summaryrefslogtreecommitdiff
path: root/src/lib/libssl/ssl_lib.c
diff options
context:
space:
mode:
Diffstat (limited to 'src/lib/libssl/ssl_lib.c')
-rw-r--r--src/lib/libssl/ssl_lib.c274
1 files changed, 34 insertions, 240 deletions
diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c
index f82d071d6e..7755476de3 100644
--- a/src/lib/libssl/ssl_lib.c
+++ b/src/lib/libssl/ssl_lib.c
@@ -176,10 +176,7 @@ SSL3_ENC_METHOD ssl3_undef_enc_method={
176 0, /* client_finished_label_len */ 176 0, /* client_finished_label_len */
177 NULL, /* server_finished_label */ 177 NULL, /* server_finished_label */
178 0, /* server_finished_label_len */ 178 0, /* server_finished_label_len */
179 (int (*)(int))ssl_undefined_function, 179 (int (*)(int))ssl_undefined_function
180 (int (*)(SSL *, unsigned char *, size_t, const char *,
181 size_t, const unsigned char *, size_t,
182 int use_context)) ssl_undefined_function,
183 }; 180 };
184 181
185int SSL_clear(SSL *s) 182int SSL_clear(SSL *s)
@@ -205,9 +202,9 @@ int SSL_clear(SSL *s)
205 * needed because SSL_clear is not called when doing renegotiation) */ 202 * needed because SSL_clear is not called when doing renegotiation) */
206 /* This is set if we are doing dynamic renegotiation so keep 203 /* This is set if we are doing dynamic renegotiation so keep
207 * the old cipher. It is sort of a SSL_clear_lite :-) */ 204 * the old cipher. It is sort of a SSL_clear_lite :-) */
208 if (s->renegotiate) return(1); 205 if (s->new_session) return(1);
209#else 206#else
210 if (s->renegotiate) 207 if (s->new_session)
211 { 208 {
212 SSLerr(SSL_F_SSL_CLEAR,ERR_R_INTERNAL_ERROR); 209 SSLerr(SSL_F_SSL_CLEAR,ERR_R_INTERNAL_ERROR);
213 return 0; 210 return 0;
@@ -356,9 +353,6 @@ SSL *SSL_new(SSL_CTX *ctx)
356 s->tlsext_ocsp_resplen = -1; 353 s->tlsext_ocsp_resplen = -1;
357 CRYPTO_add(&ctx->references,1,CRYPTO_LOCK_SSL_CTX); 354 CRYPTO_add(&ctx->references,1,CRYPTO_LOCK_SSL_CTX);
358 s->initial_ctx=ctx; 355 s->initial_ctx=ctx;
359# ifndef OPENSSL_NO_NEXTPROTONEG
360 s->next_proto_negotiated = NULL;
361# endif
362#endif 356#endif
363 357
364 s->verify_result=X509_V_OK; 358 s->verify_result=X509_V_OK;
@@ -592,14 +586,6 @@ void SSL_free(SSL *s)
592 kssl_ctx_free(s->kssl_ctx); 586 kssl_ctx_free(s->kssl_ctx);
593#endif /* OPENSSL_NO_KRB5 */ 587#endif /* OPENSSL_NO_KRB5 */
594 588
595#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
596 if (s->next_proto_negotiated)
597 OPENSSL_free(s->next_proto_negotiated);
598#endif
599
600 if (s->srtp_profiles)
601 sk_SRTP_PROTECTION_PROFILE_free(s->srtp_profiles);
602
603 OPENSSL_free(s); 589 OPENSSL_free(s);
604 } 590 }
605 591
@@ -1022,21 +1008,10 @@ int SSL_shutdown(SSL *s)
1022 1008
1023int SSL_renegotiate(SSL *s) 1009int SSL_renegotiate(SSL *s)
1024 { 1010 {
1025 if (s->renegotiate == 0) 1011 if (s->new_session == 0)
1026 s->renegotiate=1; 1012 {
1027 1013 s->new_session=1;
1028 s->new_session=1; 1014 }
1029
1030 return(s->method->ssl_renegotiate(s));
1031 }
1032
1033int SSL_renegotiate_abbreviated(SSL *s)
1034 {
1035 if (s->renegotiate == 0)
1036 s->renegotiate=1;
1037
1038 s->new_session=0;
1039
1040 return(s->method->ssl_renegotiate(s)); 1015 return(s->method->ssl_renegotiate(s));
1041 } 1016 }
1042 1017
@@ -1044,7 +1019,7 @@ int SSL_renegotiate_pending(SSL *s)
1044 { 1019 {
1045 /* becomes true when negotiation is requested; 1020 /* becomes true when negotiation is requested;
1046 * false again once a handshake has finished */ 1021 * false again once a handshake has finished */
1047 return (s->renegotiate != 0); 1022 return (s->new_session != 0);
1048 } 1023 }
1049 1024
1050long SSL_ctrl(SSL *s,int cmd,long larg,void *parg) 1025long SSL_ctrl(SSL *s,int cmd,long larg,void *parg)
@@ -1079,10 +1054,8 @@ long SSL_ctrl(SSL *s,int cmd,long larg,void *parg)
1079 s->max_cert_list=larg; 1054 s->max_cert_list=larg;
1080 return(l); 1055 return(l);
1081 case SSL_CTRL_SET_MTU: 1056 case SSL_CTRL_SET_MTU:
1082#ifndef OPENSSL_NO_DTLS1
1083 if (larg < (long)dtls1_min_mtu()) 1057 if (larg < (long)dtls1_min_mtu())
1084 return 0; 1058 return 0;
1085#endif
1086 1059
1087 if (SSL_version(s) == DTLS1_VERSION || 1060 if (SSL_version(s) == DTLS1_VERSION ||
1088 SSL_version(s) == DTLS1_BAD_VER) 1061 SSL_version(s) == DTLS1_BAD_VER)
@@ -1336,36 +1309,33 @@ int SSL_set_cipher_list(SSL *s,const char *str)
1336/* works well for SSLv2, not so good for SSLv3 */ 1309/* works well for SSLv2, not so good for SSLv3 */
1337char *SSL_get_shared_ciphers(const SSL *s,char *buf,int len) 1310char *SSL_get_shared_ciphers(const SSL *s,char *buf,int len)
1338 { 1311 {
1339 char *p; 1312 char *end;
1340 STACK_OF(SSL_CIPHER) *sk; 1313 STACK_OF(SSL_CIPHER) *sk;
1341 SSL_CIPHER *c; 1314 SSL_CIPHER *c;
1315 size_t curlen = 0;
1342 int i; 1316 int i;
1343 1317
1344 if ((s->session == NULL) || (s->session->ciphers == NULL) || 1318 if ((s->session == NULL) || (s->session->ciphers == NULL) ||
1345 (len < 2)) 1319 (len < 2))
1346 return(NULL); 1320 return(NULL);
1347 1321
1348 p=buf;
1349 sk=s->session->ciphers; 1322 sk=s->session->ciphers;
1323 buf[0] = '\0';
1350 for (i=0; i<sk_SSL_CIPHER_num(sk); i++) 1324 for (i=0; i<sk_SSL_CIPHER_num(sk); i++)
1351 { 1325 {
1352 int n;
1353
1354 c=sk_SSL_CIPHER_value(sk,i); 1326 c=sk_SSL_CIPHER_value(sk,i);
1355 n=strlen(c->name); 1327 end = buf + curlen;
1356 if (n+1 > len) 1328 if (strlcat(buf, c->name, len) >= len ||
1329 (curlen = strlcat(buf, ":", len)) >= len)
1357 { 1330 {
1358 if (p != buf) 1331 /* remove truncated cipher from list */
1359 --p; 1332 *end = '\0';
1360 *p='\0'; 1333 break;
1361 return buf;
1362 } 1334 }
1363 strcpy(p,c->name);
1364 p+=n;
1365 *(p++)=':';
1366 len-=n+1;
1367 } 1335 }
1368 p[-1]='\0'; 1336 /* remove trailing colon */
1337 if ((end = strrchr(buf, ':')) != NULL)
1338 *end = '\0';
1369 return(buf); 1339 return(buf);
1370 } 1340 }
1371 1341
@@ -1385,10 +1355,6 @@ int ssl_cipher_list_to_bytes(SSL *s,STACK_OF(SSL_CIPHER) *sk,unsigned char *p,
1385 for (i=0; i<sk_SSL_CIPHER_num(sk); i++) 1355 for (i=0; i<sk_SSL_CIPHER_num(sk); i++)
1386 { 1356 {
1387 c=sk_SSL_CIPHER_value(sk,i); 1357 c=sk_SSL_CIPHER_value(sk,i);
1388 /* Skip TLS v1.2 only ciphersuites if lower than v1.2 */
1389 if ((c->algorithm_ssl & SSL_TLSV1_2) &&
1390 (TLS1_get_client_version(s) < TLS1_2_VERSION))
1391 continue;
1392#ifndef OPENSSL_NO_KRB5 1358#ifndef OPENSSL_NO_KRB5
1393 if (((c->algorithm_mkey & SSL_kKRB5) || (c->algorithm_auth & SSL_aKRB5)) && 1359 if (((c->algorithm_mkey & SSL_kKRB5) || (c->algorithm_auth & SSL_aKRB5)) &&
1394 nokrb5) 1360 nokrb5)
@@ -1406,7 +1372,7 @@ int ssl_cipher_list_to_bytes(SSL *s,STACK_OF(SSL_CIPHER) *sk,unsigned char *p,
1406 /* If p == q, no ciphers and caller indicates an error. Otherwise 1372 /* If p == q, no ciphers and caller indicates an error. Otherwise
1407 * add SCSV if not renegotiating. 1373 * add SCSV if not renegotiating.
1408 */ 1374 */
1409 if (p != q && !s->renegotiate) 1375 if (p != q && !s->new_session)
1410 { 1376 {
1411 static SSL_CIPHER scsv = 1377 static SSL_CIPHER scsv =
1412 { 1378 {
@@ -1453,7 +1419,7 @@ STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s,unsigned char *p,int num,
1453 (p[n-1] == (SSL3_CK_SCSV & 0xff))) 1419 (p[n-1] == (SSL3_CK_SCSV & 0xff)))
1454 { 1420 {
1455 /* SCSV fatal if renegotiating */ 1421 /* SCSV fatal if renegotiating */
1456 if (s->renegotiate) 1422 if (s->new_session)
1457 { 1423 {
1458 SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING); 1424 SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING);
1459 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE); 1425 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE);
@@ -1510,137 +1476,8 @@ int SSL_get_servername_type(const SSL *s)
1510 return TLSEXT_NAMETYPE_host_name; 1476 return TLSEXT_NAMETYPE_host_name;
1511 return -1; 1477 return -1;
1512 } 1478 }
1513
1514# ifndef OPENSSL_NO_NEXTPROTONEG
1515/* SSL_select_next_proto implements the standard protocol selection. It is
1516 * expected that this function is called from the callback set by
1517 * SSL_CTX_set_next_proto_select_cb.
1518 *
1519 * The protocol data is assumed to be a vector of 8-bit, length prefixed byte
1520 * strings. The length byte itself is not included in the length. A byte
1521 * string of length 0 is invalid. No byte string may be truncated.
1522 *
1523 * The current, but experimental algorithm for selecting the protocol is:
1524 *
1525 * 1) If the server doesn't support NPN then this is indicated to the
1526 * callback. In this case, the client application has to abort the connection
1527 * or have a default application level protocol.
1528 *
1529 * 2) If the server supports NPN, but advertises an empty list then the
1530 * client selects the first protcol in its list, but indicates via the
1531 * API that this fallback case was enacted.
1532 *
1533 * 3) Otherwise, the client finds the first protocol in the server's list
1534 * that it supports and selects this protocol. This is because it's
1535 * assumed that the server has better information about which protocol
1536 * a client should use.
1537 *
1538 * 4) If the client doesn't support any of the server's advertised
1539 * protocols, then this is treated the same as case 2.
1540 *
1541 * It returns either
1542 * OPENSSL_NPN_NEGOTIATED if a common protocol was found, or
1543 * OPENSSL_NPN_NO_OVERLAP if the fallback case was reached.
1544 */
1545int SSL_select_next_proto(unsigned char **out, unsigned char *outlen, const unsigned char *server, unsigned int server_len, const unsigned char *client, unsigned int client_len)
1546 {
1547 unsigned int i, j;
1548 const unsigned char *result;
1549 int status = OPENSSL_NPN_UNSUPPORTED;
1550
1551 /* For each protocol in server preference order, see if we support it. */
1552 for (i = 0; i < server_len; )
1553 {
1554 for (j = 0; j < client_len; )
1555 {
1556 if (server[i] == client[j] &&
1557 memcmp(&server[i+1], &client[j+1], server[i]) == 0)
1558 {
1559 /* We found a match */
1560 result = &server[i];
1561 status = OPENSSL_NPN_NEGOTIATED;
1562 goto found;
1563 }
1564 j += client[j];
1565 j++;
1566 }
1567 i += server[i];
1568 i++;
1569 }
1570
1571 /* There's no overlap between our protocols and the server's list. */
1572 result = client;
1573 status = OPENSSL_NPN_NO_OVERLAP;
1574
1575 found:
1576 *out = (unsigned char *) result + 1;
1577 *outlen = result[0];
1578 return status;
1579 }
1580
1581/* SSL_get0_next_proto_negotiated sets *data and *len to point to the client's
1582 * requested protocol for this connection and returns 0. If the client didn't
1583 * request any protocol, then *data is set to NULL.
1584 *
1585 * Note that the client can request any protocol it chooses. The value returned
1586 * from this function need not be a member of the list of supported protocols
1587 * provided by the callback.
1588 */
1589void SSL_get0_next_proto_negotiated(const SSL *s, const unsigned char **data, unsigned *len)
1590 {
1591 *data = s->next_proto_negotiated;
1592 if (!*data) {
1593 *len = 0;
1594 } else {
1595 *len = s->next_proto_negotiated_len;
1596 }
1597}
1598
1599/* SSL_CTX_set_next_protos_advertised_cb sets a callback that is called when a
1600 * TLS server needs a list of supported protocols for Next Protocol
1601 * Negotiation. The returned list must be in wire format. The list is returned
1602 * by setting |out| to point to it and |outlen| to its length. This memory will
1603 * not be modified, but one should assume that the SSL* keeps a reference to
1604 * it.
1605 *
1606 * The callback should return SSL_TLSEXT_ERR_OK if it wishes to advertise. Otherwise, no
1607 * such extension will be included in the ServerHello. */
1608void SSL_CTX_set_next_protos_advertised_cb(SSL_CTX *ctx, int (*cb) (SSL *ssl, const unsigned char **out, unsigned int *outlen, void *arg), void *arg)
1609 {
1610 ctx->next_protos_advertised_cb = cb;
1611 ctx->next_protos_advertised_cb_arg = arg;
1612 }
1613
1614/* SSL_CTX_set_next_proto_select_cb sets a callback that is called when a
1615 * client needs to select a protocol from the server's provided list. |out|
1616 * must be set to point to the selected protocol (which may be within |in|).
1617 * The length of the protocol name must be written into |outlen|. The server's
1618 * advertised protocols are provided in |in| and |inlen|. The callback can
1619 * assume that |in| is syntactically valid.
1620 *
1621 * The client must select a protocol. It is fatal to the connection if this
1622 * callback returns a value other than SSL_TLSEXT_ERR_OK.
1623 */
1624void SSL_CTX_set_next_proto_select_cb(SSL_CTX *ctx, int (*cb) (SSL *s, unsigned char **out, unsigned char *outlen, const unsigned char *in, unsigned int inlen, void *arg), void *arg)
1625 {
1626 ctx->next_proto_select_cb = cb;
1627 ctx->next_proto_select_cb_arg = arg;
1628 }
1629# endif
1630#endif 1479#endif
1631 1480
1632int SSL_export_keying_material(SSL *s, unsigned char *out, size_t olen,
1633 const char *label, size_t llen, const unsigned char *p, size_t plen,
1634 int use_context)
1635 {
1636 if (s->version < TLS1_VERSION)
1637 return -1;
1638
1639 return s->method->ssl3_enc->export_keying_material(s, out, olen, label,
1640 llen, p, plen,
1641 use_context);
1642 }
1643
1644static unsigned long ssl_session_hash(const SSL_SESSION *a) 1481static unsigned long ssl_session_hash(const SSL_SESSION *a)
1645 { 1482 {
1646 unsigned long l; 1483 unsigned long l;
@@ -1684,14 +1521,6 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth)
1684 return(NULL); 1521 return(NULL);
1685 } 1522 }
1686 1523
1687#ifdef OPENSSL_FIPS
1688 if (FIPS_mode() && (meth->version < TLS1_VERSION))
1689 {
1690 SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE);
1691 return NULL;
1692 }
1693#endif
1694
1695 if (SSL_get_ex_data_X509_STORE_CTX_idx() < 0) 1524 if (SSL_get_ex_data_X509_STORE_CTX_idx() < 0)
1696 { 1525 {
1697 SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_X509_VERIFICATION_SETUP_PROBLEMS); 1526 SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_X509_VERIFICATION_SETUP_PROBLEMS);
@@ -1811,19 +1640,12 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth)
1811 ret->tlsext_status_cb = 0; 1640 ret->tlsext_status_cb = 0;
1812 ret->tlsext_status_arg = NULL; 1641 ret->tlsext_status_arg = NULL;
1813 1642
1814# ifndef OPENSSL_NO_NEXTPROTONEG
1815 ret->next_protos_advertised_cb = 0;
1816 ret->next_proto_select_cb = 0;
1817# endif
1818#endif 1643#endif
1819#ifndef OPENSSL_NO_PSK 1644#ifndef OPENSSL_NO_PSK
1820 ret->psk_identity_hint=NULL; 1645 ret->psk_identity_hint=NULL;
1821 ret->psk_client_callback=NULL; 1646 ret->psk_client_callback=NULL;
1822 ret->psk_server_callback=NULL; 1647 ret->psk_server_callback=NULL;
1823#endif 1648#endif
1824#ifndef OPENSSL_NO_SRP
1825 SSL_CTX_SRP_CTX_init(ret);
1826#endif
1827#ifndef OPENSSL_NO_BUF_FREELISTS 1649#ifndef OPENSSL_NO_BUF_FREELISTS
1828 ret->freelist_max_len = SSL_MAX_BUF_FREELIST_LEN_DEFAULT; 1650 ret->freelist_max_len = SSL_MAX_BUF_FREELIST_LEN_DEFAULT;
1829 ret->rbuf_freelist = OPENSSL_malloc(sizeof(SSL3_BUF_FREELIST)); 1651 ret->rbuf_freelist = OPENSSL_malloc(sizeof(SSL3_BUF_FREELIST));
@@ -1952,16 +1774,10 @@ void SSL_CTX_free(SSL_CTX *a)
1952 a->comp_methods = NULL; 1774 a->comp_methods = NULL;
1953#endif 1775#endif
1954 1776
1955 if (a->srtp_profiles)
1956 sk_SRTP_PROTECTION_PROFILE_free(a->srtp_profiles);
1957
1958#ifndef OPENSSL_NO_PSK 1777#ifndef OPENSSL_NO_PSK
1959 if (a->psk_identity_hint) 1778 if (a->psk_identity_hint)
1960 OPENSSL_free(a->psk_identity_hint); 1779 OPENSSL_free(a->psk_identity_hint);
1961#endif 1780#endif
1962#ifndef OPENSSL_NO_SRP
1963 SSL_CTX_SRP_CTX_free(a);
1964#endif
1965#ifndef OPENSSL_NO_ENGINE 1781#ifndef OPENSSL_NO_ENGINE
1966 if (a->client_cert_engine) 1782 if (a->client_cert_engine)
1967 ENGINE_finish(a->client_cert_engine); 1783 ENGINE_finish(a->client_cert_engine);
@@ -2215,13 +2031,12 @@ void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher)
2215 2031
2216#ifndef OPENSSL_NO_EC 2032#ifndef OPENSSL_NO_EC
2217 2033
2218int ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s) 2034int ssl_check_srvr_ecc_cert_and_alg(X509 *x, const SSL_CIPHER *cs)
2219 { 2035 {
2220 unsigned long alg_k, alg_a; 2036 unsigned long alg_k, alg_a;
2221 EVP_PKEY *pkey = NULL; 2037 EVP_PKEY *pkey = NULL;
2222 int keysize = 0; 2038 int keysize = 0;
2223 int signature_nid = 0, md_nid = 0, pk_nid = 0; 2039 int signature_nid = 0, md_nid = 0, pk_nid = 0;
2224 const SSL_CIPHER *cs = s->s3->tmp.new_cipher;
2225 2040
2226 alg_k = cs->algorithm_mkey; 2041 alg_k = cs->algorithm_mkey;
2227 alg_a = cs->algorithm_auth; 2042 alg_a = cs->algorithm_auth;
@@ -2251,7 +2066,7 @@ int ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s)
2251 SSLerr(SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG, SSL_R_ECC_CERT_NOT_FOR_KEY_AGREEMENT); 2066 SSLerr(SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG, SSL_R_ECC_CERT_NOT_FOR_KEY_AGREEMENT);
2252 return 0; 2067 return 0;
2253 } 2068 }
2254 if ((alg_k & SSL_kECDHe) && TLS1_get_version(s) < TLS1_2_VERSION) 2069 if (alg_k & SSL_kECDHe)
2255 { 2070 {
2256 /* signature alg must be ECDSA */ 2071 /* signature alg must be ECDSA */
2257 if (pk_nid != NID_X9_62_id_ecPublicKey) 2072 if (pk_nid != NID_X9_62_id_ecPublicKey)
@@ -2260,7 +2075,7 @@ int ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s)
2260 return 0; 2075 return 0;
2261 } 2076 }
2262 } 2077 }
2263 if ((alg_k & SSL_kECDHr) && TLS1_get_version(s) < TLS1_2_VERSION) 2078 if (alg_k & SSL_kECDHr)
2264 { 2079 {
2265 /* signature alg must be RSA */ 2080 /* signature alg must be RSA */
2266 2081
@@ -2350,36 +2165,34 @@ X509 *ssl_get_server_send_cert(SSL *s)
2350 return(c->pkeys[i].x509); 2165 return(c->pkeys[i].x509);
2351 } 2166 }
2352 2167
2353EVP_PKEY *ssl_get_sign_pkey(SSL *s,const SSL_CIPHER *cipher, const EVP_MD **pmd) 2168EVP_PKEY *ssl_get_sign_pkey(SSL *s,const SSL_CIPHER *cipher)
2354 { 2169 {
2355 unsigned long alg_a; 2170 unsigned long alg_a;
2356 CERT *c; 2171 CERT *c;
2357 int idx = -1;
2358 2172
2359 alg_a = cipher->algorithm_auth; 2173 alg_a = cipher->algorithm_auth;
2360 c=s->cert; 2174 c=s->cert;
2361 2175
2362 if ((alg_a & SSL_aDSS) && 2176 if ((alg_a & SSL_aDSS) &&
2363 (c->pkeys[SSL_PKEY_DSA_SIGN].privatekey != NULL)) 2177 (c->pkeys[SSL_PKEY_DSA_SIGN].privatekey != NULL))
2364 idx = SSL_PKEY_DSA_SIGN; 2178 return(c->pkeys[SSL_PKEY_DSA_SIGN].privatekey);
2365 else if (alg_a & SSL_aRSA) 2179 else if (alg_a & SSL_aRSA)
2366 { 2180 {
2367 if (c->pkeys[SSL_PKEY_RSA_SIGN].privatekey != NULL) 2181 if (c->pkeys[SSL_PKEY_RSA_SIGN].privatekey != NULL)
2368 idx = SSL_PKEY_RSA_SIGN; 2182 return(c->pkeys[SSL_PKEY_RSA_SIGN].privatekey);
2369 else if (c->pkeys[SSL_PKEY_RSA_ENC].privatekey != NULL) 2183 else if (c->pkeys[SSL_PKEY_RSA_ENC].privatekey != NULL)
2370 idx = SSL_PKEY_RSA_ENC; 2184 return(c->pkeys[SSL_PKEY_RSA_ENC].privatekey);
2185 else
2186 return(NULL);
2371 } 2187 }
2372 else if ((alg_a & SSL_aECDSA) && 2188 else if ((alg_a & SSL_aECDSA) &&
2373 (c->pkeys[SSL_PKEY_ECC].privatekey != NULL)) 2189 (c->pkeys[SSL_PKEY_ECC].privatekey != NULL))
2374 idx = SSL_PKEY_ECC; 2190 return(c->pkeys[SSL_PKEY_ECC].privatekey);
2375 if (idx == -1) 2191 else /* if (alg_a & SSL_aNULL) */
2376 { 2192 {
2377 SSLerr(SSL_F_SSL_GET_SIGN_PKEY,ERR_R_INTERNAL_ERROR); 2193 SSLerr(SSL_F_SSL_GET_SIGN_PKEY,ERR_R_INTERNAL_ERROR);
2378 return(NULL); 2194 return(NULL);
2379 } 2195 }
2380 if (pmd)
2381 *pmd = c->pkeys[idx].digest;
2382 return c->pkeys[idx].privatekey;
2383 } 2196 }
2384 2197
2385void ssl_update_cache(SSL *s,int mode) 2198void ssl_update_cache(SSL *s,int mode)
@@ -2604,10 +2417,6 @@ SSL_METHOD *ssl_bad_method(int ver)
2604 2417
2605const char *SSL_get_version(const SSL *s) 2418const char *SSL_get_version(const SSL *s)
2606 { 2419 {
2607 if (s->version == TLS1_2_VERSION)
2608 return("TLSv1.2");
2609 else if (s->version == TLS1_1_VERSION)
2610 return("TLSv1.1");
2611 if (s->version == TLS1_VERSION) 2420 if (s->version == TLS1_VERSION)
2612 return("TLSv1"); 2421 return("TLSv1");
2613 else if (s->version == SSL3_VERSION) 2422 else if (s->version == SSL3_VERSION)
@@ -2702,7 +2511,6 @@ SSL *SSL_dup(SSL *s)
2702 ret->in_handshake = s->in_handshake; 2511 ret->in_handshake = s->in_handshake;
2703 ret->handshake_func = s->handshake_func; 2512 ret->handshake_func = s->handshake_func;
2704 ret->server = s->server; 2513 ret->server = s->server;
2705 ret->renegotiate = s->renegotiate;
2706 ret->new_session = s->new_session; 2514 ret->new_session = s->new_session;
2707 ret->quiet_shutdown = s->quiet_shutdown; 2515 ret->quiet_shutdown = s->quiet_shutdown;
2708 ret->shutdown=s->shutdown; 2516 ret->shutdown=s->shutdown;
@@ -2968,11 +2776,6 @@ int SSL_state(const SSL *ssl)
2968 return(ssl->state); 2776 return(ssl->state);
2969 } 2777 }
2970 2778
2971void SSL_set_state(SSL *ssl, int state)
2972 {
2973 ssl->state = state;
2974 }
2975
2976void SSL_set_verify_result(SSL *ssl,long arg) 2779void SSL_set_verify_result(SSL *ssl,long arg)
2977 { 2780 {
2978 ssl->verify_result=arg; 2781 ssl->verify_result=arg;
@@ -3231,16 +3034,6 @@ void ssl_clear_hash_ctx(EVP_MD_CTX **hash)
3231 *hash=NULL; 3034 *hash=NULL;
3232} 3035}
3233 3036
3234void SSL_set_debug(SSL *s, int debug)
3235 {
3236 s->debug = debug;
3237 }
3238
3239int SSL_cache_hit(SSL *s)
3240 {
3241 return s->hit;
3242 }
3243
3244#if defined(_WINDLL) && defined(OPENSSL_SYS_WIN16) 3037#if defined(_WINDLL) && defined(OPENSSL_SYS_WIN16)
3245#include "../crypto/bio/bss_file.c" 3038#include "../crypto/bio/bss_file.c"
3246#endif 3039#endif
@@ -3249,3 +3042,4 @@ IMPLEMENT_STACK_OF(SSL_CIPHER)
3249IMPLEMENT_STACK_OF(SSL_COMP) 3042IMPLEMENT_STACK_OF(SSL_COMP)
3250IMPLEMENT_OBJ_BSEARCH_GLOBAL_CMP_FN(SSL_CIPHER, SSL_CIPHER, 3043IMPLEMENT_OBJ_BSEARCH_GLOBAL_CMP_FN(SSL_CIPHER, SSL_CIPHER,
3251 ssl_cipher_id); 3044 ssl_cipher_id);
3045
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-10-25 12:14:25 +0000