summaryrefslogtreecommitdiff
path: root/src/lib/libssl/ssl
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--src/lib/libssl/ssl.h2304
-rw-r--r--src/lib/libssl/ssl/Makefile43
-rw-r--r--src/lib/libssl/ssl/shlib_version2
-rw-r--r--src/lib/libssl/ssl2.h268
-rw-r--r--src/lib/libssl/ssl23.h83
-rw-r--r--src/lib/libssl/ssl3.h648
-rw-r--r--src/lib/libssl/ssl_algs.c140
-rw-r--r--src/lib/libssl/ssl_asn1.c592
-rw-r--r--src/lib/libssl/ssl_cert.c834
-rw-r--r--src/lib/libssl/ssl_ciph.c1747
-rw-r--r--src/lib/libssl/ssl_err.c573
-rw-r--r--src/lib/libssl/ssl_err2.c70
-rw-r--r--src/lib/libssl/ssl_lib.c3045
-rw-r--r--src/lib/libssl/ssl_locl.h1079
-rw-r--r--src/lib/libssl/ssl_rsa.c779
-rw-r--r--src/lib/libssl/ssl_sess.c1095
-rw-r--r--src/lib/libssl/ssl_stat.c567
-rw-r--r--src/lib/libssl/ssl_txt.c240
-rw-r--r--src/lib/libssl/ssleay.cnf65
19 files changed, 0 insertions, 14174 deletions
diff --git a/src/lib/libssl/ssl.h b/src/lib/libssl/ssl.h
deleted file mode 100644
index 8f922eea72..0000000000
--- a/src/lib/libssl/ssl.h
+++ /dev/null
@@ -1,2304 +0,0 @@
1/* ssl/ssl.h */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58/* ====================================================================
59 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
60 *
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
63 * are met:
64 *
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
67 *
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
71 * distribution.
72 *
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77 *
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
82 *
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
86 *
87 * 6. Redistributions of any form whatsoever must retain the following
88 * acknowledgment:
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91 *
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
105 *
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
109 *
110 */
111/* ====================================================================
112 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
113 * ECC cipher suite support in OpenSSL originally developed by
114 * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
115 */
116/* ====================================================================
117 * Copyright 2005 Nokia. All rights reserved.
118 *
119 * The portions of the attached software ("Contribution") is developed by
120 * Nokia Corporation and is licensed pursuant to the OpenSSL open source
121 * license.
122 *
123 * The Contribution, originally written by Mika Kousa and Pasi Eronen of
124 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
125 * support (see RFC 4279) to OpenSSL.
126 *
127 * No patent licenses or other rights except those expressly stated in
128 * the OpenSSL open source license shall be deemed granted or received
129 * expressly, by implication, estoppel, or otherwise.
130 *
131 * No assurances are provided by Nokia that the Contribution does not
132 * infringe the patent or other intellectual property rights of any third
133 * party or that the license provides you with all the necessary rights
134 * to make use of the Contribution.
135 *
136 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
137 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
138 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
139 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
140 * OTHERWISE.
141 */
142
143#ifndef HEADER_SSL_H
144#define HEADER_SSL_H
145
146#include <openssl/e_os2.h>
147
148#ifndef OPENSSL_NO_COMP
149#include <openssl/comp.h>
150#endif
151#ifndef OPENSSL_NO_BIO
152#include <openssl/bio.h>
153#endif
154#ifndef OPENSSL_NO_DEPRECATED
155#ifndef OPENSSL_NO_X509
156#include <openssl/x509.h>
157#endif
158#include <openssl/crypto.h>
159#include <openssl/lhash.h>
160#include <openssl/buffer.h>
161#endif
162#include <openssl/pem.h>
163#include <openssl/hmac.h>
164
165#include <openssl/kssl.h>
166#include <openssl/safestack.h>
167#include <openssl/symhacks.h>
168
169#ifdef __cplusplus
170extern "C" {
171#endif
172
173/* SSLeay version number for ASN.1 encoding of the session information */
174/* Version 0 - initial version
175 * Version 1 - added the optional peer certificate
176 */
177#define SSL_SESSION_ASN1_VERSION 0x0001
178
179/* text strings for the ciphers */
180#define SSL_TXT_NULL_WITH_MD5 SSL2_TXT_NULL_WITH_MD5
181#define SSL_TXT_RC4_128_WITH_MD5 SSL2_TXT_RC4_128_WITH_MD5
182#define SSL_TXT_RC4_128_EXPORT40_WITH_MD5 SSL2_TXT_RC4_128_EXPORT40_WITH_MD5
183#define SSL_TXT_RC2_128_CBC_WITH_MD5 SSL2_TXT_RC2_128_CBC_WITH_MD5
184#define SSL_TXT_RC2_128_CBC_EXPORT40_WITH_MD5 SSL2_TXT_RC2_128_CBC_EXPORT40_WITH_MD5
185#define SSL_TXT_IDEA_128_CBC_WITH_MD5 SSL2_TXT_IDEA_128_CBC_WITH_MD5
186#define SSL_TXT_DES_64_CBC_WITH_MD5 SSL2_TXT_DES_64_CBC_WITH_MD5
187#define SSL_TXT_DES_64_CBC_WITH_SHA SSL2_TXT_DES_64_CBC_WITH_SHA
188#define SSL_TXT_DES_192_EDE3_CBC_WITH_MD5 SSL2_TXT_DES_192_EDE3_CBC_WITH_MD5
189#define SSL_TXT_DES_192_EDE3_CBC_WITH_SHA SSL2_TXT_DES_192_EDE3_CBC_WITH_SHA
190
191/* VRS Additional Kerberos5 entries
192 */
193#define SSL_TXT_KRB5_DES_64_CBC_SHA SSL3_TXT_KRB5_DES_64_CBC_SHA
194#define SSL_TXT_KRB5_DES_192_CBC3_SHA SSL3_TXT_KRB5_DES_192_CBC3_SHA
195#define SSL_TXT_KRB5_RC4_128_SHA SSL3_TXT_KRB5_RC4_128_SHA
196#define SSL_TXT_KRB5_IDEA_128_CBC_SHA SSL3_TXT_KRB5_IDEA_128_CBC_SHA
197#define SSL_TXT_KRB5_DES_64_CBC_MD5 SSL3_TXT_KRB5_DES_64_CBC_MD5
198#define SSL_TXT_KRB5_DES_192_CBC3_MD5 SSL3_TXT_KRB5_DES_192_CBC3_MD5
199#define SSL_TXT_KRB5_RC4_128_MD5 SSL3_TXT_KRB5_RC4_128_MD5
200#define SSL_TXT_KRB5_IDEA_128_CBC_MD5 SSL3_TXT_KRB5_IDEA_128_CBC_MD5
201
202#define SSL_TXT_KRB5_DES_40_CBC_SHA SSL3_TXT_KRB5_DES_40_CBC_SHA
203#define SSL_TXT_KRB5_RC2_40_CBC_SHA SSL3_TXT_KRB5_RC2_40_CBC_SHA
204#define SSL_TXT_KRB5_RC4_40_SHA SSL3_TXT_KRB5_RC4_40_SHA
205#define SSL_TXT_KRB5_DES_40_CBC_MD5 SSL3_TXT_KRB5_DES_40_CBC_MD5
206#define SSL_TXT_KRB5_RC2_40_CBC_MD5 SSL3_TXT_KRB5_RC2_40_CBC_MD5
207#define SSL_TXT_KRB5_RC4_40_MD5 SSL3_TXT_KRB5_RC4_40_MD5
208
209#define SSL_TXT_KRB5_DES_40_CBC_SHA SSL3_TXT_KRB5_DES_40_CBC_SHA
210#define SSL_TXT_KRB5_DES_40_CBC_MD5 SSL3_TXT_KRB5_DES_40_CBC_MD5
211#define SSL_TXT_KRB5_DES_64_CBC_SHA SSL3_TXT_KRB5_DES_64_CBC_SHA
212#define SSL_TXT_KRB5_DES_64_CBC_MD5 SSL3_TXT_KRB5_DES_64_CBC_MD5
213#define SSL_TXT_KRB5_DES_192_CBC3_SHA SSL3_TXT_KRB5_DES_192_CBC3_SHA
214#define SSL_TXT_KRB5_DES_192_CBC3_MD5 SSL3_TXT_KRB5_DES_192_CBC3_MD5
215#define SSL_MAX_KRB5_PRINCIPAL_LENGTH 256
216
217#define SSL_MAX_SSL_SESSION_ID_LENGTH 32
218#define SSL_MAX_SID_CTX_LENGTH 32
219
220#define SSL_MIN_RSA_MODULUS_LENGTH_IN_BYTES (512/8)
221#define SSL_MAX_KEY_ARG_LENGTH 8
222#define SSL_MAX_MASTER_KEY_LENGTH 48
223
224
225/* These are used to specify which ciphers to use and not to use */
226
227#define SSL_TXT_EXP40 "EXPORT40"
228#define SSL_TXT_EXP56 "EXPORT56"
229#define SSL_TXT_LOW "LOW"
230#define SSL_TXT_MEDIUM "MEDIUM"
231#define SSL_TXT_HIGH "HIGH"
232#define SSL_TXT_FIPS "FIPS"
233
234#define SSL_TXT_kFZA "kFZA" /* unused! */
235#define SSL_TXT_aFZA "aFZA" /* unused! */
236#define SSL_TXT_eFZA "eFZA" /* unused! */
237#define SSL_TXT_FZA "FZA" /* unused! */
238
239#define SSL_TXT_aNULL "aNULL"
240#define SSL_TXT_eNULL "eNULL"
241#define SSL_TXT_NULL "NULL"
242
243#define SSL_TXT_kRSA "kRSA"
244#define SSL_TXT_kDHr "kDHr" /* no such ciphersuites supported! */
245#define SSL_TXT_kDHd "kDHd" /* no such ciphersuites supported! */
246#define SSL_TXT_kDH "kDH" /* no such ciphersuites supported! */
247#define SSL_TXT_kEDH "kEDH"
248#define SSL_TXT_kKRB5 "kKRB5"
249#define SSL_TXT_kECDHr "kECDHr"
250#define SSL_TXT_kECDHe "kECDHe"
251#define SSL_TXT_kECDH "kECDH"
252#define SSL_TXT_kEECDH "kEECDH"
253#define SSL_TXT_kPSK "kPSK"
254#define SSL_TXT_kGOST "kGOST"
255
256#define SSL_TXT_aRSA "aRSA"
257#define SSL_TXT_aDSS "aDSS"
258#define SSL_TXT_aDH "aDH" /* no such ciphersuites supported! */
259#define SSL_TXT_aECDH "aECDH"
260#define SSL_TXT_aKRB5 "aKRB5"
261#define SSL_TXT_aECDSA "aECDSA"
262#define SSL_TXT_aPSK "aPSK"
263#define SSL_TXT_aGOST94 "aGOST94"
264#define SSL_TXT_aGOST01 "aGOST01"
265#define SSL_TXT_aGOST "aGOST"
266
267#define SSL_TXT_DSS "DSS"
268#define SSL_TXT_DH "DH"
269#define SSL_TXT_EDH "EDH" /* same as "kEDH:-ADH" */
270#define SSL_TXT_ADH "ADH"
271#define SSL_TXT_RSA "RSA"
272#define SSL_TXT_ECDH "ECDH"
273#define SSL_TXT_EECDH "EECDH" /* same as "kEECDH:-AECDH" */
274#define SSL_TXT_AECDH "AECDH"
275#define SSL_TXT_ECDSA "ECDSA"
276#define SSL_TXT_KRB5 "KRB5"
277#define SSL_TXT_PSK "PSK"
278
279#define SSL_TXT_DES "DES"
280#define SSL_TXT_3DES "3DES"
281#define SSL_TXT_RC4 "RC4"
282#define SSL_TXT_RC2 "RC2"
283#define SSL_TXT_IDEA "IDEA"
284#define SSL_TXT_SEED "SEED"
285#define SSL_TXT_AES128 "AES128"
286#define SSL_TXT_AES256 "AES256"
287#define SSL_TXT_AES "AES"
288#define SSL_TXT_CAMELLIA128 "CAMELLIA128"
289#define SSL_TXT_CAMELLIA256 "CAMELLIA256"
290#define SSL_TXT_CAMELLIA "CAMELLIA"
291
292#define SSL_TXT_MD5 "MD5"
293#define SSL_TXT_SHA1 "SHA1"
294#define SSL_TXT_SHA "SHA" /* same as "SHA1" */
295#define SSL_TXT_GOST94 "GOST94"
296#define SSL_TXT_GOST89MAC "GOST89MAC"
297
298#define SSL_TXT_SSLV2 "SSLv2"
299#define SSL_TXT_SSLV3 "SSLv3"
300#define SSL_TXT_TLSV1 "TLSv1"
301
302#define SSL_TXT_EXP "EXP"
303#define SSL_TXT_EXPORT "EXPORT"
304
305#define SSL_TXT_ALL "ALL"
306
307/*
308 * COMPLEMENTOF* definitions. These identifiers are used to (de-select)
309 * ciphers normally not being used.
310 * Example: "RC4" will activate all ciphers using RC4 including ciphers
311 * without authentication, which would normally disabled by DEFAULT (due
312 * the "!ADH" being part of default). Therefore "RC4:!COMPLEMENTOFDEFAULT"
313 * will make sure that it is also disabled in the specific selection.
314 * COMPLEMENTOF* identifiers are portable between version, as adjustments
315 * to the default cipher setup will also be included here.
316 *
317 * COMPLEMENTOFDEFAULT does not experience the same special treatment that
318 * DEFAULT gets, as only selection is being done and no sorting as needed
319 * for DEFAULT.
320 */
321#define SSL_TXT_CMPALL "COMPLEMENTOFALL"
322#define SSL_TXT_CMPDEF "COMPLEMENTOFDEFAULT"
323
324/* The following cipher list is used by default.
325 * It also is substituted when an application-defined cipher list string
326 * starts with 'DEFAULT'. */
327#define SSL_DEFAULT_CIPHER_LIST "ALL:!aNULL:!eNULL:!SSLv2"
328/* As of OpenSSL 1.0.0, ssl_create_cipher_list() in ssl/ssl_ciph.c always
329 * starts with a reasonable order, and all we have to do for DEFAULT is
330 * throwing out anonymous and unencrypted ciphersuites!
331 * (The latter are not actually enabled by ALL, but "ALL:RSA" would enable
332 * some of them.)
333 */
334
335/* Used in SSL_set_shutdown()/SSL_get_shutdown(); */
336#define SSL_SENT_SHUTDOWN 1
337#define SSL_RECEIVED_SHUTDOWN 2
338
339#ifdef __cplusplus
340}
341#endif
342
343#ifdef __cplusplus
344extern "C" {
345#endif
346
347#if (defined(OPENSSL_NO_RSA) || defined(OPENSSL_NO_MD5)) && !defined(OPENSSL_NO_SSL2)
348#define OPENSSL_NO_SSL2
349#endif
350
351#define SSL_FILETYPE_ASN1 X509_FILETYPE_ASN1
352#define SSL_FILETYPE_PEM X509_FILETYPE_PEM
353
354/* This is needed to stop compilers complaining about the
355 * 'struct ssl_st *' function parameters used to prototype callbacks
356 * in SSL_CTX. */
357typedef struct ssl_st *ssl_crock_st;
358typedef struct tls_session_ticket_ext_st TLS_SESSION_TICKET_EXT;
359
360/* used to hold info on the particular ciphers used */
361typedef struct ssl_cipher_st
362 {
363 int valid;
364 const char *name; /* text name */
365 unsigned long id; /* id, 4 bytes, first is version */
366
367 /* changed in 0.9.9: these four used to be portions of a single value 'algorithms' */
368 unsigned long algorithm_mkey; /* key exchange algorithm */
369 unsigned long algorithm_auth; /* server authentication */
370 unsigned long algorithm_enc; /* symmetric encryption */
371 unsigned long algorithm_mac; /* symmetric authentication */
372 unsigned long algorithm_ssl; /* (major) protocol version */
373
374 unsigned long algo_strength; /* strength and export flags */
375 unsigned long algorithm2; /* Extra flags */
376 int strength_bits; /* Number of bits really used */
377 int alg_bits; /* Number of bits for algorithm */
378 } SSL_CIPHER;
379
380DECLARE_STACK_OF(SSL_CIPHER)
381
382typedef int (*tls_session_ticket_ext_cb_fn)(SSL *s, const unsigned char *data, int len, void *arg);
383typedef int (*tls_session_secret_cb_fn)(SSL *s, void *secret, int *secret_len, STACK_OF(SSL_CIPHER) *peer_ciphers, SSL_CIPHER **cipher, void *arg);
384
385/* Used to hold functions for SSLv2 or SSLv3/TLSv1 functions */
386typedef struct ssl_method_st
387 {
388 int version;
389 int (*ssl_new)(SSL *s);
390 void (*ssl_clear)(SSL *s);
391 void (*ssl_free)(SSL *s);
392 int (*ssl_accept)(SSL *s);
393 int (*ssl_connect)(SSL *s);
394 int (*ssl_read)(SSL *s,void *buf,int len);
395 int (*ssl_peek)(SSL *s,void *buf,int len);
396 int (*ssl_write)(SSL *s,const void *buf,int len);
397 int (*ssl_shutdown)(SSL *s);
398 int (*ssl_renegotiate)(SSL *s);
399 int (*ssl_renegotiate_check)(SSL *s);
400 long (*ssl_get_message)(SSL *s, int st1, int stn, int mt, long
401 max, int *ok);
402 int (*ssl_read_bytes)(SSL *s, int type, unsigned char *buf, int len,
403 int peek);
404 int (*ssl_write_bytes)(SSL *s, int type, const void *buf_, int len);
405 int (*ssl_dispatch_alert)(SSL *s);
406 long (*ssl_ctrl)(SSL *s,int cmd,long larg,void *parg);
407 long (*ssl_ctx_ctrl)(SSL_CTX *ctx,int cmd,long larg,void *parg);
408 const SSL_CIPHER *(*get_cipher_by_char)(const unsigned char *ptr);
409 int (*put_cipher_by_char)(const SSL_CIPHER *cipher,unsigned char *ptr);
410 int (*ssl_pending)(const SSL *s);
411 int (*num_ciphers)(void);
412 const SSL_CIPHER *(*get_cipher)(unsigned ncipher);
413 const struct ssl_method_st *(*get_ssl_method)(int version);
414 long (*get_timeout)(void);
415 struct ssl3_enc_method *ssl3_enc; /* Extra SSLv3/TLS stuff */
416 int (*ssl_version)(void);
417 long (*ssl_callback_ctrl)(SSL *s, int cb_id, void (*fp)(void));
418 long (*ssl_ctx_callback_ctrl)(SSL_CTX *s, int cb_id, void (*fp)(void));
419 } SSL_METHOD;
420
421/* Lets make this into an ASN.1 type structure as follows
422 * SSL_SESSION_ID ::= SEQUENCE {
423 * version INTEGER, -- structure version number
424 * SSLversion INTEGER, -- SSL version number
425 * Cipher OCTET STRING, -- the 3 byte cipher ID
426 * Session_ID OCTET STRING, -- the Session ID
427 * Master_key OCTET STRING, -- the master key
428 * KRB5_principal OCTET STRING -- optional Kerberos principal
429 * Key_Arg [ 0 ] IMPLICIT OCTET STRING, -- the optional Key argument
430 * Time [ 1 ] EXPLICIT INTEGER, -- optional Start Time
431 * Timeout [ 2 ] EXPLICIT INTEGER, -- optional Timeout ins seconds
432 * Peer [ 3 ] EXPLICIT X509, -- optional Peer Certificate
433 * Session_ID_context [ 4 ] EXPLICIT OCTET STRING, -- the Session ID context
434 * Verify_result [ 5 ] EXPLICIT INTEGER, -- X509_V_... code for `Peer'
435 * HostName [ 6 ] EXPLICIT OCTET STRING, -- optional HostName from servername TLS extension
436 * ECPointFormatList [ 7 ] OCTET STRING, -- optional EC point format list from TLS extension
437 * PSK_identity_hint [ 8 ] EXPLICIT OCTET STRING, -- optional PSK identity hint
438 * PSK_identity [ 9 ] EXPLICIT OCTET STRING -- optional PSK identity
439 * }
440 * Look in ssl/ssl_asn1.c for more details
441 * I'm using EXPLICIT tags so I can read the damn things using asn1parse :-).
442 */
443typedef struct ssl_session_st
444 {
445 int ssl_version; /* what ssl version session info is
446 * being kept in here? */
447
448 /* only really used in SSLv2 */
449 unsigned int key_arg_length;
450 unsigned char key_arg[SSL_MAX_KEY_ARG_LENGTH];
451 int master_key_length;
452 unsigned char master_key[SSL_MAX_MASTER_KEY_LENGTH];
453 /* session_id - valid? */
454 unsigned int session_id_length;
455 unsigned char session_id[SSL_MAX_SSL_SESSION_ID_LENGTH];
456 /* this is used to determine whether the session is being reused in
457 * the appropriate context. It is up to the application to set this,
458 * via SSL_new */
459 unsigned int sid_ctx_length;
460 unsigned char sid_ctx[SSL_MAX_SID_CTX_LENGTH];
461
462#ifndef OPENSSL_NO_KRB5
463 unsigned int krb5_client_princ_len;
464 unsigned char krb5_client_princ[SSL_MAX_KRB5_PRINCIPAL_LENGTH];
465#endif /* OPENSSL_NO_KRB5 */
466#ifndef OPENSSL_NO_PSK
467 char *psk_identity_hint;
468 char *psk_identity;
469#endif
470 int not_resumable;
471
472 /* The cert is the certificate used to establish this connection */
473 struct sess_cert_st /* SESS_CERT */ *sess_cert;
474
475 /* This is the cert for the other end.
476 * On clients, it will be the same as sess_cert->peer_key->x509
477 * (the latter is not enough as sess_cert is not retained
478 * in the external representation of sessions, see ssl_asn1.c). */
479 X509 *peer;
480 /* when app_verify_callback accepts a session where the peer's certificate
481 * is not ok, we must remember the error for session reuse: */
482 long verify_result; /* only for servers */
483
484 int references;
485 long timeout;
486 long time;
487
488 unsigned int compress_meth; /* Need to lookup the method */
489
490 const SSL_CIPHER *cipher;
491 unsigned long cipher_id; /* when ASN.1 loaded, this
492 * needs to be used to load
493 * the 'cipher' structure */
494
495 STACK_OF(SSL_CIPHER) *ciphers; /* shared ciphers? */
496
497 CRYPTO_EX_DATA ex_data; /* application specific data */
498
499 /* These are used to make removal of session-ids more
500 * efficient and to implement a maximum cache size. */
501 struct ssl_session_st *prev,*next;
502#ifndef OPENSSL_NO_TLSEXT
503 char *tlsext_hostname;
504#ifndef OPENSSL_NO_EC
505 size_t tlsext_ecpointformatlist_length;
506 unsigned char *tlsext_ecpointformatlist; /* peer's list */
507 size_t tlsext_ellipticcurvelist_length;
508 unsigned char *tlsext_ellipticcurvelist; /* peer's list */
509#endif /* OPENSSL_NO_EC */
510 /* RFC4507 info */
511 unsigned char *tlsext_tick; /* Session ticket */
512 size_t tlsext_ticklen; /* Session ticket length */
513 long tlsext_tick_lifetime_hint; /* Session lifetime hint in seconds */
514#endif
515 } SSL_SESSION;
516
517
518#define SSL_OP_MICROSOFT_SESS_ID_BUG 0x00000001L
519#define SSL_OP_NETSCAPE_CHALLENGE_BUG 0x00000002L
520/* Allow initial connection to servers that don't support RI */
521#define SSL_OP_LEGACY_SERVER_CONNECT 0x00000004L
522#define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG 0x00000008L
523#define SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG 0x00000010L
524#define SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER 0x00000020L
525#define SSL_OP_MSIE_SSLV2_RSA_PADDING 0x00000040L /* no effect since 0.9.7h and 0.9.8b */
526#define SSL_OP_SSLEAY_080_CLIENT_DH_BUG 0x00000080L
527#define SSL_OP_TLS_D5_BUG 0x00000100L
528#define SSL_OP_TLS_BLOCK_PADDING_BUG 0x00000200L
529
530/* Disable SSL 3.0/TLS 1.0 CBC vulnerability workaround that was added
531 * in OpenSSL 0.9.6d. Usually (depending on the application protocol)
532 * the workaround is not needed. Unfortunately some broken SSL/TLS
533 * implementations cannot handle it at all, which is why we include
534 * it in SSL_OP_ALL. */
535#define SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS 0x00000800L /* added in 0.9.6e */
536
537/* SSL_OP_ALL: various bug workarounds that should be rather harmless.
538 * This used to be 0x000FFFFFL before 0.9.7. */
539#define SSL_OP_ALL 0x80000FFFL
540
541/* DTLS options */
542#define SSL_OP_NO_QUERY_MTU 0x00001000L
543/* Turn on Cookie Exchange (on relevant for servers) */
544#define SSL_OP_COOKIE_EXCHANGE 0x00002000L
545/* Don't use RFC4507 ticket extension */
546#define SSL_OP_NO_TICKET 0x00004000L
547/* Use Cisco's "speshul" version of DTLS_BAD_VER (as client) */
548#define SSL_OP_CISCO_ANYCONNECT 0x00008000L
549
550/* As server, disallow session resumption on renegotiation */
551#define SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION 0x00010000L
552/* Don't use compression even if supported */
553#define SSL_OP_NO_COMPRESSION 0x00020000L
554/* Permit unsafe legacy renegotiation */
555#define SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION 0x00040000L
556/* If set, always create a new key when using tmp_ecdh parameters */
557#define SSL_OP_SINGLE_ECDH_USE 0x00080000L
558/* If set, always create a new key when using tmp_dh parameters */
559#define SSL_OP_SINGLE_DH_USE 0x00100000L
560/* Set to always use the tmp_rsa key when doing RSA operations,
561 * even when this violates protocol specs */
562#define SSL_OP_EPHEMERAL_RSA 0x00200000L
563/* Set on servers to choose the cipher according to the server's
564 * preferences */
565#define SSL_OP_CIPHER_SERVER_PREFERENCE 0x00400000L
566/* If set, a server will allow a client to issue a SSLv3.0 version number
567 * as latest version supported in the premaster secret, even when TLSv1.0
568 * (version 3.1) was announced in the client hello. Normally this is
569 * forbidden to prevent version rollback attacks. */
570#define SSL_OP_TLS_ROLLBACK_BUG 0x00800000L
571
572#define SSL_OP_NO_SSLv2 0x01000000L
573#define SSL_OP_NO_SSLv3 0x02000000L
574#define SSL_OP_NO_TLSv1 0x04000000L
575
576/* The next flag deliberately changes the ciphertest, this is a check
577 * for the PKCS#1 attack */
578#define SSL_OP_PKCS1_CHECK_1 0x08000000L
579#define SSL_OP_PKCS1_CHECK_2 0x10000000L
580#define SSL_OP_NETSCAPE_CA_DN_BUG 0x20000000L
581#define SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG 0x40000000L
582/* Make server add server-hello extension from early version of
583 * cryptopro draft, when GOST ciphersuite is negotiated.
584 * Required for interoperability with CryptoPro CSP 3.x
585 */
586#define SSL_OP_CRYPTOPRO_TLSEXT_BUG 0x80000000L
587
588/* Allow SSL_write(..., n) to return r with 0 < r < n (i.e. report success
589 * when just a single record has been written): */
590#define SSL_MODE_ENABLE_PARTIAL_WRITE 0x00000001L
591/* Make it possible to retry SSL_write() with changed buffer location
592 * (buffer contents must stay the same!); this is not the default to avoid
593 * the misconception that non-blocking SSL_write() behaves like
594 * non-blocking write(): */
595#define SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER 0x00000002L
596/* Never bother the application with retries if the transport
597 * is blocking: */
598#define SSL_MODE_AUTO_RETRY 0x00000004L
599/* Don't attempt to automatically build certificate chain */
600#define SSL_MODE_NO_AUTO_CHAIN 0x00000008L
601/* Save RAM by releasing read and write buffers when they're empty. (SSL3 and
602 * TLS only.) "Released" buffers are put onto a free-list in the context
603 * or just freed (depending on the context's setting for freelist_max_len). */
604#define SSL_MODE_RELEASE_BUFFERS 0x00000010L
605
606/* Note: SSL[_CTX]_set_{options,mode} use |= op on the previous value,
607 * they cannot be used to clear bits. */
608
609#define SSL_CTX_set_options(ctx,op) \
610 SSL_CTX_ctrl((ctx),SSL_CTRL_OPTIONS,(op),NULL)
611#define SSL_CTX_clear_options(ctx,op) \
612 SSL_CTX_ctrl((ctx),SSL_CTRL_CLEAR_OPTIONS,(op),NULL)
613#define SSL_CTX_get_options(ctx) \
614 SSL_CTX_ctrl((ctx),SSL_CTRL_OPTIONS,0,NULL)
615#define SSL_set_options(ssl,op) \
616 SSL_ctrl((ssl),SSL_CTRL_OPTIONS,(op),NULL)
617#define SSL_clear_options(ssl,op) \
618 SSL_ctrl((ssl),SSL_CTRL_CLEAR_OPTIONS,(op),NULL)
619#define SSL_get_options(ssl) \
620 SSL_ctrl((ssl),SSL_CTRL_OPTIONS,0,NULL)
621
622#define SSL_CTX_set_mode(ctx,op) \
623 SSL_CTX_ctrl((ctx),SSL_CTRL_MODE,(op),NULL)
624#define SSL_CTX_clear_mode(ctx,op) \
625 SSL_CTX_ctrl((ctx),SSL_CTRL_CLEAR_MODE,(op),NULL)
626#define SSL_CTX_get_mode(ctx) \
627 SSL_CTX_ctrl((ctx),SSL_CTRL_MODE,0,NULL)
628#define SSL_clear_mode(ssl,op) \
629 SSL_ctrl((ssl),SSL_CTRL_CLEAR_MODE,(op),NULL)
630#define SSL_set_mode(ssl,op) \
631 SSL_ctrl((ssl),SSL_CTRL_MODE,(op),NULL)
632#define SSL_get_mode(ssl) \
633 SSL_ctrl((ssl),SSL_CTRL_MODE,0,NULL)
634#define SSL_set_mtu(ssl, mtu) \
635 SSL_ctrl((ssl),SSL_CTRL_SET_MTU,(mtu),NULL)
636
637#define SSL_get_secure_renegotiation_support(ssl) \
638 SSL_ctrl((ssl), SSL_CTRL_GET_RI_SUPPORT, 0, NULL)
639
640void SSL_CTX_set_msg_callback(SSL_CTX *ctx, void (*cb)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg));
641void SSL_set_msg_callback(SSL *ssl, void (*cb)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg));
642#define SSL_CTX_set_msg_callback_arg(ctx, arg) SSL_CTX_ctrl((ctx), SSL_CTRL_SET_MSG_CALLBACK_ARG, 0, (arg))
643#define SSL_set_msg_callback_arg(ssl, arg) SSL_ctrl((ssl), SSL_CTRL_SET_MSG_CALLBACK_ARG, 0, (arg))
644
645
646
647#if defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_WIN32)
648#define SSL_MAX_CERT_LIST_DEFAULT 1024*30 /* 30k max cert list :-) */
649#else
650#define SSL_MAX_CERT_LIST_DEFAULT 1024*100 /* 100k max cert list :-) */
651#endif
652
653#define SSL_SESSION_CACHE_MAX_SIZE_DEFAULT (1024*20)
654
655/* This callback type is used inside SSL_CTX, SSL, and in the functions that set
656 * them. It is used to override the generation of SSL/TLS session IDs in a
657 * server. Return value should be zero on an error, non-zero to proceed. Also,
658 * callbacks should themselves check if the id they generate is unique otherwise
659 * the SSL handshake will fail with an error - callbacks can do this using the
660 * 'ssl' value they're passed by;
661 * SSL_has_matching_session_id(ssl, id, *id_len)
662 * The length value passed in is set at the maximum size the session ID can be.
663 * In SSLv2 this is 16 bytes, whereas SSLv3/TLSv1 it is 32 bytes. The callback
664 * can alter this length to be less if desired, but under SSLv2 session IDs are
665 * supposed to be fixed at 16 bytes so the id will be padded after the callback
666 * returns in this case. It is also an error for the callback to set the size to
667 * zero. */
668typedef int (*GEN_SESSION_CB)(const SSL *ssl, unsigned char *id,
669 unsigned int *id_len);
670
671typedef struct ssl_comp_st
672 {
673 int id;
674 const char *name;
675#ifndef OPENSSL_NO_COMP
676 COMP_METHOD *method;
677#else
678 char *method;
679#endif
680 } SSL_COMP;
681
682DECLARE_STACK_OF(SSL_COMP)
683DECLARE_LHASH_OF(SSL_SESSION);
684
685struct ssl_ctx_st
686 {
687 const SSL_METHOD *method;
688
689 STACK_OF(SSL_CIPHER) *cipher_list;
690 /* same as above but sorted for lookup */
691 STACK_OF(SSL_CIPHER) *cipher_list_by_id;
692
693 struct x509_store_st /* X509_STORE */ *cert_store;
694 LHASH_OF(SSL_SESSION) *sessions;
695 /* Most session-ids that will be cached, default is
696 * SSL_SESSION_CACHE_MAX_SIZE_DEFAULT. 0 is unlimited. */
697 unsigned long session_cache_size;
698 struct ssl_session_st *session_cache_head;
699 struct ssl_session_st *session_cache_tail;
700
701 /* This can have one of 2 values, ored together,
702 * SSL_SESS_CACHE_CLIENT,
703 * SSL_SESS_CACHE_SERVER,
704 * Default is SSL_SESSION_CACHE_SERVER, which means only
705 * SSL_accept which cache SSL_SESSIONS. */
706 int session_cache_mode;
707
708 /* If timeout is not 0, it is the default timeout value set
709 * when SSL_new() is called. This has been put in to make
710 * life easier to set things up */
711 long session_timeout;
712
713 /* If this callback is not null, it will be called each
714 * time a session id is added to the cache. If this function
715 * returns 1, it means that the callback will do a
716 * SSL_SESSION_free() when it has finished using it. Otherwise,
717 * on 0, it means the callback has finished with it.
718 * If remove_session_cb is not null, it will be called when
719 * a session-id is removed from the cache. After the call,
720 * OpenSSL will SSL_SESSION_free() it. */
721 int (*new_session_cb)(struct ssl_st *ssl,SSL_SESSION *sess);
722 void (*remove_session_cb)(struct ssl_ctx_st *ctx,SSL_SESSION *sess);
723 SSL_SESSION *(*get_session_cb)(struct ssl_st *ssl,
724 unsigned char *data,int len,int *copy);
725
726 struct
727 {
728 int sess_connect; /* SSL new conn - started */
729 int sess_connect_renegotiate;/* SSL reneg - requested */
730 int sess_connect_good; /* SSL new conne/reneg - finished */
731 int sess_accept; /* SSL new accept - started */
732 int sess_accept_renegotiate;/* SSL reneg - requested */
733 int sess_accept_good; /* SSL accept/reneg - finished */
734 int sess_miss; /* session lookup misses */
735 int sess_timeout; /* reuse attempt on timeouted session */
736 int sess_cache_full; /* session removed due to full cache */
737 int sess_hit; /* session reuse actually done */
738 int sess_cb_hit; /* session-id that was not
739 * in the cache was
740 * passed back via the callback. This
741 * indicates that the application is
742 * supplying session-id's from other
743 * processes - spooky :-) */
744 } stats;
745
746 int references;
747
748 /* if defined, these override the X509_verify_cert() calls */
749 int (*app_verify_callback)(X509_STORE_CTX *, void *);
750 void *app_verify_arg;
751 /* before OpenSSL 0.9.7, 'app_verify_arg' was ignored
752 * ('app_verify_callback' was called with just one argument) */
753
754 /* Default password callback. */
755 pem_password_cb *default_passwd_callback;
756
757 /* Default password callback user data. */
758 void *default_passwd_callback_userdata;
759
760 /* get client cert callback */
761 int (*client_cert_cb)(SSL *ssl, X509 **x509, EVP_PKEY **pkey);
762
763 /* cookie generate callback */
764 int (*app_gen_cookie_cb)(SSL *ssl, unsigned char *cookie,
765 unsigned int *cookie_len);
766
767 /* verify cookie callback */
768 int (*app_verify_cookie_cb)(SSL *ssl, unsigned char *cookie,
769 unsigned int cookie_len);
770
771 CRYPTO_EX_DATA ex_data;
772
773 const EVP_MD *rsa_md5;/* For SSLv2 - name is 'ssl2-md5' */
774 const EVP_MD *md5; /* For SSLv3/TLSv1 'ssl3-md5' */
775 const EVP_MD *sha1; /* For SSLv3/TLSv1 'ssl3->sha1' */
776
777 STACK_OF(X509) *extra_certs;
778 STACK_OF(SSL_COMP) *comp_methods; /* stack of SSL_COMP, SSLv3/TLSv1 */
779
780
781 /* Default values used when no per-SSL value is defined follow */
782
783 void (*info_callback)(const SSL *ssl,int type,int val); /* used if SSL's info_callback is NULL */
784
785 /* what we put in client cert requests */
786 STACK_OF(X509_NAME) *client_CA;
787
788
789 /* Default values to use in SSL structures follow (these are copied by SSL_new) */
790
791 unsigned long options;
792 unsigned long mode;
793 long max_cert_list;
794
795 struct cert_st /* CERT */ *cert;
796 int read_ahead;
797
798 /* callback that allows applications to peek at protocol messages */
799 void (*msg_callback)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg);
800 void *msg_callback_arg;
801
802 int verify_mode;
803 unsigned int sid_ctx_length;
804 unsigned char sid_ctx[SSL_MAX_SID_CTX_LENGTH];
805 int (*default_verify_callback)(int ok,X509_STORE_CTX *ctx); /* called 'verify_callback' in the SSL */
806
807 /* Default generate session ID callback. */
808 GEN_SESSION_CB generate_session_id;
809
810 X509_VERIFY_PARAM *param;
811
812#if 0
813 int purpose; /* Purpose setting */
814 int trust; /* Trust setting */
815#endif
816
817 int quiet_shutdown;
818
819 /* Maximum amount of data to send in one fragment.
820 * actual record size can be more than this due to
821 * padding and MAC overheads.
822 */
823 unsigned int max_send_fragment;
824
825#ifndef OPENSSL_ENGINE
826 /* Engine to pass requests for client certs to
827 */
828 ENGINE *client_cert_engine;
829#endif
830
831#ifndef OPENSSL_NO_TLSEXT
832 /* TLS extensions servername callback */
833 int (*tlsext_servername_callback)(SSL*, int *, void *);
834 void *tlsext_servername_arg;
835 /* RFC 4507 session ticket keys */
836 unsigned char tlsext_tick_key_name[16];
837 unsigned char tlsext_tick_hmac_key[16];
838 unsigned char tlsext_tick_aes_key[16];
839 /* Callback to support customisation of ticket key setting */
840 int (*tlsext_ticket_key_cb)(SSL *ssl,
841 unsigned char *name, unsigned char *iv,
842 EVP_CIPHER_CTX *ectx,
843 HMAC_CTX *hctx, int enc);
844
845 /* certificate status request info */
846 /* Callback for status request */
847 int (*tlsext_status_cb)(SSL *ssl, void *arg);
848 void *tlsext_status_arg;
849
850 /* draft-rescorla-tls-opaque-prf-input-00.txt information */
851 int (*tlsext_opaque_prf_input_callback)(SSL *, void *peerinput, size_t len, void *arg);
852 void *tlsext_opaque_prf_input_callback_arg;
853#endif
854
855#ifndef OPENSSL_NO_PSK
856 char *psk_identity_hint;
857 unsigned int (*psk_client_callback)(SSL *ssl, const char *hint, char *identity,
858 unsigned int max_identity_len, unsigned char *psk,
859 unsigned int max_psk_len);
860 unsigned int (*psk_server_callback)(SSL *ssl, const char *identity,
861 unsigned char *psk, unsigned int max_psk_len);
862#endif
863
864#ifndef OPENSSL_NO_BUF_FREELISTS
865#define SSL_MAX_BUF_FREELIST_LEN_DEFAULT 32
866 unsigned int freelist_max_len;
867 struct ssl3_buf_freelist_st *wbuf_freelist;
868 struct ssl3_buf_freelist_st *rbuf_freelist;
869#endif
870 };
871
872#define SSL_SESS_CACHE_OFF 0x0000
873#define SSL_SESS_CACHE_CLIENT 0x0001
874#define SSL_SESS_CACHE_SERVER 0x0002
875#define SSL_SESS_CACHE_BOTH (SSL_SESS_CACHE_CLIENT|SSL_SESS_CACHE_SERVER)
876#define SSL_SESS_CACHE_NO_AUTO_CLEAR 0x0080
877/* enough comments already ... see SSL_CTX_set_session_cache_mode(3) */
878#define SSL_SESS_CACHE_NO_INTERNAL_LOOKUP 0x0100
879#define SSL_SESS_CACHE_NO_INTERNAL_STORE 0x0200
880#define SSL_SESS_CACHE_NO_INTERNAL \
881 (SSL_SESS_CACHE_NO_INTERNAL_LOOKUP|SSL_SESS_CACHE_NO_INTERNAL_STORE)
882
883LHASH_OF(SSL_SESSION) *SSL_CTX_sessions(SSL_CTX *ctx);
884#define SSL_CTX_sess_number(ctx) \
885 SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_NUMBER,0,NULL)
886#define SSL_CTX_sess_connect(ctx) \
887 SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_CONNECT,0,NULL)
888#define SSL_CTX_sess_connect_good(ctx) \
889 SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_CONNECT_GOOD,0,NULL)
890#define SSL_CTX_sess_connect_renegotiate(ctx) \
891 SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_CONNECT_RENEGOTIATE,0,NULL)
892#define SSL_CTX_sess_accept(ctx) \
893 SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_ACCEPT,0,NULL)
894#define SSL_CTX_sess_accept_renegotiate(ctx) \
895 SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_ACCEPT_RENEGOTIATE,0,NULL)
896#define SSL_CTX_sess_accept_good(ctx) \
897 SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_ACCEPT_GOOD,0,NULL)
898#define SSL_CTX_sess_hits(ctx) \
899 SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_HIT,0,NULL)
900#define SSL_CTX_sess_cb_hits(ctx) \
901 SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_CB_HIT,0,NULL)
902#define SSL_CTX_sess_misses(ctx) \
903 SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_MISSES,0,NULL)
904#define SSL_CTX_sess_timeouts(ctx) \
905 SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_TIMEOUTS,0,NULL)
906#define SSL_CTX_sess_cache_full(ctx) \
907 SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_CACHE_FULL,0,NULL)
908
909void SSL_CTX_sess_set_new_cb(SSL_CTX *ctx, int (*new_session_cb)(struct ssl_st *ssl,SSL_SESSION *sess));
910int (*SSL_CTX_sess_get_new_cb(SSL_CTX *ctx))(struct ssl_st *ssl, SSL_SESSION *sess);
911void SSL_CTX_sess_set_remove_cb(SSL_CTX *ctx, void (*remove_session_cb)(struct ssl_ctx_st *ctx,SSL_SESSION *sess));
912void (*SSL_CTX_sess_get_remove_cb(SSL_CTX *ctx))(struct ssl_ctx_st *ctx, SSL_SESSION *sess);
913void SSL_CTX_sess_set_get_cb(SSL_CTX *ctx, SSL_SESSION *(*get_session_cb)(struct ssl_st *ssl, unsigned char *data,int len,int *copy));
914SSL_SESSION *(*SSL_CTX_sess_get_get_cb(SSL_CTX *ctx))(struct ssl_st *ssl, unsigned char *Data, int len, int *copy);
915void SSL_CTX_set_info_callback(SSL_CTX *ctx, void (*cb)(const SSL *ssl,int type,int val));
916void (*SSL_CTX_get_info_callback(SSL_CTX *ctx))(const SSL *ssl,int type,int val);
917void SSL_CTX_set_client_cert_cb(SSL_CTX *ctx, int (*client_cert_cb)(SSL *ssl, X509 **x509, EVP_PKEY **pkey));
918int (*SSL_CTX_get_client_cert_cb(SSL_CTX *ctx))(SSL *ssl, X509 **x509, EVP_PKEY **pkey);
919#ifndef OPENSSL_NO_ENGINE
920int SSL_CTX_set_client_cert_engine(SSL_CTX *ctx, ENGINE *e);
921#endif
922void SSL_CTX_set_cookie_generate_cb(SSL_CTX *ctx, int (*app_gen_cookie_cb)(SSL *ssl, unsigned char *cookie, unsigned int *cookie_len));
923void SSL_CTX_set_cookie_verify_cb(SSL_CTX *ctx, int (*app_verify_cookie_cb)(SSL *ssl, unsigned char *cookie, unsigned int cookie_len));
924
925#ifndef OPENSSL_NO_PSK
926/* the maximum length of the buffer given to callbacks containing the
927 * resulting identity/psk */
928#define PSK_MAX_IDENTITY_LEN 128
929#define PSK_MAX_PSK_LEN 256
930void SSL_CTX_set_psk_client_callback(SSL_CTX *ctx,
931 unsigned int (*psk_client_callback)(SSL *ssl, const char *hint,
932 char *identity, unsigned int max_identity_len, unsigned char *psk,
933 unsigned int max_psk_len));
934void SSL_set_psk_client_callback(SSL *ssl,
935 unsigned int (*psk_client_callback)(SSL *ssl, const char *hint,
936 char *identity, unsigned int max_identity_len, unsigned char *psk,
937 unsigned int max_psk_len));
938void SSL_CTX_set_psk_server_callback(SSL_CTX *ctx,
939 unsigned int (*psk_server_callback)(SSL *ssl, const char *identity,
940 unsigned char *psk, unsigned int max_psk_len));
941void SSL_set_psk_server_callback(SSL *ssl,
942 unsigned int (*psk_server_callback)(SSL *ssl, const char *identity,
943 unsigned char *psk, unsigned int max_psk_len));
944int SSL_CTX_use_psk_identity_hint(SSL_CTX *ctx, const char *identity_hint);
945int SSL_use_psk_identity_hint(SSL *s, const char *identity_hint);
946const char *SSL_get_psk_identity_hint(const SSL *s);
947const char *SSL_get_psk_identity(const SSL *s);
948#endif
949
950#define SSL_NOTHING 1
951#define SSL_WRITING 2
952#define SSL_READING 3
953#define SSL_X509_LOOKUP 4
954
955/* These will only be used when doing non-blocking IO */
956#define SSL_want_nothing(s) (SSL_want(s) == SSL_NOTHING)
957#define SSL_want_read(s) (SSL_want(s) == SSL_READING)
958#define SSL_want_write(s) (SSL_want(s) == SSL_WRITING)
959#define SSL_want_x509_lookup(s) (SSL_want(s) == SSL_X509_LOOKUP)
960
961#define SSL_MAC_FLAG_READ_MAC_STREAM 1
962#define SSL_MAC_FLAG_WRITE_MAC_STREAM 2
963
964struct ssl_st
965 {
966 /* protocol version
967 * (one of SSL2_VERSION, SSL3_VERSION, TLS1_VERSION, DTLS1_VERSION)
968 */
969 int version;
970 int type; /* SSL_ST_CONNECT or SSL_ST_ACCEPT */
971
972 const SSL_METHOD *method; /* SSLv3 */
973
974 /* There are 2 BIO's even though they are normally both the
975 * same. This is so data can be read and written to different
976 * handlers */
977
978#ifndef OPENSSL_NO_BIO
979 BIO *rbio; /* used by SSL_read */
980 BIO *wbio; /* used by SSL_write */
981 BIO *bbio; /* used during session-id reuse to concatenate
982 * messages */
983#else
984 char *rbio; /* used by SSL_read */
985 char *wbio; /* used by SSL_write */
986 char *bbio;
987#endif
988 /* This holds a variable that indicates what we were doing
989 * when a 0 or -1 is returned. This is needed for
990 * non-blocking IO so we know what request needs re-doing when
991 * in SSL_accept or SSL_connect */
992 int rwstate;
993
994 /* true when we are actually in SSL_accept() or SSL_connect() */
995 int in_handshake;
996 int (*handshake_func)(SSL *);
997
998 /* Imagine that here's a boolean member "init" that is
999 * switched as soon as SSL_set_{accept/connect}_state
1000 * is called for the first time, so that "state" and
1001 * "handshake_func" are properly initialized. But as
1002 * handshake_func is == 0 until then, we use this
1003 * test instead of an "init" member.
1004 */
1005
1006 int server; /* are we the server side? - mostly used by SSL_clear*/
1007
1008 int new_session;/* 1 if we are to use a new session.
1009 * 2 if we are a server and are inside a handshake
1010 * (i.e. not just sending a HelloRequest)
1011 * NB: For servers, the 'new' session may actually be a previously
1012 * cached session or even the previous session unless
1013 * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION is set */
1014 int quiet_shutdown;/* don't send shutdown packets */
1015 int shutdown; /* we have shut things down, 0x01 sent, 0x02
1016 * for received */
1017 int state; /* where we are */
1018 int rstate; /* where we are when reading */
1019
1020 BUF_MEM *init_buf; /* buffer used during init */
1021 void *init_msg; /* pointer to handshake message body, set by ssl3_get_message() */
1022 int init_num; /* amount read/written */
1023 int init_off; /* amount read/written */
1024
1025 /* used internally to point at a raw packet */
1026 unsigned char *packet;
1027 unsigned int packet_length;
1028
1029 struct ssl2_state_st *s2; /* SSLv2 variables */
1030 struct ssl3_state_st *s3; /* SSLv3 variables */
1031 struct dtls1_state_st *d1; /* DTLSv1 variables */
1032
1033 int read_ahead; /* Read as many input bytes as possible
1034 * (for non-blocking reads) */
1035
1036 /* callback that allows applications to peek at protocol messages */
1037 void (*msg_callback)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg);
1038 void *msg_callback_arg;
1039
1040 int hit; /* reusing a previous session */
1041
1042 X509_VERIFY_PARAM *param;
1043
1044#if 0
1045 int purpose; /* Purpose setting */
1046 int trust; /* Trust setting */
1047#endif
1048
1049 /* crypto */
1050 STACK_OF(SSL_CIPHER) *cipher_list;
1051 STACK_OF(SSL_CIPHER) *cipher_list_by_id;
1052
1053 /* These are the ones being used, the ones in SSL_SESSION are
1054 * the ones to be 'copied' into these ones */
1055 int mac_flags;
1056 EVP_CIPHER_CTX *enc_read_ctx; /* cryptographic state */
1057 EVP_MD_CTX *read_hash; /* used for mac generation */
1058#ifndef OPENSSL_NO_COMP
1059 COMP_CTX *expand; /* uncompress */
1060#else
1061 char *expand;
1062#endif
1063
1064 EVP_CIPHER_CTX *enc_write_ctx; /* cryptographic state */
1065 EVP_MD_CTX *write_hash; /* used for mac generation */
1066#ifndef OPENSSL_NO_COMP
1067 COMP_CTX *compress; /* compression */
1068#else
1069 char *compress;
1070#endif
1071
1072 /* session info */
1073
1074 /* client cert? */
1075 /* This is used to hold the server certificate used */
1076 struct cert_st /* CERT */ *cert;
1077
1078 /* the session_id_context is used to ensure sessions are only reused
1079 * in the appropriate context */
1080 unsigned int sid_ctx_length;
1081 unsigned char sid_ctx[SSL_MAX_SID_CTX_LENGTH];
1082
1083 /* This can also be in the session once a session is established */
1084 SSL_SESSION *session;
1085
1086 /* Default generate session ID callback. */
1087 GEN_SESSION_CB generate_session_id;
1088
1089 /* Used in SSL2 and SSL3 */
1090 int verify_mode; /* 0 don't care about verify failure.
1091 * 1 fail if verify fails */
1092 int (*verify_callback)(int ok,X509_STORE_CTX *ctx); /* fail if callback returns 0 */
1093
1094 void (*info_callback)(const SSL *ssl,int type,int val); /* optional informational callback */
1095
1096 int error; /* error bytes to be written */
1097 int error_code; /* actual code */
1098
1099#ifndef OPENSSL_NO_KRB5
1100 KSSL_CTX *kssl_ctx; /* Kerberos 5 context */
1101#endif /* OPENSSL_NO_KRB5 */
1102
1103#ifndef OPENSSL_NO_PSK
1104 unsigned int (*psk_client_callback)(SSL *ssl, const char *hint, char *identity,
1105 unsigned int max_identity_len, unsigned char *psk,
1106 unsigned int max_psk_len);
1107 unsigned int (*psk_server_callback)(SSL *ssl, const char *identity,
1108 unsigned char *psk, unsigned int max_psk_len);
1109#endif
1110
1111 SSL_CTX *ctx;
1112 /* set this flag to 1 and a sleep(1) is put into all SSL_read()
1113 * and SSL_write() calls, good for nbio debuging :-) */
1114 int debug;
1115
1116 /* extra application data */
1117 long verify_result;
1118 CRYPTO_EX_DATA ex_data;
1119
1120 /* for server side, keep the list of CA_dn we can use */
1121 STACK_OF(X509_NAME) *client_CA;
1122
1123 int references;
1124 unsigned long options; /* protocol behaviour */
1125 unsigned long mode; /* API behaviour */
1126 long max_cert_list;
1127 int first_packet;
1128 int client_version; /* what was passed, used for
1129 * SSLv3/TLS rollback check */
1130 unsigned int max_send_fragment;
1131#ifndef OPENSSL_NO_TLSEXT
1132 /* TLS extension debug callback */
1133 void (*tlsext_debug_cb)(SSL *s, int client_server, int type,
1134 unsigned char *data, int len,
1135 void *arg);
1136 void *tlsext_debug_arg;
1137 char *tlsext_hostname;
1138 int servername_done; /* no further mod of servername
1139 0 : call the servername extension callback.
1140 1 : prepare 2, allow last ack just after in server callback.
1141 2 : don't call servername callback, no ack in server hello
1142 */
1143 /* certificate status request info */
1144 /* Status type or -1 if no status type */
1145 int tlsext_status_type;
1146 /* Expect OCSP CertificateStatus message */
1147 int tlsext_status_expected;
1148 /* OCSP status request only */
1149 STACK_OF(OCSP_RESPID) *tlsext_ocsp_ids;
1150 X509_EXTENSIONS *tlsext_ocsp_exts;
1151 /* OCSP response received or to be sent */
1152 unsigned char *tlsext_ocsp_resp;
1153 int tlsext_ocsp_resplen;
1154
1155 /* RFC4507 session ticket expected to be received or sent */
1156 int tlsext_ticket_expected;
1157#ifndef OPENSSL_NO_EC
1158 size_t tlsext_ecpointformatlist_length;
1159 unsigned char *tlsext_ecpointformatlist; /* our list */
1160 size_t tlsext_ellipticcurvelist_length;
1161 unsigned char *tlsext_ellipticcurvelist; /* our list */
1162#endif /* OPENSSL_NO_EC */
1163
1164 /* draft-rescorla-tls-opaque-prf-input-00.txt information to be used for handshakes */
1165 void *tlsext_opaque_prf_input;
1166 size_t tlsext_opaque_prf_input_len;
1167
1168 /* TLS Session Ticket extension override */
1169 TLS_SESSION_TICKET_EXT *tlsext_session_ticket;
1170
1171 /* TLS Session Ticket extension callback */
1172 tls_session_ticket_ext_cb_fn tls_session_ticket_ext_cb;
1173 void *tls_session_ticket_ext_cb_arg;
1174
1175 /* TLS pre-shared secret session resumption */
1176 tls_session_secret_cb_fn tls_session_secret_cb;
1177 void *tls_session_secret_cb_arg;
1178
1179 SSL_CTX * initial_ctx; /* initial ctx, used to store sessions */
1180#define session_ctx initial_ctx
1181#else
1182#define session_ctx ctx
1183#endif /* OPENSSL_NO_TLSEXT */
1184 };
1185
1186#ifdef __cplusplus
1187}
1188#endif
1189
1190#include <openssl/ssl2.h>
1191#include <openssl/ssl3.h>
1192#include <openssl/tls1.h> /* This is mostly sslv3 with a few tweaks */
1193#include <openssl/dtls1.h> /* Datagram TLS */
1194#include <openssl/ssl23.h>
1195
1196#ifdef __cplusplus
1197extern "C" {
1198#endif
1199
1200/* compatibility */
1201#define SSL_set_app_data(s,arg) (SSL_set_ex_data(s,0,(char *)arg))
1202#define SSL_get_app_data(s) (SSL_get_ex_data(s,0))
1203#define SSL_SESSION_set_app_data(s,a) (SSL_SESSION_set_ex_data(s,0,(char *)a))
1204#define SSL_SESSION_get_app_data(s) (SSL_SESSION_get_ex_data(s,0))
1205#define SSL_CTX_get_app_data(ctx) (SSL_CTX_get_ex_data(ctx,0))
1206#define SSL_CTX_set_app_data(ctx,arg) (SSL_CTX_set_ex_data(ctx,0,(char *)arg))
1207
1208/* The following are the possible values for ssl->state are are
1209 * used to indicate where we are up to in the SSL connection establishment.
1210 * The macros that follow are about the only things you should need to use
1211 * and even then, only when using non-blocking IO.
1212 * It can also be useful to work out where you were when the connection
1213 * failed */
1214
1215#define SSL_ST_CONNECT 0x1000
1216#define SSL_ST_ACCEPT 0x2000
1217#define SSL_ST_MASK 0x0FFF
1218#define SSL_ST_INIT (SSL_ST_CONNECT|SSL_ST_ACCEPT)
1219#define SSL_ST_BEFORE 0x4000
1220#define SSL_ST_OK 0x03
1221#define SSL_ST_RENEGOTIATE (0x04|SSL_ST_INIT)
1222
1223#define SSL_CB_LOOP 0x01
1224#define SSL_CB_EXIT 0x02
1225#define SSL_CB_READ 0x04
1226#define SSL_CB_WRITE 0x08
1227#define SSL_CB_ALERT 0x4000 /* used in callback */
1228#define SSL_CB_READ_ALERT (SSL_CB_ALERT|SSL_CB_READ)
1229#define SSL_CB_WRITE_ALERT (SSL_CB_ALERT|SSL_CB_WRITE)
1230#define SSL_CB_ACCEPT_LOOP (SSL_ST_ACCEPT|SSL_CB_LOOP)
1231#define SSL_CB_ACCEPT_EXIT (SSL_ST_ACCEPT|SSL_CB_EXIT)
1232#define SSL_CB_CONNECT_LOOP (SSL_ST_CONNECT|SSL_CB_LOOP)
1233#define SSL_CB_CONNECT_EXIT (SSL_ST_CONNECT|SSL_CB_EXIT)
1234#define SSL_CB_HANDSHAKE_START 0x10
1235#define SSL_CB_HANDSHAKE_DONE 0x20
1236
1237/* Is the SSL_connection established? */
1238#define SSL_get_state(a) SSL_state(a)
1239#define SSL_is_init_finished(a) (SSL_state(a) == SSL_ST_OK)
1240#define SSL_in_init(a) (SSL_state(a)&SSL_ST_INIT)
1241#define SSL_in_before(a) (SSL_state(a)&SSL_ST_BEFORE)
1242#define SSL_in_connect_init(a) (SSL_state(a)&SSL_ST_CONNECT)
1243#define SSL_in_accept_init(a) (SSL_state(a)&SSL_ST_ACCEPT)
1244
1245/* The following 2 states are kept in ssl->rstate when reads fail,
1246 * you should not need these */
1247#define SSL_ST_READ_HEADER 0xF0
1248#define SSL_ST_READ_BODY 0xF1
1249#define SSL_ST_READ_DONE 0xF2
1250
1251/* Obtain latest Finished message
1252 * -- that we sent (SSL_get_finished)
1253 * -- that we expected from peer (SSL_get_peer_finished).
1254 * Returns length (0 == no Finished so far), copies up to 'count' bytes. */
1255size_t SSL_get_finished(const SSL *s, void *buf, size_t count);
1256size_t SSL_get_peer_finished(const SSL *s, void *buf, size_t count);
1257
1258/* use either SSL_VERIFY_NONE or SSL_VERIFY_PEER, the last 2 options
1259 * are 'ored' with SSL_VERIFY_PEER if they are desired */
1260#define SSL_VERIFY_NONE 0x00
1261#define SSL_VERIFY_PEER 0x01
1262#define SSL_VERIFY_FAIL_IF_NO_PEER_CERT 0x02
1263#define SSL_VERIFY_CLIENT_ONCE 0x04
1264
1265#define OpenSSL_add_ssl_algorithms() SSL_library_init()
1266#define SSLeay_add_ssl_algorithms() SSL_library_init()
1267
1268/* this is for backward compatibility */
1269#if 0 /* NEW_SSLEAY */
1270#define SSL_CTX_set_default_verify(a,b,c) SSL_CTX_set_verify(a,b,c)
1271#define SSL_set_pref_cipher(c,n) SSL_set_cipher_list(c,n)
1272#define SSL_add_session(a,b) SSL_CTX_add_session((a),(b))
1273#define SSL_remove_session(a,b) SSL_CTX_remove_session((a),(b))
1274#define SSL_flush_sessions(a,b) SSL_CTX_flush_sessions((a),(b))
1275#endif
1276/* More backward compatibility */
1277#define SSL_get_cipher(s) \
1278 SSL_CIPHER_get_name(SSL_get_current_cipher(s))
1279#define SSL_get_cipher_bits(s,np) \
1280 SSL_CIPHER_get_bits(SSL_get_current_cipher(s),np)
1281#define SSL_get_cipher_version(s) \
1282 SSL_CIPHER_get_version(SSL_get_current_cipher(s))
1283#define SSL_get_cipher_name(s) \
1284 SSL_CIPHER_get_name(SSL_get_current_cipher(s))
1285#define SSL_get_time(a) SSL_SESSION_get_time(a)
1286#define SSL_set_time(a,b) SSL_SESSION_set_time((a),(b))
1287#define SSL_get_timeout(a) SSL_SESSION_get_timeout(a)
1288#define SSL_set_timeout(a,b) SSL_SESSION_set_timeout((a),(b))
1289
1290#define d2i_SSL_SESSION_bio(bp,s_id) ASN1_d2i_bio_of(SSL_SESSION,SSL_SESSION_new,d2i_SSL_SESSION,bp,s_id)
1291#define i2d_SSL_SESSION_bio(bp,s_id) ASN1_i2d_bio_of(SSL_SESSION,i2d_SSL_SESSION,bp,s_id)
1292
1293DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
1294
1295#define SSL_AD_REASON_OFFSET 1000 /* offset to get SSL_R_... value from SSL_AD_... */
1296
1297/* These alert types are for SSLv3 and TLSv1 */
1298#define SSL_AD_CLOSE_NOTIFY SSL3_AD_CLOSE_NOTIFY
1299#define SSL_AD_UNEXPECTED_MESSAGE SSL3_AD_UNEXPECTED_MESSAGE /* fatal */
1300#define SSL_AD_BAD_RECORD_MAC SSL3_AD_BAD_RECORD_MAC /* fatal */
1301#define SSL_AD_DECRYPTION_FAILED TLS1_AD_DECRYPTION_FAILED
1302#define SSL_AD_RECORD_OVERFLOW TLS1_AD_RECORD_OVERFLOW
1303#define SSL_AD_DECOMPRESSION_FAILURE SSL3_AD_DECOMPRESSION_FAILURE/* fatal */
1304#define SSL_AD_HANDSHAKE_FAILURE SSL3_AD_HANDSHAKE_FAILURE/* fatal */
1305#define SSL_AD_NO_CERTIFICATE SSL3_AD_NO_CERTIFICATE /* Not for TLS */
1306#define SSL_AD_BAD_CERTIFICATE SSL3_AD_BAD_CERTIFICATE
1307#define SSL_AD_UNSUPPORTED_CERTIFICATE SSL3_AD_UNSUPPORTED_CERTIFICATE
1308#define SSL_AD_CERTIFICATE_REVOKED SSL3_AD_CERTIFICATE_REVOKED
1309#define SSL_AD_CERTIFICATE_EXPIRED SSL3_AD_CERTIFICATE_EXPIRED
1310#define SSL_AD_CERTIFICATE_UNKNOWN SSL3_AD_CERTIFICATE_UNKNOWN
1311#define SSL_AD_ILLEGAL_PARAMETER SSL3_AD_ILLEGAL_PARAMETER /* fatal */
1312#define SSL_AD_UNKNOWN_CA TLS1_AD_UNKNOWN_CA /* fatal */
1313#define SSL_AD_ACCESS_DENIED TLS1_AD_ACCESS_DENIED /* fatal */
1314#define SSL_AD_DECODE_ERROR TLS1_AD_DECODE_ERROR /* fatal */
1315#define SSL_AD_DECRYPT_ERROR TLS1_AD_DECRYPT_ERROR
1316#define SSL_AD_EXPORT_RESTRICTION TLS1_AD_EXPORT_RESTRICTION/* fatal */
1317#define SSL_AD_PROTOCOL_VERSION TLS1_AD_PROTOCOL_VERSION /* fatal */
1318#define SSL_AD_INSUFFICIENT_SECURITY TLS1_AD_INSUFFICIENT_SECURITY/* fatal */
1319#define SSL_AD_INTERNAL_ERROR TLS1_AD_INTERNAL_ERROR /* fatal */
1320#define SSL_AD_USER_CANCELLED TLS1_AD_USER_CANCELLED
1321#define SSL_AD_NO_RENEGOTIATION TLS1_AD_NO_RENEGOTIATION
1322#define SSL_AD_UNSUPPORTED_EXTENSION TLS1_AD_UNSUPPORTED_EXTENSION
1323#define SSL_AD_CERTIFICATE_UNOBTAINABLE TLS1_AD_CERTIFICATE_UNOBTAINABLE
1324#define SSL_AD_UNRECOGNIZED_NAME TLS1_AD_UNRECOGNIZED_NAME
1325#define SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE TLS1_AD_BAD_CERTIFICATE_STATUS_RESPONSE
1326#define SSL_AD_BAD_CERTIFICATE_HASH_VALUE TLS1_AD_BAD_CERTIFICATE_HASH_VALUE
1327#define SSL_AD_UNKNOWN_PSK_IDENTITY TLS1_AD_UNKNOWN_PSK_IDENTITY /* fatal */
1328
1329#define SSL_ERROR_NONE 0
1330#define SSL_ERROR_SSL 1
1331#define SSL_ERROR_WANT_READ 2
1332#define SSL_ERROR_WANT_WRITE 3
1333#define SSL_ERROR_WANT_X509_LOOKUP 4
1334#define SSL_ERROR_SYSCALL 5 /* look at error stack/return value/errno */
1335#define SSL_ERROR_ZERO_RETURN 6
1336#define SSL_ERROR_WANT_CONNECT 7
1337#define SSL_ERROR_WANT_ACCEPT 8
1338
1339#define SSL_CTRL_NEED_TMP_RSA 1
1340#define SSL_CTRL_SET_TMP_RSA 2
1341#define SSL_CTRL_SET_TMP_DH 3
1342#define SSL_CTRL_SET_TMP_ECDH 4
1343#define SSL_CTRL_SET_TMP_RSA_CB 5
1344#define SSL_CTRL_SET_TMP_DH_CB 6
1345#define SSL_CTRL_SET_TMP_ECDH_CB 7
1346
1347#define SSL_CTRL_GET_SESSION_REUSED 8
1348#define SSL_CTRL_GET_CLIENT_CERT_REQUEST 9
1349#define SSL_CTRL_GET_NUM_RENEGOTIATIONS 10
1350#define SSL_CTRL_CLEAR_NUM_RENEGOTIATIONS 11
1351#define SSL_CTRL_GET_TOTAL_RENEGOTIATIONS 12
1352#define SSL_CTRL_GET_FLAGS 13
1353#define SSL_CTRL_EXTRA_CHAIN_CERT 14
1354
1355#define SSL_CTRL_SET_MSG_CALLBACK 15
1356#define SSL_CTRL_SET_MSG_CALLBACK_ARG 16
1357
1358/* only applies to datagram connections */
1359#define SSL_CTRL_SET_MTU 17
1360/* Stats */
1361#define SSL_CTRL_SESS_NUMBER 20
1362#define SSL_CTRL_SESS_CONNECT 21
1363#define SSL_CTRL_SESS_CONNECT_GOOD 22
1364#define SSL_CTRL_SESS_CONNECT_RENEGOTIATE 23
1365#define SSL_CTRL_SESS_ACCEPT 24
1366#define SSL_CTRL_SESS_ACCEPT_GOOD 25
1367#define SSL_CTRL_SESS_ACCEPT_RENEGOTIATE 26
1368#define SSL_CTRL_SESS_HIT 27
1369#define SSL_CTRL_SESS_CB_HIT 28
1370#define SSL_CTRL_SESS_MISSES 29
1371#define SSL_CTRL_SESS_TIMEOUTS 30
1372#define SSL_CTRL_SESS_CACHE_FULL 31
1373#define SSL_CTRL_OPTIONS 32
1374#define SSL_CTRL_MODE 33
1375
1376#define SSL_CTRL_GET_READ_AHEAD 40
1377#define SSL_CTRL_SET_READ_AHEAD 41
1378#define SSL_CTRL_SET_SESS_CACHE_SIZE 42
1379#define SSL_CTRL_GET_SESS_CACHE_SIZE 43
1380#define SSL_CTRL_SET_SESS_CACHE_MODE 44
1381#define SSL_CTRL_GET_SESS_CACHE_MODE 45
1382
1383#define SSL_CTRL_GET_MAX_CERT_LIST 50
1384#define SSL_CTRL_SET_MAX_CERT_LIST 51
1385
1386#define SSL_CTRL_SET_MAX_SEND_FRAGMENT 52
1387
1388/* see tls1.h for macros based on these */
1389#ifndef OPENSSL_NO_TLSEXT
1390#define SSL_CTRL_SET_TLSEXT_SERVERNAME_CB 53
1391#define SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG 54
1392#define SSL_CTRL_SET_TLSEXT_HOSTNAME 55
1393#define SSL_CTRL_SET_TLSEXT_DEBUG_CB 56
1394#define SSL_CTRL_SET_TLSEXT_DEBUG_ARG 57
1395#define SSL_CTRL_GET_TLSEXT_TICKET_KEYS 58
1396#define SSL_CTRL_SET_TLSEXT_TICKET_KEYS 59
1397#define SSL_CTRL_SET_TLSEXT_OPAQUE_PRF_INPUT 60
1398#define SSL_CTRL_SET_TLSEXT_OPAQUE_PRF_INPUT_CB 61
1399#define SSL_CTRL_SET_TLSEXT_OPAQUE_PRF_INPUT_CB_ARG 62
1400#define SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB 63
1401#define SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB_ARG 64
1402#define SSL_CTRL_SET_TLSEXT_STATUS_REQ_TYPE 65
1403#define SSL_CTRL_GET_TLSEXT_STATUS_REQ_EXTS 66
1404#define SSL_CTRL_SET_TLSEXT_STATUS_REQ_EXTS 67
1405#define SSL_CTRL_GET_TLSEXT_STATUS_REQ_IDS 68
1406#define SSL_CTRL_SET_TLSEXT_STATUS_REQ_IDS 69
1407#define SSL_CTRL_GET_TLSEXT_STATUS_REQ_OCSP_RESP 70
1408#define SSL_CTRL_SET_TLSEXT_STATUS_REQ_OCSP_RESP 71
1409
1410#define SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB 72
1411#endif
1412
1413#define DTLS_CTRL_GET_TIMEOUT 73
1414#define DTLS_CTRL_HANDLE_TIMEOUT 74
1415#define DTLS_CTRL_LISTEN 75
1416
1417#define SSL_CTRL_GET_RI_SUPPORT 76
1418#define SSL_CTRL_CLEAR_OPTIONS 77
1419#define SSL_CTRL_CLEAR_MODE 78
1420
1421#define DTLSv1_get_timeout(ssl, arg) \
1422 SSL_ctrl(ssl,DTLS_CTRL_GET_TIMEOUT,0, (void *)arg)
1423#define DTLSv1_handle_timeout(ssl) \
1424 SSL_ctrl(ssl,DTLS_CTRL_HANDLE_TIMEOUT,0, NULL)
1425#define DTLSv1_listen(ssl, peer) \
1426 SSL_ctrl(ssl,DTLS_CTRL_LISTEN,0, (void *)peer)
1427
1428#define SSL_session_reused(ssl) \
1429 SSL_ctrl((ssl),SSL_CTRL_GET_SESSION_REUSED,0,NULL)
1430#define SSL_num_renegotiations(ssl) \
1431 SSL_ctrl((ssl),SSL_CTRL_GET_NUM_RENEGOTIATIONS,0,NULL)
1432#define SSL_clear_num_renegotiations(ssl) \
1433 SSL_ctrl((ssl),SSL_CTRL_CLEAR_NUM_RENEGOTIATIONS,0,NULL)
1434#define SSL_total_renegotiations(ssl) \
1435 SSL_ctrl((ssl),SSL_CTRL_GET_TOTAL_RENEGOTIATIONS,0,NULL)
1436
1437#define SSL_CTX_need_tmp_RSA(ctx) \
1438 SSL_CTX_ctrl(ctx,SSL_CTRL_NEED_TMP_RSA,0,NULL)
1439#define SSL_CTX_set_tmp_rsa(ctx,rsa) \
1440 SSL_CTX_ctrl(ctx,SSL_CTRL_SET_TMP_RSA,0,(char *)rsa)
1441#define SSL_CTX_set_tmp_dh(ctx,dh) \
1442 SSL_CTX_ctrl(ctx,SSL_CTRL_SET_TMP_DH,0,(char *)dh)
1443#define SSL_CTX_set_tmp_ecdh(ctx,ecdh) \
1444 SSL_CTX_ctrl(ctx,SSL_CTRL_SET_TMP_ECDH,0,(char *)ecdh)
1445
1446#define SSL_need_tmp_RSA(ssl) \
1447 SSL_ctrl(ssl,SSL_CTRL_NEED_TMP_RSA,0,NULL)
1448#define SSL_set_tmp_rsa(ssl,rsa) \
1449 SSL_ctrl(ssl,SSL_CTRL_SET_TMP_RSA,0,(char *)rsa)
1450#define SSL_set_tmp_dh(ssl,dh) \
1451 SSL_ctrl(ssl,SSL_CTRL_SET_TMP_DH,0,(char *)dh)
1452#define SSL_set_tmp_ecdh(ssl,ecdh) \
1453 SSL_ctrl(ssl,SSL_CTRL_SET_TMP_ECDH,0,(char *)ecdh)
1454
1455#define SSL_CTX_add_extra_chain_cert(ctx,x509) \
1456 SSL_CTX_ctrl(ctx,SSL_CTRL_EXTRA_CHAIN_CERT,0,(char *)x509)
1457
1458#ifndef OPENSSL_NO_BIO
1459BIO_METHOD *BIO_f_ssl(void);
1460BIO *BIO_new_ssl(SSL_CTX *ctx,int client);
1461BIO *BIO_new_ssl_connect(SSL_CTX *ctx);
1462BIO *BIO_new_buffer_ssl_connect(SSL_CTX *ctx);
1463int BIO_ssl_copy_session_id(BIO *to,BIO *from);
1464void BIO_ssl_shutdown(BIO *ssl_bio);
1465
1466#endif
1467
1468int SSL_CTX_set_cipher_list(SSL_CTX *,const char *str);
1469SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth);
1470void SSL_CTX_free(SSL_CTX *);
1471long SSL_CTX_set_timeout(SSL_CTX *ctx,long t);
1472long SSL_CTX_get_timeout(const SSL_CTX *ctx);
1473X509_STORE *SSL_CTX_get_cert_store(const SSL_CTX *);
1474void SSL_CTX_set_cert_store(SSL_CTX *,X509_STORE *);
1475int SSL_want(const SSL *s);
1476int SSL_clear(SSL *s);
1477
1478void SSL_CTX_flush_sessions(SSL_CTX *ctx,long tm);
1479
1480const SSL_CIPHER *SSL_get_current_cipher(const SSL *s);
1481int SSL_CIPHER_get_bits(const SSL_CIPHER *c,int *alg_bits);
1482char * SSL_CIPHER_get_version(const SSL_CIPHER *c);
1483const char * SSL_CIPHER_get_name(const SSL_CIPHER *c);
1484
1485int SSL_get_fd(const SSL *s);
1486int SSL_get_rfd(const SSL *s);
1487int SSL_get_wfd(const SSL *s);
1488const char * SSL_get_cipher_list(const SSL *s,int n);
1489char * SSL_get_shared_ciphers(const SSL *s, char *buf, int len);
1490int SSL_get_read_ahead(const SSL * s);
1491int SSL_pending(const SSL *s);
1492#ifndef OPENSSL_NO_SOCK
1493int SSL_set_fd(SSL *s, int fd);
1494int SSL_set_rfd(SSL *s, int fd);
1495int SSL_set_wfd(SSL *s, int fd);
1496#endif
1497#ifndef OPENSSL_NO_BIO
1498void SSL_set_bio(SSL *s, BIO *rbio,BIO *wbio);
1499BIO * SSL_get_rbio(const SSL *s);
1500BIO * SSL_get_wbio(const SSL *s);
1501#endif
1502int SSL_set_cipher_list(SSL *s, const char *str);
1503void SSL_set_read_ahead(SSL *s, int yes);
1504int SSL_get_verify_mode(const SSL *s);
1505int SSL_get_verify_depth(const SSL *s);
1506int (*SSL_get_verify_callback(const SSL *s))(int,X509_STORE_CTX *);
1507void SSL_set_verify(SSL *s, int mode,
1508 int (*callback)(int ok,X509_STORE_CTX *ctx));
1509void SSL_set_verify_depth(SSL *s, int depth);
1510#ifndef OPENSSL_NO_RSA
1511int SSL_use_RSAPrivateKey(SSL *ssl, RSA *rsa);
1512#endif
1513int SSL_use_RSAPrivateKey_ASN1(SSL *ssl, unsigned char *d, long len);
1514int SSL_use_PrivateKey(SSL *ssl, EVP_PKEY *pkey);
1515int SSL_use_PrivateKey_ASN1(int pk,SSL *ssl, const unsigned char *d, long len);
1516int SSL_use_certificate(SSL *ssl, X509 *x);
1517int SSL_use_certificate_ASN1(SSL *ssl, const unsigned char *d, int len);
1518
1519#ifndef OPENSSL_NO_STDIO
1520int SSL_use_RSAPrivateKey_file(SSL *ssl, const char *file, int type);
1521int SSL_use_PrivateKey_file(SSL *ssl, const char *file, int type);
1522int SSL_use_certificate_file(SSL *ssl, const char *file, int type);
1523int SSL_CTX_use_RSAPrivateKey_file(SSL_CTX *ctx, const char *file, int type);
1524int SSL_CTX_use_PrivateKey_file(SSL_CTX *ctx, const char *file, int type);
1525int SSL_CTX_use_certificate_file(SSL_CTX *ctx, const char *file, int type);
1526int SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, const char *file); /* PEM type */
1527STACK_OF(X509_NAME) *SSL_load_client_CA_file(const char *file);
1528int SSL_add_file_cert_subjects_to_stack(STACK_OF(X509_NAME) *stackCAs,
1529 const char *file);
1530#ifndef OPENSSL_SYS_VMS
1531#ifndef OPENSSL_SYS_MACINTOSH_CLASSIC /* XXXXX: Better scheme needed! [was: #ifndef MAC_OS_pre_X] */
1532int SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *stackCAs,
1533 const char *dir);
1534#endif
1535#endif
1536
1537#endif
1538
1539void SSL_load_error_strings(void );
1540const char *SSL_state_string(const SSL *s);
1541const char *SSL_rstate_string(const SSL *s);
1542const char *SSL_state_string_long(const SSL *s);
1543const char *SSL_rstate_string_long(const SSL *s);
1544long SSL_SESSION_get_time(const SSL_SESSION *s);
1545long SSL_SESSION_set_time(SSL_SESSION *s, long t);
1546long SSL_SESSION_get_timeout(const SSL_SESSION *s);
1547long SSL_SESSION_set_timeout(SSL_SESSION *s, long t);
1548void SSL_copy_session_id(SSL *to,const SSL *from);
1549
1550SSL_SESSION *SSL_SESSION_new(void);
1551const unsigned char *SSL_SESSION_get_id(const SSL_SESSION *s,
1552 unsigned int *len);
1553#ifndef OPENSSL_NO_FP_API
1554int SSL_SESSION_print_fp(FILE *fp,const SSL_SESSION *ses);
1555#endif
1556#ifndef OPENSSL_NO_BIO
1557int SSL_SESSION_print(BIO *fp,const SSL_SESSION *ses);
1558#endif
1559void SSL_SESSION_free(SSL_SESSION *ses);
1560int i2d_SSL_SESSION(SSL_SESSION *in,unsigned char **pp);
1561int SSL_set_session(SSL *to, SSL_SESSION *session);
1562int SSL_CTX_add_session(SSL_CTX *s, SSL_SESSION *c);
1563int SSL_CTX_remove_session(SSL_CTX *,SSL_SESSION *c);
1564int SSL_CTX_set_generate_session_id(SSL_CTX *, GEN_SESSION_CB);
1565int SSL_set_generate_session_id(SSL *, GEN_SESSION_CB);
1566int SSL_has_matching_session_id(const SSL *ssl, const unsigned char *id,
1567 unsigned int id_len);
1568SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a,const unsigned char **pp,
1569 long length);
1570
1571#ifdef HEADER_X509_H
1572X509 * SSL_get_peer_certificate(const SSL *s);
1573#endif
1574
1575STACK_OF(X509) *SSL_get_peer_cert_chain(const SSL *s);
1576
1577int SSL_CTX_get_verify_mode(const SSL_CTX *ctx);
1578int SSL_CTX_get_verify_depth(const SSL_CTX *ctx);
1579int (*SSL_CTX_get_verify_callback(const SSL_CTX *ctx))(int,X509_STORE_CTX *);
1580void SSL_CTX_set_verify(SSL_CTX *ctx,int mode,
1581 int (*callback)(int, X509_STORE_CTX *));
1582void SSL_CTX_set_verify_depth(SSL_CTX *ctx,int depth);
1583void SSL_CTX_set_cert_verify_callback(SSL_CTX *ctx, int (*cb)(X509_STORE_CTX *,void *), void *arg);
1584#ifndef OPENSSL_NO_RSA
1585int SSL_CTX_use_RSAPrivateKey(SSL_CTX *ctx, RSA *rsa);
1586#endif
1587int SSL_CTX_use_RSAPrivateKey_ASN1(SSL_CTX *ctx, const unsigned char *d, long len);
1588int SSL_CTX_use_PrivateKey(SSL_CTX *ctx, EVP_PKEY *pkey);
1589int SSL_CTX_use_PrivateKey_ASN1(int pk,SSL_CTX *ctx,
1590 const unsigned char *d, long len);
1591int SSL_CTX_use_certificate(SSL_CTX *ctx, X509 *x);
1592int SSL_CTX_use_certificate_ASN1(SSL_CTX *ctx, int len, const unsigned char *d);
1593
1594void SSL_CTX_set_default_passwd_cb(SSL_CTX *ctx, pem_password_cb *cb);
1595void SSL_CTX_set_default_passwd_cb_userdata(SSL_CTX *ctx, void *u);
1596
1597int SSL_CTX_check_private_key(const SSL_CTX *ctx);
1598int SSL_check_private_key(const SSL *ctx);
1599
1600int SSL_CTX_set_session_id_context(SSL_CTX *ctx,const unsigned char *sid_ctx,
1601 unsigned int sid_ctx_len);
1602
1603SSL * SSL_new(SSL_CTX *ctx);
1604int SSL_set_session_id_context(SSL *ssl,const unsigned char *sid_ctx,
1605 unsigned int sid_ctx_len);
1606
1607int SSL_CTX_set_purpose(SSL_CTX *s, int purpose);
1608int SSL_set_purpose(SSL *s, int purpose);
1609int SSL_CTX_set_trust(SSL_CTX *s, int trust);
1610int SSL_set_trust(SSL *s, int trust);
1611
1612int SSL_CTX_set1_param(SSL_CTX *ctx, X509_VERIFY_PARAM *vpm);
1613int SSL_set1_param(SSL *ssl, X509_VERIFY_PARAM *vpm);
1614
1615void SSL_free(SSL *ssl);
1616int SSL_accept(SSL *ssl);
1617int SSL_connect(SSL *ssl);
1618int SSL_read(SSL *ssl,void *buf,int num);
1619int SSL_peek(SSL *ssl,void *buf,int num);
1620int SSL_write(SSL *ssl,const void *buf,int num);
1621long SSL_ctrl(SSL *ssl,int cmd, long larg, void *parg);
1622long SSL_callback_ctrl(SSL *, int, void (*)(void));
1623long SSL_CTX_ctrl(SSL_CTX *ctx,int cmd, long larg, void *parg);
1624long SSL_CTX_callback_ctrl(SSL_CTX *, int, void (*)(void));
1625
1626int SSL_get_error(const SSL *s,int ret_code);
1627const char *SSL_get_version(const SSL *s);
1628
1629/* This sets the 'default' SSL version that SSL_new() will create */
1630int SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *meth);
1631
1632#ifndef OPENSSL_NO_SSL2
1633const SSL_METHOD *SSLv2_method(void); /* SSLv2 */
1634const SSL_METHOD *SSLv2_server_method(void); /* SSLv2 */
1635const SSL_METHOD *SSLv2_client_method(void); /* SSLv2 */
1636#endif
1637
1638const SSL_METHOD *SSLv3_method(void); /* SSLv3 */
1639const SSL_METHOD *SSLv3_server_method(void); /* SSLv3 */
1640const SSL_METHOD *SSLv3_client_method(void); /* SSLv3 */
1641
1642const SSL_METHOD *SSLv23_method(void); /* SSLv3 but can rollback to v2 */
1643const SSL_METHOD *SSLv23_server_method(void); /* SSLv3 but can rollback to v2 */
1644const SSL_METHOD *SSLv23_client_method(void); /* SSLv3 but can rollback to v2 */
1645
1646const SSL_METHOD *TLSv1_method(void); /* TLSv1.0 */
1647const SSL_METHOD *TLSv1_server_method(void); /* TLSv1.0 */
1648const SSL_METHOD *TLSv1_client_method(void); /* TLSv1.0 */
1649
1650const SSL_METHOD *DTLSv1_method(void); /* DTLSv1.0 */
1651const SSL_METHOD *DTLSv1_server_method(void); /* DTLSv1.0 */
1652const SSL_METHOD *DTLSv1_client_method(void); /* DTLSv1.0 */
1653
1654STACK_OF(SSL_CIPHER) *SSL_get_ciphers(const SSL *s);
1655
1656int SSL_do_handshake(SSL *s);
1657int SSL_renegotiate(SSL *s);
1658int SSL_renegotiate_pending(SSL *s);
1659int SSL_shutdown(SSL *s);
1660
1661const SSL_METHOD *SSL_get_ssl_method(SSL *s);
1662int SSL_set_ssl_method(SSL *s, const SSL_METHOD *method);
1663const char *SSL_alert_type_string_long(int value);
1664const char *SSL_alert_type_string(int value);
1665const char *SSL_alert_desc_string_long(int value);
1666const char *SSL_alert_desc_string(int value);
1667
1668void SSL_set_client_CA_list(SSL *s, STACK_OF(X509_NAME) *name_list);
1669void SSL_CTX_set_client_CA_list(SSL_CTX *ctx, STACK_OF(X509_NAME) *name_list);
1670STACK_OF(X509_NAME) *SSL_get_client_CA_list(const SSL *s);
1671STACK_OF(X509_NAME) *SSL_CTX_get_client_CA_list(const SSL_CTX *s);
1672int SSL_add_client_CA(SSL *ssl,X509 *x);
1673int SSL_CTX_add_client_CA(SSL_CTX *ctx,X509 *x);
1674
1675void SSL_set_connect_state(SSL *s);
1676void SSL_set_accept_state(SSL *s);
1677
1678long SSL_get_default_timeout(const SSL *s);
1679
1680int SSL_library_init(void );
1681
1682char *SSL_CIPHER_description(const SSL_CIPHER *,char *buf,int size);
1683STACK_OF(X509_NAME) *SSL_dup_CA_list(STACK_OF(X509_NAME) *sk);
1684
1685SSL *SSL_dup(SSL *ssl);
1686
1687X509 *SSL_get_certificate(const SSL *ssl);
1688/* EVP_PKEY */ struct evp_pkey_st *SSL_get_privatekey(SSL *ssl);
1689
1690void SSL_CTX_set_quiet_shutdown(SSL_CTX *ctx,int mode);
1691int SSL_CTX_get_quiet_shutdown(const SSL_CTX *ctx);
1692void SSL_set_quiet_shutdown(SSL *ssl,int mode);
1693int SSL_get_quiet_shutdown(const SSL *ssl);
1694void SSL_set_shutdown(SSL *ssl,int mode);
1695int SSL_get_shutdown(const SSL *ssl);
1696int SSL_version(const SSL *ssl);
1697int SSL_CTX_set_default_verify_paths(SSL_CTX *ctx);
1698int SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile,
1699 const char *CApath);
1700#define SSL_get0_session SSL_get_session /* just peek at pointer */
1701SSL_SESSION *SSL_get_session(const SSL *ssl);
1702SSL_SESSION *SSL_get1_session(SSL *ssl); /* obtain a reference count */
1703SSL_CTX *SSL_get_SSL_CTX(const SSL *ssl);
1704SSL_CTX *SSL_set_SSL_CTX(SSL *ssl, SSL_CTX* ctx);
1705void SSL_set_info_callback(SSL *ssl,
1706 void (*cb)(const SSL *ssl,int type,int val));
1707void (*SSL_get_info_callback(const SSL *ssl))(const SSL *ssl,int type,int val);
1708int SSL_state(const SSL *ssl);
1709
1710void SSL_set_verify_result(SSL *ssl,long v);
1711long SSL_get_verify_result(const SSL *ssl);
1712
1713int SSL_set_ex_data(SSL *ssl,int idx,void *data);
1714void *SSL_get_ex_data(const SSL *ssl,int idx);
1715int SSL_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
1716 CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func);
1717
1718int SSL_SESSION_set_ex_data(SSL_SESSION *ss,int idx,void *data);
1719void *SSL_SESSION_get_ex_data(const SSL_SESSION *ss,int idx);
1720int SSL_SESSION_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
1721 CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func);
1722
1723int SSL_CTX_set_ex_data(SSL_CTX *ssl,int idx,void *data);
1724void *SSL_CTX_get_ex_data(const SSL_CTX *ssl,int idx);
1725int SSL_CTX_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
1726 CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func);
1727
1728int SSL_get_ex_data_X509_STORE_CTX_idx(void );
1729
1730#define SSL_CTX_sess_set_cache_size(ctx,t) \
1731 SSL_CTX_ctrl(ctx,SSL_CTRL_SET_SESS_CACHE_SIZE,t,NULL)
1732#define SSL_CTX_sess_get_cache_size(ctx) \
1733 SSL_CTX_ctrl(ctx,SSL_CTRL_GET_SESS_CACHE_SIZE,0,NULL)
1734#define SSL_CTX_set_session_cache_mode(ctx,m) \
1735 SSL_CTX_ctrl(ctx,SSL_CTRL_SET_SESS_CACHE_MODE,m,NULL)
1736#define SSL_CTX_get_session_cache_mode(ctx) \
1737 SSL_CTX_ctrl(ctx,SSL_CTRL_GET_SESS_CACHE_MODE,0,NULL)
1738
1739#define SSL_CTX_get_default_read_ahead(ctx) SSL_CTX_get_read_ahead(ctx)
1740#define SSL_CTX_set_default_read_ahead(ctx,m) SSL_CTX_set_read_ahead(ctx,m)
1741#define SSL_CTX_get_read_ahead(ctx) \
1742 SSL_CTX_ctrl(ctx,SSL_CTRL_GET_READ_AHEAD,0,NULL)
1743#define SSL_CTX_set_read_ahead(ctx,m) \
1744 SSL_CTX_ctrl(ctx,SSL_CTRL_SET_READ_AHEAD,m,NULL)
1745#define SSL_CTX_get_max_cert_list(ctx) \
1746 SSL_CTX_ctrl(ctx,SSL_CTRL_GET_MAX_CERT_LIST,0,NULL)
1747#define SSL_CTX_set_max_cert_list(ctx,m) \
1748 SSL_CTX_ctrl(ctx,SSL_CTRL_SET_MAX_CERT_LIST,m,NULL)
1749#define SSL_get_max_cert_list(ssl) \
1750 SSL_ctrl(ssl,SSL_CTRL_GET_MAX_CERT_LIST,0,NULL)
1751#define SSL_set_max_cert_list(ssl,m) \
1752 SSL_ctrl(ssl,SSL_CTRL_SET_MAX_CERT_LIST,m,NULL)
1753
1754#define SSL_CTX_set_max_send_fragment(ctx,m) \
1755 SSL_CTX_ctrl(ctx,SSL_CTRL_SET_MAX_SEND_FRAGMENT,m,NULL)
1756#define SSL_set_max_send_fragment(ssl,m) \
1757 SSL_ctrl(ssl,SSL_CTRL_SET_MAX_SEND_FRAGMENT,m,NULL)
1758
1759 /* NB: the keylength is only applicable when is_export is true */
1760#ifndef OPENSSL_NO_RSA
1761void SSL_CTX_set_tmp_rsa_callback(SSL_CTX *ctx,
1762 RSA *(*cb)(SSL *ssl,int is_export,
1763 int keylength));
1764
1765void SSL_set_tmp_rsa_callback(SSL *ssl,
1766 RSA *(*cb)(SSL *ssl,int is_export,
1767 int keylength));
1768#endif
1769#ifndef OPENSSL_NO_DH
1770void SSL_CTX_set_tmp_dh_callback(SSL_CTX *ctx,
1771 DH *(*dh)(SSL *ssl,int is_export,
1772 int keylength));
1773void SSL_set_tmp_dh_callback(SSL *ssl,
1774 DH *(*dh)(SSL *ssl,int is_export,
1775 int keylength));
1776#endif
1777#ifndef OPENSSL_NO_ECDH
1778void SSL_CTX_set_tmp_ecdh_callback(SSL_CTX *ctx,
1779 EC_KEY *(*ecdh)(SSL *ssl,int is_export,
1780 int keylength));
1781void SSL_set_tmp_ecdh_callback(SSL *ssl,
1782 EC_KEY *(*ecdh)(SSL *ssl,int is_export,
1783 int keylength));
1784#endif
1785
1786#ifndef OPENSSL_NO_COMP
1787const COMP_METHOD *SSL_get_current_compression(SSL *s);
1788const COMP_METHOD *SSL_get_current_expansion(SSL *s);
1789const char *SSL_COMP_get_name(const COMP_METHOD *comp);
1790STACK_OF(SSL_COMP) *SSL_COMP_get_compression_methods(void);
1791int SSL_COMP_add_compression_method(int id,COMP_METHOD *cm);
1792#else
1793const void *SSL_get_current_compression(SSL *s);
1794const void *SSL_get_current_expansion(SSL *s);
1795const char *SSL_COMP_get_name(const void *comp);
1796void *SSL_COMP_get_compression_methods(void);
1797int SSL_COMP_add_compression_method(int id,void *cm);
1798#endif
1799
1800/* TLS extensions functions */
1801int SSL_set_session_ticket_ext(SSL *s, void *ext_data, int ext_len);
1802
1803int SSL_set_session_ticket_ext_cb(SSL *s, tls_session_ticket_ext_cb_fn cb,
1804 void *arg);
1805
1806/* Pre-shared secret session resumption functions */
1807int SSL_set_session_secret_cb(SSL *s, tls_session_secret_cb_fn tls_session_secret_cb, void *arg);
1808
1809/* BEGIN ERROR CODES */
1810/* The following lines are auto generated by the script mkerr.pl. Any changes
1811 * made after this point may be overwritten when the script is next run.
1812 */
1813void ERR_load_SSL_strings(void);
1814
1815/* Error codes for the SSL functions. */
1816
1817/* Function codes. */
1818#define SSL_F_CLIENT_CERTIFICATE 100
1819#define SSL_F_CLIENT_FINISHED 167
1820#define SSL_F_CLIENT_HELLO 101
1821#define SSL_F_CLIENT_MASTER_KEY 102
1822#define SSL_F_D2I_SSL_SESSION 103
1823#define SSL_F_DO_DTLS1_WRITE 245
1824#define SSL_F_DO_SSL3_WRITE 104
1825#define SSL_F_DTLS1_ACCEPT 246
1826#define SSL_F_DTLS1_ADD_CERT_TO_BUF 295
1827#define SSL_F_DTLS1_BUFFER_RECORD 247
1828#define SSL_F_DTLS1_CLIENT_HELLO 248
1829#define SSL_F_DTLS1_CONNECT 249
1830#define SSL_F_DTLS1_ENC 250
1831#define SSL_F_DTLS1_GET_HELLO_VERIFY 251
1832#define SSL_F_DTLS1_GET_MESSAGE 252
1833#define SSL_F_DTLS1_GET_MESSAGE_FRAGMENT 253
1834#define SSL_F_DTLS1_GET_RECORD 254
1835#define SSL_F_DTLS1_HANDLE_TIMEOUT 297
1836#define SSL_F_DTLS1_OUTPUT_CERT_CHAIN 255
1837#define SSL_F_DTLS1_PREPROCESS_FRAGMENT 288
1838#define SSL_F_DTLS1_PROCESS_OUT_OF_SEQ_MESSAGE 256
1839#define SSL_F_DTLS1_PROCESS_RECORD 257
1840#define SSL_F_DTLS1_READ_BYTES 258
1841#define SSL_F_DTLS1_READ_FAILED 259
1842#define SSL_F_DTLS1_SEND_CERTIFICATE_REQUEST 260
1843#define SSL_F_DTLS1_SEND_CLIENT_CERTIFICATE 261
1844#define SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE 262
1845#define SSL_F_DTLS1_SEND_CLIENT_VERIFY 263
1846#define SSL_F_DTLS1_SEND_HELLO_VERIFY_REQUEST 264
1847#define SSL_F_DTLS1_SEND_SERVER_CERTIFICATE 265
1848#define SSL_F_DTLS1_SEND_SERVER_HELLO 266
1849#define SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE 267
1850#define SSL_F_DTLS1_WRITE_APP_DATA_BYTES 268
1851#define SSL_F_GET_CLIENT_FINISHED 105
1852#define SSL_F_GET_CLIENT_HELLO 106
1853#define SSL_F_GET_CLIENT_MASTER_KEY 107
1854#define SSL_F_GET_SERVER_FINISHED 108
1855#define SSL_F_GET_SERVER_HELLO 109
1856#define SSL_F_GET_SERVER_VERIFY 110
1857#define SSL_F_I2D_SSL_SESSION 111
1858#define SSL_F_READ_N 112
1859#define SSL_F_REQUEST_CERTIFICATE 113
1860#define SSL_F_SERVER_FINISH 239
1861#define SSL_F_SERVER_HELLO 114
1862#define SSL_F_SERVER_VERIFY 240
1863#define SSL_F_SSL23_ACCEPT 115
1864#define SSL_F_SSL23_CLIENT_HELLO 116
1865#define SSL_F_SSL23_CONNECT 117
1866#define SSL_F_SSL23_GET_CLIENT_HELLO 118
1867#define SSL_F_SSL23_GET_SERVER_HELLO 119
1868#define SSL_F_SSL23_PEEK 237
1869#define SSL_F_SSL23_READ 120
1870#define SSL_F_SSL23_WRITE 121
1871#define SSL_F_SSL2_ACCEPT 122
1872#define SSL_F_SSL2_CONNECT 123
1873#define SSL_F_SSL2_ENC_INIT 124
1874#define SSL_F_SSL2_GENERATE_KEY_MATERIAL 241
1875#define SSL_F_SSL2_PEEK 234
1876#define SSL_F_SSL2_READ 125
1877#define SSL_F_SSL2_READ_INTERNAL 236
1878#define SSL_F_SSL2_SET_CERTIFICATE 126
1879#define SSL_F_SSL2_WRITE 127
1880#define SSL_F_SSL3_ACCEPT 128
1881#define SSL_F_SSL3_ADD_CERT_TO_BUF 296
1882#define SSL_F_SSL3_CALLBACK_CTRL 233
1883#define SSL_F_SSL3_CHANGE_CIPHER_STATE 129
1884#define SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM 130
1885#define SSL_F_SSL3_CHECK_CLIENT_HELLO 304
1886#define SSL_F_SSL3_CLIENT_HELLO 131
1887#define SSL_F_SSL3_CONNECT 132
1888#define SSL_F_SSL3_CTRL 213
1889#define SSL_F_SSL3_CTX_CTRL 133
1890#define SSL_F_SSL3_DIGEST_CACHED_RECORDS 293
1891#define SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC 292
1892#define SSL_F_SSL3_ENC 134
1893#define SSL_F_SSL3_GENERATE_KEY_BLOCK 238
1894#define SSL_F_SSL3_GET_CERTIFICATE_REQUEST 135
1895#define SSL_F_SSL3_GET_CERT_STATUS 289
1896#define SSL_F_SSL3_GET_CERT_VERIFY 136
1897#define SSL_F_SSL3_GET_CLIENT_CERTIFICATE 137
1898#define SSL_F_SSL3_GET_CLIENT_HELLO 138
1899#define SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE 139
1900#define SSL_F_SSL3_GET_FINISHED 140
1901#define SSL_F_SSL3_GET_KEY_EXCHANGE 141
1902#define SSL_F_SSL3_GET_MESSAGE 142
1903#define SSL_F_SSL3_GET_NEW_SESSION_TICKET 283
1904#define SSL_F_SSL3_GET_RECORD 143
1905#define SSL_F_SSL3_GET_SERVER_CERTIFICATE 144
1906#define SSL_F_SSL3_GET_SERVER_DONE 145
1907#define SSL_F_SSL3_GET_SERVER_HELLO 146
1908#define SSL_F_SSL3_HANDSHAKE_MAC 285
1909#define SSL_F_SSL3_NEW_SESSION_TICKET 287
1910#define SSL_F_SSL3_OUTPUT_CERT_CHAIN 147
1911#define SSL_F_SSL3_PEEK 235
1912#define SSL_F_SSL3_READ_BYTES 148
1913#define SSL_F_SSL3_READ_N 149
1914#define SSL_F_SSL3_SEND_CERTIFICATE_REQUEST 150
1915#define SSL_F_SSL3_SEND_CLIENT_CERTIFICATE 151
1916#define SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE 152
1917#define SSL_F_SSL3_SEND_CLIENT_VERIFY 153
1918#define SSL_F_SSL3_SEND_SERVER_CERTIFICATE 154
1919#define SSL_F_SSL3_SEND_SERVER_HELLO 242
1920#define SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE 155
1921#define SSL_F_SSL3_SETUP_KEY_BLOCK 157
1922#define SSL_F_SSL3_SETUP_READ_BUFFER 156
1923#define SSL_F_SSL3_SETUP_WRITE_BUFFER 291
1924#define SSL_F_SSL3_WRITE_BYTES 158
1925#define SSL_F_SSL3_WRITE_PENDING 159
1926#define SSL_F_SSL_ADD_CLIENTHELLO_RENEGOTIATE_EXT 298
1927#define SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT 277
1928#define SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK 215
1929#define SSL_F_SSL_ADD_FILE_CERT_SUBJECTS_TO_STACK 216
1930#define SSL_F_SSL_ADD_SERVERHELLO_RENEGOTIATE_EXT 299
1931#define SSL_F_SSL_ADD_SERVERHELLO_TLSEXT 278
1932#define SSL_F_SSL_BAD_METHOD 160
1933#define SSL_F_SSL_BYTES_TO_CIPHER_LIST 161
1934#define SSL_F_SSL_CERT_DUP 221
1935#define SSL_F_SSL_CERT_INST 222
1936#define SSL_F_SSL_CERT_INSTANTIATE 214
1937#define SSL_F_SSL_CERT_NEW 162
1938#define SSL_F_SSL_CHECK_PRIVATE_KEY 163
1939#define SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT 280
1940#define SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG 279
1941#define SSL_F_SSL_CIPHER_PROCESS_RULESTR 230
1942#define SSL_F_SSL_CIPHER_STRENGTH_SORT 231
1943#define SSL_F_SSL_CLEAR 164
1944#define SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD 165
1945#define SSL_F_SSL_CREATE_CIPHER_LIST 166
1946#define SSL_F_SSL_CTRL 232
1947#define SSL_F_SSL_CTX_CHECK_PRIVATE_KEY 168
1948#define SSL_F_SSL_CTX_NEW 169
1949#define SSL_F_SSL_CTX_SET_CIPHER_LIST 269
1950#define SSL_F_SSL_CTX_SET_CLIENT_CERT_ENGINE 290
1951#define SSL_F_SSL_CTX_SET_PURPOSE 226
1952#define SSL_F_SSL_CTX_SET_SESSION_ID_CONTEXT 219
1953#define SSL_F_SSL_CTX_SET_SSL_VERSION 170
1954#define SSL_F_SSL_CTX_SET_TRUST 229
1955#define SSL_F_SSL_CTX_USE_CERTIFICATE 171
1956#define SSL_F_SSL_CTX_USE_CERTIFICATE_ASN1 172
1957#define SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE 220
1958#define SSL_F_SSL_CTX_USE_CERTIFICATE_FILE 173
1959#define SSL_F_SSL_CTX_USE_PRIVATEKEY 174
1960#define SSL_F_SSL_CTX_USE_PRIVATEKEY_ASN1 175
1961#define SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE 176
1962#define SSL_F_SSL_CTX_USE_PSK_IDENTITY_HINT 272
1963#define SSL_F_SSL_CTX_USE_RSAPRIVATEKEY 177
1964#define SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_ASN1 178
1965#define SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE 179
1966#define SSL_F_SSL_DO_HANDSHAKE 180
1967#define SSL_F_SSL_GET_NEW_SESSION 181
1968#define SSL_F_SSL_GET_PREV_SESSION 217
1969#define SSL_F_SSL_GET_SERVER_SEND_CERT 182
1970#define SSL_F_SSL_GET_SIGN_PKEY 183
1971#define SSL_F_SSL_INIT_WBIO_BUFFER 184
1972#define SSL_F_SSL_LOAD_CLIENT_CA_FILE 185
1973#define SSL_F_SSL_NEW 186
1974#define SSL_F_SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT 300
1975#define SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT 302
1976#define SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT 301
1977#define SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT 303
1978#define SSL_F_SSL_PEEK 270
1979#define SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT 281
1980#define SSL_F_SSL_PREPARE_SERVERHELLO_TLSEXT 282
1981#define SSL_F_SSL_READ 223
1982#define SSL_F_SSL_RSA_PRIVATE_DECRYPT 187
1983#define SSL_F_SSL_RSA_PUBLIC_ENCRYPT 188
1984#define SSL_F_SSL_SESSION_NEW 189
1985#define SSL_F_SSL_SESSION_PRINT_FP 190
1986#define SSL_F_SSL_SESS_CERT_NEW 225
1987#define SSL_F_SSL_SET_CERT 191
1988#define SSL_F_SSL_SET_CIPHER_LIST 271
1989#define SSL_F_SSL_SET_FD 192
1990#define SSL_F_SSL_SET_PKEY 193
1991#define SSL_F_SSL_SET_PURPOSE 227
1992#define SSL_F_SSL_SET_RFD 194
1993#define SSL_F_SSL_SET_SESSION 195
1994#define SSL_F_SSL_SET_SESSION_ID_CONTEXT 218
1995#define SSL_F_SSL_SET_SESSION_TICKET_EXT 294
1996#define SSL_F_SSL_SET_TRUST 228
1997#define SSL_F_SSL_SET_WFD 196
1998#define SSL_F_SSL_SHUTDOWN 224
1999#define SSL_F_SSL_UNDEFINED_CONST_FUNCTION 243
2000#define SSL_F_SSL_UNDEFINED_FUNCTION 197
2001#define SSL_F_SSL_UNDEFINED_VOID_FUNCTION 244
2002#define SSL_F_SSL_USE_CERTIFICATE 198
2003#define SSL_F_SSL_USE_CERTIFICATE_ASN1 199
2004#define SSL_F_SSL_USE_CERTIFICATE_FILE 200
2005#define SSL_F_SSL_USE_PRIVATEKEY 201
2006#define SSL_F_SSL_USE_PRIVATEKEY_ASN1 202
2007#define SSL_F_SSL_USE_PRIVATEKEY_FILE 203
2008#define SSL_F_SSL_USE_PSK_IDENTITY_HINT 273
2009#define SSL_F_SSL_USE_RSAPRIVATEKEY 204
2010#define SSL_F_SSL_USE_RSAPRIVATEKEY_ASN1 205
2011#define SSL_F_SSL_USE_RSAPRIVATEKEY_FILE 206
2012#define SSL_F_SSL_VERIFY_CERT_CHAIN 207
2013#define SSL_F_SSL_WRITE 208
2014#define SSL_F_TLS1_CERT_VERIFY_MAC 286
2015#define SSL_F_TLS1_CHANGE_CIPHER_STATE 209
2016#define SSL_F_TLS1_CHECK_SERVERHELLO_TLSEXT 274
2017#define SSL_F_TLS1_ENC 210
2018#define SSL_F_TLS1_PREPARE_CLIENTHELLO_TLSEXT 275
2019#define SSL_F_TLS1_PREPARE_SERVERHELLO_TLSEXT 276
2020#define SSL_F_TLS1_PRF 284
2021#define SSL_F_TLS1_SETUP_KEY_BLOCK 211
2022#define SSL_F_WRITE_PENDING 212
2023
2024/* Reason codes. */
2025#define SSL_R_APP_DATA_IN_HANDSHAKE 100
2026#define SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT 272
2027#define SSL_R_BAD_ALERT_RECORD 101
2028#define SSL_R_BAD_AUTHENTICATION_TYPE 102
2029#define SSL_R_BAD_CHANGE_CIPHER_SPEC 103
2030#define SSL_R_BAD_CHECKSUM 104
2031#define SSL_R_BAD_DATA_RETURNED_BY_CALLBACK 106
2032#define SSL_R_BAD_DECOMPRESSION 107
2033#define SSL_R_BAD_DH_G_LENGTH 108
2034#define SSL_R_BAD_DH_PUB_KEY_LENGTH 109
2035#define SSL_R_BAD_DH_P_LENGTH 110
2036#define SSL_R_BAD_DIGEST_LENGTH 111
2037#define SSL_R_BAD_DSA_SIGNATURE 112
2038#define SSL_R_BAD_ECC_CERT 304
2039#define SSL_R_BAD_ECDSA_SIGNATURE 305
2040#define SSL_R_BAD_ECPOINT 306
2041#define SSL_R_BAD_HANDSHAKE_LENGTH 332
2042#define SSL_R_BAD_HELLO_REQUEST 105
2043#define SSL_R_BAD_LENGTH 271
2044#define SSL_R_BAD_MAC_DECODE 113
2045#define SSL_R_BAD_MAC_LENGTH 333
2046#define SSL_R_BAD_MESSAGE_TYPE 114
2047#define SSL_R_BAD_PACKET_LENGTH 115
2048#define SSL_R_BAD_PROTOCOL_VERSION_NUMBER 116
2049#define SSL_R_BAD_PSK_IDENTITY_HINT_LENGTH 316
2050#define SSL_R_BAD_RESPONSE_ARGUMENT 117
2051#define SSL_R_BAD_RSA_DECRYPT 118
2052#define SSL_R_BAD_RSA_ENCRYPT 119
2053#define SSL_R_BAD_RSA_E_LENGTH 120
2054#define SSL_R_BAD_RSA_MODULUS_LENGTH 121
2055#define SSL_R_BAD_RSA_SIGNATURE 122
2056#define SSL_R_BAD_SIGNATURE 123
2057#define SSL_R_BAD_SSL_FILETYPE 124
2058#define SSL_R_BAD_SSL_SESSION_ID_LENGTH 125
2059#define SSL_R_BAD_STATE 126
2060#define SSL_R_BAD_WRITE_RETRY 127
2061#define SSL_R_BIO_NOT_SET 128
2062#define SSL_R_BLOCK_CIPHER_PAD_IS_WRONG 129
2063#define SSL_R_BN_LIB 130
2064#define SSL_R_CA_DN_LENGTH_MISMATCH 131
2065#define SSL_R_CA_DN_TOO_LONG 132
2066#define SSL_R_CCS_RECEIVED_EARLY 133
2067#define SSL_R_CERTIFICATE_VERIFY_FAILED 134
2068#define SSL_R_CERT_LENGTH_MISMATCH 135
2069#define SSL_R_CHALLENGE_IS_DIFFERENT 136
2070#define SSL_R_CIPHER_CODE_WRONG_LENGTH 137
2071#define SSL_R_CIPHER_OR_HASH_UNAVAILABLE 138
2072#define SSL_R_CIPHER_TABLE_SRC_ERROR 139
2073#define SSL_R_CLIENTHELLO_TLSEXT 226
2074#define SSL_R_COMPRESSED_LENGTH_TOO_LONG 140
2075#define SSL_R_COMPRESSION_DISABLED 343
2076#define SSL_R_COMPRESSION_FAILURE 141
2077#define SSL_R_COMPRESSION_ID_NOT_WITHIN_PRIVATE_RANGE 307
2078#define SSL_R_COMPRESSION_LIBRARY_ERROR 142
2079#define SSL_R_CONNECTION_ID_IS_DIFFERENT 143
2080#define SSL_R_CONNECTION_TYPE_NOT_SET 144
2081#define SSL_R_COOKIE_MISMATCH 308
2082#define SSL_R_DATA_BETWEEN_CCS_AND_FINISHED 145
2083#define SSL_R_DATA_LENGTH_TOO_LONG 146
2084#define SSL_R_DECRYPTION_FAILED 147
2085#define SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC 281
2086#define SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG 148
2087#define SSL_R_DIGEST_CHECK_FAILED 149
2088#define SSL_R_DTLS_MESSAGE_TOO_BIG 334
2089#define SSL_R_DUPLICATE_COMPRESSION_ID 309
2090#define SSL_R_ECC_CERT_NOT_FOR_KEY_AGREEMENT 317
2091#define SSL_R_ECC_CERT_NOT_FOR_SIGNING 318
2092#define SSL_R_ECC_CERT_SHOULD_HAVE_RSA_SIGNATURE 322
2093#define SSL_R_ECC_CERT_SHOULD_HAVE_SHA1_SIGNATURE 323
2094#define SSL_R_ECGROUP_TOO_LARGE_FOR_CIPHER 310
2095#define SSL_R_ENCRYPTED_LENGTH_TOO_LONG 150
2096#define SSL_R_ERROR_GENERATING_TMP_RSA_KEY 282
2097#define SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST 151
2098#define SSL_R_EXCESSIVE_MESSAGE_SIZE 152
2099#define SSL_R_EXTRA_DATA_IN_MESSAGE 153
2100#define SSL_R_GOT_A_FIN_BEFORE_A_CCS 154
2101#define SSL_R_HTTPS_PROXY_REQUEST 155
2102#define SSL_R_HTTP_REQUEST 156
2103#define SSL_R_ILLEGAL_PADDING 283
2104#define SSL_R_INCONSISTENT_COMPRESSION 340
2105#define SSL_R_INVALID_CHALLENGE_LENGTH 158
2106#define SSL_R_INVALID_COMMAND 280
2107#define SSL_R_INVALID_COMPRESSION_ALGORITHM 341
2108#define SSL_R_INVALID_PURPOSE 278
2109#define SSL_R_INVALID_STATUS_RESPONSE 328
2110#define SSL_R_INVALID_TICKET_KEYS_LENGTH 325
2111#define SSL_R_INVALID_TRUST 279
2112#define SSL_R_KEY_ARG_TOO_LONG 284
2113#define SSL_R_KRB5 285
2114#define SSL_R_KRB5_C_CC_PRINC 286
2115#define SSL_R_KRB5_C_GET_CRED 287
2116#define SSL_R_KRB5_C_INIT 288
2117#define SSL_R_KRB5_C_MK_REQ 289
2118#define SSL_R_KRB5_S_BAD_TICKET 290
2119#define SSL_R_KRB5_S_INIT 291
2120#define SSL_R_KRB5_S_RD_REQ 292
2121#define SSL_R_KRB5_S_TKT_EXPIRED 293
2122#define SSL_R_KRB5_S_TKT_NYV 294
2123#define SSL_R_KRB5_S_TKT_SKEW 295
2124#define SSL_R_LENGTH_MISMATCH 159
2125#define SSL_R_LENGTH_TOO_SHORT 160
2126#define SSL_R_LIBRARY_BUG 274
2127#define SSL_R_LIBRARY_HAS_NO_CIPHERS 161
2128#define SSL_R_MESSAGE_TOO_LONG 296
2129#define SSL_R_MISSING_DH_DSA_CERT 162
2130#define SSL_R_MISSING_DH_KEY 163
2131#define SSL_R_MISSING_DH_RSA_CERT 164
2132#define SSL_R_MISSING_DSA_SIGNING_CERT 165
2133#define SSL_R_MISSING_EXPORT_TMP_DH_KEY 166
2134#define SSL_R_MISSING_EXPORT_TMP_RSA_KEY 167
2135#define SSL_R_MISSING_RSA_CERTIFICATE 168
2136#define SSL_R_MISSING_RSA_ENCRYPTING_CERT 169
2137#define SSL_R_MISSING_RSA_SIGNING_CERT 170
2138#define SSL_R_MISSING_TMP_DH_KEY 171
2139#define SSL_R_MISSING_TMP_ECDH_KEY 311
2140#define SSL_R_MISSING_TMP_RSA_KEY 172
2141#define SSL_R_MISSING_TMP_RSA_PKEY 173
2142#define SSL_R_MISSING_VERIFY_MESSAGE 174
2143#define SSL_R_MULTIPLE_SGC_RESTARTS 346
2144#define SSL_R_NON_SSLV2_INITIAL_PACKET 175
2145#define SSL_R_NO_CERTIFICATES_RETURNED 176
2146#define SSL_R_NO_CERTIFICATE_ASSIGNED 177
2147#define SSL_R_NO_CERTIFICATE_RETURNED 178
2148#define SSL_R_NO_CERTIFICATE_SET 179
2149#define SSL_R_NO_CERTIFICATE_SPECIFIED 180
2150#define SSL_R_NO_CIPHERS_AVAILABLE 181
2151#define SSL_R_NO_CIPHERS_PASSED 182
2152#define SSL_R_NO_CIPHERS_SPECIFIED 183
2153#define SSL_R_NO_CIPHER_LIST 184
2154#define SSL_R_NO_CIPHER_MATCH 185
2155#define SSL_R_NO_CLIENT_CERT_METHOD 331
2156#define SSL_R_NO_CLIENT_CERT_RECEIVED 186
2157#define SSL_R_NO_COMPRESSION_SPECIFIED 187
2158#define SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER 330
2159#define SSL_R_NO_METHOD_SPECIFIED 188
2160#define SSL_R_NO_PRIVATEKEY 189
2161#define SSL_R_NO_PRIVATE_KEY_ASSIGNED 190
2162#define SSL_R_NO_PROTOCOLS_AVAILABLE 191
2163#define SSL_R_NO_PUBLICKEY 192
2164#define SSL_R_NO_RENEGOTIATION 339
2165#define SSL_R_NO_REQUIRED_DIGEST 324
2166#define SSL_R_NO_SHARED_CIPHER 193
2167#define SSL_R_NO_VERIFY_CALLBACK 194
2168#define SSL_R_NULL_SSL_CTX 195
2169#define SSL_R_NULL_SSL_METHOD_PASSED 196
2170#define SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED 197
2171#define SSL_R_OLD_SESSION_COMPRESSION_ALGORITHM_NOT_RETURNED 344
2172#define SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE 297
2173#define SSL_R_OPAQUE_PRF_INPUT_TOO_LONG 327
2174#define SSL_R_PACKET_LENGTH_TOO_LONG 198
2175#define SSL_R_PARSE_TLSEXT 227
2176#define SSL_R_PATH_TOO_LONG 270
2177#define SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE 199
2178#define SSL_R_PEER_ERROR 200
2179#define SSL_R_PEER_ERROR_CERTIFICATE 201
2180#define SSL_R_PEER_ERROR_NO_CERTIFICATE 202
2181#define SSL_R_PEER_ERROR_NO_CIPHER 203
2182#define SSL_R_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE 204
2183#define SSL_R_PRE_MAC_LENGTH_TOO_LONG 205
2184#define SSL_R_PROBLEMS_MAPPING_CIPHER_FUNCTIONS 206
2185#define SSL_R_PROTOCOL_IS_SHUTDOWN 207
2186#define SSL_R_PSK_IDENTITY_NOT_FOUND 223
2187#define SSL_R_PSK_NO_CLIENT_CB 224
2188#define SSL_R_PSK_NO_SERVER_CB 225
2189#define SSL_R_PUBLIC_KEY_ENCRYPT_ERROR 208
2190#define SSL_R_PUBLIC_KEY_IS_NOT_RSA 209
2191#define SSL_R_PUBLIC_KEY_NOT_RSA 210
2192#define SSL_R_READ_BIO_NOT_SET 211
2193#define SSL_R_READ_TIMEOUT_EXPIRED 312
2194#define SSL_R_READ_WRONG_PACKET_TYPE 212
2195#define SSL_R_RECORD_LENGTH_MISMATCH 213
2196#define SSL_R_RECORD_TOO_LARGE 214
2197#define SSL_R_RECORD_TOO_SMALL 298
2198#define SSL_R_RENEGOTIATE_EXT_TOO_LONG 335
2199#define SSL_R_RENEGOTIATION_ENCODING_ERR 336
2200#define SSL_R_RENEGOTIATION_MISMATCH 337
2201#define SSL_R_REQUIRED_CIPHER_MISSING 215
2202#define SSL_R_REQUIRED_COMPRESSSION_ALGORITHM_MISSING 342
2203#define SSL_R_REUSE_CERT_LENGTH_NOT_ZERO 216
2204#define SSL_R_REUSE_CERT_TYPE_NOT_ZERO 217
2205#define SSL_R_REUSE_CIPHER_LIST_NOT_ZERO 218
2206#define SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING 345
2207#define SSL_R_SERVERHELLO_TLSEXT 275
2208#define SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED 277
2209#define SSL_R_SHORT_READ 219
2210#define SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE 220
2211#define SSL_R_SSL23_DOING_SESSION_ID_REUSE 221
2212#define SSL_R_SSL2_CONNECTION_ID_TOO_LONG 299
2213#define SSL_R_SSL3_EXT_INVALID_ECPOINTFORMAT 321
2214#define SSL_R_SSL3_EXT_INVALID_SERVERNAME 319
2215#define SSL_R_SSL3_EXT_INVALID_SERVERNAME_TYPE 320
2216#define SSL_R_SSL3_SESSION_ID_TOO_LONG 300
2217#define SSL_R_SSL3_SESSION_ID_TOO_SHORT 222
2218#define SSL_R_SSLV3_ALERT_BAD_CERTIFICATE 1042
2219#define SSL_R_SSLV3_ALERT_BAD_RECORD_MAC 1020
2220#define SSL_R_SSLV3_ALERT_CERTIFICATE_EXPIRED 1045
2221#define SSL_R_SSLV3_ALERT_CERTIFICATE_REVOKED 1044
2222#define SSL_R_SSLV3_ALERT_CERTIFICATE_UNKNOWN 1046
2223#define SSL_R_SSLV3_ALERT_DECOMPRESSION_FAILURE 1030
2224#define SSL_R_SSLV3_ALERT_HANDSHAKE_FAILURE 1040
2225#define SSL_R_SSLV3_ALERT_ILLEGAL_PARAMETER 1047
2226#define SSL_R_SSLV3_ALERT_NO_CERTIFICATE 1041
2227#define SSL_R_SSLV3_ALERT_UNEXPECTED_MESSAGE 1010
2228#define SSL_R_SSLV3_ALERT_UNSUPPORTED_CERTIFICATE 1043
2229#define SSL_R_SSL_CTX_HAS_NO_DEFAULT_SSL_VERSION 228
2230#define SSL_R_SSL_HANDSHAKE_FAILURE 229
2231#define SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS 230
2232#define SSL_R_SSL_SESSION_ID_CALLBACK_FAILED 301
2233#define SSL_R_SSL_SESSION_ID_CONFLICT 302
2234#define SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG 273
2235#define SSL_R_SSL_SESSION_ID_HAS_BAD_LENGTH 303
2236#define SSL_R_SSL_SESSION_ID_IS_DIFFERENT 231
2237#define SSL_R_TLSV1_ALERT_ACCESS_DENIED 1049
2238#define SSL_R_TLSV1_ALERT_DECODE_ERROR 1050
2239#define SSL_R_TLSV1_ALERT_DECRYPTION_FAILED 1021
2240#define SSL_R_TLSV1_ALERT_DECRYPT_ERROR 1051
2241#define SSL_R_TLSV1_ALERT_EXPORT_RESTRICTION 1060
2242#define SSL_R_TLSV1_ALERT_INSUFFICIENT_SECURITY 1071
2243#define SSL_R_TLSV1_ALERT_INTERNAL_ERROR 1080
2244#define SSL_R_TLSV1_ALERT_NO_RENEGOTIATION 1100
2245#define SSL_R_TLSV1_ALERT_PROTOCOL_VERSION 1070
2246#define SSL_R_TLSV1_ALERT_RECORD_OVERFLOW 1022
2247#define SSL_R_TLSV1_ALERT_UNKNOWN_CA 1048
2248#define SSL_R_TLSV1_ALERT_USER_CANCELLED 1090
2249#define SSL_R_TLSV1_BAD_CERTIFICATE_HASH_VALUE 1114
2250#define SSL_R_TLSV1_BAD_CERTIFICATE_STATUS_RESPONSE 1113
2251#define SSL_R_TLSV1_CERTIFICATE_UNOBTAINABLE 1111
2252#define SSL_R_TLSV1_UNRECOGNIZED_NAME 1112
2253#define SSL_R_TLSV1_UNSUPPORTED_EXTENSION 1110
2254#define SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER 232
2255#define SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST 157
2256#define SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST 233
2257#define SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG 234
2258#define SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER 235
2259#define SSL_R_UNABLE_TO_DECODE_DH_CERTS 236
2260#define SSL_R_UNABLE_TO_DECODE_ECDH_CERTS 313
2261#define SSL_R_UNABLE_TO_EXTRACT_PUBLIC_KEY 237
2262#define SSL_R_UNABLE_TO_FIND_DH_PARAMETERS 238
2263#define SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS 314
2264#define SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS 239
2265#define SSL_R_UNABLE_TO_FIND_SSL_METHOD 240
2266#define SSL_R_UNABLE_TO_LOAD_SSL2_MD5_ROUTINES 241
2267#define SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES 242
2268#define SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES 243
2269#define SSL_R_UNEXPECTED_MESSAGE 244
2270#define SSL_R_UNEXPECTED_RECORD 245
2271#define SSL_R_UNINITIALIZED 276
2272#define SSL_R_UNKNOWN_ALERT_TYPE 246
2273#define SSL_R_UNKNOWN_CERTIFICATE_TYPE 247
2274#define SSL_R_UNKNOWN_CIPHER_RETURNED 248
2275#define SSL_R_UNKNOWN_CIPHER_TYPE 249
2276#define SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE 250
2277#define SSL_R_UNKNOWN_PKEY_TYPE 251
2278#define SSL_R_UNKNOWN_PROTOCOL 252
2279#define SSL_R_UNKNOWN_REMOTE_ERROR_TYPE 253
2280#define SSL_R_UNKNOWN_SSL_VERSION 254
2281#define SSL_R_UNKNOWN_STATE 255
2282#define SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED 338
2283#define SSL_R_UNSUPPORTED_CIPHER 256
2284#define SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM 257
2285#define SSL_R_UNSUPPORTED_DIGEST_TYPE 326
2286#define SSL_R_UNSUPPORTED_ELLIPTIC_CURVE 315
2287#define SSL_R_UNSUPPORTED_PROTOCOL 258
2288#define SSL_R_UNSUPPORTED_SSL_VERSION 259
2289#define SSL_R_UNSUPPORTED_STATUS_TYPE 329
2290#define SSL_R_WRITE_BIO_NOT_SET 260
2291#define SSL_R_WRONG_CIPHER_RETURNED 261
2292#define SSL_R_WRONG_MESSAGE_TYPE 262
2293#define SSL_R_WRONG_NUMBER_OF_KEY_BITS 263
2294#define SSL_R_WRONG_SIGNATURE_LENGTH 264
2295#define SSL_R_WRONG_SIGNATURE_SIZE 265
2296#define SSL_R_WRONG_SSL_VERSION 266
2297#define SSL_R_WRONG_VERSION_NUMBER 267
2298#define SSL_R_X509_LIB 268
2299#define SSL_R_X509_VERIFICATION_SETUP_PROBLEMS 269
2300
2301#ifdef __cplusplus
2302}
2303#endif
2304#endif
diff --git a/src/lib/libssl/ssl/Makefile b/src/lib/libssl/ssl/Makefile
deleted file mode 100644
index 3215b33574..0000000000
--- a/src/lib/libssl/ssl/Makefile
+++ /dev/null
@@ -1,43 +0,0 @@
1# $OpenBSD: Makefile,v 1.24 2012/07/11 11:02:48 sthen Exp $
2
3LIB= ssl
4WANTLINT=
5
6SSLEAYDIST= src
7
8LSSL_SRC= ${.CURDIR}/../${SSLEAYDIST}/ssl
9
10CFLAGS+= -DOPENSSL_NO_IDEA -DTERMIOS -DANSI_SOURCE
11CFLAGS+= -DOPENSSL_NO_MDC2
12CFLAGS+= -DOPENSSL_NO_RC5 -DOPENSSL_NO_KRB5
13CFLAGS+= -DOPENSSL_NO_SSL2
14CFLAGS+= -I${.CURDIR}/../${SSLEAYDIST} -I${.CURDIR}/../${SSLEAYDIST}/crypto
15
16SRCS=\
17 s2_meth.c s2_srvr.c s2_clnt.c s2_lib.c s2_enc.c s2_pkt.c \
18 s3_meth.c s3_srvr.c s3_clnt.c s3_lib.c s3_enc.c s3_pkt.c s3_both.c \
19 s23_meth.c s23_srvr.c s23_clnt.c s23_lib.c s23_pkt.c \
20 t1_meth.c t1_srvr.c t1_clnt.c t1_lib.c t1_enc.c \
21 d1_meth.c d1_srvr.c d1_clnt.c d1_lib.c d1_pkt.c \
22 d1_both.c d1_enc.c \
23 ssl_lib.c ssl_err2.c ssl_cert.c ssl_sess.c \
24 ssl_ciph.c ssl_stat.c ssl_rsa.c \
25 ssl_asn1.c ssl_txt.c ssl_algs.c \
26 bio_ssl.c ssl_err.c kssl.c t1_reneg.c
27
28HDRS= ssl.h ssl2.h ssl3.h ssl23.h tls1.h dtls1.h kssl.h
29
30.PATH: ${LSSL_SRC}
31
32includes:
33 @test -d ${DESTDIR}/usr/include/openssl || \
34 mkdir ${DESTDIR}/usr/include/openssl
35 @cd ${LSSL_SRC}; for i in $(HDRS); do \
36 j="cmp -s $$i ${DESTDIR}/usr/include/openssl/`basename $$i` || \
37 ${INSTALL} ${INSTALL_COPY} -o ${BINOWN} -g ${BINGRP} -m 444 $$i\
38 ${DESTDIR}/usr/include/openssl"; \
39 echo $$j; \
40 eval "$$j"; \
41 done;
42
43.include <bsd.lib.mk>
diff --git a/src/lib/libssl/ssl/shlib_version b/src/lib/libssl/ssl/shlib_version
deleted file mode 100644
index 94727e17b3..0000000000
--- a/src/lib/libssl/ssl/shlib_version
+++ /dev/null
@@ -1,2 +0,0 @@
1major=18
2minor=0
diff --git a/src/lib/libssl/ssl2.h b/src/lib/libssl/ssl2.h
deleted file mode 100644
index 99a52ea0dd..0000000000
--- a/src/lib/libssl/ssl2.h
+++ /dev/null
@@ -1,268 +0,0 @@
1/* ssl/ssl2.h */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#ifndef HEADER_SSL2_H
60#define HEADER_SSL2_H
61
62#ifdef __cplusplus
63extern "C" {
64#endif
65
66/* Protocol Version Codes */
67#define SSL2_VERSION 0x0002
68#define SSL2_VERSION_MAJOR 0x00
69#define SSL2_VERSION_MINOR 0x02
70/* #define SSL2_CLIENT_VERSION 0x0002 */
71/* #define SSL2_SERVER_VERSION 0x0002 */
72
73/* Protocol Message Codes */
74#define SSL2_MT_ERROR 0
75#define SSL2_MT_CLIENT_HELLO 1
76#define SSL2_MT_CLIENT_MASTER_KEY 2
77#define SSL2_MT_CLIENT_FINISHED 3
78#define SSL2_MT_SERVER_HELLO 4
79#define SSL2_MT_SERVER_VERIFY 5
80#define SSL2_MT_SERVER_FINISHED 6
81#define SSL2_MT_REQUEST_CERTIFICATE 7
82#define SSL2_MT_CLIENT_CERTIFICATE 8
83
84/* Error Message Codes */
85#define SSL2_PE_UNDEFINED_ERROR 0x0000
86#define SSL2_PE_NO_CIPHER 0x0001
87#define SSL2_PE_NO_CERTIFICATE 0x0002
88#define SSL2_PE_BAD_CERTIFICATE 0x0004
89#define SSL2_PE_UNSUPPORTED_CERTIFICATE_TYPE 0x0006
90
91/* Cipher Kind Values */
92#define SSL2_CK_NULL_WITH_MD5 0x02000000 /* v3 */
93#define SSL2_CK_RC4_128_WITH_MD5 0x02010080
94#define SSL2_CK_RC4_128_EXPORT40_WITH_MD5 0x02020080
95#define SSL2_CK_RC2_128_CBC_WITH_MD5 0x02030080
96#define SSL2_CK_RC2_128_CBC_EXPORT40_WITH_MD5 0x02040080
97#define SSL2_CK_IDEA_128_CBC_WITH_MD5 0x02050080
98#define SSL2_CK_DES_64_CBC_WITH_MD5 0x02060040
99#define SSL2_CK_DES_64_CBC_WITH_SHA 0x02060140 /* v3 */
100#define SSL2_CK_DES_192_EDE3_CBC_WITH_MD5 0x020700c0
101#define SSL2_CK_DES_192_EDE3_CBC_WITH_SHA 0x020701c0 /* v3 */
102#define SSL2_CK_RC4_64_WITH_MD5 0x02080080 /* MS hack */
103
104#define SSL2_CK_DES_64_CFB64_WITH_MD5_1 0x02ff0800 /* SSLeay */
105#define SSL2_CK_NULL 0x02ff0810 /* SSLeay */
106
107#define SSL2_TXT_DES_64_CFB64_WITH_MD5_1 "DES-CFB-M1"
108#define SSL2_TXT_NULL_WITH_MD5 "NULL-MD5"
109#define SSL2_TXT_RC4_128_WITH_MD5 "RC4-MD5"
110#define SSL2_TXT_RC4_128_EXPORT40_WITH_MD5 "EXP-RC4-MD5"
111#define SSL2_TXT_RC2_128_CBC_WITH_MD5 "RC2-CBC-MD5"
112#define SSL2_TXT_RC2_128_CBC_EXPORT40_WITH_MD5 "EXP-RC2-CBC-MD5"
113#define SSL2_TXT_IDEA_128_CBC_WITH_MD5 "IDEA-CBC-MD5"
114#define SSL2_TXT_DES_64_CBC_WITH_MD5 "DES-CBC-MD5"
115#define SSL2_TXT_DES_64_CBC_WITH_SHA "DES-CBC-SHA"
116#define SSL2_TXT_DES_192_EDE3_CBC_WITH_MD5 "DES-CBC3-MD5"
117#define SSL2_TXT_DES_192_EDE3_CBC_WITH_SHA "DES-CBC3-SHA"
118#define SSL2_TXT_RC4_64_WITH_MD5 "RC4-64-MD5"
119
120#define SSL2_TXT_NULL "NULL"
121
122/* Flags for the SSL_CIPHER.algorithm2 field */
123#define SSL2_CF_5_BYTE_ENC 0x01
124#define SSL2_CF_8_BYTE_ENC 0x02
125
126/* Certificate Type Codes */
127#define SSL2_CT_X509_CERTIFICATE 0x01
128
129/* Authentication Type Code */
130#define SSL2_AT_MD5_WITH_RSA_ENCRYPTION 0x01
131
132#define SSL2_MAX_SSL_SESSION_ID_LENGTH 32
133
134/* Upper/Lower Bounds */
135#define SSL2_MAX_MASTER_KEY_LENGTH_IN_BITS 256
136#ifdef OPENSSL_SYS_MPE
137#define SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER 29998u
138#else
139#define SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER 32767u /* 2^15-1 */
140#endif
141#define SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER 16383 /* 2^14-1 */
142
143#define SSL2_CHALLENGE_LENGTH 16
144/*#define SSL2_CHALLENGE_LENGTH 32 */
145#define SSL2_MIN_CHALLENGE_LENGTH 16
146#define SSL2_MAX_CHALLENGE_LENGTH 32
147#define SSL2_CONNECTION_ID_LENGTH 16
148#define SSL2_MAX_CONNECTION_ID_LENGTH 16
149#define SSL2_SSL_SESSION_ID_LENGTH 16
150#define SSL2_MAX_CERT_CHALLENGE_LENGTH 32
151#define SSL2_MIN_CERT_CHALLENGE_LENGTH 16
152#define SSL2_MAX_KEY_MATERIAL_LENGTH 24
153
154#ifndef HEADER_SSL_LOCL_H
155#define CERT char
156#endif
157
158typedef struct ssl2_state_st
159 {
160 int three_byte_header;
161 int clear_text; /* clear text */
162 int escape; /* not used in SSLv2 */
163 int ssl2_rollback; /* used if SSLv23 rolled back to SSLv2 */
164
165 /* non-blocking io info, used to make sure the same
166 * args were passwd */
167 unsigned int wnum; /* number of bytes sent so far */
168 int wpend_tot;
169 const unsigned char *wpend_buf;
170
171 int wpend_off; /* offset to data to write */
172 int wpend_len; /* number of bytes passwd to write */
173 int wpend_ret; /* number of bytes to return to caller */
174
175 /* buffer raw data */
176 int rbuf_left;
177 int rbuf_offs;
178 unsigned char *rbuf;
179 unsigned char *wbuf;
180
181 unsigned char *write_ptr;/* used to point to the start due to
182 * 2/3 byte header. */
183
184 unsigned int padding;
185 unsigned int rlength; /* passed to ssl2_enc */
186 int ract_data_length; /* Set when things are encrypted. */
187 unsigned int wlength; /* passed to ssl2_enc */
188 int wact_data_length; /* Set when things are decrypted. */
189 unsigned char *ract_data;
190 unsigned char *wact_data;
191 unsigned char *mac_data;
192
193 unsigned char *read_key;
194 unsigned char *write_key;
195
196 /* Stuff specifically to do with this SSL session */
197 unsigned int challenge_length;
198 unsigned char challenge[SSL2_MAX_CHALLENGE_LENGTH];
199 unsigned int conn_id_length;
200 unsigned char conn_id[SSL2_MAX_CONNECTION_ID_LENGTH];
201 unsigned int key_material_length;
202 unsigned char key_material[SSL2_MAX_KEY_MATERIAL_LENGTH*2];
203
204 unsigned long read_sequence;
205 unsigned long write_sequence;
206
207 struct {
208 unsigned int conn_id_length;
209 unsigned int cert_type;
210 unsigned int cert_length;
211 unsigned int csl;
212 unsigned int clear;
213 unsigned int enc;
214 unsigned char ccl[SSL2_MAX_CERT_CHALLENGE_LENGTH];
215 unsigned int cipher_spec_length;
216 unsigned int session_id_length;
217 unsigned int clen;
218 unsigned int rlen;
219 } tmp;
220 } SSL2_STATE;
221
222/* SSLv2 */
223/* client */
224#define SSL2_ST_SEND_CLIENT_HELLO_A (0x10|SSL_ST_CONNECT)
225#define SSL2_ST_SEND_CLIENT_HELLO_B (0x11|SSL_ST_CONNECT)
226#define SSL2_ST_GET_SERVER_HELLO_A (0x20|SSL_ST_CONNECT)
227#define SSL2_ST_GET_SERVER_HELLO_B (0x21|SSL_ST_CONNECT)
228#define SSL2_ST_SEND_CLIENT_MASTER_KEY_A (0x30|SSL_ST_CONNECT)
229#define SSL2_ST_SEND_CLIENT_MASTER_KEY_B (0x31|SSL_ST_CONNECT)
230#define SSL2_ST_SEND_CLIENT_FINISHED_A (0x40|SSL_ST_CONNECT)
231#define SSL2_ST_SEND_CLIENT_FINISHED_B (0x41|SSL_ST_CONNECT)
232#define SSL2_ST_SEND_CLIENT_CERTIFICATE_A (0x50|SSL_ST_CONNECT)
233#define SSL2_ST_SEND_CLIENT_CERTIFICATE_B (0x51|SSL_ST_CONNECT)
234#define SSL2_ST_SEND_CLIENT_CERTIFICATE_C (0x52|SSL_ST_CONNECT)
235#define SSL2_ST_SEND_CLIENT_CERTIFICATE_D (0x53|SSL_ST_CONNECT)
236#define SSL2_ST_GET_SERVER_VERIFY_A (0x60|SSL_ST_CONNECT)
237#define SSL2_ST_GET_SERVER_VERIFY_B (0x61|SSL_ST_CONNECT)
238#define SSL2_ST_GET_SERVER_FINISHED_A (0x70|SSL_ST_CONNECT)
239#define SSL2_ST_GET_SERVER_FINISHED_B (0x71|SSL_ST_CONNECT)
240#define SSL2_ST_CLIENT_START_ENCRYPTION (0x80|SSL_ST_CONNECT)
241#define SSL2_ST_X509_GET_CLIENT_CERTIFICATE (0x90|SSL_ST_CONNECT)
242/* server */
243#define SSL2_ST_GET_CLIENT_HELLO_A (0x10|SSL_ST_ACCEPT)
244#define SSL2_ST_GET_CLIENT_HELLO_B (0x11|SSL_ST_ACCEPT)
245#define SSL2_ST_GET_CLIENT_HELLO_C (0x12|SSL_ST_ACCEPT)
246#define SSL2_ST_SEND_SERVER_HELLO_A (0x20|SSL_ST_ACCEPT)
247#define SSL2_ST_SEND_SERVER_HELLO_B (0x21|SSL_ST_ACCEPT)
248#define SSL2_ST_GET_CLIENT_MASTER_KEY_A (0x30|SSL_ST_ACCEPT)
249#define SSL2_ST_GET_CLIENT_MASTER_KEY_B (0x31|SSL_ST_ACCEPT)
250#define SSL2_ST_SEND_SERVER_VERIFY_A (0x40|SSL_ST_ACCEPT)
251#define SSL2_ST_SEND_SERVER_VERIFY_B (0x41|SSL_ST_ACCEPT)
252#define SSL2_ST_SEND_SERVER_VERIFY_C (0x42|SSL_ST_ACCEPT)
253#define SSL2_ST_GET_CLIENT_FINISHED_A (0x50|SSL_ST_ACCEPT)
254#define SSL2_ST_GET_CLIENT_FINISHED_B (0x51|SSL_ST_ACCEPT)
255#define SSL2_ST_SEND_SERVER_FINISHED_A (0x60|SSL_ST_ACCEPT)
256#define SSL2_ST_SEND_SERVER_FINISHED_B (0x61|SSL_ST_ACCEPT)
257#define SSL2_ST_SEND_REQUEST_CERTIFICATE_A (0x70|SSL_ST_ACCEPT)
258#define SSL2_ST_SEND_REQUEST_CERTIFICATE_B (0x71|SSL_ST_ACCEPT)
259#define SSL2_ST_SEND_REQUEST_CERTIFICATE_C (0x72|SSL_ST_ACCEPT)
260#define SSL2_ST_SEND_REQUEST_CERTIFICATE_D (0x73|SSL_ST_ACCEPT)
261#define SSL2_ST_SERVER_START_ENCRYPTION (0x80|SSL_ST_ACCEPT)
262#define SSL2_ST_X509_GET_SERVER_CERTIFICATE (0x90|SSL_ST_ACCEPT)
263
264#ifdef __cplusplus
265}
266#endif
267#endif
268
diff --git a/src/lib/libssl/ssl23.h b/src/lib/libssl/ssl23.h
deleted file mode 100644
index d3228983c7..0000000000
--- a/src/lib/libssl/ssl23.h
+++ /dev/null
@@ -1,83 +0,0 @@
1/* ssl/ssl23.h */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#ifndef HEADER_SSL23_H
60#define HEADER_SSL23_H
61
62#ifdef __cplusplus
63extern "C" {
64#endif
65
66/*client */
67/* write to server */
68#define SSL23_ST_CW_CLNT_HELLO_A (0x210|SSL_ST_CONNECT)
69#define SSL23_ST_CW_CLNT_HELLO_B (0x211|SSL_ST_CONNECT)
70/* read from server */
71#define SSL23_ST_CR_SRVR_HELLO_A (0x220|SSL_ST_CONNECT)
72#define SSL23_ST_CR_SRVR_HELLO_B (0x221|SSL_ST_CONNECT)
73
74/* server */
75/* read from client */
76#define SSL23_ST_SR_CLNT_HELLO_A (0x210|SSL_ST_ACCEPT)
77#define SSL23_ST_SR_CLNT_HELLO_B (0x211|SSL_ST_ACCEPT)
78
79#ifdef __cplusplus
80}
81#endif
82#endif
83
diff --git a/src/lib/libssl/ssl3.h b/src/lib/libssl/ssl3.h
deleted file mode 100644
index 9c2c41287a..0000000000
--- a/src/lib/libssl/ssl3.h
+++ /dev/null
@@ -1,648 +0,0 @@
1/* ssl/ssl3.h */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58/* ====================================================================
59 * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved.
60 *
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
63 * are met:
64 *
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
67 *
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
71 * distribution.
72 *
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77 *
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
82 *
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
86 *
87 * 6. Redistributions of any form whatsoever must retain the following
88 * acknowledgment:
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91 *
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
105 *
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
109 *
110 */
111/* ====================================================================
112 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
113 * ECC cipher suite support in OpenSSL originally developed by
114 * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
115 */
116
117#ifndef HEADER_SSL3_H
118#define HEADER_SSL3_H
119
120#ifndef OPENSSL_NO_COMP
121#include <openssl/comp.h>
122#endif
123#include <openssl/buffer.h>
124#include <openssl/evp.h>
125#include <openssl/ssl.h>
126
127#ifdef __cplusplus
128extern "C" {
129#endif
130
131/* Signalling cipher suite value: from draft-ietf-tls-renegotiation-03.txt */
132#define SSL3_CK_SCSV 0x030000FF
133
134#define SSL3_CK_RSA_NULL_MD5 0x03000001
135#define SSL3_CK_RSA_NULL_SHA 0x03000002
136#define SSL3_CK_RSA_RC4_40_MD5 0x03000003
137#define SSL3_CK_RSA_RC4_128_MD5 0x03000004
138#define SSL3_CK_RSA_RC4_128_SHA 0x03000005
139#define SSL3_CK_RSA_RC2_40_MD5 0x03000006
140#define SSL3_CK_RSA_IDEA_128_SHA 0x03000007
141#define SSL3_CK_RSA_DES_40_CBC_SHA 0x03000008
142#define SSL3_CK_RSA_DES_64_CBC_SHA 0x03000009
143#define SSL3_CK_RSA_DES_192_CBC3_SHA 0x0300000A
144
145#define SSL3_CK_DH_DSS_DES_40_CBC_SHA 0x0300000B
146#define SSL3_CK_DH_DSS_DES_64_CBC_SHA 0x0300000C
147#define SSL3_CK_DH_DSS_DES_192_CBC3_SHA 0x0300000D
148#define SSL3_CK_DH_RSA_DES_40_CBC_SHA 0x0300000E
149#define SSL3_CK_DH_RSA_DES_64_CBC_SHA 0x0300000F
150#define SSL3_CK_DH_RSA_DES_192_CBC3_SHA 0x03000010
151
152#define SSL3_CK_EDH_DSS_DES_40_CBC_SHA 0x03000011
153#define SSL3_CK_EDH_DSS_DES_64_CBC_SHA 0x03000012
154#define SSL3_CK_EDH_DSS_DES_192_CBC3_SHA 0x03000013
155#define SSL3_CK_EDH_RSA_DES_40_CBC_SHA 0x03000014
156#define SSL3_CK_EDH_RSA_DES_64_CBC_SHA 0x03000015
157#define SSL3_CK_EDH_RSA_DES_192_CBC3_SHA 0x03000016
158
159#define SSL3_CK_ADH_RC4_40_MD5 0x03000017
160#define SSL3_CK_ADH_RC4_128_MD5 0x03000018
161#define SSL3_CK_ADH_DES_40_CBC_SHA 0x03000019
162#define SSL3_CK_ADH_DES_64_CBC_SHA 0x0300001A
163#define SSL3_CK_ADH_DES_192_CBC_SHA 0x0300001B
164
165#if 0
166 #define SSL3_CK_FZA_DMS_NULL_SHA 0x0300001C
167 #define SSL3_CK_FZA_DMS_FZA_SHA 0x0300001D
168 #if 0 /* Because it clashes with KRB5, is never used any more, and is safe
169 to remove according to David Hopwood <david.hopwood@zetnet.co.uk>
170 of the ietf-tls list */
171 #define SSL3_CK_FZA_DMS_RC4_SHA 0x0300001E
172 #endif
173#endif
174
175/* VRS Additional Kerberos5 entries
176 */
177#define SSL3_CK_KRB5_DES_64_CBC_SHA 0x0300001E
178#define SSL3_CK_KRB5_DES_192_CBC3_SHA 0x0300001F
179#define SSL3_CK_KRB5_RC4_128_SHA 0x03000020
180#define SSL3_CK_KRB5_IDEA_128_CBC_SHA 0x03000021
181#define SSL3_CK_KRB5_DES_64_CBC_MD5 0x03000022
182#define SSL3_CK_KRB5_DES_192_CBC3_MD5 0x03000023
183#define SSL3_CK_KRB5_RC4_128_MD5 0x03000024
184#define SSL3_CK_KRB5_IDEA_128_CBC_MD5 0x03000025
185
186#define SSL3_CK_KRB5_DES_40_CBC_SHA 0x03000026
187#define SSL3_CK_KRB5_RC2_40_CBC_SHA 0x03000027
188#define SSL3_CK_KRB5_RC4_40_SHA 0x03000028
189#define SSL3_CK_KRB5_DES_40_CBC_MD5 0x03000029
190#define SSL3_CK_KRB5_RC2_40_CBC_MD5 0x0300002A
191#define SSL3_CK_KRB5_RC4_40_MD5 0x0300002B
192
193#define SSL3_TXT_RSA_NULL_MD5 "NULL-MD5"
194#define SSL3_TXT_RSA_NULL_SHA "NULL-SHA"
195#define SSL3_TXT_RSA_RC4_40_MD5 "EXP-RC4-MD5"
196#define SSL3_TXT_RSA_RC4_128_MD5 "RC4-MD5"
197#define SSL3_TXT_RSA_RC4_128_SHA "RC4-SHA"
198#define SSL3_TXT_RSA_RC2_40_MD5 "EXP-RC2-CBC-MD5"
199#define SSL3_TXT_RSA_IDEA_128_SHA "IDEA-CBC-SHA"
200#define SSL3_TXT_RSA_DES_40_CBC_SHA "EXP-DES-CBC-SHA"
201#define SSL3_TXT_RSA_DES_64_CBC_SHA "DES-CBC-SHA"
202#define SSL3_TXT_RSA_DES_192_CBC3_SHA "DES-CBC3-SHA"
203
204#define SSL3_TXT_DH_DSS_DES_40_CBC_SHA "EXP-DH-DSS-DES-CBC-SHA"
205#define SSL3_TXT_DH_DSS_DES_64_CBC_SHA "DH-DSS-DES-CBC-SHA"
206#define SSL3_TXT_DH_DSS_DES_192_CBC3_SHA "DH-DSS-DES-CBC3-SHA"
207#define SSL3_TXT_DH_RSA_DES_40_CBC_SHA "EXP-DH-RSA-DES-CBC-SHA"
208#define SSL3_TXT_DH_RSA_DES_64_CBC_SHA "DH-RSA-DES-CBC-SHA"
209#define SSL3_TXT_DH_RSA_DES_192_CBC3_SHA "DH-RSA-DES-CBC3-SHA"
210
211#define SSL3_TXT_EDH_DSS_DES_40_CBC_SHA "EXP-EDH-DSS-DES-CBC-SHA"
212#define SSL3_TXT_EDH_DSS_DES_64_CBC_SHA "EDH-DSS-DES-CBC-SHA"
213#define SSL3_TXT_EDH_DSS_DES_192_CBC3_SHA "EDH-DSS-DES-CBC3-SHA"
214#define SSL3_TXT_EDH_RSA_DES_40_CBC_SHA "EXP-EDH-RSA-DES-CBC-SHA"
215#define SSL3_TXT_EDH_RSA_DES_64_CBC_SHA "EDH-RSA-DES-CBC-SHA"
216#define SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA "EDH-RSA-DES-CBC3-SHA"
217
218#define SSL3_TXT_ADH_RC4_40_MD5 "EXP-ADH-RC4-MD5"
219#define SSL3_TXT_ADH_RC4_128_MD5 "ADH-RC4-MD5"
220#define SSL3_TXT_ADH_DES_40_CBC_SHA "EXP-ADH-DES-CBC-SHA"
221#define SSL3_TXT_ADH_DES_64_CBC_SHA "ADH-DES-CBC-SHA"
222#define SSL3_TXT_ADH_DES_192_CBC_SHA "ADH-DES-CBC3-SHA"
223
224#if 0
225 #define SSL3_TXT_FZA_DMS_NULL_SHA "FZA-NULL-SHA"
226 #define SSL3_TXT_FZA_DMS_FZA_SHA "FZA-FZA-CBC-SHA"
227 #define SSL3_TXT_FZA_DMS_RC4_SHA "FZA-RC4-SHA"
228#endif
229
230#define SSL3_TXT_KRB5_DES_64_CBC_SHA "KRB5-DES-CBC-SHA"
231#define SSL3_TXT_KRB5_DES_192_CBC3_SHA "KRB5-DES-CBC3-SHA"
232#define SSL3_TXT_KRB5_RC4_128_SHA "KRB5-RC4-SHA"
233#define SSL3_TXT_KRB5_IDEA_128_CBC_SHA "KRB5-IDEA-CBC-SHA"
234#define SSL3_TXT_KRB5_DES_64_CBC_MD5 "KRB5-DES-CBC-MD5"
235#define SSL3_TXT_KRB5_DES_192_CBC3_MD5 "KRB5-DES-CBC3-MD5"
236#define SSL3_TXT_KRB5_RC4_128_MD5 "KRB5-RC4-MD5"
237#define SSL3_TXT_KRB5_IDEA_128_CBC_MD5 "KRB5-IDEA-CBC-MD5"
238
239#define SSL3_TXT_KRB5_DES_40_CBC_SHA "EXP-KRB5-DES-CBC-SHA"
240#define SSL3_TXT_KRB5_RC2_40_CBC_SHA "EXP-KRB5-RC2-CBC-SHA"
241#define SSL3_TXT_KRB5_RC4_40_SHA "EXP-KRB5-RC4-SHA"
242#define SSL3_TXT_KRB5_DES_40_CBC_MD5 "EXP-KRB5-DES-CBC-MD5"
243#define SSL3_TXT_KRB5_RC2_40_CBC_MD5 "EXP-KRB5-RC2-CBC-MD5"
244#define SSL3_TXT_KRB5_RC4_40_MD5 "EXP-KRB5-RC4-MD5"
245
246#define SSL3_SSL_SESSION_ID_LENGTH 32
247#define SSL3_MAX_SSL_SESSION_ID_LENGTH 32
248
249#define SSL3_MASTER_SECRET_SIZE 48
250#define SSL3_RANDOM_SIZE 32
251#define SSL3_SESSION_ID_SIZE 32
252#define SSL3_RT_HEADER_LENGTH 5
253
254#ifndef SSL3_ALIGN_PAYLOAD
255 /* Some will argue that this increases memory footprint, but it's
256 * not actually true. Point is that malloc has to return at least
257 * 64-bit aligned pointers, meaning that allocating 5 bytes wastes
258 * 3 bytes in either case. Suggested pre-gaping simply moves these
259 * wasted bytes from the end of allocated region to its front,
260 * but makes data payload aligned, which improves performance:-) */
261# define SSL3_ALIGN_PAYLOAD 8
262#else
263# if (SSL3_ALIGN_PAYLOAD&(SSL3_ALIGN_PAYLOAD-1))!=0
264# error "insane SSL3_ALIGN_PAYLOAD"
265# undef SSL3_ALIGN_PAYLOAD
266# endif
267#endif
268
269/* This is the maximum MAC (digest) size used by the SSL library.
270 * Currently maximum of 20 is used by SHA1, but we reserve for
271 * future extension for 512-bit hashes.
272 */
273
274#define SSL3_RT_MAX_MD_SIZE 64
275
276/* Maximum block size used in all ciphersuites. Currently 16 for AES.
277 */
278
279#define SSL_RT_MAX_CIPHER_BLOCK_SIZE 16
280
281#define SSL3_RT_MAX_EXTRA (16384)
282
283/* Maximum plaintext length: defined by SSL/TLS standards */
284#define SSL3_RT_MAX_PLAIN_LENGTH 16384
285/* Maximum compression overhead: defined by SSL/TLS standards */
286#define SSL3_RT_MAX_COMPRESSED_OVERHEAD 1024
287
288/* The standards give a maximum encryption overhead of 1024 bytes.
289 * In practice the value is lower than this. The overhead is the maximum
290 * number of padding bytes (256) plus the mac size.
291 */
292#define SSL3_RT_MAX_ENCRYPTED_OVERHEAD (256 + SSL3_RT_MAX_MD_SIZE)
293
294/* OpenSSL currently only uses a padding length of at most one block so
295 * the send overhead is smaller.
296 */
297
298#define SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD \
299 (SSL_RT_MAX_CIPHER_BLOCK_SIZE + SSL3_RT_MAX_MD_SIZE)
300
301/* If compression isn't used don't include the compression overhead */
302
303#ifdef OPENSSL_NO_COMP
304#define SSL3_RT_MAX_COMPRESSED_LENGTH SSL3_RT_MAX_PLAIN_LENGTH
305#else
306#define SSL3_RT_MAX_COMPRESSED_LENGTH \
307 (SSL3_RT_MAX_PLAIN_LENGTH+SSL3_RT_MAX_COMPRESSED_OVERHEAD)
308#endif
309#define SSL3_RT_MAX_ENCRYPTED_LENGTH \
310 (SSL3_RT_MAX_ENCRYPTED_OVERHEAD+SSL3_RT_MAX_COMPRESSED_LENGTH)
311#define SSL3_RT_MAX_PACKET_SIZE \
312 (SSL3_RT_MAX_ENCRYPTED_LENGTH+SSL3_RT_HEADER_LENGTH)
313
314#define SSL3_MD_CLIENT_FINISHED_CONST "\x43\x4C\x4E\x54"
315#define SSL3_MD_SERVER_FINISHED_CONST "\x53\x52\x56\x52"
316
317#define SSL3_VERSION 0x0300
318#define SSL3_VERSION_MAJOR 0x03
319#define SSL3_VERSION_MINOR 0x00
320
321#define SSL3_RT_CHANGE_CIPHER_SPEC 20
322#define SSL3_RT_ALERT 21
323#define SSL3_RT_HANDSHAKE 22
324#define SSL3_RT_APPLICATION_DATA 23
325
326#define SSL3_AL_WARNING 1
327#define SSL3_AL_FATAL 2
328
329#define SSL3_AD_CLOSE_NOTIFY 0
330#define SSL3_AD_UNEXPECTED_MESSAGE 10 /* fatal */
331#define SSL3_AD_BAD_RECORD_MAC 20 /* fatal */
332#define SSL3_AD_DECOMPRESSION_FAILURE 30 /* fatal */
333#define SSL3_AD_HANDSHAKE_FAILURE 40 /* fatal */
334#define SSL3_AD_NO_CERTIFICATE 41
335#define SSL3_AD_BAD_CERTIFICATE 42
336#define SSL3_AD_UNSUPPORTED_CERTIFICATE 43
337#define SSL3_AD_CERTIFICATE_REVOKED 44
338#define SSL3_AD_CERTIFICATE_EXPIRED 45
339#define SSL3_AD_CERTIFICATE_UNKNOWN 46
340#define SSL3_AD_ILLEGAL_PARAMETER 47 /* fatal */
341
342typedef struct ssl3_record_st
343 {
344/*r */ int type; /* type of record */
345/*rw*/ unsigned int length; /* How many bytes available */
346/*r */ unsigned int off; /* read/write offset into 'buf' */
347/*rw*/ unsigned char *data; /* pointer to the record data */
348/*rw*/ unsigned char *input; /* where the decode bytes are */
349/*r */ unsigned char *comp; /* only used with decompression - malloc()ed */
350/*r */ unsigned long epoch; /* epoch number, needed by DTLS1 */
351/*r */ unsigned char seq_num[8]; /* sequence number, needed by DTLS1 */
352 } SSL3_RECORD;
353
354typedef struct ssl3_buffer_st
355 {
356 unsigned char *buf; /* at least SSL3_RT_MAX_PACKET_SIZE bytes,
357 * see ssl3_setup_buffers() */
358 size_t len; /* buffer size */
359 int offset; /* where to 'copy from' */
360 int left; /* how many bytes left */
361 } SSL3_BUFFER;
362
363#define SSL3_CT_RSA_SIGN 1
364#define SSL3_CT_DSS_SIGN 2
365#define SSL3_CT_RSA_FIXED_DH 3
366#define SSL3_CT_DSS_FIXED_DH 4
367#define SSL3_CT_RSA_EPHEMERAL_DH 5
368#define SSL3_CT_DSS_EPHEMERAL_DH 6
369#define SSL3_CT_FORTEZZA_DMS 20
370/* SSL3_CT_NUMBER is used to size arrays and it must be large
371 * enough to contain all of the cert types defined either for
372 * SSLv3 and TLSv1.
373 */
374#define SSL3_CT_NUMBER 9
375
376
377#define SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS 0x0001
378#define SSL3_FLAGS_DELAY_CLIENT_FINISHED 0x0002
379#define SSL3_FLAGS_POP_BUFFER 0x0004
380#define TLS1_FLAGS_TLS_PADDING_BUG 0x0008
381#define TLS1_FLAGS_SKIP_CERT_VERIFY 0x0010
382
383/* SSL3_FLAGS_SGC_RESTART_DONE is set when we
384 * restart a handshake because of MS SGC and so prevents us
385 * from restarting the handshake in a loop. It's reset on a
386 * renegotiation, so effectively limits the client to one restart
387 * per negotiation. This limits the possibility of a DDoS
388 * attack where the client handshakes in a loop using SGC to
389 * restart. Servers which permit renegotiation can still be
390 * effected, but we can't prevent that.
391 */
392#define SSL3_FLAGS_SGC_RESTART_DONE 0x0040
393
394typedef struct ssl3_state_st
395 {
396 long flags;
397 int delay_buf_pop_ret;
398
399 unsigned char read_sequence[8];
400 int read_mac_secret_size;
401 unsigned char read_mac_secret[EVP_MAX_MD_SIZE];
402 unsigned char write_sequence[8];
403 int write_mac_secret_size;
404 unsigned char write_mac_secret[EVP_MAX_MD_SIZE];
405
406 unsigned char server_random[SSL3_RANDOM_SIZE];
407 unsigned char client_random[SSL3_RANDOM_SIZE];
408
409 /* flags for countermeasure against known-IV weakness */
410 int need_empty_fragments;
411 int empty_fragment_done;
412
413 /* The value of 'extra' when the buffers were initialized */
414 int init_extra;
415
416 SSL3_BUFFER rbuf; /* read IO goes into here */
417 SSL3_BUFFER wbuf; /* write IO goes into here */
418
419 SSL3_RECORD rrec; /* each decoded record goes in here */
420 SSL3_RECORD wrec; /* goes out from here */
421
422 /* storage for Alert/Handshake protocol data received but not
423 * yet processed by ssl3_read_bytes: */
424 unsigned char alert_fragment[2];
425 unsigned int alert_fragment_len;
426 unsigned char handshake_fragment[4];
427 unsigned int handshake_fragment_len;
428
429 /* partial write - check the numbers match */
430 unsigned int wnum; /* number of bytes sent so far */
431 int wpend_tot; /* number bytes written */
432 int wpend_type;
433 int wpend_ret; /* number of bytes submitted */
434 const unsigned char *wpend_buf;
435
436 /* used during startup, digest all incoming/outgoing packets */
437 BIO *handshake_buffer;
438 /* When set of handshake digests is determined, buffer is hashed
439 * and freed and MD_CTX-es for all required digests are stored in
440 * this array */
441 EVP_MD_CTX **handshake_dgst;
442 /* this is set whenerver we see a change_cipher_spec message
443 * come in when we are not looking for one */
444 int change_cipher_spec;
445
446 int warn_alert;
447 int fatal_alert;
448 /* we allow one fatal and one warning alert to be outstanding,
449 * send close alert via the warning alert */
450 int alert_dispatch;
451 unsigned char send_alert[2];
452
453 /* This flag is set when we should renegotiate ASAP, basically when
454 * there is no more data in the read or write buffers */
455 int renegotiate;
456 int total_renegotiations;
457 int num_renegotiations;
458
459 int in_read_app_data;
460
461 /* Opaque PRF input as used for the current handshake.
462 * These fields are used only if TLSEXT_TYPE_opaque_prf_input is defined
463 * (otherwise, they are merely present to improve binary compatibility) */
464 void *client_opaque_prf_input;
465 size_t client_opaque_prf_input_len;
466 void *server_opaque_prf_input;
467 size_t server_opaque_prf_input_len;
468
469 struct {
470 /* actually only needs to be 16+20 */
471 unsigned char cert_verify_md[EVP_MAX_MD_SIZE*2];
472
473 /* actually only need to be 16+20 for SSLv3 and 12 for TLS */
474 unsigned char finish_md[EVP_MAX_MD_SIZE*2];
475 int finish_md_len;
476 unsigned char peer_finish_md[EVP_MAX_MD_SIZE*2];
477 int peer_finish_md_len;
478
479 unsigned long message_size;
480 int message_type;
481
482 /* used to hold the new cipher we are going to use */
483 const SSL_CIPHER *new_cipher;
484#ifndef OPENSSL_NO_DH
485 DH *dh;
486#endif
487
488#ifndef OPENSSL_NO_ECDH
489 EC_KEY *ecdh; /* holds short lived ECDH key */
490#endif
491
492 /* used when SSL_ST_FLUSH_DATA is entered */
493 int next_state;
494
495 int reuse_message;
496
497 /* used for certificate requests */
498 int cert_req;
499 int ctype_num;
500 char ctype[SSL3_CT_NUMBER];
501 STACK_OF(X509_NAME) *ca_names;
502
503 int use_rsa_tmp;
504
505 int key_block_length;
506 unsigned char *key_block;
507
508 const EVP_CIPHER *new_sym_enc;
509 const EVP_MD *new_hash;
510 int new_mac_pkey_type;
511 int new_mac_secret_size;
512#ifndef OPENSSL_NO_COMP
513 const SSL_COMP *new_compression;
514#else
515 char *new_compression;
516#endif
517 int cert_request;
518 } tmp;
519
520 /* Connection binding to prevent renegotiation attacks */
521 unsigned char previous_client_finished[EVP_MAX_MD_SIZE];
522 unsigned char previous_client_finished_len;
523 unsigned char previous_server_finished[EVP_MAX_MD_SIZE];
524 unsigned char previous_server_finished_len;
525 int send_connection_binding; /* TODOEKR */
526 } SSL3_STATE;
527
528
529/* SSLv3 */
530/*client */
531/* extra state */
532#define SSL3_ST_CW_FLUSH (0x100|SSL_ST_CONNECT)
533/* write to server */
534#define SSL3_ST_CW_CLNT_HELLO_A (0x110|SSL_ST_CONNECT)
535#define SSL3_ST_CW_CLNT_HELLO_B (0x111|SSL_ST_CONNECT)
536/* read from server */
537#define SSL3_ST_CR_SRVR_HELLO_A (0x120|SSL_ST_CONNECT)
538#define SSL3_ST_CR_SRVR_HELLO_B (0x121|SSL_ST_CONNECT)
539#define DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A (0x126|SSL_ST_CONNECT)
540#define DTLS1_ST_CR_HELLO_VERIFY_REQUEST_B (0x127|SSL_ST_CONNECT)
541#define SSL3_ST_CR_CERT_A (0x130|SSL_ST_CONNECT)
542#define SSL3_ST_CR_CERT_B (0x131|SSL_ST_CONNECT)
543#define SSL3_ST_CR_KEY_EXCH_A (0x140|SSL_ST_CONNECT)
544#define SSL3_ST_CR_KEY_EXCH_B (0x141|SSL_ST_CONNECT)
545#define SSL3_ST_CR_CERT_REQ_A (0x150|SSL_ST_CONNECT)
546#define SSL3_ST_CR_CERT_REQ_B (0x151|SSL_ST_CONNECT)
547#define SSL3_ST_CR_SRVR_DONE_A (0x160|SSL_ST_CONNECT)
548#define SSL3_ST_CR_SRVR_DONE_B (0x161|SSL_ST_CONNECT)
549/* write to server */
550#define SSL3_ST_CW_CERT_A (0x170|SSL_ST_CONNECT)
551#define SSL3_ST_CW_CERT_B (0x171|SSL_ST_CONNECT)
552#define SSL3_ST_CW_CERT_C (0x172|SSL_ST_CONNECT)
553#define SSL3_ST_CW_CERT_D (0x173|SSL_ST_CONNECT)
554#define SSL3_ST_CW_KEY_EXCH_A (0x180|SSL_ST_CONNECT)
555#define SSL3_ST_CW_KEY_EXCH_B (0x181|SSL_ST_CONNECT)
556#define SSL3_ST_CW_CERT_VRFY_A (0x190|SSL_ST_CONNECT)
557#define SSL3_ST_CW_CERT_VRFY_B (0x191|SSL_ST_CONNECT)
558#define SSL3_ST_CW_CHANGE_A (0x1A0|SSL_ST_CONNECT)
559#define SSL3_ST_CW_CHANGE_B (0x1A1|SSL_ST_CONNECT)
560#define SSL3_ST_CW_FINISHED_A (0x1B0|SSL_ST_CONNECT)
561#define SSL3_ST_CW_FINISHED_B (0x1B1|SSL_ST_CONNECT)
562/* read from server */
563#define SSL3_ST_CR_CHANGE_A (0x1C0|SSL_ST_CONNECT)
564#define SSL3_ST_CR_CHANGE_B (0x1C1|SSL_ST_CONNECT)
565#define SSL3_ST_CR_FINISHED_A (0x1D0|SSL_ST_CONNECT)
566#define SSL3_ST_CR_FINISHED_B (0x1D1|SSL_ST_CONNECT)
567#define SSL3_ST_CR_SESSION_TICKET_A (0x1E0|SSL_ST_CONNECT)
568#define SSL3_ST_CR_SESSION_TICKET_B (0x1E1|SSL_ST_CONNECT)
569#define SSL3_ST_CR_CERT_STATUS_A (0x1F0|SSL_ST_CONNECT)
570#define SSL3_ST_CR_CERT_STATUS_B (0x1F1|SSL_ST_CONNECT)
571
572/* server */
573/* extra state */
574#define SSL3_ST_SW_FLUSH (0x100|SSL_ST_ACCEPT)
575/* read from client */
576/* Do not change the number values, they do matter */
577#define SSL3_ST_SR_CLNT_HELLO_A (0x110|SSL_ST_ACCEPT)
578#define SSL3_ST_SR_CLNT_HELLO_B (0x111|SSL_ST_ACCEPT)
579#define SSL3_ST_SR_CLNT_HELLO_C (0x112|SSL_ST_ACCEPT)
580/* write to client */
581#define DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A (0x113|SSL_ST_ACCEPT)
582#define DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B (0x114|SSL_ST_ACCEPT)
583#define SSL3_ST_SW_HELLO_REQ_A (0x120|SSL_ST_ACCEPT)
584#define SSL3_ST_SW_HELLO_REQ_B (0x121|SSL_ST_ACCEPT)
585#define SSL3_ST_SW_HELLO_REQ_C (0x122|SSL_ST_ACCEPT)
586#define SSL3_ST_SW_SRVR_HELLO_A (0x130|SSL_ST_ACCEPT)
587#define SSL3_ST_SW_SRVR_HELLO_B (0x131|SSL_ST_ACCEPT)
588#define SSL3_ST_SW_CERT_A (0x140|SSL_ST_ACCEPT)
589#define SSL3_ST_SW_CERT_B (0x141|SSL_ST_ACCEPT)
590#define SSL3_ST_SW_KEY_EXCH_A (0x150|SSL_ST_ACCEPT)
591#define SSL3_ST_SW_KEY_EXCH_B (0x151|SSL_ST_ACCEPT)
592#define SSL3_ST_SW_CERT_REQ_A (0x160|SSL_ST_ACCEPT)
593#define SSL3_ST_SW_CERT_REQ_B (0x161|SSL_ST_ACCEPT)
594#define SSL3_ST_SW_SRVR_DONE_A (0x170|SSL_ST_ACCEPT)
595#define SSL3_ST_SW_SRVR_DONE_B (0x171|SSL_ST_ACCEPT)
596/* read from client */
597#define SSL3_ST_SR_CERT_A (0x180|SSL_ST_ACCEPT)
598#define SSL3_ST_SR_CERT_B (0x181|SSL_ST_ACCEPT)
599#define SSL3_ST_SR_KEY_EXCH_A (0x190|SSL_ST_ACCEPT)
600#define SSL3_ST_SR_KEY_EXCH_B (0x191|SSL_ST_ACCEPT)
601#define SSL3_ST_SR_CERT_VRFY_A (0x1A0|SSL_ST_ACCEPT)
602#define SSL3_ST_SR_CERT_VRFY_B (0x1A1|SSL_ST_ACCEPT)
603#define SSL3_ST_SR_CHANGE_A (0x1B0|SSL_ST_ACCEPT)
604#define SSL3_ST_SR_CHANGE_B (0x1B1|SSL_ST_ACCEPT)
605#define SSL3_ST_SR_FINISHED_A (0x1C0|SSL_ST_ACCEPT)
606#define SSL3_ST_SR_FINISHED_B (0x1C1|SSL_ST_ACCEPT)
607/* write to client */
608#define SSL3_ST_SW_CHANGE_A (0x1D0|SSL_ST_ACCEPT)
609#define SSL3_ST_SW_CHANGE_B (0x1D1|SSL_ST_ACCEPT)
610#define SSL3_ST_SW_FINISHED_A (0x1E0|SSL_ST_ACCEPT)
611#define SSL3_ST_SW_FINISHED_B (0x1E1|SSL_ST_ACCEPT)
612#define SSL3_ST_SW_SESSION_TICKET_A (0x1F0|SSL_ST_ACCEPT)
613#define SSL3_ST_SW_SESSION_TICKET_B (0x1F1|SSL_ST_ACCEPT)
614#define SSL3_ST_SW_CERT_STATUS_A (0x200|SSL_ST_ACCEPT)
615#define SSL3_ST_SW_CERT_STATUS_B (0x201|SSL_ST_ACCEPT)
616
617#define SSL3_MT_HELLO_REQUEST 0
618#define SSL3_MT_CLIENT_HELLO 1
619#define SSL3_MT_SERVER_HELLO 2
620#define SSL3_MT_NEWSESSION_TICKET 4
621#define SSL3_MT_CERTIFICATE 11
622#define SSL3_MT_SERVER_KEY_EXCHANGE 12
623#define SSL3_MT_CERTIFICATE_REQUEST 13
624#define SSL3_MT_SERVER_DONE 14
625#define SSL3_MT_CERTIFICATE_VERIFY 15
626#define SSL3_MT_CLIENT_KEY_EXCHANGE 16
627#define SSL3_MT_FINISHED 20
628#define SSL3_MT_CERTIFICATE_STATUS 22
629#define DTLS1_MT_HELLO_VERIFY_REQUEST 3
630
631
632#define SSL3_MT_CCS 1
633
634/* These are used when changing over to a new cipher */
635#define SSL3_CC_READ 0x01
636#define SSL3_CC_WRITE 0x02
637#define SSL3_CC_CLIENT 0x10
638#define SSL3_CC_SERVER 0x20
639#define SSL3_CHANGE_CIPHER_CLIENT_WRITE (SSL3_CC_CLIENT|SSL3_CC_WRITE)
640#define SSL3_CHANGE_CIPHER_SERVER_READ (SSL3_CC_SERVER|SSL3_CC_READ)
641#define SSL3_CHANGE_CIPHER_CLIENT_READ (SSL3_CC_CLIENT|SSL3_CC_READ)
642#define SSL3_CHANGE_CIPHER_SERVER_WRITE (SSL3_CC_SERVER|SSL3_CC_WRITE)
643
644#ifdef __cplusplus
645}
646#endif
647#endif
648
diff --git a/src/lib/libssl/ssl_algs.c b/src/lib/libssl/ssl_algs.c
deleted file mode 100644
index 0967b2dfe4..0000000000
--- a/src/lib/libssl/ssl_algs.c
+++ /dev/null
@@ -1,140 +0,0 @@
1/* ssl/ssl_algs.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#include <stdio.h>
60#include <openssl/objects.h>
61#include <openssl/lhash.h>
62#include "ssl_locl.h"
63
64int SSL_library_init(void)
65 {
66
67#ifndef OPENSSL_NO_DES
68 EVP_add_cipher(EVP_des_cbc());
69 EVP_add_cipher(EVP_des_ede3_cbc());
70#endif
71#ifndef OPENSSL_NO_IDEA
72 EVP_add_cipher(EVP_idea_cbc());
73#endif
74#ifndef OPENSSL_NO_RC4
75 EVP_add_cipher(EVP_rc4());
76#endif
77#ifndef OPENSSL_NO_RC2
78 EVP_add_cipher(EVP_rc2_cbc());
79 /* Not actually used for SSL/TLS but this makes PKCS#12 work
80 * if an application only calls SSL_library_init().
81 */
82 EVP_add_cipher(EVP_rc2_40_cbc());
83#endif
84#ifndef OPENSSL_NO_AES
85 EVP_add_cipher(EVP_aes_128_cbc());
86 EVP_add_cipher(EVP_aes_192_cbc());
87 EVP_add_cipher(EVP_aes_256_cbc());
88#endif
89#ifndef OPENSSL_NO_CAMELLIA
90 EVP_add_cipher(EVP_camellia_128_cbc());
91 EVP_add_cipher(EVP_camellia_256_cbc());
92#endif
93
94#ifndef OPENSSL_NO_SEED
95 EVP_add_cipher(EVP_seed_cbc());
96#endif
97
98#ifndef OPENSSL_NO_MD5
99 EVP_add_digest(EVP_md5());
100 EVP_add_digest_alias(SN_md5,"ssl2-md5");
101 EVP_add_digest_alias(SN_md5,"ssl3-md5");
102#endif
103#ifndef OPENSSL_NO_SHA
104 EVP_add_digest(EVP_sha1()); /* RSA with sha1 */
105 EVP_add_digest_alias(SN_sha1,"ssl3-sha1");
106 EVP_add_digest_alias(SN_sha1WithRSAEncryption,SN_sha1WithRSA);
107#endif
108#ifndef OPENSSL_NO_SHA256
109 EVP_add_digest(EVP_sha224());
110 EVP_add_digest(EVP_sha256());
111#endif
112#ifndef OPENSSL_NO_SHA512
113 EVP_add_digest(EVP_sha384());
114 EVP_add_digest(EVP_sha512());
115#endif
116#if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_DSA)
117 EVP_add_digest(EVP_dss1()); /* DSA with sha1 */
118 EVP_add_digest_alias(SN_dsaWithSHA1,SN_dsaWithSHA1_2);
119 EVP_add_digest_alias(SN_dsaWithSHA1,"DSS1");
120 EVP_add_digest_alias(SN_dsaWithSHA1,"dss1");
121#endif
122#ifndef OPENSSL_NO_ECDSA
123 EVP_add_digest(EVP_ecdsa());
124#endif
125 /* If you want support for phased out ciphers, add the following */
126#if 0
127 EVP_add_digest(EVP_sha());
128 EVP_add_digest(EVP_dss());
129#endif
130#ifndef OPENSSL_NO_COMP
131 /* This will initialise the built-in compression algorithms.
132 The value returned is a STACK_OF(SSL_COMP), but that can
133 be discarded safely */
134 (void)SSL_COMP_get_compression_methods();
135#endif
136 /* initialize cipher/digest methods table */
137 ssl_load_ciphers();
138 return(1);
139 }
140
diff --git a/src/lib/libssl/ssl_asn1.c b/src/lib/libssl/ssl_asn1.c
deleted file mode 100644
index d7f4c6087e..0000000000
--- a/src/lib/libssl/ssl_asn1.c
+++ /dev/null
@@ -1,592 +0,0 @@
1/* ssl/ssl_asn1.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58/* ====================================================================
59 * Copyright 2005 Nokia. All rights reserved.
60 *
61 * The portions of the attached software ("Contribution") is developed by
62 * Nokia Corporation and is licensed pursuant to the OpenSSL open source
63 * license.
64 *
65 * The Contribution, originally written by Mika Kousa and Pasi Eronen of
66 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
67 * support (see RFC 4279) to OpenSSL.
68 *
69 * No patent licenses or other rights except those expressly stated in
70 * the OpenSSL open source license shall be deemed granted or received
71 * expressly, by implication, estoppel, or otherwise.
72 *
73 * No assurances are provided by Nokia that the Contribution does not
74 * infringe the patent or other intellectual property rights of any third
75 * party or that the license provides you with all the necessary rights
76 * to make use of the Contribution.
77 *
78 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
79 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
80 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
81 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
82 * OTHERWISE.
83 */
84
85#include <stdio.h>
86#include <stdlib.h>
87#include "ssl_locl.h"
88#include <openssl/asn1_mac.h>
89#include <openssl/objects.h>
90#include <openssl/x509.h>
91
92typedef struct ssl_session_asn1_st
93 {
94 ASN1_INTEGER version;
95 ASN1_INTEGER ssl_version;
96 ASN1_OCTET_STRING cipher;
97 ASN1_OCTET_STRING comp_id;
98 ASN1_OCTET_STRING master_key;
99 ASN1_OCTET_STRING session_id;
100 ASN1_OCTET_STRING session_id_context;
101 ASN1_OCTET_STRING key_arg;
102#ifndef OPENSSL_NO_KRB5
103 ASN1_OCTET_STRING krb5_princ;
104#endif /* OPENSSL_NO_KRB5 */
105 ASN1_INTEGER time;
106 ASN1_INTEGER timeout;
107 ASN1_INTEGER verify_result;
108#ifndef OPENSSL_NO_TLSEXT
109 ASN1_OCTET_STRING tlsext_hostname;
110 ASN1_INTEGER tlsext_tick_lifetime;
111 ASN1_OCTET_STRING tlsext_tick;
112#endif /* OPENSSL_NO_TLSEXT */
113#ifndef OPENSSL_NO_PSK
114 ASN1_OCTET_STRING psk_identity_hint;
115 ASN1_OCTET_STRING psk_identity;
116#endif /* OPENSSL_NO_PSK */
117 } SSL_SESSION_ASN1;
118
119int i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp)
120 {
121#define LSIZE2 (sizeof(long)*2)
122 int v1=0,v2=0,v3=0,v4=0,v5=0,v7=0,v8=0;
123 unsigned char buf[4],ibuf1[LSIZE2],ibuf2[LSIZE2];
124 unsigned char ibuf3[LSIZE2],ibuf4[LSIZE2],ibuf5[LSIZE2];
125#ifndef OPENSSL_NO_TLSEXT
126 int v6=0,v9=0,v10=0;
127 unsigned char ibuf6[LSIZE2];
128#endif
129#ifndef OPENSSL_NO_COMP
130 unsigned char cbuf;
131 int v11=0;
132#endif
133 long l;
134 SSL_SESSION_ASN1 a;
135 M_ASN1_I2D_vars(in);
136
137 if ((in == NULL) || ((in->cipher == NULL) && (in->cipher_id == 0)))
138 return(0);
139
140 /* Note that I cheat in the following 2 assignments. I know
141 * that if the ASN1_INTEGER passed to ASN1_INTEGER_set
142 * is > sizeof(long)+1, the buffer will not be re-OPENSSL_malloc()ed.
143 * This is a bit evil but makes things simple, no dynamic allocation
144 * to clean up :-) */
145 a.version.length=LSIZE2;
146 a.version.type=V_ASN1_INTEGER;
147 a.version.data=ibuf1;
148 ASN1_INTEGER_set(&(a.version),SSL_SESSION_ASN1_VERSION);
149
150 a.ssl_version.length=LSIZE2;
151 a.ssl_version.type=V_ASN1_INTEGER;
152 a.ssl_version.data=ibuf2;
153 ASN1_INTEGER_set(&(a.ssl_version),in->ssl_version);
154
155 a.cipher.type=V_ASN1_OCTET_STRING;
156 a.cipher.data=buf;
157
158 if (in->cipher == NULL)
159 l=in->cipher_id;
160 else
161 l=in->cipher->id;
162 if (in->ssl_version == SSL2_VERSION)
163 {
164 a.cipher.length=3;
165 buf[0]=((unsigned char)(l>>16L))&0xff;
166 buf[1]=((unsigned char)(l>> 8L))&0xff;
167 buf[2]=((unsigned char)(l ))&0xff;
168 }
169 else
170 {
171 a.cipher.length=2;
172 buf[0]=((unsigned char)(l>>8L))&0xff;
173 buf[1]=((unsigned char)(l ))&0xff;
174 }
175
176#ifndef OPENSSL_NO_COMP
177 if (in->compress_meth)
178 {
179 cbuf = (unsigned char)in->compress_meth;
180 a.comp_id.length = 1;
181 a.comp_id.type = V_ASN1_OCTET_STRING;
182 a.comp_id.data = &cbuf;
183 }
184#endif
185
186 a.master_key.length=in->master_key_length;
187 a.master_key.type=V_ASN1_OCTET_STRING;
188 a.master_key.data=in->master_key;
189
190 a.session_id.length=in->session_id_length;
191 a.session_id.type=V_ASN1_OCTET_STRING;
192 a.session_id.data=in->session_id;
193
194 a.session_id_context.length=in->sid_ctx_length;
195 a.session_id_context.type=V_ASN1_OCTET_STRING;
196 a.session_id_context.data=in->sid_ctx;
197
198 a.key_arg.length=in->key_arg_length;
199 a.key_arg.type=V_ASN1_OCTET_STRING;
200 a.key_arg.data=in->key_arg;
201
202#ifndef OPENSSL_NO_KRB5
203 if (in->krb5_client_princ_len)
204 {
205 a.krb5_princ.length=in->krb5_client_princ_len;
206 a.krb5_princ.type=V_ASN1_OCTET_STRING;
207 a.krb5_princ.data=in->krb5_client_princ;
208 }
209#endif /* OPENSSL_NO_KRB5 */
210
211 if (in->time != 0L)
212 {
213 a.time.length=LSIZE2;
214 a.time.type=V_ASN1_INTEGER;
215 a.time.data=ibuf3;
216 ASN1_INTEGER_set(&(a.time),in->time);
217 }
218
219 if (in->timeout != 0L)
220 {
221 a.timeout.length=LSIZE2;
222 a.timeout.type=V_ASN1_INTEGER;
223 a.timeout.data=ibuf4;
224 ASN1_INTEGER_set(&(a.timeout),in->timeout);
225 }
226
227 if (in->verify_result != X509_V_OK)
228 {
229 a.verify_result.length=LSIZE2;
230 a.verify_result.type=V_ASN1_INTEGER;
231 a.verify_result.data=ibuf5;
232 ASN1_INTEGER_set(&a.verify_result,in->verify_result);
233 }
234
235#ifndef OPENSSL_NO_TLSEXT
236 if (in->tlsext_hostname)
237 {
238 a.tlsext_hostname.length=strlen(in->tlsext_hostname);
239 a.tlsext_hostname.type=V_ASN1_OCTET_STRING;
240 a.tlsext_hostname.data=(unsigned char *)in->tlsext_hostname;
241 }
242 if (in->tlsext_tick)
243 {
244 a.tlsext_tick.length= in->tlsext_ticklen;
245 a.tlsext_tick.type=V_ASN1_OCTET_STRING;
246 a.tlsext_tick.data=(unsigned char *)in->tlsext_tick;
247 }
248 if (in->tlsext_tick_lifetime_hint > 0)
249 {
250 a.tlsext_tick_lifetime.length=LSIZE2;
251 a.tlsext_tick_lifetime.type=V_ASN1_INTEGER;
252 a.tlsext_tick_lifetime.data=ibuf6;
253 ASN1_INTEGER_set(&a.tlsext_tick_lifetime,in->tlsext_tick_lifetime_hint);
254 }
255#endif /* OPENSSL_NO_TLSEXT */
256#ifndef OPENSSL_NO_PSK
257 if (in->psk_identity_hint)
258 {
259 a.psk_identity_hint.length=strlen(in->psk_identity_hint);
260 a.psk_identity_hint.type=V_ASN1_OCTET_STRING;
261 a.psk_identity_hint.data=(unsigned char *)(in->psk_identity_hint);
262 }
263 if (in->psk_identity)
264 {
265 a.psk_identity.length=strlen(in->psk_identity);
266 a.psk_identity.type=V_ASN1_OCTET_STRING;
267 a.psk_identity.data=(unsigned char *)(in->psk_identity);
268 }
269#endif /* OPENSSL_NO_PSK */
270
271 M_ASN1_I2D_len(&(a.version), i2d_ASN1_INTEGER);
272 M_ASN1_I2D_len(&(a.ssl_version), i2d_ASN1_INTEGER);
273 M_ASN1_I2D_len(&(a.cipher), i2d_ASN1_OCTET_STRING);
274 M_ASN1_I2D_len(&(a.session_id), i2d_ASN1_OCTET_STRING);
275 M_ASN1_I2D_len(&(a.master_key), i2d_ASN1_OCTET_STRING);
276#ifndef OPENSSL_NO_KRB5
277 if (in->krb5_client_princ_len)
278 M_ASN1_I2D_len(&(a.krb5_princ), i2d_ASN1_OCTET_STRING);
279#endif /* OPENSSL_NO_KRB5 */
280 if (in->key_arg_length > 0)
281 M_ASN1_I2D_len_IMP_opt(&(a.key_arg),i2d_ASN1_OCTET_STRING);
282 if (in->time != 0L)
283 M_ASN1_I2D_len_EXP_opt(&(a.time),i2d_ASN1_INTEGER,1,v1);
284 if (in->timeout != 0L)
285 M_ASN1_I2D_len_EXP_opt(&(a.timeout),i2d_ASN1_INTEGER,2,v2);
286 if (in->peer != NULL)
287 M_ASN1_I2D_len_EXP_opt(in->peer,i2d_X509,3,v3);
288 M_ASN1_I2D_len_EXP_opt(&a.session_id_context,i2d_ASN1_OCTET_STRING,4,v4);
289 if (in->verify_result != X509_V_OK)
290 M_ASN1_I2D_len_EXP_opt(&(a.verify_result),i2d_ASN1_INTEGER,5,v5);
291
292#ifndef OPENSSL_NO_TLSEXT
293 if (in->tlsext_tick_lifetime_hint > 0)
294 M_ASN1_I2D_len_EXP_opt(&a.tlsext_tick_lifetime, i2d_ASN1_INTEGER,9,v9);
295 if (in->tlsext_tick)
296 M_ASN1_I2D_len_EXP_opt(&(a.tlsext_tick), i2d_ASN1_OCTET_STRING,10,v10);
297 if (in->tlsext_hostname)
298 M_ASN1_I2D_len_EXP_opt(&(a.tlsext_hostname), i2d_ASN1_OCTET_STRING,6,v6);
299#ifndef OPENSSL_NO_COMP
300 if (in->compress_meth)
301 M_ASN1_I2D_len_EXP_opt(&(a.comp_id), i2d_ASN1_OCTET_STRING,11,v11);
302#endif
303#endif /* OPENSSL_NO_TLSEXT */
304#ifndef OPENSSL_NO_PSK
305 if (in->psk_identity_hint)
306 M_ASN1_I2D_len_EXP_opt(&(a.psk_identity_hint), i2d_ASN1_OCTET_STRING,7,v7);
307 if (in->psk_identity)
308 M_ASN1_I2D_len_EXP_opt(&(a.psk_identity), i2d_ASN1_OCTET_STRING,8,v8);
309#endif /* OPENSSL_NO_PSK */
310
311 M_ASN1_I2D_seq_total();
312
313 M_ASN1_I2D_put(&(a.version), i2d_ASN1_INTEGER);
314 M_ASN1_I2D_put(&(a.ssl_version), i2d_ASN1_INTEGER);
315 M_ASN1_I2D_put(&(a.cipher), i2d_ASN1_OCTET_STRING);
316 M_ASN1_I2D_put(&(a.session_id), i2d_ASN1_OCTET_STRING);
317 M_ASN1_I2D_put(&(a.master_key), i2d_ASN1_OCTET_STRING);
318#ifndef OPENSSL_NO_KRB5
319 if (in->krb5_client_princ_len)
320 M_ASN1_I2D_put(&(a.krb5_princ), i2d_ASN1_OCTET_STRING);
321#endif /* OPENSSL_NO_KRB5 */
322 if (in->key_arg_length > 0)
323 M_ASN1_I2D_put_IMP_opt(&(a.key_arg),i2d_ASN1_OCTET_STRING,0);
324 if (in->time != 0L)
325 M_ASN1_I2D_put_EXP_opt(&(a.time),i2d_ASN1_INTEGER,1,v1);
326 if (in->timeout != 0L)
327 M_ASN1_I2D_put_EXP_opt(&(a.timeout),i2d_ASN1_INTEGER,2,v2);
328 if (in->peer != NULL)
329 M_ASN1_I2D_put_EXP_opt(in->peer,i2d_X509,3,v3);
330 M_ASN1_I2D_put_EXP_opt(&a.session_id_context,i2d_ASN1_OCTET_STRING,4,
331 v4);
332 if (in->verify_result != X509_V_OK)
333 M_ASN1_I2D_put_EXP_opt(&a.verify_result,i2d_ASN1_INTEGER,5,v5);
334#ifndef OPENSSL_NO_TLSEXT
335 if (in->tlsext_hostname)
336 M_ASN1_I2D_put_EXP_opt(&(a.tlsext_hostname), i2d_ASN1_OCTET_STRING,6,v6);
337#endif /* OPENSSL_NO_TLSEXT */
338#ifndef OPENSSL_NO_PSK
339 if (in->psk_identity_hint)
340 M_ASN1_I2D_put_EXP_opt(&(a.psk_identity_hint), i2d_ASN1_OCTET_STRING,7,v7);
341 if (in->psk_identity)
342 M_ASN1_I2D_put_EXP_opt(&(a.psk_identity), i2d_ASN1_OCTET_STRING,8,v8);
343#endif /* OPENSSL_NO_PSK */
344#ifndef OPENSSL_NO_TLSEXT
345 if (in->tlsext_tick_lifetime_hint > 0)
346 M_ASN1_I2D_put_EXP_opt(&a.tlsext_tick_lifetime, i2d_ASN1_INTEGER,9,v9);
347 if (in->tlsext_tick)
348 M_ASN1_I2D_put_EXP_opt(&(a.tlsext_tick), i2d_ASN1_OCTET_STRING,10,v10);
349#endif /* OPENSSL_NO_TLSEXT */
350#ifndef OPENSSL_NO_COMP
351 if (in->compress_meth)
352 M_ASN1_I2D_put_EXP_opt(&(a.comp_id), i2d_ASN1_OCTET_STRING,11,v11);
353#endif
354 M_ASN1_I2D_finish();
355 }
356
357SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp,
358 long length)
359 {
360 int ssl_version=0,i;
361 long id;
362 ASN1_INTEGER ai,*aip;
363 ASN1_OCTET_STRING os,*osp;
364 M_ASN1_D2I_vars(a,SSL_SESSION *,SSL_SESSION_new);
365
366 aip= &ai;
367 osp= &os;
368
369 M_ASN1_D2I_Init();
370 M_ASN1_D2I_start_sequence();
371
372 ai.data=NULL; ai.length=0;
373 M_ASN1_D2I_get_x(ASN1_INTEGER,aip,d2i_ASN1_INTEGER);
374 if (ai.data != NULL) { OPENSSL_free(ai.data); ai.data=NULL; ai.length=0; }
375
376 /* we don't care about the version right now :-) */
377 M_ASN1_D2I_get_x(ASN1_INTEGER,aip,d2i_ASN1_INTEGER);
378 ssl_version=(int)ASN1_INTEGER_get(aip);
379 ret->ssl_version=ssl_version;
380 if (ai.data != NULL) { OPENSSL_free(ai.data); ai.data=NULL; ai.length=0; }
381
382 os.data=NULL; os.length=0;
383 M_ASN1_D2I_get_x(ASN1_OCTET_STRING,osp,d2i_ASN1_OCTET_STRING);
384 if (ssl_version == SSL2_VERSION)
385 {
386 if (os.length != 3)
387 {
388 c.error=SSL_R_CIPHER_CODE_WRONG_LENGTH;
389 goto err;
390 }
391 id=0x02000000L|
392 ((unsigned long)os.data[0]<<16L)|
393 ((unsigned long)os.data[1]<< 8L)|
394 (unsigned long)os.data[2];
395 }
396 else if ((ssl_version>>8) >= SSL3_VERSION_MAJOR)
397 {
398 if (os.length != 2)
399 {
400 c.error=SSL_R_CIPHER_CODE_WRONG_LENGTH;
401 goto err;
402 }
403 id=0x03000000L|
404 ((unsigned long)os.data[0]<<8L)|
405 (unsigned long)os.data[1];
406 }
407 else
408 {
409 c.error=SSL_R_UNKNOWN_SSL_VERSION;
410 goto err;
411 }
412
413 ret->cipher=NULL;
414 ret->cipher_id=id;
415
416 M_ASN1_D2I_get_x(ASN1_OCTET_STRING,osp,d2i_ASN1_OCTET_STRING);
417 if ((ssl_version>>8) >= SSL3_VERSION_MAJOR)
418 i=SSL3_MAX_SSL_SESSION_ID_LENGTH;
419 else /* if (ssl_version>>8 == SSL2_VERSION_MAJOR) */
420 i=SSL2_MAX_SSL_SESSION_ID_LENGTH;
421
422 if (os.length > i)
423 os.length = i;
424 if (os.length > (int)sizeof(ret->session_id)) /* can't happen */
425 os.length = sizeof(ret->session_id);
426
427 ret->session_id_length=os.length;
428 OPENSSL_assert(os.length <= (int)sizeof(ret->session_id));
429 memcpy(ret->session_id,os.data,os.length);
430
431 M_ASN1_D2I_get_x(ASN1_OCTET_STRING,osp,d2i_ASN1_OCTET_STRING);
432 if (os.length > SSL_MAX_MASTER_KEY_LENGTH)
433 ret->master_key_length=SSL_MAX_MASTER_KEY_LENGTH;
434 else
435 ret->master_key_length=os.length;
436 memcpy(ret->master_key,os.data,ret->master_key_length);
437
438 os.length=0;
439
440#ifndef OPENSSL_NO_KRB5
441 os.length=0;
442 M_ASN1_D2I_get_opt(osp,d2i_ASN1_OCTET_STRING,V_ASN1_OCTET_STRING);
443 if (os.data)
444 {
445 if (os.length > SSL_MAX_KRB5_PRINCIPAL_LENGTH)
446 ret->krb5_client_princ_len=0;
447 else
448 ret->krb5_client_princ_len=os.length;
449 memcpy(ret->krb5_client_princ,os.data,ret->krb5_client_princ_len);
450 OPENSSL_free(os.data);
451 os.data = NULL;
452 os.length = 0;
453 }
454 else
455 ret->krb5_client_princ_len=0;
456#endif /* OPENSSL_NO_KRB5 */
457
458 M_ASN1_D2I_get_IMP_opt(osp,d2i_ASN1_OCTET_STRING,0,V_ASN1_OCTET_STRING);
459 if (os.length > SSL_MAX_KEY_ARG_LENGTH)
460 ret->key_arg_length=SSL_MAX_KEY_ARG_LENGTH;
461 else
462 ret->key_arg_length=os.length;
463 memcpy(ret->key_arg,os.data,ret->key_arg_length);
464 if (os.data != NULL) OPENSSL_free(os.data);
465
466 ai.length=0;
467 M_ASN1_D2I_get_EXP_opt(aip,d2i_ASN1_INTEGER,1);
468 if (ai.data != NULL)
469 {
470 ret->time=ASN1_INTEGER_get(aip);
471 OPENSSL_free(ai.data); ai.data=NULL; ai.length=0;
472 }
473 else
474 ret->time=(unsigned long)time(NULL);
475
476 ai.length=0;
477 M_ASN1_D2I_get_EXP_opt(aip,d2i_ASN1_INTEGER,2);
478 if (ai.data != NULL)
479 {
480 ret->timeout=ASN1_INTEGER_get(aip);
481 OPENSSL_free(ai.data); ai.data=NULL; ai.length=0;
482 }
483 else
484 ret->timeout=3;
485
486 if (ret->peer != NULL)
487 {
488 X509_free(ret->peer);
489 ret->peer=NULL;
490 }
491 M_ASN1_D2I_get_EXP_opt(ret->peer,d2i_X509,3);
492
493 os.length=0;
494 os.data=NULL;
495 M_ASN1_D2I_get_EXP_opt(osp,d2i_ASN1_OCTET_STRING,4);
496
497 if(os.data != NULL)
498 {
499 if (os.length > SSL_MAX_SID_CTX_LENGTH)
500 {
501 c.error=SSL_R_BAD_LENGTH;
502 goto err;
503 }
504 else
505 {
506 ret->sid_ctx_length=os.length;
507 memcpy(ret->sid_ctx,os.data,os.length);
508 }
509 OPENSSL_free(os.data); os.data=NULL; os.length=0;
510 }
511 else
512 ret->sid_ctx_length=0;
513
514 ai.length=0;
515 M_ASN1_D2I_get_EXP_opt(aip,d2i_ASN1_INTEGER,5);
516 if (ai.data != NULL)
517 {
518 ret->verify_result=ASN1_INTEGER_get(aip);
519 OPENSSL_free(ai.data); ai.data=NULL; ai.length=0;
520 }
521 else
522 ret->verify_result=X509_V_OK;
523
524#ifndef OPENSSL_NO_TLSEXT
525 os.length=0;
526 os.data=NULL;
527 M_ASN1_D2I_get_EXP_opt(osp,d2i_ASN1_OCTET_STRING,6);
528 if (os.data)
529 {
530 ret->tlsext_hostname = BUF_strndup((char *)os.data, os.length);
531 OPENSSL_free(os.data);
532 os.data = NULL;
533 os.length = 0;
534 }
535 else
536 ret->tlsext_hostname=NULL;
537#endif /* OPENSSL_NO_TLSEXT */
538
539#ifndef OPENSSL_NO_PSK
540 os.length=0;
541 os.data=NULL;
542 M_ASN1_D2I_get_EXP_opt(osp,d2i_ASN1_OCTET_STRING,7);
543 if (os.data)
544 {
545 ret->psk_identity_hint = BUF_strndup((char *)os.data, os.length);
546 OPENSSL_free(os.data);
547 os.data = NULL;
548 os.length = 0;
549 }
550 else
551 ret->psk_identity_hint=NULL;
552#endif /* OPENSSL_NO_PSK */
553
554#ifndef OPENSSL_NO_TLSEXT
555 ai.length=0;
556 M_ASN1_D2I_get_EXP_opt(aip,d2i_ASN1_INTEGER,9);
557 if (ai.data != NULL)
558 {
559 ret->tlsext_tick_lifetime_hint=ASN1_INTEGER_get(aip);
560 OPENSSL_free(ai.data); ai.data=NULL; ai.length=0;
561 }
562 else if (ret->tlsext_ticklen && ret->session_id_length)
563 ret->tlsext_tick_lifetime_hint = -1;
564 else
565 ret->tlsext_tick_lifetime_hint=0;
566 os.length=0;
567 os.data=NULL;
568 M_ASN1_D2I_get_EXP_opt(osp,d2i_ASN1_OCTET_STRING,10);
569 if (os.data)
570 {
571 ret->tlsext_tick = os.data;
572 ret->tlsext_ticklen = os.length;
573 os.data = NULL;
574 os.length = 0;
575 }
576 else
577 ret->tlsext_tick=NULL;
578#endif /* OPENSSL_NO_TLSEXT */
579#ifndef OPENSSL_NO_COMP
580 os.length=0;
581 os.data=NULL;
582 M_ASN1_D2I_get_EXP_opt(osp,d2i_ASN1_OCTET_STRING,11);
583 if (os.data)
584 {
585 ret->compress_meth = os.data[0];
586 OPENSSL_free(os.data);
587 os.data = NULL;
588 }
589#endif
590
591 M_ASN1_D2I_Finish(a,SSL_SESSION_free,SSL_F_D2I_SSL_SESSION);
592 }
diff --git a/src/lib/libssl/ssl_cert.c b/src/lib/libssl/ssl_cert.c
deleted file mode 100644
index 27256eea81..0000000000
--- a/src/lib/libssl/ssl_cert.c
+++ /dev/null
@@ -1,834 +0,0 @@
1/*! \file ssl/ssl_cert.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58/* ====================================================================
59 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
60 *
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
63 * are met:
64 *
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
67 *
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
71 * distribution.
72 *
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77 *
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
82 *
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
86 *
87 * 6. Redistributions of any form whatsoever must retain the following
88 * acknowledgment:
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91 *
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
105 *
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
109 *
110 */
111/* ====================================================================
112 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
113 * ECC cipher suite support in OpenSSL originally developed by
114 * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
115 */
116
117#include <stdio.h>
118
119#include "e_os.h"
120#ifndef NO_SYS_TYPES_H
121# include <sys/types.h>
122#endif
123
124#include "o_dir.h"
125#include <openssl/objects.h>
126#include <openssl/bio.h>
127#include <openssl/pem.h>
128#include <openssl/x509v3.h>
129#ifndef OPENSSL_NO_DH
130#include <openssl/dh.h>
131#endif
132#include <openssl/bn.h>
133#include "ssl_locl.h"
134
135int SSL_get_ex_data_X509_STORE_CTX_idx(void)
136 {
137 static volatile int ssl_x509_store_ctx_idx= -1;
138 int got_write_lock = 0;
139
140 CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX);
141
142 if (ssl_x509_store_ctx_idx < 0)
143 {
144 CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX);
145 CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
146 got_write_lock = 1;
147
148 if (ssl_x509_store_ctx_idx < 0)
149 {
150 ssl_x509_store_ctx_idx=X509_STORE_CTX_get_ex_new_index(
151 0,"SSL for verify callback",NULL,NULL,NULL);
152 }
153 }
154
155 if (got_write_lock)
156 CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
157 else
158 CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX);
159
160 return ssl_x509_store_ctx_idx;
161 }
162
163CERT *ssl_cert_new(void)
164 {
165 CERT *ret;
166
167 ret=(CERT *)OPENSSL_malloc(sizeof(CERT));
168 if (ret == NULL)
169 {
170 SSLerr(SSL_F_SSL_CERT_NEW,ERR_R_MALLOC_FAILURE);
171 return(NULL);
172 }
173 memset(ret,0,sizeof(CERT));
174
175 ret->key= &(ret->pkeys[SSL_PKEY_RSA_ENC]);
176 ret->references=1;
177
178 return(ret);
179 }
180
181CERT *ssl_cert_dup(CERT *cert)
182 {
183 CERT *ret;
184 int i;
185
186 ret = (CERT *)OPENSSL_malloc(sizeof(CERT));
187 if (ret == NULL)
188 {
189 SSLerr(SSL_F_SSL_CERT_DUP, ERR_R_MALLOC_FAILURE);
190 return(NULL);
191 }
192
193 memset(ret, 0, sizeof(CERT));
194
195 ret->key = &ret->pkeys[cert->key - &cert->pkeys[0]];
196 /* or ret->key = ret->pkeys + (cert->key - cert->pkeys),
197 * if you find that more readable */
198
199 ret->valid = cert->valid;
200 ret->mask_k = cert->mask_k;
201 ret->mask_a = cert->mask_a;
202 ret->export_mask_k = cert->export_mask_k;
203 ret->export_mask_a = cert->export_mask_a;
204
205#ifndef OPENSSL_NO_RSA
206 if (cert->rsa_tmp != NULL)
207 {
208 RSA_up_ref(cert->rsa_tmp);
209 ret->rsa_tmp = cert->rsa_tmp;
210 }
211 ret->rsa_tmp_cb = cert->rsa_tmp_cb;
212#endif
213
214#ifndef OPENSSL_NO_DH
215 if (cert->dh_tmp != NULL)
216 {
217 ret->dh_tmp = DHparams_dup(cert->dh_tmp);
218 if (ret->dh_tmp == NULL)
219 {
220 SSLerr(SSL_F_SSL_CERT_DUP, ERR_R_DH_LIB);
221 goto err;
222 }
223 if (cert->dh_tmp->priv_key)
224 {
225 BIGNUM *b = BN_dup(cert->dh_tmp->priv_key);
226 if (!b)
227 {
228 SSLerr(SSL_F_SSL_CERT_DUP, ERR_R_BN_LIB);
229 goto err;
230 }
231 ret->dh_tmp->priv_key = b;
232 }
233 if (cert->dh_tmp->pub_key)
234 {
235 BIGNUM *b = BN_dup(cert->dh_tmp->pub_key);
236 if (!b)
237 {
238 SSLerr(SSL_F_SSL_CERT_DUP, ERR_R_BN_LIB);
239 goto err;
240 }
241 ret->dh_tmp->pub_key = b;
242 }
243 }
244 ret->dh_tmp_cb = cert->dh_tmp_cb;
245#endif
246
247#ifndef OPENSSL_NO_ECDH
248 if (cert->ecdh_tmp)
249 {
250 ret->ecdh_tmp = EC_KEY_dup(cert->ecdh_tmp);
251 if (ret->ecdh_tmp == NULL)
252 {
253 SSLerr(SSL_F_SSL_CERT_DUP, ERR_R_EC_LIB);
254 goto err;
255 }
256 }
257 ret->ecdh_tmp_cb = cert->ecdh_tmp_cb;
258#endif
259
260 for (i = 0; i < SSL_PKEY_NUM; i++)
261 {
262 if (cert->pkeys[i].x509 != NULL)
263 {
264 ret->pkeys[i].x509 = cert->pkeys[i].x509;
265 CRYPTO_add(&ret->pkeys[i].x509->references, 1,
266 CRYPTO_LOCK_X509);
267 }
268
269 if (cert->pkeys[i].privatekey != NULL)
270 {
271 ret->pkeys[i].privatekey = cert->pkeys[i].privatekey;
272 CRYPTO_add(&ret->pkeys[i].privatekey->references, 1,
273 CRYPTO_LOCK_EVP_PKEY);
274
275 switch(i)
276 {
277 /* If there was anything special to do for
278 * certain types of keys, we'd do it here.
279 * (Nothing at the moment, I think.) */
280
281 case SSL_PKEY_RSA_ENC:
282 case SSL_PKEY_RSA_SIGN:
283 /* We have an RSA key. */
284 break;
285
286 case SSL_PKEY_DSA_SIGN:
287 /* We have a DSA key. */
288 break;
289
290 case SSL_PKEY_DH_RSA:
291 case SSL_PKEY_DH_DSA:
292 /* We have a DH key. */
293 break;
294
295 case SSL_PKEY_ECC:
296 /* We have an ECC key */
297 break;
298
299 default:
300 /* Can't happen. */
301 SSLerr(SSL_F_SSL_CERT_DUP, SSL_R_LIBRARY_BUG);
302 }
303 }
304 }
305
306 /* ret->extra_certs *should* exist, but currently the own certificate
307 * chain is held inside SSL_CTX */
308
309 ret->references=1;
310
311 return(ret);
312
313#if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_ECDH)
314err:
315#endif
316#ifndef OPENSSL_NO_RSA
317 if (ret->rsa_tmp != NULL)
318 RSA_free(ret->rsa_tmp);
319#endif
320#ifndef OPENSSL_NO_DH
321 if (ret->dh_tmp != NULL)
322 DH_free(ret->dh_tmp);
323#endif
324#ifndef OPENSSL_NO_ECDH
325 if (ret->ecdh_tmp != NULL)
326 EC_KEY_free(ret->ecdh_tmp);
327#endif
328
329 for (i = 0; i < SSL_PKEY_NUM; i++)
330 {
331 if (ret->pkeys[i].x509 != NULL)
332 X509_free(ret->pkeys[i].x509);
333 if (ret->pkeys[i].privatekey != NULL)
334 EVP_PKEY_free(ret->pkeys[i].privatekey);
335 }
336
337 return NULL;
338 }
339
340
341void ssl_cert_free(CERT *c)
342 {
343 int i;
344
345 if(c == NULL)
346 return;
347
348 i=CRYPTO_add(&c->references,-1,CRYPTO_LOCK_SSL_CERT);
349#ifdef REF_PRINT
350 REF_PRINT("CERT",c);
351#endif
352 if (i > 0) return;
353#ifdef REF_CHECK
354 if (i < 0)
355 {
356 fprintf(stderr,"ssl_cert_free, bad reference count\n");
357 abort(); /* ok */
358 }
359#endif
360
361#ifndef OPENSSL_NO_RSA
362 if (c->rsa_tmp) RSA_free(c->rsa_tmp);
363#endif
364#ifndef OPENSSL_NO_DH
365 if (c->dh_tmp) DH_free(c->dh_tmp);
366#endif
367#ifndef OPENSSL_NO_ECDH
368 if (c->ecdh_tmp) EC_KEY_free(c->ecdh_tmp);
369#endif
370
371 for (i=0; i<SSL_PKEY_NUM; i++)
372 {
373 if (c->pkeys[i].x509 != NULL)
374 X509_free(c->pkeys[i].x509);
375 if (c->pkeys[i].privatekey != NULL)
376 EVP_PKEY_free(c->pkeys[i].privatekey);
377#if 0
378 if (c->pkeys[i].publickey != NULL)
379 EVP_PKEY_free(c->pkeys[i].publickey);
380#endif
381 }
382 OPENSSL_free(c);
383 }
384
385int ssl_cert_inst(CERT **o)
386 {
387 /* Create a CERT if there isn't already one
388 * (which cannot really happen, as it is initially created in
389 * SSL_CTX_new; but the earlier code usually allows for that one
390 * being non-existant, so we follow that behaviour, as it might
391 * turn out that there actually is a reason for it -- but I'm
392 * not sure that *all* of the existing code could cope with
393 * s->cert being NULL, otherwise we could do without the
394 * initialization in SSL_CTX_new).
395 */
396
397 if (o == NULL)
398 {
399 SSLerr(SSL_F_SSL_CERT_INST, ERR_R_PASSED_NULL_PARAMETER);
400 return(0);
401 }
402 if (*o == NULL)
403 {
404 if ((*o = ssl_cert_new()) == NULL)
405 {
406 SSLerr(SSL_F_SSL_CERT_INST, ERR_R_MALLOC_FAILURE);
407 return(0);
408 }
409 }
410 return(1);
411 }
412
413
414SESS_CERT *ssl_sess_cert_new(void)
415 {
416 SESS_CERT *ret;
417
418 ret = OPENSSL_malloc(sizeof *ret);
419 if (ret == NULL)
420 {
421 SSLerr(SSL_F_SSL_SESS_CERT_NEW, ERR_R_MALLOC_FAILURE);
422 return NULL;
423 }
424
425 memset(ret, 0 ,sizeof *ret);
426 ret->peer_key = &(ret->peer_pkeys[SSL_PKEY_RSA_ENC]);
427 ret->references = 1;
428
429 return ret;
430 }
431
432void ssl_sess_cert_free(SESS_CERT *sc)
433 {
434 int i;
435
436 if (sc == NULL)
437 return;
438
439 i = CRYPTO_add(&sc->references, -1, CRYPTO_LOCK_SSL_SESS_CERT);
440#ifdef REF_PRINT
441 REF_PRINT("SESS_CERT", sc);
442#endif
443 if (i > 0)
444 return;
445#ifdef REF_CHECK
446 if (i < 0)
447 {
448 fprintf(stderr,"ssl_sess_cert_free, bad reference count\n");
449 abort(); /* ok */
450 }
451#endif
452
453 /* i == 0 */
454 if (sc->cert_chain != NULL)
455 sk_X509_pop_free(sc->cert_chain, X509_free);
456 for (i = 0; i < SSL_PKEY_NUM; i++)
457 {
458 if (sc->peer_pkeys[i].x509 != NULL)
459 X509_free(sc->peer_pkeys[i].x509);
460#if 0 /* We don't have the peer's private key. These lines are just
461 * here as a reminder that we're still using a not-quite-appropriate
462 * data structure. */
463 if (sc->peer_pkeys[i].privatekey != NULL)
464 EVP_PKEY_free(sc->peer_pkeys[i].privatekey);
465#endif
466 }
467
468#ifndef OPENSSL_NO_RSA
469 if (sc->peer_rsa_tmp != NULL)
470 RSA_free(sc->peer_rsa_tmp);
471#endif
472#ifndef OPENSSL_NO_DH
473 if (sc->peer_dh_tmp != NULL)
474 DH_free(sc->peer_dh_tmp);
475#endif
476#ifndef OPENSSL_NO_ECDH
477 if (sc->peer_ecdh_tmp != NULL)
478 EC_KEY_free(sc->peer_ecdh_tmp);
479#endif
480
481 OPENSSL_free(sc);
482 }
483
484int ssl_set_peer_cert_type(SESS_CERT *sc,int type)
485 {
486 sc->peer_cert_type = type;
487 return(1);
488 }
489
490int ssl_verify_cert_chain(SSL *s,STACK_OF(X509) *sk)
491 {
492 X509 *x;
493 int i;
494 X509_STORE_CTX ctx;
495
496 if ((sk == NULL) || (sk_X509_num(sk) == 0))
497 return(0);
498
499 x=sk_X509_value(sk,0);
500 if(!X509_STORE_CTX_init(&ctx,s->ctx->cert_store,x,sk))
501 {
502 SSLerr(SSL_F_SSL_VERIFY_CERT_CHAIN,ERR_R_X509_LIB);
503 return(0);
504 }
505#if 0
506 if (SSL_get_verify_depth(s) >= 0)
507 X509_STORE_CTX_set_depth(&ctx, SSL_get_verify_depth(s));
508#endif
509 X509_STORE_CTX_set_ex_data(&ctx,SSL_get_ex_data_X509_STORE_CTX_idx(),s);
510
511 /* We need to inherit the verify parameters. These can be determined by
512 * the context: if its a server it will verify SSL client certificates
513 * or vice versa.
514 */
515
516 X509_STORE_CTX_set_default(&ctx,
517 s->server ? "ssl_client" : "ssl_server");
518 /* Anything non-default in "param" should overwrite anything in the
519 * ctx.
520 */
521 X509_VERIFY_PARAM_set1(X509_STORE_CTX_get0_param(&ctx), s->param);
522
523 if (s->verify_callback)
524 X509_STORE_CTX_set_verify_cb(&ctx, s->verify_callback);
525
526 if (s->ctx->app_verify_callback != NULL)
527#if 1 /* new with OpenSSL 0.9.7 */
528 i=s->ctx->app_verify_callback(&ctx, s->ctx->app_verify_arg);
529#else
530 i=s->ctx->app_verify_callback(&ctx); /* should pass app_verify_arg */
531#endif
532 else
533 {
534#ifndef OPENSSL_NO_X509_VERIFY
535 i=X509_verify_cert(&ctx);
536#else
537 i=0;
538 ctx.error=X509_V_ERR_APPLICATION_VERIFICATION;
539 SSLerr(SSL_F_SSL_VERIFY_CERT_CHAIN,SSL_R_NO_VERIFY_CALLBACK);
540#endif
541 }
542
543 s->verify_result=ctx.error;
544 X509_STORE_CTX_cleanup(&ctx);
545
546 return(i);
547 }
548
549static void set_client_CA_list(STACK_OF(X509_NAME) **ca_list,STACK_OF(X509_NAME) *name_list)
550 {
551 if (*ca_list != NULL)
552 sk_X509_NAME_pop_free(*ca_list,X509_NAME_free);
553
554 *ca_list=name_list;
555 }
556
557STACK_OF(X509_NAME) *SSL_dup_CA_list(STACK_OF(X509_NAME) *sk)
558 {
559 int i;
560 STACK_OF(X509_NAME) *ret;
561 X509_NAME *name;
562
563 ret=sk_X509_NAME_new_null();
564 for (i=0; i<sk_X509_NAME_num(sk); i++)
565 {
566 name=X509_NAME_dup(sk_X509_NAME_value(sk,i));
567 if ((name == NULL) || !sk_X509_NAME_push(ret,name))
568 {
569 sk_X509_NAME_pop_free(ret,X509_NAME_free);
570 return(NULL);
571 }
572 }
573 return(ret);
574 }
575
576void SSL_set_client_CA_list(SSL *s,STACK_OF(X509_NAME) *name_list)
577 {
578 set_client_CA_list(&(s->client_CA),name_list);
579 }
580
581void SSL_CTX_set_client_CA_list(SSL_CTX *ctx,STACK_OF(X509_NAME) *name_list)
582 {
583 set_client_CA_list(&(ctx->client_CA),name_list);
584 }
585
586STACK_OF(X509_NAME) *SSL_CTX_get_client_CA_list(const SSL_CTX *ctx)
587 {
588 return(ctx->client_CA);
589 }
590
591STACK_OF(X509_NAME) *SSL_get_client_CA_list(const SSL *s)
592 {
593 if (s->type == SSL_ST_CONNECT)
594 { /* we are in the client */
595 if (((s->version>>8) == SSL3_VERSION_MAJOR) &&
596 (s->s3 != NULL))
597 return(s->s3->tmp.ca_names);
598 else
599 return(NULL);
600 }
601 else
602 {
603 if (s->client_CA != NULL)
604 return(s->client_CA);
605 else
606 return(s->ctx->client_CA);
607 }
608 }
609
610static int add_client_CA(STACK_OF(X509_NAME) **sk,X509 *x)
611 {
612 X509_NAME *name;
613
614 if (x == NULL) return(0);
615 if ((*sk == NULL) && ((*sk=sk_X509_NAME_new_null()) == NULL))
616 return(0);
617
618 if ((name=X509_NAME_dup(X509_get_subject_name(x))) == NULL)
619 return(0);
620
621 if (!sk_X509_NAME_push(*sk,name))
622 {
623 X509_NAME_free(name);
624 return(0);
625 }
626 return(1);
627 }
628
629int SSL_add_client_CA(SSL *ssl,X509 *x)
630 {
631 return(add_client_CA(&(ssl->client_CA),x));
632 }
633
634int SSL_CTX_add_client_CA(SSL_CTX *ctx,X509 *x)
635 {
636 return(add_client_CA(&(ctx->client_CA),x));
637 }
638
639static int xname_cmp(const X509_NAME * const *a, const X509_NAME * const *b)
640 {
641 return(X509_NAME_cmp(*a,*b));
642 }
643
644#ifndef OPENSSL_NO_STDIO
645/*!
646 * Load CA certs from a file into a ::STACK. Note that it is somewhat misnamed;
647 * it doesn't really have anything to do with clients (except that a common use
648 * for a stack of CAs is to send it to the client). Actually, it doesn't have
649 * much to do with CAs, either, since it will load any old cert.
650 * \param file the file containing one or more certs.
651 * \return a ::STACK containing the certs.
652 */
653STACK_OF(X509_NAME) *SSL_load_client_CA_file(const char *file)
654 {
655 BIO *in;
656 X509 *x=NULL;
657 X509_NAME *xn=NULL;
658 STACK_OF(X509_NAME) *ret = NULL,*sk;
659
660 sk=sk_X509_NAME_new(xname_cmp);
661
662 in=BIO_new(BIO_s_file_internal());
663
664 if ((sk == NULL) || (in == NULL))
665 {
666 SSLerr(SSL_F_SSL_LOAD_CLIENT_CA_FILE,ERR_R_MALLOC_FAILURE);
667 goto err;
668 }
669
670 if (!BIO_read_filename(in,file))
671 goto err;
672
673 for (;;)
674 {
675 if (PEM_read_bio_X509(in,&x,NULL,NULL) == NULL)
676 break;
677 if (ret == NULL)
678 {
679 ret = sk_X509_NAME_new_null();
680 if (ret == NULL)
681 {
682 SSLerr(SSL_F_SSL_LOAD_CLIENT_CA_FILE,ERR_R_MALLOC_FAILURE);
683 goto err;
684 }
685 }
686 if ((xn=X509_get_subject_name(x)) == NULL) goto err;
687 /* check for duplicates */
688 xn=X509_NAME_dup(xn);
689 if (xn == NULL) goto err;
690 if (sk_X509_NAME_find(sk,xn) >= 0)
691 X509_NAME_free(xn);
692 else
693 {
694 sk_X509_NAME_push(sk,xn);
695 sk_X509_NAME_push(ret,xn);
696 }
697 }
698
699 if (0)
700 {
701err:
702 if (ret != NULL) sk_X509_NAME_pop_free(ret,X509_NAME_free);
703 ret=NULL;
704 }
705 if (sk != NULL) sk_X509_NAME_free(sk);
706 if (in != NULL) BIO_free(in);
707 if (x != NULL) X509_free(x);
708 if (ret != NULL)
709 ERR_clear_error();
710 return(ret);
711 }
712#endif
713
714/*!
715 * Add a file of certs to a stack.
716 * \param stack the stack to add to.
717 * \param file the file to add from. All certs in this file that are not
718 * already in the stack will be added.
719 * \return 1 for success, 0 for failure. Note that in the case of failure some
720 * certs may have been added to \c stack.
721 */
722
723int SSL_add_file_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack,
724 const char *file)
725 {
726 BIO *in;
727 X509 *x=NULL;
728 X509_NAME *xn=NULL;
729 int ret=1;
730 int (*oldcmp)(const X509_NAME * const *a, const X509_NAME * const *b);
731
732 oldcmp=sk_X509_NAME_set_cmp_func(stack,xname_cmp);
733
734 in=BIO_new(BIO_s_file_internal());
735
736 if (in == NULL)
737 {
738 SSLerr(SSL_F_SSL_ADD_FILE_CERT_SUBJECTS_TO_STACK,ERR_R_MALLOC_FAILURE);
739 goto err;
740 }
741
742 if (!BIO_read_filename(in,file))
743 goto err;
744
745 for (;;)
746 {
747 if (PEM_read_bio_X509(in,&x,NULL,NULL) == NULL)
748 break;
749 if ((xn=X509_get_subject_name(x)) == NULL) goto err;
750 xn=X509_NAME_dup(xn);
751 if (xn == NULL) goto err;
752 if (sk_X509_NAME_find(stack,xn) >= 0)
753 X509_NAME_free(xn);
754 else
755 sk_X509_NAME_push(stack,xn);
756 }
757
758 ERR_clear_error();
759
760 if (0)
761 {
762err:
763 ret=0;
764 }
765 if(in != NULL)
766 BIO_free(in);
767 if(x != NULL)
768 X509_free(x);
769
770 (void)sk_X509_NAME_set_cmp_func(stack,oldcmp);
771
772 return ret;
773 }
774
775/*!
776 * Add a directory of certs to a stack.
777 * \param stack the stack to append to.
778 * \param dir the directory to append from. All files in this directory will be
779 * examined as potential certs. Any that are acceptable to
780 * SSL_add_dir_cert_subjects_to_stack() that are not already in the stack will be
781 * included.
782 * \return 1 for success, 0 for failure. Note that in the case of failure some
783 * certs may have been added to \c stack.
784 */
785
786int SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack,
787 const char *dir)
788 {
789 OPENSSL_DIR_CTX *d = NULL;
790 const char *filename;
791 int ret = 0;
792
793 CRYPTO_w_lock(CRYPTO_LOCK_READDIR);
794
795 /* Note that a side effect is that the CAs will be sorted by name */
796
797 while((filename = OPENSSL_DIR_read(&d, dir)))
798 {
799 char buf[1024];
800 int r;
801
802 if(strlen(dir)+strlen(filename)+2 > sizeof buf)
803 {
804 SSLerr(SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK,SSL_R_PATH_TOO_LONG);
805 goto err;
806 }
807
808#ifdef OPENSSL_SYS_VMS
809 r = BIO_snprintf(buf,sizeof buf,"%s%s",dir,filename);
810#else
811 r = BIO_snprintf(buf,sizeof buf,"%s/%s",dir,filename);
812#endif
813 if (r <= 0 || r >= (int)sizeof(buf))
814 goto err;
815 if(!SSL_add_file_cert_subjects_to_stack(stack,buf))
816 goto err;
817 }
818
819 if (errno)
820 {
821 SYSerr(SYS_F_OPENDIR, get_last_sys_error());
822 ERR_add_error_data(3, "OPENSSL_DIR_read(&ctx, '", dir, "')");
823 SSLerr(SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK, ERR_R_SYS_LIB);
824 goto err;
825 }
826
827 ret = 1;
828
829err:
830 if (d) OPENSSL_DIR_end(&d);
831 CRYPTO_w_unlock(CRYPTO_LOCK_READDIR);
832 return ret;
833 }
834
diff --git a/src/lib/libssl/ssl_ciph.c b/src/lib/libssl/ssl_ciph.c
deleted file mode 100644
index 54ba7ef5b4..0000000000
--- a/src/lib/libssl/ssl_ciph.c
+++ /dev/null
@@ -1,1747 +0,0 @@
1/* ssl/ssl_ciph.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58/* ====================================================================
59 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
60 *
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
63 * are met:
64 *
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
67 *
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
71 * distribution.
72 *
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77 *
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
82 *
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
86 *
87 * 6. Redistributions of any form whatsoever must retain the following
88 * acknowledgment:
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91 *
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
105 *
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
109 *
110 */
111/* ====================================================================
112 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
113 * ECC cipher suite support in OpenSSL originally developed by
114 * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
115 */
116/* ====================================================================
117 * Copyright 2005 Nokia. All rights reserved.
118 *
119 * The portions of the attached software ("Contribution") is developed by
120 * Nokia Corporation and is licensed pursuant to the OpenSSL open source
121 * license.
122 *
123 * The Contribution, originally written by Mika Kousa and Pasi Eronen of
124 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
125 * support (see RFC 4279) to OpenSSL.
126 *
127 * No patent licenses or other rights except those expressly stated in
128 * the OpenSSL open source license shall be deemed granted or received
129 * expressly, by implication, estoppel, or otherwise.
130 *
131 * No assurances are provided by Nokia that the Contribution does not
132 * infringe the patent or other intellectual property rights of any third
133 * party or that the license provides you with all the necessary rights
134 * to make use of the Contribution.
135 *
136 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
137 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
138 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
139 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
140 * OTHERWISE.
141 */
142
143#include <stdio.h>
144#include <openssl/objects.h>
145#ifndef OPENSSL_NO_COMP
146#include <openssl/comp.h>
147#endif
148#ifndef OPENSSL_NO_ENGINE
149#include <openssl/engine.h>
150#endif
151#include "ssl_locl.h"
152
153#define SSL_ENC_DES_IDX 0
154#define SSL_ENC_3DES_IDX 1
155#define SSL_ENC_RC4_IDX 2
156#define SSL_ENC_RC2_IDX 3
157#define SSL_ENC_IDEA_IDX 4
158#define SSL_ENC_NULL_IDX 5
159#define SSL_ENC_AES128_IDX 6
160#define SSL_ENC_AES256_IDX 7
161#define SSL_ENC_CAMELLIA128_IDX 8
162#define SSL_ENC_CAMELLIA256_IDX 9
163#define SSL_ENC_GOST89_IDX 10
164#define SSL_ENC_SEED_IDX 11
165#define SSL_ENC_NUM_IDX 12
166
167
168static const EVP_CIPHER *ssl_cipher_methods[SSL_ENC_NUM_IDX]={
169 NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,
170 };
171
172#define SSL_COMP_NULL_IDX 0
173#define SSL_COMP_ZLIB_IDX 1
174#define SSL_COMP_NUM_IDX 2
175
176static STACK_OF(SSL_COMP) *ssl_comp_methods=NULL;
177
178#define SSL_MD_MD5_IDX 0
179#define SSL_MD_SHA1_IDX 1
180#define SSL_MD_GOST94_IDX 2
181#define SSL_MD_GOST89MAC_IDX 3
182/*Constant SSL_MAX_DIGEST equal to size of digests array should be
183 * defined in the
184 * ssl_locl.h */
185#define SSL_MD_NUM_IDX SSL_MAX_DIGEST
186static const EVP_MD *ssl_digest_methods[SSL_MD_NUM_IDX]={
187 NULL,NULL,NULL,NULL
188 };
189/* PKEY_TYPE for GOST89MAC is known in advance, but, because
190 * implementation is engine-provided, we'll fill it only if
191 * corresponding EVP_PKEY_METHOD is found
192 */
193static int ssl_mac_pkey_id[SSL_MD_NUM_IDX]={
194 EVP_PKEY_HMAC,EVP_PKEY_HMAC,EVP_PKEY_HMAC,NID_undef
195 };
196
197static int ssl_mac_secret_size[SSL_MD_NUM_IDX]={
198 0,0,0,0
199 };
200
201static int ssl_handshake_digest_flag[SSL_MD_NUM_IDX]={
202 SSL_HANDSHAKE_MAC_MD5,SSL_HANDSHAKE_MAC_SHA,
203 SSL_HANDSHAKE_MAC_GOST94,0
204 };
205
206#define CIPHER_ADD 1
207#define CIPHER_KILL 2
208#define CIPHER_DEL 3
209#define CIPHER_ORD 4
210#define CIPHER_SPECIAL 5
211
212typedef struct cipher_order_st
213 {
214 const SSL_CIPHER *cipher;
215 int active;
216 int dead;
217 struct cipher_order_st *next,*prev;
218 } CIPHER_ORDER;
219
220static const SSL_CIPHER cipher_aliases[]={
221 /* "ALL" doesn't include eNULL (must be specifically enabled) */
222 {0,SSL_TXT_ALL,0, 0,0,~SSL_eNULL,0,0,0,0,0,0},
223 /* "COMPLEMENTOFALL" */
224 {0,SSL_TXT_CMPALL,0, 0,0,SSL_eNULL,0,0,0,0,0,0},
225
226 /* "COMPLEMENTOFDEFAULT" (does *not* include ciphersuites not found in ALL!) */
227 {0,SSL_TXT_CMPDEF,0, SSL_kEDH|SSL_kEECDH,SSL_aNULL,~SSL_eNULL,0,0,0,0,0,0},
228
229 /* key exchange aliases
230 * (some of those using only a single bit here combine
231 * multiple key exchange algs according to the RFCs,
232 * e.g. kEDH combines DHE_DSS and DHE_RSA) */
233 {0,SSL_TXT_kRSA,0, SSL_kRSA, 0,0,0,0,0,0,0,0},
234
235 {0,SSL_TXT_kDHr,0, SSL_kDHr, 0,0,0,0,0,0,0,0}, /* no such ciphersuites supported! */
236 {0,SSL_TXT_kDHd,0, SSL_kDHd, 0,0,0,0,0,0,0,0}, /* no such ciphersuites supported! */
237 {0,SSL_TXT_kDH,0, SSL_kDHr|SSL_kDHd,0,0,0,0,0,0,0,0}, /* no such ciphersuites supported! */
238 {0,SSL_TXT_kEDH,0, SSL_kEDH, 0,0,0,0,0,0,0,0},
239 {0,SSL_TXT_DH,0, SSL_kDHr|SSL_kDHd|SSL_kEDH,0,0,0,0,0,0,0,0},
240
241 {0,SSL_TXT_kKRB5,0, SSL_kKRB5, 0,0,0,0,0,0,0,0},
242
243 {0,SSL_TXT_kECDHr,0, SSL_kECDHr,0,0,0,0,0,0,0,0},
244 {0,SSL_TXT_kECDHe,0, SSL_kECDHe,0,0,0,0,0,0,0,0},
245 {0,SSL_TXT_kECDH,0, SSL_kECDHr|SSL_kECDHe,0,0,0,0,0,0,0,0},
246 {0,SSL_TXT_kEECDH,0, SSL_kEECDH,0,0,0,0,0,0,0,0},
247 {0,SSL_TXT_ECDH,0, SSL_kECDHr|SSL_kECDHe|SSL_kEECDH,0,0,0,0,0,0,0,0},
248
249 {0,SSL_TXT_kPSK,0, SSL_kPSK, 0,0,0,0,0,0,0,0},
250 {0,SSL_TXT_kGOST,0, SSL_kGOST,0,0,0,0,0,0,0,0},
251
252 /* server authentication aliases */
253 {0,SSL_TXT_aRSA,0, 0,SSL_aRSA, 0,0,0,0,0,0,0},
254 {0,SSL_TXT_aDSS,0, 0,SSL_aDSS, 0,0,0,0,0,0,0},
255 {0,SSL_TXT_DSS,0, 0,SSL_aDSS, 0,0,0,0,0,0,0},
256 {0,SSL_TXT_aKRB5,0, 0,SSL_aKRB5, 0,0,0,0,0,0,0},
257 {0,SSL_TXT_aNULL,0, 0,SSL_aNULL, 0,0,0,0,0,0,0},
258 {0,SSL_TXT_aDH,0, 0,SSL_aDH, 0,0,0,0,0,0,0}, /* no such ciphersuites supported! */
259 {0,SSL_TXT_aECDH,0, 0,SSL_aECDH, 0,0,0,0,0,0,0},
260 {0,SSL_TXT_aECDSA,0, 0,SSL_aECDSA,0,0,0,0,0,0,0},
261 {0,SSL_TXT_ECDSA,0, 0,SSL_aECDSA, 0,0,0,0,0,0,0},
262 {0,SSL_TXT_aPSK,0, 0,SSL_aPSK, 0,0,0,0,0,0,0},
263 {0,SSL_TXT_aGOST94,0,0,SSL_aGOST94,0,0,0,0,0,0,0},
264 {0,SSL_TXT_aGOST01,0,0,SSL_aGOST01,0,0,0,0,0,0,0},
265 {0,SSL_TXT_aGOST,0,0,SSL_aGOST94|SSL_aGOST01,0,0,0,0,0,0,0},
266
267 /* aliases combining key exchange and server authentication */
268 {0,SSL_TXT_EDH,0, SSL_kEDH,~SSL_aNULL,0,0,0,0,0,0,0},
269 {0,SSL_TXT_EECDH,0, SSL_kEECDH,~SSL_aNULL,0,0,0,0,0,0,0},
270 {0,SSL_TXT_NULL,0, 0,0,SSL_eNULL, 0,0,0,0,0,0},
271 {0,SSL_TXT_KRB5,0, SSL_kKRB5,SSL_aKRB5,0,0,0,0,0,0,0},
272 {0,SSL_TXT_RSA,0, SSL_kRSA,SSL_aRSA,0,0,0,0,0,0,0},
273 {0,SSL_TXT_ADH,0, SSL_kEDH,SSL_aNULL,0,0,0,0,0,0,0},
274 {0,SSL_TXT_AECDH,0, SSL_kEECDH,SSL_aNULL,0,0,0,0,0,0,0},
275 {0,SSL_TXT_PSK,0, SSL_kPSK,SSL_aPSK,0,0,0,0,0,0,0},
276
277
278 /* symmetric encryption aliases */
279 {0,SSL_TXT_DES,0, 0,0,SSL_DES, 0,0,0,0,0,0},
280 {0,SSL_TXT_3DES,0, 0,0,SSL_3DES, 0,0,0,0,0,0},
281 {0,SSL_TXT_RC4,0, 0,0,SSL_RC4, 0,0,0,0,0,0},
282 {0,SSL_TXT_RC2,0, 0,0,SSL_RC2, 0,0,0,0,0,0},
283 {0,SSL_TXT_IDEA,0, 0,0,SSL_IDEA, 0,0,0,0,0,0},
284 {0,SSL_TXT_SEED,0, 0,0,SSL_SEED, 0,0,0,0,0,0},
285 {0,SSL_TXT_eNULL,0, 0,0,SSL_eNULL, 0,0,0,0,0,0},
286 {0,SSL_TXT_AES128,0, 0,0,SSL_AES128,0,0,0,0,0,0},
287 {0,SSL_TXT_AES256,0, 0,0,SSL_AES256,0,0,0,0,0,0},
288 {0,SSL_TXT_AES,0, 0,0,SSL_AES128|SSL_AES256,0,0,0,0,0,0},
289 {0,SSL_TXT_CAMELLIA128,0,0,0,SSL_CAMELLIA128,0,0,0,0,0,0},
290 {0,SSL_TXT_CAMELLIA256,0,0,0,SSL_CAMELLIA256,0,0,0,0,0,0},
291 {0,SSL_TXT_CAMELLIA ,0,0,0,SSL_CAMELLIA128|SSL_CAMELLIA256,0,0,0,0,0,0},
292
293 /* MAC aliases */
294 {0,SSL_TXT_MD5,0, 0,0,0,SSL_MD5, 0,0,0,0,0},
295 {0,SSL_TXT_SHA1,0, 0,0,0,SSL_SHA1, 0,0,0,0,0},
296 {0,SSL_TXT_SHA,0, 0,0,0,SSL_SHA1, 0,0,0,0,0},
297 {0,SSL_TXT_GOST94,0, 0,0,0,SSL_GOST94, 0,0,0,0,0},
298 {0,SSL_TXT_GOST89MAC,0, 0,0,0,SSL_GOST89MAC, 0,0,0,0,0},
299
300 /* protocol version aliases */
301 {0,SSL_TXT_SSLV2,0, 0,0,0,0,SSL_SSLV2, 0,0,0,0},
302 {0,SSL_TXT_SSLV3,0, 0,0,0,0,SSL_SSLV3, 0,0,0,0},
303 {0,SSL_TXT_TLSV1,0, 0,0,0,0,SSL_TLSV1, 0,0,0,0},
304
305 /* export flag */
306 {0,SSL_TXT_EXP,0, 0,0,0,0,0,SSL_EXPORT,0,0,0},
307 {0,SSL_TXT_EXPORT,0, 0,0,0,0,0,SSL_EXPORT,0,0,0},
308
309 /* strength classes */
310 {0,SSL_TXT_EXP40,0, 0,0,0,0,0,SSL_EXP40, 0,0,0},
311 {0,SSL_TXT_EXP56,0, 0,0,0,0,0,SSL_EXP56, 0,0,0},
312 {0,SSL_TXT_LOW,0, 0,0,0,0,0,SSL_LOW, 0,0,0},
313 {0,SSL_TXT_MEDIUM,0, 0,0,0,0,0,SSL_MEDIUM,0,0,0},
314 {0,SSL_TXT_HIGH,0, 0,0,0,0,0,SSL_HIGH, 0,0,0},
315 /* FIPS 140-2 approved ciphersuite */
316 {0,SSL_TXT_FIPS,0, 0,0,~SSL_eNULL,0,0,SSL_FIPS, 0,0,0},
317 };
318/* Search for public key algorithm with given name and
319 * return its pkey_id if it is available. Otherwise return 0
320 */
321#ifdef OPENSSL_NO_ENGINE
322
323static int get_optional_pkey_id(const char *pkey_name)
324 {
325 const EVP_PKEY_ASN1_METHOD *ameth;
326 int pkey_id=0;
327 ameth = EVP_PKEY_asn1_find_str(NULL,pkey_name,-1);
328 if (ameth)
329 {
330 EVP_PKEY_asn1_get0_info(&pkey_id, NULL,NULL,NULL,NULL,ameth);
331 }
332 return pkey_id;
333 }
334
335#else
336
337static int get_optional_pkey_id(const char *pkey_name)
338 {
339 const EVP_PKEY_ASN1_METHOD *ameth;
340 ENGINE *tmpeng = NULL;
341 int pkey_id=0;
342 ameth = EVP_PKEY_asn1_find_str(&tmpeng,pkey_name,-1);
343 if (ameth)
344 {
345 EVP_PKEY_asn1_get0_info(&pkey_id, NULL,NULL,NULL,NULL,ameth);
346 }
347 if (tmpeng) ENGINE_finish(tmpeng);
348 return pkey_id;
349 }
350
351#endif
352
353void ssl_load_ciphers(void)
354 {
355 ssl_cipher_methods[SSL_ENC_DES_IDX]=
356 EVP_get_cipherbyname(SN_des_cbc);
357 ssl_cipher_methods[SSL_ENC_3DES_IDX]=
358 EVP_get_cipherbyname(SN_des_ede3_cbc);
359 ssl_cipher_methods[SSL_ENC_RC4_IDX]=
360 EVP_get_cipherbyname(SN_rc4);
361 ssl_cipher_methods[SSL_ENC_RC2_IDX]=
362 EVP_get_cipherbyname(SN_rc2_cbc);
363#ifndef OPENSSL_NO_IDEA
364 ssl_cipher_methods[SSL_ENC_IDEA_IDX]=
365 EVP_get_cipherbyname(SN_idea_cbc);
366#else
367 ssl_cipher_methods[SSL_ENC_IDEA_IDX]= NULL;
368#endif
369 ssl_cipher_methods[SSL_ENC_AES128_IDX]=
370 EVP_get_cipherbyname(SN_aes_128_cbc);
371 ssl_cipher_methods[SSL_ENC_AES256_IDX]=
372 EVP_get_cipherbyname(SN_aes_256_cbc);
373 ssl_cipher_methods[SSL_ENC_CAMELLIA128_IDX]=
374 EVP_get_cipherbyname(SN_camellia_128_cbc);
375 ssl_cipher_methods[SSL_ENC_CAMELLIA256_IDX]=
376 EVP_get_cipherbyname(SN_camellia_256_cbc);
377 ssl_cipher_methods[SSL_ENC_GOST89_IDX]=
378 EVP_get_cipherbyname(SN_gost89_cnt);
379 ssl_cipher_methods[SSL_ENC_SEED_IDX]=
380 EVP_get_cipherbyname(SN_seed_cbc);
381
382 ssl_digest_methods[SSL_MD_MD5_IDX]=
383 EVP_get_digestbyname(SN_md5);
384 ssl_mac_secret_size[SSL_MD_MD5_IDX]=
385 EVP_MD_size(ssl_digest_methods[SSL_MD_MD5_IDX]);
386 OPENSSL_assert(ssl_mac_secret_size[SSL_MD_MD5_IDX] >= 0);
387 ssl_digest_methods[SSL_MD_SHA1_IDX]=
388 EVP_get_digestbyname(SN_sha1);
389 ssl_mac_secret_size[SSL_MD_SHA1_IDX]=
390 EVP_MD_size(ssl_digest_methods[SSL_MD_SHA1_IDX]);
391 OPENSSL_assert(ssl_mac_secret_size[SSL_MD_SHA1_IDX] >= 0);
392 ssl_digest_methods[SSL_MD_GOST94_IDX]=
393 EVP_get_digestbyname(SN_id_GostR3411_94);
394 if (ssl_digest_methods[SSL_MD_GOST94_IDX])
395 {
396 ssl_mac_secret_size[SSL_MD_GOST94_IDX]=
397 EVP_MD_size(ssl_digest_methods[SSL_MD_GOST94_IDX]);
398 OPENSSL_assert(ssl_mac_secret_size[SSL_MD_GOST94_IDX] >= 0);
399 }
400 ssl_digest_methods[SSL_MD_GOST89MAC_IDX]=
401 EVP_get_digestbyname(SN_id_Gost28147_89_MAC);
402 ssl_mac_pkey_id[SSL_MD_GOST89MAC_IDX] = get_optional_pkey_id("gost-mac");
403 if (ssl_mac_pkey_id[SSL_MD_GOST89MAC_IDX]) {
404 ssl_mac_secret_size[SSL_MD_GOST89MAC_IDX]=32;
405 }
406
407 }
408#ifndef OPENSSL_NO_COMP
409
410static int sk_comp_cmp(const SSL_COMP * const *a,
411 const SSL_COMP * const *b)
412 {
413 return((*a)->id-(*b)->id);
414 }
415
416static void load_builtin_compressions(void)
417 {
418 int got_write_lock = 0;
419
420 CRYPTO_r_lock(CRYPTO_LOCK_SSL);
421 if (ssl_comp_methods == NULL)
422 {
423 CRYPTO_r_unlock(CRYPTO_LOCK_SSL);
424 CRYPTO_w_lock(CRYPTO_LOCK_SSL);
425 got_write_lock = 1;
426
427 if (ssl_comp_methods == NULL)
428 {
429 SSL_COMP *comp = NULL;
430
431 MemCheck_off();
432 ssl_comp_methods=sk_SSL_COMP_new(sk_comp_cmp);
433 if (ssl_comp_methods != NULL)
434 {
435 comp=(SSL_COMP *)OPENSSL_malloc(sizeof(SSL_COMP));
436 if (comp != NULL)
437 {
438 comp->method=COMP_zlib();
439 if (comp->method
440 && comp->method->type == NID_undef)
441 OPENSSL_free(comp);
442 else
443 {
444 comp->id=SSL_COMP_ZLIB_IDX;
445 comp->name=comp->method->name;
446 sk_SSL_COMP_push(ssl_comp_methods,comp);
447 }
448 }
449 sk_SSL_COMP_sort(ssl_comp_methods);
450 }
451 MemCheck_on();
452 }
453 }
454
455 if (got_write_lock)
456 CRYPTO_w_unlock(CRYPTO_LOCK_SSL);
457 else
458 CRYPTO_r_unlock(CRYPTO_LOCK_SSL);
459 }
460#endif
461
462int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
463 const EVP_MD **md, int *mac_pkey_type, int *mac_secret_size,SSL_COMP **comp)
464 {
465 int i;
466 const SSL_CIPHER *c;
467
468 c=s->cipher;
469 if (c == NULL) return(0);
470 if (comp != NULL)
471 {
472 SSL_COMP ctmp;
473#ifndef OPENSSL_NO_COMP
474 load_builtin_compressions();
475#endif
476
477 *comp=NULL;
478 ctmp.id=s->compress_meth;
479 if (ssl_comp_methods != NULL)
480 {
481 i=sk_SSL_COMP_find(ssl_comp_methods,&ctmp);
482 if (i >= 0)
483 *comp=sk_SSL_COMP_value(ssl_comp_methods,i);
484 else
485 *comp=NULL;
486 }
487 }
488
489 if ((enc == NULL) || (md == NULL)) return(0);
490
491 switch (c->algorithm_enc)
492 {
493 case SSL_DES:
494 i=SSL_ENC_DES_IDX;
495 break;
496 case SSL_3DES:
497 i=SSL_ENC_3DES_IDX;
498 break;
499 case SSL_RC4:
500 i=SSL_ENC_RC4_IDX;
501 break;
502 case SSL_RC2:
503 i=SSL_ENC_RC2_IDX;
504 break;
505 case SSL_IDEA:
506 i=SSL_ENC_IDEA_IDX;
507 break;
508 case SSL_eNULL:
509 i=SSL_ENC_NULL_IDX;
510 break;
511 case SSL_AES128:
512 i=SSL_ENC_AES128_IDX;
513 break;
514 case SSL_AES256:
515 i=SSL_ENC_AES256_IDX;
516 break;
517 case SSL_CAMELLIA128:
518 i=SSL_ENC_CAMELLIA128_IDX;
519 break;
520 case SSL_CAMELLIA256:
521 i=SSL_ENC_CAMELLIA256_IDX;
522 break;
523 case SSL_eGOST2814789CNT:
524 i=SSL_ENC_GOST89_IDX;
525 break;
526 case SSL_SEED:
527 i=SSL_ENC_SEED_IDX;
528 break;
529 default:
530 i= -1;
531 break;
532 }
533
534 if ((i < 0) || (i > SSL_ENC_NUM_IDX))
535 *enc=NULL;
536 else
537 {
538 if (i == SSL_ENC_NULL_IDX)
539 *enc=EVP_enc_null();
540 else
541 *enc=ssl_cipher_methods[i];
542 }
543
544 switch (c->algorithm_mac)
545 {
546 case SSL_MD5:
547 i=SSL_MD_MD5_IDX;
548 break;
549 case SSL_SHA1:
550 i=SSL_MD_SHA1_IDX;
551 break;
552 case SSL_GOST94:
553 i = SSL_MD_GOST94_IDX;
554 break;
555 case SSL_GOST89MAC:
556 i = SSL_MD_GOST89MAC_IDX;
557 break;
558 default:
559 i= -1;
560 break;
561 }
562 if ((i < 0) || (i > SSL_MD_NUM_IDX))
563 {
564 *md=NULL;
565 if (mac_pkey_type!=NULL) *mac_pkey_type = NID_undef;
566 if (mac_secret_size!=NULL) *mac_secret_size = 0;
567
568 }
569 else
570 {
571 *md=ssl_digest_methods[i];
572 if (mac_pkey_type!=NULL) *mac_pkey_type = ssl_mac_pkey_id[i];
573 if (mac_secret_size!=NULL) *mac_secret_size = ssl_mac_secret_size[i];
574 }
575
576 if ((*enc != NULL) && (*md != NULL) && (!mac_pkey_type||*mac_pkey_type != NID_undef))
577 return(1);
578 else
579 return(0);
580 }
581
582int ssl_get_handshake_digest(int idx, long *mask, const EVP_MD **md)
583{
584 if (idx <0||idx>=SSL_MD_NUM_IDX)
585 {
586 return 0;
587 }
588 if (ssl_handshake_digest_flag[idx]==0) return 0;
589 *mask = ssl_handshake_digest_flag[idx];
590 *md = ssl_digest_methods[idx];
591 return 1;
592}
593
594#define ITEM_SEP(a) \
595 (((a) == ':') || ((a) == ' ') || ((a) == ';') || ((a) == ','))
596
597static void ll_append_tail(CIPHER_ORDER **head, CIPHER_ORDER *curr,
598 CIPHER_ORDER **tail)
599 {
600 if (curr == *tail) return;
601 if (curr == *head)
602 *head=curr->next;
603 if (curr->prev != NULL)
604 curr->prev->next=curr->next;
605 if (curr->next != NULL)
606 curr->next->prev=curr->prev;
607 (*tail)->next=curr;
608 curr->prev= *tail;
609 curr->next=NULL;
610 *tail=curr;
611 }
612
613static void ll_append_head(CIPHER_ORDER **head, CIPHER_ORDER *curr,
614 CIPHER_ORDER **tail)
615 {
616 if (curr == *head) return;
617 if (curr == *tail)
618 *tail=curr->prev;
619 if (curr->next != NULL)
620 curr->next->prev=curr->prev;
621 if (curr->prev != NULL)
622 curr->prev->next=curr->next;
623 (*head)->prev=curr;
624 curr->next= *head;
625 curr->prev=NULL;
626 *head=curr;
627 }
628
629static void ssl_cipher_get_disabled(unsigned long *mkey, unsigned long *auth, unsigned long *enc, unsigned long *mac, unsigned long *ssl)
630 {
631 *mkey = 0;
632 *auth = 0;
633 *enc = 0;
634 *mac = 0;
635 *ssl = 0;
636
637#ifdef OPENSSL_NO_RSA
638 *mkey |= SSL_kRSA;
639 *auth |= SSL_aRSA;
640#endif
641#ifdef OPENSSL_NO_DSA
642 *auth |= SSL_aDSS;
643#endif
644 *mkey |= SSL_kDHr|SSL_kDHd; /* no such ciphersuites supported! */
645 *auth |= SSL_aDH;
646#ifdef OPENSSL_NO_DH
647 *mkey |= SSL_kDHr|SSL_kDHd|SSL_kEDH;
648 *auth |= SSL_aDH;
649#endif
650#ifdef OPENSSL_NO_KRB5
651 *mkey |= SSL_kKRB5;
652 *auth |= SSL_aKRB5;
653#endif
654#ifdef OPENSSL_NO_ECDSA
655 *auth |= SSL_aECDSA;
656#endif
657#ifdef OPENSSL_NO_ECDH
658 *mkey |= SSL_kECDHe|SSL_kECDHr;
659 *auth |= SSL_aECDH;
660#endif
661#ifdef OPENSSL_NO_PSK
662 *mkey |= SSL_kPSK;
663 *auth |= SSL_aPSK;
664#endif
665 /* Check for presence of GOST 34.10 algorithms, and if they
666 * do not present, disable appropriate auth and key exchange */
667 if (!get_optional_pkey_id("gost94")) {
668 *auth |= SSL_aGOST94;
669 }
670 if (!get_optional_pkey_id("gost2001")) {
671 *auth |= SSL_aGOST01;
672 }
673 /* Disable GOST key exchange if no GOST signature algs are available * */
674 if ((*auth & (SSL_aGOST94|SSL_aGOST01)) == (SSL_aGOST94|SSL_aGOST01)) {
675 *mkey |= SSL_kGOST;
676 }
677#ifdef SSL_FORBID_ENULL
678 *enc |= SSL_eNULL;
679#endif
680
681
682
683 *enc |= (ssl_cipher_methods[SSL_ENC_DES_IDX ] == NULL) ? SSL_DES :0;
684 *enc |= (ssl_cipher_methods[SSL_ENC_3DES_IDX] == NULL) ? SSL_3DES:0;
685 *enc |= (ssl_cipher_methods[SSL_ENC_RC4_IDX ] == NULL) ? SSL_RC4 :0;
686 *enc |= (ssl_cipher_methods[SSL_ENC_RC2_IDX ] == NULL) ? SSL_RC2 :0;
687 *enc |= (ssl_cipher_methods[SSL_ENC_IDEA_IDX] == NULL) ? SSL_IDEA:0;
688 *enc |= (ssl_cipher_methods[SSL_ENC_AES128_IDX] == NULL) ? SSL_AES128:0;
689 *enc |= (ssl_cipher_methods[SSL_ENC_AES256_IDX] == NULL) ? SSL_AES256:0;
690 *enc |= (ssl_cipher_methods[SSL_ENC_CAMELLIA128_IDX] == NULL) ? SSL_CAMELLIA128:0;
691 *enc |= (ssl_cipher_methods[SSL_ENC_CAMELLIA256_IDX] == NULL) ? SSL_CAMELLIA256:0;
692 *enc |= (ssl_cipher_methods[SSL_ENC_GOST89_IDX] == NULL) ? SSL_eGOST2814789CNT:0;
693 *enc |= (ssl_cipher_methods[SSL_ENC_SEED_IDX] == NULL) ? SSL_SEED:0;
694
695 *mac |= (ssl_digest_methods[SSL_MD_MD5_IDX ] == NULL) ? SSL_MD5 :0;
696 *mac |= (ssl_digest_methods[SSL_MD_SHA1_IDX] == NULL) ? SSL_SHA1:0;
697 *mac |= (ssl_digest_methods[SSL_MD_GOST94_IDX] == NULL) ? SSL_GOST94:0;
698 *mac |= (ssl_digest_methods[SSL_MD_GOST89MAC_IDX] == NULL || ssl_mac_pkey_id[SSL_MD_GOST89MAC_IDX]==NID_undef)? SSL_GOST89MAC:0;
699
700 }
701
702static void ssl_cipher_collect_ciphers(const SSL_METHOD *ssl_method,
703 int num_of_ciphers,
704 unsigned long disabled_mkey, unsigned long disabled_auth,
705 unsigned long disabled_enc, unsigned long disabled_mac,
706 unsigned long disabled_ssl,
707 CIPHER_ORDER *co_list,
708 CIPHER_ORDER **head_p, CIPHER_ORDER **tail_p)
709 {
710 int i, co_list_num;
711 const SSL_CIPHER *c;
712
713 /*
714 * We have num_of_ciphers descriptions compiled in, depending on the
715 * method selected (SSLv2 and/or SSLv3, TLSv1 etc).
716 * These will later be sorted in a linked list with at most num
717 * entries.
718 */
719
720 /* Get the initial list of ciphers */
721 co_list_num = 0; /* actual count of ciphers */
722 for (i = 0; i < num_of_ciphers; i++)
723 {
724 c = ssl_method->get_cipher(i);
725 /* drop those that use any of that is not available */
726 if ((c != NULL) && c->valid &&
727 !(c->algorithm_mkey & disabled_mkey) &&
728 !(c->algorithm_auth & disabled_auth) &&
729 !(c->algorithm_enc & disabled_enc) &&
730 !(c->algorithm_mac & disabled_mac) &&
731 !(c->algorithm_ssl & disabled_ssl))
732 {
733 co_list[co_list_num].cipher = c;
734 co_list[co_list_num].next = NULL;
735 co_list[co_list_num].prev = NULL;
736 co_list[co_list_num].active = 0;
737 co_list_num++;
738#ifdef KSSL_DEBUG
739 printf("\t%d: %s %lx %lx %lx\n",i,c->name,c->id,c->algorithm_mkey,c->algorithm_auth);
740#endif /* KSSL_DEBUG */
741 /*
742 if (!sk_push(ca_list,(char *)c)) goto err;
743 */
744 }
745 }
746
747 /*
748 * Prepare linked list from list entries
749 */
750 if (co_list_num > 0)
751 {
752 co_list[0].prev = NULL;
753
754 if (co_list_num > 1)
755 {
756 co_list[0].next = &co_list[1];
757
758 for (i = 1; i < co_list_num - 1; i++)
759 {
760 co_list[i].prev = &co_list[i - 1];
761 co_list[i].next = &co_list[i + 1];
762 }
763
764 co_list[co_list_num - 1].prev = &co_list[co_list_num - 2];
765 }
766
767 co_list[co_list_num - 1].next = NULL;
768
769 *head_p = &co_list[0];
770 *tail_p = &co_list[co_list_num - 1];
771 }
772 }
773
774static void ssl_cipher_collect_aliases(const SSL_CIPHER **ca_list,
775 int num_of_group_aliases,
776 unsigned long disabled_mkey, unsigned long disabled_auth,
777 unsigned long disabled_enc, unsigned long disabled_mac,
778 unsigned long disabled_ssl,
779 CIPHER_ORDER *head)
780 {
781 CIPHER_ORDER *ciph_curr;
782 const SSL_CIPHER **ca_curr;
783 int i;
784 unsigned long mask_mkey = ~disabled_mkey;
785 unsigned long mask_auth = ~disabled_auth;
786 unsigned long mask_enc = ~disabled_enc;
787 unsigned long mask_mac = ~disabled_mac;
788 unsigned long mask_ssl = ~disabled_ssl;
789
790 /*
791 * First, add the real ciphers as already collected
792 */
793 ciph_curr = head;
794 ca_curr = ca_list;
795 while (ciph_curr != NULL)
796 {
797 *ca_curr = ciph_curr->cipher;
798 ca_curr++;
799 ciph_curr = ciph_curr->next;
800 }
801
802 /*
803 * Now we add the available ones from the cipher_aliases[] table.
804 * They represent either one or more algorithms, some of which
805 * in any affected category must be supported (set in enabled_mask),
806 * or represent a cipher strength value (will be added in any case because algorithms=0).
807 */
808 for (i = 0; i < num_of_group_aliases; i++)
809 {
810 unsigned long algorithm_mkey = cipher_aliases[i].algorithm_mkey;
811 unsigned long algorithm_auth = cipher_aliases[i].algorithm_auth;
812 unsigned long algorithm_enc = cipher_aliases[i].algorithm_enc;
813 unsigned long algorithm_mac = cipher_aliases[i].algorithm_mac;
814 unsigned long algorithm_ssl = cipher_aliases[i].algorithm_ssl;
815
816 if (algorithm_mkey)
817 if ((algorithm_mkey & mask_mkey) == 0)
818 continue;
819
820 if (algorithm_auth)
821 if ((algorithm_auth & mask_auth) == 0)
822 continue;
823
824 if (algorithm_enc)
825 if ((algorithm_enc & mask_enc) == 0)
826 continue;
827
828 if (algorithm_mac)
829 if ((algorithm_mac & mask_mac) == 0)
830 continue;
831
832 if (algorithm_ssl)
833 if ((algorithm_ssl & mask_ssl) == 0)
834 continue;
835
836 *ca_curr = (SSL_CIPHER *)(cipher_aliases + i);
837 ca_curr++;
838 }
839
840 *ca_curr = NULL; /* end of list */
841 }
842
843static void ssl_cipher_apply_rule(unsigned long cipher_id,
844 unsigned long alg_mkey, unsigned long alg_auth,
845 unsigned long alg_enc, unsigned long alg_mac,
846 unsigned long alg_ssl,
847 unsigned long algo_strength,
848 int rule, int strength_bits,
849 CIPHER_ORDER **head_p, CIPHER_ORDER **tail_p)
850 {
851 CIPHER_ORDER *head, *tail, *curr, *curr2, *last;
852 const SSL_CIPHER *cp;
853 int reverse = 0;
854
855#ifdef CIPHER_DEBUG
856 printf("Applying rule %d with %08lx/%08lx/%08lx/%08lx/%08lx %08lx (%d)\n",
857 rule, alg_mkey, alg_auth, alg_enc, alg_mac, alg_ssl, algo_strength, strength_bits);
858#endif
859
860 if (rule == CIPHER_DEL)
861 reverse = 1; /* needed to maintain sorting between currently deleted ciphers */
862
863 head = *head_p;
864 tail = *tail_p;
865
866 if (reverse)
867 {
868 curr = tail;
869 last = head;
870 }
871 else
872 {
873 curr = head;
874 last = tail;
875 }
876
877 curr2 = curr;
878 for (;;)
879 {
880 if ((curr == NULL) || (curr == last)) break;
881 curr = curr2;
882 curr2 = reverse ? curr->prev : curr->next;
883
884 cp = curr->cipher;
885
886 /*
887 * Selection criteria is either the value of strength_bits
888 * or the algorithms used.
889 */
890 if (strength_bits >= 0)
891 {
892 if (strength_bits != cp->strength_bits)
893 continue;
894 }
895 else
896 {
897#ifdef CIPHER_DEBUG
898 printf("\nName: %s:\nAlgo = %08lx/%08lx/%08lx/%08lx/%08lx Algo_strength = %08lx\n", cp->name, cp->algorithm_mkey, cp->algorithm_auth, cp->algorithm_enc, cp->algorithm_mac, cp->algorithm_ssl, cp->algo_strength);
899#endif
900
901 if (alg_mkey && !(alg_mkey & cp->algorithm_mkey))
902 continue;
903 if (alg_auth && !(alg_auth & cp->algorithm_auth))
904 continue;
905 if (alg_enc && !(alg_enc & cp->algorithm_enc))
906 continue;
907 if (alg_mac && !(alg_mac & cp->algorithm_mac))
908 continue;
909 if (alg_ssl && !(alg_ssl & cp->algorithm_ssl))
910 continue;
911 if ((algo_strength & SSL_EXP_MASK) && !(algo_strength & SSL_EXP_MASK & cp->algo_strength))
912 continue;
913 if ((algo_strength & SSL_STRONG_MASK) && !(algo_strength & SSL_STRONG_MASK & cp->algo_strength))
914 continue;
915 }
916
917#ifdef CIPHER_DEBUG
918 printf("Action = %d\n", rule);
919#endif
920
921 /* add the cipher if it has not been added yet. */
922 if (rule == CIPHER_ADD)
923 {
924 /* reverse == 0 */
925 if (!curr->active)
926 {
927 ll_append_tail(&head, curr, &tail);
928 curr->active = 1;
929 }
930 }
931 /* Move the added cipher to this location */
932 else if (rule == CIPHER_ORD)
933 {
934 /* reverse == 0 */
935 if (curr->active)
936 {
937 ll_append_tail(&head, curr, &tail);
938 }
939 }
940 else if (rule == CIPHER_DEL)
941 {
942 /* reverse == 1 */
943 if (curr->active)
944 {
945 /* most recently deleted ciphersuites get best positions
946 * for any future CIPHER_ADD (note that the CIPHER_DEL loop
947 * works in reverse to maintain the order) */
948 ll_append_head(&head, curr, &tail);
949 curr->active = 0;
950 }
951 }
952 else if (rule == CIPHER_KILL)
953 {
954 /* reverse == 0 */
955 if (head == curr)
956 head = curr->next;
957 else
958 curr->prev->next = curr->next;
959 if (tail == curr)
960 tail = curr->prev;
961 curr->active = 0;
962 if (curr->next != NULL)
963 curr->next->prev = curr->prev;
964 if (curr->prev != NULL)
965 curr->prev->next = curr->next;
966 curr->next = NULL;
967 curr->prev = NULL;
968 }
969 }
970
971 *head_p = head;
972 *tail_p = tail;
973 }
974
975static int ssl_cipher_strength_sort(CIPHER_ORDER **head_p,
976 CIPHER_ORDER **tail_p)
977 {
978 int max_strength_bits, i, *number_uses;
979 CIPHER_ORDER *curr;
980
981 /*
982 * This routine sorts the ciphers with descending strength. The sorting
983 * must keep the pre-sorted sequence, so we apply the normal sorting
984 * routine as '+' movement to the end of the list.
985 */
986 max_strength_bits = 0;
987 curr = *head_p;
988 while (curr != NULL)
989 {
990 if (curr->active &&
991 (curr->cipher->strength_bits > max_strength_bits))
992 max_strength_bits = curr->cipher->strength_bits;
993 curr = curr->next;
994 }
995
996 number_uses = OPENSSL_malloc((max_strength_bits + 1) * sizeof(int));
997 if (!number_uses)
998 {
999 SSLerr(SSL_F_SSL_CIPHER_STRENGTH_SORT,ERR_R_MALLOC_FAILURE);
1000 return(0);
1001 }
1002 memset(number_uses, 0, (max_strength_bits + 1) * sizeof(int));
1003
1004 /*
1005 * Now find the strength_bits values actually used
1006 */
1007 curr = *head_p;
1008 while (curr != NULL)
1009 {
1010 if (curr->active)
1011 number_uses[curr->cipher->strength_bits]++;
1012 curr = curr->next;
1013 }
1014 /*
1015 * Go through the list of used strength_bits values in descending
1016 * order.
1017 */
1018 for (i = max_strength_bits; i >= 0; i--)
1019 if (number_uses[i] > 0)
1020 ssl_cipher_apply_rule(0, 0, 0, 0, 0, 0, 0, CIPHER_ORD, i, head_p, tail_p);
1021
1022 OPENSSL_free(number_uses);
1023 return(1);
1024 }
1025
1026static int ssl_cipher_process_rulestr(const char *rule_str,
1027 CIPHER_ORDER **head_p, CIPHER_ORDER **tail_p,
1028 const SSL_CIPHER **ca_list)
1029 {
1030 unsigned long alg_mkey, alg_auth, alg_enc, alg_mac, alg_ssl, algo_strength;
1031 const char *l, *buf;
1032 int j, multi, found, rule, retval, ok, buflen;
1033 unsigned long cipher_id = 0;
1034 char ch;
1035
1036 retval = 1;
1037 l = rule_str;
1038 for (;;)
1039 {
1040 ch = *l;
1041
1042 if (ch == '\0')
1043 break; /* done */
1044 if (ch == '-')
1045 { rule = CIPHER_DEL; l++; }
1046 else if (ch == '+')
1047 { rule = CIPHER_ORD; l++; }
1048 else if (ch == '!')
1049 { rule = CIPHER_KILL; l++; }
1050 else if (ch == '@')
1051 { rule = CIPHER_SPECIAL; l++; }
1052 else
1053 { rule = CIPHER_ADD; }
1054
1055 if (ITEM_SEP(ch))
1056 {
1057 l++;
1058 continue;
1059 }
1060
1061 alg_mkey = 0;
1062 alg_auth = 0;
1063 alg_enc = 0;
1064 alg_mac = 0;
1065 alg_ssl = 0;
1066 algo_strength = 0;
1067
1068 for (;;)
1069 {
1070 ch = *l;
1071 buf = l;
1072 buflen = 0;
1073#ifndef CHARSET_EBCDIC
1074 while ( ((ch >= 'A') && (ch <= 'Z')) ||
1075 ((ch >= '0') && (ch <= '9')) ||
1076 ((ch >= 'a') && (ch <= 'z')) ||
1077 (ch == '-'))
1078#else
1079 while ( isalnum(ch) || (ch == '-'))
1080#endif
1081 {
1082 ch = *(++l);
1083 buflen++;
1084 }
1085
1086 if (buflen == 0)
1087 {
1088 /*
1089 * We hit something we cannot deal with,
1090 * it is no command or separator nor
1091 * alphanumeric, so we call this an error.
1092 */
1093 SSLerr(SSL_F_SSL_CIPHER_PROCESS_RULESTR,
1094 SSL_R_INVALID_COMMAND);
1095 retval = found = 0;
1096 l++;
1097 break;
1098 }
1099
1100 if (rule == CIPHER_SPECIAL)
1101 {
1102 found = 0; /* unused -- avoid compiler warning */
1103 break; /* special treatment */
1104 }
1105
1106 /* check for multi-part specification */
1107 if (ch == '+')
1108 {
1109 multi=1;
1110 l++;
1111 }
1112 else
1113 multi=0;
1114
1115 /*
1116 * Now search for the cipher alias in the ca_list. Be careful
1117 * with the strncmp, because the "buflen" limitation
1118 * will make the rule "ADH:SOME" and the cipher
1119 * "ADH-MY-CIPHER" look like a match for buflen=3.
1120 * So additionally check whether the cipher name found
1121 * has the correct length. We can save a strlen() call:
1122 * just checking for the '\0' at the right place is
1123 * sufficient, we have to strncmp() anyway. (We cannot
1124 * use strcmp(), because buf is not '\0' terminated.)
1125 */
1126 j = found = 0;
1127 cipher_id = 0;
1128 while (ca_list[j])
1129 {
1130 if (!strncmp(buf, ca_list[j]->name, buflen) &&
1131 (ca_list[j]->name[buflen] == '\0'))
1132 {
1133 found = 1;
1134 break;
1135 }
1136 else
1137 j++;
1138 }
1139
1140 if (!found)
1141 break; /* ignore this entry */
1142
1143 if (ca_list[j]->algorithm_mkey)
1144 {
1145 if (alg_mkey)
1146 {
1147 alg_mkey &= ca_list[j]->algorithm_mkey;
1148 if (!alg_mkey) { found = 0; break; }
1149 }
1150 else
1151 alg_mkey = ca_list[j]->algorithm_mkey;
1152 }
1153
1154 if (ca_list[j]->algorithm_auth)
1155 {
1156 if (alg_auth)
1157 {
1158 alg_auth &= ca_list[j]->algorithm_auth;
1159 if (!alg_auth) { found = 0; break; }
1160 }
1161 else
1162 alg_auth = ca_list[j]->algorithm_auth;
1163 }
1164
1165 if (ca_list[j]->algorithm_enc)
1166 {
1167 if (alg_enc)
1168 {
1169 alg_enc &= ca_list[j]->algorithm_enc;
1170 if (!alg_enc) { found = 0; break; }
1171 }
1172 else
1173 alg_enc = ca_list[j]->algorithm_enc;
1174 }
1175
1176 if (ca_list[j]->algorithm_mac)
1177 {
1178 if (alg_mac)
1179 {
1180 alg_mac &= ca_list[j]->algorithm_mac;
1181 if (!alg_mac) { found = 0; break; }
1182 }
1183 else
1184 alg_mac = ca_list[j]->algorithm_mac;
1185 }
1186
1187 if (ca_list[j]->algo_strength & SSL_EXP_MASK)
1188 {
1189 if (algo_strength & SSL_EXP_MASK)
1190 {
1191 algo_strength &= (ca_list[j]->algo_strength & SSL_EXP_MASK) | ~SSL_EXP_MASK;
1192 if (!(algo_strength & SSL_EXP_MASK)) { found = 0; break; }
1193 }
1194 else
1195 algo_strength |= ca_list[j]->algo_strength & SSL_EXP_MASK;
1196 }
1197
1198 if (ca_list[j]->algo_strength & SSL_STRONG_MASK)
1199 {
1200 if (algo_strength & SSL_STRONG_MASK)
1201 {
1202 algo_strength &= (ca_list[j]->algo_strength & SSL_STRONG_MASK) | ~SSL_STRONG_MASK;
1203 if (!(algo_strength & SSL_STRONG_MASK)) { found = 0; break; }
1204 }
1205 else
1206 algo_strength |= ca_list[j]->algo_strength & SSL_STRONG_MASK;
1207 }
1208
1209 if (ca_list[j]->valid)
1210 {
1211 /* explicit ciphersuite found; its protocol version
1212 * does not become part of the search pattern!*/
1213
1214 cipher_id = ca_list[j]->id;
1215 }
1216 else
1217 {
1218 /* not an explicit ciphersuite; only in this case, the
1219 * protocol version is considered part of the search pattern */
1220
1221 if (ca_list[j]->algorithm_ssl)
1222 {
1223 if (alg_ssl)
1224 {
1225 alg_ssl &= ca_list[j]->algorithm_ssl;
1226 if (!alg_ssl) { found = 0; break; }
1227 }
1228 else
1229 alg_ssl = ca_list[j]->algorithm_ssl;
1230 }
1231 }
1232
1233 if (!multi) break;
1234 }
1235
1236 /*
1237 * Ok, we have the rule, now apply it
1238 */
1239 if (rule == CIPHER_SPECIAL)
1240 { /* special command */
1241 ok = 0;
1242 if ((buflen == 8) &&
1243 !strncmp(buf, "STRENGTH", 8))
1244 ok = ssl_cipher_strength_sort(head_p, tail_p);
1245 else
1246 SSLerr(SSL_F_SSL_CIPHER_PROCESS_RULESTR,
1247 SSL_R_INVALID_COMMAND);
1248 if (ok == 0)
1249 retval = 0;
1250 /*
1251 * We do not support any "multi" options
1252 * together with "@", so throw away the
1253 * rest of the command, if any left, until
1254 * end or ':' is found.
1255 */
1256 while ((*l != '\0') && !ITEM_SEP(*l))
1257 l++;
1258 }
1259 else if (found)
1260 {
1261 ssl_cipher_apply_rule(cipher_id,
1262 alg_mkey, alg_auth, alg_enc, alg_mac, alg_ssl, algo_strength,
1263 rule, -1, head_p, tail_p);
1264 }
1265 else
1266 {
1267 while ((*l != '\0') && !ITEM_SEP(*l))
1268 l++;
1269 }
1270 if (*l == '\0') break; /* done */
1271 }
1272
1273 return(retval);
1274 }
1275
1276STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
1277 STACK_OF(SSL_CIPHER) **cipher_list,
1278 STACK_OF(SSL_CIPHER) **cipher_list_by_id,
1279 const char *rule_str)
1280 {
1281 int ok, num_of_ciphers, num_of_alias_max, num_of_group_aliases;
1282 unsigned long disabled_mkey, disabled_auth, disabled_enc, disabled_mac, disabled_ssl;
1283 STACK_OF(SSL_CIPHER) *cipherstack, *tmp_cipher_list;
1284 const char *rule_p;
1285 CIPHER_ORDER *co_list = NULL, *head = NULL, *tail = NULL, *curr;
1286 const SSL_CIPHER **ca_list = NULL;
1287
1288 /*
1289 * Return with error if nothing to do.
1290 */
1291 if (rule_str == NULL || cipher_list == NULL || cipher_list_by_id == NULL)
1292 return NULL;
1293
1294 /*
1295 * To reduce the work to do we only want to process the compiled
1296 * in algorithms, so we first get the mask of disabled ciphers.
1297 */
1298 ssl_cipher_get_disabled(&disabled_mkey, &disabled_auth, &disabled_enc, &disabled_mac, &disabled_ssl);
1299
1300 /*
1301 * Now we have to collect the available ciphers from the compiled
1302 * in ciphers. We cannot get more than the number compiled in, so
1303 * it is used for allocation.
1304 */
1305 num_of_ciphers = ssl_method->num_ciphers();
1306#ifdef KSSL_DEBUG
1307 printf("ssl_create_cipher_list() for %d ciphers\n", num_of_ciphers);
1308#endif /* KSSL_DEBUG */
1309 co_list = (CIPHER_ORDER *)OPENSSL_malloc(sizeof(CIPHER_ORDER) * num_of_ciphers);
1310 if (co_list == NULL)
1311 {
1312 SSLerr(SSL_F_SSL_CREATE_CIPHER_LIST,ERR_R_MALLOC_FAILURE);
1313 return(NULL); /* Failure */
1314 }
1315
1316 ssl_cipher_collect_ciphers(ssl_method, num_of_ciphers,
1317 disabled_mkey, disabled_auth, disabled_enc, disabled_mac, disabled_ssl,
1318 co_list, &head, &tail);
1319
1320
1321 /* Now arrange all ciphers by preference: */
1322
1323 /* Everything else being equal, prefer ephemeral ECDH over other key exchange mechanisms */
1324 ssl_cipher_apply_rule(0, SSL_kEECDH, 0, 0, 0, 0, 0, CIPHER_ADD, -1, &head, &tail);
1325 ssl_cipher_apply_rule(0, SSL_kEECDH, 0, 0, 0, 0, 0, CIPHER_DEL, -1, &head, &tail);
1326
1327 /* AES is our preferred symmetric cipher */
1328 ssl_cipher_apply_rule(0, 0, 0, SSL_AES, 0, 0, 0, CIPHER_ADD, -1, &head, &tail);
1329
1330 /* Temporarily enable everything else for sorting */
1331 ssl_cipher_apply_rule(0, 0, 0, 0, 0, 0, 0, CIPHER_ADD, -1, &head, &tail);
1332
1333 /* Low priority for MD5 */
1334 ssl_cipher_apply_rule(0, 0, 0, 0, SSL_MD5, 0, 0, CIPHER_ORD, -1, &head, &tail);
1335
1336 /* Move anonymous ciphers to the end. Usually, these will remain disabled.
1337 * (For applications that allow them, they aren't too bad, but we prefer
1338 * authenticated ciphers.) */
1339 ssl_cipher_apply_rule(0, 0, SSL_aNULL, 0, 0, 0, 0, CIPHER_ORD, -1, &head, &tail);
1340
1341 /* Move ciphers without forward secrecy to the end */
1342 ssl_cipher_apply_rule(0, 0, SSL_aECDH, 0, 0, 0, 0, CIPHER_ORD, -1, &head, &tail);
1343 /* ssl_cipher_apply_rule(0, 0, SSL_aDH, 0, 0, 0, 0, CIPHER_ORD, -1, &head, &tail); */
1344 ssl_cipher_apply_rule(0, SSL_kRSA, 0, 0, 0, 0, 0, CIPHER_ORD, -1, &head, &tail);
1345 ssl_cipher_apply_rule(0, SSL_kPSK, 0,0, 0, 0, 0, CIPHER_ORD, -1, &head, &tail);
1346 ssl_cipher_apply_rule(0, SSL_kKRB5, 0,0, 0, 0, 0, CIPHER_ORD, -1, &head, &tail);
1347
1348 /* RC4 is sort-of broken -- move the the end */
1349 ssl_cipher_apply_rule(0, 0, 0, SSL_RC4, 0, 0, 0, CIPHER_ORD, -1, &head, &tail);
1350
1351 /* Now sort by symmetric encryption strength. The above ordering remains
1352 * in force within each class */
1353 if (!ssl_cipher_strength_sort(&head, &tail))
1354 {
1355 OPENSSL_free(co_list);
1356 return NULL;
1357 }
1358
1359 /* Now disable everything (maintaining the ordering!) */
1360 ssl_cipher_apply_rule(0, 0, 0, 0, 0, 0, 0, CIPHER_DEL, -1, &head, &tail);
1361
1362
1363 /*
1364 * We also need cipher aliases for selecting based on the rule_str.
1365 * There might be two types of entries in the rule_str: 1) names
1366 * of ciphers themselves 2) aliases for groups of ciphers.
1367 * For 1) we need the available ciphers and for 2) the cipher
1368 * groups of cipher_aliases added together in one list (otherwise
1369 * we would be happy with just the cipher_aliases table).
1370 */
1371 num_of_group_aliases = sizeof(cipher_aliases) / sizeof(SSL_CIPHER);
1372 num_of_alias_max = num_of_ciphers + num_of_group_aliases + 1;
1373 ca_list = OPENSSL_malloc(sizeof(SSL_CIPHER *) * num_of_alias_max);
1374 if (ca_list == NULL)
1375 {
1376 OPENSSL_free(co_list);
1377 SSLerr(SSL_F_SSL_CREATE_CIPHER_LIST,ERR_R_MALLOC_FAILURE);
1378 return(NULL); /* Failure */
1379 }
1380 ssl_cipher_collect_aliases(ca_list, num_of_group_aliases,
1381 disabled_mkey, disabled_auth, disabled_enc,
1382 disabled_mac, disabled_ssl, head);
1383
1384 /*
1385 * If the rule_string begins with DEFAULT, apply the default rule
1386 * before using the (possibly available) additional rules.
1387 */
1388 ok = 1;
1389 rule_p = rule_str;
1390 if (strncmp(rule_str,"DEFAULT",7) == 0)
1391 {
1392 ok = ssl_cipher_process_rulestr(SSL_DEFAULT_CIPHER_LIST,
1393 &head, &tail, ca_list);
1394 rule_p += 7;
1395 if (*rule_p == ':')
1396 rule_p++;
1397 }
1398
1399 if (ok && (strlen(rule_p) > 0))
1400 ok = ssl_cipher_process_rulestr(rule_p, &head, &tail, ca_list);
1401
1402 OPENSSL_free((void *)ca_list); /* Not needed anymore */
1403
1404 if (!ok)
1405 { /* Rule processing failure */
1406 OPENSSL_free(co_list);
1407 return(NULL);
1408 }
1409
1410 /*
1411 * Allocate new "cipherstack" for the result, return with error
1412 * if we cannot get one.
1413 */
1414 if ((cipherstack = sk_SSL_CIPHER_new_null()) == NULL)
1415 {
1416 OPENSSL_free(co_list);
1417 return(NULL);
1418 }
1419
1420 /*
1421 * The cipher selection for the list is done. The ciphers are added
1422 * to the resulting precedence to the STACK_OF(SSL_CIPHER).
1423 */
1424 for (curr = head; curr != NULL; curr = curr->next)
1425 {
1426 if (curr->active)
1427 {
1428 sk_SSL_CIPHER_push(cipherstack, curr->cipher);
1429#ifdef CIPHER_DEBUG
1430 printf("<%s>\n",curr->cipher->name);
1431#endif
1432 }
1433 }
1434 OPENSSL_free(co_list); /* Not needed any longer */
1435
1436 tmp_cipher_list = sk_SSL_CIPHER_dup(cipherstack);
1437 if (tmp_cipher_list == NULL)
1438 {
1439 sk_SSL_CIPHER_free(cipherstack);
1440 return NULL;
1441 }
1442 if (*cipher_list != NULL)
1443 sk_SSL_CIPHER_free(*cipher_list);
1444 *cipher_list = cipherstack;
1445 if (*cipher_list_by_id != NULL)
1446 sk_SSL_CIPHER_free(*cipher_list_by_id);
1447 *cipher_list_by_id = tmp_cipher_list;
1448 (void)sk_SSL_CIPHER_set_cmp_func(*cipher_list_by_id,ssl_cipher_ptr_id_cmp);
1449
1450 sk_SSL_CIPHER_sort(*cipher_list_by_id);
1451 return(cipherstack);
1452 }
1453
1454char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
1455 {
1456 int is_export,pkl,kl;
1457 const char *ver,*exp_str;
1458 const char *kx,*au,*enc,*mac;
1459 unsigned long alg_mkey,alg_auth,alg_enc,alg_mac,alg_ssl,alg2;
1460#ifdef KSSL_DEBUG
1461 static const char *format="%-23s %s Kx=%-8s Au=%-4s Enc=%-9s Mac=%-4s%s AL=%lx/%lx/%lx/%lx/%lx\n";
1462#else
1463 static const char *format="%-23s %s Kx=%-8s Au=%-4s Enc=%-9s Mac=%-4s%s\n";
1464#endif /* KSSL_DEBUG */
1465
1466 alg_mkey = cipher->algorithm_mkey;
1467 alg_auth = cipher->algorithm_auth;
1468 alg_enc = cipher->algorithm_enc;
1469 alg_mac = cipher->algorithm_mac;
1470 alg_ssl = cipher->algorithm_ssl;
1471
1472 alg2=cipher->algorithm2;
1473
1474 is_export=SSL_C_IS_EXPORT(cipher);
1475 pkl=SSL_C_EXPORT_PKEYLENGTH(cipher);
1476 kl=SSL_C_EXPORT_KEYLENGTH(cipher);
1477 exp_str=is_export?" export":"";
1478
1479 if (alg_ssl & SSL_SSLV2)
1480 ver="SSLv2";
1481 else if (alg_ssl & SSL_SSLV3)
1482 ver="SSLv3";
1483 else
1484 ver="unknown";
1485
1486 switch (alg_mkey)
1487 {
1488 case SSL_kRSA:
1489 kx=is_export?(pkl == 512 ? "RSA(512)" : "RSA(1024)"):"RSA";
1490 break;
1491 case SSL_kDHr:
1492 kx="DH/RSA";
1493 break;
1494 case SSL_kDHd:
1495 kx="DH/DSS";
1496 break;
1497 case SSL_kKRB5:
1498 kx="KRB5";
1499 break;
1500 case SSL_kEDH:
1501 kx=is_export?(pkl == 512 ? "DH(512)" : "DH(1024)"):"DH";
1502 break;
1503 case SSL_kECDHr:
1504 kx="ECDH/RSA";
1505 break;
1506 case SSL_kECDHe:
1507 kx="ECDH/ECDSA";
1508 break;
1509 case SSL_kEECDH:
1510 kx="ECDH";
1511 break;
1512 case SSL_kPSK:
1513 kx="PSK";
1514 break;
1515 default:
1516 kx="unknown";
1517 }
1518
1519 switch (alg_auth)
1520 {
1521 case SSL_aRSA:
1522 au="RSA";
1523 break;
1524 case SSL_aDSS:
1525 au="DSS";
1526 break;
1527 case SSL_aDH:
1528 au="DH";
1529 break;
1530 case SSL_aKRB5:
1531 au="KRB5";
1532 break;
1533 case SSL_aECDH:
1534 au="ECDH";
1535 break;
1536 case SSL_aNULL:
1537 au="None";
1538 break;
1539 case SSL_aECDSA:
1540 au="ECDSA";
1541 break;
1542 case SSL_aPSK:
1543 au="PSK";
1544 break;
1545 default:
1546 au="unknown";
1547 break;
1548 }
1549
1550 switch (alg_enc)
1551 {
1552 case SSL_DES:
1553 enc=(is_export && kl == 5)?"DES(40)":"DES(56)";
1554 break;
1555 case SSL_3DES:
1556 enc="3DES(168)";
1557 break;
1558 case SSL_RC4:
1559 enc=is_export?(kl == 5 ? "RC4(40)" : "RC4(56)")
1560 :((alg2&SSL2_CF_8_BYTE_ENC)?"RC4(64)":"RC4(128)");
1561 break;
1562 case SSL_RC2:
1563 enc=is_export?(kl == 5 ? "RC2(40)" : "RC2(56)"):"RC2(128)";
1564 break;
1565 case SSL_IDEA:
1566 enc="IDEA(128)";
1567 break;
1568 case SSL_eNULL:
1569 enc="None";
1570 break;
1571 case SSL_AES128:
1572 enc="AES(128)";
1573 break;
1574 case SSL_AES256:
1575 enc="AES(256)";
1576 break;
1577 case SSL_CAMELLIA128:
1578 enc="Camellia(128)";
1579 break;
1580 case SSL_CAMELLIA256:
1581 enc="Camellia(256)";
1582 break;
1583 case SSL_SEED:
1584 enc="SEED(128)";
1585 break;
1586 default:
1587 enc="unknown";
1588 break;
1589 }
1590
1591 switch (alg_mac)
1592 {
1593 case SSL_MD5:
1594 mac="MD5";
1595 break;
1596 case SSL_SHA1:
1597 mac="SHA1";
1598 break;
1599 default:
1600 mac="unknown";
1601 break;
1602 }
1603
1604 if (buf == NULL)
1605 {
1606 len=128;
1607 buf=OPENSSL_malloc(len);
1608 if (buf == NULL) return("OPENSSL_malloc Error");
1609 }
1610 else if (len < 128)
1611 return("Buffer too small");
1612
1613#ifdef KSSL_DEBUG
1614 BIO_snprintf(buf,len,format,cipher->name,ver,kx,au,enc,mac,exp_str,alg_mkey,alg_auth,alg_enc,alg_mac,alg_ssl);
1615#else
1616 BIO_snprintf(buf,len,format,cipher->name,ver,kx,au,enc,mac,exp_str);
1617#endif /* KSSL_DEBUG */
1618 return(buf);
1619 }
1620
1621char *SSL_CIPHER_get_version(const SSL_CIPHER *c)
1622 {
1623 int i;
1624
1625 if (c == NULL) return("(NONE)");
1626 i=(int)(c->id>>24L);
1627 if (i == 3)
1628 return("TLSv1/SSLv3");
1629 else if (i == 2)
1630 return("SSLv2");
1631 else
1632 return("unknown");
1633 }
1634
1635/* return the actual cipher being used */
1636const char *SSL_CIPHER_get_name(const SSL_CIPHER *c)
1637 {
1638 if (c != NULL)
1639 return(c->name);
1640 return("(NONE)");
1641 }
1642
1643/* number of bits for symmetric cipher */
1644int SSL_CIPHER_get_bits(const SSL_CIPHER *c, int *alg_bits)
1645 {
1646 int ret=0;
1647
1648 if (c != NULL)
1649 {
1650 if (alg_bits != NULL) *alg_bits = c->alg_bits;
1651 ret = c->strength_bits;
1652 }
1653 return(ret);
1654 }
1655
1656SSL_COMP *ssl3_comp_find(STACK_OF(SSL_COMP) *sk, int n)
1657 {
1658 SSL_COMP *ctmp;
1659 int i,nn;
1660
1661 if ((n == 0) || (sk == NULL)) return(NULL);
1662 nn=sk_SSL_COMP_num(sk);
1663 for (i=0; i<nn; i++)
1664 {
1665 ctmp=sk_SSL_COMP_value(sk,i);
1666 if (ctmp->id == n)
1667 return(ctmp);
1668 }
1669 return(NULL);
1670 }
1671
1672#ifdef OPENSSL_NO_COMP
1673void *SSL_COMP_get_compression_methods(void)
1674 {
1675 return NULL;
1676 }
1677int SSL_COMP_add_compression_method(int id, void *cm)
1678 {
1679 return 1;
1680 }
1681
1682const char *SSL_COMP_get_name(const void *comp)
1683 {
1684 return NULL;
1685 }
1686#else
1687STACK_OF(SSL_COMP) *SSL_COMP_get_compression_methods(void)
1688 {
1689 load_builtin_compressions();
1690 return(ssl_comp_methods);
1691 }
1692
1693int SSL_COMP_add_compression_method(int id, COMP_METHOD *cm)
1694 {
1695 SSL_COMP *comp;
1696
1697 if (cm == NULL || cm->type == NID_undef)
1698 return 1;
1699
1700 /* According to draft-ietf-tls-compression-04.txt, the
1701 compression number ranges should be the following:
1702
1703 0 to 63: methods defined by the IETF
1704 64 to 192: external party methods assigned by IANA
1705 193 to 255: reserved for private use */
1706 if (id < 193 || id > 255)
1707 {
1708 SSLerr(SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD,SSL_R_COMPRESSION_ID_NOT_WITHIN_PRIVATE_RANGE);
1709 return 0;
1710 }
1711
1712 MemCheck_off();
1713 comp=(SSL_COMP *)OPENSSL_malloc(sizeof(SSL_COMP));
1714 comp->id=id;
1715 comp->method=cm;
1716 load_builtin_compressions();
1717 if (ssl_comp_methods
1718 && sk_SSL_COMP_find(ssl_comp_methods,comp) >= 0)
1719 {
1720 OPENSSL_free(comp);
1721 MemCheck_on();
1722 SSLerr(SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD,SSL_R_DUPLICATE_COMPRESSION_ID);
1723 return(1);
1724 }
1725 else if ((ssl_comp_methods == NULL)
1726 || !sk_SSL_COMP_push(ssl_comp_methods,comp))
1727 {
1728 OPENSSL_free(comp);
1729 MemCheck_on();
1730 SSLerr(SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD,ERR_R_MALLOC_FAILURE);
1731 return(1);
1732 }
1733 else
1734 {
1735 MemCheck_on();
1736 return(0);
1737 }
1738 }
1739
1740const char *SSL_COMP_get_name(const COMP_METHOD *comp)
1741 {
1742 if (comp)
1743 return comp->name;
1744 return NULL;
1745 }
1746
1747#endif
diff --git a/src/lib/libssl/ssl_err.c b/src/lib/libssl/ssl_err.c
deleted file mode 100644
index e9be77109f..0000000000
--- a/src/lib/libssl/ssl_err.c
+++ /dev/null
@@ -1,573 +0,0 @@
1/* ssl/ssl_err.c */
2/* ====================================================================
3 * Copyright (c) 1999-2011 The OpenSSL Project. All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 *
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
11 *
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in
14 * the documentation and/or other materials provided with the
15 * distribution.
16 *
17 * 3. All advertising materials mentioning features or use of this
18 * software must display the following acknowledgment:
19 * "This product includes software developed by the OpenSSL Project
20 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
21 *
22 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
23 * endorse or promote products derived from this software without
24 * prior written permission. For written permission, please contact
25 * openssl-core@OpenSSL.org.
26 *
27 * 5. Products derived from this software may not be called "OpenSSL"
28 * nor may "OpenSSL" appear in their names without prior written
29 * permission of the OpenSSL Project.
30 *
31 * 6. Redistributions of any form whatsoever must retain the following
32 * acknowledgment:
33 * "This product includes software developed by the OpenSSL Project
34 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
35 *
36 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
37 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
38 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
39 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
40 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
41 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
42 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
43 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
44 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
45 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
46 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
47 * OF THE POSSIBILITY OF SUCH DAMAGE.
48 * ====================================================================
49 *
50 * This product includes cryptographic software written by Eric Young
51 * (eay@cryptsoft.com). This product includes software written by Tim
52 * Hudson (tjh@cryptsoft.com).
53 *
54 */
55
56/* NOTE: this file was auto generated by the mkerr.pl script: any changes
57 * made to it will be overwritten when the script next updates this file,
58 * only reason strings will be preserved.
59 */
60
61#include <stdio.h>
62#include <openssl/err.h>
63#include <openssl/ssl.h>
64
65/* BEGIN ERROR CODES */
66#ifndef OPENSSL_NO_ERR
67
68#define ERR_FUNC(func) ERR_PACK(ERR_LIB_SSL,func,0)
69#define ERR_REASON(reason) ERR_PACK(ERR_LIB_SSL,0,reason)
70
71static ERR_STRING_DATA SSL_str_functs[]=
72 {
73{ERR_FUNC(SSL_F_CLIENT_CERTIFICATE), "CLIENT_CERTIFICATE"},
74{ERR_FUNC(SSL_F_CLIENT_FINISHED), "CLIENT_FINISHED"},
75{ERR_FUNC(SSL_F_CLIENT_HELLO), "CLIENT_HELLO"},
76{ERR_FUNC(SSL_F_CLIENT_MASTER_KEY), "CLIENT_MASTER_KEY"},
77{ERR_FUNC(SSL_F_D2I_SSL_SESSION), "d2i_SSL_SESSION"},
78{ERR_FUNC(SSL_F_DO_DTLS1_WRITE), "DO_DTLS1_WRITE"},
79{ERR_FUNC(SSL_F_DO_SSL3_WRITE), "DO_SSL3_WRITE"},
80{ERR_FUNC(SSL_F_DTLS1_ACCEPT), "DTLS1_ACCEPT"},
81{ERR_FUNC(SSL_F_DTLS1_ADD_CERT_TO_BUF), "DTLS1_ADD_CERT_TO_BUF"},
82{ERR_FUNC(SSL_F_DTLS1_BUFFER_RECORD), "DTLS1_BUFFER_RECORD"},
83{ERR_FUNC(SSL_F_DTLS1_CLIENT_HELLO), "DTLS1_CLIENT_HELLO"},
84{ERR_FUNC(SSL_F_DTLS1_CONNECT), "DTLS1_CONNECT"},
85{ERR_FUNC(SSL_F_DTLS1_ENC), "DTLS1_ENC"},
86{ERR_FUNC(SSL_F_DTLS1_GET_HELLO_VERIFY), "DTLS1_GET_HELLO_VERIFY"},
87{ERR_FUNC(SSL_F_DTLS1_GET_MESSAGE), "DTLS1_GET_MESSAGE"},
88{ERR_FUNC(SSL_F_DTLS1_GET_MESSAGE_FRAGMENT), "DTLS1_GET_MESSAGE_FRAGMENT"},
89{ERR_FUNC(SSL_F_DTLS1_GET_RECORD), "DTLS1_GET_RECORD"},
90{ERR_FUNC(SSL_F_DTLS1_HANDLE_TIMEOUT), "DTLS1_HANDLE_TIMEOUT"},
91{ERR_FUNC(SSL_F_DTLS1_OUTPUT_CERT_CHAIN), "DTLS1_OUTPUT_CERT_CHAIN"},
92{ERR_FUNC(SSL_F_DTLS1_PREPROCESS_FRAGMENT), "DTLS1_PREPROCESS_FRAGMENT"},
93{ERR_FUNC(SSL_F_DTLS1_PROCESS_OUT_OF_SEQ_MESSAGE), "DTLS1_PROCESS_OUT_OF_SEQ_MESSAGE"},
94{ERR_FUNC(SSL_F_DTLS1_PROCESS_RECORD), "DTLS1_PROCESS_RECORD"},
95{ERR_FUNC(SSL_F_DTLS1_READ_BYTES), "DTLS1_READ_BYTES"},
96{ERR_FUNC(SSL_F_DTLS1_READ_FAILED), "DTLS1_READ_FAILED"},
97{ERR_FUNC(SSL_F_DTLS1_SEND_CERTIFICATE_REQUEST), "DTLS1_SEND_CERTIFICATE_REQUEST"},
98{ERR_FUNC(SSL_F_DTLS1_SEND_CLIENT_CERTIFICATE), "DTLS1_SEND_CLIENT_CERTIFICATE"},
99{ERR_FUNC(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE), "DTLS1_SEND_CLIENT_KEY_EXCHANGE"},
100{ERR_FUNC(SSL_F_DTLS1_SEND_CLIENT_VERIFY), "DTLS1_SEND_CLIENT_VERIFY"},
101{ERR_FUNC(SSL_F_DTLS1_SEND_HELLO_VERIFY_REQUEST), "DTLS1_SEND_HELLO_VERIFY_REQUEST"},
102{ERR_FUNC(SSL_F_DTLS1_SEND_SERVER_CERTIFICATE), "DTLS1_SEND_SERVER_CERTIFICATE"},
103{ERR_FUNC(SSL_F_DTLS1_SEND_SERVER_HELLO), "DTLS1_SEND_SERVER_HELLO"},
104{ERR_FUNC(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE), "DTLS1_SEND_SERVER_KEY_EXCHANGE"},
105{ERR_FUNC(SSL_F_DTLS1_WRITE_APP_DATA_BYTES), "DTLS1_WRITE_APP_DATA_BYTES"},
106{ERR_FUNC(SSL_F_GET_CLIENT_FINISHED), "GET_CLIENT_FINISHED"},
107{ERR_FUNC(SSL_F_GET_CLIENT_HELLO), "GET_CLIENT_HELLO"},
108{ERR_FUNC(SSL_F_GET_CLIENT_MASTER_KEY), "GET_CLIENT_MASTER_KEY"},
109{ERR_FUNC(SSL_F_GET_SERVER_FINISHED), "GET_SERVER_FINISHED"},
110{ERR_FUNC(SSL_F_GET_SERVER_HELLO), "GET_SERVER_HELLO"},
111{ERR_FUNC(SSL_F_GET_SERVER_VERIFY), "GET_SERVER_VERIFY"},
112{ERR_FUNC(SSL_F_I2D_SSL_SESSION), "i2d_SSL_SESSION"},
113{ERR_FUNC(SSL_F_READ_N), "READ_N"},
114{ERR_FUNC(SSL_F_REQUEST_CERTIFICATE), "REQUEST_CERTIFICATE"},
115{ERR_FUNC(SSL_F_SERVER_FINISH), "SERVER_FINISH"},
116{ERR_FUNC(SSL_F_SERVER_HELLO), "SERVER_HELLO"},
117{ERR_FUNC(SSL_F_SERVER_VERIFY), "SERVER_VERIFY"},
118{ERR_FUNC(SSL_F_SSL23_ACCEPT), "SSL23_ACCEPT"},
119{ERR_FUNC(SSL_F_SSL23_CLIENT_HELLO), "SSL23_CLIENT_HELLO"},
120{ERR_FUNC(SSL_F_SSL23_CONNECT), "SSL23_CONNECT"},
121{ERR_FUNC(SSL_F_SSL23_GET_CLIENT_HELLO), "SSL23_GET_CLIENT_HELLO"},
122{ERR_FUNC(SSL_F_SSL23_GET_SERVER_HELLO), "SSL23_GET_SERVER_HELLO"},
123{ERR_FUNC(SSL_F_SSL23_PEEK), "SSL23_PEEK"},
124{ERR_FUNC(SSL_F_SSL23_READ), "SSL23_READ"},
125{ERR_FUNC(SSL_F_SSL23_WRITE), "SSL23_WRITE"},
126{ERR_FUNC(SSL_F_SSL2_ACCEPT), "SSL2_ACCEPT"},
127{ERR_FUNC(SSL_F_SSL2_CONNECT), "SSL2_CONNECT"},
128{ERR_FUNC(SSL_F_SSL2_ENC_INIT), "SSL2_ENC_INIT"},
129{ERR_FUNC(SSL_F_SSL2_GENERATE_KEY_MATERIAL), "SSL2_GENERATE_KEY_MATERIAL"},
130{ERR_FUNC(SSL_F_SSL2_PEEK), "SSL2_PEEK"},
131{ERR_FUNC(SSL_F_SSL2_READ), "SSL2_READ"},
132{ERR_FUNC(SSL_F_SSL2_READ_INTERNAL), "SSL2_READ_INTERNAL"},
133{ERR_FUNC(SSL_F_SSL2_SET_CERTIFICATE), "SSL2_SET_CERTIFICATE"},
134{ERR_FUNC(SSL_F_SSL2_WRITE), "SSL2_WRITE"},
135{ERR_FUNC(SSL_F_SSL3_ACCEPT), "SSL3_ACCEPT"},
136{ERR_FUNC(SSL_F_SSL3_ADD_CERT_TO_BUF), "SSL3_ADD_CERT_TO_BUF"},
137{ERR_FUNC(SSL_F_SSL3_CALLBACK_CTRL), "SSL3_CALLBACK_CTRL"},
138{ERR_FUNC(SSL_F_SSL3_CHANGE_CIPHER_STATE), "SSL3_CHANGE_CIPHER_STATE"},
139{ERR_FUNC(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM), "SSL3_CHECK_CERT_AND_ALGORITHM"},
140{ERR_FUNC(SSL_F_SSL3_CHECK_CLIENT_HELLO), "SSL3_CHECK_CLIENT_HELLO"},
141{ERR_FUNC(SSL_F_SSL3_CLIENT_HELLO), "SSL3_CLIENT_HELLO"},
142{ERR_FUNC(SSL_F_SSL3_CONNECT), "SSL3_CONNECT"},
143{ERR_FUNC(SSL_F_SSL3_CTRL), "SSL3_CTRL"},
144{ERR_FUNC(SSL_F_SSL3_CTX_CTRL), "SSL3_CTX_CTRL"},
145{ERR_FUNC(SSL_F_SSL3_DIGEST_CACHED_RECORDS), "SSL3_DIGEST_CACHED_RECORDS"},
146{ERR_FUNC(SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC), "SSL3_DO_CHANGE_CIPHER_SPEC"},
147{ERR_FUNC(SSL_F_SSL3_ENC), "SSL3_ENC"},
148{ERR_FUNC(SSL_F_SSL3_GENERATE_KEY_BLOCK), "SSL3_GENERATE_KEY_BLOCK"},
149{ERR_FUNC(SSL_F_SSL3_GET_CERTIFICATE_REQUEST), "SSL3_GET_CERTIFICATE_REQUEST"},
150{ERR_FUNC(SSL_F_SSL3_GET_CERT_STATUS), "SSL3_GET_CERT_STATUS"},
151{ERR_FUNC(SSL_F_SSL3_GET_CERT_VERIFY), "SSL3_GET_CERT_VERIFY"},
152{ERR_FUNC(SSL_F_SSL3_GET_CLIENT_CERTIFICATE), "SSL3_GET_CLIENT_CERTIFICATE"},
153{ERR_FUNC(SSL_F_SSL3_GET_CLIENT_HELLO), "SSL3_GET_CLIENT_HELLO"},
154{ERR_FUNC(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE), "SSL3_GET_CLIENT_KEY_EXCHANGE"},
155{ERR_FUNC(SSL_F_SSL3_GET_FINISHED), "SSL3_GET_FINISHED"},
156{ERR_FUNC(SSL_F_SSL3_GET_KEY_EXCHANGE), "SSL3_GET_KEY_EXCHANGE"},
157{ERR_FUNC(SSL_F_SSL3_GET_MESSAGE), "SSL3_GET_MESSAGE"},
158{ERR_FUNC(SSL_F_SSL3_GET_NEW_SESSION_TICKET), "SSL3_GET_NEW_SESSION_TICKET"},
159{ERR_FUNC(SSL_F_SSL3_GET_RECORD), "SSL3_GET_RECORD"},
160{ERR_FUNC(SSL_F_SSL3_GET_SERVER_CERTIFICATE), "SSL3_GET_SERVER_CERTIFICATE"},
161{ERR_FUNC(SSL_F_SSL3_GET_SERVER_DONE), "SSL3_GET_SERVER_DONE"},
162{ERR_FUNC(SSL_F_SSL3_GET_SERVER_HELLO), "SSL3_GET_SERVER_HELLO"},
163{ERR_FUNC(SSL_F_SSL3_HANDSHAKE_MAC), "ssl3_handshake_mac"},
164{ERR_FUNC(SSL_F_SSL3_NEW_SESSION_TICKET), "SSL3_NEW_SESSION_TICKET"},
165{ERR_FUNC(SSL_F_SSL3_OUTPUT_CERT_CHAIN), "SSL3_OUTPUT_CERT_CHAIN"},
166{ERR_FUNC(SSL_F_SSL3_PEEK), "SSL3_PEEK"},
167{ERR_FUNC(SSL_F_SSL3_READ_BYTES), "SSL3_READ_BYTES"},
168{ERR_FUNC(SSL_F_SSL3_READ_N), "SSL3_READ_N"},
169{ERR_FUNC(SSL_F_SSL3_SEND_CERTIFICATE_REQUEST), "SSL3_SEND_CERTIFICATE_REQUEST"},
170{ERR_FUNC(SSL_F_SSL3_SEND_CLIENT_CERTIFICATE), "SSL3_SEND_CLIENT_CERTIFICATE"},
171{ERR_FUNC(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE), "SSL3_SEND_CLIENT_KEY_EXCHANGE"},
172{ERR_FUNC(SSL_F_SSL3_SEND_CLIENT_VERIFY), "SSL3_SEND_CLIENT_VERIFY"},
173{ERR_FUNC(SSL_F_SSL3_SEND_SERVER_CERTIFICATE), "SSL3_SEND_SERVER_CERTIFICATE"},
174{ERR_FUNC(SSL_F_SSL3_SEND_SERVER_HELLO), "SSL3_SEND_SERVER_HELLO"},
175{ERR_FUNC(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE), "SSL3_SEND_SERVER_KEY_EXCHANGE"},
176{ERR_FUNC(SSL_F_SSL3_SETUP_KEY_BLOCK), "SSL3_SETUP_KEY_BLOCK"},
177{ERR_FUNC(SSL_F_SSL3_SETUP_READ_BUFFER), "SSL3_SETUP_READ_BUFFER"},
178{ERR_FUNC(SSL_F_SSL3_SETUP_WRITE_BUFFER), "SSL3_SETUP_WRITE_BUFFER"},
179{ERR_FUNC(SSL_F_SSL3_WRITE_BYTES), "SSL3_WRITE_BYTES"},
180{ERR_FUNC(SSL_F_SSL3_WRITE_PENDING), "SSL3_WRITE_PENDING"},
181{ERR_FUNC(SSL_F_SSL_ADD_CLIENTHELLO_RENEGOTIATE_EXT), "SSL_ADD_CLIENTHELLO_RENEGOTIATE_EXT"},
182{ERR_FUNC(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT), "SSL_ADD_CLIENTHELLO_TLSEXT"},
183{ERR_FUNC(SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK), "SSL_add_dir_cert_subjects_to_stack"},
184{ERR_FUNC(SSL_F_SSL_ADD_FILE_CERT_SUBJECTS_TO_STACK), "SSL_add_file_cert_subjects_to_stack"},
185{ERR_FUNC(SSL_F_SSL_ADD_SERVERHELLO_RENEGOTIATE_EXT), "SSL_ADD_SERVERHELLO_RENEGOTIATE_EXT"},
186{ERR_FUNC(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT), "SSL_ADD_SERVERHELLO_TLSEXT"},
187{ERR_FUNC(SSL_F_SSL_BAD_METHOD), "SSL_BAD_METHOD"},
188{ERR_FUNC(SSL_F_SSL_BYTES_TO_CIPHER_LIST), "SSL_BYTES_TO_CIPHER_LIST"},
189{ERR_FUNC(SSL_F_SSL_CERT_DUP), "SSL_CERT_DUP"},
190{ERR_FUNC(SSL_F_SSL_CERT_INST), "SSL_CERT_INST"},
191{ERR_FUNC(SSL_F_SSL_CERT_INSTANTIATE), "SSL_CERT_INSTANTIATE"},
192{ERR_FUNC(SSL_F_SSL_CERT_NEW), "SSL_CERT_NEW"},
193{ERR_FUNC(SSL_F_SSL_CHECK_PRIVATE_KEY), "SSL_check_private_key"},
194{ERR_FUNC(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT), "SSL_CHECK_SERVERHELLO_TLSEXT"},
195{ERR_FUNC(SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG), "SSL_CHECK_SRVR_ECC_CERT_AND_ALG"},
196{ERR_FUNC(SSL_F_SSL_CIPHER_PROCESS_RULESTR), "SSL_CIPHER_PROCESS_RULESTR"},
197{ERR_FUNC(SSL_F_SSL_CIPHER_STRENGTH_SORT), "SSL_CIPHER_STRENGTH_SORT"},
198{ERR_FUNC(SSL_F_SSL_CLEAR), "SSL_clear"},
199{ERR_FUNC(SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD), "SSL_COMP_add_compression_method"},
200{ERR_FUNC(SSL_F_SSL_CREATE_CIPHER_LIST), "SSL_CREATE_CIPHER_LIST"},
201{ERR_FUNC(SSL_F_SSL_CTRL), "SSL_ctrl"},
202{ERR_FUNC(SSL_F_SSL_CTX_CHECK_PRIVATE_KEY), "SSL_CTX_check_private_key"},
203{ERR_FUNC(SSL_F_SSL_CTX_NEW), "SSL_CTX_new"},
204{ERR_FUNC(SSL_F_SSL_CTX_SET_CIPHER_LIST), "SSL_CTX_set_cipher_list"},
205{ERR_FUNC(SSL_F_SSL_CTX_SET_CLIENT_CERT_ENGINE), "SSL_CTX_set_client_cert_engine"},
206{ERR_FUNC(SSL_F_SSL_CTX_SET_PURPOSE), "SSL_CTX_set_purpose"},
207{ERR_FUNC(SSL_F_SSL_CTX_SET_SESSION_ID_CONTEXT), "SSL_CTX_set_session_id_context"},
208{ERR_FUNC(SSL_F_SSL_CTX_SET_SSL_VERSION), "SSL_CTX_set_ssl_version"},
209{ERR_FUNC(SSL_F_SSL_CTX_SET_TRUST), "SSL_CTX_set_trust"},
210{ERR_FUNC(SSL_F_SSL_CTX_USE_CERTIFICATE), "SSL_CTX_use_certificate"},
211{ERR_FUNC(SSL_F_SSL_CTX_USE_CERTIFICATE_ASN1), "SSL_CTX_use_certificate_ASN1"},
212{ERR_FUNC(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE), "SSL_CTX_use_certificate_chain_file"},
213{ERR_FUNC(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE), "SSL_CTX_use_certificate_file"},
214{ERR_FUNC(SSL_F_SSL_CTX_USE_PRIVATEKEY), "SSL_CTX_use_PrivateKey"},
215{ERR_FUNC(SSL_F_SSL_CTX_USE_PRIVATEKEY_ASN1), "SSL_CTX_use_PrivateKey_ASN1"},
216{ERR_FUNC(SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE), "SSL_CTX_use_PrivateKey_file"},
217{ERR_FUNC(SSL_F_SSL_CTX_USE_PSK_IDENTITY_HINT), "SSL_CTX_use_psk_identity_hint"},
218{ERR_FUNC(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY), "SSL_CTX_use_RSAPrivateKey"},
219{ERR_FUNC(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_ASN1), "SSL_CTX_use_RSAPrivateKey_ASN1"},
220{ERR_FUNC(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE), "SSL_CTX_use_RSAPrivateKey_file"},
221{ERR_FUNC(SSL_F_SSL_DO_HANDSHAKE), "SSL_do_handshake"},
222{ERR_FUNC(SSL_F_SSL_GET_NEW_SESSION), "SSL_GET_NEW_SESSION"},
223{ERR_FUNC(SSL_F_SSL_GET_PREV_SESSION), "SSL_GET_PREV_SESSION"},
224{ERR_FUNC(SSL_F_SSL_GET_SERVER_SEND_CERT), "SSL_GET_SERVER_SEND_CERT"},
225{ERR_FUNC(SSL_F_SSL_GET_SIGN_PKEY), "SSL_GET_SIGN_PKEY"},
226{ERR_FUNC(SSL_F_SSL_INIT_WBIO_BUFFER), "SSL_INIT_WBIO_BUFFER"},
227{ERR_FUNC(SSL_F_SSL_LOAD_CLIENT_CA_FILE), "SSL_load_client_CA_file"},
228{ERR_FUNC(SSL_F_SSL_NEW), "SSL_new"},
229{ERR_FUNC(SSL_F_SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT), "SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT"},
230{ERR_FUNC(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT), "SSL_PARSE_CLIENTHELLO_TLSEXT"},
231{ERR_FUNC(SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT), "SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT"},
232{ERR_FUNC(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT), "SSL_PARSE_SERVERHELLO_TLSEXT"},
233{ERR_FUNC(SSL_F_SSL_PEEK), "SSL_peek"},
234{ERR_FUNC(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT), "SSL_PREPARE_CLIENTHELLO_TLSEXT"},
235{ERR_FUNC(SSL_F_SSL_PREPARE_SERVERHELLO_TLSEXT), "SSL_PREPARE_SERVERHELLO_TLSEXT"},
236{ERR_FUNC(SSL_F_SSL_READ), "SSL_read"},
237{ERR_FUNC(SSL_F_SSL_RSA_PRIVATE_DECRYPT), "SSL_RSA_PRIVATE_DECRYPT"},
238{ERR_FUNC(SSL_F_SSL_RSA_PUBLIC_ENCRYPT), "SSL_RSA_PUBLIC_ENCRYPT"},
239{ERR_FUNC(SSL_F_SSL_SESSION_NEW), "SSL_SESSION_new"},
240{ERR_FUNC(SSL_F_SSL_SESSION_PRINT_FP), "SSL_SESSION_print_fp"},
241{ERR_FUNC(SSL_F_SSL_SESS_CERT_NEW), "SSL_SESS_CERT_NEW"},
242{ERR_FUNC(SSL_F_SSL_SET_CERT), "SSL_SET_CERT"},
243{ERR_FUNC(SSL_F_SSL_SET_CIPHER_LIST), "SSL_set_cipher_list"},
244{ERR_FUNC(SSL_F_SSL_SET_FD), "SSL_set_fd"},
245{ERR_FUNC(SSL_F_SSL_SET_PKEY), "SSL_SET_PKEY"},
246{ERR_FUNC(SSL_F_SSL_SET_PURPOSE), "SSL_set_purpose"},
247{ERR_FUNC(SSL_F_SSL_SET_RFD), "SSL_set_rfd"},
248{ERR_FUNC(SSL_F_SSL_SET_SESSION), "SSL_set_session"},
249{ERR_FUNC(SSL_F_SSL_SET_SESSION_ID_CONTEXT), "SSL_set_session_id_context"},
250{ERR_FUNC(SSL_F_SSL_SET_SESSION_TICKET_EXT), "SSL_set_session_ticket_ext"},
251{ERR_FUNC(SSL_F_SSL_SET_TRUST), "SSL_set_trust"},
252{ERR_FUNC(SSL_F_SSL_SET_WFD), "SSL_set_wfd"},
253{ERR_FUNC(SSL_F_SSL_SHUTDOWN), "SSL_shutdown"},
254{ERR_FUNC(SSL_F_SSL_UNDEFINED_CONST_FUNCTION), "SSL_UNDEFINED_CONST_FUNCTION"},
255{ERR_FUNC(SSL_F_SSL_UNDEFINED_FUNCTION), "SSL_UNDEFINED_FUNCTION"},
256{ERR_FUNC(SSL_F_SSL_UNDEFINED_VOID_FUNCTION), "SSL_UNDEFINED_VOID_FUNCTION"},
257{ERR_FUNC(SSL_F_SSL_USE_CERTIFICATE), "SSL_use_certificate"},
258{ERR_FUNC(SSL_F_SSL_USE_CERTIFICATE_ASN1), "SSL_use_certificate_ASN1"},
259{ERR_FUNC(SSL_F_SSL_USE_CERTIFICATE_FILE), "SSL_use_certificate_file"},
260{ERR_FUNC(SSL_F_SSL_USE_PRIVATEKEY), "SSL_use_PrivateKey"},
261{ERR_FUNC(SSL_F_SSL_USE_PRIVATEKEY_ASN1), "SSL_use_PrivateKey_ASN1"},
262{ERR_FUNC(SSL_F_SSL_USE_PRIVATEKEY_FILE), "SSL_use_PrivateKey_file"},
263{ERR_FUNC(SSL_F_SSL_USE_PSK_IDENTITY_HINT), "SSL_use_psk_identity_hint"},
264{ERR_FUNC(SSL_F_SSL_USE_RSAPRIVATEKEY), "SSL_use_RSAPrivateKey"},
265{ERR_FUNC(SSL_F_SSL_USE_RSAPRIVATEKEY_ASN1), "SSL_use_RSAPrivateKey_ASN1"},
266{ERR_FUNC(SSL_F_SSL_USE_RSAPRIVATEKEY_FILE), "SSL_use_RSAPrivateKey_file"},
267{ERR_FUNC(SSL_F_SSL_VERIFY_CERT_CHAIN), "SSL_VERIFY_CERT_CHAIN"},
268{ERR_FUNC(SSL_F_SSL_WRITE), "SSL_write"},
269{ERR_FUNC(SSL_F_TLS1_CERT_VERIFY_MAC), "tls1_cert_verify_mac"},
270{ERR_FUNC(SSL_F_TLS1_CHANGE_CIPHER_STATE), "TLS1_CHANGE_CIPHER_STATE"},
271{ERR_FUNC(SSL_F_TLS1_CHECK_SERVERHELLO_TLSEXT), "TLS1_CHECK_SERVERHELLO_TLSEXT"},
272{ERR_FUNC(SSL_F_TLS1_ENC), "TLS1_ENC"},
273{ERR_FUNC(SSL_F_TLS1_PREPARE_CLIENTHELLO_TLSEXT), "TLS1_PREPARE_CLIENTHELLO_TLSEXT"},
274{ERR_FUNC(SSL_F_TLS1_PREPARE_SERVERHELLO_TLSEXT), "TLS1_PREPARE_SERVERHELLO_TLSEXT"},
275{ERR_FUNC(SSL_F_TLS1_PRF), "tls1_prf"},
276{ERR_FUNC(SSL_F_TLS1_SETUP_KEY_BLOCK), "TLS1_SETUP_KEY_BLOCK"},
277{ERR_FUNC(SSL_F_WRITE_PENDING), "WRITE_PENDING"},
278{0,NULL}
279 };
280
281static ERR_STRING_DATA SSL_str_reasons[]=
282 {
283{ERR_REASON(SSL_R_APP_DATA_IN_HANDSHAKE) ,"app data in handshake"},
284{ERR_REASON(SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT),"attempt to reuse session in different context"},
285{ERR_REASON(SSL_R_BAD_ALERT_RECORD) ,"bad alert record"},
286{ERR_REASON(SSL_R_BAD_AUTHENTICATION_TYPE),"bad authentication type"},
287{ERR_REASON(SSL_R_BAD_CHANGE_CIPHER_SPEC),"bad change cipher spec"},
288{ERR_REASON(SSL_R_BAD_CHECKSUM) ,"bad checksum"},
289{ERR_REASON(SSL_R_BAD_DATA_RETURNED_BY_CALLBACK),"bad data returned by callback"},
290{ERR_REASON(SSL_R_BAD_DECOMPRESSION) ,"bad decompression"},
291{ERR_REASON(SSL_R_BAD_DH_G_LENGTH) ,"bad dh g length"},
292{ERR_REASON(SSL_R_BAD_DH_PUB_KEY_LENGTH) ,"bad dh pub key length"},
293{ERR_REASON(SSL_R_BAD_DH_P_LENGTH) ,"bad dh p length"},
294{ERR_REASON(SSL_R_BAD_DIGEST_LENGTH) ,"bad digest length"},
295{ERR_REASON(SSL_R_BAD_DSA_SIGNATURE) ,"bad dsa signature"},
296{ERR_REASON(SSL_R_BAD_ECC_CERT) ,"bad ecc cert"},
297{ERR_REASON(SSL_R_BAD_ECDSA_SIGNATURE) ,"bad ecdsa signature"},
298{ERR_REASON(SSL_R_BAD_ECPOINT) ,"bad ecpoint"},
299{ERR_REASON(SSL_R_BAD_HANDSHAKE_LENGTH) ,"bad handshake length"},
300{ERR_REASON(SSL_R_BAD_HELLO_REQUEST) ,"bad hello request"},
301{ERR_REASON(SSL_R_BAD_LENGTH) ,"bad length"},
302{ERR_REASON(SSL_R_BAD_MAC_DECODE) ,"bad mac decode"},
303{ERR_REASON(SSL_R_BAD_MAC_LENGTH) ,"bad mac length"},
304{ERR_REASON(SSL_R_BAD_MESSAGE_TYPE) ,"bad message type"},
305{ERR_REASON(SSL_R_BAD_PACKET_LENGTH) ,"bad packet length"},
306{ERR_REASON(SSL_R_BAD_PROTOCOL_VERSION_NUMBER),"bad protocol version number"},
307{ERR_REASON(SSL_R_BAD_PSK_IDENTITY_HINT_LENGTH),"bad psk identity hint length"},
308{ERR_REASON(SSL_R_BAD_RESPONSE_ARGUMENT) ,"bad response argument"},
309{ERR_REASON(SSL_R_BAD_RSA_DECRYPT) ,"bad rsa decrypt"},
310{ERR_REASON(SSL_R_BAD_RSA_ENCRYPT) ,"bad rsa encrypt"},
311{ERR_REASON(SSL_R_BAD_RSA_E_LENGTH) ,"bad rsa e length"},
312{ERR_REASON(SSL_R_BAD_RSA_MODULUS_LENGTH),"bad rsa modulus length"},
313{ERR_REASON(SSL_R_BAD_RSA_SIGNATURE) ,"bad rsa signature"},
314{ERR_REASON(SSL_R_BAD_SIGNATURE) ,"bad signature"},
315{ERR_REASON(SSL_R_BAD_SSL_FILETYPE) ,"bad ssl filetype"},
316{ERR_REASON(SSL_R_BAD_SSL_SESSION_ID_LENGTH),"bad ssl session id length"},
317{ERR_REASON(SSL_R_BAD_STATE) ,"bad state"},
318{ERR_REASON(SSL_R_BAD_WRITE_RETRY) ,"bad write retry"},
319{ERR_REASON(SSL_R_BIO_NOT_SET) ,"bio not set"},
320{ERR_REASON(SSL_R_BLOCK_CIPHER_PAD_IS_WRONG),"block cipher pad is wrong"},
321{ERR_REASON(SSL_R_BN_LIB) ,"bn lib"},
322{ERR_REASON(SSL_R_CA_DN_LENGTH_MISMATCH) ,"ca dn length mismatch"},
323{ERR_REASON(SSL_R_CA_DN_TOO_LONG) ,"ca dn too long"},
324{ERR_REASON(SSL_R_CCS_RECEIVED_EARLY) ,"ccs received early"},
325{ERR_REASON(SSL_R_CERTIFICATE_VERIFY_FAILED),"certificate verify failed"},
326{ERR_REASON(SSL_R_CERT_LENGTH_MISMATCH) ,"cert length mismatch"},
327{ERR_REASON(SSL_R_CHALLENGE_IS_DIFFERENT),"challenge is different"},
328{ERR_REASON(SSL_R_CIPHER_CODE_WRONG_LENGTH),"cipher code wrong length"},
329{ERR_REASON(SSL_R_CIPHER_OR_HASH_UNAVAILABLE),"cipher or hash unavailable"},
330{ERR_REASON(SSL_R_CIPHER_TABLE_SRC_ERROR),"cipher table src error"},
331{ERR_REASON(SSL_R_CLIENTHELLO_TLSEXT) ,"clienthello tlsext"},
332{ERR_REASON(SSL_R_COMPRESSED_LENGTH_TOO_LONG),"compressed length too long"},
333{ERR_REASON(SSL_R_COMPRESSION_DISABLED) ,"compression disabled"},
334{ERR_REASON(SSL_R_COMPRESSION_FAILURE) ,"compression failure"},
335{ERR_REASON(SSL_R_COMPRESSION_ID_NOT_WITHIN_PRIVATE_RANGE),"compression id not within private range"},
336{ERR_REASON(SSL_R_COMPRESSION_LIBRARY_ERROR),"compression library error"},
337{ERR_REASON(SSL_R_CONNECTION_ID_IS_DIFFERENT),"connection id is different"},
338{ERR_REASON(SSL_R_CONNECTION_TYPE_NOT_SET),"connection type not set"},
339{ERR_REASON(SSL_R_COOKIE_MISMATCH) ,"cookie mismatch"},
340{ERR_REASON(SSL_R_DATA_BETWEEN_CCS_AND_FINISHED),"data between ccs and finished"},
341{ERR_REASON(SSL_R_DATA_LENGTH_TOO_LONG) ,"data length too long"},
342{ERR_REASON(SSL_R_DECRYPTION_FAILED) ,"decryption failed"},
343{ERR_REASON(SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC),"decryption failed or bad record mac"},
344{ERR_REASON(SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG),"dh public value length is wrong"},
345{ERR_REASON(SSL_R_DIGEST_CHECK_FAILED) ,"digest check failed"},
346{ERR_REASON(SSL_R_DTLS_MESSAGE_TOO_BIG) ,"dtls message too big"},
347{ERR_REASON(SSL_R_DUPLICATE_COMPRESSION_ID),"duplicate compression id"},
348{ERR_REASON(SSL_R_ECC_CERT_NOT_FOR_KEY_AGREEMENT),"ecc cert not for key agreement"},
349{ERR_REASON(SSL_R_ECC_CERT_NOT_FOR_SIGNING),"ecc cert not for signing"},
350{ERR_REASON(SSL_R_ECC_CERT_SHOULD_HAVE_RSA_SIGNATURE),"ecc cert should have rsa signature"},
351{ERR_REASON(SSL_R_ECC_CERT_SHOULD_HAVE_SHA1_SIGNATURE),"ecc cert should have sha1 signature"},
352{ERR_REASON(SSL_R_ECGROUP_TOO_LARGE_FOR_CIPHER),"ecgroup too large for cipher"},
353{ERR_REASON(SSL_R_ENCRYPTED_LENGTH_TOO_LONG),"encrypted length too long"},
354{ERR_REASON(SSL_R_ERROR_GENERATING_TMP_RSA_KEY),"error generating tmp rsa key"},
355{ERR_REASON(SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST),"error in received cipher list"},
356{ERR_REASON(SSL_R_EXCESSIVE_MESSAGE_SIZE),"excessive message size"},
357{ERR_REASON(SSL_R_EXTRA_DATA_IN_MESSAGE) ,"extra data in message"},
358{ERR_REASON(SSL_R_GOT_A_FIN_BEFORE_A_CCS),"got a fin before a ccs"},
359{ERR_REASON(SSL_R_HTTPS_PROXY_REQUEST) ,"https proxy request"},
360{ERR_REASON(SSL_R_HTTP_REQUEST) ,"http request"},
361{ERR_REASON(SSL_R_ILLEGAL_PADDING) ,"illegal padding"},
362{ERR_REASON(SSL_R_INCONSISTENT_COMPRESSION),"inconsistent compression"},
363{ERR_REASON(SSL_R_INVALID_CHALLENGE_LENGTH),"invalid challenge length"},
364{ERR_REASON(SSL_R_INVALID_COMMAND) ,"invalid command"},
365{ERR_REASON(SSL_R_INVALID_COMPRESSION_ALGORITHM),"invalid compression algorithm"},
366{ERR_REASON(SSL_R_INVALID_PURPOSE) ,"invalid purpose"},
367{ERR_REASON(SSL_R_INVALID_STATUS_RESPONSE),"invalid status response"},
368{ERR_REASON(SSL_R_INVALID_TICKET_KEYS_LENGTH),"invalid ticket keys length"},
369{ERR_REASON(SSL_R_INVALID_TRUST) ,"invalid trust"},
370{ERR_REASON(SSL_R_KEY_ARG_TOO_LONG) ,"key arg too long"},
371{ERR_REASON(SSL_R_KRB5) ,"krb5"},
372{ERR_REASON(SSL_R_KRB5_C_CC_PRINC) ,"krb5 client cc principal (no tkt?)"},
373{ERR_REASON(SSL_R_KRB5_C_GET_CRED) ,"krb5 client get cred"},
374{ERR_REASON(SSL_R_KRB5_C_INIT) ,"krb5 client init"},
375{ERR_REASON(SSL_R_KRB5_C_MK_REQ) ,"krb5 client mk_req (expired tkt?)"},
376{ERR_REASON(SSL_R_KRB5_S_BAD_TICKET) ,"krb5 server bad ticket"},
377{ERR_REASON(SSL_R_KRB5_S_INIT) ,"krb5 server init"},
378{ERR_REASON(SSL_R_KRB5_S_RD_REQ) ,"krb5 server rd_req (keytab perms?)"},
379{ERR_REASON(SSL_R_KRB5_S_TKT_EXPIRED) ,"krb5 server tkt expired"},
380{ERR_REASON(SSL_R_KRB5_S_TKT_NYV) ,"krb5 server tkt not yet valid"},
381{ERR_REASON(SSL_R_KRB5_S_TKT_SKEW) ,"krb5 server tkt skew"},
382{ERR_REASON(SSL_R_LENGTH_MISMATCH) ,"length mismatch"},
383{ERR_REASON(SSL_R_LENGTH_TOO_SHORT) ,"length too short"},
384{ERR_REASON(SSL_R_LIBRARY_BUG) ,"library bug"},
385{ERR_REASON(SSL_R_LIBRARY_HAS_NO_CIPHERS),"library has no ciphers"},
386{ERR_REASON(SSL_R_MESSAGE_TOO_LONG) ,"message too long"},
387{ERR_REASON(SSL_R_MISSING_DH_DSA_CERT) ,"missing dh dsa cert"},
388{ERR_REASON(SSL_R_MISSING_DH_KEY) ,"missing dh key"},
389{ERR_REASON(SSL_R_MISSING_DH_RSA_CERT) ,"missing dh rsa cert"},
390{ERR_REASON(SSL_R_MISSING_DSA_SIGNING_CERT),"missing dsa signing cert"},
391{ERR_REASON(SSL_R_MISSING_EXPORT_TMP_DH_KEY),"missing export tmp dh key"},
392{ERR_REASON(SSL_R_MISSING_EXPORT_TMP_RSA_KEY),"missing export tmp rsa key"},
393{ERR_REASON(SSL_R_MISSING_RSA_CERTIFICATE),"missing rsa certificate"},
394{ERR_REASON(SSL_R_MISSING_RSA_ENCRYPTING_CERT),"missing rsa encrypting cert"},
395{ERR_REASON(SSL_R_MISSING_RSA_SIGNING_CERT),"missing rsa signing cert"},
396{ERR_REASON(SSL_R_MISSING_TMP_DH_KEY) ,"missing tmp dh key"},
397{ERR_REASON(SSL_R_MISSING_TMP_ECDH_KEY) ,"missing tmp ecdh key"},
398{ERR_REASON(SSL_R_MISSING_TMP_RSA_KEY) ,"missing tmp rsa key"},
399{ERR_REASON(SSL_R_MISSING_TMP_RSA_PKEY) ,"missing tmp rsa pkey"},
400{ERR_REASON(SSL_R_MISSING_VERIFY_MESSAGE),"missing verify message"},
401{ERR_REASON(SSL_R_MULTIPLE_SGC_RESTARTS) ,"multiple sgc restarts"},
402{ERR_REASON(SSL_R_NON_SSLV2_INITIAL_PACKET),"non sslv2 initial packet"},
403{ERR_REASON(SSL_R_NO_CERTIFICATES_RETURNED),"no certificates returned"},
404{ERR_REASON(SSL_R_NO_CERTIFICATE_ASSIGNED),"no certificate assigned"},
405{ERR_REASON(SSL_R_NO_CERTIFICATE_RETURNED),"no certificate returned"},
406{ERR_REASON(SSL_R_NO_CERTIFICATE_SET) ,"no certificate set"},
407{ERR_REASON(SSL_R_NO_CERTIFICATE_SPECIFIED),"no certificate specified"},
408{ERR_REASON(SSL_R_NO_CIPHERS_AVAILABLE) ,"no ciphers available"},
409{ERR_REASON(SSL_R_NO_CIPHERS_PASSED) ,"no ciphers passed"},
410{ERR_REASON(SSL_R_NO_CIPHERS_SPECIFIED) ,"no ciphers specified"},
411{ERR_REASON(SSL_R_NO_CIPHER_LIST) ,"no cipher list"},
412{ERR_REASON(SSL_R_NO_CIPHER_MATCH) ,"no cipher match"},
413{ERR_REASON(SSL_R_NO_CLIENT_CERT_METHOD) ,"no client cert method"},
414{ERR_REASON(SSL_R_NO_CLIENT_CERT_RECEIVED),"no client cert received"},
415{ERR_REASON(SSL_R_NO_COMPRESSION_SPECIFIED),"no compression specified"},
416{ERR_REASON(SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER),"Peer haven't sent GOST certificate, required for selected ciphersuite"},
417{ERR_REASON(SSL_R_NO_METHOD_SPECIFIED) ,"no method specified"},
418{ERR_REASON(SSL_R_NO_PRIVATEKEY) ,"no privatekey"},
419{ERR_REASON(SSL_R_NO_PRIVATE_KEY_ASSIGNED),"no private key assigned"},
420{ERR_REASON(SSL_R_NO_PROTOCOLS_AVAILABLE),"no protocols available"},
421{ERR_REASON(SSL_R_NO_PUBLICKEY) ,"no publickey"},
422{ERR_REASON(SSL_R_NO_RENEGOTIATION) ,"no renegotiation"},
423{ERR_REASON(SSL_R_NO_REQUIRED_DIGEST) ,"digest requred for handshake isn't computed"},
424{ERR_REASON(SSL_R_NO_SHARED_CIPHER) ,"no shared cipher"},
425{ERR_REASON(SSL_R_NO_VERIFY_CALLBACK) ,"no verify callback"},
426{ERR_REASON(SSL_R_NULL_SSL_CTX) ,"null ssl ctx"},
427{ERR_REASON(SSL_R_NULL_SSL_METHOD_PASSED),"null ssl method passed"},
428{ERR_REASON(SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED),"old session cipher not returned"},
429{ERR_REASON(SSL_R_OLD_SESSION_COMPRESSION_ALGORITHM_NOT_RETURNED),"old session compression algorithm not returned"},
430{ERR_REASON(SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE),"only tls allowed in fips mode"},
431{ERR_REASON(SSL_R_OPAQUE_PRF_INPUT_TOO_LONG),"opaque PRF input too long"},
432{ERR_REASON(SSL_R_PACKET_LENGTH_TOO_LONG),"packet length too long"},
433{ERR_REASON(SSL_R_PARSE_TLSEXT) ,"parse tlsext"},
434{ERR_REASON(SSL_R_PATH_TOO_LONG) ,"path too long"},
435{ERR_REASON(SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE),"peer did not return a certificate"},
436{ERR_REASON(SSL_R_PEER_ERROR) ,"peer error"},
437{ERR_REASON(SSL_R_PEER_ERROR_CERTIFICATE),"peer error certificate"},
438{ERR_REASON(SSL_R_PEER_ERROR_NO_CERTIFICATE),"peer error no certificate"},
439{ERR_REASON(SSL_R_PEER_ERROR_NO_CIPHER) ,"peer error no cipher"},
440{ERR_REASON(SSL_R_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE),"peer error unsupported certificate type"},
441{ERR_REASON(SSL_R_PRE_MAC_LENGTH_TOO_LONG),"pre mac length too long"},
442{ERR_REASON(SSL_R_PROBLEMS_MAPPING_CIPHER_FUNCTIONS),"problems mapping cipher functions"},
443{ERR_REASON(SSL_R_PROTOCOL_IS_SHUTDOWN) ,"protocol is shutdown"},
444{ERR_REASON(SSL_R_PSK_IDENTITY_NOT_FOUND),"psk identity not found"},
445{ERR_REASON(SSL_R_PSK_NO_CLIENT_CB) ,"psk no client cb"},
446{ERR_REASON(SSL_R_PSK_NO_SERVER_CB) ,"psk no server cb"},
447{ERR_REASON(SSL_R_PUBLIC_KEY_ENCRYPT_ERROR),"public key encrypt error"},
448{ERR_REASON(SSL_R_PUBLIC_KEY_IS_NOT_RSA) ,"public key is not rsa"},
449{ERR_REASON(SSL_R_PUBLIC_KEY_NOT_RSA) ,"public key not rsa"},
450{ERR_REASON(SSL_R_READ_BIO_NOT_SET) ,"read bio not set"},
451{ERR_REASON(SSL_R_READ_TIMEOUT_EXPIRED) ,"read timeout expired"},
452{ERR_REASON(SSL_R_READ_WRONG_PACKET_TYPE),"read wrong packet type"},
453{ERR_REASON(SSL_R_RECORD_LENGTH_MISMATCH),"record length mismatch"},
454{ERR_REASON(SSL_R_RECORD_TOO_LARGE) ,"record too large"},
455{ERR_REASON(SSL_R_RECORD_TOO_SMALL) ,"record too small"},
456{ERR_REASON(SSL_R_RENEGOTIATE_EXT_TOO_LONG),"renegotiate ext too long"},
457{ERR_REASON(SSL_R_RENEGOTIATION_ENCODING_ERR),"renegotiation encoding err"},
458{ERR_REASON(SSL_R_RENEGOTIATION_MISMATCH),"renegotiation mismatch"},
459{ERR_REASON(SSL_R_REQUIRED_CIPHER_MISSING),"required cipher missing"},
460{ERR_REASON(SSL_R_REQUIRED_COMPRESSSION_ALGORITHM_MISSING),"required compresssion algorithm missing"},
461{ERR_REASON(SSL_R_REUSE_CERT_LENGTH_NOT_ZERO),"reuse cert length not zero"},
462{ERR_REASON(SSL_R_REUSE_CERT_TYPE_NOT_ZERO),"reuse cert type not zero"},
463{ERR_REASON(SSL_R_REUSE_CIPHER_LIST_NOT_ZERO),"reuse cipher list not zero"},
464{ERR_REASON(SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING),"scsv received when renegotiating"},
465{ERR_REASON(SSL_R_SERVERHELLO_TLSEXT) ,"serverhello tlsext"},
466{ERR_REASON(SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED),"session id context uninitialized"},
467{ERR_REASON(SSL_R_SHORT_READ) ,"short read"},
468{ERR_REASON(SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE),"signature for non signing certificate"},
469{ERR_REASON(SSL_R_SSL23_DOING_SESSION_ID_REUSE),"ssl23 doing session id reuse"},
470{ERR_REASON(SSL_R_SSL2_CONNECTION_ID_TOO_LONG),"ssl2 connection id too long"},
471{ERR_REASON(SSL_R_SSL3_EXT_INVALID_ECPOINTFORMAT),"ssl3 ext invalid ecpointformat"},
472{ERR_REASON(SSL_R_SSL3_EXT_INVALID_SERVERNAME),"ssl3 ext invalid servername"},
473{ERR_REASON(SSL_R_SSL3_EXT_INVALID_SERVERNAME_TYPE),"ssl3 ext invalid servername type"},
474{ERR_REASON(SSL_R_SSL3_SESSION_ID_TOO_LONG),"ssl3 session id too long"},
475{ERR_REASON(SSL_R_SSL3_SESSION_ID_TOO_SHORT),"ssl3 session id too short"},
476{ERR_REASON(SSL_R_SSLV3_ALERT_BAD_CERTIFICATE),"sslv3 alert bad certificate"},
477{ERR_REASON(SSL_R_SSLV3_ALERT_BAD_RECORD_MAC),"sslv3 alert bad record mac"},
478{ERR_REASON(SSL_R_SSLV3_ALERT_CERTIFICATE_EXPIRED),"sslv3 alert certificate expired"},
479{ERR_REASON(SSL_R_SSLV3_ALERT_CERTIFICATE_REVOKED),"sslv3 alert certificate revoked"},
480{ERR_REASON(SSL_R_SSLV3_ALERT_CERTIFICATE_UNKNOWN),"sslv3 alert certificate unknown"},
481{ERR_REASON(SSL_R_SSLV3_ALERT_DECOMPRESSION_FAILURE),"sslv3 alert decompression failure"},
482{ERR_REASON(SSL_R_SSLV3_ALERT_HANDSHAKE_FAILURE),"sslv3 alert handshake failure"},
483{ERR_REASON(SSL_R_SSLV3_ALERT_ILLEGAL_PARAMETER),"sslv3 alert illegal parameter"},
484{ERR_REASON(SSL_R_SSLV3_ALERT_NO_CERTIFICATE),"sslv3 alert no certificate"},
485{ERR_REASON(SSL_R_SSLV3_ALERT_UNEXPECTED_MESSAGE),"sslv3 alert unexpected message"},
486{ERR_REASON(SSL_R_SSLV3_ALERT_UNSUPPORTED_CERTIFICATE),"sslv3 alert unsupported certificate"},
487{ERR_REASON(SSL_R_SSL_CTX_HAS_NO_DEFAULT_SSL_VERSION),"ssl ctx has no default ssl version"},
488{ERR_REASON(SSL_R_SSL_HANDSHAKE_FAILURE) ,"ssl handshake failure"},
489{ERR_REASON(SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS),"ssl library has no ciphers"},
490{ERR_REASON(SSL_R_SSL_SESSION_ID_CALLBACK_FAILED),"ssl session id callback failed"},
491{ERR_REASON(SSL_R_SSL_SESSION_ID_CONFLICT),"ssl session id conflict"},
492{ERR_REASON(SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG),"ssl session id context too long"},
493{ERR_REASON(SSL_R_SSL_SESSION_ID_HAS_BAD_LENGTH),"ssl session id has bad length"},
494{ERR_REASON(SSL_R_SSL_SESSION_ID_IS_DIFFERENT),"ssl session id is different"},
495{ERR_REASON(SSL_R_TLSV1_ALERT_ACCESS_DENIED),"tlsv1 alert access denied"},
496{ERR_REASON(SSL_R_TLSV1_ALERT_DECODE_ERROR),"tlsv1 alert decode error"},
497{ERR_REASON(SSL_R_TLSV1_ALERT_DECRYPTION_FAILED),"tlsv1 alert decryption failed"},
498{ERR_REASON(SSL_R_TLSV1_ALERT_DECRYPT_ERROR),"tlsv1 alert decrypt error"},
499{ERR_REASON(SSL_R_TLSV1_ALERT_EXPORT_RESTRICTION),"tlsv1 alert export restriction"},
500{ERR_REASON(SSL_R_TLSV1_ALERT_INSUFFICIENT_SECURITY),"tlsv1 alert insufficient security"},
501{ERR_REASON(SSL_R_TLSV1_ALERT_INTERNAL_ERROR),"tlsv1 alert internal error"},
502{ERR_REASON(SSL_R_TLSV1_ALERT_NO_RENEGOTIATION),"tlsv1 alert no renegotiation"},
503{ERR_REASON(SSL_R_TLSV1_ALERT_PROTOCOL_VERSION),"tlsv1 alert protocol version"},
504{ERR_REASON(SSL_R_TLSV1_ALERT_RECORD_OVERFLOW),"tlsv1 alert record overflow"},
505{ERR_REASON(SSL_R_TLSV1_ALERT_UNKNOWN_CA),"tlsv1 alert unknown ca"},
506{ERR_REASON(SSL_R_TLSV1_ALERT_USER_CANCELLED),"tlsv1 alert user cancelled"},
507{ERR_REASON(SSL_R_TLSV1_BAD_CERTIFICATE_HASH_VALUE),"tlsv1 bad certificate hash value"},
508{ERR_REASON(SSL_R_TLSV1_BAD_CERTIFICATE_STATUS_RESPONSE),"tlsv1 bad certificate status response"},
509{ERR_REASON(SSL_R_TLSV1_CERTIFICATE_UNOBTAINABLE),"tlsv1 certificate unobtainable"},
510{ERR_REASON(SSL_R_TLSV1_UNRECOGNIZED_NAME),"tlsv1 unrecognized name"},
511{ERR_REASON(SSL_R_TLSV1_UNSUPPORTED_EXTENSION),"tlsv1 unsupported extension"},
512{ERR_REASON(SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER),"tls client cert req with anon cipher"},
513{ERR_REASON(SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST),"tls invalid ecpointformat list"},
514{ERR_REASON(SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST),"tls peer did not respond with certificate list"},
515{ERR_REASON(SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG),"tls rsa encrypted value length is wrong"},
516{ERR_REASON(SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER),"tried to use unsupported cipher"},
517{ERR_REASON(SSL_R_UNABLE_TO_DECODE_DH_CERTS),"unable to decode dh certs"},
518{ERR_REASON(SSL_R_UNABLE_TO_DECODE_ECDH_CERTS),"unable to decode ecdh certs"},
519{ERR_REASON(SSL_R_UNABLE_TO_EXTRACT_PUBLIC_KEY),"unable to extract public key"},
520{ERR_REASON(SSL_R_UNABLE_TO_FIND_DH_PARAMETERS),"unable to find dh parameters"},
521{ERR_REASON(SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS),"unable to find ecdh parameters"},
522{ERR_REASON(SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS),"unable to find public key parameters"},
523{ERR_REASON(SSL_R_UNABLE_TO_FIND_SSL_METHOD),"unable to find ssl method"},
524{ERR_REASON(SSL_R_UNABLE_TO_LOAD_SSL2_MD5_ROUTINES),"unable to load ssl2 md5 routines"},
525{ERR_REASON(SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES),"unable to load ssl3 md5 routines"},
526{ERR_REASON(SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES),"unable to load ssl3 sha1 routines"},
527{ERR_REASON(SSL_R_UNEXPECTED_MESSAGE) ,"unexpected message"},
528{ERR_REASON(SSL_R_UNEXPECTED_RECORD) ,"unexpected record"},
529{ERR_REASON(SSL_R_UNINITIALIZED) ,"uninitialized"},
530{ERR_REASON(SSL_R_UNKNOWN_ALERT_TYPE) ,"unknown alert type"},
531{ERR_REASON(SSL_R_UNKNOWN_CERTIFICATE_TYPE),"unknown certificate type"},
532{ERR_REASON(SSL_R_UNKNOWN_CIPHER_RETURNED),"unknown cipher returned"},
533{ERR_REASON(SSL_R_UNKNOWN_CIPHER_TYPE) ,"unknown cipher type"},
534{ERR_REASON(SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE),"unknown key exchange type"},
535{ERR_REASON(SSL_R_UNKNOWN_PKEY_TYPE) ,"unknown pkey type"},
536{ERR_REASON(SSL_R_UNKNOWN_PROTOCOL) ,"unknown protocol"},
537{ERR_REASON(SSL_R_UNKNOWN_REMOTE_ERROR_TYPE),"unknown remote error type"},
538{ERR_REASON(SSL_R_UNKNOWN_SSL_VERSION) ,"unknown ssl version"},
539{ERR_REASON(SSL_R_UNKNOWN_STATE) ,"unknown state"},
540{ERR_REASON(SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED),"unsafe legacy renegotiation disabled"},
541{ERR_REASON(SSL_R_UNSUPPORTED_CIPHER) ,"unsupported cipher"},
542{ERR_REASON(SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM),"unsupported compression algorithm"},
543{ERR_REASON(SSL_R_UNSUPPORTED_DIGEST_TYPE),"unsupported digest type"},
544{ERR_REASON(SSL_R_UNSUPPORTED_ELLIPTIC_CURVE),"unsupported elliptic curve"},
545{ERR_REASON(SSL_R_UNSUPPORTED_PROTOCOL) ,"unsupported protocol"},
546{ERR_REASON(SSL_R_UNSUPPORTED_SSL_VERSION),"unsupported ssl version"},
547{ERR_REASON(SSL_R_UNSUPPORTED_STATUS_TYPE),"unsupported status type"},
548{ERR_REASON(SSL_R_WRITE_BIO_NOT_SET) ,"write bio not set"},
549{ERR_REASON(SSL_R_WRONG_CIPHER_RETURNED) ,"wrong cipher returned"},
550{ERR_REASON(SSL_R_WRONG_MESSAGE_TYPE) ,"wrong message type"},
551{ERR_REASON(SSL_R_WRONG_NUMBER_OF_KEY_BITS),"wrong number of key bits"},
552{ERR_REASON(SSL_R_WRONG_SIGNATURE_LENGTH),"wrong signature length"},
553{ERR_REASON(SSL_R_WRONG_SIGNATURE_SIZE) ,"wrong signature size"},
554{ERR_REASON(SSL_R_WRONG_SSL_VERSION) ,"wrong ssl version"},
555{ERR_REASON(SSL_R_WRONG_VERSION_NUMBER) ,"wrong version number"},
556{ERR_REASON(SSL_R_X509_LIB) ,"x509 lib"},
557{ERR_REASON(SSL_R_X509_VERIFICATION_SETUP_PROBLEMS),"x509 verification setup problems"},
558{0,NULL}
559 };
560
561#endif
562
563void ERR_load_SSL_strings(void)
564 {
565#ifndef OPENSSL_NO_ERR
566
567 if (ERR_func_error_string(SSL_str_functs[0].error) == NULL)
568 {
569 ERR_load_strings(0,SSL_str_functs);
570 ERR_load_strings(0,SSL_str_reasons);
571 }
572#endif
573 }
diff --git a/src/lib/libssl/ssl_err2.c b/src/lib/libssl/ssl_err2.c
deleted file mode 100644
index ea95a5f983..0000000000
--- a/src/lib/libssl/ssl_err2.c
+++ /dev/null
@@ -1,70 +0,0 @@
1/* ssl/ssl_err2.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#include <stdio.h>
60#include <openssl/err.h>
61#include <openssl/ssl.h>
62
63void SSL_load_error_strings(void)
64 {
65#ifndef OPENSSL_NO_ERR
66 ERR_load_crypto_strings();
67 ERR_load_SSL_strings();
68#endif
69 }
70
diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c
deleted file mode 100644
index 7755476de3..0000000000
--- a/src/lib/libssl/ssl_lib.c
+++ /dev/null
@@ -1,3045 +0,0 @@
1/*! \file ssl/ssl_lib.c
2 * \brief Version independent SSL functions.
3 */
4/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
5 * All rights reserved.
6 *
7 * This package is an SSL implementation written
8 * by Eric Young (eay@cryptsoft.com).
9 * The implementation was written so as to conform with Netscapes SSL.
10 *
11 * This library is free for commercial and non-commercial use as long as
12 * the following conditions are aheared to. The following conditions
13 * apply to all code found in this distribution, be it the RC4, RSA,
14 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
15 * included with this distribution is covered by the same copyright terms
16 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
17 *
18 * Copyright remains Eric Young's, and as such any Copyright notices in
19 * the code are not to be removed.
20 * If this package is used in a product, Eric Young should be given attribution
21 * as the author of the parts of the library used.
22 * This can be in the form of a textual message at program startup or
23 * in documentation (online or textual) provided with the package.
24 *
25 * Redistribution and use in source and binary forms, with or without
26 * modification, are permitted provided that the following conditions
27 * are met:
28 * 1. Redistributions of source code must retain the copyright
29 * notice, this list of conditions and the following disclaimer.
30 * 2. Redistributions in binary form must reproduce the above copyright
31 * notice, this list of conditions and the following disclaimer in the
32 * documentation and/or other materials provided with the distribution.
33 * 3. All advertising materials mentioning features or use of this software
34 * must display the following acknowledgement:
35 * "This product includes cryptographic software written by
36 * Eric Young (eay@cryptsoft.com)"
37 * The word 'cryptographic' can be left out if the rouines from the library
38 * being used are not cryptographic related :-).
39 * 4. If you include any Windows specific code (or a derivative thereof) from
40 * the apps directory (application code) you must include an acknowledgement:
41 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
42 *
43 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
44 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
45 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
46 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
47 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
48 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
49 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
50 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
51 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
52 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
53 * SUCH DAMAGE.
54 *
55 * The licence and distribution terms for any publically available version or
56 * derivative of this code cannot be changed. i.e. this code cannot simply be
57 * copied and put under another distribution licence
58 * [including the GNU Public Licence.]
59 */
60/* ====================================================================
61 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
62 *
63 * Redistribution and use in source and binary forms, with or without
64 * modification, are permitted provided that the following conditions
65 * are met:
66 *
67 * 1. Redistributions of source code must retain the above copyright
68 * notice, this list of conditions and the following disclaimer.
69 *
70 * 2. Redistributions in binary form must reproduce the above copyright
71 * notice, this list of conditions and the following disclaimer in
72 * the documentation and/or other materials provided with the
73 * distribution.
74 *
75 * 3. All advertising materials mentioning features or use of this
76 * software must display the following acknowledgment:
77 * "This product includes software developed by the OpenSSL Project
78 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
79 *
80 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
81 * endorse or promote products derived from this software without
82 * prior written permission. For written permission, please contact
83 * openssl-core@openssl.org.
84 *
85 * 5. Products derived from this software may not be called "OpenSSL"
86 * nor may "OpenSSL" appear in their names without prior written
87 * permission of the OpenSSL Project.
88 *
89 * 6. Redistributions of any form whatsoever must retain the following
90 * acknowledgment:
91 * "This product includes software developed by the OpenSSL Project
92 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
93 *
94 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
95 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
96 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
97 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
98 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
99 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
100 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
101 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
102 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
103 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
104 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
105 * OF THE POSSIBILITY OF SUCH DAMAGE.
106 * ====================================================================
107 *
108 * This product includes cryptographic software written by Eric Young
109 * (eay@cryptsoft.com). This product includes software written by Tim
110 * Hudson (tjh@cryptsoft.com).
111 *
112 */
113/* ====================================================================
114 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
115 * ECC cipher suite support in OpenSSL originally developed by
116 * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
117 */
118/* ====================================================================
119 * Copyright 2005 Nokia. All rights reserved.
120 *
121 * The portions of the attached software ("Contribution") is developed by
122 * Nokia Corporation and is licensed pursuant to the OpenSSL open source
123 * license.
124 *
125 * The Contribution, originally written by Mika Kousa and Pasi Eronen of
126 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
127 * support (see RFC 4279) to OpenSSL.
128 *
129 * No patent licenses or other rights except those expressly stated in
130 * the OpenSSL open source license shall be deemed granted or received
131 * expressly, by implication, estoppel, or otherwise.
132 *
133 * No assurances are provided by Nokia that the Contribution does not
134 * infringe the patent or other intellectual property rights of any third
135 * party or that the license provides you with all the necessary rights
136 * to make use of the Contribution.
137 *
138 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
139 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
140 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
141 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
142 * OTHERWISE.
143 */
144
145#ifdef REF_CHECK
146# include <assert.h>
147#endif
148#include <stdio.h>
149#include "ssl_locl.h"
150#include "kssl_lcl.h"
151#include <openssl/objects.h>
152#include <openssl/lhash.h>
153#include <openssl/x509v3.h>
154#include <openssl/rand.h>
155#include <openssl/ocsp.h>
156#ifndef OPENSSL_NO_DH
157#include <openssl/dh.h>
158#endif
159#ifndef OPENSSL_NO_ENGINE
160#include <openssl/engine.h>
161#endif
162
163const char *SSL_version_str=OPENSSL_VERSION_TEXT;
164
165SSL3_ENC_METHOD ssl3_undef_enc_method={
166 /* evil casts, but these functions are only called if there's a library bug */
167 (int (*)(SSL *,int))ssl_undefined_function,
168 (int (*)(SSL *, unsigned char *, int))ssl_undefined_function,
169 ssl_undefined_function,
170 (int (*)(SSL *, unsigned char *, unsigned char *, int))ssl_undefined_function,
171 (int (*)(SSL*, int))ssl_undefined_function,
172 (int (*)(SSL *, const char*, int, unsigned char *))ssl_undefined_function,
173 0, /* finish_mac_length */
174 (int (*)(SSL *, int, unsigned char *))ssl_undefined_function,
175 NULL, /* client_finished_label */
176 0, /* client_finished_label_len */
177 NULL, /* server_finished_label */
178 0, /* server_finished_label_len */
179 (int (*)(int))ssl_undefined_function
180 };
181
182int SSL_clear(SSL *s)
183 {
184
185 if (s->method == NULL)
186 {
187 SSLerr(SSL_F_SSL_CLEAR,SSL_R_NO_METHOD_SPECIFIED);
188 return(0);
189 }
190
191 if (ssl_clear_bad_session(s))
192 {
193 SSL_SESSION_free(s->session);
194 s->session=NULL;
195 }
196
197 s->error=0;
198 s->hit=0;
199 s->shutdown=0;
200
201#if 0 /* Disabled since version 1.10 of this file (early return not
202 * needed because SSL_clear is not called when doing renegotiation) */
203 /* This is set if we are doing dynamic renegotiation so keep
204 * the old cipher. It is sort of a SSL_clear_lite :-) */
205 if (s->new_session) return(1);
206#else
207 if (s->new_session)
208 {
209 SSLerr(SSL_F_SSL_CLEAR,ERR_R_INTERNAL_ERROR);
210 return 0;
211 }
212#endif
213
214 s->type=0;
215
216 s->state=SSL_ST_BEFORE|((s->server)?SSL_ST_ACCEPT:SSL_ST_CONNECT);
217
218 s->version=s->method->version;
219 s->client_version=s->version;
220 s->rwstate=SSL_NOTHING;
221 s->rstate=SSL_ST_READ_HEADER;
222#if 0
223 s->read_ahead=s->ctx->read_ahead;
224#endif
225
226 if (s->init_buf != NULL)
227 {
228 BUF_MEM_free(s->init_buf);
229 s->init_buf=NULL;
230 }
231
232 ssl_clear_cipher_ctx(s);
233 ssl_clear_hash_ctx(&s->read_hash);
234 ssl_clear_hash_ctx(&s->write_hash);
235
236 s->first_packet=0;
237
238#if 1
239 /* Check to see if we were changed into a different method, if
240 * so, revert back if we are not doing session-id reuse. */
241 if (!s->in_handshake && (s->session == NULL) && (s->method != s->ctx->method))
242 {
243 s->method->ssl_free(s);
244 s->method=s->ctx->method;
245 if (!s->method->ssl_new(s))
246 return(0);
247 }
248 else
249#endif
250 s->method->ssl_clear(s);
251 return(1);
252 }
253
254/** Used to change an SSL_CTXs default SSL method type */
255int SSL_CTX_set_ssl_version(SSL_CTX *ctx,const SSL_METHOD *meth)
256 {
257 STACK_OF(SSL_CIPHER) *sk;
258
259 ctx->method=meth;
260
261 sk=ssl_create_cipher_list(ctx->method,&(ctx->cipher_list),
262 &(ctx->cipher_list_by_id),
263 meth->version == SSL2_VERSION ? "SSLv2" : SSL_DEFAULT_CIPHER_LIST);
264 if ((sk == NULL) || (sk_SSL_CIPHER_num(sk) <= 0))
265 {
266 SSLerr(SSL_F_SSL_CTX_SET_SSL_VERSION,SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS);
267 return(0);
268 }
269 return(1);
270 }
271
272SSL *SSL_new(SSL_CTX *ctx)
273 {
274 SSL *s;
275
276 if (ctx == NULL)
277 {
278 SSLerr(SSL_F_SSL_NEW,SSL_R_NULL_SSL_CTX);
279 return(NULL);
280 }
281 if (ctx->method == NULL)
282 {
283 SSLerr(SSL_F_SSL_NEW,SSL_R_SSL_CTX_HAS_NO_DEFAULT_SSL_VERSION);
284 return(NULL);
285 }
286
287 s=(SSL *)OPENSSL_malloc(sizeof(SSL));
288 if (s == NULL) goto err;
289 memset(s,0,sizeof(SSL));
290
291#ifndef OPENSSL_NO_KRB5
292 s->kssl_ctx = kssl_ctx_new();
293#endif /* OPENSSL_NO_KRB5 */
294
295 s->options=ctx->options;
296 s->mode=ctx->mode;
297 s->max_cert_list=ctx->max_cert_list;
298
299 if (ctx->cert != NULL)
300 {
301 /* Earlier library versions used to copy the pointer to
302 * the CERT, not its contents; only when setting new
303 * parameters for the per-SSL copy, ssl_cert_new would be
304 * called (and the direct reference to the per-SSL_CTX
305 * settings would be lost, but those still were indirectly
306 * accessed for various purposes, and for that reason they
307 * used to be known as s->ctx->default_cert).
308 * Now we don't look at the SSL_CTX's CERT after having
309 * duplicated it once. */
310
311 s->cert = ssl_cert_dup(ctx->cert);
312 if (s->cert == NULL)
313 goto err;
314 }
315 else
316 s->cert=NULL; /* Cannot really happen (see SSL_CTX_new) */
317
318 s->read_ahead=ctx->read_ahead;
319 s->msg_callback=ctx->msg_callback;
320 s->msg_callback_arg=ctx->msg_callback_arg;
321 s->verify_mode=ctx->verify_mode;
322#if 0
323 s->verify_depth=ctx->verify_depth;
324#endif
325 s->sid_ctx_length=ctx->sid_ctx_length;
326 OPENSSL_assert(s->sid_ctx_length <= sizeof s->sid_ctx);
327 memcpy(&s->sid_ctx,&ctx->sid_ctx,sizeof(s->sid_ctx));
328 s->verify_callback=ctx->default_verify_callback;
329 s->generate_session_id=ctx->generate_session_id;
330
331 s->param = X509_VERIFY_PARAM_new();
332 if (!s->param)
333 goto err;
334 X509_VERIFY_PARAM_inherit(s->param, ctx->param);
335#if 0
336 s->purpose = ctx->purpose;
337 s->trust = ctx->trust;
338#endif
339 s->quiet_shutdown=ctx->quiet_shutdown;
340 s->max_send_fragment = ctx->max_send_fragment;
341
342 CRYPTO_add(&ctx->references,1,CRYPTO_LOCK_SSL_CTX);
343 s->ctx=ctx;
344#ifndef OPENSSL_NO_TLSEXT
345 s->tlsext_debug_cb = 0;
346 s->tlsext_debug_arg = NULL;
347 s->tlsext_ticket_expected = 0;
348 s->tlsext_status_type = -1;
349 s->tlsext_status_expected = 0;
350 s->tlsext_ocsp_ids = NULL;
351 s->tlsext_ocsp_exts = NULL;
352 s->tlsext_ocsp_resp = NULL;
353 s->tlsext_ocsp_resplen = -1;
354 CRYPTO_add(&ctx->references,1,CRYPTO_LOCK_SSL_CTX);
355 s->initial_ctx=ctx;
356#endif
357
358 s->verify_result=X509_V_OK;
359
360 s->method=ctx->method;
361
362 if (!s->method->ssl_new(s))
363 goto err;
364
365 s->references=1;
366 s->server=(ctx->method->ssl_accept == ssl_undefined_function)?0:1;
367
368 SSL_clear(s);
369
370 CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL, s, &s->ex_data);
371
372#ifndef OPENSSL_NO_PSK
373 s->psk_client_callback=ctx->psk_client_callback;
374 s->psk_server_callback=ctx->psk_server_callback;
375#endif
376
377 return(s);
378err:
379 if (s != NULL)
380 {
381 if (s->cert != NULL)
382 ssl_cert_free(s->cert);
383 if (s->ctx != NULL)
384 SSL_CTX_free(s->ctx); /* decrement reference count */
385 OPENSSL_free(s);
386 }
387 SSLerr(SSL_F_SSL_NEW,ERR_R_MALLOC_FAILURE);
388 return(NULL);
389 }
390
391int SSL_CTX_set_session_id_context(SSL_CTX *ctx,const unsigned char *sid_ctx,
392 unsigned int sid_ctx_len)
393 {
394 if(sid_ctx_len > sizeof ctx->sid_ctx)
395 {
396 SSLerr(SSL_F_SSL_CTX_SET_SESSION_ID_CONTEXT,SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG);
397 return 0;
398 }
399 ctx->sid_ctx_length=sid_ctx_len;
400 memcpy(ctx->sid_ctx,sid_ctx,sid_ctx_len);
401
402 return 1;
403 }
404
405int SSL_set_session_id_context(SSL *ssl,const unsigned char *sid_ctx,
406 unsigned int sid_ctx_len)
407 {
408 if(sid_ctx_len > SSL_MAX_SID_CTX_LENGTH)
409 {
410 SSLerr(SSL_F_SSL_SET_SESSION_ID_CONTEXT,SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG);
411 return 0;
412 }
413 ssl->sid_ctx_length=sid_ctx_len;
414 memcpy(ssl->sid_ctx,sid_ctx,sid_ctx_len);
415
416 return 1;
417 }
418
419int SSL_CTX_set_generate_session_id(SSL_CTX *ctx, GEN_SESSION_CB cb)
420 {
421 CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
422 ctx->generate_session_id = cb;
423 CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
424 return 1;
425 }
426
427int SSL_set_generate_session_id(SSL *ssl, GEN_SESSION_CB cb)
428 {
429 CRYPTO_w_lock(CRYPTO_LOCK_SSL);
430 ssl->generate_session_id = cb;
431 CRYPTO_w_unlock(CRYPTO_LOCK_SSL);
432 return 1;
433 }
434
435int SSL_has_matching_session_id(const SSL *ssl, const unsigned char *id,
436 unsigned int id_len)
437 {
438 /* A quick examination of SSL_SESSION_hash and SSL_SESSION_cmp shows how
439 * we can "construct" a session to give us the desired check - ie. to
440 * find if there's a session in the hash table that would conflict with
441 * any new session built out of this id/id_len and the ssl_version in
442 * use by this SSL. */
443 SSL_SESSION r, *p;
444
445 if(id_len > sizeof r.session_id)
446 return 0;
447
448 r.ssl_version = ssl->version;
449 r.session_id_length = id_len;
450 memcpy(r.session_id, id, id_len);
451 /* NB: SSLv2 always uses a fixed 16-byte session ID, so even if a
452 * callback is calling us to check the uniqueness of a shorter ID, it
453 * must be compared as a padded-out ID because that is what it will be
454 * converted to when the callback has finished choosing it. */
455 if((r.ssl_version == SSL2_VERSION) &&
456 (id_len < SSL2_SSL_SESSION_ID_LENGTH))
457 {
458 memset(r.session_id + id_len, 0,
459 SSL2_SSL_SESSION_ID_LENGTH - id_len);
460 r.session_id_length = SSL2_SSL_SESSION_ID_LENGTH;
461 }
462
463 CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX);
464 p = lh_SSL_SESSION_retrieve(ssl->ctx->sessions, &r);
465 CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX);
466 return (p != NULL);
467 }
468
469int SSL_CTX_set_purpose(SSL_CTX *s, int purpose)
470 {
471 return X509_VERIFY_PARAM_set_purpose(s->param, purpose);
472 }
473
474int SSL_set_purpose(SSL *s, int purpose)
475 {
476 return X509_VERIFY_PARAM_set_purpose(s->param, purpose);
477 }
478
479int SSL_CTX_set_trust(SSL_CTX *s, int trust)
480 {
481 return X509_VERIFY_PARAM_set_trust(s->param, trust);
482 }
483
484int SSL_set_trust(SSL *s, int trust)
485 {
486 return X509_VERIFY_PARAM_set_trust(s->param, trust);
487 }
488
489int SSL_CTX_set1_param(SSL_CTX *ctx, X509_VERIFY_PARAM *vpm)
490 {
491 return X509_VERIFY_PARAM_set1(ctx->param, vpm);
492 }
493
494int SSL_set1_param(SSL *ssl, X509_VERIFY_PARAM *vpm)
495 {
496 return X509_VERIFY_PARAM_set1(ssl->param, vpm);
497 }
498
499void SSL_free(SSL *s)
500 {
501 int i;
502
503 if(s == NULL)
504 return;
505
506 i=CRYPTO_add(&s->references,-1,CRYPTO_LOCK_SSL);
507#ifdef REF_PRINT
508 REF_PRINT("SSL",s);
509#endif
510 if (i > 0) return;
511#ifdef REF_CHECK
512 if (i < 0)
513 {
514 fprintf(stderr,"SSL_free, bad reference count\n");
515 abort(); /* ok */
516 }
517#endif
518
519 if (s->param)
520 X509_VERIFY_PARAM_free(s->param);
521
522 CRYPTO_free_ex_data(CRYPTO_EX_INDEX_SSL, s, &s->ex_data);
523
524 if (s->bbio != NULL)
525 {
526 /* If the buffering BIO is in place, pop it off */
527 if (s->bbio == s->wbio)
528 {
529 s->wbio=BIO_pop(s->wbio);
530 }
531 BIO_free(s->bbio);
532 s->bbio=NULL;
533 }
534 if (s->rbio != NULL)
535 BIO_free_all(s->rbio);
536 if ((s->wbio != NULL) && (s->wbio != s->rbio))
537 BIO_free_all(s->wbio);
538
539 if (s->init_buf != NULL) BUF_MEM_free(s->init_buf);
540
541 /* add extra stuff */
542 if (s->cipher_list != NULL) sk_SSL_CIPHER_free(s->cipher_list);
543 if (s->cipher_list_by_id != NULL) sk_SSL_CIPHER_free(s->cipher_list_by_id);
544
545 /* Make the next call work :-) */
546 if (s->session != NULL)
547 {
548 ssl_clear_bad_session(s);
549 SSL_SESSION_free(s->session);
550 }
551
552 ssl_clear_cipher_ctx(s);
553 ssl_clear_hash_ctx(&s->read_hash);
554 ssl_clear_hash_ctx(&s->write_hash);
555
556 if (s->cert != NULL) ssl_cert_free(s->cert);
557 /* Free up if allocated */
558
559#ifndef OPENSSL_NO_TLSEXT
560 if (s->tlsext_hostname)
561 OPENSSL_free(s->tlsext_hostname);
562 if (s->initial_ctx) SSL_CTX_free(s->initial_ctx);
563#ifndef OPENSSL_NO_EC
564 if (s->tlsext_ecpointformatlist) OPENSSL_free(s->tlsext_ecpointformatlist);
565 if (s->tlsext_ellipticcurvelist) OPENSSL_free(s->tlsext_ellipticcurvelist);
566#endif /* OPENSSL_NO_EC */
567 if (s->tlsext_opaque_prf_input) OPENSSL_free(s->tlsext_opaque_prf_input);
568 if (s->tlsext_ocsp_exts)
569 sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts,
570 X509_EXTENSION_free);
571 if (s->tlsext_ocsp_ids)
572 sk_OCSP_RESPID_pop_free(s->tlsext_ocsp_ids, OCSP_RESPID_free);
573 if (s->tlsext_ocsp_resp)
574 OPENSSL_free(s->tlsext_ocsp_resp);
575#endif
576
577 if (s->client_CA != NULL)
578 sk_X509_NAME_pop_free(s->client_CA,X509_NAME_free);
579
580 if (s->method != NULL) s->method->ssl_free(s);
581
582 if (s->ctx) SSL_CTX_free(s->ctx);
583
584#ifndef OPENSSL_NO_KRB5
585 if (s->kssl_ctx != NULL)
586 kssl_ctx_free(s->kssl_ctx);
587#endif /* OPENSSL_NO_KRB5 */
588
589 OPENSSL_free(s);
590 }
591
592void SSL_set_bio(SSL *s,BIO *rbio,BIO *wbio)
593 {
594 /* If the output buffering BIO is still in place, remove it
595 */
596 if (s->bbio != NULL)
597 {
598 if (s->wbio == s->bbio)
599 {
600 s->wbio=s->wbio->next_bio;
601 s->bbio->next_bio=NULL;
602 }
603 }
604 if ((s->rbio != NULL) && (s->rbio != rbio))
605 BIO_free_all(s->rbio);
606 if ((s->wbio != NULL) && (s->wbio != wbio) && (s->rbio != s->wbio))
607 BIO_free_all(s->wbio);
608 s->rbio=rbio;
609 s->wbio=wbio;
610 }
611
612BIO *SSL_get_rbio(const SSL *s)
613 { return(s->rbio); }
614
615BIO *SSL_get_wbio(const SSL *s)
616 { return(s->wbio); }
617
618int SSL_get_fd(const SSL *s)
619 {
620 return(SSL_get_rfd(s));
621 }
622
623int SSL_get_rfd(const SSL *s)
624 {
625 int ret= -1;
626 BIO *b,*r;
627
628 b=SSL_get_rbio(s);
629 r=BIO_find_type(b,BIO_TYPE_DESCRIPTOR);
630 if (r != NULL)
631 BIO_get_fd(r,&ret);
632 return(ret);
633 }
634
635int SSL_get_wfd(const SSL *s)
636 {
637 int ret= -1;
638 BIO *b,*r;
639
640 b=SSL_get_wbio(s);
641 r=BIO_find_type(b,BIO_TYPE_DESCRIPTOR);
642 if (r != NULL)
643 BIO_get_fd(r,&ret);
644 return(ret);
645 }
646
647#ifndef OPENSSL_NO_SOCK
648int SSL_set_fd(SSL *s,int fd)
649 {
650 int ret=0;
651 BIO *bio=NULL;
652
653 bio=BIO_new(BIO_s_socket());
654
655 if (bio == NULL)
656 {
657 SSLerr(SSL_F_SSL_SET_FD,ERR_R_BUF_LIB);
658 goto err;
659 }
660 BIO_set_fd(bio,fd,BIO_NOCLOSE);
661 SSL_set_bio(s,bio,bio);
662 ret=1;
663err:
664 return(ret);
665 }
666
667int SSL_set_wfd(SSL *s,int fd)
668 {
669 int ret=0;
670 BIO *bio=NULL;
671
672 if ((s->rbio == NULL) || (BIO_method_type(s->rbio) != BIO_TYPE_SOCKET)
673 || ((int)BIO_get_fd(s->rbio,NULL) != fd))
674 {
675 bio=BIO_new(BIO_s_socket());
676
677 if (bio == NULL)
678 { SSLerr(SSL_F_SSL_SET_WFD,ERR_R_BUF_LIB); goto err; }
679 BIO_set_fd(bio,fd,BIO_NOCLOSE);
680 SSL_set_bio(s,SSL_get_rbio(s),bio);
681 }
682 else
683 SSL_set_bio(s,SSL_get_rbio(s),SSL_get_rbio(s));
684 ret=1;
685err:
686 return(ret);
687 }
688
689int SSL_set_rfd(SSL *s,int fd)
690 {
691 int ret=0;
692 BIO *bio=NULL;
693
694 if ((s->wbio == NULL) || (BIO_method_type(s->wbio) != BIO_TYPE_SOCKET)
695 || ((int)BIO_get_fd(s->wbio,NULL) != fd))
696 {
697 bio=BIO_new(BIO_s_socket());
698
699 if (bio == NULL)
700 {
701 SSLerr(SSL_F_SSL_SET_RFD,ERR_R_BUF_LIB);
702 goto err;
703 }
704 BIO_set_fd(bio,fd,BIO_NOCLOSE);
705 SSL_set_bio(s,bio,SSL_get_wbio(s));
706 }
707 else
708 SSL_set_bio(s,SSL_get_wbio(s),SSL_get_wbio(s));
709 ret=1;
710err:
711 return(ret);
712 }
713#endif
714
715
716/* return length of latest Finished message we sent, copy to 'buf' */
717size_t SSL_get_finished(const SSL *s, void *buf, size_t count)
718 {
719 size_t ret = 0;
720
721 if (s->s3 != NULL)
722 {
723 ret = s->s3->tmp.finish_md_len;
724 if (count > ret)
725 count = ret;
726 memcpy(buf, s->s3->tmp.finish_md, count);
727 }
728 return ret;
729 }
730
731/* return length of latest Finished message we expected, copy to 'buf' */
732size_t SSL_get_peer_finished(const SSL *s, void *buf, size_t count)
733 {
734 size_t ret = 0;
735
736 if (s->s3 != NULL)
737 {
738 ret = s->s3->tmp.peer_finish_md_len;
739 if (count > ret)
740 count = ret;
741 memcpy(buf, s->s3->tmp.peer_finish_md, count);
742 }
743 return ret;
744 }
745
746
747int SSL_get_verify_mode(const SSL *s)
748 {
749 return(s->verify_mode);
750 }
751
752int SSL_get_verify_depth(const SSL *s)
753 {
754 return X509_VERIFY_PARAM_get_depth(s->param);
755 }
756
757int (*SSL_get_verify_callback(const SSL *s))(int,X509_STORE_CTX *)
758 {
759 return(s->verify_callback);
760 }
761
762int SSL_CTX_get_verify_mode(const SSL_CTX *ctx)
763 {
764 return(ctx->verify_mode);
765 }
766
767int SSL_CTX_get_verify_depth(const SSL_CTX *ctx)
768 {
769 return X509_VERIFY_PARAM_get_depth(ctx->param);
770 }
771
772int (*SSL_CTX_get_verify_callback(const SSL_CTX *ctx))(int,X509_STORE_CTX *)
773 {
774 return(ctx->default_verify_callback);
775 }
776
777void SSL_set_verify(SSL *s,int mode,
778 int (*callback)(int ok,X509_STORE_CTX *ctx))
779 {
780 s->verify_mode=mode;
781 if (callback != NULL)
782 s->verify_callback=callback;
783 }
784
785void SSL_set_verify_depth(SSL *s,int depth)
786 {
787 X509_VERIFY_PARAM_set_depth(s->param, depth);
788 }
789
790void SSL_set_read_ahead(SSL *s,int yes)
791 {
792 s->read_ahead=yes;
793 }
794
795int SSL_get_read_ahead(const SSL *s)
796 {
797 return(s->read_ahead);
798 }
799
800int SSL_pending(const SSL *s)
801 {
802 /* SSL_pending cannot work properly if read-ahead is enabled
803 * (SSL_[CTX_]ctrl(..., SSL_CTRL_SET_READ_AHEAD, 1, NULL)),
804 * and it is impossible to fix since SSL_pending cannot report
805 * errors that may be observed while scanning the new data.
806 * (Note that SSL_pending() is often used as a boolean value,
807 * so we'd better not return -1.)
808 */
809 return(s->method->ssl_pending(s));
810 }
811
812X509 *SSL_get_peer_certificate(const SSL *s)
813 {
814 X509 *r;
815
816 if ((s == NULL) || (s->session == NULL))
817 r=NULL;
818 else
819 r=s->session->peer;
820
821 if (r == NULL) return(r);
822
823 CRYPTO_add(&r->references,1,CRYPTO_LOCK_X509);
824
825 return(r);
826 }
827
828STACK_OF(X509) *SSL_get_peer_cert_chain(const SSL *s)
829 {
830 STACK_OF(X509) *r;
831
832 if ((s == NULL) || (s->session == NULL) || (s->session->sess_cert == NULL))
833 r=NULL;
834 else
835 r=s->session->sess_cert->cert_chain;
836
837 /* If we are a client, cert_chain includes the peer's own
838 * certificate; if we are a server, it does not. */
839
840 return(r);
841 }
842
843/* Now in theory, since the calling process own 't' it should be safe to
844 * modify. We need to be able to read f without being hassled */
845void SSL_copy_session_id(SSL *t,const SSL *f)
846 {
847 CERT *tmp;
848
849 /* Do we need to to SSL locking? */
850 SSL_set_session(t,SSL_get_session(f));
851
852 /* what if we are setup as SSLv2 but want to talk SSLv3 or
853 * vice-versa */
854 if (t->method != f->method)
855 {
856 t->method->ssl_free(t); /* cleanup current */
857 t->method=f->method; /* change method */
858 t->method->ssl_new(t); /* setup new */
859 }
860
861 tmp=t->cert;
862 if (f->cert != NULL)
863 {
864 CRYPTO_add(&f->cert->references,1,CRYPTO_LOCK_SSL_CERT);
865 t->cert=f->cert;
866 }
867 else
868 t->cert=NULL;
869 if (tmp != NULL) ssl_cert_free(tmp);
870 SSL_set_session_id_context(t,f->sid_ctx,f->sid_ctx_length);
871 }
872
873/* Fix this so it checks all the valid key/cert options */
874int SSL_CTX_check_private_key(const SSL_CTX *ctx)
875 {
876 if ( (ctx == NULL) ||
877 (ctx->cert == NULL) ||
878 (ctx->cert->key->x509 == NULL))
879 {
880 SSLerr(SSL_F_SSL_CTX_CHECK_PRIVATE_KEY,SSL_R_NO_CERTIFICATE_ASSIGNED);
881 return(0);
882 }
883 if (ctx->cert->key->privatekey == NULL)
884 {
885 SSLerr(SSL_F_SSL_CTX_CHECK_PRIVATE_KEY,SSL_R_NO_PRIVATE_KEY_ASSIGNED);
886 return(0);
887 }
888 return(X509_check_private_key(ctx->cert->key->x509, ctx->cert->key->privatekey));
889 }
890
891/* Fix this function so that it takes an optional type parameter */
892int SSL_check_private_key(const SSL *ssl)
893 {
894 if (ssl == NULL)
895 {
896 SSLerr(SSL_F_SSL_CHECK_PRIVATE_KEY,ERR_R_PASSED_NULL_PARAMETER);
897 return(0);
898 }
899 if (ssl->cert == NULL)
900 {
901 SSLerr(SSL_F_SSL_CHECK_PRIVATE_KEY,SSL_R_NO_CERTIFICATE_ASSIGNED);
902 return 0;
903 }
904 if (ssl->cert->key->x509 == NULL)
905 {
906 SSLerr(SSL_F_SSL_CHECK_PRIVATE_KEY,SSL_R_NO_CERTIFICATE_ASSIGNED);
907 return(0);
908 }
909 if (ssl->cert->key->privatekey == NULL)
910 {
911 SSLerr(SSL_F_SSL_CHECK_PRIVATE_KEY,SSL_R_NO_PRIVATE_KEY_ASSIGNED);
912 return(0);
913 }
914 return(X509_check_private_key(ssl->cert->key->x509,
915 ssl->cert->key->privatekey));
916 }
917
918int SSL_accept(SSL *s)
919 {
920 if (s->handshake_func == 0)
921 /* Not properly initialized yet */
922 SSL_set_accept_state(s);
923
924 return(s->method->ssl_accept(s));
925 }
926
927int SSL_connect(SSL *s)
928 {
929 if (s->handshake_func == 0)
930 /* Not properly initialized yet */
931 SSL_set_connect_state(s);
932
933 return(s->method->ssl_connect(s));
934 }
935
936long SSL_get_default_timeout(const SSL *s)
937 {
938 return(s->method->get_timeout());
939 }
940
941int SSL_read(SSL *s,void *buf,int num)
942 {
943 if (s->handshake_func == 0)
944 {
945 SSLerr(SSL_F_SSL_READ, SSL_R_UNINITIALIZED);
946 return -1;
947 }
948
949 if (s->shutdown & SSL_RECEIVED_SHUTDOWN)
950 {
951 s->rwstate=SSL_NOTHING;
952 return(0);
953 }
954 return(s->method->ssl_read(s,buf,num));
955 }
956
957int SSL_peek(SSL *s,void *buf,int num)
958 {
959 if (s->handshake_func == 0)
960 {
961 SSLerr(SSL_F_SSL_PEEK, SSL_R_UNINITIALIZED);
962 return -1;
963 }
964
965 if (s->shutdown & SSL_RECEIVED_SHUTDOWN)
966 {
967 return(0);
968 }
969 return(s->method->ssl_peek(s,buf,num));
970 }
971
972int SSL_write(SSL *s,const void *buf,int num)
973 {
974 if (s->handshake_func == 0)
975 {
976 SSLerr(SSL_F_SSL_WRITE, SSL_R_UNINITIALIZED);
977 return -1;
978 }
979
980 if (s->shutdown & SSL_SENT_SHUTDOWN)
981 {
982 s->rwstate=SSL_NOTHING;
983 SSLerr(SSL_F_SSL_WRITE,SSL_R_PROTOCOL_IS_SHUTDOWN);
984 return(-1);
985 }
986 return(s->method->ssl_write(s,buf,num));
987 }
988
989int SSL_shutdown(SSL *s)
990 {
991 /* Note that this function behaves differently from what one might
992 * expect. Return values are 0 for no success (yet),
993 * 1 for success; but calling it once is usually not enough,
994 * even if blocking I/O is used (see ssl3_shutdown).
995 */
996
997 if (s->handshake_func == 0)
998 {
999 SSLerr(SSL_F_SSL_SHUTDOWN, SSL_R_UNINITIALIZED);
1000 return -1;
1001 }
1002
1003 if ((s != NULL) && !SSL_in_init(s))
1004 return(s->method->ssl_shutdown(s));
1005 else
1006 return(1);
1007 }
1008
1009int SSL_renegotiate(SSL *s)
1010 {
1011 if (s->new_session == 0)
1012 {
1013 s->new_session=1;
1014 }
1015 return(s->method->ssl_renegotiate(s));
1016 }
1017
1018int SSL_renegotiate_pending(SSL *s)
1019 {
1020 /* becomes true when negotiation is requested;
1021 * false again once a handshake has finished */
1022 return (s->new_session != 0);
1023 }
1024
1025long SSL_ctrl(SSL *s,int cmd,long larg,void *parg)
1026 {
1027 long l;
1028
1029 switch (cmd)
1030 {
1031 case SSL_CTRL_GET_READ_AHEAD:
1032 return(s->read_ahead);
1033 case SSL_CTRL_SET_READ_AHEAD:
1034 l=s->read_ahead;
1035 s->read_ahead=larg;
1036 return(l);
1037
1038 case SSL_CTRL_SET_MSG_CALLBACK_ARG:
1039 s->msg_callback_arg = parg;
1040 return 1;
1041
1042 case SSL_CTRL_OPTIONS:
1043 return(s->options|=larg);
1044 case SSL_CTRL_CLEAR_OPTIONS:
1045 return(s->options&=~larg);
1046 case SSL_CTRL_MODE:
1047 return(s->mode|=larg);
1048 case SSL_CTRL_CLEAR_MODE:
1049 return(s->mode &=~larg);
1050 case SSL_CTRL_GET_MAX_CERT_LIST:
1051 return(s->max_cert_list);
1052 case SSL_CTRL_SET_MAX_CERT_LIST:
1053 l=s->max_cert_list;
1054 s->max_cert_list=larg;
1055 return(l);
1056 case SSL_CTRL_SET_MTU:
1057 if (larg < (long)dtls1_min_mtu())
1058 return 0;
1059
1060 if (SSL_version(s) == DTLS1_VERSION ||
1061 SSL_version(s) == DTLS1_BAD_VER)
1062 {
1063 s->d1->mtu = larg;
1064 return larg;
1065 }
1066 return 0;
1067 case SSL_CTRL_SET_MAX_SEND_FRAGMENT:
1068 if (larg < 512 || larg > SSL3_RT_MAX_PLAIN_LENGTH)
1069 return 0;
1070 s->max_send_fragment = larg;
1071 return 1;
1072 case SSL_CTRL_GET_RI_SUPPORT:
1073 if (s->s3)
1074 return s->s3->send_connection_binding;
1075 else return 0;
1076 default:
1077 return(s->method->ssl_ctrl(s,cmd,larg,parg));
1078 }
1079 }
1080
1081long SSL_callback_ctrl(SSL *s, int cmd, void (*fp)(void))
1082 {
1083 switch(cmd)
1084 {
1085 case SSL_CTRL_SET_MSG_CALLBACK:
1086 s->msg_callback = (void (*)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg))(fp);
1087 return 1;
1088
1089 default:
1090 return(s->method->ssl_callback_ctrl(s,cmd,fp));
1091 }
1092 }
1093
1094LHASH_OF(SSL_SESSION) *SSL_CTX_sessions(SSL_CTX *ctx)
1095 {
1096 return ctx->sessions;
1097 }
1098
1099long SSL_CTX_ctrl(SSL_CTX *ctx,int cmd,long larg,void *parg)
1100 {
1101 long l;
1102
1103 switch (cmd)
1104 {
1105 case SSL_CTRL_GET_READ_AHEAD:
1106 return(ctx->read_ahead);
1107 case SSL_CTRL_SET_READ_AHEAD:
1108 l=ctx->read_ahead;
1109 ctx->read_ahead=larg;
1110 return(l);
1111
1112 case SSL_CTRL_SET_MSG_CALLBACK_ARG:
1113 ctx->msg_callback_arg = parg;
1114 return 1;
1115
1116 case SSL_CTRL_GET_MAX_CERT_LIST:
1117 return(ctx->max_cert_list);
1118 case SSL_CTRL_SET_MAX_CERT_LIST:
1119 l=ctx->max_cert_list;
1120 ctx->max_cert_list=larg;
1121 return(l);
1122
1123 case SSL_CTRL_SET_SESS_CACHE_SIZE:
1124 l=ctx->session_cache_size;
1125 ctx->session_cache_size=larg;
1126 return(l);
1127 case SSL_CTRL_GET_SESS_CACHE_SIZE:
1128 return(ctx->session_cache_size);
1129 case SSL_CTRL_SET_SESS_CACHE_MODE:
1130 l=ctx->session_cache_mode;
1131 ctx->session_cache_mode=larg;
1132 return(l);
1133 case SSL_CTRL_GET_SESS_CACHE_MODE:
1134 return(ctx->session_cache_mode);
1135
1136 case SSL_CTRL_SESS_NUMBER:
1137 return(lh_SSL_SESSION_num_items(ctx->sessions));
1138 case SSL_CTRL_SESS_CONNECT:
1139 return(ctx->stats.sess_connect);
1140 case SSL_CTRL_SESS_CONNECT_GOOD:
1141 return(ctx->stats.sess_connect_good);
1142 case SSL_CTRL_SESS_CONNECT_RENEGOTIATE:
1143 return(ctx->stats.sess_connect_renegotiate);
1144 case SSL_CTRL_SESS_ACCEPT:
1145 return(ctx->stats.sess_accept);
1146 case SSL_CTRL_SESS_ACCEPT_GOOD:
1147 return(ctx->stats.sess_accept_good);
1148 case SSL_CTRL_SESS_ACCEPT_RENEGOTIATE:
1149 return(ctx->stats.sess_accept_renegotiate);
1150 case SSL_CTRL_SESS_HIT:
1151 return(ctx->stats.sess_hit);
1152 case SSL_CTRL_SESS_CB_HIT:
1153 return(ctx->stats.sess_cb_hit);
1154 case SSL_CTRL_SESS_MISSES:
1155 return(ctx->stats.sess_miss);
1156 case SSL_CTRL_SESS_TIMEOUTS:
1157 return(ctx->stats.sess_timeout);
1158 case SSL_CTRL_SESS_CACHE_FULL:
1159 return(ctx->stats.sess_cache_full);
1160 case SSL_CTRL_OPTIONS:
1161 return(ctx->options|=larg);
1162 case SSL_CTRL_CLEAR_OPTIONS:
1163 return(ctx->options&=~larg);
1164 case SSL_CTRL_MODE:
1165 return(ctx->mode|=larg);
1166 case SSL_CTRL_CLEAR_MODE:
1167 return(ctx->mode&=~larg);
1168 case SSL_CTRL_SET_MAX_SEND_FRAGMENT:
1169 if (larg < 512 || larg > SSL3_RT_MAX_PLAIN_LENGTH)
1170 return 0;
1171 ctx->max_send_fragment = larg;
1172 return 1;
1173 default:
1174 return(ctx->method->ssl_ctx_ctrl(ctx,cmd,larg,parg));
1175 }
1176 }
1177
1178long SSL_CTX_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)(void))
1179 {
1180 switch(cmd)
1181 {
1182 case SSL_CTRL_SET_MSG_CALLBACK:
1183 ctx->msg_callback = (void (*)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg))(fp);
1184 return 1;
1185
1186 default:
1187 return(ctx->method->ssl_ctx_callback_ctrl(ctx,cmd,fp));
1188 }
1189 }
1190
1191int ssl_cipher_id_cmp(const SSL_CIPHER *a, const SSL_CIPHER *b)
1192 {
1193 long l;
1194
1195 l=a->id-b->id;
1196 if (l == 0L)
1197 return(0);
1198 else
1199 return((l > 0)?1:-1);
1200 }
1201
1202int ssl_cipher_ptr_id_cmp(const SSL_CIPHER * const *ap,
1203 const SSL_CIPHER * const *bp)
1204 {
1205 long l;
1206
1207 l=(*ap)->id-(*bp)->id;
1208 if (l == 0L)
1209 return(0);
1210 else
1211 return((l > 0)?1:-1);
1212 }
1213
1214/** return a STACK of the ciphers available for the SSL and in order of
1215 * preference */
1216STACK_OF(SSL_CIPHER) *SSL_get_ciphers(const SSL *s)
1217 {
1218 if (s != NULL)
1219 {
1220 if (s->cipher_list != NULL)
1221 {
1222 return(s->cipher_list);
1223 }
1224 else if ((s->ctx != NULL) &&
1225 (s->ctx->cipher_list != NULL))
1226 {
1227 return(s->ctx->cipher_list);
1228 }
1229 }
1230 return(NULL);
1231 }
1232
1233/** return a STACK of the ciphers available for the SSL and in order of
1234 * algorithm id */
1235STACK_OF(SSL_CIPHER) *ssl_get_ciphers_by_id(SSL *s)
1236 {
1237 if (s != NULL)
1238 {
1239 if (s->cipher_list_by_id != NULL)
1240 {
1241 return(s->cipher_list_by_id);
1242 }
1243 else if ((s->ctx != NULL) &&
1244 (s->ctx->cipher_list_by_id != NULL))
1245 {
1246 return(s->ctx->cipher_list_by_id);
1247 }
1248 }
1249 return(NULL);
1250 }
1251
1252/** The old interface to get the same thing as SSL_get_ciphers() */
1253const char *SSL_get_cipher_list(const SSL *s,int n)
1254 {
1255 SSL_CIPHER *c;
1256 STACK_OF(SSL_CIPHER) *sk;
1257
1258 if (s == NULL) return(NULL);
1259 sk=SSL_get_ciphers(s);
1260 if ((sk == NULL) || (sk_SSL_CIPHER_num(sk) <= n))
1261 return(NULL);
1262 c=sk_SSL_CIPHER_value(sk,n);
1263 if (c == NULL) return(NULL);
1264 return(c->name);
1265 }
1266
1267/** specify the ciphers to be used by default by the SSL_CTX */
1268int SSL_CTX_set_cipher_list(SSL_CTX *ctx, const char *str)
1269 {
1270 STACK_OF(SSL_CIPHER) *sk;
1271
1272 sk=ssl_create_cipher_list(ctx->method,&ctx->cipher_list,
1273 &ctx->cipher_list_by_id,str);
1274 /* ssl_create_cipher_list may return an empty stack if it
1275 * was unable to find a cipher matching the given rule string
1276 * (for example if the rule string specifies a cipher which
1277 * has been disabled). This is not an error as far as
1278 * ssl_create_cipher_list is concerned, and hence
1279 * ctx->cipher_list and ctx->cipher_list_by_id has been
1280 * updated. */
1281 if (sk == NULL)
1282 return 0;
1283 else if (sk_SSL_CIPHER_num(sk) == 0)
1284 {
1285 SSLerr(SSL_F_SSL_CTX_SET_CIPHER_LIST, SSL_R_NO_CIPHER_MATCH);
1286 return 0;
1287 }
1288 return 1;
1289 }
1290
1291/** specify the ciphers to be used by the SSL */
1292int SSL_set_cipher_list(SSL *s,const char *str)
1293 {
1294 STACK_OF(SSL_CIPHER) *sk;
1295
1296 sk=ssl_create_cipher_list(s->ctx->method,&s->cipher_list,
1297 &s->cipher_list_by_id,str);
1298 /* see comment in SSL_CTX_set_cipher_list */
1299 if (sk == NULL)
1300 return 0;
1301 else if (sk_SSL_CIPHER_num(sk) == 0)
1302 {
1303 SSLerr(SSL_F_SSL_SET_CIPHER_LIST, SSL_R_NO_CIPHER_MATCH);
1304 return 0;
1305 }
1306 return 1;
1307 }
1308
1309/* works well for SSLv2, not so good for SSLv3 */
1310char *SSL_get_shared_ciphers(const SSL *s,char *buf,int len)
1311 {
1312 char *end;
1313 STACK_OF(SSL_CIPHER) *sk;
1314 SSL_CIPHER *c;
1315 size_t curlen = 0;
1316 int i;
1317
1318 if ((s->session == NULL) || (s->session->ciphers == NULL) ||
1319 (len < 2))
1320 return(NULL);
1321
1322 sk=s->session->ciphers;
1323 buf[0] = '\0';
1324 for (i=0; i<sk_SSL_CIPHER_num(sk); i++)
1325 {
1326 c=sk_SSL_CIPHER_value(sk,i);
1327 end = buf + curlen;
1328 if (strlcat(buf, c->name, len) >= len ||
1329 (curlen = strlcat(buf, ":", len)) >= len)
1330 {
1331 /* remove truncated cipher from list */
1332 *end = '\0';
1333 break;
1334 }
1335 }
1336 /* remove trailing colon */
1337 if ((end = strrchr(buf, ':')) != NULL)
1338 *end = '\0';
1339 return(buf);
1340 }
1341
1342int ssl_cipher_list_to_bytes(SSL *s,STACK_OF(SSL_CIPHER) *sk,unsigned char *p,
1343 int (*put_cb)(const SSL_CIPHER *, unsigned char *))
1344 {
1345 int i,j=0;
1346 SSL_CIPHER *c;
1347 unsigned char *q;
1348#ifndef OPENSSL_NO_KRB5
1349 int nokrb5 = !kssl_tgt_is_available(s->kssl_ctx);
1350#endif /* OPENSSL_NO_KRB5 */
1351
1352 if (sk == NULL) return(0);
1353 q=p;
1354
1355 for (i=0; i<sk_SSL_CIPHER_num(sk); i++)
1356 {
1357 c=sk_SSL_CIPHER_value(sk,i);
1358#ifndef OPENSSL_NO_KRB5
1359 if (((c->algorithm_mkey & SSL_kKRB5) || (c->algorithm_auth & SSL_aKRB5)) &&
1360 nokrb5)
1361 continue;
1362#endif /* OPENSSL_NO_KRB5 */
1363#ifndef OPENSSL_NO_PSK
1364 /* with PSK there must be client callback set */
1365 if (((c->algorithm_mkey & SSL_kPSK) || (c->algorithm_auth & SSL_aPSK)) &&
1366 s->psk_client_callback == NULL)
1367 continue;
1368#endif /* OPENSSL_NO_PSK */
1369 j = put_cb ? put_cb(c,p) : ssl_put_cipher_by_char(s,c,p);
1370 p+=j;
1371 }
1372 /* If p == q, no ciphers and caller indicates an error. Otherwise
1373 * add SCSV if not renegotiating.
1374 */
1375 if (p != q && !s->new_session)
1376 {
1377 static SSL_CIPHER scsv =
1378 {
1379 0, NULL, SSL3_CK_SCSV, 0, 0, 0, 0, 0, 0, 0, 0, 0
1380 };
1381 j = put_cb ? put_cb(&scsv,p) : ssl_put_cipher_by_char(s,&scsv,p);
1382 p+=j;
1383#ifdef OPENSSL_RI_DEBUG
1384 fprintf(stderr, "SCSV sent by client\n");
1385#endif
1386 }
1387
1388 return(p-q);
1389 }
1390
1391STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s,unsigned char *p,int num,
1392 STACK_OF(SSL_CIPHER) **skp)
1393 {
1394 const SSL_CIPHER *c;
1395 STACK_OF(SSL_CIPHER) *sk;
1396 int i,n;
1397 if (s->s3)
1398 s->s3->send_connection_binding = 0;
1399
1400 n=ssl_put_cipher_by_char(s,NULL,NULL);
1401 if ((num%n) != 0)
1402 {
1403 SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST);
1404 return(NULL);
1405 }
1406 if ((skp == NULL) || (*skp == NULL))
1407 sk=sk_SSL_CIPHER_new_null(); /* change perhaps later */
1408 else
1409 {
1410 sk= *skp;
1411 sk_SSL_CIPHER_zero(sk);
1412 }
1413
1414 for (i=0; i<num; i+=n)
1415 {
1416 /* Check for SCSV */
1417 if (s->s3 && (n != 3 || !p[0]) &&
1418 (p[n-2] == ((SSL3_CK_SCSV >> 8) & 0xff)) &&
1419 (p[n-1] == (SSL3_CK_SCSV & 0xff)))
1420 {
1421 /* SCSV fatal if renegotiating */
1422 if (s->new_session)
1423 {
1424 SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING);
1425 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE);
1426 goto err;
1427 }
1428 s->s3->send_connection_binding = 1;
1429 p += n;
1430#ifdef OPENSSL_RI_DEBUG
1431 fprintf(stderr, "SCSV received by server\n");
1432#endif
1433 continue;
1434 }
1435
1436 c=ssl_get_cipher_by_char(s,p);
1437 p+=n;
1438 if (c != NULL)
1439 {
1440 if (!sk_SSL_CIPHER_push(sk,c))
1441 {
1442 SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,ERR_R_MALLOC_FAILURE);
1443 goto err;
1444 }
1445 }
1446 }
1447
1448 if (skp != NULL)
1449 *skp=sk;
1450 return(sk);
1451err:
1452 if ((skp == NULL) || (*skp == NULL))
1453 sk_SSL_CIPHER_free(sk);
1454 return(NULL);
1455 }
1456
1457
1458#ifndef OPENSSL_NO_TLSEXT
1459/** return a servername extension value if provided in Client Hello, or NULL.
1460 * So far, only host_name types are defined (RFC 3546).
1461 */
1462
1463const char *SSL_get_servername(const SSL *s, const int type)
1464 {
1465 if (type != TLSEXT_NAMETYPE_host_name)
1466 return NULL;
1467
1468 return s->session && !s->tlsext_hostname ?
1469 s->session->tlsext_hostname :
1470 s->tlsext_hostname;
1471 }
1472
1473int SSL_get_servername_type(const SSL *s)
1474 {
1475 if (s->session && (!s->tlsext_hostname ? s->session->tlsext_hostname : s->tlsext_hostname))
1476 return TLSEXT_NAMETYPE_host_name;
1477 return -1;
1478 }
1479#endif
1480
1481static unsigned long ssl_session_hash(const SSL_SESSION *a)
1482 {
1483 unsigned long l;
1484
1485 l=(unsigned long)
1486 ((unsigned int) a->session_id[0] )|
1487 ((unsigned int) a->session_id[1]<< 8L)|
1488 ((unsigned long)a->session_id[2]<<16L)|
1489 ((unsigned long)a->session_id[3]<<24L);
1490 return(l);
1491 }
1492
1493/* NB: If this function (or indeed the hash function which uses a sort of
1494 * coarser function than this one) is changed, ensure
1495 * SSL_CTX_has_matching_session_id() is checked accordingly. It relies on being
1496 * able to construct an SSL_SESSION that will collide with any existing session
1497 * with a matching session ID. */
1498static int ssl_session_cmp(const SSL_SESSION *a,const SSL_SESSION *b)
1499 {
1500 if (a->ssl_version != b->ssl_version)
1501 return(1);
1502 if (a->session_id_length != b->session_id_length)
1503 return(1);
1504 return(memcmp(a->session_id,b->session_id,a->session_id_length));
1505 }
1506
1507/* These wrapper functions should remain rather than redeclaring
1508 * SSL_SESSION_hash and SSL_SESSION_cmp for void* types and casting each
1509 * variable. The reason is that the functions aren't static, they're exposed via
1510 * ssl.h. */
1511static IMPLEMENT_LHASH_HASH_FN(ssl_session, SSL_SESSION)
1512static IMPLEMENT_LHASH_COMP_FN(ssl_session, SSL_SESSION)
1513
1514SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth)
1515 {
1516 SSL_CTX *ret=NULL;
1517
1518 if (meth == NULL)
1519 {
1520 SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_NULL_SSL_METHOD_PASSED);
1521 return(NULL);
1522 }
1523
1524 if (SSL_get_ex_data_X509_STORE_CTX_idx() < 0)
1525 {
1526 SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_X509_VERIFICATION_SETUP_PROBLEMS);
1527 goto err;
1528 }
1529 ret=(SSL_CTX *)OPENSSL_malloc(sizeof(SSL_CTX));
1530 if (ret == NULL)
1531 goto err;
1532
1533 memset(ret,0,sizeof(SSL_CTX));
1534
1535 ret->method=meth;
1536
1537 ret->cert_store=NULL;
1538 ret->session_cache_mode=SSL_SESS_CACHE_SERVER;
1539 ret->session_cache_size=SSL_SESSION_CACHE_MAX_SIZE_DEFAULT;
1540 ret->session_cache_head=NULL;
1541 ret->session_cache_tail=NULL;
1542
1543 /* We take the system default */
1544 ret->session_timeout=meth->get_timeout();
1545
1546 ret->new_session_cb=0;
1547 ret->remove_session_cb=0;
1548 ret->get_session_cb=0;
1549 ret->generate_session_id=0;
1550
1551 memset((char *)&ret->stats,0,sizeof(ret->stats));
1552
1553 ret->references=1;
1554 ret->quiet_shutdown=0;
1555
1556/* ret->cipher=NULL;*/
1557/* ret->s2->challenge=NULL;
1558 ret->master_key=NULL;
1559 ret->key_arg=NULL;
1560 ret->s2->conn_id=NULL; */
1561
1562 ret->info_callback=NULL;
1563
1564 ret->app_verify_callback=0;
1565 ret->app_verify_arg=NULL;
1566
1567 ret->max_cert_list=SSL_MAX_CERT_LIST_DEFAULT;
1568 ret->read_ahead=0;
1569 ret->msg_callback=0;
1570 ret->msg_callback_arg=NULL;
1571 ret->verify_mode=SSL_VERIFY_NONE;
1572#if 0
1573 ret->verify_depth=-1; /* Don't impose a limit (but x509_lu.c does) */
1574#endif
1575 ret->sid_ctx_length=0;
1576 ret->default_verify_callback=NULL;
1577 if ((ret->cert=ssl_cert_new()) == NULL)
1578 goto err;
1579
1580 ret->default_passwd_callback=0;
1581 ret->default_passwd_callback_userdata=NULL;
1582 ret->client_cert_cb=0;
1583 ret->app_gen_cookie_cb=0;
1584 ret->app_verify_cookie_cb=0;
1585
1586 ret->sessions=lh_SSL_SESSION_new();
1587 if (ret->sessions == NULL) goto err;
1588 ret->cert_store=X509_STORE_new();
1589 if (ret->cert_store == NULL) goto err;
1590
1591 ssl_create_cipher_list(ret->method,
1592 &ret->cipher_list,&ret->cipher_list_by_id,
1593 meth->version == SSL2_VERSION ? "SSLv2" : SSL_DEFAULT_CIPHER_LIST);
1594 if (ret->cipher_list == NULL
1595 || sk_SSL_CIPHER_num(ret->cipher_list) <= 0)
1596 {
1597 SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_LIBRARY_HAS_NO_CIPHERS);
1598 goto err2;
1599 }
1600
1601 ret->param = X509_VERIFY_PARAM_new();
1602 if (!ret->param)
1603 goto err;
1604
1605 if ((ret->rsa_md5=EVP_get_digestbyname("ssl2-md5")) == NULL)
1606 {
1607 SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_UNABLE_TO_LOAD_SSL2_MD5_ROUTINES);
1608 goto err2;
1609 }
1610 if ((ret->md5=EVP_get_digestbyname("ssl3-md5")) == NULL)
1611 {
1612 SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES);
1613 goto err2;
1614 }
1615 if ((ret->sha1=EVP_get_digestbyname("ssl3-sha1")) == NULL)
1616 {
1617 SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES);
1618 goto err2;
1619 }
1620
1621 if ((ret->client_CA=sk_X509_NAME_new_null()) == NULL)
1622 goto err;
1623
1624 CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL_CTX, ret, &ret->ex_data);
1625
1626 ret->extra_certs=NULL;
1627 ret->comp_methods=SSL_COMP_get_compression_methods();
1628
1629 ret->max_send_fragment = SSL3_RT_MAX_PLAIN_LENGTH;
1630
1631#ifndef OPENSSL_NO_TLSEXT
1632 ret->tlsext_servername_callback = 0;
1633 ret->tlsext_servername_arg = NULL;
1634 /* Setup RFC4507 ticket keys */
1635 if ((RAND_pseudo_bytes(ret->tlsext_tick_key_name, 16) <= 0)
1636 || (RAND_bytes(ret->tlsext_tick_hmac_key, 16) <= 0)
1637 || (RAND_bytes(ret->tlsext_tick_aes_key, 16) <= 0))
1638 ret->options |= SSL_OP_NO_TICKET;
1639
1640 ret->tlsext_status_cb = 0;
1641 ret->tlsext_status_arg = NULL;
1642
1643#endif
1644#ifndef OPENSSL_NO_PSK
1645 ret->psk_identity_hint=NULL;
1646 ret->psk_client_callback=NULL;
1647 ret->psk_server_callback=NULL;
1648#endif
1649#ifndef OPENSSL_NO_BUF_FREELISTS
1650 ret->freelist_max_len = SSL_MAX_BUF_FREELIST_LEN_DEFAULT;
1651 ret->rbuf_freelist = OPENSSL_malloc(sizeof(SSL3_BUF_FREELIST));
1652 if (!ret->rbuf_freelist)
1653 goto err;
1654 ret->rbuf_freelist->chunklen = 0;
1655 ret->rbuf_freelist->len = 0;
1656 ret->rbuf_freelist->head = NULL;
1657 ret->wbuf_freelist = OPENSSL_malloc(sizeof(SSL3_BUF_FREELIST));
1658 if (!ret->wbuf_freelist)
1659 {
1660 OPENSSL_free(ret->rbuf_freelist);
1661 goto err;
1662 }
1663 ret->wbuf_freelist->chunklen = 0;
1664 ret->wbuf_freelist->len = 0;
1665 ret->wbuf_freelist->head = NULL;
1666#endif
1667#ifndef OPENSSL_NO_ENGINE
1668 ret->client_cert_engine = NULL;
1669#ifdef OPENSSL_SSL_CLIENT_ENGINE_AUTO
1670#define eng_strx(x) #x
1671#define eng_str(x) eng_strx(x)
1672 /* Use specific client engine automatically... ignore errors */
1673 {
1674 ENGINE *eng;
1675 eng = ENGINE_by_id(eng_str(OPENSSL_SSL_CLIENT_ENGINE_AUTO));
1676 if (!eng)
1677 {
1678 ERR_clear_error();
1679 ENGINE_load_builtin_engines();
1680 eng = ENGINE_by_id(eng_str(OPENSSL_SSL_CLIENT_ENGINE_AUTO));
1681 }
1682 if (!eng || !SSL_CTX_set_client_cert_engine(ret, eng))
1683 ERR_clear_error();
1684 }
1685#endif
1686#endif
1687 /* Default is to connect to non-RI servers. When RI is more widely
1688 * deployed might change this.
1689 */
1690 ret->options |= SSL_OP_LEGACY_SERVER_CONNECT;
1691
1692 return(ret);
1693err:
1694 SSLerr(SSL_F_SSL_CTX_NEW,ERR_R_MALLOC_FAILURE);
1695err2:
1696 if (ret != NULL) SSL_CTX_free(ret);
1697 return(NULL);
1698 }
1699
1700#if 0
1701static void SSL_COMP_free(SSL_COMP *comp)
1702 { OPENSSL_free(comp); }
1703#endif
1704
1705#ifndef OPENSSL_NO_BUF_FREELISTS
1706static void
1707ssl_buf_freelist_free(SSL3_BUF_FREELIST *list)
1708 {
1709 SSL3_BUF_FREELIST_ENTRY *ent, *next;
1710 for (ent = list->head; ent; ent = next)
1711 {
1712 next = ent->next;
1713 OPENSSL_free(ent);
1714 }
1715 OPENSSL_free(list);
1716 }
1717#endif
1718
1719void SSL_CTX_free(SSL_CTX *a)
1720 {
1721 int i;
1722
1723 if (a == NULL) return;
1724
1725 i=CRYPTO_add(&a->references,-1,CRYPTO_LOCK_SSL_CTX);
1726#ifdef REF_PRINT
1727 REF_PRINT("SSL_CTX",a);
1728#endif
1729 if (i > 0) return;
1730#ifdef REF_CHECK
1731 if (i < 0)
1732 {
1733 fprintf(stderr,"SSL_CTX_free, bad reference count\n");
1734 abort(); /* ok */
1735 }
1736#endif
1737
1738 if (a->param)
1739 X509_VERIFY_PARAM_free(a->param);
1740
1741 /*
1742 * Free internal session cache. However: the remove_cb() may reference
1743 * the ex_data of SSL_CTX, thus the ex_data store can only be removed
1744 * after the sessions were flushed.
1745 * As the ex_data handling routines might also touch the session cache,
1746 * the most secure solution seems to be: empty (flush) the cache, then
1747 * free ex_data, then finally free the cache.
1748 * (See ticket [openssl.org #212].)
1749 */
1750 if (a->sessions != NULL)
1751 SSL_CTX_flush_sessions(a,0);
1752
1753 CRYPTO_free_ex_data(CRYPTO_EX_INDEX_SSL_CTX, a, &a->ex_data);
1754
1755 if (a->sessions != NULL)
1756 lh_SSL_SESSION_free(a->sessions);
1757
1758 if (a->cert_store != NULL)
1759 X509_STORE_free(a->cert_store);
1760 if (a->cipher_list != NULL)
1761 sk_SSL_CIPHER_free(a->cipher_list);
1762 if (a->cipher_list_by_id != NULL)
1763 sk_SSL_CIPHER_free(a->cipher_list_by_id);
1764 if (a->cert != NULL)
1765 ssl_cert_free(a->cert);
1766 if (a->client_CA != NULL)
1767 sk_X509_NAME_pop_free(a->client_CA,X509_NAME_free);
1768 if (a->extra_certs != NULL)
1769 sk_X509_pop_free(a->extra_certs,X509_free);
1770#if 0 /* This should never be done, since it removes a global database */
1771 if (a->comp_methods != NULL)
1772 sk_SSL_COMP_pop_free(a->comp_methods,SSL_COMP_free);
1773#else
1774 a->comp_methods = NULL;
1775#endif
1776
1777#ifndef OPENSSL_NO_PSK
1778 if (a->psk_identity_hint)
1779 OPENSSL_free(a->psk_identity_hint);
1780#endif
1781#ifndef OPENSSL_NO_ENGINE
1782 if (a->client_cert_engine)
1783 ENGINE_finish(a->client_cert_engine);
1784#endif
1785
1786#ifndef OPENSSL_NO_BUF_FREELISTS
1787 if (a->wbuf_freelist)
1788 ssl_buf_freelist_free(a->wbuf_freelist);
1789 if (a->rbuf_freelist)
1790 ssl_buf_freelist_free(a->rbuf_freelist);
1791#endif
1792
1793 OPENSSL_free(a);
1794 }
1795
1796void SSL_CTX_set_default_passwd_cb(SSL_CTX *ctx, pem_password_cb *cb)
1797 {
1798 ctx->default_passwd_callback=cb;
1799 }
1800
1801void SSL_CTX_set_default_passwd_cb_userdata(SSL_CTX *ctx,void *u)
1802 {
1803 ctx->default_passwd_callback_userdata=u;
1804 }
1805
1806void SSL_CTX_set_cert_verify_callback(SSL_CTX *ctx, int (*cb)(X509_STORE_CTX *,void *), void *arg)
1807 {
1808 ctx->app_verify_callback=cb;
1809 ctx->app_verify_arg=arg;
1810 }
1811
1812void SSL_CTX_set_verify(SSL_CTX *ctx,int mode,int (*cb)(int, X509_STORE_CTX *))
1813 {
1814 ctx->verify_mode=mode;
1815 ctx->default_verify_callback=cb;
1816 }
1817
1818void SSL_CTX_set_verify_depth(SSL_CTX *ctx,int depth)
1819 {
1820 X509_VERIFY_PARAM_set_depth(ctx->param, depth);
1821 }
1822
1823void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher)
1824 {
1825 CERT_PKEY *cpk;
1826 int rsa_enc,rsa_tmp,rsa_sign,dh_tmp,dh_rsa,dh_dsa,dsa_sign;
1827 int rsa_enc_export,dh_rsa_export,dh_dsa_export;
1828 int rsa_tmp_export,dh_tmp_export,kl;
1829 unsigned long mask_k,mask_a,emask_k,emask_a;
1830 int have_ecc_cert, ecdh_ok, ecdsa_ok, ecc_pkey_size;
1831#ifndef OPENSSL_NO_ECDH
1832 int have_ecdh_tmp;
1833#endif
1834 X509 *x = NULL;
1835 EVP_PKEY *ecc_pkey = NULL;
1836 int signature_nid = 0, pk_nid = 0, md_nid = 0;
1837
1838 if (c == NULL) return;
1839
1840 kl=SSL_C_EXPORT_PKEYLENGTH(cipher);
1841
1842#ifndef OPENSSL_NO_RSA
1843 rsa_tmp=(c->rsa_tmp != NULL || c->rsa_tmp_cb != NULL);
1844 rsa_tmp_export=(c->rsa_tmp_cb != NULL ||
1845 (rsa_tmp && RSA_size(c->rsa_tmp)*8 <= kl));
1846#else
1847 rsa_tmp=rsa_tmp_export=0;
1848#endif
1849#ifndef OPENSSL_NO_DH
1850 dh_tmp=(c->dh_tmp != NULL || c->dh_tmp_cb != NULL);
1851 dh_tmp_export=(c->dh_tmp_cb != NULL ||
1852 (dh_tmp && DH_size(c->dh_tmp)*8 <= kl));
1853#else
1854 dh_tmp=dh_tmp_export=0;
1855#endif
1856
1857#ifndef OPENSSL_NO_ECDH
1858 have_ecdh_tmp=(c->ecdh_tmp != NULL || c->ecdh_tmp_cb != NULL);
1859#endif
1860 cpk= &(c->pkeys[SSL_PKEY_RSA_ENC]);
1861 rsa_enc= (cpk->x509 != NULL && cpk->privatekey != NULL);
1862 rsa_enc_export=(rsa_enc && EVP_PKEY_size(cpk->privatekey)*8 <= kl);
1863 cpk= &(c->pkeys[SSL_PKEY_RSA_SIGN]);
1864 rsa_sign=(cpk->x509 != NULL && cpk->privatekey != NULL);
1865 cpk= &(c->pkeys[SSL_PKEY_DSA_SIGN]);
1866 dsa_sign=(cpk->x509 != NULL && cpk->privatekey != NULL);
1867 cpk= &(c->pkeys[SSL_PKEY_DH_RSA]);
1868 dh_rsa= (cpk->x509 != NULL && cpk->privatekey != NULL);
1869 dh_rsa_export=(dh_rsa && EVP_PKEY_size(cpk->privatekey)*8 <= kl);
1870 cpk= &(c->pkeys[SSL_PKEY_DH_DSA]);
1871/* FIX THIS EAY EAY EAY */
1872 dh_dsa= (cpk->x509 != NULL && cpk->privatekey != NULL);
1873 dh_dsa_export=(dh_dsa && EVP_PKEY_size(cpk->privatekey)*8 <= kl);
1874 cpk= &(c->pkeys[SSL_PKEY_ECC]);
1875 have_ecc_cert= (cpk->x509 != NULL && cpk->privatekey != NULL);
1876 mask_k=0;
1877 mask_a=0;
1878 emask_k=0;
1879 emask_a=0;
1880
1881
1882
1883#ifdef CIPHER_DEBUG
1884 printf("rt=%d rte=%d dht=%d ecdht=%d re=%d ree=%d rs=%d ds=%d dhr=%d dhd=%d\n",
1885 rsa_tmp,rsa_tmp_export,dh_tmp,have_ecdh_tmp,
1886 rsa_enc,rsa_enc_export,rsa_sign,dsa_sign,dh_rsa,dh_dsa);
1887#endif
1888
1889 cpk = &(c->pkeys[SSL_PKEY_GOST01]);
1890 if (cpk->x509 != NULL && cpk->privatekey !=NULL) {
1891 mask_k |= SSL_kGOST;
1892 mask_a |= SSL_aGOST01;
1893 }
1894 cpk = &(c->pkeys[SSL_PKEY_GOST94]);
1895 if (cpk->x509 != NULL && cpk->privatekey !=NULL) {
1896 mask_k |= SSL_kGOST;
1897 mask_a |= SSL_aGOST94;
1898 }
1899
1900 if (rsa_enc || (rsa_tmp && rsa_sign))
1901 mask_k|=SSL_kRSA;
1902 if (rsa_enc_export || (rsa_tmp_export && (rsa_sign || rsa_enc)))
1903 emask_k|=SSL_kRSA;
1904
1905#if 0
1906 /* The match needs to be both kEDH and aRSA or aDSA, so don't worry */
1907 if ( (dh_tmp || dh_rsa || dh_dsa) &&
1908 (rsa_enc || rsa_sign || dsa_sign))
1909 mask_k|=SSL_kEDH;
1910 if ((dh_tmp_export || dh_rsa_export || dh_dsa_export) &&
1911 (rsa_enc || rsa_sign || dsa_sign))
1912 emask_k|=SSL_kEDH;
1913#endif
1914
1915 if (dh_tmp_export)
1916 emask_k|=SSL_kEDH;
1917
1918 if (dh_tmp)
1919 mask_k|=SSL_kEDH;
1920
1921 if (dh_rsa) mask_k|=SSL_kDHr;
1922 if (dh_rsa_export) emask_k|=SSL_kDHr;
1923
1924 if (dh_dsa) mask_k|=SSL_kDHd;
1925 if (dh_dsa_export) emask_k|=SSL_kDHd;
1926
1927 if (rsa_enc || rsa_sign)
1928 {
1929 mask_a|=SSL_aRSA;
1930 emask_a|=SSL_aRSA;
1931 }
1932
1933 if (dsa_sign)
1934 {
1935 mask_a|=SSL_aDSS;
1936 emask_a|=SSL_aDSS;
1937 }
1938
1939 mask_a|=SSL_aNULL;
1940 emask_a|=SSL_aNULL;
1941
1942#ifndef OPENSSL_NO_KRB5
1943 mask_k|=SSL_kKRB5;
1944 mask_a|=SSL_aKRB5;
1945 emask_k|=SSL_kKRB5;
1946 emask_a|=SSL_aKRB5;
1947#endif
1948
1949 /* An ECC certificate may be usable for ECDH and/or
1950 * ECDSA cipher suites depending on the key usage extension.
1951 */
1952 if (have_ecc_cert)
1953 {
1954 /* This call populates extension flags (ex_flags) */
1955 x = (c->pkeys[SSL_PKEY_ECC]).x509;
1956 X509_check_purpose(x, -1, 0);
1957 ecdh_ok = (x->ex_flags & EXFLAG_KUSAGE) ?
1958 (x->ex_kusage & X509v3_KU_KEY_AGREEMENT) : 1;
1959 ecdsa_ok = (x->ex_flags & EXFLAG_KUSAGE) ?
1960 (x->ex_kusage & X509v3_KU_DIGITAL_SIGNATURE) : 1;
1961 ecc_pkey = X509_get_pubkey(x);
1962 ecc_pkey_size = (ecc_pkey != NULL) ?
1963 EVP_PKEY_bits(ecc_pkey) : 0;
1964 EVP_PKEY_free(ecc_pkey);
1965 if ((x->sig_alg) && (x->sig_alg->algorithm))
1966 {
1967 signature_nid = OBJ_obj2nid(x->sig_alg->algorithm);
1968 OBJ_find_sigid_algs(signature_nid, &md_nid, &pk_nid);
1969 }
1970#ifndef OPENSSL_NO_ECDH
1971 if (ecdh_ok)
1972 {
1973
1974 if (pk_nid == NID_rsaEncryption || pk_nid == NID_rsa)
1975 {
1976 mask_k|=SSL_kECDHr;
1977 mask_a|=SSL_aECDH;
1978 if (ecc_pkey_size <= 163)
1979 {
1980 emask_k|=SSL_kECDHr;
1981 emask_a|=SSL_aECDH;
1982 }
1983 }
1984
1985 if (pk_nid == NID_X9_62_id_ecPublicKey)
1986 {
1987 mask_k|=SSL_kECDHe;
1988 mask_a|=SSL_aECDH;
1989 if (ecc_pkey_size <= 163)
1990 {
1991 emask_k|=SSL_kECDHe;
1992 emask_a|=SSL_aECDH;
1993 }
1994 }
1995 }
1996#endif
1997#ifndef OPENSSL_NO_ECDSA
1998 if (ecdsa_ok)
1999 {
2000 mask_a|=SSL_aECDSA;
2001 emask_a|=SSL_aECDSA;
2002 }
2003#endif
2004 }
2005
2006#ifndef OPENSSL_NO_ECDH
2007 if (have_ecdh_tmp)
2008 {
2009 mask_k|=SSL_kEECDH;
2010 emask_k|=SSL_kEECDH;
2011 }
2012#endif
2013
2014#ifndef OPENSSL_NO_PSK
2015 mask_k |= SSL_kPSK;
2016 mask_a |= SSL_aPSK;
2017 emask_k |= SSL_kPSK;
2018 emask_a |= SSL_aPSK;
2019#endif
2020
2021 c->mask_k=mask_k;
2022 c->mask_a=mask_a;
2023 c->export_mask_k=emask_k;
2024 c->export_mask_a=emask_a;
2025 c->valid=1;
2026 }
2027
2028/* This handy macro borrowed from crypto/x509v3/v3_purp.c */
2029#define ku_reject(x, usage) \
2030 (((x)->ex_flags & EXFLAG_KUSAGE) && !((x)->ex_kusage & (usage)))
2031
2032#ifndef OPENSSL_NO_EC
2033
2034int ssl_check_srvr_ecc_cert_and_alg(X509 *x, const SSL_CIPHER *cs)
2035 {
2036 unsigned long alg_k, alg_a;
2037 EVP_PKEY *pkey = NULL;
2038 int keysize = 0;
2039 int signature_nid = 0, md_nid = 0, pk_nid = 0;
2040
2041 alg_k = cs->algorithm_mkey;
2042 alg_a = cs->algorithm_auth;
2043
2044 if (SSL_C_IS_EXPORT(cs))
2045 {
2046 /* ECDH key length in export ciphers must be <= 163 bits */
2047 pkey = X509_get_pubkey(x);
2048 if (pkey == NULL) return 0;
2049 keysize = EVP_PKEY_bits(pkey);
2050 EVP_PKEY_free(pkey);
2051 if (keysize > 163) return 0;
2052 }
2053
2054 /* This call populates the ex_flags field correctly */
2055 X509_check_purpose(x, -1, 0);
2056 if ((x->sig_alg) && (x->sig_alg->algorithm))
2057 {
2058 signature_nid = OBJ_obj2nid(x->sig_alg->algorithm);
2059 OBJ_find_sigid_algs(signature_nid, &md_nid, &pk_nid);
2060 }
2061 if (alg_k & SSL_kECDHe || alg_k & SSL_kECDHr)
2062 {
2063 /* key usage, if present, must allow key agreement */
2064 if (ku_reject(x, X509v3_KU_KEY_AGREEMENT))
2065 {
2066 SSLerr(SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG, SSL_R_ECC_CERT_NOT_FOR_KEY_AGREEMENT);
2067 return 0;
2068 }
2069 if (alg_k & SSL_kECDHe)
2070 {
2071 /* signature alg must be ECDSA */
2072 if (pk_nid != NID_X9_62_id_ecPublicKey)
2073 {
2074 SSLerr(SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG, SSL_R_ECC_CERT_SHOULD_HAVE_SHA1_SIGNATURE);
2075 return 0;
2076 }
2077 }
2078 if (alg_k & SSL_kECDHr)
2079 {
2080 /* signature alg must be RSA */
2081
2082 if (pk_nid != NID_rsaEncryption && pk_nid != NID_rsa)
2083 {
2084 SSLerr(SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG, SSL_R_ECC_CERT_SHOULD_HAVE_RSA_SIGNATURE);
2085 return 0;
2086 }
2087 }
2088 }
2089 if (alg_a & SSL_aECDSA)
2090 {
2091 /* key usage, if present, must allow signing */
2092 if (ku_reject(x, X509v3_KU_DIGITAL_SIGNATURE))
2093 {
2094 SSLerr(SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG, SSL_R_ECC_CERT_NOT_FOR_SIGNING);
2095 return 0;
2096 }
2097 }
2098
2099 return 1; /* all checks are ok */
2100 }
2101
2102#endif
2103
2104/* THIS NEEDS CLEANING UP */
2105X509 *ssl_get_server_send_cert(SSL *s)
2106 {
2107 unsigned long alg_k,alg_a;
2108 CERT *c;
2109 int i;
2110
2111 c=s->cert;
2112 ssl_set_cert_masks(c, s->s3->tmp.new_cipher);
2113
2114 alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
2115 alg_a = s->s3->tmp.new_cipher->algorithm_auth;
2116
2117 if (alg_k & (SSL_kECDHr|SSL_kECDHe))
2118 {
2119 /* we don't need to look at SSL_kEECDH
2120 * since no certificate is needed for
2121 * anon ECDH and for authenticated
2122 * EECDH, the check for the auth
2123 * algorithm will set i correctly
2124 * NOTE: For ECDH-RSA, we need an ECC
2125 * not an RSA cert but for EECDH-RSA
2126 * we need an RSA cert. Placing the
2127 * checks for SSL_kECDH before RSA
2128 * checks ensures the correct cert is chosen.
2129 */
2130 i=SSL_PKEY_ECC;
2131 }
2132 else if (alg_a & SSL_aECDSA)
2133 {
2134 i=SSL_PKEY_ECC;
2135 }
2136 else if (alg_k & SSL_kDHr)
2137 i=SSL_PKEY_DH_RSA;
2138 else if (alg_k & SSL_kDHd)
2139 i=SSL_PKEY_DH_DSA;
2140 else if (alg_a & SSL_aDSS)
2141 i=SSL_PKEY_DSA_SIGN;
2142 else if (alg_a & SSL_aRSA)
2143 {
2144 if (c->pkeys[SSL_PKEY_RSA_ENC].x509 == NULL)
2145 i=SSL_PKEY_RSA_SIGN;
2146 else
2147 i=SSL_PKEY_RSA_ENC;
2148 }
2149 else if (alg_a & SSL_aKRB5)
2150 {
2151 /* VRS something else here? */
2152 return(NULL);
2153 }
2154 else if (alg_a & SSL_aGOST94)
2155 i=SSL_PKEY_GOST94;
2156 else if (alg_a & SSL_aGOST01)
2157 i=SSL_PKEY_GOST01;
2158 else /* if (alg_a & SSL_aNULL) */
2159 {
2160 SSLerr(SSL_F_SSL_GET_SERVER_SEND_CERT,ERR_R_INTERNAL_ERROR);
2161 return(NULL);
2162 }
2163 if (c->pkeys[i].x509 == NULL) return(NULL);
2164
2165 return(c->pkeys[i].x509);
2166 }
2167
2168EVP_PKEY *ssl_get_sign_pkey(SSL *s,const SSL_CIPHER *cipher)
2169 {
2170 unsigned long alg_a;
2171 CERT *c;
2172
2173 alg_a = cipher->algorithm_auth;
2174 c=s->cert;
2175
2176 if ((alg_a & SSL_aDSS) &&
2177 (c->pkeys[SSL_PKEY_DSA_SIGN].privatekey != NULL))
2178 return(c->pkeys[SSL_PKEY_DSA_SIGN].privatekey);
2179 else if (alg_a & SSL_aRSA)
2180 {
2181 if (c->pkeys[SSL_PKEY_RSA_SIGN].privatekey != NULL)
2182 return(c->pkeys[SSL_PKEY_RSA_SIGN].privatekey);
2183 else if (c->pkeys[SSL_PKEY_RSA_ENC].privatekey != NULL)
2184 return(c->pkeys[SSL_PKEY_RSA_ENC].privatekey);
2185 else
2186 return(NULL);
2187 }
2188 else if ((alg_a & SSL_aECDSA) &&
2189 (c->pkeys[SSL_PKEY_ECC].privatekey != NULL))
2190 return(c->pkeys[SSL_PKEY_ECC].privatekey);
2191 else /* if (alg_a & SSL_aNULL) */
2192 {
2193 SSLerr(SSL_F_SSL_GET_SIGN_PKEY,ERR_R_INTERNAL_ERROR);
2194 return(NULL);
2195 }
2196 }
2197
2198void ssl_update_cache(SSL *s,int mode)
2199 {
2200 int i;
2201
2202 /* If the session_id_length is 0, we are not supposed to cache it,
2203 * and it would be rather hard to do anyway :-) */
2204 if (s->session->session_id_length == 0) return;
2205
2206 i=s->session_ctx->session_cache_mode;
2207 if ((i & mode) && (!s->hit)
2208 && ((i & SSL_SESS_CACHE_NO_INTERNAL_STORE)
2209 || SSL_CTX_add_session(s->session_ctx,s->session))
2210 && (s->session_ctx->new_session_cb != NULL))
2211 {
2212 CRYPTO_add(&s->session->references,1,CRYPTO_LOCK_SSL_SESSION);
2213 if (!s->session_ctx->new_session_cb(s,s->session))
2214 SSL_SESSION_free(s->session);
2215 }
2216
2217 /* auto flush every 255 connections */
2218 if ((!(i & SSL_SESS_CACHE_NO_AUTO_CLEAR)) &&
2219 ((i & mode) == mode))
2220 {
2221 if ( (((mode & SSL_SESS_CACHE_CLIENT)
2222 ?s->session_ctx->stats.sess_connect_good
2223 :s->session_ctx->stats.sess_accept_good) & 0xff) == 0xff)
2224 {
2225 SSL_CTX_flush_sessions(s->session_ctx,(unsigned long)time(NULL));
2226 }
2227 }
2228 }
2229
2230const SSL_METHOD *SSL_get_ssl_method(SSL *s)
2231 {
2232 return(s->method);
2233 }
2234
2235int SSL_set_ssl_method(SSL *s, const SSL_METHOD *meth)
2236 {
2237 int conn= -1;
2238 int ret=1;
2239
2240 if (s->method != meth)
2241 {
2242 if (s->handshake_func != NULL)
2243 conn=(s->handshake_func == s->method->ssl_connect);
2244
2245 if (s->method->version == meth->version)
2246 s->method=meth;
2247 else
2248 {
2249 s->method->ssl_free(s);
2250 s->method=meth;
2251 ret=s->method->ssl_new(s);
2252 }
2253
2254 if (conn == 1)
2255 s->handshake_func=meth->ssl_connect;
2256 else if (conn == 0)
2257 s->handshake_func=meth->ssl_accept;
2258 }
2259 return(ret);
2260 }
2261
2262int SSL_get_error(const SSL *s,int i)
2263 {
2264 int reason;
2265 unsigned long l;
2266 BIO *bio;
2267
2268 if (i > 0) return(SSL_ERROR_NONE);
2269
2270 /* Make things return SSL_ERROR_SYSCALL when doing SSL_do_handshake
2271 * etc, where we do encode the error */
2272 if ((l=ERR_peek_error()) != 0)
2273 {
2274 if (ERR_GET_LIB(l) == ERR_LIB_SYS)
2275 return(SSL_ERROR_SYSCALL);
2276 else
2277 return(SSL_ERROR_SSL);
2278 }
2279
2280 if ((i < 0) && SSL_want_read(s))
2281 {
2282 bio=SSL_get_rbio(s);
2283 if (BIO_should_read(bio))
2284 return(SSL_ERROR_WANT_READ);
2285 else if (BIO_should_write(bio))
2286 /* This one doesn't make too much sense ... We never try
2287 * to write to the rbio, and an application program where
2288 * rbio and wbio are separate couldn't even know what it
2289 * should wait for.
2290 * However if we ever set s->rwstate incorrectly
2291 * (so that we have SSL_want_read(s) instead of
2292 * SSL_want_write(s)) and rbio and wbio *are* the same,
2293 * this test works around that bug; so it might be safer
2294 * to keep it. */
2295 return(SSL_ERROR_WANT_WRITE);
2296 else if (BIO_should_io_special(bio))
2297 {
2298 reason=BIO_get_retry_reason(bio);
2299 if (reason == BIO_RR_CONNECT)
2300 return(SSL_ERROR_WANT_CONNECT);
2301 else if (reason == BIO_RR_ACCEPT)
2302 return(SSL_ERROR_WANT_ACCEPT);
2303 else
2304 return(SSL_ERROR_SYSCALL); /* unknown */
2305 }
2306 }
2307
2308 if ((i < 0) && SSL_want_write(s))
2309 {
2310 bio=SSL_get_wbio(s);
2311 if (BIO_should_write(bio))
2312 return(SSL_ERROR_WANT_WRITE);
2313 else if (BIO_should_read(bio))
2314 /* See above (SSL_want_read(s) with BIO_should_write(bio)) */
2315 return(SSL_ERROR_WANT_READ);
2316 else if (BIO_should_io_special(bio))
2317 {
2318 reason=BIO_get_retry_reason(bio);
2319 if (reason == BIO_RR_CONNECT)
2320 return(SSL_ERROR_WANT_CONNECT);
2321 else if (reason == BIO_RR_ACCEPT)
2322 return(SSL_ERROR_WANT_ACCEPT);
2323 else
2324 return(SSL_ERROR_SYSCALL);
2325 }
2326 }
2327 if ((i < 0) && SSL_want_x509_lookup(s))
2328 {
2329 return(SSL_ERROR_WANT_X509_LOOKUP);
2330 }
2331
2332 if (i == 0)
2333 {
2334 if (s->version == SSL2_VERSION)
2335 {
2336 /* assume it is the socket being closed */
2337 return(SSL_ERROR_ZERO_RETURN);
2338 }
2339 else
2340 {
2341 if ((s->shutdown & SSL_RECEIVED_SHUTDOWN) &&
2342 (s->s3->warn_alert == SSL_AD_CLOSE_NOTIFY))
2343 return(SSL_ERROR_ZERO_RETURN);
2344 }
2345 }
2346 return(SSL_ERROR_SYSCALL);
2347 }
2348
2349int SSL_do_handshake(SSL *s)
2350 {
2351 int ret=1;
2352
2353 if (s->handshake_func == NULL)
2354 {
2355 SSLerr(SSL_F_SSL_DO_HANDSHAKE,SSL_R_CONNECTION_TYPE_NOT_SET);
2356 return(-1);
2357 }
2358
2359 s->method->ssl_renegotiate_check(s);
2360
2361 if (SSL_in_init(s) || SSL_in_before(s))
2362 {
2363 ret=s->handshake_func(s);
2364 }
2365 return(ret);
2366 }
2367
2368/* For the next 2 functions, SSL_clear() sets shutdown and so
2369 * one of these calls will reset it */
2370void SSL_set_accept_state(SSL *s)
2371 {
2372 s->server=1;
2373 s->shutdown=0;
2374 s->state=SSL_ST_ACCEPT|SSL_ST_BEFORE;
2375 s->handshake_func=s->method->ssl_accept;
2376 /* clear the current cipher */
2377 ssl_clear_cipher_ctx(s);
2378 ssl_clear_hash_ctx(&s->read_hash);
2379 ssl_clear_hash_ctx(&s->write_hash);
2380 }
2381
2382void SSL_set_connect_state(SSL *s)
2383 {
2384 s->server=0;
2385 s->shutdown=0;
2386 s->state=SSL_ST_CONNECT|SSL_ST_BEFORE;
2387 s->handshake_func=s->method->ssl_connect;
2388 /* clear the current cipher */
2389 ssl_clear_cipher_ctx(s);
2390 ssl_clear_hash_ctx(&s->read_hash);
2391 ssl_clear_hash_ctx(&s->write_hash);
2392 }
2393
2394int ssl_undefined_function(SSL *s)
2395 {
2396 SSLerr(SSL_F_SSL_UNDEFINED_FUNCTION,ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
2397 return(0);
2398 }
2399
2400int ssl_undefined_void_function(void)
2401 {
2402 SSLerr(SSL_F_SSL_UNDEFINED_VOID_FUNCTION,ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
2403 return(0);
2404 }
2405
2406int ssl_undefined_const_function(const SSL *s)
2407 {
2408 SSLerr(SSL_F_SSL_UNDEFINED_CONST_FUNCTION,ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
2409 return(0);
2410 }
2411
2412SSL_METHOD *ssl_bad_method(int ver)
2413 {
2414 SSLerr(SSL_F_SSL_BAD_METHOD,ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
2415 return(NULL);
2416 }
2417
2418const char *SSL_get_version(const SSL *s)
2419 {
2420 if (s->version == TLS1_VERSION)
2421 return("TLSv1");
2422 else if (s->version == SSL3_VERSION)
2423 return("SSLv3");
2424 else if (s->version == SSL2_VERSION)
2425 return("SSLv2");
2426 else
2427 return("unknown");
2428 }
2429
2430SSL *SSL_dup(SSL *s)
2431 {
2432 STACK_OF(X509_NAME) *sk;
2433 X509_NAME *xn;
2434 SSL *ret;
2435 int i;
2436
2437 if ((ret=SSL_new(SSL_get_SSL_CTX(s))) == NULL)
2438 return(NULL);
2439
2440 ret->version = s->version;
2441 ret->type = s->type;
2442 ret->method = s->method;
2443
2444 if (s->session != NULL)
2445 {
2446 /* This copies session-id, SSL_METHOD, sid_ctx, and 'cert' */
2447 SSL_copy_session_id(ret,s);
2448 }
2449 else
2450 {
2451 /* No session has been established yet, so we have to expect
2452 * that s->cert or ret->cert will be changed later --
2453 * they should not both point to the same object,
2454 * and thus we can't use SSL_copy_session_id. */
2455
2456 ret->method->ssl_free(ret);
2457 ret->method = s->method;
2458 ret->method->ssl_new(ret);
2459
2460 if (s->cert != NULL)
2461 {
2462 if (ret->cert != NULL)
2463 {
2464 ssl_cert_free(ret->cert);
2465 }
2466 ret->cert = ssl_cert_dup(s->cert);
2467 if (ret->cert == NULL)
2468 goto err;
2469 }
2470
2471 SSL_set_session_id_context(ret,
2472 s->sid_ctx, s->sid_ctx_length);
2473 }
2474
2475 ret->options=s->options;
2476 ret->mode=s->mode;
2477 SSL_set_max_cert_list(ret,SSL_get_max_cert_list(s));
2478 SSL_set_read_ahead(ret,SSL_get_read_ahead(s));
2479 ret->msg_callback = s->msg_callback;
2480 ret->msg_callback_arg = s->msg_callback_arg;
2481 SSL_set_verify(ret,SSL_get_verify_mode(s),
2482 SSL_get_verify_callback(s));
2483 SSL_set_verify_depth(ret,SSL_get_verify_depth(s));
2484 ret->generate_session_id = s->generate_session_id;
2485
2486 SSL_set_info_callback(ret,SSL_get_info_callback(s));
2487
2488 ret->debug=s->debug;
2489
2490 /* copy app data, a little dangerous perhaps */
2491 if (!CRYPTO_dup_ex_data(CRYPTO_EX_INDEX_SSL, &ret->ex_data, &s->ex_data))
2492 goto err;
2493
2494 /* setup rbio, and wbio */
2495 if (s->rbio != NULL)
2496 {
2497 if (!BIO_dup_state(s->rbio,(char *)&ret->rbio))
2498 goto err;
2499 }
2500 if (s->wbio != NULL)
2501 {
2502 if (s->wbio != s->rbio)
2503 {
2504 if (!BIO_dup_state(s->wbio,(char *)&ret->wbio))
2505 goto err;
2506 }
2507 else
2508 ret->wbio=ret->rbio;
2509 }
2510 ret->rwstate = s->rwstate;
2511 ret->in_handshake = s->in_handshake;
2512 ret->handshake_func = s->handshake_func;
2513 ret->server = s->server;
2514 ret->new_session = s->new_session;
2515 ret->quiet_shutdown = s->quiet_shutdown;
2516 ret->shutdown=s->shutdown;
2517 ret->state=s->state; /* SSL_dup does not really work at any state, though */
2518 ret->rstate=s->rstate;
2519 ret->init_num = 0; /* would have to copy ret->init_buf, ret->init_msg, ret->init_num, ret->init_off */
2520 ret->hit=s->hit;
2521
2522 X509_VERIFY_PARAM_inherit(ret->param, s->param);
2523
2524 /* dup the cipher_list and cipher_list_by_id stacks */
2525 if (s->cipher_list != NULL)
2526 {
2527 if ((ret->cipher_list=sk_SSL_CIPHER_dup(s->cipher_list)) == NULL)
2528 goto err;
2529 }
2530 if (s->cipher_list_by_id != NULL)
2531 if ((ret->cipher_list_by_id=sk_SSL_CIPHER_dup(s->cipher_list_by_id))
2532 == NULL)
2533 goto err;
2534
2535 /* Dup the client_CA list */
2536 if (s->client_CA != NULL)
2537 {
2538 if ((sk=sk_X509_NAME_dup(s->client_CA)) == NULL) goto err;
2539 ret->client_CA=sk;
2540 for (i=0; i<sk_X509_NAME_num(sk); i++)
2541 {
2542 xn=sk_X509_NAME_value(sk,i);
2543 if (sk_X509_NAME_set(sk,i,X509_NAME_dup(xn)) == NULL)
2544 {
2545 X509_NAME_free(xn);
2546 goto err;
2547 }
2548 }
2549 }
2550
2551 if (0)
2552 {
2553err:
2554 if (ret != NULL) SSL_free(ret);
2555 ret=NULL;
2556 }
2557 return(ret);
2558 }
2559
2560void ssl_clear_cipher_ctx(SSL *s)
2561 {
2562 if (s->enc_read_ctx != NULL)
2563 {
2564 EVP_CIPHER_CTX_cleanup(s->enc_read_ctx);
2565 OPENSSL_free(s->enc_read_ctx);
2566 s->enc_read_ctx=NULL;
2567 }
2568 if (s->enc_write_ctx != NULL)
2569 {
2570 EVP_CIPHER_CTX_cleanup(s->enc_write_ctx);
2571 OPENSSL_free(s->enc_write_ctx);
2572 s->enc_write_ctx=NULL;
2573 }
2574#ifndef OPENSSL_NO_COMP
2575 if (s->expand != NULL)
2576 {
2577 COMP_CTX_free(s->expand);
2578 s->expand=NULL;
2579 }
2580 if (s->compress != NULL)
2581 {
2582 COMP_CTX_free(s->compress);
2583 s->compress=NULL;
2584 }
2585#endif
2586 }
2587
2588/* Fix this function so that it takes an optional type parameter */
2589X509 *SSL_get_certificate(const SSL *s)
2590 {
2591 if (s->cert != NULL)
2592 return(s->cert->key->x509);
2593 else
2594 return(NULL);
2595 }
2596
2597/* Fix this function so that it takes an optional type parameter */
2598EVP_PKEY *SSL_get_privatekey(SSL *s)
2599 {
2600 if (s->cert != NULL)
2601 return(s->cert->key->privatekey);
2602 else
2603 return(NULL);
2604 }
2605
2606const SSL_CIPHER *SSL_get_current_cipher(const SSL *s)
2607 {
2608 if ((s->session != NULL) && (s->session->cipher != NULL))
2609 return(s->session->cipher);
2610 return(NULL);
2611 }
2612#ifdef OPENSSL_NO_COMP
2613const void *SSL_get_current_compression(SSL *s)
2614 {
2615 return NULL;
2616 }
2617const void *SSL_get_current_expansion(SSL *s)
2618 {
2619 return NULL;
2620 }
2621#else
2622
2623const COMP_METHOD *SSL_get_current_compression(SSL *s)
2624 {
2625 if (s->compress != NULL)
2626 return(s->compress->meth);
2627 return(NULL);
2628 }
2629
2630const COMP_METHOD *SSL_get_current_expansion(SSL *s)
2631 {
2632 if (s->expand != NULL)
2633 return(s->expand->meth);
2634 return(NULL);
2635 }
2636#endif
2637
2638int ssl_init_wbio_buffer(SSL *s,int push)
2639 {
2640 BIO *bbio;
2641
2642 if (s->bbio == NULL)
2643 {
2644 bbio=BIO_new(BIO_f_buffer());
2645 if (bbio == NULL) return(0);
2646 s->bbio=bbio;
2647 }
2648 else
2649 {
2650 bbio=s->bbio;
2651 if (s->bbio == s->wbio)
2652 s->wbio=BIO_pop(s->wbio);
2653 }
2654 (void)BIO_reset(bbio);
2655/* if (!BIO_set_write_buffer_size(bbio,16*1024)) */
2656 if (!BIO_set_read_buffer_size(bbio,1))
2657 {
2658 SSLerr(SSL_F_SSL_INIT_WBIO_BUFFER,ERR_R_BUF_LIB);
2659 return(0);
2660 }
2661 if (push)
2662 {
2663 if (s->wbio != bbio)
2664 s->wbio=BIO_push(bbio,s->wbio);
2665 }
2666 else
2667 {
2668 if (s->wbio == bbio)
2669 s->wbio=BIO_pop(bbio);
2670 }
2671 return(1);
2672 }
2673
2674void ssl_free_wbio_buffer(SSL *s)
2675 {
2676 if (s->bbio == NULL) return;
2677
2678 if (s->bbio == s->wbio)
2679 {
2680 /* remove buffering */
2681 s->wbio=BIO_pop(s->wbio);
2682#ifdef REF_CHECK /* not the usual REF_CHECK, but this avoids adding one more preprocessor symbol */
2683 assert(s->wbio != NULL);
2684#endif
2685 }
2686 BIO_free(s->bbio);
2687 s->bbio=NULL;
2688 }
2689
2690void SSL_CTX_set_quiet_shutdown(SSL_CTX *ctx,int mode)
2691 {
2692 ctx->quiet_shutdown=mode;
2693 }
2694
2695int SSL_CTX_get_quiet_shutdown(const SSL_CTX *ctx)
2696 {
2697 return(ctx->quiet_shutdown);
2698 }
2699
2700void SSL_set_quiet_shutdown(SSL *s,int mode)
2701 {
2702 s->quiet_shutdown=mode;
2703 }
2704
2705int SSL_get_quiet_shutdown(const SSL *s)
2706 {
2707 return(s->quiet_shutdown);
2708 }
2709
2710void SSL_set_shutdown(SSL *s,int mode)
2711 {
2712 s->shutdown=mode;
2713 }
2714
2715int SSL_get_shutdown(const SSL *s)
2716 {
2717 return(s->shutdown);
2718 }
2719
2720int SSL_version(const SSL *s)
2721 {
2722 return(s->version);
2723 }
2724
2725SSL_CTX *SSL_get_SSL_CTX(const SSL *ssl)
2726 {
2727 return(ssl->ctx);
2728 }
2729
2730SSL_CTX *SSL_set_SSL_CTX(SSL *ssl, SSL_CTX* ctx)
2731 {
2732 if (ssl->ctx == ctx)
2733 return ssl->ctx;
2734#ifndef OPENSSL_NO_TLSEXT
2735 if (ctx == NULL)
2736 ctx = ssl->initial_ctx;
2737#endif
2738 if (ssl->cert != NULL)
2739 ssl_cert_free(ssl->cert);
2740 ssl->cert = ssl_cert_dup(ctx->cert);
2741 CRYPTO_add(&ctx->references,1,CRYPTO_LOCK_SSL_CTX);
2742 if (ssl->ctx != NULL)
2743 SSL_CTX_free(ssl->ctx); /* decrement reference count */
2744 ssl->ctx = ctx;
2745 return(ssl->ctx);
2746 }
2747
2748#ifndef OPENSSL_NO_STDIO
2749int SSL_CTX_set_default_verify_paths(SSL_CTX *ctx)
2750 {
2751 return(X509_STORE_set_default_paths(ctx->cert_store));
2752 }
2753
2754int SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile,
2755 const char *CApath)
2756 {
2757 return(X509_STORE_load_locations(ctx->cert_store,CAfile,CApath));
2758 }
2759#endif
2760
2761void SSL_set_info_callback(SSL *ssl,
2762 void (*cb)(const SSL *ssl,int type,int val))
2763 {
2764 ssl->info_callback=cb;
2765 }
2766
2767/* One compiler (Diab DCC) doesn't like argument names in returned
2768 function pointer. */
2769void (*SSL_get_info_callback(const SSL *ssl))(const SSL * /*ssl*/,int /*type*/,int /*val*/)
2770 {
2771 return ssl->info_callback;
2772 }
2773
2774int SSL_state(const SSL *ssl)
2775 {
2776 return(ssl->state);
2777 }
2778
2779void SSL_set_verify_result(SSL *ssl,long arg)
2780 {
2781 ssl->verify_result=arg;
2782 }
2783
2784long SSL_get_verify_result(const SSL *ssl)
2785 {
2786 return(ssl->verify_result);
2787 }
2788
2789int SSL_get_ex_new_index(long argl,void *argp,CRYPTO_EX_new *new_func,
2790 CRYPTO_EX_dup *dup_func,CRYPTO_EX_free *free_func)
2791 {
2792 return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_SSL, argl, argp,
2793 new_func, dup_func, free_func);
2794 }
2795
2796int SSL_set_ex_data(SSL *s,int idx,void *arg)
2797 {
2798 return(CRYPTO_set_ex_data(&s->ex_data,idx,arg));
2799 }
2800
2801void *SSL_get_ex_data(const SSL *s,int idx)
2802 {
2803 return(CRYPTO_get_ex_data(&s->ex_data,idx));
2804 }
2805
2806int SSL_CTX_get_ex_new_index(long argl,void *argp,CRYPTO_EX_new *new_func,
2807 CRYPTO_EX_dup *dup_func,CRYPTO_EX_free *free_func)
2808 {
2809 return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_SSL_CTX, argl, argp,
2810 new_func, dup_func, free_func);
2811 }
2812
2813int SSL_CTX_set_ex_data(SSL_CTX *s,int idx,void *arg)
2814 {
2815 return(CRYPTO_set_ex_data(&s->ex_data,idx,arg));
2816 }
2817
2818void *SSL_CTX_get_ex_data(const SSL_CTX *s,int idx)
2819 {
2820 return(CRYPTO_get_ex_data(&s->ex_data,idx));
2821 }
2822
2823int ssl_ok(SSL *s)
2824 {
2825 return(1);
2826 }
2827
2828X509_STORE *SSL_CTX_get_cert_store(const SSL_CTX *ctx)
2829 {
2830 return(ctx->cert_store);
2831 }
2832
2833void SSL_CTX_set_cert_store(SSL_CTX *ctx,X509_STORE *store)
2834 {
2835 if (ctx->cert_store != NULL)
2836 X509_STORE_free(ctx->cert_store);
2837 ctx->cert_store=store;
2838 }
2839
2840int SSL_want(const SSL *s)
2841 {
2842 return(s->rwstate);
2843 }
2844
2845/*!
2846 * \brief Set the callback for generating temporary RSA keys.
2847 * \param ctx the SSL context.
2848 * \param cb the callback
2849 */
2850
2851#ifndef OPENSSL_NO_RSA
2852void SSL_CTX_set_tmp_rsa_callback(SSL_CTX *ctx,RSA *(*cb)(SSL *ssl,
2853 int is_export,
2854 int keylength))
2855 {
2856 SSL_CTX_callback_ctrl(ctx,SSL_CTRL_SET_TMP_RSA_CB,(void (*)(void))cb);
2857 }
2858
2859void SSL_set_tmp_rsa_callback(SSL *ssl,RSA *(*cb)(SSL *ssl,
2860 int is_export,
2861 int keylength))
2862 {
2863 SSL_callback_ctrl(ssl,SSL_CTRL_SET_TMP_RSA_CB,(void (*)(void))cb);
2864 }
2865#endif
2866
2867#ifdef DOXYGEN
2868/*!
2869 * \brief The RSA temporary key callback function.
2870 * \param ssl the SSL session.
2871 * \param is_export \c TRUE if the temp RSA key is for an export ciphersuite.
2872 * \param keylength if \c is_export is \c TRUE, then \c keylength is the size
2873 * of the required key in bits.
2874 * \return the temporary RSA key.
2875 * \sa SSL_CTX_set_tmp_rsa_callback, SSL_set_tmp_rsa_callback
2876 */
2877
2878RSA *cb(SSL *ssl,int is_export,int keylength)
2879 {}
2880#endif
2881
2882/*!
2883 * \brief Set the callback for generating temporary DH keys.
2884 * \param ctx the SSL context.
2885 * \param dh the callback
2886 */
2887
2888#ifndef OPENSSL_NO_DH
2889void SSL_CTX_set_tmp_dh_callback(SSL_CTX *ctx,DH *(*dh)(SSL *ssl,int is_export,
2890 int keylength))
2891 {
2892 SSL_CTX_callback_ctrl(ctx,SSL_CTRL_SET_TMP_DH_CB,(void (*)(void))dh);
2893 }
2894
2895void SSL_set_tmp_dh_callback(SSL *ssl,DH *(*dh)(SSL *ssl,int is_export,
2896 int keylength))
2897 {
2898 SSL_callback_ctrl(ssl,SSL_CTRL_SET_TMP_DH_CB,(void (*)(void))dh);
2899 }
2900#endif
2901
2902#ifndef OPENSSL_NO_ECDH
2903void SSL_CTX_set_tmp_ecdh_callback(SSL_CTX *ctx,EC_KEY *(*ecdh)(SSL *ssl,int is_export,
2904 int keylength))
2905 {
2906 SSL_CTX_callback_ctrl(ctx,SSL_CTRL_SET_TMP_ECDH_CB,(void (*)(void))ecdh);
2907 }
2908
2909void SSL_set_tmp_ecdh_callback(SSL *ssl,EC_KEY *(*ecdh)(SSL *ssl,int is_export,
2910 int keylength))
2911 {
2912 SSL_callback_ctrl(ssl,SSL_CTRL_SET_TMP_ECDH_CB,(void (*)(void))ecdh);
2913 }
2914#endif
2915
2916#ifndef OPENSSL_NO_PSK
2917int SSL_CTX_use_psk_identity_hint(SSL_CTX *ctx, const char *identity_hint)
2918 {
2919 if (identity_hint != NULL && strlen(identity_hint) > PSK_MAX_IDENTITY_LEN)
2920 {
2921 SSLerr(SSL_F_SSL_CTX_USE_PSK_IDENTITY_HINT, SSL_R_DATA_LENGTH_TOO_LONG);
2922 return 0;
2923 }
2924 if (ctx->psk_identity_hint != NULL)
2925 OPENSSL_free(ctx->psk_identity_hint);
2926 if (identity_hint != NULL)
2927 {
2928 ctx->psk_identity_hint = BUF_strdup(identity_hint);
2929 if (ctx->psk_identity_hint == NULL)
2930 return 0;
2931 }
2932 else
2933 ctx->psk_identity_hint = NULL;
2934 return 1;
2935 }
2936
2937int SSL_use_psk_identity_hint(SSL *s, const char *identity_hint)
2938 {
2939 if (s == NULL)
2940 return 0;
2941
2942 if (s->session == NULL)
2943 return 1; /* session not created yet, ignored */
2944
2945 if (identity_hint != NULL && strlen(identity_hint) > PSK_MAX_IDENTITY_LEN)
2946 {
2947 SSLerr(SSL_F_SSL_USE_PSK_IDENTITY_HINT, SSL_R_DATA_LENGTH_TOO_LONG);
2948 return 0;
2949 }
2950 if (s->session->psk_identity_hint != NULL)
2951 OPENSSL_free(s->session->psk_identity_hint);
2952 if (identity_hint != NULL)
2953 {
2954 s->session->psk_identity_hint = BUF_strdup(identity_hint);
2955 if (s->session->psk_identity_hint == NULL)
2956 return 0;
2957 }
2958 else
2959 s->session->psk_identity_hint = NULL;
2960 return 1;
2961 }
2962
2963const char *SSL_get_psk_identity_hint(const SSL *s)
2964 {
2965 if (s == NULL || s->session == NULL)
2966 return NULL;
2967 return(s->session->psk_identity_hint);
2968 }
2969
2970const char *SSL_get_psk_identity(const SSL *s)
2971 {
2972 if (s == NULL || s->session == NULL)
2973 return NULL;
2974 return(s->session->psk_identity);
2975 }
2976
2977void SSL_set_psk_client_callback(SSL *s,
2978 unsigned int (*cb)(SSL *ssl, const char *hint,
2979 char *identity, unsigned int max_identity_len, unsigned char *psk,
2980 unsigned int max_psk_len))
2981 {
2982 s->psk_client_callback = cb;
2983 }
2984
2985void SSL_CTX_set_psk_client_callback(SSL_CTX *ctx,
2986 unsigned int (*cb)(SSL *ssl, const char *hint,
2987 char *identity, unsigned int max_identity_len, unsigned char *psk,
2988 unsigned int max_psk_len))
2989 {
2990 ctx->psk_client_callback = cb;
2991 }
2992
2993void SSL_set_psk_server_callback(SSL *s,
2994 unsigned int (*cb)(SSL *ssl, const char *identity,
2995 unsigned char *psk, unsigned int max_psk_len))
2996 {
2997 s->psk_server_callback = cb;
2998 }
2999
3000void SSL_CTX_set_psk_server_callback(SSL_CTX *ctx,
3001 unsigned int (*cb)(SSL *ssl, const char *identity,
3002 unsigned char *psk, unsigned int max_psk_len))
3003 {
3004 ctx->psk_server_callback = cb;
3005 }
3006#endif
3007
3008void SSL_CTX_set_msg_callback(SSL_CTX *ctx, void (*cb)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg))
3009 {
3010 SSL_CTX_callback_ctrl(ctx, SSL_CTRL_SET_MSG_CALLBACK, (void (*)(void))cb);
3011 }
3012void SSL_set_msg_callback(SSL *ssl, void (*cb)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg))
3013 {
3014 SSL_callback_ctrl(ssl, SSL_CTRL_SET_MSG_CALLBACK, (void (*)(void))cb);
3015 }
3016
3017/* Allocates new EVP_MD_CTX and sets pointer to it into given pointer
3018 * vairable, freeing EVP_MD_CTX previously stored in that variable, if
3019 * any. If EVP_MD pointer is passed, initializes ctx with this md
3020 * Returns newly allocated ctx;
3021 */
3022
3023EVP_MD_CTX *ssl_replace_hash(EVP_MD_CTX **hash,const EVP_MD *md)
3024{
3025 ssl_clear_hash_ctx(hash);
3026 *hash = EVP_MD_CTX_create();
3027 if (md) EVP_DigestInit_ex(*hash,md,NULL);
3028 return *hash;
3029}
3030void ssl_clear_hash_ctx(EVP_MD_CTX **hash)
3031{
3032
3033 if (*hash) EVP_MD_CTX_destroy(*hash);
3034 *hash=NULL;
3035}
3036
3037#if defined(_WINDLL) && defined(OPENSSL_SYS_WIN16)
3038#include "../crypto/bio/bss_file.c"
3039#endif
3040
3041IMPLEMENT_STACK_OF(SSL_CIPHER)
3042IMPLEMENT_STACK_OF(SSL_COMP)
3043IMPLEMENT_OBJ_BSEARCH_GLOBAL_CMP_FN(SSL_CIPHER, SSL_CIPHER,
3044 ssl_cipher_id);
3045
diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h
deleted file mode 100644
index cea622a2a6..0000000000
--- a/src/lib/libssl/ssl_locl.h
+++ /dev/null
@@ -1,1079 +0,0 @@
1/* ssl/ssl_locl.h */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58/* ====================================================================
59 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
60 *
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
63 * are met:
64 *
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
67 *
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
71 * distribution.
72 *
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77 *
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
82 *
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
86 *
87 * 6. Redistributions of any form whatsoever must retain the following
88 * acknowledgment:
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91 *
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
105 *
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
109 *
110 */
111/* ====================================================================
112 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
113 * ECC cipher suite support in OpenSSL originally developed by
114 * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
115 */
116/* ====================================================================
117 * Copyright 2005 Nokia. All rights reserved.
118 *
119 * The portions of the attached software ("Contribution") is developed by
120 * Nokia Corporation and is licensed pursuant to the OpenSSL open source
121 * license.
122 *
123 * The Contribution, originally written by Mika Kousa and Pasi Eronen of
124 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
125 * support (see RFC 4279) to OpenSSL.
126 *
127 * No patent licenses or other rights except those expressly stated in
128 * the OpenSSL open source license shall be deemed granted or received
129 * expressly, by implication, estoppel, or otherwise.
130 *
131 * No assurances are provided by Nokia that the Contribution does not
132 * infringe the patent or other intellectual property rights of any third
133 * party or that the license provides you with all the necessary rights
134 * to make use of the Contribution.
135 *
136 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
137 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
138 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
139 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
140 * OTHERWISE.
141 */
142
143#ifndef HEADER_SSL_LOCL_H
144#define HEADER_SSL_LOCL_H
145#include <stdlib.h>
146#include <time.h>
147#include <string.h>
148#include <errno.h>
149
150#include "e_os.h"
151
152#include <openssl/buffer.h>
153#ifndef OPENSSL_NO_COMP
154#include <openssl/comp.h>
155#endif
156#include <openssl/bio.h>
157#include <openssl/stack.h>
158#ifndef OPENSSL_NO_RSA
159#include <openssl/rsa.h>
160#endif
161#ifndef OPENSSL_NO_DSA
162#include <openssl/dsa.h>
163#endif
164#include <openssl/err.h>
165#include <openssl/ssl.h>
166#include <openssl/symhacks.h>
167
168#ifdef OPENSSL_BUILD_SHLIBSSL
169# undef OPENSSL_EXTERN
170# define OPENSSL_EXTERN OPENSSL_EXPORT
171#endif
172
173#define PKCS1_CHECK
174
175#define c2l(c,l) (l = ((unsigned long)(*((c)++))) , \
176 l|=(((unsigned long)(*((c)++)))<< 8), \
177 l|=(((unsigned long)(*((c)++)))<<16), \
178 l|=(((unsigned long)(*((c)++)))<<24))
179
180/* NOTE - c is not incremented as per c2l */
181#define c2ln(c,l1,l2,n) { \
182 c+=n; \
183 l1=l2=0; \
184 switch (n) { \
185 case 8: l2 =((unsigned long)(*(--(c))))<<24; \
186 case 7: l2|=((unsigned long)(*(--(c))))<<16; \
187 case 6: l2|=((unsigned long)(*(--(c))))<< 8; \
188 case 5: l2|=((unsigned long)(*(--(c)))); \
189 case 4: l1 =((unsigned long)(*(--(c))))<<24; \
190 case 3: l1|=((unsigned long)(*(--(c))))<<16; \
191 case 2: l1|=((unsigned long)(*(--(c))))<< 8; \
192 case 1: l1|=((unsigned long)(*(--(c)))); \
193 } \
194 }
195
196#define l2c(l,c) (*((c)++)=(unsigned char)(((l) )&0xff), \
197 *((c)++)=(unsigned char)(((l)>> 8)&0xff), \
198 *((c)++)=(unsigned char)(((l)>>16)&0xff), \
199 *((c)++)=(unsigned char)(((l)>>24)&0xff))
200
201#define n2l(c,l) (l =((unsigned long)(*((c)++)))<<24, \
202 l|=((unsigned long)(*((c)++)))<<16, \
203 l|=((unsigned long)(*((c)++)))<< 8, \
204 l|=((unsigned long)(*((c)++))))
205
206#define l2n(l,c) (*((c)++)=(unsigned char)(((l)>>24)&0xff), \
207 *((c)++)=(unsigned char)(((l)>>16)&0xff), \
208 *((c)++)=(unsigned char)(((l)>> 8)&0xff), \
209 *((c)++)=(unsigned char)(((l) )&0xff))
210
211#define l2n6(l,c) (*((c)++)=(unsigned char)(((l)>>40)&0xff), \
212 *((c)++)=(unsigned char)(((l)>>32)&0xff), \
213 *((c)++)=(unsigned char)(((l)>>24)&0xff), \
214 *((c)++)=(unsigned char)(((l)>>16)&0xff), \
215 *((c)++)=(unsigned char)(((l)>> 8)&0xff), \
216 *((c)++)=(unsigned char)(((l) )&0xff))
217
218#define n2l6(c,l) (l =((BN_ULLONG)(*((c)++)))<<40, \
219 l|=((BN_ULLONG)(*((c)++)))<<32, \
220 l|=((BN_ULLONG)(*((c)++)))<<24, \
221 l|=((BN_ULLONG)(*((c)++)))<<16, \
222 l|=((BN_ULLONG)(*((c)++)))<< 8, \
223 l|=((BN_ULLONG)(*((c)++))))
224
225/* NOTE - c is not incremented as per l2c */
226#define l2cn(l1,l2,c,n) { \
227 c+=n; \
228 switch (n) { \
229 case 8: *(--(c))=(unsigned char)(((l2)>>24)&0xff); \
230 case 7: *(--(c))=(unsigned char)(((l2)>>16)&0xff); \
231 case 6: *(--(c))=(unsigned char)(((l2)>> 8)&0xff); \
232 case 5: *(--(c))=(unsigned char)(((l2) )&0xff); \
233 case 4: *(--(c))=(unsigned char)(((l1)>>24)&0xff); \
234 case 3: *(--(c))=(unsigned char)(((l1)>>16)&0xff); \
235 case 2: *(--(c))=(unsigned char)(((l1)>> 8)&0xff); \
236 case 1: *(--(c))=(unsigned char)(((l1) )&0xff); \
237 } \
238 }
239
240#define n2s(c,s) ((s=(((unsigned int)(c[0]))<< 8)| \
241 (((unsigned int)(c[1])) )),c+=2)
242#define s2n(s,c) ((c[0]=(unsigned char)(((s)>> 8)&0xff), \
243 c[1]=(unsigned char)(((s) )&0xff)),c+=2)
244
245#define n2l3(c,l) ((l =(((unsigned long)(c[0]))<<16)| \
246 (((unsigned long)(c[1]))<< 8)| \
247 (((unsigned long)(c[2])) )),c+=3)
248
249#define l2n3(l,c) ((c[0]=(unsigned char)(((l)>>16)&0xff), \
250 c[1]=(unsigned char)(((l)>> 8)&0xff), \
251 c[2]=(unsigned char)(((l) )&0xff)),c+=3)
252
253/* LOCAL STUFF */
254
255#define SSL_DECRYPT 0
256#define SSL_ENCRYPT 1
257
258#define TWO_BYTE_BIT 0x80
259#define SEC_ESC_BIT 0x40
260#define TWO_BYTE_MASK 0x7fff
261#define THREE_BYTE_MASK 0x3fff
262
263#define INC32(a) ((a)=((a)+1)&0xffffffffL)
264#define DEC32(a) ((a)=((a)-1)&0xffffffffL)
265#define MAX_MAC_SIZE 20 /* up from 16 for SSLv3 */
266
267/*
268 * Define the Bitmasks for SSL_CIPHER.algorithms.
269 * This bits are used packed as dense as possible. If new methods/ciphers
270 * etc will be added, the bits a likely to change, so this information
271 * is for internal library use only, even though SSL_CIPHER.algorithms
272 * can be publicly accessed.
273 * Use the according functions for cipher management instead.
274 *
275 * The bit mask handling in the selection and sorting scheme in
276 * ssl_create_cipher_list() has only limited capabilities, reflecting
277 * that the different entities within are mutually exclusive:
278 * ONLY ONE BIT PER MASK CAN BE SET AT A TIME.
279 */
280
281/* Bits for algorithm_mkey (key exchange algorithm) */
282#define SSL_kRSA 0x00000001L /* RSA key exchange */
283#define SSL_kDHr 0x00000002L /* DH cert, RSA CA cert */ /* no such ciphersuites supported! */
284#define SSL_kDHd 0x00000004L /* DH cert, DSA CA cert */ /* no such ciphersuite supported! */
285#define SSL_kEDH 0x00000008L /* tmp DH key no DH cert */
286#define SSL_kKRB5 0x00000010L /* Kerberos5 key exchange */
287#define SSL_kECDHr 0x00000020L /* ECDH cert, RSA CA cert */
288#define SSL_kECDHe 0x00000040L /* ECDH cert, ECDSA CA cert */
289#define SSL_kEECDH 0x00000080L /* ephemeral ECDH */
290#define SSL_kPSK 0x00000100L /* PSK */
291#define SSL_kGOST 0x00000200L /* GOST key exchange */
292
293/* Bits for algorithm_auth (server authentication) */
294#define SSL_aRSA 0x00000001L /* RSA auth */
295#define SSL_aDSS 0x00000002L /* DSS auth */
296#define SSL_aNULL 0x00000004L /* no auth (i.e. use ADH or AECDH) */
297#define SSL_aDH 0x00000008L /* Fixed DH auth (kDHd or kDHr) */ /* no such ciphersuites supported! */
298#define SSL_aECDH 0x00000010L /* Fixed ECDH auth (kECDHe or kECDHr) */
299#define SSL_aKRB5 0x00000020L /* KRB5 auth */
300#define SSL_aECDSA 0x00000040L /* ECDSA auth*/
301#define SSL_aPSK 0x00000080L /* PSK auth */
302#define SSL_aGOST94 0x00000100L /* GOST R 34.10-94 signature auth */
303#define SSL_aGOST01 0x00000200L /* GOST R 34.10-2001 signature auth */
304
305
306/* Bits for algorithm_enc (symmetric encryption) */
307#define SSL_DES 0x00000001L
308#define SSL_3DES 0x00000002L
309#define SSL_RC4 0x00000004L
310#define SSL_RC2 0x00000008L
311#define SSL_IDEA 0x00000010L
312#define SSL_eNULL 0x00000020L
313#define SSL_AES128 0x00000040L
314#define SSL_AES256 0x00000080L
315#define SSL_CAMELLIA128 0x00000100L
316#define SSL_CAMELLIA256 0x00000200L
317#define SSL_eGOST2814789CNT 0x00000400L
318#define SSL_SEED 0x00000800L
319
320#define SSL_AES (SSL_AES128|SSL_AES256)
321#define SSL_CAMELLIA (SSL_CAMELLIA128|SSL_CAMELLIA256)
322
323
324/* Bits for algorithm_mac (symmetric authentication) */
325#define SSL_MD5 0x00000001L
326#define SSL_SHA1 0x00000002L
327#define SSL_GOST94 0x00000004L
328#define SSL_GOST89MAC 0x00000008L
329
330/* Bits for algorithm_ssl (protocol version) */
331#define SSL_SSLV2 0x00000001L
332#define SSL_SSLV3 0x00000002L
333#define SSL_TLSV1 SSL_SSLV3 /* for now */
334
335
336/* Bits for algorithm2 (handshake digests and other extra flags) */
337
338#define SSL_HANDSHAKE_MAC_MD5 0x10
339#define SSL_HANDSHAKE_MAC_SHA 0x20
340#define SSL_HANDSHAKE_MAC_GOST94 0x40
341#define SSL_HANDSHAKE_MAC_DEFAULT (SSL_HANDSHAKE_MAC_MD5 | SSL_HANDSHAKE_MAC_SHA)
342
343/* When adding new digest in the ssl_ciph.c and increment SSM_MD_NUM_IDX
344 * make sure to update this constant too */
345#define SSL_MAX_DIGEST 4
346
347#define TLS1_PRF_DGST_SHIFT 8
348#define TLS1_PRF_MD5 (SSL_HANDSHAKE_MAC_MD5 << TLS1_PRF_DGST_SHIFT)
349#define TLS1_PRF_SHA1 (SSL_HANDSHAKE_MAC_SHA << TLS1_PRF_DGST_SHIFT)
350#define TLS1_PRF_GOST94 (SSL_HANDSHAKE_MAC_GOST94 << TLS1_PRF_DGST_SHIFT)
351#define TLS1_PRF (TLS1_PRF_MD5 | TLS1_PRF_SHA1)
352
353/* Stream MAC for GOST ciphersuites from cryptopro draft
354 * (currently this also goes into algorithm2) */
355#define TLS1_STREAM_MAC 0x04
356
357
358
359/*
360 * Export and cipher strength information. For each cipher we have to decide
361 * whether it is exportable or not. This information is likely to change
362 * over time, since the export control rules are no static technical issue.
363 *
364 * Independent of the export flag the cipher strength is sorted into classes.
365 * SSL_EXP40 was denoting the 40bit US export limit of past times, which now
366 * is at 56bit (SSL_EXP56). If the exportable cipher class is going to change
367 * again (eg. to 64bit) the use of "SSL_EXP*" becomes blurred even more,
368 * since SSL_EXP64 could be similar to SSL_LOW.
369 * For this reason SSL_MICRO and SSL_MINI macros are included to widen the
370 * namespace of SSL_LOW-SSL_HIGH to lower values. As development of speed
371 * and ciphers goes, another extension to SSL_SUPER and/or SSL_ULTRA would
372 * be possible.
373 */
374#define SSL_EXP_MASK 0x00000003L
375#define SSL_STRONG_MASK 0x000001fcL
376
377#define SSL_NOT_EXP 0x00000001L
378#define SSL_EXPORT 0x00000002L
379
380#define SSL_STRONG_NONE 0x00000004L
381#define SSL_EXP40 0x00000008L
382#define SSL_MICRO (SSL_EXP40)
383#define SSL_EXP56 0x00000010L
384#define SSL_MINI (SSL_EXP56)
385#define SSL_LOW 0x00000020L
386#define SSL_MEDIUM 0x00000040L
387#define SSL_HIGH 0x00000080L
388#define SSL_FIPS 0x00000100L
389
390/* we have used 000001ff - 23 bits left to go */
391
392/*
393 * Macros to check the export status and cipher strength for export ciphers.
394 * Even though the macros for EXPORT and EXPORT40/56 have similar names,
395 * their meaning is different:
396 * *_EXPORT macros check the 'exportable' status.
397 * *_EXPORT40/56 macros are used to check whether a certain cipher strength
398 * is given.
399 * Since the SSL_IS_EXPORT* and SSL_EXPORT* macros depend on the correct
400 * algorithm structure element to be passed (algorithms, algo_strength) and no
401 * typechecking can be done as they are all of type unsigned long, their
402 * direct usage is discouraged.
403 * Use the SSL_C_* macros instead.
404 */
405#define SSL_IS_EXPORT(a) ((a)&SSL_EXPORT)
406#define SSL_IS_EXPORT56(a) ((a)&SSL_EXP56)
407#define SSL_IS_EXPORT40(a) ((a)&SSL_EXP40)
408#define SSL_C_IS_EXPORT(c) SSL_IS_EXPORT((c)->algo_strength)
409#define SSL_C_IS_EXPORT56(c) SSL_IS_EXPORT56((c)->algo_strength)
410#define SSL_C_IS_EXPORT40(c) SSL_IS_EXPORT40((c)->algo_strength)
411
412#define SSL_EXPORT_KEYLENGTH(a,s) (SSL_IS_EXPORT40(s) ? 5 : \
413 (a) == SSL_DES ? 8 : 7)
414#define SSL_EXPORT_PKEYLENGTH(a) (SSL_IS_EXPORT40(a) ? 512 : 1024)
415#define SSL_C_EXPORT_KEYLENGTH(c) SSL_EXPORT_KEYLENGTH((c)->algorithm_enc, \
416 (c)->algo_strength)
417#define SSL_C_EXPORT_PKEYLENGTH(c) SSL_EXPORT_PKEYLENGTH((c)->algo_strength)
418
419
420
421
422/* Mostly for SSLv3 */
423#define SSL_PKEY_RSA_ENC 0
424#define SSL_PKEY_RSA_SIGN 1
425#define SSL_PKEY_DSA_SIGN 2
426#define SSL_PKEY_DH_RSA 3
427#define SSL_PKEY_DH_DSA 4
428#define SSL_PKEY_ECC 5
429#define SSL_PKEY_GOST94 6
430#define SSL_PKEY_GOST01 7
431#define SSL_PKEY_NUM 8
432
433/* SSL_kRSA <- RSA_ENC | (RSA_TMP & RSA_SIGN) |
434 * <- (EXPORT & (RSA_ENC | RSA_TMP) & RSA_SIGN)
435 * SSL_kDH <- DH_ENC & (RSA_ENC | RSA_SIGN | DSA_SIGN)
436 * SSL_kEDH <- RSA_ENC | RSA_SIGN | DSA_SIGN
437 * SSL_aRSA <- RSA_ENC | RSA_SIGN
438 * SSL_aDSS <- DSA_SIGN
439 */
440
441/*
442#define CERT_INVALID 0
443#define CERT_PUBLIC_KEY 1
444#define CERT_PRIVATE_KEY 2
445*/
446
447#ifndef OPENSSL_NO_EC
448/* From ECC-TLS draft, used in encoding the curve type in
449 * ECParameters
450 */
451#define EXPLICIT_PRIME_CURVE_TYPE 1
452#define EXPLICIT_CHAR2_CURVE_TYPE 2
453#define NAMED_CURVE_TYPE 3
454#endif /* OPENSSL_NO_EC */
455
456typedef struct cert_pkey_st
457 {
458 X509 *x509;
459 EVP_PKEY *privatekey;
460 } CERT_PKEY;
461
462typedef struct cert_st
463 {
464 /* Current active set */
465 CERT_PKEY *key; /* ALWAYS points to an element of the pkeys array
466 * Probably it would make more sense to store
467 * an index, not a pointer. */
468
469 /* The following masks are for the key and auth
470 * algorithms that are supported by the certs below */
471 int valid;
472 unsigned long mask_k;
473 unsigned long mask_a;
474 unsigned long export_mask_k;
475 unsigned long export_mask_a;
476#ifndef OPENSSL_NO_RSA
477 RSA *rsa_tmp;
478 RSA *(*rsa_tmp_cb)(SSL *ssl,int is_export,int keysize);
479#endif
480#ifndef OPENSSL_NO_DH
481 DH *dh_tmp;
482 DH *(*dh_tmp_cb)(SSL *ssl,int is_export,int keysize);
483#endif
484#ifndef OPENSSL_NO_ECDH
485 EC_KEY *ecdh_tmp;
486 /* Callback for generating ephemeral ECDH keys */
487 EC_KEY *(*ecdh_tmp_cb)(SSL *ssl,int is_export,int keysize);
488#endif
489
490 CERT_PKEY pkeys[SSL_PKEY_NUM];
491
492 int references; /* >1 only if SSL_copy_session_id is used */
493 } CERT;
494
495
496typedef struct sess_cert_st
497 {
498 STACK_OF(X509) *cert_chain; /* as received from peer (not for SSL2) */
499
500 /* The 'peer_...' members are used only by clients. */
501 int peer_cert_type;
502
503 CERT_PKEY *peer_key; /* points to an element of peer_pkeys (never NULL!) */
504 CERT_PKEY peer_pkeys[SSL_PKEY_NUM];
505 /* Obviously we don't have the private keys of these,
506 * so maybe we shouldn't even use the CERT_PKEY type here. */
507
508#ifndef OPENSSL_NO_RSA
509 RSA *peer_rsa_tmp; /* not used for SSL 2 */
510#endif
511#ifndef OPENSSL_NO_DH
512 DH *peer_dh_tmp; /* not used for SSL 2 */
513#endif
514#ifndef OPENSSL_NO_ECDH
515 EC_KEY *peer_ecdh_tmp;
516#endif
517
518 int references; /* actually always 1 at the moment */
519 } SESS_CERT;
520
521
522/*#define MAC_DEBUG */
523
524/*#define ERR_DEBUG */
525/*#define ABORT_DEBUG */
526/*#define PKT_DEBUG 1 */
527/*#define DES_DEBUG */
528/*#define DES_OFB_DEBUG */
529/*#define SSL_DEBUG */
530/*#define RSA_DEBUG */
531/*#define IDEA_DEBUG */
532
533#define FP_ICC (int (*)(const void *,const void *))
534#define ssl_put_cipher_by_char(ssl,ciph,ptr) \
535 ((ssl)->method->put_cipher_by_char((ciph),(ptr)))
536#define ssl_get_cipher_by_char(ssl,ptr) \
537 ((ssl)->method->get_cipher_by_char(ptr))
538
539/* This is for the SSLv3/TLSv1.0 differences in crypto/hash stuff
540 * It is a bit of a mess of functions, but hell, think of it as
541 * an opaque structure :-) */
542typedef struct ssl3_enc_method
543 {
544 int (*enc)(SSL *, int);
545 int (*mac)(SSL *, unsigned char *, int);
546 int (*setup_key_block)(SSL *);
547 int (*generate_master_secret)(SSL *, unsigned char *, unsigned char *, int);
548 int (*change_cipher_state)(SSL *, int);
549 int (*final_finish_mac)(SSL *, const char *, int, unsigned char *);
550 int finish_mac_length;
551 int (*cert_verify_mac)(SSL *, int, unsigned char *);
552 const char *client_finished_label;
553 int client_finished_label_len;
554 const char *server_finished_label;
555 int server_finished_label_len;
556 int (*alert_value)(int);
557 } SSL3_ENC_METHOD;
558
559#ifndef OPENSSL_NO_COMP
560/* Used for holding the relevant compression methods loaded into SSL_CTX */
561typedef struct ssl3_comp_st
562 {
563 int comp_id; /* The identifier byte for this compression type */
564 char *name; /* Text name used for the compression type */
565 COMP_METHOD *method; /* The method :-) */
566 } SSL3_COMP;
567#endif
568
569#ifndef OPENSSL_NO_BUF_FREELISTS
570typedef struct ssl3_buf_freelist_st
571 {
572 size_t chunklen;
573 unsigned int len;
574 struct ssl3_buf_freelist_entry_st *head;
575 } SSL3_BUF_FREELIST;
576
577typedef struct ssl3_buf_freelist_entry_st
578 {
579 struct ssl3_buf_freelist_entry_st *next;
580 } SSL3_BUF_FREELIST_ENTRY;
581#endif
582
583extern SSL3_ENC_METHOD ssl3_undef_enc_method;
584OPENSSL_EXTERN const SSL_CIPHER ssl2_ciphers[];
585OPENSSL_EXTERN SSL_CIPHER ssl3_ciphers[];
586
587
588SSL_METHOD *ssl_bad_method(int ver);
589
590extern SSL3_ENC_METHOD TLSv1_enc_data;
591extern SSL3_ENC_METHOD SSLv3_enc_data;
592extern SSL3_ENC_METHOD DTLSv1_enc_data;
593
594#define IMPLEMENT_tls1_meth_func(func_name, s_accept, s_connect, s_get_meth) \
595const SSL_METHOD *func_name(void) \
596 { \
597 static const SSL_METHOD func_name##_data= { \
598 TLS1_VERSION, \
599 tls1_new, \
600 tls1_clear, \
601 tls1_free, \
602 s_accept, \
603 s_connect, \
604 ssl3_read, \
605 ssl3_peek, \
606 ssl3_write, \
607 ssl3_shutdown, \
608 ssl3_renegotiate, \
609 ssl3_renegotiate_check, \
610 ssl3_get_message, \
611 ssl3_read_bytes, \
612 ssl3_write_bytes, \
613 ssl3_dispatch_alert, \
614 ssl3_ctrl, \
615 ssl3_ctx_ctrl, \
616 ssl3_get_cipher_by_char, \
617 ssl3_put_cipher_by_char, \
618 ssl3_pending, \
619 ssl3_num_ciphers, \
620 ssl3_get_cipher, \
621 s_get_meth, \
622 tls1_default_timeout, \
623 &TLSv1_enc_data, \
624 ssl_undefined_void_function, \
625 ssl3_callback_ctrl, \
626 ssl3_ctx_callback_ctrl, \
627 }; \
628 return &func_name##_data; \
629 }
630
631#define IMPLEMENT_ssl3_meth_func(func_name, s_accept, s_connect, s_get_meth) \
632const SSL_METHOD *func_name(void) \
633 { \
634 static const SSL_METHOD func_name##_data= { \
635 SSL3_VERSION, \
636 ssl3_new, \
637 ssl3_clear, \
638 ssl3_free, \
639 s_accept, \
640 s_connect, \
641 ssl3_read, \
642 ssl3_peek, \
643 ssl3_write, \
644 ssl3_shutdown, \
645 ssl3_renegotiate, \
646 ssl3_renegotiate_check, \
647 ssl3_get_message, \
648 ssl3_read_bytes, \
649 ssl3_write_bytes, \
650 ssl3_dispatch_alert, \
651 ssl3_ctrl, \
652 ssl3_ctx_ctrl, \
653 ssl3_get_cipher_by_char, \
654 ssl3_put_cipher_by_char, \
655 ssl3_pending, \
656 ssl3_num_ciphers, \
657 ssl3_get_cipher, \
658 s_get_meth, \
659 ssl3_default_timeout, \
660 &SSLv3_enc_data, \
661 ssl_undefined_void_function, \
662 ssl3_callback_ctrl, \
663 ssl3_ctx_callback_ctrl, \
664 }; \
665 return &func_name##_data; \
666 }
667
668#define IMPLEMENT_ssl23_meth_func(func_name, s_accept, s_connect, s_get_meth) \
669const SSL_METHOD *func_name(void) \
670 { \
671 static const SSL_METHOD func_name##_data= { \
672 TLS1_VERSION, \
673 tls1_new, \
674 tls1_clear, \
675 tls1_free, \
676 s_accept, \
677 s_connect, \
678 ssl23_read, \
679 ssl23_peek, \
680 ssl23_write, \
681 ssl_undefined_function, \
682 ssl_undefined_function, \
683 ssl_ok, \
684 ssl3_get_message, \
685 ssl3_read_bytes, \
686 ssl3_write_bytes, \
687 ssl3_dispatch_alert, \
688 ssl3_ctrl, \
689 ssl3_ctx_ctrl, \
690 ssl23_get_cipher_by_char, \
691 ssl23_put_cipher_by_char, \
692 ssl_undefined_const_function, \
693 ssl23_num_ciphers, \
694 ssl23_get_cipher, \
695 s_get_meth, \
696 ssl23_default_timeout, \
697 &ssl3_undef_enc_method, \
698 ssl_undefined_void_function, \
699 ssl3_callback_ctrl, \
700 ssl3_ctx_callback_ctrl, \
701 }; \
702 return &func_name##_data; \
703 }
704
705#define IMPLEMENT_ssl2_meth_func(func_name, s_accept, s_connect, s_get_meth) \
706const SSL_METHOD *func_name(void) \
707 { \
708 static const SSL_METHOD func_name##_data= { \
709 SSL2_VERSION, \
710 ssl2_new, /* local */ \
711 ssl2_clear, /* local */ \
712 ssl2_free, /* local */ \
713 s_accept, \
714 s_connect, \
715 ssl2_read, \
716 ssl2_peek, \
717 ssl2_write, \
718 ssl2_shutdown, \
719 ssl_ok, /* NULL - renegotiate */ \
720 ssl_ok, /* NULL - check renegotiate */ \
721 NULL, /* NULL - ssl_get_message */ \
722 NULL, /* NULL - ssl_get_record */ \
723 NULL, /* NULL - ssl_write_bytes */ \
724 NULL, /* NULL - dispatch_alert */ \
725 ssl2_ctrl, /* local */ \
726 ssl2_ctx_ctrl, /* local */ \
727 ssl2_get_cipher_by_char, \
728 ssl2_put_cipher_by_char, \
729 ssl2_pending, \
730 ssl2_num_ciphers, \
731 ssl2_get_cipher, \
732 s_get_meth, \
733 ssl2_default_timeout, \
734 &ssl3_undef_enc_method, \
735 ssl_undefined_void_function, \
736 ssl2_callback_ctrl, /* local */ \
737 ssl2_ctx_callback_ctrl, /* local */ \
738 }; \
739 return &func_name##_data; \
740 }
741
742#define IMPLEMENT_dtls1_meth_func(func_name, s_accept, s_connect, s_get_meth) \
743const SSL_METHOD *func_name(void) \
744 { \
745 static const SSL_METHOD func_name##_data= { \
746 DTLS1_VERSION, \
747 dtls1_new, \
748 dtls1_clear, \
749 dtls1_free, \
750 s_accept, \
751 s_connect, \
752 ssl3_read, \
753 ssl3_peek, \
754 ssl3_write, \
755 ssl3_shutdown, \
756 ssl3_renegotiate, \
757 ssl3_renegotiate_check, \
758 dtls1_get_message, \
759 dtls1_read_bytes, \
760 dtls1_write_app_data_bytes, \
761 dtls1_dispatch_alert, \
762 dtls1_ctrl, \
763 ssl3_ctx_ctrl, \
764 ssl3_get_cipher_by_char, \
765 ssl3_put_cipher_by_char, \
766 ssl3_pending, \
767 ssl3_num_ciphers, \
768 dtls1_get_cipher, \
769 s_get_meth, \
770 dtls1_default_timeout, \
771 &DTLSv1_enc_data, \
772 ssl_undefined_void_function, \
773 ssl3_callback_ctrl, \
774 ssl3_ctx_callback_ctrl, \
775 }; \
776 return &func_name##_data; \
777 }
778
779void ssl_clear_cipher_ctx(SSL *s);
780int ssl_clear_bad_session(SSL *s);
781CERT *ssl_cert_new(void);
782CERT *ssl_cert_dup(CERT *cert);
783int ssl_cert_inst(CERT **o);
784void ssl_cert_free(CERT *c);
785SESS_CERT *ssl_sess_cert_new(void);
786void ssl_sess_cert_free(SESS_CERT *sc);
787int ssl_set_peer_cert_type(SESS_CERT *c, int type);
788int ssl_get_new_session(SSL *s, int session);
789int ssl_get_prev_session(SSL *s, unsigned char *session,int len, const unsigned char *limit);
790int ssl_cipher_id_cmp(const SSL_CIPHER *a,const SSL_CIPHER *b);
791DECLARE_OBJ_BSEARCH_GLOBAL_CMP_FN(SSL_CIPHER, SSL_CIPHER,
792 ssl_cipher_id);
793int ssl_cipher_ptr_id_cmp(const SSL_CIPHER * const *ap,
794 const SSL_CIPHER * const *bp);
795STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s,unsigned char *p,int num,
796 STACK_OF(SSL_CIPHER) **skp);
797int ssl_cipher_list_to_bytes(SSL *s,STACK_OF(SSL_CIPHER) *sk,unsigned char *p,
798 int (*put_cb)(const SSL_CIPHER *, unsigned char *));
799STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *meth,
800 STACK_OF(SSL_CIPHER) **pref,
801 STACK_OF(SSL_CIPHER) **sorted,
802 const char *rule_str);
803void ssl_update_cache(SSL *s, int mode);
804int ssl_cipher_get_evp(const SSL_SESSION *s,const EVP_CIPHER **enc,
805 const EVP_MD **md,int *mac_pkey_type,int *mac_secret_size, SSL_COMP **comp);
806int ssl_get_handshake_digest(int i,long *mask,const EVP_MD **md);
807int ssl_verify_cert_chain(SSL *s,STACK_OF(X509) *sk);
808int ssl_undefined_function(SSL *s);
809int ssl_undefined_void_function(void);
810int ssl_undefined_const_function(const SSL *s);
811X509 *ssl_get_server_send_cert(SSL *);
812EVP_PKEY *ssl_get_sign_pkey(SSL *,const SSL_CIPHER *);
813int ssl_cert_type(X509 *x,EVP_PKEY *pkey);
814void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher);
815STACK_OF(SSL_CIPHER) *ssl_get_ciphers_by_id(SSL *s);
816int ssl_verify_alarm_type(long type);
817void ssl_load_ciphers(void);
818
819int ssl2_enc_init(SSL *s, int client);
820int ssl2_generate_key_material(SSL *s);
821void ssl2_enc(SSL *s,int send_data);
822void ssl2_mac(SSL *s,unsigned char *mac,int send_data);
823const SSL_CIPHER *ssl2_get_cipher_by_char(const unsigned char *p);
824int ssl2_put_cipher_by_char(const SSL_CIPHER *c,unsigned char *p);
825int ssl2_part_read(SSL *s, unsigned long f, int i);
826int ssl2_do_write(SSL *s);
827int ssl2_set_certificate(SSL *s, int type, int len, const unsigned char *data);
828void ssl2_return_error(SSL *s,int reason);
829void ssl2_write_error(SSL *s);
830int ssl2_num_ciphers(void);
831const SSL_CIPHER *ssl2_get_cipher(unsigned int u);
832int ssl2_new(SSL *s);
833void ssl2_free(SSL *s);
834int ssl2_accept(SSL *s);
835int ssl2_connect(SSL *s);
836int ssl2_read(SSL *s, void *buf, int len);
837int ssl2_peek(SSL *s, void *buf, int len);
838int ssl2_write(SSL *s, const void *buf, int len);
839int ssl2_shutdown(SSL *s);
840void ssl2_clear(SSL *s);
841long ssl2_ctrl(SSL *s,int cmd, long larg, void *parg);
842long ssl2_ctx_ctrl(SSL_CTX *s,int cmd, long larg, void *parg);
843long ssl2_callback_ctrl(SSL *s,int cmd, void (*fp)(void));
844long ssl2_ctx_callback_ctrl(SSL_CTX *s,int cmd, void (*fp)(void));
845int ssl2_pending(const SSL *s);
846long ssl2_default_timeout(void );
847
848const SSL_CIPHER *ssl3_get_cipher_by_char(const unsigned char *p);
849int ssl3_put_cipher_by_char(const SSL_CIPHER *c,unsigned char *p);
850void ssl3_init_finished_mac(SSL *s);
851int ssl3_send_server_certificate(SSL *s);
852int ssl3_send_newsession_ticket(SSL *s);
853int ssl3_send_cert_status(SSL *s);
854int ssl3_get_finished(SSL *s,int state_a,int state_b);
855int ssl3_setup_key_block(SSL *s);
856int ssl3_send_change_cipher_spec(SSL *s,int state_a,int state_b);
857int ssl3_change_cipher_state(SSL *s,int which);
858void ssl3_cleanup_key_block(SSL *s);
859int ssl3_do_write(SSL *s,int type);
860int ssl3_send_alert(SSL *s,int level, int desc);
861int ssl3_generate_master_secret(SSL *s, unsigned char *out,
862 unsigned char *p, int len);
863int ssl3_get_req_cert_type(SSL *s,unsigned char *p);
864long ssl3_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok);
865int ssl3_send_finished(SSL *s, int a, int b, const char *sender,int slen);
866int ssl3_num_ciphers(void);
867const SSL_CIPHER *ssl3_get_cipher(unsigned int u);
868int ssl3_renegotiate(SSL *ssl);
869int ssl3_renegotiate_check(SSL *ssl);
870int ssl3_dispatch_alert(SSL *s);
871int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek);
872int ssl3_write_bytes(SSL *s, int type, const void *buf, int len);
873int ssl3_final_finish_mac(SSL *s, const char *sender, int slen,unsigned char *p);
874int ssl3_cert_verify_mac(SSL *s, int md_nid, unsigned char *p);
875void ssl3_finish_mac(SSL *s, const unsigned char *buf, int len);
876int ssl3_enc(SSL *s, int send_data);
877int n_ssl3_mac(SSL *ssl, unsigned char *md, int send_data);
878void ssl3_free_digest_list(SSL *s);
879unsigned long ssl3_output_cert_chain(SSL *s, X509 *x);
880SSL_CIPHER *ssl3_choose_cipher(SSL *ssl,STACK_OF(SSL_CIPHER) *clnt,
881 STACK_OF(SSL_CIPHER) *srvr);
882int ssl3_setup_buffers(SSL *s);
883int ssl3_setup_read_buffer(SSL *s);
884int ssl3_setup_write_buffer(SSL *s);
885int ssl3_release_read_buffer(SSL *s);
886int ssl3_release_write_buffer(SSL *s);
887int ssl3_digest_cached_records(SSL *s);
888int ssl3_new(SSL *s);
889void ssl3_free(SSL *s);
890int ssl3_accept(SSL *s);
891int ssl3_connect(SSL *s);
892int ssl3_read(SSL *s, void *buf, int len);
893int ssl3_peek(SSL *s, void *buf, int len);
894int ssl3_write(SSL *s, const void *buf, int len);
895int ssl3_shutdown(SSL *s);
896void ssl3_clear(SSL *s);
897long ssl3_ctrl(SSL *s,int cmd, long larg, void *parg);
898long ssl3_ctx_ctrl(SSL_CTX *s,int cmd, long larg, void *parg);
899long ssl3_callback_ctrl(SSL *s,int cmd, void (*fp)(void));
900long ssl3_ctx_callback_ctrl(SSL_CTX *s,int cmd, void (*fp)(void));
901int ssl3_pending(const SSL *s);
902
903void ssl3_record_sequence_update(unsigned char *seq);
904int ssl3_do_change_cipher_spec(SSL *ssl);
905long ssl3_default_timeout(void );
906
907int ssl23_num_ciphers(void );
908const SSL_CIPHER *ssl23_get_cipher(unsigned int u);
909int ssl23_read(SSL *s, void *buf, int len);
910int ssl23_peek(SSL *s, void *buf, int len);
911int ssl23_write(SSL *s, const void *buf, int len);
912int ssl23_put_cipher_by_char(const SSL_CIPHER *c, unsigned char *p);
913const SSL_CIPHER *ssl23_get_cipher_by_char(const unsigned char *p);
914long ssl23_default_timeout(void );
915
916long tls1_default_timeout(void);
917int dtls1_do_write(SSL *s,int type);
918int ssl3_read_n(SSL *s, int n, int max, int extend);
919int dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek);
920int ssl3_do_compress(SSL *ssl);
921int ssl3_do_uncompress(SSL *ssl);
922int ssl3_write_pending(SSL *s, int type, const unsigned char *buf,
923 unsigned int len);
924unsigned char *dtls1_set_message_header(SSL *s,
925 unsigned char *p, unsigned char mt, unsigned long len,
926 unsigned long frag_off, unsigned long frag_len);
927
928int dtls1_write_app_data_bytes(SSL *s, int type, const void *buf, int len);
929int dtls1_write_bytes(SSL *s, int type, const void *buf, int len);
930
931int dtls1_send_change_cipher_spec(SSL *s, int a, int b);
932int dtls1_send_finished(SSL *s, int a, int b, const char *sender, int slen);
933unsigned long dtls1_output_cert_chain(SSL *s, X509 *x);
934int dtls1_read_failed(SSL *s, int code);
935int dtls1_buffer_message(SSL *s, int ccs);
936int dtls1_retransmit_message(SSL *s, unsigned short seq,
937 unsigned long frag_off, int *found);
938int dtls1_get_queue_priority(unsigned short seq, int is_ccs);
939int dtls1_retransmit_buffered_messages(SSL *s);
940void dtls1_clear_record_buffer(SSL *s);
941void dtls1_get_message_header(unsigned char *data, struct hm_header_st *msg_hdr);
942void dtls1_get_ccs_header(unsigned char *data, struct ccs_header_st *ccs_hdr);
943void dtls1_reset_seq_numbers(SSL *s, int rw);
944long dtls1_default_timeout(void);
945struct timeval* dtls1_get_timeout(SSL *s, struct timeval* timeleft);
946int dtls1_handle_timeout(SSL *s);
947const SSL_CIPHER *dtls1_get_cipher(unsigned int u);
948void dtls1_start_timer(SSL *s);
949void dtls1_stop_timer(SSL *s);
950int dtls1_is_timer_expired(SSL *s);
951void dtls1_double_timeout(SSL *s);
952int dtls1_send_newsession_ticket(SSL *s);
953unsigned int dtls1_min_mtu(void);
954
955/* some client-only functions */
956int ssl3_client_hello(SSL *s);
957int ssl3_get_server_hello(SSL *s);
958int ssl3_get_certificate_request(SSL *s);
959int ssl3_get_new_session_ticket(SSL *s);
960int ssl3_get_cert_status(SSL *s);
961int ssl3_get_server_done(SSL *s);
962int ssl3_send_client_verify(SSL *s);
963int ssl3_send_client_certificate(SSL *s);
964int ssl_do_client_cert_cb(SSL *s, X509 **px509, EVP_PKEY **ppkey);
965int ssl3_send_client_key_exchange(SSL *s);
966int ssl3_get_key_exchange(SSL *s);
967int ssl3_get_server_certificate(SSL *s);
968int ssl3_check_cert_and_algorithm(SSL *s);
969#ifndef OPENSSL_NO_TLSEXT
970int ssl3_check_finished(SSL *s);
971#endif
972
973int dtls1_client_hello(SSL *s);
974int dtls1_send_client_certificate(SSL *s);
975int dtls1_send_client_key_exchange(SSL *s);
976int dtls1_send_client_verify(SSL *s);
977
978/* some server-only functions */
979int ssl3_get_client_hello(SSL *s);
980int ssl3_send_server_hello(SSL *s);
981int ssl3_send_hello_request(SSL *s);
982int ssl3_send_server_key_exchange(SSL *s);
983int ssl3_send_certificate_request(SSL *s);
984int ssl3_send_server_done(SSL *s);
985int ssl3_check_client_hello(SSL *s);
986int ssl3_get_client_certificate(SSL *s);
987int ssl3_get_client_key_exchange(SSL *s);
988int ssl3_get_cert_verify(SSL *s);
989
990int dtls1_send_hello_request(SSL *s);
991int dtls1_send_server_hello(SSL *s);
992int dtls1_send_server_certificate(SSL *s);
993int dtls1_send_server_key_exchange(SSL *s);
994int dtls1_send_certificate_request(SSL *s);
995int dtls1_send_server_done(SSL *s);
996
997
998
999int ssl23_accept(SSL *s);
1000int ssl23_connect(SSL *s);
1001int ssl23_read_bytes(SSL *s, int n);
1002int ssl23_write_bytes(SSL *s);
1003
1004int tls1_new(SSL *s);
1005void tls1_free(SSL *s);
1006void tls1_clear(SSL *s);
1007long tls1_ctrl(SSL *s,int cmd, long larg, void *parg);
1008long tls1_callback_ctrl(SSL *s,int cmd, void (*fp)(void));
1009
1010int dtls1_new(SSL *s);
1011int dtls1_accept(SSL *s);
1012int dtls1_connect(SSL *s);
1013void dtls1_free(SSL *s);
1014void dtls1_clear(SSL *s);
1015long dtls1_ctrl(SSL *s,int cmd, long larg, void *parg);
1016
1017long dtls1_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok);
1018int dtls1_get_record(SSL *s);
1019int do_dtls1_write(SSL *s, int type, const unsigned char *buf,
1020 unsigned int len, int create_empty_fragement);
1021int dtls1_dispatch_alert(SSL *s);
1022int dtls1_enc(SSL *s, int snd);
1023
1024int ssl_init_wbio_buffer(SSL *s, int push);
1025void ssl_free_wbio_buffer(SSL *s);
1026
1027int tls1_change_cipher_state(SSL *s, int which);
1028int tls1_setup_key_block(SSL *s);
1029int tls1_enc(SSL *s, int snd);
1030int tls1_final_finish_mac(SSL *s,
1031 const char *str, int slen, unsigned char *p);
1032int tls1_cert_verify_mac(SSL *s, int md_nid, unsigned char *p);
1033int tls1_mac(SSL *ssl, unsigned char *md, int snd);
1034int tls1_generate_master_secret(SSL *s, unsigned char *out,
1035 unsigned char *p, int len);
1036int tls1_alert_code(int code);
1037int ssl3_alert_code(int code);
1038int ssl_ok(SSL *s);
1039
1040#ifndef OPENSSL_NO_ECDH
1041int ssl_check_srvr_ecc_cert_and_alg(X509 *x, const SSL_CIPHER *cs);
1042#endif
1043
1044SSL_COMP *ssl3_comp_find(STACK_OF(SSL_COMP) *sk, int n);
1045
1046#ifndef OPENSSL_NO_EC
1047int tls1_ec_curve_id2nid(int curve_id);
1048int tls1_ec_nid2curve_id(int nid);
1049#endif /* OPENSSL_NO_EC */
1050
1051#ifndef OPENSSL_NO_TLSEXT
1052unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit);
1053unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit);
1054int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **data, unsigned char *d, int n, int *al);
1055int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **data, unsigned char *d, int n, int *al);
1056int ssl_prepare_clienthello_tlsext(SSL *s);
1057int ssl_prepare_serverhello_tlsext(SSL *s);
1058int ssl_check_clienthello_tlsext(SSL *s);
1059int ssl_check_serverhello_tlsext(SSL *s);
1060
1061#ifdef OPENSSL_NO_SHA256
1062#define tlsext_tick_md EVP_sha1
1063#else
1064#define tlsext_tick_md EVP_sha256
1065#endif
1066int tls1_process_ticket(SSL *s, unsigned char *session_id, int len,
1067 const unsigned char *limit, SSL_SESSION **ret);
1068#endif
1069EVP_MD_CTX* ssl_replace_hash(EVP_MD_CTX **hash,const EVP_MD *md) ;
1070void ssl_clear_hash_ctx(EVP_MD_CTX **hash);
1071int ssl_add_serverhello_renegotiate_ext(SSL *s, unsigned char *p, int *len,
1072 int maxlen);
1073int ssl_parse_serverhello_renegotiate_ext(SSL *s, unsigned char *d, int len,
1074 int *al);
1075int ssl_add_clienthello_renegotiate_ext(SSL *s, unsigned char *p, int *len,
1076 int maxlen);
1077int ssl_parse_clienthello_renegotiate_ext(SSL *s, unsigned char *d, int len,
1078 int *al);
1079#endif
diff --git a/src/lib/libssl/ssl_rsa.c b/src/lib/libssl/ssl_rsa.c
deleted file mode 100644
index c0960b5712..0000000000
--- a/src/lib/libssl/ssl_rsa.c
+++ /dev/null
@@ -1,779 +0,0 @@
1/* ssl/ssl_rsa.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#include <stdio.h>
60#include "ssl_locl.h"
61#include <openssl/bio.h>
62#include <openssl/objects.h>
63#include <openssl/evp.h>
64#include <openssl/x509.h>
65#include <openssl/pem.h>
66
67static int ssl_set_cert(CERT *c, X509 *x509);
68static int ssl_set_pkey(CERT *c, EVP_PKEY *pkey);
69int SSL_use_certificate(SSL *ssl, X509 *x)
70 {
71 if (x == NULL)
72 {
73 SSLerr(SSL_F_SSL_USE_CERTIFICATE,ERR_R_PASSED_NULL_PARAMETER);
74 return(0);
75 }
76 if (!ssl_cert_inst(&ssl->cert))
77 {
78 SSLerr(SSL_F_SSL_USE_CERTIFICATE,ERR_R_MALLOC_FAILURE);
79 return(0);
80 }
81 return(ssl_set_cert(ssl->cert,x));
82 }
83
84#ifndef OPENSSL_NO_STDIO
85int SSL_use_certificate_file(SSL *ssl, const char *file, int type)
86 {
87 int j;
88 BIO *in;
89 int ret=0;
90 X509 *x=NULL;
91
92 in=BIO_new(BIO_s_file_internal());
93 if (in == NULL)
94 {
95 SSLerr(SSL_F_SSL_USE_CERTIFICATE_FILE,ERR_R_BUF_LIB);
96 goto end;
97 }
98
99 if (BIO_read_filename(in,file) <= 0)
100 {
101 SSLerr(SSL_F_SSL_USE_CERTIFICATE_FILE,ERR_R_SYS_LIB);
102 goto end;
103 }
104 if (type == SSL_FILETYPE_ASN1)
105 {
106 j=ERR_R_ASN1_LIB;
107 x=d2i_X509_bio(in,NULL);
108 }
109 else if (type == SSL_FILETYPE_PEM)
110 {
111 j=ERR_R_PEM_LIB;
112 x=PEM_read_bio_X509(in,NULL,ssl->ctx->default_passwd_callback,ssl->ctx->default_passwd_callback_userdata);
113 }
114 else
115 {
116 SSLerr(SSL_F_SSL_USE_CERTIFICATE_FILE,SSL_R_BAD_SSL_FILETYPE);
117 goto end;
118 }
119
120 if (x == NULL)
121 {
122 SSLerr(SSL_F_SSL_USE_CERTIFICATE_FILE,j);
123 goto end;
124 }
125
126 ret=SSL_use_certificate(ssl,x);
127end:
128 if (x != NULL) X509_free(x);
129 if (in != NULL) BIO_free(in);
130 return(ret);
131 }
132#endif
133
134int SSL_use_certificate_ASN1(SSL *ssl, const unsigned char *d, int len)
135 {
136 X509 *x;
137 int ret;
138
139 x=d2i_X509(NULL,&d,(long)len);
140 if (x == NULL)
141 {
142 SSLerr(SSL_F_SSL_USE_CERTIFICATE_ASN1,ERR_R_ASN1_LIB);
143 return(0);
144 }
145
146 ret=SSL_use_certificate(ssl,x);
147 X509_free(x);
148 return(ret);
149 }
150
151#ifndef OPENSSL_NO_RSA
152int SSL_use_RSAPrivateKey(SSL *ssl, RSA *rsa)
153 {
154 EVP_PKEY *pkey;
155 int ret;
156
157 if (rsa == NULL)
158 {
159 SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY,ERR_R_PASSED_NULL_PARAMETER);
160 return(0);
161 }
162 if (!ssl_cert_inst(&ssl->cert))
163 {
164 SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY,ERR_R_MALLOC_FAILURE);
165 return(0);
166 }
167 if ((pkey=EVP_PKEY_new()) == NULL)
168 {
169 SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY,ERR_R_EVP_LIB);
170 return(0);
171 }
172
173 RSA_up_ref(rsa);
174 EVP_PKEY_assign_RSA(pkey,rsa);
175
176 ret=ssl_set_pkey(ssl->cert,pkey);
177 EVP_PKEY_free(pkey);
178 return(ret);
179 }
180#endif
181
182static int ssl_set_pkey(CERT *c, EVP_PKEY *pkey)
183 {
184 int i;
185
186 i=ssl_cert_type(NULL,pkey);
187 if (i < 0)
188 {
189 SSLerr(SSL_F_SSL_SET_PKEY,SSL_R_UNKNOWN_CERTIFICATE_TYPE);
190 return(0);
191 }
192
193 if (c->pkeys[i].x509 != NULL)
194 {
195 EVP_PKEY *pktmp;
196 pktmp = X509_get_pubkey(c->pkeys[i].x509);
197 EVP_PKEY_copy_parameters(pktmp,pkey);
198 EVP_PKEY_free(pktmp);
199 ERR_clear_error();
200
201#ifndef OPENSSL_NO_RSA
202 /* Don't check the public/private key, this is mostly
203 * for smart cards. */
204 if ((pkey->type == EVP_PKEY_RSA) &&
205 (RSA_flags(pkey->pkey.rsa) & RSA_METHOD_FLAG_NO_CHECK))
206 ;
207 else
208#endif
209 if (!X509_check_private_key(c->pkeys[i].x509,pkey))
210 {
211 X509_free(c->pkeys[i].x509);
212 c->pkeys[i].x509 = NULL;
213 return 0;
214 }
215 }
216
217 if (c->pkeys[i].privatekey != NULL)
218 EVP_PKEY_free(c->pkeys[i].privatekey);
219 CRYPTO_add(&pkey->references,1,CRYPTO_LOCK_EVP_PKEY);
220 c->pkeys[i].privatekey=pkey;
221 c->key= &(c->pkeys[i]);
222
223 c->valid=0;
224 return(1);
225 }
226
227#ifndef OPENSSL_NO_RSA
228#ifndef OPENSSL_NO_STDIO
229int SSL_use_RSAPrivateKey_file(SSL *ssl, const char *file, int type)
230 {
231 int j,ret=0;
232 BIO *in;
233 RSA *rsa=NULL;
234
235 in=BIO_new(BIO_s_file_internal());
236 if (in == NULL)
237 {
238 SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY_FILE,ERR_R_BUF_LIB);
239 goto end;
240 }
241
242 if (BIO_read_filename(in,file) <= 0)
243 {
244 SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY_FILE,ERR_R_SYS_LIB);
245 goto end;
246 }
247 if (type == SSL_FILETYPE_ASN1)
248 {
249 j=ERR_R_ASN1_LIB;
250 rsa=d2i_RSAPrivateKey_bio(in,NULL);
251 }
252 else if (type == SSL_FILETYPE_PEM)
253 {
254 j=ERR_R_PEM_LIB;
255 rsa=PEM_read_bio_RSAPrivateKey(in,NULL,
256 ssl->ctx->default_passwd_callback,ssl->ctx->default_passwd_callback_userdata);
257 }
258 else
259 {
260 SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY_FILE,SSL_R_BAD_SSL_FILETYPE);
261 goto end;
262 }
263 if (rsa == NULL)
264 {
265 SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY_FILE,j);
266 goto end;
267 }
268 ret=SSL_use_RSAPrivateKey(ssl,rsa);
269 RSA_free(rsa);
270end:
271 if (in != NULL) BIO_free(in);
272 return(ret);
273 }
274#endif
275
276int SSL_use_RSAPrivateKey_ASN1(SSL *ssl, unsigned char *d, long len)
277 {
278 int ret;
279 const unsigned char *p;
280 RSA *rsa;
281
282 p=d;
283 if ((rsa=d2i_RSAPrivateKey(NULL,&p,(long)len)) == NULL)
284 {
285 SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY_ASN1,ERR_R_ASN1_LIB);
286 return(0);
287 }
288
289 ret=SSL_use_RSAPrivateKey(ssl,rsa);
290 RSA_free(rsa);
291 return(ret);
292 }
293#endif /* !OPENSSL_NO_RSA */
294
295int SSL_use_PrivateKey(SSL *ssl, EVP_PKEY *pkey)
296 {
297 int ret;
298
299 if (pkey == NULL)
300 {
301 SSLerr(SSL_F_SSL_USE_PRIVATEKEY,ERR_R_PASSED_NULL_PARAMETER);
302 return(0);
303 }
304 if (!ssl_cert_inst(&ssl->cert))
305 {
306 SSLerr(SSL_F_SSL_USE_PRIVATEKEY,ERR_R_MALLOC_FAILURE);
307 return(0);
308 }
309 ret=ssl_set_pkey(ssl->cert,pkey);
310 return(ret);
311 }
312
313#ifndef OPENSSL_NO_STDIO
314int SSL_use_PrivateKey_file(SSL *ssl, const char *file, int type)
315 {
316 int j,ret=0;
317 BIO *in;
318 EVP_PKEY *pkey=NULL;
319
320 in=BIO_new(BIO_s_file_internal());
321 if (in == NULL)
322 {
323 SSLerr(SSL_F_SSL_USE_PRIVATEKEY_FILE,ERR_R_BUF_LIB);
324 goto end;
325 }
326
327 if (BIO_read_filename(in,file) <= 0)
328 {
329 SSLerr(SSL_F_SSL_USE_PRIVATEKEY_FILE,ERR_R_SYS_LIB);
330 goto end;
331 }
332 if (type == SSL_FILETYPE_PEM)
333 {
334 j=ERR_R_PEM_LIB;
335 pkey=PEM_read_bio_PrivateKey(in,NULL,
336 ssl->ctx->default_passwd_callback,ssl->ctx->default_passwd_callback_userdata);
337 }
338 else if (type == SSL_FILETYPE_ASN1)
339 {
340 j = ERR_R_ASN1_LIB;
341 pkey = d2i_PrivateKey_bio(in,NULL);
342 }
343 else
344 {
345 SSLerr(SSL_F_SSL_USE_PRIVATEKEY_FILE,SSL_R_BAD_SSL_FILETYPE);
346 goto end;
347 }
348 if (pkey == NULL)
349 {
350 SSLerr(SSL_F_SSL_USE_PRIVATEKEY_FILE,j);
351 goto end;
352 }
353 ret=SSL_use_PrivateKey(ssl,pkey);
354 EVP_PKEY_free(pkey);
355end:
356 if (in != NULL) BIO_free(in);
357 return(ret);
358 }
359#endif
360
361int SSL_use_PrivateKey_ASN1(int type, SSL *ssl, const unsigned char *d, long len)
362 {
363 int ret;
364 const unsigned char *p;
365 EVP_PKEY *pkey;
366
367 p=d;
368 if ((pkey=d2i_PrivateKey(type,NULL,&p,(long)len)) == NULL)
369 {
370 SSLerr(SSL_F_SSL_USE_PRIVATEKEY_ASN1,ERR_R_ASN1_LIB);
371 return(0);
372 }
373
374 ret=SSL_use_PrivateKey(ssl,pkey);
375 EVP_PKEY_free(pkey);
376 return(ret);
377 }
378
379int SSL_CTX_use_certificate(SSL_CTX *ctx, X509 *x)
380 {
381 if (x == NULL)
382 {
383 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE,ERR_R_PASSED_NULL_PARAMETER);
384 return(0);
385 }
386 if (!ssl_cert_inst(&ctx->cert))
387 {
388 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE,ERR_R_MALLOC_FAILURE);
389 return(0);
390 }
391 return(ssl_set_cert(ctx->cert, x));
392 }
393
394static int ssl_set_cert(CERT *c, X509 *x)
395 {
396 EVP_PKEY *pkey;
397 int i;
398
399 pkey=X509_get_pubkey(x);
400 if (pkey == NULL)
401 {
402 SSLerr(SSL_F_SSL_SET_CERT,SSL_R_X509_LIB);
403 return(0);
404 }
405
406 i=ssl_cert_type(x,pkey);
407 if (i < 0)
408 {
409 SSLerr(SSL_F_SSL_SET_CERT,SSL_R_UNKNOWN_CERTIFICATE_TYPE);
410 EVP_PKEY_free(pkey);
411 return(0);
412 }
413
414 if (c->pkeys[i].privatekey != NULL)
415 {
416 EVP_PKEY_copy_parameters(pkey,c->pkeys[i].privatekey);
417 ERR_clear_error();
418
419#ifndef OPENSSL_NO_RSA
420 /* Don't check the public/private key, this is mostly
421 * for smart cards. */
422 if ((c->pkeys[i].privatekey->type == EVP_PKEY_RSA) &&
423 (RSA_flags(c->pkeys[i].privatekey->pkey.rsa) &
424 RSA_METHOD_FLAG_NO_CHECK))
425 ;
426 else
427#endif /* OPENSSL_NO_RSA */
428 if (!X509_check_private_key(x,c->pkeys[i].privatekey))
429 {
430 /* don't fail for a cert/key mismatch, just free
431 * current private key (when switching to a different
432 * cert & key, first this function should be used,
433 * then ssl_set_pkey */
434 EVP_PKEY_free(c->pkeys[i].privatekey);
435 c->pkeys[i].privatekey=NULL;
436 /* clear error queue */
437 ERR_clear_error();
438 }
439 }
440
441 EVP_PKEY_free(pkey);
442
443 if (c->pkeys[i].x509 != NULL)
444 X509_free(c->pkeys[i].x509);
445 CRYPTO_add(&x->references,1,CRYPTO_LOCK_X509);
446 c->pkeys[i].x509=x;
447 c->key= &(c->pkeys[i]);
448
449 c->valid=0;
450 return(1);
451 }
452
453#ifndef OPENSSL_NO_STDIO
454int SSL_CTX_use_certificate_file(SSL_CTX *ctx, const char *file, int type)
455 {
456 int j;
457 BIO *in;
458 int ret=0;
459 X509 *x=NULL;
460
461 in=BIO_new(BIO_s_file_internal());
462 if (in == NULL)
463 {
464 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE,ERR_R_BUF_LIB);
465 goto end;
466 }
467
468 if (BIO_read_filename(in,file) <= 0)
469 {
470 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE,ERR_R_SYS_LIB);
471 goto end;
472 }
473 if (type == SSL_FILETYPE_ASN1)
474 {
475 j=ERR_R_ASN1_LIB;
476 x=d2i_X509_bio(in,NULL);
477 }
478 else if (type == SSL_FILETYPE_PEM)
479 {
480 j=ERR_R_PEM_LIB;
481 x=PEM_read_bio_X509(in,NULL,ctx->default_passwd_callback,ctx->default_passwd_callback_userdata);
482 }
483 else
484 {
485 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE,SSL_R_BAD_SSL_FILETYPE);
486 goto end;
487 }
488
489 if (x == NULL)
490 {
491 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE,j);
492 goto end;
493 }
494
495 ret=SSL_CTX_use_certificate(ctx,x);
496end:
497 if (x != NULL) X509_free(x);
498 if (in != NULL) BIO_free(in);
499 return(ret);
500 }
501#endif
502
503int SSL_CTX_use_certificate_ASN1(SSL_CTX *ctx, int len, const unsigned char *d)
504 {
505 X509 *x;
506 int ret;
507
508 x=d2i_X509(NULL,&d,(long)len);
509 if (x == NULL)
510 {
511 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_ASN1,ERR_R_ASN1_LIB);
512 return(0);
513 }
514
515 ret=SSL_CTX_use_certificate(ctx,x);
516 X509_free(x);
517 return(ret);
518 }
519
520#ifndef OPENSSL_NO_RSA
521int SSL_CTX_use_RSAPrivateKey(SSL_CTX *ctx, RSA *rsa)
522 {
523 int ret;
524 EVP_PKEY *pkey;
525
526 if (rsa == NULL)
527 {
528 SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY,ERR_R_PASSED_NULL_PARAMETER);
529 return(0);
530 }
531 if (!ssl_cert_inst(&ctx->cert))
532 {
533 SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY,ERR_R_MALLOC_FAILURE);
534 return(0);
535 }
536 if ((pkey=EVP_PKEY_new()) == NULL)
537 {
538 SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY,ERR_R_EVP_LIB);
539 return(0);
540 }
541
542 RSA_up_ref(rsa);
543 EVP_PKEY_assign_RSA(pkey,rsa);
544
545 ret=ssl_set_pkey(ctx->cert, pkey);
546 EVP_PKEY_free(pkey);
547 return(ret);
548 }
549
550#ifndef OPENSSL_NO_STDIO
551int SSL_CTX_use_RSAPrivateKey_file(SSL_CTX *ctx, const char *file, int type)
552 {
553 int j,ret=0;
554 BIO *in;
555 RSA *rsa=NULL;
556
557 in=BIO_new(BIO_s_file_internal());
558 if (in == NULL)
559 {
560 SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE,ERR_R_BUF_LIB);
561 goto end;
562 }
563
564 if (BIO_read_filename(in,file) <= 0)
565 {
566 SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE,ERR_R_SYS_LIB);
567 goto end;
568 }
569 if (type == SSL_FILETYPE_ASN1)
570 {
571 j=ERR_R_ASN1_LIB;
572 rsa=d2i_RSAPrivateKey_bio(in,NULL);
573 }
574 else if (type == SSL_FILETYPE_PEM)
575 {
576 j=ERR_R_PEM_LIB;
577 rsa=PEM_read_bio_RSAPrivateKey(in,NULL,
578 ctx->default_passwd_callback,ctx->default_passwd_callback_userdata);
579 }
580 else
581 {
582 SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE,SSL_R_BAD_SSL_FILETYPE);
583 goto end;
584 }
585 if (rsa == NULL)
586 {
587 SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE,j);
588 goto end;
589 }
590 ret=SSL_CTX_use_RSAPrivateKey(ctx,rsa);
591 RSA_free(rsa);
592end:
593 if (in != NULL) BIO_free(in);
594 return(ret);
595 }
596#endif
597
598int SSL_CTX_use_RSAPrivateKey_ASN1(SSL_CTX *ctx, const unsigned char *d, long len)
599 {
600 int ret;
601 const unsigned char *p;
602 RSA *rsa;
603
604 p=d;
605 if ((rsa=d2i_RSAPrivateKey(NULL,&p,(long)len)) == NULL)
606 {
607 SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_ASN1,ERR_R_ASN1_LIB);
608 return(0);
609 }
610
611 ret=SSL_CTX_use_RSAPrivateKey(ctx,rsa);
612 RSA_free(rsa);
613 return(ret);
614 }
615#endif /* !OPENSSL_NO_RSA */
616
617int SSL_CTX_use_PrivateKey(SSL_CTX *ctx, EVP_PKEY *pkey)
618 {
619 if (pkey == NULL)
620 {
621 SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY,ERR_R_PASSED_NULL_PARAMETER);
622 return(0);
623 }
624 if (!ssl_cert_inst(&ctx->cert))
625 {
626 SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY,ERR_R_MALLOC_FAILURE);
627 return(0);
628 }
629 return(ssl_set_pkey(ctx->cert,pkey));
630 }
631
632#ifndef OPENSSL_NO_STDIO
633int SSL_CTX_use_PrivateKey_file(SSL_CTX *ctx, const char *file, int type)
634 {
635 int j,ret=0;
636 BIO *in;
637 EVP_PKEY *pkey=NULL;
638
639 in=BIO_new(BIO_s_file_internal());
640 if (in == NULL)
641 {
642 SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE,ERR_R_BUF_LIB);
643 goto end;
644 }
645
646 if (BIO_read_filename(in,file) <= 0)
647 {
648 SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE,ERR_R_SYS_LIB);
649 goto end;
650 }
651 if (type == SSL_FILETYPE_PEM)
652 {
653 j=ERR_R_PEM_LIB;
654 pkey=PEM_read_bio_PrivateKey(in,NULL,
655 ctx->default_passwd_callback,ctx->default_passwd_callback_userdata);
656 }
657 else if (type == SSL_FILETYPE_ASN1)
658 {
659 j = ERR_R_ASN1_LIB;
660 pkey = d2i_PrivateKey_bio(in,NULL);
661 }
662 else
663 {
664 SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE,SSL_R_BAD_SSL_FILETYPE);
665 goto end;
666 }
667 if (pkey == NULL)
668 {
669 SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE,j);
670 goto end;
671 }
672 ret=SSL_CTX_use_PrivateKey(ctx,pkey);
673 EVP_PKEY_free(pkey);
674end:
675 if (in != NULL) BIO_free(in);
676 return(ret);
677 }
678#endif
679
680int SSL_CTX_use_PrivateKey_ASN1(int type, SSL_CTX *ctx, const unsigned char *d,
681 long len)
682 {
683 int ret;
684 const unsigned char *p;
685 EVP_PKEY *pkey;
686
687 p=d;
688 if ((pkey=d2i_PrivateKey(type,NULL,&p,(long)len)) == NULL)
689 {
690 SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_ASN1,ERR_R_ASN1_LIB);
691 return(0);
692 }
693
694 ret=SSL_CTX_use_PrivateKey(ctx,pkey);
695 EVP_PKEY_free(pkey);
696 return(ret);
697 }
698
699
700#ifndef OPENSSL_NO_STDIO
701/* Read a file that contains our certificate in "PEM" format,
702 * possibly followed by a sequence of CA certificates that should be
703 * sent to the peer in the Certificate message.
704 */
705int SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, const char *file)
706 {
707 BIO *in;
708 int ret=0;
709 X509 *x=NULL;
710
711 ERR_clear_error(); /* clear error stack for SSL_CTX_use_certificate() */
712
713 in=BIO_new(BIO_s_file_internal());
714 if (in == NULL)
715 {
716 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE,ERR_R_BUF_LIB);
717 goto end;
718 }
719
720 if (BIO_read_filename(in,file) <= 0)
721 {
722 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE,ERR_R_SYS_LIB);
723 goto end;
724 }
725
726 x=PEM_read_bio_X509_AUX(in,NULL,ctx->default_passwd_callback,ctx->default_passwd_callback_userdata);
727 if (x == NULL)
728 {
729 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE,ERR_R_PEM_LIB);
730 goto end;
731 }
732
733 ret=SSL_CTX_use_certificate(ctx,x);
734 if (ERR_peek_error() != 0)
735 ret = 0; /* Key/certificate mismatch doesn't imply ret==0 ... */
736 if (ret)
737 {
738 /* If we could set up our certificate, now proceed to
739 * the CA certificates.
740 */
741 X509 *ca;
742 int r;
743 unsigned long err;
744
745 if (ctx->extra_certs != NULL)
746 {
747 sk_X509_pop_free(ctx->extra_certs, X509_free);
748 ctx->extra_certs = NULL;
749 }
750
751 while ((ca = PEM_read_bio_X509(in,NULL,ctx->default_passwd_callback,ctx->default_passwd_callback_userdata))
752 != NULL)
753 {
754 r = SSL_CTX_add_extra_chain_cert(ctx, ca);
755 if (!r)
756 {
757 X509_free(ca);
758 ret = 0;
759 goto end;
760 }
761 /* Note that we must not free r if it was successfully
762 * added to the chain (while we must free the main
763 * certificate, since its reference count is increased
764 * by SSL_CTX_use_certificate). */
765 }
766 /* When the while loop ends, it's usually just EOF. */
767 err = ERR_peek_last_error();
768 if (ERR_GET_LIB(err) == ERR_LIB_PEM && ERR_GET_REASON(err) == PEM_R_NO_START_LINE)
769 ERR_clear_error();
770 else
771 ret = 0; /* some real error */
772 }
773
774end:
775 if (x != NULL) X509_free(x);
776 if (in != NULL) BIO_free(in);
777 return(ret);
778 }
779#endif
diff --git a/src/lib/libssl/ssl_sess.c b/src/lib/libssl/ssl_sess.c
deleted file mode 100644
index 8e5d8a0972..0000000000
--- a/src/lib/libssl/ssl_sess.c
+++ /dev/null
@@ -1,1095 +0,0 @@
1/* ssl/ssl_sess.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58/* ====================================================================
59 * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved.
60 *
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
63 * are met:
64 *
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
67 *
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
71 * distribution.
72 *
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77 *
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
82 *
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
86 *
87 * 6. Redistributions of any form whatsoever must retain the following
88 * acknowledgment:
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91 *
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
105 *
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
109 *
110 */
111/* ====================================================================
112 * Copyright 2005 Nokia. All rights reserved.
113 *
114 * The portions of the attached software ("Contribution") is developed by
115 * Nokia Corporation and is licensed pursuant to the OpenSSL open source
116 * license.
117 *
118 * The Contribution, originally written by Mika Kousa and Pasi Eronen of
119 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
120 * support (see RFC 4279) to OpenSSL.
121 *
122 * No patent licenses or other rights except those expressly stated in
123 * the OpenSSL open source license shall be deemed granted or received
124 * expressly, by implication, estoppel, or otherwise.
125 *
126 * No assurances are provided by Nokia that the Contribution does not
127 * infringe the patent or other intellectual property rights of any third
128 * party or that the license provides you with all the necessary rights
129 * to make use of the Contribution.
130 *
131 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
132 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
133 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
134 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
135 * OTHERWISE.
136 */
137
138#include <stdio.h>
139#include <openssl/lhash.h>
140#include <openssl/rand.h>
141#ifndef OPENSSL_NO_ENGINE
142#include <openssl/engine.h>
143#endif
144#include "ssl_locl.h"
145
146static void SSL_SESSION_list_remove(SSL_CTX *ctx, SSL_SESSION *s);
147static void SSL_SESSION_list_add(SSL_CTX *ctx,SSL_SESSION *s);
148static int remove_session_lock(SSL_CTX *ctx, SSL_SESSION *c, int lck);
149
150SSL_SESSION *SSL_get_session(const SSL *ssl)
151/* aka SSL_get0_session; gets 0 objects, just returns a copy of the pointer */
152 {
153 return(ssl->session);
154 }
155
156SSL_SESSION *SSL_get1_session(SSL *ssl)
157/* variant of SSL_get_session: caller really gets something */
158 {
159 SSL_SESSION *sess;
160 /* Need to lock this all up rather than just use CRYPTO_add so that
161 * somebody doesn't free ssl->session between when we check it's
162 * non-null and when we up the reference count. */
163 CRYPTO_w_lock(CRYPTO_LOCK_SSL_SESSION);
164 sess = ssl->session;
165 if(sess)
166 sess->references++;
167 CRYPTO_w_unlock(CRYPTO_LOCK_SSL_SESSION);
168 return(sess);
169 }
170
171int SSL_SESSION_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
172 CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func)
173 {
174 return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_SSL_SESSION, argl, argp,
175 new_func, dup_func, free_func);
176 }
177
178int SSL_SESSION_set_ex_data(SSL_SESSION *s, int idx, void *arg)
179 {
180 return(CRYPTO_set_ex_data(&s->ex_data,idx,arg));
181 }
182
183void *SSL_SESSION_get_ex_data(const SSL_SESSION *s, int idx)
184 {
185 return(CRYPTO_get_ex_data(&s->ex_data,idx));
186 }
187
188SSL_SESSION *SSL_SESSION_new(void)
189 {
190 SSL_SESSION *ss;
191
192 ss=(SSL_SESSION *)OPENSSL_malloc(sizeof(SSL_SESSION));
193 if (ss == NULL)
194 {
195 SSLerr(SSL_F_SSL_SESSION_NEW,ERR_R_MALLOC_FAILURE);
196 return(0);
197 }
198 memset(ss,0,sizeof(SSL_SESSION));
199
200 ss->verify_result = 1; /* avoid 0 (= X509_V_OK) just in case */
201 ss->references=1;
202 ss->timeout=60*5+4; /* 5 minute timeout by default */
203 ss->time=(unsigned long)time(NULL);
204 ss->prev=NULL;
205 ss->next=NULL;
206 ss->compress_meth=0;
207#ifndef OPENSSL_NO_TLSEXT
208 ss->tlsext_hostname = NULL;
209#ifndef OPENSSL_NO_EC
210 ss->tlsext_ecpointformatlist_length = 0;
211 ss->tlsext_ecpointformatlist = NULL;
212 ss->tlsext_ellipticcurvelist_length = 0;
213 ss->tlsext_ellipticcurvelist = NULL;
214#endif
215#endif
216 CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL_SESSION, ss, &ss->ex_data);
217#ifndef OPENSSL_NO_PSK
218 ss->psk_identity_hint=NULL;
219 ss->psk_identity=NULL;
220#endif
221 return(ss);
222 }
223
224const unsigned char *SSL_SESSION_get_id(const SSL_SESSION *s, unsigned int *len)
225 {
226 if(len)
227 *len = s->session_id_length;
228 return s->session_id;
229 }
230
231/* Even with SSLv2, we have 16 bytes (128 bits) of session ID space. SSLv3/TLSv1
232 * has 32 bytes (256 bits). As such, filling the ID with random gunk repeatedly
233 * until we have no conflict is going to complete in one iteration pretty much
234 * "most" of the time (btw: understatement). So, if it takes us 10 iterations
235 * and we still can't avoid a conflict - well that's a reasonable point to call
236 * it quits. Either the RAND code is broken or someone is trying to open roughly
237 * very close to 2^128 (or 2^256) SSL sessions to our server. How you might
238 * store that many sessions is perhaps a more interesting question ... */
239
240#define MAX_SESS_ID_ATTEMPTS 10
241static int def_generate_session_id(const SSL *ssl, unsigned char *id,
242 unsigned int *id_len)
243{
244 unsigned int retry = 0;
245 do
246 if (RAND_pseudo_bytes(id, *id_len) <= 0)
247 return 0;
248 while(SSL_has_matching_session_id(ssl, id, *id_len) &&
249 (++retry < MAX_SESS_ID_ATTEMPTS));
250 if(retry < MAX_SESS_ID_ATTEMPTS)
251 return 1;
252 /* else - woops a session_id match */
253 /* XXX We should also check the external cache --
254 * but the probability of a collision is negligible, and
255 * we could not prevent the concurrent creation of sessions
256 * with identical IDs since we currently don't have means
257 * to atomically check whether a session ID already exists
258 * and make a reservation for it if it does not
259 * (this problem applies to the internal cache as well).
260 */
261 return 0;
262}
263
264int ssl_get_new_session(SSL *s, int session)
265 {
266 /* This gets used by clients and servers. */
267
268 unsigned int tmp;
269 SSL_SESSION *ss=NULL;
270 GEN_SESSION_CB cb = def_generate_session_id;
271
272 if ((ss=SSL_SESSION_new()) == NULL) return(0);
273
274 /* If the context has a default timeout, use it */
275 if (s->session_ctx->session_timeout == 0)
276 ss->timeout=SSL_get_default_timeout(s);
277 else
278 ss->timeout=s->session_ctx->session_timeout;
279
280 if (s->session != NULL)
281 {
282 SSL_SESSION_free(s->session);
283 s->session=NULL;
284 }
285
286 if (session)
287 {
288 if (s->version == SSL2_VERSION)
289 {
290 ss->ssl_version=SSL2_VERSION;
291 ss->session_id_length=SSL2_SSL_SESSION_ID_LENGTH;
292 }
293 else if (s->version == SSL3_VERSION)
294 {
295 ss->ssl_version=SSL3_VERSION;
296 ss->session_id_length=SSL3_SSL_SESSION_ID_LENGTH;
297 }
298 else if (s->version == TLS1_VERSION)
299 {
300 ss->ssl_version=TLS1_VERSION;
301 ss->session_id_length=SSL3_SSL_SESSION_ID_LENGTH;
302 }
303 else if (s->version == DTLS1_BAD_VER)
304 {
305 ss->ssl_version=DTLS1_BAD_VER;
306 ss->session_id_length=SSL3_SSL_SESSION_ID_LENGTH;
307 }
308 else if (s->version == DTLS1_VERSION)
309 {
310 ss->ssl_version=DTLS1_VERSION;
311 ss->session_id_length=SSL3_SSL_SESSION_ID_LENGTH;
312 }
313 else
314 {
315 SSLerr(SSL_F_SSL_GET_NEW_SESSION,SSL_R_UNSUPPORTED_SSL_VERSION);
316 SSL_SESSION_free(ss);
317 return(0);
318 }
319#ifndef OPENSSL_NO_TLSEXT
320 /* If RFC4507 ticket use empty session ID */
321 if (s->tlsext_ticket_expected)
322 {
323 ss->session_id_length = 0;
324 goto sess_id_done;
325 }
326#endif
327 /* Choose which callback will set the session ID */
328 CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX);
329 if(s->generate_session_id)
330 cb = s->generate_session_id;
331 else if(s->session_ctx->generate_session_id)
332 cb = s->session_ctx->generate_session_id;
333 CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX);
334 /* Choose a session ID */
335 tmp = ss->session_id_length;
336 if(!cb(s, ss->session_id, &tmp))
337 {
338 /* The callback failed */
339 SSLerr(SSL_F_SSL_GET_NEW_SESSION,
340 SSL_R_SSL_SESSION_ID_CALLBACK_FAILED);
341 SSL_SESSION_free(ss);
342 return(0);
343 }
344 /* Don't allow the callback to set the session length to zero.
345 * nor set it higher than it was. */
346 if(!tmp || (tmp > ss->session_id_length))
347 {
348 /* The callback set an illegal length */
349 SSLerr(SSL_F_SSL_GET_NEW_SESSION,
350 SSL_R_SSL_SESSION_ID_HAS_BAD_LENGTH);
351 SSL_SESSION_free(ss);
352 return(0);
353 }
354 /* If the session length was shrunk and we're SSLv2, pad it */
355 if((tmp < ss->session_id_length) && (s->version == SSL2_VERSION))
356 memset(ss->session_id + tmp, 0, ss->session_id_length - tmp);
357 else
358 ss->session_id_length = tmp;
359 /* Finally, check for a conflict */
360 if(SSL_has_matching_session_id(s, ss->session_id,
361 ss->session_id_length))
362 {
363 SSLerr(SSL_F_SSL_GET_NEW_SESSION,
364 SSL_R_SSL_SESSION_ID_CONFLICT);
365 SSL_SESSION_free(ss);
366 return(0);
367 }
368#ifndef OPENSSL_NO_TLSEXT
369 sess_id_done:
370 if (s->tlsext_hostname) {
371 ss->tlsext_hostname = BUF_strdup(s->tlsext_hostname);
372 if (ss->tlsext_hostname == NULL) {
373 SSLerr(SSL_F_SSL_GET_NEW_SESSION, ERR_R_INTERNAL_ERROR);
374 SSL_SESSION_free(ss);
375 return 0;
376 }
377 }
378#ifndef OPENSSL_NO_EC
379 if (s->tlsext_ecpointformatlist)
380 {
381 if (ss->tlsext_ecpointformatlist != NULL) OPENSSL_free(ss->tlsext_ecpointformatlist);
382 if ((ss->tlsext_ecpointformatlist = OPENSSL_malloc(s->tlsext_ecpointformatlist_length)) == NULL)
383 {
384 SSLerr(SSL_F_SSL_GET_NEW_SESSION, ERR_R_MALLOC_FAILURE);
385 SSL_SESSION_free(ss);
386 return 0;
387 }
388 ss->tlsext_ecpointformatlist_length = s->tlsext_ecpointformatlist_length;
389 memcpy(ss->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist_length);
390 }
391 if (s->tlsext_ellipticcurvelist)
392 {
393 if (ss->tlsext_ellipticcurvelist != NULL) OPENSSL_free(ss->tlsext_ellipticcurvelist);
394 if ((ss->tlsext_ellipticcurvelist = OPENSSL_malloc(s->tlsext_ellipticcurvelist_length)) == NULL)
395 {
396 SSLerr(SSL_F_SSL_GET_NEW_SESSION, ERR_R_MALLOC_FAILURE);
397 SSL_SESSION_free(ss);
398 return 0;
399 }
400 ss->tlsext_ellipticcurvelist_length = s->tlsext_ellipticcurvelist_length;
401 memcpy(ss->tlsext_ellipticcurvelist, s->tlsext_ellipticcurvelist, s->tlsext_ellipticcurvelist_length);
402 }
403#endif
404#endif
405 }
406 else
407 {
408 ss->session_id_length=0;
409 }
410
411 if (s->sid_ctx_length > sizeof ss->sid_ctx)
412 {
413 SSLerr(SSL_F_SSL_GET_NEW_SESSION, ERR_R_INTERNAL_ERROR);
414 SSL_SESSION_free(ss);
415 return 0;
416 }
417 memcpy(ss->sid_ctx,s->sid_ctx,s->sid_ctx_length);
418 ss->sid_ctx_length=s->sid_ctx_length;
419 s->session=ss;
420 ss->ssl_version=s->version;
421 ss->verify_result = X509_V_OK;
422
423 return(1);
424 }
425
426int ssl_get_prev_session(SSL *s, unsigned char *session_id, int len,
427 const unsigned char *limit)
428 {
429 /* This is used only by servers. */
430
431 SSL_SESSION *ret=NULL;
432 int fatal = 0;
433#ifndef OPENSSL_NO_TLSEXT
434 int r;
435#endif
436
437 if (len > SSL_MAX_SSL_SESSION_ID_LENGTH)
438 goto err;
439#ifndef OPENSSL_NO_TLSEXT
440 r = tls1_process_ticket(s, session_id, len, limit, &ret);
441 if (r == -1)
442 {
443 fatal = 1;
444 goto err;
445 }
446 else if (r == 0 || (!ret && !len))
447 goto err;
448 else if (!ret && !(s->session_ctx->session_cache_mode & SSL_SESS_CACHE_NO_INTERNAL_LOOKUP))
449#else
450 if (len == 0)
451 goto err;
452 if (!(s->session_ctx->session_cache_mode & SSL_SESS_CACHE_NO_INTERNAL_LOOKUP))
453#endif
454 {
455 SSL_SESSION data;
456 data.ssl_version=s->version;
457 data.session_id_length=len;
458 if (len == 0)
459 return 0;
460 memcpy(data.session_id,session_id,len);
461 CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX);
462 ret=lh_SSL_SESSION_retrieve(s->session_ctx->sessions,&data);
463 if (ret != NULL)
464 /* don't allow other threads to steal it: */
465 CRYPTO_add(&ret->references,1,CRYPTO_LOCK_SSL_SESSION);
466 CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX);
467 }
468
469 if (ret == NULL)
470 {
471 int copy=1;
472
473 s->session_ctx->stats.sess_miss++;
474 ret=NULL;
475 if (s->session_ctx->get_session_cb != NULL
476 && (ret=s->session_ctx->get_session_cb(s,session_id,len,&copy))
477 != NULL)
478 {
479 s->session_ctx->stats.sess_cb_hit++;
480
481 /* Increment reference count now if the session callback
482 * asks us to do so (note that if the session structures
483 * returned by the callback are shared between threads,
484 * it must handle the reference count itself [i.e. copy == 0],
485 * or things won't be thread-safe). */
486 if (copy)
487 CRYPTO_add(&ret->references,1,CRYPTO_LOCK_SSL_SESSION);
488
489 /* Add the externally cached session to the internal
490 * cache as well if and only if we are supposed to. */
491 if(!(s->session_ctx->session_cache_mode & SSL_SESS_CACHE_NO_INTERNAL_STORE))
492 /* The following should not return 1, otherwise,
493 * things are very strange */
494 SSL_CTX_add_session(s->session_ctx,ret);
495 }
496 if (ret == NULL)
497 goto err;
498 }
499
500 /* Now ret is non-NULL, and we own one of its reference counts. */
501
502 if (ret->sid_ctx_length != s->sid_ctx_length
503 || memcmp(ret->sid_ctx,s->sid_ctx,ret->sid_ctx_length))
504 {
505 /* We've found the session named by the client, but we don't
506 * want to use it in this context. */
507
508#if 0 /* The client cannot always know when a session is not appropriate,
509 * so we shouldn't generate an error message. */
510
511 SSLerr(SSL_F_SSL_GET_PREV_SESSION,SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT);
512#endif
513 goto err; /* treat like cache miss */
514 }
515
516 if((s->verify_mode & SSL_VERIFY_PEER) && s->sid_ctx_length == 0)
517 {
518 /* We can't be sure if this session is being used out of
519 * context, which is especially important for SSL_VERIFY_PEER.
520 * The application should have used SSL[_CTX]_set_session_id_context.
521 *
522 * For this error case, we generate an error instead of treating
523 * the event like a cache miss (otherwise it would be easy for
524 * applications to effectively disable the session cache by
525 * accident without anyone noticing).
526 */
527
528 SSLerr(SSL_F_SSL_GET_PREV_SESSION,SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED);
529 fatal = 1;
530 goto err;
531 }
532
533 if (ret->cipher == NULL)
534 {
535 unsigned char buf[5],*p;
536 unsigned long l;
537
538 p=buf;
539 l=ret->cipher_id;
540 l2n(l,p);
541 if ((ret->ssl_version>>8) >= SSL3_VERSION_MAJOR)
542 ret->cipher=ssl_get_cipher_by_char(s,&(buf[2]));
543 else
544 ret->cipher=ssl_get_cipher_by_char(s,&(buf[1]));
545 if (ret->cipher == NULL)
546 goto err;
547 }
548
549
550#if 0 /* This is way too late. */
551
552 /* If a thread got the session, then 'swaped', and another got
553 * it and then due to a time-out decided to 'OPENSSL_free' it we could
554 * be in trouble. So I'll increment it now, then double decrement
555 * later - am I speaking rubbish?. */
556 CRYPTO_add(&ret->references,1,CRYPTO_LOCK_SSL_SESSION);
557#endif
558
559 if (ret->timeout < (long)(time(NULL) - ret->time)) /* timeout */
560 {
561 s->session_ctx->stats.sess_timeout++;
562 /* remove it from the cache */
563 SSL_CTX_remove_session(s->session_ctx,ret);
564 goto err;
565 }
566
567 s->session_ctx->stats.sess_hit++;
568
569 /* ret->time=time(NULL); */ /* rezero timeout? */
570 /* again, just leave the session
571 * if it is the same session, we have just incremented and
572 * then decremented the reference count :-) */
573 if (s->session != NULL)
574 SSL_SESSION_free(s->session);
575 s->session=ret;
576 s->verify_result = s->session->verify_result;
577 return(1);
578
579 err:
580 if (ret != NULL)
581 SSL_SESSION_free(ret);
582 if (fatal)
583 return -1;
584 else
585 return 0;
586 }
587
588int SSL_CTX_add_session(SSL_CTX *ctx, SSL_SESSION *c)
589 {
590 int ret=0;
591 SSL_SESSION *s;
592
593 /* add just 1 reference count for the SSL_CTX's session cache
594 * even though it has two ways of access: each session is in a
595 * doubly linked list and an lhash */
596 CRYPTO_add(&c->references,1,CRYPTO_LOCK_SSL_SESSION);
597 /* if session c is in already in cache, we take back the increment later */
598
599 CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
600 s=lh_SSL_SESSION_insert(ctx->sessions,c);
601
602 /* s != NULL iff we already had a session with the given PID.
603 * In this case, s == c should hold (then we did not really modify
604 * ctx->sessions), or we're in trouble. */
605 if (s != NULL && s != c)
606 {
607 /* We *are* in trouble ... */
608 SSL_SESSION_list_remove(ctx,s);
609 SSL_SESSION_free(s);
610 /* ... so pretend the other session did not exist in cache
611 * (we cannot handle two SSL_SESSION structures with identical
612 * session ID in the same cache, which could happen e.g. when
613 * two threads concurrently obtain the same session from an external
614 * cache) */
615 s = NULL;
616 }
617
618 /* Put at the head of the queue unless it is already in the cache */
619 if (s == NULL)
620 SSL_SESSION_list_add(ctx,c);
621
622 if (s != NULL)
623 {
624 /* existing cache entry -- decrement previously incremented reference
625 * count because it already takes into account the cache */
626
627 SSL_SESSION_free(s); /* s == c */
628 ret=0;
629 }
630 else
631 {
632 /* new cache entry -- remove old ones if cache has become too large */
633
634 ret=1;
635
636 if (SSL_CTX_sess_get_cache_size(ctx) > 0)
637 {
638 while (SSL_CTX_sess_number(ctx) >
639 SSL_CTX_sess_get_cache_size(ctx))
640 {
641 if (!remove_session_lock(ctx,
642 ctx->session_cache_tail, 0))
643 break;
644 else
645 ctx->stats.sess_cache_full++;
646 }
647 }
648 }
649 CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
650 return(ret);
651 }
652
653int SSL_CTX_remove_session(SSL_CTX *ctx, SSL_SESSION *c)
654{
655 return remove_session_lock(ctx, c, 1);
656}
657
658static int remove_session_lock(SSL_CTX *ctx, SSL_SESSION *c, int lck)
659 {
660 SSL_SESSION *r;
661 int ret=0;
662
663 if ((c != NULL) && (c->session_id_length != 0))
664 {
665 if(lck) CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
666 if ((r = lh_SSL_SESSION_retrieve(ctx->sessions,c)) == c)
667 {
668 ret=1;
669 r=lh_SSL_SESSION_delete(ctx->sessions,c);
670 SSL_SESSION_list_remove(ctx,c);
671 }
672
673 if(lck) CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
674
675 if (ret)
676 {
677 r->not_resumable=1;
678 if (ctx->remove_session_cb != NULL)
679 ctx->remove_session_cb(ctx,r);
680 SSL_SESSION_free(r);
681 }
682 }
683 else
684 ret=0;
685 return(ret);
686 }
687
688void SSL_SESSION_free(SSL_SESSION *ss)
689 {
690 int i;
691
692 if(ss == NULL)
693 return;
694
695 i=CRYPTO_add(&ss->references,-1,CRYPTO_LOCK_SSL_SESSION);
696#ifdef REF_PRINT
697 REF_PRINT("SSL_SESSION",ss);
698#endif
699 if (i > 0) return;
700#ifdef REF_CHECK
701 if (i < 0)
702 {
703 fprintf(stderr,"SSL_SESSION_free, bad reference count\n");
704 abort(); /* ok */
705 }
706#endif
707
708 CRYPTO_free_ex_data(CRYPTO_EX_INDEX_SSL_SESSION, ss, &ss->ex_data);
709
710 OPENSSL_cleanse(ss->key_arg,sizeof ss->key_arg);
711 OPENSSL_cleanse(ss->master_key,sizeof ss->master_key);
712 OPENSSL_cleanse(ss->session_id,sizeof ss->session_id);
713 if (ss->sess_cert != NULL) ssl_sess_cert_free(ss->sess_cert);
714 if (ss->peer != NULL) X509_free(ss->peer);
715 if (ss->ciphers != NULL) sk_SSL_CIPHER_free(ss->ciphers);
716#ifndef OPENSSL_NO_TLSEXT
717 if (ss->tlsext_hostname != NULL) OPENSSL_free(ss->tlsext_hostname);
718 if (ss->tlsext_tick != NULL) OPENSSL_free(ss->tlsext_tick);
719#ifndef OPENSSL_NO_EC
720 ss->tlsext_ecpointformatlist_length = 0;
721 if (ss->tlsext_ecpointformatlist != NULL) OPENSSL_free(ss->tlsext_ecpointformatlist);
722 ss->tlsext_ellipticcurvelist_length = 0;
723 if (ss->tlsext_ellipticcurvelist != NULL) OPENSSL_free(ss->tlsext_ellipticcurvelist);
724#endif /* OPENSSL_NO_EC */
725#endif
726#ifndef OPENSSL_NO_PSK
727 if (ss->psk_identity_hint != NULL)
728 OPENSSL_free(ss->psk_identity_hint);
729 if (ss->psk_identity != NULL)
730 OPENSSL_free(ss->psk_identity);
731#endif
732 OPENSSL_cleanse(ss,sizeof(*ss));
733 OPENSSL_free(ss);
734 }
735
736int SSL_set_session(SSL *s, SSL_SESSION *session)
737 {
738 int ret=0;
739 const SSL_METHOD *meth;
740
741 if (session != NULL)
742 {
743 meth=s->ctx->method->get_ssl_method(session->ssl_version);
744 if (meth == NULL)
745 meth=s->method->get_ssl_method(session->ssl_version);
746 if (meth == NULL)
747 {
748 SSLerr(SSL_F_SSL_SET_SESSION,SSL_R_UNABLE_TO_FIND_SSL_METHOD);
749 return(0);
750 }
751
752 if (meth != s->method)
753 {
754 if (!SSL_set_ssl_method(s,meth))
755 return(0);
756 if (s->ctx->session_timeout == 0)
757 session->timeout=SSL_get_default_timeout(s);
758 else
759 session->timeout=s->ctx->session_timeout;
760 }
761
762#ifndef OPENSSL_NO_KRB5
763 if (s->kssl_ctx && !s->kssl_ctx->client_princ &&
764 session->krb5_client_princ_len > 0)
765 {
766 s->kssl_ctx->client_princ = (char *)OPENSSL_malloc(session->krb5_client_princ_len + 1);
767 memcpy(s->kssl_ctx->client_princ,session->krb5_client_princ,
768 session->krb5_client_princ_len);
769 s->kssl_ctx->client_princ[session->krb5_client_princ_len] = '\0';
770 }
771#endif /* OPENSSL_NO_KRB5 */
772
773 /* CRYPTO_w_lock(CRYPTO_LOCK_SSL);*/
774 CRYPTO_add(&session->references,1,CRYPTO_LOCK_SSL_SESSION);
775 if (s->session != NULL)
776 SSL_SESSION_free(s->session);
777 s->session=session;
778 s->verify_result = s->session->verify_result;
779 /* CRYPTO_w_unlock(CRYPTO_LOCK_SSL);*/
780 ret=1;
781 }
782 else
783 {
784 if (s->session != NULL)
785 {
786 SSL_SESSION_free(s->session);
787 s->session=NULL;
788 }
789
790 meth=s->ctx->method;
791 if (meth != s->method)
792 {
793 if (!SSL_set_ssl_method(s,meth))
794 return(0);
795 }
796 ret=1;
797 }
798 return(ret);
799 }
800
801long SSL_SESSION_set_timeout(SSL_SESSION *s, long t)
802 {
803 if (s == NULL) return(0);
804 s->timeout=t;
805 return(1);
806 }
807
808long SSL_SESSION_get_timeout(const SSL_SESSION *s)
809 {
810 if (s == NULL) return(0);
811 return(s->timeout);
812 }
813
814long SSL_SESSION_get_time(const SSL_SESSION *s)
815 {
816 if (s == NULL) return(0);
817 return(s->time);
818 }
819
820long SSL_SESSION_set_time(SSL_SESSION *s, long t)
821 {
822 if (s == NULL) return(0);
823 s->time=t;
824 return(t);
825 }
826
827long SSL_CTX_set_timeout(SSL_CTX *s, long t)
828 {
829 long l;
830 if (s == NULL) return(0);
831 l=s->session_timeout;
832 s->session_timeout=t;
833 return(l);
834 }
835
836long SSL_CTX_get_timeout(const SSL_CTX *s)
837 {
838 if (s == NULL) return(0);
839 return(s->session_timeout);
840 }
841
842#ifndef OPENSSL_NO_TLSEXT
843int SSL_set_session_secret_cb(SSL *s, int (*tls_session_secret_cb)(SSL *s, void *secret, int *secret_len,
844 STACK_OF(SSL_CIPHER) *peer_ciphers, SSL_CIPHER **cipher, void *arg), void *arg)
845 {
846 if (s == NULL) return(0);
847 s->tls_session_secret_cb = tls_session_secret_cb;
848 s->tls_session_secret_cb_arg = arg;
849 return(1);
850 }
851
852int SSL_set_session_ticket_ext_cb(SSL *s, tls_session_ticket_ext_cb_fn cb,
853 void *arg)
854 {
855 if (s == NULL) return(0);
856 s->tls_session_ticket_ext_cb = cb;
857 s->tls_session_ticket_ext_cb_arg = arg;
858 return(1);
859 }
860
861int SSL_set_session_ticket_ext(SSL *s, void *ext_data, int ext_len)
862 {
863 if (s->version >= TLS1_VERSION)
864 {
865 if (s->tlsext_session_ticket)
866 {
867 OPENSSL_free(s->tlsext_session_ticket);
868 s->tlsext_session_ticket = NULL;
869 }
870
871 s->tlsext_session_ticket = OPENSSL_malloc(sizeof(TLS_SESSION_TICKET_EXT) + ext_len);
872 if (!s->tlsext_session_ticket)
873 {
874 SSLerr(SSL_F_SSL_SET_SESSION_TICKET_EXT, ERR_R_MALLOC_FAILURE);
875 return 0;
876 }
877
878 if (ext_data)
879 {
880 s->tlsext_session_ticket->length = ext_len;
881 s->tlsext_session_ticket->data = s->tlsext_session_ticket + 1;
882 memcpy(s->tlsext_session_ticket->data, ext_data, ext_len);
883 }
884 else
885 {
886 s->tlsext_session_ticket->length = 0;
887 s->tlsext_session_ticket->data = NULL;
888 }
889
890 return 1;
891 }
892
893 return 0;
894 }
895#endif /* OPENSSL_NO_TLSEXT */
896
897typedef struct timeout_param_st
898 {
899 SSL_CTX *ctx;
900 long time;
901 LHASH_OF(SSL_SESSION) *cache;
902 } TIMEOUT_PARAM;
903
904static void timeout_doall_arg(SSL_SESSION *s, TIMEOUT_PARAM *p)
905 {
906 if ((p->time == 0) || (p->time > (s->time+s->timeout))) /* timeout */
907 {
908 /* The reason we don't call SSL_CTX_remove_session() is to
909 * save on locking overhead */
910 (void)lh_SSL_SESSION_delete(p->cache,s);
911 SSL_SESSION_list_remove(p->ctx,s);
912 s->not_resumable=1;
913 if (p->ctx->remove_session_cb != NULL)
914 p->ctx->remove_session_cb(p->ctx,s);
915 SSL_SESSION_free(s);
916 }
917 }
918
919static IMPLEMENT_LHASH_DOALL_ARG_FN(timeout, SSL_SESSION, TIMEOUT_PARAM)
920
921void SSL_CTX_flush_sessions(SSL_CTX *s, long t)
922 {
923 unsigned long i;
924 TIMEOUT_PARAM tp;
925
926 tp.ctx=s;
927 tp.cache=s->sessions;
928 if (tp.cache == NULL) return;
929 tp.time=t;
930 CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
931 i=CHECKED_LHASH_OF(SSL_SESSION, tp.cache)->down_load;
932 CHECKED_LHASH_OF(SSL_SESSION, tp.cache)->down_load=0;
933 lh_SSL_SESSION_doall_arg(tp.cache, LHASH_DOALL_ARG_FN(timeout),
934 TIMEOUT_PARAM, &tp);
935 CHECKED_LHASH_OF(SSL_SESSION, tp.cache)->down_load=i;
936 CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
937 }
938
939int ssl_clear_bad_session(SSL *s)
940 {
941 if ( (s->session != NULL) &&
942 !(s->shutdown & SSL_SENT_SHUTDOWN) &&
943 !(SSL_in_init(s) || SSL_in_before(s)))
944 {
945 SSL_CTX_remove_session(s->ctx,s->session);
946 return(1);
947 }
948 else
949 return(0);
950 }
951
952/* locked by SSL_CTX in the calling function */
953static void SSL_SESSION_list_remove(SSL_CTX *ctx, SSL_SESSION *s)
954 {
955 if ((s->next == NULL) || (s->prev == NULL)) return;
956
957 if (s->next == (SSL_SESSION *)&(ctx->session_cache_tail))
958 { /* last element in list */
959 if (s->prev == (SSL_SESSION *)&(ctx->session_cache_head))
960 { /* only one element in list */
961 ctx->session_cache_head=NULL;
962 ctx->session_cache_tail=NULL;
963 }
964 else
965 {
966 ctx->session_cache_tail=s->prev;
967 s->prev->next=(SSL_SESSION *)&(ctx->session_cache_tail);
968 }
969 }
970 else
971 {
972 if (s->prev == (SSL_SESSION *)&(ctx->session_cache_head))
973 { /* first element in list */
974 ctx->session_cache_head=s->next;
975 s->next->prev=(SSL_SESSION *)&(ctx->session_cache_head);
976 }
977 else
978 { /* middle of list */
979 s->next->prev=s->prev;
980 s->prev->next=s->next;
981 }
982 }
983 s->prev=s->next=NULL;
984 }
985
986static void SSL_SESSION_list_add(SSL_CTX *ctx, SSL_SESSION *s)
987 {
988 if ((s->next != NULL) && (s->prev != NULL))
989 SSL_SESSION_list_remove(ctx,s);
990
991 if (ctx->session_cache_head == NULL)
992 {
993 ctx->session_cache_head=s;
994 ctx->session_cache_tail=s;
995 s->prev=(SSL_SESSION *)&(ctx->session_cache_head);
996 s->next=(SSL_SESSION *)&(ctx->session_cache_tail);
997 }
998 else
999 {
1000 s->next=ctx->session_cache_head;
1001 s->next->prev=s;
1002 s->prev=(SSL_SESSION *)&(ctx->session_cache_head);
1003 ctx->session_cache_head=s;
1004 }
1005 }
1006
1007void SSL_CTX_sess_set_new_cb(SSL_CTX *ctx,
1008 int (*cb)(struct ssl_st *ssl,SSL_SESSION *sess))
1009 {
1010 ctx->new_session_cb=cb;
1011 }
1012
1013int (*SSL_CTX_sess_get_new_cb(SSL_CTX *ctx))(SSL *ssl, SSL_SESSION *sess)
1014 {
1015 return ctx->new_session_cb;
1016 }
1017
1018void SSL_CTX_sess_set_remove_cb(SSL_CTX *ctx,
1019 void (*cb)(SSL_CTX *ctx,SSL_SESSION *sess))
1020 {
1021 ctx->remove_session_cb=cb;
1022 }
1023
1024void (*SSL_CTX_sess_get_remove_cb(SSL_CTX *ctx))(SSL_CTX * ctx,SSL_SESSION *sess)
1025 {
1026 return ctx->remove_session_cb;
1027 }
1028
1029void SSL_CTX_sess_set_get_cb(SSL_CTX *ctx,
1030 SSL_SESSION *(*cb)(struct ssl_st *ssl,
1031 unsigned char *data,int len,int *copy))
1032 {
1033 ctx->get_session_cb=cb;
1034 }
1035
1036SSL_SESSION * (*SSL_CTX_sess_get_get_cb(SSL_CTX *ctx))(SSL *ssl,
1037 unsigned char *data,int len,int *copy)
1038 {
1039 return ctx->get_session_cb;
1040 }
1041
1042void SSL_CTX_set_info_callback(SSL_CTX *ctx,
1043 void (*cb)(const SSL *ssl,int type,int val))
1044 {
1045 ctx->info_callback=cb;
1046 }
1047
1048void (*SSL_CTX_get_info_callback(SSL_CTX *ctx))(const SSL *ssl,int type,int val)
1049 {
1050 return ctx->info_callback;
1051 }
1052
1053void SSL_CTX_set_client_cert_cb(SSL_CTX *ctx,
1054 int (*cb)(SSL *ssl, X509 **x509, EVP_PKEY **pkey))
1055 {
1056 ctx->client_cert_cb=cb;
1057 }
1058
1059int (*SSL_CTX_get_client_cert_cb(SSL_CTX *ctx))(SSL * ssl, X509 ** x509 , EVP_PKEY **pkey)
1060 {
1061 return ctx->client_cert_cb;
1062 }
1063
1064#ifndef OPENSSL_NO_ENGINE
1065int SSL_CTX_set_client_cert_engine(SSL_CTX *ctx, ENGINE *e)
1066 {
1067 if (!ENGINE_init(e))
1068 {
1069 SSLerr(SSL_F_SSL_CTX_SET_CLIENT_CERT_ENGINE, ERR_R_ENGINE_LIB);
1070 return 0;
1071 }
1072 if(!ENGINE_get_ssl_client_cert_function(e))
1073 {
1074 SSLerr(SSL_F_SSL_CTX_SET_CLIENT_CERT_ENGINE, SSL_R_NO_CLIENT_CERT_METHOD);
1075 ENGINE_finish(e);
1076 return 0;
1077 }
1078 ctx->client_cert_engine = e;
1079 return 1;
1080 }
1081#endif
1082
1083void SSL_CTX_set_cookie_generate_cb(SSL_CTX *ctx,
1084 int (*cb)(SSL *ssl, unsigned char *cookie, unsigned int *cookie_len))
1085 {
1086 ctx->app_gen_cookie_cb=cb;
1087 }
1088
1089void SSL_CTX_set_cookie_verify_cb(SSL_CTX *ctx,
1090 int (*cb)(SSL *ssl, unsigned char *cookie, unsigned int cookie_len))
1091 {
1092 ctx->app_verify_cookie_cb=cb;
1093 }
1094
1095IMPLEMENT_PEM_rw(SSL_SESSION, SSL_SESSION, PEM_STRING_SSL_SESSION, SSL_SESSION)
diff --git a/src/lib/libssl/ssl_stat.c b/src/lib/libssl/ssl_stat.c
deleted file mode 100644
index 144b81e55f..0000000000
--- a/src/lib/libssl/ssl_stat.c
+++ /dev/null
@@ -1,567 +0,0 @@
1/* ssl/ssl_stat.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58/* ====================================================================
59 * Copyright 2005 Nokia. All rights reserved.
60 *
61 * The portions of the attached software ("Contribution") is developed by
62 * Nokia Corporation and is licensed pursuant to the OpenSSL open source
63 * license.
64 *
65 * The Contribution, originally written by Mika Kousa and Pasi Eronen of
66 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
67 * support (see RFC 4279) to OpenSSL.
68 *
69 * No patent licenses or other rights except those expressly stated in
70 * the OpenSSL open source license shall be deemed granted or received
71 * expressly, by implication, estoppel, or otherwise.
72 *
73 * No assurances are provided by Nokia that the Contribution does not
74 * infringe the patent or other intellectual property rights of any third
75 * party or that the license provides you with all the necessary rights
76 * to make use of the Contribution.
77 *
78 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
79 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
80 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
81 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
82 * OTHERWISE.
83 */
84
85#include <stdio.h>
86#include "ssl_locl.h"
87
88const char *SSL_state_string_long(const SSL *s)
89 {
90 const char *str;
91
92 switch (s->state)
93 {
94case SSL_ST_BEFORE: str="before SSL initialization"; break;
95case SSL_ST_ACCEPT: str="before accept initialization"; break;
96case SSL_ST_CONNECT: str="before connect initialization"; break;
97case SSL_ST_OK: str="SSL negotiation finished successfully"; break;
98case SSL_ST_RENEGOTIATE: str="SSL renegotiate ciphers"; break;
99case SSL_ST_BEFORE|SSL_ST_CONNECT: str="before/connect initialization"; break;
100case SSL_ST_OK|SSL_ST_CONNECT: str="ok/connect SSL initialization"; break;
101case SSL_ST_BEFORE|SSL_ST_ACCEPT: str="before/accept initialization"; break;
102case SSL_ST_OK|SSL_ST_ACCEPT: str="ok/accept SSL initialization"; break;
103#ifndef OPENSSL_NO_SSL2
104case SSL2_ST_CLIENT_START_ENCRYPTION: str="SSLv2 client start encryption"; break;
105case SSL2_ST_SERVER_START_ENCRYPTION: str="SSLv2 server start encryption"; break;
106case SSL2_ST_SEND_CLIENT_HELLO_A: str="SSLv2 write client hello A"; break;
107case SSL2_ST_SEND_CLIENT_HELLO_B: str="SSLv2 write client hello B"; break;
108case SSL2_ST_GET_SERVER_HELLO_A: str="SSLv2 read server hello A"; break;
109case SSL2_ST_GET_SERVER_HELLO_B: str="SSLv2 read server hello B"; break;
110case SSL2_ST_SEND_CLIENT_MASTER_KEY_A: str="SSLv2 write client master key A"; break;
111case SSL2_ST_SEND_CLIENT_MASTER_KEY_B: str="SSLv2 write client master key B"; break;
112case SSL2_ST_SEND_CLIENT_FINISHED_A: str="SSLv2 write client finished A"; break;
113case SSL2_ST_SEND_CLIENT_FINISHED_B: str="SSLv2 write client finished B"; break;
114case SSL2_ST_SEND_CLIENT_CERTIFICATE_A: str="SSLv2 write client certificate A"; break;
115case SSL2_ST_SEND_CLIENT_CERTIFICATE_B: str="SSLv2 write client certificate B"; break;
116case SSL2_ST_SEND_CLIENT_CERTIFICATE_C: str="SSLv2 write client certificate C"; break;
117case SSL2_ST_SEND_CLIENT_CERTIFICATE_D: str="SSLv2 write client certificate D"; break;
118case SSL2_ST_GET_SERVER_VERIFY_A: str="SSLv2 read server verify A"; break;
119case SSL2_ST_GET_SERVER_VERIFY_B: str="SSLv2 read server verify B"; break;
120case SSL2_ST_GET_SERVER_FINISHED_A: str="SSLv2 read server finished A"; break;
121case SSL2_ST_GET_SERVER_FINISHED_B: str="SSLv2 read server finished B"; break;
122case SSL2_ST_GET_CLIENT_HELLO_A: str="SSLv2 read client hello A"; break;
123case SSL2_ST_GET_CLIENT_HELLO_B: str="SSLv2 read client hello B"; break;
124case SSL2_ST_GET_CLIENT_HELLO_C: str="SSLv2 read client hello C"; break;
125case SSL2_ST_SEND_SERVER_HELLO_A: str="SSLv2 write server hello A"; break;
126case SSL2_ST_SEND_SERVER_HELLO_B: str="SSLv2 write server hello B"; break;
127case SSL2_ST_GET_CLIENT_MASTER_KEY_A: str="SSLv2 read client master key A"; break;
128case SSL2_ST_GET_CLIENT_MASTER_KEY_B: str="SSLv2 read client master key B"; break;
129case SSL2_ST_SEND_SERVER_VERIFY_A: str="SSLv2 write server verify A"; break;
130case SSL2_ST_SEND_SERVER_VERIFY_B: str="SSLv2 write server verify B"; break;
131case SSL2_ST_SEND_SERVER_VERIFY_C: str="SSLv2 write server verify C"; break;
132case SSL2_ST_GET_CLIENT_FINISHED_A: str="SSLv2 read client finished A"; break;
133case SSL2_ST_GET_CLIENT_FINISHED_B: str="SSLv2 read client finished B"; break;
134case SSL2_ST_SEND_SERVER_FINISHED_A: str="SSLv2 write server finished A"; break;
135case SSL2_ST_SEND_SERVER_FINISHED_B: str="SSLv2 write server finished B"; break;
136case SSL2_ST_SEND_REQUEST_CERTIFICATE_A: str="SSLv2 write request certificate A"; break;
137case SSL2_ST_SEND_REQUEST_CERTIFICATE_B: str="SSLv2 write request certificate B"; break;
138case SSL2_ST_SEND_REQUEST_CERTIFICATE_C: str="SSLv2 write request certificate C"; break;
139case SSL2_ST_SEND_REQUEST_CERTIFICATE_D: str="SSLv2 write request certificate D"; break;
140case SSL2_ST_X509_GET_SERVER_CERTIFICATE: str="SSLv2 X509 read server certificate"; break;
141case SSL2_ST_X509_GET_CLIENT_CERTIFICATE: str="SSLv2 X509 read client certificate"; break;
142#endif
143
144#ifndef OPENSSL_NO_SSL3
145/* SSLv3 additions */
146case SSL3_ST_CW_CLNT_HELLO_A: str="SSLv3 write client hello A"; break;
147case SSL3_ST_CW_CLNT_HELLO_B: str="SSLv3 write client hello B"; break;
148case SSL3_ST_CR_SRVR_HELLO_A: str="SSLv3 read server hello A"; break;
149case SSL3_ST_CR_SRVR_HELLO_B: str="SSLv3 read server hello B"; break;
150case SSL3_ST_CR_CERT_A: str="SSLv3 read server certificate A"; break;
151case SSL3_ST_CR_CERT_B: str="SSLv3 read server certificate B"; break;
152case SSL3_ST_CR_KEY_EXCH_A: str="SSLv3 read server key exchange A"; break;
153case SSL3_ST_CR_KEY_EXCH_B: str="SSLv3 read server key exchange B"; break;
154case SSL3_ST_CR_CERT_REQ_A: str="SSLv3 read server certificate request A"; break;
155case SSL3_ST_CR_CERT_REQ_B: str="SSLv3 read server certificate request B"; break;
156case SSL3_ST_CR_SESSION_TICKET_A: str="SSLv3 read server session ticket A";break;
157case SSL3_ST_CR_SESSION_TICKET_B: str="SSLv3 read server session ticket B";break;
158case SSL3_ST_CR_SRVR_DONE_A: str="SSLv3 read server done A"; break;
159case SSL3_ST_CR_SRVR_DONE_B: str="SSLv3 read server done B"; break;
160case SSL3_ST_CW_CERT_A: str="SSLv3 write client certificate A"; break;
161case SSL3_ST_CW_CERT_B: str="SSLv3 write client certificate B"; break;
162case SSL3_ST_CW_CERT_C: str="SSLv3 write client certificate C"; break;
163case SSL3_ST_CW_CERT_D: str="SSLv3 write client certificate D"; break;
164case SSL3_ST_CW_KEY_EXCH_A: str="SSLv3 write client key exchange A"; break;
165case SSL3_ST_CW_KEY_EXCH_B: str="SSLv3 write client key exchange B"; break;
166case SSL3_ST_CW_CERT_VRFY_A: str="SSLv3 write certificate verify A"; break;
167case SSL3_ST_CW_CERT_VRFY_B: str="SSLv3 write certificate verify B"; break;
168
169case SSL3_ST_CW_CHANGE_A:
170case SSL3_ST_SW_CHANGE_A: str="SSLv3 write change cipher spec A"; break;
171case SSL3_ST_CW_CHANGE_B:
172case SSL3_ST_SW_CHANGE_B: str="SSLv3 write change cipher spec B"; break;
173case SSL3_ST_CW_FINISHED_A:
174case SSL3_ST_SW_FINISHED_A: str="SSLv3 write finished A"; break;
175case SSL3_ST_CW_FINISHED_B:
176case SSL3_ST_SW_FINISHED_B: str="SSLv3 write finished B"; break;
177case SSL3_ST_CR_CHANGE_A:
178case SSL3_ST_SR_CHANGE_A: str="SSLv3 read change cipher spec A"; break;
179case SSL3_ST_CR_CHANGE_B:
180case SSL3_ST_SR_CHANGE_B: str="SSLv3 read change cipher spec B"; break;
181case SSL3_ST_CR_FINISHED_A:
182case SSL3_ST_SR_FINISHED_A: str="SSLv3 read finished A"; break;
183case SSL3_ST_CR_FINISHED_B:
184case SSL3_ST_SR_FINISHED_B: str="SSLv3 read finished B"; break;
185
186case SSL3_ST_CW_FLUSH:
187case SSL3_ST_SW_FLUSH: str="SSLv3 flush data"; break;
188
189case SSL3_ST_SR_CLNT_HELLO_A: str="SSLv3 read client hello A"; break;
190case SSL3_ST_SR_CLNT_HELLO_B: str="SSLv3 read client hello B"; break;
191case SSL3_ST_SR_CLNT_HELLO_C: str="SSLv3 read client hello C"; break;
192case SSL3_ST_SW_HELLO_REQ_A: str="SSLv3 write hello request A"; break;
193case SSL3_ST_SW_HELLO_REQ_B: str="SSLv3 write hello request B"; break;
194case SSL3_ST_SW_HELLO_REQ_C: str="SSLv3 write hello request C"; break;
195case SSL3_ST_SW_SRVR_HELLO_A: str="SSLv3 write server hello A"; break;
196case SSL3_ST_SW_SRVR_HELLO_B: str="SSLv3 write server hello B"; break;
197case SSL3_ST_SW_CERT_A: str="SSLv3 write certificate A"; break;
198case SSL3_ST_SW_CERT_B: str="SSLv3 write certificate B"; break;
199case SSL3_ST_SW_KEY_EXCH_A: str="SSLv3 write key exchange A"; break;
200case SSL3_ST_SW_KEY_EXCH_B: str="SSLv3 write key exchange B"; break;
201case SSL3_ST_SW_CERT_REQ_A: str="SSLv3 write certificate request A"; break;
202case SSL3_ST_SW_CERT_REQ_B: str="SSLv3 write certificate request B"; break;
203case SSL3_ST_SW_SESSION_TICKET_A: str="SSLv3 write session ticket A"; break;
204case SSL3_ST_SW_SESSION_TICKET_B: str="SSLv3 write session ticket B"; break;
205case SSL3_ST_SW_SRVR_DONE_A: str="SSLv3 write server done A"; break;
206case SSL3_ST_SW_SRVR_DONE_B: str="SSLv3 write server done B"; break;
207case SSL3_ST_SR_CERT_A: str="SSLv3 read client certificate A"; break;
208case SSL3_ST_SR_CERT_B: str="SSLv3 read client certificate B"; break;
209case SSL3_ST_SR_KEY_EXCH_A: str="SSLv3 read client key exchange A"; break;
210case SSL3_ST_SR_KEY_EXCH_B: str="SSLv3 read client key exchange B"; break;
211case SSL3_ST_SR_CERT_VRFY_A: str="SSLv3 read certificate verify A"; break;
212case SSL3_ST_SR_CERT_VRFY_B: str="SSLv3 read certificate verify B"; break;
213#endif
214
215#if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3)
216/* SSLv2/v3 compatibility states */
217/* client */
218case SSL23_ST_CW_CLNT_HELLO_A: str="SSLv2/v3 write client hello A"; break;
219case SSL23_ST_CW_CLNT_HELLO_B: str="SSLv2/v3 write client hello B"; break;
220case SSL23_ST_CR_SRVR_HELLO_A: str="SSLv2/v3 read server hello A"; break;
221case SSL23_ST_CR_SRVR_HELLO_B: str="SSLv2/v3 read server hello B"; break;
222/* server */
223case SSL23_ST_SR_CLNT_HELLO_A: str="SSLv2/v3 read client hello A"; break;
224case SSL23_ST_SR_CLNT_HELLO_B: str="SSLv2/v3 read client hello B"; break;
225#endif
226
227/* DTLS */
228case DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A: str="DTLS1 read hello verify request A"; break;
229case DTLS1_ST_CR_HELLO_VERIFY_REQUEST_B: str="DTLS1 read hello verify request B"; break;
230case DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A: str="DTLS1 write hello verify request A"; break;
231case DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B: str="DTLS1 write hello verify request B"; break;
232
233default: str="unknown state"; break;
234 }
235 return(str);
236 }
237
238const char *SSL_rstate_string_long(const SSL *s)
239 {
240 const char *str;
241
242 switch (s->rstate)
243 {
244 case SSL_ST_READ_HEADER: str="read header"; break;
245 case SSL_ST_READ_BODY: str="read body"; break;
246 case SSL_ST_READ_DONE: str="read done"; break;
247 default: str="unknown"; break;
248 }
249 return(str);
250 }
251
252const char *SSL_state_string(const SSL *s)
253 {
254 const char *str;
255
256 switch (s->state)
257 {
258case SSL_ST_BEFORE: str="PINIT "; break;
259case SSL_ST_ACCEPT: str="AINIT "; break;
260case SSL_ST_CONNECT: str="CINIT "; break;
261case SSL_ST_OK: str="SSLOK "; break;
262#ifndef OPENSSL_NO_SSL2
263case SSL2_ST_CLIENT_START_ENCRYPTION: str="2CSENC"; break;
264case SSL2_ST_SERVER_START_ENCRYPTION: str="2SSENC"; break;
265case SSL2_ST_SEND_CLIENT_HELLO_A: str="2SCH_A"; break;
266case SSL2_ST_SEND_CLIENT_HELLO_B: str="2SCH_B"; break;
267case SSL2_ST_GET_SERVER_HELLO_A: str="2GSH_A"; break;
268case SSL2_ST_GET_SERVER_HELLO_B: str="2GSH_B"; break;
269case SSL2_ST_SEND_CLIENT_MASTER_KEY_A: str="2SCMKA"; break;
270case SSL2_ST_SEND_CLIENT_MASTER_KEY_B: str="2SCMKB"; break;
271case SSL2_ST_SEND_CLIENT_FINISHED_A: str="2SCF_A"; break;
272case SSL2_ST_SEND_CLIENT_FINISHED_B: str="2SCF_B"; break;
273case SSL2_ST_SEND_CLIENT_CERTIFICATE_A: str="2SCC_A"; break;
274case SSL2_ST_SEND_CLIENT_CERTIFICATE_B: str="2SCC_B"; break;
275case SSL2_ST_SEND_CLIENT_CERTIFICATE_C: str="2SCC_C"; break;
276case SSL2_ST_SEND_CLIENT_CERTIFICATE_D: str="2SCC_D"; break;
277case SSL2_ST_GET_SERVER_VERIFY_A: str="2GSV_A"; break;
278case SSL2_ST_GET_SERVER_VERIFY_B: str="2GSV_B"; break;
279case SSL2_ST_GET_SERVER_FINISHED_A: str="2GSF_A"; break;
280case SSL2_ST_GET_SERVER_FINISHED_B: str="2GSF_B"; break;
281case SSL2_ST_GET_CLIENT_HELLO_A: str="2GCH_A"; break;
282case SSL2_ST_GET_CLIENT_HELLO_B: str="2GCH_B"; break;
283case SSL2_ST_GET_CLIENT_HELLO_C: str="2GCH_C"; break;
284case SSL2_ST_SEND_SERVER_HELLO_A: str="2SSH_A"; break;
285case SSL2_ST_SEND_SERVER_HELLO_B: str="2SSH_B"; break;
286case SSL2_ST_GET_CLIENT_MASTER_KEY_A: str="2GCMKA"; break;
287case SSL2_ST_GET_CLIENT_MASTER_KEY_B: str="2GCMKA"; break;
288case SSL2_ST_SEND_SERVER_VERIFY_A: str="2SSV_A"; break;
289case SSL2_ST_SEND_SERVER_VERIFY_B: str="2SSV_B"; break;
290case SSL2_ST_SEND_SERVER_VERIFY_C: str="2SSV_C"; break;
291case SSL2_ST_GET_CLIENT_FINISHED_A: str="2GCF_A"; break;
292case SSL2_ST_GET_CLIENT_FINISHED_B: str="2GCF_B"; break;
293case SSL2_ST_SEND_SERVER_FINISHED_A: str="2SSF_A"; break;
294case SSL2_ST_SEND_SERVER_FINISHED_B: str="2SSF_B"; break;
295case SSL2_ST_SEND_REQUEST_CERTIFICATE_A: str="2SRC_A"; break;
296case SSL2_ST_SEND_REQUEST_CERTIFICATE_B: str="2SRC_B"; break;
297case SSL2_ST_SEND_REQUEST_CERTIFICATE_C: str="2SRC_C"; break;
298case SSL2_ST_SEND_REQUEST_CERTIFICATE_D: str="2SRC_D"; break;
299case SSL2_ST_X509_GET_SERVER_CERTIFICATE: str="2X9GSC"; break;
300case SSL2_ST_X509_GET_CLIENT_CERTIFICATE: str="2X9GCC"; break;
301#endif
302
303#ifndef OPENSSL_NO_SSL3
304/* SSLv3 additions */
305case SSL3_ST_SW_FLUSH:
306case SSL3_ST_CW_FLUSH: str="3FLUSH"; break;
307case SSL3_ST_CW_CLNT_HELLO_A: str="3WCH_A"; break;
308case SSL3_ST_CW_CLNT_HELLO_B: str="3WCH_B"; break;
309case SSL3_ST_CR_SRVR_HELLO_A: str="3RSH_A"; break;
310case SSL3_ST_CR_SRVR_HELLO_B: str="3RSH_B"; break;
311case SSL3_ST_CR_CERT_A: str="3RSC_A"; break;
312case SSL3_ST_CR_CERT_B: str="3RSC_B"; break;
313case SSL3_ST_CR_KEY_EXCH_A: str="3RSKEA"; break;
314case SSL3_ST_CR_KEY_EXCH_B: str="3RSKEB"; break;
315case SSL3_ST_CR_CERT_REQ_A: str="3RCR_A"; break;
316case SSL3_ST_CR_CERT_REQ_B: str="3RCR_B"; break;
317case SSL3_ST_CR_SRVR_DONE_A: str="3RSD_A"; break;
318case SSL3_ST_CR_SRVR_DONE_B: str="3RSD_B"; break;
319case SSL3_ST_CW_CERT_A: str="3WCC_A"; break;
320case SSL3_ST_CW_CERT_B: str="3WCC_B"; break;
321case SSL3_ST_CW_CERT_C: str="3WCC_C"; break;
322case SSL3_ST_CW_CERT_D: str="3WCC_D"; break;
323case SSL3_ST_CW_KEY_EXCH_A: str="3WCKEA"; break;
324case SSL3_ST_CW_KEY_EXCH_B: str="3WCKEB"; break;
325case SSL3_ST_CW_CERT_VRFY_A: str="3WCV_A"; break;
326case SSL3_ST_CW_CERT_VRFY_B: str="3WCV_B"; break;
327
328case SSL3_ST_SW_CHANGE_A:
329case SSL3_ST_CW_CHANGE_A: str="3WCCSA"; break;
330case SSL3_ST_SW_CHANGE_B:
331case SSL3_ST_CW_CHANGE_B: str="3WCCSB"; break;
332case SSL3_ST_SW_FINISHED_A:
333case SSL3_ST_CW_FINISHED_A: str="3WFINA"; break;
334case SSL3_ST_SW_FINISHED_B:
335case SSL3_ST_CW_FINISHED_B: str="3WFINB"; break;
336case SSL3_ST_SR_CHANGE_A:
337case SSL3_ST_CR_CHANGE_A: str="3RCCSA"; break;
338case SSL3_ST_SR_CHANGE_B:
339case SSL3_ST_CR_CHANGE_B: str="3RCCSB"; break;
340case SSL3_ST_SR_FINISHED_A:
341case SSL3_ST_CR_FINISHED_A: str="3RFINA"; break;
342case SSL3_ST_SR_FINISHED_B:
343case SSL3_ST_CR_FINISHED_B: str="3RFINB"; break;
344
345case SSL3_ST_SW_HELLO_REQ_A: str="3WHR_A"; break;
346case SSL3_ST_SW_HELLO_REQ_B: str="3WHR_B"; break;
347case SSL3_ST_SW_HELLO_REQ_C: str="3WHR_C"; break;
348case SSL3_ST_SR_CLNT_HELLO_A: str="3RCH_A"; break;
349case SSL3_ST_SR_CLNT_HELLO_B: str="3RCH_B"; break;
350case SSL3_ST_SR_CLNT_HELLO_C: str="3RCH_C"; break;
351case SSL3_ST_SW_SRVR_HELLO_A: str="3WSH_A"; break;
352case SSL3_ST_SW_SRVR_HELLO_B: str="3WSH_B"; break;
353case SSL3_ST_SW_CERT_A: str="3WSC_A"; break;
354case SSL3_ST_SW_CERT_B: str="3WSC_B"; break;
355case SSL3_ST_SW_KEY_EXCH_A: str="3WSKEA"; break;
356case SSL3_ST_SW_KEY_EXCH_B: str="3WSKEB"; break;
357case SSL3_ST_SW_CERT_REQ_A: str="3WCR_A"; break;
358case SSL3_ST_SW_CERT_REQ_B: str="3WCR_B"; break;
359case SSL3_ST_SW_SRVR_DONE_A: str="3WSD_A"; break;
360case SSL3_ST_SW_SRVR_DONE_B: str="3WSD_B"; break;
361case SSL3_ST_SR_CERT_A: str="3RCC_A"; break;
362case SSL3_ST_SR_CERT_B: str="3RCC_B"; break;
363case SSL3_ST_SR_KEY_EXCH_A: str="3RCKEA"; break;
364case SSL3_ST_SR_KEY_EXCH_B: str="3RCKEB"; break;
365case SSL3_ST_SR_CERT_VRFY_A: str="3RCV_A"; break;
366case SSL3_ST_SR_CERT_VRFY_B: str="3RCV_B"; break;
367#endif
368
369#if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3)
370/* SSLv2/v3 compatibility states */
371/* client */
372case SSL23_ST_CW_CLNT_HELLO_A: str="23WCHA"; break;
373case SSL23_ST_CW_CLNT_HELLO_B: str="23WCHB"; break;
374case SSL23_ST_CR_SRVR_HELLO_A: str="23RSHA"; break;
375case SSL23_ST_CR_SRVR_HELLO_B: str="23RSHA"; break;
376/* server */
377case SSL23_ST_SR_CLNT_HELLO_A: str="23RCHA"; break;
378case SSL23_ST_SR_CLNT_HELLO_B: str="23RCHB"; break;
379#endif
380/* DTLS */
381case DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A: str="DRCHVA"; break;
382case DTLS1_ST_CR_HELLO_VERIFY_REQUEST_B: str="DRCHVB"; break;
383case DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A: str="DWCHVA"; break;
384case DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B: str="DWCHVB"; break;
385
386default: str="UNKWN "; break;
387 }
388 return(str);
389 }
390
391const char *SSL_alert_type_string_long(int value)
392 {
393 value>>=8;
394 if (value == SSL3_AL_WARNING)
395 return("warning");
396 else if (value == SSL3_AL_FATAL)
397 return("fatal");
398 else
399 return("unknown");
400 }
401
402const char *SSL_alert_type_string(int value)
403 {
404 value>>=8;
405 if (value == SSL3_AL_WARNING)
406 return("W");
407 else if (value == SSL3_AL_FATAL)
408 return("F");
409 else
410 return("U");
411 }
412
413const char *SSL_alert_desc_string(int value)
414 {
415 const char *str;
416
417 switch (value & 0xff)
418 {
419 case SSL3_AD_CLOSE_NOTIFY: str="CN"; break;
420 case SSL3_AD_UNEXPECTED_MESSAGE: str="UM"; break;
421 case SSL3_AD_BAD_RECORD_MAC: str="BM"; break;
422 case SSL3_AD_DECOMPRESSION_FAILURE: str="DF"; break;
423 case SSL3_AD_HANDSHAKE_FAILURE: str="HF"; break;
424 case SSL3_AD_NO_CERTIFICATE: str="NC"; break;
425 case SSL3_AD_BAD_CERTIFICATE: str="BC"; break;
426 case SSL3_AD_UNSUPPORTED_CERTIFICATE: str="UC"; break;
427 case SSL3_AD_CERTIFICATE_REVOKED: str="CR"; break;
428 case SSL3_AD_CERTIFICATE_EXPIRED: str="CE"; break;
429 case SSL3_AD_CERTIFICATE_UNKNOWN: str="CU"; break;
430 case SSL3_AD_ILLEGAL_PARAMETER: str="IP"; break;
431 case TLS1_AD_DECRYPTION_FAILED: str="DC"; break;
432 case TLS1_AD_RECORD_OVERFLOW: str="RO"; break;
433 case TLS1_AD_UNKNOWN_CA: str="CA"; break;
434 case TLS1_AD_ACCESS_DENIED: str="AD"; break;
435 case TLS1_AD_DECODE_ERROR: str="DE"; break;
436 case TLS1_AD_DECRYPT_ERROR: str="CY"; break;
437 case TLS1_AD_EXPORT_RESTRICTION: str="ER"; break;
438 case TLS1_AD_PROTOCOL_VERSION: str="PV"; break;
439 case TLS1_AD_INSUFFICIENT_SECURITY: str="IS"; break;
440 case TLS1_AD_INTERNAL_ERROR: str="IE"; break;
441 case TLS1_AD_USER_CANCELLED: str="US"; break;
442 case TLS1_AD_NO_RENEGOTIATION: str="NR"; break;
443 case TLS1_AD_UNSUPPORTED_EXTENSION: str="UE"; break;
444 case TLS1_AD_CERTIFICATE_UNOBTAINABLE: str="CO"; break;
445 case TLS1_AD_UNRECOGNIZED_NAME: str="UN"; break;
446 case TLS1_AD_BAD_CERTIFICATE_STATUS_RESPONSE: str="BR"; break;
447 case TLS1_AD_BAD_CERTIFICATE_HASH_VALUE: str="BH"; break;
448 case TLS1_AD_UNKNOWN_PSK_IDENTITY: str="UP"; break;
449 default: str="UK"; break;
450 }
451 return(str);
452 }
453
454const char *SSL_alert_desc_string_long(int value)
455 {
456 const char *str;
457
458 switch (value & 0xff)
459 {
460 case SSL3_AD_CLOSE_NOTIFY:
461 str="close notify";
462 break;
463 case SSL3_AD_UNEXPECTED_MESSAGE:
464 str="unexpected_message";
465 break;
466 case SSL3_AD_BAD_RECORD_MAC:
467 str="bad record mac";
468 break;
469 case SSL3_AD_DECOMPRESSION_FAILURE:
470 str="decompression failure";
471 break;
472 case SSL3_AD_HANDSHAKE_FAILURE:
473 str="handshake failure";
474 break;
475 case SSL3_AD_NO_CERTIFICATE:
476 str="no certificate";
477 break;
478 case SSL3_AD_BAD_CERTIFICATE:
479 str="bad certificate";
480 break;
481 case SSL3_AD_UNSUPPORTED_CERTIFICATE:
482 str="unsupported certificate";
483 break;
484 case SSL3_AD_CERTIFICATE_REVOKED:
485 str="certificate revoked";
486 break;
487 case SSL3_AD_CERTIFICATE_EXPIRED:
488 str="certificate expired";
489 break;
490 case SSL3_AD_CERTIFICATE_UNKNOWN:
491 str="certificate unknown";
492 break;
493 case SSL3_AD_ILLEGAL_PARAMETER:
494 str="illegal parameter";
495 break;
496 case TLS1_AD_DECRYPTION_FAILED:
497 str="decryption failed";
498 break;
499 case TLS1_AD_RECORD_OVERFLOW:
500 str="record overflow";
501 break;
502 case TLS1_AD_UNKNOWN_CA:
503 str="unknown CA";
504 break;
505 case TLS1_AD_ACCESS_DENIED:
506 str="access denied";
507 break;
508 case TLS1_AD_DECODE_ERROR:
509 str="decode error";
510 break;
511 case TLS1_AD_DECRYPT_ERROR:
512 str="decrypt error";
513 break;
514 case TLS1_AD_EXPORT_RESTRICTION:
515 str="export restriction";
516 break;
517 case TLS1_AD_PROTOCOL_VERSION:
518 str="protocol version";
519 break;
520 case TLS1_AD_INSUFFICIENT_SECURITY:
521 str="insufficient security";
522 break;
523 case TLS1_AD_INTERNAL_ERROR:
524 str="internal error";
525 break;
526 case TLS1_AD_USER_CANCELLED:
527 str="user canceled";
528 break;
529 case TLS1_AD_NO_RENEGOTIATION:
530 str="no renegotiation";
531 break;
532 case TLS1_AD_UNSUPPORTED_EXTENSION:
533 str="unsupported extension";
534 break;
535 case TLS1_AD_CERTIFICATE_UNOBTAINABLE:
536 str="certificate unobtainable";
537 break;
538 case TLS1_AD_UNRECOGNIZED_NAME:
539 str="unrecognized name";
540 break;
541 case TLS1_AD_BAD_CERTIFICATE_STATUS_RESPONSE:
542 str="bad certificate status response";
543 break;
544 case TLS1_AD_BAD_CERTIFICATE_HASH_VALUE:
545 str="bad certificate hash value";
546 break;
547 case TLS1_AD_UNKNOWN_PSK_IDENTITY:
548 str="unknown PSK identity";
549 break;
550 default: str="unknown"; break;
551 }
552 return(str);
553 }
554
555const char *SSL_rstate_string(const SSL *s)
556 {
557 const char *str;
558
559 switch (s->rstate)
560 {
561 case SSL_ST_READ_HEADER:str="RH"; break;
562 case SSL_ST_READ_BODY: str="RB"; break;
563 case SSL_ST_READ_DONE: str="RD"; break;
564 default: str="unknown"; break;
565 }
566 return(str);
567 }
diff --git a/src/lib/libssl/ssl_txt.c b/src/lib/libssl/ssl_txt.c
deleted file mode 100644
index 3122440e26..0000000000
--- a/src/lib/libssl/ssl_txt.c
+++ /dev/null
@@ -1,240 +0,0 @@
1/* ssl/ssl_txt.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58/* ====================================================================
59 * Copyright 2005 Nokia. All rights reserved.
60 *
61 * The portions of the attached software ("Contribution") is developed by
62 * Nokia Corporation and is licensed pursuant to the OpenSSL open source
63 * license.
64 *
65 * The Contribution, originally written by Mika Kousa and Pasi Eronen of
66 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
67 * support (see RFC 4279) to OpenSSL.
68 *
69 * No patent licenses or other rights except those expressly stated in
70 * the OpenSSL open source license shall be deemed granted or received
71 * expressly, by implication, estoppel, or otherwise.
72 *
73 * No assurances are provided by Nokia that the Contribution does not
74 * infringe the patent or other intellectual property rights of any third
75 * party or that the license provides you with all the necessary rights
76 * to make use of the Contribution.
77 *
78 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
79 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
80 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
81 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
82 * OTHERWISE.
83 */
84
85#include <stdio.h>
86#include <openssl/buffer.h>
87#include "ssl_locl.h"
88
89#ifndef OPENSSL_NO_FP_API
90int SSL_SESSION_print_fp(FILE *fp, const SSL_SESSION *x)
91 {
92 BIO *b;
93 int ret;
94
95 if ((b=BIO_new(BIO_s_file_internal())) == NULL)
96 {
97 SSLerr(SSL_F_SSL_SESSION_PRINT_FP,ERR_R_BUF_LIB);
98 return(0);
99 }
100 BIO_set_fp(b,fp,BIO_NOCLOSE);
101 ret=SSL_SESSION_print(b,x);
102 BIO_free(b);
103 return(ret);
104 }
105#endif
106
107int SSL_SESSION_print(BIO *bp, const SSL_SESSION *x)
108 {
109 unsigned int i;
110 const char *s;
111
112 if (x == NULL) goto err;
113 if (BIO_puts(bp,"SSL-Session:\n") <= 0) goto err;
114 if (x->ssl_version == SSL2_VERSION)
115 s="SSLv2";
116 else if (x->ssl_version == SSL3_VERSION)
117 s="SSLv3";
118 else if (x->ssl_version == TLS1_VERSION)
119 s="TLSv1";
120 else if (x->ssl_version == DTLS1_VERSION)
121 s="DTLSv1";
122 else if (x->ssl_version == DTLS1_BAD_VER)
123 s="DTLSv1-bad";
124 else
125 s="unknown";
126 if (BIO_printf(bp," Protocol : %s\n",s) <= 0) goto err;
127
128 if (x->cipher == NULL)
129 {
130 if (((x->cipher_id) & 0xff000000) == 0x02000000)
131 {
132 if (BIO_printf(bp," Cipher : %06lX\n",x->cipher_id&0xffffff) <= 0)
133 goto err;
134 }
135 else
136 {
137 if (BIO_printf(bp," Cipher : %04lX\n",x->cipher_id&0xffff) <= 0)
138 goto err;
139 }
140 }
141 else
142 {
143 if (BIO_printf(bp," Cipher : %s\n",((x->cipher == NULL)?"unknown":x->cipher->name)) <= 0)
144 goto err;
145 }
146 if (BIO_puts(bp," Session-ID: ") <= 0) goto err;
147 for (i=0; i<x->session_id_length; i++)
148 {
149 if (BIO_printf(bp,"%02X",x->session_id[i]) <= 0) goto err;
150 }
151 if (BIO_puts(bp,"\n Session-ID-ctx: ") <= 0) goto err;
152 for (i=0; i<x->sid_ctx_length; i++)
153 {
154 if (BIO_printf(bp,"%02X",x->sid_ctx[i]) <= 0)
155 goto err;
156 }
157 if (BIO_puts(bp,"\n Master-Key: ") <= 0) goto err;
158 for (i=0; i<(unsigned int)x->master_key_length; i++)
159 {
160 if (BIO_printf(bp,"%02X",x->master_key[i]) <= 0) goto err;
161 }
162 if (BIO_puts(bp,"\n Key-Arg : ") <= 0) goto err;
163 if (x->key_arg_length == 0)
164 {
165 if (BIO_puts(bp,"None") <= 0) goto err;
166 }
167 else
168 for (i=0; i<x->key_arg_length; i++)
169 {
170 if (BIO_printf(bp,"%02X",x->key_arg[i]) <= 0) goto err;
171 }
172#ifndef OPENSSL_NO_KRB5
173 if (BIO_puts(bp,"\n Krb5 Principal: ") <= 0) goto err;
174 if (x->krb5_client_princ_len == 0)
175 {
176 if (BIO_puts(bp,"None") <= 0) goto err;
177 }
178 else
179 for (i=0; i<x->krb5_client_princ_len; i++)
180 {
181 if (BIO_printf(bp,"%02X",x->krb5_client_princ[i]) <= 0) goto err;
182 }
183#endif /* OPENSSL_NO_KRB5 */
184#ifndef OPENSSL_NO_PSK
185 if (BIO_puts(bp,"\n PSK identity: ") <= 0) goto err;
186 if (BIO_printf(bp, "%s", x->psk_identity ? x->psk_identity : "None") <= 0) goto err;
187 if (BIO_puts(bp,"\n PSK identity hint: ") <= 0) goto err;
188 if (BIO_printf(bp, "%s", x->psk_identity_hint ? x->psk_identity_hint : "None") <= 0) goto err;
189#endif
190#ifndef OPENSSL_NO_TLSEXT
191 if (x->tlsext_tick_lifetime_hint)
192 {
193 if (BIO_printf(bp,
194 "\n TLS session ticket lifetime hint: %ld (seconds)",
195 x->tlsext_tick_lifetime_hint) <=0)
196 goto err;
197 }
198 if (x->tlsext_tick)
199 {
200 if (BIO_puts(bp, "\n TLS session ticket:\n") <= 0) goto err;
201 if (BIO_dump_indent(bp, (char *)x->tlsext_tick, x->tlsext_ticklen, 4) <= 0)
202 goto err;
203 }
204#endif
205
206#ifndef OPENSSL_NO_COMP
207 if (x->compress_meth != 0)
208 {
209 SSL_COMP *comp = NULL;
210
211 ssl_cipher_get_evp(x,NULL,NULL,NULL,NULL,&comp);
212 if (comp == NULL)
213 {
214 if (BIO_printf(bp,"\n Compression: %d",x->compress_meth) <= 0) goto err;
215 }
216 else
217 {
218 if (BIO_printf(bp,"\n Compression: %d (%s)", comp->id,comp->method->name) <= 0) goto err;
219 }
220 }
221#endif
222 if (x->time != 0L)
223 {
224 if (BIO_printf(bp, "\n Start Time: %ld",x->time) <= 0) goto err;
225 }
226 if (x->timeout != 0L)
227 {
228 if (BIO_printf(bp, "\n Timeout : %ld (sec)",x->timeout) <= 0) goto err;
229 }
230 if (BIO_puts(bp,"\n") <= 0) goto err;
231
232 if (BIO_puts(bp, " Verify return code: ") <= 0) goto err;
233 if (BIO_printf(bp, "%ld (%s)\n", x->verify_result,
234 X509_verify_cert_error_string(x->verify_result)) <= 0) goto err;
235
236 return(1);
237err:
238 return(0);
239 }
240
diff --git a/src/lib/libssl/ssleay.cnf b/src/lib/libssl/ssleay.cnf
deleted file mode 100644
index c6480ee465..0000000000
--- a/src/lib/libssl/ssleay.cnf
+++ /dev/null
@@ -1,65 +0,0 @@
1#
2# SSLeay example configuration file.
3# This is mostly being used for generation of certificate requests.
4#
5
6RANDFILE = /dev/arandom
7
8####################################################################
9[ req ]
10default_bits = 1024
11default_keyfile = privkey.pem
12distinguished_name = req_distinguished_name
13attributes = req_attributes
14
15[ req_distinguished_name ]
16countryName = Country Name (2 letter code)
17#countryName_default = AU
18countryName_min = 2
19countryName_max = 2
20
21stateOrProvinceName = State or Province Name (full name)
22#stateOrProvinceName_default = Some-State
23
24localityName = Locality Name (eg, city)
25
260.organizationName = Organization Name (eg, company)
27#0.organizationName_default = Internet Widgits Pty Ltd
28
29# we can do this but it is not needed normally :-)
30#1.organizationName = Second Organization Name (eg, company)
31#1.organizationName_default = CryptSoft Pty Ltd
32
33organizationalUnitName = Organizational Unit Name (eg, section)
34#organizationalUnitName_default =
35
36commonName = Common Name (eg, fully qualified host name)
37commonName_max = 64
38
39emailAddress = Email Address
40emailAddress_max = 64
41
42[ req_attributes ]
43challengePassword = A challenge password
44challengePassword_min = 4
45challengePassword_max = 20
46
47unstructuredName = An optional company name
48
49[ x509v3_extensions ]
50
51nsCaRevocationUrl = http://www.cryptsoft.com/ca-crl.pem
52nsComment = "This is a comment"
53
54# under ASN.1, the 0 bit would be encoded as 80
55nsCertType = 0x40
56
57#nsBaseUrl
58#nsRevocationUrl
59#nsRenewalUrl
60#nsCaPolicyUrl
61#nsSslServerName
62#nsCertSequence
63#nsCertExt
64#nsDataType
65
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2026-01-10 20:04:00 +0000