ssl_lib.c revision 172429
155714Skris/*! \file ssl/ssl_lib.c 255714Skris * \brief Version independent SSL functions. 355714Skris */ 455714Skris/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 555714Skris * All rights reserved. 655714Skris * 755714Skris * This package is an SSL implementation written 855714Skris * by Eric Young (eay@cryptsoft.com). 955714Skris * The implementation was written so as to conform with Netscapes SSL. 1055714Skris * 1155714Skris * This library is free for commercial and non-commercial use as long as 1255714Skris * the following conditions are aheared to. The following conditions 1355714Skris * apply to all code found in this distribution, be it the RC4, RSA, 1455714Skris * lhash, DES, etc., code; not just the SSL code. The SSL documentation 1555714Skris * included with this distribution is covered by the same copyright terms 1655714Skris * except that the holder is Tim Hudson (tjh@cryptsoft.com). 1755714Skris * 1855714Skris * Copyright remains Eric Young's, and as such any Copyright notices in 1955714Skris * the code are not to be removed. 2055714Skris * If this package is used in a product, Eric Young should be given attribution 2155714Skris * as the author of the parts of the library used. 2255714Skris * This can be in the form of a textual message at program startup or 2355714Skris * in documentation (online or textual) provided with the package. 2455714Skris * 2555714Skris * Redistribution and use in source and binary forms, with or without 2655714Skris * modification, are permitted provided that the following conditions 2755714Skris * are met: 2855714Skris * 1. Redistributions of source code must retain the copyright 2955714Skris * notice, this list of conditions and the following disclaimer. 3055714Skris * 2. Redistributions in binary form must reproduce the above copyright 3155714Skris * notice, this list of conditions and the following disclaimer in the 3255714Skris * documentation and/or other materials provided with the distribution. 3355714Skris * 3. All advertising materials mentioning features or use of this software 3455714Skris * must display the following acknowledgement: 3555714Skris * "This product includes cryptographic software written by 3655714Skris * Eric Young (eay@cryptsoft.com)" 3755714Skris * The word 'cryptographic' can be left out if the rouines from the library 3855714Skris * being used are not cryptographic related :-). 3955714Skris * 4. If you include any Windows specific code (or a derivative thereof) from 4055714Skris * the apps directory (application code) you must include an acknowledgement: 4155714Skris * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 4255714Skris * 4355714Skris * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 4455714Skris * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 4555714Skris * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 4655714Skris * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 4755714Skris * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 4855714Skris * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 4955714Skris * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 5055714Skris * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 5155714Skris * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 5255714Skris * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 5355714Skris * SUCH DAMAGE. 5455714Skris * 5555714Skris * The licence and distribution terms for any publically available version or 5655714Skris * derivative of this code cannot be changed. i.e. this code cannot simply be 5755714Skris * copied and put under another distribution licence 5855714Skris * [including the GNU Public Licence.] 5955714Skris */ 60109998Smarkm/* ==================================================================== 61109998Smarkm * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved. 62109998Smarkm * 63109998Smarkm * Redistribution and use in source and binary forms, with or without 64109998Smarkm * modification, are permitted provided that the following conditions 65109998Smarkm * are met: 66109998Smarkm * 67109998Smarkm * 1. Redistributions of source code must retain the above copyright 68109998Smarkm * notice, this list of conditions and the following disclaimer. 69109998Smarkm * 70109998Smarkm * 2. Redistributions in binary form must reproduce the above copyright 71109998Smarkm * notice, this list of conditions and the following disclaimer in 72109998Smarkm * the documentation and/or other materials provided with the 73109998Smarkm * distribution. 74109998Smarkm * 75109998Smarkm * 3. All advertising materials mentioning features or use of this 76109998Smarkm * software must display the following acknowledgment: 77109998Smarkm * "This product includes software developed by the OpenSSL Project 78109998Smarkm * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 79109998Smarkm * 80109998Smarkm * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 81109998Smarkm * endorse or promote products derived from this software without 82109998Smarkm * prior written permission. For written permission, please contact 83109998Smarkm * openssl-core@openssl.org. 84109998Smarkm * 85109998Smarkm * 5. Products derived from this software may not be called "OpenSSL" 86109998Smarkm * nor may "OpenSSL" appear in their names without prior written 87109998Smarkm * permission of the OpenSSL Project. 88109998Smarkm * 89109998Smarkm * 6. Redistributions of any form whatsoever must retain the following 90109998Smarkm * acknowledgment: 91109998Smarkm * "This product includes software developed by the OpenSSL Project 92109998Smarkm * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 93109998Smarkm * 94109998Smarkm * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 95109998Smarkm * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 96109998Smarkm * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 97109998Smarkm * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 98109998Smarkm * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 99109998Smarkm * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 100109998Smarkm * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 101109998Smarkm * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 102109998Smarkm * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 103109998Smarkm * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 104109998Smarkm * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 105109998Smarkm * OF THE POSSIBILITY OF SUCH DAMAGE. 106109998Smarkm * ==================================================================== 107109998Smarkm * 108109998Smarkm * This product includes cryptographic software written by Eric Young 109109998Smarkm * (eay@cryptsoft.com). This product includes software written by Tim 110109998Smarkm * Hudson (tjh@cryptsoft.com). 111109998Smarkm * 112109998Smarkm */ 113160814Ssimon/* ==================================================================== 114160814Ssimon * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. 115160814Ssimon * ECC cipher suite support in OpenSSL originally developed by 116160814Ssimon * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project. 117160814Ssimon */ 11855714Skris 119109998Smarkm#ifdef REF_CHECK 120109998Smarkm# include <assert.h> 121109998Smarkm#endif 12255714Skris#include <stdio.h> 123109998Smarkm#include "ssl_locl.h" 124109998Smarkm#include "kssl_lcl.h" 12555714Skris#include <openssl/objects.h> 12655714Skris#include <openssl/lhash.h> 12759191Skris#include <openssl/x509v3.h> 128160814Ssimon#ifndef OPENSSL_NO_DH 129160814Ssimon#include <openssl/dh.h> 130160814Ssimon#endif 13155714Skris 13259191Skrisconst char *SSL_version_str=OPENSSL_VERSION_TEXT; 13355714Skris 134160814SsimonSSL3_ENC_METHOD ssl3_undef_enc_method={ 13559191Skris /* evil casts, but these functions are only called if there's a library bug */ 13659191Skris (int (*)(SSL *,int))ssl_undefined_function, 13759191Skris (int (*)(SSL *, unsigned char *, int))ssl_undefined_function, 13855714Skris ssl_undefined_function, 13959191Skris (int (*)(SSL *, unsigned char *, unsigned char *, int))ssl_undefined_function, 14059191Skris (int (*)(SSL*, int))ssl_undefined_function, 141160814Ssimon (int (*)(SSL *, EVP_MD_CTX *, EVP_MD_CTX *, const char*, int, unsigned char *))ssl_undefined_function, 142160814Ssimon 0, /* finish_mac_length */ 143160814Ssimon (int (*)(SSL *, EVP_MD_CTX *, unsigned char *))ssl_undefined_function, 144160814Ssimon NULL, /* client_finished_label */ 145160814Ssimon 0, /* client_finished_label_len */ 146160814Ssimon NULL, /* server_finished_label */ 147160814Ssimon 0, /* server_finished_label_len */ 148160814Ssimon (int (*)(int))ssl_undefined_function 14955714Skris }; 15055714Skris 15155714Skrisint SSL_clear(SSL *s) 15255714Skris { 15355714Skris 15455714Skris if (s->method == NULL) 15555714Skris { 15655714Skris SSLerr(SSL_F_SSL_CLEAR,SSL_R_NO_METHOD_SPECIFIED); 15755714Skris return(0); 15855714Skris } 15955714Skris 160100928Snectar if (ssl_clear_bad_session(s)) 161100928Snectar { 162100928Snectar SSL_SESSION_free(s->session); 163100928Snectar s->session=NULL; 164100928Snectar } 165100928Snectar 16655714Skris s->error=0; 16755714Skris s->hit=0; 16855714Skris s->shutdown=0; 16955714Skris 17059191Skris#if 0 /* Disabled since version 1.10 of this file (early return not 17159191Skris * needed because SSL_clear is not called when doing renegotiation) */ 17255714Skris /* This is set if we are doing dynamic renegotiation so keep 17355714Skris * the old cipher. It is sort of a SSL_clear_lite :-) */ 17455714Skris if (s->new_session) return(1); 17559191Skris#else 17659191Skris if (s->new_session) 17759191Skris { 178109998Smarkm SSLerr(SSL_F_SSL_CLEAR,ERR_R_INTERNAL_ERROR); 17959191Skris return 0; 18059191Skris } 18155714Skris#endif 18255714Skris 18355714Skris s->type=0; 18455714Skris 18555714Skris s->state=SSL_ST_BEFORE|((s->server)?SSL_ST_ACCEPT:SSL_ST_CONNECT); 18655714Skris 18755714Skris s->version=s->method->version; 18855714Skris s->client_version=s->version; 18955714Skris s->rwstate=SSL_NOTHING; 19055714Skris s->rstate=SSL_ST_READ_HEADER; 19172613Skris#if 0 19255714Skris s->read_ahead=s->ctx->read_ahead; 19372613Skris#endif 19455714Skris 19555714Skris if (s->init_buf != NULL) 19655714Skris { 19755714Skris BUF_MEM_free(s->init_buf); 19855714Skris s->init_buf=NULL; 19955714Skris } 20055714Skris 20155714Skris ssl_clear_cipher_ctx(s); 20255714Skris 20355714Skris s->first_packet=0; 20455714Skris 20555714Skris#if 1 20655714Skris /* Check to see if we were changed into a different method, if 20755714Skris * so, revert back if we are not doing session-id reuse. */ 20889837Skris if (!s->in_handshake && (s->session == NULL) && (s->method != s->ctx->method)) 20955714Skris { 21055714Skris s->method->ssl_free(s); 21155714Skris s->method=s->ctx->method; 21255714Skris if (!s->method->ssl_new(s)) 21355714Skris return(0); 21455714Skris } 21555714Skris else 21655714Skris#endif 21755714Skris s->method->ssl_clear(s); 21855714Skris return(1); 21955714Skris } 22055714Skris 22155714Skris/** Used to change an SSL_CTXs default SSL method type */ 22255714Skrisint SSL_CTX_set_ssl_version(SSL_CTX *ctx,SSL_METHOD *meth) 22355714Skris { 22455714Skris STACK_OF(SSL_CIPHER) *sk; 22555714Skris 22655714Skris ctx->method=meth; 22755714Skris 22855714Skris sk=ssl_create_cipher_list(ctx->method,&(ctx->cipher_list), 22955714Skris &(ctx->cipher_list_by_id),SSL_DEFAULT_CIPHER_LIST); 23055714Skris if ((sk == NULL) || (sk_SSL_CIPHER_num(sk) <= 0)) 23155714Skris { 23255714Skris SSLerr(SSL_F_SSL_CTX_SET_SSL_VERSION,SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS); 23355714Skris return(0); 23455714Skris } 23555714Skris return(1); 23655714Skris } 23755714Skris 23855714SkrisSSL *SSL_new(SSL_CTX *ctx) 23955714Skris { 24055714Skris SSL *s; 24155714Skris 24255714Skris if (ctx == NULL) 24355714Skris { 24455714Skris SSLerr(SSL_F_SSL_NEW,SSL_R_NULL_SSL_CTX); 24555714Skris return(NULL); 24655714Skris } 24755714Skris if (ctx->method == NULL) 24855714Skris { 24955714Skris SSLerr(SSL_F_SSL_NEW,SSL_R_SSL_CTX_HAS_NO_DEFAULT_SSL_VERSION); 25055714Skris return(NULL); 25155714Skris } 25255714Skris 25368651Skris s=(SSL *)OPENSSL_malloc(sizeof(SSL)); 25455714Skris if (s == NULL) goto err; 25555714Skris memset(s,0,sizeof(SSL)); 25655714Skris 257109998Smarkm#ifndef OPENSSL_NO_KRB5 258109998Smarkm s->kssl_ctx = kssl_ctx_new(); 259109998Smarkm#endif /* OPENSSL_NO_KRB5 */ 260109998Smarkm 261109998Smarkm s->options=ctx->options; 262109998Smarkm s->mode=ctx->mode; 263109998Smarkm s->max_cert_list=ctx->max_cert_list; 264109998Smarkm 26555714Skris if (ctx->cert != NULL) 26655714Skris { 26755714Skris /* Earlier library versions used to copy the pointer to 26855714Skris * the CERT, not its contents; only when setting new 26955714Skris * parameters for the per-SSL copy, ssl_cert_new would be 27055714Skris * called (and the direct reference to the per-SSL_CTX 27155714Skris * settings would be lost, but those still were indirectly 27255714Skris * accessed for various purposes, and for that reason they 27355714Skris * used to be known as s->ctx->default_cert). 27455714Skris * Now we don't look at the SSL_CTX's CERT after having 27555714Skris * duplicated it once. */ 27655714Skris 27755714Skris s->cert = ssl_cert_dup(ctx->cert); 27855714Skris if (s->cert == NULL) 27955714Skris goto err; 28055714Skris } 28155714Skris else 28255714Skris s->cert=NULL; /* Cannot really happen (see SSL_CTX_new) */ 283109998Smarkm 284109998Smarkm s->read_ahead=ctx->read_ahead; 285109998Smarkm s->msg_callback=ctx->msg_callback; 286109998Smarkm s->msg_callback_arg=ctx->msg_callback_arg; 287109998Smarkm s->verify_mode=ctx->verify_mode; 288160814Ssimon#if 0 289109998Smarkm s->verify_depth=ctx->verify_depth; 290160814Ssimon#endif 29155714Skris s->sid_ctx_length=ctx->sid_ctx_length; 292109998Smarkm OPENSSL_assert(s->sid_ctx_length <= sizeof s->sid_ctx); 29355714Skris memcpy(&s->sid_ctx,&ctx->sid_ctx,sizeof(s->sid_ctx)); 29455714Skris s->verify_callback=ctx->default_verify_callback; 295109998Smarkm s->generate_session_id=ctx->generate_session_id; 296160814Ssimon 297160814Ssimon s->param = X509_VERIFY_PARAM_new(); 298160814Ssimon if (!s->param) 299160814Ssimon goto err; 300160814Ssimon X509_VERIFY_PARAM_inherit(s->param, ctx->param); 301160814Ssimon#if 0 30259191Skris s->purpose = ctx->purpose; 30359191Skris s->trust = ctx->trust; 304160814Ssimon#endif 305109998Smarkm s->quiet_shutdown=ctx->quiet_shutdown; 306109998Smarkm 30755714Skris CRYPTO_add(&ctx->references,1,CRYPTO_LOCK_SSL_CTX); 30855714Skris s->ctx=ctx; 30955714Skris 31055714Skris s->verify_result=X509_V_OK; 31155714Skris 31255714Skris s->method=ctx->method; 31355714Skris 31455714Skris if (!s->method->ssl_new(s)) 31555714Skris goto err; 31655714Skris 31755714Skris s->references=1; 31855714Skris s->server=(ctx->method->ssl_accept == ssl_undefined_function)?0:1; 319109998Smarkm 32055714Skris SSL_clear(s); 32155714Skris 322109998Smarkm CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL, s, &s->ex_data); 32355714Skris 32455714Skris return(s); 32555714Skriserr: 32655714Skris if (s != NULL) 32755714Skris { 32855714Skris if (s->cert != NULL) 32955714Skris ssl_cert_free(s->cert); 33055714Skris if (s->ctx != NULL) 33155714Skris SSL_CTX_free(s->ctx); /* decrement reference count */ 33268651Skris OPENSSL_free(s); 33355714Skris } 33455714Skris SSLerr(SSL_F_SSL_NEW,ERR_R_MALLOC_FAILURE); 33555714Skris return(NULL); 33655714Skris } 33755714Skris 33855714Skrisint SSL_CTX_set_session_id_context(SSL_CTX *ctx,const unsigned char *sid_ctx, 33955714Skris unsigned int sid_ctx_len) 34055714Skris { 341109998Smarkm if(sid_ctx_len > sizeof ctx->sid_ctx) 34255714Skris { 34355714Skris SSLerr(SSL_F_SSL_CTX_SET_SESSION_ID_CONTEXT,SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG); 34455714Skris return 0; 34555714Skris } 34655714Skris ctx->sid_ctx_length=sid_ctx_len; 34755714Skris memcpy(ctx->sid_ctx,sid_ctx,sid_ctx_len); 34855714Skris 34955714Skris return 1; 35055714Skris } 35155714Skris 35255714Skrisint SSL_set_session_id_context(SSL *ssl,const unsigned char *sid_ctx, 35355714Skris unsigned int sid_ctx_len) 35455714Skris { 35555714Skris if(sid_ctx_len > SSL_MAX_SID_CTX_LENGTH) 35655714Skris { 35755714Skris SSLerr(SSL_F_SSL_SET_SESSION_ID_CONTEXT,SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG); 35855714Skris return 0; 35955714Skris } 36055714Skris ssl->sid_ctx_length=sid_ctx_len; 36155714Skris memcpy(ssl->sid_ctx,sid_ctx,sid_ctx_len); 36255714Skris 36355714Skris return 1; 36455714Skris } 36555714Skris 366109998Smarkmint SSL_CTX_set_generate_session_id(SSL_CTX *ctx, GEN_SESSION_CB cb) 367109998Smarkm { 368109998Smarkm CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX); 369109998Smarkm ctx->generate_session_id = cb; 370109998Smarkm CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX); 371109998Smarkm return 1; 37259191Skris } 373109998Smarkm 374109998Smarkmint SSL_set_generate_session_id(SSL *ssl, GEN_SESSION_CB cb) 375109998Smarkm { 376109998Smarkm CRYPTO_w_lock(CRYPTO_LOCK_SSL); 377109998Smarkm ssl->generate_session_id = cb; 378109998Smarkm CRYPTO_w_unlock(CRYPTO_LOCK_SSL); 37959191Skris return 1; 380109998Smarkm } 38159191Skris 382109998Smarkmint SSL_has_matching_session_id(const SSL *ssl, const unsigned char *id, 383109998Smarkm unsigned int id_len) 384109998Smarkm { 385109998Smarkm /* A quick examination of SSL_SESSION_hash and SSL_SESSION_cmp shows how 386109998Smarkm * we can "construct" a session to give us the desired check - ie. to 387109998Smarkm * find if there's a session in the hash table that would conflict with 388109998Smarkm * any new session built out of this id/id_len and the ssl_version in 389109998Smarkm * use by this SSL. */ 390109998Smarkm SSL_SESSION r, *p; 391109998Smarkm 392109998Smarkm if(id_len > sizeof r.session_id) 39359191Skris return 0; 394109998Smarkm 395109998Smarkm r.ssl_version = ssl->version; 396109998Smarkm r.session_id_length = id_len; 397109998Smarkm memcpy(r.session_id, id, id_len); 398109998Smarkm /* NB: SSLv2 always uses a fixed 16-byte session ID, so even if a 399109998Smarkm * callback is calling us to check the uniqueness of a shorter ID, it 400109998Smarkm * must be compared as a padded-out ID because that is what it will be 401109998Smarkm * converted to when the callback has finished choosing it. */ 402109998Smarkm if((r.ssl_version == SSL2_VERSION) && 403109998Smarkm (id_len < SSL2_SSL_SESSION_ID_LENGTH)) 404109998Smarkm { 405109998Smarkm memset(r.session_id + id_len, 0, 406109998Smarkm SSL2_SSL_SESSION_ID_LENGTH - id_len); 407109998Smarkm r.session_id_length = SSL2_SSL_SESSION_ID_LENGTH; 408109998Smarkm } 409109998Smarkm 410109998Smarkm CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX); 411109998Smarkm p = (SSL_SESSION *)lh_retrieve(ssl->ctx->sessions, &r); 412109998Smarkm CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX); 413109998Smarkm return (p != NULL); 41459191Skris } 415109998Smarkm 416109998Smarkmint SSL_CTX_set_purpose(SSL_CTX *s, int purpose) 417109998Smarkm { 418160814Ssimon return X509_VERIFY_PARAM_set_purpose(s->param, purpose); 419109998Smarkm } 420109998Smarkm 421109998Smarkmint SSL_set_purpose(SSL *s, int purpose) 422109998Smarkm { 423160814Ssimon return X509_VERIFY_PARAM_set_purpose(s->param, purpose); 424109998Smarkm } 425109998Smarkm 42659191Skrisint SSL_CTX_set_trust(SSL_CTX *s, int trust) 427109998Smarkm { 428160814Ssimon return X509_VERIFY_PARAM_set_trust(s->param, trust); 42959191Skris } 43059191Skris 43159191Skrisint SSL_set_trust(SSL *s, int trust) 432109998Smarkm { 433160814Ssimon return X509_VERIFY_PARAM_set_trust(s->param, trust); 43459191Skris } 43559191Skris 43655714Skrisvoid SSL_free(SSL *s) 43755714Skris { 43855714Skris int i; 43955714Skris 44055714Skris if(s == NULL) 44155714Skris return; 44255714Skris 44355714Skris i=CRYPTO_add(&s->references,-1,CRYPTO_LOCK_SSL); 44455714Skris#ifdef REF_PRINT 44555714Skris REF_PRINT("SSL",s); 44655714Skris#endif 44755714Skris if (i > 0) return; 44855714Skris#ifdef REF_CHECK 44955714Skris if (i < 0) 45055714Skris { 45155714Skris fprintf(stderr,"SSL_free, bad reference count\n"); 45255714Skris abort(); /* ok */ 45355714Skris } 45455714Skris#endif 45555714Skris 456160814Ssimon if (s->param) 457160814Ssimon X509_VERIFY_PARAM_free(s->param); 458160814Ssimon 459109998Smarkm CRYPTO_free_ex_data(CRYPTO_EX_INDEX_SSL, s, &s->ex_data); 46055714Skris 46155714Skris if (s->bbio != NULL) 46255714Skris { 46355714Skris /* If the buffering BIO is in place, pop it off */ 46455714Skris if (s->bbio == s->wbio) 46555714Skris { 46655714Skris s->wbio=BIO_pop(s->wbio); 46755714Skris } 46855714Skris BIO_free(s->bbio); 46955714Skris s->bbio=NULL; 47055714Skris } 47155714Skris if (s->rbio != NULL) 47255714Skris BIO_free_all(s->rbio); 47355714Skris if ((s->wbio != NULL) && (s->wbio != s->rbio)) 47455714Skris BIO_free_all(s->wbio); 47555714Skris 47655714Skris if (s->init_buf != NULL) BUF_MEM_free(s->init_buf); 47755714Skris 47855714Skris /* add extra stuff */ 47955714Skris if (s->cipher_list != NULL) sk_SSL_CIPHER_free(s->cipher_list); 48055714Skris if (s->cipher_list_by_id != NULL) sk_SSL_CIPHER_free(s->cipher_list_by_id); 48155714Skris 48255714Skris /* Make the next call work :-) */ 48355714Skris if (s->session != NULL) 48455714Skris { 48555714Skris ssl_clear_bad_session(s); 48655714Skris SSL_SESSION_free(s->session); 48755714Skris } 48855714Skris 48955714Skris ssl_clear_cipher_ctx(s); 49055714Skris 49155714Skris if (s->cert != NULL) ssl_cert_free(s->cert); 49255714Skris /* Free up if allocated */ 49355714Skris 49455714Skris if (s->ctx) SSL_CTX_free(s->ctx); 49555714Skris 49655714Skris if (s->client_CA != NULL) 49755714Skris sk_X509_NAME_pop_free(s->client_CA,X509_NAME_free); 49855714Skris 49955714Skris if (s->method != NULL) s->method->ssl_free(s); 50055714Skris 501120631Snectar#ifndef OPENSSL_NO_KRB5 502120631Snectar if (s->kssl_ctx != NULL) 503120631Snectar kssl_ctx_free(s->kssl_ctx); 504120631Snectar#endif /* OPENSSL_NO_KRB5 */ 505120631Snectar 50668651Skris OPENSSL_free(s); 50755714Skris } 50855714Skris 50955714Skrisvoid SSL_set_bio(SSL *s,BIO *rbio,BIO *wbio) 51055714Skris { 51155714Skris /* If the output buffering BIO is still in place, remove it 51255714Skris */ 51355714Skris if (s->bbio != NULL) 51455714Skris { 51555714Skris if (s->wbio == s->bbio) 51655714Skris { 51755714Skris s->wbio=s->wbio->next_bio; 51855714Skris s->bbio->next_bio=NULL; 51955714Skris } 52055714Skris } 52155714Skris if ((s->rbio != NULL) && (s->rbio != rbio)) 52255714Skris BIO_free_all(s->rbio); 52355714Skris if ((s->wbio != NULL) && (s->wbio != wbio) && (s->rbio != s->wbio)) 52455714Skris BIO_free_all(s->wbio); 52555714Skris s->rbio=rbio; 52655714Skris s->wbio=wbio; 52755714Skris } 52855714Skris 529160814SsimonBIO *SSL_get_rbio(const SSL *s) 53055714Skris { return(s->rbio); } 53155714Skris 532160814SsimonBIO *SSL_get_wbio(const SSL *s) 53355714Skris { return(s->wbio); } 53455714Skris 535160814Ssimonint SSL_get_fd(const SSL *s) 53655714Skris { 53789837Skris return(SSL_get_rfd(s)); 53889837Skris } 53989837Skris 540160814Ssimonint SSL_get_rfd(const SSL *s) 54189837Skris { 54255714Skris int ret= -1; 54355714Skris BIO *b,*r; 54455714Skris 54555714Skris b=SSL_get_rbio(s); 54655714Skris r=BIO_find_type(b,BIO_TYPE_DESCRIPTOR); 54755714Skris if (r != NULL) 54855714Skris BIO_get_fd(r,&ret); 54955714Skris return(ret); 55055714Skris } 55155714Skris 552160814Ssimonint SSL_get_wfd(const SSL *s) 55389837Skris { 55489837Skris int ret= -1; 55589837Skris BIO *b,*r; 55689837Skris 55789837Skris b=SSL_get_wbio(s); 55889837Skris r=BIO_find_type(b,BIO_TYPE_DESCRIPTOR); 55989837Skris if (r != NULL) 56089837Skris BIO_get_fd(r,&ret); 56189837Skris return(ret); 56289837Skris } 56389837Skris 564109998Smarkm#ifndef OPENSSL_NO_SOCK 56555714Skrisint SSL_set_fd(SSL *s,int fd) 56655714Skris { 56755714Skris int ret=0; 56855714Skris BIO *bio=NULL; 56955714Skris 57055714Skris bio=BIO_new(BIO_s_socket()); 57155714Skris 57255714Skris if (bio == NULL) 57355714Skris { 57455714Skris SSLerr(SSL_F_SSL_SET_FD,ERR_R_BUF_LIB); 57555714Skris goto err; 57655714Skris } 57755714Skris BIO_set_fd(bio,fd,BIO_NOCLOSE); 57855714Skris SSL_set_bio(s,bio,bio); 57955714Skris ret=1; 58055714Skriserr: 58155714Skris return(ret); 58255714Skris } 58355714Skris 58455714Skrisint SSL_set_wfd(SSL *s,int fd) 58555714Skris { 58655714Skris int ret=0; 58755714Skris BIO *bio=NULL; 58855714Skris 58955714Skris if ((s->rbio == NULL) || (BIO_method_type(s->rbio) != BIO_TYPE_SOCKET) 59055714Skris || ((int)BIO_get_fd(s->rbio,NULL) != fd)) 59155714Skris { 59255714Skris bio=BIO_new(BIO_s_socket()); 59355714Skris 59455714Skris if (bio == NULL) 59555714Skris { SSLerr(SSL_F_SSL_SET_WFD,ERR_R_BUF_LIB); goto err; } 59655714Skris BIO_set_fd(bio,fd,BIO_NOCLOSE); 59755714Skris SSL_set_bio(s,SSL_get_rbio(s),bio); 59855714Skris } 59955714Skris else 60055714Skris SSL_set_bio(s,SSL_get_rbio(s),SSL_get_rbio(s)); 60155714Skris ret=1; 60255714Skriserr: 60355714Skris return(ret); 60455714Skris } 60555714Skris 60655714Skrisint SSL_set_rfd(SSL *s,int fd) 60755714Skris { 60855714Skris int ret=0; 60955714Skris BIO *bio=NULL; 61055714Skris 61155714Skris if ((s->wbio == NULL) || (BIO_method_type(s->wbio) != BIO_TYPE_SOCKET) 61255714Skris || ((int)BIO_get_fd(s->wbio,NULL) != fd)) 61355714Skris { 61455714Skris bio=BIO_new(BIO_s_socket()); 61555714Skris 61655714Skris if (bio == NULL) 61755714Skris { 61855714Skris SSLerr(SSL_F_SSL_SET_RFD,ERR_R_BUF_LIB); 61955714Skris goto err; 62055714Skris } 62155714Skris BIO_set_fd(bio,fd,BIO_NOCLOSE); 62255714Skris SSL_set_bio(s,bio,SSL_get_wbio(s)); 62355714Skris } 62455714Skris else 62555714Skris SSL_set_bio(s,SSL_get_wbio(s),SSL_get_wbio(s)); 62655714Skris ret=1; 62755714Skriserr: 62855714Skris return(ret); 62955714Skris } 63055714Skris#endif 63155714Skris 63259191Skris 63359191Skris/* return length of latest Finished message we sent, copy to 'buf' */ 634160814Ssimonsize_t SSL_get_finished(const SSL *s, void *buf, size_t count) 63559191Skris { 63659191Skris size_t ret = 0; 63759191Skris 63859191Skris if (s->s3 != NULL) 63959191Skris { 64059191Skris ret = s->s3->tmp.finish_md_len; 64159191Skris if (count > ret) 64259191Skris count = ret; 64359191Skris memcpy(buf, s->s3->tmp.finish_md, count); 64459191Skris } 64559191Skris return ret; 64659191Skris } 64759191Skris 64859191Skris/* return length of latest Finished message we expected, copy to 'buf' */ 649160814Ssimonsize_t SSL_get_peer_finished(const SSL *s, void *buf, size_t count) 65059191Skris { 65159191Skris size_t ret = 0; 65259191Skris 65359191Skris if (s->s3 != NULL) 65459191Skris { 65559191Skris ret = s->s3->tmp.peer_finish_md_len; 65659191Skris if (count > ret) 65759191Skris count = ret; 65859191Skris memcpy(buf, s->s3->tmp.peer_finish_md, count); 65959191Skris } 66059191Skris return ret; 66159191Skris } 66259191Skris 66359191Skris 664160814Ssimonint SSL_get_verify_mode(const SSL *s) 66555714Skris { 66655714Skris return(s->verify_mode); 66755714Skris } 66855714Skris 669160814Ssimonint SSL_get_verify_depth(const SSL *s) 67055714Skris { 671160814Ssimon return X509_VERIFY_PARAM_get_depth(s->param); 67255714Skris } 67355714Skris 674160814Ssimonint (*SSL_get_verify_callback(const SSL *s))(int,X509_STORE_CTX *) 67555714Skris { 67655714Skris return(s->verify_callback); 67755714Skris } 67855714Skris 679160814Ssimonint SSL_CTX_get_verify_mode(const SSL_CTX *ctx) 68055714Skris { 68155714Skris return(ctx->verify_mode); 68255714Skris } 68355714Skris 684160814Ssimonint SSL_CTX_get_verify_depth(const SSL_CTX *ctx) 68555714Skris { 686160814Ssimon return X509_VERIFY_PARAM_get_depth(ctx->param); 68755714Skris } 68855714Skris 689160814Ssimonint (*SSL_CTX_get_verify_callback(const SSL_CTX *ctx))(int,X509_STORE_CTX *) 69055714Skris { 69155714Skris return(ctx->default_verify_callback); 69255714Skris } 69355714Skris 69455714Skrisvoid SSL_set_verify(SSL *s,int mode, 69555714Skris int (*callback)(int ok,X509_STORE_CTX *ctx)) 69655714Skris { 69755714Skris s->verify_mode=mode; 69855714Skris if (callback != NULL) 69955714Skris s->verify_callback=callback; 70055714Skris } 70155714Skris 70255714Skrisvoid SSL_set_verify_depth(SSL *s,int depth) 70355714Skris { 704160814Ssimon X509_VERIFY_PARAM_set_depth(s->param, depth); 70555714Skris } 70655714Skris 70755714Skrisvoid SSL_set_read_ahead(SSL *s,int yes) 70855714Skris { 70955714Skris s->read_ahead=yes; 71055714Skris } 71155714Skris 712160814Ssimonint SSL_get_read_ahead(const SSL *s) 71355714Skris { 71455714Skris return(s->read_ahead); 71555714Skris } 71655714Skris 717160814Ssimonint SSL_pending(const SSL *s) 71855714Skris { 719109998Smarkm /* SSL_pending cannot work properly if read-ahead is enabled 720109998Smarkm * (SSL_[CTX_]ctrl(..., SSL_CTRL_SET_READ_AHEAD, 1, NULL)), 721109998Smarkm * and it is impossible to fix since SSL_pending cannot report 722109998Smarkm * errors that may be observed while scanning the new data. 723109998Smarkm * (Note that SSL_pending() is often used as a boolean value, 724109998Smarkm * so we'd better not return -1.) 725109998Smarkm */ 72655714Skris return(s->method->ssl_pending(s)); 72755714Skris } 72855714Skris 729160814SsimonX509 *SSL_get_peer_certificate(const SSL *s) 73055714Skris { 73155714Skris X509 *r; 73255714Skris 73355714Skris if ((s == NULL) || (s->session == NULL)) 73455714Skris r=NULL; 73555714Skris else 73655714Skris r=s->session->peer; 73755714Skris 73855714Skris if (r == NULL) return(r); 73955714Skris 74055714Skris CRYPTO_add(&r->references,1,CRYPTO_LOCK_X509); 74155714Skris 74255714Skris return(r); 74355714Skris } 74455714Skris 745160814SsimonSTACK_OF(X509) *SSL_get_peer_cert_chain(const SSL *s) 74655714Skris { 74755714Skris STACK_OF(X509) *r; 74855714Skris 74955714Skris if ((s == NULL) || (s->session == NULL) || (s->session->sess_cert == NULL)) 75055714Skris r=NULL; 75155714Skris else 75255714Skris r=s->session->sess_cert->cert_chain; 75355714Skris 75459191Skris /* If we are a client, cert_chain includes the peer's own 75559191Skris * certificate; if we are a server, it does not. */ 75659191Skris 75755714Skris return(r); 75855714Skris } 75955714Skris 76055714Skris/* Now in theory, since the calling process own 't' it should be safe to 76155714Skris * modify. We need to be able to read f without being hassled */ 762160814Ssimonvoid SSL_copy_session_id(SSL *t,const SSL *f) 76355714Skris { 76455714Skris CERT *tmp; 76555714Skris 76655714Skris /* Do we need to to SSL locking? */ 76755714Skris SSL_set_session(t,SSL_get_session(f)); 76855714Skris 76955714Skris /* what if we are setup as SSLv2 but want to talk SSLv3 or 77055714Skris * vice-versa */ 77155714Skris if (t->method != f->method) 77255714Skris { 77355714Skris t->method->ssl_free(t); /* cleanup current */ 77455714Skris t->method=f->method; /* change method */ 77555714Skris t->method->ssl_new(t); /* setup new */ 77655714Skris } 77755714Skris 77855714Skris tmp=t->cert; 77955714Skris if (f->cert != NULL) 78055714Skris { 78155714Skris CRYPTO_add(&f->cert->references,1,CRYPTO_LOCK_SSL_CERT); 78255714Skris t->cert=f->cert; 78355714Skris } 78455714Skris else 78555714Skris t->cert=NULL; 78655714Skris if (tmp != NULL) ssl_cert_free(tmp); 78755714Skris SSL_set_session_id_context(t,f->sid_ctx,f->sid_ctx_length); 78855714Skris } 78955714Skris 79055714Skris/* Fix this so it checks all the valid key/cert options */ 791160814Ssimonint SSL_CTX_check_private_key(const SSL_CTX *ctx) 79255714Skris { 79355714Skris if ( (ctx == NULL) || 79455714Skris (ctx->cert == NULL) || 79555714Skris (ctx->cert->key->x509 == NULL)) 79655714Skris { 79755714Skris SSLerr(SSL_F_SSL_CTX_CHECK_PRIVATE_KEY,SSL_R_NO_CERTIFICATE_ASSIGNED); 79855714Skris return(0); 79955714Skris } 80055714Skris if (ctx->cert->key->privatekey == NULL) 80155714Skris { 80255714Skris SSLerr(SSL_F_SSL_CTX_CHECK_PRIVATE_KEY,SSL_R_NO_PRIVATE_KEY_ASSIGNED); 80355714Skris return(0); 80455714Skris } 80555714Skris return(X509_check_private_key(ctx->cert->key->x509, ctx->cert->key->privatekey)); 80655714Skris } 80755714Skris 80855714Skris/* Fix this function so that it takes an optional type parameter */ 809160814Ssimonint SSL_check_private_key(const SSL *ssl) 81055714Skris { 81155714Skris if (ssl == NULL) 81255714Skris { 81355714Skris SSLerr(SSL_F_SSL_CHECK_PRIVATE_KEY,ERR_R_PASSED_NULL_PARAMETER); 81455714Skris return(0); 81555714Skris } 81655714Skris if (ssl->cert == NULL) 81755714Skris { 81855714Skris SSLerr(SSL_F_SSL_CHECK_PRIVATE_KEY,SSL_R_NO_CERTIFICATE_ASSIGNED); 81955714Skris return 0; 82055714Skris } 82155714Skris if (ssl->cert->key->x509 == NULL) 82255714Skris { 82355714Skris SSLerr(SSL_F_SSL_CHECK_PRIVATE_KEY,SSL_R_NO_CERTIFICATE_ASSIGNED); 82455714Skris return(0); 82555714Skris } 82655714Skris if (ssl->cert->key->privatekey == NULL) 82755714Skris { 82855714Skris SSLerr(SSL_F_SSL_CHECK_PRIVATE_KEY,SSL_R_NO_PRIVATE_KEY_ASSIGNED); 82955714Skris return(0); 83055714Skris } 83155714Skris return(X509_check_private_key(ssl->cert->key->x509, 83255714Skris ssl->cert->key->privatekey)); 83355714Skris } 83455714Skris 83555714Skrisint SSL_accept(SSL *s) 83655714Skris { 83755714Skris if (s->handshake_func == 0) 83855714Skris /* Not properly initialized yet */ 83955714Skris SSL_set_accept_state(s); 84055714Skris 84155714Skris return(s->method->ssl_accept(s)); 84255714Skris } 84355714Skris 84455714Skrisint SSL_connect(SSL *s) 84555714Skris { 84655714Skris if (s->handshake_func == 0) 84755714Skris /* Not properly initialized yet */ 84855714Skris SSL_set_connect_state(s); 84955714Skris 85055714Skris return(s->method->ssl_connect(s)); 85155714Skris } 85255714Skris 853160814Ssimonlong SSL_get_default_timeout(const SSL *s) 85455714Skris { 85555714Skris return(s->method->get_timeout()); 85655714Skris } 85755714Skris 85876866Skrisint SSL_read(SSL *s,void *buf,int num) 85955714Skris { 86055714Skris if (s->handshake_func == 0) 86155714Skris { 86255714Skris SSLerr(SSL_F_SSL_READ, SSL_R_UNINITIALIZED); 86355714Skris return -1; 86455714Skris } 86555714Skris 86655714Skris if (s->shutdown & SSL_RECEIVED_SHUTDOWN) 86755714Skris { 86855714Skris s->rwstate=SSL_NOTHING; 86955714Skris return(0); 87055714Skris } 87155714Skris return(s->method->ssl_read(s,buf,num)); 87255714Skris } 87355714Skris 87476866Skrisint SSL_peek(SSL *s,void *buf,int num) 87555714Skris { 87676866Skris if (s->handshake_func == 0) 87776866Skris { 878160814Ssimon SSLerr(SSL_F_SSL_PEEK, SSL_R_UNINITIALIZED); 87976866Skris return -1; 88076866Skris } 88176866Skris 88255714Skris if (s->shutdown & SSL_RECEIVED_SHUTDOWN) 88355714Skris { 88455714Skris return(0); 88555714Skris } 88655714Skris return(s->method->ssl_peek(s,buf,num)); 88755714Skris } 88855714Skris 88976866Skrisint SSL_write(SSL *s,const void *buf,int num) 89055714Skris { 89155714Skris if (s->handshake_func == 0) 89255714Skris { 89355714Skris SSLerr(SSL_F_SSL_WRITE, SSL_R_UNINITIALIZED); 89455714Skris return -1; 89555714Skris } 89655714Skris 89755714Skris if (s->shutdown & SSL_SENT_SHUTDOWN) 89855714Skris { 89955714Skris s->rwstate=SSL_NOTHING; 90055714Skris SSLerr(SSL_F_SSL_WRITE,SSL_R_PROTOCOL_IS_SHUTDOWN); 90155714Skris return(-1); 90255714Skris } 90355714Skris return(s->method->ssl_write(s,buf,num)); 90455714Skris } 90555714Skris 90655714Skrisint SSL_shutdown(SSL *s) 90755714Skris { 90855714Skris /* Note that this function behaves differently from what one might 90955714Skris * expect. Return values are 0 for no success (yet), 91055714Skris * 1 for success; but calling it once is usually not enough, 91155714Skris * even if blocking I/O is used (see ssl3_shutdown). 91255714Skris */ 91355714Skris 91455714Skris if (s->handshake_func == 0) 91555714Skris { 91655714Skris SSLerr(SSL_F_SSL_SHUTDOWN, SSL_R_UNINITIALIZED); 91755714Skris return -1; 91855714Skris } 91955714Skris 92055714Skris if ((s != NULL) && !SSL_in_init(s)) 92155714Skris return(s->method->ssl_shutdown(s)); 92255714Skris else 92355714Skris return(1); 92455714Skris } 92555714Skris 92655714Skrisint SSL_renegotiate(SSL *s) 92755714Skris { 928100928Snectar if (s->new_session == 0) 929100928Snectar { 930100928Snectar s->new_session=1; 931100928Snectar } 93255714Skris return(s->method->ssl_renegotiate(s)); 93355714Skris } 93455714Skris 935109998Smarkmint SSL_renegotiate_pending(SSL *s) 93655714Skris { 937109998Smarkm /* becomes true when negotiation is requested; 938109998Smarkm * false again once a handshake has finished */ 939109998Smarkm return (s->new_session != 0); 940109998Smarkm } 941109998Smarkm 942109998Smarkmlong SSL_ctrl(SSL *s,int cmd,long larg,void *parg) 943109998Smarkm { 94455714Skris long l; 94555714Skris 94655714Skris switch (cmd) 94755714Skris { 94855714Skris case SSL_CTRL_GET_READ_AHEAD: 94955714Skris return(s->read_ahead); 95055714Skris case SSL_CTRL_SET_READ_AHEAD: 95155714Skris l=s->read_ahead; 95255714Skris s->read_ahead=larg; 95355714Skris return(l); 954109998Smarkm 955109998Smarkm case SSL_CTRL_SET_MSG_CALLBACK_ARG: 956109998Smarkm s->msg_callback_arg = parg; 957109998Smarkm return 1; 958109998Smarkm 95955714Skris case SSL_CTRL_OPTIONS: 96055714Skris return(s->options|=larg); 96155714Skris case SSL_CTRL_MODE: 96255714Skris return(s->mode|=larg); 963109998Smarkm case SSL_CTRL_GET_MAX_CERT_LIST: 964109998Smarkm return(s->max_cert_list); 965109998Smarkm case SSL_CTRL_SET_MAX_CERT_LIST: 966109998Smarkm l=s->max_cert_list; 967109998Smarkm s->max_cert_list=larg; 968109998Smarkm return(l); 969160814Ssimon case SSL_CTRL_SET_MTU: 970160814Ssimon if (SSL_version(s) == DTLS1_VERSION) 971160814Ssimon { 972160814Ssimon s->d1->mtu = larg; 973160814Ssimon return larg; 974160814Ssimon } 975160814Ssimon return 0; 97655714Skris default: 97755714Skris return(s->method->ssl_ctrl(s,cmd,larg,parg)); 97855714Skris } 97955714Skris } 98055714Skris 981160814Ssimonlong SSL_callback_ctrl(SSL *s, int cmd, void (*fp)(void)) 98259191Skris { 98359191Skris switch(cmd) 98459191Skris { 985109998Smarkm case SSL_CTRL_SET_MSG_CALLBACK: 986109998Smarkm s->msg_callback = (void (*)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg))(fp); 987109998Smarkm return 1; 988109998Smarkm 98959191Skris default: 99059191Skris return(s->method->ssl_callback_ctrl(s,cmd,fp)); 99159191Skris } 99259191Skris } 99359191Skris 99459191Skrisstruct lhash_st *SSL_CTX_sessions(SSL_CTX *ctx) 99559191Skris { 99659191Skris return ctx->sessions; 99759191Skris } 99859191Skris 999109998Smarkmlong SSL_CTX_ctrl(SSL_CTX *ctx,int cmd,long larg,void *parg) 100055714Skris { 100155714Skris long l; 100255714Skris 100355714Skris switch (cmd) 100455714Skris { 100555714Skris case SSL_CTRL_GET_READ_AHEAD: 100655714Skris return(ctx->read_ahead); 100755714Skris case SSL_CTRL_SET_READ_AHEAD: 100855714Skris l=ctx->read_ahead; 100955714Skris ctx->read_ahead=larg; 101055714Skris return(l); 1011109998Smarkm 1012109998Smarkm case SSL_CTRL_SET_MSG_CALLBACK_ARG: 1013109998Smarkm ctx->msg_callback_arg = parg; 1014109998Smarkm return 1; 101555714Skris 1016109998Smarkm case SSL_CTRL_GET_MAX_CERT_LIST: 1017109998Smarkm return(ctx->max_cert_list); 1018109998Smarkm case SSL_CTRL_SET_MAX_CERT_LIST: 1019109998Smarkm l=ctx->max_cert_list; 1020109998Smarkm ctx->max_cert_list=larg; 1021109998Smarkm return(l); 1022109998Smarkm 102355714Skris case SSL_CTRL_SET_SESS_CACHE_SIZE: 102455714Skris l=ctx->session_cache_size; 102555714Skris ctx->session_cache_size=larg; 102655714Skris return(l); 102755714Skris case SSL_CTRL_GET_SESS_CACHE_SIZE: 102855714Skris return(ctx->session_cache_size); 102955714Skris case SSL_CTRL_SET_SESS_CACHE_MODE: 103055714Skris l=ctx->session_cache_mode; 103155714Skris ctx->session_cache_mode=larg; 103255714Skris return(l); 103355714Skris case SSL_CTRL_GET_SESS_CACHE_MODE: 103455714Skris return(ctx->session_cache_mode); 103555714Skris 103655714Skris case SSL_CTRL_SESS_NUMBER: 103755714Skris return(ctx->sessions->num_items); 103855714Skris case SSL_CTRL_SESS_CONNECT: 103955714Skris return(ctx->stats.sess_connect); 104055714Skris case SSL_CTRL_SESS_CONNECT_GOOD: 104155714Skris return(ctx->stats.sess_connect_good); 104255714Skris case SSL_CTRL_SESS_CONNECT_RENEGOTIATE: 104355714Skris return(ctx->stats.sess_connect_renegotiate); 104455714Skris case SSL_CTRL_SESS_ACCEPT: 104555714Skris return(ctx->stats.sess_accept); 104655714Skris case SSL_CTRL_SESS_ACCEPT_GOOD: 104755714Skris return(ctx->stats.sess_accept_good); 104855714Skris case SSL_CTRL_SESS_ACCEPT_RENEGOTIATE: 104955714Skris return(ctx->stats.sess_accept_renegotiate); 105055714Skris case SSL_CTRL_SESS_HIT: 105155714Skris return(ctx->stats.sess_hit); 105255714Skris case SSL_CTRL_SESS_CB_HIT: 105355714Skris return(ctx->stats.sess_cb_hit); 105455714Skris case SSL_CTRL_SESS_MISSES: 105555714Skris return(ctx->stats.sess_miss); 105655714Skris case SSL_CTRL_SESS_TIMEOUTS: 105755714Skris return(ctx->stats.sess_timeout); 105855714Skris case SSL_CTRL_SESS_CACHE_FULL: 105955714Skris return(ctx->stats.sess_cache_full); 106055714Skris case SSL_CTRL_OPTIONS: 106155714Skris return(ctx->options|=larg); 106255714Skris case SSL_CTRL_MODE: 106355714Skris return(ctx->mode|=larg); 106455714Skris default: 106555714Skris return(ctx->method->ssl_ctx_ctrl(ctx,cmd,larg,parg)); 106655714Skris } 106755714Skris } 106855714Skris 1069160814Ssimonlong SSL_CTX_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)(void)) 107059191Skris { 107159191Skris switch(cmd) 107259191Skris { 1073109998Smarkm case SSL_CTRL_SET_MSG_CALLBACK: 1074109998Smarkm ctx->msg_callback = (void (*)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg))(fp); 1075109998Smarkm return 1; 1076109998Smarkm 107759191Skris default: 107859191Skris return(ctx->method->ssl_ctx_callback_ctrl(ctx,cmd,fp)); 107959191Skris } 108059191Skris } 108159191Skris 108268651Skrisint ssl_cipher_id_cmp(const SSL_CIPHER *a, const SSL_CIPHER *b) 108355714Skris { 108455714Skris long l; 108555714Skris 108655714Skris l=a->id-b->id; 108755714Skris if (l == 0L) 108855714Skris return(0); 108955714Skris else 109055714Skris return((l > 0)?1:-1); 109155714Skris } 109255714Skris 109368651Skrisint ssl_cipher_ptr_id_cmp(const SSL_CIPHER * const *ap, 109468651Skris const SSL_CIPHER * const *bp) 109555714Skris { 109655714Skris long l; 109755714Skris 109855714Skris l=(*ap)->id-(*bp)->id; 109955714Skris if (l == 0L) 110055714Skris return(0); 110155714Skris else 110255714Skris return((l > 0)?1:-1); 110355714Skris } 110455714Skris 110555714Skris/** return a STACK of the ciphers available for the SSL and in order of 110655714Skris * preference */ 1107160814SsimonSTACK_OF(SSL_CIPHER) *SSL_get_ciphers(const SSL *s) 110855714Skris { 1109111147Snectar if (s != NULL) 111055714Skris { 1111111147Snectar if (s->cipher_list != NULL) 1112111147Snectar { 1113111147Snectar return(s->cipher_list); 1114111147Snectar } 1115111147Snectar else if ((s->ctx != NULL) && 1116111147Snectar (s->ctx->cipher_list != NULL)) 1117111147Snectar { 1118111147Snectar return(s->ctx->cipher_list); 1119111147Snectar } 112055714Skris } 112155714Skris return(NULL); 112255714Skris } 112355714Skris 112455714Skris/** return a STACK of the ciphers available for the SSL and in order of 112555714Skris * algorithm id */ 112655714SkrisSTACK_OF(SSL_CIPHER) *ssl_get_ciphers_by_id(SSL *s) 112755714Skris { 1128111147Snectar if (s != NULL) 112955714Skris { 1130111147Snectar if (s->cipher_list_by_id != NULL) 1131111147Snectar { 1132111147Snectar return(s->cipher_list_by_id); 1133111147Snectar } 1134111147Snectar else if ((s->ctx != NULL) && 1135111147Snectar (s->ctx->cipher_list_by_id != NULL)) 1136111147Snectar { 1137111147Snectar return(s->ctx->cipher_list_by_id); 1138111147Snectar } 113955714Skris } 114055714Skris return(NULL); 114155714Skris } 114255714Skris 114355714Skris/** The old interface to get the same thing as SSL_get_ciphers() */ 1144160814Ssimonconst char *SSL_get_cipher_list(const SSL *s,int n) 114555714Skris { 114655714Skris SSL_CIPHER *c; 114755714Skris STACK_OF(SSL_CIPHER) *sk; 114855714Skris 114955714Skris if (s == NULL) return(NULL); 115055714Skris sk=SSL_get_ciphers(s); 115155714Skris if ((sk == NULL) || (sk_SSL_CIPHER_num(sk) <= n)) 115255714Skris return(NULL); 115355714Skris c=sk_SSL_CIPHER_value(sk,n); 115455714Skris if (c == NULL) return(NULL); 115555714Skris return(c->name); 115655714Skris } 115755714Skris 115859191Skris/** specify the ciphers to be used by default by the SSL_CTX */ 115959191Skrisint SSL_CTX_set_cipher_list(SSL_CTX *ctx, const char *str) 116055714Skris { 116155714Skris STACK_OF(SSL_CIPHER) *sk; 116255714Skris 116355714Skris sk=ssl_create_cipher_list(ctx->method,&ctx->cipher_list, 116455714Skris &ctx->cipher_list_by_id,str); 1165160814Ssimon /* ssl_create_cipher_list may return an empty stack if it 1166160814Ssimon * was unable to find a cipher matching the given rule string 1167160814Ssimon * (for example if the rule string specifies a cipher which 1168160814Ssimon * has been disabled). This is not an error as far as 1169160814Ssimon * ssl_create_cipher_list is concerned, and hence 1170160814Ssimon * ctx->cipher_list and ctx->cipher_list_by_id has been 1171160814Ssimon * updated. */ 1172160814Ssimon if (sk == NULL) 1173160814Ssimon return 0; 1174160814Ssimon else if (sk_SSL_CIPHER_num(sk) == 0) 1175160814Ssimon { 1176160814Ssimon SSLerr(SSL_F_SSL_CTX_SET_CIPHER_LIST, SSL_R_NO_CIPHER_MATCH); 1177160814Ssimon return 0; 1178160814Ssimon } 1179160814Ssimon return 1; 118055714Skris } 118155714Skris 118255714Skris/** specify the ciphers to be used by the SSL */ 118359191Skrisint SSL_set_cipher_list(SSL *s,const char *str) 118455714Skris { 118555714Skris STACK_OF(SSL_CIPHER) *sk; 118655714Skris 118755714Skris sk=ssl_create_cipher_list(s->ctx->method,&s->cipher_list, 118855714Skris &s->cipher_list_by_id,str); 1189160814Ssimon /* see comment in SSL_CTX_set_cipher_list */ 1190160814Ssimon if (sk == NULL) 1191160814Ssimon return 0; 1192160814Ssimon else if (sk_SSL_CIPHER_num(sk) == 0) 1193160814Ssimon { 1194160814Ssimon SSLerr(SSL_F_SSL_SET_CIPHER_LIST, SSL_R_NO_CIPHER_MATCH); 1195160814Ssimon return 0; 1196160814Ssimon } 1197160814Ssimon return 1; 119855714Skris } 119955714Skris 120055714Skris/* works well for SSLv2, not so good for SSLv3 */ 1201160814Ssimonchar *SSL_get_shared_ciphers(const SSL *s,char *buf,int len) 120255714Skris { 120355714Skris char *p; 120455714Skris STACK_OF(SSL_CIPHER) *sk; 120555714Skris SSL_CIPHER *c; 120655714Skris int i; 120755714Skris 120855714Skris if ((s->session == NULL) || (s->session->ciphers == NULL) || 120955714Skris (len < 2)) 121055714Skris return(NULL); 121155714Skris 121255714Skris p=buf; 121355714Skris sk=s->session->ciphers; 121455714Skris for (i=0; i<sk_SSL_CIPHER_num(sk); i++) 121555714Skris { 1216172429Ssimon int n; 1217172429Ssimon 121855714Skris c=sk_SSL_CIPHER_value(sk,i); 1219172429Ssimon n=strlen(c->name); 1220172429Ssimon if (n+1 > len) 122155714Skris { 1222172429Ssimon if (p != buf) 1223172429Ssimon --p; 1224172429Ssimon *p='\0'; 1225172429Ssimon return buf; 122655714Skris } 1227172429Ssimon strcpy(p,c->name); 1228172429Ssimon p+=n; 122955714Skris *(p++)=':'; 1230172429Ssimon len-=n+1; 123155714Skris } 123255714Skris p[-1]='\0'; 123355714Skris return(buf); 123455714Skris } 123555714Skris 1236160814Ssimonint ssl_cipher_list_to_bytes(SSL *s,STACK_OF(SSL_CIPHER) *sk,unsigned char *p, 1237160814Ssimon int (*put_cb)(const SSL_CIPHER *, unsigned char *)) 123855714Skris { 123955714Skris int i,j=0; 124055714Skris SSL_CIPHER *c; 124155714Skris unsigned char *q; 1242109998Smarkm#ifndef OPENSSL_NO_KRB5 1243109998Smarkm int nokrb5 = !kssl_tgt_is_available(s->kssl_ctx); 1244109998Smarkm#endif /* OPENSSL_NO_KRB5 */ 124555714Skris 124655714Skris if (sk == NULL) return(0); 124755714Skris q=p; 124855714Skris 124955714Skris for (i=0; i<sk_SSL_CIPHER_num(sk); i++) 125055714Skris { 125155714Skris c=sk_SSL_CIPHER_value(sk,i); 1252109998Smarkm#ifndef OPENSSL_NO_KRB5 1253109998Smarkm if ((c->algorithms & SSL_KRB5) && nokrb5) 1254109998Smarkm continue; 1255109998Smarkm#endif /* OPENSSL_NO_KRB5 */ 1256160814Ssimon 1257160814Ssimon j = put_cb ? put_cb(c,p) : ssl_put_cipher_by_char(s,c,p); 125855714Skris p+=j; 125955714Skris } 126055714Skris return(p-q); 126155714Skris } 126255714Skris 126355714SkrisSTACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s,unsigned char *p,int num, 126455714Skris STACK_OF(SSL_CIPHER) **skp) 126555714Skris { 126655714Skris SSL_CIPHER *c; 126755714Skris STACK_OF(SSL_CIPHER) *sk; 126855714Skris int i,n; 126955714Skris 127055714Skris n=ssl_put_cipher_by_char(s,NULL,NULL); 127155714Skris if ((num%n) != 0) 127255714Skris { 127355714Skris SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST); 127455714Skris return(NULL); 127555714Skris } 127655714Skris if ((skp == NULL) || (*skp == NULL)) 127768651Skris sk=sk_SSL_CIPHER_new_null(); /* change perhaps later */ 127855714Skris else 127955714Skris { 128055714Skris sk= *skp; 128155714Skris sk_SSL_CIPHER_zero(sk); 128255714Skris } 128355714Skris 128455714Skris for (i=0; i<num; i+=n) 128555714Skris { 128655714Skris c=ssl_get_cipher_by_char(s,p); 128755714Skris p+=n; 128855714Skris if (c != NULL) 128955714Skris { 129055714Skris if (!sk_SSL_CIPHER_push(sk,c)) 129155714Skris { 129255714Skris SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,ERR_R_MALLOC_FAILURE); 129355714Skris goto err; 129455714Skris } 129555714Skris } 129655714Skris } 129755714Skris 129855714Skris if (skp != NULL) 129955714Skris *skp=sk; 130055714Skris return(sk); 130155714Skriserr: 130255714Skris if ((skp == NULL) || (*skp == NULL)) 130355714Skris sk_SSL_CIPHER_free(sk); 130455714Skris return(NULL); 130555714Skris } 130655714Skris 1307160814Ssimonunsigned long SSL_SESSION_hash(const SSL_SESSION *a) 130855714Skris { 130955714Skris unsigned long l; 131055714Skris 131155714Skris l=(unsigned long) 131255714Skris ((unsigned int) a->session_id[0] )| 131355714Skris ((unsigned int) a->session_id[1]<< 8L)| 131455714Skris ((unsigned long)a->session_id[2]<<16L)| 131555714Skris ((unsigned long)a->session_id[3]<<24L); 131655714Skris return(l); 131755714Skris } 131855714Skris 1319109998Smarkm/* NB: If this function (or indeed the hash function which uses a sort of 1320109998Smarkm * coarser function than this one) is changed, ensure 1321109998Smarkm * SSL_CTX_has_matching_session_id() is checked accordingly. It relies on being 1322109998Smarkm * able to construct an SSL_SESSION that will collide with any existing session 1323109998Smarkm * with a matching session ID. */ 1324160814Ssimonint SSL_SESSION_cmp(const SSL_SESSION *a,const SSL_SESSION *b) 132555714Skris { 132655714Skris if (a->ssl_version != b->ssl_version) 132755714Skris return(1); 132855714Skris if (a->session_id_length != b->session_id_length) 132955714Skris return(1); 133055714Skris return(memcmp(a->session_id,b->session_id,a->session_id_length)); 133155714Skris } 133255714Skris 1333109998Smarkm/* These wrapper functions should remain rather than redeclaring 1334109998Smarkm * SSL_SESSION_hash and SSL_SESSION_cmp for void* types and casting each 1335109998Smarkm * variable. The reason is that the functions aren't static, they're exposed via 1336109998Smarkm * ssl.h. */ 1337109998Smarkmstatic IMPLEMENT_LHASH_HASH_FN(SSL_SESSION_hash, SSL_SESSION *) 1338109998Smarkmstatic IMPLEMENT_LHASH_COMP_FN(SSL_SESSION_cmp, SSL_SESSION *) 1339109998Smarkm 134055714SkrisSSL_CTX *SSL_CTX_new(SSL_METHOD *meth) 134155714Skris { 134255714Skris SSL_CTX *ret=NULL; 134355714Skris 134455714Skris if (meth == NULL) 134555714Skris { 134655714Skris SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_NULL_SSL_METHOD_PASSED); 134755714Skris return(NULL); 134855714Skris } 134955714Skris 135055714Skris if (SSL_get_ex_data_X509_STORE_CTX_idx() < 0) 135155714Skris { 135255714Skris SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_X509_VERIFICATION_SETUP_PROBLEMS); 135355714Skris goto err; 135455714Skris } 135568651Skris ret=(SSL_CTX *)OPENSSL_malloc(sizeof(SSL_CTX)); 135655714Skris if (ret == NULL) 135755714Skris goto err; 135855714Skris 135955714Skris memset(ret,0,sizeof(SSL_CTX)); 136055714Skris 136155714Skris ret->method=meth; 136255714Skris 136355714Skris ret->cert_store=NULL; 136455714Skris ret->session_cache_mode=SSL_SESS_CACHE_SERVER; 136555714Skris ret->session_cache_size=SSL_SESSION_CACHE_MAX_SIZE_DEFAULT; 136655714Skris ret->session_cache_head=NULL; 136755714Skris ret->session_cache_tail=NULL; 136855714Skris 136955714Skris /* We take the system default */ 137055714Skris ret->session_timeout=meth->get_timeout(); 137155714Skris 1372109998Smarkm ret->new_session_cb=0; 1373109998Smarkm ret->remove_session_cb=0; 1374109998Smarkm ret->get_session_cb=0; 1375109998Smarkm ret->generate_session_id=0; 137655714Skris 137755714Skris memset((char *)&ret->stats,0,sizeof(ret->stats)); 137855714Skris 137955714Skris ret->references=1; 138055714Skris ret->quiet_shutdown=0; 138155714Skris 138255714Skris/* ret->cipher=NULL;*/ 138355714Skris/* ret->s2->challenge=NULL; 138455714Skris ret->master_key=NULL; 138555714Skris ret->key_arg=NULL; 138655714Skris ret->s2->conn_id=NULL; */ 138755714Skris 138855714Skris ret->info_callback=NULL; 138955714Skris 1390109998Smarkm ret->app_verify_callback=0; 139155714Skris ret->app_verify_arg=NULL; 139255714Skris 1393109998Smarkm ret->max_cert_list=SSL_MAX_CERT_LIST_DEFAULT; 139455714Skris ret->read_ahead=0; 1395109998Smarkm ret->msg_callback=0; 1396109998Smarkm ret->msg_callback_arg=NULL; 139755714Skris ret->verify_mode=SSL_VERIFY_NONE; 1398160814Ssimon#if 0 139955714Skris ret->verify_depth=-1; /* Don't impose a limit (but x509_lu.c does) */ 1400160814Ssimon#endif 1401109998Smarkm ret->sid_ctx_length=0; 140255714Skris ret->default_verify_callback=NULL; 140355714Skris if ((ret->cert=ssl_cert_new()) == NULL) 140455714Skris goto err; 140555714Skris 1406109998Smarkm ret->default_passwd_callback=0; 140755714Skris ret->default_passwd_callback_userdata=NULL; 1408109998Smarkm ret->client_cert_cb=0; 1409160814Ssimon ret->app_gen_cookie_cb=0; 1410160814Ssimon ret->app_verify_cookie_cb=0; 141155714Skris 1412109998Smarkm ret->sessions=lh_new(LHASH_HASH_FN(SSL_SESSION_hash), 1413109998Smarkm LHASH_COMP_FN(SSL_SESSION_cmp)); 141455714Skris if (ret->sessions == NULL) goto err; 141555714Skris ret->cert_store=X509_STORE_new(); 141655714Skris if (ret->cert_store == NULL) goto err; 141755714Skris 141855714Skris ssl_create_cipher_list(ret->method, 141955714Skris &ret->cipher_list,&ret->cipher_list_by_id, 142055714Skris SSL_DEFAULT_CIPHER_LIST); 142155714Skris if (ret->cipher_list == NULL 142255714Skris || sk_SSL_CIPHER_num(ret->cipher_list) <= 0) 142355714Skris { 142455714Skris SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_LIBRARY_HAS_NO_CIPHERS); 142555714Skris goto err2; 142655714Skris } 142755714Skris 1428160814Ssimon ret->param = X509_VERIFY_PARAM_new(); 1429160814Ssimon if (!ret->param) 1430160814Ssimon goto err; 1431160814Ssimon 143255714Skris if ((ret->rsa_md5=EVP_get_digestbyname("ssl2-md5")) == NULL) 143355714Skris { 143455714Skris SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_UNABLE_TO_LOAD_SSL2_MD5_ROUTINES); 143555714Skris goto err2; 143655714Skris } 143755714Skris if ((ret->md5=EVP_get_digestbyname("ssl3-md5")) == NULL) 143855714Skris { 143955714Skris SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES); 144055714Skris goto err2; 144155714Skris } 144255714Skris if ((ret->sha1=EVP_get_digestbyname("ssl3-sha1")) == NULL) 144355714Skris { 144455714Skris SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES); 144555714Skris goto err2; 144655714Skris } 144755714Skris 144855714Skris if ((ret->client_CA=sk_X509_NAME_new_null()) == NULL) 144955714Skris goto err; 145055714Skris 1451109998Smarkm CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL_CTX, ret, &ret->ex_data); 145255714Skris 145355714Skris ret->extra_certs=NULL; 145455714Skris ret->comp_methods=SSL_COMP_get_compression_methods(); 145555714Skris 145655714Skris return(ret); 145755714Skriserr: 145855714Skris SSLerr(SSL_F_SSL_CTX_NEW,ERR_R_MALLOC_FAILURE); 145955714Skriserr2: 146055714Skris if (ret != NULL) SSL_CTX_free(ret); 146155714Skris return(NULL); 146255714Skris } 146355714Skris 1464109998Smarkm#if 0 146555714Skrisstatic void SSL_COMP_free(SSL_COMP *comp) 146668651Skris { OPENSSL_free(comp); } 1467109998Smarkm#endif 146855714Skris 146955714Skrisvoid SSL_CTX_free(SSL_CTX *a) 147055714Skris { 147155714Skris int i; 147255714Skris 147355714Skris if (a == NULL) return; 147455714Skris 147555714Skris i=CRYPTO_add(&a->references,-1,CRYPTO_LOCK_SSL_CTX); 147655714Skris#ifdef REF_PRINT 147755714Skris REF_PRINT("SSL_CTX",a); 147855714Skris#endif 147955714Skris if (i > 0) return; 148055714Skris#ifdef REF_CHECK 148155714Skris if (i < 0) 148255714Skris { 148355714Skris fprintf(stderr,"SSL_CTX_free, bad reference count\n"); 148455714Skris abort(); /* ok */ 148555714Skris } 148655714Skris#endif 148755714Skris 1488160814Ssimon if (a->param) 1489160814Ssimon X509_VERIFY_PARAM_free(a->param); 1490160814Ssimon 1491109998Smarkm /* 1492109998Smarkm * Free internal session cache. However: the remove_cb() may reference 1493109998Smarkm * the ex_data of SSL_CTX, thus the ex_data store can only be removed 1494109998Smarkm * after the sessions were flushed. 1495109998Smarkm * As the ex_data handling routines might also touch the session cache, 1496109998Smarkm * the most secure solution seems to be: empty (flush) the cache, then 1497109998Smarkm * free ex_data, then finally free the cache. 1498109998Smarkm * (See ticket [openssl.org #212].) 1499109998Smarkm */ 150055714Skris if (a->sessions != NULL) 150155714Skris SSL_CTX_flush_sessions(a,0); 1502109998Smarkm 1503109998Smarkm CRYPTO_free_ex_data(CRYPTO_EX_INDEX_SSL_CTX, a, &a->ex_data); 1504109998Smarkm 1505109998Smarkm if (a->sessions != NULL) 150655714Skris lh_free(a->sessions); 1507109998Smarkm 150855714Skris if (a->cert_store != NULL) 150955714Skris X509_STORE_free(a->cert_store); 151055714Skris if (a->cipher_list != NULL) 151155714Skris sk_SSL_CIPHER_free(a->cipher_list); 151255714Skris if (a->cipher_list_by_id != NULL) 151355714Skris sk_SSL_CIPHER_free(a->cipher_list_by_id); 151455714Skris if (a->cert != NULL) 151555714Skris ssl_cert_free(a->cert); 151655714Skris if (a->client_CA != NULL) 151755714Skris sk_X509_NAME_pop_free(a->client_CA,X509_NAME_free); 151855714Skris if (a->extra_certs != NULL) 151955714Skris sk_X509_pop_free(a->extra_certs,X509_free); 1520109998Smarkm#if 0 /* This should never be done, since it removes a global database */ 152155714Skris if (a->comp_methods != NULL) 152255714Skris sk_SSL_COMP_pop_free(a->comp_methods,SSL_COMP_free); 1523109998Smarkm#else 1524109998Smarkm a->comp_methods = NULL; 1525109998Smarkm#endif 152668651Skris OPENSSL_free(a); 152755714Skris } 152855714Skris 152955714Skrisvoid SSL_CTX_set_default_passwd_cb(SSL_CTX *ctx, pem_password_cb *cb) 153055714Skris { 153155714Skris ctx->default_passwd_callback=cb; 153255714Skris } 153355714Skris 153455714Skrisvoid SSL_CTX_set_default_passwd_cb_userdata(SSL_CTX *ctx,void *u) 153555714Skris { 153655714Skris ctx->default_passwd_callback_userdata=u; 153755714Skris } 153855714Skris 1539109998Smarkmvoid SSL_CTX_set_cert_verify_callback(SSL_CTX *ctx, int (*cb)(X509_STORE_CTX *,void *), void *arg) 154055714Skris { 154155714Skris ctx->app_verify_callback=cb; 1542109998Smarkm ctx->app_verify_arg=arg; 154355714Skris } 154455714Skris 154555714Skrisvoid SSL_CTX_set_verify(SSL_CTX *ctx,int mode,int (*cb)(int, X509_STORE_CTX *)) 154655714Skris { 154755714Skris ctx->verify_mode=mode; 154855714Skris ctx->default_verify_callback=cb; 154955714Skris } 155055714Skris 155155714Skrisvoid SSL_CTX_set_verify_depth(SSL_CTX *ctx,int depth) 155255714Skris { 1553160814Ssimon X509_VERIFY_PARAM_set_depth(ctx->param, depth); 155455714Skris } 155555714Skris 155655714Skrisvoid ssl_set_cert_masks(CERT *c, SSL_CIPHER *cipher) 155755714Skris { 155855714Skris CERT_PKEY *cpk; 155955714Skris int rsa_enc,rsa_tmp,rsa_sign,dh_tmp,dh_rsa,dh_dsa,dsa_sign; 156055714Skris int rsa_enc_export,dh_rsa_export,dh_dsa_export; 156155714Skris int rsa_tmp_export,dh_tmp_export,kl; 156255714Skris unsigned long mask,emask; 1563160814Ssimon int have_ecc_cert, ecdh_ok, ecdsa_ok, ecc_pkey_size; 1564160814Ssimon#ifndef OPENSSL_NO_ECDH 1565160814Ssimon int have_ecdh_tmp; 1566160814Ssimon#endif 1567160814Ssimon X509 *x = NULL; 1568160814Ssimon EVP_PKEY *ecc_pkey = NULL; 1569160814Ssimon int signature_nid = 0; 157055714Skris 157155714Skris if (c == NULL) return; 157255714Skris 157355714Skris kl=SSL_C_EXPORT_PKEYLENGTH(cipher); 157455714Skris 1575109998Smarkm#ifndef OPENSSL_NO_RSA 157655714Skris rsa_tmp=(c->rsa_tmp != NULL || c->rsa_tmp_cb != NULL); 157755714Skris rsa_tmp_export=(c->rsa_tmp_cb != NULL || 157855714Skris (rsa_tmp && RSA_size(c->rsa_tmp)*8 <= kl)); 157955714Skris#else 158055714Skris rsa_tmp=rsa_tmp_export=0; 158155714Skris#endif 1582109998Smarkm#ifndef OPENSSL_NO_DH 158355714Skris dh_tmp=(c->dh_tmp != NULL || c->dh_tmp_cb != NULL); 158455714Skris dh_tmp_export=(c->dh_tmp_cb != NULL || 158555714Skris (dh_tmp && DH_size(c->dh_tmp)*8 <= kl)); 158655714Skris#else 158755714Skris dh_tmp=dh_tmp_export=0; 158855714Skris#endif 158955714Skris 1590160814Ssimon#ifndef OPENSSL_NO_ECDH 1591160814Ssimon have_ecdh_tmp=(c->ecdh_tmp != NULL || c->ecdh_tmp_cb != NULL); 1592160814Ssimon#endif 159355714Skris cpk= &(c->pkeys[SSL_PKEY_RSA_ENC]); 159455714Skris rsa_enc= (cpk->x509 != NULL && cpk->privatekey != NULL); 159555714Skris rsa_enc_export=(rsa_enc && EVP_PKEY_size(cpk->privatekey)*8 <= kl); 159655714Skris cpk= &(c->pkeys[SSL_PKEY_RSA_SIGN]); 159755714Skris rsa_sign=(cpk->x509 != NULL && cpk->privatekey != NULL); 159855714Skris cpk= &(c->pkeys[SSL_PKEY_DSA_SIGN]); 159955714Skris dsa_sign=(cpk->x509 != NULL && cpk->privatekey != NULL); 160055714Skris cpk= &(c->pkeys[SSL_PKEY_DH_RSA]); 160155714Skris dh_rsa= (cpk->x509 != NULL && cpk->privatekey != NULL); 160255714Skris dh_rsa_export=(dh_rsa && EVP_PKEY_size(cpk->privatekey)*8 <= kl); 160355714Skris cpk= &(c->pkeys[SSL_PKEY_DH_DSA]); 160455714Skris/* FIX THIS EAY EAY EAY */ 160555714Skris dh_dsa= (cpk->x509 != NULL && cpk->privatekey != NULL); 160655714Skris dh_dsa_export=(dh_dsa && EVP_PKEY_size(cpk->privatekey)*8 <= kl); 1607160814Ssimon cpk= &(c->pkeys[SSL_PKEY_ECC]); 1608160814Ssimon have_ecc_cert= (cpk->x509 != NULL && cpk->privatekey != NULL); 160955714Skris mask=0; 161055714Skris emask=0; 161155714Skris 161255714Skris#ifdef CIPHER_DEBUG 161355714Skris printf("rt=%d rte=%d dht=%d re=%d ree=%d rs=%d ds=%d dhr=%d dhd=%d\n", 161455714Skris rsa_tmp,rsa_tmp_export,dh_tmp, 161555714Skris rsa_enc,rsa_enc_export,rsa_sign,dsa_sign,dh_rsa,dh_dsa); 161655714Skris#endif 161755714Skris 161855714Skris if (rsa_enc || (rsa_tmp && rsa_sign)) 161955714Skris mask|=SSL_kRSA; 162055714Skris if (rsa_enc_export || (rsa_tmp_export && (rsa_sign || rsa_enc))) 162155714Skris emask|=SSL_kRSA; 162255714Skris 162355714Skris#if 0 162455714Skris /* The match needs to be both kEDH and aRSA or aDSA, so don't worry */ 162555714Skris if ( (dh_tmp || dh_rsa || dh_dsa) && 162655714Skris (rsa_enc || rsa_sign || dsa_sign)) 162755714Skris mask|=SSL_kEDH; 162855714Skris if ((dh_tmp_export || dh_rsa_export || dh_dsa_export) && 162955714Skris (rsa_enc || rsa_sign || dsa_sign)) 163055714Skris emask|=SSL_kEDH; 163155714Skris#endif 163255714Skris 163355714Skris if (dh_tmp_export) 163455714Skris emask|=SSL_kEDH; 163555714Skris 163655714Skris if (dh_tmp) 163755714Skris mask|=SSL_kEDH; 163855714Skris 163955714Skris if (dh_rsa) mask|=SSL_kDHr; 164055714Skris if (dh_rsa_export) emask|=SSL_kDHr; 164155714Skris 164255714Skris if (dh_dsa) mask|=SSL_kDHd; 164355714Skris if (dh_dsa_export) emask|=SSL_kDHd; 164455714Skris 164555714Skris if (rsa_enc || rsa_sign) 164655714Skris { 164755714Skris mask|=SSL_aRSA; 164855714Skris emask|=SSL_aRSA; 164955714Skris } 165055714Skris 165155714Skris if (dsa_sign) 165255714Skris { 165355714Skris mask|=SSL_aDSS; 165455714Skris emask|=SSL_aDSS; 165555714Skris } 165655714Skris 165755714Skris mask|=SSL_aNULL; 165855714Skris emask|=SSL_aNULL; 165955714Skris 1660109998Smarkm#ifndef OPENSSL_NO_KRB5 1661109998Smarkm mask|=SSL_kKRB5|SSL_aKRB5; 1662109998Smarkm emask|=SSL_kKRB5|SSL_aKRB5; 1663109998Smarkm#endif 1664109998Smarkm 1665160814Ssimon /* An ECC certificate may be usable for ECDH and/or 1666160814Ssimon * ECDSA cipher suites depending on the key usage extension. 1667160814Ssimon */ 1668160814Ssimon if (have_ecc_cert) 1669160814Ssimon { 1670160814Ssimon /* This call populates extension flags (ex_flags) */ 1671160814Ssimon x = (c->pkeys[SSL_PKEY_ECC]).x509; 1672160814Ssimon X509_check_purpose(x, -1, 0); 1673160814Ssimon ecdh_ok = (x->ex_flags & EXFLAG_KUSAGE) ? 1674160814Ssimon (x->ex_kusage & X509v3_KU_KEY_AGREEMENT) : 1; 1675160814Ssimon ecdsa_ok = (x->ex_flags & EXFLAG_KUSAGE) ? 1676160814Ssimon (x->ex_kusage & X509v3_KU_DIGITAL_SIGNATURE) : 1; 1677160814Ssimon ecc_pkey = X509_get_pubkey(x); 1678160814Ssimon ecc_pkey_size = (ecc_pkey != NULL) ? 1679160814Ssimon EVP_PKEY_bits(ecc_pkey) : 0; 1680160814Ssimon EVP_PKEY_free(ecc_pkey); 1681160814Ssimon if ((x->sig_alg) && (x->sig_alg->algorithm)) 1682160814Ssimon signature_nid = OBJ_obj2nid(x->sig_alg->algorithm); 1683160814Ssimon#ifndef OPENSSL_NO_ECDH 1684160814Ssimon if (ecdh_ok) 1685160814Ssimon { 1686160814Ssimon if ((signature_nid == NID_md5WithRSAEncryption) || 1687160814Ssimon (signature_nid == NID_md4WithRSAEncryption) || 1688160814Ssimon (signature_nid == NID_md2WithRSAEncryption)) 1689160814Ssimon { 1690160814Ssimon mask|=SSL_kECDH|SSL_aRSA; 1691160814Ssimon if (ecc_pkey_size <= 163) 1692160814Ssimon emask|=SSL_kECDH|SSL_aRSA; 1693160814Ssimon } 1694160814Ssimon if (signature_nid == NID_ecdsa_with_SHA1) 1695160814Ssimon { 1696160814Ssimon mask|=SSL_kECDH|SSL_aECDSA; 1697160814Ssimon if (ecc_pkey_size <= 163) 1698160814Ssimon emask|=SSL_kECDH|SSL_aECDSA; 1699160814Ssimon } 1700160814Ssimon } 1701160814Ssimon#endif 1702160814Ssimon#ifndef OPENSSL_NO_ECDSA 1703160814Ssimon if (ecdsa_ok) 1704160814Ssimon { 1705160814Ssimon mask|=SSL_aECDSA; 1706160814Ssimon emask|=SSL_aECDSA; 1707160814Ssimon } 1708160814Ssimon#endif 1709160814Ssimon } 1710160814Ssimon 1711160814Ssimon#ifndef OPENSSL_NO_ECDH 1712160814Ssimon if (have_ecdh_tmp) 1713160814Ssimon { 1714160814Ssimon mask|=SSL_kECDHE; 1715160814Ssimon emask|=SSL_kECDHE; 1716160814Ssimon } 1717160814Ssimon#endif 171855714Skris c->mask=mask; 171955714Skris c->export_mask=emask; 172055714Skris c->valid=1; 172155714Skris } 172255714Skris 1723160814Ssimon/* This handy macro borrowed from crypto/x509v3/v3_purp.c */ 1724160814Ssimon#define ku_reject(x, usage) \ 1725160814Ssimon (((x)->ex_flags & EXFLAG_KUSAGE) && !((x)->ex_kusage & (usage))) 1726160814Ssimon 1727160814Ssimonint check_srvr_ecc_cert_and_alg(X509 *x, SSL_CIPHER *cs) 1728160814Ssimon { 1729160814Ssimon unsigned long alg = cs->algorithms; 1730160814Ssimon EVP_PKEY *pkey = NULL; 1731160814Ssimon int keysize = 0; 1732160814Ssimon int signature_nid = 0; 1733160814Ssimon 1734160814Ssimon if (SSL_C_IS_EXPORT(cs)) 1735160814Ssimon { 1736160814Ssimon /* ECDH key length in export ciphers must be <= 163 bits */ 1737160814Ssimon pkey = X509_get_pubkey(x); 1738160814Ssimon if (pkey == NULL) return 0; 1739160814Ssimon keysize = EVP_PKEY_bits(pkey); 1740160814Ssimon EVP_PKEY_free(pkey); 1741160814Ssimon if (keysize > 163) return 0; 1742160814Ssimon } 1743160814Ssimon 1744160814Ssimon /* This call populates the ex_flags field correctly */ 1745160814Ssimon X509_check_purpose(x, -1, 0); 1746160814Ssimon if ((x->sig_alg) && (x->sig_alg->algorithm)) 1747160814Ssimon signature_nid = OBJ_obj2nid(x->sig_alg->algorithm); 1748160814Ssimon if (alg & SSL_kECDH) 1749160814Ssimon { 1750160814Ssimon /* key usage, if present, must allow key agreement */ 1751160814Ssimon if (ku_reject(x, X509v3_KU_KEY_AGREEMENT)) 1752160814Ssimon { 1753160814Ssimon return 0; 1754160814Ssimon } 1755160814Ssimon if (alg & SSL_aECDSA) 1756160814Ssimon { 1757160814Ssimon /* signature alg must be ECDSA */ 1758160814Ssimon if (signature_nid != NID_ecdsa_with_SHA1) 1759160814Ssimon { 1760160814Ssimon return 0; 1761160814Ssimon } 1762160814Ssimon } 1763160814Ssimon if (alg & SSL_aRSA) 1764160814Ssimon { 1765160814Ssimon /* signature alg must be RSA */ 1766160814Ssimon if ((signature_nid != NID_md5WithRSAEncryption) && 1767160814Ssimon (signature_nid != NID_md4WithRSAEncryption) && 1768160814Ssimon (signature_nid != NID_md2WithRSAEncryption)) 1769160814Ssimon { 1770160814Ssimon return 0; 1771160814Ssimon } 1772160814Ssimon } 1773160814Ssimon } 1774160814Ssimon else if (alg & SSL_aECDSA) 1775160814Ssimon { 1776160814Ssimon /* key usage, if present, must allow signing */ 1777160814Ssimon if (ku_reject(x, X509v3_KU_DIGITAL_SIGNATURE)) 1778160814Ssimon { 1779160814Ssimon return 0; 1780160814Ssimon } 1781160814Ssimon } 1782160814Ssimon 1783160814Ssimon return 1; /* all checks are ok */ 1784160814Ssimon } 1785160814Ssimon 178655714Skris/* THIS NEEDS CLEANING UP */ 178755714SkrisX509 *ssl_get_server_send_cert(SSL *s) 178855714Skris { 178955714Skris unsigned long alg,mask,kalg; 179055714Skris CERT *c; 179155714Skris int i,is_export; 179255714Skris 179355714Skris c=s->cert; 179455714Skris ssl_set_cert_masks(c, s->s3->tmp.new_cipher); 179555714Skris alg=s->s3->tmp.new_cipher->algorithms; 179659191Skris is_export=SSL_C_IS_EXPORT(s->s3->tmp.new_cipher); 179755714Skris mask=is_export?c->export_mask:c->mask; 179855714Skris kalg=alg&(SSL_MKEY_MASK|SSL_AUTH_MASK); 179955714Skris 1800160814Ssimon if (kalg & SSL_kECDH) 1801160814Ssimon { 1802160814Ssimon /* we don't need to look at SSL_kECDHE 1803160814Ssimon * since no certificate is needed for 1804160814Ssimon * anon ECDH and for authenticated 1805160814Ssimon * ECDHE, the check for the auth 1806160814Ssimon * algorithm will set i correctly 1807160814Ssimon * NOTE: For ECDH-RSA, we need an ECC 1808160814Ssimon * not an RSA cert but for ECDHE-RSA 1809160814Ssimon * we need an RSA cert. Placing the 1810160814Ssimon * checks for SSL_kECDH before RSA 1811160814Ssimon * checks ensures the correct cert is chosen. 1812160814Ssimon */ 1813160814Ssimon i=SSL_PKEY_ECC; 1814160814Ssimon } 1815160814Ssimon else if (kalg & SSL_aECDSA) 1816160814Ssimon { 1817160814Ssimon i=SSL_PKEY_ECC; 1818160814Ssimon } 1819160814Ssimon else if (kalg & SSL_kDHr) 182055714Skris i=SSL_PKEY_DH_RSA; 182155714Skris else if (kalg & SSL_kDHd) 182255714Skris i=SSL_PKEY_DH_DSA; 182355714Skris else if (kalg & SSL_aDSS) 182455714Skris i=SSL_PKEY_DSA_SIGN; 182555714Skris else if (kalg & SSL_aRSA) 182655714Skris { 182755714Skris if (c->pkeys[SSL_PKEY_RSA_ENC].x509 == NULL) 182855714Skris i=SSL_PKEY_RSA_SIGN; 182955714Skris else 183055714Skris i=SSL_PKEY_RSA_ENC; 183155714Skris } 1832109998Smarkm else if (kalg & SSL_aKRB5) 1833109998Smarkm { 1834109998Smarkm /* VRS something else here? */ 1835109998Smarkm return(NULL); 1836109998Smarkm } 183755714Skris else /* if (kalg & SSL_aNULL) */ 183855714Skris { 1839109998Smarkm SSLerr(SSL_F_SSL_GET_SERVER_SEND_CERT,ERR_R_INTERNAL_ERROR); 184055714Skris return(NULL); 184155714Skris } 184255714Skris if (c->pkeys[i].x509 == NULL) return(NULL); 1843160814Ssimon 184455714Skris return(c->pkeys[i].x509); 184555714Skris } 184655714Skris 184755714SkrisEVP_PKEY *ssl_get_sign_pkey(SSL *s,SSL_CIPHER *cipher) 184855714Skris { 184955714Skris unsigned long alg; 185055714Skris CERT *c; 185155714Skris 185255714Skris alg=cipher->algorithms; 185355714Skris c=s->cert; 185455714Skris 185555714Skris if ((alg & SSL_aDSS) && 185655714Skris (c->pkeys[SSL_PKEY_DSA_SIGN].privatekey != NULL)) 185755714Skris return(c->pkeys[SSL_PKEY_DSA_SIGN].privatekey); 185855714Skris else if (alg & SSL_aRSA) 185955714Skris { 186055714Skris if (c->pkeys[SSL_PKEY_RSA_SIGN].privatekey != NULL) 186155714Skris return(c->pkeys[SSL_PKEY_RSA_SIGN].privatekey); 186255714Skris else if (c->pkeys[SSL_PKEY_RSA_ENC].privatekey != NULL) 186355714Skris return(c->pkeys[SSL_PKEY_RSA_ENC].privatekey); 186455714Skris else 186555714Skris return(NULL); 186655714Skris } 1867160814Ssimon else if ((alg & SSL_aECDSA) && 1868160814Ssimon (c->pkeys[SSL_PKEY_ECC].privatekey != NULL)) 1869160814Ssimon return(c->pkeys[SSL_PKEY_ECC].privatekey); 187055714Skris else /* if (alg & SSL_aNULL) */ 187155714Skris { 1872109998Smarkm SSLerr(SSL_F_SSL_GET_SIGN_PKEY,ERR_R_INTERNAL_ERROR); 187355714Skris return(NULL); 187455714Skris } 187555714Skris } 187655714Skris 187755714Skrisvoid ssl_update_cache(SSL *s,int mode) 187855714Skris { 187955714Skris int i; 188055714Skris 188155714Skris /* If the session_id_length is 0, we are not supposed to cache it, 188255714Skris * and it would be rather hard to do anyway :-) */ 188355714Skris if (s->session->session_id_length == 0) return; 188455714Skris 1885100928Snectar i=s->ctx->session_cache_mode; 1886100928Snectar if ((i & mode) && (!s->hit) 1887109998Smarkm && ((i & SSL_SESS_CACHE_NO_INTERNAL_STORE) 1888100928Snectar || SSL_CTX_add_session(s->ctx,s->session)) 188955714Skris && (s->ctx->new_session_cb != NULL)) 189055714Skris { 189155714Skris CRYPTO_add(&s->session->references,1,CRYPTO_LOCK_SSL_SESSION); 189255714Skris if (!s->ctx->new_session_cb(s,s->session)) 189355714Skris SSL_SESSION_free(s->session); 189455714Skris } 189555714Skris 189655714Skris /* auto flush every 255 connections */ 189755714Skris if ((!(i & SSL_SESS_CACHE_NO_AUTO_CLEAR)) && 189855714Skris ((i & mode) == mode)) 189955714Skris { 190055714Skris if ( (((mode & SSL_SESS_CACHE_CLIENT) 190155714Skris ?s->ctx->stats.sess_connect_good 190255714Skris :s->ctx->stats.sess_accept_good) & 0xff) == 0xff) 190355714Skris { 1904160814Ssimon SSL_CTX_flush_sessions(s->ctx,(unsigned long)time(NULL)); 190555714Skris } 190655714Skris } 190755714Skris } 190855714Skris 190955714SkrisSSL_METHOD *SSL_get_ssl_method(SSL *s) 191055714Skris { 191155714Skris return(s->method); 191255714Skris } 191355714Skris 191455714Skrisint SSL_set_ssl_method(SSL *s,SSL_METHOD *meth) 191555714Skris { 191655714Skris int conn= -1; 191755714Skris int ret=1; 191855714Skris 191955714Skris if (s->method != meth) 192055714Skris { 192155714Skris if (s->handshake_func != NULL) 192255714Skris conn=(s->handshake_func == s->method->ssl_connect); 192355714Skris 192455714Skris if (s->method->version == meth->version) 192555714Skris s->method=meth; 192655714Skris else 192755714Skris { 192855714Skris s->method->ssl_free(s); 192955714Skris s->method=meth; 193055714Skris ret=s->method->ssl_new(s); 193155714Skris } 193255714Skris 193355714Skris if (conn == 1) 193455714Skris s->handshake_func=meth->ssl_connect; 193555714Skris else if (conn == 0) 193655714Skris s->handshake_func=meth->ssl_accept; 193755714Skris } 193855714Skris return(ret); 193955714Skris } 194055714Skris 1941160814Ssimonint SSL_get_error(const SSL *s,int i) 194255714Skris { 194355714Skris int reason; 194455714Skris unsigned long l; 194555714Skris BIO *bio; 194655714Skris 194755714Skris if (i > 0) return(SSL_ERROR_NONE); 194855714Skris 194955714Skris /* Make things return SSL_ERROR_SYSCALL when doing SSL_do_handshake 195055714Skris * etc, where we do encode the error */ 195155714Skris if ((l=ERR_peek_error()) != 0) 195255714Skris { 195355714Skris if (ERR_GET_LIB(l) == ERR_LIB_SYS) 195455714Skris return(SSL_ERROR_SYSCALL); 195555714Skris else 195655714Skris return(SSL_ERROR_SSL); 195755714Skris } 195855714Skris 195955714Skris if ((i < 0) && SSL_want_read(s)) 196055714Skris { 196155714Skris bio=SSL_get_rbio(s); 196255714Skris if (BIO_should_read(bio)) 196355714Skris return(SSL_ERROR_WANT_READ); 196455714Skris else if (BIO_should_write(bio)) 196555714Skris /* This one doesn't make too much sense ... We never try 196655714Skris * to write to the rbio, and an application program where 196755714Skris * rbio and wbio are separate couldn't even know what it 196855714Skris * should wait for. 196955714Skris * However if we ever set s->rwstate incorrectly 197055714Skris * (so that we have SSL_want_read(s) instead of 197155714Skris * SSL_want_write(s)) and rbio and wbio *are* the same, 197255714Skris * this test works around that bug; so it might be safer 197355714Skris * to keep it. */ 197455714Skris return(SSL_ERROR_WANT_WRITE); 197555714Skris else if (BIO_should_io_special(bio)) 197655714Skris { 197755714Skris reason=BIO_get_retry_reason(bio); 197855714Skris if (reason == BIO_RR_CONNECT) 197955714Skris return(SSL_ERROR_WANT_CONNECT); 1980109998Smarkm else if (reason == BIO_RR_ACCEPT) 1981109998Smarkm return(SSL_ERROR_WANT_ACCEPT); 198255714Skris else 198355714Skris return(SSL_ERROR_SYSCALL); /* unknown */ 198455714Skris } 198555714Skris } 198655714Skris 198755714Skris if ((i < 0) && SSL_want_write(s)) 198855714Skris { 198955714Skris bio=SSL_get_wbio(s); 199055714Skris if (BIO_should_write(bio)) 199155714Skris return(SSL_ERROR_WANT_WRITE); 199255714Skris else if (BIO_should_read(bio)) 199355714Skris /* See above (SSL_want_read(s) with BIO_should_write(bio)) */ 199455714Skris return(SSL_ERROR_WANT_READ); 199555714Skris else if (BIO_should_io_special(bio)) 199655714Skris { 199755714Skris reason=BIO_get_retry_reason(bio); 199855714Skris if (reason == BIO_RR_CONNECT) 199955714Skris return(SSL_ERROR_WANT_CONNECT); 2000109998Smarkm else if (reason == BIO_RR_ACCEPT) 2001109998Smarkm return(SSL_ERROR_WANT_ACCEPT); 200255714Skris else 200355714Skris return(SSL_ERROR_SYSCALL); 200455714Skris } 200555714Skris } 200655714Skris if ((i < 0) && SSL_want_x509_lookup(s)) 200755714Skris { 200855714Skris return(SSL_ERROR_WANT_X509_LOOKUP); 200955714Skris } 201055714Skris 201155714Skris if (i == 0) 201255714Skris { 201355714Skris if (s->version == SSL2_VERSION) 201455714Skris { 201555714Skris /* assume it is the socket being closed */ 201655714Skris return(SSL_ERROR_ZERO_RETURN); 201755714Skris } 201855714Skris else 201955714Skris { 202055714Skris if ((s->shutdown & SSL_RECEIVED_SHUTDOWN) && 202155714Skris (s->s3->warn_alert == SSL_AD_CLOSE_NOTIFY)) 202255714Skris return(SSL_ERROR_ZERO_RETURN); 202355714Skris } 202455714Skris } 202555714Skris return(SSL_ERROR_SYSCALL); 202655714Skris } 202755714Skris 202855714Skrisint SSL_do_handshake(SSL *s) 202955714Skris { 203055714Skris int ret=1; 203155714Skris 203255714Skris if (s->handshake_func == NULL) 203355714Skris { 203455714Skris SSLerr(SSL_F_SSL_DO_HANDSHAKE,SSL_R_CONNECTION_TYPE_NOT_SET); 203555714Skris return(-1); 203655714Skris } 203755714Skris 203855714Skris s->method->ssl_renegotiate_check(s); 203955714Skris 204055714Skris if (SSL_in_init(s) || SSL_in_before(s)) 204155714Skris { 204255714Skris ret=s->handshake_func(s); 204355714Skris } 204455714Skris return(ret); 204555714Skris } 204655714Skris 204755714Skris/* For the next 2 functions, SSL_clear() sets shutdown and so 204855714Skris * one of these calls will reset it */ 204955714Skrisvoid SSL_set_accept_state(SSL *s) 205055714Skris { 205155714Skris s->server=1; 205255714Skris s->shutdown=0; 205355714Skris s->state=SSL_ST_ACCEPT|SSL_ST_BEFORE; 205455714Skris s->handshake_func=s->method->ssl_accept; 205555714Skris /* clear the current cipher */ 205655714Skris ssl_clear_cipher_ctx(s); 205755714Skris } 205855714Skris 205955714Skrisvoid SSL_set_connect_state(SSL *s) 206055714Skris { 206155714Skris s->server=0; 206255714Skris s->shutdown=0; 206355714Skris s->state=SSL_ST_CONNECT|SSL_ST_BEFORE; 206455714Skris s->handshake_func=s->method->ssl_connect; 206555714Skris /* clear the current cipher */ 206655714Skris ssl_clear_cipher_ctx(s); 206755714Skris } 206855714Skris 206955714Skrisint ssl_undefined_function(SSL *s) 207055714Skris { 207155714Skris SSLerr(SSL_F_SSL_UNDEFINED_FUNCTION,ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 207255714Skris return(0); 207355714Skris } 207455714Skris 2075160814Ssimonint ssl_undefined_void_function(void) 2076160814Ssimon { 2077160814Ssimon SSLerr(SSL_F_SSL_UNDEFINED_VOID_FUNCTION,ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 2078160814Ssimon return(0); 2079160814Ssimon } 2080160814Ssimon 2081160814Ssimonint ssl_undefined_const_function(const SSL *s) 2082160814Ssimon { 2083160814Ssimon SSLerr(SSL_F_SSL_UNDEFINED_CONST_FUNCTION,ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 2084160814Ssimon return(0); 2085160814Ssimon } 2086160814Ssimon 208755714SkrisSSL_METHOD *ssl_bad_method(int ver) 208855714Skris { 208955714Skris SSLerr(SSL_F_SSL_BAD_METHOD,ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 209055714Skris return(NULL); 209155714Skris } 209255714Skris 2093160814Ssimonconst char *SSL_get_version(const SSL *s) 209455714Skris { 209555714Skris if (s->version == TLS1_VERSION) 209655714Skris return("TLSv1"); 209755714Skris else if (s->version == SSL3_VERSION) 209855714Skris return("SSLv3"); 209955714Skris else if (s->version == SSL2_VERSION) 210055714Skris return("SSLv2"); 210155714Skris else 210255714Skris return("unknown"); 210355714Skris } 210455714Skris 210555714SkrisSSL *SSL_dup(SSL *s) 210655714Skris { 210755714Skris STACK_OF(X509_NAME) *sk; 210855714Skris X509_NAME *xn; 210955714Skris SSL *ret; 211055714Skris int i; 211155714Skris 211255714Skris if ((ret=SSL_new(SSL_get_SSL_CTX(s))) == NULL) 211355714Skris return(NULL); 2114109998Smarkm 2115109998Smarkm ret->version = s->version; 2116109998Smarkm ret->type = s->type; 2117109998Smarkm ret->method = s->method; 2118109998Smarkm 211955714Skris if (s->session != NULL) 212055714Skris { 212155714Skris /* This copies session-id, SSL_METHOD, sid_ctx, and 'cert' */ 212255714Skris SSL_copy_session_id(ret,s); 212355714Skris } 212455714Skris else 212555714Skris { 212655714Skris /* No session has been established yet, so we have to expect 212755714Skris * that s->cert or ret->cert will be changed later -- 212855714Skris * they should not both point to the same object, 212955714Skris * and thus we can't use SSL_copy_session_id. */ 213055714Skris 2131111147Snectar ret->method->ssl_free(ret); 213255714Skris ret->method = s->method; 213355714Skris ret->method->ssl_new(ret); 213455714Skris 213555714Skris if (s->cert != NULL) 213655714Skris { 213776866Skris if (ret->cert != NULL) 213876866Skris { 213976866Skris ssl_cert_free(ret->cert); 214076866Skris } 214155714Skris ret->cert = ssl_cert_dup(s->cert); 214255714Skris if (ret->cert == NULL) 214355714Skris goto err; 214455714Skris } 214555714Skris 214655714Skris SSL_set_session_id_context(ret, 214755714Skris s->sid_ctx, s->sid_ctx_length); 214855714Skris } 214955714Skris 2150109998Smarkm ret->options=s->options; 2151109998Smarkm ret->mode=s->mode; 2152109998Smarkm SSL_set_max_cert_list(ret,SSL_get_max_cert_list(s)); 215355714Skris SSL_set_read_ahead(ret,SSL_get_read_ahead(s)); 2154109998Smarkm ret->msg_callback = s->msg_callback; 2155109998Smarkm ret->msg_callback_arg = s->msg_callback_arg; 215655714Skris SSL_set_verify(ret,SSL_get_verify_mode(s), 215755714Skris SSL_get_verify_callback(s)); 215855714Skris SSL_set_verify_depth(ret,SSL_get_verify_depth(s)); 2159109998Smarkm ret->generate_session_id = s->generate_session_id; 216055714Skris 216155714Skris SSL_set_info_callback(ret,SSL_get_info_callback(s)); 216255714Skris 216355714Skris ret->debug=s->debug; 216455714Skris 216555714Skris /* copy app data, a little dangerous perhaps */ 2166109998Smarkm if (!CRYPTO_dup_ex_data(CRYPTO_EX_INDEX_SSL, &ret->ex_data, &s->ex_data)) 216755714Skris goto err; 216855714Skris 216955714Skris /* setup rbio, and wbio */ 217055714Skris if (s->rbio != NULL) 217155714Skris { 217255714Skris if (!BIO_dup_state(s->rbio,(char *)&ret->rbio)) 217355714Skris goto err; 217455714Skris } 217555714Skris if (s->wbio != NULL) 217655714Skris { 217755714Skris if (s->wbio != s->rbio) 217855714Skris { 217955714Skris if (!BIO_dup_state(s->wbio,(char *)&ret->wbio)) 218055714Skris goto err; 218155714Skris } 218255714Skris else 218355714Skris ret->wbio=ret->rbio; 218455714Skris } 2185109998Smarkm ret->rwstate = s->rwstate; 2186109998Smarkm ret->in_handshake = s->in_handshake; 2187109998Smarkm ret->handshake_func = s->handshake_func; 2188109998Smarkm ret->server = s->server; 2189109998Smarkm ret->new_session = s->new_session; 2190109998Smarkm ret->quiet_shutdown = s->quiet_shutdown; 2191109998Smarkm ret->shutdown=s->shutdown; 2192109998Smarkm ret->state=s->state; /* SSL_dup does not really work at any state, though */ 2193109998Smarkm ret->rstate=s->rstate; 2194109998Smarkm ret->init_num = 0; /* would have to copy ret->init_buf, ret->init_msg, ret->init_num, ret->init_off */ 2195109998Smarkm ret->hit=s->hit; 219655714Skris 2197160814Ssimon X509_VERIFY_PARAM_inherit(ret->param, s->param); 2198160814Ssimon 219955714Skris /* dup the cipher_list and cipher_list_by_id stacks */ 220055714Skris if (s->cipher_list != NULL) 220155714Skris { 220255714Skris if ((ret->cipher_list=sk_SSL_CIPHER_dup(s->cipher_list)) == NULL) 220355714Skris goto err; 220455714Skris } 220555714Skris if (s->cipher_list_by_id != NULL) 220655714Skris if ((ret->cipher_list_by_id=sk_SSL_CIPHER_dup(s->cipher_list_by_id)) 220755714Skris == NULL) 220855714Skris goto err; 220955714Skris 221055714Skris /* Dup the client_CA list */ 221155714Skris if (s->client_CA != NULL) 221255714Skris { 221355714Skris if ((sk=sk_X509_NAME_dup(s->client_CA)) == NULL) goto err; 221455714Skris ret->client_CA=sk; 221555714Skris for (i=0; i<sk_X509_NAME_num(sk); i++) 221655714Skris { 221755714Skris xn=sk_X509_NAME_value(sk,i); 221855714Skris if (sk_X509_NAME_set(sk,i,X509_NAME_dup(xn)) == NULL) 221955714Skris { 222055714Skris X509_NAME_free(xn); 222155714Skris goto err; 222255714Skris } 222355714Skris } 222455714Skris } 222555714Skris 222655714Skris if (0) 222755714Skris { 222855714Skriserr: 222955714Skris if (ret != NULL) SSL_free(ret); 223055714Skris ret=NULL; 223155714Skris } 223255714Skris return(ret); 223355714Skris } 223455714Skris 223555714Skrisvoid ssl_clear_cipher_ctx(SSL *s) 223655714Skris { 223755714Skris if (s->enc_read_ctx != NULL) 223855714Skris { 223955714Skris EVP_CIPHER_CTX_cleanup(s->enc_read_ctx); 224068651Skris OPENSSL_free(s->enc_read_ctx); 224155714Skris s->enc_read_ctx=NULL; 224255714Skris } 224355714Skris if (s->enc_write_ctx != NULL) 224455714Skris { 224555714Skris EVP_CIPHER_CTX_cleanup(s->enc_write_ctx); 224668651Skris OPENSSL_free(s->enc_write_ctx); 224755714Skris s->enc_write_ctx=NULL; 224855714Skris } 2249160814Ssimon#ifndef OPENSSL_NO_COMP 225055714Skris if (s->expand != NULL) 225155714Skris { 225255714Skris COMP_CTX_free(s->expand); 225355714Skris s->expand=NULL; 225455714Skris } 225555714Skris if (s->compress != NULL) 225655714Skris { 225755714Skris COMP_CTX_free(s->compress); 225855714Skris s->compress=NULL; 225955714Skris } 2260160814Ssimon#endif 226155714Skris } 226255714Skris 226355714Skris/* Fix this function so that it takes an optional type parameter */ 2264160814SsimonX509 *SSL_get_certificate(const SSL *s) 226555714Skris { 226655714Skris if (s->cert != NULL) 226755714Skris return(s->cert->key->x509); 226855714Skris else 226955714Skris return(NULL); 227055714Skris } 227155714Skris 227255714Skris/* Fix this function so that it takes an optional type parameter */ 227355714SkrisEVP_PKEY *SSL_get_privatekey(SSL *s) 227455714Skris { 227555714Skris if (s->cert != NULL) 227655714Skris return(s->cert->key->privatekey); 227755714Skris else 227855714Skris return(NULL); 227955714Skris } 228055714Skris 2281160814SsimonSSL_CIPHER *SSL_get_current_cipher(const SSL *s) 228255714Skris { 228355714Skris if ((s->session != NULL) && (s->session->cipher != NULL)) 228455714Skris return(s->session->cipher); 228555714Skris return(NULL); 228655714Skris } 2287160814Ssimon#ifdef OPENSSL_NO_COMP 2288160814Ssimonconst void *SSL_get_current_compression(SSL *s) 2289160814Ssimon { 2290160814Ssimon return NULL; 2291160814Ssimon } 2292160814Ssimonconst void *SSL_get_current_expansion(SSL *s) 2293160814Ssimon { 2294160814Ssimon return NULL; 2295160814Ssimon } 2296160814Ssimon#else 229755714Skris 2298160814Ssimonconst COMP_METHOD *SSL_get_current_compression(SSL *s) 2299160814Ssimon { 2300160814Ssimon if (s->compress != NULL) 2301160814Ssimon return(s->compress->meth); 2302160814Ssimon return(NULL); 2303160814Ssimon } 2304160814Ssimon 2305160814Ssimonconst COMP_METHOD *SSL_get_current_expansion(SSL *s) 2306160814Ssimon { 2307160814Ssimon if (s->expand != NULL) 2308160814Ssimon return(s->expand->meth); 2309160814Ssimon return(NULL); 2310160814Ssimon } 2311160814Ssimon#endif 2312160814Ssimon 231355714Skrisint ssl_init_wbio_buffer(SSL *s,int push) 231455714Skris { 231555714Skris BIO *bbio; 231655714Skris 231755714Skris if (s->bbio == NULL) 231855714Skris { 231955714Skris bbio=BIO_new(BIO_f_buffer()); 232055714Skris if (bbio == NULL) return(0); 232155714Skris s->bbio=bbio; 232255714Skris } 232355714Skris else 232455714Skris { 232555714Skris bbio=s->bbio; 232655714Skris if (s->bbio == s->wbio) 232755714Skris s->wbio=BIO_pop(s->wbio); 232855714Skris } 232955714Skris (void)BIO_reset(bbio); 233055714Skris/* if (!BIO_set_write_buffer_size(bbio,16*1024)) */ 233155714Skris if (!BIO_set_read_buffer_size(bbio,1)) 233255714Skris { 233355714Skris SSLerr(SSL_F_SSL_INIT_WBIO_BUFFER,ERR_R_BUF_LIB); 233455714Skris return(0); 233555714Skris } 233655714Skris if (push) 233755714Skris { 233855714Skris if (s->wbio != bbio) 233955714Skris s->wbio=BIO_push(bbio,s->wbio); 234055714Skris } 234155714Skris else 234255714Skris { 234355714Skris if (s->wbio == bbio) 234455714Skris s->wbio=BIO_pop(bbio); 234555714Skris } 234655714Skris return(1); 234755714Skris } 234855714Skris 234955714Skrisvoid ssl_free_wbio_buffer(SSL *s) 235055714Skris { 235155714Skris if (s->bbio == NULL) return; 235255714Skris 235355714Skris if (s->bbio == s->wbio) 235455714Skris { 235555714Skris /* remove buffering */ 235668651Skris s->wbio=BIO_pop(s->wbio); 235768651Skris#ifdef REF_CHECK /* not the usual REF_CHECK, but this avoids adding one more preprocessor symbol */ 235868651Skris assert(s->wbio != NULL); 235968651Skris#endif 236068651Skris } 236155714Skris BIO_free(s->bbio); 236255714Skris s->bbio=NULL; 236355714Skris } 236455714Skris 236555714Skrisvoid SSL_CTX_set_quiet_shutdown(SSL_CTX *ctx,int mode) 236655714Skris { 236755714Skris ctx->quiet_shutdown=mode; 236855714Skris } 236955714Skris 2370160814Ssimonint SSL_CTX_get_quiet_shutdown(const SSL_CTX *ctx) 237155714Skris { 237255714Skris return(ctx->quiet_shutdown); 237355714Skris } 237455714Skris 237555714Skrisvoid SSL_set_quiet_shutdown(SSL *s,int mode) 237655714Skris { 237755714Skris s->quiet_shutdown=mode; 237855714Skris } 237955714Skris 2380160814Ssimonint SSL_get_quiet_shutdown(const SSL *s) 238155714Skris { 238255714Skris return(s->quiet_shutdown); 238355714Skris } 238455714Skris 238555714Skrisvoid SSL_set_shutdown(SSL *s,int mode) 238655714Skris { 238755714Skris s->shutdown=mode; 238855714Skris } 238955714Skris 2390160814Ssimonint SSL_get_shutdown(const SSL *s) 239155714Skris { 239255714Skris return(s->shutdown); 239355714Skris } 239455714Skris 2395160814Ssimonint SSL_version(const SSL *s) 239655714Skris { 239755714Skris return(s->version); 239855714Skris } 239955714Skris 2400160814SsimonSSL_CTX *SSL_get_SSL_CTX(const SSL *ssl) 240155714Skris { 240255714Skris return(ssl->ctx); 240355714Skris } 240455714Skris 2405109998Smarkm#ifndef OPENSSL_NO_STDIO 240655714Skrisint SSL_CTX_set_default_verify_paths(SSL_CTX *ctx) 240755714Skris { 240855714Skris return(X509_STORE_set_default_paths(ctx->cert_store)); 240955714Skris } 241055714Skris 241155714Skrisint SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile, 241255714Skris const char *CApath) 241355714Skris { 2414160814Ssimon return(X509_STORE_load_locations(ctx->cert_store,CAfile,CApath)); 241555714Skris } 241655714Skris#endif 241755714Skris 2418109998Smarkmvoid SSL_set_info_callback(SSL *ssl, 2419167612Ssimon void (*cb)(const SSL *ssl,int type,int val)) 242055714Skris { 242155714Skris ssl->info_callback=cb; 242255714Skris } 242355714Skris 2424160814Ssimon/* One compiler (Diab DCC) doesn't like argument names in returned 2425160814Ssimon function pointer. */ 2426167612Ssimonvoid (*SSL_get_info_callback(const SSL *ssl))(const SSL * /*ssl*/,int /*type*/,int /*val*/) 242755714Skris { 2428109998Smarkm return ssl->info_callback; 242955714Skris } 243055714Skris 2431160814Ssimonint SSL_state(const SSL *ssl) 243255714Skris { 243355714Skris return(ssl->state); 243455714Skris } 243555714Skris 243655714Skrisvoid SSL_set_verify_result(SSL *ssl,long arg) 243755714Skris { 243855714Skris ssl->verify_result=arg; 243955714Skris } 244055714Skris 2441160814Ssimonlong SSL_get_verify_result(const SSL *ssl) 244255714Skris { 244355714Skris return(ssl->verify_result); 244455714Skris } 244555714Skris 244659191Skrisint SSL_get_ex_new_index(long argl,void *argp,CRYPTO_EX_new *new_func, 244759191Skris CRYPTO_EX_dup *dup_func,CRYPTO_EX_free *free_func) 244855714Skris { 2449109998Smarkm return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_SSL, argl, argp, 2450109998Smarkm new_func, dup_func, free_func); 245155714Skris } 245255714Skris 245355714Skrisint SSL_set_ex_data(SSL *s,int idx,void *arg) 245455714Skris { 245555714Skris return(CRYPTO_set_ex_data(&s->ex_data,idx,arg)); 245655714Skris } 245755714Skris 2458160814Ssimonvoid *SSL_get_ex_data(const SSL *s,int idx) 245955714Skris { 246055714Skris return(CRYPTO_get_ex_data(&s->ex_data,idx)); 246155714Skris } 246255714Skris 246359191Skrisint SSL_CTX_get_ex_new_index(long argl,void *argp,CRYPTO_EX_new *new_func, 246459191Skris CRYPTO_EX_dup *dup_func,CRYPTO_EX_free *free_func) 246555714Skris { 2466109998Smarkm return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_SSL_CTX, argl, argp, 2467109998Smarkm new_func, dup_func, free_func); 246855714Skris } 246955714Skris 247055714Skrisint SSL_CTX_set_ex_data(SSL_CTX *s,int idx,void *arg) 247155714Skris { 247255714Skris return(CRYPTO_set_ex_data(&s->ex_data,idx,arg)); 247355714Skris } 247455714Skris 2475160814Ssimonvoid *SSL_CTX_get_ex_data(const SSL_CTX *s,int idx) 247655714Skris { 247755714Skris return(CRYPTO_get_ex_data(&s->ex_data,idx)); 247855714Skris } 247955714Skris 248055714Skrisint ssl_ok(SSL *s) 248155714Skris { 248255714Skris return(1); 248355714Skris } 248455714Skris 2485160814SsimonX509_STORE *SSL_CTX_get_cert_store(const SSL_CTX *ctx) 248655714Skris { 248755714Skris return(ctx->cert_store); 248855714Skris } 248955714Skris 249055714Skrisvoid SSL_CTX_set_cert_store(SSL_CTX *ctx,X509_STORE *store) 249155714Skris { 249255714Skris if (ctx->cert_store != NULL) 249355714Skris X509_STORE_free(ctx->cert_store); 249455714Skris ctx->cert_store=store; 249555714Skris } 249655714Skris 2497160814Ssimonint SSL_want(const SSL *s) 249855714Skris { 249955714Skris return(s->rwstate); 250055714Skris } 250155714Skris 250255714Skris/*! 250355714Skris * \brief Set the callback for generating temporary RSA keys. 250455714Skris * \param ctx the SSL context. 250555714Skris * \param cb the callback 250655714Skris */ 250755714Skris 2508109998Smarkm#ifndef OPENSSL_NO_RSA 250955714Skrisvoid SSL_CTX_set_tmp_rsa_callback(SSL_CTX *ctx,RSA *(*cb)(SSL *ssl, 251055714Skris int is_export, 251155714Skris int keylength)) 251259191Skris { 2513160814Ssimon SSL_CTX_callback_ctrl(ctx,SSL_CTRL_SET_TMP_RSA_CB,(void (*)(void))cb); 251459191Skris } 251555714Skris 251659191Skrisvoid SSL_set_tmp_rsa_callback(SSL *ssl,RSA *(*cb)(SSL *ssl, 251759191Skris int is_export, 251859191Skris int keylength)) 251959191Skris { 2520160814Ssimon SSL_callback_ctrl(ssl,SSL_CTRL_SET_TMP_RSA_CB,(void (*)(void))cb); 252159191Skris } 252255714Skris#endif 252355714Skris 252455714Skris#ifdef DOXYGEN 252555714Skris/*! 252655714Skris * \brief The RSA temporary key callback function. 252755714Skris * \param ssl the SSL session. 252855714Skris * \param is_export \c TRUE if the temp RSA key is for an export ciphersuite. 252955714Skris * \param keylength if \c is_export is \c TRUE, then \c keylength is the size 253055714Skris * of the required key in bits. 253155714Skris * \return the temporary RSA key. 253255714Skris * \sa SSL_CTX_set_tmp_rsa_callback, SSL_set_tmp_rsa_callback 253355714Skris */ 253455714Skris 253555714SkrisRSA *cb(SSL *ssl,int is_export,int keylength) 253655714Skris {} 253755714Skris#endif 253855714Skris 253955714Skris/*! 254055714Skris * \brief Set the callback for generating temporary DH keys. 254155714Skris * \param ctx the SSL context. 254255714Skris * \param dh the callback 254355714Skris */ 254455714Skris 2545109998Smarkm#ifndef OPENSSL_NO_DH 254655714Skrisvoid SSL_CTX_set_tmp_dh_callback(SSL_CTX *ctx,DH *(*dh)(SSL *ssl,int is_export, 254755714Skris int keylength)) 2548109998Smarkm { 2549160814Ssimon SSL_CTX_callback_ctrl(ctx,SSL_CTRL_SET_TMP_DH_CB,(void (*)(void))dh); 2550109998Smarkm } 255155714Skris 255255714Skrisvoid SSL_set_tmp_dh_callback(SSL *ssl,DH *(*dh)(SSL *ssl,int is_export, 255359191Skris int keylength)) 2554109998Smarkm { 2555160814Ssimon SSL_callback_ctrl(ssl,SSL_CTRL_SET_TMP_DH_CB,(void (*)(void))dh); 2556109998Smarkm } 255755714Skris#endif 255855714Skris 2559160814Ssimon#ifndef OPENSSL_NO_ECDH 2560160814Ssimonvoid SSL_CTX_set_tmp_ecdh_callback(SSL_CTX *ctx,EC_KEY *(*ecdh)(SSL *ssl,int is_export, 2561160814Ssimon int keylength)) 2562160814Ssimon { 2563160814Ssimon SSL_CTX_callback_ctrl(ctx,SSL_CTRL_SET_TMP_ECDH_CB,(void (*)(void))ecdh); 2564160814Ssimon } 2565109998Smarkm 2566160814Ssimonvoid SSL_set_tmp_ecdh_callback(SSL *ssl,EC_KEY *(*ecdh)(SSL *ssl,int is_export, 2567160814Ssimon int keylength)) 2568160814Ssimon { 2569160814Ssimon SSL_callback_ctrl(ssl,SSL_CTRL_SET_TMP_ECDH_CB,(void (*)(void))ecdh); 2570160814Ssimon } 2571160814Ssimon#endif 2572160814Ssimon 2573160814Ssimon 2574109998Smarkmvoid SSL_CTX_set_msg_callback(SSL_CTX *ctx, void (*cb)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg)) 2575109998Smarkm { 2576160814Ssimon SSL_CTX_callback_ctrl(ctx, SSL_CTRL_SET_MSG_CALLBACK, (void (*)(void))cb); 2577109998Smarkm } 2578109998Smarkmvoid SSL_set_msg_callback(SSL *ssl, void (*cb)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg)) 2579109998Smarkm { 2580160814Ssimon SSL_callback_ctrl(ssl, SSL_CTRL_SET_MSG_CALLBACK, (void (*)(void))cb); 2581109998Smarkm } 2582109998Smarkm 2583109998Smarkm 2584109998Smarkm 2585109998Smarkm#if defined(_WINDLL) && defined(OPENSSL_SYS_WIN16) 258655714Skris#include "../crypto/bio/bss_file.c" 258755714Skris#endif 258855714Skris 258955714SkrisIMPLEMENT_STACK_OF(SSL_CIPHER) 259055714SkrisIMPLEMENT_STACK_OF(SSL_COMP) 2591