2 /* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com)
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
65 static unsigned long conn_hash(SSL_SESSION
*a
);
67 static unsigned long conn_hash();
70 char *SSL_version_str
="SSLeay 0.8.1b 29-Jun-1998";
77 if (s
->method
== NULL
) return;
82 /* This is set if we are doing dynamic renegotiation so keep
83 * the old cipher. It is sort of a SSL_clear_lite :-) */
84 if (s
->new_session
) return;
86 state
=s
->state
; /* Keep to check if we throw away the session-id */
89 s
->version
=s
->method
->version
;
90 s
->rwstate
=SSL_NOTHING
;
91 s
->state
=SSL_ST_BEFORE
;
92 s
->rstate
=SSL_ST_READ_HEADER
;
93 s
->read_ahead
=s
->ctx
->default_read_ahead
;
95 /* s->shutdown=(SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN); */
97 if (s
->init_buf
!= NULL
)
99 BUF_MEM_free(s
->init_buf
);
103 ssl_clear_cipher_ctx(s
);
105 if (ssl_clear_bad_session(s
))
107 SSL_SESSION_free(s
->session
);
111 s
->shutdown
=(SSL_SENT_SHUTDOWN
|SSL_RECEIVED_SHUTDOWN
);
114 s
->method
->ssl_clear(s
);
117 /* Used to change an SSL_CTXs default SSL method type */
118 int SSL_CTX_set_ssl_version(ctx
,meth
)
126 sk
=ssl_create_cipher_list(ctx
->method
,&(ctx
->cipher_list
),
127 &(ctx
->cipher_list_by_id
),SSL_DEFAULT_CIPHER_LIST
);
128 if ((sk
== NULL
) || (sk_num(sk
) <= 0))
130 SSLerr(SSL_F_SSL_CTX_SET_SSL_VERSION
,SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS
);
143 SSLerr(SSL_F_SSL_NEW
,SSL_R_NULL_SSL_CTX
);
146 if (ctx
->method
== NULL
)
148 SSLerr(SSL_F_SSL_NEW
,SSL_R_SSL_CTX_HAS_NO_DEFAULT_SSL_VERSION
);
152 s
=(SSL
*)Malloc(sizeof(SSL
));
153 if (s
== NULL
) goto err
;
154 memset(s
,0,sizeof(SSL
));
156 if (ctx
->default_cert
!= NULL
)
158 CRYPTO_add(&ctx
->default_cert
->references
,1,
159 CRYPTO_LOCK_SSL_CERT
);
160 s
->cert
=ctx
->default_cert
;
164 s
->verify_mode
=ctx
->default_verify_mode
;
165 s
->verify_callback
=ctx
->default_verify_callback
;
166 CRYPTO_add(&ctx
->references
,1,CRYPTO_LOCK_SSL_CTX
);
169 s
->verify_result
=X509_V_OK
;
171 s
->method
=ctx
->method
;
173 if (!s
->method
->ssl_new(s
))
180 s
->quiet_shutdown
=ctx
->quiet_shutdown
;
184 SSLerr(SSL_F_SSL_NEW
,ERR_R_MALLOC_FAILURE
);
193 /* If the buffering BIO is in place, pop it off */
194 if (s
->bbio
== s
->wbio
)
196 s
->wbio
=BIO_pop(s
->wbio
);
201 BIO_free_all(s
->rbio
);
202 if ((s
->wbio
!= NULL
) && (s
->wbio
!= s
->rbio
))
203 BIO_free_all(s
->wbio
);
205 if (s
->init_buf
!= NULL
) BUF_MEM_free(s
->init_buf
);
207 /* add extra stuff */
208 if (s
->cipher_list
!= NULL
) sk_free(s
->cipher_list
);
209 if (s
->cipher_list_by_id
!= NULL
) sk_free(s
->cipher_list_by_id
);
211 /* Make the next call work :-) */
212 if (s
->session
!= NULL
)
214 ssl_clear_bad_session(s
);
215 SSL_SESSION_free(s
->session
);
218 ssl_clear_cipher_ctx(s
);
220 if (s
->cert
!= NULL
) ssl_cert_free(s
->cert
);
221 /* Free up if allocated */
223 if (s
->ctx
) SSL_CTX_free(s
->ctx
);
225 if (s
->client_CA
!= NULL
)
226 sk_pop_free(s
->client_CA
,X509_NAME_free
);
228 if (s
->method
!= NULL
) s
->method
->ssl_free(s
);
233 void SSL_set_bio(s
, rbio
,wbio
)
238 /* If the output buffering BIO is still in place, remove it
242 if (s
->wbio
== s
->bbio
)
244 s
->wbio
=s
->wbio
->next_bio
;
245 s
->bbio
->next_bio
=NULL
;
248 if ((s
->rbio
!= NULL
) && (s
->rbio
!= rbio
))
249 BIO_free_all(s
->rbio
);
250 if ((s
->wbio
!= NULL
) && (s
->wbio
!= wbio
) && (s
->rbio
!= s
->wbio
))
251 BIO_free_all(s
->wbio
);
271 r
=BIO_find_type(b
,BIO_TYPE_DESCRIPTOR
);
278 int SSL_set_fd(s
, fd
)
285 bio
=BIO_new(BIO_s_socket());
289 SSLerr(SSL_F_SSL_SET_FD
,ERR_R_BUF_LIB
);
292 BIO_set_fd(bio
,fd
,BIO_NOCLOSE
);
293 SSL_set_bio(s
,bio
,bio
);
299 int SSL_set_wfd(s
, fd
)
306 bio
=BIO_new(BIO_s_socket());
309 { SSLerr(SSL_F_SSL_SET_WFD
,ERR_R_BUF_LIB
); goto err
; }
310 BIO_set_fd(bio
,fd
,BIO_NOCLOSE
);
311 SSL_set_bio(s
,SSL_get_rbio(s
),bio
);
317 int SSL_set_rfd(s
, fd
)
324 bio
=BIO_new(BIO_s_socket());
328 SSLerr(SSL_F_SSL_SET_RFD
,ERR_R_BUF_LIB
);
331 BIO_set_fd(bio
,fd
,BIO_NOCLOSE
);
332 SSL_set_bio(s
,bio
,SSL_get_wbio(s
));
339 int SSL_get_verify_mode(s
)
342 return(s
->verify_mode
);
345 int (*SSL_get_verify_callback(s
))()
348 return(s
->verify_callback
);
351 int SSL_CTX_get_verify_mode(ctx
)
354 return(ctx
->default_verify_mode
);
357 int (*SSL_CTX_get_verify_callback(ctx
))()
360 return(ctx
->default_verify_callback
);
363 void SSL_set_verify(s
, mode
, callback
)
369 if (callback
!= NULL
)
370 s
->verify_callback
=callback
;
373 void SSL_set_read_ahead(s
, yes
)
380 int SSL_get_read_ahead(s
)
383 return(s
->read_ahead
);
389 return(s
->method
->ssl_pending(s
));
392 X509
*SSL_get_peer_certificate(s
)
397 if ((s
== NULL
) || (s
->session
== NULL
))
402 if (r
== NULL
) return(r
);
404 CRYPTO_add(&r
->references
,1,CRYPTO_LOCK_X509
);
409 STACK
*SSL_get_peer_cert_chain(s
)
414 if ((s
== NULL
) || (s
->session
== NULL
) || (s
->session
->cert
== NULL
))
417 r
=s
->session
->cert
->cert_chain
;
422 /* Now in theory, since the calling process own 't' it should be safe to
423 * modify. We need to be able to read f without being hassled */
424 void SSL_copy_session_id(t
,f
)
429 /* Do we need to to SSL locking? */
430 SSL_set_session(t
,SSL_get_session(f
));
432 /* what if we are setup as SSLv2 but want to talk SSLv3 or
434 if (t
->method
!= f
->method
)
436 t
->method
->ssl_free(t
); /* cleanup current */
437 t
->method
=f
->method
; /* change method */
438 t
->method
->ssl_new(t
); /* setup new */
444 CRYPTO_add(&f
->cert
->references
,1,CRYPTO_LOCK_SSL_CERT
);
449 if (tmp
!= NULL
) ssl_cert_free(tmp
);
452 int SSL_CTX_check_private_key(ctx
)
455 if ( (ctx
== NULL
) ||
456 (ctx
->default_cert
== NULL
) ||
457 (ctx
->default_cert
->key
->x509
== NULL
))
459 SSLerr(SSL_F_SSL_CTX_CHECK_PRIVATE_KEY
,SSL_R_NO_CERTIFICATE_ASSIGNED
);
462 if (ctx
->default_cert
->key
->privatekey
== NULL
)
464 SSLerr(SSL_F_SSL_CTX_CHECK_PRIVATE_KEY
,SSL_R_NO_PRIVATE_KEY_ASSIGNED
);
467 return(X509_check_private_key(ctx
->default_cert
->key
->x509
, ctx
->default_cert
->key
->privatekey
));
470 int SSL_check_private_key(ssl
)
475 SSLerr(SSL_F_SSL_CHECK_PRIVATE_KEY
,ERR_R_PASSED_NULL_PARAMETER
);
478 if (ssl
->cert
== NULL
)
479 return(SSL_CTX_check_private_key(ssl
->ctx
));
480 if (ssl
->cert
->key
->x509
== NULL
)
482 SSLerr(SSL_F_SSL_CHECK_PRIVATE_KEY
,SSL_R_NO_CERTIFICATE_ASSIGNED
);
485 if (ssl
->cert
->key
->privatekey
== NULL
)
487 SSLerr(SSL_F_SSL_CHECK_PRIVATE_KEY
,SSL_R_NO_PRIVATE_KEY_ASSIGNED
);
490 return(X509_check_private_key(ssl
->cert
->key
->x509
,
491 ssl
->cert
->key
->privatekey
));
497 return(s
->method
->ssl_accept(s
));
503 return(s
->method
->ssl_connect(s
));
506 long SSL_get_default_timeout(s
)
509 return(s
->method
->get_timeout());
512 int SSL_read(s
,buf
,num
)
517 if (s
->shutdown
& SSL_RECEIVED_SHUTDOWN
)
519 s
->rwstate
=SSL_NOTHING
;
522 return(s
->method
->ssl_read(s
,buf
,num
));
525 int SSL_peek(s
,buf
,num
)
530 if (s
->shutdown
& SSL_RECEIVED_SHUTDOWN
)
534 return(s
->method
->ssl_peek(s
,buf
,num
));
537 int SSL_write(s
,buf
,num
)
542 if (s
->shutdown
& SSL_SENT_SHUTDOWN
)
544 s
->rwstate
=SSL_NOTHING
;
545 SSLerr(SSL_F_SSL_WRITE
,SSL_R_PROTOCOL_IS_SHUTDOWN
);
548 return(s
->method
->ssl_write(s
,buf
,num
));
554 if ((s
!= NULL
) && !SSL_in_init(s
))
555 return(s
->method
->ssl_shutdown(s
));
560 int SSL_renegotiate(s
)
563 return(s
->method
->ssl_renegotiate(s
));
566 long SSL_ctrl(s
,cmd
,larg
,parg
)
572 return(s
->method
->ssl_ctrl(s
,cmd
,larg
,parg
));
575 long SSL_CTX_ctrl(ctx
,cmd
,larg
,parg
)
581 return(ctx
->method
->ssl_ctx_ctrl(ctx
,cmd
,larg
,parg
));
584 int ssl_cipher_id_cmp(a
,b
)
593 return((l
> 0)?1:-1);
596 int ssl_cipher_ptr_id_cmp(ap
,bp
)
597 SSL_CIPHER
**ap
,**bp
;
601 l
=(*ap
)->id
-(*bp
)->id
;
605 return((l
> 0)?1:-1);
608 /* return a STACK of the ciphers available for the SSL and in order of
610 STACK
*SSL_get_ciphers(s
)
613 if ((s
!= NULL
) && (s
->cipher_list
!= NULL
))
615 return(s
->cipher_list
);
617 else if ((s
!= NULL
) && (s
->ctx
!= NULL
) &&
618 (s
->ctx
->cipher_list
!= NULL
))
620 return(s
->ctx
->cipher_list
);
625 /* return a STACK of the ciphers available for the SSL and in order of
627 STACK
*ssl_get_ciphers_by_id(s
)
630 if ((s
!= NULL
) && (s
->cipher_list_by_id
!= NULL
))
632 return(s
->cipher_list_by_id
);
634 else if ((s
!= NULL
) && (s
->ctx
!= NULL
) &&
635 (s
->ctx
->cipher_list_by_id
!= NULL
))
637 return(s
->ctx
->cipher_list_by_id
);
642 /* The old interface to get the same thing as SSL_get_ciphers() */
643 char *SSL_get_cipher_list(s
,n
)
650 if (s
== NULL
) return(NULL
);
651 sk
=SSL_get_ciphers(s
);
652 if ((sk
== NULL
) || (sk_num(sk
) <= n
))
654 c
=(SSL_CIPHER
*)sk_value(sk
,n
);
655 if (c
== NULL
) return(NULL
);
659 /* specify the ciphers to be used by defaut by the SSL_CTX */
660 int SSL_CTX_set_cipher_list(ctx
,str
)
666 sk
=ssl_create_cipher_list(ctx
->method
,&ctx
->cipher_list
,
667 &ctx
->cipher_list_by_id
,str
);
669 return((sk
== NULL
)?0:1);
672 /* specify the ciphers to be used by the SSL */
673 int SSL_set_cipher_list(s
, str
)
679 sk
=ssl_create_cipher_list(s
->ctx
->method
,&s
->cipher_list
,
680 &s
->cipher_list_by_id
,str
);
682 return((sk
== NULL
)?0:1);
685 /* works well for SSLv2, not so good for SSLv3 */
686 char *SSL_get_shared_ciphers(s
,buf
,len
)
696 if ((s
->session
== NULL
) || (s
->session
->ciphers
== NULL
) ||
701 sk
=s
->session
->ciphers
;
703 for (i
=0; i
<sk_num(sk
); i
++)
705 c
=(SSL_CIPHER
*)sk_value(sk
,i
);
706 for (cp
=c
->name
; *cp
; )
722 int ssl_cipher_list_to_bytes(s
,sk
,p
)
731 if (sk
== NULL
) return(0);
734 for (i
=0; i
<sk_num(sk
); i
++)
736 c
=(SSL_CIPHER
*)sk_value(sk
,i
);
737 j
=ssl_put_cipher_by_char(s
,c
,p
);
743 STACK
*ssl_bytes_to_cipher_list(s
,p
,num
,skp
)
753 n
=ssl_put_cipher_by_char(s
,NULL
,NULL
);
756 SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST
,SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST
);
759 if ((skp
== NULL
) || (*skp
== NULL
))
760 sk
=sk_new(NULL
); /* change perhaps later */
767 for (i
=0; i
<num
; i
+=n
)
769 c
=ssl_get_cipher_by_char(s
,p
);
773 if (!sk_push(sk
,(char *)c
))
775 SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST
,ERR_R_MALLOC_FAILURE
);
785 if ((skp
== NULL
) || (*skp
== NULL
))
790 static unsigned long conn_hash(a
)
795 l
= (a
->session_id
[0] )|(a
->session_id
[1]<< 8L)|
796 (a
->session_id
[1]<<16L)|(a
->session_id
[2]<<24L);
800 static int session_cmp(a
, b
)
806 i
=a
->session_id_length
- b
->session_id_length
;
808 return(memcmp(a
->session_id
,b
->session_id
,
809 a
->session_id_length
));
813 SSL_CTX
*SSL_CTX_new(meth
)
820 SSLerr(SSL_F_SSL_CTX_NEW
,SSL_R_NULL_SSL_METHOD_PASSED
);
823 ret
=(SSL_CTX
*)Malloc(sizeof(SSL_CTX
));
827 memset(ret
,0,sizeof(SSL_CTX
));
831 ret
->cert_store
=NULL
;
832 ret
->session_cache_mode
=SSL_SESS_CACHE_SERVER
;
834 /* We take the system default */
835 ret
->session_timeout
=meth
->get_timeout();
837 ret
->new_session_cb
=NULL
;
838 ret
->remove_session_cb
=NULL
;
839 ret
->get_session_cb
=NULL
;
842 ret
->sess_connect_good
=0;
844 ret
->sess_accept_good
=0;
851 ret
->quiet_shutdown
=0;
853 /* ret->cipher=NULL;*/
854 /* ret->s2->challenge=NULL;
855 ret->master_key=NULL;
857 ret->s2->conn_id=NULL; */
859 ret
->info_callback
=NULL
;
861 ret
->app_verify_callback
=NULL
;
862 ret
->app_verify_arg
=NULL
;
864 ret
->default_read_ahead
=0;
865 ret
->default_verify_mode
=SSL_VERIFY_NONE
;
866 ret
->default_verify_callback
=NULL
;
867 if ((ret
->default_cert
=ssl_cert_new()) == NULL
)
870 ret
->default_passwd_callback
=NULL
;
871 ret
->client_cert_cb
=NULL
;
873 ret
->sessions
=lh_new(conn_hash
,session_cmp
);
874 if (ret
->sessions
== NULL
) goto err
;
875 ret
->cert_store
=X509_STORE_new();
876 if (ret
->cert_store
== NULL
) goto err
;
878 ssl_create_cipher_list(ret
->method
,
879 &ret
->cipher_list
,&ret
->cipher_list_by_id
,
880 SSL_DEFAULT_CIPHER_LIST
);
881 if ((ret
->cipher_list
== NULL
) || (sk_num(ret
->cipher_list
) <= 0))
883 SSLerr(SSL_F_SSL_CTX_NEW
,SSL_R_LIBRARY_HAS_NO_CIPHERS
);
887 if ((ret
->client_CA
=sk_new_null()) == NULL
)
892 SSLerr(SSL_F_SSL_CTX_NEW
,ERR_R_MALLOC_FAILURE
);
894 if (ret
!= NULL
) SSL_CTX_free(ret
);
903 if (a
== NULL
) return;
905 i
=CRYPTO_add(&a
->references
,-1,CRYPTO_LOCK_SSL_CTX
);
910 fprintf(stderr
,"SSL_CTX_free, bad reference count\n");
915 if (a
->sessions
!= NULL
)
917 SSL_CTX_flush_sessions(a
,0);
918 lh_free(a
->sessions
);
920 if (a
->cert_store
!= NULL
)
921 X509_STORE_free(a
->cert_store
);
922 if (a
->cipher_list
!= NULL
)
923 sk_free(a
->cipher_list
);
924 if (a
->cipher_list_by_id
!= NULL
)
925 sk_free(a
->cipher_list_by_id
);
926 if (a
->default_cert
!= NULL
)
927 ssl_cert_free(a
->default_cert
);
928 if (a
->client_CA
!= NULL
)
929 sk_pop_free(a
->client_CA
,X509_NAME_free
);
933 void SSL_CTX_set_default_passwd_cb(ctx
,cb
)
937 ctx
->default_passwd_callback
=cb
;
940 void SSL_CTX_set_cert_verify_cb(ctx
,cb
,arg
)
945 ctx
->app_verify_callback
=cb
;
946 ctx
->app_verify_arg
=arg
;
949 void SSL_CTX_set_verify(ctx
,mode
,cb
)
954 ctx
->default_verify_mode
=mode
;
955 ctx
->default_verify_callback
=cb
;
956 /* This needs cleaning up EAY EAY EAY */
957 X509_STORE_set_verify_cb_func(ctx
->cert_store
,cb
);
960 void ssl_set_cert_masks(c
)
964 int rsa_enc
,rsa_tmp
,rsa_sign
,dh_tmp
,dh_rsa
,dh_dsa
,dsa_sign
;
965 int rsa_enc_export
,dh_rsa_export
,dh_dsa_export
;
966 int rsa_tmp_export
,dh_tmp_export
;
967 unsigned long mask
,emask
;
969 if ((c
== NULL
) || (c
->valid
)) return;
972 rsa_tmp
=((c
->rsa_tmp
!= NULL
) || (c
->rsa_tmp_cb
!= NULL
))?1:0;
973 rsa_tmp_export
=((c
->rsa_tmp_cb
!= NULL
) ||
974 (rsa_tmp
&& (RSA_size(c
->rsa_tmp
)*8 <= 512)))?1:0;
976 rsa_tmp
=rsa_tmp_export
=0;
979 dh_tmp
=((c
->dh_tmp
!= NULL
) || (c
->dh_tmp_cb
!= NULL
))?1:0;
980 dh_tmp_export
=((c
->dh_tmp_cb
!= NULL
) ||
981 (dh_tmp
&& (DH_size(c
->dh_tmp
)*8 <= 512)))?1:0;
983 dh_tmp
=dh_tmp_export
=0;
986 cpk
= &(c
->pkeys
[SSL_PKEY_RSA_ENC
]);
987 rsa_enc
= ((cpk
->x509
!= NULL
) && (cpk
->privatekey
!= NULL
))?1:0;
988 rsa_enc_export
=(rsa_enc
&& (EVP_PKEY_size(cpk
->privatekey
)*8 <= 512))?1:0;
989 cpk
= &(c
->pkeys
[SSL_PKEY_RSA_SIGN
]);
990 rsa_sign
=((cpk
->x509
!= NULL
) && (cpk
->privatekey
!= NULL
))?1:0;
991 cpk
= &(c
->pkeys
[SSL_PKEY_DSA_SIGN
]);
992 dsa_sign
=((cpk
->x509
!= NULL
) && (cpk
->privatekey
!= NULL
))?1:0;
993 cpk
= &(c
->pkeys
[SSL_PKEY_DH_RSA
]);
994 dh_rsa
= ((cpk
->x509
!= NULL
) && (cpk
->privatekey
!= NULL
))?1:0;
995 dh_rsa_export
=(dh_rsa
&& (EVP_PKEY_size(cpk
->privatekey
)*8 <= 512))?1:0;
996 cpk
= &(c
->pkeys
[SSL_PKEY_DH_DSA
]);
997 /* FIX THIS EAY EAY EAY */
998 dh_dsa
= ((cpk
->x509
!= NULL
) && (cpk
->privatekey
!= NULL
))?1:0;
999 dh_dsa_export
=(dh_dsa
&& (EVP_PKEY_size(cpk
->privatekey
)*8 <= 512))?1:0;
1005 printf("rt=%d dht=%d re=%d rs=%d ds=%d dhr=%d dhd=%d\n",
1007 rsa_enc
,rsa_sign
,dsa_sign
,dh_rsa
,dh_dsa
);
1010 if (rsa_enc
|| (rsa_tmp
&& rsa_sign
))
1012 if (rsa_enc_export
|| (rsa_tmp_export
&& rsa_sign
))
1016 /* The match needs to be both kEDH and aRSA or aDSA, so don't worry */
1017 if ( (dh_tmp
|| dh_rsa
|| dh_dsa
) &&
1018 (rsa_enc
|| rsa_sign
|| dsa_sign
))
1020 if ((dh_tmp_export
|| dh_rsa_export
|| dh_dsa_export
) &&
1021 (rsa_enc
|| rsa_sign
|| dsa_sign
))
1031 if (dh_rsa
) mask
|=SSL_kDHr
;
1032 if (dh_rsa_export
) emask
|=SSL_kDHr
;
1034 if (dh_dsa
) mask
|=SSL_kDHd
;
1035 if (dh_dsa_export
) emask
|=SSL_kDHd
;
1037 if (rsa_enc
|| rsa_sign
)
1049 #ifdef SSL_ALLOW_ADH
1055 c
->export_mask
=emask
;
1059 /* THIS NEEDS CLEANING UP */
1060 X509
*ssl_get_server_send_cert(s
)
1063 unsigned long alg
,mask
,kalg
;
1068 ssl_set_cert_masks(c
);
1069 alg
=s
->s3
->tmp
.new_cipher
->algorithms
;
1070 export
=(alg
& SSL_EXPORT
)?1:0;
1071 mask
=(export
)?c
->export_mask
:c
->mask
;
1072 kalg
=alg
&(SSL_MKEY_MASK
|SSL_AUTH_MASK
);
1074 if (kalg
& SSL_kDHr
)
1076 else if (kalg
& SSL_kDHd
)
1078 else if (kalg
& SSL_aDSS
)
1079 i
=SSL_PKEY_DSA_SIGN
;
1080 else if (kalg
& SSL_aRSA
)
1082 if (c
->pkeys
[SSL_PKEY_RSA_ENC
].x509
== NULL
)
1083 i
=SSL_PKEY_RSA_SIGN
;
1087 else /* if (kalg & SSL_aNULL) */
1089 SSLerr(SSL_F_SSL_GET_SERVER_SEND_CERT
,SSL_R_INTERNAL_ERROR
);
1092 if (c
->pkeys
[i
].x509
== NULL
) return(NULL
);
1093 return(c
->pkeys
[i
].x509
);
1096 EVP_PKEY
*ssl_get_sign_pkey(s
,cipher
)
1103 alg
=cipher
->algorithms
;
1106 if ((alg
& SSL_aDSS
) &&
1107 (c
->pkeys
[SSL_PKEY_DSA_SIGN
].privatekey
!= NULL
))
1108 return(c
->pkeys
[SSL_PKEY_DSA_SIGN
].privatekey
);
1109 else if (alg
& SSL_aRSA
)
1111 if (c
->pkeys
[SSL_PKEY_RSA_SIGN
].privatekey
!= NULL
)
1112 return(c
->pkeys
[SSL_PKEY_RSA_SIGN
].privatekey
);
1113 else if (c
->pkeys
[SSL_PKEY_RSA_ENC
].privatekey
!= NULL
)
1114 return(c
->pkeys
[SSL_PKEY_RSA_ENC
].privatekey
);
1118 else /* if (alg & SSL_aNULL) */
1120 SSLerr(SSL_F_SSL_GET_SIGN_PKEY
,SSL_R_INTERNAL_ERROR
);
1125 void ssl_update_cache(s
,mode
)
1129 if ((s
->ctx
->session_cache_mode
& mode
)
1131 && SSL_CTX_add_session(s
->ctx
,s
->session
)
1132 && (s
->ctx
->new_session_cb
!= NULL
))
1134 CRYPTO_add(&s
->session
->references
,1,
1135 CRYPTO_LOCK_SSL_SESSION
);
1136 if (!s
->ctx
->new_session_cb(s
,s
->session
))
1137 SSL_SESSION_free(s
->session
);
1140 /* auto flush every 255 connections */
1141 if ((!(s
->ctx
->session_cache_mode
&
1142 SSL_SESS_CACHE_NO_AUTO_CLEAR
)) &&
1143 ((s
->ctx
->sess_connect_good
& 0xff) == 0))
1144 SSL_CTX_flush_sessions(s
->ctx
,time(NULL
));
1147 SSL_METHOD
*SSL_get_ssl_method(s
)
1153 int SSL_set_ssl_method(s
,meth
)
1160 if (s
->method
!= meth
)
1162 if (s
->handshake_func
!= NULL
)
1163 conn
=(s
->handshake_func
== s
->method
->ssl_connect
);
1165 if (s
->method
->version
== meth
->version
)
1169 s
->method
->ssl_free(s
);
1171 ret
=s
->method
->ssl_new(s
);
1175 s
->handshake_func
=meth
->ssl_connect
;
1177 s
->handshake_func
=meth
->ssl_accept
;
1182 int SSL_get_error(s
,i
)
1189 if (i
> 0) return(SSL_ERROR_NONE
);
1191 if (ERR_peek_error() != 0)
1192 return(SSL_ERROR_SSL
);
1194 if ((i
< 0) && SSL_want_read(s
))
1196 bio
=SSL_get_rbio(s
);
1197 if (BIO_should_read(bio
))
1198 return(SSL_ERROR_WANT_READ
);
1199 else if (BIO_should_write(bio
))
1200 return(SSL_ERROR_WANT_WRITE
);
1201 else if (BIO_should_io_special(bio
))
1203 reason
=BIO_get_retry_reason(bio
);
1204 if (reason
== BIO_RR_CONNECT
)
1205 return(SSL_ERROR_WANT_CONNECT
);
1207 return(SSL_ERROR_SYSCALL
); /* unknown */
1211 if ((i
< 0) && SSL_want_write(s
))
1213 bio
=SSL_get_wbio(s
);
1214 if (BIO_should_write(bio
))
1215 return(SSL_ERROR_WANT_WRITE
);
1216 else if (BIO_should_read(bio
))
1217 return(SSL_ERROR_WANT_READ
);
1218 else if (BIO_should_io_special(bio
))
1220 reason
=BIO_get_retry_reason(bio
);
1221 if (reason
== BIO_RR_CONNECT
)
1222 return(SSL_ERROR_WANT_CONNECT
);
1224 return(SSL_ERROR_SYSCALL
);
1227 if ((i
< 0) && SSL_want_x509_lookup(s
))
1229 return(SSL_ERROR_WANT_X509_LOOKUP
);
1234 if (s
->version
== 2)
1236 /* assume it is the socket being closed */
1237 return(SSL_ERROR_ZERO_RETURN
);
1241 if ((s
->shutdown
& SSL_RECEIVED_SHUTDOWN
) &&
1242 (s
->s3
->warn_alert
== SSL3_AD_CLOSE_NOTIFY
))
1243 return(SSL_ERROR_ZERO_RETURN
);
1246 return(SSL_ERROR_SYSCALL
);
1249 int SSL_do_handshake(s
)
1252 if (s
->handshake_func
== NULL
)
1254 SSLerr(SSL_F_SSL_DO_HANDSHAKE
,SSL_R_INTERNAL_ERROR
);
1257 if (SSL_in_init(s
) || SSL_in_before(s
))
1258 return(s
->handshake_func(s
));
1263 /* For the next 2 functions, SSL_clear() sets shutdown and so
1264 * one of these calls will reset it */
1265 void SSL_set_accept_state(s
)
1269 s
->state
=SSL_ST_ACCEPT
|SSL_ST_BEFORE
;
1270 s
->handshake_func
=s
->method
->ssl_accept
;
1271 /* clear the current cipher */
1272 ssl_clear_cipher_ctx(s
);
1275 void SSL_set_connect_state(s
)
1279 s
->state
=SSL_ST_CONNECT
|SSL_ST_BEFORE
;
1280 s
->handshake_func
=s
->method
->ssl_connect
;
1281 /* clear the current cipher */
1282 ssl_clear_cipher_ctx(s
);
1285 int ssl_undefined_function(s
)
1288 SSLerr(SSL_F_SSL_UNDEFINED_FUNCTION
,ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED
);
1292 SSL_METHOD
*ssl_bad_method(ver
)
1295 SSLerr(SSL_F_SSL_BAD_METHOD
,ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED
);
1299 char *SSL_get_version(s
)
1302 if (s
->version
== 3)
1304 else if (s
->version
== 2)
1318 if ((ret
=SSL_new(SSL_get_SSL_CTX(s
))) == NULL
) return(NULL
);
1320 /* This copies version, session-id, SSL_METHOD and 'cert' */
1321 SSL_copy_session_id(ret
,s
);
1323 SSL_set_read_ahead(ret
,SSL_get_read_ahead(s
));
1324 SSL_set_verify(ret
,SSL_get_verify_mode(s
),
1325 SSL_get_verify_callback(s
));
1327 SSL_set_info_callback(ret
,SSL_get_info_callback(s
));
1329 ret
->debug
=s
->debug
;
1331 /* copy app data, a little dangerous perhaps */
1332 SSL_set_app_data(ret
,SSL_get_app_data(s
));
1334 /* setup rbio, and wbio */
1335 if (s
->rbio
!= NULL
)
1337 if (!BIO_dup_state(s
->rbio
,(char *)&ret
->rbio
))
1340 if (s
->wbio
!= NULL
)
1342 if (s
->wbio
!= s
->rbio
)
1344 if (!BIO_dup_state(s
->wbio
,(char *)&ret
->rbio
))
1348 ret
->wbio
=ret
->rbio
;
1351 /* dup the cipher_list and cipher_list_by_id stacks */
1352 if (s
->cipher_list
!= NULL
)
1354 if ((ret
->cipher_list
=sk_dup(s
->cipher_list
)) == NULL
)
1357 if (s
->cipher_list_by_id
!= NULL
)
1358 if ((ret
->cipher_list_by_id
=sk_dup(s
->cipher_list_by_id
))
1362 /* Dup the client_CA list */
1363 if (s
->client_CA
!= NULL
)
1365 if ((sk
=sk_dup(s
->client_CA
)) == NULL
) goto err
;
1367 for (i
=0; i
<sk_num(sk
); i
++)
1369 xn
=(X509_NAME
*)sk_value(sk
,i
);
1370 if ((sk_value(sk
,i
)=(char *)X509_NAME_dup(xn
)) == NULL
)
1378 ret
->shutdown
=s
->shutdown
;
1379 ret
->state
=s
->state
;
1380 ret
->handshake_func
=s
->handshake_func
;
1385 if (ret
!= NULL
) SSL_free(ret
);
1391 void ssl_clear_cipher_ctx(s
)
1394 if (s
->enc_read_ctx
!= NULL
)
1396 EVP_CIPHER_CTX_cleanup(s
->enc_read_ctx
);
1397 Free(s
->enc_read_ctx
);
1398 s
->enc_read_ctx
=NULL
;
1400 if (s
->enc_write_ctx
!= NULL
)
1402 EVP_CIPHER_CTX_cleanup(s
->enc_write_ctx
);
1403 Free(s
->enc_write_ctx
);
1404 s
->enc_write_ctx
=NULL
;
1408 X509
*SSL_get_certificate(s
)
1411 if (s
->cert
!= NULL
)
1412 return(s
->cert
->key
->x509
);
1417 EVP_PKEY
*SSL_get_privatekey(s
)
1420 if (s
->cert
!= NULL
)
1421 return(s
->cert
->key
->privatekey
);
1426 SSL_CIPHER
*SSL_get_current_cipher(s
)
1429 if ((s
->session
!= NULL
) && (s
->session
->cipher
!= NULL
))
1430 return(s
->session
->cipher
);