]> git.ipfire.org Git - thirdparty/openssl.git/blob - ssl/s3_lib.c
projects / thirdparty / openssl.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Import of old SSLeay release: SSLeay 0.9.1b (unreleased)
[thirdparty/openssl.git] / ssl / s3_lib.c
1 /* ssl/s3_lib.c */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59 #include <stdio.h>
60 #include "objects.h"
61 #include "ssl_locl.h"
62
63 char *ssl3_version_str="SSLv3 part of SSLeay 0.9.1a 06-Jul-1998";
64
65 #define SSL3_NUM_CIPHERS (sizeof(ssl3_ciphers)/sizeof(SSL_CIPHER))
66
67 #ifndef NOPROTO
68 static long ssl3_default_timeout(void );
69 #else
70 static long ssl3_default_timeout();
71 #endif
72
73 SSL_CIPHER ssl3_ciphers[]={
74 /* The RSA ciphers */
75 /* Cipher 01 */
76 {
77 1,
78 SSL3_TXT_RSA_NULL_MD5,
79 SSL3_CK_RSA_NULL_MD5,
80 SSL_kRSA|SSL_aRSA|SSL_eNULL |SSL_MD5|SSL_NOT_EXP|SSL_SSLV3,
81 0,
82 SSL_ALL_CIPHERS,
83 },
84 /* Cipher 02 */
85 {
86 1,
87 SSL3_TXT_RSA_NULL_SHA,
88 SSL3_CK_RSA_NULL_SHA,
89 SSL_kRSA|SSL_aRSA|SSL_eNULL |SSL_SHA1|SSL_NOT_EXP|SSL_SSLV3,
90 0,
91 SSL_ALL_CIPHERS,
92 },
93
94 /* anon DH */
95 /* Cipher 17 */
96 {
97 1,
98 SSL3_TXT_ADH_RC4_40_MD5,
99 SSL3_CK_ADH_RC4_40_MD5,
100 SSL_kEDH |SSL_aNULL|SSL_RC4 |SSL_MD5 |SSL_EXP|SSL_SSLV3,
101 0,
102 SSL_ALL_CIPHERS,
103 },
104 /* Cipher 18 */
105 {
106 1,
107 SSL3_TXT_ADH_RC4_128_MD5,
108 SSL3_CK_ADH_RC4_128_MD5,
109 SSL_kEDH |SSL_aNULL|SSL_RC4 |SSL_MD5|SSL_NOT_EXP|SSL_SSLV3,
110 0,
111 SSL_ALL_CIPHERS,
112 },
113 /* Cipher 19 */
114 {
115 1,
116 SSL3_TXT_ADH_DES_40_CBC_SHA,
117 SSL3_CK_ADH_DES_40_CBC_SHA,
118 SSL_kEDH |SSL_aNULL|SSL_DES|SSL_SHA1|SSL_EXP|SSL_SSLV3,
119 0,
120 SSL_ALL_CIPHERS,
121 },
122 /* Cipher 1A */
123 {
124 1,
125 SSL3_TXT_ADH_DES_64_CBC_SHA,
126 SSL3_CK_ADH_DES_64_CBC_SHA,
127 SSL_kEDH |SSL_aNULL|SSL_DES |SSL_SHA1|SSL_NOT_EXP|SSL_SSLV3,
128 0,
129 SSL_ALL_CIPHERS,
130 },
131 /* Cipher 1B */
132 {
133 1,
134 SSL3_TXT_ADH_DES_192_CBC_SHA,
135 SSL3_CK_ADH_DES_192_CBC_SHA,
136 SSL_kEDH |SSL_aNULL|SSL_3DES |SSL_SHA1|SSL_NOT_EXP|SSL_SSLV3,
137 0,
138 SSL_ALL_CIPHERS,
139 },
140
141 /* RSA again */
142 /* Cipher 03 */
143 {
144 1,
145 SSL3_TXT_RSA_RC4_40_MD5,
146 SSL3_CK_RSA_RC4_40_MD5,
147 SSL_kRSA|SSL_aRSA|SSL_RC4 |SSL_MD5 |SSL_EXP|SSL_SSLV3,
148 0,
149 SSL_ALL_CIPHERS,
150 },
151 /* Cipher 04 */
152 {
153 1,
154 SSL3_TXT_RSA_RC4_128_MD5,
155 SSL3_CK_RSA_RC4_128_MD5,
156 SSL_kRSA|SSL_aRSA|SSL_RC4 |SSL_MD5|SSL_NOT_EXP|SSL_SSLV3|SSL_MEDIUM,
157 0,
158 SSL_ALL_CIPHERS,
159 },
160 /* Cipher 05 */
161 {
162 1,
163 SSL3_TXT_RSA_RC4_128_SHA,
164 SSL3_CK_RSA_RC4_128_SHA,
165 SSL_kRSA|SSL_aRSA|SSL_RC4 |SSL_SHA1|SSL_NOT_EXP|SSL_SSLV3|SSL_MEDIUM,
166 0,
167 SSL_ALL_CIPHERS,
168 },
169 /* Cipher 06 */
170 {
171 1,
172 SSL3_TXT_RSA_RC2_40_MD5,
173 SSL3_CK_RSA_RC2_40_MD5,
174 SSL_kRSA|SSL_aRSA|SSL_RC2 |SSL_MD5 |SSL_EXP|SSL_SSLV3,
175 0,
176 SSL_ALL_CIPHERS,
177 },
178 /* Cipher 07 */
179 {
180 1,
181 SSL3_TXT_RSA_IDEA_128_SHA,
182 SSL3_CK_RSA_IDEA_128_SHA,
183 SSL_kRSA|SSL_aRSA|SSL_IDEA |SSL_SHA1|SSL_NOT_EXP|SSL_SSLV3|SSL_MEDIUM,
184 0,
185 SSL_ALL_CIPHERS,
186 },
187 /* Cipher 08 */
188 {
189 1,
190 SSL3_TXT_RSA_DES_40_CBC_SHA,
191 SSL3_CK_RSA_DES_40_CBC_SHA,
192 SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA1|SSL_EXP|SSL_SSLV3,
193 0,
194 SSL_ALL_CIPHERS,
195 },
196 /* Cipher 09 */
197 {
198 1,
199 SSL3_TXT_RSA_DES_64_CBC_SHA,
200 SSL3_CK_RSA_DES_64_CBC_SHA,
201 SSL_kRSA|SSL_aRSA|SSL_DES |SSL_SHA1|SSL_NOT_EXP|SSL_SSLV3|SSL_LOW,
202 0,
203 SSL_ALL_CIPHERS,
204 },
205 /* Cipher 0A */
206 {
207 1,
208 SSL3_TXT_RSA_DES_192_CBC3_SHA,
209 SSL3_CK_RSA_DES_192_CBC3_SHA,
210 SSL_kRSA|SSL_aRSA|SSL_3DES |SSL_SHA1|SSL_NOT_EXP|SSL_SSLV3|SSL_HIGH,
211 0,
212 SSL_ALL_CIPHERS,
213 },
214
215 /* The DH ciphers */
216 /* Cipher 0B */
217 {
218 0,
219 SSL3_TXT_DH_DSS_DES_40_CBC_SHA,
220 SSL3_CK_DH_DSS_DES_40_CBC_SHA,
221 SSL_kDHd |SSL_aDH|SSL_DES|SSL_SHA1|SSL_EXP|SSL_SSLV3,
222 0,
223 SSL_ALL_CIPHERS,
224 },
225 /* Cipher 0C */
226 {
227 0,
228 SSL3_TXT_DH_DSS_DES_64_CBC_SHA,
229 SSL3_CK_DH_DSS_DES_64_CBC_SHA,
230 SSL_kDHd |SSL_aDH|SSL_DES |SSL_SHA1|SSL_NOT_EXP|SSL_SSLV3|SSL_LOW,
231 0,
232 SSL_ALL_CIPHERS,
233 },
234 /* Cipher 0D */
235 {
236 0,
237 SSL3_TXT_DH_DSS_DES_192_CBC3_SHA,
238 SSL3_CK_DH_DSS_DES_192_CBC3_SHA,
239 SSL_kDHd |SSL_aDH|SSL_3DES |SSL_SHA1|SSL_NOT_EXP|SSL_SSLV3|SSL_HIGH,
240 0,
241 SSL_ALL_CIPHERS,
242 },
243 /* Cipher 0E */
244 {
245 0,
246 SSL3_TXT_DH_RSA_DES_40_CBC_SHA,
247 SSL3_CK_DH_RSA_DES_40_CBC_SHA,
248 SSL_kDHr |SSL_aDH|SSL_DES|SSL_SHA1|SSL_EXP|SSL_SSLV3,
249 0,
250 SSL_ALL_CIPHERS,
251 },
252 /* Cipher 0F */
253 {
254 0,
255 SSL3_TXT_DH_RSA_DES_64_CBC_SHA,
256 SSL3_CK_DH_RSA_DES_64_CBC_SHA,
257 SSL_kDHr |SSL_aDH|SSL_DES |SSL_SHA1|SSL_NOT_EXP|SSL_SSLV3|SSL_LOW,
258 0,
259 SSL_ALL_CIPHERS,
260 },
261 /* Cipher 10 */
262 {
263 0,
264 SSL3_TXT_DH_RSA_DES_192_CBC3_SHA,
265 SSL3_CK_DH_RSA_DES_192_CBC3_SHA,
266 SSL_kDHr |SSL_aDH|SSL_3DES |SSL_SHA1|SSL_NOT_EXP|SSL_SSLV3|SSL_HIGH,
267 0,
268 SSL_ALL_CIPHERS,
269 },
270
271 /* The Ephemeral DH ciphers */
272 /* Cipher 11 */
273 {
274 1,
275 SSL3_TXT_EDH_DSS_DES_40_CBC_SHA,
276 SSL3_CK_EDH_DSS_DES_40_CBC_SHA,
277 SSL_kEDH|SSL_aDSS|SSL_DES|SSL_SHA1|SSL_EXP|SSL_SSLV3,
278 0,
279 SSL_ALL_CIPHERS,
280 },
281 /* Cipher 12 */
282 {
283 1,
284 SSL3_TXT_EDH_DSS_DES_64_CBC_SHA,
285 SSL3_CK_EDH_DSS_DES_64_CBC_SHA,
286 SSL_kEDH|SSL_aDSS|SSL_DES |SSL_SHA1|SSL_NOT_EXP|SSL_SSLV3|SSL_LOW,
287 0,
288 SSL_ALL_CIPHERS,
289 },
290 /* Cipher 13 */
291 {
292 1,
293 SSL3_TXT_EDH_DSS_DES_192_CBC3_SHA,
294 SSL3_CK_EDH_DSS_DES_192_CBC3_SHA,
295 SSL_kEDH|SSL_aDSS|SSL_3DES |SSL_SHA1|SSL_NOT_EXP|SSL_SSLV3|SSL_HIGH,
296 0,
297 SSL_ALL_CIPHERS,
298 },
299 /* Cipher 14 */
300 {
301 1,
302 SSL3_TXT_EDH_RSA_DES_40_CBC_SHA,
303 SSL3_CK_EDH_RSA_DES_40_CBC_SHA,
304 SSL_kEDH|SSL_aRSA|SSL_DES|SSL_SHA1|SSL_EXP|SSL_SSLV3,
305 0,
306 SSL_ALL_CIPHERS,
307 },
308 /* Cipher 15 */
309 {
310 1,
311 SSL3_TXT_EDH_RSA_DES_64_CBC_SHA,
312 SSL3_CK_EDH_RSA_DES_64_CBC_SHA,
313 SSL_kEDH|SSL_aRSA|SSL_DES |SSL_SHA1|SSL_NOT_EXP|SSL_SSLV3|SSL_LOW,
314 0,
315 SSL_ALL_CIPHERS,
316 },
317 /* Cipher 16 */
318 {
319 1,
320 SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA,
321 SSL3_CK_EDH_RSA_DES_192_CBC3_SHA,
322 SSL_kEDH|SSL_aRSA|SSL_3DES |SSL_SHA1|SSL_NOT_EXP|SSL_SSLV3|SSL_HIGH,
323 0,
324 SSL_ALL_CIPHERS,
325 },
326
327 /* Fortezza */
328 /* Cipher 1C */
329 {
330 0,
331 SSL3_TXT_FZA_DMS_NULL_SHA,
332 SSL3_CK_FZA_DMS_NULL_SHA,
333 SSL_kFZA|SSL_aFZA |SSL_eNULL |SSL_SHA1|SSL_NOT_EXP|SSL_SSLV3,
334 0,
335 SSL_ALL_CIPHERS,
336 },
337
338 /* Cipher 1D */
339 {
340 0,
341 SSL3_TXT_FZA_DMS_FZA_SHA,
342 SSL3_CK_FZA_DMS_FZA_SHA,
343 SSL_kFZA|SSL_aFZA |SSL_eFZA |SSL_SHA1|SSL_NOT_EXP|SSL_SSLV3,
344 0,
345 SSL_ALL_CIPHERS,
346 },
347
348 /* Cipher 1E */
349 {
350 0,
351 SSL3_TXT_FZA_DMS_RC4_SHA,
352 SSL3_CK_FZA_DMS_RC4_SHA,
353 SSL_kFZA|SSL_aFZA |SSL_RC4 |SSL_SHA1|SSL_NOT_EXP|SSL_SSLV3,
354 0,
355 SSL_ALL_CIPHERS,
356 },
357
358 /* end of list */
359 };
360
361 static SSL3_ENC_METHOD SSLv3_enc_data={
362 ssl3_enc,
363 ssl3_mac,
364 ssl3_setup_key_block,
365 ssl3_generate_master_secret,
366 ssl3_change_cipher_state,
367 ssl3_final_finish_mac,
368 MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH,
369 ssl3_cert_verify_mac,
370 SSL3_MD_CLIENT_FINISHED_CONST,4,
371 SSL3_MD_SERVER_FINISHED_CONST,4,
372 ssl3_alert_code,
373 };
374
375 static SSL_METHOD SSLv3_data= {
376 SSL3_VERSION,
377 ssl3_new,
378 ssl3_clear,
379 ssl3_free,
380 ssl_undefined_function,
381 ssl_undefined_function,
382 ssl3_read,
383 ssl3_peek,
384 ssl3_write,
385 ssl3_shutdown,
386 ssl3_renegotiate,
387 ssl3_renegotiate_check,
388 ssl3_ctrl,
389 ssl3_ctx_ctrl,
390 ssl3_get_cipher_by_char,
391 ssl3_put_cipher_by_char,
392 ssl3_pending,
393 ssl3_num_ciphers,
394 ssl3_get_cipher,
395 ssl_bad_method,
396 ssl3_default_timeout,
397 &SSLv3_enc_data,
398 };
399
400 static long ssl3_default_timeout()
401 {
402 /* 2 hours, the 24 hours mentioned in the SSLv3 spec
403 * is way too long for http, the cache would over fill */
404 return(60*60*2);
405 }
406
407 SSL_METHOD *sslv3_base_method()
408 {
409 return(&SSLv3_data);
410 }
411
412 int ssl3_num_ciphers()
413 {
414 return(SSL3_NUM_CIPHERS);
415 }
416
417 SSL_CIPHER *ssl3_get_cipher(u)
418 unsigned int u;
419 {
420 if (u < SSL3_NUM_CIPHERS)
421 return(&(ssl3_ciphers[SSL3_NUM_CIPHERS-1-u]));
422 else
423 return(NULL);
424 }
425
426 /* The problem is that it may not be the correct record type */
427 int ssl3_pending(s)
428 SSL *s;
429 {
430 return(s->s3->rrec.length);
431 }
432
433 int ssl3_new(s)
434 SSL *s;
435 {
436 SSL3_CTX *s3;
437
438 if ((s3=(SSL3_CTX *)Malloc(sizeof(SSL3_CTX))) == NULL) goto err;
439 memset(s3,0,sizeof(SSL3_CTX));
440
441 s->s3=s3;
442 /*
443 s->s3->tmp.ca_names=NULL;
444 s->s3->tmp.key_block=NULL;
445 s->s3->tmp.key_block_length=0;
446 s->s3->rbuf.buf=NULL;
447 s->s3->wbuf.buf=NULL;
448 */
449
450 s->method->ssl_clear(s);
451 return(1);
452 err:
453 return(0);
454 }
455
456 void ssl3_free(s)
457 SSL *s;
458 {
459 ssl3_cleanup_key_block(s);
460 if (s->s3->rbuf.buf != NULL)
461 Free(s->s3->rbuf.buf);
462 if (s->s3->wbuf.buf != NULL)
463 Free(s->s3->wbuf.buf);
464 if (s->s3->rrec.comp != NULL)
465 Free(s->s3->rrec.comp);
466 #ifndef NO_DH
467 if (s->s3->tmp.dh != NULL)
468 DH_free(s->s3->tmp.dh);
469 #endif
470 if (s->s3->tmp.ca_names != NULL)
471 sk_pop_free(s->s3->tmp.ca_names,X509_NAME_free);
472 memset(s->s3,0,sizeof(SSL3_CTX));
473 Free(s->s3);
474 s->s3=NULL;
475 }
476
477 void ssl3_clear(s)
478 SSL *s;
479 {
480 unsigned char *rp,*wp;
481
482 ssl3_cleanup_key_block(s);
483 if (s->s3->tmp.ca_names != NULL)
484 sk_pop_free(s->s3->tmp.ca_names,X509_NAME_free);
485
486 rp=s->s3->rbuf.buf;
487 wp=s->s3->wbuf.buf;
488
489 memset(s->s3,0,sizeof(SSL3_CTX));
490 if (rp != NULL) s->s3->rbuf.buf=rp;
491 if (wp != NULL) s->s3->wbuf.buf=wp;
492
493 if (s->s3->rrec.comp != NULL)
494 {
495 Free(s->s3->rrec.comp);
496 s->s3->rrec.comp=NULL;
497 }
498
499 s->packet_length=0;
500 s->s3->renegotiate=0;
501 s->s3->total_renegotiations=0;
502 s->s3->num_renegotiations=0;
503 s->s3->in_read_app_data=0;
504 s->version=SSL3_VERSION;
505 }
506
507 long ssl3_ctrl(s,cmd,larg,parg)
508 SSL *s;
509 int cmd;
510 long larg;
511 char *parg;
512 {
513 int ret=0;
514
515 switch (cmd)
516 {
517 case SSL_CTRL_GET_SESSION_REUSED:
518 ret=s->hit;
519 break;
520 case SSL_CTRL_GET_CLIENT_CERT_REQUEST:
521 break;
522 case SSL_CTRL_GET_NUM_RENEGOTIATIONS:
523 ret=s->s3->num_renegotiations;
524 break;
525 case SSL_CTRL_CLEAR_NUM_RENEGOTIATIONS:
526 ret=s->s3->num_renegotiations;
527 s->s3->num_renegotiations=0;
528 break;
529 case SSL_CTRL_GET_TOTAL_RENEGOTIATIONS:
530 ret=s->s3->total_renegotiations;
531 break;
532 case SSL_CTRL_GET_FLAGS:
533 ret=s->s3->flags;
534 break;
535 default:
536 break;
537 }
538 return(ret);
539 }
540
541 long ssl3_ctx_ctrl(ctx,cmd,larg,parg)
542 SSL_CTX *ctx;
543 int cmd;
544 long larg;
545 char *parg;
546 {
547 CERT *cert;
548
549 cert=ctx->default_cert;
550
551 switch (cmd)
552 {
553 #ifndef NO_RSA
554 case SSL_CTRL_NEED_TMP_RSA:
555 if ( (cert->rsa_tmp == NULL) &&
556 ((cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL) ||
557 (EVP_PKEY_size(cert->pkeys[SSL_PKEY_RSA_ENC].privatekey) > (512/8)))
558 )
559 return(1);
560 else
561 return(0);
562 /* break; */
563 case SSL_CTRL_SET_TMP_RSA:
564 {
565 RSA *rsa;
566 int i;
567
568 rsa=(RSA *)parg;
569 i=1;
570 if (rsa == NULL)
571 i=0;
572 else
573 {
574 if ((rsa=RSAPrivateKey_dup(rsa)) == NULL)
575 i=0;
576 }
577 if (!i)
578 {
579 SSLerr(SSL_F_SSL3_CTX_CTRL,ERR_R_RSA_LIB);
580 return(0);
581 }
582 else
583 {
584 if (cert->rsa_tmp != NULL)
585 RSA_free(cert->rsa_tmp);
586 cert->rsa_tmp=rsa;
587 return(1);
588 }
589 }
590 /* break; */
591 case SSL_CTRL_SET_TMP_RSA_CB:
592 cert->rsa_tmp_cb=(RSA *(*)())parg;
593 break;
594 #endif
595 #ifndef NO_DH
596 case SSL_CTRL_SET_TMP_DH:
597 {
598 DH *new=NULL,*dh;
599 int rret=0;
600
601 dh=(DH *)parg;
602 if ( ((new=DHparams_dup(dh)) == NULL) ||
603 (!DH_generate_key(new)))
604 {
605 SSLerr(SSL_F_SSL3_CTX_CTRL,ERR_R_DH_LIB);
606 if (new != NULL) DH_free(new);
607 }
608 else
609 {
610 if (cert->dh_tmp != NULL)
611 DH_free(cert->dh_tmp);
612 cert->dh_tmp=new;
613 rret=1;
614 }
615 return(rret);
616 }
617 /*break; */
618 case SSL_CTRL_SET_TMP_DH_CB:
619 cert->dh_tmp_cb=(DH *(*)())parg;
620 break;
621 #endif
622 /* A Thwate special :-) */
623 case SSL_CTRL_EXTRA_CHAIN_CERT:
624 if (ctx->extra_certs == NULL)
625 {
626 if ((ctx->extra_certs=sk_new_null()) == NULL)
627 return(0);
628 }
629 sk_push(ctx->extra_certs,(char *)parg);
630 break;
631
632 default:
633 return(0);
634 }
635 return(1);
636 }
637
638 /* This function needs to check if the ciphers required are actually
639 * available */
640 SSL_CIPHER *ssl3_get_cipher_by_char(p)
641 unsigned char *p;
642 {
643 static int init=1;
644 static SSL_CIPHER *sorted[SSL3_NUM_CIPHERS];
645 SSL_CIPHER c,*cp= &c,**cpp;
646 unsigned long id;
647 int i;
648
649 if (init)
650 {
651 init=0;
652
653 for (i=0; i<SSL3_NUM_CIPHERS; i++)
654 sorted[i]= &(ssl3_ciphers[i]);
655
656 qsort( (char *)sorted,
657 SSL3_NUM_CIPHERS,sizeof(SSL_CIPHER *),
658 FP_ICC ssl_cipher_ptr_id_cmp);
659 }
660
661 id=0x03000000L|((unsigned long)p[0]<<8L)|(unsigned long)p[1];
662 c.id=id;
663 cpp=(SSL_CIPHER **)OBJ_bsearch((char *)&cp,
664 (char *)sorted,
665 SSL3_NUM_CIPHERS,sizeof(SSL_CIPHER *),
666 (int (*)())ssl_cipher_ptr_id_cmp);
667 if ((cpp == NULL) || !(*cpp)->valid)
668 return(NULL);
669 else
670 return(*cpp);
671 }
672
673 int ssl3_put_cipher_by_char(c,p)
674 SSL_CIPHER *c;
675 unsigned char *p;
676 {
677 long l;
678
679 if (p != NULL)
680 {
681 l=c->id;
682 if ((l & 0xff000000) != 0x03000000) return(0);
683 p[0]=((unsigned char)(l>> 8L))&0xFF;
684 p[1]=((unsigned char)(l ))&0xFF;
685 }
686 return(2);
687 }
688
689 int ssl3_part_read(s,i)
690 SSL *s;
691 int i;
692 {
693 s->rwstate=SSL_READING;
694
695 if (i < 0)
696 {
697 return(i);
698 }
699 else
700 {
701 s->init_num+=i;
702 return(0);
703 }
704 }
705
706 SSL_CIPHER *ssl3_choose_cipher(s,have,pref)
707 SSL *s;
708 STACK *have,*pref;
709 {
710 SSL_CIPHER *c,*ret=NULL;
711 int i,j,ok;
712 CERT *cert;
713 unsigned long alg,mask,emask;
714
715 /* Lets see which ciphers we can supported */
716 if (s->cert != NULL)
717 cert=s->cert;
718 else
719 cert=s->ctx->default_cert;
720
721 ssl_set_cert_masks(cert);
722 mask=cert->mask;
723 emask=cert->export_mask;
724
725 sk_set_cmp_func(pref,ssl_cipher_ptr_id_cmp);
726
727 for (i=0; i<sk_num(have); i++)
728 {
729 c=(SSL_CIPHER *)sk_value(have,i);
730 alg=c->algorithms&(SSL_MKEY_MASK|SSL_AUTH_MASK);
731 if (alg & SSL_EXPORT)
732 {
733 ok=((alg & emask) == alg)?1:0;
734 #ifdef CIPHER_DEBUG
735 printf("%d:[%08lX:%08lX]%s\n",ok,alg,mask,c->name);
736 #endif
737 }
738 else
739 {
740 ok=((alg & mask) == alg)?1:0;
741 #ifdef CIPHER_DEBUG
742 printf("%d:[%08lX:%08lX]%s\n",ok,alg,mask,c->name);
743 #endif
744 }
745
746 if (!ok) continue;
747
748 j=sk_find(pref,(char *)c);
749 if (j >= 0)
750 {
751 ret=(SSL_CIPHER *)sk_value(pref,j);
752 break;
753 }
754 }
755 return(ret);
756 }
757
758 int ssl3_get_req_cert_type(s,p)
759 SSL *s;
760 unsigned char *p;
761 {
762 int ret=0;
763 unsigned long alg;
764
765 alg=s->s3->tmp.new_cipher->algorithms;
766
767 #ifndef NO_DH
768 if (alg & (SSL_kDHr|SSL_kEDH))
769 {
770 # ifndef NO_RSA
771 p[ret++]=SSL3_CT_RSA_FIXED_DH;
772 # endif
773 # ifndef NO_DSA
774 p[ret++]=SSL3_CT_DSS_FIXED_DH;
775 # endif
776 }
777 if ((s->version == SSL3_VERSION) &&
778 (alg & (SSL_kEDH|SSL_kDHd|SSL_kDHr)))
779 {
780 # ifndef NO_RSA
781 p[ret++]=SSL3_CT_RSA_EPHEMERAL_DH;
782 # endif
783 # ifndef NO_DSA
784 p[ret++]=SSL3_CT_DSS_EPHEMERAL_DH;
785 # endif
786 }
787 #endif /* !NO_DH */
788 #ifndef NO_RSA
789 p[ret++]=SSL3_CT_RSA_SIGN;
790 #endif
791 #ifndef NO_DSA
792 p[ret++]=SSL3_CT_DSS_SIGN;
793 #endif
794 return(ret);
795 }
796
797 int ssl3_shutdown(s)
798 SSL *s;
799 {
800
801 /* Don't do anything much if we have not done the handshake or
802 * we don't want to send messages :-) */
803 if ((s->quiet_shutdown) || (s->state == SSL_ST_BEFORE))
804 {
805 s->shutdown=(SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN);
806 return(1);
807 }
808
809 if (!(s->shutdown & SSL_SENT_SHUTDOWN))
810 {
811 s->shutdown|=SSL_SENT_SHUTDOWN;
812 #if 1
813 ssl3_send_alert(s,SSL3_AL_WARNING,SSL_AD_CLOSE_NOTIFY);
814 #endif
815 /* our shutdown alert has been sent now, and if it still needs
816 * to be written, s->s3->alert_dispatch will be true */
817 }
818 else if (s->s3->alert_dispatch)
819 {
820 /* resend it if not sent */
821 #if 1
822 ssl3_dispatch_alert(s);
823 #endif
824 }
825 else if (!(s->shutdown & SSL_RECEIVED_SHUTDOWN))
826 {
827 /* If we are waiting for a close from our peer, we are closed */
828 ssl3_read_bytes(s,0,NULL,0);
829 }
830
831 if ((s->shutdown == (SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN)) &&
832 !s->s3->alert_dispatch)
833 return(1);
834 else
835 return(0);
836 }
837
838 int ssl3_write(s,buf,len)
839 SSL *s;
840 char *buf;
841 int len;
842 {
843 int ret,n;
844 BIO *under;
845
846 #if 0
847 if (s->shutdown & SSL_SEND_SHUTDOWN)
848 {
849 s->rwstate=SSL_NOTHING;
850 return(0);
851 }
852 #endif
853 clear_sys_error();
854 if (s->s3->renegotiate) ssl3_renegotiate_check(s);
855
856 /* This is an experimental flag that sends the
857 * last handshake message in the same packet as the first
858 * use data - used to see if it helps the TCP protocol during
859 * session-id reuse */
860 /* The second test is because the buffer may have been removed */
861 if ((s->s3->flags & SSL3_FLAGS_POP_BUFFER) && (s->wbio == s->bbio))
862 {
863 /* First time through, we write into the buffer */
864 if (s->s3->delay_buf_pop_ret == 0)
865 {
866 ret=ssl3_write_bytes(s,SSL3_RT_APPLICATION_DATA,
867 (char *)buf,len);
868 if (ret <= 0) return(ret);
869
870 s->s3->delay_buf_pop_ret=ret;
871 }
872
873 s->rwstate=SSL_WRITING;
874 n=BIO_flush(s->wbio);
875 if (n <= 0) return(n);
876 s->rwstate=SSL_NOTHING;
877
878 /* We have flushed the buffer */
879 under=BIO_pop(s->wbio);
880 s->wbio=under;
881 BIO_free(s->bbio);
882 s->bbio=NULL;
883 ret=s->s3->delay_buf_pop_ret;
884 s->s3->delay_buf_pop_ret=0;
885
886 s->s3->flags&= ~SSL3_FLAGS_POP_BUFFER;
887 }
888 else
889 {
890 ret=ssl3_write_bytes(s,SSL3_RT_APPLICATION_DATA,
891 (char *)buf,len);
892 if (ret <= 0) return(ret);
893 }
894
895 return(ret);
896 }
897
898 int ssl3_read(s,buf,len)
899 SSL *s;
900 char *buf;
901 int len;
902 {
903 int ret;
904
905 clear_sys_error();
906 if (s->s3->renegotiate) ssl3_renegotiate_check(s);
907 s->s3->in_read_app_data=1;
908 ret=ssl3_read_bytes(s,SSL3_RT_APPLICATION_DATA,buf,len);
909 if ((ret == -1) && (s->s3->in_read_app_data == 0))
910 {
911 ERR_get_error(); /* clear the error */
912 s->s3->in_read_app_data=0;
913 s->in_handshake++;
914 ret=ssl3_read_bytes(s,SSL3_RT_APPLICATION_DATA,buf,len);
915 s->in_handshake--;
916 }
917 else
918 s->s3->in_read_app_data=0;
919
920 return(ret);
921 }
922
923 int ssl3_peek(s,buf,len)
924 SSL *s;
925 char *buf;
926 int len;
927 {
928 SSL3_RECORD *rr;
929 int n;
930
931 rr= &(s->s3->rrec);
932 if ((rr->length == 0) || (rr->type != SSL3_RT_APPLICATION_DATA))
933 {
934 n=ssl3_read(s,buf,1);
935 if (n <= 0) return(n);
936 rr->length++;
937 rr->off--;
938 }
939
940 if ((unsigned int)len > rr->length)
941 n=rr->length;
942 else
943 n=len;
944 memcpy(buf,&(rr->data[rr->off]),(unsigned int)n);
945 return(n);
946 }
947
948 int ssl3_renegotiate(s)
949 SSL *s;
950 {
951 if (s->handshake_func == NULL)
952 return(1);
953
954 if (s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS)
955 return(0);
956
957 s->s3->renegotiate=1;
958 return(1);
959 }
960
961 int ssl3_renegotiate_check(s)
962 SSL *s;
963 {
964 int ret=0;
965
966 if (s->s3->renegotiate)
967 {
968 if ( (s->s3->rbuf.left == 0) &&
969 (s->s3->wbuf.left == 0) &&
970 !SSL_in_init(s))
971 {
972 /*
973 if we are the server, and we have sent a 'RENEGOTIATE' message, we
974 need to go to SSL_ST_ACCEPT.\1e
975 */
976 /* SSL_ST_ACCEPT */
977 s->state=SSL_ST_RENEGOTIATE;
978 s->s3->renegotiate=0;
979 s->s3->num_renegotiations++;
980 s->s3->total_renegotiations++;
981 ret=1;
982 }
983 }
984 return(ret);
985 }
986
987
A mirror of the official openssl repository