|
1 /*! \file ssl/ssl_lib.c |
|
2 * \brief Version independent SSL functions. |
|
3 */ |
|
4 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
|
5 * All rights reserved. |
|
6 * |
|
7 * This package is an SSL implementation written |
|
8 * by Eric Young (eay@cryptsoft.com). |
|
9 * The implementation was written so as to conform with Netscapes SSL. |
|
10 * |
|
11 * This library is free for commercial and non-commercial use as long as |
|
12 * the following conditions are aheared to. The following conditions |
|
13 * apply to all code found in this distribution, be it the RC4, RSA, |
|
14 * lhash, DES, etc., code; not just the SSL code. The SSL documentation |
|
15 * included with this distribution is covered by the same copyright terms |
|
16 * except that the holder is Tim Hudson (tjh@cryptsoft.com). |
|
17 * |
|
18 * Copyright remains Eric Young's, and as such any Copyright notices in |
|
19 * the code are not to be removed. |
|
20 * If this package is used in a product, Eric Young should be given attribution |
|
21 * as the author of the parts of the library used. |
|
22 * This can be in the form of a textual message at program startup or |
|
23 * in documentation (online or textual) provided with the package. |
|
24 * |
|
25 * Redistribution and use in source and binary forms, with or without |
|
26 * modification, are permitted provided that the following conditions |
|
27 * are met: |
|
28 * 1. Redistributions of source code must retain the copyright |
|
29 * notice, this list of conditions and the following disclaimer. |
|
30 * 2. Redistributions in binary form must reproduce the above copyright |
|
31 * notice, this list of conditions and the following disclaimer in the |
|
32 * documentation and/or other materials provided with the distribution. |
|
33 * 3. All advertising materials mentioning features or use of this software |
|
34 * must display the following acknowledgement: |
|
35 * "This product includes cryptographic software written by |
|
36 * Eric Young (eay@cryptsoft.com)" |
|
37 * The word 'cryptographic' can be left out if the rouines from the library |
|
38 * being used are not cryptographic related :-). |
|
39 * 4. If you include any Windows specific code (or a derivative thereof) from |
|
40 * the apps directory (application code) you must include an acknowledgement: |
|
41 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" |
|
42 * |
|
43 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND |
|
44 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
|
45 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE |
|
46 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE |
|
47 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL |
|
48 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS |
|
49 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) |
|
50 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT |
|
51 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY |
|
52 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF |
|
53 * SUCH DAMAGE. |
|
54 * |
|
55 * The licence and distribution terms for any publically available version or |
|
56 * derivative of this code cannot be changed. i.e. this code cannot simply be |
|
57 * copied and put under another distribution licence |
|
58 * [including the GNU Public Licence.] |
|
59 */ |
|
60 /* ==================================================================== |
|
61 * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved. |
|
62 * |
|
63 * Redistribution and use in source and binary forms, with or without |
|
64 * modification, are permitted provided that the following conditions |
|
65 * are met: |
|
66 * |
|
67 * 1. Redistributions of source code must retain the above copyright |
|
68 * notice, this list of conditions and the following disclaimer. |
|
69 * |
|
70 * 2. Redistributions in binary form must reproduce the above copyright |
|
71 * notice, this list of conditions and the following disclaimer in |
|
72 * the documentation and/or other materials provided with the |
|
73 * distribution. |
|
74 * |
|
75 * 3. All advertising materials mentioning features or use of this |
|
76 * software must display the following acknowledgment: |
|
77 * "This product includes software developed by the OpenSSL Project |
|
78 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" |
|
79 * |
|
80 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to |
|
81 * endorse or promote products derived from this software without |
|
82 * prior written permission. For written permission, please contact |
|
83 * openssl-core@openssl.org. |
|
84 * |
|
85 * 5. Products derived from this software may not be called "OpenSSL" |
|
86 * nor may "OpenSSL" appear in their names without prior written |
|
87 * permission of the OpenSSL Project. |
|
88 * |
|
89 * 6. Redistributions of any form whatsoever must retain the following |
|
90 * acknowledgment: |
|
91 * "This product includes software developed by the OpenSSL Project |
|
92 * for use in the OpenSSL Toolkit (http://www.openssl.org/)" |
|
93 * |
|
94 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY |
|
95 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
|
96 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR |
|
97 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR |
|
98 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, |
|
99 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT |
|
100 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; |
|
101 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) |
|
102 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, |
|
103 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) |
|
104 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED |
|
105 * OF THE POSSIBILITY OF SUCH DAMAGE. |
|
106 * ==================================================================== |
|
107 * |
|
108 * This product includes cryptographic software written by Eric Young |
|
109 * (eay@cryptsoft.com). This product includes software written by Tim |
|
110 * Hudson (tjh@cryptsoft.com). |
|
111 * |
|
112 */ |
|
113 /* ==================================================================== |
|
114 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. |
|
115 * ECC cipher suite support in OpenSSL originally developed by |
|
116 * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project. |
|
117 */ |
|
118 /* |
|
119 © Portions copyright (c) 2006 Nokia Corporation. All rights reserved. |
|
120 */ |
|
121 |
|
122 #ifdef REF_CHECK |
|
123 # include <assert.h> |
|
124 #endif |
|
125 #include <stdio.h> |
|
126 #include "ssl_locl.h" |
|
127 #include "kssl_lcl.h" |
|
128 #include <openssl/objects.h> |
|
129 #include <openssl/lhash.h> |
|
130 #include <openssl/x509v3.h> |
|
131 #ifndef OPENSSL_NO_DH |
|
132 #include <openssl/dh.h> |
|
133 #endif |
|
134 |
|
135 #ifdef EMULATOR |
|
136 #include "libssl_wsd.h" |
|
137 #endif |
|
138 |
|
139 const char *SSL_version_str=OPENSSL_VERSION_TEXT; |
|
140 |
|
141 #ifdef EMULATOR |
|
142 GET_GLOBAL_VAR_FROM_TLS(ssl3_undef_enc_method,ssl_lib,SSL3_ENC_METHOD) |
|
143 |
|
144 #define ssl3_undef_enc_method (GET_WSD_VAR_NAME(ssl3_undef_enc_method,ssl_lib,g)()) |
|
145 #endif |
|
146 |
|
147 #ifndef EMULATOR |
|
148 SSL3_ENC_METHOD ssl3_undef_enc_method={ |
|
149 #else |
|
150 const SSL3_ENC_METHOD temp_ssl3_undef_enc_method={ |
|
151 #endif |
|
152 /* evil casts, but these functions are only called if there's a library bug */ |
|
153 (int (*)(SSL *,int))ssl_undefined_function, |
|
154 (int (*)(SSL *, unsigned char *, int))ssl_undefined_function, |
|
155 ssl_undefined_function, |
|
156 (int (*)(SSL *, unsigned char *, unsigned char *, int))ssl_undefined_function, |
|
157 (int (*)(SSL*, int))ssl_undefined_function, |
|
158 (int (*)(SSL *, EVP_MD_CTX *, EVP_MD_CTX *, const char*, int, unsigned char *))ssl_undefined_function, |
|
159 0, /* finish_mac_length */ |
|
160 (int (*)(SSL *, EVP_MD_CTX *, unsigned char *))ssl_undefined_function, |
|
161 NULL, /* client_finished_label */ |
|
162 0, /* client_finished_label_len */ |
|
163 NULL, /* server_finished_label */ |
|
164 0, /* server_finished_label_len */ |
|
165 (int (*)(int))ssl_undefined_function |
|
166 }; |
|
167 |
|
168 EXPORT_C int SSL_clear(SSL *s) |
|
169 { |
|
170 |
|
171 if (s->method == NULL) |
|
172 { |
|
173 SSLerr(SSL_F_SSL_CLEAR,SSL_R_NO_METHOD_SPECIFIED); |
|
174 return(0); |
|
175 } |
|
176 |
|
177 if (ssl_clear_bad_session(s)) |
|
178 { |
|
179 SSL_SESSION_free(s->session); |
|
180 s->session=NULL; |
|
181 } |
|
182 |
|
183 s->error=0; |
|
184 s->hit=0; |
|
185 s->shutdown=0; |
|
186 |
|
187 #if 0 /* Disabled since version 1.10 of this file (early return not |
|
188 * needed because SSL_clear is not called when doing renegotiation) */ |
|
189 /* This is set if we are doing dynamic renegotiation so keep |
|
190 * the old cipher. It is sort of a SSL_clear_lite :-) */ |
|
191 if (s->new_session) return(1); |
|
192 #else |
|
193 if (s->new_session) |
|
194 { |
|
195 SSLerr(SSL_F_SSL_CLEAR,ERR_R_INTERNAL_ERROR); |
|
196 return 0; |
|
197 } |
|
198 #endif |
|
199 |
|
200 s->type=0; |
|
201 |
|
202 s->state=SSL_ST_BEFORE|((s->server)?SSL_ST_ACCEPT:SSL_ST_CONNECT); |
|
203 |
|
204 s->version=s->method->version; |
|
205 s->client_version=s->version; |
|
206 s->rwstate=SSL_NOTHING; |
|
207 s->rstate=SSL_ST_READ_HEADER; |
|
208 #if 0 |
|
209 s->read_ahead=s->ctx->read_ahead; |
|
210 #endif |
|
211 |
|
212 if (s->init_buf != NULL) |
|
213 { |
|
214 BUF_MEM_free(s->init_buf); |
|
215 s->init_buf=NULL; |
|
216 } |
|
217 |
|
218 ssl_clear_cipher_ctx(s); |
|
219 |
|
220 s->first_packet=0; |
|
221 |
|
222 #if 1 |
|
223 /* Check to see if we were changed into a different method, if |
|
224 * so, revert back if we are not doing session-id reuse. */ |
|
225 if (!s->in_handshake && (s->session == NULL) && (s->method != s->ctx->method)) |
|
226 { |
|
227 s->method->ssl_free(s); |
|
228 s->method=s->ctx->method; |
|
229 if (!s->method->ssl_new(s)) |
|
230 return(0); |
|
231 } |
|
232 else |
|
233 #endif |
|
234 s->method->ssl_clear(s); |
|
235 return(1); |
|
236 } |
|
237 |
|
238 /** Used to change an SSL_CTXs default SSL method type */ |
|
239 EXPORT_C int SSL_CTX_set_ssl_version(SSL_CTX *ctx,SSL_METHOD *meth) |
|
240 { |
|
241 STACK_OF(SSL_CIPHER) *sk; |
|
242 |
|
243 ctx->method=meth; |
|
244 |
|
245 sk=ssl_create_cipher_list(ctx->method,&(ctx->cipher_list), |
|
246 &(ctx->cipher_list_by_id),SSL_DEFAULT_CIPHER_LIST); |
|
247 if ((sk == NULL) || (sk_SSL_CIPHER_num(sk) <= 0)) |
|
248 { |
|
249 SSLerr(SSL_F_SSL_CTX_SET_SSL_VERSION,SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS); |
|
250 return(0); |
|
251 } |
|
252 return(1); |
|
253 } |
|
254 |
|
255 EXPORT_C SSL *SSL_new(SSL_CTX *ctx) |
|
256 { |
|
257 SSL *s; |
|
258 |
|
259 if (ctx == NULL) |
|
260 { |
|
261 SSLerr(SSL_F_SSL_NEW,SSL_R_NULL_SSL_CTX); |
|
262 return(NULL); |
|
263 } |
|
264 if (ctx->method == NULL) |
|
265 { |
|
266 SSLerr(SSL_F_SSL_NEW,SSL_R_SSL_CTX_HAS_NO_DEFAULT_SSL_VERSION); |
|
267 return(NULL); |
|
268 } |
|
269 |
|
270 s=(SSL *)OPENSSL_malloc(sizeof(SSL)); |
|
271 if (s == NULL) goto err; |
|
272 memset(s,0,sizeof(SSL)); |
|
273 |
|
274 #ifndef OPENSSL_NO_KRB5 |
|
275 s->kssl_ctx = kssl_ctx_new(); |
|
276 #endif /* OPENSSL_NO_KRB5 */ |
|
277 |
|
278 s->options=ctx->options; |
|
279 s->mode=ctx->mode; |
|
280 s->max_cert_list=ctx->max_cert_list; |
|
281 |
|
282 if (ctx->cert != NULL) |
|
283 { |
|
284 /* Earlier library versions used to copy the pointer to |
|
285 * the CERT, not its contents; only when setting new |
|
286 * parameters for the per-SSL copy, ssl_cert_new would be |
|
287 * called (and the direct reference to the per-SSL_CTX |
|
288 * settings would be lost, but those still were indirectly |
|
289 * accessed for various purposes, and for that reason they |
|
290 * used to be known as s->ctx->default_cert). |
|
291 * Now we don't look at the SSL_CTX's CERT after having |
|
292 * duplicated it once. */ |
|
293 |
|
294 s->cert = ssl_cert_dup(ctx->cert); |
|
295 if (s->cert == NULL) |
|
296 goto err; |
|
297 } |
|
298 else |
|
299 s->cert=NULL; /* Cannot really happen (see SSL_CTX_new) */ |
|
300 |
|
301 s->read_ahead=ctx->read_ahead; |
|
302 s->msg_callback=ctx->msg_callback; |
|
303 s->msg_callback_arg=ctx->msg_callback_arg; |
|
304 s->verify_mode=ctx->verify_mode; |
|
305 #if 0 |
|
306 s->verify_depth=ctx->verify_depth; |
|
307 #endif |
|
308 s->sid_ctx_length=ctx->sid_ctx_length; |
|
309 OPENSSL_assert(s->sid_ctx_length <= sizeof s->sid_ctx); |
|
310 memcpy(&s->sid_ctx,&ctx->sid_ctx,sizeof(s->sid_ctx)); |
|
311 s->verify_callback=ctx->default_verify_callback; |
|
312 s->generate_session_id=ctx->generate_session_id; |
|
313 |
|
314 s->param = X509_VERIFY_PARAM_new(); |
|
315 if (!s->param) |
|
316 goto err; |
|
317 X509_VERIFY_PARAM_inherit(s->param, ctx->param); |
|
318 #if 0 |
|
319 s->purpose = ctx->purpose; |
|
320 s->trust = ctx->trust; |
|
321 #endif |
|
322 s->quiet_shutdown=ctx->quiet_shutdown; |
|
323 |
|
324 CRYPTO_add(&ctx->references,1,CRYPTO_LOCK_SSL_CTX); |
|
325 s->ctx=ctx; |
|
326 |
|
327 s->verify_result=X509_V_OK; |
|
328 |
|
329 s->method=ctx->method; |
|
330 |
|
331 if (!s->method->ssl_new(s)) |
|
332 goto err; |
|
333 |
|
334 s->references=1; |
|
335 s->server=(ctx->method->ssl_accept == ssl_undefined_function)?0:1; |
|
336 |
|
337 SSL_clear(s); |
|
338 |
|
339 CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL, s, &s->ex_data); |
|
340 |
|
341 return(s); |
|
342 err: |
|
343 if (s != NULL) |
|
344 { |
|
345 if (s->cert != NULL) |
|
346 ssl_cert_free(s->cert); |
|
347 if (s->ctx != NULL) |
|
348 SSL_CTX_free(s->ctx); /* decrement reference count */ |
|
349 OPENSSL_free(s); |
|
350 } |
|
351 SSLerr(SSL_F_SSL_NEW,ERR_R_MALLOC_FAILURE); |
|
352 return(NULL); |
|
353 } |
|
354 |
|
355 EXPORT_C int SSL_CTX_set_session_id_context(SSL_CTX *ctx,const unsigned char *sid_ctx, |
|
356 unsigned int sid_ctx_len) |
|
357 { |
|
358 if(sid_ctx_len > sizeof ctx->sid_ctx) |
|
359 { |
|
360 SSLerr(SSL_F_SSL_CTX_SET_SESSION_ID_CONTEXT,SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG); |
|
361 return 0; |
|
362 } |
|
363 ctx->sid_ctx_length=sid_ctx_len; |
|
364 memcpy(ctx->sid_ctx,sid_ctx,sid_ctx_len); |
|
365 |
|
366 return 1; |
|
367 } |
|
368 |
|
369 EXPORT_C int SSL_set_session_id_context(SSL *ssl,const unsigned char *sid_ctx, |
|
370 unsigned int sid_ctx_len) |
|
371 { |
|
372 if(sid_ctx_len > SSL_MAX_SID_CTX_LENGTH) |
|
373 { |
|
374 SSLerr(SSL_F_SSL_SET_SESSION_ID_CONTEXT,SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG); |
|
375 return 0; |
|
376 } |
|
377 ssl->sid_ctx_length=sid_ctx_len; |
|
378 memcpy(ssl->sid_ctx,sid_ctx,sid_ctx_len); |
|
379 |
|
380 return 1; |
|
381 } |
|
382 |
|
383 EXPORT_C int SSL_CTX_set_generate_session_id(SSL_CTX *ctx, GEN_SESSION_CB cb) |
|
384 { |
|
385 CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX); |
|
386 ctx->generate_session_id = cb; |
|
387 CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX); |
|
388 return 1; |
|
389 } |
|
390 |
|
391 EXPORT_C int SSL_set_generate_session_id(SSL *ssl, GEN_SESSION_CB cb) |
|
392 { |
|
393 CRYPTO_w_lock(CRYPTO_LOCK_SSL); |
|
394 ssl->generate_session_id = cb; |
|
395 CRYPTO_w_unlock(CRYPTO_LOCK_SSL); |
|
396 return 1; |
|
397 } |
|
398 |
|
399 EXPORT_C int SSL_has_matching_session_id(const SSL *ssl, const unsigned char *id, |
|
400 unsigned int id_len) |
|
401 { |
|
402 /* A quick examination of SSL_SESSION_hash and SSL_SESSION_cmp shows how |
|
403 * we can "construct" a session to give us the desired check - ie. to |
|
404 * find if there's a session in the hash table that would conflict with |
|
405 * any new session built out of this id/id_len and the ssl_version in |
|
406 * use by this SSL. */ |
|
407 SSL_SESSION r, *p; |
|
408 |
|
409 if(id_len > sizeof r.session_id) |
|
410 return 0; |
|
411 |
|
412 r.ssl_version = ssl->version; |
|
413 r.session_id_length = id_len; |
|
414 memcpy(r.session_id, id, id_len); |
|
415 /* NB: SSLv2 always uses a fixed 16-byte session ID, so even if a |
|
416 * callback is calling us to check the uniqueness of a shorter ID, it |
|
417 * must be compared as a padded-out ID because that is what it will be |
|
418 * converted to when the callback has finished choosing it. */ |
|
419 if((r.ssl_version == SSL2_VERSION) && |
|
420 (id_len < SSL2_SSL_SESSION_ID_LENGTH)) |
|
421 { |
|
422 memset(r.session_id + id_len, 0, |
|
423 SSL2_SSL_SESSION_ID_LENGTH - id_len); |
|
424 r.session_id_length = SSL2_SSL_SESSION_ID_LENGTH; |
|
425 } |
|
426 |
|
427 CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX); |
|
428 p = (SSL_SESSION *)lh_retrieve(ssl->ctx->sessions, &r); |
|
429 CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX); |
|
430 return (p != NULL); |
|
431 } |
|
432 |
|
433 EXPORT_C int SSL_CTX_set_purpose(SSL_CTX *s, int purpose) |
|
434 { |
|
435 return X509_VERIFY_PARAM_set_purpose(s->param, purpose); |
|
436 } |
|
437 |
|
438 EXPORT_C int SSL_set_purpose(SSL *s, int purpose) |
|
439 { |
|
440 return X509_VERIFY_PARAM_set_purpose(s->param, purpose); |
|
441 } |
|
442 |
|
443 EXPORT_C int SSL_CTX_set_trust(SSL_CTX *s, int trust) |
|
444 { |
|
445 return X509_VERIFY_PARAM_set_trust(s->param, trust); |
|
446 } |
|
447 |
|
448 EXPORT_C int SSL_set_trust(SSL *s, int trust) |
|
449 { |
|
450 return X509_VERIFY_PARAM_set_trust(s->param, trust); |
|
451 } |
|
452 |
|
453 EXPORT_C void SSL_free(SSL *s) |
|
454 { |
|
455 int i; |
|
456 |
|
457 if(s == NULL) |
|
458 return; |
|
459 |
|
460 i=CRYPTO_add(&s->references,-1,CRYPTO_LOCK_SSL); |
|
461 #ifdef REF_PRINT |
|
462 REF_PRINT("SSL",s); |
|
463 #endif |
|
464 if (i > 0) return; |
|
465 #ifdef REF_CHECK |
|
466 if (i < 0) |
|
467 { |
|
468 fprintf(stderr,"SSL_free, bad reference count\n"); |
|
469 abort(); /* ok */ |
|
470 } |
|
471 #endif |
|
472 |
|
473 if (s->param) |
|
474 X509_VERIFY_PARAM_free(s->param); |
|
475 |
|
476 CRYPTO_free_ex_data(CRYPTO_EX_INDEX_SSL, s, &s->ex_data); |
|
477 |
|
478 if (s->bbio != NULL) |
|
479 { |
|
480 /* If the buffering BIO is in place, pop it off */ |
|
481 if (s->bbio == s->wbio) |
|
482 { |
|
483 s->wbio=BIO_pop(s->wbio); |
|
484 } |
|
485 BIO_free(s->bbio); |
|
486 s->bbio=NULL; |
|
487 } |
|
488 if (s->rbio != NULL) |
|
489 BIO_free_all(s->rbio); |
|
490 if ((s->wbio != NULL) && (s->wbio != s->rbio)) |
|
491 BIO_free_all(s->wbio); |
|
492 |
|
493 if (s->init_buf != NULL) BUF_MEM_free(s->init_buf); |
|
494 |
|
495 /* add extra stuff */ |
|
496 if (s->cipher_list != NULL) sk_SSL_CIPHER_free(s->cipher_list); |
|
497 if (s->cipher_list_by_id != NULL) sk_SSL_CIPHER_free(s->cipher_list_by_id); |
|
498 |
|
499 /* Make the next call work :-) */ |
|
500 if (s->session != NULL) |
|
501 { |
|
502 ssl_clear_bad_session(s); |
|
503 SSL_SESSION_free(s->session); |
|
504 } |
|
505 |
|
506 ssl_clear_cipher_ctx(s); |
|
507 |
|
508 if (s->cert != NULL) ssl_cert_free(s->cert); |
|
509 /* Free up if allocated */ |
|
510 |
|
511 if (s->ctx) SSL_CTX_free(s->ctx); |
|
512 if (s->client_CA != NULL) |
|
513 sk_X509_NAME_pop_free(s->client_CA,X509_NAME_free); |
|
514 |
|
515 if (s->method != NULL) s->method->ssl_free(s); |
|
516 |
|
517 #ifndef OPENSSL_NO_KRB5 |
|
518 if (s->kssl_ctx != NULL) |
|
519 kssl_ctx_free(s->kssl_ctx); |
|
520 #endif /* OPENSSL_NO_KRB5 */ |
|
521 |
|
522 OPENSSL_free(s); |
|
523 } |
|
524 |
|
525 EXPORT_C void SSL_set_bio(SSL *s,BIO *rbio,BIO *wbio) |
|
526 { |
|
527 /* If the output buffering BIO is still in place, remove it |
|
528 */ |
|
529 if (s->bbio != NULL) |
|
530 { |
|
531 if (s->wbio == s->bbio) |
|
532 { |
|
533 s->wbio=s->wbio->next_bio; |
|
534 s->bbio->next_bio=NULL; |
|
535 } |
|
536 } |
|
537 if ((s->rbio != NULL) && (s->rbio != rbio)) |
|
538 BIO_free_all(s->rbio); |
|
539 if ((s->wbio != NULL) && (s->wbio != wbio) && (s->rbio != s->wbio)) |
|
540 BIO_free_all(s->wbio); |
|
541 s->rbio=rbio; |
|
542 s->wbio=wbio; |
|
543 } |
|
544 |
|
545 EXPORT_C BIO *SSL_get_rbio(const SSL *s) |
|
546 { return(s->rbio); } |
|
547 |
|
548 EXPORT_C BIO *SSL_get_wbio(const SSL *s) |
|
549 { return(s->wbio); } |
|
550 |
|
551 EXPORT_C int SSL_get_fd(const SSL *s) |
|
552 { |
|
553 return(SSL_get_rfd(s)); |
|
554 } |
|
555 |
|
556 EXPORT_C int SSL_get_rfd(const SSL *s) |
|
557 { |
|
558 int ret= -1; |
|
559 BIO *b,*r; |
|
560 |
|
561 b=SSL_get_rbio(s); |
|
562 r=BIO_find_type(b,BIO_TYPE_DESCRIPTOR); |
|
563 if (r != NULL) |
|
564 BIO_get_fd(r,&ret); |
|
565 return(ret); |
|
566 } |
|
567 |
|
568 EXPORT_C int SSL_get_wfd(const SSL *s) |
|
569 { |
|
570 int ret= -1; |
|
571 BIO *b,*r; |
|
572 |
|
573 b=SSL_get_wbio(s); |
|
574 r=BIO_find_type(b,BIO_TYPE_DESCRIPTOR); |
|
575 if (r != NULL) |
|
576 BIO_get_fd(r,&ret); |
|
577 return(ret); |
|
578 } |
|
579 |
|
580 #ifndef OPENSSL_NO_SOCK |
|
581 EXPORT_C int SSL_set_fd(SSL *s,int fd) |
|
582 { |
|
583 int ret=0; |
|
584 BIO *bio=NULL; |
|
585 |
|
586 bio=BIO_new(BIO_s_socket()); |
|
587 |
|
588 if (bio == NULL) |
|
589 { |
|
590 SSLerr(SSL_F_SSL_SET_FD,ERR_R_BUF_LIB); |
|
591 goto err; |
|
592 } |
|
593 BIO_set_fd(bio,fd,BIO_NOCLOSE); |
|
594 SSL_set_bio(s,bio,bio); |
|
595 ret=1; |
|
596 err: |
|
597 return(ret); |
|
598 } |
|
599 |
|
600 EXPORT_C int SSL_set_wfd(SSL *s,int fd) |
|
601 { |
|
602 int ret=0; |
|
603 BIO *bio=NULL; |
|
604 |
|
605 if ((s->rbio == NULL) || (BIO_method_type(s->rbio) != BIO_TYPE_SOCKET) |
|
606 || ((int)BIO_get_fd(s->rbio,NULL) != fd)) |
|
607 { |
|
608 bio=BIO_new(BIO_s_socket()); |
|
609 |
|
610 if (bio == NULL) |
|
611 { SSLerr(SSL_F_SSL_SET_WFD,ERR_R_BUF_LIB); goto err; } |
|
612 BIO_set_fd(bio,fd,BIO_NOCLOSE); |
|
613 SSL_set_bio(s,SSL_get_rbio(s),bio); |
|
614 } |
|
615 else |
|
616 SSL_set_bio(s,SSL_get_rbio(s),SSL_get_rbio(s)); |
|
617 ret=1; |
|
618 err: |
|
619 return(ret); |
|
620 } |
|
621 |
|
622 EXPORT_C int SSL_set_rfd(SSL *s,int fd) |
|
623 { |
|
624 int ret=0; |
|
625 BIO *bio=NULL; |
|
626 |
|
627 if ((s->wbio == NULL) || (BIO_method_type(s->wbio) != BIO_TYPE_SOCKET) |
|
628 || ((int)BIO_get_fd(s->wbio,NULL) != fd)) |
|
629 { |
|
630 bio=BIO_new(BIO_s_socket()); |
|
631 |
|
632 if (bio == NULL) |
|
633 { |
|
634 SSLerr(SSL_F_SSL_SET_RFD,ERR_R_BUF_LIB); |
|
635 goto err; |
|
636 } |
|
637 BIO_set_fd(bio,fd,BIO_NOCLOSE); |
|
638 SSL_set_bio(s,bio,SSL_get_wbio(s)); |
|
639 } |
|
640 else |
|
641 SSL_set_bio(s,SSL_get_wbio(s),SSL_get_wbio(s)); |
|
642 ret=1; |
|
643 err: |
|
644 return(ret); |
|
645 } |
|
646 #endif |
|
647 |
|
648 |
|
649 /* return length of latest Finished message we sent, copy to 'buf' */ |
|
650 EXPORT_C size_t SSL_get_finished(const SSL *s, void *buf, size_t count) |
|
651 { |
|
652 size_t ret = 0; |
|
653 |
|
654 if (s->s3 != NULL) |
|
655 { |
|
656 ret = s->s3->tmp.finish_md_len; |
|
657 if (count > ret) |
|
658 count = ret; |
|
659 memcpy(buf, s->s3->tmp.finish_md, count); |
|
660 } |
|
661 return ret; |
|
662 } |
|
663 |
|
664 /* return length of latest Finished message we expected, copy to 'buf' */ |
|
665 EXPORT_C size_t SSL_get_peer_finished(const SSL *s, void *buf, size_t count) |
|
666 { |
|
667 size_t ret = 0; |
|
668 |
|
669 if (s->s3 != NULL) |
|
670 { |
|
671 ret = s->s3->tmp.peer_finish_md_len; |
|
672 if (count > ret) |
|
673 count = ret; |
|
674 memcpy(buf, s->s3->tmp.peer_finish_md, count); |
|
675 } |
|
676 return ret; |
|
677 } |
|
678 |
|
679 |
|
680 EXPORT_C int SSL_get_verify_mode(const SSL *s) |
|
681 { |
|
682 return(s->verify_mode); |
|
683 } |
|
684 |
|
685 EXPORT_C int SSL_get_verify_depth(const SSL *s) |
|
686 { |
|
687 return X509_VERIFY_PARAM_get_depth(s->param); |
|
688 } |
|
689 |
|
690 EXPORT_C int (*SSL_get_verify_callback(const SSL *s))(int,X509_STORE_CTX *) |
|
691 { |
|
692 return(s->verify_callback); |
|
693 } |
|
694 |
|
695 EXPORT_C int SSL_CTX_get_verify_mode(const SSL_CTX *ctx) |
|
696 { |
|
697 return(ctx->verify_mode); |
|
698 } |
|
699 |
|
700 EXPORT_C int SSL_CTX_get_verify_depth(const SSL_CTX *ctx) |
|
701 { |
|
702 return X509_VERIFY_PARAM_get_depth(ctx->param); |
|
703 } |
|
704 |
|
705 EXPORT_C int (*SSL_CTX_get_verify_callback(const SSL_CTX *ctx))(int,X509_STORE_CTX *) |
|
706 { |
|
707 return(ctx->default_verify_callback); |
|
708 } |
|
709 |
|
710 EXPORT_C void SSL_set_verify(SSL *s,int mode, |
|
711 int (*callback)(int ok,X509_STORE_CTX *ctx)) |
|
712 { |
|
713 s->verify_mode=mode; |
|
714 if (callback != NULL) |
|
715 s->verify_callback=callback; |
|
716 } |
|
717 |
|
718 EXPORT_C void SSL_set_verify_depth(SSL *s,int depth) |
|
719 { |
|
720 X509_VERIFY_PARAM_set_depth(s->param, depth); |
|
721 } |
|
722 |
|
723 EXPORT_C void SSL_set_read_ahead(SSL *s,int yes) |
|
724 { |
|
725 s->read_ahead=yes; |
|
726 } |
|
727 |
|
728 EXPORT_C int SSL_get_read_ahead(const SSL *s) |
|
729 { |
|
730 return(s->read_ahead); |
|
731 } |
|
732 |
|
733 EXPORT_C int SSL_pending(const SSL *s) |
|
734 { |
|
735 /* SSL_pending cannot work properly if read-ahead is enabled |
|
736 * (SSL_[CTX_]ctrl(..., SSL_CTRL_SET_READ_AHEAD, 1, NULL)), |
|
737 * and it is impossible to fix since SSL_pending cannot report |
|
738 * errors that may be observed while scanning the new data. |
|
739 * (Note that SSL_pending() is often used as a boolean value, |
|
740 * so we'd better not return -1.) |
|
741 */ |
|
742 return(s->method->ssl_pending(s)); |
|
743 } |
|
744 |
|
745 EXPORT_C X509 *SSL_get_peer_certificate(const SSL *s) |
|
746 { |
|
747 X509 *r; |
|
748 |
|
749 if ((s == NULL) || (s->session == NULL)) |
|
750 r=NULL; |
|
751 else |
|
752 r=s->session->peer; |
|
753 |
|
754 if (r == NULL) return(r); |
|
755 |
|
756 CRYPTO_add(&r->references,1,CRYPTO_LOCK_X509); |
|
757 |
|
758 return(r); |
|
759 } |
|
760 |
|
761 EXPORT_C STACK_OF(X509) *SSL_get_peer_cert_chain(const SSL *s) |
|
762 { |
|
763 STACK_OF(X509) *r; |
|
764 |
|
765 if ((s == NULL) || (s->session == NULL) || (s->session->sess_cert == NULL)) |
|
766 r=NULL; |
|
767 else |
|
768 r=s->session->sess_cert->cert_chain; |
|
769 |
|
770 /* If we are a client, cert_chain includes the peer's own |
|
771 * certificate; if we are a server, it does not. */ |
|
772 |
|
773 return(r); |
|
774 } |
|
775 |
|
776 /* Now in theory, since the calling process own 't' it should be safe to |
|
777 * modify. We need to be able to read f without being hassled */ |
|
778 EXPORT_C void SSL_copy_session_id(SSL *t,const SSL *f) |
|
779 { |
|
780 CERT *tmp; |
|
781 |
|
782 /* Do we need to to SSL locking? */ |
|
783 SSL_set_session(t,SSL_get_session(f)); |
|
784 |
|
785 /* what if we are setup as SSLv2 but want to talk SSLv3 or |
|
786 * vice-versa */ |
|
787 if (t->method != f->method) |
|
788 { |
|
789 t->method->ssl_free(t); /* cleanup current */ |
|
790 t->method=f->method; /* change method */ |
|
791 t->method->ssl_new(t); /* setup new */ |
|
792 } |
|
793 |
|
794 tmp=t->cert; |
|
795 if (f->cert != NULL) |
|
796 { |
|
797 CRYPTO_add(&f->cert->references,1,CRYPTO_LOCK_SSL_CERT); |
|
798 t->cert=f->cert; |
|
799 } |
|
800 else |
|
801 t->cert=NULL; |
|
802 if (tmp != NULL) ssl_cert_free(tmp); |
|
803 SSL_set_session_id_context(t,f->sid_ctx,f->sid_ctx_length); |
|
804 } |
|
805 |
|
806 /* Fix this so it checks all the valid key/cert options */ |
|
807 EXPORT_C int SSL_CTX_check_private_key(const SSL_CTX *ctx) |
|
808 { |
|
809 if ( (ctx == NULL) || |
|
810 (ctx->cert == NULL) || |
|
811 (ctx->cert->key->x509 == NULL)) |
|
812 { |
|
813 SSLerr(SSL_F_SSL_CTX_CHECK_PRIVATE_KEY,SSL_R_NO_CERTIFICATE_ASSIGNED); |
|
814 return(0); |
|
815 } |
|
816 if (ctx->cert->key->privatekey == NULL) |
|
817 { |
|
818 SSLerr(SSL_F_SSL_CTX_CHECK_PRIVATE_KEY,SSL_R_NO_PRIVATE_KEY_ASSIGNED); |
|
819 return(0); |
|
820 } |
|
821 return(X509_check_private_key(ctx->cert->key->x509, ctx->cert->key->privatekey)); |
|
822 } |
|
823 |
|
824 /* Fix this function so that it takes an optional type parameter */ |
|
825 EXPORT_C int SSL_check_private_key(const SSL *ssl) |
|
826 { |
|
827 if (ssl == NULL) |
|
828 { |
|
829 SSLerr(SSL_F_SSL_CHECK_PRIVATE_KEY,ERR_R_PASSED_NULL_PARAMETER); |
|
830 return(0); |
|
831 } |
|
832 if (ssl->cert == NULL) |
|
833 { |
|
834 SSLerr(SSL_F_SSL_CHECK_PRIVATE_KEY,SSL_R_NO_CERTIFICATE_ASSIGNED); |
|
835 return 0; |
|
836 } |
|
837 if (ssl->cert->key->x509 == NULL) |
|
838 { |
|
839 SSLerr(SSL_F_SSL_CHECK_PRIVATE_KEY,SSL_R_NO_CERTIFICATE_ASSIGNED); |
|
840 return(0); |
|
841 } |
|
842 if (ssl->cert->key->privatekey == NULL) |
|
843 { |
|
844 SSLerr(SSL_F_SSL_CHECK_PRIVATE_KEY,SSL_R_NO_PRIVATE_KEY_ASSIGNED); |
|
845 return(0); |
|
846 } |
|
847 return(X509_check_private_key(ssl->cert->key->x509, |
|
848 ssl->cert->key->privatekey)); |
|
849 } |
|
850 |
|
851 EXPORT_C int SSL_accept(SSL *s) |
|
852 { |
|
853 if (s->handshake_func == 0) |
|
854 /* Not properly initialized yet */ |
|
855 SSL_set_accept_state(s); |
|
856 |
|
857 return(s->method->ssl_accept(s)); |
|
858 } |
|
859 |
|
860 EXPORT_C int SSL_connect(SSL *s) |
|
861 { |
|
862 if (s->handshake_func == 0) |
|
863 /* Not properly initialized yet */ |
|
864 SSL_set_connect_state(s); |
|
865 |
|
866 return(s->method->ssl_connect(s)); |
|
867 } |
|
868 |
|
869 EXPORT_C long SSL_get_default_timeout(const SSL *s) |
|
870 { |
|
871 return(s->method->get_timeout()); |
|
872 } |
|
873 |
|
874 EXPORT_C int SSL_read(SSL *s,void *buf,int num) |
|
875 { |
|
876 if (s->handshake_func == 0) |
|
877 { |
|
878 SSLerr(SSL_F_SSL_READ, SSL_R_UNINITIALIZED); |
|
879 return -1; |
|
880 } |
|
881 |
|
882 if (s->shutdown & SSL_RECEIVED_SHUTDOWN) |
|
883 { |
|
884 s->rwstate=SSL_NOTHING; |
|
885 return(0); |
|
886 } |
|
887 return(s->method->ssl_read(s,buf,num)); |
|
888 } |
|
889 |
|
890 EXPORT_C int SSL_peek(SSL *s,void *buf,int num) |
|
891 { |
|
892 if (s->handshake_func == 0) |
|
893 { |
|
894 SSLerr(SSL_F_SSL_PEEK, SSL_R_UNINITIALIZED); |
|
895 return -1; |
|
896 } |
|
897 |
|
898 if (s->shutdown & SSL_RECEIVED_SHUTDOWN) |
|
899 { |
|
900 return(0); |
|
901 } |
|
902 return(s->method->ssl_peek(s,buf,num)); |
|
903 } |
|
904 |
|
905 EXPORT_C int SSL_write(SSL *s,const void *buf,int num) |
|
906 { |
|
907 if (s->handshake_func == 0) |
|
908 { |
|
909 SSLerr(SSL_F_SSL_WRITE, SSL_R_UNINITIALIZED); |
|
910 return -1; |
|
911 } |
|
912 |
|
913 if (s->shutdown & SSL_SENT_SHUTDOWN) |
|
914 { |
|
915 s->rwstate=SSL_NOTHING; |
|
916 SSLerr(SSL_F_SSL_WRITE,SSL_R_PROTOCOL_IS_SHUTDOWN); |
|
917 return(-1); |
|
918 } |
|
919 return(s->method->ssl_write(s,buf,num)); |
|
920 } |
|
921 |
|
922 EXPORT_C int SSL_shutdown(SSL *s) |
|
923 { |
|
924 /* Note that this function behaves differently from what one might |
|
925 * expect. Return values are 0 for no success (yet), |
|
926 * 1 for success; but calling it once is usually not enough, |
|
927 * even if blocking I/O is used (see ssl3_shutdown). |
|
928 */ |
|
929 |
|
930 if (s->handshake_func == 0) |
|
931 { |
|
932 SSLerr(SSL_F_SSL_SHUTDOWN, SSL_R_UNINITIALIZED); |
|
933 return -1; |
|
934 } |
|
935 |
|
936 if ((s != NULL) && !SSL_in_init(s)) |
|
937 return(s->method->ssl_shutdown(s)); |
|
938 else |
|
939 return(1); |
|
940 } |
|
941 |
|
942 EXPORT_C int SSL_renegotiate(SSL *s) |
|
943 { |
|
944 if (s->new_session == 0) |
|
945 { |
|
946 s->new_session=1; |
|
947 } |
|
948 return(s->method->ssl_renegotiate(s)); |
|
949 } |
|
950 |
|
951 EXPORT_C int SSL_renegotiate_pending(SSL *s) |
|
952 { |
|
953 /* becomes true when negotiation is requested; |
|
954 * false again once a handshake has finished */ |
|
955 return (s->new_session != 0); |
|
956 } |
|
957 |
|
958 EXPORT_C long SSL_ctrl(SSL *s,int cmd,long larg,void *parg) |
|
959 { |
|
960 long l; |
|
961 |
|
962 switch (cmd) |
|
963 { |
|
964 case SSL_CTRL_GET_READ_AHEAD: |
|
965 return(s->read_ahead); |
|
966 case SSL_CTRL_SET_READ_AHEAD: |
|
967 l=s->read_ahead; |
|
968 s->read_ahead=larg; |
|
969 return(l); |
|
970 |
|
971 case SSL_CTRL_SET_MSG_CALLBACK_ARG: |
|
972 s->msg_callback_arg = parg; |
|
973 return 1; |
|
974 |
|
975 case SSL_CTRL_OPTIONS: |
|
976 return(s->options|=larg); |
|
977 case SSL_CTRL_MODE: |
|
978 return(s->mode|=larg); |
|
979 case SSL_CTRL_GET_MAX_CERT_LIST: |
|
980 return(s->max_cert_list); |
|
981 case SSL_CTRL_SET_MAX_CERT_LIST: |
|
982 l=s->max_cert_list; |
|
983 s->max_cert_list=larg; |
|
984 return(l); |
|
985 case SSL_CTRL_SET_MTU: |
|
986 if (SSL_version(s) == DTLS1_VERSION) |
|
987 { |
|
988 s->d1->mtu = larg; |
|
989 return larg; |
|
990 } |
|
991 return 0; |
|
992 default: |
|
993 return(s->method->ssl_ctrl(s,cmd,larg,parg)); |
|
994 } |
|
995 } |
|
996 |
|
997 EXPORT_C long SSL_callback_ctrl(SSL *s, int cmd, void (*fp)(void)) |
|
998 { |
|
999 switch(cmd) |
|
1000 { |
|
1001 case SSL_CTRL_SET_MSG_CALLBACK: |
|
1002 s->msg_callback = (void (*)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg))(fp); |
|
1003 return 1; |
|
1004 |
|
1005 default: |
|
1006 return(s->method->ssl_callback_ctrl(s,cmd,fp)); |
|
1007 } |
|
1008 } |
|
1009 |
|
1010 EXPORT_C struct lhash_st *SSL_CTX_sessions(SSL_CTX *ctx) |
|
1011 { |
|
1012 return ctx->sessions; |
|
1013 } |
|
1014 |
|
1015 EXPORT_C long SSL_CTX_ctrl(SSL_CTX *ctx,int cmd,long larg,void *parg) |
|
1016 { |
|
1017 long l; |
|
1018 |
|
1019 switch (cmd) |
|
1020 { |
|
1021 case SSL_CTRL_GET_READ_AHEAD: |
|
1022 return(ctx->read_ahead); |
|
1023 case SSL_CTRL_SET_READ_AHEAD: |
|
1024 l=ctx->read_ahead; |
|
1025 ctx->read_ahead=larg; |
|
1026 return(l); |
|
1027 |
|
1028 case SSL_CTRL_SET_MSG_CALLBACK_ARG: |
|
1029 ctx->msg_callback_arg = parg; |
|
1030 return 1; |
|
1031 |
|
1032 case SSL_CTRL_GET_MAX_CERT_LIST: |
|
1033 return(ctx->max_cert_list); |
|
1034 case SSL_CTRL_SET_MAX_CERT_LIST: |
|
1035 l=ctx->max_cert_list; |
|
1036 ctx->max_cert_list=larg; |
|
1037 return(l); |
|
1038 |
|
1039 case SSL_CTRL_SET_SESS_CACHE_SIZE: |
|
1040 l=ctx->session_cache_size; |
|
1041 ctx->session_cache_size=larg; |
|
1042 return(l); |
|
1043 case SSL_CTRL_GET_SESS_CACHE_SIZE: |
|
1044 return(ctx->session_cache_size); |
|
1045 case SSL_CTRL_SET_SESS_CACHE_MODE: |
|
1046 l=ctx->session_cache_mode; |
|
1047 ctx->session_cache_mode=larg; |
|
1048 return(l); |
|
1049 case SSL_CTRL_GET_SESS_CACHE_MODE: |
|
1050 return(ctx->session_cache_mode); |
|
1051 |
|
1052 case SSL_CTRL_SESS_NUMBER: |
|
1053 return(ctx->sessions->num_items); |
|
1054 case SSL_CTRL_SESS_CONNECT: |
|
1055 return(ctx->stats.sess_connect); |
|
1056 case SSL_CTRL_SESS_CONNECT_GOOD: |
|
1057 return(ctx->stats.sess_connect_good); |
|
1058 case SSL_CTRL_SESS_CONNECT_RENEGOTIATE: |
|
1059 return(ctx->stats.sess_connect_renegotiate); |
|
1060 case SSL_CTRL_SESS_ACCEPT: |
|
1061 return(ctx->stats.sess_accept); |
|
1062 case SSL_CTRL_SESS_ACCEPT_GOOD: |
|
1063 return(ctx->stats.sess_accept_good); |
|
1064 case SSL_CTRL_SESS_ACCEPT_RENEGOTIATE: |
|
1065 return(ctx->stats.sess_accept_renegotiate); |
|
1066 case SSL_CTRL_SESS_HIT: |
|
1067 return(ctx->stats.sess_hit); |
|
1068 case SSL_CTRL_SESS_CB_HIT: |
|
1069 return(ctx->stats.sess_cb_hit); |
|
1070 case SSL_CTRL_SESS_MISSES: |
|
1071 return(ctx->stats.sess_miss); |
|
1072 case SSL_CTRL_SESS_TIMEOUTS: |
|
1073 return(ctx->stats.sess_timeout); |
|
1074 case SSL_CTRL_SESS_CACHE_FULL: |
|
1075 return(ctx->stats.sess_cache_full); |
|
1076 case SSL_CTRL_OPTIONS: |
|
1077 return(ctx->options|=larg); |
|
1078 case SSL_CTRL_MODE: |
|
1079 return(ctx->mode|=larg); |
|
1080 default: |
|
1081 return(ctx->method->ssl_ctx_ctrl(ctx,cmd,larg,parg)); |
|
1082 } |
|
1083 } |
|
1084 |
|
1085 EXPORT_C long SSL_CTX_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)(void)) |
|
1086 { |
|
1087 switch(cmd) |
|
1088 { |
|
1089 case SSL_CTRL_SET_MSG_CALLBACK: |
|
1090 ctx->msg_callback = (void (*)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg))(fp); |
|
1091 return 1; |
|
1092 |
|
1093 default: |
|
1094 return(ctx->method->ssl_ctx_callback_ctrl(ctx,cmd,fp)); |
|
1095 } |
|
1096 } |
|
1097 |
|
1098 int ssl_cipher_id_cmp(const SSL_CIPHER *a, const SSL_CIPHER *b) |
|
1099 { |
|
1100 long l; |
|
1101 |
|
1102 l=a->id-b->id; |
|
1103 if (l == 0L) |
|
1104 return(0); |
|
1105 else |
|
1106 return((l > 0)?1:-1); |
|
1107 } |
|
1108 |
|
1109 int ssl_cipher_ptr_id_cmp(const SSL_CIPHER * const *ap, |
|
1110 const SSL_CIPHER * const *bp) |
|
1111 { |
|
1112 long l; |
|
1113 |
|
1114 l=(*ap)->id-(*bp)->id; |
|
1115 if (l == 0L) |
|
1116 return(0); |
|
1117 else |
|
1118 return((l > 0)?1:-1); |
|
1119 } |
|
1120 |
|
1121 /** return a STACK of the ciphers available for the SSL and in order of |
|
1122 * preference */ |
|
1123 EXPORT_C STACK_OF(SSL_CIPHER) *SSL_get_ciphers(const SSL *s) |
|
1124 { |
|
1125 if (s != NULL) |
|
1126 { |
|
1127 if (s->cipher_list != NULL) |
|
1128 { |
|
1129 return(s->cipher_list); |
|
1130 } |
|
1131 else if ((s->ctx != NULL) && |
|
1132 (s->ctx->cipher_list != NULL)) |
|
1133 { |
|
1134 return(s->ctx->cipher_list); |
|
1135 } |
|
1136 } |
|
1137 return(NULL); |
|
1138 } |
|
1139 |
|
1140 /** return a STACK of the ciphers available for the SSL and in order of |
|
1141 * algorithm id */ |
|
1142 STACK_OF(SSL_CIPHER) *ssl_get_ciphers_by_id(SSL *s) |
|
1143 { |
|
1144 if (s != NULL) |
|
1145 { |
|
1146 if (s->cipher_list_by_id != NULL) |
|
1147 { |
|
1148 return(s->cipher_list_by_id); |
|
1149 } |
|
1150 else if ((s->ctx != NULL) && |
|
1151 (s->ctx->cipher_list_by_id != NULL)) |
|
1152 { |
|
1153 return(s->ctx->cipher_list_by_id); |
|
1154 } |
|
1155 } |
|
1156 return(NULL); |
|
1157 } |
|
1158 |
|
1159 /** The old interface to get the same thing as SSL_get_ciphers() */ |
|
1160 EXPORT_C const char *SSL_get_cipher_list(const SSL *s,int n) |
|
1161 { |
|
1162 SSL_CIPHER *c; |
|
1163 STACK_OF(SSL_CIPHER) *sk; |
|
1164 |
|
1165 if (s == NULL) return(NULL); |
|
1166 sk=SSL_get_ciphers(s); |
|
1167 if ((sk == NULL) || (sk_SSL_CIPHER_num(sk) <= n)) |
|
1168 return(NULL); |
|
1169 c=sk_SSL_CIPHER_value(sk,n); |
|
1170 if (c == NULL) return(NULL); |
|
1171 return(c->name); |
|
1172 } |
|
1173 |
|
1174 /** specify the ciphers to be used by default by the SSL_CTX */ |
|
1175 EXPORT_C int SSL_CTX_set_cipher_list(SSL_CTX *ctx, const char *str) |
|
1176 { |
|
1177 STACK_OF(SSL_CIPHER) *sk; |
|
1178 |
|
1179 sk=ssl_create_cipher_list(ctx->method,&ctx->cipher_list, |
|
1180 &ctx->cipher_list_by_id,str); |
|
1181 /* ssl_create_cipher_list may return an empty stack if it |
|
1182 * was unable to find a cipher matching the given rule string |
|
1183 * (for example if the rule string specifies a cipher which |
|
1184 * has been disabled). This is not an error as far as |
|
1185 * ssl_create_cipher_list is concerned, and hence |
|
1186 * ctx->cipher_list and ctx->cipher_list_by_id has been |
|
1187 * updated. */ |
|
1188 if (sk == NULL) |
|
1189 return 0; |
|
1190 else if (sk_SSL_CIPHER_num(sk) == 0) |
|
1191 { |
|
1192 SSLerr(SSL_F_SSL_CTX_SET_CIPHER_LIST, SSL_R_NO_CIPHER_MATCH); |
|
1193 return 0; |
|
1194 } |
|
1195 return 1; |
|
1196 } |
|
1197 |
|
1198 /** specify the ciphers to be used by the SSL */ |
|
1199 EXPORT_C int SSL_set_cipher_list(SSL *s,const char *str) |
|
1200 { |
|
1201 STACK_OF(SSL_CIPHER) *sk; |
|
1202 |
|
1203 sk=ssl_create_cipher_list(s->ctx->method,&s->cipher_list, |
|
1204 &s->cipher_list_by_id,str); |
|
1205 /* see comment in SSL_CTX_set_cipher_list */ |
|
1206 if (sk == NULL) |
|
1207 return 0; |
|
1208 else if (sk_SSL_CIPHER_num(sk) == 0) |
|
1209 { |
|
1210 SSLerr(SSL_F_SSL_SET_CIPHER_LIST, SSL_R_NO_CIPHER_MATCH); |
|
1211 return 0; |
|
1212 } |
|
1213 return 1; |
|
1214 } |
|
1215 |
|
1216 /* works well for SSLv2, not so good for SSLv3 */ |
|
1217 EXPORT_C char *SSL_get_shared_ciphers(const SSL *s,char *buf,int len) |
|
1218 { |
|
1219 char *p; |
|
1220 STACK_OF(SSL_CIPHER) *sk; |
|
1221 SSL_CIPHER *c; |
|
1222 int i; |
|
1223 |
|
1224 if ((s->session == NULL) || (s->session->ciphers == NULL) || |
|
1225 (len < 2)) |
|
1226 return(NULL); |
|
1227 |
|
1228 p=buf; |
|
1229 sk=s->session->ciphers; |
|
1230 for (i=0; i<sk_SSL_CIPHER_num(sk); i++) |
|
1231 { |
|
1232 int n; |
|
1233 |
|
1234 c=sk_SSL_CIPHER_value(sk,i); |
|
1235 n=strlen(c->name); |
|
1236 if (n+1 > len) |
|
1237 { |
|
1238 if (p != buf) |
|
1239 --p; |
|
1240 *p='\0'; |
|
1241 return buf; |
|
1242 } |
|
1243 strcpy(p,c->name); |
|
1244 p+=n; |
|
1245 *(p++)=':'; |
|
1246 len-=n+1; |
|
1247 } |
|
1248 p[-1]='\0'; |
|
1249 return(buf); |
|
1250 } |
|
1251 |
|
1252 int ssl_cipher_list_to_bytes(SSL *s,STACK_OF(SSL_CIPHER) *sk,unsigned char *p, |
|
1253 int (*put_cb)(const SSL_CIPHER *, unsigned char *)) |
|
1254 { |
|
1255 int i,j=0; |
|
1256 SSL_CIPHER *c; |
|
1257 unsigned char *q; |
|
1258 #ifndef OPENSSL_NO_KRB5 |
|
1259 int nokrb5 = !kssl_tgt_is_available(s->kssl_ctx); |
|
1260 #endif /* OPENSSL_NO_KRB5 */ |
|
1261 |
|
1262 if (sk == NULL) return(0); |
|
1263 q=p; |
|
1264 |
|
1265 for (i=0; i<sk_SSL_CIPHER_num(sk); i++) |
|
1266 { |
|
1267 c=sk_SSL_CIPHER_value(sk,i); |
|
1268 #ifndef OPENSSL_NO_KRB5 |
|
1269 if ((c->algorithms & SSL_KRB5) && nokrb5) |
|
1270 continue; |
|
1271 #endif /* OPENSSL_NO_KRB5 */ |
|
1272 |
|
1273 j = put_cb ? put_cb(c,p) : ssl_put_cipher_by_char(s,c,p); |
|
1274 p+=j; |
|
1275 } |
|
1276 return(p-q); |
|
1277 } |
|
1278 |
|
1279 STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s,unsigned char *p,int num, |
|
1280 STACK_OF(SSL_CIPHER) **skp) |
|
1281 { |
|
1282 SSL_CIPHER *c; |
|
1283 STACK_OF(SSL_CIPHER) *sk; |
|
1284 int i,n; |
|
1285 |
|
1286 n=ssl_put_cipher_by_char(s,NULL,NULL); |
|
1287 if ((num%n) != 0) |
|
1288 { |
|
1289 SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST); |
|
1290 return(NULL); |
|
1291 } |
|
1292 if ((skp == NULL) || (*skp == NULL)) |
|
1293 sk=sk_SSL_CIPHER_new_null(); /* change perhaps later */ |
|
1294 else |
|
1295 { |
|
1296 sk= *skp; |
|
1297 sk_SSL_CIPHER_zero(sk); |
|
1298 } |
|
1299 |
|
1300 for (i=0; i<num; i+=n) |
|
1301 { |
|
1302 c=ssl_get_cipher_by_char(s,p); |
|
1303 p+=n; |
|
1304 if (c != NULL) |
|
1305 { |
|
1306 if (!sk_SSL_CIPHER_push(sk,c)) |
|
1307 { |
|
1308 SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,ERR_R_MALLOC_FAILURE); |
|
1309 goto err; |
|
1310 } |
|
1311 } |
|
1312 } |
|
1313 |
|
1314 if (skp != NULL) |
|
1315 *skp=sk; |
|
1316 return(sk); |
|
1317 err: |
|
1318 if ((skp == NULL) || (*skp == NULL)) |
|
1319 sk_SSL_CIPHER_free(sk); |
|
1320 return(NULL); |
|
1321 } |
|
1322 |
|
1323 |
|
1324 EXPORT_C unsigned long SSL_SESSION_hash(const SSL_SESSION *a) |
|
1325 { |
|
1326 unsigned long l; |
|
1327 |
|
1328 l=(unsigned long) |
|
1329 ((unsigned int) a->session_id[0] )| |
|
1330 ((unsigned int) a->session_id[1]<< 8L)| |
|
1331 ((unsigned long)a->session_id[2]<<16L)| |
|
1332 ((unsigned long)a->session_id[3]<<24L); |
|
1333 return(l); |
|
1334 } |
|
1335 |
|
1336 /* NB: If this function (or indeed the hash function which uses a sort of |
|
1337 * coarser function than this one) is changed, ensure |
|
1338 * SSL_CTX_has_matching_session_id() is checked accordingly. It relies on being |
|
1339 * able to construct an SSL_SESSION that will collide with any existing session |
|
1340 * with a matching session ID. */ |
|
1341 EXPORT_C int SSL_SESSION_cmp(const SSL_SESSION *a,const SSL_SESSION *b) |
|
1342 { |
|
1343 if (a->ssl_version != b->ssl_version) |
|
1344 return(1); |
|
1345 if (a->session_id_length != b->session_id_length) |
|
1346 return(1); |
|
1347 return(memcmp(a->session_id,b->session_id,a->session_id_length)); |
|
1348 } |
|
1349 |
|
1350 /* These wrapper functions should remain rather than redeclaring |
|
1351 * SSL_SESSION_hash and SSL_SESSION_cmp for void* types and casting each |
|
1352 * variable. The reason is that the functions aren't static, they're exposed via |
|
1353 * ssl.h. */ |
|
1354 static IMPLEMENT_LHASH_HASH_FN(SSL_SESSION_hash, SSL_SESSION *) |
|
1355 static IMPLEMENT_LHASH_COMP_FN(SSL_SESSION_cmp, SSL_SESSION *) |
|
1356 |
|
1357 EXPORT_C SSL_CTX *SSL_CTX_new(SSL_METHOD *meth) |
|
1358 { |
|
1359 SSL_CTX *ret=NULL; |
|
1360 |
|
1361 if (meth == NULL) |
|
1362 { |
|
1363 SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_NULL_SSL_METHOD_PASSED); |
|
1364 return(NULL); |
|
1365 } |
|
1366 |
|
1367 if (SSL_get_ex_data_X509_STORE_CTX_idx() < 0) |
|
1368 { |
|
1369 SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_X509_VERIFICATION_SETUP_PROBLEMS); |
|
1370 goto err; |
|
1371 } |
|
1372 ret=(SSL_CTX *)OPENSSL_malloc(sizeof(SSL_CTX)); |
|
1373 if (ret == NULL) |
|
1374 goto err; |
|
1375 |
|
1376 memset(ret,0,sizeof(SSL_CTX)); |
|
1377 |
|
1378 ret->method=meth; |
|
1379 |
|
1380 ret->cert_store=NULL; |
|
1381 ret->session_cache_mode=SSL_SESS_CACHE_SERVER; |
|
1382 ret->session_cache_size=SSL_SESSION_CACHE_MAX_SIZE_DEFAULT; |
|
1383 ret->session_cache_head=NULL; |
|
1384 ret->session_cache_tail=NULL; |
|
1385 |
|
1386 /* We take the system default */ |
|
1387 ret->session_timeout=meth->get_timeout(); |
|
1388 |
|
1389 ret->new_session_cb=0; |
|
1390 ret->remove_session_cb=0; |
|
1391 ret->get_session_cb=0; |
|
1392 ret->generate_session_id=0; |
|
1393 |
|
1394 memset((char *)&ret->stats,0,sizeof(ret->stats)); |
|
1395 |
|
1396 ret->references=1; |
|
1397 ret->quiet_shutdown=0; |
|
1398 |
|
1399 /* ret->cipher=NULL;*/ |
|
1400 /* ret->s2->challenge=NULL; |
|
1401 ret->master_key=NULL; |
|
1402 ret->key_arg=NULL; |
|
1403 ret->s2->conn_id=NULL; */ |
|
1404 |
|
1405 ret->info_callback=NULL; |
|
1406 |
|
1407 ret->app_verify_callback=0; |
|
1408 ret->app_verify_arg=NULL; |
|
1409 |
|
1410 ret->max_cert_list=SSL_MAX_CERT_LIST_DEFAULT; |
|
1411 ret->read_ahead=0; |
|
1412 ret->msg_callback=0; |
|
1413 ret->msg_callback_arg=NULL; |
|
1414 ret->verify_mode=SSL_VERIFY_NONE; |
|
1415 #if 0 |
|
1416 ret->verify_depth=-1; /* Don't impose a limit (but x509_lu.c does) */ |
|
1417 #endif |
|
1418 ret->sid_ctx_length=0; |
|
1419 ret->default_verify_callback=NULL; |
|
1420 if ((ret->cert=ssl_cert_new()) == NULL) |
|
1421 goto err; |
|
1422 |
|
1423 ret->default_passwd_callback=0; |
|
1424 ret->default_passwd_callback_userdata=NULL; |
|
1425 ret->client_cert_cb=0; |
|
1426 ret->app_gen_cookie_cb=0; |
|
1427 ret->app_verify_cookie_cb=0; |
|
1428 |
|
1429 ret->sessions=lh_new(LHASH_HASH_FN(SSL_SESSION_hash), |
|
1430 LHASH_COMP_FN(SSL_SESSION_cmp)); |
|
1431 if (ret->sessions == NULL) goto err; |
|
1432 ret->cert_store=X509_STORE_new(); |
|
1433 if (ret->cert_store == NULL) goto err; |
|
1434 |
|
1435 ssl_create_cipher_list(ret->method, |
|
1436 &ret->cipher_list,&ret->cipher_list_by_id, |
|
1437 SSL_DEFAULT_CIPHER_LIST); |
|
1438 if (ret->cipher_list == NULL |
|
1439 || sk_SSL_CIPHER_num(ret->cipher_list) <= 0) |
|
1440 { |
|
1441 SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_LIBRARY_HAS_NO_CIPHERS); |
|
1442 goto err2; |
|
1443 } |
|
1444 |
|
1445 ret->param = X509_VERIFY_PARAM_new(); |
|
1446 if (!ret->param) |
|
1447 goto err; |
|
1448 |
|
1449 if ((ret->rsa_md5=EVP_get_digestbyname("ssl2-md5")) == NULL) |
|
1450 { |
|
1451 SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_UNABLE_TO_LOAD_SSL2_MD5_ROUTINES); |
|
1452 goto err2; |
|
1453 } |
|
1454 if ((ret->md5=EVP_get_digestbyname("ssl3-md5")) == NULL) |
|
1455 { |
|
1456 SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES); |
|
1457 goto err2; |
|
1458 } |
|
1459 if ((ret->sha1=EVP_get_digestbyname("ssl3-sha1")) == NULL) |
|
1460 { |
|
1461 SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES); |
|
1462 goto err2; |
|
1463 } |
|
1464 |
|
1465 if ((ret->client_CA=sk_X509_NAME_new_null()) == NULL) |
|
1466 goto err; |
|
1467 |
|
1468 CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL_CTX, ret, &ret->ex_data); |
|
1469 |
|
1470 ret->extra_certs=NULL; |
|
1471 ret->comp_methods=SSL_COMP_get_compression_methods(); |
|
1472 |
|
1473 return(ret); |
|
1474 err: |
|
1475 SSLerr(SSL_F_SSL_CTX_NEW,ERR_R_MALLOC_FAILURE); |
|
1476 err2: |
|
1477 if (ret != NULL) SSL_CTX_free(ret); |
|
1478 return(NULL); |
|
1479 } |
|
1480 |
|
1481 #if 0 |
|
1482 static void SSL_COMP_free(SSL_COMP *comp) |
|
1483 { OPENSSL_free(comp); } |
|
1484 #endif |
|
1485 |
|
1486 EXPORT_C void SSL_CTX_free(SSL_CTX *a) |
|
1487 { |
|
1488 int i; |
|
1489 |
|
1490 if (a == NULL) return; |
|
1491 |
|
1492 i=CRYPTO_add(&a->references,-1,CRYPTO_LOCK_SSL_CTX); |
|
1493 #ifdef REF_PRINT |
|
1494 REF_PRINT("SSL_CTX",a); |
|
1495 #endif |
|
1496 if (i > 0) return; |
|
1497 #ifdef REF_CHECK |
|
1498 if (i < 0) |
|
1499 { |
|
1500 fprintf(stderr,"SSL_CTX_free, bad reference count\n"); |
|
1501 abort(); /* ok */ |
|
1502 } |
|
1503 #endif |
|
1504 |
|
1505 if (a->param) |
|
1506 X509_VERIFY_PARAM_free(a->param); |
|
1507 |
|
1508 /* |
|
1509 * Free internal session cache. However: the remove_cb() may reference |
|
1510 * the ex_data of SSL_CTX, thus the ex_data store can only be removed |
|
1511 * after the sessions were flushed. |
|
1512 * As the ex_data handling routines might also touch the session cache, |
|
1513 * the most secure solution seems to be: empty (flush) the cache, then |
|
1514 * free ex_data, then finally free the cache. |
|
1515 * (See ticket [openssl.org #212].) |
|
1516 */ |
|
1517 if (a->sessions != NULL) |
|
1518 SSL_CTX_flush_sessions(a,0); |
|
1519 |
|
1520 CRYPTO_free_ex_data(CRYPTO_EX_INDEX_SSL_CTX, a, &a->ex_data); |
|
1521 |
|
1522 if (a->sessions != NULL) |
|
1523 lh_free(a->sessions); |
|
1524 |
|
1525 if (a->cert_store != NULL) |
|
1526 X509_STORE_free(a->cert_store); |
|
1527 if (a->cipher_list != NULL) |
|
1528 sk_SSL_CIPHER_free(a->cipher_list); |
|
1529 if (a->cipher_list_by_id != NULL) |
|
1530 sk_SSL_CIPHER_free(a->cipher_list_by_id); |
|
1531 if (a->cert != NULL) |
|
1532 ssl_cert_free(a->cert); |
|
1533 if (a->client_CA != NULL) |
|
1534 sk_X509_NAME_pop_free(a->client_CA,X509_NAME_free); |
|
1535 if (a->extra_certs != NULL) |
|
1536 sk_X509_pop_free(a->extra_certs,X509_free); |
|
1537 #if 0 /* This should never be done, since it removes a global database */ |
|
1538 if (a->comp_methods != NULL) |
|
1539 sk_SSL_COMP_pop_free(a->comp_methods,SSL_COMP_free); |
|
1540 #else |
|
1541 a->comp_methods = NULL; |
|
1542 #endif |
|
1543 OPENSSL_free(a); |
|
1544 } |
|
1545 |
|
1546 EXPORT_C void SSL_CTX_set_default_passwd_cb(SSL_CTX *ctx, pem_password_cb *cb) |
|
1547 { |
|
1548 ctx->default_passwd_callback=cb; |
|
1549 } |
|
1550 |
|
1551 EXPORT_C void SSL_CTX_set_default_passwd_cb_userdata(SSL_CTX *ctx,void *u) |
|
1552 { |
|
1553 ctx->default_passwd_callback_userdata=u; |
|
1554 } |
|
1555 |
|
1556 EXPORT_C void SSL_CTX_set_cert_verify_callback(SSL_CTX *ctx, int (*cb)(X509_STORE_CTX *,void *), void *arg) |
|
1557 { |
|
1558 ctx->app_verify_callback=cb; |
|
1559 ctx->app_verify_arg=arg; |
|
1560 } |
|
1561 |
|
1562 EXPORT_C void SSL_CTX_set_verify(SSL_CTX *ctx,int mode,int (*cb)(int, X509_STORE_CTX *)) |
|
1563 { |
|
1564 ctx->verify_mode=mode; |
|
1565 ctx->default_verify_callback=cb; |
|
1566 } |
|
1567 |
|
1568 EXPORT_C void SSL_CTX_set_verify_depth(SSL_CTX *ctx,int depth) |
|
1569 { |
|
1570 X509_VERIFY_PARAM_set_depth(ctx->param, depth); |
|
1571 } |
|
1572 |
|
1573 void ssl_set_cert_masks(CERT *c, SSL_CIPHER *cipher) |
|
1574 { |
|
1575 CERT_PKEY *cpk; |
|
1576 int rsa_enc,rsa_tmp,rsa_sign,dh_tmp,dh_rsa,dh_dsa,dsa_sign; |
|
1577 int rsa_enc_export,dh_rsa_export,dh_dsa_export; |
|
1578 int rsa_tmp_export,dh_tmp_export,kl; |
|
1579 unsigned long mask,emask; |
|
1580 int have_ecc_cert, ecdh_ok, ecdsa_ok, ecc_pkey_size; |
|
1581 #ifndef OPENSSL_NO_ECDH |
|
1582 int have_ecdh_tmp; |
|
1583 #endif |
|
1584 X509 *x = NULL; |
|
1585 EVP_PKEY *ecc_pkey = NULL; |
|
1586 int signature_nid = 0; |
|
1587 |
|
1588 if (c == NULL) return; |
|
1589 |
|
1590 kl=SSL_C_EXPORT_PKEYLENGTH(cipher); |
|
1591 |
|
1592 #ifndef OPENSSL_NO_RSA |
|
1593 rsa_tmp=(c->rsa_tmp != NULL || c->rsa_tmp_cb != NULL); |
|
1594 rsa_tmp_export=(c->rsa_tmp_cb != NULL || |
|
1595 (rsa_tmp && RSA_size(c->rsa_tmp)*8 <= kl)); |
|
1596 #else |
|
1597 rsa_tmp=rsa_tmp_export=0; |
|
1598 #endif |
|
1599 #ifndef OPENSSL_NO_DH |
|
1600 dh_tmp=(c->dh_tmp != NULL || c->dh_tmp_cb != NULL); |
|
1601 dh_tmp_export=(c->dh_tmp_cb != NULL || |
|
1602 (dh_tmp && DH_size(c->dh_tmp)*8 <= kl)); |
|
1603 #else |
|
1604 dh_tmp=dh_tmp_export=0; |
|
1605 #endif |
|
1606 |
|
1607 #ifndef OPENSSL_NO_ECDH |
|
1608 have_ecdh_tmp=(c->ecdh_tmp != NULL || c->ecdh_tmp_cb != NULL); |
|
1609 #endif |
|
1610 cpk= &(c->pkeys[SSL_PKEY_RSA_ENC]); |
|
1611 rsa_enc= (cpk->x509 != NULL && cpk->privatekey != NULL); |
|
1612 rsa_enc_export=(rsa_enc && EVP_PKEY_size(cpk->privatekey)*8 <= kl); |
|
1613 cpk= &(c->pkeys[SSL_PKEY_RSA_SIGN]); |
|
1614 rsa_sign=(cpk->x509 != NULL && cpk->privatekey != NULL); |
|
1615 cpk= &(c->pkeys[SSL_PKEY_DSA_SIGN]); |
|
1616 dsa_sign=(cpk->x509 != NULL && cpk->privatekey != NULL); |
|
1617 cpk= &(c->pkeys[SSL_PKEY_DH_RSA]); |
|
1618 dh_rsa= (cpk->x509 != NULL && cpk->privatekey != NULL); |
|
1619 dh_rsa_export=(dh_rsa && EVP_PKEY_size(cpk->privatekey)*8 <= kl); |
|
1620 cpk= &(c->pkeys[SSL_PKEY_DH_DSA]); |
|
1621 /* FIX THIS EAY EAY EAY */ |
|
1622 dh_dsa= (cpk->x509 != NULL && cpk->privatekey != NULL); |
|
1623 dh_dsa_export=(dh_dsa && EVP_PKEY_size(cpk->privatekey)*8 <= kl); |
|
1624 cpk= &(c->pkeys[SSL_PKEY_ECC]); |
|
1625 have_ecc_cert= (cpk->x509 != NULL && cpk->privatekey != NULL); |
|
1626 mask=0; |
|
1627 emask=0; |
|
1628 |
|
1629 #ifdef CIPHER_DEBUG |
|
1630 printf("rt=%d rte=%d dht=%d re=%d ree=%d rs=%d ds=%d dhr=%d dhd=%d\n", |
|
1631 rsa_tmp,rsa_tmp_export,dh_tmp, |
|
1632 rsa_enc,rsa_enc_export,rsa_sign,dsa_sign,dh_rsa,dh_dsa); |
|
1633 #endif |
|
1634 |
|
1635 if (rsa_enc || (rsa_tmp && rsa_sign)) |
|
1636 mask|=SSL_kRSA; |
|
1637 if (rsa_enc_export || (rsa_tmp_export && (rsa_sign || rsa_enc))) |
|
1638 emask|=SSL_kRSA; |
|
1639 |
|
1640 #if 0 |
|
1641 /* The match needs to be both kEDH and aRSA or aDSA, so don't worry */ |
|
1642 if ( (dh_tmp || dh_rsa || dh_dsa) && |
|
1643 (rsa_enc || rsa_sign || dsa_sign)) |
|
1644 mask|=SSL_kEDH; |
|
1645 if ((dh_tmp_export || dh_rsa_export || dh_dsa_export) && |
|
1646 (rsa_enc || rsa_sign || dsa_sign)) |
|
1647 emask|=SSL_kEDH; |
|
1648 #endif |
|
1649 |
|
1650 if (dh_tmp_export) |
|
1651 emask|=SSL_kEDH; |
|
1652 |
|
1653 if (dh_tmp) |
|
1654 mask|=SSL_kEDH; |
|
1655 |
|
1656 if (dh_rsa) mask|=SSL_kDHr; |
|
1657 if (dh_rsa_export) emask|=SSL_kDHr; |
|
1658 |
|
1659 if (dh_dsa) mask|=SSL_kDHd; |
|
1660 if (dh_dsa_export) emask|=SSL_kDHd; |
|
1661 |
|
1662 if (rsa_enc || rsa_sign) |
|
1663 { |
|
1664 mask|=SSL_aRSA; |
|
1665 emask|=SSL_aRSA; |
|
1666 } |
|
1667 |
|
1668 if (dsa_sign) |
|
1669 { |
|
1670 mask|=SSL_aDSS; |
|
1671 emask|=SSL_aDSS; |
|
1672 } |
|
1673 |
|
1674 mask|=SSL_aNULL; |
|
1675 emask|=SSL_aNULL; |
|
1676 |
|
1677 #ifndef OPENSSL_NO_KRB5 |
|
1678 mask|=SSL_kKRB5|SSL_aKRB5; |
|
1679 emask|=SSL_kKRB5|SSL_aKRB5; |
|
1680 #endif |
|
1681 |
|
1682 /* An ECC certificate may be usable for ECDH and/or |
|
1683 * ECDSA cipher suites depending on the key usage extension. |
|
1684 */ |
|
1685 if (have_ecc_cert) |
|
1686 { |
|
1687 /* This call populates extension flags (ex_flags) */ |
|
1688 x = (c->pkeys[SSL_PKEY_ECC]).x509; |
|
1689 X509_check_purpose(x, -1, 0); |
|
1690 ecdh_ok = (x->ex_flags & EXFLAG_KUSAGE) ? |
|
1691 (x->ex_kusage & X509v3_KU_KEY_AGREEMENT) : 1; |
|
1692 ecdsa_ok = (x->ex_flags & EXFLAG_KUSAGE) ? |
|
1693 (x->ex_kusage & X509v3_KU_DIGITAL_SIGNATURE) : 1; |
|
1694 ecc_pkey = X509_get_pubkey(x); |
|
1695 ecc_pkey_size = (ecc_pkey != NULL) ? |
|
1696 EVP_PKEY_bits(ecc_pkey) : 0; |
|
1697 EVP_PKEY_free(ecc_pkey); |
|
1698 if ((x->sig_alg) && (x->sig_alg->algorithm)) |
|
1699 signature_nid = OBJ_obj2nid(x->sig_alg->algorithm); |
|
1700 #ifndef OPENSSL_NO_ECDH |
|
1701 if (ecdh_ok) |
|
1702 { |
|
1703 if ((signature_nid == NID_md5WithRSAEncryption) || |
|
1704 (signature_nid == NID_md4WithRSAEncryption) || |
|
1705 (signature_nid == NID_md2WithRSAEncryption)) |
|
1706 { |
|
1707 mask|=SSL_kECDH|SSL_aRSA; |
|
1708 if (ecc_pkey_size <= 163) |
|
1709 emask|=SSL_kECDH|SSL_aRSA; |
|
1710 } |
|
1711 if (signature_nid == NID_ecdsa_with_SHA1) |
|
1712 { |
|
1713 mask|=SSL_kECDH|SSL_aECDSA; |
|
1714 if (ecc_pkey_size <= 163) |
|
1715 emask|=SSL_kECDH|SSL_aECDSA; |
|
1716 } |
|
1717 } |
|
1718 #endif |
|
1719 #ifndef OPENSSL_NO_ECDSA |
|
1720 if (ecdsa_ok) |
|
1721 { |
|
1722 mask|=SSL_aECDSA; |
|
1723 emask|=SSL_aECDSA; |
|
1724 } |
|
1725 #endif |
|
1726 } |
|
1727 |
|
1728 #ifndef OPENSSL_NO_ECDH |
|
1729 if (have_ecdh_tmp) |
|
1730 { |
|
1731 mask|=SSL_kECDHE; |
|
1732 emask|=SSL_kECDHE; |
|
1733 } |
|
1734 #endif |
|
1735 c->mask=mask; |
|
1736 c->export_mask=emask; |
|
1737 c->valid=1; |
|
1738 } |
|
1739 |
|
1740 /* This handy macro borrowed from crypto/x509v3/v3_purp.c */ |
|
1741 #define ku_reject(x, usage) \ |
|
1742 (((x)->ex_flags & EXFLAG_KUSAGE) && !((x)->ex_kusage & (usage))) |
|
1743 |
|
1744 int check_srvr_ecc_cert_and_alg(X509 *x, SSL_CIPHER *cs) |
|
1745 { |
|
1746 unsigned long alg = cs->algorithms; |
|
1747 EVP_PKEY *pkey = NULL; |
|
1748 int keysize = 0; |
|
1749 int signature_nid = 0; |
|
1750 |
|
1751 if (SSL_C_IS_EXPORT(cs)) |
|
1752 { |
|
1753 /* ECDH key length in export ciphers must be <= 163 bits */ |
|
1754 pkey = X509_get_pubkey(x); |
|
1755 if (pkey == NULL) return 0; |
|
1756 keysize = EVP_PKEY_bits(pkey); |
|
1757 EVP_PKEY_free(pkey); |
|
1758 if (keysize > 163) return 0; |
|
1759 } |
|
1760 |
|
1761 /* This call populates the ex_flags field correctly */ |
|
1762 X509_check_purpose(x, -1, 0); |
|
1763 if ((x->sig_alg) && (x->sig_alg->algorithm)) |
|
1764 signature_nid = OBJ_obj2nid(x->sig_alg->algorithm); |
|
1765 if (alg & SSL_kECDH) |
|
1766 { |
|
1767 /* key usage, if present, must allow key agreement */ |
|
1768 if (ku_reject(x, X509v3_KU_KEY_AGREEMENT)) |
|
1769 { |
|
1770 return 0; |
|
1771 } |
|
1772 if (alg & SSL_aECDSA) |
|
1773 { |
|
1774 /* signature alg must be ECDSA */ |
|
1775 if (signature_nid != NID_ecdsa_with_SHA1) |
|
1776 { |
|
1777 return 0; |
|
1778 } |
|
1779 } |
|
1780 if (alg & SSL_aRSA) |
|
1781 { |
|
1782 /* signature alg must be RSA */ |
|
1783 if ((signature_nid != NID_md5WithRSAEncryption) && |
|
1784 (signature_nid != NID_md4WithRSAEncryption) && |
|
1785 (signature_nid != NID_md2WithRSAEncryption)) |
|
1786 { |
|
1787 return 0; |
|
1788 } |
|
1789 } |
|
1790 } |
|
1791 else if (alg & SSL_aECDSA) |
|
1792 { |
|
1793 /* key usage, if present, must allow signing */ |
|
1794 if (ku_reject(x, X509v3_KU_DIGITAL_SIGNATURE)) |
|
1795 { |
|
1796 return 0; |
|
1797 } |
|
1798 } |
|
1799 |
|
1800 return 1; /* all checks are ok */ |
|
1801 } |
|
1802 |
|
1803 /* THIS NEEDS CLEANING UP */ |
|
1804 X509 *ssl_get_server_send_cert(SSL *s) |
|
1805 { |
|
1806 unsigned long alg,mask,kalg; |
|
1807 CERT *c; |
|
1808 int i,is_export; |
|
1809 |
|
1810 c=s->cert; |
|
1811 ssl_set_cert_masks(c, s->s3->tmp.new_cipher); |
|
1812 alg=s->s3->tmp.new_cipher->algorithms; |
|
1813 is_export=SSL_C_IS_EXPORT(s->s3->tmp.new_cipher); |
|
1814 mask=is_export?c->export_mask:c->mask; |
|
1815 kalg=alg&(SSL_MKEY_MASK|SSL_AUTH_MASK); |
|
1816 |
|
1817 if (kalg & SSL_kECDH) |
|
1818 { |
|
1819 /* we don't need to look at SSL_kECDHE |
|
1820 * since no certificate is needed for |
|
1821 * anon ECDH and for authenticated |
|
1822 * ECDHE, the check for the auth |
|
1823 * algorithm will set i correctly |
|
1824 * NOTE: For ECDH-RSA, we need an ECC |
|
1825 * not an RSA cert but for ECDHE-RSA |
|
1826 * we need an RSA cert. Placing the |
|
1827 * checks for SSL_kECDH before RSA |
|
1828 * checks ensures the correct cert is chosen. |
|
1829 */ |
|
1830 i=SSL_PKEY_ECC; |
|
1831 } |
|
1832 else if (kalg & SSL_aECDSA) |
|
1833 { |
|
1834 i=SSL_PKEY_ECC; |
|
1835 } |
|
1836 else if (kalg & SSL_kDHr) |
|
1837 i=SSL_PKEY_DH_RSA; |
|
1838 else if (kalg & SSL_kDHd) |
|
1839 i=SSL_PKEY_DH_DSA; |
|
1840 else if (kalg & SSL_aDSS) |
|
1841 i=SSL_PKEY_DSA_SIGN; |
|
1842 else if (kalg & SSL_aRSA) |
|
1843 { |
|
1844 if (c->pkeys[SSL_PKEY_RSA_ENC].x509 == NULL) |
|
1845 i=SSL_PKEY_RSA_SIGN; |
|
1846 else |
|
1847 i=SSL_PKEY_RSA_ENC; |
|
1848 } |
|
1849 else if (kalg & SSL_aKRB5) |
|
1850 { |
|
1851 /* VRS something else here? */ |
|
1852 return(NULL); |
|
1853 } |
|
1854 else /* if (kalg & SSL_aNULL) */ |
|
1855 { |
|
1856 SSLerr(SSL_F_SSL_GET_SERVER_SEND_CERT,ERR_R_INTERNAL_ERROR); |
|
1857 return(NULL); |
|
1858 } |
|
1859 if (c->pkeys[i].x509 == NULL) return(NULL); |
|
1860 |
|
1861 return(c->pkeys[i].x509); |
|
1862 } |
|
1863 |
|
1864 EVP_PKEY *ssl_get_sign_pkey(SSL *s,SSL_CIPHER *cipher) |
|
1865 { |
|
1866 unsigned long alg; |
|
1867 CERT *c; |
|
1868 |
|
1869 alg=cipher->algorithms; |
|
1870 c=s->cert; |
|
1871 |
|
1872 if ((alg & SSL_aDSS) && |
|
1873 (c->pkeys[SSL_PKEY_DSA_SIGN].privatekey != NULL)) |
|
1874 return(c->pkeys[SSL_PKEY_DSA_SIGN].privatekey); |
|
1875 else if (alg & SSL_aRSA) |
|
1876 { |
|
1877 if (c->pkeys[SSL_PKEY_RSA_SIGN].privatekey != NULL) |
|
1878 return(c->pkeys[SSL_PKEY_RSA_SIGN].privatekey); |
|
1879 else if (c->pkeys[SSL_PKEY_RSA_ENC].privatekey != NULL) |
|
1880 return(c->pkeys[SSL_PKEY_RSA_ENC].privatekey); |
|
1881 else |
|
1882 return(NULL); |
|
1883 } |
|
1884 else if ((alg & SSL_aECDSA) && |
|
1885 (c->pkeys[SSL_PKEY_ECC].privatekey != NULL)) |
|
1886 return(c->pkeys[SSL_PKEY_ECC].privatekey); |
|
1887 else /* if (alg & SSL_aNULL) */ |
|
1888 { |
|
1889 SSLerr(SSL_F_SSL_GET_SIGN_PKEY,ERR_R_INTERNAL_ERROR); |
|
1890 return(NULL); |
|
1891 } |
|
1892 } |
|
1893 |
|
1894 void ssl_update_cache(SSL *s,int mode) |
|
1895 { |
|
1896 int i; |
|
1897 |
|
1898 /* If the session_id_length is 0, we are not supposed to cache it, |
|
1899 * and it would be rather hard to do anyway :-) */ |
|
1900 if (s->session->session_id_length == 0) return; |
|
1901 |
|
1902 i=s->ctx->session_cache_mode; |
|
1903 if ((i & mode) && (!s->hit) |
|
1904 && ((i & SSL_SESS_CACHE_NO_INTERNAL_STORE) |
|
1905 || SSL_CTX_add_session(s->ctx,s->session)) |
|
1906 && (s->ctx->new_session_cb != NULL)) |
|
1907 { |
|
1908 CRYPTO_add(&s->session->references,1,CRYPTO_LOCK_SSL_SESSION); |
|
1909 if (!s->ctx->new_session_cb(s,s->session)) |
|
1910 SSL_SESSION_free(s->session); |
|
1911 } |
|
1912 |
|
1913 /* auto flush every 255 connections */ |
|
1914 if ((!(i & SSL_SESS_CACHE_NO_AUTO_CLEAR)) && |
|
1915 ((i & mode) == mode)) |
|
1916 { |
|
1917 if ( (((mode & SSL_SESS_CACHE_CLIENT) |
|
1918 ?s->ctx->stats.sess_connect_good |
|
1919 :s->ctx->stats.sess_accept_good) & 0xff) == 0xff) |
|
1920 { |
|
1921 SSL_CTX_flush_sessions(s->ctx,(unsigned long)time(NULL)); |
|
1922 } |
|
1923 } |
|
1924 } |
|
1925 |
|
1926 EXPORT_C SSL_METHOD *SSL_get_ssl_method(SSL *s) |
|
1927 { |
|
1928 return(s->method); |
|
1929 } |
|
1930 |
|
1931 EXPORT_C int SSL_set_ssl_method(SSL *s,SSL_METHOD *meth) |
|
1932 { |
|
1933 int conn= -1; |
|
1934 int ret=1; |
|
1935 |
|
1936 if (s->method != meth) |
|
1937 { |
|
1938 if (s->handshake_func != NULL) |
|
1939 conn=(s->handshake_func == s->method->ssl_connect); |
|
1940 |
|
1941 if (s->method->version == meth->version) |
|
1942 s->method=meth; |
|
1943 else |
|
1944 { |
|
1945 s->method->ssl_free(s); |
|
1946 s->method=meth; |
|
1947 ret=s->method->ssl_new(s); |
|
1948 } |
|
1949 |
|
1950 if (conn == 1) |
|
1951 s->handshake_func=meth->ssl_connect; |
|
1952 else if (conn == 0) |
|
1953 s->handshake_func=meth->ssl_accept; |
|
1954 } |
|
1955 return(ret); |
|
1956 } |
|
1957 |
|
1958 EXPORT_C int SSL_get_error(const SSL *s,int i) |
|
1959 { |
|
1960 int reason; |
|
1961 unsigned long l; |
|
1962 BIO *bio; |
|
1963 |
|
1964 if (i > 0) return(SSL_ERROR_NONE); |
|
1965 |
|
1966 /* Make things return SSL_ERROR_SYSCALL when doing SSL_do_handshake |
|
1967 * etc, where we do encode the error */ |
|
1968 if ((l=ERR_peek_error()) != 0) |
|
1969 { |
|
1970 if (ERR_GET_LIB(l) == ERR_LIB_SYS) |
|
1971 return(SSL_ERROR_SYSCALL); |
|
1972 else |
|
1973 return(SSL_ERROR_SSL); |
|
1974 } |
|
1975 |
|
1976 if ((i < 0) && SSL_want_read(s)) |
|
1977 { |
|
1978 bio=SSL_get_rbio(s); |
|
1979 if (BIO_should_read(bio)) |
|
1980 return(SSL_ERROR_WANT_READ); |
|
1981 else if (BIO_should_write(bio)) |
|
1982 /* This one doesn't make too much sense ... We never try |
|
1983 * to write to the rbio, and an application program where |
|
1984 * rbio and wbio are separate couldn't even know what it |
|
1985 * should wait for. |
|
1986 * However if we ever set s->rwstate incorrectly |
|
1987 * (so that we have SSL_want_read(s) instead of |
|
1988 * SSL_want_write(s)) and rbio and wbio *are* the same, |
|
1989 * this test works around that bug; so it might be safer |
|
1990 * to keep it. */ |
|
1991 return(SSL_ERROR_WANT_WRITE); |
|
1992 else if (BIO_should_io_special(bio)) |
|
1993 { |
|
1994 reason=BIO_get_retry_reason(bio); |
|
1995 if (reason == BIO_RR_CONNECT) |
|
1996 return(SSL_ERROR_WANT_CONNECT); |
|
1997 else if (reason == BIO_RR_ACCEPT) |
|
1998 return(SSL_ERROR_WANT_ACCEPT); |
|
1999 else |
|
2000 return(SSL_ERROR_SYSCALL); /* unknown */ |
|
2001 } |
|
2002 } |
|
2003 |
|
2004 if ((i < 0) && SSL_want_write(s)) |
|
2005 { |
|
2006 bio=SSL_get_wbio(s); |
|
2007 if (BIO_should_write(bio)) |
|
2008 return(SSL_ERROR_WANT_WRITE); |
|
2009 else if (BIO_should_read(bio)) |
|
2010 /* See above (SSL_want_read(s) with BIO_should_write(bio)) */ |
|
2011 return(SSL_ERROR_WANT_READ); |
|
2012 else if (BIO_should_io_special(bio)) |
|
2013 { |
|
2014 reason=BIO_get_retry_reason(bio); |
|
2015 if (reason == BIO_RR_CONNECT) |
|
2016 return(SSL_ERROR_WANT_CONNECT); |
|
2017 else if (reason == BIO_RR_ACCEPT) |
|
2018 return(SSL_ERROR_WANT_ACCEPT); |
|
2019 else |
|
2020 return(SSL_ERROR_SYSCALL); |
|
2021 } |
|
2022 } |
|
2023 if ((i < 0) && SSL_want_x509_lookup(s)) |
|
2024 { |
|
2025 return(SSL_ERROR_WANT_X509_LOOKUP); |
|
2026 } |
|
2027 |
|
2028 if (i == 0) |
|
2029 { |
|
2030 if (s->version == SSL2_VERSION) |
|
2031 { |
|
2032 /* assume it is the socket being closed */ |
|
2033 return(SSL_ERROR_ZERO_RETURN); |
|
2034 } |
|
2035 else |
|
2036 { |
|
2037 if ((s->shutdown & SSL_RECEIVED_SHUTDOWN) && |
|
2038 (s->s3->warn_alert == SSL_AD_CLOSE_NOTIFY)) |
|
2039 return(SSL_ERROR_ZERO_RETURN); |
|
2040 } |
|
2041 } |
|
2042 return(SSL_ERROR_SYSCALL); |
|
2043 } |
|
2044 |
|
2045 EXPORT_C int SSL_do_handshake(SSL *s) |
|
2046 { |
|
2047 int ret=1; |
|
2048 |
|
2049 if (s->handshake_func == NULL) |
|
2050 { |
|
2051 SSLerr(SSL_F_SSL_DO_HANDSHAKE,SSL_R_CONNECTION_TYPE_NOT_SET); |
|
2052 return(-1); |
|
2053 } |
|
2054 |
|
2055 s->method->ssl_renegotiate_check(s); |
|
2056 |
|
2057 if (SSL_in_init(s) || SSL_in_before(s)) |
|
2058 { |
|
2059 ret=s->handshake_func(s); |
|
2060 } |
|
2061 return(ret); |
|
2062 } |
|
2063 |
|
2064 /* For the next 2 functions, SSL_clear() sets shutdown and so |
|
2065 * one of these calls will reset it */ |
|
2066 EXPORT_C void SSL_set_accept_state(SSL *s) |
|
2067 { |
|
2068 s->server=1; |
|
2069 s->shutdown=0; |
|
2070 s->state=SSL_ST_ACCEPT|SSL_ST_BEFORE; |
|
2071 s->handshake_func=s->method->ssl_accept; |
|
2072 /* clear the current cipher */ |
|
2073 ssl_clear_cipher_ctx(s); |
|
2074 } |
|
2075 |
|
2076 EXPORT_C void SSL_set_connect_state(SSL *s) |
|
2077 { |
|
2078 s->server=0; |
|
2079 s->shutdown=0; |
|
2080 s->state=SSL_ST_CONNECT|SSL_ST_BEFORE; |
|
2081 s->handshake_func=s->method->ssl_connect; |
|
2082 /* clear the current cipher */ |
|
2083 ssl_clear_cipher_ctx(s); |
|
2084 } |
|
2085 |
|
2086 int ssl_undefined_function(SSL *s) |
|
2087 { |
|
2088 SSLerr(SSL_F_SSL_UNDEFINED_FUNCTION,ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); |
|
2089 return(0); |
|
2090 } |
|
2091 |
|
2092 int ssl_undefined_void_function(void) |
|
2093 { |
|
2094 SSLerr(SSL_F_SSL_UNDEFINED_VOID_FUNCTION,ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); |
|
2095 return(0); |
|
2096 } |
|
2097 |
|
2098 int ssl_undefined_const_function(const SSL *s) |
|
2099 { |
|
2100 SSLerr(SSL_F_SSL_UNDEFINED_CONST_FUNCTION,ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); |
|
2101 return(0); |
|
2102 } |
|
2103 |
|
2104 SSL_METHOD *ssl_bad_method(int ver) |
|
2105 { |
|
2106 SSLerr(SSL_F_SSL_BAD_METHOD,ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); |
|
2107 return(NULL); |
|
2108 } |
|
2109 |
|
2110 EXPORT_C const char *SSL_get_version(const SSL *s) |
|
2111 { |
|
2112 if (s->version == TLS1_VERSION) |
|
2113 return("TLSv1"); |
|
2114 else if (s->version == SSL3_VERSION) |
|
2115 return("SSLv3"); |
|
2116 else if (s->version == SSL2_VERSION) |
|
2117 return("SSLv2"); |
|
2118 else |
|
2119 return("unknown"); |
|
2120 } |
|
2121 |
|
2122 EXPORT_C SSL *SSL_dup(SSL *s) |
|
2123 { |
|
2124 STACK_OF(X509_NAME) *sk; |
|
2125 X509_NAME *xn; |
|
2126 SSL *ret; |
|
2127 int i; |
|
2128 |
|
2129 if ((ret=SSL_new(SSL_get_SSL_CTX(s))) == NULL) |
|
2130 return(NULL); |
|
2131 |
|
2132 ret->version = s->version; |
|
2133 ret->type = s->type; |
|
2134 ret->method = s->method; |
|
2135 |
|
2136 if (s->session != NULL) |
|
2137 { |
|
2138 /* This copies session-id, SSL_METHOD, sid_ctx, and 'cert' */ |
|
2139 SSL_copy_session_id(ret,s); |
|
2140 } |
|
2141 else |
|
2142 { |
|
2143 /* No session has been established yet, so we have to expect |
|
2144 * that s->cert or ret->cert will be changed later -- |
|
2145 * they should not both point to the same object, |
|
2146 * and thus we can't use SSL_copy_session_id. */ |
|
2147 |
|
2148 ret->method->ssl_free(ret); |
|
2149 ret->method = s->method; |
|
2150 ret->method->ssl_new(ret); |
|
2151 |
|
2152 if (s->cert != NULL) |
|
2153 { |
|
2154 if (ret->cert != NULL) |
|
2155 { |
|
2156 ssl_cert_free(ret->cert); |
|
2157 } |
|
2158 ret->cert = ssl_cert_dup(s->cert); |
|
2159 if (ret->cert == NULL) |
|
2160 goto err; |
|
2161 } |
|
2162 |
|
2163 SSL_set_session_id_context(ret, |
|
2164 s->sid_ctx, s->sid_ctx_length); |
|
2165 } |
|
2166 |
|
2167 ret->options=s->options; |
|
2168 ret->mode=s->mode; |
|
2169 SSL_set_max_cert_list(ret,SSL_get_max_cert_list(s)); |
|
2170 SSL_set_read_ahead(ret,SSL_get_read_ahead(s)); |
|
2171 ret->msg_callback = s->msg_callback; |
|
2172 ret->msg_callback_arg = s->msg_callback_arg; |
|
2173 SSL_set_verify(ret,SSL_get_verify_mode(s), |
|
2174 SSL_get_verify_callback(s)); |
|
2175 SSL_set_verify_depth(ret,SSL_get_verify_depth(s)); |
|
2176 ret->generate_session_id = s->generate_session_id; |
|
2177 |
|
2178 SSL_set_info_callback(ret,SSL_get_info_callback(s)); |
|
2179 |
|
2180 ret->debug=s->debug; |
|
2181 |
|
2182 /* copy app data, a little dangerous perhaps */ |
|
2183 if (!CRYPTO_dup_ex_data(CRYPTO_EX_INDEX_SSL, &ret->ex_data, &s->ex_data)) |
|
2184 goto err; |
|
2185 |
|
2186 /* setup rbio, and wbio */ |
|
2187 if (s->rbio != NULL) |
|
2188 { |
|
2189 if (!BIO_dup_state(s->rbio,(char *)&ret->rbio)) |
|
2190 goto err; |
|
2191 } |
|
2192 if (s->wbio != NULL) |
|
2193 { |
|
2194 if (s->wbio != s->rbio) |
|
2195 { |
|
2196 if (!BIO_dup_state(s->wbio,(char *)&ret->wbio)) |
|
2197 goto err; |
|
2198 } |
|
2199 else |
|
2200 ret->wbio=ret->rbio; |
|
2201 } |
|
2202 ret->rwstate = s->rwstate; |
|
2203 ret->in_handshake = s->in_handshake; |
|
2204 ret->handshake_func = s->handshake_func; |
|
2205 ret->server = s->server; |
|
2206 ret->new_session = s->new_session; |
|
2207 ret->quiet_shutdown = s->quiet_shutdown; |
|
2208 ret->shutdown=s->shutdown; |
|
2209 ret->state=s->state; /* SSL_dup does not really work at any state, though */ |
|
2210 ret->rstate=s->rstate; |
|
2211 ret->init_num = 0; /* would have to copy ret->init_buf, ret->init_msg, ret->init_num, ret->init_off */ |
|
2212 ret->hit=s->hit; |
|
2213 |
|
2214 X509_VERIFY_PARAM_inherit(ret->param, s->param); |
|
2215 |
|
2216 /* dup the cipher_list and cipher_list_by_id stacks */ |
|
2217 if (s->cipher_list != NULL) |
|
2218 { |
|
2219 if ((ret->cipher_list=sk_SSL_CIPHER_dup(s->cipher_list)) == NULL) |
|
2220 goto err; |
|
2221 } |
|
2222 if (s->cipher_list_by_id != NULL) |
|
2223 if ((ret->cipher_list_by_id=sk_SSL_CIPHER_dup(s->cipher_list_by_id)) |
|
2224 == NULL) |
|
2225 goto err; |
|
2226 |
|
2227 /* Dup the client_CA list */ |
|
2228 if (s->client_CA != NULL) |
|
2229 { |
|
2230 if ((sk=sk_X509_NAME_dup(s->client_CA)) == NULL) goto err; |
|
2231 ret->client_CA=sk; |
|
2232 for (i=0; i<sk_X509_NAME_num(sk); i++) |
|
2233 { |
|
2234 xn=sk_X509_NAME_value(sk,i); |
|
2235 if (sk_X509_NAME_set(sk,i,X509_NAME_dup(xn)) == NULL) |
|
2236 { |
|
2237 X509_NAME_free(xn); |
|
2238 goto err; |
|
2239 } |
|
2240 } |
|
2241 } |
|
2242 |
|
2243 if (0) |
|
2244 { |
|
2245 err: |
|
2246 if (ret != NULL) SSL_free(ret); |
|
2247 ret=NULL; |
|
2248 } |
|
2249 return(ret); |
|
2250 } |
|
2251 |
|
2252 void ssl_clear_cipher_ctx(SSL *s) |
|
2253 { |
|
2254 if (s->enc_read_ctx != NULL) |
|
2255 { |
|
2256 EVP_CIPHER_CTX_cleanup(s->enc_read_ctx); |
|
2257 OPENSSL_free(s->enc_read_ctx); |
|
2258 s->enc_read_ctx=NULL; |
|
2259 } |
|
2260 if (s->enc_write_ctx != NULL) |
|
2261 { |
|
2262 EVP_CIPHER_CTX_cleanup(s->enc_write_ctx); |
|
2263 OPENSSL_free(s->enc_write_ctx); |
|
2264 s->enc_write_ctx=NULL; |
|
2265 } |
|
2266 #ifndef OPENSSL_NO_COMP |
|
2267 if (s->expand != NULL) |
|
2268 { |
|
2269 COMP_CTX_free(s->expand); |
|
2270 s->expand=NULL; |
|
2271 } |
|
2272 if (s->compress != NULL) |
|
2273 { |
|
2274 COMP_CTX_free(s->compress); |
|
2275 s->compress=NULL; |
|
2276 } |
|
2277 #endif |
|
2278 } |
|
2279 |
|
2280 /* Fix this function so that it takes an optional type parameter */ |
|
2281 EXPORT_C X509 *SSL_get_certificate(const SSL *s) |
|
2282 { |
|
2283 if (s->cert != NULL) |
|
2284 return(s->cert->key->x509); |
|
2285 else |
|
2286 return(NULL); |
|
2287 } |
|
2288 |
|
2289 /* Fix this function so that it takes an optional type parameter */ |
|
2290 EXPORT_C EVP_PKEY *SSL_get_privatekey(SSL *s) |
|
2291 { |
|
2292 if (s->cert != NULL) |
|
2293 return(s->cert->key->privatekey); |
|
2294 else |
|
2295 return(NULL); |
|
2296 } |
|
2297 |
|
2298 EXPORT_C SSL_CIPHER *SSL_get_current_cipher(const SSL *s) |
|
2299 { |
|
2300 if ((s->session != NULL) && (s->session->cipher != NULL)) |
|
2301 return(s->session->cipher); |
|
2302 return(NULL); |
|
2303 } |
|
2304 #ifdef OPENSSL_NO_COMP |
|
2305 EXPORT_C const void *SSL_get_current_compression(SSL *s) |
|
2306 { |
|
2307 return NULL; |
|
2308 } |
|
2309 EXPORT_C const void *SSL_get_current_expansion(SSL *s) |
|
2310 { |
|
2311 return NULL; |
|
2312 } |
|
2313 #else |
|
2314 |
|
2315 EXPORT_C const COMP_METHOD *SSL_get_current_compression(SSL *s) |
|
2316 { |
|
2317 if (s->compress != NULL) |
|
2318 return(s->compress->meth); |
|
2319 return(NULL); |
|
2320 } |
|
2321 |
|
2322 EXPORT_C const COMP_METHOD *SSL_get_current_expansion(SSL *s) |
|
2323 { |
|
2324 if (s->expand != NULL) |
|
2325 return(s->expand->meth); |
|
2326 return(NULL); |
|
2327 } |
|
2328 #endif |
|
2329 |
|
2330 int ssl_init_wbio_buffer(SSL *s,int push) |
|
2331 { |
|
2332 BIO *bbio; |
|
2333 |
|
2334 if (s->bbio == NULL) |
|
2335 { |
|
2336 bbio=BIO_new(BIO_f_buffer()); |
|
2337 if (bbio == NULL) return(0); |
|
2338 s->bbio=bbio; |
|
2339 } |
|
2340 else |
|
2341 { |
|
2342 bbio=s->bbio; |
|
2343 if (s->bbio == s->wbio) |
|
2344 s->wbio=BIO_pop(s->wbio); |
|
2345 } |
|
2346 (void)BIO_reset(bbio); |
|
2347 /* if (!BIO_set_write_buffer_size(bbio,16*1024)) */ |
|
2348 if (!BIO_set_read_buffer_size(bbio,1)) |
|
2349 { |
|
2350 SSLerr(SSL_F_SSL_INIT_WBIO_BUFFER,ERR_R_BUF_LIB); |
|
2351 return(0); |
|
2352 } |
|
2353 if (push) |
|
2354 { |
|
2355 if (s->wbio != bbio) |
|
2356 s->wbio=BIO_push(bbio,s->wbio); |
|
2357 } |
|
2358 else |
|
2359 { |
|
2360 if (s->wbio == bbio) |
|
2361 s->wbio=BIO_pop(bbio); |
|
2362 } |
|
2363 return(1); |
|
2364 } |
|
2365 |
|
2366 void ssl_free_wbio_buffer(SSL *s) |
|
2367 { |
|
2368 if (s->bbio == NULL) return; |
|
2369 |
|
2370 if (s->bbio == s->wbio) |
|
2371 { |
|
2372 /* remove buffering */ |
|
2373 s->wbio=BIO_pop(s->wbio); |
|
2374 #ifdef REF_CHECK /* not the usual REF_CHECK, but this avoids adding one more preprocessor symbol */ |
|
2375 assert(s->wbio != NULL); |
|
2376 #endif |
|
2377 } |
|
2378 BIO_free(s->bbio); |
|
2379 s->bbio=NULL; |
|
2380 } |
|
2381 |
|
2382 EXPORT_C void SSL_CTX_set_quiet_shutdown(SSL_CTX *ctx,int mode) |
|
2383 { |
|
2384 ctx->quiet_shutdown=mode; |
|
2385 } |
|
2386 |
|
2387 EXPORT_C int SSL_CTX_get_quiet_shutdown(const SSL_CTX *ctx) |
|
2388 { |
|
2389 return(ctx->quiet_shutdown); |
|
2390 } |
|
2391 |
|
2392 EXPORT_C void SSL_set_quiet_shutdown(SSL *s,int mode) |
|
2393 { |
|
2394 s->quiet_shutdown=mode; |
|
2395 } |
|
2396 |
|
2397 EXPORT_C int SSL_get_quiet_shutdown(const SSL *s) |
|
2398 { |
|
2399 return(s->quiet_shutdown); |
|
2400 } |
|
2401 |
|
2402 EXPORT_C void SSL_set_shutdown(SSL *s,int mode) |
|
2403 { |
|
2404 s->shutdown=mode; |
|
2405 } |
|
2406 |
|
2407 EXPORT_C int SSL_get_shutdown(const SSL *s) |
|
2408 { |
|
2409 return(s->shutdown); |
|
2410 } |
|
2411 |
|
2412 EXPORT_C int SSL_version(const SSL *s) |
|
2413 { |
|
2414 return(s->version); |
|
2415 } |
|
2416 |
|
2417 EXPORT_C SSL_CTX *SSL_get_SSL_CTX(const SSL *ssl) |
|
2418 { |
|
2419 return(ssl->ctx); |
|
2420 } |
|
2421 |
|
2422 EXPORT_C SSL_CTX *SSL_set_SSL_CTX(SSL *ssl, SSL_CTX* ctx) |
|
2423 { |
|
2424 if (ssl->ctx == ctx) |
|
2425 return ssl->ctx; |
|
2426 |
|
2427 if (ssl->cert != NULL) |
|
2428 ssl_cert_free(ssl->cert); |
|
2429 ssl->cert = ssl_cert_dup(ctx->cert); |
|
2430 CRYPTO_add(&ctx->references,1,CRYPTO_LOCK_SSL_CTX); |
|
2431 if (ssl->ctx != NULL) |
|
2432 SSL_CTX_free(ssl->ctx); /* decrement reference count */ |
|
2433 ssl->ctx = ctx; |
|
2434 return(ssl->ctx); |
|
2435 } |
|
2436 #ifndef OPENSSL_NO_STDIO |
|
2437 EXPORT_C int SSL_CTX_set_default_verify_paths(SSL_CTX *ctx) |
|
2438 { |
|
2439 return(X509_STORE_set_default_paths(ctx->cert_store)); |
|
2440 } |
|
2441 |
|
2442 EXPORT_C int SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile, |
|
2443 const char *CApath) |
|
2444 { |
|
2445 return(X509_STORE_load_locations(ctx->cert_store,CAfile,CApath)); |
|
2446 } |
|
2447 #endif |
|
2448 |
|
2449 EXPORT_C void SSL_set_info_callback(SSL *ssl, |
|
2450 void (*cb)(const SSL *ssl,int type,int val)) |
|
2451 { |
|
2452 ssl->info_callback=cb; |
|
2453 } |
|
2454 |
|
2455 /* One compiler (Diab DCC) doesn't like argument names in returned |
|
2456 function pointer. */ |
|
2457 EXPORT_C void (*SSL_get_info_callback(const SSL *ssl))(const SSL * /*ssl*/,int /*type*/,int /*val*/) |
|
2458 { |
|
2459 return ssl->info_callback; |
|
2460 } |
|
2461 |
|
2462 EXPORT_C int SSL_state(const SSL *ssl) |
|
2463 { |
|
2464 return(ssl->state); |
|
2465 } |
|
2466 |
|
2467 EXPORT_C void SSL_set_verify_result(SSL *ssl,long arg) |
|
2468 { |
|
2469 ssl->verify_result=arg; |
|
2470 } |
|
2471 |
|
2472 EXPORT_C long SSL_get_verify_result(const SSL *ssl) |
|
2473 { |
|
2474 return(ssl->verify_result); |
|
2475 } |
|
2476 |
|
2477 EXPORT_C int SSL_get_ex_new_index(long argl,void *argp,CRYPTO_EX_new *new_func, |
|
2478 CRYPTO_EX_dup *dup_func,CRYPTO_EX_free *free_func) |
|
2479 { |
|
2480 return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_SSL, argl, argp, |
|
2481 new_func, dup_func, free_func); |
|
2482 } |
|
2483 |
|
2484 EXPORT_C int SSL_set_ex_data(SSL *s,int idx,void *arg) |
|
2485 { |
|
2486 return(CRYPTO_set_ex_data(&s->ex_data,idx,arg)); |
|
2487 } |
|
2488 |
|
2489 EXPORT_C void *SSL_get_ex_data(const SSL *s,int idx) |
|
2490 { |
|
2491 return(CRYPTO_get_ex_data(&s->ex_data,idx)); |
|
2492 } |
|
2493 |
|
2494 EXPORT_C int SSL_CTX_get_ex_new_index(long argl,void *argp,CRYPTO_EX_new *new_func, |
|
2495 CRYPTO_EX_dup *dup_func,CRYPTO_EX_free *free_func) |
|
2496 { |
|
2497 return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_SSL_CTX, argl, argp, |
|
2498 new_func, dup_func, free_func); |
|
2499 } |
|
2500 |
|
2501 EXPORT_C int SSL_CTX_set_ex_data(SSL_CTX *s,int idx,void *arg) |
|
2502 { |
|
2503 return(CRYPTO_set_ex_data(&s->ex_data,idx,arg)); |
|
2504 } |
|
2505 |
|
2506 EXPORT_C void *SSL_CTX_get_ex_data(const SSL_CTX *s,int idx) |
|
2507 { |
|
2508 return(CRYPTO_get_ex_data(&s->ex_data,idx)); |
|
2509 } |
|
2510 |
|
2511 int ssl_ok(SSL *s) |
|
2512 { |
|
2513 return(1); |
|
2514 } |
|
2515 |
|
2516 EXPORT_C X509_STORE *SSL_CTX_get_cert_store(const SSL_CTX *ctx) |
|
2517 { |
|
2518 return(ctx->cert_store); |
|
2519 } |
|
2520 |
|
2521 EXPORT_C void SSL_CTX_set_cert_store(SSL_CTX *ctx,X509_STORE *store) |
|
2522 { |
|
2523 if (ctx->cert_store != NULL) |
|
2524 X509_STORE_free(ctx->cert_store); |
|
2525 ctx->cert_store=store; |
|
2526 } |
|
2527 |
|
2528 EXPORT_C int SSL_want(const SSL *s) |
|
2529 { |
|
2530 return(s->rwstate); |
|
2531 } |
|
2532 |
|
2533 /*! |
|
2534 * \brief Set the callback for generating temporary RSA keys. |
|
2535 * \param ctx the SSL context. |
|
2536 * \param cb the callback |
|
2537 */ |
|
2538 |
|
2539 #ifndef OPENSSL_NO_RSA |
|
2540 EXPORT_C void SSL_CTX_set_tmp_rsa_callback(SSL_CTX *ctx,RSA *(*cb)(SSL *ssl, |
|
2541 int is_export, |
|
2542 int keylength)) |
|
2543 { |
|
2544 SSL_CTX_callback_ctrl(ctx,SSL_CTRL_SET_TMP_RSA_CB,(void (*)(void))cb); |
|
2545 } |
|
2546 |
|
2547 EXPORT_C void SSL_set_tmp_rsa_callback(SSL *ssl,RSA *(*cb)(SSL *ssl, |
|
2548 int is_export, |
|
2549 int keylength)) |
|
2550 { |
|
2551 SSL_callback_ctrl(ssl,SSL_CTRL_SET_TMP_RSA_CB,(void (*)(void))cb); |
|
2552 } |
|
2553 #endif |
|
2554 |
|
2555 #ifdef DOXYGEN |
|
2556 /*! |
|
2557 * \brief The RSA temporary key callback function. |
|
2558 * \param ssl the SSL session. |
|
2559 * \param is_export \c TRUE if the temp RSA key is for an export ciphersuite. |
|
2560 * \param keylength if \c is_export is \c TRUE, then \c keylength is the size |
|
2561 * of the required key in bits. |
|
2562 * \return the temporary RSA key. |
|
2563 * \sa SSL_CTX_set_tmp_rsa_callback, SSL_set_tmp_rsa_callback |
|
2564 */ |
|
2565 |
|
2566 RSA *cb(SSL *ssl,int is_export,int keylength) |
|
2567 {} |
|
2568 #endif |
|
2569 |
|
2570 /*! |
|
2571 * \brief Set the callback for generating temporary DH keys. |
|
2572 * \param ctx the SSL context. |
|
2573 * \param dh the callback |
|
2574 */ |
|
2575 |
|
2576 #ifndef OPENSSL_NO_DH |
|
2577 EXPORT_C void SSL_CTX_set_tmp_dh_callback(SSL_CTX *ctx,DH *(*dh)(SSL *ssl,int is_export, |
|
2578 int keylength)) |
|
2579 { |
|
2580 SSL_CTX_callback_ctrl(ctx,SSL_CTRL_SET_TMP_DH_CB,(void (*)(void))dh); |
|
2581 } |
|
2582 |
|
2583 EXPORT_C void SSL_set_tmp_dh_callback(SSL *ssl,DH *(*dh)(SSL *ssl,int is_export, |
|
2584 int keylength)) |
|
2585 { |
|
2586 SSL_callback_ctrl(ssl,SSL_CTRL_SET_TMP_DH_CB,(void (*)(void))dh); |
|
2587 } |
|
2588 #endif |
|
2589 |
|
2590 #ifndef OPENSSL_NO_ECDH |
|
2591 EXPORT_C void SSL_CTX_set_tmp_ecdh_callback(SSL_CTX *ctx,EC_KEY *(*ecdh)(SSL *ssl,int is_export, |
|
2592 int keylength)) |
|
2593 { |
|
2594 SSL_CTX_callback_ctrl(ctx,SSL_CTRL_SET_TMP_ECDH_CB,(void (*)(void))ecdh); |
|
2595 } |
|
2596 |
|
2597 EXPORT_C void SSL_set_tmp_ecdh_callback(SSL *ssl,EC_KEY *(*ecdh)(SSL *ssl,int is_export, |
|
2598 int keylength)) |
|
2599 { |
|
2600 SSL_callback_ctrl(ssl,SSL_CTRL_SET_TMP_ECDH_CB,(void (*)(void))ecdh); |
|
2601 } |
|
2602 #endif |
|
2603 |
|
2604 |
|
2605 EXPORT_C void SSL_CTX_set_msg_callback(SSL_CTX *ctx, void (*cb)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg)) |
|
2606 { |
|
2607 SSL_CTX_callback_ctrl(ctx, SSL_CTRL_SET_MSG_CALLBACK, (void (*)(void))cb); |
|
2608 } |
|
2609 EXPORT_C void SSL_set_msg_callback(SSL *ssl, void (*cb)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg)) |
|
2610 { |
|
2611 SSL_callback_ctrl(ssl, SSL_CTRL_SET_MSG_CALLBACK, (void (*)(void))cb); |
|
2612 } |
|
2613 |
|
2614 |
|
2615 |
|
2616 #if defined(_WINDLL) && defined(OPENSSL_SYS_WIN16) |
|
2617 #include "../crypto/bio/bss_file.c" |
|
2618 #endif |
|
2619 |
|
2620 IMPLEMENT_STACK_OF(SSL_CIPHER) |
|
2621 IMPLEMENT_STACK_OF(SSL_COMP) |