1 /*! \file ssl/ssl_lib.c 2 * \brief Version independent SSL functions. 3 */ 4 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 5 * All rights reserved. 6 * 7 * This package is an SSL implementation written 8 * by Eric Young (eay@cryptsoft.com). 9 * The implementation was written so as to conform with Netscapes SSL. 10 * 11 * This library is free for commercial and non-commercial use as long as 12 * the following conditions are aheared to. The following conditions 13 * apply to all code found in this distribution, be it the RC4, RSA, 14 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 15 * included with this distribution is covered by the same copyright terms 16 * except that the holder is Tim Hudson (tjh@cryptsoft.com). 17 * 18 * Copyright remains Eric Young's, and as such any Copyright notices in 19 * the code are not to be removed. 20 * If this package is used in a product, Eric Young should be given attribution 21 * as the author of the parts of the library used. 22 * This can be in the form of a textual message at program startup or 23 * in documentation (online or textual) provided with the package. 24 * 25 * Redistribution and use in source and binary forms, with or without 26 * modification, are permitted provided that the following conditions 27 * are met: 28 * 1. Redistributions of source code must retain the copyright 29 * notice, this list of conditions and the following disclaimer. 30 * 2. Redistributions in binary form must reproduce the above copyright 31 * notice, this list of conditions and the following disclaimer in the 32 * documentation and/or other materials provided with the distribution. 33 * 3. All advertising materials mentioning features or use of this software 34 * must display the following acknowledgement: 35 * "This product includes cryptographic software written by 36 * Eric Young (eay@cryptsoft.com)" 37 * The word 'cryptographic' can be left out if the rouines from the library 38 * being used are not cryptographic related :-). 39 * 4. If you include any Windows specific code (or a derivative thereof) from 40 * the apps directory (application code) you must include an acknowledgement: 41 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 42 * 43 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 44 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 45 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 46 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 47 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 48 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 49 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 50 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 51 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 52 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 53 * SUCH DAMAGE. 54 * 55 * The licence and distribution terms for any publically available version or 56 * derivative of this code cannot be changed. i.e. this code cannot simply be 57 * copied and put under another distribution licence 58 * [including the GNU Public Licence.] 59 */ 60 61 62 #include <assert.h> 63 #include <stdio.h> 64 #include <openssl/objects.h> 65 #include <openssl/lhash.h> 66 #include <openssl/x509v3.h> 67 #include "ssl_locl.h" 68 69 const char *SSL_version_str=OPENSSL_VERSION_TEXT; 70 71 static STACK_OF(CRYPTO_EX_DATA_FUNCS) *ssl_meth=NULL; 72 static STACK_OF(CRYPTO_EX_DATA_FUNCS) *ssl_ctx_meth=NULL; 73 static int ssl_meth_num=0; 74 static int ssl_ctx_meth_num=0; 75 76 OPENSSL_GLOBAL SSL3_ENC_METHOD ssl3_undef_enc_method={ 77 /* evil casts, but these functions are only called if there's a library bug */ 78 (int (*)(SSL *,int))ssl_undefined_function, 79 (int (*)(SSL *, unsigned char *, int))ssl_undefined_function, 80 ssl_undefined_function, 81 (int (*)(SSL *, unsigned char *, unsigned char *, int))ssl_undefined_function, 82 (int (*)(SSL*, int))ssl_undefined_function, 83 (int (*)(SSL *, EVP_MD_CTX *, EVP_MD_CTX *, const char*, int, unsigned char *))ssl_undefined_function 84 }; 85 86 int SSL_clear(SSL *s) 87 { 88 89 if (s->method == NULL) 90 { 91 SSLerr(SSL_F_SSL_CLEAR,SSL_R_NO_METHOD_SPECIFIED); 92 return(0); 93 } 94 95 if (ssl_clear_bad_session(s)) 96 { 97 SSL_SESSION_free(s->session); 98 s->session=NULL; 99 } 100 101 s->error=0; 102 s->hit=0; 103 s->shutdown=0; 104 105 #if 0 /* Disabled since version 1.10 of this file (early return not 106 * needed because SSL_clear is not called when doing renegotiation) */ 107 /* This is set if we are doing dynamic renegotiation so keep 108 * the old cipher. It is sort of a SSL_clear_lite :-) */ 109 if (s->new_session) return(1); 110 #else 111 if (s->new_session) 112 { 113 SSLerr(SSL_F_SSL_CLEAR,SSL_R_INTERNAL_ERROR); 114 return 0; 115 } 116 #endif 117 118 s->type=0; 119 120 s->state=SSL_ST_BEFORE|((s->server)?SSL_ST_ACCEPT:SSL_ST_CONNECT); 121 122 s->version=s->method->version; 123 s->client_version=s->version; 124 s->rwstate=SSL_NOTHING; 125 s->rstate=SSL_ST_READ_HEADER; 126 #if 0 127 s->read_ahead=s->ctx->read_ahead; 128 #endif 129 130 if (s->init_buf != NULL) 131 { 132 BUF_MEM_free(s->init_buf); 133 s->init_buf=NULL; 134 } 135 136 ssl_clear_cipher_ctx(s); 137 138 s->first_packet=0; 139 140 #if 1 141 /* Check to see if we were changed into a different method, if 142 * so, revert back if we are not doing session-id reuse. */ 143 if (!s->in_handshake && (s->session == NULL) && (s->method != s->ctx->method)) 144 { 145 s->method->ssl_free(s); 146 s->method=s->ctx->method; 147 if (!s->method->ssl_new(s)) 148 return(0); 149 } 150 else 151 #endif 152 s->method->ssl_clear(s); 153 return(1); 154 } 155 156 /** Used to change an SSL_CTXs default SSL method type */ 157 int SSL_CTX_set_ssl_version(SSL_CTX *ctx,SSL_METHOD *meth) 158 { 159 STACK_OF(SSL_CIPHER) *sk; 160 161 ctx->method=meth; 162 163 sk=ssl_create_cipher_list(ctx->method,&(ctx->cipher_list), 164 &(ctx->cipher_list_by_id),SSL_DEFAULT_CIPHER_LIST); 165 if ((sk == NULL) || (sk_SSL_CIPHER_num(sk) <= 0)) 166 { 167 SSLerr(SSL_F_SSL_CTX_SET_SSL_VERSION,SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS); 168 return(0); 169 } 170 return(1); 171 } 172 173 SSL *SSL_new(SSL_CTX *ctx) 174 { 175 SSL *s; 176 177 if (ctx == NULL) 178 { 179 SSLerr(SSL_F_SSL_NEW,SSL_R_NULL_SSL_CTX); 180 return(NULL); 181 } 182 if (ctx->method == NULL) 183 { 184 SSLerr(SSL_F_SSL_NEW,SSL_R_SSL_CTX_HAS_NO_DEFAULT_SSL_VERSION); 185 return(NULL); 186 } 187 188 s=(SSL *)OPENSSL_malloc(sizeof(SSL)); 189 if (s == NULL) goto err; 190 memset(s,0,sizeof(SSL)); 191 192 if (ctx->cert != NULL) 193 { 194 /* Earlier library versions used to copy the pointer to 195 * the CERT, not its contents; only when setting new 196 * parameters for the per-SSL copy, ssl_cert_new would be 197 * called (and the direct reference to the per-SSL_CTX 198 * settings would be lost, but those still were indirectly 199 * accessed for various purposes, and for that reason they 200 * used to be known as s->ctx->default_cert). 201 * Now we don't look at the SSL_CTX's CERT after having 202 * duplicated it once. */ 203 204 s->cert = ssl_cert_dup(ctx->cert); 205 if (s->cert == NULL) 206 goto err; 207 } 208 else 209 s->cert=NULL; /* Cannot really happen (see SSL_CTX_new) */ 210 s->sid_ctx_length=ctx->sid_ctx_length; 211 memcpy(&s->sid_ctx,&ctx->sid_ctx,sizeof(s->sid_ctx)); 212 s->verify_mode=ctx->verify_mode; 213 s->verify_depth=ctx->verify_depth; 214 s->verify_callback=ctx->default_verify_callback; 215 s->purpose = ctx->purpose; 216 s->trust = ctx->trust; 217 CRYPTO_add(&ctx->references,1,CRYPTO_LOCK_SSL_CTX); 218 s->ctx=ctx; 219 220 s->verify_result=X509_V_OK; 221 222 s->method=ctx->method; 223 224 if (!s->method->ssl_new(s)) 225 goto err; 226 227 s->quiet_shutdown=ctx->quiet_shutdown; 228 s->references=1; 229 s->server=(ctx->method->ssl_accept == ssl_undefined_function)?0:1; 230 s->options=ctx->options; 231 s->mode=ctx->mode; 232 s->read_ahead=ctx->read_ahead; /* used to happen in SSL_clear */ 233 SSL_clear(s); 234 235 CRYPTO_new_ex_data(ssl_meth,s,&s->ex_data); 236 237 return(s); 238 err: 239 if (s != NULL) 240 { 241 if (s->cert != NULL) 242 ssl_cert_free(s->cert); 243 if (s->ctx != NULL) 244 SSL_CTX_free(s->ctx); /* decrement reference count */ 245 OPENSSL_free(s); 246 } 247 SSLerr(SSL_F_SSL_NEW,ERR_R_MALLOC_FAILURE); 248 return(NULL); 249 } 250 251 int SSL_CTX_set_session_id_context(SSL_CTX *ctx,const unsigned char *sid_ctx, 252 unsigned int sid_ctx_len) 253 { 254 if(sid_ctx_len > SSL_MAX_SID_CTX_LENGTH) 255 { 256 SSLerr(SSL_F_SSL_CTX_SET_SESSION_ID_CONTEXT,SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG); 257 return 0; 258 } 259 ctx->sid_ctx_length=sid_ctx_len; 260 memcpy(ctx->sid_ctx,sid_ctx,sid_ctx_len); 261 262 return 1; 263 } 264 265 int SSL_set_session_id_context(SSL *ssl,const unsigned char *sid_ctx, 266 unsigned int sid_ctx_len) 267 { 268 if(sid_ctx_len > SSL_MAX_SID_CTX_LENGTH) 269 { 270 SSLerr(SSL_F_SSL_SET_SESSION_ID_CONTEXT,SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG); 271 return 0; 272 } 273 ssl->sid_ctx_length=sid_ctx_len; 274 memcpy(ssl->sid_ctx,sid_ctx,sid_ctx_len); 275 276 return 1; 277 } 278 279 int SSL_CTX_set_purpose(SSL_CTX *s, int purpose) 280 { 281 if(X509_PURPOSE_get_by_id(purpose) == -1) { 282 SSLerr(SSL_F_SSL_CTX_SET_PURPOSE, SSL_R_INVALID_PURPOSE); 283 return 0; 284 } 285 s->purpose = purpose; 286 return 1; 287 } 288 289 int SSL_set_purpose(SSL *s, int purpose) 290 { 291 if(X509_PURPOSE_get_by_id(purpose) == -1) { 292 SSLerr(SSL_F_SSL_SET_PURPOSE, SSL_R_INVALID_PURPOSE); 293 return 0; 294 } 295 s->purpose = purpose; 296 return 1; 297 } 298 299 int SSL_CTX_set_trust(SSL_CTX *s, int trust) 300 { 301 if(X509_TRUST_get_by_id(trust) == -1) { 302 SSLerr(SSL_F_SSL_CTX_SET_TRUST, SSL_R_INVALID_TRUST); 303 return 0; 304 } 305 s->trust = trust; 306 return 1; 307 } 308 309 int SSL_set_trust(SSL *s, int trust) 310 { 311 if(X509_TRUST_get_by_id(trust) == -1) { 312 SSLerr(SSL_F_SSL_SET_TRUST, SSL_R_INVALID_TRUST); 313 return 0; 314 } 315 s->trust = trust; 316 return 1; 317 } 318 319 void SSL_free(SSL *s) 320 { 321 int i; 322 323 if(s == NULL) 324 return; 325 326 i=CRYPTO_add(&s->references,-1,CRYPTO_LOCK_SSL); 327 #ifdef REF_PRINT 328 REF_PRINT("SSL",s); 329 #endif 330 if (i > 0) return; 331 #ifdef REF_CHECK 332 if (i < 0) 333 { 334 fprintf(stderr,"SSL_free, bad reference count\n"); 335 abort(); /* ok */ 336 } 337 #endif 338 339 CRYPTO_free_ex_data(ssl_meth,(char *)s,&s->ex_data); 340 341 if (s->bbio != NULL) 342 { 343 /* If the buffering BIO is in place, pop it off */ 344 if (s->bbio == s->wbio) 345 { 346 s->wbio=BIO_pop(s->wbio); 347 } 348 BIO_free(s->bbio); 349 s->bbio=NULL; 350 } 351 if (s->rbio != NULL) 352 BIO_free_all(s->rbio); 353 if ((s->wbio != NULL) && (s->wbio != s->rbio)) 354 BIO_free_all(s->wbio); 355 356 if (s->init_buf != NULL) BUF_MEM_free(s->init_buf); 357 358 /* add extra stuff */ 359 if (s->cipher_list != NULL) sk_SSL_CIPHER_free(s->cipher_list); 360 if (s->cipher_list_by_id != NULL) sk_SSL_CIPHER_free(s->cipher_list_by_id); 361 362 /* Make the next call work :-) */ 363 if (s->session != NULL) 364 { 365 ssl_clear_bad_session(s); 366 SSL_SESSION_free(s->session); 367 } 368 369 ssl_clear_cipher_ctx(s); 370 371 if (s->cert != NULL) ssl_cert_free(s->cert); 372 /* Free up if allocated */ 373 374 if (s->ctx) SSL_CTX_free(s->ctx); 375 376 if (s->client_CA != NULL) 377 sk_X509_NAME_pop_free(s->client_CA,X509_NAME_free); 378 379 if (s->method != NULL) s->method->ssl_free(s); 380 381 OPENSSL_free(s); 382 } 383 384 void SSL_set_bio(SSL *s,BIO *rbio,BIO *wbio) 385 { 386 /* If the output buffering BIO is still in place, remove it 387 */ 388 if (s->bbio != NULL) 389 { 390 if (s->wbio == s->bbio) 391 { 392 s->wbio=s->wbio->next_bio; 393 s->bbio->next_bio=NULL; 394 } 395 } 396 if ((s->rbio != NULL) && (s->rbio != rbio)) 397 BIO_free_all(s->rbio); 398 if ((s->wbio != NULL) && (s->wbio != wbio) && (s->rbio != s->wbio)) 399 BIO_free_all(s->wbio); 400 s->rbio=rbio; 401 s->wbio=wbio; 402 } 403 404 BIO *SSL_get_rbio(SSL *s) 405 { return(s->rbio); } 406 407 BIO *SSL_get_wbio(SSL *s) 408 { return(s->wbio); } 409 410 int SSL_get_fd(SSL *s) 411 { 412 return(SSL_get_rfd(s)); 413 } 414 415 int SSL_get_rfd(SSL *s) 416 { 417 int ret= -1; 418 BIO *b,*r; 419 420 b=SSL_get_rbio(s); 421 r=BIO_find_type(b,BIO_TYPE_DESCRIPTOR); 422 if (r != NULL) 423 BIO_get_fd(r,&ret); 424 return(ret); 425 } 426 427 int SSL_get_wfd(SSL *s) 428 { 429 int ret= -1; 430 BIO *b,*r; 431 432 b=SSL_get_wbio(s); 433 r=BIO_find_type(b,BIO_TYPE_DESCRIPTOR); 434 if (r != NULL) 435 BIO_get_fd(r,&ret); 436 return(ret); 437 } 438 439 #ifndef NO_SOCK 440 int SSL_set_fd(SSL *s,int fd) 441 { 442 int ret=0; 443 BIO *bio=NULL; 444 445 bio=BIO_new(BIO_s_socket()); 446 447 if (bio == NULL) 448 { 449 SSLerr(SSL_F_SSL_SET_FD,ERR_R_BUF_LIB); 450 goto err; 451 } 452 BIO_set_fd(bio,fd,BIO_NOCLOSE); 453 SSL_set_bio(s,bio,bio); 454 ret=1; 455 err: 456 return(ret); 457 } 458 459 int SSL_set_wfd(SSL *s,int fd) 460 { 461 int ret=0; 462 BIO *bio=NULL; 463 464 if ((s->rbio == NULL) || (BIO_method_type(s->rbio) != BIO_TYPE_SOCKET) 465 || ((int)BIO_get_fd(s->rbio,NULL) != fd)) 466 { 467 bio=BIO_new(BIO_s_socket()); 468 469 if (bio == NULL) 470 { SSLerr(SSL_F_SSL_SET_WFD,ERR_R_BUF_LIB); goto err; } 471 BIO_set_fd(bio,fd,BIO_NOCLOSE); 472 SSL_set_bio(s,SSL_get_rbio(s),bio); 473 } 474 else 475 SSL_set_bio(s,SSL_get_rbio(s),SSL_get_rbio(s)); 476 ret=1; 477 err: 478 return(ret); 479 } 480 481 int SSL_set_rfd(SSL *s,int fd) 482 { 483 int ret=0; 484 BIO *bio=NULL; 485 486 if ((s->wbio == NULL) || (BIO_method_type(s->wbio) != BIO_TYPE_SOCKET) 487 || ((int)BIO_get_fd(s->wbio,NULL) != fd)) 488 { 489 bio=BIO_new(BIO_s_socket()); 490 491 if (bio == NULL) 492 { 493 SSLerr(SSL_F_SSL_SET_RFD,ERR_R_BUF_LIB); 494 goto err; 495 } 496 BIO_set_fd(bio,fd,BIO_NOCLOSE); 497 SSL_set_bio(s,bio,SSL_get_wbio(s)); 498 } 499 else 500 SSL_set_bio(s,SSL_get_wbio(s),SSL_get_wbio(s)); 501 ret=1; 502 err: 503 return(ret); 504 } 505 #endif 506 507 508 /* return length of latest Finished message we sent, copy to 'buf' */ 509 size_t SSL_get_finished(SSL *s, void *buf, size_t count) 510 { 511 size_t ret = 0; 512 513 if (s->s3 != NULL) 514 { 515 ret = s->s3->tmp.finish_md_len; 516 if (count > ret) 517 count = ret; 518 memcpy(buf, s->s3->tmp.finish_md, count); 519 } 520 return ret; 521 } 522 523 /* return length of latest Finished message we expected, copy to 'buf' */ 524 size_t SSL_get_peer_finished(SSL *s, void *buf, size_t count) 525 { 526 size_t ret = 0; 527 528 if (s->s3 != NULL) 529 { 530 ret = s->s3->tmp.peer_finish_md_len; 531 if (count > ret) 532 count = ret; 533 memcpy(buf, s->s3->tmp.peer_finish_md, count); 534 } 535 return ret; 536 } 537 538 539 int SSL_get_verify_mode(SSL *s) 540 { 541 return(s->verify_mode); 542 } 543 544 int SSL_get_verify_depth(SSL *s) 545 { 546 return(s->verify_depth); 547 } 548 549 int (*SSL_get_verify_callback(SSL *s))(int,X509_STORE_CTX *) 550 { 551 return(s->verify_callback); 552 } 553 554 int SSL_CTX_get_verify_mode(SSL_CTX *ctx) 555 { 556 return(ctx->verify_mode); 557 } 558 559 int SSL_CTX_get_verify_depth(SSL_CTX *ctx) 560 { 561 return(ctx->verify_depth); 562 } 563 564 int (*SSL_CTX_get_verify_callback(SSL_CTX *ctx))(int,X509_STORE_CTX *) 565 { 566 return(ctx->default_verify_callback); 567 } 568 569 void SSL_set_verify(SSL *s,int mode, 570 int (*callback)(int ok,X509_STORE_CTX *ctx)) 571 { 572 s->verify_mode=mode; 573 if (callback != NULL) 574 s->verify_callback=callback; 575 } 576 577 void SSL_set_verify_depth(SSL *s,int depth) 578 { 579 s->verify_depth=depth; 580 } 581 582 void SSL_set_read_ahead(SSL *s,int yes) 583 { 584 s->read_ahead=yes; 585 } 586 587 int SSL_get_read_ahead(SSL *s) 588 { 589 return(s->read_ahead); 590 } 591 592 int SSL_pending(SSL *s) 593 { 594 return(s->method->ssl_pending(s)); 595 } 596 597 X509 *SSL_get_peer_certificate(SSL *s) 598 { 599 X509 *r; 600 601 if ((s == NULL) || (s->session == NULL)) 602 r=NULL; 603 else 604 r=s->session->peer; 605 606 if (r == NULL) return(r); 607 608 CRYPTO_add(&r->references,1,CRYPTO_LOCK_X509); 609 610 return(r); 611 } 612 613 STACK_OF(X509) *SSL_get_peer_cert_chain(SSL *s) 614 { 615 STACK_OF(X509) *r; 616 617 if ((s == NULL) || (s->session == NULL) || (s->session->sess_cert == NULL)) 618 r=NULL; 619 else 620 r=s->session->sess_cert->cert_chain; 621 622 /* If we are a client, cert_chain includes the peer's own 623 * certificate; if we are a server, it does not. */ 624 625 return(r); 626 } 627 628 /* Now in theory, since the calling process own 't' it should be safe to 629 * modify. We need to be able to read f without being hassled */ 630 void SSL_copy_session_id(SSL *t,SSL *f) 631 { 632 CERT *tmp; 633 634 /* Do we need to to SSL locking? */ 635 SSL_set_session(t,SSL_get_session(f)); 636 637 /* what if we are setup as SSLv2 but want to talk SSLv3 or 638 * vice-versa */ 639 if (t->method != f->method) 640 { 641 t->method->ssl_free(t); /* cleanup current */ 642 t->method=f->method; /* change method */ 643 t->method->ssl_new(t); /* setup new */ 644 } 645 646 tmp=t->cert; 647 if (f->cert != NULL) 648 { 649 CRYPTO_add(&f->cert->references,1,CRYPTO_LOCK_SSL_CERT); 650 t->cert=f->cert; 651 } 652 else 653 t->cert=NULL; 654 if (tmp != NULL) ssl_cert_free(tmp); 655 SSL_set_session_id_context(t,f->sid_ctx,f->sid_ctx_length); 656 } 657 658 /* Fix this so it checks all the valid key/cert options */ 659 int SSL_CTX_check_private_key(SSL_CTX *ctx) 660 { 661 if ( (ctx == NULL) || 662 (ctx->cert == NULL) || 663 (ctx->cert->key->x509 == NULL)) 664 { 665 SSLerr(SSL_F_SSL_CTX_CHECK_PRIVATE_KEY,SSL_R_NO_CERTIFICATE_ASSIGNED); 666 return(0); 667 } 668 if (ctx->cert->key->privatekey == NULL) 669 { 670 SSLerr(SSL_F_SSL_CTX_CHECK_PRIVATE_KEY,SSL_R_NO_PRIVATE_KEY_ASSIGNED); 671 return(0); 672 } 673 return(X509_check_private_key(ctx->cert->key->x509, ctx->cert->key->privatekey)); 674 } 675 676 /* Fix this function so that it takes an optional type parameter */ 677 int SSL_check_private_key(SSL *ssl) 678 { 679 if (ssl == NULL) 680 { 681 SSLerr(SSL_F_SSL_CHECK_PRIVATE_KEY,ERR_R_PASSED_NULL_PARAMETER); 682 return(0); 683 } 684 if (ssl->cert == NULL) 685 { 686 SSLerr(SSL_F_SSL_CHECK_PRIVATE_KEY,SSL_R_NO_CERTIFICATE_ASSIGNED); 687 return 0; 688 } 689 if (ssl->cert->key->x509 == NULL) 690 { 691 SSLerr(SSL_F_SSL_CHECK_PRIVATE_KEY,SSL_R_NO_CERTIFICATE_ASSIGNED); 692 return(0); 693 } 694 if (ssl->cert->key->privatekey == NULL) 695 { 696 SSLerr(SSL_F_SSL_CHECK_PRIVATE_KEY,SSL_R_NO_PRIVATE_KEY_ASSIGNED); 697 return(0); 698 } 699 return(X509_check_private_key(ssl->cert->key->x509, 700 ssl->cert->key->privatekey)); 701 } 702 703 int SSL_accept(SSL *s) 704 { 705 if (s->handshake_func == 0) 706 /* Not properly initialized yet */ 707 SSL_set_accept_state(s); 708 709 return(s->method->ssl_accept(s)); 710 } 711 712 int SSL_connect(SSL *s) 713 { 714 if (s->handshake_func == 0) 715 /* Not properly initialized yet */ 716 SSL_set_connect_state(s); 717 718 return(s->method->ssl_connect(s)); 719 } 720 721 long SSL_get_default_timeout(SSL *s) 722 { 723 return(s->method->get_timeout()); 724 } 725 726 int SSL_read(SSL *s,void *buf,int num) 727 { 728 if (s->handshake_func == 0) 729 { 730 SSLerr(SSL_F_SSL_READ, SSL_R_UNINITIALIZED); 731 return -1; 732 } 733 734 if (s->shutdown & SSL_RECEIVED_SHUTDOWN) 735 { 736 s->rwstate=SSL_NOTHING; 737 return(0); 738 } 739 return(s->method->ssl_read(s,buf,num)); 740 } 741 742 int SSL_peek(SSL *s,void *buf,int num) 743 { 744 if (s->handshake_func == 0) 745 { 746 SSLerr(SSL_F_SSL_READ, SSL_R_UNINITIALIZED); 747 return -1; 748 } 749 750 if (s->shutdown & SSL_RECEIVED_SHUTDOWN) 751 { 752 return(0); 753 } 754 return(s->method->ssl_peek(s,buf,num)); 755 } 756 757 int SSL_write(SSL *s,const void *buf,int num) 758 { 759 if (s->handshake_func == 0) 760 { 761 SSLerr(SSL_F_SSL_WRITE, SSL_R_UNINITIALIZED); 762 return -1; 763 } 764 765 if (s->shutdown & SSL_SENT_SHUTDOWN) 766 { 767 s->rwstate=SSL_NOTHING; 768 SSLerr(SSL_F_SSL_WRITE,SSL_R_PROTOCOL_IS_SHUTDOWN); 769 return(-1); 770 } 771 return(s->method->ssl_write(s,buf,num)); 772 } 773 774 int SSL_shutdown(SSL *s) 775 { 776 /* Note that this function behaves differently from what one might 777 * expect. Return values are 0 for no success (yet), 778 * 1 for success; but calling it once is usually not enough, 779 * even if blocking I/O is used (see ssl3_shutdown). 780 */ 781 782 if (s->handshake_func == 0) 783 { 784 SSLerr(SSL_F_SSL_SHUTDOWN, SSL_R_UNINITIALIZED); 785 return -1; 786 } 787 788 if ((s != NULL) && !SSL_in_init(s)) 789 return(s->method->ssl_shutdown(s)); 790 else 791 return(1); 792 } 793 794 int SSL_renegotiate(SSL *s) 795 { 796 if (s->new_session == 0) 797 { 798 s->new_session=1; 799 } 800 return(s->method->ssl_renegotiate(s)); 801 } 802 803 long SSL_ctrl(SSL *s,int cmd,long larg,char *parg) 804 { 805 long l; 806 807 switch (cmd) 808 { 809 case SSL_CTRL_GET_READ_AHEAD: 810 return(s->read_ahead); 811 case SSL_CTRL_SET_READ_AHEAD: 812 l=s->read_ahead; 813 s->read_ahead=larg; 814 return(l); 815 case SSL_CTRL_OPTIONS: 816 return(s->options|=larg); 817 case SSL_CTRL_MODE: 818 return(s->mode|=larg); 819 default: 820 return(s->method->ssl_ctrl(s,cmd,larg,parg)); 821 } 822 } 823 824 long SSL_callback_ctrl(SSL *s, int cmd, void (*fp)()) 825 { 826 switch(cmd) 827 { 828 default: 829 return(s->method->ssl_callback_ctrl(s,cmd,fp)); 830 } 831 } 832 833 struct lhash_st *SSL_CTX_sessions(SSL_CTX *ctx) 834 { 835 return ctx->sessions; 836 } 837 838 long SSL_CTX_ctrl(SSL_CTX *ctx,int cmd,long larg,char *parg) 839 { 840 long l; 841 842 switch (cmd) 843 { 844 case SSL_CTRL_GET_READ_AHEAD: 845 return(ctx->read_ahead); 846 case SSL_CTRL_SET_READ_AHEAD: 847 l=ctx->read_ahead; 848 ctx->read_ahead=larg; 849 return(l); 850 851 case SSL_CTRL_SET_SESS_CACHE_SIZE: 852 l=ctx->session_cache_size; 853 ctx->session_cache_size=larg; 854 return(l); 855 case SSL_CTRL_GET_SESS_CACHE_SIZE: 856 return(ctx->session_cache_size); 857 case SSL_CTRL_SET_SESS_CACHE_MODE: 858 l=ctx->session_cache_mode; 859 ctx->session_cache_mode=larg; 860 return(l); 861 case SSL_CTRL_GET_SESS_CACHE_MODE: 862 return(ctx->session_cache_mode); 863 864 case SSL_CTRL_SESS_NUMBER: 865 return(ctx->sessions->num_items); 866 case SSL_CTRL_SESS_CONNECT: 867 return(ctx->stats.sess_connect); 868 case SSL_CTRL_SESS_CONNECT_GOOD: 869 return(ctx->stats.sess_connect_good); 870 case SSL_CTRL_SESS_CONNECT_RENEGOTIATE: 871 return(ctx->stats.sess_connect_renegotiate); 872 case SSL_CTRL_SESS_ACCEPT: 873 return(ctx->stats.sess_accept); 874 case SSL_CTRL_SESS_ACCEPT_GOOD: 875 return(ctx->stats.sess_accept_good); 876 case SSL_CTRL_SESS_ACCEPT_RENEGOTIATE: 877 return(ctx->stats.sess_accept_renegotiate); 878 case SSL_CTRL_SESS_HIT: 879 return(ctx->stats.sess_hit); 880 case SSL_CTRL_SESS_CB_HIT: 881 return(ctx->stats.sess_cb_hit); 882 case SSL_CTRL_SESS_MISSES: 883 return(ctx->stats.sess_miss); 884 case SSL_CTRL_SESS_TIMEOUTS: 885 return(ctx->stats.sess_timeout); 886 case SSL_CTRL_SESS_CACHE_FULL: 887 return(ctx->stats.sess_cache_full); 888 case SSL_CTRL_OPTIONS: 889 return(ctx->options|=larg); 890 case SSL_CTRL_MODE: 891 return(ctx->mode|=larg); 892 default: 893 return(ctx->method->ssl_ctx_ctrl(ctx,cmd,larg,parg)); 894 } 895 } 896 897 long SSL_CTX_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)()) 898 { 899 switch(cmd) 900 { 901 default: 902 return(ctx->method->ssl_ctx_callback_ctrl(ctx,cmd,fp)); 903 } 904 } 905 906 int ssl_cipher_id_cmp(const SSL_CIPHER *a, const SSL_CIPHER *b) 907 { 908 long l; 909 910 l=a->id-b->id; 911 if (l == 0L) 912 return(0); 913 else 914 return((l > 0)?1:-1); 915 } 916 917 int ssl_cipher_ptr_id_cmp(const SSL_CIPHER * const *ap, 918 const SSL_CIPHER * const *bp) 919 { 920 long l; 921 922 l=(*ap)->id-(*bp)->id; 923 if (l == 0L) 924 return(0); 925 else 926 return((l > 0)?1:-1); 927 } 928 929 /** return a STACK of the ciphers available for the SSL and in order of 930 * preference */ 931 STACK_OF(SSL_CIPHER) *SSL_get_ciphers(SSL *s) 932 { 933 if ((s != NULL) && (s->cipher_list != NULL)) 934 { 935 return(s->cipher_list); 936 } 937 else if ((s->ctx != NULL) && 938 (s->ctx->cipher_list != NULL)) 939 { 940 return(s->ctx->cipher_list); 941 } 942 return(NULL); 943 } 944 945 /** return a STACK of the ciphers available for the SSL and in order of 946 * algorithm id */ 947 STACK_OF(SSL_CIPHER) *ssl_get_ciphers_by_id(SSL *s) 948 { 949 if ((s != NULL) && (s->cipher_list_by_id != NULL)) 950 { 951 return(s->cipher_list_by_id); 952 } 953 else if ((s != NULL) && (s->ctx != NULL) && 954 (s->ctx->cipher_list_by_id != NULL)) 955 { 956 return(s->ctx->cipher_list_by_id); 957 } 958 return(NULL); 959 } 960 961 /** The old interface to get the same thing as SSL_get_ciphers() */ 962 const char *SSL_get_cipher_list(SSL *s,int n) 963 { 964 SSL_CIPHER *c; 965 STACK_OF(SSL_CIPHER) *sk; 966 967 if (s == NULL) return(NULL); 968 sk=SSL_get_ciphers(s); 969 if ((sk == NULL) || (sk_SSL_CIPHER_num(sk) <= n)) 970 return(NULL); 971 c=sk_SSL_CIPHER_value(sk,n); 972 if (c == NULL) return(NULL); 973 return(c->name); 974 } 975 976 /** specify the ciphers to be used by default by the SSL_CTX */ 977 int SSL_CTX_set_cipher_list(SSL_CTX *ctx, const char *str) 978 { 979 STACK_OF(SSL_CIPHER) *sk; 980 981 sk=ssl_create_cipher_list(ctx->method,&ctx->cipher_list, 982 &ctx->cipher_list_by_id,str); 983 /* XXXX */ 984 return((sk == NULL)?0:1); 985 } 986 987 /** specify the ciphers to be used by the SSL */ 988 int SSL_set_cipher_list(SSL *s,const char *str) 989 { 990 STACK_OF(SSL_CIPHER) *sk; 991 992 sk=ssl_create_cipher_list(s->ctx->method,&s->cipher_list, 993 &s->cipher_list_by_id,str); 994 /* XXXX */ 995 return((sk == NULL)?0:1); 996 } 997 998 /* works well for SSLv2, not so good for SSLv3 */ 999 char *SSL_get_shared_ciphers(SSL *s,char *buf,int len) 1000 { 1001 char *p; 1002 const char *cp; 1003 STACK_OF(SSL_CIPHER) *sk; 1004 SSL_CIPHER *c; 1005 int i; 1006 1007 if ((s->session == NULL) || (s->session->ciphers == NULL) || 1008 (len < 2)) 1009 return(NULL); 1010 1011 p=buf; 1012 sk=s->session->ciphers; 1013 for (i=0; i<sk_SSL_CIPHER_num(sk); i++) 1014 { 1015 /* Decrement for either the ':' or a '\0' */ 1016 len--; 1017 c=sk_SSL_CIPHER_value(sk,i); 1018 for (cp=c->name; *cp; ) 1019 { 1020 if (len-- == 0) 1021 { 1022 *p='\0'; 1023 return(buf); 1024 } 1025 else 1026 *(p++)= *(cp++); 1027 } 1028 *(p++)=':'; 1029 } 1030 p[-1]='\0'; 1031 return(buf); 1032 } 1033 1034 int ssl_cipher_list_to_bytes(SSL *s,STACK_OF(SSL_CIPHER) *sk,unsigned char *p) 1035 { 1036 int i,j=0; 1037 SSL_CIPHER *c; 1038 unsigned char *q; 1039 1040 if (sk == NULL) return(0); 1041 q=p; 1042 1043 for (i=0; i<sk_SSL_CIPHER_num(sk); i++) 1044 { 1045 c=sk_SSL_CIPHER_value(sk,i); 1046 j=ssl_put_cipher_by_char(s,c,p); 1047 p+=j; 1048 } 1049 return(p-q); 1050 } 1051 1052 STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s,unsigned char *p,int num, 1053 STACK_OF(SSL_CIPHER) **skp) 1054 { 1055 SSL_CIPHER *c; 1056 STACK_OF(SSL_CIPHER) *sk; 1057 int i,n; 1058 1059 n=ssl_put_cipher_by_char(s,NULL,NULL); 1060 if ((num%n) != 0) 1061 { 1062 SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST); 1063 return(NULL); 1064 } 1065 if ((skp == NULL) || (*skp == NULL)) 1066 sk=sk_SSL_CIPHER_new_null(); /* change perhaps later */ 1067 else 1068 { 1069 sk= *skp; 1070 sk_SSL_CIPHER_zero(sk); 1071 } 1072 1073 for (i=0; i<num; i+=n) 1074 { 1075 c=ssl_get_cipher_by_char(s,p); 1076 p+=n; 1077 if (c != NULL) 1078 { 1079 if (!sk_SSL_CIPHER_push(sk,c)) 1080 { 1081 SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,ERR_R_MALLOC_FAILURE); 1082 goto err; 1083 } 1084 } 1085 } 1086 1087 if (skp != NULL) 1088 *skp=sk; 1089 return(sk); 1090 err: 1091 if ((skp == NULL) || (*skp == NULL)) 1092 sk_SSL_CIPHER_free(sk); 1093 return(NULL); 1094 } 1095 1096 unsigned long SSL_SESSION_hash(SSL_SESSION *a) 1097 { 1098 unsigned long l; 1099 1100 l=(unsigned long) 1101 ((unsigned int) a->session_id[0] )| 1102 ((unsigned int) a->session_id[1]<< 8L)| 1103 ((unsigned long)a->session_id[2]<<16L)| 1104 ((unsigned long)a->session_id[3]<<24L); 1105 return(l); 1106 } 1107 1108 int SSL_SESSION_cmp(SSL_SESSION *a,SSL_SESSION *b) 1109 { 1110 if (a->ssl_version != b->ssl_version) 1111 return(1); 1112 if (a->session_id_length != b->session_id_length) 1113 return(1); 1114 return(memcmp(a->session_id,b->session_id,a->session_id_length)); 1115 } 1116 1117 SSL_CTX *SSL_CTX_new(SSL_METHOD *meth) 1118 { 1119 SSL_CTX *ret=NULL; 1120 1121 if (meth == NULL) 1122 { 1123 SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_NULL_SSL_METHOD_PASSED); 1124 return(NULL); 1125 } 1126 1127 if (SSL_get_ex_data_X509_STORE_CTX_idx() < 0) 1128 { 1129 SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_X509_VERIFICATION_SETUP_PROBLEMS); 1130 goto err; 1131 } 1132 ret=(SSL_CTX *)OPENSSL_malloc(sizeof(SSL_CTX)); 1133 if (ret == NULL) 1134 goto err; 1135 1136 memset(ret,0,sizeof(SSL_CTX)); 1137 1138 ret->method=meth; 1139 1140 ret->cert_store=NULL; 1141 ret->session_cache_mode=SSL_SESS_CACHE_SERVER; 1142 ret->session_cache_size=SSL_SESSION_CACHE_MAX_SIZE_DEFAULT; 1143 ret->session_cache_head=NULL; 1144 ret->session_cache_tail=NULL; 1145 1146 /* We take the system default */ 1147 ret->session_timeout=meth->get_timeout(); 1148 1149 ret->new_session_cb=NULL; 1150 ret->remove_session_cb=NULL; 1151 ret->get_session_cb=NULL; 1152 1153 memset((char *)&ret->stats,0,sizeof(ret->stats)); 1154 1155 ret->references=1; 1156 ret->quiet_shutdown=0; 1157 1158 /* ret->cipher=NULL;*/ 1159 /* ret->s2->challenge=NULL; 1160 ret->master_key=NULL; 1161 ret->key_arg=NULL; 1162 ret->s2->conn_id=NULL; */ 1163 1164 ret->info_callback=NULL; 1165 1166 ret->app_verify_callback=NULL; 1167 ret->app_verify_arg=NULL; 1168 1169 ret->read_ahead=0; 1170 ret->verify_mode=SSL_VERIFY_NONE; 1171 ret->verify_depth=-1; /* Don't impose a limit (but x509_lu.c does) */ 1172 ret->default_verify_callback=NULL; 1173 if ((ret->cert=ssl_cert_new()) == NULL) 1174 goto err; 1175 1176 ret->default_passwd_callback=NULL; 1177 ret->default_passwd_callback_userdata=NULL; 1178 ret->client_cert_cb=NULL; 1179 1180 ret->sessions=lh_new(SSL_SESSION_hash,SSL_SESSION_cmp); 1181 if (ret->sessions == NULL) goto err; 1182 ret->cert_store=X509_STORE_new(); 1183 if (ret->cert_store == NULL) goto err; 1184 1185 ssl_create_cipher_list(ret->method, 1186 &ret->cipher_list,&ret->cipher_list_by_id, 1187 SSL_DEFAULT_CIPHER_LIST); 1188 if (ret->cipher_list == NULL 1189 || sk_SSL_CIPHER_num(ret->cipher_list) <= 0) 1190 { 1191 SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_LIBRARY_HAS_NO_CIPHERS); 1192 goto err2; 1193 } 1194 1195 if ((ret->rsa_md5=EVP_get_digestbyname("ssl2-md5")) == NULL) 1196 { 1197 SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_UNABLE_TO_LOAD_SSL2_MD5_ROUTINES); 1198 goto err2; 1199 } 1200 if ((ret->md5=EVP_get_digestbyname("ssl3-md5")) == NULL) 1201 { 1202 SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES); 1203 goto err2; 1204 } 1205 if ((ret->sha1=EVP_get_digestbyname("ssl3-sha1")) == NULL) 1206 { 1207 SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES); 1208 goto err2; 1209 } 1210 1211 if ((ret->client_CA=sk_X509_NAME_new_null()) == NULL) 1212 goto err; 1213 1214 CRYPTO_new_ex_data(ssl_ctx_meth,(char *)ret,&ret->ex_data); 1215 1216 ret->extra_certs=NULL; 1217 ret->comp_methods=SSL_COMP_get_compression_methods(); 1218 1219 return(ret); 1220 err: 1221 SSLerr(SSL_F_SSL_CTX_NEW,ERR_R_MALLOC_FAILURE); 1222 err2: 1223 if (ret != NULL) SSL_CTX_free(ret); 1224 return(NULL); 1225 } 1226 1227 static void SSL_COMP_free(SSL_COMP *comp) 1228 { OPENSSL_free(comp); } 1229 1230 void SSL_CTX_free(SSL_CTX *a) 1231 { 1232 int i; 1233 1234 if (a == NULL) return; 1235 1236 i=CRYPTO_add(&a->references,-1,CRYPTO_LOCK_SSL_CTX); 1237 #ifdef REF_PRINT 1238 REF_PRINT("SSL_CTX",a); 1239 #endif 1240 if (i > 0) return; 1241 #ifdef REF_CHECK 1242 if (i < 0) 1243 { 1244 fprintf(stderr,"SSL_CTX_free, bad reference count\n"); 1245 abort(); /* ok */ 1246 } 1247 #endif 1248 CRYPTO_free_ex_data(ssl_ctx_meth,(char *)a,&a->ex_data); 1249 1250 if (a->sessions != NULL) 1251 { 1252 SSL_CTX_flush_sessions(a,0); 1253 lh_free(a->sessions); 1254 } 1255 if (a->cert_store != NULL) 1256 X509_STORE_free(a->cert_store); 1257 if (a->cipher_list != NULL) 1258 sk_SSL_CIPHER_free(a->cipher_list); 1259 if (a->cipher_list_by_id != NULL) 1260 sk_SSL_CIPHER_free(a->cipher_list_by_id); 1261 if (a->cert != NULL) 1262 ssl_cert_free(a->cert); 1263 if (a->client_CA != NULL) 1264 sk_X509_NAME_pop_free(a->client_CA,X509_NAME_free); 1265 if (a->extra_certs != NULL) 1266 sk_X509_pop_free(a->extra_certs,X509_free); 1267 if (a->comp_methods != NULL) 1268 sk_SSL_COMP_pop_free(a->comp_methods,SSL_COMP_free); 1269 OPENSSL_free(a); 1270 } 1271 1272 void SSL_CTX_set_default_passwd_cb(SSL_CTX *ctx, pem_password_cb *cb) 1273 { 1274 ctx->default_passwd_callback=cb; 1275 } 1276 1277 void SSL_CTX_set_default_passwd_cb_userdata(SSL_CTX *ctx,void *u) 1278 { 1279 ctx->default_passwd_callback_userdata=u; 1280 } 1281 1282 void SSL_CTX_set_cert_verify_callback(SSL_CTX *ctx,int (*cb)(),char *arg) 1283 { 1284 /* now 1285 * int (*cb)(X509_STORE_CTX *), 1286 * but should be 1287 * int (*cb)(X509_STORE_CTX *, void *arg) 1288 */ 1289 ctx->app_verify_callback=cb; 1290 ctx->app_verify_arg=arg; /* never used */ 1291 } 1292 1293 void SSL_CTX_set_verify(SSL_CTX *ctx,int mode,int (*cb)(int, X509_STORE_CTX *)) 1294 { 1295 ctx->verify_mode=mode; 1296 ctx->default_verify_callback=cb; 1297 } 1298 1299 void SSL_CTX_set_verify_depth(SSL_CTX *ctx,int depth) 1300 { 1301 ctx->verify_depth=depth; 1302 } 1303 1304 void ssl_set_cert_masks(CERT *c, SSL_CIPHER *cipher) 1305 { 1306 CERT_PKEY *cpk; 1307 int rsa_enc,rsa_tmp,rsa_sign,dh_tmp,dh_rsa,dh_dsa,dsa_sign; 1308 int rsa_enc_export,dh_rsa_export,dh_dsa_export; 1309 int rsa_tmp_export,dh_tmp_export,kl; 1310 unsigned long mask,emask; 1311 1312 if (c == NULL) return; 1313 1314 kl=SSL_C_EXPORT_PKEYLENGTH(cipher); 1315 1316 #ifndef NO_RSA 1317 rsa_tmp=(c->rsa_tmp != NULL || c->rsa_tmp_cb != NULL); 1318 rsa_tmp_export=(c->rsa_tmp_cb != NULL || 1319 (rsa_tmp && RSA_size(c->rsa_tmp)*8 <= kl)); 1320 #else 1321 rsa_tmp=rsa_tmp_export=0; 1322 #endif 1323 #ifndef NO_DH 1324 dh_tmp=(c->dh_tmp != NULL || c->dh_tmp_cb != NULL); 1325 dh_tmp_export=(c->dh_tmp_cb != NULL || 1326 (dh_tmp && DH_size(c->dh_tmp)*8 <= kl)); 1327 #else 1328 dh_tmp=dh_tmp_export=0; 1329 #endif 1330 1331 cpk= &(c->pkeys[SSL_PKEY_RSA_ENC]); 1332 rsa_enc= (cpk->x509 != NULL && cpk->privatekey != NULL); 1333 rsa_enc_export=(rsa_enc && EVP_PKEY_size(cpk->privatekey)*8 <= kl); 1334 cpk= &(c->pkeys[SSL_PKEY_RSA_SIGN]); 1335 rsa_sign=(cpk->x509 != NULL && cpk->privatekey != NULL); 1336 cpk= &(c->pkeys[SSL_PKEY_DSA_SIGN]); 1337 dsa_sign=(cpk->x509 != NULL && cpk->privatekey != NULL); 1338 cpk= &(c->pkeys[SSL_PKEY_DH_RSA]); 1339 dh_rsa= (cpk->x509 != NULL && cpk->privatekey != NULL); 1340 dh_rsa_export=(dh_rsa && EVP_PKEY_size(cpk->privatekey)*8 <= kl); 1341 cpk= &(c->pkeys[SSL_PKEY_DH_DSA]); 1342 /* FIX THIS EAY EAY EAY */ 1343 dh_dsa= (cpk->x509 != NULL && cpk->privatekey != NULL); 1344 dh_dsa_export=(dh_dsa && EVP_PKEY_size(cpk->privatekey)*8 <= kl); 1345 1346 mask=0; 1347 emask=0; 1348 1349 #ifdef CIPHER_DEBUG 1350 printf("rt=%d rte=%d dht=%d re=%d ree=%d rs=%d ds=%d dhr=%d dhd=%d\n", 1351 rsa_tmp,rsa_tmp_export,dh_tmp, 1352 rsa_enc,rsa_enc_export,rsa_sign,dsa_sign,dh_rsa,dh_dsa); 1353 #endif 1354 1355 if (rsa_enc || (rsa_tmp && rsa_sign)) 1356 mask|=SSL_kRSA; 1357 if (rsa_enc_export || (rsa_tmp_export && (rsa_sign || rsa_enc))) 1358 emask|=SSL_kRSA; 1359 1360 #if 0 1361 /* The match needs to be both kEDH and aRSA or aDSA, so don't worry */ 1362 if ( (dh_tmp || dh_rsa || dh_dsa) && 1363 (rsa_enc || rsa_sign || dsa_sign)) 1364 mask|=SSL_kEDH; 1365 if ((dh_tmp_export || dh_rsa_export || dh_dsa_export) && 1366 (rsa_enc || rsa_sign || dsa_sign)) 1367 emask|=SSL_kEDH; 1368 #endif 1369 1370 if (dh_tmp_export) 1371 emask|=SSL_kEDH; 1372 1373 if (dh_tmp) 1374 mask|=SSL_kEDH; 1375 1376 if (dh_rsa) mask|=SSL_kDHr; 1377 if (dh_rsa_export) emask|=SSL_kDHr; 1378 1379 if (dh_dsa) mask|=SSL_kDHd; 1380 if (dh_dsa_export) emask|=SSL_kDHd; 1381 1382 if (rsa_enc || rsa_sign) 1383 { 1384 mask|=SSL_aRSA; 1385 emask|=SSL_aRSA; 1386 } 1387 1388 if (dsa_sign) 1389 { 1390 mask|=SSL_aDSS; 1391 emask|=SSL_aDSS; 1392 } 1393 1394 mask|=SSL_aNULL; 1395 emask|=SSL_aNULL; 1396 1397 c->mask=mask; 1398 c->export_mask=emask; 1399 c->valid=1; 1400 } 1401 1402 /* THIS NEEDS CLEANING UP */ 1403 X509 *ssl_get_server_send_cert(SSL *s) 1404 { 1405 unsigned long alg,mask,kalg; 1406 CERT *c; 1407 int i,is_export; 1408 1409 c=s->cert; 1410 ssl_set_cert_masks(c, s->s3->tmp.new_cipher); 1411 alg=s->s3->tmp.new_cipher->algorithms; 1412 is_export=SSL_C_IS_EXPORT(s->s3->tmp.new_cipher); 1413 mask=is_export?c->export_mask:c->mask; 1414 kalg=alg&(SSL_MKEY_MASK|SSL_AUTH_MASK); 1415 1416 if (kalg & SSL_kDHr) 1417 i=SSL_PKEY_DH_RSA; 1418 else if (kalg & SSL_kDHd) 1419 i=SSL_PKEY_DH_DSA; 1420 else if (kalg & SSL_aDSS) 1421 i=SSL_PKEY_DSA_SIGN; 1422 else if (kalg & SSL_aRSA) 1423 { 1424 if (c->pkeys[SSL_PKEY_RSA_ENC].x509 == NULL) 1425 i=SSL_PKEY_RSA_SIGN; 1426 else 1427 i=SSL_PKEY_RSA_ENC; 1428 } 1429 else /* if (kalg & SSL_aNULL) */ 1430 { 1431 SSLerr(SSL_F_SSL_GET_SERVER_SEND_CERT,SSL_R_INTERNAL_ERROR); 1432 return(NULL); 1433 } 1434 if (c->pkeys[i].x509 == NULL) return(NULL); 1435 return(c->pkeys[i].x509); 1436 } 1437 1438 EVP_PKEY *ssl_get_sign_pkey(SSL *s,SSL_CIPHER *cipher) 1439 { 1440 unsigned long alg; 1441 CERT *c; 1442 1443 alg=cipher->algorithms; 1444 c=s->cert; 1445 1446 if ((alg & SSL_aDSS) && 1447 (c->pkeys[SSL_PKEY_DSA_SIGN].privatekey != NULL)) 1448 return(c->pkeys[SSL_PKEY_DSA_SIGN].privatekey); 1449 else if (alg & SSL_aRSA) 1450 { 1451 if (c->pkeys[SSL_PKEY_RSA_SIGN].privatekey != NULL) 1452 return(c->pkeys[SSL_PKEY_RSA_SIGN].privatekey); 1453 else if (c->pkeys[SSL_PKEY_RSA_ENC].privatekey != NULL) 1454 return(c->pkeys[SSL_PKEY_RSA_ENC].privatekey); 1455 else 1456 return(NULL); 1457 } 1458 else /* if (alg & SSL_aNULL) */ 1459 { 1460 SSLerr(SSL_F_SSL_GET_SIGN_PKEY,SSL_R_INTERNAL_ERROR); 1461 return(NULL); 1462 } 1463 } 1464 1465 void ssl_update_cache(SSL *s,int mode) 1466 { 1467 int i; 1468 1469 /* If the session_id_length is 0, we are not supposed to cache it, 1470 * and it would be rather hard to do anyway :-) */ 1471 if (s->session->session_id_length == 0) return; 1472 1473 i=s->ctx->session_cache_mode; 1474 if ((i & mode) && (!s->hit) 1475 && ((i & SSL_SESS_CACHE_NO_INTERNAL_LOOKUP) 1476 || SSL_CTX_add_session(s->ctx,s->session)) 1477 && (s->ctx->new_session_cb != NULL)) 1478 { 1479 CRYPTO_add(&s->session->references,1,CRYPTO_LOCK_SSL_SESSION); 1480 if (!s->ctx->new_session_cb(s,s->session)) 1481 SSL_SESSION_free(s->session); 1482 } 1483 1484 /* auto flush every 255 connections */ 1485 if ((!(i & SSL_SESS_CACHE_NO_AUTO_CLEAR)) && 1486 ((i & mode) == mode)) 1487 { 1488 if ( (((mode & SSL_SESS_CACHE_CLIENT) 1489 ?s->ctx->stats.sess_connect_good 1490 :s->ctx->stats.sess_accept_good) & 0xff) == 0xff) 1491 { 1492 SSL_CTX_flush_sessions(s->ctx,time(NULL)); 1493 } 1494 } 1495 } 1496 1497 SSL_METHOD *SSL_get_ssl_method(SSL *s) 1498 { 1499 return(s->method); 1500 } 1501 1502 int SSL_set_ssl_method(SSL *s,SSL_METHOD *meth) 1503 { 1504 int conn= -1; 1505 int ret=1; 1506 1507 if (s->method != meth) 1508 { 1509 if (s->handshake_func != NULL) 1510 conn=(s->handshake_func == s->method->ssl_connect); 1511 1512 if (s->method->version == meth->version) 1513 s->method=meth; 1514 else 1515 { 1516 s->method->ssl_free(s); 1517 s->method=meth; 1518 ret=s->method->ssl_new(s); 1519 } 1520 1521 if (conn == 1) 1522 s->handshake_func=meth->ssl_connect; 1523 else if (conn == 0) 1524 s->handshake_func=meth->ssl_accept; 1525 } 1526 return(ret); 1527 } 1528 1529 int SSL_get_error(SSL *s,int i) 1530 { 1531 int reason; 1532 unsigned long l; 1533 BIO *bio; 1534 1535 if (i > 0) return(SSL_ERROR_NONE); 1536 1537 /* Make things return SSL_ERROR_SYSCALL when doing SSL_do_handshake 1538 * etc, where we do encode the error */ 1539 if ((l=ERR_peek_error()) != 0) 1540 { 1541 if (ERR_GET_LIB(l) == ERR_LIB_SYS) 1542 return(SSL_ERROR_SYSCALL); 1543 else 1544 return(SSL_ERROR_SSL); 1545 } 1546 1547 if ((i < 0) && SSL_want_read(s)) 1548 { 1549 bio=SSL_get_rbio(s); 1550 if (BIO_should_read(bio)) 1551 return(SSL_ERROR_WANT_READ); 1552 else if (BIO_should_write(bio)) 1553 /* This one doesn't make too much sense ... We never try 1554 * to write to the rbio, and an application program where 1555 * rbio and wbio are separate couldn't even know what it 1556 * should wait for. 1557 * However if we ever set s->rwstate incorrectly 1558 * (so that we have SSL_want_read(s) instead of 1559 * SSL_want_write(s)) and rbio and wbio *are* the same, 1560 * this test works around that bug; so it might be safer 1561 * to keep it. */ 1562 return(SSL_ERROR_WANT_WRITE); 1563 else if (BIO_should_io_special(bio)) 1564 { 1565 reason=BIO_get_retry_reason(bio); 1566 if (reason == BIO_RR_CONNECT) 1567 return(SSL_ERROR_WANT_CONNECT); 1568 else 1569 return(SSL_ERROR_SYSCALL); /* unknown */ 1570 } 1571 } 1572 1573 if ((i < 0) && SSL_want_write(s)) 1574 { 1575 bio=SSL_get_wbio(s); 1576 if (BIO_should_write(bio)) 1577 return(SSL_ERROR_WANT_WRITE); 1578 else if (BIO_should_read(bio)) 1579 /* See above (SSL_want_read(s) with BIO_should_write(bio)) */ 1580 return(SSL_ERROR_WANT_READ); 1581 else if (BIO_should_io_special(bio)) 1582 { 1583 reason=BIO_get_retry_reason(bio); 1584 if (reason == BIO_RR_CONNECT) 1585 return(SSL_ERROR_WANT_CONNECT); 1586 else 1587 return(SSL_ERROR_SYSCALL); 1588 } 1589 } 1590 if ((i < 0) && SSL_want_x509_lookup(s)) 1591 { 1592 return(SSL_ERROR_WANT_X509_LOOKUP); 1593 } 1594 1595 if (i == 0) 1596 { 1597 if (s->version == SSL2_VERSION) 1598 { 1599 /* assume it is the socket being closed */ 1600 return(SSL_ERROR_ZERO_RETURN); 1601 } 1602 else 1603 { 1604 if ((s->shutdown & SSL_RECEIVED_SHUTDOWN) && 1605 (s->s3->warn_alert == SSL_AD_CLOSE_NOTIFY)) 1606 return(SSL_ERROR_ZERO_RETURN); 1607 } 1608 } 1609 return(SSL_ERROR_SYSCALL); 1610 } 1611 1612 int SSL_do_handshake(SSL *s) 1613 { 1614 int ret=1; 1615 1616 if (s->handshake_func == NULL) 1617 { 1618 SSLerr(SSL_F_SSL_DO_HANDSHAKE,SSL_R_CONNECTION_TYPE_NOT_SET); 1619 return(-1); 1620 } 1621 1622 s->method->ssl_renegotiate_check(s); 1623 1624 if (SSL_in_init(s) || SSL_in_before(s)) 1625 { 1626 ret=s->handshake_func(s); 1627 } 1628 return(ret); 1629 } 1630 1631 /* For the next 2 functions, SSL_clear() sets shutdown and so 1632 * one of these calls will reset it */ 1633 void SSL_set_accept_state(SSL *s) 1634 { 1635 s->server=1; 1636 s->shutdown=0; 1637 s->state=SSL_ST_ACCEPT|SSL_ST_BEFORE; 1638 s->handshake_func=s->method->ssl_accept; 1639 /* clear the current cipher */ 1640 ssl_clear_cipher_ctx(s); 1641 } 1642 1643 void SSL_set_connect_state(SSL *s) 1644 { 1645 s->server=0; 1646 s->shutdown=0; 1647 s->state=SSL_ST_CONNECT|SSL_ST_BEFORE; 1648 s->handshake_func=s->method->ssl_connect; 1649 /* clear the current cipher */ 1650 ssl_clear_cipher_ctx(s); 1651 } 1652 1653 int ssl_undefined_function(SSL *s) 1654 { 1655 SSLerr(SSL_F_SSL_UNDEFINED_FUNCTION,ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 1656 return(0); 1657 } 1658 1659 SSL_METHOD *ssl_bad_method(int ver) 1660 { 1661 SSLerr(SSL_F_SSL_BAD_METHOD,ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 1662 return(NULL); 1663 } 1664 1665 const char *SSL_get_version(SSL *s) 1666 { 1667 if (s->version == TLS1_VERSION) 1668 return("TLSv1"); 1669 else if (s->version == SSL3_VERSION) 1670 return("SSLv3"); 1671 else if (s->version == SSL2_VERSION) 1672 return("SSLv2"); 1673 else 1674 return("unknown"); 1675 } 1676 1677 SSL *SSL_dup(SSL *s) 1678 { 1679 STACK_OF(X509_NAME) *sk; 1680 X509_NAME *xn; 1681 SSL *ret; 1682 int i; 1683 1684 if ((ret=SSL_new(SSL_get_SSL_CTX(s))) == NULL) 1685 return(NULL); 1686 1687 if (s->session != NULL) 1688 { 1689 /* This copies session-id, SSL_METHOD, sid_ctx, and 'cert' */ 1690 SSL_copy_session_id(ret,s); 1691 } 1692 else 1693 { 1694 /* No session has been established yet, so we have to expect 1695 * that s->cert or ret->cert will be changed later -- 1696 * they should not both point to the same object, 1697 * and thus we can't use SSL_copy_session_id. */ 1698 1699 ret->method = s->method; 1700 ret->method->ssl_new(ret); 1701 1702 if (s->cert != NULL) 1703 { 1704 if (ret->cert != NULL) 1705 { 1706 ssl_cert_free(ret->cert); 1707 } 1708 ret->cert = ssl_cert_dup(s->cert); 1709 if (ret->cert == NULL) 1710 goto err; 1711 } 1712 1713 SSL_set_session_id_context(ret, 1714 s->sid_ctx, s->sid_ctx_length); 1715 } 1716 1717 SSL_set_read_ahead(ret,SSL_get_read_ahead(s)); 1718 SSL_set_verify(ret,SSL_get_verify_mode(s), 1719 SSL_get_verify_callback(s)); 1720 SSL_set_verify_depth(ret,SSL_get_verify_depth(s)); 1721 1722 SSL_set_info_callback(ret,SSL_get_info_callback(s)); 1723 1724 ret->debug=s->debug; 1725 ret->options=s->options; 1726 1727 /* copy app data, a little dangerous perhaps */ 1728 if (!CRYPTO_dup_ex_data(ssl_meth,&ret->ex_data,&s->ex_data)) 1729 goto err; 1730 1731 /* setup rbio, and wbio */ 1732 if (s->rbio != NULL) 1733 { 1734 if (!BIO_dup_state(s->rbio,(char *)&ret->rbio)) 1735 goto err; 1736 } 1737 if (s->wbio != NULL) 1738 { 1739 if (s->wbio != s->rbio) 1740 { 1741 if (!BIO_dup_state(s->wbio,(char *)&ret->wbio)) 1742 goto err; 1743 } 1744 else 1745 ret->wbio=ret->rbio; 1746 } 1747 1748 /* dup the cipher_list and cipher_list_by_id stacks */ 1749 if (s->cipher_list != NULL) 1750 { 1751 if ((ret->cipher_list=sk_SSL_CIPHER_dup(s->cipher_list)) == NULL) 1752 goto err; 1753 } 1754 if (s->cipher_list_by_id != NULL) 1755 if ((ret->cipher_list_by_id=sk_SSL_CIPHER_dup(s->cipher_list_by_id)) 1756 == NULL) 1757 goto err; 1758 1759 /* Dup the client_CA list */ 1760 if (s->client_CA != NULL) 1761 { 1762 if ((sk=sk_X509_NAME_dup(s->client_CA)) == NULL) goto err; 1763 ret->client_CA=sk; 1764 for (i=0; i<sk_X509_NAME_num(sk); i++) 1765 { 1766 xn=sk_X509_NAME_value(sk,i); 1767 if (sk_X509_NAME_set(sk,i,X509_NAME_dup(xn)) == NULL) 1768 { 1769 X509_NAME_free(xn); 1770 goto err; 1771 } 1772 } 1773 } 1774 1775 ret->shutdown=s->shutdown; 1776 ret->state=s->state; 1777 ret->handshake_func=s->handshake_func; 1778 ret->server=s->server; 1779 1780 if (0) 1781 { 1782 err: 1783 if (ret != NULL) SSL_free(ret); 1784 ret=NULL; 1785 } 1786 return(ret); 1787 } 1788 1789 void ssl_clear_cipher_ctx(SSL *s) 1790 { 1791 if (s->enc_read_ctx != NULL) 1792 { 1793 EVP_CIPHER_CTX_cleanup(s->enc_read_ctx); 1794 OPENSSL_free(s->enc_read_ctx); 1795 s->enc_read_ctx=NULL; 1796 } 1797 if (s->enc_write_ctx != NULL) 1798 { 1799 EVP_CIPHER_CTX_cleanup(s->enc_write_ctx); 1800 OPENSSL_free(s->enc_write_ctx); 1801 s->enc_write_ctx=NULL; 1802 } 1803 if (s->expand != NULL) 1804 { 1805 COMP_CTX_free(s->expand); 1806 s->expand=NULL; 1807 } 1808 if (s->compress != NULL) 1809 { 1810 COMP_CTX_free(s->compress); 1811 s->compress=NULL; 1812 } 1813 } 1814 1815 /* Fix this function so that it takes an optional type parameter */ 1816 X509 *SSL_get_certificate(SSL *s) 1817 { 1818 if (s->cert != NULL) 1819 return(s->cert->key->x509); 1820 else 1821 return(NULL); 1822 } 1823 1824 /* Fix this function so that it takes an optional type parameter */ 1825 EVP_PKEY *SSL_get_privatekey(SSL *s) 1826 { 1827 if (s->cert != NULL) 1828 return(s->cert->key->privatekey); 1829 else 1830 return(NULL); 1831 } 1832 1833 SSL_CIPHER *SSL_get_current_cipher(SSL *s) 1834 { 1835 if ((s->session != NULL) && (s->session->cipher != NULL)) 1836 return(s->session->cipher); 1837 return(NULL); 1838 } 1839 1840 int ssl_init_wbio_buffer(SSL *s,int push) 1841 { 1842 BIO *bbio; 1843 1844 if (s->bbio == NULL) 1845 { 1846 bbio=BIO_new(BIO_f_buffer()); 1847 if (bbio == NULL) return(0); 1848 s->bbio=bbio; 1849 } 1850 else 1851 { 1852 bbio=s->bbio; 1853 if (s->bbio == s->wbio) 1854 s->wbio=BIO_pop(s->wbio); 1855 } 1856 (void)BIO_reset(bbio); 1857 /* if (!BIO_set_write_buffer_size(bbio,16*1024)) */ 1858 if (!BIO_set_read_buffer_size(bbio,1)) 1859 { 1860 SSLerr(SSL_F_SSL_INIT_WBIO_BUFFER,ERR_R_BUF_LIB); 1861 return(0); 1862 } 1863 if (push) 1864 { 1865 if (s->wbio != bbio) 1866 s->wbio=BIO_push(bbio,s->wbio); 1867 } 1868 else 1869 { 1870 if (s->wbio == bbio) 1871 s->wbio=BIO_pop(bbio); 1872 } 1873 return(1); 1874 } 1875 1876 void ssl_free_wbio_buffer(SSL *s) 1877 { 1878 if (s->bbio == NULL) return; 1879 1880 if (s->bbio == s->wbio) 1881 { 1882 /* remove buffering */ 1883 s->wbio=BIO_pop(s->wbio); 1884 #ifdef REF_CHECK /* not the usual REF_CHECK, but this avoids adding one more preprocessor symbol */ 1885 assert(s->wbio != NULL); 1886 #endif 1887 } 1888 BIO_free(s->bbio); 1889 s->bbio=NULL; 1890 } 1891 1892 void SSL_CTX_set_quiet_shutdown(SSL_CTX *ctx,int mode) 1893 { 1894 ctx->quiet_shutdown=mode; 1895 } 1896 1897 int SSL_CTX_get_quiet_shutdown(SSL_CTX *ctx) 1898 { 1899 return(ctx->quiet_shutdown); 1900 } 1901 1902 void SSL_set_quiet_shutdown(SSL *s,int mode) 1903 { 1904 s->quiet_shutdown=mode; 1905 } 1906 1907 int SSL_get_quiet_shutdown(SSL *s) 1908 { 1909 return(s->quiet_shutdown); 1910 } 1911 1912 void SSL_set_shutdown(SSL *s,int mode) 1913 { 1914 s->shutdown=mode; 1915 } 1916 1917 int SSL_get_shutdown(SSL *s) 1918 { 1919 return(s->shutdown); 1920 } 1921 1922 int SSL_version(SSL *s) 1923 { 1924 return(s->version); 1925 } 1926 1927 SSL_CTX *SSL_get_SSL_CTX(SSL *ssl) 1928 { 1929 return(ssl->ctx); 1930 } 1931 1932 #ifndef NO_STDIO 1933 int SSL_CTX_set_default_verify_paths(SSL_CTX *ctx) 1934 { 1935 return(X509_STORE_set_default_paths(ctx->cert_store)); 1936 } 1937 1938 int SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile, 1939 const char *CApath) 1940 { 1941 return(X509_STORE_load_locations(ctx->cert_store,CAfile,CApath)); 1942 } 1943 #endif 1944 1945 void SSL_set_info_callback(SSL *ssl,void (*cb)()) 1946 { 1947 ssl->info_callback=cb; 1948 } 1949 1950 void (*SSL_get_info_callback(SSL *ssl))(void) 1951 { 1952 return((void (*)())ssl->info_callback); 1953 } 1954 1955 int SSL_state(SSL *ssl) 1956 { 1957 return(ssl->state); 1958 } 1959 1960 void SSL_set_verify_result(SSL *ssl,long arg) 1961 { 1962 ssl->verify_result=arg; 1963 } 1964 1965 long SSL_get_verify_result(SSL *ssl) 1966 { 1967 return(ssl->verify_result); 1968 } 1969 1970 int SSL_get_ex_new_index(long argl,void *argp,CRYPTO_EX_new *new_func, 1971 CRYPTO_EX_dup *dup_func,CRYPTO_EX_free *free_func) 1972 { 1973 ssl_meth_num++; 1974 return(CRYPTO_get_ex_new_index(ssl_meth_num-1, 1975 &ssl_meth,argl,argp,new_func,dup_func,free_func)); 1976 } 1977 1978 int SSL_set_ex_data(SSL *s,int idx,void *arg) 1979 { 1980 return(CRYPTO_set_ex_data(&s->ex_data,idx,arg)); 1981 } 1982 1983 void *SSL_get_ex_data(SSL *s,int idx) 1984 { 1985 return(CRYPTO_get_ex_data(&s->ex_data,idx)); 1986 } 1987 1988 int SSL_CTX_get_ex_new_index(long argl,void *argp,CRYPTO_EX_new *new_func, 1989 CRYPTO_EX_dup *dup_func,CRYPTO_EX_free *free_func) 1990 { 1991 ssl_ctx_meth_num++; 1992 return(CRYPTO_get_ex_new_index(ssl_ctx_meth_num-1, 1993 &ssl_ctx_meth,argl,argp,new_func,dup_func,free_func)); 1994 } 1995 1996 int SSL_CTX_set_ex_data(SSL_CTX *s,int idx,void *arg) 1997 { 1998 return(CRYPTO_set_ex_data(&s->ex_data,idx,arg)); 1999 } 2000 2001 void *SSL_CTX_get_ex_data(SSL_CTX *s,int idx) 2002 { 2003 return(CRYPTO_get_ex_data(&s->ex_data,idx)); 2004 } 2005 2006 int ssl_ok(SSL *s) 2007 { 2008 return(1); 2009 } 2010 2011 X509_STORE *SSL_CTX_get_cert_store(SSL_CTX *ctx) 2012 { 2013 return(ctx->cert_store); 2014 } 2015 2016 void SSL_CTX_set_cert_store(SSL_CTX *ctx,X509_STORE *store) 2017 { 2018 if (ctx->cert_store != NULL) 2019 X509_STORE_free(ctx->cert_store); 2020 ctx->cert_store=store; 2021 } 2022 2023 int SSL_want(SSL *s) 2024 { 2025 return(s->rwstate); 2026 } 2027 2028 /*! 2029 * \brief Set the callback for generating temporary RSA keys. 2030 * \param ctx the SSL context. 2031 * \param cb the callback 2032 */ 2033 2034 #ifndef NO_RSA 2035 void SSL_CTX_set_tmp_rsa_callback(SSL_CTX *ctx,RSA *(*cb)(SSL *ssl, 2036 int is_export, 2037 int keylength)) 2038 { 2039 SSL_CTX_callback_ctrl(ctx,SSL_CTRL_SET_TMP_RSA_CB,(void (*)())cb); 2040 } 2041 2042 void SSL_set_tmp_rsa_callback(SSL *ssl,RSA *(*cb)(SSL *ssl, 2043 int is_export, 2044 int keylength)) 2045 { 2046 SSL_callback_ctrl(ssl,SSL_CTRL_SET_TMP_RSA_CB,(void (*)())cb); 2047 } 2048 #endif 2049 2050 #ifdef DOXYGEN 2051 /*! 2052 * \brief The RSA temporary key callback function. 2053 * \param ssl the SSL session. 2054 * \param is_export \c TRUE if the temp RSA key is for an export ciphersuite. 2055 * \param keylength if \c is_export is \c TRUE, then \c keylength is the size 2056 * of the required key in bits. 2057 * \return the temporary RSA key. 2058 * \sa SSL_CTX_set_tmp_rsa_callback, SSL_set_tmp_rsa_callback 2059 */ 2060 2061 RSA *cb(SSL *ssl,int is_export,int keylength) 2062 {} 2063 #endif 2064 2065 /*! 2066 * \brief Set the callback for generating temporary DH keys. 2067 * \param ctx the SSL context. 2068 * \param dh the callback 2069 */ 2070 2071 #ifndef NO_DH 2072 void SSL_CTX_set_tmp_dh_callback(SSL_CTX *ctx,DH *(*dh)(SSL *ssl,int is_export, 2073 int keylength)) 2074 { 2075 SSL_CTX_callback_ctrl(ctx,SSL_CTRL_SET_TMP_DH_CB,(void (*)())dh); 2076 } 2077 2078 void SSL_set_tmp_dh_callback(SSL *ssl,DH *(*dh)(SSL *ssl,int is_export, 2079 int keylength)) 2080 { 2081 SSL_callback_ctrl(ssl,SSL_CTRL_SET_TMP_DH_CB,(void (*)())dh); 2082 } 2083 #endif 2084 2085 #if defined(_WINDLL) && defined(WIN16) 2086 #include "../crypto/bio/bss_file.c" 2087 #endif 2088 2089 IMPLEMENT_STACK_OF(SSL_CIPHER) 2090 IMPLEMENT_STACK_OF(SSL_COMP) 2091