s3_lib.c

mediastreamer2是开源的网络传输媒体流的库

            TLS1_CK_ECDH_anon_WITH_RC4_128_SHA,
            SSL_kECDHE|SSL_aNULL|SSL_RC4|SSL_SHA|SSL_TLSV1,
            SSL_NOT_EXP,
            0,
            128,
            128,
            SSL_ALL_CIPHERS,
            SSL_ALL_STRENGTHS,
	    },

	/* Cipher 57 */
	    {
            1,
            TLS1_TXT_ECDH_anon_WITH_DES_CBC_SHA,
            TLS1_CK_ECDH_anon_WITH_DES_CBC_SHA,
            SSL_kECDHE|SSL_aNULL|SSL_DES|SSL_SHA|SSL_TLSV1,
            SSL_NOT_EXP|SSL_LOW,
            0,
            56,
            56,
            SSL_ALL_CIPHERS,
            SSL_ALL_STRENGTHS,
            },

	/* Cipher 58 */
	    {
            1,
            TLS1_TXT_ECDH_anon_WITH_DES_192_CBC3_SHA,
            TLS1_CK_ECDH_anon_WITH_DES_192_CBC3_SHA,
            SSL_kECDHE|SSL_aNULL|SSL_3DES|SSL_SHA|SSL_TLSV1,
            SSL_NOT_EXP|SSL_HIGH,
            0,
            168,
            168,
            SSL_ALL_CIPHERS,
            SSL_ALL_STRENGTHS,
            },

	/* Cipher 59 */
	    {
            1,
            TLS1_TXT_ECDH_anon_EXPORT_WITH_DES_40_CBC_SHA,
            TLS1_CK_ECDH_anon_EXPORT_WITH_DES_40_CBC_SHA,
            SSL_kECDHE|SSL_aNULL|SSL_DES|SSL_SHA|SSL_TLSV1,
            SSL_EXPORT|SSL_EXP40,
            0,
            40,
            56,
            SSL_ALL_CIPHERS,
            SSL_ALL_STRENGTHS,
            },

	/* Cipher 5A */
	    {
            1,
            TLS1_TXT_ECDH_anon_EXPORT_WITH_RC4_40_SHA,
            TLS1_CK_ECDH_anon_EXPORT_WITH_RC4_40_SHA,
            SSL_kECDHE|SSL_aNULL|SSL_RC4|SSL_SHA|SSL_TLSV1,
            SSL_EXPORT|SSL_EXP40,
            0,
            40,
            128,
            SSL_ALL_CIPHERS,
            SSL_ALL_STRENGTHS,
            },
	/* Cipher 5B */
	/* XXX NOTE: The ECC/TLS draft has a bug and reuses 4B for this */
	    {
            1,
            TLS1_TXT_ECDH_ECDSA_EXPORT_WITH_RC4_40_SHA,
            TLS1_CK_ECDH_ECDSA_EXPORT_WITH_RC4_40_SHA,
            SSL_kECDH|SSL_aECDSA|SSL_RC4|SSL_SHA|SSL_TLSV1,
            SSL_EXPORT|SSL_EXP40,
            0,
            40,
            128,
            SSL_ALL_CIPHERS,
            SSL_ALL_STRENGTHS,
            },

	/* Cipher 5C */
	/* XXX NOTE: The ECC/TLS draft has a bug and reuses 4C for this */
	    {
            1,
            TLS1_TXT_ECDH_ECDSA_EXPORT_WITH_RC4_56_SHA,
            TLS1_CK_ECDH_ECDSA_EXPORT_WITH_RC4_56_SHA,
            SSL_kECDH|SSL_aECDSA|SSL_RC4|SSL_SHA|SSL_TLSV1,
            SSL_EXPORT|SSL_EXP56,
            0,
            56,
            128,
            SSL_ALL_CIPHERS,
            SSL_ALL_STRENGTHS,
            },

#endif	/* OPENSSL_NO_ECDH */

#if TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES
	/* New TLS Export CipherSuites */
	/* Cipher 60 */
	    {
	    1,
	    TLS1_TXT_RSA_EXPORT1024_WITH_RC4_56_MD5,
	    TLS1_CK_RSA_EXPORT1024_WITH_RC4_56_MD5,
	    SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5|SSL_TLSV1,
	    SSL_EXPORT|SSL_EXP56,
	    0,
	    56,
	    128,
	    SSL_ALL_CIPHERS,
	    SSL_ALL_STRENGTHS,
	    },
	/* Cipher 61 */
	    {
	    1,
	    TLS1_TXT_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5,
	    TLS1_CK_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5,
	    SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5|SSL_TLSV1,
	    SSL_EXPORT|SSL_EXP56,
	    0,
	    56,
	    128,
	    SSL_ALL_CIPHERS,
	    SSL_ALL_STRENGTHS,
	    },
	/* Cipher 62 */
	    {
	    1,
	    TLS1_TXT_RSA_EXPORT1024_WITH_DES_CBC_SHA,
	    TLS1_CK_RSA_EXPORT1024_WITH_DES_CBC_SHA,
	    SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA|SSL_TLSV1,
	    SSL_EXPORT|SSL_EXP56,
	    0,
	    56,
	    56,
	    SSL_ALL_CIPHERS,
	    SSL_ALL_STRENGTHS,
	    },
	/* Cipher 63 */
	    {
	    1,
	    TLS1_TXT_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA,
	    TLS1_CK_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA,
	    SSL_kEDH|SSL_aDSS|SSL_DES|SSL_SHA|SSL_TLSV1,
	    SSL_EXPORT|SSL_EXP56,
	    0,
	    56,
	    56,
	    SSL_ALL_CIPHERS,
	    SSL_ALL_STRENGTHS,
	    },
	/* Cipher 64 */
	    {
	    1,
	    TLS1_TXT_RSA_EXPORT1024_WITH_RC4_56_SHA,
	    TLS1_CK_RSA_EXPORT1024_WITH_RC4_56_SHA,
	    SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_SHA|SSL_TLSV1,
	    SSL_EXPORT|SSL_EXP56,
	    0,
	    56,
	    128,
	    SSL_ALL_CIPHERS,
	    SSL_ALL_STRENGTHS,
	    },
	/* Cipher 65 */
	    {
	    1,
	    TLS1_TXT_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA,
	    TLS1_CK_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA,
	    SSL_kEDH|SSL_aDSS|SSL_RC4|SSL_SHA|SSL_TLSV1,
	    SSL_EXPORT|SSL_EXP56,
	    0,
	    56,
	    128,
	    SSL_ALL_CIPHERS,
	    SSL_ALL_STRENGTHS,
	    },
	/* Cipher 66 */
	    {
	    1,
	    TLS1_TXT_DHE_DSS_WITH_RC4_128_SHA,
	    TLS1_CK_DHE_DSS_WITH_RC4_128_SHA,
	    SSL_kEDH|SSL_aDSS|SSL_RC4|SSL_SHA|SSL_TLSV1,
	    SSL_NOT_EXP|SSL_MEDIUM,
	    0,
	    128,
	    128,
	    SSL_ALL_CIPHERS,
	    SSL_ALL_STRENGTHS
	    },
#endif

#ifndef OPENSSL_NO_ECDH
	/* Cipher 77 XXX: ECC ciphersuites offering forward secrecy
	 * are not yet specified in the ECC/TLS draft but our code
	 * allows them to be implemented very easily. To add such
	 * a cipher suite, one needs to add two constant definitions
	 * to tls1.h and a new structure in this file as shown below. We 
	 * illustrate the process for the made-up cipher
	 * ECDHE-ECDSA-AES128-SHA.
	 */
	    {
            1,
            TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
            TLS1_CK_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
            SSL_kECDHE|SSL_aECDSA|SSL_AES|SSL_SHA|SSL_TLSV1,
            SSL_NOT_EXP|SSL_HIGH,
            0,
            128,
            128,
            SSL_ALL_CIPHERS,
            SSL_ALL_STRENGTHS,
            },

	/* Cipher 78 XXX: Another made-up ECC cipher suite that
	 * offers forward secrecy (ECDHE-RSA-AES128-SHA).
	 */
	    {
            1,
            TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA,
            TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA,
            SSL_kECDHE|SSL_aRSA|SSL_AES|SSL_SHA|SSL_TLSV1,
            SSL_NOT_EXP|SSL_HIGH,
            0,
            128,
            128,
            SSL_ALL_CIPHERS,
            SSL_ALL_STRENGTHS,
            },
#endif /* !OPENSSL_NO_ECDH */

/* end of list */
	};

SSL3_ENC_METHOD SSLv3_enc_data={
	ssl3_enc,
	ssl3_mac,
	ssl3_setup_key_block,
	ssl3_generate_master_secret,
	ssl3_change_cipher_state,
	ssl3_final_finish_mac,
	MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH,
	ssl3_cert_verify_mac,
	SSL3_MD_CLIENT_FINISHED_CONST,4,
	SSL3_MD_SERVER_FINISHED_CONST,4,
	ssl3_alert_code,
	};

long ssl3_default_timeout(void)
	{
	/* 2 hours, the 24 hours mentioned in the SSLv3 spec
	 * is way too long for http, the cache would over fill */
	return(60*60*2);
	}

IMPLEMENT_ssl3_meth_func(sslv3_base_method,
			ssl_undefined_function,
			ssl_undefined_function,
			ssl_bad_method)

int ssl3_num_ciphers(void)
	{
	return(SSL3_NUM_CIPHERS);
	}

SSL_CIPHER *ssl3_get_cipher(unsigned int u)
	{
	if (u < SSL3_NUM_CIPHERS)
		return(&(ssl3_ciphers[SSL3_NUM_CIPHERS-1-u]));
	else
		return(NULL);
	}

int ssl3_pending(const SSL *s)
	{
	if (s->rstate == SSL_ST_READ_BODY)
		return 0;
	
	return (s->s3->rrec.type == SSL3_RT_APPLICATION_DATA) ? s->s3->rrec.length : 0;
	}

int ssl3_new(SSL *s)
	{
	SSL3_STATE *s3;

	if ((s3=OPENSSL_malloc(sizeof *s3)) == NULL) goto err;
	memset(s3,0,sizeof *s3);
	EVP_MD_CTX_init(&s3->finish_dgst1);
	EVP_MD_CTX_init(&s3->finish_dgst2);
	pq_64bit_init(&(s3->rrec.seq_num));
	pq_64bit_init(&(s3->wrec.seq_num));

	s->s3=s3;

	s->method->ssl_clear(s);
	return(1);
err:
	return(0);
	}

void ssl3_free(SSL *s)
	{
	if(s == NULL)
	    return;

	ssl3_cleanup_key_block(s);
	if (s->s3->rbuf.buf != NULL)
		OPENSSL_free(s->s3->rbuf.buf);
	if (s->s3->wbuf.buf != NULL)
		OPENSSL_free(s->s3->wbuf.buf);
	if (s->s3->rrec.comp != NULL)
		OPENSSL_free(s->s3->rrec.comp);
#ifndef OPENSSL_NO_DH
	if (s->s3->tmp.dh != NULL)
		DH_free(s->s3->tmp.dh);
#endif
#ifndef OPENSSL_NO_ECDH
	if (s->s3->tmp.ecdh != NULL)
		EC_KEY_free(s->s3->tmp.ecdh);
#endif

	if (s->s3->tmp.ca_names != NULL)
		sk_X509_NAME_pop_free(s->s3->tmp.ca_names,X509_NAME_free);
	EVP_MD_CTX_cleanup(&s->s3->finish_dgst1);
	EVP_MD_CTX_cleanup(&s->s3->finish_dgst2);
	pq_64bit_free(&(s->s3->rrec.seq_num));
	pq_64bit_free(&(s->s3->wrec.seq_num));

	OPENSSL_cleanse(s->s3,sizeof *s->s3);
	OPENSSL_free(s->s3);
	s->s3=NULL;
	}

void ssl3_clear(SSL *s)
	{
	unsigned char *rp,*wp;
	size_t rlen, wlen;

	ssl3_cleanup_key_block(s);
	if (s->s3->tmp.ca_names != NULL)
		sk_X509_NAME_pop_free(s->s3->tmp.ca_names,X509_NAME_free);

	if (s->s3->rrec.comp != NULL)
		{
		OPENSSL_free(s->s3->rrec.comp);
		s->s3->rrec.comp=NULL;
		}
#ifndef OPENSSL_NO_DH
	if (s->s3->tmp.dh != NULL)
		DH_free(s->s3->tmp.dh);
#endif
#ifndef OPENSSL_NO_ECDH
	if (s->s3->tmp.ecdh != NULL)
		EC_KEY_free(s->s3->tmp.ecdh);
#endif

	rp = s->s3->rbuf.buf;
	wp = s->s3->wbuf.buf;
	rlen = s->s3->rbuf.len;
 	wlen = s->s3->wbuf.len;

	EVP_MD_CTX_cleanup(&s->s3->finish_dgst1);
	EVP_MD_CTX_cleanup(&s->s3->finish_dgst2);

	memset(s->s3,0,sizeof *s->s3);
	s->s3->rbuf.buf = rp;
	s->s3->wbuf.buf = wp;
	s->s3->rbuf.len = rlen;
 	s->s3->wbuf.len = wlen;

	ssl_free_wbio_buffer(s);

	s->packet_length=0;
	s->s3->renegotiate=0;
	s->s3->total_renegotiations=0;
	s->s3->num_renegotiations=0;
	s->s3->in_read_app_data=0;
	s->version=SSL3_VERSION;
	}

long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
	{
	int ret=0;

#if !defined(OPENSSL_NO_DSA) || !defined(OPENSSL_NO_RSA)
	if (
#ifndef OPENSSL_NO_RSA
	    cmd == SSL_CTRL_SET_TMP_RSA ||
	    cmd == SSL_CTRL_SET_TMP_RSA_CB ||
#endif
#ifndef OPENSSL_NO_DSA
	    cmd == SSL_CTRL_SET_TMP_DH ||
	    cmd == SSL_CTRL_SET_TMP_DH_CB ||
#endif
		0)
		{
		if (!ssl_cert_inst(&s->cert))
		    	{
			SSLerr(SSL_F_SSL3_CTRL, ERR_R_MALLOC_FAILURE);
			return(0);
			}
		}
#endif

	switch (cmd)
		{
	case SSL_CTRL_GET_SESSION_REUSED:
		ret=s->hit;
		break;
	case SSL_CTRL_GET_CLIENT_CERT_REQUEST:
		break;
	case SSL_CTRL_GET_NUM_RENEGOTIATIONS:
		ret=s->s3->num_renegotiations;
		break;
	case SSL_CTRL_CLEAR_NUM_RENEGOTIATIONS:
		ret=s->s3->num_renegotiations;
		s->s3->num_renegotiations=0;
		break;
	case SSL_CTRL_GET_TOTAL_RENEGOTIATIONS:
		ret=s->s3->total_renegotiations;
		break;
	case SSL_CTRL_GET_FLAGS:
		ret=(int)(s->s3->flags);
		break;
#ifndef OPENSSL_NO_RSA
	case SSL_CTRL_NEED_TMP_RSA:
		if ((s->cert != NULL) && (s->cert->rsa_tmp == NULL) &&
		    ((s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL) ||
		     (EVP_PKEY_size(s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey) > (512/8))))
			ret = 1;
		break;
	case SSL_CTRL_SET_TMP_RSA:
		{
			RSA *rsa = (RSA *)parg;
			if (rsa == NULL)
				{
				SSLerr(SSL_F_SSL3_CTRL, ERR_R_PASSED_NULL_PARAMETER);
				return(ret);
				}
			if ((rsa = RSAPrivateKey_dup(rsa)) == NULL)
				{
				SSLerr(SSL_F_SSL3_CTRL, ERR_R_RSA_LIB);
				return(ret);
				}
			if (s->cert->rsa_tmp != NULL)
				RSA_free(s->cert->rsa_tmp);
			s->cert->rsa_tmp = rsa;
			ret = 1;
		}
		break;
	case SSL_CTRL_SET_TMP_RSA_CB:
		{
		SSLerr(SSL_F_SSL3_CTRL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
		return(ret);
		}
		break;
#endif
#ifndef OPENSSL_NO_DH
	case SSL_CTRL_SET_TMP_DH:
		{
			DH *dh = (DH *)parg;
			if (dh == NULL)
				{
				SSLerr(SSL_F_SSL3_CTRL, ERR_R_PASSED_NULL_PARAMETER);
				return(ret);
				}
			if ((dh = DHparams_dup(dh)) == NULL)
				{
				SSLerr(SSL_F_SSL3_CTRL, ERR_R_DH_LIB);
				return(ret);
				}
			if (!(s->options & SSL_OP_SINGLE_DH_USE))
				{
				if (!DH_generate_key(dh))
					{
					DH_free(dh);
					SSLerr(SSL_F_SSL3_CTRL, ERR_R_DH_LIB);
					return(ret);
					}
				}
			if (s->cert->dh_tmp != NULL)
				DH_free(s->cert->dh_tmp);
			s->cert->dh_tmp = dh;
			ret = 1;
		}
		break;
	case SSL_CTRL_SET_TMP_DH_CB:
		{
		SSLerr(SSL_F_SSL3_CTRL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
		return(ret);
		}
		break;
#endif
#ifndef OPENSSL_NO_ECDH
	case SSL_CTRL_SET_TMP_ECDH:
		{
		EC_KEY *ecdh = NULL;
 			
		if (parg == NULL)
			{
			SSLerr(SSL_F_SSL3_CTRL, ERR_R_PASSED_NULL_PARAMETER);
			return(ret);
			}
		if (!EC_KEY_up_ref((EC_KEY *)parg))
			{
			SSLerr(SSL_F_SSL3_CTRL,ERR_R_ECDH_LIB);
			return(ret);
			}
		ecdh = (EC_KEY *)parg;
		if (!(s->options & SSL_OP_SINGLE_ECDH_USE))
			{
			if (!EC_KEY_generate_key(ecdh))
				{
				EC_KEY_free(ecdh);
				SSLerr(SSL_F_SSL3_CTRL,ERR_R_ECDH_LIB);
				return(ret);
				}
			}
		if (s->cert->ecdh_tmp != NULL)
			EC_KEY_free(s->cert->ecdh_tmp);
		s->cert->ecdh_tmp = ecdh;
		ret = 1;
		}
		break;
	case SSL_CTRL_SET_TMP_ECDH_CB:
		{
		SSLerr(SSL_F_SSL3_CTRL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
		return(ret);
		}
		break;
#endif /* !OPENSSL_NO_ECDH */
	default:
		break;
		}
	return(ret);
	}

long ssl3_callback_ctrl(SSL *s, int cmd, void (*fp)(void))
	{
	int ret=0;

#if !defined(OPENSSL_NO_DSA) || !defined(OPENSSL_NO_RSA)
	if (
#ifndef OPENSSL_NO_RSA
	    cmd == SSL_CTRL_SET_TMP_RSA_CB ||
#endif
#ifndef OPENSSL_NO_DSA
	    cmd == SSL_CTRL_SET_TMP_DH_CB ||
#endif
		0)
		{
		if (!ssl_cert_inst(&s->cert))
			{
			SSLerr(SSL_F_SSL3_CALLBACK_CTRL, ERR_R_MALLOC_FAILURE);
			return(0);
			}
		}
#endif