summaryrefslogtreecommitdiff
path: root/src/lib/libssl/ssl_lib.c
diff options
context:
space:
mode:
Diffstat (limited to 'src/lib/libssl/ssl_lib.c')
-rw-r--r--src/lib/libssl/ssl_lib.c707
1 files changed, 416 insertions, 291 deletions
diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c
index cde564cade..830f574183 100644
--- a/src/lib/libssl/ssl_lib.c
+++ b/src/lib/libssl/ssl_lib.c
@@ -160,7 +160,10 @@
160const char *SSL_version_str = OPENSSL_VERSION_TEXT; 160const char *SSL_version_str = OPENSSL_VERSION_TEXT;
161 161
162SSL3_ENC_METHOD ssl3_undef_enc_method = { 162SSL3_ENC_METHOD ssl3_undef_enc_method = {
163 /* evil casts, but these functions are only called if there's a library bug */ 163 /*
164 * Evil casts, but these functions are only called if there's a
165 * library bug.
166 */
164 (int (*)(SSL *, int))ssl_undefined_function, 167 (int (*)(SSL *, int))ssl_undefined_function,
165 (int (*)(SSL *, unsigned char *, int))ssl_undefined_function, 168 (int (*)(SSL *, unsigned char *, int))ssl_undefined_function,
166 ssl_undefined_function, 169 ssl_undefined_function,
@@ -182,9 +185,9 @@ SSL3_ENC_METHOD ssl3_undef_enc_method = {
182int 185int
183SSL_clear(SSL *s) 186SSL_clear(SSL *s)
184{ 187{
185
186 if (s->method == NULL) { 188 if (s->method == NULL) {
187 SSLerr(SSL_F_SSL_CLEAR, SSL_R_NO_METHOD_SPECIFIED); 189 SSLerr(SSL_F_SSL_CLEAR,
190 SSL_R_NO_METHOD_SPECIFIED);
188 return (0); 191 return (0);
189 } 192 }
190 193
@@ -198,7 +201,8 @@ SSL_clear(SSL *s)
198 s->shutdown = 0; 201 s->shutdown = 0;
199 202
200 if (s->renegotiate) { 203 if (s->renegotiate) {
201 SSLerr(SSL_F_SSL_CLEAR, ERR_R_INTERNAL_ERROR); 204 SSLerr(SSL_F_SSL_CLEAR,
205 ERR_R_INTERNAL_ERROR);
202 return 0; 206 return 0;
203 } 207 }
204 208
@@ -226,16 +230,19 @@ SSL_clear(SSL *s)
226 s->first_packet = 0; 230 s->first_packet = 0;
227 231
228#if 1 232#if 1
229 /* Check to see if we were changed into a different method, if 233 /*
230 * so, revert back if we are not doing session-id reuse. */ 234 * Check to see if we were changed into a different method, if
231 if (!s->in_handshake && (s->session == NULL) && (s->method != s->ctx->method)) { 235 * so, revert back if we are not doing session-id reuse.
236 */
237 if (!s->in_handshake && (s->session == NULL) &&
238 (s->method != s->ctx->method)) {
232 s->method->ssl_free(s); 239 s->method->ssl_free(s);
233 s->method = s->ctx->method; 240 s->method = s->ctx->method;
234 if (!s->method->ssl_new(s)) 241 if (!s->method->ssl_new(s))
235 return (0); 242 return (0);
236 } else 243 } else
237#endif 244#endif
238 s->method->ssl_clear(s); 245 s->method->ssl_clear(s);
239 return (1); 246 return (1);
240} 247}
241 248
@@ -243,14 +250,15 @@ SSL_clear(SSL *s)
243int 250int
244SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *meth) 251SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *meth)
245{ 252{
246 STACK_OF(SSL_CIPHER) *sk; 253 STACK_OF(SSL_CIPHER) *sk;
247 254
248 ctx->method = meth; 255 ctx->method = meth;
249 256
250 sk = ssl_create_cipher_list(ctx->method, &(ctx->cipher_list), 257 sk = ssl_create_cipher_list(ctx->method, &(ctx->cipher_list),
251 &(ctx->cipher_list_by_id), SSL_DEFAULT_CIPHER_LIST); 258 &(ctx->cipher_list_by_id), SSL_DEFAULT_CIPHER_LIST);
252 if ((sk == NULL) || (sk_SSL_CIPHER_num(sk) <= 0)) { 259 if ((sk == NULL) || (sk_SSL_CIPHER_num(sk) <= 0)) {
253 SSLerr(SSL_F_SSL_CTX_SET_SSL_VERSION, SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS); 260 SSLerr(SSL_F_SSL_CTX_SET_SSL_VERSION,
261 SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS);
254 return (0); 262 return (0);
255 } 263 }
256 return (1); 264 return (1);
@@ -259,14 +267,16 @@ SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *meth)
259SSL * 267SSL *
260SSL_new(SSL_CTX *ctx) 268SSL_new(SSL_CTX *ctx)
261{ 269{
262 SSL *s; 270 SSL *s;
263 271
264 if (ctx == NULL) { 272 if (ctx == NULL) {
265 SSLerr(SSL_F_SSL_NEW, SSL_R_NULL_SSL_CTX); 273 SSLerr(SSL_F_SSL_NEW,
274 SSL_R_NULL_SSL_CTX);
266 return (NULL); 275 return (NULL);
267 } 276 }
268 if (ctx->method == NULL) { 277 if (ctx->method == NULL) {
269 SSLerr(SSL_F_SSL_NEW, SSL_R_SSL_CTX_HAS_NO_DEFAULT_SSL_VERSION); 278 SSLerr(SSL_F_SSL_NEW,
279 SSL_R_SSL_CTX_HAS_NO_DEFAULT_SSL_VERSION);
270 return (NULL); 280 return (NULL);
271 } 281 }
272 282
@@ -283,7 +293,8 @@ SSL_new(SSL_CTX *ctx)
283 s->max_cert_list = ctx->max_cert_list; 293 s->max_cert_list = ctx->max_cert_list;
284 294
285 if (ctx->cert != NULL) { 295 if (ctx->cert != NULL) {
286 /* Earlier library versions used to copy the pointer to 296 /*
297 * Earlier library versions used to copy the pointer to
287 * the CERT, not its contents; only when setting new 298 * the CERT, not its contents; only when setting new
288 * parameters for the per-SSL copy, ssl_cert_new would be 299 * parameters for the per-SSL copy, ssl_cert_new would be
289 * called (and the direct reference to the per-SSL_CTX 300 * called (and the direct reference to the per-SSL_CTX
@@ -291,8 +302,8 @@ SSL_new(SSL_CTX *ctx)
291 * accessed for various purposes, and for that reason they 302 * accessed for various purposes, and for that reason they
292 * used to be known as s->ctx->default_cert). 303 * used to be known as s->ctx->default_cert).
293 * Now we don't look at the SSL_CTX's CERT after having 304 * Now we don't look at the SSL_CTX's CERT after having
294 * duplicated it once. */ 305 * duplicated it once.
295 306 */
296 s->cert = ssl_cert_dup(ctx->cert); 307 s->cert = ssl_cert_dup(ctx->cert);
297 if (s->cert == NULL) 308 if (s->cert == NULL)
298 goto err; 309 goto err;
@@ -362,7 +373,7 @@ SSL_new(SSL_CTX *ctx)
362#endif 373#endif
363 374
364 return (s); 375 return (s);
365err: 376 err:
366 if (s != NULL) { 377 if (s != NULL) {
367 if (s->cert != NULL) 378 if (s->cert != NULL)
368 ssl_cert_free(s->cert); 379 ssl_cert_free(s->cert);
@@ -370,7 +381,8 @@ err:
370 SSL_CTX_free(s->ctx); /* decrement reference count */ 381 SSL_CTX_free(s->ctx); /* decrement reference count */
371 free(s); 382 free(s);
372 } 383 }
373 SSLerr(SSL_F_SSL_NEW, ERR_R_MALLOC_FAILURE); 384 SSLerr(SSL_F_SSL_NEW,
385 ERR_R_MALLOC_FAILURE);
374 return (NULL); 386 return (NULL);
375} 387}
376 388
@@ -379,7 +391,8 @@ SSL_CTX_set_session_id_context(SSL_CTX *ctx, const unsigned char *sid_ctx,
379 unsigned int sid_ctx_len) 391 unsigned int sid_ctx_len)
380{ 392{
381 if (sid_ctx_len > sizeof ctx->sid_ctx) { 393 if (sid_ctx_len > sizeof ctx->sid_ctx) {
382 SSLerr(SSL_F_SSL_CTX_SET_SESSION_ID_CONTEXT, SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG); 394 SSLerr(SSL_F_SSL_CTX_SET_SESSION_ID_CONTEXT,
395 SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG);
383 return 0; 396 return 0;
384 } 397 }
385 ctx->sid_ctx_length = sid_ctx_len; 398 ctx->sid_ctx_length = sid_ctx_len;
@@ -393,7 +406,8 @@ SSL_set_session_id_context(SSL *ssl, const unsigned char *sid_ctx,
393 unsigned int sid_ctx_len) 406 unsigned int sid_ctx_len)
394{ 407{
395 if (sid_ctx_len > SSL_MAX_SID_CTX_LENGTH) { 408 if (sid_ctx_len > SSL_MAX_SID_CTX_LENGTH) {
396 SSLerr(SSL_F_SSL_SET_SESSION_ID_CONTEXT, SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG); 409 SSLerr(SSL_F_SSL_SET_SESSION_ID_CONTEXT,
410 SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG);
397 return 0; 411 return 0;
398 } 412 }
399 ssl->sid_ctx_length = sid_ctx_len; 413 ssl->sid_ctx_length = sid_ctx_len;
@@ -485,7 +499,7 @@ SSL_set1_param(SSL *ssl, X509_VERIFY_PARAM *vpm)
485void 499void
486SSL_free(SSL *s) 500SSL_free(SSL *s)
487{ 501{
488 int i; 502 int i;
489 503
490 if (s == NULL) 504 if (s == NULL)
491 return; 505 return;
@@ -550,7 +564,7 @@ SSL_free(SSL *s)
550 free(s->tlsext_opaque_prf_input); 564 free(s->tlsext_opaque_prf_input);
551 if (s->tlsext_ocsp_exts) 565 if (s->tlsext_ocsp_exts)
552 sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts, 566 sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts,
553 X509_EXTENSION_free); 567 X509_EXTENSION_free);
554 if (s->tlsext_ocsp_ids) 568 if (s->tlsext_ocsp_ids)
555 sk_OCSP_RESPID_pop_free(s->tlsext_ocsp_ids, OCSP_RESPID_free); 569 sk_OCSP_RESPID_pop_free(s->tlsext_ocsp_ids, OCSP_RESPID_free);
556 if (s->tlsext_ocsp_resp) 570 if (s->tlsext_ocsp_resp)
@@ -587,8 +601,7 @@ SSL_free(SSL *s)
587void 601void
588SSL_set_bio(SSL *s, BIO *rbio, BIO *wbio) 602SSL_set_bio(SSL *s, BIO *rbio, BIO *wbio)
589{ 603{
590 /* If the output buffering BIO is still in place, remove it 604 /* If the output buffering BIO is still in place, remove it */
591 */
592 if (s->bbio != NULL) { 605 if (s->bbio != NULL) {
593 if (s->wbio == s->bbio) { 606 if (s->wbio == s->bbio) {
594 s->wbio = s->wbio->next_bio; 607 s->wbio = s->wbio->next_bio;
@@ -624,8 +637,8 @@ SSL_get_fd(const SSL *s)
624int 637int
625SSL_get_rfd(const SSL *s) 638SSL_get_rfd(const SSL *s)
626{ 639{
627 int ret = -1; 640 int ret = -1;
628 BIO *b, *r; 641 BIO *b, *r;
629 642
630 b = SSL_get_rbio(s); 643 b = SSL_get_rbio(s);
631 r = BIO_find_type(b, BIO_TYPE_DESCRIPTOR); 644 r = BIO_find_type(b, BIO_TYPE_DESCRIPTOR);
@@ -637,8 +650,8 @@ SSL_get_rfd(const SSL *s)
637int 650int
638SSL_get_wfd(const SSL *s) 651SSL_get_wfd(const SSL *s)
639{ 652{
640 int ret = -1; 653 int ret = -1;
641 BIO *b, *r; 654 BIO *b, *r;
642 655
643 b = SSL_get_wbio(s); 656 b = SSL_get_wbio(s);
644 r = BIO_find_type(b, BIO_TYPE_DESCRIPTOR); 657 r = BIO_find_type(b, BIO_TYPE_DESCRIPTOR);
@@ -651,34 +664,36 @@ SSL_get_wfd(const SSL *s)
651int 664int
652SSL_set_fd(SSL *s, int fd) 665SSL_set_fd(SSL *s, int fd)
653{ 666{
654 int ret = 0; 667 int ret = 0;
655 BIO *bio = NULL; 668 BIO *bio = NULL;
656 669
657 bio = BIO_new(BIO_s_socket()); 670 bio = BIO_new(BIO_s_socket());
658 671
659 if (bio == NULL) { 672 if (bio == NULL) {
660 SSLerr(SSL_F_SSL_SET_FD, ERR_R_BUF_LIB); 673 SSLerr(SSL_F_SSL_SET_FD,
674 ERR_R_BUF_LIB);
661 goto err; 675 goto err;
662 } 676 }
663 BIO_set_fd(bio, fd, BIO_NOCLOSE); 677 BIO_set_fd(bio, fd, BIO_NOCLOSE);
664 SSL_set_bio(s, bio, bio); 678 SSL_set_bio(s, bio, bio);
665 ret = 1; 679 ret = 1;
666err: 680 err:
667 return (ret); 681 return (ret);
668} 682}
669 683
670int 684int
671SSL_set_wfd(SSL *s, int fd) 685SSL_set_wfd(SSL *s, int fd)
672{ 686{
673 int ret = 0; 687 int ret = 0;
674 BIO *bio = NULL; 688 BIO *bio = NULL;
675 689
676 if ((s->rbio == NULL) || (BIO_method_type(s->rbio) != BIO_TYPE_SOCKET) 690 if ((s->rbio == NULL) || (BIO_method_type(s->rbio) != BIO_TYPE_SOCKET)
677 || ((int)BIO_get_fd(s->rbio, NULL) != fd)) { 691 || ((int)BIO_get_fd(s->rbio, NULL) != fd)) {
678 bio = BIO_new(BIO_s_socket()); 692 bio = BIO_new(BIO_s_socket());
679 693
680 if (bio == NULL) 694 if (bio == NULL) {
681 { SSLerr(SSL_F_SSL_SET_WFD, ERR_R_BUF_LIB); 695 SSLerr(SSL_F_SSL_SET_WFD,
696 ERR_R_BUF_LIB);
682 goto err; 697 goto err;
683 } 698 }
684 BIO_set_fd(bio, fd, BIO_NOCLOSE); 699 BIO_set_fd(bio, fd, BIO_NOCLOSE);
@@ -686,22 +701,23 @@ SSL_set_wfd(SSL *s, int fd)
686 } else 701 } else
687 SSL_set_bio(s, SSL_get_rbio(s), SSL_get_rbio(s)); 702 SSL_set_bio(s, SSL_get_rbio(s), SSL_get_rbio(s));
688 ret = 1; 703 ret = 1;
689err: 704 err:
690 return (ret); 705 return (ret);
691} 706}
692 707
693int 708int
694SSL_set_rfd(SSL *s, int fd) 709SSL_set_rfd(SSL *s, int fd)
695{ 710{
696 int ret = 0; 711 int ret = 0;
697 BIO *bio = NULL; 712 BIO *bio = NULL;
698 713
699 if ((s->wbio == NULL) || (BIO_method_type(s->wbio) != BIO_TYPE_SOCKET) 714 if ((s->wbio == NULL) || (BIO_method_type(s->wbio) != BIO_TYPE_SOCKET)
700 || ((int)BIO_get_fd(s->wbio, NULL) != fd)) { 715 || ((int)BIO_get_fd(s->wbio, NULL) != fd)) {
701 bio = BIO_new(BIO_s_socket()); 716 bio = BIO_new(BIO_s_socket());
702 717
703 if (bio == NULL) { 718 if (bio == NULL) {
704 SSLerr(SSL_F_SSL_SET_RFD, ERR_R_BUF_LIB); 719 SSLerr(SSL_F_SSL_SET_RFD,
720 ERR_R_BUF_LIB);
705 goto err; 721 goto err;
706 } 722 }
707 BIO_set_fd(bio, fd, BIO_NOCLOSE); 723 BIO_set_fd(bio, fd, BIO_NOCLOSE);
@@ -709,7 +725,7 @@ SSL_set_rfd(SSL *s, int fd)
709 } else 725 } else
710 SSL_set_bio(s, SSL_get_wbio(s), SSL_get_wbio(s)); 726 SSL_set_bio(s, SSL_get_wbio(s), SSL_get_wbio(s));
711 ret = 1; 727 ret = 1;
712err: 728 err:
713 return (ret); 729 return (ret);
714} 730}
715#endif 731#endif
@@ -719,7 +735,7 @@ err:
719size_t 735size_t
720SSL_get_finished(const SSL *s, void *buf, size_t count) 736SSL_get_finished(const SSL *s, void *buf, size_t count)
721{ 737{
722 size_t ret = 0; 738 size_t ret = 0;
723 739
724 if (s->s3 != NULL) { 740 if (s->s3 != NULL) {
725 ret = s->s3->tmp.finish_md_len; 741 ret = s->s3->tmp.finish_md_len;
@@ -734,7 +750,7 @@ SSL_get_finished(const SSL *s, void *buf, size_t count)
734size_t 750size_t
735SSL_get_peer_finished(const SSL *s, void *buf, size_t count) 751SSL_get_peer_finished(const SSL *s, void *buf, size_t count)
736{ 752{
737 size_t ret = 0; 753 size_t ret = 0;
738 754
739 if (s->s3 != NULL) { 755 if (s->s3 != NULL) {
740 ret = s->s3->tmp.peer_finish_md_len; 756 ret = s->s3->tmp.peer_finish_md_len;
@@ -810,7 +826,8 @@ SSL_get_read_ahead(const SSL *s)
810int 826int
811SSL_pending(const SSL *s) 827SSL_pending(const SSL *s)
812{ 828{
813 /* SSL_pending cannot work properly if read-ahead is enabled 829 /*
830 * SSL_pending cannot work properly if read-ahead is enabled
814 * (SSL_[CTX_]ctrl(..., SSL_CTRL_SET_READ_AHEAD, 1, NULL)), 831 * (SSL_[CTX_]ctrl(..., SSL_CTRL_SET_READ_AHEAD, 1, NULL)),
815 * and it is impossible to fix since SSL_pending cannot report 832 * and it is impossible to fix since SSL_pending cannot report
816 * errors that may be observed while scanning the new data. 833 * errors that may be observed while scanning the new data.
@@ -823,7 +840,7 @@ SSL_pending(const SSL *s)
823X509 * 840X509 *
824SSL_get_peer_certificate(const SSL *s) 841SSL_get_peer_certificate(const SSL *s)
825{ 842{
826 X509 *r; 843 X509 *r;
827 844
828 if ((s == NULL) || (s->session == NULL)) 845 if ((s == NULL) || (s->session == NULL))
829 r = NULL; 846 r = NULL;
@@ -841,32 +858,38 @@ SSL_get_peer_certificate(const SSL *s)
841STACK_OF(X509) * 858STACK_OF(X509) *
842SSL_get_peer_cert_chain(const SSL *s) 859SSL_get_peer_cert_chain(const SSL *s)
843{ 860{
844 STACK_OF(X509) *r; 861 STACK_OF(X509) *r;
845 862
846 if ((s == NULL) || (s->session == NULL) || (s->session->sess_cert == NULL)) 863 if ((s == NULL) || (s->session == NULL) ||
864 (s->session->sess_cert == NULL))
847 r = NULL; 865 r = NULL;
848 else 866 else
849 r = s->session->sess_cert->cert_chain; 867 r = s->session->sess_cert->cert_chain;
850 868
851 /* If we are a client, cert_chain includes the peer's own 869 /*
870 * If we are a client, cert_chain includes the peer's own
852 * certificate; 871 * certificate;
853if we are a server, it does not. */ 872 * if we are a server, it does not.
854 873 */
855 return (r); 874 return (r);
856} 875}
857 876
858/* Now in theory, since the calling process own 't' it should be safe to 877/*
859 * modify. We need to be able to read f without being hassled */ 878 * Now in theory, since the calling process own 't' it should be safe to
879 * modify. We need to be able to read f without being hassled
880 */
860void 881void
861SSL_copy_session_id(SSL *t, const SSL *f) 882SSL_copy_session_id(SSL *t, const SSL *f)
862{ 883{
863 CERT *tmp; 884 CERT *tmp;
864 885
865 /* Do we need to to SSL locking? */ 886 /* Do we need to to SSL locking? */
866 SSL_set_session(t, SSL_get_session(f)); 887 SSL_set_session(t, SSL_get_session(f));
867 888
868 /* what if we are setup as SSLv2 but want to talk SSLv3 or 889 /*
869 * vice-versa */ 890 * What if we are setup as SSLv2 but want to talk SSLv3 or
891 * vice-versa.
892 */
870 if (t->method != f->method) { 893 if (t->method != f->method) {
871 t->method->ssl_free(t); /* cleanup current */ 894 t->method->ssl_free(t); /* cleanup current */
872 t->method=f->method; /* change method */ 895 t->method=f->method; /* change method */
@@ -888,17 +911,19 @@ SSL_copy_session_id(SSL *t, const SSL *f)
888int 911int
889SSL_CTX_check_private_key(const SSL_CTX *ctx) 912SSL_CTX_check_private_key(const SSL_CTX *ctx)
890{ 913{
891 if ((ctx == NULL) || 914 if ((ctx == NULL) || (ctx->cert == NULL) ||
892 (ctx->cert == NULL) || 915 (ctx->cert->key->x509 == NULL)) {
893 (ctx->cert->key->x509 == NULL)) { 916 SSLerr(SSL_F_SSL_CTX_CHECK_PRIVATE_KEY,
894 SSLerr(SSL_F_SSL_CTX_CHECK_PRIVATE_KEY, SSL_R_NO_CERTIFICATE_ASSIGNED); 917 SSL_R_NO_CERTIFICATE_ASSIGNED);
895 return (0); 918 return (0);
896 } 919 }
897 if (ctx->cert->key->privatekey == NULL) { 920 if (ctx->cert->key->privatekey == NULL) {
898 SSLerr(SSL_F_SSL_CTX_CHECK_PRIVATE_KEY, SSL_R_NO_PRIVATE_KEY_ASSIGNED); 921 SSLerr(SSL_F_SSL_CTX_CHECK_PRIVATE_KEY,
922 SSL_R_NO_PRIVATE_KEY_ASSIGNED);
899 return (0); 923 return (0);
900 } 924 }
901 return (X509_check_private_key(ctx->cert->key->x509, ctx->cert->key->privatekey)); 925 return (X509_check_private_key(ctx->cert->key->x509,
926 ctx->cert->key->privatekey));
902} 927}
903 928
904/* Fix this function so that it takes an optional type parameter */ 929/* Fix this function so that it takes an optional type parameter */
@@ -906,31 +931,34 @@ int
906SSL_check_private_key(const SSL *ssl) 931SSL_check_private_key(const SSL *ssl)
907{ 932{
908 if (ssl == NULL) { 933 if (ssl == NULL) {
909 SSLerr(SSL_F_SSL_CHECK_PRIVATE_KEY, ERR_R_PASSED_NULL_PARAMETER); 934 SSLerr(SSL_F_SSL_CHECK_PRIVATE_KEY,
935 ERR_R_PASSED_NULL_PARAMETER);
910 return (0); 936 return (0);
911 } 937 }
912 if (ssl->cert == NULL) { 938 if (ssl->cert == NULL) {
913 SSLerr(SSL_F_SSL_CHECK_PRIVATE_KEY, SSL_R_NO_CERTIFICATE_ASSIGNED); 939 SSLerr(SSL_F_SSL_CHECK_PRIVATE_KEY,
940 SSL_R_NO_CERTIFICATE_ASSIGNED);
914 return 0; 941 return 0;
915 } 942 }
916 if (ssl->cert->key->x509 == NULL) { 943 if (ssl->cert->key->x509 == NULL) {
917 SSLerr(SSL_F_SSL_CHECK_PRIVATE_KEY, SSL_R_NO_CERTIFICATE_ASSIGNED); 944 SSLerr(SSL_F_SSL_CHECK_PRIVATE_KEY,
945 SSL_R_NO_CERTIFICATE_ASSIGNED);
918 return (0); 946 return (0);
919 } 947 }
920 if (ssl->cert->key->privatekey == NULL) { 948 if (ssl->cert->key->privatekey == NULL) {
921 SSLerr(SSL_F_SSL_CHECK_PRIVATE_KEY, SSL_R_NO_PRIVATE_KEY_ASSIGNED); 949 SSLerr(SSL_F_SSL_CHECK_PRIVATE_KEY,
950 SSL_R_NO_PRIVATE_KEY_ASSIGNED);
922 return (0); 951 return (0);
923 } 952 }
924 return(X509_check_private_key(ssl->cert->key->x509, 953 return (X509_check_private_key(ssl->cert->key->x509,
925 ssl->cert->key->privatekey)); 954 ssl->cert->key->privatekey));
926} 955}
927 956
928int 957int
929SSL_accept(SSL *s) 958SSL_accept(SSL *s)
930{ 959{
931 if (s->handshake_func == 0) 960 if (s->handshake_func == 0)
932 /* Not properly initialized yet */ 961 SSL_set_accept_state(s); /* Not properly initialized yet */
933 SSL_set_accept_state(s);
934 962
935 return (s->method->ssl_accept(s)); 963 return (s->method->ssl_accept(s));
936} 964}
@@ -939,8 +967,7 @@ int
939SSL_connect(SSL *s) 967SSL_connect(SSL *s)
940{ 968{
941 if (s->handshake_func == 0) 969 if (s->handshake_func == 0)
942 /* Not properly initialized yet */ 970 SSL_set_connect_state(s); /* Not properly initialized yet */
943 SSL_set_connect_state(s);
944 971
945 return (s->method->ssl_connect(s)); 972 return (s->method->ssl_connect(s));
946} 973}
@@ -955,7 +982,8 @@ int
955SSL_read(SSL *s, void *buf, int num) 982SSL_read(SSL *s, void *buf, int num)
956{ 983{
957 if (s->handshake_func == 0) { 984 if (s->handshake_func == 0) {
958 SSLerr(SSL_F_SSL_READ, SSL_R_UNINITIALIZED); 985 SSLerr(SSL_F_SSL_READ,
986 SSL_R_UNINITIALIZED);
959 return -1; 987 return -1;
960 } 988 }
961 989
@@ -970,7 +998,8 @@ int
970SSL_peek(SSL *s, void *buf, int num) 998SSL_peek(SSL *s, void *buf, int num)
971{ 999{
972 if (s->handshake_func == 0) { 1000 if (s->handshake_func == 0) {
973 SSLerr(SSL_F_SSL_PEEK, SSL_R_UNINITIALIZED); 1001 SSLerr(SSL_F_SSL_PEEK,
1002 SSL_R_UNINITIALIZED);
974 return -1; 1003 return -1;
975 } 1004 }
976 1005
@@ -984,13 +1013,15 @@ int
984SSL_write(SSL *s, const void *buf, int num) 1013SSL_write(SSL *s, const void *buf, int num)
985{ 1014{
986 if (s->handshake_func == 0) { 1015 if (s->handshake_func == 0) {
987 SSLerr(SSL_F_SSL_WRITE, SSL_R_UNINITIALIZED); 1016 SSLerr(SSL_F_SSL_WRITE,
1017 SSL_R_UNINITIALIZED);
988 return -1; 1018 return -1;
989 } 1019 }
990 1020
991 if (s->shutdown & SSL_SENT_SHUTDOWN) { 1021 if (s->shutdown & SSL_SENT_SHUTDOWN) {
992 s->rwstate = SSL_NOTHING; 1022 s->rwstate = SSL_NOTHING;
993 SSLerr(SSL_F_SSL_WRITE, SSL_R_PROTOCOL_IS_SHUTDOWN); 1023 SSLerr(SSL_F_SSL_WRITE,
1024 SSL_R_PROTOCOL_IS_SHUTDOWN);
994 return (-1); 1025 return (-1);
995 } 1026 }
996 return (s->method->ssl_write(s, buf, num)); 1027 return (s->method->ssl_write(s, buf, num));
@@ -999,14 +1030,16 @@ SSL_write(SSL *s, const void *buf, int num)
999int 1030int
1000SSL_shutdown(SSL *s) 1031SSL_shutdown(SSL *s)
1001{ 1032{
1002 /* Note that this function behaves differently from what one might 1033 /*
1034 * Note that this function behaves differently from what one might
1003 * expect. Return values are 0 for no success (yet), 1035 * expect. Return values are 0 for no success (yet),
1004 * 1 for success; but calling it once is usually not enough, 1036 * 1 for success; but calling it once is usually not enough,
1005 * even if blocking I/O is used (see ssl3_shutdown). 1037 * even if blocking I/O is used (see ssl3_shutdown).
1006 */ 1038 */
1007 1039
1008 if (s->handshake_func == 0) { 1040 if (s->handshake_func == 0) {
1009 SSLerr(SSL_F_SSL_SHUTDOWN, SSL_R_UNINITIALIZED); 1041 SSLerr(SSL_F_SSL_SHUTDOWN,
1042 SSL_R_UNINITIALIZED);
1010 return -1; 1043 return -1;
1011 } 1044 }
1012 1045
@@ -1041,15 +1074,17 @@ SSL_renegotiate_abbreviated(SSL *s)
1041int 1074int
1042SSL_renegotiate_pending(SSL *s) 1075SSL_renegotiate_pending(SSL *s)
1043{ 1076{
1044 /* becomes true when negotiation is requested; 1077 /*
1045 * false again once a handshake has finished */ 1078 * Becomes true when negotiation is requested;
1079 * false again once a handshake has finished.
1080 */
1046 return (s->renegotiate != 0); 1081 return (s->renegotiate != 0);
1047} 1082}
1048 1083
1049long 1084long
1050SSL_ctrl(SSL *s, int cmd, long larg, void *parg) 1085SSL_ctrl(SSL *s, int cmd, long larg, void *parg)
1051{ 1086{
1052 long l; 1087 long l;
1053 1088
1054 switch (cmd) { 1089 switch (cmd) {
1055 case SSL_CTRL_GET_READ_AHEAD: 1090 case SSL_CTRL_GET_READ_AHEAD:
@@ -1084,7 +1119,7 @@ SSL_ctrl(SSL *s, int cmd, long larg, void *parg)
1084#endif 1119#endif
1085 1120
1086 if (SSL_version(s) == DTLS1_VERSION || 1121 if (SSL_version(s) == DTLS1_VERSION ||
1087 SSL_version(s) == DTLS1_BAD_VER) { 1122 SSL_version(s) == DTLS1_BAD_VER) {
1088 s->d1->mtu = larg; 1123 s->d1->mtu = larg;
1089 return larg; 1124 return larg;
1090 } 1125 }
@@ -1108,7 +1143,9 @@ SSL_callback_ctrl(SSL *s, int cmd, void (*fp)(void))
1108{ 1143{
1109 switch (cmd) { 1144 switch (cmd) {
1110 case SSL_CTRL_SET_MSG_CALLBACK: 1145 case SSL_CTRL_SET_MSG_CALLBACK:
1111 s->msg_callback = (void (*)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg))(fp); 1146 s->msg_callback = (void (*)(int write_p, int version,
1147 int content_type, const void *buf, size_t len,
1148 SSL *ssl, void *arg))(fp);
1112 return 1; 1149 return 1;
1113 1150
1114 default: 1151 default:
@@ -1125,7 +1162,7 @@ SSL_CTX_sessions(SSL_CTX *ctx)
1125long 1162long
1126SSL_CTX_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) 1163SSL_CTX_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
1127{ 1164{
1128 long l; 1165 long l;
1129 1166
1130 switch (cmd) { 1167 switch (cmd) {
1131 case SSL_CTRL_GET_READ_AHEAD: 1168 case SSL_CTRL_GET_READ_AHEAD:
@@ -1206,7 +1243,9 @@ SSL_CTX_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)(void))
1206{ 1243{
1207 switch (cmd) { 1244 switch (cmd) {
1208 case SSL_CTRL_SET_MSG_CALLBACK: 1245 case SSL_CTRL_SET_MSG_CALLBACK:
1209 ctx->msg_callback = (void (*)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg))(fp); 1246 ctx->msg_callback = (void (*)(int write_p, int version,
1247 int content_type, const void *buf, size_t len, SSL *ssl,
1248 void *arg))(fp);
1210 return 1; 1249 return 1;
1211 1250
1212 default: 1251 default:
@@ -1217,7 +1256,7 @@ SSL_CTX_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)(void))
1217int 1256int
1218ssl_cipher_id_cmp(const SSL_CIPHER *a, const SSL_CIPHER *b) 1257ssl_cipher_id_cmp(const SSL_CIPHER *a, const SSL_CIPHER *b)
1219{ 1258{
1220 long l; 1259 long l;
1221 1260
1222 l = a->id - b->id; 1261 l = a->id - b->id;
1223 if (l == 0L) 1262 if (l == 0L)
@@ -1230,7 +1269,7 @@ int
1230ssl_cipher_ptr_id_cmp(const SSL_CIPHER * const *ap, 1269ssl_cipher_ptr_id_cmp(const SSL_CIPHER * const *ap,
1231 const SSL_CIPHER * const *bp) 1270 const SSL_CIPHER * const *bp)
1232{ 1271{
1233 long l; 1272 long l;
1234 1273
1235 l = (*ap)->id - (*bp)->id; 1274 l = (*ap)->id - (*bp)->id;
1236 if (l == 0L) 1275 if (l == 0L)
@@ -1239,24 +1278,27 @@ ssl_cipher_ptr_id_cmp(const SSL_CIPHER * const *ap,
1239 return ((l > 0) ? 1:-1); 1278 return ((l > 0) ? 1:-1);
1240} 1279}
1241 1280
1242/** return a STACK of the ciphers available for the SSL and in order of 1281/*
1243 * preference */ 1282 * Return a STACK of the ciphers available for the SSL and in order of
1283 * preference.
1284 */
1244STACK_OF(SSL_CIPHER) * 1285STACK_OF(SSL_CIPHER) *
1245SSL_get_ciphers(const SSL *s) 1286SSL_get_ciphers(const SSL *s)
1246{ 1287{
1247 if (s != NULL) { 1288 if (s != NULL) {
1248 if (s->cipher_list != NULL) { 1289 if (s->cipher_list != NULL) {
1249 return (s->cipher_list); 1290 return (s->cipher_list);
1250 } else if ((s->ctx != NULL) && 1291 } else if ((s->ctx != NULL) && (s->ctx->cipher_list != NULL)) {
1251 (s->ctx->cipher_list != NULL)) {
1252 return (s->ctx->cipher_list); 1292 return (s->ctx->cipher_list);
1253 } 1293 }
1254 } 1294 }
1255 return (NULL); 1295 return (NULL);
1256} 1296}
1257 1297
1258/** return a STACK of the ciphers available for the SSL and in order of 1298/*
1259 * algorithm id */ 1299 * Return a STACK of the ciphers available for the SSL and in order of
1300 * algorithm id.
1301 */
1260STACK_OF(SSL_CIPHER) * 1302STACK_OF(SSL_CIPHER) *
1261ssl_get_ciphers_by_id(SSL *s) 1303ssl_get_ciphers_by_id(SSL *s)
1262{ 1304{
@@ -1264,19 +1306,19 @@ ssl_get_ciphers_by_id(SSL *s)
1264 if (s->cipher_list_by_id != NULL) { 1306 if (s->cipher_list_by_id != NULL) {
1265 return (s->cipher_list_by_id); 1307 return (s->cipher_list_by_id);
1266 } else if ((s->ctx != NULL) && 1308 } else if ((s->ctx != NULL) &&
1267 (s->ctx->cipher_list_by_id != NULL)) { 1309 (s->ctx->cipher_list_by_id != NULL)) {
1268 return (s->ctx->cipher_list_by_id); 1310 return (s->ctx->cipher_list_by_id);
1269 } 1311 }
1270 } 1312 }
1271 return (NULL); 1313 return (NULL);
1272} 1314}
1273 1315
1274/** The old interface to get the same thing as SSL_get_ciphers() */ 1316/* The old interface to get the same thing as SSL_get_ciphers(). */
1275const char * 1317const char *
1276SSL_get_cipher_list(const SSL *s, int n) 1318SSL_get_cipher_list(const SSL *s, int n)
1277{ 1319{
1278 SSL_CIPHER *c; 1320 SSL_CIPHER *c;
1279 STACK_OF(SSL_CIPHER) *sk; 1321 STACK_OF(SSL_CIPHER) *sk;
1280 1322
1281 if (s == NULL) 1323 if (s == NULL)
1282 return (NULL); 1324 return (NULL);
@@ -1289,35 +1331,38 @@ SSL_get_cipher_list(const SSL *s, int n)
1289 return (c->name); 1331 return (c->name);
1290} 1332}
1291 1333
1292/** specify the ciphers to be used by default by the SSL_CTX */ 1334/* Specify the ciphers to be used by default by the SSL_CTX. */
1293int 1335int
1294SSL_CTX_set_cipher_list(SSL_CTX *ctx, const char *str) 1336SSL_CTX_set_cipher_list(SSL_CTX *ctx, const char *str)
1295{ 1337{
1296 STACK_OF(SSL_CIPHER) *sk; 1338 STACK_OF(SSL_CIPHER) *sk;
1297 1339
1298 sk = ssl_create_cipher_list(ctx->method, &ctx->cipher_list, 1340 sk = ssl_create_cipher_list(ctx->method, &ctx->cipher_list,
1299 &ctx->cipher_list_by_id, str); 1341 &ctx->cipher_list_by_id, str);
1300 /* ssl_create_cipher_list may return an empty stack if it 1342 /*
1343 * ssl_create_cipher_list may return an empty stack if it
1301 * was unable to find a cipher matching the given rule string 1344 * was unable to find a cipher matching the given rule string
1302 * (for example if the rule string specifies a cipher which 1345 * (for example if the rule string specifies a cipher which
1303 * has been disabled). This is not an error as far as 1346 * has been disabled). This is not an error as far as
1304 * ssl_create_cipher_list is concerned, and hence 1347 * ssl_create_cipher_list is concerned, and hence
1305 * ctx->cipher_list and ctx->cipher_list_by_id has been 1348 * ctx->cipher_list and ctx->cipher_list_by_id has been
1306 * updated. */ 1349 * updated.
1350 */
1307 if (sk == NULL) 1351 if (sk == NULL)
1308 return 0; 1352 return 0;
1309 else if (sk_SSL_CIPHER_num(sk) == 0) { 1353 else if (sk_SSL_CIPHER_num(sk) == 0) {
1310 SSLerr(SSL_F_SSL_CTX_SET_CIPHER_LIST, SSL_R_NO_CIPHER_MATCH); 1354 SSLerr(SSL_F_SSL_CTX_SET_CIPHER_LIST,
1355 SSL_R_NO_CIPHER_MATCH);
1311 return 0; 1356 return 0;
1312 } 1357 }
1313 return 1; 1358 return 1;
1314} 1359}
1315 1360
1316/** specify the ciphers to be used by the SSL */ 1361/* Specify the ciphers to be used by the SSL. */
1317int 1362int
1318SSL_set_cipher_list(SSL *s, const char *str) 1363SSL_set_cipher_list(SSL *s, const char *str)
1319{ 1364{
1320 STACK_OF(SSL_CIPHER) *sk; 1365 STACK_OF(SSL_CIPHER) *sk;
1321 1366
1322 sk = ssl_create_cipher_list(s->ctx->method, &s->cipher_list, 1367 sk = ssl_create_cipher_list(s->ctx->method, &s->cipher_list,
1323 &s->cipher_list_by_id, str); 1368 &s->cipher_list_by_id, str);
@@ -1325,7 +1370,8 @@ SSL_set_cipher_list(SSL *s, const char *str)
1325 if (sk == NULL) 1370 if (sk == NULL)
1326 return 0; 1371 return 0;
1327 else if (sk_SSL_CIPHER_num(sk) == 0) { 1372 else if (sk_SSL_CIPHER_num(sk) == 0) {
1328 SSLerr(SSL_F_SSL_SET_CIPHER_LIST, SSL_R_NO_CIPHER_MATCH); 1373 SSLerr(SSL_F_SSL_SET_CIPHER_LIST,
1374 SSL_R_NO_CIPHER_MATCH);
1329 return 0; 1375 return 0;
1330 } 1376 }
1331 return 1; 1377 return 1;
@@ -1335,11 +1381,11 @@ SSL_set_cipher_list(SSL *s, const char *str)
1335char * 1381char *
1336SSL_get_shared_ciphers(const SSL *s, char *buf, int len) 1382SSL_get_shared_ciphers(const SSL *s, char *buf, int len)
1337{ 1383{
1338 char *end; 1384 char *end;
1339 STACK_OF(SSL_CIPHER) *sk; 1385 STACK_OF(SSL_CIPHER) *sk;
1340 SSL_CIPHER *c; 1386 SSL_CIPHER *c;
1341 size_t curlen = 0; 1387 size_t curlen = 0;
1342 int i; 1388 int i;
1343 1389
1344 if ((s->session == NULL) || (s->session->ciphers == NULL) || 1390 if ((s->session == NULL) || (s->session->ciphers == NULL) ||
1345 (len < 2)) 1391 (len < 2))
@@ -1351,7 +1397,7 @@ SSL_get_shared_ciphers(const SSL *s, char *buf, int len)
1351 c = sk_SSL_CIPHER_value(sk, i); 1397 c = sk_SSL_CIPHER_value(sk, i);
1352 end = buf + curlen; 1398 end = buf + curlen;
1353 if (strlcat(buf, c->name, len) >= len || 1399 if (strlcat(buf, c->name, len) >= len ||
1354 (curlen = strlcat(buf, ":", len)) >= len) { 1400 (curlen = strlcat(buf, ":", len)) >= len) {
1355 /* remove truncated cipher from list */ 1401 /* remove truncated cipher from list */
1356 *end = '\0'; 1402 *end = '\0';
1357 break; 1403 break;
@@ -1367,11 +1413,11 @@ int
1367ssl_cipher_list_to_bytes(SSL *s, STACK_OF(SSL_CIPHER) *sk, unsigned char *p, 1413ssl_cipher_list_to_bytes(SSL *s, STACK_OF(SSL_CIPHER) *sk, unsigned char *p,
1368 int (*put_cb)(const SSL_CIPHER *, unsigned char *)) 1414 int (*put_cb)(const SSL_CIPHER *, unsigned char *))
1369{ 1415{
1370 int i, j = 0; 1416 int i, j = 0;
1371 SSL_CIPHER *c; 1417 SSL_CIPHER *c;
1372 unsigned char *q; 1418 unsigned char *q;
1373#ifndef OPENSSL_NO_KRB5 1419#ifndef OPENSSL_NO_KRB5
1374 int nokrb5 = !kssl_tgt_is_available(s->kssl_ctx); 1420 int nokrb5 = !kssl_tgt_is_available(s->kssl_ctx);
1375#endif /* OPENSSL_NO_KRB5 */ 1421#endif /* OPENSSL_NO_KRB5 */
1376 1422
1377 if (sk == NULL) 1423 if (sk == NULL)
@@ -1382,30 +1428,33 @@ ssl_cipher_list_to_bytes(SSL *s, STACK_OF(SSL_CIPHER) *sk, unsigned char *p,
1382 c = sk_SSL_CIPHER_value(sk, i); 1428 c = sk_SSL_CIPHER_value(sk, i);
1383 /* Skip TLS v1.2 only ciphersuites if lower than v1.2 */ 1429 /* Skip TLS v1.2 only ciphersuites if lower than v1.2 */
1384 if ((c->algorithm_ssl & SSL_TLSV1_2) && 1430 if ((c->algorithm_ssl & SSL_TLSV1_2) &&
1385 (TLS1_get_client_version(s) < TLS1_2_VERSION)) 1431 (TLS1_get_client_version(s) < TLS1_2_VERSION))
1386 continue; 1432 continue;
1387#ifndef OPENSSL_NO_KRB5 1433#ifndef OPENSSL_NO_KRB5
1388 if (((c->algorithm_mkey & SSL_kKRB5) || (c->algorithm_auth & SSL_aKRB5)) && 1434 if (((c->algorithm_mkey & SSL_kKRB5) ||
1389 nokrb5) 1435 (c->algorithm_auth & SSL_aKRB5)) && nokrb5)
1390 continue; 1436 continue;
1391#endif /* OPENSSL_NO_KRB5 */ 1437#endif /* OPENSSL_NO_KRB5 */
1392#ifndef OPENSSL_NO_PSK 1438#ifndef OPENSSL_NO_PSK
1393 /* with PSK there must be client callback set */ 1439 /* with PSK there must be client callback set */
1394 if (((c->algorithm_mkey & SSL_kPSK) || (c->algorithm_auth & SSL_aPSK)) && 1440 if (((c->algorithm_mkey & SSL_kPSK) ||
1395 s->psk_client_callback == NULL) 1441 (c->algorithm_auth & SSL_aPSK)) &&
1396 continue; 1442 s->psk_client_callback == NULL)
1443 continue;
1397#endif /* OPENSSL_NO_PSK */ 1444#endif /* OPENSSL_NO_PSK */
1398 j = put_cb ? put_cb(c, p) : ssl_put_cipher_by_char(s, c, p); 1445 j = put_cb ? put_cb(c, p) : ssl_put_cipher_by_char(s, c, p);
1399 p += j; 1446 p += j;
1400 } 1447 }
1401 /* If p == q, no ciphers and caller indicates an error. Otherwise 1448 /*
1449 * If p == q, no ciphers and caller indicates an error. Otherwise
1402 * add SCSV if not renegotiating. 1450 * add SCSV if not renegotiating.
1403 */ 1451 */
1404 if (p != q && !s->renegotiate) { 1452 if (p != q && !s->renegotiate) {
1405 static SSL_CIPHER scsv = { 1453 static SSL_CIPHER scsv = {
1406 0, NULL, SSL3_CK_SCSV, 0, 0, 0, 0, 0, 0, 0, 0, 0 1454 0, NULL, SSL3_CK_SCSV, 0, 0, 0, 0, 0, 0, 0, 0, 0
1407 }; 1455 };
1408 j = put_cb ? put_cb(&scsv, p) : ssl_put_cipher_by_char(s, &scsv, p); 1456 j = put_cb ? put_cb(&scsv, p) :
1457 ssl_put_cipher_by_char(s, &scsv, p);
1409 p += j; 1458 p += j;
1410#ifdef OPENSSL_RI_DEBUG 1459#ifdef OPENSSL_RI_DEBUG
1411 fprintf(stderr, "SCSV sent by client\n"); 1460 fprintf(stderr, "SCSV sent by client\n");
@@ -1419,15 +1468,17 @@ STACK_OF(SSL_CIPHER) *
1419ssl_bytes_to_cipher_list(SSL *s, unsigned char *p, int num, 1468ssl_bytes_to_cipher_list(SSL *s, unsigned char *p, int num,
1420 STACK_OF(SSL_CIPHER) **skp) 1469 STACK_OF(SSL_CIPHER) **skp)
1421{ 1470{
1422 const SSL_CIPHER *c; 1471 const SSL_CIPHER *c;
1423 STACK_OF(SSL_CIPHER) *sk; 1472 STACK_OF(SSL_CIPHER) *sk;
1424 int i, n; 1473 int i, n;
1474
1425 if (s->s3) 1475 if (s->s3)
1426 s->s3->send_connection_binding = 0; 1476 s->s3->send_connection_binding = 0;
1427 1477
1428 n = ssl_put_cipher_by_char(s, NULL, NULL); 1478 n = ssl_put_cipher_by_char(s, NULL, NULL);
1429 if ((num % n) != 0) { 1479 if ((num % n) != 0) {
1430 SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST, SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST); 1480 SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,
1481 SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST);
1431 return (NULL); 1482 return (NULL);
1432 } 1483 }
1433 if ((skp == NULL) || (*skp == NULL)) 1484 if ((skp == NULL) || (*skp == NULL))
@@ -1440,12 +1491,14 @@ ssl_bytes_to_cipher_list(SSL *s, unsigned char *p, int num,
1440 for (i = 0; i < num; i += n) { 1491 for (i = 0; i < num; i += n) {
1441 /* Check for SCSV */ 1492 /* Check for SCSV */
1442 if (s->s3 && (n != 3 || !p[0]) && 1493 if (s->s3 && (n != 3 || !p[0]) &&
1443 (p[n - 2] == ((SSL3_CK_SCSV >> 8) & 0xff)) && 1494 (p[n - 2] == ((SSL3_CK_SCSV >> 8) & 0xff)) &&
1444 (p[n - 1] == (SSL3_CK_SCSV & 0xff))) { 1495 (p[n - 1] == (SSL3_CK_SCSV & 0xff))) {
1445 /* SCSV fatal if renegotiating */ 1496 /* SCSV fatal if renegotiating */
1446 if (s->renegotiate) { 1497 if (s->renegotiate) {
1447 SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST, SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING); 1498 SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,
1448 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE); 1499 SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING);
1500 ssl3_send_alert(s, SSL3_AL_FATAL,
1501 SSL_AD_HANDSHAKE_FAILURE);
1449 1502
1450 goto err; 1503 goto err;
1451 } 1504 }
@@ -1461,7 +1514,8 @@ ssl_bytes_to_cipher_list(SSL *s, unsigned char *p, int num,
1461 p += n; 1514 p += n;
1462 if (c != NULL) { 1515 if (c != NULL) {
1463 if (!sk_SSL_CIPHER_push(sk, c)) { 1516 if (!sk_SSL_CIPHER_push(sk, c)) {
1464 SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST, ERR_R_MALLOC_FAILURE); 1517 SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,
1518 ERR_R_MALLOC_FAILURE);
1465 goto err; 1519 goto err;
1466 } 1520 }
1467 } 1521 }
@@ -1470,7 +1524,7 @@ ssl_bytes_to_cipher_list(SSL *s, unsigned char *p, int num,
1470 if (skp != NULL) 1524 if (skp != NULL)
1471 *skp = sk; 1525 *skp = sk;
1472 return (sk); 1526 return (sk);
1473err: 1527 err:
1474 if ((skp == NULL) || (*skp == NULL)) 1528 if ((skp == NULL) || (*skp == NULL))
1475 sk_SSL_CIPHER_free(sk); 1529 sk_SSL_CIPHER_free(sk);
1476 return (NULL); 1530 return (NULL);
@@ -1478,10 +1532,10 @@ err:
1478 1532
1479 1533
1480#ifndef OPENSSL_NO_TLSEXT 1534#ifndef OPENSSL_NO_TLSEXT
1481/** return a servername extension value if provided in Client Hello, or NULL. 1535/*
1536 * Return a servername extension value if provided in Client Hello, or NULL.
1482 * So far, only host_name types are defined (RFC 3546). 1537 * So far, only host_name types are defined (RFC 3546).
1483 */ 1538 */
1484
1485const char * 1539const char *
1486SSL_get_servername(const SSL *s, const int type) 1540SSL_get_servername(const SSL *s, const int type)
1487{ 1541{
@@ -1489,20 +1543,23 @@ SSL_get_servername(const SSL *s, const int type)
1489 return NULL; 1543 return NULL;
1490 1544
1491 return s->session && !s->tlsext_hostname ? 1545 return s->session && !s->tlsext_hostname ?
1492 s->session->tlsext_hostname : 1546 s->session->tlsext_hostname :
1493 s->tlsext_hostname; 1547 s->tlsext_hostname;
1494} 1548}
1495 1549
1496int 1550int
1497SSL_get_servername_type(const SSL *s) 1551SSL_get_servername_type(const SSL *s)
1498{ 1552{
1499 if (s->session && (!s->tlsext_hostname ? s->session->tlsext_hostname : s->tlsext_hostname)) 1553 if (s->session &&
1554 (!s->tlsext_hostname ?
1555 s->session->tlsext_hostname : s->tlsext_hostname))
1500 return TLSEXT_NAMETYPE_host_name; 1556 return TLSEXT_NAMETYPE_host_name;
1501 return -1; 1557 return -1;
1502} 1558}
1503 1559
1504# ifndef OPENSSL_NO_NEXTPROTONEG 1560# ifndef OPENSSL_NO_NEXTPROTONEG
1505/* SSL_select_next_proto implements the standard protocol selection. It is 1561/*
1562 * SSL_select_next_proto implements the standard protocol selection. It is
1506 * expected that this function is called from the callback set by 1563 * expected that this function is called from the callback set by
1507 * SSL_CTX_set_next_proto_select_cb. 1564 * SSL_CTX_set_next_proto_select_cb.
1508 * 1565 *
@@ -1533,17 +1590,23 @@ SSL_get_servername_type(const SSL *s)
1533 * OPENSSL_NPN_NO_OVERLAP if the fallback case was reached. 1590 * OPENSSL_NPN_NO_OVERLAP if the fallback case was reached.
1534 */ 1591 */
1535int 1592int
1536SSL_select_next_proto(unsigned char **out, unsigned char *outlen, const unsigned char *server, unsigned int server_len, const unsigned char *client, unsigned int client_len) 1593SSL_select_next_proto(unsigned char **out, unsigned char *outlen,
1594 const unsigned char *server, unsigned int server_len,
1595 const unsigned char *client, unsigned int client_len)
1537{ 1596{
1538 unsigned int i, j; 1597 unsigned int i, j;
1539 const unsigned char *result; 1598 const unsigned char *result;
1540 int status = OPENSSL_NPN_UNSUPPORTED; 1599 int status = OPENSSL_NPN_UNSUPPORTED;
1541 1600
1542 /* For each protocol in server preference order, see if we support it. */ 1601 /*
1602 * For each protocol in server preference order,
1603 * see if we support it.
1604 */
1543 for (i = 0; i < server_len; ) { 1605 for (i = 0; i < server_len; ) {
1544 for (j = 0; j < client_len; ) { 1606 for (j = 0; j < client_len; ) {
1545 if (server[i] == client[j] && 1607 if (server[i] == client[j] &&
1546 memcmp(&server[i + 1], &client[j + 1], server[i]) == 0) { 1608 memcmp(&server[i + 1],
1609 &client[j + 1], server[i]) == 0) {
1547 /* We found a match */ 1610 /* We found a match */
1548 result = &server[i]; 1611 result = &server[i];
1549 status = OPENSSL_NPN_NEGOTIATED; 1612 status = OPENSSL_NPN_NEGOTIATED;
@@ -1560,13 +1623,14 @@ SSL_select_next_proto(unsigned char **out, unsigned char *outlen, const unsigned
1560 result = client; 1623 result = client;
1561 status = OPENSSL_NPN_NO_OVERLAP; 1624 status = OPENSSL_NPN_NO_OVERLAP;
1562 1625
1563 found: 1626 found:
1564 *out = (unsigned char *) result + 1; 1627 *out = (unsigned char *) result + 1;
1565 *outlen = result[0]; 1628 *outlen = result[0];
1566 return status; 1629 return status;
1567} 1630}
1568 1631
1569/* SSL_get0_next_proto_negotiated sets *data and *len to point to the client's 1632/*
1633 * SSL_get0_next_proto_negotiated sets *data and *len to point to the client's
1570 * requested protocol for this connection and returns 0. If the client didn't 1634 * requested protocol for this connection and returns 0. If the client didn't
1571 * request any protocol, then *data is set to NULL. 1635 * request any protocol, then *data is set to NULL.
1572 * 1636 *
@@ -1575,7 +1639,8 @@ SSL_select_next_proto(unsigned char **out, unsigned char *outlen, const unsigned
1575 * provided by the callback. 1639 * provided by the callback.
1576 */ 1640 */
1577void 1641void
1578SSL_get0_next_proto_negotiated(const SSL *s, const unsigned char **data, unsigned *len) 1642SSL_get0_next_proto_negotiated(const SSL *s, const unsigned char **data,
1643 unsigned *len)
1579{ 1644{
1580 *data = s->next_proto_negotiated; 1645 *data = s->next_proto_negotiated;
1581 if (!*data) { 1646 if (!*data) {
@@ -1585,23 +1650,27 @@ SSL_get0_next_proto_negotiated(const SSL *s, const unsigned char **data, unsigne
1585 } 1650 }
1586} 1651}
1587 1652
1588/* SSL_CTX_set_next_protos_advertised_cb sets a callback that is called when a 1653/*
1654 * SSL_CTX_set_next_protos_advertised_cb sets a callback that is called when a
1589 * TLS server needs a list of supported protocols for Next Protocol 1655 * TLS server needs a list of supported protocols for Next Protocol
1590 * Negotiation. The returned list must be in wire format. The list is returned 1656 * Negotiation. The returned list must be in wire format. The list is returned
1591 * by setting |out| to point to it and |outlen| to its length. This memory will 1657 * by setting |out| to point to it and |outlen| to its length. This memory will
1592 * not be modified, but one should assume that the SSL* keeps a reference to 1658 * not be modified, but one should assume that the SSL* keeps a reference to
1593 * it. 1659 * it.
1594 * 1660 *
1595 * The callback should return SSL_TLSEXT_ERR_OK if it wishes to advertise. Otherwise, no 1661 * The callback should return SSL_TLSEXT_ERR_OK if it wishes to advertise.
1596 * such extension will be included in the ServerHello. */ 1662 * Otherwise, no such extension will be included in the ServerHello.
1663 */
1597void 1664void
1598SSL_CTX_set_next_protos_advertised_cb(SSL_CTX *ctx, int (*cb) (SSL *ssl, const unsigned char **out, unsigned int *outlen, void *arg), void *arg) 1665SSL_CTX_set_next_protos_advertised_cb(SSL_CTX *ctx, int (*cb) (SSL *ssl,
1666 const unsigned char **out, unsigned int *outlen, void *arg), void *arg)
1599{ 1667{
1600 ctx->next_protos_advertised_cb = cb; 1668 ctx->next_protos_advertised_cb = cb;
1601 ctx->next_protos_advertised_cb_arg = arg; 1669 ctx->next_protos_advertised_cb_arg = arg;
1602} 1670}
1603 1671
1604/* SSL_CTX_set_next_proto_select_cb sets a callback that is called when a 1672/*
1673 * SSL_CTX_set_next_proto_select_cb sets a callback that is called when a
1605 * client needs to select a protocol from the server's provided list. |out| 1674 * client needs to select a protocol from the server's provided list. |out|
1606 * must be set to point to the selected protocol (which may be within |in|). 1675 * must be set to point to the selected protocol (which may be within |in|).
1607 * The length of the protocol name must be written into |outlen|. The server's 1676 * The length of the protocol name must be written into |outlen|. The server's
@@ -1612,7 +1681,9 @@ SSL_CTX_set_next_protos_advertised_cb(SSL_CTX *ctx, int (*cb) (SSL *ssl, const u
1612 * callback returns a value other than SSL_TLSEXT_ERR_OK. 1681 * callback returns a value other than SSL_TLSEXT_ERR_OK.
1613 */ 1682 */
1614void 1683void
1615SSL_CTX_set_next_proto_select_cb(SSL_CTX *ctx, int (*cb) (SSL *s, unsigned char **out, unsigned char *outlen, const unsigned char *in, unsigned int inlen, void *arg), void *arg) 1684SSL_CTX_set_next_proto_select_cb(SSL_CTX *ctx, int (*cb) (SSL *s,
1685 unsigned char **out, unsigned char *outlen, const unsigned char *in,
1686 unsigned int inlen, void *arg), void *arg)
1616{ 1687{
1617 ctx->next_proto_select_cb = cb; 1688 ctx->next_proto_select_cb = cb;
1618 ctx->next_proto_select_cb_arg = arg; 1689 ctx->next_proto_select_cb_arg = arg;
@@ -1623,34 +1694,35 @@ SSL_CTX_set_next_proto_select_cb(SSL_CTX *ctx, int (*cb) (SSL *s, unsigned char
1623int 1694int
1624SSL_export_keying_material(SSL *s, unsigned char *out, size_t olen, 1695SSL_export_keying_material(SSL *s, unsigned char *out, size_t olen,
1625 const char *label, size_t llen, const unsigned char *p, size_t plen, 1696 const char *label, size_t llen, const unsigned char *p, size_t plen,
1626int use_context) 1697 int use_context)
1627{ 1698{
1628 if (s->version < TLS1_VERSION) 1699 if (s->version < TLS1_VERSION)
1629 return -1; 1700 return -1;
1630 1701
1631 return s->method->ssl3_enc->export_keying_material(s, out, olen, label, 1702 return s->method->ssl3_enc->export_keying_material(s, out, olen,
1632 llen, p, plen, 1703 label, llen, p, plen, use_context);
1633 use_context);
1634} 1704}
1635 1705
1636static unsigned long 1706static unsigned long
1637ssl_session_hash(const SSL_SESSION *a) 1707ssl_session_hash(const SSL_SESSION *a)
1638{ 1708{
1639 unsigned long l; 1709 unsigned long l;
1640 1710
1641 l = (unsigned long) 1711 l = (unsigned long)
1642 ((unsigned int) a->session_id[0] )| 1712 ((unsigned int) a->session_id[0] )|
1643 ((unsigned int) a->session_id[1]<< 8L)| 1713 ((unsigned int) a->session_id[1]<< 8L)|
1644 ((unsigned long)a->session_id[2]<<16L)| 1714 ((unsigned long)a->session_id[2]<<16L)|
1645 ((unsigned long)a->session_id[3]<<24L); 1715 ((unsigned long)a->session_id[3]<<24L);
1646 return (l); 1716 return (l);
1647} 1717}
1648 1718
1649/* NB: If this function (or indeed the hash function which uses a sort of 1719/*
1720 * NB: If this function (or indeed the hash function which uses a sort of
1650 * coarser function than this one) is changed, ensure 1721 * coarser function than this one) is changed, ensure
1651 * SSL_CTX_has_matching_session_id() is checked accordingly. It relies on being 1722 * SSL_CTX_has_matching_session_id() is checked accordingly. It relies on being
1652 * able to construct an SSL_SESSION that will collide with any existing session 1723 * able to construct an SSL_SESSION that will collide with any existing session
1653 * with a matching session ID. */ 1724 * with a matching session ID.
1725 */
1654static int 1726static int
1655ssl_session_cmp(const SSL_SESSION *a, const SSL_SESSION *b) 1727ssl_session_cmp(const SSL_SESSION *a, const SSL_SESSION *b)
1656{ 1728{
@@ -1661,10 +1733,12 @@ ssl_session_cmp(const SSL_SESSION *a, const SSL_SESSION *b)
1661 return (memcmp(a->session_id, b->session_id, a->session_id_length)); 1733 return (memcmp(a->session_id, b->session_id, a->session_id_length));
1662} 1734}
1663 1735
1664/* These wrapper functions should remain rather than redeclaring 1736/*
1737 * These wrapper functions should remain rather than redeclaring
1665 * SSL_SESSION_hash and SSL_SESSION_cmp for void* types and casting each 1738 * SSL_SESSION_hash and SSL_SESSION_cmp for void* types and casting each
1666 * variable. The reason is that the functions aren't static, they're exposed via 1739 * variable. The reason is that the functions aren't static, they're exposed via
1667 * ssl.h. */ 1740 * ssl.h.
1741 */
1668static 1742static
1669IMPLEMENT_LHASH_HASH_FN(ssl_session, SSL_SESSION) 1743IMPLEMENT_LHASH_HASH_FN(ssl_session, SSL_SESSION)
1670static 1744static
@@ -1673,15 +1747,17 @@ IMPLEMENT_LHASH_COMP_FN(ssl_session, SSL_SESSION)
1673SSL_CTX * 1747SSL_CTX *
1674SSL_CTX_new(const SSL_METHOD *meth) 1748SSL_CTX_new(const SSL_METHOD *meth)
1675{ 1749{
1676 SSL_CTX *ret = NULL; 1750 SSL_CTX *ret = NULL;
1677 1751
1678 if (meth == NULL) { 1752 if (meth == NULL) {
1679 SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_NULL_SSL_METHOD_PASSED); 1753 SSLerr(SSL_F_SSL_CTX_NEW,
1754 SSL_R_NULL_SSL_METHOD_PASSED);
1680 return (NULL); 1755 return (NULL);
1681 } 1756 }
1682 1757
1683 if (SSL_get_ex_data_X509_STORE_CTX_idx() < 0) { 1758 if (SSL_get_ex_data_X509_STORE_CTX_idx() < 0) {
1684 SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_X509_VERIFICATION_SETUP_PROBLEMS); 1759 SSLerr(SSL_F_SSL_CTX_NEW,
1760 SSL_R_X509_VERIFICATION_SETUP_PROBLEMS);
1685 goto err; 1761 goto err;
1686 } 1762 }
1687 ret = calloc(1, sizeof(SSL_CTX)); 1763 ret = calloc(1, sizeof(SSL_CTX));
@@ -1748,7 +1824,8 @@ SSL_CTX_new(const SSL_METHOD *meth)
1748 &ret->cipher_list_by_id, SSL_DEFAULT_CIPHER_LIST); 1824 &ret->cipher_list_by_id, SSL_DEFAULT_CIPHER_LIST);
1749 if (ret->cipher_list == NULL || 1825 if (ret->cipher_list == NULL ||
1750 sk_SSL_CIPHER_num(ret->cipher_list) <= 0) { 1826 sk_SSL_CIPHER_num(ret->cipher_list) <= 0) {
1751 SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_LIBRARY_HAS_NO_CIPHERS); 1827 SSLerr(SSL_F_SSL_CTX_NEW,
1828 SSL_R_LIBRARY_HAS_NO_CIPHERS);
1752 goto err2; 1829 goto err2;
1753 } 1830 }
1754 1831
@@ -1757,11 +1834,13 @@ SSL_CTX_new(const SSL_METHOD *meth)
1757 goto err; 1834 goto err;
1758 1835
1759 if ((ret->md5 = EVP_get_digestbyname("ssl3-md5")) == NULL) { 1836 if ((ret->md5 = EVP_get_digestbyname("ssl3-md5")) == NULL) {
1760 SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES); 1837 SSLerr(SSL_F_SSL_CTX_NEW,
1838 SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES);
1761 goto err2; 1839 goto err2;
1762 } 1840 }
1763 if ((ret->sha1 = EVP_get_digestbyname("ssl3-sha1")) == NULL) { 1841 if ((ret->sha1 = EVP_get_digestbyname("ssl3-sha1")) == NULL) {
1764 SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES); 1842 SSLerr(SSL_F_SSL_CTX_NEW,
1843 SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES);
1765 goto err2; 1844 goto err2;
1766 } 1845 }
1767 1846
@@ -1782,9 +1861,9 @@ SSL_CTX_new(const SSL_METHOD *meth)
1782 ret->tlsext_servername_arg = NULL; 1861 ret->tlsext_servername_arg = NULL;
1783 /* Setup RFC4507 ticket keys */ 1862 /* Setup RFC4507 ticket keys */
1784 if ((RAND_pseudo_bytes(ret->tlsext_tick_key_name, 16) <= 0) 1863 if ((RAND_pseudo_bytes(ret->tlsext_tick_key_name, 16) <= 0)
1785 || (RAND_bytes(ret->tlsext_tick_hmac_key, 16) <= 0) 1864 || (RAND_bytes(ret->tlsext_tick_hmac_key, 16) <= 0)
1786 || (RAND_bytes(ret->tlsext_tick_aes_key, 16) <= 0)) 1865 || (RAND_bytes(ret->tlsext_tick_aes_key, 16) <= 0))
1787 ret->options |= SSL_OP_NO_TICKET; 1866 ret->options |= SSL_OP_NO_TICKET;
1788 1867
1789 ret->tlsext_status_cb = 0; 1868 ret->tlsext_status_cb = 0;
1790 ret->tlsext_status_arg = NULL; 1869 ret->tlsext_status_arg = NULL;
@@ -1814,22 +1893,25 @@ SSL_CTX_new(const SSL_METHOD *meth)
1814 if (!eng) { 1893 if (!eng) {
1815 ERR_clear_error(); 1894 ERR_clear_error();
1816 ENGINE_load_builtin_engines(); 1895 ENGINE_load_builtin_engines();
1817 eng = ENGINE_by_id(eng_str(OPENSSL_SSL_CLIENT_ENGINE_AUTO)); 1896 eng = ENGINE_by_id(eng_str(
1897 OPENSSL_SSL_CLIENT_ENGINE_AUTO));
1818 } 1898 }
1819 if (!eng || !SSL_CTX_set_client_cert_engine(ret, eng)) 1899 if (!eng || !SSL_CTX_set_client_cert_engine(ret, eng))
1820 ERR_clear_error(); 1900 ERR_clear_error();
1821 } 1901 }
1822#endif 1902#endif
1823#endif 1903#endif
1824 /* Default is to connect to non-RI servers. When RI is more widely 1904 /*
1905 * Default is to connect to non-RI servers. When RI is more widely
1825 * deployed might change this. 1906 * deployed might change this.
1826 */ 1907 */
1827 ret->options |= SSL_OP_LEGACY_SERVER_CONNECT; 1908 ret->options |= SSL_OP_LEGACY_SERVER_CONNECT;
1828 1909
1829 return (ret); 1910 return (ret);
1830err: 1911 err:
1831 SSLerr(SSL_F_SSL_CTX_NEW, ERR_R_MALLOC_FAILURE); 1912 SSLerr(SSL_F_SSL_CTX_NEW,
1832err2: 1913 ERR_R_MALLOC_FAILURE);
1914 err2:
1833 if (ret != NULL) 1915 if (ret != NULL)
1834 SSL_CTX_free(ret); 1916 SSL_CTX_free(ret);
1835 return (NULL); 1917 return (NULL);
@@ -1845,7 +1927,7 @@ SSL_COMP_free(SSL_COMP *comp)
1845void 1927void
1846SSL_CTX_free(SSL_CTX *a) 1928SSL_CTX_free(SSL_CTX *a)
1847{ 1929{
1848 int i; 1930 int i;
1849 1931
1850 if (a == NULL) 1932 if (a == NULL)
1851 return; 1933 return;
@@ -1926,7 +2008,8 @@ SSL_CTX_set_default_passwd_cb_userdata(SSL_CTX *ctx, void *u)
1926} 2008}
1927 2009
1928void 2010void
1929SSL_CTX_set_cert_verify_callback(SSL_CTX *ctx, int (*cb)(X509_STORE_CTX *, void *), void *arg) 2011SSL_CTX_set_cert_verify_callback(SSL_CTX *ctx, int (*cb)(X509_STORE_CTX *,
2012 void *), void *arg)
1930{ 2013{
1931 ctx->app_verify_callback = cb; 2014 ctx->app_verify_callback = cb;
1932 ctx->app_verify_arg = arg; 2015 ctx->app_verify_arg = arg;
@@ -1948,18 +2031,18 @@ SSL_CTX_set_verify_depth(SSL_CTX *ctx, int depth)
1948void 2031void
1949ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher) 2032ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher)
1950{ 2033{
1951 CERT_PKEY *cpk; 2034 CERT_PKEY *cpk;
1952 int rsa_enc, rsa_tmp, rsa_sign, dh_tmp, dh_rsa, dh_dsa, dsa_sign; 2035 int rsa_enc, rsa_tmp, rsa_sign, dh_tmp, dh_rsa, dh_dsa, dsa_sign;
1953 int rsa_enc_export, dh_rsa_export, dh_dsa_export; 2036 int rsa_enc_export, dh_rsa_export, dh_dsa_export;
1954 int rsa_tmp_export, dh_tmp_export, kl; 2037 int rsa_tmp_export, dh_tmp_export, kl;
1955 unsigned long mask_k, mask_a, emask_k, emask_a; 2038 unsigned long mask_k, mask_a, emask_k, emask_a;
1956 int have_ecc_cert, ecdh_ok, ecdsa_ok, ecc_pkey_size; 2039 int have_ecc_cert, ecdh_ok, ecdsa_ok, ecc_pkey_size;
1957#ifndef OPENSSL_NO_ECDH 2040#ifndef OPENSSL_NO_ECDH
1958 int have_ecdh_tmp; 2041 int have_ecdh_tmp;
1959#endif 2042#endif
1960 X509 *x = NULL; 2043 X509 *x = NULL;
1961 EVP_PKEY *ecc_pkey = NULL; 2044 EVP_PKEY *ecc_pkey = NULL;
1962 int signature_nid = 0, pk_nid = 0, md_nid = 0; 2045 int signature_nid = 0, pk_nid = 0, md_nid = 0;
1963 2046
1964 if (c == NULL) 2047 if (c == NULL)
1965 return; 2048 return;
@@ -2005,8 +2088,8 @@ ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher)
2005 2088
2006#ifdef CIPHER_DEBUG 2089#ifdef CIPHER_DEBUG
2007 printf("rt=%d rte=%d dht=%d ecdht=%d re=%d ree=%d rs=%d ds=%d dhr=%d dhd=%d\n", 2090 printf("rt=%d rte=%d dht=%d ecdht=%d re=%d ree=%d rs=%d ds=%d dhr=%d dhd=%d\n",
2008 rsa_tmp, rsa_tmp_export, dh_tmp, have_ecdh_tmp, 2091 rsa_tmp, rsa_tmp_export, dh_tmp, have_ecdh_tmp,
2009 rsa_enc, rsa_enc_export, rsa_sign, dsa_sign, dh_rsa, dh_dsa); 2092 rsa_enc, rsa_enc_export, rsa_sign, dsa_sign, dh_rsa, dh_dsa);
2010#endif 2093#endif
2011 2094
2012 cpk = &(c->pkeys[SSL_PKEY_GOST01]); 2095 cpk = &(c->pkeys[SSL_PKEY_GOST01]);
@@ -2071,7 +2154,8 @@ ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher)
2071 emask_a|=SSL_aKRB5; 2154 emask_a|=SSL_aKRB5;
2072#endif 2155#endif
2073 2156
2074 /* An ECC certificate may be usable for ECDH and/or 2157 /*
2158 * An ECC certificate may be usable for ECDH and/or
2075 * ECDSA cipher suites depending on the key usage extension. 2159 * ECDSA cipher suites depending on the key usage extension.
2076 */ 2160 */
2077 if (have_ecc_cert) { 2161 if (have_ecc_cert) {
@@ -2150,11 +2234,11 @@ ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher)
2150int 2234int
2151ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s) 2235ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s)
2152{ 2236{
2153 unsigned long alg_k, alg_a; 2237 unsigned long alg_k, alg_a;
2154 EVP_PKEY *pkey = NULL; 2238 EVP_PKEY *pkey = NULL;
2155 int keysize = 0; 2239 int keysize = 0;
2156 int signature_nid = 0, md_nid = 0, pk_nid = 0; 2240 int signature_nid = 0, md_nid = 0, pk_nid = 0;
2157 const SSL_CIPHER *cs = s->s3->tmp.new_cipher; 2241 const SSL_CIPHER *cs = s->s3->tmp.new_cipher;
2158 2242
2159 alg_k = cs->algorithm_mkey; 2243 alg_k = cs->algorithm_mkey;
2160 alg_a = cs->algorithm_auth; 2244 alg_a = cs->algorithm_auth;
@@ -2179,21 +2263,25 @@ ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s)
2179 if (alg_k & SSL_kECDHe || alg_k & SSL_kECDHr) { 2263 if (alg_k & SSL_kECDHe || alg_k & SSL_kECDHr) {
2180 /* key usage, if present, must allow key agreement */ 2264 /* key usage, if present, must allow key agreement */
2181 if (ku_reject(x, X509v3_KU_KEY_AGREEMENT)) { 2265 if (ku_reject(x, X509v3_KU_KEY_AGREEMENT)) {
2182 SSLerr(SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG, SSL_R_ECC_CERT_NOT_FOR_KEY_AGREEMENT); 2266 SSLerr(SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG,
2267 SSL_R_ECC_CERT_NOT_FOR_KEY_AGREEMENT);
2183 return 0; 2268 return 0;
2184 } 2269 }
2185 if ((alg_k & SSL_kECDHe) && TLS1_get_version(s) < TLS1_2_VERSION) { 2270 if ((alg_k & SSL_kECDHe) && TLS1_get_version(s) <
2271 TLS1_2_VERSION) {
2186 /* signature alg must be ECDSA */ 2272 /* signature alg must be ECDSA */
2187 if (pk_nid != NID_X9_62_id_ecPublicKey) { 2273 if (pk_nid != NID_X9_62_id_ecPublicKey) {
2188 SSLerr(SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG, SSL_R_ECC_CERT_SHOULD_HAVE_SHA1_SIGNATURE); 2274 SSLerr(SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG,
2275 SSL_R_ECC_CERT_SHOULD_HAVE_SHA1_SIGNATURE);
2189 return 0; 2276 return 0;
2190 } 2277 }
2191 } 2278 }
2192 if ((alg_k & SSL_kECDHr) && TLS1_get_version(s) < TLS1_2_VERSION) { 2279 if ((alg_k & SSL_kECDHr) && TLS1_get_version(s) <
2280 TLS1_2_VERSION) {
2193 /* signature alg must be RSA */ 2281 /* signature alg must be RSA */
2194
2195 if (pk_nid != NID_rsaEncryption && pk_nid != NID_rsa) { 2282 if (pk_nid != NID_rsaEncryption && pk_nid != NID_rsa) {
2196 SSLerr(SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG, SSL_R_ECC_CERT_SHOULD_HAVE_RSA_SIGNATURE); 2283 SSLerr(SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG,
2284 SSL_R_ECC_CERT_SHOULD_HAVE_RSA_SIGNATURE);
2197 return 0; 2285 return 0;
2198 } 2286 }
2199 } 2287 }
@@ -2201,7 +2289,8 @@ ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s)
2201 if (alg_a & SSL_aECDSA) { 2289 if (alg_a & SSL_aECDSA) {
2202 /* key usage, if present, must allow signing */ 2290 /* key usage, if present, must allow signing */
2203 if (ku_reject(x, X509v3_KU_DIGITAL_SIGNATURE)) { 2291 if (ku_reject(x, X509v3_KU_DIGITAL_SIGNATURE)) {
2204 SSLerr(SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG, SSL_R_ECC_CERT_NOT_FOR_SIGNING); 2292 SSLerr(SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG,
2293 SSL_R_ECC_CERT_NOT_FOR_SIGNING);
2205 return 0; 2294 return 0;
2206 } 2295 }
2207 } 2296 }
@@ -2216,9 +2305,9 @@ ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s)
2216CERT_PKEY * 2305CERT_PKEY *
2217ssl_get_server_send_pkey(const SSL *s) 2306ssl_get_server_send_pkey(const SSL *s)
2218{ 2307{
2219 unsigned long alg_k, alg_a; 2308 unsigned long alg_k, alg_a;
2220 CERT *c; 2309 CERT *c;
2221 int i; 2310 int i;
2222 2311
2223 c = s->cert; 2312 c = s->cert;
2224 ssl_set_cert_masks(c, s->s3->tmp.new_cipher); 2313 ssl_set_cert_masks(c, s->s3->tmp.new_cipher);
@@ -2227,7 +2316,8 @@ ssl_get_server_send_pkey(const SSL *s)
2227 alg_a = s->s3->tmp.new_cipher->algorithm_auth; 2316 alg_a = s->s3->tmp.new_cipher->algorithm_auth;
2228 2317
2229 if (alg_k & (SSL_kECDHr|SSL_kECDHe)) { 2318 if (alg_k & (SSL_kECDHr|SSL_kECDHe)) {
2230 /* we don't need to look at SSL_kEECDH 2319 /*
2320 * We don't need to look at SSL_kEECDH
2231 * since no certificate is needed for 2321 * since no certificate is needed for
2232 * anon ECDH and for authenticated 2322 * anon ECDH and for authenticated
2233 * EECDH, the check for the auth 2323 * EECDH, the check for the auth
@@ -2242,7 +2332,7 @@ ssl_get_server_send_pkey(const SSL *s)
2242 } else if (alg_a & SSL_aECDSA) { 2332 } else if (alg_a & SSL_aECDSA) {
2243 i = SSL_PKEY_ECC; 2333 i = SSL_PKEY_ECC;
2244 } else if (alg_k & SSL_kDHr) 2334 } else if (alg_k & SSL_kDHr)
2245 i = SSL_PKEY_DH_RSA; 2335 i = SSL_PKEY_DH_RSA;
2246 else if (alg_k & SSL_kDHd) 2336 else if (alg_k & SSL_kDHd)
2247 i = SSL_PKEY_DH_DSA; 2337 i = SSL_PKEY_DH_DSA;
2248 else if (alg_a & SSL_aDSS) 2338 else if (alg_a & SSL_aDSS)
@@ -2256,12 +2346,12 @@ ssl_get_server_send_pkey(const SSL *s)
2256 /* VRS something else here? */ 2346 /* VRS something else here? */
2257 return (NULL); 2347 return (NULL);
2258 } else if (alg_a & SSL_aGOST94) 2348 } else if (alg_a & SSL_aGOST94)
2259 i = SSL_PKEY_GOST94; 2349 i = SSL_PKEY_GOST94;
2260 else if (alg_a & SSL_aGOST01) 2350 else if (alg_a & SSL_aGOST01)
2261 i = SSL_PKEY_GOST01; 2351 i = SSL_PKEY_GOST01;
2262 else /* if (alg_a & SSL_aNULL) */ 2352 else { /* if (alg_a & SSL_aNULL) */
2263 { 2353 SSLerr(SSL_F_SSL_GET_SERVER_SEND_PKEY,
2264 SSLerr(SSL_F_SSL_GET_SERVER_SEND_PKEY, ERR_R_INTERNAL_ERROR); 2354 ERR_R_INTERNAL_ERROR);
2265 return (NULL); 2355 return (NULL);
2266 } 2356 }
2267 2357
@@ -2271,7 +2361,8 @@ ssl_get_server_send_pkey(const SSL *s)
2271X509 * 2361X509 *
2272ssl_get_server_send_cert(const SSL *s) 2362ssl_get_server_send_cert(const SSL *s)
2273{ 2363{
2274 CERT_PKEY *cpk; 2364 CERT_PKEY *cpk;
2365
2275 cpk = ssl_get_server_send_pkey(s); 2366 cpk = ssl_get_server_send_pkey(s);
2276 if (!cpk) 2367 if (!cpk)
2277 return NULL; 2368 return NULL;
@@ -2281,26 +2372,27 @@ ssl_get_server_send_cert(const SSL *s)
2281EVP_PKEY * 2372EVP_PKEY *
2282ssl_get_sign_pkey(SSL *s, const SSL_CIPHER *cipher, const EVP_MD **pmd) 2373ssl_get_sign_pkey(SSL *s, const SSL_CIPHER *cipher, const EVP_MD **pmd)
2283{ 2374{
2284 unsigned long alg_a; 2375 unsigned long alg_a;
2285 CERT *c; 2376 CERT *c;
2286 int idx = -1; 2377 int idx = -1;
2287 2378
2288 alg_a = cipher->algorithm_auth; 2379 alg_a = cipher->algorithm_auth;
2289 c = s->cert; 2380 c = s->cert;
2290 2381
2291 if ((alg_a & SSL_aDSS) && 2382 if ((alg_a & SSL_aDSS) &&
2292 (c->pkeys[SSL_PKEY_DSA_SIGN].privatekey != NULL)) 2383 (c->pkeys[SSL_PKEY_DSA_SIGN].privatekey != NULL))
2293 idx = SSL_PKEY_DSA_SIGN; 2384 idx = SSL_PKEY_DSA_SIGN;
2294 else if (alg_a & SSL_aRSA) { 2385 else if (alg_a & SSL_aRSA) {
2295 if (c->pkeys[SSL_PKEY_RSA_SIGN].privatekey != NULL) 2386 if (c->pkeys[SSL_PKEY_RSA_SIGN].privatekey != NULL)
2296 idx = SSL_PKEY_RSA_SIGN; 2387 idx = SSL_PKEY_RSA_SIGN;
2297 else if (c->pkeys[SSL_PKEY_RSA_ENC].privatekey != NULL) 2388 else if (c->pkeys[SSL_PKEY_RSA_ENC].privatekey != NULL)
2298 idx = SSL_PKEY_RSA_ENC; 2389 idx = SSL_PKEY_RSA_ENC;
2299 } else if ((alg_a & SSL_aECDSA) && 2390 } else if ((alg_a & SSL_aECDSA) &&
2300 (c->pkeys[SSL_PKEY_ECC].privatekey != NULL)) 2391 (c->pkeys[SSL_PKEY_ECC].privatekey != NULL))
2301 idx = SSL_PKEY_ECC; 2392 idx = SSL_PKEY_ECC;
2302 if (idx == -1) { 2393 if (idx == -1) {
2303 SSLerr(SSL_F_SSL_GET_SIGN_PKEY, ERR_R_INTERNAL_ERROR); 2394 SSLerr(SSL_F_SSL_GET_SIGN_PKEY,
2395 ERR_R_INTERNAL_ERROR);
2304 return (NULL); 2396 return (NULL);
2305 } 2397 }
2306 if (pmd) 2398 if (pmd)
@@ -2311,18 +2403,19 @@ ssl_get_sign_pkey(SSL *s, const SSL_CIPHER *cipher, const EVP_MD **pmd)
2311void 2403void
2312ssl_update_cache(SSL *s, int mode) 2404ssl_update_cache(SSL *s, int mode)
2313{ 2405{
2314 int i; 2406 int i;
2315 2407
2316 /* If the session_id_length is 0, we are not supposed to cache it, 2408 /*
2317 * and it would be rather hard to do anyway :-) */ 2409 * If the session_id_length is 0, we are not supposed to cache it,
2410 * and it would be rather hard to do anyway :-)
2411 */
2318 if (s->session->session_id_length == 0) 2412 if (s->session->session_id_length == 0)
2319 return; 2413 return;
2320 2414
2321 i = s->session_ctx->session_cache_mode; 2415 i = s->session_ctx->session_cache_mode;
2322 if ((i & mode) && (!s->hit) 2416 if ((i & mode) && (!s->hit) && ((i & SSL_SESS_CACHE_NO_INTERNAL_STORE)
2323 && ((i & SSL_SESS_CACHE_NO_INTERNAL_STORE) 2417 || SSL_CTX_add_session(s->session_ctx, s->session))
2324 || SSL_CTX_add_session(s->session_ctx, s->session)) 2418 && (s->session_ctx->new_session_cb != NULL)) {
2325 && (s->session_ctx->new_session_cb != NULL)) {
2326 CRYPTO_add(&s->session->references, 1, CRYPTO_LOCK_SSL_SESSION); 2419 CRYPTO_add(&s->session->references, 1, CRYPTO_LOCK_SSL_SESSION);
2327 if (!s->session_ctx->new_session_cb(s, s->session)) 2420 if (!s->session_ctx->new_session_cb(s, s->session))
2328 SSL_SESSION_free(s->session); 2421 SSL_SESSION_free(s->session);
@@ -2330,10 +2423,10 @@ ssl_update_cache(SSL *s, int mode)
2330 2423
2331 /* auto flush every 255 connections */ 2424 /* auto flush every 255 connections */
2332 if ((!(i & SSL_SESS_CACHE_NO_AUTO_CLEAR)) && 2425 if ((!(i & SSL_SESS_CACHE_NO_AUTO_CLEAR)) &&
2333 ((i & mode) == mode)) { 2426 ((i & mode) == mode)) {
2334 if ((((mode & SSL_SESS_CACHE_CLIENT) 2427 if ((((mode & SSL_SESS_CACHE_CLIENT) ?
2335 ?s->session_ctx->stats.sess_connect_good 2428 s->session_ctx->stats.sess_connect_good :
2336 :s->session_ctx->stats.sess_accept_good) & 0xff) == 0xff) { 2429 s->session_ctx->stats.sess_accept_good) & 0xff) == 0xff) {
2337 SSL_CTX_flush_sessions(s->session_ctx, time(NULL)); 2430 SSL_CTX_flush_sessions(s->session_ctx, time(NULL));
2338 } 2431 }
2339 } 2432 }
@@ -2348,8 +2441,8 @@ SSL_get_ssl_method(SSL *s)
2348int 2441int
2349SSL_set_ssl_method(SSL *s, const SSL_METHOD *meth) 2442SSL_set_ssl_method(SSL *s, const SSL_METHOD *meth)
2350{ 2443{
2351 int conn = -1; 2444 int conn = -1;
2352 int ret = 1; 2445 int ret = 1;
2353 2446
2354 if (s->method != meth) { 2447 if (s->method != meth) {
2355 if (s->handshake_func != NULL) 2448 if (s->handshake_func != NULL)
@@ -2374,9 +2467,9 @@ SSL_set_ssl_method(SSL *s, const SSL_METHOD *meth)
2374int 2467int
2375SSL_get_error(const SSL *s, int i) 2468SSL_get_error(const SSL *s, int i)
2376{ 2469{
2377 int reason; 2470 int reason;
2378 unsigned long l; 2471 unsigned long l;
2379 BIO *bio; 2472 BIO *bio;
2380 2473
2381 if (i > 0) 2474 if (i > 0)
2382 return (SSL_ERROR_NONE); 2475 return (SSL_ERROR_NONE);
@@ -2422,8 +2515,11 @@ SSL_get_error(const SSL *s, int i)
2422 if (BIO_should_write(bio)) 2515 if (BIO_should_write(bio))
2423 return (SSL_ERROR_WANT_WRITE); 2516 return (SSL_ERROR_WANT_WRITE);
2424 else if (BIO_should_read(bio)) 2517 else if (BIO_should_read(bio))
2425 /* See above (SSL_want_read(s) with BIO_should_write(bio)) */ 2518 return (SSL_ERROR_WANT_READ);
2426 return (SSL_ERROR_WANT_READ); 2519 /*
2520 * See above (SSL_want_read(s) with
2521 * BIO_should_write(bio))
2522 */
2427 else if (BIO_should_io_special(bio)) { 2523 else if (BIO_should_io_special(bio)) {
2428 reason = BIO_get_retry_reason(bio); 2524 reason = BIO_get_retry_reason(bio);
2429 if (reason == BIO_RR_CONNECT) 2525 if (reason == BIO_RR_CONNECT)
@@ -2449,10 +2545,11 @@ SSL_get_error(const SSL *s, int i)
2449int 2545int
2450SSL_do_handshake(SSL *s) 2546SSL_do_handshake(SSL *s)
2451{ 2547{
2452 int ret = 1; 2548 int ret = 1;
2453 2549
2454 if (s->handshake_func == NULL) { 2550 if (s->handshake_func == NULL) {
2455 SSLerr(SSL_F_SSL_DO_HANDSHAKE, SSL_R_CONNECTION_TYPE_NOT_SET); 2551 SSLerr(SSL_F_SSL_DO_HANDSHAKE,
2552 SSL_R_CONNECTION_TYPE_NOT_SET);
2456 return (-1); 2553 return (-1);
2457 } 2554 }
2458 2555
@@ -2464,8 +2561,10 @@ SSL_do_handshake(SSL *s)
2464 return (ret); 2561 return (ret);
2465} 2562}
2466 2563
2467/* For the next 2 functions, SSL_clear() sets shutdown and so 2564/*
2468 * one of these calls will reset it */ 2565 * For the next 2 functions, SSL_clear() sets shutdown and so
2566 * one of these calls will reset it
2567 */
2469void 2568void
2470SSL_set_accept_state(SSL *s) 2569SSL_set_accept_state(SSL *s)
2471{ 2570{
@@ -2495,28 +2594,32 @@ SSL_set_connect_state(SSL *s)
2495int 2594int
2496ssl_undefined_function(SSL *s) 2595ssl_undefined_function(SSL *s)
2497{ 2596{
2498 SSLerr(SSL_F_SSL_UNDEFINED_FUNCTION, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 2597 SSLerr(SSL_F_SSL_UNDEFINED_FUNCTION,
2598 ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
2499 return (0); 2599 return (0);
2500} 2600}
2501 2601
2502int 2602int
2503ssl_undefined_void_function(void) 2603ssl_undefined_void_function(void)
2504{ 2604{
2505 SSLerr(SSL_F_SSL_UNDEFINED_VOID_FUNCTION, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 2605 SSLerr(SSL_F_SSL_UNDEFINED_VOID_FUNCTION,
2606 ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
2506 return (0); 2607 return (0);
2507} 2608}
2508 2609
2509int 2610int
2510ssl_undefined_const_function(const SSL *s) 2611ssl_undefined_const_function(const SSL *s)
2511{ 2612{
2512 SSLerr(SSL_F_SSL_UNDEFINED_CONST_FUNCTION, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 2613 SSLerr(SSL_F_SSL_UNDEFINED_CONST_FUNCTION,
2614 ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
2513 return (0); 2615 return (0);
2514} 2616}
2515 2617
2516SSL_METHOD * 2618SSL_METHOD *
2517ssl_bad_method(int ver) 2619ssl_bad_method(int ver)
2518{ 2620{
2519 SSLerr(SSL_F_SSL_BAD_METHOD, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 2621 SSLerr(SSL_F_SSL_BAD_METHOD,
2622 ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
2520 return (NULL); 2623 return (NULL);
2521} 2624}
2522 2625
@@ -2554,10 +2657,12 @@ SSL_dup(SSL *s)
2554 /* This copies session-id, SSL_METHOD, sid_ctx, and 'cert' */ 2657 /* This copies session-id, SSL_METHOD, sid_ctx, and 'cert' */
2555 SSL_copy_session_id(ret, s); 2658 SSL_copy_session_id(ret, s);
2556 } else { 2659 } else {
2557 /* No session has been established yet, so we have to expect 2660 /*
2661 * No session has been established yet, so we have to expect
2558 * that s->cert or ret->cert will be changed later -- 2662 * that s->cert or ret->cert will be changed later --
2559 * they should not both point to the same object, 2663 * they should not both point to the same object,
2560 * and thus we can't use SSL_copy_session_id. */ 2664 * and thus we can't use SSL_copy_session_id.
2665 */
2561 2666
2562 ret->method->ssl_free(ret); 2667 ret->method->ssl_free(ret);
2563 ret->method = s->method; 2668 ret->method = s->method;
@@ -2592,7 +2697,8 @@ SSL_dup(SSL *s)
2592 ret->debug = s->debug; 2697 ret->debug = s->debug;
2593 2698
2594 /* copy app data, a little dangerous perhaps */ 2699 /* copy app data, a little dangerous perhaps */
2595 if (!CRYPTO_dup_ex_data(CRYPTO_EX_INDEX_SSL, &ret->ex_data, &s->ex_data)) 2700 if (!CRYPTO_dup_ex_data(CRYPTO_EX_INDEX_SSL,
2701 &ret->ex_data, &s->ex_data))
2596 goto err; 2702 goto err;
2597 2703
2598 /* setup rbio, and wbio */ 2704 /* setup rbio, and wbio */
@@ -2615,22 +2721,30 @@ SSL_dup(SSL *s)
2615 ret->new_session = s->new_session; 2721 ret->new_session = s->new_session;
2616 ret->quiet_shutdown = s->quiet_shutdown; 2722 ret->quiet_shutdown = s->quiet_shutdown;
2617 ret->shutdown = s->shutdown; 2723 ret->shutdown = s->shutdown;
2618 ret->state=s->state; /* SSL_dup does not really work at any state, though */ 2724 /* SSL_dup does not really work at any state, though */
2725 ret->state=s->state;
2619 ret->rstate = s->rstate; 2726 ret->rstate = s->rstate;
2620 ret->init_num = 0; /* would have to copy ret->init_buf, ret->init_msg, ret->init_num, ret->init_off */ 2727
2728 /*
2729 * Would have to copy ret->init_buf, ret->init_msg, ret->init_num,
2730 * ret->init_off
2731 */
2732 ret->init_num = 0;
2733
2621 ret->hit = s->hit; 2734 ret->hit = s->hit;
2622 2735
2623 X509_VERIFY_PARAM_inherit(ret->param, s->param); 2736 X509_VERIFY_PARAM_inherit(ret->param, s->param);
2624 2737
2625 /* dup the cipher_list and cipher_list_by_id stacks */ 2738 /* dup the cipher_list and cipher_list_by_id stacks */
2626 if (s->cipher_list != NULL) { 2739 if (s->cipher_list != NULL) {
2627 if ((ret->cipher_list = sk_SSL_CIPHER_dup(s->cipher_list)) == NULL) 2740 if ((ret->cipher_list =
2741 sk_SSL_CIPHER_dup(s->cipher_list)) == NULL)
2628 goto err; 2742 goto err;
2629 } 2743 }
2630 if (s->cipher_list_by_id != NULL) 2744 if (s->cipher_list_by_id != NULL)
2631 if ((ret->cipher_list_by_id = sk_SSL_CIPHER_dup(s->cipher_list_by_id)) 2745 if ((ret->cipher_list_by_id =
2632 == NULL) 2746 sk_SSL_CIPHER_dup(s->cipher_list_by_id)) == NULL)
2633 goto err; 2747 goto err;
2634 2748
2635 /* Dup the client_CA list */ 2749 /* Dup the client_CA list */
2636 if (s->client_CA != NULL) { 2750 if (s->client_CA != NULL) {
@@ -2638,7 +2752,8 @@ SSL_dup(SSL *s)
2638 ret->client_CA = sk; 2752 ret->client_CA = sk;
2639 for (i = 0; i < sk_X509_NAME_num(sk); i++) { 2753 for (i = 0; i < sk_X509_NAME_num(sk); i++) {
2640 xn = sk_X509_NAME_value(sk, i); 2754 xn = sk_X509_NAME_value(sk, i);
2641 if (sk_X509_NAME_set(sk, i, X509_NAME_dup(xn)) == NULL) { 2755 if (sk_X509_NAME_set(sk, i,
2756 X509_NAME_dup(xn)) == NULL) {
2642 X509_NAME_free(xn); 2757 X509_NAME_free(xn);
2643 goto err; 2758 goto err;
2644 } 2759 }
@@ -2646,7 +2761,7 @@ SSL_dup(SSL *s)
2646 } 2761 }
2647 2762
2648 if (0) { 2763 if (0) {
2649err: 2764 err:
2650 if (ret != NULL) 2765 if (ret != NULL)
2651 SSL_free(ret); 2766 SSL_free(ret);
2652 ret = NULL; 2767 ret = NULL;
@@ -2740,7 +2855,7 @@ SSL_get_current_expansion(SSL *s)
2740int 2855int
2741ssl_init_wbio_buffer(SSL *s, int push) 2856ssl_init_wbio_buffer(SSL *s, int push)
2742{ 2857{
2743 BIO *bbio; 2858 BIO *bbio;
2744 2859
2745 if (s->bbio == NULL) { 2860 if (s->bbio == NULL) {
2746 bbio = BIO_new(BIO_f_buffer()); 2861 bbio = BIO_new(BIO_f_buffer());
@@ -2755,7 +2870,8 @@ ssl_init_wbio_buffer(SSL *s, int push)
2755 (void)BIO_reset(bbio); 2870 (void)BIO_reset(bbio);
2756/* if (!BIO_set_write_buffer_size(bbio,16*1024)) */ 2871/* if (!BIO_set_write_buffer_size(bbio,16*1024)) */
2757 if (!BIO_set_read_buffer_size(bbio, 1)) { 2872 if (!BIO_set_read_buffer_size(bbio, 1)) {
2758 SSLerr(SSL_F_SSL_INIT_WBIO_BUFFER, ERR_R_BUF_LIB); 2873 SSLerr(SSL_F_SSL_INIT_WBIO_BUFFER,
2874 ERR_R_BUF_LIB);
2759 return (0); 2875 return (0);
2760 } 2876 }
2761 if (push) { 2877 if (push) {
@@ -2871,8 +2987,10 @@ SSL_set_info_callback(SSL *ssl,
2871 ssl->info_callback = cb; 2987 ssl->info_callback = cb;
2872} 2988}
2873 2989
2874/* One compiler (Diab DCC) doesn't like argument names in returned 2990/*
2875 function pointer. */ 2991 * One compiler (Diab DCC) doesn't like argument names in returned
2992 * function pointer.
2993 */
2876void (*SSL_get_info_callback(const SSL *ssl))(const SSL * /*ssl*/,int /*type*/,int /*val*/) 2994void (*SSL_get_info_callback(const SSL *ssl))(const SSL * /*ssl*/,int /*type*/,int /*val*/)
2877{ 2995{
2878 return ssl->info_callback; 2996 return ssl->info_callback;
@@ -2907,7 +3025,7 @@ SSL_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
2907 CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func) 3025 CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func)
2908{ 3026{
2909 return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_SSL, argl, argp, 3027 return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_SSL, argl, argp,
2910 new_func, dup_func, free_func); 3028 new_func, dup_func, free_func);
2911} 3029}
2912 3030
2913int 3031int
@@ -2927,7 +3045,7 @@ SSL_CTX_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
2927 CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func) 3045 CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func)
2928{ 3046{
2929 return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_SSL_CTX, argl, argp, 3047 return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_SSL_CTX, argl, argp,
2930 new_func, dup_func, free_func); 3048 new_func, dup_func, free_func);
2931} 3049}
2932 3050
2933int 3051int
@@ -3030,10 +3148,11 @@ SSL_set_tmp_dh_callback(SSL *ssl, DH *(*dh)(SSL *ssl, int is_export,
3030 3148
3031#ifndef OPENSSL_NO_ECDH 3149#ifndef OPENSSL_NO_ECDH
3032void 3150void
3033SSL_CTX_set_tmp_ecdh_callback(SSL_CTX *ctx, EC_KEY *(*ecdh)(SSL *ssl, int is_export, 3151SSL_CTX_set_tmp_ecdh_callback(SSL_CTX *ctx, EC_KEY *(*ecdh)(SSL *ssl,
3034 int keylength)) 3152 int is_export, int keylength))
3035{ 3153{
3036 SSL_CTX_callback_ctrl(ctx, SSL_CTRL_SET_TMP_ECDH_CB,(void (*)(void))ecdh); 3154 SSL_CTX_callback_ctrl(ctx, SSL_CTRL_SET_TMP_ECDH_CB,
3155 (void (*)(void))ecdh);
3037} 3156}
3038 3157
3039void 3158void
@@ -3048,8 +3167,10 @@ SSL_set_tmp_ecdh_callback(SSL *ssl, EC_KEY *(*ecdh)(SSL *ssl, int is_export,
3048int 3167int
3049SSL_CTX_use_psk_identity_hint(SSL_CTX *ctx, const char *identity_hint) 3168SSL_CTX_use_psk_identity_hint(SSL_CTX *ctx, const char *identity_hint)
3050{ 3169{
3051 if (identity_hint != NULL && strlen(identity_hint) > PSK_MAX_IDENTITY_LEN) { 3170 if (identity_hint != NULL && strlen(identity_hint) >
3052 SSLerr(SSL_F_SSL_CTX_USE_PSK_IDENTITY_HINT, SSL_R_DATA_LENGTH_TOO_LONG); 3171 PSK_MAX_IDENTITY_LEN) {
3172 SSLerr(SSL_F_SSL_CTX_USE_PSK_IDENTITY_HINT,
3173 SSL_R_DATA_LENGTH_TOO_LONG);
3053 return 0; 3174 return 0;
3054 } 3175 }
3055 if (ctx->psk_identity_hint != NULL) 3176 if (ctx->psk_identity_hint != NULL)
@@ -3072,8 +3193,10 @@ SSL_use_psk_identity_hint(SSL *s, const char *identity_hint)
3072 if (s->session == NULL) 3193 if (s->session == NULL)
3073 return 1; /* session not created yet, ignored */ 3194 return 1; /* session not created yet, ignored */
3074 3195
3075 if (identity_hint != NULL && strlen(identity_hint) > PSK_MAX_IDENTITY_LEN) { 3196 if (identity_hint != NULL && strlen(identity_hint) >
3076 SSLerr(SSL_F_SSL_USE_PSK_IDENTITY_HINT, SSL_R_DATA_LENGTH_TOO_LONG); 3197 PSK_MAX_IDENTITY_LEN) {
3198 SSLerr(SSL_F_SSL_USE_PSK_IDENTITY_HINT,
3199 SSL_R_DATA_LENGTH_TOO_LONG);
3077 return 0; 3200 return 0;
3078 } 3201 }
3079 if (s->session->psk_identity_hint != NULL) 3202 if (s->session->psk_identity_hint != NULL)
@@ -3106,7 +3229,7 @@ SSL_get_psk_identity(const SSL *s)
3106void 3229void
3107SSL_set_psk_client_callback(SSL *s, 3230SSL_set_psk_client_callback(SSL *s,
3108 unsigned int (*cb)(SSL *ssl, const char *hint, 3231 unsigned int (*cb)(SSL *ssl, const char *hint,
3109char *identity, unsigned int max_identity_len, unsigned char *psk, 3232 char *identity, unsigned int max_identity_len, unsigned char *psk,
3110 unsigned int max_psk_len)) 3233 unsigned int max_psk_len))
3111{ 3234{
3112 s->psk_client_callback = cb; 3235 s->psk_client_callback = cb;
@@ -3115,7 +3238,7 @@ char *identity, unsigned int max_identity_len, unsigned char *psk,
3115void 3238void
3116SSL_CTX_set_psk_client_callback(SSL_CTX *ctx, 3239SSL_CTX_set_psk_client_callback(SSL_CTX *ctx,
3117 unsigned int (*cb)(SSL *ssl, const char *hint, 3240 unsigned int (*cb)(SSL *ssl, const char *hint,
3118char *identity, unsigned int max_identity_len, unsigned char *psk, 3241 char *identity, unsigned int max_identity_len, unsigned char *psk,
3119 unsigned int max_psk_len)) 3242 unsigned int max_psk_len))
3120{ 3243{
3121 ctx->psk_client_callback = cb; 3244 ctx->psk_client_callback = cb;
@@ -3124,7 +3247,7 @@ char *identity, unsigned int max_identity_len, unsigned char *psk,
3124void 3247void
3125SSL_set_psk_server_callback(SSL *s, 3248SSL_set_psk_server_callback(SSL *s,
3126 unsigned int (*cb)(SSL *ssl, const char *identity, 3249 unsigned int (*cb)(SSL *ssl, const char *identity,
3127unsigned char *psk, unsigned int max_psk_len)) 3250 unsigned char *psk, unsigned int max_psk_len))
3128{ 3251{
3129 s->psk_server_callback = cb; 3252 s->psk_server_callback = cb;
3130} 3253}
@@ -3132,30 +3255,33 @@ unsigned char *psk, unsigned int max_psk_len))
3132void 3255void
3133SSL_CTX_set_psk_server_callback(SSL_CTX *ctx, 3256SSL_CTX_set_psk_server_callback(SSL_CTX *ctx,
3134 unsigned int (*cb)(SSL *ssl, const char *identity, 3257 unsigned int (*cb)(SSL *ssl, const char *identity,
3135unsigned char *psk, unsigned int max_psk_len)) 3258 unsigned char *psk, unsigned int max_psk_len))
3136{ 3259{
3137 ctx->psk_server_callback = cb; 3260 ctx->psk_server_callback = cb;
3138} 3261}
3139#endif 3262#endif
3140 3263
3141void 3264void
3142SSL_CTX_set_msg_callback(SSL_CTX *ctx, void (*cb)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg)) 3265SSL_CTX_set_msg_callback(SSL_CTX *ctx, void (*cb)(int write_p, int version,
3266 int content_type, const void *buf, size_t len, SSL *ssl, void *arg))
3143{ 3267{
3144 SSL_CTX_callback_ctrl(ctx, SSL_CTRL_SET_MSG_CALLBACK, (void (*)(void))cb); 3268 SSL_CTX_callback_ctrl(ctx, SSL_CTRL_SET_MSG_CALLBACK,
3269 (void (*)(void))cb);
3145} 3270}
3146 3271
3147void 3272void
3148SSL_set_msg_callback(SSL *ssl, void (*cb)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg)) 3273SSL_set_msg_callback(SSL *ssl, void (*cb)(int write_p, int version,
3274 int content_type, const void *buf, size_t len, SSL *ssl, void *arg))
3149{ 3275{
3150 SSL_callback_ctrl(ssl, SSL_CTRL_SET_MSG_CALLBACK, (void (*)(void))cb); 3276 SSL_callback_ctrl(ssl, SSL_CTRL_SET_MSG_CALLBACK, (void (*)(void))cb);
3151} 3277}
3152 3278
3153/* Allocates new EVP_MD_CTX and sets pointer to it into given pointer 3279/*
3280 * Allocates new EVP_MD_CTX and sets pointer to it into given pointer
3154 * vairable, freeing EVP_MD_CTX previously stored in that variable, if 3281 * vairable, freeing EVP_MD_CTX previously stored in that variable, if
3155 * any. If EVP_MD pointer is passed, initializes ctx with this md 3282 * any. If EVP_MD pointer is passed, initializes ctx with this md
3156 * Returns newly allocated ctx; 3283 * Returns newly allocated ctx;
3157 */ 3284 */
3158
3159EVP_MD_CTX * 3285EVP_MD_CTX *
3160ssl_replace_hash(EVP_MD_CTX **hash, const EVP_MD *md) 3286ssl_replace_hash(EVP_MD_CTX **hash, const EVP_MD *md)
3161{ 3287{
@@ -3169,7 +3295,6 @@ ssl_replace_hash(EVP_MD_CTX **hash, const EVP_MD *md)
3169void 3295void
3170ssl_clear_hash_ctx(EVP_MD_CTX **hash) 3296ssl_clear_hash_ctx(EVP_MD_CTX **hash)
3171{ 3297{
3172
3173 if (*hash) 3298 if (*hash)
3174 EVP_MD_CTX_destroy(*hash); 3299 EVP_MD_CTX_destroy(*hash);
3175 *hash = NULL; 3300 *hash = NULL;
@@ -3190,4 +3315,4 @@ SSL_cache_hit(SSL *s)
3190IMPLEMENT_STACK_OF(SSL_CIPHER) 3315IMPLEMENT_STACK_OF(SSL_CIPHER)
3191IMPLEMENT_STACK_OF(SSL_COMP) 3316IMPLEMENT_STACK_OF(SSL_COMP)
3192IMPLEMENT_OBJ_BSEARCH_GLOBAL_CMP_FN(SSL_CIPHER, SSL_CIPHER, 3317IMPLEMENT_OBJ_BSEARCH_GLOBAL_CMP_FN(SSL_CIPHER, SSL_CIPHER,
3193ssl_cipher_id); 3318 ssl_cipher_id);
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-10-26 23:32:53 +0000