results.
lib: $(LIBOBJ)
$(AR) $(LIB) $(LIBOBJ)
- $(RANLIB) $(LIB)
+ @echo You may get an error following this line. Please ignore.
+ - $(RANLIB) $(LIB)
@touch lib
files:
ASN1_TYPE *param, EVP_CIPHER *cipher,
EVP_MD *md, int en_de);
+#ifndef NO_RSA
#define EVP_PKEY_assign_RSA(pkey,rsa) EVP_PKEY_assign((pkey),EVP_PKEY_RSA,\
(char *)(rsa))
+#endif
+
+#ifndef NO_DSA
#define EVP_PKEY_assign_DSA(pkey,dsa) EVP_PKEY_assign((pkey),EVP_PKEY_DSA,\
(char *)(dsa))
+#endif
+
+#ifndef NO_DH
#define EVP_PKEY_assign_DH(pkey,dh) EVP_PKEY_assign((pkey),EVP_PKEY_DH,\
(char *)(dh))
+#endif
/* Add some extra combinations */
#define EVP_get_digestbynid(a) EVP_get_digestbyname(OBJ_nid2sn(a))
#endif
EVP_MD *EVP_md_null(void);
+#ifndef NO_MD2
EVP_MD *EVP_md2(void);
+#endif
+#ifndef NO_MD4
EVP_MD *EVP_md4(void);
+#endif
+#ifndef NO_MD5
EVP_MD *EVP_md5(void);
+#endif
+#ifndef NO_SHA
EVP_MD *EVP_sha(void);
EVP_MD *EVP_sha1(void);
EVP_MD *EVP_dss(void);
EVP_MD *EVP_dss1(void);
+#endif
+#ifndef NO_MDC2
EVP_MD *EVP_mdc2(void);
+#endif
+#ifndef NO_RIPEMD
EVP_MD *EVP_ripemd160(void);
-
+#endif
EVP_CIPHER *EVP_enc_null(void); /* does nothing :-) */
+#ifndef NO_DES
EVP_CIPHER *EVP_des_ecb(void);
EVP_CIPHER *EVP_des_ede(void);
EVP_CIPHER *EVP_des_ede3(void);
EVP_CIPHER *EVP_des_ede_cbc(void);
EVP_CIPHER *EVP_des_ede3_cbc(void);
EVP_CIPHER *EVP_desx_cbc(void);
+#endif
+#ifndef NO_RC4
EVP_CIPHER *EVP_rc4(void);
EVP_CIPHER *EVP_rc4_40(void);
+#endif
+#ifndef NO_IDEA
EVP_CIPHER *EVP_idea_ecb(void);
EVP_CIPHER *EVP_idea_cfb(void);
EVP_CIPHER *EVP_idea_ofb(void);
EVP_CIPHER *EVP_idea_cbc(void);
+#endif
+#ifndef NO_RC2
EVP_CIPHER *EVP_rc2_ecb(void);
EVP_CIPHER *EVP_rc2_cbc(void);
EVP_CIPHER *EVP_rc2_40_cbc(void);
EVP_CIPHER *EVP_rc2_64_cbc(void);
EVP_CIPHER *EVP_rc2_cfb(void);
EVP_CIPHER *EVP_rc2_ofb(void);
+#endif
+#ifndef NO_BF
EVP_CIPHER *EVP_bf_ecb(void);
EVP_CIPHER *EVP_bf_cbc(void);
EVP_CIPHER *EVP_bf_cfb(void);
EVP_CIPHER *EVP_bf_ofb(void);
+#endif
+#ifndef NO_CAST
EVP_CIPHER *EVP_cast5_ecb(void);
EVP_CIPHER *EVP_cast5_cbc(void);
EVP_CIPHER *EVP_cast5_cfb(void);
EVP_CIPHER *EVP_cast5_ofb(void);
+#endif
+#ifndef NO_RC5
EVP_CIPHER *EVP_rc5_32_12_16_cbc(void);
EVP_CIPHER *EVP_rc5_32_12_16_ecb(void);
EVP_CIPHER *EVP_rc5_32_12_16_cfb(void);
EVP_CIPHER *EVP_rc5_32_12_16_ofb(void);
-
+#endif
void OpenSSL_add_all_algorithms(void);
void OpenSSL_add_all_ciphers(void);
void OpenSSL_add_all_digests(void);
lib: $(LIBOBJ)
$(AR) $(LIB) $(LIBOBJ)
- $(RANLIB) $(LIB)
+ @echo You may get an error following this line. Please ignore.
+ - $(RANLIB) $(LIB)
@touch lib
files:
lib: $(LIBOBJ)
$(AR) $(LIB) $(LIBOBJ)
- $(RANLIB) $(LIB)
+ @echo You may get an error following this line. Please ignore.
+ - $(RANLIB) $(LIB)
@touch lib
files:
lib: $(LIBOBJ)
$(AR) $(LIB) $(LIBOBJ)
- $(RANLIB) $(LIB)
+ @echo You may get an error following this line. Please ignore.
+ - $(RANLIB) $(LIB)
@touch lib
files:
lib: $(LIBOBJ)
$(AR) $(LIB) $(LIBOBJ)
- $(RANLIB) $(LIB)
+ @echo You may get an error following this line. Please ignore.
+ - $(RANLIB) $(LIB)
@touch lib
files:
lib: $(LIBOBJ)
$(AR) $(LIB) $(LIBOBJ)
- $(RANLIB) $(LIB)
+ @echo You may get an error following this line. Please ignore.
+ - $(RANLIB) $(LIB)
@touch lib
files:
lib: $(LIBOBJ)
$(AR) $(LIB) $(LIBOBJ)
- $(RANLIB) $(LIB)
+ @echo You may get an error following this line. Please ignore.
+ - $(RANLIB) $(LIB)
@touch lib
# elf
lib: $(LIBOBJ)
$(AR) $(LIB) $(LIBOBJ)
- $(RANLIB) $(LIB)
+ @echo You may get an error following this line. Please ignore.
+ - $(RANLIB) $(LIB)
@touch lib
files:
lib: $(LIBOBJ)
$(AR) $(LIB) $(LIBOBJ)
- $(RANLIB) $(LIB)
+ @echo You may get an error following this line. Please ignore.
+ - $(RANLIB) $(LIB)
@touch lib
files:
lib: $(LIBOBJ)
$(AR) $(LIB) $(LIBOBJ)
- $(RANLIB) $(LIB)
+ @echo You may get an error following this line. Please ignore.
+ - $(RANLIB) $(LIB)
@touch lib
files:
{
if ( (xi->enc_data!=NULL) && (xi->enc_len>0) )
{
- /* copy from wierdo names into more normal things */
+ /* copy from weirdo names into more normal things */
iv=xi->enc_cipher.iv;
data=(unsigned char *)xi->enc_data;
i=xi->enc_len;
lib: $(LIBOBJ)
$(AR) $(LIB) $(LIBOBJ)
- $(RANLIB) $(LIB)
+ @echo You may get an error following this line. Please ignore.
+ - $(RANLIB) $(LIB)
@touch lib
files:
{
unsigned char *uniname;
int ret, unilen;
- if (!asc2uni(name, &uniname, &unilen)) {
+ if (!asc2uni(name, namelen, &uniname, &unilen)) {
PKCS12err(PKCS12_F_PKCS12_ADD_FRIENDLYNAME_ASC,
ERR_R_MALLOC_FAILURE);
return 0;
if(!pass) {
unipass = NULL;
uniplen = 0;
- } else if (!asc2uni(pass, &unipass, &uniplen)) {
+ } else if (!asc2uni(pass, passlen, &unipass, &uniplen)) {
PKCS12err(PKCS12_F_PKCS12_KEY_GEN_ASC,ERR_R_MALLOC_FAILURE);
return 0;
}
/* Cheap and nasty Unicode stuff */
-unsigned char *asc2uni (const char *asc, unsigned char **uni, int *unilen)
+unsigned char *asc2uni(const char *asc, int asclen, unsigned char **uni, int *unilen)
{
int ulen, i;
unsigned char *unitmp;
- ulen = strlen(asc)*2 + 2;
- if (!(unitmp = OPENSSL_malloc (ulen))) return NULL;
- for (i = 0; i < ulen; i+=2) {
+ if (asclen == -1) asclen = strlen(asc);
+ ulen = asclen*2 + 2;
+ if (!(unitmp = OPENSSL_malloc(ulen))) return NULL;
+ for (i = 0; i < ulen - 2; i+=2) {
unitmp[i] = 0;
unitmp[i + 1] = asc[i>>1];
}
+ /* Make result double null terminated */
+ unitmp[ulen - 2] = 0;
+ unitmp[ulen - 1] = 0;
if (unilen) *unilen = ulen;
if (uni) *uni = unitmp;
return unitmp;
}
-char *uni2asc (unsigned char *uni, int unilen)
+char *uni2asc(unsigned char *uni, int unilen)
{
int asclen, i;
char *asctmp;
asclen = unilen / 2;
/* If no terminating zero allow for one */
- if (uni[unilen - 1]) asclen++;
+ if (!unilen || uni[unilen - 1]) asclen++;
uni++;
- if (!(asctmp = OPENSSL_malloc (asclen))) return NULL;
+ if (!(asctmp = OPENSSL_malloc(asclen))) return NULL;
for (i = 0; i < unilen; i+=2) asctmp[i>>1] = uni[i];
asctmp[asclen - 1] = 0;
return asctmp;
EVP_MD *md_type);
int PKCS12_setup_mac(PKCS12 *p12, int iter, unsigned char *salt,
int saltlen, EVP_MD *md_type);
-unsigned char *asc2uni(const char *asc, unsigned char **uni, int *unilen);
+unsigned char *asc2uni(const char *asc, int asclen, unsigned char **uni, int *unilen);
char *uni2asc(unsigned char *uni, int unilen);
int i2d_PKCS12_BAGS(PKCS12_BAGS *a, unsigned char **pp);
PKCS12_BAGS *PKCS12_BAGS_new(void);
lib: $(LIBOBJ)
$(AR) $(LIB) $(LIBOBJ)
- $(RANLIB) $(LIB)
+ @echo You may get an error following this line. Please ignore.
+ - $(RANLIB) $(LIB)
@touch lib
files:
os=si->enc_digest;
pkey = X509_get_pubkey(x509);
+ if (!pkey)
+ {
+ ret = -1;
+ goto err;
+ }
if(pkey->type == EVP_PKEY_DSA) mdc_tmp.digest=EVP_dss1();
i=EVP_VerifyFinal(&mdc_tmp,os->data,os->length, pkey);
}
bound[32] = 0;
BIO_printf(bio, "MIME-Version: 1.0\n");
- BIO_printf(bio, "Content-Type: multipart/signed ; ");
- BIO_printf(bio, "protocol=\"application/x-pkcs7-signature\" ; ");
- BIO_printf(bio, "micalg=sha1 ; boundary=\"----%s\"\n\n", bound);
+ BIO_printf(bio, "Content-Type: multipart/signed;");
+ BIO_printf(bio, " protocol=\"application/x-pkcs7-signature\";");
+ BIO_printf(bio, " micalg=sha1; boundary=\"----%s\"\n\n", bound);
BIO_printf(bio, "This is an S/MIME signed message\n\n");
/* Now write out the first part */
BIO_printf(bio, "------%s\n", bound);
PKCS7_SIGNER_INFO *si;
X509_STORE_CTX cert_ctx;
char buf[4096];
- int i, j=0, k;
+ int i, j=0, k, ret = 0;
BIO *p7bio;
BIO *tmpout;
}
}
- sk_X509_free(signers);
- if(indata) BIO_pop(p7bio);
- BIO_free_all(p7bio);
-
- return 1;
+ ret = 1;
err:
+ if(indata) BIO_pop(p7bio);
+ BIO_free_all(p7bio);
sk_X509_free(signers);
- BIO_free(p7bio);
- return 0;
+ return ret;
}
STACK_OF(X509) *PKCS7_get0_signers(PKCS7 *p7, STACK_OF(X509) *certs, int flags)
lib: $(LIBOBJ)
$(AR) $(LIB) $(LIBOBJ)
- $(RANLIB) $(LIB)
+ @echo You may get an error following this line. Please ignore.
+ - $(RANLIB) $(LIB)
@touch lib
files:
DWORD w;
LARGE_INTEGER l;
static int have_perfc = 1;
-#ifndef __GNUC__
+#ifdef _MSC_VER
static int have_tsc = 1;
DWORD cyclecount;
if (have_tsc) {
__try {
__asm {
- rdtsc
+ _emit 0x0f
+ _emit 0x31
mov cyclecount, eax
}
RAND_add(&cyclecount, sizeof(cyclecount), 1);
# include <sys/stat.h>
#endif
-#include <openssl/e_os.h>
+#include "openssl/e_os.h"
#include <openssl/crypto.h>
#include <openssl/rand.h>
/* #define RFILE ".rnd" - defined in ../../e_os.h */
+/* Note that these functions are intended for seed files only.
+ * Entropy devices and EGD sockets are handled in rand_unix.c */
+
int RAND_load_file(const char *file, long bytes)
{
/* If bytes >= 0, read up to 'bytes' bytes.
if (bytes > 0)
{
bytes-=n;
- if (bytes == 0) break;
+ if (bytes <= 0) break;
}
}
fclose(in);
const char *RAND_file_name(char *buf, int size)
{
- char *s;
+ char *s=NULL;
char *ret=NULL;
- s=getenv("RANDFILE");
+ if (OPENSSL_issetugid() == 0)
+ s=getenv("RANDFILE");
if (s != NULL)
{
strncpy(buf,s,size-1);
}
else
{
- s=getenv("HOME");
- if (s == NULL) return(RFILE);
- if (((int)(strlen(s)+strlen(RFILE)+2)) > size)
- return(RFILE);
- strcpy(buf,s);
+ if (OPENSSL_issetugid() == 0)
+ s=getenv("HOME");
+ if (s != NULL && (strlen(s)+strlen(RFILE)+2 < size))
+ {
+ strcpy(buf,s);
#ifndef VMS
- strcat(buf,"/");
+ strcat(buf,"/");
#endif
- strcat(buf,RFILE);
- ret=buf;
+ strcat(buf,RFILE);
+ ret=buf;
+ }
+ else
+ buf[0] = '\0'; /* no file name */
}
return(ret);
}
lib: $(LIBOBJ)
$(AR) $(LIB) $(LIBOBJ)
- $(RANLIB) $(LIB)
+ @echo You may get an error following this line. Please ignore.
+ - $(RANLIB) $(LIB)
@touch lib
files:
lib: $(LIBOBJ)
$(AR) $(LIB) $(LIBOBJ)
- $(RANLIB) $(LIB)
+ @echo You may get an error following this line. Please ignore.
+ - $(RANLIB) $(LIB)
@touch lib
# elf
lib: $(LIBOBJ)
$(AR) $(LIB) $(LIBOBJ)
- $(RANLIB) $(LIB)
+ @echo You may get an error following this line. Please ignore.
+ - $(RANLIB) $(LIB)
@touch lib
# elf
lib: $(LIBOBJ)
$(AR) $(LIB) $(LIBOBJ)
- $(RANLIB) $(LIB)
+ @echo You may get an error following this line. Please ignore.
+ - $(RANLIB) $(LIB)
@touch lib
# elf
lib: $(LIBOBJ)
$(AR) $(LIB) $(LIBOBJ)
- $(RANLIB) $(LIB)
+ @echo You may get an error following this line. Please ignore.
+ - $(RANLIB) $(LIB)
@touch lib
files:
if ((rsa->_method_mod_n == NULL) && (rsa->flags & RSA_FLAG_CACHE_PUBLIC))
{
- if ((rsa->_method_mod_n=BN_MONT_CTX_new()) != NULL)
- if (!BN_MONT_CTX_set(rsa->_method_mod_n,rsa->n,ctx))
- goto err;
+ BN_MONT_CTX* bn_mont_ctx;
+ if ((bn_mont_ctx=BN_MONT_CTX_new()) == NULL)
+ goto err;
+ if (!BN_MONT_CTX_set(bn_mont_ctx,rsa->n,ctx))
+ {
+ BN_MONT_CTX_free(bn_mont_ctx);
+ goto err;
+ }
+ if (rsa->_method_mod_n == NULL) /* other thread may have finished first */
+ {
+ CRYPTO_w_lock(CRYPTO_LOCK_RSA);
+ if (rsa->_method_mod_n == NULL)
+ {
+ rsa->_method_mod_n = bn_mont_ctx;
+ bn_mont_ctx = NULL;
+ }
+ CRYPTO_w_unlock(CRYPTO_LOCK_RSA);
+ }
+ if (bn_mont_ctx)
+ BN_MONT_CTX_free(bn_mont_ctx);
}
if (!meth->bn_mod_exp(&ret,&f,rsa->e,rsa->n,ctx,
/* do the decrypt */
if ((rsa->_method_mod_n == NULL) && (rsa->flags & RSA_FLAG_CACHE_PUBLIC))
{
- if ((rsa->_method_mod_n=BN_MONT_CTX_new()) != NULL)
- if (!BN_MONT_CTX_set(rsa->_method_mod_n,rsa->n,ctx))
- goto err;
+ BN_MONT_CTX* bn_mont_ctx;
+ if ((bn_mont_ctx=BN_MONT_CTX_new()) == NULL)
+ goto err;
+ if (!BN_MONT_CTX_set(bn_mont_ctx,rsa->n,ctx))
+ {
+ BN_MONT_CTX_free(bn_mont_ctx);
+ goto err;
+ }
+ if (rsa->_method_mod_n == NULL) /* other thread may have finished first */
+ {
+ CRYPTO_w_lock(CRYPTO_LOCK_RSA);
+ if (rsa->_method_mod_n == NULL)
+ {
+ rsa->_method_mod_n = bn_mont_ctx;
+ bn_mont_ctx = NULL;
+ }
+ CRYPTO_w_unlock(CRYPTO_LOCK_RSA);
+ }
+ if (bn_mont_ctx)
+ BN_MONT_CTX_free(bn_mont_ctx);
}
if (!meth->bn_mod_exp(&ret,&f,rsa->e,rsa->n,ctx,
{
if (rsa->_method_mod_p == NULL)
{
- if ((rsa->_method_mod_p=BN_MONT_CTX_new()) != NULL)
- if (!BN_MONT_CTX_set(rsa->_method_mod_p,rsa->p,
- ctx))
- goto err;
+ BN_MONT_CTX* bn_mont_ctx;
+ if ((bn_mont_ctx=BN_MONT_CTX_new()) == NULL)
+ goto err;
+ if (!BN_MONT_CTX_set(bn_mont_ctx,rsa->p,ctx))
+ {
+ BN_MONT_CTX_free(bn_mont_ctx);
+ goto err;
+ }
+ if (rsa->_method_mod_p == NULL) /* other thread may have finished first */
+ {
+ CRYPTO_w_lock(CRYPTO_LOCK_RSA);
+ if (rsa->_method_mod_p == NULL)
+ {
+ rsa->_method_mod_p = bn_mont_ctx;
+ bn_mont_ctx = NULL;
+ }
+ CRYPTO_w_unlock(CRYPTO_LOCK_RSA);
+ }
+ if (bn_mont_ctx)
+ BN_MONT_CTX_free(bn_mont_ctx);
}
+
if (rsa->_method_mod_q == NULL)
{
- if ((rsa->_method_mod_q=BN_MONT_CTX_new()) != NULL)
- if (!BN_MONT_CTX_set(rsa->_method_mod_q,rsa->q,
- ctx))
- goto err;
+ BN_MONT_CTX* bn_mont_ctx;
+ if ((bn_mont_ctx=BN_MONT_CTX_new()) == NULL)
+ goto err;
+ if (!BN_MONT_CTX_set(bn_mont_ctx,rsa->q,ctx))
+ {
+ BN_MONT_CTX_free(bn_mont_ctx);
+ goto err;
+ }
+ if (rsa->_method_mod_q == NULL) /* other thread may have finished first */
+ {
+ CRYPTO_w_lock(CRYPTO_LOCK_RSA);
+ if (rsa->_method_mod_q == NULL)
+ {
+ rsa->_method_mod_q = bn_mont_ctx;
+ bn_mont_ctx = NULL;
+ }
+ CRYPTO_w_unlock(CRYPTO_LOCK_RSA);
+ }
+ if (bn_mont_ctx)
+ BN_MONT_CTX_free(bn_mont_ctx);
}
}
-
+
if (!BN_mod(&r1,I,rsa->q,ctx)) goto err;
if (!meth->bn_mod_exp(&m1,&r1,rsa->dmq1,rsa->q,ctx,
rsa->_method_mod_q)) goto err;
ret->blinding=NULL;
ret->bignum_data=NULL;
ret->flags=meth->flags;
+ CRYPTO_new_ex_data(rsa_meth,ret,&ret->ex_data);
if ((meth->init != NULL) && !meth->init(ret))
{
+ CRYPTO_free_ex_data(rsa_meth,ret,&ret->ex_data);
OPENSSL_free(ret);
ret=NULL;
}
- else
- CRYPTO_new_ex_data(rsa_meth,ret,&ret->ex_data);
return(ret);
}
}
#endif
- CRYPTO_free_ex_data(rsa_meth,r,&r->ex_data);
-
meth = ENGINE_get_RSA(r->engine);
if (meth->finish != NULL)
meth->finish(r);
ENGINE_finish(r->engine);
+ CRYPTO_free_ex_data(rsa_meth,r,&r->ex_data);
+
if (r->n != NULL) BN_clear_free(r->n);
if (r->e != NULL) BN_clear_free(r->e);
if (r->d != NULL) BN_clear_free(r->d);
BN_CTX_start(ctx);
A = BN_CTX_get(ctx);
- if (!BN_rand(A,BN_num_bits(rsa->n)-1,1,0)) goto err;
+ if (!BN_rand_range(A,rsa->n)) goto err;
if ((Ai=BN_mod_inverse(NULL,A,rsa->n,ctx)) == NULL) goto err;
if (!ENGINE_get_RSA(rsa->engine)->bn_mod_exp(A,A,
lib: $(LIBOBJ)
$(AR) $(LIB) $(LIBOBJ)
- $(RANLIB) $(LIB)
+ @echo You may get an error following this line. Please ignore.
+ - $(RANLIB) $(LIB)
@touch lib
# elf
sub sha1_block_host
{
- local($name)=@_;
+ local($name, $sclabel)=@_;
&function_begin_B($name,"");
&mov(&swtmp($i+0),$A);
&mov(&swtmp($i+1),$B);
}
- &jmp(&label("shortcut"));
+ &jmp($sclabel);
&function_end_B($name);
}
&pop("esi");
&ret();
- # it has to reside within sha1_block_asm_host_order body
- # because it calls &jmp(&label("shortcut"));
- &sha1_block_host("sha1_block_asm_host_order");
+ # keep a note of shortcut label so it can be used outside
+ # block.
+ my $sclabel = &label("shortcut");
&function_end_B($name);
+ # Putting this here avoids problems with MASM in debugging mode
+ &sha1_block_host("sha1_block_asm_host_order", $sclabel);
}
lib: $(LIBOBJ)
$(AR) $(LIB) $(LIBOBJ)
- $(RANLIB) $(LIB)
+ @echo You may get an error following this line. Please ignore.
+ - $(RANLIB) $(LIB)
@touch lib
files:
lib: $(LIBOBJ)
$(AR) $(LIB) $(LIBOBJ)
- $(RANLIB) $(LIB)
+ @echo You may get an error following this line. Please ignore.
+ - $(RANLIB) $(LIB)
@touch lib
files:
lib: $(LIBOBJ)
$(AR) $(LIB) $(LIBOBJ)
- $(RANLIB) $(LIB)
+ @echo You may get an error following this line. Please ignore.
+ - $(RANLIB) $(LIB)
@touch lib
files:
* it out again */
CRYPTO_r_lock(CRYPTO_LOCK_X509_STORE);
j = sk_X509_OBJECT_find(xl->store_ctx->objs,&stmp);
- if(j != -1) tmp=sk_X509_OBJECT_value(xl->store_ctx->objs,i);
+ if(j != -1) tmp=sk_X509_OBJECT_value(xl->store_ctx->objs,j);
else tmp = NULL;
CRYPTO_r_unlock(CRYPTO_LOCK_X509_STORE);
{
unsigned long ret=0;
unsigned char md[16];
- unsigned char str[256],*p,*pp;
- int i;
-
- i=i2d_X509_NAME(x,NULL);
- if (i > sizeof(str))
- p=OPENSSL_malloc(i);
- else
- p=str;
- pp=p;
- i2d_X509_NAME(x,&pp);
- MD5((unsigned char *)p,i,&(md[0]));
- if (p != str) OPENSSL_free(p);
+ /* Ensure cached version is up to date */
+ i2d_X509_NAME(x,NULL);
+ /* Use cached encoding directly rather than copying: this should
+ * keep libsafe happy.
+ */
+ MD5((unsigned char *)x->bytes->data,x->bytes->length,&(md[0]));
ret=( ((unsigned long)md[0] )|((unsigned long)md[1]<<8L)|
((unsigned long)md[2]<<16L)|((unsigned long)md[3]<<24L)
lib: $(LIBOBJ)
$(AR) $(LIB) $(LIBOBJ)
- $(RANLIB) $(LIB)
+ @echo You may get an error following this line. Please ignore.
+ - $(RANLIB) $(LIB)
@touch lib
files:
/* Now add any email address(es) to STACK */
i = -1;
while((i = X509_NAME_get_index_by_NID(nm,
- NID_pkcs9_emailAddress, i)) > 0) {
+ NID_pkcs9_emailAddress, i)) >= 0) {
ne = X509_NAME_get_entry(nm, i);
email = M_ASN1_IA5STRING_dup(X509_NAME_ENTRY_get_data(ne));
if(!email || !(gen = GENERAL_NAME_new())) {
else BIO_printf(out, "%s:%s", nval->name, nval->value);
#else
else {
- char tmp[10240]; /* 10k is BIO_printf's limit anyway */
- ascii2ebcdic(tmp, nval->value, strlen(nval->value)+1);
- BIO_printf(out, "%s:%s", nval->name, tmp);
+ int len;
+ char *tmp;
+ len = strlen(nval->value)+1;
+ tmp = OPENSSL_malloc(len);
+ if (tmp)
+ {
+ ascii2ebcdic(tmp, nval->value, len);
+ BIO_printf(out, "%s:%s", nval->name, tmp);
+ OPENSSL_free(tmp);
+ }
}
#endif
if(ml) BIO_puts(out, "\n");
BIO_printf(out, "%*s%s", indent, "", value);
#else
{
- char tmp[10240]; /* 10k is BIO_printf's limit anyway */
- ascii2ebcdic(tmp, value, strlen(value)+1);
- BIO_printf(out, "%*s%s", indent, "", tmp);
+ int len;
+ char *tmp;
+ len = strlen(value)+1;
+ tmp = OPENSSL_malloc(len);
+ if (tmp)
+ {
+ ascii2ebcdic(tmp, value, len);
+ BIO_printf(out, "%*s%s", indent, "", tmp);
+ OPENSSL_free(tmp);
+ }
}
#endif
} else if(method->i2v) {
else return 0;
} else {
if((x->ex_flags & V1_ROOT) == V1_ROOT) return 3;
+ /* If key usage present it must have certSign so tolerate it */
+ else if (x->ex_flags & EXFLAG_KUSAGE) return 3;
else return 2;
}
}
if(ca_ret != 2) return ca_ret;
else return 0;
}
-
+
static int check_purpose_ssl_client(const X509_PURPOSE *xp, const X509 *x, int ca)
{
int ret;
ret = purpose_smime(x, ca);
if(!ret || ca) return ret;
- if(ku_reject(x, KU_DIGITAL_SIGNATURE)) return 0;
+ if(ku_reject(x, KU_DIGITAL_SIGNATURE|KU_NON_REPUDIATION)) return 0;
return ret;
}
[B<-no_tls1>]
[B<-bugs>]
[B<-cipher cipherlist>]
+[B<-rand file(s)>]
[B<-engine id>]
=head1 DESCRIPTION
supported cipher in the list sent by the client. See the B<ciphers>
command for more information.
+=item B<-rand file(s)>
+
+a file or files containing random data used to seed the random number
+generator, or an EGD socket (see L<RAND_egd(3)|RAND_egd(3)>).
+Multiple files can be specified separated by a OS-dependent character.
+The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
+all others.
+
=item B<-engine id>
specifying an engine (by it's unique B<id> string) will cause B<s_client>
[B<-hack>]
[B<-www>]
[B<-WWW>]
+[B<-rand file(s)>]
[B<-engine id>]
=head1 DESCRIPTION
load the parameters from the server certificate file. If this fails then
a static set of parameters hard coded into the s_server program will be used.
-=item B<-nodhe>
+=item B<-no_dhe>
if this option is set then no DH parameters will be loaded effectively
disabling the ephemeral DH cipher suites.
current directory, for example if the URL https://myhost/page.html is
requested the file ./page.html will be loaded.
+=item B<-rand file(s)>
+
+a file or files containing random data used to seed the random number
+generator, or an EGD socket (see L<RAND_egd(3)|RAND_egd(3)>).
+Multiple files can be specified separated by a OS-dependent character.
+The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
+all others.
+
=item B<-engine id>
specifying an engine (by it's unique B<id> string) will cause B<s_server>
int BN_pseudo_rand(BIGNUM *rnd, int bits, int top, int bottom);
+ int BN_rand_range(BIGNUM *rnd, BIGNUM *range);
+
=head1 DESCRIPTION
BN_rand() generates a cryptographically strong pseudo-random number of
-B<bits> bits in length and stores it in B<rnd>. If B<top> is true, the
-two most significant bits of the number will be set to 1, so that the
-product of two such random numbers will always have 2*B<bits> length.
-If B<bottom> is true, the number will be odd.
+B<bits> bits in length and stores it in B<rnd>. If B<top> is -1, the
+most significant bit of the random number can be zero. If B<top> is 0,
+it is set to 1, and if B<top> is 1, the two most significant bits of
+the number will be set to 1, so that the product of two such random
+numbers will always have 2*B<bits> length. If B<bottom> is true, the
+number will be odd.
BN_pseudo_rand() does the same, but pseudo-random numbers generated by
this function are not necessarily unpredictable. They can be used for
non-cryptographic purposes and for certain purposes in cryptographic
protocols, but usually not for key generation etc.
-The PRNG must be seeded prior to calling BN_rand().
+BN_rand_range() generates a cryptographically strong pseudo-random
+number B<rnd> in the range 0 <lt>= B<rnd> E<lt> B<range>.
+
+The PRNG must be seeded prior to calling BN_rand() or BN_rand_range().
=head1 RETURN VALUES
-BN_rand() and BN_pseudo_rand() return 1 on success, 0 on error.
+The functions return 1 on success, 0 on error.
The error codes can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
=head1 SEE ALSO
=head1 HISTORY
BN_rand() is available in all versions of SSLeay and OpenSSL.
-BN_pseudo_rand() was added in OpenSSL 0.9.5.
+BN_pseudo_rand() was added in OpenSSL 0.9.5. The B<top> == -1 case
+and the function BN_rand_range() were added in OpenSSL 0.9.6a.
=cut
#include <openssl/rand.h>
int RAND_egd(const char *path);
+ int RAND_egd_bytes(const char *path, int bytes);
=head1 DESCRIPTION
RAND_egd() queries the entropy gathering daemon EGD on socket B<path>.
+It queries 255 bytes and uses L<RAND_add(3)|RAND_add(3)> to seed the
+OpenSSL built-in PRNG. RAND_egd(path) is a wrapper for
+RAND_egd_bytes(path, 255);
+
+RAND_egd_bytes() queries the entropy gathering daemon EGD on socket B<path>.
+It queries B<bytes> bytes and uses L<RAND_add(3)|RAND_add(3)> to seed the
+OpenSSL built-in PRNG.
+This function is more flexible than RAND_egd().
+When only one secret key must
+be generated, it is not necessary to request the full amount 255 bytes from
+the EGD socket. This can be advantageous, since the amount of entropy
+that can be retrieved from EGD over time is limited.
+
+=head1 NOTES
+
+On systems without /dev/*random devices providing entropy from the kernel,
+the EGD entropy gathering daemon can be used to collect entropy. It provides
+a socket interface through which entropy can be gathered in chunks up to
+255 bytes. Several chunks can be queried during one connection.
EGD is available from http://www.lothar.com/tech/crypto/ (C<perl
Makefile.PL; make; make install> to install). It is run as B<egd>
random bytes that EGD has collected. The read is performed in
non-blocking mode.
-Alternatively, the EGD-compatible daemon PRNGD can be used. It is
+Alternatively, the EGD-interface compatible daemon PRNGD can be used. It is
available from
http://www.aet.tu-cottbus.de/personen/jaenicke/postfix_tls/prngd.html .
+PRNGD does employ an internal PRNG itself and can therefore never run
+out of entropy.
=head1 RETURN VALUE
-RAND_egd() returns the number of bytes read from the daemon on
-success, and -1 if the connection failed or the daemon did not return
-enough data to fully seed the PRNG.
+RAND_egd() and RAND_egd_bytes() return the number of bytes read from the
+daemon on success, and -1 if the connection failed or the daemon did not
+return enough data to fully seed the PRNG.
=head1 SEE ALSO
-L<rand(3)|rand(3)>, L<RAND_add(3)|RAND_add(3)>, L<RAND_cleanup(3)|RAND_cleanup(3)>
+L<rand(3)|rand(3)>, L<RAND_add(3)|RAND_add(3)>,
+L<RAND_cleanup(3)|RAND_cleanup(3)>
=head1 HISTORY
RAND_egd() is available since OpenSSL 0.9.5.
+RAND_egd_bytes() is available since OpenSSL 0.9.6.
+
=cut
int BN_rand(BIGNUM *rnd, int bits, int top, int bottom);
int BN_pseudo_rand(BIGNUM *rnd, int bits, int top, int bottom);
+ int BN_rand_range(BIGNUM *rnd, BIGNUM *range);
BIGNUM *BN_generate_prime(BIGNUM *ret, int bits,int safe, BIGNUM *add,
BIGNUM *rem, void (*callback)(int, int, void *), void *cb_arg);
=head1 SEE ALSO
-crypt(3), L<des_modes(3)|des_modes(3)>, L<evp(3)|evp(3)>, L<rand(3)|rand(3)>
+crypt(3), L<des_modes(7)|des_modes(7)>, L<evp(3)|evp(3)>, L<rand(3)|rand(3)>
=head1 HISTORY
=head1 DESCRIPTION
-The EVP library provided a high-level interface to cryptographic
+The EVP library provides a high-level interface to cryptographic
functions.
B<EVP_Seal>I<...> and B<EVP_Open>I<...> provide public key encryption
=head1 NAME
-SSL_CIPHER_get_name, SSL_CIPHER_get_bits, SSL_CIPHER_get_version,
-SSL_CIPHER_description - get SSL_CIPHER properties
+SSL_CIPHER_get_name, SSL_CIPHER_get_bits, SSL_CIPHER_get_version, SSL_CIPHER_description - get SSL_CIPHER properties
=head1 SYNOPSIS
SSL_CIPHER_description() returns a textual description of the cipher used
into the buffer B<buf> of length B<len> provided. B<len> must be at least
-128 bytes, otherwise the string "Buffer too small" is returned. If B<buf>
-is NULL, a buffer of 128 bytes is allocated using OPENSSL_malloc(). If the
-allocation fails, the string "OPENSSL_malloc Error" is returned.
+128 bytes, otherwise a pointer to the the string "Buffer too small" is
+returned. If B<buf> is NULL, a buffer of 128 bytes is allocated using
+OPENSSL_malloc(). If the allocation fails, a pointer to the string
+"OPENSSL_malloc Error" is returned.
=head1 NOTES
does use the full 128 bits (which would be returned for B<alg_bits>), of
which however 88bits are fixed. The search space is hence only 40 bits.
+The string returned by SSL_CIPHER_description() in case of success consists
+of cleartext information separated by one or more blanks in the following
+sequence:
+
+=over 4
+
+=item <ciphername>
+
+Textual representation of the cipher name.
+
+=item <protocol version>
+
+Protocol version: B<SSLv2>, B<SSLv3>. The TLSv1 ciphers are flagged with SSLv3.
+
+=item Kx=<key exchange>
+
+Key exchange method: B<RSA> (for export ciphers as B<RSA(512)> or
+B<RSA(1024)>), B<DH> (for export ciphers as B<DH(512)> or B<DH(1024)>),
+B<DH/RSA>, B<DH/DSS>, B<Fortezza>.
+
+=item Au=<authentication>
+
+Authentication method: B<RSA>, B<DSS>, B<DH>, B<None>. None is the
+representation of anonymous ciphers.
+
+=item Enc=<symmetric encryption method>
+
+Encryption method with number of secret bits: B<DES(40)>, B<DES(56)>,
+B<3DES(168)>, B<RC4(40)>, B<RC4(56)>, B<RC4(64)>, B<RC4(128)>,
+B<RC2(40)>, B<RC2(56)>, B<RC2(128)>, B<IDEA(128)>, B<Fortezza>, B<None>.
+
+=item Mac=<message authentication code>
+
+Message digest: B<MD5>, B<SHA1>.
+
+=item <export flag>
+
+If the cipher is flagged exportable with respect to old US crypto
+regulations, the word "B<export>" is printed.
+
+=back
+
+=head1 EXAMPLES
+
+Some examples for the output of SSL_CIPHER_description():
+
+ EDH-RSA-DES-CBC3-SHA SSLv3 Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1
+ EDH-DSS-DES-CBC3-SHA SSLv3 Kx=DH Au=DSS Enc=3DES(168) Mac=SHA1
+ RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
+ EXP-RC4-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
+
=head1 BUGS
If SSL_CIPHER_description() is called with B<cipher> being NULL, the
library crashes.
+If SSL_CIPHER_description() cannot handle a built-in cipher, the according
+description of the cipher property is B<unknown>. This case should not
+occur.
+
=head1 RETURN VALUES
See DESCRIPTION
=head1 SEE ALSO
L<ssl(3)|ssl(3)>, L<SSL_get_current_cipher(3)|SSL_get_current_cipher(3)>,
-L<SSL_get_ciphers(3)|SSL_get_ciphers(3)>
+L<SSL_get_ciphers(3)|SSL_get_ciphers(3)>, L<ciphers(1)|ciphers(1)>
=cut
the reference count has reached 0.
It also calls the free()ing procedures for indirectly affected items, if
-applicable: the session cacahe, the list of ciphers, the list of Client CAs,
+applicable: the session cache, the list of ciphers, the list of Client CAs,
the certificates and keys.
=head1 RETURN VALUES
=item SSLv3_method(void), SSLv3_server_method(void), SSLv3_client_method(void)
A TLS/SSL connection established with these methods will only understand the
-SSLv3 and TLSv1 protocol. A client will send out SSLv3 client hello messages
-and will indicate that it also understands TLSv1. A server will only understand
-SSLv3 and TLSv1 client hello messages. This especially means, that it will
+SSLv3 protocol. A client will send out SSLv3 client hello messages
+and will indicate that it only understands SSLv3. A server will only understand
+SSLv3 client hello messages. This especially means, that it will
not understand SSLv2 client hello messages which are widely used for
compatibility reasons, see SSLv23_*_method().
and will indicate that it only understands TLSv1. A server will only understand
TLSv1 client hello messages. This especially means, that it will
not understand SSLv2 client hello messages which are widely used for
-compatibility reasons, see SSLv23_*_method().
+compatibility reasons, see SSLv23_*_method(). It will also not understand
+SSLv3 client hello messages.
=item SSLv23_method(void), SSLv23_server_method(void), SSLv23_client_method(void)
=back
+If a generic method is used, it is necessary to explicitly set client or
+server mode with L<SSL_set_connect_state(3)|SSL_set_connect_state(3)>
+or SSL_set_accept_state().
+
The list of protocols available can later be limited using the SSL_OP_NO_SSLv2,
SSL_OP_NO_SSLv3, SSL_OP_NO_TLSv1 options of the B<SSL_CTX_set_options()> or
B<SSL_set_options()> functions. Using these options it is possible to choose
=head1 SEE ALSO
L<SSL_CTX_free(3)|SSL_CTX_free(3)>, L<SSL_accept(3)|SSL_accept(3)>,
-L<ssl(3)|ssl(3)>
+L<ssl(3)|ssl(3)>, L<SSL_set_connect_state(3)|SSL_set_connect_state(3)>
=cut
=head1 NAME
-SSL_CTX_set_cipher_list, SSL_set_cipher_list
-- choose list of available SSL_CIPHERs
+SSL_CTX_set_cipher_list, SSL_set_cipher_list - choose list of available SSL_CIPHERs
=head1 SYNOPSIS
=head1 SEE ALSO
L<ssl(3)|ssl(3)>, L<SSL_get_ciphers(3)|SSL_get_ciphers(3)>,
+L<SSL_CTX_use_certificate(3)|SSL_CTX_use_certificate(3)>,
L<ciphers(1)|ciphers(1)>
=cut
SSL_CTX_set_ssl_version() sets a new default TLS/SSL B<method> for SSL objects
newly created from this B<ctx>. SSL objects already created with
-L<SSL_new(3)|SSL_new(3)> are not affected, except when SSL_clear() is
-being called.
+L<SSL_new(3)|SSL_new(3)> are not affected, except when
+L<SSL_clear(3)|SSL_clear(3)> is being called.
SSL_set_ssl_method() sets a new TLS/SSL B<method> for a particular B<ssl>
object. It may be reset, when SSL_clear() is called.
The available B<method> choices are described in
L<SSL_CTX_new(3)|SSL_CTX_new(3)>.
-When SSL_clear() is called and no session is connected to an SSL object,
-the method of the SSL object is reset to the method currently set in
-the corresponding SSL_CTX object.
+When L<SSL_clear(3)|SSL_clear(3)> is called and no session is connected to
+an SSL object, the method of the SSL object is reset to the method currently
+set in the corresponding SSL_CTX object.
=head1 RETURN VALUES
=head1 SEE ALSO
L<SSL_CTX_new(3)|SSL_CTX_new(3)>, L<SSL_new(3)|SSL_new(3)>,
-L<SSL_clear(3)|SSL_clear(3)>, L<ssl(3)|ssl(3)>
+L<SSL_clear(3)|SSL_clear(3)>, L<ssl(3)|ssl(3)>,
+L<SSL_set_connect_state(3)|SSL_set_connect_state(3)>
=cut
condition. When using a buffering BIO, like a BIO pair, data must be written
into or retrieved out of the BIO before being able to continue.
+When using a generic method (see L<SSL_CTX_new(3)|SSL_CTX_new(3)>), it
+is necessary to call SSL_set_accept_state()
+before calling SSL_accept() to explicitly switch the B<ssl> to server
+mode.
+
=head1 RETURN VALUES
The following return values can occur:
by the specifications of the TLS/SSL protocol. Call SSL_get_error() with the
return value B<ret> to find out the reason.
-=item -1
+=item E<lt>0
The TLS/SSL handshake was not successful because a fatal error occurred either
at the protocol level or a connection failure occurred. The shutdown was
=head1 SEE ALSO
L<SSL_get_error(3)|SSL_get_error(3)>, L<SSL_connect(3)|SSL_connect(3)>,
-L<SSL_shutdown(3)|SSL_shutdown(3)>, L<ssl(3)|ssl(3)>, L<bio(3)|bio(3)>
+L<SSL_shutdown(3)|SSL_shutdown(3)>, L<ssl(3)|ssl(3)>, L<bio(3)|bio(3)>,
+L<SSL_set_connect_state(3)|SSL_set_connect_state(3)>,
+L<SSL_CTX_new(3)|SSL_CTX_new(3)>
=cut
=head1 DESCRIPTION
Reset B<ssl> to allow another connection. All settings (method, ciphers,
-BIOs) are kept. A completely negotiated B<SSL_SESSION> is not freed but left
-untouched for the underlying B<SSL_CTX>.
+BIOs) are kept.
+
+=head1 NOTES
+
+SSL_clear is used to prepare an SSL object for a new connection. While all
+settings are kept, a side effect is the handling of the current SSL session.
+If a session is still B<open>, it is considered bad and will be removed
+from the session cache, as required by RFC2246. A session is considered open,
+if L<SSL_shutdown(3)|SSL_shutdown(3)> was not called for the connection
+or at least L<SSL_set_shutdown(3)|SSL_set_shutdown(3)> was used to
+set the SSL_SENT_SHUTDOWN state.
=head1 RETURN VALUES
=back
L<SSL_new(3)|SSL_new(3)>, L<SSL_free(3)|SSL_free(3)>,
-L<ssl(3)|ssl(3)>
+L<SSL_shutdown(3)|SSL_shutdown(3)>, L<SSL_set_shutdown(3)|SSL_set_shutdown(3)>,
+L<SSL_CTX_set_options(3)|SSL_CTX_set_options(3)>, L<ssl(3)|ssl(3)>
=cut
condition. When using a buffering BIO, like a BIO pair, data must be written
into or retrieved out of the BIO before being able to continue.
+When using a generic method (see L<SSL_CTX_new(3)|SSL_CTX_new(3)>), it
+is necessary to call L<SSL_set_connect_state(3)|SSL_set_connect_state(3)>
+before calling SSL_connect() to explicitly switch the B<ssl> to client
+mode.
+
=head1 RETURN VALUES
The following return values can occur:
by the specifications of the TLS/SSL protocol. Call SSL_get_error() with the
return value B<ret> to find out the reason.
-=item -1
+=item E<lt>0
The TLS/SSL handshake was not successful, because a fatal error occurred either
at the protocol level or a connection failure occurred. The shutdown was
=head1 SEE ALSO
L<SSL_get_error(3)|SSL_get_error(3)>, L<SSL_accept(3)|SSL_accept(3)>,
-L<SSL_shutdown(3)|SSL_shutdown(3)>, L<ssl(3)|ssl(3)> , L<bio(3)|bio(3)>
+L<SSL_shutdown(3)|SSL_shutdown(3)>, L<ssl(3)|ssl(3)>, L<bio(3)|bio(3)>,
+L<SSL_set_connect_state(3)|SSL_set_connect_state(3)>,
+L<SSL_CTX_new(3)|SSL_CTX_new(3)>
=cut
structure pointed to by B<ssl> and frees up the allocated memory if the
the reference count has reached 0.
-It also calls the free()ing procedures for indirectly affected items, if
+=head1 NOTES
+
+SSL_free() also calls the free()ing procedures for indirectly affected items, if
applicable: the buffering BIO, the read and write BIOs,
cipher lists specially created for this B<ssl>, the B<SSL_SESSION>.
Do not explicitly free these indirectly freed up items before or after
calling SSL_free(), as trying to free things twice may lead to program
failure.
+The ssl session has reference counts from two users: the SSL object, for
+which the reference count is removed by SSL_free() and the internal
+session cache. If the session is considered bad, because
+L<SSL_shutdown(3)|SSL_shutdown(3)> was not called for the connection
+and L<SSL_set_shutdown(3)|SSL_set_shutdown(3)> was not used to set the
+SSL_SENT_SHUTDOWN state, the session will also be removed
+from the session cache as required by RFC2246.
+
=head1 RETURN VALUES
SSL_free() does not provide diagnostic information.
L<SSL_new(3)|SSL_new(3)>, L<SSL_clear(3)|SSL_clear(3)>,
+L<SSL_shutdown(3)|SSL_shutdown(3)>, L<SSL_set_shutdown(3)|SSL_set_shutdown(3)>,
L<ssl(3)|ssl(3)>
=cut
SSL_get_error() returns a result code (suitable for the C "switch"
statement) for a preceding call to SSL_connect(), SSL_accept(),
-SSL_read(), or SSL_write() on B<ssl>. The value returned by that
-TLS/SSL I/O function must be passed to SSL_get_error() in parameter
+SSL_read(), SSL_peek(), or SSL_write() on B<ssl>. The value returned by
+that TLS/SSL I/O function must be passed to SSL_get_error() in parameter
B<ret>.
In addition to B<ssl> and B<ret>, SSL_get_error() inspects the
=item SSL_ERROR_WANT_READ, SSL_ERROR_WANT_WRITE
The operation did not complete; the same TLS/SSL I/O function should be
-called again later. There will be protocol progress if, by then, the
-underlying B<BIO> has data available for reading (if the result code is
-B<SSL_ERROR_WANT_READ>) or allows writing data (B<SSL_ERROR_WANT_WRITE>).
-For socket B<BIO>s (e.g. when SSL_set_fd() was used) this means that
-select() or poll() on the underlying socket can be used to find out
-when the TLS/SSL I/O function should be retried.
+called again later. If, by then, the underlying B<BIO> has data
+available for reading (if the result code is B<SSL_ERROR_WANT_READ>)
+or allows writing data (B<SSL_ERROR_WANT_WRITE>), then some TLS/SSL
+protocol progress will take place, i.e. at least part of an TLS/SSL
+record will be read or written. Note that the retry may again lead to
+a B<SSL_ERROR_WANT_READ> or B<SSL_ERROR_WANT_WRITE> condition.
+There is no fixed upper limit for the number of iterations that
+may be necessary until progress becomes visible at application
+protocol level.
+
+For socket B<BIO>s (e.g. when SSL_set_fd() was used), select() or
+poll() on the underlying socket can be used to find out when the
+TLS/SSL I/O function should be retried.
Caveat: Any TLS/SSL I/O function can lead to either of
-B<SSL_ERROR_WANT_READ> and B<SSL_ERROR_WANT_WRITE>, i.e. SSL_read()
-may want to write data and SSL_write() may want to read data.
+B<SSL_ERROR_WANT_READ> and B<SSL_ERROR_WANT_WRITE>. In particular,
+SSL_read() or SSL_peek() may want to write data and SSL_write() may want
+to read data. This is mainly because TLS/SSL handshakes may occur at any
+time during the protocol (initiated by either the client or the server);
+SSL_read(), SSL_peek(), and SSL_write() will handle any pending handshakes.
=item SSL_ERROR_WANT_X509_LOOKUP
SSL_get_peer_cert_chain() returns a pointer to STACKOF(X509) certificates
forming the certificate chain of the peer. If called on the client side,
the stack also contains the peer's certificate; if called on the server
-side, the peer's certificate must be obtained seperately using
+side, the peer's certificate must be obtained separately using
L<SSL_get_peer_certificate(3)|SSL_get_peer_certificate(3)>.
If the peer did not present a certificate, NULL is returned.
The reference count of the X509 object is incremented by one, so that it
will not be destroyed when the session containing the peer certificate is
-freed. The X509 object must be explicitely freed using X509_free().
+freed. The X509 object must be explicitly freed using X509_free().
=head1 RETURN VALUES
SSL_get_session() returns a pointer to the B<SSL_SESSION> actually used in
B<ssl>. The reference count of the B<SSL_SESSION> is not incremented, so
-that the pointer can become invalid when the B<ssl> is freed and
-SSL_SESSION_free() is implicitly called.
+that the pointer can become invalid by other operations.
SSL_get0_session() is the same as SSL_get_session().
SSL_get1_session() is the same as SSL_get_session(), but the reference
count of the B<SSL_SESSION> is incremented by one.
+=head1 NOTES
+
+The ssl session contains all information required to re-establish the
+connection without a new handshake.
+
+SSL_get0_session() returns a pointer to the actual session. As the
+reference counter is not incremented, the pointer is only valid while
+the connection is in use. If L<SSL_clear(3)|SSL_clear(3)> or
+L<SSL_free(3)|SSL_free(3)> is called, the session may be removed completely
+(if considered bad), and the pointer obtained will become invalid. Even
+if the session is valid, it can be removed at any time due to timeout
+during L<SSL_CTX_flush_sessions(3)|SSL_CTX_flush_sessions(3)>.
+
+If the data is to be kept, SSL_get1_session() will increment the reference
+count and the session will stay in memory until explicitly freed with
+L<SSL_SESSION_free(3)|SSL_SESSION_free(3)>, regardless of its state.
+
=head1 RETURN VALUES
The following return values can occur:
=head1 SEE ALSO
L<ssl(3)|ssl(3)>, L<SSL_free(3)|SSL_free(3)>,
+L<SSL_clear(3)|SSL_clear(3)>,
L<SSL_SESSION_free(3)|SSL_SESSION_free(3)>
=cut
SSL_get_verify_result() can only return one error code while the verification
of a certificate can fail because of many reasons at the same time. Only
-the last verification error that occured during the processing is available
+the last verification error that occurred during the processing is available
from SSL_get_verify_result().
The verification result is part of the established session and is restored
=head1 BUGS
If no peer certificate was presented, the returned result code is
-X509_V_OK. This is because no verification error occured, it does however
+X509_V_OK. This is because no verification error occurred, it does however
not indicate success. SSL_get_verify_result() is only useful in connection
with L<SSL_get_peer_certificate(3)|SSL_get_peer_certificate(3)>.
=head1 SEE ALSO
L<SSL_free(3)|SSL_free(3)>, L<SSL_clear(3)|SSL_clear(3)>,
+L<SSL_CTX_set_options(3)|SSL_CTX_set_options(3)>,
L<ssl(3)|ssl(3)>
=cut
The number of bytes pending is returned.
+=head1 BUGS
+
+SSL_pending() takes into account only bytes from the TLS/SSL record
+that is currently being processed (if any). If the B<SSL> object's
+I<read_ahead> flag is set, additional protocol bytes may have been
+read containing more TLS/SSL records; these are ignored by
+SSL_pending().
+
+Up to OpenSSL 0.9.6, SSL_pending() does not check if the record type
+of pending data is application data.
+
+=head1 SEE ALSO
+
L<SSL_read(3)|SSL_read(3)>, L<ssl(3)|ssl(3)>
=cut
#include <openssl/ssl.h>
- int SSL_read(SSL *ssl, char *buf, int num);
+ int SSL_read(SSL *ssl, void *buf, int num);
=head1 DESCRIPTION
=head1 NOTES
If necessary, SSL_read() will negotiate a TLS/SSL session, if
-not already explicitly performed by SSL_connect() or SSL_accept(). If the
+not already explicitly performed by L<SSL_connect(3)|SSL_connect(3)> or
+L<SSL_accept(3)|SSL_accept(3)>. If the
peer requests a re-negotiation, it will be performed transparently during
the SSL_read() operation. The behaviour of SSL_read() depends on the
underlying BIO.
+For the transparent negotiation to succeed, the B<ssl> must have been
+initialized to client or server mode. This is not the case if a generic
+method is being used (see L<SSL_CTX_new(3)|SSL_CTX_new(3)>, so that
+L<SSL_set_connect_state(3)|SSL_set_connect_state(3)> or SSL_set_accept_state()
+must be used before the first call to an SSL_read() or
+L<SSL_write(3)|SSL_write(3)> function.
+
If the underlying BIO is B<blocking>, SSL_read() will only return, once the
-read operation has been finished or an error occurred.
+read operation has been finished or an error occurred, except when a
+renegotiation take place, in which case a SSL_ERROR_WANT_READ may occur.
+This behaviour can be controlled with the SSL_MODE_AUTO_RETRY flag of the
+L<SSL_CTX_set_mode(3)|SSL_CTX_set_mode(3)> call.
If the underlying BIO is B<non-blocking>, SSL_read() will also return
when the underlying BIO could not satisfy the needs of SSL_read()
-to continue the operation. In this case a call to SSL_get_error() with the
+to continue the operation. In this case a call to
+L<SSL_get_error(3)|SSL_get_error(3)> with the
return value of SSL_read() will yield B<SSL_ERROR_WANT_READ> or
B<SSL_ERROR_WANT_WRITE>. As at any time a re-negotiation is possible, a
call to SSL_read() can also cause write operations! The calling process
available. Call SSL_get_error() with the return value B<ret> to find out,
whether an error occurred.
-=item -1
+=item E<lt>0
The read operation was not successful, because either an error occurred
or action must be taken by the calling process. Call SSL_get_error() with the
=head1 SEE ALSO
L<SSL_get_error(3)|SSL_get_error(3)>, L<SSL_write(3)|SSL_write(3)>,
+L<SSL_CTX_set_mode(3)|SSL_CTX_set_mode(3)>, L<SSL_CTX_new(3)|SSL_CTX_new(3)>,
+L<SSL_connect(3)|SSL_connect(3)>, L<SSL_accept(3)|SSL_accept(3)>
+L<SSL_set_connect_state(3)|SSL_set_connect_state(3)>,
L<ssl(3)|ssl(3)>, L<bio(3)|bio(3)>
=cut
=head1 SEE ALSO
-L<ssl(3)|ssl(3)>, L<SSL_SESSION_free(3)|SSL_SESSION_free(3)>
+L<ssl(3)|ssl(3)>, L<SSL_SESSION_free(3)|SSL_SESSION_free(3)>,
+L<SSL_CTX_set_session_cache_mode(3)|SSL_CTX_set_session_cache_mode(3)>
=cut
=head1 DESCRIPTION
-SSL_shutdown() shuts down an active TLS/SSL connection. It sends the shutdown
-alert to the peer. The behaviour of SSL_shutdown() depends on the underlying
-BIO.
+SSL_shutdown() shuts down an active TLS/SSL connection. It sends the
+"close notify" shutdown alert to the peer.
+
+=head1 NOTES
+
+SSL_shutdown() tries to send the "close notify" shutdown alert to the peer.
+Whether the operation succeeds or not, the SSL_SENT_SHUTDOWN flag is set and
+a currently open session is considered closed and good and will be kept in the
+session cache for further reuse.
+
+The behaviour of SSL_shutdown() depends on the underlying BIO.
If the underlying BIO is B<blocking>, SSL_shutdown() will only return once the
handshake has been finished or an error occurred.
=head1 SEE ALSO
L<SSL_get_error(3)|SSL_get_error(3)>, L<SSL_connect(3)|SSL_connect(3)>,
-L<SSL_accept(3)|SSL_accept(3)>, L<ssl(3)|ssl(3)>, L<bio(3)|bio(3)>
+L<SSL_accept(3)|SSL_accept(3)>, L<SSL_set_shutdown(3)|SSL_set_shutdown(3)>,
+L<SSL_clear(3)|SSL_clear(3), L<SSL_free(3)|SSL_free(3)>,
+L<ssl(3)|ssl(3)>, L<bio(3)|bio(3)>
=cut
=head1 NAME
-SSL_read - write bytes to a TLS/SSL connection.
+SSL_write - write bytes to a TLS/SSL connection.
=head1 SYNOPSIS
#include <openssl/ssl.h>
- int SSL_write(SSL *ssl, char *buf, int num);
+ int SSL_write(SSL *ssl, const void *buf, int num);
=head1 DESCRIPTION
=head1 NOTES
If necessary, SSL_write() will negotiate a TLS/SSL session, if
-not already explicitly performed by SSL_connect() or SSL_accept(). If the
+not already explicitly performed by L<SSL_connect(3)|SSL_connect(3)> or
+L<SSL_accept(3)|SSL_accept(3)>. If the
peer requests a re-negotiation, it will be performed transparently during
the SSL_write() operation. The behaviour of SSL_write() depends on the
underlying BIO.
+For the transparent negotiation to succeed, the B<ssl> must have been
+initialized to client or server mode. This is not the case if a generic
+method is being used (see L<SSL_CTX_new(3)|SSL_CTX_new(3)>, so that
+L<SSL_set_connect_state(3)|SSL_set_connect_state(3)> or SSL_set_accept_state()
+must be used before the first call to an L<SSL_read(3)|SSL_read(3)>
+or SSL_write() function.
+
If the underlying BIO is B<blocking>, SSL_write() will only return, once the
-write operation has been finished or an error occurred.
+write operation has been finished or an error occurred, except when a
+renegotiation take place, in which case a SSL_ERROR_WANT_READ may occur.
+This behaviour can be controlled with the SSL_MODE_AUTO_RETRY flag of the
+L<SSL_CTX_set_mode(3)|SSL_CTX_set_mode(3)> call.
If the underlying BIO is B<non-blocking>, SSL_write() will also return,
when the underlying BIO could not satisfy the needs of SSL_write()
-to continue the operation. In this case a call to SSL_get_error() with the
+to continue the operation. In this case a call to
+L<SSL_get_error(3)|SSL_get_error(3)> with the
return value of SSL_write() will yield B<SSL_ERROR_WANT_READ> or
B<SSL_ERROR_WANT_WRITE>. As at any time a re-negotiation is possible, a
-call to SSL_write() can also cause write operations! The calling process
+call to SSL_write() can also cause read operations! The calling process
then must repeat the call after taking appropriate action to satisfy the
needs of SSL_write(). The action depends on the underlying BIO. When using a
non-blocking socket, nothing is to be done, but select() can be used to check
The write operation was not successful. Call SSL_get_error() with the return
value B<ret> to find out, whether an error occurred.
-=item -1
+=item E<lt>0
-The read operation was not successful, because either an error occurred
+The write operation was not successful, because either an error occurred
or action must be taken by the calling process. Call SSL_get_error() with the
return value B<ret> to find out the reason.
=head1 SEE ALSO
L<SSL_get_error(3)|SSL_get_error(3)>, L<SSL_read(3)|SSL_read(3)>,
+L<SSL_CTX_set_mode(3)|SSL_CTX_set_mode(3)>, L<SSL_CTX_new(3)|SSL_CTX_new(3)>,
+L<SSL_connect(3)|SSL_connect(3)>, L<SSL_accept(3)|SSL_accept(3)>
+L<SSL_set_connect_state(3)|SSL_set_connect_state(3)>,
L<ssl(3)|ssl(3)>, L<bio(3)|bio(3)>
=cut
Transport Layer Security (TLS v1) protocols. It provides a rich API which is
documented here.
+At first the library must be initialized; see
+L<SSL_library_init(3)|SSL_library_init(3)>.
+
+Then an B<SSL_CTX> object is created as a framework to establish
+TLS/SSL enabled connections (see L<SSL_CTX_new(3)|SSL_CTX_new(3)>).
+Various options regarding certificates, algorithms etc. can be set
+in this object.
+
+When a network connection has been created, it can be assigned to an
+B<SSL> object. After the B<SSL> object has been created using
+L<SSL_new(3)|SSL_new(3)>, L<SSL_set_fd(3)|SSL_set_fd(3)> or
+L<SSL_set_bio(3)|SSL_set_bio(3)> can be used to associate the network
+connection with the object.
+
+Then the TLS/SSL handshake is performed using
+L<SSL_accept(3)|SSL_accept(3)> or L<SSL_connect(3)|SSL_connect(3)>
+respectively.
+L<SSL_read(3)|SSL_read(3)> and L<SSL_write(3)|SSL_write(3)> are used
+to read and write data on the TLS/SSL connection.
+L<SSL_shutdown(3)|SSL_shutdown(3)> can be used to shut down the
+TLS/SSL connection.
+
+=head1 DATA STRUCTURES
+
+Currently the OpenSSL B<ssl> library functions deals with the following data
+structures:
+
+=over 4
+
+=item B<SSL_METHOD> (SSL Method)
+
+That's a dispatch structure describing the internal B<ssl> library
+methods/functions which implement the various protocol versions (SSLv1, SSLv2
+and TLSv1). It's needed to create an B<SSL_CTX>.
+
+=item B<SSL_CIPHER> (SSL Cipher)
+
+This structure holds the algorithm information for a particular cipher which
+are a core part of the SSL/TLS protocol. The available ciphers are configured
+on a B<SSL_CTX> basis and the actually used ones are then part of the
+B<SSL_SESSION>.
+
+=item B<SSL_CTX> (SSL Context)
+
+That's the global context structure which is created by a server or client
+once per program life-time and which holds mainly default values for the
+B<SSL> structures which are later created for the connections.
+
+=item B<SSL_SESSION> (SSL Session)
+
+This is a structure containing the current TLS/SSL session details for a
+connection: B<SSL_CIPHER>s, client and server certificates, keys, etc.
+
+=item B<SSL> (SSL Connection)
+
+That's the main SSL/TLS structure which is created by a server or client per
+established connection. This actually is the core structure in the SSL API.
+Under run-time the application usually deals with this structure which has
+links to mostly all other structures.
+
+=back
+
+
=head1 HEADER FILES
Currently the OpenSSL B<ssl> library provides the following C header files
=back
-=head1 DATA STRUCTURES
-
-Currently the OpenSSL B<ssl> library functions deals with the following data
-structures:
-
-=over 4
-
-=item B<SSL_METHOD> (SSL Method)
-
-That's a dispatch structure describing the internal B<ssl> library
-methods/functions which implement the various protocol versions (SSLv1, SSLv2
-and TLSv1). It's needed to create an B<SSL_CTX>.
-
-=item B<SSL_CIPHER> (SSL Cipher)
-
-This structure holds the algorithm information for a particular cipher which
-are a core part of the SSL/TLS protocol. The available ciphers are configured
-on a B<SSL_CTX> basis and the actually used ones are then part of the
-B<SSL_SESSION>.
-
-=item B<SSL_CTX> (SSL Context)
-
-That's the global context structure which is created by a server or client
-once per program life-time and which holds mainly default values for the
-B<SSL> structures which are later created for the connections.
-
-=item B<SSL_SESSION> (SSL Session)
-
-This is a structure containing the current TLS/SSL session details for a
-connection: B<SSL_CIPHER>s, client and server certificates, keys, etc.
-
-=item B<SSL> (SSL Connection)
-
-That's the main SSL/TLS structure which is created by a server or client per
-established connection. This actually is the core structure in the SSL API.
-Under run-time the application usually deals with this structure which has
-links to mostly all other structures.
-
-=back
-
=head1 API FUNCTIONS
Currently the OpenSSL B<ssl> library exports 214 API functions.
=item long B<SSL_num_renegotiations>(SSL *ssl);
-=item int B<SSL_peek>(SSL *ssl, char *buf, int num);
+=item int B<SSL_peek>(SSL *ssl, void *buf, int num);
=item int B<SSL_pending>(SSL *ssl);
-=item int B<SSL_read>(SSL *ssl, char *buf, int num);
+=item int B<SSL_read>(SSL *ssl, void *buf, int num);
=item int B<SSL_renegotiate>(SSL *ssl);
=item int B<SSL_want_x509_lookup>(s);
-=item int B<SSL_write>(SSL *ssl, char *buf, int num);
+=item int B<SSL_write>(SSL *ssl, const void *buf, int num);
=back
L<openssl(1)|openssl(1)>, L<crypto(3)|crypto(3)>,
L<SSL_accept(3)|SSL_accept(3)>, L<SSL_clear(3)|SSL_clear(3)>,
-L<SSL_connect(3)|SSL_connect(3)>, L<SSL_CTX_new(3)|SSL_CTX_new(3)>,
+L<SSL_connect(3)|SSL_connect(3)>,
+L<SSL_CIPHER_get_name(3)|SSL_CIPHER_get_name(3)>,
+L<SSL_CTX_add_extra_chain_cert(3)|SSL_CTX_add_extra_chain_cert(3)>,
+L<SSL_CTX_add_session(3)|SSL_CTX_add_session(3)>,
+L<SSL_CTX_flush_sessions(3)|SSL_CTX_flush_sessions(3)>,
+L<SSL_CTX_get_ex_new_index(3)|SSL_CTX_get_ex_new_index(3)>,
+L<SSL_CTX_get_verify_mode(3)|SSL_CTX_get_verify_mode(3)>,
+L<SSL_CTX_load_verify_locations(3)|SSL_CTX_load_verify_locations(3)>
+L<SSL_CTX_new(3)|SSL_CTX_new(3)>,
+L<SSL_CTX_sess_number(3)|SSL_CTX_sess_number(3)>,
+L<SSL_CTX_sess_set_cache_size(3)|SSL_CTX_sess_set_cache_size(3)>,
+L<SSL_CTX_sess_set_get_cb(3)|SSL_CTX_sess_set_get_cb(3)>,
+L<SSL_CTX_sessions(3)|SSL_CTX_sessions(3)>,
+L<SSL_CTX_set_client_CA_list(3)|SSL_CTX_set_client_CA_list(3)>,
+L<SSL_CTX_set_default_passwd_cb(3)|SSL_CTX_set_default_passwd_cb(3)>,
+L<SSL_CTX_set_mode(3)|SSL_CTX_set_mode(3)>,
+L<SSL_CTX_set_options(3)|SSL_CTX_set_options(3)>,
+L<SSL_CTX_set_session_cache_mode(3)|SSL_CTX_set_session_cache_mode(3)>,
+L<SSL_CTX_set_session_id_context(3)|SSL_CTX_set_session_id_context(3)>,
L<SSL_CTX_set_ssl_version(3)|SSL_CTX_set_ssl_version(3)>,
+L<SSL_CTX_set_timeout(3)|SSL_CTX_set_timeout(3)>,
+L<SSL_CTX_set_verify(3)|SSL_CTX_set_verify(3)>,
+L<SSL_CTX_use_certificate(3)|SSL_CTX_use_certificate(3)>,
L<SSL_get_ciphers(3)|SSL_get_ciphers(3)>,
-L<SSL_get_error(3)|SSL_get_error(3)>, L<SSL_get_fd(3)|SSL_get_fd(3)>,
+L<SSL_get_client_CA_list(3)|SSL_get_client_CA_list(3)>,
+L<SSL_get_error(3)|SSL_get_error(3)>,
+L<SSL_get_ex_data_X509_STORE_CTX_idx(3)|SSL_get_ex_data_X509_STORE_CTX_idx(3)>,
+L<SSL_get_ex_new_index(3)|SSL_get_ex_new_index(3)>,
+L<SSL_get_fd(3)|SSL_get_fd(3)>,
L<SSL_get_peer_cert_chain(3)|SSL_get_peer_cert_chain(3)>,
L<SSL_get_rbio(3)|SSL_get_rbio(3)>,
L<SSL_get_session(3)|SSL_get_session(3)>,
L<SSL_get_verify_result(3)|SSL_get_verify_result(3)>,
-L<SSL_library_init(3)|SSL_library_init(3)>, L<SSL_new(3)|SSL_new(3)>,
+L<SSL_get_version(3)|SSL_get_version(3)>,
+L<SSL_library_init(3)|SSL_library_init(3)>,
+L<SSL_load_client_CA_file(3)|SSL_load_client_CA_file(3)>,
+L<SSL_new(3)|SSL_new(3)>,
L<SSL_read(3)|SSL_read(3)>, L<SSL_set_bio(3)|SSL_set_bio(3)>,
+L<SSL_set_connect_state(3)|SSL_set_connect_state(3)>,
L<SSL_set_fd(3)|SSL_set_fd(3)>, L<SSL_pending(3)|SSL_pending(3)>,
L<SSL_set_session(3)|SSL_set_session(3)>,
+L<SSL_set_shutdown(3)|SSL_set_shutdown(3)>,
L<SSL_shutdown(3)|SSL_shutdown(3)>, L<SSL_write(3)|SSL_write(3)>,
-L<SSL_SESSION_free(3)|SSL_SESSION_free(3)>
+L<SSL_SESSION_free(3)|SSL_SESSION_free(3)>,
+L<SSL_SESSION_get_ex_new_index(3)|SSL_SESSION_get_ex_new_index(3)>,
+L<SSL_SESSION_get_time(3)|SSL_SESSION_get_time(3)>,
+L<d2i_SSL_SESSION(3)|d2i_SSL_SESSION(3)>
=head1 HISTORY
EXAMPLES.
-So lets play at being a wierd SSL server.
+So lets play at being a weird SSL server.
/* setup a context */
ctx=SSL_CTX_new();
-@echo=off\r
+@echo off\r
\r
set test=..\ms\r
set opath=%PATH%\r
lib: $(LIBOBJ)
$(AR) $(LIB) $(LIBOBJ)
- $(RANLIB) $(LIB)
+ @echo You may get an error following this line. Please ignore.
+ - $(RANLIB) $(LIB)
@touch lib
files:
lib: $(LIBOBJ)
$(AR) $(LIB) $(LIBOBJ)
- $(RANLIB) $(LIB)
+ @echo You may get an error following this line. Please ignore.
+ - $(RANLIB) $(LIB)
@touch lib
files:
static int ssl23_num_ciphers(void );
static SSL_CIPHER *ssl23_get_cipher(unsigned int u);
static int ssl23_read(SSL *s, void *buf, int len);
+static int ssl23_peek(SSL *s, void *buf, int len);
static int ssl23_write(SSL *s, const void *buf, int len);
static long ssl23_default_timeout(void );
static int ssl23_put_cipher_by_char(const SSL_CIPHER *c, unsigned char *p);
ssl_undefined_function,
ssl_undefined_function,
ssl23_read,
- (int (*)(struct ssl_st *, char *, int))ssl_undefined_function,
+ ssl23_peek,
ssl23_write,
ssl_undefined_function,
ssl_undefined_function,
{
int n;
-#if 0
- if (s->shutdown & SSL_RECEIVED_SHUTDOWN)
- {
- s->rwstate=SSL_NOTHING;
- return(0);
- }
-#endif
clear_sys_error();
if (SSL_in_init(s) && (!s->in_handshake))
{
}
}
-static int ssl23_write(SSL *s, const void *buf, int len)
+static int ssl23_peek(SSL *s, void *buf, int len)
{
int n;
-#if 0
- if (s->shutdown & SSL_SENT_SHUTDOWN)
+ clear_sys_error();
+ if (SSL_in_init(s) && (!s->in_handshake))
+ {
+ n=s->handshake_func(s);
+ if (n < 0) return(n);
+ if (n == 0)
+ {
+ SSLerr(SSL_F_SSL23_PEEK,SSL_R_SSL_HANDSHAKE_FAILURE);
+ return(-1);
+ }
+ return(SSL_peek(s,buf,len));
+ }
+ else
{
- s->rwstate=SSL_NOTHING;
- return(0);
+ ssl_undefined_function(s);
+ return(-1);
}
-#endif
+ }
+
+static int ssl23_write(SSL *s, const void *buf, int len)
+ {
+ int n;
+
clear_sys_error();
if (SSL_in_init(s) && (!s->in_handshake))
{
static SSL_METHOD *ssl23_get_method(int ver)
{
if (ver == SSL2_VERSION)
- return(SSLv23_method());
+ return(SSLv2_method());
else if (ver == SSL3_VERSION)
return(SSLv3_method());
else if (ver == TLS1_VERSION)
goto err;
}
ERR_clear_error(); /* but we keep s->verify_result */
+ s->session->verify_result = s->verify_result;
/* server's cert for this session */
sc=ssl_sess_cert_new();
int ssl2_pending(SSL *s)
{
- return(s->s2->ract_data_length);
+ return SSL_in_init(s) ? 0 : s->s2->ract_data_length;
}
int ssl2_new(SSL *s)
if ((s2=OPENSSL_malloc(sizeof *s2)) == NULL) goto err;
memset(s2,0,sizeof *s2);
+#if SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER + 3 > SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER + 2
+# error "assertion failed"
+#endif
+
if ((s2->rbuf=OPENSSL_malloc(
SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER+2)) == NULL) goto err;
+ /* wbuf needs one byte more because when using two-byte headers,
+ * we leave the first byte unused in do_ssl_write (s2_pkt.c) */
if ((s2->wbuf=OPENSSL_malloc(
- SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER+2)) == NULL) goto err;
+ SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER+3)) == NULL) goto err;
s->s2=s2;
ssl2_clear(s);
* copied and put under another distribution licence
* [including the GNU Public Licence.]
*/
+/* ====================================================================
+ * Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ * software must display the following acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ * endorse or promote products derived from this software without
+ * prior written permission. For written permission, please contact
+ * openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ * nor may "OpenSSL" appear in their names without prior written
+ * permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ * acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com). This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
#include "ssl_locl.h"
#ifndef NO_SSL2
static int do_ssl_write(SSL *s, const unsigned char *buf, unsigned int len);
static int write_pending(SSL *s, const unsigned char *buf, unsigned int len);
static int ssl_mt_error(int n);
-int ssl2_peek(SSL *s, char *buf, int len)
- {
- int ret;
- ret=ssl2_read(s,buf,len);
- if (ret > 0)
- {
- s->s2->ract_data_length+=ret;
- s->s2->ract_data-=ret;
- }
- return(ret);
- }
-/* SSL_read -
+/* SSL 2.0 imlementation for SSL_read/SSL_peek -
* This routine will return 0 to len bytes, decrypted etc if required.
*/
-int ssl2_read(SSL *s, void *buf, int len)
+static int ssl2_read_internal(SSL *s, void *buf, int len, int peek)
{
int n;
unsigned char mac[MAX_MAC_SIZE];
int i;
unsigned int mac_size=0;
-ssl2_read_again:
+ ssl2_read_again:
if (SSL_in_init(s) && !s->in_handshake)
{
n=s->handshake_func(s);
if (n < 0) return(n);
if (n == 0)
{
- SSLerr(SSL_F_SSL2_READ,SSL_R_SSL_HANDSHAKE_FAILURE);
+ SSLerr(SSL_F_SSL2_READ_INTERNAL,SSL_R_SSL_HANDSHAKE_FAILURE);
return(-1);
}
}
n=len;
memcpy(buf,s->s2->ract_data,(unsigned int)n);
- s->s2->ract_data_length-=n;
- s->s2->ract_data+=n;
- if (s->s2->ract_data_length == 0)
- s->rstate=SSL_ST_READ_HEADER;
+ if (!peek)
+ {
+ s->s2->ract_data_length-=n;
+ s->s2->ract_data+=n;
+ if (s->s2->ract_data_length == 0)
+ s->rstate=SSL_ST_READ_HEADER;
+ }
+
return(n);
}
+ /* s->s2->ract_data_length == 0
+ *
+ * Fill the buffer, then goto ssl2_read_again.
+ */
+
if (s->rstate == SSL_ST_READ_HEADER)
{
if (s->first_packet)
(p[2] == SSL2_MT_CLIENT_HELLO) ||
(p[2] == SSL2_MT_SERVER_HELLO))))
{
- SSLerr(SSL_F_SSL2_READ,SSL_R_NON_SSLV2_INITIAL_PACKET);
+ SSLerr(SSL_F_SSL2_READ_INTERNAL,SSL_R_NON_SSLV2_INITIAL_PACKET);
return(-1);
}
}
(unsigned int)mac_size) != 0) ||
(s->s2->rlength%EVP_CIPHER_CTX_block_size(s->enc_read_ctx) != 0))
{
- SSLerr(SSL_F_SSL2_READ,SSL_R_BAD_MAC_DECODE);
+ SSLerr(SSL_F_SSL2_READ_INTERNAL,SSL_R_BAD_MAC_DECODE);
return(-1);
}
}
INC32(s->s2->read_sequence); /* expect next number */
/* s->s2->ract_data is now available for processing */
-#if 1
- /* How should we react when a packet containing 0
- * bytes is received? (Note that SSLeay/OpenSSL itself
- * never sends such packets; see ssl2_write.)
- * Returning 0 would be interpreted by the caller as
- * indicating EOF, so it's not a good idea.
- * Instead, we just continue reading. Note that using
- * select() for blocking sockets *never* guarantees
+ /* Possibly the packet that we just read had 0 actual data bytes.
+ * (SSLeay/OpenSSL itself never sends such packets; see ssl2_write.)
+ * In this case, returning 0 would be interpreted by the caller
+ * as indicating EOF, so it's not a good idea. Instead, we just
+ * continue reading; thus ssl2_read_internal may have to process
+ * multiple packets before it can return.
+ *
+ * [Note that using select() for blocking sockets *never* guarantees
* that the next SSL_read will not block -- the available
- * data may contain incomplete packets, and except for SSL 2
- * renegotiation can confuse things even more. */
+ * data may contain incomplete packets, and except for SSL 2,
+ * renegotiation can confuse things even more.] */
goto ssl2_read_again; /* This should really be
- * "return ssl2_read(s,buf,len)",
- * but that would allow for
- * denial-of-service attacks if a
- * C compiler is used that does not
- * recognize end-recursion. */
-#else
- /* If a 0 byte packet was sent, return 0, otherwise
- * we play havoc with people using select with
- * blocking sockets. Let them handle a packet at a time,
- * they should really be using non-blocking sockets. */
- if (s->s2->ract_data_length == 0)
- return(0);
- return(ssl2_read(s,buf,len));
-#endif
+ * "return ssl2_read(s,buf,len)",
+ * but that would allow for
+ * denial-of-service attacks if a
+ * C compiler is used that does not
+ * recognize end-recursion. */
}
else
{
- SSLerr(SSL_F_SSL2_READ,SSL_R_BAD_STATE);
+ SSLerr(SSL_F_SSL2_READ_INTERNAL,SSL_R_BAD_STATE);
return(-1);
}
}
+int ssl2_read(SSL *s, void *buf, int len)
+ {
+ return ssl2_read_internal(s, buf, len, 0);
+ }
+
+int ssl2_peek(SSL *s, void *buf, int len)
+ {
+ return ssl2_read_internal(s, buf, len, 1);
+ }
+
static int read_n(SSL *s, unsigned int n, unsigned int max,
unsigned int extend)
{
{
bs=EVP_CIPHER_CTX_block_size(s->enc_read_ctx);
j=len+mac_size;
+ /* Two-byte headers allow for a larger record length than
+ * three-byte headers, but we can't use them if we need
+ * padding or if we have to set the escape bit. */
if ((j > SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER) &&
(!s->s2->escape))
{
}
else if ((bs <= 1) && (!s->s2->escape))
{
- /* len=len; */
+ /* j <= SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER, thus
+ * j < SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER */
s->s2->three_byte_header=0;
p=0;
}
- else /* 3 byte header */
+ else /* we may have to use a 3 byte header */
{
- /*len=len; */
+ /* If s->s2->escape is not set, then
+ * j <= SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER, and thus
+ * j < SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER. */
p=(j%bs);
p=(p == 0)?0:(bs-p);
if (s->s2->escape)
+ {
s->s2->three_byte_header=1;
+ if (j > SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER)
+ j=SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER;
+ }
else
s->s2->three_byte_header=(p == 0)?0:1;
}
}
+
+ /* Now
+ * j <= SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER
+ * holds, and if s->s2->three_byte_header is set, then even
+ * j <= SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER.
+ */
+
/* mac_size is the number of MAC bytes
* len is the number of data bytes we are going to send
* p is the number of padding bytes
- * if p == 0, it is a 2 byte header */
+ * (if it is a two-byte header, then p == 0) */
s->s2->wlength=len;
s->s2->padding=p;
while (s->init_num < 4)
{
i=ssl3_read_bytes(s,SSL3_RT_HANDSHAKE,&p[s->init_num],
- 4 - s->init_num);
+ 4 - s->init_num, 0);
if (i <= 0)
{
s->rwstate=SSL_READING;
n=s->s3->tmp.message_size;
while (n > 0)
{
- i=ssl3_read_bytes(s,SSL3_RT_HANDSHAKE,&p[s->init_num],n);
+ i=ssl3_read_bytes(s,SSL3_RT_HANDSHAKE,&p[s->init_num],n,0);
if (i <= 0)
{
s->rwstate=SSL_READING;
X509_free(s->session->peer);
CRYPTO_add(&x->references,1,CRYPTO_LOCK_X509);
s->session->peer=x;
+ s->session->verify_result = s->verify_result;
x=NULL;
ret=1;
* copied and put under another distribution licence
* [including the GNU Public Licence.]
*/
+/* ====================================================================
+ * Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ * software must display the following acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ * endorse or promote products derived from this software without
+ * prior written permission. For written permission, please contact
+ * openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ * nor may "OpenSSL" appear in their names without prior written
+ * permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ * acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com). This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
#include <stdio.h>
#include <openssl/md5.h>
return(NULL);
}
-/* The problem is that it may not be the correct record type */
int ssl3_pending(SSL *s)
{
- return(s->s3->rrec.length);
+ return (s->s3->rrec.type == SSL3_RT_APPLICATION_DATA) ? s->s3->rrec.length : 0;
}
int ssl3_new(SSL *s)
else if (!(s->shutdown & SSL_RECEIVED_SHUTDOWN))
{
/* If we are waiting for a close from our peer, we are closed */
- ssl3_read_bytes(s,0,NULL,0);
+ ssl3_read_bytes(s,0,NULL,0,0);
}
if ((s->shutdown == (SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN)) &&
return(ret);
}
-int ssl3_read(SSL *s, void *buf, int len)
+static int ssl3_read_internal(SSL *s, void *buf, int len, int peek)
{
int ret;
clear_sys_error();
if (s->s3->renegotiate) ssl3_renegotiate_check(s);
s->s3->in_read_app_data=1;
- ret=ssl3_read_bytes(s,SSL3_RT_APPLICATION_DATA,buf,len);
+ ret=ssl3_read_bytes(s,SSL3_RT_APPLICATION_DATA,buf,len,peek);
if ((ret == -1) && (s->s3->in_read_app_data == 0))
{
/* ssl3_read_bytes decided to call s->handshake_func, which
* by resetting 'in_read_app_data', strangely); so disable
* handshake processing and try to read application data again. */
s->in_handshake++;
- ret=ssl3_read_bytes(s,SSL3_RT_APPLICATION_DATA,buf,len);
+ ret=ssl3_read_bytes(s,SSL3_RT_APPLICATION_DATA,buf,len,peek);
s->in_handshake--;
}
else
return(ret);
}
-int ssl3_peek(SSL *s, char *buf, int len)
+int ssl3_read(SSL *s, void *buf, int len)
{
- SSL3_RECORD *rr;
- int n;
-
- rr= &(s->s3->rrec);
- if ((rr->length == 0) || (rr->type != SSL3_RT_APPLICATION_DATA))
- {
- n=ssl3_read(s,buf,1);
- if (n <= 0) return(n);
- rr->length++;
- rr->off--;
- }
+ return ssl3_read_internal(s, buf, len, 0);
+ }
- if ((unsigned int)len > rr->length)
- n=rr->length;
- else
- n=len;
- memcpy(buf,&(rr->data[rr->off]),(unsigned int)n);
- return(n);
+int ssl3_peek(SSL *s, void *buf, int len)
+ {
+ return ssl3_read_internal(s, buf, len, 1);
}
int ssl3_renegotiate(SSL *s)
* Application data protocol
* none of our business
*/
-int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len)
+int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
{
int al,i,j,ret;
unsigned int n;
if (!ssl3_setup_buffers(s))
return(-1);
- if ((type != SSL3_RT_APPLICATION_DATA) && (type != SSL3_RT_HANDSHAKE) && type)
+ if ((type && (type != SSL3_RT_APPLICATION_DATA) && (type != SSL3_RT_HANDSHAKE) && type) ||
+ (peek && (type != SSL3_RT_APPLICATION_DATA)))
{
SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_INTERNAL_ERROR);
return -1;
unsigned char *dst = buf;
unsigned int k;
+ /* peek == 0 */
n = 0;
while ((len > 0) && (s->s3->handshake_fragment_len > 0))
{
* s->s3->rrec.length, - number of bytes. */
rr = &(s->s3->rrec);
- /* get new packet */
+ /* get new packet if necessary */
if ((rr->length == 0) || (s->rstate == SSL_ST_READ_BODY))
{
ret=ssl3_get_record(s);
goto err;
}
- /* If the other end has shutdown, throw anything we read away */
+ /* If the other end has shut down, throw anything we read away
+ * (even in 'peek' mode) */
if (s->shutdown & SSL_RECEIVED_SHUTDOWN)
{
rr->length=0;
n = (unsigned int)len;
memcpy(buf,&(rr->data[rr->off]),n);
- rr->length-=n;
- rr->off+=n;
- if (rr->length == 0)
+ if (!peek)
{
- s->rstate=SSL_ST_READ_HEADER;
- rr->off=0;
+ rr->length-=n;
+ rr->off+=n;
+ if (rr->length == 0)
+ {
+ s->rstate=SSL_ST_READ_HEADER;
+ rr->off=0;
+ }
}
return(n);
}
s->session->master_key_length=
s->method->ssl3_enc->generate_master_secret(s,
s->session->master_key,p,i);
+ memset(p,0,i);
}
else
#endif
int (*ssl_accept)(SSL *s);
int (*ssl_connect)(SSL *s);
int (*ssl_read)(SSL *s,void *buf,int len);
- int (*ssl_peek)(SSL *s,char *buf,int len);
+ int (*ssl_peek)(SSL *s,void *buf,int len);
int (*ssl_write)(SSL *s,const void *buf,int len);
int (*ssl_shutdown)(SSL *s);
int (*ssl_renegotiate)(SSL *s);
void SSL_free(SSL *ssl);
int SSL_accept(SSL *ssl);
int SSL_connect(SSL *ssl);
-int SSL_read(SSL *ssl,char *buf,int num);
-int SSL_peek(SSL *ssl,char *buf,int num);
-int SSL_write(SSL *ssl,const char *buf,int num);
+int SSL_read(SSL *ssl,void *buf,int num);
+int SSL_peek(SSL *ssl,void *buf,int num);
+int SSL_write(SSL *ssl,const void *buf,int num);
long SSL_ctrl(SSL *ssl,int cmd, long larg, char *parg);
long SSL_callback_ctrl(SSL *, int, void (*)());
long SSL_CTX_ctrl(SSL_CTX *ctx,int cmd, long larg, char *parg);
#define SSL_CTX_get_read_ahead(ctx) \
SSL_CTX_ctrl(ctx,SSL_CTRL_GET_READ_AHEAD,0,NULL)
#define SSL_CTX_set_read_ahead(ctx,m) \
- SSL_CTX_ctrl(ctx,SSL_CTRL_SET_READ_AHEAD,0,NULL)
+ SSL_CTX_ctrl(ctx,SSL_CTRL_SET_READ_AHEAD,m,NULL)
/* NB: the keylength is only applicable when is_export is true */
#ifndef NO_RSA
/* The following lines are auto generated by the script mkerr.pl. Any changes
* made after this point may be overwritten when the script is next run.
*/
+void ERR_load_SSL_strings(void);
/* Error codes for the SSL functions. */
#define SSL_F_SSL23_CONNECT 117
#define SSL_F_SSL23_GET_CLIENT_HELLO 118
#define SSL_F_SSL23_GET_SERVER_HELLO 119
+#define SSL_F_SSL23_PEEK 237
#define SSL_F_SSL23_READ 120
#define SSL_F_SSL23_WRITE 121
#define SSL_F_SSL2_ACCEPT 122
#define SSL_F_SSL2_CONNECT 123
#define SSL_F_SSL2_ENC_INIT 124
+#define SSL_F_SSL2_PEEK 234
#define SSL_F_SSL2_READ 125
+#define SSL_F_SSL2_READ_INTERNAL 236
#define SSL_F_SSL2_SET_CERTIFICATE 126
#define SSL_F_SSL2_WRITE 127
#define SSL_F_SSL3_ACCEPT 128
#define SSL_F_SSL3_GET_SERVER_DONE 145
#define SSL_F_SSL3_GET_SERVER_HELLO 146
#define SSL_F_SSL3_OUTPUT_CERT_CHAIN 147
+#define SSL_F_SSL3_PEEK 235
#define SSL_F_SSL3_READ_BYTES 148
#define SSL_F_SSL3_READ_N 149
#define SSL_F_SSL3_SEND_CERTIFICATE_REQUEST 150
}
#endif
#endif
-
/* Upper/Lower Bounds */
#define SSL2_MAX_MASTER_KEY_LENGTH_IN_BITS 256
#ifdef MPE
-#define SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER (unsigned int)29998
+#define SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER 29998u
#else
-#define SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER (unsigned int)32767
+#define SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER 32767u /* 2^15-1 */
#endif
-#define SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER 16383 /**/
+#define SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER 16383 /* 2^14-1 */
#define SSL2_CHALLENGE_LENGTH 16
/*#define SSL2_CHALLENGE_LENGTH 32 */
#ifndef NO_SHA
EVP_add_digest(EVP_sha1()); /* RSA with sha1 */
EVP_add_digest_alias(SN_sha1,"ssl3-sha1");
+ EVP_add_digest_alias(SN_sha1WithRSAEncryption,SN_sha1WithRSA);
#endif
#if !defined(NO_SHA) && !defined(NO_DSA)
EVP_add_digest(EVP_dss1()); /* DSA with sha1 */
+ EVP_add_digest_alias(SN_dsaWithSHA1,SN_dsaWithSHA1_2);
+ EVP_add_digest_alias(SN_dsaWithSHA1,"DSS1");
+ EVP_add_digest_alias(SN_dsaWithSHA1,"dss1");
#endif
/* If you want support for phased out ciphers, add the following */
{ERR_PACK(0,SSL_F_SSL23_CONNECT,0), "SSL23_CONNECT"},
{ERR_PACK(0,SSL_F_SSL23_GET_CLIENT_HELLO,0), "SSL23_GET_CLIENT_HELLO"},
{ERR_PACK(0,SSL_F_SSL23_GET_SERVER_HELLO,0), "SSL23_GET_SERVER_HELLO"},
+{ERR_PACK(0,SSL_F_SSL23_PEEK,0), "SSL23_PEEK"},
{ERR_PACK(0,SSL_F_SSL23_READ,0), "SSL23_READ"},
{ERR_PACK(0,SSL_F_SSL23_WRITE,0), "SSL23_WRITE"},
{ERR_PACK(0,SSL_F_SSL2_ACCEPT,0), "SSL2_ACCEPT"},
{ERR_PACK(0,SSL_F_SSL2_CONNECT,0), "SSL2_CONNECT"},
{ERR_PACK(0,SSL_F_SSL2_ENC_INIT,0), "SSL2_ENC_INIT"},
+{ERR_PACK(0,SSL_F_SSL2_PEEK,0), "SSL2_PEEK"},
{ERR_PACK(0,SSL_F_SSL2_READ,0), "SSL2_READ"},
+{ERR_PACK(0,SSL_F_SSL2_READ_INTERNAL,0), "SSL2_READ_INTERNAL"},
{ERR_PACK(0,SSL_F_SSL2_SET_CERTIFICATE,0), "SSL2_SET_CERTIFICATE"},
{ERR_PACK(0,SSL_F_SSL2_WRITE,0), "SSL2_WRITE"},
{ERR_PACK(0,SSL_F_SSL3_ACCEPT,0), "SSL3_ACCEPT"},
{ERR_PACK(0,SSL_F_SSL3_GET_SERVER_DONE,0), "SSL3_GET_SERVER_DONE"},
{ERR_PACK(0,SSL_F_SSL3_GET_SERVER_HELLO,0), "SSL3_GET_SERVER_HELLO"},
{ERR_PACK(0,SSL_F_SSL3_OUTPUT_CERT_CHAIN,0), "SSL3_OUTPUT_CERT_CHAIN"},
+{ERR_PACK(0,SSL_F_SSL3_PEEK,0), "SSL3_PEEK"},
{ERR_PACK(0,SSL_F_SSL3_READ_BYTES,0), "SSL3_READ_BYTES"},
{ERR_PACK(0,SSL_F_SSL3_READ_N,0), "SSL3_READ_N"},
{ERR_PACK(0,SSL_F_SSL3_SEND_CERTIFICATE_REQUEST,0), "SSL3_SEND_CERTIFICATE_REQUEST"},
s->client_version=s->version;
s->rwstate=SSL_NOTHING;
s->rstate=SSL_ST_READ_HEADER;
+#if 0
s->read_ahead=s->ctx->read_ahead;
+#endif
if (s->init_buf != NULL)
{
s->server=(ctx->method->ssl_accept == ssl_undefined_function)?0:1;
s->options=ctx->options;
s->mode=ctx->mode;
+ s->read_ahead=ctx->read_ahead; /* used to happen in SSL_clear */
SSL_clear(s);
CRYPTO_new_ex_data(ssl_meth,s,&s->ex_data);
return(s->method->get_timeout());
}
-int SSL_read(SSL *s,char *buf,int num)
+int SSL_read(SSL *s,void *buf,int num)
{
if (s->handshake_func == 0)
{
return(s->method->ssl_read(s,buf,num));
}
-int SSL_peek(SSL *s,char *buf,int num)
+int SSL_peek(SSL *s,void *buf,int num)
{
+ if (s->handshake_func == 0)
+ {
+ SSLerr(SSL_F_SSL_READ, SSL_R_UNINITIALIZED);
+ return -1;
+ }
+
if (s->shutdown & SSL_RECEIVED_SHUTDOWN)
{
return(0);
return(s->method->ssl_peek(s,buf,num));
}
-int SSL_write(SSL *s,const char *buf,int num)
+int SSL_write(SSL *s,const void *buf,int num)
{
if (s->handshake_func == 0)
{
* copied and put under another distribution licence
* [including the GNU Public Licence.]
*/
+/* ====================================================================
+ * Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ * software must display the following acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ * endorse or promote products derived from this software without
+ * prior written permission. For written permission, please contact
+ * openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ * nor may "OpenSSL" appear in their names without prior written
+ * permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ * acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com). This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
#ifndef HEADER_SSL_LOCL_H
#define HEADER_SSL_LOCL_H
int ssl2_accept(SSL *s);
int ssl2_connect(SSL *s);
int ssl2_read(SSL *s, void *buf, int len);
-int ssl2_peek(SSL *s, char *buf, int len);
+int ssl2_peek(SSL *s, void *buf, int len);
int ssl2_write(SSL *s, const void *buf, int len);
int ssl2_shutdown(SSL *s);
void ssl2_clear(SSL *s);
int ssl3_renegotiate(SSL *ssl);
int ssl3_renegotiate_check(SSL *ssl);
int ssl3_dispatch_alert(SSL *s);
-int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len);
+int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek);
int ssl3_write_bytes(SSL *s, int type, const void *buf, int len);
int ssl3_final_finish_mac(SSL *s, EVP_MD_CTX *ctx1, EVP_MD_CTX *ctx2,
const char *sender, int slen,unsigned char *p);
int ssl3_accept(SSL *s);
int ssl3_connect(SSL *s);
int ssl3_read(SSL *s, void *buf, int len);
-int ssl3_peek(SSL *s,char *buf, int len);
+int ssl3_peek(SSL *s, void *buf, int len);
int ssl3_write(SSL *s, const void *buf, int len);
int ssl3_shutdown(SSL *s);
void ssl3_clear(SSL *s);
if (s->session != NULL)
SSL_SESSION_free(s->session);
s->session=session;
+ s->verify_result = s->session->verify_result;
/* CRYPTO_w_unlock(CRYPTO_LOCK_SSL);*/
ret=1;
}
@./$(BNTEST) >tmp.bntest
@echo quit >>tmp.bntest
@echo "running bc"
- @bc tmp.bntest 2>&1 | $(PERL) -e 'while (<STDIN>) {if (/^test (.*)/) {print STDERR "\nverify $$1";} elsif (!/^0$$/) {die "\nFailed! bc: $$_";} print STDERR "."; $$i++;} print STDERR "\n$$i tests passed\n"'
+ @<tmp.bntest sh -c "`sh ./bctest`" | $(PERL) -e '$$i=0; while (<STDIN>) {if (/^test (.*)/) {print STDERR "\nverify $$1";} elsif (!/^0$$/) {die "\nFailed! bc: $$_";} else {print STDERR "."; $$i++;}} print STDERR "\n$$i tests passed\n"'
@echo 'test a^b%c implementations'
./$(EXPTEST)
EVP_des_ede_ofb 309 EXIST::FUNCTION:DES
EVP_des_ofb 310 EXIST::FUNCTION:DES
EVP_desx_cbc 311 EXIST::FUNCTION:DES
-EVP_dss 312 EXIST::FUNCTION:DSA
-EVP_dss1 313 EXIST::FUNCTION:DSA
+EVP_dss 312 EXIST::FUNCTION:DSA,SHA
+EVP_dss1 313 EXIST::FUNCTION:DSA,SHA
EVP_enc_null 314 EXIST::FUNCTION:
EVP_get_cipherbyname 315 EXIST::FUNCTION:
EVP_get_digestbyname 316 EXIST::FUNCTION:
PKCS7_cert_from_signer_info 939 EXIST::FUNCTION:
PKCS7_get_signer_info 940 EXIST::FUNCTION:
EVP_delete_alias 941 NOEXIST::FUNCTION:
-EVP_mdc2 942 EXIST::FUNCTION:
+EVP_mdc2 942 EXIST::FUNCTION:MDC2
PEM_read_bio_RSAPublicKey 943 EXIST::FUNCTION:RSA
PEM_write_bio_RSAPublicKey 944 EXIST::FUNCTION:RSA
d2i_RSAPublicKey_bio 945 EXIST::FUNCTION:RSA
elsif (/^no-rc4$/) { $no_rc4=1; }
elsif (/^no-rc5$/) { $no_rc5=1; }
elsif (/^no-idea$/) { $no_idea=1; }
- elsif (/^no-des$/) { $no_des=1; }
+ elsif (/^no-des$/) { $no_des=1; $no_mdc2=1; }
elsif (/^no-bf$/) { $no_bf=1; }
elsif (/^no-cast$/) { $no_cast=1; }
elsif (/^no-md2$/) { $no_md2=1; }
} else {
(my $n, my $i) = split /\\/, $nums{$s};
my %pf = ();
- my @p = split(/,/, ($i =~ /^.*?:(.*?):/,$1));
+ my @p = split(/,/, ($i =~ /^[^:]*:([^:]*):/,$1));
+ my @a = split(/,/, ($i =~ /^[^:]*:[^:]*:[^:]*:([^:]*)/,$1));
# @p_purged must contain hardware platforms only
my @p_purged = ();
foreach $ptmp (@p) {
|| (!$negatives
&& ($rsaref || !grep(/^RSAREF$/,@p)))
|| ($negatives
- && (!$rsaref || !grep(/^!RSAREF$/,@p))))) {
+ && (!$rsaref || !grep(/^!RSAREF$/,@p))))
+ && (!@a || (!$no_rc2 || !grep(/^RC2$/,@a)))
+ && (!@a || (!$no_rc4 || !grep(/^RC4$/,@a)))
+ && (!@a || (!$no_rc5 || !grep(/^RC5$/,@a)))
+ && (!@a || (!$no_idea || !grep(/^IDEA$/,@a)))
+ && (!@a || (!$no_des || !grep(/^DES$/,@a)))
+ && (!@a || (!$no_bf || !grep(/^BF$/,@a)))
+ && (!@a || (!$no_cast || !grep(/^CAST$/,@a)))
+ && (!@a || (!$no_md2 || !grep(/^MD2$/,@a)))
+ && (!@a || (!$no_md4 || !grep(/^MD4$/,@a)))
+ && (!@a || (!$no_md5 || !grep(/^MD5$/,@a)))
+ && (!@a || (!$no_sha || !grep(/^SHA$/,@a)))
+ && (!@a || (!$no_ripemd || !grep(/^RIPEMD$/,@a)))
+ && (!@a || (!$no_mdc2 || !grep(/^MDC2$/,@a)))
+ && (!@a || (!$no_rsa || !grep(/^RSA$/,@a)))
+ && (!@a || (!$no_dsa || !grep(/^DSA$/,@a)))
+ && (!@a || (!$no_dh || !grep(/^DH$/,@a)))
+ && (!@a || (!$no_hmac || !grep(/^HMAC$/,@a)))
+ && (!@a || (!$no_fp_api || !grep(/^FP_API$/,@a)))
+ ) {
printf OUT " %s%-40s@%d\n",($W32)?"":"_",$s,$n;
# } else {
# print STDERR "DEBUG: \"$sym\" (@p):",
warn "$0: Improper man page - malformed NAME header in paragraph $. of $ARGV[0]\n"
}
else {
+ $n[0] =~ s/\n/ /;
+ $n[1] =~ s/\n/ /;
%namedesc = @n;
}
}
projects / oweals / openssl.git / commitdiff