ssl_lib.c revision 120631
155714Skris/*! \file ssl/ssl_lib.c 255714Skris * \brief Version independent SSL functions. 355714Skris */ 455714Skris/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 555714Skris * All rights reserved. 655714Skris * 755714Skris * This package is an SSL implementation written 855714Skris * by Eric Young (eay@cryptsoft.com). 955714Skris * The implementation was written so as to conform with Netscapes SSL. 1055714Skris * 1155714Skris * This library is free for commercial and non-commercial use as long as 1255714Skris * the following conditions are aheared to. The following conditions 1355714Skris * apply to all code found in this distribution, be it the RC4, RSA, 1455714Skris * lhash, DES, etc., code; not just the SSL code. The SSL documentation 1555714Skris * included with this distribution is covered by the same copyright terms 1655714Skris * except that the holder is Tim Hudson (tjh@cryptsoft.com). 1755714Skris * 1855714Skris * Copyright remains Eric Young's, and as such any Copyright notices in 1955714Skris * the code are not to be removed. 2055714Skris * If this package is used in a product, Eric Young should be given attribution 2155714Skris * as the author of the parts of the library used. 2255714Skris * This can be in the form of a textual message at program startup or 2355714Skris * in documentation (online or textual) provided with the package. 2455714Skris * 2555714Skris * Redistribution and use in source and binary forms, with or without 2655714Skris * modification, are permitted provided that the following conditions 2755714Skris * are met: 2855714Skris * 1. Redistributions of source code must retain the copyright 2955714Skris * notice, this list of conditions and the following disclaimer. 3055714Skris * 2. Redistributions in binary form must reproduce the above copyright 3155714Skris * notice, this list of conditions and the following disclaimer in the 3255714Skris * documentation and/or other materials provided with the distribution. 3355714Skris * 3. All advertising materials mentioning features or use of this software 3455714Skris * must display the following acknowledgement: 3555714Skris * "This product includes cryptographic software written by 3655714Skris * Eric Young (eay@cryptsoft.com)" 3755714Skris * The word 'cryptographic' can be left out if the rouines from the library 3855714Skris * being used are not cryptographic related :-). 3955714Skris * 4. If you include any Windows specific code (or a derivative thereof) from 4055714Skris * the apps directory (application code) you must include an acknowledgement: 4155714Skris * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 4255714Skris * 4355714Skris * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 4455714Skris * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 4555714Skris * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 4655714Skris * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 4755714Skris * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 4855714Skris * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 4955714Skris * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 5055714Skris * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 5155714Skris * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 5255714Skris * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 5355714Skris * SUCH DAMAGE. 5455714Skris * 5555714Skris * The licence and distribution terms for any publically available version or 5655714Skris * derivative of this code cannot be changed. i.e. this code cannot simply be 5755714Skris * copied and put under another distribution licence 5855714Skris * [including the GNU Public Licence.] 5955714Skris */ 60109998Smarkm/* ==================================================================== 61109998Smarkm * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved. 62109998Smarkm * 63109998Smarkm * Redistribution and use in source and binary forms, with or without 64109998Smarkm * modification, are permitted provided that the following conditions 65109998Smarkm * are met: 66109998Smarkm * 67109998Smarkm * 1. Redistributions of source code must retain the above copyright 68109998Smarkm * notice, this list of conditions and the following disclaimer. 69109998Smarkm * 70109998Smarkm * 2. Redistributions in binary form must reproduce the above copyright 71109998Smarkm * notice, this list of conditions and the following disclaimer in 72109998Smarkm * the documentation and/or other materials provided with the 73109998Smarkm * distribution. 74109998Smarkm * 75109998Smarkm * 3. All advertising materials mentioning features or use of this 76109998Smarkm * software must display the following acknowledgment: 77109998Smarkm * "This product includes software developed by the OpenSSL Project 78109998Smarkm * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 79109998Smarkm * 80109998Smarkm * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 81109998Smarkm * endorse or promote products derived from this software without 82109998Smarkm * prior written permission. For written permission, please contact 83109998Smarkm * openssl-core@openssl.org. 84109998Smarkm * 85109998Smarkm * 5. Products derived from this software may not be called "OpenSSL" 86109998Smarkm * nor may "OpenSSL" appear in their names without prior written 87109998Smarkm * permission of the OpenSSL Project. 88109998Smarkm * 89109998Smarkm * 6. Redistributions of any form whatsoever must retain the following 90109998Smarkm * acknowledgment: 91109998Smarkm * "This product includes software developed by the OpenSSL Project 92109998Smarkm * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 93109998Smarkm * 94109998Smarkm * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 95109998Smarkm * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 96109998Smarkm * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 97109998Smarkm * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 98109998Smarkm * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 99109998Smarkm * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 100109998Smarkm * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 101109998Smarkm * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 102109998Smarkm * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 103109998Smarkm * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 104109998Smarkm * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 105109998Smarkm * OF THE POSSIBILITY OF SUCH DAMAGE. 106109998Smarkm * ==================================================================== 107109998Smarkm * 108109998Smarkm * This product includes cryptographic software written by Eric Young 109109998Smarkm * (eay@cryptsoft.com). This product includes software written by Tim 110109998Smarkm * Hudson (tjh@cryptsoft.com). 111109998Smarkm * 112109998Smarkm */ 11355714Skris 11468651Skris 115109998Smarkm#ifdef REF_CHECK 116109998Smarkm# include <assert.h> 117109998Smarkm#endif 11855714Skris#include <stdio.h> 119109998Smarkm#include "ssl_locl.h" 120109998Smarkm#include "kssl_lcl.h" 12155714Skris#include <openssl/objects.h> 12255714Skris#include <openssl/lhash.h> 12359191Skris#include <openssl/x509v3.h> 124109998Smarkm#include "cryptlib.h" 12555714Skris 12659191Skrisconst char *SSL_version_str=OPENSSL_VERSION_TEXT; 12755714Skris 12855714SkrisOPENSSL_GLOBAL SSL3_ENC_METHOD ssl3_undef_enc_method={ 12959191Skris /* evil casts, but these functions are only called if there's a library bug */ 13059191Skris (int (*)(SSL *,int))ssl_undefined_function, 13159191Skris (int (*)(SSL *, unsigned char *, int))ssl_undefined_function, 13255714Skris ssl_undefined_function, 13359191Skris (int (*)(SSL *, unsigned char *, unsigned char *, int))ssl_undefined_function, 13459191Skris (int (*)(SSL*, int))ssl_undefined_function, 13559191Skris (int (*)(SSL *, EVP_MD_CTX *, EVP_MD_CTX *, const char*, int, unsigned char *))ssl_undefined_function 13655714Skris }; 13755714Skris 13855714Skrisint SSL_clear(SSL *s) 13955714Skris { 14055714Skris 14155714Skris if (s->method == NULL) 14255714Skris { 14355714Skris SSLerr(SSL_F_SSL_CLEAR,SSL_R_NO_METHOD_SPECIFIED); 14455714Skris return(0); 14555714Skris } 14655714Skris 147100928Snectar if (ssl_clear_bad_session(s)) 148100928Snectar { 149100928Snectar SSL_SESSION_free(s->session); 150100928Snectar s->session=NULL; 151100928Snectar } 152100928Snectar 15355714Skris s->error=0; 15455714Skris s->hit=0; 15555714Skris s->shutdown=0; 15655714Skris 15759191Skris#if 0 /* Disabled since version 1.10 of this file (early return not 15859191Skris * needed because SSL_clear is not called when doing renegotiation) */ 15955714Skris /* This is set if we are doing dynamic renegotiation so keep 16055714Skris * the old cipher. It is sort of a SSL_clear_lite :-) */ 16155714Skris if (s->new_session) return(1); 16259191Skris#else 16359191Skris if (s->new_session) 16459191Skris { 165109998Smarkm SSLerr(SSL_F_SSL_CLEAR,ERR_R_INTERNAL_ERROR); 16659191Skris return 0; 16759191Skris } 16855714Skris#endif 16955714Skris 17055714Skris s->type=0; 17155714Skris 17255714Skris s->state=SSL_ST_BEFORE|((s->server)?SSL_ST_ACCEPT:SSL_ST_CONNECT); 17355714Skris 17455714Skris s->version=s->method->version; 17555714Skris s->client_version=s->version; 17655714Skris s->rwstate=SSL_NOTHING; 17755714Skris s->rstate=SSL_ST_READ_HEADER; 17872613Skris#if 0 17955714Skris s->read_ahead=s->ctx->read_ahead; 18072613Skris#endif 18155714Skris 18255714Skris if (s->init_buf != NULL) 18355714Skris { 18455714Skris BUF_MEM_free(s->init_buf); 18555714Skris s->init_buf=NULL; 18655714Skris } 18755714Skris 18855714Skris ssl_clear_cipher_ctx(s); 18955714Skris 19055714Skris s->first_packet=0; 19155714Skris 19255714Skris#if 1 19355714Skris /* Check to see if we were changed into a different method, if 19455714Skris * so, revert back if we are not doing session-id reuse. */ 19589837Skris if (!s->in_handshake && (s->session == NULL) && (s->method != s->ctx->method)) 19655714Skris { 19755714Skris s->method->ssl_free(s); 19855714Skris s->method=s->ctx->method; 19955714Skris if (!s->method->ssl_new(s)) 20055714Skris return(0); 20155714Skris } 20255714Skris else 20355714Skris#endif 20455714Skris s->method->ssl_clear(s); 20555714Skris return(1); 20655714Skris } 20755714Skris 20855714Skris/** Used to change an SSL_CTXs default SSL method type */ 20955714Skrisint SSL_CTX_set_ssl_version(SSL_CTX *ctx,SSL_METHOD *meth) 21055714Skris { 21155714Skris STACK_OF(SSL_CIPHER) *sk; 21255714Skris 21355714Skris ctx->method=meth; 21455714Skris 21555714Skris sk=ssl_create_cipher_list(ctx->method,&(ctx->cipher_list), 21655714Skris &(ctx->cipher_list_by_id),SSL_DEFAULT_CIPHER_LIST); 21755714Skris if ((sk == NULL) || (sk_SSL_CIPHER_num(sk) <= 0)) 21855714Skris { 21955714Skris SSLerr(SSL_F_SSL_CTX_SET_SSL_VERSION,SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS); 22055714Skris return(0); 22155714Skris } 22255714Skris return(1); 22355714Skris } 22455714Skris 22555714SkrisSSL *SSL_new(SSL_CTX *ctx) 22655714Skris { 22755714Skris SSL *s; 22855714Skris 22955714Skris if (ctx == NULL) 23055714Skris { 23155714Skris SSLerr(SSL_F_SSL_NEW,SSL_R_NULL_SSL_CTX); 23255714Skris return(NULL); 23355714Skris } 23455714Skris if (ctx->method == NULL) 23555714Skris { 23655714Skris SSLerr(SSL_F_SSL_NEW,SSL_R_SSL_CTX_HAS_NO_DEFAULT_SSL_VERSION); 23755714Skris return(NULL); 23855714Skris } 23955714Skris 24068651Skris s=(SSL *)OPENSSL_malloc(sizeof(SSL)); 24155714Skris if (s == NULL) goto err; 24255714Skris memset(s,0,sizeof(SSL)); 24355714Skris 244109998Smarkm#ifndef OPENSSL_NO_KRB5 245109998Smarkm s->kssl_ctx = kssl_ctx_new(); 246109998Smarkm#endif /* OPENSSL_NO_KRB5 */ 247109998Smarkm 248109998Smarkm s->options=ctx->options; 249109998Smarkm s->mode=ctx->mode; 250109998Smarkm s->max_cert_list=ctx->max_cert_list; 251109998Smarkm 25255714Skris if (ctx->cert != NULL) 25355714Skris { 25455714Skris /* Earlier library versions used to copy the pointer to 25555714Skris * the CERT, not its contents; only when setting new 25655714Skris * parameters for the per-SSL copy, ssl_cert_new would be 25755714Skris * called (and the direct reference to the per-SSL_CTX 25855714Skris * settings would be lost, but those still were indirectly 25955714Skris * accessed for various purposes, and for that reason they 26055714Skris * used to be known as s->ctx->default_cert). 26155714Skris * Now we don't look at the SSL_CTX's CERT after having 26255714Skris * duplicated it once. */ 26355714Skris 26455714Skris s->cert = ssl_cert_dup(ctx->cert); 26555714Skris if (s->cert == NULL) 26655714Skris goto err; 26755714Skris } 26855714Skris else 26955714Skris s->cert=NULL; /* Cannot really happen (see SSL_CTX_new) */ 270109998Smarkm 271109998Smarkm s->read_ahead=ctx->read_ahead; 272109998Smarkm s->msg_callback=ctx->msg_callback; 273109998Smarkm s->msg_callback_arg=ctx->msg_callback_arg; 274109998Smarkm s->verify_mode=ctx->verify_mode; 275109998Smarkm s->verify_depth=ctx->verify_depth; 27655714Skris s->sid_ctx_length=ctx->sid_ctx_length; 277109998Smarkm OPENSSL_assert(s->sid_ctx_length <= sizeof s->sid_ctx); 27855714Skris memcpy(&s->sid_ctx,&ctx->sid_ctx,sizeof(s->sid_ctx)); 27955714Skris s->verify_callback=ctx->default_verify_callback; 280109998Smarkm s->generate_session_id=ctx->generate_session_id; 28159191Skris s->purpose = ctx->purpose; 28259191Skris s->trust = ctx->trust; 283109998Smarkm s->quiet_shutdown=ctx->quiet_shutdown; 284109998Smarkm 28555714Skris CRYPTO_add(&ctx->references,1,CRYPTO_LOCK_SSL_CTX); 28655714Skris s->ctx=ctx; 28755714Skris 28855714Skris s->verify_result=X509_V_OK; 28955714Skris 29055714Skris s->method=ctx->method; 29155714Skris 29255714Skris if (!s->method->ssl_new(s)) 29355714Skris goto err; 29455714Skris 29555714Skris s->references=1; 29655714Skris s->server=(ctx->method->ssl_accept == ssl_undefined_function)?0:1; 297109998Smarkm 29855714Skris SSL_clear(s); 29955714Skris 300109998Smarkm CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL, s, &s->ex_data); 30155714Skris 30255714Skris return(s); 30355714Skriserr: 30455714Skris if (s != NULL) 30555714Skris { 30655714Skris if (s->cert != NULL) 30755714Skris ssl_cert_free(s->cert); 30855714Skris if (s->ctx != NULL) 30955714Skris SSL_CTX_free(s->ctx); /* decrement reference count */ 31068651Skris OPENSSL_free(s); 31155714Skris } 31255714Skris SSLerr(SSL_F_SSL_NEW,ERR_R_MALLOC_FAILURE); 31355714Skris return(NULL); 31455714Skris } 31555714Skris 31655714Skrisint SSL_CTX_set_session_id_context(SSL_CTX *ctx,const unsigned char *sid_ctx, 31755714Skris unsigned int sid_ctx_len) 31855714Skris { 319109998Smarkm if(sid_ctx_len > sizeof ctx->sid_ctx) 32055714Skris { 32155714Skris SSLerr(SSL_F_SSL_CTX_SET_SESSION_ID_CONTEXT,SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG); 32255714Skris return 0; 32355714Skris } 32455714Skris ctx->sid_ctx_length=sid_ctx_len; 32555714Skris memcpy(ctx->sid_ctx,sid_ctx,sid_ctx_len); 32655714Skris 32755714Skris return 1; 32855714Skris } 32955714Skris 33055714Skrisint SSL_set_session_id_context(SSL *ssl,const unsigned char *sid_ctx, 33155714Skris unsigned int sid_ctx_len) 33255714Skris { 33355714Skris if(sid_ctx_len > SSL_MAX_SID_CTX_LENGTH) 33455714Skris { 33555714Skris SSLerr(SSL_F_SSL_SET_SESSION_ID_CONTEXT,SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG); 33655714Skris return 0; 33755714Skris } 33855714Skris ssl->sid_ctx_length=sid_ctx_len; 33955714Skris memcpy(ssl->sid_ctx,sid_ctx,sid_ctx_len); 34055714Skris 34155714Skris return 1; 34255714Skris } 34355714Skris 344109998Smarkmint SSL_CTX_set_generate_session_id(SSL_CTX *ctx, GEN_SESSION_CB cb) 345109998Smarkm { 346109998Smarkm CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX); 347109998Smarkm ctx->generate_session_id = cb; 348109998Smarkm CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX); 349109998Smarkm return 1; 35059191Skris } 351109998Smarkm 352109998Smarkmint SSL_set_generate_session_id(SSL *ssl, GEN_SESSION_CB cb) 353109998Smarkm { 354109998Smarkm CRYPTO_w_lock(CRYPTO_LOCK_SSL); 355109998Smarkm ssl->generate_session_id = cb; 356109998Smarkm CRYPTO_w_unlock(CRYPTO_LOCK_SSL); 35759191Skris return 1; 358109998Smarkm } 35959191Skris 360109998Smarkmint SSL_has_matching_session_id(const SSL *ssl, const unsigned char *id, 361109998Smarkm unsigned int id_len) 362109998Smarkm { 363109998Smarkm /* A quick examination of SSL_SESSION_hash and SSL_SESSION_cmp shows how 364109998Smarkm * we can "construct" a session to give us the desired check - ie. to 365109998Smarkm * find if there's a session in the hash table that would conflict with 366109998Smarkm * any new session built out of this id/id_len and the ssl_version in 367109998Smarkm * use by this SSL. */ 368109998Smarkm SSL_SESSION r, *p; 369109998Smarkm 370109998Smarkm if(id_len > sizeof r.session_id) 37159191Skris return 0; 372109998Smarkm 373109998Smarkm r.ssl_version = ssl->version; 374109998Smarkm r.session_id_length = id_len; 375109998Smarkm memcpy(r.session_id, id, id_len); 376109998Smarkm /* NB: SSLv2 always uses a fixed 16-byte session ID, so even if a 377109998Smarkm * callback is calling us to check the uniqueness of a shorter ID, it 378109998Smarkm * must be compared as a padded-out ID because that is what it will be 379109998Smarkm * converted to when the callback has finished choosing it. */ 380109998Smarkm if((r.ssl_version == SSL2_VERSION) && 381109998Smarkm (id_len < SSL2_SSL_SESSION_ID_LENGTH)) 382109998Smarkm { 383109998Smarkm memset(r.session_id + id_len, 0, 384109998Smarkm SSL2_SSL_SESSION_ID_LENGTH - id_len); 385109998Smarkm r.session_id_length = SSL2_SSL_SESSION_ID_LENGTH; 386109998Smarkm } 387109998Smarkm 388109998Smarkm CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX); 389109998Smarkm p = (SSL_SESSION *)lh_retrieve(ssl->ctx->sessions, &r); 390109998Smarkm CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX); 391109998Smarkm return (p != NULL); 39259191Skris } 393109998Smarkm 394109998Smarkmint SSL_CTX_set_purpose(SSL_CTX *s, int purpose) 395109998Smarkm { 396109998Smarkm return X509_PURPOSE_set(&s->purpose, purpose); 397109998Smarkm } 398109998Smarkm 399109998Smarkmint SSL_set_purpose(SSL *s, int purpose) 400109998Smarkm { 401109998Smarkm return X509_PURPOSE_set(&s->purpose, purpose); 402109998Smarkm } 403109998Smarkm 40459191Skrisint SSL_CTX_set_trust(SSL_CTX *s, int trust) 405109998Smarkm { 406109998Smarkm return X509_TRUST_set(&s->trust, trust); 40759191Skris } 40859191Skris 40959191Skrisint SSL_set_trust(SSL *s, int trust) 410109998Smarkm { 411109998Smarkm return X509_TRUST_set(&s->trust, trust); 41259191Skris } 41359191Skris 41455714Skrisvoid SSL_free(SSL *s) 41555714Skris { 41655714Skris int i; 41755714Skris 41855714Skris if(s == NULL) 41955714Skris return; 42055714Skris 42155714Skris i=CRYPTO_add(&s->references,-1,CRYPTO_LOCK_SSL); 42255714Skris#ifdef REF_PRINT 42355714Skris REF_PRINT("SSL",s); 42455714Skris#endif 42555714Skris if (i > 0) return; 42655714Skris#ifdef REF_CHECK 42755714Skris if (i < 0) 42855714Skris { 42955714Skris fprintf(stderr,"SSL_free, bad reference count\n"); 43055714Skris abort(); /* ok */ 43155714Skris } 43255714Skris#endif 43355714Skris 434109998Smarkm CRYPTO_free_ex_data(CRYPTO_EX_INDEX_SSL, s, &s->ex_data); 43555714Skris 43655714Skris if (s->bbio != NULL) 43755714Skris { 43855714Skris /* If the buffering BIO is in place, pop it off */ 43955714Skris if (s->bbio == s->wbio) 44055714Skris { 44155714Skris s->wbio=BIO_pop(s->wbio); 44255714Skris } 44355714Skris BIO_free(s->bbio); 44455714Skris s->bbio=NULL; 44555714Skris } 44655714Skris if (s->rbio != NULL) 44755714Skris BIO_free_all(s->rbio); 44855714Skris if ((s->wbio != NULL) && (s->wbio != s->rbio)) 44955714Skris BIO_free_all(s->wbio); 45055714Skris 45155714Skris if (s->init_buf != NULL) BUF_MEM_free(s->init_buf); 45255714Skris 45355714Skris /* add extra stuff */ 45455714Skris if (s->cipher_list != NULL) sk_SSL_CIPHER_free(s->cipher_list); 45555714Skris if (s->cipher_list_by_id != NULL) sk_SSL_CIPHER_free(s->cipher_list_by_id); 45655714Skris 45755714Skris /* Make the next call work :-) */ 45855714Skris if (s->session != NULL) 45955714Skris { 46055714Skris ssl_clear_bad_session(s); 46155714Skris SSL_SESSION_free(s->session); 46255714Skris } 46355714Skris 46455714Skris ssl_clear_cipher_ctx(s); 46555714Skris 46655714Skris if (s->cert != NULL) ssl_cert_free(s->cert); 46755714Skris /* Free up if allocated */ 46855714Skris 46955714Skris if (s->ctx) SSL_CTX_free(s->ctx); 47055714Skris 47155714Skris if (s->client_CA != NULL) 47255714Skris sk_X509_NAME_pop_free(s->client_CA,X509_NAME_free); 47355714Skris 47455714Skris if (s->method != NULL) s->method->ssl_free(s); 47555714Skris 476120631Snectar#ifndef OPENSSL_NO_KRB5 477120631Snectar if (s->kssl_ctx != NULL) 478120631Snectar kssl_ctx_free(s->kssl_ctx); 479120631Snectar#endif /* OPENSSL_NO_KRB5 */ 480120631Snectar 48168651Skris OPENSSL_free(s); 48255714Skris } 48355714Skris 48455714Skrisvoid SSL_set_bio(SSL *s,BIO *rbio,BIO *wbio) 48555714Skris { 48655714Skris /* If the output buffering BIO is still in place, remove it 48755714Skris */ 48855714Skris if (s->bbio != NULL) 48955714Skris { 49055714Skris if (s->wbio == s->bbio) 49155714Skris { 49255714Skris s->wbio=s->wbio->next_bio; 49355714Skris s->bbio->next_bio=NULL; 49455714Skris } 49555714Skris } 49655714Skris if ((s->rbio != NULL) && (s->rbio != rbio)) 49755714Skris BIO_free_all(s->rbio); 49855714Skris if ((s->wbio != NULL) && (s->wbio != wbio) && (s->rbio != s->wbio)) 49955714Skris BIO_free_all(s->wbio); 50055714Skris s->rbio=rbio; 50155714Skris s->wbio=wbio; 50255714Skris } 50355714Skris 50455714SkrisBIO *SSL_get_rbio(SSL *s) 50555714Skris { return(s->rbio); } 50655714Skris 50755714SkrisBIO *SSL_get_wbio(SSL *s) 50855714Skris { return(s->wbio); } 50955714Skris 51055714Skrisint SSL_get_fd(SSL *s) 51155714Skris { 51289837Skris return(SSL_get_rfd(s)); 51389837Skris } 51489837Skris 51589837Skrisint SSL_get_rfd(SSL *s) 51689837Skris { 51755714Skris int ret= -1; 51855714Skris BIO *b,*r; 51955714Skris 52055714Skris b=SSL_get_rbio(s); 52155714Skris r=BIO_find_type(b,BIO_TYPE_DESCRIPTOR); 52255714Skris if (r != NULL) 52355714Skris BIO_get_fd(r,&ret); 52455714Skris return(ret); 52555714Skris } 52655714Skris 52789837Skrisint SSL_get_wfd(SSL *s) 52889837Skris { 52989837Skris int ret= -1; 53089837Skris BIO *b,*r; 53189837Skris 53289837Skris b=SSL_get_wbio(s); 53389837Skris r=BIO_find_type(b,BIO_TYPE_DESCRIPTOR); 53489837Skris if (r != NULL) 53589837Skris BIO_get_fd(r,&ret); 53689837Skris return(ret); 53789837Skris } 53889837Skris 539109998Smarkm#ifndef OPENSSL_NO_SOCK 54055714Skrisint SSL_set_fd(SSL *s,int fd) 54155714Skris { 54255714Skris int ret=0; 54355714Skris BIO *bio=NULL; 54455714Skris 54555714Skris bio=BIO_new(BIO_s_socket()); 54655714Skris 54755714Skris if (bio == NULL) 54855714Skris { 54955714Skris SSLerr(SSL_F_SSL_SET_FD,ERR_R_BUF_LIB); 55055714Skris goto err; 55155714Skris } 55255714Skris BIO_set_fd(bio,fd,BIO_NOCLOSE); 55355714Skris SSL_set_bio(s,bio,bio); 55455714Skris ret=1; 55555714Skriserr: 55655714Skris return(ret); 55755714Skris } 55855714Skris 55955714Skrisint SSL_set_wfd(SSL *s,int fd) 56055714Skris { 56155714Skris int ret=0; 56255714Skris BIO *bio=NULL; 56355714Skris 56455714Skris if ((s->rbio == NULL) || (BIO_method_type(s->rbio) != BIO_TYPE_SOCKET) 56555714Skris || ((int)BIO_get_fd(s->rbio,NULL) != fd)) 56655714Skris { 56755714Skris bio=BIO_new(BIO_s_socket()); 56855714Skris 56955714Skris if (bio == NULL) 57055714Skris { SSLerr(SSL_F_SSL_SET_WFD,ERR_R_BUF_LIB); goto err; } 57155714Skris BIO_set_fd(bio,fd,BIO_NOCLOSE); 57255714Skris SSL_set_bio(s,SSL_get_rbio(s),bio); 57355714Skris } 57455714Skris else 57555714Skris SSL_set_bio(s,SSL_get_rbio(s),SSL_get_rbio(s)); 57655714Skris ret=1; 57755714Skriserr: 57855714Skris return(ret); 57955714Skris } 58055714Skris 58155714Skrisint SSL_set_rfd(SSL *s,int fd) 58255714Skris { 58355714Skris int ret=0; 58455714Skris BIO *bio=NULL; 58555714Skris 58655714Skris if ((s->wbio == NULL) || (BIO_method_type(s->wbio) != BIO_TYPE_SOCKET) 58755714Skris || ((int)BIO_get_fd(s->wbio,NULL) != fd)) 58855714Skris { 58955714Skris bio=BIO_new(BIO_s_socket()); 59055714Skris 59155714Skris if (bio == NULL) 59255714Skris { 59355714Skris SSLerr(SSL_F_SSL_SET_RFD,ERR_R_BUF_LIB); 59455714Skris goto err; 59555714Skris } 59655714Skris BIO_set_fd(bio,fd,BIO_NOCLOSE); 59755714Skris SSL_set_bio(s,bio,SSL_get_wbio(s)); 59855714Skris } 59955714Skris else 60055714Skris SSL_set_bio(s,SSL_get_wbio(s),SSL_get_wbio(s)); 60155714Skris ret=1; 60255714Skriserr: 60355714Skris return(ret); 60455714Skris } 60555714Skris#endif 60655714Skris 60759191Skris 60859191Skris/* return length of latest Finished message we sent, copy to 'buf' */ 60959191Skrissize_t SSL_get_finished(SSL *s, void *buf, size_t count) 61059191Skris { 61159191Skris size_t ret = 0; 61259191Skris 61359191Skris if (s->s3 != NULL) 61459191Skris { 61559191Skris ret = s->s3->tmp.finish_md_len; 61659191Skris if (count > ret) 61759191Skris count = ret; 61859191Skris memcpy(buf, s->s3->tmp.finish_md, count); 61959191Skris } 62059191Skris return ret; 62159191Skris } 62259191Skris 62359191Skris/* return length of latest Finished message we expected, copy to 'buf' */ 62459191Skrissize_t SSL_get_peer_finished(SSL *s, void *buf, size_t count) 62559191Skris { 62659191Skris size_t ret = 0; 62759191Skris 62859191Skris if (s->s3 != NULL) 62959191Skris { 63059191Skris ret = s->s3->tmp.peer_finish_md_len; 63159191Skris if (count > ret) 63259191Skris count = ret; 63359191Skris memcpy(buf, s->s3->tmp.peer_finish_md, count); 63459191Skris } 63559191Skris return ret; 63659191Skris } 63759191Skris 63859191Skris 63955714Skrisint SSL_get_verify_mode(SSL *s) 64055714Skris { 64155714Skris return(s->verify_mode); 64255714Skris } 64355714Skris 64455714Skrisint SSL_get_verify_depth(SSL *s) 64555714Skris { 64655714Skris return(s->verify_depth); 64755714Skris } 64855714Skris 64955714Skrisint (*SSL_get_verify_callback(SSL *s))(int,X509_STORE_CTX *) 65055714Skris { 65155714Skris return(s->verify_callback); 65255714Skris } 65355714Skris 65455714Skrisint SSL_CTX_get_verify_mode(SSL_CTX *ctx) 65555714Skris { 65655714Skris return(ctx->verify_mode); 65755714Skris } 65855714Skris 65955714Skrisint SSL_CTX_get_verify_depth(SSL_CTX *ctx) 66055714Skris { 66155714Skris return(ctx->verify_depth); 66255714Skris } 66355714Skris 66455714Skrisint (*SSL_CTX_get_verify_callback(SSL_CTX *ctx))(int,X509_STORE_CTX *) 66555714Skris { 66655714Skris return(ctx->default_verify_callback); 66755714Skris } 66855714Skris 66955714Skrisvoid SSL_set_verify(SSL *s,int mode, 67055714Skris int (*callback)(int ok,X509_STORE_CTX *ctx)) 67155714Skris { 67255714Skris s->verify_mode=mode; 67355714Skris if (callback != NULL) 67455714Skris s->verify_callback=callback; 67555714Skris } 67655714Skris 67755714Skrisvoid SSL_set_verify_depth(SSL *s,int depth) 67855714Skris { 67955714Skris s->verify_depth=depth; 68055714Skris } 68155714Skris 68255714Skrisvoid SSL_set_read_ahead(SSL *s,int yes) 68355714Skris { 68455714Skris s->read_ahead=yes; 68555714Skris } 68655714Skris 68755714Skrisint SSL_get_read_ahead(SSL *s) 68855714Skris { 68955714Skris return(s->read_ahead); 69055714Skris } 69155714Skris 69255714Skrisint SSL_pending(SSL *s) 69355714Skris { 694109998Smarkm /* SSL_pending cannot work properly if read-ahead is enabled 695109998Smarkm * (SSL_[CTX_]ctrl(..., SSL_CTRL_SET_READ_AHEAD, 1, NULL)), 696109998Smarkm * and it is impossible to fix since SSL_pending cannot report 697109998Smarkm * errors that may be observed while scanning the new data. 698109998Smarkm * (Note that SSL_pending() is often used as a boolean value, 699109998Smarkm * so we'd better not return -1.) 700109998Smarkm */ 70155714Skris return(s->method->ssl_pending(s)); 70255714Skris } 70355714Skris 70455714SkrisX509 *SSL_get_peer_certificate(SSL *s) 70555714Skris { 70655714Skris X509 *r; 70755714Skris 70855714Skris if ((s == NULL) || (s->session == NULL)) 70955714Skris r=NULL; 71055714Skris else 71155714Skris r=s->session->peer; 71255714Skris 71355714Skris if (r == NULL) return(r); 71455714Skris 71555714Skris CRYPTO_add(&r->references,1,CRYPTO_LOCK_X509); 71655714Skris 71755714Skris return(r); 71855714Skris } 71955714Skris 72055714SkrisSTACK_OF(X509) *SSL_get_peer_cert_chain(SSL *s) 72155714Skris { 72255714Skris STACK_OF(X509) *r; 72355714Skris 72455714Skris if ((s == NULL) || (s->session == NULL) || (s->session->sess_cert == NULL)) 72555714Skris r=NULL; 72655714Skris else 72755714Skris r=s->session->sess_cert->cert_chain; 72855714Skris 72959191Skris /* If we are a client, cert_chain includes the peer's own 73059191Skris * certificate; if we are a server, it does not. */ 73159191Skris 73255714Skris return(r); 73355714Skris } 73455714Skris 73555714Skris/* Now in theory, since the calling process own 't' it should be safe to 73655714Skris * modify. We need to be able to read f without being hassled */ 73755714Skrisvoid SSL_copy_session_id(SSL *t,SSL *f) 73855714Skris { 73955714Skris CERT *tmp; 74055714Skris 74155714Skris /* Do we need to to SSL locking? */ 74255714Skris SSL_set_session(t,SSL_get_session(f)); 74355714Skris 74455714Skris /* what if we are setup as SSLv2 but want to talk SSLv3 or 74555714Skris * vice-versa */ 74655714Skris if (t->method != f->method) 74755714Skris { 74855714Skris t->method->ssl_free(t); /* cleanup current */ 74955714Skris t->method=f->method; /* change method */ 75055714Skris t->method->ssl_new(t); /* setup new */ 75155714Skris } 75255714Skris 75355714Skris tmp=t->cert; 75455714Skris if (f->cert != NULL) 75555714Skris { 75655714Skris CRYPTO_add(&f->cert->references,1,CRYPTO_LOCK_SSL_CERT); 75755714Skris t->cert=f->cert; 75855714Skris } 75955714Skris else 76055714Skris t->cert=NULL; 76155714Skris if (tmp != NULL) ssl_cert_free(tmp); 76255714Skris SSL_set_session_id_context(t,f->sid_ctx,f->sid_ctx_length); 76355714Skris } 76455714Skris 76555714Skris/* Fix this so it checks all the valid key/cert options */ 76655714Skrisint SSL_CTX_check_private_key(SSL_CTX *ctx) 76755714Skris { 76855714Skris if ( (ctx == NULL) || 76955714Skris (ctx->cert == NULL) || 77055714Skris (ctx->cert->key->x509 == NULL)) 77155714Skris { 77255714Skris SSLerr(SSL_F_SSL_CTX_CHECK_PRIVATE_KEY,SSL_R_NO_CERTIFICATE_ASSIGNED); 77355714Skris return(0); 77455714Skris } 77555714Skris if (ctx->cert->key->privatekey == NULL) 77655714Skris { 77755714Skris SSLerr(SSL_F_SSL_CTX_CHECK_PRIVATE_KEY,SSL_R_NO_PRIVATE_KEY_ASSIGNED); 77855714Skris return(0); 77955714Skris } 78055714Skris return(X509_check_private_key(ctx->cert->key->x509, ctx->cert->key->privatekey)); 78155714Skris } 78255714Skris 78355714Skris/* Fix this function so that it takes an optional type parameter */ 78455714Skrisint SSL_check_private_key(SSL *ssl) 78555714Skris { 78655714Skris if (ssl == NULL) 78755714Skris { 78855714Skris SSLerr(SSL_F_SSL_CHECK_PRIVATE_KEY,ERR_R_PASSED_NULL_PARAMETER); 78955714Skris return(0); 79055714Skris } 79155714Skris if (ssl->cert == NULL) 79255714Skris { 79355714Skris SSLerr(SSL_F_SSL_CHECK_PRIVATE_KEY,SSL_R_NO_CERTIFICATE_ASSIGNED); 79455714Skris return 0; 79555714Skris } 79655714Skris if (ssl->cert->key->x509 == NULL) 79755714Skris { 79855714Skris SSLerr(SSL_F_SSL_CHECK_PRIVATE_KEY,SSL_R_NO_CERTIFICATE_ASSIGNED); 79955714Skris return(0); 80055714Skris } 80155714Skris if (ssl->cert->key->privatekey == NULL) 80255714Skris { 80355714Skris SSLerr(SSL_F_SSL_CHECK_PRIVATE_KEY,SSL_R_NO_PRIVATE_KEY_ASSIGNED); 80455714Skris return(0); 80555714Skris } 80655714Skris return(X509_check_private_key(ssl->cert->key->x509, 80755714Skris ssl->cert->key->privatekey)); 80855714Skris } 80955714Skris 81055714Skrisint SSL_accept(SSL *s) 81155714Skris { 81255714Skris if (s->handshake_func == 0) 81355714Skris /* Not properly initialized yet */ 81455714Skris SSL_set_accept_state(s); 81555714Skris 81655714Skris return(s->method->ssl_accept(s)); 81755714Skris } 81855714Skris 81955714Skrisint SSL_connect(SSL *s) 82055714Skris { 82155714Skris if (s->handshake_func == 0) 82255714Skris /* Not properly initialized yet */ 82355714Skris SSL_set_connect_state(s); 82455714Skris 82555714Skris return(s->method->ssl_connect(s)); 82655714Skris } 82755714Skris 82855714Skrislong SSL_get_default_timeout(SSL *s) 82955714Skris { 83055714Skris return(s->method->get_timeout()); 83155714Skris } 83255714Skris 83376866Skrisint SSL_read(SSL *s,void *buf,int num) 83455714Skris { 83555714Skris if (s->handshake_func == 0) 83655714Skris { 83755714Skris SSLerr(SSL_F_SSL_READ, SSL_R_UNINITIALIZED); 83855714Skris return -1; 83955714Skris } 84055714Skris 84155714Skris if (s->shutdown & SSL_RECEIVED_SHUTDOWN) 84255714Skris { 84355714Skris s->rwstate=SSL_NOTHING; 84455714Skris return(0); 84555714Skris } 84655714Skris return(s->method->ssl_read(s,buf,num)); 84755714Skris } 84855714Skris 84976866Skrisint SSL_peek(SSL *s,void *buf,int num) 85055714Skris { 85176866Skris if (s->handshake_func == 0) 85276866Skris { 85376866Skris SSLerr(SSL_F_SSL_READ, SSL_R_UNINITIALIZED); 85476866Skris return -1; 85576866Skris } 85676866Skris 85755714Skris if (s->shutdown & SSL_RECEIVED_SHUTDOWN) 85855714Skris { 85955714Skris return(0); 86055714Skris } 86155714Skris return(s->method->ssl_peek(s,buf,num)); 86255714Skris } 86355714Skris 86476866Skrisint SSL_write(SSL *s,const void *buf,int num) 86555714Skris { 86655714Skris if (s->handshake_func == 0) 86755714Skris { 86855714Skris SSLerr(SSL_F_SSL_WRITE, SSL_R_UNINITIALIZED); 86955714Skris return -1; 87055714Skris } 87155714Skris 87255714Skris if (s->shutdown & SSL_SENT_SHUTDOWN) 87355714Skris { 87455714Skris s->rwstate=SSL_NOTHING; 87555714Skris SSLerr(SSL_F_SSL_WRITE,SSL_R_PROTOCOL_IS_SHUTDOWN); 87655714Skris return(-1); 87755714Skris } 87855714Skris return(s->method->ssl_write(s,buf,num)); 87955714Skris } 88055714Skris 88155714Skrisint SSL_shutdown(SSL *s) 88255714Skris { 88355714Skris /* Note that this function behaves differently from what one might 88455714Skris * expect. Return values are 0 for no success (yet), 88555714Skris * 1 for success; but calling it once is usually not enough, 88655714Skris * even if blocking I/O is used (see ssl3_shutdown). 88755714Skris */ 88855714Skris 88955714Skris if (s->handshake_func == 0) 89055714Skris { 89155714Skris SSLerr(SSL_F_SSL_SHUTDOWN, SSL_R_UNINITIALIZED); 89255714Skris return -1; 89355714Skris } 89455714Skris 89555714Skris if ((s != NULL) && !SSL_in_init(s)) 89655714Skris return(s->method->ssl_shutdown(s)); 89755714Skris else 89855714Skris return(1); 89955714Skris } 90055714Skris 90155714Skrisint SSL_renegotiate(SSL *s) 90255714Skris { 903100928Snectar if (s->new_session == 0) 904100928Snectar { 905100928Snectar s->new_session=1; 906100928Snectar } 90755714Skris return(s->method->ssl_renegotiate(s)); 90855714Skris } 90955714Skris 910109998Smarkmint SSL_renegotiate_pending(SSL *s) 91155714Skris { 912109998Smarkm /* becomes true when negotiation is requested; 913109998Smarkm * false again once a handshake has finished */ 914109998Smarkm return (s->new_session != 0); 915109998Smarkm } 916109998Smarkm 917109998Smarkmlong SSL_ctrl(SSL *s,int cmd,long larg,void *parg) 918109998Smarkm { 91955714Skris long l; 92055714Skris 92155714Skris switch (cmd) 92255714Skris { 92355714Skris case SSL_CTRL_GET_READ_AHEAD: 92455714Skris return(s->read_ahead); 92555714Skris case SSL_CTRL_SET_READ_AHEAD: 92655714Skris l=s->read_ahead; 92755714Skris s->read_ahead=larg; 92855714Skris return(l); 929109998Smarkm 930109998Smarkm case SSL_CTRL_SET_MSG_CALLBACK_ARG: 931109998Smarkm s->msg_callback_arg = parg; 932109998Smarkm return 1; 933109998Smarkm 93455714Skris case SSL_CTRL_OPTIONS: 93555714Skris return(s->options|=larg); 93655714Skris case SSL_CTRL_MODE: 93755714Skris return(s->mode|=larg); 938109998Smarkm case SSL_CTRL_GET_MAX_CERT_LIST: 939109998Smarkm return(s->max_cert_list); 940109998Smarkm case SSL_CTRL_SET_MAX_CERT_LIST: 941109998Smarkm l=s->max_cert_list; 942109998Smarkm s->max_cert_list=larg; 943109998Smarkm return(l); 94455714Skris default: 94555714Skris return(s->method->ssl_ctrl(s,cmd,larg,parg)); 94655714Skris } 94755714Skris } 94855714Skris 94959191Skrislong SSL_callback_ctrl(SSL *s, int cmd, void (*fp)()) 95059191Skris { 95159191Skris switch(cmd) 95259191Skris { 953109998Smarkm case SSL_CTRL_SET_MSG_CALLBACK: 954109998Smarkm s->msg_callback = (void (*)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg))(fp); 955109998Smarkm return 1; 956109998Smarkm 95759191Skris default: 95859191Skris return(s->method->ssl_callback_ctrl(s,cmd,fp)); 95959191Skris } 96059191Skris } 96159191Skris 96259191Skrisstruct lhash_st *SSL_CTX_sessions(SSL_CTX *ctx) 96359191Skris { 96459191Skris return ctx->sessions; 96559191Skris } 96659191Skris 967109998Smarkmlong SSL_CTX_ctrl(SSL_CTX *ctx,int cmd,long larg,void *parg) 96855714Skris { 96955714Skris long l; 97055714Skris 97155714Skris switch (cmd) 97255714Skris { 97355714Skris case SSL_CTRL_GET_READ_AHEAD: 97455714Skris return(ctx->read_ahead); 97555714Skris case SSL_CTRL_SET_READ_AHEAD: 97655714Skris l=ctx->read_ahead; 97755714Skris ctx->read_ahead=larg; 97855714Skris return(l); 979109998Smarkm 980109998Smarkm case SSL_CTRL_SET_MSG_CALLBACK_ARG: 981109998Smarkm ctx->msg_callback_arg = parg; 982109998Smarkm return 1; 98355714Skris 984109998Smarkm case SSL_CTRL_GET_MAX_CERT_LIST: 985109998Smarkm return(ctx->max_cert_list); 986109998Smarkm case SSL_CTRL_SET_MAX_CERT_LIST: 987109998Smarkm l=ctx->max_cert_list; 988109998Smarkm ctx->max_cert_list=larg; 989109998Smarkm return(l); 990109998Smarkm 99155714Skris case SSL_CTRL_SET_SESS_CACHE_SIZE: 99255714Skris l=ctx->session_cache_size; 99355714Skris ctx->session_cache_size=larg; 99455714Skris return(l); 99555714Skris case SSL_CTRL_GET_SESS_CACHE_SIZE: 99655714Skris return(ctx->session_cache_size); 99755714Skris case SSL_CTRL_SET_SESS_CACHE_MODE: 99855714Skris l=ctx->session_cache_mode; 99955714Skris ctx->session_cache_mode=larg; 100055714Skris return(l); 100155714Skris case SSL_CTRL_GET_SESS_CACHE_MODE: 100255714Skris return(ctx->session_cache_mode); 100355714Skris 100455714Skris case SSL_CTRL_SESS_NUMBER: 100555714Skris return(ctx->sessions->num_items); 100655714Skris case SSL_CTRL_SESS_CONNECT: 100755714Skris return(ctx->stats.sess_connect); 100855714Skris case SSL_CTRL_SESS_CONNECT_GOOD: 100955714Skris return(ctx->stats.sess_connect_good); 101055714Skris case SSL_CTRL_SESS_CONNECT_RENEGOTIATE: 101155714Skris return(ctx->stats.sess_connect_renegotiate); 101255714Skris case SSL_CTRL_SESS_ACCEPT: 101355714Skris return(ctx->stats.sess_accept); 101455714Skris case SSL_CTRL_SESS_ACCEPT_GOOD: 101555714Skris return(ctx->stats.sess_accept_good); 101655714Skris case SSL_CTRL_SESS_ACCEPT_RENEGOTIATE: 101755714Skris return(ctx->stats.sess_accept_renegotiate); 101855714Skris case SSL_CTRL_SESS_HIT: 101955714Skris return(ctx->stats.sess_hit); 102055714Skris case SSL_CTRL_SESS_CB_HIT: 102155714Skris return(ctx->stats.sess_cb_hit); 102255714Skris case SSL_CTRL_SESS_MISSES: 102355714Skris return(ctx->stats.sess_miss); 102455714Skris case SSL_CTRL_SESS_TIMEOUTS: 102555714Skris return(ctx->stats.sess_timeout); 102655714Skris case SSL_CTRL_SESS_CACHE_FULL: 102755714Skris return(ctx->stats.sess_cache_full); 102855714Skris case SSL_CTRL_OPTIONS: 102955714Skris return(ctx->options|=larg); 103055714Skris case SSL_CTRL_MODE: 103155714Skris return(ctx->mode|=larg); 103255714Skris default: 103355714Skris return(ctx->method->ssl_ctx_ctrl(ctx,cmd,larg,parg)); 103455714Skris } 103555714Skris } 103655714Skris 103759191Skrislong SSL_CTX_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)()) 103859191Skris { 103959191Skris switch(cmd) 104059191Skris { 1041109998Smarkm case SSL_CTRL_SET_MSG_CALLBACK: 1042109998Smarkm ctx->msg_callback = (void (*)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg))(fp); 1043109998Smarkm return 1; 1044109998Smarkm 104559191Skris default: 104659191Skris return(ctx->method->ssl_ctx_callback_ctrl(ctx,cmd,fp)); 104759191Skris } 104859191Skris } 104959191Skris 105068651Skrisint ssl_cipher_id_cmp(const SSL_CIPHER *a, const SSL_CIPHER *b) 105155714Skris { 105255714Skris long l; 105355714Skris 105455714Skris l=a->id-b->id; 105555714Skris if (l == 0L) 105655714Skris return(0); 105755714Skris else 105855714Skris return((l > 0)?1:-1); 105955714Skris } 106055714Skris 106168651Skrisint ssl_cipher_ptr_id_cmp(const SSL_CIPHER * const *ap, 106268651Skris const SSL_CIPHER * const *bp) 106355714Skris { 106455714Skris long l; 106555714Skris 106655714Skris l=(*ap)->id-(*bp)->id; 106755714Skris if (l == 0L) 106855714Skris return(0); 106955714Skris else 107055714Skris return((l > 0)?1:-1); 107155714Skris } 107255714Skris 107355714Skris/** return a STACK of the ciphers available for the SSL and in order of 107455714Skris * preference */ 107555714SkrisSTACK_OF(SSL_CIPHER) *SSL_get_ciphers(SSL *s) 107655714Skris { 1077111147Snectar if (s != NULL) 107855714Skris { 1079111147Snectar if (s->cipher_list != NULL) 1080111147Snectar { 1081111147Snectar return(s->cipher_list); 1082111147Snectar } 1083111147Snectar else if ((s->ctx != NULL) && 1084111147Snectar (s->ctx->cipher_list != NULL)) 1085111147Snectar { 1086111147Snectar return(s->ctx->cipher_list); 1087111147Snectar } 108855714Skris } 108955714Skris return(NULL); 109055714Skris } 109155714Skris 109255714Skris/** return a STACK of the ciphers available for the SSL and in order of 109355714Skris * algorithm id */ 109455714SkrisSTACK_OF(SSL_CIPHER) *ssl_get_ciphers_by_id(SSL *s) 109555714Skris { 1096111147Snectar if (s != NULL) 109755714Skris { 1098111147Snectar if (s->cipher_list_by_id != NULL) 1099111147Snectar { 1100111147Snectar return(s->cipher_list_by_id); 1101111147Snectar } 1102111147Snectar else if ((s->ctx != NULL) && 1103111147Snectar (s->ctx->cipher_list_by_id != NULL)) 1104111147Snectar { 1105111147Snectar return(s->ctx->cipher_list_by_id); 1106111147Snectar } 110755714Skris } 110855714Skris return(NULL); 110955714Skris } 111055714Skris 111155714Skris/** The old interface to get the same thing as SSL_get_ciphers() */ 111255714Skrisconst char *SSL_get_cipher_list(SSL *s,int n) 111355714Skris { 111455714Skris SSL_CIPHER *c; 111555714Skris STACK_OF(SSL_CIPHER) *sk; 111655714Skris 111755714Skris if (s == NULL) return(NULL); 111855714Skris sk=SSL_get_ciphers(s); 111955714Skris if ((sk == NULL) || (sk_SSL_CIPHER_num(sk) <= n)) 112055714Skris return(NULL); 112155714Skris c=sk_SSL_CIPHER_value(sk,n); 112255714Skris if (c == NULL) return(NULL); 112355714Skris return(c->name); 112455714Skris } 112555714Skris 112659191Skris/** specify the ciphers to be used by default by the SSL_CTX */ 112759191Skrisint SSL_CTX_set_cipher_list(SSL_CTX *ctx, const char *str) 112855714Skris { 112955714Skris STACK_OF(SSL_CIPHER) *sk; 113055714Skris 113155714Skris sk=ssl_create_cipher_list(ctx->method,&ctx->cipher_list, 113255714Skris &ctx->cipher_list_by_id,str); 113355714Skris/* XXXX */ 113455714Skris return((sk == NULL)?0:1); 113555714Skris } 113655714Skris 113755714Skris/** specify the ciphers to be used by the SSL */ 113859191Skrisint SSL_set_cipher_list(SSL *s,const char *str) 113955714Skris { 114055714Skris STACK_OF(SSL_CIPHER) *sk; 114155714Skris 114255714Skris sk=ssl_create_cipher_list(s->ctx->method,&s->cipher_list, 114355714Skris &s->cipher_list_by_id,str); 114455714Skris/* XXXX */ 114555714Skris return((sk == NULL)?0:1); 114655714Skris } 114755714Skris 114855714Skris/* works well for SSLv2, not so good for SSLv3 */ 114955714Skrischar *SSL_get_shared_ciphers(SSL *s,char *buf,int len) 115055714Skris { 115155714Skris char *p; 115255714Skris const char *cp; 115355714Skris STACK_OF(SSL_CIPHER) *sk; 115455714Skris SSL_CIPHER *c; 115555714Skris int i; 115655714Skris 115755714Skris if ((s->session == NULL) || (s->session->ciphers == NULL) || 115855714Skris (len < 2)) 115955714Skris return(NULL); 116055714Skris 116155714Skris p=buf; 116255714Skris sk=s->session->ciphers; 116355714Skris for (i=0; i<sk_SSL_CIPHER_num(sk); i++) 116455714Skris { 116555714Skris /* Decrement for either the ':' or a '\0' */ 116655714Skris len--; 116755714Skris c=sk_SSL_CIPHER_value(sk,i); 116855714Skris for (cp=c->name; *cp; ) 116955714Skris { 117055714Skris if (len-- == 0) 117155714Skris { 117255714Skris *p='\0'; 117355714Skris return(buf); 117455714Skris } 117555714Skris else 117655714Skris *(p++)= *(cp++); 117755714Skris } 117855714Skris *(p++)=':'; 117955714Skris } 118055714Skris p[-1]='\0'; 118155714Skris return(buf); 118255714Skris } 118355714Skris 118455714Skrisint ssl_cipher_list_to_bytes(SSL *s,STACK_OF(SSL_CIPHER) *sk,unsigned char *p) 118555714Skris { 118655714Skris int i,j=0; 118755714Skris SSL_CIPHER *c; 118855714Skris unsigned char *q; 1189109998Smarkm#ifndef OPENSSL_NO_KRB5 1190109998Smarkm int nokrb5 = !kssl_tgt_is_available(s->kssl_ctx); 1191109998Smarkm#endif /* OPENSSL_NO_KRB5 */ 119255714Skris 119355714Skris if (sk == NULL) return(0); 119455714Skris q=p; 119555714Skris 119655714Skris for (i=0; i<sk_SSL_CIPHER_num(sk); i++) 119755714Skris { 119855714Skris c=sk_SSL_CIPHER_value(sk,i); 1199109998Smarkm#ifndef OPENSSL_NO_KRB5 1200109998Smarkm if ((c->algorithms & SSL_KRB5) && nokrb5) 1201109998Smarkm continue; 1202109998Smarkm#endif /* OPENSSL_NO_KRB5 */ 120355714Skris j=ssl_put_cipher_by_char(s,c,p); 120455714Skris p+=j; 120555714Skris } 120655714Skris return(p-q); 120755714Skris } 120855714Skris 120955714SkrisSTACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s,unsigned char *p,int num, 121055714Skris STACK_OF(SSL_CIPHER) **skp) 121155714Skris { 121255714Skris SSL_CIPHER *c; 121355714Skris STACK_OF(SSL_CIPHER) *sk; 121455714Skris int i,n; 121555714Skris 121655714Skris n=ssl_put_cipher_by_char(s,NULL,NULL); 121755714Skris if ((num%n) != 0) 121855714Skris { 121955714Skris SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST); 122055714Skris return(NULL); 122155714Skris } 122255714Skris if ((skp == NULL) || (*skp == NULL)) 122368651Skris sk=sk_SSL_CIPHER_new_null(); /* change perhaps later */ 122455714Skris else 122555714Skris { 122655714Skris sk= *skp; 122755714Skris sk_SSL_CIPHER_zero(sk); 122855714Skris } 122955714Skris 123055714Skris for (i=0; i<num; i+=n) 123155714Skris { 123255714Skris c=ssl_get_cipher_by_char(s,p); 123355714Skris p+=n; 123455714Skris if (c != NULL) 123555714Skris { 123655714Skris if (!sk_SSL_CIPHER_push(sk,c)) 123755714Skris { 123855714Skris SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,ERR_R_MALLOC_FAILURE); 123955714Skris goto err; 124055714Skris } 124155714Skris } 124255714Skris } 124355714Skris 124455714Skris if (skp != NULL) 124555714Skris *skp=sk; 124655714Skris return(sk); 124755714Skriserr: 124855714Skris if ((skp == NULL) || (*skp == NULL)) 124955714Skris sk_SSL_CIPHER_free(sk); 125055714Skris return(NULL); 125155714Skris } 125255714Skris 125355714Skrisunsigned long SSL_SESSION_hash(SSL_SESSION *a) 125455714Skris { 125555714Skris unsigned long l; 125655714Skris 125755714Skris l=(unsigned long) 125855714Skris ((unsigned int) a->session_id[0] )| 125955714Skris ((unsigned int) a->session_id[1]<< 8L)| 126055714Skris ((unsigned long)a->session_id[2]<<16L)| 126155714Skris ((unsigned long)a->session_id[3]<<24L); 126255714Skris return(l); 126355714Skris } 126455714Skris 1265109998Smarkm/* NB: If this function (or indeed the hash function which uses a sort of 1266109998Smarkm * coarser function than this one) is changed, ensure 1267109998Smarkm * SSL_CTX_has_matching_session_id() is checked accordingly. It relies on being 1268109998Smarkm * able to construct an SSL_SESSION that will collide with any existing session 1269109998Smarkm * with a matching session ID. */ 127055714Skrisint SSL_SESSION_cmp(SSL_SESSION *a,SSL_SESSION *b) 127155714Skris { 127255714Skris if (a->ssl_version != b->ssl_version) 127355714Skris return(1); 127455714Skris if (a->session_id_length != b->session_id_length) 127555714Skris return(1); 127655714Skris return(memcmp(a->session_id,b->session_id,a->session_id_length)); 127755714Skris } 127855714Skris 1279109998Smarkm/* These wrapper functions should remain rather than redeclaring 1280109998Smarkm * SSL_SESSION_hash and SSL_SESSION_cmp for void* types and casting each 1281109998Smarkm * variable. The reason is that the functions aren't static, they're exposed via 1282109998Smarkm * ssl.h. */ 1283109998Smarkmstatic IMPLEMENT_LHASH_HASH_FN(SSL_SESSION_hash, SSL_SESSION *) 1284109998Smarkmstatic IMPLEMENT_LHASH_COMP_FN(SSL_SESSION_cmp, SSL_SESSION *) 1285109998Smarkm 128655714SkrisSSL_CTX *SSL_CTX_new(SSL_METHOD *meth) 128755714Skris { 128855714Skris SSL_CTX *ret=NULL; 128955714Skris 129055714Skris if (meth == NULL) 129155714Skris { 129255714Skris SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_NULL_SSL_METHOD_PASSED); 129355714Skris return(NULL); 129455714Skris } 129555714Skris 129655714Skris if (SSL_get_ex_data_X509_STORE_CTX_idx() < 0) 129755714Skris { 129855714Skris SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_X509_VERIFICATION_SETUP_PROBLEMS); 129955714Skris goto err; 130055714Skris } 130168651Skris ret=(SSL_CTX *)OPENSSL_malloc(sizeof(SSL_CTX)); 130255714Skris if (ret == NULL) 130355714Skris goto err; 130455714Skris 130555714Skris memset(ret,0,sizeof(SSL_CTX)); 130655714Skris 130755714Skris ret->method=meth; 130855714Skris 130955714Skris ret->cert_store=NULL; 131055714Skris ret->session_cache_mode=SSL_SESS_CACHE_SERVER; 131155714Skris ret->session_cache_size=SSL_SESSION_CACHE_MAX_SIZE_DEFAULT; 131255714Skris ret->session_cache_head=NULL; 131355714Skris ret->session_cache_tail=NULL; 131455714Skris 131555714Skris /* We take the system default */ 131655714Skris ret->session_timeout=meth->get_timeout(); 131755714Skris 1318109998Smarkm ret->new_session_cb=0; 1319109998Smarkm ret->remove_session_cb=0; 1320109998Smarkm ret->get_session_cb=0; 1321109998Smarkm ret->generate_session_id=0; 132255714Skris 132355714Skris memset((char *)&ret->stats,0,sizeof(ret->stats)); 132455714Skris 132555714Skris ret->references=1; 132655714Skris ret->quiet_shutdown=0; 132755714Skris 132855714Skris/* ret->cipher=NULL;*/ 132955714Skris/* ret->s2->challenge=NULL; 133055714Skris ret->master_key=NULL; 133155714Skris ret->key_arg=NULL; 133255714Skris ret->s2->conn_id=NULL; */ 133355714Skris 133455714Skris ret->info_callback=NULL; 133555714Skris 1336109998Smarkm ret->app_verify_callback=0; 133755714Skris ret->app_verify_arg=NULL; 133855714Skris 1339109998Smarkm ret->max_cert_list=SSL_MAX_CERT_LIST_DEFAULT; 134055714Skris ret->read_ahead=0; 1341109998Smarkm ret->msg_callback=0; 1342109998Smarkm ret->msg_callback_arg=NULL; 134355714Skris ret->verify_mode=SSL_VERIFY_NONE; 134455714Skris ret->verify_depth=-1; /* Don't impose a limit (but x509_lu.c does) */ 1345109998Smarkm ret->sid_ctx_length=0; 134655714Skris ret->default_verify_callback=NULL; 134755714Skris if ((ret->cert=ssl_cert_new()) == NULL) 134855714Skris goto err; 134955714Skris 1350109998Smarkm ret->default_passwd_callback=0; 135155714Skris ret->default_passwd_callback_userdata=NULL; 1352109998Smarkm ret->client_cert_cb=0; 135355714Skris 1354109998Smarkm ret->sessions=lh_new(LHASH_HASH_FN(SSL_SESSION_hash), 1355109998Smarkm LHASH_COMP_FN(SSL_SESSION_cmp)); 135655714Skris if (ret->sessions == NULL) goto err; 135755714Skris ret->cert_store=X509_STORE_new(); 135855714Skris if (ret->cert_store == NULL) goto err; 135955714Skris 136055714Skris ssl_create_cipher_list(ret->method, 136155714Skris &ret->cipher_list,&ret->cipher_list_by_id, 136255714Skris SSL_DEFAULT_CIPHER_LIST); 136355714Skris if (ret->cipher_list == NULL 136455714Skris || sk_SSL_CIPHER_num(ret->cipher_list) <= 0) 136555714Skris { 136655714Skris SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_LIBRARY_HAS_NO_CIPHERS); 136755714Skris goto err2; 136855714Skris } 136955714Skris 137055714Skris if ((ret->rsa_md5=EVP_get_digestbyname("ssl2-md5")) == NULL) 137155714Skris { 137255714Skris SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_UNABLE_TO_LOAD_SSL2_MD5_ROUTINES); 137355714Skris goto err2; 137455714Skris } 137555714Skris if ((ret->md5=EVP_get_digestbyname("ssl3-md5")) == NULL) 137655714Skris { 137755714Skris SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES); 137855714Skris goto err2; 137955714Skris } 138055714Skris if ((ret->sha1=EVP_get_digestbyname("ssl3-sha1")) == NULL) 138155714Skris { 138255714Skris SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES); 138355714Skris goto err2; 138455714Skris } 138555714Skris 138655714Skris if ((ret->client_CA=sk_X509_NAME_new_null()) == NULL) 138755714Skris goto err; 138855714Skris 1389109998Smarkm CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL_CTX, ret, &ret->ex_data); 139055714Skris 139155714Skris ret->extra_certs=NULL; 139255714Skris ret->comp_methods=SSL_COMP_get_compression_methods(); 139355714Skris 139455714Skris return(ret); 139555714Skriserr: 139655714Skris SSLerr(SSL_F_SSL_CTX_NEW,ERR_R_MALLOC_FAILURE); 139755714Skriserr2: 139855714Skris if (ret != NULL) SSL_CTX_free(ret); 139955714Skris return(NULL); 140055714Skris } 140155714Skris 1402109998Smarkm#if 0 140355714Skrisstatic void SSL_COMP_free(SSL_COMP *comp) 140468651Skris { OPENSSL_free(comp); } 1405109998Smarkm#endif 140655714Skris 140755714Skrisvoid SSL_CTX_free(SSL_CTX *a) 140855714Skris { 140955714Skris int i; 141055714Skris 141155714Skris if (a == NULL) return; 141255714Skris 141355714Skris i=CRYPTO_add(&a->references,-1,CRYPTO_LOCK_SSL_CTX); 141455714Skris#ifdef REF_PRINT 141555714Skris REF_PRINT("SSL_CTX",a); 141655714Skris#endif 141755714Skris if (i > 0) return; 141855714Skris#ifdef REF_CHECK 141955714Skris if (i < 0) 142055714Skris { 142155714Skris fprintf(stderr,"SSL_CTX_free, bad reference count\n"); 142255714Skris abort(); /* ok */ 142355714Skris } 142455714Skris#endif 142555714Skris 1426109998Smarkm /* 1427109998Smarkm * Free internal session cache. However: the remove_cb() may reference 1428109998Smarkm * the ex_data of SSL_CTX, thus the ex_data store can only be removed 1429109998Smarkm * after the sessions were flushed. 1430109998Smarkm * As the ex_data handling routines might also touch the session cache, 1431109998Smarkm * the most secure solution seems to be: empty (flush) the cache, then 1432109998Smarkm * free ex_data, then finally free the cache. 1433109998Smarkm * (See ticket [openssl.org #212].) 1434109998Smarkm */ 143555714Skris if (a->sessions != NULL) 143655714Skris SSL_CTX_flush_sessions(a,0); 1437109998Smarkm 1438109998Smarkm CRYPTO_free_ex_data(CRYPTO_EX_INDEX_SSL_CTX, a, &a->ex_data); 1439109998Smarkm 1440109998Smarkm if (a->sessions != NULL) 144155714Skris lh_free(a->sessions); 1442109998Smarkm 144355714Skris if (a->cert_store != NULL) 144455714Skris X509_STORE_free(a->cert_store); 144555714Skris if (a->cipher_list != NULL) 144655714Skris sk_SSL_CIPHER_free(a->cipher_list); 144755714Skris if (a->cipher_list_by_id != NULL) 144855714Skris sk_SSL_CIPHER_free(a->cipher_list_by_id); 144955714Skris if (a->cert != NULL) 145055714Skris ssl_cert_free(a->cert); 145155714Skris if (a->client_CA != NULL) 145255714Skris sk_X509_NAME_pop_free(a->client_CA,X509_NAME_free); 145355714Skris if (a->extra_certs != NULL) 145455714Skris sk_X509_pop_free(a->extra_certs,X509_free); 1455109998Smarkm#if 0 /* This should never be done, since it removes a global database */ 145655714Skris if (a->comp_methods != NULL) 145755714Skris sk_SSL_COMP_pop_free(a->comp_methods,SSL_COMP_free); 1458109998Smarkm#else 1459109998Smarkm a->comp_methods = NULL; 1460109998Smarkm#endif 146168651Skris OPENSSL_free(a); 146255714Skris } 146355714Skris 146455714Skrisvoid SSL_CTX_set_default_passwd_cb(SSL_CTX *ctx, pem_password_cb *cb) 146555714Skris { 146655714Skris ctx->default_passwd_callback=cb; 146755714Skris } 146855714Skris 146955714Skrisvoid SSL_CTX_set_default_passwd_cb_userdata(SSL_CTX *ctx,void *u) 147055714Skris { 147155714Skris ctx->default_passwd_callback_userdata=u; 147255714Skris } 147355714Skris 1474109998Smarkmvoid SSL_CTX_set_cert_verify_callback(SSL_CTX *ctx, int (*cb)(X509_STORE_CTX *,void *), void *arg) 147555714Skris { 147655714Skris ctx->app_verify_callback=cb; 1477109998Smarkm ctx->app_verify_arg=arg; 147855714Skris } 147955714Skris 148055714Skrisvoid SSL_CTX_set_verify(SSL_CTX *ctx,int mode,int (*cb)(int, X509_STORE_CTX *)) 148155714Skris { 148255714Skris ctx->verify_mode=mode; 148355714Skris ctx->default_verify_callback=cb; 148455714Skris } 148555714Skris 148655714Skrisvoid SSL_CTX_set_verify_depth(SSL_CTX *ctx,int depth) 148755714Skris { 148855714Skris ctx->verify_depth=depth; 148955714Skris } 149055714Skris 149155714Skrisvoid ssl_set_cert_masks(CERT *c, SSL_CIPHER *cipher) 149255714Skris { 149355714Skris CERT_PKEY *cpk; 149455714Skris int rsa_enc,rsa_tmp,rsa_sign,dh_tmp,dh_rsa,dh_dsa,dsa_sign; 149555714Skris int rsa_enc_export,dh_rsa_export,dh_dsa_export; 149655714Skris int rsa_tmp_export,dh_tmp_export,kl; 149755714Skris unsigned long mask,emask; 149855714Skris 149955714Skris if (c == NULL) return; 150055714Skris 150155714Skris kl=SSL_C_EXPORT_PKEYLENGTH(cipher); 150255714Skris 1503109998Smarkm#ifndef OPENSSL_NO_RSA 150455714Skris rsa_tmp=(c->rsa_tmp != NULL || c->rsa_tmp_cb != NULL); 150555714Skris rsa_tmp_export=(c->rsa_tmp_cb != NULL || 150655714Skris (rsa_tmp && RSA_size(c->rsa_tmp)*8 <= kl)); 150755714Skris#else 150855714Skris rsa_tmp=rsa_tmp_export=0; 150955714Skris#endif 1510109998Smarkm#ifndef OPENSSL_NO_DH 151155714Skris dh_tmp=(c->dh_tmp != NULL || c->dh_tmp_cb != NULL); 151255714Skris dh_tmp_export=(c->dh_tmp_cb != NULL || 151355714Skris (dh_tmp && DH_size(c->dh_tmp)*8 <= kl)); 151455714Skris#else 151555714Skris dh_tmp=dh_tmp_export=0; 151655714Skris#endif 151755714Skris 151855714Skris cpk= &(c->pkeys[SSL_PKEY_RSA_ENC]); 151955714Skris rsa_enc= (cpk->x509 != NULL && cpk->privatekey != NULL); 152055714Skris rsa_enc_export=(rsa_enc && EVP_PKEY_size(cpk->privatekey)*8 <= kl); 152155714Skris cpk= &(c->pkeys[SSL_PKEY_RSA_SIGN]); 152255714Skris rsa_sign=(cpk->x509 != NULL && cpk->privatekey != NULL); 152355714Skris cpk= &(c->pkeys[SSL_PKEY_DSA_SIGN]); 152455714Skris dsa_sign=(cpk->x509 != NULL && cpk->privatekey != NULL); 152555714Skris cpk= &(c->pkeys[SSL_PKEY_DH_RSA]); 152655714Skris dh_rsa= (cpk->x509 != NULL && cpk->privatekey != NULL); 152755714Skris dh_rsa_export=(dh_rsa && EVP_PKEY_size(cpk->privatekey)*8 <= kl); 152855714Skris cpk= &(c->pkeys[SSL_PKEY_DH_DSA]); 152955714Skris/* FIX THIS EAY EAY EAY */ 153055714Skris dh_dsa= (cpk->x509 != NULL && cpk->privatekey != NULL); 153155714Skris dh_dsa_export=(dh_dsa && EVP_PKEY_size(cpk->privatekey)*8 <= kl); 153255714Skris 153355714Skris mask=0; 153455714Skris emask=0; 153555714Skris 153655714Skris#ifdef CIPHER_DEBUG 153755714Skris printf("rt=%d rte=%d dht=%d re=%d ree=%d rs=%d ds=%d dhr=%d dhd=%d\n", 153855714Skris rsa_tmp,rsa_tmp_export,dh_tmp, 153955714Skris rsa_enc,rsa_enc_export,rsa_sign,dsa_sign,dh_rsa,dh_dsa); 154055714Skris#endif 154155714Skris 154255714Skris if (rsa_enc || (rsa_tmp && rsa_sign)) 154355714Skris mask|=SSL_kRSA; 154455714Skris if (rsa_enc_export || (rsa_tmp_export && (rsa_sign || rsa_enc))) 154555714Skris emask|=SSL_kRSA; 154655714Skris 154755714Skris#if 0 154855714Skris /* The match needs to be both kEDH and aRSA or aDSA, so don't worry */ 154955714Skris if ( (dh_tmp || dh_rsa || dh_dsa) && 155055714Skris (rsa_enc || rsa_sign || dsa_sign)) 155155714Skris mask|=SSL_kEDH; 155255714Skris if ((dh_tmp_export || dh_rsa_export || dh_dsa_export) && 155355714Skris (rsa_enc || rsa_sign || dsa_sign)) 155455714Skris emask|=SSL_kEDH; 155555714Skris#endif 155655714Skris 155755714Skris if (dh_tmp_export) 155855714Skris emask|=SSL_kEDH; 155955714Skris 156055714Skris if (dh_tmp) 156155714Skris mask|=SSL_kEDH; 156255714Skris 156355714Skris if (dh_rsa) mask|=SSL_kDHr; 156455714Skris if (dh_rsa_export) emask|=SSL_kDHr; 156555714Skris 156655714Skris if (dh_dsa) mask|=SSL_kDHd; 156755714Skris if (dh_dsa_export) emask|=SSL_kDHd; 156855714Skris 156955714Skris if (rsa_enc || rsa_sign) 157055714Skris { 157155714Skris mask|=SSL_aRSA; 157255714Skris emask|=SSL_aRSA; 157355714Skris } 157455714Skris 157555714Skris if (dsa_sign) 157655714Skris { 157755714Skris mask|=SSL_aDSS; 157855714Skris emask|=SSL_aDSS; 157955714Skris } 158055714Skris 158155714Skris mask|=SSL_aNULL; 158255714Skris emask|=SSL_aNULL; 158355714Skris 1584109998Smarkm#ifndef OPENSSL_NO_KRB5 1585109998Smarkm mask|=SSL_kKRB5|SSL_aKRB5; 1586109998Smarkm emask|=SSL_kKRB5|SSL_aKRB5; 1587109998Smarkm#endif 1588109998Smarkm 158955714Skris c->mask=mask; 159055714Skris c->export_mask=emask; 159155714Skris c->valid=1; 159255714Skris } 159355714Skris 159455714Skris/* THIS NEEDS CLEANING UP */ 159555714SkrisX509 *ssl_get_server_send_cert(SSL *s) 159655714Skris { 159755714Skris unsigned long alg,mask,kalg; 159855714Skris CERT *c; 159955714Skris int i,is_export; 160055714Skris 160155714Skris c=s->cert; 160255714Skris ssl_set_cert_masks(c, s->s3->tmp.new_cipher); 160355714Skris alg=s->s3->tmp.new_cipher->algorithms; 160459191Skris is_export=SSL_C_IS_EXPORT(s->s3->tmp.new_cipher); 160555714Skris mask=is_export?c->export_mask:c->mask; 160655714Skris kalg=alg&(SSL_MKEY_MASK|SSL_AUTH_MASK); 160755714Skris 160855714Skris if (kalg & SSL_kDHr) 160955714Skris i=SSL_PKEY_DH_RSA; 161055714Skris else if (kalg & SSL_kDHd) 161155714Skris i=SSL_PKEY_DH_DSA; 161255714Skris else if (kalg & SSL_aDSS) 161355714Skris i=SSL_PKEY_DSA_SIGN; 161455714Skris else if (kalg & SSL_aRSA) 161555714Skris { 161655714Skris if (c->pkeys[SSL_PKEY_RSA_ENC].x509 == NULL) 161755714Skris i=SSL_PKEY_RSA_SIGN; 161855714Skris else 161955714Skris i=SSL_PKEY_RSA_ENC; 162055714Skris } 1621109998Smarkm else if (kalg & SSL_aKRB5) 1622109998Smarkm { 1623109998Smarkm /* VRS something else here? */ 1624109998Smarkm return(NULL); 1625109998Smarkm } 162655714Skris else /* if (kalg & SSL_aNULL) */ 162755714Skris { 1628109998Smarkm SSLerr(SSL_F_SSL_GET_SERVER_SEND_CERT,ERR_R_INTERNAL_ERROR); 162955714Skris return(NULL); 163055714Skris } 163155714Skris if (c->pkeys[i].x509 == NULL) return(NULL); 163255714Skris return(c->pkeys[i].x509); 163355714Skris } 163455714Skris 163555714SkrisEVP_PKEY *ssl_get_sign_pkey(SSL *s,SSL_CIPHER *cipher) 163655714Skris { 163755714Skris unsigned long alg; 163855714Skris CERT *c; 163955714Skris 164055714Skris alg=cipher->algorithms; 164155714Skris c=s->cert; 164255714Skris 164355714Skris if ((alg & SSL_aDSS) && 164455714Skris (c->pkeys[SSL_PKEY_DSA_SIGN].privatekey != NULL)) 164555714Skris return(c->pkeys[SSL_PKEY_DSA_SIGN].privatekey); 164655714Skris else if (alg & SSL_aRSA) 164755714Skris { 164855714Skris if (c->pkeys[SSL_PKEY_RSA_SIGN].privatekey != NULL) 164955714Skris return(c->pkeys[SSL_PKEY_RSA_SIGN].privatekey); 165055714Skris else if (c->pkeys[SSL_PKEY_RSA_ENC].privatekey != NULL) 165155714Skris return(c->pkeys[SSL_PKEY_RSA_ENC].privatekey); 165255714Skris else 165355714Skris return(NULL); 165455714Skris } 165555714Skris else /* if (alg & SSL_aNULL) */ 165655714Skris { 1657109998Smarkm SSLerr(SSL_F_SSL_GET_SIGN_PKEY,ERR_R_INTERNAL_ERROR); 165855714Skris return(NULL); 165955714Skris } 166055714Skris } 166155714Skris 166255714Skrisvoid ssl_update_cache(SSL *s,int mode) 166355714Skris { 166455714Skris int i; 166555714Skris 166655714Skris /* If the session_id_length is 0, we are not supposed to cache it, 166755714Skris * and it would be rather hard to do anyway :-) */ 166855714Skris if (s->session->session_id_length == 0) return; 166955714Skris 1670100928Snectar i=s->ctx->session_cache_mode; 1671100928Snectar if ((i & mode) && (!s->hit) 1672109998Smarkm && ((i & SSL_SESS_CACHE_NO_INTERNAL_STORE) 1673100928Snectar || SSL_CTX_add_session(s->ctx,s->session)) 167455714Skris && (s->ctx->new_session_cb != NULL)) 167555714Skris { 167655714Skris CRYPTO_add(&s->session->references,1,CRYPTO_LOCK_SSL_SESSION); 167755714Skris if (!s->ctx->new_session_cb(s,s->session)) 167855714Skris SSL_SESSION_free(s->session); 167955714Skris } 168055714Skris 168155714Skris /* auto flush every 255 connections */ 168255714Skris if ((!(i & SSL_SESS_CACHE_NO_AUTO_CLEAR)) && 168355714Skris ((i & mode) == mode)) 168455714Skris { 168555714Skris if ( (((mode & SSL_SESS_CACHE_CLIENT) 168655714Skris ?s->ctx->stats.sess_connect_good 168755714Skris :s->ctx->stats.sess_accept_good) & 0xff) == 0xff) 168855714Skris { 168955714Skris SSL_CTX_flush_sessions(s->ctx,time(NULL)); 169055714Skris } 169155714Skris } 169255714Skris } 169355714Skris 169455714SkrisSSL_METHOD *SSL_get_ssl_method(SSL *s) 169555714Skris { 169655714Skris return(s->method); 169755714Skris } 169855714Skris 169955714Skrisint SSL_set_ssl_method(SSL *s,SSL_METHOD *meth) 170055714Skris { 170155714Skris int conn= -1; 170255714Skris int ret=1; 170355714Skris 170455714Skris if (s->method != meth) 170555714Skris { 170655714Skris if (s->handshake_func != NULL) 170755714Skris conn=(s->handshake_func == s->method->ssl_connect); 170855714Skris 170955714Skris if (s->method->version == meth->version) 171055714Skris s->method=meth; 171155714Skris else 171255714Skris { 171355714Skris s->method->ssl_free(s); 171455714Skris s->method=meth; 171555714Skris ret=s->method->ssl_new(s); 171655714Skris } 171755714Skris 171855714Skris if (conn == 1) 171955714Skris s->handshake_func=meth->ssl_connect; 172055714Skris else if (conn == 0) 172155714Skris s->handshake_func=meth->ssl_accept; 172255714Skris } 172355714Skris return(ret); 172455714Skris } 172555714Skris 172655714Skrisint SSL_get_error(SSL *s,int i) 172755714Skris { 172855714Skris int reason; 172955714Skris unsigned long l; 173055714Skris BIO *bio; 173155714Skris 173255714Skris if (i > 0) return(SSL_ERROR_NONE); 173355714Skris 173455714Skris /* Make things return SSL_ERROR_SYSCALL when doing SSL_do_handshake 173555714Skris * etc, where we do encode the error */ 173655714Skris if ((l=ERR_peek_error()) != 0) 173755714Skris { 173855714Skris if (ERR_GET_LIB(l) == ERR_LIB_SYS) 173955714Skris return(SSL_ERROR_SYSCALL); 174055714Skris else 174155714Skris return(SSL_ERROR_SSL); 174255714Skris } 174355714Skris 174455714Skris if ((i < 0) && SSL_want_read(s)) 174555714Skris { 174655714Skris bio=SSL_get_rbio(s); 174755714Skris if (BIO_should_read(bio)) 174855714Skris return(SSL_ERROR_WANT_READ); 174955714Skris else if (BIO_should_write(bio)) 175055714Skris /* This one doesn't make too much sense ... We never try 175155714Skris * to write to the rbio, and an application program where 175255714Skris * rbio and wbio are separate couldn't even know what it 175355714Skris * should wait for. 175455714Skris * However if we ever set s->rwstate incorrectly 175555714Skris * (so that we have SSL_want_read(s) instead of 175655714Skris * SSL_want_write(s)) and rbio and wbio *are* the same, 175755714Skris * this test works around that bug; so it might be safer 175855714Skris * to keep it. */ 175955714Skris return(SSL_ERROR_WANT_WRITE); 176055714Skris else if (BIO_should_io_special(bio)) 176155714Skris { 176255714Skris reason=BIO_get_retry_reason(bio); 176355714Skris if (reason == BIO_RR_CONNECT) 176455714Skris return(SSL_ERROR_WANT_CONNECT); 1765109998Smarkm else if (reason == BIO_RR_ACCEPT) 1766109998Smarkm return(SSL_ERROR_WANT_ACCEPT); 176755714Skris else 176855714Skris return(SSL_ERROR_SYSCALL); /* unknown */ 176955714Skris } 177055714Skris } 177155714Skris 177255714Skris if ((i < 0) && SSL_want_write(s)) 177355714Skris { 177455714Skris bio=SSL_get_wbio(s); 177555714Skris if (BIO_should_write(bio)) 177655714Skris return(SSL_ERROR_WANT_WRITE); 177755714Skris else if (BIO_should_read(bio)) 177855714Skris /* See above (SSL_want_read(s) with BIO_should_write(bio)) */ 177955714Skris return(SSL_ERROR_WANT_READ); 178055714Skris else if (BIO_should_io_special(bio)) 178155714Skris { 178255714Skris reason=BIO_get_retry_reason(bio); 178355714Skris if (reason == BIO_RR_CONNECT) 178455714Skris return(SSL_ERROR_WANT_CONNECT); 1785109998Smarkm else if (reason == BIO_RR_ACCEPT) 1786109998Smarkm return(SSL_ERROR_WANT_ACCEPT); 178755714Skris else 178855714Skris return(SSL_ERROR_SYSCALL); 178955714Skris } 179055714Skris } 179155714Skris if ((i < 0) && SSL_want_x509_lookup(s)) 179255714Skris { 179355714Skris return(SSL_ERROR_WANT_X509_LOOKUP); 179455714Skris } 179555714Skris 179655714Skris if (i == 0) 179755714Skris { 179855714Skris if (s->version == SSL2_VERSION) 179955714Skris { 180055714Skris /* assume it is the socket being closed */ 180155714Skris return(SSL_ERROR_ZERO_RETURN); 180255714Skris } 180355714Skris else 180455714Skris { 180555714Skris if ((s->shutdown & SSL_RECEIVED_SHUTDOWN) && 180655714Skris (s->s3->warn_alert == SSL_AD_CLOSE_NOTIFY)) 180755714Skris return(SSL_ERROR_ZERO_RETURN); 180855714Skris } 180955714Skris } 181055714Skris return(SSL_ERROR_SYSCALL); 181155714Skris } 181255714Skris 181355714Skrisint SSL_do_handshake(SSL *s) 181455714Skris { 181555714Skris int ret=1; 181655714Skris 181755714Skris if (s->handshake_func == NULL) 181855714Skris { 181955714Skris SSLerr(SSL_F_SSL_DO_HANDSHAKE,SSL_R_CONNECTION_TYPE_NOT_SET); 182055714Skris return(-1); 182155714Skris } 182255714Skris 182355714Skris s->method->ssl_renegotiate_check(s); 182455714Skris 182555714Skris if (SSL_in_init(s) || SSL_in_before(s)) 182655714Skris { 182755714Skris ret=s->handshake_func(s); 182855714Skris } 182955714Skris return(ret); 183055714Skris } 183155714Skris 183255714Skris/* For the next 2 functions, SSL_clear() sets shutdown and so 183355714Skris * one of these calls will reset it */ 183455714Skrisvoid SSL_set_accept_state(SSL *s) 183555714Skris { 183655714Skris s->server=1; 183755714Skris s->shutdown=0; 183855714Skris s->state=SSL_ST_ACCEPT|SSL_ST_BEFORE; 183955714Skris s->handshake_func=s->method->ssl_accept; 184055714Skris /* clear the current cipher */ 184155714Skris ssl_clear_cipher_ctx(s); 184255714Skris } 184355714Skris 184455714Skrisvoid SSL_set_connect_state(SSL *s) 184555714Skris { 184655714Skris s->server=0; 184755714Skris s->shutdown=0; 184855714Skris s->state=SSL_ST_CONNECT|SSL_ST_BEFORE; 184955714Skris s->handshake_func=s->method->ssl_connect; 185055714Skris /* clear the current cipher */ 185155714Skris ssl_clear_cipher_ctx(s); 185255714Skris } 185355714Skris 185455714Skrisint ssl_undefined_function(SSL *s) 185555714Skris { 185655714Skris SSLerr(SSL_F_SSL_UNDEFINED_FUNCTION,ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 185755714Skris return(0); 185855714Skris } 185955714Skris 186055714SkrisSSL_METHOD *ssl_bad_method(int ver) 186155714Skris { 186255714Skris SSLerr(SSL_F_SSL_BAD_METHOD,ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 186355714Skris return(NULL); 186455714Skris } 186555714Skris 186659191Skrisconst char *SSL_get_version(SSL *s) 186755714Skris { 186855714Skris if (s->version == TLS1_VERSION) 186955714Skris return("TLSv1"); 187055714Skris else if (s->version == SSL3_VERSION) 187155714Skris return("SSLv3"); 187255714Skris else if (s->version == SSL2_VERSION) 187355714Skris return("SSLv2"); 187455714Skris else 187555714Skris return("unknown"); 187655714Skris } 187755714Skris 187855714SkrisSSL *SSL_dup(SSL *s) 187955714Skris { 188055714Skris STACK_OF(X509_NAME) *sk; 188155714Skris X509_NAME *xn; 188255714Skris SSL *ret; 188355714Skris int i; 188455714Skris 188555714Skris if ((ret=SSL_new(SSL_get_SSL_CTX(s))) == NULL) 188655714Skris return(NULL); 1887109998Smarkm 1888109998Smarkm ret->version = s->version; 1889109998Smarkm ret->type = s->type; 1890109998Smarkm ret->method = s->method; 1891109998Smarkm 189255714Skris if (s->session != NULL) 189355714Skris { 189455714Skris /* This copies session-id, SSL_METHOD, sid_ctx, and 'cert' */ 189555714Skris SSL_copy_session_id(ret,s); 189655714Skris } 189755714Skris else 189855714Skris { 189955714Skris /* No session has been established yet, so we have to expect 190055714Skris * that s->cert or ret->cert will be changed later -- 190155714Skris * they should not both point to the same object, 190255714Skris * and thus we can't use SSL_copy_session_id. */ 190355714Skris 1904111147Snectar ret->method->ssl_free(ret); 190555714Skris ret->method = s->method; 190655714Skris ret->method->ssl_new(ret); 190755714Skris 190855714Skris if (s->cert != NULL) 190955714Skris { 191076866Skris if (ret->cert != NULL) 191176866Skris { 191276866Skris ssl_cert_free(ret->cert); 191376866Skris } 191455714Skris ret->cert = ssl_cert_dup(s->cert); 191555714Skris if (ret->cert == NULL) 191655714Skris goto err; 191755714Skris } 191855714Skris 191955714Skris SSL_set_session_id_context(ret, 192055714Skris s->sid_ctx, s->sid_ctx_length); 192155714Skris } 192255714Skris 1923109998Smarkm ret->options=s->options; 1924109998Smarkm ret->mode=s->mode; 1925109998Smarkm SSL_set_max_cert_list(ret,SSL_get_max_cert_list(s)); 192655714Skris SSL_set_read_ahead(ret,SSL_get_read_ahead(s)); 1927109998Smarkm ret->msg_callback = s->msg_callback; 1928109998Smarkm ret->msg_callback_arg = s->msg_callback_arg; 192955714Skris SSL_set_verify(ret,SSL_get_verify_mode(s), 193055714Skris SSL_get_verify_callback(s)); 193155714Skris SSL_set_verify_depth(ret,SSL_get_verify_depth(s)); 1932109998Smarkm ret->generate_session_id = s->generate_session_id; 193355714Skris 193455714Skris SSL_set_info_callback(ret,SSL_get_info_callback(s)); 193555714Skris 193655714Skris ret->debug=s->debug; 193755714Skris 193855714Skris /* copy app data, a little dangerous perhaps */ 1939109998Smarkm if (!CRYPTO_dup_ex_data(CRYPTO_EX_INDEX_SSL, &ret->ex_data, &s->ex_data)) 194055714Skris goto err; 194155714Skris 194255714Skris /* setup rbio, and wbio */ 194355714Skris if (s->rbio != NULL) 194455714Skris { 194555714Skris if (!BIO_dup_state(s->rbio,(char *)&ret->rbio)) 194655714Skris goto err; 194755714Skris } 194855714Skris if (s->wbio != NULL) 194955714Skris { 195055714Skris if (s->wbio != s->rbio) 195155714Skris { 195255714Skris if (!BIO_dup_state(s->wbio,(char *)&ret->wbio)) 195355714Skris goto err; 195455714Skris } 195555714Skris else 195655714Skris ret->wbio=ret->rbio; 195755714Skris } 1958109998Smarkm ret->rwstate = s->rwstate; 1959109998Smarkm ret->in_handshake = s->in_handshake; 1960109998Smarkm ret->handshake_func = s->handshake_func; 1961109998Smarkm ret->server = s->server; 1962109998Smarkm ret->new_session = s->new_session; 1963109998Smarkm ret->quiet_shutdown = s->quiet_shutdown; 1964109998Smarkm ret->shutdown=s->shutdown; 1965109998Smarkm ret->state=s->state; /* SSL_dup does not really work at any state, though */ 1966109998Smarkm ret->rstate=s->rstate; 1967109998Smarkm ret->init_num = 0; /* would have to copy ret->init_buf, ret->init_msg, ret->init_num, ret->init_off */ 1968109998Smarkm ret->hit=s->hit; 1969109998Smarkm ret->purpose=s->purpose; 1970109998Smarkm ret->trust=s->trust; 197155714Skris 197255714Skris /* dup the cipher_list and cipher_list_by_id stacks */ 197355714Skris if (s->cipher_list != NULL) 197455714Skris { 197555714Skris if ((ret->cipher_list=sk_SSL_CIPHER_dup(s->cipher_list)) == NULL) 197655714Skris goto err; 197755714Skris } 197855714Skris if (s->cipher_list_by_id != NULL) 197955714Skris if ((ret->cipher_list_by_id=sk_SSL_CIPHER_dup(s->cipher_list_by_id)) 198055714Skris == NULL) 198155714Skris goto err; 198255714Skris 198355714Skris /* Dup the client_CA list */ 198455714Skris if (s->client_CA != NULL) 198555714Skris { 198655714Skris if ((sk=sk_X509_NAME_dup(s->client_CA)) == NULL) goto err; 198755714Skris ret->client_CA=sk; 198855714Skris for (i=0; i<sk_X509_NAME_num(sk); i++) 198955714Skris { 199055714Skris xn=sk_X509_NAME_value(sk,i); 199155714Skris if (sk_X509_NAME_set(sk,i,X509_NAME_dup(xn)) == NULL) 199255714Skris { 199355714Skris X509_NAME_free(xn); 199455714Skris goto err; 199555714Skris } 199655714Skris } 199755714Skris } 199855714Skris 199955714Skris if (0) 200055714Skris { 200155714Skriserr: 200255714Skris if (ret != NULL) SSL_free(ret); 200355714Skris ret=NULL; 200455714Skris } 200555714Skris return(ret); 200655714Skris } 200755714Skris 200855714Skrisvoid ssl_clear_cipher_ctx(SSL *s) 200955714Skris { 201055714Skris if (s->enc_read_ctx != NULL) 201155714Skris { 201255714Skris EVP_CIPHER_CTX_cleanup(s->enc_read_ctx); 201368651Skris OPENSSL_free(s->enc_read_ctx); 201455714Skris s->enc_read_ctx=NULL; 201555714Skris } 201655714Skris if (s->enc_write_ctx != NULL) 201755714Skris { 201855714Skris EVP_CIPHER_CTX_cleanup(s->enc_write_ctx); 201968651Skris OPENSSL_free(s->enc_write_ctx); 202055714Skris s->enc_write_ctx=NULL; 202155714Skris } 202255714Skris if (s->expand != NULL) 202355714Skris { 202455714Skris COMP_CTX_free(s->expand); 202555714Skris s->expand=NULL; 202655714Skris } 202755714Skris if (s->compress != NULL) 202855714Skris { 202955714Skris COMP_CTX_free(s->compress); 203055714Skris s->compress=NULL; 203155714Skris } 203255714Skris } 203355714Skris 203455714Skris/* Fix this function so that it takes an optional type parameter */ 203555714SkrisX509 *SSL_get_certificate(SSL *s) 203655714Skris { 203755714Skris if (s->cert != NULL) 203855714Skris return(s->cert->key->x509); 203955714Skris else 204055714Skris return(NULL); 204155714Skris } 204255714Skris 204355714Skris/* Fix this function so that it takes an optional type parameter */ 204455714SkrisEVP_PKEY *SSL_get_privatekey(SSL *s) 204555714Skris { 204655714Skris if (s->cert != NULL) 204755714Skris return(s->cert->key->privatekey); 204855714Skris else 204955714Skris return(NULL); 205055714Skris } 205155714Skris 205255714SkrisSSL_CIPHER *SSL_get_current_cipher(SSL *s) 205355714Skris { 205455714Skris if ((s->session != NULL) && (s->session->cipher != NULL)) 205555714Skris return(s->session->cipher); 205655714Skris return(NULL); 205755714Skris } 205855714Skris 205955714Skrisint ssl_init_wbio_buffer(SSL *s,int push) 206055714Skris { 206155714Skris BIO *bbio; 206255714Skris 206355714Skris if (s->bbio == NULL) 206455714Skris { 206555714Skris bbio=BIO_new(BIO_f_buffer()); 206655714Skris if (bbio == NULL) return(0); 206755714Skris s->bbio=bbio; 206855714Skris } 206955714Skris else 207055714Skris { 207155714Skris bbio=s->bbio; 207255714Skris if (s->bbio == s->wbio) 207355714Skris s->wbio=BIO_pop(s->wbio); 207455714Skris } 207555714Skris (void)BIO_reset(bbio); 207655714Skris/* if (!BIO_set_write_buffer_size(bbio,16*1024)) */ 207755714Skris if (!BIO_set_read_buffer_size(bbio,1)) 207855714Skris { 207955714Skris SSLerr(SSL_F_SSL_INIT_WBIO_BUFFER,ERR_R_BUF_LIB); 208055714Skris return(0); 208155714Skris } 208255714Skris if (push) 208355714Skris { 208455714Skris if (s->wbio != bbio) 208555714Skris s->wbio=BIO_push(bbio,s->wbio); 208655714Skris } 208755714Skris else 208855714Skris { 208955714Skris if (s->wbio == bbio) 209055714Skris s->wbio=BIO_pop(bbio); 209155714Skris } 209255714Skris return(1); 209355714Skris } 209455714Skris 209555714Skrisvoid ssl_free_wbio_buffer(SSL *s) 209655714Skris { 209755714Skris if (s->bbio == NULL) return; 209855714Skris 209955714Skris if (s->bbio == s->wbio) 210055714Skris { 210155714Skris /* remove buffering */ 210268651Skris s->wbio=BIO_pop(s->wbio); 210368651Skris#ifdef REF_CHECK /* not the usual REF_CHECK, but this avoids adding one more preprocessor symbol */ 210468651Skris assert(s->wbio != NULL); 210568651Skris#endif 210668651Skris } 210755714Skris BIO_free(s->bbio); 210855714Skris s->bbio=NULL; 210955714Skris } 211055714Skris 211155714Skrisvoid SSL_CTX_set_quiet_shutdown(SSL_CTX *ctx,int mode) 211255714Skris { 211355714Skris ctx->quiet_shutdown=mode; 211455714Skris } 211555714Skris 211655714Skrisint SSL_CTX_get_quiet_shutdown(SSL_CTX *ctx) 211755714Skris { 211855714Skris return(ctx->quiet_shutdown); 211955714Skris } 212055714Skris 212155714Skrisvoid SSL_set_quiet_shutdown(SSL *s,int mode) 212255714Skris { 212355714Skris s->quiet_shutdown=mode; 212455714Skris } 212555714Skris 212655714Skrisint SSL_get_quiet_shutdown(SSL *s) 212755714Skris { 212855714Skris return(s->quiet_shutdown); 212955714Skris } 213055714Skris 213155714Skrisvoid SSL_set_shutdown(SSL *s,int mode) 213255714Skris { 213355714Skris s->shutdown=mode; 213455714Skris } 213555714Skris 213655714Skrisint SSL_get_shutdown(SSL *s) 213755714Skris { 213855714Skris return(s->shutdown); 213955714Skris } 214055714Skris 214155714Skrisint SSL_version(SSL *s) 214255714Skris { 214355714Skris return(s->version); 214455714Skris } 214555714Skris 214655714SkrisSSL_CTX *SSL_get_SSL_CTX(SSL *ssl) 214755714Skris { 214855714Skris return(ssl->ctx); 214955714Skris } 215055714Skris 2151109998Smarkm#ifndef OPENSSL_NO_STDIO 215255714Skrisint SSL_CTX_set_default_verify_paths(SSL_CTX *ctx) 215355714Skris { 215455714Skris return(X509_STORE_set_default_paths(ctx->cert_store)); 215555714Skris } 215655714Skris 215755714Skrisint SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile, 215855714Skris const char *CApath) 215955714Skris { 216055714Skris return(X509_STORE_load_locations(ctx->cert_store,CAfile,CApath)); 216155714Skris } 216255714Skris#endif 216355714Skris 2164109998Smarkmvoid SSL_set_info_callback(SSL *ssl, 2165109998Smarkm void (*cb)(const SSL *ssl,int type,int val)) 216655714Skris { 216755714Skris ssl->info_callback=cb; 216855714Skris } 216955714Skris 2170109998Smarkmvoid (*SSL_get_info_callback(SSL *ssl))(const SSL *ssl,int type,int val) 217155714Skris { 2172109998Smarkm return ssl->info_callback; 217355714Skris } 217455714Skris 217555714Skrisint SSL_state(SSL *ssl) 217655714Skris { 217755714Skris return(ssl->state); 217855714Skris } 217955714Skris 218055714Skrisvoid SSL_set_verify_result(SSL *ssl,long arg) 218155714Skris { 218255714Skris ssl->verify_result=arg; 218355714Skris } 218455714Skris 218555714Skrislong SSL_get_verify_result(SSL *ssl) 218655714Skris { 218755714Skris return(ssl->verify_result); 218855714Skris } 218955714Skris 219059191Skrisint SSL_get_ex_new_index(long argl,void *argp,CRYPTO_EX_new *new_func, 219159191Skris CRYPTO_EX_dup *dup_func,CRYPTO_EX_free *free_func) 219255714Skris { 2193109998Smarkm return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_SSL, argl, argp, 2194109998Smarkm new_func, dup_func, free_func); 219555714Skris } 219655714Skris 219755714Skrisint SSL_set_ex_data(SSL *s,int idx,void *arg) 219855714Skris { 219955714Skris return(CRYPTO_set_ex_data(&s->ex_data,idx,arg)); 220055714Skris } 220155714Skris 220255714Skrisvoid *SSL_get_ex_data(SSL *s,int idx) 220355714Skris { 220455714Skris return(CRYPTO_get_ex_data(&s->ex_data,idx)); 220555714Skris } 220655714Skris 220759191Skrisint SSL_CTX_get_ex_new_index(long argl,void *argp,CRYPTO_EX_new *new_func, 220859191Skris CRYPTO_EX_dup *dup_func,CRYPTO_EX_free *free_func) 220955714Skris { 2210109998Smarkm return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_SSL_CTX, argl, argp, 2211109998Smarkm new_func, dup_func, free_func); 221255714Skris } 221355714Skris 221455714Skrisint SSL_CTX_set_ex_data(SSL_CTX *s,int idx,void *arg) 221555714Skris { 221655714Skris return(CRYPTO_set_ex_data(&s->ex_data,idx,arg)); 221755714Skris } 221855714Skris 221955714Skrisvoid *SSL_CTX_get_ex_data(SSL_CTX *s,int idx) 222055714Skris { 222155714Skris return(CRYPTO_get_ex_data(&s->ex_data,idx)); 222255714Skris } 222355714Skris 222455714Skrisint ssl_ok(SSL *s) 222555714Skris { 222655714Skris return(1); 222755714Skris } 222855714Skris 222955714SkrisX509_STORE *SSL_CTX_get_cert_store(SSL_CTX *ctx) 223055714Skris { 223155714Skris return(ctx->cert_store); 223255714Skris } 223355714Skris 223455714Skrisvoid SSL_CTX_set_cert_store(SSL_CTX *ctx,X509_STORE *store) 223555714Skris { 223655714Skris if (ctx->cert_store != NULL) 223755714Skris X509_STORE_free(ctx->cert_store); 223855714Skris ctx->cert_store=store; 223955714Skris } 224055714Skris 224155714Skrisint SSL_want(SSL *s) 224255714Skris { 224355714Skris return(s->rwstate); 224455714Skris } 224555714Skris 224655714Skris/*! 224755714Skris * \brief Set the callback for generating temporary RSA keys. 224855714Skris * \param ctx the SSL context. 224955714Skris * \param cb the callback 225055714Skris */ 225155714Skris 2252109998Smarkm#ifndef OPENSSL_NO_RSA 225355714Skrisvoid SSL_CTX_set_tmp_rsa_callback(SSL_CTX *ctx,RSA *(*cb)(SSL *ssl, 225455714Skris int is_export, 225555714Skris int keylength)) 225659191Skris { 225759191Skris SSL_CTX_callback_ctrl(ctx,SSL_CTRL_SET_TMP_RSA_CB,(void (*)())cb); 225859191Skris } 225955714Skris 226059191Skrisvoid SSL_set_tmp_rsa_callback(SSL *ssl,RSA *(*cb)(SSL *ssl, 226159191Skris int is_export, 226259191Skris int keylength)) 226359191Skris { 226459191Skris SSL_callback_ctrl(ssl,SSL_CTRL_SET_TMP_RSA_CB,(void (*)())cb); 226559191Skris } 226655714Skris#endif 226755714Skris 226855714Skris#ifdef DOXYGEN 226955714Skris/*! 227055714Skris * \brief The RSA temporary key callback function. 227155714Skris * \param ssl the SSL session. 227255714Skris * \param is_export \c TRUE if the temp RSA key is for an export ciphersuite. 227355714Skris * \param keylength if \c is_export is \c TRUE, then \c keylength is the size 227455714Skris * of the required key in bits. 227555714Skris * \return the temporary RSA key. 227655714Skris * \sa SSL_CTX_set_tmp_rsa_callback, SSL_set_tmp_rsa_callback 227755714Skris */ 227855714Skris 227955714SkrisRSA *cb(SSL *ssl,int is_export,int keylength) 228055714Skris {} 228155714Skris#endif 228255714Skris 228355714Skris/*! 228455714Skris * \brief Set the callback for generating temporary DH keys. 228555714Skris * \param ctx the SSL context. 228655714Skris * \param dh the callback 228755714Skris */ 228855714Skris 2289109998Smarkm#ifndef OPENSSL_NO_DH 229055714Skrisvoid SSL_CTX_set_tmp_dh_callback(SSL_CTX *ctx,DH *(*dh)(SSL *ssl,int is_export, 229155714Skris int keylength)) 2292109998Smarkm { 2293109998Smarkm SSL_CTX_callback_ctrl(ctx,SSL_CTRL_SET_TMP_DH_CB,(void (*)())dh); 2294109998Smarkm } 229555714Skris 229655714Skrisvoid SSL_set_tmp_dh_callback(SSL *ssl,DH *(*dh)(SSL *ssl,int is_export, 229759191Skris int keylength)) 2298109998Smarkm { 2299109998Smarkm SSL_callback_ctrl(ssl,SSL_CTRL_SET_TMP_DH_CB,(void (*)())dh); 2300109998Smarkm } 230155714Skris#endif 230255714Skris 2303109998Smarkm 2304109998Smarkmvoid SSL_CTX_set_msg_callback(SSL_CTX *ctx, void (*cb)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg)) 2305109998Smarkm { 2306109998Smarkm SSL_CTX_callback_ctrl(ctx, SSL_CTRL_SET_MSG_CALLBACK, (void (*)())cb); 2307109998Smarkm } 2308109998Smarkmvoid SSL_set_msg_callback(SSL *ssl, void (*cb)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg)) 2309109998Smarkm { 2310109998Smarkm SSL_callback_ctrl(ssl, SSL_CTRL_SET_MSG_CALLBACK, (void (*)())cb); 2311109998Smarkm } 2312109998Smarkm 2313109998Smarkm 2314109998Smarkm 2315109998Smarkm#if defined(_WINDLL) && defined(OPENSSL_SYS_WIN16) 231655714Skris#include "../crypto/bio/bss_file.c" 231755714Skris#endif 231855714Skris 231955714SkrisIMPLEMENT_STACK_OF(SSL_CIPHER) 232055714SkrisIMPLEMENT_STACK_OF(SSL_COMP) 2321