summaryrefslogtreecommitdiff
path: root/src/lib/libssl/ssl_lib.c
diff options
context:
space:
mode:
Diffstat (limited to 'src/lib/libssl/ssl_lib.c')
-rw-r--r--src/lib/libssl/ssl_lib.c415
1 files changed, 51 insertions, 364 deletions
diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c
index 065411aea8..0f4b7a475b 100644
--- a/src/lib/libssl/ssl_lib.c
+++ b/src/lib/libssl/ssl_lib.c
@@ -110,11 +110,7 @@
110 * Hudson (tjh@cryptsoft.com). 110 * Hudson (tjh@cryptsoft.com).
111 * 111 *
112 */ 112 */
113/* ==================================================================== 113
114 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
115 * ECC cipher suite support in OpenSSL originally developed by
116 * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
117 */
118 114
119#ifdef REF_CHECK 115#ifdef REF_CHECK
120# include <assert.h> 116# include <assert.h>
@@ -125,11 +121,7 @@
125#include <openssl/objects.h> 121#include <openssl/objects.h>
126#include <openssl/lhash.h> 122#include <openssl/lhash.h>
127#include <openssl/x509v3.h> 123#include <openssl/x509v3.h>
128#include <openssl/rand.h> 124#include <openssl/fips.h>
129#include <openssl/ocsp.h>
130#ifndef OPENSSL_NO_DH
131#include <openssl/dh.h>
132#endif
133 125
134const char *SSL_version_str=OPENSSL_VERSION_TEXT; 126const char *SSL_version_str=OPENSSL_VERSION_TEXT;
135 127
@@ -140,14 +132,7 @@ SSL3_ENC_METHOD ssl3_undef_enc_method={
140 ssl_undefined_function, 132 ssl_undefined_function,
141 (int (*)(SSL *, unsigned char *, unsigned char *, int))ssl_undefined_function, 133 (int (*)(SSL *, unsigned char *, unsigned char *, int))ssl_undefined_function,
142 (int (*)(SSL*, int))ssl_undefined_function, 134 (int (*)(SSL*, int))ssl_undefined_function,
143 (int (*)(SSL *, EVP_MD_CTX *, EVP_MD_CTX *, const char*, int, unsigned char *))ssl_undefined_function, 135 (int (*)(SSL *, EVP_MD_CTX *, EVP_MD_CTX *, const char*, int, unsigned char *))ssl_undefined_function
144 0, /* finish_mac_length */
145 (int (*)(SSL *, EVP_MD_CTX *, unsigned char *))ssl_undefined_function,
146 NULL, /* client_finished_label */
147 0, /* client_finished_label_len */
148 NULL, /* server_finished_label */
149 0, /* server_finished_label_len */
150 (int (*)(int))ssl_undefined_function
151 }; 136 };
152 137
153int SSL_clear(SSL *s) 138int SSL_clear(SSL *s)
@@ -287,40 +272,19 @@ SSL *SSL_new(SSL_CTX *ctx)
287 s->msg_callback=ctx->msg_callback; 272 s->msg_callback=ctx->msg_callback;
288 s->msg_callback_arg=ctx->msg_callback_arg; 273 s->msg_callback_arg=ctx->msg_callback_arg;
289 s->verify_mode=ctx->verify_mode; 274 s->verify_mode=ctx->verify_mode;
290#if 0
291 s->verify_depth=ctx->verify_depth; 275 s->verify_depth=ctx->verify_depth;
292#endif
293 s->sid_ctx_length=ctx->sid_ctx_length; 276 s->sid_ctx_length=ctx->sid_ctx_length;
294 OPENSSL_assert(s->sid_ctx_length <= sizeof s->sid_ctx); 277 OPENSSL_assert(s->sid_ctx_length <= sizeof s->sid_ctx);
295 memcpy(&s->sid_ctx,&ctx->sid_ctx,sizeof(s->sid_ctx)); 278 memcpy(&s->sid_ctx,&ctx->sid_ctx,sizeof(s->sid_ctx));
296 s->verify_callback=ctx->default_verify_callback; 279 s->verify_callback=ctx->default_verify_callback;
297 s->generate_session_id=ctx->generate_session_id; 280 s->generate_session_id=ctx->generate_session_id;
298
299 s->param = X509_VERIFY_PARAM_new();
300 if (!s->param)
301 goto err;
302 X509_VERIFY_PARAM_inherit(s->param, ctx->param);
303#if 0
304 s->purpose = ctx->purpose; 281 s->purpose = ctx->purpose;
305 s->trust = ctx->trust; 282 s->trust = ctx->trust;
306#endif
307 s->quiet_shutdown=ctx->quiet_shutdown; 283 s->quiet_shutdown=ctx->quiet_shutdown;
308 284
309 CRYPTO_add(&ctx->references,1,CRYPTO_LOCK_SSL_CTX); 285 CRYPTO_add(&ctx->references,1,CRYPTO_LOCK_SSL_CTX);
310 s->ctx=ctx; 286 s->ctx=ctx;
311#ifndef OPENSSL_NO_TLSEXT 287
312 s->tlsext_debug_cb = 0;
313 s->tlsext_debug_arg = NULL;
314 s->tlsext_ticket_expected = 0;
315 s->tlsext_status_type = -1;
316 s->tlsext_status_expected = 0;
317 s->tlsext_ocsp_ids = NULL;
318 s->tlsext_ocsp_exts = NULL;
319 s->tlsext_ocsp_resp = NULL;
320 s->tlsext_ocsp_resplen = -1;
321 CRYPTO_add(&ctx->references,1,CRYPTO_LOCK_SSL_CTX);
322 s->initial_ctx=ctx;
323#endif
324 s->verify_result=X509_V_OK; 288 s->verify_result=X509_V_OK;
325 289
326 s->method=ctx->method; 290 s->method=ctx->method;
@@ -429,22 +393,22 @@ int SSL_has_matching_session_id(const SSL *ssl, const unsigned char *id,
429 393
430int SSL_CTX_set_purpose(SSL_CTX *s, int purpose) 394int SSL_CTX_set_purpose(SSL_CTX *s, int purpose)
431 { 395 {
432 return X509_VERIFY_PARAM_set_purpose(s->param, purpose); 396 return X509_PURPOSE_set(&s->purpose, purpose);
433 } 397 }
434 398
435int SSL_set_purpose(SSL *s, int purpose) 399int SSL_set_purpose(SSL *s, int purpose)
436 { 400 {
437 return X509_VERIFY_PARAM_set_purpose(s->param, purpose); 401 return X509_PURPOSE_set(&s->purpose, purpose);
438 } 402 }
439 403
440int SSL_CTX_set_trust(SSL_CTX *s, int trust) 404int SSL_CTX_set_trust(SSL_CTX *s, int trust)
441 { 405 {
442 return X509_VERIFY_PARAM_set_trust(s->param, trust); 406 return X509_TRUST_set(&s->trust, trust);
443 } 407 }
444 408
445int SSL_set_trust(SSL *s, int trust) 409int SSL_set_trust(SSL *s, int trust)
446 { 410 {
447 return X509_VERIFY_PARAM_set_trust(s->param, trust); 411 return X509_TRUST_set(&s->trust, trust);
448 } 412 }
449 413
450void SSL_free(SSL *s) 414void SSL_free(SSL *s)
@@ -467,9 +431,6 @@ void SSL_free(SSL *s)
467 } 431 }
468#endif 432#endif
469 433
470 if (s->param)
471 X509_VERIFY_PARAM_free(s->param);
472
473 CRYPTO_free_ex_data(CRYPTO_EX_INDEX_SSL, s, &s->ex_data); 434 CRYPTO_free_ex_data(CRYPTO_EX_INDEX_SSL, s, &s->ex_data);
474 435
475 if (s->bbio != NULL) 436 if (s->bbio != NULL)
@@ -506,16 +467,7 @@ void SSL_free(SSL *s)
506 /* Free up if allocated */ 467 /* Free up if allocated */
507 468
508 if (s->ctx) SSL_CTX_free(s->ctx); 469 if (s->ctx) SSL_CTX_free(s->ctx);
509#ifndef OPENSSL_NO_TLSEXT 470
510 if (s->initial_ctx) SSL_CTX_free(s->initial_ctx);
511 if (s->tlsext_ocsp_exts)
512 sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts,
513 X509_EXTENSION_free);
514 if (s->tlsext_ocsp_ids)
515 sk_OCSP_RESPID_pop_free(s->tlsext_ocsp_ids, OCSP_RESPID_free);
516 if (s->tlsext_ocsp_resp)
517 OPENSSL_free(s->tlsext_ocsp_resp);
518#endif
519 if (s->client_CA != NULL) 471 if (s->client_CA != NULL)
520 sk_X509_NAME_pop_free(s->client_CA,X509_NAME_free); 472 sk_X509_NAME_pop_free(s->client_CA,X509_NAME_free);
521 473
@@ -691,7 +643,7 @@ int SSL_get_verify_mode(const SSL *s)
691 643
692int SSL_get_verify_depth(const SSL *s) 644int SSL_get_verify_depth(const SSL *s)
693 { 645 {
694 return X509_VERIFY_PARAM_get_depth(s->param); 646 return(s->verify_depth);
695 } 647 }
696 648
697int (*SSL_get_verify_callback(const SSL *s))(int,X509_STORE_CTX *) 649int (*SSL_get_verify_callback(const SSL *s))(int,X509_STORE_CTX *)
@@ -706,7 +658,7 @@ int SSL_CTX_get_verify_mode(const SSL_CTX *ctx)
706 658
707int SSL_CTX_get_verify_depth(const SSL_CTX *ctx) 659int SSL_CTX_get_verify_depth(const SSL_CTX *ctx)
708 { 660 {
709 return X509_VERIFY_PARAM_get_depth(ctx->param); 661 return(ctx->verify_depth);
710 } 662 }
711 663
712int (*SSL_CTX_get_verify_callback(const SSL_CTX *ctx))(int,X509_STORE_CTX *) 664int (*SSL_CTX_get_verify_callback(const SSL_CTX *ctx))(int,X509_STORE_CTX *)
@@ -724,7 +676,7 @@ void SSL_set_verify(SSL *s,int mode,
724 676
725void SSL_set_verify_depth(SSL *s,int depth) 677void SSL_set_verify_depth(SSL *s,int depth)
726 { 678 {
727 X509_VERIFY_PARAM_set_depth(s->param, depth); 679 s->verify_depth=depth;
728 } 680 }
729 681
730void SSL_set_read_ahead(SSL *s,int yes) 682void SSL_set_read_ahead(SSL *s,int yes)
@@ -898,7 +850,7 @@ int SSL_peek(SSL *s,void *buf,int num)
898 { 850 {
899 if (s->handshake_func == 0) 851 if (s->handshake_func == 0)
900 { 852 {
901 SSLerr(SSL_F_SSL_PEEK, SSL_R_UNINITIALIZED); 853 SSLerr(SSL_F_SSL_READ, SSL_R_UNINITIALIZED);
902 return -1; 854 return -1;
903 } 855 }
904 856
@@ -989,19 +941,12 @@ long SSL_ctrl(SSL *s,int cmd,long larg,void *parg)
989 l=s->max_cert_list; 941 l=s->max_cert_list;
990 s->max_cert_list=larg; 942 s->max_cert_list=larg;
991 return(l); 943 return(l);
992 case SSL_CTRL_SET_MTU:
993 if (SSL_version(s) == DTLS1_VERSION)
994 {
995 s->d1->mtu = larg;
996 return larg;
997 }
998 return 0;
999 default: 944 default:
1000 return(s->method->ssl_ctrl(s,cmd,larg,parg)); 945 return(s->method->ssl_ctrl(s,cmd,larg,parg));
1001 } 946 }
1002 } 947 }
1003 948
1004long SSL_callback_ctrl(SSL *s, int cmd, void (*fp)(void)) 949long SSL_callback_ctrl(SSL *s, int cmd, void (*fp)())
1005 { 950 {
1006 switch(cmd) 951 switch(cmd)
1007 { 952 {
@@ -1089,7 +1034,7 @@ long SSL_CTX_ctrl(SSL_CTX *ctx,int cmd,long larg,void *parg)
1089 } 1034 }
1090 } 1035 }
1091 1036
1092long SSL_CTX_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)(void)) 1037long SSL_CTX_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)())
1093 { 1038 {
1094 switch(cmd) 1039 switch(cmd)
1095 { 1040 {
@@ -1223,36 +1168,33 @@ int SSL_set_cipher_list(SSL *s,const char *str)
1223/* works well for SSLv2, not so good for SSLv3 */ 1168/* works well for SSLv2, not so good for SSLv3 */
1224char *SSL_get_shared_ciphers(const SSL *s,char *buf,int len) 1169char *SSL_get_shared_ciphers(const SSL *s,char *buf,int len)
1225 { 1170 {
1226 char *p; 1171 char *end;
1227 STACK_OF(SSL_CIPHER) *sk; 1172 STACK_OF(SSL_CIPHER) *sk;
1228 SSL_CIPHER *c; 1173 SSL_CIPHER *c;
1174 size_t curlen = 0;
1229 int i; 1175 int i;
1230 1176
1231 if ((s->session == NULL) || (s->session->ciphers == NULL) || 1177 if ((s->session == NULL) || (s->session->ciphers == NULL) ||
1232 (len < 2)) 1178 (len < 2))
1233 return(NULL); 1179 return(NULL);
1234 1180
1235 p=buf;
1236 sk=s->session->ciphers; 1181 sk=s->session->ciphers;
1182 buf[0] = '\0';
1237 for (i=0; i<sk_SSL_CIPHER_num(sk); i++) 1183 for (i=0; i<sk_SSL_CIPHER_num(sk); i++)
1238 { 1184 {
1239 int n;
1240
1241 c=sk_SSL_CIPHER_value(sk,i); 1185 c=sk_SSL_CIPHER_value(sk,i);
1242 n=strlen(c->name); 1186 end = buf + curlen;
1243 if (n+1 > len) 1187 if (strlcat(buf, c->name, len) >= len ||
1188 (curlen = strlcat(buf, ":", len)) >= len)
1244 { 1189 {
1245 if (p != buf) 1190 /* remove truncated cipher from list */
1246 --p; 1191 *end = '\0';
1247 *p='\0'; 1192 break;
1248 return buf;
1249 } 1193 }
1250 strcpy(p,c->name);
1251 p+=n;
1252 *(p++)=':';
1253 len-=n+1;
1254 } 1194 }
1255 p[-1]='\0'; 1195 /* remove trailing colon */
1196 if ((end = strrchr(buf, ':')) != NULL)
1197 *end = '\0';
1256 return(buf); 1198 return(buf);
1257 } 1199 }
1258 1200
@@ -1327,29 +1269,6 @@ err:
1327 return(NULL); 1269 return(NULL);
1328 } 1270 }
1329 1271
1330#ifndef OPENSSL_NO_TLSEXT
1331/** return a servername extension value if provided in Client Hello, or NULL.
1332 * So far, only host_name types are defined (RFC 3546).
1333 */
1334
1335const char *SSL_get_servername(const SSL *s, const int type)
1336 {
1337 if (type != TLSEXT_NAMETYPE_host_name)
1338 return NULL;
1339
1340 return s->session && !s->tlsext_hostname ?
1341 s->session->tlsext_hostname :
1342 s->tlsext_hostname;
1343 }
1344
1345int SSL_get_servername_type(const SSL *s)
1346 {
1347 if (s->session && (!s->tlsext_hostname ? s->session->tlsext_hostname : s->tlsext_hostname))
1348 return TLSEXT_NAMETYPE_host_name;
1349 return -1;
1350 }
1351#endif
1352
1353unsigned long SSL_SESSION_hash(const SSL_SESSION *a) 1272unsigned long SSL_SESSION_hash(const SSL_SESSION *a)
1354 { 1273 {
1355 unsigned long l; 1274 unsigned long l;
@@ -1393,6 +1312,14 @@ SSL_CTX *SSL_CTX_new(SSL_METHOD *meth)
1393 return(NULL); 1312 return(NULL);
1394 } 1313 }
1395 1314
1315#ifdef OPENSSL_FIPS
1316 if (FIPS_mode() && (meth->version < TLS1_VERSION))
1317 {
1318 SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE);
1319 return NULL;
1320 }
1321#endif
1322
1396 if (SSL_get_ex_data_X509_STORE_CTX_idx() < 0) 1323 if (SSL_get_ex_data_X509_STORE_CTX_idx() < 0)
1397 { 1324 {
1398 SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_X509_VERIFICATION_SETUP_PROBLEMS); 1325 SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_X509_VERIFICATION_SETUP_PROBLEMS);
@@ -1441,9 +1368,7 @@ SSL_CTX *SSL_CTX_new(SSL_METHOD *meth)
1441 ret->msg_callback=0; 1368 ret->msg_callback=0;
1442 ret->msg_callback_arg=NULL; 1369 ret->msg_callback_arg=NULL;
1443 ret->verify_mode=SSL_VERIFY_NONE; 1370 ret->verify_mode=SSL_VERIFY_NONE;
1444#if 0
1445 ret->verify_depth=-1; /* Don't impose a limit (but x509_lu.c does) */ 1371 ret->verify_depth=-1; /* Don't impose a limit (but x509_lu.c does) */
1446#endif
1447 ret->sid_ctx_length=0; 1372 ret->sid_ctx_length=0;
1448 ret->default_verify_callback=NULL; 1373 ret->default_verify_callback=NULL;
1449 if ((ret->cert=ssl_cert_new()) == NULL) 1374 if ((ret->cert=ssl_cert_new()) == NULL)
@@ -1452,8 +1377,6 @@ SSL_CTX *SSL_CTX_new(SSL_METHOD *meth)
1452 ret->default_passwd_callback=0; 1377 ret->default_passwd_callback=0;
1453 ret->default_passwd_callback_userdata=NULL; 1378 ret->default_passwd_callback_userdata=NULL;
1454 ret->client_cert_cb=0; 1379 ret->client_cert_cb=0;
1455 ret->app_gen_cookie_cb=0;
1456 ret->app_verify_cookie_cb=0;
1457 1380
1458 ret->sessions=lh_new(LHASH_HASH_FN(SSL_SESSION_hash), 1381 ret->sessions=lh_new(LHASH_HASH_FN(SSL_SESSION_hash),
1459 LHASH_COMP_FN(SSL_SESSION_cmp)); 1382 LHASH_COMP_FN(SSL_SESSION_cmp));
@@ -1471,10 +1394,6 @@ SSL_CTX *SSL_CTX_new(SSL_METHOD *meth)
1471 goto err2; 1394 goto err2;
1472 } 1395 }
1473 1396
1474 ret->param = X509_VERIFY_PARAM_new();
1475 if (!ret->param)
1476 goto err;
1477
1478 if ((ret->rsa_md5=EVP_get_digestbyname("ssl2-md5")) == NULL) 1397 if ((ret->rsa_md5=EVP_get_digestbyname("ssl2-md5")) == NULL)
1479 { 1398 {
1480 SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_UNABLE_TO_LOAD_SSL2_MD5_ROUTINES); 1399 SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_UNABLE_TO_LOAD_SSL2_MD5_ROUTINES);
@@ -1499,20 +1418,6 @@ SSL_CTX *SSL_CTX_new(SSL_METHOD *meth)
1499 ret->extra_certs=NULL; 1418 ret->extra_certs=NULL;
1500 ret->comp_methods=SSL_COMP_get_compression_methods(); 1419 ret->comp_methods=SSL_COMP_get_compression_methods();
1501 1420
1502#ifndef OPENSSL_NO_TLSEXT
1503 ret->tlsext_servername_callback = 0;
1504 ret->tlsext_servername_arg = NULL;
1505 /* Setup RFC4507 ticket keys */
1506 if ((RAND_pseudo_bytes(ret->tlsext_tick_key_name, 16) <= 0)
1507 || (RAND_bytes(ret->tlsext_tick_hmac_key, 16) <= 0)
1508 || (RAND_bytes(ret->tlsext_tick_aes_key, 16) <= 0))
1509 ret->options |= SSL_OP_NO_TICKET;
1510
1511 ret->tlsext_status_cb = 0;
1512 ret->tlsext_status_arg = NULL;
1513
1514#endif
1515
1516 return(ret); 1421 return(ret);
1517err: 1422err:
1518 SSLerr(SSL_F_SSL_CTX_NEW,ERR_R_MALLOC_FAILURE); 1423 SSLerr(SSL_F_SSL_CTX_NEW,ERR_R_MALLOC_FAILURE);
@@ -1545,9 +1450,6 @@ void SSL_CTX_free(SSL_CTX *a)
1545 } 1450 }
1546#endif 1451#endif
1547 1452
1548 if (a->param)
1549 X509_VERIFY_PARAM_free(a->param);
1550
1551 /* 1453 /*
1552 * Free internal session cache. However: the remove_cb() may reference 1454 * Free internal session cache. However: the remove_cb() may reference
1553 * the ex_data of SSL_CTX, thus the ex_data store can only be removed 1455 * the ex_data of SSL_CTX, thus the ex_data store can only be removed
@@ -1610,7 +1512,7 @@ void SSL_CTX_set_verify(SSL_CTX *ctx,int mode,int (*cb)(int, X509_STORE_CTX *))
1610 1512
1611void SSL_CTX_set_verify_depth(SSL_CTX *ctx,int depth) 1513void SSL_CTX_set_verify_depth(SSL_CTX *ctx,int depth)
1612 { 1514 {
1613 X509_VERIFY_PARAM_set_depth(ctx->param, depth); 1515 ctx->verify_depth=depth;
1614 } 1516 }
1615 1517
1616void ssl_set_cert_masks(CERT *c, SSL_CIPHER *cipher) 1518void ssl_set_cert_masks(CERT *c, SSL_CIPHER *cipher)
@@ -1620,13 +1522,6 @@ void ssl_set_cert_masks(CERT *c, SSL_CIPHER *cipher)
1620 int rsa_enc_export,dh_rsa_export,dh_dsa_export; 1522 int rsa_enc_export,dh_rsa_export,dh_dsa_export;
1621 int rsa_tmp_export,dh_tmp_export,kl; 1523 int rsa_tmp_export,dh_tmp_export,kl;
1622 unsigned long mask,emask; 1524 unsigned long mask,emask;
1623 int have_ecc_cert, ecdh_ok, ecdsa_ok, ecc_pkey_size;
1624#ifndef OPENSSL_NO_ECDH
1625 int have_ecdh_tmp;
1626#endif
1627 X509 *x = NULL;
1628 EVP_PKEY *ecc_pkey = NULL;
1629 int signature_nid = 0;
1630 1525
1631 if (c == NULL) return; 1526 if (c == NULL) return;
1632 1527
@@ -1647,9 +1542,6 @@ void ssl_set_cert_masks(CERT *c, SSL_CIPHER *cipher)
1647 dh_tmp=dh_tmp_export=0; 1542 dh_tmp=dh_tmp_export=0;
1648#endif 1543#endif
1649 1544
1650#ifndef OPENSSL_NO_ECDH
1651 have_ecdh_tmp=(c->ecdh_tmp != NULL || c->ecdh_tmp_cb != NULL);
1652#endif
1653 cpk= &(c->pkeys[SSL_PKEY_RSA_ENC]); 1545 cpk= &(c->pkeys[SSL_PKEY_RSA_ENC]);
1654 rsa_enc= (cpk->x509 != NULL && cpk->privatekey != NULL); 1546 rsa_enc= (cpk->x509 != NULL && cpk->privatekey != NULL);
1655 rsa_enc_export=(rsa_enc && EVP_PKEY_size(cpk->privatekey)*8 <= kl); 1547 rsa_enc_export=(rsa_enc && EVP_PKEY_size(cpk->privatekey)*8 <= kl);
@@ -1664,8 +1556,7 @@ void ssl_set_cert_masks(CERT *c, SSL_CIPHER *cipher)
1664/* FIX THIS EAY EAY EAY */ 1556/* FIX THIS EAY EAY EAY */
1665 dh_dsa= (cpk->x509 != NULL && cpk->privatekey != NULL); 1557 dh_dsa= (cpk->x509 != NULL && cpk->privatekey != NULL);
1666 dh_dsa_export=(dh_dsa && EVP_PKEY_size(cpk->privatekey)*8 <= kl); 1558 dh_dsa_export=(dh_dsa && EVP_PKEY_size(cpk->privatekey)*8 <= kl);
1667 cpk= &(c->pkeys[SSL_PKEY_ECC]); 1559
1668 have_ecc_cert= (cpk->x509 != NULL && cpk->privatekey != NULL);
1669 mask=0; 1560 mask=0;
1670 emask=0; 1561 emask=0;
1671 1562
@@ -1722,127 +1613,11 @@ void ssl_set_cert_masks(CERT *c, SSL_CIPHER *cipher)
1722 emask|=SSL_kKRB5|SSL_aKRB5; 1613 emask|=SSL_kKRB5|SSL_aKRB5;
1723#endif 1614#endif
1724 1615
1725 /* An ECC certificate may be usable for ECDH and/or
1726 * ECDSA cipher suites depending on the key usage extension.
1727 */
1728 if (have_ecc_cert)
1729 {
1730 /* This call populates extension flags (ex_flags) */
1731 x = (c->pkeys[SSL_PKEY_ECC]).x509;
1732 X509_check_purpose(x, -1, 0);
1733 ecdh_ok = (x->ex_flags & EXFLAG_KUSAGE) ?
1734 (x->ex_kusage & X509v3_KU_KEY_AGREEMENT) : 1;
1735 ecdsa_ok = (x->ex_flags & EXFLAG_KUSAGE) ?
1736 (x->ex_kusage & X509v3_KU_DIGITAL_SIGNATURE) : 1;
1737 ecc_pkey = X509_get_pubkey(x);
1738 ecc_pkey_size = (ecc_pkey != NULL) ?
1739 EVP_PKEY_bits(ecc_pkey) : 0;
1740 EVP_PKEY_free(ecc_pkey);
1741 if ((x->sig_alg) && (x->sig_alg->algorithm))
1742 signature_nid = OBJ_obj2nid(x->sig_alg->algorithm);
1743#ifndef OPENSSL_NO_ECDH
1744 if (ecdh_ok)
1745 {
1746 if ((signature_nid == NID_md5WithRSAEncryption) ||
1747 (signature_nid == NID_md4WithRSAEncryption) ||
1748 (signature_nid == NID_md2WithRSAEncryption))
1749 {
1750 mask|=SSL_kECDH|SSL_aRSA;
1751 if (ecc_pkey_size <= 163)
1752 emask|=SSL_kECDH|SSL_aRSA;
1753 }
1754 if (signature_nid == NID_ecdsa_with_SHA1)
1755 {
1756 mask|=SSL_kECDH|SSL_aECDSA;
1757 if (ecc_pkey_size <= 163)
1758 emask|=SSL_kECDH|SSL_aECDSA;
1759 }
1760 }
1761#endif
1762#ifndef OPENSSL_NO_ECDSA
1763 if (ecdsa_ok)
1764 {
1765 mask|=SSL_aECDSA;
1766 emask|=SSL_aECDSA;
1767 }
1768#endif
1769 }
1770
1771#ifndef OPENSSL_NO_ECDH
1772 if (have_ecdh_tmp)
1773 {
1774 mask|=SSL_kECDHE;
1775 emask|=SSL_kECDHE;
1776 }
1777#endif
1778 c->mask=mask; 1616 c->mask=mask;
1779 c->export_mask=emask; 1617 c->export_mask=emask;
1780 c->valid=1; 1618 c->valid=1;
1781 } 1619 }
1782 1620
1783/* This handy macro borrowed from crypto/x509v3/v3_purp.c */
1784#define ku_reject(x, usage) \
1785 (((x)->ex_flags & EXFLAG_KUSAGE) && !((x)->ex_kusage & (usage)))
1786
1787int check_srvr_ecc_cert_and_alg(X509 *x, SSL_CIPHER *cs)
1788 {
1789 unsigned long alg = cs->algorithms;
1790 EVP_PKEY *pkey = NULL;
1791 int keysize = 0;
1792 int signature_nid = 0;
1793
1794 if (SSL_C_IS_EXPORT(cs))
1795 {
1796 /* ECDH key length in export ciphers must be <= 163 bits */
1797 pkey = X509_get_pubkey(x);
1798 if (pkey == NULL) return 0;
1799 keysize = EVP_PKEY_bits(pkey);
1800 EVP_PKEY_free(pkey);
1801 if (keysize > 163) return 0;
1802 }
1803
1804 /* This call populates the ex_flags field correctly */
1805 X509_check_purpose(x, -1, 0);
1806 if ((x->sig_alg) && (x->sig_alg->algorithm))
1807 signature_nid = OBJ_obj2nid(x->sig_alg->algorithm);
1808 if (alg & SSL_kECDH)
1809 {
1810 /* key usage, if present, must allow key agreement */
1811 if (ku_reject(x, X509v3_KU_KEY_AGREEMENT))
1812 {
1813 return 0;
1814 }
1815 if (alg & SSL_aECDSA)
1816 {
1817 /* signature alg must be ECDSA */
1818 if (signature_nid != NID_ecdsa_with_SHA1)
1819 {
1820 return 0;
1821 }
1822 }
1823 if (alg & SSL_aRSA)
1824 {
1825 /* signature alg must be RSA */
1826 if ((signature_nid != NID_md5WithRSAEncryption) &&
1827 (signature_nid != NID_md4WithRSAEncryption) &&
1828 (signature_nid != NID_md2WithRSAEncryption))
1829 {
1830 return 0;
1831 }
1832 }
1833 }
1834 else if (alg & SSL_aECDSA)
1835 {
1836 /* key usage, if present, must allow signing */
1837 if (ku_reject(x, X509v3_KU_DIGITAL_SIGNATURE))
1838 {
1839 return 0;
1840 }
1841 }
1842
1843 return 1; /* all checks are ok */
1844 }
1845
1846/* THIS NEEDS CLEANING UP */ 1621/* THIS NEEDS CLEANING UP */
1847X509 *ssl_get_server_send_cert(SSL *s) 1622X509 *ssl_get_server_send_cert(SSL *s)
1848 { 1623 {
@@ -1857,26 +1632,7 @@ X509 *ssl_get_server_send_cert(SSL *s)
1857 mask=is_export?c->export_mask:c->mask; 1632 mask=is_export?c->export_mask:c->mask;
1858 kalg=alg&(SSL_MKEY_MASK|SSL_AUTH_MASK); 1633 kalg=alg&(SSL_MKEY_MASK|SSL_AUTH_MASK);
1859 1634
1860 if (kalg & SSL_kECDH) 1635 if (kalg & SSL_kDHr)
1861 {
1862 /* we don't need to look at SSL_kECDHE
1863 * since no certificate is needed for
1864 * anon ECDH and for authenticated
1865 * ECDHE, the check for the auth
1866 * algorithm will set i correctly
1867 * NOTE: For ECDH-RSA, we need an ECC
1868 * not an RSA cert but for ECDHE-RSA
1869 * we need an RSA cert. Placing the
1870 * checks for SSL_kECDH before RSA
1871 * checks ensures the correct cert is chosen.
1872 */
1873 i=SSL_PKEY_ECC;
1874 }
1875 else if (kalg & SSL_aECDSA)
1876 {
1877 i=SSL_PKEY_ECC;
1878 }
1879 else if (kalg & SSL_kDHr)
1880 i=SSL_PKEY_DH_RSA; 1636 i=SSL_PKEY_DH_RSA;
1881 else if (kalg & SSL_kDHd) 1637 else if (kalg & SSL_kDHd)
1882 i=SSL_PKEY_DH_DSA; 1638 i=SSL_PKEY_DH_DSA;
@@ -1900,7 +1656,6 @@ X509 *ssl_get_server_send_cert(SSL *s)
1900 return(NULL); 1656 return(NULL);
1901 } 1657 }
1902 if (c->pkeys[i].x509 == NULL) return(NULL); 1658 if (c->pkeys[i].x509 == NULL) return(NULL);
1903
1904 return(c->pkeys[i].x509); 1659 return(c->pkeys[i].x509);
1905 } 1660 }
1906 1661
@@ -1924,9 +1679,6 @@ EVP_PKEY *ssl_get_sign_pkey(SSL *s,SSL_CIPHER *cipher)
1924 else 1679 else
1925 return(NULL); 1680 return(NULL);
1926 } 1681 }
1927 else if ((alg & SSL_aECDSA) &&
1928 (c->pkeys[SSL_PKEY_ECC].privatekey != NULL))
1929 return(c->pkeys[SSL_PKEY_ECC].privatekey);
1930 else /* if (alg & SSL_aNULL) */ 1682 else /* if (alg & SSL_aNULL) */
1931 { 1683 {
1932 SSLerr(SSL_F_SSL_GET_SIGN_PKEY,ERR_R_INTERNAL_ERROR); 1684 SSLerr(SSL_F_SSL_GET_SIGN_PKEY,ERR_R_INTERNAL_ERROR);
@@ -2132,12 +1884,6 @@ int ssl_undefined_function(SSL *s)
2132 return(0); 1884 return(0);
2133 } 1885 }
2134 1886
2135int ssl_undefined_void_function(void)
2136 {
2137 SSLerr(SSL_F_SSL_UNDEFINED_VOID_FUNCTION,ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
2138 return(0);
2139 }
2140
2141int ssl_undefined_const_function(const SSL *s) 1887int ssl_undefined_const_function(const SSL *s)
2142 { 1888 {
2143 SSLerr(SSL_F_SSL_UNDEFINED_CONST_FUNCTION,ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 1889 SSLerr(SSL_F_SSL_UNDEFINED_CONST_FUNCTION,ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
@@ -2253,8 +1999,8 @@ SSL *SSL_dup(SSL *s)
2253 ret->rstate=s->rstate; 1999 ret->rstate=s->rstate;
2254 ret->init_num = 0; /* would have to copy ret->init_buf, ret->init_msg, ret->init_num, ret->init_off */ 2000 ret->init_num = 0; /* would have to copy ret->init_buf, ret->init_msg, ret->init_num, ret->init_off */
2255 ret->hit=s->hit; 2001 ret->hit=s->hit;
2256 2002 ret->purpose=s->purpose;
2257 X509_VERIFY_PARAM_inherit(ret->param, s->param); 2003 ret->trust=s->trust;
2258 2004
2259 /* dup the cipher_list and cipher_list_by_id stacks */ 2005 /* dup the cipher_list and cipher_list_by_id stacks */
2260 if (s->cipher_list != NULL) 2006 if (s->cipher_list != NULL)
@@ -2306,7 +2052,6 @@ void ssl_clear_cipher_ctx(SSL *s)
2306 OPENSSL_free(s->enc_write_ctx); 2052 OPENSSL_free(s->enc_write_ctx);
2307 s->enc_write_ctx=NULL; 2053 s->enc_write_ctx=NULL;
2308 } 2054 }
2309#ifndef OPENSSL_NO_COMP
2310 if (s->expand != NULL) 2055 if (s->expand != NULL)
2311 { 2056 {
2312 COMP_CTX_free(s->expand); 2057 COMP_CTX_free(s->expand);
@@ -2317,7 +2062,6 @@ void ssl_clear_cipher_ctx(SSL *s)
2317 COMP_CTX_free(s->compress); 2062 COMP_CTX_free(s->compress);
2318 s->compress=NULL; 2063 s->compress=NULL;
2319 } 2064 }
2320#endif
2321 } 2065 }
2322 2066
2323/* Fix this function so that it takes an optional type parameter */ 2067/* Fix this function so that it takes an optional type parameter */
@@ -2344,31 +2088,6 @@ SSL_CIPHER *SSL_get_current_cipher(const SSL *s)
2344 return(s->session->cipher); 2088 return(s->session->cipher);
2345 return(NULL); 2089 return(NULL);
2346 } 2090 }
2347#ifdef OPENSSL_NO_COMP
2348const void *SSL_get_current_compression(SSL *s)
2349 {
2350 return NULL;
2351 }
2352const void *SSL_get_current_expansion(SSL *s)
2353 {
2354 return NULL;
2355 }
2356#else
2357
2358const COMP_METHOD *SSL_get_current_compression(SSL *s)
2359 {
2360 if (s->compress != NULL)
2361 return(s->compress->meth);
2362 return(NULL);
2363 }
2364
2365const COMP_METHOD *SSL_get_current_expansion(SSL *s)
2366 {
2367 if (s->expand != NULL)
2368 return(s->expand->meth);
2369 return(NULL);
2370 }
2371#endif
2372 2091
2373int ssl_init_wbio_buffer(SSL *s,int push) 2092int ssl_init_wbio_buffer(SSL *s,int push)
2374 { 2093 {
@@ -2462,24 +2181,6 @@ SSL_CTX *SSL_get_SSL_CTX(const SSL *ssl)
2462 return(ssl->ctx); 2181 return(ssl->ctx);
2463 } 2182 }
2464 2183
2465SSL_CTX *SSL_set_SSL_CTX(SSL *ssl, SSL_CTX* ctx)
2466 {
2467 if (ssl->ctx == ctx)
2468 return ssl->ctx;
2469#ifndef OPENSSL_NO_TLSEXT
2470 if (ctx == NULL)
2471 ctx = ssl->initial_ctx;
2472#endif
2473 if (ssl->cert != NULL)
2474 ssl_cert_free(ssl->cert);
2475 ssl->cert = ssl_cert_dup(ctx->cert);
2476 CRYPTO_add(&ctx->references,1,CRYPTO_LOCK_SSL_CTX);
2477 if (ssl->ctx != NULL)
2478 SSL_CTX_free(ssl->ctx); /* decrement reference count */
2479 ssl->ctx = ctx;
2480 return(ssl->ctx);
2481 }
2482
2483#ifndef OPENSSL_NO_STDIO 2184#ifndef OPENSSL_NO_STDIO
2484int SSL_CTX_set_default_verify_paths(SSL_CTX *ctx) 2185int SSL_CTX_set_default_verify_paths(SSL_CTX *ctx)
2485 { 2186 {
@@ -2489,19 +2190,19 @@ int SSL_CTX_set_default_verify_paths(SSL_CTX *ctx)
2489int SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile, 2190int SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile,
2490 const char *CApath) 2191 const char *CApath)
2491 { 2192 {
2492 return(X509_STORE_load_locations(ctx->cert_store,CAfile,CApath)); 2193 int r;
2194 r=X509_STORE_load_locations(ctx->cert_store,CAfile,CApath);
2195 return r;
2493 } 2196 }
2494#endif 2197#endif
2495 2198
2496void SSL_set_info_callback(SSL *ssl, 2199void SSL_set_info_callback(SSL *ssl,
2497 void (*cb)(const SSL *ssl,int type,int val)) 2200 void (*cb)(const SSL *ssl,int type,int val))
2498 { 2201 {
2499 ssl->info_callback=cb; 2202 ssl->info_callback=cb;
2500 } 2203 }
2501 2204
2502/* One compiler (Diab DCC) doesn't like argument names in returned 2205void (*SSL_get_info_callback(const SSL *ssl))(const SSL *ssl,int type,int val)
2503 function pointer. */
2504void (*SSL_get_info_callback(const SSL *ssl))(const SSL * /*ssl*/,int /*type*/,int /*val*/)
2505 { 2206 {
2506 return ssl->info_callback; 2207 return ssl->info_callback;
2507 } 2208 }
@@ -2588,14 +2289,14 @@ void SSL_CTX_set_tmp_rsa_callback(SSL_CTX *ctx,RSA *(*cb)(SSL *ssl,
2588 int is_export, 2289 int is_export,
2589 int keylength)) 2290 int keylength))
2590 { 2291 {
2591 SSL_CTX_callback_ctrl(ctx,SSL_CTRL_SET_TMP_RSA_CB,(void (*)(void))cb); 2292 SSL_CTX_callback_ctrl(ctx,SSL_CTRL_SET_TMP_RSA_CB,(void (*)())cb);
2592 } 2293 }
2593 2294
2594void SSL_set_tmp_rsa_callback(SSL *ssl,RSA *(*cb)(SSL *ssl, 2295void SSL_set_tmp_rsa_callback(SSL *ssl,RSA *(*cb)(SSL *ssl,
2595 int is_export, 2296 int is_export,
2596 int keylength)) 2297 int keylength))
2597 { 2298 {
2598 SSL_callback_ctrl(ssl,SSL_CTRL_SET_TMP_RSA_CB,(void (*)(void))cb); 2299 SSL_callback_ctrl(ssl,SSL_CTRL_SET_TMP_RSA_CB,(void (*)())cb);
2599 } 2300 }
2600#endif 2301#endif
2601 2302
@@ -2624,38 +2325,24 @@ RSA *cb(SSL *ssl,int is_export,int keylength)
2624void SSL_CTX_set_tmp_dh_callback(SSL_CTX *ctx,DH *(*dh)(SSL *ssl,int is_export, 2325void SSL_CTX_set_tmp_dh_callback(SSL_CTX *ctx,DH *(*dh)(SSL *ssl,int is_export,
2625 int keylength)) 2326 int keylength))
2626 { 2327 {
2627 SSL_CTX_callback_ctrl(ctx,SSL_CTRL_SET_TMP_DH_CB,(void (*)(void))dh); 2328 SSL_CTX_callback_ctrl(ctx,SSL_CTRL_SET_TMP_DH_CB,(void (*)())dh);
2628 } 2329 }
2629 2330
2630void SSL_set_tmp_dh_callback(SSL *ssl,DH *(*dh)(SSL *ssl,int is_export, 2331void SSL_set_tmp_dh_callback(SSL *ssl,DH *(*dh)(SSL *ssl,int is_export,
2631 int keylength)) 2332 int keylength))
2632 { 2333 {
2633 SSL_callback_ctrl(ssl,SSL_CTRL_SET_TMP_DH_CB,(void (*)(void))dh); 2334 SSL_callback_ctrl(ssl,SSL_CTRL_SET_TMP_DH_CB,(void (*)())dh);
2634 }
2635#endif
2636
2637#ifndef OPENSSL_NO_ECDH
2638void SSL_CTX_set_tmp_ecdh_callback(SSL_CTX *ctx,EC_KEY *(*ecdh)(SSL *ssl,int is_export,
2639 int keylength))
2640 {
2641 SSL_CTX_callback_ctrl(ctx,SSL_CTRL_SET_TMP_ECDH_CB,(void (*)(void))ecdh);
2642 }
2643
2644void SSL_set_tmp_ecdh_callback(SSL *ssl,EC_KEY *(*ecdh)(SSL *ssl,int is_export,
2645 int keylength))
2646 {
2647 SSL_callback_ctrl(ssl,SSL_CTRL_SET_TMP_ECDH_CB,(void (*)(void))ecdh);
2648 } 2335 }
2649#endif 2336#endif
2650 2337
2651 2338
2652void SSL_CTX_set_msg_callback(SSL_CTX *ctx, void (*cb)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg)) 2339void SSL_CTX_set_msg_callback(SSL_CTX *ctx, void (*cb)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg))
2653 { 2340 {
2654 SSL_CTX_callback_ctrl(ctx, SSL_CTRL_SET_MSG_CALLBACK, (void (*)(void))cb); 2341 SSL_CTX_callback_ctrl(ctx, SSL_CTRL_SET_MSG_CALLBACK, (void (*)())cb);
2655 } 2342 }
2656void SSL_set_msg_callback(SSL *ssl, void (*cb)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg)) 2343void SSL_set_msg_callback(SSL *ssl, void (*cb)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg))
2657 { 2344 {
2658 SSL_callback_ctrl(ssl, SSL_CTRL_SET_MSG_CALLBACK, (void (*)(void))cb); 2345 SSL_callback_ctrl(ssl, SSL_CTRL_SET_MSG_CALLBACK, (void (*)())cb);
2659 } 2346 }
2660 2347
2661 2348
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-04-27 13:56:46 +0000