summaryrefslogtreecommitdiff
path: root/src/lib/libssl
diff options
context:
space:
mode:
Diffstat (limited to 'src/lib/libssl')
-rw-r--r--src/lib/libssl/bio_ssl.c585
-rw-r--r--src/lib/libssl/s23_clnt.c466
-rw-r--r--src/lib/libssl/s23_lib.c233
-rw-r--r--src/lib/libssl/s23_pkt.c120
-rw-r--r--src/lib/libssl/s23_srvr.c499
-rw-r--r--src/lib/libssl/s3_both.c469
-rw-r--r--src/lib/libssl/s3_clnt.c1678
-rw-r--r--src/lib/libssl/s3_lib.c961
-rw-r--r--src/lib/libssl/s3_pkt.c1061
-rw-r--r--src/lib/libssl/s3_srvr.c1675
-rw-r--r--src/lib/libssl/shlib_version2
-rw-r--r--src/lib/libssl/ssl.h1453
-rw-r--r--src/lib/libssl/ssl2.h265
-rw-r--r--src/lib/libssl/ssl23.h83
-rw-r--r--src/lib/libssl/ssl3.h455
-rw-r--r--src/lib/libssl/ssl_algs.c102
-rw-r--r--src/lib/libssl/ssl_asn1.c313
-rw-r--r--src/lib/libssl/ssl_cert.c329
-rw-r--r--src/lib/libssl/ssl_ciph.c758
-rw-r--r--src/lib/libssl/ssl_err.c374
-rw-r--r--src/lib/libssl/ssl_err2.c70
-rw-r--r--src/lib/libssl/ssl_lib.c1721
-rw-r--r--src/lib/libssl/ssl_locl.h558
-rw-r--r--src/lib/libssl/ssl_rsa.c831
-rw-r--r--src/lib/libssl/ssl_sess.c582
-rw-r--r--src/lib/libssl/ssl_stat.c458
-rw-r--r--src/lib/libssl/ssl_txt.c152
-rw-r--r--src/lib/libssl/t1_clnt.c90
-rw-r--r--src/lib/libssl/t1_enc.c635
-rw-r--r--src/lib/libssl/t1_lib.c151
-rw-r--r--src/lib/libssl/t1_meth.c88
-rw-r--r--src/lib/libssl/t1_srvr.c91
-rw-r--r--src/lib/libssl/test/CAss.cnf25
-rw-r--r--src/lib/libssl/test/CAssdh.cnf24
-rw-r--r--src/lib/libssl/test/CAssdsa.cnf23
-rw-r--r--src/lib/libssl/test/CAssrsa.cnf24
-rw-r--r--src/lib/libssl/test/Sssdsa.cnf27
-rw-r--r--src/lib/libssl/test/Sssrsa.cnf26
-rw-r--r--src/lib/libssl/test/Uss.cnf28
-rw-r--r--src/lib/libssl/test/methtest.c105
-rw-r--r--src/lib/libssl/test/pkcs7-1.pem15
-rw-r--r--src/lib/libssl/test/pkcs7.pem54
-rw-r--r--src/lib/libssl/test/r160test.c57
-rw-r--r--src/lib/libssl/test/tcrl81
-rw-r--r--src/lib/libssl/test/test.cnf88
-rw-r--r--src/lib/libssl/test/testca44
-rw-r--r--src/lib/libssl/test/testcrl.pem16
-rw-r--r--src/lib/libssl/test/testenc62
-rw-r--r--src/lib/libssl/test/testgen30
-rw-r--r--src/lib/libssl/test/testp7.pem46
-rw-r--r--src/lib/libssl/test/testreq2.pem7
-rw-r--r--src/lib/libssl/test/testrsa.pem9
-rw-r--r--src/lib/libssl/test/testsid.pem12
-rw-r--r--src/lib/libssl/test/testss89
-rw-r--r--src/lib/libssl/test/testssl40
-rw-r--r--src/lib/libssl/test/testx509.pem10
-rw-r--r--src/lib/libssl/test/times113
-rw-r--r--src/lib/libssl/test/tpkcs751
-rw-r--r--src/lib/libssl/test/tpkcs7d44
-rw-r--r--src/lib/libssl/test/treq81
-rw-r--r--src/lib/libssl/test/trsa81
-rw-r--r--src/lib/libssl/test/tsid81
-rw-r--r--src/lib/libssl/test/tx50981
-rw-r--r--src/lib/libssl/test/v3-cert1.pem16
-rw-r--r--src/lib/libssl/test/v3-cert2.pem16
-rw-r--r--src/lib/libssl/tls1.h115
66 files changed, 18929 insertions, 0 deletions
diff --git a/src/lib/libssl/bio_ssl.c b/src/lib/libssl/bio_ssl.c
new file mode 100644
index 0000000000..58a6d69b9b
--- /dev/null
+++ b/src/lib/libssl/bio_ssl.c
@@ -0,0 +1,585 @@
1/* ssl/bio_ssl.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#include <stdio.h>
60#include <stdlib.h>
61#include <string.h>
62#include <errno.h>
63#include "crypto.h"
64#include "bio.h"
65#include "err.h"
66#include "ssl.h"
67
68#ifndef NOPROTO
69static int ssl_write(BIO *h,char *buf,int num);
70static int ssl_read(BIO *h,char *buf,int size);
71static int ssl_puts(BIO *h,char *str);
72static long ssl_ctrl(BIO *h,int cmd,long arg1,char *arg2);
73static int ssl_new(BIO *h);
74static int ssl_free(BIO *data);
75#else
76static int ssl_write();
77static int ssl_read();
78static int ssl_puts();
79static long ssl_ctrl();
80static int ssl_new();
81static int ssl_free();
82#endif
83
84typedef struct bio_ssl_st
85 {
86 SSL *ssl; /* The ssl handle :-) */
87 /* re-negotiate every time the total number of bytes is this size */
88 int num_renegotiates;
89 unsigned long renegotiate_count;
90 unsigned long byte_count;
91 unsigned long renegotiate_timeout;
92 unsigned long last_time;
93 } BIO_SSL;
94
95static BIO_METHOD methods_sslp=
96 {
97 BIO_TYPE_SSL,"ssl",
98 ssl_write,
99 ssl_read,
100 ssl_puts,
101 NULL, /* ssl_gets, */
102 ssl_ctrl,
103 ssl_new,
104 ssl_free,
105 };
106
107BIO_METHOD *BIO_f_ssl()
108 {
109 return(&methods_sslp);
110 }
111
112static int ssl_new(bi)
113BIO *bi;
114 {
115 BIO_SSL *bs;
116
117 bs=(BIO_SSL *)Malloc(sizeof(BIO_SSL));
118 if (bs == NULL)
119 {
120 BIOerr(BIO_F_SSL_NEW,ERR_R_MALLOC_FAILURE);
121 return(0);
122 }
123 memset(bs,0,sizeof(BIO_SSL));
124 bi->init=0;
125 bi->ptr=(char *)bs;
126 bi->flags=0;
127 return(1);
128 }
129
130static int ssl_free(a)
131BIO *a;
132 {
133 BIO_SSL *bs;
134
135 if (a == NULL) return(0);
136 bs=(BIO_SSL *)a->ptr;
137 if (bs->ssl != NULL) SSL_shutdown(bs->ssl);
138 if (a->shutdown)
139 {
140 if (a->init && (bs->ssl != NULL))
141 SSL_free(bs->ssl);
142 a->init=0;
143 a->flags=0;
144 }
145 if (a->ptr != NULL)
146 Free(a->ptr);
147 return(1);
148 }
149
150static int ssl_read(b,out,outl)
151BIO *b;
152char *out;
153int outl;
154 {
155 int ret=1;
156 BIO_SSL *sb;
157 SSL *ssl;
158 int retry_reason=0;
159 int r=0;
160
161 if (out == NULL) return(0);
162 sb=(BIO_SSL *)b->ptr;
163 ssl=sb->ssl;
164
165 BIO_clear_retry_flags(b);
166
167#if 0
168 if (!SSL_is_init_finished(ssl))
169 {
170/* ret=SSL_do_handshake(ssl); */
171 if (ret > 0)
172 {
173
174 outflags=(BIO_FLAGS_READ|BIO_FLAGS_SHOULD_RETRY);
175 ret= -1;
176 goto end;
177 }
178 }
179#endif
180/* if (ret > 0) */
181 ret=SSL_read(ssl,out,outl);
182
183 switch (SSL_get_error(ssl,ret))
184 {
185 case SSL_ERROR_NONE:
186 if (ret <= 0) break;
187 if (sb->renegotiate_count > 0)
188 {
189 sb->byte_count+=ret;
190 if (sb->byte_count > sb->renegotiate_count)
191 {
192 sb->byte_count=0;
193 sb->num_renegotiates++;
194 SSL_renegotiate(ssl);
195 r=1;
196 }
197 }
198 if ((sb->renegotiate_timeout > 0) && (!r))
199 {
200 unsigned long tm;
201
202 tm=(unsigned long)time(NULL);
203 if (tm > sb->last_time+sb->renegotiate_timeout)
204 {
205 sb->last_time=tm;
206 sb->num_renegotiates++;
207 SSL_renegotiate(ssl);
208 }
209 }
210
211 break;
212 case SSL_ERROR_WANT_READ:
213 BIO_set_retry_read(b);
214 break;
215 case SSL_ERROR_WANT_WRITE:
216 BIO_set_retry_write(b);
217 break;
218 case SSL_ERROR_WANT_X509_LOOKUP:
219 BIO_set_retry_special(b);
220 retry_reason=BIO_RR_SSL_X509_LOOKUP;
221 break;
222 case SSL_ERROR_WANT_CONNECT:
223 BIO_set_retry_special(b);
224 retry_reason=BIO_RR_CONNECT;
225 break;
226 case SSL_ERROR_SYSCALL:
227 case SSL_ERROR_SSL:
228 case SSL_ERROR_ZERO_RETURN:
229 default:
230 break;
231 }
232
233 b->retry_reason=retry_reason;
234 return(ret);
235 }
236
237static int ssl_write(b,out,outl)
238BIO *b;
239char *out;
240int outl;
241 {
242 int ret,r=0;
243 int retry_reason=0;
244 SSL *ssl;
245 BIO_SSL *bs;
246
247 if (out == NULL) return(0);
248 bs=(BIO_SSL *)b->ptr;
249 ssl=bs->ssl;
250
251 BIO_clear_retry_flags(b);
252
253/* ret=SSL_do_handshake(ssl);
254 if (ret > 0) */
255 ret=SSL_write(ssl,out,outl);
256
257 switch (SSL_get_error(ssl,ret))
258 {
259 case SSL_ERROR_NONE:
260 if (ret <= 0) break;
261 if (bs->renegotiate_count > 0)
262 {
263 bs->byte_count+=ret;
264 if (bs->byte_count > bs->renegotiate_count)
265 {
266 bs->byte_count=0;
267 bs->num_renegotiates++;
268 SSL_renegotiate(ssl);
269 r=1;
270 }
271 }
272 if ((bs->renegotiate_timeout > 0) && (!r))
273 {
274 unsigned long tm;
275
276 tm=(unsigned long)time(NULL);
277 if (tm > bs->last_time+bs->renegotiate_timeout)
278 {
279 bs->last_time=tm;
280 bs->num_renegotiates++;
281 SSL_renegotiate(ssl);
282 }
283 }
284 break;
285 case SSL_ERROR_WANT_WRITE:
286 BIO_set_retry_write(b);
287 break;
288 case SSL_ERROR_WANT_READ:
289 BIO_set_retry_read(b);
290 break;
291 case SSL_ERROR_WANT_X509_LOOKUP:
292 BIO_set_retry_special(b);
293 retry_reason=BIO_RR_SSL_X509_LOOKUP;
294 break;
295 case SSL_ERROR_WANT_CONNECT:
296 BIO_set_retry_special(b);
297 retry_reason=BIO_RR_CONNECT;
298 case SSL_ERROR_SYSCALL:
299 case SSL_ERROR_SSL:
300 default:
301 break;
302 }
303
304 b->retry_reason=retry_reason;
305 return(ret);
306 }
307
308static long ssl_ctrl(b,cmd,num,ptr)
309BIO *b;
310int cmd;
311long num;
312char *ptr;
313 {
314 SSL **sslp,*ssl;
315 BIO_SSL *bs;
316 BIO *dbio,*bio;
317 long ret=1;
318
319 bs=(BIO_SSL *)b->ptr;
320 ssl=bs->ssl;
321 if ((ssl == NULL) && (cmd != BIO_C_SET_SSL))
322 return(0);
323 switch (cmd)
324 {
325 case BIO_CTRL_RESET:
326 SSL_shutdown(ssl);
327
328 if (ssl->handshake_func == ssl->method->ssl_connect)
329 SSL_set_connect_state(ssl);
330 else if (ssl->handshake_func == ssl->method->ssl_accept)
331 SSL_set_accept_state(ssl);
332
333 SSL_clear(ssl);
334
335 if (b->next_bio != NULL)
336 ret=BIO_ctrl(b->next_bio,cmd,num,ptr);
337 else if (ssl->rbio != NULL)
338 ret=BIO_ctrl(ssl->rbio,cmd,num,ptr);
339 else
340 ret=1;
341 break;
342 case BIO_CTRL_INFO:
343 ret=0;
344 break;
345 case BIO_C_SSL_MODE:
346 if (num) /* client mode */
347 SSL_set_connect_state(ssl);
348 else
349 SSL_set_accept_state(ssl);
350 break;
351 case BIO_C_SET_SSL_RENEGOTIATE_TIMEOUT:
352 ret=bs->renegotiate_timeout;
353 if (num < 60) num=5;
354 bs->renegotiate_timeout=(unsigned long)num;
355 bs->last_time=(unsigned long)time(NULL);
356 break;
357 case BIO_C_SET_SSL_RENEGOTIATE_BYTES:
358 ret=bs->renegotiate_count;
359 if ((long)num >=512)
360 bs->renegotiate_count=(unsigned long)num;
361 break;
362 case BIO_C_GET_SSL_NUM_RENEGOTIATES:
363 ret=bs->num_renegotiates;
364 break;
365 case BIO_C_SET_SSL:
366 if (ssl != NULL)
367 ssl_free(b);
368 b->shutdown=(int)num;
369 ssl=(SSL *)ptr;
370 ((BIO_SSL *)b->ptr)->ssl=ssl;
371 bio=SSL_get_rbio(ssl);
372 if (bio != NULL)
373 {
374 if (b->next_bio != NULL)
375 BIO_push(bio,b->next_bio);
376 b->next_bio=bio;
377 CRYPTO_add(&bio->references,1,CRYPTO_LOCK_BIO);
378 }
379 b->init=1;
380 break;
381 case BIO_C_GET_SSL:
382 if (ptr != NULL)
383 {
384 sslp=(SSL **)ptr;
385 *sslp=ssl;
386 }
387 else
388 ret=0;
389 break;
390 case BIO_CTRL_GET_CLOSE:
391 ret=b->shutdown;
392 break;
393 case BIO_CTRL_SET_CLOSE:
394 b->shutdown=(int)num;
395 break;
396 case BIO_CTRL_WPENDING:
397 ret=BIO_ctrl(ssl->wbio,cmd,num,ptr);
398 break;
399 case BIO_CTRL_PENDING:
400 ret=SSL_pending(ssl);
401 if (ret == 0)
402 ret=BIO_pending(ssl->rbio);
403 break;
404 case BIO_CTRL_FLUSH:
405 BIO_clear_retry_flags(b);
406 ret=BIO_ctrl(ssl->wbio,cmd,num,ptr);
407 BIO_copy_next_retry(b);
408 break;
409 case BIO_CTRL_PUSH:
410 if ((b->next_bio != NULL) && (b->next_bio != ssl->rbio))
411 {
412 SSL_set_bio(ssl,b->next_bio,b->next_bio);
413 CRYPTO_add(&b->next_bio->references,1,CRYPTO_LOCK_BIO);
414 }
415 break;
416 case BIO_CTRL_POP:
417 /* ugly bit of a hack */
418 if (ssl->rbio != ssl->wbio) /* we are in trouble :-( */
419 {
420 BIO_free_all(ssl->wbio);
421 }
422 ssl->wbio=NULL;
423 ssl->rbio=NULL;
424 break;
425 case BIO_C_DO_STATE_MACHINE:
426 BIO_clear_retry_flags(b);
427
428 b->retry_reason=0;
429 ret=(int)SSL_do_handshake(ssl);
430
431 switch (SSL_get_error(ssl,(int)ret))
432 {
433 case SSL_ERROR_WANT_READ:
434 BIO_set_flags(b,
435 BIO_FLAGS_READ|BIO_FLAGS_SHOULD_RETRY);
436 break;
437 case SSL_ERROR_WANT_WRITE:
438 BIO_set_flags(b,
439 BIO_FLAGS_WRITE|BIO_FLAGS_SHOULD_RETRY);
440 break;
441 case SSL_ERROR_WANT_CONNECT:
442 BIO_set_flags(b,
443 BIO_FLAGS_IO_SPECIAL|BIO_FLAGS_SHOULD_RETRY);
444 b->retry_reason=b->next_bio->retry_reason;
445 break;
446 default:
447 break;
448 }
449 break;
450 case BIO_CTRL_DUP:
451 dbio=(BIO *)ptr;
452 if (((BIO_SSL *)dbio->ptr)->ssl != NULL)
453 SSL_free(((BIO_SSL *)dbio->ptr)->ssl);
454 ((BIO_SSL *)dbio->ptr)->ssl=SSL_dup(ssl);
455 ((BIO_SSL *)dbio->ptr)->renegotiate_count=
456 ((BIO_SSL *)b->ptr)->renegotiate_count;
457 ((BIO_SSL *)dbio->ptr)->byte_count=
458 ((BIO_SSL *)b->ptr)->byte_count;
459 ((BIO_SSL *)dbio->ptr)->renegotiate_timeout=
460 ((BIO_SSL *)b->ptr)->renegotiate_timeout;
461 ((BIO_SSL *)dbio->ptr)->last_time=
462 ((BIO_SSL *)b->ptr)->last_time;
463 ret=(((BIO_SSL *)dbio->ptr)->ssl != NULL);
464 break;
465 case BIO_C_GET_FD:
466 ret=BIO_ctrl(ssl->rbio,cmd,num,ptr);
467 break;
468 case BIO_CTRL_SET_CALLBACK:
469 SSL_set_info_callback(ssl,(void (*)())ptr);
470 break;
471 case BIO_CTRL_GET_CALLBACK:
472 {
473 void (**fptr)();
474
475 fptr=(void (**)())ptr;
476 *fptr=SSL_get_info_callback(ssl);
477 }
478 break;
479 default:
480 ret=BIO_ctrl(ssl->rbio,cmd,num,ptr);
481 break;
482 }
483 return(ret);
484 }
485
486static int ssl_puts(bp,str)
487BIO *bp;
488char *str;
489 {
490 int n,ret;
491
492 n=strlen(str);
493 ret=BIO_write(bp,str,n);
494 return(ret);
495 }
496
497BIO *BIO_new_buffer_ssl_connect(ctx)
498SSL_CTX *ctx;
499 {
500 BIO *ret=NULL,*buf=NULL,*ssl=NULL;
501
502 if ((buf=BIO_new(BIO_f_buffer())) == NULL)
503 return(NULL);
504 if ((ssl=BIO_new_ssl_connect(ctx)) == NULL)
505 goto err;
506 if ((ret=BIO_push(buf,ssl)) == NULL)
507 goto err;
508 return(ret);
509err:
510 if (buf != NULL) BIO_free(buf);
511 if (ssl != NULL) BIO_free(ssl);
512 return(NULL);
513 }
514
515BIO *BIO_new_ssl_connect(ctx)
516SSL_CTX *ctx;
517 {
518 BIO *ret=NULL,*con=NULL,*ssl=NULL;
519
520 if ((con=BIO_new(BIO_s_connect())) == NULL)
521 return(NULL);
522 if ((ssl=BIO_new_ssl(ctx,1)) == NULL)
523 goto err;
524 if ((ret=BIO_push(ssl,con)) == NULL)
525 goto err;
526 return(ret);
527err:
528 if (con != NULL) BIO_free(con);
529 if (ret != NULL) BIO_free(ret);
530 return(NULL);
531 }
532
533BIO *BIO_new_ssl(ctx,client)
534SSL_CTX *ctx;
535int client;
536 {
537 BIO *ret;
538 SSL *ssl;
539
540 if ((ret=BIO_new(BIO_f_ssl())) == NULL)
541 return(NULL);
542 if ((ssl=SSL_new(ctx)) == NULL)
543 {
544 BIO_free(ret);
545 return(NULL);
546 }
547 if (client)
548 SSL_set_connect_state(ssl);
549 else
550 SSL_set_accept_state(ssl);
551
552 BIO_set_ssl(ret,ssl,BIO_CLOSE);
553 return(ret);
554 }
555
556int BIO_ssl_copy_session_id(t,f)
557BIO *t,*f;
558 {
559 t=BIO_find_type(t,BIO_TYPE_SSL);
560 f=BIO_find_type(f,BIO_TYPE_SSL);
561 if ((t == NULL) || (f == NULL))
562 return(0);
563 if ( (((BIO_SSL *)t->ptr)->ssl == NULL) ||
564 (((BIO_SSL *)f->ptr)->ssl == NULL))
565 return(0);
566 SSL_copy_session_id(((BIO_SSL *)t->ptr)->ssl,((BIO_SSL *)f->ptr)->ssl);
567 return(1);
568 }
569
570void BIO_ssl_shutdown(b)
571BIO *b;
572 {
573 SSL *s;
574
575 while (b != NULL)
576 {
577 if (b->method->type == BIO_TYPE_SSL)
578 {
579 s=((BIO_SSL *)b->ptr)->ssl;
580 SSL_shutdown(s);
581 break;
582 }
583 b=b->next_bio;
584 }
585 }
diff --git a/src/lib/libssl/s23_clnt.c b/src/lib/libssl/s23_clnt.c
new file mode 100644
index 0000000000..a4661ebb68
--- /dev/null
+++ b/src/lib/libssl/s23_clnt.c
@@ -0,0 +1,466 @@
1/* ssl/s23_clnt.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#include <stdio.h>
60#include "buffer.h"
61#include "rand.h"
62#include "objects.h"
63#include "evp.h"
64#include "ssl_locl.h"
65
66#define BREAK break
67
68#ifndef NOPROTO
69static int ssl23_client_hello(SSL *s);
70static int ssl23_get_server_hello(SSL *s);
71#else
72static int ssl23_client_hello();
73static int ssl23_get_server_hello();
74#endif
75
76static SSL_METHOD *ssl23_get_client_method(ver)
77int ver;
78 {
79 if (ver == SSL2_VERSION)
80 return(SSLv2_client_method());
81 else if (ver == SSL3_VERSION)
82 return(SSLv3_client_method());
83 else if (ver == TLS1_VERSION)
84 return(TLSv1_client_method());
85 else
86 return(NULL);
87 }
88
89SSL_METHOD *SSLv23_client_method()
90 {
91 static int init=1;
92 static SSL_METHOD SSLv23_client_data;
93
94 if (init)
95 {
96 init=0;
97 memcpy((char *)&SSLv23_client_data,
98 (char *)sslv23_base_method(),sizeof(SSL_METHOD));
99 SSLv23_client_data.ssl_connect=ssl23_connect;
100 SSLv23_client_data.get_ssl_method=ssl23_get_client_method;
101 }
102 return(&SSLv23_client_data);
103 }
104
105int ssl23_connect(s)
106SSL *s;
107 {
108 BUF_MEM *buf;
109 unsigned long Time=time(NULL);
110 void (*cb)()=NULL;
111 int ret= -1;
112 int new_state,state;
113
114 RAND_seed((unsigned char *)&Time,sizeof(Time));
115 ERR_clear_error();
116 clear_sys_error();
117
118 if (s->info_callback != NULL)
119 cb=s->info_callback;
120 else if (s->ctx->info_callback != NULL)
121 cb=s->ctx->info_callback;
122
123 if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s);
124 s->in_handshake++;
125
126 for (;;)
127 {
128 state=s->state;
129
130 switch(s->state)
131 {
132 case SSL_ST_BEFORE:
133 case SSL_ST_CONNECT:
134 case SSL_ST_BEFORE|SSL_ST_CONNECT:
135 case SSL_ST_OK|SSL_ST_CONNECT:
136
137 if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1);
138
139 /* s->version=TLS1_VERSION; */
140 s->type=SSL_ST_CONNECT;
141
142 if (s->init_buf == NULL)
143 {
144 if ((buf=BUF_MEM_new()) == NULL)
145 {
146 ret= -1;
147 goto end;
148 }
149 if (!BUF_MEM_grow(buf,SSL3_RT_MAX_PLAIN_LENGTH))
150 {
151 ret= -1;
152 goto end;
153 }
154 s->init_buf=buf;
155 }
156
157 if (!ssl3_setup_buffers(s)) { ret= -1; goto end; }
158
159 ssl3_init_finished_mac(s);
160
161 s->state=SSL23_ST_CW_CLNT_HELLO_A;
162 s->ctx->sess_connect++;
163 s->init_num=0;
164 break;
165
166 case SSL23_ST_CW_CLNT_HELLO_A:
167 case SSL23_ST_CW_CLNT_HELLO_B:
168
169 s->shutdown=0;
170 ret=ssl23_client_hello(s);
171 if (ret <= 0) goto end;
172 s->state=SSL23_ST_CR_SRVR_HELLO_A;
173 s->init_num=0;
174
175 break;
176
177 case SSL23_ST_CR_SRVR_HELLO_A:
178 case SSL23_ST_CR_SRVR_HELLO_B:
179 ret=ssl23_get_server_hello(s);
180 if (ret >= 0) cb=NULL;
181 goto end;
182 break;
183
184 default:
185 SSLerr(SSL_F_SSL23_CONNECT,SSL_R_UNKNOWN_STATE);
186 ret= -1;
187 goto end;
188 /* break; */
189 }
190
191 if (s->debug) BIO_flush(s->wbio);
192
193 if ((cb != NULL) && (s->state != state))
194 {
195 new_state=s->state;
196 s->state=state;
197 cb(s,SSL_CB_CONNECT_LOOP,1);
198 s->state=new_state;
199 }
200 }
201end:
202 s->in_handshake--;
203 if (cb != NULL)
204 cb(s,SSL_CB_CONNECT_EXIT,ret);
205 return(ret);
206 }
207
208
209static int ssl23_client_hello(s)
210SSL *s;
211 {
212 unsigned char *buf;
213 unsigned char *p,*d;
214 int i,ch_len;
215
216 buf=(unsigned char *)s->init_buf->data;
217 if (s->state == SSL23_ST_CW_CLNT_HELLO_A)
218 {
219#if 0
220 /* don't reuse session-id's */
221 if (!ssl_get_new_session(s,0))
222 {
223 return(-1);
224 }
225#endif
226
227 p=s->s3->client_random;
228 RAND_bytes(p,SSL3_RANDOM_SIZE);
229
230 /* Do the message type and length last */
231 d= &(buf[2]);
232 p=d+9;
233
234 *(d++)=SSL2_MT_CLIENT_HELLO;
235 if (!(s->options & SSL_OP_NO_TLSv1))
236 {
237 *(d++)=TLS1_VERSION_MAJOR;
238 *(d++)=TLS1_VERSION_MINOR;
239 }
240 else if (!(s->options & SSL_OP_NO_SSLv3))
241 {
242 *(d++)=SSL3_VERSION_MAJOR;
243 *(d++)=SSL3_VERSION_MINOR;
244 }
245 else if (!(s->options & SSL_OP_NO_SSLv2))
246 {
247 *(d++)=SSL2_VERSION_MAJOR;
248 *(d++)=SSL2_VERSION_MINOR;
249 }
250 else
251 {
252 SSLerr(SSL_F_SSL23_CLIENT_HELLO,SSL_R_NO_PROTOCOLS_AVAILABLE);
253 return(-1);
254 }
255
256 /* Ciphers supported */
257 i=ssl_cipher_list_to_bytes(s,SSL_get_ciphers(s),p);
258 if (i == 0)
259 {
260 /* no ciphers */
261 SSLerr(SSL_F_SSL23_CLIENT_HELLO,SSL_R_NO_CIPHERS_AVAILABLE);
262 return(-1);
263 }
264 s2n(i,d);
265 p+=i;
266
267 /* put in the session-id, zero since there is no
268 * reuse. */
269#if 0
270 s->session->session_id_length=0;
271#endif
272 s2n(0,d);
273
274 if (s->options & SSL_OP_NETSCAPE_CHALLENGE_BUG)
275 ch_len=SSL2_CHALLENGE_LENGTH;
276 else
277 ch_len=SSL2_MAX_CHALLENGE_LENGTH;
278
279 /* write out sslv2 challenge */
280 if (SSL3_RANDOM_SIZE < ch_len)
281 i=SSL3_RANDOM_SIZE;
282 else
283 i=ch_len;
284 s2n(i,d);
285 memset(&(s->s3->client_random[0]),0,SSL3_RANDOM_SIZE);
286 RAND_bytes(&(s->s3->client_random[SSL3_RANDOM_SIZE-i]),i);
287 memcpy(p,&(s->s3->client_random[SSL3_RANDOM_SIZE-i]),i);
288 p+=i;
289
290 i= p- &(buf[2]);
291 buf[0]=((i>>8)&0xff)|0x80;
292 buf[1]=(i&0xff);
293
294 s->state=SSL23_ST_CW_CLNT_HELLO_B;
295 /* number of bytes to write */
296 s->init_num=i+2;
297 s->init_off=0;
298
299 ssl3_finish_mac(s,&(buf[2]),i);
300 }
301
302 /* SSL3_ST_CW_CLNT_HELLO_B */
303 return(ssl23_write_bytes(s));
304 }
305
306static int ssl23_get_server_hello(s)
307SSL *s;
308 {
309 char buf[8];
310 unsigned char *p;
311 int i,ch_len;
312 int n;
313
314 n=ssl23_read_bytes(s,7);
315
316 if (n != 7) return(n);
317 p=s->packet;
318
319 memcpy(buf,p,n);
320
321 if ((p[0] & 0x80) && (p[2] == SSL2_MT_SERVER_HELLO) &&
322 (p[5] == 0x00) && (p[6] == 0x02))
323 {
324 /* we are talking sslv2 */
325 /* we need to clean up the SSLv3 setup and put in the
326 * sslv2 stuff. */
327
328 if (s->options & SSL_OP_NO_SSLv2)
329 {
330 SSLerr(SSL_F_SSL23_GET_SERVER_HELLO,SSL_R_UNSUPPORTED_PROTOCOL);
331 goto err;
332 }
333 if (s->s2 == NULL)
334 {
335 if (!ssl2_new(s))
336 goto err;
337 }
338 else
339 ssl2_clear(s);
340
341 if (s->options & SSL_OP_NETSCAPE_CHALLENGE_BUG)
342 ch_len=SSL2_CHALLENGE_LENGTH;
343 else
344 ch_len=SSL2_MAX_CHALLENGE_LENGTH;
345
346 /* write out sslv2 challenge */
347 i=(SSL3_RANDOM_SIZE < ch_len)
348 ?SSL3_RANDOM_SIZE:ch_len;
349 s->s2->challenge_length=i;
350 memcpy(s->s2->challenge,
351 &(s->s3->client_random[SSL3_RANDOM_SIZE-i]),i);
352
353 if (s->s3 != NULL) ssl3_free(s);
354
355 if (!BUF_MEM_grow(s->init_buf,
356 SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER))
357 {
358 SSLerr(SSL_F_SSL23_GET_SERVER_HELLO,ERR_R_BUF_LIB);
359 goto err;
360 }
361
362 s->state=SSL2_ST_GET_SERVER_HELLO_A;
363 s->s2->ssl2_rollback=1;
364
365 /* setup the 5 bytes we have read so we get them from
366 * the sslv2 buffer */
367 s->rstate=SSL_ST_READ_HEADER;
368 s->packet_length=n;
369 s->packet= &(s->s2->rbuf[0]);
370 memcpy(s->packet,buf,n);
371 s->s2->rbuf_left=n;
372 s->s2->rbuf_offs=0;
373
374 /* we have already written one */
375 s->s2->write_sequence=1;
376
377 s->method=SSLv2_client_method();
378 s->handshake_func=s->method->ssl_connect;
379 }
380 else if ((p[0] == SSL3_RT_HANDSHAKE) &&
381 (p[1] == SSL3_VERSION_MAJOR) &&
382 ((p[2] == SSL3_VERSION_MINOR) ||
383 (p[2] == TLS1_VERSION_MINOR)) &&
384 (p[5] == SSL3_MT_SERVER_HELLO))
385 {
386 /* we have sslv3 or tls1 */
387
388 if (!ssl_init_wbio_buffer(s,1)) goto err;
389
390 /* we are in this state */
391 s->state=SSL3_ST_CR_SRVR_HELLO_A;
392
393 /* put the 5 bytes we have read into the input buffer
394 * for SSLv3 */
395 s->rstate=SSL_ST_READ_HEADER;
396 s->packet_length=n;
397 s->packet= &(s->s3->rbuf.buf[0]);
398 memcpy(s->packet,buf,n);
399 s->s3->rbuf.left=n;
400 s->s3->rbuf.offset=0;
401
402 if ((p[2] == SSL3_VERSION_MINOR) &&
403 !(s->options & SSL_OP_NO_SSLv3))
404 {
405 s->version=SSL3_VERSION;
406 s->method=SSLv3_client_method();
407 }
408 else if ((p[2] == TLS1_VERSION_MINOR) &&
409 !(s->options & SSL_OP_NO_TLSv1))
410 {
411 s->version=TLS1_VERSION;
412 s->method=TLSv1_client_method();
413 }
414 else
415 {
416 SSLerr(SSL_F_SSL23_GET_SERVER_HELLO,SSL_R_UNSUPPORTED_PROTOCOL);
417 goto err;
418 }
419
420 s->handshake_func=s->method->ssl_connect;
421 }
422 else if ((p[0] == SSL3_RT_ALERT) &&
423 (p[1] == SSL3_VERSION_MAJOR) &&
424 ((p[2] == SSL3_VERSION_MINOR) ||
425 (p[2] == TLS1_VERSION_MINOR)) &&
426 (p[3] == 0) &&
427 (p[4] == 2))
428 {
429 void (*cb)()=NULL;
430 int j;
431
432 /* An alert */
433 if (s->info_callback != NULL)
434 cb=s->info_callback;
435 else if (s->ctx->info_callback != NULL)
436 cb=s->ctx->info_callback;
437
438 i=p[5];
439 if (cb != NULL)
440 {
441 j=(i<<8)|p[6];
442 cb(s,SSL_CB_READ_ALERT,j);
443 }
444
445 s->rwstate=SSL_NOTHING;
446 SSLerr(SSL_F_SSL23_GET_SERVER_HELLO,1000+p[6]);
447 goto err;
448 }
449 else
450 {
451 SSLerr(SSL_F_SSL23_GET_SERVER_HELLO,SSL_R_UNKNOWN_PROTOCOL);
452 goto err;
453 }
454 s->init_num=0;
455
456 /* Since, if we are sending a ssl23 client hello, we are not
457 * reusing a session-id */
458 if (!ssl_get_new_session(s,0))
459 goto err;
460
461 s->first_packet=1;
462 return(SSL_connect(s));
463err:
464 return(-1);
465 }
466
diff --git a/src/lib/libssl/s23_lib.c b/src/lib/libssl/s23_lib.c
new file mode 100644
index 0000000000..e16f641101
--- /dev/null
+++ b/src/lib/libssl/s23_lib.c
@@ -0,0 +1,233 @@
1/* ssl/s23_lib.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#include <stdio.h>
60#include "objects.h"
61#include "ssl_locl.h"
62
63#ifndef NOPROTO
64static int ssl23_num_ciphers(void );
65static SSL_CIPHER *ssl23_get_cipher(unsigned int u);
66static int ssl23_read(SSL *s, char *buf, int len);
67static int ssl23_write(SSL *s, char *buf, int len);
68static long ssl23_default_timeout(void );
69static int ssl23_put_cipher_by_char(SSL_CIPHER *c, unsigned char *p);
70static SSL_CIPHER *ssl23_get_cipher_by_char(unsigned char *p);
71#else
72static int ssl23_num_ciphers();
73static SSL_CIPHER *ssl23_get_cipher();
74static int ssl23_read();
75static int ssl23_write();
76static long ssl23_default_timeout();
77static int ssl23_put_cipher_by_char();
78static SSL_CIPHER *ssl23_get_cipher_by_char();
79#endif
80
81char *SSL23_version_str="SSLv2/3 compatablity part of SSLeay 0.7.0 30-Jan-1997";
82
83static SSL_METHOD SSLv23_data= {
84 TLS1_VERSION,
85 tls1_new,
86 tls1_clear,
87 tls1_free,
88 ssl_undefined_function,
89 ssl_undefined_function,
90 ssl23_read,
91 ssl_undefined_function,
92 ssl23_write,
93 ssl_undefined_function,
94 ssl_undefined_function,
95 ssl3_ctrl,
96 ssl3_ctx_ctrl,
97 ssl23_get_cipher_by_char,
98 ssl23_put_cipher_by_char,
99 ssl_undefined_function,
100 ssl23_num_ciphers,
101 ssl23_get_cipher,
102 ssl_bad_method,
103 ssl23_default_timeout,
104 &ssl3_undef_enc_method,
105 };
106
107static long ssl23_default_timeout()
108 {
109 return(300);
110 }
111
112SSL_METHOD *sslv23_base_method()
113 {
114 return(&SSLv23_data);
115 }
116
117static int ssl23_num_ciphers()
118 {
119 return(ssl3_num_ciphers()+ssl2_num_ciphers());
120 }
121
122static SSL_CIPHER *ssl23_get_cipher(u)
123unsigned int u;
124 {
125 unsigned int uu=ssl3_num_ciphers();
126
127 if (u < uu)
128 return(ssl3_get_cipher(u));
129 else
130 return(ssl2_get_cipher(u-uu));
131 }
132
133/* This function needs to check if the ciphers required are actually
134 * available */
135static SSL_CIPHER *ssl23_get_cipher_by_char(p)
136unsigned char *p;
137 {
138 SSL_CIPHER c,*cp;
139 unsigned long id;
140 int n;
141
142 n=ssl3_num_ciphers();
143 id=0x03000000|((unsigned long)p[0]<<16L)|
144 ((unsigned long)p[1]<<8L)|(unsigned long)p[2];
145 c.id=id;
146 cp=ssl3_get_cipher_by_char(p);
147 if (cp == NULL)
148 cp=ssl2_get_cipher_by_char(p);
149 return(cp);
150 }
151
152static int ssl23_put_cipher_by_char(c,p)
153SSL_CIPHER *c;
154unsigned char *p;
155 {
156 long l;
157
158 /* We can write SSLv2 and SSLv3 ciphers */
159 if (p != NULL)
160 {
161 l=c->id;
162 p[0]=((unsigned char)(l>>16L))&0xFF;
163 p[1]=((unsigned char)(l>> 8L))&0xFF;
164 p[2]=((unsigned char)(l ))&0xFF;
165 }
166 return(3);
167 }
168
169static int ssl23_read(s,buf,len)
170SSL *s;
171char *buf;
172int len;
173 {
174 int n;
175
176#if 0
177 if (s->shutdown & SSL_RECEIVED_SHUTDOWN)
178 {
179 s->rwstate=SSL_NOTHING;
180 return(0);
181 }
182#endif
183 clear_sys_error();
184 if (SSL_in_init(s) && (!s->in_handshake))
185 {
186 n=s->handshake_func(s);
187 if (n < 0) return(n);
188 if (n == 0)
189 {
190 SSLerr(SSL_F_SSL23_READ,SSL_R_SSL_HANDSHAKE_FAILURE);
191 return(-1);
192 }
193 return(SSL_read(s,buf,len));
194 }
195 else
196 {
197 ssl_undefined_function(s);
198 return(-1);
199 }
200 }
201
202static int ssl23_write(s,buf,len)
203SSL *s;
204char *buf;
205int len;
206 {
207 int n;
208
209#if 0
210 if (s->shutdown & SSL_SENT_SHUTDOWN)
211 {
212 s->rwstate=SSL_NOTHING;
213 return(0);
214 }
215#endif
216 clear_sys_error();
217 if (SSL_in_init(s) && (!s->in_handshake))
218 {
219 n=s->handshake_func(s);
220 if (n < 0) return(n);
221 if (n == 0)
222 {
223 SSLerr(SSL_F_SSL23_WRITE,SSL_R_SSL_HANDSHAKE_FAILURE);
224 return(-1);
225 }
226 return(SSL_write(s,buf,len));
227 }
228 else
229 {
230 ssl_undefined_function(s);
231 return(-1);
232 }
233 }
diff --git a/src/lib/libssl/s23_pkt.c b/src/lib/libssl/s23_pkt.c
new file mode 100644
index 0000000000..c25c312772
--- /dev/null
+++ b/src/lib/libssl/s23_pkt.c
@@ -0,0 +1,120 @@
1/* ssl/s23_pkt.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#include <stdio.h>
60#include <errno.h>
61#define USE_SOCKETS
62#include "evp.h"
63#include "buffer.h"
64#include "ssl_locl.h"
65
66int ssl23_write_bytes(s)
67SSL *s;
68 {
69 int i,num,tot;
70 char *buf;
71
72 buf=s->init_buf->data;
73 tot=s->init_off;
74 num=s->init_num;
75 for (;;)
76 {
77 s->rwstate=SSL_WRITING;
78 i=BIO_write(s->wbio,&(buf[tot]),num);
79 if (i < 0)
80 {
81 s->init_off=tot;
82 s->init_num=num;
83 return(i);
84 }
85 s->rwstate=SSL_NOTHING;
86 if (i == num) return(tot+i);
87
88 num-=i;
89 tot+=i;
90 }
91 }
92
93/* only return when we have read 'n' bytes */
94int ssl23_read_bytes(s,n)
95SSL *s;
96int n;
97 {
98 unsigned char *p;
99 int j;
100
101 if (s->packet_length < (unsigned int)n)
102 {
103 p=s->packet;
104
105 for (;;)
106 {
107 s->rwstate=SSL_READING;
108 j=BIO_read(s->rbio,(char *)&(p[s->packet_length]),
109 n-s->packet_length);
110 if (j <= 0)
111 return(j);
112 s->rwstate=SSL_NOTHING;
113 s->packet_length+=j;
114 if (s->packet_length >= (unsigned int)n)
115 return(s->packet_length);
116 }
117 }
118 return(n);
119 }
120
diff --git a/src/lib/libssl/s23_srvr.c b/src/lib/libssl/s23_srvr.c
new file mode 100644
index 0000000000..c7b9ecbcf2
--- /dev/null
+++ b/src/lib/libssl/s23_srvr.c
@@ -0,0 +1,499 @@
1/* ssl/s23_srvr.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#include <stdio.h>
60#include "buffer.h"
61#include "rand.h"
62#include "objects.h"
63#include "evp.h"
64#include "ssl_locl.h"
65
66#define BREAK break
67
68#ifndef NOPROTO
69int ssl23_get_client_hello(SSL *s);
70#else
71int ssl23_get_client_hello();
72#endif
73
74static SSL_METHOD *ssl23_get_server_method(ver)
75int ver;
76 {
77 if (ver == SSL2_VERSION)
78 return(SSLv2_server_method());
79 else if (ver == SSL3_VERSION)
80 return(SSLv3_server_method());
81 else if (ver == TLS1_VERSION)
82 return(TLSv1_server_method());
83 else
84 return(NULL);
85 }
86
87SSL_METHOD *SSLv23_server_method()
88 {
89 static int init=1;
90 static SSL_METHOD SSLv23_server_data;
91
92 if (init)
93 {
94 init=0;
95 memcpy((char *)&SSLv23_server_data,
96 (char *)sslv23_base_method(),sizeof(SSL_METHOD));
97 SSLv23_server_data.ssl_accept=ssl23_accept;
98 SSLv23_server_data.get_ssl_method=ssl23_get_server_method;
99 }
100 return(&SSLv23_server_data);
101 }
102
103int ssl23_accept(s)
104SSL *s;
105 {
106 BUF_MEM *buf;
107 unsigned long Time=time(NULL);
108 void (*cb)()=NULL;
109 int ret= -1;
110 int new_state,state;
111
112 RAND_seed((unsigned char *)&Time,sizeof(Time));
113 ERR_clear_error();
114 clear_sys_error();
115
116 if (s->info_callback != NULL)
117 cb=s->info_callback;
118 else if (s->ctx->info_callback != NULL)
119 cb=s->ctx->info_callback;
120
121 if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s);
122 s->in_handshake++;
123
124 for (;;)
125 {
126 state=s->state;
127
128 switch(s->state)
129 {
130 case SSL_ST_BEFORE:
131 case SSL_ST_ACCEPT:
132 case SSL_ST_BEFORE|SSL_ST_ACCEPT:
133 case SSL_ST_OK|SSL_ST_ACCEPT:
134
135 if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1);
136
137 /* s->version=SSL3_VERSION; */
138 s->type=SSL_ST_ACCEPT;
139
140 if (s->init_buf == NULL)
141 {
142 if ((buf=BUF_MEM_new()) == NULL)
143 {
144 ret= -1;
145 goto end;
146 }
147 if (!BUF_MEM_grow(buf,SSL3_RT_MAX_PLAIN_LENGTH))
148 {
149 ret= -1;
150 goto end;
151 }
152 s->init_buf=buf;
153 }
154
155 ssl3_init_finished_mac(s);
156
157 s->state=SSL23_ST_SR_CLNT_HELLO_A;
158 s->ctx->sess_accept++;
159 s->init_num=0;
160 break;
161
162 case SSL23_ST_SR_CLNT_HELLO_A:
163 case SSL23_ST_SR_CLNT_HELLO_B:
164
165 s->shutdown=0;
166 ret=ssl23_get_client_hello(s);
167 if (ret >= 0) cb=NULL;
168 goto end;
169 break;
170
171 default:
172 SSLerr(SSL_F_SSL23_ACCEPT,SSL_R_UNKNOWN_STATE);
173 ret= -1;
174 goto end;
175 /* break; */
176 }
177
178 if ((cb != NULL) && (s->state != state))
179 {
180 new_state=s->state;
181 s->state=state;
182 cb(s,SSL_CB_ACCEPT_LOOP,1);
183 s->state=new_state;
184 }
185 }
186end:
187 if (cb != NULL)
188 cb(s,SSL_CB_ACCEPT_EXIT,ret);
189 s->in_handshake--;
190 return(ret);
191 }
192
193
194int ssl23_get_client_hello(s)
195SSL *s;
196 {
197 char buf_space[8];
198 char *buf= &(buf_space[0]);
199 unsigned char *p,*d,*dd;
200 unsigned int i;
201 unsigned int csl,sil,cl;
202 int n=0,j,tls1=0;
203 int type=0,use_sslv2_strong=0;
204
205 /* read the initial header */
206 if (s->state == SSL23_ST_SR_CLNT_HELLO_A)
207 {
208 if (!ssl3_setup_buffers(s)) goto err;
209
210 n=ssl23_read_bytes(s,7);
211 if (n != 7) return(n);
212
213 p=s->packet;
214
215 memcpy(buf,p,n);
216
217 if ((p[0] & 0x80) && (p[2] == SSL2_MT_CLIENT_HELLO))
218 {
219 /* SSLv2 header */
220 if ((p[3] == 0x00) && (p[4] == 0x02))
221 {
222 /* SSLv2 */
223 if (!(s->options & SSL_OP_NO_SSLv2))
224 type=1;
225 }
226 else if (p[3] == SSL3_VERSION_MAJOR)
227 {
228 /* SSLv3/TLSv1 */
229 if (p[4] >= TLS1_VERSION_MINOR)
230 {
231 if (!(s->options & SSL_OP_NO_TLSv1))
232 {
233 tls1=1;
234 s->state=SSL23_ST_SR_CLNT_HELLO_B;
235 }
236 else if (!(s->options & SSL_OP_NO_SSLv3))
237 {
238 s->state=SSL23_ST_SR_CLNT_HELLO_B;
239 }
240 }
241 else if (!(s->options & SSL_OP_NO_SSLv3))
242 s->state=SSL23_ST_SR_CLNT_HELLO_B;
243
244 if (s->options & SSL_OP_NON_EXPORT_FIRST)
245 {
246 STACK *sk;
247 SSL_CIPHER *c;
248 int ne2,ne3;
249
250 j=((p[0]&0x7f)<<8)|p[1];
251 if (j > (1024*4))
252 {
253 SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_RECORD_TOO_LARGE);
254 goto err;
255 }
256
257 n=ssl23_read_bytes(s,j+2);
258 if (n <= 0) return(n);
259 p=s->packet;
260
261 if ((buf=Malloc(n)) == NULL)
262 {
263 SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,ERR_R_MALLOC_FAILURE);
264 goto err;
265 }
266 memcpy(buf,p,n);
267
268 p+=5;
269 n2s(p,csl);
270 p+=4;
271
272 sk=ssl_bytes_to_cipher_list(
273 s,p,csl,NULL);
274 if (sk != NULL)
275 {
276 ne2=ne3=0;
277 for (j=0; j<sk_num(sk); j++)
278 {
279 c=(SSL_CIPHER *)sk_value(sk,j);
280 if (!(c->algorithms & SSL_EXP))
281 {
282 if ((c->id>>24L) == 2L)
283 ne2=1;
284 else
285 ne3=1;
286 }
287 }
288 if (ne2 && !ne3)
289 {
290 type=1;
291 use_sslv2_strong=1;
292 goto next_bit;
293 }
294 }
295 }
296 }
297 }
298 else if ((p[0] == SSL3_RT_HANDSHAKE) &&
299 (p[1] == SSL3_VERSION_MAJOR) &&
300 (p[5] == SSL3_MT_CLIENT_HELLO))
301 {
302 /* true SSLv3 or tls1 */
303 if (p[2] >= TLS1_VERSION_MINOR)
304 {
305 if (!(s->options & SSL_OP_NO_TLSv1))
306 {
307 type=3;
308 tls1=1;
309 }
310 else if (!(s->options & SSL_OP_NO_SSLv3))
311 type=3;
312 }
313 else if (!(s->options & SSL_OP_NO_SSLv3))
314 type=3;
315 }
316 else if ((strncmp("GET ", p,4) == 0) ||
317 (strncmp("POST ",p,5) == 0) ||
318 (strncmp("HEAD ",p,5) == 0) ||
319 (strncmp("PUT ", p,4) == 0))
320 {
321 SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_HTTP_REQUEST);
322 goto err;
323 }
324 else if (strncmp("CONNECT",p,7) == 0)
325 {
326 SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_HTTPS_PROXY_REQUEST);
327 goto err;
328 }
329 }
330
331next_bit:
332 if (s->state == SSL23_ST_SR_CLNT_HELLO_B)
333 {
334 /* we have a SSLv3/TLSv1 in a SSLv2 header */
335 type=2;
336 p=s->packet;
337 n=((p[0]&0x7f)<<8)|p[1];
338 if (n > (1024*4))
339 {
340 SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_RECORD_TOO_LARGE);
341 goto err;
342 }
343
344 j=ssl23_read_bytes(s,n+2);
345 if (j <= 0) return(j);
346
347 ssl3_finish_mac(s,&(s->packet[2]),s->packet_length-2);
348
349 p=s->packet;
350 p+=5;
351 n2s(p,csl);
352 n2s(p,sil);
353 n2s(p,cl);
354 d=(unsigned char *)s->init_buf->data;
355 if ((csl+sil+cl+11) != s->packet_length)
356 {
357 SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_RECORD_LENGTH_MISMATCH);
358 goto err;
359 }
360
361 *(d++)=SSL3_VERSION_MAJOR;
362 if (tls1)
363 *(d++)=TLS1_VERSION_MINOR;
364 else
365 *(d++)=SSL3_VERSION_MINOR;
366
367 /* lets populate the random area */
368 /* get the chalenge_length */
369 i=(cl > SSL3_RANDOM_SIZE)?SSL3_RANDOM_SIZE:cl;
370 memset(d,0,SSL3_RANDOM_SIZE);
371 memcpy(&(d[SSL3_RANDOM_SIZE-i]),&(p[csl+sil]),i);
372 d+=SSL3_RANDOM_SIZE;
373
374 /* no session-id reuse */
375 *(d++)=0;
376
377 /* ciphers */
378 j=0;
379 dd=d;
380 d+=2;
381 for (i=0; i<csl; i+=3)
382 {
383 if (p[i] != 0) continue;
384 *(d++)=p[i+1];
385 *(d++)=p[i+2];
386 j+=2;
387 }
388 s2n(j,dd);
389
390 /* compression */
391 *(d++)=1;
392 *(d++)=0;
393
394 i=(d-(unsigned char *)s->init_buf->data);
395
396 /* get the data reused from the init_buf */
397 s->s3->tmp.reuse_message=1;
398 s->s3->tmp.message_type=SSL3_MT_CLIENT_HELLO;
399 s->s3->tmp.message_size=i;
400 }
401
402 if (type == 1)
403 {
404 /* we are talking sslv2 */
405 /* we need to clean up the SSLv3/TLSv1 setup and put in the
406 * sslv2 stuff. */
407
408 if (s->s2 == NULL)
409 {
410 if (!ssl2_new(s))
411 goto err;
412 }
413 else
414 ssl2_clear(s);
415
416 if (s->s3 != NULL) ssl3_free(s);
417
418 if (!BUF_MEM_grow(s->init_buf,
419 SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER))
420 {
421 goto err;
422 }
423
424 s->state=SSL2_ST_GET_CLIENT_HELLO_A;
425 if ((s->options & SSL_OP_MSIE_SSLV2_RSA_PADDING) ||
426 use_sslv2_strong)
427 s->s2->ssl2_rollback=0;
428 else
429 s->s2->ssl2_rollback=1;
430
431 /* setup the 5 bytes we have read so we get them from
432 * the sslv2 buffer */
433 s->rstate=SSL_ST_READ_HEADER;
434 s->packet_length=n;
435 s->packet= &(s->s2->rbuf[0]);
436 memcpy(s->packet,buf,n);
437 s->s2->rbuf_left=n;
438 s->s2->rbuf_offs=0;
439
440 s->method=SSLv2_server_method();
441 s->handshake_func=s->method->ssl_accept;
442 }
443
444 if ((type == 2) || (type == 3))
445 {
446 /* we have SSLv3/TLSv1 */
447
448 if (!ssl_init_wbio_buffer(s,1)) goto err;
449
450 /* we are in this state */
451 s->state=SSL3_ST_SR_CLNT_HELLO_A;
452
453 if (type == 3)
454 {
455 /* put the 'n' bytes we have read into the input buffer
456 * for SSLv3 */
457 s->rstate=SSL_ST_READ_HEADER;
458 s->packet_length=n;
459 s->packet= &(s->s3->rbuf.buf[0]);
460 memcpy(s->packet,buf,n);
461 s->s3->rbuf.left=n;
462 s->s3->rbuf.offset=0;
463 }
464 else
465 {
466 s->packet_length=0;
467 s->s3->rbuf.left=0;
468 s->s3->rbuf.offset=0;
469 }
470
471 if (tls1)
472 {
473 s->version=TLS1_VERSION;
474 s->method=TLSv1_server_method();
475 }
476 else
477 {
478 s->version=SSL3_VERSION;
479 s->method=SSLv3_server_method();
480 }
481 s->handshake_func=s->method->ssl_accept;
482 }
483
484 if ((type < 1) || (type > 3))
485 {
486 /* bad, very bad */
487 SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_UNKNOWN_PROTOCOL);
488 goto err;
489 }
490 s->init_num=0;
491
492 if (buf != buf_space) Free(buf);
493 s->first_packet=1;
494 return(SSL_accept(s));
495err:
496 if (buf != buf_space) Free(buf);
497 return(-1);
498 }
499
diff --git a/src/lib/libssl/s3_both.c b/src/lib/libssl/s3_both.c
new file mode 100644
index 0000000000..6de62e1591
--- /dev/null
+++ b/src/lib/libssl/s3_both.c
@@ -0,0 +1,469 @@
1/* ssl/s3_both.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#include <stdio.h>
60#include "buffer.h"
61#include "rand.h"
62#include "objects.h"
63#include "evp.h"
64#include "x509.h"
65#include "ssl_locl.h"
66
67#define BREAK break
68
69/* SSL3err(SSL_F_SSL3_GET_FINISHED,SSL_R_EXCESSIVE_MESSAGE_SIZE);
70 */
71
72int ssl3_send_finished(s,a,b,sender,slen)
73SSL *s;
74int a;
75int b;
76unsigned char *sender;
77int slen;
78 {
79 unsigned char *p,*d;
80 int i;
81 unsigned long l;
82
83 if (s->state == a)
84 {
85 d=(unsigned char *)s->init_buf->data;
86 p= &(d[4]);
87
88 i=s->method->ssl3_enc->final_finish_mac(s,
89 &(s->s3->finish_dgst1),
90 &(s->s3->finish_dgst2),
91 sender,slen,p);
92 p+=i;
93 l=i;
94
95 *(d++)=SSL3_MT_FINISHED;
96 l2n3(l,d);
97 s->init_num=(int)l+4;
98 s->init_off=0;
99
100 s->state=b;
101 }
102
103 /* SSL3_ST_SEND_xxxxxx_HELLO_B */
104 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
105 }
106
107int ssl3_get_finished(s,a,b)
108SSL *s;
109int a;
110int b;
111 {
112 int al,i,ok;
113 long n;
114 unsigned char *p;
115
116 /* the mac has already been generated when we received the
117 * change cipher spec message and is in s->s3->tmp.in_dgst[12]
118 */
119
120 n=ssl3_get_message(s,
121 a,
122 b,
123 SSL3_MT_FINISHED,
124 64, /* should actually be 36+4 :-) */
125 &ok);
126
127 if (!ok) return((int)n);
128
129 /* If this occurs if we has missed a message */
130 if (!s->s3->change_cipher_spec)
131 {
132 al=SSL_AD_UNEXPECTED_MESSAGE;
133 SSLerr(SSL_F_SSL3_GET_FINISHED,SSL_R_GOT_A_FIN_BEFORE_A_CCS);
134 goto f_err;
135 }
136 s->s3->change_cipher_spec=0;
137
138 p=(unsigned char *)s->init_buf->data;
139
140 i=s->method->ssl3_enc->finish_mac_length;
141
142 if (i != n)
143 {
144 al=SSL_AD_DECODE_ERROR;
145 SSLerr(SSL_F_SSL3_GET_FINISHED,SSL_R_BAD_DIGEST_LENGTH);
146 goto f_err;
147 }
148
149 if (memcmp( p, (char *)&(s->s3->tmp.finish_md[0]),i) != 0)
150 {
151 al=SSL_AD_DECRYPT_ERROR;
152 SSLerr(SSL_F_SSL3_GET_FINISHED,SSL_R_DIGEST_CHECK_FAILED);
153 goto f_err;
154 }
155
156 return(1);
157f_err:
158 ssl3_send_alert(s,SSL3_AL_FATAL,al);
159 return(0);
160 }
161
162/* for these 2 messages, we need to
163 * ssl->enc_read_ctx re-init
164 * ssl->s3->read_sequence zero
165 * ssl->s3->read_mac_secret re-init
166 * ssl->session->read_sym_enc assign
167 * ssl->session->read_compression assign
168 * ssl->session->read_hash assign
169 */
170int ssl3_send_change_cipher_spec(s,a,b)
171SSL *s;
172int a,b;
173 {
174 unsigned char *p;
175
176 if (s->state == a)
177 {
178 p=(unsigned char *)s->init_buf->data;
179 *p=SSL3_MT_CCS;
180 s->init_num=1;
181 s->init_off=0;
182
183 s->state=b;
184 }
185
186 /* SSL3_ST_CW_CHANGE_B */
187 return(ssl3_do_write(s,SSL3_RT_CHANGE_CIPHER_SPEC));
188 }
189
190unsigned long ssl3_output_cert_chain(s,x)
191SSL *s;
192X509 *x;
193 {
194 unsigned char *p;
195 int n,i;
196 unsigned long l=7;
197 BUF_MEM *buf;
198 X509_STORE_CTX xs_ctx;
199 X509_OBJECT obj;
200
201 /* TLSv1 sends a chain with nothing in it, instead of an alert */
202 buf=s->init_buf;
203 if (!BUF_MEM_grow(buf,(int)(10)))
204 {
205 SSLerr(SSL_F_SSL3_OUTPUT_CERT_CHAIN,ERR_R_BUF_LIB);
206 return(0);
207 }
208 if (x != NULL)
209 {
210 X509_STORE_CTX_init(&xs_ctx,s->ctx->cert_store,NULL,NULL);
211
212 for (;;)
213 {
214 n=i2d_X509(x,NULL);
215 if (!BUF_MEM_grow(buf,(int)(n+l+3)))
216 {
217 SSLerr(SSL_F_SSL3_OUTPUT_CERT_CHAIN,ERR_R_BUF_LIB);
218 return(0);
219 }
220 p=(unsigned char *)&(buf->data[l]);
221 l2n3(n,p);
222 i2d_X509(x,&p);
223 l+=n+3;
224 if (X509_NAME_cmp(X509_get_subject_name(x),
225 X509_get_issuer_name(x)) == 0) break;
226
227 i=X509_STORE_get_by_subject(&xs_ctx,X509_LU_X509,
228 X509_get_issuer_name(x),&obj);
229 if (i <= 0) break;
230 x=obj.data.x509;
231 /* Count is one too high since the X509_STORE_get uped the
232 * ref count */
233 X509_free(x);
234 }
235
236 X509_STORE_CTX_cleanup(&xs_ctx);
237 }
238
239 l-=7;
240 p=(unsigned char *)&(buf->data[4]);
241 l2n3(l,p);
242 l+=3;
243 p=(unsigned char *)&(buf->data[0]);
244 *(p++)=SSL3_MT_CERTIFICATE;
245 l2n3(l,p);
246 l+=4;
247 return(l);
248 }
249
250long ssl3_get_message(s,st1,stn,mt,max,ok)
251SSL *s;
252int st1,stn,mt;
253long max;
254int *ok;
255 {
256 unsigned char *p;
257 unsigned long l;
258 long n;
259 int i,al;
260
261 if (s->s3->tmp.reuse_message)
262 {
263 s->s3->tmp.reuse_message=0;
264 if ((mt >= 0) && (s->s3->tmp.message_type != mt))
265 {
266 al=SSL_AD_UNEXPECTED_MESSAGE;
267 SSLerr(SSL_F_SSL3_GET_MESSAGE,SSL_R_UNEXPECTED_MESSAGE);
268 goto f_err;
269 }
270 *ok=1;
271 return((int)s->s3->tmp.message_size);
272 }
273
274 p=(unsigned char *)s->init_buf->data;
275
276 if (s->state == st1)
277 {
278 i=ssl3_read_bytes(s,SSL3_RT_HANDSHAKE,
279 (char *)&(p[s->init_num]),
280 4-s->init_num);
281 if (i < (4-s->init_num))
282 {
283 *ok=0;
284 return(ssl3_part_read(s,i));
285 }
286
287 if ((mt >= 0) && (*p != mt))
288 {
289 al=SSL_AD_UNEXPECTED_MESSAGE;
290 SSLerr(SSL_F_SSL3_GET_MESSAGE,SSL_R_UNEXPECTED_MESSAGE);
291 goto f_err;
292 }
293 s->s3->tmp.message_type= *(p++);
294
295 n2l3(p,l);
296 if (l > (unsigned long)max)
297 {
298 al=SSL_AD_ILLEGAL_PARAMETER;
299 SSLerr(SSL_F_SSL3_GET_MESSAGE,SSL_R_EXCESSIVE_MESSAGE_SIZE);
300 goto f_err;
301 }
302 if (l && !BUF_MEM_grow(s->init_buf,(int)l))
303 {
304 SSLerr(SSL_F_SSL3_GET_MESSAGE,ERR_R_BUF_LIB);
305 goto err;
306 }
307 s->s3->tmp.message_size=l;
308 s->state=stn;
309
310 s->init_num=0;
311 }
312
313 /* next state (stn) */
314 p=(unsigned char *)s->init_buf->data;
315 n=s->s3->tmp.message_size;
316 if (n > 0)
317 {
318 i=ssl3_read_bytes(s,SSL3_RT_HANDSHAKE,
319 (char *)&(p[s->init_num]),(int)n);
320 if (i != (int)n)
321 {
322 *ok=0;
323 return(ssl3_part_read(s,i));
324 }
325 }
326 *ok=1;
327 return(n);
328f_err:
329 ssl3_send_alert(s,SSL3_AL_FATAL,al);
330err:
331 *ok=0;
332 return(-1);
333 }
334
335int ssl_cert_type(x,pkey)
336X509 *x;
337EVP_PKEY *pkey;
338 {
339 EVP_PKEY *pk;
340 int ret= -1,i,j;
341
342 if (pkey == NULL)
343 pk=X509_get_pubkey(x);
344 else
345 pk=pkey;
346 if (pk == NULL) goto err;
347
348 i=pk->type;
349 if (i == EVP_PKEY_RSA)
350 {
351 ret=SSL_PKEY_RSA_ENC;
352 if (x != NULL)
353 {
354 j=X509_get_ext_count(x);
355 /* check to see if this is a signing only certificate */
356 /* EAY EAY EAY EAY */
357 }
358 }
359 else if (i == EVP_PKEY_DSA)
360 {
361 ret=SSL_PKEY_DSA_SIGN;
362 }
363 else if (i == EVP_PKEY_DH)
364 {
365 /* if we just have a key, we needs to be guess */
366
367 if (x == NULL)
368 ret=SSL_PKEY_DH_DSA;
369 else
370 {
371 j=X509_get_signature_type(x);
372 if (j == EVP_PKEY_RSA)
373 ret=SSL_PKEY_DH_RSA;
374 else if (j== EVP_PKEY_DSA)
375 ret=SSL_PKEY_DH_DSA;
376 else ret= -1;
377 }
378 }
379 else
380 ret= -1;
381
382err:
383 return(ret);
384 }
385
386int ssl_verify_alarm_type(type)
387long type;
388 {
389 int al;
390
391 switch(type)
392 {
393 case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
394 case X509_V_ERR_UNABLE_TO_GET_CRL:
395 al=SSL_AD_UNKNOWN_CA;
396 break;
397 case X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE:
398 case X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE:
399 case X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY:
400 case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
401 case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
402 case X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD:
403 case X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD:
404 case X509_V_ERR_CERT_NOT_YET_VALID:
405 case X509_V_ERR_CRL_NOT_YET_VALID:
406 al=SSL_AD_BAD_CERTIFICATE;
407 break;
408 case X509_V_ERR_CERT_SIGNATURE_FAILURE:
409 case X509_V_ERR_CRL_SIGNATURE_FAILURE:
410 al=SSL_AD_DECRYPT_ERROR;
411 break;
412 case X509_V_ERR_CERT_HAS_EXPIRED:
413 case X509_V_ERR_CRL_HAS_EXPIRED:
414 al=SSL_AD_CERTIFICATE_EXPIRED;
415 break;
416 case X509_V_ERR_CERT_REVOKED:
417 al=SSL_AD_CERTIFICATE_REVOKED;
418 break;
419 case X509_V_ERR_OUT_OF_MEM:
420 al=SSL_AD_INTERNAL_ERROR;
421 break;
422 case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
423 case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN:
424 case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:
425 case X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE:
426 case X509_V_ERR_CERT_CHAIN_TOO_LONG:
427 al=SSL_AD_UNKNOWN_CA;
428 break;
429 case X509_V_ERR_APPLICATION_VERIFICATION:
430 al=SSL_AD_HANDSHAKE_FAILURE;
431 break;
432 default:
433 al=SSL_AD_CERTIFICATE_UNKNOWN;
434 break;
435 }
436 return(al);
437 }
438
439int ssl3_setup_buffers(s)
440SSL *s;
441 {
442 unsigned char *p;
443 unsigned int extra;
444
445 if (s->s3->rbuf.buf == NULL)
446 {
447 if (s->options & SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER)
448 extra=SSL3_RT_MAX_EXTRA;
449 else
450 extra=0;
451 if ((p=(unsigned char *)Malloc(SSL3_RT_MAX_PACKET_SIZE+extra))
452 == NULL)
453 goto err;
454 s->s3->rbuf.buf=p;
455 }
456
457 if (s->s3->wbuf.buf == NULL)
458 {
459 if ((p=(unsigned char *)Malloc(SSL3_RT_MAX_PACKET_SIZE))
460 == NULL)
461 goto err;
462 s->s3->wbuf.buf=p;
463 }
464 s->packet= &(s->s3->rbuf.buf[0]);
465 return(1);
466err:
467 SSLerr(SSL_F_SSL3_SETUP_BUFFERS,ERR_R_MALLOC_FAILURE);
468 return(0);
469 }
diff --git a/src/lib/libssl/s3_clnt.c b/src/lib/libssl/s3_clnt.c
new file mode 100644
index 0000000000..940c6a458f
--- /dev/null
+++ b/src/lib/libssl/s3_clnt.c
@@ -0,0 +1,1678 @@
1/* ssl/s3_clnt.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#include <stdio.h>
60#include "buffer.h"
61#include "rand.h"
62#include "objects.h"
63#include "evp.h"
64#include "ssl_locl.h"
65
66#define BREAK break
67/* SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,ERR_R_MALLOC_FAILURE);
68 * SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,ERR_R_MALLOC_FAILURE);
69 * SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,ERR_R_MALLOC_FAILURE);
70 * SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE);
71 * SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,ERR_R_MALLOC_FAILURE);
72 * SSLerr(SSL_F_SSL3_GET_SERVER_DONE,ERR_R_MALLOC_FAILURE);
73SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_SSL3_SESSION_ID_TOO_SHORT);
74 */
75
76#ifndef NOPROTO
77static int ssl3_client_hello(SSL *s);
78static int ssl3_get_server_hello(SSL *s);
79static int ssl3_get_certificate_request(SSL *s);
80static int ca_dn_cmp(X509_NAME **a,X509_NAME **b);
81static int ssl3_get_server_done(SSL *s);
82static int ssl3_send_client_verify(SSL *s);
83static int ssl3_send_client_certificate(SSL *s);
84static int ssl3_send_client_key_exchange(SSL *s);
85static int ssl3_get_key_exchange(SSL *s);
86static int ssl3_get_server_certificate(SSL *s);
87static int ssl3_check_cert_and_algorithm(SSL *s);
88#else
89static int ssl3_client_hello();
90static int ssl3_get_server_hello();
91static int ssl3_get_certificate_request();
92static int ca_dn_cmp();
93static int ssl3_get_server_done();
94static int ssl3_send_client_verify();
95static int ssl3_send_client_certificate();
96static int ssl3_send_client_key_exchange();
97static int ssl3_get_key_exchange();
98static int ssl3_get_server_certificate();
99static int ssl3_check_cert_and_algorithm();
100#endif
101
102static SSL_METHOD *ssl3_get_client_method(ver)
103int ver;
104 {
105 if (ver == SSL3_VERSION)
106 return(SSLv3_client_method());
107 else
108 return(NULL);
109 }
110
111SSL_METHOD *SSLv3_client_method()
112 {
113 static int init=1;
114 static SSL_METHOD SSLv3_client_data;
115
116 if (init)
117 {
118 init=0;
119 memcpy((char *)&SSLv3_client_data,(char *)sslv3_base_method(),
120 sizeof(SSL_METHOD));
121 SSLv3_client_data.ssl_connect=ssl3_connect;
122 SSLv3_client_data.get_ssl_method=ssl3_get_client_method;
123 }
124 return(&SSLv3_client_data);
125 }
126
127int ssl3_connect(s)
128SSL *s;
129 {
130 BUF_MEM *buf;
131 unsigned long Time=time(NULL),l;
132 long num1;
133 void (*cb)()=NULL;
134 int ret= -1;
135 BIO *under;
136 int new_state,state,skip=0;;
137
138 RAND_seed((unsigned char *)&Time,sizeof(Time));
139 ERR_clear_error();
140 clear_sys_error();
141
142 if (s->info_callback != NULL)
143 cb=s->info_callback;
144 else if (s->ctx->info_callback != NULL)
145 cb=s->ctx->info_callback;
146
147 if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s);
148 s->in_handshake++;
149
150 for (;;)
151 {
152 state=s->state;
153
154 switch(s->state)
155 {
156 case SSL_ST_RENEGOTIATE:
157 s->new_session=1;
158 s->state=SSL_ST_CONNECT;
159 s->ctx->sess_connect_renegotiate++;
160 /* break */
161 case SSL_ST_BEFORE:
162 case SSL_ST_CONNECT:
163 case SSL_ST_BEFORE|SSL_ST_CONNECT:
164 case SSL_ST_OK|SSL_ST_CONNECT:
165
166 if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1);
167
168 if ((s->version & 0xff00 ) != 0x0300)
169 abort();
170 /* s->version=SSL3_VERSION; */
171 s->type=SSL_ST_CONNECT;
172
173 if (s->init_buf == NULL)
174 {
175 if ((buf=BUF_MEM_new()) == NULL)
176 {
177 ret= -1;
178 goto end;
179 }
180 if (!BUF_MEM_grow(buf,SSL3_RT_MAX_PLAIN_LENGTH))
181 {
182 ret= -1;
183 goto end;
184 }
185 s->init_buf=buf;
186 }
187
188 if (!ssl3_setup_buffers(s)) { ret= -1; goto end; }
189
190 /* setup buffing BIO */
191 if (!ssl_init_wbio_buffer(s,0)) { ret= -1; goto end; }
192
193 /* don't push the buffering BIO quite yet */
194
195 ssl3_init_finished_mac(s);
196
197 s->state=SSL3_ST_CW_CLNT_HELLO_A;
198 s->ctx->sess_connect++;
199 s->init_num=0;
200 break;
201
202 case SSL3_ST_CW_CLNT_HELLO_A:
203 case SSL3_ST_CW_CLNT_HELLO_B:
204
205 s->shutdown=0;
206 ret=ssl3_client_hello(s);
207 if (ret <= 0) goto end;
208 s->state=SSL3_ST_CR_SRVR_HELLO_A;
209 s->init_num=0;
210
211 /* turn on buffering for the next lot of output */
212 if (s->bbio != s->wbio)
213 s->wbio=BIO_push(s->bbio,s->wbio);
214
215 break;
216
217 case SSL3_ST_CR_SRVR_HELLO_A:
218 case SSL3_ST_CR_SRVR_HELLO_B:
219 ret=ssl3_get_server_hello(s);
220 if (ret <= 0) goto end;
221 if (s->hit)
222 s->state=SSL3_ST_CR_FINISHED_A;
223 else
224 s->state=SSL3_ST_CR_CERT_A;
225 s->init_num=0;
226 break;
227
228 case SSL3_ST_CR_CERT_A:
229 case SSL3_ST_CR_CERT_B:
230 /* Check if it is anon DH */
231 if (!(s->s3->tmp.new_cipher->algorithms & SSL_aNULL))
232 {
233 ret=ssl3_get_server_certificate(s);
234 if (ret <= 0) goto end;
235 }
236 else
237 skip=1;
238 s->state=SSL3_ST_CR_KEY_EXCH_A;
239 s->init_num=0;
240 break;
241
242 case SSL3_ST_CR_KEY_EXCH_A:
243 case SSL3_ST_CR_KEY_EXCH_B:
244 ret=ssl3_get_key_exchange(s);
245 if (ret <= 0) goto end;
246 s->state=SSL3_ST_CR_CERT_REQ_A;
247 s->init_num=0;
248
249 /* at this point we check that we have the
250 * required stuff from the server */
251 if (!ssl3_check_cert_and_algorithm(s))
252 {
253 ret= -1;
254 goto end;
255 }
256 break;
257
258 case SSL3_ST_CR_CERT_REQ_A:
259 case SSL3_ST_CR_CERT_REQ_B:
260 ret=ssl3_get_certificate_request(s);
261 if (ret <= 0) goto end;
262 s->state=SSL3_ST_CR_SRVR_DONE_A;
263 s->init_num=0;
264 break;
265
266 case SSL3_ST_CR_SRVR_DONE_A:
267 case SSL3_ST_CR_SRVR_DONE_B:
268 ret=ssl3_get_server_done(s);
269 if (ret <= 0) goto end;
270 if (s->s3->tmp.cert_req)
271 s->state=SSL3_ST_CW_CERT_A;
272 else
273 s->state=SSL3_ST_CW_KEY_EXCH_A;
274 s->init_num=0;
275
276 break;
277
278 case SSL3_ST_CW_CERT_A:
279 case SSL3_ST_CW_CERT_B:
280 case SSL3_ST_CW_CERT_C:
281 ret=ssl3_send_client_certificate(s);
282 if (ret <= 0) goto end;
283 s->state=SSL3_ST_CW_KEY_EXCH_A;
284 s->init_num=0;
285 break;
286
287 case SSL3_ST_CW_KEY_EXCH_A:
288 case SSL3_ST_CW_KEY_EXCH_B:
289 ret=ssl3_send_client_key_exchange(s);
290 if (ret <= 0) goto end;
291 l=s->s3->tmp.new_cipher->algorithms;
292 /* EAY EAY EAY need to check for DH fix cert
293 * sent back */
294 /* For TLS, cert_req is set to 2, so a cert chain
295 * of nothing is sent, but no verify packet is sent */
296 if (s->s3->tmp.cert_req == 1)
297 {
298 s->state=SSL3_ST_CW_CERT_VRFY_A;
299 }
300 else
301 {
302 s->state=SSL3_ST_CW_CHANGE_A;
303 s->s3->change_cipher_spec=0;
304 }
305
306 s->init_num=0;
307 break;
308
309 case SSL3_ST_CW_CERT_VRFY_A:
310 case SSL3_ST_CW_CERT_VRFY_B:
311 ret=ssl3_send_client_verify(s);
312 if (ret <= 0) goto end;
313 s->state=SSL3_ST_CW_CHANGE_A;
314 s->init_num=0;
315 s->s3->change_cipher_spec=0;
316 break;
317
318 case SSL3_ST_CW_CHANGE_A:
319 case SSL3_ST_CW_CHANGE_B:
320 ret=ssl3_send_change_cipher_spec(s,
321 SSL3_ST_CW_CHANGE_A,SSL3_ST_CW_CHANGE_B);
322 if (ret <= 0) goto end;
323 s->state=SSL3_ST_CW_FINISHED_A;
324 s->init_num=0;
325
326 s->session->cipher=s->s3->tmp.new_cipher;
327 if (!s->method->ssl3_enc->setup_key_block(s))
328 {
329 ret= -1;
330 goto end;
331 }
332
333 if (!s->method->ssl3_enc->change_cipher_state(s,
334 SSL3_CHANGE_CIPHER_CLIENT_WRITE))
335 {
336 ret= -1;
337 goto end;
338 }
339
340 break;
341
342 case SSL3_ST_CW_FINISHED_A:
343 case SSL3_ST_CW_FINISHED_B:
344 ret=ssl3_send_finished(s,
345 SSL3_ST_CW_FINISHED_A,SSL3_ST_CW_FINISHED_B,
346 s->method->ssl3_enc->client_finished,
347 s->method->ssl3_enc->client_finished_len);
348 if (ret <= 0) goto end;
349 s->state=SSL3_ST_CW_FLUSH;
350
351 /* clear flags */
352 s->s3->flags&= ~SSL3_FLAGS_POP_BUFFER;
353 if (s->hit)
354 {
355 s->s3->tmp.next_state=SSL_ST_OK;
356 if (s->s3->flags & SSL3_FLAGS_DELAY_CLIENT_FINISHED)
357 {
358 s->state=SSL_ST_OK;
359 s->s3->flags|=SSL3_FLAGS_POP_BUFFER;
360 s->s3->delay_buf_pop_ret=0;
361 }
362 }
363 else
364 {
365 s->s3->tmp.next_state=SSL3_ST_CR_FINISHED_A;
366 }
367 s->init_num=0;
368 break;
369
370 case SSL3_ST_CR_FINISHED_A:
371 case SSL3_ST_CR_FINISHED_B:
372
373 ret=ssl3_get_finished(s,SSL3_ST_CR_FINISHED_A,
374 SSL3_ST_CR_FINISHED_B);
375 if (ret <= 0) goto end;
376
377 if (s->hit)
378 s->state=SSL3_ST_CW_CHANGE_A;
379 else
380 s->state=SSL_ST_OK;
381 s->init_num=0;
382 break;
383
384 case SSL3_ST_CW_FLUSH:
385 /* number of bytes to be flushed */
386 num1=BIO_ctrl(s->wbio,BIO_CTRL_INFO,0,NULL);
387 if (num1 > 0)
388 {
389 s->rwstate=SSL_WRITING;
390 num1=BIO_flush(s->wbio);
391 if (num1 <= 0) { ret= -1; goto end; }
392 s->rwstate=SSL_NOTHING;
393 }
394
395 s->state=s->s3->tmp.next_state;
396 break;
397
398 case SSL_ST_OK:
399 /* clean a few things up */
400 ssl3_cleanup_key_block(s);
401
402 BUF_MEM_free(s->init_buf);
403 s->init_buf=NULL;
404
405 if (!(s->s3->flags & SSL3_FLAGS_POP_BUFFER))
406 {
407 /* remove buffering */
408 under=BIO_pop(s->wbio);
409 if (under != NULL)
410 s->wbio=under;
411 else
412 abort(); /* ok */
413
414 BIO_free(s->bbio);
415 s->bbio=NULL;
416 }
417 /* else do it later */
418
419 s->init_num=0;
420 s->new_session=0;
421
422 ssl_update_cache(s,SSL_SESS_CACHE_CLIENT);
423 if (s->hit) s->ctx->sess_hit++;
424
425 ret=1;
426 /* s->server=0; */
427 s->handshake_func=ssl3_connect;
428 s->ctx->sess_connect_good++;
429
430 if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_DONE,1);
431
432 goto end;
433 break;
434
435 default:
436 SSLerr(SSL_F_SSL3_CONNECT,SSL_R_UNKNOWN_STATE);
437 ret= -1;
438 goto end;
439 /* break; */
440 }
441
442 /* did we do anything */
443 if (!s->s3->tmp.reuse_message && !skip)
444 {
445 if (s->debug)
446 {
447 if ((ret=BIO_flush(s->wbio)) <= 0)
448 goto end;
449 }
450
451 if ((cb != NULL) && (s->state != state))
452 {
453 new_state=s->state;
454 s->state=state;
455 cb(s,SSL_CB_CONNECT_LOOP,1);
456 s->state=new_state;
457 }
458 }
459 skip=0;
460 }
461end:
462 if (cb != NULL)
463 cb(s,SSL_CB_CONNECT_EXIT,ret);
464 s->in_handshake--;
465 return(ret);
466 }
467
468
469static int ssl3_client_hello(s)
470SSL *s;
471 {
472 unsigned char *buf;
473 unsigned char *p,*d;
474 int i;
475 unsigned long Time,l;
476
477 buf=(unsigned char *)s->init_buf->data;
478 if (s->state == SSL3_ST_CW_CLNT_HELLO_A)
479 {
480 if ((s->session == NULL) ||
481 (s->session->ssl_version != s->version))
482 {
483 if (!ssl_get_new_session(s,0))
484 goto err;
485 }
486 /* else use the pre-loaded session */
487
488 p=s->s3->client_random;
489 Time=time(NULL); /* Time */
490 l2n(Time,p);
491 RAND_bytes(&(p[4]),SSL3_RANDOM_SIZE-sizeof(Time));
492
493 /* Do the message type and length last */
494 d=p= &(buf[4]);
495
496 *(p++)=s->version>>8;
497 *(p++)=s->version&0xff;
498
499 /* Random stuff */
500 memcpy(p,s->s3->client_random,SSL3_RANDOM_SIZE);
501 p+=SSL3_RANDOM_SIZE;
502
503 /* Session ID */
504 if (s->new_session)
505 i=0;
506 else
507 i=s->session->session_id_length;
508 *(p++)=i;
509 if (i != 0)
510 {
511 memcpy(p,s->session->session_id,i);
512 p+=i;
513 }
514
515 /* Ciphers supported */
516 i=ssl_cipher_list_to_bytes(s,SSL_get_ciphers(s),&(p[2]));
517 if (i == 0)
518 {
519 SSLerr(SSL_F_SSL3_CLIENT_HELLO,SSL_R_NO_CIPHERS_AVAILABLE);
520 goto err;
521 }
522 s2n(i,p);
523 p+=i;
524
525 /* hardwire in the NULL compression algorithm. */
526 *(p++)=1;
527 *(p++)=0;
528
529 l=(p-d);
530 d=buf;
531 *(d++)=SSL3_MT_CLIENT_HELLO;
532 l2n3(l,d);
533
534 s->state=SSL3_ST_CW_CLNT_HELLO_B;
535 /* number of bytes to write */
536 s->init_num=p-buf;
537 s->init_off=0;
538 }
539
540 /* SSL3_ST_CW_CLNT_HELLO_B */
541 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
542err:
543 return(-1);
544 }
545
546static int ssl3_get_server_hello(s)
547SSL *s;
548 {
549 STACK *sk;
550 SSL_CIPHER *c;
551 unsigned char *p,*d;
552 int i,al,ok;
553 unsigned int j;
554 long n;
555
556 n=ssl3_get_message(s,
557 SSL3_ST_CR_SRVR_HELLO_A,
558 SSL3_ST_CR_SRVR_HELLO_B,
559 SSL3_MT_SERVER_HELLO,
560 300, /* ?? */
561 &ok);
562
563 if (!ok) return((int)n);
564 d=p=(unsigned char *)s->init_buf->data;
565
566 if ((p[0] != (s->version>>8)) || (p[1] != (s->version&0xff)))
567 {
568 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_WRONG_SSL_VERSION);
569 s->version=(s->version&0xff00)|p[1];
570 al=SSL_AD_PROTOCOL_VERSION;
571 goto f_err;
572 }
573 p+=2;
574
575 /* load the server hello data */
576 /* load the server random */
577 memcpy(s->s3->server_random,p,SSL3_RANDOM_SIZE);
578 p+=SSL3_RANDOM_SIZE;
579
580 /* get the session-id */
581 j= *(p++);
582
583 if ((j != 0) && (j != SSL3_SESSION_ID_SIZE))
584 {
585 /* SSLref returns 16 :-( */
586 if (j < SSL2_SSL_SESSION_ID_LENGTH)
587 {
588 al=SSL_AD_ILLEGAL_PARAMETER;
589 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_SSL3_SESSION_ID_TOO_SHORT);
590 goto f_err;
591 }
592 }
593 if ((j != 0) && (j == s->session->session_id_length) &&
594 (memcmp(p,s->session->session_id,j) == 0))
595 s->hit=1;
596 else /* a miss or crap from the other end */
597 {
598 /* If we were trying for session-id reuse, make a new
599 * SSL_SESSION so we don't stuff up other people */
600 s->hit=0;
601 if (s->session->session_id_length > 0)
602 {
603 if (!ssl_get_new_session(s,0))
604 {
605 al=SSL_AD_INTERNAL_ERROR;
606 goto f_err;
607 }
608 }
609 s->session->session_id_length=j;
610 memcpy(s->session->session_id,p,j); /* j could be 0 */
611 }
612 p+=j;
613 c=ssl_get_cipher_by_char(s,p);
614 if (c == NULL)
615 {
616 /* unknown cipher */
617 al=SSL_AD_ILLEGAL_PARAMETER;
618 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_UNKNOWN_CIPHER_RETURNED);
619 goto f_err;
620 }
621 p+=ssl_put_cipher_by_char(s,NULL,NULL);
622
623 sk=ssl_get_ciphers_by_id(s);
624 i=sk_find(sk,(char *)c);
625 if (i < 0)
626 {
627 /* we did not say we would use this cipher */
628 al=SSL_AD_ILLEGAL_PARAMETER;
629 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_WRONG_CIPHER_RETURNED);
630 goto f_err;
631 }
632
633 if (s->hit && (s->session->cipher != c))
634 {
635 if (!(s->options &
636 SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG))
637 {
638 al=SSL_AD_ILLEGAL_PARAMETER;
639 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED);
640 goto f_err;
641 }
642 }
643 s->s3->tmp.new_cipher=c;
644
645 /* lets get the compression algorithm */
646 j= *(p++);
647 if (j != 0)
648 {
649 al=SSL_AD_ILLEGAL_PARAMETER;
650 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM);
651 goto f_err;
652 }
653
654 if (p != (d+n))
655 {
656 /* wrong packet length */
657 al=SSL_AD_DECODE_ERROR;
658 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_BAD_PACKET_LENGTH);
659 goto err;
660 }
661
662 return(1);
663f_err:
664 ssl3_send_alert(s,SSL3_AL_FATAL,al);
665err:
666 return(-1);
667 }
668
669static int ssl3_get_server_certificate(s)
670SSL *s;
671 {
672 int al,i,ok,ret= -1;
673 unsigned long n,nc,llen,l;
674 X509 *x=NULL;
675 unsigned char *p,*d,*q;
676 STACK *sk=NULL;
677 CERT *c;
678 EVP_PKEY *pkey=NULL;
679
680 n=ssl3_get_message(s,
681 SSL3_ST_CR_CERT_A,
682 SSL3_ST_CR_CERT_B,
683 -1,
684#if defined(MSDOS) && !defined(WIN32)
685 1024*30, /* 30k max cert list :-) */
686#else
687 1024*100, /* 100k max cert list :-) */
688#endif
689 &ok);
690
691 if (!ok) return((int)n);
692
693 if (s->s3->tmp.message_type == SSL3_MT_SERVER_KEY_EXCHANGE)
694 {
695 s->s3->tmp.reuse_message=1;
696 return(1);
697 }
698
699 if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE)
700 {
701 al=SSL_AD_UNEXPECTED_MESSAGE;
702 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_BAD_MESSAGE_TYPE);
703 goto f_err;
704 }
705 d=p=(unsigned char *)s->init_buf->data;
706
707 if ((sk=sk_new_null()) == NULL)
708 {
709 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,ERR_R_MALLOC_FAILURE);
710 goto err;
711 }
712
713 n2l3(p,llen);
714 if (llen+3 != n)
715 {
716 al=SSL_AD_DECODE_ERROR;
717 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_LENGTH_MISMATCH);
718 goto f_err;
719 }
720 for (nc=0; nc<llen; )
721 {
722 n2l3(p,l);
723 if ((l+nc+3) > llen)
724 {
725 al=SSL_AD_DECODE_ERROR;
726 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_CERT_LENGTH_MISMATCH);
727 goto f_err;
728 }
729
730 q=p;
731 x=d2i_X509(NULL,&q,l);
732 if (x == NULL)
733 {
734 al=SSL_AD_BAD_CERTIFICATE;
735 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,ERR_R_ASN1_LIB);
736 goto f_err;
737 }
738 if (q != (p+l))
739 {
740 al=SSL_AD_DECODE_ERROR;
741 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_CERT_LENGTH_MISMATCH);
742 goto f_err;
743 }
744 if (!sk_push(sk,(char *)x))
745 {
746 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,ERR_R_MALLOC_FAILURE);
747 goto err;
748 }
749 x=NULL;
750 nc+=l+3;
751 p=q;
752 }
753
754 i=ssl_verify_cert_chain(s,sk);
755 if ((s->verify_mode != SSL_VERIFY_NONE) && (!i))
756 {
757 al=ssl_verify_alarm_type(s->verify_result);
758 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_CERTIFICATE_VERIFY_FAILED);
759 goto f_err;
760 }
761
762 c=ssl_cert_new();
763 if (c == NULL) goto err;
764
765 if (s->session->cert) ssl_cert_free(s->session->cert);
766 s->session->cert=c;
767
768 c->cert_chain=sk;
769 x=(X509 *)sk_value(sk,0);
770 sk=NULL;
771
772 pkey=X509_get_pubkey(x);
773
774 if (EVP_PKEY_missing_parameters(pkey))
775 {
776 x=NULL;
777 al=SSL3_AL_FATAL;
778 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS);
779 goto f_err;
780 }
781
782 i=ssl_cert_type(x,pkey);
783 if (i < 0)
784 {
785 x=NULL;
786 al=SSL3_AL_FATAL;
787 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_UNKNOWN_CERTIFICATE_TYPE);
788 goto f_err;
789 }
790
791 c->cert_type=i;
792 CRYPTO_add(&x->references,1,CRYPTO_LOCK_X509);
793 if (c->pkeys[i].x509 != NULL)
794 X509_free(c->pkeys[i].x509);
795 c->pkeys[i].x509=x;
796 c->key= &(c->pkeys[i]);
797
798 if ((s->session != NULL) && (s->session->peer != NULL))
799 X509_free(s->session->peer);
800 CRYPTO_add(&x->references,1,CRYPTO_LOCK_X509);
801 s->session->peer=x;
802
803 x=NULL;
804 ret=1;
805
806 if (0)
807 {
808f_err:
809 ssl3_send_alert(s,SSL3_AL_FATAL,al);
810 }
811err:
812 if (x != NULL) X509_free(x);
813 if (sk != NULL) sk_pop_free(sk,X509_free);
814 return(ret);
815 }
816
817static int ssl3_get_key_exchange(s)
818SSL *s;
819 {
820#ifndef NO_RSA
821 unsigned char *q,md_buf[EVP_MAX_MD_SIZE*2];
822#endif
823 EVP_MD_CTX md_ctx;
824 unsigned char *param,*p;
825 int al,i,j,param_len,ok;
826 long n,alg;
827 EVP_PKEY *pkey=NULL;
828 RSA *rsa=NULL;
829#ifndef NO_DH
830 DH *dh=NULL;
831#endif
832
833 n=ssl3_get_message(s,
834 SSL3_ST_CR_KEY_EXCH_A,
835 SSL3_ST_CR_KEY_EXCH_B,
836 -1,
837 1024*8, /* ?? */
838 &ok);
839
840 if (!ok) return((int)n);
841
842 if (s->s3->tmp.message_type != SSL3_MT_SERVER_KEY_EXCHANGE)
843 {
844 s->s3->tmp.reuse_message=1;
845 return(1);
846 }
847
848 param=p=(unsigned char *)s->init_buf->data;
849
850 if (s->session->cert != NULL)
851 {
852#ifndef NO_RSA
853 if (s->session->cert->rsa_tmp != NULL)
854 {
855 RSA_free(s->session->cert->rsa_tmp);
856 s->session->cert->rsa_tmp=NULL;
857 }
858#endif
859#ifndef NO_DH
860 if (s->session->cert->dh_tmp)
861 {
862 DH_free(s->session->cert->dh_tmp);
863 s->session->cert->dh_tmp=NULL;
864 }
865#endif
866 }
867 else
868 {
869 s->session->cert=ssl_cert_new();
870 }
871
872 param_len=0;
873 alg=s->s3->tmp.new_cipher->algorithms;
874
875#ifndef NO_RSA
876 if (alg & SSL_kRSA)
877 {
878 if ((rsa=RSA_new()) == NULL)
879 {
880 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE);
881 goto err;
882 }
883 n2s(p,i);
884 param_len=i+2;
885 if (param_len > n)
886 {
887 al=SSL_AD_DECODE_ERROR;
888 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_RSA_MODULUS_LENGTH);
889 goto f_err;
890 }
891 if (!(rsa->n=BN_bin2bn(p,i,rsa->n)))
892 {
893 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB);
894 goto err;
895 }
896 p+=i;
897
898 n2s(p,i);
899 param_len+=i+2;
900 if (param_len > n)
901 {
902 al=SSL_AD_DECODE_ERROR;
903 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_RSA_E_LENGTH);
904 goto f_err;
905 }
906 if (!(rsa->e=BN_bin2bn(p,i,rsa->e)))
907 {
908 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB);
909 goto err;
910 }
911 p+=i;
912 n-=param_len;
913
914/* s->session->cert->rsa_tmp=rsa;*/
915 /* this should be because we are using an export cipher */
916 if (alg & SSL_aRSA)
917 pkey=X509_get_pubkey(s->session->cert->pkeys[SSL_PKEY_RSA_ENC].x509);
918 else
919 {
920 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_INTERNAL_ERROR);
921 goto err;
922 }
923 s->session->cert->rsa_tmp=rsa;
924 }
925 else
926#endif
927#ifndef NO_DH
928 if (alg & SSL_kEDH)
929 {
930 if ((dh=DH_new()) == NULL)
931 {
932 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_DH_LIB);
933 goto err;
934 }
935 n2s(p,i);
936 param_len=i+2;
937 if (param_len > n)
938 {
939 al=SSL_AD_DECODE_ERROR;
940 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_DH_P_LENGTH);
941 goto f_err;
942 }
943 if (!(dh->p=BN_bin2bn(p,i,NULL)))
944 {
945 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB);
946 goto err;
947 }
948 p+=i;
949
950 n2s(p,i);
951 param_len+=i+2;
952 if (param_len > n)
953 {
954 al=SSL_AD_DECODE_ERROR;
955 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_DH_G_LENGTH);
956 goto f_err;
957 }
958 if (!(dh->g=BN_bin2bn(p,i,NULL)))
959 {
960 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB);
961 goto err;
962 }
963 p+=i;
964
965 n2s(p,i);
966 param_len+=i+2;
967 if (param_len > n)
968 {
969 al=SSL_AD_DECODE_ERROR;
970 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_DH_PUB_KEY_LENGTH);
971 goto f_err;
972 }
973 if (!(dh->pub_key=BN_bin2bn(p,i,NULL)))
974 {
975 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB);
976 goto err;
977 }
978 p+=i;
979 n-=param_len;
980
981#ifndef NO_RSA
982 if (alg & SSL_aRSA)
983 pkey=X509_get_pubkey(s->session->cert->pkeys[SSL_PKEY_RSA_ENC].x509);
984 else
985#endif
986#ifndef NO_DSA
987 if (alg & SSL_aDSS)
988 pkey=X509_get_pubkey(s->session->cert->pkeys[SSL_PKEY_DSA_SIGN].x509);
989#endif
990 /* else anonymous DH, so no certificate or pkey. */
991
992 s->session->cert->dh_tmp=dh;
993 }
994 else if ((alg & SSL_kDHr) || (alg & SSL_kDHd))
995 {
996 al=SSL_AD_ILLEGAL_PARAMETER;
997 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER);
998 goto f_err;
999 }
1000#endif
1001
1002 /* p points to the next byte, there are 'n' bytes left */
1003
1004
1005 /* if it was signed, check the signature */
1006 if (pkey != NULL)
1007 {
1008 n2s(p,i);
1009 n-=2;
1010 j=EVP_PKEY_size(pkey);
1011
1012 if ((i != n) || (n > j) || (n <= 0))
1013 {
1014 /* wrong packet length */
1015 al=SSL_AD_DECODE_ERROR;
1016 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_WRONG_SIGNATURE_LENGTH);
1017 goto err;
1018 }
1019
1020#ifndef NO_RSA
1021 if (pkey->type == EVP_PKEY_RSA)
1022 {
1023 int num;
1024
1025 j=0;
1026 q=md_buf;
1027 for (num=2; num > 0; num--)
1028 {
1029 EVP_DigestInit(&md_ctx,(num == 2)
1030 ?s->ctx->md5:s->ctx->sha1);
1031 EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
1032 EVP_DigestUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE);
1033 EVP_DigestUpdate(&md_ctx,param,param_len);
1034 EVP_DigestFinal(&md_ctx,q,(unsigned int *)&i);
1035 q+=i;
1036 j+=i;
1037 }
1038 i=RSA_public_decrypt((int)n,p,p,pkey->pkey.rsa,
1039 RSA_PKCS1_PADDING);
1040 if (i <= 0)
1041 {
1042 al=SSL_AD_DECRYPT_ERROR;
1043 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_RSA_DECRYPT);
1044 goto f_err;
1045 }
1046 if ((j != i) || (memcmp(p,md_buf,i) != 0))
1047 {
1048 /* bad signature */
1049 al=SSL_AD_DECRYPT_ERROR;
1050 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_SIGNATURE);
1051 goto f_err;
1052 }
1053 }
1054 else
1055#endif
1056#ifndef NO_DSA
1057 if (pkey->type == EVP_PKEY_DSA)
1058 {
1059 /* lets do DSS */
1060 EVP_VerifyInit(&md_ctx,EVP_dss1());
1061 EVP_VerifyUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
1062 EVP_VerifyUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE);
1063 EVP_VerifyUpdate(&md_ctx,param,param_len);
1064 if (!EVP_VerifyFinal(&md_ctx,p,(int)n,pkey))
1065 {
1066 /* bad signature */
1067 al=SSL_AD_DECRYPT_ERROR;
1068 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_SIGNATURE);
1069 goto f_err;
1070 }
1071 }
1072 else
1073#endif
1074 {
1075 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_INTERNAL_ERROR);
1076 goto err;
1077 }
1078 }
1079 else
1080 {
1081 /* still data left over */
1082 if (!(alg & SSL_aNULL))
1083 {
1084 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_INTERNAL_ERROR);
1085 goto err;
1086 }
1087 if (n != 0)
1088 {
1089 al=SSL_AD_DECODE_ERROR;
1090 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_EXTRA_DATA_IN_MESSAGE);
1091 goto f_err;
1092 }
1093 }
1094
1095 return(1);
1096f_err:
1097 ssl3_send_alert(s,SSL3_AL_FATAL,al);
1098err:
1099 return(-1);
1100 }
1101
1102static int ssl3_get_certificate_request(s)
1103SSL *s;
1104 {
1105 int ok,ret=0;
1106 unsigned long n,nc,l;
1107 unsigned int llen,ctype_num,i;
1108 X509_NAME *xn=NULL;
1109 unsigned char *p,*d,*q;
1110 STACK *ca_sk=NULL;
1111
1112 n=ssl3_get_message(s,
1113 SSL3_ST_CR_CERT_REQ_A,
1114 SSL3_ST_CR_CERT_REQ_B,
1115 -1,
1116#if defined(MSDOS) && !defined(WIN32)
1117 1024*30, /* 30k max cert list :-) */
1118#else
1119 1024*100, /* 100k max cert list :-) */
1120#endif
1121 &ok);
1122
1123 if (!ok) return((int)n);
1124
1125 s->s3->tmp.cert_req=0;
1126
1127 if (s->s3->tmp.message_type == SSL3_MT_SERVER_DONE)
1128 {
1129 s->s3->tmp.reuse_message=1;
1130 return(1);
1131 }
1132
1133 if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE_REQUEST)
1134 {
1135 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE);
1136 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_WRONG_MESSAGE_TYPE);
1137 goto err;
1138 }
1139
1140 /* TLS does not like anon-DH with client cert */
1141 if (s->version > SSL3_VERSION)
1142 {
1143 l=s->s3->tmp.new_cipher->algorithms;
1144 if (l & SSL_aNULL)
1145 {
1146 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE);
1147 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER);
1148 goto err;
1149 }
1150 }
1151
1152 d=p=(unsigned char *)s->init_buf->data;
1153
1154 if ((ca_sk=sk_new(ca_dn_cmp)) == NULL)
1155 {
1156 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,ERR_R_MALLOC_FAILURE);
1157 goto err;
1158 }
1159
1160 /* get the certificate types */
1161 ctype_num= *(p++);
1162 if (ctype_num > SSL3_CT_NUMBER)
1163 ctype_num=SSL3_CT_NUMBER;
1164 for (i=0; i<ctype_num; i++)
1165 s->s3->tmp.ctype[i]= p[i];
1166 p+=ctype_num;
1167
1168 /* get the CA RDNs */
1169 n2s(p,llen);
1170 if ((llen+ctype_num+2+1) != n)
1171 {
1172 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR);
1173 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_LENGTH_MISMATCH);
1174 goto err;
1175 }
1176
1177 for (nc=0; nc<llen; )
1178 {
1179 n2s(p,l);
1180 if ((l+nc+2) > llen)
1181 {
1182 if ((s->options & SSL_OP_NETSCAPE_CA_DN_BUG))
1183 goto cont; /* netscape bugs */
1184 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR);
1185 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_CA_DN_TOO_LONG);
1186 goto err;
1187 }
1188
1189 q=p;
1190
1191 if ((xn=d2i_X509_NAME(NULL,&q,l)) == NULL)
1192 {
1193 /* If netscape tollerance is on, ignore errors */
1194 if (s->options & SSL_OP_NETSCAPE_CA_DN_BUG)
1195 goto cont;
1196 else
1197 {
1198 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR);
1199 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,ERR_R_ASN1_LIB);
1200 goto err;
1201 }
1202 }
1203
1204 if (q != (p+l))
1205 {
1206 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR);
1207 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_CA_DN_LENGTH_MISMATCH);
1208 goto err;
1209 }
1210 if (!sk_push(ca_sk,(char *)xn))
1211 {
1212 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,ERR_R_MALLOC_FAILURE);
1213 goto err;
1214 }
1215
1216 p+=l;
1217 nc+=l+2;
1218 }
1219
1220 if (0)
1221 {
1222cont:
1223 ERR_clear_error();
1224 }
1225
1226 /* we should setup a certficate to return.... */
1227 s->s3->tmp.cert_req=1;
1228 s->s3->tmp.ctype_num=ctype_num;
1229 if (s->s3->tmp.ca_names != NULL)
1230 sk_pop_free(s->s3->tmp.ca_names,X509_NAME_free);
1231 s->s3->tmp.ca_names=ca_sk;
1232 ca_sk=NULL;
1233
1234 ret=1;
1235err:
1236 if (ca_sk != NULL) sk_pop_free(ca_sk,X509_NAME_free);
1237 return(ret);
1238 }
1239
1240static int ca_dn_cmp(a,b)
1241X509_NAME **a,**b;
1242 {
1243 return(X509_NAME_cmp(*a,*b));
1244 }
1245
1246static int ssl3_get_server_done(s)
1247SSL *s;
1248 {
1249 int ok,ret=0;
1250 long n;
1251
1252 n=ssl3_get_message(s,
1253 SSL3_ST_CR_SRVR_DONE_A,
1254 SSL3_ST_CR_SRVR_DONE_B,
1255 SSL3_MT_SERVER_DONE,
1256 30, /* should be very small, like 0 :-) */
1257 &ok);
1258
1259 if (!ok) return((int)n);
1260 if (n > 0)
1261 {
1262 /* should contain no data */
1263 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR);
1264 SSLerr(SSL_F_SSL3_GET_SERVER_DONE,SSL_R_LENGTH_MISMATCH);
1265 }
1266 ret=1;
1267 return(ret);
1268 }
1269
1270static int ssl3_send_client_key_exchange(s)
1271SSL *s;
1272 {
1273 unsigned char *p,*q,*d;
1274 int n;
1275 unsigned long l;
1276 EVP_PKEY *pkey=NULL;
1277
1278 if (s->state == SSL3_ST_CW_KEY_EXCH_A)
1279 {
1280 d=(unsigned char *)s->init_buf->data;
1281 p= &(d[4]);
1282
1283 l=s->s3->tmp.new_cipher->algorithms;
1284
1285#ifndef NO_RSA
1286 if (l & SSL_kRSA)
1287 {
1288 RSA *rsa;
1289 unsigned char tmp_buf[48];
1290
1291 if (s->session->cert->rsa_tmp != NULL)
1292 rsa=s->session->cert->rsa_tmp;
1293 else
1294 {
1295 pkey=X509_get_pubkey(s->session->cert->pkeys[SSL_PKEY_RSA_ENC].x509);
1296 if ((pkey == NULL) ||
1297 (pkey->type != EVP_PKEY_RSA) ||
1298 (pkey->pkey.rsa == NULL))
1299 {
1300 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_INTERNAL_ERROR);
1301 goto err;
1302 }
1303 rsa=pkey->pkey.rsa;
1304 }
1305
1306 tmp_buf[0]=s->version>>8;
1307 tmp_buf[1]=s->version&0xff;
1308 RAND_bytes(&(tmp_buf[2]),SSL_MAX_MASTER_KEY_LENGTH-2);
1309
1310 s->session->master_key_length=SSL_MAX_MASTER_KEY_LENGTH;
1311
1312 q=p;
1313 /* Fix buf for TLS and beyond */
1314 if (s->version > SSL3_VERSION)
1315 p+=2;
1316 n=RSA_public_encrypt(SSL_MAX_MASTER_KEY_LENGTH,
1317 tmp_buf,p,rsa,RSA_PKCS1_PADDING);
1318 if (n <= 0)
1319 {
1320 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_BAD_RSA_ENCRYPT);
1321 goto err;
1322 }
1323
1324 /* Fix buf for TLS and beyond */
1325 if (s->version > SSL3_VERSION)
1326 {
1327 s2n(n,q);
1328 n+=2;
1329 }
1330
1331 s->session->master_key_length=
1332 s->method->ssl3_enc->generate_master_secret(s,
1333 s->session->master_key,
1334 tmp_buf,48);
1335 memset(tmp_buf,0,48);
1336 }
1337 else
1338#endif
1339#ifndef NO_DH
1340 if (l & (SSL_kEDH|SSL_kDHr|SSL_kDHd))
1341 {
1342 DH *dh_srvr,*dh_clnt;
1343
1344 if (s->session->cert->dh_tmp != NULL)
1345 dh_srvr=s->session->cert->dh_tmp;
1346 else
1347 {
1348 /* we get them from the cert */
1349 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE);
1350 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_UNABLE_TO_FIND_DH_PARAMETERS);
1351 goto err;
1352 }
1353
1354 /* generate a new random key */
1355 if ((dh_clnt=DHparams_dup(dh_srvr)) == NULL)
1356 {
1357 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB);
1358 goto err;
1359 }
1360 if (!DH_generate_key(dh_clnt))
1361 {
1362 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB);
1363 goto err;
1364 }
1365
1366 /* use the 'p' output buffer for the DH key, but
1367 * make sure to clear it out afterwards */
1368
1369 n=DH_compute_key(p,dh_srvr->pub_key,dh_clnt);
1370
1371 if (n <= 0)
1372 {
1373 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB);
1374 goto err;
1375 }
1376
1377 /* generate master key from the result */
1378 s->session->master_key_length=
1379 s->method->ssl3_enc->generate_master_secret(s,
1380 s->session->master_key,p,n);
1381 /* clean up */
1382 memset(p,0,n);
1383
1384 /* send off the data */
1385 n=BN_num_bytes(dh_clnt->pub_key);
1386 s2n(n,p);
1387 BN_bn2bin(dh_clnt->pub_key,p);
1388 n+=2;
1389
1390 DH_free(dh_clnt);
1391
1392 /* perhaps clean things up a bit EAY EAY EAY EAY*/
1393 }
1394 else
1395#endif
1396 {
1397 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE);
1398 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_INTERNAL_ERROR);
1399 goto err;
1400 }
1401
1402 *(d++)=SSL3_MT_CLIENT_KEY_EXCHANGE;
1403 l2n3(n,d);
1404
1405 s->state=SSL3_ST_CW_KEY_EXCH_B;
1406 /* number of bytes to write */
1407 s->init_num=n+4;
1408 s->init_off=0;
1409 }
1410
1411 /* SSL3_ST_CW_KEY_EXCH_B */
1412 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
1413err:
1414 return(-1);
1415 }
1416
1417static int ssl3_send_client_verify(s)
1418SSL *s;
1419 {
1420 unsigned char *p,*d;
1421 unsigned char data[MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH];
1422 EVP_PKEY *pkey;
1423 int i=0;
1424 unsigned long n;
1425#ifndef NO_DSA
1426 int j;
1427#endif
1428
1429 if (s->state == SSL3_ST_CW_CERT_VRFY_A)
1430 {
1431 d=(unsigned char *)s->init_buf->data;
1432 p= &(d[4]);
1433 pkey=s->cert->key->privatekey;
1434
1435 s->method->ssl3_enc->cert_verify_mac(s,&(s->s3->finish_dgst2),
1436 &(data[MD5_DIGEST_LENGTH]));
1437
1438#ifndef NO_RSA
1439 if (pkey->type == EVP_PKEY_RSA)
1440 {
1441 s->method->ssl3_enc->cert_verify_mac(s,
1442 &(s->s3->finish_dgst1),&(data[0]));
1443 i=RSA_private_encrypt(
1444 MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH,
1445 data,&(p[2]),pkey->pkey.rsa,
1446 RSA_PKCS1_PADDING);
1447 if (i <= 0)
1448 {
1449 SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,ERR_R_RSA_LIB);
1450 goto err;
1451 }
1452 s2n(i,p);
1453 n=i+2;
1454 }
1455 else
1456#endif
1457#ifndef NO_DSA
1458 if (pkey->type == EVP_PKEY_DSA)
1459 {
1460 if (!DSA_sign(pkey->save_type,
1461 &(data[MD5_DIGEST_LENGTH]),
1462 SHA_DIGEST_LENGTH,&(p[2]),
1463 (unsigned int *)&j,pkey->pkey.dsa))
1464 {
1465 SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,ERR_R_DSA_LIB);
1466 goto err;
1467 }
1468 s2n(j,p);
1469 n=j+2;
1470 }
1471 else
1472#endif
1473 {
1474 SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,SSL_R_INTERNAL_ERROR);
1475 goto err;
1476 }
1477 *(d++)=SSL3_MT_CERTIFICATE_VERIFY;
1478 l2n3(n,d);
1479
1480 s->init_num=(int)n+4;
1481 s->init_off=0;
1482 }
1483 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
1484err:
1485 return(-1);
1486 }
1487
1488static int ssl3_send_client_certificate(s)
1489SSL *s;
1490 {
1491 X509 *x509=NULL;
1492 EVP_PKEY *pkey=NULL;
1493 int i;
1494 unsigned long l;
1495
1496 if (s->state == SSL3_ST_CW_CERT_A)
1497 {
1498 if ((s->cert == NULL) ||
1499 (s->cert->key->x509 == NULL) ||
1500 (s->cert->key->privatekey == NULL))
1501 s->state=SSL3_ST_CW_CERT_B;
1502 else
1503 s->state=SSL3_ST_CW_CERT_C;
1504 }
1505
1506 /* We need to get a client cert */
1507 if (s->state == SSL3_ST_CW_CERT_B)
1508 {
1509 /* If we get an error, we need to
1510 * ssl->rwstate=SSL_X509_LOOKUP; return(-1);
1511 * We then get retied later */
1512 i=0;
1513 if (s->ctx->client_cert_cb != NULL)
1514 i=s->ctx->client_cert_cb(s,&(x509),&(pkey));
1515 if (i < 0)
1516 {
1517 s->rwstate=SSL_X509_LOOKUP;
1518 return(-1);
1519 }
1520 s->rwstate=SSL_NOTHING;
1521 if ((i == 1) && (pkey != NULL) && (x509 != NULL))
1522 {
1523 s->state=SSL3_ST_CW_CERT_B;
1524 if ( !SSL_use_certificate(s,x509) ||
1525 !SSL_use_PrivateKey(s,pkey))
1526 i=0;
1527 }
1528 else if (i == 1)
1529 {
1530 i=0;
1531 SSLerr(SSL_F_SSL3_SEND_CLIENT_CERTIFICATE,SSL_R_BAD_DATA_RETURNED_BY_CALLBACK);
1532 }
1533
1534 if (x509 != NULL) X509_free(x509);
1535 if (pkey != NULL) EVP_PKEY_free(pkey);
1536 if (i == 0)
1537 {
1538 if (s->version == SSL3_VERSION)
1539 {
1540 s->s3->tmp.cert_req=0;
1541 ssl3_send_alert(s,SSL3_AL_WARNING,SSL_AD_NO_CERTIFICATE);
1542 return(1);
1543 }
1544 else
1545 {
1546 s->s3->tmp.cert_req=2;
1547 }
1548 }
1549
1550 /* Ok, we have a cert */
1551 s->state=SSL3_ST_CW_CERT_C;
1552 }
1553
1554 if (s->state == SSL3_ST_CW_CERT_C)
1555 {
1556 s->state=SSL3_ST_CW_CERT_D;
1557 l=ssl3_output_cert_chain(s,
1558 (s->s3->tmp.cert_req == 2)?NULL:s->cert->key->x509);
1559 s->init_num=(int)l;
1560 s->init_off=0;
1561 }
1562 /* SSL3_ST_CW_CERT_D */
1563 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
1564 }
1565
1566#define has_bits(i,m) (((i)&(m)) == (m))
1567
1568static int ssl3_check_cert_and_algorithm(s)
1569SSL *s;
1570 {
1571 int i,idx;
1572 long algs;
1573 EVP_PKEY *pkey=NULL;
1574 CERT *c;
1575 RSA *rsa;
1576 DH *dh;
1577
1578 c=s->session->cert;
1579
1580 if (c == NULL)
1581 {
1582 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_INTERNAL_ERROR);
1583 goto err;
1584 }
1585
1586 algs=s->s3->tmp.new_cipher->algorithms;
1587
1588 /* we don't have a certificate */
1589 if (algs & (SSL_aDH|SSL_aNULL))
1590 return(1);
1591
1592 rsa=s->session->cert->rsa_tmp;
1593 dh=s->session->cert->dh_tmp;
1594
1595 /* This is the passed certificate */
1596
1597 idx=c->cert_type;
1598 pkey=X509_get_pubkey(c->pkeys[idx].x509);
1599 i=X509_certificate_type(c->pkeys[idx].x509,pkey);
1600
1601
1602 /* Check that we have a certificate if we require one */
1603 if ((algs & SSL_aRSA) && !has_bits(i,EVP_PK_RSA|EVP_PKT_SIGN))
1604 {
1605 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_RSA_SIGNING_CERT);
1606 goto f_err;
1607 }
1608#ifndef NO_DSA
1609 else if ((algs & SSL_aDSS) && !has_bits(i,EVP_PK_DSA|EVP_PKT_SIGN))
1610 {
1611 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DSA_SIGNING_CERT);
1612 goto f_err;
1613 }
1614#endif
1615
1616 if ((algs & SSL_kRSA) &&
1617 !(has_bits(i,EVP_PK_RSA|EVP_PKT_ENC) || (rsa != NULL)))
1618 {
1619 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_RSA_ENCRYPTING_CERT);
1620 goto f_err;
1621 }
1622#ifndef NO_DH
1623 else if ((algs & SSL_kEDH) &&
1624 !(has_bits(i,EVP_PK_DH|EVP_PKT_EXCH) || (dh != NULL)))
1625 {
1626 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DH_KEY);
1627 goto f_err;
1628 }
1629 else if ((algs & SSL_kDHr) && !has_bits(i,EVP_PK_DH|EVP_PKS_RSA))
1630 {
1631 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DH_RSA_CERT);
1632 goto f_err;
1633 }
1634#ifndef NO_DSA
1635 else if ((algs & SSL_kDHd) && !has_bits(i,EVP_PK_DH|EVP_PKS_DSA))
1636 {
1637 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DH_DSA_CERT);
1638 goto f_err;
1639 }
1640#endif
1641#endif
1642
1643 if ((algs & SSL_EXP) && !has_bits(i,EVP_PKT_EXP))
1644 {
1645#ifndef NO_RSA
1646 if (algs & SSL_kRSA)
1647 {
1648 if ((rsa == NULL) || (RSA_size(rsa) > 512))
1649 {
1650 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_EXPORT_TMP_RSA_KEY);
1651 goto f_err;
1652 }
1653 }
1654 else
1655#endif
1656#ifndef NO_DH
1657 if (algs & (SSL_kEDH|SSL_kDHr|SSL_kDHd))
1658 {
1659 if ((dh == NULL) || (DH_size(dh) > 512))
1660 {
1661 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_EXPORT_TMP_DH_KEY);
1662 goto f_err;
1663 }
1664 }
1665 else
1666#endif
1667 {
1668 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE);
1669 goto f_err;
1670 }
1671 }
1672 return(1);
1673f_err:
1674 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE);
1675err:
1676 return(0);
1677 }
1678
diff --git a/src/lib/libssl/s3_lib.c b/src/lib/libssl/s3_lib.c
new file mode 100644
index 0000000000..0fd945025d
--- /dev/null
+++ b/src/lib/libssl/s3_lib.c
@@ -0,0 +1,961 @@
1/* ssl/s3_lib.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#include <stdio.h>
60#include "objects.h"
61#include "ssl_locl.h"
62
63char *ssl3_version_str="SSLv3 part of SSLeay 0.9.0b 29-Jun-1998";
64
65#define SSL3_NUM_CIPHERS (sizeof(ssl3_ciphers)/sizeof(SSL_CIPHER))
66
67#ifndef NOPROTO
68static long ssl3_default_timeout(void );
69#else
70static long ssl3_default_timeout();
71#endif
72
73SSL_CIPHER ssl3_ciphers[]={
74/* The RSA ciphers */
75/* Cipher 01 */
76 {
77 1,
78 SSL3_TXT_RSA_NULL_MD5,
79 SSL3_CK_RSA_NULL_MD5,
80 SSL_kRSA|SSL_aRSA|SSL_eNULL |SSL_MD5|SSL_NOT_EXP|SSL_SSLV3,
81 0,
82 SSL_ALL_CIPHERS,
83 },
84/* Cipher 02 */
85 {
86 1,
87 SSL3_TXT_RSA_NULL_SHA,
88 SSL3_CK_RSA_NULL_SHA,
89 SSL_kRSA|SSL_aRSA|SSL_eNULL |SSL_SHA1|SSL_NOT_EXP|SSL_SSLV3,
90 0,
91 SSL_ALL_CIPHERS,
92 },
93
94/* anon DH */
95/* Cipher 17 */
96 {
97 1,
98 SSL3_TXT_ADH_RC4_40_MD5,
99 SSL3_CK_ADH_RC4_40_MD5,
100 SSL_kEDH |SSL_aNULL|SSL_RC4 |SSL_MD5 |SSL_EXP|SSL_SSLV3,
101 0,
102 SSL_ALL_CIPHERS,
103 },
104/* Cipher 18 */
105 {
106 1,
107 SSL3_TXT_ADH_RC4_128_MD5,
108 SSL3_CK_ADH_RC4_128_MD5,
109 SSL_kEDH |SSL_aNULL|SSL_RC4 |SSL_MD5|SSL_NOT_EXP|SSL_SSLV3,
110 0,
111 SSL_ALL_CIPHERS,
112 },
113/* Cipher 19 */
114 {
115 1,
116 SSL3_TXT_ADH_DES_40_CBC_SHA,
117 SSL3_CK_ADH_DES_40_CBC_SHA,
118 SSL_kEDH |SSL_aNULL|SSL_DES|SSL_SHA1|SSL_EXP|SSL_SSLV3,
119 0,
120 SSL_ALL_CIPHERS,
121 },
122/* Cipher 1A */
123 {
124 1,
125 SSL3_TXT_ADH_DES_64_CBC_SHA,
126 SSL3_CK_ADH_DES_64_CBC_SHA,
127 SSL_kEDH |SSL_aNULL|SSL_DES |SSL_SHA1|SSL_NOT_EXP|SSL_SSLV3,
128 0,
129 SSL_ALL_CIPHERS,
130 },
131/* Cipher 1B */
132 {
133 1,
134 SSL3_TXT_ADH_DES_192_CBC_SHA,
135 SSL3_CK_ADH_DES_192_CBC_SHA,
136 SSL_kEDH |SSL_aNULL|SSL_3DES |SSL_SHA1|SSL_NOT_EXP|SSL_SSLV3,
137 0,
138 SSL_ALL_CIPHERS,
139 },
140
141/* RSA again */
142/* Cipher 03 */
143 {
144 1,
145 SSL3_TXT_RSA_RC4_40_MD5,
146 SSL3_CK_RSA_RC4_40_MD5,
147 SSL_kRSA|SSL_aRSA|SSL_RC4 |SSL_MD5 |SSL_EXP|SSL_SSLV3,
148 0,
149 SSL_ALL_CIPHERS,
150 },
151/* Cipher 04 */
152 {
153 1,
154 SSL3_TXT_RSA_RC4_128_MD5,
155 SSL3_CK_RSA_RC4_128_MD5,
156 SSL_kRSA|SSL_aRSA|SSL_RC4 |SSL_MD5|SSL_NOT_EXP|SSL_SSLV3|SSL_MEDIUM,
157 0,
158 SSL_ALL_CIPHERS,
159 },
160/* Cipher 05 */
161 {
162 1,
163 SSL3_TXT_RSA_RC4_128_SHA,
164 SSL3_CK_RSA_RC4_128_SHA,
165 SSL_kRSA|SSL_aRSA|SSL_RC4 |SSL_SHA1|SSL_NOT_EXP|SSL_SSLV3|SSL_MEDIUM,
166 0,
167 SSL_ALL_CIPHERS,
168 },
169/* Cipher 06 */
170 {
171 1,
172 SSL3_TXT_RSA_RC2_40_MD5,
173 SSL3_CK_RSA_RC2_40_MD5,
174 SSL_kRSA|SSL_aRSA|SSL_RC2 |SSL_MD5 |SSL_EXP|SSL_SSLV3,
175 0,
176 SSL_ALL_CIPHERS,
177 },
178/* Cipher 07 */
179 {
180 1,
181 SSL3_TXT_RSA_IDEA_128_SHA,
182 SSL3_CK_RSA_IDEA_128_SHA,
183 SSL_kRSA|SSL_aRSA|SSL_IDEA |SSL_SHA1|SSL_NOT_EXP|SSL_SSLV3|SSL_MEDIUM,
184 0,
185 SSL_ALL_CIPHERS,
186 },
187/* Cipher 08 */
188 {
189 1,
190 SSL3_TXT_RSA_DES_40_CBC_SHA,
191 SSL3_CK_RSA_DES_40_CBC_SHA,
192 SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA1|SSL_EXP|SSL_SSLV3,
193 0,
194 SSL_ALL_CIPHERS,
195 },
196/* Cipher 09 */
197 {
198 1,
199 SSL3_TXT_RSA_DES_64_CBC_SHA,
200 SSL3_CK_RSA_DES_64_CBC_SHA,
201 SSL_kRSA|SSL_aRSA|SSL_DES |SSL_SHA1|SSL_NOT_EXP|SSL_SSLV3|SSL_LOW,
202 0,
203 SSL_ALL_CIPHERS,
204 },
205/* Cipher 0A */
206 {
207 1,
208 SSL3_TXT_RSA_DES_192_CBC3_SHA,
209 SSL3_CK_RSA_DES_192_CBC3_SHA,
210 SSL_kRSA|SSL_aRSA|SSL_3DES |SSL_SHA1|SSL_NOT_EXP|SSL_SSLV3|SSL_HIGH,
211 0,
212 SSL_ALL_CIPHERS,
213 },
214
215/* The DH ciphers */
216/* Cipher 0B */
217 {
218 0,
219 SSL3_TXT_DH_DSS_DES_40_CBC_SHA,
220 SSL3_CK_DH_DSS_DES_40_CBC_SHA,
221 SSL_kDHd |SSL_aDH|SSL_DES|SSL_SHA1|SSL_EXP|SSL_SSLV3,
222 0,
223 SSL_ALL_CIPHERS,
224 },
225/* Cipher 0C */
226 {
227 0,
228 SSL3_TXT_DH_DSS_DES_64_CBC_SHA,
229 SSL3_CK_DH_DSS_DES_64_CBC_SHA,
230 SSL_kDHd |SSL_aDH|SSL_DES |SSL_SHA1|SSL_NOT_EXP|SSL_SSLV3|SSL_LOW,
231 0,
232 SSL_ALL_CIPHERS,
233 },
234/* Cipher 0D */
235 {
236 0,
237 SSL3_TXT_DH_DSS_DES_192_CBC3_SHA,
238 SSL3_CK_DH_DSS_DES_192_CBC3_SHA,
239 SSL_kDHd |SSL_aDH|SSL_3DES |SSL_SHA1|SSL_NOT_EXP|SSL_SSLV3|SSL_HIGH,
240 0,
241 SSL_ALL_CIPHERS,
242 },
243/* Cipher 0E */
244 {
245 0,
246 SSL3_TXT_DH_RSA_DES_40_CBC_SHA,
247 SSL3_CK_DH_RSA_DES_40_CBC_SHA,
248 SSL_kDHr |SSL_aDH|SSL_DES|SSL_SHA1|SSL_EXP|SSL_SSLV3,
249 0,
250 SSL_ALL_CIPHERS,
251 },
252/* Cipher 0F */
253 {
254 0,
255 SSL3_TXT_DH_RSA_DES_64_CBC_SHA,
256 SSL3_CK_DH_RSA_DES_64_CBC_SHA,
257 SSL_kDHr |SSL_aDH|SSL_DES |SSL_SHA1|SSL_NOT_EXP|SSL_SSLV3|SSL_LOW,
258 0,
259 SSL_ALL_CIPHERS,
260 },
261/* Cipher 10 */
262 {
263 0,
264 SSL3_TXT_DH_RSA_DES_192_CBC3_SHA,
265 SSL3_CK_DH_RSA_DES_192_CBC3_SHA,
266 SSL_kDHr |SSL_aDH|SSL_3DES |SSL_SHA1|SSL_NOT_EXP|SSL_SSLV3|SSL_HIGH,
267 0,
268 SSL_ALL_CIPHERS,
269 },
270
271/* The Ephemeral DH ciphers */
272/* Cipher 11 */
273 {
274 1,
275 SSL3_TXT_EDH_DSS_DES_40_CBC_SHA,
276 SSL3_CK_EDH_DSS_DES_40_CBC_SHA,
277 SSL_kEDH|SSL_aDSS|SSL_DES|SSL_SHA1|SSL_EXP|SSL_SSLV3,
278 0,
279 SSL_ALL_CIPHERS,
280 },
281/* Cipher 12 */
282 {
283 1,
284 SSL3_TXT_EDH_DSS_DES_64_CBC_SHA,
285 SSL3_CK_EDH_DSS_DES_64_CBC_SHA,
286 SSL_kEDH|SSL_aDSS|SSL_DES |SSL_SHA1|SSL_NOT_EXP|SSL_SSLV3|SSL_LOW,
287 0,
288 SSL_ALL_CIPHERS,
289 },
290/* Cipher 13 */
291 {
292 1,
293 SSL3_TXT_EDH_DSS_DES_192_CBC3_SHA,
294 SSL3_CK_EDH_DSS_DES_192_CBC3_SHA,
295 SSL_kEDH|SSL_aDSS|SSL_3DES |SSL_SHA1|SSL_NOT_EXP|SSL_SSLV3|SSL_HIGH,
296 0,
297 SSL_ALL_CIPHERS,
298 },
299/* Cipher 14 */
300 {
301 1,
302 SSL3_TXT_EDH_RSA_DES_40_CBC_SHA,
303 SSL3_CK_EDH_RSA_DES_40_CBC_SHA,
304 SSL_kEDH|SSL_aRSA|SSL_DES|SSL_SHA1|SSL_EXP|SSL_SSLV3,
305 0,
306 SSL_ALL_CIPHERS,
307 },
308/* Cipher 15 */
309 {
310 1,
311 SSL3_TXT_EDH_RSA_DES_64_CBC_SHA,
312 SSL3_CK_EDH_RSA_DES_64_CBC_SHA,
313 SSL_kEDH|SSL_aRSA|SSL_DES |SSL_SHA1|SSL_NOT_EXP|SSL_SSLV3|SSL_LOW,
314 0,
315 SSL_ALL_CIPHERS,
316 },
317/* Cipher 16 */
318 {
319 1,
320 SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA,
321 SSL3_CK_EDH_RSA_DES_192_CBC3_SHA,
322 SSL_kEDH|SSL_aRSA|SSL_3DES |SSL_SHA1|SSL_NOT_EXP|SSL_SSLV3|SSL_HIGH,
323 0,
324 SSL_ALL_CIPHERS,
325 },
326
327/* Fortezza */
328/* Cipher 1C */
329 {
330 0,
331 SSL3_TXT_FZA_DMS_NULL_SHA,
332 SSL3_CK_FZA_DMS_NULL_SHA,
333 SSL_kFZA|SSL_aFZA |SSL_eNULL |SSL_SHA1|SSL_NOT_EXP|SSL_SSLV3,
334 0,
335 SSL_ALL_CIPHERS,
336 },
337
338/* Cipher 1D */
339 {
340 0,
341 SSL3_TXT_FZA_DMS_FZA_SHA,
342 SSL3_CK_FZA_DMS_FZA_SHA,
343 SSL_kFZA|SSL_aFZA |SSL_eFZA |SSL_SHA1|SSL_NOT_EXP|SSL_SSLV3,
344 0,
345 SSL_ALL_CIPHERS,
346 },
347
348/* Cipher 1E */
349 {
350 0,
351 SSL3_TXT_FZA_DMS_RC4_SHA,
352 SSL3_CK_FZA_DMS_RC4_SHA,
353 SSL_kFZA|SSL_aFZA |SSL_RC4 |SSL_SHA1|SSL_NOT_EXP|SSL_SSLV3,
354 0,
355 SSL_ALL_CIPHERS,
356 },
357
358/* end of list */
359 };
360
361static SSL3_ENC_METHOD SSLv3_enc_data={
362 ssl3_enc,
363 ssl3_mac,
364 ssl3_setup_key_block,
365 ssl3_generate_master_secret,
366 ssl3_change_cipher_state,
367 ssl3_final_finish_mac,
368 MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH,
369 ssl3_cert_verify_mac,
370 SSL3_MD_CLIENT_FINISHED_CONST,4,
371 SSL3_MD_SERVER_FINISHED_CONST,4,
372 ssl3_alert_code,
373 };
374
375static SSL_METHOD SSLv3_data= {
376 SSL3_VERSION,
377 ssl3_new,
378 ssl3_clear,
379 ssl3_free,
380 ssl_undefined_function,
381 ssl_undefined_function,
382 ssl3_read,
383 ssl3_peek,
384 ssl3_write,
385 ssl3_shutdown,
386 ssl3_renegotiate,
387 ssl3_ctrl,
388 ssl3_ctx_ctrl,
389 ssl3_get_cipher_by_char,
390 ssl3_put_cipher_by_char,
391 ssl3_pending,
392 ssl3_num_ciphers,
393 ssl3_get_cipher,
394 ssl_bad_method,
395 ssl3_default_timeout,
396 &SSLv3_enc_data,
397 };
398
399static long ssl3_default_timeout()
400 {
401 /* 2 hours, the 24 hours mentioned in the SSLv3 spec
402 * is way too long for http, the cache would over fill */
403 return(60*60*2);
404 }
405
406SSL_METHOD *sslv3_base_method()
407 {
408 return(&SSLv3_data);
409 }
410
411int ssl3_num_ciphers()
412 {
413 return(SSL3_NUM_CIPHERS);
414 }
415
416SSL_CIPHER *ssl3_get_cipher(u)
417unsigned int u;
418 {
419 if (u < SSL3_NUM_CIPHERS)
420 return(&(ssl3_ciphers[SSL3_NUM_CIPHERS-1-u]));
421 else
422 return(NULL);
423 }
424
425/* The problem is that it may not be the correct record type */
426int ssl3_pending(s)
427SSL *s;
428 {
429 return(s->s3->rrec.length);
430 }
431
432int ssl3_new(s)
433SSL *s;
434 {
435 SSL3_CTX *s3;
436
437 if ((s3=(SSL3_CTX *)Malloc(sizeof(SSL3_CTX))) == NULL) goto err;
438 memset(s3,0,sizeof(SSL3_CTX));
439
440 s->s3=s3;
441 /*
442 s->s3->tmp.ca_names=NULL;
443 s->s3->tmp.key_block=NULL;
444 s->s3->tmp.key_block_length=0;
445 s->s3->rbuf.buf=NULL;
446 s->s3->wbuf.buf=NULL;
447 */
448
449 s->method->ssl_clear(s);
450 return(1);
451err:
452 return(0);
453 }
454
455void ssl3_free(s)
456SSL *s;
457 {
458 ssl3_cleanup_key_block(s);
459 if (s->s3->rbuf.buf != NULL)
460 Free(s->s3->rbuf.buf);
461 if (s->s3->wbuf.buf != NULL)
462 Free(s->s3->wbuf.buf);
463#ifndef NO_DH
464 if (s->s3->tmp.dh != NULL)
465 DH_free(s->s3->tmp.dh);
466#endif
467 if (s->s3->tmp.ca_names != NULL)
468 sk_pop_free(s->s3->tmp.ca_names,X509_NAME_free);
469 memset(s->s3,0,sizeof(SSL3_CTX));
470 Free(s->s3);
471 s->s3=NULL;
472 }
473
474void ssl3_clear(s)
475SSL *s;
476 {
477 unsigned char *rp,*wp;
478
479 ssl3_cleanup_key_block(s);
480 if (s->s3->tmp.ca_names != NULL)
481 sk_pop_free(s->s3->tmp.ca_names,X509_NAME_free);
482
483 rp=s->s3->rbuf.buf;
484 wp=s->s3->wbuf.buf;
485
486 memset(s->s3,0,sizeof(SSL3_CTX));
487 if (rp != NULL) s->s3->rbuf.buf=rp;
488 if (wp != NULL) s->s3->wbuf.buf=wp;
489 s->packet_length=0;
490 s->s3->renegotiate=0;
491 s->s3->total_renegotiations=0;
492 s->s3->num_renegotiations=0;
493 s->s3->in_read_app_data=0;
494 s->version=SSL3_VERSION;
495 }
496
497long ssl3_ctrl(s,cmd,larg,parg)
498SSL *s;
499int cmd;
500long larg;
501char *parg;
502 {
503 int ret=0;
504
505 switch (cmd)
506 {
507 case SSL_CTRL_GET_SESSION_REUSED:
508 ret=s->hit;
509 break;
510 case SSL_CTRL_GET_CLIENT_CERT_REQUEST:
511 break;
512 case SSL_CTRL_GET_NUM_RENEGOTIATIONS:
513 ret=s->s3->num_renegotiations;
514 break;
515 case SSL_CTRL_CLEAR_NUM_RENEGOTIATIONS:
516 ret=s->s3->num_renegotiations;
517 s->s3->num_renegotiations=0;
518 break;
519 case SSL_CTRL_GET_TOTAL_RENEGOTIATIONS:
520 ret=s->s3->total_renegotiations;
521 break;
522 default:
523 break;
524 }
525 return(ret);
526 }
527
528long ssl3_ctx_ctrl(ctx,cmd,larg,parg)
529SSL_CTX *ctx;
530int cmd;
531long larg;
532char *parg;
533 {
534 CERT *cert;
535
536 cert=ctx->default_cert;
537
538 switch (cmd)
539 {
540#ifndef NO_RSA
541 case SSL_CTRL_NEED_TMP_RSA:
542 if ( (cert->rsa_tmp == NULL) &&
543 ((cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL) ||
544 (EVP_PKEY_size(cert->pkeys[SSL_PKEY_RSA_ENC].privatekey) > (512/8)))
545 )
546 return(1);
547 else
548 return(0);
549 break;
550 case SSL_CTRL_SET_TMP_RSA:
551 {
552 RSA *rsa;
553 int i;
554
555 rsa=(RSA *)parg;
556 i=1;
557 if (rsa == NULL)
558 i=0;
559 else
560 {
561 if ((rsa=RSAPrivateKey_dup(rsa)) == NULL)
562 i=0;
563 }
564 if (!i)
565 {
566 SSLerr(SSL_F_SSL3_CTX_CTRL,ERR_R_RSA_LIB);
567 return(0);
568 }
569 else
570 {
571 if (cert->rsa_tmp != NULL)
572 RSA_free(cert->rsa_tmp);
573 cert->rsa_tmp=rsa;
574 return(1);
575 }
576 }
577 break;
578 case SSL_CTRL_SET_TMP_RSA_CB:
579 cert->rsa_tmp_cb=(RSA *(*)())parg;
580 break;
581#endif
582#ifndef NO_DH
583 case SSL_CTRL_SET_TMP_DH:
584 {
585 DH *new=NULL,*dh;
586
587 dh=(DH *)parg;
588 if ( ((new=DHparams_dup(dh)) == NULL) ||
589 (!DH_generate_key(new)))
590 {
591 SSLerr(SSL_F_SSL3_CTX_CTRL,ERR_R_DH_LIB);
592 if (new != NULL) DH_free(new);
593 return(0);
594 }
595 else
596 {
597 if (cert->dh_tmp != NULL)
598 DH_free(cert->dh_tmp);
599 cert->dh_tmp=new;
600 return(1);
601 }
602 }
603 break;
604 case SSL_CTRL_SET_TMP_DH_CB:
605 cert->dh_tmp_cb=(DH *(*)())parg;
606 break;
607#endif
608 default:
609 return(0);
610 }
611 return(1);
612 }
613
614/* This function needs to check if the ciphers required are actually
615 * available */
616SSL_CIPHER *ssl3_get_cipher_by_char(p)
617unsigned char *p;
618 {
619 static int init=1;
620 static SSL_CIPHER *sorted[SSL3_NUM_CIPHERS];
621 SSL_CIPHER c,*cp= &c,**cpp;
622 unsigned long id;
623 int i;
624
625 if (init)
626 {
627 init=0;
628
629 for (i=0; i<SSL3_NUM_CIPHERS; i++)
630 sorted[i]= &(ssl3_ciphers[i]);
631
632 qsort( (char *)sorted,
633 SSL3_NUM_CIPHERS,sizeof(SSL_CIPHER *),
634 FP_ICC ssl_cipher_ptr_id_cmp);
635 }
636
637 id=0x03000000L|((unsigned long)p[0]<<8L)|(unsigned long)p[1];
638 c.id=id;
639 cpp=(SSL_CIPHER **)OBJ_bsearch((char *)&cp,
640 (char *)sorted,
641 SSL3_NUM_CIPHERS,sizeof(SSL_CIPHER *),
642 (int (*)())ssl_cipher_ptr_id_cmp);
643 if ((cpp == NULL) || !(*cpp)->valid)
644 return(NULL);
645 else
646 return(*cpp);
647 }
648
649int ssl3_put_cipher_by_char(c,p)
650SSL_CIPHER *c;
651unsigned char *p;
652 {
653 long l;
654
655 if (p != NULL)
656 {
657 l=c->id;
658 if ((l & 0xff000000) != 0x03000000) return(0);
659 p[0]=((unsigned char)(l>> 8L))&0xFF;
660 p[1]=((unsigned char)(l ))&0xFF;
661 }
662 return(2);
663 }
664
665int ssl3_part_read(s,i)
666SSL *s;
667int i;
668 {
669 s->rwstate=SSL_READING;
670
671 if (i < 0)
672 {
673 return(i);
674 }
675 else
676 {
677 s->init_num+=i;
678 return(0);
679 }
680 }
681
682SSL_CIPHER *ssl3_choose_cipher(s,have,pref)
683SSL *s;
684STACK *have,*pref;
685 {
686 SSL_CIPHER *c,*ret=NULL;
687 int i,j,ok;
688 CERT *cert;
689 unsigned long alg,mask,emask;
690
691 /* Lets see which ciphers we can supported */
692 if (s->cert != NULL)
693 cert=s->cert;
694 else
695 cert=s->ctx->default_cert;
696
697 ssl_set_cert_masks(cert);
698 mask=cert->mask;
699 emask=cert->export_mask;
700
701 sk_set_cmp_func(pref,ssl_cipher_ptr_id_cmp);
702
703 for (i=0; i<sk_num(have); i++)
704 {
705 c=(SSL_CIPHER *)sk_value(have,i);
706 alg=c->algorithms&(SSL_MKEY_MASK|SSL_AUTH_MASK);
707 if (alg & SSL_EXPORT)
708 {
709 ok=((alg & emask) == alg)?1:0;
710#ifdef CIPHER_DEBUG
711 printf("%d:[%08lX:%08lX]%s\n",ok,alg,mask,c->name);
712#endif
713 }
714 else
715 {
716 ok=((alg & mask) == alg)?1:0;
717#ifdef CIPHER_DEBUG
718 printf("%d:[%08lX:%08lX]%s\n",ok,alg,mask,c->name);
719#endif
720 }
721
722 if (!ok) continue;
723
724 j=sk_find(pref,(char *)c);
725 if (j >= 0)
726 {
727 ret=(SSL_CIPHER *)sk_value(pref,j);
728 break;
729 }
730 }
731 return(ret);
732 }
733
734int ssl3_get_req_cert_type(s,p)
735SSL *s;
736unsigned char *p;
737 {
738 int ret=0;
739 unsigned long alg;
740
741 alg=s->s3->tmp.new_cipher->algorithms;
742
743#ifndef NO_DH
744 if (alg & (SSL_kDHr|SSL_kEDH))
745 {
746#ifndef NO_RSA
747 p[ret++]=SSL3_CT_RSA_FIXED_DH;
748#endif
749#ifndef NO_DSA
750 p[ret++]=SSL3_CT_DSS_FIXED_DH;
751#endif
752 }
753 if ((s->version == SSL3_VERSION) &&
754 (alg & (SSL_kEDH|SSL_kDHd|SSL_kDHr)))
755 {
756#ifndef NO_RSA
757 p[ret++]=SSL3_CT_RSA_EPHEMERAL_DH;
758#endif
759#ifndef NO_DSA
760 p[ret++]=SSL3_CT_DSS_EPHEMERAL_DH;
761#endif
762 }
763#endif /* !NO_DH */
764#ifndef NO_RSA
765 p[ret++]=SSL3_CT_RSA_SIGN;
766#endif
767 p[ret++]=SSL3_CT_DSS_SIGN;
768 return(ret);
769 }
770
771int ssl3_shutdown(s)
772SSL *s;
773 {
774
775 /* Don't do anything much if we have not done the handshake or
776 * we don't want to send messages :-) */
777 if ((s->quiet_shutdown) || (s->state == SSL_ST_BEFORE))
778 {
779 s->shutdown=(SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN);
780 return(1);
781 }
782
783 if (!(s->shutdown & SSL_SENT_SHUTDOWN))
784 {
785 s->shutdown|=SSL_SENT_SHUTDOWN;
786#if 1
787 ssl3_send_alert(s,SSL3_AL_WARNING,SSL_AD_CLOSE_NOTIFY);
788#endif
789 /* our shutdown alert has been sent now, and if it still needs
790 * to be written, s->s3->alert_dispatch will be true */
791 }
792 else if (s->s3->alert_dispatch)
793 {
794 /* resend it if not sent */
795#if 1
796 ssl3_dispatch_alert(s);
797#endif
798 }
799 else if (!(s->shutdown & SSL_RECEIVED_SHUTDOWN))
800 {
801 /* If we are waiting for a close from our peer, we are closed */
802 ssl3_read_bytes(s,0,NULL,0);
803 }
804
805 if ((s->shutdown == (SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN)) &&
806 !s->s3->alert_dispatch)
807 return(1);
808 else
809 return(0);
810 }
811
812int ssl3_write(s,buf,len)
813SSL *s;
814char *buf;
815int len;
816 {
817 int ret,n;
818 BIO *under;
819
820#if 0
821 if (s->shutdown & SSL_SEND_SHUTDOWN)
822 {
823 s->rwstate=SSL_NOTHING;
824 return(0);
825 }
826#endif
827 clear_sys_error();
828 if (s->s3->renegotiate) ssl3_renegotiate_check(s);
829
830 /* This is an experimental flag that sends the
831 * last handshake message in the same packet as the first
832 * use data - used to see if it helps the TCP protocol during
833 * session-id reuse */
834 /* The second test is because the buffer may have been removed */
835 if ((s->s3->flags & SSL3_FLAGS_POP_BUFFER) && (s->wbio == s->bbio))
836 {
837 /* First time through, we write into the buffer */
838 if (s->s3->delay_buf_pop_ret == 0)
839 {
840 ret=ssl3_write_bytes(s,SSL3_RT_APPLICATION_DATA,
841 (char *)buf,len);
842 if (ret <= 0) return(ret);
843
844 s->s3->delay_buf_pop_ret=ret;
845 }
846
847 s->rwstate=SSL_WRITING;
848 n=BIO_flush(s->wbio);
849 if (n <= 0) return(n);
850 s->rwstate=SSL_NOTHING;
851
852 /* We have flushed the buffer */
853 under=BIO_pop(s->wbio);
854 s->wbio=under;
855 BIO_free(s->bbio);
856 s->bbio=NULL;
857 ret=s->s3->delay_buf_pop_ret;
858 s->s3->delay_buf_pop_ret=0;
859
860 s->s3->flags&= ~SSL3_FLAGS_POP_BUFFER;
861 }
862 else
863 {
864 ret=ssl3_write_bytes(s,SSL3_RT_APPLICATION_DATA,
865 (char *)buf,len);
866 if (ret <= 0) return(ret);
867 }
868
869 return(ret);
870 }
871
872int ssl3_read(s,buf,len)
873SSL *s;
874char *buf;
875int len;
876 {
877 int ret;
878
879 clear_sys_error();
880 if (s->s3->renegotiate) ssl3_renegotiate_check(s);
881 s->s3->in_read_app_data=1;
882 ret=ssl3_read_bytes(s,SSL3_RT_APPLICATION_DATA,buf,len);
883 if ((ret == -1) && (s->s3->in_read_app_data == 0))
884 {
885 ERR_get_error(); /* clear the error */
886 s->s3->in_read_app_data=0;
887 s->in_handshake++;
888 ret=ssl3_read_bytes(s,SSL3_RT_APPLICATION_DATA,buf,len);
889 s->in_handshake--;
890 }
891 else
892 s->s3->in_read_app_data=0;
893
894 return(ret);
895 }
896
897int ssl3_peek(s,buf,len)
898SSL *s;
899char *buf;
900int len;
901 {
902 SSL3_RECORD *rr;
903 int n;
904
905 rr= &(s->s3->rrec);
906 if ((rr->length == 0) || (rr->type != SSL3_RT_APPLICATION_DATA))
907 {
908 n=ssl3_read(s,buf,1);
909 if (n <= 0) return(n);
910 rr->length++;
911 rr->off--;
912 }
913
914 if ((unsigned int)len > rr->length)
915 n=rr->length;
916 else
917 n=len;
918 memcpy(buf,&(rr->data[rr->off]),(unsigned int)n);
919 return(n);
920 }
921
922int ssl3_renegotiate(s)
923SSL *s;
924 {
925 if (s->handshake_func == NULL)
926 return(1);
927
928 if (s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS)
929 return(0);
930
931 s->s3->renegotiate=1;
932 return(1);
933 }
934
935int ssl3_renegotiate_check(s)
936SSL *s;
937 {
938 int ret=0;
939
940 if (s->s3->renegotiate)
941 {
942 if ( (s->s3->rbuf.left == 0) &&
943 (s->s3->wbuf.left == 0) &&
944 !SSL_in_init(s))
945 {
946/*
947if we are the server, and we have sent a 'RENEGOTIATE' message, we
948need to go to SSL_ST_ACCEPT.
949*/
950 /* SSL_ST_ACCEPT */
951 s->state=SSL_ST_RENEGOTIATE;
952 s->s3->renegotiate=0;
953 s->s3->num_renegotiations++;
954 s->s3->total_renegotiations++;
955 ret=1;
956 }
957 }
958 return(ret);
959 }
960
961
diff --git a/src/lib/libssl/s3_pkt.c b/src/lib/libssl/s3_pkt.c
new file mode 100644
index 0000000000..2385080347
--- /dev/null
+++ b/src/lib/libssl/s3_pkt.c
@@ -0,0 +1,1061 @@
1/* ssl/s3_pkt.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#include <stdio.h>
60#include <errno.h>
61#define USE_SOCKETS
62#include "evp.h"
63#include "buffer.h"
64#include "ssl_locl.h"
65
66/* SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_SSLV3_ALERT_PEER_ERROR_NO_CIPHER);
67 * SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_SSLV3_ALERT_PEER_ERROR_NO_CERTIFICATE);
68 * SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_SSLV3_ALERT_PEER_ERROR_CERTIFICATE);
69 * SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_SSLV3_ALERT_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE);
70 * SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_SSLV3_ALERT_UNKNOWN_REMOTE_ERROR_TYPE);
71 * SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_SSLV3_ALERT_UNEXPECTED_MESSAGE);
72 * SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_SSLV3_ALERT_BAD_RECORD_MAC);
73 * SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_SSLV3_ALERT_DECOMPRESSION_FAILURE);
74 * SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_SSLV3_ALERT_HANDSHAKE_FAILURE);
75 * SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_SSLV3_ALERT_NO_CERTIFICATE);
76 * SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_SSLV3_ALERT_BAD_CERTIFICATE);
77 * SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_SSLV3_ALERT_UNSUPPORTED_CERTIFICATE);
78 * SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_SSLV3_ALERT_CERTIFICATE_REVOKED);
79 * SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_SSLV3_ALERT_CERTIFICATE_EXPIRED);
80 * SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_SSLV3_ALERT_CERTIFICATE_UNKNOWN);
81 * SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_SSLV3_ALERT_ILLEGAL_PARAMETER);
82 */
83
84#ifndef NOPROTO
85static int do_ssl3_write(SSL *s, int type, char *buf, unsigned int len);
86static int ssl3_write_pending(SSL *s, int type, char *buf, unsigned int len);
87static int ssl3_get_record(SSL *s);
88static int do_compress(SSL *ssl);
89static int do_uncompress(SSL *ssl);
90static int do_change_cipher_spec(SSL *ssl);
91#else
92static int do_ssl3_write();
93static int ssl3_write_pending();
94static int ssl3_get_record();
95static int do_compress();
96static int do_uncompress();
97static int do_change_cipher_spec();
98#endif
99
100static int ssl3_read_n(s,n,max,extend)
101SSL *s;
102int n;
103int max;
104int extend;
105 {
106 int i,off,newb;
107
108 /* if there is stuff still in the buffer from a previous read,
109 * and there is more than we want, take some. */
110 if (s->s3->rbuf.left >= (int)n)
111 {
112 if (extend)
113 s->packet_length+=n;
114 else
115 {
116 s->packet= &(s->s3->rbuf.buf[s->s3->rbuf.offset]);
117 s->packet_length=n;
118 }
119 s->s3->rbuf.left-=n;
120 s->s3->rbuf.offset+=n;
121 return(n);
122 }
123
124 /* else we need to read more data */
125 if (!s->read_ahead) max=n;
126 if (max > SSL3_RT_MAX_PACKET_SIZE)
127 max=SSL3_RT_MAX_PACKET_SIZE;
128
129 /* First check if there is some left or we want to extend */
130 off=0;
131 if ( (s->s3->rbuf.left != 0) ||
132 ((s->packet_length != 0) && extend))
133 {
134 newb=s->s3->rbuf.left;
135 if (extend)
136 {
137 /* Copy bytes back to the front of the buffer
138 * Take the bytes already pointed to by 'packet'
139 * and take the extra ones on the end. */
140 off=s->packet_length;
141 if (s->packet != s->s3->rbuf.buf)
142 memcpy(s->s3->rbuf.buf,s->packet,newb+off);
143 }
144 else if (s->s3->rbuf.offset != 0)
145 { /* so the data is not at the start of the buffer */
146 memcpy(s->s3->rbuf.buf,
147 &(s->s3->rbuf.buf[s->s3->rbuf.offset]),newb);
148 s->s3->rbuf.offset=0;
149 }
150
151 s->s3->rbuf.left=0;
152 }
153 else
154 newb=0;
155
156 /* So we now have 'newb' bytes at the front of
157 * s->s3->rbuf.buf and need to read some more in on the end
158 * We start reading into the buffer at 's->s3->rbuf.offset'
159 */
160 s->packet=s->s3->rbuf.buf;
161
162 while (newb < n)
163 {
164 clear_sys_error();
165 if (s->rbio != NULL)
166 {
167 s->rwstate=SSL_READING;
168 i=BIO_read(s->rbio,
169 (char *)&(s->s3->rbuf.buf[off+newb]),
170 max-newb);
171 }
172 else
173 {
174 SSLerr(SSL_F_SSL3_READ_N,SSL_R_READ_BIO_NOT_SET);
175 i= -1;
176 }
177
178 if (i <= 0)
179 {
180 s->s3->rbuf.left+=newb;
181 return(i);
182 }
183 newb+=i;
184 }
185
186 /* record used data read */
187 if (newb > n)
188 {
189 s->s3->rbuf.offset=n+off;
190 s->s3->rbuf.left=newb-n;
191 }
192 else
193 {
194 s->s3->rbuf.offset=0;
195 s->s3->rbuf.left=0;
196 }
197
198 if (extend)
199 s->packet_length+=n;
200 else
201 s->packet_length+=n;
202 return(n);
203 }
204
205/* Call this to get a new input record.
206 * It will return <= 0 if more data is needed, normally due to an error
207 * or non-blocking IO.
208 * When it finishes, one packet has been decoded and can be found in
209 * ssl->s3->rrec.type - is the type of record
210 * ssl->s3->rrec.data, - data
211 * ssl->s3->rrec.length, - number of bytes
212 */
213static int ssl3_get_record(s)
214SSL *s;
215 {
216 char tmp_buf[512];
217 int ssl_major,ssl_minor,al;
218 int n,i,ret= -1;
219 SSL3_BUFFER *rb;
220 SSL3_RECORD *rr;
221 SSL_SESSION *sess;
222 unsigned char *p;
223 unsigned char md[EVP_MAX_MD_SIZE];
224 short version;
225 unsigned int mac_size;
226 int clear=0,extra;
227
228 rr= &(s->s3->rrec);
229 rb= &(s->s3->rbuf);
230 sess=s->session;
231
232 if (s->options & SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER)
233 extra=SSL3_RT_MAX_EXTRA;
234 else
235 extra=0;
236
237again:
238 /* check if we have the header */
239 if ( (s->rstate != SSL_ST_READ_BODY) ||
240 (s->packet_length < SSL3_RT_HEADER_LENGTH))
241 {
242 n=ssl3_read_n(s,SSL3_RT_HEADER_LENGTH,
243 SSL3_RT_MAX_PACKET_SIZE,0);
244 if (n <= 0) return(n); /* error or non-blocking */
245 s->rstate=SSL_ST_READ_BODY;
246
247 p=s->packet;
248
249 /* Pull apart the header into the SSL3_RECORD */
250 rr->type= *(p++);
251 ssl_major= *(p++);
252 ssl_minor= *(p++);
253 version=(ssl_major<<8)|ssl_minor;
254 n2s(p,rr->length);
255
256 /* Lets check version */
257 if (s->first_packet)
258 {
259 s->first_packet=0;
260 }
261 else
262 {
263 if (version != s->version)
264 {
265 SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_WRONG_VERSION_NUMBER);
266 /* Send back error using their
267 * version number :-) */
268 s->version=version;
269 al=SSL_AD_PROTOCOL_VERSION;
270 goto f_err;
271 }
272 }
273
274 if ((version>>8) != SSL3_VERSION_MAJOR)
275 {
276 SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_WRONG_VERSION_NUMBER);
277 goto err;
278 }
279
280 if (rr->length >
281 (unsigned int)SSL3_RT_MAX_ENCRYPTED_LENGTH+extra)
282 {
283 al=SSL_AD_RECORD_OVERFLOW;
284 SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_PACKET_LENGTH_TOO_LONG);
285 goto f_err;
286 }
287
288 s->rstate=SSL_ST_READ_BODY;
289 }
290
291 /* get and decode the data */
292 if (s->rstate == SSL_ST_READ_BODY)
293 {
294 if (rr->length > (s->packet_length-SSL3_RT_HEADER_LENGTH))
295 {
296 i=rr->length;
297 /*-(s->packet_length-SSL3_RT_HEADER_LENGTH); */
298 n=ssl3_read_n(s,i,i,1);
299 if (n <= 0) return(n); /* error or non-blocking io */
300 }
301 s->rstate=SSL_ST_READ_HEADER;
302 }
303
304 /* At this point, we have the data in s->packet and there should be
305 * s->packet_length bytes, we must not 'overrun' this buffer :-)
306 * One of the following functions will copy the data from the
307 * s->packet buffer */
308
309 rr->input= &(s->packet[SSL3_RT_HEADER_LENGTH]);
310
311 /* ok, we can now read from 's->packet' data into 'rr'
312 * rr->input points at rr->length bytes, which
313 * need to be copied into rr->data by either
314 * the decryption or by the decompression
315 * When the data is 'copied' into the rr->data buffer,
316 * rr->input will be pointed at the new buffer */
317
318 /* Set the state for the following operations */
319 s->rstate=SSL_ST_READ_HEADER;
320
321 /* We now have - encrypted [ MAC [ compressed [ plain ] ] ]
322 * rr->length bytes of encrypted compressed stuff. */
323
324 /* check is not needed I belive */
325 if (rr->length > (unsigned int)SSL3_RT_MAX_ENCRYPTED_LENGTH+extra)
326 {
327 al=SSL_AD_RECORD_OVERFLOW;
328 SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_ENCRYPTED_LENGTH_TOO_LONG);
329 goto f_err;
330 }
331
332 /* decrypt in place in 'rr->input' */
333 rr->data=rr->input;
334 memcpy(tmp_buf,rr->input,(rr->length > 512)?512:rr->length);
335
336 if (!s->method->ssl3_enc->enc(s,0))
337 {
338 al=SSL_AD_DECRYPT_ERROR;
339 goto f_err;
340 }
341#ifdef TLS_DEBUG
342printf("dec %d\n",rr->length);
343{ int z; for (z=0; z<rr->length; z++) printf("%02X%c",rr->data[z],((z+1)%16)?' ':'\n'); }
344printf("\n");
345#endif
346 /* r->length is now the compressed data plus mac */
347 if ( (sess == NULL) ||
348 (s->enc_read_ctx == NULL) ||
349 (s->read_hash == NULL))
350 clear=1;
351
352 if (!clear)
353 {
354 mac_size=EVP_MD_size(s->read_hash);
355
356 if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH+extra+mac_size)
357 {
358 al=SSL_AD_RECORD_OVERFLOW;
359 SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_PRE_MAC_LENGTH_TOO_LONG);
360 goto f_err;
361 }
362 /* check MAC for rr->input' */
363 if (rr->length < mac_size)
364 {
365 al=SSL_AD_DECODE_ERROR;
366 SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_LENGTH_TOO_SHORT);
367 goto f_err;
368 }
369 rr->length-=mac_size;
370 i=s->method->ssl3_enc->mac(s,md,0);
371 if (memcmp(md,&(rr->data[rr->length]),mac_size) != 0)
372 {
373 al=SSL_AD_BAD_RECORD_MAC;
374 SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_BAD_MAC_DECODE);
375 ret= -1;
376 goto f_err;
377 }
378 }
379
380 /* r->length is now just compressed */
381 if ((sess != NULL) && (sess->read_compression != NULL))
382 {
383 if (rr->length >
384 (unsigned int)SSL3_RT_MAX_COMPRESSED_LENGTH+extra)
385 {
386 al=SSL_AD_RECORD_OVERFLOW;
387 SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_COMPRESSED_LENGTH_TOO_LONG);
388 goto f_err;
389 }
390 if (!do_uncompress(s))
391 {
392 al=SSL_AD_DECOMPRESSION_FAILURE;
393 SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_BAD_DECOMPRESSION);
394 goto f_err;
395 }
396 }
397
398 if (rr->length > (unsigned int)SSL3_RT_MAX_PLAIN_LENGTH+extra)
399 {
400 al=SSL_AD_RECORD_OVERFLOW;
401 SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_DATA_LENGTH_TOO_LONG);
402 goto f_err;
403 }
404
405 rr->off=0;
406 /* So at this point the following is true
407 * ssl->s3->rrec.type is the type of record
408 * ssl->s3->rrec.length == number of bytes in record
409 * ssl->s3->rrec.off == offset to first valid byte
410 * ssl->s3->rrec.data == where to take bytes from, increment
411 * after use :-).
412 */
413
414 /* we have pulled in a full packet so zero things */
415 s->packet_length=0;
416
417 /* just read a 0 length packet */
418 if (rr->length == 0) goto again;
419
420 return(1);
421f_err:
422 ssl3_send_alert(s,SSL3_AL_FATAL,al);
423err:
424 return(ret);
425 }
426
427static int do_uncompress(ssl)
428SSL *ssl;
429 {
430 return(1);
431 }
432
433static int do_compress(ssl)
434SSL *ssl;
435 {
436 return(1);
437 }
438
439/* Call this to write data
440 * It will return <= 0 if not all data has been sent or non-blocking IO.
441 */
442int ssl3_write_bytes(s,type,buf,len)
443SSL *s;
444int type;
445char *buf;
446int len;
447 {
448 unsigned int tot,n,nw;
449 int i;
450
451 s->rwstate=SSL_NOTHING;
452 tot=s->s3->wnum;
453 s->s3->wnum=0;
454
455 if (SSL_in_init(s) && !s->in_handshake)
456 {
457 i=s->handshake_func(s);
458 if (i < 0) return(i);
459 if (i == 0)
460 {
461 SSLerr(SSL_F_SSL3_WRITE_BYTES,SSL_R_SSL_HANDSHAKE_FAILURE);
462 return(-1);
463 }
464 }
465
466 n=(len-tot);
467 for (;;)
468 {
469 if (n > SSL3_RT_MAX_PLAIN_LENGTH)
470 nw=SSL3_RT_MAX_PLAIN_LENGTH;
471 else
472 nw=n;
473
474 i=do_ssl3_write(s,type,&(buf[tot]),nw);
475 if (i <= 0)
476 {
477 s->s3->wnum=tot;
478 return(i);
479 }
480
481 if (type == SSL3_RT_HANDSHAKE)
482 ssl3_finish_mac(s,(unsigned char *)&(buf[tot]),i);
483
484 if (i == (int)n) return(tot+i);
485
486 n-=i;
487 tot+=i;
488 }
489 }
490
491static int do_ssl3_write(s,type,buf,len)
492SSL *s;
493int type;
494char *buf;
495unsigned int len;
496 {
497 unsigned char *p,*plen;
498 int i,mac_size,clear=0;
499 SSL3_RECORD *wr;
500 SSL3_BUFFER *wb;
501 SSL_SESSION *sess;
502
503 /* first check is there is a SSL3_RECORD still being written
504 * out. This will happen with non blocking IO */
505 if (s->s3->wbuf.left != 0)
506 return(ssl3_write_pending(s,type,buf,len));
507
508 /* If we have an alert to send, lets send it */
509 if (s->s3->alert_dispatch)
510 {
511 i=ssl3_dispatch_alert(s);
512 if (i <= 0)
513 return(i);
514 /* if it went, fall through and send more stuff */
515 }
516
517 if (len <= 0) return(len);
518
519 wr= &(s->s3->wrec);
520 wb= &(s->s3->wbuf);
521 sess=s->session;
522
523 if ( (sess == NULL) ||
524 (s->enc_write_ctx == NULL) ||
525 (s->write_hash == NULL))
526 clear=1;
527
528 if (clear)
529 mac_size=0;
530 else
531 mac_size=EVP_MD_size(s->write_hash);
532
533 p=wb->buf;
534
535 /* write the header */
536 *(p++)=type&0xff;
537 wr->type=type;
538
539 *(p++)=(s->version>>8);
540 *(p++)=s->version&0xff;
541
542 /* record where we are to write out packet length */
543 plen=p;
544 p+=2;
545
546 /* lets setup the record stuff. */
547 wr->data=p;
548 wr->length=(int)len;
549 wr->input=(unsigned char *)buf;
550
551 /* we now 'read' from wr->input, wr->length bytes into
552 * wr->data */
553
554 /* first we compress */
555 if ((sess != NULL) && (sess->write_compression != NULL))
556 {
557 if (!do_compress(s))
558 {
559 SSLerr(SSL_F_DO_SSL3_WRITE,SSL_R_COMPRESSION_FAILURE);
560 goto err;
561 }
562 }
563 else
564 {
565 memcpy(wr->data,wr->input,wr->length);
566 wr->input=wr->data;
567 }
568
569 /* we should still have the output to wr->data and the input
570 * from wr->input. Length should be wr->length.
571 * wr->data still points in the wb->buf */
572
573 if (mac_size != 0)
574 {
575 s->method->ssl3_enc->mac(s,&(p[wr->length]),1);
576 wr->length+=mac_size;
577 wr->input=p;
578 wr->data=p;
579 }
580
581 /* ssl3_enc can only have an error on read */
582 s->method->ssl3_enc->enc(s,1);
583
584 /* record length after mac and block padding */
585 s2n(wr->length,plen);
586
587 /* we should now have
588 * wr->data pointing to the encrypted data, which is
589 * wr->length long */
590 wr->type=type; /* not needed but helps for debugging */
591 wr->length+=SSL3_RT_HEADER_LENGTH;
592
593 /* Now lets setup wb */
594 wb->left=wr->length;
595 wb->offset=0;
596
597 s->s3->wpend_tot=len;
598 s->s3->wpend_buf=buf;
599 s->s3->wpend_type=type;
600 s->s3->wpend_ret=len;
601
602 /* we now just need to write the buffer */
603 return(ssl3_write_pending(s,type,buf,len));
604err:
605 return(-1);
606 }
607
608/* if s->s3->wbuf.left != 0, we need to call this */
609static int ssl3_write_pending(s,type,buf,len)
610SSL *s;
611int type;
612char *buf;
613unsigned int len;
614 {
615 int i;
616
617/* XXXX */
618 if ((s->s3->wpend_tot > (int)len) || (s->s3->wpend_buf != buf)
619 || (s->s3->wpend_type != type))
620 {
621 SSLerr(SSL_F_SSL3_WRITE_PENDING,SSL_R_BAD_WRITE_RETRY);
622 return(-1);
623 }
624
625 for (;;)
626 {
627 clear_sys_error();
628 if (s->wbio != NULL)
629 {
630 s->rwstate=SSL_WRITING;
631 i=BIO_write(s->wbio,
632 (char *)&(s->s3->wbuf.buf[s->s3->wbuf.offset]),
633 (unsigned int)s->s3->wbuf.left);
634 }
635 else
636 {
637 SSLerr(SSL_F_SSL3_WRITE_PENDING,SSL_R_BIO_NOT_SET);
638 i= -1;
639 }
640 if (i == s->s3->wbuf.left)
641 {
642 s->s3->wbuf.left=0;
643 s->rwstate=SSL_NOTHING;
644 return(s->s3->wpend_ret);
645 }
646 else if (i <= 0)
647 return(i);
648 s->s3->wbuf.offset+=i;
649 s->s3->wbuf.left-=i;
650 }
651 }
652
653int ssl3_read_bytes(s,type,buf,len)
654SSL *s;
655int type;
656char *buf;
657int len;
658 {
659 int al,i,j,n,ret;
660 SSL3_RECORD *rr;
661 void (*cb)()=NULL;
662 BIO *bio;
663
664 if (s->s3->rbuf.buf == NULL) /* Not initalised yet */
665 if (!ssl3_setup_buffers(s))
666 return(-1);
667
668 if (!s->in_handshake && SSL_in_init(s))
669 {
670 i=s->handshake_func(s);
671 if (i < 0) return(i);
672 if (i == 0)
673 {
674 SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_SSL_HANDSHAKE_FAILURE);
675 return(-1);
676 }
677 }
678start:
679 s->rwstate=SSL_NOTHING;
680
681 /* s->s3->rrec.type - is the type of record
682 * s->s3->rrec.data, - data
683 * s->s3->rrec.off, - ofset into 'data' for next read
684 * s->s3->rrec.length, - number of bytes. */
685 rr= &(s->s3->rrec);
686
687 /* get new packet */
688 if ((rr->length == 0) || (s->rstate == SSL_ST_READ_BODY))
689 {
690 ret=ssl3_get_record(s);
691 if (ret <= 0) return(ret);
692 }
693
694 /* we now have a packet which can be read and processed */
695
696 if (s->s3->change_cipher_spec && (rr->type != SSL3_RT_HANDSHAKE))
697 {
698 al=SSL_AD_UNEXPECTED_MESSAGE;
699 SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_DATA_BETWEEN_CCS_AND_FINISHED);
700 goto err;
701 }
702
703 /* If the other end has shutdown, throw anything we read away */
704 if (s->shutdown & SSL_RECEIVED_SHUTDOWN)
705 {
706 rr->length=0;
707 s->rwstate=SSL_NOTHING;
708 return(0);
709 }
710
711 /* Check for an incoming 'Client Request' message */
712 if ((rr->type == SSL3_RT_HANDSHAKE) && (rr->length == 4) &&
713 (rr->data[0] == SSL3_MT_CLIENT_REQUEST) &&
714 (s->session != NULL) && (s->session->cipher != NULL))
715 {
716 if ((rr->data[1] != 0) || (rr->data[2] != 0) ||
717 (rr->data[3] != 0))
718 {
719 al=SSL_AD_DECODE_ERROR;
720 SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_BAD_CLIENT_REQUEST);
721 goto err;
722 }
723
724 if (SSL_is_init_finished(s) &&
725 !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) &&
726 !s->s3->renegotiate)
727 {
728 ssl3_renegotiate(s);
729 if (ssl3_renegotiate_check(s))
730 {
731 n=s->handshake_func(s);
732 if (n < 0) return(n);
733 if (n == 0)
734 {
735 SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_SSL_HANDSHAKE_FAILURE);
736 return(-1);
737 }
738 }
739 }
740 rr->length=0;
741/* ZZZ */ goto start;
742 }
743
744 /* if it is not the type we want, or we have shutdown and want
745 * the peer shutdown */
746 if ((rr->type != type) || (s->shutdown & SSL_SENT_SHUTDOWN))
747 {
748 if (rr->type == SSL3_RT_ALERT)
749 {
750 if ((rr->length != 2) || (rr->off != 0))
751 {
752 al=SSL_AD_DECODE_ERROR;
753 SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_BAD_ALERT_RECORD);
754 goto f_err;
755 }
756
757 i=rr->data[0];
758 n=rr->data[1];
759
760 /* clear from buffer */
761 rr->length=0;
762
763 if (s->info_callback != NULL)
764 cb=s->info_callback;
765 else if (s->ctx->info_callback != NULL)
766 cb=s->ctx->info_callback;
767
768 if (cb != NULL)
769 {
770 j=(i<<8)|n;
771 cb(s,SSL_CB_READ_ALERT,j);
772 }
773
774 if (i == 1)
775 {
776 s->s3->warn_alert=n;
777 if (n == SSL_AD_CLOSE_NOTIFY)
778 {
779 s->shutdown|=SSL_RECEIVED_SHUTDOWN;
780 return(0);
781 }
782 }
783 else if (i == 2)
784 {
785 char tmp[16];
786
787 s->rwstate=SSL_NOTHING;
788 s->s3->fatal_alert=n;
789 SSLerr(SSL_F_SSL3_READ_BYTES,1000+n);
790 sprintf(tmp,"%d",n);
791 ERR_add_error_data(2,"SSL alert number ",tmp);
792 s->shutdown|=SSL_RECEIVED_SHUTDOWN;
793 SSL_CTX_remove_session(s->ctx,s->session);
794 return(0);
795 }
796 else
797 {
798 al=SSL_AD_ILLEGAL_PARAMETER;
799 SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_UNKNOWN_ALERT_TYPE);
800 goto f_err;
801 }
802
803 rr->length=0;
804 goto start;
805 }
806
807 if (s->shutdown & SSL_SENT_SHUTDOWN)
808 {
809 s->rwstate=SSL_NOTHING;
810 rr->length=0;
811 return(0);
812 }
813
814 if (rr->type == SSL3_RT_CHANGE_CIPHER_SPEC)
815 {
816 if ( (rr->length != 1) || (rr->off != 0) ||
817 (rr->data[0] != SSL3_MT_CCS))
818 {
819 i=SSL_AD_ILLEGAL_PARAMETER;
820 SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_BAD_CHANGE_CIPHER_SPEC);
821 goto err;
822 }
823
824 rr->length=0;
825 s->s3->change_cipher_spec=1;
826 if (!do_change_cipher_spec(s))
827 goto err;
828 else
829 goto start;
830 }
831
832 /* else we have a handshake */
833 if ((rr->type == SSL3_RT_HANDSHAKE) &&
834 !s->in_handshake)
835 {
836 if (((s->state&SSL_ST_MASK) == SSL_ST_OK) &&
837 !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS))
838 {
839 s->state=SSL_ST_BEFORE;
840 s->new_session=1;
841 }
842 n=s->handshake_func(s);
843 if (n < 0) return(n);
844 if (n == 0)
845 {
846 SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_SSL_HANDSHAKE_FAILURE);
847 return(-1);
848 }
849
850 /* In the case where we try to read application data
851 * the first time, but we trigger an SSL handshake, we
852 * return -1 with the retry option set. I do this
853 * otherwise renegotiation can cause nasty problems
854 * in the non-blocking world */
855
856 s->rwstate=SSL_READING;
857 bio=SSL_get_rbio(s);
858 BIO_clear_retry_flags(bio);
859 BIO_set_retry_read(bio);
860 return(-1);
861 }
862
863 switch (rr->type)
864 {
865 default:
866#ifndef NO_TLS
867 /* TLS just ignores unknown message types */
868 if (s->version == TLS1_VERSION)
869 {
870 goto start;
871 }
872#endif
873 case SSL3_RT_CHANGE_CIPHER_SPEC:
874 case SSL3_RT_ALERT:
875 case SSL3_RT_HANDSHAKE:
876 al=SSL_AD_UNEXPECTED_MESSAGE;
877 SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_UNEXPECTED_RECORD);
878 goto f_err;
879 case SSL3_RT_APPLICATION_DATA:
880 /* At this point, we were expecting something else,
881 * but have application data. What we do is set the
882 * error, and return -1. On the way out, if the
883 * library was running inside ssl3_read() and it makes
884 * sense to read application data at this point, we
885 * will indulge it. This will mostly happen during
886 * session renegotiation.
887 */
888 if (s->s3->in_read_app_data &&
889 (s->s3->total_renegotiations != 0) &&
890 ((
891 (s->state & SSL_ST_CONNECT) &&
892 (s->state >= SSL3_ST_CW_CLNT_HELLO_A) &&
893 (s->state <= SSL3_ST_CR_SRVR_HELLO_A)
894 ) || (
895 (s->state & SSL_ST_ACCEPT) &&
896 (s->state <= SSL3_ST_SW_HELLO_REQ_A) &&
897 (s->state >= SSL3_ST_SR_CLNT_HELLO_A)
898 )
899 ))
900 {
901 s->s3->in_read_app_data=0;
902 return(-1);
903 }
904 else
905 {
906 al=SSL_AD_UNEXPECTED_MESSAGE;
907 SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_UNEXPECTED_RECORD);
908 goto f_err;
909 }
910 }
911 }
912
913 /* make sure that we are not getting application data when we
914 * are doing a handshake for the first time */
915 if (SSL_in_init(s) && (type == SSL3_RT_APPLICATION_DATA) &&
916 (s->enc_read_ctx == NULL))
917 {
918 al=SSL_AD_UNEXPECTED_MESSAGE;
919 SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_APP_DATA_IN_HANDSHAKE);
920 goto f_err;
921 }
922
923 if (len <= 0) return(len);
924
925 if ((unsigned int)len > rr->length)
926 n=rr->length;
927 else
928 n=len;
929
930 memcpy(buf,&(rr->data[rr->off]),(unsigned int)n);
931 rr->length-=n;
932 rr->off+=n;
933 if (rr->length <= 0)
934 {
935 s->rstate=SSL_ST_READ_HEADER;
936 rr->off=0;
937 }
938
939 if (type == SSL3_RT_HANDSHAKE)
940 ssl3_finish_mac(s,(unsigned char *)buf,n);
941 return(n);
942f_err:
943 ssl3_send_alert(s,SSL3_AL_FATAL,al);
944err:
945 return(-1);
946 }
947
948static int do_change_cipher_spec(s)
949SSL *s;
950 {
951 int i;
952 unsigned char *sender;
953 int slen;
954
955 if (s->state & SSL_ST_ACCEPT)
956 i=SSL3_CHANGE_CIPHER_SERVER_READ;
957 else
958 i=SSL3_CHANGE_CIPHER_CLIENT_READ;
959
960 if (s->s3->tmp.key_block == NULL)
961 {
962 s->session->cipher=s->s3->tmp.new_cipher;
963 if (!s->method->ssl3_enc->setup_key_block(s)) return(0);
964 }
965
966 if (!s->method->ssl3_enc->change_cipher_state(s,i))
967 return(0);
968
969 /* we have to record the message digest at
970 * this point so we can get it before we read
971 * the finished message */
972 if (s->state & SSL_ST_CONNECT)
973 {
974 sender=s->method->ssl3_enc->server_finished;
975 slen=s->method->ssl3_enc->server_finished_len;
976 }
977 else
978 {
979 sender=s->method->ssl3_enc->client_finished;
980 slen=s->method->ssl3_enc->client_finished_len;
981 }
982
983 s->method->ssl3_enc->final_finish_mac(s,
984 &(s->s3->finish_dgst1),
985 &(s->s3->finish_dgst2),
986 sender,slen,&(s->s3->tmp.finish_md[0]));
987
988 return(1);
989 }
990
991int ssl3_do_write(s,type)
992SSL *s;
993int type;
994 {
995 int ret;
996
997 ret=ssl3_write_bytes(s,type,(char *)
998 &(s->init_buf->data[s->init_off]),s->init_num);
999 if (ret == s->init_num)
1000 return(1);
1001 if (ret < 0) return(-1);
1002 s->init_off+=ret;
1003 s->init_num-=ret;
1004 return(0);
1005 }
1006
1007void ssl3_send_alert(s,level,desc)
1008SSL *s;
1009int level;
1010int desc;
1011 {
1012 /* Map tls/ssl alert value to correct one */
1013 desc=s->method->ssl3_enc->alert_value(desc);
1014 if (desc < 0) return;
1015 /* If a fatal one, remove from cache */
1016 if ((level == 2) && (s->session != NULL))
1017 SSL_CTX_remove_session(s->ctx,s->session);
1018
1019 s->s3->alert_dispatch=1;
1020 s->s3->send_alert[0]=level;
1021 s->s3->send_alert[1]=desc;
1022 if (s->s3->wbuf.left == 0) /* data still being written out */
1023 ssl3_dispatch_alert(s);
1024 /* else data is still being written out, we will get written
1025 * some time in the future */
1026 }
1027
1028int ssl3_dispatch_alert(s)
1029SSL *s;
1030 {
1031 int i,j;
1032 void (*cb)()=NULL;
1033
1034 s->s3->alert_dispatch=0;
1035 i=do_ssl3_write(s,SSL3_RT_ALERT,&(s->s3->send_alert[0]),2);
1036 if (i <= 0)
1037 {
1038 s->s3->alert_dispatch=1;
1039 }
1040 else
1041 {
1042 /* If it is important, send it now. If the message
1043 * does not get sent due to non-blocking IO, we will
1044 * not worry too much. */
1045 if (s->s3->send_alert[0] == SSL3_AL_FATAL)
1046 BIO_flush(s->wbio);
1047
1048 if (s->info_callback != NULL)
1049 cb=s->info_callback;
1050 else if (s->ctx->info_callback != NULL)
1051 cb=s->ctx->info_callback;
1052
1053 if (cb != NULL)
1054 {
1055 j=(s->s3->send_alert[0]<<8)|s->s3->send_alert[1];
1056 cb(s,SSL_CB_WRITE_ALERT,j);
1057 }
1058 }
1059 return(i);
1060 }
1061
diff --git a/src/lib/libssl/s3_srvr.c b/src/lib/libssl/s3_srvr.c
new file mode 100644
index 0000000000..64903af151
--- /dev/null
+++ b/src/lib/libssl/s3_srvr.c
@@ -0,0 +1,1675 @@
1/* ssl/s3_srvr.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#define REUSE_CIPHER_BUG
60
61#include <stdio.h>
62#include "buffer.h"
63#include "rand.h"
64#include "objects.h"
65#include "evp.h"
66#include "x509.h"
67#include "ssl_locl.h"
68
69#define BREAK break
70/* SSLerr(SSL_F_SSL3_ACCEPT,ERR_R_MALLOC_FAILURE);
71 * SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,ERR_R_MALLOC_FAILURE);
72 * SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE);
73 * SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,ERR_R_MALLOC_FAILURE);
74 * SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,ERR_R_MALLOC_FAILURE);
75 */
76
77#ifndef NOPROTO
78static int ssl3_get_client_hello(SSL *s);
79static int ssl3_send_server_hello(SSL *s);
80static int ssl3_send_server_key_exchange(SSL *s);
81static int ssl3_send_certificate_request(SSL *s);
82static int ssl3_send_server_done(SSL *s);
83static int ssl3_get_cert_verify(SSL *s);
84static int ssl3_get_client_key_exchange(SSL *s);
85static int ssl3_get_client_certificate(SSL *s);
86static int ssl3_send_hello_request(SSL *s);
87
88#else
89
90static int ssl3_get_client_hello();
91static int ssl3_send_server_hello();
92static int ssl3_send_server_key_exchange();
93static int ssl3_send_certificate_request();
94static int ssl3_send_server_done();
95static int ssl3_get_cert_verify();
96static int ssl3_get_client_key_exchange();
97static int ssl3_get_client_certificate();
98static int ssl3_send_hello_request();
99
100#endif
101
102static SSL_METHOD *ssl3_get_server_method(ver)
103int ver;
104 {
105 if (ver == SSL3_VERSION)
106 return(SSLv3_server_method());
107 else
108 return(NULL);
109 }
110
111SSL_METHOD *SSLv3_server_method()
112 {
113 static int init=1;
114 static SSL_METHOD SSLv3_server_data;
115
116 if (init)
117 {
118 init=0;
119 memcpy((char *)&SSLv3_server_data,(char *)sslv3_base_method(),
120 sizeof(SSL_METHOD));
121 SSLv3_server_data.ssl_accept=ssl3_accept;
122 SSLv3_server_data.get_ssl_method=ssl3_get_server_method;
123 }
124 return(&SSLv3_server_data);
125 }
126
127int ssl3_accept(s)
128SSL *s;
129 {
130 BUF_MEM *buf;
131 unsigned long l,Time=time(NULL);
132 void (*cb)()=NULL;
133 long num1;
134 int ret= -1;
135 CERT *ct;
136 BIO *under;
137 int new_state,state,skip=0;
138
139 RAND_seed((unsigned char *)&Time,sizeof(Time));
140 ERR_clear_error();
141 clear_sys_error();
142
143 if (s->info_callback != NULL)
144 cb=s->info_callback;
145 else if (s->ctx->info_callback != NULL)
146 cb=s->ctx->info_callback;
147
148 /* init things to blank */
149 if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s);
150 s->in_handshake++;
151
152#ifdef undef
153 /* FIX THIS EAY EAY EAY */
154 /* we don't actually need a cert, we just need a cert or a DH_tmp */
155 if (((s->session == NULL) || (s->session->cert == NULL)) &&
156 (s->cert == NULL))
157 {
158 SSLerr(SSL_F_SSL3_ACCEPT,SSL_R_NO_CERTIFICATE_SET);
159 ret= -1;
160 goto end;
161 }
162#endif
163
164 for (;;)
165 {
166 state=s->state;
167
168 switch (s->state)
169 {
170 case SSL_ST_RENEGOTIATE:
171 s->new_session=1;
172 /* s->state=SSL_ST_ACCEPT; */
173
174 case SSL_ST_BEFORE:
175 case SSL_ST_ACCEPT:
176 case SSL_ST_BEFORE|SSL_ST_ACCEPT:
177 case SSL_ST_OK|SSL_ST_ACCEPT:
178
179 if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1);
180
181 if ((s->version>>8) != 3)
182 abort();
183 /* s->version=SSL3_VERSION; */
184 s->type=SSL_ST_ACCEPT;
185
186 if (s->init_buf == NULL)
187 {
188 if ((buf=BUF_MEM_new()) == NULL)
189 {
190 ret= -1;
191 goto end;
192 }
193 if (!BUF_MEM_grow(buf,SSL3_RT_MAX_PLAIN_LENGTH))
194 {
195 ret= -1;
196 goto end;
197 }
198 s->init_buf=buf;
199 }
200
201 if (!ssl3_setup_buffers(s))
202 {
203 ret= -1;
204 goto end;
205 }
206
207 /* Ok, we now need to push on a buffering BIO so that
208 * the output is sent in a way that TCP likes :-)
209 */
210 if (!ssl_init_wbio_buffer(s,1)) { ret= -1; goto end; }
211
212 s->init_num=0;
213
214 if (s->state != SSL_ST_RENEGOTIATE)
215 {
216 s->state=SSL3_ST_SR_CLNT_HELLO_A;
217 ssl3_init_finished_mac(s);
218 s->ctx->sess_accept++;
219 }
220 else
221 {
222 s->ctx->sess_accept_renegotiate++;
223 s->state=SSL3_ST_SW_HELLO_REQ_A;
224 }
225 break;
226
227 case SSL3_ST_SW_HELLO_REQ_A:
228 case SSL3_ST_SW_HELLO_REQ_B:
229
230 s->shutdown=0;
231 ret=ssl3_send_hello_request(s);
232 if (ret <= 0) goto end;
233 s->s3->tmp.next_state=SSL3_ST_SW_HELLO_REQ_C;
234 s->state=SSL3_ST_SW_FLUSH;
235 s->init_num=0;
236
237 ssl3_init_finished_mac(s);
238 break;
239
240 case SSL3_ST_SW_HELLO_REQ_C:
241 /* remove buffering on output */
242 under=BIO_pop(s->wbio);
243 if (under != NULL)
244 s->wbio=under;
245 else
246 abort(); /* ok */
247 BIO_free(s->bbio);
248 s->bbio=NULL;
249
250 s->state=SSL_ST_OK;
251 ret=1;
252 goto end;
253 /* break; */
254
255 case SSL3_ST_SR_CLNT_HELLO_A:
256 case SSL3_ST_SR_CLNT_HELLO_B:
257 case SSL3_ST_SR_CLNT_HELLO_C:
258
259 s->shutdown=0;
260 ret=ssl3_get_client_hello(s);
261 if (ret <= 0) goto end;
262 s->state=SSL3_ST_SW_SRVR_HELLO_A;
263 s->init_num=0;
264 break;
265
266 case SSL3_ST_SW_SRVR_HELLO_A:
267 case SSL3_ST_SW_SRVR_HELLO_B:
268 ret=ssl3_send_server_hello(s);
269 if (ret <= 0) goto end;
270
271 if (s->hit)
272 s->state=SSL3_ST_SW_CHANGE_A;
273 else
274 s->state=SSL3_ST_SW_CERT_A;
275 s->init_num=0;
276 break;
277
278 case SSL3_ST_SW_CERT_A:
279 case SSL3_ST_SW_CERT_B:
280 /* Check if it is anon DH */
281 if (!(s->s3->tmp.new_cipher->algorithms & SSL_aNULL))
282 {
283 ret=ssl3_send_server_certificate(s);
284 if (ret <= 0) goto end;
285 }
286 else
287 skip=1;
288 s->state=SSL3_ST_SW_KEY_EXCH_A;
289 s->init_num=0;
290 break;
291
292 case SSL3_ST_SW_KEY_EXCH_A:
293 case SSL3_ST_SW_KEY_EXCH_B:
294 l=s->s3->tmp.new_cipher->algorithms;
295 if (s->session->cert == NULL)
296 {
297 if (s->cert != NULL)
298 {
299 CRYPTO_add(&s->cert->references,1,CRYPTO_LOCK_SSL_CERT);
300 s->session->cert=s->cert;
301 }
302 else
303 {
304 CRYPTO_add(&s->ctx->default_cert->references,1,CRYPTO_LOCK_SSL_CERT);
305 s->session->cert=s->ctx->default_cert;
306 }
307 }
308 ct=s->session->cert;
309
310 /* clear this, it may get reset by
311 * send_server_key_exchange */
312 if (s->options & SSL_OP_EPHEMERAL_RSA)
313 s->s3->tmp.use_rsa_tmp=1;
314 else
315 s->s3->tmp.use_rsa_tmp=0;
316
317 /* only send if a DH key exchange, fortezza or
318 * RSA but we have a sign only certificate */
319 if ( s->s3->tmp.use_rsa_tmp ||
320 (l & (SSL_DH|SSL_kFZA)) ||
321 ((l & SSL_kRSA) &&
322 ((ct->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL)||
323 ((l & SSL_EXPORT) &&
324 (EVP_PKEY_size(ct->pkeys[SSL_PKEY_RSA_ENC].privatekey)*8 > 512)
325 )
326 )
327 )
328 )
329 {
330 ret=ssl3_send_server_key_exchange(s);
331 if (ret <= 0) goto end;
332 }
333 else
334 skip=1;
335
336 s->state=SSL3_ST_SW_CERT_REQ_A;
337 s->init_num=0;
338 break;
339
340 case SSL3_ST_SW_CERT_REQ_A:
341 case SSL3_ST_SW_CERT_REQ_B:
342 if (!(s->verify_mode & SSL_VERIFY_PEER) ||
343 ((s->session->peer != NULL) &&
344 (s->verify_mode & SSL_VERIFY_CLIENT_ONCE)))
345 {
346 /* no cert request */
347 skip=1;
348 s->s3->tmp.cert_request=0;
349 s->state=SSL3_ST_SW_SRVR_DONE_A;
350 }
351 else
352 {
353 s->s3->tmp.cert_request=1;
354 ret=ssl3_send_certificate_request(s);
355 if (ret <= 0) goto end;
356 s->state=SSL3_ST_SW_SRVR_DONE_A;
357 s->init_num=0;
358 }
359 break;
360
361 case SSL3_ST_SW_SRVR_DONE_A:
362 case SSL3_ST_SW_SRVR_DONE_B:
363 ret=ssl3_send_server_done(s);
364 if (ret <= 0) goto end;
365 s->s3->tmp.next_state=SSL3_ST_SR_CERT_A;
366 s->state=SSL3_ST_SW_FLUSH;
367 s->init_num=0;
368 break;
369
370 case SSL3_ST_SW_FLUSH:
371 /* number of bytes to be flushed */
372 num1=BIO_ctrl(s->wbio,BIO_CTRL_INFO,0,NULL);
373 if (num1 > 0)
374 {
375 s->rwstate=SSL_WRITING;
376 num1=BIO_flush(s->wbio);
377 if (num1 <= 0) { ret= -1; goto end; }
378 s->rwstate=SSL_NOTHING;
379 }
380
381 s->state=s->s3->tmp.next_state;
382 break;
383
384 case SSL3_ST_SR_CERT_A:
385 case SSL3_ST_SR_CERT_B:
386 /* could be sent for a DH cert, even if we
387 * have not asked for it :-) */
388 ret=ssl3_get_client_certificate(s);
389 if (ret <= 0) goto end;
390 s->init_num=0;
391 s->state=SSL3_ST_SR_KEY_EXCH_A;
392 break;
393
394 case SSL3_ST_SR_KEY_EXCH_A:
395 case SSL3_ST_SR_KEY_EXCH_B:
396 ret=ssl3_get_client_key_exchange(s);
397 if (ret <= 0) goto end;
398 s->state=SSL3_ST_SR_CERT_VRFY_A;
399 s->init_num=0;
400
401 /* We need to get hashes here so if there is
402 * a client cert, it can be verified */
403 s->method->ssl3_enc->cert_verify_mac(s,
404 &(s->s3->finish_dgst1),
405 &(s->s3->tmp.finish_md[0]));
406 s->method->ssl3_enc->cert_verify_mac(s,
407 &(s->s3->finish_dgst2),
408 &(s->s3->tmp.finish_md[MD5_DIGEST_LENGTH]));
409
410 break;
411
412 case SSL3_ST_SR_CERT_VRFY_A:
413 case SSL3_ST_SR_CERT_VRFY_B:
414
415 /* we should decide if we expected this one */
416 ret=ssl3_get_cert_verify(s);
417 if (ret <= 0) goto end;
418
419 s->state=SSL3_ST_SR_FINISHED_A;
420 s->init_num=0;
421 break;
422
423 case SSL3_ST_SR_FINISHED_A:
424 case SSL3_ST_SR_FINISHED_B:
425 ret=ssl3_get_finished(s,SSL3_ST_SR_FINISHED_A,
426 SSL3_ST_SR_FINISHED_B);
427 if (ret <= 0) goto end;
428 if (s->hit)
429 s->state=SSL_ST_OK;
430 else
431 s->state=SSL3_ST_SW_CHANGE_A;
432 s->init_num=0;
433 break;
434
435 case SSL3_ST_SW_CHANGE_A:
436 case SSL3_ST_SW_CHANGE_B:
437
438 s->session->cipher=s->s3->tmp.new_cipher;
439 if (!s->method->ssl3_enc->setup_key_block(s))
440 { ret= -1; goto end; }
441
442 ret=ssl3_send_change_cipher_spec(s,
443 SSL3_ST_SW_CHANGE_A,SSL3_ST_SW_CHANGE_B);
444
445 if (ret <= 0) goto end;
446 s->state=SSL3_ST_SW_FINISHED_A;
447 s->init_num=0;
448
449 if (!s->method->ssl3_enc->change_cipher_state(s,
450 SSL3_CHANGE_CIPHER_SERVER_WRITE))
451 {
452 ret= -1;
453 goto end;
454 }
455
456 break;
457
458 case SSL3_ST_SW_FINISHED_A:
459 case SSL3_ST_SW_FINISHED_B:
460 ret=ssl3_send_finished(s,
461 SSL3_ST_SW_FINISHED_A,SSL3_ST_SW_FINISHED_B,
462 s->method->ssl3_enc->server_finished,
463 s->method->ssl3_enc->server_finished_len);
464 if (ret <= 0) goto end;
465 s->state=SSL3_ST_SW_FLUSH;
466 if (s->hit)
467 s->s3->tmp.next_state=SSL3_ST_SR_FINISHED_A;
468 else
469 s->s3->tmp.next_state=SSL_ST_OK;
470 s->init_num=0;
471 break;
472
473 case SSL_ST_OK:
474 /* clean a few things up */
475 ssl3_cleanup_key_block(s);
476
477 BUF_MEM_free(s->init_buf);
478 s->init_buf=NULL;
479
480 /* remove buffering on output */
481 under=BIO_pop(s->wbio);
482 if (under != NULL)
483 s->wbio=under;
484 else
485 abort(); /* ok */
486 BIO_free(s->bbio);
487 s->bbio=NULL;
488
489 s->new_session=0;
490 s->init_num=0;
491
492 ssl_update_cache(s,SSL_SESS_CACHE_SERVER);
493
494 s->ctx->sess_accept_good++;
495 /* s->server=1; */
496 s->handshake_func=ssl3_accept;
497 ret=1;
498
499 if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_DONE,1);
500
501 goto end;
502 /* break; */
503
504 default:
505 SSLerr(SSL_F_SSL3_ACCEPT,SSL_R_UNKNOWN_STATE);
506 ret= -1;
507 goto end;
508 /* break; */
509 }
510
511 if (!s->s3->tmp.reuse_message && !skip)
512 {
513 if (s->debug)
514 {
515 if ((ret=BIO_flush(s->wbio)) <= 0)
516 goto end;
517 }
518
519
520 if ((cb != NULL) && (s->state != state))
521 {
522 new_state=s->state;
523 s->state=state;
524 cb(s,SSL_CB_ACCEPT_LOOP,1);
525 s->state=new_state;
526 }
527 }
528 skip=0;
529 }
530end:
531 /* BIO_flush(s->wbio); */
532
533 if (cb != NULL)
534 cb(s,SSL_CB_ACCEPT_EXIT,ret);
535 s->in_handshake--;
536 return(ret);
537 }
538
539static int ssl3_send_hello_request(s)
540SSL *s;
541 {
542 unsigned char *p;
543
544 if (s->state == SSL3_ST_SW_HELLO_REQ_A)
545 {
546 p=(unsigned char *)s->init_buf->data;
547 *(p++)=SSL3_MT_CLIENT_REQUEST;
548 *(p++)=0;
549 *(p++)=0;
550 *(p++)=0;
551
552 s->state=SSL3_ST_SW_HELLO_REQ_B;
553 /* number of bytes to write */
554 s->init_num=4;
555 s->init_off=0;
556 }
557
558 /* SSL3_ST_SW_HELLO_REQ_B */
559 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
560 }
561
562static int ssl3_get_client_hello(s)
563SSL *s;
564 {
565 int i,j,ok,al,ret= -1;
566 long n;
567 unsigned long id;
568 unsigned char *p,*d;
569 SSL_CIPHER *c;
570 STACK *ciphers=NULL;
571
572 /* We do this so that we will respond with our native type.
573 * If we are TLSv1 and we get SSLv3, we will respond with TLSv1,
574 * This down switching should be handled by a different method.
575 * If we are SSLv3, we will respond with SSLv3, even if prompted with
576 * TLSv1.
577 */
578 if (s->state == SSL3_ST_SR_CLNT_HELLO_A)
579 {
580 s->first_packet=1;
581 s->state=SSL3_ST_SR_CLNT_HELLO_B;
582 }
583 n=ssl3_get_message(s,
584 SSL3_ST_SR_CLNT_HELLO_B,
585 SSL3_ST_SR_CLNT_HELLO_C,
586 SSL3_MT_CLIENT_HELLO,
587 SSL3_RT_MAX_PLAIN_LENGTH,
588 &ok);
589
590 if (!ok) return((int)n);
591 d=p=(unsigned char *)s->init_buf->data;
592
593 /* The version number has already been checked in ssl3_get_message.
594 * I a native TLSv1/SSLv3 method, the match must be correct except
595 * perhaps for the first message */
596 p+=2;
597
598 /* load the client random */
599 memcpy(s->s3->client_random,p,SSL3_RANDOM_SIZE);
600 p+=SSL3_RANDOM_SIZE;
601
602 /* get the session-id */
603 j= *(p++);
604
605 s->hit=0;
606 if (j == 0)
607 {
608 if (!ssl_get_new_session(s,1))
609 goto err;
610 }
611 else
612 {
613 i=ssl_get_prev_session(s,p,j);
614 if (i == 1)
615 { /* previous session */
616 s->hit=1;
617 }
618 else
619 {
620 if (!ssl_get_new_session(s,1))
621 goto err;
622 }
623 }
624
625 p+=j;
626 n2s(p,i);
627 if ((i == 0) && (j != 0))
628 {
629 /* we need a cipher if we are not resuming a session */
630 al=SSL_AD_ILLEGAL_PARAMETER;
631 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_NO_CIPHERS_SPECIFIED);
632 goto f_err;
633 }
634 if ((i+p) > (d+n))
635 {
636 /* not enough data */
637 al=SSL_AD_DECODE_ERROR;
638 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_LENGTH_MISMATCH);
639 goto f_err;
640 }
641 if ((i > 0) && (ssl_bytes_to_cipher_list(s,p,i,&(ciphers))
642 == NULL))
643 {
644 goto err;
645 }
646 p+=i;
647
648 /* If it is a hit, check that the cipher is in the list */
649 if ((s->hit) && (i > 0))
650 {
651 j=0;
652 id=s->session->cipher->id;
653
654 for (i=0; i<sk_num(ciphers); i++)
655 {
656 c=(SSL_CIPHER *)sk_value(ciphers,i);
657 if (c->id == id)
658 {
659 j=1;
660 break;
661 }
662 }
663 if (j == 0)
664 {
665 if ((s->options & SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG) && (sk_num(ciphers) == 1))
666 {
667 /* Very bad for multi-threading.... */
668 s->session->cipher=
669 (SSL_CIPHER *)sk_value(ciphers,0);
670 }
671 else
672 {
673 /* we need to have the cipher in the cipher
674 * list if we are asked to reuse it */
675 al=SSL_AD_ILLEGAL_PARAMETER;
676 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_REQUIRED_CIPHER_MISSING);
677 goto f_err;
678 }
679 }
680 }
681
682 /* compression */
683 i= *(p++);
684 for (j=0; j<i; j++)
685 if (p[j] == 0) break;
686
687 p+=i;
688 if (j >= i)
689 {
690 /* no compress */
691 al=SSL_AD_DECODE_ERROR;
692 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_NO_COMPRESSION_SPECIFIED);
693 goto f_err;
694 }
695
696 /* TLS does not mind if there is extra stuff */
697 if (s->version == SSL3_VERSION)
698 {
699 if (p > (d+n))
700 {
701 /* wrong number of bytes,
702 * there could be more to follow */
703 al=SSL_AD_DECODE_ERROR;
704 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_LENGTH_MISMATCH);
705 goto f_err;
706 }
707 }
708
709 /* do nothing with compression */
710
711 /* Given s->session->ciphers and ssl_get_ciphers_by_id(s), we must
712 * pick a cipher */
713
714 if (!s->hit)
715 {
716 if (s->session->ciphers != NULL)
717 sk_free(s->session->ciphers);
718 s->session->ciphers=ciphers;
719 if (ciphers == NULL)
720 {
721 al=SSL_AD_ILLEGAL_PARAMETER;
722 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_NO_CIPHERS_PASSED);
723 goto f_err;
724 }
725 ciphers=NULL;
726 c=ssl3_choose_cipher(s,s->session->ciphers,
727 ssl_get_ciphers_by_id(s));
728
729 if (c == NULL)
730 {
731 al=SSL_AD_HANDSHAKE_FAILURE;
732 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_NO_SHARED_CIPHER);
733 goto f_err;
734 }
735 s->s3->tmp.new_cipher=c;
736 }
737 else
738 {
739 /* Session-id reuse */
740#ifdef REUSE_CIPHER_BUG
741 STACK *sk;
742 SSL_CIPHER *nc=NULL;
743 SSL_CIPHER *ec=NULL;
744
745 if (s->options & SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG)
746 {
747 sk=s->session->ciphers;
748 for (i=0; i<sk_num(sk); i++)
749 {
750 c=(SSL_CIPHER *)sk_value(sk,i);
751 if (c->algorithms & SSL_eNULL)
752 nc=c;
753 if (c->algorithms & SSL_EXP)
754 ec=c;
755 }
756 if (nc != NULL)
757 s->s3->tmp.new_cipher=nc;
758 else if (ec != NULL)
759 s->s3->tmp.new_cipher=ec;
760 else
761 s->s3->tmp.new_cipher=s->session->cipher;
762 }
763 else
764#endif
765 s->s3->tmp.new_cipher=s->session->cipher;
766 }
767
768 /* we now have the following setup.
769 * client_random
770 * cipher_list - our prefered list of ciphers
771 * ciphers - the clients prefered list of ciphers
772 * compression - basically ignored right now
773 * ssl version is set - sslv3
774 * s->session - The ssl session has been setup.
775 * s->hit - sesson reuse flag
776 * s->tmp.new_cipher - the new cipher to use.
777 */
778
779 ret=1;
780 if (0)
781 {
782f_err:
783 ssl3_send_alert(s,SSL3_AL_FATAL,al);
784 }
785err:
786 if (ciphers != NULL) sk_free(ciphers);
787 return(ret);
788 }
789
790static int ssl3_send_server_hello(s)
791SSL *s;
792 {
793 unsigned char *buf;
794 unsigned char *p,*d;
795 int i,sl;
796 unsigned long l,Time;
797
798 if (s->state == SSL3_ST_SW_SRVR_HELLO_A)
799 {
800 buf=(unsigned char *)s->init_buf->data;
801 p=s->s3->server_random;
802 Time=time(NULL); /* Time */
803 l2n(Time,p);
804 RAND_bytes(p,SSL3_RANDOM_SIZE-sizeof(Time));
805 /* Do the message type and length last */
806 d=p= &(buf[4]);
807
808 *(p++)=s->version>>8;
809 *(p++)=s->version&0xff;
810
811 /* Random stuff */
812 memcpy(p,s->s3->server_random,SSL3_RANDOM_SIZE);
813 p+=SSL3_RANDOM_SIZE;
814
815 /* now in theory we have 3 options to sending back the
816 * session id. If it is a re-use, we send back the
817 * old session-id, if it is a new session, we send
818 * back the new session-id or we send back a 0 length
819 * session-id if we want it to be single use.
820 * Currently I will not implement the '0' length session-id
821 * 12-Jan-98 - I'll now support the '0' length stuff.
822 */
823 if (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER))
824 s->session->session_id_length=0;
825
826 sl=s->session->session_id_length;
827 *(p++)=sl;
828 memcpy(p,s->session->session_id,sl);
829 p+=sl;
830
831 /* put the cipher */
832 i=ssl3_put_cipher_by_char(s->s3->tmp.new_cipher,p);
833 p+=i;
834
835 /* put the compression method */
836 *(p++)=0;
837
838 /* do the header */
839 l=(p-d);
840 d=buf;
841 *(d++)=SSL3_MT_SERVER_HELLO;
842 l2n3(l,d);
843
844 s->state=SSL3_ST_CW_CLNT_HELLO_B;
845 /* number of bytes to write */
846 s->init_num=p-buf;
847 s->init_off=0;
848 }
849
850 /* SSL3_ST_CW_CLNT_HELLO_B */
851 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
852 }
853
854static int ssl3_send_server_done(s)
855SSL *s;
856 {
857 unsigned char *p;
858
859 if (s->state == SSL3_ST_SW_SRVR_DONE_A)
860 {
861 p=(unsigned char *)s->init_buf->data;
862
863 /* do the header */
864 *(p++)=SSL3_MT_SERVER_DONE;
865 *(p++)=0;
866 *(p++)=0;
867 *(p++)=0;
868
869 s->state=SSL3_ST_SW_SRVR_DONE_B;
870 /* number of bytes to write */
871 s->init_num=4;
872 s->init_off=0;
873 }
874
875 /* SSL3_ST_CW_CLNT_HELLO_B */
876 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
877 }
878
879static int ssl3_send_server_key_exchange(s)
880SSL *s;
881 {
882#ifndef NO_RSA
883 unsigned char *q;
884 int j,num;
885 RSA *rsa;
886 unsigned char md_buf[MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH];
887#endif
888#ifndef NO_DH
889 DH *dh,*dhp;
890#endif
891 EVP_PKEY *pkey;
892 unsigned char *p,*d;
893 int al,i;
894 unsigned long type;
895 int n;
896 CERT *cert;
897 BIGNUM *r[4];
898 int nr[4],kn;
899 BUF_MEM *buf;
900 EVP_MD_CTX md_ctx;
901
902 if (s->state == SSL3_ST_SW_KEY_EXCH_A)
903 {
904 type=s->s3->tmp.new_cipher->algorithms & SSL_MKEY_MASK;
905 cert=s->session->cert;
906
907 buf=s->init_buf;
908
909 r[0]=r[1]=r[2]=r[3]=NULL;
910 n=0;
911#ifndef NO_RSA
912 if (type & SSL_kRSA)
913 {
914 rsa=cert->rsa_tmp;
915 if ((rsa == NULL) && (s->ctx->default_cert->rsa_tmp_cb != NULL))
916 {
917 rsa=s->ctx->default_cert->rsa_tmp_cb(s,
918 (s->s3->tmp.new_cipher->algorithms|
919 SSL_NOT_EXP)?0:1);
920 CRYPTO_add(&rsa->references,1,CRYPTO_LOCK_RSA);
921 cert->rsa_tmp=rsa;
922 }
923 if (rsa == NULL)
924 {
925 al=SSL_AD_HANDSHAKE_FAILURE;
926 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_MISSING_TMP_RSA_KEY);
927 goto f_err;
928 }
929 r[0]=rsa->n;
930 r[1]=rsa->e;
931 s->s3->tmp.use_rsa_tmp=1;
932 }
933 else
934#endif
935#ifndef NO_DH
936 if (type & SSL_kEDH)
937 {
938 dhp=cert->dh_tmp;
939 if ((dhp == NULL) && (cert->dh_tmp_cb != NULL))
940 dhp=cert->dh_tmp_cb(s,
941 (s->s3->tmp.new_cipher->algorithms|
942 SSL_NOT_EXP)?0:1);
943 if (dhp == NULL)
944 {
945 al=SSL_AD_HANDSHAKE_FAILURE;
946 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_MISSING_TMP_DH_KEY);
947 goto f_err;
948 }
949 if ((dh=DHparams_dup(dhp)) == NULL)
950 {
951 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_DH_LIB);
952 goto err;
953 }
954
955 s->s3->tmp.dh=dh;
956 if (((dhp->pub_key == NULL) ||
957 (dhp->priv_key == NULL) ||
958 (s->options & SSL_OP_SINGLE_DH_USE)) &&
959 (!DH_generate_key(dh)))
960 {
961 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_DH_LIB);
962 goto err;
963 }
964 else
965 {
966 dh->pub_key=BN_dup(dhp->pub_key);
967 dh->priv_key=BN_dup(dhp->priv_key);
968 if ((dh->pub_key == NULL) ||
969 (dh->priv_key == NULL))
970 {
971 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_DH_LIB);
972 goto err;
973 }
974 }
975 r[0]=dh->p;
976 r[1]=dh->g;
977 r[2]=dh->pub_key;
978 }
979 else
980#endif
981 {
982 al=SSL_AD_HANDSHAKE_FAILURE;
983 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE);
984 goto f_err;
985 }
986 for (i=0; r[i] != NULL; i++)
987 {
988 nr[i]=BN_num_bytes(r[i]);
989 n+=2+nr[i];
990 }
991
992 if (!(s->s3->tmp.new_cipher->algorithms & SSL_aNULL))
993 {
994 if ((pkey=ssl_get_sign_pkey(s,s->s3->tmp.new_cipher))
995 == NULL)
996 {
997 al=SSL_AD_DECODE_ERROR;
998 goto f_err;
999 }
1000 kn=EVP_PKEY_size(pkey);
1001 }
1002 else
1003 {
1004 pkey=NULL;
1005 kn=0;
1006 }
1007
1008 if (!BUF_MEM_grow(buf,n+4+kn))
1009 {
1010 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_LIB_BUF);
1011 goto err;
1012 }
1013 d=(unsigned char *)s->init_buf->data;
1014 p= &(d[4]);
1015
1016 for (i=0; r[i] != NULL; i++)
1017 {
1018 s2n(nr[i],p);
1019 BN_bn2bin(r[i],p);
1020 p+=nr[i];
1021 }
1022
1023 /* not anonymous */
1024 if (pkey != NULL)
1025 {
1026 /* n is the length of the params, they start at &(d[4])
1027 * and p points to the space at the end. */
1028#ifndef NO_RSA
1029 if (pkey->type == EVP_PKEY_RSA)
1030 {
1031 q=md_buf;
1032 j=0;
1033 for (num=2; num > 0; num--)
1034 {
1035 EVP_DigestInit(&md_ctx,(num == 2)
1036 ?s->ctx->md5:s->ctx->sha1);
1037 EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
1038 EVP_DigestUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE);
1039 EVP_DigestUpdate(&md_ctx,&(d[4]),n);
1040 EVP_DigestFinal(&md_ctx,q,
1041 (unsigned int *)&i);
1042 q+=i;
1043 j+=i;
1044 }
1045 i=RSA_private_encrypt(j,md_buf,&(p[2]),
1046 pkey->pkey.rsa,RSA_PKCS1_PADDING);
1047 if (i <= 0)
1048 {
1049 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_LIB_RSA);
1050 goto err;
1051 }
1052 s2n(i,p);
1053 n+=i+2;
1054 }
1055 else
1056#endif
1057#if !defined(NO_DSA)
1058 if (pkey->type == EVP_PKEY_DSA)
1059 {
1060 /* lets do DSS */
1061 EVP_SignInit(&md_ctx,EVP_dss1());
1062 EVP_SignUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
1063 EVP_SignUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE);
1064 EVP_SignUpdate(&md_ctx,&(d[4]),n);
1065 if (!EVP_SignFinal(&md_ctx,&(p[2]),
1066 (unsigned int *)&i,pkey))
1067 {
1068 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_LIB_DSA);
1069 goto err;
1070 }
1071 s2n(i,p);
1072 n+=i+2;
1073 }
1074 else
1075#endif
1076 {
1077 /* Is this error check actually needed? */
1078 al=SSL_AD_HANDSHAKE_FAILURE;
1079 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_UNKNOWN_PKEY_TYPE);
1080 goto f_err;
1081 }
1082 }
1083
1084 *(d++)=SSL3_MT_SERVER_KEY_EXCHANGE;
1085 l2n3(n,d);
1086
1087 /* we should now have things packed up, so lets send
1088 * it off */
1089 s->init_num=n+4;
1090 s->init_off=0;
1091 }
1092
1093 /* SSL3_ST_SW_KEY_EXCH_B */
1094 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
1095f_err:
1096 ssl3_send_alert(s,SSL3_AL_FATAL,al);
1097err:
1098 return(-1);
1099 }
1100
1101static int ssl3_send_certificate_request(s)
1102SSL *s;
1103 {
1104 unsigned char *p,*d;
1105 int i,j,nl,off,n;
1106 STACK *sk=NULL;
1107 X509_NAME *name;
1108 BUF_MEM *buf;
1109
1110 if (s->state == SSL3_ST_SW_CERT_REQ_A)
1111 {
1112 buf=s->init_buf;
1113
1114 d=p=(unsigned char *)&(buf->data[4]);
1115
1116 /* get the list of acceptable cert types */
1117 p++;
1118 n=ssl3_get_req_cert_type(s,p);
1119 d[0]=n;
1120 p+=n;
1121 n++;
1122
1123 off=n;
1124 p+=2;
1125 n+=2;
1126
1127 sk=SSL_get_client_CA_list(s);
1128 nl=0;
1129 if (sk != NULL)
1130 {
1131 for (i=0; i<sk_num(sk); i++)
1132 {
1133 name=(X509_NAME *)sk_value(sk,i);
1134 j=i2d_X509_NAME(name,NULL);
1135 if (!BUF_MEM_grow(buf,4+n+j+2))
1136 {
1137 SSLerr(SSL_F_SSL3_SEND_CERTIFICATE_REQUEST,ERR_R_BUF_LIB);
1138 goto err;
1139 }
1140 p=(unsigned char *)&(buf->data[4+n]);
1141 if (!(s->options & SSL_OP_NETSCAPE_CA_DN_BUG))
1142 {
1143 s2n(j,p);
1144 i2d_X509_NAME(name,&p);
1145 n+=2+j;
1146 nl+=2+j;
1147 }
1148 else
1149 {
1150 d=p;
1151 i2d_X509_NAME(name,&p);
1152 j-=2; s2n(j,d); j+=2;
1153 n+=j;
1154 nl+=j;
1155 }
1156 }
1157 }
1158 /* else no CA names */
1159 p=(unsigned char *)&(buf->data[4+off]);
1160 s2n(nl,p);
1161
1162 d=(unsigned char *)buf->data;
1163 *(d++)=SSL3_MT_CERTIFICATE_REQUEST;
1164 l2n3(n,d);
1165
1166 /* we should now have things packed up, so lets send
1167 * it off */
1168
1169 s->init_num=n+4;
1170 s->init_off=0;
1171 }
1172
1173 /* SSL3_ST_SW_CERT_REQ_B */
1174 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
1175err:
1176 return(-1);
1177 }
1178
1179static int ssl3_get_client_key_exchange(s)
1180SSL *s;
1181 {
1182 int i,al,ok;
1183 long n;
1184 unsigned long l;
1185 unsigned char *p;
1186 RSA *rsa=NULL;
1187 EVP_PKEY *pkey=NULL;
1188#ifndef NO_DH
1189 BIGNUM *pub=NULL;
1190 DH *dh_srvr;
1191#endif
1192
1193 n=ssl3_get_message(s,
1194 SSL3_ST_SR_KEY_EXCH_A,
1195 SSL3_ST_SR_KEY_EXCH_B,
1196 SSL3_MT_CLIENT_KEY_EXCHANGE,
1197 400, /* ???? */
1198 &ok);
1199
1200 if (!ok) return((int)n);
1201 p=(unsigned char *)s->init_buf->data;
1202
1203 l=s->s3->tmp.new_cipher->algorithms;
1204
1205#ifndef NO_RSA
1206 if (l & SSL_kRSA)
1207 {
1208 /* FIX THIS UP EAY EAY EAY EAY */
1209 if (s->s3->tmp.use_rsa_tmp)
1210 {
1211 if ((s->session->cert != NULL) &&
1212 (s->session->cert->rsa_tmp != NULL))
1213 rsa=s->session->cert->rsa_tmp;
1214 else if ((s->ctx->default_cert != NULL) &&
1215 (s->ctx->default_cert->rsa_tmp != NULL))
1216 rsa=s->ctx->default_cert->rsa_tmp;
1217 /* Don't do a callback because rsa_tmp should
1218 * be sent already */
1219 if (rsa == NULL)
1220 {
1221 al=SSL_AD_HANDSHAKE_FAILURE;
1222 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_MISSING_TMP_RSA_PKEY);
1223 goto f_err;
1224
1225 }
1226 }
1227 else
1228 {
1229 pkey=s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey;
1230 if ( (pkey == NULL) ||
1231 (pkey->type != EVP_PKEY_RSA) ||
1232 (pkey->pkey.rsa == NULL))
1233 {
1234 al=SSL_AD_HANDSHAKE_FAILURE;
1235 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_MISSING_RSA_CERTIFICATE);
1236 goto f_err;
1237 }
1238 rsa=pkey->pkey.rsa;
1239 }
1240
1241 /* TLS */
1242 if (s->version > SSL3_VERSION)
1243 {
1244 n2s(p,i);
1245 if (n != i+2)
1246 {
1247 if (!(s->options & SSL_OP_TLS_D5_BUG))
1248 {
1249 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG);
1250 goto err;
1251 }
1252 else
1253 p-=2;
1254 }
1255 else
1256 n=i;
1257 }
1258
1259 i=RSA_private_decrypt((int)n,p,p,rsa,RSA_PKCS1_PADDING);
1260
1261#if 1
1262 /* If a bad decrypt, use a dud master key */
1263 if ((i != SSL_MAX_MASTER_KEY_LENGTH) ||
1264 ((p[0] != (s->version>>8)) ||
1265 (p[1] != (s->version & 0xff))))
1266 {
1267 p[0]=(s->version>>8);
1268 p[1]=(s->version & 0xff);
1269 RAND_bytes(&(p[2]),SSL_MAX_MASTER_KEY_LENGTH-2);
1270 i=SSL_MAX_MASTER_KEY_LENGTH;
1271 }
1272#else
1273 if (i != SSL_MAX_MASTER_KEY_LENGTH)
1274 {
1275 al=SSL_AD_DECODE_ERROR;
1276 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_RSA_DECRYPT);
1277 goto f_err;
1278 }
1279
1280 if ((p[0] != (s->version>>8)) || (p[1] != (s->version & 0xff)))
1281 {
1282 al=SSL_AD_DECODE_ERROR;
1283 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_PROTOCOL_VERSION_NUMBER);
1284 goto f_err;
1285 }
1286#endif
1287
1288 s->session->master_key_length=
1289 s->method->ssl3_enc->generate_master_secret(s,
1290 s->session->master_key,
1291 p,i);
1292 memset(p,0,i);
1293 }
1294 else
1295#endif
1296#ifndef NO_DH
1297 if (l & (SSL_kEDH|SSL_kDHr|SSL_kDHd))
1298 {
1299 n2s(p,i);
1300 if (n != i+2)
1301 {
1302 if (!(s->options & SSL_OP_SSLEAY_080_CLIENT_DH_BUG))
1303 {
1304 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG);
1305 goto err;
1306 }
1307 else
1308 {
1309 p-=2;
1310 i=(int)n;
1311 }
1312 }
1313
1314 if (n == 0L) /* the parameters are in the cert */
1315 {
1316 al=SSL_AD_HANDSHAKE_FAILURE;
1317 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_UNABLE_TO_DECODE_DH_CERTS);
1318 goto f_err;
1319 }
1320 else
1321 {
1322 if (s->s3->tmp.dh == NULL)
1323 {
1324 al=SSL_AD_HANDSHAKE_FAILURE;
1325 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_MISSING_TMP_DH_KEY);
1326 goto f_err;
1327 }
1328 else
1329 dh_srvr=s->s3->tmp.dh;
1330 }
1331
1332 pub=BN_bin2bn(p,i,NULL);
1333 if (pub == NULL)
1334 {
1335 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BN_LIB);
1336 goto err;
1337 }
1338
1339 i=DH_compute_key(p,pub,dh_srvr);
1340
1341 if (i <= 0)
1342 {
1343 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB);
1344 goto err;
1345 }
1346
1347 DH_free(s->s3->tmp.dh);
1348 s->s3->tmp.dh=NULL;
1349
1350 BN_clear_free(pub);
1351 pub=NULL;
1352 s->session->master_key_length=
1353 s->method->ssl3_enc->generate_master_secret(s,
1354 s->session->master_key,p,i);
1355 }
1356 else
1357#endif
1358 {
1359 al=SSL_AD_HANDSHAKE_FAILURE;
1360 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_UNKNOWN_CIPHER_TYPE);
1361 goto f_err;
1362 }
1363
1364 return(1);
1365f_err:
1366 ssl3_send_alert(s,SSL3_AL_FATAL,al);
1367#if !defined(NO_DH) || !defined(NO_RSA)
1368err:
1369#endif
1370 return(-1);
1371 }
1372
1373static int ssl3_get_cert_verify(s)
1374SSL *s;
1375 {
1376 EVP_PKEY *pkey=NULL;
1377 unsigned char *p;
1378 int al,ok,ret=0;
1379 long n;
1380 int type=0,i,j;
1381 X509 *peer;
1382
1383 n=ssl3_get_message(s,
1384 SSL3_ST_SR_CERT_VRFY_A,
1385 SSL3_ST_SR_CERT_VRFY_B,
1386 -1,
1387 512, /* 512? */
1388 &ok);
1389
1390 if (!ok) return((int)n);
1391
1392 if (s->session->peer != NULL)
1393 {
1394 peer=s->session->peer;
1395 pkey=X509_get_pubkey(peer);
1396 type=X509_certificate_type(peer,pkey);
1397 }
1398 else
1399 {
1400 peer=NULL;
1401 pkey=NULL;
1402 }
1403
1404 if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE_VERIFY)
1405 {
1406 s->s3->tmp.reuse_message=1;
1407 if ((peer != NULL) && (type | EVP_PKT_SIGN))
1408 {
1409 al=SSL_AD_UNEXPECTED_MESSAGE;
1410 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_MISSING_VERIFY_MESSAGE);
1411 goto f_err;
1412 }
1413 ret=1;
1414 goto end;
1415 }
1416
1417 if (peer == NULL)
1418 {
1419 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_NO_CLIENT_CERT_RECEIVED);
1420 al=SSL_AD_UNEXPECTED_MESSAGE;
1421 goto f_err;
1422 }
1423
1424 if (!(type & EVP_PKT_SIGN))
1425 {
1426 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE);
1427 al=SSL_AD_ILLEGAL_PARAMETER;
1428 goto f_err;
1429 }
1430
1431 if (s->s3->change_cipher_spec)
1432 {
1433 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_CCS_RECEIVED_EARLY);
1434 al=SSL_AD_UNEXPECTED_MESSAGE;
1435 goto f_err;
1436 }
1437
1438 /* we now have a signature that we need to verify */
1439 p=(unsigned char *)s->init_buf->data;
1440 n2s(p,i);
1441 n-=2;
1442 if (i > n)
1443 {
1444 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_LENGTH_MISMATCH);
1445 al=SSL_AD_DECODE_ERROR;
1446 goto f_err;
1447 }
1448
1449 j=EVP_PKEY_size(pkey);
1450 if ((i > j) || (n > j) || (n <= 0))
1451 {
1452 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_WRONG_SIGNATURE_SIZE);
1453 al=SSL_AD_DECODE_ERROR;
1454 goto f_err;
1455 }
1456
1457#ifndef NO_RSA
1458 if (pkey->type == EVP_PKEY_RSA)
1459 {
1460 i=RSA_public_decrypt(i,p,p,pkey->pkey.rsa,RSA_PKCS1_PADDING);
1461 if (i < 0)
1462 {
1463 al=SSL_AD_DECRYPT_ERROR;
1464 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_BAD_RSA_DECRYPT);
1465 goto f_err;
1466 }
1467 if ((i != (MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH)) ||
1468 memcmp(&(s->s3->tmp.finish_md[0]),p,
1469 MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH))
1470 {
1471 al=SSL_AD_DECRYPT_ERROR;
1472 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_BAD_RSA_SIGNATURE);
1473 goto f_err;
1474 }
1475 }
1476 else
1477#endif
1478#ifndef NO_DSA
1479 if (pkey->type == EVP_PKEY_DSA)
1480 {
1481 j=DSA_verify(pkey->save_type,
1482 &(s->s3->tmp.finish_md[MD5_DIGEST_LENGTH]),
1483 SHA_DIGEST_LENGTH,p,i,pkey->pkey.dsa);
1484 if (j <= 0)
1485 {
1486 /* bad signature */
1487 al=SSL_AD_DECRYPT_ERROR;
1488 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_BAD_DSA_SIGNATURE);
1489 goto f_err;
1490 }
1491 }
1492 else
1493#endif
1494 {
1495 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_INTERNAL_ERROR);
1496 al=SSL_AD_UNSUPPORTED_CERTIFICATE;
1497 goto f_err;
1498 }
1499
1500
1501 ret=1;
1502 if (0)
1503 {
1504f_err:
1505 ssl3_send_alert(s,SSL3_AL_FATAL,al);
1506 }
1507end:
1508 return(ret);
1509 }
1510
1511static int ssl3_get_client_certificate(s)
1512SSL *s;
1513 {
1514 int i,ok,al,ret= -1;
1515 X509 *x=NULL;
1516 unsigned long l,nc,llen,n;
1517 unsigned char *p,*d,*q;
1518 STACK *sk=NULL;
1519
1520 n=ssl3_get_message(s,
1521 SSL3_ST_SR_CERT_A,
1522 SSL3_ST_SR_CERT_B,
1523 -1,
1524#if defined(MSDOS) && !defined(WIN32)
1525 1024*30, /* 30k max cert list :-) */
1526#else
1527 1024*100, /* 100k max cert list :-) */
1528#endif
1529 &ok);
1530
1531 if (!ok) return((int)n);
1532
1533 if (s->s3->tmp.message_type == SSL3_MT_CLIENT_KEY_EXCHANGE)
1534 {
1535 if ( (s->verify_mode & SSL_VERIFY_PEER) &&
1536 (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT))
1537 {
1538 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);
1539 al=SSL_AD_HANDSHAKE_FAILURE;
1540 goto f_err;
1541 }
1542 /* If tls asked for a client cert we must return a 0 list */
1543 if ((s->version > SSL3_VERSION) && s->s3->tmp.cert_request)
1544 {
1545 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST);
1546 al=SSL_AD_UNEXPECTED_MESSAGE;
1547 goto f_err;
1548 }
1549 s->s3->tmp.reuse_message=1;
1550 return(1);
1551 }
1552
1553 if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE)
1554 {
1555 al=SSL_AD_UNEXPECTED_MESSAGE;
1556 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_WRONG_MESSAGE_TYPE);
1557 goto f_err;
1558 }
1559 d=p=(unsigned char *)s->init_buf->data;
1560
1561 if ((sk=sk_new_null()) == NULL)
1562 {
1563 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,ERR_R_MALLOC_FAILURE);
1564 goto err;
1565 }
1566
1567 n2l3(p,llen);
1568 if (llen+3 != n)
1569 {
1570 al=SSL_AD_DECODE_ERROR;
1571 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_LENGTH_MISMATCH);
1572 goto f_err;
1573 }
1574 for (nc=0; nc<llen; )
1575 {
1576 n2l3(p,l);
1577 if ((l+nc+3) > llen)
1578 {
1579 al=SSL_AD_DECODE_ERROR;
1580 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_CERT_LENGTH_MISMATCH);
1581 goto f_err;
1582 }
1583
1584 q=p;
1585 x=d2i_X509(NULL,&p,l);
1586 if (x == NULL)
1587 {
1588 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,ERR_R_ASN1_LIB);
1589 goto err;
1590 }
1591 if (p != (q+l))
1592 {
1593 al=SSL_AD_DECODE_ERROR;
1594 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_CERT_LENGTH_MISMATCH);
1595 goto f_err;
1596 }
1597 if (!sk_push(sk,(char *)x))
1598 {
1599 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,ERR_R_MALLOC_FAILURE);
1600 goto err;
1601 }
1602 x=NULL;
1603 nc+=l+3;
1604 }
1605
1606 if (sk_num(sk) <= 0)
1607 {
1608 /* TLS does not mind 0 certs returned */
1609 if (s->version == SSL3_VERSION)
1610 {
1611 al=SSL_AD_HANDSHAKE_FAILURE;
1612 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_NO_CERTIFICATES_RETURNED);
1613 goto f_err;
1614 }
1615 /* Fail for TLS only if we required a certificate */
1616 else if ((s->verify_mode & SSL_VERIFY_PEER) &&
1617 (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT))
1618 {
1619 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);
1620 al=SSL_AD_HANDSHAKE_FAILURE;
1621 goto f_err;
1622 }
1623 }
1624 else
1625 {
1626 i=ssl_verify_cert_chain(s,sk);
1627 if (!i)
1628 {
1629 al=ssl_verify_alarm_type(s->verify_result);
1630 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_NO_CERTIFICATE_RETURNED);
1631 goto f_err;
1632 }
1633 }
1634
1635 /* This should not be needed */
1636 if (s->session->peer != NULL)
1637 X509_free(s->session->peer);
1638 s->session->peer=(X509 *)sk_shift(sk);
1639
1640 ret=1;
1641 if (0)
1642 {
1643f_err:
1644 ssl3_send_alert(s,SSL3_AL_FATAL,al);
1645 }
1646err:
1647 if (x != NULL) X509_free(x);
1648 if (sk != NULL) sk_pop_free(sk,X509_free);
1649 return(ret);
1650 }
1651
1652int ssl3_send_server_certificate(s)
1653SSL *s;
1654 {
1655 unsigned long l;
1656 X509 *x;
1657
1658 if (s->state == SSL3_ST_SW_CERT_A)
1659 {
1660 x=ssl_get_server_send_cert(s);
1661 if (x == NULL)
1662 {
1663 SSLerr(SSL_F_SSL3_SEND_SERVER_CERTIFICATE,SSL_R_INTERNAL_ERROR);
1664 return(0);
1665 }
1666
1667 l=ssl3_output_cert_chain(s,x);
1668 s->state=SSL3_ST_SW_CERT_B;
1669 s->init_num=(int)l;
1670 s->init_off=0;
1671 }
1672
1673 /* SSL3_ST_SW_CERT_B */
1674 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
1675 }
diff --git a/src/lib/libssl/shlib_version b/src/lib/libssl/shlib_version
new file mode 100644
index 0000000000..1edea46de9
--- /dev/null
+++ b/src/lib/libssl/shlib_version
@@ -0,0 +1,2 @@
1major=1
2minor=0
diff --git a/src/lib/libssl/ssl.h b/src/lib/libssl/ssl.h
new file mode 100644
index 0000000000..cf8f9651b2
--- /dev/null
+++ b/src/lib/libssl/ssl.h
@@ -0,0 +1,1453 @@
1/* ssl/ssl.h */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#ifndef HEADER_SSL_H
60#define HEADER_SSL_H
61
62#ifdef __cplusplus
63extern "C" {
64#endif
65
66/* SSLeay version number for ASN.1 encoding of the session information */
67/* Version 0 - initial version
68 * Version 1 - added the optional peer certificate
69 */
70#define SSL_SESSION_ASN1_VERSION 0x0001
71
72/* text strings for the ciphers */
73#define SSL_TXT_NULL_WITH_MD5 SSL2_TXT_NULL_WITH_MD5
74#define SSL_TXT_RC4_128_WITH_MD5 SSL2_TXT_RC4_128_WITH_MD5
75#define SSL_TXT_RC4_128_EXPORT40_WITH_MD5 SSL2_TXT_RC4_128_EXPORT40_WITH_MD5
76#define SSL_TXT_RC2_128_CBC_WITH_MD5 SSL2_TXT_RC2_128_CBC_WITH_MD5
77#define SSL_TXT_RC2_128_CBC_EXPORT40_WITH_MD5 SSL2_TXT_RC2_128_CBC_EXPORT40_WITH_MD5
78#define SSL_TXT_IDEA_128_CBC_WITH_MD5 SSL2_TXT_IDEA_128_CBC_WITH_MD5
79#define SSL_TXT_DES_64_CBC_WITH_MD5 SSL2_TXT_DES_64_CBC_WITH_MD5
80#define SSL_TXT_DES_64_CBC_WITH_SHA SSL2_TXT_DES_64_CBC_WITH_SHA
81#define SSL_TXT_DES_192_EDE3_CBC_WITH_MD5 SSL2_TXT_DES_192_EDE3_CBC_WITH_MD5
82#define SSL_TXT_DES_192_EDE3_CBC_WITH_SHA SSL2_TXT_DES_192_EDE3_CBC_WITH_SHA
83
84#define SSL_MAX_SSL_SESSION_ID_LENGTH 32
85
86#define SSL_MIN_RSA_MODULUS_LENGTH_IN_BYTES (512/8)
87#define SSL_MAX_KEY_ARG_LENGTH 8
88#define SSL_MAX_MASTER_KEY_LENGTH 48
89
90/* These are used to specify which ciphers to use and not to use */
91#define SSL_TXT_LOW "LOW"
92#define SSL_TXT_MEDIUM "MEDIUM"
93#define SSL_TXT_HIGH "HIGH"
94#define SSL_TXT_kFZA "kFZA"
95#define SSL_TXT_aFZA "aFZA"
96#define SSL_TXT_eFZA "eFZA"
97#define SSL_TXT_FZA "FZA"
98
99#define SSL_TXT_aNULL "aNULL"
100#define SSL_TXT_eNULL "eNULL"
101#define SSL_TXT_NULL "NULL"
102
103#define SSL_TXT_kRSA "kRSA"
104#define SSL_TXT_kDHr "kDHr"
105#define SSL_TXT_kDHd "kDHd"
106#define SSL_TXT_kEDH "kEDH"
107#define SSL_TXT_aRSA "aRSA"
108#define SSL_TXT_aDSS "aDSS"
109#define SSL_TXT_aDH "aDH"
110#define SSL_TXT_DSS "DSS"
111#define SSL_TXT_DH "DH"
112#define SSL_TXT_EDH "EDH"
113#define SSL_TXT_ADH "ADH"
114#define SSL_TXT_RSA "RSA"
115#define SSL_TXT_DES "DES"
116#define SSL_TXT_3DES "3DES"
117#define SSL_TXT_RC4 "RC4"
118#define SSL_TXT_RC2 "RC2"
119#define SSL_TXT_IDEA "IDEA"
120#define SSL_TXT_MD5 "MD5"
121#define SSL_TXT_SHA1 "SHA1"
122#define SSL_TXT_SHA "SHA"
123#define SSL_TXT_EXP "EXP"
124#define SSL_TXT_EXPORT "EXPORT"
125#define SSL_TXT_SSLV2 "SSLv2"
126#define SSL_TXT_SSLV3 "SSLv3"
127#define SSL_TXT_ALL "ALL"
128
129/* 'DEFAULT' at the start of the cipher list insert the following string
130 * in addition to this being the default cipher string */
131#ifndef NO_RSA
132#define SSL_DEFAULT_CIPHER_LIST "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"
133#else
134#define SSL_ALLOW_ADH
135#define SSL_DEFAULT_CIPHER_LIST "HIGH:MEDIUM:LOW:ADH+3DES:ADH+RC4:ADH+DES:+EXP"
136#endif
137
138/* Used in SSL_set_shutdown()/SSL_get_shutdown(); */
139#define SSL_SENT_SHUTDOWN 1
140#define SSL_RECEIVED_SHUTDOWN 2
141
142#include "crypto.h"
143#include "lhash.h"
144#include "buffer.h"
145#include "bio.h"
146#include "x509.h"
147
148#define SSL_FILETYPE_ASN1 X509_FILETYPE_ASN1
149#define SSL_FILETYPE_PEM X509_FILETYPE_PEM
150
151/* This is needed to stop compilers complaining about the
152 * 'struct ssl_st *' function parameters used to prototype callbacks
153 * in SSL_CTX. */
154typedef struct ssl_st *ssl_crock_st;
155
156/* used to hold info on the particular ciphers used */
157typedef struct ssl_cipher_st
158 {
159 int valid;
160 char *name; /* text name */
161 unsigned long id; /* id, 4 bytes, first is version */
162 unsigned long algorithms; /* what ciphers are used */
163 unsigned long algorithm2; /* Extra flags */
164 unsigned long mask; /* used for matching */
165 } SSL_CIPHER;
166
167/* Used to hold functions for SSLv2 or SSLv3/TLSv1 functions */
168typedef struct ssl_method_st
169 {
170 int version;
171 int (*ssl_new)();
172 void (*ssl_clear)();
173 void (*ssl_free)();
174 int (*ssl_accept)();
175 int (*ssl_connect)();
176 int (*ssl_read)();
177 int (*ssl_peek)();
178 int (*ssl_write)();
179 int (*ssl_shutdown)();
180 int (*ssl_renegotiate)();
181 long (*ssl_ctrl)();
182 long (*ssl_ctx_ctrl)();
183 SSL_CIPHER *(*get_cipher_by_char)();
184 int (*put_cipher_by_char)();
185 int (*ssl_pending)();
186 int (*num_ciphers)();
187 SSL_CIPHER *(*get_cipher)();
188 struct ssl_method_st *(*get_ssl_method)();
189 long (*get_timeout)();
190 struct ssl3_enc_method *ssl3_enc; /* Extra SSLv3/TLS stuff */
191 } SSL_METHOD;
192
193typedef struct ssl_compression_st
194 {
195 char *stuff;
196 } SSL_COMPRESSION;
197
198/* Lets make this into an ASN.1 type structure as follows
199 * SSL_SESSION_ID ::= SEQUENCE {
200 * version INTEGER, -- structure version number
201 * SSLversion INTEGER, -- SSL version number
202 * Cipher OCTET_STRING, -- the 3 byte cipher ID
203 * Session_ID OCTET_STRING, -- the Session ID
204 * Master_key OCTET_STRING, -- the master key
205 * Key_Arg [ 0 ] IMPLICIT OCTET_STRING, -- the optional Key argument
206 * Time [ 1 ] EXPLICIT INTEGER, -- optional Start Time
207 * Timeout [ 2 ] EXPLICIT INTEGER, -- optional Timeout ins seconds
208 * Peer [ 3 ] EXPLICIT X509, -- optional Peer Certificate
209 * }
210 * Look in ssl/ssl_asn1.c for more details
211 * I'm using EXPLICIT tags so I can read the damn things using asn1parse :-).
212 */
213typedef struct ssl_session_st
214 {
215 int ssl_version; /* what ssl version session info is
216 * being kept in here? */
217
218 /* only really used in SSLv2 */
219 unsigned int key_arg_length;
220 unsigned char key_arg[SSL_MAX_KEY_ARG_LENGTH];
221 int master_key_length;
222 unsigned char master_key[SSL_MAX_MASTER_KEY_LENGTH];
223 /* session_id - valid? */
224 unsigned int session_id_length;
225 unsigned char session_id[SSL_MAX_SSL_SESSION_ID_LENGTH];
226
227 int not_resumable;
228
229 /* The cert is the certificate used to establish this connection */
230 struct cert_st /* CERT */ *cert;
231
232 /* This is the cert for the other end. On servers, it will be
233 * the same as cert->x509 */
234 X509 *peer;
235
236 int references;
237 long timeout;
238 long time;
239
240 SSL_COMPRESSION *read_compression;
241 SSL_COMPRESSION *write_compression;
242
243 SSL_CIPHER *cipher;
244 unsigned long cipher_id; /* when ASN.1 loaded, this
245 * needs to be used to load
246 * the 'cipher' structure */
247
248 STACK /* SSL_CIPHER */ *ciphers; /* shared ciphers? */
249
250 CRYPTO_EX_DATA ex_data; /* application specific data */
251
252 /* These are used to make removal of session-ids more
253 * efficient and to implement a maximum cache size. */
254 struct ssl_session_st *prev,*next;
255 } SSL_SESSION;
256
257#define SSL_OP_MICROSOFT_SESS_ID_BUG 0x00000001L
258#define SSL_OP_NETSCAPE_CHALLENGE_BUG 0x00000002L
259#define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG 0x00000008L
260#define SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG 0x00000010L
261#define SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER 0x00000020L
262#define SSL_OP_MSIE_SSLV2_RSA_PADDING 0x00000040L
263#define SSL_OP_SSLEAY_080_CLIENT_DH_BUG 0x00000080L
264#define SSL_OP_TLS_D5_BUG 0x00000100L
265#define SSL_OP_TLS_BLOCK_PADDING_BUG 0x00000200L
266
267/* If set, only use tmp_dh parameters once */
268#define SSL_OP_SINGLE_DH_USE 0x00100000L
269/* Set to also use the tmp_rsa key when doing RSA operations. */
270#define SSL_OP_EPHEMERAL_RSA 0x00200000L
271
272#define SSL_OP_NETSCAPE_CA_DN_BUG 0x20000000L
273#define SSL_OP_NON_EXPORT_FIRST 0x40000000L
274#define SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG 0x80000000L
275#define SSL_OP_ALL 0x000FFFFFL
276
277#define SSL_CTX_set_options(ctx,op) ((ctx)->options|=(op))
278#define SSL_set_options(ssl,op) ((ssl)->options|=(op))
279
280#define SSL_OP_NO_SSLv2 0x01000000L
281#define SSL_OP_NO_SSLv3 0x02000000L
282#define SSL_OP_NO_TLSv1 0x04000000L
283
284/* Normally you will only use these if your application wants to use
285 * the certificate store in other places, perhaps PKCS7 */
286#define SSL_CTX_get_cert_store(ctx) ((ctx)->cert_store)
287#define SSL_CTX_set_cert_store(ctx,cs) \
288 (X509_STORE_free((ctx)->cert_store),(ctx)->cert_store=(cs))
289
290
291#define SSL_SESSION_CACHE_MAX_SIZE_DEFAULT (1024*20)
292
293typedef struct ssl_ctx_st
294 {
295 SSL_METHOD *method;
296 unsigned long options;
297
298 STACK /* SSL_CIPHER */ *cipher_list;
299 /* same as above but sorted for lookup */
300 STACK /* SSL_CIPHER */ *cipher_list_by_id;
301
302 struct x509_store_st /* X509_STORE */ *cert_store;
303 struct lhash_st /* LHASH */ *sessions; /* a set of SSL_SESSION's */
304 /* Most session-ids that will be cached, default is
305 * SSL_SESSION_CACHE_SIZE_DEFAULT. 0 is unlimited. */
306 unsigned long session_cache_size;
307 struct ssl_session_st *session_cache_head;
308 struct ssl_session_st *session_cache_tail;
309
310 /* This can have one of 2 values, ored together,
311 * SSL_SESS_CACHE_CLIENT,
312 * SSL_SESS_CACHE_SERVER,
313 * Default is SSL_SESSION_CACHE_SERVER, which means only
314 * SSL_accept which cache SSL_SESSIONS. */
315 int session_cache_mode;
316
317 /* If timeout is not 0, it is the default timeout value set
318 * when SSL_new() is called. This has been put in to make
319 * life easier to set things up */
320 long session_timeout;
321
322 /* If this callback is not null, it will be called each
323 * time a session id is added to the cache. If this function
324 * returns 1, it means that the callback will do a
325 * SSL_SESSION_free() when it has finished using it. Otherwise,
326 * on 0, it means the callback has finished with it.
327 * If remove_session_cb is not null, it will be called when
328 * a session-id is removed from the cache. Again, a return
329 * of 0 mens that SSLeay should not SSL_SESSION_free() since
330 * the application is doing something with it. */
331#ifndef NOPROTO
332 int (*new_session_cb)(struct ssl_st *ssl,SSL_SESSION *sess);
333 void (*remove_session_cb)(struct ssl_ctx_st *ctx,SSL_SESSION *sess);
334 SSL_SESSION *(*get_session_cb)(struct ssl_st *ssl,
335 unsigned char *data,int len,int *copy);
336#else
337 int (*new_session_cb)();
338 void (*remove_session_cb)();
339 SSL_SESSION *(*get_session_cb)();
340#endif
341
342 int sess_connect; /* SSL new connection - started */
343 int sess_connect_renegotiate;/* SSL renegotiatene - requested */
344 int sess_connect_good; /* SSL new connection/renegotiate - finished */
345 int sess_accept; /* SSL new accept - started */
346 int sess_accept_renegotiate;/* SSL renegotiatene - requested */
347 int sess_accept_good; /* SSL accept/renegotiate - finished */
348 int sess_miss; /* session lookup misses */
349 int sess_timeout; /* session reuse attempt on timeouted session */
350 int sess_cache_full; /* session removed due to full cache */
351 int sess_hit; /* session reuse actually done */
352 int sess_cb_hit; /* session-id that was not in the cache was
353 * passed back via the callback. This
354 * indicates that the application is supplying
355 * session-id's from other processes -
356 * spooky :-) */
357
358 int references;
359
360 void (*info_callback)();
361
362 /* if defined, these override the X509_verify_cert() calls */
363 int (*app_verify_callback)();
364 char *app_verify_arg;
365
366 /* default values to use in SSL structures */
367 struct cert_st /* CERT */ *default_cert;
368 int default_read_ahead;
369 int default_verify_mode;
370 int (*default_verify_callback)();
371
372 /* Default password callback. */
373 int (*default_passwd_callback)();
374
375 /* get client cert callback */
376 int (*client_cert_cb)(/* SSL *ssl, X509 **x509, EVP_PKEY **pkey */);
377
378 /* what we put in client requests */
379 STACK *client_CA;
380
381 int quiet_shutdown;
382
383 CRYPTO_EX_DATA ex_data;
384
385 EVP_MD *rsa_md5;/* For SSLv2 - name is 'ssl2-md5' */
386 EVP_MD *md5; /* For SSLv3/TLSv1 'ssl3-md5' */
387 EVP_MD *sha1; /* For SSLv3/TLSv1 'ssl3->sha1' */
388 } SSL_CTX;
389
390#define SSL_SESS_CACHE_OFF 0x0000
391#define SSL_SESS_CACHE_CLIENT 0x0001
392#define SSL_SESS_CACHE_SERVER 0x0002
393#define SSL_SESS_CACHE_BOTH (SSL_SESS_CACHE_CLIENT|SSL_SESS_CACHE_SERVER)
394#define SSL_SESS_CACHE_NO_AUTO_CLEAR 0x0080
395/* This one, when set, makes the server session-id lookup not look
396 * in the cache. If there is an application get_session callback
397 * defined, this will still get called. */
398#define SSL_SESS_CACHE_NO_INTERNAL_LOOKUP 0x0100
399
400#define SSL_CTX_sessions(ctx) ((ctx)->sessions)
401/* You will need to include lhash.h to access the following #define */
402#define SSL_CTX_sess_number(ctx) ((ctx)->sessions->num_items)
403#define SSL_CTX_sess_connect(ctx) ((ctx)->sess_connect)
404#define SSL_CTX_sess_connect_good(ctx) ((ctx)->sess_connect_good)
405#define SSL_CTX_sess_accept(ctx) ((ctx)->sess_accept)
406#define SSL_CTX_sess_accept_renegotiate(ctx) ((ctx)->sess_accept_renegotiate)
407#define SSL_CTX_sess_connect_renegotiate(ctx) ((ctx)->sess_connect_renegotiate)
408#define SSL_CTX_sess_accept_good(ctx) ((ctx)->sess_accept_good)
409#define SSL_CTX_sess_hits(ctx) ((ctx)->sess_hit)
410#define SSL_CTX_sess_cb_hits(ctx) ((ctx)->sess_cb_hit)
411#define SSL_CTX_sess_misses(ctx) ((ctx)->sess_miss)
412#define SSL_CTX_sess_timeouts(ctx) ((ctx)->sess_timeout)
413#define SSL_CTX_sess_cache_full(ctx) ((ctx)->sess_cache_full)
414
415#define SSL_CTX_sess_set_cache_size(ctx,t) ((ctx)->session_cache_size=(t))
416#define SSL_CTX_sess_get_cache_size(ctx) ((ctx)->session_cache_size)
417
418#define SSL_CTX_sess_set_new_cb(ctx,cb) ((ctx)->new_session_cb=(cb))
419#define SSL_CTX_sess_get_new_cb(ctx) ((ctx)->new_session_cb)
420#define SSL_CTX_sess_set_remove_cb(ctx,cb) ((ctx)->remove_session_cb=(cb))
421#define SSL_CTX_sess_get_remove_cb(ctx) ((ctx)->remove_session_cb)
422#define SSL_CTX_sess_set_get_cb(ctx,cb) ((ctx)->get_session_cb=(cb))
423#define SSL_CTX_sess_get_get_cb(ctx) ((ctx)->get_session_cb)
424#define SSL_CTX_set_session_cache_mode(ctx,m) ((ctx)->session_cache_mode=(m))
425#define SSL_CTX_get_session_cache_mode(ctx) ((ctx)->session_cache_mode)
426#define SSL_CTX_set_timeout(ctx,t) ((ctx)->session_timeout=(t))
427#define SSL_CTX_get_timeout(ctx) ((ctx)->session_timeout)
428
429#define SSL_CTX_set_info_callback(ctx,cb) ((ctx)->info_callback=(cb))
430#define SSL_CTX_get_info_callback(ctx) ((ctx)->info_callback)
431#define SSL_CTX_set_default_read_ahead(ctx,m) (((ctx)->default_read_ahead)=(m))
432
433#define SSL_CTX_set_client_cert_cb(ctx,cb) ((ctx)->client_cert_cb=(cb))
434#define SSL_CTX_get_client_cert_cb(ctx) ((ctx)->client_cert_cb)
435
436#define SSL_NOTHING 1
437#define SSL_WRITING 2
438#define SSL_READING 3
439#define SSL_X509_LOOKUP 4
440
441/* These will only be used when doing non-blocking IO */
442#define SSL_want(s) ((s)->rwstate)
443#define SSL_want_nothing(s) ((s)->rwstate == SSL_NOTHING)
444#define SSL_want_read(s) ((s)->rwstate == SSL_READING)
445#define SSL_want_write(s) ((s)->rwstate == SSL_WRITING)
446#define SSL_want_x509_lookup(s) ((s)->rwstate == SSL_X509_LOOKUP)
447
448typedef struct ssl_st
449 {
450 /* procol version
451 * 2 for SSLv2
452 * 3 for SSLv3
453 * -3 for SSLv3 but accept SSLv2 */
454 int version;
455 int type; /* SSL_ST_CONNECT or SSL_ST_ACCEPT */
456
457 SSL_METHOD *method; /* SSLv3 */
458
459 /* There are 2 BIO's even though they are normally both the
460 * same. This is so data can be read and written to different
461 * handlers */
462
463#ifdef HEADER_BIO_H
464 BIO *rbio; /* used by SSL_read */
465 BIO *wbio; /* used by SSL_write */
466 BIO *bbio; /* used during session-id reuse to concatinate
467 * messages */
468#else
469 char *rbio; /* used by SSL_read */
470 char *wbio; /* used by SSL_write */
471 char *bbio;
472#endif
473 /* This holds a variable that indicates what we were doing
474 * when a 0 or -1 is returned. This is needed for
475 * non-blocking IO so we know what request needs re-doing when
476 * in SSL_accept or SSL_connect */
477 int rwstate;
478
479 /* true when we are actually in SSL_accept() or SSL_connect() */
480 int in_handshake;
481 int (*handshake_func)();
482
483/* int server;*/ /* are we the server side? */
484
485 int new_session;/* 1 if we are to use a new session */
486 int quiet_shutdown;/* don't send shutdown packets */
487 int shutdown; /* we have shut things down, 0x01 sent, 0x02
488 * for received */
489 int state; /* where we are */
490 int rstate; /* where we are when reading */
491
492 BUF_MEM *init_buf; /* buffer used during init */
493 int init_num; /* amount read/written */
494 int init_off; /* amount read/written */
495
496 /* used internally to point at a raw packet */
497 unsigned char *packet;
498 unsigned int packet_length;
499
500 struct ssl2_ctx_st *s2; /* SSLv2 variables */
501 struct ssl3_ctx_st *s3; /* SSLv3 variables */
502
503 int read_ahead; /* Read as many input bytes as possible */
504 int hit; /* reusing a previous session */
505
506 /* crypto */
507 STACK /* SSL_CIPHER */ *cipher_list;
508 STACK /* SSL_CIPHER */ *cipher_list_by_id;
509
510 /* These are the ones being used, the ones is SSL_SESSION are
511 * the ones to be 'copied' into these ones */
512
513 EVP_CIPHER_CTX *enc_read_ctx; /* cryptographic state */
514 EVP_MD *read_hash; /* used for mac generation */
515 SSL_COMPRESSION *read_compression; /* compression */
516
517 EVP_CIPHER_CTX *enc_write_ctx; /* cryptographic state */
518 EVP_MD *write_hash; /* used for mac generation */
519 SSL_COMPRESSION *write_compression; /* compression */
520
521 /* session info */
522
523 /* client cert? */
524 /* This is used to hold the server certificate used */
525 struct cert_st /* CERT */ *cert;
526
527 /* This can also be in the session once a session is established */
528 SSL_SESSION *session;
529
530 /* Used in SSL2 and SSL3 */
531 int verify_mode; /* 0 don't care about verify failure.
532 * 1 fail if verify fails */
533 int (*verify_callback)(); /* fail if callback returns 0 */
534 void (*info_callback)(); /* optional informational callback */
535
536 int error; /* error bytes to be written */
537 int error_code; /* actual code */
538
539 SSL_CTX *ctx;
540 /* set this flag to 1 and a sleep(1) is put into all SSL_read()
541 * and SSL_write() calls, good for nbio debuging :-) */
542 int debug;
543
544 /* extra application data */
545 long verify_result;
546 CRYPTO_EX_DATA ex_data;
547
548 /* for server side, keep the list of CA_dn we can use */
549 STACK /* X509_NAME */ *client_CA;
550
551 int references;
552 unsigned long options;
553 int first_packet;
554 } SSL;
555
556#include "ssl2.h"
557#include "ssl3.h"
558#include "tls1.h" /* This is mostly sslv3 with a few tweaks */
559#include "ssl23.h"
560
561/* compatablity */
562#define SSL_set_app_data(s,arg) (SSL_set_ex_data(s,0,(char *)arg))
563#define SSL_get_app_data(s) (SSL_get_ex_data(s,0))
564#define SSL_SESSION_set_app_data(s,a) (SSL_SESSION_set_ex_data(s,0,(char *)a))
565#define SSL_SESSION_get_app_data(s) (SSL_SESSION_get_ex_data(s,0))
566#define SSL_CTX_get_app_data(ctx) (SSL_CTX_get_ex_data(ctx,0))
567#define SSL_CTX_set_app_data(ctx,arg) (SSL_CTX_set_ex_data(ctx,0,(char *)arg))
568
569/* The following are the possible values for ssl->state are are
570 * used to indicate where we are upto in the SSL connection establishment.
571 * The macros that follow are about the only things you should need to use
572 * and even then, only when using non-blocking IO.
573 * It can also be useful to work out where you were when the connection
574 * failed */
575
576#define SSL_ST_CONNECT 0x1000
577#define SSL_ST_ACCEPT 0x2000
578#define SSL_ST_MASK 0x0FFF
579#define SSL_ST_INIT (SSL_ST_CONNECT|SSL_ST_ACCEPT)
580#define SSL_ST_BEFORE 0x4000
581#define SSL_ST_OK 0x03
582#define SSL_ST_RENEGOTIATE (0x04|SSL_ST_INIT)
583
584#define SSL_CB_LOOP 0x01
585#define SSL_CB_EXIT 0x02
586#define SSL_CB_READ 0x04
587#define SSL_CB_WRITE 0x08
588#define SSL_CB_ALERT 0x4000 /* used in callback */
589#define SSL_CB_READ_ALERT (SSL_CB_ALERT|SSL_CB_READ)
590#define SSL_CB_WRITE_ALERT (SSL_CB_ALERT|SSL_CB_WRITE)
591#define SSL_CB_ACCEPT_LOOP (SSL_ST_ACCEPT|SSL_CB_LOOP)
592#define SSL_CB_ACCEPT_EXIT (SSL_ST_ACCEPT|SSL_CB_EXIT)
593#define SSL_CB_CONNECT_LOOP (SSL_ST_CONNECT|SSL_CB_LOOP)
594#define SSL_CB_CONNECT_EXIT (SSL_ST_CONNECT|SSL_CB_EXIT)
595#define SSL_CB_HANDSHAKE_START 0x10
596#define SSL_CB_HANDSHAKE_DONE 0x20
597
598/* Is the SSL_connection established? */
599#define SSL_get_state(a) SSL_state(a)
600#define SSL_is_init_finished(a) (SSL_state(a) == SSL_ST_OK)
601#define SSL_in_init(a) (SSL_state(a)&SSL_ST_INIT)
602#define SSL_in_before(a) (SSL_state(a)&SSL_ST_BEFORE)
603#define SSL_in_connect_init(a) (SSL_state(a)&SSL_ST_CONNECT)
604#define SSL_in_accept_init(a) (SSL_state(a)&SSL_ST_ACCEPT)
605
606/* The following 2 states are kept in ssl->rstate when reads fail,
607 * you should not need these */
608#define SSL_ST_READ_HEADER 0xF0
609#define SSL_ST_READ_BODY 0xF1
610#define SSL_ST_READ_DONE 0xF2
611
612/* use either SSL_VERIFY_NONE or SSL_VERIFY_PEER, the last 2 options
613 * are 'ored' with SSL_VERIFY_PEER if they are desired */
614#define SSL_VERIFY_NONE 0x00
615#define SSL_VERIFY_PEER 0x01
616#define SSL_VERIFY_FAIL_IF_NO_PEER_CERT 0x02
617#define SSL_VERIFY_CLIENT_ONCE 0x04
618
619/* this is for backward compatablility */
620#if 0 /* NEW_SSLEAY */
621#define SSL_CTX_set_default_verify(a,b,c) SSL_CTX_set_verify(a,b,c)
622#define SSL_set_pref_cipher(c,n) SSL_set_cipher_list(c,n)
623#define SSL_add_session(a,b) SSL_CTX_add_session((a),(b))
624#define SSL_remove_session(a,b) SSL_CTX_remove_session((a),(b))
625#define SSL_flush_sessions(a,b) SSL_CTX_flush_sessions((a),(b))
626#endif
627/* More backward compatablity */
628#define SSL_get_cipher(s) \
629 SSL_CIPHER_get_name(SSL_get_current_cipher(s))
630#define SSL_get_cipher_bits(s,np) \
631 SSL_CIPHER_get_bits(SSL_get_current_cipher(s),np)
632#define SSL_get_cipher_version(s) \
633 SSL_CIPHER_get_version(SSL_get_current_cipher(s))
634#define SSL_get_cipher_name(s) \
635 SSL_CIPHER_get_name(SSL_get_current_cipher(s))
636#define SSL_get_time(a) SSL_SESSION_get_time(a)
637#define SSL_set_time(a,b) SSL_SESSION_set_time((a),(b))
638#define SSL_get_timeout(a) SSL_SESSION_get_timeout(a)
639#define SSL_set_timeout(a,b) SSL_SESSION_set_timeout((a),(b))
640
641/* VMS linker has a 31 char name limit */
642#define SSL_CTX_set_cert_verify_callback(a,b,c) \
643 SSL_CTX_set_cert_verify_cb((a),(b),(c))
644
645#if 1 /*SSLEAY_MACROS*/
646#define d2i_SSL_SESSION_bio(bp,s_id) (SSL_SESSION *)ASN1_d2i_bio( \
647 (char *(*)())SSL_SESSION_new,(char *(*)())d2i_SSL_SESSION, \
648 (bp),(unsigned char **)(s_id))
649#define i2d_SSL_SESSION_bio(bp,s_id) ASN1_i2d_bio(i2d_SSL_SESSION, \
650 bp,(unsigned char *)s_id)
651#define PEM_read_SSL_SESSION(fp,x,cb) (SSL_SESSION *)PEM_ASN1_read( \
652 (char *(*)())d2i_SSL_SESSION,PEM_STRING_SSL_SESSION,fp,(char **)x,cb)
653#define PEM_read_bio_SSL_SESSION(bp,x,cb) (SSL_SESSION *)PEM_ASN1_read_bio( \
654 (char *(*)())d2i_SSL_SESSION,PEM_STRING_SSL_SESSION,bp,(char **)x,cb)
655#define PEM_write_SSL_SESSION(fp,x) \
656 PEM_ASN1_write((int (*)())i2d_SSL_SESSION, \
657 PEM_STRING_SSL_SESSION,fp, (char *)x, NULL,NULL,0,NULL)
658#define PEM_write_bio_SSL_SESSION(bp,x) \
659 PEM_ASN1_write_bio((int (*)())i2d_SSL_SESSION, \
660 PEM_STRING_SSL_SESSION,bp, (char *)x, NULL,NULL,0,NULL)
661#endif
662
663/* These alert types are for SSLv3 and TLSv1 */
664#define SSL_AD_CLOSE_NOTIFY SSL3_AD_CLOSE_NOTIFY
665#define SSL_AD_UNEXPECTED_MESSAGE SSL3_AD_UNEXPECTED_MESSAGE /* fatal */
666#define SSL_AD_BAD_RECORD_MAC SSL3_AD_BAD_RECORD_MAC /* fatal */
667#define SSL_AD_DECRYPTION_FAILED TLS1_AD_DECRYPTION_FAILED
668#define SSL_AD_RECORD_OVERFLOW TLS1_AD_RECORD_OVERFLOW
669#define SSL_AD_DECOMPRESSION_FAILURE SSL3_AD_DECOMPRESSION_FAILURE/* fatal */
670#define SSL_AD_HANDSHAKE_FAILURE SSL3_AD_HANDSHAKE_FAILURE/* fatal */
671#define SSL_AD_NO_CERTIFICATE SSL3_AD_NO_CERTIFICATE /* Not for TLS */
672#define SSL_AD_BAD_CERTIFICATE SSL3_AD_BAD_CERTIFICATE
673#define SSL_AD_UNSUPPORTED_CERTIFICATE SSL3_AD_UNSUPPORTED_CERTIFICATE
674#define SSL_AD_CERTIFICATE_REVOKED SSL3_AD_CERTIFICATE_REVOKED
675#define SSL_AD_CERTIFICATE_EXPIRED SSL3_AD_CERTIFICATE_EXPIRED
676#define SSL_AD_CERTIFICATE_UNKNOWN SSL3_AD_CERTIFICATE_UNKNOWN
677#define SSL_AD_ILLEGAL_PARAMETER SSL3_AD_ILLEGAL_PARAMETER /* fatal */
678#define SSL_AD_UNKNOWN_CA TLS1_AD_UNKNOWN_CA /* fatal */
679#define SSL_AD_ACCESS_DENIED TLS1_AD_ACCESS_DENIED /* fatal */
680#define SSL_AD_DECODE_ERROR TLS1_AD_DECODE_ERROR /* fatal */
681#define SSL_AD_DECRYPT_ERROR TLS1_AD_DECRYPT_ERROR
682#define SSL_AD_EXPORT_RESTRICION TLS1_AD_EXPORT_RESTRICION/* fatal */
683#define SSL_AD_PROTOCOL_VERSION TLS1_AD_PROTOCOL_VERSION /* fatal */
684#define SSL_AD_INSUFFICIENT_SECURITY TLS1_AD_INSUFFICIENT_SECURITY/* fatal */
685#define SSL_AD_INTERNAL_ERROR TLS1_AD_INTERNAL_ERROR /* fatal */
686#define SSL_AD_USER_CANCLED TLS1_AD_USER_CANCLED
687#define SSL_AD_NO_RENEGOTIATION TLS1_AD_NO_RENEGOTIATION
688
689#define SSL_ERROR_NONE 0
690#define SSL_ERROR_SSL 1
691#define SSL_ERROR_WANT_READ 2
692#define SSL_ERROR_WANT_WRITE 3
693#define SSL_ERROR_WANT_X509_LOOKUP 4
694#define SSL_ERROR_SYSCALL 5 /* look at errno */
695#define SSL_ERROR_ZERO_RETURN 6
696#define SSL_ERROR_WANT_CONNECT 7
697
698#define SSL_CTRL_NEED_TMP_RSA 1
699#define SSL_CTRL_SET_TMP_RSA 2
700#define SSL_CTRL_SET_TMP_DH 3
701#define SSL_CTRL_SET_TMP_RSA_CB 4
702#define SSL_CTRL_SET_TMP_DH_CB 5
703/* Add these ones */
704#define SSL_CTRL_GET_SESSION_REUSED 6
705#define SSL_CTRL_GET_CLIENT_CERT_REQUEST 7
706#define SSL_CTRL_GET_NUM_RENEGOTIATIONS 8
707#define SSL_CTRL_CLEAR_NUM_RENEGOTIATIONS 9
708#define SSL_CTRL_GET_TOTAL_RENEGOTIATIONS 10
709
710#define SSL_session_reused(ssl) \
711 SSL_ctrl((ssl),SSL_CTRL_GET_SESSION_REUSED,0,NULL)
712#define SSL_num_renegotiations(ssl) \
713 SSL_ctrl((ssl),SSL_CTRL_GET_NUM_RENEGOTIATIONS,0,NULL)
714#define SSL_clear_num_renegotiations(ssl) \
715 SSL_ctrl((ssl),SSL_CTRL_CLEAR_NUM_RENEGOTIATIONS,0,NULL)
716#define SSL_total_renegotiations(ssl) \
717 SSL_ctrl((ssl),SSL_CTRL_GET_TOTAL_RENEGOTIATIONS,0,NULL)
718
719#define SSL_CTX_need_tmp_RSA(ctx) \
720 SSL_CTX_ctrl(ctx,SSL_CTRL_NEED_TMP_RSA,0,NULL)
721#define SSL_CTX_set_tmp_rsa(ctx,rsa) \
722 SSL_CTX_ctrl(ctx,SSL_CTRL_SET_TMP_RSA,0,(char *)rsa)
723#define SSL_CTX_set_tmp_dh(ctx,dh) \
724 SSL_CTX_ctrl(ctx,SSL_CTRL_SET_TMP_DH,0,(char *)dh)
725
726/* For the next 2, the callbacks are
727 * RSA *tmp_rsa_cb(int export)
728 * DH *tmp_dh_cb(int export)
729 */
730#define SSL_CTX_set_tmp_rsa_callback(ctx,cb) \
731 SSL_CTX_ctrl(ctx,SSL_CTRL_SET_TMP_RSA_CB,0,(char *)cb)
732#define SSL_CTX_set_tmp_dh_callback(ctx,dh) \
733 SSL_CTX_ctrl(ctx,SSL_CTRL_SET_TMP_DH_CB,0,(char *)dh)
734
735#ifndef NOPROTO
736
737#ifdef HEADER_BIO_H
738BIO_METHOD *BIO_f_ssl(void);
739BIO *BIO_new_ssl(SSL_CTX *ctx,int client);
740BIO *BIO_new_ssl_connect(SSL_CTX *ctx);
741BIO *BIO_new_buffer_ssl_connect(SSL_CTX *ctx);
742int BIO_ssl_copy_session_id(BIO *to,BIO *from);
743void BIO_ssl_shutdown(BIO *ssl_bio);
744
745#endif
746
747int SSL_CTX_set_cipher_list(SSL_CTX *,char *str);
748SSL_CTX *SSL_CTX_new(SSL_METHOD *meth);
749void SSL_CTX_free(SSL_CTX *);
750void SSL_clear(SSL *s);
751void SSL_CTX_flush_sessions(SSL_CTX *ctx,long tm);
752
753SSL_CIPHER *SSL_get_current_cipher(SSL *s);
754int SSL_CIPHER_get_bits(SSL_CIPHER *c,int *alg_bits);
755char * SSL_CIPHER_get_version(SSL_CIPHER *c);
756char * SSL_CIPHER_get_name(SSL_CIPHER *c);
757
758int SSL_get_fd(SSL *s);
759char * SSL_get_cipher_list(SSL *s,int n);
760char * SSL_get_shared_ciphers(SSL *s, char *buf, int len);
761int SSL_get_read_ahead(SSL * s);
762int SSL_pending(SSL *s);
763#ifndef NO_SOCK
764int SSL_set_fd(SSL *s, int fd);
765int SSL_set_rfd(SSL *s, int fd);
766int SSL_set_wfd(SSL *s, int fd);
767#endif
768#ifdef HEADER_BIO_H
769void SSL_set_bio(SSL *s, BIO *rbio,BIO *wbio);
770BIO * SSL_get_rbio(SSL *s);
771BIO * SSL_get_wbio(SSL *s);
772#endif
773int SSL_set_cipher_list(SSL *s, char *str);
774void SSL_set_read_ahead(SSL *s, int yes);
775int SSL_get_verify_mode(SSL *s);
776int (*SSL_get_verify_callback(SSL *s))();
777void SSL_set_verify(SSL *s, int mode, int (*callback) ());
778int SSL_use_RSAPrivateKey(SSL *ssl, RSA *rsa);
779int SSL_use_RSAPrivateKey_ASN1(SSL *ssl, unsigned char *d, long len);
780int SSL_use_PrivateKey(SSL *ssl, EVP_PKEY *pkey);
781int SSL_use_PrivateKey_ASN1(int pk,SSL *ssl, unsigned char *d, long len);
782int SSL_use_certificate(SSL *ssl, X509 *x);
783int SSL_use_certificate_ASN1(SSL *ssl, int len, unsigned char *d);
784
785#ifndef NO_STDIO
786int SSL_use_RSAPrivateKey_file(SSL *ssl, char *file, int type);
787int SSL_use_PrivateKey_file(SSL *ssl, char *file, int type);
788int SSL_use_certificate_file(SSL *ssl, char *file, int type);
789int SSL_CTX_use_RSAPrivateKey_file(SSL_CTX *ctx, char *file, int type);
790int SSL_CTX_use_PrivateKey_file(SSL_CTX *ctx, char *file, int type);
791int SSL_CTX_use_certificate_file(SSL_CTX *ctx, char *file, int type);
792STACK * SSL_load_client_CA_file(char *file);
793#endif
794
795void ERR_load_SSL_strings(void );
796void SSL_load_error_strings(void );
797char * SSL_state_string(SSL *s);
798char * SSL_rstate_string(SSL *s);
799char * SSL_state_string_long(SSL *s);
800char * SSL_rstate_string_long(SSL *s);
801long SSL_SESSION_get_time(SSL_SESSION *s);
802long SSL_SESSION_set_time(SSL_SESSION *s, long t);
803long SSL_SESSION_get_timeout(SSL_SESSION *s);
804long SSL_SESSION_set_timeout(SSL_SESSION *s, long t);
805void SSL_copy_session_id(SSL *to,SSL *from);
806
807SSL_SESSION *SSL_SESSION_new(void);
808unsigned long SSL_SESSION_hash(SSL_SESSION *a);
809int SSL_SESSION_cmp(SSL_SESSION *a,SSL_SESSION *b);
810#ifndef NO_FP_API
811int SSL_SESSION_print_fp(FILE *fp,SSL_SESSION *ses);
812#endif
813#ifdef HEADER_BIO_H
814int SSL_SESSION_print(BIO *fp,SSL_SESSION *ses);
815#endif
816void SSL_SESSION_free(SSL_SESSION *ses);
817int i2d_SSL_SESSION(SSL_SESSION *in,unsigned char **pp);
818int SSL_set_session(SSL *to, SSL_SESSION *session);
819int SSL_CTX_add_session(SSL_CTX *s, SSL_SESSION *c);
820int SSL_CTX_remove_session(SSL_CTX *,SSL_SESSION *c);
821SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a,unsigned char **pp,long length);
822
823#ifdef HEADER_X509_H
824X509 * SSL_get_peer_certificate(SSL *s);
825#endif
826
827STACK * SSL_get_peer_cert_chain(SSL *s);
828
829int SSL_CTX_get_verify_mode(SSL_CTX *ctx);
830int (*SSL_CTX_get_verify_callback(SSL_CTX *ctx))();
831void SSL_CTX_set_verify(SSL_CTX *ctx,int mode,int (*callback)());
832void SSL_CTX_set_cert_verify_cb(SSL_CTX *ctx, int (*cb)(),char *arg);
833int SSL_CTX_use_RSAPrivateKey(SSL_CTX *ctx, RSA *rsa);
834int SSL_CTX_use_RSAPrivateKey_ASN1(SSL_CTX *ctx, unsigned char *d, long len);
835int SSL_CTX_use_PrivateKey(SSL_CTX *ctx, EVP_PKEY *pkey);
836int SSL_CTX_use_PrivateKey_ASN1(int pk,SSL_CTX *ctx,
837 unsigned char *d, long len);
838int SSL_CTX_use_certificate(SSL_CTX *ctx, X509 *x);
839int SSL_CTX_use_certificate_ASN1(SSL_CTX *ctx, int len, unsigned char *d);
840
841void SSL_CTX_set_default_passwd_cb(SSL_CTX *ctx,int (*cb)());
842
843int SSL_CTX_check_private_key(SSL_CTX *ctx);
844int SSL_check_private_key(SSL *ctx);
845
846SSL * SSL_new(SSL_CTX *ctx);
847void SSL_clear(SSL *s);
848void SSL_free(SSL *ssl);
849int SSL_accept(SSL *ssl);
850int SSL_connect(SSL *ssl);
851int SSL_read(SSL *ssl,char *buf,int num);
852int SSL_peek(SSL *ssl,char *buf,int num);
853int SSL_write(SSL *ssl,char *buf,int num);
854long SSL_ctrl(SSL *ssl,int cmd, long larg, char *parg);
855long SSL_CTX_ctrl(SSL_CTX *ctx,int cmd, long larg, char *parg);
856
857int SSL_get_error(SSL *s,int ret_code);
858char * SSL_get_version(SSL *s);
859
860/* This sets the 'default' SSL version that SSL_new() will create */
861int SSL_CTX_set_ssl_version(SSL_CTX *ctx,SSL_METHOD *meth);
862
863SSL_METHOD *SSLv2_method(void); /* SSLv2 */
864SSL_METHOD *SSLv2_server_method(void); /* SSLv2 */
865SSL_METHOD *SSLv2_client_method(void); /* SSLv2 */
866
867SSL_METHOD *SSLv3_method(void); /* SSLv3 */
868SSL_METHOD *SSLv3_server_method(void); /* SSLv3 */
869SSL_METHOD *SSLv3_client_method(void); /* SSLv3 */
870
871SSL_METHOD *SSLv23_method(void); /* SSLv3 but can rollback to v2 */
872SSL_METHOD *SSLv23_server_method(void); /* SSLv3 but can rollback to v2 */
873SSL_METHOD *SSLv23_client_method(void); /* SSLv3 but can rollback to v2 */
874
875SSL_METHOD *TLSv1_method(void); /* TLSv1.0 */
876SSL_METHOD *TLSv1_server_method(void); /* TLSv1.0 */
877SSL_METHOD *TLSv1_client_method(void); /* TLSv1.0 */
878
879STACK *SSL_get_ciphers(SSL *s);
880
881int SSL_do_handshake(SSL *s);
882int SSL_renegotiate(SSL *s);
883int SSL_shutdown(SSL *s);
884
885SSL_METHOD *SSL_get_ssl_method(SSL *s);
886int SSL_set_ssl_method(SSL *s,SSL_METHOD *method);
887char *SSL_alert_type_string_long(int value);
888char *SSL_alert_type_string(int value);
889char *SSL_alert_desc_string_long(int value);
890char *SSL_alert_desc_string(int value);
891
892void SSL_set_client_CA_list(SSL *s, STACK *list);
893void SSL_CTX_set_client_CA_list(SSL_CTX *ctx, STACK *list);
894STACK *SSL_get_client_CA_list(SSL *s);
895STACK *SSL_CTX_get_client_CA_list(SSL_CTX *s);
896int SSL_add_client_CA(SSL *ssl,X509 *x);
897int SSL_CTX_add_client_CA(SSL_CTX *ctx,X509 *x);
898
899void SSL_set_connect_state(SSL *s);
900void SSL_set_accept_state(SSL *s);
901
902long SSL_get_default_timeout(SSL *s);
903
904void SSLeay_add_ssl_algorithms(void );
905
906char *SSL_CIPHER_description(SSL_CIPHER *,char *buf,int size);
907STACK *SSL_dup_CA_list(STACK *sk);
908
909SSL *SSL_dup(SSL *ssl);
910
911X509 *SSL_get_certificate(SSL *ssl);
912/* EVP_PKEY */ struct evp_pkey_st *SSL_get_privatekey(SSL *ssl);
913
914void SSL_CTX_set_quiet_shutdown(SSL_CTX *ctx,int mode);
915int SSL_CTX_get_quiet_shutdown(SSL_CTX *ctx);
916void SSL_set_quiet_shutdown(SSL *ssl,int mode);
917int SSL_get_quiet_shutdown(SSL *ssl);
918void SSL_set_shutdown(SSL *ssl,int mode);
919int SSL_get_shutdown(SSL *ssl);
920int SSL_version(SSL *ssl);
921int SSL_CTX_set_default_verify_paths(SSL_CTX *ctx);
922int SSL_CTX_load_verify_locations(SSL_CTX *ctx,char *CAfile,char *CApath);
923SSL_SESSION *SSL_get_session(SSL *ssl);
924SSL_CTX *SSL_get_SSL_CTX(SSL *ssl);
925void SSL_set_info_callback(SSL *ssl,void (*cb)());
926void (*SSL_get_info_callback(SSL *ssl))();
927int SSL_state(SSL *ssl);
928
929void SSL_set_verify_result(SSL *ssl,long v);
930long SSL_get_verify_result(SSL *ssl);
931
932int SSL_set_ex_data(SSL *ssl,int idx,char *data);
933char *SSL_get_ex_data(SSL *ssl,int idx);
934int SSL_get_ex_new_index(long argl, char *argp, int (*new_func)(),
935 int (*dup_func)(), void (*free_func)());
936
937int SSL_SESSION_set_ex_data(SSL_SESSION *ss,int idx,char *data);
938char *SSL_SESSION_get_ex_data(SSL_SESSION *ss,int idx);
939int SSL_SESSION_get_ex_new_index(long argl, char *argp, int (*new_func)(),
940 int (*dup_func)(), void (*free_func)());
941
942int SSL_CTX_set_ex_data(SSL_CTX *ssl,int idx,char *data);
943char *SSL_CTX_get_ex_data(SSL_CTX *ssl,int idx);
944int SSL_CTX_get_ex_new_index(long argl, char *argp, int (*new_func)(),
945 int (*dup_func)(), void (*free_func)());
946
947#else
948
949BIO_METHOD *BIO_f_ssl();
950BIO *BIO_new_ssl();
951BIO *BIO_new_ssl_connect();
952BIO *BIO_new_buffer_ssl_connect();
953int BIO_ssl_copy_session_id();
954void BIO_ssl_shutdown();
955
956int SSL_CTX_set_cipher_list();
957SSL_CTX *SSL_CTX_new();
958void SSL_CTX_free();
959void SSL_clear();
960void SSL_CTX_flush_sessions();
961
962SSL_CIPHER *SSL_get_current_cipher();
963int SSL_CIPHER_get_bits();
964char * SSL_CIPHER_get_version();
965char * SSL_CIPHER_get_name();
966
967int SSL_get_fd();
968char * SSL_get_cipher_list();
969char * SSL_get_shared_ciphers();
970int SSL_get_read_ahead();
971int SSL_pending();
972#ifndef NO_SOCK
973int SSL_set_fd();
974int SSL_set_rfd();
975int SSL_set_wfd();
976#endif
977#ifdef HEADER_BIO_H
978void SSL_set_bio();
979BIO * SSL_get_rbio();
980BIO * SSL_get_wbio();
981#endif
982int SSL_set_cipher_list();
983void SSL_set_read_ahead();
984int SSL_get_verify_mode();
985
986void SSL_set_verify();
987int SSL_use_RSAPrivateKey();
988int SSL_use_RSAPrivateKey_ASN1();
989int SSL_use_PrivateKey();
990int SSL_use_PrivateKey_ASN1();
991int SSL_use_certificate();
992int SSL_use_certificate_ASN1();
993
994#ifndef NO_STDIO
995int SSL_use_RSAPrivateKey_file();
996int SSL_use_PrivateKey_file();
997int SSL_use_certificate_file();
998int SSL_CTX_use_RSAPrivateKey_file();
999int SSL_CTX_use_PrivateKey_file();
1000int SSL_CTX_use_certificate_file();
1001STACK * SSL_load_client_CA_file();
1002#endif
1003
1004void ERR_load_SSL_strings();
1005void SSL_load_error_strings();
1006char * SSL_state_string();
1007char * SSL_rstate_string();
1008char * SSL_state_string_long();
1009char * SSL_rstate_string_long();
1010long SSL_SESSION_get_time();
1011long SSL_SESSION_set_time();
1012long SSL_SESSION_get_timeout();
1013long SSL_SESSION_set_timeout();
1014void SSL_copy_session_id();
1015
1016SSL_SESSION *SSL_SESSION_new();
1017unsigned long SSL_SESSION_hash();
1018int SSL_SESSION_cmp();
1019#ifndef NO_FP_API
1020int SSL_SESSION_print_fp();
1021#endif
1022#ifdef HEADER_BIO_H
1023int SSL_SESSION_print();
1024#endif
1025void SSL_SESSION_free();
1026int i2d_SSL_SESSION();
1027int SSL_set_session();
1028int SSL_CTX_add_session();
1029int SSL_CTX_remove_session();
1030SSL_SESSION *d2i_SSL_SESSION();
1031
1032#ifdef HEADER_X509_H
1033X509 * SSL_get_peer_certificate();
1034#endif
1035
1036STACK * SSL_get_peer_cert_chain();
1037
1038int SSL_CTX_get_verify_mode();
1039int (*SSL_CTX_get_verify_callback())();
1040void SSL_CTX_set_verify();
1041void SSL_CTX_set_cert_verify_cb();
1042int SSL_CTX_use_RSAPrivateKey();
1043int SSL_CTX_use_RSAPrivateKey_ASN1();
1044int SSL_CTX_use_PrivateKey();
1045int SSL_CTX_use_PrivateKey_ASN1();
1046int SSL_CTX_use_certificate();
1047int SSL_CTX_use_certificate_ASN1();
1048
1049void SSL_CTX_set_default_passwd_cb();
1050
1051int SSL_CTX_check_private_key();
1052int SSL_check_private_key();
1053
1054SSL * SSL_new();
1055void SSL_clear();
1056void SSL_free();
1057int SSL_accept();
1058int SSL_connect();
1059int SSL_read();
1060int SSL_peek();
1061int SSL_write();
1062long SSL_ctrl();
1063long SSL_CTX_ctrl();
1064
1065int SSL_get_error();
1066char * SSL_get_version();
1067
1068int SSL_CTX_set_ssl_version();
1069
1070SSL_METHOD *SSLv2_method();
1071SSL_METHOD *SSLv2_server_method();
1072SSL_METHOD *SSLv2_client_method();
1073
1074SSL_METHOD *SSLv3_method();
1075SSL_METHOD *SSLv3_server_method();
1076SSL_METHOD *SSLv3_client_method();
1077
1078SSL_METHOD *SSLv23_method();
1079SSL_METHOD *SSLv23_server_method();
1080SSL_METHOD *SSLv23_client_method();
1081
1082SSL_METHOD *TLSv1_method();
1083SSL_METHOD *TLSv1_server_method();
1084SSL_METHOD *TLSv1_client_method();
1085
1086STACK *SSL_get_ciphers();
1087
1088int SSL_do_handshake();
1089int SSL_renegotiate();
1090int SSL_shutdown();
1091
1092SSL_METHOD *SSL_get_ssl_method();
1093int SSL_set_ssl_method();
1094char *SSL_alert_type_string_long();
1095char *SSL_alert_type_string();
1096char *SSL_alert_desc_string_long();
1097char *SSL_alert_desc_string();
1098
1099void SSL_set_client_CA_list();
1100void SSL_CTX_set_client_CA_list();
1101STACK *SSL_get_client_CA_list();
1102STACK *SSL_CTX_get_client_CA_list();
1103int SSL_add_client_CA();
1104int SSL_CTX_add_client_CA();
1105
1106void SSL_set_connect_state();
1107void SSL_set_accept_state();
1108
1109long SSL_get_default_timeout();
1110
1111void SSLeay_add_ssl_algorithms();
1112
1113char *SSL_CIPHER_description();
1114STACK *SSL_dup_CA_list();
1115
1116SSL *SSL_dup();
1117
1118X509 *SSL_get_certificate();
1119/* EVP * */ struct evp_pkey_st *SSL_get_privatekey();
1120
1121#ifdef this_is_for_mk1mf_pl
1122EVP *SSL_get_privatekey();
1123
1124void SSL_CTX_set_quiet_shutdown();
1125int SSL_CTX_get_quiet_shutdown();
1126void SSL_set_quiet_shutdown();
1127int SSL_get_quiet_shutdown();
1128void SSL_set_shutdown();
1129int SSL_get_shutdown();
1130int SSL_version();
1131int SSL_CTX_set_default_verify_paths();
1132int SSL_CTX_load_verify_locations();
1133SSL_SESSION *SSL_get_session();
1134SSL_CTX *SSL_get_SSL_CTX();
1135void SSL_set_info_callback();
1136int (*SSL_get_info_callback())();
1137int SSL_state();
1138void SSL_set_verify_result();
1139long SSL_get_verify_result();
1140
1141int SSL_set_ex_data();
1142char *SSL_get_ex_data();
1143int SSL_get_ex_new_index();
1144
1145int SSL_SESSION_set_ex_data();
1146char *SSL_SESSION_get_ex_data();
1147int SSL_SESSION_get_ex_new_index();
1148
1149int SSL_CTX_set_ex_data();
1150char *SSL_CTX_get_ex_data();
1151int SSL_CTX_get_ex_new_index();
1152
1153#endif
1154
1155#endif
1156
1157/* BEGIN ERROR CODES */
1158/* Error codes for the SSL functions. */
1159
1160/* Function codes. */
1161#define SSL_F_CLIENT_CERTIFICATE 100
1162#define SSL_F_CLIENT_HELLO 101
1163#define SSL_F_CLIENT_MASTER_KEY 102
1164#define SSL_F_D2I_SSL_SESSION 103
1165#define SSL_F_DO_SSL3_WRITE 104
1166#define SSL_F_GET_CLIENT_FINISHED 105
1167#define SSL_F_GET_CLIENT_HELLO 106
1168#define SSL_F_GET_CLIENT_MASTER_KEY 107
1169#define SSL_F_GET_SERVER_FINISHED 108
1170#define SSL_F_GET_SERVER_HELLO 109
1171#define SSL_F_GET_SERVER_VERIFY 110
1172#define SSL_F_I2D_SSL_SESSION 111
1173#define SSL_F_READ_N 112
1174#define SSL_F_REQUEST_CERTIFICATE 113
1175#define SSL_F_SERVER_HELLO 114
1176#define SSL_F_SSL23_ACCEPT 115
1177#define SSL_F_SSL23_CLIENT_HELLO 116
1178#define SSL_F_SSL23_CONNECT 117
1179#define SSL_F_SSL23_GET_CLIENT_HELLO 118
1180#define SSL_F_SSL23_GET_SERVER_HELLO 119
1181#define SSL_F_SSL23_READ 120
1182#define SSL_F_SSL23_WRITE 121
1183#define SSL_F_SSL2_ACCEPT 122
1184#define SSL_F_SSL2_CONNECT 123
1185#define SSL_F_SSL2_ENC_INIT 124
1186#define SSL_F_SSL2_READ 125
1187#define SSL_F_SSL2_SET_CERTIFICATE 126
1188#define SSL_F_SSL2_WRITE 127
1189#define SSL_F_SSL3_ACCEPT 128
1190#define SSL_F_SSL3_CHANGE_CIPHER_STATE 129
1191#define SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM 130
1192#define SSL_F_SSL3_CLIENT_HELLO 131
1193#define SSL_F_SSL3_CONNECT 132
1194#define SSL_F_SSL3_CTX_CTRL 133
1195#define SSL_F_SSL3_ENC 134
1196#define SSL_F_SSL3_GET_CERTIFICATE_REQUEST 135
1197#define SSL_F_SSL3_GET_CERT_VERIFY 136
1198#define SSL_F_SSL3_GET_CLIENT_CERTIFICATE 137
1199#define SSL_F_SSL3_GET_CLIENT_HELLO 138
1200#define SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE 139
1201#define SSL_F_SSL3_GET_FINISHED 140
1202#define SSL_F_SSL3_GET_KEY_EXCHANGE 141
1203#define SSL_F_SSL3_GET_MESSAGE 142
1204#define SSL_F_SSL3_GET_RECORD 143
1205#define SSL_F_SSL3_GET_SERVER_CERTIFICATE 144
1206#define SSL_F_SSL3_GET_SERVER_DONE 145
1207#define SSL_F_SSL3_GET_SERVER_HELLO 146
1208#define SSL_F_SSL3_OUTPUT_CERT_CHAIN 147
1209#define SSL_F_SSL3_READ_BYTES 148
1210#define SSL_F_SSL3_READ_N 149
1211#define SSL_F_SSL3_SEND_CERTIFICATE_REQUEST 150
1212#define SSL_F_SSL3_SEND_CLIENT_CERTIFICATE 151
1213#define SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE 152
1214#define SSL_F_SSL3_SEND_CLIENT_VERIFY 153
1215#define SSL_F_SSL3_SEND_SERVER_CERTIFICATE 154
1216#define SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE 155
1217#define SSL_F_SSL3_SETUP_BUFFERS 156
1218#define SSL_F_SSL3_SETUP_KEY_BLOCK 157
1219#define SSL_F_SSL3_WRITE_BYTES 158
1220#define SSL_F_SSL3_WRITE_PENDING 159
1221#define SSL_F_SSL_BAD_METHOD 160
1222#define SSL_F_SSL_BYTES_TO_CIPHER_LIST 161
1223#define SSL_F_SSL_CERT_NEW 162
1224#define SSL_F_SSL_CHECK_PRIVATE_KEY 163
1225#define SSL_F_SSL_CREATE_CIPHER_LIST 164
1226#define SSL_F_SSL_CTX_CHECK_PRIVATE_KEY 165
1227#define SSL_F_SSL_CTX_NEW 166
1228#define SSL_F_SSL_CTX_SET_SSL_VERSION 167
1229#define SSL_F_SSL_CTX_USE_CERTIFICATE 168
1230#define SSL_F_SSL_CTX_USE_CERTIFICATE_ASN1 169
1231#define SSL_F_SSL_CTX_USE_CERTIFICATE_FILE 170
1232#define SSL_F_SSL_CTX_USE_PRIVATEKEY 171
1233#define SSL_F_SSL_CTX_USE_PRIVATEKEY_ASN1 172
1234#define SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE 173
1235#define SSL_F_SSL_CTX_USE_RSAPRIVATEKEY 174
1236#define SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_ASN1 175
1237#define SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE 176
1238#define SSL_F_SSL_DO_HANDSHAKE 177
1239#define SSL_F_SSL_GET_NEW_SESSION 178
1240#define SSL_F_SSL_GET_SERVER_SEND_CERT 179
1241#define SSL_F_SSL_GET_SIGN_PKEY 180
1242#define SSL_F_SSL_INIT_WBIO_BUFFER 181
1243#define SSL_F_SSL_LOAD_CLIENT_CA_FILE 182
1244#define SSL_F_SSL_NEW 183
1245#define SSL_F_SSL_RSA_PRIVATE_DECRYPT 184
1246#define SSL_F_SSL_RSA_PUBLIC_ENCRYPT 185
1247#define SSL_F_SSL_SESSION_NEW 186
1248#define SSL_F_SSL_SESSION_PRINT_FP 187
1249#define SSL_F_SSL_SET_CERT 188
1250#define SSL_F_SSL_SET_FD 189
1251#define SSL_F_SSL_SET_PKEY 190
1252#define SSL_F_SSL_SET_RFD 191
1253#define SSL_F_SSL_SET_SESSION 192
1254#define SSL_F_SSL_SET_WFD 193
1255#define SSL_F_SSL_UNDEFINED_FUNCTION 194
1256#define SSL_F_SSL_USE_CERTIFICATE 195
1257#define SSL_F_SSL_USE_CERTIFICATE_ASN1 196
1258#define SSL_F_SSL_USE_CERTIFICATE_FILE 197
1259#define SSL_F_SSL_USE_PRIVATEKEY 198
1260#define SSL_F_SSL_USE_PRIVATEKEY_ASN1 199
1261#define SSL_F_SSL_USE_PRIVATEKEY_FILE 200
1262#define SSL_F_SSL_USE_RSAPRIVATEKEY 201
1263#define SSL_F_SSL_USE_RSAPRIVATEKEY_ASN1 202
1264#define SSL_F_SSL_USE_RSAPRIVATEKEY_FILE 203
1265#define SSL_F_SSL_WRITE 204
1266#define SSL_F_TLS1_CHANGE_CIPHER_STATE 205
1267#define SSL_F_TLS1_ENC 206
1268#define SSL_F_TLS1_SETUP_KEY_BLOCK 207
1269#define SSL_F_WRITE_PENDING 208
1270
1271/* Reason codes. */
1272#define SSL_R_APP_DATA_IN_HANDSHAKE 100
1273#define SSL_R_BAD_ALERT_RECORD 101
1274#define SSL_R_BAD_AUTHENTICATION_TYPE 102
1275#define SSL_R_BAD_CHANGE_CIPHER_SPEC 103
1276#define SSL_R_BAD_CHECKSUM 104
1277#define SSL_R_BAD_CLIENT_REQUEST 105
1278#define SSL_R_BAD_DATA_RETURNED_BY_CALLBACK 106
1279#define SSL_R_BAD_DECOMPRESSION 107
1280#define SSL_R_BAD_DH_G_LENGTH 108
1281#define SSL_R_BAD_DH_PUB_KEY_LENGTH 109
1282#define SSL_R_BAD_DH_P_LENGTH 110
1283#define SSL_R_BAD_DIGEST_LENGTH 111
1284#define SSL_R_BAD_DSA_SIGNATURE 112
1285#define SSL_R_BAD_MAC_DECODE 113
1286#define SSL_R_BAD_MESSAGE_TYPE 114
1287#define SSL_R_BAD_PACKET_LENGTH 115
1288#define SSL_R_BAD_PROTOCOL_VERSION_NUMBER 116
1289#define SSL_R_BAD_RESPONSE_ARGUMENT 117
1290#define SSL_R_BAD_RSA_DECRYPT 118
1291#define SSL_R_BAD_RSA_ENCRYPT 119
1292#define SSL_R_BAD_RSA_E_LENGTH 120
1293#define SSL_R_BAD_RSA_MODULUS_LENGTH 121
1294#define SSL_R_BAD_RSA_SIGNATURE 122
1295#define SSL_R_BAD_SIGNATURE 123
1296#define SSL_R_BAD_SSL_FILETYPE 124
1297#define SSL_R_BAD_SSL_SESSION_ID_LENGTH 125
1298#define SSL_R_BAD_STATE 126
1299#define SSL_R_BAD_WRITE_RETRY 127
1300#define SSL_R_BIO_NOT_SET 128
1301#define SSL_R_BLOCK_CIPHER_PAD_IS_WRONG 129
1302#define SSL_R_BN_LIB 130
1303#define SSL_R_CA_DN_LENGTH_MISMATCH 131
1304#define SSL_R_CA_DN_TOO_LONG 132
1305#define SSL_R_CCS_RECEIVED_EARLY 133
1306#define SSL_R_CERTIFICATE_VERIFY_FAILED 134
1307#define SSL_R_CERT_LENGTH_MISMATCH 135
1308#define SSL_R_CHALLENGE_IS_DIFFERENT 136
1309#define SSL_R_CIPHER_CODE_WRONG_LENGTH 137
1310#define SSL_R_CIPHER_OR_HASH_UNAVAILABLE 138
1311#define SSL_R_CIPHER_TABLE_SRC_ERROR 139
1312#define SSL_R_COMPRESSED_LENGTH_TOO_LONG 140
1313#define SSL_R_COMPRESSION_FAILURE 141
1314#define SSL_R_CONNECTION_ID_IS_DIFFERENT 142
1315#define SSL_R_CONNECTION_TYPE_NOT_SET 143
1316#define SSL_R_DATA_BETWEEN_CCS_AND_FINISHED 144
1317#define SSL_R_DATA_LENGTH_TOO_LONG 145
1318#define SSL_R_DECRYPTION_FAILED 146
1319#define SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG 147
1320#define SSL_R_DIGEST_CHECK_FAILED 148
1321#define SSL_R_ENCRYPTED_LENGTH_TOO_LONG 149
1322#define SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST 150
1323#define SSL_R_EXCESSIVE_MESSAGE_SIZE 151
1324#define SSL_R_EXTRA_DATA_IN_MESSAGE 152
1325#define SSL_R_GOT_A_FIN_BEFORE_A_CCS 153
1326#define SSL_R_HTTPS_PROXY_REQUEST 154
1327#define SSL_R_HTTP_REQUEST 155
1328#define SSL_R_INTERNAL_ERROR 156
1329#define SSL_R_INVALID_CHALLENGE_LENGTH 157
1330#define SSL_R_LENGTH_MISMATCH 158
1331#define SSL_R_LENGTH_TOO_SHORT 159
1332#define SSL_R_LIBRARY_HAS_NO_CIPHERS 160
1333#define SSL_R_MISSING_DH_DSA_CERT 161
1334#define SSL_R_MISSING_DH_KEY 162
1335#define SSL_R_MISSING_DH_RSA_CERT 163
1336#define SSL_R_MISSING_DSA_SIGNING_CERT 164
1337#define SSL_R_MISSING_EXPORT_TMP_DH_KEY 165
1338#define SSL_R_MISSING_EXPORT_TMP_RSA_KEY 166
1339#define SSL_R_MISSING_RSA_CERTIFICATE 167
1340#define SSL_R_MISSING_RSA_ENCRYPTING_CERT 168
1341#define SSL_R_MISSING_RSA_SIGNING_CERT 169
1342#define SSL_R_MISSING_TMP_DH_KEY 170
1343#define SSL_R_MISSING_TMP_RSA_KEY 171
1344#define SSL_R_MISSING_TMP_RSA_PKEY 172
1345#define SSL_R_MISSING_VERIFY_MESSAGE 173
1346#define SSL_R_NON_SSLV2_INITIAL_PACKET 174
1347#define SSL_R_NO_CERTIFICATES_RETURNED 175
1348#define SSL_R_NO_CERTIFICATE_ASSIGNED 176
1349#define SSL_R_NO_CERTIFICATE_RETURNED 177
1350#define SSL_R_NO_CERTIFICATE_SET 178
1351#define SSL_R_NO_CERTIFICATE_SPECIFIED 179
1352#define SSL_R_NO_CIPHERS_AVAILABLE 180
1353#define SSL_R_NO_CIPHERS_PASSED 181
1354#define SSL_R_NO_CIPHERS_SPECIFIED 182
1355#define SSL_R_NO_CIPHER_LIST 183
1356#define SSL_R_NO_CIPHER_MATCH 184
1357#define SSL_R_NO_CLIENT_CERT_RECEIVED 185
1358#define SSL_R_NO_COMPRESSION_SPECIFIED 186
1359#define SSL_R_NO_PRIVATEKEY 187
1360#define SSL_R_NO_PRIVATE_KEY_ASSIGNED 188
1361#define SSL_R_NO_PROTOCOLS_AVAILABLE 189
1362#define SSL_R_NO_PUBLICKEY 190
1363#define SSL_R_NO_SHARED_CIPHER 191
1364#define SSL_R_NULL_SSL_CTX 192
1365#define SSL_R_NULL_SSL_METHOD_PASSED 193
1366#define SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED 194
1367#define SSL_R_PACKET_LENGTH_TOO_LONG 195
1368#define SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE 196
1369#define SSL_R_PEER_ERROR 197
1370#define SSL_R_PEER_ERROR_CERTIFICATE 198
1371#define SSL_R_PEER_ERROR_NO_CERTIFICATE 199
1372#define SSL_R_PEER_ERROR_NO_CIPHER 200
1373#define SSL_R_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE 201
1374#define SSL_R_PRE_MAC_LENGTH_TOO_LONG 202
1375#define SSL_R_PROBLEMS_MAPPING_CIPHER_FUNCTIONS 203
1376#define SSL_R_PROTOCOL_IS_SHUTDOWN 204
1377#define SSL_R_PUBLIC_KEY_ENCRYPT_ERROR 205
1378#define SSL_R_PUBLIC_KEY_IS_NOT_RSA 206
1379#define SSL_R_PUBLIC_KEY_NOT_RSA 207
1380#define SSL_R_READ_BIO_NOT_SET 208
1381#define SSL_R_READ_WRONG_PACKET_TYPE 209
1382#define SSL_R_RECORD_LENGTH_MISMATCH 210
1383#define SSL_R_RECORD_TOO_LARGE 211
1384#define SSL_R_REQUIRED_CIPHER_MISSING 212
1385#define SSL_R_REUSE_CERT_LENGTH_NOT_ZERO 213
1386#define SSL_R_REUSE_CERT_TYPE_NOT_ZERO 214
1387#define SSL_R_REUSE_CIPHER_LIST_NOT_ZERO 215
1388#define SSL_R_SHORT_READ 216
1389#define SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE 217
1390#define SSL_R_SSL3_SESSION_ID_TOO_SHORT 218
1391#define SSL_R_SSLV3_ALERT_BAD_CERTIFICATE 1042
1392#define SSL_R_SSLV3_ALERT_BAD_RECORD_MAC 1020
1393#define SSL_R_SSLV3_ALERT_CERTIFICATE_EXPIRED 1045
1394#define SSL_R_SSLV3_ALERT_CERTIFICATE_REVOKED 1044
1395#define SSL_R_SSLV3_ALERT_CERTIFICATE_UNKNOWN 1046
1396#define SSL_R_SSLV3_ALERT_DECOMPRESSION_FAILURE 1030
1397#define SSL_R_SSLV3_ALERT_HANDSHAKE_FAILURE 1040
1398#define SSL_R_SSLV3_ALERT_ILLEGAL_PARAMETER 1047
1399#define SSL_R_SSLV3_ALERT_NO_CERTIFICATE 1041
1400#define SSL_R_SSLV3_ALERT_PEER_ERROR_CERTIFICATE 219
1401#define SSL_R_SSLV3_ALERT_PEER_ERROR_NO_CERTIFICATE 220
1402#define SSL_R_SSLV3_ALERT_PEER_ERROR_NO_CIPHER 221
1403#define SSL_R_SSLV3_ALERT_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE 222
1404#define SSL_R_SSLV3_ALERT_UNEXPECTED_MESSAGE 1010
1405#define SSL_R_SSLV3_ALERT_UNKNOWN_REMOTE_ERROR_TYPE 223
1406#define SSL_R_SSLV3_ALERT_UNSUPPORTED_CERTIFICATE 1043
1407#define SSL_R_SSL_CTX_HAS_NO_DEFAULT_SSL_VERSION 224
1408#define SSL_R_SSL_HANDSHAKE_FAILURE 225
1409#define SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS 226
1410#define SSL_R_SSL_SESSION_ID_IS_DIFFERENT 227
1411#define SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER 228
1412#define SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST 229
1413#define SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG 230
1414#define SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER 231
1415#define SSL_R_UNABLE_TO_DECODE_DH_CERTS 232
1416#define SSL_R_UNABLE_TO_EXTRACT_PUBLIC_KEY 233
1417#define SSL_R_UNABLE_TO_FIND_DH_PARAMETERS 234
1418#define SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS 235
1419#define SSL_R_UNABLE_TO_FIND_SSL_METHOD 236
1420#define SSL_R_UNABLE_TO_LOAD_SSL2_MD5_ROUTINES 237
1421#define SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES 238
1422#define SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES 239
1423#define SSL_R_UNEXPECTED_MESSAGE 240
1424#define SSL_R_UNEXPECTED_RECORD 241
1425#define SSL_R_UNKNOWN_ALERT_TYPE 242
1426#define SSL_R_UNKNOWN_CERTIFICATE_TYPE 243
1427#define SSL_R_UNKNOWN_CIPHER_RETURNED 244
1428#define SSL_R_UNKNOWN_CIPHER_TYPE 245
1429#define SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE 246
1430#define SSL_R_UNKNOWN_PKEY_TYPE 247
1431#define SSL_R_UNKNOWN_PROTOCOL 248
1432#define SSL_R_UNKNOWN_REMOTE_ERROR_TYPE 249
1433#define SSL_R_UNKNOWN_SSL_VERSION 250
1434#define SSL_R_UNKNOWN_STATE 251
1435#define SSL_R_UNSUPPORTED_CIPHER 252
1436#define SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM 253
1437#define SSL_R_UNSUPPORTED_PROTOCOL 254
1438#define SSL_R_UNSUPPORTED_SSL_VERSION 255
1439#define SSL_R_WRITE_BIO_NOT_SET 256
1440#define SSL_R_WRONG_CIPHER_RETURNED 257
1441#define SSL_R_WRONG_MESSAGE_TYPE 258
1442#define SSL_R_WRONG_NUMBER_OF_KEY_BITS 259
1443#define SSL_R_WRONG_SIGNATURE_LENGTH 260
1444#define SSL_R_WRONG_SIGNATURE_SIZE 261
1445#define SSL_R_WRONG_SSL_VERSION 262
1446#define SSL_R_WRONG_VERSION_NUMBER 263
1447#define SSL_R_X509_LIB 264
1448
1449#ifdef __cplusplus
1450}
1451#endif
1452#endif
1453
diff --git a/src/lib/libssl/ssl2.h b/src/lib/libssl/ssl2.h
new file mode 100644
index 0000000000..3dc94e520b
--- /dev/null
+++ b/src/lib/libssl/ssl2.h
@@ -0,0 +1,265 @@
1/* ssl/ssl2.h */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#ifndef HEADER_SSL2_H
60#define HEADER_SSL2_H
61
62#ifdef __cplusplus
63extern "C" {
64#endif
65
66/* Protocol Version Codes */
67#define SSL2_VERSION 0x0002
68#define SSL2_VERSION_MAJOR 0x00
69#define SSL2_VERSION_MINOR 0x02
70#define SSL2_CLIENT_VERSION 0x0002
71#define SSL2_SERVER_VERSION 0x0002
72
73/* Protocol Message Codes */
74#define SSL2_MT_ERROR 0
75#define SSL2_MT_CLIENT_HELLO 1
76#define SSL2_MT_CLIENT_MASTER_KEY 2
77#define SSL2_MT_CLIENT_FINISHED 3
78#define SSL2_MT_SERVER_HELLO 4
79#define SSL2_MT_SERVER_VERIFY 5
80#define SSL2_MT_SERVER_FINISHED 6
81#define SSL2_MT_REQUEST_CERTIFICATE 7
82#define SSL2_MT_CLIENT_CERTIFICATE 8
83
84/* Error Message Codes */
85#define SSL2_PE_UNDEFINED_ERROR 0x0000
86#define SSL2_PE_NO_CIPHER 0x0001
87#define SSL2_PE_NO_CERTIFICATE 0x0002
88#define SSL2_PE_BAD_CERTIFICATE 0x0004
89#define SSL2_PE_UNSUPPORTED_CERTIFICATE_TYPE 0x0006
90
91/* Cipher Kind Values */
92#define SSL2_CK_NULL_WITH_MD5 0x02000000 /* v3 */
93#define SSL2_CK_RC4_128_WITH_MD5 0x02010080
94#define SSL2_CK_RC4_128_EXPORT40_WITH_MD5 0x02020080
95#define SSL2_CK_RC2_128_CBC_WITH_MD5 0x02030080
96#define SSL2_CK_RC2_128_CBC_EXPORT40_WITH_MD5 0x02040080
97#define SSL2_CK_IDEA_128_CBC_WITH_MD5 0x02050080
98#define SSL2_CK_DES_64_CBC_WITH_MD5 0x02060040
99#define SSL2_CK_DES_64_CBC_WITH_SHA 0x02060140 /* v3 */
100#define SSL2_CK_DES_192_EDE3_CBC_WITH_MD5 0x020700c0
101#define SSL2_CK_DES_192_EDE3_CBC_WITH_SHA 0x020701c0 /* v3 */
102#define SSL2_CK_RC4_64_WITH_MD5 0x02080080 /* MS hack */
103
104#define SSL2_CK_DES_64_CFB64_WITH_MD5_1 0x02ff0800 /* SSLeay */
105#define SSL2_CK_NULL 0x02ff0810 /* SSLeay */
106
107#define SSL2_TXT_DES_64_CFB64_WITH_MD5_1 "DES-CFB-M1"
108#define SSL2_TXT_NULL_WITH_MD5 "NULL-MD5"
109#define SSL2_TXT_RC4_128_WITH_MD5 "RC4-MD5"
110#define SSL2_TXT_RC4_128_EXPORT40_WITH_MD5 "EXP-RC4-MD5"
111#define SSL2_TXT_RC2_128_CBC_WITH_MD5 "RC2-CBC-MD5"
112#define SSL2_TXT_RC2_128_CBC_EXPORT40_WITH_MD5 "EXP-RC2-CBC-MD5"
113#define SSL2_TXT_IDEA_128_CBC_WITH_MD5 "IDEA-CBC-MD5"
114#define SSL2_TXT_DES_64_CBC_WITH_MD5 "DES-CBC-MD5"
115#define SSL2_TXT_DES_64_CBC_WITH_SHA "DES-CBC-SHA"
116#define SSL2_TXT_DES_192_EDE3_CBC_WITH_MD5 "DES-CBC3-MD5"
117#define SSL2_TXT_DES_192_EDE3_CBC_WITH_SHA "DES-CBC3-SHA"
118#define SSL2_TXT_RC4_64_WITH_MD5 "RC4-64-MD5"
119
120#define SSL2_TXT_NULL "NULL"
121
122/* Flags for the SSL_CIPHER.algorithm2 field */
123#define SSL2_CF_5_BYTE_ENC 0x01
124#define SSL2_CF_8_BYTE_ENC 0x02
125
126/* Certificate Type Codes */
127#define SSL2_CT_X509_CERTIFICATE 0x01
128
129/* Authentication Type Code */
130#define SSL2_AT_MD5_WITH_RSA_ENCRYPTION 0x01
131
132#define SSL2_MAX_SSL_SESSION_ID_LENGTH 32
133
134/* Upper/Lower Bounds */
135#define SSL2_MAX_MASTER_KEY_LENGTH_IN_BITS 256
136#define SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER (unsigned int)32767
137#define SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER 16383 /**/
138
139#define SSL2_CHALLENGE_LENGTH 16
140/*#define SSL2_CHALLENGE_LENGTH 32 */
141#define SSL2_MIN_CHALLENGE_LENGTH 16
142#define SSL2_MAX_CHALLENGE_LENGTH 32
143#define SSL2_CONNECTION_ID_LENGTH 16
144#define SSL2_MAX_CONNECTION_ID_LENGTH 16
145#define SSL2_SSL_SESSION_ID_LENGTH 16
146#define SSL2_MAX_CERT_CHALLENGE_LENGTH 32
147#define SSL2_MIN_CERT_CHALLENGE_LENGTH 16
148#define SSL2_MAX_KEY_MATERIAL_LENGTH 24
149
150#ifndef HEADER_SSL_LOCL_H
151#define CERT char
152#endif
153
154typedef struct ssl2_ctx_st
155 {
156 int three_byte_header;
157 int clear_text; /* clear text */
158 int escape; /* not used in SSLv2 */
159 int ssl2_rollback; /* used if SSLv23 rolled back to SSLv2 */
160
161 /* non-blocking io info, used to make sure the same
162 * args were passwd */
163 unsigned int wnum; /* number of bytes sent so far */
164 int wpend_tot;
165 char *wpend_buf;
166
167 int wpend_off; /* offset to data to write */
168 int wpend_len; /* number of bytes passwd to write */
169 int wpend_ret; /* number of bytes to return to caller */
170
171 /* buffer raw data */
172 int rbuf_left;
173 int rbuf_offs;
174 unsigned char *rbuf;
175 unsigned char *wbuf;
176
177 unsigned char *write_ptr;/* used to point to the start due to
178 * 2/3 byte header. */
179
180 unsigned int padding;
181 unsigned int rlength; /* passed to ssl2_enc */
182 int ract_data_length; /* Set when things are encrypted. */
183 unsigned int wlength; /* passed to ssl2_enc */
184 int wact_data_length; /* Set when things are decrypted. */
185 unsigned char *ract_data;
186 unsigned char *wact_data;
187 unsigned char *mac_data;
188 unsigned char *pad_data;
189
190 unsigned char *read_key;
191 unsigned char *write_key;
192
193 /* Stuff specifically to do with this SSL session */
194 unsigned int challenge_length;
195 unsigned char challenge[SSL2_MAX_CHALLENGE_LENGTH];
196 unsigned int conn_id_length;
197 unsigned char conn_id[SSL2_MAX_CONNECTION_ID_LENGTH];
198 unsigned int key_material_length;
199 unsigned char key_material[SSL2_MAX_KEY_MATERIAL_LENGTH*2];
200
201 unsigned long read_sequence;
202 unsigned long write_sequence;
203
204 struct {
205 unsigned int conn_id_length;
206 unsigned int cert_type;
207 unsigned int cert_length;
208 int csl;
209 int clear;
210 unsigned int enc;
211 unsigned char ccl[SSL2_MAX_CERT_CHALLENGE_LENGTH];
212 int cipher_spec_length;
213 unsigned int session_id_length;
214 unsigned int clen;
215 unsigned int rlen;
216 } tmp;
217 } SSL2_CTX;
218
219/* SSLv2 */
220/* client */
221#define SSL2_ST_SEND_CLIENT_HELLO_A (0x10|SSL_ST_CONNECT)
222#define SSL2_ST_SEND_CLIENT_HELLO_B (0x11|SSL_ST_CONNECT)
223#define SSL2_ST_GET_SERVER_HELLO_A (0x20|SSL_ST_CONNECT)
224#define SSL2_ST_GET_SERVER_HELLO_B (0x21|SSL_ST_CONNECT)
225#define SSL2_ST_SEND_CLIENT_MASTER_KEY_A (0x30|SSL_ST_CONNECT)
226#define SSL2_ST_SEND_CLIENT_MASTER_KEY_B (0x31|SSL_ST_CONNECT)
227#define SSL2_ST_SEND_CLIENT_FINISHED_A (0x40|SSL_ST_CONNECT)
228#define SSL2_ST_SEND_CLIENT_FINISHED_B (0x41|SSL_ST_CONNECT)
229#define SSL2_ST_SEND_CLIENT_CERTIFICATE_A (0x50|SSL_ST_CONNECT)
230#define SSL2_ST_SEND_CLIENT_CERTIFICATE_B (0x51|SSL_ST_CONNECT)
231#define SSL2_ST_SEND_CLIENT_CERTIFICATE_C (0x52|SSL_ST_CONNECT)
232#define SSL2_ST_SEND_CLIENT_CERTIFICATE_D (0x53|SSL_ST_CONNECT)
233#define SSL2_ST_GET_SERVER_VERIFY_A (0x60|SSL_ST_CONNECT)
234#define SSL2_ST_GET_SERVER_VERIFY_B (0x61|SSL_ST_CONNECT)
235#define SSL2_ST_GET_SERVER_FINISHED_A (0x70|SSL_ST_CONNECT)
236#define SSL2_ST_GET_SERVER_FINISHED_B (0x71|SSL_ST_CONNECT)
237#define SSL2_ST_CLIENT_START_ENCRYPTION (0x80|SSL_ST_CONNECT)
238#define SSL2_ST_X509_GET_CLIENT_CERTIFICATE (0x90|SSL_ST_CONNECT)
239/* server */
240#define SSL2_ST_GET_CLIENT_HELLO_A (0x10|SSL_ST_ACCEPT)
241#define SSL2_ST_GET_CLIENT_HELLO_B (0x11|SSL_ST_ACCEPT)
242#define SSL2_ST_GET_CLIENT_HELLO_C (0x12|SSL_ST_ACCEPT)
243#define SSL2_ST_SEND_SERVER_HELLO_A (0x20|SSL_ST_ACCEPT)
244#define SSL2_ST_SEND_SERVER_HELLO_B (0x21|SSL_ST_ACCEPT)
245#define SSL2_ST_GET_CLIENT_MASTER_KEY_A (0x30|SSL_ST_ACCEPT)
246#define SSL2_ST_GET_CLIENT_MASTER_KEY_B (0x31|SSL_ST_ACCEPT)
247#define SSL2_ST_SEND_SERVER_VERIFY_A (0x40|SSL_ST_ACCEPT)
248#define SSL2_ST_SEND_SERVER_VERIFY_B (0x41|SSL_ST_ACCEPT)
249#define SSL2_ST_SEND_SERVER_VERIFY_C (0x42|SSL_ST_ACCEPT)
250#define SSL2_ST_GET_CLIENT_FINISHED_A (0x50|SSL_ST_ACCEPT)
251#define SSL2_ST_GET_CLIENT_FINISHED_B (0x51|SSL_ST_ACCEPT)
252#define SSL2_ST_SEND_SERVER_FINISHED_A (0x60|SSL_ST_ACCEPT)
253#define SSL2_ST_SEND_SERVER_FINISHED_B (0x61|SSL_ST_ACCEPT)
254#define SSL2_ST_SEND_REQUEST_CERTIFICATE_A (0x70|SSL_ST_ACCEPT)
255#define SSL2_ST_SEND_REQUEST_CERTIFICATE_B (0x71|SSL_ST_ACCEPT)
256#define SSL2_ST_SEND_REQUEST_CERTIFICATE_C (0x72|SSL_ST_ACCEPT)
257#define SSL2_ST_SEND_REQUEST_CERTIFICATE_D (0x73|SSL_ST_ACCEPT)
258#define SSL2_ST_SERVER_START_ENCRYPTION (0x80|SSL_ST_ACCEPT)
259#define SSL2_ST_X509_GET_SERVER_CERTIFICATE (0x90|SSL_ST_ACCEPT)
260
261#ifdef __cplusplus
262}
263#endif
264#endif
265
diff --git a/src/lib/libssl/ssl23.h b/src/lib/libssl/ssl23.h
new file mode 100644
index 0000000000..d3228983c7
--- /dev/null
+++ b/src/lib/libssl/ssl23.h
@@ -0,0 +1,83 @@
1/* ssl/ssl23.h */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#ifndef HEADER_SSL23_H
60#define HEADER_SSL23_H
61
62#ifdef __cplusplus
63extern "C" {
64#endif
65
66/*client */
67/* write to server */
68#define SSL23_ST_CW_CLNT_HELLO_A (0x210|SSL_ST_CONNECT)
69#define SSL23_ST_CW_CLNT_HELLO_B (0x211|SSL_ST_CONNECT)
70/* read from server */
71#define SSL23_ST_CR_SRVR_HELLO_A (0x220|SSL_ST_CONNECT)
72#define SSL23_ST_CR_SRVR_HELLO_B (0x221|SSL_ST_CONNECT)
73
74/* server */
75/* read from client */
76#define SSL23_ST_SR_CLNT_HELLO_A (0x210|SSL_ST_ACCEPT)
77#define SSL23_ST_SR_CLNT_HELLO_B (0x211|SSL_ST_ACCEPT)
78
79#ifdef __cplusplus
80}
81#endif
82#endif
83
diff --git a/src/lib/libssl/ssl3.h b/src/lib/libssl/ssl3.h
new file mode 100644
index 0000000000..95772eef60
--- /dev/null
+++ b/src/lib/libssl/ssl3.h
@@ -0,0 +1,455 @@
1/* ssl/ssl3.h */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#ifndef HEADER_SSL3_H
60#define HEADER_SSL3_H
61
62#include "buffer.h"
63
64#ifdef __cplusplus
65extern "C" {
66#endif
67
68#define SSL3_CK_RSA_NULL_MD5 0x03000001
69#define SSL3_CK_RSA_NULL_SHA 0x03000002
70#define SSL3_CK_RSA_RC4_40_MD5 0x03000003
71#define SSL3_CK_RSA_RC4_128_MD5 0x03000004
72#define SSL3_CK_RSA_RC4_128_SHA 0x03000005
73#define SSL3_CK_RSA_RC2_40_MD5 0x03000006
74#define SSL3_CK_RSA_IDEA_128_SHA 0x03000007
75#define SSL3_CK_RSA_DES_40_CBC_SHA 0x03000008
76#define SSL3_CK_RSA_DES_64_CBC_SHA 0x03000009
77#define SSL3_CK_RSA_DES_192_CBC3_SHA 0x0300000A
78
79#define SSL3_CK_DH_DSS_DES_40_CBC_SHA 0x0300000B
80#define SSL3_CK_DH_DSS_DES_64_CBC_SHA 0x0300000C
81#define SSL3_CK_DH_DSS_DES_192_CBC3_SHA 0x0300000D
82#define SSL3_CK_DH_RSA_DES_40_CBC_SHA 0x0300000E
83#define SSL3_CK_DH_RSA_DES_64_CBC_SHA 0x0300000F
84#define SSL3_CK_DH_RSA_DES_192_CBC3_SHA 0x03000010
85
86#define SSL3_CK_EDH_DSS_DES_40_CBC_SHA 0x03000011
87#define SSL3_CK_EDH_DSS_DES_64_CBC_SHA 0x03000012
88#define SSL3_CK_EDH_DSS_DES_192_CBC3_SHA 0x03000013
89#define SSL3_CK_EDH_RSA_DES_40_CBC_SHA 0x03000014
90#define SSL3_CK_EDH_RSA_DES_64_CBC_SHA 0x03000015
91#define SSL3_CK_EDH_RSA_DES_192_CBC3_SHA 0x03000016
92
93#define SSL3_CK_ADH_RC4_40_MD5 0x03000017
94#define SSL3_CK_ADH_RC4_128_MD5 0x03000018
95#define SSL3_CK_ADH_DES_40_CBC_SHA 0x03000019
96#define SSL3_CK_ADH_DES_64_CBC_SHA 0x0300001A
97#define SSL3_CK_ADH_DES_192_CBC_SHA 0x0300001B
98
99#define SSL3_CK_FZA_DMS_NULL_SHA 0x0300001C
100#define SSL3_CK_FZA_DMS_FZA_SHA 0x0300001D
101#define SSL3_CK_FZA_DMS_RC4_SHA 0x0300001E
102
103#define SSL3_TXT_RSA_NULL_MD5 "NULL-MD5"
104#define SSL3_TXT_RSA_NULL_SHA "NULL-SHA"
105#define SSL3_TXT_RSA_RC4_40_MD5 "EXP-RC4-MD5"
106#define SSL3_TXT_RSA_RC4_128_MD5 "RC4-MD5"
107#define SSL3_TXT_RSA_RC4_128_SHA "RC4-SHA"
108#define SSL3_TXT_RSA_RC2_40_MD5 "EXP-RC2-CBC-MD5"
109#define SSL3_TXT_RSA_IDEA_128_SHA "IDEA-CBC-SHA"
110#define SSL3_TXT_RSA_DES_40_CBC_SHA "EXP-DES-CBC-SHA"
111#define SSL3_TXT_RSA_DES_64_CBC_SHA "DES-CBC-SHA"
112#define SSL3_TXT_RSA_DES_192_CBC3_SHA "DES-CBC3-SHA"
113
114#define SSL3_TXT_DH_DSS_DES_40_CBC_SHA "EXP-DH-DSS-DES-CBC-SHA"
115#define SSL3_TXT_DH_DSS_DES_64_CBC_SHA "DH-DSS-DES-CBC-SHA"
116#define SSL3_TXT_DH_DSS_DES_192_CBC3_SHA "DH-DSS-DES-CBC3-SHA"
117#define SSL3_TXT_DH_RSA_DES_40_CBC_SHA "EXP-DH-RSA-DES-CBC-SHA"
118#define SSL3_TXT_DH_RSA_DES_64_CBC_SHA "DH-RSA-DES-CBC-SHA"
119#define SSL3_TXT_DH_RSA_DES_192_CBC3_SHA "DH-RSA-DES-CBC3-SHA"
120
121#define SSL3_TXT_EDH_DSS_DES_40_CBC_SHA "EXP-EDH-DSS-DES-CBC-SHA"
122#define SSL3_TXT_EDH_DSS_DES_64_CBC_SHA "EDH-DSS-DES-CBC-SHA"
123#define SSL3_TXT_EDH_DSS_DES_192_CBC3_SHA "EDH-DSS-DES-CBC3-SHA"
124#define SSL3_TXT_EDH_RSA_DES_40_CBC_SHA "EXP-EDH-RSA-DES-CBC-SHA"
125#define SSL3_TXT_EDH_RSA_DES_64_CBC_SHA "EDH-RSA-DES-CBC-SHA"
126#define SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA "EDH-RSA-DES-CBC3-SHA"
127
128#define SSL3_TXT_ADH_RC4_40_MD5 "EXP-ADH-RC4-MD5"
129#define SSL3_TXT_ADH_RC4_128_MD5 "ADH-RC4-MD5"
130#define SSL3_TXT_ADH_DES_40_CBC_SHA "EXP-ADH-DES-CBC-SHA"
131#define SSL3_TXT_ADH_DES_64_CBC_SHA "ADH-DES-CBC-SHA"
132#define SSL3_TXT_ADH_DES_192_CBC_SHA "ADH-DES-CBC3-SHA"
133
134#define SSL3_TXT_FZA_DMS_NULL_SHA "FZA-NULL-SHA"
135#define SSL3_TXT_FZA_DMS_FZA_SHA "FZA-FZA-CBC-SHA"
136#define SSL3_TXT_FZA_DMS_RC4_SHA "FZA-RC4-SHA"
137
138#define SSL3_SSL_SESSION_ID_LENGTH 32
139#define SSL3_MAX_SSL_SESSION_ID_LENGTH 32
140
141#define SSL3_MASTER_SECRET_SIZE 48
142#define SSL3_RANDOM_SIZE 32
143#define SSL3_SESSION_ID_SIZE 32
144#define SSL3_RT_HEADER_LENGTH 5
145
146/* Due to MS stuffing up, this can change.... */
147#if defined(WIN16) || (defined(MSDOS) && !defined(WIN32))
148#define SSL3_RT_MAX_EXTRA (14000)
149#else
150#define SSL3_RT_MAX_EXTRA (16384)
151#endif
152
153#define SSL3_RT_MAX_PLAIN_LENGTH 16384
154#define SSL3_RT_MAX_COMPRESSED_LENGTH (1024+SSL3_RT_MAX_PLAIN_LENGTH)
155#define SSL3_RT_MAX_ENCRYPTED_LENGTH (1024+SSL3_RT_MAX_COMPRESSED_LENGTH)
156#define SSL3_RT_MAX_PACKET_SIZE (SSL3_RT_MAX_ENCRYPTED_LENGTH+SSL3_RT_HEADER_LENGTH)
157#define SSL3_RT_MAX_DATA_SIZE (1024*1024)
158
159/* the states that a SSL3_RECORD can be in
160 * For SSL_read it goes
161 * rbuf->ENCODED -> read
162 * ENCODED -> we need to decode everything - call decode_record
163 */
164
165#define SSL3_RS_BLANK 1
166#define SSL3_RS_DATA
167
168#define SSL3_RS_ENCODED 2
169#define SSL3_RS_READ_MORE 3
170#define SSL3_RS_WRITE_MORE
171#define SSL3_RS_PLAIN 3
172#define SSL3_RS_PART_READ 4
173#define SSL3_RS_PART_WRITE 5
174
175#define SSL3_MD_CLIENT_FINISHED_CONST {0x43,0x4C,0x4E,0x54}
176#define SSL3_MD_SERVER_FINISHED_CONST {0x53,0x52,0x56,0x52}
177
178#define SSL3_VERSION 0x0300
179#define SSL3_VERSION_MAJOR 0x03
180#define SSL3_VERSION_MINOR 0x00
181
182#define SSL3_RT_CHANGE_CIPHER_SPEC 20
183#define SSL3_RT_ALERT 21
184#define SSL3_RT_HANDSHAKE 22
185#define SSL3_RT_APPLICATION_DATA 23
186
187#define SSL3_AL_WARNING 1
188#define SSL3_AL_FATAL 2
189
190#define SSL3_AD_CLOSE_NOTIFY 0
191#define SSL3_AD_UNEXPECTED_MESSAGE 10 /* fatal */
192#define SSL3_AD_BAD_RECORD_MAC 20 /* fatal */
193#define SSL3_AD_DECOMPRESSION_FAILURE 30 /* fatal */
194#define SSL3_AD_HANDSHAKE_FAILURE 40 /* fatal */
195#define SSL3_AD_NO_CERTIFICATE 41
196#define SSL3_AD_BAD_CERTIFICATE 42
197#define SSL3_AD_UNSUPPORTED_CERTIFICATE 43
198#define SSL3_AD_CERTIFICATE_REVOKED 44
199#define SSL3_AD_CERTIFICATE_EXPIRED 45
200#define SSL3_AD_CERTIFICATE_UNKNOWN 46
201#define SSL3_AD_ILLEGAL_PARAMETER 47 /* fatal */
202
203typedef struct ssl3_record_st
204 {
205/*r */ int type; /* type of record */
206/* */ /*int state;*/ /* any data in it? */
207/*rw*/ unsigned int length; /* How many bytes available */
208/*r */ unsigned int off; /* read/write offset into 'buf' */
209/*rw*/ unsigned char *data; /* pointer to the record data */
210/*rw*/ unsigned char *input; /* where the decode bytes are */
211/*rw*/ unsigned char *comp; /* only used with decompression */
212 } SSL3_RECORD;
213
214typedef struct ssl3_buffer_st
215 {
216/*r */ int total; /* used in non-blocking writes */
217/*r */ int wanted; /* how many more bytes we need */
218/*rw*/ int left; /* how many bytes left */
219/*rw*/ int offset; /* where to 'copy from' */
220/*rw*/ unsigned char *buf; /* SSL3_RT_MAX_PACKET_SIZE bytes */
221 } SSL3_BUFFER;
222
223typedef struct ssl3_compression_st {
224 int nothing;
225 } SSL3_COMPRESSION;
226
227#define SSL3_CT_RSA_SIGN 1
228#define SSL3_CT_DSS_SIGN 2
229#define SSL3_CT_RSA_FIXED_DH 3
230#define SSL3_CT_DSS_FIXED_DH 4
231#define SSL3_CT_RSA_EPHEMERAL_DH 5
232#define SSL3_CT_DSS_EPHEMERAL_DH 6
233#define SSL3_CT_FORTEZZA_DMS 20
234#define SSL3_CT_NUMBER 7
235
236#define SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS 0x0001
237#define SSL3_FLAGS_DELAY_CLIENT_FINISHED 0x0002
238#define SSL3_FLAGS_POP_BUFFER 0x0004
239#define TLS1_FLAGS_TLS_PADDING_BUG 0x0008
240
241#if 0
242#define AD_CLOSE_NOTIFY 0
243#define AD_UNEXPECTED_MESSAGE 1
244#define AD_BAD_RECORD_MAC 2
245#define AD_DECRYPTION_FAILED 3
246#define AD_RECORD_OVERFLOW 4
247#define AD_DECOMPRESSION_FAILURE 5 /* fatal */
248#define AD_HANDSHAKE_FAILURE 6 /* fatal */
249#define AD_NO_CERTIFICATE 7 /* Not under TLS */
250#define AD_BAD_CERTIFICATE 8
251#define AD_UNSUPPORTED_CERTIFICATE 9
252#define AD_CERTIFICATE_REVOKED 10
253#define AD_CERTIFICATE_EXPIRED 11
254#define AD_CERTIFICATE_UNKNOWN 12
255#define AD_ILLEGAL_PARAMETER 13 /* fatal */
256#define AD_UNKNOWN_CA 14 /* fatal */
257#define AD_ACCESS_DENIED 15 /* fatal */
258#define AD_DECODE_ERROR 16 /* fatal */
259#define AD_DECRYPT_ERROR 17
260#define AD_EXPORT_RESTRICION 18 /* fatal */
261#define AD_PROTOCOL_VERSION 19 /* fatal */
262#define AD_INSUFFICIENT_SECURITY 20 /* fatal */
263#define AD_INTERNAL_ERROR 21 /* fatal */
264#define AD_USER_CANCLED 22
265#define AD_NO_RENEGOTIATION 23
266#endif
267
268typedef struct ssl3_ctx_st
269 {
270 long flags;
271 int delay_buf_pop_ret;
272
273 unsigned char read_sequence[8];
274 unsigned char read_mac_secret[EVP_MAX_MD_SIZE];
275 unsigned char write_sequence[8];
276 unsigned char write_mac_secret[EVP_MAX_MD_SIZE];
277
278 unsigned char server_random[SSL3_RANDOM_SIZE];
279 unsigned char client_random[SSL3_RANDOM_SIZE];
280
281 SSL3_BUFFER rbuf; /* read IO goes into here */
282 SSL3_BUFFER wbuf; /* write IO goes into here */
283 SSL3_RECORD rrec; /* each decoded record goes in here */
284 SSL3_RECORD wrec; /* goes out from here */
285 /* Used by ssl3_read_n to point
286 * to input data packet */
287
288 /* partial write - check the numbers match */
289 unsigned int wnum; /* number of bytes sent so far */
290 int wpend_tot; /* number bytes written */
291 int wpend_type;
292 int wpend_ret; /* number of bytes submitted */
293 char *wpend_buf;
294
295 /* used during startup, digest all incoming/outgoing packets */
296 EVP_MD_CTX finish_dgst1;
297 EVP_MD_CTX finish_dgst2;
298
299 /* this is set whenerver we see a change_cipher_spec message
300 * come in when we are not looking for one */
301 int change_cipher_spec;
302
303 int warn_alert;
304 int fatal_alert;
305 /* we alow one fatal and one warning alert to be outstanding,
306 * send close alert via the warning alert */
307 int alert_dispatch;
308 char send_alert[2];
309
310 /* This flag is set when we should renegotiate ASAP, basically when
311 * there is no more data in the read or write buffers */
312 int renegotiate;
313 int total_renegotiations;
314 int num_renegotiations;
315
316 int in_read_app_data;
317
318 struct {
319 /* Actually only needs to be 16+20 for SSLv3 and 12 for TLS */
320 unsigned char finish_md[EVP_MAX_MD_SIZE*2];
321
322 unsigned long message_size;
323 int message_type;
324
325 /* used to hold the new cipher we are going to use */
326 SSL_CIPHER *new_cipher;
327 DH *dh;
328
329 /* used when SSL_ST_FLUSH_DATA is entered */
330 int next_state;
331
332 int reuse_message;
333
334 /* used for certificate requests */
335 int cert_req;
336 int ctype_num;
337 char ctype[SSL3_CT_NUMBER];
338 STACK *ca_names;
339
340 int use_rsa_tmp;
341
342 int key_block_length;
343 unsigned char *key_block;
344
345 EVP_CIPHER *new_sym_enc;
346 EVP_MD *new_hash;
347 SSL_COMPRESSION *new_compression;
348 int cert_request;
349 } tmp;
350 } SSL3_CTX;
351
352/* SSLv3 */
353/*client */
354/* extra state */
355#define SSL3_ST_CW_FLUSH (0x100|SSL_ST_CONNECT)
356/* write to server */
357#define SSL3_ST_CW_CLNT_HELLO_A (0x110|SSL_ST_CONNECT)
358#define SSL3_ST_CW_CLNT_HELLO_B (0x111|SSL_ST_CONNECT)
359/* read from server */
360#define SSL3_ST_CR_SRVR_HELLO_A (0x120|SSL_ST_CONNECT)
361#define SSL3_ST_CR_SRVR_HELLO_B (0x121|SSL_ST_CONNECT)
362#define SSL3_ST_CR_CERT_A (0x130|SSL_ST_CONNECT)
363#define SSL3_ST_CR_CERT_B (0x131|SSL_ST_CONNECT)
364#define SSL3_ST_CR_KEY_EXCH_A (0x140|SSL_ST_CONNECT)
365#define SSL3_ST_CR_KEY_EXCH_B (0x141|SSL_ST_CONNECT)
366#define SSL3_ST_CR_CERT_REQ_A (0x150|SSL_ST_CONNECT)
367#define SSL3_ST_CR_CERT_REQ_B (0x151|SSL_ST_CONNECT)
368#define SSL3_ST_CR_SRVR_DONE_A (0x160|SSL_ST_CONNECT)
369#define SSL3_ST_CR_SRVR_DONE_B (0x161|SSL_ST_CONNECT)
370/* write to server */
371#define SSL3_ST_CW_CERT_A (0x170|SSL_ST_CONNECT)
372#define SSL3_ST_CW_CERT_B (0x171|SSL_ST_CONNECT)
373#define SSL3_ST_CW_CERT_C (0x172|SSL_ST_CONNECT)
374#define SSL3_ST_CW_CERT_D (0x173|SSL_ST_CONNECT)
375#define SSL3_ST_CW_KEY_EXCH_A (0x180|SSL_ST_CONNECT)
376#define SSL3_ST_CW_KEY_EXCH_B (0x181|SSL_ST_CONNECT)
377#define SSL3_ST_CW_CERT_VRFY_A (0x190|SSL_ST_CONNECT)
378#define SSL3_ST_CW_CERT_VRFY_B (0x191|SSL_ST_CONNECT)
379#define SSL3_ST_CW_CHANGE_A (0x1A0|SSL_ST_CONNECT)
380#define SSL3_ST_CW_CHANGE_B (0x1A1|SSL_ST_CONNECT)
381#define SSL3_ST_CW_FINISHED_A (0x1B0|SSL_ST_CONNECT)
382#define SSL3_ST_CW_FINISHED_B (0x1B1|SSL_ST_CONNECT)
383/* read from server */
384#define SSL3_ST_CR_CHANGE_A (0x1C0|SSL_ST_CONNECT)
385#define SSL3_ST_CR_CHANGE_B (0x1C1|SSL_ST_CONNECT)
386#define SSL3_ST_CR_FINISHED_A (0x1D0|SSL_ST_CONNECT)
387#define SSL3_ST_CR_FINISHED_B (0x1D1|SSL_ST_CONNECT)
388
389/* server */
390/* extra state */
391#define SSL3_ST_SW_FLUSH (0x100|SSL_ST_ACCEPT)
392/* read from client */
393/* Do not change the number values, they do matter */
394#define SSL3_ST_SR_CLNT_HELLO_A (0x110|SSL_ST_ACCEPT)
395#define SSL3_ST_SR_CLNT_HELLO_B (0x111|SSL_ST_ACCEPT)
396#define SSL3_ST_SR_CLNT_HELLO_C (0x112|SSL_ST_ACCEPT)
397/* write to client */
398#define SSL3_ST_SW_HELLO_REQ_A (0x120|SSL_ST_ACCEPT)
399#define SSL3_ST_SW_HELLO_REQ_B (0x121|SSL_ST_ACCEPT)
400#define SSL3_ST_SW_HELLO_REQ_C (0x122|SSL_ST_ACCEPT)
401#define SSL3_ST_SW_SRVR_HELLO_A (0x130|SSL_ST_ACCEPT)
402#define SSL3_ST_SW_SRVR_HELLO_B (0x131|SSL_ST_ACCEPT)
403#define SSL3_ST_SW_CERT_A (0x140|SSL_ST_ACCEPT)
404#define SSL3_ST_SW_CERT_B (0x141|SSL_ST_ACCEPT)
405#define SSL3_ST_SW_KEY_EXCH_A (0x150|SSL_ST_ACCEPT)
406#define SSL3_ST_SW_KEY_EXCH_B (0x151|SSL_ST_ACCEPT)
407#define SSL3_ST_SW_CERT_REQ_A (0x160|SSL_ST_ACCEPT)
408#define SSL3_ST_SW_CERT_REQ_B (0x161|SSL_ST_ACCEPT)
409#define SSL3_ST_SW_SRVR_DONE_A (0x170|SSL_ST_ACCEPT)
410#define SSL3_ST_SW_SRVR_DONE_B (0x171|SSL_ST_ACCEPT)
411/* read from client */
412#define SSL3_ST_SR_CERT_A (0x180|SSL_ST_ACCEPT)
413#define SSL3_ST_SR_CERT_B (0x181|SSL_ST_ACCEPT)
414#define SSL3_ST_SR_KEY_EXCH_A (0x190|SSL_ST_ACCEPT)
415#define SSL3_ST_SR_KEY_EXCH_B (0x191|SSL_ST_ACCEPT)
416#define SSL3_ST_SR_CERT_VRFY_A (0x1A0|SSL_ST_ACCEPT)
417#define SSL3_ST_SR_CERT_VRFY_B (0x1A1|SSL_ST_ACCEPT)
418#define SSL3_ST_SR_CHANGE_A (0x1B0|SSL_ST_ACCEPT)
419#define SSL3_ST_SR_CHANGE_B (0x1B1|SSL_ST_ACCEPT)
420#define SSL3_ST_SR_FINISHED_A (0x1C0|SSL_ST_ACCEPT)
421#define SSL3_ST_SR_FINISHED_B (0x1C1|SSL_ST_ACCEPT)
422/* write to client */
423#define SSL3_ST_SW_CHANGE_A (0x1D0|SSL_ST_ACCEPT)
424#define SSL3_ST_SW_CHANGE_B (0x1D1|SSL_ST_ACCEPT)
425#define SSL3_ST_SW_FINISHED_A (0x1E0|SSL_ST_ACCEPT)
426#define SSL3_ST_SW_FINISHED_B (0x1E1|SSL_ST_ACCEPT)
427
428#define SSL3_MT_CLIENT_REQUEST 0
429#define SSL3_MT_CLIENT_HELLO 1
430#define SSL3_MT_SERVER_HELLO 2
431#define SSL3_MT_CERTIFICATE 11
432#define SSL3_MT_SERVER_KEY_EXCHANGE 12
433#define SSL3_MT_CERTIFICATE_REQUEST 13
434#define SSL3_MT_SERVER_DONE 14
435#define SSL3_MT_CERTIFICATE_VERIFY 15
436#define SSL3_MT_CLIENT_KEY_EXCHANGE 16
437#define SSL3_MT_FINISHED 20
438
439#define SSL3_MT_CCS 1
440
441/* These are used when changing over to a new cipher */
442#define SSL3_CC_READ 0x01
443#define SSL3_CC_WRITE 0x02
444#define SSL3_CC_CLIENT 0x10
445#define SSL3_CC_SERVER 0x20
446#define SSL3_CHANGE_CIPHER_CLIENT_WRITE (SSL3_CC_CLIENT|SSL3_CC_WRITE)
447#define SSL3_CHANGE_CIPHER_SERVER_READ (SSL3_CC_SERVER|SSL3_CC_READ)
448#define SSL3_CHANGE_CIPHER_CLIENT_READ (SSL3_CC_CLIENT|SSL3_CC_READ)
449#define SSL3_CHANGE_CIPHER_SERVER_WRITE (SSL3_CC_SERVER|SSL3_CC_WRITE)
450
451#ifdef __cplusplus
452}
453#endif
454#endif
455
diff --git a/src/lib/libssl/ssl_algs.c b/src/lib/libssl/ssl_algs.c
new file mode 100644
index 0000000000..65f3a59386
--- /dev/null
+++ b/src/lib/libssl/ssl_algs.c
@@ -0,0 +1,102 @@
1/* ssl/ssl_algs.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#include <stdio.h>
60#include "objects.h"
61#include "lhash.h"
62#include "ssl_locl.h"
63
64void SSLeay_add_ssl_algorithms()
65 {
66#ifndef NO_DES
67 EVP_add_cipher(EVP_des_cbc());
68 EVP_add_cipher(EVP_des_ede3_cbc());
69#endif
70#ifndef NO_IDEA
71 EVP_add_cipher(EVP_idea_cbc());
72#endif
73#ifndef NO_RC4
74 EVP_add_cipher(EVP_rc4());
75#endif
76#ifndef NO_RC2
77 EVP_add_cipher(EVP_rc2_cbc());
78#endif
79
80#ifndef NO_MD2
81 EVP_add_digest(EVP_md2());
82#endif
83#ifndef NO_MD5
84 EVP_add_digest(EVP_md5());
85 EVP_add_alias(SN_md5,"ssl2-md5");
86 EVP_add_alias(SN_md5,"ssl3-md5");
87#endif
88#ifndef NO_SHA1
89 EVP_add_digest(EVP_sha1()); /* RSA with sha1 */
90 EVP_add_alias(SN_sha1,"ssl3-sha1");
91#endif
92#if !defined(NO_SHA1) && !defined(NO_DSA)
93 EVP_add_digest(EVP_dss1()); /* DSA with sha1 */
94#endif
95
96 /* If you want support for phased out ciphers, add the following */
97#if 0
98 EVP_add_digest(EVP_sha());
99 EVP_add_digest(EVP_dss());
100#endif
101 }
102
diff --git a/src/lib/libssl/ssl_asn1.c b/src/lib/libssl/ssl_asn1.c
new file mode 100644
index 0000000000..116a83de64
--- /dev/null
+++ b/src/lib/libssl/ssl_asn1.c
@@ -0,0 +1,313 @@
1/* ssl/ssl_asn1.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#include <stdio.h>
60#include <stdlib.h>
61#include "asn1_mac.h"
62#include "objects.h"
63#include "ssl_locl.h"
64
65typedef struct ssl_session_asn1_st
66 {
67 ASN1_INTEGER version;
68 ASN1_INTEGER ssl_version;
69 ASN1_OCTET_STRING cipher;
70 ASN1_OCTET_STRING master_key;
71 ASN1_OCTET_STRING session_id;
72 ASN1_OCTET_STRING key_arg;
73 ASN1_INTEGER time;
74 ASN1_INTEGER timeout;
75 } SSL_SESSION_ASN1;
76
77/*
78 * SSLerr(SSL_F_I2D_SSL_SESSION,SSL_R_CIPHER_CODE_WRONG_LENGTH);
79 * SSLerr(SSL_F_D2I_SSL_SESSION,SSL_R_UNSUPPORTED_CIPHER);
80 */
81
82int i2d_SSL_SESSION(in,pp)
83SSL_SESSION *in;
84unsigned char **pp;
85 {
86#define LSIZE2 (sizeof(long)*2)
87 int v1=0,v2=0,v3=0;
88 unsigned char buf[4],ibuf1[LSIZE2],ibuf2[LSIZE2];
89 unsigned char ibuf3[LSIZE2],ibuf4[LSIZE2];
90 long l;
91 SSL_SESSION_ASN1 a;
92 M_ASN1_I2D_vars(in);
93
94 if ((in == NULL) || ((in->cipher == NULL) && (in->cipher_id == 0)))
95 return(0);
96
97 /* Note that I cheat in the following 2 assignments. I know
98 * that if the ASN1_INTERGER passed to ASN1_INTEGER_set
99 * is > sizeof(long)+1, the buffer will not be re-Malloc()ed.
100 * This is a bit evil but makes things simple, no dynamic allocation
101 * to clean up :-) */
102 a.version.length=LSIZE2;
103 a.version.type=V_ASN1_INTEGER;
104 a.version.data=ibuf1;
105 ASN1_INTEGER_set(&(a.version),SSL_SESSION_ASN1_VERSION);
106
107 a.ssl_version.length=LSIZE2;
108 a.ssl_version.type=V_ASN1_INTEGER;
109 a.ssl_version.data=ibuf2;
110 ASN1_INTEGER_set(&(a.ssl_version),in->ssl_version);
111
112 a.cipher.type=V_ASN1_OCTET_STRING;
113 a.cipher.data=buf;
114
115 if (in->cipher == NULL)
116 l=in->cipher_id;
117 else
118 l=in->cipher->id;
119 if (in->ssl_version == SSL2_VERSION)
120 {
121 a.cipher.length=3;
122 buf[0]=((unsigned char)(l>>16L))&0xff;
123 buf[1]=((unsigned char)(l>> 8L))&0xff;
124 buf[2]=((unsigned char)(l ))&0xff;
125 }
126 else
127 {
128 a.cipher.length=2;
129 buf[0]=((unsigned char)(l>>8L))&0xff;
130 buf[1]=((unsigned char)(l ))&0xff;
131 }
132
133 a.master_key.length=in->master_key_length;
134 a.master_key.type=V_ASN1_OCTET_STRING;
135 a.master_key.data=in->master_key;
136
137 a.session_id.length=in->session_id_length;
138 a.session_id.type=V_ASN1_OCTET_STRING;
139 a.session_id.data=in->session_id;
140
141 a.key_arg.length=in->key_arg_length;
142 a.key_arg.type=V_ASN1_OCTET_STRING;
143 a.key_arg.data=in->key_arg;
144
145 if (in->time != 0L)
146 {
147 a.time.length=LSIZE2;
148 a.time.type=V_ASN1_INTEGER;
149 a.time.data=ibuf3;
150 ASN1_INTEGER_set(&(a.time),in->time);
151 }
152
153 if (in->timeout != 0L)
154 {
155 a.timeout.length=LSIZE2;
156 a.timeout.type=V_ASN1_INTEGER;
157 a.timeout.data=ibuf4;
158 ASN1_INTEGER_set(&(a.timeout),in->timeout);
159 }
160
161 M_ASN1_I2D_len(&(a.version), i2d_ASN1_INTEGER);
162 M_ASN1_I2D_len(&(a.ssl_version), i2d_ASN1_INTEGER);
163 M_ASN1_I2D_len(&(a.cipher), i2d_ASN1_OCTET_STRING);
164 M_ASN1_I2D_len(&(a.session_id), i2d_ASN1_OCTET_STRING);
165 M_ASN1_I2D_len(&(a.master_key), i2d_ASN1_OCTET_STRING);
166 if (in->key_arg_length > 0)
167 M_ASN1_I2D_len_IMP_opt(&(a.key_arg),i2d_ASN1_OCTET_STRING);
168 if (in->time != 0L)
169 M_ASN1_I2D_len_EXP_opt(&(a.time),i2d_ASN1_INTEGER,1,v1);
170 if (in->timeout != 0L)
171 M_ASN1_I2D_len_EXP_opt(&(a.timeout),i2d_ASN1_INTEGER,2,v2);
172 if (in->peer != NULL)
173 M_ASN1_I2D_len_EXP_opt(in->peer,i2d_X509,3,v3);
174
175 M_ASN1_I2D_seq_total();
176
177 M_ASN1_I2D_put(&(a.version), i2d_ASN1_INTEGER);
178 M_ASN1_I2D_put(&(a.ssl_version), i2d_ASN1_INTEGER);
179 M_ASN1_I2D_put(&(a.cipher), i2d_ASN1_OCTET_STRING);
180 M_ASN1_I2D_put(&(a.session_id), i2d_ASN1_OCTET_STRING);
181 M_ASN1_I2D_put(&(a.master_key), i2d_ASN1_OCTET_STRING);
182 if (in->key_arg_length > 0)
183 M_ASN1_I2D_put_IMP_opt(&(a.key_arg),i2d_ASN1_OCTET_STRING,0);
184 if (in->time != 0L)
185 M_ASN1_I2D_put_EXP_opt(&(a.time),i2d_ASN1_INTEGER,1,v1);
186 if (in->timeout != 0L)
187 M_ASN1_I2D_put_EXP_opt(&(a.timeout),i2d_ASN1_INTEGER,2,v2);
188 if (in->peer != NULL)
189 M_ASN1_I2D_put_EXP_opt(in->peer,i2d_X509,3,v3);
190
191 M_ASN1_I2D_finish();
192 }
193
194SSL_SESSION *d2i_SSL_SESSION(a,pp,length)
195SSL_SESSION **a;
196unsigned char **pp;
197long length;
198 {
199 int version,ssl_version=0,i;
200 long id;
201 ASN1_INTEGER ai,*aip;
202 ASN1_OCTET_STRING os,*osp;
203 M_ASN1_D2I_vars(a,SSL_SESSION *,SSL_SESSION_new);
204
205 aip= &ai;
206 osp= &os;
207
208 M_ASN1_D2I_Init();
209 M_ASN1_D2I_start_sequence();
210
211 ai.data=NULL; ai.length=0;
212 M_ASN1_D2I_get(aip,d2i_ASN1_INTEGER);
213 version=(int)ASN1_INTEGER_get(aip);
214 if (ai.data != NULL) { Free(ai.data); ai.data=NULL; ai.length=0; }
215
216 /* we don't care about the version right now :-) */
217 M_ASN1_D2I_get(aip,d2i_ASN1_INTEGER);
218 ssl_version=(int)ASN1_INTEGER_get(aip);
219 ret->ssl_version=ssl_version;
220 if (ai.data != NULL) { Free(ai.data); ai.data=NULL; ai.length=0; }
221
222 os.data=NULL; os.length=0;
223 M_ASN1_D2I_get(osp,d2i_ASN1_OCTET_STRING);
224 if (ssl_version == SSL2_VERSION)
225 {
226 if (os.length != 3)
227 {
228 c.error=SSL_R_CIPHER_CODE_WRONG_LENGTH;
229 goto err;
230 }
231 id=0x02000000L|
232 ((unsigned long)os.data[0]<<16L)|
233 ((unsigned long)os.data[1]<< 8L)|
234 (unsigned long)os.data[2];
235 }
236 else if ((ssl_version>>8) == 3)
237 {
238 if (os.length != 2)
239 {
240 c.error=SSL_R_CIPHER_CODE_WRONG_LENGTH;
241 goto err;
242 }
243 id=0x03000000L|
244 ((unsigned long)os.data[0]<<8L)|
245 (unsigned long)os.data[1];
246 }
247 else
248 {
249 SSLerr(SSL_F_D2I_SSL_SESSION,SSL_R_UNKNOWN_SSL_VERSION);
250 return(NULL);
251 }
252
253 ret->cipher=NULL;
254 ret->cipher_id=id;
255
256 M_ASN1_D2I_get(osp,d2i_ASN1_OCTET_STRING);
257 if ((ssl_version>>8) == SSL3_VERSION)
258 i=SSL3_MAX_SSL_SESSION_ID_LENGTH;
259 else /* if (ssl_version == SSL2_VERSION) */
260 i=SSL2_MAX_SSL_SESSION_ID_LENGTH;
261
262 if (os.length > i)
263 os.length=i;
264
265 ret->session_id_length=os.length;
266 memcpy(ret->session_id,os.data,os.length);
267
268 M_ASN1_D2I_get(osp,d2i_ASN1_OCTET_STRING);
269 if (ret->master_key_length > SSL_MAX_MASTER_KEY_LENGTH)
270 ret->master_key_length=SSL_MAX_MASTER_KEY_LENGTH;
271 else
272 ret->master_key_length=os.length;
273 memcpy(ret->master_key,os.data,ret->master_key_length);
274
275 os.length=0;
276 M_ASN1_D2I_get_IMP_opt(osp,d2i_ASN1_OCTET_STRING,0,V_ASN1_OCTET_STRING);
277 if (os.length > SSL_MAX_KEY_ARG_LENGTH)
278 ret->key_arg_length=SSL_MAX_KEY_ARG_LENGTH;
279 else
280 ret->key_arg_length=os.length;
281 memcpy(ret->key_arg,os.data,ret->key_arg_length);
282 if (os.data != NULL) Free(os.data);
283
284 ai.length=0;
285 M_ASN1_D2I_get_EXP_opt(aip,d2i_ASN1_INTEGER,1);
286 if (ai.data != NULL)
287 {
288 ret->time=ASN1_INTEGER_get(aip);
289 Free(ai.data); ai.data=NULL; ai.length=0;
290 }
291 else
292 ret->time=time(NULL);
293
294 ai.length=0;
295 M_ASN1_D2I_get_EXP_opt(aip,d2i_ASN1_INTEGER,2);
296 if (ai.data != NULL)
297 {
298 ret->timeout=ASN1_INTEGER_get(aip);
299 Free(ai.data); ai.data=NULL; ai.length=0;
300 }
301 else
302 ret->timeout=3;
303
304 if (ret->peer != NULL)
305 {
306 X509_free(ret->peer);
307 ret->peer=NULL;
308 }
309 M_ASN1_D2I_get_EXP_opt(ret->peer,d2i_X509,3);
310
311 M_ASN1_D2I_Finish(a,SSL_SESSION_free,SSL_F_D2I_SSL_SESSION);
312 }
313
diff --git a/src/lib/libssl/ssl_cert.c b/src/lib/libssl/ssl_cert.c
new file mode 100644
index 0000000000..c1cb86e1b7
--- /dev/null
+++ b/src/lib/libssl/ssl_cert.c
@@ -0,0 +1,329 @@
1/* ssl/ssl_cert.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#include <stdio.h>
60#include "objects.h"
61#include "bio.h"
62#include "pem.h"
63#include "ssl_locl.h"
64
65CERT *ssl_cert_new()
66 {
67 CERT *ret;
68
69 ret=(CERT *)Malloc(sizeof(CERT));
70 if (ret == NULL)
71 {
72 SSLerr(SSL_F_SSL_CERT_NEW,ERR_R_MALLOC_FAILURE);
73 return(NULL);
74 }
75 memset(ret,0,sizeof(CERT));
76/*
77 ret->valid=0;
78 ret->mask=0;
79 ret->export_mask=0;
80 ret->cert_type=0;
81 ret->key->x509=NULL;
82 ret->key->publickey=NULL;
83 ret->key->privatekey=NULL; */
84
85 ret->key= &(ret->pkeys[SSL_PKEY_RSA_ENC]);
86 ret->references=1;
87
88 return(ret);
89 }
90
91void ssl_cert_free(c)
92CERT *c;
93 {
94 int i;
95
96 i=CRYPTO_add(&c->references,-1,CRYPTO_LOCK_SSL_CERT);
97#ifdef REF_PRINT
98 REF_PRINT("CERT",c);
99#endif
100 if (i > 0) return;
101#ifdef REF_CHECK
102 if (i < 0)
103 {
104 fprintf(stderr,"ssl_cert_free, bad reference count\n");
105 abort(); /* ok */
106 }
107#endif
108
109#ifndef NO_RSA
110 if (c->rsa_tmp) RSA_free(c->rsa_tmp);
111#endif
112#ifndef NO_DH
113 if (c->dh_tmp) DH_free(c->dh_tmp);
114#endif
115
116 for (i=0; i<SSL_PKEY_NUM; i++)
117 {
118 if (c->pkeys[i].x509 != NULL)
119 X509_free(c->pkeys[i].x509);
120 if (c->pkeys[i].privatekey != NULL)
121 EVP_PKEY_free(c->pkeys[i].privatekey);
122#if 0
123 if (c->pkeys[i].publickey != NULL)
124 EVP_PKEY_free(c->pkeys[i].publickey);
125#endif
126 }
127 if (c->cert_chain != NULL)
128 sk_pop_free(c->cert_chain,X509_free);
129 Free(c);
130 }
131
132int ssl_set_cert_type(c, type)
133CERT *c;
134int type;
135 {
136 c->cert_type=type;
137 return(1);
138 }
139
140int ssl_verify_cert_chain(s,sk)
141SSL *s;
142STACK *sk;
143 {
144 X509 *x;
145 int i;
146 X509_STORE_CTX ctx;
147
148 if ((sk == NULL) || (sk_num(sk) == 0))
149 return(0);
150
151 x=(X509 *)sk_value(sk,0);
152 X509_STORE_CTX_init(&ctx,s->ctx->cert_store,x,sk);
153 X509_STORE_CTX_set_app_data(&ctx,(char *)s);
154
155 if (s->ctx->app_verify_callback != NULL)
156 i=s->ctx->app_verify_callback(&ctx);
157 else
158 i=X509_verify_cert(&ctx);
159
160 X509_STORE_CTX_cleanup(&ctx);
161 s->verify_result=ctx.error;
162
163 return(i);
164 }
165
166static void set_client_CA_list(ca_list,list)
167STACK **ca_list;
168STACK *list;
169 {
170 if (*ca_list != NULL)
171 sk_pop_free(*ca_list,X509_NAME_free);
172
173 *ca_list=list;
174 }
175
176STACK *SSL_dup_CA_list(sk)
177STACK *sk;
178 {
179 int i;
180 STACK *ret;
181 X509_NAME *name;
182
183 ret=sk_new_null();
184 for (i=0; i<sk_num(sk); i++)
185 {
186 name=X509_NAME_dup((X509_NAME *)sk_value(sk,i));
187 if ((name == NULL) || !sk_push(ret,(char *)name))
188 {
189 sk_pop_free(ret,X509_NAME_free);
190 return(NULL);
191 }
192 }
193 return(ret);
194 }
195
196void SSL_set_client_CA_list(s,list)
197SSL *s;
198STACK *list;
199 {
200 set_client_CA_list(&(s->client_CA),list);
201 }
202
203void SSL_CTX_set_client_CA_list(ctx,list)
204SSL_CTX *ctx;
205STACK *list;
206 {
207 set_client_CA_list(&(ctx->client_CA),list);
208 }
209
210STACK *SSL_CTX_get_client_CA_list(ctx)
211SSL_CTX *ctx;
212 {
213 return(ctx->client_CA);
214 }
215
216STACK *SSL_get_client_CA_list(s)
217SSL *s;
218 {
219 if (s->type == SSL_ST_CONNECT)
220 { /* we are in the client */
221 if (((s->version>>8) == SSL3_VERSION_MAJOR) &&
222 (s->s3 != NULL))
223 return(s->s3->tmp.ca_names);
224 else
225 return(NULL);
226 }
227 else
228 {
229 if (s->client_CA != NULL)
230 return(s->client_CA);
231 else
232 return(s->ctx->client_CA);
233 }
234 }
235
236static int add_client_CA(sk,x)
237STACK **sk;
238X509 *x;
239 {
240 X509_NAME *name;
241
242 if (x == NULL) return(0);
243 if ((*sk == NULL) && ((*sk=sk_new_null()) == NULL))
244 return(0);
245
246 if ((name=X509_NAME_dup(X509_get_subject_name(x))) == NULL)
247 return(0);
248
249 if (!sk_push(*sk,(char *)name))
250 {
251 X509_NAME_free(name);
252 return(0);
253 }
254 return(1);
255 }
256
257int SSL_add_client_CA(ssl,x)
258SSL *ssl;
259X509 *x;
260 {
261 return(add_client_CA(&(ssl->client_CA),x));
262 }
263
264int SSL_CTX_add_client_CA(ctx,x)
265SSL_CTX *ctx;
266X509 *x;
267 {
268 return(add_client_CA(&(ctx->client_CA),x));
269 }
270
271static int name_cmp(a,b)
272X509_NAME **a,**b;
273 {
274 return(X509_NAME_cmp(*a,*b));
275 }
276
277#ifndef NO_STDIO
278STACK *SSL_load_client_CA_file(file)
279char *file;
280 {
281 BIO *in;
282 X509 *x=NULL;
283 X509_NAME *xn=NULL;
284 STACK *ret,*sk;
285
286 ret=sk_new(NULL);
287 sk=sk_new(name_cmp);
288
289 in=BIO_new(BIO_s_file_internal());
290
291 if ((ret == NULL) || (sk == NULL) || (in == NULL))
292 {
293 SSLerr(SSL_F_SSL_LOAD_CLIENT_CA_FILE,ERR_R_MALLOC_FAILURE);
294 goto err;
295 }
296
297 if (!BIO_read_filename(in,file))
298 goto err;
299
300 for (;;)
301 {
302 if (PEM_read_bio_X509(in,&x,NULL) == NULL)
303 break;
304 if ((xn=X509_get_subject_name(x)) == NULL) goto err;
305 /* check for duplicates */
306 xn=X509_NAME_dup(xn);
307 if (xn == NULL) goto err;
308 if (sk_find(sk,(char *)xn) >= 0)
309 X509_NAME_free(xn);
310 else
311 {
312 sk_push(sk,(char *)xn);
313 sk_push(ret,(char *)xn);
314 }
315 }
316
317 if (0)
318 {
319err:
320 if (ret != NULL) sk_pop_free(ret,X509_NAME_free);
321 ret=NULL;
322 }
323 if (sk != NULL) sk_free(sk);
324 if (in != NULL) BIO_free(in);
325 if (x != NULL) X509_free(x);
326 return(ret);
327 }
328#endif
329
diff --git a/src/lib/libssl/ssl_ciph.c b/src/lib/libssl/ssl_ciph.c
new file mode 100644
index 0000000000..820994408b
--- /dev/null
+++ b/src/lib/libssl/ssl_ciph.c
@@ -0,0 +1,758 @@
1/* ssl/ssl_ciph.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#include <stdio.h>
60#include "objects.h"
61#include "ssl_locl.h"
62
63#define SSL_ENC_DES_IDX 0
64#define SSL_ENC_3DES_IDX 1
65#define SSL_ENC_RC4_IDX 2
66#define SSL_ENC_RC2_IDX 3
67#define SSL_ENC_IDEA_IDX 4
68#define SSL_ENC_eFZA_IDX 5
69#define SSL_ENC_NULL_IDX 6
70#define SSL_ENC_NUM_IDX 7
71
72static EVP_CIPHER *ssl_cipher_methods[SSL_ENC_NUM_IDX]={
73 NULL,NULL,NULL,NULL,NULL,NULL,
74 };
75
76#define SSL_MD_MD5_IDX 0
77#define SSL_MD_SHA1_IDX 1
78#define SSL_MD_NUM_IDX 2
79static EVP_MD *ssl_digest_methods[SSL_MD_NUM_IDX]={
80 NULL,NULL,
81 };
82
83typedef struct cipher_sort_st
84 {
85 SSL_CIPHER *cipher;
86 int pref;
87 } CIPHER_SORT;
88
89#define CIPHER_ADD 1
90#define CIPHER_KILL 2
91#define CIPHER_DEL 3
92#define CIPHER_ORD 4
93
94typedef struct cipher_choice_st
95 {
96 int type;
97 unsigned long algorithms;
98 unsigned long mask;
99 long top;
100 } CIPHER_CHOICE;
101
102typedef struct cipher_order_st
103 {
104 SSL_CIPHER *cipher;
105 int active;
106 int dead;
107 struct cipher_order_st *next,*prev;
108 } CIPHER_ORDER;
109
110static SSL_CIPHER cipher_aliases[]={
111 {0,SSL_TXT_ALL, 0,SSL_ALL, 0,SSL_ALL}, /* must be first */
112 {0,SSL_TXT_kRSA,0,SSL_kRSA, 0,SSL_MKEY_MASK},
113 {0,SSL_TXT_kDHr,0,SSL_kDHr, 0,SSL_MKEY_MASK},
114 {0,SSL_TXT_kDHd,0,SSL_kDHd, 0,SSL_MKEY_MASK},
115 {0,SSL_TXT_kEDH,0,SSL_kEDH, 0,SSL_MKEY_MASK},
116 {0,SSL_TXT_kFZA,0,SSL_kFZA, 0,SSL_MKEY_MASK},
117 {0,SSL_TXT_DH, 0,SSL_DH, 0,SSL_MKEY_MASK},
118 {0,SSL_TXT_EDH, 0,SSL_EDH, 0,SSL_MKEY_MASK|SSL_AUTH_MASK},
119
120 {0,SSL_TXT_aRSA,0,SSL_aRSA, 0,SSL_AUTH_MASK},
121 {0,SSL_TXT_aDSS,0,SSL_aDSS, 0,SSL_AUTH_MASK},
122 {0,SSL_TXT_aFZA,0,SSL_aFZA, 0,SSL_AUTH_MASK},
123 {0,SSL_TXT_aNULL,0,SSL_aNULL,0,SSL_AUTH_MASK},
124 {0,SSL_TXT_aDH, 0,SSL_aDH, 0,SSL_AUTH_MASK},
125 {0,SSL_TXT_DSS, 0,SSL_DSS, 0,SSL_AUTH_MASK},
126
127 {0,SSL_TXT_DES, 0,SSL_DES, 0,SSL_ENC_MASK},
128 {0,SSL_TXT_3DES,0,SSL_3DES, 0,SSL_ENC_MASK},
129 {0,SSL_TXT_RC4, 0,SSL_RC4, 0,SSL_ENC_MASK},
130 {0,SSL_TXT_RC2, 0,SSL_RC2, 0,SSL_ENC_MASK},
131 {0,SSL_TXT_IDEA,0,SSL_IDEA, 0,SSL_ENC_MASK},
132 {0,SSL_TXT_eNULL,0,SSL_eNULL,0,SSL_ENC_MASK},
133 {0,SSL_TXT_eFZA,0,SSL_eFZA, 0,SSL_ENC_MASK},
134
135 {0,SSL_TXT_MD5, 0,SSL_MD5, 0,SSL_MAC_MASK},
136 {0,SSL_TXT_SHA1,0,SSL_SHA1, 0,SSL_MAC_MASK},
137 {0,SSL_TXT_SHA, 0,SSL_SHA, 0,SSL_MAC_MASK},
138
139 {0,SSL_TXT_NULL,0,SSL_NULL, 0,SSL_ENC_MASK},
140 {0,SSL_TXT_RSA, 0,SSL_RSA, 0,SSL_AUTH_MASK|SSL_MKEY_MASK},
141 {0,SSL_TXT_ADH, 0,SSL_ADH, 0,SSL_AUTH_MASK|SSL_MKEY_MASK},
142 {0,SSL_TXT_FZA, 0,SSL_FZA, 0,SSL_AUTH_MASK|SSL_MKEY_MASK|SSL_ENC_MASK},
143
144 {0,SSL_TXT_EXP, 0,SSL_EXP, 0,SSL_EXP_MASK},
145 {0,SSL_TXT_EXPORT,0,SSL_EXPORT,0,SSL_EXP_MASK},
146 {0,SSL_TXT_SSLV2,0,SSL_SSLV2,0,SSL_SSL_MASK},
147 {0,SSL_TXT_SSLV3,0,SSL_SSLV3,0,SSL_SSL_MASK},
148 {0,SSL_TXT_LOW, 0,SSL_LOW,0,SSL_STRONG_MASK},
149 {0,SSL_TXT_MEDIUM,0,SSL_MEDIUM,0,SSL_STRONG_MASK},
150 {0,SSL_TXT_HIGH, 0,SSL_HIGH,0,SSL_STRONG_MASK},
151 };
152
153static int init_ciphers=1;
154static void load_ciphers();
155
156static int cmp_by_name(a,b)
157SSL_CIPHER **a,**b;
158 {
159 return(strcmp((*a)->name,(*b)->name));
160 }
161
162static void load_ciphers()
163 {
164 init_ciphers=0;
165 ssl_cipher_methods[SSL_ENC_DES_IDX]=
166 EVP_get_cipherbyname(SN_des_cbc);
167 ssl_cipher_methods[SSL_ENC_3DES_IDX]=
168 EVP_get_cipherbyname(SN_des_ede3_cbc);
169 ssl_cipher_methods[SSL_ENC_RC4_IDX]=
170 EVP_get_cipherbyname(SN_rc4);
171 ssl_cipher_methods[SSL_ENC_RC2_IDX]=
172 EVP_get_cipherbyname(SN_rc2_cbc);
173 ssl_cipher_methods[SSL_ENC_IDEA_IDX]=
174 EVP_get_cipherbyname(SN_idea_cbc);
175
176 ssl_digest_methods[SSL_MD_MD5_IDX]=
177 EVP_get_digestbyname(SN_md5);
178 ssl_digest_methods[SSL_MD_SHA1_IDX]=
179 EVP_get_digestbyname(SN_sha1);
180 }
181
182int ssl_cipher_get_evp(c,enc,md)
183SSL_CIPHER *c;
184EVP_CIPHER **enc;
185EVP_MD **md;
186 {
187 int i;
188
189 if (c == NULL) return(0);
190
191 switch (c->algorithms & SSL_ENC_MASK)
192 {
193 case SSL_DES:
194 i=SSL_ENC_DES_IDX;
195 break;
196 case SSL_3DES:
197 i=SSL_ENC_3DES_IDX;
198 break;
199 case SSL_RC4:
200 i=SSL_ENC_RC4_IDX;
201 break;
202 case SSL_RC2:
203 i=SSL_ENC_RC2_IDX;
204 break;
205 case SSL_IDEA:
206 i=SSL_ENC_IDEA_IDX;
207 break;
208 case SSL_eNULL:
209 i=SSL_ENC_NULL_IDX;
210 break;
211 break;
212 default:
213 i= -1;
214 break;
215 }
216
217 if ((i < 0) || (i > SSL_ENC_NUM_IDX))
218 *enc=NULL;
219 else
220 {
221 if (i == SSL_ENC_NULL_IDX)
222 *enc=EVP_enc_null();
223 else
224 *enc=ssl_cipher_methods[i];
225 }
226
227 switch (c->algorithms & SSL_MAC_MASK)
228 {
229 case SSL_MD5:
230 i=SSL_MD_MD5_IDX;
231 break;
232 case SSL_SHA1:
233 i=SSL_MD_SHA1_IDX;
234 break;
235 default:
236 i= -1;
237 break;
238 }
239 if ((i < 0) || (i > SSL_MD_NUM_IDX))
240 *md=NULL;
241 else
242 *md=ssl_digest_methods[i];
243
244 if ((*enc != NULL) && (*md != NULL))
245 return(1);
246 else
247 return(0);
248 }
249
250#define ITEM_SEP(a) \
251 (((a) == ':') || ((a) == ' ') || ((a) == ';') || ((a) == ','))
252
253static void ll_append_tail(head,curr,tail)
254CIPHER_ORDER **head,*curr,**tail;
255 {
256 if (curr == *tail) return;
257 if (curr == *head)
258 *head=curr->next;
259 if (curr->prev != NULL)
260 curr->prev->next=curr->next;
261 if (curr->next != NULL) /* should always be true */
262 curr->next->prev=curr->prev;
263 (*tail)->next=curr;
264 curr->prev= *tail;
265 curr->next=NULL;
266 *tail=curr;
267 }
268
269STACK *ssl_create_cipher_list(ssl_method,cipher_list,cipher_list_by_id,str)
270SSL_METHOD *ssl_method;
271STACK **cipher_list,**cipher_list_by_id;
272char *str;
273 {
274 SSL_CIPHER *c;
275 char *l;
276 STACK *ret=NULL,*ok=NULL;
277#define CL_BUF 40
278 char buf[CL_BUF];
279 char *tmp_str=NULL;
280 unsigned long mask,algorithms,ma;
281 char *start;
282 int i,j,k,num=0,ch,multi;
283 unsigned long al;
284 STACK *ca_list=NULL;
285 int current_x,num_x;
286 CIPHER_CHOICE *ops=NULL;
287 CIPHER_ORDER *list=NULL,*head=NULL,*tail=NULL,*curr,*tail2,*curr2;
288 int list_num;
289 int type;
290 SSL_CIPHER c_tmp,*cp;
291
292 if (str == NULL) return(NULL);
293
294 if (strncmp(str,"DEFAULT",7) == 0)
295 {
296 i=strlen(str)+2+strlen(SSL_DEFAULT_CIPHER_LIST);
297 if ((tmp_str=Malloc(i)) == NULL)
298 {
299 SSLerr(SSL_F_SSL_CREATE_CIPHER_LIST,ERR_R_MALLOC_FAILURE);
300 goto err;
301 }
302 strcpy(tmp_str,SSL_DEFAULT_CIPHER_LIST);
303 strcat(tmp_str,":");
304 strcat(tmp_str,&(str[7]));
305 str=tmp_str;
306 }
307 if (init_ciphers) load_ciphers();
308
309 num=ssl_method->num_ciphers();
310
311 if ((ret=(STACK *)sk_new(NULL)) == NULL) goto err;
312 if ((ca_list=(STACK *)sk_new(cmp_by_name)) == NULL) goto err;
313
314 mask =SSL_kFZA;
315#ifdef NO_RSA
316 mask|=SSL_aRSA|SSL_kRSA;
317#endif
318#ifdef NO_DSA
319 mask|=SSL_aDSS;
320#endif
321#ifdef NO_DH
322 mask|=SSL_kDHr|SSL_kDHd|SSL_kEDH|SSL_aDH;
323#endif
324
325#ifndef SSL_ALLOW_ENULL
326 mask|=SSL_eNULL;
327#endif
328
329 mask|=(ssl_cipher_methods[SSL_ENC_DES_IDX ] == NULL)?SSL_DES :0;
330 mask|=(ssl_cipher_methods[SSL_ENC_3DES_IDX] == NULL)?SSL_3DES:0;
331 mask|=(ssl_cipher_methods[SSL_ENC_RC4_IDX ] == NULL)?SSL_RC4 :0;
332 mask|=(ssl_cipher_methods[SSL_ENC_RC2_IDX ] == NULL)?SSL_RC2 :0;
333 mask|=(ssl_cipher_methods[SSL_ENC_IDEA_IDX] == NULL)?SSL_IDEA:0;
334 mask|=(ssl_cipher_methods[SSL_ENC_eFZA_IDX] == NULL)?SSL_eFZA:0;
335
336 mask|=(ssl_digest_methods[SSL_MD_MD5_IDX ] == NULL)?SSL_MD5 :0;
337 mask|=(ssl_digest_methods[SSL_MD_SHA1_IDX] == NULL)?SSL_SHA1:0;
338
339 if ((list=(CIPHER_ORDER *)Malloc(sizeof(CIPHER_ORDER)*num)) == NULL)
340 goto err;
341
342 /* Get the initial list of ciphers */
343 list_num=0;
344 for (i=0; i<num; i++)
345 {
346 c=ssl_method->get_cipher((unsigned int)i);
347 /* drop those that use any of that is not available */
348 if ((c != NULL) && c->valid && !(c->algorithms & mask))
349 {
350 list[list_num].cipher=c;
351 list[list_num].next=NULL;
352 list[list_num].prev=NULL;
353 list[list_num].active=0;
354 list_num++;
355 if (!sk_push(ca_list,(char *)c)) goto err;
356 }
357 }
358
359 for (i=1; i<list_num-1; i++)
360 {
361 list[i].prev= &(list[i-1]);
362 list[i].next= &(list[i+1]);
363 }
364 if (list_num > 0)
365 {
366 head= &(list[0]);
367 head->prev=NULL;
368 head->next= &(list[1]);
369 tail= &(list[list_num-1]);
370 tail->prev= &(list[list_num-2]);
371 tail->next=NULL;
372 }
373
374 /* special case */
375 cipher_aliases[0].algorithms= ~mask;
376
377 /* get the aliases */
378 k=sizeof(cipher_aliases)/sizeof(SSL_CIPHER);
379 for (j=0; j<k; j++)
380 {
381 al=cipher_aliases[j].algorithms;
382 /* Drop those that are not relevent */
383 if ((al & mask) == al) continue;
384 if (!sk_push(ca_list,(char *)&(cipher_aliases[j]))) goto err;
385 }
386
387 /* ca_list now holds a 'stack' of SSL_CIPHERS, some real, some
388 * 'aliases' */
389
390 /* how many parameters are there? */
391 num=1;
392 for (l=str; *l; l++)
393 if (ITEM_SEP(*l))
394 num++;
395 ops=(CIPHER_CHOICE *)Malloc(sizeof(CIPHER_CHOICE)*num);
396 if (ops == NULL) goto err;
397 memset(ops,0,sizeof(CIPHER_CHOICE)*num);
398
399 /* we now parse the input string and create our operations */
400 l=str;
401 i=0;
402 current_x=0;
403
404 for (;;)
405 {
406 ch= *l;
407
408 if (ch == '\0') break;
409
410 if (ch == '-')
411 { j=CIPHER_DEL; l++; }
412 else if (ch == '+')
413 { j=CIPHER_ORD; l++; }
414 else if (ch == '!')
415 { j=CIPHER_KILL; l++; }
416 else
417 { j=CIPHER_ADD; }
418
419 if (ITEM_SEP(ch))
420 {
421 l++;
422 continue;
423 }
424 ops[current_x].type=j;
425 ops[current_x].algorithms=0;
426 ops[current_x].mask=0;
427
428 start=l;
429 for (;;)
430 {
431 ch= *l;
432 i=0;
433 while ( ((ch >= 'A') && (ch <= 'Z')) ||
434 ((ch >= '0') && (ch <= '9')) ||
435 ((ch >= 'a') && (ch <= 'z')) ||
436 (ch == '-'))
437 {
438 buf[i]=ch;
439 ch= *(++l);
440 i++;
441 if (i >= (CL_BUF-2)) break;
442 }
443 buf[i]='\0';
444
445 /* check for multi-part specification */
446 if (ch == '+')
447 {
448 multi=1;
449 l++;
450 }
451 else
452 multi=0;
453
454 c_tmp.name=buf;
455 j=sk_find(ca_list,(char *)&c_tmp);
456 if (j < 0)
457 goto end_loop;
458
459 cp=(SSL_CIPHER *)sk_value(ca_list,j);
460 ops[current_x].algorithms|=cp->algorithms;
461 /* We add the SSL_SSL_MASK so we can match the
462 * SSLv2 and SSLv3 versions of RC4-MD5 */
463 ops[current_x].mask|=cp->mask;
464 if (!multi) break;
465 }
466 current_x++;
467 if (ch == '\0') break;
468end_loop:
469 /* Make sure we scan until the next valid start point */
470 while ((*l != '\0') && ITEM_SEP(*l))
471 l++;
472 }
473
474 num_x=current_x;
475 current_x=0;
476
477 /* We will now process the list of ciphers, once for each category, to
478 * decide what we should do with it. */
479 for (j=0; j<num_x; j++)
480 {
481 algorithms=ops[j].algorithms;
482 type=ops[j].type;
483 mask=ops[j].mask;
484
485 curr=head;
486 curr2=head;
487 tail2=tail;
488 for (;;)
489 {
490 if ((curr == NULL) || (curr == tail2)) break;
491 curr=curr2;
492 curr2=curr->next;
493
494 cp=curr->cipher;
495 ma=mask & cp->algorithms;
496 if ((ma == 0) || ((ma & algorithms) != ma))
497 {
498 /* does not apply */
499 continue;
500 }
501
502 /* add the cipher if it has not been added yet. */
503 if (type == CIPHER_ADD)
504 {
505 if (!curr->active)
506 {
507 ll_append_tail(&head,curr,&tail);
508 curr->active=1;
509 }
510 }
511 /* Move the added cipher to this location */
512 else if (type == CIPHER_ORD)
513 {
514 if (curr->active)
515 {
516 ll_append_tail(&head,curr,&tail);
517 }
518 }
519 else if (type == CIPHER_DEL)
520 curr->active=0;
521 if (type == CIPHER_KILL)
522 {
523 if (head == curr)
524 head=curr->next;
525 else
526 curr->prev->next=curr->next;
527 if (tail == curr)
528 tail=curr->prev;
529 curr->active=0;
530 if (curr->next != NULL)
531 curr->next->prev=curr->prev;
532 if (curr->prev != NULL)
533 curr->prev->next=curr->next;
534 curr->next=NULL;
535 curr->prev=NULL;
536 }
537 }
538 }
539
540 for (curr=head; curr != NULL; curr=curr->next)
541 {
542 if (curr->active)
543 {
544 sk_push(ret,(char *)curr->cipher);
545#ifdef CIPHER_DEBUG
546 printf("<%s>\n",curr->cipher->name);
547#endif
548 }
549 }
550
551 if (cipher_list != NULL)
552 {
553 if (*cipher_list != NULL)
554 sk_free(*cipher_list);
555 *cipher_list=ret;
556 }
557
558 if (cipher_list_by_id != NULL)
559 {
560 if (*cipher_list_by_id != NULL)
561 sk_free(*cipher_list_by_id);
562 *cipher_list_by_id=sk_dup(ret);
563 }
564
565 if ( (cipher_list_by_id == NULL) ||
566 (*cipher_list_by_id == NULL) ||
567 (cipher_list == NULL) ||
568 (*cipher_list == NULL))
569 goto err;
570 sk_set_cmp_func(*cipher_list_by_id,ssl_cipher_ptr_id_cmp);
571
572 ok=ret;
573 ret=NULL;
574err:
575 if (tmp_str) Free(tmp_str);
576 if (ops != NULL) Free(ops);
577 if (ret != NULL) sk_free(ret);
578 if (ca_list != NULL) sk_free(ca_list);
579 if (list != NULL) Free(list);
580 return(ok);
581 }
582
583char *SSL_CIPHER_description(cipher,buf,len)
584SSL_CIPHER *cipher;
585char *buf;
586int len;
587 {
588 int export;
589 char *ver,*exp;
590 char *kx,*au,*enc,*mac;
591 unsigned long alg,alg2;
592 static char *format="%-23s %s Kx=%-8s Au=%-4s Enc=%-9s Mac=%-4s%s\n";
593
594 alg=cipher->algorithms;
595 alg2=cipher->algorithm2;
596
597 export=(alg&SSL_EXP)?1:0;
598 exp=(export)?" export":"";
599
600 if (alg & SSL_SSLV2)
601 ver="SSLv2";
602 else if (alg & SSL_SSLV3)
603 ver="SSLv3";
604 else
605 ver="unknown";
606
607 switch (alg&SSL_MKEY_MASK)
608 {
609 case SSL_kRSA:
610 kx=(export)?"RSA(512)":"RSA";
611 break;
612 case SSL_kDHr:
613 kx="DH/RSA";
614 break;
615 case SSL_kDHd:
616 kx="DH/DSS";
617 break;
618 case SSL_kFZA:
619 kx="Fortezza";
620 break;
621 case SSL_kEDH:
622 kx=(export)?"DH(512)":"DH";
623 break;
624 default:
625 kx="unknown";
626 }
627
628 switch (alg&SSL_AUTH_MASK)
629 {
630 case SSL_aRSA:
631 au="RSA";
632 break;
633 case SSL_aDSS:
634 au="DSS";
635 break;
636 case SSL_aDH:
637 au="DH";
638 break;
639 case SSL_aFZA:
640 case SSL_aNULL:
641 au="None";
642 break;
643 default:
644 au="unknown";
645 break;
646 }
647
648 switch (alg&SSL_ENC_MASK)
649 {
650 case SSL_DES:
651 enc=export?"DES(40)":"DES(56)";
652 break;
653 case SSL_3DES:
654 enc="3DES(168)";
655 break;
656 case SSL_RC4:
657 enc=export?"RC4(40)":((alg2&SSL2_CF_8_BYTE_ENC)?"RC4(64)":"RC4(128)");
658 break;
659 case SSL_RC2:
660 enc=export?"RC2(40)":"RC2(128)";
661 break;
662 case SSL_IDEA:
663 enc="IDEA(128)";
664 break;
665 case SSL_eFZA:
666 enc="Fortezza";
667 break;
668 case SSL_eNULL:
669 enc="None";
670 break;
671 default:
672 enc="unknown";
673 break;
674 }
675
676 switch (alg&SSL_MAC_MASK)
677 {
678 case SSL_MD5:
679 mac="MD5";
680 break;
681 case SSL_SHA1:
682 mac="SHA1";
683 break;
684 default:
685 mac="unknown";
686 break;
687 }
688
689 if (buf == NULL)
690 {
691 buf=Malloc(128);
692 if (buf == NULL) return("Malloc Error");
693 }
694 else if (len < 128)
695 return("Buffer too small");
696
697 sprintf(buf,format,cipher->name,ver,kx,au,enc,mac,exp);
698 return(buf);
699 }
700
701char *SSL_CIPHER_get_version(c)
702SSL_CIPHER *c;
703 {
704 int i;
705
706 if (c == NULL) return("(NONE)");
707 i=(int)(c->id>>24L);
708 if (i == 3)
709 return("TLSv1/SSLv3");
710 else if (i == 2)
711 return("SSLv2");
712 else
713 return("unknown");
714 }
715
716/* return the actual cipher being used */
717char *SSL_CIPHER_get_name(c)
718SSL_CIPHER *c;
719 {
720 if (c != NULL)
721 return(c->name);
722 return("(NONE)");
723 }
724
725/* number of bits for symetric cipher */
726int SSL_CIPHER_get_bits(c,alg_bits)
727SSL_CIPHER *c;
728int *alg_bits;
729 {
730 int ret=0,a=0;
731 EVP_CIPHER *enc;
732 EVP_MD *md;
733
734 if (c != NULL)
735 {
736 if (!ssl_cipher_get_evp(c,&enc,&md))
737 return(0);
738
739 a=EVP_CIPHER_key_length(enc)*8;
740
741 if (c->algorithms & SSL_EXP)
742 {
743 ret=40;
744 }
745 else
746 {
747 if (c->algorithm2 & SSL2_CF_8_BYTE_ENC)
748 ret=64;
749 else
750 ret=a;
751 }
752 }
753
754 if (alg_bits != NULL) *alg_bits=a;
755
756 return(ret);
757 }
758
diff --git a/src/lib/libssl/ssl_err.c b/src/lib/libssl/ssl_err.c
new file mode 100644
index 0000000000..bcbb98591f
--- /dev/null
+++ b/src/lib/libssl/ssl_err.c
@@ -0,0 +1,374 @@
1/* lib/ssl/ssl_err.c */
2/* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58#include <stdio.h>
59#include "err.h"
60#include "ssl.h"
61
62/* BEGIN ERROR CODES */
63#ifndef NO_ERR
64static ERR_STRING_DATA SSL_str_functs[]=
65 {
66{ERR_PACK(0,SSL_F_CLIENT_CERTIFICATE,0), "CLIENT_CERTIFICATE"},
67{ERR_PACK(0,SSL_F_CLIENT_HELLO,0), "CLIENT_HELLO"},
68{ERR_PACK(0,SSL_F_CLIENT_MASTER_KEY,0), "CLIENT_MASTER_KEY"},
69{ERR_PACK(0,SSL_F_D2I_SSL_SESSION,0), "d2i_SSL_SESSION"},
70{ERR_PACK(0,SSL_F_DO_SSL3_WRITE,0), "DO_SSL3_WRITE"},
71{ERR_PACK(0,SSL_F_GET_CLIENT_FINISHED,0), "GET_CLIENT_FINISHED"},
72{ERR_PACK(0,SSL_F_GET_CLIENT_HELLO,0), "GET_CLIENT_HELLO"},
73{ERR_PACK(0,SSL_F_GET_CLIENT_MASTER_KEY,0), "GET_CLIENT_MASTER_KEY"},
74{ERR_PACK(0,SSL_F_GET_SERVER_FINISHED,0), "GET_SERVER_FINISHED"},
75{ERR_PACK(0,SSL_F_GET_SERVER_HELLO,0), "GET_SERVER_HELLO"},
76{ERR_PACK(0,SSL_F_GET_SERVER_VERIFY,0), "GET_SERVER_VERIFY"},
77{ERR_PACK(0,SSL_F_I2D_SSL_SESSION,0), "i2d_SSL_SESSION"},
78{ERR_PACK(0,SSL_F_READ_N,0), "READ_N"},
79{ERR_PACK(0,SSL_F_REQUEST_CERTIFICATE,0), "REQUEST_CERTIFICATE"},
80{ERR_PACK(0,SSL_F_SERVER_HELLO,0), "SERVER_HELLO"},
81{ERR_PACK(0,SSL_F_SSL23_ACCEPT,0), "SSL23_ACCEPT"},
82{ERR_PACK(0,SSL_F_SSL23_CLIENT_HELLO,0), "SSL23_CLIENT_HELLO"},
83{ERR_PACK(0,SSL_F_SSL23_CONNECT,0), "SSL23_CONNECT"},
84{ERR_PACK(0,SSL_F_SSL23_GET_CLIENT_HELLO,0), "SSL23_GET_CLIENT_HELLO"},
85{ERR_PACK(0,SSL_F_SSL23_GET_SERVER_HELLO,0), "SSL23_GET_SERVER_HELLO"},
86{ERR_PACK(0,SSL_F_SSL23_READ,0), "SSL23_READ"},
87{ERR_PACK(0,SSL_F_SSL23_WRITE,0), "SSL23_WRITE"},
88{ERR_PACK(0,SSL_F_SSL2_ACCEPT,0), "SSL2_ACCEPT"},
89{ERR_PACK(0,SSL_F_SSL2_CONNECT,0), "SSL2_CONNECT"},
90{ERR_PACK(0,SSL_F_SSL2_ENC_INIT,0), "SSL2_ENC_INIT"},
91{ERR_PACK(0,SSL_F_SSL2_READ,0), "SSL2_READ"},
92{ERR_PACK(0,SSL_F_SSL2_SET_CERTIFICATE,0), "SSL2_SET_CERTIFICATE"},
93{ERR_PACK(0,SSL_F_SSL2_WRITE,0), "SSL2_WRITE"},
94{ERR_PACK(0,SSL_F_SSL3_ACCEPT,0), "SSL3_ACCEPT"},
95{ERR_PACK(0,SSL_F_SSL3_CHANGE_CIPHER_STATE,0), "SSL3_CHANGE_CIPHER_STATE"},
96{ERR_PACK(0,SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,0), "SSL3_CHECK_CERT_AND_ALGORITHM"},
97{ERR_PACK(0,SSL_F_SSL3_CLIENT_HELLO,0), "SSL3_CLIENT_HELLO"},
98{ERR_PACK(0,SSL_F_SSL3_CONNECT,0), "SSL3_CONNECT"},
99{ERR_PACK(0,SSL_F_SSL3_CTX_CTRL,0), "SSL3_CTX_CTRL"},
100{ERR_PACK(0,SSL_F_SSL3_ENC,0), "SSL3_ENC"},
101{ERR_PACK(0,SSL_F_SSL3_GET_CERTIFICATE_REQUEST,0), "SSL3_GET_CERTIFICATE_REQUEST"},
102{ERR_PACK(0,SSL_F_SSL3_GET_CERT_VERIFY,0), "SSL3_GET_CERT_VERIFY"},
103{ERR_PACK(0,SSL_F_SSL3_GET_CLIENT_CERTIFICATE,0), "SSL3_GET_CLIENT_CERTIFICATE"},
104{ERR_PACK(0,SSL_F_SSL3_GET_CLIENT_HELLO,0), "SSL3_GET_CLIENT_HELLO"},
105{ERR_PACK(0,SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,0), "SSL3_GET_CLIENT_KEY_EXCHANGE"},
106{ERR_PACK(0,SSL_F_SSL3_GET_FINISHED,0), "SSL3_GET_FINISHED"},
107{ERR_PACK(0,SSL_F_SSL3_GET_KEY_EXCHANGE,0), "SSL3_GET_KEY_EXCHANGE"},
108{ERR_PACK(0,SSL_F_SSL3_GET_MESSAGE,0), "SSL3_GET_MESSAGE"},
109{ERR_PACK(0,SSL_F_SSL3_GET_RECORD,0), "SSL3_GET_RECORD"},
110{ERR_PACK(0,SSL_F_SSL3_GET_SERVER_CERTIFICATE,0), "SSL3_GET_SERVER_CERTIFICATE"},
111{ERR_PACK(0,SSL_F_SSL3_GET_SERVER_DONE,0), "SSL3_GET_SERVER_DONE"},
112{ERR_PACK(0,SSL_F_SSL3_GET_SERVER_HELLO,0), "SSL3_GET_SERVER_HELLO"},
113{ERR_PACK(0,SSL_F_SSL3_OUTPUT_CERT_CHAIN,0), "SSL3_OUTPUT_CERT_CHAIN"},
114{ERR_PACK(0,SSL_F_SSL3_READ_BYTES,0), "SSL3_READ_BYTES"},
115{ERR_PACK(0,SSL_F_SSL3_READ_N,0), "SSL3_READ_N"},
116{ERR_PACK(0,SSL_F_SSL3_SEND_CERTIFICATE_REQUEST,0), "SSL3_SEND_CERTIFICATE_REQUEST"},
117{ERR_PACK(0,SSL_F_SSL3_SEND_CLIENT_CERTIFICATE,0), "SSL3_SEND_CLIENT_CERTIFICATE"},
118{ERR_PACK(0,SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,0), "SSL3_SEND_CLIENT_KEY_EXCHANGE"},
119{ERR_PACK(0,SSL_F_SSL3_SEND_CLIENT_VERIFY,0), "SSL3_SEND_CLIENT_VERIFY"},
120{ERR_PACK(0,SSL_F_SSL3_SEND_SERVER_CERTIFICATE,0), "SSL3_SEND_SERVER_CERTIFICATE"},
121{ERR_PACK(0,SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,0), "SSL3_SEND_SERVER_KEY_EXCHANGE"},
122{ERR_PACK(0,SSL_F_SSL3_SETUP_BUFFERS,0), "SSL3_SETUP_BUFFERS"},
123{ERR_PACK(0,SSL_F_SSL3_SETUP_KEY_BLOCK,0), "SSL3_SETUP_KEY_BLOCK"},
124{ERR_PACK(0,SSL_F_SSL3_WRITE_BYTES,0), "SSL3_WRITE_BYTES"},
125{ERR_PACK(0,SSL_F_SSL3_WRITE_PENDING,0), "SSL3_WRITE_PENDING"},
126{ERR_PACK(0,SSL_F_SSL_BAD_METHOD,0), "SSL_BAD_METHOD"},
127{ERR_PACK(0,SSL_F_SSL_BYTES_TO_CIPHER_LIST,0), "SSL_BYTES_TO_CIPHER_LIST"},
128{ERR_PACK(0,SSL_F_SSL_CERT_NEW,0), "SSL_CERT_NEW"},
129{ERR_PACK(0,SSL_F_SSL_CHECK_PRIVATE_KEY,0), "SSL_check_private_key"},
130{ERR_PACK(0,SSL_F_SSL_CREATE_CIPHER_LIST,0), "SSL_CREATE_CIPHER_LIST"},
131{ERR_PACK(0,SSL_F_SSL_CTX_CHECK_PRIVATE_KEY,0), "SSL_CTX_check_private_key"},
132{ERR_PACK(0,SSL_F_SSL_CTX_NEW,0), "SSL_CTX_new"},
133{ERR_PACK(0,SSL_F_SSL_CTX_SET_SSL_VERSION,0), "SSL_CTX_set_ssl_version"},
134{ERR_PACK(0,SSL_F_SSL_CTX_USE_CERTIFICATE,0), "SSL_CTX_use_certificate"},
135{ERR_PACK(0,SSL_F_SSL_CTX_USE_CERTIFICATE_ASN1,0), "SSL_CTX_use_certificate_ASN1"},
136{ERR_PACK(0,SSL_F_SSL_CTX_USE_CERTIFICATE_FILE,0), "SSL_CTX_use_certificate_file"},
137{ERR_PACK(0,SSL_F_SSL_CTX_USE_PRIVATEKEY,0), "SSL_CTX_use_PrivateKey"},
138{ERR_PACK(0,SSL_F_SSL_CTX_USE_PRIVATEKEY_ASN1,0), "SSL_CTX_use_PrivateKey_ASN1"},
139{ERR_PACK(0,SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE,0), "SSL_CTX_use_PrivateKey_file"},
140{ERR_PACK(0,SSL_F_SSL_CTX_USE_RSAPRIVATEKEY,0), "SSL_CTX_use_RSAPrivateKey"},
141{ERR_PACK(0,SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_ASN1,0), "SSL_CTX_use_RSAPrivateKey_ASN1"},
142{ERR_PACK(0,SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE,0), "SSL_CTX_use_RSAPrivateKey_file"},
143{ERR_PACK(0,SSL_F_SSL_DO_HANDSHAKE,0), "SSL_do_handshake"},
144{ERR_PACK(0,SSL_F_SSL_GET_NEW_SESSION,0), "SSL_GET_NEW_SESSION"},
145{ERR_PACK(0,SSL_F_SSL_GET_SERVER_SEND_CERT,0), "SSL_GET_SERVER_SEND_CERT"},
146{ERR_PACK(0,SSL_F_SSL_GET_SIGN_PKEY,0), "SSL_GET_SIGN_PKEY"},
147{ERR_PACK(0,SSL_F_SSL_INIT_WBIO_BUFFER,0), "SSL_INIT_WBIO_BUFFER"},
148{ERR_PACK(0,SSL_F_SSL_LOAD_CLIENT_CA_FILE,0), "SSL_load_client_CA_file"},
149{ERR_PACK(0,SSL_F_SSL_NEW,0), "SSL_new"},
150{ERR_PACK(0,SSL_F_SSL_RSA_PRIVATE_DECRYPT,0), "SSL_RSA_PRIVATE_DECRYPT"},
151{ERR_PACK(0,SSL_F_SSL_RSA_PUBLIC_ENCRYPT,0), "SSL_RSA_PUBLIC_ENCRYPT"},
152{ERR_PACK(0,SSL_F_SSL_SESSION_NEW,0), "SSL_SESSION_new"},
153{ERR_PACK(0,SSL_F_SSL_SESSION_PRINT_FP,0), "SSL_SESSION_print_fp"},
154{ERR_PACK(0,SSL_F_SSL_SET_CERT,0), "SSL_SET_CERT"},
155{ERR_PACK(0,SSL_F_SSL_SET_FD,0), "SSL_set_fd"},
156{ERR_PACK(0,SSL_F_SSL_SET_PKEY,0), "SSL_SET_PKEY"},
157{ERR_PACK(0,SSL_F_SSL_SET_RFD,0), "SSL_set_rfd"},
158{ERR_PACK(0,SSL_F_SSL_SET_SESSION,0), "SSL_set_session"},
159{ERR_PACK(0,SSL_F_SSL_SET_WFD,0), "SSL_set_wfd"},
160{ERR_PACK(0,SSL_F_SSL_UNDEFINED_FUNCTION,0), "SSL_UNDEFINED_FUNCTION"},
161{ERR_PACK(0,SSL_F_SSL_USE_CERTIFICATE,0), "SSL_use_certificate"},
162{ERR_PACK(0,SSL_F_SSL_USE_CERTIFICATE_ASN1,0), "SSL_use_certificate_ASN1"},
163{ERR_PACK(0,SSL_F_SSL_USE_CERTIFICATE_FILE,0), "SSL_use_certificate_file"},
164{ERR_PACK(0,SSL_F_SSL_USE_PRIVATEKEY,0), "SSL_use_PrivateKey"},
165{ERR_PACK(0,SSL_F_SSL_USE_PRIVATEKEY_ASN1,0), "SSL_use_PrivateKey_ASN1"},
166{ERR_PACK(0,SSL_F_SSL_USE_PRIVATEKEY_FILE,0), "SSL_use_PrivateKey_file"},
167{ERR_PACK(0,SSL_F_SSL_USE_RSAPRIVATEKEY,0), "SSL_use_RSAPrivateKey"},
168{ERR_PACK(0,SSL_F_SSL_USE_RSAPRIVATEKEY_ASN1,0), "SSL_use_RSAPrivateKey_ASN1"},
169{ERR_PACK(0,SSL_F_SSL_USE_RSAPRIVATEKEY_FILE,0), "SSL_use_RSAPrivateKey_file"},
170{ERR_PACK(0,SSL_F_SSL_WRITE,0), "SSL_write"},
171{ERR_PACK(0,SSL_F_TLS1_CHANGE_CIPHER_STATE,0), "TLS1_CHANGE_CIPHER_STATE"},
172{ERR_PACK(0,SSL_F_TLS1_ENC,0), "TLS1_ENC"},
173{ERR_PACK(0,SSL_F_TLS1_SETUP_KEY_BLOCK,0), "TLS1_SETUP_KEY_BLOCK"},
174{ERR_PACK(0,SSL_F_WRITE_PENDING,0), "WRITE_PENDING"},
175{0,NULL},
176 };
177
178static ERR_STRING_DATA SSL_str_reasons[]=
179 {
180{SSL_R_APP_DATA_IN_HANDSHAKE ,"app data in handshake"},
181{SSL_R_BAD_ALERT_RECORD ,"bad alert record"},
182{SSL_R_BAD_AUTHENTICATION_TYPE ,"bad authentication type"},
183{SSL_R_BAD_CHANGE_CIPHER_SPEC ,"bad change cipher spec"},
184{SSL_R_BAD_CHECKSUM ,"bad checksum"},
185{SSL_R_BAD_CLIENT_REQUEST ,"bad client request"},
186{SSL_R_BAD_DATA_RETURNED_BY_CALLBACK ,"bad data returned by callback"},
187{SSL_R_BAD_DECOMPRESSION ,"bad decompression"},
188{SSL_R_BAD_DH_G_LENGTH ,"bad dh g length"},
189{SSL_R_BAD_DH_PUB_KEY_LENGTH ,"bad dh pub key length"},
190{SSL_R_BAD_DH_P_LENGTH ,"bad dh p length"},
191{SSL_R_BAD_DIGEST_LENGTH ,"bad digest length"},
192{SSL_R_BAD_DSA_SIGNATURE ,"bad dsa signature"},
193{SSL_R_BAD_MAC_DECODE ,"bad mac decode"},
194{SSL_R_BAD_MESSAGE_TYPE ,"bad message type"},
195{SSL_R_BAD_PACKET_LENGTH ,"bad packet length"},
196{SSL_R_BAD_PROTOCOL_VERSION_NUMBER ,"bad protocol version number"},
197{SSL_R_BAD_RESPONSE_ARGUMENT ,"bad response argument"},
198{SSL_R_BAD_RSA_DECRYPT ,"bad rsa decrypt"},
199{SSL_R_BAD_RSA_ENCRYPT ,"bad rsa encrypt"},
200{SSL_R_BAD_RSA_E_LENGTH ,"bad rsa e length"},
201{SSL_R_BAD_RSA_MODULUS_LENGTH ,"bad rsa modulus length"},
202{SSL_R_BAD_RSA_SIGNATURE ,"bad rsa signature"},
203{SSL_R_BAD_SIGNATURE ,"bad signature"},
204{SSL_R_BAD_SSL_FILETYPE ,"bad ssl filetype"},
205{SSL_R_BAD_SSL_SESSION_ID_LENGTH ,"bad ssl session id length"},
206{SSL_R_BAD_STATE ,"bad state"},
207{SSL_R_BAD_WRITE_RETRY ,"bad write retry"},
208{SSL_R_BIO_NOT_SET ,"bio not set"},
209{SSL_R_BLOCK_CIPHER_PAD_IS_WRONG ,"block cipher pad is wrong"},
210{SSL_R_BN_LIB ,"bn lib"},
211{SSL_R_CA_DN_LENGTH_MISMATCH ,"ca dn length mismatch"},
212{SSL_R_CA_DN_TOO_LONG ,"ca dn too long"},
213{SSL_R_CCS_RECEIVED_EARLY ,"ccs received early"},
214{SSL_R_CERTIFICATE_VERIFY_FAILED ,"certificate verify failed"},
215{SSL_R_CERT_LENGTH_MISMATCH ,"cert length mismatch"},
216{SSL_R_CHALLENGE_IS_DIFFERENT ,"challenge is different"},
217{SSL_R_CIPHER_CODE_WRONG_LENGTH ,"cipher code wrong length"},
218{SSL_R_CIPHER_OR_HASH_UNAVAILABLE ,"cipher or hash unavailable"},
219{SSL_R_CIPHER_TABLE_SRC_ERROR ,"cipher table src error"},
220{SSL_R_COMPRESSED_LENGTH_TOO_LONG ,"compressed length too long"},
221{SSL_R_COMPRESSION_FAILURE ,"compression failure"},
222{SSL_R_CONNECTION_ID_IS_DIFFERENT ,"connection id is different"},
223{SSL_R_CONNECTION_TYPE_NOT_SET ,"connection type not set"},
224{SSL_R_DATA_BETWEEN_CCS_AND_FINISHED ,"data between ccs and finished"},
225{SSL_R_DATA_LENGTH_TOO_LONG ,"data length too long"},
226{SSL_R_DECRYPTION_FAILED ,"decryption failed"},
227{SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG ,"dh public value length is wrong"},
228{SSL_R_DIGEST_CHECK_FAILED ,"digest check failed"},
229{SSL_R_ENCRYPTED_LENGTH_TOO_LONG ,"encrypted length too long"},
230{SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST ,"error in received cipher list"},
231{SSL_R_EXCESSIVE_MESSAGE_SIZE ,"excessive message size"},
232{SSL_R_EXTRA_DATA_IN_MESSAGE ,"extra data in message"},
233{SSL_R_GOT_A_FIN_BEFORE_A_CCS ,"got a fin before a ccs"},
234{SSL_R_HTTPS_PROXY_REQUEST ,"https proxy request"},
235{SSL_R_HTTP_REQUEST ,"http request"},
236{SSL_R_INTERNAL_ERROR ,"internal error"},
237{SSL_R_INVALID_CHALLENGE_LENGTH ,"invalid challenge length"},
238{SSL_R_LENGTH_MISMATCH ,"length mismatch"},
239{SSL_R_LENGTH_TOO_SHORT ,"length too short"},
240{SSL_R_LIBRARY_HAS_NO_CIPHERS ,"library has no ciphers"},
241{SSL_R_MISSING_DH_DSA_CERT ,"missing dh dsa cert"},
242{SSL_R_MISSING_DH_KEY ,"missing dh key"},
243{SSL_R_MISSING_DH_RSA_CERT ,"missing dh rsa cert"},
244{SSL_R_MISSING_DSA_SIGNING_CERT ,"missing dsa signing cert"},
245{SSL_R_MISSING_EXPORT_TMP_DH_KEY ,"missing export tmp dh key"},
246{SSL_R_MISSING_EXPORT_TMP_RSA_KEY ,"missing export tmp rsa key"},
247{SSL_R_MISSING_RSA_CERTIFICATE ,"missing rsa certificate"},
248{SSL_R_MISSING_RSA_ENCRYPTING_CERT ,"missing rsa encrypting cert"},
249{SSL_R_MISSING_RSA_SIGNING_CERT ,"missing rsa signing cert"},
250{SSL_R_MISSING_TMP_DH_KEY ,"missing tmp dh key"},
251{SSL_R_MISSING_TMP_RSA_KEY ,"missing tmp rsa key"},
252{SSL_R_MISSING_TMP_RSA_PKEY ,"missing tmp rsa pkey"},
253{SSL_R_MISSING_VERIFY_MESSAGE ,"missing verify message"},
254{SSL_R_NON_SSLV2_INITIAL_PACKET ,"non sslv2 initial packet"},
255{SSL_R_NO_CERTIFICATES_RETURNED ,"no certificates returned"},
256{SSL_R_NO_CERTIFICATE_ASSIGNED ,"no certificate assigned"},
257{SSL_R_NO_CERTIFICATE_RETURNED ,"no certificate returned"},
258{SSL_R_NO_CERTIFICATE_SET ,"no certificate set"},
259{SSL_R_NO_CERTIFICATE_SPECIFIED ,"no certificate specified"},
260{SSL_R_NO_CIPHERS_AVAILABLE ,"no ciphers available"},
261{SSL_R_NO_CIPHERS_PASSED ,"no ciphers passed"},
262{SSL_R_NO_CIPHERS_SPECIFIED ,"no ciphers specified"},
263{SSL_R_NO_CIPHER_LIST ,"no cipher list"},
264{SSL_R_NO_CIPHER_MATCH ,"no cipher match"},
265{SSL_R_NO_CLIENT_CERT_RECEIVED ,"no client cert received"},
266{SSL_R_NO_COMPRESSION_SPECIFIED ,"no compression specified"},
267{SSL_R_NO_PRIVATEKEY ,"no privatekey"},
268{SSL_R_NO_PRIVATE_KEY_ASSIGNED ,"no private key assigned"},
269{SSL_R_NO_PROTOCOLS_AVAILABLE ,"no protocols available"},
270{SSL_R_NO_PUBLICKEY ,"no publickey"},
271{SSL_R_NO_SHARED_CIPHER ,"no shared cipher"},
272{SSL_R_NULL_SSL_CTX ,"null ssl ctx"},
273{SSL_R_NULL_SSL_METHOD_PASSED ,"null ssl method passed"},
274{SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED ,"old session cipher not returned"},
275{SSL_R_PACKET_LENGTH_TOO_LONG ,"packet length too long"},
276{SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE ,"peer did not return a certificate"},
277{SSL_R_PEER_ERROR ,"peer error"},
278{SSL_R_PEER_ERROR_CERTIFICATE ,"peer error certificate"},
279{SSL_R_PEER_ERROR_NO_CERTIFICATE ,"peer error no certificate"},
280{SSL_R_PEER_ERROR_NO_CIPHER ,"peer error no cipher"},
281{SSL_R_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE,"peer error unsupported certificate type"},
282{SSL_R_PRE_MAC_LENGTH_TOO_LONG ,"pre mac length too long"},
283{SSL_R_PROBLEMS_MAPPING_CIPHER_FUNCTIONS ,"problems mapping cipher functions"},
284{SSL_R_PROTOCOL_IS_SHUTDOWN ,"protocol is shutdown"},
285{SSL_R_PUBLIC_KEY_ENCRYPT_ERROR ,"public key encrypt error"},
286{SSL_R_PUBLIC_KEY_IS_NOT_RSA ,"public key is not rsa"},
287{SSL_R_PUBLIC_KEY_NOT_RSA ,"public key not rsa"},
288{SSL_R_READ_BIO_NOT_SET ,"read bio not set"},
289{SSL_R_READ_WRONG_PACKET_TYPE ,"read wrong packet type"},
290{SSL_R_RECORD_LENGTH_MISMATCH ,"record length mismatch"},
291{SSL_R_RECORD_TOO_LARGE ,"record too large"},
292{SSL_R_REQUIRED_CIPHER_MISSING ,"required cipher missing"},
293{SSL_R_REUSE_CERT_LENGTH_NOT_ZERO ,"reuse cert length not zero"},
294{SSL_R_REUSE_CERT_TYPE_NOT_ZERO ,"reuse cert type not zero"},
295{SSL_R_REUSE_CIPHER_LIST_NOT_ZERO ,"reuse cipher list not zero"},
296{SSL_R_SHORT_READ ,"short read"},
297{SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE,"signature for non signing certificate"},
298{SSL_R_SSL3_SESSION_ID_TOO_SHORT ,"ssl3 session id too short"},
299{SSL_R_SSLV3_ALERT_BAD_CERTIFICATE ,"sslv3 alert bad certificate"},
300{SSL_R_SSLV3_ALERT_BAD_RECORD_MAC ,"sslv3 alert bad record mac"},
301{SSL_R_SSLV3_ALERT_CERTIFICATE_EXPIRED ,"sslv3 alert certificate expired"},
302{SSL_R_SSLV3_ALERT_CERTIFICATE_REVOKED ,"sslv3 alert certificate revoked"},
303{SSL_R_SSLV3_ALERT_CERTIFICATE_UNKNOWN ,"sslv3 alert certificate unknown"},
304{SSL_R_SSLV3_ALERT_DECOMPRESSION_FAILURE ,"sslv3 alert decompression failure"},
305{SSL_R_SSLV3_ALERT_HANDSHAKE_FAILURE ,"sslv3 alert handshake failure"},
306{SSL_R_SSLV3_ALERT_ILLEGAL_PARAMETER ,"sslv3 alert illegal parameter"},
307{SSL_R_SSLV3_ALERT_NO_CERTIFICATE ,"sslv3 alert no certificate"},
308{SSL_R_SSLV3_ALERT_PEER_ERROR_CERTIFICATE,"sslv3 alert peer error certificate"},
309{SSL_R_SSLV3_ALERT_PEER_ERROR_NO_CERTIFICATE,"sslv3 alert peer error no certificate"},
310{SSL_R_SSLV3_ALERT_PEER_ERROR_NO_CIPHER ,"sslv3 alert peer error no cipher"},
311{SSL_R_SSLV3_ALERT_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE,"sslv3 alert peer error unsupported certificate type"},
312{SSL_R_SSLV3_ALERT_UNEXPECTED_MESSAGE ,"sslv3 alert unexpected message"},
313{SSL_R_SSLV3_ALERT_UNKNOWN_REMOTE_ERROR_TYPE,"sslv3 alert unknown remote error type"},
314{SSL_R_SSLV3_ALERT_UNSUPPORTED_CERTIFICATE,"sslv3 alert unsupported certificate"},
315{SSL_R_SSL_CTX_HAS_NO_DEFAULT_SSL_VERSION,"ssl ctx has no default ssl version"},
316{SSL_R_SSL_HANDSHAKE_FAILURE ,"ssl handshake failure"},
317{SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS ,"ssl library has no ciphers"},
318{SSL_R_SSL_SESSION_ID_IS_DIFFERENT ,"ssl session id is different"},
319{SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER,"tls client cert req with anon cipher"},
320{SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST,"tls peer did not respond with certificate list"},
321{SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG,"tls rsa encrypted value length is wrong"},
322{SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER ,"tried to use unsupported cipher"},
323{SSL_R_UNABLE_TO_DECODE_DH_CERTS ,"unable to decode dh certs"},
324{SSL_R_UNABLE_TO_EXTRACT_PUBLIC_KEY ,"unable to extract public key"},
325{SSL_R_UNABLE_TO_FIND_DH_PARAMETERS ,"unable to find dh parameters"},
326{SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS,"unable to find public key parameters"},
327{SSL_R_UNABLE_TO_FIND_SSL_METHOD ,"unable to find ssl method"},
328{SSL_R_UNABLE_TO_LOAD_SSL2_MD5_ROUTINES ,"unable to load ssl2 md5 routines"},
329{SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES ,"unable to load ssl3 md5 routines"},
330{SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES ,"unable to load ssl3 sha1 routines"},
331{SSL_R_UNEXPECTED_MESSAGE ,"unexpected message"},
332{SSL_R_UNEXPECTED_RECORD ,"unexpected record"},
333{SSL_R_UNKNOWN_ALERT_TYPE ,"unknown alert type"},
334{SSL_R_UNKNOWN_CERTIFICATE_TYPE ,"unknown certificate type"},
335{SSL_R_UNKNOWN_CIPHER_RETURNED ,"unknown cipher returned"},
336{SSL_R_UNKNOWN_CIPHER_TYPE ,"unknown cipher type"},
337{SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE ,"unknown key exchange type"},
338{SSL_R_UNKNOWN_PKEY_TYPE ,"unknown pkey type"},
339{SSL_R_UNKNOWN_PROTOCOL ,"unknown protocol"},
340{SSL_R_UNKNOWN_REMOTE_ERROR_TYPE ,"unknown remote error type"},
341{SSL_R_UNKNOWN_SSL_VERSION ,"unknown ssl version"},
342{SSL_R_UNKNOWN_STATE ,"unknown state"},
343{SSL_R_UNSUPPORTED_CIPHER ,"unsupported cipher"},
344{SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM ,"unsupported compression algorithm"},
345{SSL_R_UNSUPPORTED_PROTOCOL ,"unsupported protocol"},
346{SSL_R_UNSUPPORTED_SSL_VERSION ,"unsupported ssl version"},
347{SSL_R_WRITE_BIO_NOT_SET ,"write bio not set"},
348{SSL_R_WRONG_CIPHER_RETURNED ,"wrong cipher returned"},
349{SSL_R_WRONG_MESSAGE_TYPE ,"wrong message type"},
350{SSL_R_WRONG_NUMBER_OF_KEY_BITS ,"wrong number of key bits"},
351{SSL_R_WRONG_SIGNATURE_LENGTH ,"wrong signature length"},
352{SSL_R_WRONG_SIGNATURE_SIZE ,"wrong signature size"},
353{SSL_R_WRONG_SSL_VERSION ,"wrong ssl version"},
354{SSL_R_WRONG_VERSION_NUMBER ,"wrong version number"},
355{SSL_R_X509_LIB ,"x509 lib"},
356{0,NULL},
357 };
358
359#endif
360
361void ERR_load_SSL_strings()
362 {
363 static int init=1;
364
365 if (init);
366 {;
367 init=0;
368#ifndef NO_ERR
369 ERR_load_strings(ERR_LIB_SSL,SSL_str_functs);
370 ERR_load_strings(ERR_LIB_SSL,SSL_str_reasons);
371#endif
372
373 }
374 }
diff --git a/src/lib/libssl/ssl_err2.c b/src/lib/libssl/ssl_err2.c
new file mode 100644
index 0000000000..0b91f7b8d2
--- /dev/null
+++ b/src/lib/libssl/ssl_err2.c
@@ -0,0 +1,70 @@
1/* ssl/ssl_err2.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#include <stdio.h>
60#include "err.h"
61#include "ssl.h"
62
63void SSL_load_error_strings()
64 {
65#ifndef NO_ERR
66 ERR_load_crypto_strings();
67 ERR_load_SSL_strings();
68#endif
69 }
70
diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c
new file mode 100644
index 0000000000..f562ec6b14
--- /dev/null
+++ b/src/lib/libssl/ssl_lib.c
@@ -0,0 +1,1721 @@
1/* ssl/ssl_lib.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#include <stdio.h>
60#include "objects.h"
61#include "lhash.h"
62#include "ssl_locl.h"
63
64char *SSL_version_str="SSLeay 0.9.0b 29-Jun-1998";
65
66static STACK *ssl_meth=NULL;
67static STACK *ssl_ctx_meth=NULL;
68static int ssl_meth_num=0;
69static int ssl_ctx_meth_num=0;
70
71SSL3_ENC_METHOD ssl3_undef_enc_method={
72 ssl_undefined_function,
73 ssl_undefined_function,
74 ssl_undefined_function,
75 ssl_undefined_function,
76 ssl_undefined_function,
77 ssl_undefined_function,
78 };
79
80void SSL_clear(s)
81SSL *s;
82 {
83 int state;
84
85 if (s->method == NULL) return;
86
87 s->error=0;
88 s->hit=0;
89
90 /* This is set if we are doing dynamic renegotiation so keep
91 * the old cipher. It is sort of a SSL_clear_lite :-) */
92 if (s->new_session) return;
93
94 state=s->state; /* Keep to check if we throw away the session-id */
95 s->type=0;
96
97 s->version=s->method->version;
98 s->rwstate=SSL_NOTHING;
99 s->state=SSL_ST_BEFORE;
100 s->rstate=SSL_ST_READ_HEADER;
101 s->read_ahead=s->ctx->default_read_ahead;
102
103/* s->shutdown=(SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN); */
104
105 if (s->init_buf != NULL)
106 {
107 BUF_MEM_free(s->init_buf);
108 s->init_buf=NULL;
109 }
110
111 ssl_clear_cipher_ctx(s);
112
113 if (ssl_clear_bad_session(s))
114 {
115 SSL_SESSION_free(s->session);
116 s->session=NULL;
117 }
118
119 s->shutdown=(SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN);
120 s->first_packet=0;
121
122 s->method->ssl_clear(s);
123 }
124
125/* Used to change an SSL_CTXs default SSL method type */
126int SSL_CTX_set_ssl_version(ctx,meth)
127SSL_CTX *ctx;
128SSL_METHOD *meth;
129 {
130 STACK *sk;
131
132 ctx->method=meth;
133
134 sk=ssl_create_cipher_list(ctx->method,&(ctx->cipher_list),
135 &(ctx->cipher_list_by_id),SSL_DEFAULT_CIPHER_LIST);
136 if ((sk == NULL) || (sk_num(sk) <= 0))
137 {
138 SSLerr(SSL_F_SSL_CTX_SET_SSL_VERSION,SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS);
139 return(0);
140 }
141 return(1);
142 }
143
144SSL *SSL_new(ctx)
145SSL_CTX *ctx;
146 {
147 SSL *s;
148
149 if (ctx == NULL)
150 {
151 SSLerr(SSL_F_SSL_NEW,SSL_R_NULL_SSL_CTX);
152 return(NULL);
153 }
154 if (ctx->method == NULL)
155 {
156 SSLerr(SSL_F_SSL_NEW,SSL_R_SSL_CTX_HAS_NO_DEFAULT_SSL_VERSION);
157 return(NULL);
158 }
159
160 s=(SSL *)Malloc(sizeof(SSL));
161 if (s == NULL) goto err;
162 memset(s,0,sizeof(SSL));
163
164 if (ctx->default_cert != NULL)
165 {
166 CRYPTO_add(&ctx->default_cert->references,1,
167 CRYPTO_LOCK_SSL_CERT);
168 s->cert=ctx->default_cert;
169 }
170 else
171 s->cert=NULL;
172 s->verify_mode=ctx->default_verify_mode;
173 s->verify_callback=ctx->default_verify_callback;
174 CRYPTO_add(&ctx->references,1,CRYPTO_LOCK_SSL_CTX);
175 s->ctx=ctx;
176
177 s->verify_result=X509_V_OK;
178
179 s->method=ctx->method;
180
181 if (!s->method->ssl_new(s))
182 {
183 SSL_CTX_free(ctx);
184 Free(s);
185 goto err;
186 }
187
188 s->quiet_shutdown=ctx->quiet_shutdown;
189 s->references=1;
190 s->options=ctx->options;
191 SSL_clear(s);
192
193 CRYPTO_new_ex_data(ssl_meth,(char *)s,&s->ex_data);
194
195 return(s);
196err:
197 SSLerr(SSL_F_SSL_NEW,ERR_R_MALLOC_FAILURE);
198 return(NULL);
199 }
200
201void SSL_free(s)
202SSL *s;
203 {
204 int i;
205
206 i=CRYPTO_add(&s->references,-1,CRYPTO_LOCK_SSL);
207#ifdef REF_PRINT
208 REF_PRINT("SSL",s);
209#endif
210 if (i > 0) return;
211#ifdef REF_CHECK
212 if (i < 0)
213 {
214 fprintf(stderr,"SSL_free, bad reference count\n");
215 abort(); /* ok */
216 }
217#endif
218
219 CRYPTO_free_ex_data(ssl_meth,(char *)s,&s->ex_data);
220
221 if (s->bbio != NULL)
222 {
223 /* If the buffering BIO is in place, pop it off */
224 if (s->bbio == s->wbio)
225 {
226 s->wbio=BIO_pop(s->wbio);
227 }
228 BIO_free(s->bbio);
229 s->bbio=NULL;
230 }
231 if (s->rbio != NULL)
232 BIO_free_all(s->rbio);
233 if ((s->wbio != NULL) && (s->wbio != s->rbio))
234 BIO_free_all(s->wbio);
235
236 if (s->init_buf != NULL) BUF_MEM_free(s->init_buf);
237
238 /* add extra stuff */
239 if (s->cipher_list != NULL) sk_free(s->cipher_list);
240 if (s->cipher_list_by_id != NULL) sk_free(s->cipher_list_by_id);
241
242 /* Make the next call work :-) */
243 if (s->session != NULL)
244 {
245 ssl_clear_bad_session(s);
246 SSL_SESSION_free(s->session);
247 }
248
249 ssl_clear_cipher_ctx(s);
250
251 if (s->cert != NULL) ssl_cert_free(s->cert);
252 /* Free up if allocated */
253
254 if (s->ctx) SSL_CTX_free(s->ctx);
255
256 if (s->client_CA != NULL)
257 sk_pop_free(s->client_CA,X509_NAME_free);
258
259 if (s->method != NULL) s->method->ssl_free(s);
260
261 Free((char *)s);
262 }
263
264void SSL_set_bio(s, rbio,wbio)
265SSL *s;
266BIO *rbio;
267BIO *wbio;
268 {
269 /* If the output buffering BIO is still in place, remove it
270 */
271 if (s->bbio != NULL)
272 {
273 if (s->wbio == s->bbio)
274 {
275 s->wbio=s->wbio->next_bio;
276 s->bbio->next_bio=NULL;
277 }
278 }
279 if ((s->rbio != NULL) && (s->rbio != rbio))
280 BIO_free_all(s->rbio);
281 if ((s->wbio != NULL) && (s->wbio != wbio) && (s->rbio != s->wbio))
282 BIO_free_all(s->wbio);
283 s->rbio=rbio;
284 s->wbio=wbio;
285 }
286
287BIO *SSL_get_rbio(s)
288SSL *s;
289 { return(s->rbio); }
290
291BIO *SSL_get_wbio(s)
292SSL *s;
293 { return(s->wbio); }
294
295int SSL_get_fd(s)
296SSL *s;
297 {
298 int ret= -1;
299 BIO *b,*r;
300
301 b=SSL_get_rbio(s);
302 r=BIO_find_type(b,BIO_TYPE_DESCRIPTOR);
303 if (r != NULL)
304 BIO_get_fd(r,&ret);
305 return(ret);
306 }
307
308#ifndef NO_SOCK
309int SSL_set_fd(s, fd)
310SSL *s;
311int fd;
312 {
313 int ret=0;
314 BIO *bio=NULL;
315
316 bio=BIO_new(BIO_s_socket());
317
318 if (bio == NULL)
319 {
320 SSLerr(SSL_F_SSL_SET_FD,ERR_R_BUF_LIB);
321 goto err;
322 }
323 BIO_set_fd(bio,fd,BIO_NOCLOSE);
324 SSL_set_bio(s,bio,bio);
325 ret=1;
326err:
327 return(ret);
328 }
329
330int SSL_set_wfd(s, fd)
331SSL *s;
332int fd;
333 {
334 int ret=0;
335 BIO *bio=NULL;
336
337 if ((s->rbio == NULL) || (BIO_method_type(s->rbio) != BIO_TYPE_SOCKET)
338 || ((int)BIO_get_fd(s->rbio,NULL) != fd))
339 {
340 bio=BIO_new(BIO_s_socket());
341
342 if (bio == NULL)
343 { SSLerr(SSL_F_SSL_SET_WFD,ERR_R_BUF_LIB); goto err; }
344 BIO_set_fd(bio,fd,BIO_NOCLOSE);
345 SSL_set_bio(s,SSL_get_rbio(s),bio);
346 }
347 else
348 SSL_set_bio(s,SSL_get_rbio(s),SSL_get_rbio(s));
349 ret=1;
350err:
351 return(ret);
352 }
353
354int SSL_set_rfd(s, fd)
355SSL *s;
356int fd;
357 {
358 int ret=0;
359 BIO *bio=NULL;
360
361 if ((s->wbio == NULL) || (BIO_method_type(s->wbio) != BIO_TYPE_SOCKET)
362 || ((int)BIO_get_fd(s->wbio,NULL) != fd))
363 {
364 bio=BIO_new(BIO_s_socket());
365
366 if (bio == NULL)
367 {
368 SSLerr(SSL_F_SSL_SET_RFD,ERR_R_BUF_LIB);
369 goto err;
370 }
371 BIO_set_fd(bio,fd,BIO_NOCLOSE);
372 SSL_set_bio(s,bio,SSL_get_wbio(s));
373 }
374 else
375 SSL_set_bio(s,SSL_get_wbio(s),SSL_get_wbio(s));
376 ret=1;
377err:
378 return(ret);
379 }
380#endif
381
382int SSL_get_verify_mode(s)
383SSL *s;
384 {
385 return(s->verify_mode);
386 }
387
388int (*SSL_get_verify_callback(s))()
389SSL *s;
390 {
391 return(s->verify_callback);
392 }
393
394int SSL_CTX_get_verify_mode(ctx)
395SSL_CTX *ctx;
396 {
397 return(ctx->default_verify_mode);
398 }
399
400int (*SSL_CTX_get_verify_callback(ctx))()
401SSL_CTX *ctx;
402 {
403 return(ctx->default_verify_callback);
404 }
405
406void SSL_set_verify(s, mode, callback)
407SSL *s;
408int mode;
409int (*callback)();
410 {
411 s->verify_mode=mode;
412 if (callback != NULL)
413 s->verify_callback=callback;
414 }
415
416void SSL_set_read_ahead(s, yes)
417SSL *s;
418int yes;
419 {
420 s->read_ahead=yes;
421 }
422
423int SSL_get_read_ahead(s)
424SSL *s;
425 {
426 return(s->read_ahead);
427 }
428
429int SSL_pending(s)
430SSL *s;
431 {
432 return(s->method->ssl_pending(s));
433 }
434
435X509 *SSL_get_peer_certificate(s)
436SSL *s;
437 {
438 X509 *r;
439
440 if ((s == NULL) || (s->session == NULL))
441 r=NULL;
442 else
443 r=s->session->peer;
444
445 if (r == NULL) return(r);
446
447 CRYPTO_add(&r->references,1,CRYPTO_LOCK_X509);
448
449 return(r);
450 }
451
452STACK *SSL_get_peer_cert_chain(s)
453SSL *s;
454 {
455 STACK *r;
456
457 if ((s == NULL) || (s->session == NULL) || (s->session->cert == NULL))
458 r=NULL;
459 else
460 r=s->session->cert->cert_chain;
461
462 return(r);
463 }
464
465/* Now in theory, since the calling process own 't' it should be safe to
466 * modify. We need to be able to read f without being hassled */
467void SSL_copy_session_id(t,f)
468SSL *t,*f;
469 {
470 CERT *tmp;
471
472 /* Do we need to to SSL locking? */
473 SSL_set_session(t,SSL_get_session(f));
474
475 /* what if we are setup as SSLv2 but want to talk SSLv3 or
476 * vice-versa */
477 if (t->method != f->method)
478 {
479 t->method->ssl_free(t); /* cleanup current */
480 t->method=f->method; /* change method */
481 t->method->ssl_new(t); /* setup new */
482 }
483
484 tmp=t->cert;
485 if (f->cert != NULL)
486 {
487 CRYPTO_add(&f->cert->references,1,CRYPTO_LOCK_SSL_CERT);
488 t->cert=f->cert;
489 }
490 else
491 t->cert=NULL;
492 if (tmp != NULL) ssl_cert_free(tmp);
493 }
494
495/* Fix this so it checks all the valid key/cert options */
496int SSL_CTX_check_private_key(ctx)
497SSL_CTX *ctx;
498 {
499 if ( (ctx == NULL) ||
500 (ctx->default_cert == NULL) ||
501 (ctx->default_cert->key->x509 == NULL))
502 {
503 SSLerr(SSL_F_SSL_CTX_CHECK_PRIVATE_KEY,SSL_R_NO_CERTIFICATE_ASSIGNED);
504 return(0);
505 }
506 if (ctx->default_cert->key->privatekey == NULL)
507 {
508 SSLerr(SSL_F_SSL_CTX_CHECK_PRIVATE_KEY,SSL_R_NO_PRIVATE_KEY_ASSIGNED);
509 return(0);
510 }
511 return(X509_check_private_key(ctx->default_cert->key->x509, ctx->default_cert->key->privatekey));
512 }
513
514/* Fix this function so that it takes an optional type parameter */
515int SSL_check_private_key(ssl)
516SSL *ssl;
517 {
518 if (ssl == NULL)
519 {
520 SSLerr(SSL_F_SSL_CHECK_PRIVATE_KEY,ERR_R_PASSED_NULL_PARAMETER);
521 return(0);
522 }
523 if (ssl->cert == NULL)
524 return(SSL_CTX_check_private_key(ssl->ctx));
525 if (ssl->cert->key->x509 == NULL)
526 {
527 SSLerr(SSL_F_SSL_CHECK_PRIVATE_KEY,SSL_R_NO_CERTIFICATE_ASSIGNED);
528 return(0);
529 }
530 if (ssl->cert->key->privatekey == NULL)
531 {
532 SSLerr(SSL_F_SSL_CHECK_PRIVATE_KEY,SSL_R_NO_PRIVATE_KEY_ASSIGNED);
533 return(0);
534 }
535 return(X509_check_private_key(ssl->cert->key->x509,
536 ssl->cert->key->privatekey));
537 }
538
539int SSL_accept(s)
540SSL *s;
541 {
542 return(s->method->ssl_accept(s));
543 }
544
545int SSL_connect(s)
546SSL *s;
547 {
548 return(s->method->ssl_connect(s));
549 }
550
551long SSL_get_default_timeout(s)
552SSL *s;
553 {
554 return(s->method->get_timeout());
555 }
556
557int SSL_read(s,buf,num)
558SSL *s;
559char *buf;
560int num;
561 {
562 if (s->shutdown & SSL_RECEIVED_SHUTDOWN)
563 {
564 s->rwstate=SSL_NOTHING;
565 return(0);
566 }
567 return(s->method->ssl_read(s,buf,num));
568 }
569
570int SSL_peek(s,buf,num)
571SSL *s;
572char *buf;
573int num;
574 {
575 if (s->shutdown & SSL_RECEIVED_SHUTDOWN)
576 {
577 return(0);
578 }
579 return(s->method->ssl_peek(s,buf,num));
580 }
581
582int SSL_write(s,buf,num)
583SSL *s;
584char *buf;
585int num;
586 {
587 if (s->shutdown & SSL_SENT_SHUTDOWN)
588 {
589 s->rwstate=SSL_NOTHING;
590 SSLerr(SSL_F_SSL_WRITE,SSL_R_PROTOCOL_IS_SHUTDOWN);
591 return(-1);
592 }
593 return(s->method->ssl_write(s,buf,num));
594 }
595
596int SSL_shutdown(s)
597SSL *s;
598 {
599 if ((s != NULL) && !SSL_in_init(s))
600 return(s->method->ssl_shutdown(s));
601 else
602 return(1);
603 }
604
605int SSL_renegotiate(s)
606SSL *s;
607 {
608 s->new_session=1;
609 return(s->method->ssl_renegotiate(s));
610 }
611
612long SSL_ctrl(s,cmd,larg,parg)
613SSL *s;
614int cmd;
615long larg;
616char *parg;
617 {
618 return(s->method->ssl_ctrl(s,cmd,larg,parg));
619 }
620
621long SSL_CTX_ctrl(ctx,cmd,larg,parg)
622SSL_CTX *ctx;
623int cmd;
624long larg;
625char *parg;
626 {
627 return(ctx->method->ssl_ctx_ctrl(ctx,cmd,larg,parg));
628 }
629
630int ssl_cipher_id_cmp(a,b)
631SSL_CIPHER *a,*b;
632 {
633 long l;
634
635 l=a->id-b->id;
636 if (l == 0L)
637 return(0);
638 else
639 return((l > 0)?1:-1);
640 }
641
642int ssl_cipher_ptr_id_cmp(ap,bp)
643SSL_CIPHER **ap,**bp;
644 {
645 long l;
646
647 l=(*ap)->id-(*bp)->id;
648 if (l == 0L)
649 return(0);
650 else
651 return((l > 0)?1:-1);
652 }
653
654/* return a STACK of the ciphers available for the SSL and in order of
655 * preference */
656STACK *SSL_get_ciphers(s)
657SSL *s;
658 {
659 if ((s != NULL) && (s->cipher_list != NULL))
660 {
661 return(s->cipher_list);
662 }
663 else if ((s->ctx != NULL) &&
664 (s->ctx->cipher_list != NULL))
665 {
666 return(s->ctx->cipher_list);
667 }
668 return(NULL);
669 }
670
671/* return a STACK of the ciphers available for the SSL and in order of
672 * algorithm id */
673STACK *ssl_get_ciphers_by_id(s)
674SSL *s;
675 {
676 if ((s != NULL) && (s->cipher_list_by_id != NULL))
677 {
678 return(s->cipher_list_by_id);
679 }
680 else if ((s != NULL) && (s->ctx != NULL) &&
681 (s->ctx->cipher_list_by_id != NULL))
682 {
683 return(s->ctx->cipher_list_by_id);
684 }
685 return(NULL);
686 }
687
688/* The old interface to get the same thing as SSL_get_ciphers() */
689char *SSL_get_cipher_list(s,n)
690SSL *s;
691int n;
692 {
693 SSL_CIPHER *c;
694 STACK *sk;
695
696 if (s == NULL) return(NULL);
697 sk=SSL_get_ciphers(s);
698 if ((sk == NULL) || (sk_num(sk) <= n))
699 return(NULL);
700 c=(SSL_CIPHER *)sk_value(sk,n);
701 if (c == NULL) return(NULL);
702 return(c->name);
703 }
704
705/* specify the ciphers to be used by defaut by the SSL_CTX */
706int SSL_CTX_set_cipher_list(ctx,str)
707SSL_CTX *ctx;
708char *str;
709 {
710 STACK *sk;
711
712 sk=ssl_create_cipher_list(ctx->method,&ctx->cipher_list,
713 &ctx->cipher_list_by_id,str);
714/* XXXX */
715 return((sk == NULL)?0:1);
716 }
717
718/* specify the ciphers to be used by the SSL */
719int SSL_set_cipher_list(s, str)
720SSL *s;
721char *str;
722 {
723 STACK *sk;
724
725 sk=ssl_create_cipher_list(s->ctx->method,&s->cipher_list,
726 &s->cipher_list_by_id,str);
727/* XXXX */
728 return((sk == NULL)?0:1);
729 }
730
731/* works well for SSLv2, not so good for SSLv3 */
732char *SSL_get_shared_ciphers(s,buf,len)
733SSL *s;
734char *buf;
735int len;
736 {
737 char *p,*cp;
738 STACK *sk;
739 SSL_CIPHER *c;
740 int i;
741
742 if ((s->session == NULL) || (s->session->ciphers == NULL) ||
743 (len < 2))
744 return(NULL);
745
746 p=buf;
747 sk=s->session->ciphers;
748 for (i=0; i<sk_num(sk); i++)
749 {
750 /* Decrement for either the ':' or a '\0' */
751 len--;
752 c=(SSL_CIPHER *)sk_value(sk,i);
753 for (cp=c->name; *cp; )
754 {
755 if (len-- == 0)
756 {
757 *p='\0';
758 return(buf);
759 }
760 else
761 *(p++)= *(cp++);
762 }
763 *(p++)=':';
764 }
765 p[-1]='\0';
766 return(buf);
767 }
768
769int ssl_cipher_list_to_bytes(s,sk,p)
770SSL *s;
771STACK *sk;
772unsigned char *p;
773 {
774 int i,j=0;
775 SSL_CIPHER *c;
776 unsigned char *q;
777
778 if (sk == NULL) return(0);
779 q=p;
780
781 for (i=0; i<sk_num(sk); i++)
782 {
783 c=(SSL_CIPHER *)sk_value(sk,i);
784 j=ssl_put_cipher_by_char(s,c,p);
785 p+=j;
786 }
787 return(p-q);
788 }
789
790STACK *ssl_bytes_to_cipher_list(s,p,num,skp)
791SSL *s;
792unsigned char *p;
793int num;
794STACK **skp;
795 {
796 SSL_CIPHER *c;
797 STACK *sk;
798 int i,n;
799
800 n=ssl_put_cipher_by_char(s,NULL,NULL);
801 if ((num%n) != 0)
802 {
803 SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST);
804 return(NULL);
805 }
806 if ((skp == NULL) || (*skp == NULL))
807 sk=sk_new(NULL); /* change perhaps later */
808 else
809 {
810 sk= *skp;
811 sk_zero(sk);
812 }
813
814 for (i=0; i<num; i+=n)
815 {
816 c=ssl_get_cipher_by_char(s,p);
817 p+=n;
818 if (c != NULL)
819 {
820 if (!sk_push(sk,(char *)c))
821 {
822 SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,ERR_R_MALLOC_FAILURE);
823 goto err;
824 }
825 }
826 }
827
828 if (skp != NULL)
829 *skp=sk;
830 return(sk);
831err:
832 if ((skp == NULL) || (*skp == NULL))
833 sk_free(sk);
834 return(NULL);
835 }
836
837unsigned long SSL_SESSION_hash(a)
838SSL_SESSION *a;
839 {
840 unsigned long l;
841
842 l= (a->session_id[0] )|(a->session_id[1]<< 8L)|
843 (a->session_id[2]<<16L)|(a->session_id[3]<<24L);
844 return(l);
845 }
846
847int SSL_SESSION_cmp(a, b)
848SSL_SESSION *a;
849SSL_SESSION *b;
850 {
851 if (a->ssl_version != b->ssl_version)
852 return(1);
853 if (a->session_id_length != b->session_id_length)
854 return(1);
855 return(memcmp(a->session_id,b->session_id,a->session_id_length));
856 }
857
858SSL_CTX *SSL_CTX_new(meth)
859SSL_METHOD *meth;
860 {
861 SSL_CTX *ret;
862
863 if (meth == NULL)
864 {
865 SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_NULL_SSL_METHOD_PASSED);
866 return(NULL);
867 }
868 ret=(SSL_CTX *)Malloc(sizeof(SSL_CTX));
869 if (ret == NULL)
870 goto err;
871
872 memset(ret,0,sizeof(SSL_CTX));
873
874 ret->method=meth;
875
876 ret->cert_store=NULL;
877 ret->session_cache_mode=SSL_SESS_CACHE_SERVER;
878 ret->session_cache_size=SSL_SESSION_CACHE_MAX_SIZE_DEFAULT;
879 ret->session_cache_head=NULL;
880 ret->session_cache_tail=NULL;
881
882 /* We take the system default */
883 ret->session_timeout=meth->get_timeout();
884
885 ret->new_session_cb=NULL;
886 ret->remove_session_cb=NULL;
887 ret->get_session_cb=NULL;
888
889 ret->sess_connect=0;
890 ret->sess_connect_good=0;
891 ret->sess_accept=0;
892 ret->sess_accept_renegotiate=0;
893 ret->sess_connect_renegotiate=0;
894 ret->sess_accept_good=0;
895 ret->sess_miss=0;
896 ret->sess_timeout=0;
897 ret->sess_cache_full=0;
898 ret->sess_hit=0;
899 ret->sess_cb_hit=0;
900
901 ret->references=1;
902 ret->quiet_shutdown=0;
903
904/* ret->cipher=NULL;*/
905/* ret->s2->challenge=NULL;
906 ret->master_key=NULL;
907 ret->key_arg=NULL;
908 ret->s2->conn_id=NULL; */
909
910 ret->info_callback=NULL;
911
912 ret->app_verify_callback=NULL;
913 ret->app_verify_arg=NULL;
914
915 ret->default_read_ahead=0;
916 ret->default_verify_mode=SSL_VERIFY_NONE;
917 ret->default_verify_callback=NULL;
918 if ((ret->default_cert=ssl_cert_new()) == NULL)
919 goto err;
920
921 ret->default_passwd_callback=NULL;
922 ret->client_cert_cb=NULL;
923
924 ret->sessions=lh_new(SSL_SESSION_hash,SSL_SESSION_cmp);
925 if (ret->sessions == NULL) goto err;
926 ret->cert_store=X509_STORE_new();
927 if (ret->cert_store == NULL) goto err;
928
929 ssl_create_cipher_list(ret->method,
930 &ret->cipher_list,&ret->cipher_list_by_id,
931 SSL_DEFAULT_CIPHER_LIST);
932 if ((ret->cipher_list == NULL) || (sk_num(ret->cipher_list) <= 0))
933 {
934 SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_LIBRARY_HAS_NO_CIPHERS);
935 goto err2;
936 }
937
938 if ((ret->rsa_md5=EVP_get_digestbyname("ssl2-md5")) == NULL)
939 {
940 SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_UNABLE_TO_LOAD_SSL2_MD5_ROUTINES);
941 goto err2;
942 }
943 if ((ret->md5=EVP_get_digestbyname("ssl3-md5")) == NULL)
944 {
945 SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES);
946 goto err2;
947 }
948 if ((ret->sha1=EVP_get_digestbyname("ssl3-sha1")) == NULL)
949 {
950 SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES);
951 goto err2;
952 }
953
954 if ((ret->client_CA=sk_new_null()) == NULL)
955 goto err;
956
957 CRYPTO_new_ex_data(ssl_ctx_meth,(char *)ret,&ret->ex_data);
958
959 return(ret);
960err:
961 SSLerr(SSL_F_SSL_CTX_NEW,ERR_R_MALLOC_FAILURE);
962err2:
963 if (ret != NULL) SSL_CTX_free(ret);
964 return(NULL);
965 }
966
967void SSL_CTX_free(a)
968SSL_CTX *a;
969 {
970 int i;
971
972 if (a == NULL) return;
973
974 i=CRYPTO_add(&a->references,-1,CRYPTO_LOCK_SSL_CTX);
975#ifdef REF_PRINT
976 REF_PRINT("SSL_CTX",a);
977#endif
978 if (i > 0) return;
979#ifdef REF_CHECK
980 if (i < 0)
981 {
982 fprintf(stderr,"SSL_CTX_free, bad reference count\n");
983 abort(); /* ok */
984 }
985#endif
986 CRYPTO_free_ex_data(ssl_ctx_meth,(char *)a,&a->ex_data);
987
988 if (a->sessions != NULL)
989 {
990 SSL_CTX_flush_sessions(a,0);
991 lh_free(a->sessions);
992 }
993 if (a->cert_store != NULL)
994 X509_STORE_free(a->cert_store);
995 if (a->cipher_list != NULL)
996 sk_free(a->cipher_list);
997 if (a->cipher_list_by_id != NULL)
998 sk_free(a->cipher_list_by_id);
999 if (a->default_cert != NULL)
1000 ssl_cert_free(a->default_cert);
1001 if (a->client_CA != NULL)
1002 sk_pop_free(a->client_CA,X509_NAME_free);
1003 Free((char *)a);
1004 }
1005
1006void SSL_CTX_set_default_passwd_cb(ctx,cb)
1007SSL_CTX *ctx;
1008int (*cb)();
1009 {
1010 ctx->default_passwd_callback=cb;
1011 }
1012
1013void SSL_CTX_set_cert_verify_cb(ctx,cb,arg)
1014SSL_CTX *ctx;
1015int (*cb)();
1016char *arg;
1017 {
1018 ctx->app_verify_callback=cb;
1019 ctx->app_verify_arg=arg;
1020 }
1021
1022void SSL_CTX_set_verify(ctx,mode,cb)
1023SSL_CTX *ctx;
1024int mode;
1025int (*cb)();
1026 {
1027 ctx->default_verify_mode=mode;
1028 ctx->default_verify_callback=cb;
1029 /* This needs cleaning up EAY EAY EAY */
1030 X509_STORE_set_verify_cb_func(ctx->cert_store,cb);
1031 }
1032
1033void ssl_set_cert_masks(c)
1034CERT *c;
1035 {
1036 CERT_PKEY *cpk;
1037 int rsa_enc,rsa_tmp,rsa_sign,dh_tmp,dh_rsa,dh_dsa,dsa_sign;
1038 int rsa_enc_export,dh_rsa_export,dh_dsa_export;
1039 int rsa_tmp_export,dh_tmp_export;
1040 unsigned long mask,emask;
1041
1042 if ((c == NULL) || (c->valid)) return;
1043
1044#ifndef NO_RSA
1045 rsa_tmp=((c->rsa_tmp != NULL) || (c->rsa_tmp_cb != NULL))?1:0;
1046 rsa_tmp_export=((c->rsa_tmp_cb != NULL) ||
1047 (rsa_tmp && (RSA_size(c->rsa_tmp)*8 <= 512)))?1:0;
1048#else
1049 rsa_tmp=rsa_tmp_export=0;
1050#endif
1051#ifndef NO_DH
1052 dh_tmp=((c->dh_tmp != NULL) || (c->dh_tmp_cb != NULL))?1:0;
1053 dh_tmp_export=((c->dh_tmp_cb != NULL) ||
1054 (dh_tmp && (DH_size(c->dh_tmp)*8 <= 512)))?1:0;
1055#else
1056 dh_tmp=dh_tmp_export=0;
1057#endif
1058
1059 cpk= &(c->pkeys[SSL_PKEY_RSA_ENC]);
1060 rsa_enc= ((cpk->x509 != NULL) && (cpk->privatekey != NULL))?1:0;
1061 rsa_enc_export=(rsa_enc && (EVP_PKEY_size(cpk->privatekey)*8 <= 512))?1:0;
1062 cpk= &(c->pkeys[SSL_PKEY_RSA_SIGN]);
1063 rsa_sign=((cpk->x509 != NULL) && (cpk->privatekey != NULL))?1:0;
1064 cpk= &(c->pkeys[SSL_PKEY_DSA_SIGN]);
1065 dsa_sign=((cpk->x509 != NULL) && (cpk->privatekey != NULL))?1:0;
1066 cpk= &(c->pkeys[SSL_PKEY_DH_RSA]);
1067 dh_rsa= ((cpk->x509 != NULL) && (cpk->privatekey != NULL))?1:0;
1068 dh_rsa_export=(dh_rsa && (EVP_PKEY_size(cpk->privatekey)*8 <= 512))?1:0;
1069 cpk= &(c->pkeys[SSL_PKEY_DH_DSA]);
1070/* FIX THIS EAY EAY EAY */
1071 dh_dsa= ((cpk->x509 != NULL) && (cpk->privatekey != NULL))?1:0;
1072 dh_dsa_export=(dh_dsa && (EVP_PKEY_size(cpk->privatekey)*8 <= 512))?1:0;
1073
1074 mask=0;
1075 emask=0;
1076
1077#ifdef CIPHER_DEBUG
1078 printf("rt=%d dht=%d re=%d rs=%d ds=%d dhr=%d dhd=%d\n",
1079 rsa_tmp,dh_tmp,
1080 rsa_enc,rsa_sign,dsa_sign,dh_rsa,dh_dsa);
1081#endif
1082
1083 if (rsa_enc || (rsa_tmp && rsa_sign))
1084 mask|=SSL_kRSA;
1085 if (rsa_enc_export || (rsa_tmp_export && rsa_sign))
1086 emask|=SSL_kRSA;
1087
1088#if 0
1089 /* The match needs to be both kEDH and aRSA or aDSA, so don't worry */
1090 if ( (dh_tmp || dh_rsa || dh_dsa) &&
1091 (rsa_enc || rsa_sign || dsa_sign))
1092 mask|=SSL_kEDH;
1093 if ((dh_tmp_export || dh_rsa_export || dh_dsa_export) &&
1094 (rsa_enc || rsa_sign || dsa_sign))
1095 emask|=SSL_kEDH;
1096#endif
1097
1098 if (dh_tmp_export)
1099 emask|=SSL_kEDH;
1100
1101 if (dh_tmp)
1102 mask|=SSL_kEDH;
1103
1104 if (dh_rsa) mask|=SSL_kDHr;
1105 if (dh_rsa_export) emask|=SSL_kDHr;
1106
1107 if (dh_dsa) mask|=SSL_kDHd;
1108 if (dh_dsa_export) emask|=SSL_kDHd;
1109
1110 if (rsa_enc || rsa_sign)
1111 {
1112 mask|=SSL_aRSA;
1113 emask|=SSL_aRSA;
1114 }
1115
1116 if (dsa_sign)
1117 {
1118 mask|=SSL_aDSS;
1119 emask|=SSL_aDSS;
1120 }
1121
1122#ifdef SSL_ALLOW_ADH
1123 mask|=SSL_aNULL;
1124 emask|=SSL_aNULL;
1125#endif
1126
1127 c->mask=mask;
1128 c->export_mask=emask;
1129 c->valid=1;
1130 }
1131
1132/* THIS NEEDS CLEANING UP */
1133X509 *ssl_get_server_send_cert(s)
1134SSL *s;
1135 {
1136 unsigned long alg,mask,kalg;
1137 CERT *c;
1138 int i,export;
1139
1140 c=s->cert;
1141 ssl_set_cert_masks(c);
1142 alg=s->s3->tmp.new_cipher->algorithms;
1143 export=(alg & SSL_EXPORT)?1:0;
1144 mask=(export)?c->export_mask:c->mask;
1145 kalg=alg&(SSL_MKEY_MASK|SSL_AUTH_MASK);
1146
1147 if (kalg & SSL_kDHr)
1148 i=SSL_PKEY_DH_RSA;
1149 else if (kalg & SSL_kDHd)
1150 i=SSL_PKEY_DH_DSA;
1151 else if (kalg & SSL_aDSS)
1152 i=SSL_PKEY_DSA_SIGN;
1153 else if (kalg & SSL_aRSA)
1154 {
1155 if (c->pkeys[SSL_PKEY_RSA_ENC].x509 == NULL)
1156 i=SSL_PKEY_RSA_SIGN;
1157 else
1158 i=SSL_PKEY_RSA_ENC;
1159 }
1160 else /* if (kalg & SSL_aNULL) */
1161 {
1162 SSLerr(SSL_F_SSL_GET_SERVER_SEND_CERT,SSL_R_INTERNAL_ERROR);
1163 return(NULL);
1164 }
1165 if (c->pkeys[i].x509 == NULL) return(NULL);
1166 return(c->pkeys[i].x509);
1167 }
1168
1169EVP_PKEY *ssl_get_sign_pkey(s,cipher)
1170SSL *s;
1171SSL_CIPHER *cipher;
1172 {
1173 unsigned long alg;
1174 CERT *c;
1175
1176 alg=cipher->algorithms;
1177 c=s->cert;
1178
1179 if ((alg & SSL_aDSS) &&
1180 (c->pkeys[SSL_PKEY_DSA_SIGN].privatekey != NULL))
1181 return(c->pkeys[SSL_PKEY_DSA_SIGN].privatekey);
1182 else if (alg & SSL_aRSA)
1183 {
1184 if (c->pkeys[SSL_PKEY_RSA_SIGN].privatekey != NULL)
1185 return(c->pkeys[SSL_PKEY_RSA_SIGN].privatekey);
1186 else if (c->pkeys[SSL_PKEY_RSA_ENC].privatekey != NULL)
1187 return(c->pkeys[SSL_PKEY_RSA_ENC].privatekey);
1188 else
1189 return(NULL);
1190 }
1191 else /* if (alg & SSL_aNULL) */
1192 {
1193 SSLerr(SSL_F_SSL_GET_SIGN_PKEY,SSL_R_INTERNAL_ERROR);
1194 return(NULL);
1195 }
1196 }
1197
1198void ssl_update_cache(s,mode)
1199SSL *s;
1200int mode;
1201 {
1202 int i;
1203
1204 /* If the session_id_length is 0, we are not supposed to cache it,
1205 * and it would be rather hard to do anyway :-) */
1206 if (s->session->session_id_length == 0) return;
1207
1208 if ((s->ctx->session_cache_mode & mode)
1209 && (!s->hit)
1210 && SSL_CTX_add_session(s->ctx,s->session)
1211 && (s->ctx->new_session_cb != NULL))
1212 {
1213 CRYPTO_add(&s->session->references,1,CRYPTO_LOCK_SSL_SESSION);
1214 if (!s->ctx->new_session_cb(s,s->session))
1215 SSL_SESSION_free(s->session);
1216 }
1217
1218 /* auto flush every 255 connections */
1219 i=s->ctx->session_cache_mode;
1220 if ((!(i & SSL_SESS_CACHE_NO_AUTO_CLEAR)) &&
1221 ((i & mode) == mode))
1222 {
1223 if ( (((mode & SSL_SESS_CACHE_CLIENT)
1224 ?s->ctx->sess_connect_good
1225 :s->ctx->sess_accept_good) & 0xff) == 0xff)
1226 {
1227 SSL_CTX_flush_sessions(s->ctx,time(NULL));
1228 }
1229 }
1230 }
1231
1232SSL_METHOD *SSL_get_ssl_method(s)
1233SSL *s;
1234 {
1235 return(s->method);
1236 }
1237
1238int SSL_set_ssl_method(s,meth)
1239SSL *s;
1240SSL_METHOD *meth;
1241 {
1242 int conn= -1;
1243 int ret=1;
1244
1245 if (s->method != meth)
1246 {
1247 if (s->handshake_func != NULL)
1248 conn=(s->handshake_func == s->method->ssl_connect);
1249
1250 if (s->method->version == meth->version)
1251 s->method=meth;
1252 else
1253 {
1254 s->method->ssl_free(s);
1255 s->method=meth;
1256 ret=s->method->ssl_new(s);
1257 }
1258
1259 if (conn == 1)
1260 s->handshake_func=meth->ssl_connect;
1261 else if (conn == 0)
1262 s->handshake_func=meth->ssl_accept;
1263 }
1264 return(ret);
1265 }
1266
1267int SSL_get_error(s,i)
1268SSL *s;
1269int i;
1270 {
1271 int reason;
1272 BIO *bio;
1273
1274 if (i > 0) return(SSL_ERROR_NONE);
1275
1276 if (ERR_peek_error() != 0)
1277 return(SSL_ERROR_SSL);
1278
1279 if ((i < 0) && SSL_want_read(s))
1280 {
1281 bio=SSL_get_rbio(s);
1282 if (BIO_should_read(bio))
1283 return(SSL_ERROR_WANT_READ);
1284 else if (BIO_should_write(bio))
1285 return(SSL_ERROR_WANT_WRITE);
1286 else if (BIO_should_io_special(bio))
1287 {
1288 reason=BIO_get_retry_reason(bio);
1289 if (reason == BIO_RR_CONNECT)
1290 return(SSL_ERROR_WANT_CONNECT);
1291 else
1292 return(SSL_ERROR_SYSCALL); /* unknown */
1293 }
1294 }
1295
1296 if ((i < 0) && SSL_want_write(s))
1297 {
1298 bio=SSL_get_wbio(s);
1299 if (BIO_should_write(bio))
1300 return(SSL_ERROR_WANT_WRITE);
1301 else if (BIO_should_read(bio))
1302 return(SSL_ERROR_WANT_READ);
1303 else if (BIO_should_io_special(bio))
1304 {
1305 reason=BIO_get_retry_reason(bio);
1306 if (reason == BIO_RR_CONNECT)
1307 return(SSL_ERROR_WANT_CONNECT);
1308 else
1309 return(SSL_ERROR_SYSCALL);
1310 }
1311 }
1312 if ((i < 0) && SSL_want_x509_lookup(s))
1313 {
1314 return(SSL_ERROR_WANT_X509_LOOKUP);
1315 }
1316
1317 if (i == 0)
1318 {
1319 if (s->version == SSL2_VERSION)
1320 {
1321 /* assume it is the socket being closed */
1322 return(SSL_ERROR_ZERO_RETURN);
1323 }
1324 else
1325 {
1326 if ((s->shutdown & SSL_RECEIVED_SHUTDOWN) &&
1327 (s->s3->warn_alert == SSL_AD_CLOSE_NOTIFY))
1328 return(SSL_ERROR_ZERO_RETURN);
1329 }
1330 }
1331 return(SSL_ERROR_SYSCALL);
1332 }
1333
1334int SSL_do_handshake(s)
1335SSL *s;
1336 {
1337 int ret=1;
1338
1339 if (s->handshake_func == NULL)
1340 {
1341 SSLerr(SSL_F_SSL_DO_HANDSHAKE,SSL_R_CONNECTION_TYPE_NOT_SET);
1342 return(-1);
1343 }
1344 if (s->s3->renegotiate) ssl3_renegotiate_check(s);
1345 if (SSL_in_init(s) || SSL_in_before(s))
1346 {
1347 ret=s->handshake_func(s);
1348 }
1349 return(ret);
1350 }
1351
1352/* For the next 2 functions, SSL_clear() sets shutdown and so
1353 * one of these calls will reset it */
1354void SSL_set_accept_state(s)
1355SSL *s;
1356 {
1357 s->shutdown=0;
1358 s->state=SSL_ST_ACCEPT|SSL_ST_BEFORE;
1359 s->handshake_func=s->method->ssl_accept;
1360 /* clear the current cipher */
1361 ssl_clear_cipher_ctx(s);
1362 }
1363
1364void SSL_set_connect_state(s)
1365SSL *s;
1366 {
1367 s->shutdown=0;
1368 s->state=SSL_ST_CONNECT|SSL_ST_BEFORE;
1369 s->handshake_func=s->method->ssl_connect;
1370 /* clear the current cipher */
1371 ssl_clear_cipher_ctx(s);
1372 }
1373
1374int ssl_undefined_function(s)
1375SSL *s;
1376 {
1377 SSLerr(SSL_F_SSL_UNDEFINED_FUNCTION,ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
1378 return(0);
1379 }
1380
1381SSL_METHOD *ssl_bad_method(ver)
1382int ver;
1383 {
1384 SSLerr(SSL_F_SSL_BAD_METHOD,ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
1385 return(NULL);
1386 }
1387
1388char *SSL_get_version(s)
1389SSL *s;
1390 {
1391 if (s->version == TLS1_VERSION)
1392 return("TLSv1");
1393 else if (s->version == SSL3_VERSION)
1394 return("SSLv3");
1395 else if (s->version == SSL2_VERSION)
1396 return("SSLv2");
1397 else
1398 return("unknown");
1399 }
1400
1401SSL *SSL_dup(s)
1402SSL *s;
1403 {
1404 STACK *sk;
1405 X509_NAME *xn;
1406 SSL *ret;
1407 int i;
1408
1409 if ((ret=SSL_new(SSL_get_SSL_CTX(s))) == NULL) return(NULL);
1410
1411 /* This copies version, session-id, SSL_METHOD and 'cert' */
1412 SSL_copy_session_id(ret,s);
1413
1414 SSL_set_read_ahead(ret,SSL_get_read_ahead(s));
1415 SSL_set_verify(ret,SSL_get_verify_mode(s),
1416 SSL_get_verify_callback(s));
1417
1418 SSL_set_info_callback(ret,SSL_get_info_callback(s));
1419
1420 ret->debug=s->debug;
1421 ret->options=s->options;
1422
1423 /* copy app data, a little dangerous perhaps */
1424 if (!CRYPTO_dup_ex_data(ssl_meth,&ret->ex_data,&s->ex_data))
1425 goto err;
1426
1427 /* setup rbio, and wbio */
1428 if (s->rbio != NULL)
1429 {
1430 if (!BIO_dup_state(s->rbio,(char *)&ret->rbio))
1431 goto err;
1432 }
1433 if (s->wbio != NULL)
1434 {
1435 if (s->wbio != s->rbio)
1436 {
1437 if (!BIO_dup_state(s->wbio,(char *)&ret->wbio))
1438 goto err;
1439 }
1440 else
1441 ret->wbio=ret->rbio;
1442 }
1443
1444 /* dup the cipher_list and cipher_list_by_id stacks */
1445 if (s->cipher_list != NULL)
1446 {
1447 if ((ret->cipher_list=sk_dup(s->cipher_list)) == NULL)
1448 goto err;
1449 }
1450 if (s->cipher_list_by_id != NULL)
1451 if ((ret->cipher_list_by_id=sk_dup(s->cipher_list_by_id))
1452 == NULL)
1453 goto err;
1454
1455 /* Dup the client_CA list */
1456 if (s->client_CA != NULL)
1457 {
1458 if ((sk=sk_dup(s->client_CA)) == NULL) goto err;
1459 ret->client_CA=sk;
1460 for (i=0; i<sk_num(sk); i++)
1461 {
1462 xn=(X509_NAME *)sk_value(sk,i);
1463 if ((sk_value(sk,i)=(char *)X509_NAME_dup(xn)) == NULL)
1464 {
1465 X509_NAME_free(xn);
1466 goto err;
1467 }
1468 }
1469 }
1470
1471 ret->shutdown=s->shutdown;
1472 ret->state=s->state;
1473 ret->handshake_func=s->handshake_func;
1474
1475 if (0)
1476 {
1477err:
1478 if (ret != NULL) SSL_free(ret);
1479 ret=NULL;
1480 }
1481 return(ret);
1482 }
1483
1484void ssl_clear_cipher_ctx(s)
1485SSL *s;
1486 {
1487 if (s->enc_read_ctx != NULL)
1488 {
1489 EVP_CIPHER_CTX_cleanup(s->enc_read_ctx);
1490 Free(s->enc_read_ctx);
1491 s->enc_read_ctx=NULL;
1492 }
1493 if (s->enc_write_ctx != NULL)
1494 {
1495 EVP_CIPHER_CTX_cleanup(s->enc_write_ctx);
1496 Free(s->enc_write_ctx);
1497 s->enc_write_ctx=NULL;
1498 }
1499 }
1500
1501/* Fix this function so that it takes an optional type parameter */
1502X509 *SSL_get_certificate(s)
1503SSL *s;
1504 {
1505 if (s->cert != NULL)
1506 return(s->cert->key->x509);
1507 else
1508 return(NULL);
1509 }
1510
1511/* Fix this function so that it takes an optional type parameter */
1512EVP_PKEY *SSL_get_privatekey(s)
1513SSL *s;
1514 {
1515 if (s->cert != NULL)
1516 return(s->cert->key->privatekey);
1517 else
1518 return(NULL);
1519 }
1520
1521SSL_CIPHER *SSL_get_current_cipher(s)
1522SSL *s;
1523 {
1524 if ((s->session != NULL) && (s->session->cipher != NULL))
1525 return(s->session->cipher);
1526 return(NULL);
1527 }
1528
1529int ssl_init_wbio_buffer(s,push)
1530SSL *s;
1531int push;
1532 {
1533 BIO *bbio;
1534
1535 if (s->bbio == NULL)
1536 {
1537 bbio=BIO_new(BIO_f_buffer());
1538 if (bbio == NULL) return(0);
1539 s->bbio=bbio;
1540 }
1541 else
1542 {
1543 bbio=s->bbio;
1544 if (s->bbio == s->wbio)
1545 s->wbio=BIO_pop(s->wbio);
1546 }
1547 BIO_reset(bbio);
1548/* if (!BIO_set_write_buffer_size(bbio,16*1024)) */
1549 if (!BIO_set_read_buffer_size(bbio,1))
1550 {
1551 SSLerr(SSL_F_SSL_INIT_WBIO_BUFFER,ERR_R_BUF_LIB);
1552 return(0);
1553 }
1554 if (push)
1555 {
1556 if (s->wbio != bbio)
1557 s->wbio=BIO_push(bbio,s->wbio);
1558 }
1559 else
1560 {
1561 if (s->wbio == bbio)
1562 s->wbio=BIO_pop(bbio);
1563 }
1564 return(1);
1565 }
1566
1567void SSL_CTX_set_quiet_shutdown(ctx,mode)
1568SSL_CTX *ctx;
1569int mode;
1570 {
1571 ctx->quiet_shutdown=mode;
1572 }
1573
1574int SSL_CTX_get_quiet_shutdown(ctx)
1575SSL_CTX *ctx;
1576 {
1577 return(ctx->quiet_shutdown);
1578 }
1579
1580void SSL_set_quiet_shutdown(s,mode)
1581SSL *s;
1582int mode;
1583 {
1584 s->quiet_shutdown=mode;
1585 }
1586
1587int SSL_get_quiet_shutdown(s)
1588SSL *s;
1589 {
1590 return(s->quiet_shutdown);
1591 }
1592
1593void SSL_set_shutdown(s,mode)
1594SSL *s;
1595int mode;
1596 {
1597 s->shutdown=mode;
1598 }
1599
1600int SSL_get_shutdown(s)
1601SSL *s;
1602 {
1603 return(s->shutdown);
1604 }
1605
1606int SSL_version(s)
1607SSL *s;
1608 {
1609 return(s->version);
1610 }
1611
1612SSL_CTX *SSL_get_SSL_CTX(ssl)
1613SSL *ssl;
1614 {
1615 return(ssl->ctx);
1616 }
1617
1618int SSL_CTX_set_default_verify_paths(ctx)
1619SSL_CTX *ctx;
1620 {
1621 return(X509_STORE_set_default_paths(ctx->cert_store));
1622 }
1623
1624int SSL_CTX_load_verify_locations(ctx,CAfile,CApath)
1625SSL_CTX *ctx;
1626char *CAfile;
1627char *CApath;
1628 {
1629 return(X509_STORE_load_locations(ctx->cert_store,CAfile,CApath));
1630 }
1631
1632void SSL_set_info_callback(ssl,cb)
1633SSL *ssl;
1634void (*cb)();
1635 {
1636 ssl->info_callback=cb;
1637 }
1638
1639void (*SSL_get_info_callback(ssl))()
1640SSL *ssl;
1641 {
1642 return(ssl->info_callback);
1643 }
1644
1645int SSL_state(ssl)
1646SSL *ssl;
1647 {
1648 return(ssl->state);
1649 }
1650
1651void SSL_set_verify_result(ssl,arg)
1652SSL *ssl;
1653long arg;
1654 {
1655 ssl->verify_result=arg;
1656 }
1657
1658long SSL_get_verify_result(ssl)
1659SSL *ssl;
1660 {
1661 return(ssl->verify_result);
1662 }
1663
1664int SSL_get_ex_new_index(argl,argp,new_func,dup_func,free_func)
1665long argl;
1666char *argp;
1667int (*new_func)();
1668int (*dup_func)();
1669void (*free_func)();
1670 {
1671 ssl_meth_num++;
1672 return(CRYPTO_get_ex_new_index(ssl_meth_num-1,
1673 &ssl_meth,argl,argp,new_func,dup_func,free_func));
1674 }
1675
1676int SSL_set_ex_data(s,idx,arg)
1677SSL *s;
1678int idx;
1679char *arg;
1680 {
1681 return(CRYPTO_set_ex_data(&s->ex_data,idx,arg));
1682 }
1683
1684char *SSL_get_ex_data(s,idx)
1685SSL *s;
1686int idx;
1687 {
1688 return(CRYPTO_get_ex_data(&s->ex_data,idx));
1689 }
1690
1691int SSL_CTX_get_ex_new_index(argl,argp,new_func,dup_func,free_func)
1692long argl;
1693char *argp;
1694int (*new_func)();
1695int (*dup_func)();
1696void (*free_func)();
1697 {
1698 ssl_ctx_meth_num++;
1699 return(CRYPTO_get_ex_new_index(ssl_ctx_meth_num-1,
1700 &ssl_ctx_meth,argl,argp,new_func,dup_func,free_func));
1701 }
1702
1703int SSL_CTX_set_ex_data(s,idx,arg)
1704SSL_CTX *s;
1705int idx;
1706char *arg;
1707 {
1708 return(CRYPTO_set_ex_data(&s->ex_data,idx,arg));
1709 }
1710
1711char *SSL_CTX_get_ex_data(s,idx)
1712SSL_CTX *s;
1713int idx;
1714 {
1715 return(CRYPTO_get_ex_data(&s->ex_data,idx));
1716 }
1717
1718#if defined(_WINDLL) && defined(WIN16)
1719#include "../crypto/bio/bss_file.c"
1720#endif
1721
diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h
new file mode 100644
index 0000000000..b29517081b
--- /dev/null
+++ b/src/lib/libssl/ssl_locl.h
@@ -0,0 +1,558 @@
1/* ssl/ssl_locl.h */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#ifndef HEADER_SSL_LOCL_H
60#define HEADER_SSL_LOCL_H
61#include <stdlib.h>
62#include <time.h>
63#include <string.h>
64#include <errno.h>
65
66#include "e_os.h"
67
68#include "buffer.h"
69#include "bio.h"
70#include "crypto.h"
71#include "evp.h"
72#include "stack.h"
73#include "x509.h"
74#include "err.h"
75#include "ssl.h"
76
77
78#define c2l(c,l) (l = ((unsigned long)(*((c)++))) , \
79 l|=(((unsigned long)(*((c)++)))<< 8), \
80 l|=(((unsigned long)(*((c)++)))<<16), \
81 l|=(((unsigned long)(*((c)++)))<<24))
82
83/* NOTE - c is not incremented as per c2l */
84#define c2ln(c,l1,l2,n) { \
85 c+=n; \
86 l1=l2=0; \
87 switch (n) { \
88 case 8: l2 =((unsigned long)(*(--(c))))<<24; \
89 case 7: l2|=((unsigned long)(*(--(c))))<<16; \
90 case 6: l2|=((unsigned long)(*(--(c))))<< 8; \
91 case 5: l2|=((unsigned long)(*(--(c)))); \
92 case 4: l1 =((unsigned long)(*(--(c))))<<24; \
93 case 3: l1|=((unsigned long)(*(--(c))))<<16; \
94 case 2: l1|=((unsigned long)(*(--(c))))<< 8; \
95 case 1: l1|=((unsigned long)(*(--(c)))); \
96 } \
97 }
98
99#define l2c(l,c) (*((c)++)=(unsigned char)(((l) )&0xff), \
100 *((c)++)=(unsigned char)(((l)>> 8)&0xff), \
101 *((c)++)=(unsigned char)(((l)>>16)&0xff), \
102 *((c)++)=(unsigned char)(((l)>>24)&0xff))
103
104#define n2l(c,l) (l =((unsigned long)(*((c)++)))<<24, \
105 l|=((unsigned long)(*((c)++)))<<16, \
106 l|=((unsigned long)(*((c)++)))<< 8, \
107 l|=((unsigned long)(*((c)++))))
108
109#define l2n(l,c) (*((c)++)=(unsigned char)(((l)>>24)&0xff), \
110 *((c)++)=(unsigned char)(((l)>>16)&0xff), \
111 *((c)++)=(unsigned char)(((l)>> 8)&0xff), \
112 *((c)++)=(unsigned char)(((l) )&0xff))
113
114/* NOTE - c is not incremented as per l2c */
115#define l2cn(l1,l2,c,n) { \
116 c+=n; \
117 switch (n) { \
118 case 8: *(--(c))=(unsigned char)(((l2)>>24)&0xff); \
119 case 7: *(--(c))=(unsigned char)(((l2)>>16)&0xff); \
120 case 6: *(--(c))=(unsigned char)(((l2)>> 8)&0xff); \
121 case 5: *(--(c))=(unsigned char)(((l2) )&0xff); \
122 case 4: *(--(c))=(unsigned char)(((l1)>>24)&0xff); \
123 case 3: *(--(c))=(unsigned char)(((l1)>>16)&0xff); \
124 case 2: *(--(c))=(unsigned char)(((l1)>> 8)&0xff); \
125 case 1: *(--(c))=(unsigned char)(((l1) )&0xff); \
126 } \
127 }
128
129#define n2s(c,s) (s =((unsigned int)(*((c)++)))<< 8, \
130 s|=((unsigned int)(*((c)++))))
131#define s2n(s,c) (*((c)++)=(unsigned char)(((s)>> 8)&0xff), \
132 *((c)++)=(unsigned char)(((s) )&0xff))
133
134#define n2l3(c,l) (l =((unsigned long)(*((c)++)))<<16, \
135 l|=((unsigned long)(*((c)++)))<< 8, \
136 l|=((unsigned long)(*((c)++))))
137
138#define l2n3(l,c) (*((c)++)=(unsigned char)(((l)>>16)&0xff), \
139 *((c)++)=(unsigned char)(((l)>> 8)&0xff), \
140 *((c)++)=(unsigned char)(((l) )&0xff))
141
142/* LOCAL STUFF */
143
144#define SSL_DECRYPT 0
145#define SSL_ENCRYPT 1
146
147#define TWO_BYTE_BIT 0x80
148#define SEC_ESC_BIT 0x40
149#define TWO_BYTE_MASK 0x7fff
150#define THREE_BYTE_MASK 0x3fff
151
152#define INC32(a) ((a)=((a)+1)&0xffffffffL)
153#define DEC32(a) ((a)=((a)-1)&0xffffffffL)
154#define MAX_MAC_SIZE 20 /* up from 16 for SSLv3 */
155
156#define SSL_MKEY_MASK 0x0000001FL
157#define SSL_kRSA 0x00000001L /* RSA key exchange */
158#define SSL_kDHr 0x00000002L /* DH cert RSA CA cert */
159#define SSL_kDHd 0x00000004L /* DH cert DSA CA cert */
160#define SSL_kFZA 0x00000008L
161#define SSL_kEDH 0x00000010L /* tmp DH key no DH cert */
162#define SSL_EDH (SSL_kEDH|(SSL_AUTH_MASK^SSL_aNULL))
163
164#define SSL_AUTH_MASK 0x000003e0L
165#define SSL_aRSA 0x00000020L /* Authenticate with RSA */
166#define SSL_aDSS 0x00000040L /* Authenticate with DSS */
167#define SSL_DSS SSL_aDSS
168#define SSL_aFZA 0x00000080L
169#define SSL_aNULL 0x00000100L /* no Authenticate, ADH */
170#define SSL_aDH 0x00000200L /* no Authenticate, ADH */
171
172#define SSL_NULL (SSL_eNULL)
173#define SSL_ADH (SSL_kEDH|SSL_aNULL)
174#define SSL_RSA (SSL_kRSA|SSL_aRSA)
175#define SSL_DH (SSL_kDHr|SSL_kDHd|SSL_kEDH)
176#define SSL_FZA (SSL_aFZA|SSL_kFZA|SSL_eFZA)
177
178#define SSL_ENC_MASK 0x0001Fc00L
179#define SSL_DES 0x00000400L
180#define SSL_3DES 0x00000800L
181#define SSL_RC4 0x00001000L
182#define SSL_RC2 0x00002000L
183#define SSL_IDEA 0x00004000L
184#define SSL_eFZA 0x00008000L
185#define SSL_eNULL 0x00010000L
186
187#define SSL_MAC_MASK 0x00060000L
188#define SSL_MD5 0x00020000L
189#define SSL_SHA1 0x00040000L
190#define SSL_SHA (SSL_SHA1)
191
192#define SSL_EXP_MASK 0x00300000L
193#define SSL_EXP 0x00100000L
194#define SSL_NOT_EXP 0x00200000L
195#define SSL_EXPORT SSL_EXP
196
197#define SSL_SSL_MASK 0x00c00000L
198#define SSL_SSLV2 0x00400000L
199#define SSL_SSLV3 0x00800000L
200
201#define SSL_STRONG_MASK 0x07000000L
202#define SSL_LOW 0x01000000L
203#define SSL_MEDIUM 0x02000000L
204#define SSL_HIGH 0x04000000L
205
206/* we have used 0fffffff - 4 bits left to go */
207#define SSL_ALL 0xffffffffL
208#define SSL_ALL_CIPHERS (SSL_MKEY_MASK|SSL_AUTH_MASK|SSL_ENC_MASK|\
209 SSL_MAC_MASK|SSL_EXP_MASK)
210
211/* Mostly for SSLv3 */
212#define SSL_PKEY_RSA_ENC 0
213#define SSL_PKEY_RSA_SIGN 1
214#define SSL_PKEY_DSA_SIGN 2
215#define SSL_PKEY_DH_RSA 3
216#define SSL_PKEY_DH_DSA 4
217#define SSL_PKEY_NUM 5
218
219/* SSL_kRSA <- RSA_ENC | (RSA_TMP & RSA_SIGN) |
220 * <- (EXPORT & (RSA_ENC | RSA_TMP) & RSA_SIGN)
221 * SSL_kDH <- DH_ENC & (RSA_ENC | RSA_SIGN | DSA_SIGN)
222 * SSL_kEDH <- RSA_ENC | RSA_SIGN | DSA_SIGN
223 * SSL_aRSA <- RSA_ENC | RSA_SIGN
224 * SSL_aDSS <- DSA_SIGN
225 */
226
227/*
228#define CERT_INVALID 0
229#define CERT_PUBLIC_KEY 1
230#define CERT_PRIVATE_KEY 2
231*/
232
233typedef struct cert_pkey_st
234 {
235 X509 *x509;
236/* EVP_PKEY *publickey; *//* when extracted */
237 EVP_PKEY *privatekey;
238 } CERT_PKEY;
239
240typedef struct cert_st
241 {
242 int cert_type;
243
244#ifdef undef
245 X509 *x509;
246 EVP_PKEY *publickey; /* when extracted */
247 EVP_PKEY *privatekey;
248
249 pkeys[SSL_PKEY_RSA_ENC].x509
250/* pkeys[SSL_PKEY_RSA_ENC].publickey */
251 pkeys[SSL_PKEY_RSA_ENC].privatekey
252#endif
253
254 /* Current active set */
255 CERT_PKEY *key;
256
257 /* The following masks are for the key and auth
258 * algorithms that are supported by the certs below */
259 int valid;
260 unsigned long mask;
261 unsigned long export_mask;
262
263 RSA *rsa_tmp;
264 DH *dh_tmp;
265 RSA *(*rsa_tmp_cb)();
266 DH *(*dh_tmp_cb)();
267 CERT_PKEY pkeys[SSL_PKEY_NUM];
268
269 STACK *cert_chain;
270
271 int references;
272 } CERT;
273
274/*#define MAC_DEBUG */
275
276/*#define ERR_DEBUG */
277/*#define ABORT_DEBUG */
278/*#define PKT_DEBUG 1 */
279/*#define DES_DEBUG */
280/*#define DES_OFB_DEBUG */
281/*#define SSL_DEBUG */
282/*#define RSA_DEBUG */
283/*#define IDEA_DEBUG */
284
285#ifndef NOPROTO
286#define FP_ICC (int (*)(const void *,const void *))
287#else
288#define FP_ICC
289#endif
290
291#define ssl_put_cipher_by_char(ssl,ciph,ptr) \
292 ((ssl)->method->put_cipher_by_char((ciph),(ptr)))
293#define ssl_get_cipher_by_char(ssl,ptr) \
294 ((ssl)->method->get_cipher_by_char(ptr))
295
296/* This is for the SSLv3/TLSv1.0 differences in crypto/hash stuff
297 * It is a bit of a mess of functions, but hell, think of it as
298 * an opaque strucute :-) */
299typedef struct ssl3_enc_method
300 {
301 int (*enc)();
302 int (*mac)();
303 int (*setup_key_block)();
304 int (*generate_master_secret)();
305 int (*change_cipher_state)();
306 int (*final_finish_mac)();
307 int finish_mac_length;
308 int (*cert_verify_mac)();
309 unsigned char client_finished[20];
310 int client_finished_len;
311 unsigned char server_finished[20];
312 int server_finished_len;
313 int (*alert_value)();
314 } SSL3_ENC_METHOD;
315
316extern SSL3_ENC_METHOD ssl3_undef_enc_method;
317extern SSL_CIPHER ssl2_ciphers[];
318extern SSL_CIPHER ssl3_ciphers[];
319
320#ifndef NOPROTO
321
322SSL_METHOD *ssl_bad_method(int ver);
323SSL_METHOD *sslv2_base_method(void);
324SSL_METHOD *sslv23_base_method(void);
325SSL_METHOD *sslv3_base_method(void);
326
327void ssl_clear_cipher_ctx(SSL *s);
328int ssl_clear_bad_session(SSL *s);
329CERT *ssl_cert_new(void);
330void ssl_cert_free(CERT *c);
331int ssl_set_cert_type(CERT *c, int type);
332int ssl_get_new_session(SSL *s, int session);
333int ssl_get_prev_session(SSL *s, unsigned char *session,int len);
334int ssl_cipher_id_cmp(SSL_CIPHER *a,SSL_CIPHER *b);
335int ssl_cipher_ptr_id_cmp(SSL_CIPHER **ap,SSL_CIPHER **bp);
336STACK *ssl_bytes_to_cipher_list(SSL *s,unsigned char *p,int num,STACK **skp);
337int ssl_cipher_list_to_bytes(SSL *s,STACK *sk,unsigned char *p);
338STACK *ssl_create_cipher_list(SSL_METHOD *meth,STACK **pref,
339 STACK **sorted,char *str);
340void ssl_update_cache(SSL *s, int mode);
341int ssl_cipher_get_evp(SSL_CIPHER *c, EVP_CIPHER **enc, EVP_MD **md);
342int ssl_verify_cert_chain(SSL *s,STACK *sk);
343int ssl_undefined_function(SSL *s);
344X509 *ssl_get_server_send_cert(SSL *);
345EVP_PKEY *ssl_get_sign_pkey(SSL *,SSL_CIPHER *);
346int ssl_cert_type(X509 *x,EVP_PKEY *pkey);
347void ssl_set_cert_masks(CERT *c);
348STACK *ssl_get_ciphers_by_id(SSL *s);
349int ssl_verify_alarm_type(long type);
350
351int ssl2_enc_init(SSL *s, int client);
352void ssl2_generate_key_material(SSL *s);
353void ssl2_enc(SSL *s,int send_data);
354void ssl2_mac(SSL *s,unsigned char *mac,int send_data);
355SSL_CIPHER *ssl2_get_cipher_by_char(unsigned char *p);
356int ssl2_put_cipher_by_char(SSL_CIPHER *c,unsigned char *p);
357int ssl2_part_read(SSL *s, unsigned long f, int i);
358int ssl2_do_write(SSL *s);
359int ssl2_set_certificate(SSL *s, int type, int len, unsigned char *data);
360void ssl2_return_error(SSL *s,int reason);
361void ssl2_write_error(SSL *s);
362int ssl2_num_ciphers(void);
363SSL_CIPHER *ssl2_get_cipher(unsigned int u);
364int ssl2_new(SSL *s);
365void ssl2_free(SSL *s);
366int ssl2_accept(SSL *s);
367int ssl2_connect(SSL *s);
368int ssl2_read(SSL *s, char *buf, int len);
369int ssl2_peek(SSL *s, char *buf, int len);
370int ssl2_write(SSL *s, char *buf, int len);
371int ssl2_shutdown(SSL *s);
372void ssl2_clear(SSL *s);
373long ssl2_ctrl(SSL *s,int cmd, long larg, char *parg);
374long ssl2_ctx_ctrl(SSL_CTX *s,int cmd, long larg, char *parg);
375int ssl2_pending(SSL *s);
376
377SSL_CIPHER *ssl3_get_cipher_by_char(unsigned char *p);
378int ssl3_put_cipher_by_char(SSL_CIPHER *c,unsigned char *p);
379void ssl3_init_finished_mac(SSL *s);
380int ssl3_send_server_certificate(SSL *s);
381int ssl3_get_finished(SSL *s,int state_a,int state_b);
382int ssl3_setup_key_block(SSL *s);
383int ssl3_send_change_cipher_spec(SSL *s,int state_a,int state_b);
384int ssl3_change_cipher_state(SSL *s,int which);
385void ssl3_cleanup_key_block(SSL *s);
386int ssl3_do_write(SSL *s,int type);
387void ssl3_send_alert(SSL *s,int level, int desc);
388int ssl3_generate_master_secret(SSL *s, unsigned char *out,
389 unsigned char *p, int len);
390int ssl3_get_req_cert_type(SSL *s,unsigned char *p);
391long ssl3_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok);
392int ssl3_send_finished(SSL *s, int a, int b, unsigned char *sender,int slen);
393int ssl3_num_ciphers(void);
394SSL_CIPHER *ssl3_get_cipher(unsigned int u);
395int ssl3_renegotiate(SSL *ssl);
396int ssl3_renegotiate_check(SSL *ssl);
397int ssl3_dispatch_alert(SSL *s);
398int ssl3_read_bytes(SSL *s, int type, char *buf, int len);
399int ssl3_part_read(SSL *s, int i);
400int ssl3_write_bytes(SSL *s, int type, char *buf, int len);
401int ssl3_final_finish_mac(SSL *s, EVP_MD_CTX *ctx1,EVP_MD_CTX *ctx2,
402 unsigned char *sender, int slen,unsigned char *p);
403int ssl3_cert_verify_mac(SSL *s, EVP_MD_CTX *in, unsigned char *p);
404void ssl3_finish_mac(SSL *s, unsigned char *buf, int len);
405int ssl3_enc(SSL *s, int send_data);
406int ssl3_mac(SSL *ssl, unsigned char *md, int send_data);
407unsigned long ssl3_output_cert_chain(SSL *s, X509 *x);
408SSL_CIPHER *ssl3_choose_cipher(SSL *ssl,STACK *have,STACK *pref);
409int ssl3_setup_buffers(SSL *s);
410int ssl3_new(SSL *s);
411void ssl3_free(SSL *s);
412int ssl3_accept(SSL *s);
413int ssl3_connect(SSL *s);
414int ssl3_read(SSL *s, char *buf, int len);
415int ssl3_peek(SSL *s,char *buf, int len);
416int ssl3_write(SSL *s, char *buf, int len);
417int ssl3_shutdown(SSL *s);
418void ssl3_clear(SSL *s);
419long ssl3_ctrl(SSL *s,int cmd, long larg, char *parg);
420long ssl3_ctx_ctrl(SSL_CTX *s,int cmd, long larg, char *parg);
421int ssl3_pending(SSL *s);
422
423int ssl23_accept(SSL *s);
424int ssl23_connect(SSL *s);
425int ssl23_read_bytes(SSL *s, int n);
426int ssl23_write_bytes(SSL *s);
427
428int tls1_new(SSL *s);
429void tls1_free(SSL *s);
430void tls1_clear(SSL *s);
431long tls1_ctrl(SSL *s,int cmd, long larg, char *parg);
432SSL_METHOD *tlsv1_base_method(void );
433
434
435int ssl_init_wbio_buffer(SSL *s, int push);
436
437int tls1_change_cipher_state(SSL *s, int which);
438int tls1_setup_key_block(SSL *s);
439int tls1_enc(SSL *s, int snd);
440int tls1_final_finish_mac(SSL *s, EVP_MD_CTX *in1_ctx, EVP_MD_CTX *in2_ctx,
441 unsigned char *str, int slen, unsigned char *p);
442int tls1_cert_verify_mac(SSL *s, EVP_MD_CTX *in, unsigned char *p);
443int tls1_mac(SSL *ssl, unsigned char *md, int snd);
444int tls1_generate_master_secret(SSL *s, unsigned char *out,
445 unsigned char *p, int len);
446int tls1_alert_code(int code);
447int ssl3_alert_code(int code);
448
449
450#else
451
452SSL_METHOD *ssl_bad_method();
453SSL_METHOD *sslv2_base_method();
454SSL_METHOD *sslv23_base_method();
455SSL_METHOD *sslv3_base_method();
456
457void ssl_clear_cipher_ctx();
458int ssl_clear_bad_session();
459CERT *ssl_cert_new();
460void ssl_cert_free();
461int ssl_set_cert_type();
462int ssl_get_new_session();
463int ssl_get_prev_session();
464int ssl_cipher_id_cmp();
465int ssl_cipher_ptr_id_cmp();
466STACK *ssl_bytes_to_cipher_list();
467int ssl_cipher_list_to_bytes();
468STACK *ssl_create_cipher_list();
469void ssl_update_cache();
470int ssl_session_get_ciphers();
471int ssl_verify_cert_chain();
472int ssl_undefined_function();
473X509 *ssl_get_server_send_cert();
474EVP_PKEY *ssl_get_sign_pkey();
475int ssl_cert_type();
476void ssl_set_cert_masks();
477STACK *ssl_get_ciphers_by_id();
478int ssl_verify_alarm_type();
479
480int ssl2_enc_init();
481void ssl2_generate_key_material();
482void ssl2_enc();
483void ssl2_mac();
484SSL_CIPHER *ssl2_get_cipher_by_char();
485int ssl2_put_cipher_by_char();
486int ssl2_part_read();
487int ssl2_do_write();
488int ssl2_set_certificate();
489void ssl2_return_error();
490void ssl2_write_error();
491int ssl2_num_ciphers();
492SSL_CIPHER *ssl2_get_cipher();
493int ssl2_new();
494void ssl2_free();
495int ssl2_accept();
496int ssl2_connect();
497int ssl2_read();
498int ssl2_peek();
499int ssl2_write();
500int ssl2_shutdown();
501void ssl2_clear();
502long ssl2_ctrl();
503long ssl2_ctx_ctrl();
504int ssl2_pending();
505
506SSL_CIPHER *ssl3_get_cipher_by_char();
507int ssl3_put_cipher_by_char();
508void ssl3_init_finished_mac();
509int ssl3_send_server_certificate();
510int ssl3_get_finished();
511int ssl3_setup_key_block();
512int ssl3_send_change_cipher_spec();
513int ssl3_change_cipher_state();
514void ssl3_cleanup_key_block();
515int ssl3_do_write();
516void ssl3_send_alert();
517int ssl3_generate_master_secret();
518int ssl3_get_req_cert_type();
519long ssl3_get_message();
520int ssl3_send_finished();
521int ssl3_num_ciphers();
522SSL_CIPHER *ssl3_get_cipher();
523int ssl3_renegotiate();
524int ssl3_renegotiate_check();
525int ssl3_dispatch_alert();
526int ssl3_read_bytes();
527int ssl3_part_read();
528int ssl3_write_bytes();
529int ssl3_final_finish_mac();
530void ssl3_finish_mac();
531int ssl3_enc();
532int ssl3_mac();
533unsigned long ssl3_output_cert_chain();
534SSL_CIPHER *ssl3_choose_cipher();
535int ssl3_setup_buffers();
536int ssl3_new();
537void ssl3_free();
538int ssl3_accept();
539int ssl3_connect();
540int ssl3_read();
541int ssl3_peek();
542int ssl3_write();
543int ssl3_shutdown();
544void ssl3_clear();
545long ssl3_ctrl();
546long ssl3_ctx_ctrl();
547int ssl3_pending();
548
549int ssl23_accept();
550int ssl23_connect();
551int ssl23_read_bytes();
552int ssl23_write_bytes();
553
554int ssl_init_wbio_buffer();
555
556#endif
557
558#endif
diff --git a/src/lib/libssl/ssl_rsa.c b/src/lib/libssl/ssl_rsa.c
new file mode 100644
index 0000000000..140475e5fb
--- /dev/null
+++ b/src/lib/libssl/ssl_rsa.c
@@ -0,0 +1,831 @@
1/* ssl/ssl_rsa.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#include <stdio.h>
60#include "bio.h"
61#include "objects.h"
62#include "evp.h"
63#include "x509.h"
64#include "pem.h"
65#include "ssl_locl.h"
66
67#ifndef NOPROTO
68static int ssl_set_cert(CERT *c, X509 *x509);
69static int ssl_set_pkey(CERT *c, EVP_PKEY *pkey);
70#else
71static int ssl_set_cert();
72static int ssl_set_pkey();
73#endif
74
75int SSL_use_certificate(ssl, x)
76SSL *ssl;
77X509 *x;
78 {
79 CERT *c;
80
81 if (x == NULL)
82 {
83 SSLerr(SSL_F_SSL_USE_CERTIFICATE,ERR_R_PASSED_NULL_PARAMETER);
84 return(0);
85 }
86 if ((ssl->cert == NULL) || (ssl->cert == ssl->ctx->default_cert))
87 {
88 c=ssl_cert_new();
89 if (c == NULL)
90 {
91 SSLerr(SSL_F_SSL_USE_CERTIFICATE,ERR_R_MALLOC_FAILURE);
92 return(0);
93 }
94 if (ssl->cert != NULL) ssl_cert_free(ssl->cert);
95 ssl->cert=c;
96 }
97 c=ssl->cert;
98
99 return(ssl_set_cert(c,x));
100 }
101
102#ifndef NO_STDIO
103int SSL_use_certificate_file(ssl, file, type)
104SSL *ssl;
105char *file;
106int type;
107 {
108 int j;
109 BIO *in;
110 int ret=0;
111 X509 *x=NULL;
112
113 in=BIO_new(BIO_s_file_internal());
114 if (in == NULL)
115 {
116 SSLerr(SSL_F_SSL_USE_CERTIFICATE_FILE,ERR_R_BUF_LIB);
117 goto end;
118 }
119
120 if (BIO_read_filename(in,file) <= 0)
121 {
122 SSLerr(SSL_F_SSL_USE_CERTIFICATE_FILE,ERR_R_SYS_LIB);
123 goto end;
124 }
125 if (type == SSL_FILETYPE_ASN1)
126 {
127 j=ERR_R_ASN1_LIB;
128 x=d2i_X509_bio(in,NULL);
129 }
130 else if (type == SSL_FILETYPE_PEM)
131 {
132 j=ERR_R_PEM_LIB;
133 x=PEM_read_bio_X509(in,NULL,ssl->ctx->default_passwd_callback);
134 }
135 else
136 {
137 SSLerr(SSL_F_SSL_USE_CERTIFICATE_FILE,SSL_R_BAD_SSL_FILETYPE);
138 goto end;
139 }
140
141 if (x == NULL)
142 {
143 SSLerr(SSL_F_SSL_USE_CERTIFICATE_FILE,j);
144 goto end;
145 }
146
147 ret=SSL_use_certificate(ssl,x);
148end:
149 if (x != NULL) X509_free(x);
150 if (in != NULL) BIO_free(in);
151 return(ret);
152 }
153#endif
154
155int SSL_use_certificate_ASN1(ssl, len, d)
156SSL *ssl;
157int len;
158unsigned char *d;
159 {
160 X509 *x;
161 int ret;
162
163 x=d2i_X509(NULL,&d,(long)len);
164 if (x == NULL)
165 {
166 SSLerr(SSL_F_SSL_USE_CERTIFICATE_ASN1,ERR_R_ASN1_LIB);
167 return(0);
168 }
169
170 ret=SSL_use_certificate(ssl,x);
171 X509_free(x);
172 return(ret);
173 }
174
175#ifndef NO_RSA
176int SSL_use_RSAPrivateKey(ssl, rsa)
177SSL *ssl;
178RSA *rsa;
179 {
180 CERT *c;
181 EVP_PKEY *pkey;
182 int ret;
183
184 if (rsa == NULL)
185 {
186 SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY,ERR_R_PASSED_NULL_PARAMETER);
187 return(0);
188 }
189
190 if ((ssl->cert == NULL) || (ssl->cert == ssl->ctx->default_cert))
191 {
192 c=ssl_cert_new();
193 if (c == NULL)
194 {
195 SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY,ERR_R_MALLOC_FAILURE);
196 return(0);
197 }
198 if (ssl->cert != NULL) ssl_cert_free(ssl->cert);
199 ssl->cert=c;
200 }
201 c=ssl->cert;
202 if ((pkey=EVP_PKEY_new()) == NULL)
203 {
204 SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY,ERR_R_EVP_LIB);
205 return(0);
206 }
207
208 CRYPTO_add(&rsa->references,1,CRYPTO_LOCK_RSA);
209 EVP_PKEY_assign_RSA(pkey,rsa);
210
211 ret=ssl_set_pkey(c,pkey);
212 EVP_PKEY_free(pkey);
213 return(ret);
214 }
215#endif
216
217static int ssl_set_pkey(c,pkey)
218CERT *c;
219EVP_PKEY *pkey;
220 {
221 int i,ok=0,bad=0;
222
223 i=ssl_cert_type(NULL,pkey);
224 if (i < 0)
225 {
226 SSLerr(SSL_F_SSL_SET_PKEY,SSL_R_UNKNOWN_CERTIFICATE_TYPE);
227 return(0);
228 }
229
230 if (c->pkeys[i].x509 != NULL)
231 {
232#ifndef NO_RSA
233 /* Don't check the public/private key, this is mostly
234 * for smart cards. */
235 if ((pkey->type == EVP_PKEY_RSA) &&
236 (RSA_flags(pkey->pkey.rsa) &
237 RSA_METHOD_FLAG_NO_CHECK))
238 ok=1;
239 else
240#endif
241 if (!X509_check_private_key(c->pkeys[i].x509,pkey))
242 {
243 if ((i == SSL_PKEY_DH_RSA) || (i == SSL_PKEY_DH_DSA))
244 {
245 i=(i == SSL_PKEY_DH_RSA)?
246 SSL_PKEY_DH_DSA:SSL_PKEY_DH_RSA;
247
248 if (c->pkeys[i].x509 == NULL)
249 ok=1;
250 else
251 {
252 if (!X509_check_private_key(
253 c->pkeys[i].x509,pkey))
254 bad=1;
255 else
256 ok=1;
257 }
258 }
259 else
260 bad=1;
261 }
262 else
263 ok=1;
264 }
265 else
266 ok=1;
267
268 if (bad)
269 {
270 X509_free(c->pkeys[i].x509);
271 c->pkeys[i].x509=NULL;
272 return(0);
273 }
274
275 if (c->pkeys[i].privatekey != NULL)
276 EVP_PKEY_free(c->pkeys[i].privatekey);
277 CRYPTO_add(&pkey->references,1,CRYPTO_LOCK_EVP_PKEY);
278 c->pkeys[i].privatekey=pkey;
279 c->key= &(c->pkeys[i]);
280
281 c->valid=0;
282 return(1);
283 }
284
285#ifndef NO_RSA
286#ifndef NO_STDIO
287int SSL_use_RSAPrivateKey_file(ssl, file, type)
288SSL *ssl;
289char *file;
290int type;
291 {
292 int j,ret=0;
293 BIO *in;
294 RSA *rsa=NULL;
295
296 in=BIO_new(BIO_s_file_internal());
297 if (in == NULL)
298 {
299 SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY_FILE,ERR_R_BUF_LIB);
300 goto end;
301 }
302
303 if (BIO_read_filename(in,file) <= 0)
304 {
305 SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY_FILE,ERR_R_SYS_LIB);
306 goto end;
307 }
308 if (type == SSL_FILETYPE_ASN1)
309 {
310 j=ERR_R_ASN1_LIB;
311 rsa=d2i_RSAPrivateKey_bio(in,NULL);
312 }
313 else if (type == SSL_FILETYPE_PEM)
314 {
315 j=ERR_R_PEM_LIB;
316 rsa=PEM_read_bio_RSAPrivateKey(in,NULL,
317 ssl->ctx->default_passwd_callback);
318 }
319 else
320 {
321 SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY_FILE,SSL_R_BAD_SSL_FILETYPE);
322 goto end;
323 }
324 if (rsa == NULL)
325 {
326 SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY_FILE,j);
327 goto end;
328 }
329 ret=SSL_use_RSAPrivateKey(ssl,rsa);
330 RSA_free(rsa);
331end:
332 if (in != NULL) BIO_free(in);
333 return(ret);
334 }
335#endif
336
337int SSL_use_RSAPrivateKey_ASN1(ssl,d,len)
338SSL *ssl;
339unsigned char *d;
340long len;
341 {
342 int ret;
343 unsigned char *p;
344 RSA *rsa;
345
346 p=d;
347 if ((rsa=d2i_RSAPrivateKey(NULL,&p,(long)len)) == NULL)
348 {
349 SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY_ASN1,ERR_R_ASN1_LIB);
350 return(0);
351 }
352
353 ret=SSL_use_RSAPrivateKey(ssl,rsa);
354 RSA_free(rsa);
355 return(ret);
356 }
357#endif /* !NO_RSA */
358
359int SSL_use_PrivateKey(ssl, pkey)
360SSL *ssl;
361EVP_PKEY *pkey;
362 {
363 CERT *c;
364 int ret;
365
366 if (pkey == NULL)
367 {
368 SSLerr(SSL_F_SSL_USE_PRIVATEKEY,ERR_R_PASSED_NULL_PARAMETER);
369 return(0);
370 }
371
372 if ((ssl->cert == NULL) || (ssl->cert == ssl->ctx->default_cert))
373 {
374 c=ssl_cert_new();
375 if (c == NULL)
376 {
377 SSLerr(SSL_F_SSL_USE_PRIVATEKEY,ERR_R_MALLOC_FAILURE);
378 return(0);
379 }
380 if (ssl->cert != NULL) ssl_cert_free(ssl->cert);
381 ssl->cert=c;
382 }
383 c=ssl->cert;
384
385 ret=ssl_set_pkey(c,pkey);
386 return(ret);
387 }
388
389#ifndef NO_STDIO
390int SSL_use_PrivateKey_file(ssl, file, type)
391SSL *ssl;
392char *file;
393int type;
394 {
395 int j,ret=0;
396 BIO *in;
397 EVP_PKEY *pkey=NULL;
398
399 in=BIO_new(BIO_s_file_internal());
400 if (in == NULL)
401 {
402 SSLerr(SSL_F_SSL_USE_PRIVATEKEY_FILE,ERR_R_BUF_LIB);
403 goto end;
404 }
405
406 if (BIO_read_filename(in,file) <= 0)
407 {
408 SSLerr(SSL_F_SSL_USE_PRIVATEKEY_FILE,ERR_R_SYS_LIB);
409 goto end;
410 }
411 if (type == SSL_FILETYPE_PEM)
412 {
413 j=ERR_R_PEM_LIB;
414 pkey=PEM_read_bio_PrivateKey(in,NULL,
415 ssl->ctx->default_passwd_callback);
416 }
417 else
418 {
419 SSLerr(SSL_F_SSL_USE_PRIVATEKEY_FILE,SSL_R_BAD_SSL_FILETYPE);
420 goto end;
421 }
422 if (pkey == NULL)
423 {
424 SSLerr(SSL_F_SSL_USE_PRIVATEKEY_FILE,j);
425 goto end;
426 }
427 ret=SSL_use_PrivateKey(ssl,pkey);
428 EVP_PKEY_free(pkey);
429end:
430 if (in != NULL) BIO_free(in);
431 return(ret);
432 }
433#endif
434
435int SSL_use_PrivateKey_ASN1(type,ssl,d,len)
436int type;
437SSL *ssl;
438unsigned char *d;
439long len;
440 {
441 int ret;
442 unsigned char *p;
443 EVP_PKEY *pkey;
444
445 p=d;
446 if ((pkey=d2i_PrivateKey(type,NULL,&p,(long)len)) == NULL)
447 {
448 SSLerr(SSL_F_SSL_USE_PRIVATEKEY_ASN1,ERR_R_ASN1_LIB);
449 return(0);
450 }
451
452 ret=SSL_use_PrivateKey(ssl,pkey);
453 EVP_PKEY_free(pkey);
454 return(ret);
455 }
456
457int SSL_CTX_use_certificate(ctx, x)
458SSL_CTX *ctx;
459X509 *x;
460 {
461 CERT *c;
462
463 if (x == NULL)
464 {
465 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE,ERR_R_PASSED_NULL_PARAMETER);
466 return(0);
467 }
468
469 if (ctx->default_cert == NULL)
470 {
471 c=ssl_cert_new();
472 if (c == NULL)
473 {
474 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE,ERR_R_MALLOC_FAILURE);
475 return(0);
476 }
477 ctx->default_cert=c;
478 }
479 c=ctx->default_cert;
480
481 return(ssl_set_cert(c,x));
482 }
483
484static int ssl_set_cert(c,x)
485CERT *c;
486X509 *x;
487 {
488 EVP_PKEY *pkey;
489 int i,ok=0,bad=0;
490
491 pkey=X509_get_pubkey(x);
492 if (pkey == NULL)
493 {
494 SSLerr(SSL_F_SSL_SET_CERT,SSL_R_X509_LIB);
495 return(0);
496 }
497
498 i=ssl_cert_type(x,pkey);
499 if (i < 0)
500 {
501 SSLerr(SSL_F_SSL_SET_CERT,SSL_R_UNKNOWN_CERTIFICATE_TYPE);
502 return(0);
503 }
504
505 if (c->pkeys[i].privatekey != NULL)
506 {
507 if (!X509_check_private_key(x,c->pkeys[i].privatekey))
508 {
509 if ((i == SSL_PKEY_DH_RSA) || (i == SSL_PKEY_DH_DSA))
510 {
511 i=(i == SSL_PKEY_DH_RSA)?
512 SSL_PKEY_DH_DSA:SSL_PKEY_DH_RSA;
513
514 if (c->pkeys[i].privatekey == NULL)
515 ok=1;
516 else
517 {
518 if (!X509_check_private_key(x,
519 c->pkeys[i].privatekey))
520 bad=1;
521 else
522 ok=1;
523 }
524 }
525 else
526 bad=1;
527 }
528 else
529 ok=1;
530 }
531 else
532 ok=1;
533
534 if (bad)
535 {
536 EVP_PKEY_free(c->pkeys[i].privatekey);
537 c->pkeys[i].privatekey=NULL;
538 }
539
540 if (c->pkeys[i].x509 != NULL)
541 X509_free(c->pkeys[i].x509);
542 CRYPTO_add(&x->references,1,CRYPTO_LOCK_X509);
543 c->pkeys[i].x509=x;
544 c->key= &(c->pkeys[i]);
545
546 c->valid=0;
547 return(1);
548 }
549
550#ifndef NO_STDIO
551int SSL_CTX_use_certificate_file(ctx, file, type)
552SSL_CTX *ctx;
553char *file;
554int type;
555 {
556 int j;
557 BIO *in;
558 int ret=0;
559 X509 *x=NULL;
560
561 in=BIO_new(BIO_s_file_internal());
562 if (in == NULL)
563 {
564 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE,ERR_R_BUF_LIB);
565 goto end;
566 }
567
568 if (BIO_read_filename(in,file) <= 0)
569 {
570 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE,ERR_R_SYS_LIB);
571 goto end;
572 }
573 if (type == SSL_FILETYPE_ASN1)
574 {
575 j=ERR_R_ASN1_LIB;
576 x=d2i_X509_bio(in,NULL);
577 }
578 else if (type == SSL_FILETYPE_PEM)
579 {
580 j=ERR_R_PEM_LIB;
581 x=PEM_read_bio_X509(in,NULL,ctx->default_passwd_callback);
582 }
583 else
584 {
585 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE,SSL_R_BAD_SSL_FILETYPE);
586 goto end;
587 }
588
589 if (x == NULL)
590 {
591 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE,j);
592 goto end;
593 }
594
595 ret=SSL_CTX_use_certificate(ctx,x);
596end:
597 if (x != NULL) X509_free(x);
598 if (in != NULL) BIO_free(in);
599 return(ret);
600 }
601#endif
602
603int SSL_CTX_use_certificate_ASN1(ctx, len, d)
604SSL_CTX *ctx;
605int len;
606unsigned char *d;
607 {
608 X509 *x;
609 int ret;
610
611 x=d2i_X509(NULL,&d,(long)len);
612 if (x == NULL)
613 {
614 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_ASN1,ERR_R_ASN1_LIB);
615 return(0);
616 }
617
618 ret=SSL_CTX_use_certificate(ctx,x);
619 X509_free(x);
620 return(ret);
621 }
622
623#ifndef NO_RSA
624int SSL_CTX_use_RSAPrivateKey(ctx, rsa)
625SSL_CTX *ctx;
626RSA *rsa;
627 {
628 int ret;
629 CERT *c;
630 EVP_PKEY *pkey;
631
632 if (rsa == NULL)
633 {
634 SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY,ERR_R_PASSED_NULL_PARAMETER);
635 return(0);
636 }
637 if (ctx->default_cert == NULL)
638 {
639 c=ssl_cert_new();
640 if (c == NULL)
641 {
642 SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY,ERR_R_MALLOC_FAILURE);
643 return(0);
644 }
645 ctx->default_cert=c;
646 }
647 c=ctx->default_cert;
648
649 if ((pkey=EVP_PKEY_new()) == NULL)
650 {
651 SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY,ERR_R_EVP_LIB);
652 return(0);
653 }
654
655 CRYPTO_add(&rsa->references,1,CRYPTO_LOCK_RSA);
656 EVP_PKEY_assign_RSA(pkey,rsa);
657
658 ret=ssl_set_pkey(c,pkey);
659 EVP_PKEY_free(pkey);
660 return(ret);
661 }
662
663#ifndef NO_STDIO
664int SSL_CTX_use_RSAPrivateKey_file(ctx, file, type)
665SSL_CTX *ctx;
666char *file;
667int type;
668 {
669 int j,ret=0;
670 BIO *in;
671 RSA *rsa=NULL;
672
673 in=BIO_new(BIO_s_file_internal());
674 if (in == NULL)
675 {
676 SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE,ERR_R_BUF_LIB);
677 goto end;
678 }
679
680 if (BIO_read_filename(in,file) <= 0)
681 {
682 SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE,ERR_R_SYS_LIB);
683 goto end;
684 }
685 if (type == SSL_FILETYPE_ASN1)
686 {
687 j=ERR_R_ASN1_LIB;
688 rsa=d2i_RSAPrivateKey_bio(in,NULL);
689 }
690 else if (type == SSL_FILETYPE_PEM)
691 {
692 j=ERR_R_PEM_LIB;
693 rsa=PEM_read_bio_RSAPrivateKey(in,NULL,
694 ctx->default_passwd_callback);
695 }
696 else
697 {
698 SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE,SSL_R_BAD_SSL_FILETYPE);
699 goto end;
700 }
701 if (rsa == NULL)
702 {
703 SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE,j);
704 goto end;
705 }
706 ret=SSL_CTX_use_RSAPrivateKey(ctx,rsa);
707 RSA_free(rsa);
708end:
709 if (in != NULL) BIO_free(in);
710 return(ret);
711 }
712#endif
713
714int SSL_CTX_use_RSAPrivateKey_ASN1(ctx,d,len)
715SSL_CTX *ctx;
716unsigned char *d;
717long len;
718 {
719 int ret;
720 unsigned char *p;
721 RSA *rsa;
722
723 p=d;
724 if ((rsa=d2i_RSAPrivateKey(NULL,&p,(long)len)) == NULL)
725 {
726 SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_ASN1,ERR_R_ASN1_LIB);
727 return(0);
728 }
729
730 ret=SSL_CTX_use_RSAPrivateKey(ctx,rsa);
731 RSA_free(rsa);
732 return(ret);
733 }
734#endif /* !NO_RSA */
735
736int SSL_CTX_use_PrivateKey(ctx, pkey)
737SSL_CTX *ctx;
738EVP_PKEY *pkey;
739 {
740 CERT *c;
741
742 if (pkey == NULL)
743 {
744 SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY,ERR_R_PASSED_NULL_PARAMETER);
745 return(0);
746 }
747
748 if (ctx->default_cert == NULL)
749 {
750 c=ssl_cert_new();
751 if (c == NULL)
752 {
753 SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY,ERR_R_MALLOC_FAILURE);
754 return(0);
755 }
756 ctx->default_cert=c;
757 }
758 c=ctx->default_cert;
759
760 return(ssl_set_pkey(c,pkey));
761 }
762
763#ifndef NO_STDIO
764int SSL_CTX_use_PrivateKey_file(ctx, file, type)
765SSL_CTX *ctx;
766char *file;
767int type;
768 {
769 int j,ret=0;
770 BIO *in;
771 EVP_PKEY *pkey=NULL;
772
773 in=BIO_new(BIO_s_file_internal());
774 if (in == NULL)
775 {
776 SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE,ERR_R_BUF_LIB);
777 goto end;
778 }
779
780 if (BIO_read_filename(in,file) <= 0)
781 {
782 SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE,ERR_R_SYS_LIB);
783 goto end;
784 }
785 if (type == SSL_FILETYPE_PEM)
786 {
787 j=ERR_R_PEM_LIB;
788 pkey=PEM_read_bio_PrivateKey(in,NULL,
789 ctx->default_passwd_callback);
790 }
791 else
792 {
793 SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE,SSL_R_BAD_SSL_FILETYPE);
794 goto end;
795 }
796 if (pkey == NULL)
797 {
798 SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE,j);
799 goto end;
800 }
801 ret=SSL_CTX_use_PrivateKey(ctx,pkey);
802 EVP_PKEY_free(pkey);
803end:
804 if (in != NULL) BIO_free(in);
805 return(ret);
806 }
807#endif
808
809int SSL_CTX_use_PrivateKey_ASN1(type,ctx,d,len)
810int type;
811SSL_CTX *ctx;
812unsigned char *d;
813long len;
814 {
815 int ret;
816 unsigned char *p;
817 EVP_PKEY *pkey;
818
819 p=d;
820 if ((pkey=d2i_PrivateKey(type,NULL,&p,(long)len)) == NULL)
821 {
822 SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_ASN1,ERR_R_ASN1_LIB);
823 return(0);
824 }
825
826 ret=SSL_CTX_use_PrivateKey(ctx,pkey);
827 EVP_PKEY_free(pkey);
828 return(ret);
829 }
830
831
diff --git a/src/lib/libssl/ssl_sess.c b/src/lib/libssl/ssl_sess.c
new file mode 100644
index 0000000000..8212600e40
--- /dev/null
+++ b/src/lib/libssl/ssl_sess.c
@@ -0,0 +1,582 @@
1/* ssl/ssl_sess.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#include <stdio.h>
60#include "lhash.h"
61#include "rand.h"
62#include "ssl_locl.h"
63
64#ifndef NOPROTO
65static void SSL_SESSION_list_remove(SSL_CTX *ctx, SSL_SESSION *s);
66static void SSL_SESSION_list_add(SSL_CTX *ctx,SSL_SESSION *s);
67#else
68static void SSL_SESSION_list_remove();
69static void SSL_SESSION_list_add();
70#endif
71
72static ssl_session_num=0;
73static STACK *ssl_session_meth=NULL;
74
75SSL_SESSION *SSL_get_session(ssl)
76SSL *ssl;
77 {
78 return(ssl->session);
79 }
80
81int SSL_SESSION_get_ex_new_index(argl,argp,new_func,dup_func,free_func)
82long argl;
83char *argp;
84int (*new_func)();
85int (*dup_func)();
86void (*free_func)();
87 {
88 ssl_session_num++;
89 return(CRYPTO_get_ex_new_index(ssl_session_num-1,
90 &ssl_session_meth,
91 argl,argp,new_func,dup_func,free_func));
92 }
93
94int SSL_SESSION_set_ex_data(s,idx,arg)
95SSL_SESSION *s;
96int idx;
97char *arg;
98 {
99 return(CRYPTO_set_ex_data(&s->ex_data,idx,arg));
100 }
101
102char *SSL_SESSION_get_ex_data(s,idx)
103SSL_SESSION *s;
104int idx;
105 {
106 return(CRYPTO_get_ex_data(&s->ex_data,idx));
107 }
108
109SSL_SESSION *SSL_SESSION_new()
110 {
111 SSL_SESSION *ss;
112
113 ss=(SSL_SESSION *)Malloc(sizeof(SSL_SESSION));
114 if (ss == NULL)
115 {
116 SSLerr(SSL_F_SSL_SESSION_NEW,ERR_R_MALLOC_FAILURE);
117 return(0);
118 }
119 memset(ss,0,sizeof(SSL_SESSION));
120
121 ss->references=1;
122 ss->timeout=60*5+4; /* 5 minute timeout by default */
123 ss->time=time(NULL);
124 ss->prev=NULL;
125 ss->next=NULL;
126 CRYPTO_new_ex_data(ssl_session_meth,(char *)ss,&ss->ex_data);
127 return(ss);
128 }
129
130int ssl_get_new_session(s, session)
131SSL *s;
132int session;
133 {
134 SSL_SESSION *ss=NULL;
135
136 if ((ss=SSL_SESSION_new()) == NULL) return(0);
137
138 /* If the context has a default timeout, use it */
139 if (s->ctx->session_timeout != 0)
140 ss->timeout=SSL_get_default_timeout(s);
141
142 if (s->session != NULL)
143 {
144 SSL_SESSION_free(s->session);
145 s->session=NULL;
146 }
147
148 if (session)
149 {
150 if (s->version == SSL2_CLIENT_VERSION)
151 {
152 ss->ssl_version=SSL2_VERSION;
153 ss->session_id_length=SSL2_SSL_SESSION_ID_LENGTH;
154 }
155 else if (s->version == SSL3_VERSION)
156 {
157 ss->ssl_version=SSL3_VERSION;
158 ss->session_id_length=SSL3_SSL_SESSION_ID_LENGTH;
159 }
160 else if (s->version == TLS1_VERSION)
161 {
162 ss->ssl_version=TLS1_VERSION;
163 ss->session_id_length=SSL3_SSL_SESSION_ID_LENGTH;
164 }
165 else
166 {
167 SSLerr(SSL_F_SSL_GET_NEW_SESSION,SSL_R_UNSUPPORTED_SSL_VERSION);
168 SSL_SESSION_free(ss);
169 return(0);
170 }
171
172 for (;;)
173 {
174 SSL_SESSION *r;
175
176 RAND_bytes(ss->session_id,ss->session_id_length);
177 CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX);
178 r=(SSL_SESSION *)lh_retrieve(s->ctx->sessions,
179 (char *)ss);
180 CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX);
181 if (r == NULL) break;
182 /* else - woops a session_id match */
183 }
184 }
185 else
186 {
187 ss->session_id_length=0;
188 }
189
190 s->session=ss;
191 ss->ssl_version=s->version;
192
193 return(1);
194 }
195
196int ssl_get_prev_session(s,session_id,len)
197SSL *s;
198unsigned char *session_id;
199int len;
200 {
201 SSL_SESSION *ret=NULL,data;
202
203 /* conn_init();*/
204 data.ssl_version=s->version;
205 data.session_id_length=len;
206 if (len > SSL_MAX_SSL_SESSION_ID_LENGTH)
207 return(0);
208 memcpy(data.session_id,session_id,len);;
209
210 if (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_NO_INTERNAL_LOOKUP))
211 {
212 CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX);
213 ret=(SSL_SESSION *)lh_retrieve(s->ctx->sessions,(char *)&data);
214 CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX);
215 }
216
217 if (ret == NULL)
218 {
219 int copy=1;
220
221 s->ctx->sess_miss++;
222 ret=NULL;
223 if ((s->ctx->get_session_cb != NULL) &&
224 ((ret=s->ctx->get_session_cb(s,session_id,len,&copy))
225 != NULL))
226 {
227 s->ctx->sess_cb_hit++;
228
229 /* The following should not return 1, otherwise,
230 * things are very strange */
231 SSL_CTX_add_session(s->ctx,ret);
232 /* auto free it */
233 if (!copy)
234 SSL_SESSION_free(ret);
235 }
236 if (ret == NULL) return(0);
237 }
238
239 if (ret->cipher == NULL)
240 {
241 char buf[5],*p;
242 unsigned long l;
243
244 p=buf;
245 l=ret->cipher_id;
246 l2n(l,p);
247 if ((ret->ssl_version>>8) == SSL3_VERSION_MAJOR)
248 ret->cipher=ssl_get_cipher_by_char(s,&(buf[2]));
249 else
250 ret->cipher=ssl_get_cipher_by_char(s,&(buf[1]));
251 if (ret->cipher == NULL)
252 return(0);
253 }
254
255 /* If a thread got the session, then 'swaped', and another got
256 * it and then due to a time-out decided to 'Free' it we could
257 * be in trouble. So I'll increment it now, then double decrement
258 * later - am I speaking rubbish?. */
259 CRYPTO_add(&ret->references,1,CRYPTO_LOCK_SSL_SESSION);
260
261 if ((long)(ret->time+ret->timeout) < (long)time(NULL)) /* timeout */
262 {
263 s->ctx->sess_timeout++;
264 /* remove it from the cache */
265 SSL_CTX_remove_session(s->ctx,ret);
266 SSL_SESSION_free(ret); /* again to actually Free it */
267 return(0);
268 }
269
270 s->ctx->sess_hit++;
271
272 /* ret->time=time(NULL); */ /* rezero timeout? */
273 /* again, just leave the session
274 * if it is the same session, we have just incremented and
275 * then decremented the reference count :-) */
276 if (s->session != NULL)
277 SSL_SESSION_free(s->session);
278 s->session=ret;
279 return(1);
280 }
281
282int SSL_CTX_add_session(ctx,c)
283SSL_CTX *ctx;
284SSL_SESSION *c;
285 {
286 int ret=0;
287 SSL_SESSION *s;
288
289 /* conn_init(); */
290 CRYPTO_add(&c->references,1,CRYPTO_LOCK_SSL_SESSION);
291
292 CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
293 s=(SSL_SESSION *)lh_insert(ctx->sessions,(char *)c);
294
295 /* Put on the end of the queue unless it is already in the cache */
296 if (s == NULL)
297 SSL_SESSION_list_add(ctx,c);
298
299 /* If the same session if is being 're-added', Free the old
300 * one when the last person stops using it.
301 * This will also work if it is alread in the cache.
302 * The references will go up and then down :-) */
303 if (s != NULL)
304 {
305 SSL_SESSION_free(s);
306 ret=0;
307 }
308 else
309 {
310 ret=1;
311
312 if (SSL_CTX_sess_get_cache_size(ctx) > 0)
313 {
314 while (SSL_CTX_sess_number(ctx) >
315 SSL_CTX_sess_get_cache_size(ctx))
316 {
317 if (!SSL_CTX_remove_session(ctx,
318 ctx->session_cache_tail))
319 break;
320 else
321 ctx->sess_cache_full++;
322 }
323 }
324 }
325 CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
326 return(ret);
327 }
328
329int SSL_CTX_remove_session(ctx,c)
330SSL_CTX *ctx;
331SSL_SESSION *c;
332 {
333 SSL_SESSION *r;
334 int ret=0;
335
336 if ((c != NULL) && (c->session_id_length != 0))
337 {
338 CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
339 r=(SSL_SESSION *)lh_delete(ctx->sessions,(char *)c);
340 if (r != NULL)
341 {
342 ret=1;
343 SSL_SESSION_list_remove(ctx,c);
344 }
345
346 CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
347
348 if (ret)
349 {
350 r->not_resumable=1;
351 if (ctx->remove_session_cb != NULL)
352 ctx->remove_session_cb(ctx,r);
353 SSL_SESSION_free(r);
354 }
355 }
356 else
357 ret=0;
358 return(ret);
359 }
360
361void SSL_SESSION_free(ss)
362SSL_SESSION *ss;
363 {
364 int i;
365
366 i=CRYPTO_add(&ss->references,-1,CRYPTO_LOCK_SSL_SESSION);
367#ifdef REF_PRINT
368 REF_PRINT("SSL_SESSION",ss);
369#endif
370 if (i > 0) return;
371#ifdef REF_CHECK
372 if (i < 0)
373 {
374 fprintf(stderr,"SSL_SESSION_free, bad reference count\n");
375 abort(); /* ok */
376 }
377#endif
378
379 CRYPTO_free_ex_data(ssl_session_meth,(char *)ss,&ss->ex_data);
380
381 memset(ss->key_arg,0,SSL_MAX_KEY_ARG_LENGTH);
382 memset(ss->master_key,0,SSL_MAX_MASTER_KEY_LENGTH);
383 memset(ss->session_id,0,SSL_MAX_SSL_SESSION_ID_LENGTH);
384 if (ss->cert != NULL) ssl_cert_free(ss->cert);
385 if (ss->peer != NULL) X509_free(ss->peer);
386 if (ss->ciphers != NULL) sk_free(ss->ciphers);
387 memset(ss,0,sizeof(*ss));
388 Free(ss);
389 }
390
391int SSL_set_session(s, session)
392SSL *s;
393SSL_SESSION *session;
394 {
395 int ret=0;
396 SSL_METHOD *meth;
397
398 if (session != NULL)
399 {
400 meth=s->ctx->method->get_ssl_method(session->ssl_version);
401 if (meth == NULL)
402 meth=s->method->get_ssl_method(session->ssl_version);
403 if (meth == NULL)
404 {
405 SSLerr(SSL_F_SSL_SET_SESSION,SSL_R_UNABLE_TO_FIND_SSL_METHOD);
406 return(0);
407 }
408
409 if (meth != s->method)
410 {
411 if (!SSL_set_ssl_method(s,meth))
412 return(0);
413 session->timeout=SSL_get_default_timeout(s);
414 }
415
416 /* CRYPTO_w_lock(CRYPTO_LOCK_SSL);*/
417 CRYPTO_add(&session->references,1,CRYPTO_LOCK_SSL_SESSION);
418 if (s->session != NULL)
419 SSL_SESSION_free(s->session);
420 s->session=session;
421 /* CRYPTO_w_unlock(CRYPTO_LOCK_SSL);*/
422 ret=1;
423 }
424 else
425 {
426 if (s->session != NULL)
427 {
428 SSL_SESSION_free(s->session);
429 s->session=NULL;
430 }
431 }
432 return(ret);
433 }
434
435long SSL_SESSION_set_timeout(s,t)
436SSL_SESSION *s;
437long t;
438 {
439 if (s == NULL) return(0);
440 s->timeout=t;
441 return(1);
442 }
443
444long SSL_SESSION_get_timeout(s)
445SSL_SESSION *s;
446 {
447 if (s == NULL) return(0);
448 return(s->timeout);
449 }
450
451long SSL_SESSION_get_time(s)
452SSL_SESSION *s;
453 {
454 if (s == NULL) return(0);
455 return(s->time);
456 }
457
458long SSL_SESSION_set_time(s,t)
459SSL_SESSION *s;
460long t;
461 {
462 if (s == NULL) return(0);
463 s->time=t;
464 return(t);
465 }
466
467typedef struct timeout_param_st
468 {
469 SSL_CTX *ctx;
470 long time;
471 LHASH *cache;
472 } TIMEOUT_PARAM;
473
474static void timeout(s,p)
475SSL_SESSION *s;
476TIMEOUT_PARAM *p;
477 {
478 if ((p->time == 0) || (p->time > (s->time+s->timeout))) /* timeout */
479 {
480 /* The reason we don't call SSL_CTX_remove_session() is to
481 * save on locking overhead */
482 lh_delete(p->cache,(char *)s);
483 SSL_SESSION_list_remove(p->ctx,s);
484 s->not_resumable=1;
485 if (p->ctx->remove_session_cb != NULL)
486 p->ctx->remove_session_cb(p->ctx,s);
487 SSL_SESSION_free(s);
488 }
489 }
490
491void SSL_CTX_flush_sessions(s,t)
492SSL_CTX *s;
493long t;
494 {
495 unsigned long i;
496 TIMEOUT_PARAM tp;
497
498 tp.ctx=s;
499 tp.cache=SSL_CTX_sessions(s);
500 if (tp.cache == NULL) return;
501 tp.time=t;
502 CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
503 i=tp.cache->down_load;
504 tp.cache->down_load=0;
505 lh_doall_arg(tp.cache,(void (*)())timeout,(char *)&tp);
506 tp.cache->down_load=i;
507 CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
508 }
509
510int ssl_clear_bad_session(s)
511SSL *s;
512 {
513 if ( (s->session != NULL) &&
514 !(s->shutdown & SSL_SENT_SHUTDOWN) &&
515 !(SSL_in_init(s) || SSL_in_before(s)))
516 {
517 SSL_CTX_remove_session(s->ctx,s->session);
518 return(1);
519 }
520 else
521 return(0);
522 }
523
524/* locked by SSL_CTX in the calling function */
525static void SSL_SESSION_list_remove(ctx,s)
526SSL_CTX *ctx;
527SSL_SESSION *s;
528 {
529 if ((s->next == NULL) || (s->prev == NULL)) return;
530
531 if (s->next == (SSL_SESSION *)&(ctx->session_cache_tail))
532 { /* last element in list */
533 if (s->prev == (SSL_SESSION *)&(ctx->session_cache_head))
534 { /* only one element in list */
535 ctx->session_cache_head=NULL;
536 ctx->session_cache_tail=NULL;
537 }
538 else
539 {
540 ctx->session_cache_tail=s->prev;
541 s->prev->next=(SSL_SESSION *)&(ctx->session_cache_tail);
542 }
543 }
544 else
545 {
546 if (s->prev == (SSL_SESSION *)&(ctx->session_cache_head))
547 { /* first element in list */
548 ctx->session_cache_head=s->next;
549 s->next->prev=(SSL_SESSION *)&(ctx->session_cache_head);
550 }
551 else
552 { /* middle of list */
553 s->next->prev=s->prev;
554 s->prev->next=s->next;
555 }
556 }
557 s->prev=s->next=NULL;
558 }
559
560static void SSL_SESSION_list_add(ctx,s)
561SSL_CTX *ctx;
562SSL_SESSION *s;
563 {
564 if ((s->next != NULL) && (s->prev != NULL))
565 SSL_SESSION_list_remove(ctx,s);
566
567 if (ctx->session_cache_head == NULL)
568 {
569 ctx->session_cache_head=s;
570 ctx->session_cache_tail=s;
571 s->prev=(SSL_SESSION *)&(ctx->session_cache_head);
572 s->next=(SSL_SESSION *)&(ctx->session_cache_tail);
573 }
574 else
575 {
576 s->next=ctx->session_cache_head;
577 s->next->prev=s;
578 s->prev=(SSL_SESSION *)&(ctx->session_cache_head);
579 ctx->session_cache_head=s;
580 }
581 }
582
diff --git a/src/lib/libssl/ssl_stat.c b/src/lib/libssl/ssl_stat.c
new file mode 100644
index 0000000000..a1daf25dd4
--- /dev/null
+++ b/src/lib/libssl/ssl_stat.c
@@ -0,0 +1,458 @@
1/* ssl/ssl_stat.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#include <stdio.h>
60#include "ssl_locl.h"
61
62char *SSL_state_string_long(s)
63SSL *s;
64 {
65 char *str;
66
67 switch (s->state)
68 {
69case SSL_ST_BEFORE: str="before SSL initalisation"; break;
70case SSL_ST_ACCEPT: str="before accept initalisation"; break;
71case SSL_ST_CONNECT: str="before connect initalisation"; break;
72case SSL_ST_OK: str="SSL negotiation finished successfully"; break;
73case SSL_ST_RENEGOTIATE: str="SSL renegotiate ciphers"; break;
74case SSL_ST_BEFORE|SSL_ST_CONNECT: str="before/connect initalisation"; break;
75case SSL_ST_OK|SSL_ST_CONNECT: str="ok/connect SSL initalisation"; break;
76case SSL_ST_BEFORE|SSL_ST_ACCEPT: str="before/accept initalisation"; break;
77case SSL_ST_OK|SSL_ST_ACCEPT: str="ok/accept SSL initalisation"; break;
78#ifndef NO_SSL2
79case SSL2_ST_CLIENT_START_ENCRYPTION: str="SSLv2 client start encryption"; break;
80case SSL2_ST_SERVER_START_ENCRYPTION: str="SSLv2 server start encryption"; break;
81case SSL2_ST_SEND_CLIENT_HELLO_A: str="SSLv2 write client hello A"; break;
82case SSL2_ST_SEND_CLIENT_HELLO_B: str="SSLv2 write client hello B"; break;
83case SSL2_ST_GET_SERVER_HELLO_A: str="SSLv2 read server hello A"; break;
84case SSL2_ST_GET_SERVER_HELLO_B: str="SSLv2 read server hello B"; break;
85case SSL2_ST_SEND_CLIENT_MASTER_KEY_A: str="SSLv2 write client master key A"; break;
86case SSL2_ST_SEND_CLIENT_MASTER_KEY_B: str="SSLv2 write client master key B"; break;
87case SSL2_ST_SEND_CLIENT_FINISHED_A: str="SSLv2 write client finished A"; break;
88case SSL2_ST_SEND_CLIENT_FINISHED_B: str="SSLv2 write client finished B"; break;
89case SSL2_ST_SEND_CLIENT_CERTIFICATE_A: str="SSLv2 write client certificate A"; break;
90case SSL2_ST_SEND_CLIENT_CERTIFICATE_B: str="SSLv2 write client certificate B"; break;
91case SSL2_ST_SEND_CLIENT_CERTIFICATE_C: str="SSLv2 write client certificate C"; break;
92case SSL2_ST_SEND_CLIENT_CERTIFICATE_D: str="SSLv2 write client certificate D"; break;
93case SSL2_ST_GET_SERVER_VERIFY_A: str="SSLv2 read server verify A"; break;
94case SSL2_ST_GET_SERVER_VERIFY_B: str="SSLv2 read server verify B"; break;
95case SSL2_ST_GET_SERVER_FINISHED_A: str="SSLv2 read server finished A"; break;
96case SSL2_ST_GET_SERVER_FINISHED_B: str="SSLv2 read server finished B"; break;
97case SSL2_ST_GET_CLIENT_HELLO_A: str="SSLv2 read client hello A"; break;
98case SSL2_ST_GET_CLIENT_HELLO_B: str="SSLv2 read client hello B"; break;
99case SSL2_ST_GET_CLIENT_HELLO_C: str="SSLv2 read client hello C"; break;
100case SSL2_ST_SEND_SERVER_HELLO_A: str="SSLv2 write server hello A"; break;
101case SSL2_ST_SEND_SERVER_HELLO_B: str="SSLv2 write server hello B"; break;
102case SSL2_ST_GET_CLIENT_MASTER_KEY_A: str="SSLv2 read client master key A"; break;
103case SSL2_ST_GET_CLIENT_MASTER_KEY_B: str="SSLv2 read client master key B"; break;
104case SSL2_ST_SEND_SERVER_VERIFY_A: str="SSLv2 write server verify A"; break;
105case SSL2_ST_SEND_SERVER_VERIFY_B: str="SSLv2 write server verify B"; break;
106case SSL2_ST_SEND_SERVER_VERIFY_C: str="SSLv2 write server verify C"; break;
107case SSL2_ST_GET_CLIENT_FINISHED_A: str="SSLv2 read client finished A"; break;
108case SSL2_ST_GET_CLIENT_FINISHED_B: str="SSLv2 read client finished B"; break;
109case SSL2_ST_SEND_SERVER_FINISHED_A: str="SSLv2 write server finished A"; break;
110case SSL2_ST_SEND_SERVER_FINISHED_B: str="SSLv2 write server finished B"; break;
111case SSL2_ST_SEND_REQUEST_CERTIFICATE_A: str="SSLv2 write request certificate A"; break;
112case SSL2_ST_SEND_REQUEST_CERTIFICATE_B: str="SSLv2 write request certificate B"; break;
113case SSL2_ST_SEND_REQUEST_CERTIFICATE_C: str="SSLv2 write request certificate C"; break;
114case SSL2_ST_SEND_REQUEST_CERTIFICATE_D: str="SSLv2 write request certificate D"; break;
115case SSL2_ST_X509_GET_SERVER_CERTIFICATE: str="SSLv2 X509 read server certificate"; break;
116case SSL2_ST_X509_GET_CLIENT_CERTIFICATE: str="SSLv2 X509 read client certificate"; break;
117#endif
118
119#ifndef NO_SSL3
120/* SSLv3 additions */
121case SSL3_ST_CW_CLNT_HELLO_A: str="SSLv3 write client hello A"; break;
122case SSL3_ST_CW_CLNT_HELLO_B: str="SSLv3 write client hello B"; break;
123case SSL3_ST_CR_SRVR_HELLO_A: str="SSLv3 read server hello A"; break;
124case SSL3_ST_CR_SRVR_HELLO_B: str="SSLv3 read server hello B"; break;
125case SSL3_ST_CR_CERT_A: str="SSLv3 read server certificate A"; break;
126case SSL3_ST_CR_CERT_B: str="SSLv3 read server certificate B"; break;
127case SSL3_ST_CR_KEY_EXCH_A: str="SSLv3 read server key exchange A"; break;
128case SSL3_ST_CR_KEY_EXCH_B: str="SSLv3 read server key exchange B"; break;
129case SSL3_ST_CR_CERT_REQ_A: str="SSLv3 read server certificate request A"; break;
130case SSL3_ST_CR_CERT_REQ_B: str="SSLv3 read server certificate request B"; break;
131case SSL3_ST_CR_SRVR_DONE_A: str="SSLv3 read server done A"; break;
132case SSL3_ST_CR_SRVR_DONE_B: str="SSLv3 read server done B"; break;
133case SSL3_ST_CW_CERT_A: str="SSLv3 write client certificate A"; break;
134case SSL3_ST_CW_CERT_B: str="SSLv3 write client certificate B"; break;
135case SSL3_ST_CW_KEY_EXCH_A: str="SSLv3 write client key exchange A"; break;
136case SSL3_ST_CW_KEY_EXCH_B: str="SSLv3 write client key exchange B"; break;
137case SSL3_ST_CW_CERT_VRFY_A: str="SSLv3 write certificate verify A"; break;
138case SSL3_ST_CW_CERT_VRFY_B: str="SSLv3 write certificate verify A"; break;
139
140case SSL3_ST_CW_CHANGE_A:
141case SSL3_ST_SW_CHANGE_A: str="SSLv3 write change cipher spec A"; break;
142case SSL3_ST_CW_CHANGE_B:
143case SSL3_ST_SW_CHANGE_B: str="SSLv3 write change cipher spec B"; break;
144case SSL3_ST_CW_FINISHED_A:
145case SSL3_ST_SW_FINISHED_A: str="SSLv3 write finished A"; break;
146case SSL3_ST_CW_FINISHED_B:
147case SSL3_ST_SW_FINISHED_B: str="SSLv3 write finished A"; break;
148case SSL3_ST_CR_CHANGE_A:
149case SSL3_ST_SR_CHANGE_A: str="SSLv3 read change cipher spec A"; break;
150case SSL3_ST_CR_CHANGE_B:
151case SSL3_ST_SR_CHANGE_B: str="SSLv3 read change cipher spec B"; break;
152case SSL3_ST_CR_FINISHED_A:
153case SSL3_ST_SR_FINISHED_A: str="SSLv3 read finished A"; break;
154case SSL3_ST_CR_FINISHED_B:
155case SSL3_ST_SR_FINISHED_B: str="SSLv3 read finished B"; break;
156
157case SSL3_ST_CW_FLUSH:
158case SSL3_ST_SW_FLUSH: str="SSLv3 flush data"; break;
159
160case SSL3_ST_SR_CLNT_HELLO_A: str="SSLv3 read client hello A"; break;
161case SSL3_ST_SR_CLNT_HELLO_B: str="SSLv3 read client hello B"; break;
162case SSL3_ST_SR_CLNT_HELLO_C: str="SSLv3 read client hello C"; break;
163case SSL3_ST_SW_HELLO_REQ_A: str="SSLv3 write hello request A"; break;
164case SSL3_ST_SW_HELLO_REQ_B: str="SSLv3 write hello request B"; break;
165case SSL3_ST_SW_HELLO_REQ_C: str="SSLv3 write hello request C"; break;
166case SSL3_ST_SW_SRVR_HELLO_A: str="SSLv3 write server hello A"; break;
167case SSL3_ST_SW_SRVR_HELLO_B: str="SSLv3 write server hello B"; break;
168case SSL3_ST_SW_CERT_A: str="SSLv3 write certificate A"; break;
169case SSL3_ST_SW_CERT_B: str="SSLv3 write certificate B"; break;
170case SSL3_ST_SW_KEY_EXCH_A: str="SSLv3 write key exchange A"; break;
171case SSL3_ST_SW_KEY_EXCH_B: str="SSLv3 write key exchange B"; break;
172case SSL3_ST_SW_CERT_REQ_A: str="SSLv3 write certificate request A"; break;
173case SSL3_ST_SW_CERT_REQ_B: str="SSLv3 write certificate request B"; break;
174case SSL3_ST_SW_SRVR_DONE_A: str="SSLv3 write server done A"; break;
175case SSL3_ST_SW_SRVR_DONE_B: str="SSLv3 write server done B"; break;
176case SSL3_ST_SR_CERT_A: str="SSLv3 read client certificate A"; break;
177case SSL3_ST_SR_CERT_B: str="SSLv3 read client certificate B"; break;
178case SSL3_ST_SR_KEY_EXCH_A: str="SSLv3 read client key exchange A"; break;
179case SSL3_ST_SR_KEY_EXCH_B: str="SSLv3 read client key exchange B"; break;
180case SSL3_ST_SR_CERT_VRFY_A: str="SSLv3 read certificate verify A"; break;
181case SSL3_ST_SR_CERT_VRFY_B: str="SSLv3 read certificate verify B"; break;
182#endif
183
184#if !defined(NO_SSL2) && !defined(NO_SSL3)
185/* SSLv2/v3 compatablitity states */
186/* client */
187case SSL23_ST_CW_CLNT_HELLO_A: str="SSLv2/v3 write client hello A"; break;
188case SSL23_ST_CW_CLNT_HELLO_B: str="SSLv2/v3 write client hello B"; break;
189case SSL23_ST_CR_SRVR_HELLO_A: str="SSLv2/v3 read server hello A"; break;
190case SSL23_ST_CR_SRVR_HELLO_B: str="SSLv2/v3 read server hello B"; break;
191/* server */
192case SSL23_ST_SR_CLNT_HELLO_A: str="SSLv2/v3 read client hello A"; break;
193case SSL23_ST_SR_CLNT_HELLO_B: str="SSLv2/v3 read client hello B"; break;
194#endif
195
196default: str="unknown state"; break;
197 }
198 return(str);
199 }
200
201char *SSL_rstate_string_long(s)
202SSL *s;
203 {
204 char *str;
205
206 switch (s->rstate)
207 {
208 case SSL_ST_READ_HEADER: str="read header"; break;
209 case SSL_ST_READ_BODY: str="read body"; break;
210 case SSL_ST_READ_DONE: str="read done"; break;
211 default: str="unknown"; break;
212 }
213 return(str);
214 }
215
216char *SSL_state_string(s)
217SSL *s;
218 {
219 char *str;
220
221 switch (s->state)
222 {
223case SSL_ST_BEFORE: str="PINIT "; break;
224case SSL_ST_ACCEPT: str="AINIT "; break;
225case SSL_ST_CONNECT: str="CINIT "; break;
226case SSL_ST_OK: str="SSLOK "; break;
227#ifndef NO_SSL2
228case SSL2_ST_CLIENT_START_ENCRYPTION: str="2CSENC"; break;
229case SSL2_ST_SERVER_START_ENCRYPTION: str="2SSENC"; break;
230case SSL2_ST_SEND_CLIENT_HELLO_A: str="2SCH_A"; break;
231case SSL2_ST_SEND_CLIENT_HELLO_B: str="2SCH_B"; break;
232case SSL2_ST_GET_SERVER_HELLO_A: str="2GSH_A"; break;
233case SSL2_ST_GET_SERVER_HELLO_B: str="2GSH_B"; break;
234case SSL2_ST_SEND_CLIENT_MASTER_KEY_A: str="2SCMKA"; break;
235case SSL2_ST_SEND_CLIENT_MASTER_KEY_B: str="2SCMKB"; break;
236case SSL2_ST_SEND_CLIENT_FINISHED_A: str="2SCF_A"; break;
237case SSL2_ST_SEND_CLIENT_FINISHED_B: str="2SCF_B"; break;
238case SSL2_ST_SEND_CLIENT_CERTIFICATE_A: str="2SCC_A"; break;
239case SSL2_ST_SEND_CLIENT_CERTIFICATE_B: str="2SCC_B"; break;
240case SSL2_ST_SEND_CLIENT_CERTIFICATE_C: str="2SCC_C"; break;
241case SSL2_ST_SEND_CLIENT_CERTIFICATE_D: str="2SCC_D"; break;
242case SSL2_ST_GET_SERVER_VERIFY_A: str="2GSV_A"; break;
243case SSL2_ST_GET_SERVER_VERIFY_B: str="2GSV_B"; break;
244case SSL2_ST_GET_SERVER_FINISHED_A: str="2GSF_A"; break;
245case SSL2_ST_GET_SERVER_FINISHED_B: str="2GSF_B"; break;
246case SSL2_ST_GET_CLIENT_HELLO_A: str="2GCH_A"; break;
247case SSL2_ST_GET_CLIENT_HELLO_B: str="2GCH_B"; break;
248case SSL2_ST_GET_CLIENT_HELLO_C: str="2GCH_C"; break;
249case SSL2_ST_SEND_SERVER_HELLO_A: str="2SSH_A"; break;
250case SSL2_ST_SEND_SERVER_HELLO_B: str="2SSH_B"; break;
251case SSL2_ST_GET_CLIENT_MASTER_KEY_A: str="2GCMKA"; break;
252case SSL2_ST_GET_CLIENT_MASTER_KEY_B: str="2GCMKA"; break;
253case SSL2_ST_SEND_SERVER_VERIFY_A: str="2SSV_A"; break;
254case SSL2_ST_SEND_SERVER_VERIFY_B: str="2SSV_B"; break;
255case SSL2_ST_SEND_SERVER_VERIFY_C: str="2SSV_C"; break;
256case SSL2_ST_GET_CLIENT_FINISHED_A: str="2GCF_A"; break;
257case SSL2_ST_GET_CLIENT_FINISHED_B: str="2GCF_B"; break;
258case SSL2_ST_SEND_SERVER_FINISHED_A: str="2SSF_A"; break;
259case SSL2_ST_SEND_SERVER_FINISHED_B: str="2SSF_B"; break;
260case SSL2_ST_SEND_REQUEST_CERTIFICATE_A: str="2SRC_A"; break;
261case SSL2_ST_SEND_REQUEST_CERTIFICATE_B: str="2SRC_B"; break;
262case SSL2_ST_SEND_REQUEST_CERTIFICATE_C: str="2SRC_C"; break;
263case SSL2_ST_SEND_REQUEST_CERTIFICATE_D: str="2SRC_D"; break;
264case SSL2_ST_X509_GET_SERVER_CERTIFICATE: str="2X9GSC"; break;
265case SSL2_ST_X509_GET_CLIENT_CERTIFICATE: str="2X9GCC"; break;
266#endif
267
268#ifndef NO_SSL3
269/* SSLv3 additions */
270case SSL3_ST_SW_FLUSH:
271case SSL3_ST_CW_FLUSH: str="3FLUSH"; break;
272case SSL3_ST_CW_CLNT_HELLO_A: str="3WCH_A"; break;
273case SSL3_ST_CW_CLNT_HELLO_B: str="3WCH_B"; break;
274case SSL3_ST_CR_SRVR_HELLO_A: str="3RSH_A"; break;
275case SSL3_ST_CR_SRVR_HELLO_B: str="3RSH_B"; break;
276case SSL3_ST_CR_CERT_A: str="3RSC_A"; break;
277case SSL3_ST_CR_CERT_B: str="3RSC_B"; break;
278case SSL3_ST_CR_KEY_EXCH_A: str="3RSKEA"; break;
279case SSL3_ST_CR_KEY_EXCH_B: str="3RSKEB"; break;
280case SSL3_ST_CR_CERT_REQ_A: str="3RCR_A"; break;
281case SSL3_ST_CR_CERT_REQ_B: str="3RCR_B"; break;
282case SSL3_ST_CR_SRVR_DONE_A: str="3RSD_A"; break;
283case SSL3_ST_CR_SRVR_DONE_B: str="3RSD_B"; break;
284case SSL3_ST_CW_CERT_A: str="3WCC_A"; break;
285case SSL3_ST_CW_CERT_B: str="3WCC_B"; break;
286case SSL3_ST_CW_KEY_EXCH_A: str="3WCKEA"; break;
287case SSL3_ST_CW_KEY_EXCH_B: str="3WCKEB"; break;
288case SSL3_ST_CW_CERT_VRFY_A: str="3WCV_A"; break;
289case SSL3_ST_CW_CERT_VRFY_B: str="3WCV_B"; break;
290
291case SSL3_ST_SW_CHANGE_A:
292case SSL3_ST_CW_CHANGE_A: str="3WCCSA"; break;
293case SSL3_ST_SW_CHANGE_B:
294case SSL3_ST_CW_CHANGE_B: str="3WCCSB"; break;
295case SSL3_ST_SW_FINISHED_A:
296case SSL3_ST_CW_FINISHED_A: str="3WFINA"; break;
297case SSL3_ST_SW_FINISHED_B:
298case SSL3_ST_CW_FINISHED_B: str="3WFINB"; break;
299case SSL3_ST_SR_CHANGE_A:
300case SSL3_ST_CR_CHANGE_A: str="3RCCSA"; break;
301case SSL3_ST_SR_CHANGE_B:
302case SSL3_ST_CR_CHANGE_B: str="3RCCSB"; break;
303case SSL3_ST_SR_FINISHED_A:
304case SSL3_ST_CR_FINISHED_A: str="3RFINA"; break;
305case SSL3_ST_SR_FINISHED_B:
306case SSL3_ST_CR_FINISHED_B: str="3RFINB"; break;
307
308case SSL3_ST_SW_HELLO_REQ_A: str="3WHR_A"; break;
309case SSL3_ST_SW_HELLO_REQ_B: str="3WHR_B"; break;
310case SSL3_ST_SW_HELLO_REQ_C: str="3WHR_C"; break;
311case SSL3_ST_SR_CLNT_HELLO_A: str="3RCH_A"; break;
312case SSL3_ST_SR_CLNT_HELLO_B: str="3RCH_B"; break;
313case SSL3_ST_SR_CLNT_HELLO_C: str="3RCH_C"; break;
314case SSL3_ST_SW_SRVR_HELLO_A: str="3WSH_A"; break;
315case SSL3_ST_SW_SRVR_HELLO_B: str="3WSH_B"; break;
316case SSL3_ST_SW_CERT_A: str="3WSC_A"; break;
317case SSL3_ST_SW_CERT_B: str="3WSC_B"; break;
318case SSL3_ST_SW_KEY_EXCH_A: str="3WSKEA"; break;
319case SSL3_ST_SW_KEY_EXCH_B: str="3WSKEB"; break;
320case SSL3_ST_SW_CERT_REQ_A: str="3WCR_A"; break;
321case SSL3_ST_SW_CERT_REQ_B: str="3WCR_B"; break;
322case SSL3_ST_SW_SRVR_DONE_A: str="3WSD_A"; break;
323case SSL3_ST_SW_SRVR_DONE_B: str="3WSD_B"; break;
324case SSL3_ST_SR_CERT_A: str="3RCC_A"; break;
325case SSL3_ST_SR_CERT_B: str="3RCC_B"; break;
326case SSL3_ST_SR_KEY_EXCH_A: str="3RCKEA"; break;
327case SSL3_ST_SR_KEY_EXCH_B: str="3RCKEB"; break;
328case SSL3_ST_SR_CERT_VRFY_A: str="3RCV_A"; break;
329case SSL3_ST_SR_CERT_VRFY_B: str="3RCV_B"; break;
330#endif
331
332#if !defined(NO_SSL2) && !defined(NO_SSL3)
333/* SSLv2/v3 compatablitity states */
334/* client */
335case SSL23_ST_CW_CLNT_HELLO_A: str="23WCHA"; break;
336case SSL23_ST_CW_CLNT_HELLO_B: str="23WCHB"; break;
337case SSL23_ST_CR_SRVR_HELLO_A: str="23RSHA"; break;
338case SSL23_ST_CR_SRVR_HELLO_B: str="23RSHA"; break;
339/* server */
340case SSL23_ST_SR_CLNT_HELLO_A: str="23RCHA"; break;
341case SSL23_ST_SR_CLNT_HELLO_B: str="23RCHB"; break;
342#endif
343
344default: str="UNKWN "; break;
345 }
346 return(str);
347 }
348
349char *SSL_alert_type_string_long(value)
350int value;
351 {
352 value>>=8;
353 if (value == SSL3_AL_WARNING)
354 return("warning");
355 else if (value == SSL3_AL_FATAL)
356 return("fatal");
357 else
358 return("unknown");
359 }
360
361char *SSL_alert_type_string(value)
362int value;
363 {
364 value>>=8;
365 if (value == SSL3_AL_WARNING)
366 return("W");
367 else if (value == SSL3_AL_FATAL)
368 return("F");
369 else
370 return("U");
371 }
372
373char *SSL_alert_desc_string(value)
374int value;
375 {
376 char *str;
377
378 switch (value & 0xff)
379 {
380 case SSL3_AD_CLOSE_NOTIFY: str="CN"; break;
381 case SSL3_AD_UNEXPECTED_MESSAGE: str="UM"; break;
382 case SSL3_AD_BAD_RECORD_MAC: str="BM"; break;
383 case SSL3_AD_DECOMPRESSION_FAILURE: str="DF"; break;
384 case SSL3_AD_HANDSHAKE_FAILURE: str="HF"; break;
385 case SSL3_AD_NO_CERTIFICATE: str="NC"; break;
386 case SSL3_AD_BAD_CERTIFICATE: str="BC"; break;
387 case SSL3_AD_UNSUPPORTED_CERTIFICATE: str="UC"; break;
388 case SSL3_AD_CERTIFICATE_REVOKED: str="CR"; break;
389 case SSL3_AD_CERTIFICATE_EXPIRED: str="CE"; break;
390 case SSL3_AD_CERTIFICATE_UNKNOWN: str="CU"; break;
391 case SSL3_AD_ILLEGAL_PARAMETER: str="IP"; break;
392 default: str="UK"; break;
393 }
394 return(str);
395 }
396
397char *SSL_alert_desc_string_long(value)
398int value;
399 {
400 char *str;
401
402 switch (value & 0xff)
403 {
404 case SSL3_AD_CLOSE_NOTIFY:
405 str="close notify";
406 break;
407 case SSL3_AD_UNEXPECTED_MESSAGE:
408 str="unexected_message";
409 break;
410 case SSL3_AD_BAD_RECORD_MAC:
411 str="bad record mac";
412 break;
413 case SSL3_AD_DECOMPRESSION_FAILURE:
414 str="decompression failure";
415 break;
416 case SSL3_AD_HANDSHAKE_FAILURE:
417 str="handshake failure";
418 break;
419 case SSL3_AD_NO_CERTIFICATE:
420 str="no certificate";
421 break;
422 case SSL3_AD_BAD_CERTIFICATE:
423 str="bad certificate";
424 break;
425 case SSL3_AD_UNSUPPORTED_CERTIFICATE:
426 str="unsupported certificate";
427 break;
428 case SSL3_AD_CERTIFICATE_REVOKED:
429 str="certificate revoked";
430 break;
431 case SSL3_AD_CERTIFICATE_EXPIRED:
432 str="certificate expired";
433 break;
434 case SSL3_AD_CERTIFICATE_UNKNOWN:
435 str="certifcate unknown";
436 break;
437 case SSL3_AD_ILLEGAL_PARAMETER:
438 str="illegal parameter";
439 break;
440 default: str="unknown"; break;
441 }
442 return(str);
443 }
444
445char *SSL_rstate_string(s)
446SSL *s;
447 {
448 char *str;
449
450 switch (s->rstate)
451 {
452 case SSL_ST_READ_HEADER:str="RH"; break;
453 case SSL_ST_READ_BODY: str="RB"; break;
454 case SSL_ST_READ_DONE: str="RD"; break;
455 default: str="unknown"; break;
456 }
457 return(str);
458 }
diff --git a/src/lib/libssl/ssl_txt.c b/src/lib/libssl/ssl_txt.c
new file mode 100644
index 0000000000..ce60e1a6dd
--- /dev/null
+++ b/src/lib/libssl/ssl_txt.c
@@ -0,0 +1,152 @@
1/* ssl/ssl_txt.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#include <stdio.h>
60#include "buffer.h"
61#include "ssl_locl.h"
62
63#ifndef NO_FP_API
64int SSL_SESSION_print_fp(fp, x)
65FILE *fp;
66SSL_SESSION *x;
67 {
68 BIO *b;
69 int ret;
70
71 if ((b=BIO_new(BIO_s_file_internal())) == NULL)
72 {
73 SSLerr(SSL_F_SSL_SESSION_PRINT_FP,ERR_R_BUF_LIB);
74 return(0);
75 }
76 BIO_set_fp(b,fp,BIO_NOCLOSE);
77 ret=SSL_SESSION_print(b,x);
78 BIO_free(b);
79 return(ret);
80 }
81#endif
82
83int SSL_SESSION_print(bp,x)
84BIO *bp;
85SSL_SESSION *x;
86 {
87 int i;
88 char str[128],*s;
89
90 if (x == NULL) goto err;
91 if (BIO_puts(bp,"SSL-Session:\n") <= 0) goto err;
92 if (x->ssl_version == SSL2_VERSION)
93 s="SSLv2";
94 else if (x->ssl_version == SSL3_VERSION)
95 s="SSLv3";
96 else if (x->ssl_version == TLS1_VERSION)
97 s="TLSv1";
98 else
99 s="unknown";
100 sprintf(str," Protocol : %s\n",s);
101 if (BIO_puts(bp,str) <= 0) goto err;
102
103 if (x->cipher == NULL)
104 {
105 if (((x->cipher_id) & 0xff000000) == 0x02000000)
106 sprintf(str," Cipher : %06lX\n",x->cipher_id&0xffffff);
107 else
108 sprintf(str," Cipher : %04lX\n",x->cipher_id&0xffff);
109 }
110 else
111 sprintf(str," Cipher : %s\n",(x->cipher == NULL)?"unknown":x->cipher->name);
112 if (BIO_puts(bp,str) <= 0) goto err;
113 if (BIO_puts(bp," Session-ID: ") <= 0) goto err;
114 for (i=0; i<(int)x->session_id_length; i++)
115 {
116 sprintf(str,"%02X",x->session_id[i]);
117 if (BIO_puts(bp,str) <= 0) goto err;
118 }
119 if (BIO_puts(bp,"\n Master-Key: ") <= 0) goto err;
120 for (i=0; i<(int)x->master_key_length; i++)
121 {
122 sprintf(str,"%02X",x->master_key[i]);
123 if (BIO_puts(bp,str) <= 0) goto err;
124 }
125 if (BIO_puts(bp,"\n Key-Arg : ") <= 0) goto err;
126 if (x->key_arg_length == 0)
127 {
128 if (BIO_puts(bp,"None") <= 0) goto err;
129 }
130 else
131 for (i=0; i<(int)x->key_arg_length; i++)
132 {
133 sprintf(str,"%02X",x->key_arg[i]);
134 if (BIO_puts(bp,str) <= 0) goto err;
135 }
136 if (x->time != 0L)
137 {
138 sprintf(str,"\n Start Time: %ld",x->time);
139 if (BIO_puts(bp,str) <= 0) goto err;
140 }
141 if (x->timeout != 0L)
142 {
143 sprintf(str,"\n Timeout : %ld (sec)",x->timeout);
144 if (BIO_puts(bp,str) <= 0) goto err;
145 }
146 if (BIO_puts(bp,"\n") <= 0) goto err;
147
148 return(1);
149err:
150 return(0);
151 }
152
diff --git a/src/lib/libssl/t1_clnt.c b/src/lib/libssl/t1_clnt.c
new file mode 100644
index 0000000000..986d2436e2
--- /dev/null
+++ b/src/lib/libssl/t1_clnt.c
@@ -0,0 +1,90 @@
1/* ssl/t1_clnt.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#include <stdio.h>
60#include "buffer.h"
61#include "rand.h"
62#include "objects.h"
63#include "evp.h"
64#include "ssl_locl.h"
65
66static SSL_METHOD *tls1_get_client_method(ver)
67int ver;
68 {
69 if (ver == TLS1_VERSION)
70 return(TLSv1_client_method());
71 else
72 return(NULL);
73 }
74
75SSL_METHOD *TLSv1_client_method()
76 {
77 static int init=1;
78 static SSL_METHOD TLSv1_client_data;
79
80 if (init)
81 {
82 init=0;
83 memcpy((char *)&TLSv1_client_data,(char *)tlsv1_base_method(),
84 sizeof(SSL_METHOD));
85 TLSv1_client_data.ssl_connect=ssl3_connect;
86 TLSv1_client_data.get_ssl_method=tls1_get_client_method;
87 }
88 return(&TLSv1_client_data);
89 }
90
diff --git a/src/lib/libssl/t1_enc.c b/src/lib/libssl/t1_enc.c
new file mode 100644
index 0000000000..fbdd3bffb5
--- /dev/null
+++ b/src/lib/libssl/t1_enc.c
@@ -0,0 +1,635 @@
1/* ssl/t1_enc.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#include <stdio.h>
60#include "evp.h"
61#include "hmac.h"
62#include "ssl_locl.h"
63
64static void tls1_P_hash(md,sec,sec_len,seed,seed_len,out,olen)
65EVP_MD *md;
66unsigned char *sec;
67int sec_len;
68unsigned char *seed;
69int seed_len;
70unsigned char *out;
71int olen;
72 {
73 int chunk,n;
74 unsigned int j;
75 HMAC_CTX ctx;
76 HMAC_CTX ctx_tmp;
77 unsigned char A1[HMAC_MAX_MD_CBLOCK];
78 unsigned int A1_len;
79
80 chunk=EVP_MD_size(md);
81
82 HMAC_Init(&ctx,sec,sec_len,md);
83 HMAC_Update(&ctx,seed,seed_len);
84 HMAC_Final(&ctx,A1,&A1_len);
85
86 n=0;
87 for (;;)
88 {
89 HMAC_Init(&ctx,NULL,0,NULL); /* re-init */
90 HMAC_Update(&ctx,A1,A1_len);
91 memcpy(&ctx_tmp,&ctx,sizeof(ctx)); /* Copy for A2 */ /* not needed for last one */
92 HMAC_Update(&ctx,seed,seed_len);
93
94 if (olen > chunk)
95 {
96 HMAC_Final(&ctx,out,&j);
97 out+=j;
98 olen-=j;
99 HMAC_Final(&ctx_tmp,A1,&A1_len); /* calc the next A1 value */
100 }
101 else /* last one */
102 {
103 HMAC_Final(&ctx,A1,&A1_len);
104 memcpy(out,A1,olen);
105 break;
106 }
107 }
108 HMAC_cleanup(&ctx);
109 HMAC_cleanup(&ctx_tmp);
110 memset(A1,0,sizeof(A1));
111 }
112
113static void tls1_PRF(md5,sha1,label,label_len,sec,slen,out1,out2,olen)
114EVP_MD *md5;
115EVP_MD *sha1;
116unsigned char *label;
117int label_len;
118unsigned char *sec;
119int slen;
120unsigned char *out1;
121unsigned char *out2;
122int olen;
123 {
124 int len,i;
125 unsigned char *S1,*S2;
126
127 len=slen/2;
128 S1=sec;
129 S2= &(sec[len]);
130 len+=(slen&1); /* add for odd, make longer */
131
132
133 tls1_P_hash(md5 ,S1,len,label,label_len,out1,olen);
134 tls1_P_hash(sha1,S2,len,label,label_len,out2,olen);
135
136 for (i=0; i<olen; i++)
137 out1[i]^=out2[i];
138 }
139
140static void tls1_generate_key_block(s,km,tmp,num)
141SSL *s;
142unsigned char *km,*tmp;
143int num;
144 {
145 unsigned char *p;
146 unsigned char buf[SSL3_RANDOM_SIZE*2+
147 TLS_MD_MAX_CONST_SIZE];
148 p=buf;
149
150 memcpy(p,TLS_MD_KEY_EXPANSION_CONST,
151 TLS_MD_KEY_EXPANSION_CONST_SIZE);
152 p+=TLS_MD_KEY_EXPANSION_CONST_SIZE;
153 memcpy(p,s->s3->server_random,SSL3_RANDOM_SIZE);
154 p+=SSL3_RANDOM_SIZE;
155 memcpy(p,s->s3->client_random,SSL3_RANDOM_SIZE);
156 p+=SSL3_RANDOM_SIZE;
157
158 tls1_PRF(s->ctx->md5,s->ctx->sha1,buf,p-buf,
159 s->session->master_key,s->session->master_key_length,
160 km,tmp,num);
161 }
162
163int tls1_change_cipher_state(s,which)
164SSL *s;
165int which;
166 {
167 unsigned char *p,*key_block,*mac_secret;
168 unsigned char *exp_label,buf[TLS_MD_MAX_CONST_SIZE+
169 SSL3_RANDOM_SIZE*2];
170 unsigned char tmp1[EVP_MAX_KEY_LENGTH];
171 unsigned char tmp2[EVP_MAX_KEY_LENGTH];
172 unsigned char iv1[EVP_MAX_IV_LENGTH*2];
173 unsigned char iv2[EVP_MAX_IV_LENGTH*2];
174 unsigned char *ms,*key,*iv,*er1,*er2;
175 int client_write;
176 EVP_CIPHER_CTX *dd;
177 EVP_CIPHER *c;
178 SSL_COMPRESSION *comp;
179 EVP_MD *m;
180 int exp,n,i,j,k,exp_label_len;
181
182 exp=(s->s3->tmp.new_cipher->algorithms & SSL_EXPORT)?1:0;
183 c=s->s3->tmp.new_sym_enc;
184 m=s->s3->tmp.new_hash;
185 comp=s->s3->tmp.new_compression;
186 key_block=s->s3->tmp.key_block;
187
188 if (which & SSL3_CC_READ)
189 {
190 if ((s->enc_read_ctx == NULL) &&
191 ((s->enc_read_ctx=(EVP_CIPHER_CTX *)
192 Malloc(sizeof(EVP_CIPHER_CTX))) == NULL))
193 goto err;
194 dd= s->enc_read_ctx;
195 s->read_hash=m;
196 s->read_compression=comp;
197 memset(&(s->s3->read_sequence[0]),0,8);
198 mac_secret= &(s->s3->read_mac_secret[0]);
199 }
200 else
201 {
202 if ((s->enc_write_ctx == NULL) &&
203 ((s->enc_write_ctx=(EVP_CIPHER_CTX *)
204 Malloc(sizeof(EVP_CIPHER_CTX))) == NULL))
205 goto err;
206 dd= s->enc_write_ctx;
207 s->write_hash=m;
208 s->write_compression=comp;
209 memset(&(s->s3->write_sequence[0]),0,8);
210 mac_secret= &(s->s3->write_mac_secret[0]);
211 }
212
213 EVP_CIPHER_CTX_init(dd);
214
215 p=s->s3->tmp.key_block;
216 i=EVP_MD_size(m);
217 j=(exp)?5:EVP_CIPHER_key_length(c);
218 k=EVP_CIPHER_iv_length(c);
219 er1= &(s->s3->client_random[0]);
220 er2= &(s->s3->server_random[0]);
221 if ( (which == SSL3_CHANGE_CIPHER_CLIENT_WRITE) ||
222 (which == SSL3_CHANGE_CIPHER_SERVER_READ))
223 {
224 ms= &(p[ 0]); n=i+i;
225 key= &(p[ n]); n+=j+j;
226 iv= &(p[ n]); n+=k+k;
227 exp_label=(unsigned char *)TLS_MD_CLIENT_WRITE_KEY_CONST;
228 exp_label_len=TLS_MD_CLIENT_WRITE_KEY_CONST_SIZE;
229 client_write=1;
230 }
231 else
232 {
233 n=i;
234 ms= &(p[ n]); n+=i+j;
235 key= &(p[ n]); n+=j+k;
236 iv= &(p[ n]); n+=k;
237 exp_label=(unsigned char *)TLS_MD_SERVER_WRITE_KEY_CONST;
238 exp_label_len=TLS_MD_SERVER_WRITE_KEY_CONST_SIZE;
239 client_write=0;
240 }
241
242 if (n > s->s3->tmp.key_block_length)
243 {
244 SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE,SSL_R_INTERNAL_ERROR);
245 goto err2;
246 }
247
248 memcpy(mac_secret,ms,i);
249#ifdef TLS_DEBUG
250printf("which = %04X\nmac key=",which);
251{ int z; for (z=0; z<i; z++) printf("%02X%c",ms[z],((z+1)%16)?' ':'\n'); }
252#endif
253 if (exp)
254 {
255 /* In here I set both the read and write key/iv to the
256 * same value since only the correct one will be used :-).
257 */
258 p=buf;
259 memcpy(p,exp_label,exp_label_len);
260 p+=exp_label_len;
261 memcpy(p,s->s3->client_random,SSL3_RANDOM_SIZE);
262 p+=SSL3_RANDOM_SIZE;
263 memcpy(p,s->s3->server_random,SSL3_RANDOM_SIZE);
264 p+=SSL3_RANDOM_SIZE;
265 tls1_PRF(s->ctx->md5,s->ctx->sha1,buf,p-buf,key,j,
266 tmp1,tmp2,EVP_CIPHER_key_length(c));
267 key=tmp1;
268
269 if (k > 0)
270 {
271 p=buf;
272 memcpy(p,TLS_MD_IV_BLOCK_CONST,
273 TLS_MD_IV_BLOCK_CONST_SIZE);
274 p+=TLS_MD_IV_BLOCK_CONST_SIZE;
275 memcpy(p,s->s3->client_random,SSL3_RANDOM_SIZE);
276 p+=SSL3_RANDOM_SIZE;
277 memcpy(p,s->s3->server_random,SSL3_RANDOM_SIZE);
278 p+=SSL3_RANDOM_SIZE;
279 tls1_PRF(s->ctx->md5,s->ctx->sha1,
280 buf,p-buf,"",0,iv1,iv2,k*2);
281 if (client_write)
282 iv=iv1;
283 else
284 iv= &(iv1[k]);
285 }
286 }
287
288 s->session->key_arg_length=0;
289
290 EVP_CipherInit(dd,c,key,iv,(which & SSL3_CC_WRITE));
291#ifdef TLS_DEBUG
292printf("which = %04X\nkey=",which);
293{ int z; for (z=0; z<EVP_CIPHER_key_length(c); z++) printf("%02X%c",key[z],((z+1)%16)?' ':'\n'); }
294printf("\niv=");
295{ int z; for (z=0; z<k; z++) printf("%02X%c",iv[z],((z+1)%16)?' ':'\n'); }
296printf("\n");
297#endif
298
299 memset(tmp1,0,sizeof(tmp1));
300 memset(tmp2,0,sizeof(tmp1));
301 memset(iv1,0,sizeof(iv1));
302 memset(iv2,0,sizeof(iv2));
303 return(1);
304err:
305 SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE,ERR_R_MALLOC_FAILURE);
306err2:
307 return(0);
308 }
309
310int tls1_setup_key_block(s)
311SSL *s;
312 {
313 unsigned char *p1,*p2;
314 EVP_CIPHER *c;
315 EVP_MD *hash;
316 int num,exp;
317
318 if (s->s3->tmp.key_block_length != 0)
319 return(1);
320
321 if (!ssl_cipher_get_evp(s->session->cipher,&c,&hash))
322 {
323 SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK,SSL_R_CIPHER_OR_HASH_UNAVAILABLE);
324 return(0);
325 }
326
327 s->s3->tmp.new_sym_enc=c;
328 s->s3->tmp.new_hash=hash;
329
330 exp=(s->session->cipher->algorithms & SSL_EXPORT)?1:0;
331
332 num=EVP_CIPHER_key_length(c)+EVP_MD_size(hash)+EVP_CIPHER_iv_length(c);
333 num*=2;
334
335 ssl3_cleanup_key_block(s);
336
337 if ((p1=(unsigned char *)Malloc(num)) == NULL)
338 goto err;
339 if ((p2=(unsigned char *)Malloc(num)) == NULL)
340 goto err;
341
342 s->s3->tmp.key_block_length=num;
343 s->s3->tmp.key_block=p1;
344
345
346#ifdef TLS_DEBUG
347printf("client random\n");
348{ int z; for (z=0; z<SSL3_RANDOM_SIZE; z++) printf("%02X%c",s->s3->client_random[z],((z+1)%16)?' ':'\n'); }
349printf("server random\n");
350{ int z; for (z=0; z<SSL3_RANDOM_SIZE; z++) printf("%02X%c",s->s3->server_random[z],((z+1)%16)?' ':'\n'); }
351printf("pre-master\n");
352{ int z; for (z=0; z<s->session->master_key_length; z++) printf("%02X%c",s->session->master_key[z],((z+1)%16)?' ':'\n'); }
353#endif
354 tls1_generate_key_block(s,p1,p2,num);
355 memset(p2,0,num);
356 Free(p2);
357#ifdef TLS_DEBUG
358printf("\nkey block\n");
359{ int z; for (z=0; z<num; z++) printf("%02X%c",p1[z],((z+1)%16)?' ':'\n'); }
360#endif
361
362 return(1);
363err:
364 SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK,ERR_R_MALLOC_FAILURE);
365 return(0);
366 }
367
368int tls1_enc(s,send)
369SSL *s;
370int send;
371 {
372 SSL3_RECORD *rec;
373 EVP_CIPHER_CTX *ds;
374 unsigned long l;
375 int bs,i,ii,j,k,n=0;
376 EVP_CIPHER *enc;
377 SSL_COMPRESSION *comp;
378
379 if (send)
380 {
381 if (s->write_hash != NULL)
382 n=EVP_MD_size(s->write_hash);
383 ds=s->enc_write_ctx;
384 rec= &(s->s3->wrec);
385 if (s->enc_write_ctx == NULL)
386 { enc=NULL; comp=NULL; }
387 else
388 {
389 enc=EVP_CIPHER_CTX_cipher(s->enc_write_ctx);
390 comp=s->write_compression;
391 }
392 }
393 else
394 {
395 if (s->read_hash != NULL)
396 n=EVP_MD_size(s->read_hash);
397 ds=s->enc_read_ctx;
398 rec= &(s->s3->rrec);
399 if (s->enc_read_ctx == NULL)
400 { enc=NULL; comp=NULL; }
401 else
402 {
403 enc=EVP_CIPHER_CTX_cipher(s->enc_read_ctx);
404 comp=s->read_compression;
405 }
406 }
407
408 if ((s->session == NULL) || (ds == NULL) ||
409 ((enc == NULL) && (comp == NULL)))
410 {
411 memcpy(rec->data,rec->input,rec->length);
412 rec->input=rec->data;
413 }
414 else
415 {
416 l=rec->length;
417 bs=EVP_CIPHER_block_size(ds->cipher);
418
419 if ((bs != 1) && send)
420 {
421 i=bs-((int)l%bs);
422
423 /* Add weird padding of upto 256 bytes */
424
425 /* we need to add 'i' padding bytes of value j */
426 j=i-1;
427 if (s->options & SSL_OP_TLS_BLOCK_PADDING_BUG)
428 {
429 if (s->s3->flags & TLS1_FLAGS_TLS_PADDING_BUG)
430 j++;
431 }
432 for (k=(int)l; k<(int)(l+i); k++)
433 rec->input[k]=j;
434 l+=i;
435 rec->length+=i;
436 }
437
438 EVP_Cipher(ds,rec->data,rec->input,l);
439
440 if ((bs != 1) && !send)
441 {
442 ii=i=rec->data[l-1];
443 i++;
444 if (s->options&SSL_OP_TLS_BLOCK_PADDING_BUG)
445 {
446 /* First packet is even in size, so check */
447 if ((memcmp(s->s3->read_sequence,
448 "\0\0\0\0\0\0\0\0",8) == 0) && !(ii & 1))
449 s->s3->flags|=TLS1_FLAGS_TLS_PADDING_BUG;
450 if (s->s3->flags & TLS1_FLAGS_TLS_PADDING_BUG)
451 i--;
452 }
453 if (i > (int)rec->length)
454 {
455 SSLerr(SSL_F_TLS1_ENC,SSL_R_BLOCK_CIPHER_PAD_IS_WRONG);
456 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECRYPTION_FAILED);
457 return(0);
458 }
459 for (j=(int)(l-i); j<(int)l; j++)
460 {
461 if (rec->data[j] != ii)
462 {
463 SSLerr(SSL_F_TLS1_ENC,SSL_R_DECRYPTION_FAILED);
464 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECRYPTION_FAILED);
465 return(0);
466 }
467 }
468 rec->length-=i;
469 }
470 }
471 return(1);
472 }
473
474int tls1_cert_verify_mac(s,in_ctx,out)
475SSL *s;
476EVP_MD_CTX *in_ctx;
477unsigned char *out;
478 {
479 unsigned int ret;
480 EVP_MD_CTX ctx;
481
482 memcpy(&ctx,in_ctx,sizeof(EVP_MD_CTX));
483 EVP_DigestFinal(&ctx,out,&ret);
484 return((int)ret);
485 }
486
487int tls1_final_finish_mac(s,in1_ctx,in2_ctx,str,slen,out)
488SSL *s;
489EVP_MD_CTX *in1_ctx,*in2_ctx;
490unsigned char *str;
491int slen;
492unsigned char *out;
493 {
494 unsigned int i;
495 EVP_MD_CTX ctx;
496 unsigned char buf[TLS_MD_MAX_CONST_SIZE+MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH];
497 unsigned char *q,buf2[12];
498
499 q=buf;
500 memcpy(q,str,slen);
501 q+=slen;
502
503 memcpy(&ctx,in1_ctx,sizeof(EVP_MD_CTX));
504 EVP_DigestFinal(&ctx,q,&i);
505 q+=i;
506 memcpy(&ctx,in2_ctx,sizeof(EVP_MD_CTX));
507 EVP_DigestFinal(&ctx,q,&i);
508 q+=i;
509
510 tls1_PRF(s->ctx->md5,s->ctx->sha1,buf,q-buf,
511 s->session->master_key,s->session->master_key_length,
512 out,buf2,12);
513 memset(&ctx,0,sizeof(EVP_MD_CTX));
514
515 return((int)12);
516 }
517
518int tls1_mac(ssl,md,send)
519SSL *ssl;
520unsigned char *md;
521int send;
522 {
523 SSL3_RECORD *rec;
524 unsigned char *mac_sec,*seq;
525 EVP_MD *hash;
526 unsigned int md_size;
527 int i;
528 HMAC_CTX hmac;
529 unsigned char buf[5];
530
531 if (send)
532 {
533 rec= &(ssl->s3->wrec);
534 mac_sec= &(ssl->s3->write_mac_secret[0]);
535 seq= &(ssl->s3->write_sequence[0]);
536 hash=ssl->write_hash;
537 }
538 else
539 {
540 rec= &(ssl->s3->rrec);
541 mac_sec= &(ssl->s3->read_mac_secret[0]);
542 seq= &(ssl->s3->read_sequence[0]);
543 hash=ssl->read_hash;
544 }
545
546 md_size=EVP_MD_size(hash);
547
548 buf[0]=rec->type;
549 buf[1]=TLS1_VERSION_MAJOR;
550 buf[2]=TLS1_VERSION_MINOR;
551 buf[3]=rec->length>>8;
552 buf[4]=rec->length&0xff;
553
554 /* I should fix this up TLS TLS TLS TLS TLS XXXXXXXX */
555 HMAC_Init(&hmac,mac_sec,EVP_MD_size(hash),hash);
556 HMAC_Update(&hmac,seq,8);
557 HMAC_Update(&hmac,buf,5);
558 HMAC_Update(&hmac,rec->input,rec->length);
559 HMAC_Final(&hmac,md,&md_size);
560
561#ifdef TLS_DEBUG
562printf("sec=");
563{int z; for (z=0; z<md_size; z++) printf("%02X ",mac_sec[z]); printf("\n"); }
564printf("seq=");
565{int z; for (z=0; z<8; z++) printf("%02X ",seq[z]); printf("\n"); }
566printf("buf=");
567{int z; for (z=0; z<5; z++) printf("%02X ",buf[z]); printf("\n"); }
568printf("rec=");
569{int z; for (z=0; z<rec->length; z++) printf("%02X ",buf[z]); printf("\n"); }
570#endif
571
572 for (i=7; i>=0; i--)
573 if (++seq[i]) break;
574
575#ifdef TLS_DEBUG
576{int z; for (z=0; z<md_size; z++) printf("%02X ",md[z]); printf("\n"); }
577#endif
578 return(md_size);
579 }
580
581int tls1_generate_master_secret(s,out,p,len)
582SSL *s;
583unsigned char *out;
584unsigned char *p;
585int len;
586 {
587 unsigned char buf[SSL3_RANDOM_SIZE*2+TLS_MD_MASTER_SECRET_CONST_SIZE];
588 unsigned char buff[SSL_MAX_MASTER_KEY_LENGTH];
589
590 /* Setup the stuff to munge */
591 memcpy(buf,TLS_MD_MASTER_SECRET_CONST,
592 TLS_MD_MASTER_SECRET_CONST_SIZE);
593 memcpy(&(buf[TLS_MD_MASTER_SECRET_CONST_SIZE]),
594 s->s3->client_random,SSL3_RANDOM_SIZE);
595 memcpy(&(buf[SSL3_RANDOM_SIZE+TLS_MD_MASTER_SECRET_CONST_SIZE]),
596 s->s3->server_random,SSL3_RANDOM_SIZE);
597 tls1_PRF(s->ctx->md5,s->ctx->sha1,
598 buf,TLS_MD_MASTER_SECRET_CONST_SIZE+SSL3_RANDOM_SIZE*2,p,len,
599 s->session->master_key,buff,SSL3_MASTER_SECRET_SIZE);
600 return(SSL3_MASTER_SECRET_SIZE);
601 }
602
603int tls1_alert_code(code)
604int code;
605 {
606 switch (code)
607 {
608 case SSL_AD_CLOSE_NOTIFY: return(SSL3_AD_CLOSE_NOTIFY);
609 case SSL_AD_UNEXPECTED_MESSAGE: return(SSL3_AD_UNEXPECTED_MESSAGE);
610 case SSL_AD_BAD_RECORD_MAC: return(SSL3_AD_BAD_RECORD_MAC);
611 case SSL_AD_DECRYPTION_FAILED: return(TLS1_AD_DECRYPTION_FAILED);
612 case SSL_AD_RECORD_OVERFLOW: return(TLS1_AD_RECORD_OVERFLOW);
613 case SSL_AD_DECOMPRESSION_FAILURE:return(SSL3_AD_DECOMPRESSION_FAILURE);
614 case SSL_AD_HANDSHAKE_FAILURE: return(SSL3_AD_HANDSHAKE_FAILURE);
615 case SSL_AD_NO_CERTIFICATE: return(-1);
616 case SSL_AD_BAD_CERTIFICATE: return(SSL3_AD_BAD_CERTIFICATE);
617 case SSL_AD_UNSUPPORTED_CERTIFICATE:return(SSL3_AD_UNSUPPORTED_CERTIFICATE);
618 case SSL_AD_CERTIFICATE_REVOKED:return(SSL3_AD_CERTIFICATE_REVOKED);
619 case SSL_AD_CERTIFICATE_EXPIRED:return(SSL3_AD_CERTIFICATE_EXPIRED);
620 case SSL_AD_CERTIFICATE_UNKNOWN:return(SSL3_AD_CERTIFICATE_UNKNOWN);
621 case SSL_AD_ILLEGAL_PARAMETER: return(SSL3_AD_ILLEGAL_PARAMETER);
622 case SSL_AD_UNKNOWN_CA: return(TLS1_AD_UNKNOWN_CA);
623 case SSL_AD_ACCESS_DENIED: return(TLS1_AD_ACCESS_DENIED);
624 case SSL_AD_DECODE_ERROR: return(TLS1_AD_DECODE_ERROR);
625 case SSL_AD_DECRYPT_ERROR: return(TLS1_AD_DECRYPT_ERROR);
626 case SSL_AD_EXPORT_RESTRICION: return(TLS1_AD_EXPORT_RESTRICION);
627 case SSL_AD_PROTOCOL_VERSION: return(TLS1_AD_PROTOCOL_VERSION);
628 case SSL_AD_INSUFFICIENT_SECURITY:return(TLS1_AD_INSUFFICIENT_SECURITY);
629 case SSL_AD_INTERNAL_ERROR: return(TLS1_AD_INTERNAL_ERROR);
630 case SSL_AD_USER_CANCLED: return(TLS1_AD_USER_CANCLED);
631 case SSL_AD_NO_RENEGOTIATION: return(TLS1_AD_NO_RENEGOTIATION);
632 default: return(-1);
633 }
634 }
635
diff --git a/src/lib/libssl/t1_lib.c b/src/lib/libssl/t1_lib.c
new file mode 100644
index 0000000000..f9fbfa414c
--- /dev/null
+++ b/src/lib/libssl/t1_lib.c
@@ -0,0 +1,151 @@
1/* ssl/t1_lib.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#include <stdio.h>
60#include "objects.h"
61#include "ssl_locl.h"
62
63char *tls1_version_str="TLSv1 part of SSLeay 0.9.0b 29-Jun-1998";
64
65#ifndef NO_PROTO
66static long tls1_default_timeout(void);
67#else
68static long tls1_default_timeout();
69#endif
70
71static SSL3_ENC_METHOD TLSv1_enc_data={
72 tls1_enc,
73 tls1_mac,
74 tls1_setup_key_block,
75 tls1_generate_master_secret,
76 tls1_change_cipher_state,
77 tls1_final_finish_mac,
78 TLS1_FINISH_MAC_LENGTH,
79 tls1_cert_verify_mac,
80 TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE,
81 TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE,
82 tls1_alert_code,
83 };
84
85static SSL_METHOD TLSv1_data= {
86 TLS1_VERSION,
87 tls1_new,
88 tls1_clear,
89 tls1_free,
90 ssl_undefined_function,
91 ssl_undefined_function,
92 ssl3_read,
93 ssl3_peek,
94 ssl3_write,
95 ssl3_shutdown,
96 ssl3_renegotiate,
97 ssl3_ctrl,
98 ssl3_ctx_ctrl,
99 ssl3_get_cipher_by_char,
100 ssl3_put_cipher_by_char,
101 ssl3_pending,
102 ssl3_num_ciphers,
103 ssl3_get_cipher,
104 ssl_bad_method,
105 tls1_default_timeout,
106 &TLSv1_enc_data,
107 };
108
109static long tls1_default_timeout()
110 {
111 /* 2 hours, the 24 hours mentioned in the TLSv1 spec
112 * is way too long for http, the cache would over fill */
113 return(60*60*2);
114 }
115
116SSL_METHOD *tlsv1_base_method()
117 {
118 return(&TLSv1_data);
119 }
120
121int tls1_new(s)
122SSL *s;
123 {
124 if (!ssl3_new(s)) return(0);
125 s->method->ssl_clear(s);
126 return(1);
127 }
128
129void tls1_free(s)
130SSL *s;
131 {
132 ssl3_free(s);
133 }
134
135void tls1_clear(s)
136SSL *s;
137 {
138 ssl3_clear(s);
139 s->version=TLS1_VERSION;
140 }
141
142#if 0
143long tls1_ctrl(s,cmd,larg,parg)
144SSL *s;
145int cmd;
146long larg;
147char *parg;
148 {
149 return(0);
150 }
151#endif
diff --git a/src/lib/libssl/t1_meth.c b/src/lib/libssl/t1_meth.c
new file mode 100644
index 0000000000..512c2078e7
--- /dev/null
+++ b/src/lib/libssl/t1_meth.c
@@ -0,0 +1,88 @@
1/* ssl/t1_meth.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#include <stdio.h>
60#include "objects.h"
61#include "ssl_locl.h"
62
63static SSL_METHOD *tls1_get_method(ver)
64int ver;
65 {
66 if (ver == TLS1_VERSION)
67 return(TLSv1_method());
68 else
69 return(NULL);
70 }
71
72SSL_METHOD *TLSv1_method()
73 {
74 static int init=1;
75 static SSL_METHOD TLSv1_data;
76
77 if (init)
78 {
79 init=0;
80 memcpy((char *)&TLSv1_data,(char *)tlsv1_base_method(),
81 sizeof(SSL_METHOD));
82 TLSv1_data.ssl_connect=ssl3_connect;
83 TLSv1_data.ssl_accept=ssl3_accept;
84 TLSv1_data.get_ssl_method=tls1_get_method;
85 }
86 return(&TLSv1_data);
87 }
88
diff --git a/src/lib/libssl/t1_srvr.c b/src/lib/libssl/t1_srvr.c
new file mode 100644
index 0000000000..8cf0addcd9
--- /dev/null
+++ b/src/lib/libssl/t1_srvr.c
@@ -0,0 +1,91 @@
1/* ssl/t1_srvr.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#include <stdio.h>
60#include "buffer.h"
61#include "rand.h"
62#include "objects.h"
63#include "evp.h"
64#include "x509.h"
65#include "ssl_locl.h"
66
67static SSL_METHOD *tls1_get_server_method(ver)
68int ver;
69 {
70 if (ver == TLS1_VERSION)
71 return(TLSv1_server_method());
72 else
73 return(NULL);
74 }
75
76SSL_METHOD *TLSv1_server_method()
77 {
78 static int init=1;
79 static SSL_METHOD TLSv1_server_data;
80
81 if (init)
82 {
83 init=0;
84 memcpy((char *)&TLSv1_server_data,(char *)tlsv1_base_method(),
85 sizeof(SSL_METHOD));
86 TLSv1_server_data.ssl_accept=ssl3_accept;
87 TLSv1_server_data.get_ssl_method=tls1_get_server_method;
88 }
89 return(&TLSv1_server_data);
90 }
91
diff --git a/src/lib/libssl/test/CAss.cnf b/src/lib/libssl/test/CAss.cnf
new file mode 100644
index 0000000000..b941b7ae15
--- /dev/null
+++ b/src/lib/libssl/test/CAss.cnf
@@ -0,0 +1,25 @@
1#
2# SSLeay example configuration file.
3# This is mostly being used for generation of certificate requests.
4#
5
6RANDFILE = ./.rnd
7
8####################################################################
9[ req ]
10default_bits = 512
11default_keyfile = keySS.pem
12distinguished_name = req_distinguished_name
13encrypt_rsa_key = no
14default_md = sha1
15
16[ req_distinguished_name ]
17countryName = Country Name (2 letter code)
18countryName_default = AU
19countryName_value = AU
20
21organizationName = Organization Name (eg, company)
22organizationName_value = Dodgy Brothers
23
24commonName = Common Name (eg, YOUR name)
25commonName_value = Dodgy CA
diff --git a/src/lib/libssl/test/CAssdh.cnf b/src/lib/libssl/test/CAssdh.cnf
new file mode 100644
index 0000000000..4e0a908679
--- /dev/null
+++ b/src/lib/libssl/test/CAssdh.cnf
@@ -0,0 +1,24 @@
1#
2# SSLeay example configuration file.
3# This is mostly being used for generation of certificate requests.
4#
5# hacked by iang to do DH certs - CA
6
7RANDFILE = ./.rnd
8
9####################################################################
10[ req ]
11distinguished_name = req_distinguished_name
12encrypt_rsa_key = no
13
14[ req_distinguished_name ]
15countryName = Country Name (2 letter code)
16countryName_default = CU
17countryName_value = CU
18
19organizationName = Organization Name (eg, company)
20organizationName_value = La Junta de la Revolucion
21
22commonName = Common Name (eg, YOUR name)
23commonName_value = Junta
24
diff --git a/src/lib/libssl/test/CAssdsa.cnf b/src/lib/libssl/test/CAssdsa.cnf
new file mode 100644
index 0000000000..a6b4d1810c
--- /dev/null
+++ b/src/lib/libssl/test/CAssdsa.cnf
@@ -0,0 +1,23 @@
1#
2# SSLeay example configuration file.
3# This is mostly being used for generation of certificate requests.
4#
5# hacked by iang to do DSA certs - CA
6
7RANDFILE = ./.rnd
8
9####################################################################
10[ req ]
11distinguished_name = req_distinguished_name
12encrypt_rsa_key = no
13
14[ req_distinguished_name ]
15countryName = Country Name (2 letter code)
16countryName_default = ES
17countryName_value = ES
18
19organizationName = Organization Name (eg, company)
20organizationName_value = Hermanos Locos
21
22commonName = Common Name (eg, YOUR name)
23commonName_value = Hermanos Locos CA
diff --git a/src/lib/libssl/test/CAssrsa.cnf b/src/lib/libssl/test/CAssrsa.cnf
new file mode 100644
index 0000000000..eb24a6dfc0
--- /dev/null
+++ b/src/lib/libssl/test/CAssrsa.cnf
@@ -0,0 +1,24 @@
1#
2# SSLeay example configuration file.
3# This is mostly being used for generation of certificate requests.
4#
5# create RSA certs - CA
6
7RANDFILE = ./.rnd
8
9####################################################################
10[ req ]
11distinguished_name = req_distinguished_name
12encrypt_key = no
13
14[ req_distinguished_name ]
15countryName = Country Name (2 letter code)
16countryName_default = ES
17countryName_value = ES
18
19organizationName = Organization Name (eg, company)
20organizationName_value = Hermanos Locos
21
22commonName = Common Name (eg, YOUR name)
23commonName_value = Hermanos Locos CA
24
diff --git a/src/lib/libssl/test/Sssdsa.cnf b/src/lib/libssl/test/Sssdsa.cnf
new file mode 100644
index 0000000000..8e170a28ef
--- /dev/null
+++ b/src/lib/libssl/test/Sssdsa.cnf
@@ -0,0 +1,27 @@
1#
2# SSLeay example configuration file.
3# This is mostly being used for generation of certificate requests.
4#
5# hacked by iang to do DSA certs - Server
6
7RANDFILE = ./.rnd
8
9####################################################################
10[ req ]
11distinguished_name = req_distinguished_name
12encrypt_rsa_key = no
13
14[ req_distinguished_name ]
15countryName = Country Name (2 letter code)
16countryName_default = ES
17countryName_value = ES
18
19organizationName = Organization Name (eg, company)
20organizationName_value = Tortilleras S.A.
21
220.commonName = Common Name (eg, YOUR name)
230.commonName_value = Torti
24
251.commonName = Common Name (eg, YOUR name)
261.commonName_value = Gordita
27
diff --git a/src/lib/libssl/test/Sssrsa.cnf b/src/lib/libssl/test/Sssrsa.cnf
new file mode 100644
index 0000000000..8c79a03fca
--- /dev/null
+++ b/src/lib/libssl/test/Sssrsa.cnf
@@ -0,0 +1,26 @@
1#
2# SSLeay example configuration file.
3# This is mostly being used for generation of certificate requests.
4#
5# create RSA certs - Server
6
7RANDFILE = ./.rnd
8
9####################################################################
10[ req ]
11distinguished_name = req_distinguished_name
12encrypt_key = no
13
14[ req_distinguished_name ]
15countryName = Country Name (2 letter code)
16countryName_default = ES
17countryName_value = ES
18
19organizationName = Organization Name (eg, company)
20organizationName_value = Tortilleras S.A.
21
220.commonName = Common Name (eg, YOUR name)
230.commonName_value = Torti
24
251.commonName = Common Name (eg, YOUR name)
261.commonName_value = Gordita
diff --git a/src/lib/libssl/test/Uss.cnf b/src/lib/libssl/test/Uss.cnf
new file mode 100644
index 0000000000..c89692d519
--- /dev/null
+++ b/src/lib/libssl/test/Uss.cnf
@@ -0,0 +1,28 @@
1#
2# SSLeay example configuration file.
3# This is mostly being used for generation of certificate requests.
4#
5
6RANDFILE = ./.rnd
7
8####################################################################
9[ req ]
10default_bits = 512
11default_keyfile = keySS.pem
12distinguished_name = req_distinguished_name
13encrypt_rsa_key = no
14default_md = md2
15
16[ req_distinguished_name ]
17countryName = Country Name (2 letter code)
18countryName_default = AU
19countryName_value = AU
20
21organizationName = Organization Name (eg, company)
22organizationName_value = Dodgy Brothers
23
240.commonName = Common Name (eg, YOUR name)
250.commonName_value = Brother 1
26
271.commonName = Common Name (eg, YOUR name)
281.commonName_value = Brother 2
diff --git a/src/lib/libssl/test/methtest.c b/src/lib/libssl/test/methtest.c
new file mode 100644
index 0000000000..630d29dc91
--- /dev/null
+++ b/src/lib/libssl/test/methtest.c
@@ -0,0 +1,105 @@
1/* test/methtest.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#include <stdio.h>
60#include <stdlib.h>
61#include "rsa.h"
62#include "x509.h"
63#include "meth.h"
64#include "err.h"
65
66int main(argc,argv)
67int argc;
68char *argv[];
69 {
70 METHOD_CTX *top,*tmp1,*tmp2;
71
72 top=METH_new(x509_lookup()); /* get a top level context */
73 if (top == NULL) goto err;
74
75 tmp1=METH_new(x509_by_file());
76 if (top == NULL) goto err;
77 METH_arg(tmp1,METH_TYPE_FILE,"cafile1");
78 METH_arg(tmp1,METH_TYPE_FILE,"cafile2");
79 METH_push(top,METH_X509_CA_BY_SUBJECT,tmp1);
80
81 tmp2=METH_new(x509_by_dir());
82 METH_arg(tmp2,METH_TYPE_DIR,"/home/eay/.CAcerts");
83 METH_arg(tmp2,METH_TYPE_DIR,"/home/eay/SSLeay/certs");
84 METH_arg(tmp2,METH_TYPE_DIR,"/usr/local/ssl/certs");
85 METH_push(top,METH_X509_CA_BY_SUBJECT,tmp2);
86
87/* tmp=METH_new(x509_by_issuer_dir);
88 METH_arg(tmp,METH_TYPE_DIR,"/home/eay/.mycerts");
89 METH_push(top,METH_X509_BY_ISSUER,tmp);
90
91 tmp=METH_new(x509_by_issuer_primary);
92 METH_arg(tmp,METH_TYPE_FILE,"/home/eay/.mycerts/primary.pem");
93 METH_push(top,METH_X509_BY_ISSUER,tmp);
94*/
95
96 METH_init(top);
97 METH_control(tmp1,METH_CONTROL_DUMP,stdout);
98 METH_control(tmp2,METH_CONTROL_DUMP,stdout);
99 exit(0);
100err:
101 ERR_load_crypto_strings();
102 ERR_print_errors_fp(stderr);
103 exit(1);
104 return(0);
105 }
diff --git a/src/lib/libssl/test/pkcs7-1.pem b/src/lib/libssl/test/pkcs7-1.pem
new file mode 100644
index 0000000000..c47b27af88
--- /dev/null
+++ b/src/lib/libssl/test/pkcs7-1.pem
@@ -0,0 +1,15 @@
1-----BEGIN PKCS7-----
2MIICUAYJKoZIhvcNAQcCoIICQTCCAj0CAQExDjAMBggqhkiG9w0CAgUAMCgGCSqG
3SIb3DQEHAaAbBBlFdmVyeW9uZSBnZXRzIEZyaWRheSBvZmYuoIIBXjCCAVowggEE
4AgQUAAApMA0GCSqGSIb3DQEBAgUAMCwxCzAJBgNVBAYTAlVTMR0wGwYDVQQKExRF
5eGFtcGxlIE9yZ2FuaXphdGlvbjAeFw05MjA5MDkyMjE4MDZaFw05NDA5MDkyMjE4
6MDVaMEIxCzAJBgNVBAYTAlVTMR0wGwYDVQQKExRFeGFtcGxlIE9yZ2FuaXphdGlv
7bjEUMBIGA1UEAxMLVGVzdCBVc2VyIDEwWzANBgkqhkiG9w0BAQEFAANKADBHAkAK
8ZnkdxpiBaN56t3QZu3+wwAHGJxAnAHUUKULhmo2MUdBTs+N4Kh3l3Fr06+mUaBcB
9FKHf5nzcmpr1XWVWILurAgMBAAEwDQYJKoZIhvcNAQECBQADQQBFGqHhqncgSl/N
109XYGnQL3MsJvNnsNV4puZPOakR9Hld8JlDQFEaDR30ogsmp3TMrvdfxpLlTCoZN8
11BxEmnZsWMYGbMIGYAgEBMDQwLDELMAkGA1UEBhMCVVMxHTAbBgNVBAoTFEV4YW1w
12bGUgT3JnYW5pemF0aW9uAgQUAAApMAwGCCqGSIb3DQICBQAwDQYJKoZIhvcNAQEB
13BQAEQAX6aoEvx9+L9PJUJQngPoRuEbnGIL4gCe+0QO+8xmkhaZSsBPNBtX0FIC1C
14j7Kie1x339mxW/w9VZNTUDQQweHh
15-----END PKCS7-----
diff --git a/src/lib/libssl/test/pkcs7.pem b/src/lib/libssl/test/pkcs7.pem
new file mode 100644
index 0000000000..d55c60b94e
--- /dev/null
+++ b/src/lib/libssl/test/pkcs7.pem
@@ -0,0 +1,54 @@
1 MIAGCSqGSIb3DQEHAqCAMIACAQExADCABgkqhkiG9w0BBwEAAKCAMIIE+DCCBGGg
2 AwIBAgIQaGSF/JpbS1C223+yrc+N1DANBgkqhkiG9w0BAQQFADBiMREwDwYDVQQH
3 EwhJbnRlcm5ldDEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xNDAyBgNVBAsTK1Zl
4 cmlTaWduIENsYXNzIDEgQ0EgLSBJbmRpdmlkdWFsIFN1YnNjcmliZXIwHhcNOTYw
5 ODEyMDAwMDAwWhcNOTYwODE3MjM1OTU5WjCCASAxETAPBgNVBAcTCEludGVybmV0
6 MRcwFQYDVQQKEw5WZXJpU2lnbiwgSW5jLjE0MDIGA1UECxMrVmVyaVNpZ24gQ2xh
7 c3MgMSBDQSAtIEluZGl2aWR1YWwgU3Vic2NyaWJlcjE3MDUGA1UECxMuRGlnaXRh
8 bCBJRCBDbGFzcyAxIC0gU01JTUUgVmVyaVNpZ24sIEluYy4gVEVTVDFGMEQGA1UE
9 CxM9d3d3LnZlcmlzaWduLmNvbS9yZXBvc2l0b3J5L0NQUyBJbmNvcnAuIGJ5IFJl
10 Zi4sTElBQi5MVEQoYyk5NjEZMBcGA1UEAxMQQWxleGFuZHJlIERlYWNvbjEgMB4G
11 CSqGSIb3DQEJARYRYWxleEB2ZXJpc2lnbi5jb20wWzANBgkqhkiG9w0BAQEFAANK
12 ADBHAkAOy7xxCAIkOfuIA2LyRpxgKlDORl8htdXYhF5iBGUx1GYaK6KF+bK/CCI0
13 l4j2OfWGFBUrwGoWqxTNcWgTfMzRAgMBAAGjggIyMIICLjAJBgNVHRMEAjAAMIIC
14 HwYDVR0DBIICFjCCAhIwggIOMIICCgYLYIZIAYb4RQEHAQEwggH5FoIBp1RoaXMg
15 Y2VydGlmaWNhdGUgaW5jb3Jwb3JhdGVzIGJ5IHJlZmVyZW5jZSwgYW5kIGl0cyB1
16 c2UgaXMgc3RyaWN0bHkgc3ViamVjdCB0bywgdGhlIFZlcmlTaWduIENlcnRpZmlj
17 YXRpb24gUHJhY3RpY2UgU3RhdGVtZW50IChDUFMpLCBhdmFpbGFibGUgYXQ6IGh0
18 dHBzOi8vd3d3LnZlcmlzaWduLmNvbS9DUFM7IGJ5IEUtbWFpbCBhdCBDUFMtcmVx
19 dWVzdHNAdmVyaXNpZ24uY29tOyBvciBieSBtYWlsIGF0IFZlcmlTaWduLCBJbmMu
20 LCAyNTkzIENvYXN0IEF2ZS4sIE1vdW50YWluIFZpZXcsIENBIDk0MDQzIFVTQSBU
21 ZWwuICsxICg0MTUpIDk2MS04ODMwIENvcHlyaWdodCAoYykgMTk5NiBWZXJpU2ln
22 biwgSW5jLiAgQWxsIFJpZ2h0cyBSZXNlcnZlZC4gQ0VSVEFJTiBXQVJSQU5USUVT
23 IERJU0NMQUlNRUQgYW5kIExJQUJJTElUWSBMSU1JVEVELqAOBgxghkgBhvhFAQcB
24 AQGhDgYMYIZIAYb4RQEHAQECMCwwKhYoaHR0cHM6Ly93d3cudmVyaXNpZ24uY29t
25 L3JlcG9zaXRvcnkvQ1BTIDANBgkqhkiG9w0BAQQFAAOBgQAimWMGQwwwxk+b3KAL
26 HlSWXtU7LWHe29CEG8XeVNTvrqs6SBqT7OoENOkGxpfdpVgZ3Qw2SKjxDvbvpfSF
27 slsqcxWSgB/hWuaVuZCkvTw/dYGGOxkTJGxvDCfl1PZjX4dKbatslsi9Z9HpGWT7
28 ttItRwKqcBKgmCJvKi1pGWED0zCCAnkwggHioAMCAQICEDURpVKQb+fQKaRAGdQR
29 /D4wDQYJKoZIhvcNAQECBQAwXzELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlT
30 aWduLCBJbmMuMTcwNQYDVQQLEy5DbGFzcyAxIFB1YmxpYyBQcmltYXJ5IENlcnRp
31 ZmljYXRpb24gQXV0aG9yaXR5MB4XDTk2MDYyNzAwMDAwMFoXDTk3MDYyNzIzNTk1
32 OVowYjERMA8GA1UEBxMISW50ZXJuZXQxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMu
33 MTQwMgYDVQQLEytWZXJpU2lnbiBDbGFzcyAxIENBIC0gSW5kaXZpZHVhbCBTdWJz
34 Y3JpYmVyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC2FKbPTdAFDdjKI9Bv
35 qrQpkmOOLPhvltcunXZLEbE2jVfJw/0cxrr+Hgi6M8qV6r7jW80GqLd5HUQq7XPy
36 sVKDaBBwZJHXPmv5912dFEObbpdFmIFH0S3L3bty10w/cariQPJUObwW7s987Lrb
37 P2wqsxaxhhKdrpM01bjV0Pc+qQIDAQABozMwMTAPBgNVHRMECDAGAQH/AgEBMAsG
38 A1UdDwQEAwIBBjARBglghkgBhvhCAQEEBAMCAgQwDQYJKoZIhvcNAQECBQADgYEA
39 KeXHoBmnbxRCgk0jM9e9mDppdxpsipIna/J8DOHEUuD4nONAr4+xOg73SBl026n7
40 Bk55A2wvAMGo7+kKTZ+rHaFDDcmq4O+rzFri2RIOeGAncj1IcGptAQhvXoIhFMG4
41 Jlzg1KlHZHqy7D3jex78zcSU7kKOu8f5tAX1jC3+sToAAKGAMIIBJzCBkTANBgkq
42 hkiG9w0BAQIFADBiMREwDwYDVQQHEwhJbnRlcm5ldDEXMBUGA1UEChMOVmVyaVNp
43 Z24sIEluYy4xNDAyBgNVBAsTK1ZlcmlTaWduIENsYXNzIDEgQ0EgLSBJbmRpdmlk
44 dWFsIFN1YnNjcmliZXIXDTk2MDcwMTE3MzA0MFoXDTk3MDcwMTAwMDAwMFowDQYJ
45 KoZIhvcNAQECBQADgYEAGLuQ6PX8A7AiqBEtWzYtl6lZNSDI0bR5YUo+D2Jzkw30
46 dxQnJSbKXEc6XYuzAW5HvrzATXu5c19WWPT4cRDwmjH71i9QcDysWwf/wE0qGTiW
47 I3tQT0I5VGh7jIJD07nlBw3R4Xl8dH9kr85JsWinqDH5YKpIo9o8knY5n7+qjOow
48 ggEkMIGOMA0GCSqGSIb3DQEBAgUAMF8xCzAJBgNVBAYTAlVTMRcwFQYDVQQKEw5W
49 ZXJpU2lnbiwgSW5jLjE3MDUGA1UECxMuQ2xhc3MgMSBQdWJsaWMgUHJpbWFyeSBD
50 ZXJ0aWZpY2F0aW9uIEF1dGhvcml0eRcNOTYwNzE2MjMxMTI5WhcNOTYwODE1MDAw
51 MDAwWjANBgkqhkiG9w0BAQIFAAOBgQAXsLE4vnsY6sY67QrmWec7iaU2ehzxanEK
52 /9wKHZNuhlNzk+qGZZw2evxfUe2OaRbYpl8zuZvhK9BHD3ad14OSe9/zx5hOPgP/
53 DQXt6R4R8Q/1JheBrolrgbavjvI2wKS8/Psp2prBrkF4T48+AKRmS8Zzh1guxgvP
54 b+xSu/jH0gAAMYAAAAAAAAAAAA==
diff --git a/src/lib/libssl/test/r160test.c b/src/lib/libssl/test/r160test.c
new file mode 100644
index 0000000000..a172e393ca
--- /dev/null
+++ b/src/lib/libssl/test/r160test.c
@@ -0,0 +1,57 @@
1/* test/r160test.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
diff --git a/src/lib/libssl/test/tcrl b/src/lib/libssl/test/tcrl
new file mode 100644
index 0000000000..859fba452f
--- /dev/null
+++ b/src/lib/libssl/test/tcrl
@@ -0,0 +1,81 @@
1#!/bin/sh
2
3PATH=../apps:$PATH
4export PATH
5
6cmd='../apps/ssleay crl'
7
8if [ "$1"x != "x" ]; then
9 t=$1
10else
11 t=testcrl.pem
12fi
13
14echo testing crl conversions
15cp $t fff.p
16
17echo "p -> d"
18$cmd -in fff.p -inform p -outform d >f.d
19if [ $? != 0 ]; then exit 1; fi
20#echo "p -> t"
21#$cmd -in fff.p -inform p -outform t >f.t
22#if [ $? != 0 ]; then exit 1; fi
23echo "p -> p"
24$cmd -in fff.p -inform p -outform p >f.p
25if [ $? != 0 ]; then exit 1; fi
26
27echo "d -> d"
28$cmd -in f.d -inform d -outform d >ff.d1
29if [ $? != 0 ]; then exit 1; fi
30#echo "t -> d"
31#$cmd -in f.t -inform t -outform d >ff.d2
32#if [ $? != 0 ]; then exit 1; fi
33echo "p -> d"
34$cmd -in f.p -inform p -outform d >ff.d3
35if [ $? != 0 ]; then exit 1; fi
36
37#echo "d -> t"
38#$cmd -in f.d -inform d -outform t >ff.t1
39#if [ $? != 0 ]; then exit 1; fi
40#echo "t -> t"
41#$cmd -in f.t -inform t -outform t >ff.t2
42#if [ $? != 0 ]; then exit 1; fi
43#echo "p -> t"
44#$cmd -in f.p -inform p -outform t >ff.t3
45#if [ $? != 0 ]; then exit 1; fi
46
47echo "d -> p"
48$cmd -in f.d -inform d -outform p >ff.p1
49if [ $? != 0 ]; then exit 1; fi
50#echo "t -> p"
51#$cmd -in f.t -inform t -outform p >ff.p2
52#if [ $? != 0 ]; then exit 1; fi
53echo "p -> p"
54$cmd -in f.p -inform p -outform p >ff.p3
55if [ $? != 0 ]; then exit 1; fi
56
57cmp fff.p f.p
58if [ $? != 0 ]; then exit 1; fi
59cmp fff.p ff.p1
60if [ $? != 0 ]; then exit 1; fi
61#cmp fff.p ff.p2
62#if [ $? != 0 ]; then exit 1; fi
63cmp fff.p ff.p3
64if [ $? != 0 ]; then exit 1; fi
65
66#cmp f.t ff.t1
67#if [ $? != 0 ]; then exit 1; fi
68#cmp f.t ff.t2
69#if [ $? != 0 ]; then exit 1; fi
70#cmp f.t ff.t3
71#if [ $? != 0 ]; then exit 1; fi
72
73cmp f.p ff.p1
74if [ $? != 0 ]; then exit 1; fi
75#cmp f.p ff.p2
76#if [ $? != 0 ]; then exit 1; fi
77cmp f.p ff.p3
78if [ $? != 0 ]; then exit 1; fi
79
80/bin/rm -f f.* ff.* fff.*
81exit 0
diff --git a/src/lib/libssl/test/test.cnf b/src/lib/libssl/test/test.cnf
new file mode 100644
index 0000000000..faad3914a8
--- /dev/null
+++ b/src/lib/libssl/test/test.cnf
@@ -0,0 +1,88 @@
1#
2# SSLeay example configuration file.
3# This is mostly being used for generation of certificate requests.
4#
5
6RANDFILE = ./.rnd
7
8####################################################################
9[ ca ]
10default_ca = CA_default # The default ca section
11
12####################################################################
13[ CA_default ]
14
15dir = ./demoCA # Where everything is kept
16certs = $dir/certs # Where the issued certs are kept
17crl_dir = $dir/crl # Where the issued crl are kept
18database = $dir/index.txt # database index file.
19new_certs_dir = $dir/new_certs # default place for new certs.
20
21certificate = $dir/CAcert.pem # The CA certificate
22serial = $dir/serial # The current serial number
23crl = $dir/crl.pem # The current CRL
24private_key = $dir/private/CAkey.pem# The private key
25RANDFILE = $dir/private/.rand # private random number file
26
27default_days = 365 # how long to certify for
28default_crl_days= 30 # how long before next CRL
29default_md = md5 # which md to use.
30
31# A few difference way of specifying how similar the request should look
32# For type CA, the listed attributes must be the same, and the optional
33# and supplied fields are just that :-)
34policy = policy_match
35
36# For the CA policy
37[ policy_match ]
38countryName = match
39stateOrProvinceName = match
40organizationName = match
41organizationalUnitName = optional
42commonName = supplied
43emailAddress = optional
44
45# For the 'anything' policy
46# At this point in time, you must list all acceptable 'object'
47# types.
48[ policy_anything ]
49countryName = optional
50stateOrProvinceName = optional
51localityName = optional
52organizationName = optional
53organizationalUnitName = optional
54commonName = supplied
55emailAddress = optional
56
57####################################################################
58[ req ]
59default_bits = 512
60default_keyfile = testkey.pem
61distinguished_name = req_distinguished_name
62encrypt_rsa_key = no
63
64[ req_distinguished_name ]
65countryName = Country Name (2 letter code)
66countryName_default = AU
67countryName_value = AU
68
69stateOrProvinceName = State or Province Name (full name)
70stateOrProvinceName_default = Queensland
71stateOrProvinceName_value =
72
73localityName = Locality Name (eg, city)
74localityName_value = Brisbane
75
76organizationName = Organization Name (eg, company)
77organizationName_default =
78organizationName_value = CryptSoft Pty Ltd
79
80organizationalUnitName = Organizational Unit Name (eg, section)
81organizationalUnitName_default =
82organizationalUnitName_value = .
83
84commonName = Common Name (eg, YOUR name)
85commonName_value = Eric Young
86
87emailAddress = Email Address
88emailAddress_value = eay@mincom.oz.au
diff --git a/src/lib/libssl/test/testca b/src/lib/libssl/test/testca
new file mode 100644
index 0000000000..a28402f9ca
--- /dev/null
+++ b/src/lib/libssl/test/testca
@@ -0,0 +1,44 @@
1#!/bin/sh
2
3SH="/bin/sh"
4PATH=../apps:$PATH
5export SH PATH
6
7SSLEAY_CONFIG="-config CAss.cnf"
8export SSLEAY_CONFIG
9
10/bin/rm -fr demoCA
11$SH ../apps/CA.sh -newca <<EOF
12EOF
13
14if [ $? != 0 ]; then
15 exit 1;
16fi
17
18SSLEAY_CONFIG="-config Uss.cnf"
19export SSLEAY_CONFIG
20$SH ../apps/CA.sh -newreq
21if [ $? != 0 ]; then
22 exit 1;
23fi
24
25
26SSLEAY_CONFIG="-config ../apps/ssleay.cnf"
27export SSLEAY_CONFIG
28$SH ../apps/CA.sh -sign <<EOF
29y
30y
31EOF
32if [ $? != 0 ]; then
33 exit 1;
34fi
35
36
37$SH ../apps/CA.sh -verify newcert.pem
38if [ $? != 0 ]; then
39 exit 1;
40fi
41
42/bin/rm -fr demoCA newcert.pem newreq.pem
43#usage: CA -newcert|-newreq|-newca|-sign|-verify
44
diff --git a/src/lib/libssl/test/testcrl.pem b/src/lib/libssl/test/testcrl.pem
new file mode 100644
index 0000000000..0989788354
--- /dev/null
+++ b/src/lib/libssl/test/testcrl.pem
@@ -0,0 +1,16 @@
1-----BEGIN X509 CRL-----
2MIICjTCCAfowDQYJKoZIhvcNAQECBQAwXzELMAkGA1UEBhMCVVMxIDAeBgNVBAoT
3F1JTQSBEYXRhIFNlY3VyaXR5LCBJbmMuMS4wLAYDVQQLEyVTZWN1cmUgU2VydmVy
4IENlcnRpZmljYXRpb24gQXV0aG9yaXR5Fw05NTA1MDIwMjEyMjZaFw05NTA2MDEw
5MDAxNDlaMIIBaDAWAgUCQQAABBcNOTUwMjAxMTcyNDI2WjAWAgUCQQAACRcNOTUw
6MjEwMDIxNjM5WjAWAgUCQQAADxcNOTUwMjI0MDAxMjQ5WjAWAgUCQQAADBcNOTUw
7MjI1MDA0NjQ0WjAWAgUCQQAAGxcNOTUwMzEzMTg0MDQ5WjAWAgUCQQAAFhcNOTUw
8MzE1MTkxNjU0WjAWAgUCQQAAGhcNOTUwMzE1MTk0MDQxWjAWAgUCQQAAHxcNOTUw
9MzI0MTk0NDMzWjAWAgUCcgAABRcNOTUwMzI5MjAwNzExWjAWAgUCcgAAERcNOTUw
10MzMwMDIzNDI2WjAWAgUCQQAAIBcNOTUwNDA3MDExMzIxWjAWAgUCcgAAHhcNOTUw
11NDA4MDAwMjU5WjAWAgUCcgAAQRcNOTUwNDI4MTcxNzI0WjAWAgUCcgAAOBcNOTUw
12NDI4MTcyNzIxWjAWAgUCcgAATBcNOTUwNTAyMDIxMjI2WjANBgkqhkiG9w0BAQIF
13AAN+AHqOEJXSDejYy0UwxxrH/9+N2z5xu/if0J6qQmK92W0hW158wpJg+ovV3+wQ
14wvIEPRL2rocL0tKfAsVq1IawSJzSNgxG0lrcla3MrJBnZ4GaZDu4FutZh72MR3Gt
15JaAL3iTJHJD55kK2D/VoyY1djlsPuNh6AEgdVwFAyp0v
16-----END X509 CRL-----
diff --git a/src/lib/libssl/test/testenc b/src/lib/libssl/test/testenc
new file mode 100644
index 0000000000..42db56c2be
--- /dev/null
+++ b/src/lib/libssl/test/testenc
@@ -0,0 +1,62 @@
1#!/bin/sh
2
3testsrc=Makefile.ssl
4test=./p
5cmd=../apps/ssleay
6
7cat $testsrc >$test;
8
9echo cat
10$cmd enc < $test > $test.cipher
11$cmd enc < $test.cipher >$test.clear
12cmp $test $test.clear
13if [ $? != 0 ]
14then
15 exit 1
16else
17 /bin/rm $test.cipher $test.clear
18fi
19echo base64
20$cmd enc -a -e < $test > $test.cipher
21$cmd enc -a -d < $test.cipher >$test.clear
22cmp $test $test.clear
23if [ $? != 0 ]
24then
25 exit 1
26else
27 /bin/rm $test.cipher $test.clear
28fi
29
30for i in rc4 \
31 des-cfb des-ede-cfb des-ede3-cfb \
32 des-ofb des-ede-ofb des-ede3-ofb \
33 des-ecb des-ede des-ede3 desx \
34 des-cbc des-ede-cbc des-ede3-cbc \
35 idea-ecb idea-cfb idea-ofb idea-cbc \
36 rc2-ecb rc2-cfb rc2-ofb rc2-cbc \
37 bf-ecb bf-cfb bf-ofb bf-cbc rc4 \
38 cast5-ecb cast5-cfb cast5-ofb cast5-cbc
39do
40 echo $i
41 $cmd $i -bufsize 113 -e -k test < $test > $test.$i.cipher
42 $cmd $i -bufsize 157 -d -k test < $test.$i.cipher >$test.$i.clear
43 cmp $test $test.$i.clear
44 if [ $? != 0 ]
45 then
46 exit 1
47 else
48 /bin/rm $test.$i.cipher $test.$i.clear
49 fi
50
51 echo $i base64
52 $cmd $i -bufsize 113 -a -e -k test < $test > $test.$i.cipher
53 $cmd $i -bufsize 157 -a -d -k test < $test.$i.cipher >$test.$i.clear
54 cmp $test $test.$i.clear
55 if [ $? != 0 ]
56 then
57 exit 1
58 else
59 /bin/rm $test.$i.cipher $test.$i.clear
60 fi
61done
62rm -f $test
diff --git a/src/lib/libssl/test/testgen b/src/lib/libssl/test/testgen
new file mode 100644
index 0000000000..12a4ca4cea
--- /dev/null
+++ b/src/lib/libssl/test/testgen
@@ -0,0 +1,30 @@
1#!/bin/sh
2
3T=testcert
4KEY=512
5CA=../certs/testca.pem
6
7/bin/rm -f $T.1 $T.2 $T.key
8
9PATH=../apps:$PATH;
10export PATH
11
12echo "generating certificate request"
13
14echo "There should be a 2 sequences of .'s and some +'s."
15echo "There should not be more that at most 80 per line"
16echo "This could take some time."
17
18../apps/ssleay req -config test.cnf -new -out testreq.pem
19if [ $? != 0 ]; then
20echo problems creating request
21exit 1
22fi
23
24../apps/ssleay req -verify -in testreq.pem -noout
25if [ $? != 0 ]; then
26echo signature on req is wrong
27exit 1
28fi
29
30exit 0
diff --git a/src/lib/libssl/test/testp7.pem b/src/lib/libssl/test/testp7.pem
new file mode 100644
index 0000000000..b3b6dba830
--- /dev/null
+++ b/src/lib/libssl/test/testp7.pem
@@ -0,0 +1,46 @@
1-----BEGIN PKCS7-----
2MIAGCSqGSIb3DQEHAqCAMIIIBwIBATEAMIAGCSqGSIb3DQEHAQAAoIIGPDCCBHIw
3ggQcoAMCAQICEHkvjiX1iVGQMenF9HgIjI8wDQYJKoZIhvcNAQEEBQAwYjERMA8G
4A1UEBxMISW50ZXJuZXQxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMTQwMgYDVQQL
5EytWZXJpU2lnbiBDbGFzcyAxIENBIC0gSW5kaXZpZHVhbCBTdWJzY3JpYmVyMB4X
6DTk2MDcxOTAwMDAwMFoXDTk3MDMzMDIzNTk1OVowgdUxETAPBgNVBAcTCEludGVy
7bmV0MRcwFQYDVQQKEw5WZXJpU2lnbiwgSW5jLjE0MDIGA1UECxMrVmVyaVNpZ24g
8Q2xhc3MgMSBDQSAtIEluZGl2aWR1YWwgU3Vic2NyaWJlcjEoMCYGA1UECxMfRGln
9aXRhbCBJRCBDbGFzcyAxIC0gU01JTUUgVGVzdDFHMEUGA1UECxM+d3d3LnZlcmlz
10aWduLmNvbS9yZXBvc2l0b3J5L0NQUy0xLjAgSW5jLiBieSBSZWYuLExJQUIuTFRE
11KGMpOTYwWzANBgkqhkiG9w0BAQEFAANKADBHAkAOy7xxCAIkOfuIA2LyRpxgKlDO
12Rl8htdXYhF5iBGUx1GYaK6KF+bK/CCI0l4j2OfWGFBUrwGoWqxTNcWgTfMzRAgMB
13AAGjggI5MIICNTAJBgNVHRMEAjAAMIICJgYDVR0DBIICHTCCAhkwggIVMIICEQYL
14YIZIAYb4RQEHAQEwggIAFoIBq1RoaXMgY2VydGlmaWNhdGUgaW5jb3Jwb3JhdGVz
15IGJ5IHJlZmVyZW5jZSwgYW5kIGl0cyB1c2UgaXMgc3RyaWN0bHkgc3ViamVjdCB0
16bywgdGhlIFZlcmlTaWduIENlcnRpZmljYXRpb24gUHJhY3RpY2UgU3RhdGVtZW50
17IChDUFMpLCBhdmFpbGFibGUgYXQ6IGh0dHBzOi8vd3d3LnZlcmlzaWduLmNvbS9D
18UFMtMS4wOyBieSBFLW1haWwgYXQgQ1BTLXJlcXVlc3RzQHZlcmlzaWduLmNvbTsg
19b3IgYnkgbWFpbCBhdCBWZXJpU2lnbiwgSW5jLiwgMjU5MyBDb2FzdCBBdmUuLCBN
20b3VudGFpbiBWaWV3LCBDQSA5NDA0MyBVU0EgVGVsLiArMSAoNDE1KSA5NjEtODgz
21MCBDb3B5cmlnaHQgKGMpIDE5OTYgVmVyaVNpZ24sIEluYy4gIEFsbCBSaWdodHMg
22UmVzZXJ2ZWQuIENFUlRBSU4gV0FSUkFOVElFUyBESVNDTEFJTUVEIGFuZCBMSUFC
23SUxJVFkgTElNSVRFRC6gDgYMYIZIAYb4RQEHAQEBoQ4GDGCGSAGG+EUBBwEBAjAv
24MC0WK2h0dHBzOi8vd3d3LnZlcmlzaWduLmNvbS9yZXBvc2l0b3J5L0NQUy0xLgMw
25DQYJKoZIhvcNAQEEBQADQQDAmA7km/3iJWEsWN9Z2WU2gmZAknx45WnDKHxMa3Bf
26gNsh6BLk/ngkJKjNKTDR13XVHqEPUY1flbjATZputw1GMIIBwjCCAWygAwIBAgIQ
27fAmE6tW5ERSQWDneu3KfSTANBgkqhkiG9w0BAQIFADA+MQswCQYDVQQGEwJVUzEX
28MBUGA1UEChMOVmVyaVNpZ24sIEluYy4xFjAUBgNVBAsTDVRFU1QgUm9vdCBQQ0Ew
29HhcNOTYwNzE3MDAwMDAwWhcNOTcwNzE3MjM1OTU5WjBiMREwDwYDVQQHEwhJbnRl
30cm5ldDEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xNDAyBgNVBAsTK1ZlcmlTaWdu
31IENsYXNzIDEgQ0EgLSBJbmRpdmlkdWFsIFN1YnNjcmliZXIwXDANBgkqhkiG9w0B
32AQEFAANLADBIAkEA7Fc6zYJw4WwCWa1ni3fYNbzGSQNluuw990024GusjLfhEk1h
33MsIUukTT/n8yxoO7rYp4x+LS+tHF2tBtuxg7CwIDAQABoyIwIDALBgNVHQ8EBAMC
34AQYwEQYJYIZIAYb4QgEBBAQDAgIEMA0GCSqGSIb3DQEBAgUAA0EAFKem0cJGg9nd
35TAbP5o1HIEyNn11ZlvLU5v1Hejs1MKQt72IMm4jjgOH+pjguXW8lB6yzrK4oVOO2
36UNCaNQ1H26GCAa0wgeYwgZEwDQYJKoZIhvcNAQECBQAwYjERMA8GA1UEBxMISW50
37ZXJuZXQxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMTQwMgYDVQQLEytWZXJpU2ln
38biBDbGFzcyAxIENBIC0gSW5kaXZpZHVhbCBTdWJzY3JpYmVyFw05NjA3MTcxNzU5
39MjlaFw05NzA3MTgwMDAwMDBaMA0GCSqGSIb3DQEBAgUAA0EAubVWYTsWsQmste9f
40+UgMw8BkjDlM25fwQLrCfmmnLxjewey10kSROypUaJLb+r4oRALc0fG9XfZsaiiI
41gotQHjCBwTBtMA0GCSqGSIb3DQEBAgUAMD4xCzAJBgNVBAYTAlVTMRcwFQYDVQQK
42Ew5WZXJpU2lnbiwgSW5jLjEWMBQGA1UECxMNVEVTVCBSb290IFBDQRcNOTYwNzE3
43MTc0NDA5WhcNOTgwNzE3MDAwMDAwWjANBgkqhkiG9w0BAQIFAANBAHitA0/xAukC
44jHzeh1AMT/l2oC68N+yFb+aJPHBBMxc6gG2MaKjBNwb5hcXUllMlExONA3ju10f7
45owIq3s3wx10xAAAAAAA=
46-----END PKCS7-----
diff --git a/src/lib/libssl/test/testreq2.pem b/src/lib/libssl/test/testreq2.pem
new file mode 100644
index 0000000000..c3cdcffcbc
--- /dev/null
+++ b/src/lib/libssl/test/testreq2.pem
@@ -0,0 +1,7 @@
1-----BEGIN CERTIFICATE REQUEST-----
2MIHaMIGFAgEAMA4xDDAKBgNVBAMTA2NuNDBcMA0GCSqGSIb3DQEBAQUAA0sAMEgC
3QQCQsnkyUGDY2R3mYoeTprFJKgWuJ3f1jUjlIuW5+wfAUoeMt35c4vcFZ2mIBpEG
4DtzkNQN1kr2O9ldm9zYnYhyhAgMBAAGgEjAQBgorBgEEAYI3AgEOMQIwADANBgkq
5hkiG9w0BAQQFAANBAAb2szZgVIxg3vK6kYLjGSBISyuzcXJ6IvuPW6M+yzi1Qgoi
6gQhazHTJp91T8ItZEzUJGZSZl2e5iXlnffWB+/U=
7-----END CERTIFICATE REQUEST-----
diff --git a/src/lib/libssl/test/testrsa.pem b/src/lib/libssl/test/testrsa.pem
new file mode 100644
index 0000000000..aad21067a8
--- /dev/null
+++ b/src/lib/libssl/test/testrsa.pem
@@ -0,0 +1,9 @@
1-----BEGIN RSA PRIVATE KEY-----
2MIIBPAIBAAJBAKrbeqkuRk8VcRmWFmtP+LviMB3+6dizWW3DwaffznyHGAFwUJ/I
3Tv0XtbsCyl3QoyKGhrOAy3RvPK5M38iuXT0CAwEAAQJAZ3cnzaHXM/bxGaR5CR1R
4rD1qFBAVfoQFiOH9uPJgMaoAuoQEisPHVcZDKcOv4wEg6/TInAIXBnEigtqvRzuy
5oQIhAPcgZzUq3yVooAaoov8UbXPxqHlwo6GBMqnv20xzkf6ZAiEAsP4BnIaQTM8S
6mvcpHZwQJdmdHHkGKAs37Dfxi67HbkUCIQCeZGliHXFa071Fp06ZeWlR2ADonTZz
7rJBhdTe0v5pCeQIhAIZfkiGgGBX4cIuuckzEm43g9WMUjxP/0GlK39vIyihxAiEA
8mymehFRT0MvqW5xAKAx7Pgkt8HVKwVhc2LwGKHE0DZM=
9-----END RSA PRIVATE KEY-----
diff --git a/src/lib/libssl/test/testsid.pem b/src/lib/libssl/test/testsid.pem
new file mode 100644
index 0000000000..cd8617be2e
--- /dev/null
+++ b/src/lib/libssl/test/testsid.pem
@@ -0,0 +1,12 @@
1-----BEGIN SSL SESSION PARAMETERS-----
2MIIBxwIBAQIBAgQDAQCABBCi11xa5qkOP8xrr02K/NQCBBBkIYQZM0Bt95W0EHNV
3bA58oQYCBDIBr7WiBAICASyjggGGMIIBgjCCASwCAQMwDQYJKoZIhvcNAQEEBQAw
4ODELMAkGA1UEBhMCQVUxDDAKBgNVBAgTA1FMRDEbMBkGA1UEAxMSU1NMZWF5L3Jz
5YSB0ZXN0IENBMB4XDTk1MTAwOTIzMzEzNFoXDTk4MDcwNTIzMzEzNFowYDELMAkG
6A1UEBhMCQVUxDDAKBgNVBAgTA1FMRDEZMBcGA1UEChMQTWluY29tIFB0eS4gTHRk
7LjELMAkGA1UECxMCQ1MxGzAZBgNVBAMTElNTTGVheSBkZW1vIGNsaWVudDBcMA0G
8CSqGSIb3DQEBAQUAA0sAMEgCQQC4pcXEL1lgVA+B5Q3TcuW/O3LZHoA73IYm8oFD
9TezgCDhL2RTMn+seKWF36UtJKRIOBU9jZHCVVd0Me5ls6BEjAgMBAAEwDQYJKoZI
10hvcNAQEEBQADQQBoIpOcwUY1qlVF7j3ROSGvUsbvByOBFmYWkIBgsCqR+9qo1A7L
11CrWF5i8LWt/vLwAHaxWNx2YuBJMFyuK81fTv
12-----END SSL SESSION PARAMETERS-----
diff --git a/src/lib/libssl/test/testss b/src/lib/libssl/test/testss
new file mode 100644
index 0000000000..a5aecf4694
--- /dev/null
+++ b/src/lib/libssl/test/testss
@@ -0,0 +1,89 @@
1#!/bin/sh
2
3digest='-mdc2'
4reqcmd="../apps/ssleay req"
5x509cmd="../apps/ssleay x509 $digest"
6verifycmd="../apps/ssleay verify"
7
8CAkey="keyCA.ss"
9CAcert="certCA.ss"
10CAreq="reqCA.ss"
11CAconf="CAss.cnf"
12CAreq2="req2CA.ss" # temp
13
14Uconf="Uss.cnf"
15Ukey="keyU.ss"
16Ureq="reqU.ss"
17Ucert="certU.ss"
18
19echo
20echo "make a certificate request using 'req'"
21$reqcmd -config $CAconf -out $CAreq -keyout $CAkey -new #>err.ss
22if [ $? != 0 ]; then
23 echo "error using 'req' to generate a certificate request"
24 exit 1
25fi
26echo
27echo "convert the certificate request into a self signed certificate using 'x509'"
28$x509cmd -CAcreateserial -in $CAreq -days 30 -req -out $CAcert -signkey $CAkey >err.ss
29if [ $? != 0 ]; then
30 echo "error using 'x509' to self sign a certificate request"
31 exit 1
32fi
33
34echo
35echo "convert a certificate into a certificate request using 'x509'"
36$x509cmd -in $CAcert -x509toreq -signkey $CAkey -out $CAreq2 >err.ss
37if [ $? != 0 ]; then
38 echo "error using 'x509' convert a certificate to a certificate request"
39 exit 1
40fi
41
42$reqcmd -verify -in $CAreq -noout
43if [ $? != 0 ]; then
44 echo first generated request is invalid
45 exit 1
46fi
47
48$reqcmd -verify -in $CAreq2 -noout
49if [ $? != 0 ]; then
50 echo second generated request is invalid
51 exit 1
52fi
53
54$verifycmd -CAfile $CAcert $CAcert
55if [ $? != 0 ]; then
56 echo first generated cert is invalid
57 exit 1
58fi
59
60echo
61echo "make another certificate request using 'req'"
62$reqcmd -config $Uconf -out $Ureq -keyout $Ukey -new >err.ss
63if [ $? != 0 ]; then
64 echo "error using 'req' to generate a certificate request"
65 exit 1
66fi
67
68echo
69echo "sign certificate request with the just created CA via 'x509'"
70$x509cmd -CAcreateserial -in $Ureq -days 30 -req -out $Ucert -CA $CAcert -CAkey $CAkey >err.ss
71if [ $? != 0 ]; then
72 echo "error using 'x509' to sign a certificate request"
73 exit 1
74fi
75
76$verifycmd -CAfile $CAcert $Ucert
77echo
78echo "Certificate details"
79$x509cmd -subject -issuer -startdate -enddate -noout -in $Ucert
80
81echo
82echo The generated CA certificate is $CAcert
83echo The generated CA private key is $CAkey
84
85echo The generated user certificate is $Ucert
86echo The generated user private key is $Ukey
87
88/bin/rm err.ss
89exit 0
diff --git a/src/lib/libssl/test/testssl b/src/lib/libssl/test/testssl
new file mode 100644
index 0000000000..f115adb8e1
--- /dev/null
+++ b/src/lib/libssl/test/testssl
@@ -0,0 +1,40 @@
1#!/bin/sh
2
3echo test sslv2
4./ssltest -ssl2 || exit 1
5
6echo test sslv2 with server authentication
7./ssltest -ssl2 -server_auth -CApath ../certs || exit 1
8
9echo test sslv2 with client authentication
10./ssltest -ssl2 -client_auth -CApath ../certs || exit 1
11
12echo test sslv2 with both client and server authentication
13./ssltest -ssl2 -server_auth -client_auth -CApath ../certs || exit 1
14
15echo test sslv3
16./ssltest -ssl3 || exit 1
17
18echo test sslv3 with server authentication
19./ssltest -ssl3 -server_auth -CApath ../certs || exit 1
20
21echo test sslv3 with client authentication
22./ssltest -ssl3 -client_auth -CApath ../certs || exit 1
23
24echo test sslv3 with both client and server authentication
25./ssltest -ssl3 -server_auth -client_auth -CApath ../certs || exit 1
26
27echo test sslv2/sslv3
28./ssltest || exit 1
29
30echo test sslv2/sslv3 with server authentication
31./ssltest -server_auth -CApath ../certs || exit 1
32
33echo test sslv2/sslv3 with client authentication
34./ssltest -client_auth -CApath ../certs || exit 1
35
36echo test sslv2/sslv3 with both client and server authentication
37./ssltest -server_auth -client_auth -CApath ../certs || exit 1
38
39exit 0
40
diff --git a/src/lib/libssl/test/testx509.pem b/src/lib/libssl/test/testx509.pem
new file mode 100644
index 0000000000..8a85d14964
--- /dev/null
+++ b/src/lib/libssl/test/testx509.pem
@@ -0,0 +1,10 @@
1-----BEGIN CERTIFICATE-----
2MIIBWzCCAQYCARgwDQYJKoZIhvcNAQEEBQAwODELMAkGA1UEBhMCQVUxDDAKBgNV
3BAgTA1FMRDEbMBkGA1UEAxMSU1NMZWF5L3JzYSB0ZXN0IENBMB4XDTk1MDYxOTIz
4MzMxMloXDTk1MDcxNzIzMzMxMlowOjELMAkGA1UEBhMCQVUxDDAKBgNVBAgTA1FM
5RDEdMBsGA1UEAxMUU1NMZWF5L3JzYSB0ZXN0IGNlcnQwXDANBgkqhkiG9w0BAQEF
6AANLADBIAkEAqtt6qS5GTxVxGZYWa0/4u+IwHf7p2LNZbcPBp9/OfIcYAXBQn8hO
7/Re1uwLKXdCjIoaGs4DLdG88rkzfyK5dPQIDAQABMAwGCCqGSIb3DQIFBQADQQAE
8Wc7EcF8po2/ZO6kNCwK/ICH6DobgLekA5lSLr5EvuioZniZp5lFzAw4+YzPQ7XKJ
9zl9HYIMxATFyqSiD9jsx
10-----END CERTIFICATE-----
diff --git a/src/lib/libssl/test/times b/src/lib/libssl/test/times
new file mode 100644
index 0000000000..49aeebf216
--- /dev/null
+++ b/src/lib/libssl/test/times
@@ -0,0 +1,113 @@
1
2More number for the questions about SSL overheads....
3
4The following numbers were generated on a pentium pro 200, running linux.
5They give an indication of the SSL protocol and encryption overheads.
6
7The program that generated them is an unreleased version of ssl/ssltest.c
8which is the SSLeay ssl protocol testing program. It is a single process that
9talks both sides of the SSL protocol via a non-blocking memory buffer
10interface.
11
12How do I read this? The protocol and cipher are reasonable obvious.
13The next number is the number of connections being made. The next is the
14number of bytes exchanged bewteen the client and server side of the protocol.
15This is the number of bytes that the client sends to the server, and then
16the server sends back. Because this is all happening in one process,
17the data is being encrypted, decrypted, encrypted and then decrypted again.
18It is a round trip of that many bytes. Because the one process performs
19both the client and server sides of the protocol and it sends this many bytes
20each direction, multiply this number by 4 to generate the number
21of bytes encrypted/decrypted/MACed. The first time value is how many seconds
22elapsed doing a full SSL handshake, the second is the cost of one
23full handshake and the rest being session-id reuse.
24
25SSLv2 RC4-MD5 1000 x 1 12.83s 0.70s
26SSLv3 NULL-MD5 1000 x 1 14.35s 1.47s
27SSLv3 RC4-MD5 1000 x 1 14.46s 1.56s
28SSLv3 RC4-MD5 1000 x 1 51.93s 1.62s 1024bit RSA
29SSLv3 RC4-SHA 1000 x 1 14.61s 1.83s
30SSLv3 DES-CBC-SHA 1000 x 1 14.70s 1.89s
31SSLv3 DES-CBC3-SHA 1000 x 1 15.16s 2.16s
32
33SSLv2 RC4-MD5 1000 x 1024 13.72s 1.27s
34SSLv3 NULL-MD5 1000 x 1024 14.79s 1.92s
35SSLv3 RC4-MD5 1000 x 1024 52.58s 2.29s 1024bit RSA
36SSLv3 RC4-SHA 1000 x 1024 15.39s 2.67s
37SSLv3 DES-CBC-SHA 1000 x 1024 16.45s 3.55s
38SSLv3 DES-CBC3-SHA 1000 x 1024 18.21s 5.38s
39
40SSLv2 RC4-MD5 1000 x 10240 18.97s 6.52s
41SSLv3 NULL-MD5 1000 x 10240 17.79s 5.11s
42SSLv3 RC4-MD5 1000 x 10240 20.25s 7.90s
43SSLv3 RC4-MD5 1000 x 10240 58.26s 8.08s 1024bit RSA
44SSLv3 RC4-SHA 1000 x 10240 22.96s 11.44s
45SSLv3 DES-CBC-SHA 1000 x 10240 30.65s 18.41s
46SSLv3 DES-CBC3-SHA 1000 x 10240 47.04s 34.53s
47
48SSLv2 RC4-MD5 1000 x 102400 70.22s 57.74s
49SSLv3 NULL-MD5 1000 x 102400 43.73s 31.03s
50SSLv3 RC4-MD5 1000 x 102400 71.32s 58.83s
51SSLv3 RC4-MD5 1000 x 102400 109.66s 59.20s 1024bit RSA
52SSLv3 RC4-SHA 1000 x 102400 95.88s 82.21s
53SSLv3 DES-CBC-SHA 1000 x 102400 173.22s 160.55s
54SSLv3 DES-CBC3-SHA 1000 x 102400 336.61s 323.82s
55
56What does this all mean? Well for a server, with no session-id reuse, with
57a transfer size of 10240 bytes, using RC4-MD5 and a 512bit server key,
58a pentium pro 200 running linux can handle the SSLv3 protocol overheads of
59about 49 connections a second. Reality will be quite different :-).
60
61Remeber the first number is 1000 full ssl handshakes, the second is
621 full and 999 with session-id reuse. The RSA overheads for each exchange
63would be one public and one private operation, but the protocol/MAC/cipher
64cost would be quite similar in both the client and server.
65
66eric (adding numbers to speculation)
67
68--- Appendix ---
69- The time measured is user time but these number a very rough.
70- Remember this is the cost of both client and server sides of the protocol.
71- The TCP/kernal overhead of connection establishment is normally the
72 killer in SSL. Often delays in the TCP protocol will make session-id
73 reuse look slower that new sessions, but this would not be the case on
74 a loaded server.
75- The TCP round trip latencies, while slowing indervidual connections,
76 would have minimal impact on throughput.
77- Instead of sending one 102400 byte buffer, one 8k buffer is sent until
78- the required number of bytes are processed.
79- The SSLv3 connections were actually SSLv2 compatable SSLv3 headers.
80- A 512bit server key was being used except where noted.
81- No server key verification was being performed on the client side of the
82 protocol. This would slow things down very little.
83- The library being used is SSLeay 0.8.x.
84- The normal mesauring system was commands of the form
85 time ./ssltest -num 1000 -bytes 102400 -cipher DES-CBC-SHA -reuse
86 This modified version of ssltest should be in the next public release of
87 SSLeay.
88
89The general cipher performace number for this platform are
90
91SSLeay 0.8.2a 04-Sep-1997
92built on Fri Sep 5 17:37:05 EST 1997
93options:bn(64,32) md2(int) rc4(idx,int) des(ptr,risc1,16,long) idea(int) blowfish(ptr2)
94C flags:gcc -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -m486 -Wall -Wuninitialized
95The 'numbers' are in 1000s of bytes per second processed.
96type 8 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes
97md2 131.02k 368.41k 500.57k 549.21k 566.09k
98mdc2 535.60k 589.10k 595.88k 595.97k 594.54k
99md5 1801.53k 9674.77k 17484.03k 21849.43k 23592.96k
100sha 1261.63k 5533.25k 9285.63k 11187.88k 11913.90k
101sha1 1103.13k 4782.53k 7933.78k 9472.34k 10070.70k
102rc4 10722.53k 14443.93k 15215.79k 15299.24k 15219.59k
103des cbc 3286.57k 3827.73k 3913.39k 3931.82k 3926.70k
104des ede3 1443.50k 1549.08k 1561.17k 1566.38k 1564.67k
105idea cbc 2203.64k 2508.16k 2538.33k 2543.62k 2547.71k
106rc2 cbc 1430.94k 1511.59k 1524.82k 1527.13k 1523.33k
107blowfish cbc 4716.07k 5965.82k 6190.17k 6243.67k 6234.11k
108 sign verify
109rsa 512 bits 0.0100s 0.0011s
110rsa 1024 bits 0.0451s 0.0012s
111rsa 2048 bits 0.2605s 0.0086s
112rsa 4096 bits 1.6883s 0.0302s
113
diff --git a/src/lib/libssl/test/tpkcs7 b/src/lib/libssl/test/tpkcs7
new file mode 100644
index 0000000000..ea1f005dac
--- /dev/null
+++ b/src/lib/libssl/test/tpkcs7
@@ -0,0 +1,51 @@
1#!/bin/sh
2
3PATH=../apps:$PATH
4export PATH
5
6cmd='../apps/ssleay pkcs7'
7
8if [ "$1"x != "x" ]; then
9 t=$1
10else
11 t=testp7.pem
12fi
13
14echo testing pkcs7 conversions
15cp $t fff.p
16
17echo "p -> d"
18$cmd -in fff.p -inform p -outform d >f.d
19if [ $? != 0 ]; then exit 1; fi
20echo "p -> p"
21$cmd -in fff.p -inform p -outform p >f.p
22if [ $? != 0 ]; then exit 1; fi
23
24echo "d -> d"
25$cmd -in f.d -inform d -outform d >ff.d1
26if [ $? != 0 ]; then exit 1; fi
27echo "p -> d"
28$cmd -in f.p -inform p -outform d >ff.d3
29if [ $? != 0 ]; then exit 1; fi
30
31echo "d -> p"
32$cmd -in f.d -inform d -outform p >ff.p1
33if [ $? != 0 ]; then exit 1; fi
34echo "p -> p"
35$cmd -in f.p -inform p -outform p >ff.p3
36if [ $? != 0 ]; then exit 1; fi
37
38cmp fff.p f.p
39if [ $? != 0 ]; then exit 1; fi
40cmp fff.p ff.p1
41if [ $? != 0 ]; then exit 1; fi
42cmp fff.p ff.p3
43if [ $? != 0 ]; then exit 1; fi
44
45cmp f.p ff.p1
46if [ $? != 0 ]; then exit 1; fi
47cmp f.p ff.p3
48if [ $? != 0 ]; then exit 1; fi
49
50/bin/rm -f f.* ff.* fff.*
51exit 0
diff --git a/src/lib/libssl/test/tpkcs7d b/src/lib/libssl/test/tpkcs7d
new file mode 100644
index 0000000000..c8f18fb09c
--- /dev/null
+++ b/src/lib/libssl/test/tpkcs7d
@@ -0,0 +1,44 @@
1#!/bin/sh
2
3PATH=../apps:$PATH
4export PATH
5
6cmd='../apps/ssleay pkcs7'
7
8if [ "$1"x != "x" ]; then
9 t=$1
10else
11 t=pkcs7-1.pem
12fi
13
14echo testing pkcs7 conversions
15cp $t fff.p
16
17echo "p -> d"
18$cmd -in fff.p -inform p -outform d >f.d
19if [ $? != 0 ]; then exit 1; fi
20echo "p -> p"
21$cmd -in fff.p -inform p -outform p >f.p
22if [ $? != 0 ]; then exit 1; fi
23
24echo "d -> d"
25$cmd -in f.d -inform d -outform d >ff.d1
26if [ $? != 0 ]; then exit 1; fi
27echo "p -> d"
28$cmd -in f.p -inform p -outform d >ff.d3
29if [ $? != 0 ]; then exit 1; fi
30
31echo "d -> p"
32$cmd -in f.d -inform d -outform p >ff.p1
33if [ $? != 0 ]; then exit 1; fi
34echo "p -> p"
35$cmd -in f.p -inform p -outform p >ff.p3
36if [ $? != 0 ]; then exit 1; fi
37
38cmp f.p ff.p1
39if [ $? != 0 ]; then exit 1; fi
40cmp f.p ff.p3
41if [ $? != 0 ]; then exit 1; fi
42
43/bin/rm -f f.* ff.* fff.*
44exit 0
diff --git a/src/lib/libssl/test/treq b/src/lib/libssl/test/treq
new file mode 100644
index 0000000000..e5f1d8cc41
--- /dev/null
+++ b/src/lib/libssl/test/treq
@@ -0,0 +1,81 @@
1#!/bin/sh
2
3PATH=../apps:$PATH
4export PATH
5
6cmd='../apps/ssleay req'
7
8if [ "$1"x != "x" ]; then
9 t=$1
10else
11 t=testreq.pem
12fi
13
14echo testing req conversions
15cp $t fff.p
16
17echo "p -> d"
18$cmd -in fff.p -inform p -outform d >f.d
19if [ $? != 0 ]; then exit 1; fi
20#echo "p -> t"
21#$cmd -in fff.p -inform p -outform t >f.t
22#if [ $? != 0 ]; then exit 1; fi
23echo "p -> p"
24$cmd -in fff.p -inform p -outform p >f.p
25if [ $? != 0 ]; then exit 1; fi
26
27echo "d -> d"
28$cmd -verify -in f.d -inform d -outform d >ff.d1
29if [ $? != 0 ]; then exit 1; fi
30#echo "t -> d"
31#$cmd -in f.t -inform t -outform d >ff.d2
32#if [ $? != 0 ]; then exit 1; fi
33echo "p -> d"
34$cmd -verify -in f.p -inform p -outform d >ff.d3
35if [ $? != 0 ]; then exit 1; fi
36
37#echo "d -> t"
38#$cmd -in f.d -inform d -outform t >ff.t1
39#if [ $? != 0 ]; then exit 1; fi
40#echo "t -> t"
41#$cmd -in f.t -inform t -outform t >ff.t2
42#if [ $? != 0 ]; then exit 1; fi
43#echo "p -> t"
44#$cmd -in f.p -inform p -outform t >ff.t3
45#if [ $? != 0 ]; then exit 1; fi
46
47echo "d -> p"
48$cmd -in f.d -inform d -outform p >ff.p1
49if [ $? != 0 ]; then exit 1; fi
50#echo "t -> p"
51#$cmd -in f.t -inform t -outform p >ff.p2
52#if [ $? != 0 ]; then exit 1; fi
53echo "p -> p"
54$cmd -in f.p -inform p -outform p >ff.p3
55if [ $? != 0 ]; then exit 1; fi
56
57cmp fff.p f.p
58if [ $? != 0 ]; then exit 1; fi
59cmp fff.p ff.p1
60if [ $? != 0 ]; then exit 1; fi
61#cmp fff.p ff.p2
62#if [ $? != 0 ]; then exit 1; fi
63cmp fff.p ff.p3
64if [ $? != 0 ]; then exit 1; fi
65
66#cmp f.t ff.t1
67#if [ $? != 0 ]; then exit 1; fi
68#cmp f.t ff.t2
69#if [ $? != 0 ]; then exit 1; fi
70#cmp f.t ff.t3
71#if [ $? != 0 ]; then exit 1; fi
72
73cmp f.p ff.p1
74if [ $? != 0 ]; then exit 1; fi
75#cmp f.p ff.p2
76#if [ $? != 0 ]; then exit 1; fi
77cmp f.p ff.p3
78if [ $? != 0 ]; then exit 1; fi
79
80/bin/rm -f f.* ff.* fff.*
81exit 0
diff --git a/src/lib/libssl/test/trsa b/src/lib/libssl/test/trsa
new file mode 100644
index 0000000000..e5b8fe0448
--- /dev/null
+++ b/src/lib/libssl/test/trsa
@@ -0,0 +1,81 @@
1#!/bin/sh
2
3PATH=../apps:$PATH
4export PATH
5
6cmd='../apps/ssleay rsa'
7
8if [ "$1"x != "x" ]; then
9 t=$1
10else
11 t=testrsa.pem
12fi
13
14echo testing rsa conversions
15cp $t fff.p
16
17echo "p -> d"
18$cmd -in fff.p -inform p -outform d >f.d
19if [ $? != 0 ]; then exit 1; fi
20#echo "p -> t"
21#$cmd -in fff.p -inform p -outform t >f.t
22#if [ $? != 0 ]; then exit 1; fi
23echo "p -> p"
24$cmd -in fff.p -inform p -outform p >f.p
25if [ $? != 0 ]; then exit 1; fi
26
27echo "d -> d"
28$cmd -in f.d -inform d -outform d >ff.d1
29if [ $? != 0 ]; then exit 1; fi
30#echo "t -> d"
31#$cmd -in f.t -inform t -outform d >ff.d2
32#if [ $? != 0 ]; then exit 1; fi
33echo "p -> d"
34$cmd -in f.p -inform p -outform d >ff.d3
35if [ $? != 0 ]; then exit 1; fi
36
37#echo "d -> t"
38#$cmd -in f.d -inform d -outform t >ff.t1
39#if [ $? != 0 ]; then exit 1; fi
40#echo "t -> t"
41#$cmd -in f.t -inform t -outform t >ff.t2
42#if [ $? != 0 ]; then exit 1; fi
43#echo "p -> t"
44#$cmd -in f.p -inform p -outform t >ff.t3
45#if [ $? != 0 ]; then exit 1; fi
46
47echo "d -> p"
48$cmd -in f.d -inform d -outform p >ff.p1
49if [ $? != 0 ]; then exit 1; fi
50#echo "t -> p"
51#$cmd -in f.t -inform t -outform p >ff.p2
52#if [ $? != 0 ]; then exit 1; fi
53echo "p -> p"
54$cmd -in f.p -inform p -outform p >ff.p3
55if [ $? != 0 ]; then exit 1; fi
56
57cmp fff.p f.p
58if [ $? != 0 ]; then exit 1; fi
59cmp fff.p ff.p1
60if [ $? != 0 ]; then exit 1; fi
61#cmp fff.p ff.p2
62#if [ $? != 0 ]; then exit 1; fi
63cmp fff.p ff.p3
64if [ $? != 0 ]; then exit 1; fi
65
66#cmp f.t ff.t1
67#if [ $? != 0 ]; then exit 1; fi
68#cmp f.t ff.t2
69#if [ $? != 0 ]; then exit 1; fi
70#cmp f.t ff.t3
71#if [ $? != 0 ]; then exit 1; fi
72
73cmp f.p ff.p1
74if [ $? != 0 ]; then exit 1; fi
75#cmp f.p ff.p2
76#if [ $? != 0 ]; then exit 1; fi
77cmp f.p ff.p3
78if [ $? != 0 ]; then exit 1; fi
79
80/bin/rm -f f.* ff.* fff.*
81exit 0
diff --git a/src/lib/libssl/test/tsid b/src/lib/libssl/test/tsid
new file mode 100644
index 0000000000..8c7e9b1387
--- /dev/null
+++ b/src/lib/libssl/test/tsid
@@ -0,0 +1,81 @@
1#!/bin/sh
2
3PATH=../apps:$PATH
4export PATH
5
6cmd='../apps/ssleay sess_id'
7
8if [ "$1"x != "x" ]; then
9 t=$1
10else
11 t=testsid.pem
12fi
13
14echo testing session-id conversions
15cp $t fff.p
16
17echo "p -> d"
18$cmd -in fff.p -inform p -outform d >f.d
19if [ $? != 0 ]; then exit 1; fi
20#echo "p -> t"
21#$cmd -in fff.p -inform p -outform t >f.t
22#if [ $? != 0 ]; then exit 1; fi
23echo "p -> p"
24$cmd -in fff.p -inform p -outform p >f.p
25if [ $? != 0 ]; then exit 1; fi
26
27echo "d -> d"
28$cmd -in f.d -inform d -outform d >ff.d1
29if [ $? != 0 ]; then exit 1; fi
30#echo "t -> d"
31#$cmd -in f.t -inform t -outform d >ff.d2
32#if [ $? != 0 ]; then exit 1; fi
33echo "p -> d"
34$cmd -in f.p -inform p -outform d >ff.d3
35if [ $? != 0 ]; then exit 1; fi
36
37#echo "d -> t"
38#$cmd -in f.d -inform d -outform t >ff.t1
39#if [ $? != 0 ]; then exit 1; fi
40#echo "t -> t"
41#$cmd -in f.t -inform t -outform t >ff.t2
42#if [ $? != 0 ]; then exit 1; fi
43#echo "p -> t"
44#$cmd -in f.p -inform p -outform t >ff.t3
45#if [ $? != 0 ]; then exit 1; fi
46
47echo "d -> p"
48$cmd -in f.d -inform d -outform p >ff.p1
49if [ $? != 0 ]; then exit 1; fi
50#echo "t -> p"
51#$cmd -in f.t -inform t -outform p >ff.p2
52#if [ $? != 0 ]; then exit 1; fi
53echo "p -> p"
54$cmd -in f.p -inform p -outform p >ff.p3
55if [ $? != 0 ]; then exit 1; fi
56
57cmp fff.p f.p
58if [ $? != 0 ]; then exit 1; fi
59cmp fff.p ff.p1
60if [ $? != 0 ]; then exit 1; fi
61#cmp fff.p ff.p2
62#if [ $? != 0 ]; then exit 1; fi
63cmp fff.p ff.p3
64if [ $? != 0 ]; then exit 1; fi
65
66#cmp f.t ff.t1
67#if [ $? != 0 ]; then exit 1; fi
68#cmp f.t ff.t2
69#if [ $? != 0 ]; then exit 1; fi
70#cmp f.t ff.t3
71#if [ $? != 0 ]; then exit 1; fi
72
73cmp f.p ff.p1
74if [ $? != 0 ]; then exit 1; fi
75#cmp f.p ff.p2
76#if [ $? != 0 ]; then exit 1; fi
77cmp f.p ff.p3
78if [ $? != 0 ]; then exit 1; fi
79
80/bin/rm -f f.* ff.* fff.*
81exit 0
diff --git a/src/lib/libssl/test/tx509 b/src/lib/libssl/test/tx509
new file mode 100644
index 0000000000..f8d1f82cdd
--- /dev/null
+++ b/src/lib/libssl/test/tx509
@@ -0,0 +1,81 @@
1#!/bin/sh
2
3PATH=../apps:$PATH
4export PATH
5
6cmd='../apps/ssleay x509'
7
8if [ "$1"x != "x" ]; then
9 t=$1
10else
11 t=testx509.pem
12fi
13
14echo testing X509 conversions
15cp $t fff.p
16
17echo "p -> d"
18$cmd -in fff.p -inform p -outform d >f.d
19if [ $? != 0 ]; then exit 1; fi
20echo "p -> n"
21$cmd -in fff.p -inform p -outform n >f.n
22if [ $? != 0 ]; then exit 1; fi
23echo "p -> p"
24$cmd -in fff.p -inform p -outform p >f.p
25if [ $? != 0 ]; then exit 1; fi
26
27echo "d -> d"
28$cmd -in f.d -inform d -outform d >ff.d1
29if [ $? != 0 ]; then exit 1; fi
30echo "n -> d"
31$cmd -in f.n -inform n -outform d >ff.d2
32if [ $? != 0 ]; then exit 1; fi
33echo "p -> d"
34$cmd -in f.p -inform p -outform d >ff.d3
35if [ $? != 0 ]; then exit 1; fi
36
37echo "d -> n"
38$cmd -in f.d -inform d -outform n >ff.n1
39if [ $? != 0 ]; then exit 1; fi
40echo "n -> n"
41$cmd -in f.n -inform n -outform n >ff.n2
42if [ $? != 0 ]; then exit 1; fi
43echo "p -> n"
44$cmd -in f.p -inform p -outform n >ff.n3
45if [ $? != 0 ]; then exit 1; fi
46
47echo "d -> p"
48$cmd -in f.d -inform d -outform p >ff.p1
49if [ $? != 0 ]; then exit 1; fi
50echo "n -> p"
51$cmd -in f.n -inform n -outform p >ff.p2
52if [ $? != 0 ]; then exit 1; fi
53echo "p -> p"
54$cmd -in f.p -inform p -outform p >ff.p3
55if [ $? != 0 ]; then exit 1; fi
56
57cmp fff.p f.p
58if [ $? != 0 ]; then exit 1; fi
59cmp fff.p ff.p1
60if [ $? != 0 ]; then exit 1; fi
61cmp fff.p ff.p2
62if [ $? != 0 ]; then exit 1; fi
63cmp fff.p ff.p3
64if [ $? != 0 ]; then exit 1; fi
65
66cmp f.n ff.n1
67if [ $? != 0 ]; then exit 1; fi
68cmp f.n ff.n2
69if [ $? != 0 ]; then exit 1; fi
70cmp f.n ff.n3
71if [ $? != 0 ]; then exit 1; fi
72
73cmp f.p ff.p1
74if [ $? != 0 ]; then exit 1; fi
75cmp f.p ff.p2
76if [ $? != 0 ]; then exit 1; fi
77cmp f.p ff.p3
78if [ $? != 0 ]; then exit 1; fi
79
80/bin/rm -f f.* ff.* fff.*
81exit 0
diff --git a/src/lib/libssl/test/v3-cert1.pem b/src/lib/libssl/test/v3-cert1.pem
new file mode 100644
index 0000000000..0da253d5c3
--- /dev/null
+++ b/src/lib/libssl/test/v3-cert1.pem
@@ -0,0 +1,16 @@
1-----BEGIN CERTIFICATE-----
2MIICjTCCAfigAwIBAgIEMaYgRzALBgkqhkiG9w0BAQQwRTELMAkGA1UEBhMCVVMx
3NjA0BgNVBAoTLU5hdGlvbmFsIEFlcm9uYXV0aWNzIGFuZCBTcGFjZSBBZG1pbmlz
4dHJhdGlvbjAmFxE5NjA1MjgxMzQ5MDUrMDgwMBcROTgwNTI4MTM0OTA1KzA4MDAw
5ZzELMAkGA1UEBhMCVVMxNjA0BgNVBAoTLU5hdGlvbmFsIEFlcm9uYXV0aWNzIGFu
6ZCBTcGFjZSBBZG1pbmlzdHJhdGlvbjEgMAkGA1UEBRMCMTYwEwYDVQQDEwxTdGV2
7ZSBTY2hvY2gwWDALBgkqhkiG9w0BAQEDSQAwRgJBALrAwyYdgxmzNP/ts0Uyf6Bp
8miJYktU/w4NG67ULaN4B5CnEz7k57s9o3YY3LecETgQ5iQHmkwlYDTL2fTgVfw0C
9AQOjgaswgagwZAYDVR0ZAQH/BFowWDBWMFQxCzAJBgNVBAYTAlVTMTYwNAYDVQQK
10Ey1OYXRpb25hbCBBZXJvbmF1dGljcyBhbmQgU3BhY2UgQWRtaW5pc3RyYXRpb24x
11DTALBgNVBAMTBENSTDEwFwYDVR0BAQH/BA0wC4AJODMyOTcwODEwMBgGA1UdAgQR
12MA8ECTgzMjk3MDgyM4ACBSAwDQYDVR0KBAYwBAMCBkAwCwYJKoZIhvcNAQEEA4GB
13AH2y1VCEw/A4zaXzSYZJTTUi3uawbbFiS2yxHvgf28+8Js0OHXk1H1w2d6qOHH21
14X82tZXd/0JtG0g1T9usFFBDvYK8O0ebgz/P5ELJnBL2+atObEuJy1ZZ0pBDWINR3
15WkDNLCGiTkCKp0F5EWIrVDwh54NNevkCQRZita+z4IBO
16-----END CERTIFICATE-----
diff --git a/src/lib/libssl/test/v3-cert2.pem b/src/lib/libssl/test/v3-cert2.pem
new file mode 100644
index 0000000000..de0723ff8d
--- /dev/null
+++ b/src/lib/libssl/test/v3-cert2.pem
@@ -0,0 +1,16 @@
1-----BEGIN CERTIFICATE-----
2MIICiTCCAfKgAwIBAgIEMeZfHzANBgkqhkiG9w0BAQQFADB9MQswCQYDVQQGEwJD
3YTEPMA0GA1UEBxMGTmVwZWFuMR4wHAYDVQQLExVObyBMaWFiaWxpdHkgQWNjZXB0
4ZWQxHzAdBgNVBAoTFkZvciBEZW1vIFB1cnBvc2VzIE9ubHkxHDAaBgNVBAMTE0Vu
5dHJ1c3QgRGVtbyBXZWIgQ0EwHhcNOTYwNzEyMTQyMDE1WhcNOTYxMDEyMTQyMDE1
6WjB0MSQwIgYJKoZIhvcNAQkBExVjb29rZUBpc3NsLmF0bC5ocC5jb20xCzAJBgNV
7BAYTAlVTMScwJQYDVQQLEx5IZXdsZXR0IFBhY2thcmQgQ29tcGFueSAoSVNTTCkx
8FjAUBgNVBAMTDVBhdWwgQS4gQ29va2UwXDANBgkqhkiG9w0BAQEFAANLADBIAkEA
96ceSq9a9AU6g+zBwaL/yVmW1/9EE8s5you1mgjHnj0wAILuoB3L6rm6jmFRy7QZT
10G43IhVZdDua4e+5/n1ZslwIDAQABo2MwYTARBglghkgBhvhCAQEEBAMCB4AwTAYJ
11YIZIAYb4QgENBD8WPVRoaXMgY2VydGlmaWNhdGUgaXMgb25seSBpbnRlbmRlZCBm
12b3IgZGVtb25zdHJhdGlvbiBwdXJwb3Nlcy4wDQYJKoZIhvcNAQEEBQADgYEAi8qc
13F3zfFqy1sV8NhjwLVwOKuSfhR/Z8mbIEUeSTlnH3QbYt3HWZQ+vXI8mvtZoBc2Fz
14lexKeIkAZXCesqGbs6z6nCt16P6tmdfbZF3I3AWzLquPcOXjPf4HgstkyvVBn0Ap
15jAFN418KF/Cx4qyHB4cjdvLrRjjQLnb2+ibo7QU=
16-----END CERTIFICATE-----
diff --git a/src/lib/libssl/tls1.h b/src/lib/libssl/tls1.h
new file mode 100644
index 0000000000..60978613ef
--- /dev/null
+++ b/src/lib/libssl/tls1.h
@@ -0,0 +1,115 @@
1/* ssl/tls1.h */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#ifndef HEADER_TLS1_H
60#define HEADER_TLS1_H
61
62#include "buffer.h"
63
64#ifdef __cplusplus
65extern "C" {
66#endif
67
68#define TLS1_VERSION 0x0301
69#define TLS1_VERSION_MAJOR 0x03
70#define TLS1_VERSION_MINOR 0x01
71
72#define TLS1_AD_DECRYPTION_FAILED 21
73#define TLS1_AD_RECORD_OVERFLOW 22
74#define TLS1_AD_UNKNOWN_CA 48 /* fatal */
75#define TLS1_AD_ACCESS_DENIED 49 /* fatal */
76#define TLS1_AD_DECODE_ERROR 50 /* fatal */
77#define TLS1_AD_DECRYPT_ERROR 51
78#define TLS1_AD_EXPORT_RESTRICION 60 /* fatal */
79#define TLS1_AD_PROTOCOL_VERSION 70 /* fatal */
80#define TLS1_AD_INSUFFICIENT_SECURITY 71 /* fatal */
81#define TLS1_AD_INTERNAL_ERROR 80 /* fatal */
82#define TLS1_AD_USER_CANCLED 90
83#define TLS1_AD_NO_RENEGOTIATION 100
84
85#define TLS_CT_RSA_SIGN 1
86#define TLS_CT_DSS_SIGN 2
87#define TLS_CT_RSA_FIXED_DH 3
88#define TLS_CT_DSS_FIXED_DH 4
89#define TLS_CT_NUMBER 4
90
91#define TLS1_FINISH_MAC_LENGTH 12
92
93#define TLS_MD_MAX_CONST_SIZE 20
94#define TLS_MD_CLIENT_FINISH_CONST "client finished"
95#define TLS_MD_CLIENT_FINISH_CONST_SIZE 15
96#define TLS_MD_SERVER_FINISH_CONST "server finished"
97#define TLS_MD_SERVER_FINISH_CONST_SIZE 15
98#define TLS_MD_SERVER_WRITE_KEY_CONST "server write key"
99#define TLS_MD_SERVER_WRITE_KEY_CONST_SIZE 16
100#define TLS_MD_KEY_EXPANSION_CONST "key expansion"
101#define TLS_MD_KEY_EXPANSION_CONST_SIZE 13
102#define TLS_MD_CLIENT_WRITE_KEY_CONST "client write key"
103#define TLS_MD_CLIENT_WRITE_KEY_CONST_SIZE 16
104#define TLS_MD_SERVER_WRITE_KEY_CONST "server write key"
105#define TLS_MD_SERVER_WRITE_KEY_CONST_SIZE 16
106#define TLS_MD_IV_BLOCK_CONST "IV block"
107#define TLS_MD_IV_BLOCK_CONST_SIZE 8
108#define TLS_MD_MASTER_SECRET_CONST "master secret"
109#define TLS_MD_MASTER_SECRET_CONST_SIZE 13
110
111#ifdef __cplusplus
112}
113#endif
114#endif
115
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-04-26 09:40:51 +0000