summaryrefslogtreecommitdiffstats
path: root/lib/libssl/src/ssl
diff options
context:
space:
mode:
authorbeck <beck@openbsd.org>1999-09-29 04:35:07 +0000
committerbeck <beck@openbsd.org>1999-09-29 04:35:07 +0000
commit913ec974266f8a62ab2e5ca34a31d6e6f75b3cf0 (patch)
tree62c001f84cb6413a049c5c811a08bfbe7c747b77 /lib/libssl/src/ssl
parentfix byte counters; imain@netidea.com (diff)
downloadwireguard-openbsd-913ec974266f8a62ab2e5ca34a31d6e6f75b3cf0.tar.xz
wireguard-openbsd-913ec974266f8a62ab2e5ca34a31d6e6f75b3cf0.zip
OpenSSL 0.9.4 merge
Diffstat (limited to 'lib/libssl/src/ssl')
-rw-r--r--lib/libssl/src/ssl/Makefile.ssl772
-rw-r--r--lib/libssl/src/ssl/bio_ssl.c62
-rw-r--r--lib/libssl/src/ssl/install.com102
-rw-r--r--lib/libssl/src/ssl/readme277
-rw-r--r--lib/libssl/src/ssl/s23_clnt.c55
-rw-r--r--lib/libssl/src/ssl/s23_lib.c52
-rw-r--r--lib/libssl/src/ssl/s23_meth.c10
-rw-r--r--lib/libssl/src/ssl/s23_pkt.c13
-rw-r--r--lib/libssl/src/ssl/s23_srvr.c72
-rw-r--r--lib/libssl/src/ssl/s2_clnt.c174
-rw-r--r--lib/libssl/src/ssl/s2_enc.c19
-rw-r--r--lib/libssl/src/ssl/s2_lib.c102
-rw-r--r--lib/libssl/src/ssl/s2_meth.c13
-rw-r--r--lib/libssl/src/ssl/s2_pkt.c101
-rw-r--r--lib/libssl/src/ssl/s2_srvr.c162
-rw-r--r--lib/libssl/src/ssl/s3_both.c85
-rw-r--r--lib/libssl/src/ssl/s3_clnt.c363
-rw-r--r--lib/libssl/src/ssl/s3_enc.c176
-rw-r--r--lib/libssl/src/ssl/s3_lib.c382
-rw-r--r--lib/libssl/src/ssl/s3_meth.c10
-rw-r--r--lib/libssl/src/ssl/s3_pkt.c160
-rw-r--r--lib/libssl/src/ssl/s3_srvr.c336
-rw-r--r--lib/libssl/src/ssl/ssl-lib.com1200
-rw-r--r--lib/libssl/src/ssl/ssl.c172
-rw-r--r--lib/libssl/src/ssl/ssl.err290
-rw-r--r--lib/libssl/src/ssl/ssl.h1161
-rw-r--r--lib/libssl/src/ssl/ssl2.h6
-rw-r--r--lib/libssl/src/ssl/ssl3.h32
-rw-r--r--lib/libssl/src/ssl/ssl_algs.c23
-rw-r--r--lib/libssl/src/ssl/ssl_asn1.c44
-rw-r--r--lib/libssl/src/ssl/ssl_cert.c537
-rw-r--r--lib/libssl/src/ssl/ssl_ciph.c193
-rw-r--r--lib/libssl/src/ssl/ssl_err.c158
-rw-r--r--lib/libssl/src/ssl/ssl_err2.c6
-rw-r--r--lib/libssl/src/ssl/ssl_lib.c1016
-rw-r--r--lib/libssl/src/ssl/ssl_locl.h299
-rw-r--r--lib/libssl/src/ssl/ssl_rsa.c332
-rw-r--r--lib/libssl/src/ssl/ssl_sess.c257
-rw-r--r--lib/libssl/src/ssl/ssl_stat.c42
-rw-r--r--lib/libssl/src/ssl/ssl_task.c20
-rw-r--r--lib/libssl/src/ssl/ssl_txt.c61
-rw-r--r--lib/libssl/src/ssl/ssltest.c510
-rw-r--r--lib/libssl/src/ssl/t1_clnt.c16
-rw-r--r--lib/libssl/src/ssl/t1_enc.c188
-rw-r--r--lib/libssl/src/ssl/t1_lib.c24
-rw-r--r--lib/libssl/src/ssl/t1_meth.c10
-rw-r--r--lib/libssl/src/ssl/t1_srvr.c18
-rw-r--r--lib/libssl/src/ssl/tls1.h40
48 files changed, 6388 insertions, 3765 deletions
diff --git a/lib/libssl/src/ssl/Makefile.ssl b/lib/libssl/src/ssl/Makefile.ssl
index f4b13bf83b8..7f9c6ead8a8 100644
--- a/lib/libssl/src/ssl/Makefile.ssl
+++ b/lib/libssl/src/ssl/Makefile.ssl
@@ -7,17 +7,17 @@ TOP= ..
CC= cc
INCLUDES= -I../crypto -I../include
CFLAG=-g
+INSTALL_PREFIX=
+OPENSSLDIR= /usr/local/ssl
INSTALLTOP=/usr/local/ssl
MAKE= make -f Makefile.ssl
-MAKEDEPEND= makedepend -f Makefile.ssl
+MAKEDEPEND= $(TOP)/util/domd $(TOP)
MAKEFILE= Makefile.ssl
AR= ar r
CFLAGS= $(INCLUDES) $(CFLAG)
-ERR=ssl
-ERRC=ssl_err
-GENERAL=Makefile README
+GENERAL=Makefile README ssl-lib.com install.com
TEST=ssltest.c
APPS=
@@ -30,7 +30,7 @@ LIBSRC= \
ssl_lib.c ssl_err2.c ssl_cert.c ssl_sess.c \
ssl_ciph.c ssl_stat.c ssl_rsa.c \
ssl_asn1.c ssl_txt.c ssl_algs.c \
- bio_ssl.c $(ERRC).c
+ bio_ssl.c ssl_err.c
LIBOBJ= \
s2_meth.o s2_srvr.o s2_clnt.o s2_lib.o s2_enc.o s2_pkt.o \
s3_meth.o s3_srvr.o s3_clnt.o s3_lib.o s3_enc.o s3_pkt.o s3_both.o \
@@ -39,7 +39,7 @@ LIBOBJ= \
ssl_lib.o ssl_err2.o ssl_cert.o ssl_sess.o \
ssl_ciph.o ssl_stat.o ssl_rsa.o \
ssl_asn1.o ssl_txt.o ssl_algs.o \
- bio_ssl.o $(ERRC).o
+ bio_ssl.o ssl_err.o
SRC= $(LIBSRC)
@@ -55,24 +55,23 @@ all: lib
lib: $(LIBOBJ)
$(AR) $(LIB) $(LIBOBJ)
- sh $(TOP)/util/ranlib.sh $(LIB)
+ $(RANLIB) $(LIB)
@touch lib
files:
- perl $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO
+ $(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO
links:
- /bin/rm -f Makefile
- $(TOP)/util/point.sh Makefile.ssl Makefile ;
- $(TOP)/util/mklink.sh ../include $(EXHEADER)
- $(TOP)/util/mklink.sh ../test $(TEST)
- $(TOP)/util/mklink.sh ../apps $(APPS)
+ @$(TOP)/util/point.sh Makefile.ssl Makefile
+ @$(PERL) $(TOP)/util/mklink.pl ../include/openssl $(EXHEADER)
+ @$(PERL) $(TOP)/util/mklink.pl ../test $(TEST)
+ @$(PERL) $(TOP)/util/mklink.pl ../apps $(APPS)
install:
@for i in $(EXHEADER) ; \
do \
- (cp $$i $(INSTALLTOP)/include/$$i; \
- chmod 644 $(INSTALLTOP)/include/$$i ); \
+ (cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
+ chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
done;
tags:
@@ -84,17 +83,746 @@ lint:
lint -DLINT $(INCLUDES) $(SRC)>fluff
depend:
- $(MAKEDEPEND) $(INCLUDES) $(PROGS) $(LIBSRC)
+ $(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
dclean:
- perl -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
+ $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
mv -f Makefile.new $(MAKEFILE)
clean:
- /bin/rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
-
-errors:
- perl $(TOP)/util/err-ins.pl $(ERR).err $(ERR).h
- perl ../crypto/err/err_genc.pl -s $(ERR).h $(ERRC).c
+ rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
# DO NOT DELETE THIS LINE -- make depend depends on it.
+
+bio_ssl.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+bio_ssl.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+bio_ssl.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+bio_ssl.o: ../include/openssl/crypto.h ../include/openssl/des.h
+bio_ssl.o: ../include/openssl/dh.h ../include/openssl/dsa.h
+bio_ssl.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+bio_ssl.o: ../include/openssl/evp.h ../include/openssl/idea.h
+bio_ssl.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+bio_ssl.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+bio_ssl.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+bio_ssl.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+bio_ssl.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+bio_ssl.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+bio_ssl.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+bio_ssl.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+bio_ssl.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+bio_ssl.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+bio_ssl.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+bio_ssl.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+bio_ssl.o: ../include/openssl/x509_vfy.h
+s23_clnt.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+s23_clnt.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+s23_clnt.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+s23_clnt.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+s23_clnt.o: ../include/openssl/des.h ../include/openssl/dh.h
+s23_clnt.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
+s23_clnt.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+s23_clnt.o: ../include/openssl/evp.h ../include/openssl/idea.h
+s23_clnt.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+s23_clnt.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+s23_clnt.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+s23_clnt.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+s23_clnt.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+s23_clnt.o: ../include/openssl/rand.h ../include/openssl/rc2.h
+s23_clnt.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
+s23_clnt.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
+s23_clnt.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+s23_clnt.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+s23_clnt.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
+s23_clnt.o: ../include/openssl/stack.h ../include/openssl/tls1.h
+s23_clnt.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssl_locl.h
+s23_lib.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+s23_lib.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+s23_lib.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+s23_lib.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+s23_lib.o: ../include/openssl/des.h ../include/openssl/dh.h
+s23_lib.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
+s23_lib.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+s23_lib.o: ../include/openssl/evp.h ../include/openssl/idea.h
+s23_lib.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+s23_lib.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+s23_lib.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+s23_lib.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+s23_lib.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+s23_lib.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+s23_lib.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+s23_lib.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+s23_lib.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+s23_lib.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+s23_lib.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+s23_lib.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+s23_lib.o: ../include/openssl/x509_vfy.h ssl_locl.h
+s23_meth.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+s23_meth.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+s23_meth.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+s23_meth.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+s23_meth.o: ../include/openssl/des.h ../include/openssl/dh.h
+s23_meth.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
+s23_meth.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+s23_meth.o: ../include/openssl/evp.h ../include/openssl/idea.h
+s23_meth.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+s23_meth.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+s23_meth.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+s23_meth.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+s23_meth.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+s23_meth.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+s23_meth.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+s23_meth.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+s23_meth.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+s23_meth.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+s23_meth.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+s23_meth.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+s23_meth.o: ../include/openssl/x509_vfy.h ssl_locl.h
+s23_pkt.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+s23_pkt.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+s23_pkt.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+s23_pkt.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+s23_pkt.o: ../include/openssl/des.h ../include/openssl/dh.h
+s23_pkt.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
+s23_pkt.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+s23_pkt.o: ../include/openssl/evp.h ../include/openssl/idea.h
+s23_pkt.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+s23_pkt.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+s23_pkt.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+s23_pkt.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+s23_pkt.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+s23_pkt.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+s23_pkt.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+s23_pkt.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+s23_pkt.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+s23_pkt.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+s23_pkt.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+s23_pkt.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+s23_pkt.o: ../include/openssl/x509_vfy.h ssl_locl.h
+s23_srvr.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+s23_srvr.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+s23_srvr.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+s23_srvr.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+s23_srvr.o: ../include/openssl/des.h ../include/openssl/dh.h
+s23_srvr.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
+s23_srvr.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+s23_srvr.o: ../include/openssl/evp.h ../include/openssl/idea.h
+s23_srvr.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+s23_srvr.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+s23_srvr.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+s23_srvr.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+s23_srvr.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+s23_srvr.o: ../include/openssl/rand.h ../include/openssl/rc2.h
+s23_srvr.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
+s23_srvr.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
+s23_srvr.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+s23_srvr.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+s23_srvr.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
+s23_srvr.o: ../include/openssl/stack.h ../include/openssl/tls1.h
+s23_srvr.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssl_locl.h
+s2_clnt.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+s2_clnt.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+s2_clnt.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+s2_clnt.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+s2_clnt.o: ../include/openssl/des.h ../include/openssl/dh.h
+s2_clnt.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
+s2_clnt.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+s2_clnt.o: ../include/openssl/evp.h ../include/openssl/idea.h
+s2_clnt.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+s2_clnt.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+s2_clnt.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+s2_clnt.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+s2_clnt.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+s2_clnt.o: ../include/openssl/rand.h ../include/openssl/rc2.h
+s2_clnt.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
+s2_clnt.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
+s2_clnt.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+s2_clnt.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+s2_clnt.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
+s2_clnt.o: ../include/openssl/stack.h ../include/openssl/tls1.h
+s2_clnt.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssl_locl.h
+s2_enc.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+s2_enc.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+s2_enc.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+s2_enc.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+s2_enc.o: ../include/openssl/des.h ../include/openssl/dh.h
+s2_enc.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
+s2_enc.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+s2_enc.o: ../include/openssl/evp.h ../include/openssl/idea.h
+s2_enc.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+s2_enc.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+s2_enc.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+s2_enc.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+s2_enc.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+s2_enc.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+s2_enc.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+s2_enc.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+s2_enc.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+s2_enc.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+s2_enc.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+s2_enc.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+s2_enc.o: ../include/openssl/x509_vfy.h ssl_locl.h
+s2_lib.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+s2_lib.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+s2_lib.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+s2_lib.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+s2_lib.o: ../include/openssl/des.h ../include/openssl/dh.h
+s2_lib.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
+s2_lib.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+s2_lib.o: ../include/openssl/evp.h ../include/openssl/idea.h
+s2_lib.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+s2_lib.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+s2_lib.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+s2_lib.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+s2_lib.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+s2_lib.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+s2_lib.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+s2_lib.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+s2_lib.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+s2_lib.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+s2_lib.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+s2_lib.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+s2_lib.o: ../include/openssl/x509_vfy.h ssl_locl.h
+s2_meth.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+s2_meth.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+s2_meth.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+s2_meth.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+s2_meth.o: ../include/openssl/des.h ../include/openssl/dh.h
+s2_meth.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
+s2_meth.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+s2_meth.o: ../include/openssl/evp.h ../include/openssl/idea.h
+s2_meth.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+s2_meth.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+s2_meth.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+s2_meth.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+s2_meth.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+s2_meth.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+s2_meth.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+s2_meth.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+s2_meth.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+s2_meth.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+s2_meth.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+s2_meth.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+s2_meth.o: ../include/openssl/x509_vfy.h ssl_locl.h
+s2_pkt.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+s2_pkt.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+s2_pkt.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+s2_pkt.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+s2_pkt.o: ../include/openssl/des.h ../include/openssl/dh.h
+s2_pkt.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
+s2_pkt.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+s2_pkt.o: ../include/openssl/evp.h ../include/openssl/idea.h
+s2_pkt.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+s2_pkt.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+s2_pkt.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+s2_pkt.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+s2_pkt.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+s2_pkt.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+s2_pkt.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+s2_pkt.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+s2_pkt.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+s2_pkt.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+s2_pkt.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+s2_pkt.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+s2_pkt.o: ../include/openssl/x509_vfy.h ssl_locl.h
+s2_srvr.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+s2_srvr.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+s2_srvr.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+s2_srvr.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+s2_srvr.o: ../include/openssl/des.h ../include/openssl/dh.h
+s2_srvr.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
+s2_srvr.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+s2_srvr.o: ../include/openssl/evp.h ../include/openssl/idea.h
+s2_srvr.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+s2_srvr.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+s2_srvr.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+s2_srvr.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+s2_srvr.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+s2_srvr.o: ../include/openssl/rand.h ../include/openssl/rc2.h
+s2_srvr.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
+s2_srvr.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
+s2_srvr.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+s2_srvr.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+s2_srvr.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
+s2_srvr.o: ../include/openssl/stack.h ../include/openssl/tls1.h
+s2_srvr.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssl_locl.h
+s3_both.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+s3_both.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+s3_both.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+s3_both.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+s3_both.o: ../include/openssl/des.h ../include/openssl/dh.h
+s3_both.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
+s3_both.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+s3_both.o: ../include/openssl/evp.h ../include/openssl/idea.h
+s3_both.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+s3_both.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+s3_both.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+s3_both.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+s3_both.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+s3_both.o: ../include/openssl/rand.h ../include/openssl/rc2.h
+s3_both.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
+s3_both.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
+s3_both.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+s3_both.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+s3_both.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
+s3_both.o: ../include/openssl/stack.h ../include/openssl/tls1.h
+s3_both.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssl_locl.h
+s3_clnt.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+s3_clnt.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+s3_clnt.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+s3_clnt.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+s3_clnt.o: ../include/openssl/des.h ../include/openssl/dh.h
+s3_clnt.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
+s3_clnt.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+s3_clnt.o: ../include/openssl/evp.h ../include/openssl/idea.h
+s3_clnt.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+s3_clnt.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+s3_clnt.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+s3_clnt.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+s3_clnt.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+s3_clnt.o: ../include/openssl/rand.h ../include/openssl/rc2.h
+s3_clnt.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
+s3_clnt.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
+s3_clnt.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+s3_clnt.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+s3_clnt.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
+s3_clnt.o: ../include/openssl/stack.h ../include/openssl/tls1.h
+s3_clnt.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssl_locl.h
+s3_enc.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+s3_enc.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+s3_enc.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+s3_enc.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+s3_enc.o: ../include/openssl/des.h ../include/openssl/dh.h
+s3_enc.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
+s3_enc.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+s3_enc.o: ../include/openssl/evp.h ../include/openssl/idea.h
+s3_enc.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+s3_enc.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+s3_enc.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+s3_enc.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+s3_enc.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+s3_enc.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+s3_enc.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+s3_enc.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+s3_enc.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+s3_enc.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+s3_enc.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+s3_enc.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+s3_enc.o: ../include/openssl/x509_vfy.h ssl_locl.h
+s3_lib.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+s3_lib.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+s3_lib.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+s3_lib.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+s3_lib.o: ../include/openssl/des.h ../include/openssl/dh.h
+s3_lib.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
+s3_lib.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+s3_lib.o: ../include/openssl/evp.h ../include/openssl/idea.h
+s3_lib.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+s3_lib.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+s3_lib.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+s3_lib.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+s3_lib.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+s3_lib.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+s3_lib.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+s3_lib.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+s3_lib.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+s3_lib.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+s3_lib.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+s3_lib.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+s3_lib.o: ../include/openssl/x509_vfy.h ssl_locl.h
+s3_meth.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+s3_meth.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+s3_meth.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+s3_meth.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+s3_meth.o: ../include/openssl/des.h ../include/openssl/dh.h
+s3_meth.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
+s3_meth.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+s3_meth.o: ../include/openssl/evp.h ../include/openssl/idea.h
+s3_meth.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+s3_meth.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+s3_meth.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+s3_meth.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+s3_meth.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+s3_meth.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+s3_meth.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+s3_meth.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+s3_meth.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+s3_meth.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+s3_meth.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+s3_meth.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+s3_meth.o: ../include/openssl/x509_vfy.h ssl_locl.h
+s3_pkt.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+s3_pkt.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+s3_pkt.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+s3_pkt.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+s3_pkt.o: ../include/openssl/des.h ../include/openssl/dh.h
+s3_pkt.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
+s3_pkt.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+s3_pkt.o: ../include/openssl/evp.h ../include/openssl/idea.h
+s3_pkt.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+s3_pkt.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+s3_pkt.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+s3_pkt.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+s3_pkt.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+s3_pkt.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+s3_pkt.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+s3_pkt.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+s3_pkt.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+s3_pkt.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+s3_pkt.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+s3_pkt.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+s3_pkt.o: ../include/openssl/x509_vfy.h ssl_locl.h
+s3_srvr.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+s3_srvr.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+s3_srvr.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+s3_srvr.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+s3_srvr.o: ../include/openssl/des.h ../include/openssl/dh.h
+s3_srvr.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
+s3_srvr.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+s3_srvr.o: ../include/openssl/evp.h ../include/openssl/idea.h
+s3_srvr.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+s3_srvr.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+s3_srvr.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+s3_srvr.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+s3_srvr.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+s3_srvr.o: ../include/openssl/rand.h ../include/openssl/rc2.h
+s3_srvr.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
+s3_srvr.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
+s3_srvr.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+s3_srvr.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+s3_srvr.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
+s3_srvr.o: ../include/openssl/stack.h ../include/openssl/tls1.h
+s3_srvr.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssl_locl.h
+ssl_algs.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+ssl_algs.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+ssl_algs.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+ssl_algs.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+ssl_algs.o: ../include/openssl/des.h ../include/openssl/dh.h
+ssl_algs.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
+ssl_algs.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+ssl_algs.o: ../include/openssl/evp.h ../include/openssl/idea.h
+ssl_algs.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+ssl_algs.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+ssl_algs.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+ssl_algs.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+ssl_algs.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+ssl_algs.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+ssl_algs.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+ssl_algs.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+ssl_algs.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+ssl_algs.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+ssl_algs.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+ssl_algs.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+ssl_algs.o: ../include/openssl/x509_vfy.h ssl_locl.h
+ssl_asn1.o: ../include/openssl/asn1.h ../include/openssl/asn1_mac.h
+ssl_asn1.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
+ssl_asn1.o: ../include/openssl/bn.h ../include/openssl/buffer.h
+ssl_asn1.o: ../include/openssl/cast.h ../include/openssl/comp.h
+ssl_asn1.o: ../include/openssl/crypto.h ../include/openssl/des.h
+ssl_asn1.o: ../include/openssl/dh.h ../include/openssl/dsa.h
+ssl_asn1.o: ../include/openssl/e_os.h ../include/openssl/e_os2.h
+ssl_asn1.o: ../include/openssl/err.h ../include/openssl/evp.h
+ssl_asn1.o: ../include/openssl/idea.h ../include/openssl/lhash.h
+ssl_asn1.o: ../include/openssl/md2.h ../include/openssl/md5.h
+ssl_asn1.o: ../include/openssl/mdc2.h ../include/openssl/objects.h
+ssl_asn1.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+ssl_asn1.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+ssl_asn1.o: ../include/openssl/pkcs7.h ../include/openssl/rc2.h
+ssl_asn1.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
+ssl_asn1.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
+ssl_asn1.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+ssl_asn1.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+ssl_asn1.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
+ssl_asn1.o: ../include/openssl/stack.h ../include/openssl/tls1.h
+ssl_asn1.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssl_locl.h
+ssl_cert.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+ssl_cert.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+ssl_cert.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+ssl_cert.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+ssl_cert.o: ../include/openssl/des.h ../include/openssl/dh.h
+ssl_cert.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
+ssl_cert.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+ssl_cert.o: ../include/openssl/evp.h ../include/openssl/idea.h
+ssl_cert.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+ssl_cert.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+ssl_cert.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+ssl_cert.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+ssl_cert.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+ssl_cert.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+ssl_cert.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+ssl_cert.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+ssl_cert.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+ssl_cert.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+ssl_cert.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+ssl_cert.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+ssl_cert.o: ../include/openssl/x509_vfy.h ssl_locl.h
+ssl_ciph.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+ssl_ciph.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+ssl_ciph.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+ssl_ciph.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+ssl_ciph.o: ../include/openssl/des.h ../include/openssl/dh.h
+ssl_ciph.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
+ssl_ciph.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+ssl_ciph.o: ../include/openssl/evp.h ../include/openssl/idea.h
+ssl_ciph.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+ssl_ciph.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+ssl_ciph.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+ssl_ciph.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+ssl_ciph.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+ssl_ciph.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+ssl_ciph.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+ssl_ciph.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+ssl_ciph.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+ssl_ciph.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+ssl_ciph.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+ssl_ciph.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+ssl_ciph.o: ../include/openssl/x509_vfy.h ssl_locl.h
+ssl_err.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+ssl_err.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+ssl_err.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+ssl_err.o: ../include/openssl/crypto.h ../include/openssl/des.h
+ssl_err.o: ../include/openssl/dh.h ../include/openssl/dsa.h
+ssl_err.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+ssl_err.o: ../include/openssl/evp.h ../include/openssl/idea.h
+ssl_err.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+ssl_err.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+ssl_err.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+ssl_err.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+ssl_err.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+ssl_err.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+ssl_err.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+ssl_err.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+ssl_err.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+ssl_err.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+ssl_err.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+ssl_err.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+ssl_err.o: ../include/openssl/x509_vfy.h
+ssl_err2.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+ssl_err2.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+ssl_err2.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+ssl_err2.o: ../include/openssl/crypto.h ../include/openssl/des.h
+ssl_err2.o: ../include/openssl/dh.h ../include/openssl/dsa.h
+ssl_err2.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+ssl_err2.o: ../include/openssl/evp.h ../include/openssl/idea.h
+ssl_err2.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+ssl_err2.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+ssl_err2.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+ssl_err2.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+ssl_err2.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+ssl_err2.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+ssl_err2.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+ssl_err2.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+ssl_err2.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+ssl_err2.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+ssl_err2.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+ssl_err2.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+ssl_err2.o: ../include/openssl/x509_vfy.h
+ssl_lib.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+ssl_lib.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+ssl_lib.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+ssl_lib.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+ssl_lib.o: ../include/openssl/des.h ../include/openssl/dh.h
+ssl_lib.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
+ssl_lib.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+ssl_lib.o: ../include/openssl/evp.h ../include/openssl/idea.h
+ssl_lib.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+ssl_lib.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+ssl_lib.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+ssl_lib.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+ssl_lib.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+ssl_lib.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+ssl_lib.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+ssl_lib.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+ssl_lib.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+ssl_lib.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+ssl_lib.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+ssl_lib.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+ssl_lib.o: ../include/openssl/x509_vfy.h ssl_locl.h
+ssl_rsa.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+ssl_rsa.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+ssl_rsa.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+ssl_rsa.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+ssl_rsa.o: ../include/openssl/des.h ../include/openssl/dh.h
+ssl_rsa.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
+ssl_rsa.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+ssl_rsa.o: ../include/openssl/evp.h ../include/openssl/idea.h
+ssl_rsa.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+ssl_rsa.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+ssl_rsa.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+ssl_rsa.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+ssl_rsa.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+ssl_rsa.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+ssl_rsa.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+ssl_rsa.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+ssl_rsa.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+ssl_rsa.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+ssl_rsa.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+ssl_rsa.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+ssl_rsa.o: ../include/openssl/x509_vfy.h ssl_locl.h
+ssl_sess.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+ssl_sess.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+ssl_sess.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+ssl_sess.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+ssl_sess.o: ../include/openssl/des.h ../include/openssl/dh.h
+ssl_sess.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
+ssl_sess.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+ssl_sess.o: ../include/openssl/evp.h ../include/openssl/idea.h
+ssl_sess.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+ssl_sess.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+ssl_sess.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+ssl_sess.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+ssl_sess.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+ssl_sess.o: ../include/openssl/rand.h ../include/openssl/rc2.h
+ssl_sess.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
+ssl_sess.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
+ssl_sess.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+ssl_sess.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+ssl_sess.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
+ssl_sess.o: ../include/openssl/stack.h ../include/openssl/tls1.h
+ssl_sess.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssl_locl.h
+ssl_stat.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+ssl_stat.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+ssl_stat.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+ssl_stat.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+ssl_stat.o: ../include/openssl/des.h ../include/openssl/dh.h
+ssl_stat.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
+ssl_stat.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+ssl_stat.o: ../include/openssl/evp.h ../include/openssl/idea.h
+ssl_stat.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+ssl_stat.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+ssl_stat.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+ssl_stat.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+ssl_stat.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+ssl_stat.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+ssl_stat.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+ssl_stat.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+ssl_stat.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+ssl_stat.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+ssl_stat.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+ssl_stat.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+ssl_stat.o: ../include/openssl/x509_vfy.h ssl_locl.h
+ssl_txt.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+ssl_txt.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+ssl_txt.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+ssl_txt.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+ssl_txt.o: ../include/openssl/des.h ../include/openssl/dh.h
+ssl_txt.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
+ssl_txt.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+ssl_txt.o: ../include/openssl/evp.h ../include/openssl/idea.h
+ssl_txt.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+ssl_txt.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+ssl_txt.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+ssl_txt.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+ssl_txt.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+ssl_txt.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+ssl_txt.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+ssl_txt.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+ssl_txt.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+ssl_txt.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+ssl_txt.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+ssl_txt.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+ssl_txt.o: ../include/openssl/x509_vfy.h ssl_locl.h
+t1_clnt.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+t1_clnt.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+t1_clnt.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+t1_clnt.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+t1_clnt.o: ../include/openssl/des.h ../include/openssl/dh.h
+t1_clnt.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
+t1_clnt.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+t1_clnt.o: ../include/openssl/evp.h ../include/openssl/idea.h
+t1_clnt.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+t1_clnt.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+t1_clnt.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+t1_clnt.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+t1_clnt.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+t1_clnt.o: ../include/openssl/rand.h ../include/openssl/rc2.h
+t1_clnt.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
+t1_clnt.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
+t1_clnt.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+t1_clnt.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+t1_clnt.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
+t1_clnt.o: ../include/openssl/stack.h ../include/openssl/tls1.h
+t1_clnt.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssl_locl.h
+t1_enc.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+t1_enc.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+t1_enc.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+t1_enc.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+t1_enc.o: ../include/openssl/des.h ../include/openssl/dh.h
+t1_enc.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
+t1_enc.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+t1_enc.o: ../include/openssl/evp.h ../include/openssl/hmac.h
+t1_enc.o: ../include/openssl/idea.h ../include/openssl/lhash.h
+t1_enc.o: ../include/openssl/md2.h ../include/openssl/md5.h
+t1_enc.o: ../include/openssl/mdc2.h ../include/openssl/objects.h
+t1_enc.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+t1_enc.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+t1_enc.o: ../include/openssl/pkcs7.h ../include/openssl/rc2.h
+t1_enc.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
+t1_enc.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
+t1_enc.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+t1_enc.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+t1_enc.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
+t1_enc.o: ../include/openssl/stack.h ../include/openssl/tls1.h
+t1_enc.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssl_locl.h
+t1_lib.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+t1_lib.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+t1_lib.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+t1_lib.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+t1_lib.o: ../include/openssl/des.h ../include/openssl/dh.h
+t1_lib.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
+t1_lib.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+t1_lib.o: ../include/openssl/evp.h ../include/openssl/idea.h
+t1_lib.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+t1_lib.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+t1_lib.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+t1_lib.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+t1_lib.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+t1_lib.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+t1_lib.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+t1_lib.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+t1_lib.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+t1_lib.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+t1_lib.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+t1_lib.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+t1_lib.o: ../include/openssl/x509_vfy.h ssl_locl.h
+t1_meth.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+t1_meth.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+t1_meth.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+t1_meth.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+t1_meth.o: ../include/openssl/des.h ../include/openssl/dh.h
+t1_meth.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
+t1_meth.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+t1_meth.o: ../include/openssl/evp.h ../include/openssl/idea.h
+t1_meth.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+t1_meth.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+t1_meth.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+t1_meth.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+t1_meth.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+t1_meth.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+t1_meth.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+t1_meth.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+t1_meth.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+t1_meth.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+t1_meth.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+t1_meth.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+t1_meth.o: ../include/openssl/x509_vfy.h ssl_locl.h
+t1_srvr.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+t1_srvr.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+t1_srvr.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+t1_srvr.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+t1_srvr.o: ../include/openssl/des.h ../include/openssl/dh.h
+t1_srvr.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
+t1_srvr.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+t1_srvr.o: ../include/openssl/evp.h ../include/openssl/idea.h
+t1_srvr.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+t1_srvr.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+t1_srvr.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+t1_srvr.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+t1_srvr.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+t1_srvr.o: ../include/openssl/rand.h ../include/openssl/rc2.h
+t1_srvr.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
+t1_srvr.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
+t1_srvr.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+t1_srvr.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+t1_srvr.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
+t1_srvr.o: ../include/openssl/stack.h ../include/openssl/tls1.h
+t1_srvr.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssl_locl.h
diff --git a/lib/libssl/src/ssl/bio_ssl.c b/lib/libssl/src/ssl/bio_ssl.c
index 58a6d69b9ba..f62cde4e5d5 100644
--- a/lib/libssl/src/ssl/bio_ssl.c
+++ b/lib/libssl/src/ssl/bio_ssl.c
@@ -60,27 +60,17 @@
#include <stdlib.h>
#include <string.h>
#include <errno.h>
-#include "crypto.h"
-#include "bio.h"
-#include "err.h"
-#include "ssl.h"
+#include <openssl/crypto.h>
+#include <openssl/bio.h>
+#include <openssl/err.h>
+#include <openssl/ssl.h>
-#ifndef NOPROTO
static int ssl_write(BIO *h,char *buf,int num);
static int ssl_read(BIO *h,char *buf,int size);
static int ssl_puts(BIO *h,char *str);
static long ssl_ctrl(BIO *h,int cmd,long arg1,char *arg2);
static int ssl_new(BIO *h);
static int ssl_free(BIO *data);
-#else
-static int ssl_write();
-static int ssl_read();
-static int ssl_puts();
-static long ssl_ctrl();
-static int ssl_new();
-static int ssl_free();
-#endif
-
typedef struct bio_ssl_st
{
SSL *ssl; /* The ssl handle :-) */
@@ -104,13 +94,12 @@ static BIO_METHOD methods_sslp=
ssl_free,
};
-BIO_METHOD *BIO_f_ssl()
+BIO_METHOD *BIO_f_ssl(void)
{
return(&methods_sslp);
}
-static int ssl_new(bi)
-BIO *bi;
+static int ssl_new(BIO *bi)
{
BIO_SSL *bs;
@@ -127,8 +116,7 @@ BIO *bi;
return(1);
}
-static int ssl_free(a)
-BIO *a;
+static int ssl_free(BIO *a)
{
BIO_SSL *bs;
@@ -147,10 +135,7 @@ BIO *a;
return(1);
}
-static int ssl_read(b,out,outl)
-BIO *b;
-char *out;
-int outl;
+static int ssl_read(BIO *b, char *out, int outl)
{
int ret=1;
BIO_SSL *sb;
@@ -234,10 +219,7 @@ int outl;
return(ret);
}
-static int ssl_write(b,out,outl)
-BIO *b;
-char *out;
-int outl;
+static int ssl_write(BIO *b, char *out, int outl)
{
int ret,r=0;
int retry_reason=0;
@@ -305,11 +287,7 @@ int outl;
return(ret);
}
-static long ssl_ctrl(b,cmd,num,ptr)
-BIO *b;
-int cmd;
-long num;
-char *ptr;
+static long ssl_ctrl(BIO *b, int cmd, long num, char *ptr)
{
SSL **sslp,*ssl;
BIO_SSL *bs;
@@ -483,9 +461,7 @@ char *ptr;
return(ret);
}
-static int ssl_puts(bp,str)
-BIO *bp;
-char *str;
+static int ssl_puts(BIO *bp, char *str)
{
int n,ret;
@@ -494,8 +470,7 @@ char *str;
return(ret);
}
-BIO *BIO_new_buffer_ssl_connect(ctx)
-SSL_CTX *ctx;
+BIO *BIO_new_buffer_ssl_connect(SSL_CTX *ctx)
{
BIO *ret=NULL,*buf=NULL,*ssl=NULL;
@@ -512,8 +487,7 @@ err:
return(NULL);
}
-BIO *BIO_new_ssl_connect(ctx)
-SSL_CTX *ctx;
+BIO *BIO_new_ssl_connect(SSL_CTX *ctx)
{
BIO *ret=NULL,*con=NULL,*ssl=NULL;
@@ -530,9 +504,7 @@ err:
return(NULL);
}
-BIO *BIO_new_ssl(ctx,client)
-SSL_CTX *ctx;
-int client;
+BIO *BIO_new_ssl(SSL_CTX *ctx, int client)
{
BIO *ret;
SSL *ssl;
@@ -553,8 +525,7 @@ int client;
return(ret);
}
-int BIO_ssl_copy_session_id(t,f)
-BIO *t,*f;
+int BIO_ssl_copy_session_id(BIO *t, BIO *f)
{
t=BIO_find_type(t,BIO_TYPE_SSL);
f=BIO_find_type(f,BIO_TYPE_SSL);
@@ -567,8 +538,7 @@ BIO *t,*f;
return(1);
}
-void BIO_ssl_shutdown(b)
-BIO *b;
+void BIO_ssl_shutdown(BIO *b)
{
SSL *s;
diff --git a/lib/libssl/src/ssl/install.com b/lib/libssl/src/ssl/install.com
new file mode 100644
index 00000000000..2b62f4e499d
--- /dev/null
+++ b/lib/libssl/src/ssl/install.com
@@ -0,0 +1,102 @@
+$! INSTALL.COM -- Installs the files in a given directory tree
+$!
+$! Author: Richard Levitte <richard@levitte.org>
+$! Time of creation: 22-MAY-1998 10:13
+$!
+$! P1 root of the directory tree
+$!
+$ IF P1 .EQS. ""
+$ THEN
+$ WRITE SYS$OUTPUT "First argument missing."
+$ WRITE SYS$OUTPUT "Should be the directory where you want things installed."
+$ EXIT
+$ ENDIF
+$
+$ ROOT = F$PARSE(P1,"[]A.;0",,,"SYNTAX_ONLY,NO_CONCEAL") - "A.;0"
+$ ROOT_DEV = F$PARSE(ROOT,,,"DEVICE","SYNTAX_ONLY")
+$ ROOT_DIR = F$PARSE(ROOT,,,"DIRECTORY","SYNTAX_ONLY") -
+ - "[000000." - "][" - "[" - "]"
+$ ROOT = ROOT_DEV + "[" + ROOT_DIR
+$
+$ DEFINE/NOLOG WRK_SSLROOT 'ROOT'.] /TRANS=CONC
+$ DEFINE/NOLOG WRK_SSLVLIB WRK_SSLROOT:[VAX_LIB]
+$ DEFINE/NOLOG WRK_SSLALIB WRK_SSLROOT:[ALPHA_LIB]
+$ DEFINE/NOLOG WRK_SSLINCLUDE WRK_SSLROOT:[INCLUDE]
+$ DEFINE/NOLOG WRK_SSLVEXE WRK_SSLROOT:[VAX_EXE]
+$ DEFINE/NOLOG WRK_SSLAEXE WRK_SSLROOT:[ALPHA_EXE]
+$
+$ IF F$PARSE("WRK_SSLROOT:[000000]") .EQS. "" THEN -
+ CREATE/DIR/LOG WRK_SSLROOT:[000000]
+$ IF F$PARSE("WRK_SSLVLIB:") .EQS. "" THEN -
+ CREATE/DIR/LOG WRK_SSLVLIB:
+$ IF F$PARSE("WRK_SSLALIB:") .EQS. "" THEN -
+ CREATE/DIR/LOG WRK_SSLALIB:
+$ IF F$PARSE("WRK_SSLINCLUDE:") .EQS. "" THEN -
+ CREATE/DIR/LOG WRK_SSLINCLUDE:
+$ IF F$PARSE("WRK_SSLVEXE:") .EQS. "" THEN -
+ CREATE/DIR/LOG WRK_SSLVEXE:
+$ IF F$PARSE("WRK_SSLAEXE:") .EQS. "" THEN -
+ CREATE/DIR/LOG WRK_SSLAEXE:
+$
+$ EXHEADER := ssl.h,ssl2.h,ssl3.h,ssl23.h,tls1.h
+$ E_EXE := ssl_task
+$ LIBS := LIBSSL
+$
+$ VEXE_DIR := [-.VAX.EXE.SSL]
+$ AEXE_DIR := [-.AXP.EXE.SSL]
+$
+$ COPY 'EXHEADER' WRK_SSLINCLUDE:/LOG
+$
+$ I = 0
+$ LOOP_EXE:
+$ E = F$EDIT(F$ELEMENT(I, ",", E_EXE),"TRIM")
+$ I = I + 1
+$ IF E .EQS. "," THEN GOTO LOOP_EXE_END
+$ SET NOON
+$ IF F$SEARCH(VEXE_DIR+E+".EXE") .NES. ""
+$ THEN
+$ COPY 'VEXE_DIR''E'.EXE WRK_SSLVEXE:'E'.EXE/log
+$ SET FILE/PROT=W:RE WRK_SSLVEXE:'E'.EXE
+$ ENDIF
+$ IF F$SEARCH(AEXE_DIR+E+".EXE") .NES. ""
+$ THEN
+$ COPY 'AEXE_DIR''E'.EXE WRK_SSLAEXE:'E'.EXE/log
+$ SET FILE/PROT=W:RE WRK_SSLAEXE:'E'.EXE
+$ ENDIF
+$ SET ON
+$ GOTO LOOP_EXE
+$ LOOP_EXE_END:
+$
+$ I = 0
+$ LOOP_LIB:
+$ E = F$EDIT(F$ELEMENT(I, ",", LIBS),"TRIM")
+$ I = I + 1
+$ IF E .EQS. "," THEN GOTO LOOP_LIB_END
+$ SET NOON
+$ IF F$SEARCH(VEXE_DIR+E+".OLB") .NES. ""
+$ THEN
+$ COPY 'VEXE_DIR''E'.OLB WRK_SSLVLIB:'E'.OLB/log
+$ SET FILE/PROT=W:RE WRK_SSLVLIB:'E'.OLB
+$ ENDIF
+$ ! Preparing for the time when we have shareable images
+$ IF F$SEARCH(VEXE_DIR+E+".EXE") .NES. ""
+$ THEN
+$ COPY 'VEXE_DIR''E'.EXE WRK_SSLVLIB:'E'.EXE/log
+$ SET FILE/PROT=W:RE WRK_SSLVLIB:'E'.EXE
+$ ENDIF
+$ IF F$SEARCH(AEXE_DIR+E+".OLB") .NES. ""
+$ THEN
+$ COPY 'AEXE_DIR''E'.OLB WRK_SSLALIB:'E'.OLB/log
+$ SET FILE/PROT=W:RE WRK_SSLALIB:'E'.OLB
+$ ENDIF
+$ ! Preparing for the time when we have shareable images
+$ IF F$SEARCH(AEXE_DIR+E+".EXE") .NES. ""
+$ THEN
+$ COPY 'AEXE_DIR''E'.EXE WRK_SSLALIB:'E'.EXE/log
+$ SET FILE/PROT=W:RE WRK_SSLALIB:'E'.EXE
+$ ENDIF
+$ SET ON
+$ GOTO LOOP_LIB
+$ LOOP_LIB_END:
+$
+$ EXIT
diff --git a/lib/libssl/src/ssl/readme b/lib/libssl/src/ssl/readme
deleted file mode 100644
index ca174848a1f..00000000000
--- a/lib/libssl/src/ssl/readme
+++ /dev/null
@@ -1,277 +0,0 @@
-22 Jun 1996
-This file belongs in ../apps, but I'll leave it here because it deals
-with SSL :-) It is rather dated but it gives you an idea of how
-things work.
-===
-
-17 Jul 1995
-I have been changing things quite a bit and have not fully updated
-this file, so take what you read with a grain of salt
-eric
-===
-The s_client and s_server programs can be used to test SSL capable
-IP/port addresses and the verification of the X509 certificates in use
-by these services. I strongly advise having a look at the code to get
-an idea of how to use the authentication under SSLeay. Any feedback
-on changes and improvements would be greatly accepted.
-
-This file will probably be gibberish unless you have read
-rfc1421, rfc1422, rfc1423 and rfc1424 which describe PEM
-authentication.
-
-A Brief outline (and examples) how to use them to do so.
-
-NOTE:
-The environment variable SSL_CIPER is used to specify the prefered
-cipher to use, play around with setting it's value to combinations of
-RC4-MD5, EXP-RC4-MD5, CBC-DES-MD5, CBC3-DES-MD5, CFB-DES-NULL
-in a : separated list.
-
-This directory contains 3 X509 certificates which can be used by these programs.
-client.pem: a file containing a certificate and private key to be used
- by s_client.
-server.pem :a file containing a certificate and private key to be used
- by s_server.
-eay1024.pem:the certificate used to sign client.pem and server.pem.
- This would be your CA's certificate. There is also a link
- from the file a8556381.0 to eay1024.PEM. The value a8556381
- is returned by 'x509 -hash -noout <eay1024.pem' and is the
- value used by X509 verification routines to 'find' this
- certificte when search a directory for it.
- [the above is not true any more, the CA cert is
- ../certs/testca.pem which is signed by ../certs/mincomca.pem]
-
-When testing the s_server, you may get
-bind: Address already in use
-errors. These indicate the port is still being held by the unix
-kernel and you are going to have to wait for it to let go of it. If
-this is the case, remember to use the port commands on the s_server and
-s_client to talk on an alternative port.
-
-=====
-s_client.
-This program can be used to connect to any IP/hostname:port that is
-talking SSL. Once connected, it will attempt to authenticate the
-certificate it was passed and if everything works as expected, a 2
-directional channel will be open. Any text typed will be sent to the
-other end. type Q<cr> to exit. Flags are as follows.
--host arg : Arg is the host or IP address to connect to.
--port arg : Arg is the port to connect to (https is 443).
--verify arg : Turn on authentication of the server certificate.
- : Arg specifies the 'depth', this will covered below.
--cert arg : The optional certificate to use. This certificate
- : will be returned to the server if the server
- : requests it for client authentication.
--key arg : The private key that matches the certificate
- : specified by the -cert option. If this is not
- : specified (but -cert is), the -cert file will be
- : searched for the Private key. Both files are
- : assumed to be in PEM format.
--CApath arg : When to look for certificates when 'verifying' the
- : certificate from the server.
--CAfile arg : A file containing certificates to be used for
- : 'verifying' the server certificate.
--reconnect : Once a connection has been made, drop it and
- : reconnect with same session-id. This is for testing :-).
-
-The '-verify n' parameter specifies not only to verify the servers
-certificate but to also only take notice of 'n' levels. The best way
-to explain is to show via examples.
-Given
-s_server -cert server.PEM is running.
-
-s_client
- CONNECTED
- depth=0 /C=AU/SOP=QLD/O=Mincom Pty. Ltd./OU=CS/CN=SSLeay demo server
- issuer= /C=AU/SOP=QLD/O=Mincom Pty. Ltd./OU=CS/CN=CA
- verify error:num=1:unable to get issuer certificate
- verify return:1
- CIPHER is CBC-DES-MD5
-What has happened is that the 'SSLeay demo server' certificate's
-issuer ('CA') could not be found but because verify is not on, we
-don't care and the connection has been made anyway. It is now 'up'
-using CBC-DES-MD5 mode. This is an unauthenticate secure channel.
-You may not be talking to the right person but the data going to them
-is encrypted.
-
-s_client -verify 0
- CONNECTED
- depth=0 /C=AU/SOP=QLD/O=Mincom Pty. Ltd./OU=CS/CN=SSLeay demo server
- issuer= /C=AU/SOP=QLD/O=Mincom Pty. Ltd./OU=CS/CN=CA
- verify error:num=1:unable to get issuer certificate
- verify return:1
- CIPHER is CBC-DES-MD5
-We are 'verifying' but only to depth 0, so since the 'SSLeay demo server'
-certificate passed the date and checksum, we are happy to proceed.
-
-s_client -verify 1
- CONNECTED
- depth=0 /C=AU/SOP=QLD/O=Mincom Pty. Ltd./OU=CS/CN=SSLeay demo server
- issuer= /C=AU/SOP=QLD/O=Mincom Pty. Ltd./OU=CS/CN=CA
- verify error:num=1:unable to get issuer certificate
- verify return:0
- ERROR
- verify error:unable to get issuer certificate
-In this case we failed to make the connection because we could not
-authenticate the certificate because we could not find the
-'CA' certificate.
-
-s_client -verify 1 -CAfile eay1024.PEM
- CONNECTED
- depth=0 /C=AU/SOP=QLD/O=Mincom Pty. Ltd./OU=CS/CN=SSLeay demo server
- verify return:1
- depth=1 /C=AU/SOP=QLD/O=Mincom Pty. Ltd./OU=CS/CN=CA
- verify return:1
- CIPHER is CBC-DES-MD5
-We loaded the certificates from the file eay1024.PEM. Everything
-checked out and so we made the connection.
-
-s_client -verify 1 -CApath .
- CONNECTED
- depth=0 /C=AU/SOP=QLD/O=Mincom Pty. Ltd./OU=CS/CN=SSLeay demo server
- verify return:1
- depth=1 /C=AU/SOP=QLD/O=Mincom Pty. Ltd./OU=CS/CN=CA
- verify return:1
- CIPHER is CBC-DES-MD5
-We looked in out local directory for issuer certificates and 'found'
-a8556381.0 and so everything is ok.
-
-It is worth noting that 'CA' is a self certified certificate. If you
-are passed one of these, it will fail to 'verify' at depth 0 because
-we need to lookup the certifier of a certificate from some information
-that we trust and keep locally.
-
-SSL_CIPHER=CBC3-DES-MD5:RC4-MD5
-export SSL_CIPHER
-s_client -verify 10 -CApath . -reconnect
- CONNECTED
- depth=0 /C=AU/SOP=QLD/O=Mincom Pty. Ltd./OU=CS/CN=SSLeay demo server
- verify return:1
- depth=1 /C=AU/SOP=QLD/O=Mincom Pty. Ltd./OU=CS/CN=CA
- verify return:1
- drop the connection and reconnect with the same session id
- CIPHER is CBC3-DES-MD5
-This has done a full connection and then re-estabished it with the
-same session id but a new socket. No RSA stuff occures on the second
-connection. Note that we said we would prefer to use CBC3-DES-MD5
-encryption and so, since the server supports it, we are.
-
-=====
-s_server
-This program accepts SSL connections on a specified port
-Once connected, it will estabish an SSL connection and optionaly
-attempt to authenticate the client. A 2 directional channel will be
-open. Any text typed will be sent to the other end. Type Q<cr> to exit.
-Flags are as follows.
--port arg : Arg is the port to listen on.
--verify arg : Turn on authentication of the client if they have a
- : certificate. Arg specifies the 'depth'.
--Verify arg : Turn on authentication of the client. If they don't
- : have a valid certificate, drop the connection.
--cert arg : The certificate to use. This certificate
- : will be passed to the client. If it is not
- : specified, it will default to server.PEM
--key arg : The private key that matches the certificate
- : specified by the -cert option. If this is not
- : specified (but -cert is), the -cert file will be
- : searched for the Private key. Both files are
- : assumed to be in PEM format. Default is server.PEM
--CApath arg : When to look for certificates when 'verifying' the
- : certificate from the client.
--CAfile arg : A file containing certificates to be used for
- : 'verifying' the client certificate.
-
-For the following 'demo' I will specify the s_server command and
-the s_client command and then list the output from the s_server.
-s_server
-s_client
- CONNECTED
- CIPHER is CBC-DES-MD5
-Everything up and running
-
-s_server -verify 0
-s_client
- CONNECTED
- CIPHER is CBC-DES-MD5
-Ok since no certificate was returned and we don't care.
-
-s_server -verify 0
-./s_client -cert client.PEM
- CONNECTED
- depth=0 /C=AU/SOP=QLD/O=Mincom Pty. Ltd./OU=CS/CN=SSLeay demo client
- issuer= /C=AU/SOP=QLD/O=Mincom Pty. Ltd./OU=CS/CN=CA
- verify error:num=1:unable to get issuer certificate
- verify return:1
- CIPHER is CBC-DES-MD5
-Ok since we were only verifying to level 0
-
-s_server -verify 4
-s_client -cert client.PEM
- CONNECTED
- depth=0 /C=AU/SOP=QLD/O=Mincom Pty. Ltd./OU=CS/CN=SSLeay demo client
- issuer= /C=AU/SOP=QLD/O=Mincom Pty. Ltd./OU=CS/CN=CA
- verify error:num=1:unable to get issuer certificate
- verify return:0
- ERROR
- verify error:unable to get issuer certificate
-Bad because we could not authenticate the returned certificate.
-
-s_server -verify 4 -CApath .
-s_client -cert client.PEM
- CONNECTED
- depth=0 /C=AU/SOP=QLD/O=Mincom Pty. Ltd./OU=CS/CN=SSLeay demo client
- verify return:1
- depth=1 /C=AU/SOP=QLD/O=Mincom Pty. Ltd./OU=CS/CN=CA
- verify return:1
- CIPHER is CBC-DES-MD5
-Ok because we could authenticate the returned certificate :-).
-
-s_server -Verify 0 -CApath .
-s_client
- CONNECTED
- ERROR
- SSL error:function is:REQUEST_CERTIFICATE
- :error is :client end did not return a certificate
-Error because no certificate returned.
-
-s_server -Verify 4 -CApath .
-s_client -cert client.PEM
- CONNECTED
- depth=0 /C=AU/SOP=QLD/O=Mincom Pty. Ltd./OU=CS/CN=SSLeay demo client
- verify return:1
- depth=1 /C=AU/SOP=QLD/O=Mincom Pty. Ltd./OU=CS/CN=CA
- verify return:1
- CIPHER is CBC-DES-MD5
-Full authentication of the client.
-
-So in summary to do full authentication of both ends
-s_server -Verify 9 -CApath .
-s_client -cert client.PEM -CApath . -verify 9
-From the server side
- CONNECTED
- depth=0 /C=AU/SOP=QLD/O=Mincom Pty. Ltd./OU=CS/CN=SSLeay demo client
- verify return:1
- depth=1 /C=AU/SOP=QLD/O=Mincom Pty. Ltd./OU=CS/CN=CA
- verify return:1
- CIPHER is CBC-DES-MD5
-From the client side
- CONNECTED
- depth=0 /C=AU/SOP=QLD/O=Mincom Pty. Ltd./OU=CS/CN=SSLeay demo server
- verify return:1
- depth=1 /C=AU/SOP=QLD/O=Mincom Pty. Ltd./OU=CS/CN=CA
- verify return:1
- CIPHER is CBC-DES-MD5
-
-For general probing of the 'internet https' servers for the
-distribution area, run
-s_client -host www.netscape.com -port 443 -verify 4 -CApath ../rsa/hash
-Then enter
-GET /
-and you should be talking to the https server on that host.
-
-www.rsa.com was refusing to respond to connections on 443 when I was
-testing.
-
-have fun :-).
-
-eric
diff --git a/lib/libssl/src/ssl/s23_clnt.c b/lib/libssl/src/ssl/s23_clnt.c
index a4661ebb687..299d2ae5d28 100644
--- a/lib/libssl/src/ssl/s23_clnt.c
+++ b/lib/libssl/src/ssl/s23_clnt.c
@@ -57,28 +57,20 @@
*/
#include <stdio.h>
-#include "buffer.h"
-#include "rand.h"
-#include "objects.h"
-#include "evp.h"
+#include <openssl/buffer.h>
+#include <openssl/rand.h>
+#include <openssl/objects.h>
+#include <openssl/evp.h>
#include "ssl_locl.h"
-#define BREAK break
-
-#ifndef NOPROTO
+static SSL_METHOD *ssl23_get_client_method(int ver);
static int ssl23_client_hello(SSL *s);
static int ssl23_get_server_hello(SSL *s);
-#else
-static int ssl23_client_hello();
-static int ssl23_get_server_hello();
-#endif
-
-static SSL_METHOD *ssl23_get_client_method(ver)
-int ver;
+static SSL_METHOD *ssl23_get_client_method(int ver)
{
if (ver == SSL2_VERSION)
return(SSLv2_client_method());
- else if (ver == SSL3_VERSION)
+ if (ver == SSL3_VERSION)
return(SSLv3_client_method());
else if (ver == TLS1_VERSION)
return(TLSv1_client_method());
@@ -86,24 +78,23 @@ int ver;
return(NULL);
}
-SSL_METHOD *SSLv23_client_method()
+SSL_METHOD *SSLv23_client_method(void)
{
static int init=1;
static SSL_METHOD SSLv23_client_data;
if (init)
{
- init=0;
memcpy((char *)&SSLv23_client_data,
(char *)sslv23_base_method(),sizeof(SSL_METHOD));
SSLv23_client_data.ssl_connect=ssl23_connect;
SSLv23_client_data.get_ssl_method=ssl23_get_client_method;
+ init=0;
}
return(&SSLv23_client_data);
}
-int ssl23_connect(s)
-SSL *s;
+int ssl23_connect(SSL *s)
{
BUF_MEM *buf;
unsigned long Time=time(NULL);
@@ -111,7 +102,7 @@ SSL *s;
int ret= -1;
int new_state,state;
- RAND_seed((unsigned char *)&Time,sizeof(Time));
+ RAND_seed(&Time,sizeof(Time));
ERR_clear_error();
clear_sys_error();
@@ -134,6 +125,13 @@ SSL *s;
case SSL_ST_BEFORE|SSL_ST_CONNECT:
case SSL_ST_OK|SSL_ST_CONNECT:
+ if (s->session != NULL)
+ {
+ SSLerr(SSL_F_SSL23_CONNECT,SSL_R_SSL23_DOING_SESSION_ID_REUSE);
+ ret= -1;
+ goto end;
+ }
+ s->server=0;
if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1);
/* s->version=TLS1_VERSION; */
@@ -159,7 +157,7 @@ SSL *s;
ssl3_init_finished_mac(s);
s->state=SSL23_ST_CW_CLNT_HELLO_A;
- s->ctx->sess_connect++;
+ s->ctx->stats.sess_connect++;
s->init_num=0;
break;
@@ -179,7 +177,7 @@ SSL *s;
ret=ssl23_get_server_hello(s);
if (ret >= 0) cb=NULL;
goto end;
- break;
+ /* break; */
default:
SSLerr(SSL_F_SSL23_CONNECT,SSL_R_UNKNOWN_STATE);
@@ -188,7 +186,7 @@ SSL *s;
/* break; */
}
- if (s->debug) BIO_flush(s->wbio);
+ if (s->debug) { (void)BIO_flush(s->wbio); }
if ((cb != NULL) && (s->state != state))
{
@@ -206,8 +204,7 @@ end:
}
-static int ssl23_client_hello(s)
-SSL *s;
+static int ssl23_client_hello(SSL *s)
{
unsigned char *buf;
unsigned char *p,*d;
@@ -236,16 +233,19 @@ SSL *s;
{
*(d++)=TLS1_VERSION_MAJOR;
*(d++)=TLS1_VERSION_MINOR;
+ s->client_version=TLS1_VERSION;
}
else if (!(s->options & SSL_OP_NO_SSLv3))
{
*(d++)=SSL3_VERSION_MAJOR;
*(d++)=SSL3_VERSION_MINOR;
+ s->client_version=SSL3_VERSION;
}
else if (!(s->options & SSL_OP_NO_SSLv2))
{
*(d++)=SSL2_VERSION_MAJOR;
*(d++)=SSL2_VERSION_MINOR;
+ s->client_version=SSL2_VERSION;
}
else
{
@@ -303,8 +303,7 @@ SSL *s;
return(ssl23_write_bytes(s));
}
-static int ssl23_get_server_hello(s)
-SSL *s;
+static int ssl23_get_server_hello(SSL *s)
{
char buf[8];
unsigned char *p;
@@ -443,7 +442,7 @@ SSL *s;
}
s->rwstate=SSL_NOTHING;
- SSLerr(SSL_F_SSL23_GET_SERVER_HELLO,1000+p[6]);
+ SSLerr(SSL_F_SSL23_GET_SERVER_HELLO,SSL_AD_REASON_OFFSET+p[6]);
goto err;
}
else
diff --git a/lib/libssl/src/ssl/s23_lib.c b/lib/libssl/src/ssl/s23_lib.c
index e16f641101a..822a3958372 100644
--- a/lib/libssl/src/ssl/s23_lib.c
+++ b/lib/libssl/src/ssl/s23_lib.c
@@ -57,28 +57,17 @@
*/
#include <stdio.h>
-#include "objects.h"
+#include <openssl/objects.h>
#include "ssl_locl.h"
-#ifndef NOPROTO
static int ssl23_num_ciphers(void );
static SSL_CIPHER *ssl23_get_cipher(unsigned int u);
-static int ssl23_read(SSL *s, char *buf, int len);
-static int ssl23_write(SSL *s, char *buf, int len);
+static int ssl23_read(SSL *s, void *buf, int len);
+static int ssl23_write(SSL *s, const void *buf, int len);
static long ssl23_default_timeout(void );
-static int ssl23_put_cipher_by_char(SSL_CIPHER *c, unsigned char *p);
-static SSL_CIPHER *ssl23_get_cipher_by_char(unsigned char *p);
-#else
-static int ssl23_num_ciphers();
-static SSL_CIPHER *ssl23_get_cipher();
-static int ssl23_read();
-static int ssl23_write();
-static long ssl23_default_timeout();
-static int ssl23_put_cipher_by_char();
-static SSL_CIPHER *ssl23_get_cipher_by_char();
-#endif
-
-char *SSL23_version_str="SSLv2/3 compatablity part of SSLeay 0.7.0 30-Jan-1997";
+static int ssl23_put_cipher_by_char(const SSL_CIPHER *c, unsigned char *p);
+static SSL_CIPHER *ssl23_get_cipher_by_char(const unsigned char *p);
+char *SSL23_version_str="SSLv2/3 compatibility" OPENSSL_VERSION_PTEXT;
static SSL_METHOD SSLv23_data= {
TLS1_VERSION,
@@ -88,10 +77,11 @@ static SSL_METHOD SSLv23_data= {
ssl_undefined_function,
ssl_undefined_function,
ssl23_read,
- ssl_undefined_function,
+ (int (*)(struct ssl_st *, char *, int))ssl_undefined_function,
ssl23_write,
ssl_undefined_function,
ssl_undefined_function,
+ ssl_ok,
ssl3_ctrl,
ssl3_ctx_ctrl,
ssl23_get_cipher_by_char,
@@ -104,23 +94,22 @@ static SSL_METHOD SSLv23_data= {
&ssl3_undef_enc_method,
};
-static long ssl23_default_timeout()
+static long ssl23_default_timeout(void)
{
return(300);
}
-SSL_METHOD *sslv23_base_method()
+SSL_METHOD *sslv23_base_method(void)
{
return(&SSLv23_data);
}
-static int ssl23_num_ciphers()
+static int ssl23_num_ciphers(void)
{
return(ssl3_num_ciphers()+ssl2_num_ciphers());
}
-static SSL_CIPHER *ssl23_get_cipher(u)
-unsigned int u;
+static SSL_CIPHER *ssl23_get_cipher(unsigned int u)
{
unsigned int uu=ssl3_num_ciphers();
@@ -132,8 +121,7 @@ unsigned int u;
/* This function needs to check if the ciphers required are actually
* available */
-static SSL_CIPHER *ssl23_get_cipher_by_char(p)
-unsigned char *p;
+static SSL_CIPHER *ssl23_get_cipher_by_char(const unsigned char *p)
{
SSL_CIPHER c,*cp;
unsigned long id;
@@ -149,9 +137,7 @@ unsigned char *p;
return(cp);
}
-static int ssl23_put_cipher_by_char(c,p)
-SSL_CIPHER *c;
-unsigned char *p;
+static int ssl23_put_cipher_by_char(const SSL_CIPHER *c, unsigned char *p)
{
long l;
@@ -166,10 +152,7 @@ unsigned char *p;
return(3);
}
-static int ssl23_read(s,buf,len)
-SSL *s;
-char *buf;
-int len;
+static int ssl23_read(SSL *s, void *buf, int len)
{
int n;
@@ -199,10 +182,7 @@ int len;
}
}
-static int ssl23_write(s,buf,len)
-SSL *s;
-char *buf;
-int len;
+static int ssl23_write(SSL *s, const void *buf, int len)
{
int n;
diff --git a/lib/libssl/src/ssl/s23_meth.c b/lib/libssl/src/ssl/s23_meth.c
index 1eed7a54bcf..b52ca1d58b3 100644
--- a/lib/libssl/src/ssl/s23_meth.c
+++ b/lib/libssl/src/ssl/s23_meth.c
@@ -57,11 +57,11 @@
*/
#include <stdio.h>
-#include "objects.h"
+#include <openssl/objects.h>
#include "ssl_locl.h"
-static SSL_METHOD *ssl23_get_method(ver)
-int ver;
+static SSL_METHOD *ssl23_get_method(int ver);
+static SSL_METHOD *ssl23_get_method(int ver)
{
if (ver == SSL2_VERSION)
return(SSLv23_method());
@@ -73,19 +73,19 @@ int ver;
return(NULL);
}
-SSL_METHOD *SSLv23_method()
+SSL_METHOD *SSLv23_method(void)
{
static int init=1;
static SSL_METHOD SSLv23_data;
if (init)
{
- init=0;
memcpy((char *)&SSLv23_data,(char *)sslv23_base_method(),
sizeof(SSL_METHOD));
SSLv23_data.ssl_connect=ssl23_connect;
SSLv23_data.ssl_accept=ssl23_accept;
SSLv23_data.get_ssl_method=ssl23_get_method;
+ init=0;
}
return(&SSLv23_data);
}
diff --git a/lib/libssl/src/ssl/s23_pkt.c b/lib/libssl/src/ssl/s23_pkt.c
index c25c3127725..8370ea508c7 100644
--- a/lib/libssl/src/ssl/s23_pkt.c
+++ b/lib/libssl/src/ssl/s23_pkt.c
@@ -59,12 +59,11 @@
#include <stdio.h>
#include <errno.h>
#define USE_SOCKETS
-#include "evp.h"
-#include "buffer.h"
+#include <openssl/evp.h>
+#include <openssl/buffer.h>
#include "ssl_locl.h"
-int ssl23_write_bytes(s)
-SSL *s;
+int ssl23_write_bytes(SSL *s)
{
int i,num,tot;
char *buf;
@@ -76,7 +75,7 @@ SSL *s;
{
s->rwstate=SSL_WRITING;
i=BIO_write(s->wbio,&(buf[tot]),num);
- if (i < 0)
+ if (i <= 0)
{
s->init_off=tot;
s->init_num=num;
@@ -91,9 +90,7 @@ SSL *s;
}
/* only return when we have read 'n' bytes */
-int ssl23_read_bytes(s,n)
-SSL *s;
-int n;
+int ssl23_read_bytes(SSL *s, int n)
{
unsigned char *p;
int j;
diff --git a/lib/libssl/src/ssl/s23_srvr.c b/lib/libssl/src/ssl/s23_srvr.c
index c7b9ecbcf28..e4122f2d78d 100644
--- a/lib/libssl/src/ssl/s23_srvr.c
+++ b/lib/libssl/src/ssl/s23_srvr.c
@@ -57,26 +57,19 @@
*/
#include <stdio.h>
-#include "buffer.h"
-#include "rand.h"
-#include "objects.h"
-#include "evp.h"
+#include <openssl/buffer.h>
+#include <openssl/rand.h>
+#include <openssl/objects.h>
+#include <openssl/evp.h>
#include "ssl_locl.h"
-#define BREAK break
-
-#ifndef NOPROTO
+static SSL_METHOD *ssl23_get_server_method(int ver);
int ssl23_get_client_hello(SSL *s);
-#else
-int ssl23_get_client_hello();
-#endif
-
-static SSL_METHOD *ssl23_get_server_method(ver)
-int ver;
+static SSL_METHOD *ssl23_get_server_method(int ver)
{
if (ver == SSL2_VERSION)
return(SSLv2_server_method());
- else if (ver == SSL3_VERSION)
+ if (ver == SSL3_VERSION)
return(SSLv3_server_method());
else if (ver == TLS1_VERSION)
return(TLSv1_server_method());
@@ -84,24 +77,23 @@ int ver;
return(NULL);
}
-SSL_METHOD *SSLv23_server_method()
+SSL_METHOD *SSLv23_server_method(void)
{
static int init=1;
static SSL_METHOD SSLv23_server_data;
if (init)
{
- init=0;
memcpy((char *)&SSLv23_server_data,
(char *)sslv23_base_method(),sizeof(SSL_METHOD));
SSLv23_server_data.ssl_accept=ssl23_accept;
SSLv23_server_data.get_ssl_method=ssl23_get_server_method;
+ init=0;
}
return(&SSLv23_server_data);
}
-int ssl23_accept(s)
-SSL *s;
+int ssl23_accept(SSL *s)
{
BUF_MEM *buf;
unsigned long Time=time(NULL);
@@ -109,7 +101,7 @@ SSL *s;
int ret= -1;
int new_state,state;
- RAND_seed((unsigned char *)&Time,sizeof(Time));
+ RAND_seed(&Time,sizeof(Time));
ERR_clear_error();
clear_sys_error();
@@ -132,6 +124,7 @@ SSL *s;
case SSL_ST_BEFORE|SSL_ST_ACCEPT:
case SSL_ST_OK|SSL_ST_ACCEPT:
+ s->server=1;
if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1);
/* s->version=SSL3_VERSION; */
@@ -155,7 +148,7 @@ SSL *s;
ssl3_init_finished_mac(s);
s->state=SSL23_ST_SR_CLNT_HELLO_A;
- s->ctx->sess_accept++;
+ s->ctx->stats.sess_accept++;
s->init_num=0;
break;
@@ -166,7 +159,7 @@ SSL *s;
ret=ssl23_get_client_hello(s);
if (ret >= 0) cb=NULL;
goto end;
- break;
+ /* break; */
default:
SSLerr(SSL_F_SSL23_ACCEPT,SSL_R_UNKNOWN_STATE);
@@ -191,8 +184,7 @@ end:
}
-int ssl23_get_client_hello(s)
-SSL *s;
+int ssl23_get_client_hello(SSL *s)
{
char buf_space[8];
char *buf= &(buf_space[0]);
@@ -201,14 +193,16 @@ SSL *s;
unsigned int csl,sil,cl;
int n=0,j,tls1=0;
int type=0,use_sslv2_strong=0;
+ int v[2];
/* read the initial header */
+ v[0]=v[1]=0;
if (s->state == SSL23_ST_SR_CLNT_HELLO_A)
{
if (!ssl3_setup_buffers(s)) goto err;
n=ssl23_read_bytes(s,7);
- if (n != 7) return(n);
+ if (n != 7) return(n); /* n == -1 || n == 0 */
p=s->packet;
@@ -219,12 +213,14 @@ SSL *s;
/* SSLv2 header */
if ((p[3] == 0x00) && (p[4] == 0x02))
{
+ v[0]=p[3]; v[1]=p[4];
/* SSLv2 */
if (!(s->options & SSL_OP_NO_SSLv2))
type=1;
}
else if (p[3] == SSL3_VERSION_MAJOR)
{
+ v[0]=p[3]; v[1]=p[4];
/* SSLv3/TLSv1 */
if (p[4] >= TLS1_VERSION_MINOR)
{
@@ -237,13 +233,19 @@ SSL *s;
{
s->state=SSL23_ST_SR_CLNT_HELLO_B;
}
+ else if (!(s->options & SSL_OP_NO_SSLv2))
+ {
+ type=1;
+ }
}
else if (!(s->options & SSL_OP_NO_SSLv3))
s->state=SSL23_ST_SR_CLNT_HELLO_B;
+ else if (!(s->options & SSL_OP_NO_SSLv2))
+ type=1;
if (s->options & SSL_OP_NON_EXPORT_FIRST)
{
- STACK *sk;
+ STACK_OF(SSL_CIPHER) *sk;
SSL_CIPHER *c;
int ne2,ne3;
@@ -274,10 +276,10 @@ SSL *s;
if (sk != NULL)
{
ne2=ne3=0;
- for (j=0; j<sk_num(sk); j++)
+ for (j=0; j<sk_SSL_CIPHER_num(sk); j++)
{
- c=(SSL_CIPHER *)sk_value(sk,j);
- if (!(c->algorithms & SSL_EXP))
+ c=sk_SSL_CIPHER_value(sk,j);
+ if (!SSL_C_IS_EXPORT(c))
{
if ((c->id>>24L) == 2L)
ne2=1;
@@ -299,6 +301,7 @@ SSL *s;
(p[1] == SSL3_VERSION_MAJOR) &&
(p[5] == SSL3_MT_CLIENT_HELLO))
{
+ v[0]=p[1]; v[1]=p[2];
/* true SSLv3 or tls1 */
if (p[2] >= TLS1_VERSION_MINOR)
{
@@ -313,15 +316,15 @@ SSL *s;
else if (!(s->options & SSL_OP_NO_SSLv3))
type=3;
}
- else if ((strncmp("GET ", p,4) == 0) ||
- (strncmp("POST ",p,5) == 0) ||
- (strncmp("HEAD ",p,5) == 0) ||
- (strncmp("PUT ", p,4) == 0))
+ else if ((strncmp("GET ", (char *)p,4) == 0) ||
+ (strncmp("POST ",(char *)p,5) == 0) ||
+ (strncmp("HEAD ",(char *)p,5) == 0) ||
+ (strncmp("PUT ", (char *)p,4) == 0))
{
SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_HTTP_REQUEST);
goto err;
}
- else if (strncmp("CONNECT",p,7) == 0)
+ else if (strncmp("CONNECT",(char *)p,7) == 0)
{
SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_HTTPS_PROXY_REQUEST);
goto err;
@@ -387,7 +390,7 @@ next_bit:
}
s2n(j,dd);
- /* compression */
+ /* COMPRESSION */
*(d++)=1;
*(d++)=0;
@@ -478,6 +481,7 @@ next_bit:
s->version=SSL3_VERSION;
s->method=SSLv3_server_method();
}
+ s->client_version=(v[0]<<8)|v[1];
s->handshake_func=s->method->ssl_accept;
}
diff --git a/lib/libssl/src/ssl/s2_clnt.c b/lib/libssl/src/ssl/s2_clnt.c
index 16df9ec5655..1fe8bd627db 100644
--- a/lib/libssl/src/ssl/s2_clnt.c
+++ b/lib/libssl/src/ssl/s2_clnt.c
@@ -56,14 +56,15 @@
* [including the GNU Public Licence.]
*/
+#ifndef NO_RSA
#include <stdio.h>
-#include "rand.h"
-#include "buffer.h"
-#include "objects.h"
+#include <openssl/rand.h>
+#include <openssl/buffer.h>
+#include <openssl/objects.h>
#include "ssl_locl.h"
-#include "evp.h"
+#include <openssl/evp.h>
-#ifndef NOPROTO
+static SSL_METHOD *ssl2_get_client_method(int ver);
static int get_server_finished(SSL *s);
static int get_server_verify(SSL *s);
static int get_server_hello(SSL *s);
@@ -71,23 +72,11 @@ static int client_hello(SSL *s);
static int client_master_key(SSL *s);
static int client_finished(SSL *s);
static int client_certificate(SSL *s);
-static int ssl_rsa_public_encrypt(CERT *c, int len, unsigned char *from,
+static int ssl_rsa_public_encrypt(SESS_CERT *sc, int len, unsigned char *from,
unsigned char *to,int padding);
-#else
-static int get_server_finished();
-static int get_server_verify();
-static int get_server_hello();
-static int client_hello();
-static int client_master_key();
-static int client_finished();
-static int client_certificate();
-static int ssl_rsa_public_encrypt();
-#endif
-
#define BREAK break
-static SSL_METHOD *ssl2_get_client_method(ver)
-int ver;
+static SSL_METHOD *ssl2_get_client_method(int ver)
{
if (ver == SSL2_VERSION)
return(SSLv2_client_method());
@@ -95,24 +84,23 @@ int ver;
return(NULL);
}
-SSL_METHOD *SSLv2_client_method()
+SSL_METHOD *SSLv2_client_method(void)
{
static int init=1;
static SSL_METHOD SSLv2_client_data;
if (init)
{
- init=0;
memcpy((char *)&SSLv2_client_data,(char *)sslv2_base_method(),
sizeof(SSL_METHOD));
SSLv2_client_data.ssl_connect=ssl2_connect;
SSLv2_client_data.get_ssl_method=ssl2_get_client_method;
+ init=0;
}
return(&SSLv2_client_data);
}
-int ssl2_connect(s)
-SSL *s;
+int ssl2_connect(SSL *s)
{
unsigned long l=time(NULL);
BUF_MEM *buf=NULL;
@@ -120,7 +108,7 @@ SSL *s;
void (*cb)()=NULL;
int new_state,state;
- RAND_seed((unsigned char *)&l,sizeof(l));
+ RAND_seed(&l,sizeof(l));
ERR_clear_error();
clear_sys_error();
@@ -144,6 +132,7 @@ SSL *s;
case SSL_ST_BEFORE|SSL_ST_CONNECT:
case SSL_ST_OK|SSL_ST_CONNECT:
+ s->server=0;
if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1);
s->version=SSL2_VERSION;
@@ -164,7 +153,7 @@ SSL *s;
s->init_buf=buf;
s->init_num=0;
s->state=SSL2_ST_SEND_CLIENT_HELLO_A;
- s->ctx->sess_connect++;
+ s->ctx->stats.sess_connect++;
s->handshake_func=ssl2_connect;
BREAK;
@@ -247,8 +236,11 @@ SSL *s;
break;
case SSL_ST_OK:
- BUF_MEM_free(s->init_buf);
- s->init_buf=NULL;
+ if (s->init_buf != NULL)
+ {
+ BUF_MEM_free(s->init_buf);
+ s->init_buf=NULL;
+ }
s->init_num=0;
/* ERR_clear_error();*/
@@ -259,16 +251,16 @@ SSL *s;
*/
ssl_update_cache(s,SSL_SESS_CACHE_CLIENT);
- if (s->hit) s->ctx->sess_hit++;
+ if (s->hit) s->ctx->stats.sess_hit++;
ret=1;
/* s->server=0; */
- s->ctx->sess_connect_good++;
+ s->ctx->stats.sess_connect_good++;
if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_DONE,1);
goto end;
- break;
+ /* break; */
default:
SSLerr(SSL_F_SSL2_CONNECT,SSL_R_UNKNOWN_STATE);
return(-1);
@@ -290,13 +282,12 @@ end:
return(ret);
}
-static int get_server_hello(s)
-SSL *s;
+static int get_server_hello(SSL *s)
{
unsigned char *buf;
unsigned char *p;
int i,j;
- STACK *sk=NULL,*cl;
+ STACK_OF(SSL_CIPHER) *sk=NULL,*cl;
buf=(unsigned char *)s->init_buf->data;
p=buf;
@@ -405,7 +396,7 @@ SSL *s;
/* load the ciphers */
sk=ssl_bytes_to_cipher_list(s,p,s->s2->tmp.csl,
- &s->session->ciphers);
+ &s->session->ciphers);
p+=s->s2->tmp.csl;
if (sk == NULL)
{
@@ -414,7 +405,7 @@ SSL *s;
return(-1);
}
- sk_set_cmp_func(sk,ssl_cipher_ptr_id_cmp);
+ sk_SSL_CIPHER_set_cmp_func(sk,ssl_cipher_ptr_id_cmp);
/* get the array of ciphers we will accept */
cl=ssl_get_ciphers_by_id(s);
@@ -424,38 +415,46 @@ SSL *s;
* will check against the list we origionally sent and
* for performance reasons we should not bother to match
* the two lists up just to check. */
- for (i=0; i<sk_num(cl); i++)
+ for (i=0; i<sk_SSL_CIPHER_num(cl); i++)
{
- if (sk_find(sk,sk_value(cl,i)) >= 0)
+ if (sk_SSL_CIPHER_find(sk,
+ sk_SSL_CIPHER_value(cl,i)) >= 0)
break;
}
- if (i >= sk_num(cl))
+ if (i >= sk_SSL_CIPHER_num(cl))
{
ssl2_return_error(s,SSL2_PE_NO_CIPHER);
SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_NO_CIPHER_MATCH);
return(-1);
}
- s->session->cipher=(SSL_CIPHER *)sk_value(cl,i);
+ s->session->cipher=sk_SSL_CIPHER_value(cl,i);
}
- if ((s->session != NULL) && (s->session->peer != NULL))
+ if (s->session->peer != NULL)
X509_free(s->session->peer);
+#if 0 /* What is all this meant to accomplish?? */
/* hmmm, can we have the problem of the other session with this
* cert, Free's it before we increment the reference count. */
CRYPTO_w_lock(CRYPTO_LOCK_X509);
- s->session->peer=s->session->cert->key->x509;
- CRYPTO_add(&s->session->peer->references,1,CRYPTO_LOCK_X509);
+ s->session->peer=s->session->sess_cert->key->x509;
+ /* Shouldn't do this: already locked */
+ /*CRYPTO_add(&s->session->peer->references,1,CRYPTO_LOCK_X509);*/
+ s->session->peer->references++;
CRYPTO_w_unlock(CRYPTO_LOCK_X509);
+#else
+ s->session->peer = s->session->sess_cert->peer_key->x509;
+ /* peer_key->x509 has been set by ssl2_set_certificate. */
+ CRYPTO_add(&s->session->peer->references, 1, CRYPTO_LOCK_X509);
+#endif
s->s2->conn_id_length=s->s2->tmp.conn_id_length;
memcpy(s->s2->conn_id,p,s->s2->tmp.conn_id_length);
return(1);
}
-static int client_hello(s)
-SSL *s;
+static int client_hello(SSL *s)
{
unsigned char *buf;
unsigned char *p,*d;
@@ -479,7 +478,7 @@ SSL *s;
p=buf; /* header */
d=p+9; /* data section */
*(p++)=SSL2_MT_CLIENT_HELLO; /* type */
- s2n(SSL2_CLIENT_VERSION,p); /* version */
+ s2n(SSL2_VERSION,p); /* version */
n=j=0;
n=ssl_cipher_list_to_bytes(s,SSL_get_ciphers(s),d);
@@ -522,21 +521,20 @@ SSL *s;
return(ssl2_do_write(s));
}
-static int client_master_key(s)
-SSL *s;
+static int client_master_key(SSL *s)
{
unsigned char *buf;
unsigned char *p,*d;
int clear,enc,karg,i;
SSL_SESSION *sess;
- EVP_CIPHER *c;
- EVP_MD *md;
+ const EVP_CIPHER *c;
+ const EVP_MD *md;
buf=(unsigned char *)s->init_buf->data;
if (s->state == SSL2_ST_SEND_CLIENT_MASTER_KEY_A)
{
- if (!ssl_cipher_get_evp(s->session->cipher,&c,&md))
+ if (!ssl_cipher_get_evp(s->session,&c,&md,NULL))
{
ssl2_return_error(s,SSL2_PE_NO_CIPHER);
SSLerr(SSL_F_CLIENT_MASTER_KEY,SSL_R_PROBLEMS_MAPPING_CIPHER_FUNCTIONS);
@@ -562,7 +560,7 @@ SSL *s;
if (sess->cipher->algorithm2 & SSL2_CF_8_BYTE_ENC)
enc=8;
- else if (sess->cipher->algorithms & SSL_EXP)
+ else if (SSL_C_IS_EXPORT(sess->cipher))
enc=5;
else
enc=i;
@@ -578,7 +576,7 @@ SSL *s;
memcpy(d,sess->master_key,(unsigned int)clear);
d+=clear;
- enc=ssl_rsa_public_encrypt(sess->cert,enc,
+ enc=ssl_rsa_public_encrypt(sess->sess_cert,enc,
&(sess->master_key[clear]),d,
(s->s2->ssl2_rollback)?RSA_SSLV23_PADDING:RSA_PKCS1_PADDING);
if (enc <= 0)
@@ -587,6 +585,11 @@ SSL *s;
SSLerr(SSL_F_CLIENT_MASTER_KEY,SSL_R_PUBLIC_KEY_ENCRYPT_ERROR);
return(-1);
}
+#ifdef PKCS1_CHECK
+ if (s->options & SSL_OP_PKCS1_CHECK_1) d[1]++;
+ if (s->options & SSL_OP_PKCS1_CHECK_2)
+ sess->master_key[clear]++;
+#endif
s2n(enc,p);
d+=enc;
karg=sess->key_arg_length;
@@ -603,8 +606,7 @@ SSL *s;
return(ssl2_do_write(s));
}
-static int client_finished(s)
-SSL *s;
+static int client_finished(SSL *s)
{
unsigned char *p;
@@ -622,8 +624,7 @@ SSL *s;
}
/* read the data and then respond */
-static int client_certificate(s)
-SSL *s;
+static int client_certificate(SSL *s)
{
unsigned char *buf;
unsigned char *p,*d;
@@ -738,7 +739,7 @@ SSL *s;
EVP_SignUpdate(&ctx,s->s2->key_material,
(unsigned int)s->s2->key_material_length);
EVP_SignUpdate(&ctx,cert_ch,(unsigned int)cert_ch_len);
- n=i2d_X509(s->session->cert->key->x509,&p);
+ n=i2d_X509(s->session->sess_cert->peer_key->x509,&p);
EVP_SignUpdate(&ctx,buf,(unsigned int)n);
p=buf;
@@ -767,8 +768,7 @@ SSL *s;
return(ssl2_do_write(s));
}
-static int get_server_verify(s)
-SSL *s;
+static int get_server_verify(SSL *s)
{
unsigned char *p;
int i;
@@ -811,8 +811,7 @@ SSL *s;
return(1);
}
-static int get_server_finished(s)
-SSL *s;
+static int get_server_finished(SSL *s)
{
unsigned char *buf;
unsigned char *p;
@@ -877,15 +876,11 @@ SSL *s;
}
/* loads in the certificate from the server */
-int ssl2_set_certificate(s, type, len, data)
-SSL *s;
-int type;
-int len;
-unsigned char *data;
+int ssl2_set_certificate(SSL *s, int type, int len, unsigned char *data)
{
- STACK *sk=NULL;
+ STACK_OF(X509) *sk=NULL;
EVP_PKEY *pkey=NULL;
- CERT *c=NULL;
+ SESS_CERT *sc=NULL;
int i;
X509 *x509=NULL;
int ret=0;
@@ -897,8 +892,7 @@ unsigned char *data;
goto err;
}
- if (((sk=sk_new_null()) == NULL) ||
- (!sk_push(sk,(char *)x509)))
+ if ((sk=sk_X509_new_null()) == NULL || !sk_X509_push(sk,x509))
{
SSLerr(SSL_F_SSL2_SET_CERTIFICATE,ERR_R_MALLOC_FAILURE);
goto err;
@@ -912,22 +906,18 @@ unsigned char *data;
goto err;
}
- /* cert for ssl */
- c=ssl_cert_new();
- if (c == NULL)
+ /* server's cert for this session */
+ sc=ssl_sess_cert_new();
+ if (sc == NULL)
{
ret= -1;
goto err;
}
+ if (s->session->sess_cert) ssl_sess_cert_free(s->session->sess_cert);
+ s->session->sess_cert=sc;
- /* cert for session */
- if (s->session->cert) ssl_cert_free(s->session->cert);
- s->session->cert=c;
-
-/* c->cert_type=type; */
-
- c->pkeys[SSL_PKEY_RSA_ENC].x509=x509;
- c->key= &(c->pkeys[SSL_PKEY_RSA_ENC]);
+ sc->peer_pkeys[SSL_PKEY_RSA_ENC].x509=x509;
+ sc->peer_key= &(sc->peer_pkeys[SSL_PKEY_RSA_ENC]);
pkey=X509_get_pubkey(x509);
x509=NULL;
@@ -942,27 +932,24 @@ unsigned char *data;
goto err;
}
- if (!ssl_set_cert_type(c,SSL2_CT_X509_CERTIFICATE))
+ if (!ssl_set_peer_cert_type(sc,SSL2_CT_X509_CERTIFICATE))
goto err;
ret=1;
err:
- if (sk != NULL) sk_free(sk);
- if (x509 != NULL) X509_free(x509);
+ sk_X509_free(sk);
+ X509_free(x509);
+ EVP_PKEY_free(pkey);
return(ret);
}
-static int ssl_rsa_public_encrypt(c, len, from, to, padding)
-CERT *c;
-int len;
-unsigned char *from;
-unsigned char *to;
-int padding;
+static int ssl_rsa_public_encrypt(SESS_CERT *sc, int len, unsigned char *from,
+ unsigned char *to, int padding)
{
EVP_PKEY *pkey=NULL;
int i= -1;
- if ((c == NULL) || (c->key->x509 == NULL) ||
- ((pkey=X509_get_pubkey(c->key->x509)) == NULL))
+ if ((sc == NULL) || (sc->peer_key->x509 == NULL) ||
+ ((pkey=X509_get_pubkey(sc->peer_key->x509)) == NULL))
{
SSLerr(SSL_F_SSL_RSA_PUBLIC_ENCRYPT,SSL_R_NO_PUBLICKEY);
return(-1);
@@ -978,6 +965,7 @@ int padding;
if (i < 0)
SSLerr(SSL_F_SSL_RSA_PUBLIC_ENCRYPT,ERR_R_RSA_LIB);
end:
+ EVP_PKEY_free(pkey);
return(i);
}
-
+#endif
diff --git a/lib/libssl/src/ssl/s2_enc.c b/lib/libssl/src/ssl/s2_enc.c
index b43056fa14f..09835008a99 100644
--- a/lib/libssl/src/ssl/s2_enc.c
+++ b/lib/libssl/src/ssl/s2_enc.c
@@ -59,17 +59,15 @@
#include <stdio.h>
#include "ssl_locl.h"
-int ssl2_enc_init(s, client)
-SSL *s;
-int client;
+int ssl2_enc_init(SSL *s, int client)
{
/* Max number of bytes needed */
EVP_CIPHER_CTX *rs,*ws;
- EVP_CIPHER *c;
- EVP_MD *md;
+ const EVP_CIPHER *c;
+ const EVP_MD *md;
int num;
- if (!ssl_cipher_get_evp(s->session->cipher,&c,&md))
+ if (!ssl_cipher_get_evp(s->session,&c,&md,NULL))
{
ssl2_return_error(s,SSL2_PE_NO_CIPHER);
SSLerr(SSL_F_SSL2_ENC_INIT,SSL_R_PROBLEMS_MAPPING_CIPHER_FUNCTIONS);
@@ -114,9 +112,7 @@ err:
/* read/writes from s->s2->mac_data using length for encrypt and
* decrypt. It sets the s->s2->padding, s->[rw]length and
* s->s2->pad_data ptr if we are encrypting */
-void ssl2_enc(s,send)
-SSL *s;
-int send;
+void ssl2_enc(SSL *s, int send)
{
EVP_CIPHER_CTX *ds;
unsigned long l;
@@ -146,10 +142,7 @@ int send;
EVP_Cipher(ds,s->s2->mac_data,s->s2->mac_data,l);
}
-void ssl2_mac(s, md,send)
-SSL *s;
-unsigned char *md;
-int send;
+void ssl2_mac(SSL *s, unsigned char *md, int send)
{
EVP_MD_CTX c;
unsigned char sequence[4],*p,*sec,*act;
diff --git a/lib/libssl/src/ssl/s2_lib.c b/lib/libssl/src/ssl/s2_lib.c
index 275eb52f13e..ff804d8e0d1 100644
--- a/lib/libssl/src/ssl/s2_lib.c
+++ b/lib/libssl/src/ssl/s2_lib.c
@@ -56,31 +56,26 @@
* [including the GNU Public Licence.]
*/
+#ifndef NO_RSA
#include <stdio.h>
-#include "rsa.h"
-#include "objects.h"
+#include <openssl/rsa.h>
+#include <openssl/objects.h>
+#include <openssl/md5.h>
#include "ssl_locl.h"
-#ifndef NOPROTO
-static int ssl2_ok(SSL *s);
static long ssl2_default_timeout(void );
-#else
-static int ssl2_ok();
-static long ssl2_default_timeout();
-#endif
-
-char *ssl2_version_str="SSLv2 part of SSLeay 0.9.0b 29-Jun-1998";
+const char *ssl2_version_str="SSLv2" OPENSSL_VERSION_PTEXT;
#define SSL2_NUM_CIPHERS (sizeof(ssl2_ciphers)/sizeof(SSL_CIPHER))
-SSL_CIPHER ssl2_ciphers[]={
+OPENSSL_GLOBAL SSL_CIPHER ssl2_ciphers[]={
/* NULL_WITH_MD5 v3 */
#if 0
{
1,
SSL2_TXT_NULL_WITH_MD5,
SSL2_CK_NULL_WITH_MD5,
- SSL_kRSA|SSL_aRSA|SSL_eNULL|SSL_MD5|SSL_EXP|SSL_SSLV2,
+ SSL_kRSA|SSL_aRSA|SSL_eNULL|SSL_MD5|SSL_EXP40|SSL_SSLV2,
0,
SSL_ALL_CIPHERS,
},
@@ -90,7 +85,7 @@ SSL_CIPHER ssl2_ciphers[]={
1,
SSL2_TXT_RC4_128_EXPORT40_WITH_MD5,
SSL2_CK_RC4_128_EXPORT40_WITH_MD5,
- SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5|SSL_EXP|SSL_SSLV2,
+ SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5|SSL_EXP40|SSL_SSLV2,
SSL2_CF_5_BYTE_ENC,
SSL_ALL_CIPHERS,
},
@@ -108,7 +103,7 @@ SSL_CIPHER ssl2_ciphers[]={
1,
SSL2_TXT_RC2_128_CBC_EXPORT40_WITH_MD5,
SSL2_CK_RC2_128_CBC_EXPORT40_WITH_MD5,
- SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5|SSL_EXP|SSL_SSLV2,
+ SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5|SSL_EXP40|SSL_SSLV2,
SSL2_CF_5_BYTE_ENC,
SSL_ALL_CIPHERS,
},
@@ -184,7 +179,8 @@ static SSL_METHOD SSLv2_data= {
ssl2_peek,
ssl2_write,
ssl2_shutdown,
- ssl2_ok,
+ ssl_ok, /* NULL - renegotiate */
+ ssl_ok, /* NULL - check renegotiate */
ssl2_ctrl, /* local */
ssl2_ctx_ctrl, /* local */
ssl2_get_cipher_by_char,
@@ -197,23 +193,22 @@ static SSL_METHOD SSLv2_data= {
&ssl3_undef_enc_method,
};
-static long ssl2_default_timeout()
+static long ssl2_default_timeout(void)
{
return(300);
}
-SSL_METHOD *sslv2_base_method()
+SSL_METHOD *sslv2_base_method(void)
{
return(&SSLv2_data);
}
-int ssl2_num_ciphers()
+int ssl2_num_ciphers(void)
{
return(SSL2_NUM_CIPHERS);
}
-SSL_CIPHER *ssl2_get_cipher(u)
-unsigned int u;
+SSL_CIPHER *ssl2_get_cipher(unsigned int u)
{
if (u < SSL2_NUM_CIPHERS)
return(&(ssl2_ciphers[SSL2_NUM_CIPHERS-1-u]));
@@ -221,14 +216,12 @@ unsigned int u;
return(NULL);
}
-int ssl2_pending(s)
-SSL *s;
+int ssl2_pending(SSL *s)
{
return(s->s2->ract_data_length);
}
-int ssl2_new(s)
-SSL *s;
+int ssl2_new(SSL *s)
{
SSL2_CTX *s2;
@@ -253,11 +246,13 @@ err:
return(0);
}
-void ssl2_free(s)
-SSL *s;
+void ssl2_free(SSL *s)
{
SSL2_CTX *s2;
+ if(s == NULL)
+ return;
+
s2=s->s2;
if (s2->rbuf != NULL) Free(s2->rbuf);
if (s2->wbuf != NULL) Free(s2->wbuf);
@@ -266,8 +261,7 @@ SSL *s;
s->s2=NULL;
}
-void ssl2_clear(s)
-SSL *s;
+void ssl2_clear(SSL *s)
{
SSL2_CTX *s2;
unsigned char *rbuf,*wbuf;
@@ -287,11 +281,7 @@ SSL *s;
s->packet_length=0;
}
-long ssl2_ctrl(s,cmd,larg,parg)
-SSL *s;
-int cmd;
-long larg;
-char *parg;
+long ssl2_ctrl(SSL *s, int cmd, long larg, char *parg)
{
int ret=0;
@@ -306,19 +296,14 @@ char *parg;
return(ret);
}
-long ssl2_ctx_ctrl(ctx,cmd,larg,parg)
-SSL_CTX *ctx;
-int cmd;
-long larg;
-char *parg;
+long ssl2_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, char *parg)
{
return(0);
}
/* This function needs to check if the ciphers required are actually
* available */
-SSL_CIPHER *ssl2_get_cipher_by_char(p)
-unsigned char *p;
+SSL_CIPHER *ssl2_get_cipher_by_char(const unsigned char *p)
{
static int init=1;
static SSL_CIPHER *sorted[SSL2_NUM_CIPHERS];
@@ -328,7 +313,7 @@ unsigned char *p;
if (init)
{
- init=0;
+ CRYPTO_w_lock(CRYPTO_LOCK_SSL);
for (i=0; i<SSL2_NUM_CIPHERS; i++)
sorted[i]= &(ssl2_ciphers[i]);
@@ -336,6 +321,9 @@ unsigned char *p;
qsort( (char *)sorted,
SSL2_NUM_CIPHERS,sizeof(SSL_CIPHER *),
FP_ICC ssl_cipher_ptr_id_cmp);
+
+ CRYPTO_w_unlock(CRYPTO_LOCK_SSL);
+ init=0;
}
id=0x02000000L|((unsigned long)p[0]<<16L)|
@@ -351,9 +339,7 @@ unsigned char *p;
return(*cpp);
}
-int ssl2_put_cipher_by_char(c,p)
-SSL_CIPHER *c;
-unsigned char *p;
+int ssl2_put_cipher_by_char(const SSL_CIPHER *c, unsigned char *p)
{
long l;
@@ -368,14 +354,18 @@ unsigned char *p;
return(3);
}
-void ssl2_generate_key_material(s)
-SSL *s;
+void ssl2_generate_key_material(SSL *s)
{
unsigned int i;
MD5_CTX ctx;
unsigned char *km;
unsigned char c='0';
+#ifdef CHARSET_EBCDIC
+ c = os_toascii['0']; /* Must be an ASCII '0', not EBCDIC '0',
+ see SSLv2 docu */
+#endif
+
km=s->s2->key_material;
for (i=0; i<s->s2->key_material_length; i+=MD5_DIGEST_LENGTH)
{
@@ -391,9 +381,7 @@ SSL *s;
}
}
-void ssl2_return_error(s,err)
-SSL *s;
-int err;
+void ssl2_return_error(SSL *s, int err)
{
if (!s->error)
{
@@ -405,10 +393,9 @@ int err;
}
-void ssl2_write_error(s)
-SSL *s;
+void ssl2_write_error(SSL *s)
{
- char buf[3];
+ unsigned char buf[3];
int i,error;
buf[0]=SSL2_MT_ERROR;
@@ -429,16 +416,9 @@ SSL *s;
s->error=0; */
}
-static int ssl2_ok(s)
-SSL *s;
- {
- return(1);
- }
-
-int ssl2_shutdown(s)
-SSL *s;
+int ssl2_shutdown(SSL *s)
{
s->shutdown=(SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN);
return(1);
}
-
+#endif
diff --git a/lib/libssl/src/ssl/s2_meth.c b/lib/libssl/src/ssl/s2_meth.c
index cfc8828cc71..e2add164ddb 100644
--- a/lib/libssl/src/ssl/s2_meth.c
+++ b/lib/libssl/src/ssl/s2_meth.c
@@ -56,12 +56,13 @@
* [including the GNU Public Licence.]
*/
+#ifndef NO_RSA
#include <stdio.h>
-#include "objects.h"
+#include <openssl/objects.h>
#include "ssl_locl.h"
-static SSL_METHOD *ssl2_get_method(ver)
-int ver;
+static SSL_METHOD *ssl2_get_method(int ver);
+static SSL_METHOD *ssl2_get_method(int ver)
{
if (ver == SSL2_VERSION)
return(SSLv2_method());
@@ -69,20 +70,20 @@ int ver;
return(NULL);
}
-SSL_METHOD *SSLv2_method()
+SSL_METHOD *SSLv2_method(void)
{
static int init=1;
static SSL_METHOD SSLv2_data;
if (init)
{
- init=0;
memcpy((char *)&SSLv2_data,(char *)sslv2_base_method(),
sizeof(SSL_METHOD));
SSLv2_data.ssl_connect=ssl2_connect;
SSLv2_data.ssl_accept=ssl2_accept;
SSLv2_data.get_ssl_method=ssl2_get_method;
+ init=0;
}
return(&SSLv2_data);
}
-
+#endif
diff --git a/lib/libssl/src/ssl/s2_pkt.c b/lib/libssl/src/ssl/s2_pkt.c
index e4167b53af5..a1bb5bca4b8 100644
--- a/lib/libssl/src/ssl/s2_pkt.c
+++ b/lib/libssl/src/ssl/s2_pkt.c
@@ -61,29 +61,11 @@
#define USE_SOCKETS
#include "ssl_locl.h"
-/* SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_PEER_ERROR_NO_CIPHER);
- * SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_PEER_ERROR_NO_CERTIFICATE);
- * SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_PEER_ERROR_CERTIFICATE);
- * SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE);
- * SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_UNKNOWN_REMOTE_ERROR_TYPE);
- */
-
-#ifndef NOPROTO
static int read_n(SSL *s,unsigned int n,unsigned int max,unsigned int extend);
-static int do_ssl_write(SSL *s, char *buf, unsigned int len);
-static int write_pending(SSL *s, char *buf, unsigned int len);
+static int do_ssl_write(SSL *s, const unsigned char *buf, unsigned int len);
+static int write_pending(SSL *s, const unsigned char *buf, unsigned int len);
static int ssl_mt_error(int n);
-#else
-static int read_n();
-static int do_ssl_write();
-static int write_pending();
-static int ssl_mt_error();
-#endif
-
-int ssl2_peek(s,buf,len)
-SSL *s;
-char *buf;
-int len;
+int ssl2_peek(SSL *s, char *buf, int len)
{
int ret;
@@ -99,10 +81,7 @@ int len;
/* SSL_read -
* This routine will return 0 to len bytes, decrypted etc if required.
*/
-int ssl2_read(s, buf, len)
-SSL *s;
-char *buf;
-int len;
+int ssl2_read(SSL *s, void *buf, int len)
{
int n;
unsigned char mac[MAX_MAC_SIZE];
@@ -110,6 +89,7 @@ int len;
int i;
unsigned int mac_size=0;
+ssl2_read_again:
if (SSL_in_init(s) && !s->in_handshake)
{
n=s->handshake_func(s);
@@ -237,6 +217,25 @@ int len;
INC32(s->s2->read_sequence); /* expect next number */
/* s->s2->ract_data is now available for processing */
+#if 1
+ /* How should we react when a packet containing 0
+ * bytes is received? (Note that SSLeay/OpenSSL itself
+ * never sends such packets; see ssl2_write.)
+ * Returning 0 would be interpreted by the caller as
+ * indicating EOF, so it's not a good idea.
+ * Instead, we just continue reading. Note that using
+ * select() for blocking sockets *never* guarantees
+ * that the next SSL_read will not block -- the available
+ * data may contain incomplete packets, and except for SSL 2
+ * renegotiation can confuse things even more. */
+
+ goto ssl2_read_again; /* This should really be
+ * "return ssl2_read(s,buf,len)",
+ * but that would allow for
+ * denial-of-service attacks if a
+ * C compiler is used that does not
+ * recognize end-recursion. */
+#else
/* If a 0 byte packet was sent, return 0, otherwise
* we play havoc with people using select with
* blocking sockets. Let them handle a packet at a time,
@@ -244,6 +243,7 @@ int len;
if (s->s2->ract_data_length == 0)
return(0);
return(ssl2_read(s,buf,len));
+#endif
}
else
{
@@ -252,11 +252,8 @@ int len;
}
}
-static int read_n(s, n, max, extend)
-SSL *s;
-unsigned int n;
-unsigned int max;
-unsigned int extend;
+static int read_n(SSL *s, unsigned int n, unsigned int max,
+ unsigned int extend)
{
int i,off,newb;
@@ -354,11 +351,9 @@ unsigned int extend;
return(n);
}
-int ssl2_write(s, buf, len)
-SSL *s;
-char *buf;
-int len;
+int ssl2_write(SSL *s, const void *_buf, int len)
{
+ const unsigned char *buf=_buf;
unsigned int n,tot;
int i;
@@ -396,17 +391,18 @@ int len;
s->s2->wnum=tot;
return(i);
}
- if (i == (int)n) return(tot+i);
-
+ if ((i == (int)n) ||
+ (s->mode & SSL_MODE_ENABLE_PARTIAL_WRITE))
+ {
+ return(tot+i);
+ }
+
n-=i;
tot+=i;
}
}
-static int write_pending(s,buf,len)
-SSL *s;
-char *buf;
-unsigned int len;
+static int write_pending(SSL *s, const unsigned char *buf, unsigned int len)
{
int i;
@@ -414,7 +410,9 @@ unsigned int len;
/* check that they have given us the same buffer to
* write */
- if ((s->s2->wpend_tot > (int)len) || (s->s2->wpend_buf != buf))
+ if ((s->s2->wpend_tot > (int)len) ||
+ ((s->s2->wpend_buf != buf) &&
+ !(s->mode & SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER)))
{
SSLerr(SSL_F_WRITE_PENDING,SSL_R_BAD_WRITE_RETRY);
return(-1);
@@ -451,10 +449,7 @@ unsigned int len;
}
}
-static int do_ssl_write(s, buf, len)
-SSL *s;
-char *buf;
-unsigned int len;
+static int do_ssl_write(SSL *s, const unsigned char *buf, unsigned int len)
{
unsigned int j,k,olen,p,mac_size,bs;
register unsigned char *pp;
@@ -567,7 +562,7 @@ unsigned int len;
/* lets try to actually write the data */
s->s2->wpend_tot=olen;
- s->s2->wpend_buf=(char *)buf;
+ s->s2->wpend_buf=buf;
s->s2->wpend_ret=len;
@@ -575,10 +570,7 @@ unsigned int len;
return(write_pending(s,buf,olen));
}
-int ssl2_part_read(s,f,i)
-SSL *s;
-unsigned long f;
-int i;
+int ssl2_part_read(SSL *s, unsigned long f, int i)
{
unsigned char *p;
int j;
@@ -608,13 +600,11 @@ int i;
}
}
-int ssl2_do_write(s)
-SSL *s;
+int ssl2_do_write(SSL *s)
{
int ret;
- ret=ssl2_write(s,(char *)&(s->init_buf->data[s->init_off]),
- s->init_num);
+ ret=ssl2_write(s,&s->init_buf->data[s->init_off],s->init_num);
if (ret == s->init_num)
return(1);
if (ret < 0)
@@ -624,8 +614,7 @@ SSL *s;
return(0);
}
-static int ssl_mt_error(n)
-int n;
+static int ssl_mt_error(int n)
{
int ret;
diff --git a/lib/libssl/src/ssl/s2_srvr.c b/lib/libssl/src/ssl/s2_srvr.c
index c6c8ea32f14..9aeedef55f6 100644
--- a/lib/libssl/src/ssl/s2_srvr.c
+++ b/lib/libssl/src/ssl/s2_srvr.c
@@ -56,14 +56,15 @@
* [including the GNU Public Licence.]
*/
+#ifndef NO_RSA
#include <stdio.h>
-#include "bio.h"
-#include "rand.h"
-#include "objects.h"
+#include <openssl/bio.h>
+#include <openssl/rand.h>
+#include <openssl/objects.h>
#include "ssl_locl.h"
-#include "evp.h"
+#include <openssl/evp.h>
-#ifndef NOPROTO
+static SSL_METHOD *ssl2_get_server_method(int ver);
static int get_client_master_key(SSL *s);
static int get_client_hello(SSL *s);
static int server_hello(SSL *s);
@@ -73,21 +74,9 @@ static int server_finish(SSL *s);
static int request_certificate(SSL *s);
static int ssl_rsa_private_decrypt(CERT *c, int len, unsigned char *from,
unsigned char *to,int padding);
-#else
-static int get_client_master_key();
-static int get_client_hello();
-static int server_hello();
-static int get_client_finished();
-static int server_verify();
-static int server_finish();
-static int request_certificate();
-static int ssl_rsa_private_decrypt();
-#endif
-
#define BREAK break
-static SSL_METHOD *ssl2_get_server_method(ver)
-int ver;
+static SSL_METHOD *ssl2_get_server_method(int ver)
{
if (ver == SSL2_VERSION)
return(SSLv2_server_method());
@@ -95,24 +84,23 @@ int ver;
return(NULL);
}
-SSL_METHOD *SSLv2_server_method()
+SSL_METHOD *SSLv2_server_method(void)
{
static int init=1;
static SSL_METHOD SSLv2_server_data;
if (init)
{
- init=0;
memcpy((char *)&SSLv2_server_data,(char *)sslv2_base_method(),
sizeof(SSL_METHOD));
SSLv2_server_data.ssl_accept=ssl2_accept;
SSLv2_server_data.get_ssl_method=ssl2_get_server_method;
+ init=0;
}
return(&SSLv2_server_data);
}
-int ssl2_accept(s)
-SSL *s;
+int ssl2_accept(SSL *s)
{
unsigned long l=time(NULL);
BUF_MEM *buf=NULL;
@@ -121,7 +109,7 @@ SSL *s;
void (*cb)()=NULL;
int new_state,state;
- RAND_seed((unsigned char *)&l,sizeof(l));
+ RAND_seed(&l,sizeof(l));
ERR_clear_error();
clear_sys_error();
@@ -134,8 +122,7 @@ SSL *s;
if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s);
s->in_handshake++;
- if (((s->session == NULL) || (s->session->cert == NULL)) &&
- (s->cert == NULL))
+ if (s->cert == NULL)
{
SSLerr(SSL_F_SSL2_ACCEPT,SSL_R_NO_CERTIFICATE_SET);
return(-1);
@@ -153,6 +140,7 @@ SSL *s;
case SSL_ST_BEFORE|SSL_ST_ACCEPT:
case SSL_ST_OK|SSL_ST_ACCEPT:
+ s->server=1;
if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1);
s->version=SSL2_VERSION;
@@ -166,7 +154,7 @@ SSL *s;
{ ret= -1; goto end; }
s->init_buf=buf;
s->init_num=0;
- s->ctx->sess_accept++;
+ s->ctx->stats.sess_accept++;
s->handshake_func=ssl2_accept;
s->state=SSL2_ST_GET_CLIENT_HELLO_A;
BREAK;
@@ -293,13 +281,14 @@ SSL *s;
case SSL_ST_OK:
BUF_MEM_free(s->init_buf);
+ ssl_free_wbio_buffer(s);
s->init_buf=NULL;
s->init_num=0;
/* ERR_clear_error();*/
ssl_update_cache(s,SSL_SESS_CACHE_SERVER);
- s->ctx->sess_accept_good++;
+ s->ctx->stats.sess_accept_good++;
/* s->server=1; */
ret=1;
@@ -330,14 +319,13 @@ end:
return(ret);
}
-static int get_client_master_key(s)
-SSL *s;
+static int get_client_master_key(SSL *s)
{
- int export,i,n,keya,error=0,ek;
+ int is_export,i,n,keya,ek;
unsigned char *p;
SSL_CIPHER *cp;
- EVP_CIPHER *c;
- EVP_MD *md;
+ const EVP_CIPHER *c;
+ const EVP_MD *md;
p=(unsigned char *)s->init_buf->data;
if (s->state == SSL2_ST_GET_CLIENT_MASTER_KEY_A)
@@ -387,7 +375,7 @@ SSL *s;
memcpy(s->session->key_arg,&(p[s->s2->tmp.clear+s->s2->tmp.enc]),
(unsigned int)keya);
- if (s->session->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL)
+ if (s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL)
{
ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_NO_PRIVATEKEY);
@@ -397,9 +385,9 @@ SSL *s;
&(p[s->s2->tmp.clear]),&(p[s->s2->tmp.clear]),
(s->s2->ssl2_rollback)?RSA_SSLV23_PADDING:RSA_PKCS1_PADDING);
- export=(s->session->cipher->algorithms & SSL_EXP)?1:0;
+ is_export=SSL_C_IS_EXPORT(s->session->cipher);
- if (!ssl_cipher_get_evp(s->session->cipher,&c,&md))
+ if (!ssl_cipher_get_evp(s->session,&c,&md,NULL))
{
ssl2_return_error(s,SSL2_PE_NO_CIPHER);
SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_PROBLEMS_MAPPING_CIPHER_FUNCTIONS);
@@ -408,7 +396,7 @@ SSL *s;
if (s->session->cipher->algorithm2 & SSL2_CF_8_BYTE_ENC)
{
- export=1;
+ is_export=1;
ek=8;
}
else
@@ -419,11 +407,11 @@ SSL *s;
/* If a bad decrypt, continue with protocol but with a
* dud master secret */
if ((i < 0) ||
- ((!export && (i != EVP_CIPHER_key_length(c)))
- || ( export && ((i != ek) || (s->s2->tmp.clear+i !=
+ ((!is_export && (i != EVP_CIPHER_key_length(c)))
+ || (is_export && ((i != ek) || (s->s2->tmp.clear+i !=
EVP_CIPHER_key_length(c))))))
{
- if (export)
+ if (is_export)
i=ek;
else
i=EVP_CIPHER_key_length(c);
@@ -436,8 +424,8 @@ SSL *s;
SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_BAD_RSA_DECRYPT);
}
/* incorrect number of key bytes for non export cipher */
- else if ((!export && (i != EVP_CIPHER_key_length(c)))
- || ( export && ((i != ek) || (s->s2->tmp.clear+i !=
+ else if ((!is_export && (i != EVP_CIPHER_key_length(c)))
+ || (is_export && ((i != ek) || (s->s2->tmp.clear+i !=
EVP_CIPHER_key_length(c)))))
{
error=1;
@@ -450,19 +438,18 @@ SSL *s;
}
#endif
- if (export) i+=s->s2->tmp.clear;
+ if (is_export) i+=s->s2->tmp.clear;
s->session->master_key_length=i;
memcpy(s->session->master_key,p,(unsigned int)i);
return(1);
}
-static int get_client_hello(s)
-SSL *s;
+static int get_client_hello(SSL *s)
{
int i,n;
unsigned char *p;
- STACK *cs; /* a stack of SSL_CIPHERS */
- STACK *cl; /* the ones we want to use */
+ STACK_OF(SSL_CIPHER) *cs; /* a stack of SSL_CIPHERS */
+ STACK_OF(SSL_CIPHER) *cl; /* the ones we want to use */
int z;
/* This is a bit of a hack to check for the correct packet
@@ -570,11 +557,11 @@ SSL *s;
cl=ssl_get_ciphers_by_id(s);
- for (z=0; z<sk_num(cs); z++)
+ for (z=0; z<sk_SSL_CIPHER_num(cs); z++)
{
- if (sk_find(cl,sk_value(cs,z)) < 0)
+ if (sk_SSL_CIPHER_find(cl,sk_SSL_CIPHER_value(cs,z)) < 0)
{
- sk_delete(cs,z);
+ sk_SSL_CIPHER_delete(cs,z);
z--;
}
}
@@ -599,12 +586,11 @@ mem_err:
return(0);
}
-static int server_hello(s)
-SSL *s;
+static int server_hello(SSL *s)
{
unsigned char *p,*d;
int n,hit;
- STACK *sk;
+ STACK_OF(SSL_CIPHER) *sk;
p=(unsigned char *)s->init_buf->data;
if (s->state == SSL2_ST_SEND_SERVER_HELLO_A)
@@ -613,27 +599,52 @@ SSL *s;
*(p++)=SSL2_MT_SERVER_HELLO; /* type */
hit=s->hit;
*(p++)=(unsigned char)hit;
+#if 1
+ if (!hit)
+ {
+ if (s->session->sess_cert != NULL)
+ /* This can't really happen because get_client_hello
+ * has called ssl_get_new_session, which does not set
+ * sess_cert. */
+ ssl_sess_cert_free(s->session->sess_cert);
+ s->session->sess_cert = ssl_sess_cert_new();
+ if (s->session->sess_cert == NULL)
+ {
+ SSLerr(SSL_F_SERVER_HELLO, ERR_R_MALLOC_FAILURE);
+ return(-1);
+ }
+ }
+ /* If 'hit' is set, then s->sess_cert may be non-NULL or NULL,
+ * depending on whether it survived in the internal cache
+ * or was retrieved from an external cache.
+ * If it is NULL, we cannot put any useful data in it anyway,
+ * so we don't touch it.
+ */
+
+#else /* That's what used to be done when cert_st and sess_cert_st were
+ * the same. */
if (!hit)
{ /* else add cert to session */
CRYPTO_add(&s->cert->references,1,CRYPTO_LOCK_SSL_CERT);
- if (s->session->cert != NULL)
- ssl_cert_free(s->session->cert);
- s->session->cert=s->cert;
+ if (s->session->sess_cert != NULL)
+ ssl_cert_free(s->session->sess_cert);
+ s->session->sess_cert=s->cert;
}
else /* We have a session id-cache hit, if the
* session-id has no certificate listed against
* the 'cert' structure, grab the 'old' one
* listed against the SSL connection */
{
- if (s->session->cert == NULL)
+ if (s->session->sess_cert == NULL)
{
CRYPTO_add(&s->cert->references,1,
CRYPTO_LOCK_SSL_CERT);
- s->session->cert=s->cert;
+ s->session->sess_cert=s->cert;
}
}
+#endif
- if (s->session->cert == NULL)
+ if (s->cert == NULL)
{
ssl2_return_error(s,SSL2_PE_NO_CERTIFICATE);
SSLerr(SSL_F_SERVER_HELLO,SSL_R_NO_CERTIFICATE_SPECIFIED);
@@ -690,8 +701,7 @@ SSL *s;
return(ssl2_do_write(s));
}
-static int get_client_finished(s)
-SSL *s;
+static int get_client_finished(SSL *s)
{
unsigned char *p;
int i;
@@ -733,8 +743,7 @@ SSL *s;
return(1);
}
-static int server_verify(s)
-SSL *s;
+static int server_verify(SSL *s)
{
unsigned char *p;
@@ -752,8 +761,7 @@ SSL *s;
return(ssl2_do_write(s));
}
-static int server_finish(s)
-SSL *s;
+static int server_finish(SSL *s)
{
unsigned char *p;
@@ -776,14 +784,13 @@ SSL *s;
}
/* send the request and check the response */
-static int request_certificate(s)
-SSL *s;
+static int request_certificate(SSL *s)
{
unsigned char *p,*p2,*buf2;
unsigned char *ccd;
int i,j,ctype,ret= -1;
X509 *x509=NULL;
- STACK *sk=NULL;
+ STACK_OF(X509) *sk=NULL;
ccd=s->s2->tmp.ccl;
if (s->state == SSL2_ST_SEND_REQUEST_CERTIFICATE_A)
@@ -872,7 +879,7 @@ SSL *s;
goto msg_end;
}
- if (((sk=sk_new_null()) == NULL) || (!sk_push(sk,(char *)x509)))
+ if (((sk=sk_X509_new_null()) == NULL) || (!sk_X509_push(sk,x509)))
{
SSLerr(SSL_F_REQUEST_CERTIFICATE,ERR_R_MALLOC_FAILURE);
goto msg_end;
@@ -890,7 +897,7 @@ SSL *s;
(unsigned int)s->s2->key_material_length);
EVP_VerifyUpdate(&ctx,ccd,SSL2_MIN_CERT_CHALLENGE_LENGTH);
- i=i2d_X509(s->session->cert->pkeys[SSL_PKEY_RSA_ENC].x509,NULL);
+ i=i2d_X509(s->cert->pkeys[SSL_PKEY_RSA_ENC].x509,NULL);
buf2=(unsigned char *)Malloc((unsigned int)i);
if (buf2 == NULL)
{
@@ -898,13 +905,14 @@ SSL *s;
goto msg_end;
}
p2=buf2;
- i=i2d_X509(s->session->cert->pkeys[SSL_PKEY_RSA_ENC].x509,&p2);
+ i=i2d_X509(s->cert->pkeys[SSL_PKEY_RSA_ENC].x509,&p2);
EVP_VerifyUpdate(&ctx,buf2,(unsigned int)i);
Free(buf2);
pkey=X509_get_pubkey(x509);
if (pkey == NULL) goto end;
i=EVP_VerifyFinal(&ctx,p,s->s2->tmp.rlen,pkey);
+ EVP_PKEY_free(pkey);
memset(&ctx,0,sizeof(ctx));
if (i)
@@ -928,17 +936,13 @@ msg_end:
ssl2_return_error(s,SSL2_PE_BAD_CERTIFICATE);
}
end:
- if (sk != NULL) sk_free(sk);
- if (x509 != NULL) X509_free(x509);
+ sk_X509_free(sk);
+ X509_free(x509);
return(ret);
}
-static int ssl_rsa_private_decrypt(c, len, from, to,padding)
-CERT *c;
-int len;
-unsigned char *from;
-unsigned char *to;
-int padding;
+static int ssl_rsa_private_decrypt(CERT *c, int len, unsigned char *from,
+ unsigned char *to, int padding)
{
RSA *rsa;
int i;
@@ -961,4 +965,4 @@ int padding;
SSLerr(SSL_F_SSL_RSA_PRIVATE_DECRYPT,ERR_R_RSA_LIB);
return(i);
}
-
+#endif
diff --git a/lib/libssl/src/ssl/s3_both.c b/lib/libssl/src/ssl/s3_both.c
index 6de62e15916..f3f27715d57 100644
--- a/lib/libssl/src/ssl/s3_both.c
+++ b/lib/libssl/src/ssl/s3_both.c
@@ -57,24 +57,15 @@
*/
#include <stdio.h>
-#include "buffer.h"
-#include "rand.h"
-#include "objects.h"
-#include "evp.h"
-#include "x509.h"
+#include <openssl/buffer.h>
+#include <openssl/rand.h>
+#include <openssl/objects.h>
+#include <openssl/evp.h>
+#include <openssl/x509.h>
#include "ssl_locl.h"
-#define BREAK break
-
-/* SSL3err(SSL_F_SSL3_GET_FINISHED,SSL_R_EXCESSIVE_MESSAGE_SIZE);
- */
-
-int ssl3_send_finished(s,a,b,sender,slen)
-SSL *s;
-int a;
-int b;
-unsigned char *sender;
-int slen;
+int ssl3_send_finished(SSL *s, int a, int b, unsigned char *sender,
+ int slen)
{
unsigned char *p,*d;
int i;
@@ -92,6 +83,13 @@ int slen;
p+=i;
l=i;
+#ifdef WIN16
+ /* MSVC 1.5 does not clear the top bytes of the word unless
+ * I do this.
+ */
+ l&=0xffff;
+#endif
+
*(d++)=SSL3_MT_FINISHED;
l2n3(l,d);
s->init_num=(int)l+4;
@@ -104,10 +102,7 @@ int slen;
return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
}
-int ssl3_get_finished(s,a,b)
-SSL *s;
-int a;
-int b;
+int ssl3_get_finished(SSL *s, int a, int b)
{
int al,i,ok;
long n;
@@ -167,9 +162,7 @@ f_err:
* ssl->session->read_compression assign
* ssl->session->read_hash assign
*/
-int ssl3_send_change_cipher_spec(s,a,b)
-SSL *s;
-int a,b;
+int ssl3_send_change_cipher_spec(SSL *s, int a, int b)
{
unsigned char *p;
@@ -187,9 +180,7 @@ int a,b;
return(ssl3_do_write(s,SSL3_RT_CHANGE_CIPHER_SPEC));
}
-unsigned long ssl3_output_cert_chain(s,x)
-SSL *s;
-X509 *x;
+unsigned long ssl3_output_cert_chain(SSL *s, X509 *x)
{
unsigned char *p;
int n,i;
@@ -236,6 +227,23 @@ X509 *x;
X509_STORE_CTX_cleanup(&xs_ctx);
}
+ /* Thawte special :-) */
+ if (s->ctx->extra_certs != NULL)
+ for (i=0; i<sk_X509_num(s->ctx->extra_certs); i++)
+ {
+ x=sk_X509_value(s->ctx->extra_certs,i);
+ n=i2d_X509(x,NULL);
+ if (!BUF_MEM_grow(buf,(int)(n+l+3)))
+ {
+ SSLerr(SSL_F_SSL3_OUTPUT_CERT_CHAIN,ERR_R_BUF_LIB);
+ return(0);
+ }
+ p=(unsigned char *)&(buf->data[l]);
+ l2n3(n,p);
+ i2d_X509(x,&p);
+ l+=n+3;
+ }
+
l-=7;
p=(unsigned char *)&(buf->data[4]);
l2n3(l,p);
@@ -247,11 +255,7 @@ X509 *x;
return(l);
}
-long ssl3_get_message(s,st1,stn,mt,max,ok)
-SSL *s;
-int st1,stn,mt;
-long max;
-int *ok;
+long ssl3_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok)
{
unsigned char *p;
unsigned long l;
@@ -275,9 +279,8 @@ int *ok;
if (s->state == st1)
{
- i=ssl3_read_bytes(s,SSL3_RT_HANDSHAKE,
- (char *)&(p[s->init_num]),
- 4-s->init_num);
+ i=ssl3_read_bytes(s,SSL3_RT_HANDSHAKE,&p[s->init_num],
+ 4-s->init_num);
if (i < (4-s->init_num))
{
*ok=0;
@@ -315,8 +318,7 @@ int *ok;
n=s->s3->tmp.message_size;
if (n > 0)
{
- i=ssl3_read_bytes(s,SSL3_RT_HANDSHAKE,
- (char *)&(p[s->init_num]),(int)n);
+ i=ssl3_read_bytes(s,SSL3_RT_HANDSHAKE,&p[s->init_num],n);
if (i != (int)n)
{
*ok=0;
@@ -332,9 +334,7 @@ err:
return(-1);
}
-int ssl_cert_type(x,pkey)
-X509 *x;
-EVP_PKEY *pkey;
+int ssl_cert_type(X509 *x, EVP_PKEY *pkey)
{
EVP_PKEY *pk;
int ret= -1,i,j;
@@ -380,11 +380,11 @@ EVP_PKEY *pkey;
ret= -1;
err:
+ if(!pkey) EVP_PKEY_free(pk);
return(ret);
}
-int ssl_verify_alarm_type(type)
-long type;
+int ssl_verify_alarm_type(long type)
{
int al;
@@ -436,8 +436,7 @@ long type;
return(al);
}
-int ssl3_setup_buffers(s)
-SSL *s;
+int ssl3_setup_buffers(SSL *s)
{
unsigned char *p;
unsigned int extra;
diff --git a/lib/libssl/src/ssl/s3_clnt.c b/lib/libssl/src/ssl/s3_clnt.c
index 940c6a458f3..d3e6b4d1e58 100644
--- a/lib/libssl/src/ssl/s3_clnt.c
+++ b/lib/libssl/src/ssl/s3_clnt.c
@@ -57,23 +57,15 @@
*/
#include <stdio.h>
-#include "buffer.h"
-#include "rand.h"
-#include "objects.h"
-#include "evp.h"
+#include <openssl/buffer.h>
+#include <openssl/rand.h>
+#include <openssl/objects.h>
+#include <openssl/md5.h>
+#include <openssl/sha.h>
+#include <openssl/evp.h>
#include "ssl_locl.h"
-#define BREAK break
-/* SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,ERR_R_MALLOC_FAILURE);
- * SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,ERR_R_MALLOC_FAILURE);
- * SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,ERR_R_MALLOC_FAILURE);
- * SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE);
- * SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,ERR_R_MALLOC_FAILURE);
- * SSLerr(SSL_F_SSL3_GET_SERVER_DONE,ERR_R_MALLOC_FAILURE);
-SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_SSL3_SESSION_ID_TOO_SHORT);
- */
-
-#ifndef NOPROTO
+static SSL_METHOD *ssl3_get_client_method(int ver);
static int ssl3_client_hello(SSL *s);
static int ssl3_get_server_hello(SSL *s);
static int ssl3_get_certificate_request(SSL *s);
@@ -85,22 +77,7 @@ static int ssl3_send_client_key_exchange(SSL *s);
static int ssl3_get_key_exchange(SSL *s);
static int ssl3_get_server_certificate(SSL *s);
static int ssl3_check_cert_and_algorithm(SSL *s);
-#else
-static int ssl3_client_hello();
-static int ssl3_get_server_hello();
-static int ssl3_get_certificate_request();
-static int ca_dn_cmp();
-static int ssl3_get_server_done();
-static int ssl3_send_client_verify();
-static int ssl3_send_client_certificate();
-static int ssl3_send_client_key_exchange();
-static int ssl3_get_key_exchange();
-static int ssl3_get_server_certificate();
-static int ssl3_check_cert_and_algorithm();
-#endif
-
-static SSL_METHOD *ssl3_get_client_method(ver)
-int ver;
+static SSL_METHOD *ssl3_get_client_method(int ver)
{
if (ver == SSL3_VERSION)
return(SSLv3_client_method());
@@ -108,7 +85,7 @@ int ver;
return(NULL);
}
-SSL_METHOD *SSLv3_client_method()
+SSL_METHOD *SSLv3_client_method(void)
{
static int init=1;
static SSL_METHOD SSLv3_client_data;
@@ -124,18 +101,16 @@ SSL_METHOD *SSLv3_client_method()
return(&SSLv3_client_data);
}
-int ssl3_connect(s)
-SSL *s;
+int ssl3_connect(SSL *s)
{
BUF_MEM *buf;
unsigned long Time=time(NULL),l;
long num1;
void (*cb)()=NULL;
int ret= -1;
- BIO *under;
int new_state,state,skip=0;;
- RAND_seed((unsigned char *)&Time,sizeof(Time));
+ RAND_seed(&Time,sizeof(Time));
ERR_clear_error();
clear_sys_error();
@@ -156,13 +131,14 @@ SSL *s;
case SSL_ST_RENEGOTIATE:
s->new_session=1;
s->state=SSL_ST_CONNECT;
- s->ctx->sess_connect_renegotiate++;
+ s->ctx->stats.sess_connect_renegotiate++;
/* break */
case SSL_ST_BEFORE:
case SSL_ST_CONNECT:
case SSL_ST_BEFORE|SSL_ST_CONNECT:
case SSL_ST_OK|SSL_ST_CONNECT:
+ s->server=0;
if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1);
if ((s->version & 0xff00 ) != 0x0300)
@@ -195,7 +171,7 @@ SSL *s;
ssl3_init_finished_mac(s);
s->state=SSL3_ST_CW_CLNT_HELLO_A;
- s->ctx->sess_connect++;
+ s->ctx->stats.sess_connect++;
s->init_num=0;
break;
@@ -278,6 +254,7 @@ SSL *s;
case SSL3_ST_CW_CERT_A:
case SSL3_ST_CW_CERT_B:
case SSL3_ST_CW_CERT_C:
+ case SSL3_ST_CW_CERT_D:
ret=ssl3_send_client_certificate(s);
if (ret <= 0) goto end;
s->state=SSL3_ST_CW_KEY_EXCH_A;
@@ -324,6 +301,11 @@ SSL *s;
s->init_num=0;
s->session->cipher=s->s3->tmp.new_cipher;
+ if (s->s3->tmp.new_compression == NULL)
+ s->session->compress_meth=0;
+ else
+ s->session->compress_meth=
+ s->s3->tmp.new_compression->id;
if (!s->method->ssl3_enc->setup_key_block(s))
{
ret= -1;
@@ -399,38 +381,33 @@ SSL *s;
/* clean a few things up */
ssl3_cleanup_key_block(s);
- BUF_MEM_free(s->init_buf);
- s->init_buf=NULL;
-
- if (!(s->s3->flags & SSL3_FLAGS_POP_BUFFER))
+ if (s->init_buf != NULL)
{
- /* remove buffering */
- under=BIO_pop(s->wbio);
- if (under != NULL)
- s->wbio=under;
- else
- abort(); /* ok */
-
- BIO_free(s->bbio);
- s->bbio=NULL;
+ BUF_MEM_free(s->init_buf);
+ s->init_buf=NULL;
}
- /* else do it later */
+
+ /* If we are not 'joining' the last two packets,
+ * remove the buffering now */
+ if (!(s->s3->flags & SSL3_FLAGS_POP_BUFFER))
+ ssl_free_wbio_buffer(s);
+ /* else do it later in ssl3_write */
s->init_num=0;
s->new_session=0;
ssl_update_cache(s,SSL_SESS_CACHE_CLIENT);
- if (s->hit) s->ctx->sess_hit++;
+ if (s->hit) s->ctx->stats.sess_hit++;
ret=1;
/* s->server=0; */
s->handshake_func=ssl3_connect;
- s->ctx->sess_connect_good++;
+ s->ctx->stats.sess_connect_good++;
if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_DONE,1);
goto end;
- break;
+ /* break; */
default:
SSLerr(SSL_F_SSL3_CONNECT,SSL_R_UNKNOWN_STATE);
@@ -466,19 +443,20 @@ end:
}
-static int ssl3_client_hello(s)
-SSL *s;
+static int ssl3_client_hello(SSL *s)
{
unsigned char *buf;
unsigned char *p,*d;
- int i;
+ int i,j;
unsigned long Time,l;
+ SSL_COMP *comp;
buf=(unsigned char *)s->init_buf->data;
if (s->state == SSL3_ST_CW_CLNT_HELLO_A)
{
if ((s->session == NULL) ||
- (s->session->ssl_version != s->version))
+ (s->session->ssl_version != s->version) ||
+ (s->session->not_resumable))
{
if (!ssl_get_new_session(s,0))
goto err;
@@ -488,13 +466,14 @@ SSL *s;
p=s->s3->client_random;
Time=time(NULL); /* Time */
l2n(Time,p);
- RAND_bytes(&(p[4]),SSL3_RANDOM_SIZE-sizeof(Time));
+ RAND_bytes(p,SSL3_RANDOM_SIZE-sizeof(Time));
/* Do the message type and length last */
d=p= &(buf[4]);
*(p++)=s->version>>8;
*(p++)=s->version&0xff;
+ s->client_version=s->version;
/* Random stuff */
memcpy(p,s->s3->client_random,SSL3_RANDOM_SIZE);
@@ -522,9 +501,18 @@ SSL *s;
s2n(i,p);
p+=i;
- /* hardwire in the NULL compression algorithm. */
- *(p++)=1;
- *(p++)=0;
+ /* COMPRESSION */
+ if (s->ctx->comp_methods == NULL)
+ j=0;
+ else
+ j=sk_SSL_COMP_num(s->ctx->comp_methods);
+ *(p++)=1+j;
+ for (i=0; i<j; i++)
+ {
+ comp=sk_SSL_COMP_value(s->ctx->comp_methods,i);
+ *(p++)=comp->id;
+ }
+ *(p++)=0; /* Add the NULL method */
l=(p-d);
d=buf;
@@ -543,15 +531,15 @@ err:
return(-1);
}
-static int ssl3_get_server_hello(s)
-SSL *s;
+static int ssl3_get_server_hello(SSL *s)
{
- STACK *sk;
+ STACK_OF(SSL_CIPHER) *sk;
SSL_CIPHER *c;
unsigned char *p,*d;
int i,al,ok;
unsigned int j;
long n;
+ SSL_COMP *comp;
n=ssl3_get_message(s,
SSL3_ST_CR_SRVR_HELLO_A,
@@ -590,9 +578,18 @@ SSL *s;
goto f_err;
}
}
- if ((j != 0) && (j == s->session->session_id_length) &&
- (memcmp(p,s->session->session_id,j) == 0))
- s->hit=1;
+ if (j != 0 && j == s->session->session_id_length
+ && memcmp(p,s->session->session_id,j) == 0)
+ {
+ if(s->sid_ctx_length != s->session->sid_ctx_length
+ || memcmp(s->session->sid_ctx,s->sid_ctx,s->sid_ctx_length))
+ {
+ al=SSL_AD_ILLEGAL_PARAMETER;
+ SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT);
+ goto f_err;
+ }
+ s->hit=1;
+ }
else /* a miss or crap from the other end */
{
/* If we were trying for session-id reuse, make a new
@@ -621,7 +618,7 @@ SSL *s;
p+=ssl_put_cipher_by_char(s,NULL,NULL);
sk=ssl_get_ciphers_by_id(s);
- i=sk_find(sk,(char *)c);
+ i=sk_SSL_CIPHER_find(sk,c);
if (i < 0)
{
/* we did not say we would use this cipher */
@@ -643,13 +640,23 @@ SSL *s;
s->s3->tmp.new_cipher=c;
/* lets get the compression algorithm */
+ /* COMPRESSION */
j= *(p++);
- if (j != 0)
+ if (j == 0)
+ comp=NULL;
+ else
+ comp=ssl3_comp_find(s->ctx->comp_methods,j);
+
+ if ((j != 0) && (comp == NULL))
{
al=SSL_AD_ILLEGAL_PARAMETER;
SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM);
goto f_err;
}
+ else
+ {
+ s->s3->tmp.new_compression=comp;
+ }
if (p != (d+n))
{
@@ -666,15 +673,14 @@ err:
return(-1);
}
-static int ssl3_get_server_certificate(s)
-SSL *s;
+static int ssl3_get_server_certificate(SSL *s)
{
int al,i,ok,ret= -1;
unsigned long n,nc,llen,l;
X509 *x=NULL;
unsigned char *p,*d,*q;
- STACK *sk=NULL;
- CERT *c;
+ STACK_OF(X509) *sk=NULL;
+ SESS_CERT *sc;
EVP_PKEY *pkey=NULL;
n=ssl3_get_message(s,
@@ -704,7 +710,7 @@ SSL *s;
}
d=p=(unsigned char *)s->init_buf->data;
- if ((sk=sk_new_null()) == NULL)
+ if ((sk=sk_X509_new_null()) == NULL)
{
SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,ERR_R_MALLOC_FAILURE);
goto err;
@@ -741,7 +747,7 @@ SSL *s;
SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_CERT_LENGTH_MISMATCH);
goto f_err;
}
- if (!sk_push(sk,(char *)x))
+ if (!sk_X509_push(sk,x))
{
SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,ERR_R_MALLOC_FAILURE);
goto err;
@@ -752,26 +758,26 @@ SSL *s;
}
i=ssl_verify_cert_chain(s,sk);
- if ((s->verify_mode != SSL_VERIFY_NONE) && (!i))
+ if ((s->verify_mode != SSL_VERIFY_NONE) && (!i))
{
al=ssl_verify_alarm_type(s->verify_result);
SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_CERTIFICATE_VERIFY_FAILED);
goto f_err;
}
- c=ssl_cert_new();
- if (c == NULL) goto err;
+ sc=ssl_sess_cert_new();
+ if (sc == NULL) goto err;
- if (s->session->cert) ssl_cert_free(s->session->cert);
- s->session->cert=c;
+ if (s->session->sess_cert) ssl_sess_cert_free(s->session->sess_cert);
+ s->session->sess_cert=sc;
- c->cert_chain=sk;
- x=(X509 *)sk_value(sk,0);
+ sc->cert_chain=sk;
+ x=sk_X509_value(sk,0);
sk=NULL;
pkey=X509_get_pubkey(x);
- if (EVP_PKEY_missing_parameters(pkey))
+ if ((pkey == NULL) || EVP_PKEY_missing_parameters(pkey))
{
x=NULL;
al=SSL3_AL_FATAL;
@@ -788,14 +794,16 @@ SSL *s;
goto f_err;
}
- c->cert_type=i;
+ sc->peer_cert_type=i;
CRYPTO_add(&x->references,1,CRYPTO_LOCK_X509);
- if (c->pkeys[i].x509 != NULL)
- X509_free(c->pkeys[i].x509);
- c->pkeys[i].x509=x;
- c->key= &(c->pkeys[i]);
-
- if ((s->session != NULL) && (s->session->peer != NULL))
+ if (sc->peer_pkeys[i].x509 != NULL) /* Why would this ever happen?
+ * We just created sc a couple of
+ * lines ago. */
+ X509_free(sc->peer_pkeys[i].x509);
+ sc->peer_pkeys[i].x509=x;
+ sc->peer_key= &(sc->peer_pkeys[i]);
+
+ if (s->session->peer != NULL)
X509_free(s->session->peer);
CRYPTO_add(&x->references,1,CRYPTO_LOCK_X509);
s->session->peer=x;
@@ -809,13 +817,13 @@ f_err:
ssl3_send_alert(s,SSL3_AL_FATAL,al);
}
err:
- if (x != NULL) X509_free(x);
- if (sk != NULL) sk_pop_free(sk,X509_free);
+ EVP_PKEY_free(pkey);
+ X509_free(x);
+ sk_X509_pop_free(sk,X509_free);
return(ret);
}
-static int ssl3_get_key_exchange(s)
-SSL *s;
+static int ssl3_get_key_exchange(SSL *s)
{
#ifndef NO_RSA
unsigned char *q,md_buf[EVP_MAX_MD_SIZE*2];
@@ -825,7 +833,9 @@ SSL *s;
int al,i,j,param_len,ok;
long n,alg;
EVP_PKEY *pkey=NULL;
+#ifndef NO_RSA
RSA *rsa=NULL;
+#endif
#ifndef NO_DH
DH *dh=NULL;
#endif
@@ -847,26 +857,26 @@ SSL *s;
param=p=(unsigned char *)s->init_buf->data;
- if (s->session->cert != NULL)
+ if (s->session->sess_cert != NULL)
{
#ifndef NO_RSA
- if (s->session->cert->rsa_tmp != NULL)
+ if (s->session->sess_cert->peer_rsa_tmp != NULL)
{
- RSA_free(s->session->cert->rsa_tmp);
- s->session->cert->rsa_tmp=NULL;
+ RSA_free(s->session->sess_cert->peer_rsa_tmp);
+ s->session->sess_cert->peer_rsa_tmp=NULL;
}
#endif
#ifndef NO_DH
- if (s->session->cert->dh_tmp)
+ if (s->session->sess_cert->peer_dh_tmp)
{
- DH_free(s->session->cert->dh_tmp);
- s->session->cert->dh_tmp=NULL;
+ DH_free(s->session->sess_cert->peer_dh_tmp);
+ s->session->sess_cert->peer_dh_tmp=NULL;
}
#endif
}
else
{
- s->session->cert=ssl_cert_new();
+ s->session->sess_cert=ssl_sess_cert_new();
}
param_len=0;
@@ -911,16 +921,16 @@ SSL *s;
p+=i;
n-=param_len;
-/* s->session->cert->rsa_tmp=rsa;*/
/* this should be because we are using an export cipher */
if (alg & SSL_aRSA)
- pkey=X509_get_pubkey(s->session->cert->pkeys[SSL_PKEY_RSA_ENC].x509);
+ pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509);
else
{
SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_INTERNAL_ERROR);
goto err;
}
- s->session->cert->rsa_tmp=rsa;
+ s->session->sess_cert->peer_rsa_tmp=rsa;
+ rsa=NULL;
}
else
#endif
@@ -980,16 +990,17 @@ SSL *s;
#ifndef NO_RSA
if (alg & SSL_aRSA)
- pkey=X509_get_pubkey(s->session->cert->pkeys[SSL_PKEY_RSA_ENC].x509);
+ pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509);
else
#endif
#ifndef NO_DSA
if (alg & SSL_aDSS)
- pkey=X509_get_pubkey(s->session->cert->pkeys[SSL_PKEY_DSA_SIGN].x509);
+ pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_DSA_SIGN].x509);
#endif
/* else anonymous DH, so no certificate or pkey. */
- s->session->cert->dh_tmp=dh;
+ s->session->sess_cert->peer_dh_tmp=dh;
+ dh=NULL;
}
else if ((alg & SSL_kDHr) || (alg & SSL_kDHd))
{
@@ -998,6 +1009,13 @@ SSL *s;
goto f_err;
}
#endif
+ if (alg & SSL_aFZA)
+ {
+ al=SSL_AD_HANDSHAKE_FAILURE;
+ SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER);
+ goto f_err;
+ }
+
/* p points to the next byte, there are 'n' bytes left */
@@ -1014,7 +1032,7 @@ SSL *s;
/* wrong packet length */
al=SSL_AD_DECODE_ERROR;
SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_WRONG_SIGNATURE_LENGTH);
- goto err;
+ goto f_err;
}
#ifndef NO_RSA
@@ -1091,23 +1109,31 @@ SSL *s;
goto f_err;
}
}
-
+ EVP_PKEY_free(pkey);
return(1);
f_err:
ssl3_send_alert(s,SSL3_AL_FATAL,al);
err:
+ EVP_PKEY_free(pkey);
+#ifndef NO_RSA
+ if (rsa != NULL)
+ RSA_free(rsa);
+#endif
+#ifndef NO_DH
+ if (dh != NULL)
+ DH_free(dh);
+#endif
return(-1);
}
-static int ssl3_get_certificate_request(s)
-SSL *s;
+static int ssl3_get_certificate_request(SSL *s)
{
int ok,ret=0;
unsigned long n,nc,l;
unsigned int llen,ctype_num,i;
X509_NAME *xn=NULL;
unsigned char *p,*d,*q;
- STACK *ca_sk=NULL;
+ STACK_OF(X509_NAME) *ca_sk=NULL;
n=ssl3_get_message(s,
SSL3_ST_CR_CERT_REQ_A,
@@ -1151,7 +1177,7 @@ SSL *s;
d=p=(unsigned char *)s->init_buf->data;
- if ((ca_sk=sk_new(ca_dn_cmp)) == NULL)
+ if ((ca_sk=sk_X509_NAME_new(ca_dn_cmp)) == NULL)
{
SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,ERR_R_MALLOC_FAILURE);
goto err;
@@ -1167,6 +1193,15 @@ SSL *s;
/* get the CA RDNs */
n2s(p,llen);
+#if 0
+{
+FILE *out;
+out=fopen("/tmp/vsign.der","w");
+fwrite(p,1,llen,out);
+fclose(out);
+}
+#endif
+
if ((llen+ctype_num+2+1) != n)
{
ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR);
@@ -1207,7 +1242,7 @@ SSL *s;
SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_CA_DN_LENGTH_MISMATCH);
goto err;
}
- if (!sk_push(ca_sk,(char *)xn))
+ if (!sk_X509_NAME_push(ca_sk,xn))
{
SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,ERR_R_MALLOC_FAILURE);
goto err;
@@ -1227,24 +1262,22 @@ cont:
s->s3->tmp.cert_req=1;
s->s3->tmp.ctype_num=ctype_num;
if (s->s3->tmp.ca_names != NULL)
- sk_pop_free(s->s3->tmp.ca_names,X509_NAME_free);
+ sk_X509_NAME_pop_free(s->s3->tmp.ca_names,X509_NAME_free);
s->s3->tmp.ca_names=ca_sk;
ca_sk=NULL;
ret=1;
err:
- if (ca_sk != NULL) sk_pop_free(ca_sk,X509_NAME_free);
+ if (ca_sk != NULL) sk_X509_NAME_pop_free(ca_sk,X509_NAME_free);
return(ret);
}
-static int ca_dn_cmp(a,b)
-X509_NAME **a,**b;
+static int ca_dn_cmp(X509_NAME **a, X509_NAME **b)
{
return(X509_NAME_cmp(*a,*b));
}
-static int ssl3_get_server_done(s)
-SSL *s;
+static int ssl3_get_server_done(SSL *s)
{
int ok,ret=0;
long n;
@@ -1267,13 +1300,15 @@ SSL *s;
return(ret);
}
-static int ssl3_send_client_key_exchange(s)
-SSL *s;
+static int ssl3_send_client_key_exchange(SSL *s)
{
- unsigned char *p,*q,*d;
+ unsigned char *p,*d;
int n;
unsigned long l;
+#ifndef NO_RSA
+ unsigned char *q;
EVP_PKEY *pkey=NULL;
+#endif
if (s->state == SSL3_ST_CW_KEY_EXCH_A)
{
@@ -1286,13 +1321,13 @@ SSL *s;
if (l & SSL_kRSA)
{
RSA *rsa;
- unsigned char tmp_buf[48];
+ unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH];
- if (s->session->cert->rsa_tmp != NULL)
- rsa=s->session->cert->rsa_tmp;
+ if (s->session->sess_cert->peer_rsa_tmp != NULL)
+ rsa=s->session->sess_cert->peer_rsa_tmp;
else
{
- pkey=X509_get_pubkey(s->session->cert->pkeys[SSL_PKEY_RSA_ENC].x509);
+ pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509);
if ((pkey == NULL) ||
(pkey->type != EVP_PKEY_RSA) ||
(pkey->pkey.rsa == NULL))
@@ -1301,10 +1336,11 @@ SSL *s;
goto err;
}
rsa=pkey->pkey.rsa;
+ EVP_PKEY_free(pkey);
}
- tmp_buf[0]=s->version>>8;
- tmp_buf[1]=s->version&0xff;
+ tmp_buf[0]=s->client_version>>8;
+ tmp_buf[1]=s->client_version&0xff;
RAND_bytes(&(tmp_buf[2]),SSL_MAX_MASTER_KEY_LENGTH-2);
s->session->master_key_length=SSL_MAX_MASTER_KEY_LENGTH;
@@ -1315,6 +1351,10 @@ SSL *s;
p+=2;
n=RSA_public_encrypt(SSL_MAX_MASTER_KEY_LENGTH,
tmp_buf,p,rsa,RSA_PKCS1_PADDING);
+#ifdef PKCS1_CHECK
+ if (s->options & SSL_OP_PKCS1_CHECK_1) p[1]++;
+ if (s->options & SSL_OP_PKCS1_CHECK_2) tmp_buf[0]=0x70;
+#endif
if (n <= 0)
{
SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_BAD_RSA_ENCRYPT);
@@ -1331,8 +1371,8 @@ SSL *s;
s->session->master_key_length=
s->method->ssl3_enc->generate_master_secret(s,
s->session->master_key,
- tmp_buf,48);
- memset(tmp_buf,0,48);
+ tmp_buf,SSL_MAX_MASTER_KEY_LENGTH);
+ memset(tmp_buf,0,SSL_MAX_MASTER_KEY_LENGTH);
}
else
#endif
@@ -1341,8 +1381,8 @@ SSL *s;
{
DH *dh_srvr,*dh_clnt;
- if (s->session->cert->dh_tmp != NULL)
- dh_srvr=s->session->cert->dh_tmp;
+ if (s->session->sess_cert->peer_dh_tmp != NULL)
+ dh_srvr=s->session->sess_cert->peer_dh_tmp;
else
{
/* we get them from the cert */
@@ -1414,13 +1454,14 @@ err:
return(-1);
}
-static int ssl3_send_client_verify(s)
-SSL *s;
+static int ssl3_send_client_verify(SSL *s)
{
unsigned char *p,*d;
unsigned char data[MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH];
EVP_PKEY *pkey;
+#ifndef NO_RSA
int i=0;
+#endif
unsigned long n;
#ifndef NO_DSA
int j;
@@ -1485,8 +1526,7 @@ err:
return(-1);
}
-static int ssl3_send_client_certificate(s)
-SSL *s;
+static int ssl3_send_client_certificate(SSL *s)
{
X509 *x509=NULL;
EVP_PKEY *pkey=NULL;
@@ -1565,19 +1605,22 @@ SSL *s;
#define has_bits(i,m) (((i)&(m)) == (m))
-static int ssl3_check_cert_and_algorithm(s)
-SSL *s;
+static int ssl3_check_cert_and_algorithm(SSL *s)
{
int i,idx;
long algs;
EVP_PKEY *pkey=NULL;
- CERT *c;
+ SESS_CERT *sc;
+#ifndef NO_RSA
RSA *rsa;
+#endif
+#ifndef NO_DH
DH *dh;
+#endif
- c=s->session->cert;
+ sc=s->session->sess_cert;
- if (c == NULL)
+ if (sc == NULL)
{
SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_INTERNAL_ERROR);
goto err;
@@ -1589,14 +1632,19 @@ SSL *s;
if (algs & (SSL_aDH|SSL_aNULL))
return(1);
- rsa=s->session->cert->rsa_tmp;
- dh=s->session->cert->dh_tmp;
+#ifndef NO_RSA
+ rsa=s->session->sess_cert->peer_rsa_tmp;
+#endif
+#ifndef NO_DH
+ dh=s->session->sess_cert->peer_dh_tmp;
+#endif
/* This is the passed certificate */
- idx=c->cert_type;
- pkey=X509_get_pubkey(c->pkeys[idx].x509);
- i=X509_certificate_type(c->pkeys[idx].x509,pkey);
+ idx=sc->peer_cert_type;
+ pkey=X509_get_pubkey(sc->peer_pkeys[idx].x509);
+ i=X509_certificate_type(sc->peer_pkeys[idx].x509,pkey);
+ EVP_PKEY_free(pkey);
/* Check that we have a certificate if we require one */
@@ -1612,15 +1660,16 @@ SSL *s;
goto f_err;
}
#endif
-
+#ifndef NO_RSA
if ((algs & SSL_kRSA) &&
!(has_bits(i,EVP_PK_RSA|EVP_PKT_ENC) || (rsa != NULL)))
{
SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_RSA_ENCRYPTING_CERT);
goto f_err;
}
+#endif
#ifndef NO_DH
- else if ((algs & SSL_kEDH) &&
+ if ((algs & SSL_kEDH) &&
!(has_bits(i,EVP_PK_DH|EVP_PKT_EXCH) || (dh != NULL)))
{
SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DH_KEY);
@@ -1640,12 +1689,13 @@ SSL *s;
#endif
#endif
- if ((algs & SSL_EXP) && !has_bits(i,EVP_PKT_EXP))
+ if (SSL_IS_EXPORT(algs) && !has_bits(i,EVP_PKT_EXP))
{
#ifndef NO_RSA
if (algs & SSL_kRSA)
{
- if ((rsa == NULL) || (RSA_size(rsa) > 512))
+ if (rsa == NULL
+ || RSA_size(rsa) > SSL_EXPORT_PKEYLENGTH(algs))
{
SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_EXPORT_TMP_RSA_KEY);
goto f_err;
@@ -1655,8 +1705,9 @@ SSL *s;
#endif
#ifndef NO_DH
if (algs & (SSL_kEDH|SSL_kDHr|SSL_kDHd))
- {
- if ((dh == NULL) || (DH_size(dh) > 512))
+ {
+ if (dh == NULL
+ || DH_size(dh) > SSL_EXPORT_PKEYLENGTH(algs))
{
SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_EXPORT_TMP_DH_KEY);
goto f_err;
diff --git a/lib/libssl/src/ssl/s3_enc.c b/lib/libssl/src/ssl/s3_enc.c
index bbd9b637c5c..15d4af6dfba 100644
--- a/lib/libssl/src/ssl/s3_enc.c
+++ b/lib/libssl/src/ssl/s3_enc.c
@@ -57,7 +57,9 @@
*/
#include <stdio.h>
-#include "evp.h"
+#include <openssl/md5.h>
+#include <openssl/sha.h>
+#include <openssl/evp.h>
#include "ssl_locl.h"
static unsigned char ssl3_pad_1[48]={
@@ -83,10 +85,7 @@ static int ssl3_handshake_mac(SSL *s, EVP_MD_CTX *in_ctx,
static int ssl3_handshake_mac();
#endif
-static void ssl3_generate_key_block(s,km,num)
-SSL *s;
-unsigned char *km;
-int num;
+static void ssl3_generate_key_block(SSL *s, unsigned char *km, int num)
{
MD5_CTX m5;
SHA_CTX s1;
@@ -94,6 +93,9 @@ int num;
unsigned char c='A';
int i,j,k;
+#ifdef CHARSET_EBCDIC
+ c = os_toascii[c]; /*'A' in ASCII */
+#endif
k=0;
for (i=0; i<num; i+=MD5_DIGEST_LENGTH)
{
@@ -126,25 +128,26 @@ int num;
memset(smd,0,SHA_DIGEST_LENGTH);
}
-int ssl3_change_cipher_state(s,which)
-SSL *s;
-int which;
+int ssl3_change_cipher_state(SSL *s, int which)
{
unsigned char *p,*key_block,*mac_secret;
unsigned char exp_key[EVP_MAX_KEY_LENGTH];
unsigned char exp_iv[EVP_MAX_KEY_LENGTH];
unsigned char *ms,*key,*iv,*er1,*er2;
EVP_CIPHER_CTX *dd;
- EVP_CIPHER *c;
- SSL_COMPRESSION *comp;
- EVP_MD *m;
+ const EVP_CIPHER *c;
+ COMP_METHOD *comp;
+ const EVP_MD *m;
MD5_CTX md;
- int exp,n,i,j,k;
+ int exp,n,i,j,k,cl;
- exp=(s->s3->tmp.new_cipher->algorithms & SSL_EXPORT)?1:0;
+ exp=SSL_C_IS_EXPORT(s->s3->tmp.new_cipher);
c=s->s3->tmp.new_sym_enc;
m=s->s3->tmp.new_hash;
- comp=s->s3->tmp.new_compression;
+ if (s->s3->tmp.new_compression == NULL)
+ comp=NULL;
+ else
+ comp=s->s3->tmp.new_compression->method;
key_block=s->s3->tmp.key_block;
if (which & SSL3_CC_READ)
@@ -155,7 +158,26 @@ int which;
goto err;
dd= s->enc_read_ctx;
s->read_hash=m;
- s->read_compression=comp;
+ /* COMPRESS */
+ if (s->expand != NULL)
+ {
+ COMP_CTX_free(s->expand);
+ s->expand=NULL;
+ }
+ if (comp != NULL)
+ {
+ s->expand=COMP_CTX_new(comp);
+ if (s->expand == NULL)
+ {
+ SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE,SSL_R_COMPRESSION_LIBRARY_ERROR);
+ goto err2;
+ }
+ if (s->s3->rrec.comp == NULL)
+ s->s3->rrec.comp=(unsigned char *)
+ Malloc(SSL3_RT_MAX_PLAIN_LENGTH);
+ if (s->s3->rrec.comp == NULL)
+ goto err;
+ }
memset(&(s->s3->read_sequence[0]),0,8);
mac_secret= &(s->s3->read_mac_secret[0]);
}
@@ -167,7 +189,21 @@ int which;
goto err;
dd= s->enc_write_ctx;
s->write_hash=m;
- s->write_compression=comp;
+ /* COMPRESS */
+ if (s->compress != NULL)
+ {
+ COMP_CTX_free(s->compress);
+ s->compress=NULL;
+ }
+ if (comp != NULL)
+ {
+ s->compress=COMP_CTX_new(comp);
+ if (s->compress == NULL)
+ {
+ SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE,SSL_R_COMPRESSION_LIBRARY_ERROR);
+ goto err2;
+ }
+ }
memset(&(s->s3->write_sequence[0]),0,8);
mac_secret= &(s->s3->write_mac_secret[0]);
}
@@ -176,7 +212,10 @@ int which;
p=s->s3->tmp.key_block;
i=EVP_MD_size(m);
- j=(exp)?5:EVP_CIPHER_key_length(c);
+ cl=EVP_CIPHER_key_length(c);
+ j=exp ? (cl < SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher) ?
+ cl : SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher)) : cl;
+ /* Was j=(exp)?5:EVP_CIPHER_key_length(c); */
k=EVP_CIPHER_iv_length(c);
if ( (which == SSL3_CHANGE_CIPHER_CLIENT_WRITE) ||
(which == SSL3_CHANGE_CIPHER_SERVER_READ))
@@ -239,18 +278,18 @@ err2:
return(0);
}
-int ssl3_setup_key_block(s)
-SSL *s;
+int ssl3_setup_key_block(SSL *s)
{
unsigned char *p;
- EVP_CIPHER *c;
- EVP_MD *hash;
- int num,exp;
+ const EVP_CIPHER *c;
+ const EVP_MD *hash;
+ int num;
+ SSL_COMP *comp;
if (s->s3->tmp.key_block_length != 0)
return(1);
- if (!ssl_cipher_get_evp(s->session->cipher,&c,&hash))
+ if (!ssl_cipher_get_evp(s->session,&c,&hash,&comp))
{
SSLerr(SSL_F_SSL3_SETUP_KEY_BLOCK,SSL_R_CIPHER_OR_HASH_UNAVAILABLE);
return(0);
@@ -258,8 +297,7 @@ SSL *s;
s->s3->tmp.new_sym_enc=c;
s->s3->tmp.new_hash=hash;
-
- exp=(s->session->cipher->algorithms & SSL_EXPORT)?1:0;
+ s->s3->tmp.new_compression=comp;
num=EVP_CIPHER_key_length(c)+EVP_MD_size(hash)+EVP_CIPHER_iv_length(c);
num*=2;
@@ -280,8 +318,7 @@ err:
return(0);
}
-void ssl3_cleanup_key_block(s)
-SSL *s;
+void ssl3_cleanup_key_block(SSL *s)
{
if (s->s3->tmp.key_block != NULL)
{
@@ -293,44 +330,35 @@ SSL *s;
s->s3->tmp.key_block_length=0;
}
-int ssl3_enc(s,send)
-SSL *s;
-int send;
+int ssl3_enc(SSL *s, int send)
{
SSL3_RECORD *rec;
EVP_CIPHER_CTX *ds;
unsigned long l;
int bs,i;
- EVP_CIPHER *enc;
- SSL_COMPRESSION *comp;
+ const EVP_CIPHER *enc;
if (send)
{
ds=s->enc_write_ctx;
rec= &(s->s3->wrec);
if (s->enc_write_ctx == NULL)
- { enc=NULL; comp=NULL; }
+ enc=NULL;
else
- {
enc=EVP_CIPHER_CTX_cipher(s->enc_write_ctx);
- comp=s->write_compression;
- }
}
else
{
ds=s->enc_read_ctx;
rec= &(s->s3->rrec);
if (s->enc_read_ctx == NULL)
- { enc=NULL; comp=NULL; }
+ enc=NULL;
else
- {
enc=EVP_CIPHER_CTX_cipher(s->enc_read_ctx);
- comp=s->read_compression;
- }
}
if ((s->session == NULL) || (ds == NULL) ||
- ((enc == NULL) && (comp == NULL)))
+ (enc == NULL))
{
memcpy(rec->data,rec->input,rec->length);
rec->input=rec->data;
@@ -340,6 +368,8 @@ int send;
l=rec->length;
bs=EVP_CIPHER_block_size(ds->cipher);
+ /* COMPRESS */
+
/* This should be using (bs-1) and bs instead of 7 and 8 */
if ((bs != 1) && send)
{
@@ -368,36 +398,25 @@ int send;
return(1);
}
-void ssl3_init_finished_mac(s)
-SSL *s;
+void ssl3_init_finished_mac(SSL *s)
{
EVP_DigestInit(&(s->s3->finish_dgst1),s->ctx->md5);
EVP_DigestInit(&(s->s3->finish_dgst2),s->ctx->sha1);
}
-void ssl3_finish_mac(s,buf,len)
-SSL *s;
-unsigned char *buf;
-int len;
+void ssl3_finish_mac(SSL *s, const unsigned char *buf, int len)
{
EVP_DigestUpdate(&(s->s3->finish_dgst1),buf,len);
EVP_DigestUpdate(&(s->s3->finish_dgst2),buf,len);
}
-int ssl3_cert_verify_mac(s,ctx,p)
-SSL *s;
-EVP_MD_CTX *ctx;
-unsigned char *p;
+int ssl3_cert_verify_mac(SSL *s, EVP_MD_CTX *ctx, unsigned char *p)
{
return(ssl3_handshake_mac(s,ctx,NULL,0,p));
}
-int ssl3_final_finish_mac(s,ctx1,ctx2,sender,len,p)
-SSL *s;
-EVP_MD_CTX *ctx1,*ctx2;
-unsigned char *sender;
-int len;
-unsigned char *p;
+int ssl3_final_finish_mac(SSL *s, EVP_MD_CTX *ctx1, EVP_MD_CTX *ctx2,
+ unsigned char *sender, int len, unsigned char *p)
{
int ret;
@@ -407,12 +426,8 @@ unsigned char *p;
return(ret);
}
-static int ssl3_handshake_mac(s,in_ctx,sender,len,p)
-SSL *s;
-EVP_MD_CTX *in_ctx;
-unsigned char *sender;
-int len;
-unsigned char *p;
+static int ssl3_handshake_mac(SSL *s, EVP_MD_CTX *in_ctx,
+ unsigned char *sender, int len, unsigned char *p)
{
unsigned int ret;
int npad,n;
@@ -420,7 +435,7 @@ unsigned char *p;
unsigned char md_buf[EVP_MAX_MD_SIZE];
EVP_MD_CTX ctx;
- memcpy(&ctx,in_ctx,sizeof(EVP_MD_CTX));
+ EVP_MD_CTX_copy(&ctx,in_ctx);
n=EVP_MD_CTX_size(&ctx);
npad=(48/n)*n;
@@ -444,15 +459,12 @@ unsigned char *p;
return((int)ret);
}
-int ssl3_mac(ssl,md,send)
-SSL *ssl;
-unsigned char *md;
-int send;
+int ssl3_mac(SSL *ssl, unsigned char *md, int send)
{
SSL3_RECORD *rec;
unsigned char *mac_sec,*seq;
EVP_MD_CTX md_ctx;
- EVP_MD *hash;
+ const EVP_MD *hash;
unsigned char *p,rec_char;
unsigned int md_size;
int npad,i;
@@ -501,16 +513,19 @@ int send;
return(md_size);
}
-int ssl3_generate_master_secret(s,out,p,len)
-SSL *s;
-unsigned char *out;
-unsigned char *p;
-int len;
+int ssl3_generate_master_secret(SSL *s, unsigned char *out, unsigned char *p,
+ int len)
{
- static unsigned char *salt[3]={
- (unsigned char *)"A",
- (unsigned char *)"BB",
- (unsigned char *)"CCC",
+ static const unsigned char *salt[3]={
+#ifndef CHARSET_EBCDIC
+ (const unsigned char *)"A",
+ (const unsigned char *)"BB",
+ (const unsigned char *)"CCC",
+#else
+ (const unsigned char *)"\x41",
+ (const unsigned char *)"\x42\x42",
+ (const unsigned char *)"\x43\x43\x43",
+#endif
};
unsigned char buf[EVP_MAX_MD_SIZE];
EVP_MD_CTX ctx;
@@ -520,7 +535,7 @@ int len;
for (i=0; i<3; i++)
{
EVP_DigestInit(&ctx,s->ctx->sha1);
- EVP_DigestUpdate(&ctx,salt[i],strlen((char *)salt[i]));
+ EVP_DigestUpdate(&ctx,salt[i],strlen((const char *)salt[i]));
EVP_DigestUpdate(&ctx,p,len);
EVP_DigestUpdate(&ctx,&(s->s3->client_random[0]),
SSL3_RANDOM_SIZE);
@@ -538,8 +553,7 @@ int len;
return(ret);
}
-int ssl3_alert_code(code)
-int code;
+int ssl3_alert_code(int code)
{
switch (code)
{
diff --git a/lib/libssl/src/ssl/s3_lib.c b/lib/libssl/src/ssl/s3_lib.c
index 0fd945025d2..aeff6b5c5bc 100644
--- a/lib/libssl/src/ssl/s3_lib.c
+++ b/lib/libssl/src/ssl/s3_lib.c
@@ -57,20 +57,18 @@
*/
#include <stdio.h>
-#include "objects.h"
+#include <openssl/md5.h>
+#include <openssl/sha.h>
+#include <openssl/objects.h>
#include "ssl_locl.h"
-char *ssl3_version_str="SSLv3 part of SSLeay 0.9.0b 29-Jun-1998";
+const char *ssl3_version_str="SSLv3" OPENSSL_VERSION_PTEXT;
#define SSL3_NUM_CIPHERS (sizeof(ssl3_ciphers)/sizeof(SSL_CIPHER))
-#ifndef NOPROTO
static long ssl3_default_timeout(void );
-#else
-static long ssl3_default_timeout();
-#endif
-SSL_CIPHER ssl3_ciphers[]={
+OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
/* The RSA ciphers */
/* Cipher 01 */
{
@@ -97,7 +95,7 @@ SSL_CIPHER ssl3_ciphers[]={
1,
SSL3_TXT_ADH_RC4_40_MD5,
SSL3_CK_ADH_RC4_40_MD5,
- SSL_kEDH |SSL_aNULL|SSL_RC4 |SSL_MD5 |SSL_EXP|SSL_SSLV3,
+ SSL_kEDH |SSL_aNULL|SSL_RC4 |SSL_MD5 |SSL_EXP40|SSL_SSLV3,
0,
SSL_ALL_CIPHERS,
},
@@ -115,7 +113,7 @@ SSL_CIPHER ssl3_ciphers[]={
1,
SSL3_TXT_ADH_DES_40_CBC_SHA,
SSL3_CK_ADH_DES_40_CBC_SHA,
- SSL_kEDH |SSL_aNULL|SSL_DES|SSL_SHA1|SSL_EXP|SSL_SSLV3,
+ SSL_kEDH |SSL_aNULL|SSL_DES|SSL_SHA1|SSL_EXP40|SSL_SSLV3,
0,
SSL_ALL_CIPHERS,
},
@@ -144,7 +142,7 @@ SSL_CIPHER ssl3_ciphers[]={
1,
SSL3_TXT_RSA_RC4_40_MD5,
SSL3_CK_RSA_RC4_40_MD5,
- SSL_kRSA|SSL_aRSA|SSL_RC4 |SSL_MD5 |SSL_EXP|SSL_SSLV3,
+ SSL_kRSA|SSL_aRSA|SSL_RC4 |SSL_MD5 |SSL_EXP40|SSL_SSLV3,
0,
SSL_ALL_CIPHERS,
},
@@ -171,7 +169,7 @@ SSL_CIPHER ssl3_ciphers[]={
1,
SSL3_TXT_RSA_RC2_40_MD5,
SSL3_CK_RSA_RC2_40_MD5,
- SSL_kRSA|SSL_aRSA|SSL_RC2 |SSL_MD5 |SSL_EXP|SSL_SSLV3,
+ SSL_kRSA|SSL_aRSA|SSL_RC2 |SSL_MD5 |SSL_EXP40|SSL_SSLV3,
0,
SSL_ALL_CIPHERS,
},
@@ -189,7 +187,7 @@ SSL_CIPHER ssl3_ciphers[]={
1,
SSL3_TXT_RSA_DES_40_CBC_SHA,
SSL3_CK_RSA_DES_40_CBC_SHA,
- SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA1|SSL_EXP|SSL_SSLV3,
+ SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA1|SSL_EXP40|SSL_SSLV3,
0,
SSL_ALL_CIPHERS,
},
@@ -218,7 +216,7 @@ SSL_CIPHER ssl3_ciphers[]={
0,
SSL3_TXT_DH_DSS_DES_40_CBC_SHA,
SSL3_CK_DH_DSS_DES_40_CBC_SHA,
- SSL_kDHd |SSL_aDH|SSL_DES|SSL_SHA1|SSL_EXP|SSL_SSLV3,
+ SSL_kDHd |SSL_aDH|SSL_DES|SSL_SHA1|SSL_EXP40|SSL_SSLV3,
0,
SSL_ALL_CIPHERS,
},
@@ -245,7 +243,7 @@ SSL_CIPHER ssl3_ciphers[]={
0,
SSL3_TXT_DH_RSA_DES_40_CBC_SHA,
SSL3_CK_DH_RSA_DES_40_CBC_SHA,
- SSL_kDHr |SSL_aDH|SSL_DES|SSL_SHA1|SSL_EXP|SSL_SSLV3,
+ SSL_kDHr |SSL_aDH|SSL_DES|SSL_SHA1|SSL_EXP40|SSL_SSLV3,
0,
SSL_ALL_CIPHERS,
},
@@ -274,7 +272,7 @@ SSL_CIPHER ssl3_ciphers[]={
1,
SSL3_TXT_EDH_DSS_DES_40_CBC_SHA,
SSL3_CK_EDH_DSS_DES_40_CBC_SHA,
- SSL_kEDH|SSL_aDSS|SSL_DES|SSL_SHA1|SSL_EXP|SSL_SSLV3,
+ SSL_kEDH|SSL_aDSS|SSL_DES|SSL_SHA1|SSL_EXP40|SSL_SSLV3,
0,
SSL_ALL_CIPHERS,
},
@@ -301,7 +299,7 @@ SSL_CIPHER ssl3_ciphers[]={
1,
SSL3_TXT_EDH_RSA_DES_40_CBC_SHA,
SSL3_CK_EDH_RSA_DES_40_CBC_SHA,
- SSL_kEDH|SSL_aRSA|SSL_DES|SSL_SHA1|SSL_EXP|SSL_SSLV3,
+ SSL_kEDH|SSL_aRSA|SSL_DES|SSL_SHA1|SSL_EXP40|SSL_SSLV3,
0,
SSL_ALL_CIPHERS,
},
@@ -355,6 +353,73 @@ SSL_CIPHER ssl3_ciphers[]={
SSL_ALL_CIPHERS,
},
+#if TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES
+ /* New TLS Export CipherSuites */
+ /* Cipher 60 */
+ {
+ 1,
+ TLS1_TXT_RSA_EXPORT1024_WITH_RC4_56_MD5,
+ TLS1_CK_RSA_EXPORT1024_WITH_RC4_56_MD5,
+ SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5|SSL_EXP56|SSL_TLSV1,
+ 0,
+ SSL_ALL_CIPHERS
+ },
+ /* Cipher 61 */
+ {
+ 1,
+ TLS1_TXT_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5,
+ TLS1_CK_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5,
+ SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5|SSL_EXP56|SSL_TLSV1,
+ 0,
+ SSL_ALL_CIPHERS
+ },
+ /* Cipher 62 */
+ {
+ 1,
+ TLS1_TXT_RSA_EXPORT1024_WITH_DES_CBC_SHA,
+ TLS1_CK_RSA_EXPORT1024_WITH_DES_CBC_SHA,
+ SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA|SSL_EXP56|SSL_TLSV1,
+ 0,
+ SSL_ALL_CIPHERS
+ },
+ /* Cipher 63 */
+ {
+ 1,
+ TLS1_TXT_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA,
+ TLS1_CK_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA,
+ SSL_kEDH|SSL_aDSS|SSL_DES|SSL_SHA|SSL_EXP56|SSL_TLSV1,
+ 0,
+ SSL_ALL_CIPHERS
+ },
+ /* Cipher 64 */
+ {
+ 1,
+ TLS1_TXT_RSA_EXPORT1024_WITH_RC4_56_SHA,
+ TLS1_CK_RSA_EXPORT1024_WITH_RC4_56_SHA,
+ SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_SHA|SSL_EXP56|SSL_TLSV1,
+ 0,
+ SSL_ALL_CIPHERS
+ },
+ /* Cipher 65 */
+ {
+ 1,
+ TLS1_TXT_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA,
+ TLS1_CK_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA,
+ SSL_kEDH|SSL_aDSS|SSL_RC4|SSL_SHA|SSL_EXP56|SSL_TLSV1,
+ 0,
+ SSL_ALL_CIPHERS
+ },
+ /* Cipher 66 */
+ {
+ 1,
+ TLS1_TXT_DHE_DSS_WITH_RC4_128_SHA,
+ TLS1_CK_DHE_DSS_WITH_RC4_128_SHA,
+ SSL_kEDH|SSL_aDSS|SSL_RC4|SSL_SHA|SSL_TLSV1,
+ 0,
+ SSL_ALL_CIPHERS
+ },
+#endif
+
/* end of list */
};
@@ -384,6 +449,7 @@ static SSL_METHOD SSLv3_data= {
ssl3_write,
ssl3_shutdown,
ssl3_renegotiate,
+ ssl3_renegotiate_check,
ssl3_ctrl,
ssl3_ctx_ctrl,
ssl3_get_cipher_by_char,
@@ -396,25 +462,24 @@ static SSL_METHOD SSLv3_data= {
&SSLv3_enc_data,
};
-static long ssl3_default_timeout()
+static long ssl3_default_timeout(void)
{
/* 2 hours, the 24 hours mentioned in the SSLv3 spec
* is way too long for http, the cache would over fill */
return(60*60*2);
}
-SSL_METHOD *sslv3_base_method()
+SSL_METHOD *sslv3_base_method(void)
{
return(&SSLv3_data);
}
-int ssl3_num_ciphers()
+int ssl3_num_ciphers(void)
{
return(SSL3_NUM_CIPHERS);
}
-SSL_CIPHER *ssl3_get_cipher(u)
-unsigned int u;
+SSL_CIPHER *ssl3_get_cipher(unsigned int u)
{
if (u < SSL3_NUM_CIPHERS)
return(&(ssl3_ciphers[SSL3_NUM_CIPHERS-1-u]));
@@ -423,14 +488,12 @@ unsigned int u;
}
/* The problem is that it may not be the correct record type */
-int ssl3_pending(s)
-SSL *s;
+int ssl3_pending(SSL *s)
{
return(s->s3->rrec.length);
}
-int ssl3_new(s)
-SSL *s;
+int ssl3_new(SSL *s)
{
SSL3_CTX *s3;
@@ -452,33 +515,42 @@ err:
return(0);
}
-void ssl3_free(s)
-SSL *s;
+void ssl3_free(SSL *s)
{
+ if(s == NULL)
+ return;
+
ssl3_cleanup_key_block(s);
if (s->s3->rbuf.buf != NULL)
Free(s->s3->rbuf.buf);
if (s->s3->wbuf.buf != NULL)
Free(s->s3->wbuf.buf);
+ if (s->s3->rrec.comp != NULL)
+ Free(s->s3->rrec.comp);
#ifndef NO_DH
if (s->s3->tmp.dh != NULL)
DH_free(s->s3->tmp.dh);
#endif
if (s->s3->tmp.ca_names != NULL)
- sk_pop_free(s->s3->tmp.ca_names,X509_NAME_free);
+ sk_X509_NAME_pop_free(s->s3->tmp.ca_names,X509_NAME_free);
memset(s->s3,0,sizeof(SSL3_CTX));
Free(s->s3);
s->s3=NULL;
}
-void ssl3_clear(s)
-SSL *s;
+void ssl3_clear(SSL *s)
{
unsigned char *rp,*wp;
ssl3_cleanup_key_block(s);
if (s->s3->tmp.ca_names != NULL)
- sk_pop_free(s->s3->tmp.ca_names,X509_NAME_free);
+ sk_X509_NAME_pop_free(s->s3->tmp.ca_names,X509_NAME_free);
+
+ if (s->s3->rrec.comp != NULL)
+ {
+ Free(s->s3->rrec.comp);
+ s->s3->rrec.comp=NULL;
+ }
rp=s->s3->rbuf.buf;
wp=s->s3->wbuf.buf;
@@ -486,6 +558,9 @@ SSL *s;
memset(s->s3,0,sizeof(SSL3_CTX));
if (rp != NULL) s->s3->rbuf.buf=rp;
if (wp != NULL) s->s3->wbuf.buf=wp;
+
+ ssl_free_wbio_buffer(s);
+
s->packet_length=0;
s->s3->renegotiate=0;
s->s3->total_renegotiations=0;
@@ -494,14 +569,30 @@ SSL *s;
s->version=SSL3_VERSION;
}
-long ssl3_ctrl(s,cmd,larg,parg)
-SSL *s;
-int cmd;
-long larg;
-char *parg;
+long ssl3_ctrl(SSL *s, int cmd, long larg, char *parg)
{
int ret=0;
+#if !defined(NO_DSA) || !defined(NO_RSA)
+ if (
+#ifndef NO_RSA
+ cmd == SSL_CTRL_SET_TMP_RSA ||
+ cmd == SSL_CTRL_SET_TMP_RSA_CB ||
+#endif
+#ifndef NO_DSA
+ cmd == SSL_CTRL_SET_TMP_DH ||
+ cmd == SSL_CTRL_SET_TMP_DH_CB ||
+#endif
+ 0)
+ {
+ if (!ssl_cert_inst(&s->cert))
+ {
+ SSLerr(SSL_F_SSL3_CTRL, ERR_R_MALLOC_FAILURE);
+ return(0);
+ }
+ }
+#endif
+
switch (cmd)
{
case SSL_CTRL_GET_SESSION_REUSED:
@@ -519,21 +610,75 @@ char *parg;
case SSL_CTRL_GET_TOTAL_RENEGOTIATIONS:
ret=s->s3->total_renegotiations;
break;
+ case SSL_CTRL_GET_FLAGS:
+ ret=(int)(s->s3->flags);
+ break;
+#ifndef NO_RSA
+ case SSL_CTRL_NEED_TMP_RSA:
+ if ((s->cert != NULL) && (s->cert->rsa_tmp == NULL) &&
+ ((s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL) ||
+ (EVP_PKEY_size(s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey) > (512/8))))
+ ret = 1;
+ break;
+ case SSL_CTRL_SET_TMP_RSA:
+ {
+ RSA *rsa = (RSA *)parg;
+ if (rsa == NULL) {
+ SSLerr(SSL_F_SSL3_CTRL, ERR_R_PASSED_NULL_PARAMETER);
+ return(ret);
+ }
+ if ((rsa = RSAPrivateKey_dup(rsa)) == NULL) {
+ SSLerr(SSL_F_SSL3_CTRL, ERR_R_RSA_LIB);
+ return(ret);
+ }
+ if (s->cert->rsa_tmp != NULL)
+ RSA_free(s->cert->rsa_tmp);
+ s->cert->rsa_tmp = rsa;
+ ret = 1;
+ }
+ break;
+ case SSL_CTRL_SET_TMP_RSA_CB:
+ s->cert->rsa_tmp_cb = (RSA *(*)(SSL *, int, int))parg;
+ break;
+#endif
+#ifndef NO_DH
+ case SSL_CTRL_SET_TMP_DH:
+ {
+ DH *dh = (DH *)parg;
+ if (dh == NULL) {
+ SSLerr(SSL_F_SSL3_CTRL, ERR_R_PASSED_NULL_PARAMETER);
+ return(ret);
+ }
+ if ((dh = DHparams_dup(dh)) == NULL) {
+ SSLerr(SSL_F_SSL3_CTRL, ERR_R_DH_LIB);
+ return(ret);
+ }
+ if (!DH_generate_key(dh)) {
+ DH_free(dh);
+ SSLerr(SSL_F_SSL3_CTRL, ERR_R_DH_LIB);
+ return(ret);
+ }
+ if (s->cert->dh_tmp != NULL)
+ DH_free(s->cert->dh_tmp);
+ s->cert->dh_tmp = dh;
+ ret = 1;
+ }
+ break;
+ case SSL_CTRL_SET_TMP_DH_CB:
+ s->cert->dh_tmp_cb = (DH *(*)(SSL *, int, int))parg;
+ break;
+#endif
default:
break;
}
return(ret);
}
-long ssl3_ctx_ctrl(ctx,cmd,larg,parg)
-SSL_CTX *ctx;
-int cmd;
-long larg;
-char *parg;
+long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, char *parg)
{
CERT *cert;
- cert=ctx->default_cert;
+ cert=ctx->cert;
switch (cmd)
{
@@ -546,7 +691,7 @@ char *parg;
return(1);
else
return(0);
- break;
+ /* break; */
case SSL_CTRL_SET_TMP_RSA:
{
RSA *rsa;
@@ -574,15 +719,16 @@ char *parg;
return(1);
}
}
- break;
+ /* break; */
case SSL_CTRL_SET_TMP_RSA_CB:
- cert->rsa_tmp_cb=(RSA *(*)())parg;
+ cert->rsa_tmp_cb=(RSA *(*)(SSL *, int, int))parg;
break;
#endif
#ifndef NO_DH
case SSL_CTRL_SET_TMP_DH:
{
DH *new=NULL,*dh;
+ int rret=0;
dh=(DH *)parg;
if ( ((new=DHparams_dup(dh)) == NULL) ||
@@ -590,21 +736,31 @@ char *parg;
{
SSLerr(SSL_F_SSL3_CTX_CTRL,ERR_R_DH_LIB);
if (new != NULL) DH_free(new);
- return(0);
}
else
{
if (cert->dh_tmp != NULL)
DH_free(cert->dh_tmp);
cert->dh_tmp=new;
- return(1);
+ rret=1;
}
+ return(rret);
}
- break;
+ /*break; */
case SSL_CTRL_SET_TMP_DH_CB:
- cert->dh_tmp_cb=(DH *(*)())parg;
+ cert->dh_tmp_cb=(DH *(*)(SSL *, int, int))parg;
break;
#endif
+ /* A Thawte special :-) */
+ case SSL_CTRL_EXTRA_CHAIN_CERT:
+ if (ctx->extra_certs == NULL)
+ {
+ if ((ctx->extra_certs=sk_X509_new_null()) == NULL)
+ return(0);
+ }
+ sk_X509_push(ctx->extra_certs,(X509 *)parg);
+ break;
+
default:
return(0);
}
@@ -613,8 +769,7 @@ char *parg;
/* This function needs to check if the ciphers required are actually
* available */
-SSL_CIPHER *ssl3_get_cipher_by_char(p)
-unsigned char *p;
+SSL_CIPHER *ssl3_get_cipher_by_char(const unsigned char *p)
{
static int init=1;
static SSL_CIPHER *sorted[SSL3_NUM_CIPHERS];
@@ -624,7 +779,7 @@ unsigned char *p;
if (init)
{
- init=0;
+ CRYPTO_w_lock(CRYPTO_LOCK_SSL);
for (i=0; i<SSL3_NUM_CIPHERS; i++)
sorted[i]= &(ssl3_ciphers[i]);
@@ -632,6 +787,10 @@ unsigned char *p;
qsort( (char *)sorted,
SSL3_NUM_CIPHERS,sizeof(SSL_CIPHER *),
FP_ICC ssl_cipher_ptr_id_cmp);
+
+ CRYPTO_w_unlock(CRYPTO_LOCK_SSL);
+
+ init=0;
}
id=0x03000000L|((unsigned long)p[0]<<8L)|(unsigned long)p[1];
@@ -646,9 +805,7 @@ unsigned char *p;
return(*cpp);
}
-int ssl3_put_cipher_by_char(c,p)
-SSL_CIPHER *c;
-unsigned char *p;
+int ssl3_put_cipher_by_char(const SSL_CIPHER *c, unsigned char *p)
{
long l;
@@ -662,9 +819,7 @@ unsigned char *p;
return(2);
}
-int ssl3_part_read(s,i)
-SSL *s;
-int i;
+int ssl3_part_read(SSL *s, int i)
{
s->rwstate=SSL_READING;
@@ -679,61 +834,67 @@ int i;
}
}
-SSL_CIPHER *ssl3_choose_cipher(s,have,pref)
-SSL *s;
-STACK *have,*pref;
+SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *have,
+ STACK_OF(SSL_CIPHER) *pref)
{
SSL_CIPHER *c,*ret=NULL;
int i,j,ok;
CERT *cert;
unsigned long alg,mask,emask;
- /* Lets see which ciphers we can supported */
- if (s->cert != NULL)
- cert=s->cert;
- else
- cert=s->ctx->default_cert;
+ /* Let's see which ciphers we can support */
+ cert=s->cert;
- ssl_set_cert_masks(cert);
- mask=cert->mask;
- emask=cert->export_mask;
-
- sk_set_cmp_func(pref,ssl_cipher_ptr_id_cmp);
+ sk_SSL_CIPHER_set_cmp_func(pref,ssl_cipher_ptr_id_cmp);
- for (i=0; i<sk_num(have); i++)
+#ifdef CIPHER_DEBUG
+ printf("Have:\n");
+ for(i=0 ; i < sk_num(pref) ; ++i)
+ {
+ c=(SSL_CIPHER *)sk_value(pref,i);
+ printf("%p:%s\n",c,c->name);
+ }
+#endif
+
+ for (i=0; i<sk_SSL_CIPHER_num(have); i++)
{
- c=(SSL_CIPHER *)sk_value(have,i);
+ c=sk_SSL_CIPHER_value(have,i);
+
+ ssl_set_cert_masks(cert,c);
+ mask=cert->mask;
+ emask=cert->export_mask;
+
alg=c->algorithms&(SSL_MKEY_MASK|SSL_AUTH_MASK);
- if (alg & SSL_EXPORT)
+ if (SSL_IS_EXPORT(c->algorithms))
{
ok=((alg & emask) == alg)?1:0;
#ifdef CIPHER_DEBUG
- printf("%d:[%08lX:%08lX]%s\n",ok,alg,mask,c->name);
+ printf("%d:[%08lX:%08lX]%p:%s (export)\n",ok,alg,emask,
+ c,c->name);
#endif
}
else
{
ok=((alg & mask) == alg)?1:0;
#ifdef CIPHER_DEBUG
- printf("%d:[%08lX:%08lX]%s\n",ok,alg,mask,c->name);
+ printf("%d:[%08lX:%08lX]%p:%s\n",ok,alg,mask,c,
+ c->name);
#endif
}
if (!ok) continue;
- j=sk_find(pref,(char *)c);
+ j=sk_SSL_CIPHER_find(pref,c);
if (j >= 0)
{
- ret=(SSL_CIPHER *)sk_value(pref,j);
+ ret=sk_SSL_CIPHER_value(pref,j);
break;
}
}
return(ret);
}
-int ssl3_get_req_cert_type(s,p)
-SSL *s;
-unsigned char *p;
+int ssl3_get_req_cert_type(SSL *s, unsigned char *p)
{
int ret=0;
unsigned long alg;
@@ -743,33 +904,34 @@ unsigned char *p;
#ifndef NO_DH
if (alg & (SSL_kDHr|SSL_kEDH))
{
-#ifndef NO_RSA
+# ifndef NO_RSA
p[ret++]=SSL3_CT_RSA_FIXED_DH;
-#endif
-#ifndef NO_DSA
+# endif
+# ifndef NO_DSA
p[ret++]=SSL3_CT_DSS_FIXED_DH;
-#endif
+# endif
}
if ((s->version == SSL3_VERSION) &&
(alg & (SSL_kEDH|SSL_kDHd|SSL_kDHr)))
{
-#ifndef NO_RSA
+# ifndef NO_RSA
p[ret++]=SSL3_CT_RSA_EPHEMERAL_DH;
-#endif
-#ifndef NO_DSA
+# endif
+# ifndef NO_DSA
p[ret++]=SSL3_CT_DSS_EPHEMERAL_DH;
-#endif
+# endif
}
#endif /* !NO_DH */
#ifndef NO_RSA
p[ret++]=SSL3_CT_RSA_SIGN;
#endif
+#ifndef NO_DSA
p[ret++]=SSL3_CT_DSS_SIGN;
+#endif
return(ret);
}
-int ssl3_shutdown(s)
-SSL *s;
+int ssl3_shutdown(SSL *s)
{
/* Don't do anything much if we have not done the handshake or
@@ -809,13 +971,9 @@ SSL *s;
return(0);
}
-int ssl3_write(s,buf,len)
-SSL *s;
-char *buf;
-int len;
+int ssl3_write(SSL *s, const void *buf, int len)
{
int ret,n;
- BIO *under;
#if 0
if (s->shutdown & SSL_SEND_SHUTDOWN)
@@ -838,7 +996,7 @@ int len;
if (s->s3->delay_buf_pop_ret == 0)
{
ret=ssl3_write_bytes(s,SSL3_RT_APPLICATION_DATA,
- (char *)buf,len);
+ buf,len);
if (ret <= 0) return(ret);
s->s3->delay_buf_pop_ret=ret;
@@ -849,30 +1007,24 @@ int len;
if (n <= 0) return(n);
s->rwstate=SSL_NOTHING;
- /* We have flushed the buffer */
- under=BIO_pop(s->wbio);
- s->wbio=under;
- BIO_free(s->bbio);
- s->bbio=NULL;
+ /* We have flushed the buffer, so remove it */
+ ssl_free_wbio_buffer(s);
+ s->s3->flags&= ~SSL3_FLAGS_POP_BUFFER;
+
ret=s->s3->delay_buf_pop_ret;
s->s3->delay_buf_pop_ret=0;
-
- s->s3->flags&= ~SSL3_FLAGS_POP_BUFFER;
}
else
{
ret=ssl3_write_bytes(s,SSL3_RT_APPLICATION_DATA,
- (char *)buf,len);
+ buf,len);
if (ret <= 0) return(ret);
}
return(ret);
}
-int ssl3_read(s,buf,len)
-SSL *s;
-char *buf;
-int len;
+int ssl3_read(SSL *s, void *buf, int len)
{
int ret;
@@ -894,10 +1046,7 @@ int len;
return(ret);
}
-int ssl3_peek(s,buf,len)
-SSL *s;
-char *buf;
-int len;
+int ssl3_peek(SSL *s, char *buf, int len)
{
SSL3_RECORD *rr;
int n;
@@ -919,8 +1068,7 @@ int len;
return(n);
}
-int ssl3_renegotiate(s)
-SSL *s;
+int ssl3_renegotiate(SSL *s)
{
if (s->handshake_func == NULL)
return(1);
@@ -932,8 +1080,7 @@ SSL *s;
return(1);
}
-int ssl3_renegotiate_check(s)
-SSL *s;
+int ssl3_renegotiate_check(SSL *s)
{
int ret=0;
@@ -958,4 +1105,3 @@ need to go to SSL_ST_ACCEPT.
return(ret);
}
-
diff --git a/lib/libssl/src/ssl/s3_meth.c b/lib/libssl/src/ssl/s3_meth.c
index 3d66b4643aa..81bcad89c52 100644
--- a/lib/libssl/src/ssl/s3_meth.c
+++ b/lib/libssl/src/ssl/s3_meth.c
@@ -57,11 +57,11 @@
*/
#include <stdio.h>
-#include "objects.h"
+#include <openssl/objects.h>
#include "ssl_locl.h"
-static SSL_METHOD *ssl3_get_method(ver)
-int ver;
+static SSL_METHOD *ssl3_get_method(int ver);
+static SSL_METHOD *ssl3_get_method(int ver)
{
if (ver == SSL3_VERSION)
return(SSLv3_method());
@@ -69,19 +69,19 @@ int ver;
return(NULL);
}
-SSL_METHOD *SSLv3_method()
+SSL_METHOD *SSLv3_method(void)
{
static int init=1;
static SSL_METHOD SSLv3_data;
if (init)
{
- init=0;
memcpy((char *)&SSLv3_data,(char *)sslv3_base_method(),
sizeof(SSL_METHOD));
SSLv3_data.ssl_connect=ssl3_connect;
SSLv3_data.ssl_accept=ssl3_accept;
SSLv3_data.get_ssl_method=ssl3_get_method;
+ init=0;
}
return(&SSLv3_data);
}
diff --git a/lib/libssl/src/ssl/s3_pkt.c b/lib/libssl/src/ssl/s3_pkt.c
index 23850803479..7893d03123d 100644
--- a/lib/libssl/src/ssl/s3_pkt.c
+++ b/lib/libssl/src/ssl/s3_pkt.c
@@ -59,49 +59,19 @@
#include <stdio.h>
#include <errno.h>
#define USE_SOCKETS
-#include "evp.h"
-#include "buffer.h"
+#include <openssl/evp.h>
+#include <openssl/buffer.h>
#include "ssl_locl.h"
-/* SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_SSLV3_ALERT_PEER_ERROR_NO_CIPHER);
- * SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_SSLV3_ALERT_PEER_ERROR_NO_CERTIFICATE);
- * SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_SSLV3_ALERT_PEER_ERROR_CERTIFICATE);
- * SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_SSLV3_ALERT_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE);
- * SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_SSLV3_ALERT_UNKNOWN_REMOTE_ERROR_TYPE);
- * SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_SSLV3_ALERT_UNEXPECTED_MESSAGE);
- * SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_SSLV3_ALERT_BAD_RECORD_MAC);
- * SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_SSLV3_ALERT_DECOMPRESSION_FAILURE);
- * SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_SSLV3_ALERT_HANDSHAKE_FAILURE);
- * SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_SSLV3_ALERT_NO_CERTIFICATE);
- * SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_SSLV3_ALERT_BAD_CERTIFICATE);
- * SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_SSLV3_ALERT_UNSUPPORTED_CERTIFICATE);
- * SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_SSLV3_ALERT_CERTIFICATE_REVOKED);
- * SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_SSLV3_ALERT_CERTIFICATE_EXPIRED);
- * SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_SSLV3_ALERT_CERTIFICATE_UNKNOWN);
- * SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_SSLV3_ALERT_ILLEGAL_PARAMETER);
- */
-
-#ifndef NOPROTO
-static int do_ssl3_write(SSL *s, int type, char *buf, unsigned int len);
-static int ssl3_write_pending(SSL *s, int type, char *buf, unsigned int len);
+static int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
+ unsigned int len);
+static int ssl3_write_pending(SSL *s, int type, const unsigned char *buf,
+ unsigned int len);
static int ssl3_get_record(SSL *s);
static int do_compress(SSL *ssl);
static int do_uncompress(SSL *ssl);
static int do_change_cipher_spec(SSL *ssl);
-#else
-static int do_ssl3_write();
-static int ssl3_write_pending();
-static int ssl3_get_record();
-static int do_compress();
-static int do_uncompress();
-static int do_change_cipher_spec();
-#endif
-
-static int ssl3_read_n(s,n,max,extend)
-SSL *s;
-int n;
-int max;
-int extend;
+static int ssl3_read_n(SSL *s, int n, int max, int extend)
{
int i,off,newb;
@@ -210,10 +180,8 @@ int extend;
* ssl->s3->rrec.data, - data
* ssl->s3->rrec.length, - number of bytes
*/
-static int ssl3_get_record(s)
-SSL *s;
+static int ssl3_get_record(SSL *s)
{
- char tmp_buf[512];
int ssl_major,ssl_minor,al;
int n,i,ret= -1;
SSL3_BUFFER *rb;
@@ -331,7 +299,6 @@ again:
/* decrypt in place in 'rr->input' */
rr->data=rr->input;
- memcpy(tmp_buf,rr->input,(rr->length > 512)?512:rr->length);
if (!s->method->ssl3_enc->enc(s,0))
{
@@ -340,7 +307,7 @@ again:
}
#ifdef TLS_DEBUG
printf("dec %d\n",rr->length);
-{ int z; for (z=0; z<rr->length; z++) printf("%02X%c",rr->data[z],((z+1)%16)?' ':'\n'); }
+{ unsigned int z; for (z=0; z<rr->length; z++) printf("%02X%c",rr->data[z],((z+1)%16)?' ':'\n'); }
printf("\n");
#endif
/* r->length is now the compressed data plus mac */
@@ -378,7 +345,7 @@ printf("\n");
}
/* r->length is now just compressed */
- if ((sess != NULL) && (sess->read_compression != NULL))
+ if (s->expand != NULL)
{
if (rr->length >
(unsigned int)SSL3_RT_MAX_COMPRESSED_LENGTH+extra)
@@ -424,27 +391,47 @@ err:
return(ret);
}
-static int do_uncompress(ssl)
-SSL *ssl;
+static int do_uncompress(SSL *ssl)
{
+ int i;
+ SSL3_RECORD *rr;
+
+ rr= &(ssl->s3->rrec);
+ i=COMP_expand_block(ssl->expand,rr->comp,
+ SSL3_RT_MAX_PLAIN_LENGTH,rr->data,(int)rr->length);
+ if (i < 0)
+ return(0);
+ else
+ rr->length=i;
+ rr->data=rr->comp;
+
return(1);
}
-static int do_compress(ssl)
-SSL *ssl;
+static int do_compress(SSL *ssl)
{
+ int i;
+ SSL3_RECORD *wr;
+
+ wr= &(ssl->s3->wrec);
+ i=COMP_compress_block(ssl->compress,wr->data,
+ SSL3_RT_MAX_COMPRESSED_LENGTH,
+ wr->input,(int)wr->length);
+ if (i < 0)
+ return(0);
+ else
+ wr->length=i;
+
+ wr->input=wr->data;
return(1);
}
/* Call this to write data
* It will return <= 0 if not all data has been sent or non-blocking IO.
*/
-int ssl3_write_bytes(s,type,buf,len)
-SSL *s;
-int type;
-char *buf;
-int len;
+int ssl3_write_bytes(SSL *s, int type, const void *_buf, int len)
{
+ const unsigned char *buf=_buf;
unsigned int tot,n,nw;
int i;
@@ -479,20 +466,22 @@ int len;
}
if (type == SSL3_RT_HANDSHAKE)
- ssl3_finish_mac(s,(unsigned char *)&(buf[tot]),i);
+ ssl3_finish_mac(s,&(buf[tot]),i);
- if (i == (int)n) return(tot+i);
+ if ((i == (int)n) ||
+ (type == SSL3_RT_APPLICATION_DATA &&
+ (s->mode & SSL_MODE_ENABLE_PARTIAL_WRITE)))
+ {
+ return(tot+i);
+ }
n-=i;
tot+=i;
}
}
-static int do_ssl3_write(s,type,buf,len)
-SSL *s;
-int type;
-char *buf;
-unsigned int len;
+static int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
+ unsigned int len)
{
unsigned char *p,*plen;
int i,mac_size,clear=0;
@@ -552,7 +541,7 @@ unsigned int len;
* wr->data */
/* first we compress */
- if ((sess != NULL) && (sess->write_compression != NULL))
+ if (s->compress != NULL)
{
if (!do_compress(s))
{
@@ -606,16 +595,15 @@ err:
}
/* if s->s3->wbuf.left != 0, we need to call this */
-static int ssl3_write_pending(s,type,buf,len)
-SSL *s;
-int type;
-char *buf;
-unsigned int len;
+static int ssl3_write_pending(SSL *s, int type, const unsigned char *buf,
+ unsigned int len)
{
int i;
/* XXXX */
- if ((s->s3->wpend_tot > (int)len) || (s->s3->wpend_buf != buf)
+ if ((s->s3->wpend_tot > (int)len)
+ || ((s->s3->wpend_buf != buf) &&
+ !(s->mode & SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER))
|| (s->s3->wpend_type != type))
{
SSLerr(SSL_F_SSL3_WRITE_PENDING,SSL_R_BAD_WRITE_RETRY);
@@ -650,18 +638,14 @@ unsigned int len;
}
}
-int ssl3_read_bytes(s,type,buf,len)
-SSL *s;
-int type;
-char *buf;
-int len;
+int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len)
{
int al,i,j,n,ret;
SSL3_RECORD *rr;
void (*cb)()=NULL;
BIO *bio;
- if (s->s3->rbuf.buf == NULL) /* Not initalised yet */
+ if (s->s3->rbuf.buf == NULL) /* Not initialize yet */
if (!ssl3_setup_buffers(s))
return(-1);
@@ -786,7 +770,8 @@ start:
s->rwstate=SSL_NOTHING;
s->s3->fatal_alert=n;
- SSLerr(SSL_F_SSL3_READ_BYTES,1000+n);
+ SSLerr(SSL_F_SSL3_READ_BYTES,
+ SSL_AD_REASON_OFFSET+n);
sprintf(tmp,"%d",n);
ERR_add_error_data(2,"SSL alert number ",tmp);
s->shutdown|=SSL_RECEIVED_SHUTDOWN;
@@ -836,7 +821,9 @@ start:
if (((s->state&SSL_ST_MASK) == SSL_ST_OK) &&
!(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS))
{
- s->state=SSL_ST_BEFORE;
+ s->state=SSL_ST_BEFORE|(s->server)
+ ?SSL_ST_ACCEPT
+ :SSL_ST_CONNECT;
s->new_session=1;
}
n=s->handshake_func(s);
@@ -937,7 +924,7 @@ start:
}
if (type == SSL3_RT_HANDSHAKE)
- ssl3_finish_mac(s,(unsigned char *)buf,n);
+ ssl3_finish_mac(s,buf,n);
return(n);
f_err:
ssl3_send_alert(s,SSL3_AL_FATAL,al);
@@ -945,8 +932,7 @@ err:
return(-1);
}
-static int do_change_cipher_spec(s)
-SSL *s;
+static int do_change_cipher_spec(SSL *s)
{
int i;
unsigned char *sender;
@@ -988,14 +974,12 @@ SSL *s;
return(1);
}
-int ssl3_do_write(s,type)
-SSL *s;
-int type;
+int ssl3_do_write(SSL *s, int type)
{
int ret;
- ret=ssl3_write_bytes(s,type,(char *)
- &(s->init_buf->data[s->init_off]),s->init_num);
+ ret=ssl3_write_bytes(s,type,&s->init_buf->data[s->init_off],
+ s->init_num);
if (ret == s->init_num)
return(1);
if (ret < 0) return(-1);
@@ -1004,10 +988,7 @@ int type;
return(0);
}
-void ssl3_send_alert(s,level,desc)
-SSL *s;
-int level;
-int desc;
+void ssl3_send_alert(SSL *s, int level, int desc)
{
/* Map tls/ssl alert value to correct one */
desc=s->method->ssl3_enc->alert_value(desc);
@@ -1025,14 +1006,13 @@ int desc;
* some time in the future */
}
-int ssl3_dispatch_alert(s)
-SSL *s;
+int ssl3_dispatch_alert(SSL *s)
{
int i,j;
void (*cb)()=NULL;
s->s3->alert_dispatch=0;
- i=do_ssl3_write(s,SSL3_RT_ALERT,&(s->s3->send_alert[0]),2);
+ i=do_ssl3_write(s,SSL3_RT_ALERT,&s->s3->send_alert[0],2);
if (i <= 0)
{
s->s3->alert_dispatch=1;
@@ -1043,7 +1023,7 @@ SSL *s;
* does not get sent due to non-blocking IO, we will
* not worry too much. */
if (s->s3->send_alert[0] == SSL3_AL_FATAL)
- BIO_flush(s->wbio);
+ (void)BIO_flush(s->wbio);
if (s->info_callback != NULL)
cb=s->info_callback;
diff --git a/lib/libssl/src/ssl/s3_srvr.c b/lib/libssl/src/ssl/s3_srvr.c
index 64903af1519..e003d883574 100644
--- a/lib/libssl/src/ssl/s3_srvr.c
+++ b/lib/libssl/src/ssl/s3_srvr.c
@@ -59,22 +59,16 @@
#define REUSE_CIPHER_BUG
#include <stdio.h>
-#include "buffer.h"
-#include "rand.h"
-#include "objects.h"
-#include "evp.h"
-#include "x509.h"
+#include <openssl/buffer.h>
+#include <openssl/rand.h>
+#include <openssl/objects.h>
+#include <openssl/md5.h>
+#include <openssl/sha.h>
+#include <openssl/evp.h>
+#include <openssl/x509.h>
#include "ssl_locl.h"
-#define BREAK break
-/* SSLerr(SSL_F_SSL3_ACCEPT,ERR_R_MALLOC_FAILURE);
- * SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,ERR_R_MALLOC_FAILURE);
- * SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE);
- * SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,ERR_R_MALLOC_FAILURE);
- * SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,ERR_R_MALLOC_FAILURE);
- */
-
-#ifndef NOPROTO
+static SSL_METHOD *ssl3_get_server_method(int ver);
static int ssl3_get_client_hello(SSL *s);
static int ssl3_send_server_hello(SSL *s);
static int ssl3_send_server_key_exchange(SSL *s);
@@ -85,22 +79,7 @@ static int ssl3_get_client_key_exchange(SSL *s);
static int ssl3_get_client_certificate(SSL *s);
static int ssl3_send_hello_request(SSL *s);
-#else
-
-static int ssl3_get_client_hello();
-static int ssl3_send_server_hello();
-static int ssl3_send_server_key_exchange();
-static int ssl3_send_certificate_request();
-static int ssl3_send_server_done();
-static int ssl3_get_cert_verify();
-static int ssl3_get_client_key_exchange();
-static int ssl3_get_client_certificate();
-static int ssl3_send_hello_request();
-
-#endif
-
-static SSL_METHOD *ssl3_get_server_method(ver)
-int ver;
+static SSL_METHOD *ssl3_get_server_method(int ver)
{
if (ver == SSL3_VERSION)
return(SSLv3_server_method());
@@ -108,35 +87,32 @@ int ver;
return(NULL);
}
-SSL_METHOD *SSLv3_server_method()
+SSL_METHOD *SSLv3_server_method(void)
{
static int init=1;
static SSL_METHOD SSLv3_server_data;
if (init)
{
- init=0;
memcpy((char *)&SSLv3_server_data,(char *)sslv3_base_method(),
sizeof(SSL_METHOD));
SSLv3_server_data.ssl_accept=ssl3_accept;
SSLv3_server_data.get_ssl_method=ssl3_get_server_method;
+ init=0;
}
return(&SSLv3_server_data);
}
-int ssl3_accept(s)
-SSL *s;
+int ssl3_accept(SSL *s)
{
BUF_MEM *buf;
unsigned long l,Time=time(NULL);
void (*cb)()=NULL;
long num1;
int ret= -1;
- CERT *ct;
- BIO *under;
int new_state,state,skip=0;
- RAND_seed((unsigned char *)&Time,sizeof(Time));
+ RAND_seed(&Time,sizeof(Time));
ERR_clear_error();
clear_sys_error();
@@ -149,17 +125,11 @@ SSL *s;
if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s);
s->in_handshake++;
-#ifdef undef
- /* FIX THIS EAY EAY EAY */
- /* we don't actually need a cert, we just need a cert or a DH_tmp */
- if (((s->session == NULL) || (s->session->cert == NULL)) &&
- (s->cert == NULL))
+ if (s->cert == NULL)
{
SSLerr(SSL_F_SSL3_ACCEPT,SSL_R_NO_CERTIFICATE_SET);
- ret= -1;
- goto end;
+ return(-1);
}
-#endif
for (;;)
{
@@ -176,6 +146,7 @@ SSL *s;
case SSL_ST_BEFORE|SSL_ST_ACCEPT:
case SSL_ST_OK|SSL_ST_ACCEPT:
+ s->server=1;
if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1);
if ((s->version>>8) != 3)
@@ -215,11 +186,11 @@ SSL *s;
{
s->state=SSL3_ST_SR_CLNT_HELLO_A;
ssl3_init_finished_mac(s);
- s->ctx->sess_accept++;
+ s->ctx->stats.sess_accept++;
}
else
{
- s->ctx->sess_accept_renegotiate++;
+ s->ctx->stats.sess_accept_renegotiate++;
s->state=SSL3_ST_SW_HELLO_REQ_A;
}
break;
@@ -238,15 +209,6 @@ SSL *s;
break;
case SSL3_ST_SW_HELLO_REQ_C:
- /* remove buffering on output */
- under=BIO_pop(s->wbio);
- if (under != NULL)
- s->wbio=under;
- else
- abort(); /* ok */
- BIO_free(s->bbio);
- s->bbio=NULL;
-
s->state=SSL_ST_OK;
ret=1;
goto end;
@@ -292,20 +254,6 @@ SSL *s;
case SSL3_ST_SW_KEY_EXCH_A:
case SSL3_ST_SW_KEY_EXCH_B:
l=s->s3->tmp.new_cipher->algorithms;
- if (s->session->cert == NULL)
- {
- if (s->cert != NULL)
- {
- CRYPTO_add(&s->cert->references,1,CRYPTO_LOCK_SSL_CERT);
- s->session->cert=s->cert;
- }
- else
- {
- CRYPTO_add(&s->ctx->default_cert->references,1,CRYPTO_LOCK_SSL_CERT);
- s->session->cert=s->ctx->default_cert;
- }
- }
- ct=s->session->cert;
/* clear this, it may get reset by
* send_server_key_exchange */
@@ -316,16 +264,16 @@ SSL *s;
/* only send if a DH key exchange, fortezza or
* RSA but we have a sign only certificate */
- if ( s->s3->tmp.use_rsa_tmp ||
- (l & (SSL_DH|SSL_kFZA)) ||
- ((l & SSL_kRSA) &&
- ((ct->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL)||
- ((l & SSL_EXPORT) &&
- (EVP_PKEY_size(ct->pkeys[SSL_PKEY_RSA_ENC].privatekey)*8 > 512)
- )
- )
+ if (s->s3->tmp.use_rsa_tmp
+ || (l & (SSL_DH|SSL_kFZA))
+ || ((l & SSL_kRSA)
+ && (s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL
+ || (SSL_IS_EXPORT(l)
+ && EVP_PKEY_size(s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey)*8 > SSL_EXPORT_PKEYLENGTH(l)
+ )
+ )
+ )
)
- )
{
ret=ssl3_send_server_key_exchange(s);
if (ret <= 0) goto end;
@@ -478,20 +426,14 @@ SSL *s;
s->init_buf=NULL;
/* remove buffering on output */
- under=BIO_pop(s->wbio);
- if (under != NULL)
- s->wbio=under;
- else
- abort(); /* ok */
- BIO_free(s->bbio);
- s->bbio=NULL;
+ ssl_free_wbio_buffer(s);
s->new_session=0;
s->init_num=0;
ssl_update_cache(s,SSL_SESS_CACHE_SERVER);
- s->ctx->sess_accept_good++;
+ s->ctx->stats.sess_accept_good++;
/* s->server=1; */
s->handshake_func=ssl3_accept;
ret=1;
@@ -536,8 +478,7 @@ end:
return(ret);
}
-static int ssl3_send_hello_request(s)
-SSL *s;
+static int ssl3_send_hello_request(SSL *s)
{
unsigned char *p;
@@ -559,15 +500,15 @@ SSL *s;
return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
}
-static int ssl3_get_client_hello(s)
-SSL *s;
+static int ssl3_get_client_hello(SSL *s)
{
int i,j,ok,al,ret= -1;
long n;
unsigned long id;
- unsigned char *p,*d;
+ unsigned char *p,*d,*q;
SSL_CIPHER *c;
- STACK *ciphers=NULL;
+ SSL_COMP *comp=NULL;
+ STACK_OF(SSL_CIPHER) *ciphers=NULL;
/* We do this so that we will respond with our native type.
* If we are TLSv1 and we get SSLv3, we will respond with TLSv1,
@@ -593,6 +534,7 @@ SSL *s;
/* The version number has already been checked in ssl3_get_message.
* I a native TLSv1/SSLv3 method, the match must be correct except
* perhaps for the first message */
+/* s->client_version=(((int)p[0])<<8)|(int)p[1]; */
p+=2;
/* load the client random */
@@ -615,7 +557,9 @@ SSL *s;
{ /* previous session */
s->hit=1;
}
- else
+ else if (i == -1)
+ goto err;
+ else /* i == 0 */
{
if (!ssl_get_new_session(s,1))
goto err;
@@ -651,9 +595,16 @@ SSL *s;
j=0;
id=s->session->cipher->id;
- for (i=0; i<sk_num(ciphers); i++)
+#ifdef CIPHER_DEBUG
+ printf("client sent %d ciphers\n",sk_num(ciphers));
+#endif
+ for (i=0; i<sk_SSL_CIPHER_num(ciphers); i++)
{
- c=(SSL_CIPHER *)sk_value(ciphers,i);
+ c=sk_SSL_CIPHER_value(ciphers,i);
+#ifdef CIPHER_DEBUG
+ printf("client [%2d of %2d]:%s\n",
+ i,sk_num(ciphers),SSL_CIPHER_get_name(c));
+#endif
if (c->id == id)
{
j=1;
@@ -662,11 +613,11 @@ SSL *s;
}
if (j == 0)
{
- if ((s->options & SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG) && (sk_num(ciphers) == 1))
+ if ((s->options & SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG) && (sk_SSL_CIPHER_num(ciphers) == 1))
{
/* Very bad for multi-threading.... */
- s->session->cipher=
- (SSL_CIPHER *)sk_value(ciphers,0);
+ s->session->cipher=sk_SSL_CIPHER_value(ciphers,
+ 0);
}
else
{
@@ -681,8 +632,11 @@ SSL *s;
/* compression */
i= *(p++);
+ q=p;
for (j=0; j<i; j++)
+ {
if (p[j] == 0) break;
+ }
p+=i;
if (j >= i)
@@ -693,6 +647,35 @@ SSL *s;
goto f_err;
}
+ /* Worst case, we will use the NULL compression, but if we have other
+ * options, we will now look for them. We have i-1 compression
+ * algorithms from the client, starting at q. */
+ s->s3->tmp.new_compression=NULL;
+ if (s->ctx->comp_methods != NULL)
+ { /* See if we have a match */
+ int m,nn,o,v,done=0;
+
+ nn=sk_SSL_COMP_num(s->ctx->comp_methods);
+ for (m=0; m<nn; m++)
+ {
+ comp=sk_SSL_COMP_value(s->ctx->comp_methods,m);
+ v=comp->id;
+ for (o=0; o<i; o++)
+ {
+ if (v == q[o])
+ {
+ done=1;
+ break;
+ }
+ }
+ if (done) break;
+ }
+ if (done)
+ s->s3->tmp.new_compression=comp;
+ else
+ comp=NULL;
+ }
+
/* TLS does not mind if there is extra stuff */
if (s->version == SSL3_VERSION)
{
@@ -706,15 +689,14 @@ SSL *s;
}
}
- /* do nothing with compression */
-
/* Given s->session->ciphers and ssl_get_ciphers_by_id(s), we must
* pick a cipher */
if (!s->hit)
{
+ s->session->compress_meth=(comp == NULL)?0:comp->id;
if (s->session->ciphers != NULL)
- sk_free(s->session->ciphers);
+ sk_SSL_CIPHER_free(s->session->ciphers);
s->session->ciphers=ciphers;
if (ciphers == NULL)
{
@@ -724,7 +706,7 @@ SSL *s;
}
ciphers=NULL;
c=ssl3_choose_cipher(s,s->session->ciphers,
- ssl_get_ciphers_by_id(s));
+ ssl_get_ciphers_by_id(s));
if (c == NULL)
{
@@ -738,19 +720,19 @@ SSL *s;
{
/* Session-id reuse */
#ifdef REUSE_CIPHER_BUG
- STACK *sk;
+ STACK_OF(SSL_CIPHER) *sk;
SSL_CIPHER *nc=NULL;
SSL_CIPHER *ec=NULL;
if (s->options & SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG)
{
sk=s->session->ciphers;
- for (i=0; i<sk_num(sk); i++)
+ for (i=0; i<sk_SSL_CIPHER_num(sk); i++)
{
- c=(SSL_CIPHER *)sk_value(sk,i);
+ c=sk_SSL_CIPHER_value(sk,i);
if (c->algorithms & SSL_eNULL)
nc=c;
- if (c->algorithms & SSL_EXP)
+ if (SSL_C_IS_EXPORT(c))
ec=c;
}
if (nc != NULL)
@@ -783,12 +765,11 @@ f_err:
ssl3_send_alert(s,SSL3_AL_FATAL,al);
}
err:
- if (ciphers != NULL) sk_free(ciphers);
+ if (ciphers != NULL) sk_SSL_CIPHER_free(ciphers);
return(ret);
}
-static int ssl3_send_server_hello(s)
-SSL *s;
+static int ssl3_send_server_hello(SSL *s)
{
unsigned char *buf;
unsigned char *p,*d;
@@ -833,7 +814,10 @@ SSL *s;
p+=i;
/* put the compression method */
- *(p++)=0;
+ if (s->s3->tmp.new_compression == NULL)
+ *(p++)=0;
+ else
+ *(p++)=s->s3->tmp.new_compression->id;
/* do the header */
l=(p-d);
@@ -851,8 +835,7 @@ SSL *s;
return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
}
-static int ssl3_send_server_done(s)
-SSL *s;
+static int ssl3_send_server_done(SSL *s)
{
unsigned char *p;
@@ -876,8 +859,7 @@ SSL *s;
return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
}
-static int ssl3_send_server_key_exchange(s)
-SSL *s;
+static int ssl3_send_server_key_exchange(SSL *s)
{
#ifndef NO_RSA
unsigned char *q;
@@ -902,7 +884,7 @@ SSL *s;
if (s->state == SSL3_ST_SW_KEY_EXCH_A)
{
type=s->s3->tmp.new_cipher->algorithms & SSL_MKEY_MASK;
- cert=s->session->cert;
+ cert=s->cert;
buf=s->init_buf;
@@ -912,11 +894,11 @@ SSL *s;
if (type & SSL_kRSA)
{
rsa=cert->rsa_tmp;
- if ((rsa == NULL) && (s->ctx->default_cert->rsa_tmp_cb != NULL))
+ if ((rsa == NULL) && (s->cert->rsa_tmp_cb != NULL))
{
- rsa=s->ctx->default_cert->rsa_tmp_cb(s,
- (s->s3->tmp.new_cipher->algorithms|
- SSL_NOT_EXP)?0:1);
+ rsa=s->cert->rsa_tmp_cb(s,
+ SSL_C_IS_EXPORT(s->s3->tmp.new_cipher),
+ SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher));
CRYPTO_add(&rsa->references,1,CRYPTO_LOCK_RSA);
cert->rsa_tmp=rsa;
}
@@ -936,10 +918,10 @@ SSL *s;
if (type & SSL_kEDH)
{
dhp=cert->dh_tmp;
- if ((dhp == NULL) && (cert->dh_tmp_cb != NULL))
- dhp=cert->dh_tmp_cb(s,
- (s->s3->tmp.new_cipher->algorithms|
- SSL_NOT_EXP)?0:1);
+ if ((dhp == NULL) && (s->cert->dh_tmp_cb != NULL))
+ dhp=s->cert->dh_tmp_cb(s,
+ !SSL_C_IS_EXPORT(s->s3->tmp.new_cipher),
+ SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher));
if (dhp == NULL)
{
al=SSL_AD_HANDSHAKE_FAILURE;
@@ -953,13 +935,16 @@ SSL *s;
}
s->s3->tmp.dh=dh;
- if (((dhp->pub_key == NULL) ||
- (dhp->priv_key == NULL) ||
- (s->options & SSL_OP_SINGLE_DH_USE)) &&
- (!DH_generate_key(dh)))
+ if ((dhp->pub_key == NULL ||
+ dhp->priv_key == NULL ||
+ (s->options & SSL_OP_SINGLE_DH_USE)))
{
- SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_DH_LIB);
- goto err;
+ if(!DH_generate_key(dh))
+ {
+ SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
+ ERR_R_DH_LIB);
+ goto err;
+ }
}
else
{
@@ -1098,12 +1083,11 @@ err:
return(-1);
}
-static int ssl3_send_certificate_request(s)
-SSL *s;
+static int ssl3_send_certificate_request(SSL *s)
{
unsigned char *p,*d;
int i,j,nl,off,n;
- STACK *sk=NULL;
+ STACK_OF(X509_NAME) *sk=NULL;
X509_NAME *name;
BUF_MEM *buf;
@@ -1128,9 +1112,9 @@ SSL *s;
nl=0;
if (sk != NULL)
{
- for (i=0; i<sk_num(sk); i++)
+ for (i=0; i<sk_X509_NAME_num(sk); i++)
{
- name=(X509_NAME *)sk_value(sk,i);
+ name=sk_X509_NAME_value(sk,i);
j=i2d_X509_NAME(name,NULL);
if (!BUF_MEM_grow(buf,4+n+j+2))
{
@@ -1176,15 +1160,16 @@ err:
return(-1);
}
-static int ssl3_get_client_key_exchange(s)
-SSL *s;
+static int ssl3_get_client_key_exchange(SSL *s)
{
int i,al,ok;
long n;
unsigned long l;
unsigned char *p;
+#ifndef NO_RSA
RSA *rsa=NULL;
EVP_PKEY *pkey=NULL;
+#endif
#ifndef NO_DH
BIGNUM *pub=NULL;
DH *dh_srvr;
@@ -1208,12 +1193,8 @@ SSL *s;
/* FIX THIS UP EAY EAY EAY EAY */
if (s->s3->tmp.use_rsa_tmp)
{
- if ((s->session->cert != NULL) &&
- (s->session->cert->rsa_tmp != NULL))
- rsa=s->session->cert->rsa_tmp;
- else if ((s->ctx->default_cert != NULL) &&
- (s->ctx->default_cert->rsa_tmp != NULL))
- rsa=s->ctx->default_cert->rsa_tmp;
+ if ((s->cert != NULL) && (s->cert->rsa_tmp != NULL))
+ rsa=s->cert->rsa_tmp;
/* Don't do a callback because rsa_tmp should
* be sent already */
if (rsa == NULL)
@@ -1259,15 +1240,28 @@ SSL *s;
i=RSA_private_decrypt((int)n,p,p,rsa,RSA_PKCS1_PADDING);
#if 1
- /* If a bad decrypt, use a dud master key */
+ /* If a bad decrypt, use a random master key */
if ((i != SSL_MAX_MASTER_KEY_LENGTH) ||
- ((p[0] != (s->version>>8)) ||
- (p[1] != (s->version & 0xff))))
+ ((p[0] != (s->client_version>>8)) ||
+ (p[1] != (s->client_version & 0xff))))
{
- p[0]=(s->version>>8);
- p[1]=(s->version & 0xff);
- RAND_bytes(&(p[2]),SSL_MAX_MASTER_KEY_LENGTH-2);
- i=SSL_MAX_MASTER_KEY_LENGTH;
+ int bad=1;
+
+ if ((i == SSL_MAX_MASTER_KEY_LENGTH) &&
+ (p[0] == (s->version>>8)) &&
+ (p[1] == 0))
+ {
+ if (s->options & SSL_OP_TLS_ROLLBACK_BUG)
+ bad=0;
+ }
+ if (bad)
+ {
+ p[0]=(s->version>>8);
+ p[1]=(s->version & 0xff);
+ RAND_bytes(&(p[2]),SSL_MAX_MASTER_KEY_LENGTH-2);
+ i=SSL_MAX_MASTER_KEY_LENGTH;
+ }
+ /* else, an SSLeay bug, ssl only server, tls client */
}
#else
if (i != SSL_MAX_MASTER_KEY_LENGTH)
@@ -1370,8 +1364,7 @@ err:
return(-1);
}
-static int ssl3_get_cert_verify(s)
-SSL *s;
+static int ssl3_get_cert_verify(SSL *s)
{
EVP_PKEY *pkey=NULL;
unsigned char *p;
@@ -1505,17 +1498,17 @@ f_err:
ssl3_send_alert(s,SSL3_AL_FATAL,al);
}
end:
+ EVP_PKEY_free(pkey);
return(ret);
}
-static int ssl3_get_client_certificate(s)
-SSL *s;
+static int ssl3_get_client_certificate(SSL *s)
{
int i,ok,al,ret= -1;
X509 *x=NULL;
unsigned long l,nc,llen,n;
unsigned char *p,*d,*q;
- STACK *sk=NULL;
+ STACK_OF(X509) *sk=NULL;
n=ssl3_get_message(s,
SSL3_ST_SR_CERT_A,
@@ -1558,7 +1551,7 @@ SSL *s;
}
d=p=(unsigned char *)s->init_buf->data;
- if ((sk=sk_new_null()) == NULL)
+ if ((sk=sk_X509_new_null()) == NULL)
{
SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,ERR_R_MALLOC_FAILURE);
goto err;
@@ -1594,7 +1587,7 @@ SSL *s;
SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_CERT_LENGTH_MISMATCH);
goto f_err;
}
- if (!sk_push(sk,(char *)x))
+ if (!sk_X509_push(sk,x))
{
SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,ERR_R_MALLOC_FAILURE);
goto err;
@@ -1603,7 +1596,7 @@ SSL *s;
nc+=l+3;
}
- if (sk_num(sk) <= 0)
+ if (sk_X509_num(sk) <= 0)
{
/* TLS does not mind 0 certs returned */
if (s->version == SSL3_VERSION)
@@ -1632,10 +1625,26 @@ SSL *s;
}
}
- /* This should not be needed */
- if (s->session->peer != NULL)
+ if (s->session->peer != NULL) /* This should not be needed */
X509_free(s->session->peer);
- s->session->peer=(X509 *)sk_shift(sk);
+ s->session->peer=sk_X509_shift(sk);
+
+ /* With the current implementation, sess_cert will always be NULL
+ * when we arrive here. */
+ if (s->session->sess_cert == NULL)
+ {
+ s->session->sess_cert = ssl_sess_cert_new();
+ if (s->session->sess_cert == NULL)
+ {
+ SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, ERR_R_MALLOC_FAILURE);
+ goto err;
+ }
+ }
+ if (s->session->sess_cert->cert_chain != NULL)
+ sk_X509_pop_free(s->session->sess_cert->cert_chain, X509_free);
+ s->session->sess_cert->cert_chain=sk;
+
+ sk=NULL;
ret=1;
if (0)
@@ -1645,12 +1654,11 @@ f_err:
}
err:
if (x != NULL) X509_free(x);
- if (sk != NULL) sk_pop_free(sk,X509_free);
+ if (sk != NULL) sk_X509_pop_free(sk,X509_free);
return(ret);
}
-int ssl3_send_server_certificate(s)
-SSL *s;
+int ssl3_send_server_certificate(SSL *s)
{
unsigned long l;
X509 *x;
diff --git a/lib/libssl/src/ssl/ssl-lib.com b/lib/libssl/src/ssl/ssl-lib.com
new file mode 100644
index 00000000000..75fa89f1930
--- /dev/null
+++ b/lib/libssl/src/ssl/ssl-lib.com
@@ -0,0 +1,1200 @@
+$!
+$! SSL-LIB.COM
+$! Written By: Robert Byer
+$! Vice-President
+$! A-Com Computing, Inc.
+$! byer@mail.all-net.net
+$!
+$! Changes by Richard Levitte <richard@levitte.org>
+$!
+$! This command file compiles and creates the "[.xxx.EXE.SSL]LIBSSL.OLB"
+$! library for OpenSSL. The "xxx" denotes the machine architecture of AXP
+$! or VAX.
+$!
+$! It is written to detect what type of machine you are compiling on
+$! (i.e. AXP or VAX) and which "C" compiler you have (i.e. VAXC, DECC
+$! or GNU C) or you can specify which compiler to use.
+$!
+$! Specify the following as P1 to build just that part or ALL to just
+$! build everything.
+$!
+$! LIBRARY To just compile the [.xxx.EXE.SSL]LIBSSL.OLB Library.
+$! SSL_TASK To just compile the [.xxx.EXE.SSL]SSL_TASK.EXE
+$!
+$! Specify RSAREF as P2 to compile with the RSAREF library instead of
+$! the regular one. If you specify NORSAREF it will compile with the
+$! regular RSAREF routines. (Note: If you are in the United States
+$! you MUST compile with RSAREF unless you have a license from RSA).
+$!
+$! Note: The RSAREF libraries are NOT INCLUDED and you have to
+$! download it from "ftp://ftp.rsa.com/rsaref". You have to
+$! get the ".tar-Z" file as the ".zip" file dosen't have the
+$! directory structure stored. You have to extract the file
+$! into the [.RSAREF] directory under the root directory as that
+$! is where the scripts will look for the files.
+$!
+$! Specify DEBUG or NODEBUG as P3 to compile with or without debugger
+$! information.
+$!
+$! Specify which compiler at P4 to try to compile under.
+$!
+$! VAXC For VAX C.
+$! DECC For DEC C.
+$! GNUC For GNU C.
+$!
+$! If you don't speficy a compiler, it will try to determine which
+$! "C" compiler to use.
+$!
+$! P5, if defined, sets a TCP/IP library to use, through one of the following
+$! keywords:
+$!
+$! UCX for UCX
+$! SOCKETSHR for SOCKETSHR+NETLIB
+$!
+$! P6, if defined, sets a compiler thread NOT needed on OpenVMS 7.1 (and up)
+$!
+$!
+$! Define A TCP/IP Library That We Will Need To Link To.
+$! (That Is, If We Need To Link To One.)
+$!
+$ TCPIP_LIB = ""
+$!
+$! Check Which Architecture We Are Using.
+$!
+$ IF (F$GETSYI("CPU").GE.128)
+$ THEN
+$!
+$! The Architecture Is AXP.
+$!
+$ ARCH := AXP
+$!
+$! Else...
+$!
+$ ELSE
+$!
+$! The Architecture Is VAX.
+$!
+$ ARCH := VAX
+$!
+$! End The Architecture Check.
+$!
+$ ENDIF
+$!
+$! Check To Make Sure We Have Valid Command Line Parameters.
+$!
+$ GOSUB CHECK_OPTIONS
+$!
+$! Initialise logical names and such
+$!
+$ GOSUB INITIALISE
+$!
+$! Tell The User What Kind of Machine We Run On.
+$!
+$ WRITE SYS$OUTPUT "Compiling On A ",ARCH," Machine."
+$!
+$! Define The OBJ Directory.
+$!
+$ OBJ_DIR := SYS$DISK:[-.'ARCH'.OBJ.SSL]
+$!
+$! Check To See If The Architecture Specific OBJ Directory Exists.
+$!
+$ IF (F$PARSE(OBJ_DIR).EQS."")
+$ THEN
+$!
+$! It Dosen't Exist, So Create It.
+$!
+$ CREATE/DIR 'OBJ_DIR'
+$!
+$! End The Architecture Specific OBJ Directory Check.
+$!
+$ ENDIF
+$!
+$! Define The EXE Directory.
+$!
+$ EXE_DIR := SYS$DISK:[-.'ARCH'.EXE.SSL]
+$!
+$! Check To See If The Architecture Specific Directory Exists.
+$!
+$ IF (F$PARSE(EXE_DIR).EQS."")
+$ THEN
+$!
+$! It Dosen't Exist, So Create It.
+$!
+$ CREATE/DIR 'EXE_DIR'
+$!
+$! End The Architecture Specific Directory Check.
+$!
+$ ENDIF
+$!
+$! Define The Library Name.
+$!
+$ SSL_LIB := 'EXE_DIR'LIBSSL.OLB
+$!
+$! Define The CRYPTO-LIB We Are To Use.
+$!
+$ CRYPTO_LIB := SYS$DISK:[-.'ARCH'.EXE.CRYPTO]LIBCRYPTO.OLB
+$!
+$! Define The RSAREF-LIB We Are To Use.
+$!
+$ RSAREF_LIB := SYS$DISK:[-.'ARCH'.EXE.RSAREF]LIBRSAGLUE.OLB
+$!
+$! Check To See What We Are To Do.
+$!
+$ IF (BUILDALL.EQS."TRUE")
+$ THEN
+$!
+$! Since Nothing Special Was Specified, Do Everything.
+$!
+$ GOSUB LIBRARY
+$ GOSUB SSL_TASK
+$!
+$! Else...
+$!
+$ ELSE
+$!
+$! Build Just What The User Wants Us To Build.
+$!
+$ GOSUB 'BUILDALL'
+$!
+$! End The BUILDALL Check.
+$!
+$ ENDIF
+$!
+$! Time To EXIT.
+$!
+$ EXIT:
+$ GOSUB CLEANUP
+$ EXIT
+$!
+$! Compile The Library.
+$!
+$ LIBRARY:
+$!
+$! Check To See If We Already Have A "[.xxx.EXE.SSL]LIBSSL.OLB" Library...
+$!
+$ IF (F$SEARCH(SSL_LIB).EQS."")
+$ THEN
+$!
+$! Guess Not, Create The Library.
+$!
+$ LIBRARY/CREATE/OBJECT 'SSL_LIB'
+$!
+$! End The Library Exist Check.
+$!
+$ ENDIF
+$!
+$! Define The Different SSL "library" Files.
+$!
+$ LIB_SSL = "s2_meth,s2_srvr,s2_clnt,s2_lib,s2_enc,s2_pkt,"+ -
+ "s3_meth,s3_srvr,s3_clnt,s3_lib,s3_enc,s3_pkt,s3_both,"+ -
+ "s23_meth,s23_srvr,s23_clnt,s23_lib,s23_pkt,"+ -
+ "t1_meth,t1_srvr,t1_clnt,t1_lib,t1_enc,"+ -
+ "ssl_lib,ssl_err2,ssl_cert,ssl_sess,"+ -
+ "ssl_ciph,ssl_stat,ssl_rsa,"+ -
+ "ssl_asn1,ssl_txt,ssl_algs,"+ -
+ "bio_ssl,ssl_err"
+$!
+$! Tell The User That We Are Compiling The Library.
+$!
+$ WRITE SYS$OUTPUT "Building The ",SSL_LIB," Library."
+$!
+$! Define A File Counter And Set It To "0"
+$!
+$ FILE_COUNTER = 0
+$!
+$! Top Of The File Loop.
+$!
+$ NEXT_FILE:
+$!
+$! O.K, Extract The File Name From The File List.
+$!
+$ FILE_NAME = F$ELEMENT(FILE_COUNTER,",",LIB_SSL)
+$!
+$! Check To See If We Are At The End Of The File List.
+$!
+$ IF (FILE_NAME.EQS.",") THEN GOTO FILE_DONE
+$!
+$! Increment The Counter.
+$!
+$ FILE_COUNTER = FILE_COUNTER + 1
+$!
+$! Create The Source File Name.
+$!
+$ SOURCE_FILE = "SYS$DISK:[]" + FILE_NAME + ".C"
+$!
+$! Create The Object File Name.
+$!
+$ OBJECT_FILE = OBJ_DIR + FILE_NAME + ".OBJ"
+$ ON WARNING THEN GOTO NEXT_FILE
+$!
+$! Check To See If The File We Want To Compile Is Actually There.
+$!
+$ IF (F$SEARCH(SOURCE_FILE).EQS."")
+$ THEN
+$!
+$! Tell The User That The File Dosen't Exist.
+$!
+$ WRITE SYS$OUTPUT ""
+$ WRITE SYS$OUTPUT "The File ",SOURCE_FILE," Dosen't Exist."
+$ WRITE SYS$OUTPUT ""
+$!
+$! Exit The Build.
+$!
+$ EXIT
+$!
+$! End The File Exists Check.
+$!
+$ ENDIF
+$!
+$! Tell The User What File We Are Compiling.
+$!
+$ WRITE SYS$OUTPUT " ",FILE_NAME,".c"
+$!
+$! Compile The File.
+$!
+$ ON ERROR THEN GOTO NEXT_FILE
+$ CC/OBJECT='OBJECT_FILE' 'SOURCE_FILE'
+$!
+$! Add It To The Library.
+$!
+$ LIBRARY/REPLACE/OBJECT 'SSL_LIB' 'OBJECT_FILE'
+$!
+$! Time To Clean Up The Object File.
+$!
+$ DELETE 'OBJECT_FILE';*
+$!
+$! Go Back And Get The Next File Name.
+$!
+$ GOTO NEXT_FILE
+$!
+$! All Done With This Library.
+$!
+$ FILE_DONE:
+$!
+$! Tell The User That We Are All Done.
+$!
+$ WRITE SYS$OUTPUT "Library ",SSL_LIB," Compiled."
+$!
+$! Time To RETURN.
+$!
+$ RETURN
+$ SSL_TASK:
+$!
+$! Check To See If We Have The Proper Libraries.
+$!
+$ GOSUB LIB_CHECK
+$!
+$! Check To See If We Have A Linker Option File.
+$!
+$ GOSUB CHECK_OPT_FILE
+$!
+$! Check To See If The File We Want To Compile Is Actually There.
+$!
+$ IF (F$SEARCH("SYS$DISK:[]SSL_TASK.C").EQS."")
+$ THEN
+$!
+$! Tell The User That The File Dosen't Exist.
+$!
+$ WRITE SYS$OUTPUT ""
+$ WRITE SYS$OUTPUT "The File SSL_TASK.C Dosen't Exist."
+$ WRITE SYS$OUTPUT ""
+$!
+$! Exit The Build.
+$!
+$ EXIT
+$!
+$! End The SSL_TASK.C File Check.
+$!
+$ ENDIF
+$!
+$! Tell The User We Are Creating The SSL_TASK.
+$!
+$ WRITE SYS$OUTPUT "Creating SSL_TASK OSU HTTP SSL Engine."
+$!
+$! Compile The File.
+$!
+$ CC5/OBJECT='OBJ_DIR'SSL_TASK.OBJ SYS$DISK:[]SSL_TASK.C
+$!
+$! Link The Program, Check To See If We Need To Link With RSAREF Or Not.
+$!
+$ IF (RSAREF.EQS."TRUE")
+$ THEN
+$!
+$! Check To See If We Are To Link With A Specific TCP/IP Library.
+$!
+$ IF (TCPIP_LIB.NES."")
+$ THEN
+$!
+$! Link With The RSAREF Library And A Specific TCP/IP Library.
+$!
+$ LINK/'DEBUGGER'/'TRACEBACK'/EXE='EXE_DIR'SSL_TASK.EXE -
+ 'OBJ_DIR'SSL_TASK.OBJ, -
+ 'SSL_LIB'/LIBRARY,'CRYPTO_LIB'/LIBRARY,'RSAREF_LIB'/LIBRARY, -
+ 'TCPIP_LIB','OPT_FILE'/OPTION
+$!
+$! Else...
+$!
+$ ELSE
+$!
+$! Link With The RSAREF Library And NO TCP/IP Library.
+$!
+$ LINK/'DEBUGGER'/'TRACEBACK'/EXE='EXE_DIR'SSL_TASK.EXE -
+ 'OBJ_DIR'SSL_TASK.OBJ, -
+ 'SSL_LIB'/LIBRARY,'CRYPTO_LIB'/LIBRARY,'RSAREF_LIB'/LIBRARY, -
+ 'OPT_FILE'/OPTION
+$!
+$! End The TCP/IP Library Check.
+$!
+$ ENDIF
+$!
+$! Else...
+$!
+$ ELSE
+$!
+$! Don't Link With The RSAREF Routines.
+$!
+$!
+$! Check To See If We Are To Link With A Specific TCP/IP Library.
+$!
+$ IF (TCPIP_LIB.NES."")
+$ THEN
+$!
+$! Don't Link With The RSAREF Routines And TCP/IP Library.
+$!
+$ LINK/'DEBUGGER'/'TRACEBACK'/EXE='EXE_DIR'SSL_TASK.EXE -
+ 'OBJ_DIR'SSL_TASK.OBJ, -
+ 'SSL_LIB'/LIBRARY,'CRYPTO_LIB'/LIBRARY, -
+ 'TCPIP_LIB','OPT_FILE'/OPTION
+$!
+$! Else...
+$!
+$ ELSE
+$!
+$! Don't Link With The RSAREF Routines And Link With A TCP/IP Library.
+$!
+$ LINK/'DEBUGGER'/'TRACEBACK'/EXE='EXE_DIR'SSL_TASK.EXE -
+ 'OBJ_DIR'SSL_TASK.OBJ,-
+ 'SSL_LIB'/LIBRARY,'CRYPTO_LIB'/LIBRARY, -
+ 'OPT_FILE'/OPTION
+$!
+$! End The TCP/IP Library Check.
+$!
+$ ENDIF
+$!
+$! End The RSAREF Link Check.
+$!
+$ ENDIF
+$!
+$! Time To Return.
+$!
+$ RETURN
+$!
+$! Check For The Link Option FIle.
+$!
+$ CHECK_OPT_FILE:
+$!
+$! Check To See If We Need To Make A VAX C Option File.
+$!
+$ IF (COMPILER.EQS."VAXC")
+$ THEN
+$!
+$! Check To See If We Already Have A VAX C Linker Option File.
+$!
+$ IF (F$SEARCH(OPT_FILE).EQS."")
+$ THEN
+$!
+$! We Need A VAX C Linker Option File.
+$!
+$ CREATE 'OPT_FILE'
+$DECK
+!
+! Default System Options File To Link Agianst
+! The Sharable VAX C Runtime Library.
+!
+SYS$SHARE:VAXCRTL.EXE/SHARE
+$EOD
+$!
+$! End The Option File Check.
+$!
+$ ENDIF
+$!
+$! End The VAXC Check.
+$!
+$ ENDIF
+$!
+$! Check To See If We Need A GNU C Option File.
+$!
+$ IF (COMPILER.EQS."GNUC")
+$ THEN
+$!
+$! Check To See If We Already Have A GNU C Linker Option File.
+$!
+$ IF (F$SEARCH(OPT_FILE).EQS."")
+$ THEN
+$!
+$! We Need A GNU C Linker Option File.
+$!
+$ CREATE 'OPT_FILE'
+$DECK
+!
+! Default System Options File To Link Agianst
+! The Sharable C Runtime Library.
+!
+GNU_CC:[000000]GCCLIB/LIBRARY
+SYS$SHARE:VAXCRTL/SHARE
+$EOD
+$!
+$! End The Option File Check.
+$!
+$ ENDIF
+$!
+$! End The GNU C Check.
+$!
+$ ENDIF
+$!
+$! Check To See If We Need A DEC C Option File.
+$!
+$ IF (COMPILER.EQS."DECC")
+$ THEN
+$!
+$! Check To See If We Already Have A DEC C Linker Option File.
+$!
+$ IF (F$SEARCH(OPT_FILE).EQS."")
+$ THEN
+$!
+$! Figure Out If We Need An AXP Or A VAX Linker Option File.
+$!
+$ IF (ARCH.EQS."VAX")
+$ THEN
+$!
+$! We Need A DEC C Linker Option File For VAX.
+$!
+$ CREATE 'OPT_FILE'
+$DECK
+!
+! Default System Options File To Link Agianst
+! The Sharable DEC C Runtime Library.
+!
+SYS$SHARE:DECC$SHR.EXE/SHARE
+$EOD
+$!
+$! Else...
+$!
+$ ELSE
+$!
+$! Create The AXP Linker Option File.
+$!
+$ CREATE 'OPT_FILE'
+$DECK
+!
+! Default System Options File For AXP To Link Agianst
+! The Sharable C Runtime Library.
+!
+SYS$SHARE:CMA$OPEN_LIB_SHR/SHARE
+SYS$SHARE:CMA$OPEN_RTL/SHARE
+$EOD
+$!
+$! End The VAX/AXP DEC C Option File Check.
+$!
+$ ENDIF
+$!
+$! End The Option File Search.
+$!
+$ ENDIF
+$!
+$! End The DEC C Check.
+$!
+$ ENDIF
+$!
+$! Tell The User What Linker Option File We Are Using.
+$!
+$ WRITE SYS$OUTPUT "Using Linker Option File ",OPT_FILE,"."
+$!
+$! Time To RETURN.
+$!
+$ RETURN
+$ LIB_CHECK:
+$!
+$! Look For The VAX Library LIBSSL.OLB.
+$!
+$ IF (F$SEARCH(SSL_LIB).EQS."")
+$ THEN
+$!
+$! Tell The User We Can't Find The LIBSSL.OLB Library.
+$!
+$ WRITE SYS$OUTPUT ""
+$ WRITE SYS$OUTPUT "Can't Find The Library ",SSL_LIB,"."
+$ WRITE SYS$OUTPUT "We Can't Link Without It."
+$ WRITE SYS$OUTPUT ""
+$!
+$! Since We Can't Link Without It, Exit.
+$!
+$ EXIT
+$!
+$! End The LIBSSL.OLB Library Check.
+$!
+$ ENDIF
+$!
+$! Look For The Library LIBCRYPTO.OLB.
+$!
+$ IF (F$SEARCH(CRYPTO_LIB).EQS."")
+$ THEN
+$!
+$! Tell The User We Can't Find The LIBCRYPTO.OLB Library.
+$!
+$ WRITE SYS$OUTPUT ""
+$ WRITE SYS$OUTPUT "Can't Find The Library ",CRYPTO_LIB,"."
+$ WRITE SYS$OUTPUT "We Can't Link Without It."
+$ WRITE SYS$OUTPUT ""
+$!
+$! Since We Can't Link Without It, Exit.
+$!
+$ EXIT
+$!
+$! End The LIBCRYPTO.OLB Library Check.
+$!
+$ ENDIF
+$!
+$! Check To See If We Need The RSAREF Library.
+$!
+$ IF (RSAREF.EQS."TRUE")
+$ THEN
+$!
+$! Look For The Library LIBRSAGLUE.OLB.
+$!
+$ IF (F$SEARCH(RSAREF_LIB).EQS."")
+$ THEN
+$!
+$! Tell The User We Can't Find The LIBRSAGLUE.OLB Library.
+$!
+$ WRITE SYS$OUTPUT ""
+$ WRITE SYS$OUTPUT "Can't Find The Library ",RSAREF_LIB,"."
+$ WRITE SYS$OUTPUT "We Can't Link Without It."
+$ WRITE SYS$OUTPUT ""
+$!
+$! Since We Can't Link Without It, Exit.
+$!
+$ EXIT
+$!
+$! End The LIBRSAGLUE.OLB Library Check.
+$!
+$ ENDIF
+$!
+$! End The RSAREF Library Check.
+$!
+$ ENDIF
+$!
+$! Time To Return.
+$!
+$ RETURN
+$!
+$! Check The User's Options.
+$!
+$ CHECK_OPTIONS:
+$!
+$! Check To See If P1 Is Blank.
+$!
+$ IF (P1.EQS."ALL")
+$ THEN
+$!
+$! P1 Is Blank, So Build Everything.
+$!
+$ BUILDALL = "TRUE"
+$!
+$! Else...
+$!
+$ ELSE
+$!
+$! Else, Check To See If P1 Has A Valid Arguement.
+$!
+$ IF (P1.EQS."LIBRARY").OR.(P1.EQS."SSL_TASK")
+$ THEN
+$!
+$! A Valid Arguement.
+$!
+$ BUILDALL = P1
+$!
+$! Else...
+$!
+$ ELSE
+$!
+$! Tell The User We Don't Know What They Want.
+$!
+$ WRITE SYS$OUTPUT ""
+$ WRITE SYS$OUTPUT "The Option ",P1," Is Invalid. The Valid Options Are:"
+$ WRITE SYS$OUTPUT ""
+$ WRITE SYS$OUTPUT " ALL : Just Build Everything."
+$ WRITE SYS$OUTPUT " LIBRARY : To Compile Just The [.xxx.EXE.SSL]LIBSSL.OLB Library."
+$ WRITE SYS$OUTPUT " SSL_TASK : To Compile Just The [.xxx.EXE.SSL]SSL_TASK.EXE Program."
+$ WRITE SYS$OUTPUT ""
+$ WRITE SYS$OUTPUT " Where 'xxx' Stands For:"
+$ WRITE SYS$OUTPUT ""
+$ WRITE SYS$OUTPUT " AXP : Alpha Architecture."
+$ WRITE SYS$OUTPUT " VAX : VAX Architecture."
+$ WRITE SYS$OUTPUT ""
+$!
+$! Time To EXIT.
+$!
+$ EXIT
+$!
+$! End The Valid Arguement Check.
+$!
+$ ENDIF
+$!
+$! End The P1 Check.
+$!
+$ ENDIF
+$!
+$! Check To See If P2 Is Blank.
+$!
+$ IF (P2.EQS."NORSAREF")
+$ THEN
+$!
+$! P2 Is NORSAREF, So Compile With The Regular RSA Libraries.
+$!
+$ RSAREF = "FALSE"
+$!
+$! Else...
+$!
+$ ELSE
+$!
+$! Check To See If We Are To Use The RSAREF Library.
+$!
+$ IF (P2.EQS."RSAREF")
+$ THEN
+$!
+$! Check To Make Sure We Have The RSAREF Source Code Directory.
+$!
+$ IF (F$SEARCH("SYS$DISK:[-.RSAREF]SOURCE.DIR").EQS."")
+$ THEN
+$!
+$! We Don't Have The RSAREF Souce Code Directory, So Tell The
+$! User This.
+$!
+$ WRITE SYS$OUTPUT ""
+$ WRITE SYS$OUTPUT "It appears that you don't have the RSAREF Souce Code."
+$ WRITE SYS$OUTPUT "You need to go to 'ftp://ftp.rsa.com/rsaref'. You have to"
+$ WRITE SYS$OUTPUT "get the '.tar-Z' file as the '.zip' file dosen't have the"
+$ WRITE SYS$OUTPUT "directory structure stored. You have to extract the file"
+$ WRITE SYS$OUTPUT "into the [.RSAREF] directory under the root directory"
+$ WRITE SYS$OUTPUT "as that is where the scripts will look for the files."
+$ WRITE SYS$OUTPUT ""
+$!
+$! Time To Exit.
+$!
+$ EXIT
+$!
+$! Else, Compile Using The RSAREF Library.
+$!
+$ ELSE
+$ RSAREF = "TRUE"
+$ ENDIF
+$ ELSE
+$!
+$! They Entered An Invalid Option..
+$!
+$ WRITE SYS$OUTPUT ""
+$ WRITE SYS$OUTPUT "The Option ",P2," Is Invalid. The Valid Options Are:"
+$ WRITE SYS$OUTPUT ""
+$ WRITE SYS$OUTPUT " RSAREF : Compile With The RSAREF Library."
+$ WRITE SYS$OUTPUT " NORSAREF : Compile With The Regular RSA Library."
+$ WRITE SYS$OUTPUT ""
+$!
+$! Time To EXIT.
+$!
+$ EXIT
+$!
+$! End The Valid Arguement Check.
+$!
+$ ENDIF
+$!
+$! End The P2 Check.
+$!
+$ ENDIF
+$!
+$! Check To See If P3 Is Blank.
+$!
+$ IF (P3.EQS."NODEBUG")
+$ THEN
+$!
+$! P3 Is NODEBUG, So Compile Without Debugger Information.
+$!
+$ DEBUGGER = "NODEBUG"
+$ TRACEBACK = "NOTRACEBACK"
+$ GCC_OPTIMIZE = "OPTIMIZE"
+$ CC_OPTIMIZE = "OPTIMIZE"
+$ WRITE SYS$OUTPUT "No Debugger Information Will Be Produced During Compile."
+$ WRITE SYS$OUTPUT "Compiling With Compiler Optimization."
+$!
+$! Else...
+$!
+$ ELSE
+$!
+$! Check To See If We Are To Compile With Debugger Information.
+$!
+$ IF (P3.EQS."DEBUG")
+$ THEN
+$!
+$! Compile With Debugger Information.
+$!
+$ DEBUGGER = "DEBUG"
+$ TRACEBACK = "TRACEBACK"
+$ GCC_OPTIMIZE = "NOOPTIMIZE"
+$ CC_OPTIMIZE = "NOOPTIMIZE"
+$ WRITE SYS$OUTPUT "Debugger Information Will Be Produced During Compile."
+$ WRITE SYS$OUTPUT "Compiling Without Compiler Optimization."
+$ ELSE
+$!
+$! Tell The User Entered An Invalid Option..
+$!
+$ WRITE SYS$OUTPUT ""
+$ WRITE SYS$OUTPUT "The Option ",P3," Is Invalid. The Valid Options Are:"
+$ WRITE SYS$OUTPUT ""
+$ WRITE SYS$OUTPUT " DEBUG : Compile With The Debugger Information."
+$ WRITE SYS$OUTPUT " NODEBUG : Compile Without The Debugger Information."
+$ WRITE SYS$OUTPUT ""
+$!
+$! Time To EXIT.
+$!
+$ EXIT
+$!
+$! End The Valid Arguement Check.
+$!
+$ ENDIF
+$!
+$! End The P3 Check.
+$!
+$ ENDIF
+$!
+$! Special Threads For OpenVMS v7.1 Or Later
+$!
+$! Written By: Richard Levitte
+$! richard@levitte.org
+$!
+$!
+$! Check To See If We Have A Option For P6.
+$!
+$ IF (P6.EQS."")
+$ THEN
+$!
+$! Get The Version Of VMS We Are Using.
+$!
+$ ISSEVEN :=
+$ TMP = F$ELEMENT(0,"-",F$EXTRACT(1,4,F$GETSYI("VERSION")))
+$ TMP = F$INTEGER(F$ELEMENT(0,".",TMP)+F$ELEMENT(1,".",TMP))
+$!
+$! Check To See If The VMS Version Is v7.1 Or Later.
+$!
+$ IF (TMP.GE.71)
+$ THEN
+$!
+$! We Have OpenVMS v7.1 Or Later, So Use The Special Threads.
+$!
+$ ISSEVEN := ,PTHREAD_USE_D4
+$!
+$! End The VMS Version Check.
+$!
+$ ENDIF
+$!
+$! End The P6 Check.
+$!
+$ ENDIF
+$!
+$! Check To See If P4 Is Blank.
+$!
+$ IF (P4.EQS."")
+$ THEN
+$!
+$! O.K., The User Didn't Specify A Compiler, Let's Try To
+$! Find Out Which One To Use.
+$!
+$! Check To See If We Have GNU C.
+$!
+$ IF (F$TRNLNM("GNU_CC").NES."")
+$ THEN
+$!
+$! Looks Like GNUC, Set To Use GNUC.
+$!
+$ P4 = "GNUC"
+$!
+$! End The GNU C Compiler Check.
+$!
+$ ELSE
+$!
+$! Check To See If We Have VAXC Or DECC.
+$!
+$ IF (ARCH.EQS."AXP").OR.(F$TRNLNM("DECC$CC_DEFAULT").NES."")
+$ THEN
+$!
+$! Looks Like DECC, Set To Use DECC.
+$!
+$ P4 = "DECC"
+$!
+$! Else...
+$!
+$ ELSE
+$!
+$! Looks Like VAXC, Set To Use VAXC.
+$!
+$ P4 = "VAXC"
+$!
+$! End The VAXC Compiler Check.
+$!
+$ ENDIF
+$!
+$! End The DECC & VAXC Compiler Check.
+$!
+$ ENDIF
+$!
+$! End The Compiler Check.
+$!
+$ ENDIF
+$!
+$! Check To See If We Have A Option For P5.
+$!
+$ IF (P5.EQS."")
+$ THEN
+$!
+$! Find out what socket library we have available
+$!
+$ IF F$PARSE("SOCKETSHR:") .NES. ""
+$ THEN
+$!
+$! We have SOCKETSHR, and it is my opinion that it's the best to use.
+$!
+$ P5 = "SOCKETSHR"
+$!
+$! Tell the user
+$!
+$ WRITE SYS$OUTPUT "Using SOCKETSHR for TCP/IP"
+$!
+$! Else, let's look for something else
+$!
+$ ELSE
+$!
+$! Like UCX (the reason to do this before Multinet is that the UCX
+$! emulation is easier to use...)
+$!
+$ IF F$TRNLNM("UCX$IPC_SHR") .NES. "" -
+ .OR. F$PARSE("SYS$SHARE:UCX$IPC_SHR.EXE") .NES. "" -
+ .OR. F$PARSE("SYS$LIBRARY:UCX$IPC.OLB") .NES. ""
+$ THEN
+$!
+$! Last resort: a UCX or UCX-compatible library
+$!
+$ P5 = "UCX"
+$!
+$! Tell the user
+$!
+$ WRITE SYS$OUTPUT "Using UCX or an emulation thereof for TCP/IP"
+$!
+$! That was all...
+$!
+$ ENDIF
+$ ENDIF
+$ ENDIF
+$!
+$! Set Up Initial CC Definitions, Possibly With User Ones
+$!
+$ CCDEFS = "VMS=1,TCPIP_TYPE_''P5'"
+$ IF F$TYPE(USER_CCDEFS) .NES. "" THEN CCDEFS = CCDEFS + "," + USER_CCDEFS
+$ CCEXTRAFLAGS = ""
+$ IF F$TYPE(USER_CCFLAGS) .NES. "" THEN CCEXTRAFLAGS = USER_CCFLAGS
+$ CCDISABLEWARNINGS = ""
+$ IF F$TYPE(USER_CCDISABLEWARNINGS) .NES. "" THEN -
+ CCDISABLEWARNINGS = USER_CCDISABLEWARNINGS
+$!
+$! Check To See If The User Entered A Valid Paramter.
+$!
+$ IF (P4.EQS."VAXC").OR.(P4.EQS."DECC").OR.(P4.EQS."GNUC")
+$ THEN
+$!
+$! Check To See If The User Wanted DECC.
+$!
+$ IF (P4.EQS."DECC")
+$ THEN
+$!
+$! Looks Like DECC, Set To Use DECC.
+$!
+$ COMPILER = "DECC"
+$!
+$! Tell The User We Are Using DECC.
+$!
+$ WRITE SYS$OUTPUT "Using DECC 'C' Compiler."
+$!
+$! Use DECC...
+$!
+$ CC = "CC"
+$ IF ARCH.EQS."VAX" .AND. F$TRNLNM("DECC$CC_DEFAULT").NES."/DECC" -
+ THEN CC = "CC/DECC"
+$ CC = CC + "/''CC_OPTIMIZE'/''DEBUGGER'/STANDARD=ANSI89" + -
+ "/NOLIST/PREFIX=ALL" + -
+ "/INCLUDE=(SYS$DISK:[-.CRYPTO],SYS$DISK:[.SOURCE])" + CCEXTRAFLAGS
+$!
+$! Define The Linker Options File Name.
+$!
+$ OPT_FILE = "SYS$DISK:[]VAX_DECC_OPTIONS.OPT"
+$!
+$! End DECC Check.
+$!
+$ ENDIF
+$!
+$! Check To See If We Are To Use VAXC.
+$!
+$ IF (P4.EQS."VAXC")
+$ THEN
+$!
+$! Looks Like VAXC, Set To Use VAXC.
+$!
+$ COMPILER = "VAXC"
+$!
+$! Tell The User We Are Using VAX C.
+$!
+$ WRITE SYS$OUTPUT "Using VAXC 'C' Compiler."
+$!
+$! Compile Using VAXC.
+$!
+$ CC = "CC"
+$ IF ARCH.EQS."AXP"
+$ THEN
+$ WRITE SYS$OUTPUT "There is no VAX C on Alpha!"
+$ EXIT
+$ ENDIF
+$ IF F$TRNLNM("DECC$CC_DEFAULT").EQS."/DECC" THEN CC = "CC/VAXC"
+$ CC = CC + "/''CC_OPTIMIZE'/''DEBUGGER'/NOLIST" + -
+ "/INCLUDE=(SYS$DISK:[-.CRYPTO],SYS$DISK:[.SOURCE])" + CCEXTRAFLAGS
+$ CCDEFS = CCDEFS + ",""VAXC"""
+$!
+$! Define <sys> As SYS$COMMON:[SYSLIB]
+$!
+$ DEFINE/NOLOG SYS SYS$COMMON:[SYSLIB]
+$!
+$! Define The Linker Options File Name.
+$!
+$ OPT_FILE = "SYS$DISK:[]VAX_VAXC_OPTIONS.OPT"
+$!
+$! End VAXC Check
+$!
+$ ENDIF
+$!
+$! Check To See If We Are To Use GNU C.
+$!
+$ IF (P4.EQS."GNUC")
+$ THEN
+$!
+$! Looks Like GNUC, Set To Use GNUC.
+$!
+$ COMPILER = "GNUC"
+$!
+$! Tell The User We Are Using GNUC.
+$!
+$ WRITE SYS$OUTPUT "Using GNU 'C' Compiler."
+$!
+$! Use GNU C...
+$!
+$ IF F$TYPE(GCC) .EQS. "" THEN GCC := GCC
+$ CC = GCC+"/NOCASE_HACK/''GCC_OPTIMIZE'/''DEBUGGER'/NOLIST" + -
+ "/INCLUDE=(SYS$DISK:[-.CRYPTO],SYS$DISK:[.SOURCE])" + CCEXTRAFLAGS
+$!
+$! Define The Linker Options File Name.
+$!
+$ OPT_FILE = "SYS$DISK:[]VAX_GNUC_OPTIONS.OPT"
+$!
+$! End The GNU C Check.
+$!
+$ ENDIF
+$!
+$! Set up default defines
+$!
+$ CCDEFS = """FLAT_INC=1""," + CCDEFS
+$!
+$! Check To See If We Are To Compile With RSAREF Routines.
+$!
+$ IF (RSAREF.EQS."TRUE")
+$ THEN
+$!
+$! Compile With RSAREF.
+$!
+$ CCDEFS = CCDEFS + ",""RSAref=1"""
+$!
+$! Tell The User This.
+$!
+$ WRITE SYS$OUTPUT "Compiling With RSAREF Routines."
+$!
+$! Else, We Don't Care. Compile Without The RSAREF Library.
+$!
+$ ELSE
+$!
+$! Tell The User We Are Compile Without The RSAREF Routines.
+$!
+$ WRITE SYS$OUTPUT "Compiling Without The RSAREF Routines.
+$!
+$! End The RSAREF Check.
+$!
+$ ENDIF
+$!
+$! Finish up the definition of CC.
+$!
+$ IF COMPILER .EQS. "DECC"
+$ THEN
+$ IF CCDISABLEWARNINGS .EQS. ""
+$ THEN
+$ CC4DISABLEWARNINGS = "DOLLARID"
+$ ELSE
+$ CC4DISABLEWARNINGS = CCDISABLEWARNINGS + ",DOLLARID"
+$ CCDISABLEWARNINGS = "/WARNING=(DISABLE=(" + CCDISABLEWARNINGS + "))"
+$ ENDIF
+$ CC4DISABLEWARNINGS = "/WARNING=(DISABLE=(" + CC4DISABLEWARNINGS + "))"
+$ ELSE
+$ CCDISABLEWARNINGS = ""
+$ CC4DISABLEWARNINGS = ""
+$ ENDIF
+$ CC2 = CC + "/DEFINE=(" + CCDEFS + ",_POSIX_C_SOURCE)" + CCDISABLEWARNINGS
+$ CC3 = CC + "/DEFINE=(" + CCDEFS + ISSEVEN + ")" + CCDISABLEWARNINGS
+$ CC = CC + "/DEFINE=(" + CCDEFS + ")" + CCDISABLEWARNINGS
+$ IF COMPILER .EQS. "DECC"
+$ THEN
+$ CC4 = CC - CCDISABLEWARNINGS + CC4DISABLEWARNINGS
+$ CC5 = CC3 - CCDISABLEWARNINGS + CC4DISABLEWARNINGS
+$ ELSE
+$ CC4 = CC
+$ CC5 = CC3
+$ ENDIF
+$!
+$! Show user the result
+$!
+$ WRITE SYS$OUTPUT "Main Compiling Command: ",CC
+$!
+$! Else The User Entered An Invalid Arguement.
+$!
+$ ELSE
+$!
+$! Tell The User We Don't Know What They Want.
+$!
+$ WRITE SYS$OUTPUT ""
+$ WRITE SYS$OUTPUT "The Option ",P4," Is Invalid. The Valid Options Are:"
+$ WRITE SYS$OUTPUT ""
+$ WRITE SYS$OUTPUT " VAXC : To Compile With VAX C."
+$ WRITE SYS$OUTPUT " DECC : To Compile With DEC C."
+$ WRITE SYS$OUTPUT " GNUC : To Compile With GNU C."
+$ WRITE SYS$OUTPUT ""
+$!
+$! Time To EXIT.
+$!
+$ EXIT
+$ ENDIF
+$!
+$! Time to check the contents, and to make sure we get the correct library.
+$!
+$ IF P5.EQS."SOCKETSHR" .OR. P5.EQS."MULTINET" .OR. P5.EQS."UCX"
+$ THEN
+$!
+$! Check to see if SOCKETSHR was chosen
+$!
+$ IF P5.EQS."SOCKETSHR"
+$ THEN
+$!
+$! Set the library to use SOCKETSHR
+$!
+$ TCPIP_LIB = "[-.VMS]SOCKETSHR_SHR.OPT/OPT"
+$!
+$! Done with SOCKETSHR
+$!
+$ ENDIF
+$!
+$! Check to see if MULTINET was chosen
+$!
+$ IF P5.EQS."MULTINET"
+$ THEN
+$!
+$! Set the library to use UCX emulation.
+$!
+$ P5 = "UCX"
+$!
+$! Done with MULTINET
+$!
+$ ENDIF
+$!
+$! Check to see if UCX was chosen
+$!
+$ IF P5.EQS."UCX"
+$ THEN
+$!
+$! Set the library to use UCX.
+$!
+$ TCPIP_LIB = "[-.VMS]UCX_SHR_DECC.OPT/OPT"
+$ IF F$TRNLNM("UCX$IPC_SHR") .NES. ""
+$ THEN
+$ TCPIP_LIB = "[-.VMS]UCX_SHR_DECC_LOG.OPT/OPT"
+$ ELSE
+$ IF COMPILER .NES. "DECC" .AND. ARCH .EQS. "VAX" THEN -
+ TCPIP_LIB = "[-.VMS]UCX_SHR_VAXC.OPT/OPT"
+$ ENDIF
+$!
+$! Done with UCX
+$!
+$ ENDIF
+$!
+$! Print info
+$!
+$ WRITE SYS$OUTPUT "TCP/IP library spec: ", TCPIP_LIB
+$!
+$! Else The User Entered An Invalid Arguement.
+$!
+$ ELSE
+$!
+$! Tell The User We Don't Know What They Want.
+$!
+$ WRITE SYS$OUTPUT ""
+$ WRITE SYS$OUTPUT "The Option ",P5," Is Invalid. The Valid Options Are:"
+$ WRITE SYS$OUTPUT ""
+$ WRITE SYS$OUTPUT " SOCKETSHR : To link with SOCKETSHR TCP/IP library."
+$ WRITE SYS$OUTPUT " UCX : To link with UCX TCP/IP library."
+$ WRITE SYS$OUTPUT ""
+$!
+$! Time To EXIT.
+$!
+$ EXIT
+$!
+$! Done with TCP/IP libraries
+$!
+$ ENDIF
+$!
+$! Time To RETURN...
+$!
+$ RETURN
+$!
+$ INITIALISE:
+$!
+$! Save old value of the logical name OPENSSL
+$!
+$ __SAVE_OPENSSL = F$TRNLNM("OPENSSL","LNM$PROCESS_TABLE")
+$!
+$! Save directory information
+$!
+$ __HERE = F$PARSE(F$PARSE("A.;",F$ENVIRONMENT("PROCEDURE"))-"A.;","[]A.;") - "A.;"
+$ __TOP = __HERE - "SSL]"
+$ __INCLUDE = __TOP + "INCLUDE.OPENSSL]"
+$!
+$! Set up the logical name OPENSSL to point at the include directory
+$!
+$ DEFINE OPENSSL/NOLOG '__INCLUDE'
+$!
+$! Done
+$!
+$ RETURN
+$!
+$ CLEANUP:
+$!
+$! Restore the logical name OPENSSL if it had a value
+$!
+$ IF __SAVE_OPENSSL .EQS. ""
+$ THEN
+$ DEASSIGN OPENSSL
+$ ELSE
+$ DEFINE/NOLOG OPENSSL '__SAVE_OPENSSL'
+$ ENDIF
+$!
+$! Done
+$!
+$ RETURN
diff --git a/lib/libssl/src/ssl/ssl.c b/lib/libssl/src/ssl/ssl.c
deleted file mode 100644
index 7f506ce48f1..00000000000
--- a/lib/libssl/src/ssl/ssl.c
+++ /dev/null
@@ -1,172 +0,0 @@
-/* ssl/ssl.c */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to. The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code. The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * "This product includes cryptographic software written by
- * Eric Young (eay@cryptsoft.com)"
- * The word 'cryptographic' can be left out if the rouines from the library
- * being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- * the apps directory (application code) you must include an acknowledgement:
- * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed. i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-
-#define USE_SOCKETS
-#include "../e_os.h"
-
-#include "buffer.h"
-#include "stack.h"
-#include "lhash.h"
-
-#include "bio.h"
-#include "err.h"
-
-#include "bn.h"
-
-#include "rand.h"
-#include "conf.h"
-#include "txt_db.h"
-
-#include "err.h"
-#include "evp.h"
-
-#include "x509.h"
-#include "pkcs7.h"
-#include "pem.h"
-#include "asn1.h"
-#include "objects.h"
-
-#include "ssl_locl.h"
-
-#if !(BUILD_SSLV23) && !defined(BUILD_SSLV2) && !defined(BUILD_SSLV3) && !defined(BUILD_SSL_COMMON) && !defined(BUILD_SSL_BIO) && !defined(BUILD_SSL_OPTIONAL)
-#define BUILD_SSLV23
-#define BUILD_SSLV2
-#define BUILD_SSLV3
-#define BUILD_TLS1
-#define BUILD_SSL_COMMON
-#define BUILD_SSL_BIO
-#define BUILD_SSL_OPTIONAL
-#endif
-
-#ifdef NO_RSA
-#undef BUILD_SSLV2
-#undef BUILD_SSLV23
-#endif
-
-#ifdef NO_SSL2
-#undef BUILD_SSLV2
-#undef BUILD_SSLV23
-#endif
-
-#ifdef NO_SSL3
-#undef BUILD_SSL3
-#undef BUILD_SSLV23
-#endif
-
-#ifdef BUILD_SSLV23
-#include "s23_clnt.c"
-#include "s23_srvr.c"
-#include "s23_pkt.c"
-#include "s23_lib.c"
-#include "s23_meth.c"
-#endif
-
-#ifdef BUILD_SSLV2
-#include "s2_clnt.c"
-#include "s2_srvr.c"
-#include "s2_pkt.c"
-#include "s2_enc.c"
-#include "s2_lib.c"
-#include "s2_meth.c"
-#endif
-
-#ifdef BUILD_SSLV3
-#include "s3_clnt.c"
-#include "s3_both.c"
-#include "s3_srvr.c"
-#include "s3_pkt.c"
-#include "s3_enc.c"
-#include "s3_lib.c"
-#include "s3_meth.c"
-#endif
-
-#ifdef BUILD_TLS1
-#include "t1_clnt.c"
-#include "t1_enc.c"
-#include "t1_lib.c"
-#include "t1_meth.c"
-#include "t1_srvr.c"
-#endif
-
-
-#ifdef BUILD_SSL_COMMON
-#include "ssl_lib.c"
-#include "ssl_algs.c"
-#include "ssl_cert.c"
-#include "ssl_ciph.c"
-#include "ssl_sess.c"
-#include "ssl_rsa.c"
-#endif
-
-/* Extra things */
-#ifdef BUILD_SSL_BIO
-#include "bio_ssl.c"
-#endif
-
-#ifdef BUILD_SSL_OPTIONAL
-#include "ssl_asn1.c"
-#include "ssl_txt.c"
-#include "ssl_stat.c"
-#include "ssl_err.c"
-#include "ssl_err2.c"
-#endif
-
diff --git a/lib/libssl/src/ssl/ssl.err b/lib/libssl/src/ssl/ssl.err
deleted file mode 100644
index c54326c624b..00000000000
--- a/lib/libssl/src/ssl/ssl.err
+++ /dev/null
@@ -1,290 +0,0 @@
-/* Error codes for the SSL functions. */
-
-/* Function codes. */
-#define SSL_F_CLIENT_CERTIFICATE 100
-#define SSL_F_CLIENT_HELLO 101
-#define SSL_F_CLIENT_MASTER_KEY 102
-#define SSL_F_D2I_SSL_SESSION 103
-#define SSL_F_DO_SSL3_WRITE 104
-#define SSL_F_GET_CLIENT_FINISHED 105
-#define SSL_F_GET_CLIENT_HELLO 106
-#define SSL_F_GET_CLIENT_MASTER_KEY 107
-#define SSL_F_GET_SERVER_FINISHED 108
-#define SSL_F_GET_SERVER_HELLO 109
-#define SSL_F_GET_SERVER_VERIFY 110
-#define SSL_F_I2D_SSL_SESSION 111
-#define SSL_F_READ_N 112
-#define SSL_F_REQUEST_CERTIFICATE 113
-#define SSL_F_SERVER_HELLO 114
-#define SSL_F_SSL23_ACCEPT 115
-#define SSL_F_SSL23_CLIENT_HELLO 116
-#define SSL_F_SSL23_CONNECT 117
-#define SSL_F_SSL23_GET_CLIENT_HELLO 118
-#define SSL_F_SSL23_GET_SERVER_HELLO 119
-#define SSL_F_SSL23_READ 120
-#define SSL_F_SSL23_WRITE 121
-#define SSL_F_SSL2_ACCEPT 122
-#define SSL_F_SSL2_CONNECT 123
-#define SSL_F_SSL2_ENC_INIT 124
-#define SSL_F_SSL2_READ 125
-#define SSL_F_SSL2_SET_CERTIFICATE 126
-#define SSL_F_SSL2_WRITE 127
-#define SSL_F_SSL3_ACCEPT 128
-#define SSL_F_SSL3_CHANGE_CIPHER_STATE 129
-#define SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM 130
-#define SSL_F_SSL3_CLIENT_HELLO 131
-#define SSL_F_SSL3_CONNECT 132
-#define SSL_F_SSL3_CTX_CTRL 133
-#define SSL_F_SSL3_ENC 134
-#define SSL_F_SSL3_GET_CERTIFICATE_REQUEST 135
-#define SSL_F_SSL3_GET_CERT_VERIFY 136
-#define SSL_F_SSL3_GET_CLIENT_CERTIFICATE 137
-#define SSL_F_SSL3_GET_CLIENT_HELLO 138
-#define SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE 139
-#define SSL_F_SSL3_GET_FINISHED 140
-#define SSL_F_SSL3_GET_KEY_EXCHANGE 141
-#define SSL_F_SSL3_GET_MESSAGE 142
-#define SSL_F_SSL3_GET_RECORD 143
-#define SSL_F_SSL3_GET_SERVER_CERTIFICATE 144
-#define SSL_F_SSL3_GET_SERVER_DONE 145
-#define SSL_F_SSL3_GET_SERVER_HELLO 146
-#define SSL_F_SSL3_OUTPUT_CERT_CHAIN 147
-#define SSL_F_SSL3_READ_BYTES 148
-#define SSL_F_SSL3_READ_N 149
-#define SSL_F_SSL3_SEND_CERTIFICATE_REQUEST 150
-#define SSL_F_SSL3_SEND_CLIENT_CERTIFICATE 151
-#define SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE 152
-#define SSL_F_SSL3_SEND_CLIENT_VERIFY 153
-#define SSL_F_SSL3_SEND_SERVER_CERTIFICATE 154
-#define SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE 155
-#define SSL_F_SSL3_SETUP_BUFFERS 156
-#define SSL_F_SSL3_SETUP_KEY_BLOCK 157
-#define SSL_F_SSL3_WRITE_BYTES 158
-#define SSL_F_SSL3_WRITE_PENDING 159
-#define SSL_F_SSL_BAD_METHOD 160
-#define SSL_F_SSL_BYTES_TO_CIPHER_LIST 161
-#define SSL_F_SSL_CERT_NEW 162
-#define SSL_F_SSL_CHECK_PRIVATE_KEY 163
-#define SSL_F_SSL_CREATE_CIPHER_LIST 164
-#define SSL_F_SSL_CTX_CHECK_PRIVATE_KEY 165
-#define SSL_F_SSL_CTX_NEW 166
-#define SSL_F_SSL_CTX_SET_SSL_VERSION 167
-#define SSL_F_SSL_CTX_USE_CERTIFICATE 168
-#define SSL_F_SSL_CTX_USE_CERTIFICATE_ASN1 169
-#define SSL_F_SSL_CTX_USE_CERTIFICATE_FILE 170
-#define SSL_F_SSL_CTX_USE_PRIVATEKEY 171
-#define SSL_F_SSL_CTX_USE_PRIVATEKEY_ASN1 172
-#define SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE 173
-#define SSL_F_SSL_CTX_USE_RSAPRIVATEKEY 174
-#define SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_ASN1 175
-#define SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE 176
-#define SSL_F_SSL_DO_HANDSHAKE 177
-#define SSL_F_SSL_GET_NEW_SESSION 178
-#define SSL_F_SSL_GET_SERVER_SEND_CERT 179
-#define SSL_F_SSL_GET_SIGN_PKEY 180
-#define SSL_F_SSL_INIT_WBIO_BUFFER 181
-#define SSL_F_SSL_LOAD_CLIENT_CA_FILE 182
-#define SSL_F_SSL_NEW 183
-#define SSL_F_SSL_RSA_PRIVATE_DECRYPT 184
-#define SSL_F_SSL_RSA_PUBLIC_ENCRYPT 185
-#define SSL_F_SSL_SESSION_NEW 186
-#define SSL_F_SSL_SESSION_PRINT_FP 187
-#define SSL_F_SSL_SET_CERT 188
-#define SSL_F_SSL_SET_FD 189
-#define SSL_F_SSL_SET_PKEY 190
-#define SSL_F_SSL_SET_RFD 191
-#define SSL_F_SSL_SET_SESSION 192
-#define SSL_F_SSL_SET_WFD 193
-#define SSL_F_SSL_UNDEFINED_FUNCTION 194
-#define SSL_F_SSL_USE_CERTIFICATE 195
-#define SSL_F_SSL_USE_CERTIFICATE_ASN1 196
-#define SSL_F_SSL_USE_CERTIFICATE_FILE 197
-#define SSL_F_SSL_USE_PRIVATEKEY 198
-#define SSL_F_SSL_USE_PRIVATEKEY_ASN1 199
-#define SSL_F_SSL_USE_PRIVATEKEY_FILE 200
-#define SSL_F_SSL_USE_RSAPRIVATEKEY 201
-#define SSL_F_SSL_USE_RSAPRIVATEKEY_ASN1 202
-#define SSL_F_SSL_USE_RSAPRIVATEKEY_FILE 203
-#define SSL_F_SSL_WRITE 204
-#define SSL_F_TLS1_CHANGE_CIPHER_STATE 205
-#define SSL_F_TLS1_ENC 206
-#define SSL_F_TLS1_SETUP_KEY_BLOCK 207
-#define SSL_F_WRITE_PENDING 208
-
-/* Reason codes. */
-#define SSL_R_APP_DATA_IN_HANDSHAKE 100
-#define SSL_R_BAD_ALERT_RECORD 101
-#define SSL_R_BAD_AUTHENTICATION_TYPE 102
-#define SSL_R_BAD_CHANGE_CIPHER_SPEC 103
-#define SSL_R_BAD_CHECKSUM 104
-#define SSL_R_BAD_CLIENT_REQUEST 105
-#define SSL_R_BAD_DATA_RETURNED_BY_CALLBACK 106
-#define SSL_R_BAD_DECOMPRESSION 107
-#define SSL_R_BAD_DH_G_LENGTH 108
-#define SSL_R_BAD_DH_PUB_KEY_LENGTH 109
-#define SSL_R_BAD_DH_P_LENGTH 110
-#define SSL_R_BAD_DIGEST_LENGTH 111
-#define SSL_R_BAD_DSA_SIGNATURE 112
-#define SSL_R_BAD_MAC_DECODE 113
-#define SSL_R_BAD_MESSAGE_TYPE 114
-#define SSL_R_BAD_PACKET_LENGTH 115
-#define SSL_R_BAD_PROTOCOL_VERSION_NUMBER 116
-#define SSL_R_BAD_RESPONSE_ARGUMENT 117
-#define SSL_R_BAD_RSA_DECRYPT 118
-#define SSL_R_BAD_RSA_ENCRYPT 119
-#define SSL_R_BAD_RSA_E_LENGTH 120
-#define SSL_R_BAD_RSA_MODULUS_LENGTH 121
-#define SSL_R_BAD_RSA_SIGNATURE 122
-#define SSL_R_BAD_SIGNATURE 123
-#define SSL_R_BAD_SSL_FILETYPE 124
-#define SSL_R_BAD_SSL_SESSION_ID_LENGTH 125
-#define SSL_R_BAD_STATE 126
-#define SSL_R_BAD_WRITE_RETRY 127
-#define SSL_R_BIO_NOT_SET 128
-#define SSL_R_BLOCK_CIPHER_PAD_IS_WRONG 129
-#define SSL_R_BN_LIB 130
-#define SSL_R_CA_DN_LENGTH_MISMATCH 131
-#define SSL_R_CA_DN_TOO_LONG 132
-#define SSL_R_CCS_RECEIVED_EARLY 133
-#define SSL_R_CERTIFICATE_VERIFY_FAILED 134
-#define SSL_R_CERT_LENGTH_MISMATCH 135
-#define SSL_R_CHALLENGE_IS_DIFFERENT 136
-#define SSL_R_CIPHER_CODE_WRONG_LENGTH 137
-#define SSL_R_CIPHER_OR_HASH_UNAVAILABLE 138
-#define SSL_R_CIPHER_TABLE_SRC_ERROR 139
-#define SSL_R_COMPRESSED_LENGTH_TOO_LONG 140
-#define SSL_R_COMPRESSION_FAILURE 141
-#define SSL_R_CONNECTION_ID_IS_DIFFERENT 142
-#define SSL_R_CONNECTION_TYPE_NOT_SET 143
-#define SSL_R_DATA_BETWEEN_CCS_AND_FINISHED 144
-#define SSL_R_DATA_LENGTH_TOO_LONG 145
-#define SSL_R_DECRYPTION_FAILED 146
-#define SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG 147
-#define SSL_R_DIGEST_CHECK_FAILED 148
-#define SSL_R_ENCRYPTED_LENGTH_TOO_LONG 149
-#define SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST 150
-#define SSL_R_EXCESSIVE_MESSAGE_SIZE 151
-#define SSL_R_EXTRA_DATA_IN_MESSAGE 152
-#define SSL_R_GOT_A_FIN_BEFORE_A_CCS 153
-#define SSL_R_HTTPS_PROXY_REQUEST 154
-#define SSL_R_HTTP_REQUEST 155
-#define SSL_R_INTERNAL_ERROR 156
-#define SSL_R_INVALID_CHALLENGE_LENGTH 157
-#define SSL_R_LENGTH_MISMATCH 158
-#define SSL_R_LENGTH_TOO_SHORT 159
-#define SSL_R_LIBRARY_HAS_NO_CIPHERS 160
-#define SSL_R_MISSING_DH_DSA_CERT 161
-#define SSL_R_MISSING_DH_KEY 162
-#define SSL_R_MISSING_DH_RSA_CERT 163
-#define SSL_R_MISSING_DSA_SIGNING_CERT 164
-#define SSL_R_MISSING_EXPORT_TMP_DH_KEY 165
-#define SSL_R_MISSING_EXPORT_TMP_RSA_KEY 166
-#define SSL_R_MISSING_RSA_CERTIFICATE 167
-#define SSL_R_MISSING_RSA_ENCRYPTING_CERT 168
-#define SSL_R_MISSING_RSA_SIGNING_CERT 169
-#define SSL_R_MISSING_TMP_DH_KEY 170
-#define SSL_R_MISSING_TMP_RSA_KEY 171
-#define SSL_R_MISSING_TMP_RSA_PKEY 172
-#define SSL_R_MISSING_VERIFY_MESSAGE 173
-#define SSL_R_NON_SSLV2_INITIAL_PACKET 174
-#define SSL_R_NO_CERTIFICATES_RETURNED 175
-#define SSL_R_NO_CERTIFICATE_ASSIGNED 176
-#define SSL_R_NO_CERTIFICATE_RETURNED 177
-#define SSL_R_NO_CERTIFICATE_SET 178
-#define SSL_R_NO_CERTIFICATE_SPECIFIED 179
-#define SSL_R_NO_CIPHERS_AVAILABLE 180
-#define SSL_R_NO_CIPHERS_PASSED 181
-#define SSL_R_NO_CIPHERS_SPECIFIED 182
-#define SSL_R_NO_CIPHER_LIST 183
-#define SSL_R_NO_CIPHER_MATCH 184
-#define SSL_R_NO_CLIENT_CERT_RECEIVED 185
-#define SSL_R_NO_COMPRESSION_SPECIFIED 186
-#define SSL_R_NO_PRIVATEKEY 187
-#define SSL_R_NO_PRIVATE_KEY_ASSIGNED 188
-#define SSL_R_NO_PROTOCOLS_AVAILABLE 189
-#define SSL_R_NO_PUBLICKEY 190
-#define SSL_R_NO_SHARED_CIPHER 191
-#define SSL_R_NULL_SSL_CTX 192
-#define SSL_R_NULL_SSL_METHOD_PASSED 193
-#define SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED 194
-#define SSL_R_PACKET_LENGTH_TOO_LONG 195
-#define SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE 196
-#define SSL_R_PEER_ERROR 197
-#define SSL_R_PEER_ERROR_CERTIFICATE 198
-#define SSL_R_PEER_ERROR_NO_CERTIFICATE 199
-#define SSL_R_PEER_ERROR_NO_CIPHER 200
-#define SSL_R_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE 201
-#define SSL_R_PRE_MAC_LENGTH_TOO_LONG 202
-#define SSL_R_PROBLEMS_MAPPING_CIPHER_FUNCTIONS 203
-#define SSL_R_PROTOCOL_IS_SHUTDOWN 204
-#define SSL_R_PUBLIC_KEY_ENCRYPT_ERROR 205
-#define SSL_R_PUBLIC_KEY_IS_NOT_RSA 206
-#define SSL_R_PUBLIC_KEY_NOT_RSA 207
-#define SSL_R_READ_BIO_NOT_SET 208
-#define SSL_R_READ_WRONG_PACKET_TYPE 209
-#define SSL_R_RECORD_LENGTH_MISMATCH 210
-#define SSL_R_RECORD_TOO_LARGE 211
-#define SSL_R_REQUIRED_CIPHER_MISSING 212
-#define SSL_R_REUSE_CERT_LENGTH_NOT_ZERO 213
-#define SSL_R_REUSE_CERT_TYPE_NOT_ZERO 214
-#define SSL_R_REUSE_CIPHER_LIST_NOT_ZERO 215
-#define SSL_R_SHORT_READ 216
-#define SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE 217
-#define SSL_R_SSL3_SESSION_ID_TOO_SHORT 218
-#define SSL_R_SSLV3_ALERT_BAD_CERTIFICATE 1042
-#define SSL_R_SSLV3_ALERT_BAD_RECORD_MAC 1020
-#define SSL_R_SSLV3_ALERT_CERTIFICATE_EXPIRED 1045
-#define SSL_R_SSLV3_ALERT_CERTIFICATE_REVOKED 1044
-#define SSL_R_SSLV3_ALERT_CERTIFICATE_UNKNOWN 1046
-#define SSL_R_SSLV3_ALERT_DECOMPRESSION_FAILURE 1030
-#define SSL_R_SSLV3_ALERT_HANDSHAKE_FAILURE 1040
-#define SSL_R_SSLV3_ALERT_ILLEGAL_PARAMETER 1047
-#define SSL_R_SSLV3_ALERT_NO_CERTIFICATE 1041
-#define SSL_R_SSLV3_ALERT_PEER_ERROR_CERTIFICATE 219
-#define SSL_R_SSLV3_ALERT_PEER_ERROR_NO_CERTIFICATE 220
-#define SSL_R_SSLV3_ALERT_PEER_ERROR_NO_CIPHER 221
-#define SSL_R_SSLV3_ALERT_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE 222
-#define SSL_R_SSLV3_ALERT_UNEXPECTED_MESSAGE 1010
-#define SSL_R_SSLV3_ALERT_UNKNOWN_REMOTE_ERROR_TYPE 223
-#define SSL_R_SSLV3_ALERT_UNSUPPORTED_CERTIFICATE 1043
-#define SSL_R_SSL_CTX_HAS_NO_DEFAULT_SSL_VERSION 224
-#define SSL_R_SSL_HANDSHAKE_FAILURE 225
-#define SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS 226
-#define SSL_R_SSL_SESSION_ID_IS_DIFFERENT 227
-#define SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER 228
-#define SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST 229
-#define SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG 230
-#define SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER 231
-#define SSL_R_UNABLE_TO_DECODE_DH_CERTS 232
-#define SSL_R_UNABLE_TO_EXTRACT_PUBLIC_KEY 233
-#define SSL_R_UNABLE_TO_FIND_DH_PARAMETERS 234
-#define SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS 235
-#define SSL_R_UNABLE_TO_FIND_SSL_METHOD 236
-#define SSL_R_UNABLE_TO_LOAD_SSL2_MD5_ROUTINES 237
-#define SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES 238
-#define SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES 239
-#define SSL_R_UNEXPECTED_MESSAGE 240
-#define SSL_R_UNEXPECTED_RECORD 241
-#define SSL_R_UNKNOWN_ALERT_TYPE 242
-#define SSL_R_UNKNOWN_CERTIFICATE_TYPE 243
-#define SSL_R_UNKNOWN_CIPHER_RETURNED 244
-#define SSL_R_UNKNOWN_CIPHER_TYPE 245
-#define SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE 246
-#define SSL_R_UNKNOWN_PKEY_TYPE 247
-#define SSL_R_UNKNOWN_PROTOCOL 248
-#define SSL_R_UNKNOWN_REMOTE_ERROR_TYPE 249
-#define SSL_R_UNKNOWN_SSL_VERSION 250
-#define SSL_R_UNKNOWN_STATE 251
-#define SSL_R_UNSUPPORTED_CIPHER 252
-#define SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM 253
-#define SSL_R_UNSUPPORTED_PROTOCOL 254
-#define SSL_R_UNSUPPORTED_SSL_VERSION 255
-#define SSL_R_WRITE_BIO_NOT_SET 256
-#define SSL_R_WRONG_CIPHER_RETURNED 257
-#define SSL_R_WRONG_MESSAGE_TYPE 258
-#define SSL_R_WRONG_NUMBER_OF_KEY_BITS 259
-#define SSL_R_WRONG_SIGNATURE_LENGTH 260
-#define SSL_R_WRONG_SIGNATURE_SIZE 261
-#define SSL_R_WRONG_SSL_VERSION 262
-#define SSL_R_WRONG_VERSION_NUMBER 263
-#define SSL_R_X509_LIB 264
diff --git a/lib/libssl/src/ssl/ssl.h b/lib/libssl/src/ssl/ssl.h
index cf8f9651b2b..fbe4f667fa1 100644
--- a/lib/libssl/src/ssl/ssl.h
+++ b/lib/libssl/src/ssl/ssl.h
@@ -63,6 +63,8 @@
extern "C" {
#endif
+#include <openssl/safestack.h>
+
/* SSLeay version number for ASN.1 encoding of the session information */
/* Version 0 - initial version
* Version 1 - added the optional peer certificate
@@ -82,6 +84,7 @@ extern "C" {
#define SSL_TXT_DES_192_EDE3_CBC_WITH_SHA SSL2_TXT_DES_192_EDE3_CBC_WITH_SHA
#define SSL_MAX_SSL_SESSION_ID_LENGTH 32
+#define SSL_MAX_SID_CTX_LENGTH 32
#define SSL_MIN_RSA_MODULUS_LENGTH_IN_BYTES (512/8)
#define SSL_MAX_KEY_ARG_LENGTH 8
@@ -120,10 +123,12 @@ extern "C" {
#define SSL_TXT_MD5 "MD5"
#define SSL_TXT_SHA1 "SHA1"
#define SSL_TXT_SHA "SHA"
-#define SSL_TXT_EXP "EXP"
+#define SSL_TXT_EXP40 "EXP"
#define SSL_TXT_EXPORT "EXPORT"
+#define SSL_TXT_EXP56 "EXPORT56"
#define SSL_TXT_SSLV2 "SSLv2"
#define SSL_TXT_SSLV3 "SSLv3"
+#define SSL_TXT_TLSV1 "TLSv1"
#define SSL_TXT_ALL "ALL"
/* 'DEFAULT' at the start of the cipher list insert the following string
@@ -139,11 +144,12 @@ extern "C" {
#define SSL_SENT_SHUTDOWN 1
#define SSL_RECEIVED_SHUTDOWN 2
-#include "crypto.h"
-#include "lhash.h"
-#include "buffer.h"
-#include "bio.h"
-#include "x509.h"
+#include <openssl/crypto.h>
+#include <openssl/lhash.h>
+#include <openssl/buffer.h>
+#include <openssl/bio.h>
+#include <openssl/pem.h>
+#include <openssl/x509.h>
#define SSL_FILETYPE_ASN1 X509_FILETYPE_ASN1
#define SSL_FILETYPE_PEM X509_FILETYPE_PEM
@@ -157,44 +163,46 @@ typedef struct ssl_st *ssl_crock_st;
typedef struct ssl_cipher_st
{
int valid;
- char *name; /* text name */
+ const char *name; /* text name */
unsigned long id; /* id, 4 bytes, first is version */
unsigned long algorithms; /* what ciphers are used */
unsigned long algorithm2; /* Extra flags */
unsigned long mask; /* used for matching */
} SSL_CIPHER;
+DECLARE_STACK_OF(SSL_CIPHER)
+
+typedef struct ssl_st SSL;
+typedef struct ssl_ctx_st SSL_CTX;
+
/* Used to hold functions for SSLv2 or SSLv3/TLSv1 functions */
typedef struct ssl_method_st
{
int version;
- int (*ssl_new)();
- void (*ssl_clear)();
- void (*ssl_free)();
- int (*ssl_accept)();
- int (*ssl_connect)();
- int (*ssl_read)();
- int (*ssl_peek)();
- int (*ssl_write)();
- int (*ssl_shutdown)();
- int (*ssl_renegotiate)();
- long (*ssl_ctrl)();
- long (*ssl_ctx_ctrl)();
- SSL_CIPHER *(*get_cipher_by_char)();
- int (*put_cipher_by_char)();
- int (*ssl_pending)();
- int (*num_ciphers)();
- SSL_CIPHER *(*get_cipher)();
- struct ssl_method_st *(*get_ssl_method)();
- long (*get_timeout)();
+ int (*ssl_new)(SSL *s);
+ void (*ssl_clear)(SSL *s);
+ void (*ssl_free)(SSL *s);
+ int (*ssl_accept)(SSL *s);
+ int (*ssl_connect)(SSL *s);
+ int (*ssl_read)(SSL *s,void *buf,int len);
+ int (*ssl_peek)(SSL *s,char *buf,int len);
+ int (*ssl_write)(SSL *s,const void *buf,int len);
+ int (*ssl_shutdown)(SSL *s);
+ int (*ssl_renegotiate)(SSL *s);
+ int (*ssl_renegotiate_check)(SSL *s);
+ long (*ssl_ctrl)(SSL *s,int cmd,long larg,char *parg);
+ long (*ssl_ctx_ctrl)(SSL_CTX *ctx,int cmd,long larg,char *parg);
+ SSL_CIPHER *(*get_cipher_by_char)(const unsigned char *ptr);
+ int (*put_cipher_by_char)(const SSL_CIPHER *cipher,unsigned char *ptr);
+ int (*ssl_pending)(SSL *s);
+ int (*num_ciphers)(void);
+ SSL_CIPHER *(*get_cipher)(unsigned ncipher);
+ struct ssl_method_st *(*get_ssl_method)(int version);
+ long (*get_timeout)(void);
struct ssl3_enc_method *ssl3_enc; /* Extra SSLv3/TLS stuff */
+ int (*ssl_version)();
} SSL_METHOD;
-typedef struct ssl_compression_st
- {
- char *stuff;
- } SSL_COMPRESSION;
-
/* Lets make this into an ASN.1 type structure as follows
* SSL_SESSION_ID ::= SEQUENCE {
* version INTEGER, -- structure version number
@@ -206,6 +214,8 @@ typedef struct ssl_compression_st
* Time [ 1 ] EXPLICIT INTEGER, -- optional Start Time
* Timeout [ 2 ] EXPLICIT INTEGER, -- optional Timeout ins seconds
* Peer [ 3 ] EXPLICIT X509, -- optional Peer Certificate
+ * Session_ID_context [ 4 ] EXPLICIT OCTET_STRING, -- the Session ID context
+ * Compression [5] IMPLICIT ASN1_OBJECT -- compression OID XXXXX
* }
* Look in ssl/ssl_asn1.c for more details
* I'm using EXPLICIT tags so I can read the damn things using asn1parse :-).
@@ -223,29 +233,35 @@ typedef struct ssl_session_st
/* session_id - valid? */
unsigned int session_id_length;
unsigned char session_id[SSL_MAX_SSL_SESSION_ID_LENGTH];
+ /* this is used to determine whether the session is being reused in
+ * the appropriate context. It is up to the application to set this,
+ * via SSL_new */
+ unsigned int sid_ctx_length;
+ unsigned char sid_ctx[SSL_MAX_SID_CTX_LENGTH];
int not_resumable;
/* The cert is the certificate used to establish this connection */
- struct cert_st /* CERT */ *cert;
+ struct sess_cert_st /* SESS_CERT */ *sess_cert;
- /* This is the cert for the other end. On servers, it will be
- * the same as cert->x509 */
+ /* This is the cert for the other end.
+ * On clients, it will be the same as sess_cert->peer_key->x509
+ * (the latter is not enough as sess_cert is not retained
+ * in the external representation of sessions, see ssl_asn1.c). */
X509 *peer;
int references;
long timeout;
long time;
- SSL_COMPRESSION *read_compression;
- SSL_COMPRESSION *write_compression;
+ int compress_meth; /* Need to lookup the method */
SSL_CIPHER *cipher;
unsigned long cipher_id; /* when ASN.1 loaded, this
* needs to be used to load
* the 'cipher' structure */
- STACK /* SSL_CIPHER */ *ciphers; /* shared ciphers? */
+ STACK_OF(SSL_CIPHER) *ciphers; /* shared ciphers? */
CRYPTO_EX_DATA ex_data; /* application specific data */
@@ -262,42 +278,81 @@ typedef struct ssl_session_st
#define SSL_OP_MSIE_SSLV2_RSA_PADDING 0x00000040L
#define SSL_OP_SSLEAY_080_CLIENT_DH_BUG 0x00000080L
#define SSL_OP_TLS_D5_BUG 0x00000100L
-#define SSL_OP_TLS_BLOCK_PADDING_BUG 0x00000200L
+#define SSL_OP_TLS_BLOCK_PADDING_BUG 0x00000200L
+#define SSL_OP_TLS_ROLLBACK_BUG 0x00000400L
-/* If set, only use tmp_dh parameters once */
+/* If set, always create a new key when using tmp_dh parameters */
#define SSL_OP_SINGLE_DH_USE 0x00100000L
/* Set to also use the tmp_rsa key when doing RSA operations. */
#define SSL_OP_EPHEMERAL_RSA 0x00200000L
+/* The next flag deliberately changes the ciphertest, this is a check
+ * for the PKCS#1 attack */
+#define SSL_OP_PKCS1_CHECK_1 0x08000000L
+#define SSL_OP_PKCS1_CHECK_2 0x10000000L
#define SSL_OP_NETSCAPE_CA_DN_BUG 0x20000000L
#define SSL_OP_NON_EXPORT_FIRST 0x40000000L
#define SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG 0x80000000L
#define SSL_OP_ALL 0x000FFFFFL
-#define SSL_CTX_set_options(ctx,op) ((ctx)->options|=(op))
-#define SSL_set_options(ssl,op) ((ssl)->options|=(op))
-
#define SSL_OP_NO_SSLv2 0x01000000L
#define SSL_OP_NO_SSLv3 0x02000000L
#define SSL_OP_NO_TLSv1 0x04000000L
-/* Normally you will only use these if your application wants to use
- * the certificate store in other places, perhaps PKCS7 */
-#define SSL_CTX_get_cert_store(ctx) ((ctx)->cert_store)
-#define SSL_CTX_set_cert_store(ctx,cs) \
- (X509_STORE_free((ctx)->cert_store),(ctx)->cert_store=(cs))
-
+/* Allow SSL_write(..., n) to return r with 0 < r < n (i.e. report success
+ * when just a single record has been written): */
+#define SSL_MODE_ENABLE_PARTIAL_WRITE 0x00000001L
+/* Make it possible to retry SSL_write() with changed buffer location
+ * (buffer contents must stay the same!); this is not the default to avoid
+ * the misconception that non-blocking SSL_write() behaves like
+ * non-blocking write(): */
+#define SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER 0x00000002L
+
+/* Note: SSL[_CTX]_set_{options,mode} use |= op on the previous value,
+ * they cannot be used to clear bits. */
+
+#define SSL_CTX_set_options(ctx,op) \
+ SSL_CTX_ctrl(ctx,SSL_CTRL_OPTIONS,op,NULL)
+#define SSL_CTX_get_options(ctx) \
+ SSL_CTX_ctrl(ctx,SSL_CTRL_OPTIONS,0,NULL)
+#define SSL_set_options(ssl,op) \
+ SSL_ctrl(ssl,SSL_CTRL_OPTIONS,op,NULL)
+#define SSL_get_options(ssl) \
+ SSL_ctrl(ssl,SSL_CTRL_OPTIONS,0,NULL)
+
+#define SSL_CTX_set_mode(ctx,op) \
+ SSL_CTX_ctrl(ctx,SSL_CTRL_MODE,op,NULL)
+#define SSL_CTX_get_mode(ctx) \
+ SSL_CTX_ctrl(ctx,SSL_CTRL_MODE,0,NULL)
+#define SSL_set_mode(ssl,op) \
+ SSL_ctrl(ssl,SSL_CTRL_MODE,op,NULL)
+#define SSL_get_mode(ssl) \
+ SSL_ctrl(ssl,SSL_CTRL_MODE,0,NULL)
#define SSL_SESSION_CACHE_MAX_SIZE_DEFAULT (1024*20)
-typedef struct ssl_ctx_st
+typedef struct ssl_comp_st
+{
+ int id;
+ char *name;
+#ifdef HEADER_COMP_H
+ COMP_METHOD *method;
+#else
+ char *method;
+#endif
+} SSL_COMP;
+
+DECLARE_STACK_OF(SSL_COMP)
+
+struct ssl_ctx_st
{
SSL_METHOD *method;
unsigned long options;
+ unsigned long mode;
- STACK /* SSL_CIPHER */ *cipher_list;
+ STACK_OF(SSL_CIPHER) *cipher_list;
/* same as above but sorted for lookup */
- STACK /* SSL_CIPHER */ *cipher_list_by_id;
+ STACK_OF(SSL_CIPHER) *cipher_list_by_id;
struct x509_store_st /* X509_STORE */ *cert_store;
struct lhash_st /* LHASH */ *sessions; /* a set of SSL_SESSION's */
@@ -328,64 +383,70 @@ typedef struct ssl_ctx_st
* a session-id is removed from the cache. Again, a return
* of 0 mens that SSLeay should not SSL_SESSION_free() since
* the application is doing something with it. */
-#ifndef NOPROTO
int (*new_session_cb)(struct ssl_st *ssl,SSL_SESSION *sess);
void (*remove_session_cb)(struct ssl_ctx_st *ctx,SSL_SESSION *sess);
SSL_SESSION *(*get_session_cb)(struct ssl_st *ssl,
unsigned char *data,int len,int *copy);
-#else
- int (*new_session_cb)();
- void (*remove_session_cb)();
- SSL_SESSION *(*get_session_cb)();
-#endif
-
- int sess_connect; /* SSL new connection - started */
- int sess_connect_renegotiate;/* SSL renegotiatene - requested */
- int sess_connect_good; /* SSL new connection/renegotiate - finished */
- int sess_accept; /* SSL new accept - started */
- int sess_accept_renegotiate;/* SSL renegotiatene - requested */
- int sess_accept_good; /* SSL accept/renegotiate - finished */
- int sess_miss; /* session lookup misses */
- int sess_timeout; /* session reuse attempt on timeouted session */
- int sess_cache_full; /* session removed due to full cache */
- int sess_hit; /* session reuse actually done */
- int sess_cb_hit; /* session-id that was not in the cache was
- * passed back via the callback. This
- * indicates that the application is supplying
- * session-id's from other processes -
- * spooky :-) */
+ struct
+ {
+ int sess_connect; /* SSL new conn - started */
+ int sess_connect_renegotiate;/* SSL reneg - requested */
+ int sess_connect_good; /* SSL new conne/reneg - finished */
+ int sess_accept; /* SSL new accept - started */
+ int sess_accept_renegotiate;/* SSL reneg - requested */
+ int sess_accept_good; /* SSL accept/reneg - finished */
+ int sess_miss; /* session lookup misses */
+ int sess_timeout; /* reuse attempt on timeouted session */
+ int sess_cache_full; /* session removed due to full cache */
+ int sess_hit; /* session reuse actually done */
+ int sess_cb_hit; /* session-id that was not
+ * in the cache was
+ * passed back via the callback. This
+ * indicates that the application is
+ * supplying session-id's from other
+ * processes - spooky :-) */
+ } stats;
int references;
- void (*info_callback)();
+/**/ void (*info_callback)();
/* if defined, these override the X509_verify_cert() calls */
- int (*app_verify_callback)();
- char *app_verify_arg;
+/**/ int (*app_verify_callback)();
+/**/ char *app_verify_arg; /* never used; should be void * */
/* default values to use in SSL structures */
- struct cert_st /* CERT */ *default_cert;
- int default_read_ahead;
- int default_verify_mode;
- int (*default_verify_callback)();
+/**/ struct cert_st /* CERT */ *cert;
+/**/ int read_ahead;
+/**/ int verify_mode;
+/**/ int verify_depth;
+/**/ unsigned int sid_ctx_length;
+/**/ unsigned char sid_ctx[SSL_MAX_SID_CTX_LENGTH];
+/**/ int (*default_verify_callback)(int ok,X509_STORE_CTX *ctx);
/* Default password callback. */
- int (*default_passwd_callback)();
+/**/ pem_password_cb *default_passwd_callback;
+
+ /* Default password callback user data. */
+/**/ void *default_passwd_callback_userdata;
/* get client cert callback */
- int (*client_cert_cb)(/* SSL *ssl, X509 **x509, EVP_PKEY **pkey */);
+/**/ int (*client_cert_cb)(/* SSL *ssl, X509 **x509, EVP_PKEY **pkey */);
/* what we put in client requests */
- STACK *client_CA;
+ STACK_OF(X509_NAME) *client_CA;
- int quiet_shutdown;
+/**/ int quiet_shutdown;
CRYPTO_EX_DATA ex_data;
- EVP_MD *rsa_md5;/* For SSLv2 - name is 'ssl2-md5' */
- EVP_MD *md5; /* For SSLv3/TLSv1 'ssl3-md5' */
- EVP_MD *sha1; /* For SSLv3/TLSv1 'ssl3->sha1' */
- } SSL_CTX;
+ const EVP_MD *rsa_md5;/* For SSLv2 - name is 'ssl2-md5' */
+ const EVP_MD *md5; /* For SSLv3/TLSv1 'ssl3-md5' */
+ const EVP_MD *sha1; /* For SSLv3/TLSv1 'ssl3->sha1' */
+
+ STACK_OF(X509) *extra_certs;
+ STACK_OF(SSL_COMP) *comp_methods; /* stack of SSL_COMP, SSLv3/TLSv1 */
+ };
#define SSL_SESS_CACHE_OFF 0x0000
#define SSL_SESS_CACHE_CLIENT 0x0001
@@ -397,23 +458,30 @@ typedef struct ssl_ctx_st
* defined, this will still get called. */
#define SSL_SESS_CACHE_NO_INTERNAL_LOOKUP 0x0100
-#define SSL_CTX_sessions(ctx) ((ctx)->sessions)
-/* You will need to include lhash.h to access the following #define */
-#define SSL_CTX_sess_number(ctx) ((ctx)->sessions->num_items)
-#define SSL_CTX_sess_connect(ctx) ((ctx)->sess_connect)
-#define SSL_CTX_sess_connect_good(ctx) ((ctx)->sess_connect_good)
-#define SSL_CTX_sess_accept(ctx) ((ctx)->sess_accept)
-#define SSL_CTX_sess_accept_renegotiate(ctx) ((ctx)->sess_accept_renegotiate)
-#define SSL_CTX_sess_connect_renegotiate(ctx) ((ctx)->sess_connect_renegotiate)
-#define SSL_CTX_sess_accept_good(ctx) ((ctx)->sess_accept_good)
-#define SSL_CTX_sess_hits(ctx) ((ctx)->sess_hit)
-#define SSL_CTX_sess_cb_hits(ctx) ((ctx)->sess_cb_hit)
-#define SSL_CTX_sess_misses(ctx) ((ctx)->sess_miss)
-#define SSL_CTX_sess_timeouts(ctx) ((ctx)->sess_timeout)
-#define SSL_CTX_sess_cache_full(ctx) ((ctx)->sess_cache_full)
-
-#define SSL_CTX_sess_set_cache_size(ctx,t) ((ctx)->session_cache_size=(t))
-#define SSL_CTX_sess_get_cache_size(ctx) ((ctx)->session_cache_size)
+#define SSL_CTX_sess_number(ctx) \
+ SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_NUMBER,0,NULL)
+#define SSL_CTX_sess_connect(ctx) \
+ SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_CONNECT,0,NULL)
+#define SSL_CTX_sess_connect_good(ctx) \
+ SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_CONNECT_GOOD,0,NULL)
+#define SSL_CTX_sess_connect_renegotiate(ctx) \
+ SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_CONNECT_RENEGOTIATE,0,NULL)
+#define SSL_CTX_sess_accept(ctx) \
+ SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_ACCEPT,0,NULL)
+#define SSL_CTX_sess_accept_renegotiate(ctx) \
+ SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_ACCEPT_RENEGOTIATE,0,NULL)
+#define SSL_CTX_sess_accept_good(ctx) \
+ SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_ACCEPT_GOOD,0,NULL)
+#define SSL_CTX_sess_hits(ctx) \
+ SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_HIT,0,NULL)
+#define SSL_CTX_sess_cb_hits(ctx) \
+ SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_CB_HIT,0,NULL)
+#define SSL_CTX_sess_misses(ctx) \
+ SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_MISSES,0,NULL)
+#define SSL_CTX_sess_timeouts(ctx) \
+ SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_TIMEOUTS,0,NULL)
+#define SSL_CTX_sess_cache_full(ctx) \
+ SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_CACHE_FULL,0,NULL)
#define SSL_CTX_sess_set_new_cb(ctx,cb) ((ctx)->new_session_cb=(cb))
#define SSL_CTX_sess_get_new_cb(ctx) ((ctx)->new_session_cb)
@@ -421,15 +489,8 @@ typedef struct ssl_ctx_st
#define SSL_CTX_sess_get_remove_cb(ctx) ((ctx)->remove_session_cb)
#define SSL_CTX_sess_set_get_cb(ctx,cb) ((ctx)->get_session_cb=(cb))
#define SSL_CTX_sess_get_get_cb(ctx) ((ctx)->get_session_cb)
-#define SSL_CTX_set_session_cache_mode(ctx,m) ((ctx)->session_cache_mode=(m))
-#define SSL_CTX_get_session_cache_mode(ctx) ((ctx)->session_cache_mode)
-#define SSL_CTX_set_timeout(ctx,t) ((ctx)->session_timeout=(t))
-#define SSL_CTX_get_timeout(ctx) ((ctx)->session_timeout)
-
#define SSL_CTX_set_info_callback(ctx,cb) ((ctx)->info_callback=(cb))
#define SSL_CTX_get_info_callback(ctx) ((ctx)->info_callback)
-#define SSL_CTX_set_default_read_ahead(ctx,m) (((ctx)->default_read_ahead)=(m))
-
#define SSL_CTX_set_client_cert_cb(ctx,cb) ((ctx)->client_cert_cb=(cb))
#define SSL_CTX_get_client_cert_cb(ctx) ((ctx)->client_cert_cb)
@@ -439,18 +500,16 @@ typedef struct ssl_ctx_st
#define SSL_X509_LOOKUP 4
/* These will only be used when doing non-blocking IO */
-#define SSL_want(s) ((s)->rwstate)
-#define SSL_want_nothing(s) ((s)->rwstate == SSL_NOTHING)
-#define SSL_want_read(s) ((s)->rwstate == SSL_READING)
-#define SSL_want_write(s) ((s)->rwstate == SSL_WRITING)
-#define SSL_want_x509_lookup(s) ((s)->rwstate == SSL_X509_LOOKUP)
+#define SSL_want_nothing(s) (SSL_want(s) == SSL_NOTHING)
+#define SSL_want_read(s) (SSL_want(s) == SSL_READING)
+#define SSL_want_write(s) (SSL_want(s) == SSL_WRITING)
+#define SSL_want_x509_lookup(s) (SSL_want(s) == SSL_X509_LOOKUP)
-typedef struct ssl_st
+struct ssl_st
{
- /* procol version
- * 2 for SSLv2
- * 3 for SSLv3
- * -3 for SSLv3 but accept SSLv2 */
+ /* protocol version
+ * (one of SSL2_VERSION, SSL3_VERSION, TLS1_VERSION)
+ */
int version;
int type; /* SSL_ST_CONNECT or SSL_ST_ACCEPT */
@@ -480,7 +539,15 @@ typedef struct ssl_st
int in_handshake;
int (*handshake_func)();
-/* int server;*/ /* are we the server side? */
+ /* Imagine that here's a boolean member "init" that is
+ * switched as soon as SSL_set_{accept/connect}_state
+ * is called for the first time, so that "state" and
+ * "handshake_func" are properly initialized. But as
+ * handshake_func is == 0 until then, we use this
+ * test instead of an "init" member.
+ */
+
+ int server; /* are we the server side? - mostly used by SSL_clear*/
int new_session;/* 1 if we are to use a new session */
int quiet_shutdown;/* don't send shutdown packets */
@@ -504,19 +571,27 @@ typedef struct ssl_st
int hit; /* reusing a previous session */
/* crypto */
- STACK /* SSL_CIPHER */ *cipher_list;
- STACK /* SSL_CIPHER */ *cipher_list_by_id;
+ STACK_OF(SSL_CIPHER) *cipher_list;
+ STACK_OF(SSL_CIPHER) *cipher_list_by_id;
/* These are the ones being used, the ones is SSL_SESSION are
* the ones to be 'copied' into these ones */
EVP_CIPHER_CTX *enc_read_ctx; /* cryptographic state */
- EVP_MD *read_hash; /* used for mac generation */
- SSL_COMPRESSION *read_compression; /* compression */
+ const EVP_MD *read_hash; /* used for mac generation */
+#ifdef HEADER_COMP_H
+ COMP_CTX *expand; /* uncompress */
+#else
+ char *expand;
+#endif
EVP_CIPHER_CTX *enc_write_ctx; /* cryptographic state */
- EVP_MD *write_hash; /* used for mac generation */
- SSL_COMPRESSION *write_compression; /* compression */
+ const EVP_MD *write_hash; /* used for mac generation */
+#ifdef HEADER_COMP_H
+ COMP_CTX *compress; /* compression */
+#else
+ char *compress;
+#endif
/* session info */
@@ -524,13 +599,19 @@ typedef struct ssl_st
/* This is used to hold the server certificate used */
struct cert_st /* CERT */ *cert;
+ /* the session_id_context is used to ensure sessions are only reused
+ * in the appropriate context */
+ unsigned int sid_ctx_length;
+ unsigned char sid_ctx[SSL_MAX_SID_CTX_LENGTH];
+
/* This can also be in the session once a session is established */
SSL_SESSION *session;
/* Used in SSL2 and SSL3 */
int verify_mode; /* 0 don't care about verify failure.
* 1 fail if verify fails */
- int (*verify_callback)(); /* fail if callback returns 0 */
+ int verify_depth;
+ int (*verify_callback)(int ok,X509_STORE_CTX *ctx); /* fail if callback returns 0 */
void (*info_callback)(); /* optional informational callback */
int error; /* error bytes to be written */
@@ -546,17 +627,20 @@ typedef struct ssl_st
CRYPTO_EX_DATA ex_data;
/* for server side, keep the list of CA_dn we can use */
- STACK /* X509_NAME */ *client_CA;
+ STACK_OF(X509_NAME) *client_CA;
int references;
- unsigned long options;
+ unsigned long options; /* protocol behaviour */
+ unsigned long mode; /* API behaviour */
int first_packet;
- } SSL;
+ int client_version; /* what was passed, used for
+ * SSLv3/TLS rolback check */
+ };
-#include "ssl2.h"
-#include "ssl3.h"
-#include "tls1.h" /* This is mostly sslv3 with a few tweaks */
-#include "ssl23.h"
+#include <openssl/ssl2.h>
+#include <openssl/ssl3.h>
+#include <openssl/tls1.h> /* This is mostly sslv3 with a few tweaks */
+#include <openssl/ssl23.h>
/* compatablity */
#define SSL_set_app_data(s,arg) (SSL_set_ex_data(s,0,(char *)arg))
@@ -616,6 +700,8 @@ typedef struct ssl_st
#define SSL_VERIFY_FAIL_IF_NO_PEER_CERT 0x02
#define SSL_VERIFY_CLIENT_ONCE 0x04
+#define SSLeay_add_ssl_algorithms() SSL_library_init()
+
/* this is for backward compatablility */
#if 0 /* NEW_SSLEAY */
#define SSL_CTX_set_default_verify(a,b,c) SSL_CTX_set_verify(a,b,c)
@@ -638,28 +724,25 @@ typedef struct ssl_st
#define SSL_get_timeout(a) SSL_SESSION_get_timeout(a)
#define SSL_set_timeout(a,b) SSL_SESSION_set_timeout((a),(b))
-/* VMS linker has a 31 char name limit */
-#define SSL_CTX_set_cert_verify_callback(a,b,c) \
- SSL_CTX_set_cert_verify_cb((a),(b),(c))
-
#if 1 /*SSLEAY_MACROS*/
#define d2i_SSL_SESSION_bio(bp,s_id) (SSL_SESSION *)ASN1_d2i_bio( \
(char *(*)())SSL_SESSION_new,(char *(*)())d2i_SSL_SESSION, \
(bp),(unsigned char **)(s_id))
#define i2d_SSL_SESSION_bio(bp,s_id) ASN1_i2d_bio(i2d_SSL_SESSION, \
bp,(unsigned char *)s_id)
-#define PEM_read_SSL_SESSION(fp,x,cb) (SSL_SESSION *)PEM_ASN1_read( \
- (char *(*)())d2i_SSL_SESSION,PEM_STRING_SSL_SESSION,fp,(char **)x,cb)
-#define PEM_read_bio_SSL_SESSION(bp,x,cb) (SSL_SESSION *)PEM_ASN1_read_bio( \
- (char *(*)())d2i_SSL_SESSION,PEM_STRING_SSL_SESSION,bp,(char **)x,cb)
+#define PEM_read_SSL_SESSION(fp,x,cb,u) (SSL_SESSION *)PEM_ASN1_read( \
+ (char *(*)())d2i_SSL_SESSION,PEM_STRING_SSL_SESSION,fp,(char **)x,cb,u)
+#define PEM_read_bio_SSL_SESSION(bp,x,cb,u) (SSL_SESSION *)PEM_ASN1_read_bio( \
+ (char *(*)())d2i_SSL_SESSION,PEM_STRING_SSL_SESSION,bp,(char **)x,cb,u)
#define PEM_write_SSL_SESSION(fp,x) \
PEM_ASN1_write((int (*)())i2d_SSL_SESSION, \
- PEM_STRING_SSL_SESSION,fp, (char *)x, NULL,NULL,0,NULL)
+ PEM_STRING_SSL_SESSION,fp, (char *)x, NULL,NULL,0,NULL,NULL)
#define PEM_write_bio_SSL_SESSION(bp,x) \
PEM_ASN1_write_bio((int (*)())i2d_SSL_SESSION, \
- PEM_STRING_SSL_SESSION,bp, (char *)x, NULL,NULL,0,NULL)
+ PEM_STRING_SSL_SESSION,bp, (char *)x, NULL,NULL,0,NULL,NULL)
#endif
+#define SSL_AD_REASON_OFFSET 1000
/* These alert types are for SSLv3 and TLSv1 */
#define SSL_AD_CLOSE_NOTIFY SSL3_AD_CLOSE_NOTIFY
#define SSL_AD_UNEXPECTED_MESSAGE SSL3_AD_UNEXPECTED_MESSAGE /* fatal */
@@ -691,7 +774,7 @@ typedef struct ssl_st
#define SSL_ERROR_WANT_READ 2
#define SSL_ERROR_WANT_WRITE 3
#define SSL_ERROR_WANT_X509_LOOKUP 4
-#define SSL_ERROR_SYSCALL 5 /* look at errno */
+#define SSL_ERROR_SYSCALL 5 /* look at error stack/return value/errno */
#define SSL_ERROR_ZERO_RETURN 6
#define SSL_ERROR_WANT_CONNECT 7
@@ -706,6 +789,31 @@ typedef struct ssl_st
#define SSL_CTRL_GET_NUM_RENEGOTIATIONS 8
#define SSL_CTRL_CLEAR_NUM_RENEGOTIATIONS 9
#define SSL_CTRL_GET_TOTAL_RENEGOTIATIONS 10
+#define SSL_CTRL_GET_FLAGS 11
+#define SSL_CTRL_EXTRA_CHAIN_CERT 12
+
+/* Stats */
+#define SSL_CTRL_SESS_NUMBER 20
+#define SSL_CTRL_SESS_CONNECT 21
+#define SSL_CTRL_SESS_CONNECT_GOOD 22
+#define SSL_CTRL_SESS_CONNECT_RENEGOTIATE 23
+#define SSL_CTRL_SESS_ACCEPT 24
+#define SSL_CTRL_SESS_ACCEPT_GOOD 25
+#define SSL_CTRL_SESS_ACCEPT_RENEGOTIATE 26
+#define SSL_CTRL_SESS_HIT 27
+#define SSL_CTRL_SESS_CB_HIT 28
+#define SSL_CTRL_SESS_MISSES 29
+#define SSL_CTRL_SESS_TIMEOUTS 30
+#define SSL_CTRL_SESS_CACHE_FULL 31
+#define SSL_CTRL_OPTIONS 32
+#define SSL_CTRL_MODE 33
+
+#define SSL_CTRL_GET_READ_AHEAD 40
+#define SSL_CTRL_SET_READ_AHEAD 41
+#define SSL_CTRL_SET_SESS_CACHE_SIZE 42
+#define SSL_CTRL_GET_SESS_CACHE_SIZE 43
+#define SSL_CTRL_SET_SESS_CACHE_MODE 44
+#define SSL_CTRL_GET_SESS_CACHE_MODE 45
#define SSL_session_reused(ssl) \
SSL_ctrl((ssl),SSL_CTRL_GET_SESSION_REUSED,0,NULL)
@@ -723,16 +831,31 @@ typedef struct ssl_st
#define SSL_CTX_set_tmp_dh(ctx,dh) \
SSL_CTX_ctrl(ctx,SSL_CTRL_SET_TMP_DH,0,(char *)dh)
-/* For the next 2, the callbacks are
- * RSA *tmp_rsa_cb(int export)
- * DH *tmp_dh_cb(int export)
- */
-#define SSL_CTX_set_tmp_rsa_callback(ctx,cb) \
- SSL_CTX_ctrl(ctx,SSL_CTRL_SET_TMP_RSA_CB,0,(char *)cb)
-#define SSL_CTX_set_tmp_dh_callback(ctx,dh) \
- SSL_CTX_ctrl(ctx,SSL_CTRL_SET_TMP_DH_CB,0,(char *)dh)
-
-#ifndef NOPROTO
+#define SSL_need_tmp_RSA(ssl) \
+ SSL_ctrl(ssl,SSL_CTRL_NEED_TMP_RSA,0,NULL)
+#define SSL_set_tmp_rsa(ssl,rsa) \
+ SSL_ctrl(ssl,SSL_CTRL_SET_TMP_RSA,0,(char *)rsa)
+#define SSL_set_tmp_dh(ssl,dh) \
+ SSL_ctrl(ssl,SSL_CTRL_SET_TMP_DH,0,(char *)dh)
+
+#define SSL_CTX_add_extra_chain_cert(ctx,x509) \
+ SSL_CTX_ctrl(ctx,SSL_CTRL_EXTRA_CHAIN_CERT,0,(char *)x509)
+
+/* VMS uses only 31 characters for symbols. */
+#ifdef VMS
+#undef SSL_CTX_set_cert_verify_callback
+#define SSL_CTX_set_cert_verify_callback SSL_CTX_set_cert_verify_cb
+#undef SSL_CTX_use_certificate_chain_file
+#define SSL_CTX_use_certificate_chain_file SSL_CTX_use_cert_chain_file
+#undef SSL_CTX_set_default_verify_paths
+#define SSL_CTX_set_default_verify_paths SSL_CTX_set_def_verify_paths
+#undef SSL_get_ex_data_X509_STORE_CTX_idx
+#define SSL_get_ex_data_X509_STORE_CTX_idx SSL_get_ex_data_X509_STOR_CTX_i
+#undef SSL_add_file_cert_subjects_to_stack
+#define SSL_add_file_cert_subjects_to_stack SSL_add_file_cert_sub_to_stack
+#undef SSL_add_dir_cert_subjects_to_stack
+#define SSL_add_dir_cert_subjects_to_stack SSL_add_dir_cert_sub_to_stack
+#endif
#ifdef HEADER_BIO_H
BIO_METHOD *BIO_f_ssl(void);
@@ -747,16 +870,22 @@ void BIO_ssl_shutdown(BIO *ssl_bio);
int SSL_CTX_set_cipher_list(SSL_CTX *,char *str);
SSL_CTX *SSL_CTX_new(SSL_METHOD *meth);
void SSL_CTX_free(SSL_CTX *);
-void SSL_clear(SSL *s);
+long SSL_CTX_set_timeout(SSL_CTX *ctx,long t);
+long SSL_CTX_get_timeout(SSL_CTX *ctx);
+X509_STORE *SSL_CTX_get_cert_store(SSL_CTX *);
+void SSL_CTX_set_cert_store(SSL_CTX *,X509_STORE *);
+int SSL_want(SSL *s);
+int SSL_clear(SSL *s);
+
void SSL_CTX_flush_sessions(SSL_CTX *ctx,long tm);
SSL_CIPHER *SSL_get_current_cipher(SSL *s);
int SSL_CIPHER_get_bits(SSL_CIPHER *c,int *alg_bits);
char * SSL_CIPHER_get_version(SSL_CIPHER *c);
-char * SSL_CIPHER_get_name(SSL_CIPHER *c);
+const char * SSL_CIPHER_get_name(SSL_CIPHER *c);
int SSL_get_fd(SSL *s);
-char * SSL_get_cipher_list(SSL *s,int n);
+const char * SSL_get_cipher_list(SSL *s,int n);
char * SSL_get_shared_ciphers(SSL *s, char *buf, int len);
int SSL_get_read_ahead(SSL * s);
int SSL_pending(SSL *s);
@@ -773,23 +902,33 @@ BIO * SSL_get_wbio(SSL *s);
int SSL_set_cipher_list(SSL *s, char *str);
void SSL_set_read_ahead(SSL *s, int yes);
int SSL_get_verify_mode(SSL *s);
-int (*SSL_get_verify_callback(SSL *s))();
-void SSL_set_verify(SSL *s, int mode, int (*callback) ());
+int SSL_get_verify_depth(SSL *s);
+int (*SSL_get_verify_callback(SSL *s))(int,X509_STORE_CTX *);
+void SSL_set_verify(SSL *s, int mode,
+ int (*callback)(int ok,X509_STORE_CTX *ctx));
+void SSL_set_verify_depth(SSL *s, int depth);
+#ifndef NO_RSA
int SSL_use_RSAPrivateKey(SSL *ssl, RSA *rsa);
+#endif
int SSL_use_RSAPrivateKey_ASN1(SSL *ssl, unsigned char *d, long len);
int SSL_use_PrivateKey(SSL *ssl, EVP_PKEY *pkey);
int SSL_use_PrivateKey_ASN1(int pk,SSL *ssl, unsigned char *d, long len);
int SSL_use_certificate(SSL *ssl, X509 *x);
-int SSL_use_certificate_ASN1(SSL *ssl, int len, unsigned char *d);
+int SSL_use_certificate_ASN1(SSL *ssl, unsigned char *d, int len);
#ifndef NO_STDIO
-int SSL_use_RSAPrivateKey_file(SSL *ssl, char *file, int type);
-int SSL_use_PrivateKey_file(SSL *ssl, char *file, int type);
-int SSL_use_certificate_file(SSL *ssl, char *file, int type);
-int SSL_CTX_use_RSAPrivateKey_file(SSL_CTX *ctx, char *file, int type);
-int SSL_CTX_use_PrivateKey_file(SSL_CTX *ctx, char *file, int type);
-int SSL_CTX_use_certificate_file(SSL_CTX *ctx, char *file, int type);
-STACK * SSL_load_client_CA_file(char *file);
+int SSL_use_RSAPrivateKey_file(SSL *ssl, const char *file, int type);
+int SSL_use_PrivateKey_file(SSL *ssl, const char *file, int type);
+int SSL_use_certificate_file(SSL *ssl, const char *file, int type);
+int SSL_CTX_use_RSAPrivateKey_file(SSL_CTX *ctx, const char *file, int type);
+int SSL_CTX_use_PrivateKey_file(SSL_CTX *ctx, const char *file, int type);
+int SSL_CTX_use_certificate_file(SSL_CTX *ctx, const char *file, int type);
+int SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, const char *file); /* PEM type */
+STACK_OF(X509_NAME) *SSL_load_client_CA_file(const char *file);
+int SSL_add_file_cert_subjects_to_stack(STACK_OF(X509_NAME) *stackCAs,
+ const char *file);
+int SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *stackCAs,
+ const char *dir);
#endif
void ERR_load_SSL_strings(void );
@@ -824,13 +963,22 @@ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a,unsigned char **pp,long length);
X509 * SSL_get_peer_certificate(SSL *s);
#endif
-STACK * SSL_get_peer_cert_chain(SSL *s);
+STACK_OF(X509) *SSL_get_peer_cert_chain(SSL *s);
+
+#ifdef VMS
+#define SSL_CTX_set_default_passwd_cb_userdata SSL_CTX_set_def_passwd_cb_ud
+#endif
int SSL_CTX_get_verify_mode(SSL_CTX *ctx);
-int (*SSL_CTX_get_verify_callback(SSL_CTX *ctx))();
-void SSL_CTX_set_verify(SSL_CTX *ctx,int mode,int (*callback)());
-void SSL_CTX_set_cert_verify_cb(SSL_CTX *ctx, int (*cb)(),char *arg);
+int SSL_CTX_get_verify_depth(SSL_CTX *ctx);
+int (*SSL_CTX_get_verify_callback(SSL_CTX *ctx))(int,X509_STORE_CTX *);
+void SSL_CTX_set_verify(SSL_CTX *ctx,int mode,
+ int (*callback)(int, X509_STORE_CTX *));
+void SSL_CTX_set_verify_depth(SSL_CTX *ctx,int depth);
+void SSL_CTX_set_cert_verify_callback(SSL_CTX *ctx, int (*cb)(),char *arg);
+#ifndef NO_RSA
int SSL_CTX_use_RSAPrivateKey(SSL_CTX *ctx, RSA *rsa);
+#endif
int SSL_CTX_use_RSAPrivateKey_ASN1(SSL_CTX *ctx, unsigned char *d, long len);
int SSL_CTX_use_PrivateKey(SSL_CTX *ctx, EVP_PKEY *pkey);
int SSL_CTX_use_PrivateKey_ASN1(int pk,SSL_CTX *ctx,
@@ -838,19 +986,24 @@ int SSL_CTX_use_PrivateKey_ASN1(int pk,SSL_CTX *ctx,
int SSL_CTX_use_certificate(SSL_CTX *ctx, X509 *x);
int SSL_CTX_use_certificate_ASN1(SSL_CTX *ctx, int len, unsigned char *d);
-void SSL_CTX_set_default_passwd_cb(SSL_CTX *ctx,int (*cb)());
+void SSL_CTX_set_default_passwd_cb(SSL_CTX *ctx, pem_password_cb *cb);
+void SSL_CTX_set_default_passwd_cb_userdata(SSL_CTX *ctx, void *u);
int SSL_CTX_check_private_key(SSL_CTX *ctx);
int SSL_check_private_key(SSL *ctx);
+int SSL_CTX_set_session_id_context(SSL_CTX *ctx,const unsigned char *sid_ctx,
+ unsigned int sid_ctx_len);
+
SSL * SSL_new(SSL_CTX *ctx);
-void SSL_clear(SSL *s);
+int SSL_set_session_id_context(SSL *ssl,const unsigned char *sid_ctx,
+ unsigned int sid_ctx_len);
void SSL_free(SSL *ssl);
int SSL_accept(SSL *ssl);
int SSL_connect(SSL *ssl);
int SSL_read(SSL *ssl,char *buf,int num);
int SSL_peek(SSL *ssl,char *buf,int num);
-int SSL_write(SSL *ssl,char *buf,int num);
+int SSL_write(SSL *ssl,const char *buf,int num);
long SSL_ctrl(SSL *ssl,int cmd, long larg, char *parg);
long SSL_CTX_ctrl(SSL_CTX *ctx,int cmd, long larg, char *parg);
@@ -876,7 +1029,7 @@ SSL_METHOD *TLSv1_method(void); /* TLSv1.0 */
SSL_METHOD *TLSv1_server_method(void); /* TLSv1.0 */
SSL_METHOD *TLSv1_client_method(void); /* TLSv1.0 */
-STACK *SSL_get_ciphers(SSL *s);
+STACK_OF(SSL_CIPHER) *SSL_get_ciphers(SSL *s);
int SSL_do_handshake(SSL *s);
int SSL_renegotiate(SSL *s);
@@ -889,10 +1042,10 @@ char *SSL_alert_type_string(int value);
char *SSL_alert_desc_string_long(int value);
char *SSL_alert_desc_string(int value);
-void SSL_set_client_CA_list(SSL *s, STACK *list);
-void SSL_CTX_set_client_CA_list(SSL_CTX *ctx, STACK *list);
-STACK *SSL_get_client_CA_list(SSL *s);
-STACK *SSL_CTX_get_client_CA_list(SSL_CTX *s);
+void SSL_set_client_CA_list(SSL *s, STACK_OF(X509_NAME) *list);
+void SSL_CTX_set_client_CA_list(SSL_CTX *ctx, STACK_OF(X509_NAME) *list);
+STACK_OF(X509_NAME) *SSL_get_client_CA_list(SSL *s);
+STACK_OF(X509_NAME) *SSL_CTX_get_client_CA_list(SSL_CTX *s);
int SSL_add_client_CA(SSL *ssl,X509 *x);
int SSL_CTX_add_client_CA(SSL_CTX *ctx,X509 *x);
@@ -901,10 +1054,10 @@ void SSL_set_accept_state(SSL *s);
long SSL_get_default_timeout(SSL *s);
-void SSLeay_add_ssl_algorithms(void );
+int SSL_library_init(void );
char *SSL_CIPHER_description(SSL_CIPHER *,char *buf,int size);
-STACK *SSL_dup_CA_list(STACK *sk);
+STACK_OF(X509_NAME) *SSL_dup_CA_list(STACK_OF(X509_NAME) *sk);
SSL *SSL_dup(SSL *ssl);
@@ -919,7 +1072,8 @@ void SSL_set_shutdown(SSL *ssl,int mode);
int SSL_get_shutdown(SSL *ssl);
int SSL_version(SSL *ssl);
int SSL_CTX_set_default_verify_paths(SSL_CTX *ctx);
-int SSL_CTX_load_verify_locations(SSL_CTX *ctx,char *CAfile,char *CApath);
+int SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile,
+ const char *CApath);
SSL_SESSION *SSL_get_session(SSL *ssl);
SSL_CTX *SSL_get_SSL_CTX(SSL *ssl);
void SSL_set_info_callback(SSL *ssl,void (*cb)());
@@ -929,232 +1083,69 @@ int SSL_state(SSL *ssl);
void SSL_set_verify_result(SSL *ssl,long v);
long SSL_get_verify_result(SSL *ssl);
-int SSL_set_ex_data(SSL *ssl,int idx,char *data);
-char *SSL_get_ex_data(SSL *ssl,int idx);
+int SSL_set_ex_data(SSL *ssl,int idx,void *data);
+void *SSL_get_ex_data(SSL *ssl,int idx);
int SSL_get_ex_new_index(long argl, char *argp, int (*new_func)(),
int (*dup_func)(), void (*free_func)());
-int SSL_SESSION_set_ex_data(SSL_SESSION *ss,int idx,char *data);
-char *SSL_SESSION_get_ex_data(SSL_SESSION *ss,int idx);
+int SSL_SESSION_set_ex_data(SSL_SESSION *ss,int idx,void *data);
+void *SSL_SESSION_get_ex_data(SSL_SESSION *ss,int idx);
int SSL_SESSION_get_ex_new_index(long argl, char *argp, int (*new_func)(),
int (*dup_func)(), void (*free_func)());
-int SSL_CTX_set_ex_data(SSL_CTX *ssl,int idx,char *data);
-char *SSL_CTX_get_ex_data(SSL_CTX *ssl,int idx);
+int SSL_CTX_set_ex_data(SSL_CTX *ssl,int idx,void *data);
+void *SSL_CTX_get_ex_data(SSL_CTX *ssl,int idx);
int SSL_CTX_get_ex_new_index(long argl, char *argp, int (*new_func)(),
int (*dup_func)(), void (*free_func)());
-#else
-
-BIO_METHOD *BIO_f_ssl();
-BIO *BIO_new_ssl();
-BIO *BIO_new_ssl_connect();
-BIO *BIO_new_buffer_ssl_connect();
-int BIO_ssl_copy_session_id();
-void BIO_ssl_shutdown();
-
-int SSL_CTX_set_cipher_list();
-SSL_CTX *SSL_CTX_new();
-void SSL_CTX_free();
-void SSL_clear();
-void SSL_CTX_flush_sessions();
-
-SSL_CIPHER *SSL_get_current_cipher();
-int SSL_CIPHER_get_bits();
-char * SSL_CIPHER_get_version();
-char * SSL_CIPHER_get_name();
-
-int SSL_get_fd();
-char * SSL_get_cipher_list();
-char * SSL_get_shared_ciphers();
-int SSL_get_read_ahead();
-int SSL_pending();
-#ifndef NO_SOCK
-int SSL_set_fd();
-int SSL_set_rfd();
-int SSL_set_wfd();
-#endif
-#ifdef HEADER_BIO_H
-void SSL_set_bio();
-BIO * SSL_get_rbio();
-BIO * SSL_get_wbio();
-#endif
-int SSL_set_cipher_list();
-void SSL_set_read_ahead();
-int SSL_get_verify_mode();
-
-void SSL_set_verify();
-int SSL_use_RSAPrivateKey();
-int SSL_use_RSAPrivateKey_ASN1();
-int SSL_use_PrivateKey();
-int SSL_use_PrivateKey_ASN1();
-int SSL_use_certificate();
-int SSL_use_certificate_ASN1();
-
-#ifndef NO_STDIO
-int SSL_use_RSAPrivateKey_file();
-int SSL_use_PrivateKey_file();
-int SSL_use_certificate_file();
-int SSL_CTX_use_RSAPrivateKey_file();
-int SSL_CTX_use_PrivateKey_file();
-int SSL_CTX_use_certificate_file();
-STACK * SSL_load_client_CA_file();
-#endif
+int SSL_get_ex_data_X509_STORE_CTX_idx(void );
+
+#define SSL_CTX_sess_set_cache_size(ctx,t) \
+ SSL_CTX_ctrl(ctx,SSL_CTRL_SET_SESS_CACHE_SIZE,t,NULL)
+#define SSL_CTX_sess_get_cache_size(ctx) \
+ SSL_CTX_ctrl(ctx,SSL_CTRL_GET_SESS_CACHE_SIZE,0,NULL)
+#define SSL_CTX_set_session_cache_mode(ctx,m) \
+ SSL_CTX_ctrl(ctx,SSL_CTRL_SET_SESS_CACHE_MODE,m,NULL)
+#define SSL_CTX_get_session_cache_mode(ctx) \
+ SSL_CTX_ctrl(ctx,SSL_CTRL_GET_SESS_CACHE_MODE,0,NULL)
+
+#define SSL_CTX_get_default_read_ahead(ctx) SSL_CTX_get_read_ahead(ctx)
+#define SSL_CTX_set_default_read_ahead(ctx,m) SSL_CTX_set_read_ahead(ctx,m)
+#define SSL_CTX_get_read_ahead(ctx) \
+ SSL_CTX_ctrl(ctx,SSL_CTRL_GET_READ_AHEAD,0,NULL)
+#define SSL_CTX_set_read_ahead(ctx,m) \
+ SSL_CTX_ctrl(ctx,SSL_CTRL_SET_READ_AHEAD,0,NULL)
+
+ /* NB: the keylength is only applicable when is_export is true */
+#ifndef NO_RSA
+void SSL_CTX_set_tmp_rsa_callback(SSL_CTX *ctx,
+ RSA *(*cb)(SSL *ssl,int is_export,
+ int keylength));
-void ERR_load_SSL_strings();
-void SSL_load_error_strings();
-char * SSL_state_string();
-char * SSL_rstate_string();
-char * SSL_state_string_long();
-char * SSL_rstate_string_long();
-long SSL_SESSION_get_time();
-long SSL_SESSION_set_time();
-long SSL_SESSION_get_timeout();
-long SSL_SESSION_set_timeout();
-void SSL_copy_session_id();
-
-SSL_SESSION *SSL_SESSION_new();
-unsigned long SSL_SESSION_hash();
-int SSL_SESSION_cmp();
-#ifndef NO_FP_API
-int SSL_SESSION_print_fp();
+void SSL_set_tmp_rsa_callback(SSL *ssl,
+ RSA *(*cb)(SSL *ssl,int is_export,
+ int keylength));
#endif
-#ifdef HEADER_BIO_H
-int SSL_SESSION_print();
-#endif
-void SSL_SESSION_free();
-int i2d_SSL_SESSION();
-int SSL_set_session();
-int SSL_CTX_add_session();
-int SSL_CTX_remove_session();
-SSL_SESSION *d2i_SSL_SESSION();
-
-#ifdef HEADER_X509_H
-X509 * SSL_get_peer_certificate();
-#endif
-
-STACK * SSL_get_peer_cert_chain();
-
-int SSL_CTX_get_verify_mode();
-int (*SSL_CTX_get_verify_callback())();
-void SSL_CTX_set_verify();
-void SSL_CTX_set_cert_verify_cb();
-int SSL_CTX_use_RSAPrivateKey();
-int SSL_CTX_use_RSAPrivateKey_ASN1();
-int SSL_CTX_use_PrivateKey();
-int SSL_CTX_use_PrivateKey_ASN1();
-int SSL_CTX_use_certificate();
-int SSL_CTX_use_certificate_ASN1();
-
-void SSL_CTX_set_default_passwd_cb();
-
-int SSL_CTX_check_private_key();
-int SSL_check_private_key();
-
-SSL * SSL_new();
-void SSL_clear();
-void SSL_free();
-int SSL_accept();
-int SSL_connect();
-int SSL_read();
-int SSL_peek();
-int SSL_write();
-long SSL_ctrl();
-long SSL_CTX_ctrl();
-
-int SSL_get_error();
-char * SSL_get_version();
-
-int SSL_CTX_set_ssl_version();
-
-SSL_METHOD *SSLv2_method();
-SSL_METHOD *SSLv2_server_method();
-SSL_METHOD *SSLv2_client_method();
-
-SSL_METHOD *SSLv3_method();
-SSL_METHOD *SSLv3_server_method();
-SSL_METHOD *SSLv3_client_method();
-
-SSL_METHOD *SSLv23_method();
-SSL_METHOD *SSLv23_server_method();
-SSL_METHOD *SSLv23_client_method();
-
-SSL_METHOD *TLSv1_method();
-SSL_METHOD *TLSv1_server_method();
-SSL_METHOD *TLSv1_client_method();
-
-STACK *SSL_get_ciphers();
-
-int SSL_do_handshake();
-int SSL_renegotiate();
-int SSL_shutdown();
-
-SSL_METHOD *SSL_get_ssl_method();
-int SSL_set_ssl_method();
-char *SSL_alert_type_string_long();
-char *SSL_alert_type_string();
-char *SSL_alert_desc_string_long();
-char *SSL_alert_desc_string();
-
-void SSL_set_client_CA_list();
-void SSL_CTX_set_client_CA_list();
-STACK *SSL_get_client_CA_list();
-STACK *SSL_CTX_get_client_CA_list();
-int SSL_add_client_CA();
-int SSL_CTX_add_client_CA();
-
-void SSL_set_connect_state();
-void SSL_set_accept_state();
-
-long SSL_get_default_timeout();
-
-void SSLeay_add_ssl_algorithms();
-
-char *SSL_CIPHER_description();
-STACK *SSL_dup_CA_list();
-
-SSL *SSL_dup();
-
-X509 *SSL_get_certificate();
-/* EVP * */ struct evp_pkey_st *SSL_get_privatekey();
-
-#ifdef this_is_for_mk1mf_pl
-EVP *SSL_get_privatekey();
-
-void SSL_CTX_set_quiet_shutdown();
-int SSL_CTX_get_quiet_shutdown();
-void SSL_set_quiet_shutdown();
-int SSL_get_quiet_shutdown();
-void SSL_set_shutdown();
-int SSL_get_shutdown();
-int SSL_version();
-int SSL_CTX_set_default_verify_paths();
-int SSL_CTX_load_verify_locations();
-SSL_SESSION *SSL_get_session();
-SSL_CTX *SSL_get_SSL_CTX();
-void SSL_set_info_callback();
-int (*SSL_get_info_callback())();
-int SSL_state();
-void SSL_set_verify_result();
-long SSL_get_verify_result();
-
-int SSL_set_ex_data();
-char *SSL_get_ex_data();
-int SSL_get_ex_new_index();
-
-int SSL_SESSION_set_ex_data();
-char *SSL_SESSION_get_ex_data();
-int SSL_SESSION_get_ex_new_index();
-
-int SSL_CTX_set_ex_data();
-char *SSL_CTX_get_ex_data();
-int SSL_CTX_get_ex_new_index();
-
+#ifndef NO_DH
+void SSL_CTX_set_tmp_dh_callback(SSL_CTX *ctx,
+ DH *(*dh)(SSL *ssl,int is_export,
+ int keylength));
+void SSL_set_tmp_dh_callback(SSL *ssl,
+ DH *(*dh)(SSL *ssl,int is_export,
+ int keylength));
#endif
+#ifdef HEADER_COMP_H
+int SSL_COMP_add_compression_method(int id,COMP_METHOD *cm);
+#else
+int SSL_COMP_add_compression_method(int id,char *cm);
#endif
/* BEGIN ERROR CODES */
+/* The following lines are auto generated by the script mkerr.pl. Any changes
+ * made after this point may be overwritten when the script is next run.
+ */
+
/* Error codes for the SSL functions. */
/* Function codes. */
@@ -1191,6 +1182,7 @@ int SSL_CTX_get_ex_new_index();
#define SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM 130
#define SSL_F_SSL3_CLIENT_HELLO 131
#define SSL_F_SSL3_CONNECT 132
+#define SSL_F_SSL3_CTRL 213
#define SSL_F_SSL3_CTX_CTRL 133
#define SSL_F_SSL3_ENC 134
#define SSL_F_SSL3_GET_CERTIFICATE_REQUEST 135
@@ -1218,58 +1210,74 @@ int SSL_CTX_get_ex_new_index();
#define SSL_F_SSL3_SETUP_KEY_BLOCK 157
#define SSL_F_SSL3_WRITE_BYTES 158
#define SSL_F_SSL3_WRITE_PENDING 159
+#define SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK 215
+#define SSL_F_SSL_ADD_FILE_CERT_SUBJECTS_TO_STACK 216
#define SSL_F_SSL_BAD_METHOD 160
#define SSL_F_SSL_BYTES_TO_CIPHER_LIST 161
+#define SSL_F_SSL_CERT_DUP 221
+#define SSL_F_SSL_CERT_INST 222
+#define SSL_F_SSL_CERT_INSTANTIATE 214
#define SSL_F_SSL_CERT_NEW 162
#define SSL_F_SSL_CHECK_PRIVATE_KEY 163
-#define SSL_F_SSL_CREATE_CIPHER_LIST 164
-#define SSL_F_SSL_CTX_CHECK_PRIVATE_KEY 165
-#define SSL_F_SSL_CTX_NEW 166
-#define SSL_F_SSL_CTX_SET_SSL_VERSION 167
-#define SSL_F_SSL_CTX_USE_CERTIFICATE 168
-#define SSL_F_SSL_CTX_USE_CERTIFICATE_ASN1 169
-#define SSL_F_SSL_CTX_USE_CERTIFICATE_FILE 170
-#define SSL_F_SSL_CTX_USE_PRIVATEKEY 171
-#define SSL_F_SSL_CTX_USE_PRIVATEKEY_ASN1 172
-#define SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE 173
-#define SSL_F_SSL_CTX_USE_RSAPRIVATEKEY 174
-#define SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_ASN1 175
-#define SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE 176
-#define SSL_F_SSL_DO_HANDSHAKE 177
-#define SSL_F_SSL_GET_NEW_SESSION 178
-#define SSL_F_SSL_GET_SERVER_SEND_CERT 179
-#define SSL_F_SSL_GET_SIGN_PKEY 180
-#define SSL_F_SSL_INIT_WBIO_BUFFER 181
-#define SSL_F_SSL_LOAD_CLIENT_CA_FILE 182
-#define SSL_F_SSL_NEW 183
-#define SSL_F_SSL_RSA_PRIVATE_DECRYPT 184
-#define SSL_F_SSL_RSA_PUBLIC_ENCRYPT 185
-#define SSL_F_SSL_SESSION_NEW 186
-#define SSL_F_SSL_SESSION_PRINT_FP 187
-#define SSL_F_SSL_SET_CERT 188
-#define SSL_F_SSL_SET_FD 189
-#define SSL_F_SSL_SET_PKEY 190
-#define SSL_F_SSL_SET_RFD 191
-#define SSL_F_SSL_SET_SESSION 192
-#define SSL_F_SSL_SET_WFD 193
-#define SSL_F_SSL_UNDEFINED_FUNCTION 194
-#define SSL_F_SSL_USE_CERTIFICATE 195
-#define SSL_F_SSL_USE_CERTIFICATE_ASN1 196
-#define SSL_F_SSL_USE_CERTIFICATE_FILE 197
-#define SSL_F_SSL_USE_PRIVATEKEY 198
-#define SSL_F_SSL_USE_PRIVATEKEY_ASN1 199
-#define SSL_F_SSL_USE_PRIVATEKEY_FILE 200
-#define SSL_F_SSL_USE_RSAPRIVATEKEY 201
-#define SSL_F_SSL_USE_RSAPRIVATEKEY_ASN1 202
-#define SSL_F_SSL_USE_RSAPRIVATEKEY_FILE 203
-#define SSL_F_SSL_WRITE 204
-#define SSL_F_TLS1_CHANGE_CIPHER_STATE 205
-#define SSL_F_TLS1_ENC 206
-#define SSL_F_TLS1_SETUP_KEY_BLOCK 207
-#define SSL_F_WRITE_PENDING 208
+#define SSL_F_SSL_CLEAR 164
+#define SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD 165
+#define SSL_F_SSL_CREATE_CIPHER_LIST 166
+#define SSL_F_SSL_CTX_CHECK_PRIVATE_KEY 168
+#define SSL_F_SSL_CTX_NEW 169
+#define SSL_F_SSL_CTX_SET_SESSION_ID_CONTEXT 219
+#define SSL_F_SSL_CTX_SET_SSL_VERSION 170
+#define SSL_F_SSL_CTX_USE_CERTIFICATE 171
+#define SSL_F_SSL_CTX_USE_CERTIFICATE_ASN1 172
+#define SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE 220
+#define SSL_F_SSL_CTX_USE_CERTIFICATE_FILE 173
+#define SSL_F_SSL_CTX_USE_PRIVATEKEY 174
+#define SSL_F_SSL_CTX_USE_PRIVATEKEY_ASN1 175
+#define SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE 176
+#define SSL_F_SSL_CTX_USE_RSAPRIVATEKEY 177
+#define SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_ASN1 178
+#define SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE 179
+#define SSL_F_SSL_DO_HANDSHAKE 180
+#define SSL_F_SSL_GET_NEW_SESSION 181
+#define SSL_F_SSL_GET_PREV_SESSION 217
+#define SSL_F_SSL_GET_SERVER_SEND_CERT 182
+#define SSL_F_SSL_GET_SIGN_PKEY 183
+#define SSL_F_SSL_INIT_WBIO_BUFFER 184
+#define SSL_F_SSL_LOAD_CLIENT_CA_FILE 185
+#define SSL_F_SSL_NEW 186
+#define SSL_F_SSL_READ 223
+#define SSL_F_SSL_RSA_PRIVATE_DECRYPT 187
+#define SSL_F_SSL_RSA_PUBLIC_ENCRYPT 188
+#define SSL_F_SSL_SESSION_NEW 189
+#define SSL_F_SSL_SESSION_PRINT_FP 190
+#define SSL_F_SSL_SESS_CERT_NEW 225
+#define SSL_F_SSL_SET_CERT 191
+#define SSL_F_SSL_SET_FD 192
+#define SSL_F_SSL_SET_PKEY 193
+#define SSL_F_SSL_SET_RFD 194
+#define SSL_F_SSL_SET_SESSION 195
+#define SSL_F_SSL_SET_SESSION_ID_CONTEXT 218
+#define SSL_F_SSL_SET_WFD 196
+#define SSL_F_SSL_SHUTDOWN 224
+#define SSL_F_SSL_UNDEFINED_FUNCTION 197
+#define SSL_F_SSL_USE_CERTIFICATE 198
+#define SSL_F_SSL_USE_CERTIFICATE_ASN1 199
+#define SSL_F_SSL_USE_CERTIFICATE_FILE 200
+#define SSL_F_SSL_USE_PRIVATEKEY 201
+#define SSL_F_SSL_USE_PRIVATEKEY_ASN1 202
+#define SSL_F_SSL_USE_PRIVATEKEY_FILE 203
+#define SSL_F_SSL_USE_RSAPRIVATEKEY 204
+#define SSL_F_SSL_USE_RSAPRIVATEKEY_ASN1 205
+#define SSL_F_SSL_USE_RSAPRIVATEKEY_FILE 206
+#define SSL_F_SSL_VERIFY_CERT_CHAIN 207
+#define SSL_F_SSL_WRITE 208
+#define SSL_F_TLS1_CHANGE_CIPHER_STATE 209
+#define SSL_F_TLS1_ENC 210
+#define SSL_F_TLS1_SETUP_KEY_BLOCK 211
+#define SSL_F_WRITE_PENDING 212
/* Reason codes. */
#define SSL_R_APP_DATA_IN_HANDSHAKE 100
+#define SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT 272
#define SSL_R_BAD_ALERT_RECORD 101
#define SSL_R_BAD_AUTHENTICATION_TYPE 102
#define SSL_R_BAD_CHANGE_CIPHER_SPEC 103
@@ -1282,6 +1290,7 @@ int SSL_CTX_get_ex_new_index();
#define SSL_R_BAD_DH_P_LENGTH 110
#define SSL_R_BAD_DIGEST_LENGTH 111
#define SSL_R_BAD_DSA_SIGNATURE 112
+#define SSL_R_BAD_LENGTH 271
#define SSL_R_BAD_MAC_DECODE 113
#define SSL_R_BAD_MESSAGE_TYPE 114
#define SSL_R_BAD_PACKET_LENGTH 115
@@ -1311,83 +1320,90 @@ int SSL_CTX_get_ex_new_index();
#define SSL_R_CIPHER_TABLE_SRC_ERROR 139
#define SSL_R_COMPRESSED_LENGTH_TOO_LONG 140
#define SSL_R_COMPRESSION_FAILURE 141
-#define SSL_R_CONNECTION_ID_IS_DIFFERENT 142
-#define SSL_R_CONNECTION_TYPE_NOT_SET 143
-#define SSL_R_DATA_BETWEEN_CCS_AND_FINISHED 144
-#define SSL_R_DATA_LENGTH_TOO_LONG 145
-#define SSL_R_DECRYPTION_FAILED 146
-#define SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG 147
-#define SSL_R_DIGEST_CHECK_FAILED 148
-#define SSL_R_ENCRYPTED_LENGTH_TOO_LONG 149
-#define SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST 150
-#define SSL_R_EXCESSIVE_MESSAGE_SIZE 151
-#define SSL_R_EXTRA_DATA_IN_MESSAGE 152
-#define SSL_R_GOT_A_FIN_BEFORE_A_CCS 153
-#define SSL_R_HTTPS_PROXY_REQUEST 154
-#define SSL_R_HTTP_REQUEST 155
-#define SSL_R_INTERNAL_ERROR 156
-#define SSL_R_INVALID_CHALLENGE_LENGTH 157
-#define SSL_R_LENGTH_MISMATCH 158
-#define SSL_R_LENGTH_TOO_SHORT 159
-#define SSL_R_LIBRARY_HAS_NO_CIPHERS 160
-#define SSL_R_MISSING_DH_DSA_CERT 161
-#define SSL_R_MISSING_DH_KEY 162
-#define SSL_R_MISSING_DH_RSA_CERT 163
-#define SSL_R_MISSING_DSA_SIGNING_CERT 164
-#define SSL_R_MISSING_EXPORT_TMP_DH_KEY 165
-#define SSL_R_MISSING_EXPORT_TMP_RSA_KEY 166
-#define SSL_R_MISSING_RSA_CERTIFICATE 167
-#define SSL_R_MISSING_RSA_ENCRYPTING_CERT 168
-#define SSL_R_MISSING_RSA_SIGNING_CERT 169
-#define SSL_R_MISSING_TMP_DH_KEY 170
-#define SSL_R_MISSING_TMP_RSA_KEY 171
-#define SSL_R_MISSING_TMP_RSA_PKEY 172
-#define SSL_R_MISSING_VERIFY_MESSAGE 173
-#define SSL_R_NON_SSLV2_INITIAL_PACKET 174
-#define SSL_R_NO_CERTIFICATES_RETURNED 175
-#define SSL_R_NO_CERTIFICATE_ASSIGNED 176
-#define SSL_R_NO_CERTIFICATE_RETURNED 177
-#define SSL_R_NO_CERTIFICATE_SET 178
-#define SSL_R_NO_CERTIFICATE_SPECIFIED 179
-#define SSL_R_NO_CIPHERS_AVAILABLE 180
-#define SSL_R_NO_CIPHERS_PASSED 181
-#define SSL_R_NO_CIPHERS_SPECIFIED 182
-#define SSL_R_NO_CIPHER_LIST 183
-#define SSL_R_NO_CIPHER_MATCH 184
-#define SSL_R_NO_CLIENT_CERT_RECEIVED 185
-#define SSL_R_NO_COMPRESSION_SPECIFIED 186
-#define SSL_R_NO_PRIVATEKEY 187
-#define SSL_R_NO_PRIVATE_KEY_ASSIGNED 188
-#define SSL_R_NO_PROTOCOLS_AVAILABLE 189
-#define SSL_R_NO_PUBLICKEY 190
-#define SSL_R_NO_SHARED_CIPHER 191
-#define SSL_R_NULL_SSL_CTX 192
-#define SSL_R_NULL_SSL_METHOD_PASSED 193
-#define SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED 194
-#define SSL_R_PACKET_LENGTH_TOO_LONG 195
-#define SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE 196
-#define SSL_R_PEER_ERROR 197
-#define SSL_R_PEER_ERROR_CERTIFICATE 198
-#define SSL_R_PEER_ERROR_NO_CERTIFICATE 199
-#define SSL_R_PEER_ERROR_NO_CIPHER 200
-#define SSL_R_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE 201
-#define SSL_R_PRE_MAC_LENGTH_TOO_LONG 202
-#define SSL_R_PROBLEMS_MAPPING_CIPHER_FUNCTIONS 203
-#define SSL_R_PROTOCOL_IS_SHUTDOWN 204
-#define SSL_R_PUBLIC_KEY_ENCRYPT_ERROR 205
-#define SSL_R_PUBLIC_KEY_IS_NOT_RSA 206
-#define SSL_R_PUBLIC_KEY_NOT_RSA 207
-#define SSL_R_READ_BIO_NOT_SET 208
-#define SSL_R_READ_WRONG_PACKET_TYPE 209
-#define SSL_R_RECORD_LENGTH_MISMATCH 210
-#define SSL_R_RECORD_TOO_LARGE 211
-#define SSL_R_REQUIRED_CIPHER_MISSING 212
-#define SSL_R_REUSE_CERT_LENGTH_NOT_ZERO 213
-#define SSL_R_REUSE_CERT_TYPE_NOT_ZERO 214
-#define SSL_R_REUSE_CIPHER_LIST_NOT_ZERO 215
-#define SSL_R_SHORT_READ 216
-#define SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE 217
-#define SSL_R_SSL3_SESSION_ID_TOO_SHORT 218
+#define SSL_R_COMPRESSION_LIBRARY_ERROR 142
+#define SSL_R_CONNECTION_ID_IS_DIFFERENT 143
+#define SSL_R_CONNECTION_TYPE_NOT_SET 144
+#define SSL_R_DATA_BETWEEN_CCS_AND_FINISHED 145
+#define SSL_R_DATA_LENGTH_TOO_LONG 146
+#define SSL_R_DECRYPTION_FAILED 147
+#define SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG 148
+#define SSL_R_DIGEST_CHECK_FAILED 149
+#define SSL_R_ENCRYPTED_LENGTH_TOO_LONG 150
+#define SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST 151
+#define SSL_R_EXCESSIVE_MESSAGE_SIZE 152
+#define SSL_R_EXTRA_DATA_IN_MESSAGE 153
+#define SSL_R_GOT_A_FIN_BEFORE_A_CCS 154
+#define SSL_R_HTTPS_PROXY_REQUEST 155
+#define SSL_R_HTTP_REQUEST 156
+#define SSL_R_INTERNAL_ERROR 157
+#define SSL_R_INVALID_CHALLENGE_LENGTH 158
+#define SSL_R_LENGTH_MISMATCH 159
+#define SSL_R_LENGTH_TOO_SHORT 160
+#define SSL_R_LIBRARY_BUG 274
+#define SSL_R_LIBRARY_HAS_NO_CIPHERS 161
+#define SSL_R_MISSING_DH_DSA_CERT 162
+#define SSL_R_MISSING_DH_KEY 163
+#define SSL_R_MISSING_DH_RSA_CERT 164
+#define SSL_R_MISSING_DSA_SIGNING_CERT 165
+#define SSL_R_MISSING_EXPORT_TMP_DH_KEY 166
+#define SSL_R_MISSING_EXPORT_TMP_RSA_KEY 167
+#define SSL_R_MISSING_RSA_CERTIFICATE 168
+#define SSL_R_MISSING_RSA_ENCRYPTING_CERT 169
+#define SSL_R_MISSING_RSA_SIGNING_CERT 170
+#define SSL_R_MISSING_TMP_DH_KEY 171
+#define SSL_R_MISSING_TMP_RSA_KEY 172
+#define SSL_R_MISSING_TMP_RSA_PKEY 173
+#define SSL_R_MISSING_VERIFY_MESSAGE 174
+#define SSL_R_NON_SSLV2_INITIAL_PACKET 175
+#define SSL_R_NO_CERTIFICATES_RETURNED 176
+#define SSL_R_NO_CERTIFICATE_ASSIGNED 177
+#define SSL_R_NO_CERTIFICATE_RETURNED 178
+#define SSL_R_NO_CERTIFICATE_SET 179
+#define SSL_R_NO_CERTIFICATE_SPECIFIED 180
+#define SSL_R_NO_CIPHERS_AVAILABLE 181
+#define SSL_R_NO_CIPHERS_PASSED 182
+#define SSL_R_NO_CIPHERS_SPECIFIED 183
+#define SSL_R_NO_CIPHER_LIST 184
+#define SSL_R_NO_CIPHER_MATCH 185
+#define SSL_R_NO_CLIENT_CERT_RECEIVED 186
+#define SSL_R_NO_COMPRESSION_SPECIFIED 187
+#define SSL_R_NO_METHOD_SPECIFIED 188
+#define SSL_R_NO_PRIVATEKEY 189
+#define SSL_R_NO_PRIVATE_KEY_ASSIGNED 190
+#define SSL_R_NO_PROTOCOLS_AVAILABLE 191
+#define SSL_R_NO_PUBLICKEY 192
+#define SSL_R_NO_SHARED_CIPHER 193
+#define SSL_R_NO_VERIFY_CALLBACK 194
+#define SSL_R_NULL_SSL_CTX 195
+#define SSL_R_NULL_SSL_METHOD_PASSED 196
+#define SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED 197
+#define SSL_R_PACKET_LENGTH_TOO_LONG 198
+#define SSL_R_PATH_TOO_LONG 270
+#define SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE 199
+#define SSL_R_PEER_ERROR 200
+#define SSL_R_PEER_ERROR_CERTIFICATE 201
+#define SSL_R_PEER_ERROR_NO_CERTIFICATE 202
+#define SSL_R_PEER_ERROR_NO_CIPHER 203
+#define SSL_R_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE 204
+#define SSL_R_PRE_MAC_LENGTH_TOO_LONG 205
+#define SSL_R_PROBLEMS_MAPPING_CIPHER_FUNCTIONS 206
+#define SSL_R_PROTOCOL_IS_SHUTDOWN 207
+#define SSL_R_PUBLIC_KEY_ENCRYPT_ERROR 208
+#define SSL_R_PUBLIC_KEY_IS_NOT_RSA 209
+#define SSL_R_PUBLIC_KEY_NOT_RSA 210
+#define SSL_R_READ_BIO_NOT_SET 211
+#define SSL_R_READ_WRONG_PACKET_TYPE 212
+#define SSL_R_RECORD_LENGTH_MISMATCH 213
+#define SSL_R_RECORD_TOO_LARGE 214
+#define SSL_R_REQUIRED_CIPHER_MISSING 215
+#define SSL_R_REUSE_CERT_LENGTH_NOT_ZERO 216
+#define SSL_R_REUSE_CERT_TYPE_NOT_ZERO 217
+#define SSL_R_REUSE_CIPHER_LIST_NOT_ZERO 218
+#define SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED 277
+#define SSL_R_SHORT_READ 219
+#define SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE 220
+#define SSL_R_SSL23_DOING_SESSION_ID_REUSE 221
+#define SSL_R_SSL3_SESSION_ID_TOO_SHORT 222
#define SSL_R_SSLV3_ALERT_BAD_CERTIFICATE 1042
#define SSL_R_SSLV3_ALERT_BAD_RECORD_MAC 1020
#define SSL_R_SSLV3_ALERT_CERTIFICATE_EXPIRED 1045
@@ -1397,55 +1413,70 @@ int SSL_CTX_get_ex_new_index();
#define SSL_R_SSLV3_ALERT_HANDSHAKE_FAILURE 1040
#define SSL_R_SSLV3_ALERT_ILLEGAL_PARAMETER 1047
#define SSL_R_SSLV3_ALERT_NO_CERTIFICATE 1041
-#define SSL_R_SSLV3_ALERT_PEER_ERROR_CERTIFICATE 219
-#define SSL_R_SSLV3_ALERT_PEER_ERROR_NO_CERTIFICATE 220
-#define SSL_R_SSLV3_ALERT_PEER_ERROR_NO_CIPHER 221
-#define SSL_R_SSLV3_ALERT_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE 222
+#define SSL_R_SSLV3_ALERT_PEER_ERROR_CERTIFICATE 223
+#define SSL_R_SSLV3_ALERT_PEER_ERROR_NO_CERTIFICATE 224
+#define SSL_R_SSLV3_ALERT_PEER_ERROR_NO_CIPHER 225
+#define SSL_R_SSLV3_ALERT_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE 226
#define SSL_R_SSLV3_ALERT_UNEXPECTED_MESSAGE 1010
-#define SSL_R_SSLV3_ALERT_UNKNOWN_REMOTE_ERROR_TYPE 223
+#define SSL_R_SSLV3_ALERT_UNKNOWN_REMOTE_ERROR_TYPE 227
#define SSL_R_SSLV3_ALERT_UNSUPPORTED_CERTIFICATE 1043
-#define SSL_R_SSL_CTX_HAS_NO_DEFAULT_SSL_VERSION 224
-#define SSL_R_SSL_HANDSHAKE_FAILURE 225
-#define SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS 226
-#define SSL_R_SSL_SESSION_ID_IS_DIFFERENT 227
-#define SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER 228
-#define SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST 229
-#define SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG 230
-#define SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER 231
-#define SSL_R_UNABLE_TO_DECODE_DH_CERTS 232
-#define SSL_R_UNABLE_TO_EXTRACT_PUBLIC_KEY 233
-#define SSL_R_UNABLE_TO_FIND_DH_PARAMETERS 234
-#define SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS 235
-#define SSL_R_UNABLE_TO_FIND_SSL_METHOD 236
-#define SSL_R_UNABLE_TO_LOAD_SSL2_MD5_ROUTINES 237
-#define SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES 238
-#define SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES 239
-#define SSL_R_UNEXPECTED_MESSAGE 240
-#define SSL_R_UNEXPECTED_RECORD 241
-#define SSL_R_UNKNOWN_ALERT_TYPE 242
-#define SSL_R_UNKNOWN_CERTIFICATE_TYPE 243
-#define SSL_R_UNKNOWN_CIPHER_RETURNED 244
-#define SSL_R_UNKNOWN_CIPHER_TYPE 245
-#define SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE 246
-#define SSL_R_UNKNOWN_PKEY_TYPE 247
-#define SSL_R_UNKNOWN_PROTOCOL 248
-#define SSL_R_UNKNOWN_REMOTE_ERROR_TYPE 249
-#define SSL_R_UNKNOWN_SSL_VERSION 250
-#define SSL_R_UNKNOWN_STATE 251
-#define SSL_R_UNSUPPORTED_CIPHER 252
-#define SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM 253
-#define SSL_R_UNSUPPORTED_PROTOCOL 254
-#define SSL_R_UNSUPPORTED_SSL_VERSION 255
-#define SSL_R_WRITE_BIO_NOT_SET 256
-#define SSL_R_WRONG_CIPHER_RETURNED 257
-#define SSL_R_WRONG_MESSAGE_TYPE 258
-#define SSL_R_WRONG_NUMBER_OF_KEY_BITS 259
-#define SSL_R_WRONG_SIGNATURE_LENGTH 260
-#define SSL_R_WRONG_SIGNATURE_SIZE 261
-#define SSL_R_WRONG_SSL_VERSION 262
-#define SSL_R_WRONG_VERSION_NUMBER 263
-#define SSL_R_X509_LIB 264
-
+#define SSL_R_SSL_CTX_HAS_NO_DEFAULT_SSL_VERSION 228
+#define SSL_R_SSL_HANDSHAKE_FAILURE 229
+#define SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS 230
+#define SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG 273
+#define SSL_R_SSL_SESSION_ID_IS_DIFFERENT 231
+#define SSL_R_TLSV1_ALERT_ACCESS_DENIED 1049
+#define SSL_R_TLSV1_ALERT_DECODE_ERROR 1050
+#define SSL_R_TLSV1_ALERT_DECRYPTION_FAILED 1021
+#define SSL_R_TLSV1_ALERT_DECRYPT_ERROR 1051
+#define SSL_R_TLSV1_ALERT_EXPORT_RESTRICION 1060
+#define SSL_R_TLSV1_ALERT_INSUFFICIENT_SECURITY 1071
+#define SSL_R_TLSV1_ALERT_INTERNAL_ERROR 1080
+#define SSL_R_TLSV1_ALERT_NO_RENEGOTIATION 1100
+#define SSL_R_TLSV1_ALERT_PROTOCOL_VERSION 1070
+#define SSL_R_TLSV1_ALERT_RECORD_OVERFLOW 1022
+#define SSL_R_TLSV1_ALERT_UNKNOWN_CA 1048
+#define SSL_R_TLSV1_ALERT_USER_CANCLED 1090
+#define SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER 232
+#define SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST 233
+#define SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG 234
+#define SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER 235
+#define SSL_R_UNABLE_TO_DECODE_DH_CERTS 236
+#define SSL_R_UNABLE_TO_EXTRACT_PUBLIC_KEY 237
+#define SSL_R_UNABLE_TO_FIND_DH_PARAMETERS 238
+#define SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS 239
+#define SSL_R_UNABLE_TO_FIND_SSL_METHOD 240
+#define SSL_R_UNABLE_TO_LOAD_SSL2_MD5_ROUTINES 241
+#define SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES 242
+#define SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES 243
+#define SSL_R_UNEXPECTED_MESSAGE 244
+#define SSL_R_UNEXPECTED_RECORD 245
+#define SSL_R_UNINITIALIZED 276
+#define SSL_R_UNKNOWN_ALERT_TYPE 246
+#define SSL_R_UNKNOWN_CERTIFICATE_TYPE 247
+#define SSL_R_UNKNOWN_CIPHER_RETURNED 248
+#define SSL_R_UNKNOWN_CIPHER_TYPE 249
+#define SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE 250
+#define SSL_R_UNKNOWN_PKEY_TYPE 251
+#define SSL_R_UNKNOWN_PROTOCOL 252
+#define SSL_R_UNKNOWN_REMOTE_ERROR_TYPE 253
+#define SSL_R_UNKNOWN_SSL_VERSION 254
+#define SSL_R_UNKNOWN_STATE 255
+#define SSL_R_UNSUPPORTED_CIPHER 256
+#define SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM 257
+#define SSL_R_UNSUPPORTED_PROTOCOL 258
+#define SSL_R_UNSUPPORTED_SSL_VERSION 259
+#define SSL_R_WRITE_BIO_NOT_SET 260
+#define SSL_R_WRONG_CIPHER_RETURNED 261
+#define SSL_R_WRONG_MESSAGE_TYPE 262
+#define SSL_R_WRONG_NUMBER_OF_KEY_BITS 263
+#define SSL_R_WRONG_SIGNATURE_LENGTH 264
+#define SSL_R_WRONG_SIGNATURE_SIZE 265
+#define SSL_R_WRONG_SSL_VERSION 266
+#define SSL_R_WRONG_VERSION_NUMBER 267
+#define SSL_R_X509_LIB 268
+#define SSL_R_X509_VERIFICATION_SETUP_PROBLEMS 269
+
#ifdef __cplusplus
}
#endif
diff --git a/lib/libssl/src/ssl/ssl2.h b/lib/libssl/src/ssl/ssl2.h
index 3dc94e520bb..d7f24ac1b4e 100644
--- a/lib/libssl/src/ssl/ssl2.h
+++ b/lib/libssl/src/ssl/ssl2.h
@@ -67,8 +67,8 @@ extern "C" {
#define SSL2_VERSION 0x0002
#define SSL2_VERSION_MAJOR 0x00
#define SSL2_VERSION_MINOR 0x02
-#define SSL2_CLIENT_VERSION 0x0002
-#define SSL2_SERVER_VERSION 0x0002
+/* #define SSL2_CLIENT_VERSION 0x0002 */
+/* #define SSL2_SERVER_VERSION 0x0002 */
/* Protocol Message Codes */
#define SSL2_MT_ERROR 0
@@ -162,7 +162,7 @@ typedef struct ssl2_ctx_st
* args were passwd */
unsigned int wnum; /* number of bytes sent so far */
int wpend_tot;
- char *wpend_buf;
+ const unsigned char *wpend_buf;
int wpend_off; /* offset to data to write */
int wpend_len; /* number of bytes passwd to write */
diff --git a/lib/libssl/src/ssl/ssl3.h b/lib/libssl/src/ssl/ssl3.h
index 95772eef60c..2a9714fc19b 100644
--- a/lib/libssl/src/ssl/ssl3.h
+++ b/lib/libssl/src/ssl/ssl3.h
@@ -59,7 +59,9 @@
#ifndef HEADER_SSL3_H
#define HEADER_SSL3_H
-#include "buffer.h"
+#include <openssl/buffer.h>
+#include <openssl/evp.h>
+#include <openssl/ssl.h>
#ifdef __cplusplus
extern "C" {
@@ -208,7 +210,7 @@ typedef struct ssl3_record_st
/*r */ unsigned int off; /* read/write offset into 'buf' */
/*rw*/ unsigned char *data; /* pointer to the record data */
/*rw*/ unsigned char *input; /* where the decode bytes are */
-/*rw*/ unsigned char *comp; /* only used with decompression */
+/*r */ unsigned char *comp; /* only used with decompression - malloc()ed */
} SSL3_RECORD;
typedef struct ssl3_buffer_st
@@ -220,10 +222,6 @@ typedef struct ssl3_buffer_st
/*rw*/ unsigned char *buf; /* SSL3_RT_MAX_PACKET_SIZE bytes */
} SSL3_BUFFER;
-typedef struct ssl3_compression_st {
- int nothing;
- } SSL3_COMPRESSION;
-
#define SSL3_CT_RSA_SIGN 1
#define SSL3_CT_DSS_SIGN 2
#define SSL3_CT_RSA_FIXED_DH 3
@@ -236,7 +234,7 @@ typedef struct ssl3_compression_st {
#define SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS 0x0001
#define SSL3_FLAGS_DELAY_CLIENT_FINISHED 0x0002
#define SSL3_FLAGS_POP_BUFFER 0x0004
-#define TLS1_FLAGS_TLS_PADDING_BUG 0x0008
+#define TLS1_FLAGS_TLS_PADDING_BUG 0x0008
#if 0
#define AD_CLOSE_NOTIFY 0
@@ -290,7 +288,7 @@ typedef struct ssl3_ctx_st
int wpend_tot; /* number bytes written */
int wpend_type;
int wpend_ret; /* number of bytes submitted */
- char *wpend_buf;
+ const unsigned char *wpend_buf;
/* used during startup, digest all incoming/outgoing packets */
EVP_MD_CTX finish_dgst1;
@@ -305,7 +303,7 @@ typedef struct ssl3_ctx_st
/* we alow one fatal and one warning alert to be outstanding,
* send close alert via the warning alert */
int alert_dispatch;
- char send_alert[2];
+ unsigned char send_alert[2];
/* This flag is set when we should renegotiate ASAP, basically when
* there is no more data in the read or write buffers */
@@ -324,8 +322,9 @@ typedef struct ssl3_ctx_st
/* used to hold the new cipher we are going to use */
SSL_CIPHER *new_cipher;
+#ifndef NO_DH
DH *dh;
-
+#endif
/* used when SSL_ST_FLUSH_DATA is entered */
int next_state;
@@ -335,18 +334,23 @@ typedef struct ssl3_ctx_st
int cert_req;
int ctype_num;
char ctype[SSL3_CT_NUMBER];
- STACK *ca_names;
+ STACK_OF(X509_NAME) *ca_names;
int use_rsa_tmp;
int key_block_length;
unsigned char *key_block;
- EVP_CIPHER *new_sym_enc;
- EVP_MD *new_hash;
- SSL_COMPRESSION *new_compression;
+ const EVP_CIPHER *new_sym_enc;
+ const EVP_MD *new_hash;
+#ifdef HEADER_COMP_H
+ const SSL_COMP *new_compression;
+#else
+ char *new_compression;
+#endif
int cert_request;
} tmp;
+
} SSL3_CTX;
/* SSLv3 */
diff --git a/lib/libssl/src/ssl/ssl_algs.c b/lib/libssl/src/ssl/ssl_algs.c
index 65f3a593869..a91ee6d22e4 100644
--- a/lib/libssl/src/ssl/ssl_algs.c
+++ b/lib/libssl/src/ssl/ssl_algs.c
@@ -57,11 +57,11 @@
*/
#include <stdio.h>
-#include "objects.h"
-#include "lhash.h"
+#include <openssl/objects.h>
+#include <openssl/lhash.h>
#include "ssl_locl.h"
-void SSLeay_add_ssl_algorithms()
+int SSL_library_init(void)
{
#ifndef NO_DES
EVP_add_cipher(EVP_des_cbc());
@@ -71,25 +71,25 @@ void SSLeay_add_ssl_algorithms()
EVP_add_cipher(EVP_idea_cbc());
#endif
#ifndef NO_RC4
- EVP_add_cipher(EVP_rc4());
+ EVP_add_cipher(EVP_rc4());
#endif
#ifndef NO_RC2
- EVP_add_cipher(EVP_rc2_cbc());
+ EVP_add_cipher(EVP_rc2_cbc());
#endif
#ifndef NO_MD2
- EVP_add_digest(EVP_md2());
+ EVP_add_digest(EVP_md2());
#endif
#ifndef NO_MD5
EVP_add_digest(EVP_md5());
- EVP_add_alias(SN_md5,"ssl2-md5");
- EVP_add_alias(SN_md5,"ssl3-md5");
+ EVP_add_digest_alias(SN_md5,"ssl2-md5");
+ EVP_add_digest_alias(SN_md5,"ssl3-md5");
#endif
-#ifndef NO_SHA1
+#ifndef NO_SHA
EVP_add_digest(EVP_sha1()); /* RSA with sha1 */
- EVP_add_alias(SN_sha1,"ssl3-sha1");
+ EVP_add_digest_alias(SN_sha1,"ssl3-sha1");
#endif
-#if !defined(NO_SHA1) && !defined(NO_DSA)
+#if !defined(NO_SHA) && !defined(NO_DSA)
EVP_add_digest(EVP_dss1()); /* DSA with sha1 */
#endif
@@ -98,5 +98,6 @@ void SSLeay_add_ssl_algorithms()
EVP_add_digest(EVP_sha());
EVP_add_digest(EVP_dss());
#endif
+ return(1);
}
diff --git a/lib/libssl/src/ssl/ssl_asn1.c b/lib/libssl/src/ssl/ssl_asn1.c
index 116a83de645..0f6a0884e4a 100644
--- a/lib/libssl/src/ssl/ssl_asn1.c
+++ b/lib/libssl/src/ssl/ssl_asn1.c
@@ -58,8 +58,8 @@
#include <stdio.h>
#include <stdlib.h>
-#include "asn1_mac.h"
-#include "objects.h"
+#include <openssl/asn1_mac.h>
+#include <openssl/objects.h>
#include "ssl_locl.h"
typedef struct ssl_session_asn1_st
@@ -69,22 +69,16 @@ typedef struct ssl_session_asn1_st
ASN1_OCTET_STRING cipher;
ASN1_OCTET_STRING master_key;
ASN1_OCTET_STRING session_id;
+ ASN1_OCTET_STRING session_id_context;
ASN1_OCTET_STRING key_arg;
ASN1_INTEGER time;
ASN1_INTEGER timeout;
} SSL_SESSION_ASN1;
-/*
- * SSLerr(SSL_F_I2D_SSL_SESSION,SSL_R_CIPHER_CODE_WRONG_LENGTH);
- * SSLerr(SSL_F_D2I_SSL_SESSION,SSL_R_UNSUPPORTED_CIPHER);
- */
-
-int i2d_SSL_SESSION(in,pp)
-SSL_SESSION *in;
-unsigned char **pp;
+int i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp)
{
#define LSIZE2 (sizeof(long)*2)
- int v1=0,v2=0,v3=0;
+ int v1=0,v2=0,v3=0,v4=0;
unsigned char buf[4],ibuf1[LSIZE2],ibuf2[LSIZE2];
unsigned char ibuf3[LSIZE2],ibuf4[LSIZE2];
long l;
@@ -138,6 +132,10 @@ unsigned char **pp;
a.session_id.type=V_ASN1_OCTET_STRING;
a.session_id.data=in->session_id;
+ a.session_id_context.length=in->sid_ctx_length;
+ a.session_id_context.type=V_ASN1_OCTET_STRING;
+ a.session_id_context.data=in->sid_ctx;
+
a.key_arg.length=in->key_arg_length;
a.key_arg.type=V_ASN1_OCTET_STRING;
a.key_arg.data=in->key_arg;
@@ -171,6 +169,7 @@ unsigned char **pp;
M_ASN1_I2D_len_EXP_opt(&(a.timeout),i2d_ASN1_INTEGER,2,v2);
if (in->peer != NULL)
M_ASN1_I2D_len_EXP_opt(in->peer,i2d_X509,3,v3);
+ M_ASN1_I2D_len_EXP_opt(&a.session_id_context,i2d_ASN1_OCTET_STRING,4,v4);
M_ASN1_I2D_seq_total();
@@ -187,14 +186,14 @@ unsigned char **pp;
M_ASN1_I2D_put_EXP_opt(&(a.timeout),i2d_ASN1_INTEGER,2,v2);
if (in->peer != NULL)
M_ASN1_I2D_put_EXP_opt(in->peer,i2d_X509,3,v3);
+ M_ASN1_I2D_put_EXP_opt(&a.session_id_context,i2d_ASN1_OCTET_STRING,4,
+ v4);
M_ASN1_I2D_finish();
}
-SSL_SESSION *d2i_SSL_SESSION(a,pp,length)
-SSL_SESSION **a;
-unsigned char **pp;
-long length;
+SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, unsigned char **pp,
+ long length)
{
int version,ssl_version=0,i;
long id;
@@ -308,6 +307,21 @@ long length;
}
M_ASN1_D2I_get_EXP_opt(ret->peer,d2i_X509,3);
+ os.length=0;
+ os.data=NULL;
+ M_ASN1_D2I_get_EXP_opt(osp,d2i_ASN1_OCTET_STRING,4);
+
+ if(os.data != NULL)
+ {
+ if (os.length > SSL_MAX_SID_CTX_LENGTH)
+ SSLerr(SSL_F_D2I_SSL_SESSION,SSL_R_BAD_LENGTH);
+ ret->sid_ctx_length=os.length;
+ memcpy(ret->sid_ctx,os.data,os.length);
+ Free(os.data); os.data=NULL; os.length=0;
+ }
+ else
+ ret->sid_ctx_length=0;
+
M_ASN1_D2I_Finish(a,SSL_SESSION_free,SSL_F_D2I_SSL_SESSION);
}
diff --git a/lib/libssl/src/ssl/ssl_cert.c b/lib/libssl/src/ssl/ssl_cert.c
index c1cb86e1b7d..6d2511f76c2 100644
--- a/lib/libssl/src/ssl/ssl_cert.c
+++ b/lib/libssl/src/ssl/ssl_cert.c
@@ -1,4 +1,4 @@
-/* ssl/ssl_cert.c */
+/*! \file ssl/ssl_cert.c */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -55,14 +55,82 @@
* copied and put under another distribution licence
* [including the GNU Public Licence.]
*/
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ * software must display the following acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ * endorse or promote products derived from this software without
+ * prior written permission. For written permission, please contact
+ * openssl-core@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ * nor may "OpenSSL" appear in their names without prior written
+ * permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ * acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ */
#include <stdio.h>
-#include "objects.h"
-#include "bio.h"
-#include "pem.h"
+#include <sys/types.h>
+#if !defined(WIN32) && !defined(VSM) && !defined(NeXT)
+#include <dirent.h>
+#endif
+#ifdef NeXT
+#include <sys/dir.h>
+#define dirent direct
+#endif
+#include <openssl/objects.h>
+#include <openssl/bio.h>
+#include <openssl/pem.h>
#include "ssl_locl.h"
-CERT *ssl_cert_new()
+int SSL_get_ex_data_X509_STORE_CTX_idx(void)
+ {
+ static int ssl_x509_store_ctx_idx= -1;
+
+ if (ssl_x509_store_ctx_idx < 0)
+ {
+ ssl_x509_store_ctx_idx=X509_STORE_CTX_get_ex_new_index(
+ 0,"SSL for verify callback",NULL,NULL,NULL);
+ }
+ return(ssl_x509_store_ctx_idx);
+ }
+
+CERT *ssl_cert_new(void)
{
CERT *ret;
@@ -73,14 +141,6 @@ CERT *ssl_cert_new()
return(NULL);
}
memset(ret,0,sizeof(CERT));
-/*
- ret->valid=0;
- ret->mask=0;
- ret->export_mask=0;
- ret->cert_type=0;
- ret->key->x509=NULL;
- ret->key->publickey=NULL;
- ret->key->privatekey=NULL; */
ret->key= &(ret->pkeys[SSL_PKEY_RSA_ENC]);
ret->references=1;
@@ -88,11 +148,132 @@ CERT *ssl_cert_new()
return(ret);
}
-void ssl_cert_free(c)
-CERT *c;
+CERT *ssl_cert_dup(CERT *cert)
+ {
+ CERT *ret;
+ int i;
+
+ ret = (CERT *)Malloc(sizeof(CERT));
+ if (ret == NULL)
+ {
+ SSLerr(SSL_F_SSL_CERT_DUP, ERR_R_MALLOC_FAILURE);
+ return(NULL);
+ }
+
+ memset(ret, 0, sizeof(CERT));
+
+ ret->key = &ret->pkeys[cert->key - &cert->pkeys[0]];
+ /* or ret->key = ret->pkeys + (cert->key - cert->pkeys),
+ * if you find that more readable */
+
+ ret->valid = cert->valid;
+ ret->mask = cert->mask;
+ ret->export_mask = cert->export_mask;
+
+#ifndef NO_RSA
+ if (cert->rsa_tmp != NULL)
+ {
+ ret->rsa_tmp = cert->rsa_tmp;
+ CRYPTO_add(&ret->rsa_tmp->references, 1, CRYPTO_LOCK_RSA);
+ }
+ ret->rsa_tmp_cb = cert->rsa_tmp_cb;
+#endif
+
+#ifndef NO_DH
+ if (cert->dh_tmp != NULL)
+ {
+ /* DH parameters don't have a reference count (and cannot
+ * reasonably be shared anyway, as the secret exponent may
+ * be created just when it is needed -- earlier library
+ * versions did not pay attention to this) */
+ ret->dh_tmp = DHparams_dup(cert->dh_tmp);
+ if (ret->dh_tmp == NULL)
+ {
+ SSLerr(SSL_F_SSL_CERT_NEW, ERR_R_DH_LIB);
+ goto err;
+ }
+ }
+ ret->dh_tmp_cb = cert->dh_tmp_cb;
+#endif
+
+ for (i = 0; i < SSL_PKEY_NUM; i++)
+ {
+ if (cert->pkeys[i].x509 != NULL)
+ {
+ ret->pkeys[i].x509 = cert->pkeys[i].x509;
+ CRYPTO_add(&ret->pkeys[i].x509->references, 1,
+ CRYPTO_LOCK_X509);
+ }
+
+ if (cert->pkeys[i].privatekey != NULL)
+ {
+ ret->pkeys[i].privatekey = cert->pkeys[i].privatekey;
+ CRYPTO_add(&ret->pkeys[i].privatekey->references, 1,
+ CRYPTO_LOCK_EVP_PKEY);
+
+ switch(i)
+ {
+ /* If there was anything special to do for
+ * certain types of keys, we'd do it here.
+ * (Nothing at the moment, I think.) */
+
+ case SSL_PKEY_RSA_ENC:
+ case SSL_PKEY_RSA_SIGN:
+ /* We have an RSA key. */
+ break;
+
+ case SSL_PKEY_DSA_SIGN:
+ /* We have a DSA key. */
+ break;
+
+ case SSL_PKEY_DH_RSA:
+ case SSL_PKEY_DH_DSA:
+ /* We have a DH key. */
+ break;
+
+ default:
+ /* Can't happen. */
+ SSLerr(SSL_F_SSL_CERT_DUP, SSL_R_LIBRARY_BUG);
+ }
+ }
+ }
+
+ /* ret->extra_certs *should* exist, but currently the own certificate
+ * chain is held inside SSL_CTX */
+
+ ret->references=1;
+
+ return(ret);
+
+err:
+#ifndef NO_RSA
+ if (ret->rsa_tmp != NULL)
+ RSA_free(ret->rsa_tmp);
+#endif
+#ifndef NO_DH
+ if (ret->dh_tmp != NULL)
+ DH_free(ret->dh_tmp);
+#endif
+
+ for (i = 0; i < SSL_PKEY_NUM; i++)
+ {
+ if (ret->pkeys[i].x509 != NULL)
+ X509_free(ret->pkeys[i].x509);
+ if (ret->pkeys[i].privatekey != NULL)
+ EVP_PKEY_free(ret->pkeys[i].privatekey);
+ }
+
+ return NULL;
+ }
+
+
+void ssl_cert_free(CERT *c)
{
int i;
+ if(c == NULL)
+ return;
+
i=CRYPTO_add(&c->references,-1,CRYPTO_LOCK_SSL_CERT);
#ifdef REF_PRINT
REF_PRINT("CERT",c);
@@ -124,97 +305,188 @@ CERT *c;
EVP_PKEY_free(c->pkeys[i].publickey);
#endif
}
- if (c->cert_chain != NULL)
- sk_pop_free(c->cert_chain,X509_free);
Free(c);
}
-int ssl_set_cert_type(c, type)
-CERT *c;
-int type;
+int ssl_cert_inst(CERT **o)
{
- c->cert_type=type;
+ /* Create a CERT if there isn't already one
+ * (which cannot really happen, as it is initially created in
+ * SSL_CTX_new; but the earlier code usually allows for that one
+ * being non-existant, so we follow that behaviour, as it might
+ * turn out that there actually is a reason for it -- but I'm
+ * not sure that *all* of the existing code could cope with
+ * s->cert being NULL, otherwise we could do without the
+ * initialization in SSL_CTX_new).
+ */
+
+ if (o == NULL)
+ {
+ SSLerr(SSL_F_SSL_CERT_INST, ERR_R_PASSED_NULL_PARAMETER);
+ return(0);
+ }
+ if (*o == NULL)
+ {
+ if ((*o = ssl_cert_new()) == NULL)
+ {
+ SSLerr(SSL_F_SSL_CERT_INST, ERR_R_MALLOC_FAILURE);
+ return(0);
+ }
+ }
+ return(1);
+ }
+
+
+SESS_CERT *ssl_sess_cert_new(void)
+ {
+ SESS_CERT *ret;
+
+ ret = Malloc(sizeof *ret);
+ if (ret == NULL)
+ {
+ SSLerr(SSL_F_SSL_SESS_CERT_NEW, ERR_R_MALLOC_FAILURE);
+ return NULL;
+ }
+
+ memset(ret, 0 ,sizeof *ret);
+ ret->peer_key = &(ret->peer_pkeys[SSL_PKEY_RSA_ENC]);
+ ret->references = 1;
+
+ return ret;
+ }
+
+void ssl_sess_cert_free(SESS_CERT *sc)
+ {
+ int i;
+
+ if (sc == NULL)
+ return;
+
+ i = CRYPTO_add(&sc->references, -1, CRYPTO_LOCK_SSL_SESS_CERT);
+#ifdef REF_PRINT
+ REF_PRINT("SESS_CERT", sc);
+#endif
+ if (i > 0)
+ return;
+#ifdef REF_CHECK
+ if (i < 0)
+ {
+ fprintf(stderr,"ssl_sess_cert_free, bad reference count\n");
+ abort(); /* ok */
+ }
+#endif
+
+ /* i == 0 */
+ if (sc->cert_chain != NULL)
+ sk_X509_pop_free(sc->cert_chain, X509_free);
+ for (i = 0; i < SSL_PKEY_NUM; i++)
+ {
+ if (sc->peer_pkeys[i].x509 != NULL)
+ X509_free(sc->peer_pkeys[i].x509);
+#if 0 /* We don't have the peer's private key. These lines are just
+ * here as a reminder that we're still using a not-quite-appropriate
+ * data structure. */
+ if (sc->peer_pkeys[i].privatekey != NULL)
+ EVP_PKEY_free(sc->peer_pkeys[i].privatekey);
+#endif
+ }
+
+#ifndef NO_RSA
+ if (sc->peer_rsa_tmp != NULL)
+ RSA_free(sc->peer_rsa_tmp);
+#endif
+#ifndef NO_DH
+ if (sc->peer_dh_tmp != NULL)
+ DH_free(sc->peer_dh_tmp);
+#endif
+
+ Free(sc);
+ }
+
+int ssl_set_peer_cert_type(SESS_CERT *sc,int type)
+ {
+ sc->peer_cert_type = type;
return(1);
}
-int ssl_verify_cert_chain(s,sk)
-SSL *s;
-STACK *sk;
+int ssl_verify_cert_chain(SSL *s,STACK_OF(X509) *sk)
{
X509 *x;
int i;
X509_STORE_CTX ctx;
- if ((sk == NULL) || (sk_num(sk) == 0))
+ if ((sk == NULL) || (sk_X509_num(sk) == 0))
return(0);
- x=(X509 *)sk_value(sk,0);
+ x=sk_X509_value(sk,0);
X509_STORE_CTX_init(&ctx,s->ctx->cert_store,x,sk);
- X509_STORE_CTX_set_app_data(&ctx,(char *)s);
+ if (SSL_get_verify_depth(s) >= 0)
+ X509_STORE_CTX_set_depth(&ctx, SSL_get_verify_depth(s));
+ X509_STORE_CTX_set_ex_data(&ctx,SSL_get_ex_data_X509_STORE_CTX_idx(),
+ (char *)s);
if (s->ctx->app_verify_callback != NULL)
- i=s->ctx->app_verify_callback(&ctx);
+ i=s->ctx->app_verify_callback(&ctx); /* should pass app_verify_arg */
else
+ {
+#ifndef NO_X509_VERIFY
i=X509_verify_cert(&ctx);
+#else
+ i=0;
+ ctx.error=X509_V_ERR_APPLICATION_VERIFICATION;
+ SSLerr(SSL_F_SSL_VERIFY_CERT_CHAIN,SSL_R_NO_VERIFY_CALLBACK);
+#endif
+ }
- X509_STORE_CTX_cleanup(&ctx);
s->verify_result=ctx.error;
+ X509_STORE_CTX_cleanup(&ctx);
return(i);
}
-static void set_client_CA_list(ca_list,list)
-STACK **ca_list;
-STACK *list;
+static void set_client_CA_list(STACK_OF(X509_NAME) **ca_list,STACK_OF(X509_NAME) *list)
{
if (*ca_list != NULL)
- sk_pop_free(*ca_list,X509_NAME_free);
+ sk_X509_NAME_pop_free(*ca_list,X509_NAME_free);
*ca_list=list;
}
-STACK *SSL_dup_CA_list(sk)
-STACK *sk;
+STACK_OF(X509_NAME) *SSL_dup_CA_list(STACK_OF(X509_NAME) *sk)
{
int i;
- STACK *ret;
+ STACK_OF(X509_NAME) *ret;
X509_NAME *name;
- ret=sk_new_null();
- for (i=0; i<sk_num(sk); i++)
+ ret=sk_X509_NAME_new_null();
+ for (i=0; i<sk_X509_NAME_num(sk); i++)
{
- name=X509_NAME_dup((X509_NAME *)sk_value(sk,i));
- if ((name == NULL) || !sk_push(ret,(char *)name))
+ name=X509_NAME_dup(sk_X509_NAME_value(sk,i));
+ if ((name == NULL) || !sk_X509_NAME_push(ret,name))
{
- sk_pop_free(ret,X509_NAME_free);
+ sk_X509_NAME_pop_free(ret,X509_NAME_free);
return(NULL);
}
}
return(ret);
}
-void SSL_set_client_CA_list(s,list)
-SSL *s;
-STACK *list;
+void SSL_set_client_CA_list(SSL *s,STACK_OF(X509_NAME) *list)
{
set_client_CA_list(&(s->client_CA),list);
}
-void SSL_CTX_set_client_CA_list(ctx,list)
-SSL_CTX *ctx;
-STACK *list;
+void SSL_CTX_set_client_CA_list(SSL_CTX *ctx,STACK_OF(X509_NAME) *list)
{
set_client_CA_list(&(ctx->client_CA),list);
}
-STACK *SSL_CTX_get_client_CA_list(ctx)
-SSL_CTX *ctx;
+STACK_OF(X509_NAME) *SSL_CTX_get_client_CA_list(SSL_CTX *ctx)
{
return(ctx->client_CA);
}
-STACK *SSL_get_client_CA_list(s)
-SSL *s;
+STACK_OF(X509_NAME) *SSL_get_client_CA_list(SSL *s)
{
if (s->type == SSL_ST_CONNECT)
{ /* we are in the client */
@@ -233,20 +505,18 @@ SSL *s;
}
}
-static int add_client_CA(sk,x)
-STACK **sk;
-X509 *x;
+static int add_client_CA(STACK_OF(X509_NAME) **sk,X509 *x)
{
X509_NAME *name;
if (x == NULL) return(0);
- if ((*sk == NULL) && ((*sk=sk_new_null()) == NULL))
+ if ((*sk == NULL) && ((*sk=sk_X509_NAME_new_null()) == NULL))
return(0);
if ((name=X509_NAME_dup(X509_get_subject_name(x))) == NULL)
return(0);
- if (!sk_push(*sk,(char *)name))
+ if (!sk_X509_NAME_push(*sk,name))
{
X509_NAME_free(name);
return(0);
@@ -254,37 +524,39 @@ X509 *x;
return(1);
}
-int SSL_add_client_CA(ssl,x)
-SSL *ssl;
-X509 *x;
+int SSL_add_client_CA(SSL *ssl,X509 *x)
{
return(add_client_CA(&(ssl->client_CA),x));
}
-int SSL_CTX_add_client_CA(ctx,x)
-SSL_CTX *ctx;
-X509 *x;
+int SSL_CTX_add_client_CA(SSL_CTX *ctx,X509 *x)
{
return(add_client_CA(&(ctx->client_CA),x));
}
-static int name_cmp(a,b)
-X509_NAME **a,**b;
+static int name_cmp(X509_NAME **a,X509_NAME **b)
{
return(X509_NAME_cmp(*a,*b));
}
#ifndef NO_STDIO
-STACK *SSL_load_client_CA_file(file)
-char *file;
+/*!
+ * Load CA certs from a file into a ::STACK. Note that it is somewhat misnamed;
+ * it doesn't really have anything to do with clients (except that a common use
+ * for a stack of CAs is to send it to the client). Actually, it doesn't have
+ * much to do with CAs, either, since it will load any old cert.
+ * \param file the file containing one or more certs.
+ * \return a ::STACK containing the certs.
+ */
+STACK_OF(X509_NAME) *SSL_load_client_CA_file(const char *file)
{
BIO *in;
X509 *x=NULL;
X509_NAME *xn=NULL;
- STACK *ret,*sk;
+ STACK_OF(X509_NAME) *ret,*sk;
- ret=sk_new(NULL);
- sk=sk_new(name_cmp);
+ ret=sk_X509_NAME_new(NULL);
+ sk=sk_X509_NAME_new(name_cmp);
in=BIO_new(BIO_s_file_internal());
@@ -299,31 +571,146 @@ char *file;
for (;;)
{
- if (PEM_read_bio_X509(in,&x,NULL) == NULL)
+ if (PEM_read_bio_X509(in,&x,NULL,NULL) == NULL)
break;
if ((xn=X509_get_subject_name(x)) == NULL) goto err;
/* check for duplicates */
xn=X509_NAME_dup(xn);
if (xn == NULL) goto err;
- if (sk_find(sk,(char *)xn) >= 0)
+ if (sk_X509_NAME_find(sk,xn) >= 0)
X509_NAME_free(xn);
else
{
- sk_push(sk,(char *)xn);
- sk_push(ret,(char *)xn);
+ sk_X509_NAME_push(sk,xn);
+ sk_X509_NAME_push(ret,xn);
}
}
if (0)
{
err:
- if (ret != NULL) sk_pop_free(ret,X509_NAME_free);
+ if (ret != NULL) sk_X509_NAME_pop_free(ret,X509_NAME_free);
ret=NULL;
}
- if (sk != NULL) sk_free(sk);
+ if (sk != NULL) sk_X509_NAME_free(sk);
if (in != NULL) BIO_free(in);
if (x != NULL) X509_free(x);
return(ret);
}
#endif
+/*!
+ * Add a file of certs to a stack.
+ * \param stack the stack to add to.
+ * \param file the file to add from. All certs in this file that are not
+ * already in the stack will be added.
+ * \return 1 for success, 0 for failure. Note that in the case of failure some
+ * certs may have been added to \c stack.
+ */
+
+int SSL_add_file_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack,
+ const char *file)
+ {
+ BIO *in;
+ X509 *x=NULL;
+ X509_NAME *xn=NULL;
+ int ret=1;
+ int (*oldcmp)(X509_NAME **a, X509_NAME **b);
+
+ oldcmp=sk_X509_NAME_set_cmp_func(stack,name_cmp);
+
+ in=BIO_new(BIO_s_file_internal());
+
+ if (in == NULL)
+ {
+ SSLerr(SSL_F_SSL_ADD_FILE_CERT_SUBJECTS_TO_STACK,ERR_R_MALLOC_FAILURE);
+ goto err;
+ }
+
+ if (!BIO_read_filename(in,file))
+ goto err;
+
+ for (;;)
+ {
+ if (PEM_read_bio_X509(in,&x,NULL,NULL) == NULL)
+ break;
+ if ((xn=X509_get_subject_name(x)) == NULL) goto err;
+ xn=X509_NAME_dup(xn);
+ if (xn == NULL) goto err;
+ if (sk_X509_NAME_find(stack,xn) >= 0)
+ X509_NAME_free(xn);
+ else
+ sk_X509_NAME_push(stack,xn);
+ }
+
+ if (0)
+ {
+err:
+ ret=0;
+ }
+ if(in != NULL)
+ BIO_free(in);
+ if(x != NULL)
+ X509_free(x);
+
+ sk_X509_NAME_set_cmp_func(stack,oldcmp);
+
+ return ret;
+ }
+
+/*!
+ * Add a directory of certs to a stack.
+ * \param stack the stack to append to.
+ * \param dir the directory to append from. All files in this directory will be
+ * examined as potential certs. Any that are acceptable to
+ * SSL_add_dir_cert_subjects_to_stack() that are not already in the stack will be
+ * included.
+ * \return 1 for success, 0 for failure. Note that in the case of failure some
+ * certs may have been added to \c stack.
+ */
+
+#ifndef WIN32
+#ifndef VMS /* XXXX This may be fixed in the future */
+
+int SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack,
+ const char *dir)
+ {
+ DIR *d;
+ struct dirent *dstruct;
+ int ret = 0;
+
+ CRYPTO_w_lock(CRYPTO_LOCK_READDIR);
+ d = opendir(dir);
+
+ /* Note that a side effect is that the CAs will be sorted by name */
+ if(!d)
+ {
+ SYSerr(SYS_F_OPENDIR, get_last_sys_error());
+ ERR_add_error_data(3, "opendir('", dir, "')");
+ SSLerr(SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK, ERR_R_SYS_LIB);
+ goto err;
+ }
+
+ while((dstruct=readdir(d)))
+ {
+ char buf[1024];
+
+ if(strlen(dir)+strlen(dstruct->d_name)+2 > sizeof buf)
+ {
+ SSLerr(SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK,SSL_R_PATH_TOO_LONG);
+ goto err;
+ }
+
+ sprintf(buf,"%s/%s",dir,dstruct->d_name);
+ if(!SSL_add_file_cert_subjects_to_stack(stack,buf))
+ goto err;
+ }
+ ret = 1;
+
+err:
+ CRYPTO_w_unlock(CRYPTO_LOCK_READDIR);
+ return ret;
+ }
+
+#endif
+#endif
diff --git a/lib/libssl/src/ssl/ssl_ciph.c b/lib/libssl/src/ssl/ssl_ciph.c
index 820994408b3..4c2989c47a3 100644
--- a/lib/libssl/src/ssl/ssl_ciph.c
+++ b/lib/libssl/src/ssl/ssl_ciph.c
@@ -57,7 +57,8 @@
*/
#include <stdio.h>
-#include "objects.h"
+#include <openssl/objects.h>
+#include <openssl/comp.h>
#include "ssl_locl.h"
#define SSL_ENC_DES_IDX 0
@@ -69,14 +70,16 @@
#define SSL_ENC_NULL_IDX 6
#define SSL_ENC_NUM_IDX 7
-static EVP_CIPHER *ssl_cipher_methods[SSL_ENC_NUM_IDX]={
+static const EVP_CIPHER *ssl_cipher_methods[SSL_ENC_NUM_IDX]={
NULL,NULL,NULL,NULL,NULL,NULL,
};
+static STACK_OF(SSL_COMP) *ssl_comp_methods=NULL;
+
#define SSL_MD_MD5_IDX 0
#define SSL_MD_SHA1_IDX 1
#define SSL_MD_NUM_IDX 2
-static EVP_MD *ssl_digest_methods[SSL_MD_NUM_IDX]={
+static const EVP_MD *ssl_digest_methods[SSL_MD_NUM_IDX]={
NULL,NULL,
};
@@ -108,7 +111,8 @@ typedef struct cipher_order_st
} CIPHER_ORDER;
static SSL_CIPHER cipher_aliases[]={
- {0,SSL_TXT_ALL, 0,SSL_ALL, 0,SSL_ALL}, /* must be first */
+ /* Don't include eNULL unless specifically enabled */
+ {0,SSL_TXT_ALL, 0,SSL_ALL & ~SSL_eNULL, 0,SSL_ALL}, /* must be first */
{0,SSL_TXT_kRSA,0,SSL_kRSA, 0,SSL_MKEY_MASK},
{0,SSL_TXT_kDHr,0,SSL_kDHr, 0,SSL_MKEY_MASK},
{0,SSL_TXT_kDHd,0,SSL_kDHd, 0,SSL_MKEY_MASK},
@@ -141,25 +145,26 @@ static SSL_CIPHER cipher_aliases[]={
{0,SSL_TXT_ADH, 0,SSL_ADH, 0,SSL_AUTH_MASK|SSL_MKEY_MASK},
{0,SSL_TXT_FZA, 0,SSL_FZA, 0,SSL_AUTH_MASK|SSL_MKEY_MASK|SSL_ENC_MASK},
- {0,SSL_TXT_EXP, 0,SSL_EXP, 0,SSL_EXP_MASK},
- {0,SSL_TXT_EXPORT,0,SSL_EXPORT,0,SSL_EXP_MASK},
- {0,SSL_TXT_SSLV2,0,SSL_SSLV2,0,SSL_SSL_MASK},
- {0,SSL_TXT_SSLV3,0,SSL_SSLV3,0,SSL_SSL_MASK},
- {0,SSL_TXT_LOW, 0,SSL_LOW,0,SSL_STRONG_MASK},
+ {0,SSL_TXT_EXP40, 0,SSL_EXP40, 0,SSL_EXP_MASK},
+ {0,SSL_TXT_EXPORT,0,SSL_EXP40, 0,SSL_EXP_MASK},
+ {0,SSL_TXT_EXP56, 0,SSL_EXP56, 0,SSL_EXP_MASK},
+ {0,SSL_TXT_SSLV2, 0,SSL_SSLV2, 0,SSL_SSL_MASK},
+ {0,SSL_TXT_SSLV3, 0,SSL_SSLV3, 0,SSL_SSL_MASK},
+ {0,SSL_TXT_TLSV1, 0,SSL_TLSV1, 0,SSL_SSL_MASK},
+ {0,SSL_TXT_LOW, 0,SSL_LOW, 0,SSL_STRONG_MASK},
{0,SSL_TXT_MEDIUM,0,SSL_MEDIUM,0,SSL_STRONG_MASK},
- {0,SSL_TXT_HIGH, 0,SSL_HIGH,0,SSL_STRONG_MASK},
+ {0,SSL_TXT_HIGH, 0,SSL_HIGH, 0,SSL_STRONG_MASK},
};
static int init_ciphers=1;
static void load_ciphers();
-static int cmp_by_name(a,b)
-SSL_CIPHER **a,**b;
+static int cmp_by_name(SSL_CIPHER **a, SSL_CIPHER **b)
{
return(strcmp((*a)->name,(*b)->name));
}
-static void load_ciphers()
+static void load_ciphers(void)
{
init_ciphers=0;
ssl_cipher_methods[SSL_ENC_DES_IDX]=
@@ -179,14 +184,38 @@ static void load_ciphers()
EVP_get_digestbyname(SN_sha1);
}
-int ssl_cipher_get_evp(c,enc,md)
-SSL_CIPHER *c;
-EVP_CIPHER **enc;
-EVP_MD **md;
+int ssl_cipher_get_evp(SSL_SESSION *s, const EVP_CIPHER **enc,
+ const EVP_MD **md, SSL_COMP **comp)
{
int i;
+ SSL_CIPHER *c;
+ c=s->cipher;
if (c == NULL) return(0);
+ if (comp != NULL)
+ {
+ SSL_COMP ctmp;
+
+ if (s->compress_meth == 0)
+ *comp=NULL;
+ else if (ssl_comp_methods == NULL)
+ {
+ /* bad */
+ *comp=NULL;
+ }
+ else
+ {
+
+ ctmp.id=s->compress_meth;
+ i=sk_SSL_COMP_find(ssl_comp_methods,&ctmp);
+ if (i >= 0)
+ *comp=sk_SSL_COMP_value(ssl_comp_methods,i);
+ else
+ *comp=NULL;
+ }
+ }
+
+ if ((enc == NULL) || (md == NULL)) return(0);
switch (c->algorithms & SSL_ENC_MASK)
{
@@ -208,7 +237,6 @@ EVP_MD **md;
case SSL_eNULL:
i=SSL_ENC_NULL_IDX;
break;
- break;
default:
i= -1;
break;
@@ -250,8 +278,8 @@ EVP_MD **md;
#define ITEM_SEP(a) \
(((a) == ':') || ((a) == ' ') || ((a) == ';') || ((a) == ','))
-static void ll_append_tail(head,curr,tail)
-CIPHER_ORDER **head,*curr,**tail;
+static void ll_append_tail(CIPHER_ORDER **head, CIPHER_ORDER *curr,
+ CIPHER_ORDER **tail)
{
if (curr == *tail) return;
if (curr == *head)
@@ -266,14 +294,14 @@ CIPHER_ORDER **head,*curr,**tail;
*tail=curr;
}
-STACK *ssl_create_cipher_list(ssl_method,cipher_list,cipher_list_by_id,str)
-SSL_METHOD *ssl_method;
-STACK **cipher_list,**cipher_list_by_id;
-char *str;
+STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_METHOD *ssl_method,
+ STACK_OF(SSL_CIPHER) **cipher_list,
+ STACK_OF(SSL_CIPHER) **cipher_list_by_id,
+ char *str)
{
SSL_CIPHER *c;
char *l;
- STACK *ret=NULL,*ok=NULL;
+ STACK_OF(SSL_CIPHER) *ret=NULL,*ok=NULL;
#define CL_BUF 40
char buf[CL_BUF];
char *tmp_str=NULL;
@@ -308,7 +336,7 @@ char *str;
num=ssl_method->num_ciphers();
- if ((ret=(STACK *)sk_new(NULL)) == NULL) goto err;
+ if ((ret=sk_SSL_CIPHER_new(NULL)) == NULL) goto err;
if ((ca_list=(STACK *)sk_new(cmp_by_name)) == NULL) goto err;
mask =SSL_kFZA;
@@ -322,7 +350,7 @@ char *str;
mask|=SSL_kDHr|SSL_kDHd|SSL_kEDH|SSL_aDH;
#endif
-#ifndef SSL_ALLOW_ENULL
+#ifdef SSL_FORBID_ENULL
mask|=SSL_eNULL;
#endif
@@ -372,7 +400,7 @@ char *str;
}
/* special case */
- cipher_aliases[0].algorithms= ~mask;
+ cipher_aliases[0].algorithms &= ~mask;
/* get the aliases */
k=sizeof(cipher_aliases)/sizeof(SSL_CIPHER);
@@ -430,10 +458,14 @@ char *str;
{
ch= *l;
i=0;
+#ifndef CHARSET_EBCDIC
while ( ((ch >= 'A') && (ch <= 'Z')) ||
((ch >= '0') && (ch <= '9')) ||
((ch >= 'a') && (ch <= 'z')) ||
(ch == '-'))
+#else
+ while ( isalnum(ch) || (ch == '-'))
+#endif
{
buf[i]=ch;
ch= *(++l);
@@ -541,7 +573,7 @@ end_loop:
{
if (curr->active)
{
- sk_push(ret,(char *)curr->cipher);
+ sk_SSL_CIPHER_push(ret,curr->cipher);
#ifdef CIPHER_DEBUG
printf("<%s>\n",curr->cipher->name);
#endif
@@ -551,15 +583,15 @@ end_loop:
if (cipher_list != NULL)
{
if (*cipher_list != NULL)
- sk_free(*cipher_list);
+ sk_SSL_CIPHER_free(*cipher_list);
*cipher_list=ret;
}
if (cipher_list_by_id != NULL)
{
if (*cipher_list_by_id != NULL)
- sk_free(*cipher_list_by_id);
- *cipher_list_by_id=sk_dup(ret);
+ sk_SSL_CIPHER_free(*cipher_list_by_id);
+ *cipher_list_by_id=sk_SSL_CIPHER_dup(ret);
}
if ( (cipher_list_by_id == NULL) ||
@@ -567,25 +599,22 @@ end_loop:
(cipher_list == NULL) ||
(*cipher_list == NULL))
goto err;
- sk_set_cmp_func(*cipher_list_by_id,ssl_cipher_ptr_id_cmp);
+ sk_SSL_CIPHER_set_cmp_func(*cipher_list_by_id,ssl_cipher_ptr_id_cmp);
ok=ret;
ret=NULL;
err:
if (tmp_str) Free(tmp_str);
if (ops != NULL) Free(ops);
- if (ret != NULL) sk_free(ret);
+ if (ret != NULL) sk_SSL_CIPHER_free(ret);
if (ca_list != NULL) sk_free(ca_list);
if (list != NULL) Free(list);
return(ok);
}
-char *SSL_CIPHER_description(cipher,buf,len)
-SSL_CIPHER *cipher;
-char *buf;
-int len;
+char *SSL_CIPHER_description(SSL_CIPHER *cipher, char *buf, int len)
{
- int export;
+ int is_export,pkl,kl;
char *ver,*exp;
char *kx,*au,*enc,*mac;
unsigned long alg,alg2;
@@ -594,8 +623,10 @@ int len;
alg=cipher->algorithms;
alg2=cipher->algorithm2;
- export=(alg&SSL_EXP)?1:0;
- exp=(export)?" export":"";
+ is_export=SSL_IS_EXPORT(alg);
+ pkl=SSL_EXPORT_PKEYLENGTH(alg);
+ kl=SSL_EXPORT_KEYLENGTH(alg);
+ exp=is_export?" export":"";
if (alg & SSL_SSLV2)
ver="SSLv2";
@@ -607,7 +638,7 @@ int len;
switch (alg&SSL_MKEY_MASK)
{
case SSL_kRSA:
- kx=(export)?"RSA(512)":"RSA";
+ kx=is_export?(pkl == 512 ? "RSA(512)" : "RSA(1024)"):"RSA";
break;
case SSL_kDHr:
kx="DH/RSA";
@@ -619,7 +650,7 @@ int len;
kx="Fortezza";
break;
case SSL_kEDH:
- kx=(export)?"DH(512)":"DH";
+ kx=is_export?(pkl == 512 ? "DH(512)" : "DH(1024)"):"DH";
break;
default:
kx="unknown";
@@ -648,16 +679,17 @@ int len;
switch (alg&SSL_ENC_MASK)
{
case SSL_DES:
- enc=export?"DES(40)":"DES(56)";
+ enc=(is_export && kl == 5)?"DES(40)":"DES(56)";
break;
case SSL_3DES:
enc="3DES(168)";
break;
case SSL_RC4:
- enc=export?"RC4(40)":((alg2&SSL2_CF_8_BYTE_ENC)?"RC4(64)":"RC4(128)");
+ enc=is_export?(kl == 5 ? "RC4(40)" : "RC4(56)")
+ :((alg2&SSL2_CF_8_BYTE_ENC)?"RC4(64)":"RC4(128)");
break;
case SSL_RC2:
- enc=export?"RC2(40)":"RC2(128)";
+ enc=is_export?(kl == 5 ? "RC2(40)" : "RC2(56)"):"RC2(128)";
break;
case SSL_IDEA:
enc="IDEA(128)";
@@ -698,8 +730,7 @@ int len;
return(buf);
}
-char *SSL_CIPHER_get_version(c)
-SSL_CIPHER *c;
+char *SSL_CIPHER_get_version(SSL_CIPHER *c)
{
int i;
@@ -714,8 +745,7 @@ SSL_CIPHER *c;
}
/* return the actual cipher being used */
-char *SSL_CIPHER_get_name(c)
-SSL_CIPHER *c;
+const char *SSL_CIPHER_get_name(SSL_CIPHER *c)
{
if (c != NULL)
return(c->name);
@@ -723,24 +753,24 @@ SSL_CIPHER *c;
}
/* number of bits for symetric cipher */
-int SSL_CIPHER_get_bits(c,alg_bits)
-SSL_CIPHER *c;
-int *alg_bits;
+int SSL_CIPHER_get_bits(SSL_CIPHER *c, int *alg_bits)
{
int ret=0,a=0;
- EVP_CIPHER *enc;
- EVP_MD *md;
+ const EVP_CIPHER *enc;
+ const EVP_MD *md;
+ SSL_SESSION ss;
if (c != NULL)
{
- if (!ssl_cipher_get_evp(c,&enc,&md))
+ ss.cipher=c;
+ if (!ssl_cipher_get_evp(&ss,&enc,&md,NULL))
return(0);
a=EVP_CIPHER_key_length(enc)*8;
- if (c->algorithms & SSL_EXP)
+ if (SSL_C_IS_EXPORT(c))
{
- ret=40;
+ ret=SSL_C_EXPORT_KEYLENGTH(c)*8;
}
else
{
@@ -756,3 +786,50 @@ int *alg_bits;
return(ret);
}
+SSL_COMP *ssl3_comp_find(STACK_OF(SSL_COMP) *sk, int n)
+ {
+ SSL_COMP *ctmp;
+ int i,nn;
+
+ if ((n == 0) || (sk == NULL)) return(NULL);
+ nn=sk_SSL_COMP_num(sk);
+ for (i=0; i<nn; i++)
+ {
+ ctmp=sk_SSL_COMP_value(sk,i);
+ if (ctmp->id == n)
+ return(ctmp);
+ }
+ return(NULL);
+ }
+
+static int sk_comp_cmp(SSL_COMP **a,SSL_COMP **b)
+ {
+ return((*a)->id-(*b)->id);
+ }
+
+STACK_OF(SSL_COMP) *SSL_COMP_get_compression_methods(void)
+ {
+ return(ssl_comp_methods);
+ }
+
+int SSL_COMP_add_compression_method(int id, COMP_METHOD *cm)
+ {
+ SSL_COMP *comp;
+ STACK_OF(SSL_COMP) *sk;
+
+ comp=(SSL_COMP *)Malloc(sizeof(SSL_COMP));
+ comp->id=id;
+ comp->method=cm;
+ if (ssl_comp_methods == NULL)
+ sk=ssl_comp_methods=sk_SSL_COMP_new(sk_comp_cmp);
+ else
+ sk=ssl_comp_methods;
+ if ((sk == NULL) || !sk_SSL_COMP_push(sk,comp))
+ {
+ SSLerr(SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD,ERR_R_MALLOC_FAILURE);
+ return(0);
+ }
+ else
+ return(1);
+ }
+
diff --git a/lib/libssl/src/ssl/ssl_err.c b/lib/libssl/src/ssl/ssl_err.c
index bcbb98591f3..3ddc805b537 100644
--- a/lib/libssl/src/ssl/ssl_err.c
+++ b/lib/libssl/src/ssl/ssl_err.c
@@ -1,63 +1,65 @@
-/* lib/ssl/ssl_err.c */
-/* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
+/* ssl/ssl_err.c */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project. All rights reserved.
*
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to. The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code. The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
- * 1. Redistributions of source code must retain the copyright
- * notice, this list of conditions and the following disclaimer.
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
* 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * "This product includes cryptographic software written by
- * Eric Young (eay@cryptsoft.com)"
- * The word 'cryptographic' can be left out if the rouines from the library
- * being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- * the apps directory (application code) you must include an acknowledgement:
- * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed. i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ * software must display the following acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ * endorse or promote products derived from this software without
+ * prior written permission. For written permission, please contact
+ * openssl-core@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ * nor may "OpenSSL" appear in their names without prior written
+ * permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ * acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com). This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
*/
+
+/* NOTE: this file was auto generated by the mkerr.pl script: any changes
+ * made to it will be overwritten when the script next updates this file.
+ */
+
#include <stdio.h>
-#include "err.h"
-#include "ssl.h"
+#include <openssl/err.h>
+#include <openssl/ssl.h>
/* BEGIN ERROR CODES */
#ifndef NO_ERR
@@ -96,6 +98,7 @@ static ERR_STRING_DATA SSL_str_functs[]=
{ERR_PACK(0,SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,0), "SSL3_CHECK_CERT_AND_ALGORITHM"},
{ERR_PACK(0,SSL_F_SSL3_CLIENT_HELLO,0), "SSL3_CLIENT_HELLO"},
{ERR_PACK(0,SSL_F_SSL3_CONNECT,0), "SSL3_CONNECT"},
+{ERR_PACK(0,SSL_F_SSL3_CTRL,0), "SSL3_CTRL"},
{ERR_PACK(0,SSL_F_SSL3_CTX_CTRL,0), "SSL3_CTX_CTRL"},
{ERR_PACK(0,SSL_F_SSL3_ENC,0), "SSL3_ENC"},
{ERR_PACK(0,SSL_F_SSL3_GET_CERTIFICATE_REQUEST,0), "SSL3_GET_CERTIFICATE_REQUEST"},
@@ -123,16 +126,25 @@ static ERR_STRING_DATA SSL_str_functs[]=
{ERR_PACK(0,SSL_F_SSL3_SETUP_KEY_BLOCK,0), "SSL3_SETUP_KEY_BLOCK"},
{ERR_PACK(0,SSL_F_SSL3_WRITE_BYTES,0), "SSL3_WRITE_BYTES"},
{ERR_PACK(0,SSL_F_SSL3_WRITE_PENDING,0), "SSL3_WRITE_PENDING"},
+{ERR_PACK(0,SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK,0), "SSL_add_dir_cert_subjects_to_stack"},
+{ERR_PACK(0,SSL_F_SSL_ADD_FILE_CERT_SUBJECTS_TO_STACK,0), "SSL_add_file_cert_subjects_to_stack"},
{ERR_PACK(0,SSL_F_SSL_BAD_METHOD,0), "SSL_BAD_METHOD"},
{ERR_PACK(0,SSL_F_SSL_BYTES_TO_CIPHER_LIST,0), "SSL_BYTES_TO_CIPHER_LIST"},
+{ERR_PACK(0,SSL_F_SSL_CERT_DUP,0), "SSL_CERT_DUP"},
+{ERR_PACK(0,SSL_F_SSL_CERT_INST,0), "SSL_CERT_INST"},
+{ERR_PACK(0,SSL_F_SSL_CERT_INSTANTIATE,0), "SSL_CERT_INSTANTIATE"},
{ERR_PACK(0,SSL_F_SSL_CERT_NEW,0), "SSL_CERT_NEW"},
{ERR_PACK(0,SSL_F_SSL_CHECK_PRIVATE_KEY,0), "SSL_check_private_key"},
+{ERR_PACK(0,SSL_F_SSL_CLEAR,0), "SSL_clear"},
+{ERR_PACK(0,SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD,0), "SSL_COMP_add_compression_method"},
{ERR_PACK(0,SSL_F_SSL_CREATE_CIPHER_LIST,0), "SSL_CREATE_CIPHER_LIST"},
{ERR_PACK(0,SSL_F_SSL_CTX_CHECK_PRIVATE_KEY,0), "SSL_CTX_check_private_key"},
{ERR_PACK(0,SSL_F_SSL_CTX_NEW,0), "SSL_CTX_new"},
+{ERR_PACK(0,SSL_F_SSL_CTX_SET_SESSION_ID_CONTEXT,0), "SSL_CTX_set_session_id_context"},
{ERR_PACK(0,SSL_F_SSL_CTX_SET_SSL_VERSION,0), "SSL_CTX_set_ssl_version"},
{ERR_PACK(0,SSL_F_SSL_CTX_USE_CERTIFICATE,0), "SSL_CTX_use_certificate"},
{ERR_PACK(0,SSL_F_SSL_CTX_USE_CERTIFICATE_ASN1,0), "SSL_CTX_use_certificate_ASN1"},
+{ERR_PACK(0,SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE,0), "SSL_CTX_use_certificate_chain_file"},
{ERR_PACK(0,SSL_F_SSL_CTX_USE_CERTIFICATE_FILE,0), "SSL_CTX_use_certificate_file"},
{ERR_PACK(0,SSL_F_SSL_CTX_USE_PRIVATEKEY,0), "SSL_CTX_use_PrivateKey"},
{ERR_PACK(0,SSL_F_SSL_CTX_USE_PRIVATEKEY_ASN1,0), "SSL_CTX_use_PrivateKey_ASN1"},
@@ -142,21 +154,26 @@ static ERR_STRING_DATA SSL_str_functs[]=
{ERR_PACK(0,SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE,0), "SSL_CTX_use_RSAPrivateKey_file"},
{ERR_PACK(0,SSL_F_SSL_DO_HANDSHAKE,0), "SSL_do_handshake"},
{ERR_PACK(0,SSL_F_SSL_GET_NEW_SESSION,0), "SSL_GET_NEW_SESSION"},
+{ERR_PACK(0,SSL_F_SSL_GET_PREV_SESSION,0), "SSL_GET_PREV_SESSION"},
{ERR_PACK(0,SSL_F_SSL_GET_SERVER_SEND_CERT,0), "SSL_GET_SERVER_SEND_CERT"},
{ERR_PACK(0,SSL_F_SSL_GET_SIGN_PKEY,0), "SSL_GET_SIGN_PKEY"},
{ERR_PACK(0,SSL_F_SSL_INIT_WBIO_BUFFER,0), "SSL_INIT_WBIO_BUFFER"},
{ERR_PACK(0,SSL_F_SSL_LOAD_CLIENT_CA_FILE,0), "SSL_load_client_CA_file"},
{ERR_PACK(0,SSL_F_SSL_NEW,0), "SSL_new"},
+{ERR_PACK(0,SSL_F_SSL_READ,0), "SSL_read"},
{ERR_PACK(0,SSL_F_SSL_RSA_PRIVATE_DECRYPT,0), "SSL_RSA_PRIVATE_DECRYPT"},
{ERR_PACK(0,SSL_F_SSL_RSA_PUBLIC_ENCRYPT,0), "SSL_RSA_PUBLIC_ENCRYPT"},
{ERR_PACK(0,SSL_F_SSL_SESSION_NEW,0), "SSL_SESSION_new"},
{ERR_PACK(0,SSL_F_SSL_SESSION_PRINT_FP,0), "SSL_SESSION_print_fp"},
+{ERR_PACK(0,SSL_F_SSL_SESS_CERT_NEW,0), "SSL_SESS_CERT_NEW"},
{ERR_PACK(0,SSL_F_SSL_SET_CERT,0), "SSL_SET_CERT"},
{ERR_PACK(0,SSL_F_SSL_SET_FD,0), "SSL_set_fd"},
{ERR_PACK(0,SSL_F_SSL_SET_PKEY,0), "SSL_SET_PKEY"},
{ERR_PACK(0,SSL_F_SSL_SET_RFD,0), "SSL_set_rfd"},
{ERR_PACK(0,SSL_F_SSL_SET_SESSION,0), "SSL_set_session"},
+{ERR_PACK(0,SSL_F_SSL_SET_SESSION_ID_CONTEXT,0), "SSL_set_session_id_context"},
{ERR_PACK(0,SSL_F_SSL_SET_WFD,0), "SSL_set_wfd"},
+{ERR_PACK(0,SSL_F_SSL_SHUTDOWN,0), "SSL_shutdown"},
{ERR_PACK(0,SSL_F_SSL_UNDEFINED_FUNCTION,0), "SSL_UNDEFINED_FUNCTION"},
{ERR_PACK(0,SSL_F_SSL_USE_CERTIFICATE,0), "SSL_use_certificate"},
{ERR_PACK(0,SSL_F_SSL_USE_CERTIFICATE_ASN1,0), "SSL_use_certificate_ASN1"},
@@ -167,17 +184,19 @@ static ERR_STRING_DATA SSL_str_functs[]=
{ERR_PACK(0,SSL_F_SSL_USE_RSAPRIVATEKEY,0), "SSL_use_RSAPrivateKey"},
{ERR_PACK(0,SSL_F_SSL_USE_RSAPRIVATEKEY_ASN1,0), "SSL_use_RSAPrivateKey_ASN1"},
{ERR_PACK(0,SSL_F_SSL_USE_RSAPRIVATEKEY_FILE,0), "SSL_use_RSAPrivateKey_file"},
+{ERR_PACK(0,SSL_F_SSL_VERIFY_CERT_CHAIN,0), "SSL_VERIFY_CERT_CHAIN"},
{ERR_PACK(0,SSL_F_SSL_WRITE,0), "SSL_write"},
{ERR_PACK(0,SSL_F_TLS1_CHANGE_CIPHER_STATE,0), "TLS1_CHANGE_CIPHER_STATE"},
{ERR_PACK(0,SSL_F_TLS1_ENC,0), "TLS1_ENC"},
{ERR_PACK(0,SSL_F_TLS1_SETUP_KEY_BLOCK,0), "TLS1_SETUP_KEY_BLOCK"},
{ERR_PACK(0,SSL_F_WRITE_PENDING,0), "WRITE_PENDING"},
-{0,NULL},
+{0,NULL}
};
static ERR_STRING_DATA SSL_str_reasons[]=
{
{SSL_R_APP_DATA_IN_HANDSHAKE ,"app data in handshake"},
+{SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT,"attempt to reuse session in different context"},
{SSL_R_BAD_ALERT_RECORD ,"bad alert record"},
{SSL_R_BAD_AUTHENTICATION_TYPE ,"bad authentication type"},
{SSL_R_BAD_CHANGE_CIPHER_SPEC ,"bad change cipher spec"},
@@ -190,6 +209,7 @@ static ERR_STRING_DATA SSL_str_reasons[]=
{SSL_R_BAD_DH_P_LENGTH ,"bad dh p length"},
{SSL_R_BAD_DIGEST_LENGTH ,"bad digest length"},
{SSL_R_BAD_DSA_SIGNATURE ,"bad dsa signature"},
+{SSL_R_BAD_LENGTH ,"bad length"},
{SSL_R_BAD_MAC_DECODE ,"bad mac decode"},
{SSL_R_BAD_MESSAGE_TYPE ,"bad message type"},
{SSL_R_BAD_PACKET_LENGTH ,"bad packet length"},
@@ -219,6 +239,7 @@ static ERR_STRING_DATA SSL_str_reasons[]=
{SSL_R_CIPHER_TABLE_SRC_ERROR ,"cipher table src error"},
{SSL_R_COMPRESSED_LENGTH_TOO_LONG ,"compressed length too long"},
{SSL_R_COMPRESSION_FAILURE ,"compression failure"},
+{SSL_R_COMPRESSION_LIBRARY_ERROR ,"compression library error"},
{SSL_R_CONNECTION_ID_IS_DIFFERENT ,"connection id is different"},
{SSL_R_CONNECTION_TYPE_NOT_SET ,"connection type not set"},
{SSL_R_DATA_BETWEEN_CCS_AND_FINISHED ,"data between ccs and finished"},
@@ -237,6 +258,7 @@ static ERR_STRING_DATA SSL_str_reasons[]=
{SSL_R_INVALID_CHALLENGE_LENGTH ,"invalid challenge length"},
{SSL_R_LENGTH_MISMATCH ,"length mismatch"},
{SSL_R_LENGTH_TOO_SHORT ,"length too short"},
+{SSL_R_LIBRARY_BUG ,"library bug"},
{SSL_R_LIBRARY_HAS_NO_CIPHERS ,"library has no ciphers"},
{SSL_R_MISSING_DH_DSA_CERT ,"missing dh dsa cert"},
{SSL_R_MISSING_DH_KEY ,"missing dh key"},
@@ -264,15 +286,18 @@ static ERR_STRING_DATA SSL_str_reasons[]=
{SSL_R_NO_CIPHER_MATCH ,"no cipher match"},
{SSL_R_NO_CLIENT_CERT_RECEIVED ,"no client cert received"},
{SSL_R_NO_COMPRESSION_SPECIFIED ,"no compression specified"},
+{SSL_R_NO_METHOD_SPECIFIED ,"no method specified"},
{SSL_R_NO_PRIVATEKEY ,"no privatekey"},
{SSL_R_NO_PRIVATE_KEY_ASSIGNED ,"no private key assigned"},
{SSL_R_NO_PROTOCOLS_AVAILABLE ,"no protocols available"},
{SSL_R_NO_PUBLICKEY ,"no publickey"},
{SSL_R_NO_SHARED_CIPHER ,"no shared cipher"},
+{SSL_R_NO_VERIFY_CALLBACK ,"no verify callback"},
{SSL_R_NULL_SSL_CTX ,"null ssl ctx"},
{SSL_R_NULL_SSL_METHOD_PASSED ,"null ssl method passed"},
{SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED ,"old session cipher not returned"},
{SSL_R_PACKET_LENGTH_TOO_LONG ,"packet length too long"},
+{SSL_R_PATH_TOO_LONG ,"path too long"},
{SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE ,"peer did not return a certificate"},
{SSL_R_PEER_ERROR ,"peer error"},
{SSL_R_PEER_ERROR_CERTIFICATE ,"peer error certificate"},
@@ -293,8 +318,10 @@ static ERR_STRING_DATA SSL_str_reasons[]=
{SSL_R_REUSE_CERT_LENGTH_NOT_ZERO ,"reuse cert length not zero"},
{SSL_R_REUSE_CERT_TYPE_NOT_ZERO ,"reuse cert type not zero"},
{SSL_R_REUSE_CIPHER_LIST_NOT_ZERO ,"reuse cipher list not zero"},
+{SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED ,"session id context uninitialized"},
{SSL_R_SHORT_READ ,"short read"},
{SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE,"signature for non signing certificate"},
+{SSL_R_SSL23_DOING_SESSION_ID_REUSE ,"ssl23 doing session id reuse"},
{SSL_R_SSL3_SESSION_ID_TOO_SHORT ,"ssl3 session id too short"},
{SSL_R_SSLV3_ALERT_BAD_CERTIFICATE ,"sslv3 alert bad certificate"},
{SSL_R_SSLV3_ALERT_BAD_RECORD_MAC ,"sslv3 alert bad record mac"},
@@ -315,7 +342,20 @@ static ERR_STRING_DATA SSL_str_reasons[]=
{SSL_R_SSL_CTX_HAS_NO_DEFAULT_SSL_VERSION,"ssl ctx has no default ssl version"},
{SSL_R_SSL_HANDSHAKE_FAILURE ,"ssl handshake failure"},
{SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS ,"ssl library has no ciphers"},
+{SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG ,"ssl session id context too long"},
{SSL_R_SSL_SESSION_ID_IS_DIFFERENT ,"ssl session id is different"},
+{SSL_R_TLSV1_ALERT_ACCESS_DENIED ,"tlsv1 alert access denied"},
+{SSL_R_TLSV1_ALERT_DECODE_ERROR ,"tlsv1 alert decode error"},
+{SSL_R_TLSV1_ALERT_DECRYPTION_FAILED ,"tlsv1 alert decryption failed"},
+{SSL_R_TLSV1_ALERT_DECRYPT_ERROR ,"tlsv1 alert decrypt error"},
+{SSL_R_TLSV1_ALERT_EXPORT_RESTRICION ,"tlsv1 alert export restricion"},
+{SSL_R_TLSV1_ALERT_INSUFFICIENT_SECURITY ,"tlsv1 alert insufficient security"},
+{SSL_R_TLSV1_ALERT_INTERNAL_ERROR ,"tlsv1 alert internal error"},
+{SSL_R_TLSV1_ALERT_NO_RENEGOTIATION ,"tlsv1 alert no renegotiation"},
+{SSL_R_TLSV1_ALERT_PROTOCOL_VERSION ,"tlsv1 alert protocol version"},
+{SSL_R_TLSV1_ALERT_RECORD_OVERFLOW ,"tlsv1 alert record overflow"},
+{SSL_R_TLSV1_ALERT_UNKNOWN_CA ,"tlsv1 alert unknown ca"},
+{SSL_R_TLSV1_ALERT_USER_CANCLED ,"tlsv1 alert user cancled"},
{SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER,"tls client cert req with anon cipher"},
{SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST,"tls peer did not respond with certificate list"},
{SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG,"tls rsa encrypted value length is wrong"},
@@ -330,6 +370,7 @@ static ERR_STRING_DATA SSL_str_reasons[]=
{SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES ,"unable to load ssl3 sha1 routines"},
{SSL_R_UNEXPECTED_MESSAGE ,"unexpected message"},
{SSL_R_UNEXPECTED_RECORD ,"unexpected record"},
+{SSL_R_UNINITIALIZED ,"uninitialized"},
{SSL_R_UNKNOWN_ALERT_TYPE ,"unknown alert type"},
{SSL_R_UNKNOWN_CERTIFICATE_TYPE ,"unknown certificate type"},
{SSL_R_UNKNOWN_CIPHER_RETURNED ,"unknown cipher returned"},
@@ -353,17 +394,18 @@ static ERR_STRING_DATA SSL_str_reasons[]=
{SSL_R_WRONG_SSL_VERSION ,"wrong ssl version"},
{SSL_R_WRONG_VERSION_NUMBER ,"wrong version number"},
{SSL_R_X509_LIB ,"x509 lib"},
-{0,NULL},
+{SSL_R_X509_VERIFICATION_SETUP_PROBLEMS ,"x509 verification setup problems"},
+{0,NULL}
};
#endif
-void ERR_load_SSL_strings()
+void ERR_load_SSL_strings(void)
{
static int init=1;
- if (init);
- {;
+ if (init)
+ {
init=0;
#ifndef NO_ERR
ERR_load_strings(ERR_LIB_SSL,SSL_str_functs);
diff --git a/lib/libssl/src/ssl/ssl_err2.c b/lib/libssl/src/ssl/ssl_err2.c
index 0b91f7b8d23..cc089a612b1 100644
--- a/lib/libssl/src/ssl/ssl_err2.c
+++ b/lib/libssl/src/ssl/ssl_err2.c
@@ -57,10 +57,10 @@
*/
#include <stdio.h>
-#include "err.h"
-#include "ssl.h"
+#include <openssl/err.h>
+#include <openssl/ssl.h>
-void SSL_load_error_strings()
+void SSL_load_error_strings(void)
{
#ifndef NO_ERR
ERR_load_crypto_strings();
diff --git a/lib/libssl/src/ssl/ssl_lib.c b/lib/libssl/src/ssl/ssl_lib.c
index f562ec6b14d..e192fc4cac3 100644
--- a/lib/libssl/src/ssl/ssl_lib.c
+++ b/lib/libssl/src/ssl/ssl_lib.c
@@ -1,4 +1,6 @@
-/* ssl/ssl_lib.c */
+/*! \file ssl/ssl_lib.c
+ * \brief Version independent SSL functions.
+ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -57,18 +59,18 @@
*/
#include <stdio.h>
-#include "objects.h"
-#include "lhash.h"
+#include <openssl/objects.h>
+#include <openssl/lhash.h>
#include "ssl_locl.h"
-char *SSL_version_str="SSLeay 0.9.0b 29-Jun-1998";
+char *SSL_version_str=OPENSSL_VERSION_TEXT;
static STACK *ssl_meth=NULL;
static STACK *ssl_ctx_meth=NULL;
static int ssl_meth_num=0;
static int ssl_ctx_meth_num=0;
-SSL3_ENC_METHOD ssl3_undef_enc_method={
+OPENSSL_GLOBAL SSL3_ENC_METHOD ssl3_undef_enc_method={
ssl_undefined_function,
ssl_undefined_function,
ssl_undefined_function,
@@ -77,30 +79,36 @@ SSL3_ENC_METHOD ssl3_undef_enc_method={
ssl_undefined_function,
};
-void SSL_clear(s)
-SSL *s;
+int SSL_clear(SSL *s)
{
int state;
- if (s->method == NULL) return;
+ if (s->method == NULL)
+ {
+ SSLerr(SSL_F_SSL_CLEAR,SSL_R_NO_METHOD_SPECIFIED);
+ return(0);
+ }
s->error=0;
s->hit=0;
+ s->shutdown=0;
+#if 0
/* This is set if we are doing dynamic renegotiation so keep
* the old cipher. It is sort of a SSL_clear_lite :-) */
- if (s->new_session) return;
+ if (s->new_session) return(1);
+#endif
state=s->state; /* Keep to check if we throw away the session-id */
s->type=0;
+ s->state=SSL_ST_BEFORE|((s->server)?SSL_ST_ACCEPT:SSL_ST_CONNECT);
+
s->version=s->method->version;
+ s->client_version=s->version;
s->rwstate=SSL_NOTHING;
- s->state=SSL_ST_BEFORE;
s->rstate=SSL_ST_READ_HEADER;
- s->read_ahead=s->ctx->default_read_ahead;
-
-/* s->shutdown=(SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN); */
+ s->read_ahead=s->ctx->read_ahead;
if (s->init_buf != NULL)
{
@@ -116,24 +124,34 @@ SSL *s;
s->session=NULL;
}
- s->shutdown=(SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN);
s->first_packet=0;
- s->method->ssl_clear(s);
+#if 1
+ /* Check to see if we were changed into a different method, if
+ * so, revert back if we are not doing session-id reuse. */
+ if ((s->session == NULL) && (s->method != s->ctx->method))
+ {
+ s->method->ssl_free(s);
+ s->method=s->ctx->method;
+ if (!s->method->ssl_new(s))
+ return(0);
+ }
+ else
+#endif
+ s->method->ssl_clear(s);
+ return(1);
}
-/* Used to change an SSL_CTXs default SSL method type */
-int SSL_CTX_set_ssl_version(ctx,meth)
-SSL_CTX *ctx;
-SSL_METHOD *meth;
+/** Used to change an SSL_CTXs default SSL method type */
+int SSL_CTX_set_ssl_version(SSL_CTX *ctx,SSL_METHOD *meth)
{
- STACK *sk;
+ STACK_OF(SSL_CIPHER) *sk;
ctx->method=meth;
sk=ssl_create_cipher_list(ctx->method,&(ctx->cipher_list),
&(ctx->cipher_list_by_id),SSL_DEFAULT_CIPHER_LIST);
- if ((sk == NULL) || (sk_num(sk) <= 0))
+ if ((sk == NULL) || (sk_SSL_CIPHER_num(sk) <= 0))
{
SSLerr(SSL_F_SSL_CTX_SET_SSL_VERSION,SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS);
return(0);
@@ -141,8 +159,7 @@ SSL_METHOD *meth;
return(1);
}
-SSL *SSL_new(ctx)
-SSL_CTX *ctx;
+SSL *SSL_new(SSL_CTX *ctx)
{
SSL *s;
@@ -161,15 +178,28 @@ SSL_CTX *ctx;
if (s == NULL) goto err;
memset(s,0,sizeof(SSL));
- if (ctx->default_cert != NULL)
+ if (ctx->cert != NULL)
{
- CRYPTO_add(&ctx->default_cert->references,1,
- CRYPTO_LOCK_SSL_CERT);
- s->cert=ctx->default_cert;
+ /* Earlier library versions used to copy the pointer to
+ * the CERT, not its contents; only when setting new
+ * parameters for the per-SSL copy, ssl_cert_new would be
+ * called (and the direct reference to the per-SSL_CTX
+ * settings would be lost, but those still were indirectly
+ * accessed for various purposes, and for that reason they
+ * used to be known as s->ctx->default_cert).
+ * Now we don't look at the SSL_CTX's CERT after having
+ * duplicated it once. */
+
+ s->cert = ssl_cert_dup(ctx->cert);
+ if (s->cert == NULL)
+ goto err;
}
else
- s->cert=NULL;
- s->verify_mode=ctx->default_verify_mode;
+ s->cert=NULL; /* Cannot really happen (see SSL_CTX_new) */
+ s->sid_ctx_length=ctx->sid_ctx_length;
+ memcpy(&s->sid_ctx,&ctx->sid_ctx,sizeof(s->sid_ctx));
+ s->verify_mode=ctx->verify_mode;
+ s->verify_depth=ctx->verify_depth;
s->verify_callback=ctx->default_verify_callback;
CRYPTO_add(&ctx->references,1,CRYPTO_LOCK_SSL_CTX);
s->ctx=ctx;
@@ -179,30 +209,66 @@ SSL_CTX *ctx;
s->method=ctx->method;
if (!s->method->ssl_new(s))
- {
- SSL_CTX_free(ctx);
- Free(s);
goto err;
- }
s->quiet_shutdown=ctx->quiet_shutdown;
s->references=1;
+ s->server=(ctx->method->ssl_accept == ssl_undefined_function)?0:1;
s->options=ctx->options;
+ s->mode=ctx->mode;
SSL_clear(s);
CRYPTO_new_ex_data(ssl_meth,(char *)s,&s->ex_data);
return(s);
err:
+ if (s != NULL)
+ {
+ if (s->cert != NULL)
+ ssl_cert_free(s->cert);
+ if (s->ctx != NULL)
+ SSL_CTX_free(s->ctx); /* decrement reference count */
+ Free(s);
+ }
SSLerr(SSL_F_SSL_NEW,ERR_R_MALLOC_FAILURE);
return(NULL);
}
-void SSL_free(s)
-SSL *s;
+int SSL_CTX_set_session_id_context(SSL_CTX *ctx,const unsigned char *sid_ctx,
+ unsigned int sid_ctx_len)
+ {
+ if(sid_ctx_len > SSL_MAX_SID_CTX_LENGTH)
+ {
+ SSLerr(SSL_F_SSL_CTX_SET_SESSION_ID_CONTEXT,SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG);
+ return 0;
+ }
+ ctx->sid_ctx_length=sid_ctx_len;
+ memcpy(ctx->sid_ctx,sid_ctx,sid_ctx_len);
+
+ return 1;
+ }
+
+int SSL_set_session_id_context(SSL *ssl,const unsigned char *sid_ctx,
+ unsigned int sid_ctx_len)
+ {
+ if(sid_ctx_len > SSL_MAX_SID_CTX_LENGTH)
+ {
+ SSLerr(SSL_F_SSL_SET_SESSION_ID_CONTEXT,SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG);
+ return 0;
+ }
+ ssl->sid_ctx_length=sid_ctx_len;
+ memcpy(ssl->sid_ctx,sid_ctx,sid_ctx_len);
+
+ return 1;
+ }
+
+void SSL_free(SSL *s)
{
int i;
+ if(s == NULL)
+ return;
+
i=CRYPTO_add(&s->references,-1,CRYPTO_LOCK_SSL);
#ifdef REF_PRINT
REF_PRINT("SSL",s);
@@ -236,8 +302,8 @@ SSL *s;
if (s->init_buf != NULL) BUF_MEM_free(s->init_buf);
/* add extra stuff */
- if (s->cipher_list != NULL) sk_free(s->cipher_list);
- if (s->cipher_list_by_id != NULL) sk_free(s->cipher_list_by_id);
+ if (s->cipher_list != NULL) sk_SSL_CIPHER_free(s->cipher_list);
+ if (s->cipher_list_by_id != NULL) sk_SSL_CIPHER_free(s->cipher_list_by_id);
/* Make the next call work :-) */
if (s->session != NULL)
@@ -254,17 +320,14 @@ SSL *s;
if (s->ctx) SSL_CTX_free(s->ctx);
if (s->client_CA != NULL)
- sk_pop_free(s->client_CA,X509_NAME_free);
+ sk_X509_NAME_pop_free(s->client_CA,X509_NAME_free);
if (s->method != NULL) s->method->ssl_free(s);
Free((char *)s);
}
-void SSL_set_bio(s, rbio,wbio)
-SSL *s;
-BIO *rbio;
-BIO *wbio;
+void SSL_set_bio(SSL *s,BIO *rbio,BIO *wbio)
{
/* If the output buffering BIO is still in place, remove it
*/
@@ -284,16 +347,13 @@ BIO *wbio;
s->wbio=wbio;
}
-BIO *SSL_get_rbio(s)
-SSL *s;
+BIO *SSL_get_rbio(SSL *s)
{ return(s->rbio); }
-BIO *SSL_get_wbio(s)
-SSL *s;
+BIO *SSL_get_wbio(SSL *s)
{ return(s->wbio); }
-int SSL_get_fd(s)
-SSL *s;
+int SSL_get_fd(SSL *s)
{
int ret= -1;
BIO *b,*r;
@@ -306,9 +366,7 @@ SSL *s;
}
#ifndef NO_SOCK
-int SSL_set_fd(s, fd)
-SSL *s;
-int fd;
+int SSL_set_fd(SSL *s,int fd)
{
int ret=0;
BIO *bio=NULL;
@@ -327,9 +385,7 @@ err:
return(ret);
}
-int SSL_set_wfd(s, fd)
-SSL *s;
-int fd;
+int SSL_set_wfd(SSL *s,int fd)
{
int ret=0;
BIO *bio=NULL;
@@ -351,9 +407,7 @@ err:
return(ret);
}
-int SSL_set_rfd(s, fd)
-SSL *s;
-int fd;
+int SSL_set_rfd(SSL *s,int fd)
{
int ret=0;
BIO *bio=NULL;
@@ -379,61 +433,65 @@ err:
}
#endif
-int SSL_get_verify_mode(s)
-SSL *s;
+int SSL_get_verify_mode(SSL *s)
{
return(s->verify_mode);
}
-int (*SSL_get_verify_callback(s))()
-SSL *s;
+int SSL_get_verify_depth(SSL *s)
+ {
+ return(s->verify_depth);
+ }
+
+int (*SSL_get_verify_callback(SSL *s))(int,X509_STORE_CTX *)
{
return(s->verify_callback);
}
-int SSL_CTX_get_verify_mode(ctx)
-SSL_CTX *ctx;
+int SSL_CTX_get_verify_mode(SSL_CTX *ctx)
+ {
+ return(ctx->verify_mode);
+ }
+
+int SSL_CTX_get_verify_depth(SSL_CTX *ctx)
{
- return(ctx->default_verify_mode);
+ return(ctx->verify_depth);
}
-int (*SSL_CTX_get_verify_callback(ctx))()
-SSL_CTX *ctx;
+int (*SSL_CTX_get_verify_callback(SSL_CTX *ctx))(int,X509_STORE_CTX *)
{
return(ctx->default_verify_callback);
}
-void SSL_set_verify(s, mode, callback)
-SSL *s;
-int mode;
-int (*callback)();
+void SSL_set_verify(SSL *s,int mode,
+ int (*callback)(int ok,X509_STORE_CTX *ctx))
{
s->verify_mode=mode;
if (callback != NULL)
s->verify_callback=callback;
}
-void SSL_set_read_ahead(s, yes)
-SSL *s;
-int yes;
+void SSL_set_verify_depth(SSL *s,int depth)
+ {
+ s->verify_depth=depth;
+ }
+
+void SSL_set_read_ahead(SSL *s,int yes)
{
s->read_ahead=yes;
}
-int SSL_get_read_ahead(s)
-SSL *s;
+int SSL_get_read_ahead(SSL *s)
{
return(s->read_ahead);
}
-int SSL_pending(s)
-SSL *s;
+int SSL_pending(SSL *s)
{
return(s->method->ssl_pending(s));
}
-X509 *SSL_get_peer_certificate(s)
-SSL *s;
+X509 *SSL_get_peer_certificate(SSL *s)
{
X509 *r;
@@ -449,23 +507,21 @@ SSL *s;
return(r);
}
-STACK *SSL_get_peer_cert_chain(s)
-SSL *s;
+STACK_OF(X509) *SSL_get_peer_cert_chain(SSL *s)
{
- STACK *r;
+ STACK_OF(X509) *r;
- if ((s == NULL) || (s->session == NULL) || (s->session->cert == NULL))
+ if ((s == NULL) || (s->session == NULL) || (s->session->sess_cert == NULL))
r=NULL;
else
- r=s->session->cert->cert_chain;
+ r=s->session->sess_cert->cert_chain;
return(r);
}
/* Now in theory, since the calling process own 't' it should be safe to
* modify. We need to be able to read f without being hassled */
-void SSL_copy_session_id(t,f)
-SSL *t,*f;
+void SSL_copy_session_id(SSL *t,SSL *f)
{
CERT *tmp;
@@ -490,30 +546,29 @@ SSL *t,*f;
else
t->cert=NULL;
if (tmp != NULL) ssl_cert_free(tmp);
+ SSL_set_session_id_context(t,f->sid_ctx,f->sid_ctx_length);
}
/* Fix this so it checks all the valid key/cert options */
-int SSL_CTX_check_private_key(ctx)
-SSL_CTX *ctx;
+int SSL_CTX_check_private_key(SSL_CTX *ctx)
{
if ( (ctx == NULL) ||
- (ctx->default_cert == NULL) ||
- (ctx->default_cert->key->x509 == NULL))
+ (ctx->cert == NULL) ||
+ (ctx->cert->key->x509 == NULL))
{
SSLerr(SSL_F_SSL_CTX_CHECK_PRIVATE_KEY,SSL_R_NO_CERTIFICATE_ASSIGNED);
return(0);
}
- if (ctx->default_cert->key->privatekey == NULL)
+ if (ctx->cert->key->privatekey == NULL)
{
SSLerr(SSL_F_SSL_CTX_CHECK_PRIVATE_KEY,SSL_R_NO_PRIVATE_KEY_ASSIGNED);
return(0);
}
- return(X509_check_private_key(ctx->default_cert->key->x509, ctx->default_cert->key->privatekey));
+ return(X509_check_private_key(ctx->cert->key->x509, ctx->cert->key->privatekey));
}
/* Fix this function so that it takes an optional type parameter */
-int SSL_check_private_key(ssl)
-SSL *ssl;
+int SSL_check_private_key(SSL *ssl)
{
if (ssl == NULL)
{
@@ -521,7 +576,10 @@ SSL *ssl;
return(0);
}
if (ssl->cert == NULL)
- return(SSL_CTX_check_private_key(ssl->ctx));
+ {
+ SSLerr(SSL_F_SSL_CHECK_PRIVATE_KEY,SSL_R_NO_CERTIFICATE_ASSIGNED);
+ return 0;
+ }
if (ssl->cert->key->x509 == NULL)
{
SSLerr(SSL_F_SSL_CHECK_PRIVATE_KEY,SSL_R_NO_CERTIFICATE_ASSIGNED);
@@ -536,29 +594,37 @@ SSL *ssl;
ssl->cert->key->privatekey));
}
-int SSL_accept(s)
-SSL *s;
+int SSL_accept(SSL *s)
{
+ if (s->handshake_func == 0)
+ /* Not properly initialized yet */
+ SSL_set_accept_state(s);
+
return(s->method->ssl_accept(s));
}
-int SSL_connect(s)
-SSL *s;
+int SSL_connect(SSL *s)
{
+ if (s->handshake_func == 0)
+ /* Not properly initialized yet */
+ SSL_set_connect_state(s);
+
return(s->method->ssl_connect(s));
}
-long SSL_get_default_timeout(s)
-SSL *s;
+long SSL_get_default_timeout(SSL *s)
{
return(s->method->get_timeout());
}
-int SSL_read(s,buf,num)
-SSL *s;
-char *buf;
-int num;
+int SSL_read(SSL *s,char *buf,int num)
{
+ if (s->handshake_func == 0)
+ {
+ SSLerr(SSL_F_SSL_READ, SSL_R_UNINITIALIZED);
+ return -1;
+ }
+
if (s->shutdown & SSL_RECEIVED_SHUTDOWN)
{
s->rwstate=SSL_NOTHING;
@@ -567,10 +633,7 @@ int num;
return(s->method->ssl_read(s,buf,num));
}
-int SSL_peek(s,buf,num)
-SSL *s;
-char *buf;
-int num;
+int SSL_peek(SSL *s,char *buf,int num)
{
if (s->shutdown & SSL_RECEIVED_SHUTDOWN)
{
@@ -579,11 +642,14 @@ int num;
return(s->method->ssl_peek(s,buf,num));
}
-int SSL_write(s,buf,num)
-SSL *s;
-char *buf;
-int num;
+int SSL_write(SSL *s,const char *buf,int num)
{
+ if (s->handshake_func == 0)
+ {
+ SSLerr(SSL_F_SSL_WRITE, SSL_R_UNINITIALIZED);
+ return -1;
+ }
+
if (s->shutdown & SSL_SENT_SHUTDOWN)
{
s->rwstate=SSL_NOTHING;
@@ -593,42 +659,113 @@ int num;
return(s->method->ssl_write(s,buf,num));
}
-int SSL_shutdown(s)
-SSL *s;
+int SSL_shutdown(SSL *s)
{
+ /* Note that this function behaves differently from what one might
+ * expect. Return values are 0 for no success (yet),
+ * 1 for success; but calling it once is usually not enough,
+ * even if blocking I/O is used (see ssl3_shutdown).
+ */
+
+ if (s->handshake_func == 0)
+ {
+ SSLerr(SSL_F_SSL_SHUTDOWN, SSL_R_UNINITIALIZED);
+ return -1;
+ }
+
if ((s != NULL) && !SSL_in_init(s))
return(s->method->ssl_shutdown(s));
else
return(1);
}
-int SSL_renegotiate(s)
-SSL *s;
+int SSL_renegotiate(SSL *s)
{
s->new_session=1;
return(s->method->ssl_renegotiate(s));
}
-long SSL_ctrl(s,cmd,larg,parg)
-SSL *s;
-int cmd;
-long larg;
-char *parg;
+long SSL_ctrl(SSL *s,int cmd,long larg,char *parg)
{
- return(s->method->ssl_ctrl(s,cmd,larg,parg));
+ long l;
+
+ switch (cmd)
+ {
+ case SSL_CTRL_GET_READ_AHEAD:
+ return(s->read_ahead);
+ case SSL_CTRL_SET_READ_AHEAD:
+ l=s->read_ahead;
+ s->read_ahead=larg;
+ return(l);
+ case SSL_CTRL_OPTIONS:
+ return(s->options|=larg);
+ case SSL_CTRL_MODE:
+ return(s->mode|=larg);
+ default:
+ return(s->method->ssl_ctrl(s,cmd,larg,parg));
+ }
}
-long SSL_CTX_ctrl(ctx,cmd,larg,parg)
-SSL_CTX *ctx;
-int cmd;
-long larg;
-char *parg;
+long SSL_CTX_ctrl(SSL_CTX *ctx,int cmd,long larg,char *parg)
{
- return(ctx->method->ssl_ctx_ctrl(ctx,cmd,larg,parg));
- }
+ long l;
-int ssl_cipher_id_cmp(a,b)
-SSL_CIPHER *a,*b;
+ switch (cmd)
+ {
+ case SSL_CTRL_GET_READ_AHEAD:
+ return(ctx->read_ahead);
+ case SSL_CTRL_SET_READ_AHEAD:
+ l=ctx->read_ahead;
+ ctx->read_ahead=larg;
+ return(l);
+
+ case SSL_CTRL_SET_SESS_CACHE_SIZE:
+ l=ctx->session_cache_size;
+ ctx->session_cache_size=larg;
+ return(l);
+ case SSL_CTRL_GET_SESS_CACHE_SIZE:
+ return(ctx->session_cache_size);
+ case SSL_CTRL_SET_SESS_CACHE_MODE:
+ l=ctx->session_cache_mode;
+ ctx->session_cache_mode=larg;
+ return(l);
+ case SSL_CTRL_GET_SESS_CACHE_MODE:
+ return(ctx->session_cache_mode);
+
+ case SSL_CTRL_SESS_NUMBER:
+ return(ctx->sessions->num_items);
+ case SSL_CTRL_SESS_CONNECT:
+ return(ctx->stats.sess_connect);
+ case SSL_CTRL_SESS_CONNECT_GOOD:
+ return(ctx->stats.sess_connect_good);
+ case SSL_CTRL_SESS_CONNECT_RENEGOTIATE:
+ return(ctx->stats.sess_connect_renegotiate);
+ case SSL_CTRL_SESS_ACCEPT:
+ return(ctx->stats.sess_accept);
+ case SSL_CTRL_SESS_ACCEPT_GOOD:
+ return(ctx->stats.sess_accept_good);
+ case SSL_CTRL_SESS_ACCEPT_RENEGOTIATE:
+ return(ctx->stats.sess_accept_renegotiate);
+ case SSL_CTRL_SESS_HIT:
+ return(ctx->stats.sess_hit);
+ case SSL_CTRL_SESS_CB_HIT:
+ return(ctx->stats.sess_cb_hit);
+ case SSL_CTRL_SESS_MISSES:
+ return(ctx->stats.sess_miss);
+ case SSL_CTRL_SESS_TIMEOUTS:
+ return(ctx->stats.sess_timeout);
+ case SSL_CTRL_SESS_CACHE_FULL:
+ return(ctx->stats.sess_cache_full);
+ case SSL_CTRL_OPTIONS:
+ return(ctx->options|=larg);
+ case SSL_CTRL_MODE:
+ return(ctx->mode|=larg);
+ default:
+ return(ctx->method->ssl_ctx_ctrl(ctx,cmd,larg,parg));
+ }
+ }
+
+int ssl_cipher_id_cmp(SSL_CIPHER *a,SSL_CIPHER *b)
{
long l;
@@ -639,8 +776,7 @@ SSL_CIPHER *a,*b;
return((l > 0)?1:-1);
}
-int ssl_cipher_ptr_id_cmp(ap,bp)
-SSL_CIPHER **ap,**bp;
+int ssl_cipher_ptr_id_cmp(SSL_CIPHER **ap,SSL_CIPHER **bp)
{
long l;
@@ -651,10 +787,9 @@ SSL_CIPHER **ap,**bp;
return((l > 0)?1:-1);
}
-/* return a STACK of the ciphers available for the SSL and in order of
+/** return a STACK of the ciphers available for the SSL and in order of
* preference */
-STACK *SSL_get_ciphers(s)
-SSL *s;
+STACK_OF(SSL_CIPHER) *SSL_get_ciphers(SSL *s)
{
if ((s != NULL) && (s->cipher_list != NULL))
{
@@ -668,10 +803,9 @@ SSL *s;
return(NULL);
}
-/* return a STACK of the ciphers available for the SSL and in order of
+/** return a STACK of the ciphers available for the SSL and in order of
* algorithm id */
-STACK *ssl_get_ciphers_by_id(s)
-SSL *s;
+STACK_OF(SSL_CIPHER) *ssl_get_ciphers_by_id(SSL *s)
{
if ((s != NULL) && (s->cipher_list_by_id != NULL))
{
@@ -685,29 +819,25 @@ SSL *s;
return(NULL);
}
-/* The old interface to get the same thing as SSL_get_ciphers() */
-char *SSL_get_cipher_list(s,n)
-SSL *s;
-int n;
+/** The old interface to get the same thing as SSL_get_ciphers() */
+const char *SSL_get_cipher_list(SSL *s,int n)
{
SSL_CIPHER *c;
- STACK *sk;
+ STACK_OF(SSL_CIPHER) *sk;
if (s == NULL) return(NULL);
sk=SSL_get_ciphers(s);
- if ((sk == NULL) || (sk_num(sk) <= n))
+ if ((sk == NULL) || (sk_SSL_CIPHER_num(sk) <= n))
return(NULL);
- c=(SSL_CIPHER *)sk_value(sk,n);
+ c=sk_SSL_CIPHER_value(sk,n);
if (c == NULL) return(NULL);
return(c->name);
}
-/* specify the ciphers to be used by defaut by the SSL_CTX */
-int SSL_CTX_set_cipher_list(ctx,str)
-SSL_CTX *ctx;
-char *str;
+/** specify the ciphers to be used by defaut by the SSL_CTX */
+int SSL_CTX_set_cipher_list(SSL_CTX *ctx,char *str)
{
- STACK *sk;
+ STACK_OF(SSL_CIPHER) *sk;
sk=ssl_create_cipher_list(ctx->method,&ctx->cipher_list,
&ctx->cipher_list_by_id,str);
@@ -715,12 +845,10 @@ char *str;
return((sk == NULL)?0:1);
}
-/* specify the ciphers to be used by the SSL */
-int SSL_set_cipher_list(s, str)
-SSL *s;
-char *str;
+/** specify the ciphers to be used by the SSL */
+int SSL_set_cipher_list(SSL *s,char *str)
{
- STACK *sk;
+ STACK_OF(SSL_CIPHER) *sk;
sk=ssl_create_cipher_list(s->ctx->method,&s->cipher_list,
&s->cipher_list_by_id,str);
@@ -729,13 +857,11 @@ char *str;
}
/* works well for SSLv2, not so good for SSLv3 */
-char *SSL_get_shared_ciphers(s,buf,len)
-SSL *s;
-char *buf;
-int len;
+char *SSL_get_shared_ciphers(SSL *s,char *buf,int len)
{
- char *p,*cp;
- STACK *sk;
+ char *p;
+ const char *cp;
+ STACK_OF(SSL_CIPHER) *sk;
SSL_CIPHER *c;
int i;
@@ -745,11 +871,11 @@ int len;
p=buf;
sk=s->session->ciphers;
- for (i=0; i<sk_num(sk); i++)
+ for (i=0; i<sk_SSL_CIPHER_num(sk); i++)
{
/* Decrement for either the ':' or a '\0' */
len--;
- c=(SSL_CIPHER *)sk_value(sk,i);
+ c=sk_SSL_CIPHER_value(sk,i);
for (cp=c->name; *cp; )
{
if (len-- == 0)
@@ -766,10 +892,7 @@ int len;
return(buf);
}
-int ssl_cipher_list_to_bytes(s,sk,p)
-SSL *s;
-STACK *sk;
-unsigned char *p;
+int ssl_cipher_list_to_bytes(SSL *s,STACK_OF(SSL_CIPHER) *sk,unsigned char *p)
{
int i,j=0;
SSL_CIPHER *c;
@@ -778,23 +901,20 @@ unsigned char *p;
if (sk == NULL) return(0);
q=p;
- for (i=0; i<sk_num(sk); i++)
+ for (i=0; i<sk_SSL_CIPHER_num(sk); i++)
{
- c=(SSL_CIPHER *)sk_value(sk,i);
+ c=sk_SSL_CIPHER_value(sk,i);
j=ssl_put_cipher_by_char(s,c,p);
p+=j;
}
return(p-q);
}
-STACK *ssl_bytes_to_cipher_list(s,p,num,skp)
-SSL *s;
-unsigned char *p;
-int num;
-STACK **skp;
+STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s,unsigned char *p,int num,
+ STACK_OF(SSL_CIPHER) **skp)
{
SSL_CIPHER *c;
- STACK *sk;
+ STACK_OF(SSL_CIPHER) *sk;
int i,n;
n=ssl_put_cipher_by_char(s,NULL,NULL);
@@ -804,11 +924,11 @@ STACK **skp;
return(NULL);
}
if ((skp == NULL) || (*skp == NULL))
- sk=sk_new(NULL); /* change perhaps later */
+ sk=sk_SSL_CIPHER_new(NULL); /* change perhaps later */
else
{
sk= *skp;
- sk_zero(sk);
+ sk_SSL_CIPHER_zero(sk);
}
for (i=0; i<num; i+=n)
@@ -817,7 +937,7 @@ STACK **skp;
p+=n;
if (c != NULL)
{
- if (!sk_push(sk,(char *)c))
+ if (!sk_SSL_CIPHER_push(sk,c))
{
SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,ERR_R_MALLOC_FAILURE);
goto err;
@@ -830,23 +950,23 @@ STACK **skp;
return(sk);
err:
if ((skp == NULL) || (*skp == NULL))
- sk_free(sk);
+ sk_SSL_CIPHER_free(sk);
return(NULL);
}
-unsigned long SSL_SESSION_hash(a)
-SSL_SESSION *a;
+unsigned long SSL_SESSION_hash(SSL_SESSION *a)
{
unsigned long l;
- l= (a->session_id[0] )|(a->session_id[1]<< 8L)|
- (a->session_id[2]<<16L)|(a->session_id[3]<<24L);
+ l=(unsigned long)
+ ((unsigned int) a->session_id[0] )|
+ ((unsigned int) a->session_id[1]<< 8L)|
+ ((unsigned long)a->session_id[2]<<16L)|
+ ((unsigned long)a->session_id[3]<<24L);
return(l);
}
-int SSL_SESSION_cmp(a, b)
-SSL_SESSION *a;
-SSL_SESSION *b;
+int SSL_SESSION_cmp(SSL_SESSION *a,SSL_SESSION *b)
{
if (a->ssl_version != b->ssl_version)
return(1);
@@ -855,16 +975,21 @@ SSL_SESSION *b;
return(memcmp(a->session_id,b->session_id,a->session_id_length));
}
-SSL_CTX *SSL_CTX_new(meth)
-SSL_METHOD *meth;
+SSL_CTX *SSL_CTX_new(SSL_METHOD *meth)
{
- SSL_CTX *ret;
+ SSL_CTX *ret=NULL;
if (meth == NULL)
{
SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_NULL_SSL_METHOD_PASSED);
return(NULL);
}
+
+ if (SSL_get_ex_data_X509_STORE_CTX_idx() < 0)
+ {
+ SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_X509_VERIFICATION_SETUP_PROBLEMS);
+ goto err;
+ }
ret=(SSL_CTX *)Malloc(sizeof(SSL_CTX));
if (ret == NULL)
goto err;
@@ -886,17 +1011,7 @@ SSL_METHOD *meth;
ret->remove_session_cb=NULL;
ret->get_session_cb=NULL;
- ret->sess_connect=0;
- ret->sess_connect_good=0;
- ret->sess_accept=0;
- ret->sess_accept_renegotiate=0;
- ret->sess_connect_renegotiate=0;
- ret->sess_accept_good=0;
- ret->sess_miss=0;
- ret->sess_timeout=0;
- ret->sess_cache_full=0;
- ret->sess_hit=0;
- ret->sess_cb_hit=0;
+ memset((char *)&ret->stats,0,sizeof(ret->stats));
ret->references=1;
ret->quiet_shutdown=0;
@@ -912,13 +1027,15 @@ SSL_METHOD *meth;
ret->app_verify_callback=NULL;
ret->app_verify_arg=NULL;
- ret->default_read_ahead=0;
- ret->default_verify_mode=SSL_VERIFY_NONE;
+ ret->read_ahead=0;
+ ret->verify_mode=SSL_VERIFY_NONE;
+ ret->verify_depth=-1; /* Don't impose a limit (but x509_lu.c does) */
ret->default_verify_callback=NULL;
- if ((ret->default_cert=ssl_cert_new()) == NULL)
+ if ((ret->cert=ssl_cert_new()) == NULL)
goto err;
ret->default_passwd_callback=NULL;
+ ret->default_passwd_callback_userdata=NULL;
ret->client_cert_cb=NULL;
ret->sessions=lh_new(SSL_SESSION_hash,SSL_SESSION_cmp);
@@ -929,7 +1046,8 @@ SSL_METHOD *meth;
ssl_create_cipher_list(ret->method,
&ret->cipher_list,&ret->cipher_list_by_id,
SSL_DEFAULT_CIPHER_LIST);
- if ((ret->cipher_list == NULL) || (sk_num(ret->cipher_list) <= 0))
+ if (ret->cipher_list == NULL
+ || sk_SSL_CIPHER_num(ret->cipher_list) <= 0)
{
SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_LIBRARY_HAS_NO_CIPHERS);
goto err2;
@@ -951,11 +1069,14 @@ SSL_METHOD *meth;
goto err2;
}
- if ((ret->client_CA=sk_new_null()) == NULL)
+ if ((ret->client_CA=sk_X509_NAME_new_null()) == NULL)
goto err;
CRYPTO_new_ex_data(ssl_ctx_meth,(char *)ret,&ret->ex_data);
+ ret->extra_certs=NULL;
+ ret->comp_methods=SSL_COMP_get_compression_methods();
+
return(ret);
err:
SSLerr(SSL_F_SSL_CTX_NEW,ERR_R_MALLOC_FAILURE);
@@ -964,8 +1085,10 @@ err2:
return(NULL);
}
-void SSL_CTX_free(a)
-SSL_CTX *a;
+static void SSL_COMP_free(SSL_COMP *comp)
+ { Free(comp); }
+
+void SSL_CTX_free(SSL_CTX *a)
{
int i;
@@ -993,96 +1116,108 @@ SSL_CTX *a;
if (a->cert_store != NULL)
X509_STORE_free(a->cert_store);
if (a->cipher_list != NULL)
- sk_free(a->cipher_list);
+ sk_SSL_CIPHER_free(a->cipher_list);
if (a->cipher_list_by_id != NULL)
- sk_free(a->cipher_list_by_id);
- if (a->default_cert != NULL)
- ssl_cert_free(a->default_cert);
+ sk_SSL_CIPHER_free(a->cipher_list_by_id);
+ if (a->cert != NULL)
+ ssl_cert_free(a->cert);
if (a->client_CA != NULL)
- sk_pop_free(a->client_CA,X509_NAME_free);
+ sk_X509_NAME_pop_free(a->client_CA,X509_NAME_free);
+ if (a->extra_certs != NULL)
+ sk_X509_pop_free(a->extra_certs,X509_free);
+ if (a->comp_methods != NULL)
+ sk_SSL_COMP_pop_free(a->comp_methods,SSL_COMP_free);
Free((char *)a);
}
-void SSL_CTX_set_default_passwd_cb(ctx,cb)
-SSL_CTX *ctx;
-int (*cb)();
+void SSL_CTX_set_default_passwd_cb(SSL_CTX *ctx, pem_password_cb *cb)
{
ctx->default_passwd_callback=cb;
}
-void SSL_CTX_set_cert_verify_cb(ctx,cb,arg)
-SSL_CTX *ctx;
-int (*cb)();
-char *arg;
+void SSL_CTX_set_default_passwd_cb_userdata(SSL_CTX *ctx,void *u)
{
+ ctx->default_passwd_callback_userdata=u;
+ }
+
+void SSL_CTX_set_cert_verify_callback(SSL_CTX *ctx,int (*cb)(),char *arg)
+ {
+ /* now
+ * int (*cb)(X509_STORE_CTX *),
+ * but should be
+ * int (*cb)(X509_STORE_CTX *, void *arg)
+ */
ctx->app_verify_callback=cb;
- ctx->app_verify_arg=arg;
+ ctx->app_verify_arg=arg; /* never used */
}
-void SSL_CTX_set_verify(ctx,mode,cb)
-SSL_CTX *ctx;
-int mode;
-int (*cb)();
+void SSL_CTX_set_verify(SSL_CTX *ctx,int mode,int (*cb)(int, X509_STORE_CTX *))
{
- ctx->default_verify_mode=mode;
+ ctx->verify_mode=mode;
ctx->default_verify_callback=cb;
/* This needs cleaning up EAY EAY EAY */
X509_STORE_set_verify_cb_func(ctx->cert_store,cb);
}
-void ssl_set_cert_masks(c)
-CERT *c;
+void SSL_CTX_set_verify_depth(SSL_CTX *ctx,int depth)
+ {
+ ctx->verify_depth=depth;
+ }
+
+void ssl_set_cert_masks(CERT *c, SSL_CIPHER *cipher)
{
CERT_PKEY *cpk;
int rsa_enc,rsa_tmp,rsa_sign,dh_tmp,dh_rsa,dh_dsa,dsa_sign;
int rsa_enc_export,dh_rsa_export,dh_dsa_export;
- int rsa_tmp_export,dh_tmp_export;
+ int rsa_tmp_export,dh_tmp_export,kl;
unsigned long mask,emask;
- if ((c == NULL) || (c->valid)) return;
+ if (c == NULL) return;
+
+ kl=SSL_C_EXPORT_PKEYLENGTH(cipher);
#ifndef NO_RSA
- rsa_tmp=((c->rsa_tmp != NULL) || (c->rsa_tmp_cb != NULL))?1:0;
- rsa_tmp_export=((c->rsa_tmp_cb != NULL) ||
- (rsa_tmp && (RSA_size(c->rsa_tmp)*8 <= 512)))?1:0;
+ rsa_tmp=(c->rsa_tmp != NULL || c->rsa_tmp_cb != NULL);
+ rsa_tmp_export=(c->rsa_tmp_cb != NULL ||
+ (rsa_tmp && RSA_size(c->rsa_tmp)*8 <= kl));
#else
rsa_tmp=rsa_tmp_export=0;
#endif
#ifndef NO_DH
- dh_tmp=((c->dh_tmp != NULL) || (c->dh_tmp_cb != NULL))?1:0;
- dh_tmp_export=((c->dh_tmp_cb != NULL) ||
- (dh_tmp && (DH_size(c->dh_tmp)*8 <= 512)))?1:0;
+ dh_tmp=(c->dh_tmp != NULL || c->dh_tmp_cb != NULL);
+ dh_tmp_export=(c->dh_tmp_cb != NULL ||
+ (dh_tmp && DH_size(c->dh_tmp)*8 <= kl));
#else
dh_tmp=dh_tmp_export=0;
#endif
cpk= &(c->pkeys[SSL_PKEY_RSA_ENC]);
- rsa_enc= ((cpk->x509 != NULL) && (cpk->privatekey != NULL))?1:0;
- rsa_enc_export=(rsa_enc && (EVP_PKEY_size(cpk->privatekey)*8 <= 512))?1:0;
+ rsa_enc= (cpk->x509 != NULL && cpk->privatekey != NULL);
+ rsa_enc_export=(rsa_enc && EVP_PKEY_size(cpk->privatekey)*8 <= kl);
cpk= &(c->pkeys[SSL_PKEY_RSA_SIGN]);
- rsa_sign=((cpk->x509 != NULL) && (cpk->privatekey != NULL))?1:0;
+ rsa_sign=(cpk->x509 != NULL && cpk->privatekey != NULL);
cpk= &(c->pkeys[SSL_PKEY_DSA_SIGN]);
- dsa_sign=((cpk->x509 != NULL) && (cpk->privatekey != NULL))?1:0;
+ dsa_sign=(cpk->x509 != NULL && cpk->privatekey != NULL);
cpk= &(c->pkeys[SSL_PKEY_DH_RSA]);
- dh_rsa= ((cpk->x509 != NULL) && (cpk->privatekey != NULL))?1:0;
- dh_rsa_export=(dh_rsa && (EVP_PKEY_size(cpk->privatekey)*8 <= 512))?1:0;
+ dh_rsa= (cpk->x509 != NULL && cpk->privatekey != NULL);
+ dh_rsa_export=(dh_rsa && EVP_PKEY_size(cpk->privatekey)*8 <= kl);
cpk= &(c->pkeys[SSL_PKEY_DH_DSA]);
/* FIX THIS EAY EAY EAY */
- dh_dsa= ((cpk->x509 != NULL) && (cpk->privatekey != NULL))?1:0;
- dh_dsa_export=(dh_dsa && (EVP_PKEY_size(cpk->privatekey)*8 <= 512))?1:0;
+ dh_dsa= (cpk->x509 != NULL && cpk->privatekey != NULL);
+ dh_dsa_export=(dh_dsa && EVP_PKEY_size(cpk->privatekey)*8 <= kl);
mask=0;
emask=0;
#ifdef CIPHER_DEBUG
- printf("rt=%d dht=%d re=%d rs=%d ds=%d dhr=%d dhd=%d\n",
- rsa_tmp,dh_tmp,
- rsa_enc,rsa_sign,dsa_sign,dh_rsa,dh_dsa);
+ printf("rt=%d rte=%d dht=%d re=%d ree=%d rs=%d ds=%d dhr=%d dhd=%d\n",
+ rsa_tmp,rsa_tmp_export,dh_tmp,
+ rsa_enc,rsa_enc_export,rsa_sign,dsa_sign,dh_rsa,dh_dsa);
#endif
if (rsa_enc || (rsa_tmp && rsa_sign))
mask|=SSL_kRSA;
- if (rsa_enc_export || (rsa_tmp_export && rsa_sign))
+ if (rsa_enc_export || (rsa_tmp_export && (rsa_sign || rsa_enc)))
emask|=SSL_kRSA;
#if 0
@@ -1130,18 +1265,17 @@ CERT *c;
}
/* THIS NEEDS CLEANING UP */
-X509 *ssl_get_server_send_cert(s)
-SSL *s;
+X509 *ssl_get_server_send_cert(SSL *s)
{
unsigned long alg,mask,kalg;
CERT *c;
- int i,export;
+ int i,is_export;
c=s->cert;
- ssl_set_cert_masks(c);
+ ssl_set_cert_masks(c, s->s3->tmp.new_cipher);
alg=s->s3->tmp.new_cipher->algorithms;
- export=(alg & SSL_EXPORT)?1:0;
- mask=(export)?c->export_mask:c->mask;
+ is_export=SSL_IS_EXPORT(alg);
+ mask=is_export?c->export_mask:c->mask;
kalg=alg&(SSL_MKEY_MASK|SSL_AUTH_MASK);
if (kalg & SSL_kDHr)
@@ -1166,9 +1300,7 @@ SSL *s;
return(c->pkeys[i].x509);
}
-EVP_PKEY *ssl_get_sign_pkey(s,cipher)
-SSL *s;
-SSL_CIPHER *cipher;
+EVP_PKEY *ssl_get_sign_pkey(SSL *s,SSL_CIPHER *cipher)
{
unsigned long alg;
CERT *c;
@@ -1195,9 +1327,7 @@ SSL_CIPHER *cipher;
}
}
-void ssl_update_cache(s,mode)
-SSL *s;
-int mode;
+void ssl_update_cache(SSL *s,int mode)
{
int i;
@@ -1221,23 +1351,20 @@ int mode;
((i & mode) == mode))
{
if ( (((mode & SSL_SESS_CACHE_CLIENT)
- ?s->ctx->sess_connect_good
- :s->ctx->sess_accept_good) & 0xff) == 0xff)
+ ?s->ctx->stats.sess_connect_good
+ :s->ctx->stats.sess_accept_good) & 0xff) == 0xff)
{
SSL_CTX_flush_sessions(s->ctx,time(NULL));
}
}
}
-SSL_METHOD *SSL_get_ssl_method(s)
-SSL *s;
+SSL_METHOD *SSL_get_ssl_method(SSL *s)
{
return(s->method);
}
-int SSL_set_ssl_method(s,meth)
-SSL *s;
-SSL_METHOD *meth;
+int SSL_set_ssl_method(SSL *s,SSL_METHOD *meth)
{
int conn= -1;
int ret=1;
@@ -1264,17 +1391,23 @@ SSL_METHOD *meth;
return(ret);
}
-int SSL_get_error(s,i)
-SSL *s;
-int i;
+int SSL_get_error(SSL *s,int i)
{
int reason;
+ unsigned long l;
BIO *bio;
if (i > 0) return(SSL_ERROR_NONE);
- if (ERR_peek_error() != 0)
- return(SSL_ERROR_SSL);
+ /* Make things return SSL_ERROR_SYSCALL when doing SSL_do_handshake
+ * etc, where we do encode the error */
+ if ((l=ERR_peek_error()) != 0)
+ {
+ if (ERR_GET_LIB(l) == ERR_LIB_SYS)
+ return(SSL_ERROR_SYSCALL);
+ else
+ return(SSL_ERROR_SSL);
+ }
if ((i < 0) && SSL_want_read(s))
{
@@ -1282,6 +1415,15 @@ int i;
if (BIO_should_read(bio))
return(SSL_ERROR_WANT_READ);
else if (BIO_should_write(bio))
+ /* This one doesn't make too much sense ... We never try
+ * to write to the rbio, and an application program where
+ * rbio and wbio are separate couldn't even know what it
+ * should wait for.
+ * However if we ever set s->rwstate incorrectly
+ * (so that we have SSL_want_read(s) instead of
+ * SSL_want_write(s)) and rbio and wbio *are* the same,
+ * this test works around that bug; so it might be safer
+ * to keep it. */
return(SSL_ERROR_WANT_WRITE);
else if (BIO_should_io_special(bio))
{
@@ -1299,6 +1441,7 @@ int i;
if (BIO_should_write(bio))
return(SSL_ERROR_WANT_WRITE);
else if (BIO_should_read(bio))
+ /* See above (SSL_want_read(s) with BIO_should_write(bio)) */
return(SSL_ERROR_WANT_READ);
else if (BIO_should_io_special(bio))
{
@@ -1331,8 +1474,7 @@ int i;
return(SSL_ERROR_SYSCALL);
}
-int SSL_do_handshake(s)
-SSL *s;
+int SSL_do_handshake(SSL *s)
{
int ret=1;
@@ -1341,7 +1483,9 @@ SSL *s;
SSLerr(SSL_F_SSL_DO_HANDSHAKE,SSL_R_CONNECTION_TYPE_NOT_SET);
return(-1);
}
- if (s->s3->renegotiate) ssl3_renegotiate_check(s);
+
+ s->method->ssl_renegotiate_check(s);
+
if (SSL_in_init(s) || SSL_in_before(s))
{
ret=s->handshake_func(s);
@@ -1351,9 +1495,9 @@ SSL *s;
/* For the next 2 functions, SSL_clear() sets shutdown and so
* one of these calls will reset it */
-void SSL_set_accept_state(s)
-SSL *s;
+void SSL_set_accept_state(SSL *s)
{
+ s->server=1;
s->shutdown=0;
s->state=SSL_ST_ACCEPT|SSL_ST_BEFORE;
s->handshake_func=s->method->ssl_accept;
@@ -1361,9 +1505,9 @@ SSL *s;
ssl_clear_cipher_ctx(s);
}
-void SSL_set_connect_state(s)
-SSL *s;
+void SSL_set_connect_state(SSL *s)
{
+ s->server=0;
s->shutdown=0;
s->state=SSL_ST_CONNECT|SSL_ST_BEFORE;
s->handshake_func=s->method->ssl_connect;
@@ -1371,22 +1515,19 @@ SSL *s;
ssl_clear_cipher_ctx(s);
}
-int ssl_undefined_function(s)
-SSL *s;
+int ssl_undefined_function(SSL *s)
{
SSLerr(SSL_F_SSL_UNDEFINED_FUNCTION,ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
return(0);
}
-SSL_METHOD *ssl_bad_method(ver)
-int ver;
+SSL_METHOD *ssl_bad_method(int ver)
{
SSLerr(SSL_F_SSL_BAD_METHOD,ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
return(NULL);
}
-char *SSL_get_version(s)
-SSL *s;
+char *SSL_get_version(SSL *s)
{
if (s->version == TLS1_VERSION)
return("TLSv1");
@@ -1398,22 +1539,46 @@ SSL *s;
return("unknown");
}
-SSL *SSL_dup(s)
-SSL *s;
- {
- STACK *sk;
+SSL *SSL_dup(SSL *s)
+ {
+ STACK_OF(X509_NAME) *sk;
X509_NAME *xn;
- SSL *ret;
+ SSL *ret;
int i;
- if ((ret=SSL_new(SSL_get_SSL_CTX(s))) == NULL) return(NULL);
+ if ((ret=SSL_new(SSL_get_SSL_CTX(s))) == NULL)
+ return(NULL);
- /* This copies version, session-id, SSL_METHOD and 'cert' */
- SSL_copy_session_id(ret,s);
+ if (s->session != NULL)
+ {
+ /* This copies session-id, SSL_METHOD, sid_ctx, and 'cert' */
+ SSL_copy_session_id(ret,s);
+ }
+ else
+ {
+ /* No session has been established yet, so we have to expect
+ * that s->cert or ret->cert will be changed later --
+ * they should not both point to the same object,
+ * and thus we can't use SSL_copy_session_id. */
+
+ ret->method = s->method;
+ ret->method->ssl_new(ret);
+
+ if (s->cert != NULL)
+ {
+ ret->cert = ssl_cert_dup(s->cert);
+ if (ret->cert == NULL)
+ goto err;
+ }
+
+ SSL_set_session_id_context(ret,
+ s->sid_ctx, s->sid_ctx_length);
+ }
SSL_set_read_ahead(ret,SSL_get_read_ahead(s));
SSL_set_verify(ret,SSL_get_verify_mode(s),
SSL_get_verify_callback(s));
+ SSL_set_verify_depth(ret,SSL_get_verify_depth(s));
SSL_set_info_callback(ret,SSL_get_info_callback(s));
@@ -1444,23 +1609,23 @@ SSL *s;
/* dup the cipher_list and cipher_list_by_id stacks */
if (s->cipher_list != NULL)
{
- if ((ret->cipher_list=sk_dup(s->cipher_list)) == NULL)
+ if ((ret->cipher_list=sk_SSL_CIPHER_dup(s->cipher_list)) == NULL)
goto err;
}
if (s->cipher_list_by_id != NULL)
- if ((ret->cipher_list_by_id=sk_dup(s->cipher_list_by_id))
+ if ((ret->cipher_list_by_id=sk_SSL_CIPHER_dup(s->cipher_list_by_id))
== NULL)
goto err;
/* Dup the client_CA list */
if (s->client_CA != NULL)
{
- if ((sk=sk_dup(s->client_CA)) == NULL) goto err;
+ if ((sk=sk_X509_NAME_dup(s->client_CA)) == NULL) goto err;
ret->client_CA=sk;
- for (i=0; i<sk_num(sk); i++)
+ for (i=0; i<sk_X509_NAME_num(sk); i++)
{
- xn=(X509_NAME *)sk_value(sk,i);
- if ((sk_value(sk,i)=(char *)X509_NAME_dup(xn)) == NULL)
+ xn=sk_X509_NAME_value(sk,i);
+ if (sk_X509_NAME_set(sk,i,X509_NAME_dup(xn)) == NULL)
{
X509_NAME_free(xn);
goto err;
@@ -1471,6 +1636,7 @@ SSL *s;
ret->shutdown=s->shutdown;
ret->state=s->state;
ret->handshake_func=s->handshake_func;
+ ret->server=s->server;
if (0)
{
@@ -1481,26 +1647,34 @@ err:
return(ret);
}
-void ssl_clear_cipher_ctx(s)
-SSL *s;
+void ssl_clear_cipher_ctx(SSL *s)
{
- if (s->enc_read_ctx != NULL)
- {
- EVP_CIPHER_CTX_cleanup(s->enc_read_ctx);
- Free(s->enc_read_ctx);
- s->enc_read_ctx=NULL;
- }
- if (s->enc_write_ctx != NULL)
- {
- EVP_CIPHER_CTX_cleanup(s->enc_write_ctx);
- Free(s->enc_write_ctx);
- s->enc_write_ctx=NULL;
- }
+ if (s->enc_read_ctx != NULL)
+ {
+ EVP_CIPHER_CTX_cleanup(s->enc_read_ctx);
+ Free(s->enc_read_ctx);
+ s->enc_read_ctx=NULL;
+ }
+ if (s->enc_write_ctx != NULL)
+ {
+ EVP_CIPHER_CTX_cleanup(s->enc_write_ctx);
+ Free(s->enc_write_ctx);
+ s->enc_write_ctx=NULL;
+ }
+ if (s->expand != NULL)
+ {
+ COMP_CTX_free(s->expand);
+ s->expand=NULL;
+ }
+ if (s->compress != NULL)
+ {
+ COMP_CTX_free(s->compress);
+ s->compress=NULL;
+ }
}
/* Fix this function so that it takes an optional type parameter */
-X509 *SSL_get_certificate(s)
-SSL *s;
+X509 *SSL_get_certificate(SSL *s)
{
if (s->cert != NULL)
return(s->cert->key->x509);
@@ -1509,8 +1683,7 @@ SSL *s;
}
/* Fix this function so that it takes an optional type parameter */
-EVP_PKEY *SSL_get_privatekey(s)
-SSL *s;
+EVP_PKEY *SSL_get_privatekey(SSL *s)
{
if (s->cert != NULL)
return(s->cert->key->privatekey);
@@ -1518,17 +1691,14 @@ SSL *s;
return(NULL);
}
-SSL_CIPHER *SSL_get_current_cipher(s)
-SSL *s;
+SSL_CIPHER *SSL_get_current_cipher(SSL *s)
{
- if ((s->session != NULL) && (s->session->cipher != NULL))
- return(s->session->cipher);
- return(NULL);
+ if ((s->session != NULL) && (s->session->cipher != NULL))
+ return(s->session->cipher);
+ return(NULL);
}
-int ssl_init_wbio_buffer(s,push)
-SSL *s;
-int push;
+int ssl_init_wbio_buffer(SSL *s,int push)
{
BIO *bbio;
@@ -1544,7 +1714,7 @@ int push;
if (s->bbio == s->wbio)
s->wbio=BIO_pop(s->wbio);
}
- BIO_reset(bbio);
+ (void)BIO_reset(bbio);
/* if (!BIO_set_write_buffer_size(bbio,16*1024)) */
if (!BIO_set_read_buffer_size(bbio,1))
{
@@ -1563,159 +1733,215 @@ int push;
}
return(1);
}
+
+void ssl_free_wbio_buffer(SSL *s)
+ {
+ BIO *under;
+
+ if (s->bbio == NULL) return;
+
+ if (s->bbio == s->wbio)
+ {
+ /* remove buffering */
+ under=BIO_pop(s->wbio);
+ if (under != NULL)
+ s->wbio=under;
+ else
+ abort(); /* ok */
+ }
+ BIO_free(s->bbio);
+ s->bbio=NULL;
+ }
-void SSL_CTX_set_quiet_shutdown(ctx,mode)
-SSL_CTX *ctx;
-int mode;
+void SSL_CTX_set_quiet_shutdown(SSL_CTX *ctx,int mode)
{
ctx->quiet_shutdown=mode;
}
-int SSL_CTX_get_quiet_shutdown(ctx)
-SSL_CTX *ctx;
+int SSL_CTX_get_quiet_shutdown(SSL_CTX *ctx)
{
return(ctx->quiet_shutdown);
}
-void SSL_set_quiet_shutdown(s,mode)
-SSL *s;
-int mode;
+void SSL_set_quiet_shutdown(SSL *s,int mode)
{
s->quiet_shutdown=mode;
}
-int SSL_get_quiet_shutdown(s)
-SSL *s;
+int SSL_get_quiet_shutdown(SSL *s)
{
return(s->quiet_shutdown);
}
-void SSL_set_shutdown(s,mode)
-SSL *s;
-int mode;
+void SSL_set_shutdown(SSL *s,int mode)
{
s->shutdown=mode;
}
-int SSL_get_shutdown(s)
-SSL *s;
+int SSL_get_shutdown(SSL *s)
{
return(s->shutdown);
}
-int SSL_version(s)
-SSL *s;
+int SSL_version(SSL *s)
{
return(s->version);
}
-SSL_CTX *SSL_get_SSL_CTX(ssl)
-SSL *ssl;
+SSL_CTX *SSL_get_SSL_CTX(SSL *ssl)
{
return(ssl->ctx);
}
-int SSL_CTX_set_default_verify_paths(ctx)
-SSL_CTX *ctx;
+#ifndef NO_STDIO
+int SSL_CTX_set_default_verify_paths(SSL_CTX *ctx)
{
return(X509_STORE_set_default_paths(ctx->cert_store));
}
-int SSL_CTX_load_verify_locations(ctx,CAfile,CApath)
-SSL_CTX *ctx;
-char *CAfile;
-char *CApath;
+int SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile,
+ const char *CApath)
{
return(X509_STORE_load_locations(ctx->cert_store,CAfile,CApath));
}
+#endif
-void SSL_set_info_callback(ssl,cb)
-SSL *ssl;
-void (*cb)();
+void SSL_set_info_callback(SSL *ssl,void (*cb)())
{
ssl->info_callback=cb;
}
-void (*SSL_get_info_callback(ssl))()
-SSL *ssl;
+void (*SSL_get_info_callback(SSL *ssl))(void)
{
- return(ssl->info_callback);
+ return((void (*)())ssl->info_callback);
}
-int SSL_state(ssl)
-SSL *ssl;
+int SSL_state(SSL *ssl)
{
return(ssl->state);
}
-void SSL_set_verify_result(ssl,arg)
-SSL *ssl;
-long arg;
+void SSL_set_verify_result(SSL *ssl,long arg)
{
ssl->verify_result=arg;
}
-long SSL_get_verify_result(ssl)
-SSL *ssl;
+long SSL_get_verify_result(SSL *ssl)
{
return(ssl->verify_result);
}
-int SSL_get_ex_new_index(argl,argp,new_func,dup_func,free_func)
-long argl;
-char *argp;
-int (*new_func)();
-int (*dup_func)();
-void (*free_func)();
- {
+int SSL_get_ex_new_index(long argl,char *argp,int (*new_func)(),
+ int (*dup_func)(),void (*free_func)())
+ {
ssl_meth_num++;
return(CRYPTO_get_ex_new_index(ssl_meth_num-1,
&ssl_meth,argl,argp,new_func,dup_func,free_func));
- }
+ }
-int SSL_set_ex_data(s,idx,arg)
-SSL *s;
-int idx;
-char *arg;
+int SSL_set_ex_data(SSL *s,int idx,void *arg)
{
return(CRYPTO_set_ex_data(&s->ex_data,idx,arg));
}
-char *SSL_get_ex_data(s,idx)
-SSL *s;
-int idx;
+void *SSL_get_ex_data(SSL *s,int idx)
{
return(CRYPTO_get_ex_data(&s->ex_data,idx));
}
-int SSL_CTX_get_ex_new_index(argl,argp,new_func,dup_func,free_func)
-long argl;
-char *argp;
-int (*new_func)();
-int (*dup_func)();
-void (*free_func)();
- {
+int SSL_CTX_get_ex_new_index(long argl,char *argp,int (*new_func)(),
+ int (*dup_func)(),void (*free_func)())
+ {
ssl_ctx_meth_num++;
return(CRYPTO_get_ex_new_index(ssl_ctx_meth_num-1,
&ssl_ctx_meth,argl,argp,new_func,dup_func,free_func));
- }
+ }
-int SSL_CTX_set_ex_data(s,idx,arg)
-SSL_CTX *s;
-int idx;
-char *arg;
+int SSL_CTX_set_ex_data(SSL_CTX *s,int idx,void *arg)
{
return(CRYPTO_set_ex_data(&s->ex_data,idx,arg));
}
-char *SSL_CTX_get_ex_data(s,idx)
-SSL_CTX *s;
-int idx;
+void *SSL_CTX_get_ex_data(SSL_CTX *s,int idx)
{
return(CRYPTO_get_ex_data(&s->ex_data,idx));
}
+int ssl_ok(SSL *s)
+ {
+ return(1);
+ }
+
+X509_STORE *SSL_CTX_get_cert_store(SSL_CTX *ctx)
+ {
+ return(ctx->cert_store);
+ }
+
+void SSL_CTX_set_cert_store(SSL_CTX *ctx,X509_STORE *store)
+ {
+ if (ctx->cert_store != NULL)
+ X509_STORE_free(ctx->cert_store);
+ ctx->cert_store=store;
+ }
+
+int SSL_want(SSL *s)
+ {
+ return(s->rwstate);
+ }
+
+/*!
+ * \brief Set the callback for generating temporary RSA keys.
+ * \param ctx the SSL context.
+ * \param cb the callback
+ */
+
+#ifndef NO_RSA
+void SSL_CTX_set_tmp_rsa_callback(SSL_CTX *ctx,RSA *(*cb)(SSL *ssl,
+ int is_export,
+ int keylength))
+ { SSL_CTX_ctrl(ctx,SSL_CTRL_SET_TMP_RSA_CB,0,(char *)cb); }
+#endif
+
+#ifndef NO_RSA
+void SSL_set_tmp_rsa_callback(SSL *ssl,RSA *(*cb)(SSL *ssl,int is_export,
+ int keylength))
+ { SSL_ctrl(ssl,SSL_CTRL_SET_TMP_RSA_CB,0,(char *)cb); }
+#endif
+
+#ifdef DOXYGEN
+/*!
+ * \brief The RSA temporary key callback function.
+ * \param ssl the SSL session.
+ * \param is_export \c TRUE if the temp RSA key is for an export ciphersuite.
+ * \param keylength if \c is_export is \c TRUE, then \c keylength is the size
+ * of the required key in bits.
+ * \return the temporary RSA key.
+ * \sa SSL_CTX_set_tmp_rsa_callback, SSL_set_tmp_rsa_callback
+ */
+
+RSA *cb(SSL *ssl,int is_export,int keylength)
+ {}
+#endif
+
+/*!
+ * \brief Set the callback for generating temporary DH keys.
+ * \param ctx the SSL context.
+ * \param dh the callback
+ */
+
+#ifndef NO_DH
+void SSL_CTX_set_tmp_dh_callback(SSL_CTX *ctx,DH *(*dh)(SSL *ssl,int is_export,
+ int keylength))
+ { SSL_CTX_ctrl(ctx,SSL_CTRL_SET_TMP_DH_CB,0,(char *)dh); }
+
+void SSL_set_tmp_dh_callback(SSL *ssl,DH *(*dh)(SSL *ssl,int is_export,
+ int keylength))
+ { SSL_ctrl(ssl,SSL_CTRL_SET_TMP_DH_CB,0,(char *)dh); }
+#endif
+
#if defined(_WINDLL) && defined(WIN16)
#include "../crypto/bio/bss_file.c"
#endif
+IMPLEMENT_STACK_OF(SSL_CIPHER)
+IMPLEMENT_STACK_OF(SSL_COMP)
diff --git a/lib/libssl/src/ssl/ssl_locl.h b/lib/libssl/src/ssl/ssl_locl.h
index b29517081bc..0bfd57db326 100644
--- a/lib/libssl/src/ssl/ssl_locl.h
+++ b/lib/libssl/src/ssl/ssl_locl.h
@@ -63,17 +63,19 @@
#include <string.h>
#include <errno.h>
-#include "e_os.h"
+#include "openssl/e_os.h"
-#include "buffer.h"
-#include "bio.h"
-#include "crypto.h"
-#include "evp.h"
-#include "stack.h"
-#include "x509.h"
-#include "err.h"
-#include "ssl.h"
+#include <openssl/buffer.h>
+#include <openssl/comp.h>
+#include <openssl/bio.h>
+#include <openssl/crypto.h>
+#include <openssl/evp.h>
+#include <openssl/stack.h>
+#include <openssl/x509.h>
+#include <openssl/err.h>
+#include <openssl/ssl.h>
+#define PKCS1_CHECK
#define c2l(c,l) (l = ((unsigned long)(*((c)++))) , \
l|=(((unsigned long)(*((c)++)))<< 8), \
@@ -126,18 +128,18 @@
} \
}
-#define n2s(c,s) (s =((unsigned int)(*((c)++)))<< 8, \
- s|=((unsigned int)(*((c)++))))
-#define s2n(s,c) (*((c)++)=(unsigned char)(((s)>> 8)&0xff), \
- *((c)++)=(unsigned char)(((s) )&0xff))
+#define n2s(c,s) ((s=(((unsigned int)(c[0]))<< 8)| \
+ (((unsigned int)(c[1])) )),c+=2)
+#define s2n(s,c) ((c[0]=(unsigned char)(((s)>> 8)&0xff), \
+ c[1]=(unsigned char)(((s) )&0xff)),c+=2)
-#define n2l3(c,l) (l =((unsigned long)(*((c)++)))<<16, \
- l|=((unsigned long)(*((c)++)))<< 8, \
- l|=((unsigned long)(*((c)++))))
+#define n2l3(c,l) ((l =(((unsigned long)(c[0]))<<16)| \
+ (((unsigned long)(c[1]))<< 8)| \
+ (((unsigned long)(c[2])) )),c+=3)
-#define l2n3(l,c) (*((c)++)=(unsigned char)(((l)>>16)&0xff), \
- *((c)++)=(unsigned char)(((l)>> 8)&0xff), \
- *((c)++)=(unsigned char)(((l) )&0xff))
+#define l2n3(l,c) ((c[0]=(unsigned char)(((l)>>16)&0xff), \
+ c[1]=(unsigned char)(((l)>> 8)&0xff), \
+ c[2]=(unsigned char)(((l) )&0xff)),c+=3)
/* LOCAL STUFF */
@@ -190,13 +192,25 @@
#define SSL_SHA (SSL_SHA1)
#define SSL_EXP_MASK 0x00300000L
-#define SSL_EXP 0x00100000L
+#define SSL_EXP40 0x00100000L
#define SSL_NOT_EXP 0x00200000L
-#define SSL_EXPORT SSL_EXP
+#define SSL_EXP56 0x00300000L
+#define SSL_IS_EXPORT(a) ((a)&SSL_EXP40)
+#define SSL_IS_EXPORT56(a) (((a)&SSL_EXP_MASK) == SSL_EXP56)
+#define SSL_IS_EXPORT40(a) (((a)&SSL_EXP_MASK) == SSL_EXP40)
+#define SSL_C_IS_EXPORT(c) SSL_IS_EXPORT((c)->algorithms)
+#define SSL_C_IS_EXPORT56(c) SSL_IS_EXPORT56((c)->algorithms)
+#define SSL_C_IS_EXPORT40(c) SSL_IS_EXPORT40((c)->algorithms)
+#define SSL_EXPORT_KEYLENGTH(a) (SSL_IS_EXPORT40(a) ? 5 : \
+ ((a)&SSL_ENC_MASK) == SSL_DES ? 8 : 7)
+#define SSL_EXPORT_PKEYLENGTH(a) (SSL_IS_EXPORT40(a) ? 512 : 1024)
+#define SSL_C_EXPORT_KEYLENGTH(c) SSL_EXPORT_KEYLENGTH((c)->algorithms)
+#define SSL_C_EXPORT_PKEYLENGTH(c) SSL_EXPORT_PKEYLENGTH((c)->algorithms)
#define SSL_SSL_MASK 0x00c00000L
#define SSL_SSLV2 0x00400000L
#define SSL_SSLV3 0x00800000L
+#define SSL_TLSV1 SSL_SSLV3 /* for now */
#define SSL_STRONG_MASK 0x07000000L
#define SSL_LOW 0x01000000L
@@ -233,44 +247,59 @@
typedef struct cert_pkey_st
{
X509 *x509;
-/* EVP_PKEY *publickey; *//* when extracted */
EVP_PKEY *privatekey;
} CERT_PKEY;
typedef struct cert_st
{
- int cert_type;
-
-#ifdef undef
- X509 *x509;
- EVP_PKEY *publickey; /* when extracted */
- EVP_PKEY *privatekey;
-
- pkeys[SSL_PKEY_RSA_ENC].x509
-/* pkeys[SSL_PKEY_RSA_ENC].publickey */
- pkeys[SSL_PKEY_RSA_ENC].privatekey
-#endif
-
/* Current active set */
- CERT_PKEY *key;
+ CERT_PKEY *key; /* ALWAYS points to an element of the pkeys array
+ * Probably it would make more sense to store
+ * an index, not a pointer. */
/* The following masks are for the key and auth
* algorithms that are supported by the certs below */
int valid;
unsigned long mask;
unsigned long export_mask;
-
+#ifndef NO_RSA
RSA *rsa_tmp;
+ RSA *(*rsa_tmp_cb)(SSL *ssl,int is_export,int keysize);
+#endif
+#ifndef NO_DH
DH *dh_tmp;
- RSA *(*rsa_tmp_cb)();
- DH *(*dh_tmp_cb)();
- CERT_PKEY pkeys[SSL_PKEY_NUM];
+ DH *(*dh_tmp_cb)(SSL *ssl,int is_export,int keysize);
+#endif
- STACK *cert_chain;
+ CERT_PKEY pkeys[SSL_PKEY_NUM];
- int references;
+ int references; /* >1 only if SSL_copy_session_id is used */
} CERT;
+
+typedef struct sess_cert_st
+ {
+ STACK_OF(X509) *cert_chain; /* as received from peer (not for SSL2) */
+
+ /* The 'peer_...' members are used only by clients. */
+ int peer_cert_type;
+
+ CERT_PKEY *peer_key; /* points to an element of peer_pkeys (never NULL!) */
+ CERT_PKEY peer_pkeys[SSL_PKEY_NUM];
+ /* Obviously we don't have the private keys of these,
+ * so maybe we shouldn't even use the CERT_PKEY type here. */
+
+#ifndef NO_RSA
+ RSA *peer_rsa_tmp; /* not used for SSL 2 */
+#endif
+#ifndef NO_DH
+ DH *peer_dh_tmp; /* not used for SSL 2 */
+#endif
+
+ int references; /* actually always 1 at the moment */
+ } SESS_CERT;
+
+
/*#define MAC_DEBUG */
/*#define ERR_DEBUG */
@@ -282,12 +311,7 @@ typedef struct cert_st
/*#define RSA_DEBUG */
/*#define IDEA_DEBUG */
-#ifndef NOPROTO
#define FP_ICC (int (*)(const void *,const void *))
-#else
-#define FP_ICC
-#endif
-
#define ssl_put_cipher_by_char(ssl,ciph,ptr) \
((ssl)->method->put_cipher_by_char((ciph),(ptr)))
#define ssl_get_cipher_by_char(ssl,ptr) \
@@ -313,11 +337,23 @@ typedef struct ssl3_enc_method
int (*alert_value)();
} SSL3_ENC_METHOD;
-extern SSL3_ENC_METHOD ssl3_undef_enc_method;
-extern SSL_CIPHER ssl2_ciphers[];
-extern SSL_CIPHER ssl3_ciphers[];
+/* Used for holding the relevant compression methods loaded into SSL_CTX */
+typedef struct ssl3_comp_st
+ {
+ int comp_id; /* The identifer byte for this compression type */
+ char *name; /* Text name used for the compression type */
+ COMP_METHOD *method; /* The method :-) */
+ } SSL3_COMP;
+
+OPENSSL_EXTERN SSL3_ENC_METHOD ssl3_undef_enc_method;
+OPENSSL_EXTERN SSL_CIPHER ssl2_ciphers[];
+OPENSSL_EXTERN SSL_CIPHER ssl3_ciphers[];
+
+#ifdef VMS
+#undef SSL_COMP_get_compression_methods
+#define SSL_COMP_get_compression_methods SSL_COMP_get_compress_methods
+#endif
-#ifndef NOPROTO
SSL_METHOD *ssl_bad_method(int ver);
SSL_METHOD *sslv2_base_method(void);
@@ -327,33 +363,41 @@ SSL_METHOD *sslv3_base_method(void);
void ssl_clear_cipher_ctx(SSL *s);
int ssl_clear_bad_session(SSL *s);
CERT *ssl_cert_new(void);
+CERT *ssl_cert_dup(CERT *cert);
+int ssl_cert_inst(CERT **o);
void ssl_cert_free(CERT *c);
-int ssl_set_cert_type(CERT *c, int type);
+SESS_CERT *ssl_sess_cert_new(void);
+void ssl_sess_cert_free(SESS_CERT *sc);
+int ssl_set_peer_cert_type(SESS_CERT *c, int type);
int ssl_get_new_session(SSL *s, int session);
int ssl_get_prev_session(SSL *s, unsigned char *session,int len);
int ssl_cipher_id_cmp(SSL_CIPHER *a,SSL_CIPHER *b);
int ssl_cipher_ptr_id_cmp(SSL_CIPHER **ap,SSL_CIPHER **bp);
-STACK *ssl_bytes_to_cipher_list(SSL *s,unsigned char *p,int num,STACK **skp);
-int ssl_cipher_list_to_bytes(SSL *s,STACK *sk,unsigned char *p);
-STACK *ssl_create_cipher_list(SSL_METHOD *meth,STACK **pref,
- STACK **sorted,char *str);
+STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s,unsigned char *p,int num,
+ STACK_OF(SSL_CIPHER) **skp);
+int ssl_cipher_list_to_bytes(SSL *s,STACK_OF(SSL_CIPHER) *sk,unsigned char *p);
+STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_METHOD *meth,
+ STACK_OF(SSL_CIPHER) **pref,
+ STACK_OF(SSL_CIPHER) **sorted,
+ char *str);
void ssl_update_cache(SSL *s, int mode);
-int ssl_cipher_get_evp(SSL_CIPHER *c, EVP_CIPHER **enc, EVP_MD **md);
-int ssl_verify_cert_chain(SSL *s,STACK *sk);
+int ssl_cipher_get_evp(SSL_SESSION *s,const EVP_CIPHER **enc,const EVP_MD **md,
+ SSL_COMP **comp);
+int ssl_verify_cert_chain(SSL *s,STACK_OF(X509) *sk);
int ssl_undefined_function(SSL *s);
X509 *ssl_get_server_send_cert(SSL *);
EVP_PKEY *ssl_get_sign_pkey(SSL *,SSL_CIPHER *);
int ssl_cert_type(X509 *x,EVP_PKEY *pkey);
-void ssl_set_cert_masks(CERT *c);
-STACK *ssl_get_ciphers_by_id(SSL *s);
+void ssl_set_cert_masks(CERT *c, SSL_CIPHER *cipher);
+STACK_OF(SSL_CIPHER) *ssl_get_ciphers_by_id(SSL *s);
int ssl_verify_alarm_type(long type);
int ssl2_enc_init(SSL *s, int client);
void ssl2_generate_key_material(SSL *s);
void ssl2_enc(SSL *s,int send_data);
void ssl2_mac(SSL *s,unsigned char *mac,int send_data);
-SSL_CIPHER *ssl2_get_cipher_by_char(unsigned char *p);
-int ssl2_put_cipher_by_char(SSL_CIPHER *c,unsigned char *p);
+SSL_CIPHER *ssl2_get_cipher_by_char(const unsigned char *p);
+int ssl2_put_cipher_by_char(const SSL_CIPHER *c,unsigned char *p);
int ssl2_part_read(SSL *s, unsigned long f, int i);
int ssl2_do_write(SSL *s);
int ssl2_set_certificate(SSL *s, int type, int len, unsigned char *data);
@@ -365,17 +409,17 @@ int ssl2_new(SSL *s);
void ssl2_free(SSL *s);
int ssl2_accept(SSL *s);
int ssl2_connect(SSL *s);
-int ssl2_read(SSL *s, char *buf, int len);
+int ssl2_read(SSL *s, void *buf, int len);
int ssl2_peek(SSL *s, char *buf, int len);
-int ssl2_write(SSL *s, char *buf, int len);
+int ssl2_write(SSL *s, const void *buf, int len);
int ssl2_shutdown(SSL *s);
void ssl2_clear(SSL *s);
long ssl2_ctrl(SSL *s,int cmd, long larg, char *parg);
long ssl2_ctx_ctrl(SSL_CTX *s,int cmd, long larg, char *parg);
int ssl2_pending(SSL *s);
-SSL_CIPHER *ssl3_get_cipher_by_char(unsigned char *p);
-int ssl3_put_cipher_by_char(SSL_CIPHER *c,unsigned char *p);
+SSL_CIPHER *ssl3_get_cipher_by_char(const unsigned char *p);
+int ssl3_put_cipher_by_char(const SSL_CIPHER *c,unsigned char *p);
void ssl3_init_finished_mac(SSL *s);
int ssl3_send_server_certificate(SSL *s);
int ssl3_get_finished(SSL *s,int state_a,int state_b);
@@ -395,25 +439,26 @@ SSL_CIPHER *ssl3_get_cipher(unsigned int u);
int ssl3_renegotiate(SSL *ssl);
int ssl3_renegotiate_check(SSL *ssl);
int ssl3_dispatch_alert(SSL *s);
-int ssl3_read_bytes(SSL *s, int type, char *buf, int len);
+int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len);
int ssl3_part_read(SSL *s, int i);
-int ssl3_write_bytes(SSL *s, int type, char *buf, int len);
+int ssl3_write_bytes(SSL *s, int type, const void *buf, int len);
int ssl3_final_finish_mac(SSL *s, EVP_MD_CTX *ctx1,EVP_MD_CTX *ctx2,
unsigned char *sender, int slen,unsigned char *p);
int ssl3_cert_verify_mac(SSL *s, EVP_MD_CTX *in, unsigned char *p);
-void ssl3_finish_mac(SSL *s, unsigned char *buf, int len);
+void ssl3_finish_mac(SSL *s, const unsigned char *buf, int len);
int ssl3_enc(SSL *s, int send_data);
int ssl3_mac(SSL *ssl, unsigned char *md, int send_data);
unsigned long ssl3_output_cert_chain(SSL *s, X509 *x);
-SSL_CIPHER *ssl3_choose_cipher(SSL *ssl,STACK *have,STACK *pref);
+SSL_CIPHER *ssl3_choose_cipher(SSL *ssl,STACK_OF(SSL_CIPHER) *have,
+ STACK_OF(SSL_CIPHER) *pref);
int ssl3_setup_buffers(SSL *s);
int ssl3_new(SSL *s);
void ssl3_free(SSL *s);
int ssl3_accept(SSL *s);
int ssl3_connect(SSL *s);
-int ssl3_read(SSL *s, char *buf, int len);
+int ssl3_read(SSL *s, void *buf, int len);
int ssl3_peek(SSL *s,char *buf, int len);
-int ssl3_write(SSL *s, char *buf, int len);
+int ssl3_write(SSL *s, const void *buf, int len);
int ssl3_shutdown(SSL *s);
void ssl3_clear(SSL *s);
long ssl3_ctrl(SSL *s,int cmd, long larg, char *parg);
@@ -431,8 +476,8 @@ void tls1_clear(SSL *s);
long tls1_ctrl(SSL *s,int cmd, long larg, char *parg);
SSL_METHOD *tlsv1_base_method(void );
-
int ssl_init_wbio_buffer(SSL *s, int push);
+void ssl_free_wbio_buffer(SSL *s);
int tls1_change_cipher_state(SSL *s, int which);
int tls1_setup_key_block(SSL *s);
@@ -445,114 +490,10 @@ int tls1_generate_master_secret(SSL *s, unsigned char *out,
unsigned char *p, int len);
int tls1_alert_code(int code);
int ssl3_alert_code(int code);
+int ssl_ok(SSL *s);
+SSL_COMP *ssl3_comp_find(STACK_OF(SSL_COMP) *sk, int n);
+STACK_OF(SSL_COMP) *SSL_COMP_get_compression_methods(void);
-#else
-
-SSL_METHOD *ssl_bad_method();
-SSL_METHOD *sslv2_base_method();
-SSL_METHOD *sslv23_base_method();
-SSL_METHOD *sslv3_base_method();
-
-void ssl_clear_cipher_ctx();
-int ssl_clear_bad_session();
-CERT *ssl_cert_new();
-void ssl_cert_free();
-int ssl_set_cert_type();
-int ssl_get_new_session();
-int ssl_get_prev_session();
-int ssl_cipher_id_cmp();
-int ssl_cipher_ptr_id_cmp();
-STACK *ssl_bytes_to_cipher_list();
-int ssl_cipher_list_to_bytes();
-STACK *ssl_create_cipher_list();
-void ssl_update_cache();
-int ssl_session_get_ciphers();
-int ssl_verify_cert_chain();
-int ssl_undefined_function();
-X509 *ssl_get_server_send_cert();
-EVP_PKEY *ssl_get_sign_pkey();
-int ssl_cert_type();
-void ssl_set_cert_masks();
-STACK *ssl_get_ciphers_by_id();
-int ssl_verify_alarm_type();
-
-int ssl2_enc_init();
-void ssl2_generate_key_material();
-void ssl2_enc();
-void ssl2_mac();
-SSL_CIPHER *ssl2_get_cipher_by_char();
-int ssl2_put_cipher_by_char();
-int ssl2_part_read();
-int ssl2_do_write();
-int ssl2_set_certificate();
-void ssl2_return_error();
-void ssl2_write_error();
-int ssl2_num_ciphers();
-SSL_CIPHER *ssl2_get_cipher();
-int ssl2_new();
-void ssl2_free();
-int ssl2_accept();
-int ssl2_connect();
-int ssl2_read();
-int ssl2_peek();
-int ssl2_write();
-int ssl2_shutdown();
-void ssl2_clear();
-long ssl2_ctrl();
-long ssl2_ctx_ctrl();
-int ssl2_pending();
-
-SSL_CIPHER *ssl3_get_cipher_by_char();
-int ssl3_put_cipher_by_char();
-void ssl3_init_finished_mac();
-int ssl3_send_server_certificate();
-int ssl3_get_finished();
-int ssl3_setup_key_block();
-int ssl3_send_change_cipher_spec();
-int ssl3_change_cipher_state();
-void ssl3_cleanup_key_block();
-int ssl3_do_write();
-void ssl3_send_alert();
-int ssl3_generate_master_secret();
-int ssl3_get_req_cert_type();
-long ssl3_get_message();
-int ssl3_send_finished();
-int ssl3_num_ciphers();
-SSL_CIPHER *ssl3_get_cipher();
-int ssl3_renegotiate();
-int ssl3_renegotiate_check();
-int ssl3_dispatch_alert();
-int ssl3_read_bytes();
-int ssl3_part_read();
-int ssl3_write_bytes();
-int ssl3_final_finish_mac();
-void ssl3_finish_mac();
-int ssl3_enc();
-int ssl3_mac();
-unsigned long ssl3_output_cert_chain();
-SSL_CIPHER *ssl3_choose_cipher();
-int ssl3_setup_buffers();
-int ssl3_new();
-void ssl3_free();
-int ssl3_accept();
-int ssl3_connect();
-int ssl3_read();
-int ssl3_peek();
-int ssl3_write();
-int ssl3_shutdown();
-void ssl3_clear();
-long ssl3_ctrl();
-long ssl3_ctx_ctrl();
-int ssl3_pending();
-
-int ssl23_accept();
-int ssl23_connect();
-int ssl23_read_bytes();
-int ssl23_write_bytes();
-
-int ssl_init_wbio_buffer();
-
-#endif
#endif
diff --git a/lib/libssl/src/ssl/ssl_rsa.c b/lib/libssl/src/ssl/ssl_rsa.c
index 140475e5fbd..6ec7a5cdb19 100644
--- a/lib/libssl/src/ssl/ssl_rsa.c
+++ b/lib/libssl/src/ssl/ssl_rsa.c
@@ -57,53 +57,32 @@
*/
#include <stdio.h>
-#include "bio.h"
-#include "objects.h"
-#include "evp.h"
-#include "x509.h"
-#include "pem.h"
+#include <openssl/bio.h>
+#include <openssl/objects.h>
+#include <openssl/evp.h>
+#include <openssl/x509.h>
+#include <openssl/pem.h>
#include "ssl_locl.h"
-#ifndef NOPROTO
static int ssl_set_cert(CERT *c, X509 *x509);
static int ssl_set_pkey(CERT *c, EVP_PKEY *pkey);
-#else
-static int ssl_set_cert();
-static int ssl_set_pkey();
-#endif
-
-int SSL_use_certificate(ssl, x)
-SSL *ssl;
-X509 *x;
+int SSL_use_certificate(SSL *ssl, X509 *x)
{
- CERT *c;
-
if (x == NULL)
{
SSLerr(SSL_F_SSL_USE_CERTIFICATE,ERR_R_PASSED_NULL_PARAMETER);
return(0);
}
- if ((ssl->cert == NULL) || (ssl->cert == ssl->ctx->default_cert))
+ if (!ssl_cert_inst(&ssl->cert))
{
- c=ssl_cert_new();
- if (c == NULL)
- {
- SSLerr(SSL_F_SSL_USE_CERTIFICATE,ERR_R_MALLOC_FAILURE);
- return(0);
- }
- if (ssl->cert != NULL) ssl_cert_free(ssl->cert);
- ssl->cert=c;
+ SSLerr(SSL_F_SSL_USE_CERTIFICATE,ERR_R_MALLOC_FAILURE);
+ return(0);
}
- c=ssl->cert;
-
- return(ssl_set_cert(c,x));
+ return(ssl_set_cert(ssl->cert,x));
}
#ifndef NO_STDIO
-int SSL_use_certificate_file(ssl, file, type)
-SSL *ssl;
-char *file;
-int type;
+int SSL_use_certificate_file(SSL *ssl, const char *file, int type)
{
int j;
BIO *in;
@@ -130,7 +109,7 @@ int type;
else if (type == SSL_FILETYPE_PEM)
{
j=ERR_R_PEM_LIB;
- x=PEM_read_bio_X509(in,NULL,ssl->ctx->default_passwd_callback);
+ x=PEM_read_bio_X509(in,NULL,ssl->ctx->default_passwd_callback,ssl->ctx->default_passwd_callback_userdata);
}
else
{
@@ -152,10 +131,7 @@ end:
}
#endif
-int SSL_use_certificate_ASN1(ssl, len, d)
-SSL *ssl;
-int len;
-unsigned char *d;
+int SSL_use_certificate_ASN1(SSL *ssl, unsigned char *d, int len)
{
X509 *x;
int ret;
@@ -173,11 +149,8 @@ unsigned char *d;
}
#ifndef NO_RSA
-int SSL_use_RSAPrivateKey(ssl, rsa)
-SSL *ssl;
-RSA *rsa;
+int SSL_use_RSAPrivateKey(SSL *ssl, RSA *rsa)
{
- CERT *c;
EVP_PKEY *pkey;
int ret;
@@ -186,19 +159,11 @@ RSA *rsa;
SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY,ERR_R_PASSED_NULL_PARAMETER);
return(0);
}
-
- if ((ssl->cert == NULL) || (ssl->cert == ssl->ctx->default_cert))
- {
- c=ssl_cert_new();
- if (c == NULL)
- {
- SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY,ERR_R_MALLOC_FAILURE);
- return(0);
- }
- if (ssl->cert != NULL) ssl_cert_free(ssl->cert);
- ssl->cert=c;
+ if (!ssl_cert_inst(&ssl->cert))
+ {
+ SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY,ERR_R_MALLOC_FAILURE);
+ return(0);
}
- c=ssl->cert;
if ((pkey=EVP_PKEY_new()) == NULL)
{
SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY,ERR_R_EVP_LIB);
@@ -208,15 +173,13 @@ RSA *rsa;
CRYPTO_add(&rsa->references,1,CRYPTO_LOCK_RSA);
EVP_PKEY_assign_RSA(pkey,rsa);
- ret=ssl_set_pkey(c,pkey);
+ ret=ssl_set_pkey(ssl->cert,pkey);
EVP_PKEY_free(pkey);
return(ret);
}
#endif
-static int ssl_set_pkey(c,pkey)
-CERT *c;
-EVP_PKEY *pkey;
+static int ssl_set_pkey(CERT *c, EVP_PKEY *pkey)
{
int i,ok=0,bad=0;
@@ -229,6 +192,12 @@ EVP_PKEY *pkey;
if (c->pkeys[i].x509 != NULL)
{
+ EVP_PKEY *pktmp;
+ pktmp = X509_get_pubkey(c->pkeys[i].x509);
+ EVP_PKEY_copy_parameters(pktmp,pkey);
+ EVP_PKEY_free(pktmp);
+ ERR_clear_error();
+
#ifndef NO_RSA
/* Don't check the public/private key, this is mostly
* for smart cards. */
@@ -284,10 +253,7 @@ EVP_PKEY *pkey;
#ifndef NO_RSA
#ifndef NO_STDIO
-int SSL_use_RSAPrivateKey_file(ssl, file, type)
-SSL *ssl;
-char *file;
-int type;
+int SSL_use_RSAPrivateKey_file(SSL *ssl, const char *file, int type)
{
int j,ret=0;
BIO *in;
@@ -314,7 +280,7 @@ int type;
{
j=ERR_R_PEM_LIB;
rsa=PEM_read_bio_RSAPrivateKey(in,NULL,
- ssl->ctx->default_passwd_callback);
+ ssl->ctx->default_passwd_callback,ssl->ctx->default_passwd_callback_userdata);
}
else
{
@@ -334,10 +300,7 @@ end:
}
#endif
-int SSL_use_RSAPrivateKey_ASN1(ssl,d,len)
-SSL *ssl;
-unsigned char *d;
-long len;
+int SSL_use_RSAPrivateKey_ASN1(SSL *ssl, unsigned char *d, long len)
{
int ret;
unsigned char *p;
@@ -356,11 +319,8 @@ long len;
}
#endif /* !NO_RSA */
-int SSL_use_PrivateKey(ssl, pkey)
-SSL *ssl;
-EVP_PKEY *pkey;
+int SSL_use_PrivateKey(SSL *ssl, EVP_PKEY *pkey)
{
- CERT *c;
int ret;
if (pkey == NULL)
@@ -368,29 +328,17 @@ EVP_PKEY *pkey;
SSLerr(SSL_F_SSL_USE_PRIVATEKEY,ERR_R_PASSED_NULL_PARAMETER);
return(0);
}
-
- if ((ssl->cert == NULL) || (ssl->cert == ssl->ctx->default_cert))
- {
- c=ssl_cert_new();
- if (c == NULL)
- {
- SSLerr(SSL_F_SSL_USE_PRIVATEKEY,ERR_R_MALLOC_FAILURE);
- return(0);
- }
- if (ssl->cert != NULL) ssl_cert_free(ssl->cert);
- ssl->cert=c;
+ if (!ssl_cert_inst(&ssl->cert))
+ {
+ SSLerr(SSL_F_SSL_USE_PRIVATEKEY,ERR_R_MALLOC_FAILURE);
+ return(0);
}
- c=ssl->cert;
-
- ret=ssl_set_pkey(c,pkey);
+ ret=ssl_set_pkey(ssl->cert,pkey);
return(ret);
}
#ifndef NO_STDIO
-int SSL_use_PrivateKey_file(ssl, file, type)
-SSL *ssl;
-char *file;
-int type;
+int SSL_use_PrivateKey_file(SSL *ssl, const char *file, int type)
{
int j,ret=0;
BIO *in;
@@ -412,7 +360,7 @@ int type;
{
j=ERR_R_PEM_LIB;
pkey=PEM_read_bio_PrivateKey(in,NULL,
- ssl->ctx->default_passwd_callback);
+ ssl->ctx->default_passwd_callback,ssl->ctx->default_passwd_callback_userdata);
}
else
{
@@ -432,11 +380,7 @@ end:
}
#endif
-int SSL_use_PrivateKey_ASN1(type,ssl,d,len)
-int type;
-SSL *ssl;
-unsigned char *d;
-long len;
+int SSL_use_PrivateKey_ASN1(int type, SSL *ssl, unsigned char *d, long len)
{
int ret;
unsigned char *p;
@@ -454,36 +398,22 @@ long len;
return(ret);
}
-int SSL_CTX_use_certificate(ctx, x)
-SSL_CTX *ctx;
-X509 *x;
+int SSL_CTX_use_certificate(SSL_CTX *ctx, X509 *x)
{
- CERT *c;
-
if (x == NULL)
{
SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE,ERR_R_PASSED_NULL_PARAMETER);
return(0);
}
-
- if (ctx->default_cert == NULL)
+ if (!ssl_cert_inst(&ctx->cert))
{
- c=ssl_cert_new();
- if (c == NULL)
- {
- SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE,ERR_R_MALLOC_FAILURE);
- return(0);
- }
- ctx->default_cert=c;
+ SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE,ERR_R_MALLOC_FAILURE);
+ return(0);
}
- c=ctx->default_cert;
-
- return(ssl_set_cert(c,x));
+ return(ssl_set_cert(ctx->cert, x));
}
-static int ssl_set_cert(c,x)
-CERT *c;
-X509 *x;
+static int ssl_set_cert(CERT *c, X509 *x)
{
EVP_PKEY *pkey;
int i,ok=0,bad=0;
@@ -499,11 +429,25 @@ X509 *x;
if (i < 0)
{
SSLerr(SSL_F_SSL_SET_CERT,SSL_R_UNKNOWN_CERTIFICATE_TYPE);
+ EVP_PKEY_free(pkey);
return(0);
}
if (c->pkeys[i].privatekey != NULL)
{
+ EVP_PKEY_copy_parameters(pkey,c->pkeys[i].privatekey);
+ ERR_clear_error();
+
+#ifndef NO_RSA
+ /* Don't check the public/private key, this is mostly
+ * for smart cards. */
+ if ((c->pkeys[i].privatekey->type == EVP_PKEY_RSA) &&
+ (RSA_flags(c->pkeys[i].privatekey->pkey.rsa) &
+ RSA_METHOD_FLAG_NO_CHECK))
+ ok=1;
+ else
+#endif
+ {
if (!X509_check_private_key(x,c->pkeys[i].privatekey))
{
if ((i == SSL_PKEY_DH_RSA) || (i == SSL_PKEY_DH_DSA))
@@ -527,10 +471,12 @@ X509 *x;
}
else
ok=1;
+ } /* NO_RSA */
}
else
ok=1;
+ EVP_PKEY_free(pkey);
if (bad)
{
EVP_PKEY_free(c->pkeys[i].privatekey);
@@ -548,10 +494,7 @@ X509 *x;
}
#ifndef NO_STDIO
-int SSL_CTX_use_certificate_file(ctx, file, type)
-SSL_CTX *ctx;
-char *file;
-int type;
+int SSL_CTX_use_certificate_file(SSL_CTX *ctx, const char *file, int type)
{
int j;
BIO *in;
@@ -578,7 +521,7 @@ int type;
else if (type == SSL_FILETYPE_PEM)
{
j=ERR_R_PEM_LIB;
- x=PEM_read_bio_X509(in,NULL,ctx->default_passwd_callback);
+ x=PEM_read_bio_X509(in,NULL,ctx->default_passwd_callback,ctx->default_passwd_callback_userdata);
}
else
{
@@ -600,10 +543,7 @@ end:
}
#endif
-int SSL_CTX_use_certificate_ASN1(ctx, len, d)
-SSL_CTX *ctx;
-int len;
-unsigned char *d;
+int SSL_CTX_use_certificate_ASN1(SSL_CTX *ctx, int len, unsigned char *d)
{
X509 *x;
int ret;
@@ -621,12 +561,9 @@ unsigned char *d;
}
#ifndef NO_RSA
-int SSL_CTX_use_RSAPrivateKey(ctx, rsa)
-SSL_CTX *ctx;
-RSA *rsa;
+int SSL_CTX_use_RSAPrivateKey(SSL_CTX *ctx, RSA *rsa)
{
int ret;
- CERT *c;
EVP_PKEY *pkey;
if (rsa == NULL)
@@ -634,18 +571,11 @@ RSA *rsa;
SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY,ERR_R_PASSED_NULL_PARAMETER);
return(0);
}
- if (ctx->default_cert == NULL)
+ if (!ssl_cert_inst(&ctx->cert))
{
- c=ssl_cert_new();
- if (c == NULL)
- {
- SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY,ERR_R_MALLOC_FAILURE);
- return(0);
- }
- ctx->default_cert=c;
+ SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY,ERR_R_MALLOC_FAILURE);
+ return(0);
}
- c=ctx->default_cert;
-
if ((pkey=EVP_PKEY_new()) == NULL)
{
SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY,ERR_R_EVP_LIB);
@@ -655,16 +585,13 @@ RSA *rsa;
CRYPTO_add(&rsa->references,1,CRYPTO_LOCK_RSA);
EVP_PKEY_assign_RSA(pkey,rsa);
- ret=ssl_set_pkey(c,pkey);
+ ret=ssl_set_pkey(ctx->cert, pkey);
EVP_PKEY_free(pkey);
return(ret);
}
#ifndef NO_STDIO
-int SSL_CTX_use_RSAPrivateKey_file(ctx, file, type)
-SSL_CTX *ctx;
-char *file;
-int type;
+int SSL_CTX_use_RSAPrivateKey_file(SSL_CTX *ctx, const char *file, int type)
{
int j,ret=0;
BIO *in;
@@ -691,7 +618,7 @@ int type;
{
j=ERR_R_PEM_LIB;
rsa=PEM_read_bio_RSAPrivateKey(in,NULL,
- ctx->default_passwd_callback);
+ ctx->default_passwd_callback,ctx->default_passwd_callback_userdata);
}
else
{
@@ -711,10 +638,7 @@ end:
}
#endif
-int SSL_CTX_use_RSAPrivateKey_ASN1(ctx,d,len)
-SSL_CTX *ctx;
-unsigned char *d;
-long len;
+int SSL_CTX_use_RSAPrivateKey_ASN1(SSL_CTX *ctx, unsigned char *d, long len)
{
int ret;
unsigned char *p;
@@ -733,38 +657,23 @@ long len;
}
#endif /* !NO_RSA */
-int SSL_CTX_use_PrivateKey(ctx, pkey)
-SSL_CTX *ctx;
-EVP_PKEY *pkey;
+int SSL_CTX_use_PrivateKey(SSL_CTX *ctx, EVP_PKEY *pkey)
{
- CERT *c;
-
if (pkey == NULL)
{
SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY,ERR_R_PASSED_NULL_PARAMETER);
return(0);
}
-
- if (ctx->default_cert == NULL)
+ if (!ssl_cert_inst(&ctx->cert))
{
- c=ssl_cert_new();
- if (c == NULL)
- {
- SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY,ERR_R_MALLOC_FAILURE);
- return(0);
- }
- ctx->default_cert=c;
+ SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY,ERR_R_MALLOC_FAILURE);
+ return(0);
}
- c=ctx->default_cert;
-
- return(ssl_set_pkey(c,pkey));
+ return(ssl_set_pkey(ctx->cert,pkey));
}
#ifndef NO_STDIO
-int SSL_CTX_use_PrivateKey_file(ctx, file, type)
-SSL_CTX *ctx;
-char *file;
-int type;
+int SSL_CTX_use_PrivateKey_file(SSL_CTX *ctx, const char *file, int type)
{
int j,ret=0;
BIO *in;
@@ -786,7 +695,7 @@ int type;
{
j=ERR_R_PEM_LIB;
pkey=PEM_read_bio_PrivateKey(in,NULL,
- ctx->default_passwd_callback);
+ ctx->default_passwd_callback,ctx->default_passwd_callback_userdata);
}
else
{
@@ -806,11 +715,8 @@ end:
}
#endif
-int SSL_CTX_use_PrivateKey_ASN1(type,ctx,d,len)
-int type;
-SSL_CTX *ctx;
-unsigned char *d;
-long len;
+int SSL_CTX_use_PrivateKey_ASN1(int type, SSL_CTX *ctx, unsigned char *d,
+ long len)
{
int ret;
unsigned char *p;
@@ -829,3 +735,81 @@ long len;
}
+#ifndef NO_STDIO
+/* Read a file that contains our certificate in "PEM" format,
+ * possibly followed by a sequence of CA certificates that should be
+ * sent to the peer in the Certificate message.
+ */
+int SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, const char *file)
+ {
+ BIO *in;
+ int ret=0;
+ X509 *x=NULL;
+
+ in=BIO_new(BIO_s_file_internal());
+ if (in == NULL)
+ {
+ SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE,ERR_R_BUF_LIB);
+ goto end;
+ }
+
+ if (BIO_read_filename(in,file) <= 0)
+ {
+ SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE,ERR_R_SYS_LIB);
+ goto end;
+ }
+
+ x=PEM_read_bio_X509(in,NULL,ctx->default_passwd_callback,ctx->default_passwd_callback_userdata);
+ if (x == NULL)
+ {
+ SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE,ERR_R_PEM_LIB);
+ goto end;
+ }
+
+ ret=SSL_CTX_use_certificate(ctx,x);
+ if (ERR_peek_error() != 0)
+ ret = 0; /* Key/certificate mismatch doesn't imply ret==0 ... */
+ if (ret)
+ {
+ /* If we could set up our certificate, now proceed to
+ * the CA certificates.
+ */
+ X509 *ca;
+ int r;
+ unsigned long err;
+
+ if (ctx->extra_certs != NULL)
+ {
+ sk_X509_pop_free(ctx->extra_certs, X509_free);
+ ctx->extra_certs = NULL;
+ }
+
+ while ((ca = PEM_read_bio_X509(in,NULL,ctx->default_passwd_callback,ctx->default_passwd_callback_userdata))
+ != NULL)
+ {
+ r = SSL_CTX_add_extra_chain_cert(ctx, ca);
+ if (!r)
+ {
+ X509_free(ca);
+ ret = 0;
+ goto end;
+ }
+ /* Note that we must not free r if it was successfully
+ * added to the chain (while we must free the main
+ * certificate, since its reference count is increased
+ * by SSL_CTX_use_certificate). */
+ }
+ /* When the while loop ends, it's usually just EOF. */
+ err = ERR_peek_error();
+ if (ERR_GET_LIB(err) == ERR_LIB_PEM && ERR_GET_REASON(err) == PEM_R_NO_START_LINE)
+ (void) ERR_get_error();
+ else
+ ret = 0; /* some real error */
+ }
+
+end:
+ if (x != NULL) X509_free(x);
+ if (in != NULL) BIO_free(in);
+ return(ret);
+ }
+#endif
diff --git a/lib/libssl/src/ssl/ssl_sess.c b/lib/libssl/src/ssl/ssl_sess.c
index 8212600e408..681499f08aa 100644
--- a/lib/libssl/src/ssl/ssl_sess.c
+++ b/lib/libssl/src/ssl/ssl_sess.c
@@ -57,56 +57,41 @@
*/
#include <stdio.h>
-#include "lhash.h"
-#include "rand.h"
+#include <openssl/lhash.h>
+#include <openssl/rand.h>
#include "ssl_locl.h"
-#ifndef NOPROTO
static void SSL_SESSION_list_remove(SSL_CTX *ctx, SSL_SESSION *s);
static void SSL_SESSION_list_add(SSL_CTX *ctx,SSL_SESSION *s);
-#else
-static void SSL_SESSION_list_remove();
-static void SSL_SESSION_list_add();
-#endif
-
-static ssl_session_num=0;
+static int remove_session_lock(SSL_CTX *ctx, SSL_SESSION *c, int lck);
+static int ssl_session_num=0;
static STACK *ssl_session_meth=NULL;
-SSL_SESSION *SSL_get_session(ssl)
-SSL *ssl;
+SSL_SESSION *SSL_get_session(SSL *ssl)
{
return(ssl->session);
}
-int SSL_SESSION_get_ex_new_index(argl,argp,new_func,dup_func,free_func)
-long argl;
-char *argp;
-int (*new_func)();
-int (*dup_func)();
-void (*free_func)();
- {
- ssl_session_num++;
- return(CRYPTO_get_ex_new_index(ssl_session_num-1,
+int SSL_SESSION_get_ex_new_index(long argl, char *argp, int (*new_func)(),
+ int (*dup_func)(), void (*free_func)())
+ {
+ ssl_session_num++;
+ return(CRYPTO_get_ex_new_index(ssl_session_num-1,
&ssl_session_meth,
- argl,argp,new_func,dup_func,free_func));
- }
+ argl,argp,new_func,dup_func,free_func));
+ }
-int SSL_SESSION_set_ex_data(s,idx,arg)
-SSL_SESSION *s;
-int idx;
-char *arg;
+int SSL_SESSION_set_ex_data(SSL_SESSION *s, int idx, void *arg)
{
return(CRYPTO_set_ex_data(&s->ex_data,idx,arg));
}
-char *SSL_SESSION_get_ex_data(s,idx)
-SSL_SESSION *s;
-int idx;
+void *SSL_SESSION_get_ex_data(SSL_SESSION *s, int idx)
{
return(CRYPTO_get_ex_data(&s->ex_data,idx));
}
-SSL_SESSION *SSL_SESSION_new()
+SSL_SESSION *SSL_SESSION_new(void)
{
SSL_SESSION *ss;
@@ -123,21 +108,24 @@ SSL_SESSION *SSL_SESSION_new()
ss->time=time(NULL);
ss->prev=NULL;
ss->next=NULL;
+ ss->compress_meth=0;
CRYPTO_new_ex_data(ssl_session_meth,(char *)ss,&ss->ex_data);
return(ss);
}
-int ssl_get_new_session(s, session)
-SSL *s;
-int session;
+int ssl_get_new_session(SSL *s, int session)
{
+ /* This gets used by clients and servers. */
+
SSL_SESSION *ss=NULL;
if ((ss=SSL_SESSION_new()) == NULL) return(0);
/* If the context has a default timeout, use it */
- if (s->ctx->session_timeout != 0)
+ if (s->ctx->session_timeout == 0)
ss->timeout=SSL_get_default_timeout(s);
+ else
+ ss->timeout=s->ctx->session_timeout;
if (s->session != NULL)
{
@@ -147,7 +135,7 @@ int session;
if (session)
{
- if (s->version == SSL2_CLIENT_VERSION)
+ if (s->version == SSL2_VERSION)
{
ss->ssl_version=SSL2_VERSION;
ss->session_id_length=SSL2_SSL_SESSION_ID_LENGTH;
@@ -180,6 +168,8 @@ int session;
CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX);
if (r == NULL) break;
/* else - woops a session_id match */
+ /* XXX should also check external cache!
+ * (But the probability of a collision is negligible, anyway...) */
}
}
else
@@ -187,58 +177,100 @@ int session;
ss->session_id_length=0;
}
+ memcpy(ss->sid_ctx,s->sid_ctx,s->sid_ctx_length);
+ ss->sid_ctx_length=s->sid_ctx_length;
s->session=ss;
ss->ssl_version=s->version;
return(1);
}
-int ssl_get_prev_session(s,session_id,len)
-SSL *s;
-unsigned char *session_id;
-int len;
+int ssl_get_prev_session(SSL *s, unsigned char *session_id, int len)
{
+ /* This is used only by servers. */
+
SSL_SESSION *ret=NULL,data;
+ int fatal = 0;
/* conn_init();*/
data.ssl_version=s->version;
data.session_id_length=len;
if (len > SSL_MAX_SSL_SESSION_ID_LENGTH)
- return(0);
- memcpy(data.session_id,session_id,len);;
+ goto err;
+ memcpy(data.session_id,session_id,len);
if (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_NO_INTERNAL_LOOKUP))
{
CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX);
ret=(SSL_SESSION *)lh_retrieve(s->ctx->sessions,(char *)&data);
+ if (ret != NULL)
+ /* don't allow other threads to steal it: */
+ CRYPTO_add(&ret->references,1,CRYPTO_LOCK_SSL_SESSION);
CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX);
}
if (ret == NULL)
{
int copy=1;
-
- s->ctx->sess_miss++;
+
+ s->ctx->stats.sess_miss++;
ret=NULL;
- if ((s->ctx->get_session_cb != NULL) &&
- ((ret=s->ctx->get_session_cb(s,session_id,len,&copy))
- != NULL))
+ if (s->ctx->get_session_cb != NULL
+ && (ret=s->ctx->get_session_cb(s,session_id,len,&copy))
+ != NULL)
{
- s->ctx->sess_cb_hit++;
+ s->ctx->stats.sess_cb_hit++;
+
+ /* Increment reference count now if the session callback
+ * asks us to do so (note that if the session structures
+ * returned by the callback are shared between threads,
+ * it must handle the reference count itself [i.e. copy == 0],
+ * or things won't be thread-safe). */
+ if (copy)
+ CRYPTO_add(&ret->references,1,CRYPTO_LOCK_SSL_SESSION);
/* The following should not return 1, otherwise,
* things are very strange */
SSL_CTX_add_session(s->ctx,ret);
- /* auto free it */
- if (!copy)
- SSL_SESSION_free(ret);
}
- if (ret == NULL) return(0);
+ if (ret == NULL)
+ goto err;
+ }
+
+ /* Now ret is non-NULL, and we own one of its reference counts. */
+
+ if((s->verify_mode&SSL_VERIFY_PEER)
+ && (!s->sid_ctx_length || ret->sid_ctx_length != s->sid_ctx_length
+ || memcmp(ret->sid_ctx,s->sid_ctx,ret->sid_ctx_length)))
+ {
+ /* We've found the session named by the client, but we don't
+ * want to use it in this context. */
+
+ if (s->sid_ctx_length == 0)
+ {
+ /* application should have used SSL[_CTX]_set_session_id_context
+ * -- we could tolerate this and just pretend we never heard
+ * of this session, but then applications could effectively
+ * disable the session cache by accident without anyone noticing */
+
+ SSLerr(SSL_F_SSL_GET_PREV_SESSION,SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED);
+ fatal = 1;
+ goto err;
+ }
+ else
+ {
+#if 0 /* The client cannot always know when a session is not appropriate,
+ * so we shouldn't generate an error message. */
+
+ SSLerr(SSL_F_SSL_GET_PREV_SESSION,SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT);
+#endif
+ goto err; /* treat like cache miss */
+ }
}
if (ret->cipher == NULL)
{
- char buf[5],*p;
+ unsigned char buf[5],*p;
unsigned long l;
p=buf;
@@ -249,25 +281,28 @@ int len;
else
ret->cipher=ssl_get_cipher_by_char(s,&(buf[1]));
if (ret->cipher == NULL)
- return(0);
+ goto err;
}
+
+#if 0 /* This is way too late. */
+
/* If a thread got the session, then 'swaped', and another got
* it and then due to a time-out decided to 'Free' it we could
* be in trouble. So I'll increment it now, then double decrement
* later - am I speaking rubbish?. */
CRYPTO_add(&ret->references,1,CRYPTO_LOCK_SSL_SESSION);
+#endif
if ((long)(ret->time+ret->timeout) < (long)time(NULL)) /* timeout */
{
- s->ctx->sess_timeout++;
+ s->ctx->stats.sess_timeout++;
/* remove it from the cache */
SSL_CTX_remove_session(s->ctx,ret);
- SSL_SESSION_free(ret); /* again to actually Free it */
- return(0);
+ goto err;
}
- s->ctx->sess_hit++;
+ s->ctx->stats.sess_hit++;
/* ret->time=time(NULL); */ /* rezero timeout? */
/* again, just leave the session
@@ -277,11 +312,17 @@ int len;
SSL_SESSION_free(s->session);
s->session=ret;
return(1);
+
+ err:
+ if (ret != NULL)
+ SSL_SESSION_free(ret);
+ if (fatal)
+ return -1;
+ else
+ return 0;
}
-int SSL_CTX_add_session(ctx,c)
-SSL_CTX *ctx;
-SSL_SESSION *c;
+int SSL_CTX_add_session(SSL_CTX *ctx, SSL_SESSION *c)
{
int ret=0;
SSL_SESSION *s;
@@ -314,11 +355,11 @@ SSL_SESSION *c;
while (SSL_CTX_sess_number(ctx) >
SSL_CTX_sess_get_cache_size(ctx))
{
- if (!SSL_CTX_remove_session(ctx,
- ctx->session_cache_tail))
+ if (!remove_session_lock(ctx,
+ ctx->session_cache_tail, 0))
break;
else
- ctx->sess_cache_full++;
+ ctx->stats.sess_cache_full++;
}
}
}
@@ -326,16 +367,19 @@ SSL_SESSION *c;
return(ret);
}
-int SSL_CTX_remove_session(ctx,c)
-SSL_CTX *ctx;
-SSL_SESSION *c;
+int SSL_CTX_remove_session(SSL_CTX *ctx, SSL_SESSION *c)
+{
+ return remove_session_lock(ctx, c, 1);
+}
+
+static int remove_session_lock(SSL_CTX *ctx, SSL_SESSION *c, int lck)
{
SSL_SESSION *r;
int ret=0;
if ((c != NULL) && (c->session_id_length != 0))
{
- CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
+ if(lck) CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
r=(SSL_SESSION *)lh_delete(ctx->sessions,(char *)c);
if (r != NULL)
{
@@ -343,7 +387,7 @@ SSL_SESSION *c;
SSL_SESSION_list_remove(ctx,c);
}
- CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
+ if(lck) CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
if (ret)
{
@@ -358,11 +402,13 @@ SSL_SESSION *c;
return(ret);
}
-void SSL_SESSION_free(ss)
-SSL_SESSION *ss;
+void SSL_SESSION_free(SSL_SESSION *ss)
{
int i;
+ if(ss == NULL)
+ return;
+
i=CRYPTO_add(&ss->references,-1,CRYPTO_LOCK_SSL_SESSION);
#ifdef REF_PRINT
REF_PRINT("SSL_SESSION",ss);
@@ -381,16 +427,14 @@ SSL_SESSION *ss;
memset(ss->key_arg,0,SSL_MAX_KEY_ARG_LENGTH);
memset(ss->master_key,0,SSL_MAX_MASTER_KEY_LENGTH);
memset(ss->session_id,0,SSL_MAX_SSL_SESSION_ID_LENGTH);
- if (ss->cert != NULL) ssl_cert_free(ss->cert);
+ if (ss->sess_cert != NULL) ssl_sess_cert_free(ss->sess_cert);
if (ss->peer != NULL) X509_free(ss->peer);
- if (ss->ciphers != NULL) sk_free(ss->ciphers);
+ if (ss->ciphers != NULL) sk_SSL_CIPHER_free(ss->ciphers);
memset(ss,0,sizeof(*ss));
Free(ss);
}
-int SSL_set_session(s, session)
-SSL *s;
-SSL_SESSION *session;
+int SSL_set_session(SSL *s, SSL_SESSION *session)
{
int ret=0;
SSL_METHOD *meth;
@@ -410,7 +454,10 @@ SSL_SESSION *session;
{
if (!SSL_set_ssl_method(s,meth))
return(0);
- session->timeout=SSL_get_default_timeout(s);
+ if (s->ctx->session_timeout == 0)
+ session->timeout=SSL_get_default_timeout(s);
+ else
+ session->timeout=s->ctx->session_timeout;
}
/* CRYPTO_w_lock(CRYPTO_LOCK_SSL);*/
@@ -428,42 +475,59 @@ SSL_SESSION *session;
SSL_SESSION_free(s->session);
s->session=NULL;
}
+
+ meth=s->ctx->method;
+ if (meth != s->method)
+ {
+ if (!SSL_set_ssl_method(s,meth))
+ return(0);
+ }
+ ret=1;
}
return(ret);
}
-long SSL_SESSION_set_timeout(s,t)
-SSL_SESSION *s;
-long t;
+long SSL_SESSION_set_timeout(SSL_SESSION *s, long t)
{
if (s == NULL) return(0);
s->timeout=t;
return(1);
}
-long SSL_SESSION_get_timeout(s)
-SSL_SESSION *s;
+long SSL_SESSION_get_timeout(SSL_SESSION *s)
{
if (s == NULL) return(0);
return(s->timeout);
}
-long SSL_SESSION_get_time(s)
-SSL_SESSION *s;
+long SSL_SESSION_get_time(SSL_SESSION *s)
{
if (s == NULL) return(0);
return(s->time);
}
-long SSL_SESSION_set_time(s,t)
-SSL_SESSION *s;
-long t;
+long SSL_SESSION_set_time(SSL_SESSION *s, long t)
{
if (s == NULL) return(0);
s->time=t;
return(t);
}
+long SSL_CTX_set_timeout(SSL_CTX *s, long t)
+ {
+ long l;
+ if (s == NULL) return(0);
+ l=s->session_timeout;
+ s->session_timeout=t;
+ return(l);
+ }
+
+long SSL_CTX_get_timeout(SSL_CTX *s)
+ {
+ if (s == NULL) return(0);
+ return(s->session_timeout);
+ }
+
typedef struct timeout_param_st
{
SSL_CTX *ctx;
@@ -471,9 +535,7 @@ typedef struct timeout_param_st
LHASH *cache;
} TIMEOUT_PARAM;
-static void timeout(s,p)
-SSL_SESSION *s;
-TIMEOUT_PARAM *p;
+static void timeout(SSL_SESSION *s, TIMEOUT_PARAM *p)
{
if ((p->time == 0) || (p->time > (s->time+s->timeout))) /* timeout */
{
@@ -488,15 +550,13 @@ TIMEOUT_PARAM *p;
}
}
-void SSL_CTX_flush_sessions(s,t)
-SSL_CTX *s;
-long t;
+void SSL_CTX_flush_sessions(SSL_CTX *s, long t)
{
unsigned long i;
TIMEOUT_PARAM tp;
tp.ctx=s;
- tp.cache=SSL_CTX_sessions(s);
+ tp.cache=s->sessions;
if (tp.cache == NULL) return;
tp.time=t;
CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
@@ -507,8 +567,7 @@ long t;
CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
}
-int ssl_clear_bad_session(s)
-SSL *s;
+int ssl_clear_bad_session(SSL *s)
{
if ( (s->session != NULL) &&
!(s->shutdown & SSL_SENT_SHUTDOWN) &&
@@ -522,9 +581,7 @@ SSL *s;
}
/* locked by SSL_CTX in the calling function */
-static void SSL_SESSION_list_remove(ctx,s)
-SSL_CTX *ctx;
-SSL_SESSION *s;
+static void SSL_SESSION_list_remove(SSL_CTX *ctx, SSL_SESSION *s)
{
if ((s->next == NULL) || (s->prev == NULL)) return;
@@ -557,9 +614,7 @@ SSL_SESSION *s;
s->prev=s->next=NULL;
}
-static void SSL_SESSION_list_add(ctx,s)
-SSL_CTX *ctx;
-SSL_SESSION *s;
+static void SSL_SESSION_list_add(SSL_CTX *ctx, SSL_SESSION *s)
{
if ((s->next != NULL) && (s->prev != NULL))
SSL_SESSION_list_remove(ctx,s);
diff --git a/lib/libssl/src/ssl/ssl_stat.c b/lib/libssl/src/ssl/ssl_stat.c
index a1daf25dd43..3eca4ee6017 100644
--- a/lib/libssl/src/ssl/ssl_stat.c
+++ b/lib/libssl/src/ssl/ssl_stat.c
@@ -59,22 +59,21 @@
#include <stdio.h>
#include "ssl_locl.h"
-char *SSL_state_string_long(s)
-SSL *s;
+char *SSL_state_string_long(SSL *s)
{
char *str;
switch (s->state)
{
-case SSL_ST_BEFORE: str="before SSL initalisation"; break;
-case SSL_ST_ACCEPT: str="before accept initalisation"; break;
-case SSL_ST_CONNECT: str="before connect initalisation"; break;
+case SSL_ST_BEFORE: str="before SSL initialization"; break;
+case SSL_ST_ACCEPT: str="before accept initialization"; break;
+case SSL_ST_CONNECT: str="before connect initialization"; break;
case SSL_ST_OK: str="SSL negotiation finished successfully"; break;
case SSL_ST_RENEGOTIATE: str="SSL renegotiate ciphers"; break;
-case SSL_ST_BEFORE|SSL_ST_CONNECT: str="before/connect initalisation"; break;
-case SSL_ST_OK|SSL_ST_CONNECT: str="ok/connect SSL initalisation"; break;
-case SSL_ST_BEFORE|SSL_ST_ACCEPT: str="before/accept initalisation"; break;
-case SSL_ST_OK|SSL_ST_ACCEPT: str="ok/accept SSL initalisation"; break;
+case SSL_ST_BEFORE|SSL_ST_CONNECT: str="before/connect initialization"; break;
+case SSL_ST_OK|SSL_ST_CONNECT: str="ok/connect SSL initialization"; break;
+case SSL_ST_BEFORE|SSL_ST_ACCEPT: str="before/accept initialization"; break;
+case SSL_ST_OK|SSL_ST_ACCEPT: str="ok/accept SSL initialization"; break;
#ifndef NO_SSL2
case SSL2_ST_CLIENT_START_ENCRYPTION: str="SSLv2 client start encryption"; break;
case SSL2_ST_SERVER_START_ENCRYPTION: str="SSLv2 server start encryption"; break;
@@ -132,6 +131,8 @@ case SSL3_ST_CR_SRVR_DONE_A: str="SSLv3 read server done A"; break;
case SSL3_ST_CR_SRVR_DONE_B: str="SSLv3 read server done B"; break;
case SSL3_ST_CW_CERT_A: str="SSLv3 write client certificate A"; break;
case SSL3_ST_CW_CERT_B: str="SSLv3 write client certificate B"; break;
+case SSL3_ST_CW_CERT_C: str="SSLv3 write client certificate C"; break;
+case SSL3_ST_CW_CERT_D: str="SSLv3 write client certificate D"; break;
case SSL3_ST_CW_KEY_EXCH_A: str="SSLv3 write client key exchange A"; break;
case SSL3_ST_CW_KEY_EXCH_B: str="SSLv3 write client key exchange B"; break;
case SSL3_ST_CW_CERT_VRFY_A: str="SSLv3 write certificate verify A"; break;
@@ -198,8 +199,7 @@ default: str="unknown state"; break;
return(str);
}
-char *SSL_rstate_string_long(s)
-SSL *s;
+char *SSL_rstate_string_long(SSL *s)
{
char *str;
@@ -213,8 +213,7 @@ SSL *s;
return(str);
}
-char *SSL_state_string(s)
-SSL *s;
+char *SSL_state_string(SSL *s)
{
char *str;
@@ -283,6 +282,8 @@ case SSL3_ST_CR_SRVR_DONE_A: str="3RSD_A"; break;
case SSL3_ST_CR_SRVR_DONE_B: str="3RSD_B"; break;
case SSL3_ST_CW_CERT_A: str="3WCC_A"; break;
case SSL3_ST_CW_CERT_B: str="3WCC_B"; break;
+case SSL3_ST_CW_CERT_C: str="3WCC_C"; break;
+case SSL3_ST_CW_CERT_D: str="3WCC_D"; break;
case SSL3_ST_CW_KEY_EXCH_A: str="3WCKEA"; break;
case SSL3_ST_CW_KEY_EXCH_B: str="3WCKEB"; break;
case SSL3_ST_CW_CERT_VRFY_A: str="3WCV_A"; break;
@@ -346,8 +347,7 @@ default: str="UNKWN "; break;
return(str);
}
-char *SSL_alert_type_string_long(value)
-int value;
+char *SSL_alert_type_string_long(int value)
{
value>>=8;
if (value == SSL3_AL_WARNING)
@@ -358,8 +358,7 @@ int value;
return("unknown");
}
-char *SSL_alert_type_string(value)
-int value;
+char *SSL_alert_type_string(int value)
{
value>>=8;
if (value == SSL3_AL_WARNING)
@@ -370,8 +369,7 @@ int value;
return("U");
}
-char *SSL_alert_desc_string(value)
-int value;
+char *SSL_alert_desc_string(int value)
{
char *str;
@@ -394,8 +392,7 @@ int value;
return(str);
}
-char *SSL_alert_desc_string_long(value)
-int value;
+char *SSL_alert_desc_string_long(int value)
{
char *str;
@@ -442,8 +439,7 @@ int value;
return(str);
}
-char *SSL_rstate_string(s)
-SSL *s;
+char *SSL_rstate_string(SSL *s)
{
char *str;
diff --git a/lib/libssl/src/ssl/ssl_task.c b/lib/libssl/src/ssl/ssl_task.c
index ab72166665f..321e35c83ba 100644
--- a/lib/libssl/src/ssl/ssl_task.c
+++ b/lib/libssl/src/ssl/ssl_task.c
@@ -123,11 +123,13 @@ int LIB$INIT_TIMER(), LIB$SHOW_TIMER();
#include <string.h> /* from ssltest.c */
#include <errno.h>
-#include "buffer.h"
-#include "../e_os.h"
-#include "x509.h"
-#include "ssl.h"
-#include "err.h"
+
+#include "openssl/e_os.h"
+
+#include <openssl/buffer.h>
+#include <openssl/x509.h>
+#include <openssl/ssl.h>
+#include <openssl/err.h>
int MS_CALLBACK verify_callback(int ok, X509 *xs, X509 *xi, int depth,
int error);
@@ -224,8 +226,12 @@ int main ( int argc, char **argv )
printf("cipher list: %s\n", cipher ? cipher : "{undefined}" );
SSL_load_error_strings();
+ SSLeay_add_all_algorithms();
+/* DRM, this was the original, but there is no such thing as SSLv2()
s_ctx=SSL_CTX_new(SSLv2());
+*/
+ s_ctx=SSL_CTX_new(SSLv2_server_method());
if (s_ctx == NULL) goto end;
@@ -267,8 +273,12 @@ int doit(io_channel chan, SSL_CTX *s_ctx )
c_to_s=BIO_new(BIO_s_rtcp());
s_to_c=BIO_new(BIO_s_rtcp());
if ((s_to_c == NULL) || (c_to_s == NULL)) goto err;
+/* original, DRM 24-SEP-1997
BIO_set_fd ( c_to_s, "", chan );
BIO_set_fd ( s_to_c, "", chan );
+*/
+ BIO_set_fd ( c_to_s, 0, chan );
+ BIO_set_fd ( s_to_c, 0, chan );
c_bio=BIO_new(BIO_f_ssl());
s_bio=BIO_new(BIO_f_ssl());
diff --git a/lib/libssl/src/ssl/ssl_txt.c b/lib/libssl/src/ssl/ssl_txt.c
index ce60e1a6dd1..ca67a98d896 100644
--- a/lib/libssl/src/ssl/ssl_txt.c
+++ b/lib/libssl/src/ssl/ssl_txt.c
@@ -57,34 +57,30 @@
*/
#include <stdio.h>
-#include "buffer.h"
+#include <openssl/buffer.h>
#include "ssl_locl.h"
#ifndef NO_FP_API
-int SSL_SESSION_print_fp(fp, x)
-FILE *fp;
-SSL_SESSION *x;
- {
- BIO *b;
- int ret;
+int SSL_SESSION_print_fp(FILE *fp, SSL_SESSION *x)
+ {
+ BIO *b;
+ int ret;
- if ((b=BIO_new(BIO_s_file_internal())) == NULL)
+ if ((b=BIO_new(BIO_s_file_internal())) == NULL)
{
SSLerr(SSL_F_SSL_SESSION_PRINT_FP,ERR_R_BUF_LIB);
- return(0);
+ return(0);
}
- BIO_set_fp(b,fp,BIO_NOCLOSE);
- ret=SSL_SESSION_print(b,x);
- BIO_free(b);
- return(ret);
- }
+ BIO_set_fp(b,fp,BIO_NOCLOSE);
+ ret=SSL_SESSION_print(b,x);
+ BIO_free(b);
+ return(ret);
+ }
#endif
-int SSL_SESSION_print(bp,x)
-BIO *bp;
-SSL_SESSION *x;
+int SSL_SESSION_print(BIO *bp, SSL_SESSION *x)
{
- int i;
+ unsigned int i;
char str[128],*s;
if (x == NULL) goto err;
@@ -111,13 +107,19 @@ SSL_SESSION *x;
sprintf(str," Cipher : %s\n",(x->cipher == NULL)?"unknown":x->cipher->name);
if (BIO_puts(bp,str) <= 0) goto err;
if (BIO_puts(bp," Session-ID: ") <= 0) goto err;
- for (i=0; i<(int)x->session_id_length; i++)
+ for (i=0; i<x->session_id_length; i++)
{
sprintf(str,"%02X",x->session_id[i]);
if (BIO_puts(bp,str) <= 0) goto err;
}
+ if (BIO_puts(bp,"\nSession-ID-ctx: ") <= 0) goto err;
+ for (i=0; i<x->sid_ctx_length; i++)
+ {
+ sprintf(str,"%02X",x->sid_ctx[i]);
+ if (BIO_puts(bp,str) <= 0) goto err;
+ }
if (BIO_puts(bp,"\n Master-Key: ") <= 0) goto err;
- for (i=0; i<(int)x->master_key_length; i++)
+ for (i=0; i<(unsigned int)x->master_key_length; i++)
{
sprintf(str,"%02X",x->master_key[i]);
if (BIO_puts(bp,str) <= 0) goto err;
@@ -128,11 +130,28 @@ SSL_SESSION *x;
if (BIO_puts(bp,"None") <= 0) goto err;
}
else
- for (i=0; i<(int)x->key_arg_length; i++)
+ for (i=0; i<x->key_arg_length; i++)
{
sprintf(str,"%02X",x->key_arg[i]);
if (BIO_puts(bp,str) <= 0) goto err;
}
+ if (x->compress_meth != 0)
+ {
+ SSL_COMP *comp;
+
+ ssl_cipher_get_evp(x,NULL,NULL,&comp);
+ if (comp == NULL)
+ {
+ sprintf(str,"\n Compression: %d",x->compress_meth);
+ if (BIO_puts(bp,str) <= 0) goto err;
+ }
+ else
+ {
+ sprintf(str,"\n Compression: %d (%s)",
+ comp->id,comp->method->name);
+ if (BIO_puts(bp,str) <= 0) goto err;
+ }
+ }
if (x->time != 0L)
{
sprintf(str,"\n Start Time: %ld",x->time);
diff --git a/lib/libssl/src/ssl/ssltest.c b/lib/libssl/src/ssl/ssltest.c
index f9dca4e3ef7..90570f4bee7 100644
--- a/lib/libssl/src/ssl/ssltest.c
+++ b/lib/libssl/src/ssl/ssltest.c
@@ -60,51 +60,55 @@
#include <stdlib.h>
#include <string.h>
#include <errno.h>
-#include "e_os.h"
-#include "bio.h"
-#include "crypto.h"
-#include "x509.h"
-#include "ssl.h"
-#include "err.h"
+#include <limits.h>
+
+#include "openssl/e_os.h"
+
+#include <openssl/bio.h>
+#include <openssl/crypto.h>
+#include <openssl/x509.h>
+#include <openssl/ssl.h>
+#include <openssl/err.h>
#ifdef WINDOWS
#include "../crypto/bio/bss_file.c"
#endif
-#define TEST_SERVER_CERT "../apps/server.pem"
-#define TEST_CLIENT_CERT "../apps/client.pem"
-
-#ifndef NOPROTO
-int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx);
-static RSA MS_CALLBACK *tmp_rsa_cb(SSL *s, int export);
-#ifndef NO_DSA
-static DH *get_dh512(void);
+#if defined(NO_RSA) && !defined(NO_SSL2)
+#define NO_SSL2
#endif
+
+#ifdef VMS
+# define TEST_SERVER_CERT "SYS$DISK:[-.APPS]SERVER.PEM"
+# define TEST_CLIENT_CERT "SYS$DISK:[-.APPS]CLIENT.PEM"
#else
-int MS_CALLBACK verify_callback();
-static RSA MS_CALLBACK *tmp_rsa_cb();
-#ifndef NO_DSA
-static DH *get_dh512();
-#endif
+# define TEST_SERVER_CERT "../apps/server.pem"
+# define TEST_CLIENT_CERT "../apps/client.pem"
#endif
+int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx);
+#ifndef NO_RSA
+static RSA MS_CALLBACK *tmp_rsa_cb(SSL *s, int is_export,int keylength);
+#endif
+#ifndef NO_DH
+static DH *get_dh512(void);
+#endif
BIO *bio_err=NULL;
BIO *bio_stdout=NULL;
static char *cipher=NULL;
int verbose=0;
int debug=0;
+#if 0
+/* Not used yet. */
#ifdef FIONBIO
static int s_nbio=0;
#endif
+#endif
-#ifndef NOPROTO
+int doit_biopair(SSL *s_ssl,SSL *c_ssl,long bytes);
int doit(SSL *s_ssl,SSL *c_ssl,long bytes);
-#else
-int doit();
-#endif
-
-static void sv_usage()
+static void sv_usage(void)
{
fprintf(stderr,"usage: ssltest [args ...]\n");
fprintf(stderr,"\n");
@@ -115,6 +119,9 @@ static void sv_usage()
fprintf(stderr," -reuse - use session-id reuse\n");
fprintf(stderr," -num <val> - number of connections to perform\n");
fprintf(stderr," -bytes <val> - number of bytes to swap between client/server\n");
+#if !defined NO_DH && !defined NO_DSA
+ fprintf(stderr," -dhe1024 - generate 1024 bit key for DHE\n");
+#endif
#ifndef NO_SSL2
fprintf(stderr," -ssl2 - use SSLv2\n");
#endif
@@ -130,14 +137,16 @@ static void sv_usage()
fprintf(stderr," -s_cert arg - Just the server certificate file\n");
fprintf(stderr," -c_cert arg - Just the client certificate file\n");
fprintf(stderr," -cipher arg - The cipher list\n");
+ fprintf(stderr," -bio_pair - Use BIO pairs\n");
+ fprintf(stderr," -f - Test even cases that can't work\n");
}
-int main(argc, argv)
-int argc;
-char *argv[];
+int main(int argc, char *argv[])
{
char *CApath=NULL,*CAfile=NULL;
int badop=0;
+ int bio_pair=0;
+ int force=0;
int tls1=0,ssl2=0,ssl3=0,ret=1;
int client_auth=0;
int server_auth=0,i;
@@ -150,6 +159,7 @@ char *argv[];
int number=1,reuse=0;
long bytes=1L;
SSL_CIPHER *ciph;
+ int dhe1024 = 0;
#ifndef NO_DH
DH *dh;
#endif
@@ -174,6 +184,8 @@ char *argv[];
debug=1;
else if (strcmp(*argv,"-reuse") == 0)
reuse=1;
+ else if (strcmp(*argv,"-dhe1024") == 0)
+ dhe1024=1;
else if (strcmp(*argv,"-ssl2") == 0)
ssl2=1;
else if (strcmp(*argv,"-tls1") == 0)
@@ -225,6 +237,14 @@ char *argv[];
if (--argc < 1) goto bad;
CAfile= *(++argv);
}
+ else if (strcmp(*argv,"-bio_pair") == 0)
+ {
+ bio_pair = 1;
+ }
+ else if (strcmp(*argv,"-f") == 0)
+ {
+ force = 1;
+ }
else
{
fprintf(stderr,"unknown option %s\n",*argv);
@@ -241,9 +261,20 @@ bad:
goto end;
}
+ if (!ssl2 && !ssl3 && !tls1 && number > 1 && !reuse && !force)
+ {
+ fprintf(stderr, "This case cannot work. Use -f switch to perform "
+ "the test anyway\n"
+ "(and -d to see what happens, "
+ "and -bio_pair to really make it happen :-)\n"
+ "or add one of -ssl2, -ssl3, -tls1, -reuse to "
+ "avoid protocol mismatch.\n");
+ exit(1);
+ }
+
/* if (cipher == NULL) cipher=getenv("SSL_CIPHER"); */
- SSLeay_add_ssl_algorithms();
+ SSL_library_init();
SSL_load_error_strings();
#if !defined(NO_SSL2) && !defined(NO_SSL3)
@@ -280,7 +311,29 @@ bad:
}
#ifndef NO_DH
- dh=get_dh512();
+# ifndef NO_DSA
+ if (dhe1024)
+ {
+ DSA *dsa;
+
+ if (verbose)
+ {
+ fprintf(stdout, "Creating 1024 bit DHE parameters ...");
+ fflush(stdout);
+ }
+
+ dsa = DSA_generate_parameters(1024, NULL, 0, NULL, NULL, 0, NULL);
+ dh = DSA_dup_DH(dsa);
+ DSA_free(dsa);
+ /* important: SSL_OP_SINGLE_DH_USE to avoid small subgroup attacks */
+ SSL_CTX_set_options(s_ctx, SSL_OP_SINGLE_DH_USE);
+
+ if (verbose)
+ fprintf(stdout, " done\n");
+ }
+ else
+# endif
+ dh=get_dh512();
SSL_CTX_set_tmp_dh(s_ctx,dh);
DH_free(dh);
#endif
@@ -338,7 +391,10 @@ bad:
for (i=0; i<number; i++)
{
if (!reuse) SSL_set_session(c_ssl,NULL);
- ret=doit(s_ssl,c_ssl,bytes);
+ if (bio_pair)
+ ret=doit_biopair(s_ssl,c_ssl,bytes);
+ else
+ ret=doit(s_ssl,c_ssl,bytes);
}
if (!verbose)
@@ -361,20 +417,382 @@ end:
if (bio_stdout != NULL) BIO_free(bio_stdout);
+ ERR_free_strings();
ERR_remove_state(0);
EVP_cleanup();
CRYPTO_mem_leaks(bio_err);
EXIT(ret);
}
+int doit_biopair(SSL *s_ssl, SSL *c_ssl, long count)
+ {
+ long cw_num = count, cr_num = count, sw_num = count, sr_num = count;
+ BIO *s_ssl_bio = NULL, *c_ssl_bio = NULL;
+ BIO *server = NULL, *server_io = NULL, *client = NULL, *client_io = NULL;
+ SSL_CIPHER *ciph;
+ int ret = 1;
+
+ size_t bufsiz = 256; /* small buffer for testing */
+
+ if (!BIO_new_bio_pair(&server, bufsiz, &server_io, bufsiz))
+ goto err;
+ if (!BIO_new_bio_pair(&client, bufsiz, &client_io, bufsiz))
+ goto err;
+
+ s_ssl_bio = BIO_new(BIO_f_ssl());
+ if (!s_ssl_bio)
+ goto err;
+
+ c_ssl_bio = BIO_new(BIO_f_ssl());
+ if (!c_ssl_bio)
+ goto err;
+
+ SSL_set_connect_state(c_ssl);
+ SSL_set_bio(c_ssl, client, client);
+ (void)BIO_set_ssl(c_ssl_bio, c_ssl, BIO_NOCLOSE);
+
+ SSL_set_accept_state(s_ssl);
+ SSL_set_bio(s_ssl, server, server);
+ (void)BIO_set_ssl(s_ssl_bio, s_ssl, BIO_NOCLOSE);
+
+ do
+ {
+ /* c_ssl_bio: SSL filter BIO
+ *
+ * client: pseudo-I/O for SSL library
+ *
+ * client_io: client's SSL communication; usually to be
+ * relayed over some I/O facility, but in this
+ * test program, we're the server, too:
+ *
+ * server_io: server's SSL communication
+ *
+ * server: pseudo-I/O for SSL library
+ *
+ * s_ssl_bio: SSL filter BIO
+ *
+ * The client and the server each employ a "BIO pair":
+ * client + client_io, server + server_io.
+ * BIO pairs are symmetric. A BIO pair behaves similar
+ * to a non-blocking socketpair (but both endpoints must
+ * be handled by the same thread).
+ * [Here we could connect client and server to the ends
+ * of a single BIO pair, but then this code would be less
+ * suitable as an example for BIO pairs in general.]
+ *
+ * Useful functions for querying the state of BIO pair endpoints:
+ *
+ * BIO_ctrl_pending(bio) number of bytes we can read now
+ * BIO_ctrl_get_read_request(bio) number of bytes needed to fulfil
+ * other side's read attempt
+ * BIO_ctrl_get_write_gurantee(bio) number of bytes we can write now
+ *
+ * ..._read_request is never more than ..._write_guarantee;
+ * it depends on the application which one you should use.
+ */
+
+ /* We have non-blocking behaviour throughout this test program, but
+ * can be sure that there is *some* progress in each iteration; so
+ * we don't have to worry about ..._SHOULD_READ or ..._SHOULD_WRITE
+ * -- we just try everything in each iteration
+ */
+
+ {
+ /* CLIENT */
+
+ MS_STATIC char cbuf[1024*8];
+ int i, r;
+
+ if (debug)
+ if (SSL_in_init(c_ssl))
+ printf("client waiting in SSL_connect - %s\n",
+ SSL_state_string_long(c_ssl));
+
+ if (cw_num > 0)
+ {
+ /* Write to server. */
+
+ if (cw_num > (long)sizeof cbuf)
+ i = sizeof cbuf;
+ else
+ i = (int)cw_num;
+ r = BIO_write(c_ssl_bio, cbuf, i);
+ if (r == -1)
+ {
+ if (!BIO_should_retry(c_ssl_bio))
+ {
+ fprintf(stderr,"ERROR in CLIENT\n");
+ goto err;
+ }
+ /* BIO_should_retry(...) can just be ignored here.
+ * The library expects us to call BIO_write with
+ * the same arguments again, and that's what we will
+ * do in the next iteration. */
+ }
+ else if (r == 0)
+ {
+ fprintf(stderr,"SSL CLIENT STARTUP FAILED\n");
+ goto err;
+ }
+ else
+ {
+ if (debug)
+ printf("client wrote %d\n", r);
+ cw_num -= r;
+ }
+ }
+
+ if (cr_num > 0)
+ {
+ /* Read from server. */
+
+ r = BIO_read(c_ssl_bio, cbuf, sizeof(cbuf));
+ if (r < 0)
+ {
+ if (!BIO_should_retry(c_ssl_bio))
+ {
+ fprintf(stderr,"ERROR in CLIENT\n");
+ goto err;
+ }
+ /* Again, "BIO_should_retry" can be ignored. */
+ }
+ else if (r == 0)
+ {
+ fprintf(stderr,"SSL CLIENT STARTUP FAILED\n");
+ goto err;
+ }
+ else
+ {
+ if (debug)
+ printf("client read %d\n", r);
+ cr_num -= r;
+ }
+ }
+ }
+
+ {
+ /* SERVER */
+
+ MS_STATIC char sbuf[1024*8];
+ int i, r;
+
+ if (debug)
+ if (SSL_in_init(s_ssl))
+ printf("server waiting in SSL_accept - %s\n",
+ SSL_state_string_long(s_ssl));
+
+ if (sw_num > 0)
+ {
+ /* Write to client. */
+
+ if (sw_num > (long)sizeof sbuf)
+ i = sizeof sbuf;
+ else
+ i = (int)sw_num;
+ r = BIO_write(s_ssl_bio, sbuf, i);
+ if (r == -1)
+ {
+ if (!BIO_should_retry(s_ssl_bio))
+ {
+ fprintf(stderr,"ERROR in SERVER\n");
+ goto err;
+ }
+ /* Ignore "BIO_should_retry". */
+ }
+ else if (r == 0)
+ {
+ fprintf(stderr,"SSL SERVER STARTUP FAILED\n");
+ goto err;
+ }
+ else
+ {
+ if (debug)
+ printf("server wrote %d\n", r);
+ sw_num -= r;
+ }
+ }
+
+ if (sr_num > 0)
+ {
+ /* Read from client. */
+
+ r = BIO_read(s_ssl_bio, sbuf, sizeof(sbuf));
+ if (r < 0)
+ {
+ if (!BIO_should_retry(s_ssl_bio))
+ {
+ fprintf(stderr,"ERROR in SERVER\n");
+ goto err;
+ }
+ /* blah, blah */
+ }
+ else if (r == 0)
+ {
+ fprintf(stderr,"SSL SERVER STARTUP FAILED\n");
+ goto err;
+ }
+ else
+ {
+ if (debug)
+ printf("server read %d\n", r);
+ sr_num -= r;
+ }
+ }
+ }
+
+ {
+ /* "I/O" BETWEEN CLIENT AND SERVER. */
+
+#define RELAYBUFSIZ 200
+ static char buf[RELAYBUFSIZ];
+
+ /* RELAYBUF is arbitrary. When writing data over some real
+ * network, use a buffer of the same size as in the BIO_pipe
+ * and make that size large (for reading from the network
+ * small buffers usually won't hurt).
+ * Here sizes differ for testing. */
+
+ size_t r1, r2;
+ size_t num;
+ int r;
+ static int prev_progress = 1;
+ int progress = 0;
+
+ /* client to server */
+ do
+ {
+ r1 = BIO_ctrl_pending(client_io);
+ r2 = BIO_ctrl_get_write_guarantee(server_io);
+
+ num = r1;
+ if (r2 < num)
+ num = r2;
+ if (num)
+ {
+ if (sizeof buf < num)
+ num = sizeof buf;
+ if (INT_MAX < num) /* yeah, right */
+ num = INT_MAX;
+
+ r = BIO_read(client_io, buf, (int)num);
+ if (r != (int)num) /* can't happen */
+ {
+ fprintf(stderr, "ERROR: BIO_read could not read "
+ "BIO_ctrl_pending() bytes");
+ goto err;
+ }
+ r = BIO_write(server_io, buf, (int)num);
+ if (r != (int)num) /* can't happen */
+ {
+ fprintf(stderr, "ERROR: BIO_write could not write "
+ "BIO_ctrl_get_write_guarantee() bytes");
+ goto err;
+ }
+ progress = 1;
+
+ if (debug)
+ printf("C->S relaying: %d bytes\n", (int)num);
+ }
+ }
+ while (r1 && r2);
+
+ /* server to client */
+ do
+ {
+ r1 = BIO_ctrl_pending(server_io);
+ r2 = BIO_ctrl_get_write_guarantee(client_io);
+
+ num = r1;
+ if (r2 < num)
+ num = r2;
+ if (num)
+ {
+ if (sizeof buf < num)
+ num = sizeof buf;
+ if (INT_MAX < num)
+ num = INT_MAX;
+
+ r = BIO_read(server_io, buf, (int)num);
+ if (r != (int)num) /* can't happen */
+ {
+ fprintf(stderr, "ERROR: BIO_read could not read "
+ "BIO_ctrl_pending() bytes");
+ goto err;
+ }
+ r = BIO_write(client_io, buf, (int)num);
+ if (r != (int)num) /* can't happen */
+ {
+ fprintf(stderr, "ERROR: BIO_write could not write "
+ "BIO_ctrl_get_write_guarantee() bytes");
+ goto err;
+ }
+ progress = 1;
+
+ if (debug)
+ printf("S->C relaying: %d bytes\n", (int)num);
+ }
+ }
+ while (r1 && r2);
+
+ if (!progress && !prev_progress)
+ if (cw_num > 0 || cr_num > 0 || sw_num > 0 || sr_num > 0)
+ {
+ fprintf(stderr, "ERROR: got stuck\n");
+ if (strcmp("SSLv2", SSL_get_version(c_ssl)) == 0)
+ {
+ fprintf(stderr, "This can happen for SSL2 because "
+ "CLIENT-FINISHED and SERVER-VERIFY are written \n"
+ "concurrently ...");
+ if (strncmp("2SCF", SSL_state_string(c_ssl), 4) == 0
+ && strncmp("2SSV", SSL_state_string(s_ssl), 4) == 0)
+ {
+ fprintf(stderr, " ok.\n");
+ goto end;
+ }
+ }
+ fprintf(stderr, " ERROR.\n");
+ goto err;
+ }
+ prev_progress = progress;
+ }
+ }
+ while (cw_num > 0 || cr_num > 0 || sw_num > 0 || sr_num > 0);
+
+ ciph = SSL_get_current_cipher(c_ssl);
+ if (verbose)
+ fprintf(stdout,"DONE via BIO pair, protocol %s, cipher %s, %s\n",
+ SSL_get_version(c_ssl),
+ SSL_CIPHER_get_version(ciph),
+ SSL_CIPHER_get_name(ciph));
+ end:
+ ret = 0;
+
+ err:
+ ERR_print_errors(bio_err);
+
+ if (server)
+ BIO_free(server);
+ if (server_io)
+ BIO_free(server_io);
+ if (client)
+ BIO_free(client);
+ if (client_io)
+ BIO_free(client_io);
+ if (s_ssl_bio)
+ BIO_free(s_ssl_bio);
+ if (c_ssl_bio)
+ BIO_free(c_ssl_bio);
+
+ return ret;
+ }
+
+
#define W_READ 1
#define W_WRITE 2
#define C_DONE 1
#define S_DONE 2
-int doit(s_ssl,c_ssl,count)
-SSL *s_ssl,*c_ssl;
-long count;
+int doit(SSL *s_ssl, SSL *c_ssl, long count)
{
MS_STATIC char cbuf[1024*8],sbuf[1024*8];
long cw_num=count,cr_num=count;
@@ -673,9 +1091,7 @@ err:
return(ret);
}
-int MS_CALLBACK verify_callback(ok, ctx)
-int ok;
-X509_STORE_CTX *ctx;
+int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx)
{
char *s,buf[256];
@@ -716,7 +1132,7 @@ static unsigned char dh512_g[]={
0x02,
};
-static DH *get_dh512()
+static DH *get_dh512(void)
{
DH *dh=NULL;
@@ -729,23 +1145,19 @@ static DH *get_dh512()
}
#endif
-static RSA MS_CALLBACK *tmp_rsa_cb(s,export)
-SSL *s;
-int export;
+#ifndef NO_RSA
+static RSA MS_CALLBACK *tmp_rsa_cb(SSL *s, int is_export, int keylength)
{
static RSA *rsa_tmp=NULL;
if (rsa_tmp == NULL)
{
- BIO_printf(bio_err,"Generating temp (512 bit) RSA key...");
- BIO_flush(bio_err);
-#ifndef NO_RSA
- rsa_tmp=RSA_generate_key(512,RSA_F4,NULL,NULL);
-#endif
+ BIO_printf(bio_err,"Generating temp (%d bit) RSA key...",keylength);
+ (void)BIO_flush(bio_err);
+ rsa_tmp=RSA_generate_key(keylength,RSA_F4,NULL,NULL);
BIO_printf(bio_err,"\n");
- BIO_flush(bio_err);
+ (void)BIO_flush(bio_err);
}
return(rsa_tmp);
}
-
-
+#endif
diff --git a/lib/libssl/src/ssl/t1_clnt.c b/lib/libssl/src/ssl/t1_clnt.c
index 986d2436e2f..9745630a008 100644
--- a/lib/libssl/src/ssl/t1_clnt.c
+++ b/lib/libssl/src/ssl/t1_clnt.c
@@ -57,14 +57,14 @@
*/
#include <stdio.h>
-#include "buffer.h"
-#include "rand.h"
-#include "objects.h"
-#include "evp.h"
+#include <openssl/buffer.h>
+#include <openssl/rand.h>
+#include <openssl/objects.h>
+#include <openssl/evp.h>
#include "ssl_locl.h"
-static SSL_METHOD *tls1_get_client_method(ver)
-int ver;
+static SSL_METHOD *tls1_get_client_method(int ver);
+static SSL_METHOD *tls1_get_client_method(int ver)
{
if (ver == TLS1_VERSION)
return(TLSv1_client_method());
@@ -72,18 +72,18 @@ int ver;
return(NULL);
}
-SSL_METHOD *TLSv1_client_method()
+SSL_METHOD *TLSv1_client_method(void)
{
static int init=1;
static SSL_METHOD TLSv1_client_data;
if (init)
{
- init=0;
memcpy((char *)&TLSv1_client_data,(char *)tlsv1_base_method(),
sizeof(SSL_METHOD));
TLSv1_client_data.ssl_connect=ssl3_connect;
TLSv1_client_data.get_ssl_method=tls1_get_client_method;
+ init=0;
}
return(&TLSv1_client_data);
}
diff --git a/lib/libssl/src/ssl/t1_enc.c b/lib/libssl/src/ssl/t1_enc.c
index fbdd3bffb52..914b7434987 100644
--- a/lib/libssl/src/ssl/t1_enc.c
+++ b/lib/libssl/src/ssl/t1_enc.c
@@ -57,18 +57,16 @@
*/
#include <stdio.h>
-#include "evp.h"
-#include "hmac.h"
+#include <openssl/comp.h>
+#include <openssl/md5.h>
+#include <openssl/sha.h>
+#include <openssl/evp.h>
+#include <openssl/hmac.h>
#include "ssl_locl.h"
-static void tls1_P_hash(md,sec,sec_len,seed,seed_len,out,olen)
-EVP_MD *md;
-unsigned char *sec;
-int sec_len;
-unsigned char *seed;
-int seed_len;
-unsigned char *out;
-int olen;
+static void tls1_P_hash(const EVP_MD *md, const unsigned char *sec,
+ int sec_len, unsigned char *seed, int seed_len,
+ unsigned char *out, int olen)
{
int chunk,n;
unsigned int j;
@@ -110,19 +108,13 @@ int olen;
memset(A1,0,sizeof(A1));
}
-static void tls1_PRF(md5,sha1,label,label_len,sec,slen,out1,out2,olen)
-EVP_MD *md5;
-EVP_MD *sha1;
-unsigned char *label;
-int label_len;
-unsigned char *sec;
-int slen;
-unsigned char *out1;
-unsigned char *out2;
-int olen;
+static void tls1_PRF(const EVP_MD *md5, const EVP_MD *sha1,
+ unsigned char *label, int label_len,
+ const unsigned char *sec, int slen, unsigned char *out1,
+ unsigned char *out2, int olen)
{
int len,i;
- unsigned char *S1,*S2;
+ const unsigned char *S1,*S2;
len=slen/2;
S1=sec;
@@ -137,10 +129,8 @@ int olen;
out1[i]^=out2[i];
}
-static void tls1_generate_key_block(s,km,tmp,num)
-SSL *s;
-unsigned char *km,*tmp;
-int num;
+static void tls1_generate_key_block(SSL *s, unsigned char *km,
+ unsigned char *tmp, int num)
{
unsigned char *p;
unsigned char buf[SSL3_RANDOM_SIZE*2+
@@ -155,15 +145,14 @@ int num;
memcpy(p,s->s3->client_random,SSL3_RANDOM_SIZE);
p+=SSL3_RANDOM_SIZE;
- tls1_PRF(s->ctx->md5,s->ctx->sha1,buf,p-buf,
- s->session->master_key,s->session->master_key_length,
- km,tmp,num);
+ tls1_PRF(s->ctx->md5,s->ctx->sha1,buf,(int)(p-buf),
+ s->session->master_key,s->session->master_key_length,
+ km,tmp,num);
}
-int tls1_change_cipher_state(s,which)
-SSL *s;
-int which;
+int tls1_change_cipher_state(SSL *s, int which)
{
+ static const unsigned char empty[]="";
unsigned char *p,*key_block,*mac_secret;
unsigned char *exp_label,buf[TLS_MD_MAX_CONST_SIZE+
SSL3_RANDOM_SIZE*2];
@@ -174,12 +163,12 @@ int which;
unsigned char *ms,*key,*iv,*er1,*er2;
int client_write;
EVP_CIPHER_CTX *dd;
- EVP_CIPHER *c;
- SSL_COMPRESSION *comp;
- EVP_MD *m;
- int exp,n,i,j,k,exp_label_len;
+ const EVP_CIPHER *c;
+ const SSL_COMP *comp;
+ const EVP_MD *m;
+ int _exp,n,i,j,k,exp_label_len,cl;
- exp=(s->s3->tmp.new_cipher->algorithms & SSL_EXPORT)?1:0;
+ _exp=SSL_C_IS_EXPORT(s->s3->tmp.new_cipher);
c=s->s3->tmp.new_sym_enc;
m=s->s3->tmp.new_hash;
comp=s->s3->tmp.new_compression;
@@ -193,7 +182,25 @@ int which;
goto err;
dd= s->enc_read_ctx;
s->read_hash=m;
- s->read_compression=comp;
+ if (s->expand != NULL)
+ {
+ COMP_CTX_free(s->expand);
+ s->expand=NULL;
+ }
+ if (comp != NULL)
+ {
+ s->expand=COMP_CTX_new(comp->method);
+ if (s->expand == NULL)
+ {
+ SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE,SSL_R_COMPRESSION_LIBRARY_ERROR);
+ goto err2;
+ }
+ if (s->s3->rrec.comp == NULL)
+ s->s3->rrec.comp=(unsigned char *)
+ Malloc(SSL3_RT_MAX_ENCRYPTED_LENGTH);
+ if (s->s3->rrec.comp == NULL)
+ goto err;
+ }
memset(&(s->s3->read_sequence[0]),0,8);
mac_secret= &(s->s3->read_mac_secret[0]);
}
@@ -205,7 +212,20 @@ int which;
goto err;
dd= s->enc_write_ctx;
s->write_hash=m;
- s->write_compression=comp;
+ if (s->compress != NULL)
+ {
+ COMP_CTX_free(s->compress);
+ s->compress=NULL;
+ }
+ if (comp != NULL)
+ {
+ s->compress=COMP_CTX_new(comp->method);
+ if (s->compress == NULL)
+ {
+ SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE,SSL_R_COMPRESSION_LIBRARY_ERROR);
+ goto err2;
+ }
+ }
memset(&(s->s3->write_sequence[0]),0,8);
mac_secret= &(s->s3->write_mac_secret[0]);
}
@@ -214,7 +234,10 @@ int which;
p=s->s3->tmp.key_block;
i=EVP_MD_size(m);
- j=(exp)?5:EVP_CIPHER_key_length(c);
+ cl=EVP_CIPHER_key_length(c);
+ j=_exp ? (cl < SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher) ?
+ cl : SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher)) : cl;
+ /* Was j=(exp)?5:EVP_CIPHER_key_length(c); */
k=EVP_CIPHER_iv_length(c);
er1= &(s->s3->client_random[0]);
er2= &(s->s3->server_random[0]);
@@ -250,7 +273,7 @@ int which;
printf("which = %04X\nmac key=",which);
{ int z; for (z=0; z<i; z++) printf("%02X%c",ms[z],((z+1)%16)?' ':'\n'); }
#endif
- if (exp)
+ if (_exp)
{
/* In here I set both the read and write key/iv to the
* same value since only the correct one will be used :-).
@@ -262,8 +285,8 @@ printf("which = %04X\nmac key=",which);
p+=SSL3_RANDOM_SIZE;
memcpy(p,s->s3->server_random,SSL3_RANDOM_SIZE);
p+=SSL3_RANDOM_SIZE;
- tls1_PRF(s->ctx->md5,s->ctx->sha1,buf,p-buf,key,j,
- tmp1,tmp2,EVP_CIPHER_key_length(c));
+ tls1_PRF(s->ctx->md5,s->ctx->sha1,buf,(int)(p-buf),key,j,
+ tmp1,tmp2,EVP_CIPHER_key_length(c));
key=tmp1;
if (k > 0)
@@ -276,8 +299,8 @@ printf("which = %04X\nmac key=",which);
p+=SSL3_RANDOM_SIZE;
memcpy(p,s->s3->server_random,SSL3_RANDOM_SIZE);
p+=SSL3_RANDOM_SIZE;
- tls1_PRF(s->ctx->md5,s->ctx->sha1,
- buf,p-buf,"",0,iv1,iv2,k*2);
+ tls1_PRF(s->ctx->md5,s->ctx->sha1,buf,p-buf,empty,0,
+ iv1,iv2,k*2);
if (client_write)
iv=iv1;
else
@@ -307,18 +330,18 @@ err2:
return(0);
}
-int tls1_setup_key_block(s)
-SSL *s;
+int tls1_setup_key_block(SSL *s)
{
unsigned char *p1,*p2;
- EVP_CIPHER *c;
- EVP_MD *hash;
- int num,exp;
+ const EVP_CIPHER *c;
+ const EVP_MD *hash;
+ int num;
+ SSL_COMP *comp;
if (s->s3->tmp.key_block_length != 0)
return(1);
- if (!ssl_cipher_get_evp(s->session->cipher,&c,&hash))
+ if (!ssl_cipher_get_evp(s->session,&c,&hash,&comp))
{
SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK,SSL_R_CIPHER_OR_HASH_UNAVAILABLE);
return(0);
@@ -327,8 +350,6 @@ SSL *s;
s->s3->tmp.new_sym_enc=c;
s->s3->tmp.new_hash=hash;
- exp=(s->session->cipher->algorithms & SSL_EXPORT)?1:0;
-
num=EVP_CIPHER_key_length(c)+EVP_MD_size(hash)+EVP_CIPHER_iv_length(c);
num*=2;
@@ -365,16 +386,13 @@ err:
return(0);
}
-int tls1_enc(s,send)
-SSL *s;
-int send;
+int tls1_enc(SSL *s, int send)
{
SSL3_RECORD *rec;
EVP_CIPHER_CTX *ds;
unsigned long l;
int bs,i,ii,j,k,n=0;
- EVP_CIPHER *enc;
- SSL_COMPRESSION *comp;
+ const EVP_CIPHER *enc;
if (send)
{
@@ -383,12 +401,9 @@ int send;
ds=s->enc_write_ctx;
rec= &(s->s3->wrec);
if (s->enc_write_ctx == NULL)
- { enc=NULL; comp=NULL; }
+ enc=NULL;
else
- {
enc=EVP_CIPHER_CTX_cipher(s->enc_write_ctx);
- comp=s->write_compression;
- }
}
else
{
@@ -397,16 +412,13 @@ int send;
ds=s->enc_read_ctx;
rec= &(s->s3->rrec);
if (s->enc_read_ctx == NULL)
- { enc=NULL; comp=NULL; }
+ enc=NULL;
else
- {
enc=EVP_CIPHER_CTX_cipher(s->enc_read_ctx);
- comp=s->read_compression;
- }
}
if ((s->session == NULL) || (ds == NULL) ||
- ((enc == NULL) && (comp == NULL)))
+ (enc == NULL))
{
memcpy(rec->data,rec->input,rec->length);
rec->input=rec->data;
@@ -471,25 +483,18 @@ int send;
return(1);
}
-int tls1_cert_verify_mac(s,in_ctx,out)
-SSL *s;
-EVP_MD_CTX *in_ctx;
-unsigned char *out;
+int tls1_cert_verify_mac(SSL *s, EVP_MD_CTX *in_ctx, unsigned char *out)
{
unsigned int ret;
EVP_MD_CTX ctx;
- memcpy(&ctx,in_ctx,sizeof(EVP_MD_CTX));
+ EVP_MD_CTX_copy(&ctx,in_ctx);
EVP_DigestFinal(&ctx,out,&ret);
return((int)ret);
}
-int tls1_final_finish_mac(s,in1_ctx,in2_ctx,str,slen,out)
-SSL *s;
-EVP_MD_CTX *in1_ctx,*in2_ctx;
-unsigned char *str;
-int slen;
-unsigned char *out;
+int tls1_final_finish_mac(SSL *s, EVP_MD_CTX *in1_ctx, EVP_MD_CTX *in2_ctx,
+ unsigned char *str, int slen, unsigned char *out)
{
unsigned int i;
EVP_MD_CTX ctx;
@@ -500,14 +505,14 @@ unsigned char *out;
memcpy(q,str,slen);
q+=slen;
- memcpy(&ctx,in1_ctx,sizeof(EVP_MD_CTX));
+ EVP_MD_CTX_copy(&ctx,in1_ctx);
EVP_DigestFinal(&ctx,q,&i);
q+=i;
- memcpy(&ctx,in2_ctx,sizeof(EVP_MD_CTX));
+ EVP_MD_CTX_copy(&ctx,in2_ctx);
EVP_DigestFinal(&ctx,q,&i);
q+=i;
- tls1_PRF(s->ctx->md5,s->ctx->sha1,buf,q-buf,
+ tls1_PRF(s->ctx->md5,s->ctx->sha1,buf,(int)(q-buf),
s->session->master_key,s->session->master_key_length,
out,buf2,12);
memset(&ctx,0,sizeof(EVP_MD_CTX));
@@ -515,14 +520,11 @@ unsigned char *out;
return((int)12);
}
-int tls1_mac(ssl,md,send)
-SSL *ssl;
-unsigned char *md;
-int send;
+int tls1_mac(SSL *ssl, unsigned char *md, int send)
{
SSL3_RECORD *rec;
unsigned char *mac_sec,*seq;
- EVP_MD *hash;
+ const EVP_MD *hash;
unsigned int md_size;
int i;
HMAC_CTX hmac;
@@ -560,29 +562,26 @@ int send;
#ifdef TLS_DEBUG
printf("sec=");
-{int z; for (z=0; z<md_size; z++) printf("%02X ",mac_sec[z]); printf("\n"); }
+{unsigned int z; for (z=0; z<md_size; z++) printf("%02X ",mac_sec[z]); printf("\n"); }
printf("seq=");
{int z; for (z=0; z<8; z++) printf("%02X ",seq[z]); printf("\n"); }
printf("buf=");
{int z; for (z=0; z<5; z++) printf("%02X ",buf[z]); printf("\n"); }
printf("rec=");
-{int z; for (z=0; z<rec->length; z++) printf("%02X ",buf[z]); printf("\n"); }
+{unsigned int z; for (z=0; z<rec->length; z++) printf("%02X ",buf[z]); printf("\n"); }
#endif
for (i=7; i>=0; i--)
if (++seq[i]) break;
#ifdef TLS_DEBUG
-{int z; for (z=0; z<md_size; z++) printf("%02X ",md[z]); printf("\n"); }
+{unsigned int z; for (z=0; z<md_size; z++) printf("%02X ",md[z]); printf("\n"); }
#endif
return(md_size);
}
-int tls1_generate_master_secret(s,out,p,len)
-SSL *s;
-unsigned char *out;
-unsigned char *p;
-int len;
+int tls1_generate_master_secret(SSL *s, unsigned char *out, unsigned char *p,
+ int len)
{
unsigned char buf[SSL3_RANDOM_SIZE*2+TLS_MD_MASTER_SECRET_CONST_SIZE];
unsigned char buff[SSL_MAX_MASTER_KEY_LENGTH];
@@ -600,8 +599,7 @@ int len;
return(SSL3_MASTER_SECRET_SIZE);
}
-int tls1_alert_code(code)
-int code;
+int tls1_alert_code(int code)
{
switch (code)
{
diff --git a/lib/libssl/src/ssl/t1_lib.c b/lib/libssl/src/ssl/t1_lib.c
index f9fbfa414c8..ddf5c15799e 100644
--- a/lib/libssl/src/ssl/t1_lib.c
+++ b/lib/libssl/src/ssl/t1_lib.c
@@ -57,10 +57,10 @@
*/
#include <stdio.h>
-#include "objects.h"
+#include <openssl/objects.h>
#include "ssl_locl.h"
-char *tls1_version_str="TLSv1 part of SSLeay 0.9.0b 29-Jun-1998";
+char *tls1_version_str="TLSv1" OPENSSL_VERSION_PTEXT;
#ifndef NO_PROTO
static long tls1_default_timeout(void);
@@ -94,6 +94,7 @@ static SSL_METHOD TLSv1_data= {
ssl3_write,
ssl3_shutdown,
ssl3_renegotiate,
+ ssl3_renegotiate_check,
ssl3_ctrl,
ssl3_ctx_ctrl,
ssl3_get_cipher_by_char,
@@ -106,45 +107,38 @@ static SSL_METHOD TLSv1_data= {
&TLSv1_enc_data,
};
-static long tls1_default_timeout()
+static long tls1_default_timeout(void)
{
/* 2 hours, the 24 hours mentioned in the TLSv1 spec
* is way too long for http, the cache would over fill */
return(60*60*2);
}
-SSL_METHOD *tlsv1_base_method()
+SSL_METHOD *tlsv1_base_method(void)
{
return(&TLSv1_data);
}
-int tls1_new(s)
-SSL *s;
+int tls1_new(SSL *s)
{
if (!ssl3_new(s)) return(0);
s->method->ssl_clear(s);
return(1);
}
-void tls1_free(s)
-SSL *s;
+void tls1_free(SSL *s)
{
ssl3_free(s);
}
-void tls1_clear(s)
-SSL *s;
+void tls1_clear(SSL *s)
{
ssl3_clear(s);
s->version=TLS1_VERSION;
}
#if 0
-long tls1_ctrl(s,cmd,larg,parg)
-SSL *s;
-int cmd;
-long larg;
-char *parg;
+long tls1_ctrl(SSL *s, int cmd, long larg, char *parg)
{
return(0);
}
diff --git a/lib/libssl/src/ssl/t1_meth.c b/lib/libssl/src/ssl/t1_meth.c
index 512c2078e76..9bb36a7d1ca 100644
--- a/lib/libssl/src/ssl/t1_meth.c
+++ b/lib/libssl/src/ssl/t1_meth.c
@@ -57,11 +57,11 @@
*/
#include <stdio.h>
-#include "objects.h"
+#include <openssl/objects.h>
#include "ssl_locl.h"
-static SSL_METHOD *tls1_get_method(ver)
-int ver;
+static SSL_METHOD *tls1_get_method(int ver);
+static SSL_METHOD *tls1_get_method(int ver)
{
if (ver == TLS1_VERSION)
return(TLSv1_method());
@@ -69,19 +69,19 @@ int ver;
return(NULL);
}
-SSL_METHOD *TLSv1_method()
+SSL_METHOD *TLSv1_method(void)
{
static int init=1;
static SSL_METHOD TLSv1_data;
if (init)
{
- init=0;
memcpy((char *)&TLSv1_data,(char *)tlsv1_base_method(),
sizeof(SSL_METHOD));
TLSv1_data.ssl_connect=ssl3_connect;
TLSv1_data.ssl_accept=ssl3_accept;
TLSv1_data.get_ssl_method=tls1_get_method;
+ init=0;
}
return(&TLSv1_data);
}
diff --git a/lib/libssl/src/ssl/t1_srvr.c b/lib/libssl/src/ssl/t1_srvr.c
index 8cf0addcd9e..996b7ca8e2e 100644
--- a/lib/libssl/src/ssl/t1_srvr.c
+++ b/lib/libssl/src/ssl/t1_srvr.c
@@ -57,15 +57,15 @@
*/
#include <stdio.h>
-#include "buffer.h"
-#include "rand.h"
-#include "objects.h"
-#include "evp.h"
-#include "x509.h"
+#include <openssl/buffer.h>
+#include <openssl/rand.h>
+#include <openssl/objects.h>
+#include <openssl/evp.h>
+#include <openssl/x509.h>
#include "ssl_locl.h"
-static SSL_METHOD *tls1_get_server_method(ver)
-int ver;
+static SSL_METHOD *tls1_get_server_method(int ver);
+static SSL_METHOD *tls1_get_server_method(int ver)
{
if (ver == TLS1_VERSION)
return(TLSv1_server_method());
@@ -73,18 +73,18 @@ int ver;
return(NULL);
}
-SSL_METHOD *TLSv1_server_method()
+SSL_METHOD *TLSv1_server_method(void)
{
static int init=1;
static SSL_METHOD TLSv1_server_data;
if (init)
{
- init=0;
memcpy((char *)&TLSv1_server_data,(char *)tlsv1_base_method(),
sizeof(SSL_METHOD));
TLSv1_server_data.ssl_accept=ssl3_accept;
TLSv1_server_data.get_ssl_method=tls1_get_server_method;
+ init=0;
}
return(&TLSv1_server_data);
}
diff --git a/lib/libssl/src/ssl/tls1.h b/lib/libssl/src/ssl/tls1.h
index 60978613ef7..a931efa936a 100644
--- a/lib/libssl/src/ssl/tls1.h
+++ b/lib/libssl/src/ssl/tls1.h
@@ -59,12 +59,14 @@
#ifndef HEADER_TLS1_H
#define HEADER_TLS1_H
-#include "buffer.h"
+#include <openssl/buffer.h>
#ifdef __cplusplus
extern "C" {
#endif
+#define TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES 0
+
#define TLS1_VERSION 0x0301
#define TLS1_VERSION_MAJOR 0x03
#define TLS1_VERSION_MINOR 0x01
@@ -82,6 +84,23 @@ extern "C" {
#define TLS1_AD_USER_CANCLED 90
#define TLS1_AD_NO_RENEGOTIATION 100
+#define TLS1_CK_RSA_EXPORT1024_WITH_RC4_56_MD5 0x03000060
+#define TLS1_CK_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5 0x03000061
+#define TLS1_CK_RSA_EXPORT1024_WITH_DES_CBC_SHA 0x03000062
+#define TLS1_CK_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA 0x03000063
+#define TLS1_CK_RSA_EXPORT1024_WITH_RC4_56_SHA 0x03000064
+#define TLS1_CK_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA 0x03000065
+#define TLS1_CK_DHE_DSS_WITH_RC4_128_SHA 0x03000066
+
+#define TLS1_TXT_RSA_EXPORT1024_WITH_RC4_56_MD5 "EXP1024-RC4-MD5"
+#define TLS1_TXT_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5 "EXP1024-RC2-CBC-MD5"
+#define TLS1_TXT_RSA_EXPORT1024_WITH_DES_CBC_SHA "EXP1024-DES-CBC-SHA"
+#define TLS1_TXT_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA "EXP1024-DHE-DSS-DES-CBC-SHA"
+#define TLS1_TXT_RSA_EXPORT1024_WITH_RC4_56_SHA "EXP1024-RC4-SHA"
+#define TLS1_TXT_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA "EXP1024-DHE-DSS-RC4-SHA"
+#define TLS1_TXT_DHE_DSS_WITH_RC4_128_SHA "DHE-DSS-RC4-SHA"
+
+
#define TLS_CT_RSA_SIGN 1
#define TLS_CT_DSS_SIGN 2
#define TLS_CT_RSA_FIXED_DH 3
@@ -108,6 +127,25 @@ extern "C" {
#define TLS_MD_MASTER_SECRET_CONST "master secret"
#define TLS_MD_MASTER_SECRET_CONST_SIZE 13
+#ifdef CHARSET_EBCDIC
+#undef TLS_MD_CLIENT_FINISH_CONST
+#define TLS_MD_CLIENT_FINISH_CONST "\x63\x6c\x69\x65\x6e\x74\x20\x66\x69\x6e\x69\x73\x68\x65\x64" /*client finished*/
+#undef TLS_MD_SERVER_FINISH_CONST
+#define TLS_MD_SERVER_FINISH_CONST "\x73\x65\x72\x76\x65\x72\x20\x66\x69\x6e\x69\x73\x68\x65\x64" /*server finished*/
+#undef TLS_MD_SERVER_WRITE_KEY_CONST
+#define TLS_MD_SERVER_WRITE_KEY_CONST "\x73\x65\x72\x76\x65\x72\x20\x77\x72\x69\x74\x65\x20\x6b\x65\x79" /*server write key*/
+#undef TLS_MD_KEY_EXPANSION_CONST
+#define TLS_MD_KEY_EXPANSION_CONST "\x6b\x65\x79\x20\x65\x78\x70\x61\x6e\x73\x69\x6f\x6e" /*key expansion*/
+#undef TLS_MD_CLIENT_WRITE_KEY_CONST
+#define TLS_MD_CLIENT_WRITE_KEY_CONST "\x63\x6c\x69\x65\x6e\x74\x20\x77\x72\x69\x74\x65\x20\x6b\x65\x79" /*client write key*/
+#undef TLS_MD_SERVER_WRITE_KEY_CONST
+#define TLS_MD_SERVER_WRITE_KEY_CONST "\x73\x65\x72\x76\x65\x72\x20\x77\x72\x69\x74\x65\x20\x6b\x65\x79" /*server write key*/
+#undef TLS_MD_IV_BLOCK_CONST
+#define TLS_MD_IV_BLOCK_CONST "\x49\x56\x20\x62\x6c\x6f\x63\x6b" /*IV block*/
+#undef TLS_MD_MASTER_SECRET_CONST
+#define TLS_MD_MASTER_SECRET_CONST "\x6d\x61\x73\x74\x65\x72\x20\x73\x65\x63\x72\x65\x74" /*master secret*/
+#endif
+
#ifdef __cplusplus
}
#endif
Copyright © 1996 – 2023 Jason A. Donenfeld. All Rights Reverse Engineered.