Use #error in openssl/srp.h

[openssl.git] / ssl / s3_lib.c
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c

index 948e14e5a4769336a388ee7aa99ac3fa092009ad..e7f1898e8130e126fb1e6340a43bc2758d3f703b 100644 (file)
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -151,7 +151,6 @@
  #include <stdio.h>
  #include <openssl/objects.h>
  #include "ssl_locl.h"
-#include "kssl_lcl.h"
  #include <openssl/md5.h>
  #ifndef OPENSSL_NO_DH
  # include <openssl/dh.h>
@@ -159,7 +158,7 @@
  
  const char ssl3_version_str[] = "SSLv3" OPENSSL_VERSION_PTEXT;
  
-#define SSL3_NUM_CIPHERS        (sizeof(ssl3_ciphers)/sizeof(SSL_CIPHER))
+#define SSL3_NUM_CIPHERS        OSSL_NELEM(ssl3_ciphers)
  
  /* list of available SSLv3 ciphers (sorted by id) */
  OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
@@ -601,233 +600,6 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
       168,
       },
  
-#ifndef OPENSSL_NO_KRB5
-/* The Kerberos ciphers*/
-/* Cipher 1E */
-    {
-     1,
-     SSL3_TXT_KRB5_DES_64_CBC_SHA,
-     SSL3_CK_KRB5_DES_64_CBC_SHA,
-     SSL_kKRB5,
-     SSL_aKRB5,
-     SSL_DES,
-     SSL_SHA1,
-     SSL_SSLV3,
-     SSL_NOT_EXP | SSL_LOW,
-     SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
-     56,
-     56,
-     },
-
-/* Cipher 1F */
-    {
-     1,
-     SSL3_TXT_KRB5_DES_192_CBC3_SHA,
-     SSL3_CK_KRB5_DES_192_CBC3_SHA,
-     SSL_kKRB5,
-     SSL_aKRB5,
-     SSL_3DES,
-     SSL_SHA1,
-     SSL_SSLV3,
-     SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
-     SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
-     112,
-     168,
-     },
-
-/* Cipher 20 */
-    {
-     1,
-     SSL3_TXT_KRB5_RC4_128_SHA,
-     SSL3_CK_KRB5_RC4_128_SHA,
-     SSL_kKRB5,
-     SSL_aKRB5,
-     SSL_RC4,
-     SSL_SHA1,
-     SSL_SSLV3,
-     SSL_NOT_EXP | SSL_MEDIUM,
-     SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
-     128,
-     128,
-     },
-
-/* Cipher 21 */
-    {
-     1,
-     SSL3_TXT_KRB5_IDEA_128_CBC_SHA,
-     SSL3_CK_KRB5_IDEA_128_CBC_SHA,
-     SSL_kKRB5,
-     SSL_aKRB5,
-     SSL_IDEA,
-     SSL_SHA1,
-     SSL_SSLV3,
-     SSL_NOT_EXP | SSL_MEDIUM,
-     SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
-     128,
-     128,
-     },
-
-/* Cipher 22 */
-    {
-     1,
-     SSL3_TXT_KRB5_DES_64_CBC_MD5,
-     SSL3_CK_KRB5_DES_64_CBC_MD5,
-     SSL_kKRB5,
-     SSL_aKRB5,
-     SSL_DES,
-     SSL_MD5,
-     SSL_SSLV3,
-     SSL_NOT_EXP | SSL_LOW,
-     SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
-     56,
-     56,
-     },
-
-/* Cipher 23 */
-    {
-     1,
-     SSL3_TXT_KRB5_DES_192_CBC3_MD5,
-     SSL3_CK_KRB5_DES_192_CBC3_MD5,
-     SSL_kKRB5,
-     SSL_aKRB5,
-     SSL_3DES,
-     SSL_MD5,
-     SSL_SSLV3,
-     SSL_NOT_EXP | SSL_HIGH,
-     SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
-     112,
-     168,
-     },
-
-/* Cipher 24 */
-    {
-     1,
-     SSL3_TXT_KRB5_RC4_128_MD5,
-     SSL3_CK_KRB5_RC4_128_MD5,
-     SSL_kKRB5,
-     SSL_aKRB5,
-     SSL_RC4,
-     SSL_MD5,
-     SSL_SSLV3,
-     SSL_NOT_EXP | SSL_MEDIUM,
-     SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
-     128,
-     128,
-     },
-
-/* Cipher 25 */
-    {
-     1,
-     SSL3_TXT_KRB5_IDEA_128_CBC_MD5,
-     SSL3_CK_KRB5_IDEA_128_CBC_MD5,
-     SSL_kKRB5,
-     SSL_aKRB5,
-     SSL_IDEA,
-     SSL_MD5,
-     SSL_SSLV3,
-     SSL_NOT_EXP | SSL_MEDIUM,
-     SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
-     128,
-     128,
-     },
-
-/* Cipher 26 */
-    {
-     1,
-     SSL3_TXT_KRB5_DES_40_CBC_SHA,
-     SSL3_CK_KRB5_DES_40_CBC_SHA,
-     SSL_kKRB5,
-     SSL_aKRB5,
-     SSL_DES,
-     SSL_SHA1,
-     SSL_SSLV3,
-     SSL_EXPORT | SSL_EXP40,
-     SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
-     40,
-     56,
-     },
-
-/* Cipher 27 */
-    {
-     1,
-     SSL3_TXT_KRB5_RC2_40_CBC_SHA,
-     SSL3_CK_KRB5_RC2_40_CBC_SHA,
-     SSL_kKRB5,
-     SSL_aKRB5,
-     SSL_RC2,
-     SSL_SHA1,
-     SSL_SSLV3,
-     SSL_EXPORT | SSL_EXP40,
-     SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
-     40,
-     128,
-     },
-
-/* Cipher 28 */
-    {
-     1,
-     SSL3_TXT_KRB5_RC4_40_SHA,
-     SSL3_CK_KRB5_RC4_40_SHA,
-     SSL_kKRB5,
-     SSL_aKRB5,
-     SSL_RC4,
-     SSL_SHA1,
-     SSL_SSLV3,
-     SSL_EXPORT | SSL_EXP40,
-     SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
-     40,
-     128,
-     },
-
-/* Cipher 29 */
-    {
-     1,
-     SSL3_TXT_KRB5_DES_40_CBC_MD5,
-     SSL3_CK_KRB5_DES_40_CBC_MD5,
-     SSL_kKRB5,
-     SSL_aKRB5,
-     SSL_DES,
-     SSL_MD5,
-     SSL_SSLV3,
-     SSL_EXPORT | SSL_EXP40,
-     SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
-     40,
-     56,
-     },
-
-/* Cipher 2A */
-    {
-     1,
-     SSL3_TXT_KRB5_RC2_40_CBC_MD5,
-     SSL3_CK_KRB5_RC2_40_CBC_MD5,
-     SSL_kKRB5,
-     SSL_aKRB5,
-     SSL_RC2,
-     SSL_MD5,
-     SSL_SSLV3,
-     SSL_EXPORT | SSL_EXP40,
-     SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
-     40,
-     128,
-     },
-
-/* Cipher 2B */
-    {
-     1,
-     SSL3_TXT_KRB5_RC4_40_MD5,
-     SSL3_CK_KRB5_RC4_40_MD5,
-     SSL_kKRB5,
-     SSL_aKRB5,
-     SSL_RC4,
-     SSL_MD5,
-     SSL_SSLV3,
-     SSL_EXPORT | SSL_EXP40,
-     SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
-     40,
-     128,
-     },
-#endif                          /* OPENSSL_NO_KRB5 */
-
  /* New AES ciphersuites */
  /* Cipher 2F */
      {
@@ -1839,21 +1611,6 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
       256,
       256,
       },
-#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
-    {
-     1,
-     "SCSV",
-     SSL3_CK_SCSV,
-     0,
-     0,
-     0,
-     0,
-     0,
-     0,
-     0,
-     0,
-     0},
-#endif
  
  #ifndef OPENSSL_NO_CAMELLIA
      /* TLS 1.2 Camellia SHA-256 ciphersuites from RFC5932 */
@@ -2051,6 +1808,23 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
       },
  #endif
  
+#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
+    /* Cipher FF */
+    {
+     1,
+     "SCSV",
+     SSL3_CK_SCSV,
+     0,
+     0,
+     0,
+     0,
+     0,
+     0,
+     0,
+     0,
+     0},
+#endif
+
  #ifndef OPENSSL_NO_EC
      /* Cipher C001 */
      {
@@ -3078,15 +2852,6 @@ const SSL_CIPHER *ssl3_get_cipher(unsigned int u)
          return (NULL);
  }
  
-int ssl3_pending(const SSL *s)
-{
-    if (s->rstate == SSL_ST_READ_BODY)
-        return 0;
-
-    return (s->s3->rrec.type ==
-            SSL3_RT_APPLICATION_DATA) ? s->s3->rrec.length : 0;
-}
-
  int ssl3_set_handshake_header(SSL *s, int htype, unsigned long len)
  {
      unsigned char *p = (unsigned char *)s->init_buf->data;
@@ -3107,16 +2872,13 @@ int ssl3_new(SSL *s)
  {
      SSL3_STATE *s3;
  
-    if ((s3 = OPENSSL_malloc(sizeof *s3)) == NULL)
+    if ((s3 = OPENSSL_malloc(sizeof(*s3))) == NULL)
          goto err;
-    memset(s3, 0, sizeof *s3);
-    memset(s3->rrec.seq_num, 0, sizeof(s3->rrec.seq_num));
-    memset(s3->wrec.seq_num, 0, sizeof(s3->wrec.seq_num));
-
+    memset(s3, 0, sizeof(*s3));
      s->s3 = s3;
-
+    
  #ifndef OPENSSL_NO_SRP
-    if(!SSL_SRP_CTX_init(s))
+    if (!SSL_SRP_CTX_init(s))
            goto err;
  #endif
      s->method->ssl_clear(s);
@@ -3131,8 +2893,6 @@ void ssl3_free(SSL *s)
          return;
  
      ssl3_cleanup_key_block(s);
-    if (s->s3->rrec.comp != NULL)
-        OPENSSL_free(s->s3->rrec.comp);
  #ifndef OPENSSL_NO_DH
      DH_free(s->s3->tmp.dh);
  #endif
@@ -3140,21 +2900,18 @@ void ssl3_free(SSL *s)
      EC_KEY_free(s->s3->tmp.ecdh);
  #endif
  
-    if (s->s3->tmp.ca_names != NULL)
-        sk_X509_NAME_pop_free(s->s3->tmp.ca_names, X509_NAME_free);
+    sk_X509_NAME_pop_free(s->s3->tmp.ca_names, X509_NAME_free);
      BIO_free(s->s3->handshake_buffer);
      if (s->s3->handshake_dgst)
          ssl3_free_digest_list(s);
  #ifndef OPENSSL_NO_TLSEXT
-    if (s->s3->alpn_selected)
-        OPENSSL_free(s->s3->alpn_selected);
+    OPENSSL_free(s->s3->alpn_selected);
  #endif
  
  #ifndef OPENSSL_NO_SRP
      SSL_SRP_CTX_free(s);
  #endif
-    OPENSSL_cleanse(s->s3, sizeof *s->s3);
-    OPENSSL_free(s->s3);
+    OPENSSL_clear_free(s->s3, sizeof(*s->s3));
      s->s3 = NULL;
  }
  
@@ -3163,13 +2920,8 @@ void ssl3_clear(SSL *s)
      int init_extra;
  
      ssl3_cleanup_key_block(s);
-    if (s->s3->tmp.ca_names != NULL)
-        sk_X509_NAME_pop_free(s->s3->tmp.ca_names, X509_NAME_free);
+    sk_X509_NAME_pop_free(s->s3->tmp.ca_names, X509_NAME_free);
  
-    if (s->s3->rrec.comp != NULL) {
-        OPENSSL_free(s->s3->rrec.comp);
-        s->s3->rrec.comp = NULL;
-    }
  #ifndef OPENSSL_NO_DH
      DH_free(s->s3->tmp.dh);
      s->s3->tmp.dh = NULL;
@@ -3196,12 +2948,11 @@ void ssl3_clear(SSL *s)
          s->s3->alpn_selected = NULL;
      }
  #endif
-    memset(s->s3, 0, sizeof *s->s3);
+    memset(s->s3, 0, sizeof(*s->s3));
      s->s3->init_extra = init_extra;
  
      ssl_free_wbio_buffer(s);
  
-    s->packet_length = 0;
      s->s3->renegotiate = 0;
      s->s3->total_renegotiations = 0;
      s->s3->num_renegotiations = 0;
@@ -3209,11 +2960,9 @@ void ssl3_clear(SSL *s)
      s->version = SSL3_VERSION;
  
  #if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
-    if (s->next_proto_negotiated) {
-        OPENSSL_free(s->next_proto_negotiated);
-        s->next_proto_negotiated = NULL;
-        s->next_proto_negotiated_len = 0;
-    }
+    OPENSSL_free(s->next_proto_negotiated);
+    s->next_proto_negotiated = NULL;
+    s->next_proto_negotiated_len = 0;
  #endif
  }
  
@@ -3353,8 +3102,7 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
  #ifndef OPENSSL_NO_TLSEXT
      case SSL_CTRL_SET_TLSEXT_HOSTNAME:
          if (larg == TLSEXT_NAMETYPE_host_name) {
-            if (s->tlsext_hostname != NULL)
-                OPENSSL_free(s->tlsext_hostname);
+            OPENSSL_free(s->tlsext_hostname);
              s->tlsext_hostname = NULL;
  
              ret = 1;
@@ -3408,8 +3156,7 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
          return s->tlsext_ocsp_resplen;
  
      case SSL_CTRL_SET_TLSEXT_STATUS_REQ_OCSP_RESP:
-        if (s->tlsext_ocsp_resp)
-            OPENSSL_free(s->tlsext_ocsp_resp);
+        OPENSSL_free(s->tlsext_ocsp_resp);
          s->tlsext_ocsp_resp = parg;
          s->tlsext_ocsp_resplen = larg;
          ret = 1;
@@ -3596,7 +3343,6 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
              ptmp = EVP_PKEY_new();
              if (!ptmp)
                  return 0;
-            if (0) ;
  #ifndef OPENSSL_NO_RSA
              else if (sc->peer_rsa_tmp)
                  rv = EVP_PKEY_set1_RSA(ptmp, sc->peer_rsa_tmp);
@@ -3855,8 +3601,7 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
  # ifndef OPENSSL_NO_SRP
      case SSL_CTRL_SET_TLS_EXT_SRP_USERNAME:
          ctx->srp_ctx.srp_Mask |= SSL_kSRP;
-        if (ctx->srp_ctx.login != NULL)
-            OPENSSL_free(ctx->srp_ctx.login);
+        OPENSSL_free(ctx->srp_ctx.login);
          ctx->srp_ctx.login = NULL;
          if (parg == NULL)
              break;
@@ -3944,10 +3689,8 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
          break;
  
      case SSL_CTRL_CLEAR_EXTRA_CHAIN_CERTS:
-        if (ctx->extra_certs) {
-            sk_X509_pop_free(ctx->extra_certs, X509_free);
-            ctx->extra_certs = NULL;
-        }
+        sk_X509_pop_free(ctx->extra_certs, X509_free);
+        ctx->extra_certs = NULL;
          break;
  
      case SSL_CTRL_CHAIN:
@@ -4153,22 +3896,9 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
          }
  #endif
  
-#ifdef KSSL_DEBUG
-        /*
-         * fprintf(stderr,"ssl3_choose_cipher %d alg= %lx\n",
-         * i,c->algorithms);
-         */
-#endif                          /* KSSL_DEBUG */
-
          alg_k = c->algorithm_mkey;
          alg_a = c->algorithm_auth;
  
-#ifndef OPENSSL_NO_KRB5
-        if (alg_k & SSL_kKRB5) {
-            if (!kssl_keytab_is_available(s->kssl_ctx))
-                continue;
-        }
-#endif                          /* OPENSSL_NO_KRB5 */
  #ifndef OPENSSL_NO_PSK
          /* with PSK there must be server callback set */
          if ((alg_k & SSL_kPSK) && s->psk_server_callback == NULL)
@@ -4305,10 +4035,8 @@ int ssl3_get_req_cert_type(SSL *s, unsigned char *p)
  
  static int ssl3_set_req_cert_type(CERT *c, const unsigned char *p, size_t len)
  {
-    if (c->ctypes) {
-        OPENSSL_free(c->ctypes);
-        c->ctypes = NULL;
-    }
+    OPENSSL_free(c->ctypes);
+    c->ctypes = NULL;
      if (!p || !len)
          return 1;
      if (len > 0xff)
@@ -4480,8 +4208,8 @@ int ssl3_renegotiate_check(SSL *s)
      int ret = 0;
  
      if (s->s3->renegotiate) {
-        if ((SSL3_BUFFER_get_left(RECORD_LAYER_get_rbuf(&s->rlayer)) == 0)
-            && (SSL3_BUFFER_get_left(RECORD_LAYER_get_wbuf(&s->rlayer)) == 0)
+        if (!RECORD_LAYER_read_pending(&s->rlayer)
+            && !RECORD_LAYER_write_pending(&s->rlayer)
              && !SSL_in_init(s)) {
              /*
               * if we are the server, and we have sent a 'RENEGOTIATE'