ssl_lib.c revision 89837
155714Skris/*! \file ssl/ssl_lib.c 255714Skris * \brief Version independent SSL functions. 355714Skris */ 455714Skris/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 555714Skris * All rights reserved. 655714Skris * 755714Skris * This package is an SSL implementation written 855714Skris * by Eric Young (eay@cryptsoft.com). 955714Skris * The implementation was written so as to conform with Netscapes SSL. 1055714Skris * 1155714Skris * This library is free for commercial and non-commercial use as long as 1255714Skris * the following conditions are aheared to. The following conditions 1355714Skris * apply to all code found in this distribution, be it the RC4, RSA, 1455714Skris * lhash, DES, etc., code; not just the SSL code. The SSL documentation 1555714Skris * included with this distribution is covered by the same copyright terms 1655714Skris * except that the holder is Tim Hudson (tjh@cryptsoft.com). 1755714Skris * 1855714Skris * Copyright remains Eric Young's, and as such any Copyright notices in 1955714Skris * the code are not to be removed. 2055714Skris * If this package is used in a product, Eric Young should be given attribution 2155714Skris * as the author of the parts of the library used. 2255714Skris * This can be in the form of a textual message at program startup or 2355714Skris * in documentation (online or textual) provided with the package. 2455714Skris * 2555714Skris * Redistribution and use in source and binary forms, with or without 2655714Skris * modification, are permitted provided that the following conditions 2755714Skris * are met: 2855714Skris * 1. Redistributions of source code must retain the copyright 2955714Skris * notice, this list of conditions and the following disclaimer. 3055714Skris * 2. Redistributions in binary form must reproduce the above copyright 3155714Skris * notice, this list of conditions and the following disclaimer in the 3255714Skris * documentation and/or other materials provided with the distribution. 3355714Skris * 3. All advertising materials mentioning features or use of this software 3455714Skris * must display the following acknowledgement: 3555714Skris * "This product includes cryptographic software written by 3655714Skris * Eric Young (eay@cryptsoft.com)" 3755714Skris * The word 'cryptographic' can be left out if the rouines from the library 3855714Skris * being used are not cryptographic related :-). 3955714Skris * 4. If you include any Windows specific code (or a derivative thereof) from 4055714Skris * the apps directory (application code) you must include an acknowledgement: 4155714Skris * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 4255714Skris * 4355714Skris * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 4455714Skris * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 4555714Skris * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 4655714Skris * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 4755714Skris * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 4855714Skris * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 4955714Skris * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 5055714Skris * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 5155714Skris * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 5255714Skris * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 5355714Skris * SUCH DAMAGE. 5455714Skris * 5555714Skris * The licence and distribution terms for any publically available version or 5655714Skris * derivative of this code cannot be changed. i.e. this code cannot simply be 5755714Skris * copied and put under another distribution licence 5855714Skris * [including the GNU Public Licence.] 5955714Skris */ 6055714Skris 6168651Skris 6268651Skris#include <assert.h> 6355714Skris#include <stdio.h> 6455714Skris#include <openssl/objects.h> 6555714Skris#include <openssl/lhash.h> 6659191Skris#include <openssl/x509v3.h> 6755714Skris#include "ssl_locl.h" 6855714Skris 6959191Skrisconst char *SSL_version_str=OPENSSL_VERSION_TEXT; 7055714Skris 7159191Skrisstatic STACK_OF(CRYPTO_EX_DATA_FUNCS) *ssl_meth=NULL; 7259191Skrisstatic STACK_OF(CRYPTO_EX_DATA_FUNCS) *ssl_ctx_meth=NULL; 7355714Skrisstatic int ssl_meth_num=0; 7455714Skrisstatic int ssl_ctx_meth_num=0; 7555714Skris 7655714SkrisOPENSSL_GLOBAL SSL3_ENC_METHOD ssl3_undef_enc_method={ 7759191Skris /* evil casts, but these functions are only called if there's a library bug */ 7859191Skris (int (*)(SSL *,int))ssl_undefined_function, 7959191Skris (int (*)(SSL *, unsigned char *, int))ssl_undefined_function, 8055714Skris ssl_undefined_function, 8159191Skris (int (*)(SSL *, unsigned char *, unsigned char *, int))ssl_undefined_function, 8259191Skris (int (*)(SSL*, int))ssl_undefined_function, 8359191Skris (int (*)(SSL *, EVP_MD_CTX *, EVP_MD_CTX *, const char*, int, unsigned char *))ssl_undefined_function 8455714Skris }; 8555714Skris 8655714Skrisint SSL_clear(SSL *s) 8755714Skris { 8855714Skris int state; 8955714Skris 9055714Skris if (s->method == NULL) 9155714Skris { 9255714Skris SSLerr(SSL_F_SSL_CLEAR,SSL_R_NO_METHOD_SPECIFIED); 9355714Skris return(0); 9455714Skris } 9555714Skris 9655714Skris s->error=0; 9755714Skris s->hit=0; 9855714Skris s->shutdown=0; 9955714Skris 10059191Skris#if 0 /* Disabled since version 1.10 of this file (early return not 10159191Skris * needed because SSL_clear is not called when doing renegotiation) */ 10255714Skris /* This is set if we are doing dynamic renegotiation so keep 10355714Skris * the old cipher. It is sort of a SSL_clear_lite :-) */ 10455714Skris if (s->new_session) return(1); 10559191Skris#else 10659191Skris if (s->new_session) 10759191Skris { 10859191Skris SSLerr(SSL_F_SSL_CLEAR,SSL_R_INTERNAL_ERROR); 10959191Skris return 0; 11059191Skris } 11155714Skris#endif 11255714Skris 11355714Skris state=s->state; /* Keep to check if we throw away the session-id */ 11455714Skris s->type=0; 11555714Skris 11655714Skris s->state=SSL_ST_BEFORE|((s->server)?SSL_ST_ACCEPT:SSL_ST_CONNECT); 11755714Skris 11855714Skris s->version=s->method->version; 11955714Skris s->client_version=s->version; 12055714Skris s->rwstate=SSL_NOTHING; 12155714Skris s->rstate=SSL_ST_READ_HEADER; 12272613Skris#if 0 12355714Skris s->read_ahead=s->ctx->read_ahead; 12472613Skris#endif 12555714Skris 12655714Skris if (s->init_buf != NULL) 12755714Skris { 12855714Skris BUF_MEM_free(s->init_buf); 12955714Skris s->init_buf=NULL; 13055714Skris } 13155714Skris 13255714Skris ssl_clear_cipher_ctx(s); 13355714Skris 13455714Skris if (ssl_clear_bad_session(s)) 13555714Skris { 13655714Skris SSL_SESSION_free(s->session); 13755714Skris s->session=NULL; 13855714Skris } 13955714Skris 14055714Skris s->first_packet=0; 14155714Skris 14255714Skris#if 1 14355714Skris /* Check to see if we were changed into a different method, if 14455714Skris * so, revert back if we are not doing session-id reuse. */ 14589837Skris if (!s->in_handshake && (s->session == NULL) && (s->method != s->ctx->method)) 14655714Skris { 14755714Skris s->method->ssl_free(s); 14855714Skris s->method=s->ctx->method; 14955714Skris if (!s->method->ssl_new(s)) 15055714Skris return(0); 15155714Skris } 15255714Skris else 15355714Skris#endif 15455714Skris s->method->ssl_clear(s); 15555714Skris return(1); 15655714Skris } 15755714Skris 15855714Skris/** Used to change an SSL_CTXs default SSL method type */ 15955714Skrisint SSL_CTX_set_ssl_version(SSL_CTX *ctx,SSL_METHOD *meth) 16055714Skris { 16155714Skris STACK_OF(SSL_CIPHER) *sk; 16255714Skris 16355714Skris ctx->method=meth; 16455714Skris 16555714Skris sk=ssl_create_cipher_list(ctx->method,&(ctx->cipher_list), 16655714Skris &(ctx->cipher_list_by_id),SSL_DEFAULT_CIPHER_LIST); 16755714Skris if ((sk == NULL) || (sk_SSL_CIPHER_num(sk) <= 0)) 16855714Skris { 16955714Skris SSLerr(SSL_F_SSL_CTX_SET_SSL_VERSION,SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS); 17055714Skris return(0); 17155714Skris } 17255714Skris return(1); 17355714Skris } 17455714Skris 17555714SkrisSSL *SSL_new(SSL_CTX *ctx) 17655714Skris { 17755714Skris SSL *s; 17855714Skris 17955714Skris if (ctx == NULL) 18055714Skris { 18155714Skris SSLerr(SSL_F_SSL_NEW,SSL_R_NULL_SSL_CTX); 18255714Skris return(NULL); 18355714Skris } 18455714Skris if (ctx->method == NULL) 18555714Skris { 18655714Skris SSLerr(SSL_F_SSL_NEW,SSL_R_SSL_CTX_HAS_NO_DEFAULT_SSL_VERSION); 18755714Skris return(NULL); 18855714Skris } 18955714Skris 19068651Skris s=(SSL *)OPENSSL_malloc(sizeof(SSL)); 19155714Skris if (s == NULL) goto err; 19255714Skris memset(s,0,sizeof(SSL)); 19355714Skris 19455714Skris if (ctx->cert != NULL) 19555714Skris { 19655714Skris /* Earlier library versions used to copy the pointer to 19755714Skris * the CERT, not its contents; only when setting new 19855714Skris * parameters for the per-SSL copy, ssl_cert_new would be 19955714Skris * called (and the direct reference to the per-SSL_CTX 20055714Skris * settings would be lost, but those still were indirectly 20155714Skris * accessed for various purposes, and for that reason they 20255714Skris * used to be known as s->ctx->default_cert). 20355714Skris * Now we don't look at the SSL_CTX's CERT after having 20455714Skris * duplicated it once. */ 20555714Skris 20655714Skris s->cert = ssl_cert_dup(ctx->cert); 20755714Skris if (s->cert == NULL) 20855714Skris goto err; 20955714Skris } 21055714Skris else 21155714Skris s->cert=NULL; /* Cannot really happen (see SSL_CTX_new) */ 21255714Skris s->sid_ctx_length=ctx->sid_ctx_length; 21355714Skris memcpy(&s->sid_ctx,&ctx->sid_ctx,sizeof(s->sid_ctx)); 21455714Skris s->verify_mode=ctx->verify_mode; 21555714Skris s->verify_depth=ctx->verify_depth; 21655714Skris s->verify_callback=ctx->default_verify_callback; 21759191Skris s->purpose = ctx->purpose; 21859191Skris s->trust = ctx->trust; 21955714Skris CRYPTO_add(&ctx->references,1,CRYPTO_LOCK_SSL_CTX); 22055714Skris s->ctx=ctx; 22155714Skris 22255714Skris s->verify_result=X509_V_OK; 22355714Skris 22455714Skris s->method=ctx->method; 22555714Skris 22655714Skris if (!s->method->ssl_new(s)) 22755714Skris goto err; 22855714Skris 22955714Skris s->quiet_shutdown=ctx->quiet_shutdown; 23055714Skris s->references=1; 23155714Skris s->server=(ctx->method->ssl_accept == ssl_undefined_function)?0:1; 23255714Skris s->options=ctx->options; 23355714Skris s->mode=ctx->mode; 23472613Skris s->read_ahead=ctx->read_ahead; /* used to happen in SSL_clear */ 23555714Skris SSL_clear(s); 23655714Skris 23759191Skris CRYPTO_new_ex_data(ssl_meth,s,&s->ex_data); 23855714Skris 23955714Skris return(s); 24055714Skriserr: 24155714Skris if (s != NULL) 24255714Skris { 24355714Skris if (s->cert != NULL) 24455714Skris ssl_cert_free(s->cert); 24555714Skris if (s->ctx != NULL) 24655714Skris SSL_CTX_free(s->ctx); /* decrement reference count */ 24768651Skris OPENSSL_free(s); 24855714Skris } 24955714Skris SSLerr(SSL_F_SSL_NEW,ERR_R_MALLOC_FAILURE); 25055714Skris return(NULL); 25155714Skris } 25255714Skris 25355714Skrisint SSL_CTX_set_session_id_context(SSL_CTX *ctx,const unsigned char *sid_ctx, 25455714Skris unsigned int sid_ctx_len) 25555714Skris { 25655714Skris if(sid_ctx_len > SSL_MAX_SID_CTX_LENGTH) 25755714Skris { 25855714Skris SSLerr(SSL_F_SSL_CTX_SET_SESSION_ID_CONTEXT,SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG); 25955714Skris return 0; 26055714Skris } 26155714Skris ctx->sid_ctx_length=sid_ctx_len; 26255714Skris memcpy(ctx->sid_ctx,sid_ctx,sid_ctx_len); 26355714Skris 26455714Skris return 1; 26555714Skris } 26655714Skris 26755714Skrisint SSL_set_session_id_context(SSL *ssl,const unsigned char *sid_ctx, 26855714Skris unsigned int sid_ctx_len) 26955714Skris { 27055714Skris if(sid_ctx_len > SSL_MAX_SID_CTX_LENGTH) 27155714Skris { 27255714Skris SSLerr(SSL_F_SSL_SET_SESSION_ID_CONTEXT,SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG); 27355714Skris return 0; 27455714Skris } 27555714Skris ssl->sid_ctx_length=sid_ctx_len; 27655714Skris memcpy(ssl->sid_ctx,sid_ctx,sid_ctx_len); 27755714Skris 27855714Skris return 1; 27955714Skris } 28055714Skris 28159191Skrisint SSL_CTX_set_purpose(SSL_CTX *s, int purpose) 28259191Skris{ 28359191Skris if(X509_PURPOSE_get_by_id(purpose) == -1) { 28459191Skris SSLerr(SSL_F_SSL_CTX_SET_PURPOSE, SSL_R_INVALID_PURPOSE); 28559191Skris return 0; 28659191Skris } 28759191Skris s->purpose = purpose; 28859191Skris return 1; 28959191Skris} 29059191Skris 29159191Skrisint SSL_set_purpose(SSL *s, int purpose) 29259191Skris{ 29359191Skris if(X509_PURPOSE_get_by_id(purpose) == -1) { 29459191Skris SSLerr(SSL_F_SSL_SET_PURPOSE, SSL_R_INVALID_PURPOSE); 29559191Skris return 0; 29659191Skris } 29759191Skris s->purpose = purpose; 29859191Skris return 1; 29959191Skris} 30059191Skris 30159191Skrisint SSL_CTX_set_trust(SSL_CTX *s, int trust) 30259191Skris{ 30359191Skris if(X509_TRUST_get_by_id(trust) == -1) { 30459191Skris SSLerr(SSL_F_SSL_CTX_SET_TRUST, SSL_R_INVALID_TRUST); 30559191Skris return 0; 30659191Skris } 30759191Skris s->trust = trust; 30859191Skris return 1; 30959191Skris} 31059191Skris 31159191Skrisint SSL_set_trust(SSL *s, int trust) 31259191Skris{ 31359191Skris if(X509_TRUST_get_by_id(trust) == -1) { 31459191Skris SSLerr(SSL_F_SSL_SET_TRUST, SSL_R_INVALID_TRUST); 31559191Skris return 0; 31659191Skris } 31759191Skris s->trust = trust; 31859191Skris return 1; 31959191Skris} 32059191Skris 32155714Skrisvoid SSL_free(SSL *s) 32255714Skris { 32355714Skris int i; 32455714Skris 32555714Skris if(s == NULL) 32655714Skris return; 32755714Skris 32855714Skris i=CRYPTO_add(&s->references,-1,CRYPTO_LOCK_SSL); 32955714Skris#ifdef REF_PRINT 33055714Skris REF_PRINT("SSL",s); 33155714Skris#endif 33255714Skris if (i > 0) return; 33355714Skris#ifdef REF_CHECK 33455714Skris if (i < 0) 33555714Skris { 33655714Skris fprintf(stderr,"SSL_free, bad reference count\n"); 33755714Skris abort(); /* ok */ 33855714Skris } 33955714Skris#endif 34055714Skris 34155714Skris CRYPTO_free_ex_data(ssl_meth,(char *)s,&s->ex_data); 34255714Skris 34355714Skris if (s->bbio != NULL) 34455714Skris { 34555714Skris /* If the buffering BIO is in place, pop it off */ 34655714Skris if (s->bbio == s->wbio) 34755714Skris { 34855714Skris s->wbio=BIO_pop(s->wbio); 34955714Skris } 35055714Skris BIO_free(s->bbio); 35155714Skris s->bbio=NULL; 35255714Skris } 35355714Skris if (s->rbio != NULL) 35455714Skris BIO_free_all(s->rbio); 35555714Skris if ((s->wbio != NULL) && (s->wbio != s->rbio)) 35655714Skris BIO_free_all(s->wbio); 35755714Skris 35855714Skris if (s->init_buf != NULL) BUF_MEM_free(s->init_buf); 35955714Skris 36055714Skris /* add extra stuff */ 36155714Skris if (s->cipher_list != NULL) sk_SSL_CIPHER_free(s->cipher_list); 36255714Skris if (s->cipher_list_by_id != NULL) sk_SSL_CIPHER_free(s->cipher_list_by_id); 36355714Skris 36455714Skris /* Make the next call work :-) */ 36555714Skris if (s->session != NULL) 36655714Skris { 36755714Skris ssl_clear_bad_session(s); 36855714Skris SSL_SESSION_free(s->session); 36955714Skris } 37055714Skris 37155714Skris ssl_clear_cipher_ctx(s); 37255714Skris 37355714Skris if (s->cert != NULL) ssl_cert_free(s->cert); 37455714Skris /* Free up if allocated */ 37555714Skris 37655714Skris if (s->ctx) SSL_CTX_free(s->ctx); 37755714Skris 37855714Skris if (s->client_CA != NULL) 37955714Skris sk_X509_NAME_pop_free(s->client_CA,X509_NAME_free); 38055714Skris 38155714Skris if (s->method != NULL) s->method->ssl_free(s); 38255714Skris 38368651Skris OPENSSL_free(s); 38455714Skris } 38555714Skris 38655714Skrisvoid SSL_set_bio(SSL *s,BIO *rbio,BIO *wbio) 38755714Skris { 38855714Skris /* If the output buffering BIO is still in place, remove it 38955714Skris */ 39055714Skris if (s->bbio != NULL) 39155714Skris { 39255714Skris if (s->wbio == s->bbio) 39355714Skris { 39455714Skris s->wbio=s->wbio->next_bio; 39555714Skris s->bbio->next_bio=NULL; 39655714Skris } 39755714Skris } 39855714Skris if ((s->rbio != NULL) && (s->rbio != rbio)) 39955714Skris BIO_free_all(s->rbio); 40055714Skris if ((s->wbio != NULL) && (s->wbio != wbio) && (s->rbio != s->wbio)) 40155714Skris BIO_free_all(s->wbio); 40255714Skris s->rbio=rbio; 40355714Skris s->wbio=wbio; 40455714Skris } 40555714Skris 40655714SkrisBIO *SSL_get_rbio(SSL *s) 40755714Skris { return(s->rbio); } 40855714Skris 40955714SkrisBIO *SSL_get_wbio(SSL *s) 41055714Skris { return(s->wbio); } 41155714Skris 41255714Skrisint SSL_get_fd(SSL *s) 41355714Skris { 41489837Skris return(SSL_get_rfd(s)); 41589837Skris } 41689837Skris 41789837Skrisint SSL_get_rfd(SSL *s) 41889837Skris { 41955714Skris int ret= -1; 42055714Skris BIO *b,*r; 42155714Skris 42255714Skris b=SSL_get_rbio(s); 42355714Skris r=BIO_find_type(b,BIO_TYPE_DESCRIPTOR); 42455714Skris if (r != NULL) 42555714Skris BIO_get_fd(r,&ret); 42655714Skris return(ret); 42755714Skris } 42855714Skris 42989837Skrisint SSL_get_wfd(SSL *s) 43089837Skris { 43189837Skris int ret= -1; 43289837Skris BIO *b,*r; 43389837Skris 43489837Skris b=SSL_get_wbio(s); 43589837Skris r=BIO_find_type(b,BIO_TYPE_DESCRIPTOR); 43689837Skris if (r != NULL) 43789837Skris BIO_get_fd(r,&ret); 43889837Skris return(ret); 43989837Skris } 44089837Skris 44155714Skris#ifndef NO_SOCK 44255714Skrisint SSL_set_fd(SSL *s,int fd) 44355714Skris { 44455714Skris int ret=0; 44555714Skris BIO *bio=NULL; 44655714Skris 44755714Skris bio=BIO_new(BIO_s_socket()); 44855714Skris 44955714Skris if (bio == NULL) 45055714Skris { 45155714Skris SSLerr(SSL_F_SSL_SET_FD,ERR_R_BUF_LIB); 45255714Skris goto err; 45355714Skris } 45455714Skris BIO_set_fd(bio,fd,BIO_NOCLOSE); 45555714Skris SSL_set_bio(s,bio,bio); 45655714Skris ret=1; 45755714Skriserr: 45855714Skris return(ret); 45955714Skris } 46055714Skris 46155714Skrisint SSL_set_wfd(SSL *s,int fd) 46255714Skris { 46355714Skris int ret=0; 46455714Skris BIO *bio=NULL; 46555714Skris 46655714Skris if ((s->rbio == NULL) || (BIO_method_type(s->rbio) != BIO_TYPE_SOCKET) 46755714Skris || ((int)BIO_get_fd(s->rbio,NULL) != fd)) 46855714Skris { 46955714Skris bio=BIO_new(BIO_s_socket()); 47055714Skris 47155714Skris if (bio == NULL) 47255714Skris { SSLerr(SSL_F_SSL_SET_WFD,ERR_R_BUF_LIB); goto err; } 47355714Skris BIO_set_fd(bio,fd,BIO_NOCLOSE); 47455714Skris SSL_set_bio(s,SSL_get_rbio(s),bio); 47555714Skris } 47655714Skris else 47755714Skris SSL_set_bio(s,SSL_get_rbio(s),SSL_get_rbio(s)); 47855714Skris ret=1; 47955714Skriserr: 48055714Skris return(ret); 48155714Skris } 48255714Skris 48355714Skrisint SSL_set_rfd(SSL *s,int fd) 48455714Skris { 48555714Skris int ret=0; 48655714Skris BIO *bio=NULL; 48755714Skris 48855714Skris if ((s->wbio == NULL) || (BIO_method_type(s->wbio) != BIO_TYPE_SOCKET) 48955714Skris || ((int)BIO_get_fd(s->wbio,NULL) != fd)) 49055714Skris { 49155714Skris bio=BIO_new(BIO_s_socket()); 49255714Skris 49355714Skris if (bio == NULL) 49455714Skris { 49555714Skris SSLerr(SSL_F_SSL_SET_RFD,ERR_R_BUF_LIB); 49655714Skris goto err; 49755714Skris } 49855714Skris BIO_set_fd(bio,fd,BIO_NOCLOSE); 49955714Skris SSL_set_bio(s,bio,SSL_get_wbio(s)); 50055714Skris } 50155714Skris else 50255714Skris SSL_set_bio(s,SSL_get_wbio(s),SSL_get_wbio(s)); 50355714Skris ret=1; 50455714Skriserr: 50555714Skris return(ret); 50655714Skris } 50755714Skris#endif 50855714Skris 50959191Skris 51059191Skris/* return length of latest Finished message we sent, copy to 'buf' */ 51159191Skrissize_t SSL_get_finished(SSL *s, void *buf, size_t count) 51259191Skris { 51359191Skris size_t ret = 0; 51459191Skris 51559191Skris if (s->s3 != NULL) 51659191Skris { 51759191Skris ret = s->s3->tmp.finish_md_len; 51859191Skris if (count > ret) 51959191Skris count = ret; 52059191Skris memcpy(buf, s->s3->tmp.finish_md, count); 52159191Skris } 52259191Skris return ret; 52359191Skris } 52459191Skris 52559191Skris/* return length of latest Finished message we expected, copy to 'buf' */ 52659191Skrissize_t SSL_get_peer_finished(SSL *s, void *buf, size_t count) 52759191Skris { 52859191Skris size_t ret = 0; 52959191Skris 53059191Skris if (s->s3 != NULL) 53159191Skris { 53259191Skris ret = s->s3->tmp.peer_finish_md_len; 53359191Skris if (count > ret) 53459191Skris count = ret; 53559191Skris memcpy(buf, s->s3->tmp.peer_finish_md, count); 53659191Skris } 53759191Skris return ret; 53859191Skris } 53959191Skris 54059191Skris 54155714Skrisint SSL_get_verify_mode(SSL *s) 54255714Skris { 54355714Skris return(s->verify_mode); 54455714Skris } 54555714Skris 54655714Skrisint SSL_get_verify_depth(SSL *s) 54755714Skris { 54855714Skris return(s->verify_depth); 54955714Skris } 55055714Skris 55155714Skrisint (*SSL_get_verify_callback(SSL *s))(int,X509_STORE_CTX *) 55255714Skris { 55355714Skris return(s->verify_callback); 55455714Skris } 55555714Skris 55655714Skrisint SSL_CTX_get_verify_mode(SSL_CTX *ctx) 55755714Skris { 55855714Skris return(ctx->verify_mode); 55955714Skris } 56055714Skris 56155714Skrisint SSL_CTX_get_verify_depth(SSL_CTX *ctx) 56255714Skris { 56355714Skris return(ctx->verify_depth); 56455714Skris } 56555714Skris 56655714Skrisint (*SSL_CTX_get_verify_callback(SSL_CTX *ctx))(int,X509_STORE_CTX *) 56755714Skris { 56855714Skris return(ctx->default_verify_callback); 56955714Skris } 57055714Skris 57155714Skrisvoid SSL_set_verify(SSL *s,int mode, 57255714Skris int (*callback)(int ok,X509_STORE_CTX *ctx)) 57355714Skris { 57455714Skris s->verify_mode=mode; 57555714Skris if (callback != NULL) 57655714Skris s->verify_callback=callback; 57755714Skris } 57855714Skris 57955714Skrisvoid SSL_set_verify_depth(SSL *s,int depth) 58055714Skris { 58155714Skris s->verify_depth=depth; 58255714Skris } 58355714Skris 58455714Skrisvoid SSL_set_read_ahead(SSL *s,int yes) 58555714Skris { 58655714Skris s->read_ahead=yes; 58755714Skris } 58855714Skris 58955714Skrisint SSL_get_read_ahead(SSL *s) 59055714Skris { 59155714Skris return(s->read_ahead); 59255714Skris } 59355714Skris 59455714Skrisint SSL_pending(SSL *s) 59555714Skris { 59655714Skris return(s->method->ssl_pending(s)); 59755714Skris } 59855714Skris 59955714SkrisX509 *SSL_get_peer_certificate(SSL *s) 60055714Skris { 60155714Skris X509 *r; 60255714Skris 60355714Skris if ((s == NULL) || (s->session == NULL)) 60455714Skris r=NULL; 60555714Skris else 60655714Skris r=s->session->peer; 60755714Skris 60855714Skris if (r == NULL) return(r); 60955714Skris 61055714Skris CRYPTO_add(&r->references,1,CRYPTO_LOCK_X509); 61155714Skris 61255714Skris return(r); 61355714Skris } 61455714Skris 61555714SkrisSTACK_OF(X509) *SSL_get_peer_cert_chain(SSL *s) 61655714Skris { 61755714Skris STACK_OF(X509) *r; 61855714Skris 61955714Skris if ((s == NULL) || (s->session == NULL) || (s->session->sess_cert == NULL)) 62055714Skris r=NULL; 62155714Skris else 62255714Skris r=s->session->sess_cert->cert_chain; 62355714Skris 62459191Skris /* If we are a client, cert_chain includes the peer's own 62559191Skris * certificate; if we are a server, it does not. */ 62659191Skris 62755714Skris return(r); 62855714Skris } 62955714Skris 63055714Skris/* Now in theory, since the calling process own 't' it should be safe to 63155714Skris * modify. We need to be able to read f without being hassled */ 63255714Skrisvoid SSL_copy_session_id(SSL *t,SSL *f) 63355714Skris { 63455714Skris CERT *tmp; 63555714Skris 63655714Skris /* Do we need to to SSL locking? */ 63755714Skris SSL_set_session(t,SSL_get_session(f)); 63855714Skris 63955714Skris /* what if we are setup as SSLv2 but want to talk SSLv3 or 64055714Skris * vice-versa */ 64155714Skris if (t->method != f->method) 64255714Skris { 64355714Skris t->method->ssl_free(t); /* cleanup current */ 64455714Skris t->method=f->method; /* change method */ 64555714Skris t->method->ssl_new(t); /* setup new */ 64655714Skris } 64755714Skris 64855714Skris tmp=t->cert; 64955714Skris if (f->cert != NULL) 65055714Skris { 65155714Skris CRYPTO_add(&f->cert->references,1,CRYPTO_LOCK_SSL_CERT); 65255714Skris t->cert=f->cert; 65355714Skris } 65455714Skris else 65555714Skris t->cert=NULL; 65655714Skris if (tmp != NULL) ssl_cert_free(tmp); 65755714Skris SSL_set_session_id_context(t,f->sid_ctx,f->sid_ctx_length); 65855714Skris } 65955714Skris 66055714Skris/* Fix this so it checks all the valid key/cert options */ 66155714Skrisint SSL_CTX_check_private_key(SSL_CTX *ctx) 66255714Skris { 66355714Skris if ( (ctx == NULL) || 66455714Skris (ctx->cert == NULL) || 66555714Skris (ctx->cert->key->x509 == NULL)) 66655714Skris { 66755714Skris SSLerr(SSL_F_SSL_CTX_CHECK_PRIVATE_KEY,SSL_R_NO_CERTIFICATE_ASSIGNED); 66855714Skris return(0); 66955714Skris } 67055714Skris if (ctx->cert->key->privatekey == NULL) 67155714Skris { 67255714Skris SSLerr(SSL_F_SSL_CTX_CHECK_PRIVATE_KEY,SSL_R_NO_PRIVATE_KEY_ASSIGNED); 67355714Skris return(0); 67455714Skris } 67555714Skris return(X509_check_private_key(ctx->cert->key->x509, ctx->cert->key->privatekey)); 67655714Skris } 67755714Skris 67855714Skris/* Fix this function so that it takes an optional type parameter */ 67955714Skrisint SSL_check_private_key(SSL *ssl) 68055714Skris { 68155714Skris if (ssl == NULL) 68255714Skris { 68355714Skris SSLerr(SSL_F_SSL_CHECK_PRIVATE_KEY,ERR_R_PASSED_NULL_PARAMETER); 68455714Skris return(0); 68555714Skris } 68655714Skris if (ssl->cert == NULL) 68755714Skris { 68855714Skris SSLerr(SSL_F_SSL_CHECK_PRIVATE_KEY,SSL_R_NO_CERTIFICATE_ASSIGNED); 68955714Skris return 0; 69055714Skris } 69155714Skris if (ssl->cert->key->x509 == NULL) 69255714Skris { 69355714Skris SSLerr(SSL_F_SSL_CHECK_PRIVATE_KEY,SSL_R_NO_CERTIFICATE_ASSIGNED); 69455714Skris return(0); 69555714Skris } 69655714Skris if (ssl->cert->key->privatekey == NULL) 69755714Skris { 69855714Skris SSLerr(SSL_F_SSL_CHECK_PRIVATE_KEY,SSL_R_NO_PRIVATE_KEY_ASSIGNED); 69955714Skris return(0); 70055714Skris } 70155714Skris return(X509_check_private_key(ssl->cert->key->x509, 70255714Skris ssl->cert->key->privatekey)); 70355714Skris } 70455714Skris 70555714Skrisint SSL_accept(SSL *s) 70655714Skris { 70755714Skris if (s->handshake_func == 0) 70855714Skris /* Not properly initialized yet */ 70955714Skris SSL_set_accept_state(s); 71055714Skris 71155714Skris return(s->method->ssl_accept(s)); 71255714Skris } 71355714Skris 71455714Skrisint SSL_connect(SSL *s) 71555714Skris { 71655714Skris if (s->handshake_func == 0) 71755714Skris /* Not properly initialized yet */ 71855714Skris SSL_set_connect_state(s); 71955714Skris 72055714Skris return(s->method->ssl_connect(s)); 72155714Skris } 72255714Skris 72355714Skrislong SSL_get_default_timeout(SSL *s) 72455714Skris { 72555714Skris return(s->method->get_timeout()); 72655714Skris } 72755714Skris 72876866Skrisint SSL_read(SSL *s,void *buf,int num) 72955714Skris { 73055714Skris if (s->handshake_func == 0) 73155714Skris { 73255714Skris SSLerr(SSL_F_SSL_READ, SSL_R_UNINITIALIZED); 73355714Skris return -1; 73455714Skris } 73555714Skris 73655714Skris if (s->shutdown & SSL_RECEIVED_SHUTDOWN) 73755714Skris { 73855714Skris s->rwstate=SSL_NOTHING; 73955714Skris return(0); 74055714Skris } 74155714Skris return(s->method->ssl_read(s,buf,num)); 74255714Skris } 74355714Skris 74476866Skrisint SSL_peek(SSL *s,void *buf,int num) 74555714Skris { 74676866Skris if (s->handshake_func == 0) 74776866Skris { 74876866Skris SSLerr(SSL_F_SSL_READ, SSL_R_UNINITIALIZED); 74976866Skris return -1; 75076866Skris } 75176866Skris 75255714Skris if (s->shutdown & SSL_RECEIVED_SHUTDOWN) 75355714Skris { 75455714Skris return(0); 75555714Skris } 75655714Skris return(s->method->ssl_peek(s,buf,num)); 75755714Skris } 75855714Skris 75976866Skrisint SSL_write(SSL *s,const void *buf,int num) 76055714Skris { 76155714Skris if (s->handshake_func == 0) 76255714Skris { 76355714Skris SSLerr(SSL_F_SSL_WRITE, SSL_R_UNINITIALIZED); 76455714Skris return -1; 76555714Skris } 76655714Skris 76755714Skris if (s->shutdown & SSL_SENT_SHUTDOWN) 76855714Skris { 76955714Skris s->rwstate=SSL_NOTHING; 77055714Skris SSLerr(SSL_F_SSL_WRITE,SSL_R_PROTOCOL_IS_SHUTDOWN); 77155714Skris return(-1); 77255714Skris } 77355714Skris return(s->method->ssl_write(s,buf,num)); 77455714Skris } 77555714Skris 77655714Skrisint SSL_shutdown(SSL *s) 77755714Skris { 77855714Skris /* Note that this function behaves differently from what one might 77955714Skris * expect. Return values are 0 for no success (yet), 78055714Skris * 1 for success; but calling it once is usually not enough, 78155714Skris * even if blocking I/O is used (see ssl3_shutdown). 78255714Skris */ 78355714Skris 78455714Skris if (s->handshake_func == 0) 78555714Skris { 78655714Skris SSLerr(SSL_F_SSL_SHUTDOWN, SSL_R_UNINITIALIZED); 78755714Skris return -1; 78855714Skris } 78955714Skris 79055714Skris if ((s != NULL) && !SSL_in_init(s)) 79155714Skris return(s->method->ssl_shutdown(s)); 79255714Skris else 79355714Skris return(1); 79455714Skris } 79555714Skris 79655714Skrisint SSL_renegotiate(SSL *s) 79755714Skris { 79855714Skris s->new_session=1; 79955714Skris return(s->method->ssl_renegotiate(s)); 80055714Skris } 80155714Skris 80255714Skrislong SSL_ctrl(SSL *s,int cmd,long larg,char *parg) 80355714Skris { 80455714Skris long l; 80555714Skris 80655714Skris switch (cmd) 80755714Skris { 80855714Skris case SSL_CTRL_GET_READ_AHEAD: 80955714Skris return(s->read_ahead); 81055714Skris case SSL_CTRL_SET_READ_AHEAD: 81155714Skris l=s->read_ahead; 81255714Skris s->read_ahead=larg; 81355714Skris return(l); 81455714Skris case SSL_CTRL_OPTIONS: 81555714Skris return(s->options|=larg); 81655714Skris case SSL_CTRL_MODE: 81755714Skris return(s->mode|=larg); 81855714Skris default: 81955714Skris return(s->method->ssl_ctrl(s,cmd,larg,parg)); 82055714Skris } 82155714Skris } 82255714Skris 82359191Skrislong SSL_callback_ctrl(SSL *s, int cmd, void (*fp)()) 82459191Skris { 82559191Skris switch(cmd) 82659191Skris { 82759191Skris default: 82859191Skris return(s->method->ssl_callback_ctrl(s,cmd,fp)); 82959191Skris } 83059191Skris } 83159191Skris 83259191Skrisstruct lhash_st *SSL_CTX_sessions(SSL_CTX *ctx) 83359191Skris { 83459191Skris return ctx->sessions; 83559191Skris } 83659191Skris 83755714Skrislong SSL_CTX_ctrl(SSL_CTX *ctx,int cmd,long larg,char *parg) 83855714Skris { 83955714Skris long l; 84055714Skris 84155714Skris switch (cmd) 84255714Skris { 84355714Skris case SSL_CTRL_GET_READ_AHEAD: 84455714Skris return(ctx->read_ahead); 84555714Skris case SSL_CTRL_SET_READ_AHEAD: 84655714Skris l=ctx->read_ahead; 84755714Skris ctx->read_ahead=larg; 84855714Skris return(l); 84955714Skris 85055714Skris case SSL_CTRL_SET_SESS_CACHE_SIZE: 85155714Skris l=ctx->session_cache_size; 85255714Skris ctx->session_cache_size=larg; 85355714Skris return(l); 85455714Skris case SSL_CTRL_GET_SESS_CACHE_SIZE: 85555714Skris return(ctx->session_cache_size); 85655714Skris case SSL_CTRL_SET_SESS_CACHE_MODE: 85755714Skris l=ctx->session_cache_mode; 85855714Skris ctx->session_cache_mode=larg; 85955714Skris return(l); 86055714Skris case SSL_CTRL_GET_SESS_CACHE_MODE: 86155714Skris return(ctx->session_cache_mode); 86255714Skris 86355714Skris case SSL_CTRL_SESS_NUMBER: 86455714Skris return(ctx->sessions->num_items); 86555714Skris case SSL_CTRL_SESS_CONNECT: 86655714Skris return(ctx->stats.sess_connect); 86755714Skris case SSL_CTRL_SESS_CONNECT_GOOD: 86855714Skris return(ctx->stats.sess_connect_good); 86955714Skris case SSL_CTRL_SESS_CONNECT_RENEGOTIATE: 87055714Skris return(ctx->stats.sess_connect_renegotiate); 87155714Skris case SSL_CTRL_SESS_ACCEPT: 87255714Skris return(ctx->stats.sess_accept); 87355714Skris case SSL_CTRL_SESS_ACCEPT_GOOD: 87455714Skris return(ctx->stats.sess_accept_good); 87555714Skris case SSL_CTRL_SESS_ACCEPT_RENEGOTIATE: 87655714Skris return(ctx->stats.sess_accept_renegotiate); 87755714Skris case SSL_CTRL_SESS_HIT: 87855714Skris return(ctx->stats.sess_hit); 87955714Skris case SSL_CTRL_SESS_CB_HIT: 88055714Skris return(ctx->stats.sess_cb_hit); 88155714Skris case SSL_CTRL_SESS_MISSES: 88255714Skris return(ctx->stats.sess_miss); 88355714Skris case SSL_CTRL_SESS_TIMEOUTS: 88455714Skris return(ctx->stats.sess_timeout); 88555714Skris case SSL_CTRL_SESS_CACHE_FULL: 88655714Skris return(ctx->stats.sess_cache_full); 88755714Skris case SSL_CTRL_OPTIONS: 88855714Skris return(ctx->options|=larg); 88955714Skris case SSL_CTRL_MODE: 89055714Skris return(ctx->mode|=larg); 89155714Skris default: 89255714Skris return(ctx->method->ssl_ctx_ctrl(ctx,cmd,larg,parg)); 89355714Skris } 89455714Skris } 89555714Skris 89659191Skrislong SSL_CTX_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)()) 89759191Skris { 89859191Skris switch(cmd) 89959191Skris { 90059191Skris default: 90159191Skris return(ctx->method->ssl_ctx_callback_ctrl(ctx,cmd,fp)); 90259191Skris } 90359191Skris } 90459191Skris 90568651Skrisint ssl_cipher_id_cmp(const SSL_CIPHER *a, const SSL_CIPHER *b) 90655714Skris { 90755714Skris long l; 90855714Skris 90955714Skris l=a->id-b->id; 91055714Skris if (l == 0L) 91155714Skris return(0); 91255714Skris else 91355714Skris return((l > 0)?1:-1); 91455714Skris } 91555714Skris 91668651Skrisint ssl_cipher_ptr_id_cmp(const SSL_CIPHER * const *ap, 91768651Skris const SSL_CIPHER * const *bp) 91855714Skris { 91955714Skris long l; 92055714Skris 92155714Skris l=(*ap)->id-(*bp)->id; 92255714Skris if (l == 0L) 92355714Skris return(0); 92455714Skris else 92555714Skris return((l > 0)?1:-1); 92655714Skris } 92755714Skris 92855714Skris/** return a STACK of the ciphers available for the SSL and in order of 92955714Skris * preference */ 93055714SkrisSTACK_OF(SSL_CIPHER) *SSL_get_ciphers(SSL *s) 93155714Skris { 93255714Skris if ((s != NULL) && (s->cipher_list != NULL)) 93355714Skris { 93455714Skris return(s->cipher_list); 93555714Skris } 93655714Skris else if ((s->ctx != NULL) && 93755714Skris (s->ctx->cipher_list != NULL)) 93855714Skris { 93955714Skris return(s->ctx->cipher_list); 94055714Skris } 94155714Skris return(NULL); 94255714Skris } 94355714Skris 94455714Skris/** return a STACK of the ciphers available for the SSL and in order of 94555714Skris * algorithm id */ 94655714SkrisSTACK_OF(SSL_CIPHER) *ssl_get_ciphers_by_id(SSL *s) 94755714Skris { 94855714Skris if ((s != NULL) && (s->cipher_list_by_id != NULL)) 94955714Skris { 95055714Skris return(s->cipher_list_by_id); 95155714Skris } 95255714Skris else if ((s != NULL) && (s->ctx != NULL) && 95355714Skris (s->ctx->cipher_list_by_id != NULL)) 95455714Skris { 95555714Skris return(s->ctx->cipher_list_by_id); 95655714Skris } 95755714Skris return(NULL); 95855714Skris } 95955714Skris 96055714Skris/** The old interface to get the same thing as SSL_get_ciphers() */ 96155714Skrisconst char *SSL_get_cipher_list(SSL *s,int n) 96255714Skris { 96355714Skris SSL_CIPHER *c; 96455714Skris STACK_OF(SSL_CIPHER) *sk; 96555714Skris 96655714Skris if (s == NULL) return(NULL); 96755714Skris sk=SSL_get_ciphers(s); 96855714Skris if ((sk == NULL) || (sk_SSL_CIPHER_num(sk) <= n)) 96955714Skris return(NULL); 97055714Skris c=sk_SSL_CIPHER_value(sk,n); 97155714Skris if (c == NULL) return(NULL); 97255714Skris return(c->name); 97355714Skris } 97455714Skris 97559191Skris/** specify the ciphers to be used by default by the SSL_CTX */ 97659191Skrisint SSL_CTX_set_cipher_list(SSL_CTX *ctx, const char *str) 97755714Skris { 97855714Skris STACK_OF(SSL_CIPHER) *sk; 97955714Skris 98055714Skris sk=ssl_create_cipher_list(ctx->method,&ctx->cipher_list, 98155714Skris &ctx->cipher_list_by_id,str); 98255714Skris/* XXXX */ 98355714Skris return((sk == NULL)?0:1); 98455714Skris } 98555714Skris 98655714Skris/** specify the ciphers to be used by the SSL */ 98759191Skrisint SSL_set_cipher_list(SSL *s,const char *str) 98855714Skris { 98955714Skris STACK_OF(SSL_CIPHER) *sk; 99055714Skris 99155714Skris sk=ssl_create_cipher_list(s->ctx->method,&s->cipher_list, 99255714Skris &s->cipher_list_by_id,str); 99355714Skris/* XXXX */ 99455714Skris return((sk == NULL)?0:1); 99555714Skris } 99655714Skris 99755714Skris/* works well for SSLv2, not so good for SSLv3 */ 99855714Skrischar *SSL_get_shared_ciphers(SSL *s,char *buf,int len) 99955714Skris { 100055714Skris char *p; 100155714Skris const char *cp; 100255714Skris STACK_OF(SSL_CIPHER) *sk; 100355714Skris SSL_CIPHER *c; 100455714Skris int i; 100555714Skris 100655714Skris if ((s->session == NULL) || (s->session->ciphers == NULL) || 100755714Skris (len < 2)) 100855714Skris return(NULL); 100955714Skris 101055714Skris p=buf; 101155714Skris sk=s->session->ciphers; 101255714Skris for (i=0; i<sk_SSL_CIPHER_num(sk); i++) 101355714Skris { 101455714Skris /* Decrement for either the ':' or a '\0' */ 101555714Skris len--; 101655714Skris c=sk_SSL_CIPHER_value(sk,i); 101755714Skris for (cp=c->name; *cp; ) 101855714Skris { 101955714Skris if (len-- == 0) 102055714Skris { 102155714Skris *p='\0'; 102255714Skris return(buf); 102355714Skris } 102455714Skris else 102555714Skris *(p++)= *(cp++); 102655714Skris } 102755714Skris *(p++)=':'; 102855714Skris } 102955714Skris p[-1]='\0'; 103055714Skris return(buf); 103155714Skris } 103255714Skris 103355714Skrisint ssl_cipher_list_to_bytes(SSL *s,STACK_OF(SSL_CIPHER) *sk,unsigned char *p) 103455714Skris { 103555714Skris int i,j=0; 103655714Skris SSL_CIPHER *c; 103755714Skris unsigned char *q; 103855714Skris 103955714Skris if (sk == NULL) return(0); 104055714Skris q=p; 104155714Skris 104255714Skris for (i=0; i<sk_SSL_CIPHER_num(sk); i++) 104355714Skris { 104455714Skris c=sk_SSL_CIPHER_value(sk,i); 104555714Skris j=ssl_put_cipher_by_char(s,c,p); 104655714Skris p+=j; 104755714Skris } 104855714Skris return(p-q); 104955714Skris } 105055714Skris 105155714SkrisSTACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s,unsigned char *p,int num, 105255714Skris STACK_OF(SSL_CIPHER) **skp) 105355714Skris { 105455714Skris SSL_CIPHER *c; 105555714Skris STACK_OF(SSL_CIPHER) *sk; 105655714Skris int i,n; 105755714Skris 105855714Skris n=ssl_put_cipher_by_char(s,NULL,NULL); 105955714Skris if ((num%n) != 0) 106055714Skris { 106155714Skris SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST); 106255714Skris return(NULL); 106355714Skris } 106455714Skris if ((skp == NULL) || (*skp == NULL)) 106568651Skris sk=sk_SSL_CIPHER_new_null(); /* change perhaps later */ 106655714Skris else 106755714Skris { 106855714Skris sk= *skp; 106955714Skris sk_SSL_CIPHER_zero(sk); 107055714Skris } 107155714Skris 107255714Skris for (i=0; i<num; i+=n) 107355714Skris { 107455714Skris c=ssl_get_cipher_by_char(s,p); 107555714Skris p+=n; 107655714Skris if (c != NULL) 107755714Skris { 107855714Skris if (!sk_SSL_CIPHER_push(sk,c)) 107955714Skris { 108055714Skris SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,ERR_R_MALLOC_FAILURE); 108155714Skris goto err; 108255714Skris } 108355714Skris } 108455714Skris } 108555714Skris 108655714Skris if (skp != NULL) 108755714Skris *skp=sk; 108855714Skris return(sk); 108955714Skriserr: 109055714Skris if ((skp == NULL) || (*skp == NULL)) 109155714Skris sk_SSL_CIPHER_free(sk); 109255714Skris return(NULL); 109355714Skris } 109455714Skris 109555714Skrisunsigned long SSL_SESSION_hash(SSL_SESSION *a) 109655714Skris { 109755714Skris unsigned long l; 109855714Skris 109955714Skris l=(unsigned long) 110055714Skris ((unsigned int) a->session_id[0] )| 110155714Skris ((unsigned int) a->session_id[1]<< 8L)| 110255714Skris ((unsigned long)a->session_id[2]<<16L)| 110355714Skris ((unsigned long)a->session_id[3]<<24L); 110455714Skris return(l); 110555714Skris } 110655714Skris 110755714Skrisint SSL_SESSION_cmp(SSL_SESSION *a,SSL_SESSION *b) 110855714Skris { 110955714Skris if (a->ssl_version != b->ssl_version) 111055714Skris return(1); 111155714Skris if (a->session_id_length != b->session_id_length) 111255714Skris return(1); 111355714Skris return(memcmp(a->session_id,b->session_id,a->session_id_length)); 111455714Skris } 111555714Skris 111655714SkrisSSL_CTX *SSL_CTX_new(SSL_METHOD *meth) 111755714Skris { 111855714Skris SSL_CTX *ret=NULL; 111955714Skris 112055714Skris if (meth == NULL) 112155714Skris { 112255714Skris SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_NULL_SSL_METHOD_PASSED); 112355714Skris return(NULL); 112455714Skris } 112555714Skris 112655714Skris if (SSL_get_ex_data_X509_STORE_CTX_idx() < 0) 112755714Skris { 112855714Skris SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_X509_VERIFICATION_SETUP_PROBLEMS); 112955714Skris goto err; 113055714Skris } 113168651Skris ret=(SSL_CTX *)OPENSSL_malloc(sizeof(SSL_CTX)); 113255714Skris if (ret == NULL) 113355714Skris goto err; 113455714Skris 113555714Skris memset(ret,0,sizeof(SSL_CTX)); 113655714Skris 113755714Skris ret->method=meth; 113855714Skris 113955714Skris ret->cert_store=NULL; 114055714Skris ret->session_cache_mode=SSL_SESS_CACHE_SERVER; 114155714Skris ret->session_cache_size=SSL_SESSION_CACHE_MAX_SIZE_DEFAULT; 114255714Skris ret->session_cache_head=NULL; 114355714Skris ret->session_cache_tail=NULL; 114455714Skris 114555714Skris /* We take the system default */ 114655714Skris ret->session_timeout=meth->get_timeout(); 114755714Skris 114855714Skris ret->new_session_cb=NULL; 114955714Skris ret->remove_session_cb=NULL; 115055714Skris ret->get_session_cb=NULL; 115155714Skris 115255714Skris memset((char *)&ret->stats,0,sizeof(ret->stats)); 115355714Skris 115455714Skris ret->references=1; 115555714Skris ret->quiet_shutdown=0; 115655714Skris 115755714Skris/* ret->cipher=NULL;*/ 115855714Skris/* ret->s2->challenge=NULL; 115955714Skris ret->master_key=NULL; 116055714Skris ret->key_arg=NULL; 116155714Skris ret->s2->conn_id=NULL; */ 116255714Skris 116355714Skris ret->info_callback=NULL; 116455714Skris 116555714Skris ret->app_verify_callback=NULL; 116655714Skris ret->app_verify_arg=NULL; 116755714Skris 116855714Skris ret->read_ahead=0; 116955714Skris ret->verify_mode=SSL_VERIFY_NONE; 117055714Skris ret->verify_depth=-1; /* Don't impose a limit (but x509_lu.c does) */ 117155714Skris ret->default_verify_callback=NULL; 117255714Skris if ((ret->cert=ssl_cert_new()) == NULL) 117355714Skris goto err; 117455714Skris 117555714Skris ret->default_passwd_callback=NULL; 117655714Skris ret->default_passwd_callback_userdata=NULL; 117755714Skris ret->client_cert_cb=NULL; 117855714Skris 117955714Skris ret->sessions=lh_new(SSL_SESSION_hash,SSL_SESSION_cmp); 118055714Skris if (ret->sessions == NULL) goto err; 118155714Skris ret->cert_store=X509_STORE_new(); 118255714Skris if (ret->cert_store == NULL) goto err; 118355714Skris 118455714Skris ssl_create_cipher_list(ret->method, 118555714Skris &ret->cipher_list,&ret->cipher_list_by_id, 118655714Skris SSL_DEFAULT_CIPHER_LIST); 118755714Skris if (ret->cipher_list == NULL 118855714Skris || sk_SSL_CIPHER_num(ret->cipher_list) <= 0) 118955714Skris { 119055714Skris SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_LIBRARY_HAS_NO_CIPHERS); 119155714Skris goto err2; 119255714Skris } 119355714Skris 119455714Skris if ((ret->rsa_md5=EVP_get_digestbyname("ssl2-md5")) == NULL) 119555714Skris { 119655714Skris SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_UNABLE_TO_LOAD_SSL2_MD5_ROUTINES); 119755714Skris goto err2; 119855714Skris } 119955714Skris if ((ret->md5=EVP_get_digestbyname("ssl3-md5")) == NULL) 120055714Skris { 120155714Skris SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES); 120255714Skris goto err2; 120355714Skris } 120455714Skris if ((ret->sha1=EVP_get_digestbyname("ssl3-sha1")) == NULL) 120555714Skris { 120655714Skris SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES); 120755714Skris goto err2; 120855714Skris } 120955714Skris 121055714Skris if ((ret->client_CA=sk_X509_NAME_new_null()) == NULL) 121155714Skris goto err; 121255714Skris 121355714Skris CRYPTO_new_ex_data(ssl_ctx_meth,(char *)ret,&ret->ex_data); 121455714Skris 121555714Skris ret->extra_certs=NULL; 121655714Skris ret->comp_methods=SSL_COMP_get_compression_methods(); 121755714Skris 121855714Skris return(ret); 121955714Skriserr: 122055714Skris SSLerr(SSL_F_SSL_CTX_NEW,ERR_R_MALLOC_FAILURE); 122155714Skriserr2: 122255714Skris if (ret != NULL) SSL_CTX_free(ret); 122355714Skris return(NULL); 122455714Skris } 122555714Skris 122655714Skrisstatic void SSL_COMP_free(SSL_COMP *comp) 122768651Skris { OPENSSL_free(comp); } 122855714Skris 122955714Skrisvoid SSL_CTX_free(SSL_CTX *a) 123055714Skris { 123155714Skris int i; 123255714Skris 123355714Skris if (a == NULL) return; 123455714Skris 123555714Skris i=CRYPTO_add(&a->references,-1,CRYPTO_LOCK_SSL_CTX); 123655714Skris#ifdef REF_PRINT 123755714Skris REF_PRINT("SSL_CTX",a); 123855714Skris#endif 123955714Skris if (i > 0) return; 124055714Skris#ifdef REF_CHECK 124155714Skris if (i < 0) 124255714Skris { 124355714Skris fprintf(stderr,"SSL_CTX_free, bad reference count\n"); 124455714Skris abort(); /* ok */ 124555714Skris } 124655714Skris#endif 124755714Skris CRYPTO_free_ex_data(ssl_ctx_meth,(char *)a,&a->ex_data); 124855714Skris 124955714Skris if (a->sessions != NULL) 125055714Skris { 125155714Skris SSL_CTX_flush_sessions(a,0); 125255714Skris lh_free(a->sessions); 125355714Skris } 125455714Skris if (a->cert_store != NULL) 125555714Skris X509_STORE_free(a->cert_store); 125655714Skris if (a->cipher_list != NULL) 125755714Skris sk_SSL_CIPHER_free(a->cipher_list); 125855714Skris if (a->cipher_list_by_id != NULL) 125955714Skris sk_SSL_CIPHER_free(a->cipher_list_by_id); 126055714Skris if (a->cert != NULL) 126155714Skris ssl_cert_free(a->cert); 126255714Skris if (a->client_CA != NULL) 126355714Skris sk_X509_NAME_pop_free(a->client_CA,X509_NAME_free); 126455714Skris if (a->extra_certs != NULL) 126555714Skris sk_X509_pop_free(a->extra_certs,X509_free); 126655714Skris if (a->comp_methods != NULL) 126755714Skris sk_SSL_COMP_pop_free(a->comp_methods,SSL_COMP_free); 126868651Skris OPENSSL_free(a); 126955714Skris } 127055714Skris 127155714Skrisvoid SSL_CTX_set_default_passwd_cb(SSL_CTX *ctx, pem_password_cb *cb) 127255714Skris { 127355714Skris ctx->default_passwd_callback=cb; 127455714Skris } 127555714Skris 127655714Skrisvoid SSL_CTX_set_default_passwd_cb_userdata(SSL_CTX *ctx,void *u) 127755714Skris { 127855714Skris ctx->default_passwd_callback_userdata=u; 127955714Skris } 128055714Skris 128155714Skrisvoid SSL_CTX_set_cert_verify_callback(SSL_CTX *ctx,int (*cb)(),char *arg) 128255714Skris { 128355714Skris /* now 128455714Skris * int (*cb)(X509_STORE_CTX *), 128555714Skris * but should be 128655714Skris * int (*cb)(X509_STORE_CTX *, void *arg) 128755714Skris */ 128855714Skris ctx->app_verify_callback=cb; 128955714Skris ctx->app_verify_arg=arg; /* never used */ 129055714Skris } 129155714Skris 129255714Skrisvoid SSL_CTX_set_verify(SSL_CTX *ctx,int mode,int (*cb)(int, X509_STORE_CTX *)) 129355714Skris { 129455714Skris ctx->verify_mode=mode; 129555714Skris ctx->default_verify_callback=cb; 129655714Skris } 129755714Skris 129855714Skrisvoid SSL_CTX_set_verify_depth(SSL_CTX *ctx,int depth) 129955714Skris { 130055714Skris ctx->verify_depth=depth; 130155714Skris } 130255714Skris 130355714Skrisvoid ssl_set_cert_masks(CERT *c, SSL_CIPHER *cipher) 130455714Skris { 130555714Skris CERT_PKEY *cpk; 130655714Skris int rsa_enc,rsa_tmp,rsa_sign,dh_tmp,dh_rsa,dh_dsa,dsa_sign; 130755714Skris int rsa_enc_export,dh_rsa_export,dh_dsa_export; 130855714Skris int rsa_tmp_export,dh_tmp_export,kl; 130955714Skris unsigned long mask,emask; 131055714Skris 131155714Skris if (c == NULL) return; 131255714Skris 131355714Skris kl=SSL_C_EXPORT_PKEYLENGTH(cipher); 131455714Skris 131555714Skris#ifndef NO_RSA 131655714Skris rsa_tmp=(c->rsa_tmp != NULL || c->rsa_tmp_cb != NULL); 131755714Skris rsa_tmp_export=(c->rsa_tmp_cb != NULL || 131855714Skris (rsa_tmp && RSA_size(c->rsa_tmp)*8 <= kl)); 131955714Skris#else 132055714Skris rsa_tmp=rsa_tmp_export=0; 132155714Skris#endif 132255714Skris#ifndef NO_DH 132355714Skris dh_tmp=(c->dh_tmp != NULL || c->dh_tmp_cb != NULL); 132455714Skris dh_tmp_export=(c->dh_tmp_cb != NULL || 132555714Skris (dh_tmp && DH_size(c->dh_tmp)*8 <= kl)); 132655714Skris#else 132755714Skris dh_tmp=dh_tmp_export=0; 132855714Skris#endif 132955714Skris 133055714Skris cpk= &(c->pkeys[SSL_PKEY_RSA_ENC]); 133155714Skris rsa_enc= (cpk->x509 != NULL && cpk->privatekey != NULL); 133255714Skris rsa_enc_export=(rsa_enc && EVP_PKEY_size(cpk->privatekey)*8 <= kl); 133355714Skris cpk= &(c->pkeys[SSL_PKEY_RSA_SIGN]); 133455714Skris rsa_sign=(cpk->x509 != NULL && cpk->privatekey != NULL); 133555714Skris cpk= &(c->pkeys[SSL_PKEY_DSA_SIGN]); 133655714Skris dsa_sign=(cpk->x509 != NULL && cpk->privatekey != NULL); 133755714Skris cpk= &(c->pkeys[SSL_PKEY_DH_RSA]); 133855714Skris dh_rsa= (cpk->x509 != NULL && cpk->privatekey != NULL); 133955714Skris dh_rsa_export=(dh_rsa && EVP_PKEY_size(cpk->privatekey)*8 <= kl); 134055714Skris cpk= &(c->pkeys[SSL_PKEY_DH_DSA]); 134155714Skris/* FIX THIS EAY EAY EAY */ 134255714Skris dh_dsa= (cpk->x509 != NULL && cpk->privatekey != NULL); 134355714Skris dh_dsa_export=(dh_dsa && EVP_PKEY_size(cpk->privatekey)*8 <= kl); 134455714Skris 134555714Skris mask=0; 134655714Skris emask=0; 134755714Skris 134855714Skris#ifdef CIPHER_DEBUG 134955714Skris printf("rt=%d rte=%d dht=%d re=%d ree=%d rs=%d ds=%d dhr=%d dhd=%d\n", 135055714Skris rsa_tmp,rsa_tmp_export,dh_tmp, 135155714Skris rsa_enc,rsa_enc_export,rsa_sign,dsa_sign,dh_rsa,dh_dsa); 135255714Skris#endif 135355714Skris 135455714Skris if (rsa_enc || (rsa_tmp && rsa_sign)) 135555714Skris mask|=SSL_kRSA; 135655714Skris if (rsa_enc_export || (rsa_tmp_export && (rsa_sign || rsa_enc))) 135755714Skris emask|=SSL_kRSA; 135855714Skris 135955714Skris#if 0 136055714Skris /* The match needs to be both kEDH and aRSA or aDSA, so don't worry */ 136155714Skris if ( (dh_tmp || dh_rsa || dh_dsa) && 136255714Skris (rsa_enc || rsa_sign || dsa_sign)) 136355714Skris mask|=SSL_kEDH; 136455714Skris if ((dh_tmp_export || dh_rsa_export || dh_dsa_export) && 136555714Skris (rsa_enc || rsa_sign || dsa_sign)) 136655714Skris emask|=SSL_kEDH; 136755714Skris#endif 136855714Skris 136955714Skris if (dh_tmp_export) 137055714Skris emask|=SSL_kEDH; 137155714Skris 137255714Skris if (dh_tmp) 137355714Skris mask|=SSL_kEDH; 137455714Skris 137555714Skris if (dh_rsa) mask|=SSL_kDHr; 137655714Skris if (dh_rsa_export) emask|=SSL_kDHr; 137755714Skris 137855714Skris if (dh_dsa) mask|=SSL_kDHd; 137955714Skris if (dh_dsa_export) emask|=SSL_kDHd; 138055714Skris 138155714Skris if (rsa_enc || rsa_sign) 138255714Skris { 138355714Skris mask|=SSL_aRSA; 138455714Skris emask|=SSL_aRSA; 138555714Skris } 138655714Skris 138755714Skris if (dsa_sign) 138855714Skris { 138955714Skris mask|=SSL_aDSS; 139055714Skris emask|=SSL_aDSS; 139155714Skris } 139255714Skris 139355714Skris mask|=SSL_aNULL; 139455714Skris emask|=SSL_aNULL; 139555714Skris 139655714Skris c->mask=mask; 139755714Skris c->export_mask=emask; 139855714Skris c->valid=1; 139955714Skris } 140055714Skris 140155714Skris/* THIS NEEDS CLEANING UP */ 140255714SkrisX509 *ssl_get_server_send_cert(SSL *s) 140355714Skris { 140455714Skris unsigned long alg,mask,kalg; 140555714Skris CERT *c; 140655714Skris int i,is_export; 140755714Skris 140855714Skris c=s->cert; 140955714Skris ssl_set_cert_masks(c, s->s3->tmp.new_cipher); 141055714Skris alg=s->s3->tmp.new_cipher->algorithms; 141159191Skris is_export=SSL_C_IS_EXPORT(s->s3->tmp.new_cipher); 141255714Skris mask=is_export?c->export_mask:c->mask; 141355714Skris kalg=alg&(SSL_MKEY_MASK|SSL_AUTH_MASK); 141455714Skris 141555714Skris if (kalg & SSL_kDHr) 141655714Skris i=SSL_PKEY_DH_RSA; 141755714Skris else if (kalg & SSL_kDHd) 141855714Skris i=SSL_PKEY_DH_DSA; 141955714Skris else if (kalg & SSL_aDSS) 142055714Skris i=SSL_PKEY_DSA_SIGN; 142155714Skris else if (kalg & SSL_aRSA) 142255714Skris { 142355714Skris if (c->pkeys[SSL_PKEY_RSA_ENC].x509 == NULL) 142455714Skris i=SSL_PKEY_RSA_SIGN; 142555714Skris else 142655714Skris i=SSL_PKEY_RSA_ENC; 142755714Skris } 142855714Skris else /* if (kalg & SSL_aNULL) */ 142955714Skris { 143055714Skris SSLerr(SSL_F_SSL_GET_SERVER_SEND_CERT,SSL_R_INTERNAL_ERROR); 143155714Skris return(NULL); 143255714Skris } 143355714Skris if (c->pkeys[i].x509 == NULL) return(NULL); 143455714Skris return(c->pkeys[i].x509); 143555714Skris } 143655714Skris 143755714SkrisEVP_PKEY *ssl_get_sign_pkey(SSL *s,SSL_CIPHER *cipher) 143855714Skris { 143955714Skris unsigned long alg; 144055714Skris CERT *c; 144155714Skris 144255714Skris alg=cipher->algorithms; 144355714Skris c=s->cert; 144455714Skris 144555714Skris if ((alg & SSL_aDSS) && 144655714Skris (c->pkeys[SSL_PKEY_DSA_SIGN].privatekey != NULL)) 144755714Skris return(c->pkeys[SSL_PKEY_DSA_SIGN].privatekey); 144855714Skris else if (alg & SSL_aRSA) 144955714Skris { 145055714Skris if (c->pkeys[SSL_PKEY_RSA_SIGN].privatekey != NULL) 145155714Skris return(c->pkeys[SSL_PKEY_RSA_SIGN].privatekey); 145255714Skris else if (c->pkeys[SSL_PKEY_RSA_ENC].privatekey != NULL) 145355714Skris return(c->pkeys[SSL_PKEY_RSA_ENC].privatekey); 145455714Skris else 145555714Skris return(NULL); 145655714Skris } 145755714Skris else /* if (alg & SSL_aNULL) */ 145855714Skris { 145955714Skris SSLerr(SSL_F_SSL_GET_SIGN_PKEY,SSL_R_INTERNAL_ERROR); 146055714Skris return(NULL); 146155714Skris } 146255714Skris } 146355714Skris 146455714Skrisvoid ssl_update_cache(SSL *s,int mode) 146555714Skris { 146655714Skris int i; 146755714Skris 146855714Skris /* If the session_id_length is 0, we are not supposed to cache it, 146955714Skris * and it would be rather hard to do anyway :-) */ 147055714Skris if (s->session->session_id_length == 0) return; 147155714Skris 147255714Skris if ((s->ctx->session_cache_mode & mode) 147355714Skris && (!s->hit) 147455714Skris && SSL_CTX_add_session(s->ctx,s->session) 147555714Skris && (s->ctx->new_session_cb != NULL)) 147655714Skris { 147755714Skris CRYPTO_add(&s->session->references,1,CRYPTO_LOCK_SSL_SESSION); 147855714Skris if (!s->ctx->new_session_cb(s,s->session)) 147955714Skris SSL_SESSION_free(s->session); 148055714Skris } 148155714Skris 148255714Skris /* auto flush every 255 connections */ 148355714Skris i=s->ctx->session_cache_mode; 148455714Skris if ((!(i & SSL_SESS_CACHE_NO_AUTO_CLEAR)) && 148555714Skris ((i & mode) == mode)) 148655714Skris { 148755714Skris if ( (((mode & SSL_SESS_CACHE_CLIENT) 148855714Skris ?s->ctx->stats.sess_connect_good 148955714Skris :s->ctx->stats.sess_accept_good) & 0xff) == 0xff) 149055714Skris { 149155714Skris SSL_CTX_flush_sessions(s->ctx,time(NULL)); 149255714Skris } 149355714Skris } 149455714Skris } 149555714Skris 149655714SkrisSSL_METHOD *SSL_get_ssl_method(SSL *s) 149755714Skris { 149855714Skris return(s->method); 149955714Skris } 150055714Skris 150155714Skrisint SSL_set_ssl_method(SSL *s,SSL_METHOD *meth) 150255714Skris { 150355714Skris int conn= -1; 150455714Skris int ret=1; 150555714Skris 150655714Skris if (s->method != meth) 150755714Skris { 150855714Skris if (s->handshake_func != NULL) 150955714Skris conn=(s->handshake_func == s->method->ssl_connect); 151055714Skris 151155714Skris if (s->method->version == meth->version) 151255714Skris s->method=meth; 151355714Skris else 151455714Skris { 151555714Skris s->method->ssl_free(s); 151655714Skris s->method=meth; 151755714Skris ret=s->method->ssl_new(s); 151855714Skris } 151955714Skris 152055714Skris if (conn == 1) 152155714Skris s->handshake_func=meth->ssl_connect; 152255714Skris else if (conn == 0) 152355714Skris s->handshake_func=meth->ssl_accept; 152455714Skris } 152555714Skris return(ret); 152655714Skris } 152755714Skris 152855714Skrisint SSL_get_error(SSL *s,int i) 152955714Skris { 153055714Skris int reason; 153155714Skris unsigned long l; 153255714Skris BIO *bio; 153355714Skris 153455714Skris if (i > 0) return(SSL_ERROR_NONE); 153555714Skris 153655714Skris /* Make things return SSL_ERROR_SYSCALL when doing SSL_do_handshake 153755714Skris * etc, where we do encode the error */ 153855714Skris if ((l=ERR_peek_error()) != 0) 153955714Skris { 154055714Skris if (ERR_GET_LIB(l) == ERR_LIB_SYS) 154155714Skris return(SSL_ERROR_SYSCALL); 154255714Skris else 154355714Skris return(SSL_ERROR_SSL); 154455714Skris } 154555714Skris 154655714Skris if ((i < 0) && SSL_want_read(s)) 154755714Skris { 154855714Skris bio=SSL_get_rbio(s); 154955714Skris if (BIO_should_read(bio)) 155055714Skris return(SSL_ERROR_WANT_READ); 155155714Skris else if (BIO_should_write(bio)) 155255714Skris /* This one doesn't make too much sense ... We never try 155355714Skris * to write to the rbio, and an application program where 155455714Skris * rbio and wbio are separate couldn't even know what it 155555714Skris * should wait for. 155655714Skris * However if we ever set s->rwstate incorrectly 155755714Skris * (so that we have SSL_want_read(s) instead of 155855714Skris * SSL_want_write(s)) and rbio and wbio *are* the same, 155955714Skris * this test works around that bug; so it might be safer 156055714Skris * to keep it. */ 156155714Skris return(SSL_ERROR_WANT_WRITE); 156255714Skris else if (BIO_should_io_special(bio)) 156355714Skris { 156455714Skris reason=BIO_get_retry_reason(bio); 156555714Skris if (reason == BIO_RR_CONNECT) 156655714Skris return(SSL_ERROR_WANT_CONNECT); 156755714Skris else 156855714Skris return(SSL_ERROR_SYSCALL); /* unknown */ 156955714Skris } 157055714Skris } 157155714Skris 157255714Skris if ((i < 0) && SSL_want_write(s)) 157355714Skris { 157455714Skris bio=SSL_get_wbio(s); 157555714Skris if (BIO_should_write(bio)) 157655714Skris return(SSL_ERROR_WANT_WRITE); 157755714Skris else if (BIO_should_read(bio)) 157855714Skris /* See above (SSL_want_read(s) with BIO_should_write(bio)) */ 157955714Skris return(SSL_ERROR_WANT_READ); 158055714Skris else if (BIO_should_io_special(bio)) 158155714Skris { 158255714Skris reason=BIO_get_retry_reason(bio); 158355714Skris if (reason == BIO_RR_CONNECT) 158455714Skris return(SSL_ERROR_WANT_CONNECT); 158555714Skris else 158655714Skris return(SSL_ERROR_SYSCALL); 158755714Skris } 158855714Skris } 158955714Skris if ((i < 0) && SSL_want_x509_lookup(s)) 159055714Skris { 159155714Skris return(SSL_ERROR_WANT_X509_LOOKUP); 159255714Skris } 159355714Skris 159455714Skris if (i == 0) 159555714Skris { 159655714Skris if (s->version == SSL2_VERSION) 159755714Skris { 159855714Skris /* assume it is the socket being closed */ 159955714Skris return(SSL_ERROR_ZERO_RETURN); 160055714Skris } 160155714Skris else 160255714Skris { 160355714Skris if ((s->shutdown & SSL_RECEIVED_SHUTDOWN) && 160455714Skris (s->s3->warn_alert == SSL_AD_CLOSE_NOTIFY)) 160555714Skris return(SSL_ERROR_ZERO_RETURN); 160655714Skris } 160755714Skris } 160855714Skris return(SSL_ERROR_SYSCALL); 160955714Skris } 161055714Skris 161155714Skrisint SSL_do_handshake(SSL *s) 161255714Skris { 161355714Skris int ret=1; 161455714Skris 161555714Skris if (s->handshake_func == NULL) 161655714Skris { 161755714Skris SSLerr(SSL_F_SSL_DO_HANDSHAKE,SSL_R_CONNECTION_TYPE_NOT_SET); 161855714Skris return(-1); 161955714Skris } 162055714Skris 162155714Skris s->method->ssl_renegotiate_check(s); 162255714Skris 162355714Skris if (SSL_in_init(s) || SSL_in_before(s)) 162455714Skris { 162555714Skris ret=s->handshake_func(s); 162655714Skris } 162755714Skris return(ret); 162855714Skris } 162955714Skris 163055714Skris/* For the next 2 functions, SSL_clear() sets shutdown and so 163155714Skris * one of these calls will reset it */ 163255714Skrisvoid SSL_set_accept_state(SSL *s) 163355714Skris { 163455714Skris s->server=1; 163555714Skris s->shutdown=0; 163655714Skris s->state=SSL_ST_ACCEPT|SSL_ST_BEFORE; 163755714Skris s->handshake_func=s->method->ssl_accept; 163855714Skris /* clear the current cipher */ 163955714Skris ssl_clear_cipher_ctx(s); 164055714Skris } 164155714Skris 164255714Skrisvoid SSL_set_connect_state(SSL *s) 164355714Skris { 164455714Skris s->server=0; 164555714Skris s->shutdown=0; 164655714Skris s->state=SSL_ST_CONNECT|SSL_ST_BEFORE; 164755714Skris s->handshake_func=s->method->ssl_connect; 164855714Skris /* clear the current cipher */ 164955714Skris ssl_clear_cipher_ctx(s); 165055714Skris } 165155714Skris 165255714Skrisint ssl_undefined_function(SSL *s) 165355714Skris { 165455714Skris SSLerr(SSL_F_SSL_UNDEFINED_FUNCTION,ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 165555714Skris return(0); 165655714Skris } 165755714Skris 165855714SkrisSSL_METHOD *ssl_bad_method(int ver) 165955714Skris { 166055714Skris SSLerr(SSL_F_SSL_BAD_METHOD,ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 166155714Skris return(NULL); 166255714Skris } 166355714Skris 166459191Skrisconst char *SSL_get_version(SSL *s) 166555714Skris { 166655714Skris if (s->version == TLS1_VERSION) 166755714Skris return("TLSv1"); 166855714Skris else if (s->version == SSL3_VERSION) 166955714Skris return("SSLv3"); 167055714Skris else if (s->version == SSL2_VERSION) 167155714Skris return("SSLv2"); 167255714Skris else 167355714Skris return("unknown"); 167455714Skris } 167555714Skris 167655714SkrisSSL *SSL_dup(SSL *s) 167755714Skris { 167855714Skris STACK_OF(X509_NAME) *sk; 167955714Skris X509_NAME *xn; 168055714Skris SSL *ret; 168155714Skris int i; 168255714Skris 168355714Skris if ((ret=SSL_new(SSL_get_SSL_CTX(s))) == NULL) 168455714Skris return(NULL); 168555714Skris 168655714Skris if (s->session != NULL) 168755714Skris { 168855714Skris /* This copies session-id, SSL_METHOD, sid_ctx, and 'cert' */ 168955714Skris SSL_copy_session_id(ret,s); 169055714Skris } 169155714Skris else 169255714Skris { 169355714Skris /* No session has been established yet, so we have to expect 169455714Skris * that s->cert or ret->cert will be changed later -- 169555714Skris * they should not both point to the same object, 169655714Skris * and thus we can't use SSL_copy_session_id. */ 169755714Skris 169855714Skris ret->method = s->method; 169955714Skris ret->method->ssl_new(ret); 170055714Skris 170155714Skris if (s->cert != NULL) 170255714Skris { 170376866Skris if (ret->cert != NULL) 170476866Skris { 170576866Skris ssl_cert_free(ret->cert); 170676866Skris } 170755714Skris ret->cert = ssl_cert_dup(s->cert); 170855714Skris if (ret->cert == NULL) 170955714Skris goto err; 171055714Skris } 171155714Skris 171255714Skris SSL_set_session_id_context(ret, 171355714Skris s->sid_ctx, s->sid_ctx_length); 171455714Skris } 171555714Skris 171655714Skris SSL_set_read_ahead(ret,SSL_get_read_ahead(s)); 171755714Skris SSL_set_verify(ret,SSL_get_verify_mode(s), 171855714Skris SSL_get_verify_callback(s)); 171955714Skris SSL_set_verify_depth(ret,SSL_get_verify_depth(s)); 172055714Skris 172155714Skris SSL_set_info_callback(ret,SSL_get_info_callback(s)); 172255714Skris 172355714Skris ret->debug=s->debug; 172455714Skris ret->options=s->options; 172555714Skris 172655714Skris /* copy app data, a little dangerous perhaps */ 172755714Skris if (!CRYPTO_dup_ex_data(ssl_meth,&ret->ex_data,&s->ex_data)) 172855714Skris goto err; 172955714Skris 173055714Skris /* setup rbio, and wbio */ 173155714Skris if (s->rbio != NULL) 173255714Skris { 173355714Skris if (!BIO_dup_state(s->rbio,(char *)&ret->rbio)) 173455714Skris goto err; 173555714Skris } 173655714Skris if (s->wbio != NULL) 173755714Skris { 173855714Skris if (s->wbio != s->rbio) 173955714Skris { 174055714Skris if (!BIO_dup_state(s->wbio,(char *)&ret->wbio)) 174155714Skris goto err; 174255714Skris } 174355714Skris else 174455714Skris ret->wbio=ret->rbio; 174555714Skris } 174655714Skris 174755714Skris /* dup the cipher_list and cipher_list_by_id stacks */ 174855714Skris if (s->cipher_list != NULL) 174955714Skris { 175055714Skris if ((ret->cipher_list=sk_SSL_CIPHER_dup(s->cipher_list)) == NULL) 175155714Skris goto err; 175255714Skris } 175355714Skris if (s->cipher_list_by_id != NULL) 175455714Skris if ((ret->cipher_list_by_id=sk_SSL_CIPHER_dup(s->cipher_list_by_id)) 175555714Skris == NULL) 175655714Skris goto err; 175755714Skris 175855714Skris /* Dup the client_CA list */ 175955714Skris if (s->client_CA != NULL) 176055714Skris { 176155714Skris if ((sk=sk_X509_NAME_dup(s->client_CA)) == NULL) goto err; 176255714Skris ret->client_CA=sk; 176355714Skris for (i=0; i<sk_X509_NAME_num(sk); i++) 176455714Skris { 176555714Skris xn=sk_X509_NAME_value(sk,i); 176655714Skris if (sk_X509_NAME_set(sk,i,X509_NAME_dup(xn)) == NULL) 176755714Skris { 176855714Skris X509_NAME_free(xn); 176955714Skris goto err; 177055714Skris } 177155714Skris } 177255714Skris } 177355714Skris 177455714Skris ret->shutdown=s->shutdown; 177555714Skris ret->state=s->state; 177655714Skris ret->handshake_func=s->handshake_func; 177755714Skris ret->server=s->server; 177855714Skris 177955714Skris if (0) 178055714Skris { 178155714Skriserr: 178255714Skris if (ret != NULL) SSL_free(ret); 178355714Skris ret=NULL; 178455714Skris } 178555714Skris return(ret); 178655714Skris } 178755714Skris 178855714Skrisvoid ssl_clear_cipher_ctx(SSL *s) 178955714Skris { 179055714Skris if (s->enc_read_ctx != NULL) 179155714Skris { 179255714Skris EVP_CIPHER_CTX_cleanup(s->enc_read_ctx); 179368651Skris OPENSSL_free(s->enc_read_ctx); 179455714Skris s->enc_read_ctx=NULL; 179555714Skris } 179655714Skris if (s->enc_write_ctx != NULL) 179755714Skris { 179855714Skris EVP_CIPHER_CTX_cleanup(s->enc_write_ctx); 179968651Skris OPENSSL_free(s->enc_write_ctx); 180055714Skris s->enc_write_ctx=NULL; 180155714Skris } 180255714Skris if (s->expand != NULL) 180355714Skris { 180455714Skris COMP_CTX_free(s->expand); 180555714Skris s->expand=NULL; 180655714Skris } 180755714Skris if (s->compress != NULL) 180855714Skris { 180955714Skris COMP_CTX_free(s->compress); 181055714Skris s->compress=NULL; 181155714Skris } 181255714Skris } 181355714Skris 181455714Skris/* Fix this function so that it takes an optional type parameter */ 181555714SkrisX509 *SSL_get_certificate(SSL *s) 181655714Skris { 181755714Skris if (s->cert != NULL) 181855714Skris return(s->cert->key->x509); 181955714Skris else 182055714Skris return(NULL); 182155714Skris } 182255714Skris 182355714Skris/* Fix this function so that it takes an optional type parameter */ 182455714SkrisEVP_PKEY *SSL_get_privatekey(SSL *s) 182555714Skris { 182655714Skris if (s->cert != NULL) 182755714Skris return(s->cert->key->privatekey); 182855714Skris else 182955714Skris return(NULL); 183055714Skris } 183155714Skris 183255714SkrisSSL_CIPHER *SSL_get_current_cipher(SSL *s) 183355714Skris { 183455714Skris if ((s->session != NULL) && (s->session->cipher != NULL)) 183555714Skris return(s->session->cipher); 183655714Skris return(NULL); 183755714Skris } 183855714Skris 183955714Skrisint ssl_init_wbio_buffer(SSL *s,int push) 184055714Skris { 184155714Skris BIO *bbio; 184255714Skris 184355714Skris if (s->bbio == NULL) 184455714Skris { 184555714Skris bbio=BIO_new(BIO_f_buffer()); 184655714Skris if (bbio == NULL) return(0); 184755714Skris s->bbio=bbio; 184855714Skris } 184955714Skris else 185055714Skris { 185155714Skris bbio=s->bbio; 185255714Skris if (s->bbio == s->wbio) 185355714Skris s->wbio=BIO_pop(s->wbio); 185455714Skris } 185555714Skris (void)BIO_reset(bbio); 185655714Skris/* if (!BIO_set_write_buffer_size(bbio,16*1024)) */ 185755714Skris if (!BIO_set_read_buffer_size(bbio,1)) 185855714Skris { 185955714Skris SSLerr(SSL_F_SSL_INIT_WBIO_BUFFER,ERR_R_BUF_LIB); 186055714Skris return(0); 186155714Skris } 186255714Skris if (push) 186355714Skris { 186455714Skris if (s->wbio != bbio) 186555714Skris s->wbio=BIO_push(bbio,s->wbio); 186655714Skris } 186755714Skris else 186855714Skris { 186955714Skris if (s->wbio == bbio) 187055714Skris s->wbio=BIO_pop(bbio); 187155714Skris } 187255714Skris return(1); 187355714Skris } 187455714Skris 187555714Skrisvoid ssl_free_wbio_buffer(SSL *s) 187655714Skris { 187755714Skris if (s->bbio == NULL) return; 187855714Skris 187955714Skris if (s->bbio == s->wbio) 188055714Skris { 188155714Skris /* remove buffering */ 188268651Skris s->wbio=BIO_pop(s->wbio); 188368651Skris#ifdef REF_CHECK /* not the usual REF_CHECK, but this avoids adding one more preprocessor symbol */ 188468651Skris assert(s->wbio != NULL); 188568651Skris#endif 188668651Skris } 188755714Skris BIO_free(s->bbio); 188855714Skris s->bbio=NULL; 188955714Skris } 189055714Skris 189155714Skrisvoid SSL_CTX_set_quiet_shutdown(SSL_CTX *ctx,int mode) 189255714Skris { 189355714Skris ctx->quiet_shutdown=mode; 189455714Skris } 189555714Skris 189655714Skrisint SSL_CTX_get_quiet_shutdown(SSL_CTX *ctx) 189755714Skris { 189855714Skris return(ctx->quiet_shutdown); 189955714Skris } 190055714Skris 190155714Skrisvoid SSL_set_quiet_shutdown(SSL *s,int mode) 190255714Skris { 190355714Skris s->quiet_shutdown=mode; 190455714Skris } 190555714Skris 190655714Skrisint SSL_get_quiet_shutdown(SSL *s) 190755714Skris { 190855714Skris return(s->quiet_shutdown); 190955714Skris } 191055714Skris 191155714Skrisvoid SSL_set_shutdown(SSL *s,int mode) 191255714Skris { 191355714Skris s->shutdown=mode; 191455714Skris } 191555714Skris 191655714Skrisint SSL_get_shutdown(SSL *s) 191755714Skris { 191855714Skris return(s->shutdown); 191955714Skris } 192055714Skris 192155714Skrisint SSL_version(SSL *s) 192255714Skris { 192355714Skris return(s->version); 192455714Skris } 192555714Skris 192655714SkrisSSL_CTX *SSL_get_SSL_CTX(SSL *ssl) 192755714Skris { 192855714Skris return(ssl->ctx); 192955714Skris } 193055714Skris 193155714Skris#ifndef NO_STDIO 193255714Skrisint SSL_CTX_set_default_verify_paths(SSL_CTX *ctx) 193355714Skris { 193455714Skris return(X509_STORE_set_default_paths(ctx->cert_store)); 193555714Skris } 193655714Skris 193755714Skrisint SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile, 193855714Skris const char *CApath) 193955714Skris { 194055714Skris return(X509_STORE_load_locations(ctx->cert_store,CAfile,CApath)); 194155714Skris } 194255714Skris#endif 194355714Skris 194455714Skrisvoid SSL_set_info_callback(SSL *ssl,void (*cb)()) 194555714Skris { 194655714Skris ssl->info_callback=cb; 194755714Skris } 194855714Skris 194955714Skrisvoid (*SSL_get_info_callback(SSL *ssl))(void) 195055714Skris { 195155714Skris return((void (*)())ssl->info_callback); 195255714Skris } 195355714Skris 195455714Skrisint SSL_state(SSL *ssl) 195555714Skris { 195655714Skris return(ssl->state); 195755714Skris } 195855714Skris 195955714Skrisvoid SSL_set_verify_result(SSL *ssl,long arg) 196055714Skris { 196155714Skris ssl->verify_result=arg; 196255714Skris } 196355714Skris 196455714Skrislong SSL_get_verify_result(SSL *ssl) 196555714Skris { 196655714Skris return(ssl->verify_result); 196755714Skris } 196855714Skris 196959191Skrisint SSL_get_ex_new_index(long argl,void *argp,CRYPTO_EX_new *new_func, 197059191Skris CRYPTO_EX_dup *dup_func,CRYPTO_EX_free *free_func) 197155714Skris { 197255714Skris ssl_meth_num++; 197355714Skris return(CRYPTO_get_ex_new_index(ssl_meth_num-1, 197455714Skris &ssl_meth,argl,argp,new_func,dup_func,free_func)); 197555714Skris } 197655714Skris 197755714Skrisint SSL_set_ex_data(SSL *s,int idx,void *arg) 197855714Skris { 197955714Skris return(CRYPTO_set_ex_data(&s->ex_data,idx,arg)); 198055714Skris } 198155714Skris 198255714Skrisvoid *SSL_get_ex_data(SSL *s,int idx) 198355714Skris { 198455714Skris return(CRYPTO_get_ex_data(&s->ex_data,idx)); 198555714Skris } 198655714Skris 198759191Skrisint SSL_CTX_get_ex_new_index(long argl,void *argp,CRYPTO_EX_new *new_func, 198859191Skris CRYPTO_EX_dup *dup_func,CRYPTO_EX_free *free_func) 198955714Skris { 199055714Skris ssl_ctx_meth_num++; 199155714Skris return(CRYPTO_get_ex_new_index(ssl_ctx_meth_num-1, 199255714Skris &ssl_ctx_meth,argl,argp,new_func,dup_func,free_func)); 199355714Skris } 199455714Skris 199555714Skrisint SSL_CTX_set_ex_data(SSL_CTX *s,int idx,void *arg) 199655714Skris { 199755714Skris return(CRYPTO_set_ex_data(&s->ex_data,idx,arg)); 199855714Skris } 199955714Skris 200055714Skrisvoid *SSL_CTX_get_ex_data(SSL_CTX *s,int idx) 200155714Skris { 200255714Skris return(CRYPTO_get_ex_data(&s->ex_data,idx)); 200355714Skris } 200455714Skris 200555714Skrisint ssl_ok(SSL *s) 200655714Skris { 200755714Skris return(1); 200855714Skris } 200955714Skris 201055714SkrisX509_STORE *SSL_CTX_get_cert_store(SSL_CTX *ctx) 201155714Skris { 201255714Skris return(ctx->cert_store); 201355714Skris } 201455714Skris 201555714Skrisvoid SSL_CTX_set_cert_store(SSL_CTX *ctx,X509_STORE *store) 201655714Skris { 201755714Skris if (ctx->cert_store != NULL) 201855714Skris X509_STORE_free(ctx->cert_store); 201955714Skris ctx->cert_store=store; 202055714Skris } 202155714Skris 202255714Skrisint SSL_want(SSL *s) 202355714Skris { 202455714Skris return(s->rwstate); 202555714Skris } 202655714Skris 202755714Skris/*! 202855714Skris * \brief Set the callback for generating temporary RSA keys. 202955714Skris * \param ctx the SSL context. 203055714Skris * \param cb the callback 203155714Skris */ 203255714Skris 203355714Skris#ifndef NO_RSA 203455714Skrisvoid SSL_CTX_set_tmp_rsa_callback(SSL_CTX *ctx,RSA *(*cb)(SSL *ssl, 203555714Skris int is_export, 203655714Skris int keylength)) 203759191Skris { 203859191Skris SSL_CTX_callback_ctrl(ctx,SSL_CTRL_SET_TMP_RSA_CB,(void (*)())cb); 203959191Skris } 204055714Skris 204159191Skrisvoid SSL_set_tmp_rsa_callback(SSL *ssl,RSA *(*cb)(SSL *ssl, 204259191Skris int is_export, 204359191Skris int keylength)) 204459191Skris { 204559191Skris SSL_callback_ctrl(ssl,SSL_CTRL_SET_TMP_RSA_CB,(void (*)())cb); 204659191Skris } 204755714Skris#endif 204855714Skris 204955714Skris#ifdef DOXYGEN 205055714Skris/*! 205155714Skris * \brief The RSA temporary key callback function. 205255714Skris * \param ssl the SSL session. 205355714Skris * \param is_export \c TRUE if the temp RSA key is for an export ciphersuite. 205455714Skris * \param keylength if \c is_export is \c TRUE, then \c keylength is the size 205555714Skris * of the required key in bits. 205655714Skris * \return the temporary RSA key. 205755714Skris * \sa SSL_CTX_set_tmp_rsa_callback, SSL_set_tmp_rsa_callback 205855714Skris */ 205955714Skris 206055714SkrisRSA *cb(SSL *ssl,int is_export,int keylength) 206155714Skris {} 206255714Skris#endif 206355714Skris 206455714Skris/*! 206555714Skris * \brief Set the callback for generating temporary DH keys. 206655714Skris * \param ctx the SSL context. 206755714Skris * \param dh the callback 206855714Skris */ 206955714Skris 207055714Skris#ifndef NO_DH 207155714Skrisvoid SSL_CTX_set_tmp_dh_callback(SSL_CTX *ctx,DH *(*dh)(SSL *ssl,int is_export, 207255714Skris int keylength)) 207359191Skris { 207459191Skris SSL_CTX_callback_ctrl(ctx,SSL_CTRL_SET_TMP_DH_CB,(void (*)())dh); 207559191Skris } 207655714Skris 207755714Skrisvoid SSL_set_tmp_dh_callback(SSL *ssl,DH *(*dh)(SSL *ssl,int is_export, 207859191Skris int keylength)) 207959191Skris { 208059191Skris SSL_callback_ctrl(ssl,SSL_CTRL_SET_TMP_DH_CB,(void (*)())dh); 208159191Skris } 208255714Skris#endif 208355714Skris 208455714Skris#if defined(_WINDLL) && defined(WIN16) 208555714Skris#include "../crypto/bio/bss_file.c" 208655714Skris#endif 208755714Skris 208855714SkrisIMPLEMENT_STACK_OF(SSL_CIPHER) 208955714SkrisIMPLEMENT_STACK_OF(SSL_COMP) 2090