* [including the GNU Public Licence.]
*/
/* ====================================================================
- * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved.
+ * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* ECC cipher suite support in OpenSSL originally developed by
* SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
*/
+/* ====================================================================
+ * Copyright 2005 Nokia. All rights reserved.
+ *
+ * The portions of the attached software ("Contribution") is developed by
+ * Nokia Corporation and is licensed pursuant to the OpenSSL open source
+ * license.
+ *
+ * The Contribution, originally written by Mika Kousa and Pasi Eronen of
+ * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
+ * support (see RFC 4279) to OpenSSL.
+ *
+ * No patent licenses or other rights except those expressly stated in
+ * the OpenSSL open source license shall be deemed granted or received
+ * expressly, by implication, estoppel, or otherwise.
+ *
+ * No assurances are provided by Nokia that the Contribution does not
+ * infringe the patent or other intellectual property rights of any third
+ * party or that the license provides you with all the necessary rights
+ * to make use of the Contribution.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
+ * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
+ * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
+ * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
+ * OTHERWISE.
+ */
#ifdef REF_CHECK
# include <assert.h>
#include <openssl/objects.h>
#include <openssl/lhash.h>
#include <openssl/x509v3.h>
+#ifndef OPENSSL_NO_DH
#include <openssl/dh.h>
+#endif
const char *SSL_version_str=OPENSSL_VERSION_TEXT;
ssl_undefined_function,
(int (*)(SSL *, unsigned char *, unsigned char *, int))ssl_undefined_function,
(int (*)(SSL*, int))ssl_undefined_function,
- (int (*)(SSL *, EVP_MD_CTX *, EVP_MD_CTX *, const char*, int, unsigned char *))ssl_undefined_function
+ (int (*)(SSL *, EVP_MD_CTX *, EVP_MD_CTX *, const char*, int, unsigned char *))ssl_undefined_function,
+ 0, /* finish_mac_length */
+ (int (*)(SSL *, EVP_MD_CTX *, unsigned char *))ssl_undefined_function,
+ NULL, /* client_finished_label */
+ 0, /* client_finished_label_len */
+ NULL, /* server_finished_label */
+ 0, /* server_finished_label_len */
+ (int (*)(int))ssl_undefined_function
};
int SSL_clear(SSL *s)
}
ssl_clear_cipher_ctx(s);
+ ssl_clear_hash_ctx(&s->read_hash);
+ ssl_clear_hash_ctx(&s->write_hash);
s->first_packet=0;
}
/** Used to change an SSL_CTXs default SSL method type */
-int SSL_CTX_set_ssl_version(SSL_CTX *ctx,SSL_METHOD *meth)
+int SSL_CTX_set_ssl_version(SSL_CTX *ctx,const SSL_METHOD *meth)
{
STACK_OF(SSL_CIPHER) *sk;
s->trust = ctx->trust;
#endif
s->quiet_shutdown=ctx->quiet_shutdown;
+ s->max_send_fragment = ctx->max_send_fragment;
CRYPTO_add(&ctx->references,1,CRYPTO_LOCK_SSL_CTX);
s->ctx=ctx;
+#ifndef OPENSSL_NO_TLSEXT
+ CRYPTO_add(&ctx->references,1,CRYPTO_LOCK_SSL_CTX);
+ s->initial_ctx=ctx;
+#endif
s->verify_result=X509_V_OK;
CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL, s, &s->ex_data);
+#ifndef OPENSSL_NO_PSK
+ s->psk_client_callback=ctx->psk_client_callback;
+ s->psk_server_callback=ctx->psk_server_callback;
+#endif
+
return(s);
err:
if (s != NULL)
}
ssl_clear_cipher_ctx(s);
+ ssl_clear_hash_ctx(&s->read_hash);
+ ssl_clear_hash_ctx(&s->write_hash);
if (s->cert != NULL) ssl_cert_free(s->cert);
/* Free up if allocated */
if (s->ctx) SSL_CTX_free(s->ctx);
+#ifndef OPENSSL_NO_TLSEXT
+ if (s->initial_ctx) SSL_CTX_free(s->initial_ctx);
+#ifndef OPENSSL_NO_EC
+ if (s->tlsext_ecpointformatlist) OPENSSL_free(s->tlsext_ecpointformatlist);
+ if (s->tlsext_ellipticcurvelist) OPENSSL_free(s->tlsext_ellipticcurvelist);
+#endif /* OPENSSL_NO_EC */
+#endif
if (s->client_CA != NULL)
sk_X509_NAME_pop_free(s->client_CA,X509_NAME_free);
}
if (ssl->cert == NULL)
{
- SSLerr(SSL_F_SSL_CHECK_PRIVATE_KEY,SSL_R_NO_CERTIFICATE_ASSIGNED);
+ SSLerr(SSL_F_SSL_CHECK_PRIVATE_KEY,SSL_R_NO_CERTIFICATE_ASSIGNED);
return 0;
}
if (ssl->cert->key->x509 == NULL)
return larg;
}
return 0;
+ case SSL_CTRL_SET_MAX_SEND_FRAGMENT:
+ if (larg < 512 || larg > SSL3_RT_MAX_PLAIN_LENGTH)
+ return 0;
+ s->max_send_fragment = larg;
+ return 1;
default:
return(s->method->ssl_ctrl(s,cmd,larg,parg));
}
return(ctx->options|=larg);
case SSL_CTRL_MODE:
return(ctx->mode|=larg);
+ case SSL_CTRL_SET_MAX_SEND_FRAGMENT:
+ if (larg < 512 || larg > SSL3_RT_MAX_PLAIN_LENGTH)
+ return 0;
+ ctx->max_send_fragment = larg;
+ return 1;
default:
return(ctx->method->ssl_ctx_ctrl(ctx,cmd,larg,parg));
}
/* ssl_create_cipher_list may return an empty stack if it
* was unable to find a cipher matching the given rule string
* (for example if the rule string specifies a cipher which
- * has been disabled). This is not an error as far as
- * ssl_create_cipher_list is concerned, and hence
+ * has been disabled). This is not an error as far as
+ * ssl_create_cipher_list is concerned, and hence
* ctx->cipher_list and ctx->cipher_list_by_id has been
* updated. */
if (sk == NULL)
c=sk_SSL_CIPHER_value(sk,i);
for (cp=c->name; *cp; )
{
- if (len-- == 0)
+ if (len-- <= 0)
{
*p='\0';
return(buf);
}
int ssl_cipher_list_to_bytes(SSL *s,STACK_OF(SSL_CIPHER) *sk,unsigned char *p,
- int (*put_cb)(const SSL_CIPHER *, unsigned char *))
+ int (*put_cb)(const SSL_CIPHER *, unsigned char *))
{
int i,j=0;
SSL_CIPHER *c;
unsigned char *q;
#ifndef OPENSSL_NO_KRB5
- int nokrb5 = !kssl_tgt_is_available(s->kssl_ctx);
+ int nokrb5 = !kssl_tgt_is_available(s->kssl_ctx);
#endif /* OPENSSL_NO_KRB5 */
if (sk == NULL) return(0);
{
c=sk_SSL_CIPHER_value(sk,i);
#ifndef OPENSSL_NO_KRB5
- if ((c->algorithms & SSL_KRB5) && nokrb5)
- continue;
-#endif /* OPENSSL_NO_KRB5 */
-
+ if (((c->algorithm_mkey & SSL_kKRB5) || (c->algorithm_auth & SSL_aKRB5)) &&
+ nokrb5)
+ continue;
+#endif /* OPENSSL_NO_KRB5 */
+#ifndef OPENSSL_NO_PSK
+ /* with PSK there must be client callback set */
+ if (((c->algorithm_mkey & SSL_kPSK) || (c->algorithm_auth & SSL_aPSK)) &&
+ s->psk_client_callback == NULL)
+ continue;
+#endif /* OPENSSL_NO_PSK */
j = put_cb ? put_cb(c,p) : ssl_put_cipher_by_char(s,c,p);
p+=j;
}
return(NULL);
}
+
+#ifndef OPENSSL_TLSEXT
+/** return a servername extension value if provided in Client Hello, or NULL.
+ * So far, only host_name types are defined (RFC 3546).
+ */
+
+const char *SSL_get_servername(const SSL *s, const int type)
+ {
+ if (type != TLSEXT_NAMETYPE_host_name)
+ return NULL;
+
+ return s->session && !s->tlsext_hostname ?
+ s->session->tlsext_hostname :
+ s->tlsext_hostname;
+ }
+
+int SSL_get_servername_type(const SSL *s)
+ {
+ if (s->session && (!s->tlsext_hostname ? s->session->tlsext_hostname : s->tlsext_hostname))
+ return TLSEXT_NAMETYPE_host_name;
+ return -1;
+ }
+#endif
+
unsigned long SSL_SESSION_hash(const SSL_SESSION *a)
{
unsigned long l;
static IMPLEMENT_LHASH_HASH_FN(SSL_SESSION_hash, SSL_SESSION *)
static IMPLEMENT_LHASH_COMP_FN(SSL_SESSION_cmp, SSL_SESSION *)
-SSL_CTX *SSL_CTX_new(SSL_METHOD *meth)
+SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth)
{
SSL_CTX *ret=NULL;
ret->extra_certs=NULL;
ret->comp_methods=SSL_COMP_get_compression_methods();
+ ret->max_send_fragment = SSL3_RT_MAX_PLAIN_LENGTH;
+
+#ifndef OPENSSL_NO_TLSEXT
+ ret->tlsext_servername_callback = 0;
+ ret->tlsext_servername_arg = NULL;
+#endif
+#ifndef OPENSSL_NO_PSK
+ ret->psk_identity_hint=NULL;
+ ret->psk_client_callback=NULL;
+ ret->psk_server_callback=NULL;
+#endif
return(ret);
err:
SSLerr(SSL_F_SSL_CTX_NEW,ERR_R_MALLOC_FAILURE);
#else
a->comp_methods = NULL;
#endif
+
+#ifndef OPENSSL_NO_PSK
+ if (a->psk_identity_hint)
+ OPENSSL_free(a->psk_identity_hint);
+#endif
OPENSSL_free(a);
}
int rsa_enc,rsa_tmp,rsa_sign,dh_tmp,dh_rsa,dh_dsa,dsa_sign;
int rsa_enc_export,dh_rsa_export,dh_dsa_export;
int rsa_tmp_export,dh_tmp_export,kl;
- unsigned long mask,emask;
- int have_ecc_cert, have_ecdh_tmp, ecdh_ok, ecdsa_ok, ecc_pkey_size;
+ unsigned long mask_k,mask_a,emask_k,emask_a;
+ int have_ecc_cert, ecdh_ok, ecdsa_ok, ecc_pkey_size;
+#ifndef OPENSSL_NO_ECDH
+ int have_ecdh_tmp;
+#endif
X509 *x = NULL;
EVP_PKEY *ecc_pkey = NULL;
int signature_nid = 0;
dh_dsa_export=(dh_dsa && EVP_PKEY_size(cpk->privatekey)*8 <= kl);
cpk= &(c->pkeys[SSL_PKEY_ECC]);
have_ecc_cert= (cpk->x509 != NULL && cpk->privatekey != NULL);
- mask=0;
- emask=0;
+ mask_k=0;
+ mask_a=0;
+ emask_k=0;
+ emask_a=0;
#ifdef CIPHER_DEBUG
- printf("rt=%d rte=%d dht=%d re=%d ree=%d rs=%d ds=%d dhr=%d dhd=%d\n",
- rsa_tmp,rsa_tmp_export,dh_tmp,
+ printf("rt=%d rte=%d dht=%d ecdht=%d re=%d ree=%d rs=%d ds=%d dhr=%d dhd=%d\n",
+ rsa_tmp,rsa_tmp_export,dh_tmp,have_ecdh_tmp,
rsa_enc,rsa_enc_export,rsa_sign,dsa_sign,dh_rsa,dh_dsa);
#endif
if (rsa_enc || (rsa_tmp && rsa_sign))
- mask|=SSL_kRSA;
+ mask_k|=SSL_kRSA;
if (rsa_enc_export || (rsa_tmp_export && (rsa_sign || rsa_enc)))
- emask|=SSL_kRSA;
+ emask_k|=SSL_kRSA;
#if 0
/* The match needs to be both kEDH and aRSA or aDSA, so don't worry */
- if ( (dh_tmp || dh_rsa || dh_dsa) &&
+ if ( (dh_tmp || dh_rsa || dh_dsa) &&
(rsa_enc || rsa_sign || dsa_sign))
- mask|=SSL_kEDH;
+ mask_k|=SSL_kEDH;
if ((dh_tmp_export || dh_rsa_export || dh_dsa_export) &&
(rsa_enc || rsa_sign || dsa_sign))
- emask|=SSL_kEDH;
+ emask_k|=SSL_kEDH;
#endif
- if (dh_tmp_export)
- emask|=SSL_kEDH;
+ if (dh_tmp_export)
+ emask_k|=SSL_kEDH;
if (dh_tmp)
- mask|=SSL_kEDH;
+ mask_k|=SSL_kEDH;
- if (dh_rsa) mask|=SSL_kDHr;
- if (dh_rsa_export) emask|=SSL_kDHr;
+ if (dh_rsa) mask_k|=SSL_kDHr;
+ if (dh_rsa_export) emask_k|=SSL_kDHr;
- if (dh_dsa) mask|=SSL_kDHd;
- if (dh_dsa_export) emask|=SSL_kDHd;
+ if (dh_dsa) mask_k|=SSL_kDHd;
+ if (dh_dsa_export) emask_k|=SSL_kDHd;
if (rsa_enc || rsa_sign)
{
- mask|=SSL_aRSA;
- emask|=SSL_aRSA;
+ mask_a|=SSL_aRSA;
+ emask_a|=SSL_aRSA;
}
if (dsa_sign)
{
- mask|=SSL_aDSS;
- emask|=SSL_aDSS;
+ mask_a|=SSL_aDSS;
+ emask_a|=SSL_aDSS;
}
- mask|=SSL_aNULL;
- emask|=SSL_aNULL;
+ mask_a|=SSL_aNULL;
+ emask_a|=SSL_aNULL;
#ifndef OPENSSL_NO_KRB5
- mask|=SSL_kKRB5|SSL_aKRB5;
- emask|=SSL_kKRB5|SSL_aKRB5;
+ mask_k|=SSL_kKRB5;
+ mask_a|=SSL_aKRB5;
+ emask_k|=SSL_kKRB5;
+ emask_a|=SSL_aKRB5;
#endif
/* An ECC certificate may be usable for ECDH and/or
*/
if (have_ecc_cert)
{
- /* This call populates extension flags (ex_flags) */
+ /* This call populates extension flags (ex_flags) */
x = (c->pkeys[SSL_PKEY_ECC]).x509;
X509_check_purpose(x, -1, 0);
ecdh_ok = (x->ex_flags & EXFLAG_KUSAGE) ?
ecdsa_ok = (x->ex_flags & EXFLAG_KUSAGE) ?
(x->ex_kusage & X509v3_KU_DIGITAL_SIGNATURE) : 1;
ecc_pkey = X509_get_pubkey(x);
- ecc_pkey_size = (ecc_pkey != NULL) ?
+ ecc_pkey_size = (ecc_pkey != NULL) ?
EVP_PKEY_bits(ecc_pkey) : 0;
EVP_PKEY_free(ecc_pkey);
if ((x->sig_alg) && (x->sig_alg->algorithm))
#ifndef OPENSSL_NO_ECDH
if (ecdh_ok)
{
- if ((signature_nid == NID_md5WithRSAEncryption) ||
- (signature_nid == NID_md4WithRSAEncryption) ||
- (signature_nid == NID_md2WithRSAEncryption))
+ const char *sig = OBJ_nid2ln(signature_nid);
+ if (sig == NULL)
{
- mask|=SSL_kECDH|SSL_aRSA;
+ ERR_clear_error();
+ sig = "unknown";
+ }
+
+ if (strstr(sig, "WithRSA"))
+ {
+ mask_k|=SSL_kECDHr;
+ mask_a|=SSL_aECDH;
if (ecc_pkey_size <= 163)
- emask|=SSL_kECDH|SSL_aRSA;
+ {
+ emask_k|=SSL_kECDHr;
+ emask_a|=SSL_aECDH;
+ }
}
+
if (signature_nid == NID_ecdsa_with_SHA1)
{
- mask|=SSL_kECDH|SSL_aECDSA;
+ mask_k|=SSL_kECDHe;
+ mask_a|=SSL_aECDH;
if (ecc_pkey_size <= 163)
- emask|=SSL_kECDH|SSL_aECDSA;
+ {
+ emask_k|=SSL_kECDHe;
+ emask_a|=SSL_aECDH;
+ }
}
}
#endif
#ifndef OPENSSL_NO_ECDSA
if (ecdsa_ok)
{
- mask|=SSL_aECDSA;
- emask|=SSL_aECDSA;
+ mask_a|=SSL_aECDSA;
+ emask_a|=SSL_aECDSA;
}
#endif
}
#ifndef OPENSSL_NO_ECDH
if (have_ecdh_tmp)
{
- mask|=SSL_kECDHE;
- emask|=SSL_kECDHE;
+ mask_k|=SSL_kEECDH;
+ emask_k|=SSL_kEECDH;
}
#endif
- c->mask=mask;
- c->export_mask=emask;
+
+#ifndef OPENSSL_NO_PSK
+ mask_k |= SSL_kPSK;
+ mask_a |= SSL_aPSK;
+ emask_k |= SSL_kPSK;
+ emask_a |= SSL_aPSK;
+#endif
+
+ c->mask_k=mask_k;
+ c->mask_a=mask_a;
+ c->export_mask_k=emask_k;
+ c->export_mask_a=emask_a;
c->valid=1;
}
#define ku_reject(x, usage) \
(((x)->ex_flags & EXFLAG_KUSAGE) && !((x)->ex_kusage & (usage)))
-int check_srvr_ecc_cert_and_alg(X509 *x, SSL_CIPHER *cs)
+int ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL_CIPHER *cs)
{
- unsigned long alg = cs->algorithms;
+ unsigned long alg_k, alg_a;
EVP_PKEY *pkey = NULL;
int keysize = 0;
int signature_nid = 0;
+ alg_k = cs->algorithm_mkey;
+ alg_a = cs->algorithm_auth;
+
if (SSL_C_IS_EXPORT(cs))
{
/* ECDH key length in export ciphers must be <= 163 bits */
X509_check_purpose(x, -1, 0);
if ((x->sig_alg) && (x->sig_alg->algorithm))
signature_nid = OBJ_obj2nid(x->sig_alg->algorithm);
- if (alg & SSL_kECDH)
+ if (alg_k & SSL_kECDHe || alg_k & SSL_kECDHr)
{
/* key usage, if present, must allow key agreement */
if (ku_reject(x, X509v3_KU_KEY_AGREEMENT))
{
+ SSLerr(SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG, SSL_R_ECC_CERT_NOT_FOR_KEY_AGREEMENT);
return 0;
}
- if (alg & SSL_aECDSA)
+ if (alg_k & SSL_kECDHe)
{
/* signature alg must be ECDSA */
if (signature_nid != NID_ecdsa_with_SHA1)
{
+ SSLerr(SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG, SSL_R_ECC_CERT_SHOULD_HAVE_SHA1_SIGNATURE);
return 0;
}
}
- if (alg & SSL_aRSA)
+ if (alg_k & SSL_kECDHr)
{
/* signature alg must be RSA */
- if ((signature_nid != NID_md5WithRSAEncryption) &&
- (signature_nid != NID_md4WithRSAEncryption) &&
- (signature_nid != NID_md2WithRSAEncryption))
+
+ const char *sig = OBJ_nid2ln(signature_nid);
+ if (sig == NULL)
{
+ ERR_clear_error();
+ sig = "unknown";
+ }
+ if (strstr(sig, "WithRSA") == NULL)
+ {
+ SSLerr(SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG, SSL_R_ECC_CERT_SHOULD_HAVE_RSA_SIGNATURE);
return 0;
}
}
- }
- else if (alg & SSL_aECDSA)
+ }
+ if (alg_a & SSL_aECDSA)
{
/* key usage, if present, must allow signing */
if (ku_reject(x, X509v3_KU_DIGITAL_SIGNATURE))
{
+ SSLerr(SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG, SSL_R_ECC_CERT_NOT_FOR_SIGNING);
return 0;
}
}
/* THIS NEEDS CLEANING UP */
X509 *ssl_get_server_send_cert(SSL *s)
{
- unsigned long alg,mask,kalg;
+ unsigned long alg_k,alg_a,mask_k,mask_a;
CERT *c;
int i,is_export;
c=s->cert;
ssl_set_cert_masks(c, s->s3->tmp.new_cipher);
- alg=s->s3->tmp.new_cipher->algorithms;
is_export=SSL_C_IS_EXPORT(s->s3->tmp.new_cipher);
- mask=is_export?c->export_mask:c->mask;
- kalg=alg&(SSL_MKEY_MASK|SSL_AUTH_MASK);
+ if (is_export)
+ {
+ mask_k = c->export_mask_k;
+ mask_a = c->export_mask_a;
+ }
+ else
+ {
+ mask_k = c->mask_k;
+ mask_a = c->mask_a;
+ }
+
+ alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
+ alg_a = s->s3->tmp.new_cipher->algorithm_auth;
- if (kalg & SSL_kECDH)
+ if (alg_k & (SSL_kECDHr|SSL_kECDHe))
{
- /* we don't need to look at SSL_kECDHE
+ /* we don't need to look at SSL_kEECDH
* since no certificate is needed for
* anon ECDH and for authenticated
- * ECDHE, the check for the auth
+ * EECDH, the check for the auth
* algorithm will set i correctly
* NOTE: For ECDH-RSA, we need an ECC
- * not an RSA cert but for ECDHE-RSA
+ * not an RSA cert but for EECDH-RSA
* we need an RSA cert. Placing the
* checks for SSL_kECDH before RSA
* checks ensures the correct cert is chosen.
*/
i=SSL_PKEY_ECC;
}
- else if (kalg & SSL_aECDSA)
+ else if (alg_a & SSL_aECDSA)
{
i=SSL_PKEY_ECC;
}
- else if (kalg & SSL_kDHr)
+ else if (alg_k & SSL_kDHr)
i=SSL_PKEY_DH_RSA;
- else if (kalg & SSL_kDHd)
+ else if (alg_k & SSL_kDHd)
i=SSL_PKEY_DH_DSA;
- else if (kalg & SSL_aDSS)
+ else if (alg_a & SSL_aDSS)
i=SSL_PKEY_DSA_SIGN;
- else if (kalg & SSL_aRSA)
+ else if (alg_a & SSL_aRSA)
{
if (c->pkeys[SSL_PKEY_RSA_ENC].x509 == NULL)
i=SSL_PKEY_RSA_SIGN;
else
i=SSL_PKEY_RSA_ENC;
}
- else if (kalg & SSL_aKRB5)
+ else if (alg_a & SSL_aKRB5)
{
/* VRS something else here? */
return(NULL);
}
- else /* if (kalg & SSL_aNULL) */
+ else /* if (alg_a & SSL_aNULL) */
{
SSLerr(SSL_F_SSL_GET_SERVER_SEND_CERT,ERR_R_INTERNAL_ERROR);
return(NULL);
EVP_PKEY *ssl_get_sign_pkey(SSL *s,SSL_CIPHER *cipher)
{
- unsigned long alg;
+ unsigned long alg_a;
CERT *c;
- alg=cipher->algorithms;
+ alg_a = cipher->algorithm_auth;
c=s->cert;
- if ((alg & SSL_aDSS) &&
+ if ((alg_a & SSL_aDSS) &&
(c->pkeys[SSL_PKEY_DSA_SIGN].privatekey != NULL))
return(c->pkeys[SSL_PKEY_DSA_SIGN].privatekey);
- else if (alg & SSL_aRSA)
+ else if (alg_a & SSL_aRSA)
{
if (c->pkeys[SSL_PKEY_RSA_SIGN].privatekey != NULL)
return(c->pkeys[SSL_PKEY_RSA_SIGN].privatekey);
else
return(NULL);
}
- else if ((alg & SSL_aECDSA) &&
+ else if ((alg_a & SSL_aECDSA) &&
(c->pkeys[SSL_PKEY_ECC].privatekey != NULL))
return(c->pkeys[SSL_PKEY_ECC].privatekey);
- else /* if (alg & SSL_aNULL) */
+ else /* if (alg_a & SSL_aNULL) */
{
SSLerr(SSL_F_SSL_GET_SIGN_PKEY,ERR_R_INTERNAL_ERROR);
return(NULL);
* and it would be rather hard to do anyway :-) */
if (s->session->session_id_length == 0) return;
- i=s->ctx->session_cache_mode;
+ i=s->session_ctx->session_cache_mode;
if ((i & mode) && (!s->hit)
&& ((i & SSL_SESS_CACHE_NO_INTERNAL_STORE)
- || SSL_CTX_add_session(s->ctx,s->session))
- && (s->ctx->new_session_cb != NULL))
+ || SSL_CTX_add_session(s->session_ctx,s->session))
+ && (s->session_ctx->new_session_cb != NULL))
{
CRYPTO_add(&s->session->references,1,CRYPTO_LOCK_SSL_SESSION);
- if (!s->ctx->new_session_cb(s,s->session))
+ if (!s->session_ctx->new_session_cb(s,s->session))
SSL_SESSION_free(s->session);
}
((i & mode) == mode))
{
if ( (((mode & SSL_SESS_CACHE_CLIENT)
- ?s->ctx->stats.sess_connect_good
- :s->ctx->stats.sess_accept_good) & 0xff) == 0xff)
+ ?s->session_ctx->stats.sess_connect_good
+ :s->session_ctx->stats.sess_accept_good) & 0xff) == 0xff)
{
- SSL_CTX_flush_sessions(s->ctx,time(NULL));
+ SSL_CTX_flush_sessions(s->session_ctx,(unsigned long)time(NULL));
}
}
}
-SSL_METHOD *SSL_get_ssl_method(SSL *s)
+const SSL_METHOD *SSL_get_ssl_method(SSL *s)
{
return(s->method);
}
-int SSL_set_ssl_method(SSL *s,SSL_METHOD *meth)
+int SSL_set_ssl_method(SSL *s, const SSL_METHOD *meth)
{
int conn= -1;
int ret=1;
s->handshake_func=s->method->ssl_accept;
/* clear the current cipher */
ssl_clear_cipher_ctx(s);
+ ssl_clear_hash_ctx(&s->read_hash);
+ ssl_clear_hash_ctx(&s->write_hash);
}
void SSL_set_connect_state(SSL *s)
s->handshake_func=s->method->ssl_connect;
/* clear the current cipher */
ssl_clear_cipher_ctx(s);
+ ssl_clear_hash_ctx(&s->read_hash);
+ ssl_clear_hash_ctx(&s->write_hash);
}
int ssl_undefined_function(SSL *s)
X509_NAME *xn;
SSL *ret;
int i;
-
+
if ((ret=SSL_new(SSL_get_SSL_CTX(s))) == NULL)
return(NULL);
OPENSSL_free(s->enc_write_ctx);
s->enc_write_ctx=NULL;
}
+#ifndef OPENSSL_NO_COMP
if (s->expand != NULL)
{
COMP_CTX_free(s->expand);
COMP_CTX_free(s->compress);
s->compress=NULL;
}
+#endif
}
/* Fix this function so that it takes an optional type parameter */
return(s->session->cipher);
return(NULL);
}
+#ifdef OPENSSL_NO_COMP
+const void *SSL_get_current_compression(SSL *s)
+ {
+ return NULL;
+ }
+const void *SSL_get_current_expansion(SSL *s)
+ {
+ return NULL;
+ }
+#else
const COMP_METHOD *SSL_get_current_compression(SSL *s)
{
return(s->expand->meth);
return(NULL);
}
+#endif
int ssl_init_wbio_buffer(SSL *s,int push)
{
s->wbio=BIO_pop(s->wbio);
#ifdef REF_CHECK /* not the usual REF_CHECK, but this avoids adding one more preprocessor symbol */
assert(s->wbio != NULL);
-#endif
+#endif
}
BIO_free(s->bbio);
s->bbio=NULL;
return(ssl->ctx);
}
+SSL_CTX *SSL_set_SSL_CTX(SSL *ssl, SSL_CTX* ctx)
+ {
+ if (ssl->ctx == ctx)
+ return ssl->ctx;
+ if (ctx == NULL)
+ ctx = ssl->initial_ctx;
+ if (ssl->cert != NULL)
+ ssl_cert_free(ssl->cert);
+ ssl->cert = ssl_cert_dup(ctx->cert);
+ CRYPTO_add(&ctx->references,1,CRYPTO_LOCK_SSL_CTX);
+ if (ssl->ctx != NULL)
+ SSL_CTX_free(ssl->ctx); /* decrement reference count */
+ ssl->ctx = ctx;
+ return(ssl->ctx);
+ }
+
#ifndef OPENSSL_NO_STDIO
int SSL_CTX_set_default_verify_paths(SSL_CTX *ctx)
{
#endif
void SSL_set_info_callback(SSL *ssl,
- void (*cb)(const SSL *ssl,int type,int val))
+ void (*cb)(const SSL *ssl,int type,int val))
{
ssl->info_callback=cb;
}
-void (*SSL_get_info_callback(const SSL *ssl))(const SSL *ssl,int type,int val)
+/* One compiler (Diab DCC) doesn't like argument names in returned
+ function pointer. */
+void (*SSL_get_info_callback(const SSL *ssl))(const SSL * /*ssl*/,int /*type*/,int /*val*/)
{
return ssl->info_callback;
}
#ifndef OPENSSL_NO_DH
void SSL_CTX_set_tmp_dh_callback(SSL_CTX *ctx,DH *(*dh)(SSL *ssl,int is_export,
- int keylength))
+ int keylength))
{
SSL_CTX_callback_ctrl(ctx,SSL_CTRL_SET_TMP_DH_CB,(void (*)(void))dh);
}
void SSL_set_tmp_dh_callback(SSL *ssl,DH *(*dh)(SSL *ssl,int is_export,
- int keylength))
+ int keylength))
{
SSL_callback_ctrl(ssl,SSL_CTRL_SET_TMP_DH_CB,(void (*)(void))dh);
}
#ifndef OPENSSL_NO_ECDH
void SSL_CTX_set_tmp_ecdh_callback(SSL_CTX *ctx,EC_KEY *(*ecdh)(SSL *ssl,int is_export,
- int keylength))
+ int keylength))
{
SSL_CTX_callback_ctrl(ctx,SSL_CTRL_SET_TMP_ECDH_CB,(void (*)(void))ecdh);
}
void SSL_set_tmp_ecdh_callback(SSL *ssl,EC_KEY *(*ecdh)(SSL *ssl,int is_export,
- int keylength))
+ int keylength))
{
SSL_callback_ctrl(ssl,SSL_CTRL_SET_TMP_ECDH_CB,(void (*)(void))ecdh);
}
#endif
+#ifndef OPENSSL_NO_PSK
+int SSL_CTX_use_psk_identity_hint(SSL_CTX *ctx, const char *identity_hint)
+ {
+ if (identity_hint != NULL && strlen(identity_hint) > PSK_MAX_IDENTITY_LEN)
+ {
+ SSLerr(SSL_F_SSL_CTX_USE_PSK_IDENTITY_HINT, SSL_R_DATA_LENGTH_TOO_LONG);
+ return 0;
+ }
+ if (ctx->psk_identity_hint != NULL)
+ OPENSSL_free(ctx->psk_identity_hint);
+ if (identity_hint != NULL)
+ {
+ ctx->psk_identity_hint = BUF_strdup(identity_hint);
+ if (ctx->psk_identity_hint == NULL)
+ return 0;
+ }
+ else
+ ctx->psk_identity_hint = NULL;
+ return 1;
+ }
+
+int SSL_use_psk_identity_hint(SSL *s, const char *identity_hint)
+ {
+ if (s == NULL)
+ return 0;
+
+ if (s->session == NULL)
+ return 1; /* session not created yet, ignored */
+
+ if (identity_hint != NULL && strlen(identity_hint) > PSK_MAX_IDENTITY_LEN)
+ {
+ SSLerr(SSL_F_SSL_USE_PSK_IDENTITY_HINT, SSL_R_DATA_LENGTH_TOO_LONG);
+ return 0;
+ }
+ if (s->session->psk_identity_hint != NULL)
+ OPENSSL_free(s->session->psk_identity_hint);
+ if (identity_hint != NULL)
+ {
+ s->session->psk_identity_hint = BUF_strdup(identity_hint);
+ if (s->session->psk_identity_hint == NULL)
+ return 0;
+ }
+ else
+ s->session->psk_identity_hint = NULL;
+ return 1;
+ }
+
+const char *SSL_get_psk_identity_hint(const SSL *s)
+ {
+ if (s == NULL || s->session == NULL)
+ return NULL;
+ return(s->session->psk_identity_hint);
+ }
+
+const char *SSL_get_psk_identity(const SSL *s)
+ {
+ if (s == NULL || s->session == NULL)
+ return NULL;
+ return(s->session->psk_identity);
+ }
+
+void SSL_set_psk_client_callback(SSL *s,
+ unsigned int (*cb)(SSL *ssl, const char *hint,
+ char *identity, unsigned int max_identity_len, unsigned char *psk,
+ unsigned int max_psk_len))
+ {
+ s->psk_client_callback = cb;
+ }
+
+void SSL_CTX_set_psk_client_callback(SSL_CTX *ctx,
+ unsigned int (*cb)(SSL *ssl, const char *hint,
+ char *identity, unsigned int max_identity_len, unsigned char *psk,
+ unsigned int max_psk_len))
+ {
+ ctx->psk_client_callback = cb;
+ }
+
+void SSL_set_psk_server_callback(SSL *s,
+ unsigned int (*cb)(SSL *ssl, const char *identity,
+ unsigned char *psk, unsigned int max_psk_len))
+ {
+ s->psk_server_callback = cb;
+ }
+
+void SSL_CTX_set_psk_server_callback(SSL_CTX *ctx,
+ unsigned int (*cb)(SSL *ssl, const char *identity,
+ unsigned char *psk, unsigned int max_psk_len))
+ {
+ ctx->psk_server_callback = cb;
+ }
+#endif
void SSL_CTX_set_msg_callback(SSL_CTX *ctx, void (*cb)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg))
{
SSL_callback_ctrl(ssl, SSL_CTRL_SET_MSG_CALLBACK, (void (*)(void))cb);
}
-
+/* Allocates new EVP_MD_CTX and sets pointer to it into given pointer
+ * vairable, freeing EVP_MD_CTX previously stored in that variable, if
+ * any. If EVP_MD pointer is passed, initializes ctx with this md
+ * Returns newly allocated ctx;
+ */
+
+EVP_MD_CTX *ssl_replace_hash(EVP_MD_CTX **hash,const EVP_MD *md)
+{
+ ssl_clear_hash_ctx(hash);
+ *hash = EVP_MD_CTX_create();
+ if (md) EVP_DigestInit_ex(*hash,md,NULL);
+ return *hash;
+}
+void ssl_clear_hash_ctx(EVP_MD_CTX **hash)
+{
+
+ if (*hash) EVP_MD_CTX_destroy(*hash);
+ *hash=NULL;
+}
#if defined(_WINDLL) && defined(OPENSSL_SYS_WIN16)
#include "../crypto/bio/bss_file.c"