ssl_lib.c 59 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964965966967968969970971972973974975976977978979980981982983984985986987988989990991992993994995996997998999100010011002100310041005100610071008100910101011101210131014101510161017101810191020102110221023102410251026102710281029103010311032103310341035103610371038103910401041104210431044104510461047104810491050105110521053105410551056105710581059106010611062106310641065106610671068106910701071107210731074107510761077107810791080108110821083108410851086108710881089109010911092109310941095109610971098109911001101110211031104110511061107110811091110111111121113111411151116111711181119112011211122112311241125112611271128112911301131113211331134113511361137113811391140114111421143114411451146114711481149115011511152115311541155115611571158115911601161116211631164116511661167116811691170117111721173117411751176117711781179118011811182118311841185118611871188118911901191119211931194119511961197119811991200120112021203120412051206120712081209121012111212121312141215121612171218121912201221122212231224122512261227122812291230123112321233123412351236123712381239124012411242124312441245124612471248124912501251125212531254125512561257125812591260126112621263126412651266126712681269127012711272127312741275127612771278127912801281128212831284128512861287128812891290129112921293129412951296129712981299130013011302130313041305130613071308130913101311131213131314131513161317131813191320132113221323132413251326132713281329133013311332133313341335133613371338133913401341134213431344134513461347134813491350135113521353135413551356135713581359136013611362136313641365136613671368136913701371137213731374137513761377137813791380138113821383138413851386138713881389139013911392139313941395139613971398139914001401140214031404140514061407140814091410141114121413141414151416141714181419142014211422142314241425142614271428142914301431143214331434143514361437143814391440144114421443144414451446144714481449145014511452145314541455145614571458145914601461146214631464146514661467146814691470147114721473147414751476147714781479148014811482148314841485148614871488148914901491149214931494149514961497149814991500150115021503150415051506150715081509151015111512151315141515151615171518151915201521152215231524152515261527152815291530153115321533153415351536153715381539154015411542154315441545154615471548154915501551155215531554155515561557155815591560156115621563156415651566156715681569157015711572157315741575157615771578157915801581158215831584158515861587158815891590159115921593159415951596159715981599160016011602160316041605160616071608160916101611161216131614161516161617161816191620162116221623162416251626162716281629163016311632163316341635163616371638163916401641164216431644164516461647164816491650165116521653165416551656165716581659166016611662166316641665166616671668166916701671167216731674167516761677167816791680168116821683168416851686168716881689169016911692169316941695169616971698169917001701170217031704170517061707170817091710171117121713171417151716171717181719172017211722172317241725172617271728172917301731173217331734173517361737173817391740174117421743174417451746174717481749175017511752175317541755175617571758175917601761176217631764176517661767176817691770177117721773177417751776177717781779178017811782178317841785178617871788178917901791179217931794179517961797179817991800180118021803180418051806180718081809181018111812181318141815181618171818181918201821182218231824182518261827182818291830183118321833183418351836183718381839184018411842184318441845184618471848184918501851185218531854185518561857185818591860186118621863186418651866186718681869187018711872187318741875187618771878187918801881188218831884188518861887188818891890189118921893189418951896189718981899190019011902190319041905190619071908190919101911191219131914191519161917191819191920192119221923192419251926192719281929193019311932193319341935193619371938193919401941194219431944194519461947194819491950195119521953195419551956195719581959196019611962196319641965196619671968196919701971197219731974197519761977197819791980198119821983198419851986198719881989199019911992199319941995199619971998199920002001200220032004200520062007200820092010201120122013201420152016201720182019202020212022202320242025202620272028202920302031203220332034203520362037203820392040204120422043204420452046204720482049205020512052205320542055205620572058205920602061206220632064206520662067206820692070207120722073207420752076207720782079208020812082208320842085208620872088208920902091209220932094209520962097209820992100210121022103210421052106210721082109211021112112211321142115211621172118211921202121212221232124212521262127212821292130213121322133213421352136213721382139214021412142214321442145214621472148214921502151215221532154215521562157215821592160216121622163216421652166216721682169217021712172217321742175217621772178217921802181218221832184218521862187218821892190219121922193219421952196219721982199220022012202220322042205220622072208220922102211221222132214221522162217221822192220222122222223222422252226222722282229223022312232223322342235223622372238223922402241224222432244224522462247224822492250225122522253225422552256225722582259226022612262226322642265226622672268226922702271227222732274227522762277227822792280228122822283228422852286228722882289229022912292229322942295229622972298229923002301230223032304230523062307230823092310231123122313231423152316231723182319232023212322232323242325232623272328232923302331233223332334233523362337233823392340234123422343234423452346234723482349235023512352235323542355235623572358235923602361236223632364236523662367236823692370237123722373237423752376237723782379238023812382238323842385238623872388238923902391239223932394239523962397239823992400240124022403240424052406240724082409241024112412241324142415241624172418241924202421242224232424242524262427242824292430243124322433243424352436243724382439244024412442244324442445244624472448244924502451245224532454245524562457245824592460246124622463246424652466246724682469247024712472247324742475247624772478247924802481248224832484248524862487248824892490249124922493249424952496249724982499
  1. /*! \file ssl/ssl_lib.c
  2. * \brief Version independent SSL functions.
  3. */
  4. /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  5. * All rights reserved.
  6. *
  7. * This package is an SSL implementation written
  8. * by Eric Young (eay@cryptsoft.com).
  9. * The implementation was written so as to conform with Netscapes SSL.
  10. *
  11. * This library is free for commercial and non-commercial use as long as
  12. * the following conditions are aheared to. The following conditions
  13. * apply to all code found in this distribution, be it the RC4, RSA,
  14. * lhash, DES, etc., code; not just the SSL code. The SSL documentation
  15. * included with this distribution is covered by the same copyright terms
  16. * except that the holder is Tim Hudson (tjh@cryptsoft.com).
  17. *
  18. * Copyright remains Eric Young's, and as such any Copyright notices in
  19. * the code are not to be removed.
  20. * If this package is used in a product, Eric Young should be given attribution
  21. * as the author of the parts of the library used.
  22. * This can be in the form of a textual message at program startup or
  23. * in documentation (online or textual) provided with the package.
  24. *
  25. * Redistribution and use in source and binary forms, with or without
  26. * modification, are permitted provided that the following conditions
  27. * are met:
  28. * 1. Redistributions of source code must retain the copyright
  29. * notice, this list of conditions and the following disclaimer.
  30. * 2. Redistributions in binary form must reproduce the above copyright
  31. * notice, this list of conditions and the following disclaimer in the
  32. * documentation and/or other materials provided with the distribution.
  33. * 3. All advertising materials mentioning features or use of this software
  34. * must display the following acknowledgement:
  35. * "This product includes cryptographic software written by
  36. * Eric Young (eay@cryptsoft.com)"
  37. * The word 'cryptographic' can be left out if the rouines from the library
  38. * being used are not cryptographic related :-).
  39. * 4. If you include any Windows specific code (or a derivative thereof) from
  40. * the apps directory (application code) you must include an acknowledgement:
  41. * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
  42. *
  43. * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
  44. * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  45. * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  46. * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
  47. * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  48. * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  49. * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  50. * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  51. * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  52. * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  53. * SUCH DAMAGE.
  54. *
  55. * The licence and distribution terms for any publically available version or
  56. * derivative of this code cannot be changed. i.e. this code cannot simply be
  57. * copied and put under another distribution licence
  58. * [including the GNU Public Licence.]
  59. */
  60. /* ====================================================================
  61. * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved.
  62. *
  63. * Redistribution and use in source and binary forms, with or without
  64. * modification, are permitted provided that the following conditions
  65. * are met:
  66. *
  67. * 1. Redistributions of source code must retain the above copyright
  68. * notice, this list of conditions and the following disclaimer.
  69. *
  70. * 2. Redistributions in binary form must reproduce the above copyright
  71. * notice, this list of conditions and the following disclaimer in
  72. * the documentation and/or other materials provided with the
  73. * distribution.
  74. *
  75. * 3. All advertising materials mentioning features or use of this
  76. * software must display the following acknowledgment:
  77. * "This product includes software developed by the OpenSSL Project
  78. * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
  79. *
  80. * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
  81. * endorse or promote products derived from this software without
  82. * prior written permission. For written permission, please contact
  83. * openssl-core@openssl.org.
  84. *
  85. * 5. Products derived from this software may not be called "OpenSSL"
  86. * nor may "OpenSSL" appear in their names without prior written
  87. * permission of the OpenSSL Project.
  88. *
  89. * 6. Redistributions of any form whatsoever must retain the following
  90. * acknowledgment:
  91. * "This product includes software developed by the OpenSSL Project
  92. * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
  93. *
  94. * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
  95. * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  96. * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
  97. * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
  98. * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
  99. * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
  100. * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
  101. * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  102. * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
  103. * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
  104. * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
  105. * OF THE POSSIBILITY OF SUCH DAMAGE.
  106. * ====================================================================
  107. *
  108. * This product includes cryptographic software written by Eric Young
  109. * (eay@cryptsoft.com). This product includes software written by Tim
  110. * Hudson (tjh@cryptsoft.com).
  111. *
  112. */
  113. /* ====================================================================
  114. * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
  115. * ECC cipher suite support in OpenSSL originally developed by
  116. * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
  117. */
  118. #ifdef REF_CHECK
  119. # include <assert.h>
  120. #endif
  121. #include <stdio.h>
  122. #include "ssl_locl.h"
  123. #include "kssl_lcl.h"
  124. #include <openssl/objects.h>
  125. #include <openssl/lhash.h>
  126. #include <openssl/x509v3.h>
  127. #include <openssl/dh.h>
  128. const char *SSL_version_str=OPENSSL_VERSION_TEXT;
  129. OPENSSL_GLOBAL SSL3_ENC_METHOD ssl3_undef_enc_method={
  130. /* evil casts, but these functions are only called if there's a library bug */
  131. (int (*)(SSL *,int))ssl_undefined_function,
  132. (int (*)(SSL *, unsigned char *, int))ssl_undefined_function,
  133. ssl_undefined_function,
  134. (int (*)(SSL *, unsigned char *, unsigned char *, int))ssl_undefined_function,
  135. (int (*)(SSL*, int))ssl_undefined_function,
  136. (int (*)(SSL *, EVP_MD_CTX *, EVP_MD_CTX *, const char*, int, unsigned char *))ssl_undefined_function
  137. };
  138. int SSL_clear(SSL *s)
  139. {
  140. if (s->method == NULL)
  141. {
  142. SSLerr(SSL_F_SSL_CLEAR,SSL_R_NO_METHOD_SPECIFIED);
  143. return(0);
  144. }
  145. if (ssl_clear_bad_session(s))
  146. {
  147. SSL_SESSION_free(s->session);
  148. s->session=NULL;
  149. }
  150. s->error=0;
  151. s->hit=0;
  152. s->shutdown=0;
  153. #if 0 /* Disabled since version 1.10 of this file (early return not
  154. * needed because SSL_clear is not called when doing renegotiation) */
  155. /* This is set if we are doing dynamic renegotiation so keep
  156. * the old cipher. It is sort of a SSL_clear_lite :-) */
  157. if (s->new_session) return(1);
  158. #else
  159. if (s->new_session)
  160. {
  161. SSLerr(SSL_F_SSL_CLEAR,ERR_R_INTERNAL_ERROR);
  162. return 0;
  163. }
  164. #endif
  165. s->type=0;
  166. s->state=SSL_ST_BEFORE|((s->server)?SSL_ST_ACCEPT:SSL_ST_CONNECT);
  167. s->version=s->method->version;
  168. s->client_version=s->version;
  169. s->rwstate=SSL_NOTHING;
  170. s->rstate=SSL_ST_READ_HEADER;
  171. #if 0
  172. s->read_ahead=s->ctx->read_ahead;
  173. #endif
  174. if (s->init_buf != NULL)
  175. {
  176. BUF_MEM_free(s->init_buf);
  177. s->init_buf=NULL;
  178. }
  179. ssl_clear_cipher_ctx(s);
  180. s->first_packet=0;
  181. #if 1
  182. /* Check to see if we were changed into a different method, if
  183. * so, revert back if we are not doing session-id reuse. */
  184. if (!s->in_handshake && (s->session == NULL) && (s->method != s->ctx->method))
  185. {
  186. s->method->ssl_free(s);
  187. s->method=s->ctx->method;
  188. if (!s->method->ssl_new(s))
  189. return(0);
  190. }
  191. else
  192. #endif
  193. s->method->ssl_clear(s);
  194. return(1);
  195. }
  196. /** Used to change an SSL_CTXs default SSL method type */
  197. int SSL_CTX_set_ssl_version(SSL_CTX *ctx,SSL_METHOD *meth)
  198. {
  199. STACK_OF(SSL_CIPHER) *sk;
  200. ctx->method=meth;
  201. sk=ssl_create_cipher_list(ctx->method,&(ctx->cipher_list),
  202. &(ctx->cipher_list_by_id),SSL_DEFAULT_CIPHER_LIST);
  203. if ((sk == NULL) || (sk_SSL_CIPHER_num(sk) <= 0))
  204. {
  205. SSLerr(SSL_F_SSL_CTX_SET_SSL_VERSION,SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS);
  206. return(0);
  207. }
  208. return(1);
  209. }
  210. SSL *SSL_new(SSL_CTX *ctx)
  211. {
  212. SSL *s;
  213. if (ctx == NULL)
  214. {
  215. SSLerr(SSL_F_SSL_NEW,SSL_R_NULL_SSL_CTX);
  216. return(NULL);
  217. }
  218. if (ctx->method == NULL)
  219. {
  220. SSLerr(SSL_F_SSL_NEW,SSL_R_SSL_CTX_HAS_NO_DEFAULT_SSL_VERSION);
  221. return(NULL);
  222. }
  223. s=(SSL *)OPENSSL_malloc(sizeof(SSL));
  224. if (s == NULL) goto err;
  225. memset(s,0,sizeof(SSL));
  226. #ifndef OPENSSL_NO_KRB5
  227. s->kssl_ctx = kssl_ctx_new();
  228. #endif /* OPENSSL_NO_KRB5 */
  229. s->options=ctx->options;
  230. s->mode=ctx->mode;
  231. s->max_cert_list=ctx->max_cert_list;
  232. if (ctx->cert != NULL)
  233. {
  234. /* Earlier library versions used to copy the pointer to
  235. * the CERT, not its contents; only when setting new
  236. * parameters for the per-SSL copy, ssl_cert_new would be
  237. * called (and the direct reference to the per-SSL_CTX
  238. * settings would be lost, but those still were indirectly
  239. * accessed for various purposes, and for that reason they
  240. * used to be known as s->ctx->default_cert).
  241. * Now we don't look at the SSL_CTX's CERT after having
  242. * duplicated it once. */
  243. s->cert = ssl_cert_dup(ctx->cert);
  244. if (s->cert == NULL)
  245. goto err;
  246. }
  247. else
  248. s->cert=NULL; /* Cannot really happen (see SSL_CTX_new) */
  249. s->read_ahead=ctx->read_ahead;
  250. s->msg_callback=ctx->msg_callback;
  251. s->msg_callback_arg=ctx->msg_callback_arg;
  252. s->verify_mode=ctx->verify_mode;
  253. s->verify_depth=ctx->verify_depth;
  254. s->sid_ctx_length=ctx->sid_ctx_length;
  255. OPENSSL_assert(s->sid_ctx_length <= sizeof s->sid_ctx);
  256. memcpy(&s->sid_ctx,&ctx->sid_ctx,sizeof(s->sid_ctx));
  257. s->verify_callback=ctx->default_verify_callback;
  258. s->generate_session_id=ctx->generate_session_id;
  259. s->purpose = ctx->purpose;
  260. s->trust = ctx->trust;
  261. s->quiet_shutdown=ctx->quiet_shutdown;
  262. CRYPTO_add(&ctx->references,1,CRYPTO_LOCK_SSL_CTX);
  263. s->ctx=ctx;
  264. s->verify_result=X509_V_OK;
  265. s->method=ctx->method;
  266. if (!s->method->ssl_new(s))
  267. goto err;
  268. s->references=1;
  269. s->server=(ctx->method->ssl_accept == ssl_undefined_function)?0:1;
  270. SSL_clear(s);
  271. CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL, s, &s->ex_data);
  272. return(s);
  273. err:
  274. if (s != NULL)
  275. {
  276. if (s->cert != NULL)
  277. ssl_cert_free(s->cert);
  278. if (s->ctx != NULL)
  279. SSL_CTX_free(s->ctx); /* decrement reference count */
  280. OPENSSL_free(s);
  281. }
  282. SSLerr(SSL_F_SSL_NEW,ERR_R_MALLOC_FAILURE);
  283. return(NULL);
  284. }
  285. int SSL_CTX_set_session_id_context(SSL_CTX *ctx,const unsigned char *sid_ctx,
  286. unsigned int sid_ctx_len)
  287. {
  288. if(sid_ctx_len > sizeof ctx->sid_ctx)
  289. {
  290. SSLerr(SSL_F_SSL_CTX_SET_SESSION_ID_CONTEXT,SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG);
  291. return 0;
  292. }
  293. ctx->sid_ctx_length=sid_ctx_len;
  294. memcpy(ctx->sid_ctx,sid_ctx,sid_ctx_len);
  295. return 1;
  296. }
  297. int SSL_set_session_id_context(SSL *ssl,const unsigned char *sid_ctx,
  298. unsigned int sid_ctx_len)
  299. {
  300. if(sid_ctx_len > SSL_MAX_SID_CTX_LENGTH)
  301. {
  302. SSLerr(SSL_F_SSL_SET_SESSION_ID_CONTEXT,SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG);
  303. return 0;
  304. }
  305. ssl->sid_ctx_length=sid_ctx_len;
  306. memcpy(ssl->sid_ctx,sid_ctx,sid_ctx_len);
  307. return 1;
  308. }
  309. int SSL_CTX_set_generate_session_id(SSL_CTX *ctx, GEN_SESSION_CB cb)
  310. {
  311. CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
  312. ctx->generate_session_id = cb;
  313. CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
  314. return 1;
  315. }
  316. int SSL_set_generate_session_id(SSL *ssl, GEN_SESSION_CB cb)
  317. {
  318. CRYPTO_w_lock(CRYPTO_LOCK_SSL);
  319. ssl->generate_session_id = cb;
  320. CRYPTO_w_unlock(CRYPTO_LOCK_SSL);
  321. return 1;
  322. }
  323. int SSL_has_matching_session_id(const SSL *ssl, const unsigned char *id,
  324. unsigned int id_len)
  325. {
  326. /* A quick examination of SSL_SESSION_hash and SSL_SESSION_cmp shows how
  327. * we can "construct" a session to give us the desired check - ie. to
  328. * find if there's a session in the hash table that would conflict with
  329. * any new session built out of this id/id_len and the ssl_version in
  330. * use by this SSL. */
  331. SSL_SESSION r, *p;
  332. if(id_len > sizeof r.session_id)
  333. return 0;
  334. r.ssl_version = ssl->version;
  335. r.session_id_length = id_len;
  336. memcpy(r.session_id, id, id_len);
  337. /* NB: SSLv2 always uses a fixed 16-byte session ID, so even if a
  338. * callback is calling us to check the uniqueness of a shorter ID, it
  339. * must be compared as a padded-out ID because that is what it will be
  340. * converted to when the callback has finished choosing it. */
  341. if((r.ssl_version == SSL2_VERSION) &&
  342. (id_len < SSL2_SSL_SESSION_ID_LENGTH))
  343. {
  344. memset(r.session_id + id_len, 0,
  345. SSL2_SSL_SESSION_ID_LENGTH - id_len);
  346. r.session_id_length = SSL2_SSL_SESSION_ID_LENGTH;
  347. }
  348. CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX);
  349. p = (SSL_SESSION *)lh_retrieve(ssl->ctx->sessions, &r);
  350. CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX);
  351. return (p != NULL);
  352. }
  353. int SSL_CTX_set_purpose(SSL_CTX *s, int purpose)
  354. {
  355. return X509_PURPOSE_set(&s->purpose, purpose);
  356. }
  357. int SSL_set_purpose(SSL *s, int purpose)
  358. {
  359. return X509_PURPOSE_set(&s->purpose, purpose);
  360. }
  361. int SSL_CTX_set_trust(SSL_CTX *s, int trust)
  362. {
  363. return X509_TRUST_set(&s->trust, trust);
  364. }
  365. int SSL_set_trust(SSL *s, int trust)
  366. {
  367. return X509_TRUST_set(&s->trust, trust);
  368. }
  369. void SSL_free(SSL *s)
  370. {
  371. int i;
  372. if(s == NULL)
  373. return;
  374. i=CRYPTO_add(&s->references,-1,CRYPTO_LOCK_SSL);
  375. #ifdef REF_PRINT
  376. REF_PRINT("SSL",s);
  377. #endif
  378. if (i > 0) return;
  379. #ifdef REF_CHECK
  380. if (i < 0)
  381. {
  382. fprintf(stderr,"SSL_free, bad reference count\n");
  383. abort(); /* ok */
  384. }
  385. #endif
  386. CRYPTO_free_ex_data(CRYPTO_EX_INDEX_SSL, s, &s->ex_data);
  387. if (s->bbio != NULL)
  388. {
  389. /* If the buffering BIO is in place, pop it off */
  390. if (s->bbio == s->wbio)
  391. {
  392. s->wbio=BIO_pop(s->wbio);
  393. }
  394. BIO_free(s->bbio);
  395. s->bbio=NULL;
  396. }
  397. if (s->rbio != NULL)
  398. BIO_free_all(s->rbio);
  399. if ((s->wbio != NULL) && (s->wbio != s->rbio))
  400. BIO_free_all(s->wbio);
  401. if (s->init_buf != NULL) BUF_MEM_free(s->init_buf);
  402. /* add extra stuff */
  403. if (s->cipher_list != NULL) sk_SSL_CIPHER_free(s->cipher_list);
  404. if (s->cipher_list_by_id != NULL) sk_SSL_CIPHER_free(s->cipher_list_by_id);
  405. /* Make the next call work :-) */
  406. if (s->session != NULL)
  407. {
  408. ssl_clear_bad_session(s);
  409. SSL_SESSION_free(s->session);
  410. }
  411. ssl_clear_cipher_ctx(s);
  412. if (s->cert != NULL) ssl_cert_free(s->cert);
  413. /* Free up if allocated */
  414. if (s->ctx) SSL_CTX_free(s->ctx);
  415. if (s->client_CA != NULL)
  416. sk_X509_NAME_pop_free(s->client_CA,X509_NAME_free);
  417. if (s->method != NULL) s->method->ssl_free(s);
  418. #ifndef OPENSSL_NO_KRB5
  419. if (s->kssl_ctx != NULL)
  420. kssl_ctx_free(s->kssl_ctx);
  421. #endif /* OPENSSL_NO_KRB5 */
  422. OPENSSL_free(s);
  423. }
  424. void SSL_set_bio(SSL *s,BIO *rbio,BIO *wbio)
  425. {
  426. /* If the output buffering BIO is still in place, remove it
  427. */
  428. if (s->bbio != NULL)
  429. {
  430. if (s->wbio == s->bbio)
  431. {
  432. s->wbio=s->wbio->next_bio;
  433. s->bbio->next_bio=NULL;
  434. }
  435. }
  436. if ((s->rbio != NULL) && (s->rbio != rbio))
  437. BIO_free_all(s->rbio);
  438. if ((s->wbio != NULL) && (s->wbio != wbio) && (s->rbio != s->wbio))
  439. BIO_free_all(s->wbio);
  440. s->rbio=rbio;
  441. s->wbio=wbio;
  442. }
  443. BIO *SSL_get_rbio(SSL *s)
  444. { return(s->rbio); }
  445. BIO *SSL_get_wbio(SSL *s)
  446. { return(s->wbio); }
  447. int SSL_get_fd(SSL *s)
  448. {
  449. return(SSL_get_rfd(s));
  450. }
  451. int SSL_get_rfd(SSL *s)
  452. {
  453. int ret= -1;
  454. BIO *b,*r;
  455. b=SSL_get_rbio(s);
  456. r=BIO_find_type(b,BIO_TYPE_DESCRIPTOR);
  457. if (r != NULL)
  458. BIO_get_fd(r,&ret);
  459. return(ret);
  460. }
  461. int SSL_get_wfd(SSL *s)
  462. {
  463. int ret= -1;
  464. BIO *b,*r;
  465. b=SSL_get_wbio(s);
  466. r=BIO_find_type(b,BIO_TYPE_DESCRIPTOR);
  467. if (r != NULL)
  468. BIO_get_fd(r,&ret);
  469. return(ret);
  470. }
  471. #ifndef OPENSSL_NO_SOCK
  472. int SSL_set_fd(SSL *s,int fd)
  473. {
  474. int ret=0;
  475. BIO *bio=NULL;
  476. bio=BIO_new(BIO_s_socket());
  477. if (bio == NULL)
  478. {
  479. SSLerr(SSL_F_SSL_SET_FD,ERR_R_BUF_LIB);
  480. goto err;
  481. }
  482. BIO_set_fd(bio,fd,BIO_NOCLOSE);
  483. SSL_set_bio(s,bio,bio);
  484. ret=1;
  485. err:
  486. return(ret);
  487. }
  488. int SSL_set_wfd(SSL *s,int fd)
  489. {
  490. int ret=0;
  491. BIO *bio=NULL;
  492. if ((s->rbio == NULL) || (BIO_method_type(s->rbio) != BIO_TYPE_SOCKET)
  493. || ((int)BIO_get_fd(s->rbio,NULL) != fd))
  494. {
  495. bio=BIO_new(BIO_s_socket());
  496. if (bio == NULL)
  497. { SSLerr(SSL_F_SSL_SET_WFD,ERR_R_BUF_LIB); goto err; }
  498. BIO_set_fd(bio,fd,BIO_NOCLOSE);
  499. SSL_set_bio(s,SSL_get_rbio(s),bio);
  500. }
  501. else
  502. SSL_set_bio(s,SSL_get_rbio(s),SSL_get_rbio(s));
  503. ret=1;
  504. err:
  505. return(ret);
  506. }
  507. int SSL_set_rfd(SSL *s,int fd)
  508. {
  509. int ret=0;
  510. BIO *bio=NULL;
  511. if ((s->wbio == NULL) || (BIO_method_type(s->wbio) != BIO_TYPE_SOCKET)
  512. || ((int)BIO_get_fd(s->wbio,NULL) != fd))
  513. {
  514. bio=BIO_new(BIO_s_socket());
  515. if (bio == NULL)
  516. {
  517. SSLerr(SSL_F_SSL_SET_RFD,ERR_R_BUF_LIB);
  518. goto err;
  519. }
  520. BIO_set_fd(bio,fd,BIO_NOCLOSE);
  521. SSL_set_bio(s,bio,SSL_get_wbio(s));
  522. }
  523. else
  524. SSL_set_bio(s,SSL_get_wbio(s),SSL_get_wbio(s));
  525. ret=1;
  526. err:
  527. return(ret);
  528. }
  529. #endif
  530. /* return length of latest Finished message we sent, copy to 'buf' */
  531. size_t SSL_get_finished(SSL *s, void *buf, size_t count)
  532. {
  533. size_t ret = 0;
  534. if (s->s3 != NULL)
  535. {
  536. ret = s->s3->tmp.finish_md_len;
  537. if (count > ret)
  538. count = ret;
  539. memcpy(buf, s->s3->tmp.finish_md, count);
  540. }
  541. return ret;
  542. }
  543. /* return length of latest Finished message we expected, copy to 'buf' */
  544. size_t SSL_get_peer_finished(SSL *s, void *buf, size_t count)
  545. {
  546. size_t ret = 0;
  547. if (s->s3 != NULL)
  548. {
  549. ret = s->s3->tmp.peer_finish_md_len;
  550. if (count > ret)
  551. count = ret;
  552. memcpy(buf, s->s3->tmp.peer_finish_md, count);
  553. }
  554. return ret;
  555. }
  556. int SSL_get_verify_mode(SSL *s)
  557. {
  558. return(s->verify_mode);
  559. }
  560. int SSL_get_verify_depth(SSL *s)
  561. {
  562. return(s->verify_depth);
  563. }
  564. int (*SSL_get_verify_callback(SSL *s))(int,X509_STORE_CTX *)
  565. {
  566. return(s->verify_callback);
  567. }
  568. int SSL_CTX_get_verify_mode(SSL_CTX *ctx)
  569. {
  570. return(ctx->verify_mode);
  571. }
  572. int SSL_CTX_get_verify_depth(SSL_CTX *ctx)
  573. {
  574. return(ctx->verify_depth);
  575. }
  576. int (*SSL_CTX_get_verify_callback(SSL_CTX *ctx))(int,X509_STORE_CTX *)
  577. {
  578. return(ctx->default_verify_callback);
  579. }
  580. void SSL_set_verify(SSL *s,int mode,
  581. int (*callback)(int ok,X509_STORE_CTX *ctx))
  582. {
  583. s->verify_mode=mode;
  584. if (callback != NULL)
  585. s->verify_callback=callback;
  586. }
  587. void SSL_set_verify_depth(SSL *s,int depth)
  588. {
  589. s->verify_depth=depth;
  590. }
  591. void SSL_set_read_ahead(SSL *s,int yes)
  592. {
  593. s->read_ahead=yes;
  594. }
  595. int SSL_get_read_ahead(SSL *s)
  596. {
  597. return(s->read_ahead);
  598. }
  599. int SSL_pending(SSL *s)
  600. {
  601. /* SSL_pending cannot work properly if read-ahead is enabled
  602. * (SSL_[CTX_]ctrl(..., SSL_CTRL_SET_READ_AHEAD, 1, NULL)),
  603. * and it is impossible to fix since SSL_pending cannot report
  604. * errors that may be observed while scanning the new data.
  605. * (Note that SSL_pending() is often used as a boolean value,
  606. * so we'd better not return -1.)
  607. */
  608. return(s->method->ssl_pending(s));
  609. }
  610. X509 *SSL_get_peer_certificate(SSL *s)
  611. {
  612. X509 *r;
  613. if ((s == NULL) || (s->session == NULL))
  614. r=NULL;
  615. else
  616. r=s->session->peer;
  617. if (r == NULL) return(r);
  618. CRYPTO_add(&r->references,1,CRYPTO_LOCK_X509);
  619. return(r);
  620. }
  621. STACK_OF(X509) *SSL_get_peer_cert_chain(SSL *s)
  622. {
  623. STACK_OF(X509) *r;
  624. if ((s == NULL) || (s->session == NULL) || (s->session->sess_cert == NULL))
  625. r=NULL;
  626. else
  627. r=s->session->sess_cert->cert_chain;
  628. /* If we are a client, cert_chain includes the peer's own
  629. * certificate; if we are a server, it does not. */
  630. return(r);
  631. }
  632. /* Now in theory, since the calling process own 't' it should be safe to
  633. * modify. We need to be able to read f without being hassled */
  634. void SSL_copy_session_id(SSL *t,SSL *f)
  635. {
  636. CERT *tmp;
  637. /* Do we need to to SSL locking? */
  638. SSL_set_session(t,SSL_get_session(f));
  639. /* what if we are setup as SSLv2 but want to talk SSLv3 or
  640. * vice-versa */
  641. if (t->method != f->method)
  642. {
  643. t->method->ssl_free(t); /* cleanup current */
  644. t->method=f->method; /* change method */
  645. t->method->ssl_new(t); /* setup new */
  646. }
  647. tmp=t->cert;
  648. if (f->cert != NULL)
  649. {
  650. CRYPTO_add(&f->cert->references,1,CRYPTO_LOCK_SSL_CERT);
  651. t->cert=f->cert;
  652. }
  653. else
  654. t->cert=NULL;
  655. if (tmp != NULL) ssl_cert_free(tmp);
  656. SSL_set_session_id_context(t,f->sid_ctx,f->sid_ctx_length);
  657. }
  658. /* Fix this so it checks all the valid key/cert options */
  659. int SSL_CTX_check_private_key(SSL_CTX *ctx)
  660. {
  661. if ( (ctx == NULL) ||
  662. (ctx->cert == NULL) ||
  663. (ctx->cert->key->x509 == NULL))
  664. {
  665. SSLerr(SSL_F_SSL_CTX_CHECK_PRIVATE_KEY,SSL_R_NO_CERTIFICATE_ASSIGNED);
  666. return(0);
  667. }
  668. if (ctx->cert->key->privatekey == NULL)
  669. {
  670. SSLerr(SSL_F_SSL_CTX_CHECK_PRIVATE_KEY,SSL_R_NO_PRIVATE_KEY_ASSIGNED);
  671. return(0);
  672. }
  673. return(X509_check_private_key(ctx->cert->key->x509, ctx->cert->key->privatekey));
  674. }
  675. /* Fix this function so that it takes an optional type parameter */
  676. int SSL_check_private_key(SSL *ssl)
  677. {
  678. if (ssl == NULL)
  679. {
  680. SSLerr(SSL_F_SSL_CHECK_PRIVATE_KEY,ERR_R_PASSED_NULL_PARAMETER);
  681. return(0);
  682. }
  683. if (ssl->cert == NULL)
  684. {
  685. SSLerr(SSL_F_SSL_CHECK_PRIVATE_KEY,SSL_R_NO_CERTIFICATE_ASSIGNED);
  686. return 0;
  687. }
  688. if (ssl->cert->key->x509 == NULL)
  689. {
  690. SSLerr(SSL_F_SSL_CHECK_PRIVATE_KEY,SSL_R_NO_CERTIFICATE_ASSIGNED);
  691. return(0);
  692. }
  693. if (ssl->cert->key->privatekey == NULL)
  694. {
  695. SSLerr(SSL_F_SSL_CHECK_PRIVATE_KEY,SSL_R_NO_PRIVATE_KEY_ASSIGNED);
  696. return(0);
  697. }
  698. return(X509_check_private_key(ssl->cert->key->x509,
  699. ssl->cert->key->privatekey));
  700. }
  701. int SSL_accept(SSL *s)
  702. {
  703. if (s->handshake_func == 0)
  704. /* Not properly initialized yet */
  705. SSL_set_accept_state(s);
  706. return(s->method->ssl_accept(s));
  707. }
  708. int SSL_connect(SSL *s)
  709. {
  710. if (s->handshake_func == 0)
  711. /* Not properly initialized yet */
  712. SSL_set_connect_state(s);
  713. return(s->method->ssl_connect(s));
  714. }
  715. long SSL_get_default_timeout(SSL *s)
  716. {
  717. return(s->method->get_timeout());
  718. }
  719. int SSL_read(SSL *s,void *buf,int num)
  720. {
  721. if (s->handshake_func == 0)
  722. {
  723. SSLerr(SSL_F_SSL_READ, SSL_R_UNINITIALIZED);
  724. return -1;
  725. }
  726. if (s->shutdown & SSL_RECEIVED_SHUTDOWN)
  727. {
  728. s->rwstate=SSL_NOTHING;
  729. return(0);
  730. }
  731. return(s->method->ssl_read(s,buf,num));
  732. }
  733. int SSL_peek(SSL *s,void *buf,int num)
  734. {
  735. if (s->handshake_func == 0)
  736. {
  737. SSLerr(SSL_F_SSL_READ, SSL_R_UNINITIALIZED);
  738. return -1;
  739. }
  740. if (s->shutdown & SSL_RECEIVED_SHUTDOWN)
  741. {
  742. return(0);
  743. }
  744. return(s->method->ssl_peek(s,buf,num));
  745. }
  746. int SSL_write(SSL *s,const void *buf,int num)
  747. {
  748. if (s->handshake_func == 0)
  749. {
  750. SSLerr(SSL_F_SSL_WRITE, SSL_R_UNINITIALIZED);
  751. return -1;
  752. }
  753. if (s->shutdown & SSL_SENT_SHUTDOWN)
  754. {
  755. s->rwstate=SSL_NOTHING;
  756. SSLerr(SSL_F_SSL_WRITE,SSL_R_PROTOCOL_IS_SHUTDOWN);
  757. return(-1);
  758. }
  759. return(s->method->ssl_write(s,buf,num));
  760. }
  761. int SSL_shutdown(SSL *s)
  762. {
  763. /* Note that this function behaves differently from what one might
  764. * expect. Return values are 0 for no success (yet),
  765. * 1 for success; but calling it once is usually not enough,
  766. * even if blocking I/O is used (see ssl3_shutdown).
  767. */
  768. if (s->handshake_func == 0)
  769. {
  770. SSLerr(SSL_F_SSL_SHUTDOWN, SSL_R_UNINITIALIZED);
  771. return -1;
  772. }
  773. if ((s != NULL) && !SSL_in_init(s))
  774. return(s->method->ssl_shutdown(s));
  775. else
  776. return(1);
  777. }
  778. int SSL_renegotiate(SSL *s)
  779. {
  780. if (s->new_session == 0)
  781. {
  782. s->new_session=1;
  783. }
  784. return(s->method->ssl_renegotiate(s));
  785. }
  786. int SSL_renegotiate_pending(SSL *s)
  787. {
  788. /* becomes true when negotiation is requested;
  789. * false again once a handshake has finished */
  790. return (s->new_session != 0);
  791. }
  792. long SSL_ctrl(SSL *s,int cmd,long larg,void *parg)
  793. {
  794. long l;
  795. switch (cmd)
  796. {
  797. case SSL_CTRL_GET_READ_AHEAD:
  798. return(s->read_ahead);
  799. case SSL_CTRL_SET_READ_AHEAD:
  800. l=s->read_ahead;
  801. s->read_ahead=larg;
  802. return(l);
  803. case SSL_CTRL_SET_MSG_CALLBACK_ARG:
  804. s->msg_callback_arg = parg;
  805. return 1;
  806. case SSL_CTRL_OPTIONS:
  807. return(s->options|=larg);
  808. case SSL_CTRL_MODE:
  809. return(s->mode|=larg);
  810. case SSL_CTRL_GET_MAX_CERT_LIST:
  811. return(s->max_cert_list);
  812. case SSL_CTRL_SET_MAX_CERT_LIST:
  813. l=s->max_cert_list;
  814. s->max_cert_list=larg;
  815. return(l);
  816. default:
  817. return(s->method->ssl_ctrl(s,cmd,larg,parg));
  818. }
  819. }
  820. long SSL_callback_ctrl(SSL *s, int cmd, void (*fp)())
  821. {
  822. switch(cmd)
  823. {
  824. case SSL_CTRL_SET_MSG_CALLBACK:
  825. s->msg_callback = (void (*)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg))(fp);
  826. return 1;
  827. default:
  828. return(s->method->ssl_callback_ctrl(s,cmd,fp));
  829. }
  830. }
  831. struct lhash_st *SSL_CTX_sessions(SSL_CTX *ctx)
  832. {
  833. return ctx->sessions;
  834. }
  835. long SSL_CTX_ctrl(SSL_CTX *ctx,int cmd,long larg,void *parg)
  836. {
  837. long l;
  838. switch (cmd)
  839. {
  840. case SSL_CTRL_GET_READ_AHEAD:
  841. return(ctx->read_ahead);
  842. case SSL_CTRL_SET_READ_AHEAD:
  843. l=ctx->read_ahead;
  844. ctx->read_ahead=larg;
  845. return(l);
  846. case SSL_CTRL_SET_MSG_CALLBACK_ARG:
  847. ctx->msg_callback_arg = parg;
  848. return 1;
  849. case SSL_CTRL_GET_MAX_CERT_LIST:
  850. return(ctx->max_cert_list);
  851. case SSL_CTRL_SET_MAX_CERT_LIST:
  852. l=ctx->max_cert_list;
  853. ctx->max_cert_list=larg;
  854. return(l);
  855. case SSL_CTRL_SET_SESS_CACHE_SIZE:
  856. l=ctx->session_cache_size;
  857. ctx->session_cache_size=larg;
  858. return(l);
  859. case SSL_CTRL_GET_SESS_CACHE_SIZE:
  860. return(ctx->session_cache_size);
  861. case SSL_CTRL_SET_SESS_CACHE_MODE:
  862. l=ctx->session_cache_mode;
  863. ctx->session_cache_mode=larg;
  864. return(l);
  865. case SSL_CTRL_GET_SESS_CACHE_MODE:
  866. return(ctx->session_cache_mode);
  867. case SSL_CTRL_SESS_NUMBER:
  868. return(ctx->sessions->num_items);
  869. case SSL_CTRL_SESS_CONNECT:
  870. return(ctx->stats.sess_connect);
  871. case SSL_CTRL_SESS_CONNECT_GOOD:
  872. return(ctx->stats.sess_connect_good);
  873. case SSL_CTRL_SESS_CONNECT_RENEGOTIATE:
  874. return(ctx->stats.sess_connect_renegotiate);
  875. case SSL_CTRL_SESS_ACCEPT:
  876. return(ctx->stats.sess_accept);
  877. case SSL_CTRL_SESS_ACCEPT_GOOD:
  878. return(ctx->stats.sess_accept_good);
  879. case SSL_CTRL_SESS_ACCEPT_RENEGOTIATE:
  880. return(ctx->stats.sess_accept_renegotiate);
  881. case SSL_CTRL_SESS_HIT:
  882. return(ctx->stats.sess_hit);
  883. case SSL_CTRL_SESS_CB_HIT:
  884. return(ctx->stats.sess_cb_hit);
  885. case SSL_CTRL_SESS_MISSES:
  886. return(ctx->stats.sess_miss);
  887. case SSL_CTRL_SESS_TIMEOUTS:
  888. return(ctx->stats.sess_timeout);
  889. case SSL_CTRL_SESS_CACHE_FULL:
  890. return(ctx->stats.sess_cache_full);
  891. case SSL_CTRL_OPTIONS:
  892. return(ctx->options|=larg);
  893. case SSL_CTRL_MODE:
  894. return(ctx->mode|=larg);
  895. default:
  896. return(ctx->method->ssl_ctx_ctrl(ctx,cmd,larg,parg));
  897. }
  898. }
  899. long SSL_CTX_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)())
  900. {
  901. switch(cmd)
  902. {
  903. case SSL_CTRL_SET_MSG_CALLBACK:
  904. ctx->msg_callback = (void (*)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg))(fp);
  905. return 1;
  906. default:
  907. return(ctx->method->ssl_ctx_callback_ctrl(ctx,cmd,fp));
  908. }
  909. }
  910. int ssl_cipher_id_cmp(const SSL_CIPHER *a, const SSL_CIPHER *b)
  911. {
  912. long l;
  913. l=a->id-b->id;
  914. if (l == 0L)
  915. return(0);
  916. else
  917. return((l > 0)?1:-1);
  918. }
  919. int ssl_cipher_ptr_id_cmp(const SSL_CIPHER * const *ap,
  920. const SSL_CIPHER * const *bp)
  921. {
  922. long l;
  923. l=(*ap)->id-(*bp)->id;
  924. if (l == 0L)
  925. return(0);
  926. else
  927. return((l > 0)?1:-1);
  928. }
  929. /** return a STACK of the ciphers available for the SSL and in order of
  930. * preference */
  931. STACK_OF(SSL_CIPHER) *SSL_get_ciphers(SSL *s)
  932. {
  933. if (s != NULL)
  934. {
  935. if (s->cipher_list != NULL)
  936. {
  937. return(s->cipher_list);
  938. }
  939. else if ((s->ctx != NULL) &&
  940. (s->ctx->cipher_list != NULL))
  941. {
  942. return(s->ctx->cipher_list);
  943. }
  944. }
  945. return(NULL);
  946. }
  947. /** return a STACK of the ciphers available for the SSL and in order of
  948. * algorithm id */
  949. STACK_OF(SSL_CIPHER) *ssl_get_ciphers_by_id(SSL *s)
  950. {
  951. if (s != NULL)
  952. {
  953. if (s->cipher_list_by_id != NULL)
  954. {
  955. return(s->cipher_list_by_id);
  956. }
  957. else if ((s->ctx != NULL) &&
  958. (s->ctx->cipher_list_by_id != NULL))
  959. {
  960. return(s->ctx->cipher_list_by_id);
  961. }
  962. }
  963. return(NULL);
  964. }
  965. /** The old interface to get the same thing as SSL_get_ciphers() */
  966. const char *SSL_get_cipher_list(SSL *s,int n)
  967. {
  968. SSL_CIPHER *c;
  969. STACK_OF(SSL_CIPHER) *sk;
  970. if (s == NULL) return(NULL);
  971. sk=SSL_get_ciphers(s);
  972. if ((sk == NULL) || (sk_SSL_CIPHER_num(sk) <= n))
  973. return(NULL);
  974. c=sk_SSL_CIPHER_value(sk,n);
  975. if (c == NULL) return(NULL);
  976. return(c->name);
  977. }
  978. /** specify the ciphers to be used by default by the SSL_CTX */
  979. int SSL_CTX_set_cipher_list(SSL_CTX *ctx, const char *str)
  980. {
  981. STACK_OF(SSL_CIPHER) *sk;
  982. sk=ssl_create_cipher_list(ctx->method,&ctx->cipher_list,
  983. &ctx->cipher_list_by_id,str);
  984. /* XXXX */
  985. return((sk == NULL)?0:1);
  986. }
  987. /** specify the ciphers to be used by the SSL */
  988. int SSL_set_cipher_list(SSL *s,const char *str)
  989. {
  990. STACK_OF(SSL_CIPHER) *sk;
  991. sk=ssl_create_cipher_list(s->ctx->method,&s->cipher_list,
  992. &s->cipher_list_by_id,str);
  993. /* XXXX */
  994. return((sk == NULL)?0:1);
  995. }
  996. /* works well for SSLv2, not so good for SSLv3 */
  997. char *SSL_get_shared_ciphers(SSL *s,char *buf,int len)
  998. {
  999. char *p;
  1000. const char *cp;
  1001. STACK_OF(SSL_CIPHER) *sk;
  1002. SSL_CIPHER *c;
  1003. int i;
  1004. if ((s->session == NULL) || (s->session->ciphers == NULL) ||
  1005. (len < 2))
  1006. return(NULL);
  1007. p=buf;
  1008. sk=s->session->ciphers;
  1009. for (i=0; i<sk_SSL_CIPHER_num(sk); i++)
  1010. {
  1011. /* Decrement for either the ':' or a '\0' */
  1012. len--;
  1013. c=sk_SSL_CIPHER_value(sk,i);
  1014. for (cp=c->name; *cp; )
  1015. {
  1016. if (len-- == 0)
  1017. {
  1018. *p='\0';
  1019. return(buf);
  1020. }
  1021. else
  1022. *(p++)= *(cp++);
  1023. }
  1024. *(p++)=':';
  1025. }
  1026. p[-1]='\0';
  1027. return(buf);
  1028. }
  1029. int ssl_cipher_list_to_bytes(SSL *s,STACK_OF(SSL_CIPHER) *sk,unsigned char *p)
  1030. {
  1031. int i,j=0;
  1032. SSL_CIPHER *c;
  1033. unsigned char *q;
  1034. #ifndef OPENSSL_NO_KRB5
  1035. int nokrb5 = !kssl_tgt_is_available(s->kssl_ctx);
  1036. #endif /* OPENSSL_NO_KRB5 */
  1037. if (sk == NULL) return(0);
  1038. q=p;
  1039. for (i=0; i<sk_SSL_CIPHER_num(sk); i++)
  1040. {
  1041. c=sk_SSL_CIPHER_value(sk,i);
  1042. #ifndef OPENSSL_NO_KRB5
  1043. if ((c->algorithms & SSL_KRB5) && nokrb5)
  1044. continue;
  1045. #endif /* OPENSSL_NO_KRB5 */
  1046. j=ssl_put_cipher_by_char(s,c,p);
  1047. p+=j;
  1048. }
  1049. return(p-q);
  1050. }
  1051. STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s,unsigned char *p,int num,
  1052. STACK_OF(SSL_CIPHER) **skp)
  1053. {
  1054. SSL_CIPHER *c;
  1055. STACK_OF(SSL_CIPHER) *sk;
  1056. int i,n;
  1057. n=ssl_put_cipher_by_char(s,NULL,NULL);
  1058. if ((num%n) != 0)
  1059. {
  1060. SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST);
  1061. return(NULL);
  1062. }
  1063. if ((skp == NULL) || (*skp == NULL))
  1064. sk=sk_SSL_CIPHER_new_null(); /* change perhaps later */
  1065. else
  1066. {
  1067. sk= *skp;
  1068. sk_SSL_CIPHER_zero(sk);
  1069. }
  1070. for (i=0; i<num; i+=n)
  1071. {
  1072. c=ssl_get_cipher_by_char(s,p);
  1073. p+=n;
  1074. if (c != NULL)
  1075. {
  1076. if (!sk_SSL_CIPHER_push(sk,c))
  1077. {
  1078. SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,ERR_R_MALLOC_FAILURE);
  1079. goto err;
  1080. }
  1081. }
  1082. }
  1083. if (skp != NULL)
  1084. *skp=sk;
  1085. return(sk);
  1086. err:
  1087. if ((skp == NULL) || (*skp == NULL))
  1088. sk_SSL_CIPHER_free(sk);
  1089. return(NULL);
  1090. }
  1091. unsigned long SSL_SESSION_hash(SSL_SESSION *a)
  1092. {
  1093. unsigned long l;
  1094. l=(unsigned long)
  1095. ((unsigned int) a->session_id[0] )|
  1096. ((unsigned int) a->session_id[1]<< 8L)|
  1097. ((unsigned long)a->session_id[2]<<16L)|
  1098. ((unsigned long)a->session_id[3]<<24L);
  1099. return(l);
  1100. }
  1101. /* NB: If this function (or indeed the hash function which uses a sort of
  1102. * coarser function than this one) is changed, ensure
  1103. * SSL_CTX_has_matching_session_id() is checked accordingly. It relies on being
  1104. * able to construct an SSL_SESSION that will collide with any existing session
  1105. * with a matching session ID. */
  1106. int SSL_SESSION_cmp(SSL_SESSION *a,SSL_SESSION *b)
  1107. {
  1108. if (a->ssl_version != b->ssl_version)
  1109. return(1);
  1110. if (a->session_id_length != b->session_id_length)
  1111. return(1);
  1112. return(memcmp(a->session_id,b->session_id,a->session_id_length));
  1113. }
  1114. /* These wrapper functions should remain rather than redeclaring
  1115. * SSL_SESSION_hash and SSL_SESSION_cmp for void* types and casting each
  1116. * variable. The reason is that the functions aren't static, they're exposed via
  1117. * ssl.h. */
  1118. static IMPLEMENT_LHASH_HASH_FN(SSL_SESSION_hash, SSL_SESSION *)
  1119. static IMPLEMENT_LHASH_COMP_FN(SSL_SESSION_cmp, SSL_SESSION *)
  1120. SSL_CTX *SSL_CTX_new(SSL_METHOD *meth)
  1121. {
  1122. SSL_CTX *ret=NULL;
  1123. if (meth == NULL)
  1124. {
  1125. SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_NULL_SSL_METHOD_PASSED);
  1126. return(NULL);
  1127. }
  1128. if (SSL_get_ex_data_X509_STORE_CTX_idx() < 0)
  1129. {
  1130. SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_X509_VERIFICATION_SETUP_PROBLEMS);
  1131. goto err;
  1132. }
  1133. ret=(SSL_CTX *)OPENSSL_malloc(sizeof(SSL_CTX));
  1134. if (ret == NULL)
  1135. goto err;
  1136. memset(ret,0,sizeof(SSL_CTX));
  1137. ret->method=meth;
  1138. ret->cert_store=NULL;
  1139. ret->session_cache_mode=SSL_SESS_CACHE_SERVER;
  1140. ret->session_cache_size=SSL_SESSION_CACHE_MAX_SIZE_DEFAULT;
  1141. ret->session_cache_head=NULL;
  1142. ret->session_cache_tail=NULL;
  1143. /* We take the system default */
  1144. ret->session_timeout=meth->get_timeout();
  1145. ret->new_session_cb=0;
  1146. ret->remove_session_cb=0;
  1147. ret->get_session_cb=0;
  1148. ret->generate_session_id=0;
  1149. memset((char *)&ret->stats,0,sizeof(ret->stats));
  1150. ret->references=1;
  1151. ret->quiet_shutdown=0;
  1152. /* ret->cipher=NULL;*/
  1153. /* ret->s2->challenge=NULL;
  1154. ret->master_key=NULL;
  1155. ret->key_arg=NULL;
  1156. ret->s2->conn_id=NULL; */
  1157. ret->info_callback=NULL;
  1158. ret->app_verify_callback=0;
  1159. ret->app_verify_arg=NULL;
  1160. ret->max_cert_list=SSL_MAX_CERT_LIST_DEFAULT;
  1161. ret->read_ahead=0;
  1162. ret->msg_callback=0;
  1163. ret->msg_callback_arg=NULL;
  1164. ret->verify_mode=SSL_VERIFY_NONE;
  1165. ret->verify_depth=-1; /* Don't impose a limit (but x509_lu.c does) */
  1166. ret->sid_ctx_length=0;
  1167. ret->default_verify_callback=NULL;
  1168. if ((ret->cert=ssl_cert_new()) == NULL)
  1169. goto err;
  1170. ret->default_passwd_callback=0;
  1171. ret->default_passwd_callback_userdata=NULL;
  1172. ret->client_cert_cb=0;
  1173. ret->sessions=lh_new(LHASH_HASH_FN(SSL_SESSION_hash),
  1174. LHASH_COMP_FN(SSL_SESSION_cmp));
  1175. if (ret->sessions == NULL) goto err;
  1176. ret->cert_store=X509_STORE_new();
  1177. if (ret->cert_store == NULL) goto err;
  1178. ssl_create_cipher_list(ret->method,
  1179. &ret->cipher_list,&ret->cipher_list_by_id,
  1180. SSL_DEFAULT_CIPHER_LIST);
  1181. if (ret->cipher_list == NULL
  1182. || sk_SSL_CIPHER_num(ret->cipher_list) <= 0)
  1183. {
  1184. SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_LIBRARY_HAS_NO_CIPHERS);
  1185. goto err2;
  1186. }
  1187. if ((ret->rsa_md5=EVP_get_digestbyname("ssl2-md5")) == NULL)
  1188. {
  1189. SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_UNABLE_TO_LOAD_SSL2_MD5_ROUTINES);
  1190. goto err2;
  1191. }
  1192. if ((ret->md5=EVP_get_digestbyname("ssl3-md5")) == NULL)
  1193. {
  1194. SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES);
  1195. goto err2;
  1196. }
  1197. if ((ret->sha1=EVP_get_digestbyname("ssl3-sha1")) == NULL)
  1198. {
  1199. SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES);
  1200. goto err2;
  1201. }
  1202. if ((ret->client_CA=sk_X509_NAME_new_null()) == NULL)
  1203. goto err;
  1204. CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL_CTX, ret, &ret->ex_data);
  1205. ret->extra_certs=NULL;
  1206. ret->comp_methods=SSL_COMP_get_compression_methods();
  1207. return(ret);
  1208. err:
  1209. SSLerr(SSL_F_SSL_CTX_NEW,ERR_R_MALLOC_FAILURE);
  1210. err2:
  1211. if (ret != NULL) SSL_CTX_free(ret);
  1212. return(NULL);
  1213. }
  1214. #if 0
  1215. static void SSL_COMP_free(SSL_COMP *comp)
  1216. { OPENSSL_free(comp); }
  1217. #endif
  1218. void SSL_CTX_free(SSL_CTX *a)
  1219. {
  1220. int i;
  1221. if (a == NULL) return;
  1222. i=CRYPTO_add(&a->references,-1,CRYPTO_LOCK_SSL_CTX);
  1223. #ifdef REF_PRINT
  1224. REF_PRINT("SSL_CTX",a);
  1225. #endif
  1226. if (i > 0) return;
  1227. #ifdef REF_CHECK
  1228. if (i < 0)
  1229. {
  1230. fprintf(stderr,"SSL_CTX_free, bad reference count\n");
  1231. abort(); /* ok */
  1232. }
  1233. #endif
  1234. /*
  1235. * Free internal session cache. However: the remove_cb() may reference
  1236. * the ex_data of SSL_CTX, thus the ex_data store can only be removed
  1237. * after the sessions were flushed.
  1238. * As the ex_data handling routines might also touch the session cache,
  1239. * the most secure solution seems to be: empty (flush) the cache, then
  1240. * free ex_data, then finally free the cache.
  1241. * (See ticket [openssl.org #212].)
  1242. */
  1243. if (a->sessions != NULL)
  1244. SSL_CTX_flush_sessions(a,0);
  1245. CRYPTO_free_ex_data(CRYPTO_EX_INDEX_SSL_CTX, a, &a->ex_data);
  1246. if (a->sessions != NULL)
  1247. lh_free(a->sessions);
  1248. if (a->cert_store != NULL)
  1249. X509_STORE_free(a->cert_store);
  1250. if (a->cipher_list != NULL)
  1251. sk_SSL_CIPHER_free(a->cipher_list);
  1252. if (a->cipher_list_by_id != NULL)
  1253. sk_SSL_CIPHER_free(a->cipher_list_by_id);
  1254. if (a->cert != NULL)
  1255. ssl_cert_free(a->cert);
  1256. if (a->client_CA != NULL)
  1257. sk_X509_NAME_pop_free(a->client_CA,X509_NAME_free);
  1258. if (a->extra_certs != NULL)
  1259. sk_X509_pop_free(a->extra_certs,X509_free);
  1260. #if 0 /* This should never be done, since it removes a global database */
  1261. if (a->comp_methods != NULL)
  1262. sk_SSL_COMP_pop_free(a->comp_methods,SSL_COMP_free);
  1263. #else
  1264. a->comp_methods = NULL;
  1265. #endif
  1266. OPENSSL_free(a);
  1267. }
  1268. void SSL_CTX_set_default_passwd_cb(SSL_CTX *ctx, pem_password_cb *cb)
  1269. {
  1270. ctx->default_passwd_callback=cb;
  1271. }
  1272. void SSL_CTX_set_default_passwd_cb_userdata(SSL_CTX *ctx,void *u)
  1273. {
  1274. ctx->default_passwd_callback_userdata=u;
  1275. }
  1276. void SSL_CTX_set_cert_verify_callback(SSL_CTX *ctx, int (*cb)(X509_STORE_CTX *,void *), void *arg)
  1277. {
  1278. ctx->app_verify_callback=cb;
  1279. ctx->app_verify_arg=arg;
  1280. }
  1281. void SSL_CTX_set_verify(SSL_CTX *ctx,int mode,int (*cb)(int, X509_STORE_CTX *))
  1282. {
  1283. ctx->verify_mode=mode;
  1284. ctx->default_verify_callback=cb;
  1285. }
  1286. void SSL_CTX_set_verify_depth(SSL_CTX *ctx,int depth)
  1287. {
  1288. ctx->verify_depth=depth;
  1289. }
  1290. void ssl_set_cert_masks(CERT *c, SSL_CIPHER *cipher)
  1291. {
  1292. CERT_PKEY *cpk;
  1293. int rsa_enc,rsa_tmp,rsa_sign,dh_tmp,dh_rsa,dh_dsa,dsa_sign;
  1294. int rsa_enc_export,dh_rsa_export,dh_dsa_export;
  1295. int rsa_tmp_export,dh_tmp_export,kl;
  1296. unsigned long mask,emask;
  1297. int have_ecc_cert, have_ecdh_tmp, ecdh_ok, ecdsa_ok, ecc_pkey_size;
  1298. X509 *x = NULL;
  1299. EVP_PKEY *ecc_pkey = NULL;
  1300. int signature_nid = 0;
  1301. if (c == NULL) return;
  1302. kl=SSL_C_EXPORT_PKEYLENGTH(cipher);
  1303. #ifndef OPENSSL_NO_RSA
  1304. rsa_tmp=(c->rsa_tmp != NULL || c->rsa_tmp_cb != NULL);
  1305. rsa_tmp_export=(c->rsa_tmp_cb != NULL ||
  1306. (rsa_tmp && RSA_size(c->rsa_tmp)*8 <= kl));
  1307. #else
  1308. rsa_tmp=rsa_tmp_export=0;
  1309. #endif
  1310. #ifndef OPENSSL_NO_DH
  1311. dh_tmp=(c->dh_tmp != NULL || c->dh_tmp_cb != NULL);
  1312. dh_tmp_export=(c->dh_tmp_cb != NULL ||
  1313. (dh_tmp && DH_size(c->dh_tmp)*8 <= kl));
  1314. #else
  1315. dh_tmp=dh_tmp_export=0;
  1316. #endif
  1317. #ifndef OPENSSL_NO_ECDH
  1318. have_ecdh_tmp=(c->ecdh_tmp != NULL || c->ecdh_tmp_cb != NULL);
  1319. #endif
  1320. cpk= &(c->pkeys[SSL_PKEY_RSA_ENC]);
  1321. rsa_enc= (cpk->x509 != NULL && cpk->privatekey != NULL);
  1322. rsa_enc_export=(rsa_enc && EVP_PKEY_size(cpk->privatekey)*8 <= kl);
  1323. cpk= &(c->pkeys[SSL_PKEY_RSA_SIGN]);
  1324. rsa_sign=(cpk->x509 != NULL && cpk->privatekey != NULL);
  1325. cpk= &(c->pkeys[SSL_PKEY_DSA_SIGN]);
  1326. dsa_sign=(cpk->x509 != NULL && cpk->privatekey != NULL);
  1327. cpk= &(c->pkeys[SSL_PKEY_DH_RSA]);
  1328. dh_rsa= (cpk->x509 != NULL && cpk->privatekey != NULL);
  1329. dh_rsa_export=(dh_rsa && EVP_PKEY_size(cpk->privatekey)*8 <= kl);
  1330. cpk= &(c->pkeys[SSL_PKEY_DH_DSA]);
  1331. /* FIX THIS EAY EAY EAY */
  1332. dh_dsa= (cpk->x509 != NULL && cpk->privatekey != NULL);
  1333. dh_dsa_export=(dh_dsa && EVP_PKEY_size(cpk->privatekey)*8 <= kl);
  1334. cpk= &(c->pkeys[SSL_PKEY_ECC]);
  1335. have_ecc_cert= (cpk->x509 != NULL && cpk->privatekey != NULL);
  1336. mask=0;
  1337. emask=0;
  1338. #ifdef CIPHER_DEBUG
  1339. printf("rt=%d rte=%d dht=%d re=%d ree=%d rs=%d ds=%d dhr=%d dhd=%d\n",
  1340. rsa_tmp,rsa_tmp_export,dh_tmp,
  1341. rsa_enc,rsa_enc_export,rsa_sign,dsa_sign,dh_rsa,dh_dsa);
  1342. #endif
  1343. if (rsa_enc || (rsa_tmp && rsa_sign))
  1344. mask|=SSL_kRSA;
  1345. if (rsa_enc_export || (rsa_tmp_export && (rsa_sign || rsa_enc)))
  1346. emask|=SSL_kRSA;
  1347. #if 0
  1348. /* The match needs to be both kEDH and aRSA or aDSA, so don't worry */
  1349. if ( (dh_tmp || dh_rsa || dh_dsa) &&
  1350. (rsa_enc || rsa_sign || dsa_sign))
  1351. mask|=SSL_kEDH;
  1352. if ((dh_tmp_export || dh_rsa_export || dh_dsa_export) &&
  1353. (rsa_enc || rsa_sign || dsa_sign))
  1354. emask|=SSL_kEDH;
  1355. #endif
  1356. if (dh_tmp_export)
  1357. emask|=SSL_kEDH;
  1358. if (dh_tmp)
  1359. mask|=SSL_kEDH;
  1360. if (dh_rsa) mask|=SSL_kDHr;
  1361. if (dh_rsa_export) emask|=SSL_kDHr;
  1362. if (dh_dsa) mask|=SSL_kDHd;
  1363. if (dh_dsa_export) emask|=SSL_kDHd;
  1364. if (rsa_enc || rsa_sign)
  1365. {
  1366. mask|=SSL_aRSA;
  1367. mask|=SSL_aRSA;
  1368. }
  1369. if (dsa_sign)
  1370. {
  1371. mask|=SSL_aDSS;
  1372. emask|=SSL_aDSS;
  1373. }
  1374. mask|=SSL_aNULL;
  1375. emask|=SSL_aNULL;
  1376. #ifndef OPENSSL_NO_KRB5
  1377. mask|=SSL_kKRB5|SSL_aKRB5;
  1378. emask|=SSL_kKRB5|SSL_aKRB5;
  1379. #endif
  1380. /* An ECC certificate may be usable for ECDH and/or
  1381. * ECDSA cipher suites depending on the key usage extension.
  1382. */
  1383. if (have_ecc_cert)
  1384. {
  1385. /* This call populates extension flags (ex_flags) */
  1386. x = (c->pkeys[SSL_PKEY_ECC]).x509;
  1387. X509_check_purpose(x, -1, 0);
  1388. ecdh_ok = (x->ex_flags & EXFLAG_KUSAGE) ?
  1389. (x->ex_kusage & X509v3_KU_KEY_AGREEMENT) : 1;
  1390. ecdsa_ok = (x->ex_flags & EXFLAG_KUSAGE) ?
  1391. (x->ex_kusage & X509v3_KU_DIGITAL_SIGNATURE) : 1;
  1392. ecc_pkey = X509_get_pubkey(x);
  1393. ecc_pkey_size = (ecc_pkey != NULL) ?
  1394. EVP_PKEY_bits(ecc_pkey) : 0;
  1395. EVP_PKEY_free(ecc_pkey);
  1396. if ((x->sig_alg) && (x->sig_alg->algorithm))
  1397. signature_nid = OBJ_obj2nid(x->sig_alg->algorithm);
  1398. #ifndef OPENSSL_NO_ECDH
  1399. if (ecdh_ok)
  1400. {
  1401. if ((signature_nid == NID_md5WithRSAEncryption) ||
  1402. (signature_nid == NID_md4WithRSAEncryption) ||
  1403. (signature_nid == NID_md2WithRSAEncryption))
  1404. {
  1405. mask|=SSL_kECDH|SSL_aRSA;
  1406. if (ecc_pkey_size <= 163)
  1407. emask|=SSL_kECDH|SSL_aRSA;
  1408. }
  1409. if (signature_nid == NID_ecdsa_with_SHA1)
  1410. {
  1411. mask|=SSL_kECDH|SSL_aECDSA;
  1412. if (ecc_pkey_size <= 163)
  1413. emask|=SSL_kECDH|SSL_aECDSA;
  1414. }
  1415. }
  1416. #endif
  1417. #ifndef OPENSSL_NO_ECDSA
  1418. if (ecdsa_ok)
  1419. {
  1420. mask|=SSL_aECDSA;
  1421. emask|=SSL_aECDSA;
  1422. }
  1423. #endif
  1424. }
  1425. #ifndef OPENSSL_NO_ECDH
  1426. if (have_ecdh_tmp)
  1427. {
  1428. mask|=SSL_kECDHE;
  1429. emask|=SSL_kECDHE;
  1430. }
  1431. #endif
  1432. c->mask=mask;
  1433. c->export_mask=emask;
  1434. c->valid=1;
  1435. }
  1436. /* This handy macro borrowed from crypto/x509v3/v3_purp.c */
  1437. #define ku_reject(x, usage) \
  1438. (((x)->ex_flags & EXFLAG_KUSAGE) && !((x)->ex_kusage & (usage)))
  1439. int check_srvr_ecc_cert_and_alg(X509 *x, SSL_CIPHER *cs)
  1440. {
  1441. unsigned long alg = cs->algorithms;
  1442. EVP_PKEY *pkey = NULL;
  1443. int keysize = 0;
  1444. int signature_nid = 0;
  1445. if (SSL_C_IS_EXPORT(cs))
  1446. {
  1447. /* ECDH key length in export ciphers must be <= 163 bits */
  1448. pkey = X509_get_pubkey(x);
  1449. if (pkey == NULL) return 0;
  1450. keysize = EVP_PKEY_bits(pkey);
  1451. EVP_PKEY_free(pkey);
  1452. if (keysize > 163) return 0;
  1453. }
  1454. /* This call populates the ex_flags field correctly */
  1455. X509_check_purpose(x, -1, 0);
  1456. if ((x->sig_alg) && (x->sig_alg->algorithm))
  1457. signature_nid = OBJ_obj2nid(x->sig_alg->algorithm);
  1458. if (alg & SSL_kECDH)
  1459. {
  1460. /* key usage, if present, must allow key agreement */
  1461. if (ku_reject(x, X509v3_KU_KEY_AGREEMENT))
  1462. {
  1463. return 0;
  1464. }
  1465. if (alg & SSL_aECDSA)
  1466. {
  1467. /* signature alg must be ECDSA */
  1468. if (signature_nid != NID_ecdsa_with_SHA1)
  1469. {
  1470. return 0;
  1471. }
  1472. }
  1473. if (alg & SSL_aRSA)
  1474. {
  1475. /* signature alg must be RSA */
  1476. if ((signature_nid != NID_md5WithRSAEncryption) &&
  1477. (signature_nid != NID_md4WithRSAEncryption) &&
  1478. (signature_nid != NID_md2WithRSAEncryption))
  1479. {
  1480. return 0;
  1481. }
  1482. }
  1483. }
  1484. else if (alg & SSL_aECDSA)
  1485. {
  1486. /* key usage, if present, must allow signing */
  1487. if (ku_reject(x, X509v3_KU_DIGITAL_SIGNATURE))
  1488. {
  1489. return 0;
  1490. }
  1491. }
  1492. return 1; /* all checks are ok */
  1493. }
  1494. /* THIS NEEDS CLEANING UP */
  1495. X509 *ssl_get_server_send_cert(SSL *s)
  1496. {
  1497. unsigned long alg,mask,kalg;
  1498. CERT *c;
  1499. int i,is_export;
  1500. c=s->cert;
  1501. ssl_set_cert_masks(c, s->s3->tmp.new_cipher);
  1502. alg=s->s3->tmp.new_cipher->algorithms;
  1503. is_export=SSL_C_IS_EXPORT(s->s3->tmp.new_cipher);
  1504. mask=is_export?c->export_mask:c->mask;
  1505. kalg=alg&(SSL_MKEY_MASK|SSL_AUTH_MASK);
  1506. if (kalg & SSL_kECDH)
  1507. {
  1508. /* we don't need to look at SSL_kECDHE
  1509. * since no certificate is needed for
  1510. * anon ECDH and for authenticated
  1511. * ECDHE, the check for the auth
  1512. * algorithm will set i correctly
  1513. * NOTE: For ECDH-RSA, we need an ECC
  1514. * not an RSA cert but for ECDHE-RSA
  1515. * we need an RSA cert. Placing the
  1516. * checks for SSL_kECDH before RSA
  1517. * checks ensures the correct cert is chosen.
  1518. */
  1519. i=SSL_PKEY_ECC;
  1520. }
  1521. else if (kalg & SSL_aECDSA)
  1522. {
  1523. i=SSL_PKEY_ECC;
  1524. }
  1525. else if (kalg & SSL_kDHr)
  1526. i=SSL_PKEY_DH_RSA;
  1527. else if (kalg & SSL_kDHd)
  1528. i=SSL_PKEY_DH_DSA;
  1529. else if (kalg & SSL_aDSS)
  1530. i=SSL_PKEY_DSA_SIGN;
  1531. else if (kalg & SSL_aRSA)
  1532. {
  1533. if (c->pkeys[SSL_PKEY_RSA_ENC].x509 == NULL)
  1534. i=SSL_PKEY_RSA_SIGN;
  1535. else
  1536. i=SSL_PKEY_RSA_ENC;
  1537. }
  1538. else if (kalg & SSL_aKRB5)
  1539. {
  1540. /* VRS something else here? */
  1541. return(NULL);
  1542. }
  1543. else /* if (kalg & SSL_aNULL) */
  1544. {
  1545. SSLerr(SSL_F_SSL_GET_SERVER_SEND_CERT,ERR_R_INTERNAL_ERROR);
  1546. return(NULL);
  1547. }
  1548. if (c->pkeys[i].x509 == NULL) return(NULL);
  1549. return(c->pkeys[i].x509);
  1550. }
  1551. EVP_PKEY *ssl_get_sign_pkey(SSL *s,SSL_CIPHER *cipher)
  1552. {
  1553. unsigned long alg;
  1554. CERT *c;
  1555. alg=cipher->algorithms;
  1556. c=s->cert;
  1557. if ((alg & SSL_aDSS) &&
  1558. (c->pkeys[SSL_PKEY_DSA_SIGN].privatekey != NULL))
  1559. return(c->pkeys[SSL_PKEY_DSA_SIGN].privatekey);
  1560. else if (alg & SSL_aRSA)
  1561. {
  1562. if (c->pkeys[SSL_PKEY_RSA_SIGN].privatekey != NULL)
  1563. return(c->pkeys[SSL_PKEY_RSA_SIGN].privatekey);
  1564. else if (c->pkeys[SSL_PKEY_RSA_ENC].privatekey != NULL)
  1565. return(c->pkeys[SSL_PKEY_RSA_ENC].privatekey);
  1566. else
  1567. return(NULL);
  1568. }
  1569. else if ((alg & SSL_aECDSA) &&
  1570. (c->pkeys[SSL_PKEY_ECC].privatekey != NULL))
  1571. return(c->pkeys[SSL_PKEY_ECC].privatekey);
  1572. else /* if (alg & SSL_aNULL) */
  1573. {
  1574. SSLerr(SSL_F_SSL_GET_SIGN_PKEY,ERR_R_INTERNAL_ERROR);
  1575. return(NULL);
  1576. }
  1577. }
  1578. void ssl_update_cache(SSL *s,int mode)
  1579. {
  1580. int i;
  1581. /* If the session_id_length is 0, we are not supposed to cache it,
  1582. * and it would be rather hard to do anyway :-) */
  1583. if (s->session->session_id_length == 0) return;
  1584. i=s->ctx->session_cache_mode;
  1585. if ((i & mode) && (!s->hit)
  1586. && ((i & SSL_SESS_CACHE_NO_INTERNAL_STORE)
  1587. || SSL_CTX_add_session(s->ctx,s->session))
  1588. && (s->ctx->new_session_cb != NULL))
  1589. {
  1590. CRYPTO_add(&s->session->references,1,CRYPTO_LOCK_SSL_SESSION);
  1591. if (!s->ctx->new_session_cb(s,s->session))
  1592. SSL_SESSION_free(s->session);
  1593. }
  1594. /* auto flush every 255 connections */
  1595. if ((!(i & SSL_SESS_CACHE_NO_AUTO_CLEAR)) &&
  1596. ((i & mode) == mode))
  1597. {
  1598. if ( (((mode & SSL_SESS_CACHE_CLIENT)
  1599. ?s->ctx->stats.sess_connect_good
  1600. :s->ctx->stats.sess_accept_good) & 0xff) == 0xff)
  1601. {
  1602. SSL_CTX_flush_sessions(s->ctx,time(NULL));
  1603. }
  1604. }
  1605. }
  1606. SSL_METHOD *SSL_get_ssl_method(SSL *s)
  1607. {
  1608. return(s->method);
  1609. }
  1610. int SSL_set_ssl_method(SSL *s,SSL_METHOD *meth)
  1611. {
  1612. int conn= -1;
  1613. int ret=1;
  1614. if (s->method != meth)
  1615. {
  1616. if (s->handshake_func != NULL)
  1617. conn=(s->handshake_func == s->method->ssl_connect);
  1618. if (s->method->version == meth->version)
  1619. s->method=meth;
  1620. else
  1621. {
  1622. s->method->ssl_free(s);
  1623. s->method=meth;
  1624. ret=s->method->ssl_new(s);
  1625. }
  1626. if (conn == 1)
  1627. s->handshake_func=meth->ssl_connect;
  1628. else if (conn == 0)
  1629. s->handshake_func=meth->ssl_accept;
  1630. }
  1631. return(ret);
  1632. }
  1633. int SSL_get_error(SSL *s,int i)
  1634. {
  1635. int reason;
  1636. unsigned long l;
  1637. BIO *bio;
  1638. if (i > 0) return(SSL_ERROR_NONE);
  1639. /* Make things return SSL_ERROR_SYSCALL when doing SSL_do_handshake
  1640. * etc, where we do encode the error */
  1641. if ((l=ERR_peek_error()) != 0)
  1642. {
  1643. if (ERR_GET_LIB(l) == ERR_LIB_SYS)
  1644. return(SSL_ERROR_SYSCALL);
  1645. else
  1646. return(SSL_ERROR_SSL);
  1647. }
  1648. if ((i < 0) && SSL_want_read(s))
  1649. {
  1650. bio=SSL_get_rbio(s);
  1651. if (BIO_should_read(bio))
  1652. return(SSL_ERROR_WANT_READ);
  1653. else if (BIO_should_write(bio))
  1654. /* This one doesn't make too much sense ... We never try
  1655. * to write to the rbio, and an application program where
  1656. * rbio and wbio are separate couldn't even know what it
  1657. * should wait for.
  1658. * However if we ever set s->rwstate incorrectly
  1659. * (so that we have SSL_want_read(s) instead of
  1660. * SSL_want_write(s)) and rbio and wbio *are* the same,
  1661. * this test works around that bug; so it might be safer
  1662. * to keep it. */
  1663. return(SSL_ERROR_WANT_WRITE);
  1664. else if (BIO_should_io_special(bio))
  1665. {
  1666. reason=BIO_get_retry_reason(bio);
  1667. if (reason == BIO_RR_CONNECT)
  1668. return(SSL_ERROR_WANT_CONNECT);
  1669. else if (reason == BIO_RR_ACCEPT)
  1670. return(SSL_ERROR_WANT_ACCEPT);
  1671. else
  1672. return(SSL_ERROR_SYSCALL); /* unknown */
  1673. }
  1674. }
  1675. if ((i < 0) && SSL_want_write(s))
  1676. {
  1677. bio=SSL_get_wbio(s);
  1678. if (BIO_should_write(bio))
  1679. return(SSL_ERROR_WANT_WRITE);
  1680. else if (BIO_should_read(bio))
  1681. /* See above (SSL_want_read(s) with BIO_should_write(bio)) */
  1682. return(SSL_ERROR_WANT_READ);
  1683. else if (BIO_should_io_special(bio))
  1684. {
  1685. reason=BIO_get_retry_reason(bio);
  1686. if (reason == BIO_RR_CONNECT)
  1687. return(SSL_ERROR_WANT_CONNECT);
  1688. else if (reason == BIO_RR_ACCEPT)
  1689. return(SSL_ERROR_WANT_ACCEPT);
  1690. else
  1691. return(SSL_ERROR_SYSCALL);
  1692. }
  1693. }
  1694. if ((i < 0) && SSL_want_x509_lookup(s))
  1695. {
  1696. return(SSL_ERROR_WANT_X509_LOOKUP);
  1697. }
  1698. if (i == 0)
  1699. {
  1700. if (s->version == SSL2_VERSION)
  1701. {
  1702. /* assume it is the socket being closed */
  1703. return(SSL_ERROR_ZERO_RETURN);
  1704. }
  1705. else
  1706. {
  1707. if ((s->shutdown & SSL_RECEIVED_SHUTDOWN) &&
  1708. (s->s3->warn_alert == SSL_AD_CLOSE_NOTIFY))
  1709. return(SSL_ERROR_ZERO_RETURN);
  1710. }
  1711. }
  1712. return(SSL_ERROR_SYSCALL);
  1713. }
  1714. int SSL_do_handshake(SSL *s)
  1715. {
  1716. int ret=1;
  1717. if (s->handshake_func == NULL)
  1718. {
  1719. SSLerr(SSL_F_SSL_DO_HANDSHAKE,SSL_R_CONNECTION_TYPE_NOT_SET);
  1720. return(-1);
  1721. }
  1722. s->method->ssl_renegotiate_check(s);
  1723. if (SSL_in_init(s) || SSL_in_before(s))
  1724. {
  1725. ret=s->handshake_func(s);
  1726. }
  1727. return(ret);
  1728. }
  1729. /* For the next 2 functions, SSL_clear() sets shutdown and so
  1730. * one of these calls will reset it */
  1731. void SSL_set_accept_state(SSL *s)
  1732. {
  1733. s->server=1;
  1734. s->shutdown=0;
  1735. s->state=SSL_ST_ACCEPT|SSL_ST_BEFORE;
  1736. s->handshake_func=s->method->ssl_accept;
  1737. /* clear the current cipher */
  1738. ssl_clear_cipher_ctx(s);
  1739. }
  1740. void SSL_set_connect_state(SSL *s)
  1741. {
  1742. s->server=0;
  1743. s->shutdown=0;
  1744. s->state=SSL_ST_CONNECT|SSL_ST_BEFORE;
  1745. s->handshake_func=s->method->ssl_connect;
  1746. /* clear the current cipher */
  1747. ssl_clear_cipher_ctx(s);
  1748. }
  1749. int ssl_undefined_function(SSL *s)
  1750. {
  1751. SSLerr(SSL_F_SSL_UNDEFINED_FUNCTION,ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
  1752. return(0);
  1753. }
  1754. SSL_METHOD *ssl_bad_method(int ver)
  1755. {
  1756. SSLerr(SSL_F_SSL_BAD_METHOD,ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
  1757. return(NULL);
  1758. }
  1759. const char *SSL_get_version(SSL *s)
  1760. {
  1761. if (s->version == TLS1_VERSION)
  1762. return("TLSv1");
  1763. else if (s->version == SSL3_VERSION)
  1764. return("SSLv3");
  1765. else if (s->version == SSL2_VERSION)
  1766. return("SSLv2");
  1767. else
  1768. return("unknown");
  1769. }
  1770. SSL *SSL_dup(SSL *s)
  1771. {
  1772. STACK_OF(X509_NAME) *sk;
  1773. X509_NAME *xn;
  1774. SSL *ret;
  1775. int i;
  1776. if ((ret=SSL_new(SSL_get_SSL_CTX(s))) == NULL)
  1777. return(NULL);
  1778. ret->version = s->version;
  1779. ret->type = s->type;
  1780. ret->method = s->method;
  1781. if (s->session != NULL)
  1782. {
  1783. /* This copies session-id, SSL_METHOD, sid_ctx, and 'cert' */
  1784. SSL_copy_session_id(ret,s);
  1785. }
  1786. else
  1787. {
  1788. /* No session has been established yet, so we have to expect
  1789. * that s->cert or ret->cert will be changed later --
  1790. * they should not both point to the same object,
  1791. * and thus we can't use SSL_copy_session_id. */
  1792. ret->method->ssl_free(ret);
  1793. ret->method = s->method;
  1794. ret->method->ssl_new(ret);
  1795. if (s->cert != NULL)
  1796. {
  1797. if (ret->cert != NULL)
  1798. {
  1799. ssl_cert_free(ret->cert);
  1800. }
  1801. ret->cert = ssl_cert_dup(s->cert);
  1802. if (ret->cert == NULL)
  1803. goto err;
  1804. }
  1805. SSL_set_session_id_context(ret,
  1806. s->sid_ctx, s->sid_ctx_length);
  1807. }
  1808. ret->options=s->options;
  1809. ret->mode=s->mode;
  1810. SSL_set_max_cert_list(ret,SSL_get_max_cert_list(s));
  1811. SSL_set_read_ahead(ret,SSL_get_read_ahead(s));
  1812. ret->msg_callback = s->msg_callback;
  1813. ret->msg_callback_arg = s->msg_callback_arg;
  1814. SSL_set_verify(ret,SSL_get_verify_mode(s),
  1815. SSL_get_verify_callback(s));
  1816. SSL_set_verify_depth(ret,SSL_get_verify_depth(s));
  1817. ret->generate_session_id = s->generate_session_id;
  1818. SSL_set_info_callback(ret,SSL_get_info_callback(s));
  1819. ret->debug=s->debug;
  1820. /* copy app data, a little dangerous perhaps */
  1821. if (!CRYPTO_dup_ex_data(CRYPTO_EX_INDEX_SSL, &ret->ex_data, &s->ex_data))
  1822. goto err;
  1823. /* setup rbio, and wbio */
  1824. if (s->rbio != NULL)
  1825. {
  1826. if (!BIO_dup_state(s->rbio,(char *)&ret->rbio))
  1827. goto err;
  1828. }
  1829. if (s->wbio != NULL)
  1830. {
  1831. if (s->wbio != s->rbio)
  1832. {
  1833. if (!BIO_dup_state(s->wbio,(char *)&ret->wbio))
  1834. goto err;
  1835. }
  1836. else
  1837. ret->wbio=ret->rbio;
  1838. }
  1839. ret->rwstate = s->rwstate;
  1840. ret->in_handshake = s->in_handshake;
  1841. ret->handshake_func = s->handshake_func;
  1842. ret->server = s->server;
  1843. ret->new_session = s->new_session;
  1844. ret->quiet_shutdown = s->quiet_shutdown;
  1845. ret->shutdown=s->shutdown;
  1846. ret->state=s->state; /* SSL_dup does not really work at any state, though */
  1847. ret->rstate=s->rstate;
  1848. ret->init_num = 0; /* would have to copy ret->init_buf, ret->init_msg, ret->init_num, ret->init_off */
  1849. ret->hit=s->hit;
  1850. ret->purpose=s->purpose;
  1851. ret->trust=s->trust;
  1852. /* dup the cipher_list and cipher_list_by_id stacks */
  1853. if (s->cipher_list != NULL)
  1854. {
  1855. if ((ret->cipher_list=sk_SSL_CIPHER_dup(s->cipher_list)) == NULL)
  1856. goto err;
  1857. }
  1858. if (s->cipher_list_by_id != NULL)
  1859. if ((ret->cipher_list_by_id=sk_SSL_CIPHER_dup(s->cipher_list_by_id))
  1860. == NULL)
  1861. goto err;
  1862. /* Dup the client_CA list */
  1863. if (s->client_CA != NULL)
  1864. {
  1865. if ((sk=sk_X509_NAME_dup(s->client_CA)) == NULL) goto err;
  1866. ret->client_CA=sk;
  1867. for (i=0; i<sk_X509_NAME_num(sk); i++)
  1868. {
  1869. xn=sk_X509_NAME_value(sk,i);
  1870. if (sk_X509_NAME_set(sk,i,X509_NAME_dup(xn)) == NULL)
  1871. {
  1872. X509_NAME_free(xn);
  1873. goto err;
  1874. }
  1875. }
  1876. }
  1877. if (0)
  1878. {
  1879. err:
  1880. if (ret != NULL) SSL_free(ret);
  1881. ret=NULL;
  1882. }
  1883. return(ret);
  1884. }
  1885. void ssl_clear_cipher_ctx(SSL *s)
  1886. {
  1887. if (s->enc_read_ctx != NULL)
  1888. {
  1889. EVP_CIPHER_CTX_cleanup(s->enc_read_ctx);
  1890. OPENSSL_free(s->enc_read_ctx);
  1891. s->enc_read_ctx=NULL;
  1892. }
  1893. if (s->enc_write_ctx != NULL)
  1894. {
  1895. EVP_CIPHER_CTX_cleanup(s->enc_write_ctx);
  1896. OPENSSL_free(s->enc_write_ctx);
  1897. s->enc_write_ctx=NULL;
  1898. }
  1899. if (s->expand != NULL)
  1900. {
  1901. COMP_CTX_free(s->expand);
  1902. s->expand=NULL;
  1903. }
  1904. if (s->compress != NULL)
  1905. {
  1906. COMP_CTX_free(s->compress);
  1907. s->compress=NULL;
  1908. }
  1909. }
  1910. /* Fix this function so that it takes an optional type parameter */
  1911. X509 *SSL_get_certificate(SSL *s)
  1912. {
  1913. if (s->cert != NULL)
  1914. return(s->cert->key->x509);
  1915. else
  1916. return(NULL);
  1917. }
  1918. /* Fix this function so that it takes an optional type parameter */
  1919. EVP_PKEY *SSL_get_privatekey(SSL *s)
  1920. {
  1921. if (s->cert != NULL)
  1922. return(s->cert->key->privatekey);
  1923. else
  1924. return(NULL);
  1925. }
  1926. SSL_CIPHER *SSL_get_current_cipher(SSL *s)
  1927. {
  1928. if ((s->session != NULL) && (s->session->cipher != NULL))
  1929. return(s->session->cipher);
  1930. return(NULL);
  1931. }
  1932. const COMP_METHOD *SSL_get_current_compression(SSL *s)
  1933. {
  1934. if (s->compress != NULL)
  1935. return(s->compress->meth);
  1936. return(NULL);
  1937. }
  1938. const COMP_METHOD *SSL_get_current_expansion(SSL *s)
  1939. {
  1940. if (s->expand != NULL)
  1941. return(s->expand->meth);
  1942. return(NULL);
  1943. }
  1944. int ssl_init_wbio_buffer(SSL *s,int push)
  1945. {
  1946. BIO *bbio;
  1947. if (s->bbio == NULL)
  1948. {
  1949. bbio=BIO_new(BIO_f_buffer());
  1950. if (bbio == NULL) return(0);
  1951. s->bbio=bbio;
  1952. }
  1953. else
  1954. {
  1955. bbio=s->bbio;
  1956. if (s->bbio == s->wbio)
  1957. s->wbio=BIO_pop(s->wbio);
  1958. }
  1959. (void)BIO_reset(bbio);
  1960. /* if (!BIO_set_write_buffer_size(bbio,16*1024)) */
  1961. if (!BIO_set_read_buffer_size(bbio,1))
  1962. {
  1963. SSLerr(SSL_F_SSL_INIT_WBIO_BUFFER,ERR_R_BUF_LIB);
  1964. return(0);
  1965. }
  1966. if (push)
  1967. {
  1968. if (s->wbio != bbio)
  1969. s->wbio=BIO_push(bbio,s->wbio);
  1970. }
  1971. else
  1972. {
  1973. if (s->wbio == bbio)
  1974. s->wbio=BIO_pop(bbio);
  1975. }
  1976. return(1);
  1977. }
  1978. void ssl_free_wbio_buffer(SSL *s)
  1979. {
  1980. if (s->bbio == NULL) return;
  1981. if (s->bbio == s->wbio)
  1982. {
  1983. /* remove buffering */
  1984. s->wbio=BIO_pop(s->wbio);
  1985. #ifdef REF_CHECK /* not the usual REF_CHECK, but this avoids adding one more preprocessor symbol */
  1986. assert(s->wbio != NULL);
  1987. #endif
  1988. }
  1989. BIO_free(s->bbio);
  1990. s->bbio=NULL;
  1991. }
  1992. void SSL_CTX_set_quiet_shutdown(SSL_CTX *ctx,int mode)
  1993. {
  1994. ctx->quiet_shutdown=mode;
  1995. }
  1996. int SSL_CTX_get_quiet_shutdown(SSL_CTX *ctx)
  1997. {
  1998. return(ctx->quiet_shutdown);
  1999. }
  2000. void SSL_set_quiet_shutdown(SSL *s,int mode)
  2001. {
  2002. s->quiet_shutdown=mode;
  2003. }
  2004. int SSL_get_quiet_shutdown(SSL *s)
  2005. {
  2006. return(s->quiet_shutdown);
  2007. }
  2008. void SSL_set_shutdown(SSL *s,int mode)
  2009. {
  2010. s->shutdown=mode;
  2011. }
  2012. int SSL_get_shutdown(SSL *s)
  2013. {
  2014. return(s->shutdown);
  2015. }
  2016. int SSL_version(SSL *s)
  2017. {
  2018. return(s->version);
  2019. }
  2020. SSL_CTX *SSL_get_SSL_CTX(SSL *ssl)
  2021. {
  2022. return(ssl->ctx);
  2023. }
  2024. #ifndef OPENSSL_NO_STDIO
  2025. int SSL_CTX_set_default_verify_paths(SSL_CTX *ctx)
  2026. {
  2027. return(X509_STORE_set_default_paths(ctx->cert_store));
  2028. }
  2029. int SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile,
  2030. const char *CApath)
  2031. {
  2032. return(X509_STORE_load_locations(ctx->cert_store,CAfile,CApath));
  2033. }
  2034. #endif
  2035. void SSL_set_info_callback(SSL *ssl,
  2036. void (*cb)(const SSL *ssl,int type,int val))
  2037. {
  2038. ssl->info_callback=cb;
  2039. }
  2040. void (*SSL_get_info_callback(SSL *ssl))(const SSL *ssl,int type,int val)
  2041. {
  2042. return ssl->info_callback;
  2043. }
  2044. int SSL_state(SSL *ssl)
  2045. {
  2046. return(ssl->state);
  2047. }
  2048. void SSL_set_verify_result(SSL *ssl,long arg)
  2049. {
  2050. ssl->verify_result=arg;
  2051. }
  2052. long SSL_get_verify_result(SSL *ssl)
  2053. {
  2054. return(ssl->verify_result);
  2055. }
  2056. int SSL_get_ex_new_index(long argl,void *argp,CRYPTO_EX_new *new_func,
  2057. CRYPTO_EX_dup *dup_func,CRYPTO_EX_free *free_func)
  2058. {
  2059. return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_SSL, argl, argp,
  2060. new_func, dup_func, free_func);
  2061. }
  2062. int SSL_set_ex_data(SSL *s,int idx,void *arg)
  2063. {
  2064. return(CRYPTO_set_ex_data(&s->ex_data,idx,arg));
  2065. }
  2066. void *SSL_get_ex_data(SSL *s,int idx)
  2067. {
  2068. return(CRYPTO_get_ex_data(&s->ex_data,idx));
  2069. }
  2070. int SSL_CTX_get_ex_new_index(long argl,void *argp,CRYPTO_EX_new *new_func,
  2071. CRYPTO_EX_dup *dup_func,CRYPTO_EX_free *free_func)
  2072. {
  2073. return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_SSL_CTX, argl, argp,
  2074. new_func, dup_func, free_func);
  2075. }
  2076. int SSL_CTX_set_ex_data(SSL_CTX *s,int idx,void *arg)
  2077. {
  2078. return(CRYPTO_set_ex_data(&s->ex_data,idx,arg));
  2079. }
  2080. void *SSL_CTX_get_ex_data(SSL_CTX *s,int idx)
  2081. {
  2082. return(CRYPTO_get_ex_data(&s->ex_data,idx));
  2083. }
  2084. int ssl_ok(SSL *s)
  2085. {
  2086. return(1);
  2087. }
  2088. X509_STORE *SSL_CTX_get_cert_store(SSL_CTX *ctx)
  2089. {
  2090. return(ctx->cert_store);
  2091. }
  2092. void SSL_CTX_set_cert_store(SSL_CTX *ctx,X509_STORE *store)
  2093. {
  2094. if (ctx->cert_store != NULL)
  2095. X509_STORE_free(ctx->cert_store);
  2096. ctx->cert_store=store;
  2097. }
  2098. int SSL_want(SSL *s)
  2099. {
  2100. return(s->rwstate);
  2101. }
  2102. /*!
  2103. * \brief Set the callback for generating temporary RSA keys.
  2104. * \param ctx the SSL context.
  2105. * \param cb the callback
  2106. */
  2107. #ifndef OPENSSL_NO_RSA
  2108. void SSL_CTX_set_tmp_rsa_callback(SSL_CTX *ctx,RSA *(*cb)(SSL *ssl,
  2109. int is_export,
  2110. int keylength))
  2111. {
  2112. SSL_CTX_callback_ctrl(ctx,SSL_CTRL_SET_TMP_RSA_CB,(void (*)())cb);
  2113. }
  2114. void SSL_set_tmp_rsa_callback(SSL *ssl,RSA *(*cb)(SSL *ssl,
  2115. int is_export,
  2116. int keylength))
  2117. {
  2118. SSL_callback_ctrl(ssl,SSL_CTRL_SET_TMP_RSA_CB,(void (*)())cb);
  2119. }
  2120. #endif
  2121. #ifdef DOXYGEN
  2122. /*!
  2123. * \brief The RSA temporary key callback function.
  2124. * \param ssl the SSL session.
  2125. * \param is_export \c TRUE if the temp RSA key is for an export ciphersuite.
  2126. * \param keylength if \c is_export is \c TRUE, then \c keylength is the size
  2127. * of the required key in bits.
  2128. * \return the temporary RSA key.
  2129. * \sa SSL_CTX_set_tmp_rsa_callback, SSL_set_tmp_rsa_callback
  2130. */
  2131. RSA *cb(SSL *ssl,int is_export,int keylength)
  2132. {}
  2133. #endif
  2134. /*!
  2135. * \brief Set the callback for generating temporary DH keys.
  2136. * \param ctx the SSL context.
  2137. * \param dh the callback
  2138. */
  2139. #ifndef OPENSSL_NO_DH
  2140. void SSL_CTX_set_tmp_dh_callback(SSL_CTX *ctx,DH *(*dh)(SSL *ssl,int is_export,
  2141. int keylength))
  2142. {
  2143. SSL_CTX_callback_ctrl(ctx,SSL_CTRL_SET_TMP_DH_CB,(void (*)())dh);
  2144. }
  2145. void SSL_set_tmp_dh_callback(SSL *ssl,DH *(*dh)(SSL *ssl,int is_export,
  2146. int keylength))
  2147. {
  2148. SSL_callback_ctrl(ssl,SSL_CTRL_SET_TMP_DH_CB,(void (*)())dh);
  2149. }
  2150. #endif
  2151. #ifndef OPENSSL_NO_ECDH
  2152. void SSL_CTX_set_tmp_ecdh_callback(SSL_CTX *ctx,EC_KEY *(*ecdh)(SSL *ssl,int is_export,
  2153. int keylength))
  2154. {
  2155. SSL_CTX_callback_ctrl(ctx,SSL_CTRL_SET_TMP_ECDH_CB,(void (*)())ecdh);
  2156. }
  2157. void SSL_set_tmp_ecdh_callback(SSL *ssl,EC_KEY *(*ecdh)(SSL *ssl,int is_export,
  2158. int keylength))
  2159. {
  2160. SSL_callback_ctrl(ssl,SSL_CTRL_SET_TMP_ECDH_CB,(void (*)())ecdh);
  2161. }
  2162. #endif
  2163. void SSL_CTX_set_msg_callback(SSL_CTX *ctx, void (*cb)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg))
  2164. {
  2165. SSL_CTX_callback_ctrl(ctx, SSL_CTRL_SET_MSG_CALLBACK, (void (*)())cb);
  2166. }
  2167. void SSL_set_msg_callback(SSL *ssl, void (*cb)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg))
  2168. {
  2169. SSL_callback_ctrl(ssl, SSL_CTRL_SET_MSG_CALLBACK, (void (*)())cb);
  2170. }
  2171. #if defined(_WINDLL) && defined(OPENSSL_SYS_WIN16)
  2172. #include "../crypto/bio/bss_file.c"
  2173. #endif
  2174. IMPLEMENT_STACK_OF(SSL_CIPHER)
  2175. IMPLEMENT_STACK_OF(SSL_COMP)