diff options
| author |   beck <beck@openbsd.org> | 2016-09-03 11:33:34 +0000 |
|---|---|---|
| committer | beck <beck@openbsd.org> | 2016-09-03 11:33:34 +0000 |
| commit | 8204a9859e29f943f9d45fa3c5bacf005da87a21 (patch) | |
| tree | 3d72799b17122728ed1ce817d171df956c52a633 /lib/libssl/src/ssl | |
| parent | Remove NULL pointer checks before calls to free(). (diff) | |
| download | wireguard-openbsd-8204a9859e29f943f9d45fa3c5bacf005da87a21.tar.xz wireguard-openbsd-8204a9859e29f943f9d45fa3c5bacf005da87a21.zip | |
Remove the libssl/src directory
Diffstat (limited to 'lib/libssl/src/ssl')
50 files changed, 0 insertions, 40406 deletions
diff --git a/lib/libssl/src/ssl/bio_ssl.c b/lib/libssl/src/ssl/bio_ssl.c deleted file mode 100644 index 6ddbb008e6a..00000000000 --- a/lib/libssl/src/ssl/bio_ssl.c +++ /dev/null @@ -1,581 +0,0 @@ -/* $OpenBSD: bio_ssl.c,v 1.22 2015/09/29 18:08:57 deraadt Exp $ */ -/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) - * All rights reserved. - * - * This package is an SSL implementation written - * by Eric Young (eay@cryptsoft.com). - * The implementation was written so as to conform with Netscapes SSL. - * - * This library is free for commercial and non-commercial use as long as - * the following conditions are aheared to. The following conditions - * apply to all code found in this distribution, be it the RC4, RSA, - * lhash, DES, etc., code; not just the SSL code. The SSL documentation - * included with this distribution is covered by the same copyright terms - * except that the holder is Tim Hudson (tjh@cryptsoft.com). - * - * Copyright remains Eric Young's, and as such any Copyright notices in - * the code are not to be removed. - * If this package is used in a product, Eric Young should be given attribution - * as the author of the parts of the library used. - * This can be in the form of a textual message at program startup or - * in documentation (online or textual) provided with the package. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * "This product includes cryptographic software written by - * Eric Young (eay@cryptsoft.com)" - * The word 'cryptographic' can be left out if the rouines from the library - * being used are not cryptographic related :-). - * 4. If you include any Windows specific code (or a derivative thereof) from - * the apps directory (application code) you must include an acknowledgement: - * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" - * - * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * The licence and distribution terms for any publically available version or - * derivative of this code cannot be changed. i.e. this code cannot simply be - * copied and put under another distribution licence - * [including the GNU Public Licence.] - */ - -#include <errno.h> -#include <stdio.h> -#include <stdlib.h> -#include <string.h> - -#include <openssl/bio.h> -#include <openssl/crypto.h> -#include <openssl/err.h> -#include <openssl/ssl.h> - -static int ssl_write(BIO *h, const char *buf, int num); -static int ssl_read(BIO *h, char *buf, int size); -static int ssl_puts(BIO *h, const char *str); -static long ssl_ctrl(BIO *h, int cmd, long arg1, void *arg2); -static int ssl_new(BIO *h); -static int ssl_free(BIO *data); -static long ssl_callback_ctrl(BIO *h, int cmd, bio_info_cb *fp); -typedef struct bio_ssl_st { - SSL *ssl; /* The ssl handle :-) */ - /* re-negotiate every time the total number of bytes is this size */ - int num_renegotiates; - unsigned long renegotiate_count; - unsigned long byte_count; - unsigned long renegotiate_timeout; - time_t last_time; -} BIO_SSL; - -static BIO_METHOD methods_sslp = { - .type = BIO_TYPE_SSL, - .name = "ssl", - .bwrite = ssl_write, - .bread = ssl_read, - .bputs = ssl_puts, - .ctrl = ssl_ctrl, - .create = ssl_new, - .destroy = ssl_free, - .callback_ctrl = ssl_callback_ctrl, -}; - -BIO_METHOD * -BIO_f_ssl(void) -{ - return (&methods_sslp); -} - -static int -ssl_new(BIO *bi) -{ - BIO_SSL *bs; - - bs = calloc(1, sizeof(BIO_SSL)); - if (bs == NULL) { - BIOerr(BIO_F_SSL_NEW, ERR_R_MALLOC_FAILURE); - return (0); - } - bi->init = 0; - bi->ptr = (char *)bs; - bi->flags = 0; - return (1); -} - -static int -ssl_free(BIO *a) -{ - BIO_SSL *bs; - - if (a == NULL) - return (0); - bs = (BIO_SSL *)a->ptr; - if (bs->ssl != NULL) - SSL_shutdown(bs->ssl); - if (a->shutdown) { - if (a->init && (bs->ssl != NULL)) - SSL_free(bs->ssl); - a->init = 0; - a->flags = 0; - } - free(a->ptr); - return (1); -} - -static int -ssl_read(BIO *b, char *out, int outl) -{ - int ret = 1; - BIO_SSL *sb; - SSL *ssl; - int retry_reason = 0; - int r = 0; - - if (out == NULL) - return (0); - sb = (BIO_SSL *)b->ptr; - ssl = sb->ssl; - - BIO_clear_retry_flags(b); - - ret = SSL_read(ssl, out, outl); - - switch (SSL_get_error(ssl, ret)) { - case SSL_ERROR_NONE: - if (ret <= 0) - break; - if (sb->renegotiate_count > 0) { - sb->byte_count += ret; - if (sb->byte_count > sb->renegotiate_count) { - sb->byte_count = 0; - sb->num_renegotiates++; - SSL_renegotiate(ssl); - r = 1; - } - } - if ((sb->renegotiate_timeout > 0) && (!r)) { - time_t tm; - - tm = time(NULL); - if (tm > sb->last_time + sb->renegotiate_timeout) { - sb->last_time = tm; - sb->num_renegotiates++; - SSL_renegotiate(ssl); - } - } - - break; - case SSL_ERROR_WANT_READ: - BIO_set_retry_read(b); - break; - case SSL_ERROR_WANT_WRITE: - BIO_set_retry_write(b); - break; - case SSL_ERROR_WANT_X509_LOOKUP: - BIO_set_retry_special(b); - retry_reason = BIO_RR_SSL_X509_LOOKUP; - break; - case SSL_ERROR_WANT_ACCEPT: - BIO_set_retry_special(b); - retry_reason = BIO_RR_ACCEPT; - break; - case SSL_ERROR_WANT_CONNECT: - BIO_set_retry_special(b); - retry_reason = BIO_RR_CONNECT; - break; - case SSL_ERROR_SYSCALL: - case SSL_ERROR_SSL: - case SSL_ERROR_ZERO_RETURN: - default: - break; - } - - b->retry_reason = retry_reason; - return (ret); -} - -static int -ssl_write(BIO *b, const char *out, int outl) -{ - int ret, r = 0; - int retry_reason = 0; - SSL *ssl; - BIO_SSL *bs; - - if (out == NULL) - return (0); - bs = (BIO_SSL *)b->ptr; - ssl = bs->ssl; - - BIO_clear_retry_flags(b); - -/* ret=SSL_do_handshake(ssl); - if (ret > 0) */ - ret = SSL_write(ssl, out, outl); - - switch (SSL_get_error(ssl, ret)) { - case SSL_ERROR_NONE: - if (ret <= 0) - break; - if (bs->renegotiate_count > 0) { - bs->byte_count += ret; - if (bs->byte_count > bs->renegotiate_count) { - bs->byte_count = 0; - bs->num_renegotiates++; - SSL_renegotiate(ssl); - r = 1; - } - } - if ((bs->renegotiate_timeout > 0) && (!r)) { - time_t tm; - - tm = time(NULL); - if (tm > bs->last_time + bs->renegotiate_timeout) { - bs->last_time = tm; - bs->num_renegotiates++; - SSL_renegotiate(ssl); - } - } - break; - case SSL_ERROR_WANT_WRITE: - BIO_set_retry_write(b); - break; - case SSL_ERROR_WANT_READ: - BIO_set_retry_read(b); - break; - case SSL_ERROR_WANT_X509_LOOKUP: - BIO_set_retry_special(b); - retry_reason = BIO_RR_SSL_X509_LOOKUP; - break; - case SSL_ERROR_WANT_CONNECT: - BIO_set_retry_special(b); - retry_reason = BIO_RR_CONNECT; - case SSL_ERROR_SYSCALL: - case SSL_ERROR_SSL: - default: - break; - } - - b->retry_reason = retry_reason; - return (ret); -} - -static long -ssl_ctrl(BIO *b, int cmd, long num, void *ptr) -{ - SSL **sslp, *ssl; - BIO_SSL *bs; - BIO *dbio, *bio; - long ret = 1; - - bs = (BIO_SSL *)b->ptr; - ssl = bs->ssl; - if ((ssl == NULL) && (cmd != BIO_C_SET_SSL)) - return (0); - switch (cmd) { - case BIO_CTRL_RESET: - SSL_shutdown(ssl); - - if (ssl->handshake_func == ssl->method->ssl_connect) - SSL_set_connect_state(ssl); - else if (ssl->handshake_func == ssl->method->ssl_accept) - SSL_set_accept_state(ssl); - - SSL_clear(ssl); - - if (b->next_bio != NULL) - ret = BIO_ctrl(b->next_bio, cmd, num, ptr); - else if (ssl->rbio != NULL) - ret = BIO_ctrl(ssl->rbio, cmd, num, ptr); - else - ret = 1; - break; - case BIO_CTRL_INFO: - ret = 0; - break; - case BIO_C_SSL_MODE: - if (num) /* client mode */ - SSL_set_connect_state(ssl); - else - SSL_set_accept_state(ssl); - break; - case BIO_C_SET_SSL_RENEGOTIATE_TIMEOUT: - ret = bs->renegotiate_timeout; - if (num < 60) - num = 5; - bs->renegotiate_timeout = (unsigned long)num; - bs->last_time = time(NULL); - break; - case BIO_C_SET_SSL_RENEGOTIATE_BYTES: - ret = bs->renegotiate_count; - if ((long)num >=512) - bs->renegotiate_count = (unsigned long)num; - break; - case BIO_C_GET_SSL_NUM_RENEGOTIATES: - ret = bs->num_renegotiates; - break; - case BIO_C_SET_SSL: - if (ssl != NULL) { - ssl_free(b); - if (!ssl_new(b)) - return 0; - } - b->shutdown = (int)num; - ssl = (SSL *)ptr; - ((BIO_SSL *)b->ptr)->ssl = ssl; - bio = SSL_get_rbio(ssl); - if (bio != NULL) { - if (b->next_bio != NULL) - BIO_push(bio, b->next_bio); - b->next_bio = bio; - CRYPTO_add(&bio->references, 1, CRYPTO_LOCK_BIO); - } - b->init = 1; - break; - case BIO_C_GET_SSL: - if (ptr != NULL) { - sslp = (SSL **)ptr; - *sslp = ssl; - } else - ret = 0; - break; - case BIO_CTRL_GET_CLOSE: - ret = b->shutdown; - break; - case BIO_CTRL_SET_CLOSE: - b->shutdown = (int)num; - break; - case BIO_CTRL_WPENDING: - ret = BIO_ctrl(ssl->wbio, cmd, num, ptr); - break; - case BIO_CTRL_PENDING: - ret = SSL_pending(ssl); - if (ret == 0) - ret = BIO_pending(ssl->rbio); - break; - case BIO_CTRL_FLUSH: - BIO_clear_retry_flags(b); - ret = BIO_ctrl(ssl->wbio, cmd, num, ptr); - BIO_copy_next_retry(b); - break; - case BIO_CTRL_PUSH: - if ((b->next_bio != NULL) && (b->next_bio != ssl->rbio)) { - SSL_set_bio(ssl, b->next_bio, b->next_bio); - CRYPTO_add(&b->next_bio->references, 1, CRYPTO_LOCK_BIO); - } - break; - case BIO_CTRL_POP: - /* Only detach if we are the BIO explicitly being popped */ - if (b == ptr) { - /* Shouldn't happen in practice because the - * rbio and wbio are the same when pushed. - */ - if (ssl->rbio != ssl->wbio) - BIO_free_all(ssl->wbio); - if (b->next_bio != NULL) - CRYPTO_add(&b->next_bio->references, -1, CRYPTO_LOCK_BIO); - ssl->wbio = NULL; - ssl->rbio = NULL; - } - break; - case BIO_C_DO_STATE_MACHINE: - BIO_clear_retry_flags(b); - - b->retry_reason = 0; - ret = (int)SSL_do_handshake(ssl); - - switch (SSL_get_error(ssl, (int)ret)) { - case SSL_ERROR_WANT_READ: - BIO_set_flags(b, - BIO_FLAGS_READ|BIO_FLAGS_SHOULD_RETRY); - break; - case SSL_ERROR_WANT_WRITE: - BIO_set_flags(b, - BIO_FLAGS_WRITE|BIO_FLAGS_SHOULD_RETRY); - break; - case SSL_ERROR_WANT_CONNECT: - BIO_set_flags(b, - BIO_FLAGS_IO_SPECIAL|BIO_FLAGS_SHOULD_RETRY); - b->retry_reason = b->next_bio->retry_reason; - break; - default: - break; - } - break; - case BIO_CTRL_DUP: - dbio = (BIO *)ptr; - if (((BIO_SSL *)dbio->ptr)->ssl != NULL) - SSL_free(((BIO_SSL *)dbio->ptr)->ssl); - ((BIO_SSL *)dbio->ptr)->ssl = SSL_dup(ssl); - ((BIO_SSL *)dbio->ptr)->renegotiate_count = - ((BIO_SSL *)b->ptr)->renegotiate_count; - ((BIO_SSL *)dbio->ptr)->byte_count = - ((BIO_SSL *)b->ptr)->byte_count; - ((BIO_SSL *)dbio->ptr)->renegotiate_timeout = - ((BIO_SSL *)b->ptr)->renegotiate_timeout; - ((BIO_SSL *)dbio->ptr)->last_time = - ((BIO_SSL *)b->ptr)->last_time; - ret = (((BIO_SSL *)dbio->ptr)->ssl != NULL); - break; - case BIO_C_GET_FD: - ret = BIO_ctrl(ssl->rbio, cmd, num, ptr); - break; - case BIO_CTRL_SET_CALLBACK: - { - ret = 0; - } - break; - case BIO_CTRL_GET_CALLBACK: - { - void (**fptr)(const SSL *xssl, int type, int val); - - fptr = (void (**)(const SSL *xssl, int type, int val))ptr; - *fptr = SSL_get_info_callback(ssl); - } - break; - default: - ret = BIO_ctrl(ssl->rbio, cmd, num, ptr); - break; - } - return (ret); -} - -static long -ssl_callback_ctrl(BIO *b, int cmd, bio_info_cb *fp) -{ - SSL *ssl; - BIO_SSL *bs; - long ret = 1; - - bs = (BIO_SSL *)b->ptr; - ssl = bs->ssl; - switch (cmd) { - case BIO_CTRL_SET_CALLBACK: - { - /* FIXME: setting this via a completely different prototype - seems like a crap idea */ - SSL_set_info_callback(ssl, (void (*)(const SSL *, int, int))fp); - } - break; - default: - ret = BIO_callback_ctrl(ssl->rbio, cmd, fp); - break; - } - return (ret); -} - -static int -ssl_puts(BIO *bp, const char *str) -{ - int n, ret; - - n = strlen(str); - ret = BIO_write(bp, str, n); - return (ret); -} - -BIO * -BIO_new_buffer_ssl_connect(SSL_CTX *ctx) -{ - BIO *ret = NULL, *buf = NULL, *ssl = NULL; - - if ((buf = BIO_new(BIO_f_buffer())) == NULL) - goto err; - if ((ssl = BIO_new_ssl_connect(ctx)) == NULL) - goto err; - if ((ret = BIO_push(buf, ssl)) == NULL) - goto err; - return (ret); - -err: - BIO_free(buf); - BIO_free(ssl); - return (NULL); -} - -BIO * -BIO_new_ssl_connect(SSL_CTX *ctx) -{ - BIO *ret = NULL, *con = NULL, *ssl = NULL; - - if ((con = BIO_new(BIO_s_connect())) == NULL) - goto err; - if ((ssl = BIO_new_ssl(ctx, 1)) == NULL) - goto err; - if ((ret = BIO_push(ssl, con)) == NULL) - goto err; - return (ret); - -err: - BIO_free(con); - BIO_free(ssl); - return (NULL); -} - -BIO * -BIO_new_ssl(SSL_CTX *ctx, int client) -{ - BIO *ret; - SSL *ssl; - - if ((ret = BIO_new(BIO_f_ssl())) == NULL) - goto err; - if ((ssl = SSL_new(ctx)) == NULL) - goto err; - - if (client) - SSL_set_connect_state(ssl); - else - SSL_set_accept_state(ssl); - - BIO_set_ssl(ret, ssl, BIO_CLOSE); - return (ret); - -err: - BIO_free(ret); - return (NULL); -} - -int -BIO_ssl_copy_session_id(BIO *t, BIO *f) -{ - t = BIO_find_type(t, BIO_TYPE_SSL); - f = BIO_find_type(f, BIO_TYPE_SSL); - if ((t == NULL) || (f == NULL)) - return (0); - if ((((BIO_SSL *)t->ptr)->ssl == NULL) || - (((BIO_SSL *)f->ptr)->ssl == NULL)) - return (0); - SSL_copy_session_id(((BIO_SSL *)t->ptr)->ssl, ((BIO_SSL *)f->ptr)->ssl); - return (1); -} - -void -BIO_ssl_shutdown(BIO *b) -{ - SSL *s; - - while (b != NULL) { - if (b->method->type == BIO_TYPE_SSL) { - s = ((BIO_SSL *)b->ptr)->ssl; - SSL_shutdown(s); - break; - } - b = b->next_bio; - } -} diff --git a/lib/libssl/src/ssl/bs_ber.c b/lib/libssl/src/ssl/bs_ber.c deleted file mode 100644 index 6e945a02466..00000000000 --- a/lib/libssl/src/ssl/bs_ber.c +++ /dev/null @@ -1,268 +0,0 @@ -/* $OpenBSD: bs_ber.c,v 1.8 2015/06/21 16:10:45 doug Exp $ */ -/* - * Copyright (c) 2014, Google Inc. - * - * Permission to use, copy, modify, and/or distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES - * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF - * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY - * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES - * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION - * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN - * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ - -#include <string.h> - -#include <openssl/opensslconf.h> - -#include "bytestring.h" - -/* - * kMaxDepth is a just a sanity limit. The code should be such that the length - * of the input being processes always decreases. None the less, a very large - * input could otherwise cause the stack to overflow. - */ -static const unsigned int kMaxDepth = 2048; - -/* Non-strict version that allows a relaxed DER with indefinite form. */ -static int -cbs_nonstrict_get_any_asn1_element(CBS *cbs, CBS *out, unsigned int *out_tag, - size_t *out_header_len) -{ - return cbs_get_any_asn1_element_internal(cbs, out, - out_tag, out_header_len, 0); -} - -/* - * cbs_find_indefinite walks an ASN.1 structure in |orig_in| and sets - * |*indefinite_found| depending on whether an indefinite length element was - * found. The value of |orig_in| is not modified. - * - * Returns one on success (i.e. |*indefinite_found| was set) and zero on error. - */ -static int -cbs_find_indefinite(const CBS *orig_in, char *indefinite_found, - unsigned int depth) -{ - CBS in; - - if (depth > kMaxDepth) - return 0; - - CBS_init(&in, CBS_data(orig_in), CBS_len(orig_in)); - - while (CBS_len(&in) > 0) { - CBS contents; - unsigned int tag; - size_t header_len; - - if (!cbs_nonstrict_get_any_asn1_element(&in, &contents, &tag, - &header_len)) - return 0; - - /* Indefinite form not allowed by DER. */ - if (CBS_len(&contents) == header_len && header_len > 0 && - CBS_data(&contents)[header_len - 1] == 0x80) { - *indefinite_found = 1; - return 1; - } - if (tag & CBS_ASN1_CONSTRUCTED) { - if (!CBS_skip(&contents, header_len) || - !cbs_find_indefinite(&contents, indefinite_found, - depth + 1)) - return 0; - } - } - - *indefinite_found = 0; - return 1; -} - -/* - * is_primitive_type returns true if |tag| likely a primitive type. Normally - * one can just test the "constructed" bit in the tag but, in BER, even - * primitive tags can have the constructed bit if they have indefinite - * length. - */ -static char -is_primitive_type(unsigned int tag) -{ - return (tag & 0xc0) == 0 && - (tag & 0x1f) != (CBS_ASN1_SEQUENCE & 0x1f) && - (tag & 0x1f) != (CBS_ASN1_SET & 0x1f); -} - -/* - * is_eoc returns true if |header_len| and |contents|, as returned by - * |cbs_nonstrict_get_any_asn1_element|, indicate an "end of contents" (EOC) - * value. - */ -static char -is_eoc(size_t header_len, CBS *contents) -{ - return header_len == 2 && CBS_mem_equal(contents, "\x00\x00", 2); -} - -/* - * cbs_convert_indefinite reads data with DER encoding (but relaxed to allow - * indefinite form) from |in| and writes definite form DER data to |out|. If - * |squash_header| is set then the top-level of elements from |in| will not - * have their headers written. This is used when concatenating the fragments of - * an indefinite length, primitive value. If |looking_for_eoc| is set then any - * EOC elements found will cause the function to return after consuming it. - * It returns one on success and zero on error. - */ -static int -cbs_convert_indefinite(CBS *in, CBB *out, char squash_header, - char looking_for_eoc, unsigned int depth) -{ - if (depth > kMaxDepth) - return 0; - - while (CBS_len(in) > 0) { - CBS contents; - unsigned int tag; - size_t header_len; - CBB *out_contents, out_contents_storage; - - if (!cbs_nonstrict_get_any_asn1_element(in, &contents, &tag, - &header_len)) - return 0; - - out_contents = out; - - if (CBS_len(&contents) == header_len) { - if (is_eoc(header_len, &contents)) - return looking_for_eoc; - - if (header_len > 0 && - CBS_data(&contents)[header_len - 1] == 0x80) { - /* - * This is an indefinite length element. If - * it's a SEQUENCE or SET then we just need to - * write the out the contents as normal, but - * with a concrete length prefix. - * - * If it's a something else then the contents - * will be a series of DER elements of the same - * type which need to be concatenated. - */ - const char context_specific = (tag & 0xc0) - == 0x80; - char squash_child_headers = - is_primitive_type(tag); - - /* - * This is a hack, but it sufficies to handle - * NSS's output. If we find an indefinite - * length, context-specific tag with a definite, - * primtive tag inside it, then we assume that - * the context-specific tag is implicit and the - * tags within are fragments of a primitive type - * that need to be concatenated. - */ - if (context_specific && - (tag & CBS_ASN1_CONSTRUCTED)) { - CBS in_copy, inner_contents; - unsigned int inner_tag; - size_t inner_header_len; - - CBS_init(&in_copy, CBS_data(in), - CBS_len(in)); - if (!cbs_nonstrict_get_any_asn1_element( - &in_copy, &inner_contents, - &inner_tag, &inner_header_len)) - return 0; - - if (CBS_len(&inner_contents) > - inner_header_len && - is_primitive_type(inner_tag)) - squash_child_headers = 1; - } - - if (!squash_header) { - unsigned int out_tag = tag; - - if (squash_child_headers) - out_tag &= - ~CBS_ASN1_CONSTRUCTED; - - if (!CBB_add_asn1(out, - &out_contents_storage, out_tag)) - return 0; - - out_contents = &out_contents_storage; - } - - if (!cbs_convert_indefinite(in, out_contents, - squash_child_headers, - 1 /* looking for eoc */, depth + 1)) - return 0; - - if (out_contents != out && !CBB_flush(out)) - return 0; - - continue; - } - } - - if (!squash_header) { - if (!CBB_add_asn1(out, &out_contents_storage, tag)) - return 0; - - out_contents = &out_contents_storage; - } - - if (!CBS_skip(&contents, header_len)) - return 0; - - if (tag & CBS_ASN1_CONSTRUCTED) { - if (!cbs_convert_indefinite(&contents, out_contents, - 0 /* don't squash header */, - 0 /* not looking for eoc */, depth + 1)) - return 0; - } else { - if (!CBB_add_bytes(out_contents, CBS_data(&contents), - CBS_len(&contents))) - return 0; - } - - if (out_contents != out && !CBB_flush(out)) - return 0; - } - - return looking_for_eoc == 0; -} - -int -CBS_asn1_indefinite_to_definite(CBS *in, uint8_t **out, size_t *out_len) -{ - CBB cbb; - - /* - * First, do a quick walk to find any indefinite-length elements. Most - * of the time we hope that there aren't any and thus we can quickly - * return. - */ - char conversion_needed; - if (!cbs_find_indefinite(in, &conversion_needed, 0)) - return 0; - - if (!conversion_needed) { - *out = NULL; - *out_len = 0; - return 1; - } - - if (!CBB_init(&cbb, CBS_len(in))) - return 0; - if (!cbs_convert_indefinite(in, &cbb, 0, 0, 0)) { - CBB_cleanup(&cbb); - return 0; - } - - return CBB_finish(&cbb, out, out_len); -} diff --git a/lib/libssl/src/ssl/bs_cbb.c b/lib/libssl/src/ssl/bs_cbb.c deleted file mode 100644 index 3f8e08e0e35..00000000000 --- a/lib/libssl/src/ssl/bs_cbb.c +++ /dev/null @@ -1,442 +0,0 @@ -/* $OpenBSD: bs_cbb.c,v 1.13 2015/09/01 13:35:39 jsing Exp $ */ -/* - * Copyright (c) 2014, Google Inc. - * - * Permission to use, copy, modify, and/or distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES - * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF - * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY - * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES - * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION - * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN - * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ - -#include <assert.h> -#include <stdlib.h> -#include <string.h> - -#include <openssl/opensslconf.h> - -#include "bytestring.h" - -static int -cbb_init(CBB *cbb, uint8_t *buf, size_t cap) -{ - struct cbb_buffer_st *base; - - base = malloc(sizeof(struct cbb_buffer_st)); - if (base == NULL) - return 0; - - base->buf = buf; - base->len = 0; - base->cap = cap; - base->can_resize = 1; - - cbb->base = base; - cbb->is_top_level = 1; - - return 1; -} - -int -CBB_init(CBB *cbb, size_t initial_capacity) -{ - uint8_t *buf = NULL; - - memset(cbb, 0, sizeof(*cbb)); - - if (initial_capacity > 0) { - if ((buf = malloc(initial_capacity)) == NULL) - return 0; - } - - if (!cbb_init(cbb, buf, initial_capacity)) { - free(buf); - return 0; - } - - return 1; -} - -int -CBB_init_fixed(CBB *cbb, uint8_t *buf, size_t len) -{ - memset(cbb, 0, sizeof(*cbb)); - - if (!cbb_init(cbb, buf, len)) - return 0; - - cbb->base->can_resize = 0; - - return 1; -} - -void -CBB_cleanup(CBB *cbb) -{ - if (cbb->base) { - if (cbb->base->can_resize) - free(cbb->base->buf); - - free(cbb->base); - } - cbb->base = NULL; -} - -static int -cbb_buffer_add(struct cbb_buffer_st *base, uint8_t **out, size_t len) -{ - size_t newlen; - - if (base == NULL) - return 0; - - newlen = base->len + len; - if (newlen < base->len) - /* Overflow */ - return 0; - - if (newlen > base->cap) { - size_t newcap = base->cap * 2; - uint8_t *newbuf; - - if (!base->can_resize) - return 0; - - if (newcap < base->cap || newcap < newlen) - newcap = newlen; - - newbuf = realloc(base->buf, newcap); - if (newbuf == NULL) - return 0; - - base->buf = newbuf; - base->cap = newcap; - } - - if (out) - *out = base->buf + base->len; - - base->len = newlen; - return 1; -} - -static int -cbb_add_u(CBB *cbb, uint32_t v, size_t len_len) -{ - uint8_t *buf; - size_t i; - - if (len_len == 0) - return 1; - - if (len_len > 4) - return 0; - - if (!CBB_flush(cbb) || !cbb_buffer_add(cbb->base, &buf, len_len)) - return 0; - - for (i = len_len - 1; i < len_len; i--) { - buf[i] = v; - v >>= 8; - } - return 1; -} - -int -CBB_finish(CBB *cbb, uint8_t **out_data, size_t *out_len) -{ - if (!cbb->is_top_level) - return 0; - - if (!CBB_flush(cbb)) - return 0; - - if (cbb->base->can_resize && (out_data == NULL || out_len == NULL)) - /* - * |out_data| and |out_len| can only be NULL if the CBB is - * fixed. - */ - return 0; - - if (out_data != NULL) - *out_data = cbb->base->buf; - - if (out_len != NULL) - *out_len = cbb->base->len; - - cbb->base->buf = NULL; - CBB_cleanup(cbb); - return 1; -} - -/* - * CBB_flush recurses and then writes out any pending length prefix. The current - * length of the underlying base is taken to be the length of the - * length-prefixed data. - */ -int -CBB_flush(CBB *cbb) -{ - size_t child_start, i, len; - - if (cbb->base == NULL) - return 0; - - if (cbb->child == NULL || cbb->pending_len_len == 0) - return 1; - - child_start = cbb->offset + cbb->pending_len_len; - - if (!CBB_flush(cbb->child) || child_start < cbb->offset || - cbb->base->len < child_start) - return 0; - - len = cbb->base->len - child_start; - - if (cbb->pending_is_asn1) { - /* - * For ASN.1, we assumed that we were using short form which - * only requires a single byte for the length octet. - * - * If it turns out that we need long form, we have to move - * the contents along in order to make space for more length - * octets. - */ - size_t len_len = 1; /* total number of length octets */ - uint8_t initial_length_byte; - - /* We already wrote 1 byte for the length. */ - assert (cbb->pending_len_len == 1); - - /* Check for long form */ - if (len > 0xfffffffe) - return 0; /* 0xffffffff is reserved */ - else if (len > 0xffffff) - len_len = 5; - else if (len > 0xffff) - len_len = 4; - else if (len > 0xff) - len_len = 3; - else if (len > 0x7f) - len_len = 2; - - if (len_len == 1) { - /* For short form, the initial byte is the length. */ - initial_length_byte = len; - len = 0; - - } else { - /* - * For long form, the initial byte is the number of - * subsequent length octets (plus bit 8 set). - */ - initial_length_byte = 0x80 | (len_len - 1); - - /* - * We need to move the contents along in order to make - * space for the long form length octets. - */ - size_t extra_bytes = len_len - 1; - if (!cbb_buffer_add(cbb->base, NULL, extra_bytes)) - return 0; - - memmove(cbb->base->buf + child_start + extra_bytes, - cbb->base->buf + child_start, len); - } - cbb->base->buf[cbb->offset++] = initial_length_byte; - cbb->pending_len_len = len_len - 1; - } - - for (i = cbb->pending_len_len - 1; i < cbb->pending_len_len; i--) { - cbb->base->buf[cbb->offset + i] = len; - len >>= 8; - } - if (len != 0) - return 0; - - cbb->child->base = NULL; - cbb->child = NULL; - cbb->pending_len_len = 0; - cbb->pending_is_asn1 = 0; - cbb->offset = 0; - - return 1; -} - - -static int -cbb_add_length_prefixed(CBB *cbb, CBB *out_contents, size_t len_len) -{ - uint8_t *prefix_bytes; - - if (!CBB_flush(cbb)) - return 0; - - cbb->offset = cbb->base->len; - if (!cbb_buffer_add(cbb->base, &prefix_bytes, len_len)) - return 0; - - memset(prefix_bytes, 0, len_len); - memset(out_contents, 0, sizeof(CBB)); - out_contents->base = cbb->base; - cbb->child = out_contents; - cbb->pending_len_len = len_len; - cbb->pending_is_asn1 = 0; - - return 1; -} - -int -CBB_add_u8_length_prefixed(CBB *cbb, CBB *out_contents) -{ - return cbb_add_length_prefixed(cbb, out_contents, 1); -} - -int -CBB_add_u16_length_prefixed(CBB *cbb, CBB *out_contents) -{ - return cbb_add_length_prefixed(cbb, out_contents, 2); -} - -int -CBB_add_u24_length_prefixed(CBB *cbb, CBB *out_contents) -{ - return cbb_add_length_prefixed(cbb, out_contents, 3); -} - -int -CBB_add_asn1(CBB *cbb, CBB *out_contents, unsigned int tag) -{ - if (tag > UINT8_MAX) - return 0; - - /* Long form identifier octets are not supported. */ - if ((tag & 0x1f) == 0x1f) - return 0; - - /* Short-form identifier octet only needs a single byte */ - if (!CBB_flush(cbb) || !CBB_add_u8(cbb, tag)) - return 0; - - /* - * Add 1 byte to cover the short-form length octet case. If it turns - * out we need long-form, it will be extended later. - */ - cbb->offset = cbb->base->len; - if (!CBB_add_u8(cbb, 0)) - return 0; - - memset(out_contents, 0, sizeof(CBB)); - out_contents->base = cbb->base; - cbb->child = out_contents; - cbb->pending_len_len = 1; - cbb->pending_is_asn1 = 1; - - return 1; -} - -int -CBB_add_bytes(CBB *cbb, const uint8_t *data, size_t len) -{ - uint8_t *dest; - - if (!CBB_add_space(cbb, &dest, len)) - return 0; - - memcpy(dest, data, len); - return 1; -} - -int -CBB_add_space(CBB *cbb, uint8_t **out_data, size_t len) -{ - if (!CBB_flush(cbb) || !cbb_buffer_add(cbb->base, out_data, len)) - return 0; - - return 1; -} - -int -CBB_add_u8(CBB *cbb, size_t value) -{ - if (value > UINT8_MAX) - return 0; - - return cbb_add_u(cbb, (uint32_t)value, 1); -} - -int -CBB_add_u16(CBB *cbb, size_t value) -{ - if (value > UINT16_MAX) - return 0; - - return cbb_add_u(cbb, (uint32_t)value, 2); -} - -int -CBB_add_u24(CBB *cbb, size_t value) -{ - if (value > 0xffffffUL) - return 0; - - return cbb_add_u(cbb, (uint32_t)value, 3); -} - -int -CBB_add_asn1_uint64(CBB *cbb, uint64_t value) -{ - CBB child; - size_t i; - int started = 0; - - if (!CBB_add_asn1(cbb, &child, CBS_ASN1_INTEGER)) - return 0; - - for (i = 0; i < 8; i++) { - uint8_t byte = (value >> 8 * (7 - i)) & 0xff; - - /* - * ASN.1 restriction: first 9 bits cannot be all zeroes or - * all ones. Since this function only encodes unsigned - * integers, the only concerns are not encoding leading - * zeros and adding a padding byte if necessary. - * - * In practice, this means: - * 1) Skip leading octets of all zero bits in the value - * 2) After skipping the leading zero octets, if the next 9 - * bits are all ones, add an all zero prefix octet (and - * set the high bit of the prefix octet if negative). - * - * Additionally, for an unsigned value, add an all zero - * prefix if the high bit of the first octet would be one. - */ - if (!started) { - if (byte == 0) - /* Don't encode leading zeros. */ - continue; - - /* - * If the high bit is set, add a padding byte to make it - * unsigned. - */ - if ((byte & 0x80) && !CBB_add_u8(&child, 0)) - return 0; - - started = 1; - } - if (!CBB_add_u8(&child, byte)) - return 0; - } - - /* 0 is encoded as a single 0, not the empty string. */ - if (!started && !CBB_add_u8(&child, 0)) - return 0; - - return CBB_flush(cbb); -} diff --git a/lib/libssl/src/ssl/bs_cbs.c b/lib/libssl/src/ssl/bs_cbs.c deleted file mode 100644 index ea1f0108f61..00000000000 --- a/lib/libssl/src/ssl/bs_cbs.c +++ /dev/null @@ -1,511 +0,0 @@ -/* $OpenBSD: bs_cbs.c,v 1.17 2015/06/24 09:44:18 jsing Exp $ */ -/* - * Copyright (c) 2014, Google Inc. - * - * Permission to use, copy, modify, and/or distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES - * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF - * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY - * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES - * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION - * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN - * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ - -#include <assert.h> -#include <stdlib.h> -#include <string.h> - -#include <openssl/opensslconf.h> -#include <openssl/buffer.h> -#include <openssl/crypto.h> - -#include "bytestring.h" - -void -CBS_init(CBS *cbs, const uint8_t *data, size_t len) -{ - cbs->data = data; - cbs->initial_len = len; - cbs->len = len; -} - -void -CBS_dup(const CBS *cbs, CBS *out) -{ - CBS_init(out, CBS_data(cbs), CBS_len(cbs)); - out->initial_len = cbs->initial_len; -} - -static int -cbs_get(CBS *cbs, const uint8_t **p, size_t n) -{ - if (cbs->len < n) - return 0; - - *p = cbs->data; - cbs->data += n; - cbs->len -= n; - return 1; -} - -size_t -CBS_offset(const CBS *cbs) -{ - return cbs->initial_len - cbs->len; -} - -int -CBS_skip(CBS *cbs, size_t len) -{ - const uint8_t *dummy; - return cbs_get(cbs, &dummy, len); -} - -const uint8_t * -CBS_data(const CBS *cbs) -{ - return cbs->data; -} - -size_t -CBS_len(const CBS *cbs) -{ - return cbs->len; -} - -int -CBS_stow(const CBS *cbs, uint8_t **out_ptr, size_t *out_len) -{ - free(*out_ptr); - *out_ptr = NULL; - *out_len = 0; - - if (cbs->len == 0) - return 1; - - if ((*out_ptr = malloc(cbs->len)) == NULL) - return 0; - - memcpy(*out_ptr, cbs->data, cbs->len); - - *out_len = cbs->len; - return 1; -} - -int -CBS_strdup(const CBS *cbs, char **out_ptr) -{ - free(*out_ptr); - *out_ptr = strndup((const char *)cbs->data, cbs->len); - return (*out_ptr != NULL); -} - -int -CBS_write_bytes(const CBS *cbs, uint8_t *dst, size_t dst_len, size_t *copied) -{ - if (dst_len < cbs->len) - return 0; - - memmove(dst, cbs->data, cbs->len); - - if (copied != NULL) - *copied = cbs->len; - - return 1; -} - -int -CBS_contains_zero_byte(const CBS *cbs) -{ - return memchr(cbs->data, 0, cbs->len) != NULL; -} - -int -CBS_mem_equal(const CBS *cbs, const uint8_t *data, size_t len) -{ - if (len != cbs->len) - return 0; - - return timingsafe_memcmp(cbs->data, data, len) == 0; -} - -static int -cbs_get_u(CBS *cbs, uint32_t *out, size_t len) -{ - uint32_t result = 0; - size_t i; - const uint8_t *data; - - if (len < 1 || len > 4) - return 0; - - if (!cbs_get(cbs, &data, len)) - return 0; - - for (i = 0; i < len; i++) { - result <<= 8; - result |= data[i]; - } - *out = result; - return 1; -} - -int -CBS_get_u8(CBS *cbs, uint8_t *out) -{ - const uint8_t *v; - - if (!cbs_get(cbs, &v, 1)) - return 0; - - *out = *v; - return 1; -} - -int -CBS_get_u16(CBS *cbs, uint16_t *out) -{ - uint32_t v; - - if (!cbs_get_u(cbs, &v, 2)) - return 0; - - *out = v; - return 1; -} - -int -CBS_get_u24(CBS *cbs, uint32_t *out) -{ - return cbs_get_u(cbs, out, 3); -} - -int -CBS_get_u32(CBS *cbs, uint32_t *out) -{ - return cbs_get_u(cbs, out, 4); -} - -int -CBS_get_bytes(CBS *cbs, CBS *out, size_t len) -{ - const uint8_t *v; - - if (!cbs_get(cbs, &v, len)) - return 0; - - CBS_init(out, v, len); - return 1; -} - -static int -cbs_get_length_prefixed(CBS *cbs, CBS *out, size_t len_len) -{ - uint32_t len; - - if (!cbs_get_u(cbs, &len, len_len)) - return 0; - - return CBS_get_bytes(cbs, out, len); -} - -int -CBS_get_u8_length_prefixed(CBS *cbs, CBS *out) -{ - return cbs_get_length_prefixed(cbs, out, 1); -} - -int -CBS_get_u16_length_prefixed(CBS *cbs, CBS *out) -{ - return cbs_get_length_prefixed(cbs, out, 2); -} - -int -CBS_get_u24_length_prefixed(CBS *cbs, CBS *out) -{ - return cbs_get_length_prefixed(cbs, out, 3); -} - -int -CBS_get_any_asn1_element(CBS *cbs, CBS *out, unsigned int *out_tag, - size_t *out_header_len) -{ - return cbs_get_any_asn1_element_internal(cbs, out, out_tag, - out_header_len, 1); -} - -/* - * Review X.690 for details on ASN.1 DER encoding. - * - * If non-strict mode is enabled, then DER rules are relaxed - * for indefinite constructs (violates DER but a little closer to BER). - * Non-strict mode should only be used by bs_ber.c - * - * Sections 8, 10 and 11 for DER encoding - */ -int -cbs_get_any_asn1_element_internal(CBS *cbs, CBS *out, unsigned int *out_tag, - size_t *out_header_len, int strict) -{ - uint8_t tag, length_byte; - CBS header = *cbs; - CBS throwaway; - size_t len; - - if (out == NULL) - out = &throwaway; - - /* - * Get identifier octet and length octet. Only 1 octet for each - * is a CBS limitation. - */ - if (!CBS_get_u8(&header, &tag) || !CBS_get_u8(&header, &length_byte)) - return 0; - - /* CBS limitation: long form tags are not supported. */ - if ((tag & 0x1f) == 0x1f) - return 0; - - if (out_tag != NULL) - *out_tag = tag; - - if ((length_byte & 0x80) == 0) { - /* Short form length. */ - len = ((size_t) length_byte) + 2; - if (out_header_len != NULL) - *out_header_len = 2; - - } else { - /* Long form length. */ - const size_t num_bytes = length_byte & 0x7f; - uint32_t len32; - - /* ASN.1 reserved value for future extensions */ - if (num_bytes == 0x7f) - return 0; - - /* Handle indefinite form length */ - if (num_bytes == 0) { - /* DER encoding doesn't allow for indefinite form. */ - if (strict) - return 0; - - /* Primitive cannot use indefinite in BER or DER. */ - if ((tag & CBS_ASN1_CONSTRUCTED) == 0) - return 0; - - /* Constructed, indefinite length allowed in BER. */ - if (out_header_len != NULL) - *out_header_len = 2; - return CBS_get_bytes(cbs, out, 2); - } - - /* CBS limitation. */ - if (num_bytes > 4) - return 0; - - if (!cbs_get_u(&header, &len32, num_bytes)) - return 0; - - /* DER has a minimum length octet requirement. */ - if (len32 < 128) - /* Should have used short form instead */ - return 0; - - if ((len32 >> ((num_bytes - 1) * 8)) == 0) - /* Length should have been at least one byte shorter. */ - return 0; - - len = len32; - if (len + 2 + num_bytes < len) - /* Overflow. */ - return 0; - - len += 2 + num_bytes; - if (out_header_len != NULL) - *out_header_len = 2 + num_bytes; - } - - return CBS_get_bytes(cbs, out, len); -} - -static int -cbs_get_asn1(CBS *cbs, CBS *out, unsigned int tag_value, int skip_header) -{ - size_t header_len; - unsigned int tag; - CBS throwaway; - - if (out == NULL) - out = &throwaway; - - if (!CBS_get_any_asn1_element(cbs, out, &tag, &header_len) || - tag != tag_value) - return 0; - - if (skip_header && !CBS_skip(out, header_len)) { - assert(0); - return 0; - } - - return 1; -} - -int -CBS_get_asn1(CBS *cbs, CBS *out, unsigned int tag_value) -{ - return cbs_get_asn1(cbs, out, tag_value, 1 /* skip header */); -} - -int -CBS_get_asn1_element(CBS *cbs, CBS *out, unsigned int tag_value) -{ - return cbs_get_asn1(cbs, out, tag_value, 0 /* include header */); -} - -int -CBS_peek_asn1_tag(const CBS *cbs, unsigned int tag_value) -{ - if (CBS_len(cbs) < 1) - return 0; - - /* - * Tag number 31 indicates the start of a long form number. - * This is valid in ASN.1, but CBS only supports short form. - */ - if ((tag_value & 0x1f) == 0x1f) - return 0; - - return CBS_data(cbs)[0] == tag_value; -} - -/* Encoding details are in ASN.1: X.690 section 8.3 */ -int -CBS_get_asn1_uint64(CBS *cbs, uint64_t *out) -{ - CBS bytes; - const uint8_t *data; - size_t i, len; - - if (!CBS_get_asn1(cbs, &bytes, CBS_ASN1_INTEGER)) - return 0; - - *out = 0; - data = CBS_data(&bytes); - len = CBS_len(&bytes); - - if (len == 0) - /* An INTEGER is encoded with at least one content octet. */ - return 0; - - if ((data[0] & 0x80) != 0) - /* Negative number. */ - return 0; - - if (data[0] == 0 && len > 1 && (data[1] & 0x80) == 0) - /* Violates smallest encoding rule: excessive leading zeros. */ - return 0; - - for (i = 0; i < len; i++) { - if ((*out >> 56) != 0) - /* Too large to represent as a uint64_t. */ - return 0; - - *out <<= 8; - *out |= data[i]; - } - - return 1; -} - -int -CBS_get_optional_asn1(CBS *cbs, CBS *out, int *out_present, unsigned int tag) -{ - if (CBS_peek_asn1_tag(cbs, tag)) { - if (!CBS_get_asn1(cbs, out, tag)) - return 0; - - *out_present = 1; - } else { - *out_present = 0; - } - return 1; -} - -int -CBS_get_optional_asn1_octet_string(CBS *cbs, CBS *out, int *out_present, - unsigned int tag) -{ - CBS child; - int present; - - if (!CBS_get_optional_asn1(cbs, &child, &present, tag)) - return 0; - - if (present) { - if (!CBS_get_asn1(&child, out, CBS_ASN1_OCTETSTRING) || - CBS_len(&child) != 0) - return 0; - } else { - CBS_init(out, NULL, 0); - } - if (out_present) - *out_present = present; - - return 1; -} - -int -CBS_get_optional_asn1_uint64(CBS *cbs, uint64_t *out, unsigned int tag, - uint64_t default_value) -{ - CBS child; - int present; - - if (!CBS_get_optional_asn1(cbs, &child, &present, tag)) - return 0; - - if (present) { - if (!CBS_get_asn1_uint64(&child, out) || - CBS_len(&child) != 0) - return 0; - } else { - *out = default_value; - } - return 1; -} - -int -CBS_get_optional_asn1_bool(CBS *cbs, int *out, unsigned int tag, - int default_value) -{ - CBS child, child2; - int present; - - if (!CBS_get_optional_asn1(cbs, &child, &present, tag)) - return 0; - - if (present) { - uint8_t boolean; - - if (!CBS_get_asn1(&child, &child2, CBS_ASN1_BOOLEAN) || - CBS_len(&child2) != 1 || CBS_len(&child) != 0) - return 0; - - boolean = CBS_data(&child2)[0]; - if (boolean == 0) - *out = 0; - else if (boolean == 0xff) - *out = 1; - else - return 0; - - } else { - *out = default_value; - } - return 1; -} diff --git a/lib/libssl/src/ssl/bytestring.h b/lib/libssl/src/ssl/bytestring.h deleted file mode 100644 index 8ea84005b49..00000000000 --- a/lib/libssl/src/ssl/bytestring.h +++ /dev/null @@ -1,511 +0,0 @@ -/* $OpenBSD: bytestring.h,v 1.14 2015/06/19 00:23:36 doug Exp $ */ -/* - * Copyright (c) 2014, Google Inc. - * - * Permission to use, copy, modify, and/or distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES - * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF - * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY - * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES - * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION - * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN - * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ - -#ifndef OPENSSL_HEADER_BYTESTRING_H -#define OPENSSL_HEADER_BYTESTRING_H - -#if defined(__cplusplus) -extern "C" { -#endif - -#include <sys/types.h> -#include <stdint.h> - -#include <openssl/opensslconf.h> - -/* - * Bytestrings are used for parsing and building TLS and ASN.1 messages. - * - * A "CBS" (CRYPTO ByteString) represents a string of bytes in memory and - * provides utility functions for safely parsing length-prefixed structures - * like TLS and ASN.1 from it. - * - * A "CBB" (CRYPTO ByteBuilder) is a memory buffer that grows as needed and - * provides utility functions for building length-prefixed messages. - */ - -/* CRYPTO ByteString */ -typedef struct cbs_st { - const uint8_t *data; - size_t initial_len; - size_t len; -} CBS; - -/* - * CBS_init sets |cbs| to point to |data|. It does not take ownership of - * |data|. - */ -void CBS_init(CBS *cbs, const uint8_t *data, size_t len); - -/* - * CBS_skip advances |cbs| by |len| bytes. It returns one on success and zero - * otherwise. - */ -int CBS_skip(CBS *cbs, size_t len); - -/* - * CBS_data returns a pointer to the contents of |cbs|. - */ -const uint8_t *CBS_data(const CBS *cbs); - -/* - * CBS_len returns the number of bytes remaining in |cbs|. - */ -size_t CBS_len(const CBS *cbs); - -/* - * CBS_offset returns the current offset into the original data of |cbs|. - */ -size_t CBS_offset(const CBS *cbs); - -/* - * CBS_stow copies the current contents of |cbs| into |*out_ptr| and - * |*out_len|. If |*out_ptr| is not NULL, the contents are freed with - * free. It returns one on success and zero on allocation failure. On - * success, |*out_ptr| should be freed with free. If |cbs| is empty, - * |*out_ptr| will be NULL. - */ -int CBS_stow(const CBS *cbs, uint8_t **out_ptr, size_t *out_len); - -/* - * CBS_strdup copies the current contents of |cbs| into |*out_ptr| as a - * NUL-terminated C string. If |*out_ptr| is not NULL, the contents are freed - * with free. It returns one on success and zero on allocation - * failure. On success, |*out_ptr| should be freed with free. - * - * NOTE: If |cbs| contains NUL bytes, the string will be truncated. Call - * |CBS_contains_zero_byte(cbs)| to check for NUL bytes. - */ -int CBS_strdup(const CBS *cbs, char **out_ptr); - -/* - * CBS_write_bytes writes all of the remaining data from |cbs| into |dst| - * if it is at most |dst_len| bytes. If |copied| is not NULL, it will be set - * to the amount copied. It returns one on success and zero otherwise. - */ -int CBS_write_bytes(const CBS *cbs, uint8_t *dst, size_t dst_len, - size_t *copied); - -/* - * CBS_contains_zero_byte returns one if the current contents of |cbs| contains - * a NUL byte and zero otherwise. - */ -int CBS_contains_zero_byte(const CBS *cbs); - -/* - * CBS_mem_equal compares the current contents of |cbs| with the |len| bytes - * starting at |data|. If they're equal, it returns one, otherwise zero. If the - * lengths match, it uses a constant-time comparison. - */ -int CBS_mem_equal(const CBS *cbs, const uint8_t *data, size_t len); - -/* - * CBS_get_u8 sets |*out| to the next uint8_t from |cbs| and advances |cbs|. It - * returns one on success and zero on error. - */ -int CBS_get_u8(CBS *cbs, uint8_t *out); - -/* - * CBS_get_u16 sets |*out| to the next, big-endian uint16_t from |cbs| and - * advances |cbs|. It returns one on success and zero on error. - */ -int CBS_get_u16(CBS *cbs, uint16_t *out); - -/* - * CBS_get_u24 sets |*out| to the next, big-endian 24-bit value from |cbs| and - * advances |cbs|. It returns one on success and zero on error. - */ -int CBS_get_u24(CBS *cbs, uint32_t *out); - -/* - * CBS_get_u32 sets |*out| to the next, big-endian uint32_t value from |cbs| - * and advances |cbs|. It returns one on success and zero on error. - */ -int CBS_get_u32(CBS *cbs, uint32_t *out); - -/* - * CBS_get_bytes sets |*out| to the next |len| bytes from |cbs| and advances - * |cbs|. It returns one on success and zero on error. - */ -int CBS_get_bytes(CBS *cbs, CBS *out, size_t len); - -/* - * CBS_get_u8_length_prefixed sets |*out| to the contents of an 8-bit, - * length-prefixed value from |cbs| and advances |cbs| over it. It returns one - * on success and zero on error. - */ -int CBS_get_u8_length_prefixed(CBS *cbs, CBS *out); - -/* - * CBS_get_u16_length_prefixed sets |*out| to the contents of a 16-bit, - * big-endian, length-prefixed value from |cbs| and advances |cbs| over it. It - * returns one on success and zero on error. - */ -int CBS_get_u16_length_prefixed(CBS *cbs, CBS *out); - -/* - * CBS_get_u24_length_prefixed sets |*out| to the contents of a 24-bit, - * big-endian, length-prefixed value from |cbs| and advances |cbs| over it. It - * returns one on success and zero on error. - */ -int CBS_get_u24_length_prefixed(CBS *cbs, CBS *out); - - -/* Parsing ASN.1 */ - -/* - * While an identifier can be multiple octets, this library only handles the - * single octet variety currently. This limits support up to tag number 30 - * since tag number 31 is a reserved value to indicate multiple octets. - */ - -/* Bits 8 and 7: class tag type: See X.690 section 8.1.2.2. */ -#define CBS_ASN1_UNIVERSAL 0x00 -#define CBS_ASN1_APPLICATION 0x40 -#define CBS_ASN1_CONTEXT_SPECIFIC 0x80 -#define CBS_ASN1_PRIVATE 0xc0 - -/* Bit 6: Primitive or constructed: See X.690 section 8.1.2.3. */ -#define CBS_ASN1_PRIMITIVE 0x00 -#define CBS_ASN1_CONSTRUCTED 0x20 - -/* - * Bits 5 to 1 are the tag number. See X.680 section 8.6 for tag numbers of - * the universal class. - */ - -/* - * Common universal identifier octets. - * See X.690 section 8.1 and X.680 section 8.6 for universal tag numbers. - * - * Note: These definitions are the cause of some of the strange behavior in - * CBS's bs_ber.c. - * - * In BER, it is the sender's option to use primitive or constructed for - * bitstring (X.690 section 8.6.1) and octetstring (X.690 section 8.7.1). - * - * In DER, bitstring and octetstring are required to be primitive - * (X.690 section 10.2). - */ -#define CBS_ASN1_BOOLEAN (CBS_ASN1_UNIVERSAL | CBS_ASN1_PRIMITIVE | 0x1) -#define CBS_ASN1_INTEGER (CBS_ASN1_UNIVERSAL | CBS_ASN1_PRIMITIVE | 0x2) -#define CBS_ASN1_BITSTRING (CBS_ASN1_UNIVERSAL | CBS_ASN1_PRIMITIVE | 0x3) -#define CBS_ASN1_OCTETSTRING (CBS_ASN1_UNIVERSAL | CBS_ASN1_PRIMITIVE | 0x4) -#define CBS_ASN1_OBJECT (CBS_ASN1_UNIVERSAL | CBS_ASN1_PRIMITIVE | 0x6) -#define CBS_ASN1_ENUMERATED (CBS_ASN1_UNIVERSAL | CBS_ASN1_PRIMITIVE | 0xa) -#define CBS_ASN1_SEQUENCE (CBS_ASN1_UNIVERSAL | CBS_ASN1_CONSTRUCTED | 0x10) -#define CBS_ASN1_SET (CBS_ASN1_UNIVERSAL | CBS_ASN1_CONSTRUCTED | 0x11) - -/* - * CBS_get_asn1 sets |*out| to the contents of DER-encoded, ASN.1 element (not - * including tag and length bytes) and advances |cbs| over it. The ASN.1 - * element must match |tag_value|. It returns one on success and zero - * on error. - * - * Tag numbers greater than 30 are not supported (i.e. short form only). - */ -int CBS_get_asn1(CBS *cbs, CBS *out, unsigned int tag_value); - -/* - * CBS_get_asn1_element acts like |CBS_get_asn1| but |out| will include the - * ASN.1 header bytes too. - */ -int CBS_get_asn1_element(CBS *cbs, CBS *out, unsigned int tag_value); - -/* - * CBS_peek_asn1_tag looks ahead at the next ASN.1 tag and returns one - * if the next ASN.1 element on |cbs| would have tag |tag_value|. If - * |cbs| is empty or the tag does not match, it returns zero. Note: if - * it returns one, CBS_get_asn1 may still fail if the rest of the - * element is malformed. - */ -int CBS_peek_asn1_tag(const CBS *cbs, unsigned int tag_value); - -/* - * CBS_get_any_asn1_element sets |*out| to contain the next ASN.1 element from - * |*cbs| (including header bytes) and advances |*cbs|. It sets |*out_tag| to - * the tag number and |*out_header_len| to the length of the ASN.1 header. - * Each of |out|, |out_tag|, and |out_header_len| may be NULL to ignore - * the value. - * - * Tag numbers greater than 30 are not supported (i.e. short form only). - */ -int CBS_get_any_asn1_element(CBS *cbs, CBS *out, unsigned int *out_tag, - size_t *out_header_len); - -/* - * CBS_get_asn1_uint64 gets an ASN.1 INTEGER from |cbs| using |CBS_get_asn1| - * and sets |*out| to its value. It returns one on success and zero on error, - * where error includes the integer being negative, or too large to represent - * in 64 bits. - */ -int CBS_get_asn1_uint64(CBS *cbs, uint64_t *out); - -/* - * CBS_get_optional_asn1 gets an optional explicitly-tagged element - * from |cbs| tagged with |tag| and sets |*out| to its contents. If - * present, it sets |*out_present| to one, otherwise zero. It returns - * one on success, whether or not the element was present, and zero on - * decode failure. - */ -int CBS_get_optional_asn1(CBS *cbs, CBS *out, int *out_present, - unsigned int tag); - -/* - * CBS_get_optional_asn1_octet_string gets an optional - * explicitly-tagged OCTET STRING from |cbs|. If present, it sets - * |*out| to the string and |*out_present| to one. Otherwise, it sets - * |*out| to empty and |*out_present| to zero. |out_present| may be - * NULL. It returns one on success, whether or not the element was - * present, and zero on decode failure. - */ -int CBS_get_optional_asn1_octet_string(CBS *cbs, CBS *out, int *out_present, - unsigned int tag); - -/* - * CBS_get_optional_asn1_uint64 gets an optional explicitly-tagged - * INTEGER from |cbs|. If present, it sets |*out| to the - * value. Otherwise, it sets |*out| to |default_value|. It returns one - * on success, whether or not the element was present, and zero on - * decode failure. - */ -int CBS_get_optional_asn1_uint64(CBS *cbs, uint64_t *out, unsigned int tag, - uint64_t default_value); - -/* - * CBS_get_optional_asn1_bool gets an optional, explicitly-tagged BOOLEAN from - * |cbs|. If present, it sets |*out| to either zero or one, based on the - * boolean. Otherwise, it sets |*out| to |default_value|. It returns one on - * success, whether or not the element was present, and zero on decode - * failure. - */ -int CBS_get_optional_asn1_bool(CBS *cbs, int *out, unsigned int tag, - int default_value); - - -/* - * CRYPTO ByteBuilder. - * - * |CBB| objects allow one to build length-prefixed serialisations. A |CBB| - * object is associated with a buffer and new buffers are created with - * |CBB_init|. Several |CBB| objects can point at the same buffer when a - * length-prefix is pending, however only a single |CBB| can be 'current' at - * any one time. For example, if one calls |CBB_add_u8_length_prefixed| then - * the new |CBB| points at the same buffer as the original. But if the original - * |CBB| is used then the length prefix is written out and the new |CBB| must - * not be used again. - * - * If one needs to force a length prefix to be written out because a |CBB| is - * going out of scope, use |CBB_flush|. - */ - -struct cbb_buffer_st { - uint8_t *buf; - - /* The number of valid bytes. */ - size_t len; - - /* The size of buf. */ - size_t cap; - - /* - * One iff |buf| is owned by this object. If not then |buf| cannot be - * resized. - */ - char can_resize; -}; - -typedef struct cbb_st { - struct cbb_buffer_st *base; - - /* - * offset is the offset from the start of |base->buf| to the position of any - * pending length-prefix. - */ - size_t offset; - - /* child points to a child CBB if a length-prefix is pending. */ - struct cbb_st *child; - - /* - * pending_len_len contains the number of bytes in a pending length-prefix, - * or zero if no length-prefix is pending. - */ - uint8_t pending_len_len; - - char pending_is_asn1; - - /* - * is_top_level is true iff this is a top-level |CBB| (as opposed to a child - * |CBB|). Top-level objects are valid arguments for |CBB_finish|. - */ - char is_top_level; -} CBB; - -/* - * CBB_init initialises |cbb| with |initial_capacity|. Since a |CBB| grows as - * needed, the |initial_capacity| is just a hint. It returns one on success or - * zero on error. - */ -int CBB_init(CBB *cbb, size_t initial_capacity); - -/* - * CBB_init_fixed initialises |cbb| to write to |len| bytes at |buf|. Since - * |buf| cannot grow, trying to write more than |len| bytes will cause CBB - * functions to fail. It returns one on success or zero on error. - */ -int CBB_init_fixed(CBB *cbb, uint8_t *buf, size_t len); - -/* - * CBB_cleanup frees all resources owned by |cbb| and other |CBB| objects - * writing to the same buffer. This should be used in an error case where a - * serialisation is abandoned. - */ -void CBB_cleanup(CBB *cbb); - -/* - * CBB_finish completes any pending length prefix and sets |*out_data| to a - * malloced buffer and |*out_len| to the length of that buffer. The caller - * takes ownership of the buffer and, unless the buffer was fixed with - * |CBB_init_fixed|, must call |free| when done. - * - * It can only be called on a "top level" |CBB|, i.e. one initialised with - * |CBB_init| or |CBB_init_fixed|. It returns one on success and zero on - * error. - */ -int CBB_finish(CBB *cbb, uint8_t **out_data, size_t *out_len); - -/* - * CBB_flush causes any pending length prefixes to be written out and any child - * |CBB| objects of |cbb| to be invalidated. It returns one on success or zero - * on error. - */ -int CBB_flush(CBB *cbb); - -/* - * CBB_add_u8_length_prefixed sets |*out_contents| to a new child of |cbb|. The - * data written to |*out_contents| will be prefixed in |cbb| with an 8-bit - * length. It returns one on success or zero on error. - */ -int CBB_add_u8_length_prefixed(CBB *cbb, CBB *out_contents); - -/* - * CBB_add_u16_length_prefixed sets |*out_contents| to a new child of |cbb|. - * The data written to |*out_contents| will be prefixed in |cbb| with a 16-bit, - * big-endian length. It returns one on success or zero on error. - */ -int CBB_add_u16_length_prefixed(CBB *cbb, CBB *out_contents); - -/* - * CBB_add_u24_length_prefixed sets |*out_contents| to a new child of |cbb|. - * The data written to |*out_contents| will be prefixed in |cbb| with a 24-bit, - * big-endian length. It returns one on success or zero on error. - */ -int CBB_add_u24_length_prefixed(CBB *cbb, CBB *out_contents); - -/* - * CBB_add_asn sets |*out_contents| to a |CBB| into which the contents of an - * ASN.1 object can be written. The |tag| argument will be used as the tag for - * the object. Passing in |tag| number 31 will return in an error since only - * single octet identifiers are supported. It returns one on success or zero - * on error. - */ -int CBB_add_asn1(CBB *cbb, CBB *out_contents, unsigned int tag); - -/* - * CBB_add_bytes appends |len| bytes from |data| to |cbb|. It returns one on - * success and zero otherwise. - */ -int CBB_add_bytes(CBB *cbb, const uint8_t *data, size_t len); - -/* - * CBB_add_space appends |len| bytes to |cbb| and sets |*out_data| to point to - * the beginning of that space. The caller must then write |len| bytes of - * actual contents to |*out_data|. It returns one on success and zero - * otherwise. - */ -int CBB_add_space(CBB *cbb, uint8_t **out_data, size_t len); - -/* - * CBB_add_u8 appends an 8-bit number from |value| to |cbb|. It returns one on - * success and zero otherwise. - */ -int CBB_add_u8(CBB *cbb, size_t value); - -/* - * CBB_add_u8 appends a 16-bit, big-endian number from |value| to |cbb|. It - * returns one on success and zero otherwise. - */ -int CBB_add_u16(CBB *cbb, size_t value); - -/* - * CBB_add_u24 appends a 24-bit, big-endian number from |value| to |cbb|. It - * returns one on success and zero otherwise. - */ -int CBB_add_u24(CBB *cbb, size_t value); - -/* - * CBB_add_asn1_uint64 writes an ASN.1 INTEGER into |cbb| using |CBB_add_asn1| - * and writes |value| in its contents. It returns one on success and zero on - * error. - */ -int CBB_add_asn1_uint64(CBB *cbb, uint64_t value); - -#ifdef LIBRESSL_INTERNAL -/* - * CBS_dup sets |out| to point to cbs's |data| and |len|. It results in two - * CBS that point to the same buffer. - */ -void CBS_dup(const CBS *cbs, CBS *out); - -/* - * cbs_get_any_asn1_element sets |*out| to contain the next ASN.1 element from - * |*cbs| (including header bytes) and advances |*cbs|. It sets |*out_tag| to - * the tag number and |*out_header_len| to the length of the ASN.1 header. If - * strict mode is disabled and the element has indefinite length then |*out| - * will only contain the header. Each of |out|, |out_tag|, and - * |out_header_len| may be NULL to ignore the value. - * - * Tag numbers greater than 30 are not supported (i.e. short form only). - */ -int cbs_get_any_asn1_element_internal(CBS *cbs, CBS *out, unsigned int *out_tag, - size_t *out_header_len, int strict); - -/* - * CBS_asn1_indefinite_to_definite reads an ASN.1 structure from |in|. If it - * finds indefinite-length elements that otherwise appear to be valid DER, it - * attempts to convert the DER-like data to DER and sets |*out| and - * |*out_length| to describe a malloced buffer containing the DER data. - * Additionally, |*in| will be advanced over the ASN.1 data. - * - * If it doesn't find any indefinite-length elements then it sets |*out| to - * NULL and |*in| is unmodified. - * - * This is NOT a conversion from BER to DER. There are many restrictions when - * dealing with DER data. This is only concerned with one: indefinite vs. - * definite form. However, this suffices to handle the PKCS#7 and PKCS#12 output - * from NSS. - * - * It returns one on success and zero otherwise. - */ -int CBS_asn1_indefinite_to_definite(CBS *in, uint8_t **out, size_t *out_len); -#endif /* LIBRESSL_INTERNAL */ - -#if defined(__cplusplus) -} /* extern C */ -#endif - -#endif /* OPENSSL_HEADER_BYTESTRING_H */ diff --git a/lib/libssl/src/ssl/d1_both.c b/lib/libssl/src/ssl/d1_both.c deleted file mode 100644 index bce084f1eef..00000000000 --- a/lib/libssl/src/ssl/d1_both.c +++ /dev/null @@ -1,1374 +0,0 @@ -/* $OpenBSD: d1_both.c,v 1.39 2016/03/06 14:52:15 beck Exp $ */ -/* - * DTLS implementation written by Nagendra Modadugu - * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. - */ -/* ==================================================================== - * Copyright (c) 1998-2005 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * openssl-core@openssl.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.openssl.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ -/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) - * All rights reserved. - * - * This package is an SSL implementation written - * by Eric Young (eay@cryptsoft.com). - * The implementation was written so as to conform with Netscapes SSL. - * - * This library is free for commercial and non-commercial use as long as - * the following conditions are aheared to. The following conditions - * apply to all code found in this distribution, be it the RC4, RSA, - * lhash, DES, etc., code; not just the SSL code. The SSL documentation - * included with this distribution is covered by the same copyright terms - * except that the holder is Tim Hudson (tjh@cryptsoft.com). - * - * Copyright remains Eric Young's, and as such any Copyright notices in - * the code are not to be removed. - * If this package is used in a product, Eric Young should be given attribution - * as the author of the parts of the library used. - * This can be in the form of a textual message at program startup or - * in documentation (online or textual) provided with the package. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * "This product includes cryptographic software written by - * Eric Young (eay@cryptsoft.com)" - * The word 'cryptographic' can be left out if the rouines from the library - * being used are not cryptographic related :-). - * 4. If you include any Windows specific code (or a derivative thereof) from - * the apps directory (application code) you must include an acknowledgement: - * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" - * - * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * The licence and distribution terms for any publically available version or - * derivative of this code cannot be changed. i.e. this code cannot simply be - * copied and put under another distribution licence - * [including the GNU Public Licence.] - */ - -#include <limits.h> -#include <stdio.h> -#include <string.h> - -#include "ssl_locl.h" - -#include <openssl/buffer.h> -#include <openssl/evp.h> -#include <openssl/objects.h> -#include <openssl/x509.h> - -#include "pqueue.h" -#include "bytestring.h" - -#define RSMBLY_BITMASK_SIZE(msg_len) (((msg_len) + 7) / 8) - -#define RSMBLY_BITMASK_MARK(bitmask, start, end) { \ - if ((end) - (start) <= 8) { \ - long ii; \ - for (ii = (start); ii < (end); ii++) bitmask[((ii) >> 3)] |= (1 << ((ii) & 7)); \ - } else { \ - long ii; \ - bitmask[((start) >> 3)] |= bitmask_start_values[((start) & 7)]; \ - for (ii = (((start) >> 3) + 1); ii < ((((end) - 1)) >> 3); ii++) bitmask[ii] = 0xff; \ - bitmask[(((end) - 1) >> 3)] |= bitmask_end_values[((end) & 7)]; \ - } } - -#define RSMBLY_BITMASK_IS_COMPLETE(bitmask, msg_len, is_complete) { \ - long ii; \ - OPENSSL_assert((msg_len) > 0); \ - is_complete = 1; \ - if (bitmask[(((msg_len) - 1) >> 3)] != bitmask_end_values[((msg_len) & 7)]) is_complete = 0; \ - if (is_complete) for (ii = (((msg_len) - 1) >> 3) - 1; ii >= 0 ; ii--) \ - if (bitmask[ii] != 0xff) { is_complete = 0; break; } } - -static unsigned char bitmask_start_values[] = { - 0xff, 0xfe, 0xfc, 0xf8, 0xf0, 0xe0, 0xc0, 0x80 -}; -static unsigned char bitmask_end_values[] = { - 0xff, 0x01, 0x03, 0x07, 0x0f, 0x1f, 0x3f, 0x7f -}; - -/* XDTLS: figure out the right values */ -static unsigned int g_probable_mtu[] = {1500 - 28, 512 - 28, 256 - 28}; - -static unsigned int dtls1_guess_mtu(unsigned int curr_mtu); -static void dtls1_fix_message_header(SSL *s, unsigned long frag_off, - unsigned long frag_len); -static unsigned char *dtls1_write_message_header(SSL *s, unsigned char *p); -static void dtls1_set_message_header_int(SSL *s, unsigned char mt, - unsigned long len, unsigned short seq_num, unsigned long frag_off, - unsigned long frag_len); -static long dtls1_get_message_fragment(SSL *s, int st1, int stn, long max, - int *ok); - -static hm_fragment * -dtls1_hm_fragment_new(unsigned long frag_len, int reassembly) -{ - hm_fragment *frag = NULL; - unsigned char *buf = NULL; - unsigned char *bitmask = NULL; - - frag = malloc(sizeof(hm_fragment)); - if (frag == NULL) - return NULL; - - if (frag_len) { - buf = malloc(frag_len); - if (buf == NULL) { - free(frag); - return NULL; - } - } - - /* zero length fragment gets zero frag->fragment */ - frag->fragment = buf; - - /* Initialize reassembly bitmask if necessary */ - if (reassembly) { - bitmask = malloc(RSMBLY_BITMASK_SIZE(frag_len)); - if (bitmask == NULL) { - free(buf); - free(frag); - return NULL; - } - memset(bitmask, 0, RSMBLY_BITMASK_SIZE(frag_len)); - } - - frag->reassembly = bitmask; - - return frag; -} - -static void -dtls1_hm_fragment_free(hm_fragment *frag) -{ - if (frag == NULL) - return; - - if (frag->msg_header.is_ccs) { - EVP_CIPHER_CTX_free( - frag->msg_header.saved_retransmit_state.enc_write_ctx); - EVP_MD_CTX_destroy( - frag->msg_header.saved_retransmit_state.write_hash); - } - free(frag->fragment); - free(frag->reassembly); - free(frag); -} - -/* send s->init_buf in records of type 'type' (SSL3_RT_HANDSHAKE or SSL3_RT_CHANGE_CIPHER_SPEC) */ -int -dtls1_do_write(SSL *s, int type) -{ - int ret; - int curr_mtu; - unsigned int len, frag_off, mac_size, blocksize; - - /* AHA! Figure out the MTU, and stick to the right size */ - if (s->d1->mtu < dtls1_min_mtu() && - !(SSL_get_options(s) & SSL_OP_NO_QUERY_MTU)) { - s->d1->mtu = BIO_ctrl(SSL_get_wbio(s), - BIO_CTRL_DGRAM_QUERY_MTU, 0, NULL); - - /* - * I've seen the kernel return bogus numbers when it - * doesn't know the MTU (ie., the initial write), so just - * make sure we have a reasonable number - */ - if (s->d1->mtu < dtls1_min_mtu()) { - s->d1->mtu = 0; - s->d1->mtu = dtls1_guess_mtu(s->d1->mtu); - BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SET_MTU, - s->d1->mtu, NULL); - } - } - - OPENSSL_assert(s->d1->mtu >= dtls1_min_mtu()); - /* should have something reasonable now */ - - if (s->init_off == 0 && type == SSL3_RT_HANDSHAKE) - OPENSSL_assert(s->init_num == - (int)s->d1->w_msg_hdr.msg_len + DTLS1_HM_HEADER_LENGTH); - - if (s->write_hash) - mac_size = EVP_MD_CTX_size(s->write_hash); - else - mac_size = 0; - - if (s->enc_write_ctx && - (EVP_CIPHER_mode( s->enc_write_ctx->cipher) & EVP_CIPH_CBC_MODE)) - blocksize = 2 * EVP_CIPHER_block_size(s->enc_write_ctx->cipher); - else - blocksize = 0; - - frag_off = 0; - while (s->init_num) { - curr_mtu = s->d1->mtu - BIO_wpending(SSL_get_wbio(s)) - - DTLS1_RT_HEADER_LENGTH - mac_size - blocksize; - - if (curr_mtu <= DTLS1_HM_HEADER_LENGTH) { - /* grr.. we could get an error if MTU picked was wrong */ - ret = BIO_flush(SSL_get_wbio(s)); - if (ret <= 0) - return ret; - curr_mtu = s->d1->mtu - DTLS1_RT_HEADER_LENGTH - - mac_size - blocksize; - } - - if (s->init_num > curr_mtu) - len = curr_mtu; - else - len = s->init_num; - - - /* XDTLS: this function is too long. split out the CCS part */ - if (type == SSL3_RT_HANDSHAKE) { - if (s->init_off != 0) { - OPENSSL_assert(s->init_off > DTLS1_HM_HEADER_LENGTH); - s->init_off -= DTLS1_HM_HEADER_LENGTH; - s->init_num += DTLS1_HM_HEADER_LENGTH; - - if (s->init_num > curr_mtu) - len = curr_mtu; - else - len = s->init_num; - } - - dtls1_fix_message_header(s, frag_off, - len - DTLS1_HM_HEADER_LENGTH); - - dtls1_write_message_header(s, - (unsigned char *)&s->init_buf->data[s->init_off]); - - OPENSSL_assert(len >= DTLS1_HM_HEADER_LENGTH); - } - - ret = dtls1_write_bytes(s, type, - &s->init_buf->data[s->init_off], len); - if (ret < 0) { - /* - * Might need to update MTU here, but we don't know - * which previous packet caused the failure -- so - * can't really retransmit anything. continue as - * if everything is fine and wait for an alert to - * handle the retransmit - */ - if (BIO_ctrl(SSL_get_wbio(s), - BIO_CTRL_DGRAM_MTU_EXCEEDED, 0, NULL) > 0) - s->d1->mtu = BIO_ctrl(SSL_get_wbio(s), - BIO_CTRL_DGRAM_QUERY_MTU, 0, NULL); - else - return (-1); - } else { - - /* - * Bad if this assert fails, only part of the - * handshake message got sent. but why would - * this happen? - */ - OPENSSL_assert(len == (unsigned int)ret); - - if (type == SSL3_RT_HANDSHAKE && - !s->d1->retransmitting) { - /* - * Should not be done for 'Hello Request's, - * but in that case we'll ignore the result - * anyway - */ - unsigned char *p = (unsigned char *)&s->init_buf->data[s->init_off]; - const struct hm_header_st *msg_hdr = &s->d1->w_msg_hdr; - int xlen; - - if (frag_off == 0) { - /* - * Reconstruct message header is if it - * is being sent in single fragment - */ - *p++ = msg_hdr->type; - l2n3(msg_hdr->msg_len, p); - s2n (msg_hdr->seq, p); - l2n3(0, p); - l2n3(msg_hdr->msg_len, p); - p -= DTLS1_HM_HEADER_LENGTH; - xlen = ret; - } else { - p += DTLS1_HM_HEADER_LENGTH; - xlen = ret - DTLS1_HM_HEADER_LENGTH; - } - - tls1_finish_mac(s, p, xlen); - } - - if (ret == s->init_num) { - if (s->msg_callback) - s->msg_callback(1, s->version, type, - s->init_buf->data, - (size_t)(s->init_off + s->init_num), - s, s->msg_callback_arg); - - s->init_off = 0; - /* done writing this message */ - s->init_num = 0; - - return (1); - } - s->init_off += ret; - s->init_num -= ret; - frag_off += (ret -= DTLS1_HM_HEADER_LENGTH); - } - } - return (0); -} - - -/* - * Obtain handshake message of message type 'mt' (any if mt == -1), - * maximum acceptable body length 'max'. - * Read an entire handshake message. Handshake messages arrive in - * fragments. - */ -long -dtls1_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok) -{ - int i, al; - struct hm_header_st *msg_hdr; - unsigned char *p; - unsigned long msg_len; - - /* - * s3->tmp is used to store messages that are unexpected, caused - * by the absence of an optional handshake message - */ - if (s->s3->tmp.reuse_message) { - s->s3->tmp.reuse_message = 0; - if ((mt >= 0) && (s->s3->tmp.message_type != mt)) { - al = SSL_AD_UNEXPECTED_MESSAGE; - SSLerr(SSL_F_DTLS1_GET_MESSAGE, - SSL_R_UNEXPECTED_MESSAGE); - goto f_err; - } - *ok = 1; - s->init_msg = s->init_buf->data + DTLS1_HM_HEADER_LENGTH; - s->init_num = (int)s->s3->tmp.message_size; - return s->init_num; - } - - msg_hdr = &s->d1->r_msg_hdr; - memset(msg_hdr, 0x00, sizeof(struct hm_header_st)); - -again: - i = dtls1_get_message_fragment(s, st1, stn, max, ok); - if (i == DTLS1_HM_BAD_FRAGMENT || - i == DTLS1_HM_FRAGMENT_RETRY) /* bad fragment received */ - goto again; - else if (i <= 0 && !*ok) - return i; - - p = (unsigned char *)s->init_buf->data; - msg_len = msg_hdr->msg_len; - - /* reconstruct message header */ - *(p++) = msg_hdr->type; - l2n3(msg_len, p); - s2n (msg_hdr->seq, p); - l2n3(0, p); - l2n3(msg_len, p); - - p -= DTLS1_HM_HEADER_LENGTH; - msg_len += DTLS1_HM_HEADER_LENGTH; - - tls1_finish_mac(s, p, msg_len); - if (s->msg_callback) - s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, p, msg_len, - s, s->msg_callback_arg); - - memset(msg_hdr, 0x00, sizeof(struct hm_header_st)); - - /* Don't change sequence numbers while listening */ - if (!s->d1->listen) - s->d1->handshake_read_seq++; - - s->init_msg = s->init_buf->data + DTLS1_HM_HEADER_LENGTH; - return s->init_num; - -f_err: - ssl3_send_alert(s, SSL3_AL_FATAL, al); - *ok = 0; - return -1; -} - - -static int -dtls1_preprocess_fragment(SSL *s, struct hm_header_st *msg_hdr, int max) -{ - size_t frag_off, frag_len, msg_len; - - msg_len = msg_hdr->msg_len; - frag_off = msg_hdr->frag_off; - frag_len = msg_hdr->frag_len; - - /* sanity checking */ - if ((frag_off + frag_len) > msg_len) { - SSLerr(SSL_F_DTLS1_PREPROCESS_FRAGMENT, - SSL_R_EXCESSIVE_MESSAGE_SIZE); - return SSL_AD_ILLEGAL_PARAMETER; - } - - if ((frag_off + frag_len) > (unsigned long)max) { - SSLerr(SSL_F_DTLS1_PREPROCESS_FRAGMENT, - SSL_R_EXCESSIVE_MESSAGE_SIZE); - return SSL_AD_ILLEGAL_PARAMETER; - } - - if ( s->d1->r_msg_hdr.frag_off == 0) /* first fragment */ - { - /* - * msg_len is limited to 2^24, but is effectively checked - * against max above - */ - if (!BUF_MEM_grow_clean(s->init_buf, - msg_len + DTLS1_HM_HEADER_LENGTH)) { - SSLerr(SSL_F_DTLS1_PREPROCESS_FRAGMENT, ERR_R_BUF_LIB); - return SSL_AD_INTERNAL_ERROR; - } - - s->s3->tmp.message_size = msg_len; - s->d1->r_msg_hdr.msg_len = msg_len; - s->s3->tmp.message_type = msg_hdr->type; - s->d1->r_msg_hdr.type = msg_hdr->type; - s->d1->r_msg_hdr.seq = msg_hdr->seq; - } else if (msg_len != s->d1->r_msg_hdr.msg_len) { - /* - * They must be playing with us! BTW, failure to enforce - * upper limit would open possibility for buffer overrun. - */ - SSLerr(SSL_F_DTLS1_PREPROCESS_FRAGMENT, - SSL_R_EXCESSIVE_MESSAGE_SIZE); - return SSL_AD_ILLEGAL_PARAMETER; - } - - return 0; /* no error */ -} - -static int -dtls1_retrieve_buffered_fragment(SSL *s, long max, int *ok) -{ - /* - * (0) check whether the desired fragment is available - * if so: - * (1) copy over the fragment to s->init_buf->data[] - * (2) update s->init_num - */ - pitem *item; - hm_fragment *frag; - int al; - - *ok = 0; - item = pqueue_peek(s->d1->buffered_messages); - if (item == NULL) - return 0; - - frag = (hm_fragment *)item->data; - - /* Don't return if reassembly still in progress */ - if (frag->reassembly != NULL) - return 0; - - if (s->d1->handshake_read_seq == frag->msg_header.seq) { - unsigned long frag_len = frag->msg_header.frag_len; - pqueue_pop(s->d1->buffered_messages); - - al = dtls1_preprocess_fragment(s, &frag->msg_header, max); - - if (al == 0) /* no alert */ - { - unsigned char *p = (unsigned char *)s->init_buf->data + DTLS1_HM_HEADER_LENGTH; - memcpy(&p[frag->msg_header.frag_off], - frag->fragment, frag->msg_header.frag_len); - } - - dtls1_hm_fragment_free(frag); - pitem_free(item); - - if (al == 0) { - *ok = 1; - return frag_len; - } - - ssl3_send_alert(s, SSL3_AL_FATAL, al); - s->init_num = 0; - *ok = 0; - return -1; - } else - return 0; -} - -/* - * dtls1_max_handshake_message_len returns the maximum number of bytes - * permitted in a DTLS handshake message for |s|. The minimum is 16KB, - * but may be greater if the maximum certificate list size requires it. - */ -static unsigned long -dtls1_max_handshake_message_len(const SSL *s) -{ - unsigned long max_len; - - max_len = DTLS1_HM_HEADER_LENGTH + SSL3_RT_MAX_ENCRYPTED_LENGTH; - if (max_len < (unsigned long)s->max_cert_list) - return s->max_cert_list; - return max_len; -} - -static int -dtls1_reassemble_fragment(SSL *s, struct hm_header_st* msg_hdr, int *ok) -{ - hm_fragment *frag = NULL; - pitem *item = NULL; - int i = -1, is_complete; - unsigned char seq64be[8]; - unsigned long frag_len = msg_hdr->frag_len; - - if ((msg_hdr->frag_off + frag_len) > msg_hdr->msg_len || - msg_hdr->msg_len > dtls1_max_handshake_message_len(s)) - goto err; - - if (frag_len == 0) { - i = DTLS1_HM_FRAGMENT_RETRY; - goto err; - } - - /* Try to find item in queue */ - memset(seq64be, 0, sizeof(seq64be)); - seq64be[6] = (unsigned char)(msg_hdr->seq >> 8); - seq64be[7] = (unsigned char)msg_hdr->seq; - item = pqueue_find(s->d1->buffered_messages, seq64be); - - if (item == NULL) { - frag = dtls1_hm_fragment_new(msg_hdr->msg_len, 1); - if (frag == NULL) - goto err; - memcpy(&(frag->msg_header), msg_hdr, sizeof(*msg_hdr)); - frag->msg_header.frag_len = frag->msg_header.msg_len; - frag->msg_header.frag_off = 0; - } else { - frag = (hm_fragment*)item->data; - if (frag->msg_header.msg_len != msg_hdr->msg_len) { - item = NULL; - frag = NULL; - goto err; - } - } - - /* - * If message is already reassembled, this must be a - * retransmit and can be dropped. - */ - if (frag->reassembly == NULL) { - unsigned char devnull [256]; - - while (frag_len) { - i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, - devnull, frag_len > sizeof(devnull) ? - sizeof(devnull) : frag_len, 0); - if (i <= 0) - goto err; - frag_len -= i; - } - i = DTLS1_HM_FRAGMENT_RETRY; - goto err; - } - - /* read the body of the fragment (header has already been read */ - i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, - frag->fragment + msg_hdr->frag_off, frag_len, 0); - if (i <= 0 || (unsigned long)i != frag_len) - goto err; - - RSMBLY_BITMASK_MARK(frag->reassembly, (long)msg_hdr->frag_off, - (long)(msg_hdr->frag_off + frag_len)); - - RSMBLY_BITMASK_IS_COMPLETE(frag->reassembly, (long)msg_hdr->msg_len, - is_complete); - - if (is_complete) { - free(frag->reassembly); - frag->reassembly = NULL; - } - - if (item == NULL) { - memset(seq64be, 0, sizeof(seq64be)); - seq64be[6] = (unsigned char)(msg_hdr->seq >> 8); - seq64be[7] = (unsigned char)(msg_hdr->seq); - - item = pitem_new(seq64be, frag); - if (item == NULL) { - i = -1; - goto err; - } - - pqueue_insert(s->d1->buffered_messages, item); - } - - return DTLS1_HM_FRAGMENT_RETRY; - -err: - if (item == NULL && frag != NULL) - dtls1_hm_fragment_free(frag); - *ok = 0; - return i; -} - - -static int -dtls1_process_out_of_seq_message(SSL *s, struct hm_header_st* msg_hdr, int *ok) -{ - int i = -1; - hm_fragment *frag = NULL; - pitem *item = NULL; - unsigned char seq64be[8]; - unsigned long frag_len = msg_hdr->frag_len; - - if ((msg_hdr->frag_off + frag_len) > msg_hdr->msg_len) - goto err; - - /* Try to find item in queue, to prevent duplicate entries */ - memset(seq64be, 0, sizeof(seq64be)); - seq64be[6] = (unsigned char) (msg_hdr->seq >> 8); - seq64be[7] = (unsigned char) msg_hdr->seq; - item = pqueue_find(s->d1->buffered_messages, seq64be); - - /* - * If we already have an entry and this one is a fragment, - * don't discard it and rather try to reassemble it. - */ - if (item != NULL && frag_len < msg_hdr->msg_len) - item = NULL; - - /* - * Discard the message if sequence number was already there, is - * too far in the future, already in the queue or if we received - * a FINISHED before the SERVER_HELLO, which then must be a stale - * retransmit. - */ - if (msg_hdr->seq <= s->d1->handshake_read_seq || - msg_hdr->seq > s->d1->handshake_read_seq + 10 || item != NULL || - (s->d1->handshake_read_seq == 0 && - msg_hdr->type == SSL3_MT_FINISHED)) { - unsigned char devnull [256]; - - while (frag_len) { - i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, - devnull, frag_len > sizeof(devnull) ? - sizeof(devnull) : frag_len, 0); - if (i <= 0) - goto err; - frag_len -= i; - } - } else { - if (frag_len < msg_hdr->msg_len) - return dtls1_reassemble_fragment(s, msg_hdr, ok); - - if (frag_len > dtls1_max_handshake_message_len(s)) - goto err; - - frag = dtls1_hm_fragment_new(frag_len, 0); - if (frag == NULL) - goto err; - - memcpy(&(frag->msg_header), msg_hdr, sizeof(*msg_hdr)); - - if (frag_len) { - /* read the body of the fragment (header has already been read */ - i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, - frag->fragment, frag_len, 0); - if (i <= 0 || (unsigned long)i != frag_len) - goto err; - } - - memset(seq64be, 0, sizeof(seq64be)); - seq64be[6] = (unsigned char)(msg_hdr->seq >> 8); - seq64be[7] = (unsigned char)(msg_hdr->seq); - - item = pitem_new(seq64be, frag); - if (item == NULL) - goto err; - - pqueue_insert(s->d1->buffered_messages, item); - } - - return DTLS1_HM_FRAGMENT_RETRY; - -err: - if (item == NULL && frag != NULL) - dtls1_hm_fragment_free(frag); - *ok = 0; - return i; -} - - -static long -dtls1_get_message_fragment(SSL *s, int st1, int stn, long max, int *ok) -{ - unsigned char wire[DTLS1_HM_HEADER_LENGTH]; - unsigned long len, frag_off, frag_len; - int i, al; - struct hm_header_st msg_hdr; - -again: - /* see if we have the required fragment already */ - if ((frag_len = dtls1_retrieve_buffered_fragment(s, max, ok)) || *ok) { - if (*ok) - s->init_num = frag_len; - return frag_len; - } - - /* read handshake message header */ - i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, wire, - DTLS1_HM_HEADER_LENGTH, 0); - if (i <= 0) /* nbio, or an error */ - { - s->rwstate = SSL_READING; - *ok = 0; - return i; - } - /* Handshake fails if message header is incomplete */ - if (i != DTLS1_HM_HEADER_LENGTH || - /* parse the message fragment header */ - dtls1_get_message_header(wire, &msg_hdr) == 0) { - al = SSL_AD_UNEXPECTED_MESSAGE; - SSLerr(SSL_F_DTLS1_GET_MESSAGE_FRAGMENT, - SSL_R_UNEXPECTED_MESSAGE); - goto f_err; - } - - /* - * if this is a future (or stale) message it gets buffered - * (or dropped)--no further processing at this time - * While listening, we accept seq 1 (ClientHello with cookie) - * although we're still expecting seq 0 (ClientHello) - */ - if (msg_hdr.seq != s->d1->handshake_read_seq && - !(s->d1->listen && msg_hdr.seq == 1)) - return dtls1_process_out_of_seq_message(s, &msg_hdr, ok); - - len = msg_hdr.msg_len; - frag_off = msg_hdr.frag_off; - frag_len = msg_hdr.frag_len; - - if (frag_len && frag_len < len) - return dtls1_reassemble_fragment(s, &msg_hdr, ok); - - if (!s->server && s->d1->r_msg_hdr.frag_off == 0 && - wire[0] == SSL3_MT_HELLO_REQUEST) { - /* - * The server may always send 'Hello Request' messages -- - * we are doing a handshake anyway now, so ignore them - * if their format is correct. Does not count for - * 'Finished' MAC. - */ - if (wire[1] == 0 && wire[2] == 0 && wire[3] == 0) { - if (s->msg_callback) - s->msg_callback(0, s->version, - SSL3_RT_HANDSHAKE, wire, - DTLS1_HM_HEADER_LENGTH, s, - s->msg_callback_arg); - - s->init_num = 0; - goto again; - } - else /* Incorrectly formated Hello request */ - { - al = SSL_AD_UNEXPECTED_MESSAGE; - SSLerr(SSL_F_DTLS1_GET_MESSAGE_FRAGMENT, - SSL_R_UNEXPECTED_MESSAGE); - goto f_err; - } - } - - if ((al = dtls1_preprocess_fragment(s, &msg_hdr, max))) - goto f_err; - - /* XDTLS: ressurect this when restart is in place */ - s->state = stn; - - if (frag_len > 0) { - unsigned char *p = (unsigned char *)s->init_buf->data + DTLS1_HM_HEADER_LENGTH; - - i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, - &p[frag_off], frag_len, 0); - /* XDTLS: fix this--message fragments cannot span multiple packets */ - if (i <= 0) { - s->rwstate = SSL_READING; - *ok = 0; - return i; - } - } else - i = 0; - - /* - * XDTLS: an incorrectly formatted fragment should cause the - * handshake to fail - */ - if (i != (int)frag_len) { - al = SSL3_AD_ILLEGAL_PARAMETER; - SSLerr(SSL_F_DTLS1_GET_MESSAGE_FRAGMENT, - SSL3_AD_ILLEGAL_PARAMETER); - goto f_err; - } - - *ok = 1; - - /* - * Note that s->init_num is *not* used as current offset in - * s->init_buf->data, but as a counter summing up fragments' - * lengths: as soon as they sum up to handshake packet - * length, we assume we have got all the fragments. - */ - s->init_num = frag_len; - return frag_len; - -f_err: - ssl3_send_alert(s, SSL3_AL_FATAL, al); - s->init_num = 0; - - *ok = 0; - return (-1); -} - -/* - * for these 2 messages, we need to - * ssl->enc_read_ctx re-init - * ssl->s3->read_sequence zero - * ssl->s3->read_mac_secret re-init - * ssl->session->read_sym_enc assign - * ssl->session->read_hash assign - */ -int -dtls1_send_change_cipher_spec(SSL *s, int a, int b) -{ - unsigned char *p; - - if (s->state == a) { - p = (unsigned char *)s->init_buf->data; - *p++=SSL3_MT_CCS; - s->d1->handshake_write_seq = s->d1->next_handshake_write_seq; - s->init_num = DTLS1_CCS_HEADER_LENGTH; - - s->init_off = 0; - - dtls1_set_message_header_int(s, SSL3_MT_CCS, 0, - s->d1->handshake_write_seq, 0, 0); - - /* buffer the message to handle re-xmits */ - dtls1_buffer_message(s, 1); - - s->state = b; - } - - /* SSL3_ST_CW_CHANGE_B */ - return (dtls1_do_write(s, SSL3_RT_CHANGE_CIPHER_SPEC)); -} - -static int -dtls1_add_cert_to_buf(BUF_MEM *buf, unsigned long *l, X509 *x) -{ - int n; - unsigned char *p; - - n = i2d_X509(x, NULL); - if (!BUF_MEM_grow_clean(buf, n + (*l) + 3)) { - SSLerr(SSL_F_DTLS1_ADD_CERT_TO_BUF, ERR_R_BUF_LIB); - return 0; - } - p = (unsigned char *)&(buf->data[*l]); - l2n3(n, p); - i2d_X509(x, &p); - *l += n + 3; - - return 1; -} - -unsigned long -dtls1_output_cert_chain(SSL *s, X509 *x) -{ - unsigned char *p; - int i; - unsigned long l = 3 + DTLS1_HM_HEADER_LENGTH; - BUF_MEM *buf; - - /* TLSv1 sends a chain with nothing in it, instead of an alert */ - buf = s->init_buf; - if (!BUF_MEM_grow_clean(buf, 10)) { - SSLerr(SSL_F_DTLS1_OUTPUT_CERT_CHAIN, ERR_R_BUF_LIB); - return (0); - } - if (x != NULL) { - X509_STORE_CTX xs_ctx; - - if (!X509_STORE_CTX_init(&xs_ctx, s->ctx->cert_store, - x, NULL)) { - SSLerr(SSL_F_DTLS1_OUTPUT_CERT_CHAIN, ERR_R_X509_LIB); - return (0); - } - - X509_verify_cert(&xs_ctx); - /* Don't leave errors in the queue */ - ERR_clear_error(); - for (i = 0; i < sk_X509_num(xs_ctx.chain); i++) { - x = sk_X509_value(xs_ctx.chain, i); - - if (!dtls1_add_cert_to_buf(buf, &l, x)) { - X509_STORE_CTX_cleanup(&xs_ctx); - return 0; - } - } - X509_STORE_CTX_cleanup(&xs_ctx); - } - /* Thawte special :-) */ - for (i = 0; i < sk_X509_num(s->ctx->extra_certs); i++) { - x = sk_X509_value(s->ctx->extra_certs, i); - if (!dtls1_add_cert_to_buf(buf, &l, x)) - return 0; - } - - l -= (3 + DTLS1_HM_HEADER_LENGTH); - - p = (unsigned char *)&(buf->data[DTLS1_HM_HEADER_LENGTH]); - l2n3(l, p); - l += 3; - p = (unsigned char *)&(buf->data[0]); - p = dtls1_set_message_header(s, p, SSL3_MT_CERTIFICATE, l, 0, l); - - l += DTLS1_HM_HEADER_LENGTH; - return (l); -} - -int -dtls1_read_failed(SSL *s, int code) -{ - if (code > 0) { -#ifdef DEBUG - fprintf(stderr, "invalid state reached %s:%d", - __FILE__, __LINE__); -#endif - return 1; - } - - if (!dtls1_is_timer_expired(s)) { - /* - * not a timeout, none of our business, let higher layers - * handle this. in fact it's probably an error - */ - return code; - } - - if (!SSL_in_init(s)) /* done, no need to send a retransmit */ - { - BIO_set_flags(SSL_get_rbio(s), BIO_FLAGS_READ); - return code; - } - - return dtls1_handle_timeout(s); -} - -int -dtls1_get_queue_priority(unsigned short seq, int is_ccs) -{ - /* - * The index of the retransmission queue actually is the message - * sequence number, since the queue only contains messages of a - * single handshake. However, the ChangeCipherSpec has no message - * sequence number and so using only the sequence will result in - * the CCS and Finished having the same index. To prevent this, the - * sequence number is multiplied by 2. In case of a CCS 1 is - * subtracted. This does not only differ CSS and Finished, it also - * maintains the order of the index (important for priority queues) - * and fits in the unsigned short variable. - */ - return seq * 2 - is_ccs; -} - -int -dtls1_retransmit_buffered_messages(SSL *s) -{ - pqueue sent = s->d1->sent_messages; - piterator iter; - pitem *item; - hm_fragment *frag; - int found = 0; - - iter = pqueue_iterator(sent); - - for (item = pqueue_next(&iter); item != NULL; - item = pqueue_next(&iter)) { - frag = (hm_fragment *)item->data; - if (dtls1_retransmit_message(s, - (unsigned short)dtls1_get_queue_priority( - frag->msg_header.seq, frag->msg_header.is_ccs), 0, - &found) <= 0 && found) { -#ifdef DEBUG - fprintf(stderr, "dtls1_retransmit_message() failed\n"); -#endif - return -1; - } - } - - return 1; -} - -int -dtls1_buffer_message(SSL *s, int is_ccs) -{ - pitem *item; - hm_fragment *frag; - unsigned char seq64be[8]; - - /* Buffer the messsage in order to handle DTLS retransmissions. */ - - /* - * This function is called immediately after a message has - * been serialized - */ - OPENSSL_assert(s->init_off == 0); - - frag = dtls1_hm_fragment_new(s->init_num, 0); - if (frag == NULL) - return 0; - - memcpy(frag->fragment, s->init_buf->data, s->init_num); - - if (is_ccs) { - OPENSSL_assert(s->d1->w_msg_hdr.msg_len + - ((s->version == DTLS1_VERSION) ? - DTLS1_CCS_HEADER_LENGTH : 3) == (unsigned int)s->init_num); - } else { - OPENSSL_assert(s->d1->w_msg_hdr.msg_len + - DTLS1_HM_HEADER_LENGTH == (unsigned int)s->init_num); - } - - frag->msg_header.msg_len = s->d1->w_msg_hdr.msg_len; - frag->msg_header.seq = s->d1->w_msg_hdr.seq; - frag->msg_header.type = s->d1->w_msg_hdr.type; - frag->msg_header.frag_off = 0; - frag->msg_header.frag_len = s->d1->w_msg_hdr.msg_len; - frag->msg_header.is_ccs = is_ccs; - - /* save current state*/ - frag->msg_header.saved_retransmit_state.enc_write_ctx = s->enc_write_ctx; - frag->msg_header.saved_retransmit_state.write_hash = s->write_hash; - frag->msg_header.saved_retransmit_state.session = s->session; - frag->msg_header.saved_retransmit_state.epoch = s->d1->w_epoch; - - memset(seq64be, 0, sizeof(seq64be)); - seq64be[6] = (unsigned char)(dtls1_get_queue_priority( - frag->msg_header.seq, frag->msg_header.is_ccs) >> 8); - seq64be[7] = (unsigned char)(dtls1_get_queue_priority( - frag->msg_header.seq, frag->msg_header.is_ccs)); - - item = pitem_new(seq64be, frag); - if (item == NULL) { - dtls1_hm_fragment_free(frag); - return 0; - } - - pqueue_insert(s->d1->sent_messages, item); - return 1; -} - -int -dtls1_retransmit_message(SSL *s, unsigned short seq, unsigned long frag_off, - int *found) -{ - int ret; - /* XDTLS: for now assuming that read/writes are blocking */ - pitem *item; - hm_fragment *frag; - unsigned long header_length; - unsigned char seq64be[8]; - struct dtls1_retransmit_state saved_state; - unsigned char save_write_sequence[8]; - - /* - OPENSSL_assert(s->init_num == 0); - OPENSSL_assert(s->init_off == 0); - */ - - /* XDTLS: the requested message ought to be found, otherwise error */ - memset(seq64be, 0, sizeof(seq64be)); - seq64be[6] = (unsigned char)(seq >> 8); - seq64be[7] = (unsigned char)seq; - - item = pqueue_find(s->d1->sent_messages, seq64be); - if (item == NULL) { -#ifdef DEBUG - fprintf(stderr, "retransmit: message %d non-existant\n", seq); -#endif - *found = 0; - return 0; - } - - *found = 1; - frag = (hm_fragment *)item->data; - - if (frag->msg_header.is_ccs) - header_length = DTLS1_CCS_HEADER_LENGTH; - else - header_length = DTLS1_HM_HEADER_LENGTH; - - memcpy(s->init_buf->data, frag->fragment, - frag->msg_header.msg_len + header_length); - s->init_num = frag->msg_header.msg_len + header_length; - - dtls1_set_message_header_int(s, frag->msg_header.type, - frag->msg_header.msg_len, frag->msg_header.seq, 0, - frag->msg_header.frag_len); - - /* save current state */ - saved_state.enc_write_ctx = s->enc_write_ctx; - saved_state.write_hash = s->write_hash; - saved_state.session = s->session; - saved_state.epoch = s->d1->w_epoch; - - s->d1->retransmitting = 1; - - /* restore state in which the message was originally sent */ - s->enc_write_ctx = frag->msg_header.saved_retransmit_state.enc_write_ctx; - s->write_hash = frag->msg_header.saved_retransmit_state.write_hash; - s->session = frag->msg_header.saved_retransmit_state.session; - s->d1->w_epoch = frag->msg_header.saved_retransmit_state.epoch; - - if (frag->msg_header.saved_retransmit_state.epoch == - saved_state.epoch - 1) { - memcpy(save_write_sequence, s->s3->write_sequence, - sizeof(s->s3->write_sequence)); - memcpy(s->s3->write_sequence, s->d1->last_write_sequence, - sizeof(s->s3->write_sequence)); - } - - ret = dtls1_do_write(s, frag->msg_header.is_ccs ? - SSL3_RT_CHANGE_CIPHER_SPEC : SSL3_RT_HANDSHAKE); - - /* restore current state */ - s->enc_write_ctx = saved_state.enc_write_ctx; - s->write_hash = saved_state.write_hash; - s->session = saved_state.session; - s->d1->w_epoch = saved_state.epoch; - - if (frag->msg_header.saved_retransmit_state.epoch == - saved_state.epoch - 1) { - memcpy(s->d1->last_write_sequence, s->s3->write_sequence, - sizeof(s->s3->write_sequence)); - memcpy(s->s3->write_sequence, save_write_sequence, - sizeof(s->s3->write_sequence)); - } - - s->d1->retransmitting = 0; - - (void)BIO_flush(SSL_get_wbio(s)); - return ret; -} - -/* call this function when the buffered messages are no longer needed */ -void -dtls1_clear_record_buffer(SSL *s) -{ - pitem *item; - - for(item = pqueue_pop(s->d1->sent_messages); item != NULL; - item = pqueue_pop(s->d1->sent_messages)) { - dtls1_hm_fragment_free((hm_fragment *)item->data); - pitem_free(item); - } -} - -unsigned char * -dtls1_set_message_header(SSL *s, unsigned char *p, unsigned char mt, - unsigned long len, unsigned long frag_off, unsigned long frag_len) -{ - /* Don't change sequence numbers while listening */ - if (frag_off == 0 && !s->d1->listen) { - s->d1->handshake_write_seq = s->d1->next_handshake_write_seq; - s->d1->next_handshake_write_seq++; - } - - dtls1_set_message_header_int(s, mt, len, s->d1->handshake_write_seq, - frag_off, frag_len); - - return p += DTLS1_HM_HEADER_LENGTH; -} - -/* don't actually do the writing, wait till the MTU has been retrieved */ -static void -dtls1_set_message_header_int(SSL *s, unsigned char mt, unsigned long len, - unsigned short seq_num, unsigned long frag_off, unsigned long frag_len) -{ - struct hm_header_st *msg_hdr = &s->d1->w_msg_hdr; - - msg_hdr->type = mt; - msg_hdr->msg_len = len; - msg_hdr->seq = seq_num; - msg_hdr->frag_off = frag_off; - msg_hdr->frag_len = frag_len; -} - -static void -dtls1_fix_message_header(SSL *s, unsigned long frag_off, unsigned long frag_len) -{ - struct hm_header_st *msg_hdr = &s->d1->w_msg_hdr; - - msg_hdr->frag_off = frag_off; - msg_hdr->frag_len = frag_len; -} - -static unsigned char * -dtls1_write_message_header(SSL *s, unsigned char *p) -{ - struct hm_header_st *msg_hdr = &s->d1->w_msg_hdr; - - *p++ = msg_hdr->type; - l2n3(msg_hdr->msg_len, p); - - s2n(msg_hdr->seq, p); - l2n3(msg_hdr->frag_off, p); - l2n3(msg_hdr->frag_len, p); - - return p; -} - -unsigned int -dtls1_min_mtu(void) -{ - return (g_probable_mtu[(sizeof(g_probable_mtu) / - sizeof(g_probable_mtu[0])) - 1]); -} - -static unsigned int -dtls1_guess_mtu(unsigned int curr_mtu) -{ - unsigned int i; - - if (curr_mtu == 0) - return g_probable_mtu[0]; - - for (i = 0; i < sizeof(g_probable_mtu) / sizeof(g_probable_mtu[0]); i++) - if (curr_mtu > g_probable_mtu[i]) - return g_probable_mtu[i]; - - return curr_mtu; -} - -int -dtls1_get_message_header(unsigned char *data, struct hm_header_st *msg_hdr) -{ - CBS header; - uint32_t msg_len, frag_off, frag_len; - uint16_t seq; - uint8_t type; - - CBS_init(&header, data, sizeof(*msg_hdr)); - - memset(msg_hdr, 0, sizeof(*msg_hdr)); - - if (!CBS_get_u8(&header, &type)) - return 0; - if (!CBS_get_u24(&header, &msg_len)) - return 0; - if (!CBS_get_u16(&header, &seq)) - return 0; - if (!CBS_get_u24(&header, &frag_off)) - return 0; - if (!CBS_get_u24(&header, &frag_len)) - return 0; - - msg_hdr->type = type; - msg_hdr->msg_len = msg_len; - msg_hdr->seq = seq; - msg_hdr->frag_off = frag_off; - msg_hdr->frag_len = frag_len; - - return 1; -} - -void -dtls1_get_ccs_header(unsigned char *data, struct ccs_header_st *ccs_hdr) -{ - memset(ccs_hdr, 0x00, sizeof(struct ccs_header_st)); - - ccs_hdr->type = *(data++); -} - -int -dtls1_shutdown(SSL *s) -{ - int ret; - - ret = ssl3_shutdown(s); - return ret; -} diff --git a/lib/libssl/src/ssl/d1_clnt.c b/lib/libssl/src/ssl/d1_clnt.c deleted file mode 100644 index e018874f0da..00000000000 --- a/lib/libssl/src/ssl/d1_clnt.c +++ /dev/null @@ -1,724 +0,0 @@ -/* $OpenBSD: d1_clnt.c,v 1.56 2016/03/11 07:08:45 mmcc Exp $ */ -/* - * DTLS implementation written by Nagendra Modadugu - * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. - */ -/* ==================================================================== - * Copyright (c) 1999-2007 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * openssl-core@OpenSSL.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ -/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) - * All rights reserved. - * - * This package is an SSL implementation written - * by Eric Young (eay@cryptsoft.com). - * The implementation was written so as to conform with Netscapes SSL. - * - * This library is free for commercial and non-commercial use as long as - * the following conditions are aheared to. The following conditions - * apply to all code found in this distribution, be it the RC4, RSA, - * lhash, DES, etc., code; not just the SSL code. The SSL documentation - * included with this distribution is covered by the same copyright terms - * except that the holder is Tim Hudson (tjh@cryptsoft.com). - * - * Copyright remains Eric Young's, and as such any Copyright notices in - * the code are not to be removed. - * If this package is used in a product, Eric Young should be given attribution - * as the author of the parts of the library used. - * This can be in the form of a textual message at program startup or - * in documentation (online or textual) provided with the package. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * "This product includes cryptographic software written by - * Eric Young (eay@cryptsoft.com)" - * The word 'cryptographic' can be left out if the rouines from the library - * being used are not cryptographic related :-). - * 4. If you include any Windows specific code (or a derivative thereof) from - * the apps directory (application code) you must include an acknowledgement: - * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" - * - * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * The licence and distribution terms for any publically available version or - * derivative of this code cannot be changed. i.e. this code cannot simply be - * copied and put under another distribution licence - * [including the GNU Public Licence.] - */ - -#include <limits.h> -#include <stdio.h> - -#include "ssl_locl.h" - -#include <openssl/bn.h> -#include <openssl/buffer.h> -#include <openssl/dh.h> -#include <openssl/evp.h> -#include <openssl/md5.h> -#include <openssl/objects.h> - -#include "bytestring.h" - -static const SSL_METHOD *dtls1_get_client_method(int ver); -static int dtls1_get_hello_verify(SSL *s); - -const SSL_METHOD DTLSv1_client_method_data = { - .version = DTLS1_VERSION, - .ssl_new = dtls1_new, - .ssl_clear = dtls1_clear, - .ssl_free = dtls1_free, - .ssl_accept = ssl_undefined_function, - .ssl_connect = dtls1_connect, - .ssl_read = ssl3_read, - .ssl_peek = ssl3_peek, - .ssl_write = ssl3_write, - .ssl_shutdown = dtls1_shutdown, - .ssl_renegotiate = ssl3_renegotiate, - .ssl_renegotiate_check = ssl3_renegotiate_check, - .ssl_get_message = dtls1_get_message, - .ssl_read_bytes = dtls1_read_bytes, - .ssl_write_bytes = dtls1_write_app_data_bytes, - .ssl_dispatch_alert = dtls1_dispatch_alert, - .ssl_ctrl = dtls1_ctrl, - .ssl_ctx_ctrl = ssl3_ctx_ctrl, - .get_cipher_by_char = ssl3_get_cipher_by_char, - .put_cipher_by_char = ssl3_put_cipher_by_char, - .ssl_pending = ssl3_pending, - .num_ciphers = ssl3_num_ciphers, - .get_cipher = dtls1_get_cipher, - .get_ssl_method = dtls1_get_client_method, - .get_timeout = dtls1_default_timeout, - .ssl3_enc = &DTLSv1_enc_data, - .ssl_version = ssl_undefined_void_function, - .ssl_callback_ctrl = ssl3_callback_ctrl, - .ssl_ctx_callback_ctrl = ssl3_ctx_callback_ctrl, -}; - -const SSL_METHOD * -DTLSv1_client_method(void) -{ - return &DTLSv1_client_method_data; -} - -static const SSL_METHOD * -dtls1_get_client_method(int ver) -{ - if (ver == DTLS1_VERSION) - return (DTLSv1_client_method()); - return (NULL); -} - -int -dtls1_connect(SSL *s) -{ - void (*cb)(const SSL *ssl, int type, int val) = NULL; - int ret = -1; - int new_state, state, skip = 0; - - ERR_clear_error(); - errno = 0; - - if (s->info_callback != NULL) - cb = s->info_callback; - else if (s->ctx->info_callback != NULL) - cb = s->ctx->info_callback; - - s->in_handshake++; - if (!SSL_in_init(s) || SSL_in_before(s)) - SSL_clear(s); - - - for (;;) { - state = s->state; - - switch (s->state) { - case SSL_ST_RENEGOTIATE: - s->renegotiate = 1; - s->state = SSL_ST_CONNECT; - s->ctx->stats.sess_connect_renegotiate++; - /* break */ - case SSL_ST_BEFORE: - case SSL_ST_CONNECT: - case SSL_ST_BEFORE|SSL_ST_CONNECT: - case SSL_ST_OK|SSL_ST_CONNECT: - - s->server = 0; - if (cb != NULL) - cb(s, SSL_CB_HANDSHAKE_START, 1); - - if ((s->version & 0xff00 ) != (DTLS1_VERSION & 0xff00)) { - SSLerr(SSL_F_DTLS1_CONNECT, - ERR_R_INTERNAL_ERROR); - ret = -1; - goto end; - } - - /* s->version=SSL3_VERSION; */ - s->type = SSL_ST_CONNECT; - - if (!ssl3_setup_init_buffer(s)) { - ret = -1; - goto end; - } - if (!ssl3_setup_buffers(s)) { - ret = -1; - goto end; - } - if (!ssl_init_wbio_buffer(s, 0)) { - ret = -1; - goto end; - } - - /* don't push the buffering BIO quite yet */ - - s->state = SSL3_ST_CW_CLNT_HELLO_A; - s->ctx->stats.sess_connect++; - s->init_num = 0; - /* mark client_random uninitialized */ - memset(s->s3->client_random, 0, - sizeof(s->s3->client_random)); - s->d1->send_cookie = 0; - s->hit = 0; - break; - - - case SSL3_ST_CW_CLNT_HELLO_A: - case SSL3_ST_CW_CLNT_HELLO_B: - - s->shutdown = 0; - - /* every DTLS ClientHello resets Finished MAC */ - if (!tls1_init_finished_mac(s)) { - ret = -1; - goto end; - } - - dtls1_start_timer(s); - ret = ssl3_client_hello(s); - if (ret <= 0) - goto end; - - if (s->d1->send_cookie) { - s->state = SSL3_ST_CW_FLUSH; - s->s3->tmp.next_state = SSL3_ST_CR_SRVR_HELLO_A; - } else - s->state = SSL3_ST_CR_SRVR_HELLO_A; - - s->init_num = 0; - - /* turn on buffering for the next lot of output */ - if (s->bbio != s->wbio) - s->wbio = BIO_push(s->bbio, s->wbio); - - break; - - case SSL3_ST_CR_SRVR_HELLO_A: - case SSL3_ST_CR_SRVR_HELLO_B: - ret = ssl3_get_server_hello(s); - if (ret <= 0) - goto end; - else { - if (s->hit) { - - s->state = SSL3_ST_CR_FINISHED_A; - } else - s->state = DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A; - } - s->init_num = 0; - break; - - case DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A: - case DTLS1_ST_CR_HELLO_VERIFY_REQUEST_B: - - ret = dtls1_get_hello_verify(s); - if (ret <= 0) - goto end; - dtls1_stop_timer(s); - if ( s->d1->send_cookie) /* start again, with a cookie */ - s->state = SSL3_ST_CW_CLNT_HELLO_A; - else - s->state = SSL3_ST_CR_CERT_A; - s->init_num = 0; - break; - - case SSL3_ST_CR_CERT_A: - case SSL3_ST_CR_CERT_B: - ret = ssl3_check_finished(s); - if (ret <= 0) - goto end; - if (ret == 2) { - s->hit = 1; - if (s->tlsext_ticket_expected) - s->state = SSL3_ST_CR_SESSION_TICKET_A; - else - s->state = SSL3_ST_CR_FINISHED_A; - s->init_num = 0; - break; - } - /* Check if it is anon DH. */ - if (!(s->s3->tmp.new_cipher->algorithm_auth & - SSL_aNULL)) { - ret = ssl3_get_server_certificate(s); - if (ret <= 0) - goto end; - if (s->tlsext_status_expected) - s->state = SSL3_ST_CR_CERT_STATUS_A; - else - s->state = SSL3_ST_CR_KEY_EXCH_A; - } else { - skip = 1; - s->state = SSL3_ST_CR_KEY_EXCH_A; - } - s->init_num = 0; - break; - - case SSL3_ST_CR_KEY_EXCH_A: - case SSL3_ST_CR_KEY_EXCH_B: - ret = ssl3_get_key_exchange(s); - if (ret <= 0) - goto end; - s->state = SSL3_ST_CR_CERT_REQ_A; - s->init_num = 0; - - /* at this point we check that we have the - * required stuff from the server */ - if (!ssl3_check_cert_and_algorithm(s)) { - ret = -1; - goto end; - } - break; - - case SSL3_ST_CR_CERT_REQ_A: - case SSL3_ST_CR_CERT_REQ_B: - ret = ssl3_get_certificate_request(s); - if (ret <= 0) - goto end; - s->state = SSL3_ST_CR_SRVR_DONE_A; - s->init_num = 0; - break; - - case SSL3_ST_CR_SRVR_DONE_A: - case SSL3_ST_CR_SRVR_DONE_B: - ret = ssl3_get_server_done(s); - if (ret <= 0) - goto end; - dtls1_stop_timer(s); - if (s->s3->tmp.cert_req) - s->s3->tmp.next_state = SSL3_ST_CW_CERT_A; - else - s->s3->tmp.next_state = SSL3_ST_CW_KEY_EXCH_A; - s->init_num = 0; - s->state = s->s3->tmp.next_state; - break; - - case SSL3_ST_CW_CERT_A: - case SSL3_ST_CW_CERT_B: - case SSL3_ST_CW_CERT_C: - case SSL3_ST_CW_CERT_D: - dtls1_start_timer(s); - ret = dtls1_send_client_certificate(s); - if (ret <= 0) - goto end; - s->state = SSL3_ST_CW_KEY_EXCH_A; - s->init_num = 0; - break; - - case SSL3_ST_CW_KEY_EXCH_A: - case SSL3_ST_CW_KEY_EXCH_B: - dtls1_start_timer(s); - ret = ssl3_send_client_key_exchange(s); - if (ret <= 0) - goto end; - - /* EAY EAY EAY need to check for DH fix cert - * sent back */ - /* For TLS, cert_req is set to 2, so a cert chain - * of nothing is sent, but no verify packet is sent */ - if (s->s3->tmp.cert_req == 1) { - s->state = SSL3_ST_CW_CERT_VRFY_A; - } else { - s->state = SSL3_ST_CW_CHANGE_A; - s->s3->change_cipher_spec = 0; - } - - s->init_num = 0; - break; - - case SSL3_ST_CW_CERT_VRFY_A: - case SSL3_ST_CW_CERT_VRFY_B: - dtls1_start_timer(s); - ret = ssl3_send_client_verify(s); - if (ret <= 0) - goto end; - s->state = SSL3_ST_CW_CHANGE_A; - s->init_num = 0; - s->s3->change_cipher_spec = 0; - break; - - case SSL3_ST_CW_CHANGE_A: - case SSL3_ST_CW_CHANGE_B: - if (!s->hit) - dtls1_start_timer(s); - ret = dtls1_send_change_cipher_spec(s, - SSL3_ST_CW_CHANGE_A, SSL3_ST_CW_CHANGE_B); - if (ret <= 0) - goto end; - - s->state = SSL3_ST_CW_FINISHED_A; - s->init_num = 0; - - s->session->cipher = s->s3->tmp.new_cipher; - if (!s->method->ssl3_enc->setup_key_block(s)) { - ret = -1; - goto end; - } - - if (!s->method->ssl3_enc->change_cipher_state(s, - SSL3_CHANGE_CIPHER_CLIENT_WRITE)) { - ret = -1; - goto end; - } - - - dtls1_reset_seq_numbers(s, SSL3_CC_WRITE); - break; - - case SSL3_ST_CW_FINISHED_A: - case SSL3_ST_CW_FINISHED_B: - if (!s->hit) - dtls1_start_timer(s); - ret = ssl3_send_finished(s, - SSL3_ST_CW_FINISHED_A, SSL3_ST_CW_FINISHED_B, - s->method->ssl3_enc->client_finished_label, - s->method->ssl3_enc->client_finished_label_len); - if (ret <= 0) - goto end; - s->state = SSL3_ST_CW_FLUSH; - - /* clear flags */ - s->s3->flags&= ~SSL3_FLAGS_POP_BUFFER; - if (s->hit) { - s->s3->tmp.next_state = SSL_ST_OK; - if (s->s3->flags & SSL3_FLAGS_DELAY_CLIENT_FINISHED) { - s->state = SSL_ST_OK; - s->s3->flags |= SSL3_FLAGS_POP_BUFFER; - s->s3->delay_buf_pop_ret = 0; - } - } else { - - /* Allow NewSessionTicket if ticket expected */ - if (s->tlsext_ticket_expected) - s->s3->tmp.next_state = - SSL3_ST_CR_SESSION_TICKET_A; - else - s->s3->tmp.next_state = - SSL3_ST_CR_FINISHED_A; - } - s->init_num = 0; - break; - - case SSL3_ST_CR_SESSION_TICKET_A: - case SSL3_ST_CR_SESSION_TICKET_B: - ret = ssl3_get_new_session_ticket(s); - if (ret <= 0) - goto end; - s->state = SSL3_ST_CR_FINISHED_A; - s->init_num = 0; - break; - - case SSL3_ST_CR_CERT_STATUS_A: - case SSL3_ST_CR_CERT_STATUS_B: - ret = ssl3_get_cert_status(s); - if (ret <= 0) - goto end; - s->state = SSL3_ST_CR_KEY_EXCH_A; - s->init_num = 0; - break; - - case SSL3_ST_CR_FINISHED_A: - case SSL3_ST_CR_FINISHED_B: - s->d1->change_cipher_spec_ok = 1; - ret = ssl3_get_finished(s, SSL3_ST_CR_FINISHED_A, - SSL3_ST_CR_FINISHED_B); - if (ret <= 0) - goto end; - dtls1_stop_timer(s); - - if (s->hit) - s->state = SSL3_ST_CW_CHANGE_A; - else - s->state = SSL_ST_OK; - - - s->init_num = 0; - break; - - case SSL3_ST_CW_FLUSH: - s->rwstate = SSL_WRITING; - if (BIO_flush(s->wbio) <= 0) { - /* If the write error was fatal, stop trying */ - if (!BIO_should_retry(s->wbio)) { - s->rwstate = SSL_NOTHING; - s->state = s->s3->tmp.next_state; - } - - ret = -1; - goto end; - } - s->rwstate = SSL_NOTHING; - s->state = s->s3->tmp.next_state; - break; - - case SSL_ST_OK: - /* clean a few things up */ - tls1_cleanup_key_block(s); - - /* If we are not 'joining' the last two packets, - * remove the buffering now */ - if (!(s->s3->flags & SSL3_FLAGS_POP_BUFFER)) - ssl_free_wbio_buffer(s); - /* else do it later in ssl3_write */ - - s->init_num = 0; - s->renegotiate = 0; - s->new_session = 0; - - ssl_update_cache(s, SSL_SESS_CACHE_CLIENT); - if (s->hit) - s->ctx->stats.sess_hit++; - - ret = 1; - /* s->server=0; */ - s->handshake_func = dtls1_connect; - s->ctx->stats.sess_connect_good++; - - if (cb != NULL) - cb(s, SSL_CB_HANDSHAKE_DONE, 1); - - /* done with handshaking */ - s->d1->handshake_read_seq = 0; - s->d1->next_handshake_write_seq = 0; - goto end; - /* break; */ - - default: - SSLerr(SSL_F_DTLS1_CONNECT, SSL_R_UNKNOWN_STATE); - ret = -1; - goto end; - /* break; */ - } - - /* did we do anything */ - if (!s->s3->tmp.reuse_message && !skip) { - if (s->debug) { - if ((ret = BIO_flush(s->wbio)) <= 0) - goto end; - } - - if ((cb != NULL) && (s->state != state)) { - new_state = s->state; - s->state = state; - cb(s, SSL_CB_CONNECT_LOOP, 1); - s->state = new_state; - } - } - skip = 0; - } - -end: - s->in_handshake--; - if (cb != NULL) - cb(s, SSL_CB_CONNECT_EXIT, ret); - - return (ret); -} - -static int -dtls1_get_hello_verify(SSL *s) -{ - long n; - int al, ok = 0; - size_t cookie_len; - uint16_t ssl_version; - CBS hello_verify_request, cookie; - - n = s->method->ssl_get_message(s, DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A, - DTLS1_ST_CR_HELLO_VERIFY_REQUEST_B, -1, s->max_cert_list, &ok); - - if (!ok) - return ((int)n); - - if (s->s3->tmp.message_type != DTLS1_MT_HELLO_VERIFY_REQUEST) { - s->d1->send_cookie = 0; - s->s3->tmp.reuse_message = 1; - return (1); - } - - if (n < 0) - goto truncated; - - CBS_init(&hello_verify_request, s->init_msg, n); - - if (!CBS_get_u16(&hello_verify_request, &ssl_version)) - goto truncated; - - if (ssl_version != s->version) { - SSLerr(SSL_F_DTLS1_GET_HELLO_VERIFY, SSL_R_WRONG_SSL_VERSION); - s->version = (s->version & 0xff00) | (ssl_version & 0xff); - al = SSL_AD_PROTOCOL_VERSION; - goto f_err; - } - - if (!CBS_get_u8_length_prefixed(&hello_verify_request, &cookie)) - goto truncated; - - if (!CBS_write_bytes(&cookie, s->d1->cookie, - sizeof(s->d1->cookie), &cookie_len)) { - s->d1->cookie_len = 0; - al = SSL_AD_ILLEGAL_PARAMETER; - goto f_err; - } - s->d1->cookie_len = cookie_len; - s->d1->send_cookie = 1; - - return 1; - -truncated: - al = SSL_AD_DECODE_ERROR; -f_err: - ssl3_send_alert(s, SSL3_AL_FATAL, al); - return -1; -} - -int -dtls1_send_client_certificate(SSL *s) -{ - X509 *x509 = NULL; - EVP_PKEY *pkey = NULL; - int i; - unsigned long l; - - if (s->state == SSL3_ST_CW_CERT_A) { - if ((s->cert == NULL) || (s->cert->key->x509 == NULL) || - (s->cert->key->privatekey == NULL)) - s->state = SSL3_ST_CW_CERT_B; - else - s->state = SSL3_ST_CW_CERT_C; - } - - /* We need to get a client cert */ - if (s->state == SSL3_ST_CW_CERT_B) { - /* If we get an error, we need to - * ssl->rwstate=SSL_X509_LOOKUP; return(-1); - * We then get retied later */ - i = 0; - i = ssl_do_client_cert_cb(s, &x509, &pkey); - if (i < 0) { - s->rwstate = SSL_X509_LOOKUP; - return (-1); - } - s->rwstate = SSL_NOTHING; - if ((i == 1) && (pkey != NULL) && (x509 != NULL)) { - s->state = SSL3_ST_CW_CERT_B; - if (!SSL_use_certificate(s, x509) || - !SSL_use_PrivateKey(s, pkey)) - i = 0; - } else if (i == 1) { - i = 0; - SSLerr(SSL_F_DTLS1_SEND_CLIENT_CERTIFICATE, - SSL_R_BAD_DATA_RETURNED_BY_CALLBACK); - } - - X509_free(x509); - EVP_PKEY_free(pkey); - if (i == 0) - s->s3->tmp.cert_req = 2; - - /* Ok, we have a cert */ - s->state = SSL3_ST_CW_CERT_C; - } - - if (s->state == SSL3_ST_CW_CERT_C) { - s->state = SSL3_ST_CW_CERT_D; - l = dtls1_output_cert_chain(s, - (s->s3->tmp.cert_req == 2) ? NULL : s->cert->key->x509); - s->init_num = (int)l; - s->init_off = 0; - - /* set header called by dtls1_output_cert_chain() */ - - /* buffer the message to handle re-xmits */ - dtls1_buffer_message(s, 0); - } - - /* SSL3_ST_CW_CERT_D */ - return (dtls1_do_write(s, SSL3_RT_HANDSHAKE)); -} diff --git a/lib/libssl/src/ssl/d1_enc.c b/lib/libssl/src/ssl/d1_enc.c deleted file mode 100644 index 8445ceb10f7..00000000000 --- a/lib/libssl/src/ssl/d1_enc.c +++ /dev/null @@ -1,212 +0,0 @@ -/* $OpenBSD: d1_enc.c,v 1.11 2016/03/06 14:52:15 beck Exp $ */ -/* - * DTLS implementation written by Nagendra Modadugu - * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. - */ -/* ==================================================================== - * Copyright (c) 1998-2005 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * openssl-core@openssl.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.openssl.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ -/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) - * All rights reserved. - * - * This package is an SSL implementation written - * by Eric Young (eay@cryptsoft.com). - * The implementation was written so as to conform with Netscapes SSL. - * - * This library is free for commercial and non-commercial use as long as - * the following conditions are aheared to. The following conditions - * apply to all code found in this distribution, be it the RC4, RSA, - * lhash, DES, etc., code; not just the SSL code. The SSL documentation - * included with this distribution is covered by the same copyright terms - * except that the holder is Tim Hudson (tjh@cryptsoft.com). - * - * Copyright remains Eric Young's, and as such any Copyright notices in - * the code are not to be removed. - * If this package is used in a product, Eric Young should be given attribution - * as the author of the parts of the library used. - * This can be in the form of a textual message at program startup or - * in documentation (online or textual) provided with the package. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * "This product includes cryptographic software written by - * Eric Young (eay@cryptsoft.com)" - * The word 'cryptographic' can be left out if the rouines from the library - * being used are not cryptographic related :-). - * 4. If you include any Windows specific code (or a derivative thereof) from - * the apps directory (application code) you must include an acknowledgement: - * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" - * - * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * The licence and distribution terms for any publically available version or - * derivative of this code cannot be changed. i.e. this code cannot simply be - * copied and put under another distribution licence - * [including the GNU Public Licence.] - */ - -#include <stdio.h> - -#include "ssl_locl.h" - -#include <openssl/evp.h> -#include <openssl/hmac.h> -#include <openssl/md5.h> - -/* dtls1_enc encrypts/decrypts the record in |s->wrec| / |s->rrec|, respectively. - * - * Returns: - * 0: (in non-constant time) if the record is publically invalid (i.e. too - * short etc). - * 1: if the record's padding is valid / the encryption was successful. - * -1: if the record's padding/AEAD-authenticator is invalid or, if sending, - * an internal error occured. */ -int -dtls1_enc(SSL *s, int send) -{ - SSL3_RECORD *rec; - EVP_CIPHER_CTX *ds; - unsigned long l; - int bs, i, j, k, mac_size = 0; - const EVP_CIPHER *enc; - - if (send) { - if (EVP_MD_CTX_md(s->write_hash)) { - mac_size = EVP_MD_CTX_size(s->write_hash); - if (mac_size < 0) - return -1; - } - ds = s->enc_write_ctx; - rec = &(s->s3->wrec); - if (s->enc_write_ctx == NULL) - enc = NULL; - else { - enc = EVP_CIPHER_CTX_cipher(s->enc_write_ctx); - if (rec->data != rec->input) { -#ifdef DEBUG - /* we can't write into the input stream */ - fprintf(stderr, "%s:%d: rec->data != rec->input\n", - __FILE__, __LINE__); -#endif - } else if (EVP_CIPHER_block_size(ds->cipher) > 1) { - arc4random_buf(rec->input, - EVP_CIPHER_block_size(ds->cipher)); - } - } - } else { - if (EVP_MD_CTX_md(s->read_hash)) { - mac_size = EVP_MD_CTX_size(s->read_hash); - OPENSSL_assert(mac_size >= 0); - } - ds = s->enc_read_ctx; - rec = &(s->s3->rrec); - if (s->enc_read_ctx == NULL) - enc = NULL; - else - enc = EVP_CIPHER_CTX_cipher(s->enc_read_ctx); - } - - - if ((s->session == NULL) || (ds == NULL) || (enc == NULL)) { - memmove(rec->data, rec->input, rec->length); - rec->input = rec->data; - } else { - l = rec->length; - bs = EVP_CIPHER_block_size(ds->cipher); - - if ((bs != 1) && send) { - i = bs - ((int)l % bs); - - /* Add weird padding of upto 256 bytes */ - - /* we need to add 'i' padding bytes of value j */ - j = i - 1; - for (k = (int)l; k < (int)(l + i); k++) - rec->input[k] = j; - l += i; - rec->length += i; - } - - - if (!send) { - if (l == 0 || l % bs != 0) - return 0; - } - - EVP_Cipher(ds, rec->data, rec->input, l); - - - if ((bs != 1) && !send) - return tls1_cbc_remove_padding(s, rec, bs, mac_size); - } - return (1); -} - diff --git a/lib/libssl/src/ssl/d1_lib.c b/lib/libssl/src/ssl/d1_lib.c deleted file mode 100644 index 23a7021d356..00000000000 --- a/lib/libssl/src/ssl/d1_lib.c +++ /dev/null @@ -1,468 +0,0 @@ -/* $OpenBSD: d1_lib.c,v 1.33 2016/02/29 06:48:03 mmcc Exp $ */ -/* - * DTLS implementation written by Nagendra Modadugu - * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. - */ -/* ==================================================================== - * Copyright (c) 1999-2005 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * openssl-core@OpenSSL.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ - -#include <sys/types.h> -#include <sys/socket.h> -#include <sys/time.h> - -#include <netinet/in.h> - -#include <stdio.h> - -#include <openssl/objects.h> - -#include "pqueue.h" -#include "ssl_locl.h" - -int dtls1_listen(SSL *s, struct sockaddr *client); - -SSL3_ENC_METHOD DTLSv1_enc_data = { - .enc = dtls1_enc, - .mac = tls1_mac, - .setup_key_block = tls1_setup_key_block, - .generate_master_secret = tls1_generate_master_secret, - .change_cipher_state = tls1_change_cipher_state, - .final_finish_mac = tls1_final_finish_mac, - .finish_mac_length = TLS1_FINISH_MAC_LENGTH, - .cert_verify_mac = tls1_cert_verify_mac, - .client_finished_label = TLS_MD_CLIENT_FINISH_CONST, - .client_finished_label_len = TLS_MD_CLIENT_FINISH_CONST_SIZE, - .server_finished_label = TLS_MD_SERVER_FINISH_CONST, - .server_finished_label_len = TLS_MD_SERVER_FINISH_CONST_SIZE, - .alert_value = tls1_alert_code, - .export_keying_material = tls1_export_keying_material, - .enc_flags = SSL_ENC_FLAG_DTLS|SSL_ENC_FLAG_EXPLICIT_IV, -}; - -long -dtls1_default_timeout(void) -{ - /* 2 hours, the 24 hours mentioned in the DTLSv1 spec - * is way too long for http, the cache would over fill */ - return (60*60*2); -} - -int -dtls1_new(SSL *s) -{ - DTLS1_STATE *d1; - - if (!ssl3_new(s)) - return (0); - if ((d1 = calloc(1, sizeof *d1)) == NULL) { - ssl3_free(s); - return (0); - } - - /* d1->handshake_epoch=0; */ - - d1->unprocessed_rcds.q = pqueue_new(); - d1->processed_rcds.q = pqueue_new(); - d1->buffered_messages = pqueue_new(); - d1->sent_messages = pqueue_new(); - d1->buffered_app_data.q = pqueue_new(); - - if (s->server) { - d1->cookie_len = sizeof(s->d1->cookie); - } - - if (!d1->unprocessed_rcds.q || !d1->processed_rcds.q || - !d1->buffered_messages || !d1->sent_messages || - !d1->buffered_app_data.q) { - pqueue_free(d1->unprocessed_rcds.q); - pqueue_free(d1->processed_rcds.q); - pqueue_free(d1->buffered_messages); - pqueue_free(d1->sent_messages); - pqueue_free(d1->buffered_app_data.q); - free(d1); - ssl3_free(s); - return (0); - } - - s->d1 = d1; - s->method->ssl_clear(s); - return (1); -} - -static void -dtls1_clear_queues(SSL *s) -{ - pitem *item = NULL; - hm_fragment *frag = NULL; - DTLS1_RECORD_DATA *rdata; - - while ((item = pqueue_pop(s->d1->unprocessed_rcds.q)) != NULL) { - rdata = (DTLS1_RECORD_DATA *) item->data; - free(rdata->rbuf.buf); - free(item->data); - pitem_free(item); - } - - while ((item = pqueue_pop(s->d1->processed_rcds.q)) != NULL) { - rdata = (DTLS1_RECORD_DATA *) item->data; - free(rdata->rbuf.buf); - free(item->data); - pitem_free(item); - } - - while ((item = pqueue_pop(s->d1->buffered_messages)) != NULL) { - frag = (hm_fragment *)item->data; - free(frag->fragment); - free(frag); - pitem_free(item); - } - - while ((item = pqueue_pop(s->d1->sent_messages)) != NULL) { - frag = (hm_fragment *)item->data; - free(frag->fragment); - free(frag); - pitem_free(item); - } - - while ((item = pqueue_pop(s->d1->buffered_app_data.q)) != NULL) { - rdata = (DTLS1_RECORD_DATA *) item->data; - free(rdata->rbuf.buf); - free(item->data); - pitem_free(item); - } -} - -void -dtls1_free(SSL *s) -{ - if (s == NULL) - return; - - ssl3_free(s); - - dtls1_clear_queues(s); - - pqueue_free(s->d1->unprocessed_rcds.q); - pqueue_free(s->d1->processed_rcds.q); - pqueue_free(s->d1->buffered_messages); - pqueue_free(s->d1->sent_messages); - pqueue_free(s->d1->buffered_app_data.q); - - explicit_bzero(s->d1, sizeof *s->d1); - free(s->d1); - s->d1 = NULL; -} - -void -dtls1_clear(SSL *s) -{ - pqueue unprocessed_rcds; - pqueue processed_rcds; - pqueue buffered_messages; - pqueue sent_messages; - pqueue buffered_app_data; - unsigned int mtu; - - if (s->d1) { - unprocessed_rcds = s->d1->unprocessed_rcds.q; - processed_rcds = s->d1->processed_rcds.q; - buffered_messages = s->d1->buffered_messages; - sent_messages = s->d1->sent_messages; - buffered_app_data = s->d1->buffered_app_data.q; - mtu = s->d1->mtu; - - dtls1_clear_queues(s); - - memset(s->d1, 0, sizeof(*(s->d1))); - - if (s->server) { - s->d1->cookie_len = sizeof(s->d1->cookie); - } - - if (SSL_get_options(s) & SSL_OP_NO_QUERY_MTU) { - s->d1->mtu = mtu; - } - - s->d1->unprocessed_rcds.q = unprocessed_rcds; - s->d1->processed_rcds.q = processed_rcds; - s->d1->buffered_messages = buffered_messages; - s->d1->sent_messages = sent_messages; - s->d1->buffered_app_data.q = buffered_app_data; - } - - ssl3_clear(s); - - s->version = DTLS1_VERSION; -} - -long -dtls1_ctrl(SSL *s, int cmd, long larg, void *parg) -{ - int ret = 0; - - switch (cmd) { - case DTLS_CTRL_GET_TIMEOUT: - if (dtls1_get_timeout(s, (struct timeval*) parg) != NULL) { - ret = 1; - } - break; - case DTLS_CTRL_HANDLE_TIMEOUT: - ret = dtls1_handle_timeout(s); - break; - case DTLS_CTRL_LISTEN: - ret = dtls1_listen(s, parg); - break; - - default: - ret = ssl3_ctrl(s, cmd, larg, parg); - break; - } - return (ret); -} - -/* - * As it's impossible to use stream ciphers in "datagram" mode, this - * simple filter is designed to disengage them in DTLS. Unfortunately - * there is no universal way to identify stream SSL_CIPHER, so we have - * to explicitly list their SSL_* codes. Currently RC4 is the only one - * available, but if new ones emerge, they will have to be added... - */ -const SSL_CIPHER * -dtls1_get_cipher(unsigned int u) -{ - const SSL_CIPHER *ciph = ssl3_get_cipher(u); - - if (ciph != NULL) { - if (ciph->algorithm_enc == SSL_RC4) - return NULL; - } - - return ciph; -} - -void -dtls1_start_timer(SSL *s) -{ - - /* If timer is not set, initialize duration with 1 second */ - if (s->d1->next_timeout.tv_sec == 0 && s->d1->next_timeout.tv_usec == 0) { - s->d1->timeout_duration = 1; - } - - /* Set timeout to current time */ - gettimeofday(&(s->d1->next_timeout), NULL); - - /* Add duration to current time */ - s->d1->next_timeout.tv_sec += s->d1->timeout_duration; - BIO_ctrl(SSL_get_rbio(s), BIO_CTRL_DGRAM_SET_NEXT_TIMEOUT, 0, - &(s->d1->next_timeout)); -} - -struct timeval* -dtls1_get_timeout(SSL *s, struct timeval* timeleft) -{ - struct timeval timenow; - - /* If no timeout is set, just return NULL */ - if (s->d1->next_timeout.tv_sec == 0 && s->d1->next_timeout.tv_usec == 0) { - return NULL; - } - - /* Get current time */ - gettimeofday(&timenow, NULL); - - /* If timer already expired, set remaining time to 0 */ - if (s->d1->next_timeout.tv_sec < timenow.tv_sec || - (s->d1->next_timeout.tv_sec == timenow.tv_sec && - s->d1->next_timeout.tv_usec <= timenow.tv_usec)) { - memset(timeleft, 0, sizeof(struct timeval)); - return timeleft; - } - - /* Calculate time left until timer expires */ - memcpy(timeleft, &(s->d1->next_timeout), sizeof(struct timeval)); - timeleft->tv_sec -= timenow.tv_sec; - timeleft->tv_usec -= timenow.tv_usec; - if (timeleft->tv_usec < 0) { - timeleft->tv_sec--; - timeleft->tv_usec += 1000000; - } - - /* If remaining time is less than 15 ms, set it to 0 - * to prevent issues because of small devergences with - * socket timeouts. - */ - if (timeleft->tv_sec == 0 && timeleft->tv_usec < 15000) { - memset(timeleft, 0, sizeof(struct timeval)); - } - - - return timeleft; -} - -int -dtls1_is_timer_expired(SSL *s) -{ - struct timeval timeleft; - - /* Get time left until timeout, return false if no timer running */ - if (dtls1_get_timeout(s, &timeleft) == NULL) { - return 0; - } - - /* Return false if timer is not expired yet */ - if (timeleft.tv_sec > 0 || timeleft.tv_usec > 0) { - return 0; - } - - /* Timer expired, so return true */ - return 1; -} - -void -dtls1_double_timeout(SSL *s) -{ - s->d1->timeout_duration *= 2; - if (s->d1->timeout_duration > 60) - s->d1->timeout_duration = 60; - dtls1_start_timer(s); -} - -void -dtls1_stop_timer(SSL *s) -{ - /* Reset everything */ - memset(&(s->d1->timeout), 0, sizeof(struct dtls1_timeout_st)); - memset(&(s->d1->next_timeout), 0, sizeof(struct timeval)); - s->d1->timeout_duration = 1; - BIO_ctrl(SSL_get_rbio(s), BIO_CTRL_DGRAM_SET_NEXT_TIMEOUT, 0, - &(s->d1->next_timeout)); - /* Clear retransmission buffer */ - dtls1_clear_record_buffer(s); -} - -int -dtls1_check_timeout_num(SSL *s) -{ - s->d1->timeout.num_alerts++; - - /* Reduce MTU after 2 unsuccessful retransmissions */ - if (s->d1->timeout.num_alerts > 2) { - s->d1->mtu = BIO_ctrl(SSL_get_wbio(s), - BIO_CTRL_DGRAM_GET_FALLBACK_MTU, 0, NULL); - - } - - if (s->d1->timeout.num_alerts > DTLS1_TMO_ALERT_COUNT) { - /* fail the connection, enough alerts have been sent */ - SSLerr(SSL_F_DTLS1_CHECK_TIMEOUT_NUM, SSL_R_READ_TIMEOUT_EXPIRED); - return -1; - } - - return 0; -} - -int -dtls1_handle_timeout(SSL *s) -{ - /* if no timer is expired, don't do anything */ - if (!dtls1_is_timer_expired(s)) { - return 0; - } - - dtls1_double_timeout(s); - - if (dtls1_check_timeout_num(s) < 0) - return -1; - - s->d1->timeout.read_timeouts++; - if (s->d1->timeout.read_timeouts > DTLS1_TMO_READ_COUNT) { - s->d1->timeout.read_timeouts = 1; - } - - dtls1_start_timer(s); - return dtls1_retransmit_buffered_messages(s); -} - -int -dtls1_listen(SSL *s, struct sockaddr *client) -{ - int ret; - - /* Ensure there is no state left over from a previous invocation */ - SSL_clear(s); - - SSL_set_options(s, SSL_OP_COOKIE_EXCHANGE); - s->d1->listen = 1; - - ret = SSL_accept(s); - if (ret <= 0) - return ret; - - (void)BIO_dgram_get_peer(SSL_get_rbio(s), client); - return 1; -} - -void -dtls1_build_sequence_number(unsigned char *dst, unsigned char *seq, - unsigned short epoch) -{ - unsigned char dtlsseq[SSL3_SEQUENCE_SIZE]; - unsigned char *p; - - p = dtlsseq; - s2n(epoch, p); - memcpy(p, &seq[2], SSL3_SEQUENCE_SIZE - 2); - memcpy(dst, dtlsseq, SSL3_SEQUENCE_SIZE); -} diff --git a/lib/libssl/src/ssl/d1_meth.c b/lib/libssl/src/ssl/d1_meth.c deleted file mode 100644 index 7f279a4f50c..00000000000 --- a/lib/libssl/src/ssl/d1_meth.c +++ /dev/null @@ -1,112 +0,0 @@ -/* $OpenBSD: d1_meth.c,v 1.9 2015/02/06 08:30:23 jsing Exp $ */ -/* - * DTLS implementation written by Nagendra Modadugu - * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. - */ -/* ==================================================================== - * Copyright (c) 1999-2005 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * openssl-core@OpenSSL.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ - -#include <stdio.h> - -#include <openssl/objects.h> - -#include "ssl_locl.h" - -static const SSL_METHOD *dtls1_get_method(int ver); - -const SSL_METHOD DTLSv1_method_data = { - .version = DTLS1_VERSION, - .ssl_new = dtls1_new, - .ssl_clear = dtls1_clear, - .ssl_free = dtls1_free, - .ssl_accept = dtls1_accept, - .ssl_connect = dtls1_connect, - .ssl_read = ssl3_read, - .ssl_peek = ssl3_peek, - .ssl_write = ssl3_write, - .ssl_shutdown = dtls1_shutdown, - .ssl_renegotiate = ssl3_renegotiate, - .ssl_renegotiate_check = ssl3_renegotiate_check, - .ssl_get_message = dtls1_get_message, - .ssl_read_bytes = dtls1_read_bytes, - .ssl_write_bytes = dtls1_write_app_data_bytes, - .ssl_dispatch_alert = dtls1_dispatch_alert, - .ssl_ctrl = dtls1_ctrl, - .ssl_ctx_ctrl = ssl3_ctx_ctrl, - .get_cipher_by_char = ssl3_get_cipher_by_char, - .put_cipher_by_char = ssl3_put_cipher_by_char, - .ssl_pending = ssl3_pending, - .num_ciphers = ssl3_num_ciphers, - .get_cipher = dtls1_get_cipher, - .get_ssl_method = dtls1_get_method, - .get_timeout = dtls1_default_timeout, - .ssl3_enc = &DTLSv1_enc_data, - .ssl_version = ssl_undefined_void_function, - .ssl_callback_ctrl = ssl3_callback_ctrl, - .ssl_ctx_callback_ctrl = ssl3_ctx_callback_ctrl, -}; - -const SSL_METHOD * -DTLSv1_method(void) -{ - return &DTLSv1_method_data; -} - -static const SSL_METHOD * -dtls1_get_method(int ver) -{ - if (ver == DTLS1_VERSION) - return (DTLSv1_method()); - return (NULL); -} diff --git a/lib/libssl/src/ssl/d1_pkt.c b/lib/libssl/src/ssl/d1_pkt.c deleted file mode 100644 index 5326a2c3d0c..00000000000 --- a/lib/libssl/src/ssl/d1_pkt.c +++ /dev/null @@ -1,1477 +0,0 @@ -/* $OpenBSD: d1_pkt.c,v 1.48 2015/09/11 18:08:21 jsing Exp $ */ -/* - * DTLS implementation written by Nagendra Modadugu - * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. - */ -/* ==================================================================== - * Copyright (c) 1998-2005 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * openssl-core@openssl.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.openssl.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ -/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) - * All rights reserved. - * - * This package is an SSL implementation written - * by Eric Young (eay@cryptsoft.com). - * The implementation was written so as to conform with Netscapes SSL. - * - * This library is free for commercial and non-commercial use as long as - * the following conditions are aheared to. The following conditions - * apply to all code found in this distribution, be it the RC4, RSA, - * lhash, DES, etc., code; not just the SSL code. The SSL documentation - * included with this distribution is covered by the same copyright terms - * except that the holder is Tim Hudson (tjh@cryptsoft.com). - * - * Copyright remains Eric Young's, and as such any Copyright notices in - * the code are not to be removed. - * If this package is used in a product, Eric Young should be given attribution - * as the author of the parts of the library used. - * This can be in the form of a textual message at program startup or - * in documentation (online or textual) provided with the package. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * "This product includes cryptographic software written by - * Eric Young (eay@cryptsoft.com)" - * The word 'cryptographic' can be left out if the rouines from the library - * being used are not cryptographic related :-). - * 4. If you include any Windows specific code (or a derivative thereof) from - * the apps directory (application code) you must include an acknowledgement: - * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" - * - * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * The licence and distribution terms for any publically available version or - * derivative of this code cannot be changed. i.e. this code cannot simply be - * copied and put under another distribution licence - * [including the GNU Public Licence.] - */ - -#include <machine/endian.h> - -#include <errno.h> -#include <stdio.h> - -#include "ssl_locl.h" - -#include <openssl/buffer.h> -#include <openssl/evp.h> - -#include "pqueue.h" -#include "bytestring.h" - -/* mod 128 saturating subtract of two 64-bit values in big-endian order */ -static int -satsub64be(const unsigned char *v1, const unsigned char *v2) -{ - int ret, sat, brw, i; - - if (sizeof(long) == 8) - do { - long l; - - if (BYTE_ORDER == LITTLE_ENDIAN) - break; - /* not reached on little-endians */ - /* following test is redundant, because input is - * always aligned, but I take no chances... */ - if (((size_t)v1 | (size_t)v2) & 0x7) - break; - - l = *((long *)v1); - l -= *((long *)v2); - if (l > 128) - return 128; - else if (l<-128) - return -128; - else - return (int)l; - } while (0); - - ret = (int)v1[7] - (int)v2[7]; - sat = 0; - brw = ret >> 8; /* brw is either 0 or -1 */ - if (ret & 0x80) { - for (i = 6; i >= 0; i--) { - brw += (int)v1[i]-(int)v2[i]; - sat |= ~brw; - brw >>= 8; - } - } else { - for (i = 6; i >= 0; i--) { - brw += (int)v1[i]-(int)v2[i]; - sat |= brw; - brw >>= 8; - } - } - brw <<= 8; /* brw is either 0 or -256 */ - - if (sat & 0xff) - return brw | 0x80; - else - return brw + (ret & 0xFF); -} - -static int have_handshake_fragment(SSL *s, int type, unsigned char *buf, - int len, int peek); -static int dtls1_record_replay_check(SSL *s, DTLS1_BITMAP *bitmap); -static void dtls1_record_bitmap_update(SSL *s, DTLS1_BITMAP *bitmap); -static DTLS1_BITMAP *dtls1_get_bitmap(SSL *s, SSL3_RECORD *rr, - unsigned int *is_next_epoch); -static int dtls1_buffer_record(SSL *s, record_pqueue *q, - unsigned char *priority); -static int dtls1_process_record(SSL *s); - -/* copy buffered record into SSL structure */ -static int -dtls1_copy_record(SSL *s, pitem *item) -{ - DTLS1_RECORD_DATA *rdata; - - rdata = (DTLS1_RECORD_DATA *)item->data; - - free(s->s3->rbuf.buf); - - s->packet = rdata->packet; - s->packet_length = rdata->packet_length; - memcpy(&(s->s3->rbuf), &(rdata->rbuf), sizeof(SSL3_BUFFER)); - memcpy(&(s->s3->rrec), &(rdata->rrec), sizeof(SSL3_RECORD)); - - /* Set proper sequence number for mac calculation */ - memcpy(&(s->s3->read_sequence[2]), &(rdata->packet[5]), 6); - - return (1); -} - - -static int -dtls1_buffer_record(SSL *s, record_pqueue *queue, unsigned char *priority) -{ - DTLS1_RECORD_DATA *rdata; - pitem *item; - - /* Limit the size of the queue to prevent DOS attacks */ - if (pqueue_size(queue->q) >= 100) - return 0; - - rdata = malloc(sizeof(DTLS1_RECORD_DATA)); - item = pitem_new(priority, rdata); - if (rdata == NULL || item == NULL) - goto init_err; - - rdata->packet = s->packet; - rdata->packet_length = s->packet_length; - memcpy(&(rdata->rbuf), &(s->s3->rbuf), sizeof(SSL3_BUFFER)); - memcpy(&(rdata->rrec), &(s->s3->rrec), sizeof(SSL3_RECORD)); - - item->data = rdata; - - - s->packet = NULL; - s->packet_length = 0; - memset(&(s->s3->rbuf), 0, sizeof(SSL3_BUFFER)); - memset(&(s->s3->rrec), 0, sizeof(SSL3_RECORD)); - - if (!ssl3_setup_buffers(s)) - goto err; - - /* insert should not fail, since duplicates are dropped */ - if (pqueue_insert(queue->q, item) == NULL) - goto err; - - return (1); - -err: - free(rdata->rbuf.buf); - -init_err: - SSLerr(SSL_F_DTLS1_BUFFER_RECORD, ERR_R_INTERNAL_ERROR); - free(rdata); - pitem_free(item); - return (-1); -} - - -static int -dtls1_retrieve_buffered_record(SSL *s, record_pqueue *queue) -{ - pitem *item; - - item = pqueue_pop(queue->q); - if (item) { - dtls1_copy_record(s, item); - - free(item->data); - pitem_free(item); - - return (1); - } - - return (0); -} - - -/* retrieve a buffered record that belongs to the new epoch, i.e., not processed - * yet */ -#define dtls1_get_unprocessed_record(s) \ - dtls1_retrieve_buffered_record((s), \ - &((s)->d1->unprocessed_rcds)) - -/* retrieve a buffered record that belongs to the current epoch, ie, processed */ -#define dtls1_get_processed_record(s) \ - dtls1_retrieve_buffered_record((s), \ - &((s)->d1->processed_rcds)) - -static int -dtls1_process_buffered_records(SSL *s) -{ - pitem *item; - - item = pqueue_peek(s->d1->unprocessed_rcds.q); - if (item) { - /* Check if epoch is current. */ - if (s->d1->unprocessed_rcds.epoch != s->d1->r_epoch) - return (1); - /* Nothing to do. */ - - /* Process all the records. */ - while (pqueue_peek(s->d1->unprocessed_rcds.q)) { - dtls1_get_unprocessed_record(s); - if (! dtls1_process_record(s)) - return (0); - if (dtls1_buffer_record(s, &(s->d1->processed_rcds), - s->s3->rrec.seq_num) < 0) - return (-1); - } - } - - /* sync epoch numbers once all the unprocessed records - * have been processed */ - s->d1->processed_rcds.epoch = s->d1->r_epoch; - s->d1->unprocessed_rcds.epoch = s->d1->r_epoch + 1; - - return (1); -} - -static int -dtls1_process_record(SSL *s) -{ - int i, al; - int enc_err; - SSL_SESSION *sess; - SSL3_RECORD *rr; - unsigned int mac_size, orig_len; - unsigned char md[EVP_MAX_MD_SIZE]; - - rr = &(s->s3->rrec); - sess = s->session; - - /* At this point, s->packet_length == SSL3_RT_HEADER_LNGTH + rr->length, - * and we have that many bytes in s->packet - */ - rr->input = &(s->packet[DTLS1_RT_HEADER_LENGTH]); - - /* ok, we can now read from 's->packet' data into 'rr' - * rr->input points at rr->length bytes, which - * need to be copied into rr->data by either - * the decryption or by the decompression - * When the data is 'copied' into the rr->data buffer, - * rr->input will be pointed at the new buffer */ - - /* We now have - encrypted [ MAC [ compressed [ plain ] ] ] - * rr->length bytes of encrypted compressed stuff. */ - - /* check is not needed I believe */ - if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH) { - al = SSL_AD_RECORD_OVERFLOW; - SSLerr(SSL_F_DTLS1_PROCESS_RECORD, SSL_R_ENCRYPTED_LENGTH_TOO_LONG); - goto f_err; - } - - /* decrypt in place in 'rr->input' */ - rr->data = rr->input; - - enc_err = s->method->ssl3_enc->enc(s, 0); - /* enc_err is: - * 0: (in non-constant time) if the record is publically invalid. - * 1: if the padding is valid - * -1: if the padding is invalid */ - if (enc_err == 0) { - /* For DTLS we simply ignore bad packets. */ - rr->length = 0; - s->packet_length = 0; - goto err; - } - - - /* r->length is now the compressed data plus mac */ - if ((sess != NULL) && (s->enc_read_ctx != NULL) && - (EVP_MD_CTX_md(s->read_hash) != NULL)) { - /* s->read_hash != NULL => mac_size != -1 */ - unsigned char *mac = NULL; - unsigned char mac_tmp[EVP_MAX_MD_SIZE]; - mac_size = EVP_MD_CTX_size(s->read_hash); - OPENSSL_assert(mac_size <= EVP_MAX_MD_SIZE); - - /* kludge: *_cbc_remove_padding passes padding length in rr->type */ - orig_len = rr->length + ((unsigned int)rr->type >> 8); - - /* orig_len is the length of the record before any padding was - * removed. This is public information, as is the MAC in use, - * therefore we can safely process the record in a different - * amount of time if it's too short to possibly contain a MAC. - */ - if (orig_len < mac_size || - /* CBC records must have a padding length byte too. */ - (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE && - orig_len < mac_size + 1)) { - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_DTLS1_PROCESS_RECORD, SSL_R_LENGTH_TOO_SHORT); - goto f_err; - } - - if (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE) { - /* We update the length so that the TLS header bytes - * can be constructed correctly but we need to extract - * the MAC in constant time from within the record, - * without leaking the contents of the padding bytes. - * */ - mac = mac_tmp; - ssl3_cbc_copy_mac(mac_tmp, rr, mac_size, orig_len); - rr->length -= mac_size; - } else { - /* In this case there's no padding, so |orig_len| - * equals |rec->length| and we checked that there's - * enough bytes for |mac_size| above. */ - rr->length -= mac_size; - mac = &rr->data[rr->length]; - } - - i = s->method->ssl3_enc->mac(s, md, 0 /* not send */); - if (i < 0 || mac == NULL || timingsafe_memcmp(md, mac, (size_t)mac_size) != 0) - enc_err = -1; - if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH + mac_size) - enc_err = -1; - } - - if (enc_err < 0) { - /* decryption failed, silently discard message */ - rr->length = 0; - s->packet_length = 0; - goto err; - } - - if (rr->length > SSL3_RT_MAX_PLAIN_LENGTH) { - al = SSL_AD_RECORD_OVERFLOW; - SSLerr(SSL_F_DTLS1_PROCESS_RECORD, SSL_R_DATA_LENGTH_TOO_LONG); - goto f_err; - } - - rr->off = 0; - /* So at this point the following is true - * ssl->s3->rrec.type is the type of record - * ssl->s3->rrec.length == number of bytes in record - * ssl->s3->rrec.off == offset to first valid byte - * ssl->s3->rrec.data == where to take bytes from, increment - * after use :-). - */ - - /* we have pulled in a full packet so zero things */ - s->packet_length = 0; - return (1); - -f_err: - ssl3_send_alert(s, SSL3_AL_FATAL, al); -err: - return (0); -} - - -/* Call this to get a new input record. - * It will return <= 0 if more data is needed, normally due to an error - * or non-blocking IO. - * When it finishes, one packet has been decoded and can be found in - * ssl->s3->rrec.type - is the type of record - * ssl->s3->rrec.data, - data - * ssl->s3->rrec.length, - number of bytes - */ -/* used only by dtls1_read_bytes */ -int -dtls1_get_record(SSL *s) -{ - int i, n; - SSL3_RECORD *rr; - unsigned char *p = NULL; - DTLS1_BITMAP *bitmap; - unsigned int is_next_epoch; - - rr = &(s->s3->rrec); - - /* The epoch may have changed. If so, process all the - * pending records. This is a non-blocking operation. */ - if (dtls1_process_buffered_records(s) < 0) - return (-1); - - /* if we're renegotiating, then there may be buffered records */ - if (dtls1_get_processed_record(s)) - return 1; - - /* get something from the wire */ - if (0) { -again: - /* dump this record on all retries */ - rr->length = 0; - s->packet_length = 0; - } - - /* check if we have the header */ - if ((s->rstate != SSL_ST_READ_BODY) || - (s->packet_length < DTLS1_RT_HEADER_LENGTH)) { - CBS header, seq_no; - uint16_t epoch, len, ssl_version; - uint8_t type; - - n = ssl3_read_n(s, DTLS1_RT_HEADER_LENGTH, s->s3->rbuf.len, 0); - /* read timeout is handled by dtls1_read_bytes */ - if (n <= 0) - return(n); /* error or non-blocking */ - - /* this packet contained a partial record, dump it */ - if (s->packet_length != DTLS1_RT_HEADER_LENGTH) - goto again; - - s->rstate = SSL_ST_READ_BODY; - - CBS_init(&header, s->packet, s->packet_length); - - /* Pull apart the header into the DTLS1_RECORD */ - if (!CBS_get_u8(&header, &type)) - goto again; - if (!CBS_get_u16(&header, &ssl_version)) - goto again; - - /* sequence number is 64 bits, with top 2 bytes = epoch */ - if (!CBS_get_u16(&header, &epoch) || - !CBS_get_bytes(&header, &seq_no, 6)) - goto again; - - if (!CBS_write_bytes(&seq_no, &(s->s3->read_sequence[2]), - sizeof(s->s3->read_sequence) - 2, NULL)) - goto again; - if (!CBS_get_u16(&header, &len)) - goto again; - - rr->type = type; - rr->epoch = epoch; - rr->length = len; - - /* unexpected version, silently discard */ - if (!s->first_packet && ssl_version != s->version) - goto again; - - /* wrong version, silently discard record */ - if ((ssl_version & 0xff00) != (s->version & 0xff00)) - goto again; - - /* record too long, silently discard it */ - if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH) - goto again; - - /* now s->rstate == SSL_ST_READ_BODY */ - p = (unsigned char *)CBS_data(&header); - } - - /* s->rstate == SSL_ST_READ_BODY, get and decode the data */ - - if (rr->length > s->packet_length - DTLS1_RT_HEADER_LENGTH) { - /* now s->packet_length == DTLS1_RT_HEADER_LENGTH */ - i = rr->length; - n = ssl3_read_n(s, i, i, 1); - if (n <= 0) - return(n); /* error or non-blocking io */ - - /* this packet contained a partial record, dump it */ - if (n != i) - goto again; - - /* now n == rr->length, - * and s->packet_length == DTLS1_RT_HEADER_LENGTH + rr->length */ - } - s->rstate = SSL_ST_READ_HEADER; /* set state for later operations */ - - /* match epochs. NULL means the packet is dropped on the floor */ - bitmap = dtls1_get_bitmap(s, rr, &is_next_epoch); - if (bitmap == NULL) - goto again; - - /* - * Check whether this is a repeat, or aged record. - * Don't check if we're listening and this message is - * a ClientHello. They can look as if they're replayed, - * since they arrive from different connections and - * would be dropped unnecessarily. - */ - if (!(s->d1->listen && rr->type == SSL3_RT_HANDSHAKE && - p != NULL && *p == SSL3_MT_CLIENT_HELLO) && - !dtls1_record_replay_check(s, bitmap)) - goto again; - - /* just read a 0 length packet */ - if (rr->length == 0) - goto again; - - /* If this record is from the next epoch (either HM or ALERT), - * and a handshake is currently in progress, buffer it since it - * cannot be processed at this time. However, do not buffer - * anything while listening. - */ - if (is_next_epoch) { - if ((SSL_in_init(s) || s->in_handshake) && !s->d1->listen) { - if (dtls1_buffer_record(s, &(s->d1->unprocessed_rcds), - rr->seq_num) < 0) - return (-1); - /* Mark receipt of record. */ - dtls1_record_bitmap_update(s, bitmap); - } - goto again; - } - - if (!dtls1_process_record(s)) - goto again; - - /* Mark receipt of record. */ - dtls1_record_bitmap_update(s, bitmap); - - return (1); -} - -/* Return up to 'len' payload bytes received in 'type' records. - * 'type' is one of the following: - * - * - SSL3_RT_HANDSHAKE (when ssl3_get_message calls us) - * - SSL3_RT_APPLICATION_DATA (when ssl3_read calls us) - * - 0 (during a shutdown, no data has to be returned) - * - * If we don't have stored data to work from, read a SSL/TLS record first - * (possibly multiple records if we still don't have anything to return). - * - * This function must handle any surprises the peer may have for us, such as - * Alert records (e.g. close_notify), ChangeCipherSpec records (not really - * a surprise, but handled as if it were), or renegotiation requests. - * Also if record payloads contain fragments too small to process, we store - * them until there is enough for the respective protocol (the record protocol - * may use arbitrary fragmentation and even interleaving): - * Change cipher spec protocol - * just 1 byte needed, no need for keeping anything stored - * Alert protocol - * 2 bytes needed (AlertLevel, AlertDescription) - * Handshake protocol - * 4 bytes needed (HandshakeType, uint24 length) -- we just have - * to detect unexpected Client Hello and Hello Request messages - * here, anything else is handled by higher layers - * Application data protocol - * none of our business - */ -int -dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek) -{ - int al, i, j, ret; - unsigned int n; - SSL3_RECORD *rr; - void (*cb)(const SSL *ssl, int type2, int val) = NULL; - - if (s->s3->rbuf.buf == NULL) /* Not initialized yet */ - if (!ssl3_setup_buffers(s)) - return (-1); - - if ((type && - type != SSL3_RT_APPLICATION_DATA && type != SSL3_RT_HANDSHAKE) || - (peek && (type != SSL3_RT_APPLICATION_DATA))) { - SSLerr(SSL_F_DTLS1_READ_BYTES, ERR_R_INTERNAL_ERROR); - return -1; - } - - /* check whether there's a handshake message (client hello?) waiting */ - if ((ret = have_handshake_fragment(s, type, buf, len, peek))) - return ret; - - /* Now s->d1->handshake_fragment_len == 0 if type == SSL3_RT_HANDSHAKE. */ - - if (!s->in_handshake && SSL_in_init(s)) - { - /* type == SSL3_RT_APPLICATION_DATA */ - i = s->handshake_func(s); - if (i < 0) - return (i); - if (i == 0) { - SSLerr(SSL_F_DTLS1_READ_BYTES, SSL_R_SSL_HANDSHAKE_FAILURE); - return (-1); - } - } - -start: - s->rwstate = SSL_NOTHING; - - /* s->s3->rrec.type - is the type of record - * s->s3->rrec.data, - data - * s->s3->rrec.off, - offset into 'data' for next read - * s->s3->rrec.length, - number of bytes. */ - rr = &(s->s3->rrec); - - /* We are not handshaking and have no data yet, - * so process data buffered during the last handshake - * in advance, if any. - */ - if (s->state == SSL_ST_OK && rr->length == 0) { - pitem *item; - item = pqueue_pop(s->d1->buffered_app_data.q); - if (item) { - - dtls1_copy_record(s, item); - - free(item->data); - pitem_free(item); - } - } - - /* Check for timeout */ - if (dtls1_handle_timeout(s) > 0) - goto start; - - /* get new packet if necessary */ - if ((rr->length == 0) || (s->rstate == SSL_ST_READ_BODY)) { - ret = dtls1_get_record(s); - if (ret <= 0) { - ret = dtls1_read_failed(s, ret); - /* anything other than a timeout is an error */ - if (ret <= 0) - return (ret); - else - goto start; - } - } - - if (s->d1->listen && rr->type != SSL3_RT_HANDSHAKE) { - rr->length = 0; - goto start; - } - - /* we now have a packet which can be read and processed */ - - if (s->s3->change_cipher_spec /* set when we receive ChangeCipherSpec, - * reset by ssl3_get_finished */ - && (rr->type != SSL3_RT_HANDSHAKE)) { - /* We now have application data between CCS and Finished. - * Most likely the packets were reordered on their way, so - * buffer the application data for later processing rather - * than dropping the connection. - */ - if (dtls1_buffer_record(s, &(s->d1->buffered_app_data), - rr->seq_num) < 0) { - SSLerr(SSL_F_DTLS1_READ_BYTES, ERR_R_INTERNAL_ERROR); - return (-1); - } - rr->length = 0; - goto start; - } - - /* If the other end has shut down, throw anything we read away - * (even in 'peek' mode) */ - if (s->shutdown & SSL_RECEIVED_SHUTDOWN) { - rr->length = 0; - s->rwstate = SSL_NOTHING; - return (0); - } - - - if (type == rr->type) /* SSL3_RT_APPLICATION_DATA or SSL3_RT_HANDSHAKE */ - { - /* make sure that we are not getting application data when we - * are doing a handshake for the first time */ - if (SSL_in_init(s) && (type == SSL3_RT_APPLICATION_DATA) && - (s->enc_read_ctx == NULL)) { - al = SSL_AD_UNEXPECTED_MESSAGE; - SSLerr(SSL_F_DTLS1_READ_BYTES, SSL_R_APP_DATA_IN_HANDSHAKE); - goto f_err; - } - - if (len <= 0) - return (len); - - if ((unsigned int)len > rr->length) - n = rr->length; - else - n = (unsigned int)len; - - memcpy(buf, &(rr->data[rr->off]), n); - if (!peek) { - rr->length -= n; - rr->off += n; - if (rr->length == 0) { - s->rstate = SSL_ST_READ_HEADER; - rr->off = 0; - } - } - - return (n); - } - - - /* If we get here, then type != rr->type; if we have a handshake - * message, then it was unexpected (Hello Request or Client Hello). */ - - /* In case of record types for which we have 'fragment' storage, - * fill that so that we can process the data at a fixed place. - */ - { - unsigned int k, dest_maxlen = 0; - unsigned char *dest = NULL; - unsigned int *dest_len = NULL; - - if (rr->type == SSL3_RT_HANDSHAKE) { - dest_maxlen = sizeof s->d1->handshake_fragment; - dest = s->d1->handshake_fragment; - dest_len = &s->d1->handshake_fragment_len; - } else if (rr->type == SSL3_RT_ALERT) { - dest_maxlen = sizeof(s->d1->alert_fragment); - dest = s->d1->alert_fragment; - dest_len = &s->d1->alert_fragment_len; - } - /* else it's a CCS message, or application data or wrong */ - else if (rr->type != SSL3_RT_CHANGE_CIPHER_SPEC) { - /* Application data while renegotiating - * is allowed. Try again reading. - */ - if (rr->type == SSL3_RT_APPLICATION_DATA) { - BIO *bio; - s->s3->in_read_app_data = 2; - bio = SSL_get_rbio(s); - s->rwstate = SSL_READING; - BIO_clear_retry_flags(bio); - BIO_set_retry_read(bio); - return (-1); - } - - /* Not certain if this is the right error handling */ - al = SSL_AD_UNEXPECTED_MESSAGE; - SSLerr(SSL_F_DTLS1_READ_BYTES, SSL_R_UNEXPECTED_RECORD); - goto f_err; - } - - if (dest_maxlen > 0) { - /* XDTLS: In a pathalogical case, the Client Hello - * may be fragmented--don't always expect dest_maxlen bytes */ - if (rr->length < dest_maxlen) { -#ifdef DTLS1_AD_MISSING_HANDSHAKE_MESSAGE - /* - * for normal alerts rr->length is 2, while - * dest_maxlen is 7 if we were to handle this - * non-existing alert... - */ - FIX ME -#endif - s->rstate = SSL_ST_READ_HEADER; - rr->length = 0; - goto start; - } - - /* now move 'n' bytes: */ - for ( k = 0; k < dest_maxlen; k++) { - dest[k] = rr->data[rr->off++]; - rr->length--; - } - *dest_len = dest_maxlen; - } - } - - /* s->d1->handshake_fragment_len == 12 iff rr->type == SSL3_RT_HANDSHAKE; - * s->d1->alert_fragment_len == 7 iff rr->type == SSL3_RT_ALERT. - * (Possibly rr is 'empty' now, i.e. rr->length may be 0.) */ - - /* If we are a client, check for an incoming 'Hello Request': */ - if ((!s->server) && - (s->d1->handshake_fragment_len >= DTLS1_HM_HEADER_LENGTH) && - (s->d1->handshake_fragment[0] == SSL3_MT_HELLO_REQUEST) && - (s->session != NULL) && (s->session->cipher != NULL)) { - s->d1->handshake_fragment_len = 0; - - if ((s->d1->handshake_fragment[1] != 0) || - (s->d1->handshake_fragment[2] != 0) || - (s->d1->handshake_fragment[3] != 0)) { - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_DTLS1_READ_BYTES, SSL_R_BAD_HELLO_REQUEST); - goto err; - } - - /* no need to check sequence number on HELLO REQUEST messages */ - - if (s->msg_callback) - s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, - s->d1->handshake_fragment, 4, s, s->msg_callback_arg); - - if (SSL_is_init_finished(s) && - !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) && - !s->s3->renegotiate) { - s->d1->handshake_read_seq++; - s->new_session = 1; - ssl3_renegotiate(s); - if (ssl3_renegotiate_check(s)) { - i = s->handshake_func(s); - if (i < 0) - return (i); - if (i == 0) { - SSLerr(SSL_F_DTLS1_READ_BYTES, SSL_R_SSL_HANDSHAKE_FAILURE); - return (-1); - } - - if (!(s->mode & SSL_MODE_AUTO_RETRY)) { - if (s->s3->rbuf.left == 0) /* no read-ahead left? */ - { - BIO *bio; - /* In the case where we try to read application data, - * but we trigger an SSL handshake, we return -1 with - * the retry option set. Otherwise renegotiation may - * cause nasty problems in the blocking world */ - s->rwstate = SSL_READING; - bio = SSL_get_rbio(s); - BIO_clear_retry_flags(bio); - BIO_set_retry_read(bio); - return (-1); - } - } - } - } - /* we either finished a handshake or ignored the request, - * now try again to obtain the (application) data we were asked for */ - goto start; - } - - if (s->d1->alert_fragment_len >= DTLS1_AL_HEADER_LENGTH) { - int alert_level = s->d1->alert_fragment[0]; - int alert_descr = s->d1->alert_fragment[1]; - - s->d1->alert_fragment_len = 0; - - if (s->msg_callback) - s->msg_callback(0, s->version, SSL3_RT_ALERT, - s->d1->alert_fragment, 2, s, s->msg_callback_arg); - - if (s->info_callback != NULL) - cb = s->info_callback; - else if (s->ctx->info_callback != NULL) - cb = s->ctx->info_callback; - - if (cb != NULL) { - j = (alert_level << 8) | alert_descr; - cb(s, SSL_CB_READ_ALERT, j); - } - - if (alert_level == 1) /* warning */ - { - s->s3->warn_alert = alert_descr; - if (alert_descr == SSL_AD_CLOSE_NOTIFY) { - s->shutdown |= SSL_RECEIVED_SHUTDOWN; - return (0); - } - } else if (alert_level == 2) /* fatal */ - { - s->rwstate = SSL_NOTHING; - s->s3->fatal_alert = alert_descr; - SSLerr(SSL_F_DTLS1_READ_BYTES, SSL_AD_REASON_OFFSET + alert_descr); - ERR_asprintf_error_data("SSL alert number %d", - alert_descr); - s->shutdown|=SSL_RECEIVED_SHUTDOWN; - SSL_CTX_remove_session(s->ctx, s->session); - return (0); - } else { - al = SSL_AD_ILLEGAL_PARAMETER; - SSLerr(SSL_F_DTLS1_READ_BYTES, SSL_R_UNKNOWN_ALERT_TYPE); - goto f_err; - } - - goto start; - } - - if (s->shutdown & SSL_SENT_SHUTDOWN) /* but we have not received a shutdown */ - { - s->rwstate = SSL_NOTHING; - rr->length = 0; - return (0); - } - - if (rr->type == SSL3_RT_CHANGE_CIPHER_SPEC) { - struct ccs_header_st ccs_hdr; - unsigned int ccs_hdr_len = DTLS1_CCS_HEADER_LENGTH; - - dtls1_get_ccs_header(rr->data, &ccs_hdr); - - /* 'Change Cipher Spec' is just a single byte, so we know - * exactly what the record payload has to look like */ - /* XDTLS: check that epoch is consistent */ - if ((rr->length != ccs_hdr_len) || - (rr->off != 0) || (rr->data[0] != SSL3_MT_CCS)) { - i = SSL_AD_ILLEGAL_PARAMETER; - SSLerr(SSL_F_DTLS1_READ_BYTES, SSL_R_BAD_CHANGE_CIPHER_SPEC); - goto err; - } - - rr->length = 0; - - if (s->msg_callback) - s->msg_callback(0, s->version, SSL3_RT_CHANGE_CIPHER_SPEC, - rr->data, 1, s, s->msg_callback_arg); - - /* We can't process a CCS now, because previous handshake - * messages are still missing, so just drop it. - */ - if (!s->d1->change_cipher_spec_ok) { - goto start; - } - - s->d1->change_cipher_spec_ok = 0; - - s->s3->change_cipher_spec = 1; - if (!ssl3_do_change_cipher_spec(s)) - goto err; - - /* do this whenever CCS is processed */ - dtls1_reset_seq_numbers(s, SSL3_CC_READ); - - goto start; - } - - /* Unexpected handshake message (Client Hello, or protocol violation) */ - if ((s->d1->handshake_fragment_len >= DTLS1_HM_HEADER_LENGTH) && - !s->in_handshake) { - struct hm_header_st msg_hdr; - - /* this may just be a stale retransmit */ - if (!dtls1_get_message_header(rr->data, &msg_hdr)) - return -1; - if (rr->epoch != s->d1->r_epoch) { - rr->length = 0; - goto start; - } - - /* If we are server, we may have a repeated FINISHED of the - * client here, then retransmit our CCS and FINISHED. - */ - if (msg_hdr.type == SSL3_MT_FINISHED) { - if (dtls1_check_timeout_num(s) < 0) - return -1; - - dtls1_retransmit_buffered_messages(s); - rr->length = 0; - goto start; - } - - if (((s->state&SSL_ST_MASK) == SSL_ST_OK) && - !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS)) { - s->state = s->server ? SSL_ST_ACCEPT : SSL_ST_CONNECT; - s->renegotiate = 1; - s->new_session = 1; - } - i = s->handshake_func(s); - if (i < 0) - return (i); - if (i == 0) { - SSLerr(SSL_F_DTLS1_READ_BYTES, SSL_R_SSL_HANDSHAKE_FAILURE); - return (-1); - } - - if (!(s->mode & SSL_MODE_AUTO_RETRY)) { - if (s->s3->rbuf.left == 0) /* no read-ahead left? */ - { - BIO *bio; - /* In the case where we try to read application data, - * but we trigger an SSL handshake, we return -1 with - * the retry option set. Otherwise renegotiation may - * cause nasty problems in the blocking world */ - s->rwstate = SSL_READING; - bio = SSL_get_rbio(s); - BIO_clear_retry_flags(bio); - BIO_set_retry_read(bio); - return (-1); - } - } - goto start; - } - - switch (rr->type) { - default: - /* TLS just ignores unknown message types */ - if (s->version == TLS1_VERSION) { - rr->length = 0; - goto start; - } - al = SSL_AD_UNEXPECTED_MESSAGE; - SSLerr(SSL_F_DTLS1_READ_BYTES, SSL_R_UNEXPECTED_RECORD); - goto f_err; - case SSL3_RT_CHANGE_CIPHER_SPEC: - case SSL3_RT_ALERT: - case SSL3_RT_HANDSHAKE: - /* we already handled all of these, with the possible exception - * of SSL3_RT_HANDSHAKE when s->in_handshake is set, but that - * should not happen when type != rr->type */ - al = SSL_AD_UNEXPECTED_MESSAGE; - SSLerr(SSL_F_DTLS1_READ_BYTES, ERR_R_INTERNAL_ERROR); - goto f_err; - case SSL3_RT_APPLICATION_DATA: - /* At this point, we were expecting handshake data, - * but have application data. If the library was - * running inside ssl3_read() (i.e. in_read_app_data - * is set) and it makes sense to read application data - * at this point (session renegotiation not yet started), - * we will indulge it. - */ - if (s->s3->in_read_app_data && - (s->s3->total_renegotiations != 0) && - (((s->state & SSL_ST_CONNECT) && - (s->state >= SSL3_ST_CW_CLNT_HELLO_A) && - (s->state <= SSL3_ST_CR_SRVR_HELLO_A)) || ( - (s->state & SSL_ST_ACCEPT) && - (s->state <= SSL3_ST_SW_HELLO_REQ_A) && - (s->state >= SSL3_ST_SR_CLNT_HELLO_A)))) { - s->s3->in_read_app_data = 2; - return (-1); - } else { - al = SSL_AD_UNEXPECTED_MESSAGE; - SSLerr(SSL_F_DTLS1_READ_BYTES, SSL_R_UNEXPECTED_RECORD); - goto f_err; - } - } - /* not reached */ - -f_err: - ssl3_send_alert(s, SSL3_AL_FATAL, al); -err: - return (-1); -} - -int -dtls1_write_app_data_bytes(SSL *s, int type, const void *buf_, int len) -{ - int i; - - if (SSL_in_init(s) && !s->in_handshake) - { - i = s->handshake_func(s); - if (i < 0) - return (i); - if (i == 0) { - SSLerr(SSL_F_DTLS1_WRITE_APP_DATA_BYTES, SSL_R_SSL_HANDSHAKE_FAILURE); - return -1; - } - } - - if (len > SSL3_RT_MAX_PLAIN_LENGTH) { - SSLerr(SSL_F_DTLS1_WRITE_APP_DATA_BYTES, SSL_R_DTLS_MESSAGE_TOO_BIG); - return -1; - } - - i = dtls1_write_bytes(s, type, buf_, len); - return i; -} - - - /* this only happens when a client hello is received and a handshake - * is started. */ -static int -have_handshake_fragment(SSL *s, int type, unsigned char *buf, - int len, int peek) -{ - - if ((type == SSL3_RT_HANDSHAKE) && (s->d1->handshake_fragment_len > 0)) - /* (partially) satisfy request from storage */ - { - unsigned char *src = s->d1->handshake_fragment; - unsigned char *dst = buf; - unsigned int k, n; - - /* peek == 0 */ - n = 0; - while ((len > 0) && (s->d1->handshake_fragment_len > 0)) { - *dst++ = *src++; - len--; - s->d1->handshake_fragment_len--; - n++; - } - /* move any remaining fragment bytes: */ - for (k = 0; k < s->d1->handshake_fragment_len; k++) - s->d1->handshake_fragment[k] = *src++; - return n; - } - - return 0; -} - - -/* Call this to write data in records of type 'type' - * It will return <= 0 if not all data has been sent or non-blocking IO. - */ -int -dtls1_write_bytes(SSL *s, int type, const void *buf, int len) -{ - int i; - - OPENSSL_assert(len <= SSL3_RT_MAX_PLAIN_LENGTH); - s->rwstate = SSL_NOTHING; - i = do_dtls1_write(s, type, buf, len); - return i; -} - -int -do_dtls1_write(SSL *s, int type, const unsigned char *buf, unsigned int len) -{ - unsigned char *p, *pseq; - int i, mac_size, clear = 0; - int prefix_len = 0; - SSL3_RECORD *wr; - SSL3_BUFFER *wb; - SSL_SESSION *sess; - int bs; - - /* first check if there is a SSL3_BUFFER still being written - * out. This will happen with non blocking IO */ - if (s->s3->wbuf.left != 0) { - OPENSSL_assert(0); /* XDTLS: want to see if we ever get here */ - return (ssl3_write_pending(s, type, buf, len)); - } - - /* If we have an alert to send, lets send it */ - if (s->s3->alert_dispatch) { - i = s->method->ssl_dispatch_alert(s); - if (i <= 0) - return (i); - /* if it went, fall through and send more stuff */ - } - - if (len == 0) - return 0; - - wr = &(s->s3->wrec); - wb = &(s->s3->wbuf); - sess = s->session; - - if ((sess == NULL) || (s->enc_write_ctx == NULL) || - (EVP_MD_CTX_md(s->write_hash) == NULL)) - clear = 1; - - if (clear) - mac_size = 0; - else { - mac_size = EVP_MD_CTX_size(s->write_hash); - if (mac_size < 0) - goto err; - } - - /* DTLS implements explicit IV, so no need for empty fragments. */ - - p = wb->buf + prefix_len; - - /* write the header */ - - *(p++) = type&0xff; - wr->type = type; - - *(p++) = (s->version >> 8); - *(p++) = s->version&0xff; - - /* field where we are to write out packet epoch, seq num and len */ - pseq = p; - - p += 10; - - /* lets setup the record stuff. */ - - /* Make space for the explicit IV in case of CBC. - * (this is a bit of a boundary violation, but what the heck). - */ - if (s->enc_write_ctx && - (EVP_CIPHER_mode( s->enc_write_ctx->cipher ) & EVP_CIPH_CBC_MODE)) - bs = EVP_CIPHER_block_size(s->enc_write_ctx->cipher); - else - bs = 0; - - wr->data = p + bs; - /* make room for IV in case of CBC */ - wr->length = (int)len; - wr->input = (unsigned char *)buf; - - /* we now 'read' from wr->input, wr->length bytes into - * wr->data */ - - memcpy(wr->data, wr->input, wr->length); - wr->input = wr->data; - - /* we should still have the output to wr->data and the input - * from wr->input. Length should be wr->length. - * wr->data still points in the wb->buf */ - - if (mac_size != 0) { - if (s->method->ssl3_enc->mac(s, &(p[wr->length + bs]), 1) < 0) - goto err; - wr->length += mac_size; - } - - /* this is true regardless of mac size */ - wr->input = p; - wr->data = p; - - - /* ssl3_enc can only have an error on read */ - if (bs) /* bs != 0 in case of CBC */ - { - arc4random_buf(p, bs); - /* master IV and last CBC residue stand for - * the rest of randomness */ - wr->length += bs; - } - - s->method->ssl3_enc->enc(s, 1); - - /* record length after mac and block padding */ -/* if (type == SSL3_RT_APPLICATION_DATA || - (type == SSL3_RT_ALERT && ! SSL_in_init(s))) */ - - /* there's only one epoch between handshake and app data */ - - s2n(s->d1->w_epoch, pseq); - - /* XDTLS: ?? */ -/* else - s2n(s->d1->handshake_epoch, pseq); -*/ - - memcpy(pseq, &(s->s3->write_sequence[2]), 6); - pseq += 6; - s2n(wr->length, pseq); - - /* we should now have - * wr->data pointing to the encrypted data, which is - * wr->length long */ - wr->type=type; /* not needed but helps for debugging */ - wr->length += DTLS1_RT_HEADER_LENGTH; - - tls1_record_sequence_increment(s->s3->write_sequence); - - /* now let's set up wb */ - wb->left = prefix_len + wr->length; - wb->offset = 0; - - /* memorize arguments so that ssl3_write_pending can detect bad write retries later */ - s->s3->wpend_tot = len; - s->s3->wpend_buf = buf; - s->s3->wpend_type = type; - s->s3->wpend_ret = len; - - /* we now just need to write the buffer */ - return ssl3_write_pending(s, type, buf, len); -err: - return -1; -} - - - -static int -dtls1_record_replay_check(SSL *s, DTLS1_BITMAP *bitmap) -{ - int cmp; - unsigned int shift; - const unsigned char *seq = s->s3->read_sequence; - - cmp = satsub64be(seq, bitmap->max_seq_num); - if (cmp > 0) { - memcpy (s->s3->rrec.seq_num, seq, 8); - return 1; /* this record in new */ - } - shift = -cmp; - if (shift >= sizeof(bitmap->map)*8) - return 0; /* stale, outside the window */ - else if (bitmap->map & (1UL << shift)) - return 0; /* record previously received */ - - memcpy(s->s3->rrec.seq_num, seq, 8); - return 1; -} - - -static void -dtls1_record_bitmap_update(SSL *s, DTLS1_BITMAP *bitmap) -{ - int cmp; - unsigned int shift; - const unsigned char *seq = s->s3->read_sequence; - - cmp = satsub64be(seq, bitmap->max_seq_num); - if (cmp > 0) { - shift = cmp; - if (shift < sizeof(bitmap->map)*8) - bitmap->map <<= shift, bitmap->map |= 1UL; - else - bitmap->map = 1UL; - memcpy(bitmap->max_seq_num, seq, 8); - } else { - shift = -cmp; - if (shift < sizeof(bitmap->map) * 8) - bitmap->map |= 1UL << shift; - } -} - - -int -dtls1_dispatch_alert(SSL *s) -{ - int i, j; - void (*cb)(const SSL *ssl, int type, int val) = NULL; - unsigned char buf[DTLS1_AL_HEADER_LENGTH]; - unsigned char *ptr = &buf[0]; - - s->s3->alert_dispatch = 0; - - memset(buf, 0x00, sizeof(buf)); - *ptr++ = s->s3->send_alert[0]; - *ptr++ = s->s3->send_alert[1]; - -#ifdef DTLS1_AD_MISSING_HANDSHAKE_MESSAGE - if (s->s3->send_alert[1] == DTLS1_AD_MISSING_HANDSHAKE_MESSAGE) { - s2n(s->d1->handshake_read_seq, ptr); - l2n3(s->d1->r_msg_hdr.frag_off, ptr); - } -#endif - - i = do_dtls1_write(s, SSL3_RT_ALERT, &buf[0], sizeof(buf)); - if (i <= 0) { - s->s3->alert_dispatch = 1; - /* fprintf( stderr, "not done with alert\n" ); */ - } else { - if (s->s3->send_alert[0] == SSL3_AL_FATAL -#ifdef DTLS1_AD_MISSING_HANDSHAKE_MESSAGE - || s->s3->send_alert[1] == DTLS1_AD_MISSING_HANDSHAKE_MESSAGE -#endif - ) - (void)BIO_flush(s->wbio); - - if (s->msg_callback) - s->msg_callback(1, s->version, SSL3_RT_ALERT, - s->s3->send_alert, 2, s, s->msg_callback_arg); - - if (s->info_callback != NULL) - cb = s->info_callback; - else if (s->ctx->info_callback != NULL) - cb = s->ctx->info_callback; - - if (cb != NULL) { - j = (s->s3->send_alert[0]<<8)|s->s3->send_alert[1]; - cb(s, SSL_CB_WRITE_ALERT, j); - } - } - return (i); -} - - -static DTLS1_BITMAP * -dtls1_get_bitmap(SSL *s, SSL3_RECORD *rr, unsigned int *is_next_epoch) -{ - - *is_next_epoch = 0; - - /* In current epoch, accept HM, CCS, DATA, & ALERT */ - if (rr->epoch == s->d1->r_epoch) - return &s->d1->bitmap; - - /* Only HM and ALERT messages can be from the next epoch */ - else if (rr->epoch == (unsigned long)(s->d1->r_epoch + 1) && - (rr->type == SSL3_RT_HANDSHAKE || rr->type == SSL3_RT_ALERT)) { - *is_next_epoch = 1; - return &s->d1->next_bitmap; - } - - return NULL; -} - -void -dtls1_reset_seq_numbers(SSL *s, int rw) -{ - unsigned char *seq; - unsigned int seq_bytes = sizeof(s->s3->read_sequence); - - if (rw & SSL3_CC_READ) { - seq = s->s3->read_sequence; - s->d1->r_epoch++; - memcpy(&(s->d1->bitmap), &(s->d1->next_bitmap), sizeof(DTLS1_BITMAP)); - memset(&(s->d1->next_bitmap), 0x00, sizeof(DTLS1_BITMAP)); - } else { - seq = s->s3->write_sequence; - memcpy(s->d1->last_write_sequence, seq, sizeof(s->s3->write_sequence)); - s->d1->w_epoch++; - } - - memset(seq, 0x00, seq_bytes); -} diff --git a/lib/libssl/src/ssl/d1_srtp.c b/lib/libssl/src/ssl/d1_srtp.c deleted file mode 100644 index 45ce5b8d3eb..00000000000 --- a/lib/libssl/src/ssl/d1_srtp.c +++ /dev/null @@ -1,473 +0,0 @@ -/* $OpenBSD: d1_srtp.c,v 1.15 2015/07/31 00:35:06 doug Exp $ */ -/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) - * All rights reserved. - * - * This package is an SSL implementation written - * by Eric Young (eay@cryptsoft.com). - * The implementation was written so as to conform with Netscapes SSL. - * - * This library is free for commercial and non-commercial use as long as - * the following conditions are aheared to. The following conditions - * apply to all code found in this distribution, be it the RC4, RSA, - * lhash, DES, etc., code; not just the SSL code. The SSL documentation - * included with this distribution is covered by the same copyright terms - * except that the holder is Tim Hudson (tjh@cryptsoft.com). - * - * Copyright remains Eric Young's, and as such any Copyright notices in - * the code are not to be removed. - * If this package is used in a product, Eric Young should be given attribution - * as the author of the parts of the library used. - * This can be in the form of a textual message at program startup or - * in documentation (online or textual) provided with the package. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * "This product includes cryptographic software written by - * Eric Young (eay@cryptsoft.com)" - * The word 'cryptographic' can be left out if the rouines from the library - * being used are not cryptographic related :-). - * 4. If you include any Windows specific code (or a derivative thereof) from - * the apps directory (application code) you must include an acknowledgement: - * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" - * - * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * The licence and distribution terms for any publically available version or - * derivative of this code cannot be changed. i.e. this code cannot simply be - * copied and put under another distribution licence - * [including the GNU Public Licence.] - */ -/* ==================================================================== - * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * openssl-core@openssl.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.openssl.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ -/* - * DTLS code by Eric Rescorla <ekr@rtfm.com> - * - * Copyright (C) 2006, Network Resonance, Inc. - * Copyright (C) 2011, RTFM, Inc. - */ - -#include <stdio.h> - -#include <openssl/objects.h> - -#include "ssl_locl.h" - -#ifndef OPENSSL_NO_SRTP - -#include "bytestring.h" -#include "srtp.h" - -static SRTP_PROTECTION_PROFILE srtp_known_profiles[] = { - { - "SRTP_AES128_CM_SHA1_80", - SRTP_AES128_CM_SHA1_80, - }, - { - "SRTP_AES128_CM_SHA1_32", - SRTP_AES128_CM_SHA1_32, - }, - {0} -}; - -static int -find_profile_by_name(char *profile_name, SRTP_PROTECTION_PROFILE **pptr, - unsigned len) -{ - SRTP_PROTECTION_PROFILE *p; - - p = srtp_known_profiles; - while (p->name) { - if ((len == strlen(p->name)) && - !strncmp(p->name, profile_name, len)) { - *pptr = p; - return 0; - } - - p++; - } - - return 1; -} - -static int -find_profile_by_num(unsigned profile_num, SRTP_PROTECTION_PROFILE **pptr) -{ - SRTP_PROTECTION_PROFILE *p; - - p = srtp_known_profiles; - while (p->name) { - if (p->id == profile_num) { - *pptr = p; - return 0; - } - p++; - } - - return 1; -} - -static int -ssl_ctx_make_profiles(const char *profiles_string, - STACK_OF(SRTP_PROTECTION_PROFILE) **out) -{ - STACK_OF(SRTP_PROTECTION_PROFILE) *profiles; - - char *col; - char *ptr = (char *)profiles_string; - - SRTP_PROTECTION_PROFILE *p; - - if (!(profiles = sk_SRTP_PROTECTION_PROFILE_new_null())) { - SSLerr(SSL_F_SSL_CTX_MAKE_PROFILES, - SSL_R_SRTP_COULD_NOT_ALLOCATE_PROFILES); - return 1; - } - - do { - col = strchr(ptr, ':'); - - if (!find_profile_by_name(ptr, &p, - col ? col - ptr : (int)strlen(ptr))) { - sk_SRTP_PROTECTION_PROFILE_push(profiles, p); - } else { - SSLerr(SSL_F_SSL_CTX_MAKE_PROFILES, - SSL_R_SRTP_UNKNOWN_PROTECTION_PROFILE); - sk_SRTP_PROTECTION_PROFILE_free(profiles); - return 1; - } - - if (col) - ptr = col + 1; - } while (col); - - *out = profiles; - - return 0; -} - -int -SSL_CTX_set_tlsext_use_srtp(SSL_CTX *ctx, const char *profiles) -{ - return ssl_ctx_make_profiles(profiles, &ctx->srtp_profiles); -} - -int -SSL_set_tlsext_use_srtp(SSL *s, const char *profiles) -{ - return ssl_ctx_make_profiles(profiles, &s->srtp_profiles); -} - - -STACK_OF(SRTP_PROTECTION_PROFILE) * -SSL_get_srtp_profiles(SSL *s) -{ - if (s != NULL) { - if (s->srtp_profiles != NULL) { - return s->srtp_profiles; - } else if ((s->ctx != NULL) && - (s->ctx->srtp_profiles != NULL)) { - return s->ctx->srtp_profiles; - } - } - - return NULL; -} - -SRTP_PROTECTION_PROFILE * -SSL_get_selected_srtp_profile(SSL *s) -{ - return s->srtp_profile; -} - -/* Note: this function returns 0 length if there are no - profiles specified */ -int -ssl_add_clienthello_use_srtp_ext(SSL *s, unsigned char *p, int *len, int maxlen) -{ - int ct = 0; - int i; - STACK_OF(SRTP_PROTECTION_PROFILE) *clnt = 0; - SRTP_PROTECTION_PROFILE *prof; - - clnt = SSL_get_srtp_profiles(s); - - ct = sk_SRTP_PROTECTION_PROFILE_num(clnt); /* -1 if clnt == 0 */ - - if (p) { - if (ct == 0) { - SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_USE_SRTP_EXT, - SSL_R_EMPTY_SRTP_PROTECTION_PROFILE_LIST); - return 1; - } - - if ((2 + ct * 2 + 1) > maxlen) { - SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_USE_SRTP_EXT, - SSL_R_SRTP_PROTECTION_PROFILE_LIST_TOO_LONG); - return 1; - } - - /* Add the length */ - s2n(ct * 2, p); - for (i = 0; i < ct; i++) { - prof = sk_SRTP_PROTECTION_PROFILE_value(clnt, i); - s2n(prof->id, p); - } - - /* Add an empty use_mki value */ - *p++ = 0; - } - - *len = 2 + ct*2 + 1; - - return 0; -} - - -int -ssl_parse_clienthello_use_srtp_ext(SSL *s, const unsigned char *d, int len, - int *al) -{ - SRTP_PROTECTION_PROFILE *cprof, *sprof; - STACK_OF(SRTP_PROTECTION_PROFILE) *clnt = 0, *srvr; - int i, j; - int ret = 1; - uint16_t id; - CBS cbs, ciphers, mki; - - if (len < 0) { - SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_USE_SRTP_EXT, - SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); - *al = SSL_AD_DECODE_ERROR; - goto done; - } - - CBS_init(&cbs, d, len); - /* Pull off the cipher suite list */ - if (!CBS_get_u16_length_prefixed(&cbs, &ciphers) || - CBS_len(&ciphers) % 2) { - SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_USE_SRTP_EXT, - SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); - *al = SSL_AD_DECODE_ERROR; - goto done; - } - - clnt = sk_SRTP_PROTECTION_PROFILE_new_null(); - - while (CBS_len(&ciphers) > 0) { - if (!CBS_get_u16(&ciphers, &id)) { - SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_USE_SRTP_EXT, - SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); - *al = SSL_AD_DECODE_ERROR; - goto done; - } - - if (!find_profile_by_num(id, &cprof)) - sk_SRTP_PROTECTION_PROFILE_push(clnt, cprof); - else - ; /* Ignore */ - } - - /* Extract the MKI value as a sanity check, but discard it for now. */ - if (!CBS_get_u8_length_prefixed(&cbs, &mki) || - CBS_len(&cbs) != 0) { - SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_USE_SRTP_EXT, - SSL_R_BAD_SRTP_MKI_VALUE); - *al = SSL_AD_DECODE_ERROR; - goto done; - } - - srvr = SSL_get_srtp_profiles(s); - - /* - * Pick our most preferred profile. If no profiles have been - * configured then the outer loop doesn't run - * (sk_SRTP_PROTECTION_PROFILE_num() = -1) - * and so we just return without doing anything. - */ - for (i = 0; i < sk_SRTP_PROTECTION_PROFILE_num(srvr); i++) { - sprof = sk_SRTP_PROTECTION_PROFILE_value(srvr, i); - - for (j = 0; j < sk_SRTP_PROTECTION_PROFILE_num(clnt); j++) { - cprof = sk_SRTP_PROTECTION_PROFILE_value(clnt, j); - - if (cprof->id == sprof->id) { - s->srtp_profile = sprof; - *al = 0; - ret = 0; - goto done; - } - } - } - - ret = 0; - -done: - if (clnt) - sk_SRTP_PROTECTION_PROFILE_free(clnt); - - return ret; -} - -int -ssl_add_serverhello_use_srtp_ext(SSL *s, unsigned char *p, int *len, int maxlen) -{ - if (p) { - if (maxlen < 5) { - SSLerr(SSL_F_SSL_ADD_SERVERHELLO_USE_SRTP_EXT, - SSL_R_SRTP_PROTECTION_PROFILE_LIST_TOO_LONG); - return 1; - } - - if (s->srtp_profile == 0) { - SSLerr(SSL_F_SSL_ADD_SERVERHELLO_USE_SRTP_EXT, - SSL_R_USE_SRTP_NOT_NEGOTIATED); - return 1; - } - s2n(2, p); - s2n(s->srtp_profile->id, p); - *p++ = 0; - } - *len = 5; - - return 0; -} - - -int -ssl_parse_serverhello_use_srtp_ext(SSL *s, const unsigned char *d, int len, int *al) -{ - STACK_OF(SRTP_PROTECTION_PROFILE) *clnt; - SRTP_PROTECTION_PROFILE *prof; - int i; - uint16_t id; - CBS cbs, profile_ids, mki; - - if (len < 0) { - SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_USE_SRTP_EXT, - SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); - *al = SSL_AD_DECODE_ERROR; - return 1; - } - - CBS_init(&cbs, d, len); - - /* - * As per RFC 5764 section 4.1.1, server response MUST be a single - * profile id. - */ - if (!CBS_get_u16_length_prefixed(&cbs, &profile_ids) || - !CBS_get_u16(&profile_ids, &id) || CBS_len(&profile_ids) != 0) { - SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_USE_SRTP_EXT, - SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); - *al = SSL_AD_DECODE_ERROR; - return 1; - } - - /* Must be no MKI, since we never offer one. */ - if (!CBS_get_u8_length_prefixed(&cbs, &mki) || CBS_len(&mki) != 0) { - SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_USE_SRTP_EXT, - SSL_R_BAD_SRTP_MKI_VALUE); - *al = SSL_AD_ILLEGAL_PARAMETER; - return 1; - } - - clnt = SSL_get_srtp_profiles(s); - - /* Throw an error if the server gave us an unsolicited extension. */ - if (clnt == NULL) { - SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_USE_SRTP_EXT, - SSL_R_NO_SRTP_PROFILES); - *al = SSL_AD_DECODE_ERROR; - return 1; - } - - /* - * Check to see if the server gave us something we support - * (and presumably offered). - */ - for (i = 0; i < sk_SRTP_PROTECTION_PROFILE_num(clnt); i++) { - prof = sk_SRTP_PROTECTION_PROFILE_value(clnt, i); - - if (prof->id == id) { - s->srtp_profile = prof; - *al = 0; - return 0; - } - } - - SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_USE_SRTP_EXT, - SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); - *al = SSL_AD_DECODE_ERROR; - return 1; -} - -#endif diff --git a/lib/libssl/src/ssl/d1_srvr.c b/lib/libssl/src/ssl/d1_srvr.c deleted file mode 100644 index f6664237aee..00000000000 --- a/lib/libssl/src/ssl/d1_srvr.c +++ /dev/null @@ -1,751 +0,0 @@ -/* $OpenBSD: d1_srvr.c,v 1.67 2015/09/13 09:20:19 jsing Exp $ */ -/* - * DTLS implementation written by Nagendra Modadugu - * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. - */ -/* ==================================================================== - * Copyright (c) 1999-2007 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * openssl-core@OpenSSL.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ -/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) - * All rights reserved. - * - * This package is an SSL implementation written - * by Eric Young (eay@cryptsoft.com). - * The implementation was written so as to conform with Netscapes SSL. - * - * This library is free for commercial and non-commercial use as long as - * the following conditions are aheared to. The following conditions - * apply to all code found in this distribution, be it the RC4, RSA, - * lhash, DES, etc., code; not just the SSL code. The SSL documentation - * included with this distribution is covered by the same copyright terms - * except that the holder is Tim Hudson (tjh@cryptsoft.com). - * - * Copyright remains Eric Young's, and as such any Copyright notices in - * the code are not to be removed. - * If this package is used in a product, Eric Young should be given attribution - * as the author of the parts of the library used. - * This can be in the form of a textual message at program startup or - * in documentation (online or textual) provided with the package. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * "This product includes cryptographic software written by - * Eric Young (eay@cryptsoft.com)" - * The word 'cryptographic' can be left out if the rouines from the library - * being used are not cryptographic related :-). - * 4. If you include any Windows specific code (or a derivative thereof) from - * the apps directory (application code) you must include an acknowledgement: - * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" - * - * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * The licence and distribution terms for any publically available version or - * derivative of this code cannot be changed. i.e. this code cannot simply be - * copied and put under another distribution licence - * [including the GNU Public Licence.] - */ - -#include <stdio.h> - -#include "ssl_locl.h" - -#include <openssl/bn.h> -#include <openssl/buffer.h> -#include <openssl/dh.h> -#include <openssl/evp.h> -#include <openssl/md5.h> -#include <openssl/objects.h> -#include <openssl/x509.h> - -static const SSL_METHOD *dtls1_get_server_method(int ver); -static int dtls1_send_hello_verify_request(SSL *s); - -const SSL_METHOD DTLSv1_server_method_data = { - .version = DTLS1_VERSION, - .ssl_new = dtls1_new, - .ssl_clear = dtls1_clear, - .ssl_free = dtls1_free, - .ssl_accept = dtls1_accept, - .ssl_connect = ssl_undefined_function, - .ssl_read = ssl3_read, - .ssl_peek = ssl3_peek, - .ssl_write = ssl3_write, - .ssl_shutdown = dtls1_shutdown, - .ssl_renegotiate = ssl3_renegotiate, - .ssl_renegotiate_check = ssl3_renegotiate_check, - .ssl_get_message = dtls1_get_message, - .ssl_read_bytes = dtls1_read_bytes, - .ssl_write_bytes = dtls1_write_app_data_bytes, - .ssl_dispatch_alert = dtls1_dispatch_alert, - .ssl_ctrl = dtls1_ctrl, - .ssl_ctx_ctrl = ssl3_ctx_ctrl, - .get_cipher_by_char = ssl3_get_cipher_by_char, - .put_cipher_by_char = ssl3_put_cipher_by_char, - .ssl_pending = ssl3_pending, - .num_ciphers = ssl3_num_ciphers, - .get_cipher = dtls1_get_cipher, - .get_ssl_method = dtls1_get_server_method, - .get_timeout = dtls1_default_timeout, - .ssl3_enc = &DTLSv1_enc_data, - .ssl_version = ssl_undefined_void_function, - .ssl_callback_ctrl = ssl3_callback_ctrl, - .ssl_ctx_callback_ctrl = ssl3_ctx_callback_ctrl, -}; - -const SSL_METHOD * -DTLSv1_server_method(void) -{ - return &DTLSv1_server_method_data; -} - -static const SSL_METHOD * -dtls1_get_server_method(int ver) -{ - if (ver == DTLS1_VERSION) - return (DTLSv1_server_method()); - return (NULL); -} - -int -dtls1_accept(SSL *s) -{ - void (*cb)(const SSL *ssl, int type, int val) = NULL; - unsigned long alg_k; - int ret = -1; - int new_state, state, skip = 0; - int listen; - - ERR_clear_error(); - errno = 0; - - if (s->info_callback != NULL) - cb = s->info_callback; - else if (s->ctx->info_callback != NULL) - cb = s->ctx->info_callback; - - listen = s->d1->listen; - - /* init things to blank */ - s->in_handshake++; - if (!SSL_in_init(s) || SSL_in_before(s)) - SSL_clear(s); - - s->d1->listen = listen; - - if (s->cert == NULL) { - SSLerr(SSL_F_DTLS1_ACCEPT, SSL_R_NO_CERTIFICATE_SET); - ret = -1; - goto end; - } - - for (;;) { - state = s->state; - - switch (s->state) { - case SSL_ST_RENEGOTIATE: - s->renegotiate = 1; - /* s->state=SSL_ST_ACCEPT; */ - - case SSL_ST_BEFORE: - case SSL_ST_ACCEPT: - case SSL_ST_BEFORE|SSL_ST_ACCEPT: - case SSL_ST_OK|SSL_ST_ACCEPT: - - s->server = 1; - if (cb != NULL) - cb(s, SSL_CB_HANDSHAKE_START, 1); - - if ((s->version & 0xff00) != (DTLS1_VERSION & 0xff00)) { - SSLerr(SSL_F_DTLS1_ACCEPT, ERR_R_INTERNAL_ERROR); - ret = -1; - goto end; - } - s->type = SSL_ST_ACCEPT; - - if (!ssl3_setup_init_buffer(s)) { - ret = -1; - goto end; - } - if (!ssl3_setup_buffers(s)) { - ret = -1; - goto end; - } - - s->init_num = 0; - - if (s->state != SSL_ST_RENEGOTIATE) { - /* Ok, we now need to push on a buffering BIO so that - * the output is sent in a way that TCP likes :-) - * ...but not with SCTP :-) - */ - if (!ssl_init_wbio_buffer(s, 1)) { - ret = -1; - goto end; - } - - if (!tls1_init_finished_mac(s)) { - ret = -1; - goto end; - } - - s->state = SSL3_ST_SR_CLNT_HELLO_A; - s->ctx->stats.sess_accept++; - } else { - /* s->state == SSL_ST_RENEGOTIATE, - * we will just send a HelloRequest */ - s->ctx->stats.sess_accept_renegotiate++; - s->state = SSL3_ST_SW_HELLO_REQ_A; - } - - break; - - case SSL3_ST_SW_HELLO_REQ_A: - case SSL3_ST_SW_HELLO_REQ_B: - - s->shutdown = 0; - dtls1_clear_record_buffer(s); - dtls1_start_timer(s); - ret = ssl3_send_hello_request(s); - if (ret <= 0) - goto end; - s->s3->tmp.next_state = SSL3_ST_SR_CLNT_HELLO_A; - s->state = SSL3_ST_SW_FLUSH; - s->init_num = 0; - - if (!tls1_init_finished_mac(s)) { - ret = -1; - goto end; - } - break; - - case SSL3_ST_SW_HELLO_REQ_C: - s->state = SSL_ST_OK; - break; - - case SSL3_ST_SR_CLNT_HELLO_A: - case SSL3_ST_SR_CLNT_HELLO_B: - case SSL3_ST_SR_CLNT_HELLO_C: - - s->shutdown = 0; - ret = ssl3_get_client_hello(s); - if (ret <= 0) - goto end; - dtls1_stop_timer(s); - - if (ret == 1 && (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE)) - s->state = DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A; - else - s->state = SSL3_ST_SW_SRVR_HELLO_A; - - s->init_num = 0; - - /* Reflect ClientHello sequence to remain stateless while listening */ - if (listen) { - memcpy(s->s3->write_sequence, s->s3->read_sequence, sizeof(s->s3->write_sequence)); - } - - /* If we're just listening, stop here */ - if (listen && s->state == SSL3_ST_SW_SRVR_HELLO_A) { - ret = 2; - s->d1->listen = 0; - /* Set expected sequence numbers - * to continue the handshake. - */ - s->d1->handshake_read_seq = 2; - s->d1->handshake_write_seq = 1; - s->d1->next_handshake_write_seq = 1; - goto end; - } - - break; - - case DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A: - case DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B: - - ret = dtls1_send_hello_verify_request(s); - if (ret <= 0) - goto end; - s->state = SSL3_ST_SW_FLUSH; - s->s3->tmp.next_state = SSL3_ST_SR_CLNT_HELLO_A; - - /* HelloVerifyRequest resets Finished MAC */ - if (!tls1_init_finished_mac(s)) { - ret = -1; - goto end; - } - break; - - - case SSL3_ST_SW_SRVR_HELLO_A: - case SSL3_ST_SW_SRVR_HELLO_B: - s->renegotiate = 2; - dtls1_start_timer(s); - ret = ssl3_send_server_hello(s); - if (ret <= 0) - goto end; - - if (s->hit) { - if (s->tlsext_ticket_expected) - s->state = SSL3_ST_SW_SESSION_TICKET_A; - else - s->state = SSL3_ST_SW_CHANGE_A; - } else - s->state = SSL3_ST_SW_CERT_A; - s->init_num = 0; - break; - - case SSL3_ST_SW_CERT_A: - case SSL3_ST_SW_CERT_B: - /* Check if it is anon DH. */ - if (!(s->s3->tmp.new_cipher->algorithm_auth & - SSL_aNULL)) { - dtls1_start_timer(s); - ret = dtls1_send_server_certificate(s); - if (ret <= 0) - goto end; - if (s->tlsext_status_expected) - s->state = SSL3_ST_SW_CERT_STATUS_A; - else - s->state = SSL3_ST_SW_KEY_EXCH_A; - } else { - skip = 1; - s->state = SSL3_ST_SW_KEY_EXCH_A; - } - s->init_num = 0; - break; - - case SSL3_ST_SW_KEY_EXCH_A: - case SSL3_ST_SW_KEY_EXCH_B: - alg_k = s->s3->tmp.new_cipher->algorithm_mkey; - - /* Only send if using a DH key exchange. */ - if (alg_k & (SSL_kDHE|SSL_kECDHE)) { - dtls1_start_timer(s); - ret = ssl3_send_server_key_exchange(s); - if (ret <= 0) - goto end; - } else - skip = 1; - - s->state = SSL3_ST_SW_CERT_REQ_A; - s->init_num = 0; - break; - - case SSL3_ST_SW_CERT_REQ_A: - case SSL3_ST_SW_CERT_REQ_B: - /* - * Determine whether or not we need to request a - * certificate. - * - * Do not request a certificate if: - * - * - We did not ask for it (SSL_VERIFY_PEER is unset). - * - * - SSL_VERIFY_CLIENT_ONCE is set and we are - * renegotiating. - * - * - We are using an anonymous ciphersuites - * (see section "Certificate request" in SSL 3 drafts - * and in RFC 2246) ... except when the application - * insists on verification (against the specs, but - * s3_clnt.c accepts this for SSL 3). - */ - if (!(s->verify_mode & SSL_VERIFY_PEER) || - ((s->session->peer != NULL) && - (s->verify_mode & SSL_VERIFY_CLIENT_ONCE)) || - ((s->s3->tmp.new_cipher->algorithm_auth & - SSL_aNULL) && !(s->verify_mode & - SSL_VERIFY_FAIL_IF_NO_PEER_CERT))) { - /* no cert request */ - skip = 1; - s->s3->tmp.cert_request = 0; - s->state = SSL3_ST_SW_SRVR_DONE_A; - } else { - s->s3->tmp.cert_request = 1; - dtls1_start_timer(s); - ret = ssl3_send_certificate_request(s); - if (ret <= 0) - goto end; - s->state = SSL3_ST_SW_SRVR_DONE_A; - s->init_num = 0; - } - break; - - case SSL3_ST_SW_SRVR_DONE_A: - case SSL3_ST_SW_SRVR_DONE_B: - dtls1_start_timer(s); - ret = ssl3_send_server_done(s); - if (ret <= 0) - goto end; - s->s3->tmp.next_state = SSL3_ST_SR_CERT_A; - s->state = SSL3_ST_SW_FLUSH; - s->init_num = 0; - break; - - case SSL3_ST_SW_FLUSH: - s->rwstate = SSL_WRITING; - if (BIO_flush(s->wbio) <= 0) { - /* If the write error was fatal, stop trying */ - if (!BIO_should_retry(s->wbio)) { - s->rwstate = SSL_NOTHING; - s->state = s->s3->tmp.next_state; - } - - ret = -1; - goto end; - } - s->rwstate = SSL_NOTHING; - s->state = s->s3->tmp.next_state; - break; - - case SSL3_ST_SR_CERT_A: - case SSL3_ST_SR_CERT_B: - if (s->s3->tmp.cert_request) { - ret = ssl3_get_client_certificate(s); - if (ret <= 0) - goto end; - } - s->init_num = 0; - s->state = SSL3_ST_SR_KEY_EXCH_A; - break; - - case SSL3_ST_SR_KEY_EXCH_A: - case SSL3_ST_SR_KEY_EXCH_B: - ret = ssl3_get_client_key_exchange(s); - if (ret <= 0) - goto end; - - s->state = SSL3_ST_SR_CERT_VRFY_A; - s->init_num = 0; - - if (ret == 2) { - /* For the ECDH ciphersuites when - * the client sends its ECDH pub key in - * a certificate, the CertificateVerify - * message is not sent. - */ - s->state = SSL3_ST_SR_FINISHED_A; - s->init_num = 0; - } else if (SSL_USE_SIGALGS(s)) { - s->state = SSL3_ST_SR_CERT_VRFY_A; - s->init_num = 0; - if (!s->session->peer) - break; - - /* - * For sigalgs freeze the handshake buffer - * at this point and digest cached records. - */ - if (!s->s3->handshake_buffer) { - SSLerr(SSL_F_SSL3_ACCEPT, - ERR_R_INTERNAL_ERROR); - ret = -1; - goto end; - } - s->s3->flags |= TLS1_FLAGS_KEEP_HANDSHAKE; - if (!tls1_digest_cached_records(s)) { - ret = -1; - goto end; - } - } else { - s->state = SSL3_ST_SR_CERT_VRFY_A; - s->init_num = 0; - - /* We need to get hashes here so if there is - * a client cert, it can be verified */ - s->method->ssl3_enc->cert_verify_mac(s, - NID_md5, &(s->s3->tmp.cert_verify_md[0])); - s->method->ssl3_enc->cert_verify_mac(s, - NID_sha1, - &(s->s3->tmp.cert_verify_md[MD5_DIGEST_LENGTH])); - } - break; - - case SSL3_ST_SR_CERT_VRFY_A: - case SSL3_ST_SR_CERT_VRFY_B: - - s->d1->change_cipher_spec_ok = 1; - /* we should decide if we expected this one */ - ret = ssl3_get_cert_verify(s); - if (ret <= 0) - goto end; - s->state = SSL3_ST_SR_FINISHED_A; - s->init_num = 0; - break; - - case SSL3_ST_SR_FINISHED_A: - case SSL3_ST_SR_FINISHED_B: - s->d1->change_cipher_spec_ok = 1; - ret = ssl3_get_finished(s, SSL3_ST_SR_FINISHED_A, - SSL3_ST_SR_FINISHED_B); - if (ret <= 0) - goto end; - dtls1_stop_timer(s); - if (s->hit) - s->state = SSL_ST_OK; - else if (s->tlsext_ticket_expected) - s->state = SSL3_ST_SW_SESSION_TICKET_A; - else - s->state = SSL3_ST_SW_CHANGE_A; - s->init_num = 0; - break; - - case SSL3_ST_SW_SESSION_TICKET_A: - case SSL3_ST_SW_SESSION_TICKET_B: - ret = ssl3_send_newsession_ticket(s); - if (ret <= 0) - goto end; - s->state = SSL3_ST_SW_CHANGE_A; - s->init_num = 0; - break; - - case SSL3_ST_SW_CERT_STATUS_A: - case SSL3_ST_SW_CERT_STATUS_B: - ret = ssl3_send_cert_status(s); - if (ret <= 0) - goto end; - s->state = SSL3_ST_SW_KEY_EXCH_A; - s->init_num = 0; - break; - - - case SSL3_ST_SW_CHANGE_A: - case SSL3_ST_SW_CHANGE_B: - - s->session->cipher = s->s3->tmp.new_cipher; - if (!s->method->ssl3_enc->setup_key_block(s)) { - ret = -1; - goto end; - } - - ret = dtls1_send_change_cipher_spec(s, - SSL3_ST_SW_CHANGE_A, SSL3_ST_SW_CHANGE_B); - - if (ret <= 0) - goto end; - - - s->state = SSL3_ST_SW_FINISHED_A; - s->init_num = 0; - - if (!s->method->ssl3_enc->change_cipher_state(s, - SSL3_CHANGE_CIPHER_SERVER_WRITE)) { - ret = -1; - goto end; - } - - dtls1_reset_seq_numbers(s, SSL3_CC_WRITE); - break; - - case SSL3_ST_SW_FINISHED_A: - case SSL3_ST_SW_FINISHED_B: - ret = ssl3_send_finished(s, - SSL3_ST_SW_FINISHED_A, SSL3_ST_SW_FINISHED_B, - s->method->ssl3_enc->server_finished_label, - s->method->ssl3_enc->server_finished_label_len); - if (ret <= 0) - goto end; - s->state = SSL3_ST_SW_FLUSH; - if (s->hit) { - s->s3->tmp.next_state = SSL3_ST_SR_FINISHED_A; - - } else { - s->s3->tmp.next_state = SSL_ST_OK; - } - s->init_num = 0; - break; - - case SSL_ST_OK: - /* clean a few things up */ - tls1_cleanup_key_block(s); - - /* remove buffering on output */ - ssl_free_wbio_buffer(s); - - s->init_num = 0; - - if (s->renegotiate == 2) /* skipped if we just sent a HelloRequest */ - { - s->renegotiate = 0; - s->new_session = 0; - - ssl_update_cache(s, SSL_SESS_CACHE_SERVER); - - s->ctx->stats.sess_accept_good++; - /* s->server=1; */ - s->handshake_func = dtls1_accept; - - if (cb != NULL) - cb(s, SSL_CB_HANDSHAKE_DONE, 1); - } - - ret = 1; - - /* done handshaking, next message is client hello */ - s->d1->handshake_read_seq = 0; - /* next message is server hello */ - s->d1->handshake_write_seq = 0; - s->d1->next_handshake_write_seq = 0; - goto end; - /* break; */ - - default: - SSLerr(SSL_F_DTLS1_ACCEPT, SSL_R_UNKNOWN_STATE); - ret = -1; - goto end; - /* break; */ - } - - if (!s->s3->tmp.reuse_message && !skip) { - if (s->debug) { - if ((ret = BIO_flush(s->wbio)) <= 0) - goto end; - } - - if ((cb != NULL) && (s->state != state)) { - new_state = s->state; - s->state = state; - cb(s, SSL_CB_ACCEPT_LOOP, 1); - s->state = new_state; - } - } - skip = 0; - } -end: - /* BIO_flush(s->wbio); */ - - s->in_handshake--; - - if (cb != NULL) - cb(s, SSL_CB_ACCEPT_EXIT, ret); - - return (ret); -} - -int -dtls1_send_hello_verify_request(SSL *s) -{ - unsigned char *d, *p; - - if (s->state == DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A) { - d = p = ssl3_handshake_msg_start(s, - DTLS1_MT_HELLO_VERIFY_REQUEST); - - *(p++) = s->version >> 8; - *(p++) = s->version & 0xFF; - - if (s->ctx->app_gen_cookie_cb == NULL || - s->ctx->app_gen_cookie_cb(s, s->d1->cookie, - &(s->d1->cookie_len)) == 0) { - SSLerr(SSL_F_DTLS1_SEND_HELLO_VERIFY_REQUEST, - ERR_R_INTERNAL_ERROR); - return 0; - } - - *(p++) = (unsigned char) s->d1->cookie_len; - memcpy(p, s->d1->cookie, s->d1->cookie_len); - p += s->d1->cookie_len; - - ssl3_handshake_msg_finish(s, p - d); - - s->state = DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B; - } - - /* s->state = DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B */ - return (ssl3_handshake_write(s)); -} - -int -dtls1_send_server_certificate(SSL *s) -{ - unsigned long l; - X509 *x; - - if (s->state == SSL3_ST_SW_CERT_A) { - x = ssl_get_server_send_cert(s); - if (x == NULL) { - SSLerr(SSL_F_DTLS1_SEND_SERVER_CERTIFICATE, - ERR_R_INTERNAL_ERROR); - return (0); - } - - l = dtls1_output_cert_chain(s, x); - s->state = SSL3_ST_SW_CERT_B; - s->init_num = (int)l; - s->init_off = 0; - - /* buffer the message to handle re-xmits */ - dtls1_buffer_message(s, 0); - } - - /* SSL3_ST_SW_CERT_B */ - return (dtls1_do_write(s, SSL3_RT_HANDSHAKE)); -} diff --git a/lib/libssl/src/ssl/dtls1.h b/lib/libssl/src/ssl/dtls1.h deleted file mode 100644 index 5aed28e99af..00000000000 --- a/lib/libssl/src/ssl/dtls1.h +++ /dev/null @@ -1,245 +0,0 @@ -/* $OpenBSD: dtls1.h,v 1.18 2015/09/10 17:57:50 jsing Exp $ */ -/* - * DTLS implementation written by Nagendra Modadugu - * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. - */ -/* ==================================================================== - * Copyright (c) 1999-2005 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * openssl-core@OpenSSL.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ - -#ifndef HEADER_DTLS1_H -#define HEADER_DTLS1_H - -#include <sys/time.h> - -#include <stdio.h> -#include <stdlib.h> -#include <string.h> - -#include <openssl/buffer.h> - -#ifdef __cplusplus -extern "C" { -#endif - -#define DTLS1_VERSION 0xFEFF - -/* lengths of messages */ -#define DTLS1_COOKIE_LENGTH 256 - -#define DTLS1_RT_HEADER_LENGTH 13 - -#define DTLS1_HM_HEADER_LENGTH 12 - -#define DTLS1_HM_BAD_FRAGMENT -2 -#define DTLS1_HM_FRAGMENT_RETRY -3 - -#define DTLS1_CCS_HEADER_LENGTH 1 - -#ifdef DTLS1_AD_MISSING_HANDSHAKE_MESSAGE -#define DTLS1_AL_HEADER_LENGTH 7 -#else -#define DTLS1_AL_HEADER_LENGTH 2 -#endif - -#ifndef OPENSSL_NO_SSL_INTERN - - -typedef struct dtls1_bitmap_st { - unsigned long map; /* track 32 packets on 32-bit systems - and 64 - on 64-bit systems */ - unsigned char max_seq_num[8]; /* max record number seen so far, - 64-bit value in big-endian - encoding */ -} DTLS1_BITMAP; - -struct dtls1_retransmit_state { - EVP_CIPHER_CTX *enc_write_ctx; /* cryptographic state */ - EVP_MD_CTX *write_hash; /* used for mac generation */ - SSL_SESSION *session; - unsigned short epoch; -}; - -struct hm_header_st { - unsigned char type; - unsigned long msg_len; - unsigned short seq; - unsigned long frag_off; - unsigned long frag_len; - unsigned int is_ccs; - struct dtls1_retransmit_state saved_retransmit_state; -}; - -struct ccs_header_st { - unsigned char type; - unsigned short seq; -}; - -struct dtls1_timeout_st { - /* Number of read timeouts so far */ - unsigned int read_timeouts; - - /* Number of write timeouts so far */ - unsigned int write_timeouts; - - /* Number of alerts received so far */ - unsigned int num_alerts; -}; - -struct _pqueue; - -typedef struct record_pqueue_st { - unsigned short epoch; - struct _pqueue *q; -} record_pqueue; - -typedef struct hm_fragment_st { - struct hm_header_st msg_header; - unsigned char *fragment; - unsigned char *reassembly; -} hm_fragment; - -typedef struct dtls1_state_st { - unsigned int send_cookie; - unsigned char cookie[DTLS1_COOKIE_LENGTH]; - unsigned char rcvd_cookie[DTLS1_COOKIE_LENGTH]; - unsigned int cookie_len; - - /* - * The current data and handshake epoch. This is initially - * undefined, and starts at zero once the initial handshake is - * completed - */ - unsigned short r_epoch; - unsigned short w_epoch; - - /* records being received in the current epoch */ - DTLS1_BITMAP bitmap; - - /* renegotiation starts a new set of sequence numbers */ - DTLS1_BITMAP next_bitmap; - - /* handshake message numbers */ - unsigned short handshake_write_seq; - unsigned short next_handshake_write_seq; - - unsigned short handshake_read_seq; - - /* save last sequence number for retransmissions */ - unsigned char last_write_sequence[8]; - - /* Received handshake records (processed and unprocessed) */ - record_pqueue unprocessed_rcds; - record_pqueue processed_rcds; - - /* Buffered handshake messages */ - struct _pqueue *buffered_messages; - - /* Buffered (sent) handshake records */ - struct _pqueue *sent_messages; - - /* Buffered application records. - * Only for records between CCS and Finished - * to prevent either protocol violation or - * unnecessary message loss. - */ - record_pqueue buffered_app_data; - - /* Is set when listening for new connections with dtls1_listen() */ - unsigned int listen; - - unsigned int mtu; /* max DTLS packet size */ - - struct hm_header_st w_msg_hdr; - struct hm_header_st r_msg_hdr; - - struct dtls1_timeout_st timeout; - - /* Indicates when the last handshake msg or heartbeat sent will timeout */ - struct timeval next_timeout; - - /* Timeout duration */ - unsigned short timeout_duration; - - /* storage for Alert/Handshake protocol data received but not - * yet processed by ssl3_read_bytes: */ - unsigned char alert_fragment[DTLS1_AL_HEADER_LENGTH]; - unsigned int alert_fragment_len; - unsigned char handshake_fragment[DTLS1_HM_HEADER_LENGTH]; - unsigned int handshake_fragment_len; - - unsigned int retransmitting; - unsigned int change_cipher_spec_ok; - - -} DTLS1_STATE; - -typedef struct dtls1_record_data_st { - unsigned char *packet; - unsigned int packet_length; - SSL3_BUFFER rbuf; - SSL3_RECORD rrec; -} DTLS1_RECORD_DATA; - -#endif - -/* Timeout multipliers (timeout slice is defined in apps/timeouts.h */ -#define DTLS1_TMO_READ_COUNT 2 -#define DTLS1_TMO_WRITE_COUNT 2 - -#define DTLS1_TMO_ALERT_COUNT 12 - -#ifdef __cplusplus -} -#endif -#endif diff --git a/lib/libssl/src/ssl/pqueue.c b/lib/libssl/src/ssl/pqueue.c deleted file mode 100644 index 602969deb0d..00000000000 --- a/lib/libssl/src/ssl/pqueue.c +++ /dev/null @@ -1,201 +0,0 @@ -/* $OpenBSD: pqueue.c,v 1.5 2014/06/12 15:49:31 deraadt Exp $ */ -/* - * DTLS implementation written by Nagendra Modadugu - * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. - */ -/* ==================================================================== - * Copyright (c) 1999-2005 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * openssl-core@OpenSSL.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ - -#include <stdlib.h> -#include <string.h> - -#include "pqueue.h" - -typedef struct _pqueue { - pitem *items; - int count; -} pqueue_s; - -pitem * -pitem_new(unsigned char *prio64be, void *data) -{ - pitem *item = malloc(sizeof(pitem)); - - if (item == NULL) - return NULL; - - memcpy(item->priority, prio64be, sizeof(item->priority)); - - item->data = data; - item->next = NULL; - - return item; -} - -void -pitem_free(pitem *item) -{ - free(item); -} - -pqueue_s * -pqueue_new(void) -{ - return calloc(1, sizeof(pqueue_s)); -} - -void -pqueue_free(pqueue_s *pq) -{ - free(pq); -} - -pitem * -pqueue_insert(pqueue_s *pq, pitem *item) -{ - pitem *curr, *next; - - if (pq->items == NULL) { - pq->items = item; - return item; - } - - for (curr = NULL, next = pq->items; next != NULL; - curr = next, next = next->next) { - /* we can compare 64-bit value in big-endian encoding - * with memcmp:-) */ - int cmp = memcmp(next->priority, item->priority, - sizeof(item->priority)); - if (cmp > 0) { /* next > item */ - item->next = next; - - if (curr == NULL) - pq->items = item; - else - curr->next = item; - - return item; - } else if (cmp == 0) /* duplicates not allowed */ - return NULL; - } - - item->next = NULL; - curr->next = item; - - return item; -} - -pitem * -pqueue_peek(pqueue_s *pq) -{ - return pq->items; -} - -pitem * -pqueue_pop(pqueue_s *pq) -{ - pitem *item = pq->items; - - if (pq->items != NULL) - pq->items = pq->items->next; - - return item; -} - -pitem * -pqueue_find(pqueue_s *pq, unsigned char *prio64be) -{ - pitem *next; - - for (next = pq->items; next != NULL; next = next->next) - if (memcmp(next->priority, prio64be, - sizeof(next->priority)) == 0) - return next; - - return NULL; -} - -pitem * -pqueue_iterator(pqueue_s *pq) -{ - return pqueue_peek(pq); -} - -pitem * -pqueue_next(pitem **item) -{ - pitem *ret; - - if (item == NULL || *item == NULL) - return NULL; - - /* *item != NULL */ - ret = *item; - *item = (*item)->next; - - return ret; -} - -int -pqueue_size(pqueue_s *pq) -{ - pitem *item = pq->items; - int count = 0; - - while (item != NULL) { - count++; - item = item->next; - } - return count; -} diff --git a/lib/libssl/src/ssl/pqueue.h b/lib/libssl/src/ssl/pqueue.h deleted file mode 100644 index 0d7ddc04e2c..00000000000 --- a/lib/libssl/src/ssl/pqueue.h +++ /dev/null @@ -1,89 +0,0 @@ -/* $OpenBSD: pqueue.h,v 1.3 2014/06/12 15:49:31 deraadt Exp $ */ - -/* - * DTLS implementation written by Nagendra Modadugu - * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. - */ -/* ==================================================================== - * Copyright (c) 1999-2005 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * openssl-core@OpenSSL.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ - -#ifndef HEADER_PQUEUE_H -#define HEADER_PQUEUE_H - -typedef struct _pqueue *pqueue; - -typedef struct _pitem { - unsigned char priority[8]; /* 64-bit value in big-endian encoding */ - void *data; - struct _pitem *next; -} pitem; - -typedef struct _pitem *piterator; - -pitem *pitem_new(unsigned char *prio64be, void *data); -void pitem_free(pitem *item); - -pqueue pqueue_new(void); -void pqueue_free(pqueue pq); - -pitem *pqueue_insert(pqueue pq, pitem *item); -pitem *pqueue_peek(pqueue pq); -pitem *pqueue_pop(pqueue pq); -pitem *pqueue_find(pqueue pq, unsigned char *prio64be); -pitem *pqueue_iterator(pqueue pq); -pitem *pqueue_next(piterator *iter); - -int pqueue_size(pqueue pq); - -#endif /* ! HEADER_PQUEUE_H */ diff --git a/lib/libssl/src/ssl/s23_clnt.c b/lib/libssl/src/ssl/s23_clnt.c deleted file mode 100644 index c6920e2b344..00000000000 --- a/lib/libssl/src/ssl/s23_clnt.c +++ /dev/null @@ -1,480 +0,0 @@ -/* $OpenBSD: s23_clnt.c,v 1.46 2015/09/11 18:08:21 jsing Exp $ */ -/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) - * All rights reserved. - * - * This package is an SSL implementation written - * by Eric Young (eay@cryptsoft.com). - * The implementation was written so as to conform with Netscapes SSL. - * - * This library is free for commercial and non-commercial use as long as - * the following conditions are aheared to. The following conditions - * apply to all code found in this distribution, be it the RC4, RSA, - * lhash, DES, etc., code; not just the SSL code. The SSL documentation - * included with this distribution is covered by the same copyright terms - * except that the holder is Tim Hudson (tjh@cryptsoft.com). - * - * Copyright remains Eric Young's, and as such any Copyright notices in - * the code are not to be removed. - * If this package is used in a product, Eric Young should be given attribution - * as the author of the parts of the library used. - * This can be in the form of a textual message at program startup or - * in documentation (online or textual) provided with the package. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * "This product includes cryptographic software written by - * Eric Young (eay@cryptsoft.com)" - * The word 'cryptographic' can be left out if the rouines from the library - * being used are not cryptographic related :-). - * 4. If you include any Windows specific code (or a derivative thereof) from - * the apps directory (application code) you must include an acknowledgement: - * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" - * - * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * The licence and distribution terms for any publically available version or - * derivative of this code cannot be changed. i.e. this code cannot simply be - * copied and put under another distribution licence - * [including the GNU Public Licence.] - */ -/* ==================================================================== - * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * openssl-core@openssl.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.openssl.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ - -#include <stdio.h> - -#include "ssl_locl.h" - -#include <openssl/buffer.h> -#include <openssl/evp.h> -#include <openssl/objects.h> - -static int ssl23_client_hello(SSL *s); -static int ssl23_get_server_hello(SSL *s); - -int -ssl23_connect(SSL *s) -{ - void (*cb)(const SSL *ssl, int type, int val) = NULL; - int ret = -1; - int new_state, state; - - ERR_clear_error(); - errno = 0; - - if (s->info_callback != NULL) - cb = s->info_callback; - else if (s->ctx->info_callback != NULL) - cb = s->ctx->info_callback; - - s->in_handshake++; - if (!SSL_in_init(s) || SSL_in_before(s)) - SSL_clear(s); - - for (;;) { - state = s->state; - - switch (s->state) { - case SSL_ST_BEFORE: - case SSL_ST_CONNECT: - case SSL_ST_BEFORE|SSL_ST_CONNECT: - case SSL_ST_OK|SSL_ST_CONNECT: - - if (s->session != NULL) { - SSLerr(SSL_F_SSL23_CONNECT, SSL_R_SSL23_DOING_SESSION_ID_REUSE); - ret = -1; - goto end; - } - s->server = 0; - if (cb != NULL) - cb(s, SSL_CB_HANDSHAKE_START, 1); - - /* s->version=TLS1_VERSION; */ - s->type = SSL_ST_CONNECT; - - if (!ssl3_setup_init_buffer(s)) { - ret = -1; - goto end; - } - if (!ssl3_setup_buffers(s)) { - ret = -1; - goto end; - } - if (!tls1_init_finished_mac(s)) { - ret = -1; - goto end; - } - - s->state = SSL23_ST_CW_CLNT_HELLO_A; - s->ctx->stats.sess_connect++; - s->init_num = 0; - break; - - case SSL23_ST_CW_CLNT_HELLO_A: - case SSL23_ST_CW_CLNT_HELLO_B: - - s->shutdown = 0; - ret = ssl23_client_hello(s); - if (ret <= 0) - goto end; - s->state = SSL23_ST_CR_SRVR_HELLO_A; - s->init_num = 0; - - break; - - case SSL23_ST_CR_SRVR_HELLO_A: - case SSL23_ST_CR_SRVR_HELLO_B: - ret = ssl23_get_server_hello(s); - if (ret >= 0) - cb = NULL; - goto end; - /* break; */ - - default: - SSLerr(SSL_F_SSL23_CONNECT, SSL_R_UNKNOWN_STATE); - ret = -1; - goto end; - /* break; */ - } - - if (s->debug) { - (void)BIO_flush(s->wbio); - } - - if ((cb != NULL) && (s->state != state)) { - new_state = s->state; - s->state = state; - cb(s, SSL_CB_CONNECT_LOOP, 1); - s->state = new_state; - } - } - -end: - s->in_handshake--; - if (cb != NULL) - cb(s, SSL_CB_CONNECT_EXIT, ret); - - return (ret); -} - -static int -ssl23_client_hello(SSL *s) -{ - unsigned char *buf; - unsigned char *p, *d; - int i; - unsigned long l; - int version = 0, version_major, version_minor; - int ret; - unsigned long mask, options = s->options; - - /* - * SSL_OP_NO_X disables all protocols above X *if* there are - * some protocols below X enabled. This is required in order - * to maintain "version capability" vector contiguous. So - * that if application wants to disable TLS1.0 in favour of - * TLS1>=1, it would be insufficient to pass SSL_NO_TLSv1, the - * answer is SSL_OP_NO_TLSv1|SSL_OP_NO_SSLv3|SSL_OP_NO_SSLv2. - */ - mask = SSL_OP_NO_TLSv1_1|SSL_OP_NO_TLSv1; - version = TLS1_2_VERSION; - - if ((options & SSL_OP_NO_TLSv1_2) && (options & mask) != mask) - version = TLS1_1_VERSION; - mask &= ~SSL_OP_NO_TLSv1_1; - if ((options & SSL_OP_NO_TLSv1_1) && (options & mask) != mask) - version = TLS1_VERSION; - mask &= ~SSL_OP_NO_TLSv1; - - buf = (unsigned char *)s->init_buf->data; - if (s->state == SSL23_ST_CW_CLNT_HELLO_A) { - arc4random_buf(s->s3->client_random, SSL3_RANDOM_SIZE); - - if (version == TLS1_2_VERSION) { - version_major = TLS1_2_VERSION_MAJOR; - version_minor = TLS1_2_VERSION_MINOR; - } else if (version == TLS1_1_VERSION) { - version_major = TLS1_1_VERSION_MAJOR; - version_minor = TLS1_1_VERSION_MINOR; - } else if (version == TLS1_VERSION) { - version_major = TLS1_VERSION_MAJOR; - version_minor = TLS1_VERSION_MINOR; - } else { - SSLerr(SSL_F_SSL23_CLIENT_HELLO, - SSL_R_NO_PROTOCOLS_AVAILABLE); - return (-1); - } - - s->client_version = version; - - /* create Client Hello in SSL 3.0/TLS 1.0 format */ - - /* - * Do the record header (5 bytes) and handshake - * message header (4 bytes) last - */ - d = p = &(buf[SSL3_RT_HEADER_LENGTH + SSL3_HM_HEADER_LENGTH]); - - *(p++) = version_major; - *(p++) = version_minor; - - /* Random stuff */ - memcpy(p, s->s3->client_random, SSL3_RANDOM_SIZE); - p += SSL3_RANDOM_SIZE; - - /* Session ID (zero since there is no reuse) */ - *(p++) = 0; - - /* Ciphers supported (using SSL 3.0/TLS 1.0 format) */ - i = ssl_cipher_list_to_bytes(s, SSL_get_ciphers(s), &p[2]); - if (i == 0) { - SSLerr(SSL_F_SSL23_CLIENT_HELLO, - SSL_R_NO_CIPHERS_AVAILABLE); - return -1; - } - s2n(i, p); - p += i; - - /* add in (no) COMPRESSION */ - *(p++) = 1; - /* Add the NULL method */ - *(p++) = 0; - - /* TLS extensions*/ - if ((p = ssl_add_clienthello_tlsext(s, p, - buf + SSL3_RT_MAX_PLAIN_LENGTH)) == NULL) { - SSLerr(SSL_F_SSL23_CLIENT_HELLO, ERR_R_INTERNAL_ERROR); - return -1; - } - - l = p - d; - - /* fill in 4-byte handshake header */ - d = &(buf[SSL3_RT_HEADER_LENGTH]); - *(d++) = SSL3_MT_CLIENT_HELLO; - l2n3(l, d); - - l += 4; - - if (l > SSL3_RT_MAX_PLAIN_LENGTH) { - SSLerr(SSL_F_SSL23_CLIENT_HELLO, ERR_R_INTERNAL_ERROR); - return -1; - } - - /* fill in 5-byte record header */ - d = buf; - *(d++) = SSL3_RT_HANDSHAKE; - *(d++) = version_major; - - /* - * Some servers hang if we use long client hellos - * and a record number > TLS 1.0. - */ - if (TLS1_get_client_version(s) > TLS1_VERSION) - *(d++) = 1; - else - *(d++) = version_minor; - s2n((int)l, d); - - /* number of bytes to write */ - s->init_num = p - buf; - s->init_off = 0; - - tls1_finish_mac(s, &(buf[SSL3_RT_HEADER_LENGTH]), - s->init_num - SSL3_RT_HEADER_LENGTH); - - s->state = SSL23_ST_CW_CLNT_HELLO_B; - s->init_off = 0; - } - - /* SSL3_ST_CW_CLNT_HELLO_B */ - ret = ssl23_write_bytes(s); - - if ((ret >= 2) && s->msg_callback) { - /* Client Hello has been sent; tell msg_callback */ - - s->msg_callback(1, version, SSL3_RT_HANDSHAKE, - s->init_buf->data + 5, ret - 5, s, s->msg_callback_arg); - } - - return ret; -} - -static int -ssl23_get_server_hello(SSL *s) -{ - char buf[8]; - unsigned char *p; - int i; - int n; - - n = ssl23_read_bytes(s, 7); - - if (n != 7) - return (n); - p = s->packet; - - memcpy(buf, p, n); - - /* Old unsupported sslv2 handshake */ - if ((p[0] & 0x80) && (p[2] == SSL2_MT_SERVER_HELLO) && - (p[5] == 0x00) && (p[6] == 0x02)) { - SSLerr(SSL_F_SSL23_GET_SERVER_HELLO, - SSL_R_UNSUPPORTED_PROTOCOL); - goto err; - } - - if (p[1] == SSL3_VERSION_MAJOR && - p[2] <= TLS1_2_VERSION_MINOR && - ((p[0] == SSL3_RT_HANDSHAKE && p[5] == SSL3_MT_SERVER_HELLO) || - (p[0] == SSL3_RT_ALERT && p[3] == 0 && p[4] == 2))) { - /* we have sslv3 or tls1 (server hello or alert) */ - - if ((p[2] == TLS1_VERSION_MINOR) && - !(s->options & SSL_OP_NO_TLSv1)) { - s->version = TLS1_VERSION; - s->method = TLSv1_client_method(); - } else if ((p[2] == TLS1_1_VERSION_MINOR) && - !(s->options & SSL_OP_NO_TLSv1_1)) { - s->version = TLS1_1_VERSION; - s->method = TLSv1_1_client_method(); - } else if ((p[2] == TLS1_2_VERSION_MINOR) && - !(s->options & SSL_OP_NO_TLSv1_2)) { - s->version = TLS1_2_VERSION; - s->method = TLSv1_2_client_method(); - } else { - SSLerr(SSL_F_SSL23_GET_SERVER_HELLO, - SSL_R_UNSUPPORTED_PROTOCOL); - goto err; - } - - if (p[0] == SSL3_RT_ALERT && p[5] != SSL3_AL_WARNING) { - /* fatal alert */ - void (*cb)(const SSL *ssl, int type, int val) = NULL; - int j; - - if (s->info_callback != NULL) - cb = s->info_callback; - else if (s->ctx->info_callback != NULL) - cb = s->ctx->info_callback; - - i = p[5]; - if (cb != NULL) { - j = (i << 8) | p[6]; - cb(s, SSL_CB_READ_ALERT, j); - } - - if (s->msg_callback) - s->msg_callback(0, s->version, SSL3_RT_ALERT, - p + 5, 2, s, s->msg_callback_arg); - - s->rwstate = SSL_NOTHING; - SSLerr(SSL_F_SSL23_GET_SERVER_HELLO, - SSL_AD_REASON_OFFSET + p[6]); - goto err; - } - - if (!ssl_init_wbio_buffer(s, 1)) - goto err; - - /* we are in this state */ - s->state = SSL3_ST_CR_SRVR_HELLO_A; - - /* put the 7 bytes we have read into the input buffer - * for SSLv3 */ - s->rstate = SSL_ST_READ_HEADER; - s->packet_length = n; - if (s->s3->rbuf.buf == NULL) - if (!ssl3_setup_read_buffer(s)) - goto err; - s->packet = &(s->s3->rbuf.buf[0]); - memcpy(s->packet, buf, n); - s->s3->rbuf.left = n; - s->s3->rbuf.offset = 0; - - s->handshake_func = s->method->ssl_connect; - } else { - SSLerr(SSL_F_SSL23_GET_SERVER_HELLO, SSL_R_UNKNOWN_PROTOCOL); - goto err; - } - s->init_num = 0; - - /* - * Since, if we are sending a ssl23 client hello, we are not - * reusing a session-id - */ - if (!ssl_get_new_session(s, 0)) - goto err; - - return (SSL_connect(s)); -err: - return (-1); -} diff --git a/lib/libssl/src/ssl/s23_lib.c b/lib/libssl/src/ssl/s23_lib.c deleted file mode 100644 index cd594aa3c96..00000000000 --- a/lib/libssl/src/ssl/s23_lib.c +++ /dev/null @@ -1,132 +0,0 @@ -/* $OpenBSD: s23_lib.c,v 1.18 2014/11/16 14:12:47 jsing Exp $ */ -/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) - * All rights reserved. - * - * This package is an SSL implementation written - * by Eric Young (eay@cryptsoft.com). - * The implementation was written so as to conform with Netscapes SSL. - * - * This library is free for commercial and non-commercial use as long as - * the following conditions are aheared to. The following conditions - * apply to all code found in this distribution, be it the RC4, RSA, - * lhash, DES, etc., code; not just the SSL code. The SSL documentation - * included with this distribution is covered by the same copyright terms - * except that the holder is Tim Hudson (tjh@cryptsoft.com). - * - * Copyright remains Eric Young's, and as such any Copyright notices in - * the code are not to be removed. - * If this package is used in a product, Eric Young should be given attribution - * as the author of the parts of the library used. - * This can be in the form of a textual message at program startup or - * in documentation (online or textual) provided with the package. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * "This product includes cryptographic software written by - * Eric Young (eay@cryptsoft.com)" - * The word 'cryptographic' can be left out if the rouines from the library - * being used are not cryptographic related :-). - * 4. If you include any Windows specific code (or a derivative thereof) from - * the apps directory (application code) you must include an acknowledgement: - * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" - * - * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * The licence and distribution terms for any publically available version or - * derivative of this code cannot be changed. i.e. this code cannot simply be - * copied and put under another distribution licence - * [including the GNU Public Licence.] - */ - -#include <stdio.h> - -#include <openssl/objects.h> - -#include "ssl_locl.h" - -long -ssl23_default_timeout(void) -{ - return (300); -} - -int -ssl23_read(SSL *s, void *buf, int len) -{ - int n; - - errno = 0; - if (SSL_in_init(s) && (!s->in_handshake)) { - n = s->handshake_func(s); - if (n < 0) - return (n); - if (n == 0) { - SSLerr(SSL_F_SSL23_READ, SSL_R_SSL_HANDSHAKE_FAILURE); - return (-1); - } - return (SSL_read(s, buf, len)); - } else { - ssl_undefined_function(s); - return (-1); - } -} - -int -ssl23_peek(SSL *s, void *buf, int len) -{ - int n; - - errno = 0; - if (SSL_in_init(s) && (!s->in_handshake)) { - n = s->handshake_func(s); - if (n < 0) - return (n); - if (n == 0) { - SSLerr(SSL_F_SSL23_PEEK, SSL_R_SSL_HANDSHAKE_FAILURE); - return (-1); - } - return (SSL_peek(s, buf, len)); - } else { - ssl_undefined_function(s); - return (-1); - } -} - -int -ssl23_write(SSL *s, const void *buf, int len) -{ - int n; - - errno = 0; - if (SSL_in_init(s) && (!s->in_handshake)) { - n = s->handshake_func(s); - if (n < 0) - return (n); - if (n == 0) { - SSLerr(SSL_F_SSL23_WRITE, SSL_R_SSL_HANDSHAKE_FAILURE); - return (-1); - } - return (SSL_write(s, buf, len)); - } else { - ssl_undefined_function(s); - return (-1); - } -} diff --git a/lib/libssl/src/ssl/s23_pkt.c b/lib/libssl/src/ssl/s23_pkt.c deleted file mode 100644 index 2081f48f08d..00000000000 --- a/lib/libssl/src/ssl/s23_pkt.c +++ /dev/null @@ -1,116 +0,0 @@ -/* $OpenBSD: s23_pkt.c,v 1.9 2014/11/16 14:12:47 jsing Exp $ */ -/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) - * All rights reserved. - * - * This package is an SSL implementation written - * by Eric Young (eay@cryptsoft.com). - * The implementation was written so as to conform with Netscapes SSL. - * - * This library is free for commercial and non-commercial use as long as - * the following conditions are aheared to. The following conditions - * apply to all code found in this distribution, be it the RC4, RSA, - * lhash, DES, etc., code; not just the SSL code. The SSL documentation - * included with this distribution is covered by the same copyright terms - * except that the holder is Tim Hudson (tjh@cryptsoft.com). - * - * Copyright remains Eric Young's, and as such any Copyright notices in - * the code are not to be removed. - * If this package is used in a product, Eric Young should be given attribution - * as the author of the parts of the library used. - * This can be in the form of a textual message at program startup or - * in documentation (online or textual) provided with the package. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * "This product includes cryptographic software written by - * Eric Young (eay@cryptsoft.com)" - * The word 'cryptographic' can be left out if the rouines from the library - * being used are not cryptographic related :-). - * 4. If you include any Windows specific code (or a derivative thereof) from - * the apps directory (application code) you must include an acknowledgement: - * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" - * - * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * The licence and distribution terms for any publically available version or - * derivative of this code cannot be changed. i.e. this code cannot simply be - * copied and put under another distribution licence - * [including the GNU Public Licence.] - */ - -#include <errno.h> -#include <stdio.h> - -#include "ssl_locl.h" - -#include <openssl/buffer.h> -#include <openssl/evp.h> - -int -ssl23_write_bytes(SSL *s) -{ - int i, num, tot; - char *buf; - - buf = s->init_buf->data; - tot = s->init_off; - num = s->init_num; - for (;;) { - s->rwstate = SSL_WRITING; - i = BIO_write(s->wbio, &(buf[tot]), num); - if (i <= 0) { - s->init_off = tot; - s->init_num = num; - return (i); - } - s->rwstate = SSL_NOTHING; - if (i == num) - return (tot + i); - - num -= i; - tot += i; - } -} - -/* return regularly only when we have read (at least) 'n' bytes */ -int -ssl23_read_bytes(SSL *s, int n) -{ - unsigned char *p; - int j; - - if (s->packet_length < (unsigned int)n) { - p = s->packet; - - for (;;) { - s->rwstate = SSL_READING; - j = BIO_read(s->rbio, (char *)&(p[s->packet_length]), - n - s->packet_length); - if (j <= 0) - return (j); - s->rwstate = SSL_NOTHING; - s->packet_length += j; - if (s->packet_length >= (unsigned int)n) - return (s->packet_length); - } - } - return (n); -} diff --git a/lib/libssl/src/ssl/s23_srvr.c b/lib/libssl/src/ssl/s23_srvr.c deleted file mode 100644 index ed476c70d16..00000000000 --- a/lib/libssl/src/ssl/s23_srvr.c +++ /dev/null @@ -1,514 +0,0 @@ -/* $OpenBSD: s23_srvr.c,v 1.47 2016/07/16 04:42:35 beck Exp $ */ -/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) - * All rights reserved. - * - * This package is an SSL implementation written - * by Eric Young (eay@cryptsoft.com). - * The implementation was written so as to conform with Netscapes SSL. - * - * This library is free for commercial and non-commercial use as long as - * the following conditions are aheared to. The following conditions - * apply to all code found in this distribution, be it the RC4, RSA, - * lhash, DES, etc., code; not just the SSL code. The SSL documentation - * included with this distribution is covered by the same copyright terms - * except that the holder is Tim Hudson (tjh@cryptsoft.com). - * - * Copyright remains Eric Young's, and as such any Copyright notices in - * the code are not to be removed. - * If this package is used in a product, Eric Young should be given attribution - * as the author of the parts of the library used. - * This can be in the form of a textual message at program startup or - * in documentation (online or textual) provided with the package. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * "This product includes cryptographic software written by - * Eric Young (eay@cryptsoft.com)" - * The word 'cryptographic' can be left out if the rouines from the library - * being used are not cryptographic related :-). - * 4. If you include any Windows specific code (or a derivative thereof) from - * the apps directory (application code) you must include an acknowledgement: - * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" - * - * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * The licence and distribution terms for any publically available version or - * derivative of this code cannot be changed. i.e. this code cannot simply be - * copied and put under another distribution licence - * [including the GNU Public Licence.] - */ -/* ==================================================================== - * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * openssl-core@openssl.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.openssl.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ - -#include <stdio.h> - -#include "ssl_locl.h" - -#include <openssl/buffer.h> -#include <openssl/evp.h> -#include <openssl/objects.h> - -int ssl23_get_client_hello(SSL *s); - -int -ssl23_accept(SSL *s) -{ - void (*cb)(const SSL *ssl, int type, int val) = NULL; - int ret = -1; - int new_state, state; - - ERR_clear_error(); - errno = 0; - - if (s->info_callback != NULL) - cb = s->info_callback; - else if (s->ctx->info_callback != NULL) - cb = s->ctx->info_callback; - - s->in_handshake++; - if (!SSL_in_init(s) || SSL_in_before(s)) - SSL_clear(s); - - for (;;) { - state = s->state; - - switch (s->state) { - case SSL_ST_BEFORE: - case SSL_ST_ACCEPT: - case SSL_ST_BEFORE|SSL_ST_ACCEPT: - case SSL_ST_OK|SSL_ST_ACCEPT: - - s->server = 1; - if (cb != NULL) - cb(s, SSL_CB_HANDSHAKE_START, 1); - - /* s->version=SSL3_VERSION; */ - s->type = SSL_ST_ACCEPT; - - if (!ssl3_setup_init_buffer(s)) { - ret = -1; - goto end; - } - if (!tls1_init_finished_mac(s)) { - ret = -1; - goto end; - } - - s->state = SSL23_ST_SR_CLNT_HELLO_A; - s->ctx->stats.sess_accept++; - s->init_num = 0; - break; - - case SSL23_ST_SR_CLNT_HELLO_A: - case SSL23_ST_SR_CLNT_HELLO_B: - - s->shutdown = 0; - ret = ssl23_get_client_hello(s); - if (ret >= 0) - cb = NULL; - goto end; - /* break; */ - - default: - SSLerr(SSL_F_SSL23_ACCEPT, SSL_R_UNKNOWN_STATE); - ret = -1; - goto end; - /* break; */ - } - - if ((cb != NULL) && (s->state != state)) { - new_state = s->state; - s->state = state; - cb(s, SSL_CB_ACCEPT_LOOP, 1); - s->state = new_state; - } - } - -end: - s->in_handshake--; - if (cb != NULL) - cb(s, SSL_CB_ACCEPT_EXIT, ret); - - return (ret); -} - - -int -ssl23_get_client_hello(SSL *s) -{ - char buf[11]; - /* - * sizeof(buf) == 11, because we'll need to request this many bytes in - * the initial read. - * We can detect SSL 3.0/TLS 1.0 Client Hellos ('type == 3') correctly - * only when the following is in a single record, which is not - * guaranteed by the protocol specification: - * Byte Content - * 0 type \ - * 1/2 version > record header - * 3/4 length / - * 5 msg_type \ - * 6-8 length > Client Hello message - * 9/10 client_version / - */ - unsigned char *p, *d, *d_len, *dd; - unsigned int i; - unsigned int csl, sil, cl; - int n = 0, j; - int type = 0; - int v[2]; - - if (s->state == SSL23_ST_SR_CLNT_HELLO_A) { - /* read the initial header */ - v[0] = v[1] = 0; - - if (!ssl3_setup_buffers(s)) - return -1; - - n = ssl23_read_bytes(s, sizeof buf); - if (n != sizeof buf) - return(n); - - p = s->packet; - - memcpy(buf, p, n); - - if ((p[0] & 0x80) && (p[2] == SSL2_MT_CLIENT_HELLO)) { - /* - * SSLv2 header - */ - if ((p[3] == 0x00) && (p[4] == 0x02)) { - /* SSLv2 support has been removed */ - goto unsupported; - - } else if (p[3] == SSL3_VERSION_MAJOR) { - v[0] = p[3]; - v[1] = p[4]; - /* SSLv3/TLS */ - - if (p[4] >= TLS1_VERSION_MINOR) { - if (p[4] >= TLS1_2_VERSION_MINOR && - !(s->options & SSL_OP_NO_TLSv1_2)) { - s->version = TLS1_2_VERSION; - s->state = SSL23_ST_SR_CLNT_HELLO_B; - } else if (p[4] >= TLS1_1_VERSION_MINOR && - !(s->options & SSL_OP_NO_TLSv1_1)) { - s->version = TLS1_1_VERSION; - /* type=2; */ /* done later to survive restarts */ - s->state = SSL23_ST_SR_CLNT_HELLO_B; - } else if (!(s->options & SSL_OP_NO_TLSv1)) { - s->version = TLS1_VERSION; - /* type=2; */ /* done later to survive restarts */ - s->state = SSL23_ST_SR_CLNT_HELLO_B; - } else { - goto unsupported; - } - } else { - /* SSLv3 support has been removed */ - goto unsupported; - } - } - } else if ((p[0] == SSL3_RT_HANDSHAKE) && - (p[1] == SSL3_VERSION_MAJOR) && - (p[5] == SSL3_MT_CLIENT_HELLO) && - ((p[3] == 0 && p[4] < 5 /* silly record length? */) || - (p[9] >= p[1]))) { - /* - * SSLv3 or tls1 header - */ - - v[0] = p[1]; /* major version (= SSL3_VERSION_MAJOR) */ - /* We must look at client_version inside the Client Hello message - * to get the correct minor version. - * However if we have only a pathologically small fragment of the - * Client Hello message, this would be difficult, and we'd have - * to read more records to find out. - * No known SSL 3.0 client fragments ClientHello like this, - * so we simply reject such connections to avoid - * protocol version downgrade attacks. */ - if (p[3] == 0 && p[4] < 6) { - SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO, - SSL_R_RECORD_TOO_SMALL); - return -1; - } - /* if major version number > 3 set minor to a value - * which will use the highest version 3 we support. - * If TLS 2.0 ever appears we will need to revise - * this.... - */ - if (p[9] > SSL3_VERSION_MAJOR) - v[1] = 0xff; - else - v[1] = p[10]; /* minor version according to client_version */ - if (v[1] >= TLS1_VERSION_MINOR) { - if (v[1] >= TLS1_2_VERSION_MINOR && - !(s->options & SSL_OP_NO_TLSv1_2)) { - s->version = TLS1_2_VERSION; - type = 3; - } else if (v[1] >= TLS1_1_VERSION_MINOR && - !(s->options & SSL_OP_NO_TLSv1_1)) { - s->version = TLS1_1_VERSION; - type = 3; - } else if (!(s->options & SSL_OP_NO_TLSv1)) { - s->version = TLS1_VERSION; - type = 3; - } else { - goto unsupported; - } - } else { - /* SSLv3 */ - if (!(s->options & SSL_OP_NO_TLSv1)) { - /* we won't be able to use TLS of course, - * but this will send an appropriate alert */ - s->version = TLS1_VERSION; - type = 3; - } else { - goto unsupported; - } - } - } - else if ((strncmp("GET ", (char *)p, 4) == 0) || - (strncmp("POST ",(char *)p, 5) == 0) || - (strncmp("HEAD ",(char *)p, 5) == 0) || - (strncmp("PUT ", (char *)p, 4) == 0)) { - SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO, SSL_R_HTTP_REQUEST); - return -1; - } else if (strncmp("CONNECT", (char *)p, 7) == 0) { - SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO, SSL_R_HTTPS_PROXY_REQUEST); - return -1; - } - } - - if (s->state == SSL23_ST_SR_CLNT_HELLO_B) { - /* we have SSLv3/TLSv1 in an SSLv2 header - * (other cases skip this state) */ - - /* - * Limit the support of "backward compatible" headers - * only to "backward" versions of TLS. If we have moved - * on to modernity, just say no. - */ - if (s->options & SSL_OP_NO_TLSv1) - goto unsupported; - - type = 2; - p = s->packet; - v[0] = p[3]; /* == SSL3_VERSION_MAJOR */ - v[1] = p[4]; - - /* An SSLv3/TLSv1 backwards-compatible CLIENT-HELLO in an SSLv2 - * header is sent directly on the wire, not wrapped as a TLS - * record. It's format is: - * Byte Content - * 0-1 msg_length - * 2 msg_type - * 3-4 version - * 5-6 cipher_spec_length - * 7-8 session_id_length - * 9-10 challenge_length - * ... ... - */ - n = ((p[0] & 0x7f) << 8) | p[1]; - if (n > (1024 * 4)) { - SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO, SSL_R_RECORD_TOO_LARGE); - return -1; - } - if (n < 9) { - SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO, - SSL_R_RECORD_LENGTH_MISMATCH); - return -1; - } - - j = ssl23_read_bytes(s, n + 2); - if (j != n + 2) - return -1; - - tls1_finish_mac(s, s->packet + 2, s->packet_length - 2); - if (s->msg_callback) - s->msg_callback(0, SSL2_VERSION, 0, s->packet + 2, - s->packet_length - 2, s, s->msg_callback_arg); - - p = s->packet; - p += 5; - n2s(p, csl); - n2s(p, sil); - n2s(p, cl); - d = (unsigned char *)s->init_buf->data; - if ((csl + sil + cl + 11) != s->packet_length) { - /* - * We can't have TLS extensions in SSL 2.0 format - * Client Hello, can we ? Error condition should be - * '>' otherwise - */ - SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO, - SSL_R_RECORD_LENGTH_MISMATCH); - return -1; - } - - /* record header: msg_type ... */ - *(d++) = SSL3_MT_CLIENT_HELLO; - /* ... and length (actual value will be written later) */ - d_len = d; - d += 3; - - /* client_version */ - *(d++) = SSL3_VERSION_MAJOR; /* == v[0] */ - *(d++) = v[1]; - - /* lets populate the random area */ - /* get the challenge_length */ - i = (cl > SSL3_RANDOM_SIZE) ? SSL3_RANDOM_SIZE : cl; - memset(d, 0, SSL3_RANDOM_SIZE); - memcpy(&(d[SSL3_RANDOM_SIZE - i]), &(p[csl + sil]), i); - d += SSL3_RANDOM_SIZE; - - /* no session-id reuse */ - *(d++) = 0; - - /* ciphers */ - j = 0; - dd = d; - d += 2; - for (i = 0; i < csl; i += 3) { - if (p[i] != 0) - continue; - *(d++) = p[i + 1]; - *(d++) = p[i + 2]; - j += 2; - } - s2n(j, dd); - - /* add in (no) COMPRESSION */ - *(d++) = 1; - *(d++) = 0; - - i = (d - (unsigned char *)s->init_buf->data) - 4; - l2n3((long)i, d_len); - - /* get the data reused from the init_buf */ - s->s3->tmp.reuse_message = 1; - s->s3->tmp.message_type = SSL3_MT_CLIENT_HELLO; - s->s3->tmp.message_size = i; - } - - /* imaginary new state (for program structure): */ - /* s->state = SSL23_SR_CLNT_HELLO_C */ - - if (type == 2 || type == 3) { - /* we have SSLv3/TLSv1 (type 2: SSL2 style, type 3: SSL3/TLS style) */ - - if (!ssl_init_wbio_buffer(s, 1)) - return -1; - - /* we are in this state */ - s->state = SSL3_ST_SR_CLNT_HELLO_A; - - if (type == 3) { - /* put the 'n' bytes we have read into the input buffer - * for SSLv3 */ - s->rstate = SSL_ST_READ_HEADER; - s->packet_length = n; - if (s->s3->rbuf.buf == NULL) - if (!ssl3_setup_read_buffer(s)) - return -1; - - s->packet = &(s->s3->rbuf.buf[0]); - memcpy(s->packet, buf, n); - s->s3->rbuf.left = n; - s->s3->rbuf.offset = 0; - } else { - s->packet_length = 0; - s->s3->rbuf.left = 0; - s->s3->rbuf.offset = 0; - } - if (s->version == TLS1_2_VERSION) - s->method = TLSv1_2_server_method(); - else if (s->version == TLS1_1_VERSION) - s->method = TLSv1_1_server_method(); - else if (s->version == TLS1_VERSION) - s->method = TLSv1_server_method(); - else - goto unsupported; - s->handshake_func = s->method->ssl_accept; - } else { - /* bad, very bad */ - SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO, SSL_R_UNKNOWN_PROTOCOL); - return -1; - } - s->init_num = 0; - - return (SSL_accept(s)); - - unsupported: - SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO, SSL_R_UNSUPPORTED_PROTOCOL); - return -1; -} diff --git a/lib/libssl/src/ssl/s3_both.c b/lib/libssl/src/ssl/s3_both.c deleted file mode 100644 index cfd0fb9b4bd..00000000000 --- a/lib/libssl/src/ssl/s3_both.c +++ /dev/null @@ -1,743 +0,0 @@ -/* $OpenBSD: s3_both.c,v 1.48 2015/09/12 15:03:39 jsing Exp $ */ -/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) - * All rights reserved. - * - * This package is an SSL implementation written - * by Eric Young (eay@cryptsoft.com). - * The implementation was written so as to conform with Netscapes SSL. - * - * This library is free for commercial and non-commercial use as long as - * the following conditions are aheared to. The following conditions - * apply to all code found in this distribution, be it the RC4, RSA, - * lhash, DES, etc., code; not just the SSL code. The SSL documentation - * included with this distribution is covered by the same copyright terms - * except that the holder is Tim Hudson (tjh@cryptsoft.com). - * - * Copyright remains Eric Young's, and as such any Copyright notices in - * the code are not to be removed. - * If this package is used in a product, Eric Young should be given attribution - * as the author of the parts of the library used. - * This can be in the form of a textual message at program startup or - * in documentation (online or textual) provided with the package. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * "This product includes cryptographic software written by - * Eric Young (eay@cryptsoft.com)" - * The word 'cryptographic' can be left out if the rouines from the library - * being used are not cryptographic related :-). - * 4. If you include any Windows specific code (or a derivative thereof) from - * the apps directory (application code) you must include an acknowledgement: - * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" - * - * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * The licence and distribution terms for any publically available version or - * derivative of this code cannot be changed. i.e. this code cannot simply be - * copied and put under another distribution licence - * [including the GNU Public Licence.] - */ -/* ==================================================================== - * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * openssl-core@openssl.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.openssl.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ -/* ==================================================================== - * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. - * ECC cipher suite support in OpenSSL originally developed by - * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project. - */ - -#include <limits.h> -#include <stdio.h> -#include <string.h> - -#include "ssl_locl.h" - -#include <openssl/buffer.h> -#include <openssl/evp.h> -#include <openssl/objects.h> -#include <openssl/x509.h> - -#include "bytestring.h" - -/* - * Send s->init_buf in records of type 'type' (SSL3_RT_HANDSHAKE or - * SSL3_RT_CHANGE_CIPHER_SPEC). - */ -int -ssl3_do_write(SSL *s, int type) -{ - int ret; - - ret = ssl3_write_bytes(s, type, &s->init_buf->data[s->init_off], - s->init_num); - if (ret < 0) - return (-1); - - if (type == SSL3_RT_HANDSHAKE) - /* - * Should not be done for 'Hello Request's, but in that case - * we'll ignore the result anyway. - */ - tls1_finish_mac(s, - (unsigned char *)&s->init_buf->data[s->init_off], ret); - - if (ret == s->init_num) { - if (s->msg_callback) - s->msg_callback(1, s->version, type, s->init_buf->data, - (size_t)(s->init_off + s->init_num), s, - s->msg_callback_arg); - return (1); - } - - s->init_off += ret; - s->init_num -= ret; - - return (0); -} - -int -ssl3_send_finished(SSL *s, int a, int b, const char *sender, int slen) -{ - unsigned char *p; - int md_len; - - if (s->state == a) { - md_len = s->method->ssl3_enc->finish_mac_length; - OPENSSL_assert(md_len <= EVP_MAX_MD_SIZE); - - if (s->method->ssl3_enc->final_finish_mac(s, sender, slen, - s->s3->tmp.finish_md) != md_len) - return (0); - s->s3->tmp.finish_md_len = md_len; - - /* Copy finished so we can use it for renegotiation checks. */ - if (s->type == SSL_ST_CONNECT) { - memcpy(s->s3->previous_client_finished, - s->s3->tmp.finish_md, md_len); - s->s3->previous_client_finished_len = md_len; - } else { - memcpy(s->s3->previous_server_finished, - s->s3->tmp.finish_md, md_len); - s->s3->previous_server_finished_len = md_len; - } - - p = ssl3_handshake_msg_start(s, SSL3_MT_FINISHED); - memcpy(p, s->s3->tmp.finish_md, md_len); - ssl3_handshake_msg_finish(s, md_len); - - s->state = b; - } - - return (ssl3_handshake_write(s)); -} - -/* - * ssl3_take_mac calculates the Finished MAC for the handshakes messages seen - * so far. - */ -static void -ssl3_take_mac(SSL *s) -{ - const char *sender; - int slen; - - /* - * If no new cipher setup return immediately: other functions will - * set the appropriate error. - */ - if (s->s3->tmp.new_cipher == NULL) - return; - - if (s->state & SSL_ST_CONNECT) { - sender = s->method->ssl3_enc->server_finished_label; - slen = s->method->ssl3_enc->server_finished_label_len; - } else { - sender = s->method->ssl3_enc->client_finished_label; - slen = s->method->ssl3_enc->client_finished_label_len; - } - - s->s3->tmp.peer_finish_md_len = - s->method->ssl3_enc->final_finish_mac(s, sender, slen, - s->s3->tmp.peer_finish_md); -} - -int -ssl3_get_finished(SSL *s, int a, int b) -{ - int al, ok, md_len; - long n; - CBS cbs; - - /* should actually be 36+4 :-) */ - n = s->method->ssl_get_message(s, a, b, SSL3_MT_FINISHED, 64, &ok); - if (!ok) - return ((int)n); - - /* If this occurs, we have missed a message */ - if (!s->s3->change_cipher_spec) { - al = SSL_AD_UNEXPECTED_MESSAGE; - SSLerr(SSL_F_SSL3_GET_FINISHED, SSL_R_GOT_A_FIN_BEFORE_A_CCS); - goto f_err; - } - s->s3->change_cipher_spec = 0; - - md_len = s->method->ssl3_enc->finish_mac_length; - - if (n < 0) { - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_SSL3_GET_FINISHED, SSL_R_BAD_DIGEST_LENGTH); - goto f_err; - } - - CBS_init(&cbs, s->init_msg, n); - - if (s->s3->tmp.peer_finish_md_len != md_len || - CBS_len(&cbs) != md_len) { - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_SSL3_GET_FINISHED, SSL_R_BAD_DIGEST_LENGTH); - goto f_err; - } - - if (!CBS_mem_equal(&cbs, s->s3->tmp.peer_finish_md, CBS_len(&cbs))) { - al = SSL_AD_DECRYPT_ERROR; - SSLerr(SSL_F_SSL3_GET_FINISHED, SSL_R_DIGEST_CHECK_FAILED); - goto f_err; - } - - /* Copy finished so we can use it for renegotiation checks. */ - OPENSSL_assert(md_len <= EVP_MAX_MD_SIZE); - if (s->type == SSL_ST_ACCEPT) { - memcpy(s->s3->previous_client_finished, - s->s3->tmp.peer_finish_md, md_len); - s->s3->previous_client_finished_len = md_len; - } else { - memcpy(s->s3->previous_server_finished, - s->s3->tmp.peer_finish_md, md_len); - s->s3->previous_server_finished_len = md_len; - } - - return (1); -f_err: - ssl3_send_alert(s, SSL3_AL_FATAL, al); - return (0); -} - -/* for these 2 messages, we need to - * ssl->enc_read_ctx re-init - * ssl->s3->read_sequence zero - * ssl->s3->read_mac_secret re-init - * ssl->session->read_sym_enc assign - * ssl->session->read_hash assign - */ -int -ssl3_send_change_cipher_spec(SSL *s, int a, int b) -{ - unsigned char *p; - - if (s->state == a) { - p = (unsigned char *)s->init_buf->data; - *p = SSL3_MT_CCS; - s->init_num = 1; - s->init_off = 0; - - s->state = b; - } - - /* SSL3_ST_CW_CHANGE_B */ - return (ssl3_do_write(s, SSL3_RT_CHANGE_CIPHER_SPEC)); -} - -static int -ssl3_add_cert_to_buf(BUF_MEM *buf, unsigned long *l, X509 *x) -{ - int n; - unsigned char *p; - - n = i2d_X509(x, NULL); - if (!BUF_MEM_grow_clean(buf, n + (*l) + 3)) { - SSLerr(SSL_F_SSL3_ADD_CERT_TO_BUF, ERR_R_BUF_LIB); - return (-1); - } - /* XXX */ - p = (unsigned char *)&(buf->data[*l]); - l2n3(n, p); - i2d_X509(x, &p); - *l += n + 3; - - return (0); -} - -unsigned long -ssl3_output_cert_chain(SSL *s, X509 *x) -{ - unsigned char *p; - unsigned long l = ssl3_handshake_msg_hdr_len(s) + 3; - BUF_MEM *buf; - int no_chain; - int i; - - if ((s->mode & SSL_MODE_NO_AUTO_CHAIN) || s->ctx->extra_certs) - no_chain = 1; - else - no_chain = 0; - - /* TLSv1 sends a chain with nothing in it, instead of an alert */ - buf = s->init_buf; - if (!BUF_MEM_grow_clean(buf, ssl3_handshake_msg_hdr_len(s) + 6)) { - SSLerr(SSL_F_SSL3_OUTPUT_CERT_CHAIN, ERR_R_BUF_LIB); - return (0); - } - if (x != NULL) { - if (no_chain) { - if (ssl3_add_cert_to_buf(buf, &l, x)) - return (0); - } else { - X509_STORE_CTX xs_ctx; - - if (!X509_STORE_CTX_init(&xs_ctx, s->ctx->cert_store, - x, NULL)) { - SSLerr(SSL_F_SSL3_OUTPUT_CERT_CHAIN, - ERR_R_X509_LIB); - return (0); - } - X509_verify_cert(&xs_ctx); - - /* Don't leave errors in the queue. */ - ERR_clear_error(); - for (i = 0; i < sk_X509_num(xs_ctx.chain); i++) { - x = sk_X509_value(xs_ctx.chain, i); - if (ssl3_add_cert_to_buf(buf, &l, x)) { - X509_STORE_CTX_cleanup(&xs_ctx); - return 0; - } - } - X509_STORE_CTX_cleanup(&xs_ctx); - } - } - /* Thawte special :-) */ - for (i = 0; i < sk_X509_num(s->ctx->extra_certs); i++) { - x = sk_X509_value(s->ctx->extra_certs, i); - if (ssl3_add_cert_to_buf(buf, &l, x)) - return (0); - } - - l -= ssl3_handshake_msg_hdr_len(s) + 3; - p = (unsigned char *)&(buf->data[4]); - l2n3(l, p); - l += 3; - p = (unsigned char *)&(buf->data[0]); - *(p++) = SSL3_MT_CERTIFICATE; - l2n3(l, p); - l += 4; /* XXX */ - return (l); -} - -/* - * Obtain handshake message of message type 'mt' (any if mt == -1), - * maximum acceptable body length 'max'. - * The first four bytes (msg_type and length) are read in state 'st1', - * the body is read in state 'stn'. - */ -long -ssl3_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok) -{ - unsigned char *p; - uint32_t l; - long n; - int i, al; - CBS cbs; - uint8_t u8; - - if (s->s3->tmp.reuse_message) { - s->s3->tmp.reuse_message = 0; - if ((mt >= 0) && (s->s3->tmp.message_type != mt)) { - al = SSL_AD_UNEXPECTED_MESSAGE; - SSLerr(SSL_F_SSL3_GET_MESSAGE, - SSL_R_UNEXPECTED_MESSAGE); - goto f_err; - } - *ok = 1; - s->init_msg = s->init_buf->data + 4; - s->init_num = (int)s->s3->tmp.message_size; - return s->init_num; - } - - p = (unsigned char *)s->init_buf->data; - - /* s->init_num < 4 */ - if (s->state == st1) { - int skip_message; - - do { - while (s->init_num < 4) { - i = s->method->ssl_read_bytes(s, - SSL3_RT_HANDSHAKE, &p[s->init_num], - 4 - s->init_num, 0); - if (i <= 0) { - s->rwstate = SSL_READING; - *ok = 0; - return i; - } - s->init_num += i; - } - - skip_message = 0; - if (!s->server && p[0] == SSL3_MT_HELLO_REQUEST) { - /* - * The server may always send 'Hello Request' - * messages -- we are doing a handshake anyway - * now, so ignore them if their format is - * correct. Does not count for 'Finished' MAC. - */ - if (p[1] == 0 && p[2] == 0 &&p[3] == 0) { - s->init_num = 0; - skip_message = 1; - - if (s->msg_callback) - s->msg_callback(0, s->version, - SSL3_RT_HANDSHAKE, p, 4, s, - s->msg_callback_arg); - } - } - } while (skip_message); - - /* s->init_num == 4 */ - - if ((mt >= 0) && (*p != mt)) { - al = SSL_AD_UNEXPECTED_MESSAGE; - SSLerr(SSL_F_SSL3_GET_MESSAGE, - SSL_R_UNEXPECTED_MESSAGE); - goto f_err; - } - - /* XXX remove call to n2l3 */ - CBS_init(&cbs, p, 4); - if (!CBS_get_u8(&cbs, &u8) || - !CBS_get_u24(&cbs, &l)) { - SSLerr(SSL_F_SSL3_GET_MESSAGE, ERR_R_BUF_LIB); - goto err; - } - s->s3->tmp.message_type = u8; - - if (l > (unsigned long)max) { - al = SSL_AD_ILLEGAL_PARAMETER; - SSLerr(SSL_F_SSL3_GET_MESSAGE, - SSL_R_EXCESSIVE_MESSAGE_SIZE); - goto f_err; - } - if (l && !BUF_MEM_grow_clean(s->init_buf, l + 4)) { - SSLerr(SSL_F_SSL3_GET_MESSAGE, ERR_R_BUF_LIB); - goto err; - } - s->s3->tmp.message_size = l; - s->state = stn; - - s->init_msg = s->init_buf->data + 4; - s->init_num = 0; - } - - /* next state (stn) */ - p = s->init_msg; - n = s->s3->tmp.message_size - s->init_num; - while (n > 0) { - i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, - &p[s->init_num], n, 0); - if (i <= 0) { - s->rwstate = SSL_READING; - *ok = 0; - return i; - } - s->init_num += i; - n -= i; - } - - /* If receiving Finished, record MAC of prior handshake messages for - * Finished verification. */ - if (*s->init_buf->data == SSL3_MT_FINISHED) - ssl3_take_mac(s); - - /* Feed this message into MAC computation. */ - tls1_finish_mac(s, (unsigned char *)s->init_buf->data, s->init_num + 4); - if (s->msg_callback) - s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, - s->init_buf->data, (size_t)s->init_num + 4, s, - s->msg_callback_arg); - - *ok = 1; - return (s->init_num); - -f_err: - ssl3_send_alert(s, SSL3_AL_FATAL, al); -err: - *ok = 0; - return (-1); -} - -int -ssl_cert_type(X509 *x, EVP_PKEY *pkey) -{ - EVP_PKEY *pk; - int ret = -1, i; - - if (pkey == NULL) - pk = X509_get_pubkey(x); - else - pk = pkey; - if (pk == NULL) - goto err; - - i = pk->type; - if (i == EVP_PKEY_RSA) { - ret = SSL_PKEY_RSA_ENC; - } else if (i == EVP_PKEY_DSA) { - ret = SSL_PKEY_DSA_SIGN; - } else if (i == EVP_PKEY_EC) { - ret = SSL_PKEY_ECC; - } else if (i == NID_id_GostR3410_2001 || - i == NID_id_GostR3410_2001_cc) { - ret = SSL_PKEY_GOST01; - } - -err: - if (!pkey) - EVP_PKEY_free(pk); - return (ret); -} - -int -ssl_verify_alarm_type(long type) -{ - int al; - - switch (type) { - case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: - case X509_V_ERR_UNABLE_TO_GET_CRL: - case X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER: - al = SSL_AD_UNKNOWN_CA; - break; - case X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE: - case X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE: - case X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY: - case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD: - case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD: - case X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD: - case X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD: - case X509_V_ERR_CERT_NOT_YET_VALID: - case X509_V_ERR_CRL_NOT_YET_VALID: - case X509_V_ERR_CERT_UNTRUSTED: - case X509_V_ERR_CERT_REJECTED: - al = SSL_AD_BAD_CERTIFICATE; - break; - case X509_V_ERR_CERT_SIGNATURE_FAILURE: - case X509_V_ERR_CRL_SIGNATURE_FAILURE: - al = SSL_AD_DECRYPT_ERROR; - break; - case X509_V_ERR_CERT_HAS_EXPIRED: - case X509_V_ERR_CRL_HAS_EXPIRED: - al = SSL_AD_CERTIFICATE_EXPIRED; - break; - case X509_V_ERR_CERT_REVOKED: - al = SSL_AD_CERTIFICATE_REVOKED; - break; - case X509_V_ERR_OUT_OF_MEM: - al = SSL_AD_INTERNAL_ERROR; - break; - case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: - case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN: - case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: - case X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE: - case X509_V_ERR_CERT_CHAIN_TOO_LONG: - case X509_V_ERR_PATH_LENGTH_EXCEEDED: - case X509_V_ERR_INVALID_CA: - al = SSL_AD_UNKNOWN_CA; - break; - case X509_V_ERR_APPLICATION_VERIFICATION: - al = SSL_AD_HANDSHAKE_FAILURE; - break; - case X509_V_ERR_INVALID_PURPOSE: - al = SSL_AD_UNSUPPORTED_CERTIFICATE; - break; - default: - al = SSL_AD_CERTIFICATE_UNKNOWN; - break; - } - return (al); -} - -int -ssl3_setup_init_buffer(SSL *s) -{ - BUF_MEM *buf = NULL; - - if (s->init_buf != NULL) - return (1); - - if ((buf = BUF_MEM_new()) == NULL) - goto err; - if (!BUF_MEM_grow(buf, SSL3_RT_MAX_PLAIN_LENGTH)) - goto err; - - s->init_buf = buf; - return (1); - -err: - BUF_MEM_free(buf); - return (0); -} - -int -ssl3_setup_read_buffer(SSL *s) -{ - unsigned char *p; - size_t len, align, headerlen; - - if (SSL_IS_DTLS(s)) - headerlen = DTLS1_RT_HEADER_LENGTH; - else - headerlen = SSL3_RT_HEADER_LENGTH; - - align = (-SSL3_RT_HEADER_LENGTH) & (SSL3_ALIGN_PAYLOAD - 1); - - if (s->s3->rbuf.buf == NULL) { - len = SSL3_RT_MAX_PLAIN_LENGTH + - SSL3_RT_MAX_ENCRYPTED_OVERHEAD + headerlen + align; - if ((p = malloc(len)) == NULL) - goto err; - s->s3->rbuf.buf = p; - s->s3->rbuf.len = len; - } - - s->packet = &(s->s3->rbuf.buf[0]); - return 1; - -err: - SSLerr(SSL_F_SSL3_SETUP_READ_BUFFER, ERR_R_MALLOC_FAILURE); - return 0; -} - -int -ssl3_setup_write_buffer(SSL *s) -{ - unsigned char *p; - size_t len, align, headerlen; - - if (SSL_IS_DTLS(s)) - headerlen = DTLS1_RT_HEADER_LENGTH + 1; - else - headerlen = SSL3_RT_HEADER_LENGTH; - - align = (-SSL3_RT_HEADER_LENGTH) & (SSL3_ALIGN_PAYLOAD - 1); - - if (s->s3->wbuf.buf == NULL) { - len = s->max_send_fragment + - SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD + headerlen + align; - if (!(s->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)) - len += headerlen + align + - SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD; - - if ((p = malloc(len)) == NULL) - goto err; - s->s3->wbuf.buf = p; - s->s3->wbuf.len = len; - } - - return 1; - -err: - SSLerr(SSL_F_SSL3_SETUP_WRITE_BUFFER, ERR_R_MALLOC_FAILURE); - return 0; -} - -int -ssl3_setup_buffers(SSL *s) -{ - if (!ssl3_setup_read_buffer(s)) - return 0; - if (!ssl3_setup_write_buffer(s)) - return 0; - return 1; -} - -int -ssl3_release_write_buffer(SSL *s) -{ - free(s->s3->wbuf.buf); - s->s3->wbuf.buf = NULL; - return 1; -} - -int -ssl3_release_read_buffer(SSL *s) -{ - free(s->s3->rbuf.buf); - s->s3->rbuf.buf = NULL; - return 1; -} diff --git a/lib/libssl/src/ssl/s3_cbc.c b/lib/libssl/src/ssl/s3_cbc.c deleted file mode 100644 index 414d493150d..00000000000 --- a/lib/libssl/src/ssl/s3_cbc.c +++ /dev/null @@ -1,656 +0,0 @@ -/* $OpenBSD: s3_cbc.c,v 1.12 2016/03/20 16:50:29 krw Exp $ */ -/* ==================================================================== - * Copyright (c) 2012 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * openssl-core@openssl.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.openssl.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ - -#include "ssl_locl.h" - -#include <openssl/md5.h> -#include <openssl/sha.h> - -/* MAX_HASH_BIT_COUNT_BYTES is the maximum number of bytes in the hash's length - * field. (SHA-384/512 have 128-bit length.) */ -#define MAX_HASH_BIT_COUNT_BYTES 16 - -/* MAX_HASH_BLOCK_SIZE is the maximum hash block size that we'll support. - * Currently SHA-384/512 has a 128-byte block size and that's the largest - * supported by TLS.) */ -#define MAX_HASH_BLOCK_SIZE 128 - -/* Some utility functions are needed: - * - * These macros return the given value with the MSB copied to all the other - * bits. They use the fact that arithmetic shift shifts-in the sign bit. - * However, this is not ensured by the C standard so you may need to replace - * them with something else on odd CPUs. */ -#define DUPLICATE_MSB_TO_ALL(x) ((unsigned)((int)(x) >> (sizeof(int) * 8 - 1))) -#define DUPLICATE_MSB_TO_ALL_8(x) ((unsigned char)(DUPLICATE_MSB_TO_ALL(x))) - -/* constant_time_lt returns 0xff if a<b and 0x00 otherwise. */ -static unsigned -constant_time_lt(unsigned a, unsigned b) -{ - a -= b; - return DUPLICATE_MSB_TO_ALL(a); -} - -/* constant_time_ge returns 0xff if a>=b and 0x00 otherwise. */ -static unsigned -constant_time_ge(unsigned a, unsigned b) -{ - a -= b; - return DUPLICATE_MSB_TO_ALL(~a); -} - -/* constant_time_eq_8 returns 0xff if a==b and 0x00 otherwise. */ -static unsigned char -constant_time_eq_8(unsigned a, unsigned b) -{ - unsigned c = a ^ b; - c--; - return DUPLICATE_MSB_TO_ALL_8(c); -} - -/* tls1_cbc_remove_padding removes the CBC padding from the decrypted, TLS, CBC - * record in |rec| in constant time and returns 1 if the padding is valid and - * -1 otherwise. It also removes any explicit IV from the start of the record - * without leaking any timing about whether there was enough space after the - * padding was removed. - * - * block_size: the block size of the cipher used to encrypt the record. - * returns: - * 0: (in non-constant time) if the record is publicly invalid. - * 1: if the padding was valid - * -1: otherwise. */ -int -tls1_cbc_remove_padding(const SSL* s, SSL3_RECORD *rec, unsigned block_size, - unsigned mac_size) -{ - unsigned padding_length, good, to_check, i; - const unsigned overhead = 1 /* padding length byte */ + mac_size; - - /* Check if version requires explicit IV */ - if (SSL_USE_EXPLICIT_IV(s)) { - /* These lengths are all public so we can test them in - * non-constant time. - */ - if (overhead + block_size > rec->length) - return 0; - /* We can now safely skip explicit IV */ - rec->data += block_size; - rec->input += block_size; - rec->length -= block_size; - } else if (overhead > rec->length) - return 0; - - padding_length = rec->data[rec->length - 1]; - - if (EVP_CIPHER_flags(s->enc_read_ctx->cipher) & EVP_CIPH_FLAG_AEAD_CIPHER) { - /* padding is already verified */ - rec->length -= padding_length + 1; - return 1; - } - - good = constant_time_ge(rec->length, overhead + padding_length); - /* The padding consists of a length byte at the end of the record and - * then that many bytes of padding, all with the same value as the - * length byte. Thus, with the length byte included, there are i+1 - * bytes of padding. - * - * We can't check just |padding_length+1| bytes because that leaks - * decrypted information. Therefore we always have to check the maximum - * amount of padding possible. (Again, the length of the record is - * public information so we can use it.) */ - to_check = 255; /* maximum amount of padding. */ - if (to_check > rec->length - 1) - to_check = rec->length - 1; - - for (i = 0; i < to_check; i++) { - unsigned char mask = constant_time_ge(padding_length, i); - unsigned char b = rec->data[rec->length - 1 - i]; - /* The final |padding_length+1| bytes should all have the value - * |padding_length|. Therefore the XOR should be zero. */ - good &= ~(mask&(padding_length ^ b)); - } - - /* If any of the final |padding_length+1| bytes had the wrong value, - * one or more of the lower eight bits of |good| will be cleared. We - * AND the bottom 8 bits together and duplicate the result to all the - * bits. */ - good &= good >> 4; - good &= good >> 2; - good &= good >> 1; - good <<= sizeof(good)*8 - 1; - good = DUPLICATE_MSB_TO_ALL(good); - - padding_length = good & (padding_length + 1); - rec->length -= padding_length; - rec->type |= padding_length<<8; /* kludge: pass padding length */ - - return (int)((good & 1) | (~good & -1)); -} - -/* ssl3_cbc_copy_mac copies |md_size| bytes from the end of |rec| to |out| in - * constant time (independent of the concrete value of rec->length, which may - * vary within a 256-byte window). - * - * ssl3_cbc_remove_padding or tls1_cbc_remove_padding must be called prior to - * this function. - * - * On entry: - * rec->orig_len >= md_size - * md_size <= EVP_MAX_MD_SIZE - * - * If CBC_MAC_ROTATE_IN_PLACE is defined then the rotation is performed with - * variable accesses in a 64-byte-aligned buffer. Assuming that this fits into - * a single or pair of cache-lines, then the variable memory accesses don't - * actually affect the timing. CPUs with smaller cache-lines [if any] are - * not multi-core and are not considered vulnerable to cache-timing attacks. - */ -#define CBC_MAC_ROTATE_IN_PLACE - -void -ssl3_cbc_copy_mac(unsigned char* out, const SSL3_RECORD *rec, - unsigned md_size, unsigned orig_len) -{ -#if defined(CBC_MAC_ROTATE_IN_PLACE) - unsigned char rotated_mac_buf[64 + EVP_MAX_MD_SIZE]; - unsigned char *rotated_mac; -#else - unsigned char rotated_mac[EVP_MAX_MD_SIZE]; -#endif - - /* mac_end is the index of |rec->data| just after the end of the MAC. */ - unsigned mac_end = rec->length; - unsigned mac_start = mac_end - md_size; - /* scan_start contains the number of bytes that we can ignore because - * the MAC's position can only vary by 255 bytes. */ - unsigned scan_start = 0; - unsigned i, j; - unsigned div_spoiler; - unsigned rotate_offset; - - OPENSSL_assert(orig_len >= md_size); - OPENSSL_assert(md_size <= EVP_MAX_MD_SIZE); - -#if defined(CBC_MAC_ROTATE_IN_PLACE) - rotated_mac = rotated_mac_buf + ((0 - (size_t)rotated_mac_buf)&63); -#endif - - /* This information is public so it's safe to branch based on it. */ - if (orig_len > md_size + 255 + 1) - scan_start = orig_len - (md_size + 255 + 1); - /* div_spoiler contains a multiple of md_size that is used to cause the - * modulo operation to be constant time. Without this, the time varies - * based on the amount of padding when running on Intel chips at least. - * - * The aim of right-shifting md_size is so that the compiler doesn't - * figure out that it can remove div_spoiler as that would require it - * to prove that md_size is always even, which I hope is beyond it. */ - div_spoiler = md_size >> 1; - div_spoiler <<= (sizeof(div_spoiler) - 1) * 8; - rotate_offset = (div_spoiler + mac_start - scan_start) % md_size; - - memset(rotated_mac, 0, md_size); - for (i = scan_start, j = 0; i < orig_len; i++) { - unsigned char mac_started = constant_time_ge(i, mac_start); - unsigned char mac_ended = constant_time_ge(i, mac_end); - unsigned char b = rec->data[i]; - rotated_mac[j++] |= b & mac_started & ~mac_ended; - j &= constant_time_lt(j, md_size); - } - - /* Now rotate the MAC */ -#if defined(CBC_MAC_ROTATE_IN_PLACE) - j = 0; - for (i = 0; i < md_size; i++) { - /* in case cache-line is 32 bytes, touch second line */ - ((volatile unsigned char *)rotated_mac)[rotate_offset^32]; - out[j++] = rotated_mac[rotate_offset++]; - rotate_offset &= constant_time_lt(rotate_offset, md_size); - } -#else - memset(out, 0, md_size); - rotate_offset = md_size - rotate_offset; - rotate_offset &= constant_time_lt(rotate_offset, md_size); - for (i = 0; i < md_size; i++) { - for (j = 0; j < md_size; j++) - out[j] |= rotated_mac[i] & constant_time_eq_8(j, rotate_offset); - rotate_offset++; - rotate_offset &= constant_time_lt(rotate_offset, md_size); - } -#endif -} - -/* u32toLE serialises an unsigned, 32-bit number (n) as four bytes at (p) in - * little-endian order. The value of p is advanced by four. */ -#define u32toLE(n, p) \ - (*((p)++)=(unsigned char)(n), \ - *((p)++)=(unsigned char)(n>>8), \ - *((p)++)=(unsigned char)(n>>16), \ - *((p)++)=(unsigned char)(n>>24)) - -/* These functions serialize the state of a hash and thus perform the standard - * "final" operation without adding the padding and length that such a function - * typically does. */ -static void -tls1_md5_final_raw(void* ctx, unsigned char *md_out) -{ - MD5_CTX *md5 = ctx; - u32toLE(md5->A, md_out); - u32toLE(md5->B, md_out); - u32toLE(md5->C, md_out); - u32toLE(md5->D, md_out); -} - -static void -tls1_sha1_final_raw(void* ctx, unsigned char *md_out) -{ - SHA_CTX *sha1 = ctx; - l2n(sha1->h0, md_out); - l2n(sha1->h1, md_out); - l2n(sha1->h2, md_out); - l2n(sha1->h3, md_out); - l2n(sha1->h4, md_out); -} -#define LARGEST_DIGEST_CTX SHA_CTX - -static void -tls1_sha256_final_raw(void* ctx, unsigned char *md_out) -{ - SHA256_CTX *sha256 = ctx; - unsigned i; - - for (i = 0; i < 8; i++) { - l2n(sha256->h[i], md_out); - } -} -#undef LARGEST_DIGEST_CTX -#define LARGEST_DIGEST_CTX SHA256_CTX - -static void -tls1_sha512_final_raw(void* ctx, unsigned char *md_out) -{ - SHA512_CTX *sha512 = ctx; - unsigned i; - - for (i = 0; i < 8; i++) { - l2n8(sha512->h[i], md_out); - } -} -#undef LARGEST_DIGEST_CTX -#define LARGEST_DIGEST_CTX SHA512_CTX - -/* ssl3_cbc_record_digest_supported returns 1 iff |ctx| uses a hash function - * which ssl3_cbc_digest_record supports. */ -char -ssl3_cbc_record_digest_supported(const EVP_MD_CTX *ctx) -{ - switch (EVP_MD_CTX_type(ctx)) { - case NID_md5: - case NID_sha1: - case NID_sha224: - case NID_sha256: - case NID_sha384: - case NID_sha512: - return 1; - default: - return 0; - } -} - -/* ssl3_cbc_digest_record computes the MAC of a decrypted, padded SSLv3/TLS - * record. - * - * ctx: the EVP_MD_CTX from which we take the hash function. - * ssl3_cbc_record_digest_supported must return true for this EVP_MD_CTX. - * md_out: the digest output. At most EVP_MAX_MD_SIZE bytes will be written. - * md_out_size: if non-NULL, the number of output bytes is written here. - * header: the 13-byte, TLS record header. - * data: the record data itself, less any preceeding explicit IV. - * data_plus_mac_size: the secret, reported length of the data and MAC - * once the padding has been removed. - * data_plus_mac_plus_padding_size: the public length of the whole - * record, including padding. - * is_sslv3: non-zero if we are to use SSLv3. Otherwise, TLS. - * - * On entry: by virtue of having been through one of the remove_padding - * functions, above, we know that data_plus_mac_size is large enough to contain - * a padding byte and MAC. (If the padding was invalid, it might contain the - * padding too. ) */ -int -ssl3_cbc_digest_record(const EVP_MD_CTX *ctx, unsigned char* md_out, - size_t* md_out_size, const unsigned char header[13], - const unsigned char *data, size_t data_plus_mac_size, - size_t data_plus_mac_plus_padding_size, const unsigned char *mac_secret, - unsigned mac_secret_length, char is_sslv3) -{ - union { double align; - unsigned char c[sizeof(LARGEST_DIGEST_CTX)]; - } md_state; - void (*md_final_raw)(void *ctx, unsigned char *md_out); - void (*md_transform)(void *ctx, const unsigned char *block); - unsigned md_size, md_block_size = 64; - unsigned sslv3_pad_length = 40, header_length, variance_blocks, - len, max_mac_bytes, num_blocks, - num_starting_blocks, k, mac_end_offset, c, index_a, index_b; - unsigned int bits; /* at most 18 bits */ - unsigned char length_bytes[MAX_HASH_BIT_COUNT_BYTES]; - /* hmac_pad is the masked HMAC key. */ - unsigned char hmac_pad[MAX_HASH_BLOCK_SIZE]; - unsigned char first_block[MAX_HASH_BLOCK_SIZE]; - unsigned char mac_out[EVP_MAX_MD_SIZE]; - unsigned i, j, md_out_size_u; - EVP_MD_CTX md_ctx; - /* mdLengthSize is the number of bytes in the length field that terminates - * the hash. */ - unsigned md_length_size = 8; - char length_is_big_endian = 1; - - /* This is a, hopefully redundant, check that allows us to forget about - * many possible overflows later in this function. */ - OPENSSL_assert(data_plus_mac_plus_padding_size < 1024*1024); - - switch (EVP_MD_CTX_type(ctx)) { - case NID_md5: - MD5_Init((MD5_CTX*)md_state.c); - md_final_raw = tls1_md5_final_raw; - md_transform = (void(*)(void *ctx, const unsigned char *block)) MD5_Transform; - md_size = 16; - sslv3_pad_length = 48; - length_is_big_endian = 0; - break; - case NID_sha1: - SHA1_Init((SHA_CTX*)md_state.c); - md_final_raw = tls1_sha1_final_raw; - md_transform = (void(*)(void *ctx, const unsigned char *block)) SHA1_Transform; - md_size = 20; - break; - case NID_sha224: - SHA224_Init((SHA256_CTX*)md_state.c); - md_final_raw = tls1_sha256_final_raw; - md_transform = (void(*)(void *ctx, const unsigned char *block)) SHA256_Transform; - md_size = 224/8; - break; - case NID_sha256: - SHA256_Init((SHA256_CTX*)md_state.c); - md_final_raw = tls1_sha256_final_raw; - md_transform = (void(*)(void *ctx, const unsigned char *block)) SHA256_Transform; - md_size = 32; - break; - case NID_sha384: - SHA384_Init((SHA512_CTX*)md_state.c); - md_final_raw = tls1_sha512_final_raw; - md_transform = (void(*)(void *ctx, const unsigned char *block)) SHA512_Transform; - md_size = 384/8; - md_block_size = 128; - md_length_size = 16; - break; - case NID_sha512: - SHA512_Init((SHA512_CTX*)md_state.c); - md_final_raw = tls1_sha512_final_raw; - md_transform = (void(*)(void *ctx, const unsigned char *block)) SHA512_Transform; - md_size = 64; - md_block_size = 128; - md_length_size = 16; - break; - default: - /* ssl3_cbc_record_digest_supported should have been - * called first to check that the hash function is - * supported. */ - OPENSSL_assert(0); - if (md_out_size) - *md_out_size = 0; - return 0; - } - - OPENSSL_assert(md_length_size <= MAX_HASH_BIT_COUNT_BYTES); - OPENSSL_assert(md_block_size <= MAX_HASH_BLOCK_SIZE); - OPENSSL_assert(md_size <= EVP_MAX_MD_SIZE); - - header_length = 13; - if (is_sslv3) { - header_length = mac_secret_length + sslv3_pad_length + - 8 /* sequence number */ + - 1 /* record type */ + - 2 /* record length */; - } - - /* variance_blocks is the number of blocks of the hash that we have to - * calculate in constant time because they could be altered by the - * padding value. - * - * In SSLv3, the padding must be minimal so the end of the plaintext - * varies by, at most, 15+20 = 35 bytes. (We conservatively assume that - * the MAC size varies from 0..20 bytes.) In case the 9 bytes of hash - * termination (0x80 + 64-bit length) don't fit in the final block, we - * say that the final two blocks can vary based on the padding. - * - * TLSv1 has MACs up to 48 bytes long (SHA-384) and the padding is not - * required to be minimal. Therefore we say that the final six blocks - * can vary based on the padding. - * - * Later in the function, if the message is short and there obviously - * cannot be this many blocks then variance_blocks can be reduced. */ - variance_blocks = is_sslv3 ? 2 : 6; - /* From now on we're dealing with the MAC, which conceptually has 13 - * bytes of `header' before the start of the data (TLS) or 71/75 bytes - * (SSLv3) */ - len = data_plus_mac_plus_padding_size + header_length; - /* max_mac_bytes contains the maximum bytes of bytes in the MAC, including - * |header|, assuming that there's no padding. */ - max_mac_bytes = len - md_size - 1; - /* num_blocks is the maximum number of hash blocks. */ - num_blocks = (max_mac_bytes + 1 + md_length_size + md_block_size - 1) / md_block_size; - /* In order to calculate the MAC in constant time we have to handle - * the final blocks specially because the padding value could cause the - * end to appear somewhere in the final |variance_blocks| blocks and we - * can't leak where. However, |num_starting_blocks| worth of data can - * be hashed right away because no padding value can affect whether - * they are plaintext. */ - num_starting_blocks = 0; - /* k is the starting byte offset into the conceptual header||data where - * we start processing. */ - k = 0; - /* mac_end_offset is the index just past the end of the data to be - * MACed. */ - mac_end_offset = data_plus_mac_size + header_length - md_size; - /* c is the index of the 0x80 byte in the final hash block that - * contains application data. */ - c = mac_end_offset % md_block_size; - /* index_a is the hash block number that contains the 0x80 terminating - * value. */ - index_a = mac_end_offset / md_block_size; - /* index_b is the hash block number that contains the 64-bit hash - * length, in bits. */ - index_b = (mac_end_offset + md_length_size) / md_block_size; - /* bits is the hash-length in bits. It includes the additional hash - * block for the masked HMAC key, or whole of |header| in the case of - * SSLv3. */ - - /* For SSLv3, if we're going to have any starting blocks then we need - * at least two because the header is larger than a single block. */ - if (num_blocks > variance_blocks + (is_sslv3 ? 1 : 0)) { - num_starting_blocks = num_blocks - variance_blocks; - k = md_block_size*num_starting_blocks; - } - - bits = 8*mac_end_offset; - if (!is_sslv3) { - /* Compute the initial HMAC block. For SSLv3, the padding and - * secret bytes are included in |header| because they take more - * than a single block. */ - bits += 8*md_block_size; - memset(hmac_pad, 0, md_block_size); - OPENSSL_assert(mac_secret_length <= sizeof(hmac_pad)); - memcpy(hmac_pad, mac_secret, mac_secret_length); - for (i = 0; i < md_block_size; i++) - hmac_pad[i] ^= 0x36; - - md_transform(md_state.c, hmac_pad); - } - - if (length_is_big_endian) { - memset(length_bytes, 0, md_length_size - 4); - length_bytes[md_length_size - 4] = (unsigned char)(bits >> 24); - length_bytes[md_length_size - 3] = (unsigned char)(bits >> 16); - length_bytes[md_length_size - 2] = (unsigned char)(bits >> 8); - length_bytes[md_length_size - 1] = (unsigned char)bits; - } else { - memset(length_bytes, 0, md_length_size); - length_bytes[md_length_size - 5] = (unsigned char)(bits >> 24); - length_bytes[md_length_size - 6] = (unsigned char)(bits >> 16); - length_bytes[md_length_size - 7] = (unsigned char)(bits >> 8); - length_bytes[md_length_size - 8] = (unsigned char)bits; - } - - if (k > 0) { - if (is_sslv3) { - /* The SSLv3 header is larger than a single block. - * overhang is the number of bytes beyond a single - * block that the header consumes: either 7 bytes - * (SHA1) or 11 bytes (MD5). */ - unsigned overhang = header_length - md_block_size; - md_transform(md_state.c, header); - memcpy(first_block, header + md_block_size, overhang); - memcpy(first_block + overhang, data, md_block_size - overhang); - md_transform(md_state.c, first_block); - for (i = 1; i < k/md_block_size - 1; i++) - md_transform(md_state.c, data + md_block_size*i - overhang); - } else { - /* k is a multiple of md_block_size. */ - memcpy(first_block, header, 13); - memcpy(first_block + 13, data, md_block_size - 13); - md_transform(md_state.c, first_block); - for (i = 1; i < k/md_block_size; i++) - md_transform(md_state.c, data + md_block_size*i - 13); - } - } - - memset(mac_out, 0, sizeof(mac_out)); - - /* We now process the final hash blocks. For each block, we construct - * it in constant time. If the |i==index_a| then we'll include the 0x80 - * bytes and zero pad etc. For each block we selectively copy it, in - * constant time, to |mac_out|. */ - for (i = num_starting_blocks; i <= num_starting_blocks + variance_blocks; i++) { - unsigned char block[MAX_HASH_BLOCK_SIZE]; - unsigned char is_block_a = constant_time_eq_8(i, index_a); - unsigned char is_block_b = constant_time_eq_8(i, index_b); - for (j = 0; j < md_block_size; j++) { - unsigned char b = 0, is_past_c, is_past_cp1; - if (k < header_length) - b = header[k]; - else if (k < data_plus_mac_plus_padding_size + header_length) - b = data[k - header_length]; - k++; - - is_past_c = is_block_a & constant_time_ge(j, c); - is_past_cp1 = is_block_a & constant_time_ge(j, c + 1); - /* If this is the block containing the end of the - * application data, and we are at the offset for the - * 0x80 value, then overwrite b with 0x80. */ - b = (b&~is_past_c) | (0x80&is_past_c); - /* If this is the block containing the end of the - * application data and we're past the 0x80 value then - * just write zero. */ - b = b&~is_past_cp1; - /* If this is index_b (the final block), but not - * index_a (the end of the data), then the 64-bit - * length didn't fit into index_a and we're having to - * add an extra block of zeros. */ - b &= ~is_block_b | is_block_a; - - /* The final bytes of one of the blocks contains the - * length. */ - if (j >= md_block_size - md_length_size) { - /* If this is index_b, write a length byte. */ - b = (b&~is_block_b) | (is_block_b&length_bytes[j - (md_block_size - md_length_size)]); - } - block[j] = b; - } - - md_transform(md_state.c, block); - md_final_raw(md_state.c, block); - /* If this is index_b, copy the hash value to |mac_out|. */ - for (j = 0; j < md_size; j++) - mac_out[j] |= block[j]&is_block_b; - } - - EVP_MD_CTX_init(&md_ctx); - if (!EVP_DigestInit_ex(&md_ctx, ctx->digest, NULL /* engine */)) { - EVP_MD_CTX_cleanup(&md_ctx); - return 0; - } - if (is_sslv3) { - /* We repurpose |hmac_pad| to contain the SSLv3 pad2 block. */ - memset(hmac_pad, 0x5c, sslv3_pad_length); - - EVP_DigestUpdate(&md_ctx, mac_secret, mac_secret_length); - EVP_DigestUpdate(&md_ctx, hmac_pad, sslv3_pad_length); - EVP_DigestUpdate(&md_ctx, mac_out, md_size); - } else { - /* Complete the HMAC in the standard manner. */ - for (i = 0; i < md_block_size; i++) - hmac_pad[i] ^= 0x6a; - - EVP_DigestUpdate(&md_ctx, hmac_pad, md_block_size); - EVP_DigestUpdate(&md_ctx, mac_out, md_size); - } - EVP_DigestFinal(&md_ctx, md_out, &md_out_size_u); - if (md_out_size) - *md_out_size = md_out_size_u; - EVP_MD_CTX_cleanup(&md_ctx); - - return 1; -} diff --git a/lib/libssl/src/ssl/s3_clnt.c b/lib/libssl/src/ssl/s3_clnt.c deleted file mode 100644 index 264cb012d5a..00000000000 --- a/lib/libssl/src/ssl/s3_clnt.c +++ /dev/null @@ -1,2635 +0,0 @@ -/* $OpenBSD: s3_clnt.c,v 1.138 2016/03/27 00:55:38 mmcc Exp $ */ -/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) - * All rights reserved. - * - * This package is an SSL implementation written - * by Eric Young (eay@cryptsoft.com). - * The implementation was written so as to conform with Netscapes SSL. - * - * This library is free for commercial and non-commercial use as long as - * the following conditions are aheared to. The following conditions - * apply to all code found in this distribution, be it the RC4, RSA, - * lhash, DES, etc., code; not just the SSL code. The SSL documentation - * included with this distribution is covered by the same copyright terms - * except that the holder is Tim Hudson (tjh@cryptsoft.com). - * - * Copyright remains Eric Young's, and as such any Copyright notices in - * the code are not to be removed. - * If this package is used in a product, Eric Young should be given attribution - * as the author of the parts of the library used. - * This can be in the form of a textual message at program startup or - * in documentation (online or textual) provided with the package. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * "This product includes cryptographic software written by - * Eric Young (eay@cryptsoft.com)" - * The word 'cryptographic' can be left out if the rouines from the library - * being used are not cryptographic related :-). - * 4. If you include any Windows specific code (or a derivative thereof) from - * the apps directory (application code) you must include an acknowledgement: - * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" - * - * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * The licence and distribution terms for any publically available version or - * derivative of this code cannot be changed. i.e. this code cannot simply be - * copied and put under another distribution licence - * [including the GNU Public Licence.] - */ -/* ==================================================================== - * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * openssl-core@openssl.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.openssl.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ -/* ==================================================================== - * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. - * - * Portions of the attached software ("Contribution") are developed by - * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project. - * - * The Contribution is licensed pursuant to the OpenSSL open source - * license provided above. - * - * ECC cipher suite support in OpenSSL originally written by - * Vipul Gupta and Sumit Gupta of Sun Microsystems Laboratories. - * - */ -/* ==================================================================== - * Copyright 2005 Nokia. All rights reserved. - * - * The portions of the attached software ("Contribution") is developed by - * Nokia Corporation and is licensed pursuant to the OpenSSL open source - * license. - * - * The Contribution, originally written by Mika Kousa and Pasi Eronen of - * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites - * support (see RFC 4279) to OpenSSL. - * - * No patent licenses or other rights except those expressly stated in - * the OpenSSL open source license shall be deemed granted or received - * expressly, by implication, estoppel, or otherwise. - * - * No assurances are provided by Nokia that the Contribution does not - * infringe the patent or other intellectual property rights of any third - * party or that the license provides you with all the necessary rights - * to make use of the Contribution. - * - * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN - * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA - * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY - * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR - * OTHERWISE. - */ - -#include <limits.h> -#include <stdint.h> -#include <stdio.h> - -#include "ssl_locl.h" - -#include <openssl/bn.h> -#include <openssl/buffer.h> -#include <openssl/dh.h> -#include <openssl/evp.h> -#include <openssl/md5.h> -#include <openssl/objects.h> - -#ifndef OPENSSL_NO_ENGINE -#include <openssl/engine.h> -#endif -#ifndef OPENSSL_NO_GOST -#include <openssl/gost.h> -#endif - -#include "bytestring.h" - -static int ca_dn_cmp(const X509_NAME * const *a, const X509_NAME * const *b); - -int -ssl3_connect(SSL *s) -{ - void (*cb)(const SSL *ssl, int type, int val) = NULL; - int ret = -1; - int new_state, state, skip = 0; - - ERR_clear_error(); - errno = 0; - - if (s->info_callback != NULL) - cb = s->info_callback; - else if (s->ctx->info_callback != NULL) - cb = s->ctx->info_callback; - - s->in_handshake++; - if (!SSL_in_init(s) || SSL_in_before(s)) - SSL_clear(s); - - for (;;) { - state = s->state; - - switch (s->state) { - case SSL_ST_RENEGOTIATE: - s->renegotiate = 1; - s->state = SSL_ST_CONNECT; - s->ctx->stats.sess_connect_renegotiate++; - /* break */ - case SSL_ST_BEFORE: - case SSL_ST_CONNECT: - case SSL_ST_BEFORE|SSL_ST_CONNECT: - case SSL_ST_OK|SSL_ST_CONNECT: - - s->server = 0; - if (cb != NULL) - cb(s, SSL_CB_HANDSHAKE_START, 1); - - if ((s->version & 0xff00 ) != 0x0300) { - SSLerr(SSL_F_SSL3_CONNECT, - ERR_R_INTERNAL_ERROR); - ret = -1; - goto end; - } - - /* s->version=SSL3_VERSION; */ - s->type = SSL_ST_CONNECT; - - if (!ssl3_setup_init_buffer(s)) { - ret = -1; - goto end; - } - if (!ssl3_setup_buffers(s)) { - ret = -1; - goto end; - } - if (!ssl_init_wbio_buffer(s, 0)) { - ret = -1; - goto end; - } - - /* don't push the buffering BIO quite yet */ - - if (!tls1_init_finished_mac(s)) { - ret = -1; - goto end; - } - - s->state = SSL3_ST_CW_CLNT_HELLO_A; - s->ctx->stats.sess_connect++; - s->init_num = 0; - break; - - case SSL3_ST_CW_CLNT_HELLO_A: - case SSL3_ST_CW_CLNT_HELLO_B: - - s->shutdown = 0; - ret = ssl3_client_hello(s); - if (ret <= 0) - goto end; - s->state = SSL3_ST_CR_SRVR_HELLO_A; - s->init_num = 0; - - /* turn on buffering for the next lot of output */ - if (s->bbio != s->wbio) - s->wbio = BIO_push(s->bbio, s->wbio); - - break; - - case SSL3_ST_CR_SRVR_HELLO_A: - case SSL3_ST_CR_SRVR_HELLO_B: - ret = ssl3_get_server_hello(s); - if (ret <= 0) - goto end; - - if (s->hit) { - s->state = SSL3_ST_CR_FINISHED_A; - if (s->tlsext_ticket_expected) { - /* receive renewed session ticket */ - s->state = SSL3_ST_CR_SESSION_TICKET_A; - } - } else - s->state = SSL3_ST_CR_CERT_A; - s->init_num = 0; - break; - - case SSL3_ST_CR_CERT_A: - case SSL3_ST_CR_CERT_B: - ret = ssl3_check_finished(s); - if (ret <= 0) - goto end; - if (ret == 2) { - s->hit = 1; - if (s->tlsext_ticket_expected) - s->state = SSL3_ST_CR_SESSION_TICKET_A; - else - s->state = SSL3_ST_CR_FINISHED_A; - s->init_num = 0; - break; - } - /* Check if it is anon DH/ECDH. */ - if (!(s->s3->tmp.new_cipher->algorithm_auth & - SSL_aNULL)) { - ret = ssl3_get_server_certificate(s); - if (ret <= 0) - goto end; - if (s->tlsext_status_expected) - s->state = SSL3_ST_CR_CERT_STATUS_A; - else - s->state = SSL3_ST_CR_KEY_EXCH_A; - } else { - skip = 1; - s->state = SSL3_ST_CR_KEY_EXCH_A; - } - s->init_num = 0; - break; - - case SSL3_ST_CR_KEY_EXCH_A: - case SSL3_ST_CR_KEY_EXCH_B: - ret = ssl3_get_key_exchange(s); - if (ret <= 0) - goto end; - s->state = SSL3_ST_CR_CERT_REQ_A; - s->init_num = 0; - - /* - * At this point we check that we have the - * required stuff from the server. - */ - if (!ssl3_check_cert_and_algorithm(s)) { - ret = -1; - goto end; - } - break; - - case SSL3_ST_CR_CERT_REQ_A: - case SSL3_ST_CR_CERT_REQ_B: - ret = ssl3_get_certificate_request(s); - if (ret <= 0) - goto end; - s->state = SSL3_ST_CR_SRVR_DONE_A; - s->init_num = 0; - break; - - case SSL3_ST_CR_SRVR_DONE_A: - case SSL3_ST_CR_SRVR_DONE_B: - ret = ssl3_get_server_done(s); - if (ret <= 0) - goto end; - if (s->s3->tmp.cert_req) - s->state = SSL3_ST_CW_CERT_A; - else - s->state = SSL3_ST_CW_KEY_EXCH_A; - s->init_num = 0; - - break; - - case SSL3_ST_CW_CERT_A: - case SSL3_ST_CW_CERT_B: - case SSL3_ST_CW_CERT_C: - case SSL3_ST_CW_CERT_D: - ret = ssl3_send_client_certificate(s); - if (ret <= 0) - goto end; - s->state = SSL3_ST_CW_KEY_EXCH_A; - s->init_num = 0; - break; - - case SSL3_ST_CW_KEY_EXCH_A: - case SSL3_ST_CW_KEY_EXCH_B: - ret = ssl3_send_client_key_exchange(s); - if (ret <= 0) - goto end; - /* - * EAY EAY EAY need to check for DH fix cert - * sent back - */ - /* - * For TLS, cert_req is set to 2, so a cert chain - * of nothing is sent, but no verify packet is sent - */ - /* - * XXX: For now, we do not support client - * authentication in ECDH cipher suites with - * ECDH (rather than ECDSA) certificates. - * We need to skip the certificate verify - * message when client's ECDH public key is sent - * inside the client certificate. - */ - if (s->s3->tmp.cert_req == 1) { - s->state = SSL3_ST_CW_CERT_VRFY_A; - } else { - s->state = SSL3_ST_CW_CHANGE_A; - s->s3->change_cipher_spec = 0; - } - if (s->s3->flags & TLS1_FLAGS_SKIP_CERT_VERIFY) { - s->state = SSL3_ST_CW_CHANGE_A; - s->s3->change_cipher_spec = 0; - } - - s->init_num = 0; - break; - - case SSL3_ST_CW_CERT_VRFY_A: - case SSL3_ST_CW_CERT_VRFY_B: - ret = ssl3_send_client_verify(s); - if (ret <= 0) - goto end; - s->state = SSL3_ST_CW_CHANGE_A; - s->init_num = 0; - s->s3->change_cipher_spec = 0; - break; - - case SSL3_ST_CW_CHANGE_A: - case SSL3_ST_CW_CHANGE_B: - ret = ssl3_send_change_cipher_spec(s, - SSL3_ST_CW_CHANGE_A, SSL3_ST_CW_CHANGE_B); - if (ret <= 0) - goto end; - - if (s->s3->next_proto_neg_seen) - s->state = SSL3_ST_CW_NEXT_PROTO_A; - else - s->state = SSL3_ST_CW_FINISHED_A; - s->init_num = 0; - - s->session->cipher = s->s3->tmp.new_cipher; - if (!s->method->ssl3_enc->setup_key_block(s)) { - ret = -1; - goto end; - } - - if (!s->method->ssl3_enc->change_cipher_state(s, - SSL3_CHANGE_CIPHER_CLIENT_WRITE)) { - ret = -1; - goto end; - } - - break; - - case SSL3_ST_CW_NEXT_PROTO_A: - case SSL3_ST_CW_NEXT_PROTO_B: - ret = ssl3_send_next_proto(s); - if (ret <= 0) - goto end; - s->state = SSL3_ST_CW_FINISHED_A; - break; - - case SSL3_ST_CW_FINISHED_A: - case SSL3_ST_CW_FINISHED_B: - ret = ssl3_send_finished(s, SSL3_ST_CW_FINISHED_A, - SSL3_ST_CW_FINISHED_B, - s->method->ssl3_enc->client_finished_label, - s->method->ssl3_enc->client_finished_label_len); - if (ret <= 0) - goto end; - s->s3->flags |= SSL3_FLAGS_CCS_OK; - s->state = SSL3_ST_CW_FLUSH; - - /* clear flags */ - s->s3->flags &= ~SSL3_FLAGS_POP_BUFFER; - if (s->hit) { - s->s3->tmp.next_state = SSL_ST_OK; - if (s->s3->flags & - SSL3_FLAGS_DELAY_CLIENT_FINISHED) { - s->state = SSL_ST_OK; - s->s3->flags|=SSL3_FLAGS_POP_BUFFER; - s->s3->delay_buf_pop_ret = 0; - } - } else { - /* Allow NewSessionTicket if ticket expected */ - if (s->tlsext_ticket_expected) - s->s3->tmp.next_state = - SSL3_ST_CR_SESSION_TICKET_A; - else - - s->s3->tmp.next_state = SSL3_ST_CR_FINISHED_A; - } - s->init_num = 0; - break; - - case SSL3_ST_CR_SESSION_TICKET_A: - case SSL3_ST_CR_SESSION_TICKET_B: - ret = ssl3_get_new_session_ticket(s); - if (ret <= 0) - goto end; - s->state = SSL3_ST_CR_FINISHED_A; - s->init_num = 0; - break; - - case SSL3_ST_CR_CERT_STATUS_A: - case SSL3_ST_CR_CERT_STATUS_B: - ret = ssl3_get_cert_status(s); - if (ret <= 0) - goto end; - s->state = SSL3_ST_CR_KEY_EXCH_A; - s->init_num = 0; - break; - - case SSL3_ST_CR_FINISHED_A: - case SSL3_ST_CR_FINISHED_B: - s->s3->flags |= SSL3_FLAGS_CCS_OK; - ret = ssl3_get_finished(s, SSL3_ST_CR_FINISHED_A, - SSL3_ST_CR_FINISHED_B); - if (ret <= 0) - goto end; - - if (s->hit) - s->state = SSL3_ST_CW_CHANGE_A; - else - s->state = SSL_ST_OK; - s->init_num = 0; - break; - - case SSL3_ST_CW_FLUSH: - s->rwstate = SSL_WRITING; - if (BIO_flush(s->wbio) <= 0) { - ret = -1; - goto end; - } - s->rwstate = SSL_NOTHING; - s->state = s->s3->tmp.next_state; - break; - - case SSL_ST_OK: - /* clean a few things up */ - tls1_cleanup_key_block(s); - - if (s->init_buf != NULL) { - BUF_MEM_free(s->init_buf); - s->init_buf = NULL; - } - - /* - * If we are not 'joining' the last two packets, - * remove the buffering now - */ - if (!(s->s3->flags & SSL3_FLAGS_POP_BUFFER)) - ssl_free_wbio_buffer(s); - /* else do it later in ssl3_write */ - - s->init_num = 0; - s->renegotiate = 0; - s->new_session = 0; - - ssl_update_cache(s, SSL_SESS_CACHE_CLIENT); - if (s->hit) - s->ctx->stats.sess_hit++; - - ret = 1; - /* s->server=0; */ - s->handshake_func = ssl3_connect; - s->ctx->stats.sess_connect_good++; - - if (cb != NULL) - cb(s, SSL_CB_HANDSHAKE_DONE, 1); - - goto end; - /* break; */ - - default: - SSLerr(SSL_F_SSL3_CONNECT, - SSL_R_UNKNOWN_STATE); - ret = -1; - goto end; - /* break; */ - } - - /* did we do anything */ - if (!s->s3->tmp.reuse_message && !skip) { - if (s->debug) { - if ((ret = BIO_flush(s->wbio)) <= 0) - goto end; - } - - if ((cb != NULL) && (s->state != state)) { - new_state = s->state; - s->state = state; - cb(s, SSL_CB_CONNECT_LOOP, 1); - s->state = new_state; - } - } - skip = 0; - } - -end: - s->in_handshake--; - if (cb != NULL) - cb(s, SSL_CB_CONNECT_EXIT, ret); - - return (ret); -} - -int -ssl3_client_hello(SSL *s) -{ - unsigned char *bufend, *p, *d; - int i; - - if (s->state == SSL3_ST_CW_CLNT_HELLO_A) { - SSL_SESSION *sess = s->session; - - if ((sess == NULL) || - (sess->ssl_version != s->version) || - (!sess->session_id_length && !sess->tlsext_tick) || - (sess->not_resumable)) { - if (!ssl_get_new_session(s, 0)) - goto err; - } - /* else use the pre-loaded session */ - - /* - * If a DTLS ClientHello message is being resent after a - * HelloVerifyRequest, we must retain the original client - * random value. - */ - if (!SSL_IS_DTLS(s) || s->d1->send_cookie == 0) - arc4random_buf(s->s3->client_random, SSL3_RANDOM_SIZE); - - d = p = ssl3_handshake_msg_start(s, SSL3_MT_CLIENT_HELLO); - - /* - * Version indicates the negotiated version: for example from - * an SSLv2/v3 compatible client hello). The client_version - * field is the maximum version we permit and it is also - * used in RSA encrypted premaster secrets. Some servers can - * choke if we initially report a higher version then - * renegotiate to a lower one in the premaster secret. This - * didn't happen with TLS 1.0 as most servers supported it - * but it can with TLS 1.1 or later if the server only supports - * 1.0. - * - * Possible scenario with previous logic: - * 1. Client hello indicates TLS 1.2 - * 2. Server hello says TLS 1.0 - * 3. RSA encrypted premaster secret uses 1.2. - * 4. Handhaked proceeds using TLS 1.0. - * 5. Server sends hello request to renegotiate. - * 6. Client hello indicates TLS v1.0 as we now - * know that is maximum server supports. - * 7. Server chokes on RSA encrypted premaster secret - * containing version 1.0. - * - * For interoperability it should be OK to always use the - * maximum version we support in client hello and then rely - * on the checking of version to ensure the servers isn't - * being inconsistent: for example initially negotiating with - * TLS 1.0 and renegotiating with TLS 1.2. We do this by using - * client_version in client hello and not resetting it to - * the negotiated version. - */ - *(p++) = s->client_version >> 8; - *(p++) = s->client_version & 0xff; - - /* Random stuff */ - memcpy(p, s->s3->client_random, SSL3_RANDOM_SIZE); - p += SSL3_RANDOM_SIZE; - - /* Session ID */ - if (s->new_session) - i = 0; - else - i = s->session->session_id_length; - *(p++) = i; - if (i != 0) { - if (i > (int)sizeof(s->session->session_id)) { - SSLerr(SSL_F_SSL3_CLIENT_HELLO, - ERR_R_INTERNAL_ERROR); - goto err; - } - memcpy(p, s->session->session_id, i); - p += i; - } - - /* DTLS Cookie. */ - if (SSL_IS_DTLS(s)) { - if (s->d1->cookie_len > sizeof(s->d1->cookie)) { - SSLerr(SSL_F_DTLS1_CLIENT_HELLO, - ERR_R_INTERNAL_ERROR); - goto err; - } - *(p++) = s->d1->cookie_len; - memcpy(p, s->d1->cookie, s->d1->cookie_len); - p += s->d1->cookie_len; - } - - /* Ciphers supported */ - i = ssl_cipher_list_to_bytes(s, SSL_get_ciphers(s), &p[2]); - if (i == 0) { - SSLerr(SSL_F_SSL3_CLIENT_HELLO, - SSL_R_NO_CIPHERS_AVAILABLE); - goto err; - } - s2n(i, p); - p += i; - - /* add in (no) COMPRESSION */ - *(p++) = 1; - *(p++) = 0; /* Add the NULL method */ - - /* TLS extensions*/ - bufend = (unsigned char *)s->init_buf->data + - SSL3_RT_MAX_PLAIN_LENGTH; - if ((p = ssl_add_clienthello_tlsext(s, p, bufend)) == NULL) { - SSLerr(SSL_F_SSL3_CLIENT_HELLO, - ERR_R_INTERNAL_ERROR); - goto err; - } - - ssl3_handshake_msg_finish(s, p - d); - - s->state = SSL3_ST_CW_CLNT_HELLO_B; - } - - /* SSL3_ST_CW_CLNT_HELLO_B */ - return (ssl3_handshake_write(s)); - -err: - return (-1); -} - -int -ssl3_get_server_hello(SSL *s) -{ - STACK_OF(SSL_CIPHER) *sk; - const SSL_CIPHER *c; - unsigned char *p, *q, *d; - int i, al, ok; - unsigned int j; - uint16_t cipher_value; - long n; - unsigned long alg_k; - - n = s->method->ssl_get_message(s, SSL3_ST_CR_SRVR_HELLO_A, - SSL3_ST_CR_SRVR_HELLO_B, -1, 20000, /* ?? */ &ok); - - if (!ok) - return ((int)n); - - if (SSL_IS_DTLS(s)) { - if (s->s3->tmp.message_type == DTLS1_MT_HELLO_VERIFY_REQUEST) { - if (s->d1->send_cookie == 0) { - s->s3->tmp.reuse_message = 1; - return (1); - } else { - /* Already sent a cookie. */ - al = SSL_AD_UNEXPECTED_MESSAGE; - SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, - SSL_R_BAD_MESSAGE_TYPE); - goto f_err; - } - } - } - - if (s->s3->tmp.message_type != SSL3_MT_SERVER_HELLO) { - al = SSL_AD_UNEXPECTED_MESSAGE; - SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, - SSL_R_BAD_MESSAGE_TYPE); - goto f_err; - } - - d = p = (unsigned char *)s->init_msg; - - if (2 > n) - goto truncated; - if ((p[0] != (s->version >> 8)) || (p[1] != (s->version & 0xff))) { - SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, SSL_R_WRONG_SSL_VERSION); - s->version = (s->version&0xff00) | p[1]; - al = SSL_AD_PROTOCOL_VERSION; - goto f_err; - } - p += 2; - - /* load the server hello data */ - - if (p + SSL3_RANDOM_SIZE + 1 - d > n) - goto truncated; - - /* load the server random */ - memcpy(s->s3->server_random, p, SSL3_RANDOM_SIZE); - p += SSL3_RANDOM_SIZE; - - /* get the session-id */ - j = *(p++); - - if ((j > sizeof s->session->session_id) || - (j > SSL3_SESSION_ID_SIZE)) { - al = SSL_AD_ILLEGAL_PARAMETER; - SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, - SSL_R_SSL3_SESSION_ID_TOO_LONG); - goto f_err; - } - - if (p + j + 2 - d > n) - goto truncated; - - /* Get the cipher value. */ - q = p + j; - n2s(q, cipher_value); - - /* - * Check if we want to resume the session based on external - * pre-shared secret - */ - if (s->tls_session_secret_cb) { - SSL_CIPHER *pref_cipher = NULL; - s->session->master_key_length = sizeof(s->session->master_key); - if (s->tls_session_secret_cb(s, s->session->master_key, - &s->session->master_key_length, NULL, &pref_cipher, - s->tls_session_secret_cb_arg)) { - s->session->cipher = pref_cipher ? pref_cipher : - ssl3_get_cipher_by_value(cipher_value); - s->s3->flags |= SSL3_FLAGS_CCS_OK; - } - } - - if (j != 0 && j == s->session->session_id_length && - timingsafe_memcmp(p, s->session->session_id, j) == 0) { - if (s->sid_ctx_length != s->session->sid_ctx_length || - timingsafe_memcmp(s->session->sid_ctx, - s->sid_ctx, s->sid_ctx_length) != 0) { - /* actually a client application bug */ - al = SSL_AD_ILLEGAL_PARAMETER; - SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, - SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT); - goto f_err; - } - s->s3->flags |= SSL3_FLAGS_CCS_OK; - s->hit = 1; - } else { - /* a miss or crap from the other end */ - - /* If we were trying for session-id reuse, make a new - * SSL_SESSION so we don't stuff up other people */ - s->hit = 0; - if (s->session->session_id_length > 0) { - if (!ssl_get_new_session(s, 0)) { - al = SSL_AD_INTERNAL_ERROR; - goto f_err; - } - } - s->session->session_id_length = j; - memcpy(s->session->session_id, p, j); /* j could be 0 */ - } - p += j; - - if ((c = ssl3_get_cipher_by_value(cipher_value)) == NULL) { - /* unknown cipher */ - al = SSL_AD_ILLEGAL_PARAMETER; - SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, - SSL_R_UNKNOWN_CIPHER_RETURNED); - goto f_err; - } - - /* TLS v1.2 only ciphersuites require v1.2 or later */ - if ((c->algorithm_ssl & SSL_TLSV1_2) && - (TLS1_get_version(s) < TLS1_2_VERSION)) { - al = SSL_AD_ILLEGAL_PARAMETER; - SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, - SSL_R_WRONG_CIPHER_RETURNED); - goto f_err; - } - p += SSL3_CIPHER_VALUE_SIZE; - - sk = ssl_get_ciphers_by_id(s); - i = sk_SSL_CIPHER_find(sk, c); - if (i < 0) { - /* we did not say we would use this cipher */ - al = SSL_AD_ILLEGAL_PARAMETER; - SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, - SSL_R_WRONG_CIPHER_RETURNED); - goto f_err; - } - - /* - * Depending on the session caching (internal/external), the cipher - * and/or cipher_id values may not be set. Make sure that - * cipher_id is set and use it for comparison. - */ - if (s->session->cipher) - s->session->cipher_id = s->session->cipher->id; - if (s->hit && (s->session->cipher_id != c->id)) { - al = SSL_AD_ILLEGAL_PARAMETER; - SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, - SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED); - goto f_err; - } - s->s3->tmp.new_cipher = c; - /* - * Don't digest cached records if no sigalgs: we may need them for - * client authentication. - */ - alg_k = s->s3->tmp.new_cipher->algorithm_mkey; - if (!(SSL_USE_SIGALGS(s) || (alg_k & SSL_kGOST)) && - !tls1_digest_cached_records(s)) { - al = SSL_AD_INTERNAL_ERROR; - goto f_err; - } - /* lets get the compression algorithm */ - /* COMPRESSION */ - if (p + 1 - d > n) - goto truncated; - if (*(p++) != 0) { - al = SSL_AD_ILLEGAL_PARAMETER; - SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, - SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM); - goto f_err; - } - - /* TLS extensions*/ - if (!ssl_parse_serverhello_tlsext(s, &p, d, n, &al)) { - /* 'al' set by ssl_parse_serverhello_tlsext */ - SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, SSL_R_PARSE_TLSEXT); - goto f_err; - } - if (ssl_check_serverhello_tlsext(s) <= 0) { - SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, SSL_R_SERVERHELLO_TLSEXT); - goto err; - } - - if (p != d + n) - goto truncated; - - return (1); - -truncated: - /* wrong packet length */ - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, SSL_R_BAD_PACKET_LENGTH); -f_err: - ssl3_send_alert(s, SSL3_AL_FATAL, al); -err: - return (-1); -} - -int -ssl3_get_server_certificate(SSL *s) -{ - int al, i, ok, ret = -1; - long n; - CBS cbs, cert_list; - X509 *x = NULL; - const unsigned char *q; - STACK_OF(X509) *sk = NULL; - SESS_CERT *sc; - EVP_PKEY *pkey = NULL; - - n = s->method->ssl_get_message(s, SSL3_ST_CR_CERT_A, - SSL3_ST_CR_CERT_B, -1, s->max_cert_list, &ok); - - if (!ok) - return ((int)n); - - if (s->s3->tmp.message_type == SSL3_MT_SERVER_KEY_EXCHANGE) { - s->s3->tmp.reuse_message = 1; - return (1); - } - - if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE) { - al = SSL_AD_UNEXPECTED_MESSAGE; - SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE, - SSL_R_BAD_MESSAGE_TYPE); - goto f_err; - } - - - if ((sk = sk_X509_new_null()) == NULL) { - SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE, - ERR_R_MALLOC_FAILURE); - goto err; - } - - if (n < 0) - goto truncated; - - CBS_init(&cbs, s->init_msg, n); - if (CBS_len(&cbs) < 3) - goto truncated; - - if (!CBS_get_u24_length_prefixed(&cbs, &cert_list) || - CBS_len(&cbs) != 0) { - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE, - SSL_R_LENGTH_MISMATCH); - goto f_err; - } - - while (CBS_len(&cert_list) > 0) { - CBS cert; - - if (CBS_len(&cert_list) < 3) - goto truncated; - if (!CBS_get_u24_length_prefixed(&cert_list, &cert)) { - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE, - SSL_R_CERT_LENGTH_MISMATCH); - goto f_err; - } - - q = CBS_data(&cert); - x = d2i_X509(NULL, &q, CBS_len(&cert)); - if (x == NULL) { - al = SSL_AD_BAD_CERTIFICATE; - SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE, - ERR_R_ASN1_LIB); - goto f_err; - } - if (q != CBS_data(&cert) + CBS_len(&cert)) { - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE, - SSL_R_CERT_LENGTH_MISMATCH); - goto f_err; - } - if (!sk_X509_push(sk, x)) { - SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE, - ERR_R_MALLOC_FAILURE); - goto err; - } - x = NULL; - } - - i = ssl_verify_cert_chain(s, sk); - if ((s->verify_mode != SSL_VERIFY_NONE) && (i <= 0)) { - al = ssl_verify_alarm_type(s->verify_result); - SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE, - SSL_R_CERTIFICATE_VERIFY_FAILED); - goto f_err; - - } - ERR_clear_error(); /* but we keep s->verify_result */ - - sc = ssl_sess_cert_new(); - if (sc == NULL) - goto err; - if (s->session->sess_cert) - ssl_sess_cert_free(s->session->sess_cert); - s->session->sess_cert = sc; - - sc->cert_chain = sk; - /* - * Inconsistency alert: cert_chain does include the peer's - * certificate, which we don't include in s3_srvr.c - */ - x = sk_X509_value(sk, 0); - sk = NULL; - /* VRS 19990621: possible memory leak; sk=null ==> !sk_pop_free() @end*/ - - pkey = X509_get_pubkey(x); - - if (pkey == NULL || EVP_PKEY_missing_parameters(pkey)) { - x = NULL; - al = SSL3_AL_FATAL; - SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE, - SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS); - goto f_err; - } - - i = ssl_cert_type(x, pkey); - if (i < 0) { - x = NULL; - al = SSL3_AL_FATAL; - SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE, - SSL_R_UNKNOWN_CERTIFICATE_TYPE); - goto f_err; - } - - sc->peer_cert_type = i; - CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509); - /* - * Why would the following ever happen? - * We just created sc a couple of lines ago. - */ - X509_free(sc->peer_pkeys[i].x509); - sc->peer_pkeys[i].x509 = x; - sc->peer_key = &(sc->peer_pkeys[i]); - - X509_free(s->session->peer); - CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509); - s->session->peer = x; - s->session->verify_result = s->verify_result; - - x = NULL; - ret = 1; - - if (0) { -truncated: - /* wrong packet length */ - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE, - SSL_R_BAD_PACKET_LENGTH); -f_err: - ssl3_send_alert(s, SSL3_AL_FATAL, al); - } -err: - EVP_PKEY_free(pkey); - X509_free(x); - sk_X509_pop_free(sk, X509_free); - return (ret); -} - -int -ssl3_get_key_exchange(SSL *s) -{ - unsigned char *q, md_buf[EVP_MAX_MD_SIZE*2]; - EVP_MD_CTX md_ctx; - unsigned char *param, *p; - int al, i, j, param_len, ok; - long n, alg_k, alg_a; - EVP_PKEY *pkey = NULL; - const EVP_MD *md = NULL; - RSA *rsa = NULL; - DH *dh = NULL; - EC_KEY *ecdh = NULL; - BN_CTX *bn_ctx = NULL; - EC_POINT *srvr_ecpoint = NULL; - int curve_nid = 0; - int encoded_pt_len = 0; - - alg_k = s->s3->tmp.new_cipher->algorithm_mkey; - alg_a = s->s3->tmp.new_cipher->algorithm_auth; - - /* - * Use same message size as in ssl3_get_certificate_request() - * as ServerKeyExchange message may be skipped. - */ - n = s->method->ssl_get_message(s, SSL3_ST_CR_KEY_EXCH_A, - SSL3_ST_CR_KEY_EXCH_B, -1, s->max_cert_list, &ok); - if (!ok) - return ((int)n); - - EVP_MD_CTX_init(&md_ctx); - - if (s->s3->tmp.message_type != SSL3_MT_SERVER_KEY_EXCHANGE) { - /* - * Do not skip server key exchange if this cipher suite uses - * ephemeral keys. - */ - if (alg_k & (SSL_kDHE|SSL_kECDHE)) { - SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, - SSL_R_UNEXPECTED_MESSAGE); - al = SSL_AD_UNEXPECTED_MESSAGE; - goto f_err; - } - - s->s3->tmp.reuse_message = 1; - EVP_MD_CTX_cleanup(&md_ctx); - return (1); - } - - if (s->session->sess_cert != NULL) { - DH_free(s->session->sess_cert->peer_dh_tmp); - s->session->sess_cert->peer_dh_tmp = NULL; - - EC_KEY_free(s->session->sess_cert->peer_ecdh_tmp); - s->session->sess_cert->peer_ecdh_tmp = NULL; - } else { - s->session->sess_cert = ssl_sess_cert_new(); - if (s->session->sess_cert == NULL) - goto err; - } - - param = p = (unsigned char *)s->init_msg; - param_len = 0; - - if (alg_k & SSL_kDHE) { - if ((dh = DH_new()) == NULL) { - SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, - ERR_R_DH_LIB); - goto err; - } - if (2 > n) - goto truncated; - n2s(p, i); - param_len = i + 2; - if (param_len > n) { - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, - SSL_R_BAD_DH_P_LENGTH); - goto f_err; - } - if (!(dh->p = BN_bin2bn(p, i, NULL))) { - SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, - ERR_R_BN_LIB); - goto err; - } - p += i; - - if (param_len + 2 > n) - goto truncated; - n2s(p, i); - param_len += i + 2; - if (param_len > n) { - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, - SSL_R_BAD_DH_G_LENGTH); - goto f_err; - } - if (!(dh->g = BN_bin2bn(p, i, NULL))) { - SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, - ERR_R_BN_LIB); - goto err; - } - p += i; - - if (param_len + 2 > n) - goto truncated; - n2s(p, i); - param_len += i + 2; - if (param_len > n) { - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, - SSL_R_BAD_DH_PUB_KEY_LENGTH); - goto f_err; - } - if (!(dh->pub_key = BN_bin2bn(p, i, NULL))) { - SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, - ERR_R_BN_LIB); - goto err; - } - p += i; - n -= param_len; - - /* - * Check the strength of the DH key just constructed. - * Discard keys weaker than 1024 bits. - */ - - if (DH_size(dh) < 1024 / 8) { - SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, - SSL_R_BAD_DH_P_LENGTH); - goto err; - } - - if (alg_a & SSL_aRSA) - pkey = X509_get_pubkey( - s->session->sess_cert->peer_pkeys[ - SSL_PKEY_RSA_ENC].x509); - else if (alg_a & SSL_aDSS) - pkey = X509_get_pubkey( - s->session->sess_cert->peer_pkeys[ - SSL_PKEY_DSA_SIGN].x509); - /* else anonymous DH, so no certificate or pkey. */ - - s->session->sess_cert->peer_dh_tmp = dh; - dh = NULL; - } else if (alg_k & SSL_kECDHE) { - const EC_GROUP *group; - EC_GROUP *ngroup; - - if ((ecdh = EC_KEY_new()) == NULL) { - SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, - ERR_R_MALLOC_FAILURE); - goto err; - } - - /* - * Extract elliptic curve parameters and the - * server's ephemeral ECDH public key. - * Keep accumulating lengths of various components in - * param_len and make sure it never exceeds n. - */ - - /* - * XXX: For now we only support named (not generic) curves - * and the ECParameters in this case is just three bytes. - */ - param_len = 3; - if (param_len > n) { - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, - SSL_R_LENGTH_TOO_SHORT); - goto f_err; - } - - /* - * Check curve is one of our preferences, if not server has - * sent an invalid curve. - */ - if (tls1_check_curve(s, p, param_len) != 1) { - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_WRONG_CURVE); - goto f_err; - } - - if ((curve_nid = tls1_ec_curve_id2nid(*(p + 2))) == 0) { - al = SSL_AD_INTERNAL_ERROR; - SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, - SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS); - goto f_err; - } - - ngroup = EC_GROUP_new_by_curve_name(curve_nid); - if (ngroup == NULL) { - SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, - ERR_R_EC_LIB); - goto err; - } - if (EC_KEY_set_group(ecdh, ngroup) == 0) { - SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, - ERR_R_EC_LIB); - goto err; - } - EC_GROUP_free(ngroup); - - group = EC_KEY_get0_group(ecdh); - - p += 3; - - /* Next, get the encoded ECPoint */ - if (((srvr_ecpoint = EC_POINT_new(group)) == NULL) || - ((bn_ctx = BN_CTX_new()) == NULL)) { - SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, - ERR_R_MALLOC_FAILURE); - goto err; - } - - if (param_len + 1 > n) - goto truncated; - encoded_pt_len = *p; - /* length of encoded point */ - p += 1; - param_len += (1 + encoded_pt_len); - if ((param_len > n) || (EC_POINT_oct2point(group, srvr_ecpoint, - p, encoded_pt_len, bn_ctx) == 0)) { - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, - SSL_R_BAD_ECPOINT); - goto f_err; - } - - n -= param_len; - p += encoded_pt_len; - - /* - * The ECC/TLS specification does not mention the use - * of DSA to sign ECParameters in the server key - * exchange message. We do support RSA and ECDSA. - */ - if (alg_a & SSL_aRSA) - pkey = X509_get_pubkey( - s->session->sess_cert->peer_pkeys[ - SSL_PKEY_RSA_ENC].x509); - else if (alg_a & SSL_aECDSA) - pkey = X509_get_pubkey( - s->session->sess_cert->peer_pkeys[ - SSL_PKEY_ECC].x509); - /* Else anonymous ECDH, so no certificate or pkey. */ - EC_KEY_set_public_key(ecdh, srvr_ecpoint); - s->session->sess_cert->peer_ecdh_tmp = ecdh; - ecdh = NULL; - BN_CTX_free(bn_ctx); - bn_ctx = NULL; - EC_POINT_free(srvr_ecpoint); - srvr_ecpoint = NULL; - } else if (alg_k) { - al = SSL_AD_UNEXPECTED_MESSAGE; - SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, - SSL_R_UNEXPECTED_MESSAGE); - goto f_err; - } - - /* p points to the next byte, there are 'n' bytes left */ - - /* if it was signed, check the signature */ - if (pkey != NULL) { - if (SSL_USE_SIGALGS(s)) { - int sigalg = tls12_get_sigid(pkey); - /* Should never happen */ - if (sigalg == -1) { - SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, - ERR_R_INTERNAL_ERROR); - goto err; - } - /* - * Check key type is consistent - * with signature - */ - if (2 > n) - goto truncated; - if (sigalg != (int)p[1]) { - SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, - SSL_R_WRONG_SIGNATURE_TYPE); - al = SSL_AD_DECODE_ERROR; - goto f_err; - } - md = tls12_get_hash(p[0]); - if (md == NULL) { - SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, - SSL_R_UNKNOWN_DIGEST); - al = SSL_AD_DECODE_ERROR; - goto f_err; - } - p += 2; - n -= 2; - } else - md = EVP_sha1(); - - if (2 > n) - goto truncated; - n2s(p, i); - n -= 2; - j = EVP_PKEY_size(pkey); - - if (i != n || n > j) { - /* wrong packet length */ - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, - SSL_R_WRONG_SIGNATURE_LENGTH); - goto f_err; - } - - if (pkey->type == EVP_PKEY_RSA && !SSL_USE_SIGALGS(s)) { - int num; - - j = 0; - q = md_buf; - for (num = 2; num > 0; num--) { - if (!EVP_DigestInit_ex(&md_ctx, - (num == 2) ? s->ctx->md5 : s->ctx->sha1, - NULL)) { - al = SSL_AD_INTERNAL_ERROR; - goto f_err; - } - EVP_DigestUpdate(&md_ctx, - s->s3->client_random, - SSL3_RANDOM_SIZE); - EVP_DigestUpdate(&md_ctx, - s->s3->server_random, - SSL3_RANDOM_SIZE); - EVP_DigestUpdate(&md_ctx, param, param_len); - EVP_DigestFinal_ex(&md_ctx, q, - (unsigned int *)&i); - q += i; - j += i; - } - i = RSA_verify(NID_md5_sha1, md_buf, j, - p, n, pkey->pkey.rsa); - if (i < 0) { - al = SSL_AD_DECRYPT_ERROR; - SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, - SSL_R_BAD_RSA_DECRYPT); - goto f_err; - } - if (i == 0) { - /* bad signature */ - al = SSL_AD_DECRYPT_ERROR; - SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, - SSL_R_BAD_SIGNATURE); - goto f_err; - } - } else { - EVP_VerifyInit_ex(&md_ctx, md, NULL); - EVP_VerifyUpdate(&md_ctx, s->s3->client_random, - SSL3_RANDOM_SIZE); - EVP_VerifyUpdate(&md_ctx, s->s3->server_random, - SSL3_RANDOM_SIZE); - EVP_VerifyUpdate(&md_ctx, param, param_len); - if (EVP_VerifyFinal(&md_ctx, p,(int)n, pkey) <= 0) { - /* bad signature */ - al = SSL_AD_DECRYPT_ERROR; - SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, - SSL_R_BAD_SIGNATURE); - goto f_err; - } - } - } else { - /* aNULL does not need public keys. */ - if (!(alg_a & SSL_aNULL)) { - SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, - ERR_R_INTERNAL_ERROR); - goto err; - } - /* still data left over */ - if (n != 0) { - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, - SSL_R_EXTRA_DATA_IN_MESSAGE); - goto f_err; - } - } - EVP_PKEY_free(pkey); - EVP_MD_CTX_cleanup(&md_ctx); - return (1); -truncated: - /* wrong packet length */ - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_PACKET_LENGTH); -f_err: - ssl3_send_alert(s, SSL3_AL_FATAL, al); -err: - EVP_PKEY_free(pkey); - RSA_free(rsa); - DH_free(dh); - BN_CTX_free(bn_ctx); - EC_POINT_free(srvr_ecpoint); - EC_KEY_free(ecdh); - EVP_MD_CTX_cleanup(&md_ctx); - return (-1); -} - -int -ssl3_get_certificate_request(SSL *s) -{ - int ok, ret = 0; - long n; - uint8_t ctype_num; - CBS cert_request, ctypes, rdn_list; - X509_NAME *xn = NULL; - const unsigned char *q; - STACK_OF(X509_NAME) *ca_sk = NULL; - - n = s->method->ssl_get_message(s, SSL3_ST_CR_CERT_REQ_A, - SSL3_ST_CR_CERT_REQ_B, -1, s->max_cert_list, &ok); - - if (!ok) - return ((int)n); - - s->s3->tmp.cert_req = 0; - - if (s->s3->tmp.message_type == SSL3_MT_SERVER_DONE) { - s->s3->tmp.reuse_message = 1; - /* - * If we get here we don't need any cached handshake records - * as we wont be doing client auth. - */ - if (s->s3->handshake_buffer) { - if (!tls1_digest_cached_records(s)) - goto err; - } - return (1); - } - - if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE_REQUEST) { - ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE); - SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST, - SSL_R_WRONG_MESSAGE_TYPE); - goto err; - } - - /* TLS does not like anon-DH with client cert */ - if (s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) { - ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE); - SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST, - SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER); - goto err; - } - - if (n < 0) - goto truncated; - CBS_init(&cert_request, s->init_msg, n); - - if ((ca_sk = sk_X509_NAME_new(ca_dn_cmp)) == NULL) { - SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST, - ERR_R_MALLOC_FAILURE); - goto err; - } - - /* get the certificate types */ - if (!CBS_get_u8(&cert_request, &ctype_num)) - goto truncated; - - if (ctype_num > SSL3_CT_NUMBER) - ctype_num = SSL3_CT_NUMBER; - if (!CBS_get_bytes(&cert_request, &ctypes, ctype_num) || - !CBS_write_bytes(&ctypes, s->s3->tmp.ctype, - sizeof(s->s3->tmp.ctype), NULL)) { - SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST, - SSL_R_DATA_LENGTH_TOO_LONG); - goto err; - } - - if (SSL_USE_SIGALGS(s)) { - CBS sigalgs; - - if (CBS_len(&cert_request) < 2) { - SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST, - SSL_R_DATA_LENGTH_TOO_LONG); - goto err; - } - - /* Check we have enough room for signature algorithms and - * following length value. - */ - if (!CBS_get_u16_length_prefixed(&cert_request, &sigalgs)) { - ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); - SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST, - SSL_R_DATA_LENGTH_TOO_LONG); - goto err; - } - if ((CBS_len(&sigalgs) & 1) || - !tls1_process_sigalgs(s, CBS_data(&sigalgs), - CBS_len(&sigalgs))) { - ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); - SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST, - SSL_R_SIGNATURE_ALGORITHMS_ERROR); - goto err; - } - } - - /* get the CA RDNs */ - if (CBS_len(&cert_request) < 2) { - SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST, - SSL_R_DATA_LENGTH_TOO_LONG); - goto err; - } - - if (!CBS_get_u16_length_prefixed(&cert_request, &rdn_list) || - CBS_len(&cert_request) != 0) { - ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); - SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST, - SSL_R_LENGTH_MISMATCH); - goto err; - } - - while (CBS_len(&rdn_list) > 0) { - CBS rdn; - - if (CBS_len(&rdn_list) < 2) { - SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST, - SSL_R_DATA_LENGTH_TOO_LONG); - goto err; - } - - if (!CBS_get_u16_length_prefixed(&rdn_list, &rdn)) { - ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); - SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST, - SSL_R_CA_DN_TOO_LONG); - goto err; - } - - q = CBS_data(&rdn); - if ((xn = d2i_X509_NAME(NULL, &q, CBS_len(&rdn))) == NULL) { - ssl3_send_alert(s, SSL3_AL_FATAL, - SSL_AD_DECODE_ERROR); - SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST, - ERR_R_ASN1_LIB); - goto err; - } - - if (q != CBS_data(&rdn) + CBS_len(&rdn)) { - ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); - SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST, - SSL_R_CA_DN_LENGTH_MISMATCH); - goto err; - } - if (!sk_X509_NAME_push(ca_sk, xn)) { - SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST, - ERR_R_MALLOC_FAILURE); - goto err; - } - xn = NULL; /* avoid free in err block */ - } - - /* we should setup a certificate to return.... */ - s->s3->tmp.cert_req = 1; - s->s3->tmp.ctype_num = ctype_num; - if (s->s3->tmp.ca_names != NULL) - sk_X509_NAME_pop_free(s->s3->tmp.ca_names, X509_NAME_free); - s->s3->tmp.ca_names = ca_sk; - ca_sk = NULL; - - ret = 1; - if (0) { -truncated: - SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST, - SSL_R_BAD_PACKET_LENGTH); - } -err: - X509_NAME_free(xn); - if (ca_sk != NULL) - sk_X509_NAME_pop_free(ca_sk, X509_NAME_free); - return (ret); -} - -static int -ca_dn_cmp(const X509_NAME * const *a, const X509_NAME * const *b) -{ - return (X509_NAME_cmp(*a, *b)); -} - -int -ssl3_get_new_session_ticket(SSL *s) -{ - int ok, al, ret = 0; - uint32_t lifetime_hint; - long n; - CBS cbs, session_ticket; - - n = s->method->ssl_get_message(s, SSL3_ST_CR_SESSION_TICKET_A, - SSL3_ST_CR_SESSION_TICKET_B, -1, 16384, &ok); - if (!ok) - return ((int)n); - - if (s->s3->tmp.message_type == SSL3_MT_FINISHED) { - s->s3->tmp.reuse_message = 1; - return (1); - } - if (s->s3->tmp.message_type != SSL3_MT_NEWSESSION_TICKET) { - al = SSL_AD_UNEXPECTED_MESSAGE; - SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET, - SSL_R_BAD_MESSAGE_TYPE); - goto f_err; - } - - if (n < 0) { - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET, - SSL_R_LENGTH_MISMATCH); - goto f_err; - } - - CBS_init(&cbs, s->init_msg, n); - if (!CBS_get_u32(&cbs, &lifetime_hint) || -#if UINT32_MAX > LONG_MAX - lifetime_hint > LONG_MAX || -#endif - !CBS_get_u16_length_prefixed(&cbs, &session_ticket) || - CBS_len(&cbs) != 0) { - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET, - SSL_R_LENGTH_MISMATCH); - goto f_err; - } - s->session->tlsext_tick_lifetime_hint = (long)lifetime_hint; - - if (!CBS_stow(&session_ticket, &s->session->tlsext_tick, - &s->session->tlsext_ticklen)) { - SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET, - ERR_R_MALLOC_FAILURE); - goto err; - } - - /* - * There are two ways to detect a resumed ticket sesion. - * One is to set an appropriate session ID and then the server - * must return a match in ServerHello. This allows the normal - * client session ID matching to work and we know much - * earlier that the ticket has been accepted. - * - * The other way is to set zero length session ID when the - * ticket is presented and rely on the handshake to determine - * session resumption. - * - * We choose the former approach because this fits in with - * assumptions elsewhere in OpenSSL. The session ID is set - * to the SHA256 (or SHA1 is SHA256 is disabled) hash of the - * ticket. - */ - EVP_Digest(CBS_data(&session_ticket), CBS_len(&session_ticket), - s->session->session_id, &s->session->session_id_length, - EVP_sha256(), NULL); - ret = 1; - return (ret); -f_err: - ssl3_send_alert(s, SSL3_AL_FATAL, al); -err: - return (-1); -} - -int -ssl3_get_cert_status(SSL *s) -{ - CBS cert_status, response; - size_t stow_len; - int ok, al; - long n; - uint8_t status_type; - - n = s->method->ssl_get_message(s, SSL3_ST_CR_CERT_STATUS_A, - SSL3_ST_CR_CERT_STATUS_B, SSL3_MT_CERTIFICATE_STATUS, - 16384, &ok); - - if (!ok) - return ((int)n); - - if (n < 0) { - /* need at least status type + length */ - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_SSL3_GET_CERT_STATUS, - SSL_R_LENGTH_MISMATCH); - goto f_err; - } - - CBS_init(&cert_status, s->init_msg, n); - if (!CBS_get_u8(&cert_status, &status_type) || - CBS_len(&cert_status) < 3) { - /* need at least status type + length */ - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_SSL3_GET_CERT_STATUS, - SSL_R_LENGTH_MISMATCH); - goto f_err; - } - - if (status_type != TLSEXT_STATUSTYPE_ocsp) { - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_SSL3_GET_CERT_STATUS, - SSL_R_UNSUPPORTED_STATUS_TYPE); - goto f_err; - } - - if (!CBS_get_u24_length_prefixed(&cert_status, &response) || - CBS_len(&cert_status) != 0) { - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_SSL3_GET_CERT_STATUS, - SSL_R_LENGTH_MISMATCH); - goto f_err; - } - - if (!CBS_stow(&response, &s->tlsext_ocsp_resp, - &stow_len) || stow_len > INT_MAX) { - s->tlsext_ocsp_resplen = 0; - al = SSL_AD_INTERNAL_ERROR; - SSLerr(SSL_F_SSL3_GET_CERT_STATUS, - ERR_R_MALLOC_FAILURE); - goto f_err; - } - s->tlsext_ocsp_resplen = (int)stow_len; - - if (s->ctx->tlsext_status_cb) { - int ret; - ret = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg); - if (ret == 0) { - al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE; - SSLerr(SSL_F_SSL3_GET_CERT_STATUS, - SSL_R_INVALID_STATUS_RESPONSE); - goto f_err; - } - if (ret < 0) { - al = SSL_AD_INTERNAL_ERROR; - SSLerr(SSL_F_SSL3_GET_CERT_STATUS, - ERR_R_MALLOC_FAILURE); - goto f_err; - } - } - return (1); -f_err: - ssl3_send_alert(s, SSL3_AL_FATAL, al); - return (-1); -} - -int -ssl3_get_server_done(SSL *s) -{ - int ok, ret = 0; - long n; - - n = s->method->ssl_get_message(s, SSL3_ST_CR_SRVR_DONE_A, - SSL3_ST_CR_SRVR_DONE_B, SSL3_MT_SERVER_DONE, - 30, /* should be very small, like 0 :-) */ &ok); - - if (!ok) - return ((int)n); - if (n > 0) { - /* should contain no data */ - ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); - SSLerr(SSL_F_SSL3_GET_SERVER_DONE, SSL_R_LENGTH_MISMATCH); - return (-1); - } - ret = 1; - return (ret); -} - -static int -ssl3_send_client_kex_rsa(SSL *s, SESS_CERT *sess_cert, unsigned char *p, - int *outlen) -{ - unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH]; - EVP_PKEY *pkey = NULL; - unsigned char *q; - int ret = -1; - int n; - - pkey = X509_get_pubkey(sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509); - if (pkey == NULL || pkey->type != EVP_PKEY_RSA || - pkey->pkey.rsa == NULL) { - SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, - ERR_R_INTERNAL_ERROR); - goto err; - } - - tmp_buf[0] = s->client_version >> 8; - tmp_buf[1] = s->client_version & 0xff; - arc4random_buf(&tmp_buf[2], sizeof(tmp_buf) - 2); - - s->session->master_key_length = sizeof(tmp_buf); - - q = p; - p += 2; - - n = RSA_public_encrypt(sizeof(tmp_buf), tmp_buf, p, pkey->pkey.rsa, - RSA_PKCS1_PADDING); - if (n <= 0) { - SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, - SSL_R_BAD_RSA_ENCRYPT); - goto err; - } - - s2n(n, q); - n += 2; - - s->session->master_key_length = - s->method->ssl3_enc->generate_master_secret(s, - s->session->master_key, tmp_buf, sizeof(tmp_buf)); - - *outlen = n; - ret = 1; - -err: - explicit_bzero(tmp_buf, sizeof(tmp_buf)); - EVP_PKEY_free(pkey); - - return (ret); -} - -static int -ssl3_send_client_kex_dhe(SSL *s, SESS_CERT *sess_cert, unsigned char *p, - int *outlen) -{ - DH *dh_srvr = NULL, *dh_clnt = NULL; - unsigned char *key = NULL; - int key_size, n; - int ret = -1; - - /* Ensure that we have an ephemeral key for DHE. */ - if (sess_cert->peer_dh_tmp == NULL) { - ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE); - SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, - SSL_R_UNABLE_TO_FIND_DH_PARAMETERS); - goto err; - } - dh_srvr = sess_cert->peer_dh_tmp; - - /* Generate a new random key. */ - if ((dh_clnt = DHparams_dup(dh_srvr)) == NULL) { - SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_DH_LIB); - goto err; - } - if (!DH_generate_key(dh_clnt)) { - SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_DH_LIB); - goto err; - } - key_size = DH_size(dh_clnt); - if ((key = malloc(key_size)) == NULL) { - SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, - ERR_R_MALLOC_FAILURE); - goto err; - } - n = DH_compute_key(key, dh_srvr->pub_key, dh_clnt); - if (n <= 0) { - SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_DH_LIB); - goto err; - } - - /* Generate master key from the result. */ - s->session->master_key_length = - s->method->ssl3_enc->generate_master_secret(s, - s->session->master_key, key, n); - - /* Send off the data. */ - n = BN_num_bytes(dh_clnt->pub_key); - s2n(n, p); - BN_bn2bin(dh_clnt->pub_key, p); - n += 2; - - *outlen = n; - ret = 1; - -err: - DH_free(dh_clnt); - if (key != NULL) - explicit_bzero(key, key_size); - free(key); - - return (ret); -} - -static int -ssl3_send_client_kex_ecdh(SSL *s, SESS_CERT *sess_cert, unsigned char *p, - int *outlen) -{ - EC_KEY *tkey, *clnt_ecdh = NULL; - const EC_GROUP *srvr_group = NULL; - const EC_POINT *srvr_ecpoint = NULL; - EVP_PKEY *srvr_pub_pkey = NULL; - BN_CTX *bn_ctx = NULL; - unsigned char *encodedPoint = NULL; - unsigned char *key = NULL; - unsigned long alg_k; - int encoded_pt_len = 0; - int key_size, n; - int ret = -1; - - alg_k = s->s3->tmp.new_cipher->algorithm_mkey; - - /* Ensure that we have an ephemeral key for ECDHE. */ - if ((alg_k & SSL_kECDHE) && sess_cert->peer_ecdh_tmp == NULL) { - ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE); - SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, - ERR_R_INTERNAL_ERROR); - goto err; - } - tkey = sess_cert->peer_ecdh_tmp; - - if (alg_k & (SSL_kECDHr|SSL_kECDHe)) { - /* Get the Server Public Key from certificate. */ - srvr_pub_pkey = X509_get_pubkey( - sess_cert->peer_pkeys[SSL_PKEY_ECC].x509); - if (srvr_pub_pkey != NULL && srvr_pub_pkey->type == EVP_PKEY_EC) - tkey = srvr_pub_pkey->pkey.ec; - } - - if (tkey == NULL) { - SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, - ERR_R_INTERNAL_ERROR); - goto err; - } - - srvr_group = EC_KEY_get0_group(tkey); - srvr_ecpoint = EC_KEY_get0_public_key(tkey); - - if (srvr_group == NULL || srvr_ecpoint == NULL) { - SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, - ERR_R_INTERNAL_ERROR); - goto err; - } - - if ((clnt_ecdh = EC_KEY_new()) == NULL) { - SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, - ERR_R_MALLOC_FAILURE); - goto err; - } - - if (!EC_KEY_set_group(clnt_ecdh, srvr_group)) { - SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_EC_LIB); - goto err; - } - - /* Generate a new ECDH key pair. */ - if (!(EC_KEY_generate_key(clnt_ecdh))) { - SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_ECDH_LIB); - goto err; - } - key_size = ECDH_size(clnt_ecdh); - if (key_size <= 0) { - SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_ECDH_LIB); - goto err; - } - if ((key = malloc(key_size)) == NULL) { - SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, - ERR_R_MALLOC_FAILURE); - } - n = ECDH_compute_key(key, key_size, srvr_ecpoint, clnt_ecdh, NULL); - if (n <= 0) { - SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_ECDH_LIB); - goto err; - } - - /* Generate master key from the result. */ - s->session->master_key_length = - s->method->ssl3_enc->generate_master_secret(s, - s->session->master_key, key, n); - - /* - * First check the size of encoding and allocate memory accordingly. - */ - encoded_pt_len = EC_POINT_point2oct(srvr_group, - EC_KEY_get0_public_key(clnt_ecdh), - POINT_CONVERSION_UNCOMPRESSED, NULL, 0, NULL); - - bn_ctx = BN_CTX_new(); - encodedPoint = malloc(encoded_pt_len); - if (encodedPoint == NULL || bn_ctx == NULL) { - SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, - ERR_R_MALLOC_FAILURE); - goto err; - } - - /* Encode the public key */ - n = EC_POINT_point2oct(srvr_group, EC_KEY_get0_public_key(clnt_ecdh), - POINT_CONVERSION_UNCOMPRESSED, encodedPoint, encoded_pt_len, - bn_ctx); - - *p = n; /* length of encoded point */ - /* Encoded point will be copied here */ - p += 1; - - /* copy the point */ - memcpy((unsigned char *)p, encodedPoint, n); - /* increment n to account for length field */ - n += 1; - - *outlen = n; - ret = 1; - -err: - if (key != NULL) - explicit_bzero(key, key_size); - free(key); - - BN_CTX_free(bn_ctx); - free(encodedPoint); - EC_KEY_free(clnt_ecdh); - EVP_PKEY_free(srvr_pub_pkey); - - return (ret); -} - -static int -ssl3_send_client_kex_gost(SSL *s, SESS_CERT *sess_cert, unsigned char *p, - int *outlen) -{ - unsigned char premaster_secret[32], shared_ukm[32], tmp[256]; - EVP_PKEY *pub_key = NULL; - EVP_PKEY_CTX *pkey_ctx; - X509 *peer_cert; - size_t msglen; - unsigned int md_len; - EVP_MD_CTX *ukm_hash; - int ret = -1; - int nid; - int n; - - /* Get server sertificate PKEY and create ctx from it */ - peer_cert = sess_cert->peer_pkeys[SSL_PKEY_GOST01].x509; - if (peer_cert == NULL) { - SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, - SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER); - goto err; - } - - pub_key = X509_get_pubkey(peer_cert); - pkey_ctx = EVP_PKEY_CTX_new(pub_key, NULL); - - /* - * If we have send a certificate, and certificate key parameters match - * those of server certificate, use certificate key for key exchange. - * Otherwise, generate ephemeral key pair. - */ - EVP_PKEY_encrypt_init(pkey_ctx); - - /* Generate session key. */ - arc4random_buf(premaster_secret, 32); - - /* - * If we have client certificate, use its secret as peer key. - */ - if (s->s3->tmp.cert_req && s->cert->key->privatekey) { - if (EVP_PKEY_derive_set_peer(pkey_ctx, - s->cert->key->privatekey) <=0) { - /* - * If there was an error - just ignore it. - * Ephemeral key would be used. - */ - ERR_clear_error(); - } - } - - /* - * Compute shared IV and store it in algorithm-specific context data. - */ - ukm_hash = EVP_MD_CTX_create(); - if (ukm_hash == NULL) { - SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, - ERR_R_MALLOC_FAILURE); - goto err; - } - - if (ssl_get_algorithm2(s) & SSL_HANDSHAKE_MAC_GOST94) - nid = NID_id_GostR3411_94; - else - nid = NID_id_tc26_gost3411_2012_256; - if (!EVP_DigestInit(ukm_hash, EVP_get_digestbynid(nid))) - goto err; - EVP_DigestUpdate(ukm_hash, s->s3->client_random, SSL3_RANDOM_SIZE); - EVP_DigestUpdate(ukm_hash, s->s3->server_random, SSL3_RANDOM_SIZE); - EVP_DigestFinal_ex(ukm_hash, shared_ukm, &md_len); - EVP_MD_CTX_destroy(ukm_hash); - if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, EVP_PKEY_OP_ENCRYPT, - EVP_PKEY_CTRL_SET_IV, 8, shared_ukm) < 0) { - SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, SSL_R_LIBRARY_BUG); - goto err; - } - - /* - * Make GOST keytransport blob message, encapsulate it into sequence. - */ - *(p++) = V_ASN1_SEQUENCE | V_ASN1_CONSTRUCTED; - msglen = 255; - if (EVP_PKEY_encrypt(pkey_ctx, tmp, &msglen, premaster_secret, - 32) < 0) { - SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, SSL_R_LIBRARY_BUG); - goto err; - } - if (msglen >= 0x80) { - *(p++) = 0x81; - *(p++) = msglen & 0xff; - n = msglen + 3; - } else { - *(p++) = msglen & 0xff; - n = msglen + 2; - } - memcpy(p, tmp, msglen); - - /* Check if pubkey from client certificate was used. */ - if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, -1, EVP_PKEY_CTRL_PEER_KEY, 2, - NULL) > 0) { - /* Set flag "skip certificate verify". */ - s->s3->flags |= TLS1_FLAGS_SKIP_CERT_VERIFY; - } - EVP_PKEY_CTX_free(pkey_ctx); - s->session->master_key_length = - s->method->ssl3_enc->generate_master_secret(s, - s->session->master_key, premaster_secret, 32); - - *outlen = n; - ret = 1; - -err: - explicit_bzero(premaster_secret, sizeof(premaster_secret)); - EVP_PKEY_free(pub_key); - - return (ret); -} - -int -ssl3_send_client_key_exchange(SSL *s) -{ - SESS_CERT *sess_cert; - unsigned long alg_k; - unsigned char *p; - int n = 0; - - if (s->state == SSL3_ST_CW_KEY_EXCH_A) { - p = ssl3_handshake_msg_start(s, SSL3_MT_CLIENT_KEY_EXCHANGE); - - alg_k = s->s3->tmp.new_cipher->algorithm_mkey; - - if ((sess_cert = s->session->sess_cert) == NULL) { - ssl3_send_alert(s, SSL3_AL_FATAL, - SSL_AD_UNEXPECTED_MESSAGE); - SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, - ERR_R_INTERNAL_ERROR); - goto err; - } - - if (alg_k & SSL_kRSA) { - if (ssl3_send_client_kex_rsa(s, sess_cert, p, &n) != 1) - goto err; - } else if (alg_k & SSL_kDHE) { - if (ssl3_send_client_kex_dhe(s, sess_cert, p, &n) != 1) - goto err; - } else if (alg_k & (SSL_kECDHE|SSL_kECDHr|SSL_kECDHe)) { - if (ssl3_send_client_kex_ecdh(s, sess_cert, p, &n) != 1) - goto err; - } else if (alg_k & SSL_kGOST) { - if (ssl3_send_client_kex_gost(s, sess_cert, p, &n) != 1) - goto err; - } else { - ssl3_send_alert(s, SSL3_AL_FATAL, - SSL_AD_HANDSHAKE_FAILURE); - SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, - ERR_R_INTERNAL_ERROR); - goto err; - } - - ssl3_handshake_msg_finish(s, n); - - s->state = SSL3_ST_CW_KEY_EXCH_B; - } - - /* SSL3_ST_CW_KEY_EXCH_B */ - return (ssl3_handshake_write(s)); - -err: - return (-1); -} - -int -ssl3_send_client_verify(SSL *s) -{ - unsigned char *p; - unsigned char data[MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH]; - EVP_PKEY *pkey; - EVP_PKEY_CTX *pctx = NULL; - EVP_MD_CTX mctx; - unsigned u = 0; - unsigned long n; - int j; - - EVP_MD_CTX_init(&mctx); - - if (s->state == SSL3_ST_CW_CERT_VRFY_A) { - p = ssl3_handshake_msg_start(s, SSL3_MT_CERTIFICATE_VERIFY); - - /* - * Create context from key and test if sha1 is allowed as - * digest. - */ - pkey = s->cert->key->privatekey; - pctx = EVP_PKEY_CTX_new(pkey, NULL); - EVP_PKEY_sign_init(pctx); - if (EVP_PKEY_CTX_set_signature_md(pctx, EVP_sha1()) > 0) { - if (!SSL_USE_SIGALGS(s)) - s->method->ssl3_enc->cert_verify_mac(s, - NID_sha1, &(data[MD5_DIGEST_LENGTH])); - } else { - ERR_clear_error(); - } - /* - * For TLS v1.2 send signature algorithm and signature - * using agreed digest and cached handshake records. - */ - if (SSL_USE_SIGALGS(s)) { - long hdatalen = 0; - void *hdata; - const EVP_MD *md = s->cert->key->digest; - hdatalen = BIO_get_mem_data(s->s3->handshake_buffer, - &hdata); - if (hdatalen <= 0 || - !tls12_get_sigandhash(p, pkey, md)) { - SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY, - ERR_R_INTERNAL_ERROR); - goto err; - } - p += 2; - if (!EVP_SignInit_ex(&mctx, md, NULL) || - !EVP_SignUpdate(&mctx, hdata, hdatalen) || - !EVP_SignFinal(&mctx, p + 2, &u, pkey)) { - SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY, - ERR_R_EVP_LIB); - goto err; - } - s2n(u, p); - n = u + 4; - if (!tls1_digest_cached_records(s)) - goto err; - } else if (pkey->type == EVP_PKEY_RSA) { - s->method->ssl3_enc->cert_verify_mac( - s, NID_md5, &(data[0])); - if (RSA_sign(NID_md5_sha1, data, - MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH, &(p[2]), - &u, pkey->pkey.rsa) <= 0 ) { - SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY, - ERR_R_RSA_LIB); - goto err; - } - s2n(u, p); - n = u + 2; - } else if (pkey->type == EVP_PKEY_DSA) { - if (!DSA_sign(pkey->save_type, - &(data[MD5_DIGEST_LENGTH]), - SHA_DIGEST_LENGTH, &(p[2]), - (unsigned int *)&j, pkey->pkey.dsa)) { - SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY, - ERR_R_DSA_LIB); - goto err; - } - s2n(j, p); - n = j + 2; - } else if (pkey->type == EVP_PKEY_EC) { - if (!ECDSA_sign(pkey->save_type, - &(data[MD5_DIGEST_LENGTH]), - SHA_DIGEST_LENGTH, &(p[2]), - (unsigned int *)&j, pkey->pkey.ec)) { - SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY, - ERR_R_ECDSA_LIB); - goto err; - } - s2n(j, p); - n = j + 2; -#ifndef OPENSSL_NO_GOST - } else if (pkey->type == NID_id_GostR3410_94 || - pkey->type == NID_id_GostR3410_2001) { - unsigned char signbuf[128]; - long hdatalen = 0; - void *hdata; - const EVP_MD *md; - int nid; - size_t sigsize; - - hdatalen = BIO_get_mem_data(s->s3->handshake_buffer, &hdata); - if (hdatalen <= 0) { - SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY, - ERR_R_INTERNAL_ERROR); - goto err; - } - if (!EVP_PKEY_get_default_digest_nid(pkey, &nid) || - !(md = EVP_get_digestbynid(nid))) { - SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY, - ERR_R_EVP_LIB); - goto err; - } - if (!EVP_DigestInit_ex(&mctx, md, NULL) || - !EVP_DigestUpdate(&mctx, hdata, hdatalen) || - !EVP_DigestFinal(&mctx, signbuf, &u) || - (EVP_PKEY_CTX_set_signature_md(pctx, md) <= 0) || - (EVP_PKEY_CTX_ctrl(pctx, -1, EVP_PKEY_OP_SIGN, - EVP_PKEY_CTRL_GOST_SIG_FORMAT, - GOST_SIG_FORMAT_RS_LE, - NULL) <= 0) || - (EVP_PKEY_sign(pctx, &(p[2]), &sigsize, - signbuf, u) <= 0)) { - SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY, - ERR_R_EVP_LIB); - goto err; - } - if (!tls1_digest_cached_records(s)) - goto err; - j = sigsize; - s2n(j, p); - n = j + 2; -#endif - } else { - SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY, - ERR_R_INTERNAL_ERROR); - goto err; - } - - s->state = SSL3_ST_CW_CERT_VRFY_B; - - ssl3_handshake_msg_finish(s, n); - } - - EVP_MD_CTX_cleanup(&mctx); - EVP_PKEY_CTX_free(pctx); - - return (ssl3_handshake_write(s)); - -err: - EVP_MD_CTX_cleanup(&mctx); - EVP_PKEY_CTX_free(pctx); - return (-1); -} - -int -ssl3_send_client_certificate(SSL *s) -{ - X509 *x509 = NULL; - EVP_PKEY *pkey = NULL; - int i; - unsigned long l; - - if (s->state == SSL3_ST_CW_CERT_A) { - if ((s->cert == NULL) || (s->cert->key->x509 == NULL) || - (s->cert->key->privatekey == NULL)) - s->state = SSL3_ST_CW_CERT_B; - else - s->state = SSL3_ST_CW_CERT_C; - } - - /* We need to get a client cert */ - if (s->state == SSL3_ST_CW_CERT_B) { - /* - * If we get an error, we need to - * ssl->rwstate=SSL_X509_LOOKUP; return(-1); - * We then get retied later - */ - i = ssl_do_client_cert_cb(s, &x509, &pkey); - if (i < 0) { - s->rwstate = SSL_X509_LOOKUP; - return (-1); - } - s->rwstate = SSL_NOTHING; - if ((i == 1) && (pkey != NULL) && (x509 != NULL)) { - s->state = SSL3_ST_CW_CERT_B; - if (!SSL_use_certificate(s, x509) || - !SSL_use_PrivateKey(s, pkey)) - i = 0; - } else if (i == 1) { - i = 0; - SSLerr(SSL_F_SSL3_SEND_CLIENT_CERTIFICATE, - SSL_R_BAD_DATA_RETURNED_BY_CALLBACK); - } - - X509_free(x509); - EVP_PKEY_free(pkey); - if (i == 0) - s->s3->tmp.cert_req = 2; - - /* Ok, we have a cert */ - s->state = SSL3_ST_CW_CERT_C; - } - - if (s->state == SSL3_ST_CW_CERT_C) { - s->state = SSL3_ST_CW_CERT_D; - l = ssl3_output_cert_chain(s, - (s->s3->tmp.cert_req == 2) ? NULL : s->cert->key->x509); - s->init_num = (int)l; - s->init_off = 0; - } - /* SSL3_ST_CW_CERT_D */ - return (ssl3_do_write(s, SSL3_RT_HANDSHAKE)); -} - -#define has_bits(i,m) (((i)&(m)) == (m)) - -int -ssl3_check_cert_and_algorithm(SSL *s) -{ - int i, idx; - long alg_k, alg_a; - EVP_PKEY *pkey = NULL; - SESS_CERT *sc; - DH *dh; - - alg_k = s->s3->tmp.new_cipher->algorithm_mkey; - alg_a = s->s3->tmp.new_cipher->algorithm_auth; - - /* We don't have a certificate. */ - if (alg_a & SSL_aNULL) - return (1); - - sc = s->session->sess_cert; - if (sc == NULL) { - SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, - ERR_R_INTERNAL_ERROR); - goto err; - } - dh = s->session->sess_cert->peer_dh_tmp; - - /* This is the passed certificate. */ - - idx = sc->peer_cert_type; - if (idx == SSL_PKEY_ECC) { - if (ssl_check_srvr_ecc_cert_and_alg( - sc->peer_pkeys[idx].x509, s) == 0) { - /* check failed */ - SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, - SSL_R_BAD_ECC_CERT); - goto f_err; - } else { - return (1); - } - } - pkey = X509_get_pubkey(sc->peer_pkeys[idx].x509); - i = X509_certificate_type(sc->peer_pkeys[idx].x509, pkey); - EVP_PKEY_free(pkey); - - /* Check that we have a certificate if we require one. */ - if ((alg_a & SSL_aRSA) && !has_bits(i, EVP_PK_RSA|EVP_PKT_SIGN)) { - SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, - SSL_R_MISSING_RSA_SIGNING_CERT); - goto f_err; - } else if ((alg_a & SSL_aDSS) && - !has_bits(i, EVP_PK_DSA|EVP_PKT_SIGN)) { - SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, - SSL_R_MISSING_DSA_SIGNING_CERT); - goto f_err; - } - if ((alg_k & SSL_kRSA) && - !has_bits(i, EVP_PK_RSA|EVP_PKT_ENC)) { - SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, - SSL_R_MISSING_RSA_ENCRYPTING_CERT); - goto f_err; - } - if ((alg_k & SSL_kDHE) && - !(has_bits(i, EVP_PK_DH|EVP_PKT_EXCH) || (dh != NULL))) { - SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, - SSL_R_MISSING_DH_KEY); - goto f_err; - } - - return (1); -f_err: - ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE); -err: - return (0); -} - -int -ssl3_send_next_proto(SSL *s) -{ - unsigned int len, padding_len; - unsigned char *d, *p; - - if (s->state == SSL3_ST_CW_NEXT_PROTO_A) { - d = p = ssl3_handshake_msg_start(s, SSL3_MT_NEXT_PROTO); - - len = s->next_proto_negotiated_len; - padding_len = 32 - ((len + 2) % 32); - *(p++) = len; - memcpy(p, s->next_proto_negotiated, len); - p += len; - *(p++) = padding_len; - memset(p, 0, padding_len); - p += padding_len; - - ssl3_handshake_msg_finish(s, p - d); - - s->state = SSL3_ST_CW_NEXT_PROTO_B; - } - - return (ssl3_handshake_write(s)); -} - -/* - * Check to see if handshake is full or resumed. Usually this is just a - * case of checking to see if a cache hit has occurred. In the case of - * session tickets we have to check the next message to be sure. - */ - -int -ssl3_check_finished(SSL *s) -{ - int ok; - long n; - - /* If we have no ticket it cannot be a resumed session. */ - if (!s->session->tlsext_tick) - return (1); - /* this function is called when we really expect a Certificate - * message, so permit appropriate message length */ - n = s->method->ssl_get_message(s, SSL3_ST_CR_CERT_A, - SSL3_ST_CR_CERT_B, -1, s->max_cert_list, &ok); - if (!ok) - return ((int)n); - s->s3->tmp.reuse_message = 1; - if ((s->s3->tmp.message_type == SSL3_MT_FINISHED) || - (s->s3->tmp.message_type == SSL3_MT_NEWSESSION_TICKET)) - return (2); - - return (1); -} - -int -ssl_do_client_cert_cb(SSL *s, X509 **px509, EVP_PKEY **ppkey) -{ - int i = 0; - -#ifndef OPENSSL_NO_ENGINE - if (s->ctx->client_cert_engine) { - i = ENGINE_load_ssl_client_cert(s->ctx->client_cert_engine, s, - SSL_get_client_CA_list(s), - px509, ppkey, NULL, NULL, NULL); - if (i != 0) - return (i); - } -#endif - if (s->ctx->client_cert_cb) - i = s->ctx->client_cert_cb(s, px509, ppkey); - return (i); -} diff --git a/lib/libssl/src/ssl/s3_lib.c b/lib/libssl/src/ssl/s3_lib.c deleted file mode 100644 index e873c17c876..00000000000 --- a/lib/libssl/src/ssl/s3_lib.c +++ /dev/null @@ -1,2859 +0,0 @@ -/* $OpenBSD: s3_lib.c,v 1.108 2016/04/28 16:39:45 jsing Exp $ */ -/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) - * All rights reserved. - * - * This package is an SSL implementation written - * by Eric Young (eay@cryptsoft.com). - * The implementation was written so as to conform with Netscapes SSL. - * - * This library is free for commercial and non-commercial use as long as - * the following conditions are aheared to. The following conditions - * apply to all code found in this distribution, be it the RC4, RSA, - * lhash, DES, etc., code; not just the SSL code. The SSL documentation - * included with this distribution is covered by the same copyright terms - * except that the holder is Tim Hudson (tjh@cryptsoft.com). - * - * Copyright remains Eric Young's, and as such any Copyright notices in - * the code are not to be removed. - * If this package is used in a product, Eric Young should be given attribution - * as the author of the parts of the library used. - * This can be in the form of a textual message at program startup or - * in documentation (online or textual) provided with the package. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * "This product includes cryptographic software written by - * Eric Young (eay@cryptsoft.com)" - * The word 'cryptographic' can be left out if the rouines from the library - * being used are not cryptographic related :-). - * 4. If you include any Windows specific code (or a derivative thereof) from - * the apps directory (application code) you must include an acknowledgement: - * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" - * - * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * The licence and distribution terms for any publically available version or - * derivative of this code cannot be changed. i.e. this code cannot simply be - * copied and put under another distribution licence - * [including the GNU Public Licence.] - */ -/* ==================================================================== - * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * openssl-core@openssl.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.openssl.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ -/* ==================================================================== - * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. - * - * Portions of the attached software ("Contribution") are developed by - * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project. - * - * The Contribution is licensed pursuant to the OpenSSL open source - * license provided above. - * - * ECC cipher suite support in OpenSSL originally written by - * Vipul Gupta and Sumit Gupta of Sun Microsystems Laboratories. - * - */ -/* ==================================================================== - * Copyright 2005 Nokia. All rights reserved. - * - * The portions of the attached software ("Contribution") is developed by - * Nokia Corporation and is licensed pursuant to the OpenSSL open source - * license. - * - * The Contribution, originally written by Mika Kousa and Pasi Eronen of - * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites - * support (see RFC 4279) to OpenSSL. - * - * No patent licenses or other rights except those expressly stated in - * the OpenSSL open source license shall be deemed granted or received - * expressly, by implication, estoppel, or otherwise. - * - * No assurances are provided by Nokia that the Contribution does not - * infringe the patent or other intellectual property rights of any third - * party or that the license provides you with all the necessary rights - * to make use of the Contribution. - * - * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN - * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA - * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY - * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR - * OTHERWISE. - */ - -#include <stdio.h> - -#include <openssl/dh.h> -#include <openssl/md5.h> -#include <openssl/objects.h> - -#include "ssl_locl.h" -#include "bytestring.h" - -#define SSL3_NUM_CIPHERS (sizeof(ssl3_ciphers) / sizeof(SSL_CIPHER)) - -/* - * FIXED_NONCE_LEN is a macro that provides in the correct value to set the - * fixed nonce length in algorithms2. It is the inverse of the - * SSL_CIPHER_AEAD_FIXED_NONCE_LEN macro. - */ -#define FIXED_NONCE_LEN(x) (((x / 2) & 0xf) << 24) - -/* list of available SSLv3 ciphers (sorted by id) */ -SSL_CIPHER ssl3_ciphers[] = { - - /* The RSA ciphers */ - /* Cipher 01 */ - { - .valid = 1, - .name = SSL3_TXT_RSA_NULL_MD5, - .id = SSL3_CK_RSA_NULL_MD5, - .algorithm_mkey = SSL_kRSA, - .algorithm_auth = SSL_aRSA, - .algorithm_enc = SSL_eNULL, - .algorithm_mac = SSL_MD5, - .algorithm_ssl = SSL_SSLV3, - .algo_strength = SSL_STRONG_NONE, - .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, - .strength_bits = 0, - .alg_bits = 0, - }, - - /* Cipher 02 */ - { - .valid = 1, - .name = SSL3_TXT_RSA_NULL_SHA, - .id = SSL3_CK_RSA_NULL_SHA, - .algorithm_mkey = SSL_kRSA, - .algorithm_auth = SSL_aRSA, - .algorithm_enc = SSL_eNULL, - .algorithm_mac = SSL_SHA1, - .algorithm_ssl = SSL_SSLV3, - .algo_strength = SSL_STRONG_NONE, - .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, - .strength_bits = 0, - .alg_bits = 0, - }, - - /* Cipher 04 */ - { - .valid = 1, - .name = SSL3_TXT_RSA_RC4_128_MD5, - .id = SSL3_CK_RSA_RC4_128_MD5, - .algorithm_mkey = SSL_kRSA, - .algorithm_auth = SSL_aRSA, - .algorithm_enc = SSL_RC4, - .algorithm_mac = SSL_MD5, - .algorithm_ssl = SSL_SSLV3, - .algo_strength = SSL_MEDIUM, - .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, - .strength_bits = 128, - .alg_bits = 128, - }, - - /* Cipher 05 */ - { - .valid = 1, - .name = SSL3_TXT_RSA_RC4_128_SHA, - .id = SSL3_CK_RSA_RC4_128_SHA, - .algorithm_mkey = SSL_kRSA, - .algorithm_auth = SSL_aRSA, - .algorithm_enc = SSL_RC4, - .algorithm_mac = SSL_SHA1, - .algorithm_ssl = SSL_SSLV3, - .algo_strength = SSL_MEDIUM, - .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, - .strength_bits = 128, - .alg_bits = 128, - }, - - /* Cipher 07 */ -#ifndef OPENSSL_NO_IDEA - { - .valid = 1, - .name = SSL3_TXT_RSA_IDEA_128_SHA, - .id = SSL3_CK_RSA_IDEA_128_SHA, - .algorithm_mkey = SSL_kRSA, - .algorithm_auth = SSL_aRSA, - .algorithm_enc = SSL_IDEA, - .algorithm_mac = SSL_SHA1, - .algorithm_ssl = SSL_SSLV3, - .algo_strength = SSL_MEDIUM, - .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, - .strength_bits = 128, - .alg_bits = 128, - }, -#endif - - /* Cipher 09 */ - { - .valid = 1, - .name = SSL3_TXT_RSA_DES_64_CBC_SHA, - .id = SSL3_CK_RSA_DES_64_CBC_SHA, - .algorithm_mkey = SSL_kRSA, - .algorithm_auth = SSL_aRSA, - .algorithm_enc = SSL_DES, - .algorithm_mac = SSL_SHA1, - .algorithm_ssl = SSL_SSLV3, - .algo_strength = SSL_LOW, - .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, - .strength_bits = 56, - .alg_bits = 56, - }, - - /* Cipher 0A */ - { - .valid = 1, - .name = SSL3_TXT_RSA_DES_192_CBC3_SHA, - .id = SSL3_CK_RSA_DES_192_CBC3_SHA, - .algorithm_mkey = SSL_kRSA, - .algorithm_auth = SSL_aRSA, - .algorithm_enc = SSL_3DES, - .algorithm_mac = SSL_SHA1, - .algorithm_ssl = SSL_SSLV3, - .algo_strength = SSL_HIGH, - .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, - .strength_bits = 112, - .alg_bits = 168, - }, - - /* - * Ephemeral DH (DHE) ciphers. - */ - - /* Cipher 12 */ - { - .valid = 1, - .name = SSL3_TXT_EDH_DSS_DES_64_CBC_SHA, - .id = SSL3_CK_EDH_DSS_DES_64_CBC_SHA, - .algorithm_mkey = SSL_kDHE, - .algorithm_auth = SSL_aDSS, - .algorithm_enc = SSL_DES, - .algorithm_mac = SSL_SHA1, - .algorithm_ssl = SSL_SSLV3, - .algo_strength = SSL_LOW, - .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, - .strength_bits = 56, - .alg_bits = 56, - }, - - /* Cipher 13 */ - { - .valid = 1, - .name = SSL3_TXT_EDH_DSS_DES_192_CBC3_SHA, - .id = SSL3_CK_EDH_DSS_DES_192_CBC3_SHA, - .algorithm_mkey = SSL_kDHE, - .algorithm_auth = SSL_aDSS, - .algorithm_enc = SSL_3DES, - .algorithm_mac = SSL_SHA1, - .algorithm_ssl = SSL_SSLV3, - .algo_strength = SSL_HIGH, - .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, - .strength_bits = 112, - .alg_bits = 168, - }, - - /* Cipher 15 */ - { - .valid = 1, - .name = SSL3_TXT_EDH_RSA_DES_64_CBC_SHA, - .id = SSL3_CK_EDH_RSA_DES_64_CBC_SHA, - .algorithm_mkey = SSL_kDHE, - .algorithm_auth = SSL_aRSA, - .algorithm_enc = SSL_DES, - .algorithm_mac = SSL_SHA1, - .algorithm_ssl = SSL_SSLV3, - .algo_strength = SSL_LOW, - .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, - .strength_bits = 56, - .alg_bits = 56, - }, - - /* Cipher 16 */ - { - .valid = 1, - .name = SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA, - .id = SSL3_CK_EDH_RSA_DES_192_CBC3_SHA, - .algorithm_mkey = SSL_kDHE, - .algorithm_auth = SSL_aRSA, - .algorithm_enc = SSL_3DES, - .algorithm_mac = SSL_SHA1, - .algorithm_ssl = SSL_SSLV3, - .algo_strength = SSL_HIGH, - .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, - .strength_bits = 112, - .alg_bits = 168, - }, - - /* Cipher 18 */ - { - .valid = 1, - .name = SSL3_TXT_ADH_RC4_128_MD5, - .id = SSL3_CK_ADH_RC4_128_MD5, - .algorithm_mkey = SSL_kDHE, - .algorithm_auth = SSL_aNULL, - .algorithm_enc = SSL_RC4, - .algorithm_mac = SSL_MD5, - .algorithm_ssl = SSL_SSLV3, - .algo_strength = SSL_MEDIUM, - .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, - .strength_bits = 128, - .alg_bits = 128, - }, - - /* Cipher 1A */ - { - .valid = 1, - .name = SSL3_TXT_ADH_DES_64_CBC_SHA, - .id = SSL3_CK_ADH_DES_64_CBC_SHA, - .algorithm_mkey = SSL_kDHE, - .algorithm_auth = SSL_aNULL, - .algorithm_enc = SSL_DES, - .algorithm_mac = SSL_SHA1, - .algorithm_ssl = SSL_SSLV3, - .algo_strength = SSL_LOW, - .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, - .strength_bits = 56, - .alg_bits = 56, - }, - - /* Cipher 1B */ - { - .valid = 1, - .name = SSL3_TXT_ADH_DES_192_CBC_SHA, - .id = SSL3_CK_ADH_DES_192_CBC_SHA, - .algorithm_mkey = SSL_kDHE, - .algorithm_auth = SSL_aNULL, - .algorithm_enc = SSL_3DES, - .algorithm_mac = SSL_SHA1, - .algorithm_ssl = SSL_SSLV3, - .algo_strength = SSL_HIGH, - .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, - .strength_bits = 112, - .alg_bits = 168, - }, - - /* - * AES ciphersuites. - */ - - /* Cipher 2F */ - { - .valid = 1, - .name = TLS1_TXT_RSA_WITH_AES_128_SHA, - .id = TLS1_CK_RSA_WITH_AES_128_SHA, - .algorithm_mkey = SSL_kRSA, - .algorithm_auth = SSL_aRSA, - .algorithm_enc = SSL_AES128, - .algorithm_mac = SSL_SHA1, - .algorithm_ssl = SSL_TLSV1, - .algo_strength = SSL_HIGH, - .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, - .strength_bits = 128, - .alg_bits = 128, - }, - - /* Cipher 32 */ - { - .valid = 1, - .name = TLS1_TXT_DHE_DSS_WITH_AES_128_SHA, - .id = TLS1_CK_DHE_DSS_WITH_AES_128_SHA, - .algorithm_mkey = SSL_kDHE, - .algorithm_auth = SSL_aDSS, - .algorithm_enc = SSL_AES128, - .algorithm_mac = SSL_SHA1, - .algorithm_ssl = SSL_TLSV1, - .algo_strength = SSL_HIGH, - .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, - .strength_bits = 128, - .alg_bits = 128, - }, - - /* Cipher 33 */ - { - .valid = 1, - .name = TLS1_TXT_DHE_RSA_WITH_AES_128_SHA, - .id = TLS1_CK_DHE_RSA_WITH_AES_128_SHA, - .algorithm_mkey = SSL_kDHE, - .algorithm_auth = SSL_aRSA, - .algorithm_enc = SSL_AES128, - .algorithm_mac = SSL_SHA1, - .algorithm_ssl = SSL_TLSV1, - .algo_strength = SSL_HIGH, - .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, - .strength_bits = 128, - .alg_bits = 128, - }, - - /* Cipher 34 */ - { - .valid = 1, - .name = TLS1_TXT_ADH_WITH_AES_128_SHA, - .id = TLS1_CK_ADH_WITH_AES_128_SHA, - .algorithm_mkey = SSL_kDHE, - .algorithm_auth = SSL_aNULL, - .algorithm_enc = SSL_AES128, - .algorithm_mac = SSL_SHA1, - .algorithm_ssl = SSL_TLSV1, - .algo_strength = SSL_HIGH, - .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, - .strength_bits = 128, - .alg_bits = 128, - }, - - /* Cipher 35 */ - { - .valid = 1, - .name = TLS1_TXT_RSA_WITH_AES_256_SHA, - .id = TLS1_CK_RSA_WITH_AES_256_SHA, - .algorithm_mkey = SSL_kRSA, - .algorithm_auth = SSL_aRSA, - .algorithm_enc = SSL_AES256, - .algorithm_mac = SSL_SHA1, - .algorithm_ssl = SSL_TLSV1, - .algo_strength = SSL_HIGH, - .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, - .strength_bits = 256, - .alg_bits = 256, - }, - - /* Cipher 38 */ - { - .valid = 1, - .name = TLS1_TXT_DHE_DSS_WITH_AES_256_SHA, - .id = TLS1_CK_DHE_DSS_WITH_AES_256_SHA, - .algorithm_mkey = SSL_kDHE, - .algorithm_auth = SSL_aDSS, - .algorithm_enc = SSL_AES256, - .algorithm_mac = SSL_SHA1, - .algorithm_ssl = SSL_TLSV1, - .algo_strength = SSL_HIGH, - .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, - .strength_bits = 256, - .alg_bits = 256, - }, - - /* Cipher 39 */ - { - .valid = 1, - .name = TLS1_TXT_DHE_RSA_WITH_AES_256_SHA, - .id = TLS1_CK_DHE_RSA_WITH_AES_256_SHA, - .algorithm_mkey = SSL_kDHE, - .algorithm_auth = SSL_aRSA, - .algorithm_enc = SSL_AES256, - .algorithm_mac = SSL_SHA1, - .algorithm_ssl = SSL_TLSV1, - .algo_strength = SSL_HIGH, - .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, - .strength_bits = 256, - .alg_bits = 256, - }, - - /* Cipher 3A */ - { - .valid = 1, - .name = TLS1_TXT_ADH_WITH_AES_256_SHA, - .id = TLS1_CK_ADH_WITH_AES_256_SHA, - .algorithm_mkey = SSL_kDHE, - .algorithm_auth = SSL_aNULL, - .algorithm_enc = SSL_AES256, - .algorithm_mac = SSL_SHA1, - .algorithm_ssl = SSL_TLSV1, - .algo_strength = SSL_HIGH, - .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, - .strength_bits = 256, - .alg_bits = 256, - }, - - /* TLS v1.2 ciphersuites */ - /* Cipher 3B */ - { - .valid = 1, - .name = TLS1_TXT_RSA_WITH_NULL_SHA256, - .id = TLS1_CK_RSA_WITH_NULL_SHA256, - .algorithm_mkey = SSL_kRSA, - .algorithm_auth = SSL_aRSA, - .algorithm_enc = SSL_eNULL, - .algorithm_mac = SSL_SHA256, - .algorithm_ssl = SSL_TLSV1_2, - .algo_strength = SSL_STRONG_NONE, - .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, - .strength_bits = 0, - .alg_bits = 0, - }, - - /* Cipher 3C */ - { - .valid = 1, - .name = TLS1_TXT_RSA_WITH_AES_128_SHA256, - .id = TLS1_CK_RSA_WITH_AES_128_SHA256, - .algorithm_mkey = SSL_kRSA, - .algorithm_auth = SSL_aRSA, - .algorithm_enc = SSL_AES128, - .algorithm_mac = SSL_SHA256, - .algorithm_ssl = SSL_TLSV1_2, - .algo_strength = SSL_HIGH, - .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, - .strength_bits = 128, - .alg_bits = 128, - }, - - /* Cipher 3D */ - { - .valid = 1, - .name = TLS1_TXT_RSA_WITH_AES_256_SHA256, - .id = TLS1_CK_RSA_WITH_AES_256_SHA256, - .algorithm_mkey = SSL_kRSA, - .algorithm_auth = SSL_aRSA, - .algorithm_enc = SSL_AES256, - .algorithm_mac = SSL_SHA256, - .algorithm_ssl = SSL_TLSV1_2, - .algo_strength = SSL_HIGH, - .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, - .strength_bits = 256, - .alg_bits = 256, - }, - - /* Cipher 40 */ - { - .valid = 1, - .name = TLS1_TXT_DHE_DSS_WITH_AES_128_SHA256, - .id = TLS1_CK_DHE_DSS_WITH_AES_128_SHA256, - .algorithm_mkey = SSL_kDHE, - .algorithm_auth = SSL_aDSS, - .algorithm_enc = SSL_AES128, - .algorithm_mac = SSL_SHA256, - .algorithm_ssl = SSL_TLSV1_2, - .algo_strength = SSL_HIGH, - .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, - .strength_bits = 128, - .alg_bits = 128, - }, - -#ifndef OPENSSL_NO_CAMELLIA - /* Camellia ciphersuites from RFC4132 (128-bit portion) */ - - /* Cipher 41 */ - { - .valid = 1, - .name = TLS1_TXT_RSA_WITH_CAMELLIA_128_CBC_SHA, - .id = TLS1_CK_RSA_WITH_CAMELLIA_128_CBC_SHA, - .algorithm_mkey = SSL_kRSA, - .algorithm_auth = SSL_aRSA, - .algorithm_enc = SSL_CAMELLIA128, - .algorithm_mac = SSL_SHA1, - .algorithm_ssl = SSL_TLSV1, - .algo_strength = SSL_HIGH, - .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, - .strength_bits = 128, - .alg_bits = 128, - }, - - /* Cipher 44 */ - { - .valid = 1, - .name = TLS1_TXT_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, - .id = TLS1_CK_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, - .algorithm_mkey = SSL_kDHE, - .algorithm_auth = SSL_aDSS, - .algorithm_enc = SSL_CAMELLIA128, - .algorithm_mac = SSL_SHA1, - .algorithm_ssl = SSL_TLSV1, - .algo_strength = SSL_HIGH, - .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, - .strength_bits = 128, - .alg_bits = 128, - }, - - /* Cipher 45 */ - { - .valid = 1, - .name = TLS1_TXT_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, - .id = TLS1_CK_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, - .algorithm_mkey = SSL_kDHE, - .algorithm_auth = SSL_aRSA, - .algorithm_enc = SSL_CAMELLIA128, - .algorithm_mac = SSL_SHA1, - .algorithm_ssl = SSL_TLSV1, - .algo_strength = SSL_HIGH, - .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, - .strength_bits = 128, - .alg_bits = 128, - }, - - /* Cipher 46 */ - { - .valid = 1, - .name = TLS1_TXT_ADH_WITH_CAMELLIA_128_CBC_SHA, - .id = TLS1_CK_ADH_WITH_CAMELLIA_128_CBC_SHA, - .algorithm_mkey = SSL_kDHE, - .algorithm_auth = SSL_aNULL, - .algorithm_enc = SSL_CAMELLIA128, - .algorithm_mac = SSL_SHA1, - .algorithm_ssl = SSL_TLSV1, - .algo_strength = SSL_HIGH, - .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, - .strength_bits = 128, - .alg_bits = 128, - }, -#endif /* OPENSSL_NO_CAMELLIA */ - - /* TLS v1.2 ciphersuites */ - /* Cipher 67 */ - { - .valid = 1, - .name = TLS1_TXT_DHE_RSA_WITH_AES_128_SHA256, - .id = TLS1_CK_DHE_RSA_WITH_AES_128_SHA256, - .algorithm_mkey = SSL_kDHE, - .algorithm_auth = SSL_aRSA, - .algorithm_enc = SSL_AES128, - .algorithm_mac = SSL_SHA256, - .algorithm_ssl = SSL_TLSV1_2, - .algo_strength = SSL_HIGH, - .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, - .strength_bits = 128, - .alg_bits = 128, - }, - - /* Cipher 6A */ - { - .valid = 1, - .name = TLS1_TXT_DHE_DSS_WITH_AES_256_SHA256, - .id = TLS1_CK_DHE_DSS_WITH_AES_256_SHA256, - .algorithm_mkey = SSL_kDHE, - .algorithm_auth = SSL_aDSS, - .algorithm_enc = SSL_AES256, - .algorithm_mac = SSL_SHA256, - .algorithm_ssl = SSL_TLSV1_2, - .algo_strength = SSL_HIGH, - .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, - .strength_bits = 256, - .alg_bits = 256, - }, - - /* Cipher 6B */ - { - .valid = 1, - .name = TLS1_TXT_DHE_RSA_WITH_AES_256_SHA256, - .id = TLS1_CK_DHE_RSA_WITH_AES_256_SHA256, - .algorithm_mkey = SSL_kDHE, - .algorithm_auth = SSL_aRSA, - .algorithm_enc = SSL_AES256, - .algorithm_mac = SSL_SHA256, - .algorithm_ssl = SSL_TLSV1_2, - .algo_strength = SSL_HIGH, - .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, - .strength_bits = 256, - .alg_bits = 256, - }, - - /* Cipher 6C */ - { - .valid = 1, - .name = TLS1_TXT_ADH_WITH_AES_128_SHA256, - .id = TLS1_CK_ADH_WITH_AES_128_SHA256, - .algorithm_mkey = SSL_kDHE, - .algorithm_auth = SSL_aNULL, - .algorithm_enc = SSL_AES128, - .algorithm_mac = SSL_SHA256, - .algorithm_ssl = SSL_TLSV1_2, - .algo_strength = SSL_HIGH, - .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, - .strength_bits = 128, - .alg_bits = 128, - }, - - /* Cipher 6D */ - { - .valid = 1, - .name = TLS1_TXT_ADH_WITH_AES_256_SHA256, - .id = TLS1_CK_ADH_WITH_AES_256_SHA256, - .algorithm_mkey = SSL_kDHE, - .algorithm_auth = SSL_aNULL, - .algorithm_enc = SSL_AES256, - .algorithm_mac = SSL_SHA256, - .algorithm_ssl = SSL_TLSV1_2, - .algo_strength = SSL_HIGH, - .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, - .strength_bits = 256, - .alg_bits = 256, - }, - - /* GOST Ciphersuites */ - - /* Cipher 81 */ - { - .valid = 1, - .name = "GOST2001-GOST89-GOST89", - .id = 0x3000081, - .algorithm_mkey = SSL_kGOST, - .algorithm_auth = SSL_aGOST01, - .algorithm_enc = SSL_eGOST2814789CNT, - .algorithm_mac = SSL_GOST89MAC, - .algorithm_ssl = SSL_TLSV1, - .algo_strength = SSL_HIGH, - .algorithm2 = SSL_HANDSHAKE_MAC_GOST94|TLS1_PRF_GOST94| - TLS1_STREAM_MAC, - .strength_bits = 256, - .alg_bits = 256 - }, - - /* Cipher 83 */ - { - .valid = 1, - .name = "GOST2001-NULL-GOST94", - .id = 0x3000083, - .algorithm_mkey = SSL_kGOST, - .algorithm_auth = SSL_aGOST01, - .algorithm_enc = SSL_eNULL, - .algorithm_mac = SSL_GOST94, - .algorithm_ssl = SSL_TLSV1, - .algo_strength = SSL_STRONG_NONE, - .algorithm2 = SSL_HANDSHAKE_MAC_GOST94|TLS1_PRF_GOST94, - .strength_bits = 0, - .alg_bits = 0 - }, - -#ifndef OPENSSL_NO_CAMELLIA - /* Camellia ciphersuites from RFC4132 (256-bit portion) */ - - /* Cipher 84 */ - { - .valid = 1, - .name = TLS1_TXT_RSA_WITH_CAMELLIA_256_CBC_SHA, - .id = TLS1_CK_RSA_WITH_CAMELLIA_256_CBC_SHA, - .algorithm_mkey = SSL_kRSA, - .algorithm_auth = SSL_aRSA, - .algorithm_enc = SSL_CAMELLIA256, - .algorithm_mac = SSL_SHA1, - .algorithm_ssl = SSL_TLSV1, - .algo_strength = SSL_HIGH, - .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, - .strength_bits = 256, - .alg_bits = 256, - }, - - /* Cipher 87 */ - { - .valid = 1, - .name = TLS1_TXT_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, - .id = TLS1_CK_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, - .algorithm_mkey = SSL_kDHE, - .algorithm_auth = SSL_aDSS, - .algorithm_enc = SSL_CAMELLIA256, - .algorithm_mac = SSL_SHA1, - .algorithm_ssl = SSL_TLSV1, - .algo_strength = SSL_HIGH, - .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, - .strength_bits = 256, - .alg_bits = 256, - }, - - /* Cipher 88 */ - { - .valid = 1, - .name = TLS1_TXT_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, - .id = TLS1_CK_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, - .algorithm_mkey = SSL_kDHE, - .algorithm_auth = SSL_aRSA, - .algorithm_enc = SSL_CAMELLIA256, - .algorithm_mac = SSL_SHA1, - .algorithm_ssl = SSL_TLSV1, - .algo_strength = SSL_HIGH, - .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, - .strength_bits = 256, - .alg_bits = 256, - }, - - /* Cipher 89 */ - { - .valid = 1, - .name = TLS1_TXT_ADH_WITH_CAMELLIA_256_CBC_SHA, - .id = TLS1_CK_ADH_WITH_CAMELLIA_256_CBC_SHA, - .algorithm_mkey = SSL_kDHE, - .algorithm_auth = SSL_aNULL, - .algorithm_enc = SSL_CAMELLIA256, - .algorithm_mac = SSL_SHA1, - .algorithm_ssl = SSL_TLSV1, - .algo_strength = SSL_HIGH, - .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, - .strength_bits = 256, - .alg_bits = 256, - }, -#endif /* OPENSSL_NO_CAMELLIA */ - - /* - * GCM ciphersuites from RFC5288. - */ - - /* Cipher 9C */ - { - .valid = 1, - .name = TLS1_TXT_RSA_WITH_AES_128_GCM_SHA256, - .id = TLS1_CK_RSA_WITH_AES_128_GCM_SHA256, - .algorithm_mkey = SSL_kRSA, - .algorithm_auth = SSL_aRSA, - .algorithm_enc = SSL_AES128GCM, - .algorithm_mac = SSL_AEAD, - .algorithm_ssl = SSL_TLSV1_2, - .algo_strength = SSL_HIGH, - .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256| - SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(4)| - SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD, - .strength_bits = 128, - .alg_bits = 128, - }, - - /* Cipher 9D */ - { - .valid = 1, - .name = TLS1_TXT_RSA_WITH_AES_256_GCM_SHA384, - .id = TLS1_CK_RSA_WITH_AES_256_GCM_SHA384, - .algorithm_mkey = SSL_kRSA, - .algorithm_auth = SSL_aRSA, - .algorithm_enc = SSL_AES256GCM, - .algorithm_mac = SSL_AEAD, - .algorithm_ssl = SSL_TLSV1_2, - .algo_strength = SSL_HIGH, - .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384| - SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(4)| - SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD, - .strength_bits = 256, - .alg_bits = 256, - }, - - /* Cipher 9E */ - { - .valid = 1, - .name = TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256, - .id = TLS1_CK_DHE_RSA_WITH_AES_128_GCM_SHA256, - .algorithm_mkey = SSL_kDHE, - .algorithm_auth = SSL_aRSA, - .algorithm_enc = SSL_AES128GCM, - .algorithm_mac = SSL_AEAD, - .algorithm_ssl = SSL_TLSV1_2, - .algo_strength = SSL_HIGH, - .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256| - SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(4)| - SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD, - .strength_bits = 128, - .alg_bits = 128, - }, - - /* Cipher 9F */ - { - .valid = 1, - .name = TLS1_TXT_DHE_RSA_WITH_AES_256_GCM_SHA384, - .id = TLS1_CK_DHE_RSA_WITH_AES_256_GCM_SHA384, - .algorithm_mkey = SSL_kDHE, - .algorithm_auth = SSL_aRSA, - .algorithm_enc = SSL_AES256GCM, - .algorithm_mac = SSL_AEAD, - .algorithm_ssl = SSL_TLSV1_2, - .algo_strength = SSL_HIGH, - .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384| - SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(4)| - SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD, - .strength_bits = 256, - .alg_bits = 256, - }, - - /* Cipher A2 */ - { - .valid = 1, - .name = TLS1_TXT_DHE_DSS_WITH_AES_128_GCM_SHA256, - .id = TLS1_CK_DHE_DSS_WITH_AES_128_GCM_SHA256, - .algorithm_mkey = SSL_kDHE, - .algorithm_auth = SSL_aDSS, - .algorithm_enc = SSL_AES128GCM, - .algorithm_mac = SSL_AEAD, - .algorithm_ssl = SSL_TLSV1_2, - .algo_strength = SSL_HIGH, - .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256| - SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(4)| - SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD, - .strength_bits = 128, - .alg_bits = 128, - }, - - /* Cipher A3 */ - { - .valid = 1, - .name = TLS1_TXT_DHE_DSS_WITH_AES_256_GCM_SHA384, - .id = TLS1_CK_DHE_DSS_WITH_AES_256_GCM_SHA384, - .algorithm_mkey = SSL_kDHE, - .algorithm_auth = SSL_aDSS, - .algorithm_enc = SSL_AES256GCM, - .algorithm_mac = SSL_AEAD, - .algorithm_ssl = SSL_TLSV1_2, - .algo_strength = SSL_HIGH, - .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384| - SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(4)| - SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD, - .strength_bits = 256, - .alg_bits = 256, - }, - - /* Cipher A6 */ - { - .valid = 1, - .name = TLS1_TXT_ADH_WITH_AES_128_GCM_SHA256, - .id = TLS1_CK_ADH_WITH_AES_128_GCM_SHA256, - .algorithm_mkey = SSL_kDHE, - .algorithm_auth = SSL_aNULL, - .algorithm_enc = SSL_AES128GCM, - .algorithm_mac = SSL_AEAD, - .algorithm_ssl = SSL_TLSV1_2, - .algo_strength = SSL_HIGH, - .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256| - SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(4)| - SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD, - .strength_bits = 128, - .alg_bits = 128, - }, - - /* Cipher A7 */ - { - .valid = 1, - .name = TLS1_TXT_ADH_WITH_AES_256_GCM_SHA384, - .id = TLS1_CK_ADH_WITH_AES_256_GCM_SHA384, - .algorithm_mkey = SSL_kDHE, - .algorithm_auth = SSL_aNULL, - .algorithm_enc = SSL_AES256GCM, - .algorithm_mac = SSL_AEAD, - .algorithm_ssl = SSL_TLSV1_2, - .algo_strength = SSL_HIGH, - .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384| - SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(4)| - SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD, - .strength_bits = 256, - .alg_bits = 256, - }, - -#ifndef OPENSSL_NO_CAMELLIA - /* TLS 1.2 Camellia SHA-256 ciphersuites from RFC5932 */ - - /* Cipher BA */ - { - .valid = 1, - .name = TLS1_TXT_RSA_WITH_CAMELLIA_128_CBC_SHA256, - .id = TLS1_CK_RSA_WITH_CAMELLIA_128_CBC_SHA256, - .algorithm_mkey = SSL_kRSA, - .algorithm_auth = SSL_aRSA, - .algorithm_enc = SSL_CAMELLIA128, - .algorithm_mac = SSL_SHA256, - .algorithm_ssl = SSL_TLSV1_2, - .algo_strength = SSL_HIGH, - .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, - .strength_bits = 128, - .alg_bits = 128, - }, - - /* Cipher BD */ - { - .valid = 1, - .name = TLS1_TXT_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256, - .id = TLS1_CK_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256, - .algorithm_mkey = SSL_kDHE, - .algorithm_auth = SSL_aDSS, - .algorithm_enc = SSL_CAMELLIA128, - .algorithm_mac = SSL_SHA256, - .algorithm_ssl = SSL_TLSV1_2, - .algo_strength = SSL_HIGH, - .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, - .strength_bits = 128, - .alg_bits = 128, - }, - - /* Cipher BE */ - { - .valid = 1, - .name = TLS1_TXT_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256, - .id = TLS1_CK_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256, - .algorithm_mkey = SSL_kDHE, - .algorithm_auth = SSL_aRSA, - .algorithm_enc = SSL_CAMELLIA128, - .algorithm_mac = SSL_SHA256, - .algorithm_ssl = SSL_TLSV1_2, - .algo_strength = SSL_HIGH, - .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, - .strength_bits = 128, - .alg_bits = 128, - }, - - /* Cipher BF */ - { - .valid = 1, - .name = TLS1_TXT_ADH_WITH_CAMELLIA_128_CBC_SHA256, - .id = TLS1_CK_ADH_WITH_CAMELLIA_128_CBC_SHA256, - .algorithm_mkey = SSL_kDHE, - .algorithm_auth = SSL_aNULL, - .algorithm_enc = SSL_CAMELLIA128, - .algorithm_mac = SSL_SHA256, - .algorithm_ssl = SSL_TLSV1_2, - .algo_strength = SSL_HIGH, - .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, - .strength_bits = 128, - .alg_bits = 128, - }, - - /* Cipher C0 */ - { - .valid = 1, - .name = TLS1_TXT_RSA_WITH_CAMELLIA_256_CBC_SHA256, - .id = TLS1_CK_RSA_WITH_CAMELLIA_256_CBC_SHA256, - .algorithm_mkey = SSL_kRSA, - .algorithm_auth = SSL_aRSA, - .algorithm_enc = SSL_CAMELLIA256, - .algorithm_mac = SSL_SHA256, - .algorithm_ssl = SSL_TLSV1_2, - .algo_strength = SSL_HIGH, - .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, - .strength_bits = 256, - .alg_bits = 256, - }, - - /* Cipher C3 */ - { - .valid = 1, - .name = TLS1_TXT_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256, - .id = TLS1_CK_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256, - .algorithm_mkey = SSL_kDHE, - .algorithm_auth = SSL_aDSS, - .algorithm_enc = SSL_CAMELLIA256, - .algorithm_mac = SSL_SHA256, - .algorithm_ssl = SSL_TLSV1_2, - .algo_strength = SSL_HIGH, - .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, - .strength_bits = 256, - .alg_bits = 256, - }, - - /* Cipher C4 */ - { - .valid = 1, - .name = TLS1_TXT_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256, - .id = TLS1_CK_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256, - .algorithm_mkey = SSL_kDHE, - .algorithm_auth = SSL_aRSA, - .algorithm_enc = SSL_CAMELLIA256, - .algorithm_mac = SSL_SHA256, - .algorithm_ssl = SSL_TLSV1_2, - .algo_strength = SSL_HIGH, - .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, - .strength_bits = 256, - .alg_bits = 256, - }, - - /* Cipher C5 */ - { - .valid = 1, - .name = TLS1_TXT_ADH_WITH_CAMELLIA_256_CBC_SHA256, - .id = TLS1_CK_ADH_WITH_CAMELLIA_256_CBC_SHA256, - .algorithm_mkey = SSL_kDHE, - .algorithm_auth = SSL_aNULL, - .algorithm_enc = SSL_CAMELLIA256, - .algorithm_mac = SSL_SHA256, - .algorithm_ssl = SSL_TLSV1_2, - .algo_strength = SSL_HIGH, - .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, - .strength_bits = 256, - .alg_bits = 256, - }, -#endif /* OPENSSL_NO_CAMELLIA */ - - /* Cipher C001 */ - { - .valid = 1, - .name = TLS1_TXT_ECDH_ECDSA_WITH_NULL_SHA, - .id = TLS1_CK_ECDH_ECDSA_WITH_NULL_SHA, - .algorithm_mkey = SSL_kECDHe, - .algorithm_auth = SSL_aECDH, - .algorithm_enc = SSL_eNULL, - .algorithm_mac = SSL_SHA1, - .algorithm_ssl = SSL_TLSV1, - .algo_strength = SSL_STRONG_NONE, - .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, - .strength_bits = 0, - .alg_bits = 0, - }, - - /* Cipher C002 */ - { - .valid = 1, - .name = TLS1_TXT_ECDH_ECDSA_WITH_RC4_128_SHA, - .id = TLS1_CK_ECDH_ECDSA_WITH_RC4_128_SHA, - .algorithm_mkey = SSL_kECDHe, - .algorithm_auth = SSL_aECDH, - .algorithm_enc = SSL_RC4, - .algorithm_mac = SSL_SHA1, - .algorithm_ssl = SSL_TLSV1, - .algo_strength = SSL_MEDIUM, - .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, - .strength_bits = 128, - .alg_bits = 128, - }, - - /* Cipher C003 */ - { - .valid = 1, - .name = TLS1_TXT_ECDH_ECDSA_WITH_DES_192_CBC3_SHA, - .id = TLS1_CK_ECDH_ECDSA_WITH_DES_192_CBC3_SHA, - .algorithm_mkey = SSL_kECDHe, - .algorithm_auth = SSL_aECDH, - .algorithm_enc = SSL_3DES, - .algorithm_mac = SSL_SHA1, - .algorithm_ssl = SSL_TLSV1, - .algo_strength = SSL_HIGH, - .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, - .strength_bits = 112, - .alg_bits = 168, - }, - - /* Cipher C004 */ - { - .valid = 1, - .name = TLS1_TXT_ECDH_ECDSA_WITH_AES_128_CBC_SHA, - .id = TLS1_CK_ECDH_ECDSA_WITH_AES_128_CBC_SHA, - .algorithm_mkey = SSL_kECDHe, - .algorithm_auth = SSL_aECDH, - .algorithm_enc = SSL_AES128, - .algorithm_mac = SSL_SHA1, - .algorithm_ssl = SSL_TLSV1, - .algo_strength = SSL_HIGH, - .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, - .strength_bits = 128, - .alg_bits = 128, - }, - - /* Cipher C005 */ - { - .valid = 1, - .name = TLS1_TXT_ECDH_ECDSA_WITH_AES_256_CBC_SHA, - .id = TLS1_CK_ECDH_ECDSA_WITH_AES_256_CBC_SHA, - .algorithm_mkey = SSL_kECDHe, - .algorithm_auth = SSL_aECDH, - .algorithm_enc = SSL_AES256, - .algorithm_mac = SSL_SHA1, - .algorithm_ssl = SSL_TLSV1, - .algo_strength = SSL_HIGH, - .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, - .strength_bits = 256, - .alg_bits = 256, - }, - - /* Cipher C006 */ - { - .valid = 1, - .name = TLS1_TXT_ECDHE_ECDSA_WITH_NULL_SHA, - .id = TLS1_CK_ECDHE_ECDSA_WITH_NULL_SHA, - .algorithm_mkey = SSL_kECDHE, - .algorithm_auth = SSL_aECDSA, - .algorithm_enc = SSL_eNULL, - .algorithm_mac = SSL_SHA1, - .algorithm_ssl = SSL_TLSV1, - .algo_strength = SSL_STRONG_NONE, - .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, - .strength_bits = 0, - .alg_bits = 0, - }, - - /* Cipher C007 */ - { - .valid = 1, - .name = TLS1_TXT_ECDHE_ECDSA_WITH_RC4_128_SHA, - .id = TLS1_CK_ECDHE_ECDSA_WITH_RC4_128_SHA, - .algorithm_mkey = SSL_kECDHE, - .algorithm_auth = SSL_aECDSA, - .algorithm_enc = SSL_RC4, - .algorithm_mac = SSL_SHA1, - .algorithm_ssl = SSL_TLSV1, - .algo_strength = SSL_MEDIUM, - .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, - .strength_bits = 128, - .alg_bits = 128, - }, - - /* Cipher C008 */ - { - .valid = 1, - .name = TLS1_TXT_ECDHE_ECDSA_WITH_DES_192_CBC3_SHA, - .id = TLS1_CK_ECDHE_ECDSA_WITH_DES_192_CBC3_SHA, - .algorithm_mkey = SSL_kECDHE, - .algorithm_auth = SSL_aECDSA, - .algorithm_enc = SSL_3DES, - .algorithm_mac = SSL_SHA1, - .algorithm_ssl = SSL_TLSV1, - .algo_strength = SSL_HIGH, - .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, - .strength_bits = 112, - .alg_bits = 168, - }, - - /* Cipher C009 */ - { - .valid = 1, - .name = TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, - .id = TLS1_CK_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, - .algorithm_mkey = SSL_kECDHE, - .algorithm_auth = SSL_aECDSA, - .algorithm_enc = SSL_AES128, - .algorithm_mac = SSL_SHA1, - .algorithm_ssl = SSL_TLSV1, - .algo_strength = SSL_HIGH, - .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, - .strength_bits = 128, - .alg_bits = 128, - }, - - /* Cipher C00A */ - { - .valid = 1, - .name = TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, - .id = TLS1_CK_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, - .algorithm_mkey = SSL_kECDHE, - .algorithm_auth = SSL_aECDSA, - .algorithm_enc = SSL_AES256, - .algorithm_mac = SSL_SHA1, - .algorithm_ssl = SSL_TLSV1, - .algo_strength = SSL_HIGH, - .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, - .strength_bits = 256, - .alg_bits = 256, - }, - - /* Cipher C00B */ - { - .valid = 1, - .name = TLS1_TXT_ECDH_RSA_WITH_NULL_SHA, - .id = TLS1_CK_ECDH_RSA_WITH_NULL_SHA, - .algorithm_mkey = SSL_kECDHr, - .algorithm_auth = SSL_aECDH, - .algorithm_enc = SSL_eNULL, - .algorithm_mac = SSL_SHA1, - .algorithm_ssl = SSL_TLSV1, - .algo_strength = SSL_STRONG_NONE, - .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, - .strength_bits = 0, - .alg_bits = 0, - }, - - /* Cipher C00C */ - { - .valid = 1, - .name = TLS1_TXT_ECDH_RSA_WITH_RC4_128_SHA, - .id = TLS1_CK_ECDH_RSA_WITH_RC4_128_SHA, - .algorithm_mkey = SSL_kECDHr, - .algorithm_auth = SSL_aECDH, - .algorithm_enc = SSL_RC4, - .algorithm_mac = SSL_SHA1, - .algorithm_ssl = SSL_TLSV1, - .algo_strength = SSL_MEDIUM, - .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, - .strength_bits = 128, - .alg_bits = 128, - }, - - /* Cipher C00D */ - { - .valid = 1, - .name = TLS1_TXT_ECDH_RSA_WITH_DES_192_CBC3_SHA, - .id = TLS1_CK_ECDH_RSA_WITH_DES_192_CBC3_SHA, - .algorithm_mkey = SSL_kECDHr, - .algorithm_auth = SSL_aECDH, - .algorithm_enc = SSL_3DES, - .algorithm_mac = SSL_SHA1, - .algorithm_ssl = SSL_TLSV1, - .algo_strength = SSL_HIGH, - .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, - .strength_bits = 112, - .alg_bits = 168, - }, - - /* Cipher C00E */ - { - .valid = 1, - .name = TLS1_TXT_ECDH_RSA_WITH_AES_128_CBC_SHA, - .id = TLS1_CK_ECDH_RSA_WITH_AES_128_CBC_SHA, - .algorithm_mkey = SSL_kECDHr, - .algorithm_auth = SSL_aECDH, - .algorithm_enc = SSL_AES128, - .algorithm_mac = SSL_SHA1, - .algorithm_ssl = SSL_TLSV1, - .algo_strength = SSL_HIGH, - .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, - .strength_bits = 128, - .alg_bits = 128, - }, - - /* Cipher C00F */ - { - .valid = 1, - .name = TLS1_TXT_ECDH_RSA_WITH_AES_256_CBC_SHA, - .id = TLS1_CK_ECDH_RSA_WITH_AES_256_CBC_SHA, - .algorithm_mkey = SSL_kECDHr, - .algorithm_auth = SSL_aECDH, - .algorithm_enc = SSL_AES256, - .algorithm_mac = SSL_SHA1, - .algorithm_ssl = SSL_TLSV1, - .algo_strength = SSL_HIGH, - .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, - .strength_bits = 256, - .alg_bits = 256, - }, - - /* Cipher C010 */ - { - .valid = 1, - .name = TLS1_TXT_ECDHE_RSA_WITH_NULL_SHA, - .id = TLS1_CK_ECDHE_RSA_WITH_NULL_SHA, - .algorithm_mkey = SSL_kECDHE, - .algorithm_auth = SSL_aRSA, - .algorithm_enc = SSL_eNULL, - .algorithm_mac = SSL_SHA1, - .algorithm_ssl = SSL_TLSV1, - .algo_strength = SSL_STRONG_NONE, - .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, - .strength_bits = 0, - .alg_bits = 0, - }, - - /* Cipher C011 */ - { - .valid = 1, - .name = TLS1_TXT_ECDHE_RSA_WITH_RC4_128_SHA, - .id = TLS1_CK_ECDHE_RSA_WITH_RC4_128_SHA, - .algorithm_mkey = SSL_kECDHE, - .algorithm_auth = SSL_aRSA, - .algorithm_enc = SSL_RC4, - .algorithm_mac = SSL_SHA1, - .algorithm_ssl = SSL_TLSV1, - .algo_strength = SSL_MEDIUM, - .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, - .strength_bits = 128, - .alg_bits = 128, - }, - - /* Cipher C012 */ - { - .valid = 1, - .name = TLS1_TXT_ECDHE_RSA_WITH_DES_192_CBC3_SHA, - .id = TLS1_CK_ECDHE_RSA_WITH_DES_192_CBC3_SHA, - .algorithm_mkey = SSL_kECDHE, - .algorithm_auth = SSL_aRSA, - .algorithm_enc = SSL_3DES, - .algorithm_mac = SSL_SHA1, - .algorithm_ssl = SSL_TLSV1, - .algo_strength = SSL_HIGH, - .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, - .strength_bits = 112, - .alg_bits = 168, - }, - - /* Cipher C013 */ - { - .valid = 1, - .name = TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA, - .id = TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA, - .algorithm_mkey = SSL_kECDHE, - .algorithm_auth = SSL_aRSA, - .algorithm_enc = SSL_AES128, - .algorithm_mac = SSL_SHA1, - .algorithm_ssl = SSL_TLSV1, - .algo_strength = SSL_HIGH, - .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, - .strength_bits = 128, - .alg_bits = 128, - }, - - /* Cipher C014 */ - { - .valid = 1, - .name = TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA, - .id = TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA, - .algorithm_mkey = SSL_kECDHE, - .algorithm_auth = SSL_aRSA, - .algorithm_enc = SSL_AES256, - .algorithm_mac = SSL_SHA1, - .algorithm_ssl = SSL_TLSV1, - .algo_strength = SSL_HIGH, - .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, - .strength_bits = 256, - .alg_bits = 256, - }, - - /* Cipher C015 */ - { - .valid = 1, - .name = TLS1_TXT_ECDH_anon_WITH_NULL_SHA, - .id = TLS1_CK_ECDH_anon_WITH_NULL_SHA, - .algorithm_mkey = SSL_kECDHE, - .algorithm_auth = SSL_aNULL, - .algorithm_enc = SSL_eNULL, - .algorithm_mac = SSL_SHA1, - .algorithm_ssl = SSL_TLSV1, - .algo_strength = SSL_STRONG_NONE, - .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, - .strength_bits = 0, - .alg_bits = 0, - }, - - /* Cipher C016 */ - { - .valid = 1, - .name = TLS1_TXT_ECDH_anon_WITH_RC4_128_SHA, - .id = TLS1_CK_ECDH_anon_WITH_RC4_128_SHA, - .algorithm_mkey = SSL_kECDHE, - .algorithm_auth = SSL_aNULL, - .algorithm_enc = SSL_RC4, - .algorithm_mac = SSL_SHA1, - .algorithm_ssl = SSL_TLSV1, - .algo_strength = SSL_MEDIUM, - .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, - .strength_bits = 128, - .alg_bits = 128, - }, - - /* Cipher C017 */ - { - .valid = 1, - .name = TLS1_TXT_ECDH_anon_WITH_DES_192_CBC3_SHA, - .id = TLS1_CK_ECDH_anon_WITH_DES_192_CBC3_SHA, - .algorithm_mkey = SSL_kECDHE, - .algorithm_auth = SSL_aNULL, - .algorithm_enc = SSL_3DES, - .algorithm_mac = SSL_SHA1, - .algorithm_ssl = SSL_TLSV1, - .algo_strength = SSL_HIGH, - .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, - .strength_bits = 112, - .alg_bits = 168, - }, - - /* Cipher C018 */ - { - .valid = 1, - .name = TLS1_TXT_ECDH_anon_WITH_AES_128_CBC_SHA, - .id = TLS1_CK_ECDH_anon_WITH_AES_128_CBC_SHA, - .algorithm_mkey = SSL_kECDHE, - .algorithm_auth = SSL_aNULL, - .algorithm_enc = SSL_AES128, - .algorithm_mac = SSL_SHA1, - .algorithm_ssl = SSL_TLSV1, - .algo_strength = SSL_HIGH, - .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, - .strength_bits = 128, - .alg_bits = 128, - }, - - /* Cipher C019 */ - { - .valid = 1, - .name = TLS1_TXT_ECDH_anon_WITH_AES_256_CBC_SHA, - .id = TLS1_CK_ECDH_anon_WITH_AES_256_CBC_SHA, - .algorithm_mkey = SSL_kECDHE, - .algorithm_auth = SSL_aNULL, - .algorithm_enc = SSL_AES256, - .algorithm_mac = SSL_SHA1, - .algorithm_ssl = SSL_TLSV1, - .algo_strength = SSL_HIGH, - .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, - .strength_bits = 256, - .alg_bits = 256, - }, - - - /* HMAC based TLS v1.2 ciphersuites from RFC5289 */ - - /* Cipher C023 */ - { - .valid = 1, - .name = TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_SHA256, - .id = TLS1_CK_ECDHE_ECDSA_WITH_AES_128_SHA256, - .algorithm_mkey = SSL_kECDHE, - .algorithm_auth = SSL_aECDSA, - .algorithm_enc = SSL_AES128, - .algorithm_mac = SSL_SHA256, - .algorithm_ssl = SSL_TLSV1_2, - .algo_strength = SSL_HIGH, - .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, - .strength_bits = 128, - .alg_bits = 128, - }, - - /* Cipher C024 */ - { - .valid = 1, - .name = TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_SHA384, - .id = TLS1_CK_ECDHE_ECDSA_WITH_AES_256_SHA384, - .algorithm_mkey = SSL_kECDHE, - .algorithm_auth = SSL_aECDSA, - .algorithm_enc = SSL_AES256, - .algorithm_mac = SSL_SHA384, - .algorithm_ssl = SSL_TLSV1_2, - .algo_strength = SSL_HIGH, - .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384, - .strength_bits = 256, - .alg_bits = 256, - }, - - /* Cipher C025 */ - { - .valid = 1, - .name = TLS1_TXT_ECDH_ECDSA_WITH_AES_128_SHA256, - .id = TLS1_CK_ECDH_ECDSA_WITH_AES_128_SHA256, - .algorithm_mkey = SSL_kECDHe, - .algorithm_auth = SSL_aECDH, - .algorithm_enc = SSL_AES128, - .algorithm_mac = SSL_SHA256, - .algorithm_ssl = SSL_TLSV1_2, - .algo_strength = SSL_HIGH, - .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, - .strength_bits = 128, - .alg_bits = 128, - }, - - /* Cipher C026 */ - { - .valid = 1, - .name = TLS1_TXT_ECDH_ECDSA_WITH_AES_256_SHA384, - .id = TLS1_CK_ECDH_ECDSA_WITH_AES_256_SHA384, - .algorithm_mkey = SSL_kECDHe, - .algorithm_auth = SSL_aECDH, - .algorithm_enc = SSL_AES256, - .algorithm_mac = SSL_SHA384, - .algorithm_ssl = SSL_TLSV1_2, - .algo_strength = SSL_HIGH, - .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384, - .strength_bits = 256, - .alg_bits = 256, - }, - - /* Cipher C027 */ - { - .valid = 1, - .name = TLS1_TXT_ECDHE_RSA_WITH_AES_128_SHA256, - .id = TLS1_CK_ECDHE_RSA_WITH_AES_128_SHA256, - .algorithm_mkey = SSL_kECDHE, - .algorithm_auth = SSL_aRSA, - .algorithm_enc = SSL_AES128, - .algorithm_mac = SSL_SHA256, - .algorithm_ssl = SSL_TLSV1_2, - .algo_strength = SSL_HIGH, - .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, - .strength_bits = 128, - .alg_bits = 128, - }, - - /* Cipher C028 */ - { - .valid = 1, - .name = TLS1_TXT_ECDHE_RSA_WITH_AES_256_SHA384, - .id = TLS1_CK_ECDHE_RSA_WITH_AES_256_SHA384, - .algorithm_mkey = SSL_kECDHE, - .algorithm_auth = SSL_aRSA, - .algorithm_enc = SSL_AES256, - .algorithm_mac = SSL_SHA384, - .algorithm_ssl = SSL_TLSV1_2, - .algo_strength = SSL_HIGH, - .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384, - .strength_bits = 256, - .alg_bits = 256, - }, - - /* Cipher C029 */ - { - .valid = 1, - .name = TLS1_TXT_ECDH_RSA_WITH_AES_128_SHA256, - .id = TLS1_CK_ECDH_RSA_WITH_AES_128_SHA256, - .algorithm_mkey = SSL_kECDHr, - .algorithm_auth = SSL_aECDH, - .algorithm_enc = SSL_AES128, - .algorithm_mac = SSL_SHA256, - .algorithm_ssl = SSL_TLSV1_2, - .algo_strength = SSL_HIGH, - .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, - .strength_bits = 128, - .alg_bits = 128, - }, - - /* Cipher C02A */ - { - .valid = 1, - .name = TLS1_TXT_ECDH_RSA_WITH_AES_256_SHA384, - .id = TLS1_CK_ECDH_RSA_WITH_AES_256_SHA384, - .algorithm_mkey = SSL_kECDHr, - .algorithm_auth = SSL_aECDH, - .algorithm_enc = SSL_AES256, - .algorithm_mac = SSL_SHA384, - .algorithm_ssl = SSL_TLSV1_2, - .algo_strength = SSL_HIGH, - .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384, - .strength_bits = 256, - .alg_bits = 256, - }, - - /* GCM based TLS v1.2 ciphersuites from RFC5289 */ - - /* Cipher C02B */ - { - .valid = 1, - .name = TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, - .id = TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, - .algorithm_mkey = SSL_kECDHE, - .algorithm_auth = SSL_aECDSA, - .algorithm_enc = SSL_AES128GCM, - .algorithm_mac = SSL_AEAD, - .algorithm_ssl = SSL_TLSV1_2, - .algo_strength = SSL_HIGH, - .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256| - SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(4)| - SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD, - .strength_bits = 128, - .alg_bits = 128, - }, - - /* Cipher C02C */ - { - .valid = 1, - .name = TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, - .id = TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, - .algorithm_mkey = SSL_kECDHE, - .algorithm_auth = SSL_aECDSA, - .algorithm_enc = SSL_AES256GCM, - .algorithm_mac = SSL_AEAD, - .algorithm_ssl = SSL_TLSV1_2, - .algo_strength = SSL_HIGH, - .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384| - SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(4)| - SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD, - .strength_bits = 256, - .alg_bits = 256, - }, - - /* Cipher C02D */ - { - .valid = 1, - .name = TLS1_TXT_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, - .id = TLS1_CK_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, - .algorithm_mkey = SSL_kECDHe, - .algorithm_auth = SSL_aECDH, - .algorithm_enc = SSL_AES128GCM, - .algorithm_mac = SSL_AEAD, - .algorithm_ssl = SSL_TLSV1_2, - .algo_strength = SSL_HIGH, - .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256| - SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(4)| - SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD, - .strength_bits = 128, - .alg_bits = 128, - }, - - /* Cipher C02E */ - { - .valid = 1, - .name = TLS1_TXT_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, - .id = TLS1_CK_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, - .algorithm_mkey = SSL_kECDHe, - .algorithm_auth = SSL_aECDH, - .algorithm_enc = SSL_AES256GCM, - .algorithm_mac = SSL_AEAD, - .algorithm_ssl = SSL_TLSV1_2, - .algo_strength = SSL_HIGH, - .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384| - SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(4)| - SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD, - .strength_bits = 256, - .alg_bits = 256, - }, - - /* Cipher C02F */ - { - .valid = 1, - .name = TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256, - .id = TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, - .algorithm_mkey = SSL_kECDHE, - .algorithm_auth = SSL_aRSA, - .algorithm_enc = SSL_AES128GCM, - .algorithm_mac = SSL_AEAD, - .algorithm_ssl = SSL_TLSV1_2, - .algo_strength = SSL_HIGH, - .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256| - SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(4)| - SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD, - .strength_bits = 128, - .alg_bits = 128, - }, - - /* Cipher C030 */ - { - .valid = 1, - .name = TLS1_TXT_ECDHE_RSA_WITH_AES_256_GCM_SHA384, - .id = TLS1_CK_ECDHE_RSA_WITH_AES_256_GCM_SHA384, - .algorithm_mkey = SSL_kECDHE, - .algorithm_auth = SSL_aRSA, - .algorithm_enc = SSL_AES256GCM, - .algorithm_mac = SSL_AEAD, - .algorithm_ssl = SSL_TLSV1_2, - .algo_strength = SSL_HIGH, - .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384| - SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(4)| - SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD, - .strength_bits = 256, - .alg_bits = 256, - }, - - /* Cipher C031 */ - { - .valid = 1, - .name = TLS1_TXT_ECDH_RSA_WITH_AES_128_GCM_SHA256, - .id = TLS1_CK_ECDH_RSA_WITH_AES_128_GCM_SHA256, - .algorithm_mkey = SSL_kECDHr, - .algorithm_auth = SSL_aECDH, - .algorithm_enc = SSL_AES128GCM, - .algorithm_mac = SSL_AEAD, - .algorithm_ssl = SSL_TLSV1_2, - .algo_strength = SSL_HIGH, - .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256| - SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(4)| - SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD, - .strength_bits = 128, - .alg_bits = 128, - }, - - /* Cipher C032 */ - { - .valid = 1, - .name = TLS1_TXT_ECDH_RSA_WITH_AES_256_GCM_SHA384, - .id = TLS1_CK_ECDH_RSA_WITH_AES_256_GCM_SHA384, - .algorithm_mkey = SSL_kECDHr, - .algorithm_auth = SSL_aECDH, - .algorithm_enc = SSL_AES256GCM, - .algorithm_mac = SSL_AEAD, - .algorithm_ssl = SSL_TLSV1_2, - .algo_strength = SSL_HIGH, - .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384| - SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(4)| - SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD, - .strength_bits = 256, - .alg_bits = 256, - }, - -#if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305) - /* Cipher CC13 */ - { - .valid = 1, - .name = TLS1_TXT_ECDHE_RSA_WITH_CHACHA20_POLY1305_OLD, - .id = TLS1_CK_ECDHE_RSA_CHACHA20_POLY1305_OLD, - .algorithm_mkey = SSL_kECDHE, - .algorithm_auth = SSL_aRSA, - .algorithm_enc = SSL_CHACHA20POLY1305_OLD, - .algorithm_mac = SSL_AEAD, - .algorithm_ssl = SSL_TLSV1_2, - .algo_strength = SSL_HIGH, - .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256| - SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(0), - .strength_bits = 256, - .alg_bits = 256, - }, - - /* Cipher CC14 */ - { - .valid = 1, - .name = TLS1_TXT_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_OLD, - .id = TLS1_CK_ECDHE_ECDSA_CHACHA20_POLY1305_OLD, - .algorithm_mkey = SSL_kECDHE, - .algorithm_auth = SSL_aECDSA, - .algorithm_enc = SSL_CHACHA20POLY1305_OLD, - .algorithm_mac = SSL_AEAD, - .algorithm_ssl = SSL_TLSV1_2, - .algo_strength = SSL_HIGH, - .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256| - SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(0), - .strength_bits = 256, - .alg_bits = 256, - }, - - /* Cipher CC15 */ - { - .valid = 1, - .name = TLS1_TXT_DHE_RSA_WITH_CHACHA20_POLY1305_OLD, - .id = TLS1_CK_DHE_RSA_CHACHA20_POLY1305_OLD, - .algorithm_mkey = SSL_kDHE, - .algorithm_auth = SSL_aRSA, - .algorithm_enc = SSL_CHACHA20POLY1305_OLD, - .algorithm_mac = SSL_AEAD, - .algorithm_ssl = SSL_TLSV1_2, - .algo_strength = SSL_HIGH, - .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256| - SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(0), - .strength_bits = 256, - .alg_bits = 256, - }, - - /* Cipher CCA8 */ - { - .valid = 1, - .name = TLS1_TXT_ECDHE_RSA_WITH_CHACHA20_POLY1305, - .id = TLS1_CK_ECDHE_RSA_CHACHA20_POLY1305, - .algorithm_mkey = SSL_kECDHE, - .algorithm_auth = SSL_aRSA, - .algorithm_enc = SSL_CHACHA20POLY1305, - .algorithm_mac = SSL_AEAD, - .algorithm_ssl = SSL_TLSV1_2, - .algo_strength = SSL_HIGH, - .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256| - SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(12), - .strength_bits = 256, - .alg_bits = 256, - }, - - /* Cipher CCA9 */ - { - .valid = 1, - .name = TLS1_TXT_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, - .id = TLS1_CK_ECDHE_ECDSA_CHACHA20_POLY1305, - .algorithm_mkey = SSL_kECDHE, - .algorithm_auth = SSL_aECDSA, - .algorithm_enc = SSL_CHACHA20POLY1305, - .algorithm_mac = SSL_AEAD, - .algorithm_ssl = SSL_TLSV1_2, - .algo_strength = SSL_HIGH, - .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256| - SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(12), - .strength_bits = 256, - .alg_bits = 256, - }, - - /* Cipher CCAA */ - { - .valid = 1, - .name = TLS1_TXT_DHE_RSA_WITH_CHACHA20_POLY1305, - .id = TLS1_CK_DHE_RSA_CHACHA20_POLY1305, - .algorithm_mkey = SSL_kDHE, - .algorithm_auth = SSL_aRSA, - .algorithm_enc = SSL_CHACHA20POLY1305, - .algorithm_mac = SSL_AEAD, - .algorithm_ssl = SSL_TLSV1_2, - .algo_strength = SSL_HIGH, - .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256| - SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(12), - .strength_bits = 256, - .alg_bits = 256, - }, -#endif - - /* Cipher FF85 FIXME IANA */ - { - .valid = 1, - .name = "GOST2012256-GOST89-GOST89", - .id = 0x300ff85, /* FIXME IANA */ - .algorithm_mkey = SSL_kGOST, - .algorithm_auth = SSL_aGOST01, - .algorithm_enc = SSL_eGOST2814789CNT, - .algorithm_mac = SSL_GOST89MAC, - .algorithm_ssl = SSL_TLSV1, - .algo_strength = SSL_HIGH, - .algorithm2 = SSL_HANDSHAKE_MAC_STREEBOG256|TLS1_PRF_STREEBOG256| - TLS1_STREAM_MAC, - .strength_bits = 256, - .alg_bits = 256 - }, - - /* Cipher FF87 FIXME IANA */ - { - .valid = 1, - .name = "GOST2012256-NULL-STREEBOG256", - .id = 0x300ff87, /* FIXME IANA */ - .algorithm_mkey = SSL_kGOST, - .algorithm_auth = SSL_aGOST01, - .algorithm_enc = SSL_eNULL, - .algorithm_mac = SSL_STREEBOG256, - .algorithm_ssl = SSL_TLSV1, - .algo_strength = SSL_STRONG_NONE, - .algorithm2 = SSL_HANDSHAKE_MAC_STREEBOG256|TLS1_PRF_STREEBOG256, - .strength_bits = 0, - .alg_bits = 0 - }, - - - /* end of list */ -}; - -int -ssl3_num_ciphers(void) -{ - return (SSL3_NUM_CIPHERS); -} - -const SSL_CIPHER * -ssl3_get_cipher(unsigned int u) -{ - if (u < SSL3_NUM_CIPHERS) - return (&(ssl3_ciphers[SSL3_NUM_CIPHERS - 1 - u])); - else - return (NULL); -} - -const SSL_CIPHER * -ssl3_get_cipher_by_id(unsigned int id) -{ - const SSL_CIPHER *cp; - SSL_CIPHER c; - - c.id = id; - cp = OBJ_bsearch_ssl_cipher_id(&c, ssl3_ciphers, SSL3_NUM_CIPHERS); - if (cp != NULL && cp->valid == 1) - return (cp); - - return (NULL); -} - -const SSL_CIPHER * -ssl3_get_cipher_by_value(uint16_t value) -{ - return ssl3_get_cipher_by_id(SSL3_CK_ID | value); -} - -uint16_t -ssl3_cipher_get_value(const SSL_CIPHER *c) -{ - return (c->id & SSL3_CK_VALUE_MASK); -} - -int -ssl3_pending(const SSL *s) -{ - if (s->rstate == SSL_ST_READ_BODY) - return 0; - - return (s->s3->rrec.type == SSL3_RT_APPLICATION_DATA) ? - s->s3->rrec.length : 0; -} - -int -ssl3_handshake_msg_hdr_len(SSL *s) -{ - return (SSL_IS_DTLS(s) ? DTLS1_HM_HEADER_LENGTH : - SSL3_HM_HEADER_LENGTH); -} - -unsigned char * -ssl3_handshake_msg_start(SSL *s, uint8_t msg_type) -{ - unsigned char *d, *p; - - d = p = (unsigned char *)s->init_buf->data; - - /* Handshake message type and length. */ - *(p++) = msg_type; - l2n3(0, p); - - return (d + ssl3_handshake_msg_hdr_len(s)); -} - -void -ssl3_handshake_msg_finish(SSL *s, unsigned int len) -{ - unsigned char *d, *p; - uint8_t msg_type; - - d = p = (unsigned char *)s->init_buf->data; - - /* Handshake message length. */ - msg_type = *(p++); - l2n3(len, p); - - s->init_num = ssl3_handshake_msg_hdr_len(s) + (int)len; - s->init_off = 0; - - if (SSL_IS_DTLS(s)) { - dtls1_set_message_header(s, d, msg_type, len, 0, len); - dtls1_buffer_message(s, 0); - } -} - -int -ssl3_handshake_write(SSL *s) -{ - if (SSL_IS_DTLS(s)) - return dtls1_do_write(s, SSL3_RT_HANDSHAKE); - - return ssl3_do_write(s, SSL3_RT_HANDSHAKE); -} - -int -ssl3_new(SSL *s) -{ - SSL3_STATE *s3; - - if ((s3 = calloc(1, sizeof *s3)) == NULL) - goto err; - memset(s3->rrec.seq_num, 0, sizeof(s3->rrec.seq_num)); - memset(s3->wrec.seq_num, 0, sizeof(s3->wrec.seq_num)); - - s->s3 = s3; - - s->method->ssl_clear(s); - return (1); -err: - return (0); -} - -void -ssl3_free(SSL *s) -{ - if (s == NULL) - return; - - tls1_cleanup_key_block(s); - ssl3_release_read_buffer(s); - ssl3_release_write_buffer(s); - - DH_free(s->s3->tmp.dh); - EC_KEY_free(s->s3->tmp.ecdh); - - if (s->s3->tmp.ca_names != NULL) - sk_X509_NAME_pop_free(s->s3->tmp.ca_names, X509_NAME_free); - BIO_free(s->s3->handshake_buffer); - tls1_free_digest_list(s); - free(s->s3->alpn_selected); - - explicit_bzero(s->s3, sizeof *s->s3); - free(s->s3); - s->s3 = NULL; -} - -void -ssl3_clear(SSL *s) -{ - unsigned char *rp, *wp; - size_t rlen, wlen; - - tls1_cleanup_key_block(s); - if (s->s3->tmp.ca_names != NULL) - sk_X509_NAME_pop_free(s->s3->tmp.ca_names, X509_NAME_free); - - DH_free(s->s3->tmp.dh); - s->s3->tmp.dh = NULL; - EC_KEY_free(s->s3->tmp.ecdh); - s->s3->tmp.ecdh = NULL; - - rp = s->s3->rbuf.buf; - wp = s->s3->wbuf.buf; - rlen = s->s3->rbuf.len; - wlen = s->s3->wbuf.len; - - BIO_free(s->s3->handshake_buffer); - s->s3->handshake_buffer = NULL; - - tls1_free_digest_list(s); - - free(s->s3->alpn_selected); - s->s3->alpn_selected = NULL; - - memset(s->s3, 0, sizeof *s->s3); - s->s3->rbuf.buf = rp; - s->s3->wbuf.buf = wp; - s->s3->rbuf.len = rlen; - s->s3->wbuf.len = wlen; - - ssl_free_wbio_buffer(s); - - s->packet_length = 0; - s->s3->renegotiate = 0; - s->s3->total_renegotiations = 0; - s->s3->num_renegotiations = 0; - s->s3->in_read_app_data = 0; - s->version = TLS1_VERSION; - - free(s->next_proto_negotiated); - s->next_proto_negotiated = NULL; - s->next_proto_negotiated_len = 0; -} - - -long -ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) -{ - int ret = 0; - - if (cmd == SSL_CTRL_SET_TMP_DH || cmd == SSL_CTRL_SET_TMP_DH_CB) { - if (!ssl_cert_inst(&s->cert)) { - SSLerr(SSL_F_SSL3_CTRL, - ERR_R_MALLOC_FAILURE); - return (0); - } - } - - switch (cmd) { - case SSL_CTRL_GET_SESSION_REUSED: - ret = s->hit; - break; - case SSL_CTRL_GET_CLIENT_CERT_REQUEST: - break; - case SSL_CTRL_GET_NUM_RENEGOTIATIONS: - ret = s->s3->num_renegotiations; - break; - case SSL_CTRL_CLEAR_NUM_RENEGOTIATIONS: - ret = s->s3->num_renegotiations; - s->s3->num_renegotiations = 0; - break; - case SSL_CTRL_GET_TOTAL_RENEGOTIATIONS: - ret = s->s3->total_renegotiations; - break; - case SSL_CTRL_GET_FLAGS: - ret = (int)(s->s3->flags); - break; - case SSL_CTRL_NEED_TMP_RSA: - ret = 0; - break; - case SSL_CTRL_SET_TMP_RSA: - case SSL_CTRL_SET_TMP_RSA_CB: - SSLerr(SSL_F_SSL3_CTRL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); - break; - case SSL_CTRL_SET_TMP_DH: - { - DH *dh = (DH *)parg; - if (dh == NULL) { - SSLerr(SSL_F_SSL3_CTRL, - ERR_R_PASSED_NULL_PARAMETER); - return (ret); - } - if ((dh = DHparams_dup(dh)) == NULL) { - SSLerr(SSL_F_SSL3_CTRL, - ERR_R_DH_LIB); - return (ret); - } - DH_free(s->cert->dh_tmp); - s->cert->dh_tmp = dh; - ret = 1; - } - break; - - case SSL_CTRL_SET_TMP_DH_CB: - SSLerr(SSL_F_SSL3_CTRL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); - return (ret); - - case SSL_CTRL_SET_DH_AUTO: - s->cert->dh_tmp_auto = larg; - return 1; - - case SSL_CTRL_SET_TMP_ECDH: - { - EC_KEY *ecdh = NULL; - - if (parg == NULL) { - SSLerr(SSL_F_SSL3_CTRL, - ERR_R_PASSED_NULL_PARAMETER); - return (ret); - } - if (!EC_KEY_up_ref((EC_KEY *)parg)) { - SSLerr(SSL_F_SSL3_CTRL, - ERR_R_ECDH_LIB); - return (ret); - } - ecdh = (EC_KEY *)parg; - if (!(s->options & SSL_OP_SINGLE_ECDH_USE)) { - if (!EC_KEY_generate_key(ecdh)) { - EC_KEY_free(ecdh); - SSLerr(SSL_F_SSL3_CTRL, - ERR_R_ECDH_LIB); - return (ret); - } - } - EC_KEY_free(s->cert->ecdh_tmp); - s->cert->ecdh_tmp = ecdh; - ret = 1; - } - break; - case SSL_CTRL_SET_TMP_ECDH_CB: - { - SSLerr(SSL_F_SSL3_CTRL, - ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); - return (ret); - } - break; - case SSL_CTRL_SET_TLSEXT_HOSTNAME: - if (larg == TLSEXT_NAMETYPE_host_name) { - free(s->tlsext_hostname); - s->tlsext_hostname = NULL; - - ret = 1; - if (parg == NULL) - break; - if (strlen((char *)parg) > TLSEXT_MAXLEN_host_name) { - SSLerr(SSL_F_SSL3_CTRL, - SSL_R_SSL3_EXT_INVALID_SERVERNAME); - return 0; - } - if ((s->tlsext_hostname = strdup((char *)parg)) - == NULL) { - SSLerr(SSL_F_SSL3_CTRL, - ERR_R_INTERNAL_ERROR); - return 0; - } - } else { - SSLerr(SSL_F_SSL3_CTRL, - SSL_R_SSL3_EXT_INVALID_SERVERNAME_TYPE); - return 0; - } - break; - case SSL_CTRL_SET_TLSEXT_DEBUG_ARG: - s->tlsext_debug_arg = parg; - ret = 1; - break; - - case SSL_CTRL_SET_TLSEXT_STATUS_REQ_TYPE: - s->tlsext_status_type = larg; - ret = 1; - break; - - case SSL_CTRL_GET_TLSEXT_STATUS_REQ_EXTS: - *(STACK_OF(X509_EXTENSION) **)parg = s->tlsext_ocsp_exts; - ret = 1; - break; - - case SSL_CTRL_SET_TLSEXT_STATUS_REQ_EXTS: - s->tlsext_ocsp_exts = parg; - ret = 1; - break; - - case SSL_CTRL_GET_TLSEXT_STATUS_REQ_IDS: - *(STACK_OF(OCSP_RESPID) **)parg = s->tlsext_ocsp_ids; - ret = 1; - break; - - case SSL_CTRL_SET_TLSEXT_STATUS_REQ_IDS: - s->tlsext_ocsp_ids = parg; - ret = 1; - break; - - case SSL_CTRL_GET_TLSEXT_STATUS_REQ_OCSP_RESP: - *(unsigned char **)parg = s->tlsext_ocsp_resp; - return s->tlsext_ocsp_resplen; - - case SSL_CTRL_SET_TLSEXT_STATUS_REQ_OCSP_RESP: - free(s->tlsext_ocsp_resp); - s->tlsext_ocsp_resp = parg; - s->tlsext_ocsp_resplen = larg; - ret = 1; - break; - - case SSL_CTRL_SET_ECDH_AUTO: - s->cert->ecdh_tmp_auto = larg; - ret = 1; - break; - - default: - break; - } - return (ret); -} - -long -ssl3_callback_ctrl(SSL *s, int cmd, void (*fp)(void)) -{ - int ret = 0; - - if (cmd == SSL_CTRL_SET_TMP_DH_CB) { - if (!ssl_cert_inst(&s->cert)) { - SSLerr(SSL_F_SSL3_CALLBACK_CTRL, - ERR_R_MALLOC_FAILURE); - return (0); - } - } - - switch (cmd) { - case SSL_CTRL_SET_TMP_RSA_CB: - SSLerr(SSL_F_SSL3_CTRL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); - break; - case SSL_CTRL_SET_TMP_DH_CB: - s->cert->dh_tmp_cb = (DH *(*)(SSL *, int, int))fp; - break; - case SSL_CTRL_SET_TMP_ECDH_CB: - s->cert->ecdh_tmp_cb = (EC_KEY *(*)(SSL *, int, int))fp; - break; - case SSL_CTRL_SET_TLSEXT_DEBUG_CB: - s->tlsext_debug_cb = (void (*)(SSL *, int , int, - unsigned char *, int, void *))fp; - break; - default: - break; - } - return (ret); -} - -long -ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) -{ - CERT *cert; - - cert = ctx->cert; - - switch (cmd) { - case SSL_CTRL_NEED_TMP_RSA: - return (0); - case SSL_CTRL_SET_TMP_RSA: - case SSL_CTRL_SET_TMP_RSA_CB: - SSLerr(SSL_F_SSL3_CTX_CTRL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); - return (0); - case SSL_CTRL_SET_TMP_DH: - { - DH *new = NULL, *dh; - - dh = (DH *)parg; - if ((new = DHparams_dup(dh)) == NULL) { - SSLerr(SSL_F_SSL3_CTX_CTRL, - ERR_R_DH_LIB); - return 0; - } - DH_free(cert->dh_tmp); - cert->dh_tmp = new; - return 1; - } - /*break; */ - - case SSL_CTRL_SET_TMP_DH_CB: - SSLerr(SSL_F_SSL3_CTX_CTRL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); - return (0); - - case SSL_CTRL_SET_DH_AUTO: - ctx->cert->dh_tmp_auto = larg; - return (1); - - case SSL_CTRL_SET_TMP_ECDH: - { - EC_KEY *ecdh = NULL; - - if (parg == NULL) { - SSLerr(SSL_F_SSL3_CTX_CTRL, - ERR_R_ECDH_LIB); - return 0; - } - ecdh = EC_KEY_dup((EC_KEY *)parg); - if (ecdh == NULL) { - SSLerr(SSL_F_SSL3_CTX_CTRL, - ERR_R_EC_LIB); - return 0; - } - if (!(ctx->options & SSL_OP_SINGLE_ECDH_USE)) { - if (!EC_KEY_generate_key(ecdh)) { - EC_KEY_free(ecdh); - SSLerr(SSL_F_SSL3_CTX_CTRL, - ERR_R_ECDH_LIB); - return 0; - } - } - - EC_KEY_free(cert->ecdh_tmp); - cert->ecdh_tmp = ecdh; - return 1; - } - /* break; */ - case SSL_CTRL_SET_TMP_ECDH_CB: - { - SSLerr(SSL_F_SSL3_CTX_CTRL, - ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); - return (0); - } - break; - case SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG: - ctx->tlsext_servername_arg = parg; - break; - case SSL_CTRL_SET_TLSEXT_TICKET_KEYS: - case SSL_CTRL_GET_TLSEXT_TICKET_KEYS: - { - unsigned char *keys = parg; - if (!keys) - return 48; - if (larg != 48) { - SSLerr(SSL_F_SSL3_CTX_CTRL, - SSL_R_INVALID_TICKET_KEYS_LENGTH); - return 0; - } - if (cmd == SSL_CTRL_SET_TLSEXT_TICKET_KEYS) { - memcpy(ctx->tlsext_tick_key_name, keys, 16); - memcpy(ctx->tlsext_tick_hmac_key, - keys + 16, 16); - memcpy(ctx->tlsext_tick_aes_key, keys + 32, 16); - } else { - memcpy(keys, ctx->tlsext_tick_key_name, 16); - memcpy(keys + 16, - ctx->tlsext_tick_hmac_key, 16); - memcpy(keys + 32, - ctx->tlsext_tick_aes_key, 16); - } - return 1; - } - - case SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB_ARG: - ctx->tlsext_status_arg = parg; - return 1; - break; - - case SSL_CTRL_SET_ECDH_AUTO: - ctx->cert->ecdh_tmp_auto = larg; - return 1; - - /* A Thawte special :-) */ - case SSL_CTRL_EXTRA_CHAIN_CERT: - if (ctx->extra_certs == NULL) { - if ((ctx->extra_certs = sk_X509_new_null()) == NULL) - return (0); - } - sk_X509_push(ctx->extra_certs,(X509 *)parg); - break; - - case SSL_CTRL_GET_EXTRA_CHAIN_CERTS: - *(STACK_OF(X509) **)parg = ctx->extra_certs; - break; - - case SSL_CTRL_CLEAR_EXTRA_CHAIN_CERTS: - if (ctx->extra_certs) { - sk_X509_pop_free(ctx->extra_certs, X509_free); - ctx->extra_certs = NULL; - } - break; - - default: - return (0); - } - return (1); -} - -long -ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)(void)) -{ - CERT *cert; - - cert = ctx->cert; - - switch (cmd) { - case SSL_CTRL_SET_TMP_RSA_CB: - SSLerr(SSL_F_SSL3_CTX_CTRL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); - return (0); - case SSL_CTRL_SET_TMP_DH_CB: - cert->dh_tmp_cb = (DH *(*)(SSL *, int, int))fp; - break; - case SSL_CTRL_SET_TMP_ECDH_CB: - cert->ecdh_tmp_cb = (EC_KEY *(*)(SSL *, int, int))fp; - break; - case SSL_CTRL_SET_TLSEXT_SERVERNAME_CB: - ctx->tlsext_servername_callback = - (int (*)(SSL *, int *, void *))fp; - break; - - case SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB: - ctx->tlsext_status_cb = (int (*)(SSL *, void *))fp; - break; - - case SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB: - ctx->tlsext_ticket_key_cb = (int (*)(SSL *, unsigned char *, - unsigned char *, EVP_CIPHER_CTX *, HMAC_CTX *, int))fp; - break; - - default: - return (0); - } - return (1); -} - -/* - * This function needs to check if the ciphers required are actually available. - */ -const SSL_CIPHER * -ssl3_get_cipher_by_char(const unsigned char *p) -{ - CBS cipher; - uint16_t cipher_value; - - /* We have to assume it is at least 2 bytes due to existing API. */ - CBS_init(&cipher, p, 2); - if (!CBS_get_u16(&cipher, &cipher_value)) - return NULL; - - return ssl3_get_cipher_by_value(cipher_value); -} - -int -ssl3_put_cipher_by_char(const SSL_CIPHER *c, unsigned char *p) -{ - if (p != NULL) { - if ((c->id & ~SSL3_CK_VALUE_MASK) != SSL3_CK_ID) - return (0); - s2n(ssl3_cipher_get_value(c), p); - } - return (2); -} - -SSL_CIPHER * -ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt, - STACK_OF(SSL_CIPHER) *srvr) -{ - unsigned long alg_k, alg_a, mask_k, mask_a; - STACK_OF(SSL_CIPHER) *prio, *allow; - SSL_CIPHER *c, *ret = NULL; - int i, ii, ok; - CERT *cert; - - /* Let's see which ciphers we can support */ - cert = s->cert; - - /* - * Do not set the compare functions, because this may lead to a - * reordering by "id". We want to keep the original ordering. - * We may pay a price in performance during sk_SSL_CIPHER_find(), - * but would have to pay with the price of sk_SSL_CIPHER_dup(). - */ - - if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) { - prio = srvr; - allow = clnt; - } else { - prio = clnt; - allow = srvr; - } - - for (i = 0; i < sk_SSL_CIPHER_num(prio); i++) { - c = sk_SSL_CIPHER_value(prio, i); - - /* Skip TLS v1.2 only ciphersuites if not supported. */ - if ((c->algorithm_ssl & SSL_TLSV1_2) && - !SSL_USE_TLS1_2_CIPHERS(s)) - continue; - - ssl_set_cert_masks(cert, c); - mask_k = cert->mask_k; - mask_a = cert->mask_a; - - alg_k = c->algorithm_mkey; - alg_a = c->algorithm_auth; - - - ok = (alg_k & mask_k) && (alg_a & mask_a); - - /* - * If we are considering an ECC cipher suite that uses our - * certificate check it. - */ - if (alg_a & (SSL_aECDSA|SSL_aECDH)) - ok = ok && tls1_check_ec_server_key(s); - /* - * If we are considering an ECC cipher suite that uses - * an ephemeral EC key check it. - */ - if (alg_k & SSL_kECDHE) - ok = ok && tls1_check_ec_tmp_key(s); - - if (!ok) - continue; - ii = sk_SSL_CIPHER_find(allow, c); - if (ii >= 0) { - ret = sk_SSL_CIPHER_value(allow, ii); - break; - } - } - return (ret); -} - -int -ssl3_get_req_cert_type(SSL *s, unsigned char *p) -{ - int ret = 0; - unsigned long alg_k; - - alg_k = s->s3->tmp.new_cipher->algorithm_mkey; - -#ifndef OPENSSL_NO_GOST - if ((alg_k & SSL_kGOST)) { - p[ret++] = TLS_CT_GOST94_SIGN; - p[ret++] = TLS_CT_GOST01_SIGN; - p[ret++] = TLS_CT_GOST12_256_SIGN; - p[ret++] = TLS_CT_GOST12_512_SIGN; - } -#endif - - if (alg_k & SSL_kDHE) { - p[ret++] = SSL3_CT_RSA_FIXED_DH; - p[ret++] = SSL3_CT_DSS_FIXED_DH; - } - p[ret++] = SSL3_CT_RSA_SIGN; - p[ret++] = SSL3_CT_DSS_SIGN; - if ((alg_k & (SSL_kECDHr|SSL_kECDHe))) { - p[ret++] = TLS_CT_RSA_FIXED_ECDH; - p[ret++] = TLS_CT_ECDSA_FIXED_ECDH; - } - - /* - * ECDSA certs can be used with RSA cipher suites as well - * so we don't need to check for SSL_kECDH or SSL_kECDHE - */ - p[ret++] = TLS_CT_ECDSA_SIGN; - - return (ret); -} - -int -ssl3_shutdown(SSL *s) -{ - int ret; - - /* - * Don't do anything much if we have not done the handshake or - * we don't want to send messages :-) - */ - if ((s->quiet_shutdown) || (s->state == SSL_ST_BEFORE)) { - s->shutdown = (SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN); - return (1); - } - - if (!(s->shutdown & SSL_SENT_SHUTDOWN)) { - s->shutdown|=SSL_SENT_SHUTDOWN; - ssl3_send_alert(s, SSL3_AL_WARNING, SSL_AD_CLOSE_NOTIFY); - /* - * Our shutdown alert has been sent now, and if it still needs - * to be written, s->s3->alert_dispatch will be true - */ - if (s->s3->alert_dispatch) - return(-1); /* return WANT_WRITE */ - } else if (s->s3->alert_dispatch) { - /* resend it if not sent */ - ret = s->method->ssl_dispatch_alert(s); - if (ret == -1) { - /* - * We only get to return -1 here the 2nd/Nth - * invocation, we must have already signalled - * return 0 upon a previous invoation, - * return WANT_WRITE - */ - return (ret); - } - } else if (!(s->shutdown & SSL_RECEIVED_SHUTDOWN)) { - /* If we are waiting for a close from our peer, we are closed */ - s->method->ssl_read_bytes(s, 0, NULL, 0, 0); - if (!(s->shutdown & SSL_RECEIVED_SHUTDOWN)) { - return(-1); /* return WANT_READ */ - } - } - - if ((s->shutdown == (SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN)) && - !s->s3->alert_dispatch) - return (1); - else - return (0); -} - -int -ssl3_write(SSL *s, const void *buf, int len) -{ - int ret, n; - -#if 0 - if (s->shutdown & SSL_SEND_SHUTDOWN) { - s->rwstate = SSL_NOTHING; - return (0); - } -#endif - errno = 0; - if (s->s3->renegotiate) - ssl3_renegotiate_check(s); - - /* - * This is an experimental flag that sends the - * last handshake message in the same packet as the first - * use data - used to see if it helps the TCP protocol during - * session-id reuse - */ - /* The second test is because the buffer may have been removed */ - if ((s->s3->flags & SSL3_FLAGS_POP_BUFFER) && (s->wbio == s->bbio)) { - /* First time through, we write into the buffer */ - if (s->s3->delay_buf_pop_ret == 0) { - ret = ssl3_write_bytes(s, SSL3_RT_APPLICATION_DATA, - buf, len); - if (ret <= 0) - return (ret); - - s->s3->delay_buf_pop_ret = ret; - } - - s->rwstate = SSL_WRITING; - n = BIO_flush(s->wbio); - if (n <= 0) - return (n); - s->rwstate = SSL_NOTHING; - - /* We have flushed the buffer, so remove it */ - ssl_free_wbio_buffer(s); - s->s3->flags&= ~SSL3_FLAGS_POP_BUFFER; - - ret = s->s3->delay_buf_pop_ret; - s->s3->delay_buf_pop_ret = 0; - } else { - ret = s->method->ssl_write_bytes(s, SSL3_RT_APPLICATION_DATA, - buf, len); - if (ret <= 0) - return (ret); - } - - return (ret); -} - -static int -ssl3_read_internal(SSL *s, void *buf, int len, int peek) -{ - int ret; - - errno = 0; - if (s->s3->renegotiate) - ssl3_renegotiate_check(s); - s->s3->in_read_app_data = 1; - ret = s->method->ssl_read_bytes(s, - SSL3_RT_APPLICATION_DATA, buf, len, peek); - if ((ret == -1) && (s->s3->in_read_app_data == 2)) { - /* - * ssl3_read_bytes decided to call s->handshake_func, which - * called ssl3_read_bytes to read handshake data. - * However, ssl3_read_bytes actually found application data - * and thinks that application data makes sense here; so disable - * handshake processing and try to read application data again. - */ - s->in_handshake++; - ret = s->method->ssl_read_bytes(s, - SSL3_RT_APPLICATION_DATA, buf, len, peek); - s->in_handshake--; - } else - s->s3->in_read_app_data = 0; - - return (ret); -} - -int -ssl3_read(SSL *s, void *buf, int len) -{ - return ssl3_read_internal(s, buf, len, 0); -} - -int -ssl3_peek(SSL *s, void *buf, int len) -{ - return ssl3_read_internal(s, buf, len, 1); -} - -int -ssl3_renegotiate(SSL *s) -{ - if (s->handshake_func == NULL) - return (1); - - if (s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) - return (0); - - s->s3->renegotiate = 1; - return (1); -} - -int -ssl3_renegotiate_check(SSL *s) -{ - int ret = 0; - - if (s->s3->renegotiate) { - if ((s->s3->rbuf.left == 0) && (s->s3->wbuf.left == 0) && - !SSL_in_init(s)) { - /* - * If we are the server, and we have sent - * a 'RENEGOTIATE' message, we need to go - * to SSL_ST_ACCEPT. - */ - /* SSL_ST_ACCEPT */ - s->state = SSL_ST_RENEGOTIATE; - s->s3->renegotiate = 0; - s->s3->num_renegotiations++; - s->s3->total_renegotiations++; - ret = 1; - } - } - return (ret); -} -/* - * If we are using default SHA1+MD5 algorithms switch to new SHA256 PRF - * and handshake macs if required. - */ -long -ssl_get_algorithm2(SSL *s) -{ - long alg2 = s->s3->tmp.new_cipher->algorithm2; - - if (s->method->ssl3_enc->enc_flags & SSL_ENC_FLAG_SHA256_PRF && - alg2 == (SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF)) - return SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256; - return alg2; -} diff --git a/lib/libssl/src/ssl/s3_pkt.c b/lib/libssl/src/ssl/s3_pkt.c deleted file mode 100644 index 0e97be6728b..00000000000 --- a/lib/libssl/src/ssl/s3_pkt.c +++ /dev/null @@ -1,1391 +0,0 @@ -/* $OpenBSD: s3_pkt.c,v 1.58 2016/07/10 23:07:34 tedu Exp $ */ -/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) - * All rights reserved. - * - * This package is an SSL implementation written - * by Eric Young (eay@cryptsoft.com). - * The implementation was written so as to conform with Netscapes SSL. - * - * This library is free for commercial and non-commercial use as long as - * the following conditions are aheared to. The following conditions - * apply to all code found in this distribution, be it the RC4, RSA, - * lhash, DES, etc., code; not just the SSL code. The SSL documentation - * included with this distribution is covered by the same copyright terms - * except that the holder is Tim Hudson (tjh@cryptsoft.com). - * - * Copyright remains Eric Young's, and as such any Copyright notices in - * the code are not to be removed. - * If this package is used in a product, Eric Young should be given attribution - * as the author of the parts of the library used. - * This can be in the form of a textual message at program startup or - * in documentation (online or textual) provided with the package. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * "This product includes cryptographic software written by - * Eric Young (eay@cryptsoft.com)" - * The word 'cryptographic' can be left out if the rouines from the library - * being used are not cryptographic related :-). - * 4. If you include any Windows specific code (or a derivative thereof) from - * the apps directory (application code) you must include an acknowledgement: - * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" - * - * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * The licence and distribution terms for any publically available version or - * derivative of this code cannot be changed. i.e. this code cannot simply be - * copied and put under another distribution licence - * [including the GNU Public Licence.] - */ -/* ==================================================================== - * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * openssl-core@openssl.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.openssl.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ - -#include <errno.h> -#include <stdio.h> - -#include "ssl_locl.h" - -#include <openssl/buffer.h> -#include <openssl/evp.h> - -#include "bytestring.h" - -static int do_ssl3_write(SSL *s, int type, const unsigned char *buf, - unsigned int len, int create_empty_fragment); -static int ssl3_get_record(SSL *s); - -/* If extend == 0, obtain new n-byte packet; if extend == 1, increase - * packet by another n bytes. - * The packet will be in the sub-array of s->s3->rbuf.buf specified - * by s->packet and s->packet_length. - * (If s->read_ahead is set, 'max' bytes may be stored in rbuf - * [plus s->packet_length bytes if extend == 1].) - */ -int -ssl3_read_n(SSL *s, int n, int max, int extend) -{ - int i, len, left; - size_t align; - unsigned char *pkt; - SSL3_BUFFER *rb; - - if (n <= 0) - return n; - - rb = &(s->s3->rbuf); - if (rb->buf == NULL) - if (!ssl3_setup_read_buffer(s)) - return -1; - - left = rb->left; - align = (size_t)rb->buf + SSL3_RT_HEADER_LENGTH; - align = (-align) & (SSL3_ALIGN_PAYLOAD - 1); - - if (!extend) { - /* start with empty packet ... */ - if (left == 0) - rb->offset = align; - else if (align != 0 && left >= SSL3_RT_HEADER_LENGTH) { - /* check if next packet length is large - * enough to justify payload alignment... */ - pkt = rb->buf + rb->offset; - if (pkt[0] == SSL3_RT_APPLICATION_DATA && - (pkt[3]<<8|pkt[4]) >= 128) { - /* Note that even if packet is corrupted - * and its length field is insane, we can - * only be led to wrong decision about - * whether memmove will occur or not. - * Header values has no effect on memmove - * arguments and therefore no buffer - * overrun can be triggered. */ - memmove(rb->buf + align, pkt, left); - rb->offset = align; - } - } - s->packet = rb->buf + rb->offset; - s->packet_length = 0; - /* ... now we can act as if 'extend' was set */ - } - - /* For DTLS/UDP reads should not span multiple packets - * because the read operation returns the whole packet - * at once (as long as it fits into the buffer). */ - if (SSL_IS_DTLS(s)) { - if (left > 0 && n > left) - n = left; - } - - /* if there is enough in the buffer from a previous read, take some */ - if (left >= n) { - s->packet_length += n; - rb->left = left - n; - rb->offset += n; - return (n); - } - - /* else we need to read more data */ - - len = s->packet_length; - pkt = rb->buf + align; - /* Move any available bytes to front of buffer: - * 'len' bytes already pointed to by 'packet', - * 'left' extra ones at the end */ - if (s->packet != pkt) { - /* len > 0 */ - memmove(pkt, s->packet, len + left); - s->packet = pkt; - rb->offset = len + align; - } - - if (n > (int)(rb->len - rb->offset)) { - /* does not happen */ - SSLerr(SSL_F_SSL3_READ_N, ERR_R_INTERNAL_ERROR); - return -1; - } - - if (!s->read_ahead) { - /* ignore max parameter */ - max = n; - } else { - if (max < n) - max = n; - if (max > (int)(rb->len - rb->offset)) - max = rb->len - rb->offset; - } - - while (left < n) { - /* Now we have len+left bytes at the front of s->s3->rbuf.buf - * and need to read in more until we have len+n (up to - * len+max if possible) */ - - errno = 0; - if (s->rbio != NULL) { - s->rwstate = SSL_READING; - i = BIO_read(s->rbio, pkt + len + left, max - left); - } else { - SSLerr(SSL_F_SSL3_READ_N, SSL_R_READ_BIO_NOT_SET); - i = -1; - } - - if (i <= 0) { - rb->left = left; - if (s->mode & SSL_MODE_RELEASE_BUFFERS && - !SSL_IS_DTLS(s)) { - if (len + left == 0) - ssl3_release_read_buffer(s); - } - return (i); - } - left += i; - - /* - * reads should *never* span multiple packets for DTLS because - * the underlying transport protocol is message oriented as - * opposed to byte oriented as in the TLS case. - */ - if (SSL_IS_DTLS(s)) { - if (n > left) - n = left; /* makes the while condition false */ - } - } - - /* done reading, now the book-keeping */ - rb->offset += n; - rb->left = left - n; - s->packet_length += n; - s->rwstate = SSL_NOTHING; - return (n); -} - -/* Call this to get a new input record. - * It will return <= 0 if more data is needed, normally due to an error - * or non-blocking IO. - * When it finishes, one packet has been decoded and can be found in - * ssl->s3->rrec.type - is the type of record - * ssl->s3->rrec.data, - data - * ssl->s3->rrec.length, - number of bytes - */ -/* used only by ssl3_read_bytes */ -static int -ssl3_get_record(SSL *s) -{ - int al; - int enc_err, n, i, ret = -1; - SSL3_RECORD *rr; - SSL_SESSION *sess; - unsigned char md[EVP_MAX_MD_SIZE]; - unsigned mac_size, orig_len; - - rr = &(s->s3->rrec); - sess = s->session; - -again: - /* check if we have the header */ - if ((s->rstate != SSL_ST_READ_BODY) || - (s->packet_length < SSL3_RT_HEADER_LENGTH)) { - CBS header; - uint16_t len, ssl_version; - uint8_t type; - - n = ssl3_read_n(s, SSL3_RT_HEADER_LENGTH, s->s3->rbuf.len, 0); - if (n <= 0) - return(n); /* error or non-blocking */ - s->rstate = SSL_ST_READ_BODY; - - CBS_init(&header, s->packet, n); - - /* Pull apart the header into the SSL3_RECORD */ - if (!CBS_get_u8(&header, &type) || - !CBS_get_u16(&header, &ssl_version) || - !CBS_get_u16(&header, &len)) { - SSLerr(SSL_F_SSL3_GET_RECORD, - SSL_R_BAD_PACKET_LENGTH); - goto err; - } - - rr->type = type; - rr->length = len; - - /* Lets check version */ - if (!s->first_packet && ssl_version != s->version) { - SSLerr(SSL_F_SSL3_GET_RECORD, - SSL_R_WRONG_VERSION_NUMBER); - if ((s->version & 0xFF00) == (ssl_version & 0xFF00) && - !s->enc_write_ctx && !s->write_hash) - /* Send back error using their minor version number :-) */ - s->version = ssl_version; - al = SSL_AD_PROTOCOL_VERSION; - goto f_err; - } - - if ((ssl_version >> 8) != SSL3_VERSION_MAJOR) { - SSLerr(SSL_F_SSL3_GET_RECORD, - SSL_R_WRONG_VERSION_NUMBER); - goto err; - } - - if (rr->length > s->s3->rbuf.len - SSL3_RT_HEADER_LENGTH) { - al = SSL_AD_RECORD_OVERFLOW; - SSLerr(SSL_F_SSL3_GET_RECORD, - SSL_R_PACKET_LENGTH_TOO_LONG); - goto f_err; - } - - /* now s->rstate == SSL_ST_READ_BODY */ - } - - /* s->rstate == SSL_ST_READ_BODY, get and decode the data */ - - if (rr->length > s->packet_length - SSL3_RT_HEADER_LENGTH) { - /* now s->packet_length == SSL3_RT_HEADER_LENGTH */ - i = rr->length; - n = ssl3_read_n(s, i, i, 1); - if (n <= 0) - return(n); /* error or non-blocking io */ - /* now n == rr->length, - * and s->packet_length == SSL3_RT_HEADER_LENGTH + rr->length */ - } - - s->rstate=SSL_ST_READ_HEADER; /* set state for later operations */ - - /* At this point, s->packet_length == SSL3_RT_HEADER_LNGTH + rr->length, - * and we have that many bytes in s->packet - */ - rr->input = &(s->packet[SSL3_RT_HEADER_LENGTH]); - - /* ok, we can now read from 's->packet' data into 'rr' - * rr->input points at rr->length bytes, which - * need to be copied into rr->data by either - * the decryption or by the decompression - * When the data is 'copied' into the rr->data buffer, - * rr->input will be pointed at the new buffer */ - - /* We now have - encrypted [ MAC [ compressed [ plain ] ] ] - * rr->length bytes of encrypted compressed stuff. */ - - /* check is not needed I believe */ - if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH) { - al = SSL_AD_RECORD_OVERFLOW; - SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_ENCRYPTED_LENGTH_TOO_LONG); - goto f_err; - } - - /* decrypt in place in 'rr->input' */ - rr->data = rr->input; - - enc_err = s->method->ssl3_enc->enc(s, 0); - /* enc_err is: - * 0: (in non-constant time) if the record is publically invalid. - * 1: if the padding is valid - * -1: if the padding is invalid */ - if (enc_err == 0) { - al = SSL_AD_DECRYPTION_FAILED; - SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_BLOCK_CIPHER_PAD_IS_WRONG); - goto f_err; - } - - - /* r->length is now the compressed data plus mac */ - if ((sess != NULL) && (s->enc_read_ctx != NULL) && - (EVP_MD_CTX_md(s->read_hash) != NULL)) { - /* s->read_hash != NULL => mac_size != -1 */ - unsigned char *mac = NULL; - unsigned char mac_tmp[EVP_MAX_MD_SIZE]; - - mac_size = EVP_MD_CTX_size(s->read_hash); - OPENSSL_assert(mac_size <= EVP_MAX_MD_SIZE); - - /* kludge: *_cbc_remove_padding passes padding length in rr->type */ - orig_len = rr->length + ((unsigned int)rr->type >> 8); - - /* orig_len is the length of the record before any padding was - * removed. This is public information, as is the MAC in use, - * therefore we can safely process the record in a different - * amount of time if it's too short to possibly contain a MAC. - */ - if (orig_len < mac_size || - /* CBC records must have a padding length byte too. */ - (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE && - orig_len < mac_size + 1)) { - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_LENGTH_TOO_SHORT); - goto f_err; - } - - if (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE) { - /* We update the length so that the TLS header bytes - * can be constructed correctly but we need to extract - * the MAC in constant time from within the record, - * without leaking the contents of the padding bytes. - * */ - mac = mac_tmp; - ssl3_cbc_copy_mac(mac_tmp, rr, mac_size, orig_len); - rr->length -= mac_size; - } else { - /* In this case there's no padding, so |orig_len| - * equals |rec->length| and we checked that there's - * enough bytes for |mac_size| above. */ - rr->length -= mac_size; - mac = &rr->data[rr->length]; - } - - i = s->method->ssl3_enc->mac(s,md,0 /* not send */); - if (i < 0 || mac == NULL || - timingsafe_memcmp(md, mac, (size_t)mac_size) != 0) - enc_err = -1; - if (rr->length > - SSL3_RT_MAX_COMPRESSED_LENGTH + mac_size) - enc_err = -1; - } - - if (enc_err < 0) { - /* - * A separate 'decryption_failed' alert was introduced with - * TLS 1.0, SSL 3.0 only has 'bad_record_mac'. But unless a - * decryption failure is directly visible from the ciphertext - * anyway, we should not reveal which kind of error - * occurred -- this might become visible to an attacker - * (e.g. via a logfile) - */ - al = SSL_AD_BAD_RECORD_MAC; - SSLerr(SSL_F_SSL3_GET_RECORD, - SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC); - goto f_err; - } - - if (rr->length > SSL3_RT_MAX_PLAIN_LENGTH) { - al = SSL_AD_RECORD_OVERFLOW; - SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_DATA_LENGTH_TOO_LONG); - goto f_err; - } - - rr->off = 0; - /* - * So at this point the following is true - * - * ssl->s3->rrec.type is the type of record - * ssl->s3->rrec.length == number of bytes in record - * ssl->s3->rrec.off == offset to first valid byte - * ssl->s3->rrec.data == where to take bytes from, increment - * after use :-). - */ - - /* we have pulled in a full packet so zero things */ - s->packet_length = 0; - - /* just read a 0 length packet */ - if (rr->length == 0) - goto again; - - return (1); - -f_err: - ssl3_send_alert(s, SSL3_AL_FATAL, al); -err: - return (ret); -} - -/* Call this to write data in records of type 'type' - * It will return <= 0 if not all data has been sent or non-blocking IO. - */ -int -ssl3_write_bytes(SSL *s, int type, const void *buf_, int len) -{ - const unsigned char *buf = buf_; - unsigned int tot, n, nw; - int i; - - if (len < 0) { - SSLerr(SSL_F_SSL3_WRITE_BYTES, ERR_R_INTERNAL_ERROR); - return -1; - } - - s->rwstate = SSL_NOTHING; - tot = s->s3->wnum; - s->s3->wnum = 0; - - if (SSL_in_init(s) && !s->in_handshake) { - i = s->handshake_func(s); - if (i < 0) - return (i); - if (i == 0) { - SSLerr(SSL_F_SSL3_WRITE_BYTES, - SSL_R_SSL_HANDSHAKE_FAILURE); - return -1; - } - } - - if (len < tot) - len = tot; - n = (len - tot); - for (;;) { - if (n > s->max_send_fragment) - nw = s->max_send_fragment; - else - nw = n; - - i = do_ssl3_write(s, type, &(buf[tot]), nw, 0); - if (i <= 0) { - s->s3->wnum = tot; - return i; - } - - if ((i == (int)n) || (type == SSL3_RT_APPLICATION_DATA && - (s->mode & SSL_MODE_ENABLE_PARTIAL_WRITE))) { - /* - * Next chunk of data should get another prepended - * empty fragment in ciphersuites with known-IV - * weakness. - */ - s->s3->empty_fragment_done = 0; - - return tot + i; - } - - n -= i; - tot += i; - } -} - -static int -do_ssl3_write(SSL *s, int type, const unsigned char *buf, - unsigned int len, int create_empty_fragment) -{ - unsigned char *p, *plen; - int i, mac_size, clear = 0; - int prefix_len = 0; - int eivlen; - size_t align; - SSL3_RECORD *wr; - SSL3_BUFFER *wb = &(s->s3->wbuf); - SSL_SESSION *sess; - - if (wb->buf == NULL) - if (!ssl3_setup_write_buffer(s)) - return -1; - - /* first check if there is a SSL3_BUFFER still being written - * out. This will happen with non blocking IO */ - if (wb->left != 0) - return (ssl3_write_pending(s, type, buf, len)); - - /* If we have an alert to send, lets send it */ - if (s->s3->alert_dispatch) { - i = s->method->ssl_dispatch_alert(s); - if (i <= 0) - return (i); - /* if it went, fall through and send more stuff */ - /* we may have released our buffer, so get it again */ - if (wb->buf == NULL) - if (!ssl3_setup_write_buffer(s)) - return -1; - } - - if (len == 0 && !create_empty_fragment) - return 0; - - wr = &(s->s3->wrec); - sess = s->session; - - if ((sess == NULL) || (s->enc_write_ctx == NULL) || - (EVP_MD_CTX_md(s->write_hash) == NULL)) { - clear = s->enc_write_ctx ? 0 : 1; /* must be AEAD cipher */ - mac_size = 0; - } else { - mac_size = EVP_MD_CTX_size(s->write_hash); - if (mac_size < 0) - goto err; - } - - /* - * 'create_empty_fragment' is true only when this function calls - * itself. - */ - if (!clear && !create_empty_fragment && !s->s3->empty_fragment_done) { - /* - * Countermeasure against known-IV weakness in CBC ciphersuites - * (see http://www.openssl.org/~bodo/tls-cbc.txt) - */ - if (s->s3->need_empty_fragments && - type == SSL3_RT_APPLICATION_DATA) { - /* recursive function call with 'create_empty_fragment' set; - * this prepares and buffers the data for an empty fragment - * (these 'prefix_len' bytes are sent out later - * together with the actual payload) */ - prefix_len = do_ssl3_write(s, type, buf, 0, 1); - if (prefix_len <= 0) - goto err; - - if (prefix_len > - (SSL3_RT_HEADER_LENGTH + SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD)) { - /* insufficient space */ - SSLerr(SSL_F_DO_SSL3_WRITE, - ERR_R_INTERNAL_ERROR); - goto err; - } - } - - s->s3->empty_fragment_done = 1; - } - - if (create_empty_fragment) { - /* extra fragment would be couple of cipher blocks, - * which would be multiple of SSL3_ALIGN_PAYLOAD, so - * if we want to align the real payload, then we can - * just pretent we simply have two headers. */ - align = (size_t)wb->buf + 2 * SSL3_RT_HEADER_LENGTH; - align = (-align) & (SSL3_ALIGN_PAYLOAD - 1); - - p = wb->buf + align; - wb->offset = align; - } else if (prefix_len) { - p = wb->buf + wb->offset + prefix_len; - } else { - align = (size_t)wb->buf + SSL3_RT_HEADER_LENGTH; - align = (-align) & (SSL3_ALIGN_PAYLOAD - 1); - - p = wb->buf + align; - wb->offset = align; - } - - /* write the header */ - - *(p++) = type&0xff; - wr->type = type; - - *(p++) = (s->version >> 8); - /* Some servers hang if iniatial client hello is larger than 256 - * bytes and record version number > TLS 1.0 - */ - if (s->state == SSL3_ST_CW_CLNT_HELLO_B && !s->renegotiate && - TLS1_get_version(s) > TLS1_VERSION) - *(p++) = 0x1; - else - *(p++) = s->version&0xff; - - /* field where we are to write out packet length */ - plen = p; - p += 2; - - /* Explicit IV length. */ - if (s->enc_write_ctx && SSL_USE_EXPLICIT_IV(s)) { - int mode = EVP_CIPHER_CTX_mode(s->enc_write_ctx); - if (mode == EVP_CIPH_CBC_MODE) { - eivlen = EVP_CIPHER_CTX_iv_length(s->enc_write_ctx); - if (eivlen <= 1) - eivlen = 0; - } - /* Need explicit part of IV for GCM mode */ - else if (mode == EVP_CIPH_GCM_MODE) - eivlen = EVP_GCM_TLS_EXPLICIT_IV_LEN; - else - eivlen = 0; - } else if (s->aead_write_ctx != NULL && - s->aead_write_ctx->variable_nonce_in_record) { - eivlen = s->aead_write_ctx->variable_nonce_len; - } else - eivlen = 0; - - /* lets setup the record stuff. */ - wr->data = p + eivlen; - wr->length = (int)len; - wr->input = (unsigned char *)buf; - - /* we now 'read' from wr->input, wr->length bytes into wr->data */ - - memcpy(wr->data, wr->input, wr->length); - wr->input = wr->data; - - /* we should still have the output to wr->data and the input - * from wr->input. Length should be wr->length. - * wr->data still points in the wb->buf */ - - if (mac_size != 0) { - if (s->method->ssl3_enc->mac(s, - &(p[wr->length + eivlen]), 1) < 0) - goto err; - wr->length += mac_size; - } - - wr->input = p; - wr->data = p; - - if (eivlen) { - /* if (RAND_pseudo_bytes(p, eivlen) <= 0) - goto err; - */ - wr->length += eivlen; - } - - /* ssl3_enc can only have an error on read */ - s->method->ssl3_enc->enc(s, 1); - - /* record length after mac and block padding */ - s2n(wr->length, plen); - - /* we should now have - * wr->data pointing to the encrypted data, which is - * wr->length long */ - wr->type=type; /* not needed but helps for debugging */ - wr->length += SSL3_RT_HEADER_LENGTH; - - if (create_empty_fragment) { - /* we are in a recursive call; - * just return the length, don't write out anything here - */ - return wr->length; - } - - /* now let's set up wb */ - wb->left = prefix_len + wr->length; - - /* memorize arguments so that ssl3_write_pending can detect - * bad write retries later */ - s->s3->wpend_tot = len; - s->s3->wpend_buf = buf; - s->s3->wpend_type = type; - s->s3->wpend_ret = len; - - /* we now just need to write the buffer */ - return ssl3_write_pending(s, type, buf, len); -err: - return -1; -} - -/* if s->s3->wbuf.left != 0, we need to call this */ -int -ssl3_write_pending(SSL *s, int type, const unsigned char *buf, unsigned int len) -{ - int i; - SSL3_BUFFER *wb = &(s->s3->wbuf); - - /* XXXX */ - if ((s->s3->wpend_tot > (int)len) || ((s->s3->wpend_buf != buf) && - !(s->mode & SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER)) || - (s->s3->wpend_type != type)) { - SSLerr(SSL_F_SSL3_WRITE_PENDING, SSL_R_BAD_WRITE_RETRY); - return (-1); - } - - for (;;) { - errno = 0; - if (s->wbio != NULL) { - s->rwstate = SSL_WRITING; - i = BIO_write(s->wbio, - (char *)&(wb->buf[wb->offset]), - (unsigned int)wb->left); - } else { - SSLerr(SSL_F_SSL3_WRITE_PENDING, SSL_R_BIO_NOT_SET); - i = -1; - } - if (i == wb->left) { - wb->left = 0; - wb->offset += i; - if (s->mode & SSL_MODE_RELEASE_BUFFERS && - !SSL_IS_DTLS(s)) - ssl3_release_write_buffer(s); - s->rwstate = SSL_NOTHING; - return (s->s3->wpend_ret); - } else if (i <= 0) { - /* - * For DTLS, just drop it. That's kind of the - * whole point in using a datagram service. - */ - if (SSL_IS_DTLS(s)) - wb->left = 0; - return (i); - } - wb->offset += i; - wb->left -= i; - } -} - -/* Return up to 'len' payload bytes received in 'type' records. - * 'type' is one of the following: - * - * - SSL3_RT_HANDSHAKE (when ssl3_get_message calls us) - * - SSL3_RT_APPLICATION_DATA (when ssl3_read calls us) - * - 0 (during a shutdown, no data has to be returned) - * - * If we don't have stored data to work from, read a SSL/TLS record first - * (possibly multiple records if we still don't have anything to return). - * - * This function must handle any surprises the peer may have for us, such as - * Alert records (e.g. close_notify), ChangeCipherSpec records (not really - * a surprise, but handled as if it were), or renegotiation requests. - * Also if record payloads contain fragments too small to process, we store - * them until there is enough for the respective protocol (the record protocol - * may use arbitrary fragmentation and even interleaving): - * Change cipher spec protocol - * just 1 byte needed, no need for keeping anything stored - * Alert protocol - * 2 bytes needed (AlertLevel, AlertDescription) - * Handshake protocol - * 4 bytes needed (HandshakeType, uint24 length) -- we just have - * to detect unexpected Client Hello and Hello Request messages - * here, anything else is handled by higher layers - * Application data protocol - * none of our business - */ -int -ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek) -{ - int al, i, j, ret; - unsigned int n; - SSL3_RECORD *rr; - void (*cb)(const SSL *ssl, int type2, int val) = NULL; - - if (s->s3->rbuf.buf == NULL) /* Not initialized yet */ - if (!ssl3_setup_read_buffer(s)) - return (-1); - - if (len < 0) { - SSLerr(SSL_F_SSL3_READ_BYTES, ERR_R_INTERNAL_ERROR); - return -1; - } - - if ((type && type != SSL3_RT_APPLICATION_DATA && - type != SSL3_RT_HANDSHAKE) || - (peek && (type != SSL3_RT_APPLICATION_DATA))) { - SSLerr(SSL_F_SSL3_READ_BYTES, ERR_R_INTERNAL_ERROR); - return -1; - } - - if ((type == SSL3_RT_HANDSHAKE) && - (s->s3->handshake_fragment_len > 0)) { - /* (partially) satisfy request from storage */ - unsigned char *src = s->s3->handshake_fragment; - unsigned char *dst = buf; - unsigned int k; - - /* peek == 0 */ - n = 0; - while ((len > 0) && (s->s3->handshake_fragment_len > 0)) { - *dst++ = *src++; - len--; - s->s3->handshake_fragment_len--; - n++; - } - /* move any remaining fragment bytes: */ - for (k = 0; k < s->s3->handshake_fragment_len; k++) - s->s3->handshake_fragment[k] = *src++; - return n; - } - - /* - * Now s->s3->handshake_fragment_len == 0 if - * type == SSL3_RT_HANDSHAKE. - */ - if (!s->in_handshake && SSL_in_init(s)) { - /* type == SSL3_RT_APPLICATION_DATA */ - i = s->handshake_func(s); - if (i < 0) - return (i); - if (i == 0) { - SSLerr(SSL_F_SSL3_READ_BYTES, - SSL_R_SSL_HANDSHAKE_FAILURE); - return (-1); - } - } -start: - s->rwstate = SSL_NOTHING; - - /* - * s->s3->rrec.type - is the type of record - * s->s3->rrec.data, - data - * s->s3->rrec.off, - offset into 'data' for next read - * s->s3->rrec.length, - number of bytes. - */ - rr = &(s->s3->rrec); - - /* get new packet if necessary */ - if ((rr->length == 0) || (s->rstate == SSL_ST_READ_BODY)) { - ret = ssl3_get_record(s); - if (ret <= 0) - return (ret); - } - - /* we now have a packet which can be read and processed */ - - if (s->s3->change_cipher_spec /* set when we receive ChangeCipherSpec, - * reset by ssl3_get_finished */ - && (rr->type != SSL3_RT_HANDSHAKE)) { - al = SSL_AD_UNEXPECTED_MESSAGE; - SSLerr(SSL_F_SSL3_READ_BYTES, - SSL_R_DATA_BETWEEN_CCS_AND_FINISHED); - goto f_err; - } - - /* If the other end has shut down, throw anything we read away - * (even in 'peek' mode) */ - if (s->shutdown & SSL_RECEIVED_SHUTDOWN) { - rr->length = 0; - s->rwstate = SSL_NOTHING; - return (0); - } - - - /* SSL3_RT_APPLICATION_DATA or SSL3_RT_HANDSHAKE */ - if (type == rr->type) { - /* make sure that we are not getting application data when we - * are doing a handshake for the first time */ - if (SSL_in_init(s) && (type == SSL3_RT_APPLICATION_DATA) && - (s->enc_read_ctx == NULL)) { - al = SSL_AD_UNEXPECTED_MESSAGE; - SSLerr(SSL_F_SSL3_READ_BYTES, - SSL_R_APP_DATA_IN_HANDSHAKE); - goto f_err; - } - - if (len <= 0) - return (len); - - if ((unsigned int)len > rr->length) - n = rr->length; - else - n = (unsigned int)len; - - memcpy(buf, &(rr->data[rr->off]), n); - if (!peek) { - memset(&(rr->data[rr->off]), 0, n); - rr->length -= n; - rr->off += n; - if (rr->length == 0) { - s->rstate = SSL_ST_READ_HEADER; - rr->off = 0; - if (s->mode & SSL_MODE_RELEASE_BUFFERS && - s->s3->rbuf.left == 0) - ssl3_release_read_buffer(s); - } - } - return (n); - } - - - /* If we get here, then type != rr->type; if we have a handshake - * message, then it was unexpected (Hello Request or Client Hello). */ - - { - /* - * In case of record types for which we have 'fragment' - * storage, * fill that so that we can process the data - * at a fixed place. - */ - unsigned int dest_maxlen = 0; - unsigned char *dest = NULL; - unsigned int *dest_len = NULL; - - if (rr->type == SSL3_RT_HANDSHAKE) { - dest_maxlen = sizeof s->s3->handshake_fragment; - dest = s->s3->handshake_fragment; - dest_len = &s->s3->handshake_fragment_len; - } else if (rr->type == SSL3_RT_ALERT) { - dest_maxlen = sizeof s->s3->alert_fragment; - dest = s->s3->alert_fragment; - dest_len = &s->s3->alert_fragment_len; - } - if (dest_maxlen > 0) { - /* available space in 'dest' */ - n = dest_maxlen - *dest_len; - if (rr->length < n) - n = rr->length; /* available bytes */ - - /* now move 'n' bytes: */ - while (n-- > 0) { - dest[(*dest_len)++] = rr->data[rr->off++]; - rr->length--; - } - - if (*dest_len < dest_maxlen) - goto start; /* fragment was too small */ - } - } - - /* s->s3->handshake_fragment_len == 4 iff rr->type == SSL3_RT_HANDSHAKE; - * s->s3->alert_fragment_len == 2 iff rr->type == SSL3_RT_ALERT. - * (Possibly rr is 'empty' now, i.e. rr->length may be 0.) */ - - /* If we are a client, check for an incoming 'Hello Request': */ - if ((!s->server) && (s->s3->handshake_fragment_len >= 4) && - (s->s3->handshake_fragment[0] == SSL3_MT_HELLO_REQUEST) && - (s->session != NULL) && (s->session->cipher != NULL)) { - s->s3->handshake_fragment_len = 0; - - if ((s->s3->handshake_fragment[1] != 0) || - (s->s3->handshake_fragment[2] != 0) || - (s->s3->handshake_fragment[3] != 0)) { - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_BAD_HELLO_REQUEST); - goto f_err; - } - - if (s->msg_callback) - s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, - s->s3->handshake_fragment, 4, s, - s->msg_callback_arg); - - if (SSL_is_init_finished(s) && - !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) && - !s->s3->renegotiate) { - ssl3_renegotiate(s); - if (ssl3_renegotiate_check(s)) { - i = s->handshake_func(s); - if (i < 0) - return (i); - if (i == 0) { - SSLerr(SSL_F_SSL3_READ_BYTES, - SSL_R_SSL_HANDSHAKE_FAILURE); - return (-1); - } - - if (!(s->mode & SSL_MODE_AUTO_RETRY)) { - if (s->s3->rbuf.left == 0) { - /* no read-ahead left? */ - BIO *bio; - /* In the case where we try to read application data, - * but we trigger an SSL handshake, we return -1 with - * the retry option set. Otherwise renegotiation may - * cause nasty problems in the blocking world */ - s->rwstate = SSL_READING; - bio = SSL_get_rbio(s); - BIO_clear_retry_flags(bio); - BIO_set_retry_read(bio); - return (-1); - } - } - } - } - /* we either finished a handshake or ignored the request, - * now try again to obtain the (application) data we were asked for */ - goto start; - } - /* If we are a server and get a client hello when renegotiation isn't - * allowed send back a no renegotiation alert and carry on. - * WARNING: experimental code, needs reviewing (steve) - */ - if (s->server && - SSL_is_init_finished(s) && - !s->s3->send_connection_binding && - (s->s3->handshake_fragment_len >= 4) && - (s->s3->handshake_fragment[0] == SSL3_MT_CLIENT_HELLO) && - (s->session != NULL) && (s->session->cipher != NULL)) { - /*s->s3->handshake_fragment_len = 0;*/ - rr->length = 0; - ssl3_send_alert(s, SSL3_AL_WARNING, SSL_AD_NO_RENEGOTIATION); - goto start; - } - if (s->s3->alert_fragment_len >= 2) { - int alert_level = s->s3->alert_fragment[0]; - int alert_descr = s->s3->alert_fragment[1]; - - s->s3->alert_fragment_len = 0; - - if (s->msg_callback) - s->msg_callback(0, s->version, SSL3_RT_ALERT, - s->s3->alert_fragment, 2, s, s->msg_callback_arg); - - if (s->info_callback != NULL) - cb = s->info_callback; - else if (s->ctx->info_callback != NULL) - cb = s->ctx->info_callback; - - if (cb != NULL) { - j = (alert_level << 8) | alert_descr; - cb(s, SSL_CB_READ_ALERT, j); - } - - if (alert_level == 1) { - /* warning */ - s->s3->warn_alert = alert_descr; - if (alert_descr == SSL_AD_CLOSE_NOTIFY) { - s->shutdown |= SSL_RECEIVED_SHUTDOWN; - return (0); - } - /* This is a warning but we receive it if we requested - * renegotiation and the peer denied it. Terminate with - * a fatal alert because if application tried to - * renegotiatie it presumably had a good reason and - * expects it to succeed. - * - * In future we might have a renegotiation where we - * don't care if the peer refused it where we carry on. - */ - else if (alert_descr == SSL_AD_NO_RENEGOTIATION) { - al = SSL_AD_HANDSHAKE_FAILURE; - SSLerr(SSL_F_SSL3_READ_BYTES, - SSL_R_NO_RENEGOTIATION); - goto f_err; - } - } else if (alert_level == 2) { - /* fatal */ - s->rwstate = SSL_NOTHING; - s->s3->fatal_alert = alert_descr; - SSLerr(SSL_F_SSL3_READ_BYTES, - SSL_AD_REASON_OFFSET + alert_descr); - ERR_asprintf_error_data("SSL alert number %d", - alert_descr); - s->shutdown |= SSL_RECEIVED_SHUTDOWN; - SSL_CTX_remove_session(s->ctx, s->session); - return (0); - } else { - al = SSL_AD_ILLEGAL_PARAMETER; - SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_UNKNOWN_ALERT_TYPE); - goto f_err; - } - - goto start; - } - - if (s->shutdown & SSL_SENT_SHUTDOWN) { - /* but we have not received a shutdown */ - s->rwstate = SSL_NOTHING; - rr->length = 0; - return (0); - } - - if (rr->type == SSL3_RT_CHANGE_CIPHER_SPEC) { - /* 'Change Cipher Spec' is just a single byte, so we know - * exactly what the record payload has to look like */ - if ((rr->length != 1) || (rr->off != 0) || - (rr->data[0] != SSL3_MT_CCS)) { - al = SSL_AD_ILLEGAL_PARAMETER; - SSLerr(SSL_F_SSL3_READ_BYTES, - SSL_R_BAD_CHANGE_CIPHER_SPEC); - goto f_err; - } - - /* Check we have a cipher to change to */ - if (s->s3->tmp.new_cipher == NULL) { - al = SSL_AD_UNEXPECTED_MESSAGE; - SSLerr(SSL_F_SSL3_READ_BYTES, - SSL_R_CCS_RECEIVED_EARLY); - goto f_err; - } - - /* Check that we should be receiving a Change Cipher Spec. */ - if (!(s->s3->flags & SSL3_FLAGS_CCS_OK)) { - al = SSL_AD_UNEXPECTED_MESSAGE; - SSLerr(SSL_F_SSL3_READ_BYTES, - SSL_R_CCS_RECEIVED_EARLY); - goto f_err; - } - s->s3->flags &= ~SSL3_FLAGS_CCS_OK; - - rr->length = 0; - - if (s->msg_callback) { - s->msg_callback(0, s->version, - SSL3_RT_CHANGE_CIPHER_SPEC, rr->data, 1, s, - s->msg_callback_arg); - } - - s->s3->change_cipher_spec = 1; - if (!ssl3_do_change_cipher_spec(s)) - goto err; - else - goto start; - } - - /* Unexpected handshake message (Client Hello, or protocol violation) */ - if ((s->s3->handshake_fragment_len >= 4) && !s->in_handshake) { - if (((s->state&SSL_ST_MASK) == SSL_ST_OK) && - !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS)) { - s->state = s->server ? SSL_ST_ACCEPT : SSL_ST_CONNECT; - s->renegotiate = 1; - s->new_session = 1; - } - i = s->handshake_func(s); - if (i < 0) - return (i); - if (i == 0) { - SSLerr(SSL_F_SSL3_READ_BYTES, - SSL_R_SSL_HANDSHAKE_FAILURE); - return (-1); - } - - if (!(s->mode & SSL_MODE_AUTO_RETRY)) { - if (s->s3->rbuf.left == 0) { /* no read-ahead left? */ - BIO *bio; - /* In the case where we try to read application data, - * but we trigger an SSL handshake, we return -1 with - * the retry option set. Otherwise renegotiation may - * cause nasty problems in the blocking world */ - s->rwstate = SSL_READING; - bio = SSL_get_rbio(s); - BIO_clear_retry_flags(bio); - BIO_set_retry_read(bio); - return (-1); - } - } - goto start; - } - - switch (rr->type) { - default: - /* - * TLS up to v1.1 just ignores unknown message types: - * TLS v1.2 give an unexpected message alert. - */ - if (s->version >= TLS1_VERSION && - s->version <= TLS1_1_VERSION) { - rr->length = 0; - goto start; - } - al = SSL_AD_UNEXPECTED_MESSAGE; - SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_UNEXPECTED_RECORD); - goto f_err; - case SSL3_RT_CHANGE_CIPHER_SPEC: - case SSL3_RT_ALERT: - case SSL3_RT_HANDSHAKE: - /* we already handled all of these, with the possible exception - * of SSL3_RT_HANDSHAKE when s->in_handshake is set, but that - * should not happen when type != rr->type */ - al = SSL_AD_UNEXPECTED_MESSAGE; - SSLerr(SSL_F_SSL3_READ_BYTES, ERR_R_INTERNAL_ERROR); - goto f_err; - case SSL3_RT_APPLICATION_DATA: - /* At this point, we were expecting handshake data, - * but have application data. If the library was - * running inside ssl3_read() (i.e. in_read_app_data - * is set) and it makes sense to read application data - * at this point (session renegotiation not yet started), - * we will indulge it. - */ - if (s->s3->in_read_app_data && - (s->s3->total_renegotiations != 0) && - (((s->state & SSL_ST_CONNECT) && - (s->state >= SSL3_ST_CW_CLNT_HELLO_A) && - (s->state <= SSL3_ST_CR_SRVR_HELLO_A)) || - ((s->state & SSL_ST_ACCEPT) && - (s->state <= SSL3_ST_SW_HELLO_REQ_A) && - (s->state >= SSL3_ST_SR_CLNT_HELLO_A)))) { - s->s3->in_read_app_data = 2; - return (-1); - } else { - al = SSL_AD_UNEXPECTED_MESSAGE; - SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_UNEXPECTED_RECORD); - goto f_err; - } - } - /* not reached */ - -f_err: - ssl3_send_alert(s, SSL3_AL_FATAL, al); -err: - return (-1); -} - -int -ssl3_do_change_cipher_spec(SSL *s) -{ - int i; - const char *sender; - int slen; - - if (s->state & SSL_ST_ACCEPT) - i = SSL3_CHANGE_CIPHER_SERVER_READ; - else - i = SSL3_CHANGE_CIPHER_CLIENT_READ; - - if (s->s3->tmp.key_block == NULL) { - if (s->session == NULL || s->session->master_key_length == 0) { - /* might happen if dtls1_read_bytes() calls this */ - SSLerr(SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC, - SSL_R_CCS_RECEIVED_EARLY); - return (0); - } - - s->session->cipher = s->s3->tmp.new_cipher; - if (!s->method->ssl3_enc->setup_key_block(s)) - return (0); - } - - if (!s->method->ssl3_enc->change_cipher_state(s, i)) - return (0); - - /* we have to record the message digest at - * this point so we can get it before we read - * the finished message */ - if (s->state & SSL_ST_CONNECT) { - sender = s->method->ssl3_enc->server_finished_label; - slen = s->method->ssl3_enc->server_finished_label_len; - } else { - sender = s->method->ssl3_enc->client_finished_label; - slen = s->method->ssl3_enc->client_finished_label_len; - } - - i = s->method->ssl3_enc->final_finish_mac(s, sender, slen, - s->s3->tmp.peer_finish_md); - if (i == 0) { - SSLerr(SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC, ERR_R_INTERNAL_ERROR); - return 0; - } - s->s3->tmp.peer_finish_md_len = i; - - return (1); -} - -int -ssl3_send_alert(SSL *s, int level, int desc) -{ - /* Map tls/ssl alert value to correct one */ - desc = s->method->ssl3_enc->alert_value(desc); - if (desc < 0) - return -1; - /* If a fatal one, remove from cache */ - if ((level == 2) && (s->session != NULL)) - SSL_CTX_remove_session(s->ctx, s->session); - - s->s3->alert_dispatch = 1; - s->s3->send_alert[0] = level; - s->s3->send_alert[1] = desc; - if (s->s3->wbuf.left == 0) /* data still being written out? */ - return s->method->ssl_dispatch_alert(s); - - /* else data is still being written out, we will get written - * some time in the future */ - return -1; -} - -int -ssl3_dispatch_alert(SSL *s) -{ - int i, j; - void (*cb)(const SSL *ssl, int type, int val) = NULL; - - s->s3->alert_dispatch = 0; - i = do_ssl3_write(s, SSL3_RT_ALERT, &s->s3->send_alert[0], 2, 0); - if (i <= 0) { - s->s3->alert_dispatch = 1; - } else { - /* Alert sent to BIO. If it is important, flush it now. - * If the message does not get sent due to non-blocking IO, - * we will not worry too much. */ - if (s->s3->send_alert[0] == SSL3_AL_FATAL) - (void)BIO_flush(s->wbio); - - if (s->msg_callback) - s->msg_callback(1, s->version, SSL3_RT_ALERT, - s->s3->send_alert, 2, s, s->msg_callback_arg); - - if (s->info_callback != NULL) - cb = s->info_callback; - else if (s->ctx->info_callback != NULL) - cb = s->ctx->info_callback; - - if (cb != NULL) { - j = (s->s3->send_alert[0]<<8)|s->s3->send_alert[1]; - cb(s, SSL_CB_WRITE_ALERT, j); - } - } - return (i); -} diff --git a/lib/libssl/src/ssl/s3_srvr.c b/lib/libssl/src/ssl/s3_srvr.c deleted file mode 100644 index 9fe96de53e1..00000000000 --- a/lib/libssl/src/ssl/s3_srvr.c +++ /dev/null @@ -1,2692 +0,0 @@ -/* $OpenBSD: s3_srvr.c,v 1.126 2016/05/30 13:42:54 beck Exp $ */ -/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) - * All rights reserved. - * - * This package is an SSL implementation written - * by Eric Young (eay@cryptsoft.com). - * The implementation was written so as to conform with Netscapes SSL. - * - * This library is free for commercial and non-commercial use as long as - * the following conditions are aheared to. The following conditions - * apply to all code found in this distribution, be it the RC4, RSA, - * lhash, DES, etc., code; not just the SSL code. The SSL documentation - * included with this distribution is covered by the same copyright terms - * except that the holder is Tim Hudson (tjh@cryptsoft.com). - * - * Copyright remains Eric Young's, and as such any Copyright notices in - * the code are not to be removed. - * If this package is used in a product, Eric Young should be given attribution - * as the author of the parts of the library used. - * This can be in the form of a textual message at program startup or - * in documentation (online or textual) provided with the package. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * "This product includes cryptographic software written by - * Eric Young (eay@cryptsoft.com)" - * The word 'cryptographic' can be left out if the rouines from the library - * being used are not cryptographic related :-). - * 4. If you include any Windows specific code (or a derivative thereof) from - * the apps directory (application code) you must include an acknowledgement: - * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" - * - * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * The licence and distribution terms for any publically available version or - * derivative of this code cannot be changed. i.e. this code cannot simply be - * copied and put under another distribution licence - * [including the GNU Public Licence.] - */ -/* ==================================================================== - * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * openssl-core@openssl.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.openssl.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ -/* ==================================================================== - * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. - * - * Portions of the attached software ("Contribution") are developed by - * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project. - * - * The Contribution is licensed pursuant to the OpenSSL open source - * license provided above. - * - * ECC cipher suite support in OpenSSL originally written by - * Vipul Gupta and Sumit Gupta of Sun Microsystems Laboratories. - * - */ -/* ==================================================================== - * Copyright 2005 Nokia. All rights reserved. - * - * The portions of the attached software ("Contribution") is developed by - * Nokia Corporation and is licensed pursuant to the OpenSSL open source - * license. - * - * The Contribution, originally written by Mika Kousa and Pasi Eronen of - * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites - * support (see RFC 4279) to OpenSSL. - * - * No patent licenses or other rights except those expressly stated in - * the OpenSSL open source license shall be deemed granted or received - * expressly, by implication, estoppel, or otherwise. - * - * No assurances are provided by Nokia that the Contribution does not - * infringe the patent or other intellectual property rights of any third - * party or that the license provides you with all the necessary rights - * to make use of the Contribution. - * - * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN - * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA - * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY - * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR - * OTHERWISE. - */ - -#include <stdio.h> - -#include "ssl_locl.h" - -#include <openssl/bn.h> -#include <openssl/buffer.h> -#include <openssl/evp.h> -#include <openssl/dh.h> -#ifndef OPENSSL_NO_GOST -#include <openssl/gost.h> -#endif -#include <openssl/hmac.h> -#include <openssl/md5.h> -#include <openssl/objects.h> -#include <openssl/x509.h> - -#include "bytestring.h" - -int -ssl3_accept(SSL *s) -{ - unsigned long alg_k; - void (*cb)(const SSL *ssl, int type, int val) = NULL; - int ret = -1; - int new_state, state, skip = 0; - - ERR_clear_error(); - errno = 0; - - if (s->info_callback != NULL) - cb = s->info_callback; - else if (s->ctx->info_callback != NULL) - cb = s->ctx->info_callback; - - /* init things to blank */ - s->in_handshake++; - if (!SSL_in_init(s) || SSL_in_before(s)) - SSL_clear(s); - - if (s->cert == NULL) { - SSLerr(SSL_F_SSL3_ACCEPT, SSL_R_NO_CERTIFICATE_SET); - ret = -1; - goto end; - } - - for (;;) { - state = s->state; - - switch (s->state) { - case SSL_ST_RENEGOTIATE: - s->renegotiate = 1; - /* s->state=SSL_ST_ACCEPT; */ - - case SSL_ST_BEFORE: - case SSL_ST_ACCEPT: - case SSL_ST_BEFORE|SSL_ST_ACCEPT: - case SSL_ST_OK|SSL_ST_ACCEPT: - - s->server = 1; - if (cb != NULL) - cb(s, SSL_CB_HANDSHAKE_START, 1); - - if ((s->version >> 8) != 3) { - SSLerr(SSL_F_SSL3_ACCEPT, ERR_R_INTERNAL_ERROR); - ret = -1; - goto end; - } - s->type = SSL_ST_ACCEPT; - - if (!ssl3_setup_init_buffer(s)) { - ret = -1; - goto end; - } - if (!ssl3_setup_buffers(s)) { - ret = -1; - goto end; - } - - s->init_num = 0; - - if (s->state != SSL_ST_RENEGOTIATE) { - /* - * Ok, we now need to push on a buffering BIO - * so that the output is sent in a way that - * TCP likes :-) - */ - if (!ssl_init_wbio_buffer(s, 1)) { - ret = -1; - goto end; - } - - if (!tls1_init_finished_mac(s)) { - ret = -1; - goto end; - } - - s->state = SSL3_ST_SR_CLNT_HELLO_A; - s->ctx->stats.sess_accept++; - } else if (!s->s3->send_connection_binding) { - /* - * Server attempting to renegotiate with - * client that doesn't support secure - * renegotiation. - */ - SSLerr(SSL_F_SSL3_ACCEPT, - SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); - ssl3_send_alert(s, SSL3_AL_FATAL, - SSL_AD_HANDSHAKE_FAILURE); - ret = -1; - goto end; - } else { - /* - * s->state == SSL_ST_RENEGOTIATE, - * we will just send a HelloRequest - */ - s->ctx->stats.sess_accept_renegotiate++; - s->state = SSL3_ST_SW_HELLO_REQ_A; - } - break; - - case SSL3_ST_SW_HELLO_REQ_A: - case SSL3_ST_SW_HELLO_REQ_B: - - s->shutdown = 0; - ret = ssl3_send_hello_request(s); - if (ret <= 0) - goto end; - s->s3->tmp.next_state = SSL3_ST_SW_HELLO_REQ_C; - s->state = SSL3_ST_SW_FLUSH; - s->init_num = 0; - - if (!tls1_init_finished_mac(s)) { - ret = -1; - goto end; - } - break; - - case SSL3_ST_SW_HELLO_REQ_C: - s->state = SSL_ST_OK; - break; - - case SSL3_ST_SR_CLNT_HELLO_A: - case SSL3_ST_SR_CLNT_HELLO_B: - case SSL3_ST_SR_CLNT_HELLO_C: - - s->shutdown = 0; - if (s->rwstate != SSL_X509_LOOKUP) { - ret = ssl3_get_client_hello(s); - if (ret <= 0) - goto end; - } - - s->renegotiate = 2; - s->state = SSL3_ST_SW_SRVR_HELLO_A; - s->init_num = 0; - break; - - case SSL3_ST_SW_SRVR_HELLO_A: - case SSL3_ST_SW_SRVR_HELLO_B: - ret = ssl3_send_server_hello(s); - if (ret <= 0) - goto end; - if (s->hit) { - if (s->tlsext_ticket_expected) - s->state = SSL3_ST_SW_SESSION_TICKET_A; - else - s->state = SSL3_ST_SW_CHANGE_A; - } - else - s->state = SSL3_ST_SW_CERT_A; - s->init_num = 0; - break; - - case SSL3_ST_SW_CERT_A: - case SSL3_ST_SW_CERT_B: - /* Check if it is anon DH or anon ECDH. */ - if (!(s->s3->tmp.new_cipher->algorithm_auth & - SSL_aNULL)) { - ret = ssl3_send_server_certificate(s); - if (ret <= 0) - goto end; - if (s->tlsext_status_expected) - s->state = SSL3_ST_SW_CERT_STATUS_A; - else - s->state = SSL3_ST_SW_KEY_EXCH_A; - } else { - skip = 1; - s->state = SSL3_ST_SW_KEY_EXCH_A; - } - s->init_num = 0; - break; - - case SSL3_ST_SW_KEY_EXCH_A: - case SSL3_ST_SW_KEY_EXCH_B: - alg_k = s->s3->tmp.new_cipher->algorithm_mkey; - - /* - * Only send if using a DH key exchange. - * - * For ECC ciphersuites, we send a ServerKeyExchange - * message only if the cipher suite is ECDHE. In other - * cases, the server certificate contains the server's - * public key for key exchange. - */ - if (alg_k & (SSL_kDHE|SSL_kECDHE)) { - ret = ssl3_send_server_key_exchange(s); - if (ret <= 0) - goto end; - } else - skip = 1; - - s->state = SSL3_ST_SW_CERT_REQ_A; - s->init_num = 0; - break; - - case SSL3_ST_SW_CERT_REQ_A: - case SSL3_ST_SW_CERT_REQ_B: - /* - * Determine whether or not we need to request a - * certificate. - * - * Do not request a certificate if: - * - * - We did not ask for it (SSL_VERIFY_PEER is unset). - * - * - SSL_VERIFY_CLIENT_ONCE is set and we are - * renegotiating. - * - * - We are using an anonymous ciphersuites - * (see section "Certificate request" in SSL 3 drafts - * and in RFC 2246) ... except when the application - * insists on verification (against the specs, but - * s3_clnt.c accepts this for SSL 3). - */ - if (!(s->verify_mode & SSL_VERIFY_PEER) || - ((s->session->peer != NULL) && - (s->verify_mode & SSL_VERIFY_CLIENT_ONCE)) || - ((s->s3->tmp.new_cipher->algorithm_auth & - SSL_aNULL) && !(s->verify_mode & - SSL_VERIFY_FAIL_IF_NO_PEER_CERT))) { - /* No cert request */ - skip = 1; - s->s3->tmp.cert_request = 0; - s->state = SSL3_ST_SW_SRVR_DONE_A; - if (s->s3->handshake_buffer) { - if (!tls1_digest_cached_records(s)) { - ret = -1; - goto end; - } - } - } else { - s->s3->tmp.cert_request = 1; - ret = ssl3_send_certificate_request(s); - if (ret <= 0) - goto end; - s->state = SSL3_ST_SW_SRVR_DONE_A; - s->init_num = 0; - } - break; - - case SSL3_ST_SW_SRVR_DONE_A: - case SSL3_ST_SW_SRVR_DONE_B: - ret = ssl3_send_server_done(s); - if (ret <= 0) - goto end; - s->s3->tmp.next_state = SSL3_ST_SR_CERT_A; - s->state = SSL3_ST_SW_FLUSH; - s->init_num = 0; - break; - - case SSL3_ST_SW_FLUSH: - - /* - * This code originally checked to see if - * any data was pending using BIO_CTRL_INFO - * and then flushed. This caused problems - * as documented in PR#1939. The proposed - * fix doesn't completely resolve this issue - * as buggy implementations of BIO_CTRL_PENDING - * still exist. So instead we just flush - * unconditionally. - */ - - s->rwstate = SSL_WRITING; - if (BIO_flush(s->wbio) <= 0) { - ret = -1; - goto end; - } - s->rwstate = SSL_NOTHING; - - s->state = s->s3->tmp.next_state; - break; - - case SSL3_ST_SR_CERT_A: - case SSL3_ST_SR_CERT_B: - if (s->s3->tmp.cert_request) { - ret = ssl3_get_client_certificate(s); - if (ret <= 0) - goto end; - } - s->init_num = 0; - s->state = SSL3_ST_SR_KEY_EXCH_A; - break; - - case SSL3_ST_SR_KEY_EXCH_A: - case SSL3_ST_SR_KEY_EXCH_B: - ret = ssl3_get_client_key_exchange(s); - if (ret <= 0) - goto end; - alg_k = s->s3->tmp.new_cipher->algorithm_mkey; - if (ret == 2) { - /* - * For the ECDH ciphersuites when - * the client sends its ECDH pub key in - * a certificate, the CertificateVerify - * message is not sent. - * Also for GOST ciphersuites when - * the client uses its key from the certificate - * for key exchange. - */ - if (s->s3->next_proto_neg_seen) - s->state = SSL3_ST_SR_NEXT_PROTO_A; - else - s->state = SSL3_ST_SR_FINISHED_A; - s->init_num = 0; - } else if (SSL_USE_SIGALGS(s) || (alg_k & SSL_kGOST)) { - s->state = SSL3_ST_SR_CERT_VRFY_A; - s->init_num = 0; - if (!s->session->peer) - break; - /* - * For sigalgs freeze the handshake buffer - * at this point and digest cached records. - */ - if (!s->s3->handshake_buffer) { - SSLerr(SSL_F_SSL3_ACCEPT, - ERR_R_INTERNAL_ERROR); - ret = -1; - goto end; - } - s->s3->flags |= TLS1_FLAGS_KEEP_HANDSHAKE; - if (!tls1_digest_cached_records(s)) { - ret = -1; - goto end; - } - } else { - int offset = 0; - int dgst_num; - - s->state = SSL3_ST_SR_CERT_VRFY_A; - s->init_num = 0; - - /* - * We need to get hashes here so if there is - * a client cert, it can be verified - * FIXME - digest processing for - * CertificateVerify should be generalized. - * But it is next step - */ - if (s->s3->handshake_buffer) { - if (!tls1_digest_cached_records(s)) { - ret = -1; - goto end; - } - } - for (dgst_num = 0; dgst_num < SSL_MAX_DIGEST; - dgst_num++) - if (s->s3->handshake_dgst[dgst_num]) { - int dgst_size; - - s->method->ssl3_enc->cert_verify_mac(s, - EVP_MD_CTX_type( - s->s3->handshake_dgst[dgst_num]), - &(s->s3->tmp.cert_verify_md[offset])); - dgst_size = EVP_MD_CTX_size( - s->s3->handshake_dgst[dgst_num]); - if (dgst_size < 0) { - ret = -1; - goto end; - } - offset += dgst_size; - } - } - break; - - case SSL3_ST_SR_CERT_VRFY_A: - case SSL3_ST_SR_CERT_VRFY_B: - s->s3->flags |= SSL3_FLAGS_CCS_OK; - - /* we should decide if we expected this one */ - ret = ssl3_get_cert_verify(s); - if (ret <= 0) - goto end; - - if (s->s3->next_proto_neg_seen) - s->state = SSL3_ST_SR_NEXT_PROTO_A; - else - s->state = SSL3_ST_SR_FINISHED_A; - s->init_num = 0; - break; - - case SSL3_ST_SR_NEXT_PROTO_A: - case SSL3_ST_SR_NEXT_PROTO_B: - ret = ssl3_get_next_proto(s); - if (ret <= 0) - goto end; - s->init_num = 0; - s->state = SSL3_ST_SR_FINISHED_A; - break; - - case SSL3_ST_SR_FINISHED_A: - case SSL3_ST_SR_FINISHED_B: - s->s3->flags |= SSL3_FLAGS_CCS_OK; - ret = ssl3_get_finished(s, SSL3_ST_SR_FINISHED_A, - SSL3_ST_SR_FINISHED_B); - if (ret <= 0) - goto end; - if (s->hit) - s->state = SSL_ST_OK; - else if (s->tlsext_ticket_expected) - s->state = SSL3_ST_SW_SESSION_TICKET_A; - else - s->state = SSL3_ST_SW_CHANGE_A; - s->init_num = 0; - break; - - case SSL3_ST_SW_SESSION_TICKET_A: - case SSL3_ST_SW_SESSION_TICKET_B: - ret = ssl3_send_newsession_ticket(s); - if (ret <= 0) - goto end; - s->state = SSL3_ST_SW_CHANGE_A; - s->init_num = 0; - break; - - case SSL3_ST_SW_CERT_STATUS_A: - case SSL3_ST_SW_CERT_STATUS_B: - ret = ssl3_send_cert_status(s); - if (ret <= 0) - goto end; - s->state = SSL3_ST_SW_KEY_EXCH_A; - s->init_num = 0; - break; - - - case SSL3_ST_SW_CHANGE_A: - case SSL3_ST_SW_CHANGE_B: - - s->session->cipher = s->s3->tmp.new_cipher; - if (!s->method->ssl3_enc->setup_key_block(s)) { - ret = -1; - goto end; - } - - ret = ssl3_send_change_cipher_spec(s, - SSL3_ST_SW_CHANGE_A, SSL3_ST_SW_CHANGE_B); - - if (ret <= 0) - goto end; - s->state = SSL3_ST_SW_FINISHED_A; - s->init_num = 0; - - if (!s->method->ssl3_enc->change_cipher_state( - s, SSL3_CHANGE_CIPHER_SERVER_WRITE)) { - ret = -1; - goto end; - } - - break; - - case SSL3_ST_SW_FINISHED_A: - case SSL3_ST_SW_FINISHED_B: - ret = ssl3_send_finished(s, - SSL3_ST_SW_FINISHED_A, SSL3_ST_SW_FINISHED_B, - s->method->ssl3_enc->server_finished_label, - s->method->ssl3_enc->server_finished_label_len); - if (ret <= 0) - goto end; - s->state = SSL3_ST_SW_FLUSH; - if (s->hit) { - if (s->s3->next_proto_neg_seen) { - s->s3->flags |= SSL3_FLAGS_CCS_OK; - s->s3->tmp.next_state = - SSL3_ST_SR_NEXT_PROTO_A; - } else - s->s3->tmp.next_state = - SSL3_ST_SR_FINISHED_A; - } else - s->s3->tmp.next_state = SSL_ST_OK; - s->init_num = 0; - break; - - case SSL_ST_OK: - /* clean a few things up */ - tls1_cleanup_key_block(s); - - BUF_MEM_free(s->init_buf); - s->init_buf = NULL; - - /* remove buffering on output */ - ssl_free_wbio_buffer(s); - - s->init_num = 0; - - /* skipped if we just sent a HelloRequest */ - if (s->renegotiate == 2) { - s->renegotiate = 0; - s->new_session = 0; - - ssl_update_cache(s, SSL_SESS_CACHE_SERVER); - - s->ctx->stats.sess_accept_good++; - /* s->server=1; */ - s->handshake_func = ssl3_accept; - - if (cb != NULL) - cb(s, SSL_CB_HANDSHAKE_DONE, 1); - } - - ret = 1; - goto end; - /* break; */ - - default: - SSLerr(SSL_F_SSL3_ACCEPT, - SSL_R_UNKNOWN_STATE); - ret = -1; - goto end; - /* break; */ - } - - if (!s->s3->tmp.reuse_message && !skip) { - if (s->debug) { - if ((ret = BIO_flush(s->wbio)) <= 0) - goto end; - } - - - if ((cb != NULL) && (s->state != state)) { - new_state = s->state; - s->state = state; - cb(s, SSL_CB_ACCEPT_LOOP, 1); - s->state = new_state; - } - } - skip = 0; - } -end: - /* BIO_flush(s->wbio); */ - - s->in_handshake--; - if (cb != NULL) - cb(s, SSL_CB_ACCEPT_EXIT, ret); - return (ret); -} - -int -ssl3_send_hello_request(SSL *s) -{ - if (s->state == SSL3_ST_SW_HELLO_REQ_A) { - ssl3_handshake_msg_start(s, SSL3_MT_HELLO_REQUEST); - ssl3_handshake_msg_finish(s, 0); - - s->state = SSL3_ST_SW_HELLO_REQ_B; - } - - /* SSL3_ST_SW_HELLO_REQ_B */ - return (ssl3_handshake_write(s)); -} - -int -ssl3_get_client_hello(SSL *s) -{ - int i, j, ok, al, ret = -1; - unsigned int cookie_len; - long n; - unsigned long id; - unsigned char *p, *d; - SSL_CIPHER *c; - STACK_OF(SSL_CIPHER) *ciphers = NULL; - unsigned long alg_k; - - /* - * We do this so that we will respond with our native type. - * If we are TLSv1 and we get SSLv3, we will respond with TLSv1, - * This down switching should be handled by a different method. - * If we are SSLv3, we will respond with SSLv3, even if prompted with - * TLSv1. - */ - if (s->state == SSL3_ST_SR_CLNT_HELLO_A) { - s->state = SSL3_ST_SR_CLNT_HELLO_B; - } - s->first_packet = 1; - n = s->method->ssl_get_message(s, SSL3_ST_SR_CLNT_HELLO_B, - SSL3_ST_SR_CLNT_HELLO_C, SSL3_MT_CLIENT_HELLO, - SSL3_RT_MAX_PLAIN_LENGTH, &ok); - - if (!ok) - return ((int)n); - s->first_packet = 0; - d = p = (unsigned char *)s->init_msg; - - if (2 > n) - goto truncated; - /* - * Use version from inside client hello, not from record header. - * (may differ: see RFC 2246, Appendix E, second paragraph) - */ - s->client_version = (((int)p[0]) << 8)|(int)p[1]; - p += 2; - - if ((s->version == DTLS1_VERSION && s->client_version > s->version) || - (s->version != DTLS1_VERSION && s->client_version < s->version)) { - SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, - SSL_R_WRONG_VERSION_NUMBER); - if ((s->client_version >> 8) == SSL3_VERSION_MAJOR && - !s->enc_write_ctx && !s->write_hash) { - /* - * Similar to ssl3_get_record, send alert using remote - * version number - */ - s->version = s->client_version; - } - al = SSL_AD_PROTOCOL_VERSION; - goto f_err; - } - - /* - * If we require cookies and this ClientHello doesn't - * contain one, just return since we do not want to - * allocate any memory yet. So check cookie length... - */ - if (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE) { - unsigned int session_length, cookie_length; - - session_length = *(p + SSL3_RANDOM_SIZE); - cookie_length = *(p + SSL3_RANDOM_SIZE + session_length + 1); - - if (cookie_length == 0) - return (1); - } - - if (p + SSL3_RANDOM_SIZE + 1 - d > n) - goto truncated; - - /* load the client random */ - memcpy(s->s3->client_random, p, SSL3_RANDOM_SIZE); - p += SSL3_RANDOM_SIZE; - - /* get the session-id */ - j= *(p++); - if (p + j - d > n) - goto truncated; - - s->hit = 0; - /* - * Versions before 0.9.7 always allow clients to resume sessions in - * renegotiation. 0.9.7 and later allow this by default, but optionally - * ignore resumption requests with flag - * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION (it's a new flag - * rather than a change to default behavior so that applications - * relying on this for security won't even compile against older - * library versions). - * - * 1.0.1 and later also have a function SSL_renegotiate_abbreviated() - * to request renegotiation but not a new session (s->new_session - * remains unset): for servers, this essentially just means that the - * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION setting will be - * ignored. - */ - if ((s->new_session && (s->options & - SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION))) { - if (!ssl_get_new_session(s, 1)) - goto err; - } else { - i = ssl_get_prev_session(s, p, j, d + n); - if (i == 1) { /* previous session */ - s->hit = 1; - } else if (i == -1) - goto err; - else { - /* i == 0 */ - if (!ssl_get_new_session(s, 1)) - goto err; - } - } - - p += j; - - if (SSL_IS_DTLS(s)) { - /* cookie stuff */ - if (p + 1 - d > n) - goto truncated; - cookie_len = *(p++); - - /* - * The ClientHello may contain a cookie even if the - * HelloVerify message has not been sent--make sure that it - * does not cause an overflow. - */ - if (cookie_len > sizeof(s->d1->rcvd_cookie)) { - /* too much data */ - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, - SSL_R_COOKIE_MISMATCH); - goto f_err; - } - - if (p + cookie_len - d > n) - goto truncated; - - /* verify the cookie if appropriate option is set. */ - if ((SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE) && - cookie_len > 0) { - memcpy(s->d1->rcvd_cookie, p, cookie_len); - - if (s->ctx->app_verify_cookie_cb != NULL) { - if (s->ctx->app_verify_cookie_cb(s, - s->d1->rcvd_cookie, cookie_len) == 0) { - al = SSL_AD_HANDSHAKE_FAILURE; - SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, - SSL_R_COOKIE_MISMATCH); - goto f_err; - } - /* else cookie verification succeeded */ - } else if (timingsafe_memcmp(s->d1->rcvd_cookie, s->d1->cookie, - s->d1->cookie_len) != 0) { - /* default verification */ - al = SSL_AD_HANDSHAKE_FAILURE; - SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, - SSL_R_COOKIE_MISMATCH); - goto f_err; - } - - ret = 2; - } - - p += cookie_len; - } - - if (p + 2 - d > n) - goto truncated; - n2s(p, i); - if ((i == 0) && (j != 0)) { - /* we need a cipher if we are not resuming a session */ - al = SSL_AD_ILLEGAL_PARAMETER; - SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, - SSL_R_NO_CIPHERS_SPECIFIED); - goto f_err; - } - if (p + i - d > n) - goto truncated; - if (i > 0) { - if ((ciphers = ssl_bytes_to_cipher_list(s, p, i)) == NULL) - goto err; - } - p += i; - - /* If it is a hit, check that the cipher is in the list */ - if ((s->hit) && (i > 0)) { - j = 0; - id = s->session->cipher->id; - - for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) { - c = sk_SSL_CIPHER_value(ciphers, i); - if (c->id == id) { - j = 1; - break; - } - } - if (j == 0) { - /* - * We need to have the cipher in the cipher - * list if we are asked to reuse it - */ - al = SSL_AD_ILLEGAL_PARAMETER; - SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, - SSL_R_REQUIRED_CIPHER_MISSING); - goto f_err; - } - } - - /* compression */ - if (p + 1 - d > n) - goto truncated; - i= *(p++); - if (p + i - d > n) - goto truncated; - for (j = 0; j < i; j++) { - if (p[j] == 0) - break; - } - - p += i; - if (j >= i) { - /* no compress */ - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, - SSL_R_NO_COMPRESSION_SPECIFIED); - goto f_err; - } - - /* TLS extensions*/ - if (!ssl_parse_clienthello_tlsext(s, &p, d, n, &al)) { - /* 'al' set by ssl_parse_clienthello_tlsext */ - SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_PARSE_TLSEXT); - goto f_err; - } - if (ssl_check_clienthello_tlsext_early(s) <= 0) { - SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, - SSL_R_CLIENTHELLO_TLSEXT); - goto err; - } - - /* - * Check if we want to use external pre-shared secret for this - * handshake for not reused session only. We need to generate - * server_random before calling tls_session_secret_cb in order to allow - * SessionTicket processing to use it in key derivation. - */ - arc4random_buf(s->s3->server_random, SSL3_RANDOM_SIZE); - - if (!s->hit && s->tls_session_secret_cb) { - SSL_CIPHER *pref_cipher = NULL; - - s->session->master_key_length = sizeof(s->session->master_key); - if (s->tls_session_secret_cb(s, s->session->master_key, - &s->session->master_key_length, ciphers, &pref_cipher, - s->tls_session_secret_cb_arg)) { - s->hit = 1; - s->session->ciphers = ciphers; - s->session->verify_result = X509_V_OK; - - ciphers = NULL; - - /* check if some cipher was preferred by call back */ - pref_cipher = pref_cipher ? pref_cipher : - ssl3_choose_cipher(s, s->session->ciphers, - SSL_get_ciphers(s)); - if (pref_cipher == NULL) { - al = SSL_AD_HANDSHAKE_FAILURE; - SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, - SSL_R_NO_SHARED_CIPHER); - goto f_err; - } - - s->session->cipher = pref_cipher; - - if (s->cipher_list) - sk_SSL_CIPHER_free(s->cipher_list); - - if (s->cipher_list_by_id) - sk_SSL_CIPHER_free(s->cipher_list_by_id); - - s->cipher_list = sk_SSL_CIPHER_dup(s->session->ciphers); - s->cipher_list_by_id = - sk_SSL_CIPHER_dup(s->session->ciphers); - } - } - - /* - * Given s->session->ciphers and SSL_get_ciphers, we must - * pick a cipher - */ - - if (!s->hit) { - if (s->session->ciphers != NULL) - sk_SSL_CIPHER_free(s->session->ciphers); - s->session->ciphers = ciphers; - if (ciphers == NULL) { - al = SSL_AD_ILLEGAL_PARAMETER; - SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, - SSL_R_NO_CIPHERS_PASSED); - goto f_err; - } - ciphers = NULL; - c = ssl3_choose_cipher(s, s->session->ciphers, - SSL_get_ciphers(s)); - - if (c == NULL) { - al = SSL_AD_HANDSHAKE_FAILURE; - SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, - SSL_R_NO_SHARED_CIPHER); - goto f_err; - } - s->s3->tmp.new_cipher = c; - } else { - s->s3->tmp.new_cipher = s->session->cipher; - } - - alg_k = s->s3->tmp.new_cipher->algorithm_mkey; - if (!(SSL_USE_SIGALGS(s) || (alg_k & SSL_kGOST)) || - !(s->verify_mode & SSL_VERIFY_PEER)) { - if (!tls1_digest_cached_records(s)) { - al = SSL_AD_INTERNAL_ERROR; - goto f_err; - } - } - - /* - * We now have the following setup. - * client_random - * cipher_list - our prefered list of ciphers - * ciphers - the clients prefered list of ciphers - * compression - basically ignored right now - * ssl version is set - sslv3 - * s->session - The ssl session has been setup. - * s->hit - session reuse flag - * s->tmp.new_cipher - the new cipher to use. - */ - - /* Handles TLS extensions that we couldn't check earlier */ - if (ssl_check_clienthello_tlsext_late(s) <= 0) { - SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_CLIENTHELLO_TLSEXT); - goto err; - } - - if (ret < 0) - ret = 1; - if (0) { -truncated: - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_BAD_PACKET_LENGTH); -f_err: - ssl3_send_alert(s, SSL3_AL_FATAL, al); - } -err: - if (ciphers != NULL) - sk_SSL_CIPHER_free(ciphers); - return (ret); -} - -int -ssl3_send_server_hello(SSL *s) -{ - unsigned char *bufend; - unsigned char *p, *d; - int sl; - - if (s->state == SSL3_ST_SW_SRVR_HELLO_A) { - d = p = ssl3_handshake_msg_start(s, SSL3_MT_SERVER_HELLO); - - *(p++) = s->version >> 8; - *(p++) = s->version & 0xff; - - /* Random stuff */ - memcpy(p, s->s3->server_random, SSL3_RANDOM_SIZE); - p += SSL3_RANDOM_SIZE; - - /* - * There are several cases for the session ID to send - * back in the server hello: - * - * - For session reuse from the session cache, - * we send back the old session ID. - * - If stateless session reuse (using a session ticket) - * is successful, we send back the client's "session ID" - * (which doesn't actually identify the session). - * - If it is a new session, we send back the new - * session ID. - * - However, if we want the new session to be single-use, - * we send back a 0-length session ID. - * - * s->hit is non-zero in either case of session reuse, - * so the following won't overwrite an ID that we're supposed - * to send back. - */ - if (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER) - && !s->hit) - s->session->session_id_length = 0; - - sl = s->session->session_id_length; - if (sl > (int)sizeof(s->session->session_id)) { - SSLerr(SSL_F_SSL3_SEND_SERVER_HELLO, - ERR_R_INTERNAL_ERROR); - return (-1); - } - *(p++) = sl; - memcpy(p, s->session->session_id, sl); - p += sl; - - /* put the cipher */ - s2n(ssl3_cipher_get_value(s->s3->tmp.new_cipher), p); - - /* put the compression method */ - *(p++) = 0; - - bufend = (unsigned char *)s->init_buf->data + - SSL3_RT_MAX_PLAIN_LENGTH; - if ((p = ssl_add_serverhello_tlsext(s, p, bufend)) == NULL) { - SSLerr(SSL_F_SSL3_SEND_SERVER_HELLO, - ERR_R_INTERNAL_ERROR); - return (-1); - } - - ssl3_handshake_msg_finish(s, p - d); - } - - /* SSL3_ST_SW_SRVR_HELLO_B */ - return (ssl3_handshake_write(s)); -} - -int -ssl3_send_server_done(SSL *s) -{ - if (s->state == SSL3_ST_SW_SRVR_DONE_A) { - ssl3_handshake_msg_start(s, SSL3_MT_SERVER_DONE); - ssl3_handshake_msg_finish(s, 0); - - s->state = SSL3_ST_SW_SRVR_DONE_B; - } - - /* SSL3_ST_SW_SRVR_DONE_B */ - return (ssl3_handshake_write(s)); -} - -int -ssl3_send_server_key_exchange(SSL *s) -{ - unsigned char *q; - int j, num; - unsigned char md_buf[MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH]; - unsigned int u; - DH *dh = NULL, *dhp; - EC_KEY *ecdh = NULL, *ecdhp; - unsigned char *encodedPoint = NULL; - int encodedlen = 0; - int curve_id = 0; - BN_CTX *bn_ctx = NULL; - - EVP_PKEY *pkey; - const EVP_MD *md = NULL; - unsigned char *p, *d; - int al, i; - unsigned long type; - int n; - CERT *cert; - BIGNUM *r[4]; - int nr[4], kn; - BUF_MEM *buf; - EVP_MD_CTX md_ctx; - - EVP_MD_CTX_init(&md_ctx); - if (s->state == SSL3_ST_SW_KEY_EXCH_A) { - type = s->s3->tmp.new_cipher->algorithm_mkey; - cert = s->cert; - - buf = s->init_buf; - - r[0] = r[1] = r[2] = r[3] = NULL; - n = 0; - if (type & SSL_kDHE) { - if (s->cert->dh_tmp_auto != 0) { - if ((dhp = ssl_get_auto_dh(s)) == NULL) { - al = SSL_AD_INTERNAL_ERROR; - SSLerr( - SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, - ERR_R_INTERNAL_ERROR); - goto f_err; - } - } else - dhp = cert->dh_tmp; - - if (dhp == NULL && s->cert->dh_tmp_cb != NULL) - dhp = s->cert->dh_tmp_cb(s, 0, - SSL_C_PKEYLENGTH(s->s3->tmp.new_cipher)); - - if (dhp == NULL) { - al = SSL_AD_HANDSHAKE_FAILURE; - SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, - SSL_R_MISSING_TMP_DH_KEY); - goto f_err; - } - - if (s->s3->tmp.dh != NULL) { - SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, - ERR_R_INTERNAL_ERROR); - goto err; - } - - if (s->cert->dh_tmp_auto != 0) { - dh = dhp; - } else if ((dh = DHparams_dup(dhp)) == NULL) { - SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, - ERR_R_DH_LIB); - goto err; - } - s->s3->tmp.dh = dh; - if (!DH_generate_key(dh)) { - SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, - ERR_R_DH_LIB); - goto err; - } - r[0] = dh->p; - r[1] = dh->g; - r[2] = dh->pub_key; - } else if (type & SSL_kECDHE) { - const EC_GROUP *group; - - ecdhp = cert->ecdh_tmp; - if (s->cert->ecdh_tmp_auto != 0) { - int nid = tls1_get_shared_curve(s); - if (nid != NID_undef) - ecdhp = EC_KEY_new_by_curve_name(nid); - } else if (ecdhp == NULL && - s->cert->ecdh_tmp_cb != NULL) { - ecdhp = s->cert->ecdh_tmp_cb(s, 0, - SSL_C_PKEYLENGTH(s->s3->tmp.new_cipher)); - } - if (ecdhp == NULL) { - al = SSL_AD_HANDSHAKE_FAILURE; - SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, - SSL_R_MISSING_TMP_ECDH_KEY); - goto f_err; - } - - if (s->s3->tmp.ecdh != NULL) { - SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, - ERR_R_INTERNAL_ERROR); - goto err; - } - - /* Duplicate the ECDH structure. */ - if (s->cert->ecdh_tmp_auto != 0) { - ecdh = ecdhp; - } else if ((ecdh = EC_KEY_dup(ecdhp)) == NULL) { - SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, - ERR_R_ECDH_LIB); - goto err; - } - s->s3->tmp.ecdh = ecdh; - - if ((EC_KEY_get0_public_key(ecdh) == NULL) || - (EC_KEY_get0_private_key(ecdh) == NULL) || - (s->options & SSL_OP_SINGLE_ECDH_USE)) { - if (!EC_KEY_generate_key(ecdh)) { - SSLerr( - SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, - ERR_R_ECDH_LIB); - goto err; - } - } - - if (((group = EC_KEY_get0_group(ecdh)) == NULL) || - (EC_KEY_get0_public_key(ecdh) == NULL) || - (EC_KEY_get0_private_key(ecdh) == NULL)) { - SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, - ERR_R_ECDH_LIB); - goto err; - } - - /* - * XXX: For now, we only support ephemeral ECDH - * keys over named (not generic) curves. For - * supported named curves, curve_id is non-zero. - */ - if ((curve_id = tls1_ec_nid2curve_id( - EC_GROUP_get_curve_name(group))) == 0) { - SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, - SSL_R_UNSUPPORTED_ELLIPTIC_CURVE); - goto err; - } - - /* - * Encode the public key. - * First check the size of encoding and - * allocate memory accordingly. - */ - encodedlen = EC_POINT_point2oct(group, - EC_KEY_get0_public_key(ecdh), - POINT_CONVERSION_UNCOMPRESSED, - NULL, 0, NULL); - - encodedPoint = malloc(encodedlen); - - bn_ctx = BN_CTX_new(); - if ((encodedPoint == NULL) || (bn_ctx == NULL)) { - SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, - ERR_R_MALLOC_FAILURE); - goto err; - } - - - encodedlen = EC_POINT_point2oct(group, - EC_KEY_get0_public_key(ecdh), - POINT_CONVERSION_UNCOMPRESSED, - encodedPoint, encodedlen, bn_ctx); - - if (encodedlen == 0) { - SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, - ERR_R_ECDH_LIB); - goto err; - } - - BN_CTX_free(bn_ctx); - bn_ctx = NULL; - - /* - * XXX: For now, we only support named (not - * generic) curves in ECDH ephemeral key exchanges. - * In this situation, we need four additional bytes - * to encode the entire ServerECDHParams - * structure. - */ - n = 4 + encodedlen; - - /* - * We'll generate the serverKeyExchange message - * explicitly so we can set these to NULLs - */ - r[0] = NULL; - r[1] = NULL; - r[2] = NULL; - r[3] = NULL; - } else - { - al = SSL_AD_HANDSHAKE_FAILURE; - SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, - SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE); - goto f_err; - } - for (i = 0; i < 4 && r[i] != NULL; i++) { - nr[i] = BN_num_bytes(r[i]); - n += 2 + nr[i]; - } - - if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL)) { - if ((pkey = ssl_get_sign_pkey( - s, s->s3->tmp.new_cipher, &md)) == NULL) { - al = SSL_AD_DECODE_ERROR; - goto f_err; - } - kn = EVP_PKEY_size(pkey); - } else { - pkey = NULL; - kn = 0; - } - - if (!BUF_MEM_grow_clean(buf, ssl3_handshake_msg_hdr_len(s) + - n + kn)) { - SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, - ERR_LIB_BUF); - goto err; - } - - d = p = ssl3_handshake_msg_start(s, - SSL3_MT_SERVER_KEY_EXCHANGE); - - for (i = 0; i < 4 && r[i] != NULL; i++) { - s2n(nr[i], p); - BN_bn2bin(r[i], p); - p += nr[i]; - } - - if (type & SSL_kECDHE) { - /* - * XXX: For now, we only support named (not generic) - * curves. - * In this situation, the serverKeyExchange message has: - * [1 byte CurveType], [2 byte CurveName] - * [1 byte length of encoded point], followed by - * the actual encoded point itself - */ - *p = NAMED_CURVE_TYPE; - p += 1; - *p = 0; - p += 1; - *p = curve_id; - p += 1; - *p = encodedlen; - p += 1; - memcpy((unsigned char*)p, - (unsigned char *)encodedPoint, encodedlen); - free(encodedPoint); - encodedPoint = NULL; - p += encodedlen; - } - - - /* not anonymous */ - if (pkey != NULL) { - /* - * n is the length of the params, they start at &(d[4]) - * and p points to the space at the end. - */ - if (pkey->type == EVP_PKEY_RSA && !SSL_USE_SIGALGS(s)) { - q = md_buf; - j = 0; - for (num = 2; num > 0; num--) { - if (!EVP_DigestInit_ex(&md_ctx, - (num == 2) ? s->ctx->md5 : - s->ctx->sha1, NULL)) - goto err; - EVP_DigestUpdate(&md_ctx, - s->s3->client_random, - SSL3_RANDOM_SIZE); - EVP_DigestUpdate(&md_ctx, - s->s3->server_random, - SSL3_RANDOM_SIZE); - EVP_DigestUpdate(&md_ctx, d, n); - EVP_DigestFinal_ex(&md_ctx, q, - (unsigned int *)&i); - q += i; - j += i; - } - if (RSA_sign(NID_md5_sha1, md_buf, j, - &(p[2]), &u, pkey->pkey.rsa) <= 0) { - SSLerr( - SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, - ERR_LIB_RSA); - goto err; - } - s2n(u, p); - n += u + 2; - } else if (md) { - /* Send signature algorithm. */ - if (SSL_USE_SIGALGS(s)) { - if (!tls12_get_sigandhash(p, pkey, md)) { - /* Should never happen */ - al = SSL_AD_INTERNAL_ERROR; - SSLerr( - SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, - ERR_R_INTERNAL_ERROR); - goto f_err; - } - p += 2; - } - EVP_SignInit_ex(&md_ctx, md, NULL); - EVP_SignUpdate(&md_ctx, - s->s3->client_random, - SSL3_RANDOM_SIZE); - EVP_SignUpdate(&md_ctx, - s->s3->server_random, - SSL3_RANDOM_SIZE); - EVP_SignUpdate(&md_ctx, d, n); - if (!EVP_SignFinal(&md_ctx, &p[2], - (unsigned int *)&i, pkey)) { - SSLerr( - SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, - ERR_LIB_EVP); - goto err; - } - s2n(i, p); - n += i + 2; - if (SSL_USE_SIGALGS(s)) - n += 2; - } else { - /* Is this error check actually needed? */ - al = SSL_AD_HANDSHAKE_FAILURE; - SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, - SSL_R_UNKNOWN_PKEY_TYPE); - goto f_err; - } - } - - ssl3_handshake_msg_finish(s, n); - } - - s->state = SSL3_ST_SW_KEY_EXCH_B; - EVP_MD_CTX_cleanup(&md_ctx); - - return (ssl3_handshake_write(s)); - -f_err: - ssl3_send_alert(s, SSL3_AL_FATAL, al); -err: - free(encodedPoint); - BN_CTX_free(bn_ctx); - EVP_MD_CTX_cleanup(&md_ctx); - return (-1); -} - -int -ssl3_send_certificate_request(SSL *s) -{ - unsigned char *p, *d; - int i, j, nl, off, n; - STACK_OF(X509_NAME) *sk = NULL; - X509_NAME *name; - BUF_MEM *buf; - - if (s->state == SSL3_ST_SW_CERT_REQ_A) { - buf = s->init_buf; - - d = p = ssl3_handshake_msg_start(s, - SSL3_MT_CERTIFICATE_REQUEST); - - /* get the list of acceptable cert types */ - p++; - n = ssl3_get_req_cert_type(s, p); - d[0] = n; - p += n; - n++; - - if (SSL_USE_SIGALGS(s)) { - nl = tls12_get_req_sig_algs(s, p + 2); - s2n(nl, p); - p += nl + 2; - n += nl + 2; - } - - off = n; - p += 2; - n += 2; - - sk = SSL_get_client_CA_list(s); - nl = 0; - if (sk != NULL) { - for (i = 0; i < sk_X509_NAME_num(sk); i++) { - name = sk_X509_NAME_value(sk, i); - j = i2d_X509_NAME(name, NULL); - if (!BUF_MEM_grow_clean(buf, - ssl3_handshake_msg_hdr_len(s) + n + j - + 2)) { - SSLerr( - SSL_F_SSL3_SEND_CERTIFICATE_REQUEST, - ERR_R_BUF_LIB); - goto err; - } - p = ssl3_handshake_msg_start(s, - SSL3_MT_CERTIFICATE_REQUEST) + n; - s2n(j, p); - i2d_X509_NAME(name, &p); - n += 2 + j; - nl += 2 + j; - } - } - /* else no CA names */ - p = ssl3_handshake_msg_start(s, - SSL3_MT_CERTIFICATE_REQUEST) + off; - s2n(nl, p); - - ssl3_handshake_msg_finish(s, n); - - s->state = SSL3_ST_SW_CERT_REQ_B; - } - - /* SSL3_ST_SW_CERT_REQ_B */ - return (ssl3_handshake_write(s)); -err: - return (-1); -} - -int -ssl3_get_client_key_exchange(SSL *s) -{ - int i, al, ok; - long n; - unsigned long alg_k; - unsigned char *d, *p; - RSA *rsa = NULL; - EVP_PKEY *pkey = NULL; - BIGNUM *pub = NULL; - DH *dh_srvr; - - EC_KEY *srvr_ecdh = NULL; - EVP_PKEY *clnt_pub_pkey = NULL; - EC_POINT *clnt_ecpoint = NULL; - BN_CTX *bn_ctx = NULL; - - /* 2048 maxlen is a guess. How long a key does that permit? */ - n = s->method->ssl_get_message(s, SSL3_ST_SR_KEY_EXCH_A, - SSL3_ST_SR_KEY_EXCH_B, SSL3_MT_CLIENT_KEY_EXCHANGE, 2048, &ok); - if (!ok) - return ((int)n); - d = p = (unsigned char *)s->init_msg; - - alg_k = s->s3->tmp.new_cipher->algorithm_mkey; - - if (alg_k & SSL_kRSA) { - char fakekey[SSL_MAX_MASTER_KEY_LENGTH]; - - arc4random_buf(fakekey, sizeof(fakekey)); - fakekey[0] = s->client_version >> 8; - fakekey[1] = s->client_version & 0xff; - - pkey = s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey; - if ((pkey == NULL) || (pkey->type != EVP_PKEY_RSA) || - (pkey->pkey.rsa == NULL)) { - al = SSL_AD_HANDSHAKE_FAILURE; - SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, - SSL_R_MISSING_RSA_CERTIFICATE); - goto f_err; - } - rsa = pkey->pkey.rsa; - - if (2 > n) - goto truncated; - n2s(p, i); - if (n != i + 2) { - SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, - SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG); - goto err; - } else - n = i; - - i = RSA_private_decrypt((int)n, p, p, rsa, RSA_PKCS1_PADDING); - - ERR_clear_error(); - - al = -1; - - if (i != SSL_MAX_MASTER_KEY_LENGTH) { - al = SSL_AD_DECODE_ERROR; - /* SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_RSA_DECRYPT); */ - } - - if (p + 2 - d > n) /* needed in the SSL3 case */ - goto truncated; - if ((al == -1) && !((p[0] == (s->client_version >> 8)) && - (p[1] == (s->client_version & 0xff)))) { - /* - * The premaster secret must contain the same version - * number as the ClientHello to detect version rollback - * attacks (strangely, the protocol does not offer such - * protection for DH ciphersuites). - * However, buggy clients exist that send the negotiated - * protocol version instead if the server does not - * support the requested protocol version. - * If SSL_OP_TLS_ROLLBACK_BUG is set, tolerate such - * clients. - */ - if (!((s->options & SSL_OP_TLS_ROLLBACK_BUG) && - (p[0] == (s->version >> 8)) && - (p[1] == (s->version & 0xff)))) { - al = SSL_AD_DECODE_ERROR; - /* SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_PROTOCOL_VERSION_NUMBER); */ - - /* - * The Klima-Pokorny-Rosa extension of - * Bleichenbacher's attack - * (http://eprint.iacr.org/2003/052/) exploits - * the version number check as a "bad version - * oracle" -- an alert would reveal that the - * plaintext corresponding to some ciphertext - * made up by the adversary is properly - * formatted except that the version number is - * wrong. - * To avoid such attacks, we should treat this - * just like any other decryption error. - */ - } - } - - if (al != -1) { - /* - * Some decryption failure -- use random value instead - * as countermeasure against Bleichenbacher's attack - * on PKCS #1 v1.5 RSA padding (see RFC 2246, - * section 7.4.7.1). - */ - i = SSL_MAX_MASTER_KEY_LENGTH; - p = fakekey; - } - - s->session->master_key_length = - s->method->ssl3_enc->generate_master_secret(s, - s->session->master_key, - p, i); - explicit_bzero(p, i); - } else if (alg_k & SSL_kDHE) { - if (2 > n) - goto truncated; - n2s(p, i); - if (n != i + 2) { - SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, - SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG); - goto err; - } - - if (n == 0L) { - /* the parameters are in the cert */ - al = SSL_AD_HANDSHAKE_FAILURE; - SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, - SSL_R_UNABLE_TO_DECODE_DH_CERTS); - goto f_err; - } else { - if (s->s3->tmp.dh == NULL) { - al = SSL_AD_HANDSHAKE_FAILURE; - SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, - SSL_R_MISSING_TMP_DH_KEY); - goto f_err; - } else - dh_srvr = s->s3->tmp.dh; - } - - pub = BN_bin2bn(p, i, NULL); - if (pub == NULL) { - SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, - SSL_R_BN_LIB); - goto err; - } - - i = DH_compute_key(p, pub, dh_srvr); - - if (i <= 0) { - SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, - ERR_R_DH_LIB); - BN_clear_free(pub); - goto err; - } - - DH_free(s->s3->tmp.dh); - s->s3->tmp.dh = NULL; - - BN_clear_free(pub); - pub = NULL; - s->session->master_key_length = - s->method->ssl3_enc->generate_master_secret( - s, s->session->master_key, p, i); - explicit_bzero(p, i); - } else - - if (alg_k & (SSL_kECDHE|SSL_kECDHr|SSL_kECDHe)) { - int ret = 1; - int key_size; - const EC_KEY *tkey; - const EC_GROUP *group; - const BIGNUM *priv_key; - - /* Initialize structures for server's ECDH key pair. */ - if ((srvr_ecdh = EC_KEY_new()) == NULL) { - SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, - ERR_R_MALLOC_FAILURE); - goto err; - } - - /* Let's get server private key and group information. */ - if (alg_k & (SSL_kECDHr|SSL_kECDHe)) { - /* Use the certificate */ - tkey = s->cert->pkeys[SSL_PKEY_ECC].privatekey->pkey.ec; - } else { - /* - * Use the ephermeral values we saved when - * generating the ServerKeyExchange msg. - */ - tkey = s->s3->tmp.ecdh; - } - - group = EC_KEY_get0_group(tkey); - priv_key = EC_KEY_get0_private_key(tkey); - - if (!EC_KEY_set_group(srvr_ecdh, group) || - !EC_KEY_set_private_key(srvr_ecdh, priv_key)) { - SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, - ERR_R_EC_LIB); - goto err; - } - - /* Let's get client's public key */ - if ((clnt_ecpoint = EC_POINT_new(group)) == NULL) { - SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, - ERR_R_MALLOC_FAILURE); - goto err; - } - - if (n == 0L) { - /* Client Publickey was in Client Certificate */ - - if (alg_k & SSL_kECDHE) { - al = SSL_AD_HANDSHAKE_FAILURE; - SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, - SSL_R_MISSING_TMP_ECDH_KEY); - goto f_err; - } - if (((clnt_pub_pkey = X509_get_pubkey( - s->session->peer)) == NULL) || - (clnt_pub_pkey->type != EVP_PKEY_EC)) { - /* - * XXX: For now, we do not support client - * authentication using ECDH certificates - * so this branch (n == 0L) of the code is - * never executed. When that support is - * added, we ought to ensure the key - * received in the certificate is - * authorized for key agreement. - * ECDH_compute_key implicitly checks that - * the two ECDH shares are for the same - * group. - */ - al = SSL_AD_HANDSHAKE_FAILURE; - SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, - SSL_R_UNABLE_TO_DECODE_ECDH_CERTS); - goto f_err; - } - - if (EC_POINT_copy(clnt_ecpoint, - EC_KEY_get0_public_key(clnt_pub_pkey->pkey.ec)) - == 0) { - SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, - ERR_R_EC_LIB); - goto err; - } - ret = 2; /* Skip certificate verify processing */ - } else { - /* - * Get client's public key from encoded point - * in the ClientKeyExchange message. - */ - if ((bn_ctx = BN_CTX_new()) == NULL) { - SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, - ERR_R_MALLOC_FAILURE); - goto err; - } - - /* Get encoded point length */ - i = *p; - - p += 1; - if (n != 1 + i) { - SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, - ERR_R_EC_LIB); - goto err; - } - if (EC_POINT_oct2point(group, - clnt_ecpoint, p, i, bn_ctx) == 0) { - SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, - ERR_R_EC_LIB); - goto err; - } - /* - * p is pointing to somewhere in the buffer - * currently, so set it to the start. - */ - p = (unsigned char *)s->init_buf->data; - } - - /* Compute the shared pre-master secret */ - key_size = ECDH_size(srvr_ecdh); - if (key_size <= 0) { - SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, - ERR_R_ECDH_LIB); - goto err; - } - i = ECDH_compute_key(p, key_size, clnt_ecpoint, srvr_ecdh, - NULL); - if (i <= 0) { - SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, - ERR_R_ECDH_LIB); - goto err; - } - - EVP_PKEY_free(clnt_pub_pkey); - EC_POINT_free(clnt_ecpoint); - EC_KEY_free(srvr_ecdh); - BN_CTX_free(bn_ctx); - EC_KEY_free(s->s3->tmp.ecdh); - s->s3->tmp.ecdh = NULL; - - - /* Compute the master secret */ - s->session->master_key_length = s->method->ssl3_enc-> \ - generate_master_secret(s, s->session->master_key, p, i); - - explicit_bzero(p, i); - return (ret); - } else - if (alg_k & SSL_kGOST) { - int ret = 0; - EVP_PKEY_CTX *pkey_ctx; - EVP_PKEY *client_pub_pkey = NULL, *pk = NULL; - unsigned char premaster_secret[32], *start; - size_t outlen = 32, inlen; - unsigned long alg_a; - int Ttag, Tclass; - long Tlen; - - /* Get our certificate private key*/ - alg_a = s->s3->tmp.new_cipher->algorithm_auth; - if (alg_a & SSL_aGOST01) - pk = s->cert->pkeys[SSL_PKEY_GOST01].privatekey; - - pkey_ctx = EVP_PKEY_CTX_new(pk, NULL); - EVP_PKEY_decrypt_init(pkey_ctx); - /* - * If client certificate is present and is of the same type, - * maybe use it for key exchange. - * Don't mind errors from EVP_PKEY_derive_set_peer, because - * it is completely valid to use a client certificate for - * authorization only. - */ - client_pub_pkey = X509_get_pubkey(s->session->peer); - if (client_pub_pkey) { - if (EVP_PKEY_derive_set_peer(pkey_ctx, - client_pub_pkey) <= 0) - ERR_clear_error(); - } - if (2 > n) - goto truncated; - /* Decrypt session key */ - if (ASN1_get_object((const unsigned char **)&p, &Tlen, &Ttag, - &Tclass, n) != V_ASN1_CONSTRUCTED || - Ttag != V_ASN1_SEQUENCE || Tclass != V_ASN1_UNIVERSAL) { - SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, - SSL_R_DECRYPTION_FAILED); - goto gerr; - } - start = p; - inlen = Tlen; - if (EVP_PKEY_decrypt(pkey_ctx, premaster_secret, &outlen, - start, inlen) <=0) { - SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, - SSL_R_DECRYPTION_FAILED); - goto gerr; - } - /* Generate master secret */ - s->session->master_key_length = - s->method->ssl3_enc->generate_master_secret( - s, s->session->master_key, premaster_secret, 32); - /* Check if pubkey from client certificate was used */ - if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, -1, - EVP_PKEY_CTRL_PEER_KEY, 2, NULL) > 0) - ret = 2; - else - ret = 1; -gerr: - EVP_PKEY_free(client_pub_pkey); - EVP_PKEY_CTX_free(pkey_ctx); - if (ret) - return (ret); - else - goto err; - } else { - al = SSL_AD_HANDSHAKE_FAILURE; - SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, - SSL_R_UNKNOWN_CIPHER_TYPE); - goto f_err; - } - - return (1); -truncated: - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, SSL_R_BAD_PACKET_LENGTH); -f_err: - ssl3_send_alert(s, SSL3_AL_FATAL, al); -err: - EVP_PKEY_free(clnt_pub_pkey); - EC_POINT_free(clnt_ecpoint); - EC_KEY_free(srvr_ecdh); - BN_CTX_free(bn_ctx); - return (-1); -} - -int -ssl3_get_cert_verify(SSL *s) -{ - EVP_PKEY *pkey = NULL; - unsigned char *p; - int al, ok, ret = 0; - long n; - int type = 0, i, j; - X509 *peer; - const EVP_MD *md = NULL; - EVP_MD_CTX mctx; - EVP_MD_CTX_init(&mctx); - - n = s->method->ssl_get_message(s, SSL3_ST_SR_CERT_VRFY_A, - SSL3_ST_SR_CERT_VRFY_B, -1, SSL3_RT_MAX_PLAIN_LENGTH, &ok); - if (!ok) - return ((int)n); - - if (s->session->peer != NULL) { - peer = s->session->peer; - pkey = X509_get_pubkey(peer); - type = X509_certificate_type(peer, pkey); - } else { - peer = NULL; - pkey = NULL; - } - - if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE_VERIFY) { - s->s3->tmp.reuse_message = 1; - if (peer != NULL) { - al = SSL_AD_UNEXPECTED_MESSAGE; - SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, - SSL_R_MISSING_VERIFY_MESSAGE); - goto f_err; - } - ret = 1; - goto end; - } - - if (peer == NULL) { - SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, - SSL_R_NO_CLIENT_CERT_RECEIVED); - al = SSL_AD_UNEXPECTED_MESSAGE; - goto f_err; - } - - if (!(type & EVP_PKT_SIGN)) { - SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, - SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE); - al = SSL_AD_ILLEGAL_PARAMETER; - goto f_err; - } - - if (s->s3->change_cipher_spec) { - SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, - SSL_R_CCS_RECEIVED_EARLY); - al = SSL_AD_UNEXPECTED_MESSAGE; - goto f_err; - } - - /* we now have a signature that we need to verify */ - p = (unsigned char *)s->init_msg; - /* - * Check for broken implementations of GOST ciphersuites. - * - * If key is GOST and n is exactly 64, it is a bare - * signature without length field. - */ - if (n == 64 && (pkey->type == NID_id_GostR3410_94 || - pkey->type == NID_id_GostR3410_2001) ) { - i = 64; - } else { - if (SSL_USE_SIGALGS(s)) { - int sigalg = tls12_get_sigid(pkey); - /* Should never happen */ - if (sigalg == -1) { - SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, - ERR_R_INTERNAL_ERROR); - al = SSL_AD_INTERNAL_ERROR; - goto f_err; - } - if (2 > n) - goto truncated; - /* Check key type is consistent with signature */ - if (sigalg != (int)p[1]) { - SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, - SSL_R_WRONG_SIGNATURE_TYPE); - al = SSL_AD_DECODE_ERROR; - goto f_err; - } - md = tls12_get_hash(p[0]); - if (md == NULL) { - SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, - SSL_R_UNKNOWN_DIGEST); - al = SSL_AD_DECODE_ERROR; - goto f_err; - } - p += 2; - n -= 2; - } - if (2 > n) - goto truncated; - n2s(p, i); - n -= 2; - if (i > n) - goto truncated; - } - j = EVP_PKEY_size(pkey); - if ((i > j) || (n > j) || (n <= 0)) { - SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, - SSL_R_WRONG_SIGNATURE_SIZE); - al = SSL_AD_DECODE_ERROR; - goto f_err; - } - - if (SSL_USE_SIGALGS(s)) { - long hdatalen = 0; - void *hdata; - hdatalen = BIO_get_mem_data(s->s3->handshake_buffer, &hdata); - if (hdatalen <= 0) { - SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, - ERR_R_INTERNAL_ERROR); - al = SSL_AD_INTERNAL_ERROR; - goto f_err; - } - if (!EVP_VerifyInit_ex(&mctx, md, NULL) || - !EVP_VerifyUpdate(&mctx, hdata, hdatalen)) { - SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, - ERR_R_EVP_LIB); - al = SSL_AD_INTERNAL_ERROR; - goto f_err; - } - - if (EVP_VerifyFinal(&mctx, p, i, pkey) <= 0) { - al = SSL_AD_DECRYPT_ERROR; - SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, - SSL_R_BAD_SIGNATURE); - goto f_err; - } - } else - if (pkey->type == EVP_PKEY_RSA) { - i = RSA_verify(NID_md5_sha1, s->s3->tmp.cert_verify_md, - MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH, p, i, - pkey->pkey.rsa); - if (i < 0) { - al = SSL_AD_DECRYPT_ERROR; - SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, - SSL_R_BAD_RSA_DECRYPT); - goto f_err; - } - if (i == 0) { - al = SSL_AD_DECRYPT_ERROR; - SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, - SSL_R_BAD_RSA_SIGNATURE); - goto f_err; - } - } else - if (pkey->type == EVP_PKEY_DSA) { - j = DSA_verify(pkey->save_type, - &(s->s3->tmp.cert_verify_md[MD5_DIGEST_LENGTH]), - SHA_DIGEST_LENGTH, p, i, pkey->pkey.dsa); - if (j <= 0) { - /* bad signature */ - al = SSL_AD_DECRYPT_ERROR; - SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, - SSL_R_BAD_DSA_SIGNATURE); - goto f_err; - } - } else - if (pkey->type == EVP_PKEY_EC) { - j = ECDSA_verify(pkey->save_type, - &(s->s3->tmp.cert_verify_md[MD5_DIGEST_LENGTH]), - SHA_DIGEST_LENGTH, p, i, pkey->pkey.ec); - if (j <= 0) { - /* bad signature */ - al = SSL_AD_DECRYPT_ERROR; - SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, - SSL_R_BAD_ECDSA_SIGNATURE); - goto f_err; - } - } else -#ifndef OPENSSL_NO_GOST - if (pkey->type == NID_id_GostR3410_94 || - pkey->type == NID_id_GostR3410_2001) { - long hdatalen = 0; - void *hdata; - unsigned char signature[128]; - unsigned int siglen = sizeof(signature); - int nid; - EVP_PKEY_CTX *pctx; - - hdatalen = BIO_get_mem_data(s->s3->handshake_buffer, &hdata); - if (hdatalen <= 0) { - SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, - ERR_R_INTERNAL_ERROR); - al = SSL_AD_INTERNAL_ERROR; - goto f_err; - } - if (!EVP_PKEY_get_default_digest_nid(pkey, &nid) || - !(md = EVP_get_digestbynid(nid))) { - SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, - ERR_R_EVP_LIB); - al = SSL_AD_INTERNAL_ERROR; - goto f_err; - } - pctx = EVP_PKEY_CTX_new(pkey, NULL); - if (!pctx) { - SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, - ERR_R_EVP_LIB); - al = SSL_AD_INTERNAL_ERROR; - goto f_err; - } - if (!EVP_DigestInit_ex(&mctx, md, NULL) || - !EVP_DigestUpdate(&mctx, hdata, hdatalen) || - !EVP_DigestFinal(&mctx, signature, &siglen) || - (EVP_PKEY_verify_init(pctx) <= 0) || - (EVP_PKEY_CTX_set_signature_md(pctx, md) <= 0) || - (EVP_PKEY_CTX_ctrl(pctx, -1, EVP_PKEY_OP_VERIFY, - EVP_PKEY_CTRL_GOST_SIG_FORMAT, - GOST_SIG_FORMAT_RS_LE, - NULL) <= 0)) { - SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, - ERR_R_EVP_LIB); - al = SSL_AD_INTERNAL_ERROR; - EVP_PKEY_CTX_free(pctx); - goto f_err; - } - - if (EVP_PKEY_verify(pctx, p, i, signature, siglen) <= 0) { - al = SSL_AD_DECRYPT_ERROR; - SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, - SSL_R_BAD_SIGNATURE); - EVP_PKEY_CTX_free(pctx); - goto f_err; - } - - EVP_PKEY_CTX_free(pctx); - } else -#endif - { - SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, - ERR_R_INTERNAL_ERROR); - al = SSL_AD_UNSUPPORTED_CERTIFICATE; - goto f_err; - } - - - ret = 1; - if (0) { -truncated: - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, SSL_R_BAD_PACKET_LENGTH); -f_err: - ssl3_send_alert(s, SSL3_AL_FATAL, al); - } -end: - if (s->s3->handshake_buffer) { - BIO_free(s->s3->handshake_buffer); - s->s3->handshake_buffer = NULL; - s->s3->flags &= ~TLS1_FLAGS_KEEP_HANDSHAKE; - } - EVP_MD_CTX_cleanup(&mctx); - EVP_PKEY_free(pkey); - return (ret); -} - -int -ssl3_get_client_certificate(SSL *s) -{ - CBS cbs, client_certs; - int i, ok, al, ret = -1; - X509 *x = NULL; - long n; - const unsigned char *q; - STACK_OF(X509) *sk = NULL; - - n = s->method->ssl_get_message(s, SSL3_ST_SR_CERT_A, SSL3_ST_SR_CERT_B, - -1, s->max_cert_list, &ok); - - if (!ok) - return ((int)n); - - if (s->s3->tmp.message_type == SSL3_MT_CLIENT_KEY_EXCHANGE) { - if ((s->verify_mode & SSL_VERIFY_PEER) && - (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) { - SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, - SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE); - al = SSL_AD_HANDSHAKE_FAILURE; - goto f_err; - } - /* - * If tls asked for a client cert, - * the client must return a 0 list. - */ - if (s->s3->tmp.cert_request) { - SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, - SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST - ); - al = SSL_AD_UNEXPECTED_MESSAGE; - goto f_err; - } - s->s3->tmp.reuse_message = 1; - return (1); - } - - if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE) { - al = SSL_AD_UNEXPECTED_MESSAGE; - SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, - SSL_R_WRONG_MESSAGE_TYPE); - goto f_err; - } - - if (n < 0) - goto truncated; - - CBS_init(&cbs, s->init_msg, n); - - if ((sk = sk_X509_new_null()) == NULL) { - SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, - ERR_R_MALLOC_FAILURE); - goto err; - } - - if (!CBS_get_u24_length_prefixed(&cbs, &client_certs) || - CBS_len(&cbs) != 0) - goto truncated; - - while (CBS_len(&client_certs) > 0) { - CBS cert; - - if (!CBS_get_u24_length_prefixed(&client_certs, &cert)) { - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, - SSL_R_CERT_LENGTH_MISMATCH); - goto f_err; - } - - q = CBS_data(&cert); - x = d2i_X509(NULL, &q, CBS_len(&cert)); - if (x == NULL) { - SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, - ERR_R_ASN1_LIB); - goto err; - } - if (q != CBS_data(&cert) + CBS_len(&cert)) { - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, - SSL_R_CERT_LENGTH_MISMATCH); - goto f_err; - } - if (!sk_X509_push(sk, x)) { - SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, - ERR_R_MALLOC_FAILURE); - goto err; - } - x = NULL; - } - - if (sk_X509_num(sk) <= 0) { - /* - * TLS does not mind 0 certs returned. - * Fail for TLS only if we required a certificate. - */ - if ((s->verify_mode & SSL_VERIFY_PEER) && - (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) { - SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, - SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE); - al = SSL_AD_HANDSHAKE_FAILURE; - goto f_err; - } - /* No client certificate so digest cached records */ - if (s->s3->handshake_buffer && !tls1_digest_cached_records(s)) { - al = SSL_AD_INTERNAL_ERROR; - goto f_err; - } - } else { - i = ssl_verify_cert_chain(s, sk); - if (i <= 0) { - al = ssl_verify_alarm_type(s->verify_result); - SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, - SSL_R_NO_CERTIFICATE_RETURNED); - goto f_err; - } - } - - X509_free(s->session->peer); - s->session->peer = sk_X509_shift(sk); - s->session->verify_result = s->verify_result; - - /* - * With the current implementation, sess_cert will always be NULL - * when we arrive here - */ - if (s->session->sess_cert == NULL) { - s->session->sess_cert = ssl_sess_cert_new(); - if (s->session->sess_cert == NULL) { - SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, - ERR_R_MALLOC_FAILURE); - goto err; - } - } - if (s->session->sess_cert->cert_chain != NULL) - sk_X509_pop_free(s->session->sess_cert->cert_chain, X509_free); - s->session->sess_cert->cert_chain = sk; - - /* - * Inconsistency alert: cert_chain does *not* include the - * peer's own certificate, while we do include it in s3_clnt.c - */ - - sk = NULL; - - ret = 1; - if (0) { -truncated: - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, - SSL_R_BAD_PACKET_LENGTH); -f_err: - ssl3_send_alert(s, SSL3_AL_FATAL, al); - } -err: - X509_free(x); - if (sk != NULL) - sk_X509_pop_free(sk, X509_free); - return (ret); -} - -int -ssl3_send_server_certificate(SSL *s) -{ - unsigned long l; - X509 *x; - - if (s->state == SSL3_ST_SW_CERT_A) { - x = ssl_get_server_send_cert(s); - if (x == NULL) { - SSLerr(SSL_F_SSL3_SEND_SERVER_CERTIFICATE, - ERR_R_INTERNAL_ERROR); - return (0); - } - - l = ssl3_output_cert_chain(s, x); - s->state = SSL3_ST_SW_CERT_B; - s->init_num = (int)l; - s->init_off = 0; - } - - /* SSL3_ST_SW_CERT_B */ - return (ssl3_handshake_write(s)); -} - -/* send a new session ticket (not necessarily for a new session) */ -int -ssl3_send_newsession_ticket(SSL *s) -{ - if (s->state == SSL3_ST_SW_SESSION_TICKET_A) { - unsigned char *d, *p, *senc, *macstart; - const unsigned char *const_p; - int len, slen_full, slen; - SSL_SESSION *sess; - unsigned int hlen; - EVP_CIPHER_CTX ctx; - HMAC_CTX hctx; - SSL_CTX *tctx = s->initial_ctx; - unsigned char iv[EVP_MAX_IV_LENGTH]; - unsigned char key_name[16]; - - /* get session encoding length */ - slen_full = i2d_SSL_SESSION(s->session, NULL); - /* - * Some length values are 16 bits, so forget it if session is - * too long - */ - if (slen_full > 0xFF00) - return (-1); - senc = malloc(slen_full); - if (!senc) - return (-1); - p = senc; - i2d_SSL_SESSION(s->session, &p); - - /* - * Create a fresh copy (not shared with other threads) to - * clean up - */ - const_p = senc; - sess = d2i_SSL_SESSION(NULL, &const_p, slen_full); - if (sess == NULL) { - free(senc); - return (-1); - } - - /* ID is irrelevant for the ticket */ - sess->session_id_length = 0; - - slen = i2d_SSL_SESSION(sess, NULL); - if (slen > slen_full) { - /* shouldn't ever happen */ - free(senc); - return (-1); - } - p = senc; - i2d_SSL_SESSION(sess, &p); - SSL_SESSION_free(sess); - - /* - * Grow buffer if need be: the length calculation is as - * follows 1 (size of message name) + 3 (message length - * bytes) + 4 (ticket lifetime hint) + 2 (ticket length) + - * 16 (key name) + max_iv_len (iv length) + - * session_length + max_enc_block_size (max encrypted session - * length) + max_md_size (HMAC). - */ - if (!BUF_MEM_grow(s->init_buf, ssl3_handshake_msg_hdr_len(s) + - 22 + EVP_MAX_IV_LENGTH + EVP_MAX_BLOCK_LENGTH + - EVP_MAX_MD_SIZE + slen)) { - free(senc); - return (-1); - } - - d = p = ssl3_handshake_msg_start(s, SSL3_MT_NEWSESSION_TICKET); - - EVP_CIPHER_CTX_init(&ctx); - HMAC_CTX_init(&hctx); - - /* - * Initialize HMAC and cipher contexts. If callback present - * it does all the work otherwise use generated values - * from parent ctx. - */ - if (tctx->tlsext_ticket_key_cb) { - if (tctx->tlsext_ticket_key_cb(s, key_name, iv, &ctx, - &hctx, 1) < 0) { - free(senc); - EVP_CIPHER_CTX_cleanup(&ctx); - return (-1); - } - } else { - arc4random_buf(iv, 16); - EVP_EncryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL, - tctx->tlsext_tick_aes_key, iv); - HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16, - tlsext_tick_md(), NULL); - memcpy(key_name, tctx->tlsext_tick_key_name, 16); - } - - /* - * Ticket lifetime hint (advisory only): - * We leave this unspecified for resumed session - * (for simplicity), and guess that tickets for new - * sessions will live as long as their sessions. - */ - l2n(s->hit ? 0 : s->session->timeout, p); - - /* Skip ticket length for now */ - p += 2; - /* Output key name */ - macstart = p; - memcpy(p, key_name, 16); - p += 16; - /* output IV */ - memcpy(p, iv, EVP_CIPHER_CTX_iv_length(&ctx)); - p += EVP_CIPHER_CTX_iv_length(&ctx); - /* Encrypt session data */ - EVP_EncryptUpdate(&ctx, p, &len, senc, slen); - p += len; - EVP_EncryptFinal_ex(&ctx, p, &len); - p += len; - EVP_CIPHER_CTX_cleanup(&ctx); - - HMAC_Update(&hctx, macstart, p - macstart); - HMAC_Final(&hctx, p, &hlen); - HMAC_CTX_cleanup(&hctx); - p += hlen; - - /* Now write out lengths: p points to end of data written */ - /* Total length */ - len = p - d; - - /* Skip ticket lifetime hint. */ - p = d + 4; - s2n(len - 6, p); /* Message length */ - - ssl3_handshake_msg_finish(s, len); - - s->state = SSL3_ST_SW_SESSION_TICKET_B; - - free(senc); - } - - /* SSL3_ST_SW_SESSION_TICKET_B */ - return (ssl3_handshake_write(s)); -} - -int -ssl3_send_cert_status(SSL *s) -{ - unsigned char *p; - - if (s->state == SSL3_ST_SW_CERT_STATUS_A) { - /* - * Grow buffer if need be: the length calculation is as - * follows 1 (message type) + 3 (message length) + - * 1 (ocsp response type) + 3 (ocsp response length) - * + (ocsp response) - */ - if (!BUF_MEM_grow(s->init_buf, SSL3_HM_HEADER_LENGTH + 4 + - s->tlsext_ocsp_resplen)) - return (-1); - - p = ssl3_handshake_msg_start(s, SSL3_MT_CERTIFICATE_STATUS); - - *(p++) = s->tlsext_status_type; - l2n3(s->tlsext_ocsp_resplen, p); - memcpy(p, s->tlsext_ocsp_resp, s->tlsext_ocsp_resplen); - - ssl3_handshake_msg_finish(s, s->tlsext_ocsp_resplen + 4); - - s->state = SSL3_ST_SW_CERT_STATUS_B; - } - - /* SSL3_ST_SW_CERT_STATUS_B */ - return (ssl3_handshake_write(s)); -} - -/* - * ssl3_get_next_proto reads a Next Protocol Negotiation handshake message. - * It sets the next_proto member in s if found - */ -int -ssl3_get_next_proto(SSL *s) -{ - CBS cbs, proto, padding; - int ok; - long n; - size_t len; - - /* - * Clients cannot send a NextProtocol message if we didn't see the - * extension in their ClientHello - */ - if (!s->s3->next_proto_neg_seen) { - SSLerr(SSL_F_SSL3_GET_NEXT_PROTO, - SSL_R_GOT_NEXT_PROTO_WITHOUT_EXTENSION); - return (-1); - } - - /* 514 maxlen is enough for the payload format below */ - n = s->method->ssl_get_message(s, SSL3_ST_SR_NEXT_PROTO_A, - SSL3_ST_SR_NEXT_PROTO_B, SSL3_MT_NEXT_PROTO, 514, &ok); - if (!ok) - return ((int)n); - - /* - * s->state doesn't reflect whether ChangeCipherSpec has been received - * in this handshake, but s->s3->change_cipher_spec does (will be reset - * by ssl3_get_finished). - */ - if (!s->s3->change_cipher_spec) { - SSLerr(SSL_F_SSL3_GET_NEXT_PROTO, - SSL_R_GOT_NEXT_PROTO_BEFORE_A_CCS); - return (-1); - } - - if (n < 2) - return (0); - /* The body must be > 1 bytes long */ - - CBS_init(&cbs, s->init_msg, s->init_num); - - /* - * The payload looks like: - * uint8 proto_len; - * uint8 proto[proto_len]; - * uint8 padding_len; - * uint8 padding[padding_len]; - */ - if (!CBS_get_u8_length_prefixed(&cbs, &proto) || - !CBS_get_u8_length_prefixed(&cbs, &padding) || - CBS_len(&cbs) != 0) - return 0; - - /* - * XXX We should not NULL it, but this matches old behavior of not - * freeing before malloc. - */ - s->next_proto_negotiated = NULL; - s->next_proto_negotiated_len = 0; - - if (!CBS_stow(&proto, &s->next_proto_negotiated, &len)) { - SSLerr(SSL_F_SSL3_GET_NEXT_PROTO, - ERR_R_MALLOC_FAILURE); - return (0); - } - s->next_proto_negotiated_len = (uint8_t)len; - - return (1); -} diff --git a/lib/libssl/src/ssl/srtp.h b/lib/libssl/src/ssl/srtp.h deleted file mode 100644 index 6daa02a791c..00000000000 --- a/lib/libssl/src/ssl/srtp.h +++ /dev/null @@ -1,142 +0,0 @@ -/* $OpenBSD: srtp.h,v 1.6 2015/09/01 15:18:23 jsing Exp $ */ -/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) - * All rights reserved. - * - * This package is an SSL implementation written - * by Eric Young (eay@cryptsoft.com). - * The implementation was written so as to conform with Netscapes SSL. - * - * This library is free for commercial and non-commercial use as long as - * the following conditions are aheared to. The following conditions - * apply to all code found in this distribution, be it the RC4, RSA, - * lhash, DES, etc., code; not just the SSL code. The SSL documentation - * included with this distribution is covered by the same copyright terms - * except that the holder is Tim Hudson (tjh@cryptsoft.com). - * - * Copyright remains Eric Young's, and as such any Copyright notices in - * the code are not to be removed. - * If this package is used in a product, Eric Young should be given attribution - * as the author of the parts of the library used. - * This can be in the form of a textual message at program startup or - * in documentation (online or textual) provided with the package. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * "This product includes cryptographic software written by - * Eric Young (eay@cryptsoft.com)" - * The word 'cryptographic' can be left out if the rouines from the library - * being used are not cryptographic related :-). - * 4. If you include any Windows specific code (or a derivative thereof) from - * the apps directory (application code) you must include an acknowledgement: - * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" - * - * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * The licence and distribution terms for any publically available version or - * derivative of this code cannot be changed. i.e. this code cannot simply be - * copied and put under another distribution licence - * [including the GNU Public Licence.] - */ -/* ==================================================================== - * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * openssl-core@openssl.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.openssl.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ -/* - * DTLS code by Eric Rescorla <ekr@rtfm.com> - * - * Copyright (C) 2006, Network Resonance, Inc. - * Copyright (C) 2011, RTFM, Inc. - */ - -#ifndef HEADER_D1_SRTP_H -#define HEADER_D1_SRTP_H - -#ifdef __cplusplus -extern "C" { -#endif - -#define SRTP_AES128_CM_SHA1_80 0x0001 -#define SRTP_AES128_CM_SHA1_32 0x0002 -#define SRTP_AES128_F8_SHA1_80 0x0003 -#define SRTP_AES128_F8_SHA1_32 0x0004 -#define SRTP_NULL_SHA1_80 0x0005 -#define SRTP_NULL_SHA1_32 0x0006 - -int SSL_CTX_set_tlsext_use_srtp(SSL_CTX *ctx, const char *profiles); -int SSL_set_tlsext_use_srtp(SSL *ctx, const char *profiles); - -STACK_OF(SRTP_PROTECTION_PROFILE) *SSL_get_srtp_profiles(SSL *ssl); -SRTP_PROTECTION_PROFILE *SSL_get_selected_srtp_profile(SSL *s); - -#ifdef __cplusplus -} -#endif - -#endif diff --git a/lib/libssl/src/ssl/ssl.h b/lib/libssl/src/ssl/ssl.h deleted file mode 100644 index 58493fa988f..00000000000 --- a/lib/libssl/src/ssl/ssl.h +++ /dev/null @@ -1,2382 +0,0 @@ -/* $OpenBSD: ssl.h,v 1.96 2015/10/25 16:07:04 doug Exp $ */ -/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) - * All rights reserved. - * - * This package is an SSL implementation written - * by Eric Young (eay@cryptsoft.com). - * The implementation was written so as to conform with Netscapes SSL. - * - * This library is free for commercial and non-commercial use as long as - * the following conditions are aheared to. The following conditions - * apply to all code found in this distribution, be it the RC4, RSA, - * lhash, DES, etc., code; not just the SSL code. The SSL documentation - * included with this distribution is covered by the same copyright terms - * except that the holder is Tim Hudson (tjh@cryptsoft.com). - * - * Copyright remains Eric Young's, and as such any Copyright notices in - * the code are not to be removed. - * If this package is used in a product, Eric Young should be given attribution - * as the author of the parts of the library used. - * This can be in the form of a textual message at program startup or - * in documentation (online or textual) provided with the package. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * "This product includes cryptographic software written by - * Eric Young (eay@cryptsoft.com)" - * The word 'cryptographic' can be left out if the rouines from the library - * being used are not cryptographic related :-). - * 4. If you include any Windows specific code (or a derivative thereof) from - * the apps directory (application code) you must include an acknowledgement: - * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" - * - * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * The licence and distribution terms for any publically available version or - * derivative of this code cannot be changed. i.e. this code cannot simply be - * copied and put under another distribution licence - * [including the GNU Public Licence.] - */ -/* ==================================================================== - * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * openssl-core@openssl.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.openssl.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ -/* ==================================================================== - * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. - * ECC cipher suite support in OpenSSL originally developed by - * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project. - */ -/* ==================================================================== - * Copyright 2005 Nokia. All rights reserved. - * - * The portions of the attached software ("Contribution") is developed by - * Nokia Corporation and is licensed pursuant to the OpenSSL open source - * license. - * - * The Contribution, originally written by Mika Kousa and Pasi Eronen of - * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites - * support (see RFC 4279) to OpenSSL. - * - * No patent licenses or other rights except those expressly stated in - * the OpenSSL open source license shall be deemed granted or received - * expressly, by implication, estoppel, or otherwise. - * - * No assurances are provided by Nokia that the Contribution does not - * infringe the patent or other intellectual property rights of any third - * party or that the license provides you with all the necessary rights - * to make use of the Contribution. - * - * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN - * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA - * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY - * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR - * OTHERWISE. - */ - -#ifndef HEADER_SSL_H -#define HEADER_SSL_H - -#include <stdint.h> - -#include <openssl/opensslconf.h> -#include <openssl/hmac.h> -#include <openssl/pem.h> -#include <openssl/safestack.h> - -#ifndef OPENSSL_NO_BIO -#include <openssl/bio.h> -#endif - -#ifndef OPENSSL_NO_DEPRECATED -#include <openssl/buffer.h> -#include <openssl/crypto.h> -#include <openssl/lhash.h> - -#ifndef OPENSSL_NO_X509 -#include <openssl/x509.h> -#endif -#endif - -#ifdef __cplusplus -extern "C" { -#endif - -/* SSLeay version number for ASN.1 encoding of the session information */ -/* Version 0 - initial version - * Version 1 - added the optional peer certificate - */ -#define SSL_SESSION_ASN1_VERSION 0x0001 - -/* text strings for the ciphers */ -#define SSL_TXT_NULL_WITH_MD5 SSL2_TXT_NULL_WITH_MD5 -#define SSL_TXT_RC4_128_WITH_MD5 SSL2_TXT_RC4_128_WITH_MD5 -#define SSL_TXT_RC4_128_EXPORT40_WITH_MD5 SSL2_TXT_RC4_128_EXPORT40_WITH_MD5 -#define SSL_TXT_RC2_128_CBC_WITH_MD5 SSL2_TXT_RC2_128_CBC_WITH_MD5 -#define SSL_TXT_RC2_128_CBC_EXPORT40_WITH_MD5 SSL2_TXT_RC2_128_CBC_EXPORT40_WITH_MD5 -#define SSL_TXT_IDEA_128_CBC_WITH_MD5 SSL2_TXT_IDEA_128_CBC_WITH_MD5 -#define SSL_TXT_DES_64_CBC_WITH_MD5 SSL2_TXT_DES_64_CBC_WITH_MD5 -#define SSL_TXT_DES_64_CBC_WITH_SHA SSL2_TXT_DES_64_CBC_WITH_SHA -#define SSL_TXT_DES_192_EDE3_CBC_WITH_MD5 SSL2_TXT_DES_192_EDE3_CBC_WITH_MD5 -#define SSL_TXT_DES_192_EDE3_CBC_WITH_SHA SSL2_TXT_DES_192_EDE3_CBC_WITH_SHA - -/* VRS Additional Kerberos5 entries - */ -#define SSL_TXT_KRB5_DES_64_CBC_SHA SSL3_TXT_KRB5_DES_64_CBC_SHA -#define SSL_TXT_KRB5_DES_192_CBC3_SHA SSL3_TXT_KRB5_DES_192_CBC3_SHA -#define SSL_TXT_KRB5_RC4_128_SHA SSL3_TXT_KRB5_RC4_128_SHA -#define SSL_TXT_KRB5_IDEA_128_CBC_SHA SSL3_TXT_KRB5_IDEA_128_CBC_SHA -#define SSL_TXT_KRB5_DES_64_CBC_MD5 SSL3_TXT_KRB5_DES_64_CBC_MD5 -#define SSL_TXT_KRB5_DES_192_CBC3_MD5 SSL3_TXT_KRB5_DES_192_CBC3_MD5 -#define SSL_TXT_KRB5_RC4_128_MD5 SSL3_TXT_KRB5_RC4_128_MD5 -#define SSL_TXT_KRB5_IDEA_128_CBC_MD5 SSL3_TXT_KRB5_IDEA_128_CBC_MD5 - -#define SSL_TXT_KRB5_DES_40_CBC_SHA SSL3_TXT_KRB5_DES_40_CBC_SHA -#define SSL_TXT_KRB5_RC2_40_CBC_SHA SSL3_TXT_KRB5_RC2_40_CBC_SHA -#define SSL_TXT_KRB5_RC4_40_SHA SSL3_TXT_KRB5_RC4_40_SHA -#define SSL_TXT_KRB5_DES_40_CBC_MD5 SSL3_TXT_KRB5_DES_40_CBC_MD5 -#define SSL_TXT_KRB5_RC2_40_CBC_MD5 SSL3_TXT_KRB5_RC2_40_CBC_MD5 -#define SSL_TXT_KRB5_RC4_40_MD5 SSL3_TXT_KRB5_RC4_40_MD5 - -#define SSL_TXT_KRB5_DES_40_CBC_SHA SSL3_TXT_KRB5_DES_40_CBC_SHA -#define SSL_TXT_KRB5_DES_40_CBC_MD5 SSL3_TXT_KRB5_DES_40_CBC_MD5 -#define SSL_TXT_KRB5_DES_64_CBC_SHA SSL3_TXT_KRB5_DES_64_CBC_SHA -#define SSL_TXT_KRB5_DES_64_CBC_MD5 SSL3_TXT_KRB5_DES_64_CBC_MD5 -#define SSL_TXT_KRB5_DES_192_CBC3_SHA SSL3_TXT_KRB5_DES_192_CBC3_SHA -#define SSL_TXT_KRB5_DES_192_CBC3_MD5 SSL3_TXT_KRB5_DES_192_CBC3_MD5 -#define SSL_MAX_KRB5_PRINCIPAL_LENGTH 256 - -#define SSL_MAX_SSL_SESSION_ID_LENGTH 32 -#define SSL_MAX_SID_CTX_LENGTH 32 - -#define SSL_MIN_RSA_MODULUS_LENGTH_IN_BYTES (512/8) -#define SSL_MAX_KEY_ARG_LENGTH 8 -#define SSL_MAX_MASTER_KEY_LENGTH 48 - - -/* These are used to specify which ciphers to use and not to use */ - -#define SSL_TXT_LOW "LOW" -#define SSL_TXT_MEDIUM "MEDIUM" -#define SSL_TXT_HIGH "HIGH" - -#define SSL_TXT_kFZA "kFZA" /* unused! */ -#define SSL_TXT_aFZA "aFZA" /* unused! */ -#define SSL_TXT_eFZA "eFZA" /* unused! */ -#define SSL_TXT_FZA "FZA" /* unused! */ - -#define SSL_TXT_aNULL "aNULL" -#define SSL_TXT_eNULL "eNULL" -#define SSL_TXT_NULL "NULL" - -#define SSL_TXT_kRSA "kRSA" -#define SSL_TXT_kDHr "kDHr" /* no such ciphersuites supported! */ -#define SSL_TXT_kDHd "kDHd" /* no such ciphersuites supported! */ -#define SSL_TXT_kDH "kDH" /* no such ciphersuites supported! */ -#define SSL_TXT_kEDH "kEDH" -#define SSL_TXT_kKRB5 "kKRB5" -#define SSL_TXT_kECDHr "kECDHr" -#define SSL_TXT_kECDHe "kECDHe" -#define SSL_TXT_kECDH "kECDH" -#define SSL_TXT_kEECDH "kEECDH" -#define SSL_TXT_kPSK "kPSK" -#define SSL_TXT_kGOST "kGOST" -#define SSL_TXT_kSRP "kSRP" - -#define SSL_TXT_aRSA "aRSA" -#define SSL_TXT_aDSS "aDSS" -#define SSL_TXT_aDH "aDH" /* no such ciphersuites supported! */ -#define SSL_TXT_aECDH "aECDH" -#define SSL_TXT_aKRB5 "aKRB5" -#define SSL_TXT_aECDSA "aECDSA" -#define SSL_TXT_aPSK "aPSK" -#define SSL_TXT_aGOST94 "aGOST94" -#define SSL_TXT_aGOST01 "aGOST01" -#define SSL_TXT_aGOST "aGOST" - -#define SSL_TXT_DSS "DSS" -#define SSL_TXT_DH "DH" -#define SSL_TXT_DHE "DHE" /* same as "kDHE:-ADH" */ -#define SSL_TXT_EDH "EDH" /* previous name for DHE */ -#define SSL_TXT_ADH "ADH" -#define SSL_TXT_RSA "RSA" -#define SSL_TXT_ECDH "ECDH" -#define SSL_TXT_ECDHE "ECDHE" /* same as "kECDHE:-AECDH" */ -#define SSL_TXT_EECDH "EECDH" /* previous name for ECDHE */ -#define SSL_TXT_AECDH "AECDH" -#define SSL_TXT_ECDSA "ECDSA" -#define SSL_TXT_KRB5 "KRB5" -#define SSL_TXT_PSK "PSK" -#define SSL_TXT_SRP "SRP" - -#define SSL_TXT_DES "DES" -#define SSL_TXT_3DES "3DES" -#define SSL_TXT_RC4 "RC4" -#define SSL_TXT_RC2 "RC2" -#define SSL_TXT_IDEA "IDEA" -#define SSL_TXT_SEED "SEED" -#define SSL_TXT_AES128 "AES128" -#define SSL_TXT_AES256 "AES256" -#define SSL_TXT_AES "AES" -#define SSL_TXT_AES_GCM "AESGCM" -#define SSL_TXT_CAMELLIA128 "CAMELLIA128" -#define SSL_TXT_CAMELLIA256 "CAMELLIA256" -#define SSL_TXT_CAMELLIA "CAMELLIA" -#define SSL_TXT_CHACHA20 "CHACHA20" - -#define SSL_TXT_AEAD "AEAD" -#define SSL_TXT_MD5 "MD5" -#define SSL_TXT_SHA1 "SHA1" -#define SSL_TXT_SHA "SHA" /* same as "SHA1" */ -#define SSL_TXT_GOST94 "GOST94" -#define SSL_TXT_GOST89MAC "GOST89MAC" -#define SSL_TXT_SHA256 "SHA256" -#define SSL_TXT_SHA384 "SHA384" -#define SSL_TXT_STREEBOG256 "STREEBOG256" -#define SSL_TXT_STREEBOG512 "STREEBOG512" - -#define SSL_TXT_DTLS1 "DTLSv1" -#define SSL_TXT_SSLV2 "SSLv2" -#define SSL_TXT_SSLV3 "SSLv3" -#define SSL_TXT_TLSV1 "TLSv1" -#define SSL_TXT_TLSV1_1 "TLSv1.1" -#define SSL_TXT_TLSV1_2 "TLSv1.2" - -#define SSL_TXT_EXP "EXP" -#define SSL_TXT_EXPORT "EXPORT" - -#define SSL_TXT_ALL "ALL" - -/* - * COMPLEMENTOF* definitions. These identifiers are used to (de-select) - * ciphers normally not being used. - * Example: "RC4" will activate all ciphers using RC4 including ciphers - * without authentication, which would normally disabled by DEFAULT (due - * the "!ADH" being part of default). Therefore "RC4:!COMPLEMENTOFDEFAULT" - * will make sure that it is also disabled in the specific selection. - * COMPLEMENTOF* identifiers are portable between version, as adjustments - * to the default cipher setup will also be included here. - * - * COMPLEMENTOFDEFAULT does not experience the same special treatment that - * DEFAULT gets, as only selection is being done and no sorting as needed - * for DEFAULT. - */ -#define SSL_TXT_CMPALL "COMPLEMENTOFALL" -#define SSL_TXT_CMPDEF "COMPLEMENTOFDEFAULT" - -/* The following cipher list is used by default. - * It also is substituted when an application-defined cipher list string - * starts with 'DEFAULT'. */ -#define SSL_DEFAULT_CIPHER_LIST "ALL:!aNULL:!eNULL:!SSLv2" -/* As of OpenSSL 1.0.0, ssl_create_cipher_list() in ssl/ssl_ciph.c always - * starts with a reasonable order, and all we have to do for DEFAULT is - * throwing out anonymous and unencrypted ciphersuites! - * (The latter are not actually enabled by ALL, but "ALL:RSA" would enable - * some of them.) - */ - -/* Used in SSL_set_shutdown()/SSL_get_shutdown(); */ -#define SSL_SENT_SHUTDOWN 1 -#define SSL_RECEIVED_SHUTDOWN 2 - - -#define SSL_FILETYPE_ASN1 X509_FILETYPE_ASN1 -#define SSL_FILETYPE_PEM X509_FILETYPE_PEM - -/* This is needed to stop compilers complaining about the - * 'struct ssl_st *' function parameters used to prototype callbacks - * in SSL_CTX. */ -typedef struct ssl_st *ssl_crock_st; -typedef struct tls_session_ticket_ext_st TLS_SESSION_TICKET_EXT; -typedef struct ssl_method_st SSL_METHOD; -typedef struct ssl_cipher_st SSL_CIPHER; -typedef struct ssl_session_st SSL_SESSION; - -DECLARE_STACK_OF(SSL_CIPHER) - -/* SRTP protection profiles for use with the use_srtp extension (RFC 5764)*/ -typedef struct srtp_protection_profile_st { - const char *name; - unsigned long id; -} SRTP_PROTECTION_PROFILE; - -DECLARE_STACK_OF(SRTP_PROTECTION_PROFILE) - -typedef int (*tls_session_ticket_ext_cb_fn)(SSL *s, const unsigned char *data, - int len, void *arg); -typedef int (*tls_session_secret_cb_fn)(SSL *s, void *secret, int *secret_len, - STACK_OF(SSL_CIPHER) *peer_ciphers, SSL_CIPHER **cipher, void *arg); - -#ifndef OPENSSL_NO_SSL_INTERN - -/* used to hold info on the particular ciphers used */ -struct ssl_cipher_st { - int valid; - const char *name; /* text name */ - unsigned long id; /* id, 4 bytes, first is version */ - - unsigned long algorithm_mkey; /* key exchange algorithm */ - unsigned long algorithm_auth; /* server authentication */ - unsigned long algorithm_enc; /* symmetric encryption */ - unsigned long algorithm_mac; /* symmetric authentication */ - unsigned long algorithm_ssl; /* (major) protocol version */ - - unsigned long algo_strength; /* strength and export flags */ - unsigned long algorithm2; /* Extra flags */ - int strength_bits; /* Number of bits really used */ - int alg_bits; /* Number of bits for algorithm */ -}; - - -/* Used to hold functions for SSLv3/TLSv1 functions */ -struct ssl_method_st { - int version; - int (*ssl_new)(SSL *s); - void (*ssl_clear)(SSL *s); - void (*ssl_free)(SSL *s); - int (*ssl_accept)(SSL *s); - int (*ssl_connect)(SSL *s); - int (*ssl_read)(SSL *s, void *buf, int len); - int (*ssl_peek)(SSL *s, void *buf, int len); - int (*ssl_write)(SSL *s, const void *buf, int len); - int (*ssl_shutdown)(SSL *s); - int (*ssl_renegotiate)(SSL *s); - int (*ssl_renegotiate_check)(SSL *s); - long (*ssl_get_message)(SSL *s, int st1, int stn, int mt, - long max, int *ok); - int (*ssl_read_bytes)(SSL *s, int type, unsigned char *buf, - int len, int peek); - int (*ssl_write_bytes)(SSL *s, int type, const void *buf_, int len); - int (*ssl_dispatch_alert)(SSL *s); - long (*ssl_ctrl)(SSL *s, int cmd, long larg, void *parg); - long (*ssl_ctx_ctrl)(SSL_CTX *ctx, int cmd, long larg, void *parg); - const SSL_CIPHER *(*get_cipher_by_char)(const unsigned char *ptr); - int (*put_cipher_by_char)(const SSL_CIPHER *cipher, unsigned char *ptr); - int (*ssl_pending)(const SSL *s); - int (*num_ciphers)(void); - const SSL_CIPHER *(*get_cipher)(unsigned ncipher); - const struct ssl_method_st *(*get_ssl_method)(int version); - long (*get_timeout)(void); - struct ssl3_enc_method *ssl3_enc; /* Extra SSLv3/TLS stuff */ - int (*ssl_version)(void); - long (*ssl_callback_ctrl)(SSL *s, int cb_id, void (*fp)(void)); - long (*ssl_ctx_callback_ctrl)(SSL_CTX *s, int cb_id, void (*fp)(void)); -}; - -/* Lets make this into an ASN.1 type structure as follows - * SSL_SESSION_ID ::= SEQUENCE { - * version INTEGER, -- structure version number - * SSLversion INTEGER, -- SSL version number - * Cipher OCTET STRING, -- the 3 byte cipher ID - * Session_ID OCTET STRING, -- the Session ID - * Master_key OCTET STRING, -- the master key - * KRB5_principal OCTET STRING -- optional Kerberos principal - * Time [ 1 ] EXPLICIT INTEGER, -- optional Start Time - * Timeout [ 2 ] EXPLICIT INTEGER, -- optional Timeout ins seconds - * Peer [ 3 ] EXPLICIT X509, -- optional Peer Certificate - * Session_ID_context [ 4 ] EXPLICIT OCTET STRING, -- the Session ID context - * Verify_result [ 5 ] EXPLICIT INTEGER, -- X509_V_... code for `Peer' - * HostName [ 6 ] EXPLICIT OCTET STRING, -- optional HostName from servername TLS extension - * PSK_identity_hint [ 7 ] EXPLICIT OCTET STRING, -- optional PSK identity hint - * PSK_identity [ 8 ] EXPLICIT OCTET STRING, -- optional PSK identity - * Ticket_lifetime_hint [9] EXPLICIT INTEGER, -- server's lifetime hint for session ticket - * Ticket [10] EXPLICIT OCTET STRING, -- session ticket (clients only) - * Compression_meth [11] EXPLICIT OCTET STRING, -- optional compression method - * SRP_username [ 12 ] EXPLICIT OCTET STRING -- optional SRP username - * } - * Look in ssl/ssl_asn1.c for more details - * I'm using EXPLICIT tags so I can read the damn things using asn1parse :-). - */ -struct ssl_session_st { - int ssl_version; /* what ssl version session info is - * being kept in here? */ - - int master_key_length; - unsigned char master_key[SSL_MAX_MASTER_KEY_LENGTH]; - /* session_id - valid? */ - unsigned int session_id_length; - unsigned char session_id[SSL_MAX_SSL_SESSION_ID_LENGTH]; - /* this is used to determine whether the session is being reused in - * the appropriate context. It is up to the application to set this, - * via SSL_new */ - unsigned int sid_ctx_length; - unsigned char sid_ctx[SSL_MAX_SID_CTX_LENGTH]; - - /* Used to indicate that session resumption is not allowed. - * Applications can also set this bit for a new session via - * not_resumable_session_cb to disable session caching and tickets. */ - int not_resumable; - - /* The cert is the certificate used to establish this connection */ - struct sess_cert_st /* SESS_CERT */ *sess_cert; - - /* This is the cert for the other end. - * On clients, it will be the same as sess_cert->peer_key->x509 - * (the latter is not enough as sess_cert is not retained - * in the external representation of sessions, see ssl_asn1.c). */ - X509 *peer; - /* when app_verify_callback accepts a session where the peer's certificate - * is not ok, we must remember the error for session reuse: */ - long verify_result; /* only for servers */ - - long timeout; - time_t time; - int references; - - const SSL_CIPHER *cipher; - unsigned long cipher_id; /* when ASN.1 loaded, this - * needs to be used to load - * the 'cipher' structure */ - - STACK_OF(SSL_CIPHER) *ciphers; /* shared ciphers? */ - - CRYPTO_EX_DATA ex_data; /* application specific data */ - - /* These are used to make removal of session-ids more - * efficient and to implement a maximum cache size. */ - struct ssl_session_st *prev, *next; - char *tlsext_hostname; - size_t tlsext_ecpointformatlist_length; - uint8_t *tlsext_ecpointformatlist; /* peer's list */ - size_t tlsext_ellipticcurvelist_length; - uint16_t *tlsext_ellipticcurvelist; /* peer's list */ - - /* RFC4507 info */ - unsigned char *tlsext_tick; /* Session ticket */ - size_t tlsext_ticklen; /* Session ticket length */ - long tlsext_tick_lifetime_hint; /* Session lifetime hint in seconds */ -}; - -#endif - -/* Allow initial connection to servers that don't support RI */ -#define SSL_OP_LEGACY_SERVER_CONNECT 0x00000004L -#define SSL_OP_TLSEXT_PADDING 0x00000010L - -/* Disable SSL 3.0/TLS 1.0 CBC vulnerability workaround that was added - * in OpenSSL 0.9.6d. Usually (depending on the application protocol) - * the workaround is not needed. - * Unfortunately some broken SSL/TLS implementations cannot handle it - * at all, which is why it was previously included in SSL_OP_ALL. - * Now it's not. - */ -#define SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS 0x00000800L - -/* DTLS options */ -#define SSL_OP_NO_QUERY_MTU 0x00001000L -/* Turn on Cookie Exchange (on relevant for servers) */ -#define SSL_OP_COOKIE_EXCHANGE 0x00002000L -/* Don't use RFC4507 ticket extension */ -#define SSL_OP_NO_TICKET 0x00004000L - -/* As server, disallow session resumption on renegotiation */ -#define SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION 0x00010000L -/* If set, always create a new key when using tmp_ecdh parameters */ -#define SSL_OP_SINGLE_ECDH_USE 0x00080000L -/* If set, always create a new key when using tmp_dh parameters */ -#define SSL_OP_SINGLE_DH_USE 0x00100000L -/* Set on servers to choose the cipher according to the server's - * preferences */ -#define SSL_OP_CIPHER_SERVER_PREFERENCE 0x00400000L -/* If set, a server will allow a client to issue a SSLv3.0 version number - * as latest version supported in the premaster secret, even when TLSv1.0 - * (version 3.1) was announced in the client hello. Normally this is - * forbidden to prevent version rollback attacks. */ -#define SSL_OP_TLS_ROLLBACK_BUG 0x00800000L - -#define SSL_OP_NO_TLSv1 0x04000000L -#define SSL_OP_NO_TLSv1_2 0x08000000L -#define SSL_OP_NO_TLSv1_1 0x10000000L - -/* Make server add server-hello extension from early version of - * cryptopro draft, when GOST ciphersuite is negotiated. - * Required for interoperability with CryptoPro CSP 3.x - */ -#define SSL_OP_CRYPTOPRO_TLSEXT_BUG 0x80000000L - -/* SSL_OP_ALL: various bug workarounds that should be rather harmless. */ -#define SSL_OP_ALL \ - (SSL_OP_LEGACY_SERVER_CONNECT | \ - SSL_OP_TLSEXT_PADDING | \ - SSL_OP_CRYPTOPRO_TLSEXT_BUG) - -/* Obsolete flags kept for compatibility. No sane code should use them. */ -#define SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION 0x0 -#define SSL_OP_CISCO_ANYCONNECT 0x0 -#define SSL_OP_EPHEMERAL_RSA 0x0 -#define SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER 0x0 -#define SSL_OP_MICROSOFT_SESS_ID_BUG 0x0 -#define SSL_OP_MSIE_SSLV2_RSA_PADDING 0x0 -#define SSL_OP_NETSCAPE_CA_DN_BUG 0x0 -#define SSL_OP_NETSCAPE_CHALLENGE_BUG 0x0 -#define SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG 0x0 -#define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG 0x0 -#define SSL_OP_NO_COMPRESSION 0x0 -#define SSL_OP_NO_SSLv2 0x0 -#define SSL_OP_NO_SSLv3 0x0 -#define SSL_OP_PKCS1_CHECK_1 0x0 -#define SSL_OP_PKCS1_CHECK_2 0x0 -#define SSL_OP_SAFARI_ECDHE_ECDSA_BUG 0x0 -#define SSL_OP_SSLEAY_080_CLIENT_DH_BUG 0x0 -#define SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG 0x0 -#define SSL_OP_TLS_BLOCK_PADDING_BUG 0x0 -#define SSL_OP_TLS_D5_BUG 0x0 - -/* Allow SSL_write(..., n) to return r with 0 < r < n (i.e. report success - * when just a single record has been written): */ -#define SSL_MODE_ENABLE_PARTIAL_WRITE 0x00000001L -/* Make it possible to retry SSL_write() with changed buffer location - * (buffer contents must stay the same!); this is not the default to avoid - * the misconception that non-blocking SSL_write() behaves like - * non-blocking write(): */ -#define SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER 0x00000002L -/* Never bother the application with retries if the transport - * is blocking: */ -#define SSL_MODE_AUTO_RETRY 0x00000004L -/* Don't attempt to automatically build certificate chain */ -#define SSL_MODE_NO_AUTO_CHAIN 0x00000008L -/* Save RAM by releasing read and write buffers when they're empty. (SSL3 and - * TLS only.) "Released" buffers are put onto a free-list in the context - * or just freed (depending on the context's setting for freelist_max_len). */ -#define SSL_MODE_RELEASE_BUFFERS 0x00000010L - -/* Note: SSL[_CTX]_set_{options,mode} use |= op on the previous value, - * they cannot be used to clear bits. */ - -#define SSL_CTX_set_options(ctx,op) \ - SSL_CTX_ctrl((ctx),SSL_CTRL_OPTIONS,(op),NULL) -#define SSL_CTX_clear_options(ctx,op) \ - SSL_CTX_ctrl((ctx),SSL_CTRL_CLEAR_OPTIONS,(op),NULL) -#define SSL_CTX_get_options(ctx) \ - SSL_CTX_ctrl((ctx),SSL_CTRL_OPTIONS,0,NULL) -#define SSL_set_options(ssl,op) \ - SSL_ctrl((ssl),SSL_CTRL_OPTIONS,(op),NULL) -#define SSL_clear_options(ssl,op) \ - SSL_ctrl((ssl),SSL_CTRL_CLEAR_OPTIONS,(op),NULL) -#define SSL_get_options(ssl) \ - SSL_ctrl((ssl),SSL_CTRL_OPTIONS,0,NULL) - -#define SSL_CTX_set_mode(ctx,op) \ - SSL_CTX_ctrl((ctx),SSL_CTRL_MODE,(op),NULL) -#define SSL_CTX_clear_mode(ctx,op) \ - SSL_CTX_ctrl((ctx),SSL_CTRL_CLEAR_MODE,(op),NULL) -#define SSL_CTX_get_mode(ctx) \ - SSL_CTX_ctrl((ctx),SSL_CTRL_MODE,0,NULL) -#define SSL_clear_mode(ssl,op) \ - SSL_ctrl((ssl),SSL_CTRL_CLEAR_MODE,(op),NULL) -#define SSL_set_mode(ssl,op) \ - SSL_ctrl((ssl),SSL_CTRL_MODE,(op),NULL) -#define SSL_get_mode(ssl) \ - SSL_ctrl((ssl),SSL_CTRL_MODE,0,NULL) -#define SSL_set_mtu(ssl, mtu) \ - SSL_ctrl((ssl),SSL_CTRL_SET_MTU,(mtu),NULL) - -#define SSL_get_secure_renegotiation_support(ssl) \ - SSL_ctrl((ssl), SSL_CTRL_GET_RI_SUPPORT, 0, NULL) - -void SSL_CTX_set_msg_callback(SSL_CTX *ctx, void (*cb)(int write_p, - int version, int content_type, const void *buf, size_t len, SSL *ssl, - void *arg)); -void SSL_set_msg_callback(SSL *ssl, void (*cb)(int write_p, int version, - int content_type, const void *buf, size_t len, SSL *ssl, void *arg)); -#define SSL_CTX_set_msg_callback_arg(ctx, arg) SSL_CTX_ctrl((ctx), SSL_CTRL_SET_MSG_CALLBACK_ARG, 0, (arg)) -#define SSL_set_msg_callback_arg(ssl, arg) SSL_ctrl((ssl), SSL_CTRL_SET_MSG_CALLBACK_ARG, 0, (arg)) - -struct ssl_aead_ctx_st; -typedef struct ssl_aead_ctx_st SSL_AEAD_CTX; - -#define SSL_MAX_CERT_LIST_DEFAULT 1024*100 /* 100k max cert list :-) */ - -#define SSL_SESSION_CACHE_MAX_SIZE_DEFAULT (1024*20) - -/* This callback type is used inside SSL_CTX, SSL, and in the functions that set - * them. It is used to override the generation of SSL/TLS session IDs in a - * server. Return value should be zero on an error, non-zero to proceed. Also, - * callbacks should themselves check if the id they generate is unique otherwise - * the SSL handshake will fail with an error - callbacks can do this using the - * 'ssl' value they're passed by; - * SSL_has_matching_session_id(ssl, id, *id_len) - * The length value passed in is set at the maximum size the session ID can be. - * In SSLv2 this is 16 bytes, whereas SSLv3/TLSv1 it is 32 bytes. The callback - * can alter this length to be less if desired, but under SSLv2 session IDs are - * supposed to be fixed at 16 bytes so the id will be padded after the callback - * returns in this case. It is also an error for the callback to set the size to - * zero. */ -typedef int (*GEN_SESSION_CB)(const SSL *ssl, unsigned char *id, - unsigned int *id_len); - -typedef struct ssl_comp_st SSL_COMP; - -#ifndef OPENSSL_NO_SSL_INTERN - -struct ssl_comp_st { - int id; - const char *name; -}; - -DECLARE_STACK_OF(SSL_COMP) -DECLARE_LHASH_OF(SSL_SESSION); - -struct ssl_ctx_st { - const SSL_METHOD *method; - - STACK_OF(SSL_CIPHER) *cipher_list; - /* same as above but sorted for lookup */ - STACK_OF(SSL_CIPHER) *cipher_list_by_id; - - struct x509_store_st /* X509_STORE */ *cert_store; - LHASH_OF(SSL_SESSION) *sessions; - /* Most session-ids that will be cached, default is - * SSL_SESSION_CACHE_MAX_SIZE_DEFAULT. 0 is unlimited. */ - unsigned long session_cache_size; - struct ssl_session_st *session_cache_head; - struct ssl_session_st *session_cache_tail; - - /* This can have one of 2 values, ored together, - * SSL_SESS_CACHE_CLIENT, - * SSL_SESS_CACHE_SERVER, - * Default is SSL_SESSION_CACHE_SERVER, which means only - * SSL_accept which cache SSL_SESSIONS. */ - int session_cache_mode; - - /* If timeout is not 0, it is the default timeout value set - * when SSL_new() is called. This has been put in to make - * life easier to set things up */ - long session_timeout; - - /* If this callback is not null, it will be called each - * time a session id is added to the cache. If this function - * returns 1, it means that the callback will do a - * SSL_SESSION_free() when it has finished using it. Otherwise, - * on 0, it means the callback has finished with it. - * If remove_session_cb is not null, it will be called when - * a session-id is removed from the cache. After the call, - * OpenSSL will SSL_SESSION_free() it. */ - int (*new_session_cb)(struct ssl_st *ssl, SSL_SESSION *sess); - void (*remove_session_cb)(struct ssl_ctx_st *ctx, SSL_SESSION *sess); - SSL_SESSION *(*get_session_cb)(struct ssl_st *ssl, - unsigned char *data, int len, int *copy); - - struct { - int sess_connect; /* SSL new conn - started */ - int sess_connect_renegotiate;/* SSL reneg - requested */ - int sess_connect_good; /* SSL new conne/reneg - finished */ - int sess_accept; /* SSL new accept - started */ - int sess_accept_renegotiate;/* SSL reneg - requested */ - int sess_accept_good; /* SSL accept/reneg - finished */ - int sess_miss; /* session lookup misses */ - int sess_timeout; /* reuse attempt on timeouted session */ - int sess_cache_full; /* session removed due to full cache */ - int sess_hit; /* session reuse actually done */ - int sess_cb_hit; /* session-id that was not - * in the cache was - * passed back via the callback. This - * indicates that the application is - * supplying session-id's from other - * processes - spooky :-) */ - } stats; - - int references; - - /* if defined, these override the X509_verify_cert() calls */ - int (*app_verify_callback)(X509_STORE_CTX *, void *); - void *app_verify_arg; - - /* Default password callback. */ - pem_password_cb *default_passwd_callback; - - /* Default password callback user data. */ - void *default_passwd_callback_userdata; - - /* get client cert callback */ - int (*client_cert_cb)(SSL *ssl, X509 **x509, EVP_PKEY **pkey); - - /* cookie generate callback */ - int (*app_gen_cookie_cb)(SSL *ssl, unsigned char *cookie, - unsigned int *cookie_len); - - /* verify cookie callback */ - int (*app_verify_cookie_cb)(SSL *ssl, unsigned char *cookie, - unsigned int cookie_len); - - CRYPTO_EX_DATA ex_data; - - const EVP_MD *md5; /* For SSLv3/TLSv1 'ssl3-md5' */ - const EVP_MD *sha1; /* For SSLv3/TLSv1 'ssl3-sha1' */ - - STACK_OF(X509) *extra_certs; - - /* Default values used when no per-SSL value is defined follow */ - - void (*info_callback)(const SSL *ssl,int type,int val); /* used if SSL's info_callback is NULL */ - - /* what we put in client cert requests */ - STACK_OF(X509_NAME) *client_CA; - - - /* Default values to use in SSL structures follow (these are copied by SSL_new) */ - - unsigned long options; - unsigned long mode; - long max_cert_list; - - struct cert_st /* CERT */ *cert; - int read_ahead; - - /* callback that allows applications to peek at protocol messages */ - void (*msg_callback)(int write_p, int version, int content_type, - const void *buf, size_t len, SSL *ssl, void *arg); - void *msg_callback_arg; - - int verify_mode; - unsigned int sid_ctx_length; - unsigned char sid_ctx[SSL_MAX_SID_CTX_LENGTH]; - int (*default_verify_callback)(int ok,X509_STORE_CTX *ctx); /* called 'verify_callback' in the SSL */ - - /* Default generate session ID callback. */ - GEN_SESSION_CB generate_session_id; - - X509_VERIFY_PARAM *param; - - int quiet_shutdown; - - /* Maximum amount of data to send in one fragment. - * actual record size can be more than this due to - * padding and MAC overheads. - */ - unsigned int max_send_fragment; - -#ifndef OPENSSL_NO_ENGINE - /* Engine to pass requests for client certs to - */ - ENGINE *client_cert_engine; -#endif - - /* TLS extensions servername callback */ - int (*tlsext_servername_callback)(SSL*, int *, void *); - void *tlsext_servername_arg; - /* RFC 4507 session ticket keys */ - unsigned char tlsext_tick_key_name[16]; - unsigned char tlsext_tick_hmac_key[16]; - unsigned char tlsext_tick_aes_key[16]; - /* Callback to support customisation of ticket key setting */ - int (*tlsext_ticket_key_cb)(SSL *ssl, unsigned char *name, - unsigned char *iv, EVP_CIPHER_CTX *ectx, HMAC_CTX *hctx, int enc); - - /* certificate status request info */ - /* Callback for status request */ - int (*tlsext_status_cb)(SSL *ssl, void *arg); - void *tlsext_status_arg; - - - - - /* Next protocol negotiation information */ - /* (for experimental NPN extension). */ - - /* For a server, this contains a callback function by which the set of - * advertised protocols can be provided. */ - int (*next_protos_advertised_cb)(SSL *s, const unsigned char **buf, - unsigned int *len, void *arg); - void *next_protos_advertised_cb_arg; - /* For a client, this contains a callback function that selects the - * next protocol from the list provided by the server. */ - int (*next_proto_select_cb)(SSL *s, unsigned char **out, - unsigned char *outlen, const unsigned char *in, - unsigned int inlen, void *arg); - void *next_proto_select_cb_arg; - - /* - * ALPN information - * (we are in the process of transitioning from NPN to ALPN). - */ - - /* - * Server callback function that allows the server to select the - * protocol for the connection. - * out: on successful return, this must point to the raw protocol - * name (without the length prefix). - * outlen: on successful return, this contains the length of out. - * in: points to the client's list of supported protocols in - * wire-format. - * inlen: the length of in. - */ - int (*alpn_select_cb)(SSL *s, const unsigned char **out, - unsigned char *outlen, const unsigned char *in, unsigned int inlen, - void *arg); - void *alpn_select_cb_arg; - - /* Client list of supported protocols in wire format. */ - unsigned char *alpn_client_proto_list; - unsigned int alpn_client_proto_list_len; - - /* SRTP profiles we are willing to do from RFC 5764 */ - STACK_OF(SRTP_PROTECTION_PROFILE) *srtp_profiles; -}; - -#endif - -#define SSL_SESS_CACHE_OFF 0x0000 -#define SSL_SESS_CACHE_CLIENT 0x0001 -#define SSL_SESS_CACHE_SERVER 0x0002 -#define SSL_SESS_CACHE_BOTH (SSL_SESS_CACHE_CLIENT|SSL_SESS_CACHE_SERVER) -#define SSL_SESS_CACHE_NO_AUTO_CLEAR 0x0080 -/* enough comments already ... see SSL_CTX_set_session_cache_mode(3) */ -#define SSL_SESS_CACHE_NO_INTERNAL_LOOKUP 0x0100 -#define SSL_SESS_CACHE_NO_INTERNAL_STORE 0x0200 -#define SSL_SESS_CACHE_NO_INTERNAL \ - (SSL_SESS_CACHE_NO_INTERNAL_LOOKUP|SSL_SESS_CACHE_NO_INTERNAL_STORE) - -LHASH_OF(SSL_SESSION) *SSL_CTX_sessions(SSL_CTX *ctx); -#define SSL_CTX_sess_number(ctx) \ - SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_NUMBER,0,NULL) -#define SSL_CTX_sess_connect(ctx) \ - SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_CONNECT,0,NULL) -#define SSL_CTX_sess_connect_good(ctx) \ - SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_CONNECT_GOOD,0,NULL) -#define SSL_CTX_sess_connect_renegotiate(ctx) \ - SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_CONNECT_RENEGOTIATE,0,NULL) -#define SSL_CTX_sess_accept(ctx) \ - SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_ACCEPT,0,NULL) -#define SSL_CTX_sess_accept_renegotiate(ctx) \ - SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_ACCEPT_RENEGOTIATE,0,NULL) -#define SSL_CTX_sess_accept_good(ctx) \ - SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_ACCEPT_GOOD,0,NULL) -#define SSL_CTX_sess_hits(ctx) \ - SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_HIT,0,NULL) -#define SSL_CTX_sess_cb_hits(ctx) \ - SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_CB_HIT,0,NULL) -#define SSL_CTX_sess_misses(ctx) \ - SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_MISSES,0,NULL) -#define SSL_CTX_sess_timeouts(ctx) \ - SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_TIMEOUTS,0,NULL) -#define SSL_CTX_sess_cache_full(ctx) \ - SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_CACHE_FULL,0,NULL) - -void SSL_CTX_sess_set_new_cb(SSL_CTX *ctx, - int (*new_session_cb)(struct ssl_st *ssl, SSL_SESSION *sess)); -int (*SSL_CTX_sess_get_new_cb(SSL_CTX *ctx))(struct ssl_st *ssl, - SSL_SESSION *sess); -void SSL_CTX_sess_set_remove_cb(SSL_CTX *ctx, - void (*remove_session_cb)(struct ssl_ctx_st *ctx, SSL_SESSION *sess)); -void (*SSL_CTX_sess_get_remove_cb(SSL_CTX *ctx))(struct ssl_ctx_st *ctx, - SSL_SESSION *sess); -void SSL_CTX_sess_set_get_cb(SSL_CTX *ctx, - SSL_SESSION *(*get_session_cb)(struct ssl_st *ssl, unsigned char *data, - int len, int *copy)); -SSL_SESSION *(*SSL_CTX_sess_get_get_cb(SSL_CTX *ctx))(struct ssl_st *ssl, - unsigned char *Data, int len, int *copy); -void SSL_CTX_set_info_callback(SSL_CTX *ctx, void (*cb)(const SSL *ssl, - int type, int val)); -void (*SSL_CTX_get_info_callback(SSL_CTX *ctx))(const SSL *ssl, int type, - int val); -void SSL_CTX_set_client_cert_cb(SSL_CTX *ctx, - int (*client_cert_cb)(SSL *ssl, X509 **x509, EVP_PKEY **pkey)); -int (*SSL_CTX_get_client_cert_cb(SSL_CTX *ctx))(SSL *ssl, X509 **x509, - EVP_PKEY **pkey); -#ifndef OPENSSL_NO_ENGINE -int SSL_CTX_set_client_cert_engine(SSL_CTX *ctx, ENGINE *e); -#endif -void SSL_CTX_set_cookie_generate_cb(SSL_CTX *ctx, - int (*app_gen_cookie_cb)(SSL *ssl, unsigned char *cookie, - unsigned int *cookie_len)); -void SSL_CTX_set_cookie_verify_cb(SSL_CTX *ctx, - int (*app_verify_cookie_cb)(SSL *ssl, unsigned char *cookie, - unsigned int cookie_len)); -void -SSL_CTX_set_next_protos_advertised_cb(SSL_CTX *s, int (*cb)(SSL *ssl, - const unsigned char **out, unsigned int *outlen, void *arg), void *arg); -void SSL_CTX_set_next_proto_select_cb(SSL_CTX *s, int (*cb)(SSL *ssl, - unsigned char **out, unsigned char *outlen, const unsigned char *in, - unsigned int inlen, void *arg), void *arg); - -int SSL_select_next_proto(unsigned char **out, unsigned char *outlen, - const unsigned char *in, unsigned int inlen, const unsigned char *client, - unsigned int client_len); -void SSL_get0_next_proto_negotiated(const SSL *s, const unsigned char **data, - unsigned *len); - -#define OPENSSL_NPN_UNSUPPORTED 0 -#define OPENSSL_NPN_NEGOTIATED 1 -#define OPENSSL_NPN_NO_OVERLAP 2 - -int SSL_CTX_set_alpn_protos(SSL_CTX *ctx, const unsigned char *protos, - unsigned int protos_len); -int SSL_set_alpn_protos(SSL *ssl, const unsigned char *protos, - unsigned int protos_len); -void SSL_CTX_set_alpn_select_cb(SSL_CTX *ctx, - int (*cb)(SSL *ssl, const unsigned char **out, unsigned char *outlen, - const unsigned char *in, unsigned int inlen, void *arg), void *arg); -void SSL_get0_alpn_selected(const SSL *ssl, const unsigned char **data, - unsigned int *len); - -#define SSL_NOTHING 1 -#define SSL_WRITING 2 -#define SSL_READING 3 -#define SSL_X509_LOOKUP 4 - -/* These will only be used when doing non-blocking IO */ -#define SSL_want_nothing(s) (SSL_want(s) == SSL_NOTHING) -#define SSL_want_read(s) (SSL_want(s) == SSL_READING) -#define SSL_want_write(s) (SSL_want(s) == SSL_WRITING) -#define SSL_want_x509_lookup(s) (SSL_want(s) == SSL_X509_LOOKUP) - -#define SSL_MAC_FLAG_READ_MAC_STREAM 1 -#define SSL_MAC_FLAG_WRITE_MAC_STREAM 2 - -#ifndef OPENSSL_NO_SSL_INTERN - -struct ssl_st { - /* protocol version - * (one of SSL2_VERSION, SSL3_VERSION, TLS1_VERSION, DTLS1_VERSION) - */ - int version; - int type; /* SSL_ST_CONNECT or SSL_ST_ACCEPT */ - - const SSL_METHOD *method; /* SSLv3 */ - - /* There are 2 BIO's even though they are normally both the - * same. This is so data can be read and written to different - * handlers */ - -#ifndef OPENSSL_NO_BIO - BIO *rbio; /* used by SSL_read */ - BIO *wbio; /* used by SSL_write */ - BIO *bbio; /* used during session-id reuse to concatenate - * messages */ -#else - char *rbio; /* used by SSL_read */ - char *wbio; /* used by SSL_write */ - char *bbio; -#endif - /* This holds a variable that indicates what we were doing - * when a 0 or -1 is returned. This is needed for - * non-blocking IO so we know what request needs re-doing when - * in SSL_accept or SSL_connect */ - int rwstate; - - /* true when we are actually in SSL_accept() or SSL_connect() */ - int in_handshake; - int (*handshake_func)(SSL *); - - /* Imagine that here's a boolean member "init" that is - * switched as soon as SSL_set_{accept/connect}_state - * is called for the first time, so that "state" and - * "handshake_func" are properly initialized. But as - * handshake_func is == 0 until then, we use this - * test instead of an "init" member. - */ - - int server; /* are we the server side? - mostly used by SSL_clear*/ - - int new_session;/* Generate a new session or reuse an old one. - * NB: For servers, the 'new' session may actually be a previously - * cached session or even the previous session unless - * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION is set */ - int quiet_shutdown;/* don't send shutdown packets */ - int shutdown; /* we have shut things down, 0x01 sent, 0x02 - * for received */ - int state; /* where we are */ - int rstate; /* where we are when reading */ - - BUF_MEM *init_buf; /* buffer used during init */ - void *init_msg; /* pointer to handshake message body, set by ssl3_get_message() */ - int init_num; /* amount read/written */ - int init_off; /* amount read/written */ - - /* used internally to point at a raw packet */ - unsigned char *packet; - unsigned int packet_length; - - struct ssl3_state_st *s3; /* SSLv3 variables */ - struct dtls1_state_st *d1; /* DTLSv1 variables */ - - int read_ahead; /* Read as many input bytes as possible - * (for non-blocking reads) */ - - /* callback that allows applications to peek at protocol messages */ - void (*msg_callback)(int write_p, int version, int content_type, - const void *buf, size_t len, SSL *ssl, void *arg); - void *msg_callback_arg; - - int hit; /* reusing a previous session */ - - X509_VERIFY_PARAM *param; - - /* crypto */ - STACK_OF(SSL_CIPHER) *cipher_list; - STACK_OF(SSL_CIPHER) *cipher_list_by_id; - - /* These are the ones being used, the ones in SSL_SESSION are - * the ones to be 'copied' into these ones */ - int mac_flags; - - SSL_AEAD_CTX *aead_read_ctx; /* AEAD context. If non-NULL, then - enc_read_ctx and read_hash are - ignored. */ - - EVP_CIPHER_CTX *enc_read_ctx; /* cryptographic state */ - EVP_MD_CTX *read_hash; /* used for mac generation */ - - SSL_AEAD_CTX *aead_write_ctx; /* AEAD context. If non-NULL, then - enc_write_ctx and write_hash are - ignored. */ - - EVP_CIPHER_CTX *enc_write_ctx; /* cryptographic state */ - EVP_MD_CTX *write_hash; /* used for mac generation */ - - /* session info */ - - /* client cert? */ - /* This is used to hold the server certificate used */ - struct cert_st /* CERT */ *cert; - - /* the session_id_context is used to ensure sessions are only reused - * in the appropriate context */ - unsigned int sid_ctx_length; - unsigned char sid_ctx[SSL_MAX_SID_CTX_LENGTH]; - - /* This can also be in the session once a session is established */ - SSL_SESSION *session; - - /* Default generate session ID callback. */ - GEN_SESSION_CB generate_session_id; - - /* Used in SSL2 and SSL3 */ - int verify_mode; /* 0 don't care about verify failure. - * 1 fail if verify fails */ - int (*verify_callback)(int ok,X509_STORE_CTX *ctx); /* fail if callback returns 0 */ - - void (*info_callback)(const SSL *ssl,int type,int val); /* optional informational callback */ - - int error; /* error bytes to be written */ - int error_code; /* actual code */ - - - - SSL_CTX *ctx; - /* set this flag to 1 and a sleep(1) is put into all SSL_read() - * and SSL_write() calls, good for nbio debuging :-) */ - int debug; - - - /* extra application data */ - long verify_result; - CRYPTO_EX_DATA ex_data; - - /* for server side, keep the list of CA_dn we can use */ - STACK_OF(X509_NAME) *client_CA; - - int references; - unsigned long options; /* protocol behaviour */ - unsigned long mode; /* API behaviour */ - long max_cert_list; - int first_packet; - int client_version; /* what was passed, used for - * SSLv3/TLS rollback check */ - unsigned int max_send_fragment; - /* TLS extension debug callback */ - void (*tlsext_debug_cb)(SSL *s, int client_server, int type, - unsigned char *data, int len, void *arg); - void *tlsext_debug_arg; - char *tlsext_hostname; - int servername_done; /* no further mod of servername - 0 : call the servername extension callback. - 1 : prepare 2, allow last ack just after in server callback. - 2 : don't call servername callback, no ack in server hello - */ - /* certificate status request info */ - /* Status type or -1 if no status type */ - int tlsext_status_type; - /* Expect OCSP CertificateStatus message */ - int tlsext_status_expected; - /* OCSP status request only */ - STACK_OF(OCSP_RESPID) *tlsext_ocsp_ids; - X509_EXTENSIONS *tlsext_ocsp_exts; - /* OCSP response received or to be sent */ - unsigned char *tlsext_ocsp_resp; - int tlsext_ocsp_resplen; - - /* RFC4507 session ticket expected to be received or sent */ - int tlsext_ticket_expected; - size_t tlsext_ecpointformatlist_length; - uint8_t *tlsext_ecpointformatlist; /* our list */ - size_t tlsext_ellipticcurvelist_length; - uint16_t *tlsext_ellipticcurvelist; /* our list */ - - /* TLS Session Ticket extension override */ - TLS_SESSION_TICKET_EXT *tlsext_session_ticket; - - /* TLS Session Ticket extension callback */ - tls_session_ticket_ext_cb_fn tls_session_ticket_ext_cb; - void *tls_session_ticket_ext_cb_arg; - - /* TLS pre-shared secret session resumption */ - tls_session_secret_cb_fn tls_session_secret_cb; - void *tls_session_secret_cb_arg; - - SSL_CTX * initial_ctx; /* initial ctx, used to store sessions */ - - /* Next protocol negotiation. For the client, this is the protocol that - * we sent in NextProtocol and is set when handling ServerHello - * extensions. - * - * For a server, this is the client's selected_protocol from - * NextProtocol and is set when handling the NextProtocol message, - * before the Finished message. */ - unsigned char *next_proto_negotiated; - unsigned char next_proto_negotiated_len; - -#define session_ctx initial_ctx - - STACK_OF(SRTP_PROTECTION_PROFILE) *srtp_profiles; /* What we'll do */ - SRTP_PROTECTION_PROFILE *srtp_profile; /* What's been chosen */ - - unsigned int tlsext_heartbeat; /* Is use of the Heartbeat extension negotiated? - 0: disabled - 1: enabled - 2: enabled, but not allowed to send Requests - */ - unsigned int tlsext_hb_pending; /* Indicates if a HeartbeatRequest is in flight */ - unsigned int tlsext_hb_seq; /* HeartbeatRequest sequence number */ - - /* Client list of supported protocols in wire format. */ - unsigned char *alpn_client_proto_list; - unsigned int alpn_client_proto_list_len; - - int renegotiate;/* 1 if we are renegotiating. - * 2 if we are a server and are inside a handshake - * (i.e. not just sending a HelloRequest) */ - -}; - -#endif - -#ifdef __cplusplus -} -#endif - -#include <openssl/ssl2.h> -#include <openssl/ssl3.h> -#include <openssl/tls1.h> /* This is mostly sslv3 with a few tweaks */ -#include <openssl/dtls1.h> /* Datagram TLS */ -#include <openssl/ssl23.h> -#include <openssl/srtp.h> /* Support for the use_srtp extension */ - -#ifdef __cplusplus -extern "C" { -#endif - -/* compatibility */ -#define SSL_set_app_data(s,arg) (SSL_set_ex_data(s,0,(char *)arg)) -#define SSL_get_app_data(s) (SSL_get_ex_data(s,0)) -#define SSL_SESSION_set_app_data(s,a) (SSL_SESSION_set_ex_data(s,0,(char *)a)) -#define SSL_SESSION_get_app_data(s) (SSL_SESSION_get_ex_data(s,0)) -#define SSL_CTX_get_app_data(ctx) (SSL_CTX_get_ex_data(ctx,0)) -#define SSL_CTX_set_app_data(ctx,arg) (SSL_CTX_set_ex_data(ctx,0,(char *)arg)) - -/* The following are the possible values for ssl->state are are - * used to indicate where we are up to in the SSL connection establishment. - * The macros that follow are about the only things you should need to use - * and even then, only when using non-blocking IO. - * It can also be useful to work out where you were when the connection - * failed */ - -#define SSL_ST_CONNECT 0x1000 -#define SSL_ST_ACCEPT 0x2000 -#define SSL_ST_MASK 0x0FFF -#define SSL_ST_INIT (SSL_ST_CONNECT|SSL_ST_ACCEPT) -#define SSL_ST_BEFORE 0x4000 -#define SSL_ST_OK 0x03 -#define SSL_ST_RENEGOTIATE (0x04|SSL_ST_INIT) - -#define SSL_CB_LOOP 0x01 -#define SSL_CB_EXIT 0x02 -#define SSL_CB_READ 0x04 -#define SSL_CB_WRITE 0x08 -#define SSL_CB_ALERT 0x4000 /* used in callback */ -#define SSL_CB_READ_ALERT (SSL_CB_ALERT|SSL_CB_READ) -#define SSL_CB_WRITE_ALERT (SSL_CB_ALERT|SSL_CB_WRITE) -#define SSL_CB_ACCEPT_LOOP (SSL_ST_ACCEPT|SSL_CB_LOOP) -#define SSL_CB_ACCEPT_EXIT (SSL_ST_ACCEPT|SSL_CB_EXIT) -#define SSL_CB_CONNECT_LOOP (SSL_ST_CONNECT|SSL_CB_LOOP) -#define SSL_CB_CONNECT_EXIT (SSL_ST_CONNECT|SSL_CB_EXIT) -#define SSL_CB_HANDSHAKE_START 0x10 -#define SSL_CB_HANDSHAKE_DONE 0x20 - -/* Is the SSL_connection established? */ -#define SSL_get_state(a) SSL_state(a) -#define SSL_is_init_finished(a) (SSL_state(a) == SSL_ST_OK) -#define SSL_in_init(a) (SSL_state(a)&SSL_ST_INIT) -#define SSL_in_before(a) (SSL_state(a)&SSL_ST_BEFORE) -#define SSL_in_connect_init(a) (SSL_state(a)&SSL_ST_CONNECT) -#define SSL_in_accept_init(a) (SSL_state(a)&SSL_ST_ACCEPT) - -/* The following 2 states are kept in ssl->rstate when reads fail, - * you should not need these */ -#define SSL_ST_READ_HEADER 0xF0 -#define SSL_ST_READ_BODY 0xF1 -#define SSL_ST_READ_DONE 0xF2 - -/* Obtain latest Finished message - * -- that we sent (SSL_get_finished) - * -- that we expected from peer (SSL_get_peer_finished). - * Returns length (0 == no Finished so far), copies up to 'count' bytes. */ -size_t SSL_get_finished(const SSL *s, void *buf, size_t count); -size_t SSL_get_peer_finished(const SSL *s, void *buf, size_t count); - -/* use either SSL_VERIFY_NONE or SSL_VERIFY_PEER, the last 2 options - * are 'ored' with SSL_VERIFY_PEER if they are desired */ -#define SSL_VERIFY_NONE 0x00 -#define SSL_VERIFY_PEER 0x01 -#define SSL_VERIFY_FAIL_IF_NO_PEER_CERT 0x02 -#define SSL_VERIFY_CLIENT_ONCE 0x04 - -#define OpenSSL_add_ssl_algorithms() SSL_library_init() -#define SSLeay_add_ssl_algorithms() SSL_library_init() - -/* More backward compatibility */ -#define SSL_get_cipher(s) \ - SSL_CIPHER_get_name(SSL_get_current_cipher(s)) -#define SSL_get_cipher_bits(s,np) \ - SSL_CIPHER_get_bits(SSL_get_current_cipher(s),np) -#define SSL_get_cipher_version(s) \ - SSL_CIPHER_get_version(SSL_get_current_cipher(s)) -#define SSL_get_cipher_name(s) \ - SSL_CIPHER_get_name(SSL_get_current_cipher(s)) -#define SSL_get_time(a) SSL_SESSION_get_time(a) -#define SSL_set_time(a,b) SSL_SESSION_set_time((a),(b)) -#define SSL_get_timeout(a) SSL_SESSION_get_timeout(a) -#define SSL_set_timeout(a,b) SSL_SESSION_set_timeout((a),(b)) - -#define d2i_SSL_SESSION_bio(bp,s_id) ASN1_d2i_bio_of(SSL_SESSION,SSL_SESSION_new,d2i_SSL_SESSION,bp,s_id) -#define i2d_SSL_SESSION_bio(bp,s_id) ASN1_i2d_bio_of(SSL_SESSION,i2d_SSL_SESSION,bp,s_id) - -DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION) - -#define SSL_AD_REASON_OFFSET 1000 /* offset to get SSL_R_... value from SSL_AD_... */ - -/* These alert types are for SSLv3 and TLSv1 */ -#define SSL_AD_CLOSE_NOTIFY SSL3_AD_CLOSE_NOTIFY -#define SSL_AD_UNEXPECTED_MESSAGE SSL3_AD_UNEXPECTED_MESSAGE /* fatal */ -#define SSL_AD_BAD_RECORD_MAC SSL3_AD_BAD_RECORD_MAC /* fatal */ -#define SSL_AD_DECRYPTION_FAILED TLS1_AD_DECRYPTION_FAILED -#define SSL_AD_RECORD_OVERFLOW TLS1_AD_RECORD_OVERFLOW -#define SSL_AD_DECOMPRESSION_FAILURE SSL3_AD_DECOMPRESSION_FAILURE/* fatal */ -#define SSL_AD_HANDSHAKE_FAILURE SSL3_AD_HANDSHAKE_FAILURE/* fatal */ -#define SSL_AD_NO_CERTIFICATE SSL3_AD_NO_CERTIFICATE /* Not for TLS */ -#define SSL_AD_BAD_CERTIFICATE SSL3_AD_BAD_CERTIFICATE -#define SSL_AD_UNSUPPORTED_CERTIFICATE SSL3_AD_UNSUPPORTED_CERTIFICATE -#define SSL_AD_CERTIFICATE_REVOKED SSL3_AD_CERTIFICATE_REVOKED -#define SSL_AD_CERTIFICATE_EXPIRED SSL3_AD_CERTIFICATE_EXPIRED -#define SSL_AD_CERTIFICATE_UNKNOWN SSL3_AD_CERTIFICATE_UNKNOWN -#define SSL_AD_ILLEGAL_PARAMETER SSL3_AD_ILLEGAL_PARAMETER /* fatal */ -#define SSL_AD_UNKNOWN_CA TLS1_AD_UNKNOWN_CA /* fatal */ -#define SSL_AD_ACCESS_DENIED TLS1_AD_ACCESS_DENIED /* fatal */ -#define SSL_AD_DECODE_ERROR TLS1_AD_DECODE_ERROR /* fatal */ -#define SSL_AD_DECRYPT_ERROR TLS1_AD_DECRYPT_ERROR -#define SSL_AD_EXPORT_RESTRICTION TLS1_AD_EXPORT_RESTRICTION/* fatal */ -#define SSL_AD_PROTOCOL_VERSION TLS1_AD_PROTOCOL_VERSION /* fatal */ -#define SSL_AD_INSUFFICIENT_SECURITY TLS1_AD_INSUFFICIENT_SECURITY/* fatal */ -#define SSL_AD_INTERNAL_ERROR TLS1_AD_INTERNAL_ERROR /* fatal */ -#define SSL_AD_INAPPROPRIATE_FALLBACK TLS1_AD_INAPPROPRIATE_FALLBACK /* fatal */ -#define SSL_AD_USER_CANCELLED TLS1_AD_USER_CANCELLED -#define SSL_AD_NO_RENEGOTIATION TLS1_AD_NO_RENEGOTIATION -#define SSL_AD_UNSUPPORTED_EXTENSION TLS1_AD_UNSUPPORTED_EXTENSION -#define SSL_AD_CERTIFICATE_UNOBTAINABLE TLS1_AD_CERTIFICATE_UNOBTAINABLE -#define SSL_AD_UNRECOGNIZED_NAME TLS1_AD_UNRECOGNIZED_NAME -#define SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE TLS1_AD_BAD_CERTIFICATE_STATUS_RESPONSE -#define SSL_AD_BAD_CERTIFICATE_HASH_VALUE TLS1_AD_BAD_CERTIFICATE_HASH_VALUE -#define SSL_AD_UNKNOWN_PSK_IDENTITY TLS1_AD_UNKNOWN_PSK_IDENTITY /* fatal */ - -#define SSL_ERROR_NONE 0 -#define SSL_ERROR_SSL 1 -#define SSL_ERROR_WANT_READ 2 -#define SSL_ERROR_WANT_WRITE 3 -#define SSL_ERROR_WANT_X509_LOOKUP 4 -#define SSL_ERROR_SYSCALL 5 /* look at error stack/return value/errno */ -#define SSL_ERROR_ZERO_RETURN 6 -#define SSL_ERROR_WANT_CONNECT 7 -#define SSL_ERROR_WANT_ACCEPT 8 - -#define SSL_CTRL_NEED_TMP_RSA 1 -#define SSL_CTRL_SET_TMP_RSA 2 -#define SSL_CTRL_SET_TMP_DH 3 -#define SSL_CTRL_SET_TMP_ECDH 4 -#define SSL_CTRL_SET_TMP_RSA_CB 5 -#define SSL_CTRL_SET_TMP_DH_CB 6 -#define SSL_CTRL_SET_TMP_ECDH_CB 7 - -#define SSL_CTRL_GET_SESSION_REUSED 8 -#define SSL_CTRL_GET_CLIENT_CERT_REQUEST 9 -#define SSL_CTRL_GET_NUM_RENEGOTIATIONS 10 -#define SSL_CTRL_CLEAR_NUM_RENEGOTIATIONS 11 -#define SSL_CTRL_GET_TOTAL_RENEGOTIATIONS 12 -#define SSL_CTRL_GET_FLAGS 13 -#define SSL_CTRL_EXTRA_CHAIN_CERT 14 - -#define SSL_CTRL_SET_MSG_CALLBACK 15 -#define SSL_CTRL_SET_MSG_CALLBACK_ARG 16 - -/* only applies to datagram connections */ -#define SSL_CTRL_SET_MTU 17 -/* Stats */ -#define SSL_CTRL_SESS_NUMBER 20 -#define SSL_CTRL_SESS_CONNECT 21 -#define SSL_CTRL_SESS_CONNECT_GOOD 22 -#define SSL_CTRL_SESS_CONNECT_RENEGOTIATE 23 -#define SSL_CTRL_SESS_ACCEPT 24 -#define SSL_CTRL_SESS_ACCEPT_GOOD 25 -#define SSL_CTRL_SESS_ACCEPT_RENEGOTIATE 26 -#define SSL_CTRL_SESS_HIT 27 -#define SSL_CTRL_SESS_CB_HIT 28 -#define SSL_CTRL_SESS_MISSES 29 -#define SSL_CTRL_SESS_TIMEOUTS 30 -#define SSL_CTRL_SESS_CACHE_FULL 31 -#define SSL_CTRL_OPTIONS 32 -#define SSL_CTRL_MODE 33 - -#define SSL_CTRL_GET_READ_AHEAD 40 -#define SSL_CTRL_SET_READ_AHEAD 41 -#define SSL_CTRL_SET_SESS_CACHE_SIZE 42 -#define SSL_CTRL_GET_SESS_CACHE_SIZE 43 -#define SSL_CTRL_SET_SESS_CACHE_MODE 44 -#define SSL_CTRL_GET_SESS_CACHE_MODE 45 - -#define SSL_CTRL_GET_MAX_CERT_LIST 50 -#define SSL_CTRL_SET_MAX_CERT_LIST 51 - -#define SSL_CTRL_SET_MAX_SEND_FRAGMENT 52 - -/* see tls1.h for macros based on these */ -#define SSL_CTRL_SET_TLSEXT_SERVERNAME_CB 53 -#define SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG 54 -#define SSL_CTRL_SET_TLSEXT_HOSTNAME 55 -#define SSL_CTRL_SET_TLSEXT_DEBUG_CB 56 -#define SSL_CTRL_SET_TLSEXT_DEBUG_ARG 57 -#define SSL_CTRL_GET_TLSEXT_TICKET_KEYS 58 -#define SSL_CTRL_SET_TLSEXT_TICKET_KEYS 59 -#define SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB 63 -#define SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB_ARG 64 -#define SSL_CTRL_SET_TLSEXT_STATUS_REQ_TYPE 65 -#define SSL_CTRL_GET_TLSEXT_STATUS_REQ_EXTS 66 -#define SSL_CTRL_SET_TLSEXT_STATUS_REQ_EXTS 67 -#define SSL_CTRL_GET_TLSEXT_STATUS_REQ_IDS 68 -#define SSL_CTRL_SET_TLSEXT_STATUS_REQ_IDS 69 -#define SSL_CTRL_GET_TLSEXT_STATUS_REQ_OCSP_RESP 70 -#define SSL_CTRL_SET_TLSEXT_STATUS_REQ_OCSP_RESP 71 - -#define SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB 72 - -#define SSL_CTRL_SET_TLS_EXT_SRP_USERNAME_CB 75 -#define SSL_CTRL_SET_SRP_VERIFY_PARAM_CB 76 -#define SSL_CTRL_SET_SRP_GIVE_CLIENT_PWD_CB 77 - -#define SSL_CTRL_SET_SRP_ARG 78 -#define SSL_CTRL_SET_TLS_EXT_SRP_USERNAME 79 -#define SSL_CTRL_SET_TLS_EXT_SRP_STRENGTH 80 -#define SSL_CTRL_SET_TLS_EXT_SRP_PASSWORD 81 - -#define DTLS_CTRL_GET_TIMEOUT 73 -#define DTLS_CTRL_HANDLE_TIMEOUT 74 -#define DTLS_CTRL_LISTEN 75 - -#define SSL_CTRL_GET_RI_SUPPORT 76 -#define SSL_CTRL_CLEAR_OPTIONS 77 -#define SSL_CTRL_CLEAR_MODE 78 - -#define SSL_CTRL_GET_EXTRA_CHAIN_CERTS 82 -#define SSL_CTRL_CLEAR_EXTRA_CHAIN_CERTS 83 - -#define SSL_CTRL_SET_ECDH_AUTO 94 - -#define SSL_CTRL_SET_DH_AUTO 118 - -#define DTLSv1_get_timeout(ssl, arg) \ - SSL_ctrl(ssl,DTLS_CTRL_GET_TIMEOUT,0, (void *)arg) -#define DTLSv1_handle_timeout(ssl) \ - SSL_ctrl(ssl,DTLS_CTRL_HANDLE_TIMEOUT,0, NULL) -#define DTLSv1_listen(ssl, peer) \ - SSL_ctrl(ssl,DTLS_CTRL_LISTEN,0, (void *)peer) - -#define SSL_session_reused(ssl) \ - SSL_ctrl((ssl),SSL_CTRL_GET_SESSION_REUSED,0,NULL) -#define SSL_num_renegotiations(ssl) \ - SSL_ctrl((ssl),SSL_CTRL_GET_NUM_RENEGOTIATIONS,0,NULL) -#define SSL_clear_num_renegotiations(ssl) \ - SSL_ctrl((ssl),SSL_CTRL_CLEAR_NUM_RENEGOTIATIONS,0,NULL) -#define SSL_total_renegotiations(ssl) \ - SSL_ctrl((ssl),SSL_CTRL_GET_TOTAL_RENEGOTIATIONS,0,NULL) - -#define SSL_CTX_need_tmp_RSA(ctx) \ - SSL_CTX_ctrl(ctx,SSL_CTRL_NEED_TMP_RSA,0,NULL) -#define SSL_CTX_set_tmp_rsa(ctx,rsa) \ - SSL_CTX_ctrl(ctx,SSL_CTRL_SET_TMP_RSA,0,(char *)rsa) -#define SSL_CTX_set_tmp_dh(ctx,dh) \ - SSL_CTX_ctrl(ctx,SSL_CTRL_SET_TMP_DH,0,(char *)dh) -#define SSL_CTX_set_tmp_ecdh(ctx,ecdh) \ - SSL_CTX_ctrl(ctx,SSL_CTRL_SET_TMP_ECDH,0,(char *)ecdh) -#define SSL_CTX_set_dh_auto(ctx, onoff) \ - SSL_CTX_ctrl(ctx,SSL_CTRL_SET_DH_AUTO,onoff,NULL) -#define SSL_CTX_set_ecdh_auto(ctx, onoff) \ - SSL_CTX_ctrl(ctx,SSL_CTRL_SET_ECDH_AUTO,onoff,NULL) - -#define SSL_need_tmp_RSA(ssl) \ - SSL_ctrl(ssl,SSL_CTRL_NEED_TMP_RSA,0,NULL) -#define SSL_set_tmp_rsa(ssl,rsa) \ - SSL_ctrl(ssl,SSL_CTRL_SET_TMP_RSA,0,(char *)rsa) -#define SSL_set_tmp_dh(ssl,dh) \ - SSL_ctrl(ssl,SSL_CTRL_SET_TMP_DH,0,(char *)dh) -#define SSL_set_tmp_ecdh(ssl,ecdh) \ - SSL_ctrl(ssl,SSL_CTRL_SET_TMP_ECDH,0,(char *)ecdh) -#define SSL_set_dh_auto(s, onoff) \ - SSL_ctrl(s,SSL_CTRL_SET_DH_AUTO,onoff,NULL) -#define SSL_set_ecdh_auto(s, onoff) \ - SSL_ctrl(s,SSL_CTRL_SET_ECDH_AUTO,onoff,NULL) - -#define SSL_CTX_add_extra_chain_cert(ctx,x509) \ - SSL_CTX_ctrl(ctx,SSL_CTRL_EXTRA_CHAIN_CERT,0,(char *)x509) -#define SSL_CTX_get_extra_chain_certs(ctx,px509) \ - SSL_CTX_ctrl(ctx,SSL_CTRL_GET_EXTRA_CHAIN_CERTS,0,px509) -#define SSL_CTX_clear_extra_chain_certs(ctx) \ - SSL_CTX_ctrl(ctx,SSL_CTRL_CLEAR_EXTRA_CHAIN_CERTS,0,NULL) - -#ifndef OPENSSL_NO_BIO -BIO_METHOD *BIO_f_ssl(void); -BIO *BIO_new_ssl(SSL_CTX *ctx, int client); -BIO *BIO_new_ssl_connect(SSL_CTX *ctx); -BIO *BIO_new_buffer_ssl_connect(SSL_CTX *ctx); -int BIO_ssl_copy_session_id(BIO *to, BIO *from); -void BIO_ssl_shutdown(BIO *ssl_bio); -#endif - -int SSL_CTX_set_cipher_list(SSL_CTX *, const char *str); -SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth); -void SSL_CTX_free(SSL_CTX *); -long SSL_CTX_set_timeout(SSL_CTX *ctx, long t); -long SSL_CTX_get_timeout(const SSL_CTX *ctx); -X509_STORE *SSL_CTX_get_cert_store(const SSL_CTX *); -void SSL_CTX_set_cert_store(SSL_CTX *, X509_STORE *); -int SSL_want(const SSL *s); -int SSL_clear(SSL *s); - -void SSL_CTX_flush_sessions(SSL_CTX *ctx, long tm); - -const SSL_CIPHER *SSL_get_current_cipher(const SSL *s); -const SSL_CIPHER *SSL_CIPHER_get_by_id(unsigned int id); -const SSL_CIPHER *SSL_CIPHER_get_by_value(uint16_t value); -int SSL_CIPHER_get_bits(const SSL_CIPHER *c, int *alg_bits); -char * SSL_CIPHER_get_version(const SSL_CIPHER *c); -const char * SSL_CIPHER_get_name(const SSL_CIPHER *c); -unsigned long SSL_CIPHER_get_id(const SSL_CIPHER *c); -uint16_t SSL_CIPHER_get_value(const SSL_CIPHER *c); - -int SSL_get_fd(const SSL *s); -int SSL_get_rfd(const SSL *s); -int SSL_get_wfd(const SSL *s); -const char * SSL_get_cipher_list(const SSL *s, int n); -char * SSL_get_shared_ciphers(const SSL *s, char *buf, int len); -int SSL_get_read_ahead(const SSL * s); -int SSL_pending(const SSL *s); -int SSL_set_fd(SSL *s, int fd); -int SSL_set_rfd(SSL *s, int fd); -int SSL_set_wfd(SSL *s, int fd); -#ifndef OPENSSL_NO_BIO -void SSL_set_bio(SSL *s, BIO *rbio, BIO *wbio); -BIO * SSL_get_rbio(const SSL *s); -BIO * SSL_get_wbio(const SSL *s); -#endif -int SSL_set_cipher_list(SSL *s, const char *str); -void SSL_set_read_ahead(SSL *s, int yes); -int SSL_get_verify_mode(const SSL *s); -int SSL_get_verify_depth(const SSL *s); -int (*SSL_get_verify_callback(const SSL *s))(int, X509_STORE_CTX *); -void SSL_set_verify(SSL *s, int mode, - int (*callback)(int ok, X509_STORE_CTX *ctx)); -void SSL_set_verify_depth(SSL *s, int depth); -int SSL_use_RSAPrivateKey(SSL *ssl, RSA *rsa); -int SSL_use_RSAPrivateKey_ASN1(SSL *ssl, unsigned char *d, long len); -int SSL_use_PrivateKey(SSL *ssl, EVP_PKEY *pkey); -int SSL_use_PrivateKey_ASN1(int pk, SSL *ssl, const unsigned char *d, long len); -int SSL_use_certificate(SSL *ssl, X509 *x); -int SSL_use_certificate_ASN1(SSL *ssl, const unsigned char *d, int len); - -int SSL_use_RSAPrivateKey_file(SSL *ssl, const char *file, int type); -int SSL_use_PrivateKey_file(SSL *ssl, const char *file, int type); -int SSL_use_certificate_file(SSL *ssl, const char *file, int type); -int SSL_CTX_use_RSAPrivateKey_file(SSL_CTX *ctx, const char *file, int type); -int SSL_CTX_use_PrivateKey_file(SSL_CTX *ctx, const char *file, int type); -int SSL_CTX_use_certificate_file(SSL_CTX *ctx, const char *file, int type); -int SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, const char *file); /* PEM type */ -int SSL_CTX_use_certificate_chain_mem(SSL_CTX *ctx, void *buf, int len); -STACK_OF(X509_NAME) *SSL_load_client_CA_file(const char *file); -int SSL_add_file_cert_subjects_to_stack(STACK_OF(X509_NAME) *stackCAs, - const char *file); -int SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *stackCAs, - const char *dir); - -void SSL_load_error_strings(void ); -const char *SSL_state_string(const SSL *s); -const char *SSL_rstate_string(const SSL *s); -const char *SSL_state_string_long(const SSL *s); -const char *SSL_rstate_string_long(const SSL *s); -long SSL_SESSION_get_time(const SSL_SESSION *s); -long SSL_SESSION_set_time(SSL_SESSION *s, long t); -long SSL_SESSION_get_timeout(const SSL_SESSION *s); -long SSL_SESSION_set_timeout(SSL_SESSION *s, long t); -void SSL_copy_session_id(SSL *to, const SSL *from); -X509 *SSL_SESSION_get0_peer(SSL_SESSION *s); -int -SSL_SESSION_set1_id_context(SSL_SESSION *s, const unsigned char *sid_ctx, -unsigned int sid_ctx_len); - -SSL_SESSION *SSL_SESSION_new(void); -const unsigned char *SSL_SESSION_get_id(const SSL_SESSION *s, - unsigned int *len); -unsigned int SSL_SESSION_get_compress_id(const SSL_SESSION *s); -int SSL_SESSION_print_fp(FILE *fp, const SSL_SESSION *ses); -#ifndef OPENSSL_NO_BIO -int SSL_SESSION_print(BIO *fp, const SSL_SESSION *ses); -#endif -void SSL_SESSION_free(SSL_SESSION *ses); -int i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp); -int SSL_set_session(SSL *to, SSL_SESSION *session); -int SSL_CTX_add_session(SSL_CTX *s, SSL_SESSION *c); -int SSL_CTX_remove_session(SSL_CTX *, SSL_SESSION *c); -int SSL_CTX_set_generate_session_id(SSL_CTX *, GEN_SESSION_CB); -int SSL_set_generate_session_id(SSL *, GEN_SESSION_CB); -int SSL_has_matching_session_id(const SSL *ssl, const unsigned char *id, - unsigned int id_len); -SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp, - long length); - -#ifdef HEADER_X509_H -X509 * SSL_get_peer_certificate(const SSL *s); -#endif - -STACK_OF(X509) *SSL_get_peer_cert_chain(const SSL *s); - -int SSL_CTX_get_verify_mode(const SSL_CTX *ctx); -int SSL_CTX_get_verify_depth(const SSL_CTX *ctx); -int (*SSL_CTX_get_verify_callback(const SSL_CTX *ctx))(int, X509_STORE_CTX *); -void SSL_CTX_set_verify(SSL_CTX *ctx, int mode, - int (*callback)(int, X509_STORE_CTX *)); -void SSL_CTX_set_verify_depth(SSL_CTX *ctx, int depth); -void SSL_CTX_set_cert_verify_callback(SSL_CTX *ctx, int (*cb)(X509_STORE_CTX *, void *), void *arg); -int SSL_CTX_use_RSAPrivateKey(SSL_CTX *ctx, RSA *rsa); -int SSL_CTX_use_RSAPrivateKey_ASN1(SSL_CTX *ctx, const unsigned char *d, long len); -int SSL_CTX_use_PrivateKey(SSL_CTX *ctx, EVP_PKEY *pkey); -int SSL_CTX_use_PrivateKey_ASN1(int pk, SSL_CTX *ctx, const unsigned char *d, long len); -int SSL_CTX_use_certificate(SSL_CTX *ctx, X509 *x); -int SSL_CTX_use_certificate_ASN1(SSL_CTX *ctx, int len, const unsigned char *d); - -void SSL_CTX_set_default_passwd_cb(SSL_CTX *ctx, pem_password_cb *cb); -void SSL_CTX_set_default_passwd_cb_userdata(SSL_CTX *ctx, void *u); - -int SSL_CTX_check_private_key(const SSL_CTX *ctx); -int SSL_check_private_key(const SSL *ctx); - -int SSL_CTX_set_session_id_context(SSL_CTX *ctx, const unsigned char *sid_ctx, unsigned int sid_ctx_len); - -SSL *SSL_new(SSL_CTX *ctx); -int SSL_set_session_id_context(SSL *ssl, const unsigned char *sid_ctx, unsigned int sid_ctx_len); - -int SSL_CTX_set_purpose(SSL_CTX *s, int purpose); -int SSL_set_purpose(SSL *s, int purpose); -int SSL_CTX_set_trust(SSL_CTX *s, int trust); -int SSL_set_trust(SSL *s, int trust); - -int SSL_CTX_set1_param(SSL_CTX *ctx, X509_VERIFY_PARAM *vpm); -int SSL_set1_param(SSL *ssl, X509_VERIFY_PARAM *vpm); - - -void SSL_free(SSL *ssl); -int SSL_accept(SSL *ssl); -int SSL_connect(SSL *ssl); -int SSL_read(SSL *ssl, void *buf, int num); -int SSL_peek(SSL *ssl, void *buf, int num); -int SSL_write(SSL *ssl, const void *buf, int num); -long SSL_ctrl(SSL *ssl, int cmd, long larg, void *parg); -long SSL_callback_ctrl(SSL *, int, void (*)(void)); -long SSL_CTX_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg); -long SSL_CTX_callback_ctrl(SSL_CTX *, int, void (*)(void)); - -int SSL_get_error(const SSL *s, int ret_code); -const char *SSL_get_version(const SSL *s); - -/* This sets the 'default' SSL version that SSL_new() will create */ -int SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *meth); - -const SSL_METHOD *SSLv23_method(void); /* SSLv3 or TLSv1.* */ -const SSL_METHOD *SSLv23_server_method(void); /* SSLv3 or TLSv1.* */ -const SSL_METHOD *SSLv23_client_method(void); /* SSLv3 or TLSv1.* */ - -const SSL_METHOD *TLSv1_method(void); /* TLSv1.0 */ -const SSL_METHOD *TLSv1_server_method(void); /* TLSv1.0 */ -const SSL_METHOD *TLSv1_client_method(void); /* TLSv1.0 */ - -const SSL_METHOD *TLSv1_1_method(void); /* TLSv1.1 */ -const SSL_METHOD *TLSv1_1_server_method(void); /* TLSv1.1 */ -const SSL_METHOD *TLSv1_1_client_method(void); /* TLSv1.1 */ - -const SSL_METHOD *TLSv1_2_method(void); /* TLSv1.2 */ -const SSL_METHOD *TLSv1_2_server_method(void); /* TLSv1.2 */ -const SSL_METHOD *TLSv1_2_client_method(void); /* TLSv1.2 */ - -const SSL_METHOD *TLS_method(void); /* TLS v1.0 or later */ -const SSL_METHOD *TLS_server_method(void); /* TLS v1.0 or later */ -const SSL_METHOD *TLS_client_method(void); /* TLS v1.0 or later */ - -const SSL_METHOD *DTLSv1_method(void); /* DTLSv1.0 */ -const SSL_METHOD *DTLSv1_server_method(void); /* DTLSv1.0 */ -const SSL_METHOD *DTLSv1_client_method(void); /* DTLSv1.0 */ - -STACK_OF(SSL_CIPHER) *SSL_get_ciphers(const SSL *s); - -int SSL_do_handshake(SSL *s); -int SSL_renegotiate(SSL *s); -int SSL_renegotiate_abbreviated(SSL *s); -int SSL_renegotiate_pending(SSL *s); -int SSL_shutdown(SSL *s); - -const SSL_METHOD *SSL_get_ssl_method(SSL *s); -int SSL_set_ssl_method(SSL *s, const SSL_METHOD *method); -const char *SSL_alert_type_string_long(int value); -const char *SSL_alert_type_string(int value); -const char *SSL_alert_desc_string_long(int value); -const char *SSL_alert_desc_string(int value); - -void SSL_set_client_CA_list(SSL *s, STACK_OF(X509_NAME) *name_list); -void SSL_CTX_set_client_CA_list(SSL_CTX *ctx, STACK_OF(X509_NAME) *name_list); -STACK_OF(X509_NAME) *SSL_get_client_CA_list(const SSL *s); -STACK_OF(X509_NAME) *SSL_CTX_get_client_CA_list(const SSL_CTX *s); -int SSL_add_client_CA(SSL *ssl, X509 *x); -int SSL_CTX_add_client_CA(SSL_CTX *ctx, X509 *x); - -void SSL_set_connect_state(SSL *s); -void SSL_set_accept_state(SSL *s); - -long SSL_get_default_timeout(const SSL *s); - -int SSL_library_init(void ); - -char *SSL_CIPHER_description(const SSL_CIPHER *, char *buf, int size); -STACK_OF(X509_NAME) *SSL_dup_CA_list(STACK_OF(X509_NAME) *sk); - -SSL *SSL_dup(SSL *ssl); - -X509 *SSL_get_certificate(const SSL *ssl); -/* EVP_PKEY */ struct evp_pkey_st *SSL_get_privatekey(SSL *ssl); - -void SSL_CTX_set_quiet_shutdown(SSL_CTX *ctx,int mode); -int SSL_CTX_get_quiet_shutdown(const SSL_CTX *ctx); -void SSL_set_quiet_shutdown(SSL *ssl,int mode); -int SSL_get_quiet_shutdown(const SSL *ssl); -void SSL_set_shutdown(SSL *ssl,int mode); -int SSL_get_shutdown(const SSL *ssl); -int SSL_version(const SSL *ssl); -int SSL_CTX_set_default_verify_paths(SSL_CTX *ctx); -int SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile, - const char *CApath); -int SSL_CTX_load_verify_mem(SSL_CTX *ctx, void *buf, int len); -#define SSL_get0_session SSL_get_session /* just peek at pointer */ -SSL_SESSION *SSL_get_session(const SSL *ssl); -SSL_SESSION *SSL_get1_session(SSL *ssl); /* obtain a reference count */ -SSL_CTX *SSL_get_SSL_CTX(const SSL *ssl); -SSL_CTX *SSL_set_SSL_CTX(SSL *ssl, SSL_CTX* ctx); -void SSL_set_info_callback(SSL *ssl, - void (*cb)(const SSL *ssl, int type, int val)); -void (*SSL_get_info_callback(const SSL *ssl))(const SSL *ssl, int type, int val); -int SSL_state(const SSL *ssl); -void SSL_set_state(SSL *ssl, int state); - -void SSL_set_verify_result(SSL *ssl, long v); -long SSL_get_verify_result(const SSL *ssl); - -int SSL_set_ex_data(SSL *ssl, int idx, void *data); -void *SSL_get_ex_data(const SSL *ssl, int idx); -int SSL_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func, - CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func); - -int SSL_SESSION_set_ex_data(SSL_SESSION *ss, int idx, void *data); -void *SSL_SESSION_get_ex_data(const SSL_SESSION *ss, int idx); -int SSL_SESSION_get_ex_new_index(long argl, void *argp, - CRYPTO_EX_new *new_func, CRYPTO_EX_dup *dup_func, - CRYPTO_EX_free *free_func); - -int SSL_CTX_set_ex_data(SSL_CTX *ssl, int idx, void *data); -void *SSL_CTX_get_ex_data(const SSL_CTX *ssl, int idx); -int SSL_CTX_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func, - CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func); - -int SSL_get_ex_data_X509_STORE_CTX_idx(void ); - -#define SSL_CTX_sess_set_cache_size(ctx,t) \ - SSL_CTX_ctrl(ctx,SSL_CTRL_SET_SESS_CACHE_SIZE,t,NULL) -#define SSL_CTX_sess_get_cache_size(ctx) \ - SSL_CTX_ctrl(ctx,SSL_CTRL_GET_SESS_CACHE_SIZE,0,NULL) -#define SSL_CTX_set_session_cache_mode(ctx,m) \ - SSL_CTX_ctrl(ctx,SSL_CTRL_SET_SESS_CACHE_MODE,m,NULL) -#define SSL_CTX_get_session_cache_mode(ctx) \ - SSL_CTX_ctrl(ctx,SSL_CTRL_GET_SESS_CACHE_MODE,0,NULL) - -#define SSL_CTX_get_default_read_ahead(ctx) SSL_CTX_get_read_ahead(ctx) -#define SSL_CTX_set_default_read_ahead(ctx,m) SSL_CTX_set_read_ahead(ctx,m) -#define SSL_CTX_get_read_ahead(ctx) \ - SSL_CTX_ctrl(ctx,SSL_CTRL_GET_READ_AHEAD,0,NULL) -#define SSL_CTX_set_read_ahead(ctx,m) \ - SSL_CTX_ctrl(ctx,SSL_CTRL_SET_READ_AHEAD,m,NULL) -#define SSL_CTX_get_max_cert_list(ctx) \ - SSL_CTX_ctrl(ctx,SSL_CTRL_GET_MAX_CERT_LIST,0,NULL) -#define SSL_CTX_set_max_cert_list(ctx,m) \ - SSL_CTX_ctrl(ctx,SSL_CTRL_SET_MAX_CERT_LIST,m,NULL) -#define SSL_get_max_cert_list(ssl) \ - SSL_ctrl(ssl,SSL_CTRL_GET_MAX_CERT_LIST,0,NULL) -#define SSL_set_max_cert_list(ssl,m) \ - SSL_ctrl(ssl,SSL_CTRL_SET_MAX_CERT_LIST,m,NULL) - -#define SSL_CTX_set_max_send_fragment(ctx,m) \ - SSL_CTX_ctrl(ctx,SSL_CTRL_SET_MAX_SEND_FRAGMENT,m,NULL) -#define SSL_set_max_send_fragment(ssl,m) \ - SSL_ctrl(ssl,SSL_CTRL_SET_MAX_SEND_FRAGMENT,m,NULL) - -/* NB: the keylength is only applicable when is_export is true */ -void SSL_CTX_set_tmp_rsa_callback(SSL_CTX *ctx, - RSA *(*cb)(SSL *ssl, int is_export, int keylength)); - -void SSL_set_tmp_rsa_callback(SSL *ssl, - RSA *(*cb)(SSL *ssl, int is_export, int keylength)); -void SSL_CTX_set_tmp_dh_callback(SSL_CTX *ctx, - DH *(*dh)(SSL *ssl, int is_export, int keylength)); -void SSL_set_tmp_dh_callback(SSL *ssl, - DH *(*dh)(SSL *ssl, int is_export, int keylength)); -void SSL_CTX_set_tmp_ecdh_callback(SSL_CTX *ctx, - EC_KEY *(*ecdh)(SSL *ssl, int is_export, int keylength)); -void SSL_set_tmp_ecdh_callback(SSL *ssl, - EC_KEY *(*ecdh)(SSL *ssl, int is_export, int keylength)); - -const void *SSL_get_current_compression(SSL *s); -const void *SSL_get_current_expansion(SSL *s); - -const char *SSL_COMP_get_name(const void *comp); -void *SSL_COMP_get_compression_methods(void); -int SSL_COMP_add_compression_method(int id, void *cm); - -/* TLS extensions functions */ -int SSL_set_session_ticket_ext(SSL *s, void *ext_data, int ext_len); - -int SSL_set_session_ticket_ext_cb(SSL *s, - tls_session_ticket_ext_cb_fn cb, void *arg); - -/* Pre-shared secret session resumption functions */ -int SSL_set_session_secret_cb(SSL *s, - tls_session_secret_cb_fn tls_session_secret_cb, void *arg); - -void SSL_set_debug(SSL *s, int debug); -int SSL_cache_hit(SSL *s); - -/* BEGIN ERROR CODES */ -/* The following lines are auto generated by the script mkerr.pl. Any changes - * made after this point may be overwritten when the script is next run. - */ -void ERR_load_SSL_strings(void); - -/* Error codes for the SSL functions. */ - -/* Function codes. */ -#define SSL_F_CLIENT_CERTIFICATE 100 -#define SSL_F_CLIENT_FINISHED 167 -#define SSL_F_CLIENT_HELLO 101 -#define SSL_F_CLIENT_MASTER_KEY 102 -#define SSL_F_D2I_SSL_SESSION 103 -#define SSL_F_DO_DTLS1_WRITE 245 -#define SSL_F_DO_SSL3_WRITE 104 -#define SSL_F_DTLS1_ACCEPT 246 -#define SSL_F_DTLS1_ADD_CERT_TO_BUF 295 -#define SSL_F_DTLS1_BUFFER_RECORD 247 -#define SSL_F_DTLS1_CHECK_TIMEOUT_NUM 316 -#define SSL_F_DTLS1_CLIENT_HELLO 248 -#define SSL_F_DTLS1_CONNECT 249 -#define SSL_F_DTLS1_ENC 250 -#define SSL_F_DTLS1_GET_HELLO_VERIFY 251 -#define SSL_F_DTLS1_GET_MESSAGE 252 -#define SSL_F_DTLS1_GET_MESSAGE_FRAGMENT 253 -#define SSL_F_DTLS1_GET_RECORD 254 -#define SSL_F_DTLS1_HANDLE_TIMEOUT 297 -#define SSL_F_DTLS1_HEARTBEAT 305 -#define SSL_F_DTLS1_OUTPUT_CERT_CHAIN 255 -#define SSL_F_DTLS1_PREPROCESS_FRAGMENT 288 -#define SSL_F_DTLS1_PROCESS_OUT_OF_SEQ_MESSAGE 256 -#define SSL_F_DTLS1_PROCESS_RECORD 257 -#define SSL_F_DTLS1_READ_BYTES 258 -#define SSL_F_DTLS1_READ_FAILED 259 -#define SSL_F_DTLS1_SEND_CERTIFICATE_REQUEST 260 -#define SSL_F_DTLS1_SEND_CLIENT_CERTIFICATE 261 -#define SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE 262 -#define SSL_F_DTLS1_SEND_CLIENT_VERIFY 263 -#define SSL_F_DTLS1_SEND_HELLO_VERIFY_REQUEST 264 -#define SSL_F_DTLS1_SEND_SERVER_CERTIFICATE 265 -#define SSL_F_DTLS1_SEND_SERVER_HELLO 266 -#define SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE 267 -#define SSL_F_DTLS1_WRITE_APP_DATA_BYTES 268 -#define SSL_F_GET_CLIENT_FINISHED 105 -#define SSL_F_GET_CLIENT_HELLO 106 -#define SSL_F_GET_CLIENT_MASTER_KEY 107 -#define SSL_F_GET_SERVER_FINISHED 108 -#define SSL_F_GET_SERVER_HELLO 109 -#define SSL_F_GET_SERVER_VERIFY 110 -#define SSL_F_I2D_SSL_SESSION 111 -#define SSL_F_READ_N 112 -#define SSL_F_REQUEST_CERTIFICATE 113 -#define SSL_F_SERVER_FINISH 239 -#define SSL_F_SERVER_HELLO 114 -#define SSL_F_SERVER_VERIFY 240 -#define SSL_F_SSL23_ACCEPT 115 -#define SSL_F_SSL23_CLIENT_HELLO 116 -#define SSL_F_SSL23_CONNECT 117 -#define SSL_F_SSL23_GET_CLIENT_HELLO 118 -#define SSL_F_SSL23_GET_SERVER_HELLO 119 -#define SSL_F_SSL23_PEEK 237 -#define SSL_F_SSL23_READ 120 -#define SSL_F_SSL23_WRITE 121 -#define SSL_F_SSL2_ACCEPT 122 -#define SSL_F_SSL2_CONNECT 123 -#define SSL_F_SSL2_ENC_INIT 124 -#define SSL_F_SSL2_GENERATE_KEY_MATERIAL 241 -#define SSL_F_SSL2_PEEK 234 -#define SSL_F_SSL2_READ 125 -#define SSL_F_SSL2_READ_INTERNAL 236 -#define SSL_F_SSL2_SET_CERTIFICATE 126 -#define SSL_F_SSL2_WRITE 127 -#define SSL_F_SSL3_ACCEPT 128 -#define SSL_F_SSL3_ADD_CERT_TO_BUF 296 -#define SSL_F_SSL3_CALLBACK_CTRL 233 -#define SSL_F_SSL3_CHANGE_CIPHER_STATE 129 -#define SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM 130 -#define SSL_F_SSL3_CHECK_CLIENT_HELLO 304 -#define SSL_F_SSL3_CLIENT_HELLO 131 -#define SSL_F_SSL3_CONNECT 132 -#define SSL_F_SSL3_CTRL 213 -#define SSL_F_SSL3_CTX_CTRL 133 -#define SSL_F_SSL3_DIGEST_CACHED_RECORDS 293 -#define SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC 292 -#define SSL_F_SSL3_ENC 134 -#define SSL_F_SSL3_GENERATE_KEY_BLOCK 238 -#define SSL_F_SSL3_GET_CERTIFICATE_REQUEST 135 -#define SSL_F_SSL3_GET_CERT_STATUS 289 -#define SSL_F_SSL3_GET_CERT_VERIFY 136 -#define SSL_F_SSL3_GET_CLIENT_CERTIFICATE 137 -#define SSL_F_SSL3_GET_CLIENT_HELLO 138 -#define SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE 139 -#define SSL_F_SSL3_GET_FINISHED 140 -#define SSL_F_SSL3_GET_KEY_EXCHANGE 141 -#define SSL_F_SSL3_GET_MESSAGE 142 -#define SSL_F_SSL3_GET_NEW_SESSION_TICKET 283 -#define SSL_F_SSL3_GET_NEXT_PROTO 306 -#define SSL_F_SSL3_GET_RECORD 143 -#define SSL_F_SSL3_GET_SERVER_CERTIFICATE 144 -#define SSL_F_SSL3_GET_SERVER_DONE 145 -#define SSL_F_SSL3_GET_SERVER_HELLO 146 -#define SSL_F_SSL3_HANDSHAKE_MAC 285 -#define SSL_F_SSL3_NEW_SESSION_TICKET 287 -#define SSL_F_SSL3_OUTPUT_CERT_CHAIN 147 -#define SSL_F_SSL3_PEEK 235 -#define SSL_F_SSL3_READ_BYTES 148 -#define SSL_F_SSL3_READ_N 149 -#define SSL_F_SSL3_SEND_CERTIFICATE_REQUEST 150 -#define SSL_F_SSL3_SEND_CLIENT_CERTIFICATE 151 -#define SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE 152 -#define SSL_F_SSL3_SEND_CLIENT_VERIFY 153 -#define SSL_F_SSL3_SEND_SERVER_CERTIFICATE 154 -#define SSL_F_SSL3_SEND_SERVER_HELLO 242 -#define SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE 155 -#define SSL_F_SSL3_SETUP_KEY_BLOCK 157 -#define SSL_F_SSL3_SETUP_READ_BUFFER 156 -#define SSL_F_SSL3_SETUP_WRITE_BUFFER 291 -#define SSL_F_SSL3_WRITE_BYTES 158 -#define SSL_F_SSL3_WRITE_PENDING 159 -#define SSL_F_SSL_ADD_CLIENTHELLO_RENEGOTIATE_EXT 298 -#define SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT 277 -#define SSL_F_SSL_ADD_CLIENTHELLO_USE_SRTP_EXT 307 -#define SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK 215 -#define SSL_F_SSL_ADD_FILE_CERT_SUBJECTS_TO_STACK 216 -#define SSL_F_SSL_ADD_SERVERHELLO_RENEGOTIATE_EXT 299 -#define SSL_F_SSL_ADD_SERVERHELLO_TLSEXT 278 -#define SSL_F_SSL_ADD_SERVERHELLO_USE_SRTP_EXT 308 -#define SSL_F_SSL_BAD_METHOD 160 -#define SSL_F_SSL_BYTES_TO_CIPHER_LIST 161 -#define SSL_F_SSL_CERT_DUP 221 -#define SSL_F_SSL_CERT_INST 222 -#define SSL_F_SSL_CERT_INSTANTIATE 214 -#define SSL_F_SSL_CERT_NEW 162 -#define SSL_F_SSL_CHECK_PRIVATE_KEY 163 -#define SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT 280 -#define SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG 279 -#define SSL_F_SSL_CIPHER_PROCESS_RULESTR 230 -#define SSL_F_SSL_CIPHER_STRENGTH_SORT 231 -#define SSL_F_SSL_CLEAR 164 -#define SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD 165 -#define SSL_F_SSL_CREATE_CIPHER_LIST 166 -#define SSL_F_SSL_CTRL 232 -#define SSL_F_SSL_CTX_CHECK_PRIVATE_KEY 168 -#define SSL_F_SSL_CTX_MAKE_PROFILES 309 -#define SSL_F_SSL_CTX_NEW 169 -#define SSL_F_SSL_CTX_SET_CIPHER_LIST 269 -#define SSL_F_SSL_CTX_SET_CLIENT_CERT_ENGINE 290 -#define SSL_F_SSL_CTX_SET_PURPOSE 226 -#define SSL_F_SSL_CTX_SET_SESSION_ID_CONTEXT 219 -#define SSL_F_SSL_CTX_SET_SSL_VERSION 170 -#define SSL_F_SSL_CTX_SET_TRUST 229 -#define SSL_F_SSL_CTX_USE_CERTIFICATE 171 -#define SSL_F_SSL_CTX_USE_CERTIFICATE_ASN1 172 -#define SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE 220 -#define SSL_F_SSL_CTX_USE_CERTIFICATE_FILE 173 -#define SSL_F_SSL_CTX_USE_PRIVATEKEY 174 -#define SSL_F_SSL_CTX_USE_PRIVATEKEY_ASN1 175 -#define SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE 176 -#define SSL_F_SSL_CTX_USE_PSK_IDENTITY_HINT 272 -#define SSL_F_SSL_CTX_USE_RSAPRIVATEKEY 177 -#define SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_ASN1 178 -#define SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE 179 -#define SSL_F_SSL_DO_HANDSHAKE 180 -#define SSL_F_SSL_GET_NEW_SESSION 181 -#define SSL_F_SSL_GET_PREV_SESSION 217 -#define SSL_F_SSL_GET_SERVER_SEND_CERT 182 -#define SSL_F_SSL_GET_SERVER_SEND_PKEY 317 -#define SSL_F_SSL_GET_SIGN_PKEY 183 -#define SSL_F_SSL_INIT_WBIO_BUFFER 184 -#define SSL_F_SSL_LOAD_CLIENT_CA_FILE 185 -#define SSL_F_SSL_NEW 186 -#define SSL_F_SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT 300 -#define SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT 302 -#define SSL_F_SSL_PARSE_CLIENTHELLO_USE_SRTP_EXT 310 -#define SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT 301 -#define SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT 303 -#define SSL_F_SSL_PARSE_SERVERHELLO_USE_SRTP_EXT 311 -#define SSL_F_SSL_PEEK 270 -#define SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT 281 -#define SSL_F_SSL_PREPARE_SERVERHELLO_TLSEXT 282 -#define SSL_F_SSL_READ 223 -#define SSL_F_SSL_RSA_PRIVATE_DECRYPT 187 -#define SSL_F_SSL_RSA_PUBLIC_ENCRYPT 188 -#define SSL_F_SSL_SESSION_NEW 189 -#define SSL_F_SSL_SESSION_PRINT_FP 190 -#define SSL_F_SSL_SESSION_SET1_ID_CONTEXT 312 -#define SSL_F_SSL_SESS_CERT_NEW 225 -#define SSL_F_SSL_SET_CERT 191 -#define SSL_F_SSL_SET_CIPHER_LIST 271 -#define SSL_F_SSL_SET_FD 192 -#define SSL_F_SSL_SET_PKEY 193 -#define SSL_F_SSL_SET_PURPOSE 227 -#define SSL_F_SSL_SET_RFD 194 -#define SSL_F_SSL_SET_SESSION 195 -#define SSL_F_SSL_SET_SESSION_ID_CONTEXT 218 -#define SSL_F_SSL_SET_SESSION_TICKET_EXT 294 -#define SSL_F_SSL_SET_TRUST 228 -#define SSL_F_SSL_SET_WFD 196 -#define SSL_F_SSL_SHUTDOWN 224 -#define SSL_F_SSL_SRP_CTX_INIT 313 -#define SSL_F_SSL_UNDEFINED_CONST_FUNCTION 243 -#define SSL_F_SSL_UNDEFINED_FUNCTION 197 -#define SSL_F_SSL_UNDEFINED_VOID_FUNCTION 244 -#define SSL_F_SSL_USE_CERTIFICATE 198 -#define SSL_F_SSL_USE_CERTIFICATE_ASN1 199 -#define SSL_F_SSL_USE_CERTIFICATE_FILE 200 -#define SSL_F_SSL_USE_PRIVATEKEY 201 -#define SSL_F_SSL_USE_PRIVATEKEY_ASN1 202 -#define SSL_F_SSL_USE_PRIVATEKEY_FILE 203 -#define SSL_F_SSL_USE_PSK_IDENTITY_HINT 273 -#define SSL_F_SSL_USE_RSAPRIVATEKEY 204 -#define SSL_F_SSL_USE_RSAPRIVATEKEY_ASN1 205 -#define SSL_F_SSL_USE_RSAPRIVATEKEY_FILE 206 -#define SSL_F_SSL_VERIFY_CERT_CHAIN 207 -#define SSL_F_SSL_WRITE 208 -#define SSL_F_TLS1_AEAD_CTX_INIT 339 -#define SSL_F_TLS1_CERT_VERIFY_MAC 286 -#define SSL_F_TLS1_CHANGE_CIPHER_STATE 209 -#define SSL_F_TLS1_CHANGE_CIPHER_STATE_AEAD 340 -#define SSL_F_TLS1_CHANGE_CIPHER_STATE_CIPHER 338 -#define SSL_F_TLS1_CHECK_SERVERHELLO_TLSEXT 274 -#define SSL_F_TLS1_ENC 210 -#define SSL_F_TLS1_EXPORT_KEYING_MATERIAL 314 -#define SSL_F_TLS1_HEARTBEAT 315 -#define SSL_F_TLS1_PREPARE_CLIENTHELLO_TLSEXT 275 -#define SSL_F_TLS1_PREPARE_SERVERHELLO_TLSEXT 276 -#define SSL_F_TLS1_PRF 284 -#define SSL_F_TLS1_SETUP_KEY_BLOCK 211 -#define SSL_F_WRITE_PENDING 212 - -/* Reason codes. */ -#define SSL_R_APP_DATA_IN_HANDSHAKE 100 -#define SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT 272 -#define SSL_R_BAD_ALERT_RECORD 101 -#define SSL_R_BAD_AUTHENTICATION_TYPE 102 -#define SSL_R_BAD_CHANGE_CIPHER_SPEC 103 -#define SSL_R_BAD_CHECKSUM 104 -#define SSL_R_BAD_DATA_RETURNED_BY_CALLBACK 106 -#define SSL_R_BAD_DECOMPRESSION 107 -#define SSL_R_BAD_DH_G_LENGTH 108 -#define SSL_R_BAD_DH_PUB_KEY_LENGTH 109 -#define SSL_R_BAD_DH_P_LENGTH 110 -#define SSL_R_BAD_DIGEST_LENGTH 111 -#define SSL_R_BAD_DSA_SIGNATURE 112 -#define SSL_R_BAD_ECC_CERT 304 -#define SSL_R_BAD_ECDSA_SIGNATURE 305 -#define SSL_R_BAD_ECPOINT 306 -#define SSL_R_BAD_HANDSHAKE_LENGTH 332 -#define SSL_R_BAD_HELLO_REQUEST 105 -#define SSL_R_BAD_LENGTH 271 -#define SSL_R_BAD_MAC_DECODE 113 -#define SSL_R_BAD_MAC_LENGTH 333 -#define SSL_R_BAD_MESSAGE_TYPE 114 -#define SSL_R_BAD_PACKET_LENGTH 115 -#define SSL_R_BAD_PROTOCOL_VERSION_NUMBER 116 -#define SSL_R_BAD_PSK_IDENTITY_HINT_LENGTH 316 -#define SSL_R_BAD_RESPONSE_ARGUMENT 117 -#define SSL_R_BAD_RSA_DECRYPT 118 -#define SSL_R_BAD_RSA_ENCRYPT 119 -#define SSL_R_BAD_RSA_E_LENGTH 120 -#define SSL_R_BAD_RSA_MODULUS_LENGTH 121 -#define SSL_R_BAD_RSA_SIGNATURE 122 -#define SSL_R_BAD_SIGNATURE 123 -#define SSL_R_BAD_SRP_A_LENGTH 347 -#define SSL_R_BAD_SRP_B_LENGTH 348 -#define SSL_R_BAD_SRP_G_LENGTH 349 -#define SSL_R_BAD_SRP_N_LENGTH 350 -#define SSL_R_BAD_SRP_S_LENGTH 351 -#define SSL_R_BAD_SRTP_MKI_VALUE 352 -#define SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST 353 -#define SSL_R_BAD_SSL_FILETYPE 124 -#define SSL_R_BAD_SSL_SESSION_ID_LENGTH 125 -#define SSL_R_BAD_STATE 126 -#define SSL_R_BAD_WRITE_RETRY 127 -#define SSL_R_BIO_NOT_SET 128 -#define SSL_R_BLOCK_CIPHER_PAD_IS_WRONG 129 -#define SSL_R_BN_LIB 130 -#define SSL_R_CA_DN_LENGTH_MISMATCH 131 -#define SSL_R_CA_DN_TOO_LONG 132 -#define SSL_R_CCS_RECEIVED_EARLY 133 -#define SSL_R_CERTIFICATE_VERIFY_FAILED 134 -#define SSL_R_CERT_LENGTH_MISMATCH 135 -#define SSL_R_CHALLENGE_IS_DIFFERENT 136 -#define SSL_R_CIPHER_CODE_WRONG_LENGTH 137 -#define SSL_R_CIPHER_COMPRESSION_UNAVAILABLE 371 -#define SSL_R_CIPHER_OR_HASH_UNAVAILABLE 138 -#define SSL_R_CIPHER_TABLE_SRC_ERROR 139 -#define SSL_R_CLIENTHELLO_TLSEXT 226 -#define SSL_R_COMPRESSED_LENGTH_TOO_LONG 140 -#define SSL_R_COMPRESSION_DISABLED 343 -#define SSL_R_COMPRESSION_FAILURE 141 -#define SSL_R_COMPRESSION_ID_NOT_WITHIN_PRIVATE_RANGE 307 -#define SSL_R_COMPRESSION_LIBRARY_ERROR 142 -#define SSL_R_CONNECTION_ID_IS_DIFFERENT 143 -#define SSL_R_CONNECTION_TYPE_NOT_SET 144 -#define SSL_R_COOKIE_MISMATCH 308 -#define SSL_R_DATA_BETWEEN_CCS_AND_FINISHED 145 -#define SSL_R_DATA_LENGTH_TOO_LONG 146 -#define SSL_R_DECRYPTION_FAILED 147 -#define SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC 281 -#define SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG 148 -#define SSL_R_DIGEST_CHECK_FAILED 149 -#define SSL_R_DTLS_MESSAGE_TOO_BIG 334 -#define SSL_R_DUPLICATE_COMPRESSION_ID 309 -#define SSL_R_ECC_CERT_NOT_FOR_KEY_AGREEMENT 317 -#define SSL_R_ECC_CERT_NOT_FOR_SIGNING 318 -#define SSL_R_ECC_CERT_SHOULD_HAVE_RSA_SIGNATURE 322 -#define SSL_R_ECC_CERT_SHOULD_HAVE_SHA1_SIGNATURE 323 -#define SSL_R_ECGROUP_TOO_LARGE_FOR_CIPHER 310 -#define SSL_R_EMPTY_SRTP_PROTECTION_PROFILE_LIST 354 -#define SSL_R_ENCRYPTED_LENGTH_TOO_LONG 150 -#define SSL_R_ERROR_GENERATING_TMP_RSA_KEY 282 -#define SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST 151 -#define SSL_R_EXCESSIVE_MESSAGE_SIZE 152 -#define SSL_R_EXTRA_DATA_IN_MESSAGE 153 -#define SSL_R_GOT_A_FIN_BEFORE_A_CCS 154 -#define SSL_R_GOT_NEXT_PROTO_BEFORE_A_CCS 355 -#define SSL_R_GOT_NEXT_PROTO_WITHOUT_EXTENSION 356 -#define SSL_R_HTTPS_PROXY_REQUEST 155 -#define SSL_R_HTTP_REQUEST 156 -#define SSL_R_ILLEGAL_PADDING 283 -#define SSL_R_INAPPROPRIATE_FALLBACK 373 -#define SSL_R_INCONSISTENT_COMPRESSION 340 -#define SSL_R_INVALID_CHALLENGE_LENGTH 158 -#define SSL_R_INVALID_COMMAND 280 -#define SSL_R_INVALID_COMPRESSION_ALGORITHM 341 -#define SSL_R_INVALID_PURPOSE 278 -#define SSL_R_INVALID_SRP_USERNAME 357 -#define SSL_R_INVALID_STATUS_RESPONSE 328 -#define SSL_R_INVALID_TICKET_KEYS_LENGTH 325 -#define SSL_R_INVALID_TRUST 279 -#define SSL_R_KEY_ARG_TOO_LONG 284 -#define SSL_R_KRB5 285 -#define SSL_R_KRB5_C_CC_PRINC 286 -#define SSL_R_KRB5_C_GET_CRED 287 -#define SSL_R_KRB5_C_INIT 288 -#define SSL_R_KRB5_C_MK_REQ 289 -#define SSL_R_KRB5_S_BAD_TICKET 290 -#define SSL_R_KRB5_S_INIT 291 -#define SSL_R_KRB5_S_RD_REQ 292 -#define SSL_R_KRB5_S_TKT_EXPIRED 293 -#define SSL_R_KRB5_S_TKT_NYV 294 -#define SSL_R_KRB5_S_TKT_SKEW 295 -#define SSL_R_LENGTH_MISMATCH 159 -#define SSL_R_LENGTH_TOO_SHORT 160 -#define SSL_R_LIBRARY_BUG 274 -#define SSL_R_LIBRARY_HAS_NO_CIPHERS 161 -#define SSL_R_MESSAGE_TOO_LONG 296 -#define SSL_R_MISSING_DH_DSA_CERT 162 -#define SSL_R_MISSING_DH_KEY 163 -#define SSL_R_MISSING_DH_RSA_CERT 164 -#define SSL_R_MISSING_DSA_SIGNING_CERT 165 -#define SSL_R_MISSING_EXPORT_TMP_DH_KEY 166 -#define SSL_R_MISSING_EXPORT_TMP_RSA_KEY 167 -#define SSL_R_MISSING_RSA_CERTIFICATE 168 -#define SSL_R_MISSING_RSA_ENCRYPTING_CERT 169 -#define SSL_R_MISSING_RSA_SIGNING_CERT 170 -#define SSL_R_MISSING_SRP_PARAM 358 -#define SSL_R_MISSING_TMP_DH_KEY 171 -#define SSL_R_MISSING_TMP_ECDH_KEY 311 -#define SSL_R_MISSING_TMP_RSA_KEY 172 -#define SSL_R_MISSING_TMP_RSA_PKEY 173 -#define SSL_R_MISSING_VERIFY_MESSAGE 174 -#define SSL_R_MULTIPLE_SGC_RESTARTS 346 -#define SSL_R_NON_SSLV2_INITIAL_PACKET 175 -#define SSL_R_NO_CERTIFICATES_RETURNED 176 -#define SSL_R_NO_CERTIFICATE_ASSIGNED 177 -#define SSL_R_NO_CERTIFICATE_RETURNED 178 -#define SSL_R_NO_CERTIFICATE_SET 179 -#define SSL_R_NO_CERTIFICATE_SPECIFIED 180 -#define SSL_R_NO_CIPHERS_AVAILABLE 181 -#define SSL_R_NO_CIPHERS_PASSED 182 -#define SSL_R_NO_CIPHERS_SPECIFIED 183 -#define SSL_R_NO_CIPHER_LIST 184 -#define SSL_R_NO_CIPHER_MATCH 185 -#define SSL_R_NO_CLIENT_CERT_METHOD 331 -#define SSL_R_NO_CLIENT_CERT_RECEIVED 186 -#define SSL_R_NO_COMPRESSION_SPECIFIED 187 -#define SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER 330 -#define SSL_R_NO_METHOD_SPECIFIED 188 -#define SSL_R_NO_PRIVATEKEY 189 -#define SSL_R_NO_PRIVATE_KEY_ASSIGNED 190 -#define SSL_R_NO_PROTOCOLS_AVAILABLE 191 -#define SSL_R_NO_PUBLICKEY 192 -#define SSL_R_NO_RENEGOTIATION 339 -#define SSL_R_NO_REQUIRED_DIGEST 324 -#define SSL_R_NO_SHARED_CIPHER 193 -#define SSL_R_NO_SRTP_PROFILES 359 -#define SSL_R_NO_VERIFY_CALLBACK 194 -#define SSL_R_NULL_SSL_CTX 195 -#define SSL_R_NULL_SSL_METHOD_PASSED 196 -#define SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED 197 -#define SSL_R_OLD_SESSION_COMPRESSION_ALGORITHM_NOT_RETURNED 344 -#define SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE 297 -#define SSL_R_PACKET_LENGTH_TOO_LONG 198 -#define SSL_R_PARSE_TLSEXT 227 -#define SSL_R_PATH_TOO_LONG 270 -#define SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE 199 -#define SSL_R_PEER_ERROR 200 -#define SSL_R_PEER_ERROR_CERTIFICATE 201 -#define SSL_R_PEER_ERROR_NO_CERTIFICATE 202 -#define SSL_R_PEER_ERROR_NO_CIPHER 203 -#define SSL_R_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE 204 -#define SSL_R_PRE_MAC_LENGTH_TOO_LONG 205 -#define SSL_R_PROBLEMS_MAPPING_CIPHER_FUNCTIONS 206 -#define SSL_R_PROTOCOL_IS_SHUTDOWN 207 -#define SSL_R_PSK_IDENTITY_NOT_FOUND 223 -#define SSL_R_PSK_NO_CLIENT_CB 224 -#define SSL_R_PSK_NO_SERVER_CB 225 -#define SSL_R_PUBLIC_KEY_ENCRYPT_ERROR 208 -#define SSL_R_PUBLIC_KEY_IS_NOT_RSA 209 -#define SSL_R_PUBLIC_KEY_NOT_RSA 210 -#define SSL_R_READ_BIO_NOT_SET 211 -#define SSL_R_READ_TIMEOUT_EXPIRED 312 -#define SSL_R_READ_WRONG_PACKET_TYPE 212 -#define SSL_R_RECORD_LENGTH_MISMATCH 213 -#define SSL_R_RECORD_TOO_LARGE 214 -#define SSL_R_RECORD_TOO_SMALL 298 -#define SSL_R_RENEGOTIATE_EXT_TOO_LONG 335 -#define SSL_R_RENEGOTIATION_ENCODING_ERR 336 -#define SSL_R_RENEGOTIATION_MISMATCH 337 -#define SSL_R_REQUIRED_CIPHER_MISSING 215 -#define SSL_R_REQUIRED_COMPRESSSION_ALGORITHM_MISSING 342 -#define SSL_R_REUSE_CERT_LENGTH_NOT_ZERO 216 -#define SSL_R_REUSE_CERT_TYPE_NOT_ZERO 217 -#define SSL_R_REUSE_CIPHER_LIST_NOT_ZERO 218 -#define SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING 345 -#define SSL_R_SERVERHELLO_TLSEXT 275 -#define SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED 277 -#define SSL_R_SHORT_READ 219 -#define SSL_R_SIGNATURE_ALGORITHMS_ERROR 360 -#define SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE 220 -#define SSL_R_SRP_A_CALC 361 -#define SSL_R_SRTP_COULD_NOT_ALLOCATE_PROFILES 362 -#define SSL_R_SRTP_PROTECTION_PROFILE_LIST_TOO_LONG 363 -#define SSL_R_SRTP_UNKNOWN_PROTECTION_PROFILE 364 -#define SSL_R_SSL23_DOING_SESSION_ID_REUSE 221 -#define SSL_R_SSL2_CONNECTION_ID_TOO_LONG 299 -#define SSL_R_SSL3_EXT_INVALID_ECPOINTFORMAT 321 -#define SSL_R_SSL3_EXT_INVALID_SERVERNAME 319 -#define SSL_R_SSL3_EXT_INVALID_SERVERNAME_TYPE 320 -#define SSL_R_SSL3_SESSION_ID_TOO_LONG 300 -#define SSL_R_SSL3_SESSION_ID_TOO_SHORT 222 -#define SSL_R_SSLV3_ALERT_BAD_CERTIFICATE 1042 -#define SSL_R_SSLV3_ALERT_BAD_RECORD_MAC 1020 -#define SSL_R_SSLV3_ALERT_CERTIFICATE_EXPIRED 1045 -#define SSL_R_SSLV3_ALERT_CERTIFICATE_REVOKED 1044 -#define SSL_R_SSLV3_ALERT_CERTIFICATE_UNKNOWN 1046 -#define SSL_R_SSLV3_ALERT_DECOMPRESSION_FAILURE 1030 -#define SSL_R_SSLV3_ALERT_HANDSHAKE_FAILURE 1040 -#define SSL_R_SSLV3_ALERT_ILLEGAL_PARAMETER 1047 -#define SSL_R_SSLV3_ALERT_NO_CERTIFICATE 1041 -#define SSL_R_SSLV3_ALERT_UNEXPECTED_MESSAGE 1010 -#define SSL_R_SSLV3_ALERT_UNSUPPORTED_CERTIFICATE 1043 -#define SSL_R_SSL_CTX_HAS_NO_DEFAULT_SSL_VERSION 228 -#define SSL_R_SSL_HANDSHAKE_FAILURE 229 -#define SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS 230 -#define SSL_R_SSL_SESSION_ID_CALLBACK_FAILED 301 -#define SSL_R_SSL_SESSION_ID_CONFLICT 302 -#define SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG 273 -#define SSL_R_SSL_SESSION_ID_HAS_BAD_LENGTH 303 -#define SSL_R_SSL_SESSION_ID_IS_DIFFERENT 231 -#define SSL_R_TLSV1_ALERT_ACCESS_DENIED 1049 -#define SSL_R_TLSV1_ALERT_DECODE_ERROR 1050 -#define SSL_R_TLSV1_ALERT_DECRYPTION_FAILED 1021 -#define SSL_R_TLSV1_ALERT_DECRYPT_ERROR 1051 -#define SSL_R_TLSV1_ALERT_EXPORT_RESTRICTION 1060 -#define SSL_R_TLSV1_ALERT_INAPPROPRIATE_FALLBACK 1086 -#define SSL_R_TLSV1_ALERT_INSUFFICIENT_SECURITY 1071 -#define SSL_R_TLSV1_ALERT_INTERNAL_ERROR 1080 -#define SSL_R_TLSV1_ALERT_NO_RENEGOTIATION 1100 -#define SSL_R_TLSV1_ALERT_PROTOCOL_VERSION 1070 -#define SSL_R_TLSV1_ALERT_RECORD_OVERFLOW 1022 -#define SSL_R_TLSV1_ALERT_UNKNOWN_CA 1048 -#define SSL_R_TLSV1_ALERT_USER_CANCELLED 1090 -#define SSL_R_TLSV1_BAD_CERTIFICATE_HASH_VALUE 1114 -#define SSL_R_TLSV1_BAD_CERTIFICATE_STATUS_RESPONSE 1113 -#define SSL_R_TLSV1_CERTIFICATE_UNOBTAINABLE 1111 -#define SSL_R_TLSV1_UNRECOGNIZED_NAME 1112 -#define SSL_R_TLSV1_UNSUPPORTED_EXTENSION 1110 -#define SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER 232 -#define SSL_R_TLS_HEARTBEAT_PEER_DOESNT_ACCEPT 365 -#define SSL_R_TLS_HEARTBEAT_PENDING 366 -#define SSL_R_TLS_ILLEGAL_EXPORTER_LABEL 367 -#define SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST 157 -#define SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST 233 -#define SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG 234 -#define SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER 235 -#define SSL_R_UNABLE_TO_DECODE_DH_CERTS 236 -#define SSL_R_UNABLE_TO_DECODE_ECDH_CERTS 313 -#define SSL_R_UNABLE_TO_EXTRACT_PUBLIC_KEY 237 -#define SSL_R_UNABLE_TO_FIND_DH_PARAMETERS 238 -#define SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS 314 -#define SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS 239 -#define SSL_R_UNABLE_TO_FIND_SSL_METHOD 240 -#define SSL_R_UNABLE_TO_LOAD_SSL2_MD5_ROUTINES 241 -#define SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES 242 -#define SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES 243 -#define SSL_R_UNEXPECTED_MESSAGE 244 -#define SSL_R_UNEXPECTED_RECORD 245 -#define SSL_R_UNINITIALIZED 276 -#define SSL_R_UNKNOWN_ALERT_TYPE 246 -#define SSL_R_UNKNOWN_CERTIFICATE_TYPE 247 -#define SSL_R_UNKNOWN_CIPHER_RETURNED 248 -#define SSL_R_UNKNOWN_CIPHER_TYPE 249 -#define SSL_R_UNKNOWN_DIGEST 368 -#define SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE 250 -#define SSL_R_UNKNOWN_PKEY_TYPE 251 -#define SSL_R_UNKNOWN_PROTOCOL 252 -#define SSL_R_UNKNOWN_REMOTE_ERROR_TYPE 253 -#define SSL_R_UNKNOWN_SSL_VERSION 254 -#define SSL_R_UNKNOWN_STATE 255 -#define SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED 338 -#define SSL_R_UNSUPPORTED_CIPHER 256 -#define SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM 257 -#define SSL_R_UNSUPPORTED_DIGEST_TYPE 326 -#define SSL_R_UNSUPPORTED_ELLIPTIC_CURVE 315 -#define SSL_R_UNSUPPORTED_PROTOCOL 258 -#define SSL_R_UNSUPPORTED_SSL_VERSION 259 -#define SSL_R_UNSUPPORTED_STATUS_TYPE 329 -#define SSL_R_USE_SRTP_NOT_NEGOTIATED 369 -#define SSL_R_WRITE_BIO_NOT_SET 260 -#define SSL_R_WRONG_CIPHER_RETURNED 261 -#define SSL_R_WRONG_CURVE 378 -#define SSL_R_WRONG_MESSAGE_TYPE 262 -#define SSL_R_WRONG_NUMBER_OF_KEY_BITS 263 -#define SSL_R_WRONG_SIGNATURE_LENGTH 264 -#define SSL_R_WRONG_SIGNATURE_SIZE 265 -#define SSL_R_WRONG_SIGNATURE_TYPE 370 -#define SSL_R_WRONG_SSL_VERSION 266 -#define SSL_R_WRONG_VERSION_NUMBER 267 -#define SSL_R_X509_LIB 268 -#define SSL_R_X509_VERIFICATION_SETUP_PROBLEMS 269 - -#ifdef __cplusplus -} -#endif -#endif diff --git a/lib/libssl/src/ssl/ssl2.h b/lib/libssl/src/ssl/ssl2.h deleted file mode 100644 index 3a8d300729a..00000000000 --- a/lib/libssl/src/ssl/ssl2.h +++ /dev/null @@ -1,153 +0,0 @@ -/* $OpenBSD: ssl2.h,v 1.12 2014/12/14 15:30:50 jsing Exp $ */ -/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) - * All rights reserved. - * - * This package is an SSL implementation written - * by Eric Young (eay@cryptsoft.com). - * The implementation was written so as to conform with Netscapes SSL. - * - * This library is free for commercial and non-commercial use as long as - * the following conditions are aheared to. The following conditions - * apply to all code found in this distribution, be it the RC4, RSA, - * lhash, DES, etc., code; not just the SSL code. The SSL documentation - * included with this distribution is covered by the same copyright terms - * except that the holder is Tim Hudson (tjh@cryptsoft.com). - * - * Copyright remains Eric Young's, and as such any Copyright notices in - * the code are not to be removed. - * If this package is used in a product, Eric Young should be given attribution - * as the author of the parts of the library used. - * This can be in the form of a textual message at program startup or - * in documentation (online or textual) provided with the package. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * "This product includes cryptographic software written by - * Eric Young (eay@cryptsoft.com)" - * The word 'cryptographic' can be left out if the rouines from the library - * being used are not cryptographic related :-). - * 4. If you include any Windows specific code (or a derivative thereof) from - * the apps directory (application code) you must include an acknowledgement: - * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" - * - * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * The licence and distribution terms for any publically available version or - * derivative of this code cannot be changed. i.e. this code cannot simply be - * copied and put under another distribution licence - * [including the GNU Public Licence.] - */ - -#ifndef HEADER_SSL2_H -#define HEADER_SSL2_H - -#ifdef __cplusplus -extern "C" { -#endif - -/* Protocol Version Codes */ -#define SSL2_VERSION 0x0002 -#define SSL2_VERSION_MAJOR 0x00 -#define SSL2_VERSION_MINOR 0x02 -/* #define SSL2_CLIENT_VERSION 0x0002 */ -/* #define SSL2_SERVER_VERSION 0x0002 */ - -/* Protocol Message Codes */ -#define SSL2_MT_ERROR 0 -#define SSL2_MT_CLIENT_HELLO 1 -#define SSL2_MT_CLIENT_MASTER_KEY 2 -#define SSL2_MT_CLIENT_FINISHED 3 -#define SSL2_MT_SERVER_HELLO 4 -#define SSL2_MT_SERVER_VERIFY 5 -#define SSL2_MT_SERVER_FINISHED 6 -#define SSL2_MT_REQUEST_CERTIFICATE 7 -#define SSL2_MT_CLIENT_CERTIFICATE 8 - -/* Error Message Codes */ -#define SSL2_PE_UNDEFINED_ERROR 0x0000 -#define SSL2_PE_NO_CIPHER 0x0001 -#define SSL2_PE_NO_CERTIFICATE 0x0002 -#define SSL2_PE_BAD_CERTIFICATE 0x0004 -#define SSL2_PE_UNSUPPORTED_CERTIFICATE_TYPE 0x0006 - -/* Cipher Kind Values */ -#define SSL2_CK_NULL_WITH_MD5 0x02000000 /* v3 */ -#define SSL2_CK_RC4_128_WITH_MD5 0x02010080 -#define SSL2_CK_RC4_128_EXPORT40_WITH_MD5 0x02020080 -#define SSL2_CK_RC2_128_CBC_WITH_MD5 0x02030080 -#define SSL2_CK_RC2_128_CBC_EXPORT40_WITH_MD5 0x02040080 -#define SSL2_CK_IDEA_128_CBC_WITH_MD5 0x02050080 -#define SSL2_CK_DES_64_CBC_WITH_MD5 0x02060040 -#define SSL2_CK_DES_64_CBC_WITH_SHA 0x02060140 /* v3 */ -#define SSL2_CK_DES_192_EDE3_CBC_WITH_MD5 0x020700c0 -#define SSL2_CK_DES_192_EDE3_CBC_WITH_SHA 0x020701c0 /* v3 */ -#define SSL2_CK_RC4_64_WITH_MD5 0x02080080 /* MS hack */ - -#define SSL2_CK_DES_64_CFB64_WITH_MD5_1 0x02ff0800 /* SSLeay */ -#define SSL2_CK_NULL 0x02ff0810 /* SSLeay */ - -#define SSL2_TXT_DES_64_CFB64_WITH_MD5_1 "DES-CFB-M1" -#define SSL2_TXT_NULL_WITH_MD5 "NULL-MD5" -#define SSL2_TXT_RC4_128_WITH_MD5 "RC4-MD5" -#define SSL2_TXT_RC4_128_EXPORT40_WITH_MD5 "EXP-RC4-MD5" -#define SSL2_TXT_RC2_128_CBC_WITH_MD5 "RC2-CBC-MD5" -#define SSL2_TXT_RC2_128_CBC_EXPORT40_WITH_MD5 "EXP-RC2-CBC-MD5" -#define SSL2_TXT_IDEA_128_CBC_WITH_MD5 "IDEA-CBC-MD5" -#define SSL2_TXT_DES_64_CBC_WITH_MD5 "DES-CBC-MD5" -#define SSL2_TXT_DES_64_CBC_WITH_SHA "DES-CBC-SHA" -#define SSL2_TXT_DES_192_EDE3_CBC_WITH_MD5 "DES-CBC3-MD5" -#define SSL2_TXT_DES_192_EDE3_CBC_WITH_SHA "DES-CBC3-SHA" -#define SSL2_TXT_RC4_64_WITH_MD5 "RC4-64-MD5" - -#define SSL2_TXT_NULL "NULL" - -/* Flags for the SSL_CIPHER.algorithm2 field */ -#define SSL2_CF_5_BYTE_ENC 0x01 -#define SSL2_CF_8_BYTE_ENC 0x02 - -/* Certificate Type Codes */ -#define SSL2_CT_X509_CERTIFICATE 0x01 - -/* Authentication Type Code */ -#define SSL2_AT_MD5_WITH_RSA_ENCRYPTION 0x01 - -#define SSL2_MAX_SSL_SESSION_ID_LENGTH 32 - -/* Upper/Lower Bounds */ -#define SSL2_MAX_MASTER_KEY_LENGTH_IN_BITS 256 -#define SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER 32767u /* 2^15-1 */ -#define SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER 16383 /* 2^14-1 */ - -#define SSL2_CHALLENGE_LENGTH 16 -/*#define SSL2_CHALLENGE_LENGTH 32 */ -#define SSL2_MIN_CHALLENGE_LENGTH 16 -#define SSL2_MAX_CHALLENGE_LENGTH 32 -#define SSL2_CONNECTION_ID_LENGTH 16 -#define SSL2_MAX_CONNECTION_ID_LENGTH 16 -#define SSL2_SSL_SESSION_ID_LENGTH 16 -#define SSL2_MAX_CERT_CHALLENGE_LENGTH 32 -#define SSL2_MIN_CERT_CHALLENGE_LENGTH 16 -#define SSL2_MAX_KEY_MATERIAL_LENGTH 24 - -#ifdef __cplusplus -} -#endif -#endif diff --git a/lib/libssl/src/ssl/ssl23.h b/lib/libssl/src/ssl/ssl23.h deleted file mode 100644 index 570e4b01714..00000000000 --- a/lib/libssl/src/ssl/ssl23.h +++ /dev/null @@ -1,82 +0,0 @@ -/* $OpenBSD: ssl23.h,v 1.4 2014/12/14 15:30:50 jsing Exp $ */ -/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) - * All rights reserved. - * - * This package is an SSL implementation written - * by Eric Young (eay@cryptsoft.com). - * The implementation was written so as to conform with Netscapes SSL. - * - * This library is free for commercial and non-commercial use as long as - * the following conditions are aheared to. The following conditions - * apply to all code found in this distribution, be it the RC4, RSA, - * lhash, DES, etc., code; not just the SSL code. The SSL documentation - * included with this distribution is covered by the same copyright terms - * except that the holder is Tim Hudson (tjh@cryptsoft.com). - * - * Copyright remains Eric Young's, and as such any Copyright notices in - * the code are not to be removed. - * If this package is used in a product, Eric Young should be given attribution - * as the author of the parts of the library used. - * This can be in the form of a textual message at program startup or - * in documentation (online or textual) provided with the package. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * "This product includes cryptographic software written by - * Eric Young (eay@cryptsoft.com)" - * The word 'cryptographic' can be left out if the rouines from the library - * being used are not cryptographic related :-). - * 4. If you include any Windows specific code (or a derivative thereof) from - * the apps directory (application code) you must include an acknowledgement: - * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" - * - * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * The licence and distribution terms for any publically available version or - * derivative of this code cannot be changed. i.e. this code cannot simply be - * copied and put under another distribution licence - * [including the GNU Public Licence.] - */ - -#ifndef HEADER_SSL23_H -#define HEADER_SSL23_H - -#ifdef __cplusplus -extern "C" { -#endif - -/*client */ -/* write to server */ -#define SSL23_ST_CW_CLNT_HELLO_A (0x210|SSL_ST_CONNECT) -#define SSL23_ST_CW_CLNT_HELLO_B (0x211|SSL_ST_CONNECT) -/* read from server */ -#define SSL23_ST_CR_SRVR_HELLO_A (0x220|SSL_ST_CONNECT) -#define SSL23_ST_CR_SRVR_HELLO_B (0x221|SSL_ST_CONNECT) - -/* server */ -/* read from client */ -#define SSL23_ST_SR_CLNT_HELLO_A (0x210|SSL_ST_ACCEPT) -#define SSL23_ST_SR_CLNT_HELLO_B (0x211|SSL_ST_ACCEPT) - -#ifdef __cplusplus -} -#endif -#endif diff --git a/lib/libssl/src/ssl/ssl3.h b/lib/libssl/src/ssl/ssl3.h deleted file mode 100644 index 5ec2fe6f884..00000000000 --- a/lib/libssl/src/ssl/ssl3.h +++ /dev/null @@ -1,617 +0,0 @@ -/* $OpenBSD: ssl3.h,v 1.41 2015/07/19 06:23:51 doug Exp $ */ -/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) - * All rights reserved. - * - * This package is an SSL implementation written - * by Eric Young (eay@cryptsoft.com). - * The implementation was written so as to conform with Netscapes SSL. - * - * This library is free for commercial and non-commercial use as long as - * the following conditions are aheared to. The following conditions - * apply to all code found in this distribution, be it the RC4, RSA, - * lhash, DES, etc., code; not just the SSL code. The SSL documentation - * included with this distribution is covered by the same copyright terms - * except that the holder is Tim Hudson (tjh@cryptsoft.com). - * - * Copyright remains Eric Young's, and as such any Copyright notices in - * the code are not to be removed. - * If this package is used in a product, Eric Young should be given attribution - * as the author of the parts of the library used. - * This can be in the form of a textual message at program startup or - * in documentation (online or textual) provided with the package. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * "This product includes cryptographic software written by - * Eric Young (eay@cryptsoft.com)" - * The word 'cryptographic' can be left out if the rouines from the library - * being used are not cryptographic related :-). - * 4. If you include any Windows specific code (or a derivative thereof) from - * the apps directory (application code) you must include an acknowledgement: - * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" - * - * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * The licence and distribution terms for any publically available version or - * derivative of this code cannot be changed. i.e. this code cannot simply be - * copied and put under another distribution licence - * [including the GNU Public Licence.] - */ -/* ==================================================================== - * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * openssl-core@openssl.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.openssl.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ -/* ==================================================================== - * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. - * ECC cipher suite support in OpenSSL originally developed by - * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project. - */ - -#ifndef HEADER_SSL3_H -#define HEADER_SSL3_H - -#include <openssl/buffer.h> -#include <openssl/evp.h> -#include <openssl/ssl.h> - -#ifdef __cplusplus -extern "C" { -#endif - -/* TLS_EMPTY_RENEGOTIATION_INFO_SCSV from RFC 5746. */ -#define SSL3_CK_SCSV 0x030000FF - -/* TLS_FALLBACK_SCSV from draft-ietf-tls-downgrade-scsv-03. */ -#define SSL3_CK_FALLBACK_SCSV 0x03005600 - -#define SSL3_CK_RSA_NULL_MD5 0x03000001 -#define SSL3_CK_RSA_NULL_SHA 0x03000002 -#define SSL3_CK_RSA_RC4_40_MD5 0x03000003 -#define SSL3_CK_RSA_RC4_128_MD5 0x03000004 -#define SSL3_CK_RSA_RC4_128_SHA 0x03000005 -#define SSL3_CK_RSA_RC2_40_MD5 0x03000006 -#define SSL3_CK_RSA_IDEA_128_SHA 0x03000007 -#define SSL3_CK_RSA_DES_40_CBC_SHA 0x03000008 -#define SSL3_CK_RSA_DES_64_CBC_SHA 0x03000009 -#define SSL3_CK_RSA_DES_192_CBC3_SHA 0x0300000A - -#define SSL3_CK_DH_DSS_DES_40_CBC_SHA 0x0300000B -#define SSL3_CK_DH_DSS_DES_64_CBC_SHA 0x0300000C -#define SSL3_CK_DH_DSS_DES_192_CBC3_SHA 0x0300000D -#define SSL3_CK_DH_RSA_DES_40_CBC_SHA 0x0300000E -#define SSL3_CK_DH_RSA_DES_64_CBC_SHA 0x0300000F -#define SSL3_CK_DH_RSA_DES_192_CBC3_SHA 0x03000010 - -#define SSL3_CK_EDH_DSS_DES_40_CBC_SHA 0x03000011 -#define SSL3_CK_EDH_DSS_DES_64_CBC_SHA 0x03000012 -#define SSL3_CK_EDH_DSS_DES_192_CBC3_SHA 0x03000013 -#define SSL3_CK_EDH_RSA_DES_40_CBC_SHA 0x03000014 -#define SSL3_CK_EDH_RSA_DES_64_CBC_SHA 0x03000015 -#define SSL3_CK_EDH_RSA_DES_192_CBC3_SHA 0x03000016 - -#define SSL3_CK_ADH_RC4_40_MD5 0x03000017 -#define SSL3_CK_ADH_RC4_128_MD5 0x03000018 -#define SSL3_CK_ADH_DES_40_CBC_SHA 0x03000019 -#define SSL3_CK_ADH_DES_64_CBC_SHA 0x0300001A -#define SSL3_CK_ADH_DES_192_CBC_SHA 0x0300001B - -/* VRS Additional Kerberos5 entries - */ -#define SSL3_CK_KRB5_DES_64_CBC_SHA 0x0300001E -#define SSL3_CK_KRB5_DES_192_CBC3_SHA 0x0300001F -#define SSL3_CK_KRB5_RC4_128_SHA 0x03000020 -#define SSL3_CK_KRB5_IDEA_128_CBC_SHA 0x03000021 -#define SSL3_CK_KRB5_DES_64_CBC_MD5 0x03000022 -#define SSL3_CK_KRB5_DES_192_CBC3_MD5 0x03000023 -#define SSL3_CK_KRB5_RC4_128_MD5 0x03000024 -#define SSL3_CK_KRB5_IDEA_128_CBC_MD5 0x03000025 - -#define SSL3_CK_KRB5_DES_40_CBC_SHA 0x03000026 -#define SSL3_CK_KRB5_RC2_40_CBC_SHA 0x03000027 -#define SSL3_CK_KRB5_RC4_40_SHA 0x03000028 -#define SSL3_CK_KRB5_DES_40_CBC_MD5 0x03000029 -#define SSL3_CK_KRB5_RC2_40_CBC_MD5 0x0300002A -#define SSL3_CK_KRB5_RC4_40_MD5 0x0300002B - -#define SSL3_TXT_RSA_NULL_MD5 "NULL-MD5" -#define SSL3_TXT_RSA_NULL_SHA "NULL-SHA" -#define SSL3_TXT_RSA_RC4_40_MD5 "EXP-RC4-MD5" -#define SSL3_TXT_RSA_RC4_128_MD5 "RC4-MD5" -#define SSL3_TXT_RSA_RC4_128_SHA "RC4-SHA" -#define SSL3_TXT_RSA_RC2_40_MD5 "EXP-RC2-CBC-MD5" -#define SSL3_TXT_RSA_IDEA_128_SHA "IDEA-CBC-SHA" -#define SSL3_TXT_RSA_DES_40_CBC_SHA "EXP-DES-CBC-SHA" -#define SSL3_TXT_RSA_DES_64_CBC_SHA "DES-CBC-SHA" -#define SSL3_TXT_RSA_DES_192_CBC3_SHA "DES-CBC3-SHA" - -#define SSL3_TXT_DH_DSS_DES_40_CBC_SHA "EXP-DH-DSS-DES-CBC-SHA" -#define SSL3_TXT_DH_DSS_DES_64_CBC_SHA "DH-DSS-DES-CBC-SHA" -#define SSL3_TXT_DH_DSS_DES_192_CBC3_SHA "DH-DSS-DES-CBC3-SHA" -#define SSL3_TXT_DH_RSA_DES_40_CBC_SHA "EXP-DH-RSA-DES-CBC-SHA" -#define SSL3_TXT_DH_RSA_DES_64_CBC_SHA "DH-RSA-DES-CBC-SHA" -#define SSL3_TXT_DH_RSA_DES_192_CBC3_SHA "DH-RSA-DES-CBC3-SHA" - -#define SSL3_TXT_EDH_DSS_DES_40_CBC_SHA "EXP-EDH-DSS-DES-CBC-SHA" -#define SSL3_TXT_EDH_DSS_DES_64_CBC_SHA "EDH-DSS-DES-CBC-SHA" -#define SSL3_TXT_EDH_DSS_DES_192_CBC3_SHA "EDH-DSS-DES-CBC3-SHA" -#define SSL3_TXT_EDH_RSA_DES_40_CBC_SHA "EXP-EDH-RSA-DES-CBC-SHA" -#define SSL3_TXT_EDH_RSA_DES_64_CBC_SHA "EDH-RSA-DES-CBC-SHA" -#define SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA "EDH-RSA-DES-CBC3-SHA" - -#define SSL3_TXT_ADH_RC4_40_MD5 "EXP-ADH-RC4-MD5" -#define SSL3_TXT_ADH_RC4_128_MD5 "ADH-RC4-MD5" -#define SSL3_TXT_ADH_DES_40_CBC_SHA "EXP-ADH-DES-CBC-SHA" -#define SSL3_TXT_ADH_DES_64_CBC_SHA "ADH-DES-CBC-SHA" -#define SSL3_TXT_ADH_DES_192_CBC_SHA "ADH-DES-CBC3-SHA" - -#define SSL3_TXT_KRB5_DES_64_CBC_SHA "KRB5-DES-CBC-SHA" -#define SSL3_TXT_KRB5_DES_192_CBC3_SHA "KRB5-DES-CBC3-SHA" -#define SSL3_TXT_KRB5_RC4_128_SHA "KRB5-RC4-SHA" -#define SSL3_TXT_KRB5_IDEA_128_CBC_SHA "KRB5-IDEA-CBC-SHA" -#define SSL3_TXT_KRB5_DES_64_CBC_MD5 "KRB5-DES-CBC-MD5" -#define SSL3_TXT_KRB5_DES_192_CBC3_MD5 "KRB5-DES-CBC3-MD5" -#define SSL3_TXT_KRB5_RC4_128_MD5 "KRB5-RC4-MD5" -#define SSL3_TXT_KRB5_IDEA_128_CBC_MD5 "KRB5-IDEA-CBC-MD5" - -#define SSL3_TXT_KRB5_DES_40_CBC_SHA "EXP-KRB5-DES-CBC-SHA" -#define SSL3_TXT_KRB5_RC2_40_CBC_SHA "EXP-KRB5-RC2-CBC-SHA" -#define SSL3_TXT_KRB5_RC4_40_SHA "EXP-KRB5-RC4-SHA" -#define SSL3_TXT_KRB5_DES_40_CBC_MD5 "EXP-KRB5-DES-CBC-MD5" -#define SSL3_TXT_KRB5_RC2_40_CBC_MD5 "EXP-KRB5-RC2-CBC-MD5" -#define SSL3_TXT_KRB5_RC4_40_MD5 "EXP-KRB5-RC4-MD5" - -#define SSL3_SSL_SESSION_ID_LENGTH 32 -#define SSL3_MAX_SSL_SESSION_ID_LENGTH 32 - -#define SSL3_MASTER_SECRET_SIZE 48 -#define SSL3_RANDOM_SIZE 32 -#define SSL3_SEQUENCE_SIZE 8 -#define SSL3_SESSION_ID_SIZE 32 -#define SSL3_CIPHER_VALUE_SIZE 2 - -#define SSL3_RT_HEADER_LENGTH 5 -#define SSL3_HM_HEADER_LENGTH 4 - -#define SSL3_ALIGN_PAYLOAD 8 - -/* This is the maximum MAC (digest) size used by the SSL library. - * Currently maximum of 20 is used by SHA1, but we reserve for - * future extension for 512-bit hashes. - */ - -#define SSL3_RT_MAX_MD_SIZE 64 - -/* Maximum block size used in all ciphersuites. Currently 16 for AES. - */ - -#define SSL_RT_MAX_CIPHER_BLOCK_SIZE 16 - -#define SSL3_RT_MAX_EXTRA (16384) - -/* Maximum plaintext length: defined by SSL/TLS standards */ -#define SSL3_RT_MAX_PLAIN_LENGTH 16384 -/* Maximum compression overhead: defined by SSL/TLS standards */ -#define SSL3_RT_MAX_COMPRESSED_OVERHEAD 1024 - -/* The standards give a maximum encryption overhead of 1024 bytes. - * In practice the value is lower than this. The overhead is the maximum - * number of padding bytes (256) plus the mac size. - */ -#define SSL3_RT_MAX_ENCRYPTED_OVERHEAD (256 + SSL3_RT_MAX_MD_SIZE) - -/* OpenSSL currently only uses a padding length of at most one block so - * the send overhead is smaller. - */ - -#define SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD \ - (SSL_RT_MAX_CIPHER_BLOCK_SIZE + SSL3_RT_MAX_MD_SIZE) - -/* If compression isn't used don't include the compression overhead */ -#define SSL3_RT_MAX_COMPRESSED_LENGTH SSL3_RT_MAX_PLAIN_LENGTH -#define SSL3_RT_MAX_ENCRYPTED_LENGTH \ - (SSL3_RT_MAX_ENCRYPTED_OVERHEAD+SSL3_RT_MAX_COMPRESSED_LENGTH) -#define SSL3_RT_MAX_PACKET_SIZE \ - (SSL3_RT_MAX_ENCRYPTED_LENGTH+SSL3_RT_HEADER_LENGTH) - -#define SSL3_MD_CLIENT_FINISHED_CONST "\x43\x4C\x4E\x54" -#define SSL3_MD_SERVER_FINISHED_CONST "\x53\x52\x56\x52" - -#define SSL3_VERSION 0x0300 -#define SSL3_VERSION_MAJOR 0x03 -#define SSL3_VERSION_MINOR 0x00 - -#define SSL3_RT_CHANGE_CIPHER_SPEC 20 -#define SSL3_RT_ALERT 21 -#define SSL3_RT_HANDSHAKE 22 -#define SSL3_RT_APPLICATION_DATA 23 -#define TLS1_RT_HEARTBEAT 24 - -#define SSL3_AL_WARNING 1 -#define SSL3_AL_FATAL 2 - -#define SSL3_AD_CLOSE_NOTIFY 0 -#define SSL3_AD_UNEXPECTED_MESSAGE 10 /* fatal */ -#define SSL3_AD_BAD_RECORD_MAC 20 /* fatal */ -#define SSL3_AD_DECOMPRESSION_FAILURE 30 /* fatal */ -#define SSL3_AD_HANDSHAKE_FAILURE 40 /* fatal */ -#define SSL3_AD_NO_CERTIFICATE 41 -#define SSL3_AD_BAD_CERTIFICATE 42 -#define SSL3_AD_UNSUPPORTED_CERTIFICATE 43 -#define SSL3_AD_CERTIFICATE_REVOKED 44 -#define SSL3_AD_CERTIFICATE_EXPIRED 45 -#define SSL3_AD_CERTIFICATE_UNKNOWN 46 -#define SSL3_AD_ILLEGAL_PARAMETER 47 /* fatal */ - -#define TLS1_HB_REQUEST 1 -#define TLS1_HB_RESPONSE 2 - -#ifndef OPENSSL_NO_SSL_INTERN - -typedef struct ssl3_record_st { -/*r */ int type; /* type of record */ -/*rw*/ unsigned int length; /* How many bytes available */ -/*r */ unsigned int off; /* read/write offset into 'buf' */ -/*rw*/ unsigned char *data; /* pointer to the record data */ -/*rw*/ unsigned char *input; /* where the decode bytes are */ -/*r */ unsigned long epoch; /* epoch number, needed by DTLS1 */ -/*r */ unsigned char seq_num[8]; /* sequence number, needed by DTLS1 */ -} SSL3_RECORD; - -typedef struct ssl3_buffer_st { - unsigned char *buf; /* at least SSL3_RT_MAX_PACKET_SIZE bytes, - * see ssl3_setup_buffers() */ - size_t len; /* buffer size */ - int offset; /* where to 'copy from' */ - int left; /* how many bytes left */ -} SSL3_BUFFER; - -#endif - -#define SSL3_CT_RSA_SIGN 1 -#define SSL3_CT_DSS_SIGN 2 -#define SSL3_CT_RSA_FIXED_DH 3 -#define SSL3_CT_DSS_FIXED_DH 4 -#define SSL3_CT_RSA_EPHEMERAL_DH 5 -#define SSL3_CT_DSS_EPHEMERAL_DH 6 -#define SSL3_CT_FORTEZZA_DMS 20 -/* SSL3_CT_NUMBER is used to size arrays and it must be large - * enough to contain all of the cert types defined either for - * SSLv3 and TLSv1. - */ -#define SSL3_CT_NUMBER 11 - - -#define SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS 0x0001 -#define SSL3_FLAGS_DELAY_CLIENT_FINISHED 0x0002 -#define SSL3_FLAGS_POP_BUFFER 0x0004 -#define TLS1_FLAGS_TLS_PADDING_BUG 0x0 -#define TLS1_FLAGS_SKIP_CERT_VERIFY 0x0010 -#define TLS1_FLAGS_KEEP_HANDSHAKE 0x0020 -#define SSL3_FLAGS_CCS_OK 0x0080 - -#ifndef OPENSSL_NO_SSL_INTERN - -typedef struct ssl3_state_st { - long flags; - int delay_buf_pop_ret; - - unsigned char read_sequence[SSL3_SEQUENCE_SIZE]; - int read_mac_secret_size; - unsigned char read_mac_secret[EVP_MAX_MD_SIZE]; - unsigned char write_sequence[SSL3_SEQUENCE_SIZE]; - int write_mac_secret_size; - unsigned char write_mac_secret[EVP_MAX_MD_SIZE]; - - unsigned char server_random[SSL3_RANDOM_SIZE]; - unsigned char client_random[SSL3_RANDOM_SIZE]; - - /* flags for countermeasure against known-IV weakness */ - int need_empty_fragments; - int empty_fragment_done; - - SSL3_BUFFER rbuf; /* read IO goes into here */ - SSL3_BUFFER wbuf; /* write IO goes into here */ - - SSL3_RECORD rrec; /* each decoded record goes in here */ - SSL3_RECORD wrec; /* goes out from here */ - - /* storage for Alert/Handshake protocol data received but not - * yet processed by ssl3_read_bytes: */ - unsigned char alert_fragment[2]; - unsigned int alert_fragment_len; - unsigned char handshake_fragment[4]; - unsigned int handshake_fragment_len; - - /* partial write - check the numbers match */ - unsigned int wnum; /* number of bytes sent so far */ - int wpend_tot; /* number bytes written */ - int wpend_type; - int wpend_ret; /* number of bytes submitted */ - const unsigned char *wpend_buf; - - /* used during startup, digest all incoming/outgoing packets */ - BIO *handshake_buffer; - /* When set of handshake digests is determined, buffer is hashed - * and freed and MD_CTX-es for all required digests are stored in - * this array */ - EVP_MD_CTX **handshake_dgst; - /* this is set whenerver we see a change_cipher_spec message - * come in when we are not looking for one */ - int change_cipher_spec; - - int warn_alert; - int fatal_alert; - /* we allow one fatal and one warning alert to be outstanding, - * send close alert via the warning alert */ - int alert_dispatch; - unsigned char send_alert[2]; - - /* This flag is set when we should renegotiate ASAP, basically when - * there is no more data in the read or write buffers */ - int renegotiate; - int total_renegotiations; - int num_renegotiations; - - int in_read_app_data; - - struct { - /* actually only needs to be 16+20 */ - unsigned char cert_verify_md[EVP_MAX_MD_SIZE*2]; - - /* actually only need to be 16+20 for SSLv3 and 12 for TLS */ - unsigned char finish_md[EVP_MAX_MD_SIZE*2]; - int finish_md_len; - unsigned char peer_finish_md[EVP_MAX_MD_SIZE*2]; - int peer_finish_md_len; - - unsigned long message_size; - int message_type; - - /* used to hold the new cipher we are going to use */ - const SSL_CIPHER *new_cipher; - DH *dh; - - EC_KEY *ecdh; /* holds short lived ECDH key */ - - /* used when SSL_ST_FLUSH_DATA is entered */ - int next_state; - - int reuse_message; - - /* used for certificate requests */ - int cert_req; - int ctype_num; - char ctype[SSL3_CT_NUMBER]; - STACK_OF(X509_NAME) *ca_names; - - int key_block_length; - unsigned char *key_block; - - const EVP_CIPHER *new_sym_enc; - const EVP_AEAD *new_aead; - const EVP_MD *new_hash; - int new_mac_pkey_type; - int new_mac_secret_size; - int cert_request; - } tmp; - - /* Connection binding to prevent renegotiation attacks */ - unsigned char previous_client_finished[EVP_MAX_MD_SIZE]; - unsigned char previous_client_finished_len; - unsigned char previous_server_finished[EVP_MAX_MD_SIZE]; - unsigned char previous_server_finished_len; - int send_connection_binding; /* TODOEKR */ - - /* Set if we saw the Next Protocol Negotiation extension from our peer. - */ - int next_proto_neg_seen; - - /* - * ALPN information - * (we are in the process of transitioning from NPN to ALPN). - */ - - /* - * In a server these point to the selected ALPN protocol after the - * ClientHello has been processed. In a client these contain the - * protocol that the server selected once the ServerHello has been - * processed. - */ - unsigned char *alpn_selected; - unsigned int alpn_selected_len; -} SSL3_STATE; - -#endif - -/* SSLv3 */ -/*client */ -/* extra state */ -#define SSL3_ST_CW_FLUSH (0x100|SSL_ST_CONNECT) -/* write to server */ -#define SSL3_ST_CW_CLNT_HELLO_A (0x110|SSL_ST_CONNECT) -#define SSL3_ST_CW_CLNT_HELLO_B (0x111|SSL_ST_CONNECT) -/* read from server */ -#define SSL3_ST_CR_SRVR_HELLO_A (0x120|SSL_ST_CONNECT) -#define SSL3_ST_CR_SRVR_HELLO_B (0x121|SSL_ST_CONNECT) -#define DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A (0x126|SSL_ST_CONNECT) -#define DTLS1_ST_CR_HELLO_VERIFY_REQUEST_B (0x127|SSL_ST_CONNECT) -#define SSL3_ST_CR_CERT_A (0x130|SSL_ST_CONNECT) -#define SSL3_ST_CR_CERT_B (0x131|SSL_ST_CONNECT) -#define SSL3_ST_CR_KEY_EXCH_A (0x140|SSL_ST_CONNECT) -#define SSL3_ST_CR_KEY_EXCH_B (0x141|SSL_ST_CONNECT) -#define SSL3_ST_CR_CERT_REQ_A (0x150|SSL_ST_CONNECT) -#define SSL3_ST_CR_CERT_REQ_B (0x151|SSL_ST_CONNECT) -#define SSL3_ST_CR_SRVR_DONE_A (0x160|SSL_ST_CONNECT) -#define SSL3_ST_CR_SRVR_DONE_B (0x161|SSL_ST_CONNECT) -/* write to server */ -#define SSL3_ST_CW_CERT_A (0x170|SSL_ST_CONNECT) -#define SSL3_ST_CW_CERT_B (0x171|SSL_ST_CONNECT) -#define SSL3_ST_CW_CERT_C (0x172|SSL_ST_CONNECT) -#define SSL3_ST_CW_CERT_D (0x173|SSL_ST_CONNECT) -#define SSL3_ST_CW_KEY_EXCH_A (0x180|SSL_ST_CONNECT) -#define SSL3_ST_CW_KEY_EXCH_B (0x181|SSL_ST_CONNECT) -#define SSL3_ST_CW_CERT_VRFY_A (0x190|SSL_ST_CONNECT) -#define SSL3_ST_CW_CERT_VRFY_B (0x191|SSL_ST_CONNECT) -#define SSL3_ST_CW_CHANGE_A (0x1A0|SSL_ST_CONNECT) -#define SSL3_ST_CW_CHANGE_B (0x1A1|SSL_ST_CONNECT) -#define SSL3_ST_CW_NEXT_PROTO_A (0x200|SSL_ST_CONNECT) -#define SSL3_ST_CW_NEXT_PROTO_B (0x201|SSL_ST_CONNECT) -#define SSL3_ST_CW_FINISHED_A (0x1B0|SSL_ST_CONNECT) -#define SSL3_ST_CW_FINISHED_B (0x1B1|SSL_ST_CONNECT) -/* read from server */ -#define SSL3_ST_CR_CHANGE_A (0x1C0|SSL_ST_CONNECT) -#define SSL3_ST_CR_CHANGE_B (0x1C1|SSL_ST_CONNECT) -#define SSL3_ST_CR_FINISHED_A (0x1D0|SSL_ST_CONNECT) -#define SSL3_ST_CR_FINISHED_B (0x1D1|SSL_ST_CONNECT) -#define SSL3_ST_CR_SESSION_TICKET_A (0x1E0|SSL_ST_CONNECT) -#define SSL3_ST_CR_SESSION_TICKET_B (0x1E1|SSL_ST_CONNECT) -#define SSL3_ST_CR_CERT_STATUS_A (0x1F0|SSL_ST_CONNECT) -#define SSL3_ST_CR_CERT_STATUS_B (0x1F1|SSL_ST_CONNECT) - -/* server */ -/* extra state */ -#define SSL3_ST_SW_FLUSH (0x100|SSL_ST_ACCEPT) -/* read from client */ -/* Do not change the number values, they do matter */ -#define SSL3_ST_SR_CLNT_HELLO_A (0x110|SSL_ST_ACCEPT) -#define SSL3_ST_SR_CLNT_HELLO_B (0x111|SSL_ST_ACCEPT) -#define SSL3_ST_SR_CLNT_HELLO_C (0x112|SSL_ST_ACCEPT) -/* write to client */ -#define DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A (0x113|SSL_ST_ACCEPT) -#define DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B (0x114|SSL_ST_ACCEPT) -#define SSL3_ST_SW_HELLO_REQ_A (0x120|SSL_ST_ACCEPT) -#define SSL3_ST_SW_HELLO_REQ_B (0x121|SSL_ST_ACCEPT) -#define SSL3_ST_SW_HELLO_REQ_C (0x122|SSL_ST_ACCEPT) -#define SSL3_ST_SW_SRVR_HELLO_A (0x130|SSL_ST_ACCEPT) -#define SSL3_ST_SW_SRVR_HELLO_B (0x131|SSL_ST_ACCEPT) -#define SSL3_ST_SW_CERT_A (0x140|SSL_ST_ACCEPT) -#define SSL3_ST_SW_CERT_B (0x141|SSL_ST_ACCEPT) -#define SSL3_ST_SW_KEY_EXCH_A (0x150|SSL_ST_ACCEPT) -#define SSL3_ST_SW_KEY_EXCH_B (0x151|SSL_ST_ACCEPT) -#define SSL3_ST_SW_CERT_REQ_A (0x160|SSL_ST_ACCEPT) -#define SSL3_ST_SW_CERT_REQ_B (0x161|SSL_ST_ACCEPT) -#define SSL3_ST_SW_SRVR_DONE_A (0x170|SSL_ST_ACCEPT) -#define SSL3_ST_SW_SRVR_DONE_B (0x171|SSL_ST_ACCEPT) -/* read from client */ -#define SSL3_ST_SR_CERT_A (0x180|SSL_ST_ACCEPT) -#define SSL3_ST_SR_CERT_B (0x181|SSL_ST_ACCEPT) -#define SSL3_ST_SR_KEY_EXCH_A (0x190|SSL_ST_ACCEPT) -#define SSL3_ST_SR_KEY_EXCH_B (0x191|SSL_ST_ACCEPT) -#define SSL3_ST_SR_CERT_VRFY_A (0x1A0|SSL_ST_ACCEPT) -#define SSL3_ST_SR_CERT_VRFY_B (0x1A1|SSL_ST_ACCEPT) -#define SSL3_ST_SR_CHANGE_A (0x1B0|SSL_ST_ACCEPT) -#define SSL3_ST_SR_CHANGE_B (0x1B1|SSL_ST_ACCEPT) -#define SSL3_ST_SR_NEXT_PROTO_A (0x210|SSL_ST_ACCEPT) -#define SSL3_ST_SR_NEXT_PROTO_B (0x211|SSL_ST_ACCEPT) -#define SSL3_ST_SR_FINISHED_A (0x1C0|SSL_ST_ACCEPT) -#define SSL3_ST_SR_FINISHED_B (0x1C1|SSL_ST_ACCEPT) -/* write to client */ -#define SSL3_ST_SW_CHANGE_A (0x1D0|SSL_ST_ACCEPT) -#define SSL3_ST_SW_CHANGE_B (0x1D1|SSL_ST_ACCEPT) -#define SSL3_ST_SW_FINISHED_A (0x1E0|SSL_ST_ACCEPT) -#define SSL3_ST_SW_FINISHED_B (0x1E1|SSL_ST_ACCEPT) -#define SSL3_ST_SW_SESSION_TICKET_A (0x1F0|SSL_ST_ACCEPT) -#define SSL3_ST_SW_SESSION_TICKET_B (0x1F1|SSL_ST_ACCEPT) -#define SSL3_ST_SW_CERT_STATUS_A (0x200|SSL_ST_ACCEPT) -#define SSL3_ST_SW_CERT_STATUS_B (0x201|SSL_ST_ACCEPT) - -#define SSL3_MT_HELLO_REQUEST 0 -#define SSL3_MT_CLIENT_HELLO 1 -#define SSL3_MT_SERVER_HELLO 2 -#define SSL3_MT_NEWSESSION_TICKET 4 -#define SSL3_MT_CERTIFICATE 11 -#define SSL3_MT_SERVER_KEY_EXCHANGE 12 -#define SSL3_MT_CERTIFICATE_REQUEST 13 -#define SSL3_MT_SERVER_DONE 14 -#define SSL3_MT_CERTIFICATE_VERIFY 15 -#define SSL3_MT_CLIENT_KEY_EXCHANGE 16 -#define SSL3_MT_FINISHED 20 -#define SSL3_MT_CERTIFICATE_STATUS 22 - -#define SSL3_MT_NEXT_PROTO 67 - -#define DTLS1_MT_HELLO_VERIFY_REQUEST 3 - -#define SSL3_MT_CCS 1 - -/* These are used when changing over to a new cipher */ -#define SSL3_CC_READ 0x01 -#define SSL3_CC_WRITE 0x02 -#define SSL3_CC_CLIENT 0x10 -#define SSL3_CC_SERVER 0x20 -#define SSL3_CHANGE_CIPHER_CLIENT_WRITE (SSL3_CC_CLIENT|SSL3_CC_WRITE) -#define SSL3_CHANGE_CIPHER_SERVER_READ (SSL3_CC_SERVER|SSL3_CC_READ) -#define SSL3_CHANGE_CIPHER_CLIENT_READ (SSL3_CC_CLIENT|SSL3_CC_READ) -#define SSL3_CHANGE_CIPHER_SERVER_WRITE (SSL3_CC_SERVER|SSL3_CC_WRITE) - -#ifdef __cplusplus -} -#endif -#endif diff --git a/lib/libssl/src/ssl/ssl_algs.c b/lib/libssl/src/ssl/ssl_algs.c deleted file mode 100644 index 3010a735c96..00000000000 --- a/lib/libssl/src/ssl/ssl_algs.c +++ /dev/null @@ -1,131 +0,0 @@ -/* $OpenBSD: ssl_algs.c,v 1.22 2014/12/14 15:30:50 jsing Exp $ */ -/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) - * All rights reserved. - * - * This package is an SSL implementation written - * by Eric Young (eay@cryptsoft.com). - * The implementation was written so as to conform with Netscapes SSL. - * - * This library is free for commercial and non-commercial use as long as - * the following conditions are aheared to. The following conditions - * apply to all code found in this distribution, be it the RC4, RSA, - * lhash, DES, etc., code; not just the SSL code. The SSL documentation - * included with this distribution is covered by the same copyright terms - * except that the holder is Tim Hudson (tjh@cryptsoft.com). - * - * Copyright remains Eric Young's, and as such any Copyright notices in - * the code are not to be removed. - * If this package is used in a product, Eric Young should be given attribution - * as the author of the parts of the library used. - * This can be in the form of a textual message at program startup or - * in documentation (online or textual) provided with the package. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * "This product includes cryptographic software written by - * Eric Young (eay@cryptsoft.com)" - * The word 'cryptographic' can be left out if the rouines from the library - * being used are not cryptographic related :-). - * 4. If you include any Windows specific code (or a derivative thereof) from - * the apps directory (application code) you must include an acknowledgement: - * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" - * - * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * The licence and distribution terms for any publically available version or - * derivative of this code cannot be changed. i.e. this code cannot simply be - * copied and put under another distribution licence - * [including the GNU Public Licence.] - */ - -#include <stdio.h> - -#include <openssl/lhash.h> -#include <openssl/objects.h> - -#include "ssl_locl.h" - -int -SSL_library_init(void) -{ - -#ifndef OPENSSL_NO_DES - EVP_add_cipher(EVP_des_cbc()); - EVP_add_cipher(EVP_des_ede3_cbc()); -#endif -#ifndef OPENSSL_NO_IDEA - EVP_add_cipher(EVP_idea_cbc()); -#endif -#ifndef OPENSSL_NO_RC4 - EVP_add_cipher(EVP_rc4()); -#if !defined(OPENSSL_NO_MD5) && (defined(__x86_64) || defined(__x86_64__)) - EVP_add_cipher(EVP_rc4_hmac_md5()); -#endif -#endif -#ifndef OPENSSL_NO_RC2 - EVP_add_cipher(EVP_rc2_cbc()); - /* Not actually used for SSL/TLS but this makes PKCS#12 work - * if an application only calls SSL_library_init(). - */ - EVP_add_cipher(EVP_rc2_40_cbc()); -#endif - EVP_add_cipher(EVP_aes_128_cbc()); - EVP_add_cipher(EVP_aes_192_cbc()); - EVP_add_cipher(EVP_aes_256_cbc()); - EVP_add_cipher(EVP_aes_128_gcm()); - EVP_add_cipher(EVP_aes_256_gcm()); - EVP_add_cipher(EVP_aes_128_cbc_hmac_sha1()); - EVP_add_cipher(EVP_aes_256_cbc_hmac_sha1()); -#ifndef OPENSSL_NO_CAMELLIA - EVP_add_cipher(EVP_camellia_128_cbc()); - EVP_add_cipher(EVP_camellia_256_cbc()); -#endif -#ifndef OPENSSL_NO_GOST - EVP_add_cipher(EVP_gost2814789_cfb64()); - EVP_add_cipher(EVP_gost2814789_cnt()); -#endif - - EVP_add_digest(EVP_md5()); - EVP_add_digest_alias(SN_md5, "ssl2-md5"); - EVP_add_digest_alias(SN_md5, "ssl3-md5"); - EVP_add_digest(EVP_sha1()); /* RSA with sha1 */ - EVP_add_digest_alias(SN_sha1, "ssl3-sha1"); - EVP_add_digest_alias(SN_sha1WithRSAEncryption, SN_sha1WithRSA); - EVP_add_digest(EVP_sha224()); - EVP_add_digest(EVP_sha256()); - EVP_add_digest(EVP_sha384()); - EVP_add_digest(EVP_sha512()); - EVP_add_digest(EVP_dss1()); /* DSA with sha1 */ - EVP_add_digest_alias(SN_dsaWithSHA1, SN_dsaWithSHA1_2); - EVP_add_digest_alias(SN_dsaWithSHA1, "DSS1"); - EVP_add_digest_alias(SN_dsaWithSHA1, "dss1"); - EVP_add_digest(EVP_ecdsa()); -#ifndef OPENSSL_NO_GOST - EVP_add_digest(EVP_gostr341194()); - EVP_add_digest(EVP_gost2814789imit()); - EVP_add_digest(EVP_streebog256()); - EVP_add_digest(EVP_streebog512()); -#endif - /* initialize cipher/digest methods table */ - ssl_load_ciphers(); - return (1); -} - diff --git a/lib/libssl/src/ssl/ssl_asn1.c b/lib/libssl/src/ssl/ssl_asn1.c deleted file mode 100644 index ee00cb286d2..00000000000 --- a/lib/libssl/src/ssl/ssl_asn1.c +++ /dev/null @@ -1,691 +0,0 @@ -/* $OpenBSD: ssl_asn1.c,v 1.41 2016/03/11 07:08:45 mmcc Exp $ */ -/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) - * All rights reserved. - * - * This package is an SSL implementation written - * by Eric Young (eay@cryptsoft.com). - * The implementation was written so as to conform with Netscapes SSL. - * - * This library is free for commercial and non-commercial use as long as - * the following conditions are aheared to. The following conditions - * apply to all code found in this distribution, be it the RC4, RSA, - * lhash, DES, etc., code; not just the SSL code. The SSL documentation - * included with this distribution is covered by the same copyright terms - * except that the holder is Tim Hudson (tjh@cryptsoft.com). - * - * Copyright remains Eric Young's, and as such any Copyright notices in - * the code are not to be removed. - * If this package is used in a product, Eric Young should be given attribution - * as the author of the parts of the library used. - * This can be in the form of a textual message at program startup or - * in documentation (online or textual) provided with the package. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * "This product includes cryptographic software written by - * Eric Young (eay@cryptsoft.com)" - * The word 'cryptographic' can be left out if the rouines from the library - * being used are not cryptographic related :-). - * 4. If you include any Windows specific code (or a derivative thereof) from - * the apps directory (application code) you must include an acknowledgement: - * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" - * - * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * The licence and distribution terms for any publically available version or - * derivative of this code cannot be changed. i.e. this code cannot simply be - * copied and put under another distribution licence - * [including the GNU Public Licence.] - */ - -#include <stdio.h> -#include <stdlib.h> - -#include "ssl_locl.h" - -#include <openssl/objects.h> -#include <openssl/x509.h> - -/* XXX - these are here to avoid including asn1_mac.h */ -int asn1_GetSequence(ASN1_const_CTX *c, long *length); -void asn1_add_error(const unsigned char *address, int offset); - -typedef struct ssl_session_asn1_st { - ASN1_INTEGER version; - ASN1_INTEGER ssl_version; - ASN1_OCTET_STRING cipher; - ASN1_OCTET_STRING master_key; - ASN1_OCTET_STRING session_id; - ASN1_OCTET_STRING session_id_context; - ASN1_INTEGER time; - ASN1_INTEGER timeout; - ASN1_INTEGER verify_result; - ASN1_OCTET_STRING tlsext_hostname; - ASN1_INTEGER tlsext_tick_lifetime; - ASN1_OCTET_STRING tlsext_tick; -} SSL_SESSION_ASN1; - -int -i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp) -{ -#define LSIZE2 (sizeof(long)*2) - int v1 = 0, v2 = 0, v3 = 0, v4 = 0, v5 = 0, v6 = 0, v9 = 0, v10 = 0; - unsigned char buf[4], ibuf1[LSIZE2], ibuf2[LSIZE2]; - unsigned char ibuf3[LSIZE2], ibuf4[LSIZE2], ibuf5[LSIZE2]; - unsigned char ibuf6[LSIZE2]; - SSL_SESSION_ASN1 a; - unsigned char *p; - int len = 0, ret; - long l; - - if ((in == NULL) || ((in->cipher == NULL) && (in->cipher_id == 0))) - return (0); - - /* - * Note that I cheat in the following 2 assignments. - * I know that if the ASN1_INTEGER passed to ASN1_INTEGER_set - * is > sizeof(long)+1, the buffer will not be re-malloc()ed. - * This is a bit evil but makes things simple, no dynamic allocation - * to clean up :-) - */ - a.version.length = LSIZE2; - a.version.type = V_ASN1_INTEGER; - a.version.data = ibuf1; - ASN1_INTEGER_set(&(a.version), SSL_SESSION_ASN1_VERSION); - len += i2d_ASN1_INTEGER(&(a.version), NULL); - - a.ssl_version.length = LSIZE2; - a.ssl_version.type = V_ASN1_INTEGER; - a.ssl_version.data = ibuf2; - ASN1_INTEGER_set(&(a.ssl_version), in->ssl_version); - len += i2d_ASN1_INTEGER(&(a.ssl_version), NULL); - - a.cipher.length = 2; - a.cipher.type = V_ASN1_OCTET_STRING; - l = (in->cipher == NULL) ? in->cipher_id : in->cipher->id; - buf[0] = ((unsigned char)(l >> 8L)) & 0xff; - buf[1] = ((unsigned char)(l)) & 0xff; - a.cipher.data = buf; - len += i2d_ASN1_OCTET_STRING(&(a.cipher), NULL); - - a.master_key.length = in->master_key_length; - a.master_key.type = V_ASN1_OCTET_STRING; - a.master_key.data = in->master_key; - len += i2d_ASN1_OCTET_STRING(&(a.master_key), NULL); - - a.session_id.length = in->session_id_length; - a.session_id.type = V_ASN1_OCTET_STRING; - a.session_id.data = in->session_id; - len += i2d_ASN1_OCTET_STRING(&(a.session_id), NULL); - - if (in->time != 0L) { - a.time.length = LSIZE2; - a.time.type = V_ASN1_INTEGER; - a.time.data = ibuf3; - ASN1_INTEGER_set(&(a.time), in->time); /* XXX 2038 */ - v1 = i2d_ASN1_INTEGER(&(a.time), NULL); - len += ASN1_object_size(1, v1, 1); - } - - if (in->timeout != 0L) { - a.timeout.length = LSIZE2; - a.timeout.type = V_ASN1_INTEGER; - a.timeout.data = ibuf4; - ASN1_INTEGER_set(&(a.timeout), in->timeout); - v2 = i2d_ASN1_INTEGER(&(a.timeout), NULL); - len += ASN1_object_size(1, v2, 2); - } - - if (in->peer != NULL) { - v3 = i2d_X509(in->peer, NULL); - len += ASN1_object_size(1, v3, 3); - } - - a.session_id_context.length = in->sid_ctx_length; - a.session_id_context.type = V_ASN1_OCTET_STRING; - a.session_id_context.data = in->sid_ctx; - v4 = i2d_ASN1_OCTET_STRING(&(a.session_id_context), NULL); - len += ASN1_object_size(1, v4, 4); - - if (in->verify_result != X509_V_OK) { - a.verify_result.length = LSIZE2; - a.verify_result.type = V_ASN1_INTEGER; - a.verify_result.data = ibuf5; - ASN1_INTEGER_set(&a.verify_result, in->verify_result); - v5 = i2d_ASN1_INTEGER(&(a.verify_result), NULL); - len += ASN1_object_size(1, v5, 5); - } - - if (in->tlsext_hostname) { - a.tlsext_hostname.length = strlen(in->tlsext_hostname); - a.tlsext_hostname.type = V_ASN1_OCTET_STRING; - a.tlsext_hostname.data = (unsigned char *)in->tlsext_hostname; - v6 = i2d_ASN1_OCTET_STRING(&(a.tlsext_hostname), NULL); - len += ASN1_object_size(1, v6, 6); - } - - /* 7 - PSK identity hint. */ - /* 8 - PSK identity. */ - - if (in->tlsext_tick_lifetime_hint > 0) { - a.tlsext_tick_lifetime.length = LSIZE2; - a.tlsext_tick_lifetime.type = V_ASN1_INTEGER; - a.tlsext_tick_lifetime.data = ibuf6; - ASN1_INTEGER_set(&a.tlsext_tick_lifetime, - in->tlsext_tick_lifetime_hint); - v9 = i2d_ASN1_INTEGER(&(a.tlsext_tick_lifetime), NULL); - len += ASN1_object_size(1, v9, 9); - } - - if (in->tlsext_tick) { - a.tlsext_tick.length = in->tlsext_ticklen; - a.tlsext_tick.type = V_ASN1_OCTET_STRING; - a.tlsext_tick.data = (unsigned char *)in->tlsext_tick; - v10 = i2d_ASN1_OCTET_STRING(&(a.tlsext_tick), NULL); - len += ASN1_object_size(1, v10, 10); - } - - /* 11 - Compression method. */ - /* 12 - SRP username. */ - - /* If given a NULL pointer, return the length only. */ - ret = (ASN1_object_size(1, len, V_ASN1_SEQUENCE)); - if (pp == NULL) - return (ret); - - /* Burp out the ASN1. */ - p = *pp; - ASN1_put_object(&p, 1, len, V_ASN1_SEQUENCE, V_ASN1_UNIVERSAL); - i2d_ASN1_INTEGER(&(a.version), &p); - i2d_ASN1_INTEGER(&(a.ssl_version), &p); - i2d_ASN1_OCTET_STRING(&(a.cipher), &p); - i2d_ASN1_OCTET_STRING(&(a.session_id), &p); - i2d_ASN1_OCTET_STRING(&(a.master_key), &p); - if (in->time != 0L) { - ASN1_put_object(&p, 1, v1, 1, V_ASN1_CONTEXT_SPECIFIC); - i2d_ASN1_INTEGER(&(a.time), &p); - } - if (in->timeout != 0L) { - ASN1_put_object(&p, 1, v2, 2, V_ASN1_CONTEXT_SPECIFIC); - i2d_ASN1_INTEGER(&(a.timeout), &p); - } - if (in->peer != NULL) { - ASN1_put_object(&p, 1, v3, 3, V_ASN1_CONTEXT_SPECIFIC); - i2d_X509(in->peer, &p); - } - ASN1_put_object(&p, 1, v4, 4, V_ASN1_CONTEXT_SPECIFIC); - i2d_ASN1_OCTET_STRING(&(a.session_id_context), &p); - if (in->verify_result != X509_V_OK) { - ASN1_put_object(&p, 1, v5, 5, V_ASN1_CONTEXT_SPECIFIC); - i2d_ASN1_INTEGER(&(a.verify_result), &p); - } - if (in->tlsext_hostname) { - ASN1_put_object(&p, 1, v6, 6, V_ASN1_CONTEXT_SPECIFIC); - i2d_ASN1_OCTET_STRING(&(a.tlsext_hostname), &p); - } - /* 7 - PSK identity hint. */ - /* 8 - PSK identity. */ - if (in->tlsext_tick_lifetime_hint > 0) { - ASN1_put_object(&p, 1, v9, 9, V_ASN1_CONTEXT_SPECIFIC); - i2d_ASN1_INTEGER(&(a.tlsext_tick_lifetime), &p); - } - if (in->tlsext_tick) { - ASN1_put_object(&p, 1, v10, 10, V_ASN1_CONTEXT_SPECIFIC); - i2d_ASN1_OCTET_STRING(&(a.tlsext_tick), &p); - } - /* 11 - Compression method. */ - /* 12 - SRP username. */ - - *pp = p; - return (ret); -} - -SSL_SESSION * -d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp, long length) -{ - SSL_SESSION *ret = NULL; - ASN1_const_CTX c; - ASN1_INTEGER ai, *aip; - ASN1_OCTET_STRING os, *osp; - int ssl_version = 0, i; - int Tinf, Ttag, Tclass; - long Tlen; - long id; - - c.pp = pp; - c.p = *pp; - c.q = *pp; - c.max = (length == 0) ? 0 : (c.p + length); - c.slen = length; - - if (a == NULL || *a == NULL) { - if ((ret = SSL_SESSION_new()) == NULL) { - SSLerr(SSL_F_D2I_SSL_SESSION, ERR_R_NESTED_ASN1_ERROR); - goto err; - } - } else - ret = *a; - - aip = &ai; - osp = &os; - - if (!asn1_GetSequence(&c, &length)) { - SSLerr(SSL_F_D2I_SSL_SESSION, ERR_R_NESTED_ASN1_ERROR); - goto err; - } - - ai.data = NULL; - ai.length = 0; - c.q = c.p; - if (d2i_ASN1_INTEGER(&aip, &c.p, c.slen) == NULL) { - SSLerr(SSL_F_D2I_SSL_SESSION, ERR_R_NESTED_ASN1_ERROR); - goto err; - } - c.slen -= (c.p - c.q); - - if (ai.data != NULL) { - free(ai.data); - ai.data = NULL; - ai.length = 0; - } - - /* we don't care about the version right now :-) */ - c.q = c.p; - if (d2i_ASN1_INTEGER(&aip, &c.p, c.slen) == NULL) { - SSLerr(SSL_F_D2I_SSL_SESSION, ERR_R_NESTED_ASN1_ERROR); - goto err; - } - c.slen -= (c.p - c.q); - ssl_version = (int)ASN1_INTEGER_get(aip); - ret->ssl_version = ssl_version; - if (ai.data != NULL) { - free(ai.data); - ai.data = NULL; - ai.length = 0; - } - - os.data = NULL; - os.length = 0; - c.q = c.p; - if (d2i_ASN1_OCTET_STRING(&osp, &c.p, c.slen) == NULL) { - SSLerr(SSL_F_D2I_SSL_SESSION, ERR_R_NESTED_ASN1_ERROR); - goto err; - } - c.slen -= (c.p - c.q); - if ((ssl_version >> 8) >= SSL3_VERSION_MAJOR) { - if (os.length != 2) { - SSLerr(SSL_F_D2I_SSL_SESSION, - SSL_R_CIPHER_CODE_WRONG_LENGTH); - goto err; - } - id = 0x03000000L | ((unsigned long)os.data[0]<<8L) | - (unsigned long)os.data[1]; - } else { - SSLerr(SSL_F_D2I_SSL_SESSION, SSL_R_UNKNOWN_SSL_VERSION); - goto err; - } - - ret->cipher = NULL; - ret->cipher_id = id; - - c.q = c.p; - if (d2i_ASN1_OCTET_STRING(&osp, &c.p, c.slen) == NULL) { - SSLerr(SSL_F_D2I_SSL_SESSION, ERR_R_NESTED_ASN1_ERROR); - goto err; - } - c.slen -= (c.p - c.q); - - i = SSL3_MAX_SSL_SESSION_ID_LENGTH; - if (os.length > i) - os.length = i; - if (os.length > (int)sizeof(ret->session_id)) /* can't happen */ - os.length = sizeof(ret->session_id); - - ret->session_id_length = os.length; - OPENSSL_assert(os.length <= (int)sizeof(ret->session_id)); - memcpy(ret->session_id, os.data, os.length); - - c.q = c.p; - if (d2i_ASN1_OCTET_STRING(&osp, &c.p, c.slen) == NULL) { - SSLerr(SSL_F_D2I_SSL_SESSION, ERR_R_NESTED_ASN1_ERROR); - goto err; - } - c.slen -= (c.p - c.q); - if (os.length > SSL_MAX_MASTER_KEY_LENGTH) - ret->master_key_length = SSL_MAX_MASTER_KEY_LENGTH; - else - ret->master_key_length = os.length; - memcpy(ret->master_key, os.data, ret->master_key_length); - - os.length = 0; - - /* 1 - Time (INTEGER). */ - /* XXX 2038 */ - ai.length = 0; - if (c.slen != 0L && - *c.p == (V_ASN1_CONSTRUCTED | V_ASN1_CONTEXT_SPECIFIC | 1)) { - c.q = c.p; - Tinf = ASN1_get_object(&c.p, &Tlen, &Ttag, &Tclass, c.slen); - if (Tinf & 0x80) { - SSLerr(SSL_F_D2I_SSL_SESSION, - ERR_R_BAD_ASN1_OBJECT_HEADER); - goto err; - } - if (Tinf == (V_ASN1_CONSTRUCTED + 1)) - Tlen = c.slen - (c.p - c.q) - 2; - if (d2i_ASN1_INTEGER(&aip, &c.p, Tlen) == NULL) { - SSLerr(SSL_F_D2I_SSL_SESSION, ERR_R_NESTED_ASN1_ERROR); - goto err; - } - if (Tinf == (V_ASN1_CONSTRUCTED + 1)) { - Tlen = c.slen - (c.p - c.q); - if(!ASN1_const_check_infinite_end(&c.p, Tlen)) { - SSLerr(SSL_F_D2I_SSL_SESSION, - ERR_R_MISSING_ASN1_EOS); - goto err; - } - } - c.slen -= (c.p - c.q); - } - if (ai.data != NULL) { - ret->time = ASN1_INTEGER_get(aip); - free(ai.data); - ai.data = NULL; - ai.length = 0; - } else - ret->time = time(NULL); - - /* 2 - Timeout (INTEGER). */ - ai.length = 0; - if (c.slen != 0L && - *c.p == (V_ASN1_CONSTRUCTED | V_ASN1_CONTEXT_SPECIFIC | 2)) { - c.q = c.p; - Tinf = ASN1_get_object(&c.p, &Tlen, &Ttag, &Tclass, c.slen); - if (Tinf & 0x80) { - SSLerr(SSL_F_D2I_SSL_SESSION, - ERR_R_BAD_ASN1_OBJECT_HEADER); - goto err; - } - if (Tinf == (V_ASN1_CONSTRUCTED + 1)) - Tlen = c.slen - (c.p - c.q) - 2; - if (d2i_ASN1_INTEGER(&aip, &c.p, Tlen) == NULL) { - SSLerr(SSL_F_D2I_SSL_SESSION, ERR_R_NESTED_ASN1_ERROR); - goto err; - } - if (Tinf == (V_ASN1_CONSTRUCTED + 1)) { - Tlen = c.slen - (c.p - c.q); - if(!ASN1_const_check_infinite_end(&c.p, Tlen)) { - SSLerr(SSL_F_D2I_SSL_SESSION, - ERR_R_MISSING_ASN1_EOS); - goto err; - } - } - c.slen -= (c.p - c.q); - } - if (ai.data != NULL) { - ret->timeout = ASN1_INTEGER_get(aip); - free(ai.data); - ai.data = NULL; - ai.length = 0; - } else - ret->timeout = 3; - - /* 3 - Peer (X509). */ - X509_free(ret->peer); - ret->peer = NULL; - - if (c.slen != 0L && - *c.p == (V_ASN1_CONSTRUCTED | V_ASN1_CONTEXT_SPECIFIC | 3)) { - c.q = c.p; - Tinf = ASN1_get_object(&c.p, &Tlen, &Ttag, &Tclass, c.slen); - if (Tinf & 0x80) { - SSLerr(SSL_F_D2I_SSL_SESSION, - ERR_R_BAD_ASN1_OBJECT_HEADER); - goto err; - } - if (Tinf == (V_ASN1_CONSTRUCTED + 1)) - Tlen = c.slen - (c.p - c.q) - 2; - if (d2i_X509(&ret->peer, &c.p, Tlen) == NULL) { - SSLerr(SSL_F_D2I_SSL_SESSION, ERR_R_NESTED_ASN1_ERROR); - goto err; - } - if (Tinf == (V_ASN1_CONSTRUCTED + 1)) { - Tlen = c.slen - (c.p - c.q); - if(!ASN1_const_check_infinite_end(&c.p, Tlen)) { - SSLerr(SSL_F_D2I_SSL_SESSION, - ERR_R_MISSING_ASN1_EOS); - goto err; - } - } - c.slen -= (c.p - c.q); - } - - /* 4 - Session ID (OCTET STRING). */ - os.length = 0; - free(os.data); - os.data = NULL; - if (c.slen != 0L && - *c.p == (V_ASN1_CONSTRUCTED | V_ASN1_CONTEXT_SPECIFIC | 4)) { - c.q = c.p; - Tinf = ASN1_get_object(&c.p, &Tlen, &Ttag, &Tclass, c.slen); - if (Tinf & 0x80) { - SSLerr(SSL_F_D2I_SSL_SESSION, - ERR_R_BAD_ASN1_OBJECT_HEADER); - goto err; - } - if (Tinf == (V_ASN1_CONSTRUCTED + 1)) - Tlen = c.slen - (c.p - c.q) - 2; - if (d2i_ASN1_OCTET_STRING(&osp, &c.p, Tlen) == NULL) { - SSLerr(SSL_F_D2I_SSL_SESSION, ERR_R_NESTED_ASN1_ERROR); - goto err; - } - if (Tinf == (V_ASN1_CONSTRUCTED + 1)) { - Tlen = c.slen - (c.p - c.q); - if(!ASN1_const_check_infinite_end(&c.p, Tlen)) { - SSLerr(SSL_F_D2I_SSL_SESSION, - ERR_R_MISSING_ASN1_EOS); - goto err; - } - } - c.slen -= (c.p - c.q); - } - if (os.data != NULL) { - if (os.length > SSL_MAX_SID_CTX_LENGTH) { - SSLerr(SSL_F_D2I_SSL_SESSION, SSL_R_BAD_LENGTH); - goto err; - } else { - ret->sid_ctx_length = os.length; - memcpy(ret->sid_ctx, os.data, os.length); - } - free(os.data); - os.data = NULL; - os.length = 0; - } else - ret->sid_ctx_length = 0; - - /* 5 - Verify_result. */ - ai.length = 0; - if (c.slen != 0L && - *c.p == (V_ASN1_CONSTRUCTED | V_ASN1_CONTEXT_SPECIFIC | 5)) { - c.q = c.p; - Tinf = ASN1_get_object(&c.p, &Tlen, &Ttag, &Tclass, c.slen); - if (Tinf & 0x80) { - SSLerr(SSL_F_D2I_SSL_SESSION, - ERR_R_BAD_ASN1_OBJECT_HEADER); - goto err; - } - if (Tinf == (V_ASN1_CONSTRUCTED + 1)) - Tlen = c.slen - (c.p - c.q) - 2; - if (d2i_ASN1_INTEGER(&aip, &c.p, Tlen) == NULL) { - SSLerr(SSL_F_D2I_SSL_SESSION, ERR_R_NESTED_ASN1_ERROR); - goto err; - } - if (Tinf == (V_ASN1_CONSTRUCTED + 1)) { - Tlen = c.slen - (c.p - c.q); - if(!ASN1_const_check_infinite_end(&c.p, Tlen)) { - SSLerr(SSL_F_D2I_SSL_SESSION, - ERR_R_MISSING_ASN1_EOS); - goto err; - } - } - c.slen -= (c.p - c.q); - } - if (ai.data != NULL) { - ret->verify_result = ASN1_INTEGER_get(aip); - free(ai.data); - ai.data = NULL; - ai.length = 0; - } else - ret->verify_result = X509_V_OK; - - /* 6 - HostName (OCTET STRING). */ - os.length = 0; - os.data = NULL; - if (c.slen != 0L && - *c.p == (V_ASN1_CONSTRUCTED | V_ASN1_CONTEXT_SPECIFIC | 6)) { - c.q = c.p; - Tinf = ASN1_get_object(&c.p, &Tlen, &Ttag, &Tclass, c.slen); - if (Tinf & 0x80) { - SSLerr(SSL_F_D2I_SSL_SESSION, - ERR_R_BAD_ASN1_OBJECT_HEADER); - goto err; - } - if (Tinf == (V_ASN1_CONSTRUCTED + 1)) - Tlen = c.slen - (c.p - c.q) - 2; - if (d2i_ASN1_OCTET_STRING(&osp, &c.p, Tlen) == NULL) { - SSLerr(SSL_F_D2I_SSL_SESSION, ERR_R_NESTED_ASN1_ERROR); - goto err; - } - if (Tinf == (V_ASN1_CONSTRUCTED + 1)) { - Tlen = c.slen - (c.p - c.q); - if(!ASN1_const_check_infinite_end(&c.p, Tlen)) { - SSLerr(SSL_F_D2I_SSL_SESSION, - ERR_R_MISSING_ASN1_EOS); - goto err; - } - } - c.slen -= (c.p - c.q); - } - if (os.data) { - ret->tlsext_hostname = strndup((char *)os.data, os.length); - free(os.data); - os.data = NULL; - os.length = 0; - } else - ret->tlsext_hostname = NULL; - - /* 7 - PSK identity hint (OCTET STRING). */ - /* 8 - PSK identity (OCTET STRING). */ - - /* 9 - Ticket lifetime. */ - ai.length = 0; - if (c.slen != 0L && - *c.p == (V_ASN1_CONSTRUCTED | V_ASN1_CONTEXT_SPECIFIC | 9)) { - c.q = c.p; - Tinf = ASN1_get_object(&c.p, &Tlen, &Ttag, &Tclass, c.slen); - if (Tinf & 0x80) { - SSLerr(SSL_F_D2I_SSL_SESSION, - ERR_R_BAD_ASN1_OBJECT_HEADER); - goto err; - } - if (Tinf == (V_ASN1_CONSTRUCTED + 1)) - Tlen = c.slen - (c.p - c.q) - 2; - if (d2i_ASN1_INTEGER(&aip, &c.p, Tlen) == NULL) { - SSLerr(SSL_F_D2I_SSL_SESSION, ERR_R_NESTED_ASN1_ERROR); - goto err; - } - if (Tinf == (V_ASN1_CONSTRUCTED + 1)) { - Tlen = c.slen - (c.p - c.q); - if(!ASN1_const_check_infinite_end(&c.p, Tlen)) { - SSLerr(SSL_F_D2I_SSL_SESSION, - ERR_R_MISSING_ASN1_EOS); - goto err; - } - } - c.slen -= (c.p - c.q); - } - if (ai.data != NULL) { - ret->tlsext_tick_lifetime_hint = ASN1_INTEGER_get(aip); - free(ai.data); - ai.data = NULL; - ai.length = 0; - } else if (ret->tlsext_ticklen && ret->session_id_length) - ret->tlsext_tick_lifetime_hint = -1; - else - ret->tlsext_tick_lifetime_hint = 0; - os.length = 0; - os.data = NULL; - - /* 10 - Ticket (OCTET STRING). */ - if (c.slen != 0L && - *c.p == (V_ASN1_CONSTRUCTED | V_ASN1_CONTEXT_SPECIFIC | 10)) { - c.q = c.p; - Tinf = ASN1_get_object(&c.p, &Tlen, &Ttag, &Tclass, c.slen); - if (Tinf & 0x80) { - SSLerr(SSL_F_D2I_SSL_SESSION, - ERR_R_BAD_ASN1_OBJECT_HEADER); - goto err; - } - if (Tinf == (V_ASN1_CONSTRUCTED + 1)) - Tlen = c.slen - (c.p - c.q) - 2; - if (d2i_ASN1_OCTET_STRING(&osp, &c.p, Tlen) == NULL) { - SSLerr(SSL_F_D2I_SSL_SESSION, ERR_R_NESTED_ASN1_ERROR); - goto err; - } - if (Tinf == (V_ASN1_CONSTRUCTED + 1)) { - Tlen = c.slen - (c.p - c.q); - if(!ASN1_const_check_infinite_end(&c.p, Tlen)) { - SSLerr(SSL_F_D2I_SSL_SESSION, - ERR_R_MISSING_ASN1_EOS); - goto err; - } - } - c.slen -= (c.p - c.q); - } - if (os.data) { - ret->tlsext_tick = os.data; - ret->tlsext_ticklen = os.length; - os.data = NULL; - os.length = 0; - } else - ret->tlsext_tick = NULL; - - /* 11 - Compression method (OCTET STRING). */ - /* 12 - SRP username (OCTET STRING). */ - - if (!asn1_const_Finish(&c)) { - SSLerr(SSL_F_D2I_SSL_SESSION, ERR_R_NESTED_ASN1_ERROR); - goto err; - } - - *pp = c.p; - if (a != NULL) - *a = ret; - - return (ret); - -err: - ERR_asprintf_error_data("offset=%d", (int)(c.q - *pp)); - if (ret != NULL && (a == NULL || *a != ret)) - SSL_SESSION_free(ret); - - return (NULL); -} diff --git a/lib/libssl/src/ssl/ssl_cert.c b/lib/libssl/src/ssl/ssl_cert.c deleted file mode 100644 index 7e92812e56a..00000000000 --- a/lib/libssl/src/ssl/ssl_cert.c +++ /dev/null @@ -1,722 +0,0 @@ -/* $OpenBSD: ssl_cert.c,v 1.52 2016/03/11 07:08:45 mmcc Exp $ */ -/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) - * All rights reserved. - * - * This package is an SSL implementation written - * by Eric Young (eay@cryptsoft.com). - * The implementation was written so as to conform with Netscapes SSL. - * - * This library is free for commercial and non-commercial use as long as - * the following conditions are aheared to. The following conditions - * apply to all code found in this distribution, be it the RC4, RSA, - * lhash, DES, etc., code; not just the SSL code. The SSL documentation - * included with this distribution is covered by the same copyright terms - * except that the holder is Tim Hudson (tjh@cryptsoft.com). - * - * Copyright remains Eric Young's, and as such any Copyright notices in - * the code are not to be removed. - * If this package is used in a product, Eric Young should be given attribution - * as the author of the parts of the library used. - * This can be in the form of a textual message at program startup or - * in documentation (online or textual) provided with the package. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * "This product includes cryptographic software written by - * Eric Young (eay@cryptsoft.com)" - * The word 'cryptographic' can be left out if the rouines from the library - * being used are not cryptographic related :-). - * 4. If you include any Windows specific code (or a derivative thereof) from - * the apps directory (application code) you must include an acknowledgement: - * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" - * - * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * The licence and distribution terms for any publically available version or - * derivative of this code cannot be changed. i.e. this code cannot simply be - * copied and put under another distribution licence - * [including the GNU Public Licence.] - */ -/* ==================================================================== - * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * openssl-core@openssl.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.openssl.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ -/* ==================================================================== - * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. - * ECC cipher suite support in OpenSSL originally developed by - * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project. - */ - -#include <sys/types.h> - -#include <dirent.h> -#include <stdio.h> -#include <unistd.h> - -#include <openssl/bio.h> -#include <openssl/bn.h> -#include <openssl/dh.h> -#include <openssl/objects.h> -#include <openssl/opensslconf.h> -#include <openssl/pem.h> -#include <openssl/x509v3.h> - -#include "ssl_locl.h" - -int -SSL_get_ex_data_X509_STORE_CTX_idx(void) -{ - static volatile int ssl_x509_store_ctx_idx = -1; - int got_write_lock = 0; - - CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX); - - if (ssl_x509_store_ctx_idx < 0) { - CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX); - CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX); - got_write_lock = 1; - - if (ssl_x509_store_ctx_idx < 0) { - ssl_x509_store_ctx_idx = - X509_STORE_CTX_get_ex_new_index( - 0, "SSL for verify callback", NULL, NULL, NULL); - } - } - - if (got_write_lock) - CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX); - else - CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX); - - return ssl_x509_store_ctx_idx; -} - -static void -ssl_cert_set_default_md(CERT *cert) -{ - /* Set digest values to defaults */ - cert->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_sha1(); - cert->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1(); - cert->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1(); - cert->pkeys[SSL_PKEY_ECC].digest = EVP_sha1(); -#ifndef OPENSSL_NO_GOST - cert->pkeys[SSL_PKEY_GOST01].digest = EVP_gostr341194(); -#endif -} - -CERT * -ssl_cert_new(void) -{ - CERT *ret; - - ret = calloc(1, sizeof(CERT)); - if (ret == NULL) { - SSLerr(SSL_F_SSL_CERT_NEW, ERR_R_MALLOC_FAILURE); - return (NULL); - } - ret->key = &(ret->pkeys[SSL_PKEY_RSA_ENC]); - ret->references = 1; - ssl_cert_set_default_md(ret); - return (ret); -} - -CERT * -ssl_cert_dup(CERT *cert) -{ - CERT *ret; - int i; - - ret = calloc(1, sizeof(CERT)); - if (ret == NULL) { - SSLerr(SSL_F_SSL_CERT_DUP, ERR_R_MALLOC_FAILURE); - return (NULL); - } - - /* - * same as ret->key = ret->pkeys + (cert->key - cert->pkeys), - * if you find that more readable - */ - ret->key = &ret->pkeys[cert->key - &cert->pkeys[0]]; - - ret->valid = cert->valid; - ret->mask_k = cert->mask_k; - ret->mask_a = cert->mask_a; - - if (cert->dh_tmp != NULL) { - ret->dh_tmp = DHparams_dup(cert->dh_tmp); - if (ret->dh_tmp == NULL) { - SSLerr(SSL_F_SSL_CERT_DUP, ERR_R_DH_LIB); - goto err; - } - if (cert->dh_tmp->priv_key) { - BIGNUM *b = BN_dup(cert->dh_tmp->priv_key); - if (!b) { - SSLerr(SSL_F_SSL_CERT_DUP, ERR_R_BN_LIB); - goto err; - } - ret->dh_tmp->priv_key = b; - } - if (cert->dh_tmp->pub_key) { - BIGNUM *b = BN_dup(cert->dh_tmp->pub_key); - if (!b) { - SSLerr(SSL_F_SSL_CERT_DUP, ERR_R_BN_LIB); - goto err; - } - ret->dh_tmp->pub_key = b; - } - } - ret->dh_tmp_cb = cert->dh_tmp_cb; - ret->dh_tmp_auto = cert->dh_tmp_auto; - - if (cert->ecdh_tmp) { - ret->ecdh_tmp = EC_KEY_dup(cert->ecdh_tmp); - if (ret->ecdh_tmp == NULL) { - SSLerr(SSL_F_SSL_CERT_DUP, ERR_R_EC_LIB); - goto err; - } - } - ret->ecdh_tmp_cb = cert->ecdh_tmp_cb; - ret->ecdh_tmp_auto = cert->ecdh_tmp_auto; - - for (i = 0; i < SSL_PKEY_NUM; i++) { - if (cert->pkeys[i].x509 != NULL) { - ret->pkeys[i].x509 = cert->pkeys[i].x509; - CRYPTO_add(&ret->pkeys[i].x509->references, 1, - CRYPTO_LOCK_X509); - } - - if (cert->pkeys[i].privatekey != NULL) { - ret->pkeys[i].privatekey = cert->pkeys[i].privatekey; - CRYPTO_add(&ret->pkeys[i].privatekey->references, 1, - CRYPTO_LOCK_EVP_PKEY); - - switch (i) { - /* - * If there was anything special to do for - * certain types of keys, we'd do it here. - * (Nothing at the moment, I think.) - */ - - case SSL_PKEY_RSA_ENC: - case SSL_PKEY_RSA_SIGN: - /* We have an RSA key. */ - break; - - case SSL_PKEY_DSA_SIGN: - /* We have a DSA key. */ - break; - - case SSL_PKEY_DH_RSA: - case SSL_PKEY_DH_DSA: - /* We have a DH key. */ - break; - - case SSL_PKEY_ECC: - /* We have an ECC key */ - break; - - default: - /* Can't happen. */ - SSLerr(SSL_F_SSL_CERT_DUP, SSL_R_LIBRARY_BUG); - } - } - } - - /* - * ret->extra_certs *should* exist, but currently the own certificate - * chain is held inside SSL_CTX - */ - - ret->references = 1; - /* - * Set digests to defaults. NB: we don't copy existing values - * as they will be set during handshake. - */ - ssl_cert_set_default_md(ret); - - return (ret); - -err: - DH_free(ret->dh_tmp); - EC_KEY_free(ret->ecdh_tmp); - - for (i = 0; i < SSL_PKEY_NUM; i++) { - X509_free(ret->pkeys[i].x509); - EVP_PKEY_free(ret->pkeys[i].privatekey); - } - free (ret); - return NULL; -} - - -void -ssl_cert_free(CERT *c) -{ - int i; - - if (c == NULL) - return; - - i = CRYPTO_add(&c->references, -1, CRYPTO_LOCK_SSL_CERT); - if (i > 0) - return; - - DH_free(c->dh_tmp); - EC_KEY_free(c->ecdh_tmp); - - for (i = 0; i < SSL_PKEY_NUM; i++) { - X509_free(c->pkeys[i].x509); - EVP_PKEY_free(c->pkeys[i].privatekey); - } - - free(c); -} - -int -ssl_cert_inst(CERT **o) -{ - /* - * Create a CERT if there isn't already one - * (which cannot really happen, as it is initially created in - * SSL_CTX_new; but the earlier code usually allows for that one - * being non-existant, so we follow that behaviour, as it might - * turn out that there actually is a reason for it -- but I'm - * not sure that *all* of the existing code could cope with - * s->cert being NULL, otherwise we could do without the - * initialization in SSL_CTX_new). - */ - - if (o == NULL) { - SSLerr(SSL_F_SSL_CERT_INST, ERR_R_PASSED_NULL_PARAMETER); - return (0); - } - if (*o == NULL) { - if ((*o = ssl_cert_new()) == NULL) { - SSLerr(SSL_F_SSL_CERT_INST, ERR_R_MALLOC_FAILURE); - return (0); - } - } - return (1); -} - - -SESS_CERT * -ssl_sess_cert_new(void) -{ - SESS_CERT *ret; - - ret = calloc(1, sizeof *ret); - if (ret == NULL) { - SSLerr(SSL_F_SSL_SESS_CERT_NEW, ERR_R_MALLOC_FAILURE); - return NULL; - } - ret->peer_key = &(ret->peer_pkeys[SSL_PKEY_RSA_ENC]); - ret->references = 1; - - return ret; -} - -void -ssl_sess_cert_free(SESS_CERT *sc) -{ - int i; - - if (sc == NULL) - return; - - i = CRYPTO_add(&sc->references, -1, CRYPTO_LOCK_SSL_SESS_CERT); - if (i > 0) - return; - - /* i == 0 */ - if (sc->cert_chain != NULL) - sk_X509_pop_free(sc->cert_chain, X509_free); - for (i = 0; i < SSL_PKEY_NUM; i++) - X509_free(sc->peer_pkeys[i].x509); - - DH_free(sc->peer_dh_tmp); - EC_KEY_free(sc->peer_ecdh_tmp); - - free(sc); -} - -int -ssl_verify_cert_chain(SSL *s, STACK_OF(X509) *sk) -{ - X509_STORE_CTX ctx; - X509 *x; - int ret; - - if ((sk == NULL) || (sk_X509_num(sk) == 0)) - return (0); - - x = sk_X509_value(sk, 0); - if (!X509_STORE_CTX_init(&ctx, s->ctx->cert_store, x, sk)) { - SSLerr(SSL_F_SSL_VERIFY_CERT_CHAIN, ERR_R_X509_LIB); - return (0); - } - X509_STORE_CTX_set_ex_data(&ctx, - SSL_get_ex_data_X509_STORE_CTX_idx(), s); - - /* - * We need to inherit the verify parameters. These can be - * determined by the context: if its a server it will verify - * SSL client certificates or vice versa. - */ - X509_STORE_CTX_set_default(&ctx, - s->server ? "ssl_client" : "ssl_server"); - - /* - * Anything non-default in "param" should overwrite anything - * in the ctx. - */ - X509_VERIFY_PARAM_set1(X509_STORE_CTX_get0_param(&ctx), s->param); - - if (s->verify_callback) - X509_STORE_CTX_set_verify_cb(&ctx, s->verify_callback); - - if (s->ctx->app_verify_callback != NULL) - ret = s->ctx->app_verify_callback(&ctx, s->ctx->app_verify_arg); - else - ret = X509_verify_cert(&ctx); - - s->verify_result = ctx.error; - X509_STORE_CTX_cleanup(&ctx); - - return (ret); -} - -static void -set_client_CA_list(STACK_OF(X509_NAME) **ca_list, - STACK_OF(X509_NAME) *name_list) -{ - if (*ca_list != NULL) - sk_X509_NAME_pop_free(*ca_list, X509_NAME_free); - - *ca_list = name_list; -} - -STACK_OF(X509_NAME) * -SSL_dup_CA_list(STACK_OF(X509_NAME) *sk) -{ - int i; - STACK_OF(X509_NAME) *ret; - X509_NAME *name; - - ret = sk_X509_NAME_new_null(); - for (i = 0; i < sk_X509_NAME_num(sk); i++) { - name = X509_NAME_dup(sk_X509_NAME_value(sk, i)); - if ((name == NULL) || !sk_X509_NAME_push(ret, name)) { - sk_X509_NAME_pop_free(ret, X509_NAME_free); - return (NULL); - } - } - return (ret); -} - -void -SSL_set_client_CA_list(SSL *s, STACK_OF(X509_NAME) *name_list) -{ - set_client_CA_list(&(s->client_CA), name_list); -} - -void -SSL_CTX_set_client_CA_list(SSL_CTX *ctx, STACK_OF(X509_NAME) *name_list) -{ - set_client_CA_list(&(ctx->client_CA), name_list); -} - -STACK_OF(X509_NAME) * -SSL_CTX_get_client_CA_list(const SSL_CTX *ctx) -{ - return (ctx->client_CA); -} - -STACK_OF(X509_NAME) * -SSL_get_client_CA_list(const SSL *s) -{ - if (s->type == SSL_ST_CONNECT) { - /* We are in the client. */ - if (((s->version >> 8) == SSL3_VERSION_MAJOR) && - (s->s3 != NULL)) - return (s->s3->tmp.ca_names); - else - return (NULL); - } else { - if (s->client_CA != NULL) - return (s->client_CA); - else - return (s->ctx->client_CA); - } -} - -static int -add_client_CA(STACK_OF(X509_NAME) **sk, X509 *x) -{ - X509_NAME *name; - - if (x == NULL) - return (0); - if ((*sk == NULL) && ((*sk = sk_X509_NAME_new_null()) == NULL)) - return (0); - - if ((name = X509_NAME_dup(X509_get_subject_name(x))) == NULL) - return (0); - - if (!sk_X509_NAME_push(*sk, name)) { - X509_NAME_free(name); - return (0); - } - return (1); -} - -int -SSL_add_client_CA(SSL *ssl, X509 *x) -{ - return (add_client_CA(&(ssl->client_CA), x)); -} - -int -SSL_CTX_add_client_CA(SSL_CTX *ctx, X509 *x) -{ - return (add_client_CA(&(ctx->client_CA), x)); -} - -static int -xname_cmp(const X509_NAME * const *a, const X509_NAME * const *b) -{ - return (X509_NAME_cmp(*a, *b)); -} - -/*! - * Load CA certs from a file into a ::STACK. Note that it is somewhat misnamed; - * it doesn't really have anything to do with clients (except that a common use - * for a stack of CAs is to send it to the client). Actually, it doesn't have - * much to do with CAs, either, since it will load any old cert. - * \param file the file containing one or more certs. - * \return a ::STACK containing the certs. - */ -STACK_OF(X509_NAME) * -SSL_load_client_CA_file(const char *file) -{ - BIO *in; - X509 *x = NULL; - X509_NAME *xn = NULL; - STACK_OF(X509_NAME) *ret = NULL, *sk; - - sk = sk_X509_NAME_new(xname_cmp); - - in = BIO_new(BIO_s_file_internal()); - - if ((sk == NULL) || (in == NULL)) { - SSLerr(SSL_F_SSL_LOAD_CLIENT_CA_FILE, ERR_R_MALLOC_FAILURE); - goto err; - } - - if (!BIO_read_filename(in, file)) - goto err; - - for (;;) { - if (PEM_read_bio_X509(in, &x, NULL, NULL) == NULL) - break; - if (ret == NULL) { - ret = sk_X509_NAME_new_null(); - if (ret == NULL) { - SSLerr(SSL_F_SSL_LOAD_CLIENT_CA_FILE, - ERR_R_MALLOC_FAILURE); - goto err; - } - } - if ((xn = X509_get_subject_name(x)) == NULL) goto err; - /* check for duplicates */ - xn = X509_NAME_dup(xn); - if (xn == NULL) - goto err; - if (sk_X509_NAME_find(sk, xn) >= 0) - X509_NAME_free(xn); - else { - sk_X509_NAME_push(sk, xn); - sk_X509_NAME_push(ret, xn); - } - } - - if (0) { -err: - if (ret != NULL) - sk_X509_NAME_pop_free(ret, X509_NAME_free); - ret = NULL; - } - if (sk != NULL) - sk_X509_NAME_free(sk); - BIO_free(in); - X509_free(x); - if (ret != NULL) - ERR_clear_error(); - return (ret); -} - -/*! - * Add a file of certs to a stack. - * \param stack the stack to add to. - * \param file the file to add from. All certs in this file that are not - * already in the stack will be added. - * \return 1 for success, 0 for failure. Note that in the case of failure some - * certs may have been added to \c stack. - */ - -int -SSL_add_file_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack, - const char *file) -{ - BIO *in; - X509 *x = NULL; - X509_NAME *xn = NULL; - int ret = 1; - int (*oldcmp)(const X509_NAME * const *a, const X509_NAME * const *b); - - oldcmp = sk_X509_NAME_set_cmp_func(stack, xname_cmp); - - in = BIO_new(BIO_s_file_internal()); - - if (in == NULL) { - SSLerr(SSL_F_SSL_ADD_FILE_CERT_SUBJECTS_TO_STACK, - ERR_R_MALLOC_FAILURE); - goto err; - } - - if (!BIO_read_filename(in, file)) - goto err; - - for (;;) { - if (PEM_read_bio_X509(in, &x, NULL, NULL) == NULL) - break; - if ((xn = X509_get_subject_name(x)) == NULL) goto err; - xn = X509_NAME_dup(xn); - if (xn == NULL) - goto err; - if (sk_X509_NAME_find(stack, xn) >= 0) - X509_NAME_free(xn); - else - sk_X509_NAME_push(stack, xn); - } - - ERR_clear_error(); - - if (0) { -err: - ret = 0; - } - BIO_free(in); - X509_free(x); - - (void)sk_X509_NAME_set_cmp_func(stack, oldcmp); - - return ret; -} - -/*! - * Add a directory of certs to a stack. - * \param stack the stack to append to. - * \param dir the directory to append from. All files in this directory will be - * examined as potential certs. Any that are acceptable to - * SSL_add_dir_cert_subjects_to_stack() that are not already in the stack will - * be included. - * \return 1 for success, 0 for failure. Note that in the case of failure some - * certs may have been added to \c stack. - */ - -int -SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack, const char *dir) -{ - DIR *dirp = NULL; - char *path = NULL; - int ret = 0; - - dirp = opendir(dir); - if (dirp) { - struct dirent *dp; - while ((dp = readdir(dirp)) != NULL) { - if (asprintf(&path, "%s/%s", dir, dp->d_name) != -1) { - ret = SSL_add_file_cert_subjects_to_stack( - stack, path); - free(path); - } - if (!ret) - break; - } - (void) closedir(dirp); - } - if (!ret) { - SYSerr(SYS_F_OPENDIR, errno); - ERR_asprintf_error_data("opendir ('%s')", dir); - SSLerr(SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK, ERR_R_SYS_LIB); - } - return ret; -} diff --git a/lib/libssl/src/ssl/ssl_ciph.c b/lib/libssl/src/ssl/ssl_ciph.c deleted file mode 100644 index 526d98e2937..00000000000 --- a/lib/libssl/src/ssl/ssl_ciph.c +++ /dev/null @@ -1,1798 +0,0 @@ -/* $OpenBSD: ssl_ciph.c,v 1.86 2016/04/28 16:39:45 jsing Exp $ */ -/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) - * All rights reserved. - * - * This package is an SSL implementation written - * by Eric Young (eay@cryptsoft.com). - * The implementation was written so as to conform with Netscapes SSL. - * - * This library is free for commercial and non-commercial use as long as - * the following conditions are aheared to. The following conditions - * apply to all code found in this distribution, be it the RC4, RSA, - * lhash, DES, etc., code; not just the SSL code. The SSL documentation - * included with this distribution is covered by the same copyright terms - * except that the holder is Tim Hudson (tjh@cryptsoft.com). - * - * Copyright remains Eric Young's, and as such any Copyright notices in - * the code are not to be removed. - * If this package is used in a product, Eric Young should be given attribution - * as the author of the parts of the library used. - * This can be in the form of a textual message at program startup or - * in documentation (online or textual) provided with the package. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * "This product includes cryptographic software written by - * Eric Young (eay@cryptsoft.com)" - * The word 'cryptographic' can be left out if the rouines from the library - * being used are not cryptographic related :-). - * 4. If you include any Windows specific code (or a derivative thereof) from - * the apps directory (application code) you must include an acknowledgement: - * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" - * - * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * The licence and distribution terms for any publically available version or - * derivative of this code cannot be changed. i.e. this code cannot simply be - * copied and put under another distribution licence - * [including the GNU Public Licence.] - */ -/* ==================================================================== - * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * openssl-core@openssl.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.openssl.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ -/* ==================================================================== - * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. - * ECC cipher suite support in OpenSSL originally developed by - * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project. - */ -/* ==================================================================== - * Copyright 2005 Nokia. All rights reserved. - * - * The portions of the attached software ("Contribution") is developed by - * Nokia Corporation and is licensed pursuant to the OpenSSL open source - * license. - * - * The Contribution, originally written by Mika Kousa and Pasi Eronen of - * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites - * support (see RFC 4279) to OpenSSL. - * - * No patent licenses or other rights except those expressly stated in - * the OpenSSL open source license shall be deemed granted or received - * expressly, by implication, estoppel, or otherwise. - * - * No assurances are provided by Nokia that the Contribution does not - * infringe the patent or other intellectual property rights of any third - * party or that the license provides you with all the necessary rights - * to make use of the Contribution. - * - * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN - * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA - * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY - * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR - * OTHERWISE. - */ - -#include <stdio.h> - -#include <openssl/objects.h> - -#ifndef OPENSSL_NO_ENGINE -#include <openssl/engine.h> -#endif - -#include "ssl_locl.h" - -#define SSL_ENC_DES_IDX 0 -#define SSL_ENC_3DES_IDX 1 -#define SSL_ENC_RC4_IDX 2 -#define SSL_ENC_IDEA_IDX 3 -#define SSL_ENC_NULL_IDX 4 -#define SSL_ENC_AES128_IDX 5 -#define SSL_ENC_AES256_IDX 6 -#define SSL_ENC_CAMELLIA128_IDX 7 -#define SSL_ENC_CAMELLIA256_IDX 8 -#define SSL_ENC_GOST89_IDX 9 -#define SSL_ENC_AES128GCM_IDX 10 -#define SSL_ENC_AES256GCM_IDX 11 -#define SSL_ENC_NUM_IDX 12 - - -static const EVP_CIPHER *ssl_cipher_methods[SSL_ENC_NUM_IDX] = { - NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL -}; - -#define SSL_MD_MD5_IDX 0 -#define SSL_MD_SHA1_IDX 1 -#define SSL_MD_GOST94_IDX 2 -#define SSL_MD_GOST89MAC_IDX 3 -#define SSL_MD_SHA256_IDX 4 -#define SSL_MD_SHA384_IDX 5 -#define SSL_MD_STREEBOG256_IDX 6 -#define SSL_MD_STREEBOG512_IDX 7 -/*Constant SSL_MAX_DIGEST equal to size of digests array should be - * defined in the - * ssl_locl.h */ -#define SSL_MD_NUM_IDX SSL_MAX_DIGEST -static const EVP_MD *ssl_digest_methods[SSL_MD_NUM_IDX] = { - NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL -}; - -static int ssl_mac_pkey_id[SSL_MD_NUM_IDX] = { - EVP_PKEY_HMAC, EVP_PKEY_HMAC, EVP_PKEY_HMAC, EVP_PKEY_GOSTIMIT, - EVP_PKEY_HMAC, EVP_PKEY_HMAC, EVP_PKEY_HMAC, EVP_PKEY_HMAC, -}; - -static int ssl_mac_secret_size[SSL_MD_NUM_IDX] = { - 0, 0, 0, 0, 0, 0, 0, 0 -}; - -static int ssl_handshake_digest_flag[SSL_MD_NUM_IDX] = { - SSL_HANDSHAKE_MAC_MD5, SSL_HANDSHAKE_MAC_SHA, - SSL_HANDSHAKE_MAC_GOST94, 0, SSL_HANDSHAKE_MAC_SHA256, - SSL_HANDSHAKE_MAC_SHA384, SSL_HANDSHAKE_MAC_STREEBOG256, - SSL_HANDSHAKE_MAC_STREEBOG512 -}; - -#define CIPHER_ADD 1 -#define CIPHER_KILL 2 -#define CIPHER_DEL 3 -#define CIPHER_ORD 4 -#define CIPHER_SPECIAL 5 - -typedef struct cipher_order_st { - const SSL_CIPHER *cipher; - int active; - int dead; - struct cipher_order_st *next, *prev; -} CIPHER_ORDER; - -static const SSL_CIPHER cipher_aliases[] = { - - /* "ALL" doesn't include eNULL (must be specifically enabled) */ - { - .name = SSL_TXT_ALL, - .algorithm_enc = ~SSL_eNULL, - }, - - /* "COMPLEMENTOFALL" */ - { - .name = SSL_TXT_CMPALL, - .algorithm_enc = SSL_eNULL, - }, - - /* - * "COMPLEMENTOFDEFAULT" - * (does *not* include ciphersuites not found in ALL!) - */ - { - .name = SSL_TXT_CMPDEF, - .algorithm_mkey = SSL_kDHE|SSL_kECDHE, - .algorithm_auth = SSL_aNULL, - .algorithm_enc = ~SSL_eNULL, - }, - - /* - * key exchange aliases - * (some of those using only a single bit here combine multiple key - * exchange algs according to the RFCs, e.g. kEDH combines DHE_DSS - * and DHE_RSA) - */ - { - .name = SSL_TXT_kRSA, - .algorithm_mkey = SSL_kRSA, - }, - { - .name = SSL_TXT_kEDH, - .algorithm_mkey = SSL_kDHE, - }, - { - .name = SSL_TXT_DH, - .algorithm_mkey = SSL_kDHE, - }, - - { - .name = SSL_TXT_kECDHr, - .algorithm_mkey = SSL_kECDHr, - }, - { - .name = SSL_TXT_kECDHe, - .algorithm_mkey = SSL_kECDHe, - }, - { - .name = SSL_TXT_kECDH, - .algorithm_mkey = SSL_kECDHr|SSL_kECDHe, - }, - { - .name = SSL_TXT_kEECDH, - .algorithm_mkey = SSL_kECDHE, - }, - { - .name = SSL_TXT_ECDH, - .algorithm_mkey = SSL_kECDHr|SSL_kECDHe|SSL_kECDHE, - }, - - { - .name = SSL_TXT_kGOST, - .algorithm_mkey = SSL_kGOST, - }, - - /* server authentication aliases */ - { - .name = SSL_TXT_aRSA, - .algorithm_auth = SSL_aRSA, - }, - { - .name = SSL_TXT_aDSS, - .algorithm_auth = SSL_aDSS, - }, - { - .name = SSL_TXT_DSS, - .algorithm_auth = SSL_aDSS, - }, - { - .name = SSL_TXT_aNULL, - .algorithm_auth = SSL_aNULL, - }, - { - .name = SSL_TXT_aECDH, - .algorithm_auth = SSL_aECDH, - }, - { - .name = SSL_TXT_aECDSA, - .algorithm_auth = SSL_aECDSA, - }, - { - .name = SSL_TXT_ECDSA, - .algorithm_auth = SSL_aECDSA, - }, - { - .name = SSL_TXT_aGOST01, - .algorithm_auth = SSL_aGOST01, - }, - { - .name = SSL_TXT_aGOST, - .algorithm_auth = SSL_aGOST01, - }, - - /* aliases combining key exchange and server authentication */ - { - .name = SSL_TXT_DHE, - .algorithm_mkey = SSL_kDHE, - .algorithm_auth = ~SSL_aNULL, - }, - { - .name = SSL_TXT_EDH, - .algorithm_mkey = SSL_kDHE, - .algorithm_auth = ~SSL_aNULL, - }, - { - .name = SSL_TXT_ECDHE, - .algorithm_mkey = SSL_kECDHE, - .algorithm_auth = ~SSL_aNULL, - }, - { - .name = SSL_TXT_EECDH, - .algorithm_mkey = SSL_kECDHE, - .algorithm_auth = ~SSL_aNULL, - }, - { - .name = SSL_TXT_NULL, - .algorithm_enc = SSL_eNULL, - }, - { - .name = SSL_TXT_RSA, - .algorithm_mkey = SSL_kRSA, - .algorithm_auth = SSL_aRSA, - }, - { - .name = SSL_TXT_ADH, - .algorithm_mkey = SSL_kDHE, - .algorithm_auth = SSL_aNULL, - }, - { - .name = SSL_TXT_AECDH, - .algorithm_mkey = SSL_kECDHE, - .algorithm_auth = SSL_aNULL, - }, - - /* symmetric encryption aliases */ - { - .name = SSL_TXT_DES, - .algorithm_enc = SSL_DES, - }, - { - .name = SSL_TXT_3DES, - .algorithm_enc = SSL_3DES, - }, - { - .name = SSL_TXT_RC4, - .algorithm_enc = SSL_RC4, - }, - { - .name = SSL_TXT_IDEA, - .algorithm_enc = SSL_IDEA, - }, - { - .name = SSL_TXT_eNULL, - .algorithm_enc = SSL_eNULL, - }, - { - .name = SSL_TXT_AES128, - .algorithm_enc = SSL_AES128|SSL_AES128GCM, - }, - { - .name = SSL_TXT_AES256, - .algorithm_enc = SSL_AES256|SSL_AES256GCM, - }, - { - .name = SSL_TXT_AES, - .algorithm_enc = SSL_AES, - }, - { - .name = SSL_TXT_AES_GCM, - .algorithm_enc = SSL_AES128GCM|SSL_AES256GCM, - }, - { - .name = SSL_TXT_CAMELLIA128, - .algorithm_enc = SSL_CAMELLIA128, - }, - { - .name = SSL_TXT_CAMELLIA256, - .algorithm_enc = SSL_CAMELLIA256, - }, - { - .name = SSL_TXT_CAMELLIA, - .algorithm_enc = SSL_CAMELLIA128|SSL_CAMELLIA256, - }, - { - .name = SSL_TXT_CHACHA20, - .algorithm_enc = SSL_CHACHA20POLY1305|SSL_CHACHA20POLY1305_OLD, - }, - - /* MAC aliases */ - { - .name = SSL_TXT_AEAD, - .algorithm_mac = SSL_AEAD, - }, - { - .name = SSL_TXT_MD5, - .algorithm_mac = SSL_MD5, - }, - { - .name = SSL_TXT_SHA1, - .algorithm_mac = SSL_SHA1, - }, - { - .name = SSL_TXT_SHA, - .algorithm_mac = SSL_SHA1, - }, - { - .name = SSL_TXT_GOST94, - .algorithm_mac = SSL_GOST94, - }, - { - .name = SSL_TXT_GOST89MAC, - .algorithm_mac = SSL_GOST89MAC, - }, - { - .name = SSL_TXT_SHA256, - .algorithm_mac = SSL_SHA256, - }, - { - .name = SSL_TXT_SHA384, - .algorithm_mac = SSL_SHA384, - }, - { - .name = SSL_TXT_STREEBOG256, - .algorithm_mac = SSL_STREEBOG256, - }, - { - .name = SSL_TXT_STREEBOG512, - .algorithm_mac = SSL_STREEBOG512, - }, - - /* protocol version aliases */ - { - .name = SSL_TXT_SSLV3, - .algorithm_ssl = SSL_SSLV3, - }, - { - .name = SSL_TXT_TLSV1, - .algorithm_ssl = SSL_TLSV1, - }, - { - .name = SSL_TXT_TLSV1_2, - .algorithm_ssl = SSL_TLSV1_2, - }, - - /* strength classes */ - { - .name = SSL_TXT_LOW, - .algo_strength = SSL_LOW, - }, - { - .name = SSL_TXT_MEDIUM, - .algo_strength = SSL_MEDIUM, - }, - { - .name = SSL_TXT_HIGH, - .algo_strength = SSL_HIGH, - }, -}; - -void -ssl_load_ciphers(void) -{ - ssl_cipher_methods[SSL_ENC_DES_IDX] = - EVP_get_cipherbyname(SN_des_cbc); - ssl_cipher_methods[SSL_ENC_3DES_IDX] = - EVP_get_cipherbyname(SN_des_ede3_cbc); - ssl_cipher_methods[SSL_ENC_RC4_IDX] = - EVP_get_cipherbyname(SN_rc4); -#ifndef OPENSSL_NO_IDEA - ssl_cipher_methods[SSL_ENC_IDEA_IDX] = - EVP_get_cipherbyname(SN_idea_cbc); -#else - ssl_cipher_methods[SSL_ENC_IDEA_IDX] = NULL; -#endif - ssl_cipher_methods[SSL_ENC_AES128_IDX] = - EVP_get_cipherbyname(SN_aes_128_cbc); - ssl_cipher_methods[SSL_ENC_AES256_IDX] = - EVP_get_cipherbyname(SN_aes_256_cbc); - ssl_cipher_methods[SSL_ENC_CAMELLIA128_IDX] = - EVP_get_cipherbyname(SN_camellia_128_cbc); - ssl_cipher_methods[SSL_ENC_CAMELLIA256_IDX] = - EVP_get_cipherbyname(SN_camellia_256_cbc); - ssl_cipher_methods[SSL_ENC_GOST89_IDX] = - EVP_get_cipherbyname(SN_gost89_cnt); - - ssl_cipher_methods[SSL_ENC_AES128GCM_IDX] = - EVP_get_cipherbyname(SN_aes_128_gcm); - ssl_cipher_methods[SSL_ENC_AES256GCM_IDX] = - EVP_get_cipherbyname(SN_aes_256_gcm); - - ssl_digest_methods[SSL_MD_MD5_IDX] = - EVP_get_digestbyname(SN_md5); - ssl_mac_secret_size[SSL_MD_MD5_IDX] = - EVP_MD_size(ssl_digest_methods[SSL_MD_MD5_IDX]); - OPENSSL_assert(ssl_mac_secret_size[SSL_MD_MD5_IDX] >= 0); - ssl_digest_methods[SSL_MD_SHA1_IDX] = - EVP_get_digestbyname(SN_sha1); - ssl_mac_secret_size[SSL_MD_SHA1_IDX] = - EVP_MD_size(ssl_digest_methods[SSL_MD_SHA1_IDX]); - OPENSSL_assert(ssl_mac_secret_size[SSL_MD_SHA1_IDX] >= 0); - ssl_digest_methods[SSL_MD_GOST94_IDX] = - EVP_get_digestbyname(SN_id_GostR3411_94); - if (ssl_digest_methods[SSL_MD_GOST94_IDX]) { - ssl_mac_secret_size[SSL_MD_GOST94_IDX] = - EVP_MD_size(ssl_digest_methods[SSL_MD_GOST94_IDX]); - OPENSSL_assert(ssl_mac_secret_size[SSL_MD_GOST94_IDX] >= 0); - } - ssl_digest_methods[SSL_MD_GOST89MAC_IDX] = - EVP_get_digestbyname(SN_id_Gost28147_89_MAC); - if (ssl_mac_pkey_id[SSL_MD_GOST89MAC_IDX]) { - ssl_mac_secret_size[SSL_MD_GOST89MAC_IDX] = 32; - } - - ssl_digest_methods[SSL_MD_SHA256_IDX] = - EVP_get_digestbyname(SN_sha256); - ssl_mac_secret_size[SSL_MD_SHA256_IDX] = - EVP_MD_size(ssl_digest_methods[SSL_MD_SHA256_IDX]); - ssl_digest_methods[SSL_MD_SHA384_IDX] = - EVP_get_digestbyname(SN_sha384); - ssl_mac_secret_size[SSL_MD_SHA384_IDX] = - EVP_MD_size(ssl_digest_methods[SSL_MD_SHA384_IDX]); - ssl_digest_methods[SSL_MD_STREEBOG256_IDX] = - EVP_get_digestbyname(SN_id_tc26_gost3411_2012_256); - ssl_mac_secret_size[SSL_MD_STREEBOG256_IDX] = - EVP_MD_size(ssl_digest_methods[SSL_MD_STREEBOG256_IDX]); - ssl_digest_methods[SSL_MD_STREEBOG512_IDX] = - EVP_get_digestbyname(SN_id_tc26_gost3411_2012_512); - ssl_mac_secret_size[SSL_MD_STREEBOG512_IDX] = - EVP_MD_size(ssl_digest_methods[SSL_MD_STREEBOG512_IDX]); -} - -int -ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc, - const EVP_MD **md, int *mac_pkey_type, int *mac_secret_size) -{ - const SSL_CIPHER *c; - int i; - - c = s->cipher; - if (c == NULL) - return (0); - - /* - * This function does not handle EVP_AEAD. - * See ssl_cipher_get_aead_evp instead. - */ - if (c->algorithm2 & SSL_CIPHER_ALGORITHM2_AEAD) - return(0); - - if ((enc == NULL) || (md == NULL)) - return (0); - - switch (c->algorithm_enc) { - case SSL_DES: - i = SSL_ENC_DES_IDX; - break; - case SSL_3DES: - i = SSL_ENC_3DES_IDX; - break; - case SSL_RC4: - i = SSL_ENC_RC4_IDX; - break; - case SSL_IDEA: - i = SSL_ENC_IDEA_IDX; - break; - case SSL_eNULL: - i = SSL_ENC_NULL_IDX; - break; - case SSL_AES128: - i = SSL_ENC_AES128_IDX; - break; - case SSL_AES256: - i = SSL_ENC_AES256_IDX; - break; - case SSL_CAMELLIA128: - i = SSL_ENC_CAMELLIA128_IDX; - break; - case SSL_CAMELLIA256: - i = SSL_ENC_CAMELLIA256_IDX; - break; - case SSL_eGOST2814789CNT: - i = SSL_ENC_GOST89_IDX; - break; - case SSL_AES128GCM: - i = SSL_ENC_AES128GCM_IDX; - break; - case SSL_AES256GCM: - i = SSL_ENC_AES256GCM_IDX; - break; - default: - i = -1; - break; - } - - if ((i < 0) || (i >= SSL_ENC_NUM_IDX)) - *enc = NULL; - else { - if (i == SSL_ENC_NULL_IDX) - *enc = EVP_enc_null(); - else - *enc = ssl_cipher_methods[i]; - } - - switch (c->algorithm_mac) { - case SSL_MD5: - i = SSL_MD_MD5_IDX; - break; - case SSL_SHA1: - i = SSL_MD_SHA1_IDX; - break; - case SSL_SHA256: - i = SSL_MD_SHA256_IDX; - break; - case SSL_SHA384: - i = SSL_MD_SHA384_IDX; - break; - case SSL_GOST94: - i = SSL_MD_GOST94_IDX; - break; - case SSL_GOST89MAC: - i = SSL_MD_GOST89MAC_IDX; - break; - case SSL_STREEBOG256: - i = SSL_MD_STREEBOG256_IDX; - break; - case SSL_STREEBOG512: - i = SSL_MD_STREEBOG512_IDX; - break; - default: - i = -1; - break; - } - if ((i < 0) || (i >= SSL_MD_NUM_IDX)) { - *md = NULL; - - if (mac_pkey_type != NULL) - *mac_pkey_type = NID_undef; - if (mac_secret_size != NULL) - *mac_secret_size = 0; - if (c->algorithm_mac == SSL_AEAD) - mac_pkey_type = NULL; - } else { - *md = ssl_digest_methods[i]; - if (mac_pkey_type != NULL) - *mac_pkey_type = ssl_mac_pkey_id[i]; - if (mac_secret_size != NULL) - *mac_secret_size = ssl_mac_secret_size[i]; - } - - if ((*enc != NULL) && - (*md != NULL || (EVP_CIPHER_flags(*enc)&EVP_CIPH_FLAG_AEAD_CIPHER)) && - (!mac_pkey_type || *mac_pkey_type != NID_undef)) { - const EVP_CIPHER *evp; - - if (s->ssl_version >> 8 != TLS1_VERSION_MAJOR || - s->ssl_version < TLS1_VERSION) - return 1; - - if (c->algorithm_enc == SSL_RC4 && - c->algorithm_mac == SSL_MD5 && - (evp = EVP_get_cipherbyname("RC4-HMAC-MD5"))) - *enc = evp, *md = NULL; - else if (c->algorithm_enc == SSL_AES128 && - c->algorithm_mac == SSL_SHA1 && - (evp = EVP_get_cipherbyname("AES-128-CBC-HMAC-SHA1"))) - *enc = evp, *md = NULL; - else if (c->algorithm_enc == SSL_AES256 && - c->algorithm_mac == SSL_SHA1 && - (evp = EVP_get_cipherbyname("AES-256-CBC-HMAC-SHA1"))) - *enc = evp, *md = NULL; - return (1); - } else - return (0); -} - -/* - * ssl_cipher_get_evp_aead sets aead to point to the correct EVP_AEAD object - * for s->cipher. It returns 1 on success and 0 on error. - */ -int -ssl_cipher_get_evp_aead(const SSL_SESSION *s, const EVP_AEAD **aead) -{ - const SSL_CIPHER *c = s->cipher; - - *aead = NULL; - - if (c == NULL) - return 0; - if ((c->algorithm2 & SSL_CIPHER_ALGORITHM2_AEAD) == 0) - return 0; - - switch (c->algorithm_enc) { -#ifndef OPENSSL_NO_AES - case SSL_AES128GCM: - *aead = EVP_aead_aes_128_gcm(); - return 1; - case SSL_AES256GCM: - *aead = EVP_aead_aes_256_gcm(); - return 1; -#endif -#if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305) - case SSL_CHACHA20POLY1305: - *aead = EVP_aead_chacha20_poly1305(); - return 1; - case SSL_CHACHA20POLY1305_OLD: - *aead = EVP_aead_chacha20_poly1305_old(); - return 1; -#endif - default: - break; - } - return 0; -} - -int -ssl_get_handshake_digest(int idx, long *mask, const EVP_MD **md) -{ - if (idx < 0 || idx >= SSL_MD_NUM_IDX) { - return 0; - } - *mask = ssl_handshake_digest_flag[idx]; - if (*mask) - *md = ssl_digest_methods[idx]; - else - *md = NULL; - return 1; -} - -#define ITEM_SEP(a) \ - (((a) == ':') || ((a) == ' ') || ((a) == ';') || ((a) == ',')) - -static void -ll_append_tail(CIPHER_ORDER **head, CIPHER_ORDER *curr, - CIPHER_ORDER **tail) -{ - if (curr == *tail) - return; - if (curr == *head) - *head = curr->next; - if (curr->prev != NULL) - curr->prev->next = curr->next; - if (curr->next != NULL) - curr->next->prev = curr->prev; - (*tail)->next = curr; - curr->prev= *tail; - curr->next = NULL; - *tail = curr; -} - -static void -ll_append_head(CIPHER_ORDER **head, CIPHER_ORDER *curr, - CIPHER_ORDER **tail) -{ - if (curr == *head) - return; - if (curr == *tail) - *tail = curr->prev; - if (curr->next != NULL) - curr->next->prev = curr->prev; - if (curr->prev != NULL) - curr->prev->next = curr->next; - (*head)->prev = curr; - curr->next= *head; - curr->prev = NULL; - *head = curr; -} - -static void -ssl_cipher_get_disabled(unsigned long *mkey, unsigned long *auth, - unsigned long *enc, unsigned long *mac, unsigned long *ssl) -{ - *mkey = 0; - *auth = 0; - *enc = 0; - *mac = 0; - *ssl = 0; - - /* - * Check for the availability of GOST 34.10 public/private key - * algorithms. If they are not available disable the associated - * authentication and key exchange algorithms. - */ - if (EVP_PKEY_meth_find(NID_id_GostR3410_2001) == NULL) { - *auth |= SSL_aGOST01; - *mkey |= SSL_kGOST; - } - -#ifdef SSL_FORBID_ENULL - *enc |= SSL_eNULL; -#endif - - *enc |= (ssl_cipher_methods[SSL_ENC_DES_IDX ] == NULL) ? SSL_DES : 0; - *enc |= (ssl_cipher_methods[SSL_ENC_3DES_IDX] == NULL) ? SSL_3DES : 0; - *enc |= (ssl_cipher_methods[SSL_ENC_RC4_IDX ] == NULL) ? SSL_RC4 : 0; - *enc |= (ssl_cipher_methods[SSL_ENC_IDEA_IDX] == NULL) ? SSL_IDEA : 0; - *enc |= (ssl_cipher_methods[SSL_ENC_AES128_IDX] == NULL) ? SSL_AES128 : 0; - *enc |= (ssl_cipher_methods[SSL_ENC_AES256_IDX] == NULL) ? SSL_AES256 : 0; - *enc |= (ssl_cipher_methods[SSL_ENC_AES128GCM_IDX] == NULL) ? SSL_AES128GCM : 0; - *enc |= (ssl_cipher_methods[SSL_ENC_AES256GCM_IDX] == NULL) ? SSL_AES256GCM : 0; - *enc |= (ssl_cipher_methods[SSL_ENC_CAMELLIA128_IDX] == NULL) ? SSL_CAMELLIA128 : 0; - *enc |= (ssl_cipher_methods[SSL_ENC_CAMELLIA256_IDX] == NULL) ? SSL_CAMELLIA256 : 0; - *enc |= (ssl_cipher_methods[SSL_ENC_GOST89_IDX] == NULL) ? SSL_eGOST2814789CNT : 0; - - *mac |= (ssl_digest_methods[SSL_MD_MD5_IDX ] == NULL) ? SSL_MD5 : 0; - *mac |= (ssl_digest_methods[SSL_MD_SHA1_IDX] == NULL) ? SSL_SHA1 : 0; - *mac |= (ssl_digest_methods[SSL_MD_SHA256_IDX] == NULL) ? SSL_SHA256 : 0; - *mac |= (ssl_digest_methods[SSL_MD_SHA384_IDX] == NULL) ? SSL_SHA384 : 0; - *mac |= (ssl_digest_methods[SSL_MD_GOST94_IDX] == NULL) ? SSL_GOST94 : 0; - *mac |= (ssl_digest_methods[SSL_MD_GOST89MAC_IDX] == NULL) ? SSL_GOST89MAC : 0; - *mac |= (ssl_digest_methods[SSL_MD_STREEBOG256_IDX] == NULL) ? SSL_STREEBOG256 : 0; - *mac |= (ssl_digest_methods[SSL_MD_STREEBOG512_IDX] == NULL) ? SSL_STREEBOG512 : 0; - -} - -static void -ssl_cipher_collect_ciphers(const SSL_METHOD *ssl_method, int num_of_ciphers, - unsigned long disabled_mkey, unsigned long disabled_auth, - unsigned long disabled_enc, unsigned long disabled_mac, - unsigned long disabled_ssl, CIPHER_ORDER *co_list, - CIPHER_ORDER **head_p, CIPHER_ORDER **tail_p) -{ - int i, co_list_num; - const SSL_CIPHER *c; - - /* - * We have num_of_ciphers descriptions compiled in, depending on the - * method selected (SSLv3, TLSv1, etc). These will later be sorted in - * a linked list with at most num entries. - */ - - /* Get the initial list of ciphers */ - co_list_num = 0; /* actual count of ciphers */ - for (i = 0; i < num_of_ciphers; i++) { - c = ssl_method->get_cipher(i); - /* drop those that use any of that is not available */ - if ((c != NULL) && c->valid && - !(c->algorithm_mkey & disabled_mkey) && - !(c->algorithm_auth & disabled_auth) && - !(c->algorithm_enc & disabled_enc) && - !(c->algorithm_mac & disabled_mac) && - !(c->algorithm_ssl & disabled_ssl)) { - co_list[co_list_num].cipher = c; - co_list[co_list_num].next = NULL; - co_list[co_list_num].prev = NULL; - co_list[co_list_num].active = 0; - co_list_num++; - /* - if (!sk_push(ca_list,(char *)c)) goto err; - */ - } - } - - /* - * Prepare linked list from list entries - */ - if (co_list_num > 0) { - co_list[0].prev = NULL; - - if (co_list_num > 1) { - co_list[0].next = &co_list[1]; - - for (i = 1; i < co_list_num - 1; i++) { - co_list[i].prev = &co_list[i - 1]; - co_list[i].next = &co_list[i + 1]; - } - - co_list[co_list_num - 1].prev = - &co_list[co_list_num - 2]; - } - - co_list[co_list_num - 1].next = NULL; - - *head_p = &co_list[0]; - *tail_p = &co_list[co_list_num - 1]; - } -} - -static void -ssl_cipher_collect_aliases(const SSL_CIPHER **ca_list, int num_of_group_aliases, - unsigned long disabled_mkey, unsigned long disabled_auth, - unsigned long disabled_enc, unsigned long disabled_mac, - unsigned long disabled_ssl, CIPHER_ORDER *head) -{ - CIPHER_ORDER *ciph_curr; - const SSL_CIPHER **ca_curr; - int i; - unsigned long mask_mkey = ~disabled_mkey; - unsigned long mask_auth = ~disabled_auth; - unsigned long mask_enc = ~disabled_enc; - unsigned long mask_mac = ~disabled_mac; - unsigned long mask_ssl = ~disabled_ssl; - - /* - * First, add the real ciphers as already collected - */ - ciph_curr = head; - ca_curr = ca_list; - while (ciph_curr != NULL) { - *ca_curr = ciph_curr->cipher; - ca_curr++; - ciph_curr = ciph_curr->next; - } - - /* - * Now we add the available ones from the cipher_aliases[] table. - * They represent either one or more algorithms, some of which - * in any affected category must be supported (set in enabled_mask), - * or represent a cipher strength value (will be added in any case because algorithms=0). - */ - for (i = 0; i < num_of_group_aliases; i++) { - unsigned long algorithm_mkey = cipher_aliases[i].algorithm_mkey; - unsigned long algorithm_auth = cipher_aliases[i].algorithm_auth; - unsigned long algorithm_enc = cipher_aliases[i].algorithm_enc; - unsigned long algorithm_mac = cipher_aliases[i].algorithm_mac; - unsigned long algorithm_ssl = cipher_aliases[i].algorithm_ssl; - - if (algorithm_mkey) - if ((algorithm_mkey & mask_mkey) == 0) - continue; - - if (algorithm_auth) - if ((algorithm_auth & mask_auth) == 0) - continue; - - if (algorithm_enc) - if ((algorithm_enc & mask_enc) == 0) - continue; - - if (algorithm_mac) - if ((algorithm_mac & mask_mac) == 0) - continue; - - if (algorithm_ssl) - if ((algorithm_ssl & mask_ssl) == 0) - continue; - - *ca_curr = (SSL_CIPHER *)(cipher_aliases + i); - ca_curr++; - } - - *ca_curr = NULL; /* end of list */ -} - -static void -ssl_cipher_apply_rule(unsigned long cipher_id, unsigned long alg_mkey, - unsigned long alg_auth, unsigned long alg_enc, unsigned long alg_mac, - unsigned long alg_ssl, unsigned long algo_strength, - int rule, int strength_bits, CIPHER_ORDER **head_p, CIPHER_ORDER **tail_p) -{ - CIPHER_ORDER *head, *tail, *curr, *next, *last; - const SSL_CIPHER *cp; - int reverse = 0; - - - if (rule == CIPHER_DEL) - reverse = 1; /* needed to maintain sorting between currently deleted ciphers */ - - head = *head_p; - tail = *tail_p; - - if (reverse) { - next = tail; - last = head; - } else { - next = head; - last = tail; - } - - curr = NULL; - for (;;) { - if (curr == last) - break; - curr = next; - next = reverse ? curr->prev : curr->next; - - cp = curr->cipher; - - /* - * Selection criteria is either the value of strength_bits - * or the algorithms used. - */ - if (strength_bits >= 0) { - if (strength_bits != cp->strength_bits) - continue; - } else { - - if (alg_mkey && !(alg_mkey & cp->algorithm_mkey)) - continue; - if (alg_auth && !(alg_auth & cp->algorithm_auth)) - continue; - if (alg_enc && !(alg_enc & cp->algorithm_enc)) - continue; - if (alg_mac && !(alg_mac & cp->algorithm_mac)) - continue; - if (alg_ssl && !(alg_ssl & cp->algorithm_ssl)) - continue; - if ((algo_strength & SSL_STRONG_MASK) && !(algo_strength & SSL_STRONG_MASK & cp->algo_strength)) - continue; - } - - - /* add the cipher if it has not been added yet. */ - if (rule == CIPHER_ADD) { - /* reverse == 0 */ - if (!curr->active) { - ll_append_tail(&head, curr, &tail); - curr->active = 1; - } - } - /* Move the added cipher to this location */ - else if (rule == CIPHER_ORD) { - /* reverse == 0 */ - if (curr->active) { - ll_append_tail(&head, curr, &tail); - } - } else if (rule == CIPHER_DEL) { - /* reverse == 1 */ - if (curr->active) { - /* most recently deleted ciphersuites get best positions - * for any future CIPHER_ADD (note that the CIPHER_DEL loop - * works in reverse to maintain the order) */ - ll_append_head(&head, curr, &tail); - curr->active = 0; - } - } else if (rule == CIPHER_KILL) { - /* reverse == 0 */ - if (head == curr) - head = curr->next; - else - curr->prev->next = curr->next; - if (tail == curr) - tail = curr->prev; - curr->active = 0; - if (curr->next != NULL) - curr->next->prev = curr->prev; - if (curr->prev != NULL) - curr->prev->next = curr->next; - curr->next = NULL; - curr->prev = NULL; - } - } - - *head_p = head; - *tail_p = tail; -} - -static int -ssl_cipher_strength_sort(CIPHER_ORDER **head_p, CIPHER_ORDER **tail_p) -{ - int max_strength_bits, i, *number_uses; - CIPHER_ORDER *curr; - - /* - * This routine sorts the ciphers with descending strength. The sorting - * must keep the pre-sorted sequence, so we apply the normal sorting - * routine as '+' movement to the end of the list. - */ - max_strength_bits = 0; - curr = *head_p; - while (curr != NULL) { - if (curr->active && - (curr->cipher->strength_bits > max_strength_bits)) - max_strength_bits = curr->cipher->strength_bits; - curr = curr->next; - } - - number_uses = calloc((max_strength_bits + 1), sizeof(int)); - if (!number_uses) { - SSLerr(SSL_F_SSL_CIPHER_STRENGTH_SORT, ERR_R_MALLOC_FAILURE); - return (0); - } - - /* - * Now find the strength_bits values actually used - */ - curr = *head_p; - while (curr != NULL) { - if (curr->active) - number_uses[curr->cipher->strength_bits]++; - curr = curr->next; - } - /* - * Go through the list of used strength_bits values in descending - * order. - */ - for (i = max_strength_bits; i >= 0; i--) - if (number_uses[i] > 0) - ssl_cipher_apply_rule(0, 0, 0, 0, 0, 0, 0, CIPHER_ORD, i, head_p, tail_p); - - free(number_uses); - return (1); -} - -static int -ssl_cipher_process_rulestr(const char *rule_str, CIPHER_ORDER **head_p, - CIPHER_ORDER **tail_p, const SSL_CIPHER **ca_list) -{ - unsigned long alg_mkey, alg_auth, alg_enc, alg_mac, alg_ssl; - unsigned long algo_strength; - int j, multi, found, rule, retval, ok, buflen; - unsigned long cipher_id = 0; - const char *l, *buf; - char ch; - - retval = 1; - l = rule_str; - for (;;) { - ch = *l; - - if (ch == '\0') - break; - - if (ch == '-') { - rule = CIPHER_DEL; - l++; - } else if (ch == '+') { - rule = CIPHER_ORD; - l++; - } else if (ch == '!') { - rule = CIPHER_KILL; - l++; - } else if (ch == '@') { - rule = CIPHER_SPECIAL; - l++; - } else { - rule = CIPHER_ADD; - } - - if (ITEM_SEP(ch)) { - l++; - continue; - } - - alg_mkey = 0; - alg_auth = 0; - alg_enc = 0; - alg_mac = 0; - alg_ssl = 0; - algo_strength = 0; - - for (;;) { - ch = *l; - buf = l; - buflen = 0; - while (((ch >= 'A') && (ch <= 'Z')) || - ((ch >= '0') && (ch <= '9')) || - ((ch >= 'a') && (ch <= 'z')) || - (ch == '-') || (ch == '.')) { - ch = *(++l); - buflen++; - } - - if (buflen == 0) { - /* - * We hit something we cannot deal with, - * it is no command or separator nor - * alphanumeric, so we call this an error. - */ - SSLerr(SSL_F_SSL_CIPHER_PROCESS_RULESTR, - SSL_R_INVALID_COMMAND); - retval = found = 0; - l++; - break; - } - - if (rule == CIPHER_SPECIAL) { - /* unused -- avoid compiler warning */ - found = 0; - /* special treatment */ - break; - } - - /* check for multi-part specification */ - if (ch == '+') { - multi = 1; - l++; - } else - multi = 0; - - /* - * Now search for the cipher alias in the ca_list. - * Be careful with the strncmp, because the "buflen" - * limitation will make the rule "ADH:SOME" and the - * cipher "ADH-MY-CIPHER" look like a match for - * buflen=3. So additionally check whether the cipher - * name found has the correct length. We can save a - * strlen() call: just checking for the '\0' at the - * right place is sufficient, we have to strncmp() - * anyway (we cannot use strcmp(), because buf is not - * '\0' terminated.) - */ - j = found = 0; - cipher_id = 0; - while (ca_list[j]) { - if (!strncmp(buf, ca_list[j]->name, buflen) && - (ca_list[j]->name[buflen] == '\0')) { - found = 1; - break; - } else - j++; - } - - if (!found) - break; /* ignore this entry */ - - if (ca_list[j]->algorithm_mkey) { - if (alg_mkey) { - alg_mkey &= ca_list[j]->algorithm_mkey; - if (!alg_mkey) { - found = 0; - break; - } - } else - alg_mkey = ca_list[j]->algorithm_mkey; - } - - if (ca_list[j]->algorithm_auth) { - if (alg_auth) { - alg_auth &= ca_list[j]->algorithm_auth; - if (!alg_auth) { - found = 0; - break; - } - } else - alg_auth = ca_list[j]->algorithm_auth; - } - - if (ca_list[j]->algorithm_enc) { - if (alg_enc) { - alg_enc &= ca_list[j]->algorithm_enc; - if (!alg_enc) { - found = 0; - break; - } - } else - alg_enc = ca_list[j]->algorithm_enc; - } - - if (ca_list[j]->algorithm_mac) { - if (alg_mac) { - alg_mac &= ca_list[j]->algorithm_mac; - if (!alg_mac) { - found = 0; - break; - } - } else - alg_mac = ca_list[j]->algorithm_mac; - } - - if (ca_list[j]->algo_strength & SSL_STRONG_MASK) { - if (algo_strength & SSL_STRONG_MASK) { - algo_strength &= - (ca_list[j]->algo_strength & - SSL_STRONG_MASK) | ~SSL_STRONG_MASK; - if (!(algo_strength & - SSL_STRONG_MASK)) { - found = 0; - break; - } - } else - algo_strength |= - ca_list[j]->algo_strength & - SSL_STRONG_MASK; - } - - if (ca_list[j]->valid) { - /* - * explicit ciphersuite found; its protocol - * version does not become part of the search - * pattern! - */ - cipher_id = ca_list[j]->id; - } else { - /* - * not an explicit ciphersuite; only in this - * case, the protocol version is considered - * part of the search pattern - */ - if (ca_list[j]->algorithm_ssl) { - if (alg_ssl) { - alg_ssl &= - ca_list[j]->algorithm_ssl; - if (!alg_ssl) { - found = 0; - break; - } - } else - alg_ssl = - ca_list[j]->algorithm_ssl; - } - } - - if (!multi) - break; - } - - /* - * Ok, we have the rule, now apply it - */ - if (rule == CIPHER_SPECIAL) { - /* special command */ - ok = 0; - if ((buflen == 8) && !strncmp(buf, "STRENGTH", 8)) - ok = ssl_cipher_strength_sort(head_p, tail_p); - else - SSLerr(SSL_F_SSL_CIPHER_PROCESS_RULESTR, - SSL_R_INVALID_COMMAND); - if (ok == 0) - retval = 0; - /* - * We do not support any "multi" options - * together with "@", so throw away the - * rest of the command, if any left, until - * end or ':' is found. - */ - while ((*l != '\0') && !ITEM_SEP(*l)) - l++; - } else if (found) { - ssl_cipher_apply_rule(cipher_id, alg_mkey, alg_auth, - alg_enc, alg_mac, alg_ssl, algo_strength, rule, - -1, head_p, tail_p); - } else { - while ((*l != '\0') && !ITEM_SEP(*l)) - l++; - } - if (*l == '\0') - break; /* done */ - } - - return (retval); -} - -static inline int -ssl_aes_is_accelerated(void) -{ -#if defined(__i386__) || defined(__x86_64__) - return ((OPENSSL_cpu_caps() & (1ULL << 57)) != 0); -#else - return (0); -#endif -} - -STACK_OF(SSL_CIPHER) * -ssl_create_cipher_list(const SSL_METHOD *ssl_method, - STACK_OF(SSL_CIPHER) **cipher_list, - STACK_OF(SSL_CIPHER) **cipher_list_by_id, - const char *rule_str) -{ - int ok, num_of_ciphers, num_of_alias_max, num_of_group_aliases; - unsigned long disabled_mkey, disabled_auth, disabled_enc, disabled_mac, disabled_ssl; - STACK_OF(SSL_CIPHER) *cipherstack, *tmp_cipher_list; - const char *rule_p; - CIPHER_ORDER *co_list = NULL, *head = NULL, *tail = NULL, *curr; - const SSL_CIPHER **ca_list = NULL; - - /* - * Return with error if nothing to do. - */ - if (rule_str == NULL || cipher_list == NULL || cipher_list_by_id == NULL) - return NULL; - - /* - * To reduce the work to do we only want to process the compiled - * in algorithms, so we first get the mask of disabled ciphers. - */ - ssl_cipher_get_disabled(&disabled_mkey, &disabled_auth, &disabled_enc, &disabled_mac, &disabled_ssl); - - /* - * Now we have to collect the available ciphers from the compiled - * in ciphers. We cannot get more than the number compiled in, so - * it is used for allocation. - */ - num_of_ciphers = ssl_method->num_ciphers(); - co_list = reallocarray(NULL, num_of_ciphers, sizeof(CIPHER_ORDER)); - if (co_list == NULL) { - SSLerr(SSL_F_SSL_CREATE_CIPHER_LIST, ERR_R_MALLOC_FAILURE); - return(NULL); /* Failure */ - } - - ssl_cipher_collect_ciphers(ssl_method, num_of_ciphers, - disabled_mkey, disabled_auth, disabled_enc, disabled_mac, disabled_ssl, - co_list, &head, &tail); - - - /* Now arrange all ciphers by preference: */ - - /* Everything else being equal, prefer ephemeral ECDH over other key exchange mechanisms */ - ssl_cipher_apply_rule(0, SSL_kECDHE, 0, 0, 0, 0, 0, CIPHER_ADD, -1, &head, &tail); - ssl_cipher_apply_rule(0, SSL_kECDHE, 0, 0, 0, 0, 0, CIPHER_DEL, -1, &head, &tail); - - if (ssl_aes_is_accelerated() == 1) { - /* - * We have hardware assisted AES - prefer AES as a symmetric - * cipher, with CHACHA20 second. - */ - ssl_cipher_apply_rule(0, 0, 0, SSL_AES, 0, 0, 0, - CIPHER_ADD, -1, &head, &tail); - ssl_cipher_apply_rule(0, 0, 0, SSL_CHACHA20POLY1305, - 0, 0, 0, CIPHER_ADD, -1, &head, &tail); - ssl_cipher_apply_rule(0, 0, 0, SSL_CHACHA20POLY1305_OLD, - 0, 0, 0, CIPHER_ADD, -1, &head, &tail); - } else { - /* - * CHACHA20 is fast and safe on all hardware and is thus our - * preferred symmetric cipher, with AES second. - */ - ssl_cipher_apply_rule(0, 0, 0, SSL_CHACHA20POLY1305, - 0, 0, 0, CIPHER_ADD, -1, &head, &tail); - ssl_cipher_apply_rule(0, 0, 0, SSL_CHACHA20POLY1305_OLD, - 0, 0, 0, CIPHER_ADD, -1, &head, &tail); - ssl_cipher_apply_rule(0, 0, 0, SSL_AES, 0, 0, 0, - CIPHER_ADD, -1, &head, &tail); - } - - /* Temporarily enable everything else for sorting */ - ssl_cipher_apply_rule(0, 0, 0, 0, 0, 0, 0, CIPHER_ADD, -1, &head, &tail); - - /* Low priority for MD5 */ - ssl_cipher_apply_rule(0, 0, 0, 0, SSL_MD5, 0, 0, CIPHER_ORD, -1, &head, &tail); - - /* Move anonymous ciphers to the end. Usually, these will remain disabled. - * (For applications that allow them, they aren't too bad, but we prefer - * authenticated ciphers.) */ - ssl_cipher_apply_rule(0, 0, SSL_aNULL, 0, 0, 0, 0, CIPHER_ORD, -1, &head, &tail); - - /* Move ciphers without forward secrecy to the end */ - ssl_cipher_apply_rule(0, 0, SSL_aECDH, 0, 0, 0, 0, CIPHER_ORD, -1, &head, &tail); - ssl_cipher_apply_rule(0, SSL_kRSA, 0, 0, 0, 0, 0, CIPHER_ORD, -1, &head, &tail); - - /* RC4 is sort of broken - move it to the end */ - ssl_cipher_apply_rule(0, 0, 0, SSL_RC4, 0, 0, 0, CIPHER_ORD, -1, &head, &tail); - - /* Now sort by symmetric encryption strength. The above ordering remains - * in force within each class */ - if (!ssl_cipher_strength_sort(&head, &tail)) { - free(co_list); - return NULL; - } - - /* Now disable everything (maintaining the ordering!) */ - ssl_cipher_apply_rule(0, 0, 0, 0, 0, 0, 0, CIPHER_DEL, -1, &head, &tail); - - - /* - * We also need cipher aliases for selecting based on the rule_str. - * There might be two types of entries in the rule_str: 1) names - * of ciphers themselves 2) aliases for groups of ciphers. - * For 1) we need the available ciphers and for 2) the cipher - * groups of cipher_aliases added together in one list (otherwise - * we would be happy with just the cipher_aliases table). - */ - num_of_group_aliases = sizeof(cipher_aliases) / sizeof(SSL_CIPHER); - num_of_alias_max = num_of_ciphers + num_of_group_aliases + 1; - ca_list = reallocarray(NULL, num_of_alias_max, sizeof(SSL_CIPHER *)); - if (ca_list == NULL) { - free(co_list); - SSLerr(SSL_F_SSL_CREATE_CIPHER_LIST, ERR_R_MALLOC_FAILURE); - return(NULL); /* Failure */ - } - ssl_cipher_collect_aliases(ca_list, num_of_group_aliases, - disabled_mkey, disabled_auth, disabled_enc, - disabled_mac, disabled_ssl, head); - - /* - * If the rule_string begins with DEFAULT, apply the default rule - * before using the (possibly available) additional rules. - */ - ok = 1; - rule_p = rule_str; - if (strncmp(rule_str, "DEFAULT", 7) == 0) { - ok = ssl_cipher_process_rulestr(SSL_DEFAULT_CIPHER_LIST, - &head, &tail, ca_list); - rule_p += 7; - if (*rule_p == ':') - rule_p++; - } - - if (ok && (strlen(rule_p) > 0)) - ok = ssl_cipher_process_rulestr(rule_p, &head, &tail, ca_list); - - free((void *)ca_list); /* Not needed anymore */ - - if (!ok) { - /* Rule processing failure */ - free(co_list); - return (NULL); - } - - /* - * Allocate new "cipherstack" for the result, return with error - * if we cannot get one. - */ - if ((cipherstack = sk_SSL_CIPHER_new_null()) == NULL) { - free(co_list); - return (NULL); - } - - /* - * The cipher selection for the list is done. The ciphers are added - * to the resulting precedence to the STACK_OF(SSL_CIPHER). - */ - for (curr = head; curr != NULL; curr = curr->next) { - if (curr->active) { - sk_SSL_CIPHER_push(cipherstack, curr->cipher); - } - } - free(co_list); /* Not needed any longer */ - - tmp_cipher_list = sk_SSL_CIPHER_dup(cipherstack); - if (tmp_cipher_list == NULL) { - sk_SSL_CIPHER_free(cipherstack); - return NULL; - } - if (*cipher_list != NULL) - sk_SSL_CIPHER_free(*cipher_list); - *cipher_list = cipherstack; - if (*cipher_list_by_id != NULL) - sk_SSL_CIPHER_free(*cipher_list_by_id); - *cipher_list_by_id = tmp_cipher_list; - (void)sk_SSL_CIPHER_set_cmp_func(*cipher_list_by_id, - ssl_cipher_ptr_id_cmp); - - sk_SSL_CIPHER_sort(*cipher_list_by_id); - return (cipherstack); -} - -const SSL_CIPHER * -SSL_CIPHER_get_by_id(unsigned int id) -{ - return ssl3_get_cipher_by_id(id); -} - -const SSL_CIPHER * -SSL_CIPHER_get_by_value(uint16_t value) -{ - return ssl3_get_cipher_by_value(value); -} - -char * -SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len) -{ - unsigned long alg_mkey, alg_auth, alg_enc, alg_mac, alg_ssl, alg2; - const char *ver, *kx, *au, *enc, *mac; - char *ret; - int l; - - alg_mkey = cipher->algorithm_mkey; - alg_auth = cipher->algorithm_auth; - alg_enc = cipher->algorithm_enc; - alg_mac = cipher->algorithm_mac; - alg_ssl = cipher->algorithm_ssl; - - alg2 = cipher->algorithm2; - - if (alg_ssl & SSL_SSLV3) - ver = "SSLv3"; - else if (alg_ssl & SSL_TLSV1_2) - ver = "TLSv1.2"; - else - ver = "unknown"; - - switch (alg_mkey) { - case SSL_kRSA: - kx = "RSA"; - break; - case SSL_kDHE: - kx = "DH"; - break; - case SSL_kECDHr: - kx = "ECDH/RSA"; - break; - case SSL_kECDHe: - kx = "ECDH/ECDSA"; - break; - case SSL_kECDHE: - kx = "ECDH"; - break; - case SSL_kGOST: - kx = "GOST"; - break; - default: - kx = "unknown"; - } - - switch (alg_auth) { - case SSL_aRSA: - au = "RSA"; - break; - case SSL_aDSS: - au = "DSS"; - break; - case SSL_aECDH: - au = "ECDH"; - break; - case SSL_aNULL: - au = "None"; - break; - case SSL_aECDSA: - au = "ECDSA"; - break; - case SSL_aGOST01: - au = "GOST01"; - break; - default: - au = "unknown"; - break; - } - - switch (alg_enc) { - case SSL_DES: - enc = "DES(56)"; - break; - case SSL_3DES: - enc = "3DES(168)"; - break; - case SSL_RC4: - enc = alg2 & SSL2_CF_8_BYTE_ENC ? "RC4(64)" : "RC4(128)"; - break; - case SSL_IDEA: - enc = "IDEA(128)"; - break; - case SSL_eNULL: - enc = "None"; - break; - case SSL_AES128: - enc = "AES(128)"; - break; - case SSL_AES256: - enc = "AES(256)"; - break; - case SSL_AES128GCM: - enc = "AESGCM(128)"; - break; - case SSL_AES256GCM: - enc = "AESGCM(256)"; - break; - case SSL_CAMELLIA128: - enc = "Camellia(128)"; - break; - case SSL_CAMELLIA256: - enc = "Camellia(256)"; - break; - case SSL_CHACHA20POLY1305: - enc = "ChaCha20-Poly1305"; - break; - case SSL_CHACHA20POLY1305_OLD: - enc = "ChaCha20-Poly1305-Old"; - break; - case SSL_eGOST2814789CNT: - enc = "GOST-28178-89-CNT"; - break; - default: - enc = "unknown"; - break; - } - - switch (alg_mac) { - case SSL_MD5: - mac = "MD5"; - break; - case SSL_SHA1: - mac = "SHA1"; - break; - case SSL_SHA256: - mac = "SHA256"; - break; - case SSL_SHA384: - mac = "SHA384"; - break; - case SSL_AEAD: - mac = "AEAD"; - break; - case SSL_GOST94: - mac = "GOST94"; - break; - case SSL_GOST89MAC: - mac = "GOST89IMIT"; - break; - case SSL_STREEBOG256: - mac = "STREEBOG256"; - break; - case SSL_STREEBOG512: - mac = "STREEBOG512"; - break; - default: - mac = "unknown"; - break; - } - - if (asprintf(&ret, "%-23s %s Kx=%-8s Au=%-4s Enc=%-9s Mac=%-4s\n", - cipher->name, ver, kx, au, enc, mac) == -1) - return "OPENSSL_malloc Error"; - - if (buf != NULL) { - l = strlcpy(buf, ret, len); - free(ret); - ret = buf; - if (l >= len) - ret = "Buffer too small"; - } - - return (ret); -} - -char * -SSL_CIPHER_get_version(const SSL_CIPHER *c) -{ - if (c == NULL) - return("(NONE)"); - if ((c->id >> 24) == 3) - return("TLSv1/SSLv3"); - else - return("unknown"); -} - -/* return the actual cipher being used */ -const char * -SSL_CIPHER_get_name(const SSL_CIPHER *c) -{ - if (c != NULL) - return (c->name); - return("(NONE)"); -} - -/* number of bits for symmetric cipher */ -int -SSL_CIPHER_get_bits(const SSL_CIPHER *c, int *alg_bits) -{ - int ret = 0; - - if (c != NULL) { - if (alg_bits != NULL) - *alg_bits = c->alg_bits; - ret = c->strength_bits; - } - return (ret); -} - -unsigned long -SSL_CIPHER_get_id(const SSL_CIPHER *c) -{ - return c->id; -} - -uint16_t -SSL_CIPHER_get_value(const SSL_CIPHER *c) -{ - return ssl3_cipher_get_value(c); -} - -void * -SSL_COMP_get_compression_methods(void) -{ - return NULL; -} - -int -SSL_COMP_add_compression_method(int id, void *cm) -{ - return 1; -} - -const char * -SSL_COMP_get_name(const void *comp) -{ - return NULL; -} diff --git a/lib/libssl/src/ssl/ssl_err.c b/lib/libssl/src/ssl/ssl_err.c deleted file mode 100644 index 04742b60ca2..00000000000 --- a/lib/libssl/src/ssl/ssl_err.c +++ /dev/null @@ -1,615 +0,0 @@ -/* $OpenBSD: ssl_err.c,v 1.29 2015/02/22 15:54:27 jsing Exp $ */ -/* ==================================================================== - * Copyright (c) 1999-2011 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * openssl-core@OpenSSL.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ - -/* NOTE: this file was auto generated by the mkerr.pl script: any changes - * made to it will be overwritten when the script next updates this file, - * only reason strings will be preserved. - */ - -#include <stdio.h> - -#include <openssl/err.h> -#include <openssl/ssl.h> - -/* BEGIN ERROR CODES */ -#ifndef OPENSSL_NO_ERR - -#define ERR_FUNC(func) ERR_PACK(ERR_LIB_SSL,func,0) -#define ERR_REASON(reason) ERR_PACK(ERR_LIB_SSL,0,reason) - -static ERR_STRING_DATA SSL_str_functs[]= { - {ERR_FUNC(SSL_F_CLIENT_CERTIFICATE), "CLIENT_CERTIFICATE"}, - {ERR_FUNC(SSL_F_CLIENT_FINISHED), "CLIENT_FINISHED"}, - {ERR_FUNC(SSL_F_CLIENT_HELLO), "CLIENT_HELLO"}, - {ERR_FUNC(SSL_F_CLIENT_MASTER_KEY), "CLIENT_MASTER_KEY"}, - {ERR_FUNC(SSL_F_D2I_SSL_SESSION), "d2i_SSL_SESSION"}, - {ERR_FUNC(SSL_F_DO_DTLS1_WRITE), "DO_DTLS1_WRITE"}, - {ERR_FUNC(SSL_F_DO_SSL3_WRITE), "DO_SSL3_WRITE"}, - {ERR_FUNC(SSL_F_DTLS1_ACCEPT), "DTLS1_ACCEPT"}, - {ERR_FUNC(SSL_F_DTLS1_ADD_CERT_TO_BUF), "DTLS1_ADD_CERT_TO_BUF"}, - {ERR_FUNC(SSL_F_DTLS1_BUFFER_RECORD), "DTLS1_BUFFER_RECORD"}, - {ERR_FUNC(SSL_F_DTLS1_CHECK_TIMEOUT_NUM), "DTLS1_CHECK_TIMEOUT_NUM"}, - {ERR_FUNC(SSL_F_DTLS1_CLIENT_HELLO), "DTLS1_CLIENT_HELLO"}, - {ERR_FUNC(SSL_F_DTLS1_CONNECT), "DTLS1_CONNECT"}, - {ERR_FUNC(SSL_F_DTLS1_ENC), "DTLS1_ENC"}, - {ERR_FUNC(SSL_F_DTLS1_GET_HELLO_VERIFY), "DTLS1_GET_HELLO_VERIFY"}, - {ERR_FUNC(SSL_F_DTLS1_GET_MESSAGE), "DTLS1_GET_MESSAGE"}, - {ERR_FUNC(SSL_F_DTLS1_GET_MESSAGE_FRAGMENT), "DTLS1_GET_MESSAGE_FRAGMENT"}, - {ERR_FUNC(SSL_F_DTLS1_GET_RECORD), "DTLS1_GET_RECORD"}, - {ERR_FUNC(SSL_F_DTLS1_HANDLE_TIMEOUT), "DTLS1_HANDLE_TIMEOUT"}, - {ERR_FUNC(SSL_F_DTLS1_HEARTBEAT), "DTLS1_HEARTBEAT"}, - {ERR_FUNC(SSL_F_DTLS1_OUTPUT_CERT_CHAIN), "DTLS1_OUTPUT_CERT_CHAIN"}, - {ERR_FUNC(SSL_F_DTLS1_PREPROCESS_FRAGMENT), "DTLS1_PREPROCESS_FRAGMENT"}, - {ERR_FUNC(SSL_F_DTLS1_PROCESS_OUT_OF_SEQ_MESSAGE), "DTLS1_PROCESS_OUT_OF_SEQ_MESSAGE"}, - {ERR_FUNC(SSL_F_DTLS1_PROCESS_RECORD), "DTLS1_PROCESS_RECORD"}, - {ERR_FUNC(SSL_F_DTLS1_READ_BYTES), "DTLS1_READ_BYTES"}, - {ERR_FUNC(SSL_F_DTLS1_READ_FAILED), "DTLS1_READ_FAILED"}, - {ERR_FUNC(SSL_F_DTLS1_SEND_CERTIFICATE_REQUEST), "DTLS1_SEND_CERTIFICATE_REQUEST"}, - {ERR_FUNC(SSL_F_DTLS1_SEND_CLIENT_CERTIFICATE), "DTLS1_SEND_CLIENT_CERTIFICATE"}, - {ERR_FUNC(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE), "DTLS1_SEND_CLIENT_KEY_EXCHANGE"}, - {ERR_FUNC(SSL_F_DTLS1_SEND_CLIENT_VERIFY), "DTLS1_SEND_CLIENT_VERIFY"}, - {ERR_FUNC(SSL_F_DTLS1_SEND_HELLO_VERIFY_REQUEST), "DTLS1_SEND_HELLO_VERIFY_REQUEST"}, - {ERR_FUNC(SSL_F_DTLS1_SEND_SERVER_CERTIFICATE), "DTLS1_SEND_SERVER_CERTIFICATE"}, - {ERR_FUNC(SSL_F_DTLS1_SEND_SERVER_HELLO), "DTLS1_SEND_SERVER_HELLO"}, - {ERR_FUNC(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE), "DTLS1_SEND_SERVER_KEY_EXCHANGE"}, - {ERR_FUNC(SSL_F_DTLS1_WRITE_APP_DATA_BYTES), "DTLS1_WRITE_APP_DATA_BYTES"}, - {ERR_FUNC(SSL_F_GET_CLIENT_FINISHED), "GET_CLIENT_FINISHED"}, - {ERR_FUNC(SSL_F_GET_CLIENT_HELLO), "GET_CLIENT_HELLO"}, - {ERR_FUNC(SSL_F_GET_CLIENT_MASTER_KEY), "GET_CLIENT_MASTER_KEY"}, - {ERR_FUNC(SSL_F_GET_SERVER_FINISHED), "GET_SERVER_FINISHED"}, - {ERR_FUNC(SSL_F_GET_SERVER_HELLO), "GET_SERVER_HELLO"}, - {ERR_FUNC(SSL_F_GET_SERVER_VERIFY), "GET_SERVER_VERIFY"}, - {ERR_FUNC(SSL_F_I2D_SSL_SESSION), "i2d_SSL_SESSION"}, - {ERR_FUNC(SSL_F_READ_N), "READ_N"}, - {ERR_FUNC(SSL_F_REQUEST_CERTIFICATE), "REQUEST_CERTIFICATE"}, - {ERR_FUNC(SSL_F_SERVER_FINISH), "SERVER_FINISH"}, - {ERR_FUNC(SSL_F_SERVER_HELLO), "SERVER_HELLO"}, - {ERR_FUNC(SSL_F_SERVER_VERIFY), "SERVER_VERIFY"}, - {ERR_FUNC(SSL_F_SSL23_ACCEPT), "SSL23_ACCEPT"}, - {ERR_FUNC(SSL_F_SSL23_CLIENT_HELLO), "SSL23_CLIENT_HELLO"}, - {ERR_FUNC(SSL_F_SSL23_CONNECT), "SSL23_CONNECT"}, - {ERR_FUNC(SSL_F_SSL23_GET_CLIENT_HELLO), "SSL23_GET_CLIENT_HELLO"}, - {ERR_FUNC(SSL_F_SSL23_GET_SERVER_HELLO), "SSL23_GET_SERVER_HELLO"}, - {ERR_FUNC(SSL_F_SSL23_PEEK), "SSL23_PEEK"}, - {ERR_FUNC(SSL_F_SSL23_READ), "SSL23_READ"}, - {ERR_FUNC(SSL_F_SSL23_WRITE), "SSL23_WRITE"}, - {ERR_FUNC(SSL_F_SSL2_ACCEPT), "SSL2_ACCEPT"}, - {ERR_FUNC(SSL_F_SSL2_CONNECT), "SSL2_CONNECT"}, - {ERR_FUNC(SSL_F_SSL2_ENC_INIT), "SSL2_ENC_INIT"}, - {ERR_FUNC(SSL_F_SSL2_GENERATE_KEY_MATERIAL), "SSL2_GENERATE_KEY_MATERIAL"}, - {ERR_FUNC(SSL_F_SSL2_PEEK), "SSL2_PEEK"}, - {ERR_FUNC(SSL_F_SSL2_READ), "SSL2_READ"}, - {ERR_FUNC(SSL_F_SSL2_READ_INTERNAL), "SSL2_READ_INTERNAL"}, - {ERR_FUNC(SSL_F_SSL2_SET_CERTIFICATE), "SSL2_SET_CERTIFICATE"}, - {ERR_FUNC(SSL_F_SSL2_WRITE), "SSL2_WRITE"}, - {ERR_FUNC(SSL_F_SSL3_ACCEPT), "SSL3_ACCEPT"}, - {ERR_FUNC(SSL_F_SSL3_ADD_CERT_TO_BUF), "SSL3_ADD_CERT_TO_BUF"}, - {ERR_FUNC(SSL_F_SSL3_CALLBACK_CTRL), "SSL3_CALLBACK_CTRL"}, - {ERR_FUNC(SSL_F_SSL3_CHANGE_CIPHER_STATE), "SSL3_CHANGE_CIPHER_STATE"}, - {ERR_FUNC(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM), "SSL3_CHECK_CERT_AND_ALGORITHM"}, - {ERR_FUNC(SSL_F_SSL3_CHECK_CLIENT_HELLO), "SSL3_CHECK_CLIENT_HELLO"}, - {ERR_FUNC(SSL_F_SSL3_CLIENT_HELLO), "SSL3_CLIENT_HELLO"}, - {ERR_FUNC(SSL_F_SSL3_CONNECT), "SSL3_CONNECT"}, - {ERR_FUNC(SSL_F_SSL3_CTRL), "SSL3_CTRL"}, - {ERR_FUNC(SSL_F_SSL3_CTX_CTRL), "SSL3_CTX_CTRL"}, - {ERR_FUNC(SSL_F_SSL3_DIGEST_CACHED_RECORDS), "SSL3_DIGEST_CACHED_RECORDS"}, - {ERR_FUNC(SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC), "SSL3_DO_CHANGE_CIPHER_SPEC"}, - {ERR_FUNC(SSL_F_SSL3_ENC), "SSL3_ENC"}, - {ERR_FUNC(SSL_F_SSL3_GENERATE_KEY_BLOCK), "SSL3_GENERATE_KEY_BLOCK"}, - {ERR_FUNC(SSL_F_SSL3_GET_CERTIFICATE_REQUEST), "SSL3_GET_CERTIFICATE_REQUEST"}, - {ERR_FUNC(SSL_F_SSL3_GET_CERT_STATUS), "SSL3_GET_CERT_STATUS"}, - {ERR_FUNC(SSL_F_SSL3_GET_CERT_VERIFY), "SSL3_GET_CERT_VERIFY"}, - {ERR_FUNC(SSL_F_SSL3_GET_CLIENT_CERTIFICATE), "SSL3_GET_CLIENT_CERTIFICATE"}, - {ERR_FUNC(SSL_F_SSL3_GET_CLIENT_HELLO), "SSL3_GET_CLIENT_HELLO"}, - {ERR_FUNC(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE), "SSL3_GET_CLIENT_KEY_EXCHANGE"}, - {ERR_FUNC(SSL_F_SSL3_GET_FINISHED), "SSL3_GET_FINISHED"}, - {ERR_FUNC(SSL_F_SSL3_GET_KEY_EXCHANGE), "SSL3_GET_KEY_EXCHANGE"}, - {ERR_FUNC(SSL_F_SSL3_GET_MESSAGE), "SSL3_GET_MESSAGE"}, - {ERR_FUNC(SSL_F_SSL3_GET_NEW_SESSION_TICKET), "SSL3_GET_NEW_SESSION_TICKET"}, - {ERR_FUNC(SSL_F_SSL3_GET_NEXT_PROTO), "SSL3_GET_NEXT_PROTO"}, - {ERR_FUNC(SSL_F_SSL3_GET_RECORD), "SSL3_GET_RECORD"}, - {ERR_FUNC(SSL_F_SSL3_GET_SERVER_CERTIFICATE), "SSL3_GET_SERVER_CERTIFICATE"}, - {ERR_FUNC(SSL_F_SSL3_GET_SERVER_DONE), "SSL3_GET_SERVER_DONE"}, - {ERR_FUNC(SSL_F_SSL3_GET_SERVER_HELLO), "SSL3_GET_SERVER_HELLO"}, - {ERR_FUNC(SSL_F_SSL3_HANDSHAKE_MAC), "ssl3_handshake_mac"}, - {ERR_FUNC(SSL_F_SSL3_NEW_SESSION_TICKET), "SSL3_NEW_SESSION_TICKET"}, - {ERR_FUNC(SSL_F_SSL3_OUTPUT_CERT_CHAIN), "SSL3_OUTPUT_CERT_CHAIN"}, - {ERR_FUNC(SSL_F_SSL3_PEEK), "SSL3_PEEK"}, - {ERR_FUNC(SSL_F_SSL3_READ_BYTES), "SSL3_READ_BYTES"}, - {ERR_FUNC(SSL_F_SSL3_READ_N), "SSL3_READ_N"}, - {ERR_FUNC(SSL_F_SSL3_SEND_CERTIFICATE_REQUEST), "SSL3_SEND_CERTIFICATE_REQUEST"}, - {ERR_FUNC(SSL_F_SSL3_SEND_CLIENT_CERTIFICATE), "SSL3_SEND_CLIENT_CERTIFICATE"}, - {ERR_FUNC(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE), "SSL3_SEND_CLIENT_KEY_EXCHANGE"}, - {ERR_FUNC(SSL_F_SSL3_SEND_CLIENT_VERIFY), "SSL3_SEND_CLIENT_VERIFY"}, - {ERR_FUNC(SSL_F_SSL3_SEND_SERVER_CERTIFICATE), "SSL3_SEND_SERVER_CERTIFICATE"}, - {ERR_FUNC(SSL_F_SSL3_SEND_SERVER_HELLO), "SSL3_SEND_SERVER_HELLO"}, - {ERR_FUNC(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE), "SSL3_SEND_SERVER_KEY_EXCHANGE"}, - {ERR_FUNC(SSL_F_SSL3_SETUP_KEY_BLOCK), "SSL3_SETUP_KEY_BLOCK"}, - {ERR_FUNC(SSL_F_SSL3_SETUP_READ_BUFFER), "SSL3_SETUP_READ_BUFFER"}, - {ERR_FUNC(SSL_F_SSL3_SETUP_WRITE_BUFFER), "SSL3_SETUP_WRITE_BUFFER"}, - {ERR_FUNC(SSL_F_SSL3_WRITE_BYTES), "SSL3_WRITE_BYTES"}, - {ERR_FUNC(SSL_F_SSL3_WRITE_PENDING), "SSL3_WRITE_PENDING"}, - {ERR_FUNC(SSL_F_SSL_ADD_CLIENTHELLO_RENEGOTIATE_EXT), "SSL_ADD_CLIENTHELLO_RENEGOTIATE_EXT"}, - {ERR_FUNC(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT), "SSL_ADD_CLIENTHELLO_TLSEXT"}, - {ERR_FUNC(SSL_F_SSL_ADD_CLIENTHELLO_USE_SRTP_EXT), "SSL_ADD_CLIENTHELLO_USE_SRTP_EXT"}, - {ERR_FUNC(SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK), "SSL_add_dir_cert_subjects_to_stack"}, - {ERR_FUNC(SSL_F_SSL_ADD_FILE_CERT_SUBJECTS_TO_STACK), "SSL_add_file_cert_subjects_to_stack"}, - {ERR_FUNC(SSL_F_SSL_ADD_SERVERHELLO_RENEGOTIATE_EXT), "SSL_ADD_SERVERHELLO_RENEGOTIATE_EXT"}, - {ERR_FUNC(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT), "SSL_ADD_SERVERHELLO_TLSEXT"}, - {ERR_FUNC(SSL_F_SSL_ADD_SERVERHELLO_USE_SRTP_EXT), "SSL_ADD_SERVERHELLO_USE_SRTP_EXT"}, - {ERR_FUNC(SSL_F_SSL_BAD_METHOD), "SSL_BAD_METHOD"}, - {ERR_FUNC(SSL_F_SSL_BYTES_TO_CIPHER_LIST), "SSL_BYTES_TO_CIPHER_LIST"}, - {ERR_FUNC(SSL_F_SSL_CERT_DUP), "SSL_CERT_DUP"}, - {ERR_FUNC(SSL_F_SSL_CERT_INST), "SSL_CERT_INST"}, - {ERR_FUNC(SSL_F_SSL_CERT_INSTANTIATE), "SSL_CERT_INSTANTIATE"}, - {ERR_FUNC(SSL_F_SSL_CERT_NEW), "SSL_CERT_NEW"}, - {ERR_FUNC(SSL_F_SSL_CHECK_PRIVATE_KEY), "SSL_check_private_key"}, - {ERR_FUNC(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT), "SSL_CHECK_SERVERHELLO_TLSEXT"}, - {ERR_FUNC(SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG), "SSL_CHECK_SRVR_ECC_CERT_AND_ALG"}, - {ERR_FUNC(SSL_F_SSL_CIPHER_PROCESS_RULESTR), "SSL_CIPHER_PROCESS_RULESTR"}, - {ERR_FUNC(SSL_F_SSL_CIPHER_STRENGTH_SORT), "SSL_CIPHER_STRENGTH_SORT"}, - {ERR_FUNC(SSL_F_SSL_CLEAR), "SSL_clear"}, - {ERR_FUNC(SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD), "SSL_COMP_add_compression_method"}, - {ERR_FUNC(SSL_F_SSL_CREATE_CIPHER_LIST), "SSL_CREATE_CIPHER_LIST"}, - {ERR_FUNC(SSL_F_SSL_CTRL), "SSL_ctrl"}, - {ERR_FUNC(SSL_F_SSL_CTX_CHECK_PRIVATE_KEY), "SSL_CTX_check_private_key"}, - {ERR_FUNC(SSL_F_SSL_CTX_MAKE_PROFILES), "SSL_CTX_MAKE_PROFILES"}, - {ERR_FUNC(SSL_F_SSL_CTX_NEW), "SSL_CTX_new"}, - {ERR_FUNC(SSL_F_SSL_CTX_SET_CIPHER_LIST), "SSL_CTX_set_cipher_list"}, - {ERR_FUNC(SSL_F_SSL_CTX_SET_CLIENT_CERT_ENGINE), "SSL_CTX_set_client_cert_engine"}, - {ERR_FUNC(SSL_F_SSL_CTX_SET_PURPOSE), "SSL_CTX_set_purpose"}, - {ERR_FUNC(SSL_F_SSL_CTX_SET_SESSION_ID_CONTEXT), "SSL_CTX_set_session_id_context"}, - {ERR_FUNC(SSL_F_SSL_CTX_SET_SSL_VERSION), "SSL_CTX_set_ssl_version"}, - {ERR_FUNC(SSL_F_SSL_CTX_SET_TRUST), "SSL_CTX_set_trust"}, - {ERR_FUNC(SSL_F_SSL_CTX_USE_CERTIFICATE), "SSL_CTX_use_certificate"}, - {ERR_FUNC(SSL_F_SSL_CTX_USE_CERTIFICATE_ASN1), "SSL_CTX_use_certificate_ASN1"}, - {ERR_FUNC(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE), "SSL_CTX_use_certificate_chain_file"}, - {ERR_FUNC(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE), "SSL_CTX_use_certificate_file"}, - {ERR_FUNC(SSL_F_SSL_CTX_USE_PRIVATEKEY), "SSL_CTX_use_PrivateKey"}, - {ERR_FUNC(SSL_F_SSL_CTX_USE_PRIVATEKEY_ASN1), "SSL_CTX_use_PrivateKey_ASN1"}, - {ERR_FUNC(SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE), "SSL_CTX_use_PrivateKey_file"}, - {ERR_FUNC(SSL_F_SSL_CTX_USE_PSK_IDENTITY_HINT), "SSL_CTX_use_psk_identity_hint"}, - {ERR_FUNC(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY), "SSL_CTX_use_RSAPrivateKey"}, - {ERR_FUNC(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_ASN1), "SSL_CTX_use_RSAPrivateKey_ASN1"}, - {ERR_FUNC(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE), "SSL_CTX_use_RSAPrivateKey_file"}, - {ERR_FUNC(SSL_F_SSL_DO_HANDSHAKE), "SSL_do_handshake"}, - {ERR_FUNC(SSL_F_SSL_GET_NEW_SESSION), "SSL_GET_NEW_SESSION"}, - {ERR_FUNC(SSL_F_SSL_GET_PREV_SESSION), "SSL_GET_PREV_SESSION"}, - {ERR_FUNC(SSL_F_SSL_GET_SERVER_SEND_CERT), "SSL_GET_SERVER_SEND_CERT"}, - {ERR_FUNC(SSL_F_SSL_GET_SERVER_SEND_PKEY), "SSL_GET_SERVER_SEND_PKEY"}, - {ERR_FUNC(SSL_F_SSL_GET_SIGN_PKEY), "SSL_GET_SIGN_PKEY"}, - {ERR_FUNC(SSL_F_SSL_INIT_WBIO_BUFFER), "SSL_INIT_WBIO_BUFFER"}, - {ERR_FUNC(SSL_F_SSL_LOAD_CLIENT_CA_FILE), "SSL_load_client_CA_file"}, - {ERR_FUNC(SSL_F_SSL_NEW), "SSL_new"}, - {ERR_FUNC(SSL_F_SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT), "SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT"}, - {ERR_FUNC(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT), "SSL_PARSE_CLIENTHELLO_TLSEXT"}, - {ERR_FUNC(SSL_F_SSL_PARSE_CLIENTHELLO_USE_SRTP_EXT), "SSL_PARSE_CLIENTHELLO_USE_SRTP_EXT"}, - {ERR_FUNC(SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT), "SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT"}, - {ERR_FUNC(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT), "SSL_PARSE_SERVERHELLO_TLSEXT"}, - {ERR_FUNC(SSL_F_SSL_PARSE_SERVERHELLO_USE_SRTP_EXT), "SSL_PARSE_SERVERHELLO_USE_SRTP_EXT"}, - {ERR_FUNC(SSL_F_SSL_PEEK), "SSL_peek"}, - {ERR_FUNC(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT), "SSL_PREPARE_CLIENTHELLO_TLSEXT"}, - {ERR_FUNC(SSL_F_SSL_PREPARE_SERVERHELLO_TLSEXT), "SSL_PREPARE_SERVERHELLO_TLSEXT"}, - {ERR_FUNC(SSL_F_SSL_READ), "SSL_read"}, - {ERR_FUNC(SSL_F_SSL_RSA_PRIVATE_DECRYPT), "SSL_RSA_PRIVATE_DECRYPT"}, - {ERR_FUNC(SSL_F_SSL_RSA_PUBLIC_ENCRYPT), "SSL_RSA_PUBLIC_ENCRYPT"}, - {ERR_FUNC(SSL_F_SSL_SESSION_NEW), "SSL_SESSION_new"}, - {ERR_FUNC(SSL_F_SSL_SESSION_PRINT_FP), "SSL_SESSION_print_fp"}, - {ERR_FUNC(SSL_F_SSL_SESSION_SET1_ID_CONTEXT), "SSL_SESSION_set1_id_context"}, - {ERR_FUNC(SSL_F_SSL_SESS_CERT_NEW), "SSL_SESS_CERT_NEW"}, - {ERR_FUNC(SSL_F_SSL_SET_CERT), "SSL_SET_CERT"}, - {ERR_FUNC(SSL_F_SSL_SET_CIPHER_LIST), "SSL_set_cipher_list"}, - {ERR_FUNC(SSL_F_SSL_SET_FD), "SSL_set_fd"}, - {ERR_FUNC(SSL_F_SSL_SET_PKEY), "SSL_SET_PKEY"}, - {ERR_FUNC(SSL_F_SSL_SET_PURPOSE), "SSL_set_purpose"}, - {ERR_FUNC(SSL_F_SSL_SET_RFD), "SSL_set_rfd"}, - {ERR_FUNC(SSL_F_SSL_SET_SESSION), "SSL_set_session"}, - {ERR_FUNC(SSL_F_SSL_SET_SESSION_ID_CONTEXT), "SSL_set_session_id_context"}, - {ERR_FUNC(SSL_F_SSL_SET_SESSION_TICKET_EXT), "SSL_set_session_ticket_ext"}, - {ERR_FUNC(SSL_F_SSL_SET_TRUST), "SSL_set_trust"}, - {ERR_FUNC(SSL_F_SSL_SET_WFD), "SSL_set_wfd"}, - {ERR_FUNC(SSL_F_SSL_SHUTDOWN), "SSL_shutdown"}, - {ERR_FUNC(SSL_F_SSL_SRP_CTX_INIT), "SSL_SRP_CTX_init"}, - {ERR_FUNC(SSL_F_SSL_UNDEFINED_CONST_FUNCTION), "SSL_UNDEFINED_CONST_FUNCTION"}, - {ERR_FUNC(SSL_F_SSL_UNDEFINED_FUNCTION), "SSL_UNDEFINED_FUNCTION"}, - {ERR_FUNC(SSL_F_SSL_UNDEFINED_VOID_FUNCTION), "SSL_UNDEFINED_VOID_FUNCTION"}, - {ERR_FUNC(SSL_F_SSL_USE_CERTIFICATE), "SSL_use_certificate"}, - {ERR_FUNC(SSL_F_SSL_USE_CERTIFICATE_ASN1), "SSL_use_certificate_ASN1"}, - {ERR_FUNC(SSL_F_SSL_USE_CERTIFICATE_FILE), "SSL_use_certificate_file"}, - {ERR_FUNC(SSL_F_SSL_USE_PRIVATEKEY), "SSL_use_PrivateKey"}, - {ERR_FUNC(SSL_F_SSL_USE_PRIVATEKEY_ASN1), "SSL_use_PrivateKey_ASN1"}, - {ERR_FUNC(SSL_F_SSL_USE_PRIVATEKEY_FILE), "SSL_use_PrivateKey_file"}, - {ERR_FUNC(SSL_F_SSL_USE_PSK_IDENTITY_HINT), "SSL_use_psk_identity_hint"}, - {ERR_FUNC(SSL_F_SSL_USE_RSAPRIVATEKEY), "SSL_use_RSAPrivateKey"}, - {ERR_FUNC(SSL_F_SSL_USE_RSAPRIVATEKEY_ASN1), "SSL_use_RSAPrivateKey_ASN1"}, - {ERR_FUNC(SSL_F_SSL_USE_RSAPRIVATEKEY_FILE), "SSL_use_RSAPrivateKey_file"}, - {ERR_FUNC(SSL_F_SSL_VERIFY_CERT_CHAIN), "SSL_VERIFY_CERT_CHAIN"}, - {ERR_FUNC(SSL_F_SSL_WRITE), "SSL_write"}, - {ERR_FUNC(SSL_F_TLS1_AEAD_CTX_INIT), "TLS1_AEAD_CTX_INIT"}, - {ERR_FUNC(SSL_F_TLS1_CERT_VERIFY_MAC), "tls1_cert_verify_mac"}, - {ERR_FUNC(SSL_F_TLS1_CHANGE_CIPHER_STATE), "TLS1_CHANGE_CIPHER_STATE"}, - {ERR_FUNC(SSL_F_TLS1_CHANGE_CIPHER_STATE_AEAD), "TLS1_CHANGE_CIPHER_STATE_AEAD"}, - {ERR_FUNC(SSL_F_TLS1_CHANGE_CIPHER_STATE_CIPHER), "TLS1_CHANGE_CIPHER_STATE_CIPHER"}, - {ERR_FUNC(SSL_F_TLS1_CHECK_SERVERHELLO_TLSEXT), "TLS1_CHECK_SERVERHELLO_TLSEXT"}, - {ERR_FUNC(SSL_F_TLS1_ENC), "TLS1_ENC"}, - {ERR_FUNC(SSL_F_TLS1_EXPORT_KEYING_MATERIAL), "TLS1_EXPORT_KEYING_MATERIAL"}, - {ERR_FUNC(SSL_F_TLS1_HEARTBEAT), "SSL_F_TLS1_HEARTBEAT"}, - {ERR_FUNC(SSL_F_TLS1_PREPARE_CLIENTHELLO_TLSEXT), "TLS1_PREPARE_CLIENTHELLO_TLSEXT"}, - {ERR_FUNC(SSL_F_TLS1_PREPARE_SERVERHELLO_TLSEXT), "TLS1_PREPARE_SERVERHELLO_TLSEXT"}, - {ERR_FUNC(SSL_F_TLS1_PRF), "tls1_prf"}, - {ERR_FUNC(SSL_F_TLS1_SETUP_KEY_BLOCK), "TLS1_SETUP_KEY_BLOCK"}, - {ERR_FUNC(SSL_F_WRITE_PENDING), "WRITE_PENDING"}, - {0, NULL} -}; - -static ERR_STRING_DATA SSL_str_reasons[]= { - {ERR_REASON(SSL_R_APP_DATA_IN_HANDSHAKE) , "app data in handshake"}, - {ERR_REASON(SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT), "attempt to reuse session in different context"}, - {ERR_REASON(SSL_R_BAD_ALERT_RECORD) , "bad alert record"}, - {ERR_REASON(SSL_R_BAD_AUTHENTICATION_TYPE), "bad authentication type"}, - {ERR_REASON(SSL_R_BAD_CHANGE_CIPHER_SPEC), "bad change cipher spec"}, - {ERR_REASON(SSL_R_BAD_CHECKSUM) , "bad checksum"}, - {ERR_REASON(SSL_R_BAD_DATA_RETURNED_BY_CALLBACK), "bad data returned by callback"}, - {ERR_REASON(SSL_R_BAD_DECOMPRESSION) , "bad decompression"}, - {ERR_REASON(SSL_R_BAD_DH_G_LENGTH) , "bad dh g length"}, - {ERR_REASON(SSL_R_BAD_DH_PUB_KEY_LENGTH) , "bad dh pub key length"}, - {ERR_REASON(SSL_R_BAD_DH_P_LENGTH) , "bad dh p length"}, - {ERR_REASON(SSL_R_BAD_DIGEST_LENGTH) , "bad digest length"}, - {ERR_REASON(SSL_R_BAD_DSA_SIGNATURE) , "bad dsa signature"}, - {ERR_REASON(SSL_R_BAD_ECC_CERT) , "bad ecc cert"}, - {ERR_REASON(SSL_R_BAD_ECDSA_SIGNATURE) , "bad ecdsa signature"}, - {ERR_REASON(SSL_R_BAD_ECPOINT) , "bad ecpoint"}, - {ERR_REASON(SSL_R_BAD_HANDSHAKE_LENGTH) , "bad handshake length"}, - {ERR_REASON(SSL_R_BAD_HELLO_REQUEST) , "bad hello request"}, - {ERR_REASON(SSL_R_BAD_LENGTH) , "bad length"}, - {ERR_REASON(SSL_R_BAD_MAC_DECODE) , "bad mac decode"}, - {ERR_REASON(SSL_R_BAD_MAC_LENGTH) , "bad mac length"}, - {ERR_REASON(SSL_R_BAD_MESSAGE_TYPE) , "bad message type"}, - {ERR_REASON(SSL_R_BAD_PACKET_LENGTH) , "bad packet length"}, - {ERR_REASON(SSL_R_BAD_PROTOCOL_VERSION_NUMBER), "bad protocol version number"}, - {ERR_REASON(SSL_R_BAD_PSK_IDENTITY_HINT_LENGTH), "bad psk identity hint length"}, - {ERR_REASON(SSL_R_BAD_RESPONSE_ARGUMENT) , "bad response argument"}, - {ERR_REASON(SSL_R_BAD_RSA_DECRYPT) , "bad rsa decrypt"}, - {ERR_REASON(SSL_R_BAD_RSA_ENCRYPT) , "bad rsa encrypt"}, - {ERR_REASON(SSL_R_BAD_RSA_E_LENGTH) , "bad rsa e length"}, - {ERR_REASON(SSL_R_BAD_RSA_MODULUS_LENGTH), "bad rsa modulus length"}, - {ERR_REASON(SSL_R_BAD_RSA_SIGNATURE) , "bad rsa signature"}, - {ERR_REASON(SSL_R_BAD_SIGNATURE) , "bad signature"}, - {ERR_REASON(SSL_R_BAD_SRP_A_LENGTH) , "bad srp a length"}, - {ERR_REASON(SSL_R_BAD_SRP_B_LENGTH) , "bad srp b length"}, - {ERR_REASON(SSL_R_BAD_SRP_G_LENGTH) , "bad srp g length"}, - {ERR_REASON(SSL_R_BAD_SRP_N_LENGTH) , "bad srp n length"}, - {ERR_REASON(SSL_R_BAD_SRP_S_LENGTH) , "bad srp s length"}, - {ERR_REASON(SSL_R_BAD_SRTP_MKI_VALUE) , "bad srtp mki value"}, - {ERR_REASON(SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST), "bad srtp protection profile list"}, - {ERR_REASON(SSL_R_BAD_SSL_FILETYPE) , "bad ssl filetype"}, - {ERR_REASON(SSL_R_BAD_SSL_SESSION_ID_LENGTH), "bad ssl session id length"}, - {ERR_REASON(SSL_R_BAD_STATE) , "bad state"}, - {ERR_REASON(SSL_R_BAD_WRITE_RETRY) , "bad write retry"}, - {ERR_REASON(SSL_R_BIO_NOT_SET) , "bio not set"}, - {ERR_REASON(SSL_R_BLOCK_CIPHER_PAD_IS_WRONG), "block cipher pad is wrong"}, - {ERR_REASON(SSL_R_BN_LIB) , "bn lib"}, - {ERR_REASON(SSL_R_CA_DN_LENGTH_MISMATCH) , "ca dn length mismatch"}, - {ERR_REASON(SSL_R_CA_DN_TOO_LONG) , "ca dn too long"}, - {ERR_REASON(SSL_R_CCS_RECEIVED_EARLY) , "ccs received early"}, - {ERR_REASON(SSL_R_CERTIFICATE_VERIFY_FAILED), "certificate verify failed"}, - {ERR_REASON(SSL_R_CERT_LENGTH_MISMATCH) , "cert length mismatch"}, - {ERR_REASON(SSL_R_CHALLENGE_IS_DIFFERENT), "challenge is different"}, - {ERR_REASON(SSL_R_CIPHER_CODE_WRONG_LENGTH), "cipher code wrong length"}, - {ERR_REASON(SSL_R_CIPHER_COMPRESSION_UNAVAILABLE), "cipher compression unavailable"}, - {ERR_REASON(SSL_R_CIPHER_OR_HASH_UNAVAILABLE), "cipher or hash unavailable"}, - {ERR_REASON(SSL_R_CIPHER_TABLE_SRC_ERROR), "cipher table src error"}, - {ERR_REASON(SSL_R_CLIENTHELLO_TLSEXT) , "clienthello tlsext"}, - {ERR_REASON(SSL_R_COMPRESSED_LENGTH_TOO_LONG), "compressed length too long"}, - {ERR_REASON(SSL_R_COMPRESSION_DISABLED) , "compression disabled"}, - {ERR_REASON(SSL_R_COMPRESSION_FAILURE) , "compression failure"}, - {ERR_REASON(SSL_R_COMPRESSION_ID_NOT_WITHIN_PRIVATE_RANGE), "compression id not within private range"}, - {ERR_REASON(SSL_R_COMPRESSION_LIBRARY_ERROR), "compression library error"}, - {ERR_REASON(SSL_R_CONNECTION_ID_IS_DIFFERENT), "connection id is different"}, - {ERR_REASON(SSL_R_CONNECTION_TYPE_NOT_SET), "connection type not set"}, - {ERR_REASON(SSL_R_COOKIE_MISMATCH) , "cookie mismatch"}, - {ERR_REASON(SSL_R_DATA_BETWEEN_CCS_AND_FINISHED), "data between ccs and finished"}, - {ERR_REASON(SSL_R_DATA_LENGTH_TOO_LONG) , "data length too long"}, - {ERR_REASON(SSL_R_DECRYPTION_FAILED) , "decryption failed"}, - {ERR_REASON(SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC), "decryption failed or bad record mac"}, - {ERR_REASON(SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG), "dh public value length is wrong"}, - {ERR_REASON(SSL_R_DIGEST_CHECK_FAILED) , "digest check failed"}, - {ERR_REASON(SSL_R_DTLS_MESSAGE_TOO_BIG) , "dtls message too big"}, - {ERR_REASON(SSL_R_DUPLICATE_COMPRESSION_ID), "duplicate compression id"}, - {ERR_REASON(SSL_R_ECC_CERT_NOT_FOR_KEY_AGREEMENT), "ecc cert not for key agreement"}, - {ERR_REASON(SSL_R_ECC_CERT_NOT_FOR_SIGNING), "ecc cert not for signing"}, - {ERR_REASON(SSL_R_ECC_CERT_SHOULD_HAVE_RSA_SIGNATURE), "ecc cert should have rsa signature"}, - {ERR_REASON(SSL_R_ECC_CERT_SHOULD_HAVE_SHA1_SIGNATURE), "ecc cert should have sha1 signature"}, - {ERR_REASON(SSL_R_ECGROUP_TOO_LARGE_FOR_CIPHER), "ecgroup too large for cipher"}, - {ERR_REASON(SSL_R_EMPTY_SRTP_PROTECTION_PROFILE_LIST), "empty srtp protection profile list"}, - {ERR_REASON(SSL_R_ENCRYPTED_LENGTH_TOO_LONG), "encrypted length too long"}, - {ERR_REASON(SSL_R_ERROR_GENERATING_TMP_RSA_KEY), "error generating tmp rsa key"}, - {ERR_REASON(SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST), "error in received cipher list"}, - {ERR_REASON(SSL_R_EXCESSIVE_MESSAGE_SIZE), "excessive message size"}, - {ERR_REASON(SSL_R_EXTRA_DATA_IN_MESSAGE) , "extra data in message"}, - {ERR_REASON(SSL_R_GOT_A_FIN_BEFORE_A_CCS), "got a fin before a ccs"}, - {ERR_REASON(SSL_R_GOT_NEXT_PROTO_BEFORE_A_CCS), "got next proto before a ccs"}, - {ERR_REASON(SSL_R_GOT_NEXT_PROTO_WITHOUT_EXTENSION), "got next proto without seeing extension"}, - {ERR_REASON(SSL_R_HTTPS_PROXY_REQUEST) , "https proxy request"}, - {ERR_REASON(SSL_R_HTTP_REQUEST) , "http request"}, - {ERR_REASON(SSL_R_ILLEGAL_PADDING) , "illegal padding"}, - {ERR_REASON(SSL_R_INAPPROPRIATE_FALLBACK), "inappropriate fallback"}, - {ERR_REASON(SSL_R_INCONSISTENT_COMPRESSION), "inconsistent compression"}, - {ERR_REASON(SSL_R_INVALID_CHALLENGE_LENGTH), "invalid challenge length"}, - {ERR_REASON(SSL_R_INVALID_COMMAND) , "invalid command"}, - {ERR_REASON(SSL_R_INVALID_COMPRESSION_ALGORITHM), "invalid compression algorithm"}, - {ERR_REASON(SSL_R_INVALID_PURPOSE) , "invalid purpose"}, - {ERR_REASON(SSL_R_INVALID_SRP_USERNAME) , "invalid srp username"}, - {ERR_REASON(SSL_R_INVALID_STATUS_RESPONSE), "invalid status response"}, - {ERR_REASON(SSL_R_INVALID_TICKET_KEYS_LENGTH), "invalid ticket keys length"}, - {ERR_REASON(SSL_R_INVALID_TRUST) , "invalid trust"}, - {ERR_REASON(SSL_R_KEY_ARG_TOO_LONG) , "key arg too long"}, - {ERR_REASON(SSL_R_KRB5) , "krb5"}, - {ERR_REASON(SSL_R_KRB5_C_CC_PRINC) , "krb5 client cc principal (no tkt?)"}, - {ERR_REASON(SSL_R_KRB5_C_GET_CRED) , "krb5 client get cred"}, - {ERR_REASON(SSL_R_KRB5_C_INIT) , "krb5 client init"}, - {ERR_REASON(SSL_R_KRB5_C_MK_REQ) , "krb5 client mk_req (expired tkt?)"}, - {ERR_REASON(SSL_R_KRB5_S_BAD_TICKET) , "krb5 server bad ticket"}, - {ERR_REASON(SSL_R_KRB5_S_INIT) , "krb5 server init"}, - {ERR_REASON(SSL_R_KRB5_S_RD_REQ) , "krb5 server rd_req (keytab perms?)"}, - {ERR_REASON(SSL_R_KRB5_S_TKT_EXPIRED) , "krb5 server tkt expired"}, - {ERR_REASON(SSL_R_KRB5_S_TKT_NYV) , "krb5 server tkt not yet valid"}, - {ERR_REASON(SSL_R_KRB5_S_TKT_SKEW) , "krb5 server tkt skew"}, - {ERR_REASON(SSL_R_LENGTH_MISMATCH) , "length mismatch"}, - {ERR_REASON(SSL_R_LENGTH_TOO_SHORT) , "length too short"}, - {ERR_REASON(SSL_R_LIBRARY_BUG) , "library bug"}, - {ERR_REASON(SSL_R_LIBRARY_HAS_NO_CIPHERS), "library has no ciphers"}, - {ERR_REASON(SSL_R_MESSAGE_TOO_LONG) , "message too long"}, - {ERR_REASON(SSL_R_MISSING_DH_DSA_CERT) , "missing dh dsa cert"}, - {ERR_REASON(SSL_R_MISSING_DH_KEY) , "missing dh key"}, - {ERR_REASON(SSL_R_MISSING_DH_RSA_CERT) , "missing dh rsa cert"}, - {ERR_REASON(SSL_R_MISSING_DSA_SIGNING_CERT), "missing dsa signing cert"}, - {ERR_REASON(SSL_R_MISSING_EXPORT_TMP_DH_KEY), "missing export tmp dh key"}, - {ERR_REASON(SSL_R_MISSING_EXPORT_TMP_RSA_KEY), "missing export tmp rsa key"}, - {ERR_REASON(SSL_R_MISSING_RSA_CERTIFICATE), "missing rsa certificate"}, - {ERR_REASON(SSL_R_MISSING_RSA_ENCRYPTING_CERT), "missing rsa encrypting cert"}, - {ERR_REASON(SSL_R_MISSING_RSA_SIGNING_CERT), "missing rsa signing cert"}, - {ERR_REASON(SSL_R_MISSING_SRP_PARAM) , "can't find SRP server param"}, - {ERR_REASON(SSL_R_MISSING_TMP_DH_KEY) , "missing tmp dh key"}, - {ERR_REASON(SSL_R_MISSING_TMP_ECDH_KEY) , "missing tmp ecdh key"}, - {ERR_REASON(SSL_R_MISSING_TMP_RSA_KEY) , "missing tmp rsa key"}, - {ERR_REASON(SSL_R_MISSING_TMP_RSA_PKEY) , "missing tmp rsa pkey"}, - {ERR_REASON(SSL_R_MISSING_VERIFY_MESSAGE), "missing verify message"}, - {ERR_REASON(SSL_R_MULTIPLE_SGC_RESTARTS) , "multiple sgc restarts"}, - {ERR_REASON(SSL_R_NON_SSLV2_INITIAL_PACKET), "non sslv2 initial packet"}, - {ERR_REASON(SSL_R_NO_CERTIFICATES_RETURNED), "no certificates returned"}, - {ERR_REASON(SSL_R_NO_CERTIFICATE_ASSIGNED), "no certificate assigned"}, - {ERR_REASON(SSL_R_NO_CERTIFICATE_RETURNED), "no certificate returned"}, - {ERR_REASON(SSL_R_NO_CERTIFICATE_SET) , "no certificate set"}, - {ERR_REASON(SSL_R_NO_CERTIFICATE_SPECIFIED), "no certificate specified"}, - {ERR_REASON(SSL_R_NO_CIPHERS_AVAILABLE) , "no ciphers available"}, - {ERR_REASON(SSL_R_NO_CIPHERS_PASSED) , "no ciphers passed"}, - {ERR_REASON(SSL_R_NO_CIPHERS_SPECIFIED) , "no ciphers specified"}, - {ERR_REASON(SSL_R_NO_CIPHER_LIST) , "no cipher list"}, - {ERR_REASON(SSL_R_NO_CIPHER_MATCH) , "no cipher match"}, - {ERR_REASON(SSL_R_NO_CLIENT_CERT_METHOD) , "no client cert method"}, - {ERR_REASON(SSL_R_NO_CLIENT_CERT_RECEIVED), "no client cert received"}, - {ERR_REASON(SSL_R_NO_COMPRESSION_SPECIFIED), "no compression specified"}, - {ERR_REASON(SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER), "Peer haven't sent GOST certificate, required for selected ciphersuite"}, - {ERR_REASON(SSL_R_NO_METHOD_SPECIFIED) , "no method specified"}, - {ERR_REASON(SSL_R_NO_PRIVATEKEY) , "no privatekey"}, - {ERR_REASON(SSL_R_NO_PRIVATE_KEY_ASSIGNED), "no private key assigned"}, - {ERR_REASON(SSL_R_NO_PROTOCOLS_AVAILABLE), "no protocols available"}, - {ERR_REASON(SSL_R_NO_PUBLICKEY) , "no publickey"}, - {ERR_REASON(SSL_R_NO_RENEGOTIATION) , "no renegotiation"}, - {ERR_REASON(SSL_R_NO_REQUIRED_DIGEST) , "digest requred for handshake isn't computed"}, - {ERR_REASON(SSL_R_NO_SHARED_CIPHER) , "no shared cipher"}, - {ERR_REASON(SSL_R_NO_SRTP_PROFILES) , "no srtp profiles"}, - {ERR_REASON(SSL_R_NO_VERIFY_CALLBACK) , "no verify callback"}, - {ERR_REASON(SSL_R_NULL_SSL_CTX) , "null ssl ctx"}, - {ERR_REASON(SSL_R_NULL_SSL_METHOD_PASSED), "null ssl method passed"}, - {ERR_REASON(SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED), "old session cipher not returned"}, - {ERR_REASON(SSL_R_OLD_SESSION_COMPRESSION_ALGORITHM_NOT_RETURNED), "old session compression algorithm not returned"}, - {ERR_REASON(SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE), "only tls allowed in fips mode"}, - {ERR_REASON(SSL_R_PACKET_LENGTH_TOO_LONG), "packet length too long"}, - {ERR_REASON(SSL_R_PARSE_TLSEXT) , "parse tlsext"}, - {ERR_REASON(SSL_R_PATH_TOO_LONG) , "path too long"}, - {ERR_REASON(SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE), "peer did not return a certificate"}, - {ERR_REASON(SSL_R_PEER_ERROR) , "peer error"}, - {ERR_REASON(SSL_R_PEER_ERROR_CERTIFICATE), "peer error certificate"}, - {ERR_REASON(SSL_R_PEER_ERROR_NO_CERTIFICATE), "peer error no certificate"}, - {ERR_REASON(SSL_R_PEER_ERROR_NO_CIPHER) , "peer error no cipher"}, - {ERR_REASON(SSL_R_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE), "peer error unsupported certificate type"}, - {ERR_REASON(SSL_R_PRE_MAC_LENGTH_TOO_LONG), "pre mac length too long"}, - {ERR_REASON(SSL_R_PROBLEMS_MAPPING_CIPHER_FUNCTIONS), "problems mapping cipher functions"}, - {ERR_REASON(SSL_R_PROTOCOL_IS_SHUTDOWN) , "protocol is shutdown"}, - {ERR_REASON(SSL_R_PSK_IDENTITY_NOT_FOUND), "psk identity not found"}, - {ERR_REASON(SSL_R_PSK_NO_CLIENT_CB) , "psk no client cb"}, - {ERR_REASON(SSL_R_PSK_NO_SERVER_CB) , "psk no server cb"}, - {ERR_REASON(SSL_R_PUBLIC_KEY_ENCRYPT_ERROR), "public key encrypt error"}, - {ERR_REASON(SSL_R_PUBLIC_KEY_IS_NOT_RSA) , "public key is not rsa"}, - {ERR_REASON(SSL_R_PUBLIC_KEY_NOT_RSA) , "public key not rsa"}, - {ERR_REASON(SSL_R_READ_BIO_NOT_SET) , "read bio not set"}, - {ERR_REASON(SSL_R_READ_TIMEOUT_EXPIRED) , "read timeout expired"}, - {ERR_REASON(SSL_R_READ_WRONG_PACKET_TYPE), "read wrong packet type"}, - {ERR_REASON(SSL_R_RECORD_LENGTH_MISMATCH), "record length mismatch"}, - {ERR_REASON(SSL_R_RECORD_TOO_LARGE) , "record too large"}, - {ERR_REASON(SSL_R_RECORD_TOO_SMALL) , "record too small"}, - {ERR_REASON(SSL_R_RENEGOTIATE_EXT_TOO_LONG), "renegotiate ext too long"}, - {ERR_REASON(SSL_R_RENEGOTIATION_ENCODING_ERR), "renegotiation encoding err"}, - {ERR_REASON(SSL_R_RENEGOTIATION_MISMATCH), "renegotiation mismatch"}, - {ERR_REASON(SSL_R_REQUIRED_CIPHER_MISSING), "required cipher missing"}, - {ERR_REASON(SSL_R_REQUIRED_COMPRESSSION_ALGORITHM_MISSING), "required compresssion algorithm missing"}, - {ERR_REASON(SSL_R_REUSE_CERT_LENGTH_NOT_ZERO), "reuse cert length not zero"}, - {ERR_REASON(SSL_R_REUSE_CERT_TYPE_NOT_ZERO), "reuse cert type not zero"}, - {ERR_REASON(SSL_R_REUSE_CIPHER_LIST_NOT_ZERO), "reuse cipher list not zero"}, - {ERR_REASON(SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING), "scsv received when renegotiating"}, - {ERR_REASON(SSL_R_SERVERHELLO_TLSEXT) , "serverhello tlsext"}, - {ERR_REASON(SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED), "session id context uninitialized"}, - {ERR_REASON(SSL_R_SHORT_READ) , "short read"}, - {ERR_REASON(SSL_R_SIGNATURE_ALGORITHMS_ERROR), "signature algorithms error"}, - {ERR_REASON(SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE), "signature for non signing certificate"}, - {ERR_REASON(SSL_R_SRP_A_CALC) , "error with the srp params"}, - {ERR_REASON(SSL_R_SRTP_COULD_NOT_ALLOCATE_PROFILES), "srtp could not allocate profiles"}, - {ERR_REASON(SSL_R_SRTP_PROTECTION_PROFILE_LIST_TOO_LONG), "srtp protection profile list too long"}, - {ERR_REASON(SSL_R_SRTP_UNKNOWN_PROTECTION_PROFILE), "srtp unknown protection profile"}, - {ERR_REASON(SSL_R_SSL23_DOING_SESSION_ID_REUSE), "ssl23 doing session id reuse"}, - {ERR_REASON(SSL_R_SSL2_CONNECTION_ID_TOO_LONG), "ssl2 connection id too long"}, - {ERR_REASON(SSL_R_SSL3_EXT_INVALID_ECPOINTFORMAT), "ssl3 ext invalid ecpointformat"}, - {ERR_REASON(SSL_R_SSL3_EXT_INVALID_SERVERNAME), "ssl3 ext invalid servername"}, - {ERR_REASON(SSL_R_SSL3_EXT_INVALID_SERVERNAME_TYPE), "ssl3 ext invalid servername type"}, - {ERR_REASON(SSL_R_SSL3_SESSION_ID_TOO_LONG), "ssl3 session id too long"}, - {ERR_REASON(SSL_R_SSL3_SESSION_ID_TOO_SHORT), "ssl3 session id too short"}, - {ERR_REASON(SSL_R_SSLV3_ALERT_BAD_CERTIFICATE), "sslv3 alert bad certificate"}, - {ERR_REASON(SSL_R_SSLV3_ALERT_BAD_RECORD_MAC), "sslv3 alert bad record mac"}, - {ERR_REASON(SSL_R_SSLV3_ALERT_CERTIFICATE_EXPIRED), "sslv3 alert certificate expired"}, - {ERR_REASON(SSL_R_SSLV3_ALERT_CERTIFICATE_REVOKED), "sslv3 alert certificate revoked"}, - {ERR_REASON(SSL_R_SSLV3_ALERT_CERTIFICATE_UNKNOWN), "sslv3 alert certificate unknown"}, - {ERR_REASON(SSL_R_SSLV3_ALERT_DECOMPRESSION_FAILURE), "sslv3 alert decompression failure"}, - {ERR_REASON(SSL_R_SSLV3_ALERT_HANDSHAKE_FAILURE), "sslv3 alert handshake failure"}, - {ERR_REASON(SSL_R_SSLV3_ALERT_ILLEGAL_PARAMETER), "sslv3 alert illegal parameter"}, - {ERR_REASON(SSL_R_SSLV3_ALERT_NO_CERTIFICATE), "sslv3 alert no certificate"}, - {ERR_REASON(SSL_R_SSLV3_ALERT_UNEXPECTED_MESSAGE), "sslv3 alert unexpected message"}, - {ERR_REASON(SSL_R_SSLV3_ALERT_UNSUPPORTED_CERTIFICATE), "sslv3 alert unsupported certificate"}, - {ERR_REASON(SSL_R_SSL_CTX_HAS_NO_DEFAULT_SSL_VERSION), "ssl ctx has no default ssl version"}, - {ERR_REASON(SSL_R_SSL_HANDSHAKE_FAILURE) , "ssl handshake failure"}, - {ERR_REASON(SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS), "ssl library has no ciphers"}, - {ERR_REASON(SSL_R_SSL_SESSION_ID_CALLBACK_FAILED), "ssl session id callback failed"}, - {ERR_REASON(SSL_R_SSL_SESSION_ID_CONFLICT), "ssl session id conflict"}, - {ERR_REASON(SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG), "ssl session id context too long"}, - {ERR_REASON(SSL_R_SSL_SESSION_ID_HAS_BAD_LENGTH), "ssl session id has bad length"}, - {ERR_REASON(SSL_R_SSL_SESSION_ID_IS_DIFFERENT), "ssl session id is different"}, - {ERR_REASON(SSL_R_TLSV1_ALERT_ACCESS_DENIED), "tlsv1 alert access denied"}, - {ERR_REASON(SSL_R_TLSV1_ALERT_DECODE_ERROR), "tlsv1 alert decode error"}, - {ERR_REASON(SSL_R_TLSV1_ALERT_DECRYPTION_FAILED), "tlsv1 alert decryption failed"}, - {ERR_REASON(SSL_R_TLSV1_ALERT_DECRYPT_ERROR), "tlsv1 alert decrypt error"}, - {ERR_REASON(SSL_R_TLSV1_ALERT_EXPORT_RESTRICTION), "tlsv1 alert export restriction"}, - {ERR_REASON(SSL_R_TLSV1_ALERT_INAPPROPRIATE_FALLBACK), "tlsv1 alert inappropriate fallback"}, - {ERR_REASON(SSL_R_TLSV1_ALERT_INSUFFICIENT_SECURITY), "tlsv1 alert insufficient security"}, - {ERR_REASON(SSL_R_TLSV1_ALERT_INTERNAL_ERROR), "tlsv1 alert internal error"}, - {ERR_REASON(SSL_R_TLSV1_ALERT_NO_RENEGOTIATION), "tlsv1 alert no renegotiation"}, - {ERR_REASON(SSL_R_TLSV1_ALERT_PROTOCOL_VERSION), "tlsv1 alert protocol version"}, - {ERR_REASON(SSL_R_TLSV1_ALERT_RECORD_OVERFLOW), "tlsv1 alert record overflow"}, - {ERR_REASON(SSL_R_TLSV1_ALERT_UNKNOWN_CA), "tlsv1 alert unknown ca"}, - {ERR_REASON(SSL_R_TLSV1_ALERT_USER_CANCELLED), "tlsv1 alert user cancelled"}, - {ERR_REASON(SSL_R_TLSV1_BAD_CERTIFICATE_HASH_VALUE), "tlsv1 bad certificate hash value"}, - {ERR_REASON(SSL_R_TLSV1_BAD_CERTIFICATE_STATUS_RESPONSE), "tlsv1 bad certificate status response"}, - {ERR_REASON(SSL_R_TLSV1_CERTIFICATE_UNOBTAINABLE), "tlsv1 certificate unobtainable"}, - {ERR_REASON(SSL_R_TLSV1_UNRECOGNIZED_NAME), "tlsv1 unrecognized name"}, - {ERR_REASON(SSL_R_TLSV1_UNSUPPORTED_EXTENSION), "tlsv1 unsupported extension"}, - {ERR_REASON(SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER), "tls client cert req with anon cipher"}, - {ERR_REASON(SSL_R_TLS_HEARTBEAT_PEER_DOESNT_ACCEPT), "peer does not accept heartbeats"}, - {ERR_REASON(SSL_R_TLS_HEARTBEAT_PENDING) , "heartbeat request already pending"}, - {ERR_REASON(SSL_R_TLS_ILLEGAL_EXPORTER_LABEL), "tls illegal exporter label"}, - {ERR_REASON(SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST), "tls invalid ecpointformat list"}, - {ERR_REASON(SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST), "tls peer did not respond with certificate list"}, - {ERR_REASON(SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG), "tls rsa encrypted value length is wrong"}, - {ERR_REASON(SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER), "tried to use unsupported cipher"}, - {ERR_REASON(SSL_R_UNABLE_TO_DECODE_DH_CERTS), "unable to decode dh certs"}, - {ERR_REASON(SSL_R_UNABLE_TO_DECODE_ECDH_CERTS), "unable to decode ecdh certs"}, - {ERR_REASON(SSL_R_UNABLE_TO_EXTRACT_PUBLIC_KEY), "unable to extract public key"}, - {ERR_REASON(SSL_R_UNABLE_TO_FIND_DH_PARAMETERS), "unable to find dh parameters"}, - {ERR_REASON(SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS), "unable to find ecdh parameters"}, - {ERR_REASON(SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS), "unable to find public key parameters"}, - {ERR_REASON(SSL_R_UNABLE_TO_FIND_SSL_METHOD), "unable to find ssl method"}, - {ERR_REASON(SSL_R_UNABLE_TO_LOAD_SSL2_MD5_ROUTINES), "unable to load ssl2 md5 routines"}, - {ERR_REASON(SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES), "unable to load ssl3 md5 routines"}, - {ERR_REASON(SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES), "unable to load ssl3 sha1 routines"}, - {ERR_REASON(SSL_R_UNEXPECTED_MESSAGE) , "unexpected message"}, - {ERR_REASON(SSL_R_UNEXPECTED_RECORD) , "unexpected record"}, - {ERR_REASON(SSL_R_UNINITIALIZED) , "uninitialized"}, - {ERR_REASON(SSL_R_UNKNOWN_ALERT_TYPE) , "unknown alert type"}, - {ERR_REASON(SSL_R_UNKNOWN_CERTIFICATE_TYPE), "unknown certificate type"}, - {ERR_REASON(SSL_R_UNKNOWN_CIPHER_RETURNED), "unknown cipher returned"}, - {ERR_REASON(SSL_R_UNKNOWN_CIPHER_TYPE) , "unknown cipher type"}, - {ERR_REASON(SSL_R_UNKNOWN_DIGEST) , "unknown digest"}, - {ERR_REASON(SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE), "unknown key exchange type"}, - {ERR_REASON(SSL_R_UNKNOWN_PKEY_TYPE) , "unknown pkey type"}, - {ERR_REASON(SSL_R_UNKNOWN_PROTOCOL) , "unknown protocol"}, - {ERR_REASON(SSL_R_UNKNOWN_REMOTE_ERROR_TYPE), "unknown remote error type"}, - {ERR_REASON(SSL_R_UNKNOWN_SSL_VERSION) , "unknown ssl version"}, - {ERR_REASON(SSL_R_UNKNOWN_STATE) , "unknown state"}, - {ERR_REASON(SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED), "unsafe legacy renegotiation disabled"}, - {ERR_REASON(SSL_R_UNSUPPORTED_CIPHER) , "unsupported cipher"}, - {ERR_REASON(SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM), "unsupported compression algorithm"}, - {ERR_REASON(SSL_R_UNSUPPORTED_DIGEST_TYPE), "unsupported digest type"}, - {ERR_REASON(SSL_R_UNSUPPORTED_ELLIPTIC_CURVE), "unsupported elliptic curve"}, - {ERR_REASON(SSL_R_UNSUPPORTED_PROTOCOL) , "unsupported protocol"}, - {ERR_REASON(SSL_R_UNSUPPORTED_SSL_VERSION), "unsupported ssl version"}, - {ERR_REASON(SSL_R_UNSUPPORTED_STATUS_TYPE), "unsupported status type"}, - {ERR_REASON(SSL_R_USE_SRTP_NOT_NEGOTIATED), "use srtp not negotiated"}, - {ERR_REASON(SSL_R_WRITE_BIO_NOT_SET) , "write bio not set"}, - {ERR_REASON(SSL_R_WRONG_CIPHER_RETURNED) , "wrong cipher returned"}, - {ERR_REASON(SSL_R_WRONG_CURVE) , "wrong curve"}, - {ERR_REASON(SSL_R_WRONG_MESSAGE_TYPE) , "wrong message type"}, - {ERR_REASON(SSL_R_WRONG_NUMBER_OF_KEY_BITS), "wrong number of key bits"}, - {ERR_REASON(SSL_R_WRONG_SIGNATURE_LENGTH), "wrong signature length"}, - {ERR_REASON(SSL_R_WRONG_SIGNATURE_SIZE) , "wrong signature size"}, - {ERR_REASON(SSL_R_WRONG_SIGNATURE_TYPE) , "wrong signature type"}, - {ERR_REASON(SSL_R_WRONG_SSL_VERSION) , "wrong ssl version"}, - {ERR_REASON(SSL_R_WRONG_VERSION_NUMBER) , "wrong version number"}, - {ERR_REASON(SSL_R_X509_LIB) , "x509 lib"}, - {ERR_REASON(SSL_R_X509_VERIFICATION_SETUP_PROBLEMS), "x509 verification setup problems"}, - {0, NULL} -}; - -#endif - -void -ERR_load_SSL_strings(void) -{ -#ifndef OPENSSL_NO_ERR - - if (ERR_func_error_string(SSL_str_functs[0].error) == NULL) { - ERR_load_strings(0, SSL_str_functs); - ERR_load_strings(0, SSL_str_reasons); - } -#endif -} diff --git a/lib/libssl/src/ssl/ssl_err2.c b/lib/libssl/src/ssl/ssl_err2.c deleted file mode 100644 index 9aad13cdc58..00000000000 --- a/lib/libssl/src/ssl/ssl_err2.c +++ /dev/null @@ -1,72 +0,0 @@ -/* $OpenBSD: ssl_err2.c,v 1.7 2014/12/14 15:30:50 jsing Exp $ */ -/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) - * All rights reserved. - * - * This package is an SSL implementation written - * by Eric Young (eay@cryptsoft.com). - * The implementation was written so as to conform with Netscapes SSL. - * - * This library is free for commercial and non-commercial use as long as - * the following conditions are aheared to. The following conditions - * apply to all code found in this distribution, be it the RC4, RSA, - * lhash, DES, etc., code; not just the SSL code. The SSL documentation - * included with this distribution is covered by the same copyright terms - * except that the holder is Tim Hudson (tjh@cryptsoft.com). - * - * Copyright remains Eric Young's, and as such any Copyright notices in - * the code are not to be removed. - * If this package is used in a product, Eric Young should be given attribution - * as the author of the parts of the library used. - * This can be in the form of a textual message at program startup or - * in documentation (online or textual) provided with the package. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * "This product includes cryptographic software written by - * Eric Young (eay@cryptsoft.com)" - * The word 'cryptographic' can be left out if the rouines from the library - * being used are not cryptographic related :-). - * 4. If you include any Windows specific code (or a derivative thereof) from - * the apps directory (application code) you must include an acknowledgement: - * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" - * - * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * The licence and distribution terms for any publically available version or - * derivative of this code cannot be changed. i.e. this code cannot simply be - * copied and put under another distribution licence - * [including the GNU Public Licence.] - */ - -#include <stdio.h> - -#include <openssl/err.h> -#include <openssl/ssl.h> - -void -SSL_load_error_strings(void) -{ -#ifndef OPENSSL_NO_ERR - ERR_load_crypto_strings(); - ERR_load_SSL_strings(); -#endif -} - diff --git a/lib/libssl/src/ssl/ssl_lib.c b/lib/libssl/src/ssl/ssl_lib.c deleted file mode 100644 index 5b9b952e720..00000000000 --- a/lib/libssl/src/ssl/ssl_lib.c +++ /dev/null @@ -1,3062 +0,0 @@ -/* $OpenBSD: ssl_lib.c,v 1.116 2015/10/25 15:52:49 doug Exp $ */ -/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) - * All rights reserved. - * - * This package is an SSL implementation written - * by Eric Young (eay@cryptsoft.com). - * The implementation was written so as to conform with Netscapes SSL. - * - * This library is free for commercial and non-commercial use as long as - * the following conditions are aheared to. The following conditions - * apply to all code found in this distribution, be it the RC4, RSA, - * lhash, DES, etc., code; not just the SSL code. The SSL documentation - * included with this distribution is covered by the same copyright terms - * except that the holder is Tim Hudson (tjh@cryptsoft.com). - * - * Copyright remains Eric Young's, and as such any Copyright notices in - * the code are not to be removed. - * If this package is used in a product, Eric Young should be given attribution - * as the author of the parts of the library used. - * This can be in the form of a textual message at program startup or - * in documentation (online or textual) provided with the package. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * "This product includes cryptographic software written by - * Eric Young (eay@cryptsoft.com)" - * The word 'cryptographic' can be left out if the rouines from the library - * being used are not cryptographic related :-). - * 4. If you include any Windows specific code (or a derivative thereof) from - * the apps directory (application code) you must include an acknowledgement: - * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" - * - * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * The licence and distribution terms for any publically available version or - * derivative of this code cannot be changed. i.e. this code cannot simply be - * copied and put under another distribution licence - * [including the GNU Public Licence.] - */ -/* ==================================================================== - * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * openssl-core@openssl.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.openssl.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ -/* ==================================================================== - * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. - * ECC cipher suite support in OpenSSL originally developed by - * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project. - */ -/* ==================================================================== - * Copyright 2005 Nokia. All rights reserved. - * - * The portions of the attached software ("Contribution") is developed by - * Nokia Corporation and is licensed pursuant to the OpenSSL open source - * license. - * - * The Contribution, originally written by Mika Kousa and Pasi Eronen of - * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites - * support (see RFC 4279) to OpenSSL. - * - * No patent licenses or other rights except those expressly stated in - * the OpenSSL open source license shall be deemed granted or received - * expressly, by implication, estoppel, or otherwise. - * - * No assurances are provided by Nokia that the Contribution does not - * infringe the patent or other intellectual property rights of any third - * party or that the license provides you with all the necessary rights - * to make use of the Contribution. - * - * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN - * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA - * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY - * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR - * OTHERWISE. - */ - -#include <stdio.h> - -#include "ssl_locl.h" - -#include <openssl/bn.h> -#include <openssl/dh.h> -#include <openssl/lhash.h> -#include <openssl/objects.h> -#include <openssl/ocsp.h> -#include <openssl/x509v3.h> - -#ifndef OPENSSL_NO_ENGINE -#include <openssl/engine.h> -#endif - -#include "bytestring.h" - -const char *SSL_version_str = OPENSSL_VERSION_TEXT; - -SSL3_ENC_METHOD ssl3_undef_enc_method = { - /* - * Evil casts, but these functions are only called if there's a - * library bug. - */ - .enc = (int (*)(SSL *, int))ssl_undefined_function, - .mac = (int (*)(SSL *, unsigned char *, int))ssl_undefined_function, - .setup_key_block = ssl_undefined_function, - .generate_master_secret = (int (*)(SSL *, unsigned char *, - unsigned char *, int))ssl_undefined_function, - .change_cipher_state = (int (*)(SSL*, int))ssl_undefined_function, - .final_finish_mac = (int (*)(SSL *, const char*, int, - unsigned char *))ssl_undefined_function, - .finish_mac_length = 0, - .cert_verify_mac = (int (*)(SSL *, int, - unsigned char *))ssl_undefined_function, - .client_finished_label = NULL, - .client_finished_label_len = 0, - .server_finished_label = NULL, - .server_finished_label_len = 0, - .alert_value = (int (*)(int))ssl_undefined_function, - .export_keying_material = (int (*)(SSL *, unsigned char *, size_t, - const char *, size_t, const unsigned char *, size_t, - int use_context))ssl_undefined_function, - .enc_flags = 0, -}; - -int -SSL_clear(SSL *s) -{ - if (s->method == NULL) { - SSLerr(SSL_F_SSL_CLEAR, SSL_R_NO_METHOD_SPECIFIED); - return (0); - } - - if (ssl_clear_bad_session(s)) { - SSL_SESSION_free(s->session); - s->session = NULL; - } - - s->error = 0; - s->hit = 0; - s->shutdown = 0; - - if (s->renegotiate) { - SSLerr(SSL_F_SSL_CLEAR, ERR_R_INTERNAL_ERROR); - return (0); - } - - s->type = 0; - - s->state = SSL_ST_BEFORE|((s->server) ? SSL_ST_ACCEPT : SSL_ST_CONNECT); - - s->version = s->method->version; - s->client_version = s->version; - s->rwstate = SSL_NOTHING; - s->rstate = SSL_ST_READ_HEADER; - - BUF_MEM_free(s->init_buf); - s->init_buf = NULL; - - ssl_clear_cipher_ctx(s); - ssl_clear_hash_ctx(&s->read_hash); - ssl_clear_hash_ctx(&s->write_hash); - - s->first_packet = 0; - - /* - * Check to see if we were changed into a different method, if - * so, revert back if we are not doing session-id reuse. - */ - if (!s->in_handshake && (s->session == NULL) && - (s->method != s->ctx->method)) { - s->method->ssl_free(s); - s->method = s->ctx->method; - if (!s->method->ssl_new(s)) - return (0); - } else - s->method->ssl_clear(s); - - return (1); -} - -/* Used to change an SSL_CTXs default SSL method type */ -int -SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *meth) -{ - STACK_OF(SSL_CIPHER) *sk; - - ctx->method = meth; - - sk = ssl_create_cipher_list(ctx->method, &(ctx->cipher_list), - &(ctx->cipher_list_by_id), SSL_DEFAULT_CIPHER_LIST); - if ((sk == NULL) || (sk_SSL_CIPHER_num(sk) <= 0)) { - SSLerr(SSL_F_SSL_CTX_SET_SSL_VERSION, - SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS); - return (0); - } - return (1); -} - -SSL * -SSL_new(SSL_CTX *ctx) -{ - SSL *s; - - if (ctx == NULL) { - SSLerr(SSL_F_SSL_NEW, SSL_R_NULL_SSL_CTX); - return (NULL); - } - if (ctx->method == NULL) { - SSLerr(SSL_F_SSL_NEW, SSL_R_SSL_CTX_HAS_NO_DEFAULT_SSL_VERSION); - return (NULL); - } - - s = calloc(1, sizeof(SSL)); - if (s == NULL) - goto err; - - - s->options = ctx->options; - s->mode = ctx->mode; - s->max_cert_list = ctx->max_cert_list; - - if (ctx->cert != NULL) { - /* - * Earlier library versions used to copy the pointer to - * the CERT, not its contents; only when setting new - * parameters for the per-SSL copy, ssl_cert_new would be - * called (and the direct reference to the per-SSL_CTX - * settings would be lost, but those still were indirectly - * accessed for various purposes, and for that reason they - * used to be known as s->ctx->default_cert). - * Now we don't look at the SSL_CTX's CERT after having - * duplicated it once. - */ - s->cert = ssl_cert_dup(ctx->cert); - if (s->cert == NULL) - goto err; - } else - s->cert=NULL; /* Cannot really happen (see SSL_CTX_new) */ - - s->read_ahead = ctx->read_ahead; - s->msg_callback = ctx->msg_callback; - s->msg_callback_arg = ctx->msg_callback_arg; - s->verify_mode = ctx->verify_mode; - s->sid_ctx_length = ctx->sid_ctx_length; - OPENSSL_assert(s->sid_ctx_length <= sizeof s->sid_ctx); - memcpy(&s->sid_ctx, &ctx->sid_ctx, sizeof(s->sid_ctx)); - s->verify_callback = ctx->default_verify_callback; - s->generate_session_id = ctx->generate_session_id; - - s->param = X509_VERIFY_PARAM_new(); - if (!s->param) - goto err; - X509_VERIFY_PARAM_inherit(s->param, ctx->param); - s->quiet_shutdown = ctx->quiet_shutdown; - s->max_send_fragment = ctx->max_send_fragment; - - CRYPTO_add(&ctx->references, 1, CRYPTO_LOCK_SSL_CTX); - s->ctx = ctx; - s->tlsext_debug_cb = 0; - s->tlsext_debug_arg = NULL; - s->tlsext_ticket_expected = 0; - s->tlsext_status_type = -1; - s->tlsext_status_expected = 0; - s->tlsext_ocsp_ids = NULL; - s->tlsext_ocsp_exts = NULL; - s->tlsext_ocsp_resp = NULL; - s->tlsext_ocsp_resplen = -1; - CRYPTO_add(&ctx->references, 1, CRYPTO_LOCK_SSL_CTX); - s->initial_ctx = ctx; - s->next_proto_negotiated = NULL; - - if (s->ctx->alpn_client_proto_list != NULL) { - s->alpn_client_proto_list = - malloc(s->ctx->alpn_client_proto_list_len); - if (s->alpn_client_proto_list == NULL) - goto err; - memcpy(s->alpn_client_proto_list, - s->ctx->alpn_client_proto_list, - s->ctx->alpn_client_proto_list_len); - s->alpn_client_proto_list_len = - s->ctx->alpn_client_proto_list_len; - } - - s->verify_result = X509_V_OK; - - s->method = ctx->method; - - if (!s->method->ssl_new(s)) - goto err; - - s->references = 1; - s->server = (ctx->method->ssl_accept == ssl_undefined_function) ? 0 : 1; - - SSL_clear(s); - - CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL, s, &s->ex_data); - - return (s); - -err: - SSL_free(s); - SSLerr(SSL_F_SSL_NEW, ERR_R_MALLOC_FAILURE); - return (NULL); -} - -int -SSL_CTX_set_session_id_context(SSL_CTX *ctx, const unsigned char *sid_ctx, - unsigned int sid_ctx_len) -{ - if (sid_ctx_len > sizeof ctx->sid_ctx) { - SSLerr(SSL_F_SSL_CTX_SET_SESSION_ID_CONTEXT, - SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG); - return (0); - } - ctx->sid_ctx_length = sid_ctx_len; - memcpy(ctx->sid_ctx, sid_ctx, sid_ctx_len); - - return (1); -} - -int -SSL_set_session_id_context(SSL *ssl, const unsigned char *sid_ctx, - unsigned int sid_ctx_len) -{ - if (sid_ctx_len > SSL_MAX_SID_CTX_LENGTH) { - SSLerr(SSL_F_SSL_SET_SESSION_ID_CONTEXT, - SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG); - return (0); - } - ssl->sid_ctx_length = sid_ctx_len; - memcpy(ssl->sid_ctx, sid_ctx, sid_ctx_len); - - return (1); -} - -int -SSL_CTX_set_generate_session_id(SSL_CTX *ctx, GEN_SESSION_CB cb) -{ - CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX); - ctx->generate_session_id = cb; - CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX); - return (1); -} - -int -SSL_set_generate_session_id(SSL *ssl, GEN_SESSION_CB cb) -{ - CRYPTO_w_lock(CRYPTO_LOCK_SSL); - ssl->generate_session_id = cb; - CRYPTO_w_unlock(CRYPTO_LOCK_SSL); - return (1); -} - -int -SSL_has_matching_session_id(const SSL *ssl, const unsigned char *id, - unsigned int id_len) -{ - /* - * A quick examination of SSL_SESSION_hash and SSL_SESSION_cmp - * shows how we can "construct" a session to give us the desired - * check - ie. to find if there's a session in the hash table - * that would conflict with any new session built out of this - * id/id_len and the ssl_version in use by this SSL. - */ - SSL_SESSION r, *p; - - if (id_len > sizeof r.session_id) - return (0); - - r.ssl_version = ssl->version; - r.session_id_length = id_len; - memcpy(r.session_id, id, id_len); - - CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX); - p = lh_SSL_SESSION_retrieve(ssl->ctx->sessions, &r); - CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX); - return (p != NULL); -} - -int -SSL_CTX_set_purpose(SSL_CTX *s, int purpose) -{ - return (X509_VERIFY_PARAM_set_purpose(s->param, purpose)); -} - -int -SSL_set_purpose(SSL *s, int purpose) -{ - return (X509_VERIFY_PARAM_set_purpose(s->param, purpose)); -} - -int -SSL_CTX_set_trust(SSL_CTX *s, int trust) -{ - return (X509_VERIFY_PARAM_set_trust(s->param, trust)); -} - -int -SSL_set_trust(SSL *s, int trust) -{ - return (X509_VERIFY_PARAM_set_trust(s->param, trust)); -} - -int -SSL_CTX_set1_param(SSL_CTX *ctx, X509_VERIFY_PARAM *vpm) -{ - return (X509_VERIFY_PARAM_set1(ctx->param, vpm)); -} - -int -SSL_set1_param(SSL *ssl, X509_VERIFY_PARAM *vpm) -{ - return (X509_VERIFY_PARAM_set1(ssl->param, vpm)); -} - -void -SSL_free(SSL *s) -{ - int i; - - if (s == NULL) - return; - - i = CRYPTO_add(&s->references, -1, CRYPTO_LOCK_SSL); - if (i > 0) - return; - - if (s->param) - X509_VERIFY_PARAM_free(s->param); - - CRYPTO_free_ex_data(CRYPTO_EX_INDEX_SSL, s, &s->ex_data); - - if (s->bbio != NULL) { - /* If the buffering BIO is in place, pop it off */ - if (s->bbio == s->wbio) { - s->wbio = BIO_pop(s->wbio); - } - BIO_free(s->bbio); - s->bbio = NULL; - } - - if (s->rbio != s->wbio) - BIO_free_all(s->rbio); - BIO_free_all(s->wbio); - - if (s->init_buf != NULL) - BUF_MEM_free(s->init_buf); - - /* add extra stuff */ - if (s->cipher_list != NULL) - sk_SSL_CIPHER_free(s->cipher_list); - if (s->cipher_list_by_id != NULL) - sk_SSL_CIPHER_free(s->cipher_list_by_id); - - /* Make the next call work :-) */ - if (s->session != NULL) { - ssl_clear_bad_session(s); - SSL_SESSION_free(s->session); - } - - ssl_clear_cipher_ctx(s); - ssl_clear_hash_ctx(&s->read_hash); - ssl_clear_hash_ctx(&s->write_hash); - - if (s->cert != NULL) - ssl_cert_free(s->cert); - /* Free up if allocated */ - - free(s->tlsext_hostname); - SSL_CTX_free(s->initial_ctx); - free(s->tlsext_ecpointformatlist); - free(s->tlsext_ellipticcurvelist); - if (s->tlsext_ocsp_exts) - sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts, - X509_EXTENSION_free); - if (s->tlsext_ocsp_ids) - sk_OCSP_RESPID_pop_free(s->tlsext_ocsp_ids, OCSP_RESPID_free); - free(s->tlsext_ocsp_resp); - - if (s->client_CA != NULL) - sk_X509_NAME_pop_free(s->client_CA, X509_NAME_free); - - if (s->method != NULL) - s->method->ssl_free(s); - - SSL_CTX_free(s->ctx); - - - free(s->next_proto_negotiated); - free(s->alpn_client_proto_list); - -#ifndef OPENSSL_NO_SRTP - if (s->srtp_profiles) - sk_SRTP_PROTECTION_PROFILE_free(s->srtp_profiles); -#endif - - free(s); -} - -void -SSL_set_bio(SSL *s, BIO *rbio, BIO *wbio) -{ - /* If the output buffering BIO is still in place, remove it */ - if (s->bbio != NULL) { - if (s->wbio == s->bbio) { - s->wbio = s->wbio->next_bio; - s->bbio->next_bio = NULL; - } - } - - if (s->rbio != rbio && s->rbio != s->wbio) - BIO_free_all(s->rbio); - if (s->wbio != wbio) - BIO_free_all(s->wbio); - s->rbio = rbio; - s->wbio = wbio; -} - -BIO * -SSL_get_rbio(const SSL *s) -{ - return (s->rbio); -} - -BIO * -SSL_get_wbio(const SSL *s) -{ - return (s->wbio); -} - -int -SSL_get_fd(const SSL *s) -{ - return (SSL_get_rfd(s)); -} - -int -SSL_get_rfd(const SSL *s) -{ - int ret = -1; - BIO *b, *r; - - b = SSL_get_rbio(s); - r = BIO_find_type(b, BIO_TYPE_DESCRIPTOR); - if (r != NULL) - BIO_get_fd(r, &ret); - return (ret); -} - -int -SSL_get_wfd(const SSL *s) -{ - int ret = -1; - BIO *b, *r; - - b = SSL_get_wbio(s); - r = BIO_find_type(b, BIO_TYPE_DESCRIPTOR); - if (r != NULL) - BIO_get_fd(r, &ret); - return (ret); -} - -int -SSL_set_fd(SSL *s, int fd) -{ - int ret = 0; - BIO *bio = NULL; - - bio = BIO_new(BIO_s_socket()); - - if (bio == NULL) { - SSLerr(SSL_F_SSL_SET_FD, ERR_R_BUF_LIB); - goto err; - } - BIO_set_fd(bio, fd, BIO_NOCLOSE); - SSL_set_bio(s, bio, bio); - ret = 1; -err: - return (ret); -} - -int -SSL_set_wfd(SSL *s, int fd) -{ - int ret = 0; - BIO *bio = NULL; - - if ((s->rbio == NULL) || (BIO_method_type(s->rbio) != BIO_TYPE_SOCKET) - || ((int)BIO_get_fd(s->rbio, NULL) != fd)) { - bio = BIO_new(BIO_s_socket()); - - if (bio == NULL) { - SSLerr(SSL_F_SSL_SET_WFD, ERR_R_BUF_LIB); - goto err; - } - BIO_set_fd(bio, fd, BIO_NOCLOSE); - SSL_set_bio(s, SSL_get_rbio(s), bio); - } else - SSL_set_bio(s, SSL_get_rbio(s), SSL_get_rbio(s)); - ret = 1; -err: - return (ret); -} - -int -SSL_set_rfd(SSL *s, int fd) -{ - int ret = 0; - BIO *bio = NULL; - - if ((s->wbio == NULL) || (BIO_method_type(s->wbio) != BIO_TYPE_SOCKET) - || ((int)BIO_get_fd(s->wbio, NULL) != fd)) { - bio = BIO_new(BIO_s_socket()); - - if (bio == NULL) { - SSLerr(SSL_F_SSL_SET_RFD, ERR_R_BUF_LIB); - goto err; - } - BIO_set_fd(bio, fd, BIO_NOCLOSE); - SSL_set_bio(s, bio, SSL_get_wbio(s)); - } else - SSL_set_bio(s, SSL_get_wbio(s), SSL_get_wbio(s)); - ret = 1; -err: - return (ret); -} - - -/* return length of latest Finished message we sent, copy to 'buf' */ -size_t -SSL_get_finished(const SSL *s, void *buf, size_t count) -{ - size_t ret = 0; - - if (s->s3 != NULL) { - ret = s->s3->tmp.finish_md_len; - if (count > ret) - count = ret; - memcpy(buf, s->s3->tmp.finish_md, count); - } - return (ret); -} - -/* return length of latest Finished message we expected, copy to 'buf' */ -size_t -SSL_get_peer_finished(const SSL *s, void *buf, size_t count) -{ - size_t ret = 0; - - if (s->s3 != NULL) { - ret = s->s3->tmp.peer_finish_md_len; - if (count > ret) - count = ret; - memcpy(buf, s->s3->tmp.peer_finish_md, count); - } - return (ret); -} - - -int -SSL_get_verify_mode(const SSL *s) -{ - return (s->verify_mode); -} - -int -SSL_get_verify_depth(const SSL *s) -{ - return (X509_VERIFY_PARAM_get_depth(s->param)); -} - -int -(*SSL_get_verify_callback(const SSL *s))(int, X509_STORE_CTX *) -{ - return (s->verify_callback); -} - -int -SSL_CTX_get_verify_mode(const SSL_CTX *ctx) -{ - return (ctx->verify_mode); -} - -int -SSL_CTX_get_verify_depth(const SSL_CTX *ctx) -{ - return (X509_VERIFY_PARAM_get_depth(ctx->param)); -} - -int (*SSL_CTX_get_verify_callback(const SSL_CTX *ctx))(int, X509_STORE_CTX *) -{ - return (ctx->default_verify_callback); -} - -void -SSL_set_verify(SSL *s, int mode, - int (*callback)(int ok, X509_STORE_CTX *ctx)) -{ - s->verify_mode = mode; - if (callback != NULL) - s->verify_callback = callback; -} - -void -SSL_set_verify_depth(SSL *s, int depth) -{ - X509_VERIFY_PARAM_set_depth(s->param, depth); -} - -void -SSL_set_read_ahead(SSL *s, int yes) -{ - s->read_ahead = yes; -} - -int -SSL_get_read_ahead(const SSL *s) -{ - return (s->read_ahead); -} - -int -SSL_pending(const SSL *s) -{ - /* - * SSL_pending cannot work properly if read-ahead is enabled - * (SSL_[CTX_]ctrl(..., SSL_CTRL_SET_READ_AHEAD, 1, NULL)), - * and it is impossible to fix since SSL_pending cannot report - * errors that may be observed while scanning the new data. - * (Note that SSL_pending() is often used as a boolean value, - * so we'd better not return -1.) - */ - return (s->method->ssl_pending(s)); -} - -X509 * -SSL_get_peer_certificate(const SSL *s) -{ - X509 *r; - - if ((s == NULL) || (s->session == NULL)) - r = NULL; - else - r = s->session->peer; - - if (r == NULL) - return (r); - - CRYPTO_add(&r->references, 1, CRYPTO_LOCK_X509); - - return (r); -} - -STACK_OF(X509) * -SSL_get_peer_cert_chain(const SSL *s) -{ - STACK_OF(X509) *r; - - if ((s == NULL) || (s->session == NULL) || - (s->session->sess_cert == NULL)) - r = NULL; - else - r = s->session->sess_cert->cert_chain; - - /* - * If we are a client, cert_chain includes the peer's own - * certificate; - * if we are a server, it does not. - */ - return (r); -} - -/* - * Now in theory, since the calling process own 't' it should be safe to - * modify. We need to be able to read f without being hassled - */ -void -SSL_copy_session_id(SSL *t, const SSL *f) -{ - CERT *tmp; - - /* Do we need to to SSL locking? */ - SSL_set_session(t, SSL_get_session(f)); - - /* - * What if we are setup as SSLv2 but want to talk SSLv3 or - * vice-versa. - */ - if (t->method != f->method) { - t->method->ssl_free(t); /* cleanup current */ - t->method=f->method; /* change method */ - t->method->ssl_new(t); /* setup new */ - } - - tmp = t->cert; - if (f->cert != NULL) { - CRYPTO_add(&f->cert->references, 1, CRYPTO_LOCK_SSL_CERT); - t->cert = f->cert; - } else - t->cert = NULL; - if (tmp != NULL) - ssl_cert_free(tmp); - SSL_set_session_id_context(t, f->sid_ctx, f->sid_ctx_length); -} - -/* Fix this so it checks all the valid key/cert options */ -int -SSL_CTX_check_private_key(const SSL_CTX *ctx) -{ - if ((ctx == NULL) || (ctx->cert == NULL) || - (ctx->cert->key->x509 == NULL)) { - SSLerr(SSL_F_SSL_CTX_CHECK_PRIVATE_KEY, - SSL_R_NO_CERTIFICATE_ASSIGNED); - return (0); - } - if (ctx->cert->key->privatekey == NULL) { - SSLerr(SSL_F_SSL_CTX_CHECK_PRIVATE_KEY, - SSL_R_NO_PRIVATE_KEY_ASSIGNED); - return (0); - } - return (X509_check_private_key(ctx->cert->key->x509, - ctx->cert->key->privatekey)); -} - -/* Fix this function so that it takes an optional type parameter */ -int -SSL_check_private_key(const SSL *ssl) -{ - if (ssl == NULL) { - SSLerr(SSL_F_SSL_CHECK_PRIVATE_KEY, - ERR_R_PASSED_NULL_PARAMETER); - return (0); - } - if (ssl->cert == NULL) { - SSLerr(SSL_F_SSL_CHECK_PRIVATE_KEY, - SSL_R_NO_CERTIFICATE_ASSIGNED); - return (0); - } - if (ssl->cert->key->x509 == NULL) { - SSLerr(SSL_F_SSL_CHECK_PRIVATE_KEY, - SSL_R_NO_CERTIFICATE_ASSIGNED); - return (0); - } - if (ssl->cert->key->privatekey == NULL) { - SSLerr(SSL_F_SSL_CHECK_PRIVATE_KEY, - SSL_R_NO_PRIVATE_KEY_ASSIGNED); - return (0); - } - return (X509_check_private_key(ssl->cert->key->x509, - ssl->cert->key->privatekey)); -} - -int -SSL_accept(SSL *s) -{ - if (s->handshake_func == NULL) - SSL_set_accept_state(s); /* Not properly initialized yet */ - - return (s->method->ssl_accept(s)); -} - -int -SSL_connect(SSL *s) -{ - if (s->handshake_func == NULL) - SSL_set_connect_state(s); /* Not properly initialized yet */ - - return (s->method->ssl_connect(s)); -} - -long -SSL_get_default_timeout(const SSL *s) -{ - return (s->method->get_timeout()); -} - -int -SSL_read(SSL *s, void *buf, int num) -{ - if (s->handshake_func == NULL) { - SSLerr(SSL_F_SSL_READ, SSL_R_UNINITIALIZED); - return (-1); - } - - if (s->shutdown & SSL_RECEIVED_SHUTDOWN) { - s->rwstate = SSL_NOTHING; - return (0); - } - return (s->method->ssl_read(s, buf, num)); -} - -int -SSL_peek(SSL *s, void *buf, int num) -{ - if (s->handshake_func == NULL) { - SSLerr(SSL_F_SSL_PEEK, SSL_R_UNINITIALIZED); - return (-1); - } - - if (s->shutdown & SSL_RECEIVED_SHUTDOWN) { - return (0); - } - return (s->method->ssl_peek(s, buf, num)); -} - -int -SSL_write(SSL *s, const void *buf, int num) -{ - if (s->handshake_func == NULL) { - SSLerr(SSL_F_SSL_WRITE, SSL_R_UNINITIALIZED); - return (-1); - } - - if (s->shutdown & SSL_SENT_SHUTDOWN) { - s->rwstate = SSL_NOTHING; - SSLerr(SSL_F_SSL_WRITE, SSL_R_PROTOCOL_IS_SHUTDOWN); - return (-1); - } - return (s->method->ssl_write(s, buf, num)); -} - -int -SSL_shutdown(SSL *s) -{ - /* - * Note that this function behaves differently from what one might - * expect. Return values are 0 for no success (yet), - * 1 for success; but calling it once is usually not enough, - * even if blocking I/O is used (see ssl3_shutdown). - */ - - if (s->handshake_func == NULL) { - SSLerr(SSL_F_SSL_SHUTDOWN, SSL_R_UNINITIALIZED); - return (-1); - } - - if ((s != NULL) && !SSL_in_init(s)) - return (s->method->ssl_shutdown(s)); - else - return (1); -} - -int -SSL_renegotiate(SSL *s) -{ - if (s->renegotiate == 0) - s->renegotiate = 1; - - s->new_session = 1; - - return (s->method->ssl_renegotiate(s)); -} - -int -SSL_renegotiate_abbreviated(SSL *s) -{ - if (s->renegotiate == 0) - s->renegotiate = 1; - - s->new_session = 0; - - return (s->method->ssl_renegotiate(s)); -} - -int -SSL_renegotiate_pending(SSL *s) -{ - /* - * Becomes true when negotiation is requested; - * false again once a handshake has finished. - */ - return (s->renegotiate != 0); -} - -long -SSL_ctrl(SSL *s, int cmd, long larg, void *parg) -{ - long l; - - switch (cmd) { - case SSL_CTRL_GET_READ_AHEAD: - return (s->read_ahead); - case SSL_CTRL_SET_READ_AHEAD: - l = s->read_ahead; - s->read_ahead = larg; - return (l); - - case SSL_CTRL_SET_MSG_CALLBACK_ARG: - s->msg_callback_arg = parg; - return (1); - - case SSL_CTRL_OPTIONS: - return (s->options|=larg); - case SSL_CTRL_CLEAR_OPTIONS: - return (s->options&=~larg); - case SSL_CTRL_MODE: - return (s->mode|=larg); - case SSL_CTRL_CLEAR_MODE: - return (s->mode &=~larg); - case SSL_CTRL_GET_MAX_CERT_LIST: - return (s->max_cert_list); - case SSL_CTRL_SET_MAX_CERT_LIST: - l = s->max_cert_list; - s->max_cert_list = larg; - return (l); - case SSL_CTRL_SET_MTU: -#ifndef OPENSSL_NO_DTLS1 - if (larg < (long)dtls1_min_mtu()) - return (0); -#endif - if (SSL_IS_DTLS(s)) { - s->d1->mtu = larg; - return (larg); - } - return (0); - case SSL_CTRL_SET_MAX_SEND_FRAGMENT: - if (larg < 512 || larg > SSL3_RT_MAX_PLAIN_LENGTH) - return (0); - s->max_send_fragment = larg; - return (1); - case SSL_CTRL_GET_RI_SUPPORT: - if (s->s3) - return (s->s3->send_connection_binding); - else return (0); - default: - return (s->method->ssl_ctrl(s, cmd, larg, parg)); - } -} - -long -SSL_callback_ctrl(SSL *s, int cmd, void (*fp)(void)) -{ - switch (cmd) { - case SSL_CTRL_SET_MSG_CALLBACK: - s->msg_callback = (void (*)(int write_p, int version, - int content_type, const void *buf, size_t len, - SSL *ssl, void *arg))(fp); - return (1); - - default: - return (s->method->ssl_callback_ctrl(s, cmd, fp)); - } -} - -LHASH_OF(SSL_SESSION) * -SSL_CTX_sessions(SSL_CTX *ctx) -{ - return (ctx->sessions); -} - -long -SSL_CTX_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) -{ - long l; - - switch (cmd) { - case SSL_CTRL_GET_READ_AHEAD: - return (ctx->read_ahead); - case SSL_CTRL_SET_READ_AHEAD: - l = ctx->read_ahead; - ctx->read_ahead = larg; - return (l); - - case SSL_CTRL_SET_MSG_CALLBACK_ARG: - ctx->msg_callback_arg = parg; - return (1); - - case SSL_CTRL_GET_MAX_CERT_LIST: - return (ctx->max_cert_list); - case SSL_CTRL_SET_MAX_CERT_LIST: - l = ctx->max_cert_list; - ctx->max_cert_list = larg; - return (l); - - case SSL_CTRL_SET_SESS_CACHE_SIZE: - l = ctx->session_cache_size; - ctx->session_cache_size = larg; - return (l); - case SSL_CTRL_GET_SESS_CACHE_SIZE: - return (ctx->session_cache_size); - case SSL_CTRL_SET_SESS_CACHE_MODE: - l = ctx->session_cache_mode; - ctx->session_cache_mode = larg; - return (l); - case SSL_CTRL_GET_SESS_CACHE_MODE: - return (ctx->session_cache_mode); - - case SSL_CTRL_SESS_NUMBER: - return (lh_SSL_SESSION_num_items(ctx->sessions)); - case SSL_CTRL_SESS_CONNECT: - return (ctx->stats.sess_connect); - case SSL_CTRL_SESS_CONNECT_GOOD: - return (ctx->stats.sess_connect_good); - case SSL_CTRL_SESS_CONNECT_RENEGOTIATE: - return (ctx->stats.sess_connect_renegotiate); - case SSL_CTRL_SESS_ACCEPT: - return (ctx->stats.sess_accept); - case SSL_CTRL_SESS_ACCEPT_GOOD: - return (ctx->stats.sess_accept_good); - case SSL_CTRL_SESS_ACCEPT_RENEGOTIATE: - return (ctx->stats.sess_accept_renegotiate); - case SSL_CTRL_SESS_HIT: - return (ctx->stats.sess_hit); - case SSL_CTRL_SESS_CB_HIT: - return (ctx->stats.sess_cb_hit); - case SSL_CTRL_SESS_MISSES: - return (ctx->stats.sess_miss); - case SSL_CTRL_SESS_TIMEOUTS: - return (ctx->stats.sess_timeout); - case SSL_CTRL_SESS_CACHE_FULL: - return (ctx->stats.sess_cache_full); - case SSL_CTRL_OPTIONS: - return (ctx->options|=larg); - case SSL_CTRL_CLEAR_OPTIONS: - return (ctx->options&=~larg); - case SSL_CTRL_MODE: - return (ctx->mode|=larg); - case SSL_CTRL_CLEAR_MODE: - return (ctx->mode&=~larg); - case SSL_CTRL_SET_MAX_SEND_FRAGMENT: - if (larg < 512 || larg > SSL3_RT_MAX_PLAIN_LENGTH) - return (0); - ctx->max_send_fragment = larg; - return (1); - default: - return (ctx->method->ssl_ctx_ctrl(ctx, cmd, larg, parg)); - } -} - -long -SSL_CTX_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)(void)) -{ - switch (cmd) { - case SSL_CTRL_SET_MSG_CALLBACK: - ctx->msg_callback = (void (*)(int write_p, int version, - int content_type, const void *buf, size_t len, SSL *ssl, - void *arg))(fp); - return (1); - - default: - return (ctx->method->ssl_ctx_callback_ctrl(ctx, cmd, fp)); - } -} - -int -ssl_cipher_id_cmp(const SSL_CIPHER *a, const SSL_CIPHER *b) -{ - long l; - - l = a->id - b->id; - if (l == 0L) - return (0); - else - return ((l > 0) ? 1:-1); -} - -int -ssl_cipher_ptr_id_cmp(const SSL_CIPHER * const *ap, - const SSL_CIPHER * const *bp) -{ - long l; - - l = (*ap)->id - (*bp)->id; - if (l == 0L) - return (0); - else - return ((l > 0) ? 1:-1); -} - -/* - * Return a STACK of the ciphers available for the SSL and in order of - * preference. - */ -STACK_OF(SSL_CIPHER) * -SSL_get_ciphers(const SSL *s) -{ - if (s != NULL) { - if (s->cipher_list != NULL) { - return (s->cipher_list); - } else if ((s->ctx != NULL) && (s->ctx->cipher_list != NULL)) { - return (s->ctx->cipher_list); - } - } - return (NULL); -} - -/* - * Return a STACK of the ciphers available for the SSL and in order of - * algorithm id. - */ -STACK_OF(SSL_CIPHER) * -ssl_get_ciphers_by_id(SSL *s) -{ - if (s != NULL) { - if (s->cipher_list_by_id != NULL) { - return (s->cipher_list_by_id); - } else if ((s->ctx != NULL) && - (s->ctx->cipher_list_by_id != NULL)) { - return (s->ctx->cipher_list_by_id); - } - } - return (NULL); -} - -/* The old interface to get the same thing as SSL_get_ciphers(). */ -const char * -SSL_get_cipher_list(const SSL *s, int n) -{ - SSL_CIPHER *c; - STACK_OF(SSL_CIPHER) *sk; - - if (s == NULL) - return (NULL); - sk = SSL_get_ciphers(s); - if ((sk == NULL) || (sk_SSL_CIPHER_num(sk) <= n)) - return (NULL); - c = sk_SSL_CIPHER_value(sk, n); - if (c == NULL) - return (NULL); - return (c->name); -} - -/* Specify the ciphers to be used by default by the SSL_CTX. */ -int -SSL_CTX_set_cipher_list(SSL_CTX *ctx, const char *str) -{ - STACK_OF(SSL_CIPHER) *sk; - - sk = ssl_create_cipher_list(ctx->method, &ctx->cipher_list, - &ctx->cipher_list_by_id, str); - /* - * ssl_create_cipher_list may return an empty stack if it - * was unable to find a cipher matching the given rule string - * (for example if the rule string specifies a cipher which - * has been disabled). This is not an error as far as - * ssl_create_cipher_list is concerned, and hence - * ctx->cipher_list and ctx->cipher_list_by_id has been - * updated. - */ - if (sk == NULL) - return (0); - else if (sk_SSL_CIPHER_num(sk) == 0) { - SSLerr(SSL_F_SSL_CTX_SET_CIPHER_LIST, SSL_R_NO_CIPHER_MATCH); - return (0); - } - return (1); -} - -/* Specify the ciphers to be used by the SSL. */ -int -SSL_set_cipher_list(SSL *s, const char *str) -{ - STACK_OF(SSL_CIPHER) *sk; - - sk = ssl_create_cipher_list(s->ctx->method, &s->cipher_list, - &s->cipher_list_by_id, str); - /* see comment in SSL_CTX_set_cipher_list */ - if (sk == NULL) - return (0); - else if (sk_SSL_CIPHER_num(sk) == 0) { - SSLerr(SSL_F_SSL_SET_CIPHER_LIST, SSL_R_NO_CIPHER_MATCH); - return (0); - } - return (1); -} - -/* works well for SSLv2, not so good for SSLv3 */ -char * -SSL_get_shared_ciphers(const SSL *s, char *buf, int len) -{ - char *end; - STACK_OF(SSL_CIPHER) *sk; - SSL_CIPHER *c; - size_t curlen = 0; - int i; - - if (s->session == NULL || s->session->ciphers == NULL || len < 2) - return (NULL); - - sk = s->session->ciphers; - if (sk_SSL_CIPHER_num(sk) == 0) - return (NULL); - - buf[0] = '\0'; - for (i = 0; i < sk_SSL_CIPHER_num(sk); i++) { - c = sk_SSL_CIPHER_value(sk, i); - end = buf + curlen; - if (strlcat(buf, c->name, len) >= len || - (curlen = strlcat(buf, ":", len)) >= len) { - /* remove truncated cipher from list */ - *end = '\0'; - break; - } - } - /* remove trailing colon */ - if ((end = strrchr(buf, ':')) != NULL) - *end = '\0'; - return (buf); -} - -int -ssl_cipher_list_to_bytes(SSL *s, STACK_OF(SSL_CIPHER) *sk, unsigned char *p) -{ - int i; - SSL_CIPHER *c; - unsigned char *q; - - if (sk == NULL) - return (0); - q = p; - - for (i = 0; i < sk_SSL_CIPHER_num(sk); i++) { - c = sk_SSL_CIPHER_value(sk, i); - - /* Skip TLS v1.2 only ciphersuites if lower than v1.2 */ - if ((c->algorithm_ssl & SSL_TLSV1_2) && - (TLS1_get_client_version(s) < TLS1_2_VERSION)) - continue; - - s2n(ssl3_cipher_get_value(c), p); - } - - /* - * If p == q, no ciphers and caller indicates an error. Otherwise - * add SCSV if not renegotiating. - */ - if (p != q && !s->renegotiate) - s2n(SSL3_CK_SCSV & SSL3_CK_VALUE_MASK, p); - - return (p - q); -} - -STACK_OF(SSL_CIPHER) * -ssl_bytes_to_cipher_list(SSL *s, const unsigned char *p, int num) -{ - CBS cbs; - const SSL_CIPHER *c; - STACK_OF(SSL_CIPHER) *sk = NULL; - unsigned long cipher_id; - uint16_t cipher_value, max_version; - - if (s->s3) - s->s3->send_connection_binding = 0; - - /* - * RFC 5246 section 7.4.1.2 defines the interval as [2,2^16-2]. - */ - if (num < 2 || num > 0x10000 - 2) { - SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST, - SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST); - return (NULL); - } - - if ((sk = sk_SSL_CIPHER_new_null()) == NULL) { - SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST, ERR_R_MALLOC_FAILURE); - goto err; - } - - CBS_init(&cbs, p, num); - while (CBS_len(&cbs) > 0) { - if (!CBS_get_u16(&cbs, &cipher_value)) { - SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST, - SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST); - goto err; - } - - cipher_id = SSL3_CK_ID | cipher_value; - - if (s->s3 != NULL && cipher_id == SSL3_CK_SCSV) { - /* - * TLS_EMPTY_RENEGOTIATION_INFO_SCSV is fatal if - * renegotiating. - */ - if (s->renegotiate) { - SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST, - SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING); - ssl3_send_alert(s, SSL3_AL_FATAL, - SSL_AD_HANDSHAKE_FAILURE); - - goto err; - } - s->s3->send_connection_binding = 1; - continue; - } - - if (cipher_id == SSL3_CK_FALLBACK_SCSV) { - /* - * TLS_FALLBACK_SCSV indicates that the client - * previously tried a higher protocol version. - * Fail if the current version is an unexpected - * downgrade. - */ - max_version = ssl_max_server_version(s); - if (max_version == 0 || s->version < max_version) { - SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST, - SSL_R_INAPPROPRIATE_FALLBACK); - if (s->s3 != NULL) - ssl3_send_alert(s, SSL3_AL_FATAL, - SSL_AD_INAPPROPRIATE_FALLBACK); - goto err; - } - continue; - } - - if ((c = ssl3_get_cipher_by_value(cipher_value)) != NULL) { - if (!sk_SSL_CIPHER_push(sk, c)) { - SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST, - ERR_R_MALLOC_FAILURE); - goto err; - } - } - } - - return (sk); - -err: - sk_SSL_CIPHER_free(sk); - - return (NULL); -} - - -/* - * Return a servername extension value if provided in Client Hello, or NULL. - * So far, only host_name types are defined (RFC 3546). - */ -const char * -SSL_get_servername(const SSL *s, const int type) -{ - if (type != TLSEXT_NAMETYPE_host_name) - return (NULL); - - return (s->session && !s->tlsext_hostname ? - s->session->tlsext_hostname : - s->tlsext_hostname); -} - -int -SSL_get_servername_type(const SSL *s) -{ - if (s->session && - (!s->tlsext_hostname ? - s->session->tlsext_hostname : s->tlsext_hostname)) - return (TLSEXT_NAMETYPE_host_name); - return (-1); -} - -/* - * SSL_select_next_proto implements the standard protocol selection. It is - * expected that this function is called from the callback set by - * SSL_CTX_set_next_proto_select_cb. - * - * The protocol data is assumed to be a vector of 8-bit, length prefixed byte - * strings. The length byte itself is not included in the length. A byte - * string of length 0 is invalid. No byte string may be truncated. - * - * The current, but experimental algorithm for selecting the protocol is: - * - * 1) If the server doesn't support NPN then this is indicated to the - * callback. In this case, the client application has to abort the connection - * or have a default application level protocol. - * - * 2) If the server supports NPN, but advertises an empty list then the - * client selects the first protcol in its list, but indicates via the - * API that this fallback case was enacted. - * - * 3) Otherwise, the client finds the first protocol in the server's list - * that it supports and selects this protocol. This is because it's - * assumed that the server has better information about which protocol - * a client should use. - * - * 4) If the client doesn't support any of the server's advertised - * protocols, then this is treated the same as case 2. - * - * It returns either - * OPENSSL_NPN_NEGOTIATED if a common protocol was found, or - * OPENSSL_NPN_NO_OVERLAP if the fallback case was reached. - */ -int -SSL_select_next_proto(unsigned char **out, unsigned char *outlen, - const unsigned char *server, unsigned int server_len, - const unsigned char *client, unsigned int client_len) -{ - unsigned int i, j; - const unsigned char *result; - int status = OPENSSL_NPN_UNSUPPORTED; - - /* - * For each protocol in server preference order, - * see if we support it. - */ - for (i = 0; i < server_len; ) { - for (j = 0; j < client_len; ) { - if (server[i] == client[j] && - memcmp(&server[i + 1], - &client[j + 1], server[i]) == 0) { - /* We found a match */ - result = &server[i]; - status = OPENSSL_NPN_NEGOTIATED; - goto found; - } - j += client[j]; - j++; - } - i += server[i]; - i++; - } - - /* There's no overlap between our protocols and the server's list. */ - result = client; - status = OPENSSL_NPN_NO_OVERLAP; - -found: - *out = (unsigned char *) result + 1; - *outlen = result[0]; - return (status); -} - -/* - * SSL_get0_next_proto_negotiated sets *data and *len to point to the client's - * requested protocol for this connection and returns 0. If the client didn't - * request any protocol, then *data is set to NULL. - * - * Note that the client can request any protocol it chooses. The value returned - * from this function need not be a member of the list of supported protocols - * provided by the callback. - */ -void -SSL_get0_next_proto_negotiated(const SSL *s, const unsigned char **data, - unsigned *len) -{ - *data = s->next_proto_negotiated; - if (!*data) { - *len = 0; - } else { - *len = s->next_proto_negotiated_len; - } -} - -/* - * SSL_CTX_set_next_protos_advertised_cb sets a callback that is called when a - * TLS server needs a list of supported protocols for Next Protocol - * Negotiation. The returned list must be in wire format. The list is returned - * by setting |out| to point to it and |outlen| to its length. This memory will - * not be modified, but one should assume that the SSL* keeps a reference to - * it. - * - * The callback should return SSL_TLSEXT_ERR_OK if it wishes to advertise. - * Otherwise, no such extension will be included in the ServerHello. - */ -void -SSL_CTX_set_next_protos_advertised_cb(SSL_CTX *ctx, int (*cb) (SSL *ssl, - const unsigned char **out, unsigned int *outlen, void *arg), void *arg) -{ - ctx->next_protos_advertised_cb = cb; - ctx->next_protos_advertised_cb_arg = arg; -} - -/* - * SSL_CTX_set_next_proto_select_cb sets a callback that is called when a - * client needs to select a protocol from the server's provided list. |out| - * must be set to point to the selected protocol (which may be within |in|). - * The length of the protocol name must be written into |outlen|. The server's - * advertised protocols are provided in |in| and |inlen|. The callback can - * assume that |in| is syntactically valid. - * - * The client must select a protocol. It is fatal to the connection if this - * callback returns a value other than SSL_TLSEXT_ERR_OK. - */ -void -SSL_CTX_set_next_proto_select_cb(SSL_CTX *ctx, int (*cb) (SSL *s, - unsigned char **out, unsigned char *outlen, const unsigned char *in, - unsigned int inlen, void *arg), void *arg) -{ - ctx->next_proto_select_cb = cb; - ctx->next_proto_select_cb_arg = arg; -} - -/* - * SSL_CTX_set_alpn_protos sets the ALPN protocol list to the specified - * protocols, which must be in wire-format (i.e. a series of non-empty, - * 8-bit length-prefixed strings). Returns 0 on success. - */ -int -SSL_CTX_set_alpn_protos(SSL_CTX *ctx, const unsigned char *protos, - unsigned int protos_len) -{ - free(ctx->alpn_client_proto_list); - if ((ctx->alpn_client_proto_list = malloc(protos_len)) == NULL) - return (1); - memcpy(ctx->alpn_client_proto_list, protos, protos_len); - ctx->alpn_client_proto_list_len = protos_len; - - return (0); -} - -/* - * SSL_set_alpn_protos sets the ALPN protocol list to the specified - * protocols, which must be in wire-format (i.e. a series of non-empty, - * 8-bit length-prefixed strings). Returns 0 on success. - */ -int -SSL_set_alpn_protos(SSL *ssl, const unsigned char* protos, - unsigned int protos_len) -{ - free(ssl->alpn_client_proto_list); - if ((ssl->alpn_client_proto_list = malloc(protos_len)) == NULL) - return (1); - memcpy(ssl->alpn_client_proto_list, protos, protos_len); - ssl->alpn_client_proto_list_len = protos_len; - - return (0); -} - -/* - * SSL_CTX_set_alpn_select_cb sets a callback function that is called during - * ClientHello processing in order to select an ALPN protocol from the - * client's list of offered protocols. - */ -void -SSL_CTX_set_alpn_select_cb(SSL_CTX* ctx, - int (*cb) (SSL *ssl, const unsigned char **out, unsigned char *outlen, - const unsigned char *in, unsigned int inlen, void *arg), void *arg) -{ - ctx->alpn_select_cb = cb; - ctx->alpn_select_cb_arg = arg; -} - -/* - * SSL_get0_alpn_selected gets the selected ALPN protocol (if any). On return - * it sets data to point to len bytes of protocol name (not including the - * leading length-prefix byte). If the server didn't respond with* a negotiated - * protocol then len will be zero. - */ -void -SSL_get0_alpn_selected(const SSL *ssl, const unsigned char **data, - unsigned *len) -{ - *data = NULL; - *len = 0; - - if (ssl->s3 != NULL) { - *data = ssl->s3->alpn_selected; - *len = ssl->s3->alpn_selected_len; - } -} - -int -SSL_export_keying_material(SSL *s, unsigned char *out, size_t olen, - const char *label, size_t llen, const unsigned char *p, size_t plen, - int use_context) -{ - return (s->method->ssl3_enc->export_keying_material(s, out, olen, - label, llen, p, plen, use_context)); -} - -static unsigned long -ssl_session_hash(const SSL_SESSION *a) -{ - unsigned long l; - - l = (unsigned long) - ((unsigned int) a->session_id[0] )| - ((unsigned int) a->session_id[1]<< 8L)| - ((unsigned long)a->session_id[2]<<16L)| - ((unsigned long)a->session_id[3]<<24L); - return (l); -} - -/* - * NB: If this function (or indeed the hash function which uses a sort of - * coarser function than this one) is changed, ensure - * SSL_CTX_has_matching_session_id() is checked accordingly. It relies on being - * able to construct an SSL_SESSION that will collide with any existing session - * with a matching session ID. - */ -static int -ssl_session_cmp(const SSL_SESSION *a, const SSL_SESSION *b) -{ - if (a->ssl_version != b->ssl_version) - return (1); - if (a->session_id_length != b->session_id_length) - return (1); - if (timingsafe_memcmp(a->session_id, b->session_id, a->session_id_length) != 0) - return (1); - return (0); -} - -/* - * These wrapper functions should remain rather than redeclaring - * SSL_SESSION_hash and SSL_SESSION_cmp for void* types and casting each - * variable. The reason is that the functions aren't static, they're exposed via - * ssl.h. - */ -static -IMPLEMENT_LHASH_HASH_FN(ssl_session, SSL_SESSION) -static -IMPLEMENT_LHASH_COMP_FN(ssl_session, SSL_SESSION) - -SSL_CTX * -SSL_CTX_new(const SSL_METHOD *meth) -{ - SSL_CTX *ret = NULL; - - if (meth == NULL) { - SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_NULL_SSL_METHOD_PASSED); - return (NULL); - } - - if (SSL_get_ex_data_X509_STORE_CTX_idx() < 0) { - SSLerr(SSL_F_SSL_CTX_NEW, - SSL_R_X509_VERIFICATION_SETUP_PROBLEMS); - goto err; - } - ret = calloc(1, sizeof(SSL_CTX)); - if (ret == NULL) - goto err; - - ret->method = meth; - - ret->cert_store = NULL; - ret->session_cache_mode = SSL_SESS_CACHE_SERVER; - ret->session_cache_size = SSL_SESSION_CACHE_MAX_SIZE_DEFAULT; - ret->session_cache_head = NULL; - ret->session_cache_tail = NULL; - - /* We take the system default */ - ret->session_timeout = meth->get_timeout(); - - ret->new_session_cb = 0; - ret->remove_session_cb = 0; - ret->get_session_cb = 0; - ret->generate_session_id = 0; - - memset((char *)&ret->stats, 0, sizeof(ret->stats)); - - ret->references = 1; - ret->quiet_shutdown = 0; - - ret->info_callback = NULL; - - ret->app_verify_callback = 0; - ret->app_verify_arg = NULL; - - ret->max_cert_list = SSL_MAX_CERT_LIST_DEFAULT; - ret->read_ahead = 0; - ret->msg_callback = 0; - ret->msg_callback_arg = NULL; - ret->verify_mode = SSL_VERIFY_NONE; - ret->sid_ctx_length = 0; - ret->default_verify_callback = NULL; - if ((ret->cert = ssl_cert_new()) == NULL) - goto err; - - ret->default_passwd_callback = 0; - ret->default_passwd_callback_userdata = NULL; - ret->client_cert_cb = 0; - ret->app_gen_cookie_cb = 0; - ret->app_verify_cookie_cb = 0; - - ret->sessions = lh_SSL_SESSION_new(); - if (ret->sessions == NULL) - goto err; - ret->cert_store = X509_STORE_new(); - if (ret->cert_store == NULL) - goto err; - - ssl_create_cipher_list(ret->method, &ret->cipher_list, - &ret->cipher_list_by_id, SSL_DEFAULT_CIPHER_LIST); - if (ret->cipher_list == NULL || - sk_SSL_CIPHER_num(ret->cipher_list) <= 0) { - SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_LIBRARY_HAS_NO_CIPHERS); - goto err2; - } - - ret->param = X509_VERIFY_PARAM_new(); - if (!ret->param) - goto err; - - if ((ret->md5 = EVP_get_digestbyname("ssl3-md5")) == NULL) { - SSLerr(SSL_F_SSL_CTX_NEW, - SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES); - goto err2; - } - if ((ret->sha1 = EVP_get_digestbyname("ssl3-sha1")) == NULL) { - SSLerr(SSL_F_SSL_CTX_NEW, - SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES); - goto err2; - } - - if ((ret->client_CA = sk_X509_NAME_new_null()) == NULL) - goto err; - - CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL_CTX, ret, &ret->ex_data); - - ret->extra_certs = NULL; - - ret->max_send_fragment = SSL3_RT_MAX_PLAIN_LENGTH; - - ret->tlsext_servername_callback = 0; - ret->tlsext_servername_arg = NULL; - - /* Setup RFC4507 ticket keys */ - arc4random_buf(ret->tlsext_tick_key_name, 16); - arc4random_buf(ret->tlsext_tick_hmac_key, 16); - arc4random_buf(ret->tlsext_tick_aes_key, 16); - - ret->tlsext_status_cb = 0; - ret->tlsext_status_arg = NULL; - - ret->next_protos_advertised_cb = 0; - ret->next_proto_select_cb = 0; -#ifndef OPENSSL_NO_ENGINE - ret->client_cert_engine = NULL; -#ifdef OPENSSL_SSL_CLIENT_ENGINE_AUTO -#define eng_strx(x) #x -#define eng_str(x) eng_strx(x) - /* Use specific client engine automatically... ignore errors */ - { - ENGINE *eng; - eng = ENGINE_by_id(eng_str(OPENSSL_SSL_CLIENT_ENGINE_AUTO)); - if (!eng) { - ERR_clear_error(); - ENGINE_load_builtin_engines(); - eng = ENGINE_by_id(eng_str( - OPENSSL_SSL_CLIENT_ENGINE_AUTO)); - } - if (!eng || !SSL_CTX_set_client_cert_engine(ret, eng)) - ERR_clear_error(); - } -#endif -#endif - /* - * Default is to connect to non-RI servers. When RI is more widely - * deployed might change this. - */ - ret->options |= SSL_OP_LEGACY_SERVER_CONNECT; - - return (ret); -err: - SSLerr(SSL_F_SSL_CTX_NEW, ERR_R_MALLOC_FAILURE); -err2: - SSL_CTX_free(ret); - return (NULL); -} - -void -SSL_CTX_free(SSL_CTX *a) -{ - int i; - - if (a == NULL) - return; - - i = CRYPTO_add(&a->references, -1, CRYPTO_LOCK_SSL_CTX); - if (i > 0) - return; - - if (a->param) - X509_VERIFY_PARAM_free(a->param); - - /* - * Free internal session cache. However: the remove_cb() may reference - * the ex_data of SSL_CTX, thus the ex_data store can only be removed - * after the sessions were flushed. - * As the ex_data handling routines might also touch the session cache, - * the most secure solution seems to be: empty (flush) the cache, then - * free ex_data, then finally free the cache. - * (See ticket [openssl.org #212].) - */ - if (a->sessions != NULL) - SSL_CTX_flush_sessions(a, 0); - - CRYPTO_free_ex_data(CRYPTO_EX_INDEX_SSL_CTX, a, &a->ex_data); - - if (a->sessions != NULL) - lh_SSL_SESSION_free(a->sessions); - - if (a->cert_store != NULL) - X509_STORE_free(a->cert_store); - if (a->cipher_list != NULL) - sk_SSL_CIPHER_free(a->cipher_list); - if (a->cipher_list_by_id != NULL) - sk_SSL_CIPHER_free(a->cipher_list_by_id); - if (a->cert != NULL) - ssl_cert_free(a->cert); - if (a->client_CA != NULL) - sk_X509_NAME_pop_free(a->client_CA, X509_NAME_free); - if (a->extra_certs != NULL) - sk_X509_pop_free(a->extra_certs, X509_free); - -#ifndef OPENSSL_NO_SRTP - if (a->srtp_profiles) - sk_SRTP_PROTECTION_PROFILE_free(a->srtp_profiles); -#endif - -#ifndef OPENSSL_NO_ENGINE - if (a->client_cert_engine) - ENGINE_finish(a->client_cert_engine); -#endif - - free(a->alpn_client_proto_list); - - free(a); -} - -void -SSL_CTX_set_default_passwd_cb(SSL_CTX *ctx, pem_password_cb *cb) -{ - ctx->default_passwd_callback = cb; -} - -void -SSL_CTX_set_default_passwd_cb_userdata(SSL_CTX *ctx, void *u) -{ - ctx->default_passwd_callback_userdata = u; -} - -void -SSL_CTX_set_cert_verify_callback(SSL_CTX *ctx, int (*cb)(X509_STORE_CTX *, - void *), void *arg) -{ - ctx->app_verify_callback = cb; - ctx->app_verify_arg = arg; -} - -void -SSL_CTX_set_verify(SSL_CTX *ctx, int mode, int (*cb)(int, X509_STORE_CTX *)) -{ - ctx->verify_mode = mode; - ctx->default_verify_callback = cb; -} - -void -SSL_CTX_set_verify_depth(SSL_CTX *ctx, int depth) -{ - X509_VERIFY_PARAM_set_depth(ctx->param, depth); -} - -void -ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher) -{ - CERT_PKEY *cpk; - int rsa_enc, rsa_sign, dh_tmp, dsa_sign; - unsigned long mask_k, mask_a; - int have_ecc_cert, ecdh_ok, ecdsa_ok; - int have_ecdh_tmp; - X509 *x = NULL; - EVP_PKEY *ecc_pkey = NULL; - int signature_nid = 0, pk_nid = 0, md_nid = 0; - - if (c == NULL) - return; - - dh_tmp = (c->dh_tmp != NULL || c->dh_tmp_cb != NULL || - c->dh_tmp_auto != 0); - - have_ecdh_tmp = (c->ecdh_tmp != NULL || c->ecdh_tmp_cb != NULL || - c->ecdh_tmp_auto != 0); - cpk = &(c->pkeys[SSL_PKEY_RSA_ENC]); - rsa_enc = (cpk->x509 != NULL && cpk->privatekey != NULL); - cpk = &(c->pkeys[SSL_PKEY_RSA_SIGN]); - rsa_sign = (cpk->x509 != NULL && cpk->privatekey != NULL); - cpk = &(c->pkeys[SSL_PKEY_DSA_SIGN]); - dsa_sign = (cpk->x509 != NULL && cpk->privatekey != NULL); -/* FIX THIS EAY EAY EAY */ - cpk = &(c->pkeys[SSL_PKEY_ECC]); - have_ecc_cert = (cpk->x509 != NULL && cpk->privatekey != NULL); - mask_k = 0; - mask_a = 0; - - cpk = &(c->pkeys[SSL_PKEY_GOST01]); - if (cpk->x509 != NULL && cpk->privatekey !=NULL) { - mask_k |= SSL_kGOST; - mask_a |= SSL_aGOST01; - } - - if (rsa_enc) - mask_k|=SSL_kRSA; - - if (dh_tmp) - mask_k|=SSL_kDHE; - - if (rsa_enc || rsa_sign) - mask_a|=SSL_aRSA; - - if (dsa_sign) - mask_a|=SSL_aDSS; - - mask_a|=SSL_aNULL; - - /* - * An ECC certificate may be usable for ECDH and/or - * ECDSA cipher suites depending on the key usage extension. - */ - if (have_ecc_cert) { - /* This call populates extension flags (ex_flags) */ - x = (c->pkeys[SSL_PKEY_ECC]).x509; - X509_check_purpose(x, -1, 0); - ecdh_ok = (x->ex_flags & EXFLAG_KUSAGE) ? - (x->ex_kusage & X509v3_KU_KEY_AGREEMENT) : 1; - ecdsa_ok = (x->ex_flags & EXFLAG_KUSAGE) ? - (x->ex_kusage & X509v3_KU_DIGITAL_SIGNATURE) : 1; - ecc_pkey = X509_get_pubkey(x); - EVP_PKEY_free(ecc_pkey); - if ((x->sig_alg) && (x->sig_alg->algorithm)) { - signature_nid = OBJ_obj2nid(x->sig_alg->algorithm); - OBJ_find_sigid_algs(signature_nid, &md_nid, &pk_nid); - } - if (ecdh_ok) { - if (pk_nid == NID_rsaEncryption || pk_nid == NID_rsa) { - mask_k|=SSL_kECDHr; - mask_a|=SSL_aECDH; - } - if (pk_nid == NID_X9_62_id_ecPublicKey) { - mask_k|=SSL_kECDHe; - mask_a|=SSL_aECDH; - } - } - if (ecdsa_ok) - mask_a|=SSL_aECDSA; - } - - if (have_ecdh_tmp) { - mask_k|=SSL_kECDHE; - } - - - c->mask_k = mask_k; - c->mask_a = mask_a; - c->valid = 1; -} - -/* This handy macro borrowed from crypto/x509v3/v3_purp.c */ -#define ku_reject(x, usage) \ - (((x)->ex_flags & EXFLAG_KUSAGE) && !((x)->ex_kusage & (usage))) - - -int -ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s) -{ - unsigned long alg_k, alg_a; - int signature_nid = 0, md_nid = 0, pk_nid = 0; - const SSL_CIPHER *cs = s->s3->tmp.new_cipher; - - alg_k = cs->algorithm_mkey; - alg_a = cs->algorithm_auth; - - /* This call populates the ex_flags field correctly */ - X509_check_purpose(x, -1, 0); - if ((x->sig_alg) && (x->sig_alg->algorithm)) { - signature_nid = OBJ_obj2nid(x->sig_alg->algorithm); - OBJ_find_sigid_algs(signature_nid, &md_nid, &pk_nid); - } - if (alg_k & SSL_kECDHe || alg_k & SSL_kECDHr) { - /* key usage, if present, must allow key agreement */ - if (ku_reject(x, X509v3_KU_KEY_AGREEMENT)) { - SSLerr(SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG, - SSL_R_ECC_CERT_NOT_FOR_KEY_AGREEMENT); - return (0); - } - if ((alg_k & SSL_kECDHe) && TLS1_get_version(s) < - TLS1_2_VERSION) { - /* signature alg must be ECDSA */ - if (pk_nid != NID_X9_62_id_ecPublicKey) { - SSLerr(SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG, - SSL_R_ECC_CERT_SHOULD_HAVE_SHA1_SIGNATURE); - return (0); - } - } - if ((alg_k & SSL_kECDHr) && TLS1_get_version(s) < - TLS1_2_VERSION) { - /* signature alg must be RSA */ - if (pk_nid != NID_rsaEncryption && pk_nid != NID_rsa) { - SSLerr(SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG, - SSL_R_ECC_CERT_SHOULD_HAVE_RSA_SIGNATURE); - return (0); - } - } - } - if (alg_a & SSL_aECDSA) { - /* key usage, if present, must allow signing */ - if (ku_reject(x, X509v3_KU_DIGITAL_SIGNATURE)) { - SSLerr(SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG, - SSL_R_ECC_CERT_NOT_FOR_SIGNING); - return (0); - } - } - - return (1); - /* all checks are ok */ -} - - -/* THIS NEEDS CLEANING UP */ -CERT_PKEY * -ssl_get_server_send_pkey(const SSL *s) -{ - unsigned long alg_k, alg_a; - CERT *c; - int i; - - c = s->cert; - ssl_set_cert_masks(c, s->s3->tmp.new_cipher); - - alg_k = s->s3->tmp.new_cipher->algorithm_mkey; - alg_a = s->s3->tmp.new_cipher->algorithm_auth; - - if (alg_k & (SSL_kECDHr|SSL_kECDHe)) { - /* - * We don't need to look at SSL_kECDHE - * since no certificate is needed for - * anon ECDH and for authenticated - * ECDHE, the check for the auth - * algorithm will set i correctly - * NOTE: For ECDH-RSA, we need an ECC - * not an RSA cert but for EECDH-RSA - * we need an RSA cert. Placing the - * checks for SSL_kECDH before RSA - * checks ensures the correct cert is chosen. - */ - i = SSL_PKEY_ECC; - } else if (alg_a & SSL_aECDSA) { - i = SSL_PKEY_ECC; - } else if (alg_a & SSL_aDSS) { - i = SSL_PKEY_DSA_SIGN; - } else if (alg_a & SSL_aRSA) { - if (c->pkeys[SSL_PKEY_RSA_ENC].x509 == NULL) - i = SSL_PKEY_RSA_SIGN; - else - i = SSL_PKEY_RSA_ENC; - } else if (alg_a & SSL_aGOST01) { - i = SSL_PKEY_GOST01; - } else { /* if (alg_a & SSL_aNULL) */ - SSLerr(SSL_F_SSL_GET_SERVER_SEND_PKEY, ERR_R_INTERNAL_ERROR); - return (NULL); - } - - return (c->pkeys + i); -} - -X509 * -ssl_get_server_send_cert(const SSL *s) -{ - CERT_PKEY *cpk; - - cpk = ssl_get_server_send_pkey(s); - if (!cpk) - return (NULL); - return (cpk->x509); -} - -EVP_PKEY * -ssl_get_sign_pkey(SSL *s, const SSL_CIPHER *cipher, const EVP_MD **pmd) -{ - unsigned long alg_a; - CERT *c; - int idx = -1; - - alg_a = cipher->algorithm_auth; - c = s->cert; - - if ((alg_a & SSL_aDSS) && - (c->pkeys[SSL_PKEY_DSA_SIGN].privatekey != NULL)) - idx = SSL_PKEY_DSA_SIGN; - else if (alg_a & SSL_aRSA) { - if (c->pkeys[SSL_PKEY_RSA_SIGN].privatekey != NULL) - idx = SSL_PKEY_RSA_SIGN; - else if (c->pkeys[SSL_PKEY_RSA_ENC].privatekey != NULL) - idx = SSL_PKEY_RSA_ENC; - } else if ((alg_a & SSL_aECDSA) && - (c->pkeys[SSL_PKEY_ECC].privatekey != NULL)) - idx = SSL_PKEY_ECC; - if (idx == -1) { - SSLerr(SSL_F_SSL_GET_SIGN_PKEY, ERR_R_INTERNAL_ERROR); - return (NULL); - } - if (pmd) - *pmd = c->pkeys[idx].digest; - return (c->pkeys[idx].privatekey); -} - -DH * -ssl_get_auto_dh(SSL *s) -{ - CERT_PKEY *cpk; - int keylen; - DH *dhp; - - if (s->cert->dh_tmp_auto == 2) { - keylen = 1024; - } else if (s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) { - keylen = 1024; - if (s->s3->tmp.new_cipher->strength_bits == 256) - keylen = 3072; - } else { - if ((cpk = ssl_get_server_send_pkey(s)) == NULL) - return (NULL); - if (cpk->privatekey == NULL || cpk->privatekey->pkey.dh == NULL) - return (NULL); - keylen = EVP_PKEY_bits(cpk->privatekey); - } - - if ((dhp = DH_new()) == NULL) - return (NULL); - - dhp->g = BN_new(); - if (dhp->g != NULL) - BN_set_word(dhp->g, 2); - - if (keylen >= 8192) - dhp->p = get_rfc3526_prime_8192(NULL); - else if (keylen >= 4096) - dhp->p = get_rfc3526_prime_4096(NULL); - else if (keylen >= 3072) - dhp->p = get_rfc3526_prime_3072(NULL); - else if (keylen >= 2048) - dhp->p = get_rfc3526_prime_2048(NULL); - else if (keylen >= 1536) - dhp->p = get_rfc3526_prime_1536(NULL); - else - dhp->p = get_rfc2409_prime_1024(NULL); - - if (dhp->p == NULL || dhp->g == NULL) { - DH_free(dhp); - return (NULL); - } - return (dhp); -} - -void -ssl_update_cache(SSL *s, int mode) -{ - int i; - - /* - * If the session_id_length is 0, we are not supposed to cache it, - * and it would be rather hard to do anyway :-) - */ - if (s->session->session_id_length == 0) - return; - - i = s->session_ctx->session_cache_mode; - if ((i & mode) && (!s->hit) && ((i & SSL_SESS_CACHE_NO_INTERNAL_STORE) - || SSL_CTX_add_session(s->session_ctx, s->session)) - && (s->session_ctx->new_session_cb != NULL)) { - CRYPTO_add(&s->session->references, 1, CRYPTO_LOCK_SSL_SESSION); - if (!s->session_ctx->new_session_cb(s, s->session)) - SSL_SESSION_free(s->session); - } - - /* auto flush every 255 connections */ - if ((!(i & SSL_SESS_CACHE_NO_AUTO_CLEAR)) && - ((i & mode) == mode)) { - if ((((mode & SSL_SESS_CACHE_CLIENT) ? - s->session_ctx->stats.sess_connect_good : - s->session_ctx->stats.sess_accept_good) & 0xff) == 0xff) { - SSL_CTX_flush_sessions(s->session_ctx, time(NULL)); - } - } -} - -const SSL_METHOD * -SSL_get_ssl_method(SSL *s) -{ - return (s->method); -} - -int -SSL_set_ssl_method(SSL *s, const SSL_METHOD *meth) -{ - int conn = -1; - int ret = 1; - - if (s->method != meth) { - if (s->handshake_func != NULL) - conn = (s->handshake_func == s->method->ssl_connect); - - if (s->method->version == meth->version) - s->method = meth; - else { - s->method->ssl_free(s); - s->method = meth; - ret = s->method->ssl_new(s); - } - - if (conn == 1) - s->handshake_func = meth->ssl_connect; - else if (conn == 0) - s->handshake_func = meth->ssl_accept; - } - return (ret); -} - -int -SSL_get_error(const SSL *s, int i) -{ - int reason; - unsigned long l; - BIO *bio; - - if (i > 0) - return (SSL_ERROR_NONE); - - /* Make things return SSL_ERROR_SYSCALL when doing SSL_do_handshake - * etc, where we do encode the error */ - if ((l = ERR_peek_error()) != 0) { - if (ERR_GET_LIB(l) == ERR_LIB_SYS) - return (SSL_ERROR_SYSCALL); - else - return (SSL_ERROR_SSL); - } - - if ((i < 0) && SSL_want_read(s)) { - bio = SSL_get_rbio(s); - if (BIO_should_read(bio)) { - return (SSL_ERROR_WANT_READ); - } else if (BIO_should_write(bio)) { - /* - * This one doesn't make too much sense... We never - * try to write to the rbio, and an application - * program where rbio and wbio are separate couldn't - * even know what it should wait for. However if we - * ever set s->rwstate incorrectly (so that we have - * SSL_want_read(s) instead of SSL_want_write(s)) - * and rbio and wbio *are* the same, this test works - * around that bug; so it might be safer to keep it. - */ - return (SSL_ERROR_WANT_WRITE); - } else if (BIO_should_io_special(bio)) { - reason = BIO_get_retry_reason(bio); - if (reason == BIO_RR_CONNECT) - return (SSL_ERROR_WANT_CONNECT); - else if (reason == BIO_RR_ACCEPT) - return (SSL_ERROR_WANT_ACCEPT); - else - return (SSL_ERROR_SYSCALL); /* unknown */ - } - } - - if ((i < 0) && SSL_want_write(s)) { - bio = SSL_get_wbio(s); - if (BIO_should_write(bio)) { - return (SSL_ERROR_WANT_WRITE); - } else if (BIO_should_read(bio)) { - /* - * See above (SSL_want_read(s) with - * BIO_should_write(bio)) - */ - return (SSL_ERROR_WANT_READ); - } else if (BIO_should_io_special(bio)) { - reason = BIO_get_retry_reason(bio); - if (reason == BIO_RR_CONNECT) - return (SSL_ERROR_WANT_CONNECT); - else if (reason == BIO_RR_ACCEPT) - return (SSL_ERROR_WANT_ACCEPT); - else - return (SSL_ERROR_SYSCALL); - } - } - if ((i < 0) && SSL_want_x509_lookup(s)) { - return (SSL_ERROR_WANT_X509_LOOKUP); - } - - if (i == 0) { - if ((s->shutdown & SSL_RECEIVED_SHUTDOWN) && - (s->s3->warn_alert == SSL_AD_CLOSE_NOTIFY)) - return (SSL_ERROR_ZERO_RETURN); - } - return (SSL_ERROR_SYSCALL); -} - -int -SSL_do_handshake(SSL *s) -{ - int ret = 1; - - if (s->handshake_func == NULL) { - SSLerr(SSL_F_SSL_DO_HANDSHAKE, SSL_R_CONNECTION_TYPE_NOT_SET); - return (-1); - } - - s->method->ssl_renegotiate_check(s); - - if (SSL_in_init(s) || SSL_in_before(s)) { - ret = s->handshake_func(s); - } - return (ret); -} - -/* - * For the next 2 functions, SSL_clear() sets shutdown and so - * one of these calls will reset it - */ -void -SSL_set_accept_state(SSL *s) -{ - s->server = 1; - s->shutdown = 0; - s->state = SSL_ST_ACCEPT|SSL_ST_BEFORE; - s->handshake_func = s->method->ssl_accept; - /* clear the current cipher */ - ssl_clear_cipher_ctx(s); - ssl_clear_hash_ctx(&s->read_hash); - ssl_clear_hash_ctx(&s->write_hash); -} - -void -SSL_set_connect_state(SSL *s) -{ - s->server = 0; - s->shutdown = 0; - s->state = SSL_ST_CONNECT|SSL_ST_BEFORE; - s->handshake_func = s->method->ssl_connect; - /* clear the current cipher */ - ssl_clear_cipher_ctx(s); - ssl_clear_hash_ctx(&s->read_hash); - ssl_clear_hash_ctx(&s->write_hash); -} - -int -ssl_undefined_function(SSL *s) -{ - SSLerr(SSL_F_SSL_UNDEFINED_FUNCTION, - ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); - return (0); -} - -int -ssl_undefined_void_function(void) -{ - SSLerr(SSL_F_SSL_UNDEFINED_VOID_FUNCTION, - ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); - return (0); -} - -int -ssl_undefined_const_function(const SSL *s) -{ - SSLerr(SSL_F_SSL_UNDEFINED_CONST_FUNCTION, - ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); - return (0); -} - -const char * -ssl_version_string(int ver) -{ - switch (ver) { - case DTLS1_VERSION: - return (SSL_TXT_DTLS1); - case TLS1_VERSION: - return (SSL_TXT_TLSV1); - case TLS1_1_VERSION: - return (SSL_TXT_TLSV1_1); - case TLS1_2_VERSION: - return (SSL_TXT_TLSV1_2); - default: - return ("unknown"); - } -} - -const char * -SSL_get_version(const SSL *s) -{ - return ssl_version_string(s->version); -} - -uint16_t -ssl_max_server_version(SSL *s) -{ - uint16_t max_version; - - /* - * The SSL method will be changed during version negotiation, as such - * we want to use the SSL method from the context. - */ - max_version = s->ctx->method->version; - - if (SSL_IS_DTLS(s)) - return (DTLS1_VERSION); - - if ((s->options & SSL_OP_NO_TLSv1_2) == 0 && - max_version >= TLS1_2_VERSION) - return (TLS1_2_VERSION); - if ((s->options & SSL_OP_NO_TLSv1_1) == 0 && - max_version >= TLS1_1_VERSION) - return (TLS1_1_VERSION); - if ((s->options & SSL_OP_NO_TLSv1) == 0 && - max_version >= TLS1_VERSION) - return (TLS1_VERSION); - - return (0); -} - -SSL * -SSL_dup(SSL *s) -{ - STACK_OF(X509_NAME) *sk; - X509_NAME *xn; - SSL *ret; - int i; - - if ((ret = SSL_new(SSL_get_SSL_CTX(s))) == NULL) - return (NULL); - - ret->version = s->version; - ret->type = s->type; - ret->method = s->method; - - if (s->session != NULL) { - /* This copies session-id, SSL_METHOD, sid_ctx, and 'cert' */ - SSL_copy_session_id(ret, s); - } else { - /* - * No session has been established yet, so we have to expect - * that s->cert or ret->cert will be changed later -- - * they should not both point to the same object, - * and thus we can't use SSL_copy_session_id. - */ - - ret->method->ssl_free(ret); - ret->method = s->method; - ret->method->ssl_new(ret); - - if (s->cert != NULL) { - if (ret->cert != NULL) { - ssl_cert_free(ret->cert); - } - ret->cert = ssl_cert_dup(s->cert); - if (ret->cert == NULL) - goto err; - } - - SSL_set_session_id_context(ret, - s->sid_ctx, s->sid_ctx_length); - } - - ret->options = s->options; - ret->mode = s->mode; - SSL_set_max_cert_list(ret, SSL_get_max_cert_list(s)); - SSL_set_read_ahead(ret, SSL_get_read_ahead(s)); - ret->msg_callback = s->msg_callback; - ret->msg_callback_arg = s->msg_callback_arg; - SSL_set_verify(ret, SSL_get_verify_mode(s), - SSL_get_verify_callback(s)); - SSL_set_verify_depth(ret, SSL_get_verify_depth(s)); - ret->generate_session_id = s->generate_session_id; - - SSL_set_info_callback(ret, SSL_get_info_callback(s)); - - ret->debug = s->debug; - - /* copy app data, a little dangerous perhaps */ - if (!CRYPTO_dup_ex_data(CRYPTO_EX_INDEX_SSL, - &ret->ex_data, &s->ex_data)) - goto err; - - /* setup rbio, and wbio */ - if (s->rbio != NULL) { - if (!BIO_dup_state(s->rbio,(char *)&ret->rbio)) - goto err; - } - if (s->wbio != NULL) { - if (s->wbio != s->rbio) { - if (!BIO_dup_state(s->wbio,(char *)&ret->wbio)) - goto err; - } else - ret->wbio = ret->rbio; - } - ret->rwstate = s->rwstate; - ret->in_handshake = s->in_handshake; - ret->handshake_func = s->handshake_func; - ret->server = s->server; - ret->renegotiate = s->renegotiate; - ret->new_session = s->new_session; - ret->quiet_shutdown = s->quiet_shutdown; - ret->shutdown = s->shutdown; - /* SSL_dup does not really work at any state, though */ - ret->state=s->state; - ret->rstate = s->rstate; - - /* - * Would have to copy ret->init_buf, ret->init_msg, ret->init_num, - * ret->init_off - */ - ret->init_num = 0; - - ret->hit = s->hit; - - X509_VERIFY_PARAM_inherit(ret->param, s->param); - - /* dup the cipher_list and cipher_list_by_id stacks */ - if (s->cipher_list != NULL) { - if ((ret->cipher_list = - sk_SSL_CIPHER_dup(s->cipher_list)) == NULL) - goto err; - } - if (s->cipher_list_by_id != NULL) { - if ((ret->cipher_list_by_id = - sk_SSL_CIPHER_dup(s->cipher_list_by_id)) == NULL) - goto err; - } - - /* Dup the client_CA list */ - if (s->client_CA != NULL) { - if ((sk = sk_X509_NAME_dup(s->client_CA)) == NULL) goto err; - ret->client_CA = sk; - for (i = 0; i < sk_X509_NAME_num(sk); i++) { - xn = sk_X509_NAME_value(sk, i); - if (sk_X509_NAME_set(sk, i, - X509_NAME_dup(xn)) == NULL) { - X509_NAME_free(xn); - goto err; - } - } - } - - if (0) { -err: - if (ret != NULL) - SSL_free(ret); - ret = NULL; - } - return (ret); -} - -void -ssl_clear_cipher_ctx(SSL *s) -{ - EVP_CIPHER_CTX_free(s->enc_read_ctx); - s->enc_read_ctx = NULL; - EVP_CIPHER_CTX_free(s->enc_write_ctx); - s->enc_write_ctx = NULL; - - if (s->aead_read_ctx != NULL) { - EVP_AEAD_CTX_cleanup(&s->aead_read_ctx->ctx); - free(s->aead_read_ctx); - s->aead_read_ctx = NULL; - } - if (s->aead_write_ctx != NULL) { - EVP_AEAD_CTX_cleanup(&s->aead_write_ctx->ctx); - free(s->aead_write_ctx); - s->aead_write_ctx = NULL; - } - -} - -/* Fix this function so that it takes an optional type parameter */ -X509 * -SSL_get_certificate(const SSL *s) -{ - if (s->cert != NULL) - return (s->cert->key->x509); - else - return (NULL); -} - -/* Fix this function so that it takes an optional type parameter */ -EVP_PKEY * -SSL_get_privatekey(SSL *s) -{ - if (s->cert != NULL) - return (s->cert->key->privatekey); - else - return (NULL); -} - -const SSL_CIPHER * -SSL_get_current_cipher(const SSL *s) -{ - if ((s->session != NULL) && (s->session->cipher != NULL)) - return (s->session->cipher); - return (NULL); -} -const void * -SSL_get_current_compression(SSL *s) -{ - return (NULL); -} - -const void * -SSL_get_current_expansion(SSL *s) -{ - return (NULL); -} - -int -ssl_init_wbio_buffer(SSL *s, int push) -{ - BIO *bbio; - - if (s->bbio == NULL) { - bbio = BIO_new(BIO_f_buffer()); - if (bbio == NULL) - return (0); - s->bbio = bbio; - } else { - bbio = s->bbio; - if (s->bbio == s->wbio) - s->wbio = BIO_pop(s->wbio); - } - (void)BIO_reset(bbio); -/* if (!BIO_set_write_buffer_size(bbio,16*1024)) */ - if (!BIO_set_read_buffer_size(bbio, 1)) { - SSLerr(SSL_F_SSL_INIT_WBIO_BUFFER, ERR_R_BUF_LIB); - return (0); - } - if (push) { - if (s->wbio != bbio) - s->wbio = BIO_push(bbio, s->wbio); - } else { - if (s->wbio == bbio) - s->wbio = BIO_pop(bbio); - } - return (1); -} - -void -ssl_free_wbio_buffer(SSL *s) -{ - if (s == NULL) - return; - - if (s->bbio == NULL) - return; - - if (s->bbio == s->wbio) { - /* remove buffering */ - s->wbio = BIO_pop(s->wbio); - } - BIO_free(s->bbio); - s->bbio = NULL; -} - -void -SSL_CTX_set_quiet_shutdown(SSL_CTX *ctx, int mode) -{ - ctx->quiet_shutdown = mode; -} - -int -SSL_CTX_get_quiet_shutdown(const SSL_CTX *ctx) -{ - return (ctx->quiet_shutdown); -} - -void -SSL_set_quiet_shutdown(SSL *s, int mode) -{ - s->quiet_shutdown = mode; -} - -int -SSL_get_quiet_shutdown(const SSL *s) -{ - return (s->quiet_shutdown); -} - -void -SSL_set_shutdown(SSL *s, int mode) -{ - s->shutdown = mode; -} - -int -SSL_get_shutdown(const SSL *s) -{ - return (s->shutdown); -} - -int -SSL_version(const SSL *s) -{ - return (s->version); -} - -SSL_CTX * -SSL_get_SSL_CTX(const SSL *ssl) -{ - return (ssl->ctx); -} - -SSL_CTX * -SSL_set_SSL_CTX(SSL *ssl, SSL_CTX* ctx) -{ - if (ssl->ctx == ctx) - return (ssl->ctx); - if (ctx == NULL) - ctx = ssl->initial_ctx; - if (ssl->cert != NULL) - ssl_cert_free(ssl->cert); - ssl->cert = ssl_cert_dup(ctx->cert); - CRYPTO_add(&ctx->references, 1, CRYPTO_LOCK_SSL_CTX); - SSL_CTX_free(ssl->ctx); /* decrement reference count */ - ssl->ctx = ctx; - return (ssl->ctx); -} - -int -SSL_CTX_set_default_verify_paths(SSL_CTX *ctx) -{ - return (X509_STORE_set_default_paths(ctx->cert_store)); -} - -int -SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile, - const char *CApath) -{ - return (X509_STORE_load_locations(ctx->cert_store, CAfile, CApath)); -} - -int -SSL_CTX_load_verify_mem(SSL_CTX *ctx, void *buf, int len) -{ - return (X509_STORE_load_mem(ctx->cert_store, buf, len)); -} - -void -SSL_set_info_callback(SSL *ssl, void (*cb)(const SSL *ssl, int type, int val)) -{ - ssl->info_callback = cb; -} - -void (*SSL_get_info_callback(const SSL *ssl))(const SSL *ssl, int type, int val) -{ - return (ssl->info_callback); -} - -int -SSL_state(const SSL *ssl) -{ - return (ssl->state); -} - -void -SSL_set_state(SSL *ssl, int state) -{ - ssl->state = state; -} - -void -SSL_set_verify_result(SSL *ssl, long arg) -{ - ssl->verify_result = arg; -} - -long -SSL_get_verify_result(const SSL *ssl) -{ - return (ssl->verify_result); -} - -int -SSL_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func, - CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func) -{ - return (CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_SSL, argl, argp, - new_func, dup_func, free_func)); -} - -int -SSL_set_ex_data(SSL *s, int idx, void *arg) -{ - return (CRYPTO_set_ex_data(&s->ex_data, idx, arg)); -} - -void * -SSL_get_ex_data(const SSL *s, int idx) -{ - return (CRYPTO_get_ex_data(&s->ex_data, idx)); -} - -int -SSL_CTX_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func, - CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func) -{ - return (CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_SSL_CTX, argl, argp, - new_func, dup_func, free_func)); -} - -int -SSL_CTX_set_ex_data(SSL_CTX *s, int idx, void *arg) -{ - return (CRYPTO_set_ex_data(&s->ex_data, idx, arg)); -} - -void * -SSL_CTX_get_ex_data(const SSL_CTX *s, int idx) -{ - return (CRYPTO_get_ex_data(&s->ex_data, idx)); -} - -int -ssl_ok(SSL *s) -{ - return (1); -} - -X509_STORE * -SSL_CTX_get_cert_store(const SSL_CTX *ctx) -{ - return (ctx->cert_store); -} - -void -SSL_CTX_set_cert_store(SSL_CTX *ctx, X509_STORE *store) -{ - if (ctx->cert_store != NULL) - X509_STORE_free(ctx->cert_store); - ctx->cert_store = store; -} - -int -SSL_want(const SSL *s) -{ - return (s->rwstate); -} - -void -SSL_CTX_set_tmp_rsa_callback(SSL_CTX *ctx, RSA *(*cb)(SSL *ssl, int is_export, - int keylength)) -{ - SSL_CTX_callback_ctrl(ctx, SSL_CTRL_SET_TMP_RSA_CB,(void (*)(void))cb); -} - -void -SSL_set_tmp_rsa_callback(SSL *ssl, RSA *(*cb)(SSL *ssl, int is_export, - int keylength)) -{ - SSL_callback_ctrl(ssl, SSL_CTRL_SET_TMP_RSA_CB,(void (*)(void))cb); -} - -void -SSL_CTX_set_tmp_dh_callback(SSL_CTX *ctx, DH *(*dh)(SSL *ssl, int is_export, - int keylength)) -{ - SSL_CTX_callback_ctrl(ctx, SSL_CTRL_SET_TMP_DH_CB,(void (*)(void))dh); -} - -void -SSL_set_tmp_dh_callback(SSL *ssl, DH *(*dh)(SSL *ssl, int is_export, - int keylength)) -{ - SSL_callback_ctrl(ssl, SSL_CTRL_SET_TMP_DH_CB,(void (*)(void))dh); -} - -void -SSL_CTX_set_tmp_ecdh_callback(SSL_CTX *ctx, EC_KEY *(*ecdh)(SSL *ssl, - int is_export, int keylength)) -{ - SSL_CTX_callback_ctrl(ctx, SSL_CTRL_SET_TMP_ECDH_CB, - (void (*)(void))ecdh); -} - -void -SSL_set_tmp_ecdh_callback(SSL *ssl, EC_KEY *(*ecdh)(SSL *ssl, int is_export, - int keylength)) -{ - SSL_callback_ctrl(ssl, SSL_CTRL_SET_TMP_ECDH_CB,(void (*)(void))ecdh); -} - - -void -SSL_CTX_set_msg_callback(SSL_CTX *ctx, void (*cb)(int write_p, int version, - int content_type, const void *buf, size_t len, SSL *ssl, void *arg)) -{ - SSL_CTX_callback_ctrl(ctx, SSL_CTRL_SET_MSG_CALLBACK, - (void (*)(void))cb); -} - -void -SSL_set_msg_callback(SSL *ssl, void (*cb)(int write_p, int version, - int content_type, const void *buf, size_t len, SSL *ssl, void *arg)) -{ - SSL_callback_ctrl(ssl, SSL_CTRL_SET_MSG_CALLBACK, (void (*)(void))cb); -} - -void -ssl_clear_hash_ctx(EVP_MD_CTX **hash) -{ - if (*hash) - EVP_MD_CTX_destroy(*hash); - *hash = NULL; -} - -void -SSL_set_debug(SSL *s, int debug) -{ - s->debug = debug; -} - -int -SSL_cache_hit(SSL *s) -{ - return (s->hit); -} - -IMPLEMENT_OBJ_BSEARCH_GLOBAL_CMP_FN(SSL_CIPHER, SSL_CIPHER, ssl_cipher_id); diff --git a/lib/libssl/src/ssl/ssl_locl.h b/lib/libssl/src/ssl/ssl_locl.h deleted file mode 100644 index 2a521fe26a3..00000000000 --- a/lib/libssl/src/ssl/ssl_locl.h +++ /dev/null @@ -1,847 +0,0 @@ -/* $OpenBSD: ssl_locl.h,v 1.129 2016/04/28 16:39:45 jsing Exp $ */ -/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) - * All rights reserved. - * - * This package is an SSL implementation written - * by Eric Young (eay@cryptsoft.com). - * The implementation was written so as to conform with Netscapes SSL. - * - * This library is free for commercial and non-commercial use as long as - * the following conditions are aheared to. The following conditions - * apply to all code found in this distribution, be it the RC4, RSA, - * lhash, DES, etc., code; not just the SSL code. The SSL documentation - * included with this distribution is covered by the same copyright terms - * except that the holder is Tim Hudson (tjh@cryptsoft.com). - * - * Copyright remains Eric Young's, and as such any Copyright notices in - * the code are not to be removed. - * If this package is used in a product, Eric Young should be given attribution - * as the author of the parts of the library used. - * This can be in the form of a textual message at program startup or - * in documentation (online or textual) provided with the package. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * "This product includes cryptographic software written by - * Eric Young (eay@cryptsoft.com)" - * The word 'cryptographic' can be left out if the rouines from the library - * being used are not cryptographic related :-). - * 4. If you include any Windows specific code (or a derivative thereof) from - * the apps directory (application code) you must include an acknowledgement: - * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" - * - * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * The licence and distribution terms for any publically available version or - * derivative of this code cannot be changed. i.e. this code cannot simply be - * copied and put under another distribution licence - * [including the GNU Public Licence.] - */ -/* ==================================================================== - * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * openssl-core@openssl.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.openssl.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ -/* ==================================================================== - * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. - * ECC cipher suite support in OpenSSL originally developed by - * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project. - */ -/* ==================================================================== - * Copyright 2005 Nokia. All rights reserved. - * - * The portions of the attached software ("Contribution") is developed by - * Nokia Corporation and is licensed pursuant to the OpenSSL open source - * license. - * - * The Contribution, originally written by Mika Kousa and Pasi Eronen of - * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites - * support (see RFC 4279) to OpenSSL. - * - * No patent licenses or other rights except those expressly stated in - * the OpenSSL open source license shall be deemed granted or received - * expressly, by implication, estoppel, or otherwise. - * - * No assurances are provided by Nokia that the Contribution does not - * infringe the patent or other intellectual property rights of any third - * party or that the license provides you with all the necessary rights - * to make use of the Contribution. - * - * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN - * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA - * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY - * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR - * OTHERWISE. - */ - -#ifndef HEADER_SSL_LOCL_H -#define HEADER_SSL_LOCL_H - -#include <sys/types.h> - -#include <errno.h> -#include <stdlib.h> -#include <string.h> -#include <time.h> -#include <unistd.h> - -#include <openssl/opensslconf.h> -#include <openssl/bio.h> -#include <openssl/buffer.h> -#include <openssl/dsa.h> -#include <openssl/err.h> -#include <openssl/rsa.h> -#include <openssl/ssl.h> -#include <openssl/stack.h> - -#define c2l(c,l) (l = ((unsigned long)(*((c)++))) , \ - l|=(((unsigned long)(*((c)++)))<< 8), \ - l|=(((unsigned long)(*((c)++)))<<16), \ - l|=(((unsigned long)(*((c)++)))<<24)) - -/* NOTE - c is not incremented as per c2l */ -#define c2ln(c,l1,l2,n) { \ - c+=n; \ - l1=l2=0; \ - switch (n) { \ - case 8: l2 =((unsigned long)(*(--(c))))<<24; \ - case 7: l2|=((unsigned long)(*(--(c))))<<16; \ - case 6: l2|=((unsigned long)(*(--(c))))<< 8; \ - case 5: l2|=((unsigned long)(*(--(c)))); \ - case 4: l1 =((unsigned long)(*(--(c))))<<24; \ - case 3: l1|=((unsigned long)(*(--(c))))<<16; \ - case 2: l1|=((unsigned long)(*(--(c))))<< 8; \ - case 1: l1|=((unsigned long)(*(--(c)))); \ - } \ - } - -#define l2c(l,c) (*((c)++)=(unsigned char)(((l) )&0xff), \ - *((c)++)=(unsigned char)(((l)>> 8)&0xff), \ - *((c)++)=(unsigned char)(((l)>>16)&0xff), \ - *((c)++)=(unsigned char)(((l)>>24)&0xff)) - -#define n2l(c,l) (l =((unsigned long)(*((c)++)))<<24, \ - l|=((unsigned long)(*((c)++)))<<16, \ - l|=((unsigned long)(*((c)++)))<< 8, \ - l|=((unsigned long)(*((c)++)))) - -#define l2n(l,c) (*((c)++)=(unsigned char)(((l)>>24)&0xff), \ - *((c)++)=(unsigned char)(((l)>>16)&0xff), \ - *((c)++)=(unsigned char)(((l)>> 8)&0xff), \ - *((c)++)=(unsigned char)(((l) )&0xff)) - -#define l2n8(l,c) (*((c)++)=(unsigned char)(((l)>>56)&0xff), \ - *((c)++)=(unsigned char)(((l)>>48)&0xff), \ - *((c)++)=(unsigned char)(((l)>>40)&0xff), \ - *((c)++)=(unsigned char)(((l)>>32)&0xff), \ - *((c)++)=(unsigned char)(((l)>>24)&0xff), \ - *((c)++)=(unsigned char)(((l)>>16)&0xff), \ - *((c)++)=(unsigned char)(((l)>> 8)&0xff), \ - *((c)++)=(unsigned char)(((l) )&0xff)) - -/* NOTE - c is not incremented as per l2c */ -#define l2cn(l1,l2,c,n) { \ - c+=n; \ - switch (n) { \ - case 8: *(--(c))=(unsigned char)(((l2)>>24)&0xff); \ - case 7: *(--(c))=(unsigned char)(((l2)>>16)&0xff); \ - case 6: *(--(c))=(unsigned char)(((l2)>> 8)&0xff); \ - case 5: *(--(c))=(unsigned char)(((l2) )&0xff); \ - case 4: *(--(c))=(unsigned char)(((l1)>>24)&0xff); \ - case 3: *(--(c))=(unsigned char)(((l1)>>16)&0xff); \ - case 2: *(--(c))=(unsigned char)(((l1)>> 8)&0xff); \ - case 1: *(--(c))=(unsigned char)(((l1) )&0xff); \ - } \ - } - -#define n2s(c,s) ((s=(((unsigned int)(c[0]))<< 8)| \ - (((unsigned int)(c[1])) )),c+=2) -#define s2n(s,c) ((c[0]=(unsigned char)(((s)>> 8)&0xff), \ - c[1]=(unsigned char)(((s) )&0xff)),c+=2) - -#define n2l3(c,l) ((l =(((unsigned long)(c[0]))<<16)| \ - (((unsigned long)(c[1]))<< 8)| \ - (((unsigned long)(c[2])) )),c+=3) - -#define l2n3(l,c) ((c[0]=(unsigned char)(((l)>>16)&0xff), \ - c[1]=(unsigned char)(((l)>> 8)&0xff), \ - c[2]=(unsigned char)(((l) )&0xff)),c+=3) - -/* LOCAL STUFF */ - -#define SSL_DECRYPT 0 -#define SSL_ENCRYPT 1 - -/* - * Define the Bitmasks for SSL_CIPHER.algorithms. - * This bits are used packed as dense as possible. If new methods/ciphers - * etc will be added, the bits a likely to change, so this information - * is for internal library use only, even though SSL_CIPHER.algorithms - * can be publicly accessed. - * Use the according functions for cipher management instead. - * - * The bit mask handling in the selection and sorting scheme in - * ssl_create_cipher_list() has only limited capabilities, reflecting - * that the different entities within are mutually exclusive: - * ONLY ONE BIT PER MASK CAN BE SET AT A TIME. - */ - -/* Bits for algorithm_mkey (key exchange algorithm) */ -#define SSL_kRSA 0x00000001L /* RSA key exchange */ -#define SSL_kDHE 0x00000008L /* tmp DH key no DH cert */ -#define SSL_kECDHr 0x00000020L /* ECDH cert, RSA CA cert */ -#define SSL_kECDHe 0x00000040L /* ECDH cert, ECDSA CA cert */ -#define SSL_kECDHE 0x00000080L /* ephemeral ECDH */ -#define SSL_kGOST 0x00000200L /* GOST key exchange */ - -/* Bits for algorithm_auth (server authentication) */ -#define SSL_aRSA 0x00000001L /* RSA auth */ -#define SSL_aDSS 0x00000002L /* DSS auth */ -#define SSL_aNULL 0x00000004L /* no auth (i.e. use ADH or AECDH) */ -#define SSL_aECDH 0x00000010L /* Fixed ECDH auth (kECDHe or kECDHr) */ -#define SSL_aECDSA 0x00000040L /* ECDSA auth*/ -#define SSL_aGOST01 0x00000200L /* GOST R 34.10-2001 signature auth */ - - -/* Bits for algorithm_enc (symmetric encryption) */ -#define SSL_DES 0x00000001L -#define SSL_3DES 0x00000002L -#define SSL_RC4 0x00000004L -#define SSL_IDEA 0x00000008L -#define SSL_eNULL 0x00000010L -#define SSL_AES128 0x00000020L -#define SSL_AES256 0x00000040L -#define SSL_CAMELLIA128 0x00000080L -#define SSL_CAMELLIA256 0x00000100L -#define SSL_eGOST2814789CNT 0x00000200L -#define SSL_AES128GCM 0x00000400L -#define SSL_AES256GCM 0x00000800L -#define SSL_CHACHA20POLY1305 0x00001000L -#define SSL_CHACHA20POLY1305_OLD 0x00002000L - -#define SSL_AES (SSL_AES128|SSL_AES256|SSL_AES128GCM|SSL_AES256GCM) -#define SSL_CAMELLIA (SSL_CAMELLIA128|SSL_CAMELLIA256) - - -/* Bits for algorithm_mac (symmetric authentication) */ - -#define SSL_MD5 0x00000001L -#define SSL_SHA1 0x00000002L -#define SSL_GOST94 0x00000004L -#define SSL_GOST89MAC 0x00000008L -#define SSL_SHA256 0x00000010L -#define SSL_SHA384 0x00000020L -/* Not a real MAC, just an indication it is part of cipher */ -#define SSL_AEAD 0x00000040L -#define SSL_STREEBOG256 0x00000080L -#define SSL_STREEBOG512 0x00000100L - -/* Bits for algorithm_ssl (protocol version) */ -#define SSL_SSLV3 0x00000002L -#define SSL_TLSV1 SSL_SSLV3 /* for now */ -#define SSL_TLSV1_2 0x00000004L - - -/* Bits for algorithm2 (handshake digests and other extra flags) */ - -#define SSL_HANDSHAKE_MAC_MD5 0x10 -#define SSL_HANDSHAKE_MAC_SHA 0x20 -#define SSL_HANDSHAKE_MAC_GOST94 0x40 -#define SSL_HANDSHAKE_MAC_SHA256 0x80 -#define SSL_HANDSHAKE_MAC_SHA384 0x100 -#define SSL_HANDSHAKE_MAC_STREEBOG256 0x200 -#define SSL_HANDSHAKE_MAC_STREEBOG512 0x400 -#define SSL_HANDSHAKE_MAC_DEFAULT (SSL_HANDSHAKE_MAC_MD5 | SSL_HANDSHAKE_MAC_SHA) - -/* When adding new digest in the ssl_ciph.c and increment SSM_MD_NUM_IDX - * make sure to update this constant too */ -#define SSL_MAX_DIGEST 8 - -#define SSL3_CK_ID 0x03000000 -#define SSL3_CK_VALUE_MASK 0x0000ffff - -#define TLS1_PRF_DGST_MASK (0xff << TLS1_PRF_DGST_SHIFT) - -#define TLS1_PRF_DGST_SHIFT 10 -#define TLS1_PRF_MD5 (SSL_HANDSHAKE_MAC_MD5 << TLS1_PRF_DGST_SHIFT) -#define TLS1_PRF_SHA1 (SSL_HANDSHAKE_MAC_SHA << TLS1_PRF_DGST_SHIFT) -#define TLS1_PRF_SHA256 (SSL_HANDSHAKE_MAC_SHA256 << TLS1_PRF_DGST_SHIFT) -#define TLS1_PRF_SHA384 (SSL_HANDSHAKE_MAC_SHA384 << TLS1_PRF_DGST_SHIFT) -#define TLS1_PRF_GOST94 (SSL_HANDSHAKE_MAC_GOST94 << TLS1_PRF_DGST_SHIFT) -#define TLS1_PRF_STREEBOG256 (SSL_HANDSHAKE_MAC_STREEBOG256 << TLS1_PRF_DGST_SHIFT) -#define TLS1_PRF (TLS1_PRF_MD5 | TLS1_PRF_SHA1) - -/* Stream MAC for GOST ciphersuites from cryptopro draft - * (currently this also goes into algorithm2) */ -#define TLS1_STREAM_MAC 0x04 - -/* - * SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD is an algorithm2 flag that - * indicates that the variable part of the nonce is included as a prefix of - * the record (AES-GCM, for example, does this with an 8-byte variable nonce.) - */ -#define SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD (1 << 22) - -/* - * SSL_CIPHER_ALGORITHM2_AEAD is an algorithm2 flag that indicates the cipher - * is implemented via an EVP_AEAD. - */ -#define SSL_CIPHER_ALGORITHM2_AEAD (1 << 23) - -/* - * SSL_CIPHER_AEAD_FIXED_NONCE_LEN returns the number of bytes of fixed nonce - * for an SSL_CIPHER with the SSL_CIPHER_ALGORITHM2_AEAD flag. - */ -#define SSL_CIPHER_AEAD_FIXED_NONCE_LEN(ssl_cipher) \ - (((ssl_cipher->algorithm2 >> 24) & 0xf) * 2) - -/* - * Cipher strength information. - */ -#define SSL_STRONG_MASK 0x000001fcL -#define SSL_STRONG_NONE 0x00000004L -#define SSL_LOW 0x00000020L -#define SSL_MEDIUM 0x00000040L -#define SSL_HIGH 0x00000080L - -/* - * The keylength (measured in RSA key bits, I guess) for temporary keys. - * Cipher argument is so that this can be variable in the future. - */ -#define SSL_C_PKEYLENGTH(c) 1024 - -/* Check if an SSL structure is using DTLS. */ -#define SSL_IS_DTLS(s) (s->method->ssl3_enc->enc_flags & SSL_ENC_FLAG_DTLS) - -/* See if we need explicit IV. */ -#define SSL_USE_EXPLICIT_IV(s) \ - (s->method->ssl3_enc->enc_flags & SSL_ENC_FLAG_EXPLICIT_IV) - -/* See if we use signature algorithms extension. */ -#define SSL_USE_SIGALGS(s) \ - (s->method->ssl3_enc->enc_flags & SSL_ENC_FLAG_SIGALGS) - -/* Allow TLS 1.2 ciphersuites: applies to DTLS 1.2 as well as TLS 1.2. */ -#define SSL_USE_TLS1_2_CIPHERS(s) \ - (s->method->ssl3_enc->enc_flags & SSL_ENC_FLAG_TLS1_2_CIPHERS) - -/* Mostly for SSLv3 */ -#define SSL_PKEY_RSA_ENC 0 -#define SSL_PKEY_RSA_SIGN 1 -#define SSL_PKEY_DSA_SIGN 2 -#define SSL_PKEY_DH_RSA 3 -#define SSL_PKEY_DH_DSA 4 -#define SSL_PKEY_ECC 5 -#define SSL_PKEY_GOST01 6 -#define SSL_PKEY_NUM 7 - -/* SSL_kRSA <- RSA_ENC | (RSA_TMP & RSA_SIGN) | - * <- (EXPORT & (RSA_ENC | RSA_TMP) & RSA_SIGN) - * SSL_kDH <- DH_ENC & (RSA_ENC | RSA_SIGN | DSA_SIGN) - * SSL_kDHE <- RSA_ENC | RSA_SIGN | DSA_SIGN - * SSL_aRSA <- RSA_ENC | RSA_SIGN - * SSL_aDSS <- DSA_SIGN - */ - -/* -#define CERT_INVALID 0 -#define CERT_PUBLIC_KEY 1 -#define CERT_PRIVATE_KEY 2 -*/ - -/* From ECC-TLS draft, used in encoding the curve type in - * ECParameters - */ -#define EXPLICIT_PRIME_CURVE_TYPE 1 -#define EXPLICIT_CHAR2_CURVE_TYPE 2 -#define NAMED_CURVE_TYPE 3 - -typedef struct cert_pkey_st { - X509 *x509; - EVP_PKEY *privatekey; - /* Digest to use when signing */ - const EVP_MD *digest; -} CERT_PKEY; - -typedef struct cert_st { - /* Current active set */ - CERT_PKEY *key; /* ALWAYS points to an element of the pkeys array - * Probably it would make more sense to store - * an index, not a pointer. */ - - /* The following masks are for the key and auth - * algorithms that are supported by the certs below */ - int valid; - unsigned long mask_k; - unsigned long mask_a; - - DH *dh_tmp; - DH *(*dh_tmp_cb)(SSL *ssl, int is_export, int keysize); - int dh_tmp_auto; - - EC_KEY *ecdh_tmp; - EC_KEY *(*ecdh_tmp_cb)(SSL *ssl, int is_export, int keysize); - int ecdh_tmp_auto; - - CERT_PKEY pkeys[SSL_PKEY_NUM]; - - int references; /* >1 only if SSL_copy_session_id is used */ -} CERT; - - -typedef struct sess_cert_st { - STACK_OF(X509) *cert_chain; /* as received from peer */ - - /* The 'peer_...' members are used only by clients. */ - int peer_cert_type; - - CERT_PKEY *peer_key; /* points to an element of peer_pkeys (never NULL!) */ - CERT_PKEY peer_pkeys[SSL_PKEY_NUM]; - /* Obviously we don't have the private keys of these, - * so maybe we shouldn't even use the CERT_PKEY type here. */ - - DH *peer_dh_tmp; - EC_KEY *peer_ecdh_tmp; - - int references; /* actually always 1 at the moment */ -} SESS_CERT; - - -/*#define SSL_DEBUG */ -/*#define RSA_DEBUG */ - -/* This is for the SSLv3/TLSv1.0 differences in crypto/hash stuff - * It is a bit of a mess of functions, but hell, think of it as - * an opaque structure :-) */ -typedef struct ssl3_enc_method { - int (*enc)(SSL *, int); - int (*mac)(SSL *, unsigned char *, int); - int (*setup_key_block)(SSL *); - int (*generate_master_secret)(SSL *, unsigned char *, - unsigned char *, int); - int (*change_cipher_state)(SSL *, int); - int (*final_finish_mac)(SSL *, const char *, int, unsigned char *); - int finish_mac_length; - int (*cert_verify_mac)(SSL *, int, unsigned char *); - const char *client_finished_label; - int client_finished_label_len; - const char *server_finished_label; - int server_finished_label_len; - int (*alert_value)(int); - int (*export_keying_material)(SSL *, unsigned char *, size_t, - const char *, size_t, const unsigned char *, size_t, - int use_context); - /* Flags indicating protocol version requirements. */ - unsigned int enc_flags; -} SSL3_ENC_METHOD; - -/* - * Flag values for enc_flags. - */ - -/* Uses explicit IV. */ -#define SSL_ENC_FLAG_EXPLICIT_IV (1 << 0) - -/* Uses signature algorithms extension. */ -#define SSL_ENC_FLAG_SIGALGS (1 << 1) - -/* Uses SHA256 default PRF. */ -#define SSL_ENC_FLAG_SHA256_PRF (1 << 2) - -/* Is DTLS. */ -#define SSL_ENC_FLAG_DTLS (1 << 3) - -/* Allow TLS 1.2 ciphersuites: applies to DTLS 1.2 as well as TLS 1.2. */ -#define SSL_ENC_FLAG_TLS1_2_CIPHERS (1 << 4) - -/* - * ssl_aead_ctx_st contains information about an AEAD that is being used to - * encrypt an SSL connection. - */ -struct ssl_aead_ctx_st { - EVP_AEAD_CTX ctx; - /* - * fixed_nonce contains any bytes of the nonce that are fixed for all - * records. - */ - unsigned char fixed_nonce[12]; - unsigned char fixed_nonce_len; - unsigned char variable_nonce_len; - unsigned char xor_fixed_nonce; - unsigned char tag_len; - /* - * variable_nonce_in_record is non-zero if the variable nonce - * for a record is included as a prefix before the ciphertext. - */ - char variable_nonce_in_record; -}; - -extern SSL3_ENC_METHOD ssl3_undef_enc_method; -extern SSL_CIPHER ssl3_ciphers[]; - -const char *ssl_version_string(int ver); -uint16_t ssl_max_server_version(SSL *s); - -extern SSL3_ENC_METHOD DTLSv1_enc_data; -extern SSL3_ENC_METHOD TLSv1_enc_data; -extern SSL3_ENC_METHOD TLSv1_1_enc_data; -extern SSL3_ENC_METHOD TLSv1_2_enc_data; - -void ssl_clear_cipher_ctx(SSL *s); -int ssl_clear_bad_session(SSL *s); -CERT *ssl_cert_new(void); -CERT *ssl_cert_dup(CERT *cert); -int ssl_cert_inst(CERT **o); -void ssl_cert_free(CERT *c); -SESS_CERT *ssl_sess_cert_new(void); -void ssl_sess_cert_free(SESS_CERT *sc); -int ssl_get_new_session(SSL *s, int session); -int ssl_get_prev_session(SSL *s, unsigned char *session, int len, - const unsigned char *limit); -int ssl_cipher_id_cmp(const SSL_CIPHER *a, const SSL_CIPHER *b); -DECLARE_OBJ_BSEARCH_GLOBAL_CMP_FN(SSL_CIPHER, SSL_CIPHER, ssl_cipher_id); -int ssl_cipher_ptr_id_cmp(const SSL_CIPHER * const *ap, - const SSL_CIPHER * const *bp); -STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s, const unsigned char *p, - int num); -int ssl_cipher_list_to_bytes(SSL *s, STACK_OF(SSL_CIPHER) *sk, - unsigned char *p); -STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *meth, - STACK_OF(SSL_CIPHER) **pref, STACK_OF(SSL_CIPHER) **sorted, - const char *rule_str); -void ssl_update_cache(SSL *s, int mode); -int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc, - const EVP_MD **md, int *mac_pkey_type, int *mac_secret_size); -int ssl_cipher_get_evp_aead(const SSL_SESSION *s, const EVP_AEAD **aead); -int ssl_get_handshake_digest(int i, long *mask, const EVP_MD **md); - -int ssl_verify_cert_chain(SSL *s, STACK_OF(X509) *sk); -int ssl_undefined_function(SSL *s); -int ssl_undefined_void_function(void); -int ssl_undefined_const_function(const SSL *s); -CERT_PKEY *ssl_get_server_send_pkey(const SSL *s); -X509 *ssl_get_server_send_cert(const SSL *); -EVP_PKEY *ssl_get_sign_pkey(SSL *s, const SSL_CIPHER *c, const EVP_MD **pmd); -DH *ssl_get_auto_dh(SSL *s); -int ssl_cert_type(X509 *x, EVP_PKEY *pkey); -void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher); -STACK_OF(SSL_CIPHER) *ssl_get_ciphers_by_id(SSL *s); -int ssl_verify_alarm_type(long type); -void ssl_load_ciphers(void); - -const SSL_CIPHER *ssl3_get_cipher_by_char(const unsigned char *p); -int ssl3_put_cipher_by_char(const SSL_CIPHER *c, unsigned char *p); -int ssl3_send_server_certificate(SSL *s); -int ssl3_send_newsession_ticket(SSL *s); -int ssl3_send_cert_status(SSL *s); -int ssl3_get_finished(SSL *s, int state_a, int state_b); -int ssl3_send_change_cipher_spec(SSL *s, int state_a, int state_b); -int ssl3_do_write(SSL *s, int type); -int ssl3_send_alert(SSL *s, int level, int desc); -int ssl3_get_req_cert_type(SSL *s, unsigned char *p); -long ssl3_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok); -int ssl3_send_finished(SSL *s, int a, int b, const char *sender, int slen); -int ssl3_num_ciphers(void); -const SSL_CIPHER *ssl3_get_cipher(unsigned int u); -const SSL_CIPHER *ssl3_get_cipher_by_id(unsigned int id); -const SSL_CIPHER *ssl3_get_cipher_by_value(uint16_t value); -uint16_t ssl3_cipher_get_value(const SSL_CIPHER *c); -int ssl3_renegotiate(SSL *ssl); - -int ssl3_renegotiate_check(SSL *ssl); - -int ssl3_dispatch_alert(SSL *s); -int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek); -int ssl3_write_bytes(SSL *s, int type, const void *buf, int len); -unsigned long ssl3_output_cert_chain(SSL *s, X509 *x); -SSL_CIPHER *ssl3_choose_cipher(SSL *ssl, STACK_OF(SSL_CIPHER) *clnt, - STACK_OF(SSL_CIPHER) *srvr); -int ssl3_setup_buffers(SSL *s); -int ssl3_setup_init_buffer(SSL *s); -int ssl3_setup_read_buffer(SSL *s); -int ssl3_setup_write_buffer(SSL *s); -int ssl3_release_read_buffer(SSL *s); -int ssl3_release_write_buffer(SSL *s); -int ssl3_new(SSL *s); -void ssl3_free(SSL *s); -int ssl3_accept(SSL *s); -int ssl3_connect(SSL *s); -int ssl3_read(SSL *s, void *buf, int len); -int ssl3_peek(SSL *s, void *buf, int len); -int ssl3_write(SSL *s, const void *buf, int len); -int ssl3_shutdown(SSL *s); -void ssl3_clear(SSL *s); -long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg); -long ssl3_ctx_ctrl(SSL_CTX *s, int cmd, long larg, void *parg); -long ssl3_callback_ctrl(SSL *s, int cmd, void (*fp)(void)); -long ssl3_ctx_callback_ctrl(SSL_CTX *s, int cmd, void (*fp)(void)); -int ssl3_pending(const SSL *s); - -int ssl3_handshake_msg_hdr_len(SSL *s); -unsigned char *ssl3_handshake_msg_start(SSL *s, uint8_t htype); -void ssl3_handshake_msg_finish(SSL *s, unsigned int len); -int ssl3_handshake_write(SSL *s); - -void tls1_record_sequence_increment(unsigned char *seq); -int ssl3_do_change_cipher_spec(SSL *ssl); - -int ssl23_read(SSL *s, void *buf, int len); -int ssl23_peek(SSL *s, void *buf, int len); -int ssl23_write(SSL *s, const void *buf, int len); -long ssl23_default_timeout(void); - -long tls1_default_timeout(void); -int dtls1_do_write(SSL *s, int type); -int ssl3_read_n(SSL *s, int n, int max, int extend); -int dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek); -int ssl3_write_pending(SSL *s, int type, const unsigned char *buf, - unsigned int len); -unsigned char *dtls1_set_message_header(SSL *s, unsigned char *p, - unsigned char mt, unsigned long len, unsigned long frag_off, - unsigned long frag_len); - -int dtls1_write_app_data_bytes(SSL *s, int type, const void *buf, int len); -int dtls1_write_bytes(SSL *s, int type, const void *buf, int len); - -int dtls1_send_change_cipher_spec(SSL *s, int a, int b); -unsigned long dtls1_output_cert_chain(SSL *s, X509 *x); -int dtls1_read_failed(SSL *s, int code); -int dtls1_buffer_message(SSL *s, int ccs); -int dtls1_retransmit_message(SSL *s, unsigned short seq, - unsigned long frag_off, int *found); -int dtls1_get_queue_priority(unsigned short seq, int is_ccs); -int dtls1_retransmit_buffered_messages(SSL *s); -void dtls1_clear_record_buffer(SSL *s); -int dtls1_get_message_header(unsigned char *data, - struct hm_header_st *msg_hdr); -void dtls1_get_ccs_header(unsigned char *data, struct ccs_header_st *ccs_hdr); -void dtls1_reset_seq_numbers(SSL *s, int rw); -void dtls1_build_sequence_number(unsigned char *dst, unsigned char *seq, - unsigned short epoch); -long dtls1_default_timeout(void); -struct timeval* dtls1_get_timeout(SSL *s, struct timeval* timeleft); -int dtls1_check_timeout_num(SSL *s); -int dtls1_handle_timeout(SSL *s); -const SSL_CIPHER *dtls1_get_cipher(unsigned int u); -void dtls1_start_timer(SSL *s); -void dtls1_stop_timer(SSL *s); -int dtls1_is_timer_expired(SSL *s); -void dtls1_double_timeout(SSL *s); -unsigned int dtls1_min_mtu(void); - -/* some client-only functions */ -int ssl3_client_hello(SSL *s); -int ssl3_get_server_hello(SSL *s); -int ssl3_get_certificate_request(SSL *s); -int ssl3_get_new_session_ticket(SSL *s); -int ssl3_get_cert_status(SSL *s); -int ssl3_get_server_done(SSL *s); -int ssl3_send_client_verify(SSL *s); -int ssl3_send_client_certificate(SSL *s); -int ssl_do_client_cert_cb(SSL *s, X509 **px509, EVP_PKEY **ppkey); -int ssl3_send_client_key_exchange(SSL *s); -int ssl3_get_key_exchange(SSL *s); -int ssl3_get_server_certificate(SSL *s); -int ssl3_check_cert_and_algorithm(SSL *s); -int ssl3_check_finished(SSL *s); -int ssl3_send_next_proto(SSL *s); - -int dtls1_send_client_certificate(SSL *s); - -/* some server-only functions */ -int ssl3_get_client_hello(SSL *s); -int ssl3_send_server_hello(SSL *s); -int ssl3_send_hello_request(SSL *s); -int ssl3_send_server_key_exchange(SSL *s); -int ssl3_send_certificate_request(SSL *s); -int ssl3_send_server_done(SSL *s); -int ssl3_get_client_certificate(SSL *s); -int ssl3_get_client_key_exchange(SSL *s); -int ssl3_get_cert_verify(SSL *s); -int ssl3_get_next_proto(SSL *s); - -int dtls1_send_server_certificate(SSL *s); - -int ssl23_accept(SSL *s); -int ssl23_connect(SSL *s); -int ssl23_read_bytes(SSL *s, int n); -int ssl23_write_bytes(SSL *s); - -int tls1_new(SSL *s); -void tls1_free(SSL *s); -void tls1_clear(SSL *s); -long tls1_ctrl(SSL *s, int cmd, long larg, void *parg); -long tls1_callback_ctrl(SSL *s, int cmd, void (*fp)(void)); - -int dtls1_new(SSL *s); -int dtls1_accept(SSL *s); -int dtls1_connect(SSL *s); -void dtls1_free(SSL *s); -void dtls1_clear(SSL *s); -long dtls1_ctrl(SSL *s, int cmd, long larg, void *parg); -int dtls1_shutdown(SSL *s); - -long dtls1_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok); -int dtls1_get_record(SSL *s); -int do_dtls1_write(SSL *s, int type, const unsigned char *buf, - unsigned int len); -int dtls1_dispatch_alert(SSL *s); -int dtls1_enc(SSL *s, int snd); - -int ssl_init_wbio_buffer(SSL *s, int push); -void ssl_free_wbio_buffer(SSL *s); - -int tls1_init_finished_mac(SSL *s); -void tls1_finish_mac(SSL *s, const unsigned char *buf, int len); -void tls1_free_digest_list(SSL *s); -void tls1_cleanup_key_block(SSL *s); -int tls1_digest_cached_records(SSL *s); -int tls1_change_cipher_state(SSL *s, int which); -int tls1_setup_key_block(SSL *s); -int tls1_enc(SSL *s, int snd); -int tls1_final_finish_mac(SSL *s, const char *str, int slen, unsigned char *p); -int tls1_cert_verify_mac(SSL *s, int md_nid, unsigned char *p); -int tls1_mac(SSL *ssl, unsigned char *md, int snd); -int tls1_generate_master_secret(SSL *s, unsigned char *out, - unsigned char *p, int len); -int tls1_export_keying_material(SSL *s, unsigned char *out, size_t olen, - const char *label, size_t llen, const unsigned char *p, size_t plen, - int use_context); -int tls1_alert_code(int code); -int ssl_ok(SSL *s); - -int ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s); - -SSL_COMP *ssl3_comp_find(STACK_OF(SSL_COMP) *sk, int n); - -int tls1_ec_curve_id2nid(uint16_t curve_id); -uint16_t tls1_ec_nid2curve_id(int nid); -int tls1_check_curve(SSL *s, const unsigned char *p, size_t len); -int tls1_get_shared_curve(SSL *s); - -unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, - unsigned char *limit); - -unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, - unsigned char *limit); - -int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **data, - unsigned char *d, int n, int *al); -int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **data, - unsigned char *d, int n, int *al); -int ssl_check_clienthello_tlsext_early(SSL *s); -int ssl_check_clienthello_tlsext_late(SSL *s); -int ssl_check_serverhello_tlsext(SSL *s); - -#define tlsext_tick_md EVP_sha256 -int tls1_process_ticket(SSL *s, const unsigned char *session_id, int len, - const unsigned char *limit, SSL_SESSION **ret); -int tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk, - const EVP_MD *md); -int tls12_get_sigid(const EVP_PKEY *pk); -const EVP_MD *tls12_get_hash(unsigned char hash_alg); - -void ssl_clear_hash_ctx(EVP_MD_CTX **hash); -int ssl_add_serverhello_renegotiate_ext(SSL *s, unsigned char *p, - int *len, int maxlen); -int ssl_parse_serverhello_renegotiate_ext(SSL *s, const unsigned char *d, - int len, int *al); -int ssl_add_clienthello_renegotiate_ext(SSL *s, unsigned char *p, - int *len, int maxlen); -int ssl_parse_clienthello_renegotiate_ext(SSL *s, const unsigned char *d, - int len, int *al); -long ssl_get_algorithm2(SSL *s); -int tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize); -int tls12_get_req_sig_algs(SSL *s, unsigned char *p); - -int tls1_check_ec_server_key(SSL *s); -int tls1_check_ec_tmp_key(SSL *s); - -int ssl_add_clienthello_use_srtp_ext(SSL *s, unsigned char *p, - int *len, int maxlen); -int ssl_parse_clienthello_use_srtp_ext(SSL *s, const unsigned char *d, - int len, int *al); -int ssl_add_serverhello_use_srtp_ext(SSL *s, unsigned char *p, - int *len, int maxlen); -int ssl_parse_serverhello_use_srtp_ext(SSL *s, const unsigned char *d, - int len, int *al); - -/* s3_cbc.c */ -void ssl3_cbc_copy_mac(unsigned char *out, const SSL3_RECORD *rec, - unsigned md_size, unsigned orig_len); -int tls1_cbc_remove_padding(const SSL *s, SSL3_RECORD *rec, - unsigned block_size, unsigned mac_size); -char ssl3_cbc_record_digest_supported(const EVP_MD_CTX *ctx); -int ssl3_cbc_digest_record(const EVP_MD_CTX *ctx, unsigned char *md_out, - size_t *md_out_size, const unsigned char header[13], - const unsigned char *data, size_t data_plus_mac_size, - size_t data_plus_mac_plus_padding_size, const unsigned char *mac_secret, - unsigned mac_secret_length, char is_sslv3); - -#endif diff --git a/lib/libssl/src/ssl/ssl_rsa.c b/lib/libssl/src/ssl/ssl_rsa.c deleted file mode 100644 index 7481524942a..00000000000 --- a/lib/libssl/src/ssl/ssl_rsa.c +++ /dev/null @@ -1,751 +0,0 @@ -/* $OpenBSD: ssl_rsa.c,v 1.21 2016/03/11 07:08:45 mmcc Exp $ */ -/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) - * All rights reserved. - * - * This package is an SSL implementation written - * by Eric Young (eay@cryptsoft.com). - * The implementation was written so as to conform with Netscapes SSL. - * - * This library is free for commercial and non-commercial use as long as - * the following conditions are aheared to. The following conditions - * apply to all code found in this distribution, be it the RC4, RSA, - * lhash, DES, etc., code; not just the SSL code. The SSL documentation - * included with this distribution is covered by the same copyright terms - * except that the holder is Tim Hudson (tjh@cryptsoft.com). - * - * Copyright remains Eric Young's, and as such any Copyright notices in - * the code are not to be removed. - * If this package is used in a product, Eric Young should be given attribution - * as the author of the parts of the library used. - * This can be in the form of a textual message at program startup or - * in documentation (online or textual) provided with the package. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * "This product includes cryptographic software written by - * Eric Young (eay@cryptsoft.com)" - * The word 'cryptographic' can be left out if the rouines from the library - * being used are not cryptographic related :-). - * 4. If you include any Windows specific code (or a derivative thereof) from - * the apps directory (application code) you must include an acknowledgement: - * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" - * - * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * The licence and distribution terms for any publically available version or - * derivative of this code cannot be changed. i.e. this code cannot simply be - * copied and put under another distribution licence - * [including the GNU Public Licence.] - */ - -#include <stdio.h> - -#include "ssl_locl.h" - -#include <openssl/bio.h> -#include <openssl/evp.h> -#include <openssl/objects.h> -#include <openssl/pem.h> -#include <openssl/x509.h> - -static int ssl_set_cert(CERT *c, X509 *x509); -static int ssl_set_pkey(CERT *c, EVP_PKEY *pkey); -static int ssl_ctx_use_certificate_chain_bio(SSL_CTX *, BIO *); - -int -SSL_use_certificate(SSL *ssl, X509 *x) -{ - if (x == NULL) { - SSLerr(SSL_F_SSL_USE_CERTIFICATE, ERR_R_PASSED_NULL_PARAMETER); - return (0); - } - if (!ssl_cert_inst(&ssl->cert)) { - SSLerr(SSL_F_SSL_USE_CERTIFICATE, ERR_R_MALLOC_FAILURE); - return (0); - } - return (ssl_set_cert(ssl->cert, x)); -} - -int -SSL_use_certificate_file(SSL *ssl, const char *file, int type) -{ - int j; - BIO *in; - int ret = 0; - X509 *x = NULL; - - in = BIO_new(BIO_s_file_internal()); - if (in == NULL) { - SSLerr(SSL_F_SSL_USE_CERTIFICATE_FILE, ERR_R_BUF_LIB); - goto end; - } - - if (BIO_read_filename(in, file) <= 0) { - SSLerr(SSL_F_SSL_USE_CERTIFICATE_FILE, ERR_R_SYS_LIB); - goto end; - } - if (type == SSL_FILETYPE_ASN1) { - j = ERR_R_ASN1_LIB; - x = d2i_X509_bio(in, NULL); - } else if (type == SSL_FILETYPE_PEM) { - j = ERR_R_PEM_LIB; - x = PEM_read_bio_X509(in, NULL, - ssl->ctx->default_passwd_callback, - ssl->ctx->default_passwd_callback_userdata); - } else { - SSLerr(SSL_F_SSL_USE_CERTIFICATE_FILE, SSL_R_BAD_SSL_FILETYPE); - goto end; - } - - if (x == NULL) { - SSLerr(SSL_F_SSL_USE_CERTIFICATE_FILE, j); - goto end; - } - - ret = SSL_use_certificate(ssl, x); -end: - X509_free(x); - BIO_free(in); - return (ret); -} - -int -SSL_use_certificate_ASN1(SSL *ssl, const unsigned char *d, int len) -{ - X509 *x; - int ret; - - x = d2i_X509(NULL, &d,(long)len); - if (x == NULL) { - SSLerr(SSL_F_SSL_USE_CERTIFICATE_ASN1, ERR_R_ASN1_LIB); - return (0); - } - - ret = SSL_use_certificate(ssl, x); - X509_free(x); - return (ret); -} - -int -SSL_use_RSAPrivateKey(SSL *ssl, RSA *rsa) -{ - EVP_PKEY *pkey; - int ret; - - if (rsa == NULL) { - SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY, ERR_R_PASSED_NULL_PARAMETER); - return (0); - } - if (!ssl_cert_inst(&ssl->cert)) { - SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY, ERR_R_MALLOC_FAILURE); - return (0); - } - if ((pkey = EVP_PKEY_new()) == NULL) { - SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY, ERR_R_EVP_LIB); - return (0); - } - - RSA_up_ref(rsa); - EVP_PKEY_assign_RSA(pkey, rsa); - - ret = ssl_set_pkey(ssl->cert, pkey); - EVP_PKEY_free(pkey); - return (ret); -} - -static int -ssl_set_pkey(CERT *c, EVP_PKEY *pkey) -{ - int i; - - i = ssl_cert_type(NULL, pkey); - if (i < 0) { - SSLerr(SSL_F_SSL_SET_PKEY, SSL_R_UNKNOWN_CERTIFICATE_TYPE); - return (0); - } - - if (c->pkeys[i].x509 != NULL) { - EVP_PKEY *pktmp; - pktmp = X509_get_pubkey(c->pkeys[i].x509); - EVP_PKEY_copy_parameters(pktmp, pkey); - EVP_PKEY_free(pktmp); - ERR_clear_error(); - - /* - * Don't check the public/private key, this is mostly - * for smart cards. - */ - if ((pkey->type == EVP_PKEY_RSA) && - (RSA_flags(pkey->pkey.rsa) & RSA_METHOD_FLAG_NO_CHECK)) -; - else - if (!X509_check_private_key(c->pkeys[i].x509, pkey)) { - X509_free(c->pkeys[i].x509); - c->pkeys[i].x509 = NULL; - return 0; - } - } - - EVP_PKEY_free(c->pkeys[i].privatekey); - CRYPTO_add(&pkey->references, 1, CRYPTO_LOCK_EVP_PKEY); - c->pkeys[i].privatekey = pkey; - c->key = &(c->pkeys[i]); - - c->valid = 0; - return (1); -} - -int -SSL_use_RSAPrivateKey_file(SSL *ssl, const char *file, int type) -{ - int j, ret = 0; - BIO *in; - RSA *rsa = NULL; - - in = BIO_new(BIO_s_file_internal()); - if (in == NULL) { - SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY_FILE, ERR_R_BUF_LIB); - goto end; - } - - if (BIO_read_filename(in, file) <= 0) { - SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY_FILE, ERR_R_SYS_LIB); - goto end; - } - if (type == SSL_FILETYPE_ASN1) { - j = ERR_R_ASN1_LIB; - rsa = d2i_RSAPrivateKey_bio(in, NULL); - } else if (type == SSL_FILETYPE_PEM) { - j = ERR_R_PEM_LIB; - rsa = PEM_read_bio_RSAPrivateKey(in, NULL, - ssl->ctx->default_passwd_callback, - ssl->ctx->default_passwd_callback_userdata); - } else { - SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY_FILE, SSL_R_BAD_SSL_FILETYPE); - goto end; - } - if (rsa == NULL) { - SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY_FILE, j); - goto end; - } - ret = SSL_use_RSAPrivateKey(ssl, rsa); - RSA_free(rsa); -end: - BIO_free(in); - return (ret); -} - -int -SSL_use_RSAPrivateKey_ASN1(SSL *ssl, unsigned char *d, long len) -{ - int ret; - const unsigned char *p; - RSA *rsa; - - p = d; - if ((rsa = d2i_RSAPrivateKey(NULL, &p,(long)len)) == NULL) { - SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY_ASN1, ERR_R_ASN1_LIB); - return (0); - } - - ret = SSL_use_RSAPrivateKey(ssl, rsa); - RSA_free(rsa); - return (ret); -} - -int -SSL_use_PrivateKey(SSL *ssl, EVP_PKEY *pkey) -{ - int ret; - - if (pkey == NULL) { - SSLerr(SSL_F_SSL_USE_PRIVATEKEY, ERR_R_PASSED_NULL_PARAMETER); - return (0); - } - if (!ssl_cert_inst(&ssl->cert)) { - SSLerr(SSL_F_SSL_USE_PRIVATEKEY, ERR_R_MALLOC_FAILURE); - return (0); - } - ret = ssl_set_pkey(ssl->cert, pkey); - return (ret); -} - -int -SSL_use_PrivateKey_file(SSL *ssl, const char *file, int type) -{ - int j, ret = 0; - BIO *in; - EVP_PKEY *pkey = NULL; - - in = BIO_new(BIO_s_file_internal()); - if (in == NULL) { - SSLerr(SSL_F_SSL_USE_PRIVATEKEY_FILE, ERR_R_BUF_LIB); - goto end; - } - - if (BIO_read_filename(in, file) <= 0) { - SSLerr(SSL_F_SSL_USE_PRIVATEKEY_FILE, ERR_R_SYS_LIB); - goto end; - } - if (type == SSL_FILETYPE_PEM) { - j = ERR_R_PEM_LIB; - pkey = PEM_read_bio_PrivateKey(in, NULL, - ssl->ctx->default_passwd_callback, - ssl->ctx->default_passwd_callback_userdata); - } else if (type == SSL_FILETYPE_ASN1) { - j = ERR_R_ASN1_LIB; - pkey = d2i_PrivateKey_bio(in, NULL); - } else { - SSLerr(SSL_F_SSL_USE_PRIVATEKEY_FILE, SSL_R_BAD_SSL_FILETYPE); - goto end; - } - if (pkey == NULL) { - SSLerr(SSL_F_SSL_USE_PRIVATEKEY_FILE, j); - goto end; - } - ret = SSL_use_PrivateKey(ssl, pkey); - EVP_PKEY_free(pkey); -end: - BIO_free(in); - return (ret); -} - -int -SSL_use_PrivateKey_ASN1(int type, SSL *ssl, const unsigned char *d, long len) -{ - int ret; - const unsigned char *p; - EVP_PKEY *pkey; - - p = d; - if ((pkey = d2i_PrivateKey(type, NULL, &p,(long)len)) == NULL) { - SSLerr(SSL_F_SSL_USE_PRIVATEKEY_ASN1, ERR_R_ASN1_LIB); - return (0); - } - - ret = SSL_use_PrivateKey(ssl, pkey); - EVP_PKEY_free(pkey); - return (ret); -} - -int -SSL_CTX_use_certificate(SSL_CTX *ctx, X509 *x) -{ - if (x == NULL) { - SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE, ERR_R_PASSED_NULL_PARAMETER); - return (0); - } - if (!ssl_cert_inst(&ctx->cert)) { - SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE, ERR_R_MALLOC_FAILURE); - return (0); - } - return (ssl_set_cert(ctx->cert, x)); -} - -static int -ssl_set_cert(CERT *c, X509 *x) -{ - EVP_PKEY *pkey; - int i; - - pkey = X509_get_pubkey(x); - if (pkey == NULL) { - SSLerr(SSL_F_SSL_SET_CERT, SSL_R_X509_LIB); - return (0); - } - - i = ssl_cert_type(x, pkey); - if (i < 0) { - SSLerr(SSL_F_SSL_SET_CERT, SSL_R_UNKNOWN_CERTIFICATE_TYPE); - EVP_PKEY_free(pkey); - return (0); - } - - if (c->pkeys[i].privatekey != NULL) { - EVP_PKEY_copy_parameters(pkey, c->pkeys[i].privatekey); - ERR_clear_error(); - - /* - * Don't check the public/private key, this is mostly - * for smart cards. - */ - if ((c->pkeys[i].privatekey->type == EVP_PKEY_RSA) && - (RSA_flags(c->pkeys[i].privatekey->pkey.rsa) & - RSA_METHOD_FLAG_NO_CHECK)) -; - else - if (!X509_check_private_key(x, c->pkeys[i].privatekey)) { - /* - * don't fail for a cert/key mismatch, just free - * current private key (when switching to a different - * cert & key, first this function should be used, - * then ssl_set_pkey - */ - EVP_PKEY_free(c->pkeys[i].privatekey); - c->pkeys[i].privatekey = NULL; - /* clear error queue */ - ERR_clear_error(); - } - } - - EVP_PKEY_free(pkey); - - X509_free(c->pkeys[i].x509); - CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509); - c->pkeys[i].x509 = x; - c->key = &(c->pkeys[i]); - - c->valid = 0; - return (1); -} - -int -SSL_CTX_use_certificate_file(SSL_CTX *ctx, const char *file, int type) -{ - int j; - BIO *in; - int ret = 0; - X509 *x = NULL; - - in = BIO_new(BIO_s_file_internal()); - if (in == NULL) { - SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE, ERR_R_BUF_LIB); - goto end; - } - - if (BIO_read_filename(in, file) <= 0) { - SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE, ERR_R_SYS_LIB); - goto end; - } - if (type == SSL_FILETYPE_ASN1) { - j = ERR_R_ASN1_LIB; - x = d2i_X509_bio(in, NULL); - } else if (type == SSL_FILETYPE_PEM) { - j = ERR_R_PEM_LIB; - x = PEM_read_bio_X509(in, NULL, ctx->default_passwd_callback, - ctx->default_passwd_callback_userdata); - } else { - SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE, SSL_R_BAD_SSL_FILETYPE); - goto end; - } - - if (x == NULL) { - SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE, j); - goto end; - } - - ret = SSL_CTX_use_certificate(ctx, x); -end: - X509_free(x); - BIO_free(in); - return (ret); -} - -int -SSL_CTX_use_certificate_ASN1(SSL_CTX *ctx, int len, const unsigned char *d) -{ - X509 *x; - int ret; - - x = d2i_X509(NULL, &d,(long)len); - if (x == NULL) { - SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_ASN1, ERR_R_ASN1_LIB); - return (0); - } - - ret = SSL_CTX_use_certificate(ctx, x); - X509_free(x); - return (ret); -} - -int -SSL_CTX_use_RSAPrivateKey(SSL_CTX *ctx, RSA *rsa) -{ - int ret; - EVP_PKEY *pkey; - - if (rsa == NULL) { - SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY, ERR_R_PASSED_NULL_PARAMETER); - return (0); - } - if (!ssl_cert_inst(&ctx->cert)) { - SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY, ERR_R_MALLOC_FAILURE); - return (0); - } - if ((pkey = EVP_PKEY_new()) == NULL) { - SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY, ERR_R_EVP_LIB); - return (0); - } - - RSA_up_ref(rsa); - EVP_PKEY_assign_RSA(pkey, rsa); - - ret = ssl_set_pkey(ctx->cert, pkey); - EVP_PKEY_free(pkey); - return (ret); -} - -int -SSL_CTX_use_RSAPrivateKey_file(SSL_CTX *ctx, const char *file, int type) -{ - int j, ret = 0; - BIO *in; - RSA *rsa = NULL; - - in = BIO_new(BIO_s_file_internal()); - if (in == NULL) { - SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE, ERR_R_BUF_LIB); - goto end; - } - - if (BIO_read_filename(in, file) <= 0) { - SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE, ERR_R_SYS_LIB); - goto end; - } - if (type == SSL_FILETYPE_ASN1) { - j = ERR_R_ASN1_LIB; - rsa = d2i_RSAPrivateKey_bio(in, NULL); - } else if (type == SSL_FILETYPE_PEM) { - j = ERR_R_PEM_LIB; - rsa = PEM_read_bio_RSAPrivateKey(in, NULL, - ctx->default_passwd_callback, - ctx->default_passwd_callback_userdata); - } else { - SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE, SSL_R_BAD_SSL_FILETYPE); - goto end; - } - if (rsa == NULL) { - SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE, j); - goto end; - } - ret = SSL_CTX_use_RSAPrivateKey(ctx, rsa); - RSA_free(rsa); -end: - BIO_free(in); - return (ret); -} - -int -SSL_CTX_use_RSAPrivateKey_ASN1(SSL_CTX *ctx, const unsigned char *d, long len) -{ - int ret; - const unsigned char *p; - RSA *rsa; - - p = d; - if ((rsa = d2i_RSAPrivateKey(NULL, &p,(long)len)) == NULL) { - SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_ASN1, ERR_R_ASN1_LIB); - return (0); - } - - ret = SSL_CTX_use_RSAPrivateKey(ctx, rsa); - RSA_free(rsa); - return (ret); -} - -int -SSL_CTX_use_PrivateKey(SSL_CTX *ctx, EVP_PKEY *pkey) -{ - if (pkey == NULL) { - SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY, - ERR_R_PASSED_NULL_PARAMETER); - return (0); - } - if (!ssl_cert_inst(&ctx->cert)) { - SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY, ERR_R_MALLOC_FAILURE); - return (0); - } - return (ssl_set_pkey(ctx->cert, pkey)); -} - -int -SSL_CTX_use_PrivateKey_file(SSL_CTX *ctx, const char *file, int type) -{ - int j, ret = 0; - BIO *in; - EVP_PKEY *pkey = NULL; - - in = BIO_new(BIO_s_file_internal()); - if (in == NULL) { - SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE, ERR_R_BUF_LIB); - goto end; - } - - if (BIO_read_filename(in, file) <= 0) { - SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE, ERR_R_SYS_LIB); - goto end; - } - if (type == SSL_FILETYPE_PEM) { - j = ERR_R_PEM_LIB; - pkey = PEM_read_bio_PrivateKey(in, NULL, - ctx->default_passwd_callback, - ctx->default_passwd_callback_userdata); - } else if (type == SSL_FILETYPE_ASN1) { - j = ERR_R_ASN1_LIB; - pkey = d2i_PrivateKey_bio(in, NULL); - } else { - SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE, - SSL_R_BAD_SSL_FILETYPE); - goto end; - } - if (pkey == NULL) { - SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE, j); - goto end; - } - ret = SSL_CTX_use_PrivateKey(ctx, pkey); - EVP_PKEY_free(pkey); -end: - BIO_free(in); - return (ret); -} - -int -SSL_CTX_use_PrivateKey_ASN1(int type, SSL_CTX *ctx, const unsigned char *d, - long len) -{ - int ret; - const unsigned char *p; - EVP_PKEY *pkey; - - p = d; - if ((pkey = d2i_PrivateKey(type, NULL, &p,(long)len)) == NULL) { - SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_ASN1, ERR_R_ASN1_LIB); - return (0); - } - - ret = SSL_CTX_use_PrivateKey(ctx, pkey); - EVP_PKEY_free(pkey); - return (ret); -} - - -/* - * Read a bio that contains our certificate in "PEM" format, - * possibly followed by a sequence of CA certificates that should be - * sent to the peer in the Certificate message. - */ -static int -ssl_ctx_use_certificate_chain_bio(SSL_CTX *ctx, BIO *in) -{ - int ret = 0; - X509 *x = NULL; - - ERR_clear_error(); /* clear error stack for SSL_CTX_use_certificate() */ - - x = PEM_read_bio_X509_AUX(in, NULL, ctx->default_passwd_callback, - ctx->default_passwd_callback_userdata); - if (x == NULL) { - SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE, ERR_R_PEM_LIB); - goto end; - } - - ret = SSL_CTX_use_certificate(ctx, x); - - if (ERR_peek_error() != 0) - ret = 0; - /* Key/certificate mismatch doesn't imply ret==0 ... */ - if (ret) { - /* - * If we could set up our certificate, now proceed to - * the CA certificates. - */ - X509 *ca; - int r; - unsigned long err; - - if (ctx->extra_certs != NULL) { - sk_X509_pop_free(ctx->extra_certs, X509_free); - ctx->extra_certs = NULL; - } - - while ((ca = PEM_read_bio_X509(in, NULL, - ctx->default_passwd_callback, - ctx->default_passwd_callback_userdata)) != NULL) { - r = SSL_CTX_add_extra_chain_cert(ctx, ca); - if (!r) { - X509_free(ca); - ret = 0; - goto end; - } - /* - * Note that we must not free r if it was successfully - * added to the chain (while we must free the main - * certificate, since its reference count is increased - * by SSL_CTX_use_certificate). - */ - } - - /* When the while loop ends, it's usually just EOF. */ - err = ERR_peek_last_error(); - if (ERR_GET_LIB(err) == ERR_LIB_PEM && - ERR_GET_REASON(err) == PEM_R_NO_START_LINE) - ERR_clear_error(); - else - ret = 0; /* some real error */ - } - -end: - X509_free(x); - return (ret); -} - -int -SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, const char *file) -{ - BIO *in; - int ret = 0; - - in = BIO_new(BIO_s_file_internal()); - if (in == NULL) { - SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE, ERR_R_BUF_LIB); - goto end; - } - - if (BIO_read_filename(in, file) <= 0) { - SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE, ERR_R_SYS_LIB); - goto end; - } - - ret = ssl_ctx_use_certificate_chain_bio(ctx, in); - -end: - BIO_free(in); - return (ret); -} - -int -SSL_CTX_use_certificate_chain_mem(SSL_CTX *ctx, void *buf, int len) -{ - BIO *in; - int ret = 0; - - in = BIO_new_mem_buf(buf, len); - if (in == NULL) { - SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE, ERR_R_BUF_LIB); - goto end; - } - - ret = ssl_ctx_use_certificate_chain_bio(ctx, in); - -end: - BIO_free(in); - return (ret); -} diff --git a/lib/libssl/src/ssl/ssl_sess.c b/lib/libssl/src/ssl/ssl_sess.c deleted file mode 100644 index 16dd5c444cb..00000000000 --- a/lib/libssl/src/ssl/ssl_sess.c +++ /dev/null @@ -1,1099 +0,0 @@ -/* $OpenBSD: ssl_sess.c,v 1.49 2016/03/11 07:08:45 mmcc Exp $ */ -/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) - * All rights reserved. - * - * This package is an SSL implementation written - * by Eric Young (eay@cryptsoft.com). - * The implementation was written so as to conform with Netscapes SSL. - * - * This library is free for commercial and non-commercial use as long as - * the following conditions are aheared to. The following conditions - * apply to all code found in this distribution, be it the RC4, RSA, - * lhash, DES, etc., code; not just the SSL code. The SSL documentation - * included with this distribution is covered by the same copyright terms - * except that the holder is Tim Hudson (tjh@cryptsoft.com). - * - * Copyright remains Eric Young's, and as such any Copyright notices in - * the code are not to be removed. - * If this package is used in a product, Eric Young should be given attribution - * as the author of the parts of the library used. - * This can be in the form of a textual message at program startup or - * in documentation (online or textual) provided with the package. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * "This product includes cryptographic software written by - * Eric Young (eay@cryptsoft.com)" - * The word 'cryptographic' can be left out if the rouines from the library - * being used are not cryptographic related :-). - * 4. If you include any Windows specific code (or a derivative thereof) from - * the apps directory (application code) you must include an acknowledgement: - * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" - * - * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * The licence and distribution terms for any publically available version or - * derivative of this code cannot be changed. i.e. this code cannot simply be - * copied and put under another distribution licence - * [including the GNU Public Licence.] - */ -/* ==================================================================== - * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * openssl-core@openssl.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.openssl.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ -/* ==================================================================== - * Copyright 2005 Nokia. All rights reserved. - * - * The portions of the attached software ("Contribution") is developed by - * Nokia Corporation and is licensed pursuant to the OpenSSL open source - * license. - * - * The Contribution, originally written by Mika Kousa and Pasi Eronen of - * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites - * support (see RFC 4279) to OpenSSL. - * - * No patent licenses or other rights except those expressly stated in - * the OpenSSL open source license shall be deemed granted or received - * expressly, by implication, estoppel, or otherwise. - * - * No assurances are provided by Nokia that the Contribution does not - * infringe the patent or other intellectual property rights of any third - * party or that the license provides you with all the necessary rights - * to make use of the Contribution. - * - * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN - * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA - * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY - * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR - * OTHERWISE. - */ - -#include <openssl/lhash.h> - -#ifndef OPENSSL_NO_ENGINE -#include <openssl/engine.h> -#endif - -#include "ssl_locl.h" - -static void SSL_SESSION_list_remove(SSL_CTX *ctx, SSL_SESSION *s); -static void SSL_SESSION_list_add(SSL_CTX *ctx, SSL_SESSION *s); -static int remove_session_lock(SSL_CTX *ctx, SSL_SESSION *c, int lck); - -/* aka SSL_get0_session; gets 0 objects, just returns a copy of the pointer */ -SSL_SESSION * -SSL_get_session(const SSL *ssl) -{ - return (ssl->session); -} - -/* variant of SSL_get_session: caller really gets something */ -SSL_SESSION * -SSL_get1_session(SSL *ssl) -{ - SSL_SESSION *sess; - - /* - * Need to lock this all up rather than just use CRYPTO_add so that - * somebody doesn't free ssl->session between when we check it's - * non-null and when we up the reference count. - */ - CRYPTO_w_lock(CRYPTO_LOCK_SSL_SESSION); - sess = ssl->session; - if (sess) - sess->references++; - CRYPTO_w_unlock(CRYPTO_LOCK_SSL_SESSION); - - return (sess); -} - -int -SSL_SESSION_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func, - CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func) -{ - return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_SSL_SESSION, - argl, argp, new_func, dup_func, free_func); -} - -int -SSL_SESSION_set_ex_data(SSL_SESSION *s, int idx, void *arg) -{ - return (CRYPTO_set_ex_data(&s->ex_data, idx, arg)); -} - -void * -SSL_SESSION_get_ex_data(const SSL_SESSION *s, int idx) -{ - return (CRYPTO_get_ex_data(&s->ex_data, idx)); -} - -SSL_SESSION * -SSL_SESSION_new(void) -{ - SSL_SESSION *ss; - - ss = calloc(1, sizeof(SSL_SESSION)); - if (ss == NULL) { - SSLerr(SSL_F_SSL_SESSION_NEW, ERR_R_MALLOC_FAILURE); - return (0); - } - - ss->verify_result = 1; /* avoid 0 (= X509_V_OK) just in case */ - ss->references = 1; - ss->timeout=60*5+4; /* 5 minute timeout by default */ - ss->time = time(NULL); - ss->prev = NULL; - ss->next = NULL; - ss->tlsext_hostname = NULL; - - ss->tlsext_ecpointformatlist_length = 0; - ss->tlsext_ecpointformatlist = NULL; - ss->tlsext_ellipticcurvelist_length = 0; - ss->tlsext_ellipticcurvelist = NULL; - - CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL_SESSION, ss, &ss->ex_data); - - return (ss); -} - -const unsigned char * -SSL_SESSION_get_id(const SSL_SESSION *s, unsigned int *len) -{ - if (len) - *len = s->session_id_length; - return s->session_id; -} - -unsigned int -SSL_SESSION_get_compress_id(const SSL_SESSION *s) -{ - return 0; -} - -/* - * SSLv3/TLSv1 has 32 bytes (256 bits) of session ID space. As such, filling - * the ID with random gunk repeatedly until we have no conflict is going to - * complete in one iteration pretty much "most" of the time (btw: - * understatement). So, if it takes us 10 iterations and we still can't avoid - * a conflict - well that's a reasonable point to call it quits. Either the - * arc4random code is broken or someone is trying to open roughly very close to - * 2^128 (or 2^256) SSL sessions to our server. How you might store that many - * sessions is perhaps a more interesting question... - */ - -#define MAX_SESS_ID_ATTEMPTS 10 - -static int -def_generate_session_id(const SSL *ssl, unsigned char *id, unsigned int *id_len) -{ - unsigned int retry = 0; - - do { - arc4random_buf(id, *id_len); - } while (SSL_has_matching_session_id(ssl, id, *id_len) && - (++retry < MAX_SESS_ID_ATTEMPTS)); - - if (retry < MAX_SESS_ID_ATTEMPTS) - return 1; - - /* else - woops a session_id match */ - /* XXX We should also check the external cache -- - * but the probability of a collision is negligible, and - * we could not prevent the concurrent creation of sessions - * with identical IDs since we currently don't have means - * to atomically check whether a session ID already exists - * and make a reservation for it if it does not - * (this problem applies to the internal cache as well). - */ - return 0; -} - -int -ssl_get_new_session(SSL *s, int session) -{ - unsigned int tmp; - SSL_SESSION *ss = NULL; - GEN_SESSION_CB cb = def_generate_session_id; - - /* This gets used by clients and servers. */ - - if ((ss = SSL_SESSION_new()) == NULL) - return (0); - - /* If the context has a default timeout, use it */ - if (s->session_ctx->session_timeout == 0) - ss->timeout = SSL_get_default_timeout(s); - else - ss->timeout = s->session_ctx->session_timeout; - - if (s->session != NULL) { - SSL_SESSION_free(s->session); - s->session = NULL; - } - - if (session) { - switch (s->version) { - case TLS1_VERSION: - case TLS1_1_VERSION: - case TLS1_2_VERSION: - case DTLS1_VERSION: - ss->ssl_version = s->version; - ss->session_id_length = SSL3_SSL_SESSION_ID_LENGTH; - break; - default: - SSLerr(SSL_F_SSL_GET_NEW_SESSION, - SSL_R_UNSUPPORTED_SSL_VERSION); - SSL_SESSION_free(ss); - return (0); - } - - /* If RFC4507 ticket use empty session ID. */ - if (s->tlsext_ticket_expected) { - ss->session_id_length = 0; - goto sess_id_done; - } - - /* Choose which callback will set the session ID. */ - CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX); - if (s->generate_session_id) - cb = s->generate_session_id; - else if (s->session_ctx->generate_session_id) - cb = s->session_ctx->generate_session_id; - CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX); - - /* Choose a session ID. */ - tmp = ss->session_id_length; - if (!cb(s, ss->session_id, &tmp)) { - /* The callback failed */ - SSLerr(SSL_F_SSL_GET_NEW_SESSION, - SSL_R_SSL_SESSION_ID_CALLBACK_FAILED); - SSL_SESSION_free(ss); - return (0); - } - - /* - * Don't allow the callback to set the session length to zero. - * nor set it higher than it was. - */ - if (!tmp || (tmp > ss->session_id_length)) { - /* The callback set an illegal length */ - SSLerr(SSL_F_SSL_GET_NEW_SESSION, - SSL_R_SSL_SESSION_ID_HAS_BAD_LENGTH); - SSL_SESSION_free(ss); - return (0); - } - ss->session_id_length = tmp; - - /* Finally, check for a conflict. */ - if (SSL_has_matching_session_id(s, ss->session_id, - ss->session_id_length)) { - SSLerr(SSL_F_SSL_GET_NEW_SESSION, - SSL_R_SSL_SESSION_ID_CONFLICT); - SSL_SESSION_free(ss); - return (0); - } - -sess_id_done: - if (s->tlsext_hostname) { - ss->tlsext_hostname = strdup(s->tlsext_hostname); - if (ss->tlsext_hostname == NULL) { - SSLerr(SSL_F_SSL_GET_NEW_SESSION, - ERR_R_INTERNAL_ERROR); - SSL_SESSION_free(ss); - return 0; - } - } - } else { - ss->session_id_length = 0; - } - - if (s->sid_ctx_length > sizeof ss->sid_ctx) { - SSLerr(SSL_F_SSL_GET_NEW_SESSION, ERR_R_INTERNAL_ERROR); - SSL_SESSION_free(ss); - return 0; - } - - memcpy(ss->sid_ctx, s->sid_ctx, s->sid_ctx_length); - ss->sid_ctx_length = s->sid_ctx_length; - s->session = ss; - ss->ssl_version = s->version; - ss->verify_result = X509_V_OK; - - return (1); -} - -/* - * ssl_get_prev attempts to find an SSL_SESSION to be used to resume this - * connection. It is only called by servers. - * - * session_id: points at the session ID in the ClientHello. This code will - * read past the end of this in order to parse out the session ticket - * extension, if any. - * len: the length of the session ID. - * limit: a pointer to the first byte after the ClientHello. - * - * Returns: - * -1: error - * 0: a session may have been found. - * - * Side effects: - * - If a session is found then s->session is pointed at it (after freeing - * an existing session if need be) and s->verify_result is set from the - * session. - * - Both for new and resumed sessions, s->tlsext_ticket_expected is set - * to 1 if the server should issue a new session ticket (to 0 otherwise). - */ -int -ssl_get_prev_session(SSL *s, unsigned char *session_id, int len, - const unsigned char *limit) -{ - SSL_SESSION *ret = NULL; - int fatal = 0; - int try_session_cache = 1; - int r; - - /* This is used only by servers. */ - - if (len > SSL_MAX_SSL_SESSION_ID_LENGTH) - goto err; - - if (len == 0) - try_session_cache = 0; - - /* Sets s->tlsext_ticket_expected. */ - r = tls1_process_ticket(s, session_id, len, limit, &ret); - switch (r) { - case -1: /* Error during processing */ - fatal = 1; - goto err; - case 0: /* No ticket found */ - case 1: /* Zero length ticket found */ - break; /* Ok to carry on processing session id. */ - case 2: /* Ticket found but not decrypted. */ - case 3: /* Ticket decrypted, *ret has been set. */ - try_session_cache = 0; - break; - default: - abort(); - } - - if (try_session_cache && ret == NULL && - !(s->session_ctx->session_cache_mode & - SSL_SESS_CACHE_NO_INTERNAL_LOOKUP)) { - SSL_SESSION data; - data.ssl_version = s->version; - data.session_id_length = len; - memcpy(data.session_id, session_id, len); - - CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX); - ret = lh_SSL_SESSION_retrieve(s->session_ctx->sessions, &data); - if (ret != NULL) { - /* Don't allow other threads to steal it. */ - CRYPTO_add(&ret->references, 1, - CRYPTO_LOCK_SSL_SESSION); - } - CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX); - - if (ret == NULL) - s->session_ctx->stats.sess_miss++; - } - - if (try_session_cache && ret == NULL && - s->session_ctx->get_session_cb != NULL) { - int copy = 1; - - if ((ret = s->session_ctx->get_session_cb(s, session_id, - len, ©))) { - s->session_ctx->stats.sess_cb_hit++; - - /* - * Increment reference count now if the session - * callback asks us to do so (note that if the session - * structures returned by the callback are shared - * between threads, it must handle the reference count - * itself [i.e. copy == 0], or things won't be - * thread-safe). - */ - if (copy) - CRYPTO_add(&ret->references, 1, - CRYPTO_LOCK_SSL_SESSION); - - /* - * Add the externally cached session to the internal - * cache as well if and only if we are supposed to. - */ - if (!(s->session_ctx->session_cache_mode & - SSL_SESS_CACHE_NO_INTERNAL_STORE)) - /* - * The following should not return 1, - * otherwise, things are very strange. - */ - SSL_CTX_add_session(s->session_ctx, ret); - } - } - - if (ret == NULL) - goto err; - - /* Now ret is non-NULL and we own one of its reference counts. */ - - if (ret->sid_ctx_length != s->sid_ctx_length || - timingsafe_memcmp(ret->sid_ctx, - s->sid_ctx, ret->sid_ctx_length) != 0) { - /* We have the session requested by the client, but we don't - * want to use it in this context. */ - goto err; /* treat like cache miss */ - } - - if ((s->verify_mode & SSL_VERIFY_PEER) && s->sid_ctx_length == 0) { - /* - * We can't be sure if this session is being used out of - * context, which is especially important for SSL_VERIFY_PEER. - * The application should have used - * SSL[_CTX]_set_session_id_context. - * - * For this error case, we generate an error instead of treating - * the event like a cache miss (otherwise it would be easy for - * applications to effectively disable the session cache by - * accident without anyone noticing). - */ - SSLerr(SSL_F_SSL_GET_PREV_SESSION, - SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED); - fatal = 1; - goto err; - } - - if (ret->cipher == NULL) { - ret->cipher = ssl3_get_cipher_by_id(ret->cipher_id); - if (ret->cipher == NULL) - goto err; - } - - if (ret->timeout < (time(NULL) - ret->time)) { - /* timeout */ - s->session_ctx->stats.sess_timeout++; - if (try_session_cache) { - /* session was from the cache, so remove it */ - SSL_CTX_remove_session(s->session_ctx, ret); - } - goto err; - } - - s->session_ctx->stats.sess_hit++; - - if (s->session != NULL) - SSL_SESSION_free(s->session); - s->session = ret; - s->verify_result = s->session->verify_result; - return 1; - -err: - if (ret != NULL) { - SSL_SESSION_free(ret); - if (!try_session_cache) { - /* - * The session was from a ticket, so we should - * issue a ticket for the new session. - */ - s->tlsext_ticket_expected = 1; - } - } - if (fatal) - return -1; - else - return 0; -} - -int -SSL_CTX_add_session(SSL_CTX *ctx, SSL_SESSION *c) -{ - int ret = 0; - SSL_SESSION *s; - - /* - * Add just 1 reference count for the SSL_CTX's session cache - * even though it has two ways of access: each session is in a - * doubly linked list and an lhash. - */ - CRYPTO_add(&c->references, 1, CRYPTO_LOCK_SSL_SESSION); - - /* - * If session c is in already in cache, we take back the increment - * later. - */ - CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX); - s = lh_SSL_SESSION_insert(ctx->sessions, c); - - /* - * s != NULL iff we already had a session with the given PID. - * In this case, s == c should hold (then we did not really modify - * ctx->sessions), or we're in trouble. - */ - if (s != NULL && s != c) { - /* We *are* in trouble ... */ - SSL_SESSION_list_remove(ctx, s); - SSL_SESSION_free(s); - /* - * ... so pretend the other session did not exist in cache - * (we cannot handle two SSL_SESSION structures with identical - * session ID in the same cache, which could happen e.g. when - * two threads concurrently obtain the same session from an - * external cache). - */ - s = NULL; - } - - /* Put at the head of the queue unless it is already in the cache */ - if (s == NULL) - SSL_SESSION_list_add(ctx, c); - - if (s != NULL) { - /* - * existing cache entry -- decrement previously incremented - * reference count because it already takes into account the - * cache. - */ - SSL_SESSION_free(s); /* s == c */ - ret = 0; - } else { - /* - * New cache entry -- remove old ones if cache has become - * too large. - */ - - ret = 1; - - if (SSL_CTX_sess_get_cache_size(ctx) > 0) { - while (SSL_CTX_sess_number(ctx) > - SSL_CTX_sess_get_cache_size(ctx)) { - if (!remove_session_lock(ctx, - ctx->session_cache_tail, 0)) - break; - else - ctx->stats.sess_cache_full++; - } - } - } - CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX); - return (ret); -} - -int -SSL_CTX_remove_session(SSL_CTX *ctx, SSL_SESSION *c) -{ - return remove_session_lock(ctx, c, 1); -} - -static int -remove_session_lock(SSL_CTX *ctx, SSL_SESSION *c, int lck) -{ - SSL_SESSION *r; - int ret = 0; - - if ((c != NULL) && (c->session_id_length != 0)) { - if (lck) - CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX); - if ((r = lh_SSL_SESSION_retrieve(ctx->sessions, c)) == c) { - ret = 1; - r = lh_SSL_SESSION_delete(ctx->sessions, c); - SSL_SESSION_list_remove(ctx, c); - } - if (lck) - CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX); - - if (ret) { - r->not_resumable = 1; - if (ctx->remove_session_cb != NULL) - ctx->remove_session_cb(ctx, r); - SSL_SESSION_free(r); - } - } else - ret = 0; - return (ret); -} - -void -SSL_SESSION_free(SSL_SESSION *ss) -{ - int i; - - if (ss == NULL) - return; - - i = CRYPTO_add(&ss->references, -1, CRYPTO_LOCK_SSL_SESSION); - if (i > 0) - return; - - CRYPTO_free_ex_data(CRYPTO_EX_INDEX_SSL_SESSION, ss, &ss->ex_data); - - explicit_bzero(ss->master_key, sizeof ss->master_key); - explicit_bzero(ss->session_id, sizeof ss->session_id); - if (ss->sess_cert != NULL) - ssl_sess_cert_free(ss->sess_cert); - X509_free(ss->peer); - if (ss->ciphers != NULL) - sk_SSL_CIPHER_free(ss->ciphers); - free(ss->tlsext_hostname); - free(ss->tlsext_tick); - ss->tlsext_ecpointformatlist_length = 0; - free(ss->tlsext_ecpointformatlist); - ss->tlsext_ellipticcurvelist_length = 0; - free(ss->tlsext_ellipticcurvelist); - explicit_bzero(ss, sizeof(*ss)); - free(ss); -} - -int -SSL_set_session(SSL *s, SSL_SESSION *session) -{ - int ret = 0; - const SSL_METHOD *meth; - - if (session != NULL) { - meth = s->ctx->method->get_ssl_method(session->ssl_version); - if (meth == NULL) - meth = s->method->get_ssl_method(session->ssl_version); - if (meth == NULL) { - SSLerr(SSL_F_SSL_SET_SESSION, - SSL_R_UNABLE_TO_FIND_SSL_METHOD); - return (0); - } - - if (meth != s->method) { - if (!SSL_set_ssl_method(s, meth)) - return (0); - } - - - /* CRYPTO_w_lock(CRYPTO_LOCK_SSL);*/ - CRYPTO_add(&session->references, 1, CRYPTO_LOCK_SSL_SESSION); - if (s->session != NULL) - SSL_SESSION_free(s->session); - s->session = session; - s->verify_result = s->session->verify_result; - /* CRYPTO_w_unlock(CRYPTO_LOCK_SSL);*/ - ret = 1; - } else { - if (s->session != NULL) { - SSL_SESSION_free(s->session); - s->session = NULL; - } - - meth = s->ctx->method; - if (meth != s->method) { - if (!SSL_set_ssl_method(s, meth)) - return (0); - } - ret = 1; - } - return (ret); -} - -long -SSL_SESSION_set_timeout(SSL_SESSION *s, long t) -{ - if (s == NULL) - return (0); - s->timeout = t; - return (1); -} - -long -SSL_SESSION_get_timeout(const SSL_SESSION *s) -{ - if (s == NULL) - return (0); - return (s->timeout); -} - -/* XXX 2038 */ -long -SSL_SESSION_get_time(const SSL_SESSION *s) -{ - if (s == NULL) - return (0); - return (s->time); -} - -/* XXX 2038 */ -long -SSL_SESSION_set_time(SSL_SESSION *s, long t) -{ - if (s == NULL) - return (0); - s->time = t; - return (t); -} - -X509 * -SSL_SESSION_get0_peer(SSL_SESSION *s) -{ - return s->peer; -} - -int -SSL_SESSION_set1_id_context(SSL_SESSION *s, const unsigned char *sid_ctx, - unsigned int sid_ctx_len) -{ - if (sid_ctx_len > SSL_MAX_SID_CTX_LENGTH) { - SSLerr(SSL_F_SSL_SESSION_SET1_ID_CONTEXT, - SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG); - return 0; - } - s->sid_ctx_length = sid_ctx_len; - memcpy(s->sid_ctx, sid_ctx, sid_ctx_len); - - return 1; -} - -long -SSL_CTX_set_timeout(SSL_CTX *s, long t) -{ - long l; - - if (s == NULL) - return (0); - l = s->session_timeout; - s->session_timeout = t; - - return (l); -} - -long -SSL_CTX_get_timeout(const SSL_CTX *s) -{ - if (s == NULL) - return (0); - return (s->session_timeout); -} - -int -SSL_set_session_secret_cb(SSL *s, int (*tls_session_secret_cb)(SSL *s, - void *secret, int *secret_len, STACK_OF(SSL_CIPHER) *peer_ciphers, - SSL_CIPHER **cipher, void *arg), void *arg) -{ - if (s == NULL) - return (0); - s->tls_session_secret_cb = tls_session_secret_cb; - s->tls_session_secret_cb_arg = arg; - return (1); -} - -int -SSL_set_session_ticket_ext_cb(SSL *s, tls_session_ticket_ext_cb_fn cb, - void *arg) -{ - if (s == NULL) - return (0); - s->tls_session_ticket_ext_cb = cb; - s->tls_session_ticket_ext_cb_arg = arg; - return (1); -} - -int -SSL_set_session_ticket_ext(SSL *s, void *ext_data, int ext_len) -{ - if (s->version >= TLS1_VERSION) { - free(s->tlsext_session_ticket); - s->tlsext_session_ticket = - malloc(sizeof(TLS_SESSION_TICKET_EXT) + ext_len); - if (!s->tlsext_session_ticket) { - SSLerr(SSL_F_SSL_SET_SESSION_TICKET_EXT, - ERR_R_MALLOC_FAILURE); - return 0; - } - - if (ext_data) { - s->tlsext_session_ticket->length = ext_len; - s->tlsext_session_ticket->data = - s->tlsext_session_ticket + 1; - memcpy(s->tlsext_session_ticket->data, - ext_data, ext_len); - } else { - s->tlsext_session_ticket->length = 0; - s->tlsext_session_ticket->data = NULL; - } - - return 1; - } - - return 0; -} - -typedef struct timeout_param_st { - SSL_CTX *ctx; - long time; - LHASH_OF(SSL_SESSION) *cache; -} TIMEOUT_PARAM; - -static void -timeout_doall_arg(SSL_SESSION *s, TIMEOUT_PARAM *p) -{ - if ((p->time == 0) || (p->time > (s->time + s->timeout))) { - /* timeout */ - /* The reason we don't call SSL_CTX_remove_session() is to - * save on locking overhead */ - (void)lh_SSL_SESSION_delete(p->cache, s); - SSL_SESSION_list_remove(p->ctx, s); - s->not_resumable = 1; - if (p->ctx->remove_session_cb != NULL) - p->ctx->remove_session_cb(p->ctx, s); - SSL_SESSION_free(s); - } -} - -static -IMPLEMENT_LHASH_DOALL_ARG_FN(timeout, SSL_SESSION, TIMEOUT_PARAM) - -/* XXX 2038 */ -void -SSL_CTX_flush_sessions(SSL_CTX *s, long t) -{ - unsigned long i; - TIMEOUT_PARAM tp; - - tp.ctx = s; - tp.cache = s->sessions; - if (tp.cache == NULL) - return; - tp.time = t; - CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX); - i = CHECKED_LHASH_OF(SSL_SESSION, tp.cache)->down_load; - CHECKED_LHASH_OF(SSL_SESSION, tp.cache)->down_load = 0; - lh_SSL_SESSION_doall_arg(tp.cache, LHASH_DOALL_ARG_FN(timeout), - TIMEOUT_PARAM, &tp); - CHECKED_LHASH_OF(SSL_SESSION, tp.cache)->down_load = i; - CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX); -} - -int -ssl_clear_bad_session(SSL *s) -{ - if ((s->session != NULL) && !(s->shutdown & SSL_SENT_SHUTDOWN) && - !(SSL_in_init(s) || SSL_in_before(s))) { - SSL_CTX_remove_session(s->ctx, s->session); - return (1); - } else - return (0); -} - -/* locked by SSL_CTX in the calling function */ -static void -SSL_SESSION_list_remove(SSL_CTX *ctx, SSL_SESSION *s) -{ - if ((s->next == NULL) || (s->prev == NULL)) - return; - - if (s->next == (SSL_SESSION *)&(ctx->session_cache_tail)) { - /* last element in list */ - if (s->prev == (SSL_SESSION *)&(ctx->session_cache_head)) { - /* only one element in list */ - ctx->session_cache_head = NULL; - ctx->session_cache_tail = NULL; - } else { - ctx->session_cache_tail = s->prev; - s->prev->next = - (SSL_SESSION *)&(ctx->session_cache_tail); - } - } else { - if (s->prev == (SSL_SESSION *)&(ctx->session_cache_head)) { - /* first element in list */ - ctx->session_cache_head = s->next; - s->next->prev = - (SSL_SESSION *)&(ctx->session_cache_head); - } else { - /* middle of list */ - s->next->prev = s->prev; - s->prev->next = s->next; - } - } - s->prev = s->next = NULL; -} - -static void -SSL_SESSION_list_add(SSL_CTX *ctx, SSL_SESSION *s) -{ - if ((s->next != NULL) && (s->prev != NULL)) - SSL_SESSION_list_remove(ctx, s); - - if (ctx->session_cache_head == NULL) { - ctx->session_cache_head = s; - ctx->session_cache_tail = s; - s->prev = (SSL_SESSION *)&(ctx->session_cache_head); - s->next = (SSL_SESSION *)&(ctx->session_cache_tail); - } else { - s->next = ctx->session_cache_head; - s->next->prev = s; - s->prev = (SSL_SESSION *)&(ctx->session_cache_head); - ctx->session_cache_head = s; - } -} - -void -SSL_CTX_sess_set_new_cb(SSL_CTX *ctx, - int (*cb)(struct ssl_st *ssl, SSL_SESSION *sess)) { - ctx->new_session_cb = cb; -} - -int -(*SSL_CTX_sess_get_new_cb(SSL_CTX *ctx))(SSL *ssl, SSL_SESSION *sess) -{ - return ctx->new_session_cb; -} - -void -SSL_CTX_sess_set_remove_cb(SSL_CTX *ctx, - void (*cb)(SSL_CTX *ctx, SSL_SESSION *sess)) -{ - ctx->remove_session_cb = cb; -} - -void -(*SSL_CTX_sess_get_remove_cb(SSL_CTX *ctx))(SSL_CTX * ctx, SSL_SESSION *sess) -{ - return ctx->remove_session_cb; -} - -void -SSL_CTX_sess_set_get_cb(SSL_CTX *ctx, SSL_SESSION *(*cb)(struct ssl_st *ssl, - unsigned char *data, int len, int *copy)) -{ - ctx->get_session_cb = cb; -} - -SSL_SESSION * -(*SSL_CTX_sess_get_get_cb(SSL_CTX *ctx))(SSL *ssl, unsigned char *data, - int len, int *copy) -{ - return ctx->get_session_cb; -} - -void -SSL_CTX_set_info_callback(SSL_CTX *ctx, - void (*cb)(const SSL *ssl, int type, int val)) -{ - ctx->info_callback = cb; -} - -void -(*SSL_CTX_get_info_callback(SSL_CTX *ctx))(const SSL *ssl, int type, int val) -{ - return ctx->info_callback; -} - -void -SSL_CTX_set_client_cert_cb(SSL_CTX *ctx, - int (*cb)(SSL *ssl, X509 **x509, EVP_PKEY **pkey)) -{ - ctx->client_cert_cb = cb; -} - -int -(*SSL_CTX_get_client_cert_cb(SSL_CTX *ctx))(SSL * ssl, X509 ** x509, - EVP_PKEY **pkey) -{ - return ctx->client_cert_cb; -} - -#ifndef OPENSSL_NO_ENGINE -int -SSL_CTX_set_client_cert_engine(SSL_CTX *ctx, ENGINE *e) -{ - if (!ENGINE_init(e)) { - SSLerr(SSL_F_SSL_CTX_SET_CLIENT_CERT_ENGINE, - ERR_R_ENGINE_LIB); - return 0; - } - if (!ENGINE_get_ssl_client_cert_function(e)) { - SSLerr(SSL_F_SSL_CTX_SET_CLIENT_CERT_ENGINE, - SSL_R_NO_CLIENT_CERT_METHOD); - ENGINE_finish(e); - return 0; - } - ctx->client_cert_engine = e; - return 1; -} -#endif - -void -SSL_CTX_set_cookie_generate_cb(SSL_CTX *ctx, - int (*cb)(SSL *ssl, unsigned char *cookie, unsigned int *cookie_len)) -{ - ctx->app_gen_cookie_cb = cb; -} - -void -SSL_CTX_set_cookie_verify_cb(SSL_CTX *ctx, - int (*cb)(SSL *ssl, unsigned char *cookie, unsigned int cookie_len)) -{ - ctx->app_verify_cookie_cb = cb; -} - -IMPLEMENT_PEM_rw(SSL_SESSION, SSL_SESSION, PEM_STRING_SSL_SESSION, SSL_SESSION) diff --git a/lib/libssl/src/ssl/ssl_stat.c b/lib/libssl/src/ssl/ssl_stat.c deleted file mode 100644 index 6d67d19c253..00000000000 --- a/lib/libssl/src/ssl/ssl_stat.c +++ /dev/null @@ -1,801 +0,0 @@ -/* $OpenBSD: ssl_stat.c,v 1.12 2014/11/16 14:12:47 jsing Exp $ */ -/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) - * All rights reserved. - * - * This package is an SSL implementation written - * by Eric Young (eay@cryptsoft.com). - * The implementation was written so as to conform with Netscapes SSL. - * - * This library is free for commercial and non-commercial use as long as - * the following conditions are aheared to. The following conditions - * apply to all code found in this distribution, be it the RC4, RSA, - * lhash, DES, etc., code; not just the SSL code. The SSL documentation - * included with this distribution is covered by the same copyright terms - * except that the holder is Tim Hudson (tjh@cryptsoft.com). - * - * Copyright remains Eric Young's, and as such any Copyright notices in - * the code are not to be removed. - * If this package is used in a product, Eric Young should be given attribution - * as the author of the parts of the library used. - * This can be in the form of a textual message at program startup or - * in documentation (online or textual) provided with the package. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * "This product includes cryptographic software written by - * Eric Young (eay@cryptsoft.com)" - * The word 'cryptographic' can be left out if the rouines from the library - * being used are not cryptographic related :-). - * 4. If you include any Windows specific code (or a derivative thereof) from - * the apps directory (application code) you must include an acknowledgement: - * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" - * - * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * The licence and distribution terms for any publically available version or - * derivative of this code cannot be changed. i.e. this code cannot simply be - * copied and put under another distribution licence - * [including the GNU Public Licence.] - */ -/* ==================================================================== - * Copyright 2005 Nokia. All rights reserved. - * - * The portions of the attached software ("Contribution") is developed by - * Nokia Corporation and is licensed pursuant to the OpenSSL open source - * license. - * - * The Contribution, originally written by Mika Kousa and Pasi Eronen of - * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites - * support (see RFC 4279) to OpenSSL. - * - * No patent licenses or other rights except those expressly stated in - * the OpenSSL open source license shall be deemed granted or received - * expressly, by implication, estoppel, or otherwise. - * - * No assurances are provided by Nokia that the Contribution does not - * infringe the patent or other intellectual property rights of any third - * party or that the license provides you with all the necessary rights - * to make use of the Contribution. - * - * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN - * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA - * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY - * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR - * OTHERWISE. - */ - -#include <stdio.h> - -#include "ssl_locl.h" - -const char * -SSL_state_string_long(const SSL *s) -{ - const char *str; - - switch (s->state) { - case SSL_ST_BEFORE: - str = "before SSL initialization"; - break; - case SSL_ST_ACCEPT: - str = "before accept initialization"; - break; - case SSL_ST_CONNECT: - str = "before connect initialization"; - break; - case SSL_ST_OK: - str = "SSL negotiation finished successfully"; - break; - case SSL_ST_RENEGOTIATE: - str = "SSL renegotiate ciphers"; - break; - case SSL_ST_BEFORE|SSL_ST_CONNECT: - str = "before/connect initialization"; - break; - case SSL_ST_OK|SSL_ST_CONNECT: - str = "ok/connect SSL initialization"; - break; - case SSL_ST_BEFORE|SSL_ST_ACCEPT: - str = "before/accept initialization"; - break; - case SSL_ST_OK|SSL_ST_ACCEPT: - str = "ok/accept SSL initialization"; - break; - - /* SSLv3 additions */ - case SSL3_ST_CW_CLNT_HELLO_A: - str = "SSLv3 write client hello A"; - break; - case SSL3_ST_CW_CLNT_HELLO_B: - str = "SSLv3 write client hello B"; - break; - case SSL3_ST_CR_SRVR_HELLO_A: - str = "SSLv3 read server hello A"; - break; - case SSL3_ST_CR_SRVR_HELLO_B: - str = "SSLv3 read server hello B"; - break; - case SSL3_ST_CR_CERT_A: - str = "SSLv3 read server certificate A"; - break; - case SSL3_ST_CR_CERT_B: - str = "SSLv3 read server certificate B"; - break; - case SSL3_ST_CR_KEY_EXCH_A: - str = "SSLv3 read server key exchange A"; - break; - case SSL3_ST_CR_KEY_EXCH_B: - str = "SSLv3 read server key exchange B"; - break; - case SSL3_ST_CR_CERT_REQ_A: - str = "SSLv3 read server certificate request A"; - break; - case SSL3_ST_CR_CERT_REQ_B: - str = "SSLv3 read server certificate request B"; - break; - case SSL3_ST_CR_SESSION_TICKET_A: - str = "SSLv3 read server session ticket A"; - break; - case SSL3_ST_CR_SESSION_TICKET_B: - str = "SSLv3 read server session ticket B"; - break; - case SSL3_ST_CR_SRVR_DONE_A: - str = "SSLv3 read server done A"; - break; - case SSL3_ST_CR_SRVR_DONE_B: - str = "SSLv3 read server done B"; - break; - case SSL3_ST_CW_CERT_A: - str = "SSLv3 write client certificate A"; - break; - case SSL3_ST_CW_CERT_B: - str = "SSLv3 write client certificate B"; - break; - case SSL3_ST_CW_CERT_C: - str = "SSLv3 write client certificate C"; - break; - case SSL3_ST_CW_CERT_D: - str = "SSLv3 write client certificate D"; - break; - case SSL3_ST_CW_KEY_EXCH_A: - str = "SSLv3 write client key exchange A"; - break; - case SSL3_ST_CW_KEY_EXCH_B: - str = "SSLv3 write client key exchange B"; - break; - case SSL3_ST_CW_CERT_VRFY_A: - str = "SSLv3 write certificate verify A"; - break; - case SSL3_ST_CW_CERT_VRFY_B: - str = "SSLv3 write certificate verify B"; - break; - - case SSL3_ST_CW_CHANGE_A: - case SSL3_ST_SW_CHANGE_A: - str = "SSLv3 write change cipher spec A"; - break; - case SSL3_ST_CW_CHANGE_B: - case SSL3_ST_SW_CHANGE_B: - str = "SSLv3 write change cipher spec B"; - break; - case SSL3_ST_CW_FINISHED_A: - case SSL3_ST_SW_FINISHED_A: - str = "SSLv3 write finished A"; - break; - case SSL3_ST_CW_FINISHED_B: - case SSL3_ST_SW_FINISHED_B: - str = "SSLv3 write finished B"; - break; - case SSL3_ST_CR_CHANGE_A: - case SSL3_ST_SR_CHANGE_A: - str = "SSLv3 read change cipher spec A"; - break; - case SSL3_ST_CR_CHANGE_B: - case SSL3_ST_SR_CHANGE_B: - str = "SSLv3 read change cipher spec B"; - break; - case SSL3_ST_CR_FINISHED_A: - case SSL3_ST_SR_FINISHED_A: - str = "SSLv3 read finished A"; - break; - case SSL3_ST_CR_FINISHED_B: - case SSL3_ST_SR_FINISHED_B: - str = "SSLv3 read finished B"; - break; - - case SSL3_ST_CW_FLUSH: - case SSL3_ST_SW_FLUSH: - str = "SSLv3 flush data"; - break; - - case SSL3_ST_SR_CLNT_HELLO_A: - str = "SSLv3 read client hello A"; - break; - case SSL3_ST_SR_CLNT_HELLO_B: - str = "SSLv3 read client hello B"; - break; - case SSL3_ST_SR_CLNT_HELLO_C: - str = "SSLv3 read client hello C"; - break; - case SSL3_ST_SW_HELLO_REQ_A: - str = "SSLv3 write hello request A"; - break; - case SSL3_ST_SW_HELLO_REQ_B: - str = "SSLv3 write hello request B"; - break; - case SSL3_ST_SW_HELLO_REQ_C: - str = "SSLv3 write hello request C"; - break; - case SSL3_ST_SW_SRVR_HELLO_A: - str = "SSLv3 write server hello A"; - break; - case SSL3_ST_SW_SRVR_HELLO_B: - str = "SSLv3 write server hello B"; - break; - case SSL3_ST_SW_CERT_A: - str = "SSLv3 write certificate A"; - break; - case SSL3_ST_SW_CERT_B: - str = "SSLv3 write certificate B"; - break; - case SSL3_ST_SW_KEY_EXCH_A: - str = "SSLv3 write key exchange A"; - break; - case SSL3_ST_SW_KEY_EXCH_B: - str = "SSLv3 write key exchange B"; - break; - case SSL3_ST_SW_CERT_REQ_A: - str = "SSLv3 write certificate request A"; - break; - case SSL3_ST_SW_CERT_REQ_B: - str = "SSLv3 write certificate request B"; - break; - case SSL3_ST_SW_SESSION_TICKET_A: - str = "SSLv3 write session ticket A"; - break; - case SSL3_ST_SW_SESSION_TICKET_B: - str = "SSLv3 write session ticket B"; - break; - case SSL3_ST_SW_SRVR_DONE_A: - str = "SSLv3 write server done A"; - break; - case SSL3_ST_SW_SRVR_DONE_B: - str = "SSLv3 write server done B"; - break; - case SSL3_ST_SR_CERT_A: - str = "SSLv3 read client certificate A"; - break; - case SSL3_ST_SR_CERT_B: - str = "SSLv3 read client certificate B"; - break; - case SSL3_ST_SR_KEY_EXCH_A: - str = "SSLv3 read client key exchange A"; - break; - case SSL3_ST_SR_KEY_EXCH_B: - str = "SSLv3 read client key exchange B"; - break; - case SSL3_ST_SR_CERT_VRFY_A: - str = "SSLv3 read certificate verify A"; - break; - case SSL3_ST_SR_CERT_VRFY_B: - str = "SSLv3 read certificate verify B"; - break; - - /* DTLS */ - case DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A: - str = "DTLS1 read hello verify request A"; - break; - case DTLS1_ST_CR_HELLO_VERIFY_REQUEST_B: - str = "DTLS1 read hello verify request B"; - break; - case DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A: - str = "DTLS1 write hello verify request A"; - break; - case DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B: - str = "DTLS1 write hello verify request B"; - break; - - default: - str = "unknown state"; - break; - } - return (str); -} - -const char * -SSL_rstate_string_long(const SSL *s) -{ - const char *str; - - switch (s->rstate) { - case SSL_ST_READ_HEADER: - str = "read header"; - break; - case SSL_ST_READ_BODY: - str = "read body"; - break; - case SSL_ST_READ_DONE: - str = "read done"; - break; - default: - str = "unknown"; - break; - } - return (str); -} - -const char * -SSL_state_string(const SSL *s) -{ - const char *str; - - switch (s->state) { - case SSL_ST_BEFORE: - str = "PINIT "; - break; - case SSL_ST_ACCEPT: - str = "AINIT "; - break; - case SSL_ST_CONNECT: - str = "CINIT "; - break; - case SSL_ST_OK: - str = "SSLOK "; - break; - - /* SSLv3 additions */ - case SSL3_ST_SW_FLUSH: - case SSL3_ST_CW_FLUSH: - str = "3FLUSH"; - break; - case SSL3_ST_CW_CLNT_HELLO_A: - str = "3WCH_A"; - break; - case SSL3_ST_CW_CLNT_HELLO_B: - str = "3WCH_B"; - break; - case SSL3_ST_CR_SRVR_HELLO_A: - str = "3RSH_A"; - break; - case SSL3_ST_CR_SRVR_HELLO_B: - str = "3RSH_B"; - break; - case SSL3_ST_CR_CERT_A: - str = "3RSC_A"; - break; - case SSL3_ST_CR_CERT_B: - str = "3RSC_B"; - break; - case SSL3_ST_CR_KEY_EXCH_A: - str = "3RSKEA"; - break; - case SSL3_ST_CR_KEY_EXCH_B: - str = "3RSKEB"; - break; - case SSL3_ST_CR_CERT_REQ_A: - str = "3RCR_A"; - break; - case SSL3_ST_CR_CERT_REQ_B: - str = "3RCR_B"; - break; - case SSL3_ST_CR_SRVR_DONE_A: - str = "3RSD_A"; - break; - case SSL3_ST_CR_SRVR_DONE_B: - str = "3RSD_B"; - break; - case SSL3_ST_CW_CERT_A: - str = "3WCC_A"; - break; - case SSL3_ST_CW_CERT_B: - str = "3WCC_B"; - break; - case SSL3_ST_CW_CERT_C: - str = "3WCC_C"; - break; - case SSL3_ST_CW_CERT_D: - str = "3WCC_D"; - break; - case SSL3_ST_CW_KEY_EXCH_A: - str = "3WCKEA"; - break; - case SSL3_ST_CW_KEY_EXCH_B: - str = "3WCKEB"; - break; - case SSL3_ST_CW_CERT_VRFY_A: - str = "3WCV_A"; - break; - case SSL3_ST_CW_CERT_VRFY_B: - str = "3WCV_B"; - break; - - case SSL3_ST_SW_CHANGE_A: - case SSL3_ST_CW_CHANGE_A: - str = "3WCCSA"; - break; - case SSL3_ST_SW_CHANGE_B: - case SSL3_ST_CW_CHANGE_B: - str = "3WCCSB"; - break; - case SSL3_ST_SW_FINISHED_A: - case SSL3_ST_CW_FINISHED_A: - str = "3WFINA"; - break; - case SSL3_ST_SW_FINISHED_B: - case SSL3_ST_CW_FINISHED_B: - str = "3WFINB"; - break; - case SSL3_ST_SR_CHANGE_A: - case SSL3_ST_CR_CHANGE_A: - str = "3RCCSA"; - break; - case SSL3_ST_SR_CHANGE_B: - case SSL3_ST_CR_CHANGE_B: - str = "3RCCSB"; - break; - case SSL3_ST_SR_FINISHED_A: - case SSL3_ST_CR_FINISHED_A: - str = "3RFINA"; - break; - case SSL3_ST_SR_FINISHED_B: - case SSL3_ST_CR_FINISHED_B: - str = "3RFINB"; - break; - - case SSL3_ST_SW_HELLO_REQ_A: - str = "3WHR_A"; - break; - case SSL3_ST_SW_HELLO_REQ_B: - str = "3WHR_B"; - break; - case SSL3_ST_SW_HELLO_REQ_C: - str = "3WHR_C"; - break; - case SSL3_ST_SR_CLNT_HELLO_A: - str = "3RCH_A"; - break; - case SSL3_ST_SR_CLNT_HELLO_B: - str = "3RCH_B"; - break; - case SSL3_ST_SR_CLNT_HELLO_C: - str = "3RCH_C"; - break; - case SSL3_ST_SW_SRVR_HELLO_A: - str = "3WSH_A"; - break; - case SSL3_ST_SW_SRVR_HELLO_B: - str = "3WSH_B"; - break; - case SSL3_ST_SW_CERT_A: - str = "3WSC_A"; - break; - case SSL3_ST_SW_CERT_B: - str = "3WSC_B"; - break; - case SSL3_ST_SW_KEY_EXCH_A: - str = "3WSKEA"; - break; - case SSL3_ST_SW_KEY_EXCH_B: - str = "3WSKEB"; - break; - case SSL3_ST_SW_CERT_REQ_A: - str = "3WCR_A"; - break; - case SSL3_ST_SW_CERT_REQ_B: - str = "3WCR_B"; - break; - case SSL3_ST_SW_SRVR_DONE_A: - str = "3WSD_A"; - break; - case SSL3_ST_SW_SRVR_DONE_B: - str = "3WSD_B"; - break; - case SSL3_ST_SR_CERT_A: - str = "3RCC_A"; - break; - case SSL3_ST_SR_CERT_B: - str = "3RCC_B"; - break; - case SSL3_ST_SR_KEY_EXCH_A: - str = "3RCKEA"; - break; - case SSL3_ST_SR_KEY_EXCH_B: - str = "3RCKEB"; - break; - case SSL3_ST_SR_CERT_VRFY_A: - str = "3RCV_A"; - break; - case SSL3_ST_SR_CERT_VRFY_B: - str = "3RCV_B"; - break; - - /* DTLS */ - case DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A: - str = "DRCHVA"; - break; - case DTLS1_ST_CR_HELLO_VERIFY_REQUEST_B: - str = "DRCHVB"; - break; - case DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A: - str = "DWCHVA"; - break; - case DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B: - str = "DWCHVB"; - break; - - default: - str = "UNKWN "; - break; - } - return (str); -} - -const char * -SSL_alert_type_string_long(int value) -{ - value >>= 8; - if (value == SSL3_AL_WARNING) - return ("warning"); - else if (value == SSL3_AL_FATAL) - return ("fatal"); - else - return ("unknown"); -} - -const char * -SSL_alert_type_string(int value) -{ - value >>= 8; - if (value == SSL3_AL_WARNING) - return ("W"); - else if (value == SSL3_AL_FATAL) - return ("F"); - else - return ("U"); -} - -const char * -SSL_alert_desc_string(int value) -{ - const char *str; - - switch (value & 0xff) { - case SSL3_AD_CLOSE_NOTIFY: - str = "CN"; - break; - case SSL3_AD_UNEXPECTED_MESSAGE: - str = "UM"; - break; - case SSL3_AD_BAD_RECORD_MAC: - str = "BM"; - break; - case SSL3_AD_DECOMPRESSION_FAILURE: - str = "DF"; - break; - case SSL3_AD_HANDSHAKE_FAILURE: - str = "HF"; - break; - case SSL3_AD_NO_CERTIFICATE: - str = "NC"; - break; - case SSL3_AD_BAD_CERTIFICATE: - str = "BC"; - break; - case SSL3_AD_UNSUPPORTED_CERTIFICATE: - str = "UC"; - break; - case SSL3_AD_CERTIFICATE_REVOKED: - str = "CR"; - break; - case SSL3_AD_CERTIFICATE_EXPIRED: - str = "CE"; - break; - case SSL3_AD_CERTIFICATE_UNKNOWN: - str = "CU"; - break; - case SSL3_AD_ILLEGAL_PARAMETER: - str = "IP"; - break; - case TLS1_AD_DECRYPTION_FAILED: - str = "DC"; - break; - case TLS1_AD_RECORD_OVERFLOW: - str = "RO"; - break; - case TLS1_AD_UNKNOWN_CA: - str = "CA"; - break; - case TLS1_AD_ACCESS_DENIED: - str = "AD"; - break; - case TLS1_AD_DECODE_ERROR: - str = "DE"; - break; - case TLS1_AD_DECRYPT_ERROR: - str = "CY"; - break; - case TLS1_AD_EXPORT_RESTRICTION: - str = "ER"; - break; - case TLS1_AD_PROTOCOL_VERSION: - str = "PV"; - break; - case TLS1_AD_INSUFFICIENT_SECURITY: - str = "IS"; - break; - case TLS1_AD_INTERNAL_ERROR: - str = "IE"; - break; - case TLS1_AD_USER_CANCELLED: - str = "US"; - break; - case TLS1_AD_NO_RENEGOTIATION: - str = "NR"; - break; - case TLS1_AD_UNSUPPORTED_EXTENSION: - str = "UE"; - break; - case TLS1_AD_CERTIFICATE_UNOBTAINABLE: - str = "CO"; - break; - case TLS1_AD_UNRECOGNIZED_NAME: - str = "UN"; - break; - case TLS1_AD_BAD_CERTIFICATE_STATUS_RESPONSE: - str = "BR"; - break; - case TLS1_AD_BAD_CERTIFICATE_HASH_VALUE: - str = "BH"; - break; - case TLS1_AD_UNKNOWN_PSK_IDENTITY: - str = "UP"; - break; - default: - str = "UK"; - break; - } - return (str); -} - -const char * -SSL_alert_desc_string_long(int value) -{ - const char *str; - - switch (value & 0xff) { - case SSL3_AD_CLOSE_NOTIFY: - str = "close notify"; - break; - case SSL3_AD_UNEXPECTED_MESSAGE: - str = "unexpected_message"; - break; - case SSL3_AD_BAD_RECORD_MAC: - str = "bad record mac"; - break; - case SSL3_AD_DECOMPRESSION_FAILURE: - str = "decompression failure"; - break; - case SSL3_AD_HANDSHAKE_FAILURE: - str = "handshake failure"; - break; - case SSL3_AD_NO_CERTIFICATE: - str = "no certificate"; - break; - case SSL3_AD_BAD_CERTIFICATE: - str = "bad certificate"; - break; - case SSL3_AD_UNSUPPORTED_CERTIFICATE: - str = "unsupported certificate"; - break; - case SSL3_AD_CERTIFICATE_REVOKED: - str = "certificate revoked"; - break; - case SSL3_AD_CERTIFICATE_EXPIRED: - str = "certificate expired"; - break; - case SSL3_AD_CERTIFICATE_UNKNOWN: - str = "certificate unknown"; - break; - case SSL3_AD_ILLEGAL_PARAMETER: - str = "illegal parameter"; - break; - case TLS1_AD_DECRYPTION_FAILED: - str = "decryption failed"; - break; - case TLS1_AD_RECORD_OVERFLOW: - str = "record overflow"; - break; - case TLS1_AD_UNKNOWN_CA: - str = "unknown CA"; - break; - case TLS1_AD_ACCESS_DENIED: - str = "access denied"; - break; - case TLS1_AD_DECODE_ERROR: - str = "decode error"; - break; - case TLS1_AD_DECRYPT_ERROR: - str = "decrypt error"; - break; - case TLS1_AD_EXPORT_RESTRICTION: - str = "export restriction"; - break; - case TLS1_AD_PROTOCOL_VERSION: - str = "protocol version"; - break; - case TLS1_AD_INSUFFICIENT_SECURITY: - str = "insufficient security"; - break; - case TLS1_AD_INTERNAL_ERROR: - str = "internal error"; - break; - case TLS1_AD_USER_CANCELLED: - str = "user canceled"; - break; - case TLS1_AD_NO_RENEGOTIATION: - str = "no renegotiation"; - break; - case TLS1_AD_UNSUPPORTED_EXTENSION: - str = "unsupported extension"; - break; - case TLS1_AD_CERTIFICATE_UNOBTAINABLE: - str = "certificate unobtainable"; - break; - case TLS1_AD_UNRECOGNIZED_NAME: - str = "unrecognized name"; - break; - case TLS1_AD_BAD_CERTIFICATE_STATUS_RESPONSE: - str = "bad certificate status response"; - break; - case TLS1_AD_BAD_CERTIFICATE_HASH_VALUE: - str = "bad certificate hash value"; - break; - case TLS1_AD_UNKNOWN_PSK_IDENTITY: - str = "unknown PSK identity"; - break; - default: - str = "unknown"; - break; - } - return (str); -} - -const char * -SSL_rstate_string(const SSL *s) -{ - const char *str; - - switch (s->rstate) { - case SSL_ST_READ_HEADER: - str = "RH"; - break; - case SSL_ST_READ_BODY: - str = "RB"; - break; - case SSL_ST_READ_DONE: - str = "RD"; - break; - default: - str = "unknown"; - break; - } - return (str); -} diff --git a/lib/libssl/src/ssl/ssl_txt.c b/lib/libssl/src/ssl/ssl_txt.c deleted file mode 100644 index c3626dc03a1..00000000000 --- a/lib/libssl/src/ssl/ssl_txt.c +++ /dev/null @@ -1,187 +0,0 @@ -/* $OpenBSD: ssl_txt.c,v 1.26 2014/12/14 15:30:50 jsing Exp $ */ -/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) - * All rights reserved. - * - * This package is an SSL implementation written - * by Eric Young (eay@cryptsoft.com). - * The implementation was written so as to conform with Netscapes SSL. - * - * This library is free for commercial and non-commercial use as long as - * the following conditions are aheared to. The following conditions - * apply to all code found in this distribution, be it the RC4, RSA, - * lhash, DES, etc., code; not just the SSL code. The SSL documentation - * included with this distribution is covered by the same copyright terms - * except that the holder is Tim Hudson (tjh@cryptsoft.com). - * - * Copyright remains Eric Young's, and as such any Copyright notices in - * the code are not to be removed. - * If this package is used in a product, Eric Young should be given attribution - * as the author of the parts of the library used. - * This can be in the form of a textual message at program startup or - * in documentation (online or textual) provided with the package. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * "This product includes cryptographic software written by - * Eric Young (eay@cryptsoft.com)" - * The word 'cryptographic' can be left out if the rouines from the library - * being used are not cryptographic related :-). - * 4. If you include any Windows specific code (or a derivative thereof) from - * the apps directory (application code) you must include an acknowledgement: - * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" - * - * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * The licence and distribution terms for any publically available version or - * derivative of this code cannot be changed. i.e. this code cannot simply be - * copied and put under another distribution licence - * [including the GNU Public Licence.] - */ -/* ==================================================================== - * Copyright 2005 Nokia. All rights reserved. - * - * The portions of the attached software ("Contribution") is developed by - * Nokia Corporation and is licensed pursuant to the OpenSSL open source - * license. - * - * The Contribution, originally written by Mika Kousa and Pasi Eronen of - * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites - * support (see RFC 4279) to OpenSSL. - * - * No patent licenses or other rights except those expressly stated in - * the OpenSSL open source license shall be deemed granted or received - * expressly, by implication, estoppel, or otherwise. - * - * No assurances are provided by Nokia that the Contribution does not - * infringe the patent or other intellectual property rights of any third - * party or that the license provides you with all the necessary rights - * to make use of the Contribution. - * - * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN - * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA - * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY - * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR - * OTHERWISE. - */ - -#include <stdio.h> - -#include <openssl/buffer.h> - -#include "ssl_locl.h" - -int -SSL_SESSION_print_fp(FILE *fp, const SSL_SESSION *x) -{ - BIO *b; - int ret; - - if ((b = BIO_new(BIO_s_file_internal())) == NULL) { - SSLerr(SSL_F_SSL_SESSION_PRINT_FP, ERR_R_BUF_LIB); - return (0); - } - BIO_set_fp(b, fp, BIO_NOCLOSE); - ret = SSL_SESSION_print(b, x); - BIO_free(b); - return (ret); -} - -int -SSL_SESSION_print(BIO *bp, const SSL_SESSION *x) -{ - unsigned int i; - const char *s; - - if (x == NULL) - goto err; - if (BIO_puts(bp, "SSL-Session:\n") <= 0) - goto err; - - s = ssl_version_string(x->ssl_version); - if (BIO_printf(bp, " Protocol : %s\n", s) <= 0) - goto err; - - if (x->cipher == NULL) { - if (((x->cipher_id) & 0xff000000) == 0x02000000) { - if (BIO_printf(bp, " Cipher : %06lX\n", x->cipher_id&0xffffff) <= 0) - goto err; - } else { - if (BIO_printf(bp, " Cipher : %04lX\n", x->cipher_id&0xffff) <= 0) - goto err; - } - } else { - if (BIO_printf(bp, " Cipher : %s\n",((x->cipher == NULL)?"unknown":x->cipher->name)) <= 0) - goto err; - } - if (BIO_puts(bp, " Session-ID: ") <= 0) - goto err; - for (i = 0; i < x->session_id_length; i++) { - if (BIO_printf(bp, "%02X", x->session_id[i]) <= 0) - goto err; - } - if (BIO_puts(bp, "\n Session-ID-ctx: ") <= 0) - goto err; - for (i = 0; i < x->sid_ctx_length; i++) { - if (BIO_printf(bp, "%02X", x->sid_ctx[i]) <= 0) - goto err; - } - if (BIO_puts(bp, "\n Master-Key: ") <= 0) - goto err; - for (i = 0; i < (unsigned int)x->master_key_length; i++) { - if (BIO_printf(bp, "%02X", x->master_key[i]) <= 0) - goto err; - } - if (x->tlsext_tick_lifetime_hint) { - if (BIO_printf(bp, - "\n TLS session ticket lifetime hint: %ld (seconds)", - x->tlsext_tick_lifetime_hint) <= 0) - goto err; - } - if (x->tlsext_tick) { - if (BIO_puts(bp, "\n TLS session ticket:\n") <= 0) - goto err; - if (BIO_dump_indent(bp, (char *)x->tlsext_tick, x->tlsext_ticklen, 4) <= 0) - goto err; - } - - if (x->time != 0) { - if (BIO_printf(bp, "\n Start Time: %lld", (long long)x->time) <= 0) - goto err; - } - if (x->timeout != 0L) { - if (BIO_printf(bp, "\n Timeout : %ld (sec)", x->timeout) <= 0) - goto err; - } - if (BIO_puts(bp, "\n") <= 0) - goto err; - - if (BIO_puts(bp, " Verify return code: ") <= 0) - goto err; - - if (BIO_printf(bp, "%ld (%s)\n", x->verify_result, - X509_verify_cert_error_string(x->verify_result)) <= 0) - goto err; - - return (1); -err: - return (0); -} - diff --git a/lib/libssl/src/ssl/t1_clnt.c b/lib/libssl/src/ssl/t1_clnt.c deleted file mode 100644 index 0853a3cb33a..00000000000 --- a/lib/libssl/src/ssl/t1_clnt.c +++ /dev/null @@ -1,237 +0,0 @@ -/* $OpenBSD: t1_clnt.c,v 1.18 2015/09/11 14:39:05 jsing Exp $ */ -/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) - * All rights reserved. - * - * This package is an SSL implementation written - * by Eric Young (eay@cryptsoft.com). - * The implementation was written so as to conform with Netscapes SSL. - * - * This library is free for commercial and non-commercial use as long as - * the following conditions are aheared to. The following conditions - * apply to all code found in this distribution, be it the RC4, RSA, - * lhash, DES, etc., code; not just the SSL code. The SSL documentation - * included with this distribution is covered by the same copyright terms - * except that the holder is Tim Hudson (tjh@cryptsoft.com). - * - * Copyright remains Eric Young's, and as such any Copyright notices in - * the code are not to be removed. - * If this package is used in a product, Eric Young should be given attribution - * as the author of the parts of the library used. - * This can be in the form of a textual message at program startup or - * in documentation (online or textual) provided with the package. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * "This product includes cryptographic software written by - * Eric Young (eay@cryptsoft.com)" - * The word 'cryptographic' can be left out if the rouines from the library - * being used are not cryptographic related :-). - * 4. If you include any Windows specific code (or a derivative thereof) from - * the apps directory (application code) you must include an acknowledgement: - * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" - * - * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * The licence and distribution terms for any publically available version or - * derivative of this code cannot be changed. i.e. this code cannot simply be - * copied and put under another distribution licence - * [including the GNU Public Licence.] - */ - -#include <stdio.h> - -#include "ssl_locl.h" - -#include <openssl/buffer.h> -#include <openssl/evp.h> -#include <openssl/objects.h> - -static const SSL_METHOD *tls1_get_client_method(int ver); - -const SSL_METHOD TLS_client_method_data = { - .version = TLS1_2_VERSION, - .ssl_new = tls1_new, - .ssl_clear = tls1_clear, - .ssl_free = tls1_free, - .ssl_accept = ssl_undefined_function, - .ssl_connect = ssl23_connect, - .ssl_read = ssl23_read, - .ssl_peek = ssl23_peek, - .ssl_write = ssl23_write, - .ssl_shutdown = ssl_undefined_function, - .ssl_renegotiate = ssl_undefined_function, - .ssl_renegotiate_check = ssl_ok, - .ssl_get_message = ssl3_get_message, - .ssl_read_bytes = ssl3_read_bytes, - .ssl_write_bytes = ssl3_write_bytes, - .ssl_dispatch_alert = ssl3_dispatch_alert, - .ssl_ctrl = ssl3_ctrl, - .ssl_ctx_ctrl = ssl3_ctx_ctrl, - .get_cipher_by_char = ssl3_get_cipher_by_char, - .put_cipher_by_char = ssl3_put_cipher_by_char, - .ssl_pending = ssl_undefined_const_function, - .num_ciphers = ssl3_num_ciphers, - .get_cipher = ssl3_get_cipher, - .get_ssl_method = tls1_get_client_method, - .get_timeout = ssl23_default_timeout, - .ssl3_enc = &ssl3_undef_enc_method, - .ssl_version = ssl_undefined_void_function, - .ssl_callback_ctrl = ssl3_callback_ctrl, - .ssl_ctx_callback_ctrl = ssl3_ctx_callback_ctrl, -}; - -const SSL_METHOD TLSv1_client_method_data = { - .version = TLS1_VERSION, - .ssl_new = tls1_new, - .ssl_clear = tls1_clear, - .ssl_free = tls1_free, - .ssl_accept = ssl_undefined_function, - .ssl_connect = ssl3_connect, - .ssl_read = ssl3_read, - .ssl_peek = ssl3_peek, - .ssl_write = ssl3_write, - .ssl_shutdown = ssl3_shutdown, - .ssl_renegotiate = ssl3_renegotiate, - .ssl_renegotiate_check = ssl3_renegotiate_check, - .ssl_get_message = ssl3_get_message, - .ssl_read_bytes = ssl3_read_bytes, - .ssl_write_bytes = ssl3_write_bytes, - .ssl_dispatch_alert = ssl3_dispatch_alert, - .ssl_ctrl = ssl3_ctrl, - .ssl_ctx_ctrl = ssl3_ctx_ctrl, - .get_cipher_by_char = ssl3_get_cipher_by_char, - .put_cipher_by_char = ssl3_put_cipher_by_char, - .ssl_pending = ssl3_pending, - .num_ciphers = ssl3_num_ciphers, - .get_cipher = ssl3_get_cipher, - .get_ssl_method = tls1_get_client_method, - .get_timeout = tls1_default_timeout, - .ssl3_enc = &TLSv1_enc_data, - .ssl_version = ssl_undefined_void_function, - .ssl_callback_ctrl = ssl3_callback_ctrl, - .ssl_ctx_callback_ctrl = ssl3_ctx_callback_ctrl, -}; - -const SSL_METHOD TLSv1_1_client_method_data = { - .version = TLS1_1_VERSION, - .ssl_new = tls1_new, - .ssl_clear = tls1_clear, - .ssl_free = tls1_free, - .ssl_accept = ssl_undefined_function, - .ssl_connect = ssl3_connect, - .ssl_read = ssl3_read, - .ssl_peek = ssl3_peek, - .ssl_write = ssl3_write, - .ssl_shutdown = ssl3_shutdown, - .ssl_renegotiate = ssl3_renegotiate, - .ssl_renegotiate_check = ssl3_renegotiate_check, - .ssl_get_message = ssl3_get_message, - .ssl_read_bytes = ssl3_read_bytes, - .ssl_write_bytes = ssl3_write_bytes, - .ssl_dispatch_alert = ssl3_dispatch_alert, - .ssl_ctrl = ssl3_ctrl, - .ssl_ctx_ctrl = ssl3_ctx_ctrl, - .get_cipher_by_char = ssl3_get_cipher_by_char, - .put_cipher_by_char = ssl3_put_cipher_by_char, - .ssl_pending = ssl3_pending, - .num_ciphers = ssl3_num_ciphers, - .get_cipher = ssl3_get_cipher, - .get_ssl_method = tls1_get_client_method, - .get_timeout = tls1_default_timeout, - .ssl3_enc = &TLSv1_1_enc_data, - .ssl_version = ssl_undefined_void_function, - .ssl_callback_ctrl = ssl3_callback_ctrl, - .ssl_ctx_callback_ctrl = ssl3_ctx_callback_ctrl, -}; - -const SSL_METHOD TLSv1_2_client_method_data = { - .version = TLS1_2_VERSION, - .ssl_new = tls1_new, - .ssl_clear = tls1_clear, - .ssl_free = tls1_free, - .ssl_accept = ssl_undefined_function, - .ssl_connect = ssl3_connect, - .ssl_read = ssl3_read, - .ssl_peek = ssl3_peek, - .ssl_write = ssl3_write, - .ssl_shutdown = ssl3_shutdown, - .ssl_renegotiate = ssl3_renegotiate, - .ssl_renegotiate_check = ssl3_renegotiate_check, - .ssl_get_message = ssl3_get_message, - .ssl_read_bytes = ssl3_read_bytes, - .ssl_write_bytes = ssl3_write_bytes, - .ssl_dispatch_alert = ssl3_dispatch_alert, - .ssl_ctrl = ssl3_ctrl, - .ssl_ctx_ctrl = ssl3_ctx_ctrl, - .get_cipher_by_char = ssl3_get_cipher_by_char, - .put_cipher_by_char = ssl3_put_cipher_by_char, - .ssl_pending = ssl3_pending, - .num_ciphers = ssl3_num_ciphers, - .get_cipher = ssl3_get_cipher, - .get_ssl_method = tls1_get_client_method, - .get_timeout = tls1_default_timeout, - .ssl3_enc = &TLSv1_2_enc_data, - .ssl_version = ssl_undefined_void_function, - .ssl_callback_ctrl = ssl3_callback_ctrl, - .ssl_ctx_callback_ctrl = ssl3_ctx_callback_ctrl, -}; - -static const SSL_METHOD * -tls1_get_client_method(int ver) -{ - if (ver == TLS1_2_VERSION) - return (TLSv1_2_client_method()); - if (ver == TLS1_1_VERSION) - return (TLSv1_1_client_method()); - if (ver == TLS1_VERSION) - return (TLSv1_client_method()); - return (NULL); -} - -const SSL_METHOD * -SSLv23_client_method(void) -{ - return (TLS_client_method()); -} - -const SSL_METHOD * -TLS_client_method(void) -{ - return (&TLS_client_method_data); -} - -const SSL_METHOD * -TLSv1_client_method(void) -{ - return (&TLSv1_client_method_data); -} - -const SSL_METHOD * -TLSv1_1_client_method(void) -{ - return (&TLSv1_1_client_method_data); -} - -const SSL_METHOD * -TLSv1_2_client_method(void) -{ - return (&TLSv1_2_client_method_data); -} diff --git a/lib/libssl/src/ssl/t1_enc.c b/lib/libssl/src/ssl/t1_enc.c deleted file mode 100644 index 53570b2d4f7..00000000000 --- a/lib/libssl/src/ssl/t1_enc.c +++ /dev/null @@ -1,1419 +0,0 @@ -/* $OpenBSD: t1_enc.c,v 1.85 2016/04/28 16:39:45 jsing Exp $ */ -/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) - * All rights reserved. - * - * This package is an SSL implementation written - * by Eric Young (eay@cryptsoft.com). - * The implementation was written so as to conform with Netscapes SSL. - * - * This library is free for commercial and non-commercial use as long as - * the following conditions are aheared to. The following conditions - * apply to all code found in this distribution, be it the RC4, RSA, - * lhash, DES, etc., code; not just the SSL code. The SSL documentation - * included with this distribution is covered by the same copyright terms - * except that the holder is Tim Hudson (tjh@cryptsoft.com). - * - * Copyright remains Eric Young's, and as such any Copyright notices in - * the code are not to be removed. - * If this package is used in a product, Eric Young should be given attribution - * as the author of the parts of the library used. - * This can be in the form of a textual message at program startup or - * in documentation (online or textual) provided with the package. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * "This product includes cryptographic software written by - * Eric Young (eay@cryptsoft.com)" - * The word 'cryptographic' can be left out if the rouines from the library - * being used are not cryptographic related :-). - * 4. If you include any Windows specific code (or a derivative thereof) from - * the apps directory (application code) you must include an acknowledgement: - * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" - * - * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * The licence and distribution terms for any publically available version or - * derivative of this code cannot be changed. i.e. this code cannot simply be - * copied and put under another distribution licence - * [including the GNU Public Licence.] - */ -/* ==================================================================== - * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * openssl-core@openssl.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.openssl.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ -/* ==================================================================== - * Copyright 2005 Nokia. All rights reserved. - * - * The portions of the attached software ("Contribution") is developed by - * Nokia Corporation and is licensed pursuant to the OpenSSL open source - * license. - * - * The Contribution, originally written by Mika Kousa and Pasi Eronen of - * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites - * support (see RFC 4279) to OpenSSL. - * - * No patent licenses or other rights except those expressly stated in - * the OpenSSL open source license shall be deemed granted or received - * expressly, by implication, estoppel, or otherwise. - * - * No assurances are provided by Nokia that the Contribution does not - * infringe the patent or other intellectual property rights of any third - * party or that the license provides you with all the necessary rights - * to make use of the Contribution. - * - * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN - * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA - * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY - * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR - * OTHERWISE. - */ - -#include <stdio.h> - -#include "ssl_locl.h" - -#include <openssl/evp.h> -#include <openssl/hmac.h> -#include <openssl/md5.h> - -void -tls1_cleanup_key_block(SSL *s) -{ - if (s->s3->tmp.key_block != NULL) { - explicit_bzero(s->s3->tmp.key_block, - s->s3->tmp.key_block_length); - free(s->s3->tmp.key_block); - s->s3->tmp.key_block = NULL; - } - s->s3->tmp.key_block_length = 0; -} - -int -tls1_init_finished_mac(SSL *s) -{ - BIO_free(s->s3->handshake_buffer); - tls1_free_digest_list(s); - - s->s3->handshake_buffer = BIO_new(BIO_s_mem()); - if (s->s3->handshake_buffer == NULL) - return (0); - - (void)BIO_set_close(s->s3->handshake_buffer, BIO_CLOSE); - - return (1); -} - -void -tls1_free_digest_list(SSL *s) -{ - int i; - - if (s == NULL) - return; - - if (s->s3->handshake_dgst == NULL) - return; - for (i = 0; i < SSL_MAX_DIGEST; i++) { - if (s->s3->handshake_dgst[i]) - EVP_MD_CTX_destroy(s->s3->handshake_dgst[i]); - } - free(s->s3->handshake_dgst); - s->s3->handshake_dgst = NULL; -} - -void -tls1_finish_mac(SSL *s, const unsigned char *buf, int len) -{ - if (s->s3->handshake_buffer && - !(s->s3->flags & TLS1_FLAGS_KEEP_HANDSHAKE)) { - BIO_write(s->s3->handshake_buffer, (void *)buf, len); - } else { - int i; - for (i = 0; i < SSL_MAX_DIGEST; i++) { - if (s->s3->handshake_dgst[i]!= NULL) - EVP_DigestUpdate(s->s3->handshake_dgst[i], buf, len); - } - } -} - -int -tls1_digest_cached_records(SSL *s) -{ - int i; - long mask; - const EVP_MD *md; - long hdatalen; - void *hdata; - - tls1_free_digest_list(s); - - s->s3->handshake_dgst = calloc(SSL_MAX_DIGEST, sizeof(EVP_MD_CTX *)); - if (s->s3->handshake_dgst == NULL) { - SSLerr(SSL_F_SSL3_DIGEST_CACHED_RECORDS, ERR_R_MALLOC_FAILURE); - return 0; - } - hdatalen = BIO_get_mem_data(s->s3->handshake_buffer, &hdata); - if (hdatalen <= 0) { - SSLerr(SSL_F_SSL3_DIGEST_CACHED_RECORDS, - SSL_R_BAD_HANDSHAKE_LENGTH); - return 0; - } - - /* Loop through bits of the algorithm2 field and create MD contexts. */ - for (i = 0; ssl_get_handshake_digest(i, &mask, &md); i++) { - if ((mask & ssl_get_algorithm2(s)) && md) { - s->s3->handshake_dgst[i] = EVP_MD_CTX_create(); - if (s->s3->handshake_dgst[i] == NULL) { - SSLerr(SSL_F_SSL3_DIGEST_CACHED_RECORDS, - ERR_R_MALLOC_FAILURE); - return 0; - } - if (!EVP_DigestInit_ex(s->s3->handshake_dgst[i], - md, NULL)) { - EVP_MD_CTX_destroy(s->s3->handshake_dgst[i]); - return 0; - } - if (!EVP_DigestUpdate(s->s3->handshake_dgst[i], hdata, - hdatalen)) - return 0; - } - } - - if (!(s->s3->flags & TLS1_FLAGS_KEEP_HANDSHAKE)) { - BIO_free(s->s3->handshake_buffer); - s->s3->handshake_buffer = NULL; - } - - return 1; -} - -void -tls1_record_sequence_increment(unsigned char *seq) -{ - int i; - - for (i = SSL3_SEQUENCE_SIZE - 1; i >= 0; i--) { - if (++seq[i] != 0) - break; - } -} - -/* seed1 through seed5 are virtually concatenated */ -static int -tls1_P_hash(const EVP_MD *md, const unsigned char *sec, int sec_len, - const void *seed1, int seed1_len, const void *seed2, int seed2_len, - const void *seed3, int seed3_len, const void *seed4, int seed4_len, - const void *seed5, int seed5_len, unsigned char *out, int olen) -{ - int chunk; - size_t j; - EVP_MD_CTX ctx, ctx_tmp; - EVP_PKEY *mac_key; - unsigned char A1[EVP_MAX_MD_SIZE]; - size_t A1_len; - int ret = 0; - - chunk = EVP_MD_size(md); - OPENSSL_assert(chunk >= 0); - - EVP_MD_CTX_init(&ctx); - EVP_MD_CTX_init(&ctx_tmp); - mac_key = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, sec, sec_len); - if (!mac_key) - goto err; - if (!EVP_DigestSignInit(&ctx, NULL, md, NULL, mac_key)) - goto err; - if (!EVP_DigestSignInit(&ctx_tmp, NULL, md, NULL, mac_key)) - goto err; - if (seed1 && !EVP_DigestSignUpdate(&ctx, seed1, seed1_len)) - goto err; - if (seed2 && !EVP_DigestSignUpdate(&ctx, seed2, seed2_len)) - goto err; - if (seed3 && !EVP_DigestSignUpdate(&ctx, seed3, seed3_len)) - goto err; - if (seed4 && !EVP_DigestSignUpdate(&ctx, seed4, seed4_len)) - goto err; - if (seed5 && !EVP_DigestSignUpdate(&ctx, seed5, seed5_len)) - goto err; - if (!EVP_DigestSignFinal(&ctx, A1, &A1_len)) - goto err; - - for (;;) { - /* Reinit mac contexts */ - if (!EVP_DigestSignInit(&ctx, NULL, md, NULL, mac_key)) - goto err; - if (!EVP_DigestSignInit(&ctx_tmp, NULL, md, NULL, mac_key)) - goto err; - if (!EVP_DigestSignUpdate(&ctx, A1, A1_len)) - goto err; - if (!EVP_DigestSignUpdate(&ctx_tmp, A1, A1_len)) - goto err; - if (seed1 && !EVP_DigestSignUpdate(&ctx, seed1, seed1_len)) - goto err; - if (seed2 && !EVP_DigestSignUpdate(&ctx, seed2, seed2_len)) - goto err; - if (seed3 && !EVP_DigestSignUpdate(&ctx, seed3, seed3_len)) - goto err; - if (seed4 && !EVP_DigestSignUpdate(&ctx, seed4, seed4_len)) - goto err; - if (seed5 && !EVP_DigestSignUpdate(&ctx, seed5, seed5_len)) - goto err; - - if (olen > chunk) { - if (!EVP_DigestSignFinal(&ctx, out, &j)) - goto err; - out += j; - olen -= j; - /* calc the next A1 value */ - if (!EVP_DigestSignFinal(&ctx_tmp, A1, &A1_len)) - goto err; - } else { - /* last one */ - if (!EVP_DigestSignFinal(&ctx, A1, &A1_len)) - goto err; - memcpy(out, A1, olen); - break; - } - } - ret = 1; - -err: - EVP_PKEY_free(mac_key); - EVP_MD_CTX_cleanup(&ctx); - EVP_MD_CTX_cleanup(&ctx_tmp); - explicit_bzero(A1, sizeof(A1)); - return ret; -} - -/* seed1 through seed5 are virtually concatenated */ -static int -tls1_PRF(long digest_mask, const void *seed1, int seed1_len, const void *seed2, - int seed2_len, const void *seed3, int seed3_len, const void *seed4, - int seed4_len, const void *seed5, int seed5_len, const unsigned char *sec, - int slen, unsigned char *out1, unsigned char *out2, int olen) -{ - int len, i, idx, count; - const unsigned char *S1; - long m; - const EVP_MD *md; - int ret = 0; - - /* Count number of digests and partition sec evenly */ - count = 0; - for (idx = 0; ssl_get_handshake_digest(idx, &m, &md); idx++) { - if ((m << TLS1_PRF_DGST_SHIFT) & digest_mask) - count++; - } - if (count == 0) { - SSLerr(SSL_F_TLS1_PRF, - SSL_R_SSL_HANDSHAKE_FAILURE); - goto err; - } - len = slen / count; - if (count == 1) - slen = 0; - S1 = sec; - memset(out1, 0, olen); - for (idx = 0; ssl_get_handshake_digest(idx, &m, &md); idx++) { - if ((m << TLS1_PRF_DGST_SHIFT) & digest_mask) { - if (!md) { - SSLerr(SSL_F_TLS1_PRF, - SSL_R_UNSUPPORTED_DIGEST_TYPE); - goto err; - } - if (!tls1_P_hash(md , S1, len + (slen&1), seed1, - seed1_len, seed2, seed2_len, seed3, seed3_len, - seed4, seed4_len, seed5, seed5_len, out2, olen)) - goto err; - S1 += len; - for (i = 0; i < olen; i++) { - out1[i] ^= out2[i]; - } - } - } - ret = 1; - -err: - return ret; -} - -static int -tls1_generate_key_block(SSL *s, unsigned char *km, unsigned char *tmp, int num) -{ - int ret; - - ret = tls1_PRF(ssl_get_algorithm2(s), - TLS_MD_KEY_EXPANSION_CONST, TLS_MD_KEY_EXPANSION_CONST_SIZE, - s->s3->server_random, SSL3_RANDOM_SIZE, - s->s3->client_random, SSL3_RANDOM_SIZE, - NULL, 0, NULL, 0, - s->session->master_key, s->session->master_key_length, - km, tmp, num); - return ret; -} - -/* - * tls1_aead_ctx_init allocates aead_ctx, if needed. It returns 1 on success - * and 0 on failure. - */ -static int -tls1_aead_ctx_init(SSL_AEAD_CTX **aead_ctx) -{ - if (*aead_ctx != NULL) { - EVP_AEAD_CTX_cleanup(&(*aead_ctx)->ctx); - return (1); - } - - *aead_ctx = malloc(sizeof(SSL_AEAD_CTX)); - if (*aead_ctx == NULL) { - SSLerr(SSL_F_TLS1_AEAD_CTX_INIT, ERR_R_MALLOC_FAILURE); - return (0); - } - - return (1); -} - -static int -tls1_change_cipher_state_aead(SSL *s, char is_read, const unsigned char *key, - unsigned key_len, const unsigned char *iv, unsigned iv_len) -{ - const EVP_AEAD *aead = s->s3->tmp.new_aead; - SSL_AEAD_CTX *aead_ctx; - - if (is_read) { - if (!tls1_aead_ctx_init(&s->aead_read_ctx)) - return 0; - aead_ctx = s->aead_read_ctx; - } else { - if (!tls1_aead_ctx_init(&s->aead_write_ctx)) - return 0; - aead_ctx = s->aead_write_ctx; - } - - if (!EVP_AEAD_CTX_init(&aead_ctx->ctx, aead, key, key_len, - EVP_AEAD_DEFAULT_TAG_LENGTH, NULL)) - return (0); - if (iv_len > sizeof(aead_ctx->fixed_nonce)) { - SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE_AEAD, - ERR_R_INTERNAL_ERROR); - return (0); - } - memcpy(aead_ctx->fixed_nonce, iv, iv_len); - aead_ctx->fixed_nonce_len = iv_len; - aead_ctx->variable_nonce_len = 8; /* always the case, currently. */ - aead_ctx->variable_nonce_in_record = - (s->s3->tmp.new_cipher->algorithm2 & - SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD) != 0; - aead_ctx->xor_fixed_nonce = - s->s3->tmp.new_cipher->algorithm_enc == SSL_CHACHA20POLY1305; - aead_ctx->tag_len = EVP_AEAD_max_overhead(aead); - - if (aead_ctx->xor_fixed_nonce) { - if (aead_ctx->fixed_nonce_len != EVP_AEAD_nonce_length(aead) || - aead_ctx->variable_nonce_len > EVP_AEAD_nonce_length(aead)) { - SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE_AEAD, - ERR_R_INTERNAL_ERROR); - return (0); - } - } else { - if (aead_ctx->variable_nonce_len + aead_ctx->fixed_nonce_len != - EVP_AEAD_nonce_length(aead)) { - SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE_AEAD, - ERR_R_INTERNAL_ERROR); - return (0); - } - } - - return (1); -} - -/* - * tls1_change_cipher_state_cipher performs the work needed to switch cipher - * states when using EVP_CIPHER. The argument is_read is true iff this function - * is being called due to reading, as opposed to writing, a ChangeCipherSpec - * message. In order to support export ciphersuites, use_client_keys indicates - * whether the key material provided is in the "client write" direction. - */ -static int -tls1_change_cipher_state_cipher(SSL *s, char is_read, char use_client_keys, - const unsigned char *mac_secret, unsigned int mac_secret_size, - const unsigned char *key, unsigned int key_len, const unsigned char *iv, - unsigned int iv_len) -{ - EVP_CIPHER_CTX *cipher_ctx; - const EVP_CIPHER *cipher; - EVP_MD_CTX *mac_ctx; - const EVP_MD *mac; - int mac_type; - - cipher = s->s3->tmp.new_sym_enc; - mac = s->s3->tmp.new_hash; - mac_type = s->s3->tmp.new_mac_pkey_type; - - if (is_read) { - if (s->s3->tmp.new_cipher->algorithm2 & TLS1_STREAM_MAC) - s->mac_flags |= SSL_MAC_FLAG_READ_MAC_STREAM; - else - s->mac_flags &= ~SSL_MAC_FLAG_READ_MAC_STREAM; - - EVP_CIPHER_CTX_free(s->enc_read_ctx); - s->enc_read_ctx = NULL; - EVP_MD_CTX_destroy(s->read_hash); - s->read_hash = NULL; - - if ((cipher_ctx = EVP_CIPHER_CTX_new()) == NULL) - goto err; - s->enc_read_ctx = cipher_ctx; - if ((mac_ctx = EVP_MD_CTX_create()) == NULL) - goto err; - s->read_hash = mac_ctx; - } else { - if (s->s3->tmp.new_cipher->algorithm2 & TLS1_STREAM_MAC) - s->mac_flags |= SSL_MAC_FLAG_WRITE_MAC_STREAM; - else - s->mac_flags &= ~SSL_MAC_FLAG_WRITE_MAC_STREAM; - - /* - * DTLS fragments retain a pointer to the compression, cipher - * and hash contexts, so that it can restore state in order - * to perform retransmissions. As such, we cannot free write - * contexts that are used for DTLS - these are instead freed - * by DTLS when its frees a ChangeCipherSpec fragment. - */ - if (!SSL_IS_DTLS(s)) { - EVP_CIPHER_CTX_free(s->enc_write_ctx); - s->enc_write_ctx = NULL; - EVP_MD_CTX_destroy(s->write_hash); - s->write_hash = NULL; - } - if ((cipher_ctx = EVP_CIPHER_CTX_new()) == NULL) - goto err; - s->enc_write_ctx = cipher_ctx; - if ((mac_ctx = EVP_MD_CTX_create()) == NULL) - goto err; - s->write_hash = mac_ctx; - } - - if (EVP_CIPHER_mode(cipher) == EVP_CIPH_GCM_MODE) { - EVP_CipherInit_ex(cipher_ctx, cipher, NULL, key, NULL, - !is_read); - EVP_CIPHER_CTX_ctrl(cipher_ctx, EVP_CTRL_GCM_SET_IV_FIXED, - iv_len, (unsigned char *)iv); - } else - EVP_CipherInit_ex(cipher_ctx, cipher, NULL, key, iv, !is_read); - - if (!(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER)) { - EVP_PKEY *mac_key = EVP_PKEY_new_mac_key(mac_type, NULL, - mac_secret, mac_secret_size); - if (mac_key == NULL) - goto err; - EVP_DigestSignInit(mac_ctx, NULL, mac, NULL, mac_key); - EVP_PKEY_free(mac_key); - } else if (mac_secret_size > 0) { - /* Needed for "composite" AEADs, such as RC4-HMAC-MD5 */ - EVP_CIPHER_CTX_ctrl(cipher_ctx, EVP_CTRL_AEAD_SET_MAC_KEY, - mac_secret_size, (unsigned char *)mac_secret); - } - - if (s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT) { - int nid; - if (s->s3->tmp.new_cipher->algorithm2 & SSL_HANDSHAKE_MAC_GOST94) - nid = NID_id_Gost28147_89_CryptoPro_A_ParamSet; - else - nid = NID_id_tc26_gost_28147_param_Z; - - EVP_CIPHER_CTX_ctrl(cipher_ctx, EVP_CTRL_GOST_SET_SBOX, nid, 0); - if (s->s3->tmp.new_cipher->algorithm_mac == SSL_GOST89MAC) - EVP_MD_CTX_ctrl(mac_ctx, EVP_MD_CTRL_GOST_SET_SBOX, nid, 0); - } - - return (1); - -err: - SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE_CIPHER, ERR_R_MALLOC_FAILURE); - return (0); -} - -int -tls1_change_cipher_state(SSL *s, int which) -{ - const unsigned char *client_write_mac_secret, *server_write_mac_secret; - const unsigned char *client_write_key, *server_write_key; - const unsigned char *client_write_iv, *server_write_iv; - const unsigned char *mac_secret, *key, *iv; - int mac_secret_size, key_len, iv_len; - unsigned char *key_block, *seq; - const EVP_CIPHER *cipher; - const EVP_AEAD *aead; - char is_read, use_client_keys; - - - cipher = s->s3->tmp.new_sym_enc; - aead = s->s3->tmp.new_aead; - - /* - * is_read is true if we have just read a ChangeCipherSpec message, - * that is we need to update the read cipherspec. Otherwise we have - * just written one. - */ - is_read = (which & SSL3_CC_READ) != 0; - - /* - * use_client_keys is true if we wish to use the keys for the "client - * write" direction. This is the case if we're a client sending a - * ChangeCipherSpec, or a server reading a client's ChangeCipherSpec. - */ - use_client_keys = ((which == SSL3_CHANGE_CIPHER_CLIENT_WRITE) || - (which == SSL3_CHANGE_CIPHER_SERVER_READ)); - - - /* - * Reset sequence number to zero - for DTLS this is handled in - * dtls1_reset_seq_numbers(). - */ - if (!SSL_IS_DTLS(s)) { - seq = is_read ? s->s3->read_sequence : s->s3->write_sequence; - memset(seq, 0, SSL3_SEQUENCE_SIZE); - } - - if (aead != NULL) { - key_len = EVP_AEAD_key_length(aead); - iv_len = SSL_CIPHER_AEAD_FIXED_NONCE_LEN(s->s3->tmp.new_cipher); - } else { - key_len = EVP_CIPHER_key_length(cipher); - iv_len = EVP_CIPHER_iv_length(cipher); - - /* If GCM mode only part of IV comes from PRF. */ - if (EVP_CIPHER_mode(cipher) == EVP_CIPH_GCM_MODE) - iv_len = EVP_GCM_TLS_FIXED_IV_LEN; - } - - mac_secret_size = s->s3->tmp.new_mac_secret_size; - - key_block = s->s3->tmp.key_block; - client_write_mac_secret = key_block; - key_block += mac_secret_size; - server_write_mac_secret = key_block; - key_block += mac_secret_size; - client_write_key = key_block; - key_block += key_len; - server_write_key = key_block; - key_block += key_len; - client_write_iv = key_block; - key_block += iv_len; - server_write_iv = key_block; - key_block += iv_len; - - if (use_client_keys) { - mac_secret = client_write_mac_secret; - key = client_write_key; - iv = client_write_iv; - } else { - mac_secret = server_write_mac_secret; - key = server_write_key; - iv = server_write_iv; - } - - if (key_block - s->s3->tmp.key_block != s->s3->tmp.key_block_length) { - SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR); - goto err2; - } - - if (is_read) { - memcpy(s->s3->read_mac_secret, mac_secret, mac_secret_size); - s->s3->read_mac_secret_size = mac_secret_size; - } else { - memcpy(s->s3->write_mac_secret, mac_secret, mac_secret_size); - s->s3->write_mac_secret_size = mac_secret_size; - } - - if (aead != NULL) { - return tls1_change_cipher_state_aead(s, is_read, key, key_len, - iv, iv_len); - } - - return tls1_change_cipher_state_cipher(s, is_read, use_client_keys, - mac_secret, mac_secret_size, key, key_len, iv, iv_len); - -err2: - return (0); -} - -int -tls1_setup_key_block(SSL *s) -{ - unsigned char *key_block, *tmp_block = NULL; - int mac_type = NID_undef, mac_secret_size = 0; - int key_block_len, key_len, iv_len; - const EVP_CIPHER *cipher = NULL; - const EVP_AEAD *aead = NULL; - const EVP_MD *mac = NULL; - int ret = 0; - - if (s->s3->tmp.key_block_length != 0) - return (1); - - if (s->session->cipher && - (s->session->cipher->algorithm2 & SSL_CIPHER_ALGORITHM2_AEAD)) { - if (!ssl_cipher_get_evp_aead(s->session, &aead)) { - SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK, - SSL_R_CIPHER_OR_HASH_UNAVAILABLE); - return (0); - } - key_len = EVP_AEAD_key_length(aead); - iv_len = SSL_CIPHER_AEAD_FIXED_NONCE_LEN(s->session->cipher); - } else { - if (!ssl_cipher_get_evp(s->session, &cipher, &mac, &mac_type, - &mac_secret_size)) { - SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK, - SSL_R_CIPHER_OR_HASH_UNAVAILABLE); - return (0); - } - key_len = EVP_CIPHER_key_length(cipher); - iv_len = EVP_CIPHER_iv_length(cipher); - - /* If GCM mode only part of IV comes from PRF. */ - if (EVP_CIPHER_mode(cipher) == EVP_CIPH_GCM_MODE) - iv_len = EVP_GCM_TLS_FIXED_IV_LEN; - } - - s->s3->tmp.new_aead = aead; - s->s3->tmp.new_sym_enc = cipher; - s->s3->tmp.new_hash = mac; - s->s3->tmp.new_mac_pkey_type = mac_type; - s->s3->tmp.new_mac_secret_size = mac_secret_size; - - tls1_cleanup_key_block(s); - - if ((key_block = reallocarray(NULL, mac_secret_size + key_len + iv_len, - 2)) == NULL) { - SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK, ERR_R_MALLOC_FAILURE); - goto err; - } - key_block_len = (mac_secret_size + key_len + iv_len) * 2; - - s->s3->tmp.key_block_length = key_block_len; - s->s3->tmp.key_block = key_block; - - if ((tmp_block = malloc(key_block_len)) == NULL) { - SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK, ERR_R_MALLOC_FAILURE); - goto err; - } - - if (!tls1_generate_key_block(s, key_block, tmp_block, key_block_len)) - goto err; - - if (!(s->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS) && - s->method->version <= TLS1_VERSION) { - /* - * Enable vulnerability countermeasure for CBC ciphers with - * known-IV problem (http://www.openssl.org/~bodo/tls-cbc.txt) - */ - s->s3->need_empty_fragments = 1; - - if (s->session->cipher != NULL) { - if (s->session->cipher->algorithm_enc == SSL_eNULL) - s->s3->need_empty_fragments = 0; - -#ifndef OPENSSL_NO_RC4 - if (s->session->cipher->algorithm_enc == SSL_RC4) - s->s3->need_empty_fragments = 0; -#endif - } - } - - ret = 1; - -err: - if (tmp_block) { - explicit_bzero(tmp_block, key_block_len); - free(tmp_block); - } - return (ret); -} - -/* tls1_enc encrypts/decrypts the record in |s->wrec| / |s->rrec|, respectively. - * - * Returns: - * 0: (in non-constant time) if the record is publically invalid (i.e. too - * short etc). - * 1: if the record's padding is valid / the encryption was successful. - * -1: if the record's padding/AEAD-authenticator is invalid or, if sending, - * an internal error occured. - */ -int -tls1_enc(SSL *s, int send) -{ - const SSL_AEAD_CTX *aead; - const EVP_CIPHER *enc; - EVP_CIPHER_CTX *ds; - SSL3_RECORD *rec; - unsigned char *seq; - unsigned long l; - int bs, i, j, k, pad = 0, ret, mac_size = 0; - - if (send) { - aead = s->aead_write_ctx; - rec = &s->s3->wrec; - seq = s->s3->write_sequence; - } else { - aead = s->aead_read_ctx; - rec = &s->s3->rrec; - seq = s->s3->read_sequence; - } - - if (aead) { - unsigned char ad[13], *in, *out, nonce[16]; - size_t out_len, pad_len = 0; - unsigned int nonce_used; - - if (SSL_IS_DTLS(s)) { - dtls1_build_sequence_number(ad, seq, - send ? s->d1->w_epoch : s->d1->r_epoch); - } else { - memcpy(ad, seq, SSL3_SEQUENCE_SIZE); - tls1_record_sequence_increment(seq); - } - - ad[8] = rec->type; - ad[9] = (unsigned char)(s->version >> 8); - ad[10] = (unsigned char)(s->version); - - if (aead->variable_nonce_len > 8 || - aead->variable_nonce_len > sizeof(nonce)) - return -1; - - if (aead->xor_fixed_nonce) { - if (aead->fixed_nonce_len > sizeof(nonce) || - aead->variable_nonce_len > aead->fixed_nonce_len) - return -1; /* Should never happen. */ - pad_len = aead->fixed_nonce_len - aead->variable_nonce_len; - } else { - if (aead->fixed_nonce_len + - aead->variable_nonce_len > sizeof(nonce)) - return -1; /* Should never happen. */ - } - - if (send) { - size_t len = rec->length; - size_t eivlen = 0; - in = rec->input; - out = rec->data; - - if (aead->xor_fixed_nonce) { - /* - * The sequence number is left zero - * padded, then xored with the fixed - * nonce. - */ - memset(nonce, 0, pad_len); - memcpy(nonce + pad_len, ad, - aead->variable_nonce_len); - for (i = 0; i < aead->fixed_nonce_len; i++) - nonce[i] ^= aead->fixed_nonce[i]; - nonce_used = aead->fixed_nonce_len; - } else { - /* - * When sending we use the sequence number as - * the variable part of the nonce. - */ - memcpy(nonce, aead->fixed_nonce, - aead->fixed_nonce_len); - nonce_used = aead->fixed_nonce_len; - memcpy(nonce + nonce_used, ad, - aead->variable_nonce_len); - nonce_used += aead->variable_nonce_len; - } - - /* - * In do_ssl3_write, rec->input is moved forward by - * variable_nonce_len in order to leave space for the - * variable nonce. Thus we can copy the sequence number - * bytes into place without overwriting any of the - * plaintext. - */ - if (aead->variable_nonce_in_record) { - memcpy(out, ad, aead->variable_nonce_len); - len -= aead->variable_nonce_len; - eivlen = aead->variable_nonce_len; - } - - ad[11] = len >> 8; - ad[12] = len & 0xff; - - if (!EVP_AEAD_CTX_seal(&aead->ctx, - out + eivlen, &out_len, len + aead->tag_len, nonce, - nonce_used, in + eivlen, len, ad, sizeof(ad))) - return -1; - if (aead->variable_nonce_in_record) - out_len += aead->variable_nonce_len; - } else { - /* receive */ - size_t len = rec->length; - - if (rec->data != rec->input) - return -1; /* internal error - should never happen. */ - out = in = rec->input; - - if (len < aead->variable_nonce_len) - return 0; - - if (aead->xor_fixed_nonce) { - /* - * The sequence number is left zero - * padded, then xored with the fixed - * nonce. - */ - memset(nonce, 0, pad_len); - memcpy(nonce + pad_len, ad, - aead->variable_nonce_len); - for (i = 0; i < aead->fixed_nonce_len; i++) - nonce[i] ^= aead->fixed_nonce[i]; - nonce_used = aead->fixed_nonce_len; - } else { - memcpy(nonce, aead->fixed_nonce, - aead->fixed_nonce_len); - nonce_used = aead->fixed_nonce_len; - - memcpy(nonce + nonce_used, - aead->variable_nonce_in_record ? in : ad, - aead->variable_nonce_len); - nonce_used += aead->variable_nonce_len; - } - - if (aead->variable_nonce_in_record) { - in += aead->variable_nonce_len; - len -= aead->variable_nonce_len; - out += aead->variable_nonce_len; - } - - if (len < aead->tag_len) - return 0; - len -= aead->tag_len; - - ad[11] = len >> 8; - ad[12] = len & 0xff; - - if (!EVP_AEAD_CTX_open(&aead->ctx, out, &out_len, len, - nonce, nonce_used, in, len + aead->tag_len, ad, - sizeof(ad))) - return -1; - - rec->data = rec->input = out; - } - - rec->length = out_len; - - return 1; - } - - if (send) { - if (EVP_MD_CTX_md(s->write_hash)) { - int n = EVP_MD_CTX_size(s->write_hash); - OPENSSL_assert(n >= 0); - } - ds = s->enc_write_ctx; - if (s->enc_write_ctx == NULL) - enc = NULL; - else { - int ivlen = 0; - enc = EVP_CIPHER_CTX_cipher(s->enc_write_ctx); - if (SSL_USE_EXPLICIT_IV(s) && - EVP_CIPHER_mode(enc) == EVP_CIPH_CBC_MODE) - ivlen = EVP_CIPHER_iv_length(enc); - if (ivlen > 1) { - if (rec->data != rec->input) { -#ifdef DEBUG - /* we can't write into the input stream: - * Can this ever happen?? (steve) - */ - fprintf(stderr, - "%s:%d: rec->data != rec->input\n", - __FILE__, __LINE__); -#endif - } else - arc4random_buf(rec->input, ivlen); - } - } - } else { - if (EVP_MD_CTX_md(s->read_hash)) { - int n = EVP_MD_CTX_size(s->read_hash); - OPENSSL_assert(n >= 0); - } - ds = s->enc_read_ctx; - if (s->enc_read_ctx == NULL) - enc = NULL; - else - enc = EVP_CIPHER_CTX_cipher(s->enc_read_ctx); - } - - if ((s->session == NULL) || (ds == NULL) || (enc == NULL)) { - memmove(rec->data, rec->input, rec->length); - rec->input = rec->data; - ret = 1; - } else { - l = rec->length; - bs = EVP_CIPHER_block_size(ds->cipher); - - if (EVP_CIPHER_flags(ds->cipher) & EVP_CIPH_FLAG_AEAD_CIPHER) { - unsigned char buf[13]; - - if (SSL_IS_DTLS(s)) { - dtls1_build_sequence_number(buf, seq, - send ? s->d1->w_epoch : s->d1->r_epoch); - } else { - memcpy(buf, seq, SSL3_SEQUENCE_SIZE); - tls1_record_sequence_increment(seq); - } - - buf[8] = rec->type; - buf[9] = (unsigned char)(s->version >> 8); - buf[10] = (unsigned char)(s->version); - buf[11] = rec->length >> 8; - buf[12] = rec->length & 0xff; - pad = EVP_CIPHER_CTX_ctrl(ds, EVP_CTRL_AEAD_TLS1_AAD, 13, buf); - if (send) { - l += pad; - rec->length += pad; - } - } else if ((bs != 1) && send) { - i = bs - ((int)l % bs); - - /* Add weird padding of upto 256 bytes */ - - /* we need to add 'i' padding bytes of value j */ - j = i - 1; - for (k = (int)l; k < (int)(l + i); k++) - rec->input[k] = j; - l += i; - rec->length += i; - } - - if (!send) { - if (l == 0 || l % bs != 0) - return 0; - } - - i = EVP_Cipher(ds, rec->data, rec->input, l); - if ((EVP_CIPHER_flags(ds->cipher) & - EVP_CIPH_FLAG_CUSTOM_CIPHER) ? (i < 0) : (i == 0)) - return -1; /* AEAD can fail to verify MAC */ - if (EVP_CIPHER_mode(enc) == EVP_CIPH_GCM_MODE && !send) { - rec->data += EVP_GCM_TLS_EXPLICIT_IV_LEN; - rec->input += EVP_GCM_TLS_EXPLICIT_IV_LEN; - rec->length -= EVP_GCM_TLS_EXPLICIT_IV_LEN; - } - - ret = 1; - if (EVP_MD_CTX_md(s->read_hash) != NULL) - mac_size = EVP_MD_CTX_size(s->read_hash); - if ((bs != 1) && !send) - ret = tls1_cbc_remove_padding(s, rec, bs, mac_size); - if (pad && !send) - rec->length -= pad; - } - return ret; -} - -int -tls1_cert_verify_mac(SSL *s, int md_nid, unsigned char *out) -{ - EVP_MD_CTX ctx, *d = NULL; - unsigned int ret; - int i; - - if (s->s3->handshake_buffer) - if (!tls1_digest_cached_records(s)) - return 0; - - for (i = 0; i < SSL_MAX_DIGEST; i++) { - if (s->s3->handshake_dgst[i] && - EVP_MD_CTX_type(s->s3->handshake_dgst[i]) == md_nid) { - d = s->s3->handshake_dgst[i]; - break; - } - } - if (d == NULL) { - SSLerr(SSL_F_TLS1_CERT_VERIFY_MAC, SSL_R_NO_REQUIRED_DIGEST); - return 0; - } - - EVP_MD_CTX_init(&ctx); - if (!EVP_MD_CTX_copy_ex(&ctx, d)) - return 0; - EVP_DigestFinal_ex(&ctx, out, &ret); - EVP_MD_CTX_cleanup(&ctx); - - return ((int)ret); -} - -int -tls1_final_finish_mac(SSL *s, const char *str, int slen, unsigned char *out) -{ - unsigned int i; - EVP_MD_CTX ctx; - unsigned char buf[2*EVP_MAX_MD_SIZE]; - unsigned char *q, buf2[12]; - int idx; - long mask; - int err = 0; - const EVP_MD *md; - - q = buf; - - if (s->s3->handshake_buffer) - if (!tls1_digest_cached_records(s)) - return 0; - - EVP_MD_CTX_init(&ctx); - - for (idx = 0; ssl_get_handshake_digest(idx, &mask, &md); idx++) { - if (ssl_get_algorithm2(s) & mask) { - int hashsize = EVP_MD_size(md); - EVP_MD_CTX *hdgst = s->s3->handshake_dgst[idx]; - if (!hdgst || hashsize < 0 || - hashsize > (int)(sizeof buf - (size_t)(q - buf))) { - /* internal error: 'buf' is too small for this cipersuite! */ - err = 1; - } else { - if (!EVP_MD_CTX_copy_ex(&ctx, hdgst) || - !EVP_DigestFinal_ex(&ctx, q, &i) || - (i != (unsigned int)hashsize)) - err = 1; - q += hashsize; - } - } - } - - if (!tls1_PRF(ssl_get_algorithm2(s), str, slen, buf, (int)(q - buf), - NULL, 0, NULL, 0, NULL, 0, - s->session->master_key, s->session->master_key_length, - out, buf2, sizeof buf2)) - err = 1; - EVP_MD_CTX_cleanup(&ctx); - - if (err) - return 0; - else - return sizeof buf2; -} - -int -tls1_mac(SSL *ssl, unsigned char *md, int send) -{ - SSL3_RECORD *rec; - unsigned char *seq; - EVP_MD_CTX *hash; - size_t md_size, orig_len; - EVP_MD_CTX hmac, *mac_ctx; - unsigned char header[13]; - int stream_mac = (send ? - (ssl->mac_flags & SSL_MAC_FLAG_WRITE_MAC_STREAM) : - (ssl->mac_flags & SSL_MAC_FLAG_READ_MAC_STREAM)); - int t; - - if (send) { - rec = &(ssl->s3->wrec); - seq = &(ssl->s3->write_sequence[0]); - hash = ssl->write_hash; - } else { - rec = &(ssl->s3->rrec); - seq = &(ssl->s3->read_sequence[0]); - hash = ssl->read_hash; - } - - t = EVP_MD_CTX_size(hash); - OPENSSL_assert(t >= 0); - md_size = t; - - /* I should fix this up TLS TLS TLS TLS TLS XXXXXXXX */ - if (stream_mac) { - mac_ctx = hash; - } else { - if (!EVP_MD_CTX_copy(&hmac, hash)) - return -1; - mac_ctx = &hmac; - } - - if (SSL_IS_DTLS(ssl)) - dtls1_build_sequence_number(header, seq, - send ? ssl->d1->w_epoch : ssl->d1->r_epoch); - else - memcpy(header, seq, SSL3_SEQUENCE_SIZE); - - /* kludge: tls1_cbc_remove_padding passes padding length in rec->type */ - orig_len = rec->length + md_size + ((unsigned int)rec->type >> 8); - rec->type &= 0xff; - - header[8] = rec->type; - header[9] = (unsigned char)(ssl->version >> 8); - header[10] = (unsigned char)(ssl->version); - header[11] = (rec->length) >> 8; - header[12] = (rec->length) & 0xff; - - if (!send && - EVP_CIPHER_CTX_mode(ssl->enc_read_ctx) == EVP_CIPH_CBC_MODE && - ssl3_cbc_record_digest_supported(mac_ctx)) { - /* This is a CBC-encrypted record. We must avoid leaking any - * timing-side channel information about how many blocks of - * data we are hashing because that gives an attacker a - * timing-oracle. */ - if (!ssl3_cbc_digest_record(mac_ctx, - md, &md_size, header, rec->input, - rec->length + md_size, orig_len, - ssl->s3->read_mac_secret, - ssl->s3->read_mac_secret_size, - 0 /* not SSLv3 */)) - return -1; - } else { - EVP_DigestSignUpdate(mac_ctx, header, sizeof(header)); - EVP_DigestSignUpdate(mac_ctx, rec->input, rec->length); - t = EVP_DigestSignFinal(mac_ctx, md, &md_size); - OPENSSL_assert(t > 0); - } - - if (!stream_mac) - EVP_MD_CTX_cleanup(&hmac); - - if (!SSL_IS_DTLS(ssl)) - tls1_record_sequence_increment(seq); - - return (md_size); -} - -int -tls1_generate_master_secret(SSL *s, unsigned char *out, unsigned char *p, - int len) -{ - unsigned char buff[SSL_MAX_MASTER_KEY_LENGTH]; - - tls1_PRF(ssl_get_algorithm2(s), - TLS_MD_MASTER_SECRET_CONST, TLS_MD_MASTER_SECRET_CONST_SIZE, - s->s3->client_random, SSL3_RANDOM_SIZE, NULL, 0, - s->s3->server_random, SSL3_RANDOM_SIZE, NULL, 0, - p, len, s->session->master_key, buff, sizeof buff); - - return (SSL3_MASTER_SECRET_SIZE); -} - -int -tls1_export_keying_material(SSL *s, unsigned char *out, size_t olen, - const char *label, size_t llen, const unsigned char *context, - size_t contextlen, int use_context) -{ - unsigned char *buff; - unsigned char *val = NULL; - size_t vallen, currentvalpos; - int rv; - - buff = malloc(olen); - if (buff == NULL) - goto err2; - - /* construct PRF arguments - * we construct the PRF argument ourself rather than passing separate - * values into the TLS PRF to ensure that the concatenation of values - * does not create a prohibited label. - */ - vallen = llen + SSL3_RANDOM_SIZE * 2; - if (use_context) { - vallen += 2 + contextlen; - } - - val = malloc(vallen); - if (val == NULL) - goto err2; - currentvalpos = 0; - memcpy(val + currentvalpos, (unsigned char *) label, llen); - currentvalpos += llen; - memcpy(val + currentvalpos, s->s3->client_random, SSL3_RANDOM_SIZE); - currentvalpos += SSL3_RANDOM_SIZE; - memcpy(val + currentvalpos, s->s3->server_random, SSL3_RANDOM_SIZE); - currentvalpos += SSL3_RANDOM_SIZE; - - if (use_context) { - val[currentvalpos] = (contextlen >> 8) & 0xff; - currentvalpos++; - val[currentvalpos] = contextlen & 0xff; - currentvalpos++; - if ((contextlen > 0) || (context != NULL)) { - memcpy(val + currentvalpos, context, contextlen); - } - } - - /* disallow prohibited labels - * note that SSL3_RANDOM_SIZE > max(prohibited label len) = - * 15, so size of val > max(prohibited label len) = 15 and the - * comparisons won't have buffer overflow - */ - if (memcmp(val, TLS_MD_CLIENT_FINISH_CONST, - TLS_MD_CLIENT_FINISH_CONST_SIZE) == 0) - goto err1; - if (memcmp(val, TLS_MD_SERVER_FINISH_CONST, - TLS_MD_SERVER_FINISH_CONST_SIZE) == 0) - goto err1; - if (memcmp(val, TLS_MD_MASTER_SECRET_CONST, - TLS_MD_MASTER_SECRET_CONST_SIZE) == 0) - goto err1; - if (memcmp(val, TLS_MD_KEY_EXPANSION_CONST, - TLS_MD_KEY_EXPANSION_CONST_SIZE) == 0) - goto err1; - - rv = tls1_PRF(ssl_get_algorithm2(s), - val, vallen, NULL, 0, NULL, 0, NULL, 0, NULL, 0, - s->session->master_key, s->session->master_key_length, - out, buff, olen); - - goto ret; -err1: - SSLerr(SSL_F_TLS1_EXPORT_KEYING_MATERIAL, - SSL_R_TLS_ILLEGAL_EXPORTER_LABEL); - rv = 0; - goto ret; -err2: - SSLerr(SSL_F_TLS1_EXPORT_KEYING_MATERIAL, ERR_R_MALLOC_FAILURE); - rv = 0; -ret: - free(buff); - free(val); - - return (rv); -} - -int -tls1_alert_code(int code) -{ - switch (code) { - case SSL_AD_CLOSE_NOTIFY: - return (SSL3_AD_CLOSE_NOTIFY); - case SSL_AD_UNEXPECTED_MESSAGE: - return (SSL3_AD_UNEXPECTED_MESSAGE); - case SSL_AD_BAD_RECORD_MAC: - return (SSL3_AD_BAD_RECORD_MAC); - case SSL_AD_DECRYPTION_FAILED: - return (TLS1_AD_DECRYPTION_FAILED); - case SSL_AD_RECORD_OVERFLOW: - return (TLS1_AD_RECORD_OVERFLOW); - case SSL_AD_DECOMPRESSION_FAILURE: - return (SSL3_AD_DECOMPRESSION_FAILURE); - case SSL_AD_HANDSHAKE_FAILURE: - return (SSL3_AD_HANDSHAKE_FAILURE); - case SSL_AD_NO_CERTIFICATE: - return (-1); - case SSL_AD_BAD_CERTIFICATE: - return (SSL3_AD_BAD_CERTIFICATE); - case SSL_AD_UNSUPPORTED_CERTIFICATE: - return (SSL3_AD_UNSUPPORTED_CERTIFICATE); - case SSL_AD_CERTIFICATE_REVOKED: - return (SSL3_AD_CERTIFICATE_REVOKED); - case SSL_AD_CERTIFICATE_EXPIRED: - return (SSL3_AD_CERTIFICATE_EXPIRED); - case SSL_AD_CERTIFICATE_UNKNOWN: - return (SSL3_AD_CERTIFICATE_UNKNOWN); - case SSL_AD_ILLEGAL_PARAMETER: - return (SSL3_AD_ILLEGAL_PARAMETER); - case SSL_AD_UNKNOWN_CA: - return (TLS1_AD_UNKNOWN_CA); - case SSL_AD_ACCESS_DENIED: - return (TLS1_AD_ACCESS_DENIED); - case SSL_AD_DECODE_ERROR: - return (TLS1_AD_DECODE_ERROR); - case SSL_AD_DECRYPT_ERROR: - return (TLS1_AD_DECRYPT_ERROR); - case SSL_AD_EXPORT_RESTRICTION: - return (TLS1_AD_EXPORT_RESTRICTION); - case SSL_AD_PROTOCOL_VERSION: - return (TLS1_AD_PROTOCOL_VERSION); - case SSL_AD_INSUFFICIENT_SECURITY: - return (TLS1_AD_INSUFFICIENT_SECURITY); - case SSL_AD_INTERNAL_ERROR: - return (TLS1_AD_INTERNAL_ERROR); - case SSL_AD_INAPPROPRIATE_FALLBACK: - return(TLS1_AD_INAPPROPRIATE_FALLBACK); - case SSL_AD_USER_CANCELLED: - return (TLS1_AD_USER_CANCELLED); - case SSL_AD_NO_RENEGOTIATION: - return (TLS1_AD_NO_RENEGOTIATION); - case SSL_AD_UNSUPPORTED_EXTENSION: - return (TLS1_AD_UNSUPPORTED_EXTENSION); - case SSL_AD_CERTIFICATE_UNOBTAINABLE: - return (TLS1_AD_CERTIFICATE_UNOBTAINABLE); - case SSL_AD_UNRECOGNIZED_NAME: - return (TLS1_AD_UNRECOGNIZED_NAME); - case SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE: - return (TLS1_AD_BAD_CERTIFICATE_STATUS_RESPONSE); - case SSL_AD_BAD_CERTIFICATE_HASH_VALUE: - return (TLS1_AD_BAD_CERTIFICATE_HASH_VALUE); - case SSL_AD_UNKNOWN_PSK_IDENTITY: - return (TLS1_AD_UNKNOWN_PSK_IDENTITY); - default: - return (-1); - } -} diff --git a/lib/libssl/src/ssl/t1_lib.c b/lib/libssl/src/ssl/t1_lib.c deleted file mode 100644 index 3022469ea91..00000000000 --- a/lib/libssl/src/ssl/t1_lib.c +++ /dev/null @@ -1,2424 +0,0 @@ -/* $OpenBSD: t1_lib.c,v 1.88 2016/08/27 15:58:06 jsing Exp $ */ -/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) - * All rights reserved. - * - * This package is an SSL implementation written - * by Eric Young (eay@cryptsoft.com). - * The implementation was written so as to conform with Netscapes SSL. - * - * This library is free for commercial and non-commercial use as long as - * the following conditions are aheared to. The following conditions - * apply to all code found in this distribution, be it the RC4, RSA, - * lhash, DES, etc., code; not just the SSL code. The SSL documentation - * included with this distribution is covered by the same copyright terms - * except that the holder is Tim Hudson (tjh@cryptsoft.com). - * - * Copyright remains Eric Young's, and as such any Copyright notices in - * the code are not to be removed. - * If this package is used in a product, Eric Young should be given attribution - * as the author of the parts of the library used. - * This can be in the form of a textual message at program startup or - * in documentation (online or textual) provided with the package. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * "This product includes cryptographic software written by - * Eric Young (eay@cryptsoft.com)" - * The word 'cryptographic' can be left out if the rouines from the library - * being used are not cryptographic related :-). - * 4. If you include any Windows specific code (or a derivative thereof) from - * the apps directory (application code) you must include an acknowledgement: - * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" - * - * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * The licence and distribution terms for any publically available version or - * derivative of this code cannot be changed. i.e. this code cannot simply be - * copied and put under another distribution licence - * [including the GNU Public Licence.] - */ -/* ==================================================================== - * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * openssl-core@openssl.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.openssl.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ - -#include <stdio.h> - -#include <openssl/evp.h> -#include <openssl/hmac.h> -#include <openssl/objects.h> -#include <openssl/ocsp.h> - -#include "ssl_locl.h" -#include "bytestring.h" - -static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen, - const unsigned char *sess_id, int sesslen, - SSL_SESSION **psess); - -SSL3_ENC_METHOD TLSv1_enc_data = { - .enc = tls1_enc, - .mac = tls1_mac, - .setup_key_block = tls1_setup_key_block, - .generate_master_secret = tls1_generate_master_secret, - .change_cipher_state = tls1_change_cipher_state, - .final_finish_mac = tls1_final_finish_mac, - .finish_mac_length = TLS1_FINISH_MAC_LENGTH, - .cert_verify_mac = tls1_cert_verify_mac, - .client_finished_label = TLS_MD_CLIENT_FINISH_CONST, - .client_finished_label_len = TLS_MD_CLIENT_FINISH_CONST_SIZE, - .server_finished_label = TLS_MD_SERVER_FINISH_CONST, - .server_finished_label_len = TLS_MD_SERVER_FINISH_CONST_SIZE, - .alert_value = tls1_alert_code, - .export_keying_material = tls1_export_keying_material, - .enc_flags = 0, -}; - -SSL3_ENC_METHOD TLSv1_1_enc_data = { - .enc = tls1_enc, - .mac = tls1_mac, - .setup_key_block = tls1_setup_key_block, - .generate_master_secret = tls1_generate_master_secret, - .change_cipher_state = tls1_change_cipher_state, - .final_finish_mac = tls1_final_finish_mac, - .finish_mac_length = TLS1_FINISH_MAC_LENGTH, - .cert_verify_mac = tls1_cert_verify_mac, - .client_finished_label = TLS_MD_CLIENT_FINISH_CONST, - .client_finished_label_len = TLS_MD_CLIENT_FINISH_CONST_SIZE, - .server_finished_label = TLS_MD_SERVER_FINISH_CONST, - .server_finished_label_len = TLS_MD_SERVER_FINISH_CONST_SIZE, - .alert_value = tls1_alert_code, - .export_keying_material = tls1_export_keying_material, - .enc_flags = SSL_ENC_FLAG_EXPLICIT_IV, -}; - -SSL3_ENC_METHOD TLSv1_2_enc_data = { - .enc = tls1_enc, - .mac = tls1_mac, - .setup_key_block = tls1_setup_key_block, - .generate_master_secret = tls1_generate_master_secret, - .change_cipher_state = tls1_change_cipher_state, - .final_finish_mac = tls1_final_finish_mac, - .finish_mac_length = TLS1_FINISH_MAC_LENGTH, - .cert_verify_mac = tls1_cert_verify_mac, - .client_finished_label = TLS_MD_CLIENT_FINISH_CONST, - .client_finished_label_len = TLS_MD_CLIENT_FINISH_CONST_SIZE, - .server_finished_label = TLS_MD_SERVER_FINISH_CONST, - .server_finished_label_len = TLS_MD_SERVER_FINISH_CONST_SIZE, - .alert_value = tls1_alert_code, - .export_keying_material = tls1_export_keying_material, - .enc_flags = SSL_ENC_FLAG_EXPLICIT_IV|SSL_ENC_FLAG_SIGALGS| - SSL_ENC_FLAG_SHA256_PRF|SSL_ENC_FLAG_TLS1_2_CIPHERS, -}; - -long -tls1_default_timeout(void) -{ - /* 2 hours, the 24 hours mentioned in the TLSv1 spec - * is way too long for http, the cache would over fill */ - return (60 * 60 * 2); -} - -int -tls1_new(SSL *s) -{ - if (!ssl3_new(s)) - return (0); - s->method->ssl_clear(s); - return (1); -} - -void -tls1_free(SSL *s) -{ - if (s == NULL) - return; - - free(s->tlsext_session_ticket); - ssl3_free(s); -} - -void -tls1_clear(SSL *s) -{ - ssl3_clear(s); - s->version = s->method->version; -} - - -static int nid_list[] = { - NID_sect163k1, /* sect163k1 (1) */ - NID_sect163r1, /* sect163r1 (2) */ - NID_sect163r2, /* sect163r2 (3) */ - NID_sect193r1, /* sect193r1 (4) */ - NID_sect193r2, /* sect193r2 (5) */ - NID_sect233k1, /* sect233k1 (6) */ - NID_sect233r1, /* sect233r1 (7) */ - NID_sect239k1, /* sect239k1 (8) */ - NID_sect283k1, /* sect283k1 (9) */ - NID_sect283r1, /* sect283r1 (10) */ - NID_sect409k1, /* sect409k1 (11) */ - NID_sect409r1, /* sect409r1 (12) */ - NID_sect571k1, /* sect571k1 (13) */ - NID_sect571r1, /* sect571r1 (14) */ - NID_secp160k1, /* secp160k1 (15) */ - NID_secp160r1, /* secp160r1 (16) */ - NID_secp160r2, /* secp160r2 (17) */ - NID_secp192k1, /* secp192k1 (18) */ - NID_X9_62_prime192v1, /* secp192r1 (19) */ - NID_secp224k1, /* secp224k1 (20) */ - NID_secp224r1, /* secp224r1 (21) */ - NID_secp256k1, /* secp256k1 (22) */ - NID_X9_62_prime256v1, /* secp256r1 (23) */ - NID_secp384r1, /* secp384r1 (24) */ - NID_secp521r1, /* secp521r1 (25) */ - NID_brainpoolP256r1, /* brainpoolP256r1 (26) */ - NID_brainpoolP384r1, /* brainpoolP384r1 (27) */ - NID_brainpoolP512r1 /* brainpoolP512r1 (28) */ -}; - -static const uint8_t ecformats_default[] = { - TLSEXT_ECPOINTFORMAT_uncompressed, - TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime, - TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2 -}; - -static const uint16_t eccurves_default[] = { - 14, /* sect571r1 (14) */ - 13, /* sect571k1 (13) */ - 25, /* secp521r1 (25) */ - 28, /* brainpool512r1 (28) */ - 11, /* sect409k1 (11) */ - 12, /* sect409r1 (12) */ - 27, /* brainpoolP384r1 (27) */ - 24, /* secp384r1 (24) */ - 9, /* sect283k1 (9) */ - 10, /* sect283r1 (10) */ - 26, /* brainpoolP256r1 (26) */ - 22, /* secp256k1 (22) */ - 23, /* secp256r1 (23) */ - 8, /* sect239k1 (8) */ - 6, /* sect233k1 (6) */ - 7, /* sect233r1 (7) */ - 20, /* secp224k1 (20) */ - 21, /* secp224r1 (21) */ - 4, /* sect193r1 (4) */ - 5, /* sect193r2 (5) */ - 18, /* secp192k1 (18) */ - 19, /* secp192r1 (19) */ - 1, /* sect163k1 (1) */ - 2, /* sect163r1 (2) */ - 3, /* sect163r2 (3) */ - 15, /* secp160k1 (15) */ - 16, /* secp160r1 (16) */ - 17, /* secp160r2 (17) */ -}; - -int -tls1_ec_curve_id2nid(uint16_t curve_id) -{ - /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */ - if ((curve_id < 1) || - ((unsigned int)curve_id > sizeof(nid_list) / sizeof(nid_list[0]))) - return 0; - return nid_list[curve_id - 1]; -} - -uint16_t -tls1_ec_nid2curve_id(int nid) -{ - /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */ - switch (nid) { - case NID_sect163k1: /* sect163k1 (1) */ - return 1; - case NID_sect163r1: /* sect163r1 (2) */ - return 2; - case NID_sect163r2: /* sect163r2 (3) */ - return 3; - case NID_sect193r1: /* sect193r1 (4) */ - return 4; - case NID_sect193r2: /* sect193r2 (5) */ - return 5; - case NID_sect233k1: /* sect233k1 (6) */ - return 6; - case NID_sect233r1: /* sect233r1 (7) */ - return 7; - case NID_sect239k1: /* sect239k1 (8) */ - return 8; - case NID_sect283k1: /* sect283k1 (9) */ - return 9; - case NID_sect283r1: /* sect283r1 (10) */ - return 10; - case NID_sect409k1: /* sect409k1 (11) */ - return 11; - case NID_sect409r1: /* sect409r1 (12) */ - return 12; - case NID_sect571k1: /* sect571k1 (13) */ - return 13; - case NID_sect571r1: /* sect571r1 (14) */ - return 14; - case NID_secp160k1: /* secp160k1 (15) */ - return 15; - case NID_secp160r1: /* secp160r1 (16) */ - return 16; - case NID_secp160r2: /* secp160r2 (17) */ - return 17; - case NID_secp192k1: /* secp192k1 (18) */ - return 18; - case NID_X9_62_prime192v1: /* secp192r1 (19) */ - return 19; - case NID_secp224k1: /* secp224k1 (20) */ - return 20; - case NID_secp224r1: /* secp224r1 (21) */ - return 21; - case NID_secp256k1: /* secp256k1 (22) */ - return 22; - case NID_X9_62_prime256v1: /* secp256r1 (23) */ - return 23; - case NID_secp384r1: /* secp384r1 (24) */ - return 24; - case NID_secp521r1: /* secp521r1 (25) */ - return 25; - case NID_brainpoolP256r1: /* brainpoolP256r1 (26) */ - return 26; - case NID_brainpoolP384r1: /* brainpoolP384r1 (27) */ - return 27; - case NID_brainpoolP512r1: /* brainpoolP512r1 (28) */ - return 28; - default: - return 0; - } -} - -/* - * Return the appropriate format list. If client_formats is non-zero, return - * the client/session formats. Otherwise return the custom format list if one - * exists, or the default formats if a custom list has not been specified. - */ -static void -tls1_get_formatlist(SSL *s, int client_formats, const uint8_t **pformats, - size_t *pformatslen) -{ - if (client_formats != 0) { - *pformats = s->session->tlsext_ecpointformatlist; - *pformatslen = s->session->tlsext_ecpointformatlist_length; - return; - } - - *pformats = s->tlsext_ecpointformatlist; - *pformatslen = s->tlsext_ecpointformatlist_length; - if (*pformats == NULL) { - *pformats = ecformats_default; - *pformatslen = sizeof(ecformats_default); - } -} - -/* - * Return the appropriate curve list. If client_curves is non-zero, return - * the client/session curves. Otherwise return the custom curve list if one - * exists, or the default curves if a custom list has not been specified. - */ -static void -tls1_get_curvelist(SSL *s, int client_curves, const uint16_t **pcurves, - size_t *pcurveslen) -{ - if (client_curves != 0) { - *pcurves = s->session->tlsext_ellipticcurvelist; - *pcurveslen = s->session->tlsext_ellipticcurvelist_length; - return; - } - - *pcurves = s->tlsext_ellipticcurvelist; - *pcurveslen = s->tlsext_ellipticcurvelist_length; - if (*pcurves == NULL) { - *pcurves = eccurves_default; - *pcurveslen = sizeof(eccurves_default) / 2; - } -} - -/* Check that a curve is one of our preferences. */ -int -tls1_check_curve(SSL *s, const unsigned char *p, size_t len) -{ - CBS cbs; - const uint16_t *curves; - size_t curveslen, i; - uint8_t type; - uint16_t cid; - - CBS_init(&cbs, p, len); - - /* Only named curves are supported. */ - if (CBS_len(&cbs) != 3 || - !CBS_get_u8(&cbs, &type) || - type != NAMED_CURVE_TYPE || - !CBS_get_u16(&cbs, &cid)) - return (0); - - tls1_get_curvelist(s, 0, &curves, &curveslen); - - for (i = 0; i < curveslen; i++) { - if (curves[i] == cid) - return (1); - } - return (0); -} - -int -tls1_get_shared_curve(SSL *s) -{ - size_t preflen, supplen, i, j; - const uint16_t *pref, *supp; - unsigned long server_pref; - - /* Cannot do anything on the client side. */ - if (s->server == 0) - return (NID_undef); - - /* Return first preference shared curve. */ - server_pref = (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE); - tls1_get_curvelist(s, (server_pref == 0), &pref, &preflen); - tls1_get_curvelist(s, (server_pref != 0), &supp, &supplen); - - for (i = 0; i < preflen; i++) { - for (j = 0; j < supplen; j++) { - if (pref[i] == supp[j]) - return (tls1_ec_curve_id2nid(pref[i])); - } - } - return (NID_undef); -} - -/* For an EC key set TLS ID and required compression based on parameters. */ -static int -tls1_set_ec_id(uint16_t *curve_id, uint8_t *comp_id, EC_KEY *ec) -{ - const EC_GROUP *grp; - const EC_METHOD *meth; - int is_prime = 0; - int nid, id; - - if (ec == NULL) - return (0); - - /* Determine if it is a prime field. */ - if ((grp = EC_KEY_get0_group(ec)) == NULL) - return (0); - if ((meth = EC_GROUP_method_of(grp)) == NULL) - return (0); - if (EC_METHOD_get_field_type(meth) == NID_X9_62_prime_field) - is_prime = 1; - - /* Determine curve ID. */ - nid = EC_GROUP_get_curve_name(grp); - id = tls1_ec_nid2curve_id(nid); - - /* If we have an ID set it, otherwise set arbitrary explicit curve. */ - if (id != 0) - *curve_id = id; - else - *curve_id = is_prime ? 0xff01 : 0xff02; - - /* Specify the compression identifier. */ - if (comp_id != NULL) { - if (EC_KEY_get0_public_key(ec) == NULL) - return (0); - - if (EC_KEY_get_conv_form(ec) == POINT_CONVERSION_COMPRESSED) { - *comp_id = is_prime ? - TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime : - TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2; - } else { - *comp_id = TLSEXT_ECPOINTFORMAT_uncompressed; - } - } - return (1); -} - -/* Check that an EC key is compatible with extensions. */ -static int -tls1_check_ec_key(SSL *s, const uint16_t *curve_id, const uint8_t *comp_id) -{ - size_t curveslen, formatslen, i; - const uint16_t *curves; - const uint8_t *formats; - - /* - * Check point formats extension if present, otherwise everything - * is supported (see RFC4492). - */ - tls1_get_formatlist(s, 1, &formats, &formatslen); - if (comp_id != NULL && formats != NULL) { - for (i = 0; i < formatslen; i++) { - if (formats[i] == *comp_id) - break; - } - if (i == formatslen) - return (0); - } - - /* - * Check curve list if present, otherwise everything is supported. - */ - tls1_get_curvelist(s, 1, &curves, &curveslen); - if (curve_id != NULL && curves != NULL) { - for (i = 0; i < curveslen; i++) { - if (curves[i] == *curve_id) - break; - } - if (i == curveslen) - return (0); - } - - return (1); -} - -/* Check EC server key is compatible with client extensions. */ -int -tls1_check_ec_server_key(SSL *s) -{ - CERT_PKEY *cpk = s->cert->pkeys + SSL_PKEY_ECC; - uint16_t curve_id; - uint8_t comp_id; - EVP_PKEY *pkey; - int rv; - - if (cpk->x509 == NULL || cpk->privatekey == NULL) - return (0); - if ((pkey = X509_get_pubkey(cpk->x509)) == NULL) - return (0); - rv = tls1_set_ec_id(&curve_id, &comp_id, pkey->pkey.ec); - EVP_PKEY_free(pkey); - if (rv != 1) - return (0); - - return tls1_check_ec_key(s, &curve_id, &comp_id); -} - -/* Check EC temporary key is compatible with client extensions. */ -int -tls1_check_ec_tmp_key(SSL *s) -{ - EC_KEY *ec = s->cert->ecdh_tmp; - uint16_t curve_id; - - if (s->cert->ecdh_tmp_auto != 0) { - /* Need a shared curve. */ - if (tls1_get_shared_curve(s) != NID_undef) - return (1); - return (0); - } - - if (ec == NULL) { - if (s->cert->ecdh_tmp_cb != NULL) - return (1); - return (0); - } - if (tls1_set_ec_id(&curve_id, NULL, ec) != 1) - return (0); - - return tls1_check_ec_key(s, &curve_id, NULL); -} - -/* - * List of supported signature algorithms and hashes. Should make this - * customisable at some point, for now include everything we support. - */ - -static unsigned char tls12_sigalgs[] = { - TLSEXT_hash_sha512, TLSEXT_signature_rsa, - TLSEXT_hash_sha512, TLSEXT_signature_dsa, - TLSEXT_hash_sha512, TLSEXT_signature_ecdsa, -#ifndef OPENSSL_NO_GOST - TLSEXT_hash_streebog_512, TLSEXT_signature_gostr12_512, -#endif - - TLSEXT_hash_sha384, TLSEXT_signature_rsa, - TLSEXT_hash_sha384, TLSEXT_signature_dsa, - TLSEXT_hash_sha384, TLSEXT_signature_ecdsa, - - TLSEXT_hash_sha256, TLSEXT_signature_rsa, - TLSEXT_hash_sha256, TLSEXT_signature_dsa, - TLSEXT_hash_sha256, TLSEXT_signature_ecdsa, - -#ifndef OPENSSL_NO_GOST - TLSEXT_hash_streebog_256, TLSEXT_signature_gostr12_256, - TLSEXT_hash_gost94, TLSEXT_signature_gostr01, -#endif - - TLSEXT_hash_sha224, TLSEXT_signature_rsa, - TLSEXT_hash_sha224, TLSEXT_signature_dsa, - TLSEXT_hash_sha224, TLSEXT_signature_ecdsa, - - TLSEXT_hash_sha1, TLSEXT_signature_rsa, - TLSEXT_hash_sha1, TLSEXT_signature_dsa, - TLSEXT_hash_sha1, TLSEXT_signature_ecdsa, -}; - -int -tls12_get_req_sig_algs(SSL *s, unsigned char *p) -{ - size_t slen = sizeof(tls12_sigalgs); - - if (p) - memcpy(p, tls12_sigalgs, slen); - return (int)slen; -} - -unsigned char * -ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit) -{ - int extdatalen = 0; - unsigned char *ret = p; - int using_ecc = 0; - - /* See if we support any ECC ciphersuites. */ - if (s->version != DTLS1_VERSION && s->version >= TLS1_VERSION) { - STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(s); - unsigned long alg_k, alg_a; - int i; - - for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++) { - SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i); - - alg_k = c->algorithm_mkey; - alg_a = c->algorithm_auth; - - if ((alg_k & (SSL_kECDHE|SSL_kECDHr|SSL_kECDHe) || - (alg_a & SSL_aECDSA))) { - using_ecc = 1; - break; - } - } - } - - ret += 2; - - if (ret >= limit) - return NULL; /* this really never occurs, but ... */ - - if (s->tlsext_hostname != NULL) { - /* Add TLS extension servername to the Client Hello message */ - size_t size_str, lenmax; - - /* check for enough space. - 4 for the servername type and extension length - 2 for servernamelist length - 1 for the hostname type - 2 for hostname length - + hostname length - */ - - if ((size_t)(limit - ret) < 9) - return NULL; - - lenmax = limit - ret - 9; - if ((size_str = strlen(s->tlsext_hostname)) > lenmax) - return NULL; - - /* extension type and length */ - s2n(TLSEXT_TYPE_server_name, ret); - - s2n(size_str + 5, ret); - - /* length of servername list */ - s2n(size_str + 3, ret); - - /* hostname type, length and hostname */ - *(ret++) = (unsigned char) TLSEXT_NAMETYPE_host_name; - s2n(size_str, ret); - memcpy(ret, s->tlsext_hostname, size_str); - ret += size_str; - } - - /* Add RI if renegotiating */ - if (s->renegotiate) { - int el; - - if (!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0)) { - SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, - ERR_R_INTERNAL_ERROR); - return NULL; - } - - if ((size_t)(limit - ret) < 4 + el) - return NULL; - - s2n(TLSEXT_TYPE_renegotiate, ret); - s2n(el, ret); - - if (!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el)) { - SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, - ERR_R_INTERNAL_ERROR); - return NULL; - } - - ret += el; - } - - if (using_ecc) { - size_t curveslen, formatslen, lenmax; - const uint16_t *curves; - const uint8_t *formats; - int i; - - /* - * Add TLS extension ECPointFormats to the ClientHello message. - */ - tls1_get_formatlist(s, 0, &formats, &formatslen); - - if ((size_t)(limit - ret) < 5) - return NULL; - - lenmax = limit - ret - 5; - if (formatslen > lenmax) - return NULL; - if (formatslen > 255) { - SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, - ERR_R_INTERNAL_ERROR); - return NULL; - } - - s2n(TLSEXT_TYPE_ec_point_formats, ret); - s2n(formatslen + 1, ret); - *(ret++) = (unsigned char)formatslen; - memcpy(ret, formats, formatslen); - ret += formatslen; - - /* - * Add TLS extension EllipticCurves to the ClientHello message. - */ - tls1_get_curvelist(s, 0, &curves, &curveslen); - - if ((size_t)(limit - ret) < 6) - return NULL; - - lenmax = limit - ret - 6; - if (curveslen > lenmax) - return NULL; - if (curveslen > 65532) { - SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, - ERR_R_INTERNAL_ERROR); - return NULL; - } - - s2n(TLSEXT_TYPE_elliptic_curves, ret); - s2n((curveslen * 2) + 2, ret); - - /* NB: draft-ietf-tls-ecc-12.txt uses a one-byte prefix for - * elliptic_curve_list, but the examples use two bytes. - * https://www1.ietf.org/mail-archive/web/tls/current/msg00538.html - * resolves this to two bytes. - */ - s2n(curveslen * 2, ret); - for (i = 0; i < curveslen; i++) - s2n(curves[i], ret); - } - - if (!(SSL_get_options(s) & SSL_OP_NO_TICKET)) { - int ticklen; - if (!s->new_session && s->session && s->session->tlsext_tick) - ticklen = s->session->tlsext_ticklen; - else if (s->session && s->tlsext_session_ticket && - s->tlsext_session_ticket->data) { - ticklen = s->tlsext_session_ticket->length; - s->session->tlsext_tick = malloc(ticklen); - if (!s->session->tlsext_tick) - return NULL; - memcpy(s->session->tlsext_tick, - s->tlsext_session_ticket->data, ticklen); - s->session->tlsext_ticklen = ticklen; - } else - ticklen = 0; - if (ticklen == 0 && s->tlsext_session_ticket && - s->tlsext_session_ticket->data == NULL) - goto skip_ext; - /* Check for enough room 2 for extension type, 2 for len - * rest for ticket - */ - if ((size_t)(limit - ret) < 4 + ticklen) - return NULL; - s2n(TLSEXT_TYPE_session_ticket, ret); - - s2n(ticklen, ret); - if (ticklen) { - memcpy(ret, s->session->tlsext_tick, ticklen); - ret += ticklen; - } - } -skip_ext: - - if (TLS1_get_client_version(s) >= TLS1_2_VERSION) { - if ((size_t)(limit - ret) < sizeof(tls12_sigalgs) + 6) - return NULL; - - s2n(TLSEXT_TYPE_signature_algorithms, ret); - s2n(sizeof(tls12_sigalgs) + 2, ret); - s2n(sizeof(tls12_sigalgs), ret); - memcpy(ret, tls12_sigalgs, sizeof(tls12_sigalgs)); - ret += sizeof(tls12_sigalgs); - } - - if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp && - s->version != DTLS1_VERSION) { - int i; - long extlen, idlen, itmp; - OCSP_RESPID *id; - - idlen = 0; - for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) { - id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i); - itmp = i2d_OCSP_RESPID(id, NULL); - if (itmp <= 0) - return NULL; - idlen += itmp + 2; - } - - if (s->tlsext_ocsp_exts) { - extlen = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL); - if (extlen < 0) - return NULL; - } else - extlen = 0; - - if ((size_t)(limit - ret) < 7 + extlen + idlen) - return NULL; - s2n(TLSEXT_TYPE_status_request, ret); - if (extlen + idlen > 0xFFF0) - return NULL; - s2n(extlen + idlen + 5, ret); - *(ret++) = TLSEXT_STATUSTYPE_ocsp; - s2n(idlen, ret); - for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) { - /* save position of id len */ - unsigned char *q = ret; - id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i); - /* skip over id len */ - ret += 2; - itmp = i2d_OCSP_RESPID(id, &ret); - /* write id len */ - s2n(itmp, q); - } - s2n(extlen, ret); - if (extlen > 0) - i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret); - } - - if (s->ctx->next_proto_select_cb && !s->s3->tmp.finish_md_len) { - /* The client advertises an emtpy extension to indicate its - * support for Next Protocol Negotiation */ - if ((size_t)(limit - ret) < 4) - return NULL; - s2n(TLSEXT_TYPE_next_proto_neg, ret); - s2n(0, ret); - } - - if (s->alpn_client_proto_list != NULL && - s->s3->tmp.finish_md_len == 0) { - if ((size_t)(limit - ret) < 6 + s->alpn_client_proto_list_len) - return (NULL); - s2n(TLSEXT_TYPE_application_layer_protocol_negotiation, ret); - s2n(2 + s->alpn_client_proto_list_len, ret); - s2n(s->alpn_client_proto_list_len, ret); - memcpy(ret, s->alpn_client_proto_list, - s->alpn_client_proto_list_len); - ret += s->alpn_client_proto_list_len; - } - -#ifndef OPENSSL_NO_SRTP - if (SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s)) { - int el; - - ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0); - - if ((size_t)(limit - ret) < 4 + el) - return NULL; - - s2n(TLSEXT_TYPE_use_srtp, ret); - s2n(el, ret); - - if (ssl_add_clienthello_use_srtp_ext(s, ret, &el, el)) { - SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, - ERR_R_INTERNAL_ERROR); - return NULL; - } - ret += el; - } -#endif - - /* - * Add padding to workaround bugs in F5 terminators. - * See https://tools.ietf.org/html/draft-agl-tls-padding-03 - * - * Note that this seems to trigger issues with IronPort SMTP - * appliances. - * - * NB: because this code works out the length of all existing - * extensions it MUST always appear last. - */ - if (s->options & SSL_OP_TLSEXT_PADDING) { - int hlen = ret - (unsigned char *)s->init_buf->data; - - /* - * The code in s23_clnt.c to build ClientHello messages - * includes the 5-byte record header in the buffer, while the - * code in s3_clnt.c does not. - */ - if (s->state == SSL23_ST_CW_CLNT_HELLO_A) - hlen -= 5; - if (hlen > 0xff && hlen < 0x200) { - hlen = 0x200 - hlen; - if (hlen >= 4) - hlen -= 4; - else - hlen = 0; - - s2n(TLSEXT_TYPE_padding, ret); - s2n(hlen, ret); - memset(ret, 0, hlen); - ret += hlen; - } - } - - if ((extdatalen = ret - p - 2) == 0) - return p; - - s2n(extdatalen, p); - return ret; -} - -unsigned char * -ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit) -{ - int using_ecc, extdatalen = 0; - unsigned long alg_a, alg_k; - unsigned char *ret = p; - int next_proto_neg_seen; - - alg_a = s->s3->tmp.new_cipher->algorithm_auth; - alg_k = s->s3->tmp.new_cipher->algorithm_mkey; - using_ecc = (alg_k & (SSL_kECDHE|SSL_kECDHr|SSL_kECDHe) || - alg_a & SSL_aECDSA) && - s->session->tlsext_ecpointformatlist != NULL; - - ret += 2; - if (ret >= limit) - return NULL; /* this really never occurs, but ... */ - - if (!s->hit && s->servername_done == 1 && - s->session->tlsext_hostname != NULL) { - if ((size_t)(limit - ret) < 4) - return NULL; - - s2n(TLSEXT_TYPE_server_name, ret); - s2n(0, ret); - } - - if (s->s3->send_connection_binding) { - int el; - - if (!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0)) { - SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, - ERR_R_INTERNAL_ERROR); - return NULL; - } - - if ((size_t)(limit - ret) < 4 + el) - return NULL; - - s2n(TLSEXT_TYPE_renegotiate, ret); - s2n(el, ret); - - if (!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el)) { - SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, - ERR_R_INTERNAL_ERROR); - return NULL; - } - - ret += el; - } - - if (using_ecc && s->version != DTLS1_VERSION) { - const unsigned char *formats; - size_t formatslen, lenmax; - - /* - * Add TLS extension ECPointFormats to the ServerHello message. - */ - tls1_get_formatlist(s, 0, &formats, &formatslen); - - if ((size_t)(limit - ret) < 5) - return NULL; - - lenmax = limit - ret - 5; - if (formatslen > lenmax) - return NULL; - if (formatslen > 255) { - SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, - ERR_R_INTERNAL_ERROR); - return NULL; - } - - s2n(TLSEXT_TYPE_ec_point_formats, ret); - s2n(formatslen + 1, ret); - *(ret++) = (unsigned char)formatslen; - memcpy(ret, formats, formatslen); - ret += formatslen; - } - - /* - * Currently the server should not respond with a SupportedCurves - * extension. - */ - - if (s->tlsext_ticket_expected && - !(SSL_get_options(s) & SSL_OP_NO_TICKET)) { - if ((size_t)(limit - ret) < 4) - return NULL; - - s2n(TLSEXT_TYPE_session_ticket, ret); - s2n(0, ret); - } - - if (s->tlsext_status_expected) { - if ((size_t)(limit - ret) < 4) - return NULL; - - s2n(TLSEXT_TYPE_status_request, ret); - s2n(0, ret); - } - -#ifndef OPENSSL_NO_SRTP - if (SSL_IS_DTLS(s) && s->srtp_profile) { - int el; - - ssl_add_serverhello_use_srtp_ext(s, 0, &el, 0); - - if ((size_t)(limit - ret) < 4 + el) - return NULL; - - s2n(TLSEXT_TYPE_use_srtp, ret); - s2n(el, ret); - - if (ssl_add_serverhello_use_srtp_ext(s, ret, &el, el)) { - SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, - ERR_R_INTERNAL_ERROR); - return NULL; - } - ret += el; - } -#endif - - if (((s->s3->tmp.new_cipher->id & 0xFFFF) == 0x80 || - (s->s3->tmp.new_cipher->id & 0xFFFF) == 0x81) && - (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG)) { - static const unsigned char cryptopro_ext[36] = { - 0xfd, 0xe8, /*65000*/ - 0x00, 0x20, /*32 bytes length*/ - 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85, - 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06, - 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08, - 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17 - }; - if ((size_t)(limit - ret) < sizeof(cryptopro_ext)) - return NULL; - memcpy(ret, cryptopro_ext, sizeof(cryptopro_ext)); - ret += sizeof(cryptopro_ext); - } - - next_proto_neg_seen = s->s3->next_proto_neg_seen; - s->s3->next_proto_neg_seen = 0; - if (next_proto_neg_seen && s->ctx->next_protos_advertised_cb) { - const unsigned char *npa; - unsigned int npalen; - int r; - - r = s->ctx->next_protos_advertised_cb(s, &npa, &npalen, - s->ctx->next_protos_advertised_cb_arg); - if (r == SSL_TLSEXT_ERR_OK) { - if ((size_t)(limit - ret) < 4 + npalen) - return NULL; - s2n(TLSEXT_TYPE_next_proto_neg, ret); - s2n(npalen, ret); - memcpy(ret, npa, npalen); - ret += npalen; - s->s3->next_proto_neg_seen = 1; - } - } - - if (s->s3->alpn_selected != NULL) { - const unsigned char *selected = s->s3->alpn_selected; - unsigned int len = s->s3->alpn_selected_len; - - if ((long)(limit - ret - 4 - 2 - 1 - len) < 0) - return (NULL); - s2n(TLSEXT_TYPE_application_layer_protocol_negotiation, ret); - s2n(3 + len, ret); - s2n(1 + len, ret); - *ret++ = len; - memcpy(ret, selected, len); - ret += len; - } - - if ((extdatalen = ret - p - 2) == 0) - return p; - - s2n(extdatalen, p); - return ret; -} - -/* - * tls1_alpn_handle_client_hello is called to process the ALPN extension in a - * ClientHello. - * data: the contents of the extension, not including the type and length. - * data_len: the number of bytes in data. - * al: a pointer to the alert value to send in the event of a non-zero - * return. - * returns: 1 on success. - */ -static int -tls1_alpn_handle_client_hello(SSL *s, const unsigned char *data, - unsigned int data_len, int *al) -{ - CBS cbs, proto_name_list, alpn; - const unsigned char *selected; - unsigned char selected_len; - int r; - - if (s->ctx->alpn_select_cb == NULL) - return (1); - - if (data_len < 2) - goto parse_error; - - CBS_init(&cbs, data, data_len); - - /* - * data should contain a uint16 length followed by a series of 8-bit, - * length-prefixed strings. - */ - if (!CBS_get_u16_length_prefixed(&cbs, &alpn) || - CBS_len(&alpn) < 2 || - CBS_len(&cbs) != 0) - goto parse_error; - - /* Validate data before sending to callback. */ - CBS_dup(&alpn, &proto_name_list); - while (CBS_len(&proto_name_list) > 0) { - CBS proto_name; - - if (!CBS_get_u8_length_prefixed(&proto_name_list, &proto_name) || - CBS_len(&proto_name) == 0) - goto parse_error; - } - - r = s->ctx->alpn_select_cb(s, &selected, &selected_len, - CBS_data(&alpn), CBS_len(&alpn), s->ctx->alpn_select_cb_arg); - if (r == SSL_TLSEXT_ERR_OK) { - free(s->s3->alpn_selected); - if ((s->s3->alpn_selected = malloc(selected_len)) == NULL) { - *al = SSL_AD_INTERNAL_ERROR; - return (-1); - } - memcpy(s->s3->alpn_selected, selected, selected_len); - s->s3->alpn_selected_len = selected_len; - } - - return (1); - -parse_error: - *al = SSL_AD_DECODE_ERROR; - return (0); -} - -int -ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, - int n, int *al) -{ - unsigned short type; - unsigned short size; - unsigned short len; - unsigned char *data = *p; - unsigned char *end = d + n; - int renegotiate_seen = 0; - int sigalg_seen = 0; - - s->servername_done = 0; - s->tlsext_status_type = -1; - s->s3->next_proto_neg_seen = 0; - free(s->s3->alpn_selected); - s->s3->alpn_selected = NULL; - s->srtp_profile = NULL; - - if (data == end) - goto ri_check; - - if (end - data < 2) - goto err; - n2s(data, len); - - if (end - data != len) - goto err; - - while (end - data >= 4) { - n2s(data, type); - n2s(data, size); - - if (end - data < size) - goto err; - - if (s->tlsext_debug_cb) - s->tlsext_debug_cb(s, 0, type, data, size, - s->tlsext_debug_arg); -/* The servername extension is treated as follows: - - - Only the hostname type is supported with a maximum length of 255. - - The servername is rejected if too long or if it contains zeros, - in which case an fatal alert is generated. - - The servername field is maintained together with the session cache. - - When a session is resumed, the servername call back invoked in order - to allow the application to position itself to the right context. - - The servername is acknowledged if it is new for a session or when - it is identical to a previously used for the same session. - Applications can control the behaviour. They can at any time - set a 'desirable' servername for a new SSL object. This can be the - case for example with HTTPS when a Host: header field is received and - a renegotiation is requested. In this case, a possible servername - presented in the new client hello is only acknowledged if it matches - the value of the Host: field. - - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION - if they provide for changing an explicit servername context for the session, - i.e. when the session has been established with a servername extension. - - On session reconnect, the servername extension may be absent. - -*/ - - if (type == TLSEXT_TYPE_server_name) { - unsigned char *sdata; - int servname_type; - int dsize; - - if (size < 2) { - *al = SSL_AD_DECODE_ERROR; - return 0; - } - n2s(data, dsize); - - size -= 2; - if (dsize > size) { - *al = SSL_AD_DECODE_ERROR; - return 0; - } - - sdata = data; - while (dsize > 3) { - servname_type = *(sdata++); - - n2s(sdata, len); - dsize -= 3; - - if (len > dsize) { - *al = SSL_AD_DECODE_ERROR; - return 0; - } - if (s->servername_done == 0) - switch (servname_type) { - case TLSEXT_NAMETYPE_host_name: - if (!s->hit) { - if (s->session->tlsext_hostname) { - *al = SSL_AD_DECODE_ERROR; - return 0; - } - if (len > TLSEXT_MAXLEN_host_name) { - *al = TLS1_AD_UNRECOGNIZED_NAME; - return 0; - } - if ((s->session->tlsext_hostname = - malloc(len + 1)) == NULL) { - *al = TLS1_AD_INTERNAL_ERROR; - return 0; - } - memcpy(s->session->tlsext_hostname, sdata, len); - s->session->tlsext_hostname[len] = '\0'; - if (strlen(s->session->tlsext_hostname) != len) { - free(s->session->tlsext_hostname); - s->session->tlsext_hostname = NULL; - *al = TLS1_AD_UNRECOGNIZED_NAME; - return 0; - } - s->servername_done = 1; - - - } else { - s->servername_done = s->session->tlsext_hostname && - strlen(s->session->tlsext_hostname) == len && - strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0; - } - break; - - default: - break; - } - - dsize -= len; - } - if (dsize != 0) { - *al = SSL_AD_DECODE_ERROR; - return 0; - } - - } - - else if (type == TLSEXT_TYPE_ec_point_formats && - s->version != DTLS1_VERSION) { - unsigned char *sdata = data; - size_t formatslen; - uint8_t *formats; - - if (size < 1) { - *al = TLS1_AD_DECODE_ERROR; - return 0; - } - formatslen = *(sdata++); - if (formatslen != size - 1) { - *al = TLS1_AD_DECODE_ERROR; - return 0; - } - - if (!s->hit) { - free(s->session->tlsext_ecpointformatlist); - s->session->tlsext_ecpointformatlist = NULL; - s->session->tlsext_ecpointformatlist_length = 0; - - if ((formats = reallocarray(NULL, formatslen, - sizeof(uint8_t))) == NULL) { - *al = TLS1_AD_INTERNAL_ERROR; - return 0; - } - memcpy(formats, sdata, formatslen); - s->session->tlsext_ecpointformatlist = formats; - s->session->tlsext_ecpointformatlist_length = - formatslen; - } - } else if (type == TLSEXT_TYPE_elliptic_curves && - s->version != DTLS1_VERSION) { - unsigned char *sdata = data; - size_t curveslen, i; - uint16_t *curves; - - if (size < 2) { - *al = TLS1_AD_DECODE_ERROR; - return 0; - } - n2s(sdata, curveslen); - if (curveslen != size - 2 || curveslen % 2 != 0) { - *al = TLS1_AD_DECODE_ERROR; - return 0; - } - curveslen /= 2; - - if (!s->hit) { - if (s->session->tlsext_ellipticcurvelist) { - *al = TLS1_AD_DECODE_ERROR; - return 0; - } - s->session->tlsext_ellipticcurvelist_length = 0; - if ((curves = reallocarray(NULL, curveslen, - sizeof(uint16_t))) == NULL) { - *al = TLS1_AD_INTERNAL_ERROR; - return 0; - } - for (i = 0; i < curveslen; i++) - n2s(sdata, curves[i]); - s->session->tlsext_ellipticcurvelist = curves; - s->session->tlsext_ellipticcurvelist_length = curveslen; - } - } - else if (type == TLSEXT_TYPE_session_ticket) { - if (s->tls_session_ticket_ext_cb && - !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg)) { - *al = TLS1_AD_INTERNAL_ERROR; - return 0; - } - } else if (type == TLSEXT_TYPE_renegotiate) { - if (!ssl_parse_clienthello_renegotiate_ext(s, data, size, al)) - return 0; - renegotiate_seen = 1; - } else if (type == TLSEXT_TYPE_signature_algorithms) { - int dsize; - if (sigalg_seen || size < 2) { - *al = SSL_AD_DECODE_ERROR; - return 0; - } - sigalg_seen = 1; - n2s(data, dsize); - size -= 2; - if (dsize != size || dsize & 1) { - *al = SSL_AD_DECODE_ERROR; - return 0; - } - if (!tls1_process_sigalgs(s, data, dsize)) { - *al = SSL_AD_DECODE_ERROR; - return 0; - } - } else if (type == TLSEXT_TYPE_status_request && - s->version != DTLS1_VERSION) { - - if (size < 5) { - *al = SSL_AD_DECODE_ERROR; - return 0; - } - - s->tlsext_status_type = *data++; - size--; - if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp) { - const unsigned char *sdata; - int dsize; - /* Read in responder_id_list */ - n2s(data, dsize); - size -= 2; - if (dsize > size ) { - *al = SSL_AD_DECODE_ERROR; - return 0; - } - while (dsize > 0) { - OCSP_RESPID *id; - int idsize; - if (dsize < 4) { - *al = SSL_AD_DECODE_ERROR; - return 0; - } - n2s(data, idsize); - dsize -= 2 + idsize; - size -= 2 + idsize; - if (dsize < 0) { - *al = SSL_AD_DECODE_ERROR; - return 0; - } - sdata = data; - data += idsize; - id = d2i_OCSP_RESPID(NULL, - &sdata, idsize); - if (!id) { - *al = SSL_AD_DECODE_ERROR; - return 0; - } - if (data != sdata) { - OCSP_RESPID_free(id); - *al = SSL_AD_DECODE_ERROR; - return 0; - } - if (!s->tlsext_ocsp_ids && - !(s->tlsext_ocsp_ids = - sk_OCSP_RESPID_new_null())) { - OCSP_RESPID_free(id); - *al = SSL_AD_INTERNAL_ERROR; - return 0; - } - if (!sk_OCSP_RESPID_push( - s->tlsext_ocsp_ids, id)) { - OCSP_RESPID_free(id); - *al = SSL_AD_INTERNAL_ERROR; - return 0; - } - } - - /* Read in request_extensions */ - if (size < 2) { - *al = SSL_AD_DECODE_ERROR; - return 0; - } - n2s(data, dsize); - size -= 2; - if (dsize != size) { - *al = SSL_AD_DECODE_ERROR; - return 0; - } - sdata = data; - if (dsize > 0) { - if (s->tlsext_ocsp_exts) { - sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts, - X509_EXTENSION_free); - } - - s->tlsext_ocsp_exts = - d2i_X509_EXTENSIONS(NULL, - &sdata, dsize); - if (!s->tlsext_ocsp_exts || - (data + dsize != sdata)) { - *al = SSL_AD_DECODE_ERROR; - return 0; - } - } - } else { - /* We don't know what to do with any other type - * so ignore it. - */ - s->tlsext_status_type = -1; - } - } - else if (type == TLSEXT_TYPE_next_proto_neg && - s->s3->tmp.finish_md_len == 0 && - s->s3->alpn_selected == NULL) { - /* We shouldn't accept this extension on a - * renegotiation. - * - * s->new_session will be set on renegotiation, but we - * probably shouldn't rely that it couldn't be set on - * the initial renegotation too in certain cases (when - * there's some other reason to disallow resuming an - * earlier session -- the current code won't be doing - * anything like that, but this might change). - - * A valid sign that there's been a previous handshake - * in this connection is if s->s3->tmp.finish_md_len > - * 0. (We are talking about a check that will happen - * in the Hello protocol round, well before a new - * Finished message could have been computed.) */ - s->s3->next_proto_neg_seen = 1; - } - else if (type == - TLSEXT_TYPE_application_layer_protocol_negotiation && - s->ctx->alpn_select_cb != NULL && - s->s3->tmp.finish_md_len == 0) { - if (tls1_alpn_handle_client_hello(s, data, - size, al) != 1) - return (0); - /* ALPN takes precedence over NPN. */ - s->s3->next_proto_neg_seen = 0; - } - - /* session ticket processed earlier */ -#ifndef OPENSSL_NO_SRTP - else if (SSL_IS_DTLS(s) && type == TLSEXT_TYPE_use_srtp) { - if (ssl_parse_clienthello_use_srtp_ext(s, data, size, al)) - return 0; - } -#endif - - data += size; - } - - /* Spurious data on the end */ - if (data != end) - goto err; - - *p = data; - -ri_check: - - /* Need RI if renegotiating */ - - if (!renegotiate_seen && s->renegotiate) { - *al = SSL_AD_HANDSHAKE_FAILURE; - SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT, - SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); - return 0; - } - - return 1; - -err: - *al = SSL_AD_DECODE_ERROR; - return 0; -} - -/* - * ssl_next_proto_validate validates a Next Protocol Negotiation block. No - * elements of zero length are allowed and the set of elements must exactly fill - * the length of the block. - */ -static char -ssl_next_proto_validate(const unsigned char *d, unsigned int len) -{ - CBS npn, value; - - CBS_init(&npn, d, len); - while (CBS_len(&npn) > 0) { - if (!CBS_get_u8_length_prefixed(&npn, &value) || - CBS_len(&value) == 0) - return 0; - } - return 1; -} - -int -ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, - int n, int *al) -{ - unsigned short type; - unsigned short size; - unsigned short len; - unsigned char *data = *p; - unsigned char *end = d + n; - int tlsext_servername = 0; - int renegotiate_seen = 0; - - s->s3->next_proto_neg_seen = 0; - free(s->s3->alpn_selected); - s->s3->alpn_selected = NULL; - - if (data == end) - goto ri_check; - - if (end - data < 2) - goto err; - n2s(data, len); - - if (end - data != len) - goto err; - - while (end - data >= 4) { - n2s(data, type); - n2s(data, size); - - if (end - data < size) - goto err; - - if (s->tlsext_debug_cb) - s->tlsext_debug_cb(s, 1, type, data, size, - s->tlsext_debug_arg); - - if (type == TLSEXT_TYPE_server_name) { - if (s->tlsext_hostname == NULL || size > 0) { - *al = TLS1_AD_UNRECOGNIZED_NAME; - return 0; - } - tlsext_servername = 1; - - } - else if (type == TLSEXT_TYPE_ec_point_formats && - s->version != DTLS1_VERSION) { - unsigned char *sdata = data; - size_t formatslen; - uint8_t *formats; - - if (size < 1) { - *al = TLS1_AD_DECODE_ERROR; - return 0; - } - formatslen = *(sdata++); - if (formatslen != size - 1) { - *al = TLS1_AD_DECODE_ERROR; - return 0; - } - - if (!s->hit) { - free(s->session->tlsext_ecpointformatlist); - s->session->tlsext_ecpointformatlist = NULL; - s->session->tlsext_ecpointformatlist_length = 0; - - if ((formats = reallocarray(NULL, formatslen, - sizeof(uint8_t))) == NULL) { - *al = TLS1_AD_INTERNAL_ERROR; - return 0; - } - memcpy(formats, sdata, formatslen); - s->session->tlsext_ecpointformatlist = formats; - s->session->tlsext_ecpointformatlist_length = - formatslen; - } - } - else if (type == TLSEXT_TYPE_session_ticket) { - if (s->tls_session_ticket_ext_cb && - !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg)) { - *al = TLS1_AD_INTERNAL_ERROR; - return 0; - } - if ((SSL_get_options(s) & SSL_OP_NO_TICKET) || (size > 0)) { - *al = TLS1_AD_UNSUPPORTED_EXTENSION; - return 0; - } - s->tlsext_ticket_expected = 1; - } - else if (type == TLSEXT_TYPE_status_request && - s->version != DTLS1_VERSION) { - /* MUST be empty and only sent if we've requested - * a status request message. - */ - if ((s->tlsext_status_type == -1) || (size > 0)) { - *al = TLS1_AD_UNSUPPORTED_EXTENSION; - return 0; - } - /* Set flag to expect CertificateStatus message */ - s->tlsext_status_expected = 1; - } - else if (type == TLSEXT_TYPE_next_proto_neg && - s->s3->tmp.finish_md_len == 0) { - unsigned char *selected; - unsigned char selected_len; - - /* We must have requested it. */ - if (s->ctx->next_proto_select_cb == NULL) { - *al = TLS1_AD_UNSUPPORTED_EXTENSION; - return 0; - } - /* The data must be valid */ - if (!ssl_next_proto_validate(data, size)) { - *al = TLS1_AD_DECODE_ERROR; - return 0; - } - if (s->ctx->next_proto_select_cb(s, &selected, &selected_len, data, size, s->ctx->next_proto_select_cb_arg) != SSL_TLSEXT_ERR_OK) { - *al = TLS1_AD_INTERNAL_ERROR; - return 0; - } - s->next_proto_negotiated = malloc(selected_len); - if (!s->next_proto_negotiated) { - *al = TLS1_AD_INTERNAL_ERROR; - return 0; - } - memcpy(s->next_proto_negotiated, selected, selected_len); - s->next_proto_negotiated_len = selected_len; - s->s3->next_proto_neg_seen = 1; - } - else if (type == - TLSEXT_TYPE_application_layer_protocol_negotiation) { - unsigned int len; - - /* We must have requested it. */ - if (s->alpn_client_proto_list == NULL) { - *al = TLS1_AD_UNSUPPORTED_EXTENSION; - return 0; - } - if (size < 4) { - *al = TLS1_AD_DECODE_ERROR; - return (0); - } - - /* The extension data consists of: - * uint16 list_length - * uint8 proto_length; - * uint8 proto[proto_length]; */ - len = ((unsigned int)data[0]) << 8 | - ((unsigned int)data[1]); - if (len != (unsigned int)size - 2) { - *al = TLS1_AD_DECODE_ERROR; - return (0); - } - len = data[2]; - if (len != (unsigned int)size - 3) { - *al = TLS1_AD_DECODE_ERROR; - return (0); - } - free(s->s3->alpn_selected); - s->s3->alpn_selected = malloc(len); - if (s->s3->alpn_selected == NULL) { - *al = TLS1_AD_INTERNAL_ERROR; - return (0); - } - memcpy(s->s3->alpn_selected, data + 3, len); - s->s3->alpn_selected_len = len; - - } else if (type == TLSEXT_TYPE_renegotiate) { - if (!ssl_parse_serverhello_renegotiate_ext(s, data, size, al)) - return 0; - renegotiate_seen = 1; - } -#ifndef OPENSSL_NO_SRTP - else if (SSL_IS_DTLS(s) && type == TLSEXT_TYPE_use_srtp) { - if (ssl_parse_serverhello_use_srtp_ext(s, data, - size, al)) - return 0; - } -#endif - - data += size; - - } - - if (data != d + n) { - *al = SSL_AD_DECODE_ERROR; - return 0; - } - - if (!s->hit && tlsext_servername == 1) { - if (s->tlsext_hostname) { - if (s->session->tlsext_hostname == NULL) { - s->session->tlsext_hostname = - strdup(s->tlsext_hostname); - - if (!s->session->tlsext_hostname) { - *al = SSL_AD_UNRECOGNIZED_NAME; - return 0; - } - } else { - *al = SSL_AD_DECODE_ERROR; - return 0; - } - } - } - - *p = data; - -ri_check: - - /* Determine if we need to see RI. Strictly speaking if we want to - * avoid an attack we should *always* see RI even on initial server - * hello because the client doesn't see any renegotiation during an - * attack. However this would mean we could not connect to any server - * which doesn't support RI so for the immediate future tolerate RI - * absence on initial connect only. - */ - if (!renegotiate_seen && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT)) { - *al = SSL_AD_HANDSHAKE_FAILURE; - SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT, - SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); - return 0; - } - - return 1; - -err: - *al = SSL_AD_DECODE_ERROR; - return 0; -} - -int -ssl_check_clienthello_tlsext_early(SSL *s) -{ - int ret = SSL_TLSEXT_ERR_NOACK; - int al = SSL_AD_UNRECOGNIZED_NAME; - - /* The handling of the ECPointFormats extension is done elsewhere, namely in - * ssl3_choose_cipher in s3_lib.c. - */ - /* The handling of the EllipticCurves extension is done elsewhere, namely in - * ssl3_choose_cipher in s3_lib.c. - */ - - if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) - ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg); - else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0) - ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg); - - switch (ret) { - case SSL_TLSEXT_ERR_ALERT_FATAL: - ssl3_send_alert(s, SSL3_AL_FATAL, al); - return -1; - case SSL_TLSEXT_ERR_ALERT_WARNING: - ssl3_send_alert(s, SSL3_AL_WARNING, al); - return 1; - case SSL_TLSEXT_ERR_NOACK: - s->servername_done = 0; - default: - return 1; - } -} - -int -ssl_check_clienthello_tlsext_late(SSL *s) -{ - int ret = SSL_TLSEXT_ERR_OK; - int al = 0; /* XXX gcc3 */ - - /* If status request then ask callback what to do. - * Note: this must be called after servername callbacks in case - * the certificate has changed, and must be called after the cipher - * has been chosen because this may influence which certificate is sent - */ - if ((s->tlsext_status_type != -1) && - s->ctx && s->ctx->tlsext_status_cb) { - int r; - CERT_PKEY *certpkey; - certpkey = ssl_get_server_send_pkey(s); - /* If no certificate can't return certificate status */ - if (certpkey == NULL) { - s->tlsext_status_expected = 0; - return 1; - } - /* Set current certificate to one we will use so - * SSL_get_certificate et al can pick it up. - */ - s->cert->key = certpkey; - r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg); - switch (r) { - /* We don't want to send a status request response */ - case SSL_TLSEXT_ERR_NOACK: - s->tlsext_status_expected = 0; - break; - /* status request response should be sent */ - case SSL_TLSEXT_ERR_OK: - if (s->tlsext_ocsp_resp) - s->tlsext_status_expected = 1; - else - s->tlsext_status_expected = 0; - break; - /* something bad happened */ - case SSL_TLSEXT_ERR_ALERT_FATAL: - ret = SSL_TLSEXT_ERR_ALERT_FATAL; - al = SSL_AD_INTERNAL_ERROR; - goto err; - } - } else - s->tlsext_status_expected = 0; - -err: - switch (ret) { - case SSL_TLSEXT_ERR_ALERT_FATAL: - ssl3_send_alert(s, SSL3_AL_FATAL, al); - return -1; - case SSL_TLSEXT_ERR_ALERT_WARNING: - ssl3_send_alert(s, SSL3_AL_WARNING, al); - return 1; - default: - return 1; - } -} - -int -ssl_check_serverhello_tlsext(SSL *s) -{ - int ret = SSL_TLSEXT_ERR_NOACK; - int al = SSL_AD_UNRECOGNIZED_NAME; - - /* If we are client and using an elliptic curve cryptography cipher - * suite, then if server returns an EC point formats lists extension - * it must contain uncompressed. - */ - unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey; - unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth; - if ((s->tlsext_ecpointformatlist != NULL) && - (s->tlsext_ecpointformatlist_length > 0) && - (s->session->tlsext_ecpointformatlist != NULL) && - (s->session->tlsext_ecpointformatlist_length > 0) && - ((alg_k & (SSL_kECDHE|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA))) { - /* we are using an ECC cipher */ - size_t i; - unsigned char *list; - int found_uncompressed = 0; - list = s->session->tlsext_ecpointformatlist; - for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++) { - if (*(list++) == TLSEXT_ECPOINTFORMAT_uncompressed) { - found_uncompressed = 1; - break; - } - } - if (!found_uncompressed) { - SSLerr(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT, SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST); - return -1; - } - } - ret = SSL_TLSEXT_ERR_OK; - - if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) - ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg); - else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0) - ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg); - - /* If we've requested certificate status and we wont get one - * tell the callback - */ - if ((s->tlsext_status_type != -1) && !(s->tlsext_status_expected) && - s->ctx && s->ctx->tlsext_status_cb) { - int r; - /* Set resp to NULL, resplen to -1 so callback knows - * there is no response. - */ - free(s->tlsext_ocsp_resp); - s->tlsext_ocsp_resp = NULL; - s->tlsext_ocsp_resplen = -1; - r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg); - if (r == 0) { - al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE; - ret = SSL_TLSEXT_ERR_ALERT_FATAL; - } - if (r < 0) { - al = SSL_AD_INTERNAL_ERROR; - ret = SSL_TLSEXT_ERR_ALERT_FATAL; - } - } - - switch (ret) { - case SSL_TLSEXT_ERR_ALERT_FATAL: - ssl3_send_alert(s, SSL3_AL_FATAL, al); - - return -1; - case SSL_TLSEXT_ERR_ALERT_WARNING: - ssl3_send_alert(s, SSL3_AL_WARNING, al); - - return 1; - case SSL_TLSEXT_ERR_NOACK: - s->servername_done = 0; - default: - return 1; - } -} - -/* Since the server cache lookup is done early on in the processing of the - * ClientHello, and other operations depend on the result, we need to handle - * any TLS session ticket extension at the same time. - * - * session_id: points at the session ID in the ClientHello. This code will - * read past the end of this in order to parse out the session ticket - * extension, if any. - * len: the length of the session ID. - * limit: a pointer to the first byte after the ClientHello. - * ret: (output) on return, if a ticket was decrypted, then this is set to - * point to the resulting session. - * - * If s->tls_session_secret_cb is set then we are expecting a pre-shared key - * ciphersuite, in which case we have no use for session tickets and one will - * never be decrypted, nor will s->tlsext_ticket_expected be set to 1. - * - * Returns: - * -1: fatal error, either from parsing or decrypting the ticket. - * 0: no ticket was found (or was ignored, based on settings). - * 1: a zero length extension was found, indicating that the client supports - * session tickets but doesn't currently have one to offer. - * 2: either s->tls_session_secret_cb was set, or a ticket was offered but - * couldn't be decrypted because of a non-fatal error. - * 3: a ticket was successfully decrypted and *ret was set. - * - * Side effects: - * Sets s->tlsext_ticket_expected to 1 if the server will have to issue - * a new session ticket to the client because the client indicated support - * (and s->tls_session_secret_cb is NULL) but the client either doesn't have - * a session ticket or we couldn't use the one it gave us, or if - * s->ctx->tlsext_ticket_key_cb asked to renew the client's ticket. - * Otherwise, s->tlsext_ticket_expected is set to 0. - */ -int -tls1_process_ticket(SSL *s, const unsigned char *session, int session_len, - const unsigned char *limit, SSL_SESSION **ret) -{ - /* Point after session ID in client hello */ - CBS session_id, cookie, cipher_list, compress_algo, extensions; - - *ret = NULL; - s->tlsext_ticket_expected = 0; - - /* If tickets disabled behave as if no ticket present - * to permit stateful resumption. - */ - if (SSL_get_options(s) & SSL_OP_NO_TICKET) - return 0; - if (!limit) - return 0; - - if (limit < session) - return -1; - - CBS_init(&session_id, session, limit - session); - - /* Skip past the session id */ - if (!CBS_skip(&session_id, session_len)) - return -1; - - /* Skip past DTLS cookie */ - if (SSL_IS_DTLS(s)) { - if (!CBS_get_u8_length_prefixed(&session_id, &cookie)) - return -1; - } - - /* Skip past cipher list */ - if (!CBS_get_u16_length_prefixed(&session_id, &cipher_list)) - return -1; - - /* Skip past compression algorithm list */ - if (!CBS_get_u8_length_prefixed(&session_id, &compress_algo)) - return -1; - - /* Now at start of extensions */ - if (CBS_len(&session_id) == 0) - return 0; - if (!CBS_get_u16_length_prefixed(&session_id, &extensions)) - return -1; - - while (CBS_len(&extensions) > 0) { - CBS ext_data; - uint16_t ext_type; - - if (!CBS_get_u16(&extensions, &ext_type) || - !CBS_get_u16_length_prefixed(&extensions, &ext_data)) - return -1; - - if (ext_type == TLSEXT_TYPE_session_ticket) { - int r; - if (CBS_len(&ext_data) == 0) { - /* The client will accept a ticket but doesn't - * currently have one. */ - s->tlsext_ticket_expected = 1; - return 1; - } - if (s->tls_session_secret_cb) { - /* Indicate that the ticket couldn't be - * decrypted rather than generating the session - * from ticket now, trigger abbreviated - * handshake based on external mechanism to - * calculate the master secret later. */ - return 2; - } - - r = tls_decrypt_ticket(s, CBS_data(&ext_data), - CBS_len(&ext_data), session, session_len, ret); - - switch (r) { - case 2: /* ticket couldn't be decrypted */ - s->tlsext_ticket_expected = 1; - return 2; - case 3: /* ticket was decrypted */ - return r; - case 4: /* ticket decrypted but need to renew */ - s->tlsext_ticket_expected = 1; - return 3; - default: /* fatal error */ - return -1; - } - } - } - return 0; -} - -/* tls_decrypt_ticket attempts to decrypt a session ticket. - * - * etick: points to the body of the session ticket extension. - * eticklen: the length of the session tickets extenion. - * sess_id: points at the session ID. - * sesslen: the length of the session ID. - * psess: (output) on return, if a ticket was decrypted, then this is set to - * point to the resulting session. - * - * Returns: - * -1: fatal error, either from parsing or decrypting the ticket. - * 2: the ticket couldn't be decrypted. - * 3: a ticket was successfully decrypted and *psess was set. - * 4: same as 3, but the ticket needs to be renewed. - */ -static int -tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen, - const unsigned char *sess_id, int sesslen, SSL_SESSION **psess) -{ - SSL_SESSION *sess; - unsigned char *sdec; - const unsigned char *p; - int slen, mlen, renew_ticket = 0; - unsigned char tick_hmac[EVP_MAX_MD_SIZE]; - HMAC_CTX hctx; - EVP_CIPHER_CTX ctx; - SSL_CTX *tctx = s->initial_ctx; - /* Need at least keyname + iv + some encrypted data */ - if (eticklen < 48) - return 2; - /* Initialize session ticket encryption and HMAC contexts */ - HMAC_CTX_init(&hctx); - EVP_CIPHER_CTX_init(&ctx); - if (tctx->tlsext_ticket_key_cb) { - unsigned char *nctick = (unsigned char *)etick; - int rv = tctx->tlsext_ticket_key_cb(s, nctick, nctick + 16, - &ctx, &hctx, 0); - if (rv < 0) { - EVP_CIPHER_CTX_cleanup(&ctx); - return -1; - } - if (rv == 0) { - EVP_CIPHER_CTX_cleanup(&ctx); - return 2; - } - if (rv == 2) - renew_ticket = 1; - } else { - /* Check key name matches */ - if (timingsafe_memcmp(etick, tctx->tlsext_tick_key_name, 16)) - return 2; - HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16, - tlsext_tick_md(), NULL); - EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL, - tctx->tlsext_tick_aes_key, etick + 16); - } - /* Attempt to process session ticket, first conduct sanity and - * integrity checks on ticket. - */ - mlen = HMAC_size(&hctx); - if (mlen < 0) { - EVP_CIPHER_CTX_cleanup(&ctx); - return -1; - } - eticklen -= mlen; - /* Check HMAC of encrypted ticket */ - HMAC_Update(&hctx, etick, eticklen); - HMAC_Final(&hctx, tick_hmac, NULL); - HMAC_CTX_cleanup(&hctx); - if (timingsafe_memcmp(tick_hmac, etick + eticklen, mlen)) { - EVP_CIPHER_CTX_cleanup(&ctx); - return 2; - } - /* Attempt to decrypt session data */ - /* Move p after IV to start of encrypted ticket, update length */ - p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx); - eticklen -= 16 + EVP_CIPHER_CTX_iv_length(&ctx); - sdec = malloc(eticklen); - if (!sdec) { - EVP_CIPHER_CTX_cleanup(&ctx); - return -1; - } - EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen); - if (EVP_DecryptFinal_ex(&ctx, sdec + slen, &mlen) <= 0) { - free(sdec); - EVP_CIPHER_CTX_cleanup(&ctx); - return 2; - } - slen += mlen; - EVP_CIPHER_CTX_cleanup(&ctx); - p = sdec; - - sess = d2i_SSL_SESSION(NULL, &p, slen); - free(sdec); - if (sess) { - /* The session ID, if non-empty, is used by some clients to - * detect that the ticket has been accepted. So we copy it to - * the session structure. If it is empty set length to zero - * as required by standard. - */ - if (sesslen) - memcpy(sess->session_id, sess_id, sesslen); - sess->session_id_length = sesslen; - *psess = sess; - if (renew_ticket) - return 4; - else - return 3; - } - ERR_clear_error(); - /* For session parse failure, indicate that we need to send a new - * ticket. */ - return 2; -} - -/* Tables to translate from NIDs to TLS v1.2 ids */ - -typedef struct { - int nid; - int id; -} tls12_lookup; - -static tls12_lookup tls12_md[] = { - {NID_md5, TLSEXT_hash_md5}, - {NID_sha1, TLSEXT_hash_sha1}, - {NID_sha224, TLSEXT_hash_sha224}, - {NID_sha256, TLSEXT_hash_sha256}, - {NID_sha384, TLSEXT_hash_sha384}, - {NID_sha512, TLSEXT_hash_sha512}, - {NID_id_GostR3411_94, TLSEXT_hash_gost94}, - {NID_id_tc26_gost3411_2012_256, TLSEXT_hash_streebog_256}, - {NID_id_tc26_gost3411_2012_512, TLSEXT_hash_streebog_512} -}; - -static tls12_lookup tls12_sig[] = { - {EVP_PKEY_RSA, TLSEXT_signature_rsa}, - {EVP_PKEY_DSA, TLSEXT_signature_dsa}, - {EVP_PKEY_EC, TLSEXT_signature_ecdsa}, - {EVP_PKEY_GOSTR01, TLSEXT_signature_gostr01}, -}; - -static int -tls12_find_id(int nid, tls12_lookup *table, size_t tlen) -{ - size_t i; - for (i = 0; i < tlen; i++) { - if (table[i].nid == nid) - return table[i].id; - } - return -1; -} - -int -tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk, const EVP_MD *md) -{ - int sig_id, md_id; - if (!md) - return 0; - md_id = tls12_find_id(EVP_MD_type(md), tls12_md, - sizeof(tls12_md) / sizeof(tls12_lookup)); - if (md_id == -1) - return 0; - sig_id = tls12_get_sigid(pk); - if (sig_id == -1) - return 0; - p[0] = (unsigned char)md_id; - p[1] = (unsigned char)sig_id; - return 1; -} - -int -tls12_get_sigid(const EVP_PKEY *pk) -{ - return tls12_find_id(pk->type, tls12_sig, - sizeof(tls12_sig) / sizeof(tls12_lookup)); -} - -const EVP_MD * -tls12_get_hash(unsigned char hash_alg) -{ - switch (hash_alg) { - case TLSEXT_hash_sha1: - return EVP_sha1(); - case TLSEXT_hash_sha224: - return EVP_sha224(); - case TLSEXT_hash_sha256: - return EVP_sha256(); - case TLSEXT_hash_sha384: - return EVP_sha384(); - case TLSEXT_hash_sha512: - return EVP_sha512(); -#ifndef OPENSSL_NO_GOST - case TLSEXT_hash_gost94: - return EVP_gostr341194(); - case TLSEXT_hash_streebog_256: - return EVP_streebog256(); - case TLSEXT_hash_streebog_512: - return EVP_streebog512(); -#endif - default: - return NULL; - } -} - -/* Set preferred digest for each key type */ - -int -tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize) -{ - int idx; - const EVP_MD *md; - CERT *c = s->cert; - CBS cbs; - - /* Extension ignored for inappropriate versions */ - if (!SSL_USE_SIGALGS(s)) - return 1; - - /* Should never happen */ - if (!c || dsize < 0) - return 0; - - CBS_init(&cbs, data, dsize); - - c->pkeys[SSL_PKEY_DSA_SIGN].digest = NULL; - c->pkeys[SSL_PKEY_RSA_SIGN].digest = NULL; - c->pkeys[SSL_PKEY_RSA_ENC].digest = NULL; - c->pkeys[SSL_PKEY_ECC].digest = NULL; - c->pkeys[SSL_PKEY_GOST01].digest = NULL; - - while (CBS_len(&cbs) > 0) { - uint8_t hash_alg, sig_alg; - - if (!CBS_get_u8(&cbs, &hash_alg) || - !CBS_get_u8(&cbs, &sig_alg)) { - /* Should never happen */ - return 0; - } - - switch (sig_alg) { - case TLSEXT_signature_rsa: - idx = SSL_PKEY_RSA_SIGN; - break; - case TLSEXT_signature_dsa: - idx = SSL_PKEY_DSA_SIGN; - break; - case TLSEXT_signature_ecdsa: - idx = SSL_PKEY_ECC; - break; - case TLSEXT_signature_gostr01: - case TLSEXT_signature_gostr12_256: - case TLSEXT_signature_gostr12_512: - idx = SSL_PKEY_GOST01; - break; - default: - continue; - } - - if (c->pkeys[idx].digest == NULL) { - md = tls12_get_hash(hash_alg); - if (md) { - c->pkeys[idx].digest = md; - if (idx == SSL_PKEY_RSA_SIGN) - c->pkeys[SSL_PKEY_RSA_ENC].digest = md; - } - } - - } - - /* Set any remaining keys to default values. NOTE: if alg is not - * supported it stays as NULL. - */ - if (!c->pkeys[SSL_PKEY_DSA_SIGN].digest) - c->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_sha1(); - if (!c->pkeys[SSL_PKEY_RSA_SIGN].digest) { - c->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1(); - c->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1(); - } - if (!c->pkeys[SSL_PKEY_ECC].digest) - c->pkeys[SSL_PKEY_ECC].digest = EVP_sha1(); -#ifndef OPENSSL_NO_GOST - if (!c->pkeys[SSL_PKEY_GOST01].digest) - c->pkeys[SSL_PKEY_GOST01].digest = EVP_gostr341194(); -#endif - return 1; -} diff --git a/lib/libssl/src/ssl/t1_meth.c b/lib/libssl/src/ssl/t1_meth.c deleted file mode 100644 index aea4c04547f..00000000000 --- a/lib/libssl/src/ssl/t1_meth.c +++ /dev/null @@ -1,235 +0,0 @@ -/* $OpenBSD: t1_meth.c,v 1.17 2015/09/11 14:52:17 jsing Exp $ */ -/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) - * All rights reserved. - * - * This package is an SSL implementation written - * by Eric Young (eay@cryptsoft.com). - * The implementation was written so as to conform with Netscapes SSL. - * - * This library is free for commercial and non-commercial use as long as - * the following conditions are aheared to. The following conditions - * apply to all code found in this distribution, be it the RC4, RSA, - * lhash, DES, etc., code; not just the SSL code. The SSL documentation - * included with this distribution is covered by the same copyright terms - * except that the holder is Tim Hudson (tjh@cryptsoft.com). - * - * Copyright remains Eric Young's, and as such any Copyright notices in - * the code are not to be removed. - * If this package is used in a product, Eric Young should be given attribution - * as the author of the parts of the library used. - * This can be in the form of a textual message at program startup or - * in documentation (online or textual) provided with the package. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * "This product includes cryptographic software written by - * Eric Young (eay@cryptsoft.com)" - * The word 'cryptographic' can be left out if the rouines from the library - * being used are not cryptographic related :-). - * 4. If you include any Windows specific code (or a derivative thereof) from - * the apps directory (application code) you must include an acknowledgement: - * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" - * - * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * The licence and distribution terms for any publically available version or - * derivative of this code cannot be changed. i.e. this code cannot simply be - * copied and put under another distribution licence - * [including the GNU Public Licence.] - */ - -#include <stdio.h> - -#include <openssl/objects.h> - -#include "ssl_locl.h" - -static const SSL_METHOD *tls1_get_method(int ver); - -const SSL_METHOD TLS_method_data = { - .version = TLS1_2_VERSION, - .ssl_new = tls1_new, - .ssl_clear = tls1_clear, - .ssl_free = tls1_free, - .ssl_accept = ssl23_accept, - .ssl_connect = ssl23_connect, - .ssl_read = ssl23_read, - .ssl_peek = ssl23_peek, - .ssl_write = ssl23_write, - .ssl_shutdown = ssl_undefined_function, - .ssl_renegotiate = ssl_undefined_function, - .ssl_renegotiate_check = ssl_ok, - .ssl_get_message = ssl3_get_message, - .ssl_read_bytes = ssl3_read_bytes, - .ssl_write_bytes = ssl3_write_bytes, - .ssl_dispatch_alert = ssl3_dispatch_alert, - .ssl_ctrl = ssl3_ctrl, - .ssl_ctx_ctrl = ssl3_ctx_ctrl, - .get_cipher_by_char = ssl3_get_cipher_by_char, - .put_cipher_by_char = ssl3_put_cipher_by_char, - .ssl_pending = ssl_undefined_const_function, - .num_ciphers = ssl3_num_ciphers, - .get_cipher = ssl3_get_cipher, - .get_ssl_method = tls1_get_method, - .get_timeout = ssl23_default_timeout, - .ssl3_enc = &ssl3_undef_enc_method, - .ssl_version = ssl_undefined_void_function, - .ssl_callback_ctrl = ssl3_callback_ctrl, - .ssl_ctx_callback_ctrl = ssl3_ctx_callback_ctrl, -}; - -const SSL_METHOD TLSv1_method_data = { - .version = TLS1_VERSION, - .ssl_new = tls1_new, - .ssl_clear = tls1_clear, - .ssl_free = tls1_free, - .ssl_accept = ssl3_accept, - .ssl_connect = ssl3_connect, - .ssl_read = ssl3_read, - .ssl_peek = ssl3_peek, - .ssl_write = ssl3_write, - .ssl_shutdown = ssl3_shutdown, - .ssl_renegotiate = ssl3_renegotiate, - .ssl_renegotiate_check = ssl3_renegotiate_check, - .ssl_get_message = ssl3_get_message, - .ssl_read_bytes = ssl3_read_bytes, - .ssl_write_bytes = ssl3_write_bytes, - .ssl_dispatch_alert = ssl3_dispatch_alert, - .ssl_ctrl = ssl3_ctrl, - .ssl_ctx_ctrl = ssl3_ctx_ctrl, - .get_cipher_by_char = ssl3_get_cipher_by_char, - .put_cipher_by_char = ssl3_put_cipher_by_char, - .ssl_pending = ssl3_pending, - .num_ciphers = ssl3_num_ciphers, - .get_cipher = ssl3_get_cipher, - .get_ssl_method = tls1_get_method, - .get_timeout = tls1_default_timeout, - .ssl3_enc = &TLSv1_enc_data, - .ssl_version = ssl_undefined_void_function, - .ssl_callback_ctrl = ssl3_callback_ctrl, - .ssl_ctx_callback_ctrl = ssl3_ctx_callback_ctrl, -}; - -const SSL_METHOD TLSv1_1_method_data = { - .version = TLS1_1_VERSION, - .ssl_new = tls1_new, - .ssl_clear = tls1_clear, - .ssl_free = tls1_free, - .ssl_accept = ssl3_accept, - .ssl_connect = ssl3_connect, - .ssl_read = ssl3_read, - .ssl_peek = ssl3_peek, - .ssl_write = ssl3_write, - .ssl_shutdown = ssl3_shutdown, - .ssl_renegotiate = ssl3_renegotiate, - .ssl_renegotiate_check = ssl3_renegotiate_check, - .ssl_get_message = ssl3_get_message, - .ssl_read_bytes = ssl3_read_bytes, - .ssl_write_bytes = ssl3_write_bytes, - .ssl_dispatch_alert = ssl3_dispatch_alert, - .ssl_ctrl = ssl3_ctrl, - .ssl_ctx_ctrl = ssl3_ctx_ctrl, - .get_cipher_by_char = ssl3_get_cipher_by_char, - .put_cipher_by_char = ssl3_put_cipher_by_char, - .ssl_pending = ssl3_pending, - .num_ciphers = ssl3_num_ciphers, - .get_cipher = ssl3_get_cipher, - .get_ssl_method = tls1_get_method, - .get_timeout = tls1_default_timeout, - .ssl3_enc = &TLSv1_1_enc_data, - .ssl_version = ssl_undefined_void_function, - .ssl_callback_ctrl = ssl3_callback_ctrl, - .ssl_ctx_callback_ctrl = ssl3_ctx_callback_ctrl, -}; - -const SSL_METHOD TLSv1_2_method_data = { - .version = TLS1_2_VERSION, - .ssl_new = tls1_new, - .ssl_clear = tls1_clear, - .ssl_free = tls1_free, - .ssl_accept = ssl3_accept, - .ssl_connect = ssl3_connect, - .ssl_read = ssl3_read, - .ssl_peek = ssl3_peek, - .ssl_write = ssl3_write, - .ssl_shutdown = ssl3_shutdown, - .ssl_renegotiate = ssl3_renegotiate, - .ssl_renegotiate_check = ssl3_renegotiate_check, - .ssl_get_message = ssl3_get_message, - .ssl_read_bytes = ssl3_read_bytes, - .ssl_write_bytes = ssl3_write_bytes, - .ssl_dispatch_alert = ssl3_dispatch_alert, - .ssl_ctrl = ssl3_ctrl, - .ssl_ctx_ctrl = ssl3_ctx_ctrl, - .get_cipher_by_char = ssl3_get_cipher_by_char, - .put_cipher_by_char = ssl3_put_cipher_by_char, - .ssl_pending = ssl3_pending, - .num_ciphers = ssl3_num_ciphers, - .get_cipher = ssl3_get_cipher, - .get_ssl_method = tls1_get_method, - .get_timeout = tls1_default_timeout, - .ssl3_enc = &TLSv1_2_enc_data, - .ssl_version = ssl_undefined_void_function, - .ssl_callback_ctrl = ssl3_callback_ctrl, - .ssl_ctx_callback_ctrl = ssl3_ctx_callback_ctrl, -}; - -static const SSL_METHOD * -tls1_get_method(int ver) -{ - if (ver == TLS1_2_VERSION) - return (TLSv1_2_method()); - if (ver == TLS1_1_VERSION) - return (TLSv1_1_method()); - if (ver == TLS1_VERSION) - return (TLSv1_method()); - return (NULL); -} - -const SSL_METHOD * -SSLv23_method(void) -{ - return (TLS_method()); -} - -const SSL_METHOD * -TLS_method(void) -{ - return &TLS_method_data; -} - -const SSL_METHOD * -TLSv1_method(void) -{ - return (&TLSv1_method_data); -} - -const SSL_METHOD * -TLSv1_1_method(void) -{ - return (&TLSv1_1_method_data); -} - -const SSL_METHOD * -TLSv1_2_method(void) -{ - return (&TLSv1_2_method_data); -} diff --git a/lib/libssl/src/ssl/t1_reneg.c b/lib/libssl/src/ssl/t1_reneg.c deleted file mode 100644 index 294a632b8f3..00000000000 --- a/lib/libssl/src/ssl/t1_reneg.c +++ /dev/null @@ -1,286 +0,0 @@ -/* $OpenBSD: t1_reneg.c,v 1.11 2015/06/20 16:42:48 doug Exp $ */ -/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) - * All rights reserved. - * - * This package is an SSL implementation written - * by Eric Young (eay@cryptsoft.com). - * The implementation was written so as to conform with Netscapes SSL. - * - * This library is free for commercial and non-commercial use as long as - * the following conditions are aheared to. The following conditions - * apply to all code found in this distribution, be it the RC4, RSA, - * lhash, DES, etc., code; not just the SSL code. The SSL documentation - * included with this distribution is covered by the same copyright terms - * except that the holder is Tim Hudson (tjh@cryptsoft.com). - * - * Copyright remains Eric Young's, and as such any Copyright notices in - * the code are not to be removed. - * If this package is used in a product, Eric Young should be given attribution - * as the author of the parts of the library used. - * This can be in the form of a textual message at program startup or - * in documentation (online or textual) provided with the package. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * "This product includes cryptographic software written by - * Eric Young (eay@cryptsoft.com)" - * The word 'cryptographic' can be left out if the rouines from the library - * being used are not cryptographic related :-). - * 4. If you include any Windows specific code (or a derivative thereof) from - * the apps directory (application code) you must include an acknowledgement: - * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" - * - * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * The licence and distribution terms for any publically available version or - * derivative of this code cannot be changed. i.e. this code cannot simply be - * copied and put under another distribution licence - * [including the GNU Public Licence.] - */ -/* ==================================================================== - * Copyright (c) 1998-2009 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * openssl-core@openssl.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.openssl.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ - -#include <stdio.h> - -#include <openssl/objects.h> - -#include "ssl_locl.h" -#include "bytestring.h" - -/* Add the client's renegotiation binding */ -int -ssl_add_clienthello_renegotiate_ext(SSL *s, unsigned char *p, int *len, - int maxlen) -{ - if (p) { - if ((s->s3->previous_client_finished_len + 1) > maxlen) { - SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_RENEGOTIATE_EXT, - SSL_R_RENEGOTIATE_EXT_TOO_LONG); - return 0; - } - - /* Length byte */ - *p = s->s3->previous_client_finished_len; - p++; - - memcpy(p, s->s3->previous_client_finished, - s->s3->previous_client_finished_len); - - } - - *len = s->s3->previous_client_finished_len + 1; - - return 1; -} - -/* Parse the client's renegotiation binding and abort if it's not - right */ -int -ssl_parse_clienthello_renegotiate_ext(SSL *s, const unsigned char *d, int len, - int *al) -{ - CBS cbs, reneg; - - if (len < 0) { - SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT, - SSL_R_RENEGOTIATION_ENCODING_ERR); - *al = SSL_AD_ILLEGAL_PARAMETER; - return 0; - } - - CBS_init(&cbs, d, len); - if (!CBS_get_u8_length_prefixed(&cbs, &reneg) || - /* Consistency check */ - CBS_len(&cbs) != 0) { - SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT, - SSL_R_RENEGOTIATION_ENCODING_ERR); - *al = SSL_AD_ILLEGAL_PARAMETER; - return 0; - } - - /* Check that the extension matches */ - if (CBS_len(&reneg) != s->s3->previous_client_finished_len) { - SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT, - SSL_R_RENEGOTIATION_MISMATCH); - *al = SSL_AD_HANDSHAKE_FAILURE; - return 0; - } - - if (!CBS_mem_equal(&reneg, s->s3->previous_client_finished, - s->s3->previous_client_finished_len)) { - SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT, - SSL_R_RENEGOTIATION_MISMATCH); - *al = SSL_AD_HANDSHAKE_FAILURE; - return 0; - } - - s->s3->send_connection_binding = 1; - - return 1; -} - -/* Add the server's renegotiation binding */ -int -ssl_add_serverhello_renegotiate_ext(SSL *s, unsigned char *p, int *len, - int maxlen) -{ - if (p) { - if ((s->s3->previous_client_finished_len + - s->s3->previous_server_finished_len + 1) > maxlen) { - SSLerr(SSL_F_SSL_ADD_SERVERHELLO_RENEGOTIATE_EXT, - SSL_R_RENEGOTIATE_EXT_TOO_LONG); - return 0; - } - - /* Length byte */ - *p = s->s3->previous_client_finished_len + - s->s3->previous_server_finished_len; - p++; - - memcpy(p, s->s3->previous_client_finished, - s->s3->previous_client_finished_len); - p += s->s3->previous_client_finished_len; - - memcpy(p, s->s3->previous_server_finished, - s->s3->previous_server_finished_len); - - } - - *len = s->s3->previous_client_finished_len + - s->s3->previous_server_finished_len + 1; - - return 1; -} - -/* Parse the server's renegotiation binding and abort if it's not - right */ -int -ssl_parse_serverhello_renegotiate_ext(SSL *s, const unsigned char *d, int len, int *al) -{ - CBS cbs, reneg, previous_client, previous_server; - int expected_len = s->s3->previous_client_finished_len + - s->s3->previous_server_finished_len; - - /* Check for logic errors */ - OPENSSL_assert(!expected_len || s->s3->previous_client_finished_len); - OPENSSL_assert(!expected_len || s->s3->previous_server_finished_len); - - if (len < 0) { - SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT, - SSL_R_RENEGOTIATION_ENCODING_ERR); - *al = SSL_AD_ILLEGAL_PARAMETER; - return 0; - } - - CBS_init(&cbs, d, len); - - if (!CBS_get_u8_length_prefixed(&cbs, &reneg) || - /* Consistency check */ - CBS_len(&cbs) != 0) { - SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT, - SSL_R_RENEGOTIATION_ENCODING_ERR); - *al = SSL_AD_ILLEGAL_PARAMETER; - return 0; - } - - /* Check that the extension matches */ - if (CBS_len(&reneg) != expected_len || - !CBS_get_bytes(&reneg, &previous_client, - s->s3->previous_client_finished_len) || - !CBS_get_bytes(&reneg, &previous_server, - s->s3->previous_server_finished_len) || - CBS_len(&reneg) != 0) { - SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT, - SSL_R_RENEGOTIATION_MISMATCH); - *al = SSL_AD_HANDSHAKE_FAILURE; - return 0; - } - - if (!CBS_mem_equal(&previous_client, s->s3->previous_client_finished, - CBS_len(&previous_client))) { - SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT, - SSL_R_RENEGOTIATION_MISMATCH); - *al = SSL_AD_HANDSHAKE_FAILURE; - return 0; - } - if (!CBS_mem_equal(&previous_server, s->s3->previous_server_finished, - CBS_len(&previous_server))) { - SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT, - SSL_R_RENEGOTIATION_MISMATCH); - *al = SSL_AD_ILLEGAL_PARAMETER; - return 0; - } - - s->s3->send_connection_binding = 1; - - return 1; -} diff --git a/lib/libssl/src/ssl/t1_srvr.c b/lib/libssl/src/ssl/t1_srvr.c deleted file mode 100644 index 902cd93cd7c..00000000000 --- a/lib/libssl/src/ssl/t1_srvr.c +++ /dev/null @@ -1,238 +0,0 @@ -/* $OpenBSD: t1_srvr.c,v 1.19 2015/09/11 14:47:56 jsing Exp $ */ -/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) - * All rights reserved. - * - * This package is an SSL implementation written - * by Eric Young (eay@cryptsoft.com). - * The implementation was written so as to conform with Netscapes SSL. - * - * This library is free for commercial and non-commercial use as long as - * the following conditions are aheared to. The following conditions - * apply to all code found in this distribution, be it the RC4, RSA, - * lhash, DES, etc., code; not just the SSL code. The SSL documentation - * included with this distribution is covered by the same copyright terms - * except that the holder is Tim Hudson (tjh@cryptsoft.com). - * - * Copyright remains Eric Young's, and as such any Copyright notices in - * the code are not to be removed. - * If this package is used in a product, Eric Young should be given attribution - * as the author of the parts of the library used. - * This can be in the form of a textual message at program startup or - * in documentation (online or textual) provided with the package. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * "This product includes cryptographic software written by - * Eric Young (eay@cryptsoft.com)" - * The word 'cryptographic' can be left out if the rouines from the library - * being used are not cryptographic related :-). - * 4. If you include any Windows specific code (or a derivative thereof) from - * the apps directory (application code) you must include an acknowledgement: - * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" - * - * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * The licence and distribution terms for any publically available version or - * derivative of this code cannot be changed. i.e. this code cannot simply be - * copied and put under another distribution licence - * [including the GNU Public Licence.] - */ - -#include <stdio.h> - -#include "ssl_locl.h" - -#include <openssl/buffer.h> -#include <openssl/evp.h> -#include <openssl/objects.h> -#include <openssl/x509.h> - -static const SSL_METHOD *tls1_get_server_method(int ver); - -const SSL_METHOD TLS_server_method_data = { - .version = TLS1_2_VERSION, - .ssl_new = tls1_new, - .ssl_clear = tls1_clear, - .ssl_free = tls1_free, - .ssl_accept = ssl23_accept, - .ssl_connect = ssl_undefined_function, - .ssl_read = ssl23_read, - .ssl_peek = ssl23_peek, - .ssl_write = ssl23_write, - .ssl_shutdown = ssl_undefined_function, - .ssl_renegotiate = ssl_undefined_function, - .ssl_renegotiate_check = ssl_ok, - .ssl_get_message = ssl3_get_message, - .ssl_read_bytes = ssl3_read_bytes, - .ssl_write_bytes = ssl3_write_bytes, - .ssl_dispatch_alert = ssl3_dispatch_alert, - .ssl_ctrl = ssl3_ctrl, - .ssl_ctx_ctrl = ssl3_ctx_ctrl, - .get_cipher_by_char = ssl3_get_cipher_by_char, - .put_cipher_by_char = ssl3_put_cipher_by_char, - .ssl_pending = ssl_undefined_const_function, - .num_ciphers = ssl3_num_ciphers, - .get_cipher = ssl3_get_cipher, - .get_ssl_method = tls1_get_server_method, - .get_timeout = ssl23_default_timeout, - .ssl3_enc = &ssl3_undef_enc_method, - .ssl_version = ssl_undefined_void_function, - .ssl_callback_ctrl = ssl3_callback_ctrl, - .ssl_ctx_callback_ctrl = ssl3_ctx_callback_ctrl, -}; - -const SSL_METHOD TLSv1_server_method_data = { - .version = TLS1_VERSION, - .ssl_new = tls1_new, - .ssl_clear = tls1_clear, - .ssl_free = tls1_free, - .ssl_accept = ssl3_accept, - .ssl_connect = ssl_undefined_function, - .ssl_read = ssl3_read, - .ssl_peek = ssl3_peek, - .ssl_write = ssl3_write, - .ssl_shutdown = ssl3_shutdown, - .ssl_renegotiate = ssl3_renegotiate, - .ssl_renegotiate_check = ssl3_renegotiate_check, - .ssl_get_message = ssl3_get_message, - .ssl_read_bytes = ssl3_read_bytes, - .ssl_write_bytes = ssl3_write_bytes, - .ssl_dispatch_alert = ssl3_dispatch_alert, - .ssl_ctrl = ssl3_ctrl, - .ssl_ctx_ctrl = ssl3_ctx_ctrl, - .get_cipher_by_char = ssl3_get_cipher_by_char, - .put_cipher_by_char = ssl3_put_cipher_by_char, - .ssl_pending = ssl3_pending, - .num_ciphers = ssl3_num_ciphers, - .get_cipher = ssl3_get_cipher, - .get_ssl_method = tls1_get_server_method, - .get_timeout = tls1_default_timeout, - .ssl3_enc = &TLSv1_enc_data, - .ssl_version = ssl_undefined_void_function, - .ssl_callback_ctrl = ssl3_callback_ctrl, - .ssl_ctx_callback_ctrl = ssl3_ctx_callback_ctrl, -}; - -const SSL_METHOD TLSv1_1_server_method_data = { - .version = TLS1_1_VERSION, - .ssl_new = tls1_new, - .ssl_clear = tls1_clear, - .ssl_free = tls1_free, - .ssl_accept = ssl3_accept, - .ssl_connect = ssl_undefined_function, - .ssl_read = ssl3_read, - .ssl_peek = ssl3_peek, - .ssl_write = ssl3_write, - .ssl_shutdown = ssl3_shutdown, - .ssl_renegotiate = ssl3_renegotiate, - .ssl_renegotiate_check = ssl3_renegotiate_check, - .ssl_get_message = ssl3_get_message, - .ssl_read_bytes = ssl3_read_bytes, - .ssl_write_bytes = ssl3_write_bytes, - .ssl_dispatch_alert = ssl3_dispatch_alert, - .ssl_ctrl = ssl3_ctrl, - .ssl_ctx_ctrl = ssl3_ctx_ctrl, - .get_cipher_by_char = ssl3_get_cipher_by_char, - .put_cipher_by_char = ssl3_put_cipher_by_char, - .ssl_pending = ssl3_pending, - .num_ciphers = ssl3_num_ciphers, - .get_cipher = ssl3_get_cipher, - .get_ssl_method = tls1_get_server_method, - .get_timeout = tls1_default_timeout, - .ssl3_enc = &TLSv1_1_enc_data, - .ssl_version = ssl_undefined_void_function, - .ssl_callback_ctrl = ssl3_callback_ctrl, - .ssl_ctx_callback_ctrl = ssl3_ctx_callback_ctrl, -}; - -const SSL_METHOD TLSv1_2_server_method_data = { - .version = TLS1_2_VERSION, - .ssl_new = tls1_new, - .ssl_clear = tls1_clear, - .ssl_free = tls1_free, - .ssl_accept = ssl3_accept, - .ssl_connect = ssl_undefined_function, - .ssl_read = ssl3_read, - .ssl_peek = ssl3_peek, - .ssl_write = ssl3_write, - .ssl_shutdown = ssl3_shutdown, - .ssl_renegotiate = ssl3_renegotiate, - .ssl_renegotiate_check = ssl3_renegotiate_check, - .ssl_get_message = ssl3_get_message, - .ssl_read_bytes = ssl3_read_bytes, - .ssl_write_bytes = ssl3_write_bytes, - .ssl_dispatch_alert = ssl3_dispatch_alert, - .ssl_ctrl = ssl3_ctrl, - .ssl_ctx_ctrl = ssl3_ctx_ctrl, - .get_cipher_by_char = ssl3_get_cipher_by_char, - .put_cipher_by_char = ssl3_put_cipher_by_char, - .ssl_pending = ssl3_pending, - .num_ciphers = ssl3_num_ciphers, - .get_cipher = ssl3_get_cipher, - .get_ssl_method = tls1_get_server_method, - .get_timeout = tls1_default_timeout, - .ssl3_enc = &TLSv1_2_enc_data, - .ssl_version = ssl_undefined_void_function, - .ssl_callback_ctrl = ssl3_callback_ctrl, - .ssl_ctx_callback_ctrl = ssl3_ctx_callback_ctrl, -}; - -static const SSL_METHOD * -tls1_get_server_method(int ver) -{ - if (ver == TLS1_2_VERSION) - return (TLSv1_2_server_method()); - if (ver == TLS1_1_VERSION) - return (TLSv1_1_server_method()); - if (ver == TLS1_VERSION) - return (TLSv1_server_method()); - return (NULL); -} - -const SSL_METHOD * -SSLv23_server_method(void) -{ - return (TLS_server_method()); -} - -const SSL_METHOD * -TLS_server_method(void) -{ - return (&TLS_server_method_data); -} - -const SSL_METHOD * -TLSv1_server_method(void) -{ - return (&TLSv1_server_method_data); -} - -const SSL_METHOD * -TLSv1_1_server_method(void) -{ - return (&TLSv1_1_server_method_data); -} - -const SSL_METHOD * -TLSv1_2_server_method(void) -{ - return (&TLSv1_2_server_method_data); -} diff --git a/lib/libssl/src/ssl/tls1.h b/lib/libssl/src/ssl/tls1.h deleted file mode 100644 index e1231178661..00000000000 --- a/lib/libssl/src/ssl/tls1.h +++ /dev/null @@ -1,758 +0,0 @@ -/* $OpenBSD: tls1.h,v 1.28 2016/04/28 16:39:45 jsing Exp $ */ -/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) - * All rights reserved. - * - * This package is an SSL implementation written - * by Eric Young (eay@cryptsoft.com). - * The implementation was written so as to conform with Netscapes SSL. - * - * This library is free for commercial and non-commercial use as long as - * the following conditions are aheared to. The following conditions - * apply to all code found in this distribution, be it the RC4, RSA, - * lhash, DES, etc., code; not just the SSL code. The SSL documentation - * included with this distribution is covered by the same copyright terms - * except that the holder is Tim Hudson (tjh@cryptsoft.com). - * - * Copyright remains Eric Young's, and as such any Copyright notices in - * the code are not to be removed. - * If this package is used in a product, Eric Young should be given attribution - * as the author of the parts of the library used. - * This can be in the form of a textual message at program startup or - * in documentation (online or textual) provided with the package. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * "This product includes cryptographic software written by - * Eric Young (eay@cryptsoft.com)" - * The word 'cryptographic' can be left out if the rouines from the library - * being used are not cryptographic related :-). - * 4. If you include any Windows specific code (or a derivative thereof) from - * the apps directory (application code) you must include an acknowledgement: - * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" - * - * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * The licence and distribution terms for any publically available version or - * derivative of this code cannot be changed. i.e. this code cannot simply be - * copied and put under another distribution licence - * [including the GNU Public Licence.] - */ -/* ==================================================================== - * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * openssl-core@openssl.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.openssl.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ -/* ==================================================================== - * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. - * - * Portions of the attached software ("Contribution") are developed by - * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project. - * - * The Contribution is licensed pursuant to the OpenSSL open source - * license provided above. - * - * ECC cipher suite support in OpenSSL originally written by - * Vipul Gupta and Sumit Gupta of Sun Microsystems Laboratories. - * - */ -/* ==================================================================== - * Copyright 2005 Nokia. All rights reserved. - * - * The portions of the attached software ("Contribution") is developed by - * Nokia Corporation and is licensed pursuant to the OpenSSL open source - * license. - * - * The Contribution, originally written by Mika Kousa and Pasi Eronen of - * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites - * support (see RFC 4279) to OpenSSL. - * - * No patent licenses or other rights except those expressly stated in - * the OpenSSL open source license shall be deemed granted or received - * expressly, by implication, estoppel, or otherwise. - * - * No assurances are provided by Nokia that the Contribution does not - * infringe the patent or other intellectual property rights of any third - * party or that the license provides you with all the necessary rights - * to make use of the Contribution. - * - * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN - * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA - * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY - * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR - * OTHERWISE. - */ - -#ifndef HEADER_TLS1_H -#define HEADER_TLS1_H - -#include <openssl/buffer.h> - -#ifdef __cplusplus -extern "C" { -#endif - -#define TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES 0 - -#define TLS1_2_VERSION 0x0303 -#define TLS1_2_VERSION_MAJOR 0x03 -#define TLS1_2_VERSION_MINOR 0x03 - -#define TLS1_1_VERSION 0x0302 -#define TLS1_1_VERSION_MAJOR 0x03 -#define TLS1_1_VERSION_MINOR 0x02 - -#define TLS1_VERSION 0x0301 -#define TLS1_VERSION_MAJOR 0x03 -#define TLS1_VERSION_MINOR 0x01 - -#define TLS1_get_version(s) \ - ((s->version >> 8) == TLS1_VERSION_MAJOR ? s->version : 0) - -#define TLS1_get_client_version(s) \ - ((s->client_version >> 8) == TLS1_VERSION_MAJOR ? s->client_version : 0) - -/* - * TLS Alert codes. - * - * https://www.iana.org/assignments/tls-parameters/#tls-parameters-6 - */ - -#define TLS1_AD_DECRYPTION_FAILED 21 -#define TLS1_AD_RECORD_OVERFLOW 22 -#define TLS1_AD_UNKNOWN_CA 48 /* fatal */ -#define TLS1_AD_ACCESS_DENIED 49 /* fatal */ -#define TLS1_AD_DECODE_ERROR 50 /* fatal */ -#define TLS1_AD_DECRYPT_ERROR 51 -#define TLS1_AD_EXPORT_RESTRICTION 60 /* fatal */ -#define TLS1_AD_PROTOCOL_VERSION 70 /* fatal */ -#define TLS1_AD_INSUFFICIENT_SECURITY 71 /* fatal */ -#define TLS1_AD_INTERNAL_ERROR 80 /* fatal */ -/* Code 86 from RFC 7507. */ -#define TLS1_AD_INAPPROPRIATE_FALLBACK 86 /* fatal */ -#define TLS1_AD_USER_CANCELLED 90 -#define TLS1_AD_NO_RENEGOTIATION 100 -/* Codes 110-114 from RFC 3546. */ -#define TLS1_AD_UNSUPPORTED_EXTENSION 110 -#define TLS1_AD_CERTIFICATE_UNOBTAINABLE 111 -#define TLS1_AD_UNRECOGNIZED_NAME 112 -#define TLS1_AD_BAD_CERTIFICATE_STATUS_RESPONSE 113 -#define TLS1_AD_BAD_CERTIFICATE_HASH_VALUE 114 -/* Code 115 from RFC 4279. */ -#define TLS1_AD_UNKNOWN_PSK_IDENTITY 115 /* fatal */ - -/* - * TLS ExtensionType values. - * - * https://www.iana.org/assignments/tls-extensiontype-values/ - */ - -/* ExtensionType values from RFC 3546, RFC 4366 and RFC 6066. */ -#define TLSEXT_TYPE_server_name 0 -#define TLSEXT_TYPE_max_fragment_length 1 -#define TLSEXT_TYPE_client_certificate_url 2 -#define TLSEXT_TYPE_trusted_ca_keys 3 -#define TLSEXT_TYPE_truncated_hmac 4 -#define TLSEXT_TYPE_status_request 5 - -/* ExtensionType values from RFC 4681. */ -#define TLSEXT_TYPE_user_mapping 6 - -/* ExtensionType values from RFC 5878. */ -#define TLSEXT_TYPE_client_authz 7 -#define TLSEXT_TYPE_server_authz 8 - -/* ExtensionType values from RFC 6091. */ -#define TLSEXT_TYPE_cert_type 9 - -/* ExtensionType values from RFC 4492. */ -#define TLSEXT_TYPE_elliptic_curves 10 -#define TLSEXT_TYPE_ec_point_formats 11 - -/* ExtensionType value from RFC 5054. */ -#define TLSEXT_TYPE_srp 12 - -/* ExtensionType values from RFC 5246. */ -#define TLSEXT_TYPE_signature_algorithms 13 - -/* ExtensionType value from RFC 5764. */ -#define TLSEXT_TYPE_use_srtp 14 - -/* ExtensionType value from RFC 5620. */ -#define TLSEXT_TYPE_heartbeat 15 - -/* ExtensionType value from RFC 7301. */ -#define TLSEXT_TYPE_application_layer_protocol_negotiation 16 - -/* ExtensionType value for TLS padding extension. - * (TEMPORARY - registered 2014-03-12, expires 2015-03-12) - * https://tools.ietf.org/html/draft-agl-tls-padding-03 - */ -#define TLSEXT_TYPE_padding 21 - -/* ExtensionType value from RFC 4507. */ -#define TLSEXT_TYPE_session_ticket 35 - -/* Temporary extension type */ -#define TLSEXT_TYPE_renegotiate 0xff01 - -/* This is not an IANA defined extension number */ -#define TLSEXT_TYPE_next_proto_neg 13172 - -/* NameType value from RFC 3546. */ -#define TLSEXT_NAMETYPE_host_name 0 -/* status request value from RFC 3546 */ -#define TLSEXT_STATUSTYPE_ocsp 1 - -/* ECPointFormat values from RFC 4492. */ -#define TLSEXT_ECPOINTFORMAT_first 0 -#define TLSEXT_ECPOINTFORMAT_uncompressed 0 -#define TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime 1 -#define TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2 2 -#define TLSEXT_ECPOINTFORMAT_last 2 - -/* Signature and hash algorithms from RFC 5246. */ - -#define TLSEXT_signature_anonymous 0 -#define TLSEXT_signature_rsa 1 -#define TLSEXT_signature_dsa 2 -#define TLSEXT_signature_ecdsa 3 -/* FIXME IANA */ -#define TLSEXT_signature_gostr01 237 -#define TLSEXT_signature_gostr12_256 238 -#define TLSEXT_signature_gostr12_512 239 - -#define TLSEXT_hash_none 0 -#define TLSEXT_hash_md5 1 -#define TLSEXT_hash_sha1 2 -#define TLSEXT_hash_sha224 3 -#define TLSEXT_hash_sha256 4 -#define TLSEXT_hash_sha384 5 -#define TLSEXT_hash_sha512 6 -/* FIXME IANA */ -#define TLSEXT_hash_gost94 237 -#define TLSEXT_hash_streebog_256 238 -#define TLSEXT_hash_streebog_512 239 - -#define TLSEXT_MAXLEN_host_name 255 - -const char *SSL_get_servername(const SSL *s, const int type); -int SSL_get_servername_type(const SSL *s); -/* SSL_export_keying_material exports a value derived from the master secret, - * as specified in RFC 5705. It writes |olen| bytes to |out| given a label and - * optional context. (Since a zero length context is allowed, the |use_context| - * flag controls whether a context is included.) - * - * It returns 1 on success and zero otherwise. - */ -int SSL_export_keying_material(SSL *s, unsigned char *out, size_t olen, - const char *label, size_t llen, const unsigned char *p, size_t plen, - int use_context); - -#define SSL_set_tlsext_host_name(s,name) \ -SSL_ctrl(s,SSL_CTRL_SET_TLSEXT_HOSTNAME,TLSEXT_NAMETYPE_host_name,(char *)name) - -#define SSL_set_tlsext_debug_callback(ssl, cb) \ -SSL_callback_ctrl(ssl,SSL_CTRL_SET_TLSEXT_DEBUG_CB,(void (*)(void))cb) - -#define SSL_set_tlsext_debug_arg(ssl, arg) \ -SSL_ctrl(ssl,SSL_CTRL_SET_TLSEXT_DEBUG_ARG,0, (void *)arg) - -#define SSL_set_tlsext_status_type(ssl, type) \ -SSL_ctrl(ssl,SSL_CTRL_SET_TLSEXT_STATUS_REQ_TYPE,type, NULL) - -#define SSL_get_tlsext_status_exts(ssl, arg) \ -SSL_ctrl(ssl,SSL_CTRL_GET_TLSEXT_STATUS_REQ_EXTS,0, (void *)arg) - -#define SSL_set_tlsext_status_exts(ssl, arg) \ -SSL_ctrl(ssl,SSL_CTRL_SET_TLSEXT_STATUS_REQ_EXTS,0, (void *)arg) - -#define SSL_get_tlsext_status_ids(ssl, arg) \ -SSL_ctrl(ssl,SSL_CTRL_GET_TLSEXT_STATUS_REQ_IDS,0, (void *)arg) - -#define SSL_set_tlsext_status_ids(ssl, arg) \ -SSL_ctrl(ssl,SSL_CTRL_SET_TLSEXT_STATUS_REQ_IDS,0, (void *)arg) - -#define SSL_get_tlsext_status_ocsp_resp(ssl, arg) \ -SSL_ctrl(ssl,SSL_CTRL_GET_TLSEXT_STATUS_REQ_OCSP_RESP,0, (void *)arg) - -#define SSL_set_tlsext_status_ocsp_resp(ssl, arg, arglen) \ -SSL_ctrl(ssl,SSL_CTRL_SET_TLSEXT_STATUS_REQ_OCSP_RESP,arglen, (void *)arg) - -#define SSL_CTX_set_tlsext_servername_callback(ctx, cb) \ -SSL_CTX_callback_ctrl(ctx,SSL_CTRL_SET_TLSEXT_SERVERNAME_CB,(void (*)(void))cb) - -#define SSL_TLSEXT_ERR_OK 0 -#define SSL_TLSEXT_ERR_ALERT_WARNING 1 -#define SSL_TLSEXT_ERR_ALERT_FATAL 2 -#define SSL_TLSEXT_ERR_NOACK 3 - -#define SSL_CTX_set_tlsext_servername_arg(ctx, arg) \ -SSL_CTX_ctrl(ctx,SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG,0, (void *)arg) - -#define SSL_CTX_get_tlsext_ticket_keys(ctx, keys, keylen) \ - SSL_CTX_ctrl((ctx),SSL_CTRL_GET_TLSEXT_TICKET_KEYS,(keylen),(keys)) -#define SSL_CTX_set_tlsext_ticket_keys(ctx, keys, keylen) \ - SSL_CTX_ctrl((ctx),SSL_CTRL_SET_TLSEXT_TICKET_KEYS,(keylen),(keys)) - -#define SSL_CTX_set_tlsext_status_cb(ssl, cb) \ -SSL_CTX_callback_ctrl(ssl,SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB,(void (*)(void))cb) - -#define SSL_CTX_set_tlsext_status_arg(ssl, arg) \ -SSL_CTX_ctrl(ssl,SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB_ARG,0, (void *)arg) - -#define SSL_CTX_set_tlsext_ticket_key_cb(ssl, cb) \ -SSL_CTX_callback_ctrl(ssl,SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB,(void (*)(void))cb) - -/* PSK ciphersuites from RFC 4279. */ -#define TLS1_CK_PSK_WITH_RC4_128_SHA 0x0300008A -#define TLS1_CK_PSK_WITH_3DES_EDE_CBC_SHA 0x0300008B -#define TLS1_CK_PSK_WITH_AES_128_CBC_SHA 0x0300008C -#define TLS1_CK_PSK_WITH_AES_256_CBC_SHA 0x0300008D - -/* Additional TLS ciphersuites from expired Internet Draft - * draft-ietf-tls-56-bit-ciphersuites-01.txt - * (available if TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES is defined, see - * s3_lib.c). We actually treat them like SSL 3.0 ciphers, which we probably - * shouldn't. Note that the first two are actually not in the IDs. */ -#define TLS1_CK_RSA_EXPORT1024_WITH_RC4_56_MD5 0x03000060 /* not in ID */ -#define TLS1_CK_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5 0x03000061 /* not in ID */ -#define TLS1_CK_RSA_EXPORT1024_WITH_DES_CBC_SHA 0x03000062 -#define TLS1_CK_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA 0x03000063 -#define TLS1_CK_RSA_EXPORT1024_WITH_RC4_56_SHA 0x03000064 -#define TLS1_CK_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA 0x03000065 -#define TLS1_CK_DHE_DSS_WITH_RC4_128_SHA 0x03000066 - -/* AES ciphersuites from RFC 3268. */ - -#define TLS1_CK_RSA_WITH_AES_128_SHA 0x0300002F -#define TLS1_CK_DH_DSS_WITH_AES_128_SHA 0x03000030 -#define TLS1_CK_DH_RSA_WITH_AES_128_SHA 0x03000031 -#define TLS1_CK_DHE_DSS_WITH_AES_128_SHA 0x03000032 -#define TLS1_CK_DHE_RSA_WITH_AES_128_SHA 0x03000033 -#define TLS1_CK_ADH_WITH_AES_128_SHA 0x03000034 - -#define TLS1_CK_RSA_WITH_AES_256_SHA 0x03000035 -#define TLS1_CK_DH_DSS_WITH_AES_256_SHA 0x03000036 -#define TLS1_CK_DH_RSA_WITH_AES_256_SHA 0x03000037 -#define TLS1_CK_DHE_DSS_WITH_AES_256_SHA 0x03000038 -#define TLS1_CK_DHE_RSA_WITH_AES_256_SHA 0x03000039 -#define TLS1_CK_ADH_WITH_AES_256_SHA 0x0300003A - -/* TLS v1.2 ciphersuites */ -#define TLS1_CK_RSA_WITH_NULL_SHA256 0x0300003B -#define TLS1_CK_RSA_WITH_AES_128_SHA256 0x0300003C -#define TLS1_CK_RSA_WITH_AES_256_SHA256 0x0300003D -#define TLS1_CK_DH_DSS_WITH_AES_128_SHA256 0x0300003E -#define TLS1_CK_DH_RSA_WITH_AES_128_SHA256 0x0300003F -#define TLS1_CK_DHE_DSS_WITH_AES_128_SHA256 0x03000040 - -/* Camellia ciphersuites from RFC 4132. */ -#define TLS1_CK_RSA_WITH_CAMELLIA_128_CBC_SHA 0x03000041 -#define TLS1_CK_DH_DSS_WITH_CAMELLIA_128_CBC_SHA 0x03000042 -#define TLS1_CK_DH_RSA_WITH_CAMELLIA_128_CBC_SHA 0x03000043 -#define TLS1_CK_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA 0x03000044 -#define TLS1_CK_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA 0x03000045 -#define TLS1_CK_ADH_WITH_CAMELLIA_128_CBC_SHA 0x03000046 - -/* TLS v1.2 ciphersuites */ -#define TLS1_CK_DHE_RSA_WITH_AES_128_SHA256 0x03000067 -#define TLS1_CK_DH_DSS_WITH_AES_256_SHA256 0x03000068 -#define TLS1_CK_DH_RSA_WITH_AES_256_SHA256 0x03000069 -#define TLS1_CK_DHE_DSS_WITH_AES_256_SHA256 0x0300006A -#define TLS1_CK_DHE_RSA_WITH_AES_256_SHA256 0x0300006B -#define TLS1_CK_ADH_WITH_AES_128_SHA256 0x0300006C -#define TLS1_CK_ADH_WITH_AES_256_SHA256 0x0300006D - -/* Camellia ciphersuites from RFC 4132. */ -#define TLS1_CK_RSA_WITH_CAMELLIA_256_CBC_SHA 0x03000084 -#define TLS1_CK_DH_DSS_WITH_CAMELLIA_256_CBC_SHA 0x03000085 -#define TLS1_CK_DH_RSA_WITH_CAMELLIA_256_CBC_SHA 0x03000086 -#define TLS1_CK_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA 0x03000087 -#define TLS1_CK_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA 0x03000088 -#define TLS1_CK_ADH_WITH_CAMELLIA_256_CBC_SHA 0x03000089 - -/* SEED ciphersuites from RFC 4162. */ -#define TLS1_CK_RSA_WITH_SEED_SHA 0x03000096 -#define TLS1_CK_DH_DSS_WITH_SEED_SHA 0x03000097 -#define TLS1_CK_DH_RSA_WITH_SEED_SHA 0x03000098 -#define TLS1_CK_DHE_DSS_WITH_SEED_SHA 0x03000099 -#define TLS1_CK_DHE_RSA_WITH_SEED_SHA 0x0300009A -#define TLS1_CK_ADH_WITH_SEED_SHA 0x0300009B - -/* TLS v1.2 GCM ciphersuites from RFC 5288. */ -#define TLS1_CK_RSA_WITH_AES_128_GCM_SHA256 0x0300009C -#define TLS1_CK_RSA_WITH_AES_256_GCM_SHA384 0x0300009D -#define TLS1_CK_DHE_RSA_WITH_AES_128_GCM_SHA256 0x0300009E -#define TLS1_CK_DHE_RSA_WITH_AES_256_GCM_SHA384 0x0300009F -#define TLS1_CK_DH_RSA_WITH_AES_128_GCM_SHA256 0x030000A0 -#define TLS1_CK_DH_RSA_WITH_AES_256_GCM_SHA384 0x030000A1 -#define TLS1_CK_DHE_DSS_WITH_AES_128_GCM_SHA256 0x030000A2 -#define TLS1_CK_DHE_DSS_WITH_AES_256_GCM_SHA384 0x030000A3 -#define TLS1_CK_DH_DSS_WITH_AES_128_GCM_SHA256 0x030000A4 -#define TLS1_CK_DH_DSS_WITH_AES_256_GCM_SHA384 0x030000A5 -#define TLS1_CK_ADH_WITH_AES_128_GCM_SHA256 0x030000A6 -#define TLS1_CK_ADH_WITH_AES_256_GCM_SHA384 0x030000A7 - -/* TLS 1.2 Camellia SHA-256 ciphersuites from RFC5932 */ -#define TLS1_CK_RSA_WITH_CAMELLIA_128_CBC_SHA256 0x030000BA -#define TLS1_CK_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256 0x030000BB -#define TLS1_CK_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256 0x030000BC -#define TLS1_CK_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256 0x030000BD -#define TLS1_CK_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 0x030000BE -#define TLS1_CK_ADH_WITH_CAMELLIA_128_CBC_SHA256 0x030000BF - -#define TLS1_CK_RSA_WITH_CAMELLIA_256_CBC_SHA256 0x030000C0 -#define TLS1_CK_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256 0x030000C1 -#define TLS1_CK_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256 0x030000C2 -#define TLS1_CK_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256 0x030000C3 -#define TLS1_CK_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 0x030000C4 -#define TLS1_CK_ADH_WITH_CAMELLIA_256_CBC_SHA256 0x030000C5 - -/* ECC ciphersuites from RFC 4492. */ -#define TLS1_CK_ECDH_ECDSA_WITH_NULL_SHA 0x0300C001 -#define TLS1_CK_ECDH_ECDSA_WITH_RC4_128_SHA 0x0300C002 -#define TLS1_CK_ECDH_ECDSA_WITH_DES_192_CBC3_SHA 0x0300C003 -#define TLS1_CK_ECDH_ECDSA_WITH_AES_128_CBC_SHA 0x0300C004 -#define TLS1_CK_ECDH_ECDSA_WITH_AES_256_CBC_SHA 0x0300C005 - -#define TLS1_CK_ECDHE_ECDSA_WITH_NULL_SHA 0x0300C006 -#define TLS1_CK_ECDHE_ECDSA_WITH_RC4_128_SHA 0x0300C007 -#define TLS1_CK_ECDHE_ECDSA_WITH_DES_192_CBC3_SHA 0x0300C008 -#define TLS1_CK_ECDHE_ECDSA_WITH_AES_128_CBC_SHA 0x0300C009 -#define TLS1_CK_ECDHE_ECDSA_WITH_AES_256_CBC_SHA 0x0300C00A - -#define TLS1_CK_ECDH_RSA_WITH_NULL_SHA 0x0300C00B -#define TLS1_CK_ECDH_RSA_WITH_RC4_128_SHA 0x0300C00C -#define TLS1_CK_ECDH_RSA_WITH_DES_192_CBC3_SHA 0x0300C00D -#define TLS1_CK_ECDH_RSA_WITH_AES_128_CBC_SHA 0x0300C00E -#define TLS1_CK_ECDH_RSA_WITH_AES_256_CBC_SHA 0x0300C00F - -#define TLS1_CK_ECDHE_RSA_WITH_NULL_SHA 0x0300C010 -#define TLS1_CK_ECDHE_RSA_WITH_RC4_128_SHA 0x0300C011 -#define TLS1_CK_ECDHE_RSA_WITH_DES_192_CBC3_SHA 0x0300C012 -#define TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA 0x0300C013 -#define TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA 0x0300C014 - -#define TLS1_CK_ECDH_anon_WITH_NULL_SHA 0x0300C015 -#define TLS1_CK_ECDH_anon_WITH_RC4_128_SHA 0x0300C016 -#define TLS1_CK_ECDH_anon_WITH_DES_192_CBC3_SHA 0x0300C017 -#define TLS1_CK_ECDH_anon_WITH_AES_128_CBC_SHA 0x0300C018 -#define TLS1_CK_ECDH_anon_WITH_AES_256_CBC_SHA 0x0300C019 - -/* SRP ciphersuites from RFC 5054. */ -#define TLS1_CK_SRP_SHA_WITH_3DES_EDE_CBC_SHA 0x0300C01A -#define TLS1_CK_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA 0x0300C01B -#define TLS1_CK_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA 0x0300C01C -#define TLS1_CK_SRP_SHA_WITH_AES_128_CBC_SHA 0x0300C01D -#define TLS1_CK_SRP_SHA_RSA_WITH_AES_128_CBC_SHA 0x0300C01E -#define TLS1_CK_SRP_SHA_DSS_WITH_AES_128_CBC_SHA 0x0300C01F -#define TLS1_CK_SRP_SHA_WITH_AES_256_CBC_SHA 0x0300C020 -#define TLS1_CK_SRP_SHA_RSA_WITH_AES_256_CBC_SHA 0x0300C021 -#define TLS1_CK_SRP_SHA_DSS_WITH_AES_256_CBC_SHA 0x0300C022 - -/* ECDH HMAC based ciphersuites from RFC 5289. */ -#define TLS1_CK_ECDHE_ECDSA_WITH_AES_128_SHA256 0x0300C023 -#define TLS1_CK_ECDHE_ECDSA_WITH_AES_256_SHA384 0x0300C024 -#define TLS1_CK_ECDH_ECDSA_WITH_AES_128_SHA256 0x0300C025 -#define TLS1_CK_ECDH_ECDSA_WITH_AES_256_SHA384 0x0300C026 -#define TLS1_CK_ECDHE_RSA_WITH_AES_128_SHA256 0x0300C027 -#define TLS1_CK_ECDHE_RSA_WITH_AES_256_SHA384 0x0300C028 -#define TLS1_CK_ECDH_RSA_WITH_AES_128_SHA256 0x0300C029 -#define TLS1_CK_ECDH_RSA_WITH_AES_256_SHA384 0x0300C02A - -/* ECDH GCM based ciphersuites from RFC 5289. */ -#define TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 0x0300C02B -#define TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 0x0300C02C -#define TLS1_CK_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 0x0300C02D -#define TLS1_CK_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 0x0300C02E -#define TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256 0x0300C02F -#define TLS1_CK_ECDHE_RSA_WITH_AES_256_GCM_SHA384 0x0300C030 -#define TLS1_CK_ECDH_RSA_WITH_AES_128_GCM_SHA256 0x0300C031 -#define TLS1_CK_ECDH_RSA_WITH_AES_256_GCM_SHA384 0x0300C032 - -/* ChaCha20-Poly1305 based ciphersuites. */ -#define TLS1_CK_ECDHE_RSA_CHACHA20_POLY1305_OLD 0x0300CC13 -#define TLS1_CK_ECDHE_ECDSA_CHACHA20_POLY1305_OLD 0x0300CC14 -#define TLS1_CK_DHE_RSA_CHACHA20_POLY1305_OLD 0x0300CC15 -#define TLS1_CK_ECDHE_RSA_CHACHA20_POLY1305 0x0300CCA8 -#define TLS1_CK_ECDHE_ECDSA_CHACHA20_POLY1305 0x0300CCA9 -#define TLS1_CK_DHE_RSA_CHACHA20_POLY1305 0x0300CCAA - -#define TLS1_TXT_RSA_EXPORT1024_WITH_RC4_56_MD5 "EXP1024-RC4-MD5" -#define TLS1_TXT_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5 "EXP1024-RC2-CBC-MD5" -#define TLS1_TXT_RSA_EXPORT1024_WITH_DES_CBC_SHA "EXP1024-DES-CBC-SHA" -#define TLS1_TXT_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA "EXP1024-DHE-DSS-DES-CBC-SHA" -#define TLS1_TXT_RSA_EXPORT1024_WITH_RC4_56_SHA "EXP1024-RC4-SHA" -#define TLS1_TXT_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA "EXP1024-DHE-DSS-RC4-SHA" -#define TLS1_TXT_DHE_DSS_WITH_RC4_128_SHA "DHE-DSS-RC4-SHA" - -/* AES ciphersuites from RFC 3268. */ -#define TLS1_TXT_RSA_WITH_AES_128_SHA "AES128-SHA" -#define TLS1_TXT_DH_DSS_WITH_AES_128_SHA "DH-DSS-AES128-SHA" -#define TLS1_TXT_DH_RSA_WITH_AES_128_SHA "DH-RSA-AES128-SHA" -#define TLS1_TXT_DHE_DSS_WITH_AES_128_SHA "DHE-DSS-AES128-SHA" -#define TLS1_TXT_DHE_RSA_WITH_AES_128_SHA "DHE-RSA-AES128-SHA" -#define TLS1_TXT_ADH_WITH_AES_128_SHA "ADH-AES128-SHA" - -#define TLS1_TXT_RSA_WITH_AES_256_SHA "AES256-SHA" -#define TLS1_TXT_DH_DSS_WITH_AES_256_SHA "DH-DSS-AES256-SHA" -#define TLS1_TXT_DH_RSA_WITH_AES_256_SHA "DH-RSA-AES256-SHA" -#define TLS1_TXT_DHE_DSS_WITH_AES_256_SHA "DHE-DSS-AES256-SHA" -#define TLS1_TXT_DHE_RSA_WITH_AES_256_SHA "DHE-RSA-AES256-SHA" -#define TLS1_TXT_ADH_WITH_AES_256_SHA "ADH-AES256-SHA" - -/* ECC ciphersuites from draft-ietf-tls-ecc-01.txt (Mar 15, 2001) */ -#define TLS1_TXT_ECDH_ECDSA_WITH_NULL_SHA "ECDH-ECDSA-NULL-SHA" -#define TLS1_TXT_ECDH_ECDSA_WITH_RC4_128_SHA "ECDH-ECDSA-RC4-SHA" -#define TLS1_TXT_ECDH_ECDSA_WITH_DES_192_CBC3_SHA "ECDH-ECDSA-DES-CBC3-SHA" -#define TLS1_TXT_ECDH_ECDSA_WITH_AES_128_CBC_SHA "ECDH-ECDSA-AES128-SHA" -#define TLS1_TXT_ECDH_ECDSA_WITH_AES_256_CBC_SHA "ECDH-ECDSA-AES256-SHA" - -#define TLS1_TXT_ECDHE_ECDSA_WITH_NULL_SHA "ECDHE-ECDSA-NULL-SHA" -#define TLS1_TXT_ECDHE_ECDSA_WITH_RC4_128_SHA "ECDHE-ECDSA-RC4-SHA" -#define TLS1_TXT_ECDHE_ECDSA_WITH_DES_192_CBC3_SHA "ECDHE-ECDSA-DES-CBC3-SHA" -#define TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CBC_SHA "ECDHE-ECDSA-AES128-SHA" -#define TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_CBC_SHA "ECDHE-ECDSA-AES256-SHA" - -#define TLS1_TXT_ECDH_RSA_WITH_NULL_SHA "ECDH-RSA-NULL-SHA" -#define TLS1_TXT_ECDH_RSA_WITH_RC4_128_SHA "ECDH-RSA-RC4-SHA" -#define TLS1_TXT_ECDH_RSA_WITH_DES_192_CBC3_SHA "ECDH-RSA-DES-CBC3-SHA" -#define TLS1_TXT_ECDH_RSA_WITH_AES_128_CBC_SHA "ECDH-RSA-AES128-SHA" -#define TLS1_TXT_ECDH_RSA_WITH_AES_256_CBC_SHA "ECDH-RSA-AES256-SHA" - -#define TLS1_TXT_ECDHE_RSA_WITH_NULL_SHA "ECDHE-RSA-NULL-SHA" -#define TLS1_TXT_ECDHE_RSA_WITH_RC4_128_SHA "ECDHE-RSA-RC4-SHA" -#define TLS1_TXT_ECDHE_RSA_WITH_DES_192_CBC3_SHA "ECDHE-RSA-DES-CBC3-SHA" -#define TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA "ECDHE-RSA-AES128-SHA" -#define TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA "ECDHE-RSA-AES256-SHA" - -#define TLS1_TXT_ECDH_anon_WITH_NULL_SHA "AECDH-NULL-SHA" -#define TLS1_TXT_ECDH_anon_WITH_RC4_128_SHA "AECDH-RC4-SHA" -#define TLS1_TXT_ECDH_anon_WITH_DES_192_CBC3_SHA "AECDH-DES-CBC3-SHA" -#define TLS1_TXT_ECDH_anon_WITH_AES_128_CBC_SHA "AECDH-AES128-SHA" -#define TLS1_TXT_ECDH_anon_WITH_AES_256_CBC_SHA "AECDH-AES256-SHA" - -/* PSK ciphersuites from RFC 4279. */ -#define TLS1_TXT_PSK_WITH_RC4_128_SHA "PSK-RC4-SHA" -#define TLS1_TXT_PSK_WITH_3DES_EDE_CBC_SHA "PSK-3DES-EDE-CBC-SHA" -#define TLS1_TXT_PSK_WITH_AES_128_CBC_SHA "PSK-AES128-CBC-SHA" -#define TLS1_TXT_PSK_WITH_AES_256_CBC_SHA "PSK-AES256-CBC-SHA" - -/* SRP ciphersuite from RFC 5054. */ -#define TLS1_TXT_SRP_SHA_WITH_3DES_EDE_CBC_SHA "SRP-3DES-EDE-CBC-SHA" -#define TLS1_TXT_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA "SRP-RSA-3DES-EDE-CBC-SHA" -#define TLS1_TXT_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA "SRP-DSS-3DES-EDE-CBC-SHA" -#define TLS1_TXT_SRP_SHA_WITH_AES_128_CBC_SHA "SRP-AES-128-CBC-SHA" -#define TLS1_TXT_SRP_SHA_RSA_WITH_AES_128_CBC_SHA "SRP-RSA-AES-128-CBC-SHA" -#define TLS1_TXT_SRP_SHA_DSS_WITH_AES_128_CBC_SHA "SRP-DSS-AES-128-CBC-SHA" -#define TLS1_TXT_SRP_SHA_WITH_AES_256_CBC_SHA "SRP-AES-256-CBC-SHA" -#define TLS1_TXT_SRP_SHA_RSA_WITH_AES_256_CBC_SHA "SRP-RSA-AES-256-CBC-SHA" -#define TLS1_TXT_SRP_SHA_DSS_WITH_AES_256_CBC_SHA "SRP-DSS-AES-256-CBC-SHA" - -/* Camellia ciphersuites from RFC 4132. */ -#define TLS1_TXT_RSA_WITH_CAMELLIA_128_CBC_SHA "CAMELLIA128-SHA" -#define TLS1_TXT_DH_DSS_WITH_CAMELLIA_128_CBC_SHA "DH-DSS-CAMELLIA128-SHA" -#define TLS1_TXT_DH_RSA_WITH_CAMELLIA_128_CBC_SHA "DH-RSA-CAMELLIA128-SHA" -#define TLS1_TXT_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA "DHE-DSS-CAMELLIA128-SHA" -#define TLS1_TXT_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA "DHE-RSA-CAMELLIA128-SHA" -#define TLS1_TXT_ADH_WITH_CAMELLIA_128_CBC_SHA "ADH-CAMELLIA128-SHA" - -#define TLS1_TXT_RSA_WITH_CAMELLIA_256_CBC_SHA "CAMELLIA256-SHA" -#define TLS1_TXT_DH_DSS_WITH_CAMELLIA_256_CBC_SHA "DH-DSS-CAMELLIA256-SHA" -#define TLS1_TXT_DH_RSA_WITH_CAMELLIA_256_CBC_SHA "DH-RSA-CAMELLIA256-SHA" -#define TLS1_TXT_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA "DHE-DSS-CAMELLIA256-SHA" -#define TLS1_TXT_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA "DHE-RSA-CAMELLIA256-SHA" -#define TLS1_TXT_ADH_WITH_CAMELLIA_256_CBC_SHA "ADH-CAMELLIA256-SHA" - -/* TLS 1.2 Camellia SHA-256 ciphersuites from RFC5932 */ -#define TLS1_TXT_RSA_WITH_CAMELLIA_128_CBC_SHA256 "CAMELLIA128-SHA256" -#define TLS1_TXT_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256 "DH-DSS-CAMELLIA128-SHA256" -#define TLS1_TXT_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256 "DH-RSA-CAMELLIA128-SHA256" -#define TLS1_TXT_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256 "DHE-DSS-CAMELLIA128-SHA256" -#define TLS1_TXT_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 "DHE-RSA-CAMELLIA128-SHA256" -#define TLS1_TXT_ADH_WITH_CAMELLIA_128_CBC_SHA256 "ADH-CAMELLIA128-SHA256" - -#define TLS1_TXT_RSA_WITH_CAMELLIA_256_CBC_SHA256 "CAMELLIA256-SHA256" -#define TLS1_TXT_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256 "DH-DSS-CAMELLIA256-SHA256" -#define TLS1_TXT_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256 "DH-RSA-CAMELLIA256-SHA256" -#define TLS1_TXT_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256 "DHE-DSS-CAMELLIA256-SHA256" -#define TLS1_TXT_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 "DHE-RSA-CAMELLIA256-SHA256" -#define TLS1_TXT_ADH_WITH_CAMELLIA_256_CBC_SHA256 "ADH-CAMELLIA256-SHA256" - -/* SEED ciphersuites from RFC 4162. */ -#define TLS1_TXT_RSA_WITH_SEED_SHA "SEED-SHA" -#define TLS1_TXT_DH_DSS_WITH_SEED_SHA "DH-DSS-SEED-SHA" -#define TLS1_TXT_DH_RSA_WITH_SEED_SHA "DH-RSA-SEED-SHA" -#define TLS1_TXT_DHE_DSS_WITH_SEED_SHA "DHE-DSS-SEED-SHA" -#define TLS1_TXT_DHE_RSA_WITH_SEED_SHA "DHE-RSA-SEED-SHA" -#define TLS1_TXT_ADH_WITH_SEED_SHA "ADH-SEED-SHA" - -/* TLS v1.2 ciphersuites. */ -#define TLS1_TXT_RSA_WITH_NULL_SHA256 "NULL-SHA256" -#define TLS1_TXT_RSA_WITH_AES_128_SHA256 "AES128-SHA256" -#define TLS1_TXT_RSA_WITH_AES_256_SHA256 "AES256-SHA256" -#define TLS1_TXT_DH_DSS_WITH_AES_128_SHA256 "DH-DSS-AES128-SHA256" -#define TLS1_TXT_DH_RSA_WITH_AES_128_SHA256 "DH-RSA-AES128-SHA256" -#define TLS1_TXT_DHE_DSS_WITH_AES_128_SHA256 "DHE-DSS-AES128-SHA256" -#define TLS1_TXT_DHE_RSA_WITH_AES_128_SHA256 "DHE-RSA-AES128-SHA256" -#define TLS1_TXT_DH_DSS_WITH_AES_256_SHA256 "DH-DSS-AES256-SHA256" -#define TLS1_TXT_DH_RSA_WITH_AES_256_SHA256 "DH-RSA-AES256-SHA256" -#define TLS1_TXT_DHE_DSS_WITH_AES_256_SHA256 "DHE-DSS-AES256-SHA256" -#define TLS1_TXT_DHE_RSA_WITH_AES_256_SHA256 "DHE-RSA-AES256-SHA256" -#define TLS1_TXT_ADH_WITH_AES_128_SHA256 "ADH-AES128-SHA256" -#define TLS1_TXT_ADH_WITH_AES_256_SHA256 "ADH-AES256-SHA256" - -/* TLS v1.2 GCM ciphersuites from RFC 5288. */ -#define TLS1_TXT_RSA_WITH_AES_128_GCM_SHA256 "AES128-GCM-SHA256" -#define TLS1_TXT_RSA_WITH_AES_256_GCM_SHA384 "AES256-GCM-SHA384" -#define TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256 "DHE-RSA-AES128-GCM-SHA256" -#define TLS1_TXT_DHE_RSA_WITH_AES_256_GCM_SHA384 "DHE-RSA-AES256-GCM-SHA384" -#define TLS1_TXT_DH_RSA_WITH_AES_128_GCM_SHA256 "DH-RSA-AES128-GCM-SHA256" -#define TLS1_TXT_DH_RSA_WITH_AES_256_GCM_SHA384 "DH-RSA-AES256-GCM-SHA384" -#define TLS1_TXT_DHE_DSS_WITH_AES_128_GCM_SHA256 "DHE-DSS-AES128-GCM-SHA256" -#define TLS1_TXT_DHE_DSS_WITH_AES_256_GCM_SHA384 "DHE-DSS-AES256-GCM-SHA384" -#define TLS1_TXT_DH_DSS_WITH_AES_128_GCM_SHA256 "DH-DSS-AES128-GCM-SHA256" -#define TLS1_TXT_DH_DSS_WITH_AES_256_GCM_SHA384 "DH-DSS-AES256-GCM-SHA384" -#define TLS1_TXT_ADH_WITH_AES_128_GCM_SHA256 "ADH-AES128-GCM-SHA256" -#define TLS1_TXT_ADH_WITH_AES_256_GCM_SHA384 "ADH-AES256-GCM-SHA384" - -/* ECDH HMAC based ciphersuites from RFC 5289. */ - -#define TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_SHA256 "ECDHE-ECDSA-AES128-SHA256" -#define TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_SHA384 "ECDHE-ECDSA-AES256-SHA384" -#define TLS1_TXT_ECDH_ECDSA_WITH_AES_128_SHA256 "ECDH-ECDSA-AES128-SHA256" -#define TLS1_TXT_ECDH_ECDSA_WITH_AES_256_SHA384 "ECDH-ECDSA-AES256-SHA384" -#define TLS1_TXT_ECDHE_RSA_WITH_AES_128_SHA256 "ECDHE-RSA-AES128-SHA256" -#define TLS1_TXT_ECDHE_RSA_WITH_AES_256_SHA384 "ECDHE-RSA-AES256-SHA384" -#define TLS1_TXT_ECDH_RSA_WITH_AES_128_SHA256 "ECDH-RSA-AES128-SHA256" -#define TLS1_TXT_ECDH_RSA_WITH_AES_256_SHA384 "ECDH-RSA-AES256-SHA384" - -/* ECDH GCM based ciphersuites from RFC 5289. */ -#define TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 "ECDHE-ECDSA-AES128-GCM-SHA256" -#define TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 "ECDHE-ECDSA-AES256-GCM-SHA384" -#define TLS1_TXT_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 "ECDH-ECDSA-AES128-GCM-SHA256" -#define TLS1_TXT_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 "ECDH-ECDSA-AES256-GCM-SHA384" -#define TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 "ECDHE-RSA-AES128-GCM-SHA256" -#define TLS1_TXT_ECDHE_RSA_WITH_AES_256_GCM_SHA384 "ECDHE-RSA-AES256-GCM-SHA384" -#define TLS1_TXT_ECDH_RSA_WITH_AES_128_GCM_SHA256 "ECDH-RSA-AES128-GCM-SHA256" -#define TLS1_TXT_ECDH_RSA_WITH_AES_256_GCM_SHA384 "ECDH-RSA-AES256-GCM-SHA384" - -/* ChaCha20-Poly1305 based ciphersuites. */ -#define TLS1_TXT_ECDHE_RSA_WITH_CHACHA20_POLY1305_OLD "ECDHE-RSA-CHACHA20-POLY1305-OLD" -#define TLS1_TXT_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_OLD "ECDHE-ECDSA-CHACHA20-POLY1305-OLD" -#define TLS1_TXT_DHE_RSA_WITH_CHACHA20_POLY1305_OLD "DHE-RSA-CHACHA20-POLY1305-OLD" -#define TLS1_TXT_ECDHE_RSA_WITH_CHACHA20_POLY1305 "ECDHE-RSA-CHACHA20-POLY1305" -#define TLS1_TXT_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 "ECDHE-ECDSA-CHACHA20-POLY1305" -#define TLS1_TXT_DHE_RSA_WITH_CHACHA20_POLY1305 "DHE-RSA-CHACHA20-POLY1305" - -#define TLS_CT_RSA_SIGN 1 -#define TLS_CT_DSS_SIGN 2 -#define TLS_CT_RSA_FIXED_DH 3 -#define TLS_CT_DSS_FIXED_DH 4 -#define TLS_CT_ECDSA_SIGN 64 -#define TLS_CT_RSA_FIXED_ECDH 65 -#define TLS_CT_ECDSA_FIXED_ECDH 66 -#define TLS_CT_GOST94_SIGN 21 -#define TLS_CT_GOST01_SIGN 22 -#define TLS_CT_GOST12_256_SIGN 238 /* FIXME: IANA */ -#define TLS_CT_GOST12_512_SIGN 239 /* FIXME: IANA */ -/* when correcting this number, correct also SSL3_CT_NUMBER in ssl3.h (see - * comment there) */ -#define TLS_CT_NUMBER 11 - -#define TLS1_FINISH_MAC_LENGTH 12 - -#define TLS_MD_MAX_CONST_SIZE 20 -#define TLS_MD_CLIENT_FINISH_CONST "client finished" -#define TLS_MD_CLIENT_FINISH_CONST_SIZE 15 -#define TLS_MD_SERVER_FINISH_CONST "server finished" -#define TLS_MD_SERVER_FINISH_CONST_SIZE 15 -#define TLS_MD_SERVER_WRITE_KEY_CONST "server write key" -#define TLS_MD_SERVER_WRITE_KEY_CONST_SIZE 16 -#define TLS_MD_KEY_EXPANSION_CONST "key expansion" -#define TLS_MD_KEY_EXPANSION_CONST_SIZE 13 -#define TLS_MD_CLIENT_WRITE_KEY_CONST "client write key" -#define TLS_MD_CLIENT_WRITE_KEY_CONST_SIZE 16 -#define TLS_MD_SERVER_WRITE_KEY_CONST "server write key" -#define TLS_MD_SERVER_WRITE_KEY_CONST_SIZE 16 -#define TLS_MD_IV_BLOCK_CONST "IV block" -#define TLS_MD_IV_BLOCK_CONST_SIZE 8 -#define TLS_MD_MASTER_SECRET_CONST "master secret" -#define TLS_MD_MASTER_SECRET_CONST_SIZE 13 - -/* TLS Session Ticket extension struct. */ -struct tls_session_ticket_ext_st { - unsigned short length; - void *data; -}; - -#ifdef __cplusplus -} -#endif -#endif |