1 |
/*! \file ssl/ssl_lib.c |
2 |
* \brief Version independent SSL functions. |
3 |
*/ |
4 |
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
5 |
* All rights reserved. |
6 |
* |
7 |
* This package is an SSL implementation written |
8 |
* by Eric Young (eay@cryptsoft.com). |
9 |
* The implementation was written so as to conform with Netscapes SSL. |
10 |
* |
11 |
* This library is free for commercial and non-commercial use as long as |
12 |
* the following conditions are aheared to. The following conditions |
13 |
* apply to all code found in this distribution, be it the RC4, RSA, |
14 |
* lhash, DES, etc., code; not just the SSL code. The SSL documentation |
15 |
* included with this distribution is covered by the same copyright terms |
16 |
* except that the holder is Tim Hudson (tjh@cryptsoft.com). |
17 |
* |
18 |
* Copyright remains Eric Young's, and as such any Copyright notices in |
19 |
* the code are not to be removed. |
20 |
* If this package is used in a product, Eric Young should be given attribution |
21 |
* as the author of the parts of the library used. |
22 |
* This can be in the form of a textual message at program startup or |
23 |
* in documentation (online or textual) provided with the package. |
24 |
* |
25 |
* Redistribution and use in source and binary forms, with or without |
26 |
* modification, are permitted provided that the following conditions |
27 |
* are met: |
28 |
* 1. Redistributions of source code must retain the copyright |
29 |
* notice, this list of conditions and the following disclaimer. |
30 |
* 2. Redistributions in binary form must reproduce the above copyright |
31 |
* notice, this list of conditions and the following disclaimer in the |
32 |
* documentation and/or other materials provided with the distribution. |
33 |
* 3. All advertising materials mentioning features or use of this software |
34 |
* must display the following acknowledgement: |
35 |
* "This product includes cryptographic software written by |
36 |
* Eric Young (eay@cryptsoft.com)" |
37 |
* The word 'cryptographic' can be left out if the rouines from the library |
38 |
* being used are not cryptographic related :-). |
39 |
* 4. If you include any Windows specific code (or a derivative thereof) from |
40 |
* the apps directory (application code) you must include an acknowledgement: |
41 |
* "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" |
42 |
* |
43 |
* THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND |
44 |
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
45 |
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE |
46 |
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE |
47 |
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL |
48 |
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS |
49 |
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) |
50 |
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT |
51 |
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY |
52 |
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF |
53 |
* SUCH DAMAGE. |
54 |
* |
55 |
* The licence and distribution terms for any publically available version or |
56 |
* derivative of this code cannot be changed. i.e. this code cannot simply be |
57 |
* copied and put under another distribution licence |
58 |
* [including the GNU Public Licence.] |
59 |
*/ |
60 |
/* ==================================================================== |
61 |
* Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved. |
62 |
* |
63 |
* Redistribution and use in source and binary forms, with or without |
64 |
* modification, are permitted provided that the following conditions |
65 |
* are met: |
66 |
* |
67 |
* 1. Redistributions of source code must retain the above copyright |
68 |
* notice, this list of conditions and the following disclaimer. |
69 |
* |
70 |
* 2. Redistributions in binary form must reproduce the above copyright |
71 |
* notice, this list of conditions and the following disclaimer in |
72 |
* the documentation and/or other materials provided with the |
73 |
* distribution. |
74 |
* |
75 |
* 3. All advertising materials mentioning features or use of this |
76 |
* software must display the following acknowledgment: |
77 |
* "This product includes software developed by the OpenSSL Project |
78 |
* for use in the OpenSSL Toolkit. (http://www.openssl.org/)" |
79 |
* |
80 |
* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to |
81 |
* endorse or promote products derived from this software without |
82 |
* prior written permission. For written permission, please contact |
83 |
* openssl-core@openssl.org. |
84 |
* |
85 |
* 5. Products derived from this software may not be called "OpenSSL" |
86 |
* nor may "OpenSSL" appear in their names without prior written |
87 |
* permission of the OpenSSL Project. |
88 |
* |
89 |
* 6. Redistributions of any form whatsoever must retain the following |
90 |
* acknowledgment: |
91 |
* "This product includes software developed by the OpenSSL Project |
92 |
* for use in the OpenSSL Toolkit (http://www.openssl.org/)" |
93 |
* |
94 |
* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY |
95 |
* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
96 |
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR |
97 |
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR |
98 |
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, |
99 |
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT |
100 |
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; |
101 |
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) |
102 |
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, |
103 |
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) |
104 |
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED |
105 |
* OF THE POSSIBILITY OF SUCH DAMAGE. |
106 |
* ==================================================================== |
107 |
* |
108 |
* This product includes cryptographic software written by Eric Young |
109 |
* (eay@cryptsoft.com). This product includes software written by Tim |
110 |
* Hudson (tjh@cryptsoft.com). |
111 |
* |
112 |
*/ |
113 |
/* ==================================================================== |
114 |
* Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. |
115 |
* ECC cipher suite support in OpenSSL originally developed by |
116 |
* SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project. |
117 |
*/ |
118 |
|
119 |
#ifdef REF_CHECK |
120 |
# include <assert.h> |
121 |
#endif |
122 |
#include <stdio.h> |
123 |
#include "ssl_locl.h" |
124 |
#include "kssl_lcl.h" |
125 |
#include <openssl/objects.h> |
126 |
#include <openssl/lhash.h> |
127 |
#include <openssl/x509v3.h> |
128 |
#include <openssl/rand.h> |
129 |
#include <openssl/ocsp.h> |
130 |
#ifndef OPENSSL_NO_DH |
131 |
#include <openssl/dh.h> |
132 |
#endif |
133 |
#ifndef OPENSSL_NO_ENGINE |
134 |
#include <openssl/engine.h> |
135 |
#endif |
136 |
|
137 |
const char *SSL_version_str=OPENSSL_VERSION_TEXT; |
138 |
|
139 |
SSL3_ENC_METHOD ssl3_undef_enc_method={ |
140 |
/* evil casts, but these functions are only called if there's a library bug */ |
141 |
(int (*)(SSL *,int))ssl_undefined_function, |
142 |
(int (*)(SSL *, unsigned char *, int))ssl_undefined_function, |
143 |
ssl_undefined_function, |
144 |
(int (*)(SSL *, unsigned char *, unsigned char *, int))ssl_undefined_function, |
145 |
(int (*)(SSL*, int))ssl_undefined_function, |
146 |
(int (*)(SSL *, EVP_MD_CTX *, EVP_MD_CTX *, const char*, int, unsigned char *))ssl_undefined_function, |
147 |
0, /* finish_mac_length */ |
148 |
(int (*)(SSL *, EVP_MD_CTX *, unsigned char *))ssl_undefined_function, |
149 |
NULL, /* client_finished_label */ |
150 |
0, /* client_finished_label_len */ |
151 |
NULL, /* server_finished_label */ |
152 |
0, /* server_finished_label_len */ |
153 |
(int (*)(int))ssl_undefined_function |
154 |
}; |
155 |
|
156 |
int SSL_clear(SSL *s) |
157 |
{ |
158 |
|
159 |
if (s->method == NULL) |
160 |
{ |
161 |
SSLerr(SSL_F_SSL_CLEAR,SSL_R_NO_METHOD_SPECIFIED); |
162 |
return(0); |
163 |
} |
164 |
|
165 |
if (ssl_clear_bad_session(s)) |
166 |
{ |
167 |
SSL_SESSION_free(s->session); |
168 |
s->session=NULL; |
169 |
} |
170 |
|
171 |
s->error=0; |
172 |
s->hit=0; |
173 |
s->shutdown=0; |
174 |
|
175 |
#if 0 /* Disabled since version 1.10 of this file (early return not |
176 |
* needed because SSL_clear is not called when doing renegotiation) */ |
177 |
/* This is set if we are doing dynamic renegotiation so keep |
178 |
* the old cipher. It is sort of a SSL_clear_lite :-) */ |
179 |
if (s->new_session) return(1); |
180 |
#else |
181 |
if (s->new_session) |
182 |
{ |
183 |
SSLerr(SSL_F_SSL_CLEAR,ERR_R_INTERNAL_ERROR); |
184 |
return 0; |
185 |
} |
186 |
#endif |
187 |
|
188 |
s->type=0; |
189 |
|
190 |
s->state=SSL_ST_BEFORE|((s->server)?SSL_ST_ACCEPT:SSL_ST_CONNECT); |
191 |
|
192 |
s->version=s->method->version; |
193 |
s->client_version=s->version; |
194 |
s->rwstate=SSL_NOTHING; |
195 |
s->rstate=SSL_ST_READ_HEADER; |
196 |
#if 0 |
197 |
s->read_ahead=s->ctx->read_ahead; |
198 |
#endif |
199 |
|
200 |
if (s->init_buf != NULL) |
201 |
{ |
202 |
BUF_MEM_free(s->init_buf); |
203 |
s->init_buf=NULL; |
204 |
} |
205 |
|
206 |
ssl_clear_cipher_ctx(s); |
207 |
|
208 |
s->first_packet=0; |
209 |
|
210 |
#if 1 |
211 |
/* Check to see if we were changed into a different method, if |
212 |
* so, revert back if we are not doing session-id reuse. */ |
213 |
if (!s->in_handshake && (s->session == NULL) && (s->method != s->ctx->method)) |
214 |
{ |
215 |
s->method->ssl_free(s); |
216 |
s->method=s->ctx->method; |
217 |
if (!s->method->ssl_new(s)) |
218 |
return(0); |
219 |
} |
220 |
else |
221 |
#endif |
222 |
s->method->ssl_clear(s); |
223 |
return(1); |
224 |
} |
225 |
|
226 |
/** Used to change an SSL_CTXs default SSL method type */ |
227 |
int SSL_CTX_set_ssl_version(SSL_CTX *ctx,SSL_METHOD *meth) |
228 |
{ |
229 |
STACK_OF(SSL_CIPHER) *sk; |
230 |
|
231 |
ctx->method=meth; |
232 |
|
233 |
sk=ssl_create_cipher_list(ctx->method,&(ctx->cipher_list), |
234 |
&(ctx->cipher_list_by_id),SSL_DEFAULT_CIPHER_LIST); |
235 |
if ((sk == NULL) || (sk_SSL_CIPHER_num(sk) <= 0)) |
236 |
{ |
237 |
SSLerr(SSL_F_SSL_CTX_SET_SSL_VERSION,SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS); |
238 |
return(0); |
239 |
} |
240 |
return(1); |
241 |
} |
242 |
|
243 |
SSL *SSL_new(SSL_CTX *ctx) |
244 |
{ |
245 |
SSL *s; |
246 |
|
247 |
if (ctx == NULL) |
248 |
{ |
249 |
SSLerr(SSL_F_SSL_NEW,SSL_R_NULL_SSL_CTX); |
250 |
return(NULL); |
251 |
} |
252 |
if (ctx->method == NULL) |
253 |
{ |
254 |
SSLerr(SSL_F_SSL_NEW,SSL_R_SSL_CTX_HAS_NO_DEFAULT_SSL_VERSION); |
255 |
return(NULL); |
256 |
} |
257 |
|
258 |
s=(SSL *)OPENSSL_malloc(sizeof(SSL)); |
259 |
if (s == NULL) goto err; |
260 |
memset(s,0,sizeof(SSL)); |
261 |
|
262 |
#ifndef OPENSSL_NO_KRB5 |
263 |
s->kssl_ctx = kssl_ctx_new(); |
264 |
#endif /* OPENSSL_NO_KRB5 */ |
265 |
|
266 |
s->options=ctx->options; |
267 |
s->mode=ctx->mode; |
268 |
s->max_cert_list=ctx->max_cert_list; |
269 |
|
270 |
if (ctx->cert != NULL) |
271 |
{ |
272 |
/* Earlier library versions used to copy the pointer to |
273 |
* the CERT, not its contents; only when setting new |
274 |
* parameters for the per-SSL copy, ssl_cert_new would be |
275 |
* called (and the direct reference to the per-SSL_CTX |
276 |
* settings would be lost, but those still were indirectly |
277 |
* accessed for various purposes, and for that reason they |
278 |
* used to be known as s->ctx->default_cert). |
279 |
* Now we don't look at the SSL_CTX's CERT after having |
280 |
* duplicated it once. */ |
281 |
|
282 |
s->cert = ssl_cert_dup(ctx->cert); |
283 |
if (s->cert == NULL) |
284 |
goto err; |
285 |
} |
286 |
else |
287 |
s->cert=NULL; /* Cannot really happen (see SSL_CTX_new) */ |
288 |
|
289 |
s->read_ahead=ctx->read_ahead; |
290 |
s->msg_callback=ctx->msg_callback; |
291 |
s->msg_callback_arg=ctx->msg_callback_arg; |
292 |
s->verify_mode=ctx->verify_mode; |
293 |
#if 0 |
294 |
s->verify_depth=ctx->verify_depth; |
295 |
#endif |
296 |
s->sid_ctx_length=ctx->sid_ctx_length; |
297 |
OPENSSL_assert(s->sid_ctx_length <= sizeof s->sid_ctx); |
298 |
memcpy(&s->sid_ctx,&ctx->sid_ctx,sizeof(s->sid_ctx)); |
299 |
s->verify_callback=ctx->default_verify_callback; |
300 |
s->generate_session_id=ctx->generate_session_id; |
301 |
|
302 |
s->param = X509_VERIFY_PARAM_new(); |
303 |
if (!s->param) |
304 |
goto err; |
305 |
X509_VERIFY_PARAM_inherit(s->param, ctx->param); |
306 |
#if 0 |
307 |
s->purpose = ctx->purpose; |
308 |
s->trust = ctx->trust; |
309 |
#endif |
310 |
s->quiet_shutdown=ctx->quiet_shutdown; |
311 |
|
312 |
CRYPTO_add(&ctx->references,1,CRYPTO_LOCK_SSL_CTX); |
313 |
s->ctx=ctx; |
314 |
#ifndef OPENSSL_NO_TLSEXT |
315 |
s->tlsext_debug_cb = 0; |
316 |
s->tlsext_debug_arg = NULL; |
317 |
s->tlsext_ticket_expected = 0; |
318 |
s->tlsext_status_type = -1; |
319 |
s->tlsext_status_expected = 0; |
320 |
s->tlsext_ocsp_ids = NULL; |
321 |
s->tlsext_ocsp_exts = NULL; |
322 |
s->tlsext_ocsp_resp = NULL; |
323 |
s->tlsext_ocsp_resplen = -1; |
324 |
CRYPTO_add(&ctx->references,1,CRYPTO_LOCK_SSL_CTX); |
325 |
s->initial_ctx=ctx; |
326 |
#endif |
327 |
s->verify_result=X509_V_OK; |
328 |
|
329 |
s->method=ctx->method; |
330 |
|
331 |
if (!s->method->ssl_new(s)) |
332 |
goto err; |
333 |
|
334 |
s->references=1; |
335 |
s->server=(ctx->method->ssl_accept == ssl_undefined_function)?0:1; |
336 |
|
337 |
SSL_clear(s); |
338 |
|
339 |
CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL, s, &s->ex_data); |
340 |
|
341 |
return(s); |
342 |
err: |
343 |
if (s != NULL) |
344 |
{ |
345 |
if (s->cert != NULL) |
346 |
ssl_cert_free(s->cert); |
347 |
if (s->ctx != NULL) |
348 |
SSL_CTX_free(s->ctx); /* decrement reference count */ |
349 |
OPENSSL_free(s); |
350 |
} |
351 |
SSLerr(SSL_F_SSL_NEW,ERR_R_MALLOC_FAILURE); |
352 |
return(NULL); |
353 |
} |
354 |
|
355 |
int SSL_CTX_set_session_id_context(SSL_CTX *ctx,const unsigned char *sid_ctx, |
356 |
unsigned int sid_ctx_len) |
357 |
{ |
358 |
if(sid_ctx_len > sizeof ctx->sid_ctx) |
359 |
{ |
360 |
SSLerr(SSL_F_SSL_CTX_SET_SESSION_ID_CONTEXT,SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG); |
361 |
return 0; |
362 |
} |
363 |
ctx->sid_ctx_length=sid_ctx_len; |
364 |
memcpy(ctx->sid_ctx,sid_ctx,sid_ctx_len); |
365 |
|
366 |
return 1; |
367 |
} |
368 |
|
369 |
int SSL_set_session_id_context(SSL *ssl,const unsigned char *sid_ctx, |
370 |
unsigned int sid_ctx_len) |
371 |
{ |
372 |
if(sid_ctx_len > SSL_MAX_SID_CTX_LENGTH) |
373 |
{ |
374 |
SSLerr(SSL_F_SSL_SET_SESSION_ID_CONTEXT,SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG); |
375 |
return 0; |
376 |
} |
377 |
ssl->sid_ctx_length=sid_ctx_len; |
378 |
memcpy(ssl->sid_ctx,sid_ctx,sid_ctx_len); |
379 |
|
380 |
return 1; |
381 |
} |
382 |
|
383 |
int SSL_CTX_set_generate_session_id(SSL_CTX *ctx, GEN_SESSION_CB cb) |
384 |
{ |
385 |
CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX); |
386 |
ctx->generate_session_id = cb; |
387 |
CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX); |
388 |
return 1; |
389 |
} |
390 |
|
391 |
int SSL_set_generate_session_id(SSL *ssl, GEN_SESSION_CB cb) |
392 |
{ |
393 |
CRYPTO_w_lock(CRYPTO_LOCK_SSL); |
394 |
ssl->generate_session_id = cb; |
395 |
CRYPTO_w_unlock(CRYPTO_LOCK_SSL); |
396 |
return 1; |
397 |
} |
398 |
|
399 |
int SSL_has_matching_session_id(const SSL *ssl, const unsigned char *id, |
400 |
unsigned int id_len) |
401 |
{ |
402 |
/* A quick examination of SSL_SESSION_hash and SSL_SESSION_cmp shows how |
403 |
* we can "construct" a session to give us the desired check - ie. to |
404 |
* find if there's a session in the hash table that would conflict with |
405 |
* any new session built out of this id/id_len and the ssl_version in |
406 |
* use by this SSL. */ |
407 |
SSL_SESSION r, *p; |
408 |
|
409 |
if(id_len > sizeof r.session_id) |
410 |
return 0; |
411 |
|
412 |
r.ssl_version = ssl->version; |
413 |
r.session_id_length = id_len; |
414 |
memcpy(r.session_id, id, id_len); |
415 |
/* NB: SSLv2 always uses a fixed 16-byte session ID, so even if a |
416 |
* callback is calling us to check the uniqueness of a shorter ID, it |
417 |
* must be compared as a padded-out ID because that is what it will be |
418 |
* converted to when the callback has finished choosing it. */ |
419 |
if((r.ssl_version == SSL2_VERSION) && |
420 |
(id_len < SSL2_SSL_SESSION_ID_LENGTH)) |
421 |
{ |
422 |
memset(r.session_id + id_len, 0, |
423 |
SSL2_SSL_SESSION_ID_LENGTH - id_len); |
424 |
r.session_id_length = SSL2_SSL_SESSION_ID_LENGTH; |
425 |
} |
426 |
|
427 |
CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX); |
428 |
p = (SSL_SESSION *)lh_retrieve(ssl->ctx->sessions, &r); |
429 |
CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX); |
430 |
return (p != NULL); |
431 |
} |
432 |
|
433 |
int SSL_CTX_set_purpose(SSL_CTX *s, int purpose) |
434 |
{ |
435 |
return X509_VERIFY_PARAM_set_purpose(s->param, purpose); |
436 |
} |
437 |
|
438 |
int SSL_set_purpose(SSL *s, int purpose) |
439 |
{ |
440 |
return X509_VERIFY_PARAM_set_purpose(s->param, purpose); |
441 |
} |
442 |
|
443 |
int SSL_CTX_set_trust(SSL_CTX *s, int trust) |
444 |
{ |
445 |
return X509_VERIFY_PARAM_set_trust(s->param, trust); |
446 |
} |
447 |
|
448 |
int SSL_set_trust(SSL *s, int trust) |
449 |
{ |
450 |
return X509_VERIFY_PARAM_set_trust(s->param, trust); |
451 |
} |
452 |
|
453 |
void SSL_free(SSL *s) |
454 |
{ |
455 |
int i; |
456 |
|
457 |
if(s == NULL) |
458 |
return; |
459 |
|
460 |
i=CRYPTO_add(&s->references,-1,CRYPTO_LOCK_SSL); |
461 |
#ifdef REF_PRINT |
462 |
REF_PRINT("SSL",s); |
463 |
#endif |
464 |
if (i > 0) return; |
465 |
#ifdef REF_CHECK |
466 |
if (i < 0) |
467 |
{ |
468 |
fprintf(stderr,"SSL_free, bad reference count\n"); |
469 |
abort(); /* ok */ |
470 |
} |
471 |
#endif |
472 |
|
473 |
if (s->param) |
474 |
X509_VERIFY_PARAM_free(s->param); |
475 |
|
476 |
CRYPTO_free_ex_data(CRYPTO_EX_INDEX_SSL, s, &s->ex_data); |
477 |
|
478 |
if (s->bbio != NULL) |
479 |
{ |
480 |
/* If the buffering BIO is in place, pop it off */ |
481 |
if (s->bbio == s->wbio) |
482 |
{ |
483 |
s->wbio=BIO_pop(s->wbio); |
484 |
} |
485 |
BIO_free(s->bbio); |
486 |
s->bbio=NULL; |
487 |
} |
488 |
if (s->rbio != NULL) |
489 |
BIO_free_all(s->rbio); |
490 |
if ((s->wbio != NULL) && (s->wbio != s->rbio)) |
491 |
BIO_free_all(s->wbio); |
492 |
|
493 |
if (s->init_buf != NULL) BUF_MEM_free(s->init_buf); |
494 |
|
495 |
/* add extra stuff */ |
496 |
if (s->cipher_list != NULL) sk_SSL_CIPHER_free(s->cipher_list); |
497 |
if (s->cipher_list_by_id != NULL) sk_SSL_CIPHER_free(s->cipher_list_by_id); |
498 |
|
499 |
/* Make the next call work :-) */ |
500 |
if (s->session != NULL) |
501 |
{ |
502 |
ssl_clear_bad_session(s); |
503 |
SSL_SESSION_free(s->session); |
504 |
} |
505 |
|
506 |
ssl_clear_cipher_ctx(s); |
507 |
|
508 |
if (s->cert != NULL) ssl_cert_free(s->cert); |
509 |
/* Free up if allocated */ |
510 |
|
511 |
#ifndef OPENSSL_NO_TLSEXT |
512 |
if (s->tlsext_hostname) |
513 |
OPENSSL_free(s->tlsext_hostname); |
514 |
if (s->initial_ctx) SSL_CTX_free(s->initial_ctx); |
515 |
if (s->tlsext_ocsp_exts) |
516 |
sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts, |
517 |
X509_EXTENSION_free); |
518 |
if (s->tlsext_ocsp_ids) |
519 |
sk_OCSP_RESPID_pop_free(s->tlsext_ocsp_ids, OCSP_RESPID_free); |
520 |
if (s->tlsext_ocsp_resp) |
521 |
OPENSSL_free(s->tlsext_ocsp_resp); |
522 |
#endif |
523 |
if (s->client_CA != NULL) |
524 |
sk_X509_NAME_pop_free(s->client_CA,X509_NAME_free); |
525 |
|
526 |
if (s->method != NULL) s->method->ssl_free(s); |
527 |
|
528 |
if (s->ctx) SSL_CTX_free(s->ctx); |
529 |
|
530 |
#ifndef OPENSSL_NO_KRB5 |
531 |
if (s->kssl_ctx != NULL) |
532 |
kssl_ctx_free(s->kssl_ctx); |
533 |
#endif /* OPENSSL_NO_KRB5 */ |
534 |
|
535 |
OPENSSL_free(s); |
536 |
} |
537 |
|
538 |
void SSL_set_bio(SSL *s,BIO *rbio,BIO *wbio) |
539 |
{ |
540 |
/* If the output buffering BIO is still in place, remove it |
541 |
*/ |
542 |
if (s->bbio != NULL) |
543 |
{ |
544 |
if (s->wbio == s->bbio) |
545 |
{ |
546 |
s->wbio=s->wbio->next_bio; |
547 |
s->bbio->next_bio=NULL; |
548 |
} |
549 |
} |
550 |
if ((s->rbio != NULL) && (s->rbio != rbio)) |
551 |
BIO_free_all(s->rbio); |
552 |
if ((s->wbio != NULL) && (s->wbio != wbio) && (s->rbio != s->wbio)) |
553 |
BIO_free_all(s->wbio); |
554 |
s->rbio=rbio; |
555 |
s->wbio=wbio; |
556 |
} |
557 |
|
558 |
BIO *SSL_get_rbio(const SSL *s) |
559 |
{ return(s->rbio); } |
560 |
|
561 |
BIO *SSL_get_wbio(const SSL *s) |
562 |
{ return(s->wbio); } |
563 |
|
564 |
int SSL_get_fd(const SSL *s) |
565 |
{ |
566 |
return(SSL_get_rfd(s)); |
567 |
} |
568 |
|
569 |
int SSL_get_rfd(const SSL *s) |
570 |
{ |
571 |
int ret= -1; |
572 |
BIO *b,*r; |
573 |
|
574 |
b=SSL_get_rbio(s); |
575 |
r=BIO_find_type(b,BIO_TYPE_DESCRIPTOR); |
576 |
if (r != NULL) |
577 |
BIO_get_fd(r,&ret); |
578 |
return(ret); |
579 |
} |
580 |
|
581 |
int SSL_get_wfd(const SSL *s) |
582 |
{ |
583 |
int ret= -1; |
584 |
BIO *b,*r; |
585 |
|
586 |
b=SSL_get_wbio(s); |
587 |
r=BIO_find_type(b,BIO_TYPE_DESCRIPTOR); |
588 |
if (r != NULL) |
589 |
BIO_get_fd(r,&ret); |
590 |
return(ret); |
591 |
} |
592 |
|
593 |
#ifndef OPENSSL_NO_SOCK |
594 |
int SSL_set_fd(SSL *s,int fd) |
595 |
{ |
596 |
int ret=0; |
597 |
BIO *bio=NULL; |
598 |
|
599 |
bio=BIO_new(BIO_s_socket()); |
600 |
|
601 |
if (bio == NULL) |
602 |
{ |
603 |
SSLerr(SSL_F_SSL_SET_FD,ERR_R_BUF_LIB); |
604 |
goto err; |
605 |
} |
606 |
BIO_set_fd(bio,fd,BIO_NOCLOSE); |
607 |
SSL_set_bio(s,bio,bio); |
608 |
ret=1; |
609 |
err: |
610 |
return(ret); |
611 |
} |
612 |
|
613 |
int SSL_set_wfd(SSL *s,int fd) |
614 |
{ |
615 |
int ret=0; |
616 |
BIO *bio=NULL; |
617 |
|
618 |
if ((s->rbio == NULL) || (BIO_method_type(s->rbio) != BIO_TYPE_SOCKET) |
619 |
|| ((int)BIO_get_fd(s->rbio,NULL) != fd)) |
620 |
{ |
621 |
bio=BIO_new(BIO_s_socket()); |
622 |
|
623 |
if (bio == NULL) |
624 |
{ SSLerr(SSL_F_SSL_SET_WFD,ERR_R_BUF_LIB); goto err; } |
625 |
BIO_set_fd(bio,fd,BIO_NOCLOSE); |
626 |
SSL_set_bio(s,SSL_get_rbio(s),bio); |
627 |
} |
628 |
else |
629 |
SSL_set_bio(s,SSL_get_rbio(s),SSL_get_rbio(s)); |
630 |
ret=1; |
631 |
err: |
632 |
return(ret); |
633 |
} |
634 |
|
635 |
int SSL_set_rfd(SSL *s,int fd) |
636 |
{ |
637 |
int ret=0; |
638 |
BIO *bio=NULL; |
639 |
|
640 |
if ((s->wbio == NULL) || (BIO_method_type(s->wbio) != BIO_TYPE_SOCKET) |
641 |
|| ((int)BIO_get_fd(s->wbio,NULL) != fd)) |
642 |
{ |
643 |
bio=BIO_new(BIO_s_socket()); |
644 |
|
645 |
if (bio == NULL) |
646 |
{ |
647 |
SSLerr(SSL_F_SSL_SET_RFD,ERR_R_BUF_LIB); |
648 |
goto err; |
649 |
} |
650 |
BIO_set_fd(bio,fd,BIO_NOCLOSE); |
651 |
SSL_set_bio(s,bio,SSL_get_wbio(s)); |
652 |
} |
653 |
else |
654 |
SSL_set_bio(s,SSL_get_wbio(s),SSL_get_wbio(s)); |
655 |
ret=1; |
656 |
err: |
657 |
return(ret); |
658 |
} |
659 |
#endif |
660 |
|
661 |
|
662 |
/* return length of latest Finished message we sent, copy to 'buf' */ |
663 |
size_t SSL_get_finished(const SSL *s, void *buf, size_t count) |
664 |
{ |
665 |
size_t ret = 0; |
666 |
|
667 |
if (s->s3 != NULL) |
668 |
{ |
669 |
ret = s->s3->tmp.finish_md_len; |
670 |
if (count > ret) |
671 |
count = ret; |
672 |
memcpy(buf, s->s3->tmp.finish_md, count); |
673 |
} |
674 |
return ret; |
675 |
} |
676 |
|
677 |
/* return length of latest Finished message we expected, copy to 'buf' */ |
678 |
size_t SSL_get_peer_finished(const SSL *s, void *buf, size_t count) |
679 |
{ |
680 |
size_t ret = 0; |
681 |
|
682 |
if (s->s3 != NULL) |
683 |
{ |
684 |
ret = s->s3->tmp.peer_finish_md_len; |
685 |
if (count > ret) |
686 |
count = ret; |
687 |
memcpy(buf, s->s3->tmp.peer_finish_md, count); |
688 |
} |
689 |
return ret; |
690 |
} |
691 |
|
692 |
|
693 |
int SSL_get_verify_mode(const SSL *s) |
694 |
{ |
695 |
return(s->verify_mode); |
696 |
} |
697 |
|
698 |
int SSL_get_verify_depth(const SSL *s) |
699 |
{ |
700 |
return X509_VERIFY_PARAM_get_depth(s->param); |
701 |
} |
702 |
|
703 |
int (*SSL_get_verify_callback(const SSL *s))(int,X509_STORE_CTX *) |
704 |
{ |
705 |
return(s->verify_callback); |
706 |
} |
707 |
|
708 |
int SSL_CTX_get_verify_mode(const SSL_CTX *ctx) |
709 |
{ |
710 |
return(ctx->verify_mode); |
711 |
} |
712 |
|
713 |
int SSL_CTX_get_verify_depth(const SSL_CTX *ctx) |
714 |
{ |
715 |
return X509_VERIFY_PARAM_get_depth(ctx->param); |
716 |
} |
717 |
|
718 |
int (*SSL_CTX_get_verify_callback(const SSL_CTX *ctx))(int,X509_STORE_CTX *) |
719 |
{ |
720 |
return(ctx->default_verify_callback); |
721 |
} |
722 |
|
723 |
void SSL_set_verify(SSL *s,int mode, |
724 |
int (*callback)(int ok,X509_STORE_CTX *ctx)) |
725 |
{ |
726 |
s->verify_mode=mode; |
727 |
if (callback != NULL) |
728 |
s->verify_callback=callback; |
729 |
} |
730 |
|
731 |
void SSL_set_verify_depth(SSL *s,int depth) |
732 |
{ |
733 |
X509_VERIFY_PARAM_set_depth(s->param, depth); |
734 |
} |
735 |
|
736 |
void SSL_set_read_ahead(SSL *s,int yes) |
737 |
{ |
738 |
s->read_ahead=yes; |
739 |
} |
740 |
|
741 |
int SSL_get_read_ahead(const SSL *s) |
742 |
{ |
743 |
return(s->read_ahead); |
744 |
} |
745 |
|
746 |
int SSL_pending(const SSL *s) |
747 |
{ |
748 |
/* SSL_pending cannot work properly if read-ahead is enabled |
749 |
* (SSL_[CTX_]ctrl(..., SSL_CTRL_SET_READ_AHEAD, 1, NULL)), |
750 |
* and it is impossible to fix since SSL_pending cannot report |
751 |
* errors that may be observed while scanning the new data. |
752 |
* (Note that SSL_pending() is often used as a boolean value, |
753 |
* so we'd better not return -1.) |
754 |
*/ |
755 |
return(s->method->ssl_pending(s)); |
756 |
} |
757 |
|
758 |
X509 *SSL_get_peer_certificate(const SSL *s) |
759 |
{ |
760 |
X509 *r; |
761 |
|
762 |
if ((s == NULL) || (s->session == NULL)) |
763 |
r=NULL; |
764 |
else |
765 |
r=s->session->peer; |
766 |
|
767 |
if (r == NULL) return(r); |
768 |
|
769 |
CRYPTO_add(&r->references,1,CRYPTO_LOCK_X509); |
770 |
|
771 |
return(r); |
772 |
} |
773 |
|
774 |
STACK_OF(X509) *SSL_get_peer_cert_chain(const SSL *s) |
775 |
{ |
776 |
STACK_OF(X509) *r; |
777 |
|
778 |
if ((s == NULL) || (s->session == NULL) || (s->session->sess_cert == NULL)) |
779 |
r=NULL; |
780 |
else |
781 |
r=s->session->sess_cert->cert_chain; |
782 |
|
783 |
/* If we are a client, cert_chain includes the peer's own |
784 |
* certificate; if we are a server, it does not. */ |
785 |
|
786 |
return(r); |
787 |
} |
788 |
|
789 |
/* Now in theory, since the calling process own 't' it should be safe to |
790 |
* modify. We need to be able to read f without being hassled */ |
791 |
void SSL_copy_session_id(SSL *t,const SSL *f) |
792 |
{ |
793 |
CERT *tmp; |
794 |
|
795 |
/* Do we need to to SSL locking? */ |
796 |
SSL_set_session(t,SSL_get_session(f)); |
797 |
|
798 |
/* what if we are setup as SSLv2 but want to talk SSLv3 or |
799 |
* vice-versa */ |
800 |
if (t->method != f->method) |
801 |
{ |
802 |
t->method->ssl_free(t); /* cleanup current */ |
803 |
t->method=f->method; /* change method */ |
804 |
t->method->ssl_new(t); /* setup new */ |
805 |
} |
806 |
|
807 |
tmp=t->cert; |
808 |
if (f->cert != NULL) |
809 |
{ |
810 |
CRYPTO_add(&f->cert->references,1,CRYPTO_LOCK_SSL_CERT); |
811 |
t->cert=f->cert; |
812 |
} |
813 |
else |
814 |
t->cert=NULL; |
815 |
if (tmp != NULL) ssl_cert_free(tmp); |
816 |
SSL_set_session_id_context(t,f->sid_ctx,f->sid_ctx_length); |
817 |
} |
818 |
|
819 |
/* Fix this so it checks all the valid key/cert options */ |
820 |
int SSL_CTX_check_private_key(const SSL_CTX *ctx) |
821 |
{ |
822 |
if ( (ctx == NULL) || |
823 |
(ctx->cert == NULL) || |
824 |
(ctx->cert->key->x509 == NULL)) |
825 |
{ |
826 |
SSLerr(SSL_F_SSL_CTX_CHECK_PRIVATE_KEY,SSL_R_NO_CERTIFICATE_ASSIGNED); |
827 |
return(0); |
828 |
} |
829 |
if (ctx->cert->key->privatekey == NULL) |
830 |
{ |
831 |
SSLerr(SSL_F_SSL_CTX_CHECK_PRIVATE_KEY,SSL_R_NO_PRIVATE_KEY_ASSIGNED); |
832 |
return(0); |
833 |
} |
834 |
return(X509_check_private_key(ctx->cert->key->x509, ctx->cert->key->privatekey)); |
835 |
} |
836 |
|
837 |
/* Fix this function so that it takes an optional type parameter */ |
838 |
int SSL_check_private_key(const SSL *ssl) |
839 |
{ |
840 |
if (ssl == NULL) |
841 |
{ |
842 |
SSLerr(SSL_F_SSL_CHECK_PRIVATE_KEY,ERR_R_PASSED_NULL_PARAMETER); |
843 |
return(0); |
844 |
} |
845 |
if (ssl->cert == NULL) |
846 |
{ |
847 |
SSLerr(SSL_F_SSL_CHECK_PRIVATE_KEY,SSL_R_NO_CERTIFICATE_ASSIGNED); |
848 |
return 0; |
849 |
} |
850 |
if (ssl->cert->key->x509 == NULL) |
851 |
{ |
852 |
SSLerr(SSL_F_SSL_CHECK_PRIVATE_KEY,SSL_R_NO_CERTIFICATE_ASSIGNED); |
853 |
return(0); |
854 |
} |
855 |
if (ssl->cert->key->privatekey == NULL) |
856 |
{ |
857 |
SSLerr(SSL_F_SSL_CHECK_PRIVATE_KEY,SSL_R_NO_PRIVATE_KEY_ASSIGNED); |
858 |
return(0); |
859 |
} |
860 |
return(X509_check_private_key(ssl->cert->key->x509, |
861 |
ssl->cert->key->privatekey)); |
862 |
} |
863 |
|
864 |
int SSL_accept(SSL *s) |
865 |
{ |
866 |
if (s->handshake_func == 0) |
867 |
/* Not properly initialized yet */ |
868 |
SSL_set_accept_state(s); |
869 |
|
870 |
return(s->method->ssl_accept(s)); |
871 |
} |
872 |
|
873 |
int SSL_connect(SSL *s) |
874 |
{ |
875 |
if (s->handshake_func == 0) |
876 |
/* Not properly initialized yet */ |
877 |
SSL_set_connect_state(s); |
878 |
|
879 |
return(s->method->ssl_connect(s)); |
880 |
} |
881 |
|
882 |
long SSL_get_default_timeout(const SSL *s) |
883 |
{ |
884 |
return(s->method->get_timeout()); |
885 |
} |
886 |
|
887 |
int SSL_read(SSL *s,void *buf,int num) |
888 |
{ |
889 |
if (s->handshake_func == 0) |
890 |
{ |
891 |
SSLerr(SSL_F_SSL_READ, SSL_R_UNINITIALIZED); |
892 |
return -1; |
893 |
} |
894 |
|
895 |
if (s->shutdown & SSL_RECEIVED_SHUTDOWN) |
896 |
{ |
897 |
s->rwstate=SSL_NOTHING; |
898 |
return(0); |
899 |
} |
900 |
return(s->method->ssl_read(s,buf,num)); |
901 |
} |
902 |
|
903 |
int SSL_peek(SSL *s,void *buf,int num) |
904 |
{ |
905 |
if (s->handshake_func == 0) |
906 |
{ |
907 |
SSLerr(SSL_F_SSL_PEEK, SSL_R_UNINITIALIZED); |
908 |
return -1; |
909 |
} |
910 |
|
911 |
if (s->shutdown & SSL_RECEIVED_SHUTDOWN) |
912 |
{ |
913 |
return(0); |
914 |
} |
915 |
return(s->method->ssl_peek(s,buf,num)); |
916 |
} |
917 |
|
918 |
int SSL_write(SSL *s,const void *buf,int num) |
919 |
{ |
920 |
if (s->handshake_func == 0) |
921 |
{ |
922 |
SSLerr(SSL_F_SSL_WRITE, SSL_R_UNINITIALIZED); |
923 |
return -1; |
924 |
} |
925 |
|
926 |
if (s->shutdown & SSL_SENT_SHUTDOWN) |
927 |
{ |
928 |
s->rwstate=SSL_NOTHING; |
929 |
SSLerr(SSL_F_SSL_WRITE,SSL_R_PROTOCOL_IS_SHUTDOWN); |
930 |
return(-1); |
931 |
} |
932 |
return(s->method->ssl_write(s,buf,num)); |
933 |
} |
934 |
|
935 |
int SSL_shutdown(SSL *s) |
936 |
{ |
937 |
/* Note that this function behaves differently from what one might |
938 |
* expect. Return values are 0 for no success (yet), |
939 |
* 1 for success; but calling it once is usually not enough, |
940 |
* even if blocking I/O is used (see ssl3_shutdown). |
941 |
*/ |
942 |
|
943 |
if (s->handshake_func == 0) |
944 |
{ |
945 |
SSLerr(SSL_F_SSL_SHUTDOWN, SSL_R_UNINITIALIZED); |
946 |
return -1; |
947 |
} |
948 |
|
949 |
if ((s != NULL) && !SSL_in_init(s)) |
950 |
return(s->method->ssl_shutdown(s)); |
951 |
else |
952 |
return(1); |
953 |
} |
954 |
|
955 |
int SSL_renegotiate(SSL *s) |
956 |
{ |
957 |
if (s->new_session == 0) |
958 |
{ |
959 |
s->new_session=1; |
960 |
} |
961 |
return(s->method->ssl_renegotiate(s)); |
962 |
} |
963 |
|
964 |
int SSL_renegotiate_pending(SSL *s) |
965 |
{ |
966 |
/* becomes true when negotiation is requested; |
967 |
* false again once a handshake has finished */ |
968 |
return (s->new_session != 0); |
969 |
} |
970 |
|
971 |
long SSL_ctrl(SSL *s,int cmd,long larg,void *parg) |
972 |
{ |
973 |
long l; |
974 |
|
975 |
switch (cmd) |
976 |
{ |
977 |
case SSL_CTRL_GET_READ_AHEAD: |
978 |
return(s->read_ahead); |
979 |
case SSL_CTRL_SET_READ_AHEAD: |
980 |
l=s->read_ahead; |
981 |
s->read_ahead=larg; |
982 |
return(l); |
983 |
|
984 |
case SSL_CTRL_SET_MSG_CALLBACK_ARG: |
985 |
s->msg_callback_arg = parg; |
986 |
return 1; |
987 |
|
988 |
case SSL_CTRL_OPTIONS: |
989 |
return(s->options|=larg); |
990 |
case SSL_CTRL_CLEAR_OPTIONS: |
991 |
return(s->options&=~larg); |
992 |
case SSL_CTRL_MODE: |
993 |
return(s->mode|=larg); |
994 |
case SSL_CTRL_CLEAR_MODE: |
995 |
return(s->mode &=~larg); |
996 |
case SSL_CTRL_GET_MAX_CERT_LIST: |
997 |
return(s->max_cert_list); |
998 |
case SSL_CTRL_SET_MAX_CERT_LIST: |
999 |
l=s->max_cert_list; |
1000 |
s->max_cert_list=larg; |
1001 |
return(l); |
1002 |
case SSL_CTRL_SET_MTU: |
1003 |
#ifndef OPENSSL_NO_DTLS1 |
1004 |
if (larg < (long)dtls1_min_mtu()) |
1005 |
return 0; |
1006 |
#endif |
1007 |
|
1008 |
if (SSL_version(s) == DTLS1_VERSION || |
1009 |
SSL_version(s) == DTLS1_BAD_VER) |
1010 |
{ |
1011 |
s->d1->mtu = larg; |
1012 |
return larg; |
1013 |
} |
1014 |
return 0; |
1015 |
case SSL_CTRL_GET_RI_SUPPORT: |
1016 |
if (s->s3) |
1017 |
return s->s3->send_connection_binding; |
1018 |
else return 0; |
1019 |
default: |
1020 |
return(s->method->ssl_ctrl(s,cmd,larg,parg)); |
1021 |
} |
1022 |
} |
1023 |
|
1024 |
long SSL_callback_ctrl(SSL *s, int cmd, void (*fp)(void)) |
1025 |
{ |
1026 |
switch(cmd) |
1027 |
{ |
1028 |
case SSL_CTRL_SET_MSG_CALLBACK: |
1029 |
s->msg_callback = (void (*)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg))(fp); |
1030 |
return 1; |
1031 |
|
1032 |
default: |
1033 |
return(s->method->ssl_callback_ctrl(s,cmd,fp)); |
1034 |
} |
1035 |
} |
1036 |
|
1037 |
struct lhash_st *SSL_CTX_sessions(SSL_CTX *ctx) |
1038 |
{ |
1039 |
return ctx->sessions; |
1040 |
} |
1041 |
|
1042 |
long SSL_CTX_ctrl(SSL_CTX *ctx,int cmd,long larg,void *parg) |
1043 |
{ |
1044 |
long l; |
1045 |
|
1046 |
switch (cmd) |
1047 |
{ |
1048 |
case SSL_CTRL_GET_READ_AHEAD: |
1049 |
return(ctx->read_ahead); |
1050 |
case SSL_CTRL_SET_READ_AHEAD: |
1051 |
l=ctx->read_ahead; |
1052 |
ctx->read_ahead=larg; |
1053 |
return(l); |
1054 |
|
1055 |
case SSL_CTRL_SET_MSG_CALLBACK_ARG: |
1056 |
ctx->msg_callback_arg = parg; |
1057 |
return 1; |
1058 |
|
1059 |
case SSL_CTRL_GET_MAX_CERT_LIST: |
1060 |
return(ctx->max_cert_list); |
1061 |
case SSL_CTRL_SET_MAX_CERT_LIST: |
1062 |
l=ctx->max_cert_list; |
1063 |
ctx->max_cert_list=larg; |
1064 |
return(l); |
1065 |
|
1066 |
case SSL_CTRL_SET_SESS_CACHE_SIZE: |
1067 |
l=ctx->session_cache_size; |
1068 |
ctx->session_cache_size=larg; |
1069 |
return(l); |
1070 |
case SSL_CTRL_GET_SESS_CACHE_SIZE: |
1071 |
return(ctx->session_cache_size); |
1072 |
case SSL_CTRL_SET_SESS_CACHE_MODE: |
1073 |
l=ctx->session_cache_mode; |
1074 |
ctx->session_cache_mode=larg; |
1075 |
return(l); |
1076 |
case SSL_CTRL_GET_SESS_CACHE_MODE: |
1077 |
return(ctx->session_cache_mode); |
1078 |
|
1079 |
case SSL_CTRL_SESS_NUMBER: |
1080 |
return(ctx->sessions->num_items); |
1081 |
case SSL_CTRL_SESS_CONNECT: |
1082 |
return(ctx->stats.sess_connect); |
1083 |
case SSL_CTRL_SESS_CONNECT_GOOD: |
1084 |
return(ctx->stats.sess_connect_good); |
1085 |
case SSL_CTRL_SESS_CONNECT_RENEGOTIATE: |
1086 |
return(ctx->stats.sess_connect_renegotiate); |
1087 |
case SSL_CTRL_SESS_ACCEPT: |
1088 |
return(ctx->stats.sess_accept); |
1089 |
case SSL_CTRL_SESS_ACCEPT_GOOD: |
1090 |
return(ctx->stats.sess_accept_good); |
1091 |
case SSL_CTRL_SESS_ACCEPT_RENEGOTIATE: |
1092 |
return(ctx->stats.sess_accept_renegotiate); |
1093 |
case SSL_CTRL_SESS_HIT: |
1094 |
return(ctx->stats.sess_hit); |
1095 |
case SSL_CTRL_SESS_CB_HIT: |
1096 |
return(ctx->stats.sess_cb_hit); |
1097 |
case SSL_CTRL_SESS_MISSES: |
1098 |
return(ctx->stats.sess_miss); |
1099 |
case SSL_CTRL_SESS_TIMEOUTS: |
1100 |
return(ctx->stats.sess_timeout); |
1101 |
case SSL_CTRL_SESS_CACHE_FULL: |
1102 |
return(ctx->stats.sess_cache_full); |
1103 |
case SSL_CTRL_OPTIONS: |
1104 |
return(ctx->options|=larg); |
1105 |
case SSL_CTRL_CLEAR_OPTIONS: |
1106 |
return(ctx->options&=~larg); |
1107 |
case SSL_CTRL_MODE: |
1108 |
return(ctx->mode|=larg); |
1109 |
case SSL_CTRL_CLEAR_MODE: |
1110 |
return(ctx->mode&=~larg); |
1111 |
default: |
1112 |
return(ctx->method->ssl_ctx_ctrl(ctx,cmd,larg,parg)); |
1113 |
} |
1114 |
} |
1115 |
|
1116 |
long SSL_CTX_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)(void)) |
1117 |
{ |
1118 |
switch(cmd) |
1119 |
{ |
1120 |
case SSL_CTRL_SET_MSG_CALLBACK: |
1121 |
ctx->msg_callback = (void (*)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg))(fp); |
1122 |
return 1; |
1123 |
|
1124 |
default: |
1125 |
return(ctx->method->ssl_ctx_callback_ctrl(ctx,cmd,fp)); |
1126 |
} |
1127 |
} |
1128 |
|
1129 |
int ssl_cipher_id_cmp(const SSL_CIPHER *a, const SSL_CIPHER *b) |
1130 |
{ |
1131 |
long l; |
1132 |
|
1133 |
l=a->id-b->id; |
1134 |
if (l == 0L) |
1135 |
return(0); |
1136 |
else |
1137 |
return((l > 0)?1:-1); |
1138 |
} |
1139 |
|
1140 |
int ssl_cipher_ptr_id_cmp(const SSL_CIPHER * const *ap, |
1141 |
const SSL_CIPHER * const *bp) |
1142 |
{ |
1143 |
long l; |
1144 |
|
1145 |
l=(*ap)->id-(*bp)->id; |
1146 |
if (l == 0L) |
1147 |
return(0); |
1148 |
else |
1149 |
return((l > 0)?1:-1); |
1150 |
} |
1151 |
|
1152 |
/** return a STACK of the ciphers available for the SSL and in order of |
1153 |
* preference */ |
1154 |
STACK_OF(SSL_CIPHER) *SSL_get_ciphers(const SSL *s) |
1155 |
{ |
1156 |
if (s != NULL) |
1157 |
{ |
1158 |
if (s->cipher_list != NULL) |
1159 |
{ |
1160 |
return(s->cipher_list); |
1161 |
} |
1162 |
else if ((s->ctx != NULL) && |
1163 |
(s->ctx->cipher_list != NULL)) |
1164 |
{ |
1165 |
return(s->ctx->cipher_list); |
1166 |
} |
1167 |
} |
1168 |
return(NULL); |
1169 |
} |
1170 |
|
1171 |
/** return a STACK of the ciphers available for the SSL and in order of |
1172 |
* algorithm id */ |
1173 |
STACK_OF(SSL_CIPHER) *ssl_get_ciphers_by_id(SSL *s) |
1174 |
{ |
1175 |
if (s != NULL) |
1176 |
{ |
1177 |
if (s->cipher_list_by_id != NULL) |
1178 |
{ |
1179 |
return(s->cipher_list_by_id); |
1180 |
} |
1181 |
else if ((s->ctx != NULL) && |
1182 |
(s->ctx->cipher_list_by_id != NULL)) |
1183 |
{ |
1184 |
return(s->ctx->cipher_list_by_id); |
1185 |
} |
1186 |
} |
1187 |
return(NULL); |
1188 |
} |
1189 |
|
1190 |
/** The old interface to get the same thing as SSL_get_ciphers() */ |
1191 |
const char *SSL_get_cipher_list(const SSL *s,int n) |
1192 |
{ |
1193 |
SSL_CIPHER *c; |
1194 |
STACK_OF(SSL_CIPHER) *sk; |
1195 |
|
1196 |
if (s == NULL) return(NULL); |
1197 |
sk=SSL_get_ciphers(s); |
1198 |
if ((sk == NULL) || (sk_SSL_CIPHER_num(sk) <= n)) |
1199 |
return(NULL); |
1200 |
c=sk_SSL_CIPHER_value(sk,n); |
1201 |
if (c == NULL) return(NULL); |
1202 |
return(c->name); |
1203 |
} |
1204 |
|
1205 |
/** specify the ciphers to be used by default by the SSL_CTX */ |
1206 |
int SSL_CTX_set_cipher_list(SSL_CTX *ctx, const char *str) |
1207 |
{ |
1208 |
STACK_OF(SSL_CIPHER) *sk; |
1209 |
|
1210 |
sk=ssl_create_cipher_list(ctx->method,&ctx->cipher_list, |
1211 |
&ctx->cipher_list_by_id,str); |
1212 |
/* ssl_create_cipher_list may return an empty stack if it |
1213 |
* was unable to find a cipher matching the given rule string |
1214 |
* (for example if the rule string specifies a cipher which |
1215 |
* has been disabled). This is not an error as far as |
1216 |
* ssl_create_cipher_list is concerned, and hence |
1217 |
* ctx->cipher_list and ctx->cipher_list_by_id has been |
1218 |
* updated. */ |
1219 |
if (sk == NULL) |
1220 |
return 0; |
1221 |
else if (sk_SSL_CIPHER_num(sk) == 0) |
1222 |
{ |
1223 |
SSLerr(SSL_F_SSL_CTX_SET_CIPHER_LIST, SSL_R_NO_CIPHER_MATCH); |
1224 |
return 0; |
1225 |
} |
1226 |
return 1; |
1227 |
} |
1228 |
|
1229 |
/** specify the ciphers to be used by the SSL */ |
1230 |
int SSL_set_cipher_list(SSL *s,const char *str) |
1231 |
{ |
1232 |
STACK_OF(SSL_CIPHER) *sk; |
1233 |
|
1234 |
sk=ssl_create_cipher_list(s->ctx->method,&s->cipher_list, |
1235 |
&s->cipher_list_by_id,str); |
1236 |
/* see comment in SSL_CTX_set_cipher_list */ |
1237 |
if (sk == NULL) |
1238 |
return 0; |
1239 |
else if (sk_SSL_CIPHER_num(sk) == 0) |
1240 |
{ |
1241 |
SSLerr(SSL_F_SSL_SET_CIPHER_LIST, SSL_R_NO_CIPHER_MATCH); |
1242 |
return 0; |
1243 |
} |
1244 |
return 1; |
1245 |
} |
1246 |
|
1247 |
/* works well for SSLv2, not so good for SSLv3 */ |
1248 |
char *SSL_get_shared_ciphers(const SSL *s,char *buf,int len) |
1249 |
{ |
1250 |
char *p; |
1251 |
STACK_OF(SSL_CIPHER) *sk; |
1252 |
SSL_CIPHER *c; |
1253 |
int i; |
1254 |
|
1255 |
if ((s->session == NULL) || (s->session->ciphers == NULL) || |
1256 |
(len < 2)) |
1257 |
return(NULL); |
1258 |
|
1259 |
p=buf; |
1260 |
sk=s->session->ciphers; |
1261 |
|
1262 |
if (sk_SSL_CIPHER_num(sk) == 0) |
1263 |
return NULL; |
1264 |
|
1265 |
for (i=0; i<sk_SSL_CIPHER_num(sk); i++) |
1266 |
{ |
1267 |
int n; |
1268 |
|
1269 |
c=sk_SSL_CIPHER_value(sk,i); |
1270 |
n=strlen(c->name); |
1271 |
if (n+1 > len) |
1272 |
{ |
1273 |
if (p != buf) |
1274 |
--p; |
1275 |
*p='\0'; |
1276 |
return buf; |
1277 |
} |
1278 |
strcpy(p,c->name); |
1279 |
p+=n; |
1280 |
*(p++)=':'; |
1281 |
len-=n+1; |
1282 |
} |
1283 |
p[-1]='\0'; |
1284 |
return(buf); |
1285 |
} |
1286 |
|
1287 |
int ssl_cipher_list_to_bytes(SSL *s,STACK_OF(SSL_CIPHER) *sk,unsigned char *p, |
1288 |
int (*put_cb)(const SSL_CIPHER *, unsigned char *)) |
1289 |
{ |
1290 |
int i,j=0; |
1291 |
SSL_CIPHER *c; |
1292 |
unsigned char *q; |
1293 |
#ifndef OPENSSL_NO_KRB5 |
1294 |
int nokrb5 = !kssl_tgt_is_available(s->kssl_ctx); |
1295 |
#endif /* OPENSSL_NO_KRB5 */ |
1296 |
|
1297 |
if (sk == NULL) return(0); |
1298 |
q=p; |
1299 |
if (put_cb == NULL) |
1300 |
put_cb = s->method->put_cipher_by_char; |
1301 |
|
1302 |
for (i=0; i<sk_SSL_CIPHER_num(sk); i++) |
1303 |
{ |
1304 |
c=sk_SSL_CIPHER_value(sk,i); |
1305 |
#ifndef OPENSSL_NO_KRB5 |
1306 |
if ((c->algorithms & SSL_KRB5) && nokrb5) |
1307 |
continue; |
1308 |
#endif /* OPENSSL_NO_KRB5 */ |
1309 |
|
1310 |
j = put_cb(c,p); |
1311 |
p+=j; |
1312 |
} |
1313 |
/* If p == q, no ciphers; caller indicates an error. |
1314 |
* Otherwise, add applicable SCSVs. */ |
1315 |
if (p != q) |
1316 |
{ |
1317 |
if (!s->new_session) |
1318 |
{ |
1319 |
static SSL_CIPHER scsv = |
1320 |
{ |
1321 |
0, NULL, SSL3_CK_SCSV, 0, 0, 0, 0, 0, 0, 0, |
1322 |
}; |
1323 |
j = put_cb(&scsv,p); |
1324 |
p+=j; |
1325 |
#ifdef OPENSSL_RI_DEBUG |
1326 |
fprintf(stderr, "TLS_EMPTY_RENEGOTIATION_INFO_SCSV sent by client\n"); |
1327 |
#endif |
1328 |
} |
1329 |
|
1330 |
if (s->mode & SSL_MODE_SEND_FALLBACK_SCSV) |
1331 |
{ |
1332 |
static SSL_CIPHER scsv = |
1333 |
{ |
1334 |
0, NULL, SSL3_CK_FALLBACK_SCSV, 0, 0, 0, 0, 0, 0, 0, |
1335 |
}; |
1336 |
j = put_cb(&scsv,p); |
1337 |
p+=j; |
1338 |
} |
1339 |
} |
1340 |
|
1341 |
return(p-q); |
1342 |
} |
1343 |
|
1344 |
STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s,unsigned char *p,int num, |
1345 |
STACK_OF(SSL_CIPHER) **skp) |
1346 |
{ |
1347 |
SSL_CIPHER *c; |
1348 |
STACK_OF(SSL_CIPHER) *sk; |
1349 |
int i,n; |
1350 |
|
1351 |
if (s->s3) |
1352 |
s->s3->send_connection_binding = 0; |
1353 |
|
1354 |
n=ssl_put_cipher_by_char(s,NULL,NULL); |
1355 |
if (n == 0 || (num%n) != 0) |
1356 |
{ |
1357 |
SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST); |
1358 |
return(NULL); |
1359 |
} |
1360 |
if ((skp == NULL) || (*skp == NULL)) |
1361 |
sk=sk_SSL_CIPHER_new_null(); /* change perhaps later */ |
1362 |
else |
1363 |
{ |
1364 |
sk= *skp; |
1365 |
sk_SSL_CIPHER_zero(sk); |
1366 |
} |
1367 |
|
1368 |
for (i=0; i<num; i+=n) |
1369 |
{ |
1370 |
/* Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV */ |
1371 |
if (s->s3 && (n != 3 || !p[0]) && |
1372 |
(p[n-2] == ((SSL3_CK_SCSV >> 8) & 0xff)) && |
1373 |
(p[n-1] == (SSL3_CK_SCSV & 0xff))) |
1374 |
{ |
1375 |
/* SCSV fatal if renegotiating */ |
1376 |
if (s->new_session) |
1377 |
{ |
1378 |
SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING); |
1379 |
ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE); |
1380 |
goto err; |
1381 |
} |
1382 |
s->s3->send_connection_binding = 1; |
1383 |
p += n; |
1384 |
#ifdef OPENSSL_RI_DEBUG |
1385 |
fprintf(stderr, "SCSV received by server\n"); |
1386 |
#endif |
1387 |
continue; |
1388 |
} |
1389 |
|
1390 |
/* Check for TLS_FALLBACK_SCSV */ |
1391 |
if ((n != 3 || !p[0]) && |
1392 |
(p[n-2] == ((SSL3_CK_FALLBACK_SCSV >> 8) & 0xff)) && |
1393 |
(p[n-1] == (SSL3_CK_FALLBACK_SCSV & 0xff))) |
1394 |
{ |
1395 |
/* The SCSV indicates that the client previously tried a higher version. |
1396 |
* Fail if the current version is an unexpected downgrade. */ |
1397 |
if (!SSL_ctrl(s, SSL_CTRL_CHECK_PROTO_VERSION, 0, NULL)) |
1398 |
{ |
1399 |
SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,SSL_R_INAPPROPRIATE_FALLBACK); |
1400 |
if (s->s3) |
1401 |
ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_INAPPROPRIATE_FALLBACK); |
1402 |
goto err; |
1403 |
} |
1404 |
p += n; |
1405 |
continue; |
1406 |
} |
1407 |
|
1408 |
c=ssl_get_cipher_by_char(s,p); |
1409 |
p+=n; |
1410 |
if (c != NULL) |
1411 |
{ |
1412 |
if (!sk_SSL_CIPHER_push(sk,c)) |
1413 |
{ |
1414 |
SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,ERR_R_MALLOC_FAILURE); |
1415 |
goto err; |
1416 |
} |
1417 |
} |
1418 |
} |
1419 |
|
1420 |
if (skp != NULL) |
1421 |
*skp=sk; |
1422 |
return(sk); |
1423 |
err: |
1424 |
if ((skp == NULL) || (*skp == NULL)) |
1425 |
sk_SSL_CIPHER_free(sk); |
1426 |
return(NULL); |
1427 |
} |
1428 |
|
1429 |
#ifndef OPENSSL_NO_TLSEXT |
1430 |
/** return a servername extension value if provided in Client Hello, or NULL. |
1431 |
* So far, only host_name types are defined (RFC 3546). |
1432 |
*/ |
1433 |
|
1434 |
const char *SSL_get_servername(const SSL *s, const int type) |
1435 |
{ |
1436 |
if (type != TLSEXT_NAMETYPE_host_name) |
1437 |
return NULL; |
1438 |
|
1439 |
return s->session && !s->tlsext_hostname ? |
1440 |
s->session->tlsext_hostname : |
1441 |
s->tlsext_hostname; |
1442 |
} |
1443 |
|
1444 |
int SSL_get_servername_type(const SSL *s) |
1445 |
{ |
1446 |
if (s->session && (!s->tlsext_hostname ? s->session->tlsext_hostname : s->tlsext_hostname)) |
1447 |
return TLSEXT_NAMETYPE_host_name; |
1448 |
return -1; |
1449 |
} |
1450 |
#endif |
1451 |
|
1452 |
unsigned long SSL_SESSION_hash(const SSL_SESSION *a) |
1453 |
{ |
1454 |
unsigned long l; |
1455 |
|
1456 |
l=(unsigned long) |
1457 |
((unsigned int) a->session_id[0] )| |
1458 |
((unsigned int) a->session_id[1]<< 8L)| |
1459 |
((unsigned long)a->session_id[2]<<16L)| |
1460 |
((unsigned long)a->session_id[3]<<24L); |
1461 |
return(l); |
1462 |
} |
1463 |
|
1464 |
/* NB: If this function (or indeed the hash function which uses a sort of |
1465 |
* coarser function than this one) is changed, ensure |
1466 |
* SSL_CTX_has_matching_session_id() is checked accordingly. It relies on being |
1467 |
* able to construct an SSL_SESSION that will collide with any existing session |
1468 |
* with a matching session ID. */ |
1469 |
int SSL_SESSION_cmp(const SSL_SESSION *a,const SSL_SESSION *b) |
1470 |
{ |
1471 |
if (a->ssl_version != b->ssl_version) |
1472 |
return(1); |
1473 |
if (a->session_id_length != b->session_id_length) |
1474 |
return(1); |
1475 |
return(memcmp(a->session_id,b->session_id,a->session_id_length)); |
1476 |
} |
1477 |
|
1478 |
/* These wrapper functions should remain rather than redeclaring |
1479 |
* SSL_SESSION_hash and SSL_SESSION_cmp for void* types and casting each |
1480 |
* variable. The reason is that the functions aren't static, they're exposed via |
1481 |
* ssl.h. */ |
1482 |
static IMPLEMENT_LHASH_HASH_FN(SSL_SESSION_hash, SSL_SESSION *) |
1483 |
static IMPLEMENT_LHASH_COMP_FN(SSL_SESSION_cmp, SSL_SESSION *) |
1484 |
|
1485 |
SSL_CTX *SSL_CTX_new(SSL_METHOD *meth) |
1486 |
{ |
1487 |
SSL_CTX *ret=NULL; |
1488 |
|
1489 |
if (meth == NULL) |
1490 |
{ |
1491 |
SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_NULL_SSL_METHOD_PASSED); |
1492 |
return(NULL); |
1493 |
} |
1494 |
|
1495 |
#ifdef OPENSSL_FIPS |
1496 |
if (FIPS_mode() && (meth->version < TLS1_VERSION)) |
1497 |
{ |
1498 |
SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE); |
1499 |
return NULL; |
1500 |
} |
1501 |
#endif |
1502 |
|
1503 |
if (SSL_get_ex_data_X509_STORE_CTX_idx() < 0) |
1504 |
{ |
1505 |
SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_X509_VERIFICATION_SETUP_PROBLEMS); |
1506 |
goto err; |
1507 |
} |
1508 |
ret=(SSL_CTX *)OPENSSL_malloc(sizeof(SSL_CTX)); |
1509 |
if (ret == NULL) |
1510 |
goto err; |
1511 |
|
1512 |
memset(ret,0,sizeof(SSL_CTX)); |
1513 |
|
1514 |
ret->method=meth; |
1515 |
|
1516 |
ret->cert_store=NULL; |
1517 |
ret->session_cache_mode=SSL_SESS_CACHE_SERVER; |
1518 |
ret->session_cache_size=SSL_SESSION_CACHE_MAX_SIZE_DEFAULT; |
1519 |
ret->session_cache_head=NULL; |
1520 |
ret->session_cache_tail=NULL; |
1521 |
|
1522 |
/* We take the system default */ |
1523 |
ret->session_timeout=meth->get_timeout(); |
1524 |
|
1525 |
ret->new_session_cb=0; |
1526 |
ret->remove_session_cb=0; |
1527 |
ret->get_session_cb=0; |
1528 |
ret->generate_session_id=0; |
1529 |
|
1530 |
memset((char *)&ret->stats,0,sizeof(ret->stats)); |
1531 |
|
1532 |
ret->references=1; |
1533 |
ret->quiet_shutdown=0; |
1534 |
|
1535 |
/* ret->cipher=NULL;*/ |
1536 |
/* ret->s2->challenge=NULL; |
1537 |
ret->master_key=NULL; |
1538 |
ret->key_arg=NULL; |
1539 |
ret->s2->conn_id=NULL; */ |
1540 |
|
1541 |
ret->info_callback=NULL; |
1542 |
|
1543 |
ret->app_verify_callback=0; |
1544 |
ret->app_verify_arg=NULL; |
1545 |
|
1546 |
ret->max_cert_list=SSL_MAX_CERT_LIST_DEFAULT; |
1547 |
ret->read_ahead=0; |
1548 |
ret->msg_callback=0; |
1549 |
ret->msg_callback_arg=NULL; |
1550 |
ret->verify_mode=SSL_VERIFY_NONE; |
1551 |
#if 0 |
1552 |
ret->verify_depth=-1; /* Don't impose a limit (but x509_lu.c does) */ |
1553 |
#endif |
1554 |
ret->sid_ctx_length=0; |
1555 |
ret->default_verify_callback=NULL; |
1556 |
if ((ret->cert=ssl_cert_new()) == NULL) |
1557 |
goto err; |
1558 |
|
1559 |
ret->default_passwd_callback=0; |
1560 |
ret->default_passwd_callback_userdata=NULL; |
1561 |
ret->client_cert_cb=0; |
1562 |
ret->app_gen_cookie_cb=0; |
1563 |
ret->app_verify_cookie_cb=0; |
1564 |
|
1565 |
ret->sessions=lh_new(LHASH_HASH_FN(SSL_SESSION_hash), |
1566 |
LHASH_COMP_FN(SSL_SESSION_cmp)); |
1567 |
if (ret->sessions == NULL) goto err; |
1568 |
ret->cert_store=X509_STORE_new(); |
1569 |
if (ret->cert_store == NULL) goto err; |
1570 |
|
1571 |
ssl_create_cipher_list(ret->method, |
1572 |
&ret->cipher_list,&ret->cipher_list_by_id, |
1573 |
SSL_DEFAULT_CIPHER_LIST); |
1574 |
if (ret->cipher_list == NULL |
1575 |
|| sk_SSL_CIPHER_num(ret->cipher_list) <= 0) |
1576 |
{ |
1577 |
SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_LIBRARY_HAS_NO_CIPHERS); |
1578 |
goto err2; |
1579 |
} |
1580 |
|
1581 |
ret->param = X509_VERIFY_PARAM_new(); |
1582 |
if (!ret->param) |
1583 |
goto err; |
1584 |
|
1585 |
if ((ret->rsa_md5=EVP_get_digestbyname("ssl2-md5")) == NULL) |
1586 |
{ |
1587 |
SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_UNABLE_TO_LOAD_SSL2_MD5_ROUTINES); |
1588 |
goto err2; |
1589 |
} |
1590 |
if ((ret->md5=EVP_get_digestbyname("ssl3-md5")) == NULL) |
1591 |
{ |
1592 |
SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES); |
1593 |
goto err2; |
1594 |
} |
1595 |
if ((ret->sha1=EVP_get_digestbyname("ssl3-sha1")) == NULL) |
1596 |
{ |
1597 |
SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES); |
1598 |
goto err2; |
1599 |
} |
1600 |
|
1601 |
if ((ret->client_CA=sk_X509_NAME_new_null()) == NULL) |
1602 |
goto err; |
1603 |
|
1604 |
CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL_CTX, ret, &ret->ex_data); |
1605 |
|
1606 |
ret->extra_certs=NULL; |
1607 |
/* No compression for DTLS */ |
1608 |
if (meth->version != DTLS1_VERSION) |
1609 |
ret->comp_methods=SSL_COMP_get_compression_methods(); |
1610 |
|
1611 |
#ifndef OPENSSL_NO_TLSEXT |
1612 |
ret->tlsext_servername_callback = 0; |
1613 |
ret->tlsext_servername_arg = NULL; |
1614 |
/* Setup RFC4507 ticket keys */ |
1615 |
if ((RAND_pseudo_bytes(ret->tlsext_tick_key_name, 16) <= 0) |
1616 |
|| (RAND_bytes(ret->tlsext_tick_hmac_key, 16) <= 0) |
1617 |
|| (RAND_bytes(ret->tlsext_tick_aes_key, 16) <= 0)) |
1618 |
ret->options |= SSL_OP_NO_TICKET; |
1619 |
|
1620 |
ret->tlsext_status_cb = 0; |
1621 |
ret->tlsext_status_arg = NULL; |
1622 |
|
1623 |
#endif |
1624 |
|
1625 |
#ifndef OPENSSL_NO_ENGINE |
1626 |
ret->client_cert_engine = NULL; |
1627 |
#ifdef OPENSSL_SSL_CLIENT_ENGINE_AUTO |
1628 |
#define eng_strx(x) #x |
1629 |
#define eng_str(x) eng_strx(x) |
1630 |
/* Use specific client engine automatically... ignore errors */ |
1631 |
{ |
1632 |
ENGINE *eng; |
1633 |
eng = ENGINE_by_id(eng_str(OPENSSL_SSL_CLIENT_ENGINE_AUTO)); |
1634 |
if (!eng) |
1635 |
{ |
1636 |
ERR_clear_error(); |
1637 |
ENGINE_load_builtin_engines(); |
1638 |
eng = ENGINE_by_id(eng_str(OPENSSL_SSL_CLIENT_ENGINE_AUTO)); |
1639 |
} |
1640 |
if (!eng || !SSL_CTX_set_client_cert_engine(ret, eng)) |
1641 |
ERR_clear_error(); |
1642 |
} |
1643 |
#endif |
1644 |
#endif |
1645 |
/* Default is to connect to non-RI servers. When RI is more widely |
1646 |
* deployed might change this. |
1647 |
*/ |
1648 |
ret->options |= SSL_OP_LEGACY_SERVER_CONNECT; |
1649 |
|
1650 |
return(ret); |
1651 |
err: |
1652 |
SSLerr(SSL_F_SSL_CTX_NEW,ERR_R_MALLOC_FAILURE); |
1653 |
err2: |
1654 |
if (ret != NULL) SSL_CTX_free(ret); |
1655 |
return(NULL); |
1656 |
} |
1657 |
|
1658 |
#if 0 |
1659 |
static void SSL_COMP_free(SSL_COMP *comp) |
1660 |
{ OPENSSL_free(comp); } |
1661 |
#endif |
1662 |
|
1663 |
void SSL_CTX_free(SSL_CTX *a) |
1664 |
{ |
1665 |
int i; |
1666 |
|
1667 |
if (a == NULL) return; |
1668 |
|
1669 |
i=CRYPTO_add(&a->references,-1,CRYPTO_LOCK_SSL_CTX); |
1670 |
#ifdef REF_PRINT |
1671 |
REF_PRINT("SSL_CTX",a); |
1672 |
#endif |
1673 |
if (i > 0) return; |
1674 |
#ifdef REF_CHECK |
1675 |
if (i < 0) |
1676 |
{ |
1677 |
fprintf(stderr,"SSL_CTX_free, bad reference count\n"); |
1678 |
abort(); /* ok */ |
1679 |
} |
1680 |
#endif |
1681 |
|
1682 |
if (a->param) |
1683 |
X509_VERIFY_PARAM_free(a->param); |
1684 |
|
1685 |
/* |
1686 |
* Free internal session cache. However: the remove_cb() may reference |
1687 |
* the ex_data of SSL_CTX, thus the ex_data store can only be removed |
1688 |
* after the sessions were flushed. |
1689 |
* As the ex_data handling routines might also touch the session cache, |
1690 |
* the most secure solution seems to be: empty (flush) the cache, then |
1691 |
* free ex_data, then finally free the cache. |
1692 |
* (See ticket [openssl.org #212].) |
1693 |
*/ |
1694 |
if (a->sessions != NULL) |
1695 |
SSL_CTX_flush_sessions(a,0); |
1696 |
|
1697 |
CRYPTO_free_ex_data(CRYPTO_EX_INDEX_SSL_CTX, a, &a->ex_data); |
1698 |
|
1699 |
if (a->sessions != NULL) |
1700 |
lh_free(a->sessions); |
1701 |
|
1702 |
if (a->cert_store != NULL) |
1703 |
X509_STORE_free(a->cert_store); |
1704 |
if (a->cipher_list != NULL) |
1705 |
sk_SSL_CIPHER_free(a->cipher_list); |
1706 |
if (a->cipher_list_by_id != NULL) |
1707 |
sk_SSL_CIPHER_free(a->cipher_list_by_id); |
1708 |
if (a->cert != NULL) |
1709 |
ssl_cert_free(a->cert); |
1710 |
if (a->client_CA != NULL) |
1711 |
sk_X509_NAME_pop_free(a->client_CA,X509_NAME_free); |
1712 |
if (a->extra_certs != NULL) |
1713 |
sk_X509_pop_free(a->extra_certs,X509_free); |
1714 |
#if 0 /* This should never be done, since it removes a global database */ |
1715 |
if (a->comp_methods != NULL) |
1716 |
sk_SSL_COMP_pop_free(a->comp_methods,SSL_COMP_free); |
1717 |
#else |
1718 |
a->comp_methods = NULL; |
1719 |
#endif |
1720 |
#ifndef OPENSSL_NO_ENGINE |
1721 |
if (a->client_cert_engine) |
1722 |
ENGINE_finish(a->client_cert_engine); |
1723 |
#endif |
1724 |
OPENSSL_free(a); |
1725 |
} |
1726 |
|
1727 |
void SSL_CTX_set_default_passwd_cb(SSL_CTX *ctx, pem_password_cb *cb) |
1728 |
{ |
1729 |
ctx->default_passwd_callback=cb; |
1730 |
} |
1731 |
|
1732 |
void SSL_CTX_set_default_passwd_cb_userdata(SSL_CTX *ctx,void *u) |
1733 |
{ |
1734 |
ctx->default_passwd_callback_userdata=u; |
1735 |
} |
1736 |
|
1737 |
void SSL_CTX_set_cert_verify_callback(SSL_CTX *ctx, int (*cb)(X509_STORE_CTX *,void *), void *arg) |
1738 |
{ |
1739 |
ctx->app_verify_callback=cb; |
1740 |
ctx->app_verify_arg=arg; |
1741 |
} |
1742 |
|
1743 |
void SSL_CTX_set_verify(SSL_CTX *ctx,int mode,int (*cb)(int, X509_STORE_CTX *)) |
1744 |
{ |
1745 |
ctx->verify_mode=mode; |
1746 |
ctx->default_verify_callback=cb; |
1747 |
} |
1748 |
|
1749 |
void SSL_CTX_set_verify_depth(SSL_CTX *ctx,int depth) |
1750 |
{ |
1751 |
X509_VERIFY_PARAM_set_depth(ctx->param, depth); |
1752 |
} |
1753 |
|
1754 |
void ssl_set_cert_masks(CERT *c, SSL_CIPHER *cipher) |
1755 |
{ |
1756 |
CERT_PKEY *cpk; |
1757 |
int rsa_enc,rsa_tmp,rsa_sign,dh_tmp,dh_rsa,dh_dsa,dsa_sign; |
1758 |
int rsa_enc_export,dh_rsa_export,dh_dsa_export; |
1759 |
int rsa_tmp_export,dh_tmp_export,kl; |
1760 |
unsigned long mask,emask; |
1761 |
int have_ecc_cert, ecdh_ok, ecdsa_ok, ecc_pkey_size; |
1762 |
#ifndef OPENSSL_NO_ECDH |
1763 |
int have_ecdh_tmp; |
1764 |
#endif |
1765 |
X509 *x = NULL; |
1766 |
EVP_PKEY *ecc_pkey = NULL; |
1767 |
int signature_nid = 0; |
1768 |
|
1769 |
if (c == NULL) return; |
1770 |
|
1771 |
kl=SSL_C_EXPORT_PKEYLENGTH(cipher); |
1772 |
|
1773 |
#ifndef OPENSSL_NO_RSA |
1774 |
rsa_tmp=(c->rsa_tmp != NULL || c->rsa_tmp_cb != NULL); |
1775 |
rsa_tmp_export=(c->rsa_tmp_cb != NULL || |
1776 |
(rsa_tmp && RSA_size(c->rsa_tmp)*8 <= kl)); |
1777 |
#else |
1778 |
rsa_tmp=rsa_tmp_export=0; |
1779 |
#endif |
1780 |
#ifndef OPENSSL_NO_DH |
1781 |
dh_tmp=(c->dh_tmp != NULL || c->dh_tmp_cb != NULL); |
1782 |
dh_tmp_export=(c->dh_tmp_cb != NULL || |
1783 |
(dh_tmp && DH_size(c->dh_tmp)*8 <= kl)); |
1784 |
#else |
1785 |
dh_tmp=dh_tmp_export=0; |
1786 |
#endif |
1787 |
|
1788 |
#ifndef OPENSSL_NO_ECDH |
1789 |
have_ecdh_tmp=(c->ecdh_tmp != NULL || c->ecdh_tmp_cb != NULL); |
1790 |
#endif |
1791 |
cpk= &(c->pkeys[SSL_PKEY_RSA_ENC]); |
1792 |
rsa_enc= (cpk->x509 != NULL && cpk->privatekey != NULL); |
1793 |
rsa_enc_export=(rsa_enc && EVP_PKEY_size(cpk->privatekey)*8 <= kl); |
1794 |
cpk= &(c->pkeys[SSL_PKEY_RSA_SIGN]); |
1795 |
rsa_sign=(cpk->x509 != NULL && cpk->privatekey != NULL); |
1796 |
cpk= &(c->pkeys[SSL_PKEY_DSA_SIGN]); |
1797 |
dsa_sign=(cpk->x509 != NULL && cpk->privatekey != NULL); |
1798 |
cpk= &(c->pkeys[SSL_PKEY_DH_RSA]); |
1799 |
dh_rsa= (cpk->x509 != NULL && cpk->privatekey != NULL); |
1800 |
dh_rsa_export=(dh_rsa && EVP_PKEY_size(cpk->privatekey)*8 <= kl); |
1801 |
cpk= &(c->pkeys[SSL_PKEY_DH_DSA]); |
1802 |
/* FIX THIS EAY EAY EAY */ |
1803 |
dh_dsa= (cpk->x509 != NULL && cpk->privatekey != NULL); |
1804 |
dh_dsa_export=(dh_dsa && EVP_PKEY_size(cpk->privatekey)*8 <= kl); |
1805 |
cpk= &(c->pkeys[SSL_PKEY_ECC]); |
1806 |
have_ecc_cert= (cpk->x509 != NULL && cpk->privatekey != NULL); |
1807 |
mask=0; |
1808 |
emask=0; |
1809 |
|
1810 |
#ifdef CIPHER_DEBUG |
1811 |
printf("rt=%d rte=%d dht=%d re=%d ree=%d rs=%d ds=%d dhr=%d dhd=%d\n", |
1812 |
rsa_tmp,rsa_tmp_export,dh_tmp, |
1813 |
rsa_enc,rsa_enc_export,rsa_sign,dsa_sign,dh_rsa,dh_dsa); |
1814 |
#endif |
1815 |
|
1816 |
if (rsa_enc || (rsa_tmp && rsa_sign)) |
1817 |
mask|=SSL_kRSA; |
1818 |
if (rsa_enc_export || (rsa_tmp_export && (rsa_sign || rsa_enc))) |
1819 |
emask|=SSL_kRSA; |
1820 |
|
1821 |
#if 0 |
1822 |
/* The match needs to be both kEDH and aRSA or aDSA, so don't worry */ |
1823 |
if ( (dh_tmp || dh_rsa || dh_dsa) && |
1824 |
(rsa_enc || rsa_sign || dsa_sign)) |
1825 |
mask|=SSL_kEDH; |
1826 |
if ((dh_tmp_export || dh_rsa_export || dh_dsa_export) && |
1827 |
(rsa_enc || rsa_sign || dsa_sign)) |
1828 |
emask|=SSL_kEDH; |
1829 |
#endif |
1830 |
|
1831 |
if (dh_tmp_export) |
1832 |
emask|=SSL_kEDH; |
1833 |
|
1834 |
if (dh_tmp) |
1835 |
mask|=SSL_kEDH; |
1836 |
|
1837 |
if (dh_rsa) mask|=SSL_kDHr; |
1838 |
if (dh_rsa_export) emask|=SSL_kDHr; |
1839 |
|
1840 |
if (dh_dsa) mask|=SSL_kDHd; |
1841 |
if (dh_dsa_export) emask|=SSL_kDHd; |
1842 |
|
1843 |
if (rsa_enc || rsa_sign) |
1844 |
{ |
1845 |
mask|=SSL_aRSA; |
1846 |
emask|=SSL_aRSA; |
1847 |
} |
1848 |
|
1849 |
if (dsa_sign) |
1850 |
{ |
1851 |
mask|=SSL_aDSS; |
1852 |
emask|=SSL_aDSS; |
1853 |
} |
1854 |
|
1855 |
mask|=SSL_aNULL; |
1856 |
emask|=SSL_aNULL; |
1857 |
|
1858 |
#ifndef OPENSSL_NO_KRB5 |
1859 |
mask|=SSL_kKRB5|SSL_aKRB5; |
1860 |
emask|=SSL_kKRB5|SSL_aKRB5; |
1861 |
#endif |
1862 |
|
1863 |
/* An ECC certificate may be usable for ECDH and/or |
1864 |
* ECDSA cipher suites depending on the key usage extension. |
1865 |
*/ |
1866 |
if (have_ecc_cert) |
1867 |
{ |
1868 |
/* This call populates extension flags (ex_flags) */ |
1869 |
x = (c->pkeys[SSL_PKEY_ECC]).x509; |
1870 |
X509_check_purpose(x, -1, 0); |
1871 |
ecdh_ok = (x->ex_flags & EXFLAG_KUSAGE) ? |
1872 |
(x->ex_kusage & X509v3_KU_KEY_AGREEMENT) : 1; |
1873 |
ecdsa_ok = (x->ex_flags & EXFLAG_KUSAGE) ? |
1874 |
(x->ex_kusage & X509v3_KU_DIGITAL_SIGNATURE) : 1; |
1875 |
ecc_pkey = X509_get_pubkey(x); |
1876 |
ecc_pkey_size = (ecc_pkey != NULL) ? |
1877 |
EVP_PKEY_bits(ecc_pkey) : 0; |
1878 |
EVP_PKEY_free(ecc_pkey); |
1879 |
if ((x->sig_alg) && (x->sig_alg->algorithm)) |
1880 |
signature_nid = OBJ_obj2nid(x->sig_alg->algorithm); |
1881 |
#ifndef OPENSSL_NO_ECDH |
1882 |
if (ecdh_ok) |
1883 |
{ |
1884 |
if ((signature_nid == NID_md5WithRSAEncryption) || |
1885 |
(signature_nid == NID_md4WithRSAEncryption) || |
1886 |
(signature_nid == NID_md2WithRSAEncryption)) |
1887 |
{ |
1888 |
mask|=SSL_kECDH|SSL_aRSA; |
1889 |
if (ecc_pkey_size <= 163) |
1890 |
emask|=SSL_kECDH|SSL_aRSA; |
1891 |
} |
1892 |
if (signature_nid == NID_ecdsa_with_SHA1) |
1893 |
{ |
1894 |
mask|=SSL_kECDH|SSL_aECDSA; |
1895 |
if (ecc_pkey_size <= 163) |
1896 |
emask|=SSL_kECDH|SSL_aECDSA; |
1897 |
} |
1898 |
} |
1899 |
#endif |
1900 |
#ifndef OPENSSL_NO_ECDSA |
1901 |
if (ecdsa_ok) |
1902 |
{ |
1903 |
mask|=SSL_aECDSA; |
1904 |
emask|=SSL_aECDSA; |
1905 |
} |
1906 |
#endif |
1907 |
} |
1908 |
|
1909 |
#ifndef OPENSSL_NO_ECDH |
1910 |
if (have_ecdh_tmp) |
1911 |
{ |
1912 |
mask|=SSL_kECDHE; |
1913 |
emask|=SSL_kECDHE; |
1914 |
} |
1915 |
#endif |
1916 |
c->mask=mask; |
1917 |
c->export_mask=emask; |
1918 |
c->valid=1; |
1919 |
} |
1920 |
|
1921 |
/* This handy macro borrowed from crypto/x509v3/v3_purp.c */ |
1922 |
#define ku_reject(x, usage) \ |
1923 |
(((x)->ex_flags & EXFLAG_KUSAGE) && !((x)->ex_kusage & (usage))) |
1924 |
|
1925 |
int check_srvr_ecc_cert_and_alg(X509 *x, SSL_CIPHER *cs) |
1926 |
{ |
1927 |
unsigned long alg = cs->algorithms; |
1928 |
EVP_PKEY *pkey = NULL; |
1929 |
int keysize = 0; |
1930 |
int signature_nid = 0; |
1931 |
|
1932 |
if (SSL_C_IS_EXPORT(cs)) |
1933 |
{ |
1934 |
/* ECDH key length in export ciphers must be <= 163 bits */ |
1935 |
pkey = X509_get_pubkey(x); |
1936 |
if (pkey == NULL) return 0; |
1937 |
keysize = EVP_PKEY_bits(pkey); |
1938 |
EVP_PKEY_free(pkey); |
1939 |
if (keysize > 163) return 0; |
1940 |
} |
1941 |
|
1942 |
/* This call populates the ex_flags field correctly */ |
1943 |
X509_check_purpose(x, -1, 0); |
1944 |
if ((x->sig_alg) && (x->sig_alg->algorithm)) |
1945 |
signature_nid = OBJ_obj2nid(x->sig_alg->algorithm); |
1946 |
if (alg & SSL_kECDH) |
1947 |
{ |
1948 |
/* key usage, if present, must allow key agreement */ |
1949 |
if (ku_reject(x, X509v3_KU_KEY_AGREEMENT)) |
1950 |
{ |
1951 |
return 0; |
1952 |
} |
1953 |
if (alg & SSL_aECDSA) |
1954 |
{ |
1955 |
/* signature alg must be ECDSA */ |
1956 |
if (signature_nid != NID_ecdsa_with_SHA1) |
1957 |
{ |
1958 |
return 0; |
1959 |
} |
1960 |
} |
1961 |
if (alg & SSL_aRSA) |
1962 |
{ |
1963 |
/* signature alg must be RSA */ |
1964 |
if ((signature_nid != NID_md5WithRSAEncryption) && |
1965 |
(signature_nid != NID_md4WithRSAEncryption) && |
1966 |
(signature_nid != NID_md2WithRSAEncryption)) |
1967 |
{ |
1968 |
return 0; |
1969 |
} |
1970 |
} |
1971 |
} |
1972 |
else if (alg & SSL_aECDSA) |
1973 |
{ |
1974 |
/* key usage, if present, must allow signing */ |
1975 |
if (ku_reject(x, X509v3_KU_DIGITAL_SIGNATURE)) |
1976 |
{ |
1977 |
return 0; |
1978 |
} |
1979 |
} |
1980 |
|
1981 |
return 1; /* all checks are ok */ |
1982 |
} |
1983 |
|
1984 |
/* THIS NEEDS CLEANING UP */ |
1985 |
CERT_PKEY *ssl_get_server_send_pkey(const SSL *s) |
1986 |
{ |
1987 |
unsigned long alg,kalg; |
1988 |
CERT *c; |
1989 |
int i; |
1990 |
|
1991 |
c=s->cert; |
1992 |
ssl_set_cert_masks(c, s->s3->tmp.new_cipher); |
1993 |
alg=s->s3->tmp.new_cipher->algorithms; |
1994 |
kalg=alg&(SSL_MKEY_MASK|SSL_AUTH_MASK); |
1995 |
|
1996 |
if (kalg & SSL_kECDH) |
1997 |
{ |
1998 |
/* we don't need to look at SSL_kECDHE |
1999 |
* since no certificate is needed for |
2000 |
* anon ECDH and for authenticated |
2001 |
* ECDHE, the check for the auth |
2002 |
* algorithm will set i correctly |
2003 |
* NOTE: For ECDH-RSA, we need an ECC |
2004 |
* not an RSA cert but for ECDHE-RSA |
2005 |
* we need an RSA cert. Placing the |
2006 |
* checks for SSL_kECDH before RSA |
2007 |
* checks ensures the correct cert is chosen. |
2008 |
*/ |
2009 |
i=SSL_PKEY_ECC; |
2010 |
} |
2011 |
else if (kalg & SSL_aECDSA) |
2012 |
{ |
2013 |
i=SSL_PKEY_ECC; |
2014 |
} |
2015 |
else if (kalg & SSL_kDHr) |
2016 |
i=SSL_PKEY_DH_RSA; |
2017 |
else if (kalg & SSL_kDHd) |
2018 |
i=SSL_PKEY_DH_DSA; |
2019 |
else if (kalg & SSL_aDSS) |
2020 |
i=SSL_PKEY_DSA_SIGN; |
2021 |
else if (kalg & SSL_aRSA) |
2022 |
{ |
2023 |
if (c->pkeys[SSL_PKEY_RSA_ENC].x509 == NULL) |
2024 |
i=SSL_PKEY_RSA_SIGN; |
2025 |
else |
2026 |
i=SSL_PKEY_RSA_ENC; |
2027 |
} |
2028 |
else if (kalg & SSL_aKRB5) |
2029 |
{ |
2030 |
/* VRS something else here? */ |
2031 |
return(NULL); |
2032 |
} |
2033 |
else /* if (kalg & SSL_aNULL) */ |
2034 |
{ |
2035 |
SSLerr(SSL_F_SSL_GET_SERVER_SEND_PKEY,ERR_R_INTERNAL_ERROR); |
2036 |
return(NULL); |
2037 |
} |
2038 |
|
2039 |
return c->pkeys + i; |
2040 |
} |
2041 |
|
2042 |
X509 *ssl_get_server_send_cert(const SSL *s) |
2043 |
{ |
2044 |
CERT_PKEY *cpk; |
2045 |
cpk = ssl_get_server_send_pkey(s); |
2046 |
if (!cpk) |
2047 |
return NULL; |
2048 |
return cpk->x509; |
2049 |
} |
2050 |
|
2051 |
EVP_PKEY *ssl_get_sign_pkey(SSL *s,SSL_CIPHER *cipher) |
2052 |
{ |
2053 |
unsigned long alg; |
2054 |
CERT *c; |
2055 |
|
2056 |
alg=cipher->algorithms; |
2057 |
c=s->cert; |
2058 |
|
2059 |
if ((alg & SSL_aDSS) && |
2060 |
(c->pkeys[SSL_PKEY_DSA_SIGN].privatekey != NULL)) |
2061 |
return(c->pkeys[SSL_PKEY_DSA_SIGN].privatekey); |
2062 |
else if (alg & SSL_aRSA) |
2063 |
{ |
2064 |
if (c->pkeys[SSL_PKEY_RSA_SIGN].privatekey != NULL) |
2065 |
return(c->pkeys[SSL_PKEY_RSA_SIGN].privatekey); |
2066 |
else if (c->pkeys[SSL_PKEY_RSA_ENC].privatekey != NULL) |
2067 |
return(c->pkeys[SSL_PKEY_RSA_ENC].privatekey); |
2068 |
else |
2069 |
return(NULL); |
2070 |
} |
2071 |
else if ((alg & SSL_aECDSA) && |
2072 |
(c->pkeys[SSL_PKEY_ECC].privatekey != NULL)) |
2073 |
return(c->pkeys[SSL_PKEY_ECC].privatekey); |
2074 |
else /* if (alg & SSL_aNULL) */ |
2075 |
{ |
2076 |
SSLerr(SSL_F_SSL_GET_SIGN_PKEY,ERR_R_INTERNAL_ERROR); |
2077 |
return(NULL); |
2078 |
} |
2079 |
} |
2080 |
|
2081 |
void ssl_update_cache(SSL *s,int mode) |
2082 |
{ |
2083 |
int i; |
2084 |
|
2085 |
/* If the session_id_length is 0, we are not supposed to cache it, |
2086 |
* and it would be rather hard to do anyway :-) */ |
2087 |
if (s->session->session_id_length == 0) return; |
2088 |
|
2089 |
i=s->ctx->session_cache_mode; |
2090 |
if ((i & mode) && (!s->hit) |
2091 |
&& ((i & SSL_SESS_CACHE_NO_INTERNAL_STORE) |
2092 |
|| SSL_CTX_add_session(s->ctx,s->session)) |
2093 |
&& (s->ctx->new_session_cb != NULL)) |
2094 |
{ |
2095 |
CRYPTO_add(&s->session->references,1,CRYPTO_LOCK_SSL_SESSION); |
2096 |
if (!s->ctx->new_session_cb(s,s->session)) |
2097 |
SSL_SESSION_free(s->session); |
2098 |
} |
2099 |
|
2100 |
/* auto flush every 255 connections */ |
2101 |
if ((!(i & SSL_SESS_CACHE_NO_AUTO_CLEAR)) && |
2102 |
((i & mode) == mode)) |
2103 |
{ |
2104 |
if ( (((mode & SSL_SESS_CACHE_CLIENT) |
2105 |
?s->ctx->stats.sess_connect_good |
2106 |
:s->ctx->stats.sess_accept_good) & 0xff) == 0xff) |
2107 |
{ |
2108 |
SSL_CTX_flush_sessions(s->ctx,(unsigned long)time(NULL)); |
2109 |
} |
2110 |
} |
2111 |
} |
2112 |
|
2113 |
SSL_METHOD *SSL_get_ssl_method(SSL *s) |
2114 |
{ |
2115 |
return(s->method); |
2116 |
} |
2117 |
|
2118 |
int SSL_set_ssl_method(SSL *s,SSL_METHOD *meth) |
2119 |
{ |
2120 |
int conn= -1; |
2121 |
int ret=1; |
2122 |
|
2123 |
if (s->method != meth) |
2124 |
{ |
2125 |
if (s->handshake_func != NULL) |
2126 |
conn=(s->handshake_func == s->method->ssl_connect); |
2127 |
|
2128 |
if (s->method->version == meth->version) |
2129 |
s->method=meth; |
2130 |
else |
2131 |
{ |
2132 |
s->method->ssl_free(s); |
2133 |
s->method=meth; |
2134 |
ret=s->method->ssl_new(s); |
2135 |
} |
2136 |
|
2137 |
if (conn == 1) |
2138 |
s->handshake_func=meth->ssl_connect; |
2139 |
else if (conn == 0) |
2140 |
s->handshake_func=meth->ssl_accept; |
2141 |
} |
2142 |
return(ret); |
2143 |
} |
2144 |
|
2145 |
int SSL_get_error(const SSL *s,int i) |
2146 |
{ |
2147 |
int reason; |
2148 |
unsigned long l; |
2149 |
BIO *bio; |
2150 |
|
2151 |
if (i > 0) return(SSL_ERROR_NONE); |
2152 |
|
2153 |
/* Make things return SSL_ERROR_SYSCALL when doing SSL_do_handshake |
2154 |
* etc, where we do encode the error */ |
2155 |
if ((l=ERR_peek_error()) != 0) |
2156 |
{ |
2157 |
if (ERR_GET_LIB(l) == ERR_LIB_SYS) |
2158 |
return(SSL_ERROR_SYSCALL); |
2159 |
else |
2160 |
return(SSL_ERROR_SSL); |
2161 |
} |
2162 |
|
2163 |
if ((i < 0) && SSL_want_read(s)) |
2164 |
{ |
2165 |
bio=SSL_get_rbio(s); |
2166 |
if (BIO_should_read(bio)) |
2167 |
return(SSL_ERROR_WANT_READ); |
2168 |
else if (BIO_should_write(bio)) |
2169 |
/* This one doesn't make too much sense ... We never try |
2170 |
* to write to the rbio, and an application program where |
2171 |
* rbio and wbio are separate couldn't even know what it |
2172 |
* should wait for. |
2173 |
* However if we ever set s->rwstate incorrectly |
2174 |
* (so that we have SSL_want_read(s) instead of |
2175 |
* SSL_want_write(s)) and rbio and wbio *are* the same, |
2176 |
* this test works around that bug; so it might be safer |
2177 |
* to keep it. */ |
2178 |
return(SSL_ERROR_WANT_WRITE); |
2179 |
else if (BIO_should_io_special(bio)) |
2180 |
{ |
2181 |
reason=BIO_get_retry_reason(bio); |
2182 |
if (reason == BIO_RR_CONNECT) |
2183 |
return(SSL_ERROR_WANT_CONNECT); |
2184 |
else if (reason == BIO_RR_ACCEPT) |
2185 |
return(SSL_ERROR_WANT_ACCEPT); |
2186 |
else |
2187 |
return(SSL_ERROR_SYSCALL); /* unknown */ |
2188 |
} |
2189 |
} |
2190 |
|
2191 |
if ((i < 0) && SSL_want_write(s)) |
2192 |
{ |
2193 |
bio=SSL_get_wbio(s); |
2194 |
if (BIO_should_write(bio)) |
2195 |
return(SSL_ERROR_WANT_WRITE); |
2196 |
else if (BIO_should_read(bio)) |
2197 |
/* See above (SSL_want_read(s) with BIO_should_write(bio)) */ |
2198 |
return(SSL_ERROR_WANT_READ); |
2199 |
else if (BIO_should_io_special(bio)) |
2200 |
{ |
2201 |
reason=BIO_get_retry_reason(bio); |
2202 |
if (reason == BIO_RR_CONNECT) |
2203 |
return(SSL_ERROR_WANT_CONNECT); |
2204 |
else if (reason == BIO_RR_ACCEPT) |
2205 |
return(SSL_ERROR_WANT_ACCEPT); |
2206 |
else |
2207 |
return(SSL_ERROR_SYSCALL); |
2208 |
} |
2209 |
} |
2210 |
if ((i < 0) && SSL_want_x509_lookup(s)) |
2211 |
{ |
2212 |
return(SSL_ERROR_WANT_X509_LOOKUP); |
2213 |
} |
2214 |
|
2215 |
if (i == 0) |
2216 |
{ |
2217 |
if (s->version == SSL2_VERSION) |
2218 |
{ |
2219 |
/* assume it is the socket being closed */ |
2220 |
return(SSL_ERROR_ZERO_RETURN); |
2221 |
} |
2222 |
else |
2223 |
{ |
2224 |
if ((s->shutdown & SSL_RECEIVED_SHUTDOWN) && |
2225 |
(s->s3->warn_alert == SSL_AD_CLOSE_NOTIFY)) |
2226 |
return(SSL_ERROR_ZERO_RETURN); |
2227 |
} |
2228 |
} |
2229 |
return(SSL_ERROR_SYSCALL); |
2230 |
} |
2231 |
|
2232 |
int SSL_do_handshake(SSL *s) |
2233 |
{ |
2234 |
int ret=1; |
2235 |
|
2236 |
if (s->handshake_func == NULL) |
2237 |
{ |
2238 |
SSLerr(SSL_F_SSL_DO_HANDSHAKE,SSL_R_CONNECTION_TYPE_NOT_SET); |
2239 |
return(-1); |
2240 |
} |
2241 |
|
2242 |
s->method->ssl_renegotiate_check(s); |
2243 |
|
2244 |
if (SSL_in_init(s) || SSL_in_before(s)) |
2245 |
{ |
2246 |
ret=s->handshake_func(s); |
2247 |
} |
2248 |
return(ret); |
2249 |
} |
2250 |
|
2251 |
/* For the next 2 functions, SSL_clear() sets shutdown and so |
2252 |
* one of these calls will reset it */ |
2253 |
void SSL_set_accept_state(SSL *s) |
2254 |
{ |
2255 |
s->server=1; |
2256 |
s->shutdown=0; |
2257 |
s->state=SSL_ST_ACCEPT|SSL_ST_BEFORE; |
2258 |
s->handshake_func=s->method->ssl_accept; |
2259 |
/* clear the current cipher */ |
2260 |
ssl_clear_cipher_ctx(s); |
2261 |
} |
2262 |
|
2263 |
void SSL_set_connect_state(SSL *s) |
2264 |
{ |
2265 |
s->server=0; |
2266 |
s->shutdown=0; |
2267 |
s->state=SSL_ST_CONNECT|SSL_ST_BEFORE; |
2268 |
s->handshake_func=s->method->ssl_connect; |
2269 |
/* clear the current cipher */ |
2270 |
ssl_clear_cipher_ctx(s); |
2271 |
} |
2272 |
|
2273 |
int ssl_undefined_function(SSL *s) |
2274 |
{ |
2275 |
SSLerr(SSL_F_SSL_UNDEFINED_FUNCTION,ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); |
2276 |
return(0); |
2277 |
} |
2278 |
|
2279 |
int ssl_undefined_void_function(void) |
2280 |
{ |
2281 |
SSLerr(SSL_F_SSL_UNDEFINED_VOID_FUNCTION,ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); |
2282 |
return(0); |
2283 |
} |
2284 |
|
2285 |
int ssl_undefined_const_function(const SSL *s) |
2286 |
{ |
2287 |
SSLerr(SSL_F_SSL_UNDEFINED_CONST_FUNCTION,ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); |
2288 |
return(0); |
2289 |
} |
2290 |
|
2291 |
SSL_METHOD *ssl_bad_method(int ver) |
2292 |
{ |
2293 |
SSLerr(SSL_F_SSL_BAD_METHOD,ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); |
2294 |
return(NULL); |
2295 |
} |
2296 |
|
2297 |
const char *SSL_get_version(const SSL *s) |
2298 |
{ |
2299 |
if (s->version == TLS1_VERSION) |
2300 |
return("TLSv1"); |
2301 |
else if (s->version == SSL3_VERSION) |
2302 |
return("SSLv3"); |
2303 |
else if (s->version == SSL2_VERSION) |
2304 |
return("SSLv2"); |
2305 |
else |
2306 |
return("unknown"); |
2307 |
} |
2308 |
|
2309 |
SSL *SSL_dup(SSL *s) |
2310 |
{ |
2311 |
STACK_OF(X509_NAME) *sk; |
2312 |
X509_NAME *xn; |
2313 |
SSL *ret; |
2314 |
int i; |
2315 |
|
2316 |
if ((ret=SSL_new(SSL_get_SSL_CTX(s))) == NULL) |
2317 |
return(NULL); |
2318 |
|
2319 |
ret->version = s->version; |
2320 |
ret->type = s->type; |
2321 |
ret->method = s->method; |
2322 |
|
2323 |
if (s->session != NULL) |
2324 |
{ |
2325 |
/* This copies session-id, SSL_METHOD, sid_ctx, and 'cert' */ |
2326 |
SSL_copy_session_id(ret,s); |
2327 |
} |
2328 |
else |
2329 |
{ |
2330 |
/* No session has been established yet, so we have to expect |
2331 |
* that s->cert or ret->cert will be changed later -- |
2332 |
* they should not both point to the same object, |
2333 |
* and thus we can't use SSL_copy_session_id. */ |
2334 |
|
2335 |
ret->method->ssl_free(ret); |
2336 |
ret->method = s->method; |
2337 |
ret->method->ssl_new(ret); |
2338 |
|
2339 |
if (s->cert != NULL) |
2340 |
{ |
2341 |
if (ret->cert != NULL) |
2342 |
{ |
2343 |
ssl_cert_free(ret->cert); |
2344 |
} |
2345 |
ret->cert = ssl_cert_dup(s->cert); |
2346 |
if (ret->cert == NULL) |
2347 |
goto err; |
2348 |
} |
2349 |
|
2350 |
SSL_set_session_id_context(ret, |
2351 |
s->sid_ctx, s->sid_ctx_length); |
2352 |
} |
2353 |
|
2354 |
ret->options=s->options; |
2355 |
ret->mode=s->mode; |
2356 |
SSL_set_max_cert_list(ret,SSL_get_max_cert_list(s)); |
2357 |
SSL_set_read_ahead(ret,SSL_get_read_ahead(s)); |
2358 |
ret->msg_callback = s->msg_callback; |
2359 |
ret->msg_callback_arg = s->msg_callback_arg; |
2360 |
SSL_set_verify(ret,SSL_get_verify_mode(s), |
2361 |
SSL_get_verify_callback(s)); |
2362 |
SSL_set_verify_depth(ret,SSL_get_verify_depth(s)); |
2363 |
ret->generate_session_id = s->generate_session_id; |
2364 |
|
2365 |
SSL_set_info_callback(ret,SSL_get_info_callback(s)); |
2366 |
|
2367 |
ret->debug=s->debug; |
2368 |
|
2369 |
/* copy app data, a little dangerous perhaps */ |
2370 |
if (!CRYPTO_dup_ex_data(CRYPTO_EX_INDEX_SSL, &ret->ex_data, &s->ex_data)) |
2371 |
goto err; |
2372 |
|
2373 |
/* setup rbio, and wbio */ |
2374 |
if (s->rbio != NULL) |
2375 |
{ |
2376 |
if (!BIO_dup_state(s->rbio,(char *)&ret->rbio)) |
2377 |
goto err; |
2378 |
} |
2379 |
if (s->wbio != NULL) |
2380 |
{ |
2381 |
if (s->wbio != s->rbio) |
2382 |
{ |
2383 |
if (!BIO_dup_state(s->wbio,(char *)&ret->wbio)) |
2384 |
goto err; |
2385 |
} |
2386 |
else |
2387 |
ret->wbio=ret->rbio; |
2388 |
} |
2389 |
ret->rwstate = s->rwstate; |
2390 |
ret->in_handshake = s->in_handshake; |
2391 |
ret->handshake_func = s->handshake_func; |
2392 |
ret->server = s->server; |
2393 |
ret->new_session = s->new_session; |
2394 |
ret->quiet_shutdown = s->quiet_shutdown; |
2395 |
ret->shutdown=s->shutdown; |
2396 |
ret->state=s->state; /* SSL_dup does not really work at any state, though */ |
2397 |
ret->rstate=s->rstate; |
2398 |
ret->init_num = 0; /* would have to copy ret->init_buf, ret->init_msg, ret->init_num, ret->init_off */ |
2399 |
ret->hit=s->hit; |
2400 |
|
2401 |
X509_VERIFY_PARAM_inherit(ret->param, s->param); |
2402 |
|
2403 |
/* dup the cipher_list and cipher_list_by_id stacks */ |
2404 |
if (s->cipher_list != NULL) |
2405 |
{ |
2406 |
if ((ret->cipher_list=sk_SSL_CIPHER_dup(s->cipher_list)) == NULL) |
2407 |
goto err; |
2408 |
} |
2409 |
if (s->cipher_list_by_id != NULL) |
2410 |
if ((ret->cipher_list_by_id=sk_SSL_CIPHER_dup(s->cipher_list_by_id)) |
2411 |
== NULL) |
2412 |
goto err; |
2413 |
|
2414 |
/* Dup the client_CA list */ |
2415 |
if (s->client_CA != NULL) |
2416 |
{ |
2417 |
if ((sk=sk_X509_NAME_dup(s->client_CA)) == NULL) goto err; |
2418 |
ret->client_CA=sk; |
2419 |
for (i=0; i<sk_X509_NAME_num(sk); i++) |
2420 |
{ |
2421 |
xn=sk_X509_NAME_value(sk,i); |
2422 |
if (sk_X509_NAME_set(sk,i,X509_NAME_dup(xn)) == NULL) |
2423 |
{ |
2424 |
X509_NAME_free(xn); |
2425 |
goto err; |
2426 |
} |
2427 |
} |
2428 |
} |
2429 |
|
2430 |
if (0) |
2431 |
{ |
2432 |
err: |
2433 |
if (ret != NULL) SSL_free(ret); |
2434 |
ret=NULL; |
2435 |
} |
2436 |
return(ret); |
2437 |
} |
2438 |
|
2439 |
void ssl_clear_cipher_ctx(SSL *s) |
2440 |
{ |
2441 |
if (s->enc_read_ctx != NULL) |
2442 |
{ |
2443 |
EVP_CIPHER_CTX_cleanup(s->enc_read_ctx); |
2444 |
OPENSSL_free(s->enc_read_ctx); |
2445 |
s->enc_read_ctx=NULL; |
2446 |
} |
2447 |
if (s->enc_write_ctx != NULL) |
2448 |
{ |
2449 |
EVP_CIPHER_CTX_cleanup(s->enc_write_ctx); |
2450 |
OPENSSL_free(s->enc_write_ctx); |
2451 |
s->enc_write_ctx=NULL; |
2452 |
} |
2453 |
#ifndef OPENSSL_NO_COMP |
2454 |
if (s->expand != NULL) |
2455 |
{ |
2456 |
COMP_CTX_free(s->expand); |
2457 |
s->expand=NULL; |
2458 |
} |
2459 |
if (s->compress != NULL) |
2460 |
{ |
2461 |
COMP_CTX_free(s->compress); |
2462 |
s->compress=NULL; |
2463 |
} |
2464 |
#endif |
2465 |
} |
2466 |
|
2467 |
/* Fix this function so that it takes an optional type parameter */ |
2468 |
X509 *SSL_get_certificate(const SSL *s) |
2469 |
{ |
2470 |
if (s->cert != NULL) |
2471 |
return(s->cert->key->x509); |
2472 |
else |
2473 |
return(NULL); |
2474 |
} |
2475 |
|
2476 |
/* Fix this function so that it takes an optional type parameter */ |
2477 |
EVP_PKEY *SSL_get_privatekey(SSL *s) |
2478 |
{ |
2479 |
if (s->cert != NULL) |
2480 |
return(s->cert->key->privatekey); |
2481 |
else |
2482 |
return(NULL); |
2483 |
} |
2484 |
|
2485 |
SSL_CIPHER *SSL_get_current_cipher(const SSL *s) |
2486 |
{ |
2487 |
if ((s->session != NULL) && (s->session->cipher != NULL)) |
2488 |
return(s->session->cipher); |
2489 |
return(NULL); |
2490 |
} |
2491 |
#ifdef OPENSSL_NO_COMP |
2492 |
const void *SSL_get_current_compression(SSL *s) |
2493 |
{ |
2494 |
return NULL; |
2495 |
} |
2496 |
const void *SSL_get_current_expansion(SSL *s) |
2497 |
{ |
2498 |
return NULL; |
2499 |
} |
2500 |
#else |
2501 |
|
2502 |
const COMP_METHOD *SSL_get_current_compression(SSL *s) |
2503 |
{ |
2504 |
if (s->compress != NULL) |
2505 |
return(s->compress->meth); |
2506 |
return(NULL); |
2507 |
} |
2508 |
|
2509 |
const COMP_METHOD *SSL_get_current_expansion(SSL *s) |
2510 |
{ |
2511 |
if (s->expand != NULL) |
2512 |
return(s->expand->meth); |
2513 |
return(NULL); |
2514 |
} |
2515 |
#endif |
2516 |
|
2517 |
int ssl_init_wbio_buffer(SSL *s,int push) |
2518 |
{ |
2519 |
BIO *bbio; |
2520 |
|
2521 |
if (s->bbio == NULL) |
2522 |
{ |
2523 |
bbio=BIO_new(BIO_f_buffer()); |
2524 |
if (bbio == NULL) return(0); |
2525 |
s->bbio=bbio; |
2526 |
} |
2527 |
else |
2528 |
{ |
2529 |
bbio=s->bbio; |
2530 |
if (s->bbio == s->wbio) |
2531 |
s->wbio=BIO_pop(s->wbio); |
2532 |
} |
2533 |
(void)BIO_reset(bbio); |
2534 |
/* if (!BIO_set_write_buffer_size(bbio,16*1024)) */ |
2535 |
if (!BIO_set_read_buffer_size(bbio,1)) |
2536 |
{ |
2537 |
SSLerr(SSL_F_SSL_INIT_WBIO_BUFFER,ERR_R_BUF_LIB); |
2538 |
return(0); |
2539 |
} |
2540 |
if (push) |
2541 |
{ |
2542 |
if (s->wbio != bbio) |
2543 |
s->wbio=BIO_push(bbio,s->wbio); |
2544 |
} |
2545 |
else |
2546 |
{ |
2547 |
if (s->wbio == bbio) |
2548 |
s->wbio=BIO_pop(bbio); |
2549 |
} |
2550 |
return(1); |
2551 |
} |
2552 |
|
2553 |
void ssl_free_wbio_buffer(SSL *s) |
2554 |
{ |
2555 |
if (s->bbio == NULL) return; |
2556 |
|
2557 |
if (s->bbio == s->wbio) |
2558 |
{ |
2559 |
/* remove buffering */ |
2560 |
s->wbio=BIO_pop(s->wbio); |
2561 |
#ifdef REF_CHECK /* not the usual REF_CHECK, but this avoids adding one more preprocessor symbol */ |
2562 |
assert(s->wbio != NULL); |
2563 |
#endif |
2564 |
} |
2565 |
BIO_free(s->bbio); |
2566 |
s->bbio=NULL; |
2567 |
} |
2568 |
|
2569 |
void SSL_CTX_set_quiet_shutdown(SSL_CTX *ctx,int mode) |
2570 |
{ |
2571 |
ctx->quiet_shutdown=mode; |
2572 |
} |
2573 |
|
2574 |
int SSL_CTX_get_quiet_shutdown(const SSL_CTX *ctx) |
2575 |
{ |
2576 |
return(ctx->quiet_shutdown); |
2577 |
} |
2578 |
|
2579 |
void SSL_set_quiet_shutdown(SSL *s,int mode) |
2580 |
{ |
2581 |
s->quiet_shutdown=mode; |
2582 |
} |
2583 |
|
2584 |
int SSL_get_quiet_shutdown(const SSL *s) |
2585 |
{ |
2586 |
return(s->quiet_shutdown); |
2587 |
} |
2588 |
|
2589 |
void SSL_set_shutdown(SSL *s,int mode) |
2590 |
{ |
2591 |
s->shutdown=mode; |
2592 |
} |
2593 |
|
2594 |
int SSL_get_shutdown(const SSL *s) |
2595 |
{ |
2596 |
return(s->shutdown); |
2597 |
} |
2598 |
|
2599 |
int SSL_version(const SSL *s) |
2600 |
{ |
2601 |
return(s->version); |
2602 |
} |
2603 |
|
2604 |
SSL_CTX *SSL_get_SSL_CTX(const SSL *ssl) |
2605 |
{ |
2606 |
return(ssl->ctx); |
2607 |
} |
2608 |
|
2609 |
SSL_CTX *SSL_set_SSL_CTX(SSL *ssl, SSL_CTX* ctx) |
2610 |
{ |
2611 |
if (ssl->ctx == ctx) |
2612 |
return ssl->ctx; |
2613 |
#ifndef OPENSSL_NO_TLSEXT |
2614 |
if (ctx == NULL) |
2615 |
ctx = ssl->initial_ctx; |
2616 |
#endif |
2617 |
if (ssl->cert != NULL) |
2618 |
ssl_cert_free(ssl->cert); |
2619 |
ssl->cert = ssl_cert_dup(ctx->cert); |
2620 |
CRYPTO_add(&ctx->references,1,CRYPTO_LOCK_SSL_CTX); |
2621 |
if (ssl->ctx != NULL) |
2622 |
SSL_CTX_free(ssl->ctx); /* decrement reference count */ |
2623 |
ssl->ctx = ctx; |
2624 |
return(ssl->ctx); |
2625 |
} |
2626 |
|
2627 |
#ifndef OPENSSL_NO_STDIO |
2628 |
int SSL_CTX_set_default_verify_paths(SSL_CTX *ctx) |
2629 |
{ |
2630 |
return(X509_STORE_set_default_paths(ctx->cert_store)); |
2631 |
} |
2632 |
|
2633 |
int SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile, |
2634 |
const char *CApath) |
2635 |
{ |
2636 |
return(X509_STORE_load_locations(ctx->cert_store,CAfile,CApath)); |
2637 |
} |
2638 |
#endif |
2639 |
|
2640 |
void SSL_set_info_callback(SSL *ssl, |
2641 |
void (*cb)(const SSL *ssl,int type,int val)) |
2642 |
{ |
2643 |
ssl->info_callback=cb; |
2644 |
} |
2645 |
|
2646 |
/* One compiler (Diab DCC) doesn't like argument names in returned |
2647 |
function pointer. */ |
2648 |
void (*SSL_get_info_callback(const SSL *ssl))(const SSL * /*ssl*/,int /*type*/,int /*val*/) |
2649 |
{ |
2650 |
return ssl->info_callback; |
2651 |
} |
2652 |
|
2653 |
int SSL_state(const SSL *ssl) |
2654 |
{ |
2655 |
return(ssl->state); |
2656 |
} |
2657 |
|
2658 |
void SSL_set_verify_result(SSL *ssl,long arg) |
2659 |
{ |
2660 |
ssl->verify_result=arg; |
2661 |
} |
2662 |
|
2663 |
long SSL_get_verify_result(const SSL *ssl) |
2664 |
{ |
2665 |
return(ssl->verify_result); |
2666 |
} |
2667 |
|
2668 |
int SSL_get_ex_new_index(long argl,void *argp,CRYPTO_EX_new *new_func, |
2669 |
CRYPTO_EX_dup *dup_func,CRYPTO_EX_free *free_func) |
2670 |
{ |
2671 |
return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_SSL, argl, argp, |
2672 |
new_func, dup_func, free_func); |
2673 |
} |
2674 |
|
2675 |
int SSL_set_ex_data(SSL *s,int idx,void *arg) |
2676 |
{ |
2677 |
return(CRYPTO_set_ex_data(&s->ex_data,idx,arg)); |
2678 |
} |
2679 |
|
2680 |
void *SSL_get_ex_data(const SSL *s,int idx) |
2681 |
{ |
2682 |
return(CRYPTO_get_ex_data(&s->ex_data,idx)); |
2683 |
} |
2684 |
|
2685 |
int SSL_CTX_get_ex_new_index(long argl,void *argp,CRYPTO_EX_new *new_func, |
2686 |
CRYPTO_EX_dup *dup_func,CRYPTO_EX_free *free_func) |
2687 |
{ |
2688 |
return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_SSL_CTX, argl, argp, |
2689 |
new_func, dup_func, free_func); |
2690 |
} |
2691 |
|
2692 |
int SSL_CTX_set_ex_data(SSL_CTX *s,int idx,void *arg) |
2693 |
{ |
2694 |
return(CRYPTO_set_ex_data(&s->ex_data,idx,arg)); |
2695 |
} |
2696 |
|
2697 |
void *SSL_CTX_get_ex_data(const SSL_CTX *s,int idx) |
2698 |
{ |
2699 |
return(CRYPTO_get_ex_data(&s->ex_data,idx)); |
2700 |
} |
2701 |
|
2702 |
int ssl_ok(SSL *s) |
2703 |
{ |
2704 |
return(1); |
2705 |
} |
2706 |
|
2707 |
X509_STORE *SSL_CTX_get_cert_store(const SSL_CTX *ctx) |
2708 |
{ |
2709 |
return(ctx->cert_store); |
2710 |
} |
2711 |
|
2712 |
void SSL_CTX_set_cert_store(SSL_CTX *ctx,X509_STORE *store) |
2713 |
{ |
2714 |
if (ctx->cert_store != NULL) |
2715 |
X509_STORE_free(ctx->cert_store); |
2716 |
ctx->cert_store=store; |
2717 |
} |
2718 |
|
2719 |
int SSL_want(const SSL *s) |
2720 |
{ |
2721 |
return(s->rwstate); |
2722 |
} |
2723 |
|
2724 |
/*! |
2725 |
* \brief Set the callback for generating temporary RSA keys. |
2726 |
* \param ctx the SSL context. |
2727 |
* \param cb the callback |
2728 |
*/ |
2729 |
|
2730 |
#ifndef OPENSSL_NO_RSA |
2731 |
void SSL_CTX_set_tmp_rsa_callback(SSL_CTX *ctx,RSA *(*cb)(SSL *ssl, |
2732 |
int is_export, |
2733 |
int keylength)) |
2734 |
{ |
2735 |
SSL_CTX_callback_ctrl(ctx,SSL_CTRL_SET_TMP_RSA_CB,(void (*)(void))cb); |
2736 |
} |
2737 |
|
2738 |
void SSL_set_tmp_rsa_callback(SSL *ssl,RSA *(*cb)(SSL *ssl, |
2739 |
int is_export, |
2740 |
int keylength)) |
2741 |
{ |
2742 |
SSL_callback_ctrl(ssl,SSL_CTRL_SET_TMP_RSA_CB,(void (*)(void))cb); |
2743 |
} |
2744 |
#endif |
2745 |
|
2746 |
#ifdef DOXYGEN |
2747 |
/*! |
2748 |
* \brief The RSA temporary key callback function. |
2749 |
* \param ssl the SSL session. |
2750 |
* \param is_export \c TRUE if the temp RSA key is for an export ciphersuite. |
2751 |
* \param keylength if \c is_export is \c TRUE, then \c keylength is the size |
2752 |
* of the required key in bits. |
2753 |
* \return the temporary RSA key. |
2754 |
* \sa SSL_CTX_set_tmp_rsa_callback, SSL_set_tmp_rsa_callback |
2755 |
*/ |
2756 |
|
2757 |
RSA *cb(SSL *ssl,int is_export,int keylength) |
2758 |
{} |
2759 |
#endif |
2760 |
|
2761 |
/*! |
2762 |
* \brief Set the callback for generating temporary DH keys. |
2763 |
* \param ctx the SSL context. |
2764 |
* \param dh the callback |
2765 |
*/ |
2766 |
|
2767 |
#ifndef OPENSSL_NO_DH |
2768 |
void SSL_CTX_set_tmp_dh_callback(SSL_CTX *ctx,DH *(*dh)(SSL *ssl,int is_export, |
2769 |
int keylength)) |
2770 |
{ |
2771 |
SSL_CTX_callback_ctrl(ctx,SSL_CTRL_SET_TMP_DH_CB,(void (*)(void))dh); |
2772 |
} |
2773 |
|
2774 |
void SSL_set_tmp_dh_callback(SSL *ssl,DH *(*dh)(SSL *ssl,int is_export, |
2775 |
int keylength)) |
2776 |
{ |
2777 |
SSL_callback_ctrl(ssl,SSL_CTRL_SET_TMP_DH_CB,(void (*)(void))dh); |
2778 |
} |
2779 |
#endif |
2780 |
|
2781 |
#ifndef OPENSSL_NO_ECDH |
2782 |
void SSL_CTX_set_tmp_ecdh_callback(SSL_CTX *ctx,EC_KEY *(*ecdh)(SSL *ssl,int is_export, |
2783 |
int keylength)) |
2784 |
{ |
2785 |
SSL_CTX_callback_ctrl(ctx,SSL_CTRL_SET_TMP_ECDH_CB,(void (*)(void))ecdh); |
2786 |
} |
2787 |
|
2788 |
void SSL_set_tmp_ecdh_callback(SSL *ssl,EC_KEY *(*ecdh)(SSL *ssl,int is_export, |
2789 |
int keylength)) |
2790 |
{ |
2791 |
SSL_callback_ctrl(ssl,SSL_CTRL_SET_TMP_ECDH_CB,(void (*)(void))ecdh); |
2792 |
} |
2793 |
#endif |
2794 |
|
2795 |
|
2796 |
void SSL_CTX_set_msg_callback(SSL_CTX *ctx, void (*cb)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg)) |
2797 |
{ |
2798 |
SSL_CTX_callback_ctrl(ctx, SSL_CTRL_SET_MSG_CALLBACK, (void (*)(void))cb); |
2799 |
} |
2800 |
void SSL_set_msg_callback(SSL *ssl, void (*cb)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg)) |
2801 |
{ |
2802 |
SSL_callback_ctrl(ssl, SSL_CTRL_SET_MSG_CALLBACK, (void (*)(void))cb); |
2803 |
} |
2804 |
|
2805 |
|
2806 |
|
2807 |
#if defined(_WINDLL) && defined(OPENSSL_SYS_WIN16) |
2808 |
#include "../crypto/bio/bss_file.c" |
2809 |
#endif |
2810 |
|
2811 |
IMPLEMENT_STACK_OF(SSL_CIPHER) |
2812 |
IMPLEMENT_STACK_OF(SSL_COMP) |