]> git.ipfire.org Git - thirdparty/openssl.git/blob - ssl/ssl_lib.c
projects / thirdparty / openssl.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Mark SSL_CTX_set_ssl_version() as deprecated in 3.0
[thirdparty/openssl.git] / ssl / ssl_lib.c
1 /*
2 * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
3 * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
4 * Copyright 2005 Nokia. All rights reserved.
5 *
6 * Licensed under the Apache License 2.0 (the "License"). You may not use
7 * this file except in compliance with the License. You can obtain a copy
8 * in the file LICENSE in the source distribution or at
9 * https://www.openssl.org/source/license.html
10 */
11
12 /* We need to use some engine deprecated APIs */
13 #define OPENSSL_SUPPRESS_DEPRECATED
14
15 #include <stdio.h>
16 #include "ssl_local.h"
17 #include "e_os.h"
18 #include <openssl/objects.h>
19 #include <openssl/x509v3.h>
20 #include <openssl/rand.h>
21 #include <openssl/ocsp.h>
22 #include <openssl/dh.h>
23 #include <openssl/engine.h>
24 #include <openssl/async.h>
25 #include <openssl/ct.h>
26 #include <openssl/trace.h>
27 #include "internal/cryptlib.h"
28 #include "internal/refcount.h"
29 #include "internal/ktls.h"
30
31 DEFINE_STACK_OF(X509)
32 DEFINE_STACK_OF(X509_NAME)
33 DEFINE_STACK_OF_CONST(SSL_CIPHER)
34 DEFINE_STACK_OF(X509_EXTENSION)
35 DEFINE_STACK_OF(OCSP_RESPID)
36 DEFINE_STACK_OF(SRTP_PROTECTION_PROFILE)
37 DEFINE_STACK_OF(SCT)
38
39 static int ssl_undefined_function_1(SSL *ssl, SSL3_RECORD *r, size_t s, int t,
40 SSL_MAC_BUF *mac, size_t macsize)
41 {
42 return ssl_undefined_function(ssl);
43 }
44
45 static int ssl_undefined_function_2(SSL *ssl, SSL3_RECORD *r, unsigned char *s,
46 int t)
47 {
48 return ssl_undefined_function(ssl);
49 }
50
51 static int ssl_undefined_function_3(SSL *ssl, unsigned char *r,
52 unsigned char *s, size_t t, size_t *u)
53 {
54 return ssl_undefined_function(ssl);
55 }
56
57 static int ssl_undefined_function_4(SSL *ssl, int r)
58 {
59 return ssl_undefined_function(ssl);
60 }
61
62 static size_t ssl_undefined_function_5(SSL *ssl, const char *r, size_t s,
63 unsigned char *t)
64 {
65 return ssl_undefined_function(ssl);
66 }
67
68 static int ssl_undefined_function_6(int r)
69 {
70 return ssl_undefined_function(NULL);
71 }
72
73 static int ssl_undefined_function_7(SSL *ssl, unsigned char *r, size_t s,
74 const char *t, size_t u,
75 const unsigned char *v, size_t w, int x)
76 {
77 return ssl_undefined_function(ssl);
78 }
79
80 SSL3_ENC_METHOD ssl3_undef_enc_method = {
81 ssl_undefined_function_1,
82 ssl_undefined_function_2,
83 ssl_undefined_function,
84 ssl_undefined_function_3,
85 ssl_undefined_function_4,
86 ssl_undefined_function_5,
87 NULL, /* client_finished_label */
88 0, /* client_finished_label_len */
89 NULL, /* server_finished_label */
90 0, /* server_finished_label_len */
91 ssl_undefined_function_6,
92 ssl_undefined_function_7,
93 };
94
95 struct ssl_async_args {
96 SSL *s;
97 void *buf;
98 size_t num;
99 enum { READFUNC, WRITEFUNC, OTHERFUNC } type;
100 union {
101 int (*func_read) (SSL *, void *, size_t, size_t *);
102 int (*func_write) (SSL *, const void *, size_t, size_t *);
103 int (*func_other) (SSL *);
104 } f;
105 };
106
107 static const struct {
108 uint8_t mtype;
109 uint8_t ord;
110 int nid;
111 } dane_mds[] = {
112 {
113 DANETLS_MATCHING_FULL, 0, NID_undef
114 },
115 {
116 DANETLS_MATCHING_2256, 1, NID_sha256
117 },
118 {
119 DANETLS_MATCHING_2512, 2, NID_sha512
120 },
121 };
122
123 static int dane_ctx_enable(struct dane_ctx_st *dctx)
124 {
125 const EVP_MD **mdevp;
126 uint8_t *mdord;
127 uint8_t mdmax = DANETLS_MATCHING_LAST;
128 int n = ((int)mdmax) + 1; /* int to handle PrivMatch(255) */
129 size_t i;
130
131 if (dctx->mdevp != NULL)
132 return 1;
133
134 mdevp = OPENSSL_zalloc(n * sizeof(*mdevp));
135 mdord = OPENSSL_zalloc(n * sizeof(*mdord));
136
137 if (mdord == NULL || mdevp == NULL) {
138 OPENSSL_free(mdord);
139 OPENSSL_free(mdevp);
140 SSLerr(SSL_F_DANE_CTX_ENABLE, ERR_R_MALLOC_FAILURE);
141 return 0;
142 }
143
144 /* Install default entries */
145 for (i = 0; i < OSSL_NELEM(dane_mds); ++i) {
146 const EVP_MD *md;
147
148 if (dane_mds[i].nid == NID_undef ||
149 (md = EVP_get_digestbynid(dane_mds[i].nid)) == NULL)
150 continue;
151 mdevp[dane_mds[i].mtype] = md;
152 mdord[dane_mds[i].mtype] = dane_mds[i].ord;
153 }
154
155 dctx->mdevp = mdevp;
156 dctx->mdord = mdord;
157 dctx->mdmax = mdmax;
158
159 return 1;
160 }
161
162 static void dane_ctx_final(struct dane_ctx_st *dctx)
163 {
164 OPENSSL_free(dctx->mdevp);
165 dctx->mdevp = NULL;
166
167 OPENSSL_free(dctx->mdord);
168 dctx->mdord = NULL;
169 dctx->mdmax = 0;
170 }
171
172 static void tlsa_free(danetls_record *t)
173 {
174 if (t == NULL)
175 return;
176 OPENSSL_free(t->data);
177 EVP_PKEY_free(t->spki);
178 OPENSSL_free(t);
179 }
180
181 static void dane_final(SSL_DANE *dane)
182 {
183 sk_danetls_record_pop_free(dane->trecs, tlsa_free);
184 dane->trecs = NULL;
185
186 sk_X509_pop_free(dane->certs, X509_free);
187 dane->certs = NULL;
188
189 X509_free(dane->mcert);
190 dane->mcert = NULL;
191 dane->mtlsa = NULL;
192 dane->mdpth = -1;
193 dane->pdpth = -1;
194 }
195
196 /*
197 * dane_copy - Copy dane configuration, sans verification state.
198 */
199 static int ssl_dane_dup(SSL *to, SSL *from)
200 {
201 int num;
202 int i;
203
204 if (!DANETLS_ENABLED(&from->dane))
205 return 1;
206
207 num = sk_danetls_record_num(from->dane.trecs);
208 dane_final(&to->dane);
209 to->dane.flags = from->dane.flags;
210 to->dane.dctx = &to->ctx->dane;
211 to->dane.trecs = sk_danetls_record_new_reserve(NULL, num);
212
213 if (to->dane.trecs == NULL) {
214 SSLerr(SSL_F_SSL_DANE_DUP, ERR_R_MALLOC_FAILURE);
215 return 0;
216 }
217
218 for (i = 0; i < num; ++i) {
219 danetls_record *t = sk_danetls_record_value(from->dane.trecs, i);
220
221 if (SSL_dane_tlsa_add(to, t->usage, t->selector, t->mtype,
222 t->data, t->dlen) <= 0)
223 return 0;
224 }
225 return 1;
226 }
227
228 static int dane_mtype_set(struct dane_ctx_st *dctx,
229 const EVP_MD *md, uint8_t mtype, uint8_t ord)
230 {
231 int i;
232
233 if (mtype == DANETLS_MATCHING_FULL && md != NULL) {
234 SSLerr(SSL_F_DANE_MTYPE_SET, SSL_R_DANE_CANNOT_OVERRIDE_MTYPE_FULL);
235 return 0;
236 }
237
238 if (mtype > dctx->mdmax) {
239 const EVP_MD **mdevp;
240 uint8_t *mdord;
241 int n = ((int)mtype) + 1;
242
243 mdevp = OPENSSL_realloc(dctx->mdevp, n * sizeof(*mdevp));
244 if (mdevp == NULL) {
245 SSLerr(SSL_F_DANE_MTYPE_SET, ERR_R_MALLOC_FAILURE);
246 return -1;
247 }
248 dctx->mdevp = mdevp;
249
250 mdord = OPENSSL_realloc(dctx->mdord, n * sizeof(*mdord));
251 if (mdord == NULL) {
252 SSLerr(SSL_F_DANE_MTYPE_SET, ERR_R_MALLOC_FAILURE);
253 return -1;
254 }
255 dctx->mdord = mdord;
256
257 /* Zero-fill any gaps */
258 for (i = dctx->mdmax + 1; i < mtype; ++i) {
259 mdevp[i] = NULL;
260 mdord[i] = 0;
261 }
262
263 dctx->mdmax = mtype;
264 }
265
266 dctx->mdevp[mtype] = md;
267 /* Coerce ordinal of disabled matching types to 0 */
268 dctx->mdord[mtype] = (md == NULL) ? 0 : ord;
269
270 return 1;
271 }
272
273 static const EVP_MD *tlsa_md_get(SSL_DANE *dane, uint8_t mtype)
274 {
275 if (mtype > dane->dctx->mdmax)
276 return NULL;
277 return dane->dctx->mdevp[mtype];
278 }
279
280 static int dane_tlsa_add(SSL_DANE *dane,
281 uint8_t usage,
282 uint8_t selector,
283 uint8_t mtype, unsigned const char *data, size_t dlen)
284 {
285 danetls_record *t;
286 const EVP_MD *md = NULL;
287 int ilen = (int)dlen;
288 int i;
289 int num;
290
291 if (dane->trecs == NULL) {
292 SSLerr(SSL_F_DANE_TLSA_ADD, SSL_R_DANE_NOT_ENABLED);
293 return -1;
294 }
295
296 if (ilen < 0 || dlen != (size_t)ilen) {
297 SSLerr(SSL_F_DANE_TLSA_ADD, SSL_R_DANE_TLSA_BAD_DATA_LENGTH);
298 return 0;
299 }
300
301 if (usage > DANETLS_USAGE_LAST) {
302 SSLerr(SSL_F_DANE_TLSA_ADD, SSL_R_DANE_TLSA_BAD_CERTIFICATE_USAGE);
303 return 0;
304 }
305
306 if (selector > DANETLS_SELECTOR_LAST) {
307 SSLerr(SSL_F_DANE_TLSA_ADD, SSL_R_DANE_TLSA_BAD_SELECTOR);
308 return 0;
309 }
310
311 if (mtype != DANETLS_MATCHING_FULL) {
312 md = tlsa_md_get(dane, mtype);
313 if (md == NULL) {
314 SSLerr(SSL_F_DANE_TLSA_ADD, SSL_R_DANE_TLSA_BAD_MATCHING_TYPE);
315 return 0;
316 }
317 }
318
319 if (md != NULL && dlen != (size_t)EVP_MD_size(md)) {
320 SSLerr(SSL_F_DANE_TLSA_ADD, SSL_R_DANE_TLSA_BAD_DIGEST_LENGTH);
321 return 0;
322 }
323 if (!data) {
324 SSLerr(SSL_F_DANE_TLSA_ADD, SSL_R_DANE_TLSA_NULL_DATA);
325 return 0;
326 }
327
328 if ((t = OPENSSL_zalloc(sizeof(*t))) == NULL) {
329 SSLerr(SSL_F_DANE_TLSA_ADD, ERR_R_MALLOC_FAILURE);
330 return -1;
331 }
332
333 t->usage = usage;
334 t->selector = selector;
335 t->mtype = mtype;
336 t->data = OPENSSL_malloc(dlen);
337 if (t->data == NULL) {
338 tlsa_free(t);
339 SSLerr(SSL_F_DANE_TLSA_ADD, ERR_R_MALLOC_FAILURE);
340 return -1;
341 }
342 memcpy(t->data, data, dlen);
343 t->dlen = dlen;
344
345 /* Validate and cache full certificate or public key */
346 if (mtype == DANETLS_MATCHING_FULL) {
347 const unsigned char *p = data;
348 X509 *cert = NULL;
349 EVP_PKEY *pkey = NULL;
350
351 switch (selector) {
352 case DANETLS_SELECTOR_CERT:
353 if (!d2i_X509(&cert, &p, ilen) || p < data ||
354 dlen != (size_t)(p - data)) {
355 tlsa_free(t);
356 SSLerr(SSL_F_DANE_TLSA_ADD, SSL_R_DANE_TLSA_BAD_CERTIFICATE);
357 return 0;
358 }
359 if (X509_get0_pubkey(cert) == NULL) {
360 tlsa_free(t);
361 SSLerr(SSL_F_DANE_TLSA_ADD, SSL_R_DANE_TLSA_BAD_CERTIFICATE);
362 return 0;
363 }
364
365 if ((DANETLS_USAGE_BIT(usage) & DANETLS_TA_MASK) == 0) {
366 X509_free(cert);
367 break;
368 }
369
370 /*
371 * For usage DANE-TA(2), we support authentication via "2 0 0" TLSA
372 * records that contain full certificates of trust-anchors that are
373 * not present in the wire chain. For usage PKIX-TA(0), we augment
374 * the chain with untrusted Full(0) certificates from DNS, in case
375 * they are missing from the chain.
376 */
377 if ((dane->certs == NULL &&
378 (dane->certs = sk_X509_new_null()) == NULL) ||
379 !sk_X509_push(dane->certs, cert)) {
380 SSLerr(SSL_F_DANE_TLSA_ADD, ERR_R_MALLOC_FAILURE);
381 X509_free(cert);
382 tlsa_free(t);
383 return -1;
384 }
385 break;
386
387 case DANETLS_SELECTOR_SPKI:
388 if (!d2i_PUBKEY(&pkey, &p, ilen) || p < data ||
389 dlen != (size_t)(p - data)) {
390 tlsa_free(t);
391 SSLerr(SSL_F_DANE_TLSA_ADD, SSL_R_DANE_TLSA_BAD_PUBLIC_KEY);
392 return 0;
393 }
394
395 /*
396 * For usage DANE-TA(2), we support authentication via "2 1 0" TLSA
397 * records that contain full bare keys of trust-anchors that are
398 * not present in the wire chain.
399 */
400 if (usage == DANETLS_USAGE_DANE_TA)
401 t->spki = pkey;
402 else
403 EVP_PKEY_free(pkey);
404 break;
405 }
406 }
407
408 /*-
409 * Find the right insertion point for the new record.
410 *
411 * See crypto/x509/x509_vfy.c. We sort DANE-EE(3) records first, so that
412 * they can be processed first, as they require no chain building, and no
413 * expiration or hostname checks. Because DANE-EE(3) is numerically
414 * largest, this is accomplished via descending sort by "usage".
415 *
416 * We also sort in descending order by matching ordinal to simplify
417 * the implementation of digest agility in the verification code.
418 *
419 * The choice of order for the selector is not significant, so we
420 * use the same descending order for consistency.
421 */
422 num = sk_danetls_record_num(dane->trecs);
423 for (i = 0; i < num; ++i) {
424 danetls_record *rec = sk_danetls_record_value(dane->trecs, i);
425
426 if (rec->usage > usage)
427 continue;
428 if (rec->usage < usage)
429 break;
430 if (rec->selector > selector)
431 continue;
432 if (rec->selector < selector)
433 break;
434 if (dane->dctx->mdord[rec->mtype] > dane->dctx->mdord[mtype])
435 continue;
436 break;
437 }
438
439 if (!sk_danetls_record_insert(dane->trecs, t, i)) {
440 tlsa_free(t);
441 SSLerr(SSL_F_DANE_TLSA_ADD, ERR_R_MALLOC_FAILURE);
442 return -1;
443 }
444 dane->umask |= DANETLS_USAGE_BIT(usage);
445
446 return 1;
447 }
448
449 /*
450 * Return 0 if there is only one version configured and it was disabled
451 * at configure time. Return 1 otherwise.
452 */
453 static int ssl_check_allowed_versions(int min_version, int max_version)
454 {
455 int minisdtls = 0, maxisdtls = 0;
456
457 /* Figure out if we're doing DTLS versions or TLS versions */
458 if (min_version == DTLS1_BAD_VER
459 || min_version >> 8 == DTLS1_VERSION_MAJOR)
460 minisdtls = 1;
461 if (max_version == DTLS1_BAD_VER
462 || max_version >> 8 == DTLS1_VERSION_MAJOR)
463 maxisdtls = 1;
464 /* A wildcard version of 0 could be DTLS or TLS. */
465 if ((minisdtls && !maxisdtls && max_version != 0)
466 || (maxisdtls && !minisdtls && min_version != 0)) {
467 /* Mixing DTLS and TLS versions will lead to sadness; deny it. */
468 return 0;
469 }
470
471 if (minisdtls || maxisdtls) {
472 /* Do DTLS version checks. */
473 if (min_version == 0)
474 /* Ignore DTLS1_BAD_VER */
475 min_version = DTLS1_VERSION;
476 if (max_version == 0)
477 max_version = DTLS1_2_VERSION;
478 #ifdef OPENSSL_NO_DTLS1_2
479 if (max_version == DTLS1_2_VERSION)
480 max_version = DTLS1_VERSION;
481 #endif
482 #ifdef OPENSSL_NO_DTLS1
483 if (min_version == DTLS1_VERSION)
484 min_version = DTLS1_2_VERSION;
485 #endif
486 /* Done massaging versions; do the check. */
487 if (0
488 #ifdef OPENSSL_NO_DTLS1
489 || (DTLS_VERSION_GE(min_version, DTLS1_VERSION)
490 && DTLS_VERSION_GE(DTLS1_VERSION, max_version))
491 #endif
492 #ifdef OPENSSL_NO_DTLS1_2
493 || (DTLS_VERSION_GE(min_version, DTLS1_2_VERSION)
494 && DTLS_VERSION_GE(DTLS1_2_VERSION, max_version))
495 #endif
496 )
497 return 0;
498 } else {
499 /* Regular TLS version checks. */
500 if (min_version == 0)
501 min_version = SSL3_VERSION;
502 if (max_version == 0)
503 max_version = TLS1_3_VERSION;
504 #ifdef OPENSSL_NO_TLS1_3
505 if (max_version == TLS1_3_VERSION)
506 max_version = TLS1_2_VERSION;
507 #endif
508 #ifdef OPENSSL_NO_TLS1_2
509 if (max_version == TLS1_2_VERSION)
510 max_version = TLS1_1_VERSION;
511 #endif
512 #ifdef OPENSSL_NO_TLS1_1
513 if (max_version == TLS1_1_VERSION)
514 max_version = TLS1_VERSION;
515 #endif
516 #ifdef OPENSSL_NO_TLS1
517 if (max_version == TLS1_VERSION)
518 max_version = SSL3_VERSION;
519 #endif
520 #ifdef OPENSSL_NO_SSL3
521 if (min_version == SSL3_VERSION)
522 min_version = TLS1_VERSION;
523 #endif
524 #ifdef OPENSSL_NO_TLS1
525 if (min_version == TLS1_VERSION)
526 min_version = TLS1_1_VERSION;
527 #endif
528 #ifdef OPENSSL_NO_TLS1_1
529 if (min_version == TLS1_1_VERSION)
530 min_version = TLS1_2_VERSION;
531 #endif
532 #ifdef OPENSSL_NO_TLS1_2
533 if (min_version == TLS1_2_VERSION)
534 min_version = TLS1_3_VERSION;
535 #endif
536 /* Done massaging versions; do the check. */
537 if (0
538 #ifdef OPENSSL_NO_SSL3
539 || (min_version <= SSL3_VERSION && SSL3_VERSION <= max_version)
540 #endif
541 #ifdef OPENSSL_NO_TLS1
542 || (min_version <= TLS1_VERSION && TLS1_VERSION <= max_version)
543 #endif
544 #ifdef OPENSSL_NO_TLS1_1
545 || (min_version <= TLS1_1_VERSION && TLS1_1_VERSION <= max_version)
546 #endif
547 #ifdef OPENSSL_NO_TLS1_2
548 || (min_version <= TLS1_2_VERSION && TLS1_2_VERSION <= max_version)
549 #endif
550 #ifdef OPENSSL_NO_TLS1_3
551 || (min_version <= TLS1_3_VERSION && TLS1_3_VERSION <= max_version)
552 #endif
553 )
554 return 0;
555 }
556 return 1;
557 }
558
559 static void clear_ciphers(SSL *s)
560 {
561 /* clear the current cipher */
562 ssl_clear_cipher_ctx(s);
563 ssl_clear_hash_ctx(&s->read_hash);
564 ssl_clear_hash_ctx(&s->write_hash);
565 }
566
567 int SSL_clear(SSL *s)
568 {
569 if (s->method == NULL) {
570 SSLerr(SSL_F_SSL_CLEAR, SSL_R_NO_METHOD_SPECIFIED);
571 return 0;
572 }
573
574 if (ssl_clear_bad_session(s)) {
575 SSL_SESSION_free(s->session);
576 s->session = NULL;
577 }
578 SSL_SESSION_free(s->psksession);
579 s->psksession = NULL;
580 OPENSSL_free(s->psksession_id);
581 s->psksession_id = NULL;
582 s->psksession_id_len = 0;
583 s->hello_retry_request = 0;
584 s->sent_tickets = 0;
585
586 s->error = 0;
587 s->hit = 0;
588 s->shutdown = 0;
589
590 if (s->renegotiate) {
591 SSLerr(SSL_F_SSL_CLEAR, ERR_R_INTERNAL_ERROR);
592 return 0;
593 }
594
595 ossl_statem_clear(s);
596
597 s->version = s->method->version;
598 s->client_version = s->version;
599 s->rwstate = SSL_NOTHING;
600
601 BUF_MEM_free(s->init_buf);
602 s->init_buf = NULL;
603 clear_ciphers(s);
604 s->first_packet = 0;
605
606 s->key_update = SSL_KEY_UPDATE_NONE;
607
608 EVP_MD_CTX_free(s->pha_dgst);
609 s->pha_dgst = NULL;
610
611 /* Reset DANE verification result state */
612 s->dane.mdpth = -1;
613 s->dane.pdpth = -1;
614 X509_free(s->dane.mcert);
615 s->dane.mcert = NULL;
616 s->dane.mtlsa = NULL;
617
618 /* Clear the verification result peername */
619 X509_VERIFY_PARAM_move_peername(s->param, NULL);
620
621 /* Clear any shared connection state */
622 OPENSSL_free(s->shared_sigalgs);
623 s->shared_sigalgs = NULL;
624 s->shared_sigalgslen = 0;
625
626 /*
627 * Check to see if we were changed into a different method, if so, revert
628 * back.
629 */
630 if (s->method != s->ctx->method) {
631 s->method->ssl_free(s);
632 s->method = s->ctx->method;
633 if (!s->method->ssl_new(s))
634 return 0;
635 } else {
636 if (!s->method->ssl_clear(s))
637 return 0;
638 }
639
640 RECORD_LAYER_clear(&s->rlayer);
641
642 return 1;
643 }
644
645 #ifndef OPENSSL_NO_DEPRECATED_3_0
646 /** Used to change an SSL_CTXs default SSL method type */
647 int SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *meth)
648 {
649 STACK_OF(SSL_CIPHER) *sk;
650
651 ctx->method = meth;
652
653 if (!SSL_CTX_set_ciphersuites(ctx, OSSL_default_ciphersuites())) {
654 SSLerr(SSL_F_SSL_CTX_SET_SSL_VERSION, SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS);
655 return 0;
656 }
657 sk = ssl_create_cipher_list(ctx->method,
658 ctx->tls13_ciphersuites,
659 &(ctx->cipher_list),
660 &(ctx->cipher_list_by_id),
661 OSSL_default_cipher_list(), ctx->cert);
662 if ((sk == NULL) || (sk_SSL_CIPHER_num(sk) <= 0)) {
663 SSLerr(SSL_F_SSL_CTX_SET_SSL_VERSION, SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS);
664 return 0;
665 }
666 return 1;
667 }
668 #endif
669
670 SSL *SSL_new(SSL_CTX *ctx)
671 {
672 SSL *s;
673
674 if (ctx == NULL) {
675 SSLerr(SSL_F_SSL_NEW, SSL_R_NULL_SSL_CTX);
676 return NULL;
677 }
678 if (ctx->method == NULL) {
679 SSLerr(SSL_F_SSL_NEW, SSL_R_SSL_CTX_HAS_NO_DEFAULT_SSL_VERSION);
680 return NULL;
681 }
682
683 s = OPENSSL_zalloc(sizeof(*s));
684 if (s == NULL)
685 goto err;
686
687 s->references = 1;
688 s->lock = CRYPTO_THREAD_lock_new();
689 if (s->lock == NULL) {
690 OPENSSL_free(s);
691 s = NULL;
692 goto err;
693 }
694
695 RECORD_LAYER_init(&s->rlayer, s);
696
697 s->options = ctx->options;
698 s->dane.flags = ctx->dane.flags;
699 s->min_proto_version = ctx->min_proto_version;
700 s->max_proto_version = ctx->max_proto_version;
701 s->mode = ctx->mode;
702 s->max_cert_list = ctx->max_cert_list;
703 s->max_early_data = ctx->max_early_data;
704 s->recv_max_early_data = ctx->recv_max_early_data;
705 s->num_tickets = ctx->num_tickets;
706 s->pha_enabled = ctx->pha_enabled;
707
708 /* Shallow copy of the ciphersuites stack */
709 s->tls13_ciphersuites = sk_SSL_CIPHER_dup(ctx->tls13_ciphersuites);
710 if (s->tls13_ciphersuites == NULL)
711 goto err;
712
713 /*
714 * Earlier library versions used to copy the pointer to the CERT, not
715 * its contents; only when setting new parameters for the per-SSL
716 * copy, ssl_cert_new would be called (and the direct reference to
717 * the per-SSL_CTX settings would be lost, but those still were
718 * indirectly accessed for various purposes, and for that reason they
719 * used to be known as s->ctx->default_cert). Now we don't look at the
720 * SSL_CTX's CERT after having duplicated it once.
721 */
722 s->cert = ssl_cert_dup(ctx->cert);
723 if (s->cert == NULL)
724 goto err;
725
726 RECORD_LAYER_set_read_ahead(&s->rlayer, ctx->read_ahead);
727 s->msg_callback = ctx->msg_callback;
728 s->msg_callback_arg = ctx->msg_callback_arg;
729 s->verify_mode = ctx->verify_mode;
730 s->not_resumable_session_cb = ctx->not_resumable_session_cb;
731 s->record_padding_cb = ctx->record_padding_cb;
732 s->record_padding_arg = ctx->record_padding_arg;
733 s->block_padding = ctx->block_padding;
734 s->sid_ctx_length = ctx->sid_ctx_length;
735 if (!ossl_assert(s->sid_ctx_length <= sizeof(s->sid_ctx)))
736 goto err;
737 memcpy(&s->sid_ctx, &ctx->sid_ctx, sizeof(s->sid_ctx));
738 s->verify_callback = ctx->default_verify_callback;
739 s->generate_session_id = ctx->generate_session_id;
740
741 s->param = X509_VERIFY_PARAM_new();
742 if (s->param == NULL)
743 goto err;
744 X509_VERIFY_PARAM_inherit(s->param, ctx->param);
745 s->quiet_shutdown = ctx->quiet_shutdown;
746
747 s->ext.max_fragment_len_mode = ctx->ext.max_fragment_len_mode;
748 s->max_send_fragment = ctx->max_send_fragment;
749 s->split_send_fragment = ctx->split_send_fragment;
750 s->max_pipelines = ctx->max_pipelines;
751 if (s->max_pipelines > 1)
752 RECORD_LAYER_set_read_ahead(&s->rlayer, 1);
753 if (ctx->default_read_buf_len > 0)
754 SSL_set_default_read_buffer_len(s, ctx->default_read_buf_len);
755
756 SSL_CTX_up_ref(ctx);
757 s->ctx = ctx;
758 s->ext.debug_cb = 0;
759 s->ext.debug_arg = NULL;
760 s->ext.ticket_expected = 0;
761 s->ext.status_type = ctx->ext.status_type;
762 s->ext.status_expected = 0;
763 s->ext.ocsp.ids = NULL;
764 s->ext.ocsp.exts = NULL;
765 s->ext.ocsp.resp = NULL;
766 s->ext.ocsp.resp_len = 0;
767 SSL_CTX_up_ref(ctx);
768 s->session_ctx = ctx;
769 #ifndef OPENSSL_NO_EC
770 if (ctx->ext.ecpointformats) {
771 s->ext.ecpointformats =
772 OPENSSL_memdup(ctx->ext.ecpointformats,
773 ctx->ext.ecpointformats_len);
774 if (!s->ext.ecpointformats)
775 goto err;
776 s->ext.ecpointformats_len =
777 ctx->ext.ecpointformats_len;
778 }
779 #endif
780 if (ctx->ext.supportedgroups) {
781 s->ext.supportedgroups =
782 OPENSSL_memdup(ctx->ext.supportedgroups,
783 ctx->ext.supportedgroups_len
784 * sizeof(*ctx->ext.supportedgroups));
785 if (!s->ext.supportedgroups)
786 goto err;
787 s->ext.supportedgroups_len = ctx->ext.supportedgroups_len;
788 }
789
790 #ifndef OPENSSL_NO_NEXTPROTONEG
791 s->ext.npn = NULL;
792 #endif
793
794 if (s->ctx->ext.alpn) {
795 s->ext.alpn = OPENSSL_malloc(s->ctx->ext.alpn_len);
796 if (s->ext.alpn == NULL)
797 goto err;
798 memcpy(s->ext.alpn, s->ctx->ext.alpn, s->ctx->ext.alpn_len);
799 s->ext.alpn_len = s->ctx->ext.alpn_len;
800 }
801
802 s->verified_chain = NULL;
803 s->verify_result = X509_V_OK;
804
805 s->default_passwd_callback = ctx->default_passwd_callback;
806 s->default_passwd_callback_userdata = ctx->default_passwd_callback_userdata;
807
808 s->method = ctx->method;
809
810 s->key_update = SSL_KEY_UPDATE_NONE;
811
812 s->allow_early_data_cb = ctx->allow_early_data_cb;
813 s->allow_early_data_cb_data = ctx->allow_early_data_cb_data;
814
815 if (!s->method->ssl_new(s))
816 goto err;
817
818 s->server = (ctx->method->ssl_accept == ssl_undefined_function) ? 0 : 1;
819
820 if (!SSL_clear(s))
821 goto err;
822
823 if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL, s, &s->ex_data))
824 goto err;
825
826 #ifndef OPENSSL_NO_PSK
827 s->psk_client_callback = ctx->psk_client_callback;
828 s->psk_server_callback = ctx->psk_server_callback;
829 #endif
830 s->psk_find_session_cb = ctx->psk_find_session_cb;
831 s->psk_use_session_cb = ctx->psk_use_session_cb;
832
833 s->async_cb = ctx->async_cb;
834 s->async_cb_arg = ctx->async_cb_arg;
835
836 s->job = NULL;
837
838 #ifndef OPENSSL_NO_CT
839 if (!SSL_set_ct_validation_callback(s, ctx->ct_validation_callback,
840 ctx->ct_validation_callback_arg))
841 goto err;
842 #endif
843
844 return s;
845 err:
846 SSL_free(s);
847 SSLerr(SSL_F_SSL_NEW, ERR_R_MALLOC_FAILURE);
848 return NULL;
849 }
850
851 int SSL_is_dtls(const SSL *s)
852 {
853 return SSL_IS_DTLS(s) ? 1 : 0;
854 }
855
856 int SSL_up_ref(SSL *s)
857 {
858 int i;
859
860 if (CRYPTO_UP_REF(&s->references, &i, s->lock) <= 0)
861 return 0;
862
863 REF_PRINT_COUNT("SSL", s);
864 REF_ASSERT_ISNT(i < 2);
865 return ((i > 1) ? 1 : 0);
866 }
867
868 int SSL_CTX_set_session_id_context(SSL_CTX *ctx, const unsigned char *sid_ctx,
869 unsigned int sid_ctx_len)
870 {
871 if (sid_ctx_len > SSL_MAX_SID_CTX_LENGTH) {
872 SSLerr(SSL_F_SSL_CTX_SET_SESSION_ID_CONTEXT,
873 SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG);
874 return 0;
875 }
876 ctx->sid_ctx_length = sid_ctx_len;
877 memcpy(ctx->sid_ctx, sid_ctx, sid_ctx_len);
878
879 return 1;
880 }
881
882 int SSL_set_session_id_context(SSL *ssl, const unsigned char *sid_ctx,
883 unsigned int sid_ctx_len)
884 {
885 if (sid_ctx_len > SSL_MAX_SID_CTX_LENGTH) {
886 SSLerr(SSL_F_SSL_SET_SESSION_ID_CONTEXT,
887 SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG);
888 return 0;
889 }
890 ssl->sid_ctx_length = sid_ctx_len;
891 memcpy(ssl->sid_ctx, sid_ctx, sid_ctx_len);
892
893 return 1;
894 }
895
896 int SSL_CTX_set_generate_session_id(SSL_CTX *ctx, GEN_SESSION_CB cb)
897 {
898 CRYPTO_THREAD_write_lock(ctx->lock);
899 ctx->generate_session_id = cb;
900 CRYPTO_THREAD_unlock(ctx->lock);
901 return 1;
902 }
903
904 int SSL_set_generate_session_id(SSL *ssl, GEN_SESSION_CB cb)
905 {
906 CRYPTO_THREAD_write_lock(ssl->lock);
907 ssl->generate_session_id = cb;
908 CRYPTO_THREAD_unlock(ssl->lock);
909 return 1;
910 }
911
912 int SSL_has_matching_session_id(const SSL *ssl, const unsigned char *id,
913 unsigned int id_len)
914 {
915 /*
916 * A quick examination of SSL_SESSION_hash and SSL_SESSION_cmp shows how
917 * we can "construct" a session to give us the desired check - i.e. to
918 * find if there's a session in the hash table that would conflict with
919 * any new session built out of this id/id_len and the ssl_version in use
920 * by this SSL.
921 */
922 SSL_SESSION r, *p;
923
924 if (id_len > sizeof(r.session_id))
925 return 0;
926
927 r.ssl_version = ssl->version;
928 r.session_id_length = id_len;
929 memcpy(r.session_id, id, id_len);
930
931 CRYPTO_THREAD_read_lock(ssl->session_ctx->lock);
932 p = lh_SSL_SESSION_retrieve(ssl->session_ctx->sessions, &r);
933 CRYPTO_THREAD_unlock(ssl->session_ctx->lock);
934 return (p != NULL);
935 }
936
937 int SSL_CTX_set_purpose(SSL_CTX *s, int purpose)
938 {
939 return X509_VERIFY_PARAM_set_purpose(s->param, purpose);
940 }
941
942 int SSL_set_purpose(SSL *s, int purpose)
943 {
944 return X509_VERIFY_PARAM_set_purpose(s->param, purpose);
945 }
946
947 int SSL_CTX_set_trust(SSL_CTX *s, int trust)
948 {
949 return X509_VERIFY_PARAM_set_trust(s->param, trust);
950 }
951
952 int SSL_set_trust(SSL *s, int trust)
953 {
954 return X509_VERIFY_PARAM_set_trust(s->param, trust);
955 }
956
957 int SSL_set1_host(SSL *s, const char *hostname)
958 {
959 /* If a hostname is provided and parses as an IP address,
960 * treat it as such. */
961 if (hostname && X509_VERIFY_PARAM_set1_ip_asc(s->param, hostname) == 1)
962 return 1;
963
964 return X509_VERIFY_PARAM_set1_host(s->param, hostname, 0);
965 }
966
967 int SSL_add1_host(SSL *s, const char *hostname)
968 {
969 /* If a hostname is provided and parses as an IP address,
970 * treat it as such. */
971 if (hostname)
972 {
973 ASN1_OCTET_STRING *ip;
974 char *old_ip;
975
976 ip = a2i_IPADDRESS(hostname);
977 if (ip) {
978 /* We didn't want it; only to check if it *is* an IP address */
979 ASN1_OCTET_STRING_free(ip);
980
981 old_ip = X509_VERIFY_PARAM_get1_ip_asc(s->param);
982 if (old_ip)
983 {
984 free(old_ip);
985 /* There can be only one IP address */
986 return 0;
987 }
988
989 return X509_VERIFY_PARAM_set1_ip_asc(s->param, hostname);
990 }
991 }
992
993 return X509_VERIFY_PARAM_add1_host(s->param, hostname, 0);
994 }
995
996 void SSL_set_hostflags(SSL *s, unsigned int flags)
997 {
998 X509_VERIFY_PARAM_set_hostflags(s->param, flags);
999 }
1000
1001 const char *SSL_get0_peername(SSL *s)
1002 {
1003 return X509_VERIFY_PARAM_get0_peername(s->param);
1004 }
1005
1006 int SSL_CTX_dane_enable(SSL_CTX *ctx)
1007 {
1008 return dane_ctx_enable(&ctx->dane);
1009 }
1010
1011 unsigned long SSL_CTX_dane_set_flags(SSL_CTX *ctx, unsigned long flags)
1012 {
1013 unsigned long orig = ctx->dane.flags;
1014
1015 ctx->dane.flags |= flags;
1016 return orig;
1017 }
1018
1019 unsigned long SSL_CTX_dane_clear_flags(SSL_CTX *ctx, unsigned long flags)
1020 {
1021 unsigned long orig = ctx->dane.flags;
1022
1023 ctx->dane.flags &= ~flags;
1024 return orig;
1025 }
1026
1027 int SSL_dane_enable(SSL *s, const char *basedomain)
1028 {
1029 SSL_DANE *dane = &s->dane;
1030
1031 if (s->ctx->dane.mdmax == 0) {
1032 SSLerr(SSL_F_SSL_DANE_ENABLE, SSL_R_CONTEXT_NOT_DANE_ENABLED);
1033 return 0;
1034 }
1035 if (dane->trecs != NULL) {
1036 SSLerr(SSL_F_SSL_DANE_ENABLE, SSL_R_DANE_ALREADY_ENABLED);
1037 return 0;
1038 }
1039
1040 /*
1041 * Default SNI name. This rejects empty names, while set1_host below
1042 * accepts them and disables host name checks. To avoid side-effects with
1043 * invalid input, set the SNI name first.
1044 */
1045 if (s->ext.hostname == NULL) {
1046 if (!SSL_set_tlsext_host_name(s, basedomain)) {
1047 SSLerr(SSL_F_SSL_DANE_ENABLE, SSL_R_ERROR_SETTING_TLSA_BASE_DOMAIN);
1048 return -1;
1049 }
1050 }
1051
1052 /* Primary RFC6125 reference identifier */
1053 if (!X509_VERIFY_PARAM_set1_host(s->param, basedomain, 0)) {
1054 SSLerr(SSL_F_SSL_DANE_ENABLE, SSL_R_ERROR_SETTING_TLSA_BASE_DOMAIN);
1055 return -1;
1056 }
1057
1058 dane->mdpth = -1;
1059 dane->pdpth = -1;
1060 dane->dctx = &s->ctx->dane;
1061 dane->trecs = sk_danetls_record_new_null();
1062
1063 if (dane->trecs == NULL) {
1064 SSLerr(SSL_F_SSL_DANE_ENABLE, ERR_R_MALLOC_FAILURE);
1065 return -1;
1066 }
1067 return 1;
1068 }
1069
1070 unsigned long SSL_dane_set_flags(SSL *ssl, unsigned long flags)
1071 {
1072 unsigned long orig = ssl->dane.flags;
1073
1074 ssl->dane.flags |= flags;
1075 return orig;
1076 }
1077
1078 unsigned long SSL_dane_clear_flags(SSL *ssl, unsigned long flags)
1079 {
1080 unsigned long orig = ssl->dane.flags;
1081
1082 ssl->dane.flags &= ~flags;
1083 return orig;
1084 }
1085
1086 int SSL_get0_dane_authority(SSL *s, X509 **mcert, EVP_PKEY **mspki)
1087 {
1088 SSL_DANE *dane = &s->dane;
1089
1090 if (!DANETLS_ENABLED(dane) || s->verify_result != X509_V_OK)
1091 return -1;
1092 if (dane->mtlsa) {
1093 if (mcert)
1094 *mcert = dane->mcert;
1095 if (mspki)
1096 *mspki = (dane->mcert == NULL) ? dane->mtlsa->spki : NULL;
1097 }
1098 return dane->mdpth;
1099 }
1100
1101 int SSL_get0_dane_tlsa(SSL *s, uint8_t *usage, uint8_t *selector,
1102 uint8_t *mtype, unsigned const char **data, size_t *dlen)
1103 {
1104 SSL_DANE *dane = &s->dane;
1105
1106 if (!DANETLS_ENABLED(dane) || s->verify_result != X509_V_OK)
1107 return -1;
1108 if (dane->mtlsa) {
1109 if (usage)
1110 *usage = dane->mtlsa->usage;
1111 if (selector)
1112 *selector = dane->mtlsa->selector;
1113 if (mtype)
1114 *mtype = dane->mtlsa->mtype;
1115 if (data)
1116 *data = dane->mtlsa->data;
1117 if (dlen)
1118 *dlen = dane->mtlsa->dlen;
1119 }
1120 return dane->mdpth;
1121 }
1122
1123 SSL_DANE *SSL_get0_dane(SSL *s)
1124 {
1125 return &s->dane;
1126 }
1127
1128 int SSL_dane_tlsa_add(SSL *s, uint8_t usage, uint8_t selector,
1129 uint8_t mtype, unsigned const char *data, size_t dlen)
1130 {
1131 return dane_tlsa_add(&s->dane, usage, selector, mtype, data, dlen);
1132 }
1133
1134 int SSL_CTX_dane_mtype_set(SSL_CTX *ctx, const EVP_MD *md, uint8_t mtype,
1135 uint8_t ord)
1136 {
1137 return dane_mtype_set(&ctx->dane, md, mtype, ord);
1138 }
1139
1140 int SSL_CTX_set1_param(SSL_CTX *ctx, X509_VERIFY_PARAM *vpm)
1141 {
1142 return X509_VERIFY_PARAM_set1(ctx->param, vpm);
1143 }
1144
1145 int SSL_set1_param(SSL *ssl, X509_VERIFY_PARAM *vpm)
1146 {
1147 return X509_VERIFY_PARAM_set1(ssl->param, vpm);
1148 }
1149
1150 X509_VERIFY_PARAM *SSL_CTX_get0_param(SSL_CTX *ctx)
1151 {
1152 return ctx->param;
1153 }
1154
1155 X509_VERIFY_PARAM *SSL_get0_param(SSL *ssl)
1156 {
1157 return ssl->param;
1158 }
1159
1160 void SSL_certs_clear(SSL *s)
1161 {
1162 ssl_cert_clear_certs(s->cert);
1163 }
1164
1165 void SSL_free(SSL *s)
1166 {
1167 int i;
1168
1169 if (s == NULL)
1170 return;
1171 CRYPTO_DOWN_REF(&s->references, &i, s->lock);
1172 REF_PRINT_COUNT("SSL", s);
1173 if (i > 0)
1174 return;
1175 REF_ASSERT_ISNT(i < 0);
1176
1177 X509_VERIFY_PARAM_free(s->param);
1178 dane_final(&s->dane);
1179 CRYPTO_free_ex_data(CRYPTO_EX_INDEX_SSL, s, &s->ex_data);
1180
1181 RECORD_LAYER_release(&s->rlayer);
1182
1183 /* Ignore return value */
1184 ssl_free_wbio_buffer(s);
1185
1186 BIO_free_all(s->wbio);
1187 s->wbio = NULL;
1188 BIO_free_all(s->rbio);
1189 s->rbio = NULL;
1190
1191 BUF_MEM_free(s->init_buf);
1192
1193 /* add extra stuff */
1194 sk_SSL_CIPHER_free(s->cipher_list);
1195 sk_SSL_CIPHER_free(s->cipher_list_by_id);
1196 sk_SSL_CIPHER_free(s->tls13_ciphersuites);
1197 sk_SSL_CIPHER_free(s->peer_ciphers);
1198
1199 /* Make the next call work :-) */
1200 if (s->session != NULL) {
1201 ssl_clear_bad_session(s);
1202 SSL_SESSION_free(s->session);
1203 }
1204 SSL_SESSION_free(s->psksession);
1205 OPENSSL_free(s->psksession_id);
1206
1207 clear_ciphers(s);
1208
1209 ssl_cert_free(s->cert);
1210 OPENSSL_free(s->shared_sigalgs);
1211 /* Free up if allocated */
1212
1213 OPENSSL_free(s->ext.hostname);
1214 SSL_CTX_free(s->session_ctx);
1215 #ifndef OPENSSL_NO_EC
1216 OPENSSL_free(s->ext.ecpointformats);
1217 OPENSSL_free(s->ext.peer_ecpointformats);
1218 #endif /* OPENSSL_NO_EC */
1219 OPENSSL_free(s->ext.supportedgroups);
1220 OPENSSL_free(s->ext.peer_supportedgroups);
1221 sk_X509_EXTENSION_pop_free(s->ext.ocsp.exts, X509_EXTENSION_free);
1222 #ifndef OPENSSL_NO_OCSP
1223 sk_OCSP_RESPID_pop_free(s->ext.ocsp.ids, OCSP_RESPID_free);
1224 #endif
1225 #ifndef OPENSSL_NO_CT
1226 SCT_LIST_free(s->scts);
1227 OPENSSL_free(s->ext.scts);
1228 #endif
1229 OPENSSL_free(s->ext.ocsp.resp);
1230 OPENSSL_free(s->ext.alpn);
1231 OPENSSL_free(s->ext.tls13_cookie);
1232 if (s->clienthello != NULL)
1233 OPENSSL_free(s->clienthello->pre_proc_exts);
1234 OPENSSL_free(s->clienthello);
1235 OPENSSL_free(s->pha_context);
1236 EVP_MD_CTX_free(s->pha_dgst);
1237
1238 sk_X509_NAME_pop_free(s->ca_names, X509_NAME_free);
1239 sk_X509_NAME_pop_free(s->client_ca_names, X509_NAME_free);
1240
1241 sk_X509_pop_free(s->verified_chain, X509_free);
1242
1243 if (s->method != NULL)
1244 s->method->ssl_free(s);
1245
1246 SSL_CTX_free(s->ctx);
1247
1248 ASYNC_WAIT_CTX_free(s->waitctx);
1249
1250 #if !defined(OPENSSL_NO_NEXTPROTONEG)
1251 OPENSSL_free(s->ext.npn);
1252 #endif
1253
1254 #ifndef OPENSSL_NO_SRTP
1255 sk_SRTP_PROTECTION_PROFILE_free(s->srtp_profiles);
1256 #endif
1257
1258 CRYPTO_THREAD_lock_free(s->lock);
1259
1260 OPENSSL_free(s);
1261 }
1262
1263 void SSL_set0_rbio(SSL *s, BIO *rbio)
1264 {
1265 BIO_free_all(s->rbio);
1266 s->rbio = rbio;
1267 }
1268
1269 void SSL_set0_wbio(SSL *s, BIO *wbio)
1270 {
1271 /*
1272 * If the output buffering BIO is still in place, remove it
1273 */
1274 if (s->bbio != NULL)
1275 s->wbio = BIO_pop(s->wbio);
1276
1277 BIO_free_all(s->wbio);
1278 s->wbio = wbio;
1279
1280 /* Re-attach |bbio| to the new |wbio|. */
1281 if (s->bbio != NULL)
1282 s->wbio = BIO_push(s->bbio, s->wbio);
1283 }
1284
1285 void SSL_set_bio(SSL *s, BIO *rbio, BIO *wbio)
1286 {
1287 /*
1288 * For historical reasons, this function has many different cases in
1289 * ownership handling.
1290 */
1291
1292 /* If nothing has changed, do nothing */
1293 if (rbio == SSL_get_rbio(s) && wbio == SSL_get_wbio(s))
1294 return;
1295
1296 /*
1297 * If the two arguments are equal then one fewer reference is granted by the
1298 * caller than we want to take
1299 */
1300 if (rbio != NULL && rbio == wbio)
1301 BIO_up_ref(rbio);
1302
1303 /*
1304 * If only the wbio is changed only adopt one reference.
1305 */
1306 if (rbio == SSL_get_rbio(s)) {
1307 SSL_set0_wbio(s, wbio);
1308 return;
1309 }
1310 /*
1311 * There is an asymmetry here for historical reasons. If only the rbio is
1312 * changed AND the rbio and wbio were originally different, then we only
1313 * adopt one reference.
1314 */
1315 if (wbio == SSL_get_wbio(s) && SSL_get_rbio(s) != SSL_get_wbio(s)) {
1316 SSL_set0_rbio(s, rbio);
1317 return;
1318 }
1319
1320 /* Otherwise, adopt both references. */
1321 SSL_set0_rbio(s, rbio);
1322 SSL_set0_wbio(s, wbio);
1323 }
1324
1325 BIO *SSL_get_rbio(const SSL *s)
1326 {
1327 return s->rbio;
1328 }
1329
1330 BIO *SSL_get_wbio(const SSL *s)
1331 {
1332 if (s->bbio != NULL) {
1333 /*
1334 * If |bbio| is active, the true caller-configured BIO is its
1335 * |next_bio|.
1336 */
1337 return BIO_next(s->bbio);
1338 }
1339 return s->wbio;
1340 }
1341
1342 int SSL_get_fd(const SSL *s)
1343 {
1344 return SSL_get_rfd(s);
1345 }
1346
1347 int SSL_get_rfd(const SSL *s)
1348 {
1349 int ret = -1;
1350 BIO *b, *r;
1351
1352 b = SSL_get_rbio(s);
1353 r = BIO_find_type(b, BIO_TYPE_DESCRIPTOR);
1354 if (r != NULL)
1355 BIO_get_fd(r, &ret);
1356 return ret;
1357 }
1358
1359 int SSL_get_wfd(const SSL *s)
1360 {
1361 int ret = -1;
1362 BIO *b, *r;
1363
1364 b = SSL_get_wbio(s);
1365 r = BIO_find_type(b, BIO_TYPE_DESCRIPTOR);
1366 if (r != NULL)
1367 BIO_get_fd(r, &ret);
1368 return ret;
1369 }
1370
1371 #ifndef OPENSSL_NO_SOCK
1372 int SSL_set_fd(SSL *s, int fd)
1373 {
1374 int ret = 0;
1375 BIO *bio = NULL;
1376
1377 bio = BIO_new(BIO_s_socket());
1378
1379 if (bio == NULL) {
1380 SSLerr(SSL_F_SSL_SET_FD, ERR_R_BUF_LIB);
1381 goto err;
1382 }
1383 BIO_set_fd(bio, fd, BIO_NOCLOSE);
1384 SSL_set_bio(s, bio, bio);
1385 #ifndef OPENSSL_NO_KTLS
1386 /*
1387 * The new socket is created successfully regardless of ktls_enable.
1388 * ktls_enable doesn't change any functionality of the socket, except
1389 * changing the setsockopt to enable the processing of ktls_start.
1390 * Thus, it is not a problem to call it for non-TLS sockets.
1391 */
1392 ktls_enable(fd);
1393 #endif /* OPENSSL_NO_KTLS */
1394 ret = 1;
1395 err:
1396 return ret;
1397 }
1398
1399 int SSL_set_wfd(SSL *s, int fd)
1400 {
1401 BIO *rbio = SSL_get_rbio(s);
1402
1403 if (rbio == NULL || BIO_method_type(rbio) != BIO_TYPE_SOCKET
1404 || (int)BIO_get_fd(rbio, NULL) != fd) {
1405 BIO *bio = BIO_new(BIO_s_socket());
1406
1407 if (bio == NULL) {
1408 SSLerr(SSL_F_SSL_SET_WFD, ERR_R_BUF_LIB);
1409 return 0;
1410 }
1411 BIO_set_fd(bio, fd, BIO_NOCLOSE);
1412 SSL_set0_wbio(s, bio);
1413 #ifndef OPENSSL_NO_KTLS
1414 /*
1415 * The new socket is created successfully regardless of ktls_enable.
1416 * ktls_enable doesn't change any functionality of the socket, except
1417 * changing the setsockopt to enable the processing of ktls_start.
1418 * Thus, it is not a problem to call it for non-TLS sockets.
1419 */
1420 ktls_enable(fd);
1421 #endif /* OPENSSL_NO_KTLS */
1422 } else {
1423 BIO_up_ref(rbio);
1424 SSL_set0_wbio(s, rbio);
1425 }
1426 return 1;
1427 }
1428
1429 int SSL_set_rfd(SSL *s, int fd)
1430 {
1431 BIO *wbio = SSL_get_wbio(s);
1432
1433 if (wbio == NULL || BIO_method_type(wbio) != BIO_TYPE_SOCKET
1434 || ((int)BIO_get_fd(wbio, NULL) != fd)) {
1435 BIO *bio = BIO_new(BIO_s_socket());
1436
1437 if (bio == NULL) {
1438 SSLerr(SSL_F_SSL_SET_RFD, ERR_R_BUF_LIB);
1439 return 0;
1440 }
1441 BIO_set_fd(bio, fd, BIO_NOCLOSE);
1442 SSL_set0_rbio(s, bio);
1443 } else {
1444 BIO_up_ref(wbio);
1445 SSL_set0_rbio(s, wbio);
1446 }
1447
1448 return 1;
1449 }
1450 #endif
1451
1452 /* return length of latest Finished message we sent, copy to 'buf' */
1453 size_t SSL_get_finished(const SSL *s, void *buf, size_t count)
1454 {
1455 size_t ret = 0;
1456
1457 ret = s->s3.tmp.finish_md_len;
1458 if (count > ret)
1459 count = ret;
1460 memcpy(buf, s->s3.tmp.finish_md, count);
1461 return ret;
1462 }
1463
1464 /* return length of latest Finished message we expected, copy to 'buf' */
1465 size_t SSL_get_peer_finished(const SSL *s, void *buf, size_t count)
1466 {
1467 size_t ret = 0;
1468
1469 ret = s->s3.tmp.peer_finish_md_len;
1470 if (count > ret)
1471 count = ret;
1472 memcpy(buf, s->s3.tmp.peer_finish_md, count);
1473 return ret;
1474 }
1475
1476 int SSL_get_verify_mode(const SSL *s)
1477 {
1478 return s->verify_mode;
1479 }
1480
1481 int SSL_get_verify_depth(const SSL *s)
1482 {
1483 return X509_VERIFY_PARAM_get_depth(s->param);
1484 }
1485
1486 int (*SSL_get_verify_callback(const SSL *s)) (int, X509_STORE_CTX *) {
1487 return s->verify_callback;
1488 }
1489
1490 int SSL_CTX_get_verify_mode(const SSL_CTX *ctx)
1491 {
1492 return ctx->verify_mode;
1493 }
1494
1495 int SSL_CTX_get_verify_depth(const SSL_CTX *ctx)
1496 {
1497 return X509_VERIFY_PARAM_get_depth(ctx->param);
1498 }
1499
1500 int (*SSL_CTX_get_verify_callback(const SSL_CTX *ctx)) (int, X509_STORE_CTX *) {
1501 return ctx->default_verify_callback;
1502 }
1503
1504 void SSL_set_verify(SSL *s, int mode,
1505 int (*callback) (int ok, X509_STORE_CTX *ctx))
1506 {
1507 s->verify_mode = mode;
1508 if (callback != NULL)
1509 s->verify_callback = callback;
1510 }
1511
1512 void SSL_set_verify_depth(SSL *s, int depth)
1513 {
1514 X509_VERIFY_PARAM_set_depth(s->param, depth);
1515 }
1516
1517 void SSL_set_read_ahead(SSL *s, int yes)
1518 {
1519 RECORD_LAYER_set_read_ahead(&s->rlayer, yes);
1520 }
1521
1522 int SSL_get_read_ahead(const SSL *s)
1523 {
1524 return RECORD_LAYER_get_read_ahead(&s->rlayer);
1525 }
1526
1527 int SSL_pending(const SSL *s)
1528 {
1529 size_t pending = s->method->ssl_pending(s);
1530
1531 /*
1532 * SSL_pending cannot work properly if read-ahead is enabled
1533 * (SSL_[CTX_]ctrl(..., SSL_CTRL_SET_READ_AHEAD, 1, NULL)), and it is
1534 * impossible to fix since SSL_pending cannot report errors that may be
1535 * observed while scanning the new data. (Note that SSL_pending() is
1536 * often used as a boolean value, so we'd better not return -1.)
1537 *
1538 * SSL_pending also cannot work properly if the value >INT_MAX. In that case
1539 * we just return INT_MAX.
1540 */
1541 return pending < INT_MAX ? (int)pending : INT_MAX;
1542 }
1543
1544 int SSL_has_pending(const SSL *s)
1545 {
1546 /*
1547 * Similar to SSL_pending() but returns a 1 to indicate that we have
1548 * unprocessed data available or 0 otherwise (as opposed to the number of
1549 * bytes available). Unlike SSL_pending() this will take into account
1550 * read_ahead data. A 1 return simply indicates that we have unprocessed
1551 * data. That data may not result in any application data, or we may fail
1552 * to parse the records for some reason.
1553 */
1554 if (RECORD_LAYER_processed_read_pending(&s->rlayer))
1555 return 1;
1556
1557 return RECORD_LAYER_read_pending(&s->rlayer);
1558 }
1559
1560 X509 *SSL_get1_peer_certificate(const SSL *s)
1561 {
1562 X509 *r = SSL_get0_peer_certificate(s);
1563
1564 if (r != NULL)
1565 X509_up_ref(r);
1566
1567 return r;
1568 }
1569
1570 X509 *SSL_get0_peer_certificate(const SSL *s)
1571 {
1572 if ((s == NULL) || (s->session == NULL))
1573 return NULL;
1574 else
1575 return s->session->peer;
1576 }
1577
1578 STACK_OF(X509) *SSL_get_peer_cert_chain(const SSL *s)
1579 {
1580 STACK_OF(X509) *r;
1581
1582 if ((s == NULL) || (s->session == NULL))
1583 r = NULL;
1584 else
1585 r = s->session->peer_chain;
1586
1587 /*
1588 * If we are a client, cert_chain includes the peer's own certificate; if
1589 * we are a server, it does not.
1590 */
1591
1592 return r;
1593 }
1594
1595 /*
1596 * Now in theory, since the calling process own 't' it should be safe to
1597 * modify. We need to be able to read f without being hassled
1598 */
1599 int SSL_copy_session_id(SSL *t, const SSL *f)
1600 {
1601 int i;
1602 /* Do we need to to SSL locking? */
1603 if (!SSL_set_session(t, SSL_get_session(f))) {
1604 return 0;
1605 }
1606
1607 /*
1608 * what if we are setup for one protocol version but want to talk another
1609 */
1610 if (t->method != f->method) {
1611 t->method->ssl_free(t);
1612 t->method = f->method;
1613 if (t->method->ssl_new(t) == 0)
1614 return 0;
1615 }
1616
1617 CRYPTO_UP_REF(&f->cert->references, &i, f->cert->lock);
1618 ssl_cert_free(t->cert);
1619 t->cert = f->cert;
1620 if (!SSL_set_session_id_context(t, f->sid_ctx, (int)f->sid_ctx_length)) {
1621 return 0;
1622 }
1623
1624 return 1;
1625 }
1626
1627 /* Fix this so it checks all the valid key/cert options */
1628 int SSL_CTX_check_private_key(const SSL_CTX *ctx)
1629 {
1630 if ((ctx == NULL) || (ctx->cert->key->x509 == NULL)) {
1631 SSLerr(SSL_F_SSL_CTX_CHECK_PRIVATE_KEY, SSL_R_NO_CERTIFICATE_ASSIGNED);
1632 return 0;
1633 }
1634 if (ctx->cert->key->privatekey == NULL) {
1635 SSLerr(SSL_F_SSL_CTX_CHECK_PRIVATE_KEY, SSL_R_NO_PRIVATE_KEY_ASSIGNED);
1636 return 0;
1637 }
1638 return X509_check_private_key
1639 (ctx->cert->key->x509, ctx->cert->key->privatekey);
1640 }
1641
1642 /* Fix this function so that it takes an optional type parameter */
1643 int SSL_check_private_key(const SSL *ssl)
1644 {
1645 if (ssl == NULL) {
1646 SSLerr(SSL_F_SSL_CHECK_PRIVATE_KEY, ERR_R_PASSED_NULL_PARAMETER);
1647 return 0;
1648 }
1649 if (ssl->cert->key->x509 == NULL) {
1650 SSLerr(SSL_F_SSL_CHECK_PRIVATE_KEY, SSL_R_NO_CERTIFICATE_ASSIGNED);
1651 return 0;
1652 }
1653 if (ssl->cert->key->privatekey == NULL) {
1654 SSLerr(SSL_F_SSL_CHECK_PRIVATE_KEY, SSL_R_NO_PRIVATE_KEY_ASSIGNED);
1655 return 0;
1656 }
1657 return X509_check_private_key(ssl->cert->key->x509,
1658 ssl->cert->key->privatekey);
1659 }
1660
1661 int SSL_waiting_for_async(SSL *s)
1662 {
1663 if (s->job)
1664 return 1;
1665
1666 return 0;
1667 }
1668
1669 int SSL_get_all_async_fds(SSL *s, OSSL_ASYNC_FD *fds, size_t *numfds)
1670 {
1671 ASYNC_WAIT_CTX *ctx = s->waitctx;
1672
1673 if (ctx == NULL)
1674 return 0;
1675 return ASYNC_WAIT_CTX_get_all_fds(ctx, fds, numfds);
1676 }
1677
1678 int SSL_get_changed_async_fds(SSL *s, OSSL_ASYNC_FD *addfd, size_t *numaddfds,
1679 OSSL_ASYNC_FD *delfd, size_t *numdelfds)
1680 {
1681 ASYNC_WAIT_CTX *ctx = s->waitctx;
1682
1683 if (ctx == NULL)
1684 return 0;
1685 return ASYNC_WAIT_CTX_get_changed_fds(ctx, addfd, numaddfds, delfd,
1686 numdelfds);
1687 }
1688
1689 int SSL_CTX_set_async_callback(SSL_CTX *ctx, SSL_async_callback_fn callback)
1690 {
1691 ctx->async_cb = callback;
1692 return 1;
1693 }
1694
1695 int SSL_CTX_set_async_callback_arg(SSL_CTX *ctx, void *arg)
1696 {
1697 ctx->async_cb_arg = arg;
1698 return 1;
1699 }
1700
1701 int SSL_set_async_callback(SSL *s, SSL_async_callback_fn callback)
1702 {
1703 s->async_cb = callback;
1704 return 1;
1705 }
1706
1707 int SSL_set_async_callback_arg(SSL *s, void *arg)
1708 {
1709 s->async_cb_arg = arg;
1710 return 1;
1711 }
1712
1713 int SSL_get_async_status(SSL *s, int *status)
1714 {
1715 ASYNC_WAIT_CTX *ctx = s->waitctx;
1716
1717 if (ctx == NULL)
1718 return 0;
1719 *status = ASYNC_WAIT_CTX_get_status(ctx);
1720 return 1;
1721 }
1722
1723 int SSL_accept(SSL *s)
1724 {
1725 if (s->handshake_func == NULL) {
1726 /* Not properly initialized yet */
1727 SSL_set_accept_state(s);
1728 }
1729
1730 return SSL_do_handshake(s);
1731 }
1732
1733 int SSL_connect(SSL *s)
1734 {
1735 if (s->handshake_func == NULL) {
1736 /* Not properly initialized yet */
1737 SSL_set_connect_state(s);
1738 }
1739
1740 return SSL_do_handshake(s);
1741 }
1742
1743 long SSL_get_default_timeout(const SSL *s)
1744 {
1745 return s->method->get_timeout();
1746 }
1747
1748 static int ssl_async_wait_ctx_cb(void *arg)
1749 {
1750 SSL *s = (SSL *)arg;
1751
1752 return s->async_cb(s, s->async_cb_arg);
1753 }
1754
1755 static int ssl_start_async_job(SSL *s, struct ssl_async_args *args,
1756 int (*func) (void *))
1757 {
1758 int ret;
1759 if (s->waitctx == NULL) {
1760 s->waitctx = ASYNC_WAIT_CTX_new();
1761 if (s->waitctx == NULL)
1762 return -1;
1763 if (s->async_cb != NULL
1764 && !ASYNC_WAIT_CTX_set_callback
1765 (s->waitctx, ssl_async_wait_ctx_cb, s))
1766 return -1;
1767 }
1768 switch (ASYNC_start_job(&s->job, s->waitctx, &ret, func, args,
1769 sizeof(struct ssl_async_args))) {
1770 case ASYNC_ERR:
1771 s->rwstate = SSL_NOTHING;
1772 SSLerr(SSL_F_SSL_START_ASYNC_JOB, SSL_R_FAILED_TO_INIT_ASYNC);
1773 return -1;
1774 case ASYNC_PAUSE:
1775 s->rwstate = SSL_ASYNC_PAUSED;
1776 return -1;
1777 case ASYNC_NO_JOBS:
1778 s->rwstate = SSL_ASYNC_NO_JOBS;
1779 return -1;
1780 case ASYNC_FINISH:
1781 s->job = NULL;
1782 return ret;
1783 default:
1784 s->rwstate = SSL_NOTHING;
1785 SSLerr(SSL_F_SSL_START_ASYNC_JOB, ERR_R_INTERNAL_ERROR);
1786 /* Shouldn't happen */
1787 return -1;
1788 }
1789 }
1790
1791 static int ssl_io_intern(void *vargs)
1792 {
1793 struct ssl_async_args *args;
1794 SSL *s;
1795 void *buf;
1796 size_t num;
1797
1798 args = (struct ssl_async_args *)vargs;
1799 s = args->s;
1800 buf = args->buf;
1801 num = args->num;
1802 switch (args->type) {
1803 case READFUNC:
1804 return args->f.func_read(s, buf, num, &s->asyncrw);
1805 case WRITEFUNC:
1806 return args->f.func_write(s, buf, num, &s->asyncrw);
1807 case OTHERFUNC:
1808 return args->f.func_other(s);
1809 }
1810 return -1;
1811 }
1812
1813 int ssl_read_internal(SSL *s, void *buf, size_t num, size_t *readbytes)
1814 {
1815 if (s->handshake_func == NULL) {
1816 SSLerr(SSL_F_SSL_READ_INTERNAL, SSL_R_UNINITIALIZED);
1817 return -1;
1818 }
1819
1820 if (s->shutdown & SSL_RECEIVED_SHUTDOWN) {
1821 s->rwstate = SSL_NOTHING;
1822 return 0;
1823 }
1824
1825 if (s->early_data_state == SSL_EARLY_DATA_CONNECT_RETRY
1826 || s->early_data_state == SSL_EARLY_DATA_ACCEPT_RETRY) {
1827 SSLerr(SSL_F_SSL_READ_INTERNAL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
1828 return 0;
1829 }
1830 /*
1831 * If we are a client and haven't received the ServerHello etc then we
1832 * better do that
1833 */
1834 ossl_statem_check_finish_init(s, 0);
1835
1836 if ((s->mode & SSL_MODE_ASYNC) && ASYNC_get_current_job() == NULL) {
1837 struct ssl_async_args args;
1838 int ret;
1839
1840 args.s = s;
1841 args.buf = buf;
1842 args.num = num;
1843 args.type = READFUNC;
1844 args.f.func_read = s->method->ssl_read;
1845
1846 ret = ssl_start_async_job(s, &args, ssl_io_intern);
1847 *readbytes = s->asyncrw;
1848 return ret;
1849 } else {
1850 return s->method->ssl_read(s, buf, num, readbytes);
1851 }
1852 }
1853
1854 int SSL_read(SSL *s, void *buf, int num)
1855 {
1856 int ret;
1857 size_t readbytes;
1858
1859 if (num < 0) {
1860 SSLerr(SSL_F_SSL_READ, SSL_R_BAD_LENGTH);
1861 return -1;
1862 }
1863
1864 ret = ssl_read_internal(s, buf, (size_t)num, &readbytes);
1865
1866 /*
1867 * The cast is safe here because ret should be <= INT_MAX because num is
1868 * <= INT_MAX
1869 */
1870 if (ret > 0)
1871 ret = (int)readbytes;
1872
1873 return ret;
1874 }
1875
1876 int SSL_read_ex(SSL *s, void *buf, size_t num, size_t *readbytes)
1877 {
1878 int ret = ssl_read_internal(s, buf, num, readbytes);
1879
1880 if (ret < 0)
1881 ret = 0;
1882 return ret;
1883 }
1884
1885 int SSL_read_early_data(SSL *s, void *buf, size_t num, size_t *readbytes)
1886 {
1887 int ret;
1888
1889 if (!s->server) {
1890 SSLerr(SSL_F_SSL_READ_EARLY_DATA, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
1891 return SSL_READ_EARLY_DATA_ERROR;
1892 }
1893
1894 switch (s->early_data_state) {
1895 case SSL_EARLY_DATA_NONE:
1896 if (!SSL_in_before(s)) {
1897 SSLerr(SSL_F_SSL_READ_EARLY_DATA,
1898 ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
1899 return SSL_READ_EARLY_DATA_ERROR;
1900 }
1901 /* fall through */
1902
1903 case SSL_EARLY_DATA_ACCEPT_RETRY:
1904 s->early_data_state = SSL_EARLY_DATA_ACCEPTING;
1905 ret = SSL_accept(s);
1906 if (ret <= 0) {
1907 /* NBIO or error */
1908 s->early_data_state = SSL_EARLY_DATA_ACCEPT_RETRY;
1909 return SSL_READ_EARLY_DATA_ERROR;
1910 }
1911 /* fall through */
1912
1913 case SSL_EARLY_DATA_READ_RETRY:
1914 if (s->ext.early_data == SSL_EARLY_DATA_ACCEPTED) {
1915 s->early_data_state = SSL_EARLY_DATA_READING;
1916 ret = SSL_read_ex(s, buf, num, readbytes);
1917 /*
1918 * State machine will update early_data_state to
1919 * SSL_EARLY_DATA_FINISHED_READING if we get an EndOfEarlyData
1920 * message
1921 */
1922 if (ret > 0 || (ret <= 0 && s->early_data_state
1923 != SSL_EARLY_DATA_FINISHED_READING)) {
1924 s->early_data_state = SSL_EARLY_DATA_READ_RETRY;
1925 return ret > 0 ? SSL_READ_EARLY_DATA_SUCCESS
1926 : SSL_READ_EARLY_DATA_ERROR;
1927 }
1928 } else {
1929 s->early_data_state = SSL_EARLY_DATA_FINISHED_READING;
1930 }
1931 *readbytes = 0;
1932 return SSL_READ_EARLY_DATA_FINISH;
1933
1934 default:
1935 SSLerr(SSL_F_SSL_READ_EARLY_DATA, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
1936 return SSL_READ_EARLY_DATA_ERROR;
1937 }
1938 }
1939
1940 int SSL_get_early_data_status(const SSL *s)
1941 {
1942 return s->ext.early_data;
1943 }
1944
1945 static int ssl_peek_internal(SSL *s, void *buf, size_t num, size_t *readbytes)
1946 {
1947 if (s->handshake_func == NULL) {
1948 SSLerr(SSL_F_SSL_PEEK_INTERNAL, SSL_R_UNINITIALIZED);
1949 return -1;
1950 }
1951
1952 if (s->shutdown & SSL_RECEIVED_SHUTDOWN) {
1953 return 0;
1954 }
1955 if ((s->mode & SSL_MODE_ASYNC) && ASYNC_get_current_job() == NULL) {
1956 struct ssl_async_args args;
1957 int ret;
1958
1959 args.s = s;
1960 args.buf = buf;
1961 args.num = num;
1962 args.type = READFUNC;
1963 args.f.func_read = s->method->ssl_peek;
1964
1965 ret = ssl_start_async_job(s, &args, ssl_io_intern);
1966 *readbytes = s->asyncrw;
1967 return ret;
1968 } else {
1969 return s->method->ssl_peek(s, buf, num, readbytes);
1970 }
1971 }
1972
1973 int SSL_peek(SSL *s, void *buf, int num)
1974 {
1975 int ret;
1976 size_t readbytes;
1977
1978 if (num < 0) {
1979 SSLerr(SSL_F_SSL_PEEK, SSL_R_BAD_LENGTH);
1980 return -1;
1981 }
1982
1983 ret = ssl_peek_internal(s, buf, (size_t)num, &readbytes);
1984
1985 /*
1986 * The cast is safe here because ret should be <= INT_MAX because num is
1987 * <= INT_MAX
1988 */
1989 if (ret > 0)
1990 ret = (int)readbytes;
1991
1992 return ret;
1993 }
1994
1995
1996 int SSL_peek_ex(SSL *s, void *buf, size_t num, size_t *readbytes)
1997 {
1998 int ret = ssl_peek_internal(s, buf, num, readbytes);
1999
2000 if (ret < 0)
2001 ret = 0;
2002 return ret;
2003 }
2004
2005 int ssl_write_internal(SSL *s, const void *buf, size_t num, size_t *written)
2006 {
2007 if (s->handshake_func == NULL) {
2008 SSLerr(SSL_F_SSL_WRITE_INTERNAL, SSL_R_UNINITIALIZED);
2009 return -1;
2010 }
2011
2012 if (s->shutdown & SSL_SENT_SHUTDOWN) {
2013 s->rwstate = SSL_NOTHING;
2014 SSLerr(SSL_F_SSL_WRITE_INTERNAL, SSL_R_PROTOCOL_IS_SHUTDOWN);
2015 return -1;
2016 }
2017
2018 if (s->early_data_state == SSL_EARLY_DATA_CONNECT_RETRY
2019 || s->early_data_state == SSL_EARLY_DATA_ACCEPT_RETRY
2020 || s->early_data_state == SSL_EARLY_DATA_READ_RETRY) {
2021 SSLerr(SSL_F_SSL_WRITE_INTERNAL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
2022 return 0;
2023 }
2024 /* If we are a client and haven't sent the Finished we better do that */
2025 ossl_statem_check_finish_init(s, 1);
2026
2027 if ((s->mode & SSL_MODE_ASYNC) && ASYNC_get_current_job() == NULL) {
2028 int ret;
2029 struct ssl_async_args args;
2030
2031 args.s = s;
2032 args.buf = (void *)buf;
2033 args.num = num;
2034 args.type = WRITEFUNC;
2035 args.f.func_write = s->method->ssl_write;
2036
2037 ret = ssl_start_async_job(s, &args, ssl_io_intern);
2038 *written = s->asyncrw;
2039 return ret;
2040 } else {
2041 return s->method->ssl_write(s, buf, num, written);
2042 }
2043 }
2044
2045 ossl_ssize_t SSL_sendfile(SSL *s, int fd, off_t offset, size_t size, int flags)
2046 {
2047 ossl_ssize_t ret;
2048
2049 if (s->handshake_func == NULL) {
2050 SSLerr(SSL_F_SSL_SENDFILE, SSL_R_UNINITIALIZED);
2051 return -1;
2052 }
2053
2054 if (s->shutdown & SSL_SENT_SHUTDOWN) {
2055 s->rwstate = SSL_NOTHING;
2056 SSLerr(SSL_F_SSL_SENDFILE, SSL_R_PROTOCOL_IS_SHUTDOWN);
2057 return -1;
2058 }
2059
2060 if (!BIO_get_ktls_send(s->wbio)) {
2061 SSLerr(SSL_F_SSL_SENDFILE, SSL_R_UNINITIALIZED);
2062 return -1;
2063 }
2064
2065 /* If we have an alert to send, lets send it */
2066 if (s->s3.alert_dispatch) {
2067 ret = (ossl_ssize_t)s->method->ssl_dispatch_alert(s);
2068 if (ret <= 0) {
2069 /* SSLfatal() already called if appropriate */
2070 return ret;
2071 }
2072 /* if it went, fall through and send more stuff */
2073 }
2074
2075 s->rwstate = SSL_WRITING;
2076 if (BIO_flush(s->wbio) <= 0) {
2077 if (!BIO_should_retry(s->wbio)) {
2078 s->rwstate = SSL_NOTHING;
2079 } else {
2080 #ifdef EAGAIN
2081 set_sys_error(EAGAIN);
2082 #endif
2083 }
2084 return -1;
2085 }
2086
2087 #ifdef OPENSSL_NO_KTLS
2088 ERR_raise_data(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR,
2089 "can't call ktls_sendfile(), ktls disabled");
2090 return -1;
2091 #else
2092 ret = ktls_sendfile(SSL_get_wfd(s), fd, offset, size, flags);
2093 if (ret < 0) {
2094 #if defined(EAGAIN) && defined(EINTR) && defined(EBUSY)
2095 if ((get_last_sys_error() == EAGAIN) ||
2096 (get_last_sys_error() == EINTR) ||
2097 (get_last_sys_error() == EBUSY))
2098 BIO_set_retry_write(s->wbio);
2099 else
2100 #endif
2101 SSLerr(SSL_F_SSL_SENDFILE, SSL_R_UNINITIALIZED);
2102 return ret;
2103 }
2104 s->rwstate = SSL_NOTHING;
2105 return ret;
2106 #endif
2107 }
2108
2109 int SSL_write(SSL *s, const void *buf, int num)
2110 {
2111 int ret;
2112 size_t written;
2113
2114 if (num < 0) {
2115 SSLerr(SSL_F_SSL_WRITE, SSL_R_BAD_LENGTH);
2116 return -1;
2117 }
2118
2119 ret = ssl_write_internal(s, buf, (size_t)num, &written);
2120
2121 /*
2122 * The cast is safe here because ret should be <= INT_MAX because num is
2123 * <= INT_MAX
2124 */
2125 if (ret > 0)
2126 ret = (int)written;
2127
2128 return ret;
2129 }
2130
2131 int SSL_write_ex(SSL *s, const void *buf, size_t num, size_t *written)
2132 {
2133 int ret = ssl_write_internal(s, buf, num, written);
2134
2135 if (ret < 0)
2136 ret = 0;
2137 return ret;
2138 }
2139
2140 int SSL_write_early_data(SSL *s, const void *buf, size_t num, size_t *written)
2141 {
2142 int ret, early_data_state;
2143 size_t writtmp;
2144 uint32_t partialwrite;
2145
2146 switch (s->early_data_state) {
2147 case SSL_EARLY_DATA_NONE:
2148 if (s->server
2149 || !SSL_in_before(s)
2150 || ((s->session == NULL || s->session->ext.max_early_data == 0)
2151 && (s->psk_use_session_cb == NULL))) {
2152 SSLerr(SSL_F_SSL_WRITE_EARLY_DATA,
2153 ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
2154 return 0;
2155 }
2156 /* fall through */
2157
2158 case SSL_EARLY_DATA_CONNECT_RETRY:
2159 s->early_data_state = SSL_EARLY_DATA_CONNECTING;
2160 ret = SSL_connect(s);
2161 if (ret <= 0) {
2162 /* NBIO or error */
2163 s->early_data_state = SSL_EARLY_DATA_CONNECT_RETRY;
2164 return 0;
2165 }
2166 /* fall through */
2167
2168 case SSL_EARLY_DATA_WRITE_RETRY:
2169 s->early_data_state = SSL_EARLY_DATA_WRITING;
2170 /*
2171 * We disable partial write for early data because we don't keep track
2172 * of how many bytes we've written between the SSL_write_ex() call and
2173 * the flush if the flush needs to be retried)
2174 */
2175 partialwrite = s->mode & SSL_MODE_ENABLE_PARTIAL_WRITE;
2176 s->mode &= ~SSL_MODE_ENABLE_PARTIAL_WRITE;
2177 ret = SSL_write_ex(s, buf, num, &writtmp);
2178 s->mode |= partialwrite;
2179 if (!ret) {
2180 s->early_data_state = SSL_EARLY_DATA_WRITE_RETRY;
2181 return ret;
2182 }
2183 s->early_data_state = SSL_EARLY_DATA_WRITE_FLUSH;
2184 /* fall through */
2185
2186 case SSL_EARLY_DATA_WRITE_FLUSH:
2187 /* The buffering BIO is still in place so we need to flush it */
2188 if (statem_flush(s) != 1)
2189 return 0;
2190 *written = num;
2191 s->early_data_state = SSL_EARLY_DATA_WRITE_RETRY;
2192 return 1;
2193
2194 case SSL_EARLY_DATA_FINISHED_READING:
2195 case SSL_EARLY_DATA_READ_RETRY:
2196 early_data_state = s->early_data_state;
2197 /* We are a server writing to an unauthenticated client */
2198 s->early_data_state = SSL_EARLY_DATA_UNAUTH_WRITING;
2199 ret = SSL_write_ex(s, buf, num, written);
2200 /* The buffering BIO is still in place */
2201 if (ret)
2202 (void)BIO_flush(s->wbio);
2203 s->early_data_state = early_data_state;
2204 return ret;
2205
2206 default:
2207 SSLerr(SSL_F_SSL_WRITE_EARLY_DATA, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
2208 return 0;
2209 }
2210 }
2211
2212 int SSL_shutdown(SSL *s)
2213 {
2214 /*
2215 * Note that this function behaves differently from what one might
2216 * expect. Return values are 0 for no success (yet), 1 for success; but
2217 * calling it once is usually not enough, even if blocking I/O is used
2218 * (see ssl3_shutdown).
2219 */
2220
2221 if (s->handshake_func == NULL) {
2222 SSLerr(SSL_F_SSL_SHUTDOWN, SSL_R_UNINITIALIZED);
2223 return -1;
2224 }
2225
2226 if (!SSL_in_init(s)) {
2227 if ((s->mode & SSL_MODE_ASYNC) && ASYNC_get_current_job() == NULL) {
2228 struct ssl_async_args args;
2229
2230 args.s = s;
2231 args.type = OTHERFUNC;
2232 args.f.func_other = s->method->ssl_shutdown;
2233
2234 return ssl_start_async_job(s, &args, ssl_io_intern);
2235 } else {
2236 return s->method->ssl_shutdown(s);
2237 }
2238 } else {
2239 SSLerr(SSL_F_SSL_SHUTDOWN, SSL_R_SHUTDOWN_WHILE_IN_INIT);
2240 return -1;
2241 }
2242 }
2243
2244 int SSL_key_update(SSL *s, int updatetype)
2245 {
2246 /*
2247 * TODO(TLS1.3): How will applications know whether TLSv1.3 has been
2248 * negotiated, and that it is appropriate to call SSL_key_update() instead
2249 * of SSL_renegotiate().
2250 */
2251 if (!SSL_IS_TLS13(s)) {
2252 SSLerr(SSL_F_SSL_KEY_UPDATE, SSL_R_WRONG_SSL_VERSION);
2253 return 0;
2254 }
2255
2256 if (updatetype != SSL_KEY_UPDATE_NOT_REQUESTED
2257 && updatetype != SSL_KEY_UPDATE_REQUESTED) {
2258 SSLerr(SSL_F_SSL_KEY_UPDATE, SSL_R_INVALID_KEY_UPDATE_TYPE);
2259 return 0;
2260 }
2261
2262 if (!SSL_is_init_finished(s)) {
2263 SSLerr(SSL_F_SSL_KEY_UPDATE, SSL_R_STILL_IN_INIT);
2264 return 0;
2265 }
2266
2267 ossl_statem_set_in_init(s, 1);
2268 s->key_update = updatetype;
2269 return 1;
2270 }
2271
2272 int SSL_get_key_update_type(const SSL *s)
2273 {
2274 return s->key_update;
2275 }
2276
2277 int SSL_renegotiate(SSL *s)
2278 {
2279 if (SSL_IS_TLS13(s)) {
2280 SSLerr(SSL_F_SSL_RENEGOTIATE, SSL_R_WRONG_SSL_VERSION);
2281 return 0;
2282 }
2283
2284 if ((s->options & SSL_OP_NO_RENEGOTIATION)) {
2285 SSLerr(SSL_F_SSL_RENEGOTIATE, SSL_R_NO_RENEGOTIATION);
2286 return 0;
2287 }
2288
2289 s->renegotiate = 1;
2290 s->new_session = 1;
2291
2292 return s->method->ssl_renegotiate(s);
2293 }
2294
2295 int SSL_renegotiate_abbreviated(SSL *s)
2296 {
2297 if (SSL_IS_TLS13(s)) {
2298 SSLerr(SSL_F_SSL_RENEGOTIATE_ABBREVIATED, SSL_R_WRONG_SSL_VERSION);
2299 return 0;
2300 }
2301
2302 if ((s->options & SSL_OP_NO_RENEGOTIATION)) {
2303 SSLerr(SSL_F_SSL_RENEGOTIATE_ABBREVIATED, SSL_R_NO_RENEGOTIATION);
2304 return 0;
2305 }
2306
2307 s->renegotiate = 1;
2308 s->new_session = 0;
2309
2310 return s->method->ssl_renegotiate(s);
2311 }
2312
2313 int SSL_renegotiate_pending(const SSL *s)
2314 {
2315 /*
2316 * becomes true when negotiation is requested; false again once a
2317 * handshake has finished
2318 */
2319 return (s->renegotiate != 0);
2320 }
2321
2322 int SSL_new_session_ticket(SSL *s)
2323 {
2324 if (SSL_in_init(s) || SSL_IS_FIRST_HANDSHAKE(s) || !s->server
2325 || !SSL_IS_TLS13(s))
2326 return 0;
2327 s->ext.extra_tickets_expected++;
2328 return 1;
2329 }
2330
2331 long SSL_ctrl(SSL *s, int cmd, long larg, void *parg)
2332 {
2333 long l;
2334
2335 switch (cmd) {
2336 case SSL_CTRL_GET_READ_AHEAD:
2337 return RECORD_LAYER_get_read_ahead(&s->rlayer);
2338 case SSL_CTRL_SET_READ_AHEAD:
2339 l = RECORD_LAYER_get_read_ahead(&s->rlayer);
2340 RECORD_LAYER_set_read_ahead(&s->rlayer, larg);
2341 return l;
2342
2343 case SSL_CTRL_SET_MSG_CALLBACK_ARG:
2344 s->msg_callback_arg = parg;
2345 return 1;
2346
2347 case SSL_CTRL_MODE:
2348 return (s->mode |= larg);
2349 case SSL_CTRL_CLEAR_MODE:
2350 return (s->mode &= ~larg);
2351 case SSL_CTRL_GET_MAX_CERT_LIST:
2352 return (long)s->max_cert_list;
2353 case SSL_CTRL_SET_MAX_CERT_LIST:
2354 if (larg < 0)
2355 return 0;
2356 l = (long)s->max_cert_list;
2357 s->max_cert_list = (size_t)larg;
2358 return l;
2359 case SSL_CTRL_SET_MAX_SEND_FRAGMENT:
2360 if (larg < 512 || larg > SSL3_RT_MAX_PLAIN_LENGTH)
2361 return 0;
2362 #ifndef OPENSSL_NO_KTLS
2363 if (s->wbio != NULL && BIO_get_ktls_send(s->wbio))
2364 return 0;
2365 #endif /* OPENSSL_NO_KTLS */
2366 s->max_send_fragment = larg;
2367 if (s->max_send_fragment < s->split_send_fragment)
2368 s->split_send_fragment = s->max_send_fragment;
2369 return 1;
2370 case SSL_CTRL_SET_SPLIT_SEND_FRAGMENT:
2371 if ((size_t)larg > s->max_send_fragment || larg == 0)
2372 return 0;
2373 s->split_send_fragment = larg;
2374 return 1;
2375 case SSL_CTRL_SET_MAX_PIPELINES:
2376 if (larg < 1 || larg > SSL_MAX_PIPELINES)
2377 return 0;
2378 s->max_pipelines = larg;
2379 if (larg > 1)
2380 RECORD_LAYER_set_read_ahead(&s->rlayer, 1);
2381 return 1;
2382 case SSL_CTRL_GET_RI_SUPPORT:
2383 return s->s3.send_connection_binding;
2384 case SSL_CTRL_CERT_FLAGS:
2385 return (s->cert->cert_flags |= larg);
2386 case SSL_CTRL_CLEAR_CERT_FLAGS:
2387 return (s->cert->cert_flags &= ~larg);
2388
2389 case SSL_CTRL_GET_RAW_CIPHERLIST:
2390 if (parg) {
2391 if (s->s3.tmp.ciphers_raw == NULL)
2392 return 0;
2393 *(unsigned char **)parg = s->s3.tmp.ciphers_raw;
2394 return (int)s->s3.tmp.ciphers_rawlen;
2395 } else {
2396 return TLS_CIPHER_LEN;
2397 }
2398 case SSL_CTRL_GET_EXTMS_SUPPORT:
2399 if (!s->session || SSL_in_init(s) || ossl_statem_get_in_handshake(s))
2400 return -1;
2401 if (s->session->flags & SSL_SESS_FLAG_EXTMS)
2402 return 1;
2403 else
2404 return 0;
2405 case SSL_CTRL_SET_MIN_PROTO_VERSION:
2406 return ssl_check_allowed_versions(larg, s->max_proto_version)
2407 && ssl_set_version_bound(s->ctx->method->version, (int)larg,
2408 &s->min_proto_version);
2409 case SSL_CTRL_GET_MIN_PROTO_VERSION:
2410 return s->min_proto_version;
2411 case SSL_CTRL_SET_MAX_PROTO_VERSION:
2412 return ssl_check_allowed_versions(s->min_proto_version, larg)
2413 && ssl_set_version_bound(s->ctx->method->version, (int)larg,
2414 &s->max_proto_version);
2415 case SSL_CTRL_GET_MAX_PROTO_VERSION:
2416 return s->max_proto_version;
2417 default:
2418 return s->method->ssl_ctrl(s, cmd, larg, parg);
2419 }
2420 }
2421
2422 long SSL_callback_ctrl(SSL *s, int cmd, void (*fp) (void))
2423 {
2424 switch (cmd) {
2425 case SSL_CTRL_SET_MSG_CALLBACK:
2426 s->msg_callback = (void (*)
2427 (int write_p, int version, int content_type,
2428 const void *buf, size_t len, SSL *ssl,
2429 void *arg))(fp);
2430 return 1;
2431
2432 default:
2433 return s->method->ssl_callback_ctrl(s, cmd, fp);
2434 }
2435 }
2436
2437 LHASH_OF(SSL_SESSION) *SSL_CTX_sessions(SSL_CTX *ctx)
2438 {
2439 return ctx->sessions;
2440 }
2441
2442 long SSL_CTX_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
2443 {
2444 long l;
2445 /* For some cases with ctx == NULL perform syntax checks */
2446 if (ctx == NULL) {
2447 switch (cmd) {
2448 case SSL_CTRL_SET_GROUPS_LIST:
2449 return tls1_set_groups_list(ctx, NULL, NULL, parg);
2450 case SSL_CTRL_SET_SIGALGS_LIST:
2451 case SSL_CTRL_SET_CLIENT_SIGALGS_LIST:
2452 return tls1_set_sigalgs_list(NULL, parg, 0);
2453 default:
2454 return 0;
2455 }
2456 }
2457
2458 switch (cmd) {
2459 case SSL_CTRL_GET_READ_AHEAD:
2460 return ctx->read_ahead;
2461 case SSL_CTRL_SET_READ_AHEAD:
2462 l = ctx->read_ahead;
2463 ctx->read_ahead = larg;
2464 return l;
2465
2466 case SSL_CTRL_SET_MSG_CALLBACK_ARG:
2467 ctx->msg_callback_arg = parg;
2468 return 1;
2469
2470 case SSL_CTRL_GET_MAX_CERT_LIST:
2471 return (long)ctx->max_cert_list;
2472 case SSL_CTRL_SET_MAX_CERT_LIST:
2473 if (larg < 0)
2474 return 0;
2475 l = (long)ctx->max_cert_list;
2476 ctx->max_cert_list = (size_t)larg;
2477 return l;
2478
2479 case SSL_CTRL_SET_SESS_CACHE_SIZE:
2480 if (larg < 0)
2481 return 0;
2482 l = (long)ctx->session_cache_size;
2483 ctx->session_cache_size = (size_t)larg;
2484 return l;
2485 case SSL_CTRL_GET_SESS_CACHE_SIZE:
2486 return (long)ctx->session_cache_size;
2487 case SSL_CTRL_SET_SESS_CACHE_MODE:
2488 l = ctx->session_cache_mode;
2489 ctx->session_cache_mode = larg;
2490 return l;
2491 case SSL_CTRL_GET_SESS_CACHE_MODE:
2492 return ctx->session_cache_mode;
2493
2494 case SSL_CTRL_SESS_NUMBER:
2495 return lh_SSL_SESSION_num_items(ctx->sessions);
2496 case SSL_CTRL_SESS_CONNECT:
2497 return tsan_load(&ctx->stats.sess_connect);
2498 case SSL_CTRL_SESS_CONNECT_GOOD:
2499 return tsan_load(&ctx->stats.sess_connect_good);
2500 case SSL_CTRL_SESS_CONNECT_RENEGOTIATE:
2501 return tsan_load(&ctx->stats.sess_connect_renegotiate);
2502 case SSL_CTRL_SESS_ACCEPT:
2503 return tsan_load(&ctx->stats.sess_accept);
2504 case SSL_CTRL_SESS_ACCEPT_GOOD:
2505 return tsan_load(&ctx->stats.sess_accept_good);
2506 case SSL_CTRL_SESS_ACCEPT_RENEGOTIATE:
2507 return tsan_load(&ctx->stats.sess_accept_renegotiate);
2508 case SSL_CTRL_SESS_HIT:
2509 return tsan_load(&ctx->stats.sess_hit);
2510 case SSL_CTRL_SESS_CB_HIT:
2511 return tsan_load(&ctx->stats.sess_cb_hit);
2512 case SSL_CTRL_SESS_MISSES:
2513 return tsan_load(&ctx->stats.sess_miss);
2514 case SSL_CTRL_SESS_TIMEOUTS:
2515 return tsan_load(&ctx->stats.sess_timeout);
2516 case SSL_CTRL_SESS_CACHE_FULL:
2517 return tsan_load(&ctx->stats.sess_cache_full);
2518 case SSL_CTRL_MODE:
2519 return (ctx->mode |= larg);
2520 case SSL_CTRL_CLEAR_MODE:
2521 return (ctx->mode &= ~larg);
2522 case SSL_CTRL_SET_MAX_SEND_FRAGMENT:
2523 if (larg < 512 || larg > SSL3_RT_MAX_PLAIN_LENGTH)
2524 return 0;
2525 ctx->max_send_fragment = larg;
2526 if (ctx->max_send_fragment < ctx->split_send_fragment)
2527 ctx->split_send_fragment = ctx->max_send_fragment;
2528 return 1;
2529 case SSL_CTRL_SET_SPLIT_SEND_FRAGMENT:
2530 if ((size_t)larg > ctx->max_send_fragment || larg == 0)
2531 return 0;
2532 ctx->split_send_fragment = larg;
2533 return 1;
2534 case SSL_CTRL_SET_MAX_PIPELINES:
2535 if (larg < 1 || larg > SSL_MAX_PIPELINES)
2536 return 0;
2537 ctx->max_pipelines = larg;
2538 return 1;
2539 case SSL_CTRL_CERT_FLAGS:
2540 return (ctx->cert->cert_flags |= larg);
2541 case SSL_CTRL_CLEAR_CERT_FLAGS:
2542 return (ctx->cert->cert_flags &= ~larg);
2543 case SSL_CTRL_SET_MIN_PROTO_VERSION:
2544 return ssl_check_allowed_versions(larg, ctx->max_proto_version)
2545 && ssl_set_version_bound(ctx->method->version, (int)larg,
2546 &ctx->min_proto_version);
2547 case SSL_CTRL_GET_MIN_PROTO_VERSION:
2548 return ctx->min_proto_version;
2549 case SSL_CTRL_SET_MAX_PROTO_VERSION:
2550 return ssl_check_allowed_versions(ctx->min_proto_version, larg)
2551 && ssl_set_version_bound(ctx->method->version, (int)larg,
2552 &ctx->max_proto_version);
2553 case SSL_CTRL_GET_MAX_PROTO_VERSION:
2554 return ctx->max_proto_version;
2555 default:
2556 return ctx->method->ssl_ctx_ctrl(ctx, cmd, larg, parg);
2557 }
2558 }
2559
2560 long SSL_CTX_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp) (void))
2561 {
2562 switch (cmd) {
2563 case SSL_CTRL_SET_MSG_CALLBACK:
2564 ctx->msg_callback = (void (*)
2565 (int write_p, int version, int content_type,
2566 const void *buf, size_t len, SSL *ssl,
2567 void *arg))(fp);
2568 return 1;
2569
2570 default:
2571 return ctx->method->ssl_ctx_callback_ctrl(ctx, cmd, fp);
2572 }
2573 }
2574
2575 int ssl_cipher_id_cmp(const SSL_CIPHER *a, const SSL_CIPHER *b)
2576 {
2577 if (a->id > b->id)
2578 return 1;
2579 if (a->id < b->id)
2580 return -1;
2581 return 0;
2582 }
2583
2584 int ssl_cipher_ptr_id_cmp(const SSL_CIPHER *const *ap,
2585 const SSL_CIPHER *const *bp)
2586 {
2587 if ((*ap)->id > (*bp)->id)
2588 return 1;
2589 if ((*ap)->id < (*bp)->id)
2590 return -1;
2591 return 0;
2592 }
2593
2594 /** return a STACK of the ciphers available for the SSL and in order of
2595 * preference */
2596 STACK_OF(SSL_CIPHER) *SSL_get_ciphers(const SSL *s)
2597 {
2598 if (s != NULL) {
2599 if (s->cipher_list != NULL) {
2600 return s->cipher_list;
2601 } else if ((s->ctx != NULL) && (s->ctx->cipher_list != NULL)) {
2602 return s->ctx->cipher_list;
2603 }
2604 }
2605 return NULL;
2606 }
2607
2608 STACK_OF(SSL_CIPHER) *SSL_get_client_ciphers(const SSL *s)
2609 {
2610 if ((s == NULL) || !s->server)
2611 return NULL;
2612 return s->peer_ciphers;
2613 }
2614
2615 STACK_OF(SSL_CIPHER) *SSL_get1_supported_ciphers(SSL *s)
2616 {
2617 STACK_OF(SSL_CIPHER) *sk = NULL, *ciphers;
2618 int i;
2619
2620 ciphers = SSL_get_ciphers(s);
2621 if (!ciphers)
2622 return NULL;
2623 if (!ssl_set_client_disabled(s))
2624 return NULL;
2625 for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) {
2626 const SSL_CIPHER *c = sk_SSL_CIPHER_value(ciphers, i);
2627 if (!ssl_cipher_disabled(s, c, SSL_SECOP_CIPHER_SUPPORTED, 0)) {
2628 if (!sk)
2629 sk = sk_SSL_CIPHER_new_null();
2630 if (!sk)
2631 return NULL;
2632 if (!sk_SSL_CIPHER_push(sk, c)) {
2633 sk_SSL_CIPHER_free(sk);
2634 return NULL;
2635 }
2636 }
2637 }
2638 return sk;
2639 }
2640
2641 /** return a STACK of the ciphers available for the SSL and in order of
2642 * algorithm id */
2643 STACK_OF(SSL_CIPHER) *ssl_get_ciphers_by_id(SSL *s)
2644 {
2645 if (s != NULL) {
2646 if (s->cipher_list_by_id != NULL) {
2647 return s->cipher_list_by_id;
2648 } else if ((s->ctx != NULL) && (s->ctx->cipher_list_by_id != NULL)) {
2649 return s->ctx->cipher_list_by_id;
2650 }
2651 }
2652 return NULL;
2653 }
2654
2655 /** The old interface to get the same thing as SSL_get_ciphers() */
2656 const char *SSL_get_cipher_list(const SSL *s, int n)
2657 {
2658 const SSL_CIPHER *c;
2659 STACK_OF(SSL_CIPHER) *sk;
2660
2661 if (s == NULL)
2662 return NULL;
2663 sk = SSL_get_ciphers(s);
2664 if ((sk == NULL) || (sk_SSL_CIPHER_num(sk) <= n))
2665 return NULL;
2666 c = sk_SSL_CIPHER_value(sk, n);
2667 if (c == NULL)
2668 return NULL;
2669 return c->name;
2670 }
2671
2672 /** return a STACK of the ciphers available for the SSL_CTX and in order of
2673 * preference */
2674 STACK_OF(SSL_CIPHER) *SSL_CTX_get_ciphers(const SSL_CTX *ctx)
2675 {
2676 if (ctx != NULL)
2677 return ctx->cipher_list;
2678 return NULL;
2679 }
2680
2681 /*
2682 * Distinguish between ciphers controlled by set_ciphersuite() and
2683 * set_cipher_list() when counting.
2684 */
2685 static int cipher_list_tls12_num(STACK_OF(SSL_CIPHER) *sk)
2686 {
2687 int i, num = 0;
2688 const SSL_CIPHER *c;
2689
2690 if (sk == NULL)
2691 return 0;
2692 for (i = 0; i < sk_SSL_CIPHER_num(sk); ++i) {
2693 c = sk_SSL_CIPHER_value(sk, i);
2694 if (c->min_tls >= TLS1_3_VERSION)
2695 continue;
2696 num++;
2697 }
2698 return num;
2699 }
2700
2701 /** specify the ciphers to be used by default by the SSL_CTX */
2702 int SSL_CTX_set_cipher_list(SSL_CTX *ctx, const char *str)
2703 {
2704 STACK_OF(SSL_CIPHER) *sk;
2705
2706 sk = ssl_create_cipher_list(ctx->method, ctx->tls13_ciphersuites,
2707 &ctx->cipher_list, &ctx->cipher_list_by_id, str,
2708 ctx->cert);
2709 /*
2710 * ssl_create_cipher_list may return an empty stack if it was unable to
2711 * find a cipher matching the given rule string (for example if the rule
2712 * string specifies a cipher which has been disabled). This is not an
2713 * error as far as ssl_create_cipher_list is concerned, and hence
2714 * ctx->cipher_list and ctx->cipher_list_by_id has been updated.
2715 */
2716 if (sk == NULL)
2717 return 0;
2718 else if (cipher_list_tls12_num(sk) == 0) {
2719 SSLerr(SSL_F_SSL_CTX_SET_CIPHER_LIST, SSL_R_NO_CIPHER_MATCH);
2720 return 0;
2721 }
2722 return 1;
2723 }
2724
2725 /** specify the ciphers to be used by the SSL */
2726 int SSL_set_cipher_list(SSL *s, const char *str)
2727 {
2728 STACK_OF(SSL_CIPHER) *sk;
2729
2730 sk = ssl_create_cipher_list(s->ctx->method, s->tls13_ciphersuites,
2731 &s->cipher_list, &s->cipher_list_by_id, str,
2732 s->cert);
2733 /* see comment in SSL_CTX_set_cipher_list */
2734 if (sk == NULL)
2735 return 0;
2736 else if (cipher_list_tls12_num(sk) == 0) {
2737 SSLerr(SSL_F_SSL_SET_CIPHER_LIST, SSL_R_NO_CIPHER_MATCH);
2738 return 0;
2739 }
2740 return 1;
2741 }
2742
2743 char *SSL_get_shared_ciphers(const SSL *s, char *buf, int size)
2744 {
2745 char *p;
2746 STACK_OF(SSL_CIPHER) *clntsk, *srvrsk;
2747 const SSL_CIPHER *c;
2748 int i;
2749
2750 if (!s->server
2751 || s->peer_ciphers == NULL
2752 || size < 2)
2753 return NULL;
2754
2755 p = buf;
2756 clntsk = s->peer_ciphers;
2757 srvrsk = SSL_get_ciphers(s);
2758 if (clntsk == NULL || srvrsk == NULL)
2759 return NULL;
2760
2761 if (sk_SSL_CIPHER_num(clntsk) == 0 || sk_SSL_CIPHER_num(srvrsk) == 0)
2762 return NULL;
2763
2764 for (i = 0; i < sk_SSL_CIPHER_num(clntsk); i++) {
2765 int n;
2766
2767 c = sk_SSL_CIPHER_value(clntsk, i);
2768 if (sk_SSL_CIPHER_find(srvrsk, c) < 0)
2769 continue;
2770
2771 n = strlen(c->name);
2772 if (n + 1 > size) {
2773 if (p != buf)
2774 --p;
2775 *p = '\0';
2776 return buf;
2777 }
2778 strcpy(p, c->name);
2779 p += n;
2780 *(p++) = ':';
2781 size -= n + 1;
2782 }
2783 p[-1] = '\0';
2784 return buf;
2785 }
2786
2787 /**
2788 * Return the requested servername (SNI) value. Note that the behaviour varies
2789 * depending on:
2790 * - whether this is called by the client or the server,
2791 * - if we are before or during/after the handshake,
2792 * - if a resumption or normal handshake is being attempted/has occurred
2793 * - whether we have negotiated TLSv1.2 (or below) or TLSv1.3
2794 *
2795 * Note that only the host_name type is defined (RFC 3546).
2796 */
2797 const char *SSL_get_servername(const SSL *s, const int type)
2798 {
2799 /*
2800 * If we don't know if we are the client or the server yet then we assume
2801 * client.
2802 */
2803 int server = s->handshake_func == NULL ? 0 : s->server;
2804 if (type != TLSEXT_NAMETYPE_host_name)
2805 return NULL;
2806
2807 if (server) {
2808 /**
2809 * Server side
2810 * In TLSv1.3 on the server SNI is not associated with the session
2811 * but in TLSv1.2 or below it is.
2812 *
2813 * Before the handshake:
2814 * - return NULL
2815 *
2816 * During/after the handshake (TLSv1.2 or below resumption occurred):
2817 * - If a servername was accepted by the server in the original
2818 * handshake then it will return that servername, or NULL otherwise.
2819 *
2820 * During/after the handshake (TLSv1.2 or below resumption did not occur):
2821 * - The function will return the servername requested by the client in
2822 * this handshake or NULL if none was requested.
2823 */
2824 if (s->hit && !SSL_IS_TLS13(s))
2825 return s->session->ext.hostname;
2826 } else {
2827 /**
2828 * Client side
2829 *
2830 * Before the handshake:
2831 * - If a servername has been set via a call to
2832 * SSL_set_tlsext_host_name() then it will return that servername
2833 * - If one has not been set, but a TLSv1.2 resumption is being
2834 * attempted and the session from the original handshake had a
2835 * servername accepted by the server then it will return that
2836 * servername
2837 * - Otherwise it returns NULL
2838 *
2839 * During/after the handshake (TLSv1.2 or below resumption occurred):
2840 * - If the session from the orignal handshake had a servername accepted
2841 * by the server then it will return that servername.
2842 * - Otherwise it returns the servername set via
2843 * SSL_set_tlsext_host_name() (or NULL if it was not called).
2844 *
2845 * During/after the handshake (TLSv1.2 or below resumption did not occur):
2846 * - It will return the servername set via SSL_set_tlsext_host_name()
2847 * (or NULL if it was not called).
2848 */
2849 if (SSL_in_before(s)) {
2850 if (s->ext.hostname == NULL
2851 && s->session != NULL
2852 && s->session->ssl_version != TLS1_3_VERSION)
2853 return s->session->ext.hostname;
2854 } else {
2855 if (!SSL_IS_TLS13(s) && s->hit && s->session->ext.hostname != NULL)
2856 return s->session->ext.hostname;
2857 }
2858 }
2859
2860 return s->ext.hostname;
2861 }
2862
2863 int SSL_get_servername_type(const SSL *s)
2864 {
2865 if (SSL_get_servername(s, TLSEXT_NAMETYPE_host_name) != NULL)
2866 return TLSEXT_NAMETYPE_host_name;
2867 return -1;
2868 }
2869
2870 /*
2871 * SSL_select_next_proto implements the standard protocol selection. It is
2872 * expected that this function is called from the callback set by
2873 * SSL_CTX_set_next_proto_select_cb. The protocol data is assumed to be a
2874 * vector of 8-bit, length prefixed byte strings. The length byte itself is
2875 * not included in the length. A byte string of length 0 is invalid. No byte
2876 * string may be truncated. The current, but experimental algorithm for
2877 * selecting the protocol is: 1) If the server doesn't support NPN then this
2878 * is indicated to the callback. In this case, the client application has to
2879 * abort the connection or have a default application level protocol. 2) If
2880 * the server supports NPN, but advertises an empty list then the client
2881 * selects the first protocol in its list, but indicates via the API that this
2882 * fallback case was enacted. 3) Otherwise, the client finds the first
2883 * protocol in the server's list that it supports and selects this protocol.
2884 * This is because it's assumed that the server has better information about
2885 * which protocol a client should use. 4) If the client doesn't support any
2886 * of the server's advertised protocols, then this is treated the same as
2887 * case 2. It returns either OPENSSL_NPN_NEGOTIATED if a common protocol was
2888 * found, or OPENSSL_NPN_NO_OVERLAP if the fallback case was reached.
2889 */
2890 int SSL_select_next_proto(unsigned char **out, unsigned char *outlen,
2891 const unsigned char *server,
2892 unsigned int server_len,
2893 const unsigned char *client, unsigned int client_len)
2894 {
2895 unsigned int i, j;
2896 const unsigned char *result;
2897 int status = OPENSSL_NPN_UNSUPPORTED;
2898
2899 /*
2900 * For each protocol in server preference order, see if we support it.
2901 */
2902 for (i = 0; i < server_len;) {
2903 for (j = 0; j < client_len;) {
2904 if (server[i] == client[j] &&
2905 memcmp(&server[i + 1], &client[j + 1], server[i]) == 0) {
2906 /* We found a match */
2907 result = &server[i];
2908 status = OPENSSL_NPN_NEGOTIATED;
2909 goto found;
2910 }
2911 j += client[j];
2912 j++;
2913 }
2914 i += server[i];
2915 i++;
2916 }
2917
2918 /* There's no overlap between our protocols and the server's list. */
2919 result = client;
2920 status = OPENSSL_NPN_NO_OVERLAP;
2921
2922 found:
2923 *out = (unsigned char *)result + 1;
2924 *outlen = result[0];
2925 return status;
2926 }
2927
2928 #ifndef OPENSSL_NO_NEXTPROTONEG
2929 /*
2930 * SSL_get0_next_proto_negotiated sets *data and *len to point to the
2931 * client's requested protocol for this connection and returns 0. If the
2932 * client didn't request any protocol, then *data is set to NULL. Note that
2933 * the client can request any protocol it chooses. The value returned from
2934 * this function need not be a member of the list of supported protocols
2935 * provided by the callback.
2936 */
2937 void SSL_get0_next_proto_negotiated(const SSL *s, const unsigned char **data,
2938 unsigned *len)
2939 {
2940 *data = s->ext.npn;
2941 if (*data == NULL) {
2942 *len = 0;
2943 } else {
2944 *len = (unsigned int)s->ext.npn_len;
2945 }
2946 }
2947
2948 /*
2949 * SSL_CTX_set_npn_advertised_cb sets a callback that is called when
2950 * a TLS server needs a list of supported protocols for Next Protocol
2951 * Negotiation. The returned list must be in wire format. The list is
2952 * returned by setting |out| to point to it and |outlen| to its length. This
2953 * memory will not be modified, but one should assume that the SSL* keeps a
2954 * reference to it. The callback should return SSL_TLSEXT_ERR_OK if it
2955 * wishes to advertise. Otherwise, no such extension will be included in the
2956 * ServerHello.
2957 */
2958 void SSL_CTX_set_npn_advertised_cb(SSL_CTX *ctx,
2959 SSL_CTX_npn_advertised_cb_func cb,
2960 void *arg)
2961 {
2962 ctx->ext.npn_advertised_cb = cb;
2963 ctx->ext.npn_advertised_cb_arg = arg;
2964 }
2965
2966 /*
2967 * SSL_CTX_set_next_proto_select_cb sets a callback that is called when a
2968 * client needs to select a protocol from the server's provided list. |out|
2969 * must be set to point to the selected protocol (which may be within |in|).
2970 * The length of the protocol name must be written into |outlen|. The
2971 * server's advertised protocols are provided in |in| and |inlen|. The
2972 * callback can assume that |in| is syntactically valid. The client must
2973 * select a protocol. It is fatal to the connection if this callback returns
2974 * a value other than SSL_TLSEXT_ERR_OK.
2975 */
2976 void SSL_CTX_set_npn_select_cb(SSL_CTX *ctx,
2977 SSL_CTX_npn_select_cb_func cb,
2978 void *arg)
2979 {
2980 ctx->ext.npn_select_cb = cb;
2981 ctx->ext.npn_select_cb_arg = arg;
2982 }
2983 #endif
2984
2985 /*
2986 * SSL_CTX_set_alpn_protos sets the ALPN protocol list on |ctx| to |protos|.
2987 * |protos| must be in wire-format (i.e. a series of non-empty, 8-bit
2988 * length-prefixed strings). Returns 0 on success.
2989 */
2990 int SSL_CTX_set_alpn_protos(SSL_CTX *ctx, const unsigned char *protos,
2991 unsigned int protos_len)
2992 {
2993 OPENSSL_free(ctx->ext.alpn);
2994 ctx->ext.alpn = OPENSSL_memdup(protos, protos_len);
2995 if (ctx->ext.alpn == NULL) {
2996 SSLerr(SSL_F_SSL_CTX_SET_ALPN_PROTOS, ERR_R_MALLOC_FAILURE);
2997 return 1;
2998 }
2999 ctx->ext.alpn_len = protos_len;
3000
3001 return 0;
3002 }
3003
3004 /*
3005 * SSL_set_alpn_protos sets the ALPN protocol list on |ssl| to |protos|.
3006 * |protos| must be in wire-format (i.e. a series of non-empty, 8-bit
3007 * length-prefixed strings). Returns 0 on success.
3008 */
3009 int SSL_set_alpn_protos(SSL *ssl, const unsigned char *protos,
3010 unsigned int protos_len)
3011 {
3012 OPENSSL_free(ssl->ext.alpn);
3013 ssl->ext.alpn = OPENSSL_memdup(protos, protos_len);
3014 if (ssl->ext.alpn == NULL) {
3015 SSLerr(SSL_F_SSL_SET_ALPN_PROTOS, ERR_R_MALLOC_FAILURE);
3016 return 1;
3017 }
3018 ssl->ext.alpn_len = protos_len;
3019
3020 return 0;
3021 }
3022
3023 /*
3024 * SSL_CTX_set_alpn_select_cb sets a callback function on |ctx| that is
3025 * called during ClientHello processing in order to select an ALPN protocol
3026 * from the client's list of offered protocols.
3027 */
3028 void SSL_CTX_set_alpn_select_cb(SSL_CTX *ctx,
3029 SSL_CTX_alpn_select_cb_func cb,
3030 void *arg)
3031 {
3032 ctx->ext.alpn_select_cb = cb;
3033 ctx->ext.alpn_select_cb_arg = arg;
3034 }
3035
3036 /*
3037 * SSL_get0_alpn_selected gets the selected ALPN protocol (if any) from |ssl|.
3038 * On return it sets |*data| to point to |*len| bytes of protocol name
3039 * (not including the leading length-prefix byte). If the server didn't
3040 * respond with a negotiated protocol then |*len| will be zero.
3041 */
3042 void SSL_get0_alpn_selected(const SSL *ssl, const unsigned char **data,
3043 unsigned int *len)
3044 {
3045 *data = ssl->s3.alpn_selected;
3046 if (*data == NULL)
3047 *len = 0;
3048 else
3049 *len = (unsigned int)ssl->s3.alpn_selected_len;
3050 }
3051
3052 int SSL_export_keying_material(SSL *s, unsigned char *out, size_t olen,
3053 const char *label, size_t llen,
3054 const unsigned char *context, size_t contextlen,
3055 int use_context)
3056 {
3057 if (s->version < TLS1_VERSION && s->version != DTLS1_BAD_VER)
3058 return -1;
3059
3060 return s->method->ssl3_enc->export_keying_material(s, out, olen, label,
3061 llen, context,
3062 contextlen, use_context);
3063 }
3064
3065 int SSL_export_keying_material_early(SSL *s, unsigned char *out, size_t olen,
3066 const char *label, size_t llen,
3067 const unsigned char *context,
3068 size_t contextlen)
3069 {
3070 if (s->version != TLS1_3_VERSION)
3071 return 0;
3072
3073 return tls13_export_keying_material_early(s, out, olen, label, llen,
3074 context, contextlen);
3075 }
3076
3077 static unsigned long ssl_session_hash(const SSL_SESSION *a)
3078 {
3079 const unsigned char *session_id = a->session_id;
3080 unsigned long l;
3081 unsigned char tmp_storage[4];
3082
3083 if (a->session_id_length < sizeof(tmp_storage)) {
3084 memset(tmp_storage, 0, sizeof(tmp_storage));
3085 memcpy(tmp_storage, a->session_id, a->session_id_length);
3086 session_id = tmp_storage;
3087 }
3088
3089 l = (unsigned long)
3090 ((unsigned long)session_id[0]) |
3091 ((unsigned long)session_id[1] << 8L) |
3092 ((unsigned long)session_id[2] << 16L) |
3093 ((unsigned long)session_id[3] << 24L);
3094 return l;
3095 }
3096
3097 /*
3098 * NB: If this function (or indeed the hash function which uses a sort of
3099 * coarser function than this one) is changed, ensure
3100 * SSL_CTX_has_matching_session_id() is checked accordingly. It relies on
3101 * being able to construct an SSL_SESSION that will collide with any existing
3102 * session with a matching session ID.
3103 */
3104 static int ssl_session_cmp(const SSL_SESSION *a, const SSL_SESSION *b)
3105 {
3106 if (a->ssl_version != b->ssl_version)
3107 return 1;
3108 if (a->session_id_length != b->session_id_length)
3109 return 1;
3110 return memcmp(a->session_id, b->session_id, a->session_id_length);
3111 }
3112
3113 /*
3114 * These wrapper functions should remain rather than redeclaring
3115 * SSL_SESSION_hash and SSL_SESSION_cmp for void* types and casting each
3116 * variable. The reason is that the functions aren't static, they're exposed
3117 * via ssl.h.
3118 */
3119
3120 SSL_CTX *SSL_CTX_new_with_libctx(OPENSSL_CTX *libctx, const char *propq,
3121 const SSL_METHOD *meth)
3122 {
3123 SSL_CTX *ret = NULL;
3124
3125 if (meth == NULL) {
3126 SSLerr(0, SSL_R_NULL_SSL_METHOD_PASSED);
3127 return NULL;
3128 }
3129
3130 if (!OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS, NULL))
3131 return NULL;
3132
3133 if (SSL_get_ex_data_X509_STORE_CTX_idx() < 0) {
3134 SSLerr(0, SSL_R_X509_VERIFICATION_SETUP_PROBLEMS);
3135 goto err;
3136 }
3137 ret = OPENSSL_zalloc(sizeof(*ret));
3138 if (ret == NULL)
3139 goto err;
3140
3141 ret->libctx = libctx;
3142 if (propq != NULL) {
3143 ret->propq = OPENSSL_strdup(propq);
3144 if (ret->propq == NULL)
3145 goto err;
3146 }
3147
3148 ret->method = meth;
3149 ret->min_proto_version = 0;
3150 ret->max_proto_version = 0;
3151 ret->mode = SSL_MODE_AUTO_RETRY;
3152 ret->session_cache_mode = SSL_SESS_CACHE_SERVER;
3153 ret->session_cache_size = SSL_SESSION_CACHE_MAX_SIZE_DEFAULT;
3154 /* We take the system default. */
3155 ret->session_timeout = meth->get_timeout();
3156 ret->references = 1;
3157 ret->lock = CRYPTO_THREAD_lock_new();
3158 if (ret->lock == NULL) {
3159 SSLerr(0, ERR_R_MALLOC_FAILURE);
3160 OPENSSL_free(ret);
3161 return NULL;
3162 }
3163 ret->max_cert_list = SSL_MAX_CERT_LIST_DEFAULT;
3164 ret->verify_mode = SSL_VERIFY_NONE;
3165 if ((ret->cert = ssl_cert_new()) == NULL)
3166 goto err;
3167
3168 ret->sessions = lh_SSL_SESSION_new(ssl_session_hash, ssl_session_cmp);
3169 if (ret->sessions == NULL)
3170 goto err;
3171 ret->cert_store = X509_STORE_new();
3172 if (ret->cert_store == NULL)
3173 goto err;
3174 #ifndef OPENSSL_NO_CT
3175 ret->ctlog_store = CTLOG_STORE_new_with_libctx(libctx, propq);
3176 if (ret->ctlog_store == NULL)
3177 goto err;
3178 #endif
3179
3180 /* initialize cipher/digest methods table */
3181 if (!ssl_load_ciphers(ret))
3182 goto err2;
3183 /* initialise sig algs */
3184 if (!ssl_setup_sig_algs(ret))
3185 goto err2;
3186
3187
3188 if (!ssl_load_groups(ret))
3189 goto err2;
3190
3191 if (!SSL_CTX_set_ciphersuites(ret, OSSL_default_ciphersuites()))
3192 goto err;
3193
3194 if (!ssl_create_cipher_list(ret->method,
3195 ret->tls13_ciphersuites,
3196 &ret->cipher_list, &ret->cipher_list_by_id,
3197 OSSL_default_cipher_list(), ret->cert)
3198 || sk_SSL_CIPHER_num(ret->cipher_list) <= 0) {
3199 SSLerr(0, SSL_R_LIBRARY_HAS_NO_CIPHERS);
3200 goto err2;
3201 }
3202
3203 ret->param = X509_VERIFY_PARAM_new();
3204 if (ret->param == NULL)
3205 goto err;
3206
3207 /*
3208 * If these aren't available from the provider we'll get NULL returns.
3209 * That's fine but will cause errors later if SSLv3 is negotiated
3210 */
3211 ret->md5 = ssl_evp_md_fetch(libctx, NID_md5, propq);
3212 ret->sha1 = ssl_evp_md_fetch(libctx, NID_sha1, propq);
3213
3214 if ((ret->ca_names = sk_X509_NAME_new_null()) == NULL)
3215 goto err;
3216
3217 if ((ret->client_ca_names = sk_X509_NAME_new_null()) == NULL)
3218 goto err;
3219
3220 if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL_CTX, ret, &ret->ex_data))
3221 goto err;
3222
3223 if ((ret->ext.secure = OPENSSL_secure_zalloc(sizeof(*ret->ext.secure))) == NULL)
3224 goto err;
3225
3226 /* No compression for DTLS */
3227 if (!(meth->ssl3_enc->enc_flags & SSL_ENC_FLAG_DTLS))
3228 ret->comp_methods = SSL_COMP_get_compression_methods();
3229
3230 ret->max_send_fragment = SSL3_RT_MAX_PLAIN_LENGTH;
3231 ret->split_send_fragment = SSL3_RT_MAX_PLAIN_LENGTH;
3232
3233 /* Setup RFC5077 ticket keys */
3234 if ((RAND_bytes_ex(libctx, ret->ext.tick_key_name,
3235 sizeof(ret->ext.tick_key_name)) <= 0)
3236 || (RAND_priv_bytes_ex(libctx, ret->ext.secure->tick_hmac_key,
3237 sizeof(ret->ext.secure->tick_hmac_key)) <= 0)
3238 || (RAND_priv_bytes_ex(libctx, ret->ext.secure->tick_aes_key,
3239 sizeof(ret->ext.secure->tick_aes_key)) <= 0))
3240 ret->options |= SSL_OP_NO_TICKET;
3241
3242 if (RAND_priv_bytes_ex(libctx, ret->ext.cookie_hmac_key,
3243 sizeof(ret->ext.cookie_hmac_key)) <= 0)
3244 goto err;
3245
3246 #ifndef OPENSSL_NO_SRP
3247 if (!SSL_CTX_SRP_CTX_init(ret))
3248 goto err;
3249 #endif
3250 #ifndef OPENSSL_NO_ENGINE
3251 # ifdef OPENSSL_SSL_CLIENT_ENGINE_AUTO
3252 # define eng_strx(x) #x
3253 # define eng_str(x) eng_strx(x)
3254 /* Use specific client engine automatically... ignore errors */
3255 {
3256 ENGINE *eng;
3257 eng = ENGINE_by_id(eng_str(OPENSSL_SSL_CLIENT_ENGINE_AUTO));
3258 if (!eng) {
3259 ERR_clear_error();
3260 ENGINE_load_builtin_engines();
3261 eng = ENGINE_by_id(eng_str(OPENSSL_SSL_CLIENT_ENGINE_AUTO));
3262 }
3263 if (!eng || !SSL_CTX_set_client_cert_engine(ret, eng))
3264 ERR_clear_error();
3265 }
3266 # endif
3267 #endif
3268 /*
3269 * Default is to connect to non-RI servers. When RI is more widely
3270 * deployed might change this.
3271 */
3272 ret->options |= SSL_OP_LEGACY_SERVER_CONNECT;
3273 /*
3274 * Disable compression by default to prevent CRIME. Applications can
3275 * re-enable compression by configuring
3276 * SSL_CTX_clear_options(ctx, SSL_OP_NO_COMPRESSION);
3277 * or by using the SSL_CONF library. Similarly we also enable TLSv1.3
3278 * middlebox compatibility by default. This may be disabled by default in
3279 * a later OpenSSL version.
3280 */
3281 ret->options |= SSL_OP_NO_COMPRESSION | SSL_OP_ENABLE_MIDDLEBOX_COMPAT;
3282
3283 ret->ext.status_type = TLSEXT_STATUSTYPE_nothing;
3284
3285 /*
3286 * We cannot usefully set a default max_early_data here (which gets
3287 * propagated in SSL_new(), for the following reason: setting the
3288 * SSL field causes tls_construct_stoc_early_data() to tell the
3289 * client that early data will be accepted when constructing a TLS 1.3
3290 * session ticket, and the client will accordingly send us early data
3291 * when using that ticket (if the client has early data to send).
3292 * However, in order for the early data to actually be consumed by
3293 * the application, the application must also have calls to
3294 * SSL_read_early_data(); otherwise we'll just skip past the early data
3295 * and ignore it. So, since the application must add calls to
3296 * SSL_read_early_data(), we also require them to add
3297 * calls to SSL_CTX_set_max_early_data() in order to use early data,
3298 * eliminating the bandwidth-wasting early data in the case described
3299 * above.
3300 */
3301 ret->max_early_data = 0;
3302
3303 /*
3304 * Default recv_max_early_data is a fully loaded single record. Could be
3305 * split across multiple records in practice. We set this differently to
3306 * max_early_data so that, in the default case, we do not advertise any
3307 * support for early_data, but if a client were to send us some (e.g.
3308 * because of an old, stale ticket) then we will tolerate it and skip over
3309 * it.
3310 */
3311 ret->recv_max_early_data = SSL3_RT_MAX_PLAIN_LENGTH;
3312
3313 /* By default we send two session tickets automatically in TLSv1.3 */
3314 ret->num_tickets = 2;
3315
3316 ssl_ctx_system_config(ret);
3317
3318 return ret;
3319 err:
3320 SSLerr(0, ERR_R_MALLOC_FAILURE);
3321 err2:
3322 SSL_CTX_free(ret);
3323 return NULL;
3324 }
3325
3326 SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth)
3327 {
3328 return SSL_CTX_new_with_libctx(NULL, NULL, meth);
3329 }
3330
3331 int SSL_CTX_up_ref(SSL_CTX *ctx)
3332 {
3333 int i;
3334
3335 if (CRYPTO_UP_REF(&ctx->references, &i, ctx->lock) <= 0)
3336 return 0;
3337
3338 REF_PRINT_COUNT("SSL_CTX", ctx);
3339 REF_ASSERT_ISNT(i < 2);
3340 return ((i > 1) ? 1 : 0);
3341 }
3342
3343 void SSL_CTX_free(SSL_CTX *a)
3344 {
3345 int i;
3346 size_t j;
3347
3348 if (a == NULL)
3349 return;
3350
3351 CRYPTO_DOWN_REF(&a->references, &i, a->lock);
3352 REF_PRINT_COUNT("SSL_CTX", a);
3353 if (i > 0)
3354 return;
3355 REF_ASSERT_ISNT(i < 0);
3356
3357 X509_VERIFY_PARAM_free(a->param);
3358 dane_ctx_final(&a->dane);
3359
3360 /*
3361 * Free internal session cache. However: the remove_cb() may reference
3362 * the ex_data of SSL_CTX, thus the ex_data store can only be removed
3363 * after the sessions were flushed.
3364 * As the ex_data handling routines might also touch the session cache,
3365 * the most secure solution seems to be: empty (flush) the cache, then
3366 * free ex_data, then finally free the cache.
3367 * (See ticket [openssl.org #212].)
3368 */
3369 if (a->sessions != NULL)
3370 SSL_CTX_flush_sessions(a, 0);
3371
3372 CRYPTO_free_ex_data(CRYPTO_EX_INDEX_SSL_CTX, a, &a->ex_data);
3373 lh_SSL_SESSION_free(a->sessions);
3374 X509_STORE_free(a->cert_store);
3375 #ifndef OPENSSL_NO_CT
3376 CTLOG_STORE_free(a->ctlog_store);
3377 #endif
3378 sk_SSL_CIPHER_free(a->cipher_list);
3379 sk_SSL_CIPHER_free(a->cipher_list_by_id);
3380 sk_SSL_CIPHER_free(a->tls13_ciphersuites);
3381 ssl_cert_free(a->cert);
3382 sk_X509_NAME_pop_free(a->ca_names, X509_NAME_free);
3383 sk_X509_NAME_pop_free(a->client_ca_names, X509_NAME_free);
3384 sk_X509_pop_free(a->extra_certs, X509_free);
3385 a->comp_methods = NULL;
3386 #ifndef OPENSSL_NO_SRTP
3387 sk_SRTP_PROTECTION_PROFILE_free(a->srtp_profiles);
3388 #endif
3389 #ifndef OPENSSL_NO_SRP
3390 SSL_CTX_SRP_CTX_free(a);
3391 #endif
3392 #ifndef OPENSSL_NO_ENGINE
3393 ENGINE_finish(a->client_cert_engine);
3394 #endif
3395
3396 #ifndef OPENSSL_NO_EC
3397 OPENSSL_free(a->ext.ecpointformats);
3398 #endif
3399 OPENSSL_free(a->ext.supportedgroups);
3400 OPENSSL_free(a->ext.alpn);
3401 OPENSSL_secure_free(a->ext.secure);
3402
3403 ssl_evp_md_free(a->md5);
3404 ssl_evp_md_free(a->sha1);
3405
3406 for (j = 0; j < SSL_ENC_NUM_IDX; j++)
3407 ssl_evp_cipher_free(a->ssl_cipher_methods[j]);
3408 for (j = 0; j < SSL_MD_NUM_IDX; j++)
3409 ssl_evp_md_free(a->ssl_digest_methods[j]);
3410 for (j = 0; j < a->group_list_len; j++) {
3411 OPENSSL_free(a->group_list[j].tlsname);
3412 OPENSSL_free(a->group_list[j].realname);
3413 OPENSSL_free(a->group_list[j].algorithm);
3414 }
3415 OPENSSL_free(a->group_list);
3416
3417 OPENSSL_free(a->sigalg_lookup_cache);
3418
3419 CRYPTO_THREAD_lock_free(a->lock);
3420
3421 OPENSSL_free(a->propq);
3422
3423 OPENSSL_free(a);
3424 }
3425
3426 void SSL_CTX_set_default_passwd_cb(SSL_CTX *ctx, pem_password_cb *cb)
3427 {
3428 ctx->default_passwd_callback = cb;
3429 }
3430
3431 void SSL_CTX_set_default_passwd_cb_userdata(SSL_CTX *ctx, void *u)
3432 {
3433 ctx->default_passwd_callback_userdata = u;
3434 }
3435
3436 pem_password_cb *SSL_CTX_get_default_passwd_cb(SSL_CTX *ctx)
3437 {
3438 return ctx->default_passwd_callback;
3439 }
3440
3441 void *SSL_CTX_get_default_passwd_cb_userdata(SSL_CTX *ctx)
3442 {
3443 return ctx->default_passwd_callback_userdata;
3444 }
3445
3446 void SSL_set_default_passwd_cb(SSL *s, pem_password_cb *cb)
3447 {
3448 s->default_passwd_callback = cb;
3449 }
3450
3451 void SSL_set_default_passwd_cb_userdata(SSL *s, void *u)
3452 {
3453 s->default_passwd_callback_userdata = u;
3454 }
3455
3456 pem_password_cb *SSL_get_default_passwd_cb(SSL *s)
3457 {
3458 return s->default_passwd_callback;
3459 }
3460
3461 void *SSL_get_default_passwd_cb_userdata(SSL *s)
3462 {
3463 return s->default_passwd_callback_userdata;
3464 }
3465
3466 void SSL_CTX_set_cert_verify_callback(SSL_CTX *ctx,
3467 int (*cb) (X509_STORE_CTX *, void *),
3468 void *arg)
3469 {
3470 ctx->app_verify_callback = cb;
3471 ctx->app_verify_arg = arg;
3472 }
3473
3474 void SSL_CTX_set_verify(SSL_CTX *ctx, int mode,
3475 int (*cb) (int, X509_STORE_CTX *))
3476 {
3477 ctx->verify_mode = mode;
3478 ctx->default_verify_callback = cb;
3479 }
3480
3481 void SSL_CTX_set_verify_depth(SSL_CTX *ctx, int depth)
3482 {
3483 X509_VERIFY_PARAM_set_depth(ctx->param, depth);
3484 }
3485
3486 void SSL_CTX_set_cert_cb(SSL_CTX *c, int (*cb) (SSL *ssl, void *arg), void *arg)
3487 {
3488 ssl_cert_set_cert_cb(c->cert, cb, arg);
3489 }
3490
3491 void SSL_set_cert_cb(SSL *s, int (*cb) (SSL *ssl, void *arg), void *arg)
3492 {
3493 ssl_cert_set_cert_cb(s->cert, cb, arg);
3494 }
3495
3496 void ssl_set_masks(SSL *s)
3497 {
3498 CERT *c = s->cert;
3499 uint32_t *pvalid = s->s3.tmp.valid_flags;
3500 int rsa_enc, rsa_sign, dh_tmp, dsa_sign;
3501 unsigned long mask_k, mask_a;
3502 #ifndef OPENSSL_NO_EC
3503 int have_ecc_cert, ecdsa_ok;
3504 #endif
3505 if (c == NULL)
3506 return;
3507
3508 #ifndef OPENSSL_NO_DH
3509 dh_tmp = (c->dh_tmp != NULL || c->dh_tmp_cb != NULL || c->dh_tmp_auto);
3510 #else
3511 dh_tmp = 0;
3512 #endif
3513
3514 rsa_enc = pvalid[SSL_PKEY_RSA] & CERT_PKEY_VALID;
3515 rsa_sign = pvalid[SSL_PKEY_RSA] & CERT_PKEY_VALID;
3516 dsa_sign = pvalid[SSL_PKEY_DSA_SIGN] & CERT_PKEY_VALID;
3517 #ifndef OPENSSL_NO_EC
3518 have_ecc_cert = pvalid[SSL_PKEY_ECC] & CERT_PKEY_VALID;
3519 #endif
3520 mask_k = 0;
3521 mask_a = 0;
3522
3523 OSSL_TRACE4(TLS_CIPHER, "dh_tmp=%d rsa_enc=%d rsa_sign=%d dsa_sign=%d\n",
3524 dh_tmp, rsa_enc, rsa_sign, dsa_sign);
3525
3526 #ifndef OPENSSL_NO_GOST
3527 if (ssl_has_cert(s, SSL_PKEY_GOST12_512)) {
3528 mask_k |= SSL_kGOST | SSL_kGOST18;
3529 mask_a |= SSL_aGOST12;
3530 }
3531 if (ssl_has_cert(s, SSL_PKEY_GOST12_256)) {
3532 mask_k |= SSL_kGOST | SSL_kGOST18;
3533 mask_a |= SSL_aGOST12;
3534 }
3535 if (ssl_has_cert(s, SSL_PKEY_GOST01)) {
3536 mask_k |= SSL_kGOST;
3537 mask_a |= SSL_aGOST01;
3538 }
3539 #endif
3540
3541 if (rsa_enc)
3542 mask_k |= SSL_kRSA;
3543
3544 if (dh_tmp)
3545 mask_k |= SSL_kDHE;
3546
3547 /*
3548 * If we only have an RSA-PSS certificate allow RSA authentication
3549 * if TLS 1.2 and peer supports it.
3550 */
3551
3552 if (rsa_enc || rsa_sign || (ssl_has_cert(s, SSL_PKEY_RSA_PSS_SIGN)
3553 && pvalid[SSL_PKEY_RSA_PSS_SIGN] & CERT_PKEY_EXPLICIT_SIGN
3554 && TLS1_get_version(s) == TLS1_2_VERSION))
3555 mask_a |= SSL_aRSA;
3556
3557 if (dsa_sign) {
3558 mask_a |= SSL_aDSS;
3559 }
3560
3561 mask_a |= SSL_aNULL;
3562
3563 /*
3564 * An ECC certificate may be usable for ECDH and/or ECDSA cipher suites
3565 * depending on the key usage extension.
3566 */
3567 #ifndef OPENSSL_NO_EC
3568 if (have_ecc_cert) {
3569 uint32_t ex_kusage;
3570 ex_kusage = X509_get_key_usage(c->pkeys[SSL_PKEY_ECC].x509);
3571 ecdsa_ok = ex_kusage & X509v3_KU_DIGITAL_SIGNATURE;
3572 if (!(pvalid[SSL_PKEY_ECC] & CERT_PKEY_SIGN))
3573 ecdsa_ok = 0;
3574 if (ecdsa_ok)
3575 mask_a |= SSL_aECDSA;
3576 }
3577 /* Allow Ed25519 for TLS 1.2 if peer supports it */
3578 if (!(mask_a & SSL_aECDSA) && ssl_has_cert(s, SSL_PKEY_ED25519)
3579 && pvalid[SSL_PKEY_ED25519] & CERT_PKEY_EXPLICIT_SIGN
3580 && TLS1_get_version(s) == TLS1_2_VERSION)
3581 mask_a |= SSL_aECDSA;
3582
3583 /* Allow Ed448 for TLS 1.2 if peer supports it */
3584 if (!(mask_a & SSL_aECDSA) && ssl_has_cert(s, SSL_PKEY_ED448)
3585 && pvalid[SSL_PKEY_ED448] & CERT_PKEY_EXPLICIT_SIGN
3586 && TLS1_get_version(s) == TLS1_2_VERSION)
3587 mask_a |= SSL_aECDSA;
3588 #endif
3589
3590 #ifndef OPENSSL_NO_EC
3591 mask_k |= SSL_kECDHE;
3592 #endif
3593
3594 #ifndef OPENSSL_NO_PSK
3595 mask_k |= SSL_kPSK;
3596 mask_a |= SSL_aPSK;
3597 if (mask_k & SSL_kRSA)
3598 mask_k |= SSL_kRSAPSK;
3599 if (mask_k & SSL_kDHE)
3600 mask_k |= SSL_kDHEPSK;
3601 if (mask_k & SSL_kECDHE)
3602 mask_k |= SSL_kECDHEPSK;
3603 #endif
3604
3605 s->s3.tmp.mask_k = mask_k;
3606 s->s3.tmp.mask_a = mask_a;
3607 }
3608
3609 #ifndef OPENSSL_NO_EC
3610
3611 int ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s)
3612 {
3613 if (s->s3.tmp.new_cipher->algorithm_auth & SSL_aECDSA) {
3614 /* key usage, if present, must allow signing */
3615 if (!(X509_get_key_usage(x) & X509v3_KU_DIGITAL_SIGNATURE)) {
3616 SSLerr(SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG,
3617 SSL_R_ECC_CERT_NOT_FOR_SIGNING);
3618 return 0;
3619 }
3620 }
3621 return 1; /* all checks are ok */
3622 }
3623
3624 #endif
3625
3626 int ssl_get_server_cert_serverinfo(SSL *s, const unsigned char **serverinfo,
3627 size_t *serverinfo_length)
3628 {
3629 CERT_PKEY *cpk = s->s3.tmp.cert;
3630 *serverinfo_length = 0;
3631
3632 if (cpk == NULL || cpk->serverinfo == NULL)
3633 return 0;
3634
3635 *serverinfo = cpk->serverinfo;
3636 *serverinfo_length = cpk->serverinfo_length;
3637 return 1;
3638 }
3639
3640 void ssl_update_cache(SSL *s, int mode)
3641 {
3642 int i;
3643
3644 /*
3645 * If the session_id_length is 0, we are not supposed to cache it, and it
3646 * would be rather hard to do anyway :-)
3647 */
3648 if (s->session->session_id_length == 0)
3649 return;
3650
3651 /*
3652 * If sid_ctx_length is 0 there is no specific application context
3653 * associated with this session, so when we try to resume it and
3654 * SSL_VERIFY_PEER is requested to verify the client identity, we have no
3655 * indication that this is actually a session for the proper application
3656 * context, and the *handshake* will fail, not just the resumption attempt.
3657 * Do not cache (on the server) these sessions that are not resumable
3658 * (clients can set SSL_VERIFY_PEER without needing a sid_ctx set).
3659 */
3660 if (s->server && s->session->sid_ctx_length == 0
3661 && (s->verify_mode & SSL_VERIFY_PEER) != 0)
3662 return;
3663
3664 i = s->session_ctx->session_cache_mode;
3665 if ((i & mode) != 0
3666 && (!s->hit || SSL_IS_TLS13(s))) {
3667 /*
3668 * Add the session to the internal cache. In server side TLSv1.3 we
3669 * normally don't do this because by default it's a full stateless ticket
3670 * with only a dummy session id so there is no reason to cache it,
3671 * unless:
3672 * - we are doing early_data, in which case we cache so that we can
3673 * detect replays
3674 * - the application has set a remove_session_cb so needs to know about
3675 * session timeout events
3676 * - SSL_OP_NO_TICKET is set in which case it is a stateful ticket
3677 */
3678 if ((i & SSL_SESS_CACHE_NO_INTERNAL_STORE) == 0
3679 && (!SSL_IS_TLS13(s)
3680 || !s->server
3681 || (s->max_early_data > 0
3682 && (s->options & SSL_OP_NO_ANTI_REPLAY) == 0)
3683 || s->session_ctx->remove_session_cb != NULL
3684 || (s->options & SSL_OP_NO_TICKET) != 0))
3685 SSL_CTX_add_session(s->session_ctx, s->session);
3686
3687 /*
3688 * Add the session to the external cache. We do this even in server side
3689 * TLSv1.3 without early data because some applications just want to
3690 * know about the creation of a session and aren't doing a full cache.
3691 */
3692 if (s->session_ctx->new_session_cb != NULL) {
3693 SSL_SESSION_up_ref(s->session);
3694 if (!s->session_ctx->new_session_cb(s, s->session))
3695 SSL_SESSION_free(s->session);
3696 }
3697 }
3698
3699 /* auto flush every 255 connections */
3700 if ((!(i & SSL_SESS_CACHE_NO_AUTO_CLEAR)) && ((i & mode) == mode)) {
3701 TSAN_QUALIFIER int *stat;
3702 if (mode & SSL_SESS_CACHE_CLIENT)
3703 stat = &s->session_ctx->stats.sess_connect_good;
3704 else
3705 stat = &s->session_ctx->stats.sess_accept_good;
3706 if ((tsan_load(stat) & 0xff) == 0xff)
3707 SSL_CTX_flush_sessions(s->session_ctx, (unsigned long)time(NULL));
3708 }
3709 }
3710
3711 const SSL_METHOD *SSL_CTX_get_ssl_method(const SSL_CTX *ctx)
3712 {
3713 return ctx->method;
3714 }
3715
3716 const SSL_METHOD *SSL_get_ssl_method(const SSL *s)
3717 {
3718 return s->method;
3719 }
3720
3721 int SSL_set_ssl_method(SSL *s, const SSL_METHOD *meth)
3722 {
3723 int ret = 1;
3724
3725 if (s->method != meth) {
3726 const SSL_METHOD *sm = s->method;
3727 int (*hf) (SSL *) = s->handshake_func;
3728
3729 if (sm->version == meth->version)
3730 s->method = meth;
3731 else {
3732 sm->ssl_free(s);
3733 s->method = meth;
3734 ret = s->method->ssl_new(s);
3735 }
3736
3737 if (hf == sm->ssl_connect)
3738 s->handshake_func = meth->ssl_connect;
3739 else if (hf == sm->ssl_accept)
3740 s->handshake_func = meth->ssl_accept;
3741 }
3742 return ret;
3743 }
3744
3745 int SSL_get_error(const SSL *s, int i)
3746 {
3747 int reason;
3748 unsigned long l;
3749 BIO *bio;
3750
3751 if (i > 0)
3752 return SSL_ERROR_NONE;
3753
3754 /*
3755 * Make things return SSL_ERROR_SYSCALL when doing SSL_do_handshake etc,
3756 * where we do encode the error
3757 */
3758 if ((l = ERR_peek_error()) != 0) {
3759 if (ERR_GET_LIB(l) == ERR_LIB_SYS)
3760 return SSL_ERROR_SYSCALL;
3761 else
3762 return SSL_ERROR_SSL;
3763 }
3764
3765 if (SSL_want_read(s)) {
3766 bio = SSL_get_rbio(s);
3767 if (BIO_should_read(bio))
3768 return SSL_ERROR_WANT_READ;
3769 else if (BIO_should_write(bio))
3770 /*
3771 * This one doesn't make too much sense ... We never try to write
3772 * to the rbio, and an application program where rbio and wbio
3773 * are separate couldn't even know what it should wait for.
3774 * However if we ever set s->rwstate incorrectly (so that we have
3775 * SSL_want_read(s) instead of SSL_want_write(s)) and rbio and
3776 * wbio *are* the same, this test works around that bug; so it
3777 * might be safer to keep it.
3778 */
3779 return SSL_ERROR_WANT_WRITE;
3780 else if (BIO_should_io_special(bio)) {
3781 reason = BIO_get_retry_reason(bio);
3782 if (reason == BIO_RR_CONNECT)
3783 return SSL_ERROR_WANT_CONNECT;
3784 else if (reason == BIO_RR_ACCEPT)
3785 return SSL_ERROR_WANT_ACCEPT;
3786 else
3787 return SSL_ERROR_SYSCALL; /* unknown */
3788 }
3789 }
3790
3791 if (SSL_want_write(s)) {
3792 /* Access wbio directly - in order to use the buffered bio if present */
3793 bio = s->wbio;
3794 if (BIO_should_write(bio))
3795 return SSL_ERROR_WANT_WRITE;
3796 else if (BIO_should_read(bio))
3797 /*
3798 * See above (SSL_want_read(s) with BIO_should_write(bio))
3799 */
3800 return SSL_ERROR_WANT_READ;
3801 else if (BIO_should_io_special(bio)) {
3802 reason = BIO_get_retry_reason(bio);
3803 if (reason == BIO_RR_CONNECT)
3804 return SSL_ERROR_WANT_CONNECT;
3805 else if (reason == BIO_RR_ACCEPT)
3806 return SSL_ERROR_WANT_ACCEPT;
3807 else
3808 return SSL_ERROR_SYSCALL;
3809 }
3810 }
3811 if (SSL_want_x509_lookup(s))
3812 return SSL_ERROR_WANT_X509_LOOKUP;
3813 if (SSL_want_async(s))
3814 return SSL_ERROR_WANT_ASYNC;
3815 if (SSL_want_async_job(s))
3816 return SSL_ERROR_WANT_ASYNC_JOB;
3817 if (SSL_want_client_hello_cb(s))
3818 return SSL_ERROR_WANT_CLIENT_HELLO_CB;
3819
3820 if ((s->shutdown & SSL_RECEIVED_SHUTDOWN) &&
3821 (s->s3.warn_alert == SSL_AD_CLOSE_NOTIFY))
3822 return SSL_ERROR_ZERO_RETURN;
3823
3824 return SSL_ERROR_SYSCALL;
3825 }
3826
3827 static int ssl_do_handshake_intern(void *vargs)
3828 {
3829 struct ssl_async_args *args;
3830 SSL *s;
3831
3832 args = (struct ssl_async_args *)vargs;
3833 s = args->s;
3834
3835 return s->handshake_func(s);
3836 }
3837
3838 int SSL_do_handshake(SSL *s)
3839 {
3840 int ret = 1;
3841
3842 if (s->handshake_func == NULL) {
3843 SSLerr(SSL_F_SSL_DO_HANDSHAKE, SSL_R_CONNECTION_TYPE_NOT_SET);
3844 return -1;
3845 }
3846
3847 ossl_statem_check_finish_init(s, -1);
3848
3849 s->method->ssl_renegotiate_check(s, 0);
3850
3851 if (SSL_in_init(s) || SSL_in_before(s)) {
3852 if ((s->mode & SSL_MODE_ASYNC) && ASYNC_get_current_job() == NULL) {
3853 struct ssl_async_args args;
3854
3855 args.s = s;
3856
3857 ret = ssl_start_async_job(s, &args, ssl_do_handshake_intern);
3858 } else {
3859 ret = s->handshake_func(s);
3860 }
3861 }
3862 return ret;
3863 }
3864
3865 void SSL_set_accept_state(SSL *s)
3866 {
3867 s->server = 1;
3868 s->shutdown = 0;
3869 ossl_statem_clear(s);
3870 s->handshake_func = s->method->ssl_accept;
3871 clear_ciphers(s);
3872 }
3873
3874 void SSL_set_connect_state(SSL *s)
3875 {
3876 s->server = 0;
3877 s->shutdown = 0;
3878 ossl_statem_clear(s);
3879 s->handshake_func = s->method->ssl_connect;
3880 clear_ciphers(s);
3881 }
3882
3883 int ssl_undefined_function(SSL *s)
3884 {
3885 SSLerr(SSL_F_SSL_UNDEFINED_FUNCTION, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
3886 return 0;
3887 }
3888
3889 int ssl_undefined_void_function(void)
3890 {
3891 SSLerr(SSL_F_SSL_UNDEFINED_VOID_FUNCTION,
3892 ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
3893 return 0;
3894 }
3895
3896 int ssl_undefined_const_function(const SSL *s)
3897 {
3898 return 0;
3899 }
3900
3901 const SSL_METHOD *ssl_bad_method(int ver)
3902 {
3903 SSLerr(SSL_F_SSL_BAD_METHOD, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
3904 return NULL;
3905 }
3906
3907 const char *ssl_protocol_to_string(int version)
3908 {
3909 switch(version)
3910 {
3911 case TLS1_3_VERSION:
3912 return "TLSv1.3";
3913
3914 case TLS1_2_VERSION:
3915 return "TLSv1.2";
3916
3917 case TLS1_1_VERSION:
3918 return "TLSv1.1";
3919
3920 case TLS1_VERSION:
3921 return "TLSv1";
3922
3923 case SSL3_VERSION:
3924 return "SSLv3";
3925
3926 case DTLS1_BAD_VER:
3927 return "DTLSv0.9";
3928
3929 case DTLS1_VERSION:
3930 return "DTLSv1";
3931
3932 case DTLS1_2_VERSION:
3933 return "DTLSv1.2";
3934
3935 default:
3936 return "unknown";
3937 }
3938 }
3939
3940 const char *SSL_get_version(const SSL *s)
3941 {
3942 return ssl_protocol_to_string(s->version);
3943 }
3944
3945 static int dup_ca_names(STACK_OF(X509_NAME) **dst, STACK_OF(X509_NAME) *src)
3946 {
3947 STACK_OF(X509_NAME) *sk;
3948 X509_NAME *xn;
3949 int i;
3950
3951 if (src == NULL) {
3952 *dst = NULL;
3953 return 1;
3954 }
3955
3956 if ((sk = sk_X509_NAME_new_null()) == NULL)
3957 return 0;
3958 for (i = 0; i < sk_X509_NAME_num(src); i++) {
3959 xn = X509_NAME_dup(sk_X509_NAME_value(src, i));
3960 if (xn == NULL) {
3961 sk_X509_NAME_pop_free(sk, X509_NAME_free);
3962 return 0;
3963 }
3964 if (sk_X509_NAME_insert(sk, xn, i) == 0) {
3965 X509_NAME_free(xn);
3966 sk_X509_NAME_pop_free(sk, X509_NAME_free);
3967 return 0;
3968 }
3969 }
3970 *dst = sk;
3971
3972 return 1;
3973 }
3974
3975 SSL *SSL_dup(SSL *s)
3976 {
3977 SSL *ret;
3978 int i;
3979
3980 /* If we're not quiescent, just up_ref! */
3981 if (!SSL_in_init(s) || !SSL_in_before(s)) {
3982 CRYPTO_UP_REF(&s->references, &i, s->lock);
3983 return s;
3984 }
3985
3986 /*
3987 * Otherwise, copy configuration state, and session if set.
3988 */
3989 if ((ret = SSL_new(SSL_get_SSL_CTX(s))) == NULL)
3990 return NULL;
3991
3992 if (s->session != NULL) {
3993 /*
3994 * Arranges to share the same session via up_ref. This "copies"
3995 * session-id, SSL_METHOD, sid_ctx, and 'cert'
3996 */
3997 if (!SSL_copy_session_id(ret, s))
3998 goto err;
3999 } else {
4000 /*
4001 * No session has been established yet, so we have to expect that
4002 * s->cert or ret->cert will be changed later -- they should not both
4003 * point to the same object, and thus we can't use
4004 * SSL_copy_session_id.
4005 */
4006 if (!SSL_set_ssl_method(ret, s->method))
4007 goto err;
4008
4009 if (s->cert != NULL) {
4010 ssl_cert_free(ret->cert);
4011 ret->cert = ssl_cert_dup(s->cert);
4012 if (ret->cert == NULL)
4013 goto err;
4014 }
4015
4016 if (!SSL_set_session_id_context(ret, s->sid_ctx,
4017 (int)s->sid_ctx_length))
4018 goto err;
4019 }
4020
4021 if (!ssl_dane_dup(ret, s))
4022 goto err;
4023 ret->version = s->version;
4024 ret->options = s->options;
4025 ret->min_proto_version = s->min_proto_version;
4026 ret->max_proto_version = s->max_proto_version;
4027 ret->mode = s->mode;
4028 SSL_set_max_cert_list(ret, SSL_get_max_cert_list(s));
4029 SSL_set_read_ahead(ret, SSL_get_read_ahead(s));
4030 ret->msg_callback = s->msg_callback;
4031 ret->msg_callback_arg = s->msg_callback_arg;
4032 SSL_set_verify(ret, SSL_get_verify_mode(s), SSL_get_verify_callback(s));
4033 SSL_set_verify_depth(ret, SSL_get_verify_depth(s));
4034 ret->generate_session_id = s->generate_session_id;
4035
4036 SSL_set_info_callback(ret, SSL_get_info_callback(s));
4037
4038 /* copy app data, a little dangerous perhaps */
4039 if (!CRYPTO_dup_ex_data(CRYPTO_EX_INDEX_SSL, &ret->ex_data, &s->ex_data))
4040 goto err;
4041
4042 ret->server = s->server;
4043 if (s->handshake_func) {
4044 if (s->server)
4045 SSL_set_accept_state(ret);
4046 else
4047 SSL_set_connect_state(ret);
4048 }
4049 ret->shutdown = s->shutdown;
4050 ret->hit = s->hit;
4051
4052 ret->default_passwd_callback = s->default_passwd_callback;
4053 ret->default_passwd_callback_userdata = s->default_passwd_callback_userdata;
4054
4055 X509_VERIFY_PARAM_inherit(ret->param, s->param);
4056
4057 /* dup the cipher_list and cipher_list_by_id stacks */
4058 if (s->cipher_list != NULL) {
4059 if ((ret->cipher_list = sk_SSL_CIPHER_dup(s->cipher_list)) == NULL)
4060 goto err;
4061 }
4062 if (s->cipher_list_by_id != NULL)
4063 if ((ret->cipher_list_by_id = sk_SSL_CIPHER_dup(s->cipher_list_by_id))
4064 == NULL)
4065 goto err;
4066
4067 /* Dup the client_CA list */
4068 if (!dup_ca_names(&ret->ca_names, s->ca_names)
4069 || !dup_ca_names(&ret->client_ca_names, s->client_ca_names))
4070 goto err;
4071
4072 return ret;
4073
4074 err:
4075 SSL_free(ret);
4076 return NULL;
4077 }
4078
4079 void ssl_clear_cipher_ctx(SSL *s)
4080 {
4081 if (s->enc_read_ctx != NULL) {
4082 EVP_CIPHER_CTX_free(s->enc_read_ctx);
4083 s->enc_read_ctx = NULL;
4084 }
4085 if (s->enc_write_ctx != NULL) {
4086 EVP_CIPHER_CTX_free(s->enc_write_ctx);
4087 s->enc_write_ctx = NULL;
4088 }
4089 #ifndef OPENSSL_NO_COMP
4090 COMP_CTX_free(s->expand);
4091 s->expand = NULL;
4092 COMP_CTX_free(s->compress);
4093 s->compress = NULL;
4094 #endif
4095 }
4096
4097 X509 *SSL_get_certificate(const SSL *s)
4098 {
4099 if (s->cert != NULL)
4100 return s->cert->key->x509;
4101 else
4102 return NULL;
4103 }
4104
4105 EVP_PKEY *SSL_get_privatekey(const SSL *s)
4106 {
4107 if (s->cert != NULL)
4108 return s->cert->key->privatekey;
4109 else
4110 return NULL;
4111 }
4112
4113 X509 *SSL_CTX_get0_certificate(const SSL_CTX *ctx)
4114 {
4115 if (ctx->cert != NULL)
4116 return ctx->cert->key->x509;
4117 else
4118 return NULL;
4119 }
4120
4121 EVP_PKEY *SSL_CTX_get0_privatekey(const SSL_CTX *ctx)
4122 {
4123 if (ctx->cert != NULL)
4124 return ctx->cert->key->privatekey;
4125 else
4126 return NULL;
4127 }
4128
4129 const SSL_CIPHER *SSL_get_current_cipher(const SSL *s)
4130 {
4131 if ((s->session != NULL) && (s->session->cipher != NULL))
4132 return s->session->cipher;
4133 return NULL;
4134 }
4135
4136 const SSL_CIPHER *SSL_get_pending_cipher(const SSL *s)
4137 {
4138 return s->s3.tmp.new_cipher;
4139 }
4140
4141 const COMP_METHOD *SSL_get_current_compression(const SSL *s)
4142 {
4143 #ifndef OPENSSL_NO_COMP
4144 return s->compress ? COMP_CTX_get_method(s->compress) : NULL;
4145 #else
4146 return NULL;
4147 #endif
4148 }
4149
4150 const COMP_METHOD *SSL_get_current_expansion(const SSL *s)
4151 {
4152 #ifndef OPENSSL_NO_COMP
4153 return s->expand ? COMP_CTX_get_method(s->expand) : NULL;
4154 #else
4155 return NULL;
4156 #endif
4157 }
4158
4159 int ssl_init_wbio_buffer(SSL *s)
4160 {
4161 BIO *bbio;
4162
4163 if (s->bbio != NULL) {
4164 /* Already buffered. */
4165 return 1;
4166 }
4167
4168 bbio = BIO_new(BIO_f_buffer());
4169 if (bbio == NULL || !BIO_set_read_buffer_size(bbio, 1)) {
4170 BIO_free(bbio);
4171 SSLerr(SSL_F_SSL_INIT_WBIO_BUFFER, ERR_R_BUF_LIB);
4172 return 0;
4173 }
4174 s->bbio = bbio;
4175 s->wbio = BIO_push(bbio, s->wbio);
4176
4177 return 1;
4178 }
4179
4180 int ssl_free_wbio_buffer(SSL *s)
4181 {
4182 /* callers ensure s is never null */
4183 if (s->bbio == NULL)
4184 return 1;
4185
4186 s->wbio = BIO_pop(s->wbio);
4187 BIO_free(s->bbio);
4188 s->bbio = NULL;
4189
4190 return 1;
4191 }
4192
4193 void SSL_CTX_set_quiet_shutdown(SSL_CTX *ctx, int mode)
4194 {
4195 ctx->quiet_shutdown = mode;
4196 }
4197
4198 int SSL_CTX_get_quiet_shutdown(const SSL_CTX *ctx)
4199 {
4200 return ctx->quiet_shutdown;
4201 }
4202
4203 void SSL_set_quiet_shutdown(SSL *s, int mode)
4204 {
4205 s->quiet_shutdown = mode;
4206 }
4207
4208 int SSL_get_quiet_shutdown(const SSL *s)
4209 {
4210 return s->quiet_shutdown;
4211 }
4212
4213 void SSL_set_shutdown(SSL *s, int mode)
4214 {
4215 s->shutdown = mode;
4216 }
4217
4218 int SSL_get_shutdown(const SSL *s)
4219 {
4220 return s->shutdown;
4221 }
4222
4223 int SSL_version(const SSL *s)
4224 {
4225 return s->version;
4226 }
4227
4228 int SSL_client_version(const SSL *s)
4229 {
4230 return s->client_version;
4231 }
4232
4233 SSL_CTX *SSL_get_SSL_CTX(const SSL *ssl)
4234 {
4235 return ssl->ctx;
4236 }
4237
4238 SSL_CTX *SSL_set_SSL_CTX(SSL *ssl, SSL_CTX *ctx)
4239 {
4240 CERT *new_cert;
4241 if (ssl->ctx == ctx)
4242 return ssl->ctx;
4243 if (ctx == NULL)
4244 ctx = ssl->session_ctx;
4245 new_cert = ssl_cert_dup(ctx->cert);
4246 if (new_cert == NULL) {
4247 return NULL;
4248 }
4249
4250 if (!custom_exts_copy_flags(&new_cert->custext, &ssl->cert->custext)) {
4251 ssl_cert_free(new_cert);
4252 return NULL;
4253 }
4254
4255 ssl_cert_free(ssl->cert);
4256 ssl->cert = new_cert;
4257
4258 /*
4259 * Program invariant: |sid_ctx| has fixed size (SSL_MAX_SID_CTX_LENGTH),
4260 * so setter APIs must prevent invalid lengths from entering the system.
4261 */
4262 if (!ossl_assert(ssl->sid_ctx_length <= sizeof(ssl->sid_ctx)))
4263 return NULL;
4264
4265 /*
4266 * If the session ID context matches that of the parent SSL_CTX,
4267 * inherit it from the new SSL_CTX as well. If however the context does
4268 * not match (i.e., it was set per-ssl with SSL_set_session_id_context),
4269 * leave it unchanged.
4270 */
4271 if ((ssl->ctx != NULL) &&
4272 (ssl->sid_ctx_length == ssl->ctx->sid_ctx_length) &&
4273 (memcmp(ssl->sid_ctx, ssl->ctx->sid_ctx, ssl->sid_ctx_length) == 0)) {
4274 ssl->sid_ctx_length = ctx->sid_ctx_length;
4275 memcpy(&ssl->sid_ctx, &ctx->sid_ctx, sizeof(ssl->sid_ctx));
4276 }
4277
4278 SSL_CTX_up_ref(ctx);
4279 SSL_CTX_free(ssl->ctx); /* decrement reference count */
4280 ssl->ctx = ctx;
4281
4282 return ssl->ctx;
4283 }
4284
4285 int SSL_CTX_set_default_verify_paths(SSL_CTX *ctx)
4286 {
4287 return X509_STORE_set_default_paths_with_libctx(ctx->cert_store,
4288 ctx->libctx, ctx->propq);
4289 }
4290
4291 int SSL_CTX_set_default_verify_dir(SSL_CTX *ctx)
4292 {
4293 X509_LOOKUP *lookup;
4294
4295 lookup = X509_STORE_add_lookup(ctx->cert_store, X509_LOOKUP_hash_dir());
4296 if (lookup == NULL)
4297 return 0;
4298
4299 /* We ignore errors, in case the directory doesn't exist */
4300 ERR_set_mark();
4301
4302 X509_LOOKUP_add_dir(lookup, NULL, X509_FILETYPE_DEFAULT);
4303
4304 ERR_pop_to_mark();
4305
4306 return 1;
4307 }
4308
4309 int SSL_CTX_set_default_verify_file(SSL_CTX *ctx)
4310 {
4311 X509_LOOKUP *lookup;
4312
4313 lookup = X509_STORE_add_lookup(ctx->cert_store, X509_LOOKUP_file());
4314 if (lookup == NULL)
4315 return 0;
4316
4317 /* We ignore errors, in case the directory doesn't exist */
4318 ERR_set_mark();
4319
4320 X509_LOOKUP_load_file_with_libctx(lookup, NULL, X509_FILETYPE_DEFAULT,
4321 ctx->libctx, ctx->propq);
4322
4323 ERR_pop_to_mark();
4324
4325 return 1;
4326 }
4327
4328 int SSL_CTX_set_default_verify_store(SSL_CTX *ctx)
4329 {
4330 X509_LOOKUP *lookup;
4331
4332 lookup = X509_STORE_add_lookup(ctx->cert_store, X509_LOOKUP_store());
4333 if (lookup == NULL)
4334 return 0;
4335
4336 /* We ignore errors, in case the directory doesn't exist */
4337 ERR_set_mark();
4338
4339 X509_LOOKUP_add_store_with_libctx(lookup, NULL, ctx->libctx, ctx->propq);
4340
4341 ERR_pop_to_mark();
4342
4343 return 1;
4344 }
4345
4346 int SSL_CTX_load_verify_file(SSL_CTX *ctx, const char *CAfile)
4347 {
4348 return X509_STORE_load_file_with_libctx(ctx->cert_store, CAfile,
4349 ctx->libctx, ctx->propq);
4350 }
4351
4352 int SSL_CTX_load_verify_dir(SSL_CTX *ctx, const char *CApath)
4353 {
4354 return X509_STORE_load_path(ctx->cert_store, CApath);
4355 }
4356
4357 int SSL_CTX_load_verify_store(SSL_CTX *ctx, const char *CAstore)
4358 {
4359 return X509_STORE_load_store_with_libctx(ctx->cert_store, CAstore,
4360 ctx->libctx, ctx->propq);
4361 }
4362
4363 int SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile,
4364 const char *CApath)
4365 {
4366 if (CAfile == NULL && CApath == NULL)
4367 return 0;
4368 if (CAfile != NULL && !SSL_CTX_load_verify_file(ctx, CAfile))
4369 return 0;
4370 if (CApath != NULL && !SSL_CTX_load_verify_dir(ctx, CApath))
4371 return 0;
4372 return 1;
4373 }
4374
4375 void SSL_set_info_callback(SSL *ssl,
4376 void (*cb) (const SSL *ssl, int type, int val))
4377 {
4378 ssl->info_callback = cb;
4379 }
4380
4381 /*
4382 * One compiler (Diab DCC) doesn't like argument names in returned function
4383 * pointer.
4384 */
4385 void (*SSL_get_info_callback(const SSL *ssl)) (const SSL * /* ssl */ ,
4386 int /* type */ ,
4387 int /* val */ ) {
4388 return ssl->info_callback;
4389 }
4390
4391 void SSL_set_verify_result(SSL *ssl, long arg)
4392 {
4393 ssl->verify_result = arg;
4394 }
4395
4396 long SSL_get_verify_result(const SSL *ssl)
4397 {
4398 return ssl->verify_result;
4399 }
4400
4401 size_t SSL_get_client_random(const SSL *ssl, unsigned char *out, size_t outlen)
4402 {
4403 if (outlen == 0)
4404 return sizeof(ssl->s3.client_random);
4405 if (outlen > sizeof(ssl->s3.client_random))
4406 outlen = sizeof(ssl->s3.client_random);
4407 memcpy(out, ssl->s3.client_random, outlen);
4408 return outlen;
4409 }
4410
4411 size_t SSL_get_server_random(const SSL *ssl, unsigned char *out, size_t outlen)
4412 {
4413 if (outlen == 0)
4414 return sizeof(ssl->s3.server_random);
4415 if (outlen > sizeof(ssl->s3.server_random))
4416 outlen = sizeof(ssl->s3.server_random);
4417 memcpy(out, ssl->s3.server_random, outlen);
4418 return outlen;
4419 }
4420
4421 size_t SSL_SESSION_get_master_key(const SSL_SESSION *session,
4422 unsigned char *out, size_t outlen)
4423 {
4424 if (outlen == 0)
4425 return session->master_key_length;
4426 if (outlen > session->master_key_length)
4427 outlen = session->master_key_length;
4428 memcpy(out, session->master_key, outlen);
4429 return outlen;
4430 }
4431
4432 int SSL_SESSION_set1_master_key(SSL_SESSION *sess, const unsigned char *in,
4433 size_t len)
4434 {
4435 if (len > sizeof(sess->master_key))
4436 return 0;
4437
4438 memcpy(sess->master_key, in, len);
4439 sess->master_key_length = len;
4440 return 1;
4441 }
4442
4443
4444 int SSL_set_ex_data(SSL *s, int idx, void *arg)
4445 {
4446 return CRYPTO_set_ex_data(&s->ex_data, idx, arg);
4447 }
4448
4449 void *SSL_get_ex_data(const SSL *s, int idx)
4450 {
4451 return CRYPTO_get_ex_data(&s->ex_data, idx);
4452 }
4453
4454 int SSL_CTX_set_ex_data(SSL_CTX *s, int idx, void *arg)
4455 {
4456 return CRYPTO_set_ex_data(&s->ex_data, idx, arg);
4457 }
4458
4459 void *SSL_CTX_get_ex_data(const SSL_CTX *s, int idx)
4460 {
4461 return CRYPTO_get_ex_data(&s->ex_data, idx);
4462 }
4463
4464 X509_STORE *SSL_CTX_get_cert_store(const SSL_CTX *ctx)
4465 {
4466 return ctx->cert_store;
4467 }
4468
4469 void SSL_CTX_set_cert_store(SSL_CTX *ctx, X509_STORE *store)
4470 {
4471 X509_STORE_free(ctx->cert_store);
4472 ctx->cert_store = store;
4473 }
4474
4475 void SSL_CTX_set1_cert_store(SSL_CTX *ctx, X509_STORE *store)
4476 {
4477 if (store != NULL)
4478 X509_STORE_up_ref(store);
4479 SSL_CTX_set_cert_store(ctx, store);
4480 }
4481
4482 int SSL_want(const SSL *s)
4483 {
4484 return s->rwstate;
4485 }
4486
4487 /**
4488 * \brief Set the callback for generating temporary DH keys.
4489 * \param ctx the SSL context.
4490 * \param dh the callback
4491 */
4492
4493 #ifndef OPENSSL_NO_DH
4494 void SSL_CTX_set_tmp_dh_callback(SSL_CTX *ctx,
4495 DH *(*dh) (SSL *ssl, int is_export,
4496 int keylength))
4497 {
4498 SSL_CTX_callback_ctrl(ctx, SSL_CTRL_SET_TMP_DH_CB, (void (*)(void))dh);
4499 }
4500
4501 void SSL_set_tmp_dh_callback(SSL *ssl, DH *(*dh) (SSL *ssl, int is_export,
4502 int keylength))
4503 {
4504 SSL_callback_ctrl(ssl, SSL_CTRL_SET_TMP_DH_CB, (void (*)(void))dh);
4505 }
4506 #endif
4507
4508 #ifndef OPENSSL_NO_PSK
4509 int SSL_CTX_use_psk_identity_hint(SSL_CTX *ctx, const char *identity_hint)
4510 {
4511 if (identity_hint != NULL && strlen(identity_hint) > PSK_MAX_IDENTITY_LEN) {
4512 SSLerr(SSL_F_SSL_CTX_USE_PSK_IDENTITY_HINT, SSL_R_DATA_LENGTH_TOO_LONG);
4513 return 0;
4514 }
4515 OPENSSL_free(ctx->cert->psk_identity_hint);
4516 if (identity_hint != NULL) {
4517 ctx->cert->psk_identity_hint = OPENSSL_strdup(identity_hint);
4518 if (ctx->cert->psk_identity_hint == NULL)
4519 return 0;
4520 } else
4521 ctx->cert->psk_identity_hint = NULL;
4522 return 1;
4523 }
4524
4525 int SSL_use_psk_identity_hint(SSL *s, const char *identity_hint)
4526 {
4527 if (s == NULL)
4528 return 0;
4529
4530 if (identity_hint != NULL && strlen(identity_hint) > PSK_MAX_IDENTITY_LEN) {
4531 SSLerr(SSL_F_SSL_USE_PSK_IDENTITY_HINT, SSL_R_DATA_LENGTH_TOO_LONG);
4532 return 0;
4533 }
4534 OPENSSL_free(s->cert->psk_identity_hint);
4535 if (identity_hint != NULL) {
4536 s->cert->psk_identity_hint = OPENSSL_strdup(identity_hint);
4537 if (s->cert->psk_identity_hint == NULL)
4538 return 0;
4539 } else
4540 s->cert->psk_identity_hint = NULL;
4541 return 1;
4542 }
4543
4544 const char *SSL_get_psk_identity_hint(const SSL *s)
4545 {
4546 if (s == NULL || s->session == NULL)
4547 return NULL;
4548 return s->session->psk_identity_hint;
4549 }
4550
4551 const char *SSL_get_psk_identity(const SSL *s)
4552 {
4553 if (s == NULL || s->session == NULL)
4554 return NULL;
4555 return s->session->psk_identity;
4556 }
4557
4558 void SSL_set_psk_client_callback(SSL *s, SSL_psk_client_cb_func cb)
4559 {
4560 s->psk_client_callback = cb;
4561 }
4562
4563 void SSL_CTX_set_psk_client_callback(SSL_CTX *ctx, SSL_psk_client_cb_func cb)
4564 {
4565 ctx->psk_client_callback = cb;
4566 }
4567
4568 void SSL_set_psk_server_callback(SSL *s, SSL_psk_server_cb_func cb)
4569 {
4570 s->psk_server_callback = cb;
4571 }
4572
4573 void SSL_CTX_set_psk_server_callback(SSL_CTX *ctx, SSL_psk_server_cb_func cb)
4574 {
4575 ctx->psk_server_callback = cb;
4576 }
4577 #endif
4578
4579 void SSL_set_psk_find_session_callback(SSL *s, SSL_psk_find_session_cb_func cb)
4580 {
4581 s->psk_find_session_cb = cb;
4582 }
4583
4584 void SSL_CTX_set_psk_find_session_callback(SSL_CTX *ctx,
4585 SSL_psk_find_session_cb_func cb)
4586 {
4587 ctx->psk_find_session_cb = cb;
4588 }
4589
4590 void SSL_set_psk_use_session_callback(SSL *s, SSL_psk_use_session_cb_func cb)
4591 {
4592 s->psk_use_session_cb = cb;
4593 }
4594
4595 void SSL_CTX_set_psk_use_session_callback(SSL_CTX *ctx,
4596 SSL_psk_use_session_cb_func cb)
4597 {
4598 ctx->psk_use_session_cb = cb;
4599 }
4600
4601 void SSL_CTX_set_msg_callback(SSL_CTX *ctx,
4602 void (*cb) (int write_p, int version,
4603 int content_type, const void *buf,
4604 size_t len, SSL *ssl, void *arg))
4605 {
4606 SSL_CTX_callback_ctrl(ctx, SSL_CTRL_SET_MSG_CALLBACK, (void (*)(void))cb);
4607 }
4608
4609 void SSL_set_msg_callback(SSL *ssl,
4610 void (*cb) (int write_p, int version,
4611 int content_type, const void *buf,
4612 size_t len, SSL *ssl, void *arg))
4613 {
4614 SSL_callback_ctrl(ssl, SSL_CTRL_SET_MSG_CALLBACK, (void (*)(void))cb);
4615 }
4616
4617 void SSL_CTX_set_not_resumable_session_callback(SSL_CTX *ctx,
4618 int (*cb) (SSL *ssl,
4619 int
4620 is_forward_secure))
4621 {
4622 SSL_CTX_callback_ctrl(ctx, SSL_CTRL_SET_NOT_RESUMABLE_SESS_CB,
4623 (void (*)(void))cb);
4624 }
4625
4626 void SSL_set_not_resumable_session_callback(SSL *ssl,
4627 int (*cb) (SSL *ssl,
4628 int is_forward_secure))
4629 {
4630 SSL_callback_ctrl(ssl, SSL_CTRL_SET_NOT_RESUMABLE_SESS_CB,
4631 (void (*)(void))cb);
4632 }
4633
4634 void SSL_CTX_set_record_padding_callback(SSL_CTX *ctx,
4635 size_t (*cb) (SSL *ssl, int type,
4636 size_t len, void *arg))
4637 {
4638 ctx->record_padding_cb = cb;
4639 }
4640
4641 void SSL_CTX_set_record_padding_callback_arg(SSL_CTX *ctx, void *arg)
4642 {
4643 ctx->record_padding_arg = arg;
4644 }
4645
4646 void *SSL_CTX_get_record_padding_callback_arg(const SSL_CTX *ctx)
4647 {
4648 return ctx->record_padding_arg;
4649 }
4650
4651 int SSL_CTX_set_block_padding(SSL_CTX *ctx, size_t block_size)
4652 {
4653 /* block size of 0 or 1 is basically no padding */
4654 if (block_size == 1)
4655 ctx->block_padding = 0;
4656 else if (block_size <= SSL3_RT_MAX_PLAIN_LENGTH)
4657 ctx->block_padding = block_size;
4658 else
4659 return 0;
4660 return 1;
4661 }
4662
4663 int SSL_set_record_padding_callback(SSL *ssl,
4664 size_t (*cb) (SSL *ssl, int type,
4665 size_t len, void *arg))
4666 {
4667 BIO *b;
4668
4669 b = SSL_get_wbio(ssl);
4670 if (b == NULL || !BIO_get_ktls_send(b)) {
4671 ssl->record_padding_cb = cb;
4672 return 1;
4673 }
4674 return 0;
4675 }
4676
4677 void SSL_set_record_padding_callback_arg(SSL *ssl, void *arg)
4678 {
4679 ssl->record_padding_arg = arg;
4680 }
4681
4682 void *SSL_get_record_padding_callback_arg(const SSL *ssl)
4683 {
4684 return ssl->record_padding_arg;
4685 }
4686
4687 int SSL_set_block_padding(SSL *ssl, size_t block_size)
4688 {
4689 /* block size of 0 or 1 is basically no padding */
4690 if (block_size == 1)
4691 ssl->block_padding = 0;
4692 else if (block_size <= SSL3_RT_MAX_PLAIN_LENGTH)
4693 ssl->block_padding = block_size;
4694 else
4695 return 0;
4696 return 1;
4697 }
4698
4699 int SSL_set_num_tickets(SSL *s, size_t num_tickets)
4700 {
4701 s->num_tickets = num_tickets;
4702
4703 return 1;
4704 }
4705
4706 size_t SSL_get_num_tickets(const SSL *s)
4707 {
4708 return s->num_tickets;
4709 }
4710
4711 int SSL_CTX_set_num_tickets(SSL_CTX *ctx, size_t num_tickets)
4712 {
4713 ctx->num_tickets = num_tickets;
4714
4715 return 1;
4716 }
4717
4718 size_t SSL_CTX_get_num_tickets(const SSL_CTX *ctx)
4719 {
4720 return ctx->num_tickets;
4721 }
4722
4723 /*
4724 * Allocates new EVP_MD_CTX and sets pointer to it into given pointer
4725 * variable, freeing EVP_MD_CTX previously stored in that variable, if any.
4726 * If EVP_MD pointer is passed, initializes ctx with this |md|.
4727 * Returns the newly allocated ctx;
4728 */
4729
4730 EVP_MD_CTX *ssl_replace_hash(EVP_MD_CTX **hash, const EVP_MD *md)
4731 {
4732 ssl_clear_hash_ctx(hash);
4733 *hash = EVP_MD_CTX_new();
4734 if (*hash == NULL || (md && EVP_DigestInit_ex(*hash, md, NULL) <= 0)) {
4735 EVP_MD_CTX_free(*hash);
4736 *hash = NULL;
4737 return NULL;
4738 }
4739 return *hash;
4740 }
4741
4742 void ssl_clear_hash_ctx(EVP_MD_CTX **hash)
4743 {
4744
4745 EVP_MD_CTX_free(*hash);
4746 *hash = NULL;
4747 }
4748
4749 /* Retrieve handshake hashes */
4750 int ssl_handshake_hash(SSL *s, unsigned char *out, size_t outlen,
4751 size_t *hashlen)
4752 {
4753 EVP_MD_CTX *ctx = NULL;
4754 EVP_MD_CTX *hdgst = s->s3.handshake_dgst;
4755 int hashleni = EVP_MD_CTX_size(hdgst);
4756 int ret = 0;
4757
4758 if (hashleni < 0 || (size_t)hashleni > outlen) {
4759 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_HANDSHAKE_HASH,
4760 ERR_R_INTERNAL_ERROR);
4761 goto err;
4762 }
4763
4764 ctx = EVP_MD_CTX_new();
4765 if (ctx == NULL)
4766 goto err;
4767
4768 if (!EVP_MD_CTX_copy_ex(ctx, hdgst)
4769 || EVP_DigestFinal_ex(ctx, out, NULL) <= 0) {
4770 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_HANDSHAKE_HASH,
4771 ERR_R_INTERNAL_ERROR);
4772 goto err;
4773 }
4774
4775 *hashlen = hashleni;
4776
4777 ret = 1;
4778 err:
4779 EVP_MD_CTX_free(ctx);
4780 return ret;
4781 }
4782
4783 int SSL_session_reused(const SSL *s)
4784 {
4785 return s->hit;
4786 }
4787
4788 int SSL_is_server(const SSL *s)
4789 {
4790 return s->server;
4791 }
4792
4793 #ifndef OPENSSL_NO_DEPRECATED_1_1_0
4794 void SSL_set_debug(SSL *s, int debug)
4795 {
4796 /* Old function was do-nothing anyway... */
4797 (void)s;
4798 (void)debug;
4799 }
4800 #endif
4801
4802 void SSL_set_security_level(SSL *s, int level)
4803 {
4804 s->cert->sec_level = level;
4805 }
4806
4807 int SSL_get_security_level(const SSL *s)
4808 {
4809 return s->cert->sec_level;
4810 }
4811
4812 void SSL_set_security_callback(SSL *s,
4813 int (*cb) (const SSL *s, const SSL_CTX *ctx,
4814 int op, int bits, int nid,
4815 void *other, void *ex))
4816 {
4817 s->cert->sec_cb = cb;
4818 }
4819
4820 int (*SSL_get_security_callback(const SSL *s)) (const SSL *s,
4821 const SSL_CTX *ctx, int op,
4822 int bits, int nid, void *other,
4823 void *ex) {
4824 return s->cert->sec_cb;
4825 }
4826
4827 void SSL_set0_security_ex_data(SSL *s, void *ex)
4828 {
4829 s->cert->sec_ex = ex;
4830 }
4831
4832 void *SSL_get0_security_ex_data(const SSL *s)
4833 {
4834 return s->cert->sec_ex;
4835 }
4836
4837 void SSL_CTX_set_security_level(SSL_CTX *ctx, int level)
4838 {
4839 ctx->cert->sec_level = level;
4840 }
4841
4842 int SSL_CTX_get_security_level(const SSL_CTX *ctx)
4843 {
4844 return ctx->cert->sec_level;
4845 }
4846
4847 void SSL_CTX_set_security_callback(SSL_CTX *ctx,
4848 int (*cb) (const SSL *s, const SSL_CTX *ctx,
4849 int op, int bits, int nid,
4850 void *other, void *ex))
4851 {
4852 ctx->cert->sec_cb = cb;
4853 }
4854
4855 int (*SSL_CTX_get_security_callback(const SSL_CTX *ctx)) (const SSL *s,
4856 const SSL_CTX *ctx,
4857 int op, int bits,
4858 int nid,
4859 void *other,
4860 void *ex) {
4861 return ctx->cert->sec_cb;
4862 }
4863
4864 void SSL_CTX_set0_security_ex_data(SSL_CTX *ctx, void *ex)
4865 {
4866 ctx->cert->sec_ex = ex;
4867 }
4868
4869 void *SSL_CTX_get0_security_ex_data(const SSL_CTX *ctx)
4870 {
4871 return ctx->cert->sec_ex;
4872 }
4873
4874 /*
4875 * Get/Set/Clear options in SSL_CTX or SSL, formerly macros, now functions that
4876 * can return unsigned long, instead of the generic long return value from the
4877 * control interface.
4878 */
4879 unsigned long SSL_CTX_get_options(const SSL_CTX *ctx)
4880 {
4881 return ctx->options;
4882 }
4883
4884 unsigned long SSL_get_options(const SSL *s)
4885 {
4886 return s->options;
4887 }
4888
4889 unsigned long SSL_CTX_set_options(SSL_CTX *ctx, unsigned long op)
4890 {
4891 return ctx->options |= op;
4892 }
4893
4894 unsigned long SSL_set_options(SSL *s, unsigned long op)
4895 {
4896 return s->options |= op;
4897 }
4898
4899 unsigned long SSL_CTX_clear_options(SSL_CTX *ctx, unsigned long op)
4900 {
4901 return ctx->options &= ~op;
4902 }
4903
4904 unsigned long SSL_clear_options(SSL *s, unsigned long op)
4905 {
4906 return s->options &= ~op;
4907 }
4908
4909 STACK_OF(X509) *SSL_get0_verified_chain(const SSL *s)
4910 {
4911 return s->verified_chain;
4912 }
4913
4914 IMPLEMENT_OBJ_BSEARCH_GLOBAL_CMP_FN(SSL_CIPHER, SSL_CIPHER, ssl_cipher_id);
4915
4916 #ifndef OPENSSL_NO_CT
4917
4918 /*
4919 * Moves SCTs from the |src| stack to the |dst| stack.
4920 * The source of each SCT will be set to |origin|.
4921 * If |dst| points to a NULL pointer, a new stack will be created and owned by
4922 * the caller.
4923 * Returns the number of SCTs moved, or a negative integer if an error occurs.
4924 */
4925 static int ct_move_scts(STACK_OF(SCT) **dst, STACK_OF(SCT) *src,
4926 sct_source_t origin)
4927 {
4928 int scts_moved = 0;
4929 SCT *sct = NULL;
4930
4931 if (*dst == NULL) {
4932 *dst = sk_SCT_new_null();
4933 if (*dst == NULL) {
4934 SSLerr(SSL_F_CT_MOVE_SCTS, ERR_R_MALLOC_FAILURE);
4935 goto err;
4936 }
4937 }
4938
4939 while ((sct = sk_SCT_pop(src)) != NULL) {
4940 if (SCT_set_source(sct, origin) != 1)
4941 goto err;
4942
4943 if (sk_SCT_push(*dst, sct) <= 0)
4944 goto err;
4945 scts_moved += 1;
4946 }
4947
4948 return scts_moved;
4949 err:
4950 if (sct != NULL)
4951 sk_SCT_push(src, sct); /* Put the SCT back */
4952 return -1;
4953 }
4954
4955 /*
4956 * Look for data collected during ServerHello and parse if found.
4957 * Returns the number of SCTs extracted.
4958 */
4959 static int ct_extract_tls_extension_scts(SSL *s)
4960 {
4961 int scts_extracted = 0;
4962
4963 if (s->ext.scts != NULL) {
4964 const unsigned char *p = s->ext.scts;
4965 STACK_OF(SCT) *scts = o2i_SCT_LIST(NULL, &p, s->ext.scts_len);
4966
4967 scts_extracted = ct_move_scts(&s->scts, scts, SCT_SOURCE_TLS_EXTENSION);
4968
4969 SCT_LIST_free(scts);
4970 }
4971
4972 return scts_extracted;
4973 }
4974
4975 /*
4976 * Checks for an OCSP response and then attempts to extract any SCTs found if it
4977 * contains an SCT X509 extension. They will be stored in |s->scts|.
4978 * Returns:
4979 * - The number of SCTs extracted, assuming an OCSP response exists.
4980 * - 0 if no OCSP response exists or it contains no SCTs.
4981 * - A negative integer if an error occurs.
4982 */
4983 static int ct_extract_ocsp_response_scts(SSL *s)
4984 {
4985 # ifndef OPENSSL_NO_OCSP
4986 int scts_extracted = 0;
4987 const unsigned char *p;
4988 OCSP_BASICRESP *br = NULL;
4989 OCSP_RESPONSE *rsp = NULL;
4990 STACK_OF(SCT) *scts = NULL;
4991 int i;
4992
4993 if (s->ext.ocsp.resp == NULL || s->ext.ocsp.resp_len == 0)
4994 goto err;
4995
4996 p = s->ext.ocsp.resp;
4997 rsp = d2i_OCSP_RESPONSE(NULL, &p, (int)s->ext.ocsp.resp_len);
4998 if (rsp == NULL)
4999 goto err;
5000
5001 br = OCSP_response_get1_basic(rsp);
5002 if (br == NULL)
5003 goto err;
5004
5005 for (i = 0; i < OCSP_resp_count(br); ++i) {
5006 OCSP_SINGLERESP *single = OCSP_resp_get0(br, i);
5007
5008 if (single == NULL)
5009 continue;
5010
5011 scts =
5012 OCSP_SINGLERESP_get1_ext_d2i(single, NID_ct_cert_scts, NULL, NULL);
5013 scts_extracted =
5014 ct_move_scts(&s->scts, scts, SCT_SOURCE_OCSP_STAPLED_RESPONSE);
5015 if (scts_extracted < 0)
5016 goto err;
5017 }
5018 err:
5019 SCT_LIST_free(scts);
5020 OCSP_BASICRESP_free(br);
5021 OCSP_RESPONSE_free(rsp);
5022 return scts_extracted;
5023 # else
5024 /* Behave as if no OCSP response exists */
5025 return 0;
5026 # endif
5027 }
5028
5029 /*
5030 * Attempts to extract SCTs from the peer certificate.
5031 * Return the number of SCTs extracted, or a negative integer if an error
5032 * occurs.
5033 */
5034 static int ct_extract_x509v3_extension_scts(SSL *s)
5035 {
5036 int scts_extracted = 0;
5037 X509 *cert = s->session != NULL ? s->session->peer : NULL;
5038
5039 if (cert != NULL) {
5040 STACK_OF(SCT) *scts =
5041 X509_get_ext_d2i(cert, NID_ct_precert_scts, NULL, NULL);
5042
5043 scts_extracted =
5044 ct_move_scts(&s->scts, scts, SCT_SOURCE_X509V3_EXTENSION);
5045
5046 SCT_LIST_free(scts);
5047 }
5048
5049 return scts_extracted;
5050 }
5051
5052 /*
5053 * Attempts to find all received SCTs by checking TLS extensions, the OCSP
5054 * response (if it exists) and X509v3 extensions in the certificate.
5055 * Returns NULL if an error occurs.
5056 */
5057 const STACK_OF(SCT) *SSL_get0_peer_scts(SSL *s)
5058 {
5059 if (!s->scts_parsed) {
5060 if (ct_extract_tls_extension_scts(s) < 0 ||
5061 ct_extract_ocsp_response_scts(s) < 0 ||
5062 ct_extract_x509v3_extension_scts(s) < 0)
5063 goto err;
5064
5065 s->scts_parsed = 1;
5066 }
5067 return s->scts;
5068 err:
5069 return NULL;
5070 }
5071
5072 static int ct_permissive(const CT_POLICY_EVAL_CTX * ctx,
5073 const STACK_OF(SCT) *scts, void *unused_arg)
5074 {
5075 return 1;
5076 }
5077
5078 static int ct_strict(const CT_POLICY_EVAL_CTX * ctx,
5079 const STACK_OF(SCT) *scts, void *unused_arg)
5080 {
5081 int count = scts != NULL ? sk_SCT_num(scts) : 0;
5082 int i;
5083
5084 for (i = 0; i < count; ++i) {
5085 SCT *sct = sk_SCT_value(scts, i);
5086 int status = SCT_get_validation_status(sct);
5087
5088 if (status == SCT_VALIDATION_STATUS_VALID)
5089 return 1;
5090 }
5091 SSLerr(SSL_F_CT_STRICT, SSL_R_NO_VALID_SCTS);
5092 return 0;
5093 }
5094
5095 int SSL_set_ct_validation_callback(SSL *s, ssl_ct_validation_cb callback,
5096 void *arg)
5097 {
5098 /*
5099 * Since code exists that uses the custom extension handler for CT, look
5100 * for this and throw an error if they have already registered to use CT.
5101 */
5102 if (callback != NULL && SSL_CTX_has_client_custom_ext(s->ctx,
5103 TLSEXT_TYPE_signed_certificate_timestamp))
5104 {
5105 SSLerr(SSL_F_SSL_SET_CT_VALIDATION_CALLBACK,
5106 SSL_R_CUSTOM_EXT_HANDLER_ALREADY_INSTALLED);
5107 return 0;
5108 }
5109
5110 if (callback != NULL) {
5111 /*
5112 * If we are validating CT, then we MUST accept SCTs served via OCSP
5113 */
5114 if (!SSL_set_tlsext_status_type(s, TLSEXT_STATUSTYPE_ocsp))
5115 return 0;
5116 }
5117
5118 s->ct_validation_callback = callback;
5119 s->ct_validation_callback_arg = arg;
5120
5121 return 1;
5122 }
5123
5124 int SSL_CTX_set_ct_validation_callback(SSL_CTX *ctx,
5125 ssl_ct_validation_cb callback, void *arg)
5126 {
5127 /*
5128 * Since code exists that uses the custom extension handler for CT, look for
5129 * this and throw an error if they have already registered to use CT.
5130 */
5131 if (callback != NULL && SSL_CTX_has_client_custom_ext(ctx,
5132 TLSEXT_TYPE_signed_certificate_timestamp))
5133 {
5134 SSLerr(SSL_F_SSL_CTX_SET_CT_VALIDATION_CALLBACK,
5135 SSL_R_CUSTOM_EXT_HANDLER_ALREADY_INSTALLED);
5136 return 0;
5137 }
5138
5139 ctx->ct_validation_callback = callback;
5140 ctx->ct_validation_callback_arg = arg;
5141 return 1;
5142 }
5143
5144 int SSL_ct_is_enabled(const SSL *s)
5145 {
5146 return s->ct_validation_callback != NULL;
5147 }
5148
5149 int SSL_CTX_ct_is_enabled(const SSL_CTX *ctx)
5150 {
5151 return ctx->ct_validation_callback != NULL;
5152 }
5153
5154 int ssl_validate_ct(SSL *s)
5155 {
5156 int ret = 0;
5157 X509 *cert = s->session != NULL ? s->session->peer : NULL;
5158 X509 *issuer;
5159 SSL_DANE *dane = &s->dane;
5160 CT_POLICY_EVAL_CTX *ctx = NULL;
5161 const STACK_OF(SCT) *scts;
5162
5163 /*
5164 * If no callback is set, the peer is anonymous, or its chain is invalid,
5165 * skip SCT validation - just return success. Applications that continue
5166 * handshakes without certificates, with unverified chains, or pinned leaf
5167 * certificates are outside the scope of the WebPKI and CT.
5168 *
5169 * The above exclusions notwithstanding the vast majority of peers will
5170 * have rather ordinary certificate chains validated by typical
5171 * applications that perform certificate verification and therefore will
5172 * process SCTs when enabled.
5173 */
5174 if (s->ct_validation_callback == NULL || cert == NULL ||
5175 s->verify_result != X509_V_OK ||
5176 s->verified_chain == NULL || sk_X509_num(s->verified_chain) <= 1)
5177 return 1;
5178
5179 /*
5180 * CT not applicable for chains validated via DANE-TA(2) or DANE-EE(3)
5181 * trust-anchors. See https://tools.ietf.org/html/rfc7671#section-4.2
5182 */
5183 if (DANETLS_ENABLED(dane) && dane->mtlsa != NULL) {
5184 switch (dane->mtlsa->usage) {
5185 case DANETLS_USAGE_DANE_TA:
5186 case DANETLS_USAGE_DANE_EE:
5187 return 1;
5188 }
5189 }
5190
5191 ctx = CT_POLICY_EVAL_CTX_new_with_libctx(s->ctx->libctx, s->ctx->propq);
5192 if (ctx == NULL) {
5193 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_VALIDATE_CT,
5194 ERR_R_MALLOC_FAILURE);
5195 goto end;
5196 }
5197
5198 issuer = sk_X509_value(s->verified_chain, 1);
5199 CT_POLICY_EVAL_CTX_set1_cert(ctx, cert);
5200 CT_POLICY_EVAL_CTX_set1_issuer(ctx, issuer);
5201 CT_POLICY_EVAL_CTX_set_shared_CTLOG_STORE(ctx, s->ctx->ctlog_store);
5202 CT_POLICY_EVAL_CTX_set_time(
5203 ctx, (uint64_t)SSL_SESSION_get_time(SSL_get0_session(s)) * 1000);
5204
5205 scts = SSL_get0_peer_scts(s);
5206
5207 /*
5208 * This function returns success (> 0) only when all the SCTs are valid, 0
5209 * when some are invalid, and < 0 on various internal errors (out of
5210 * memory, etc.). Having some, or even all, invalid SCTs is not sufficient
5211 * reason to abort the handshake, that decision is up to the callback.
5212 * Therefore, we error out only in the unexpected case that the return
5213 * value is negative.
5214 *
5215 * XXX: One might well argue that the return value of this function is an
5216 * unfortunate design choice. Its job is only to determine the validation
5217 * status of each of the provided SCTs. So long as it correctly separates
5218 * the wheat from the chaff it should return success. Failure in this case
5219 * ought to correspond to an inability to carry out its duties.
5220 */
5221 if (SCT_LIST_validate(scts, ctx) < 0) {
5222 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_SSL_VALIDATE_CT,
5223 SSL_R_SCT_VERIFICATION_FAILED);
5224 goto end;
5225 }
5226
5227 ret = s->ct_validation_callback(ctx, scts, s->ct_validation_callback_arg);
5228 if (ret < 0)
5229 ret = 0; /* This function returns 0 on failure */
5230 if (!ret)
5231 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_SSL_VALIDATE_CT,
5232 SSL_R_CALLBACK_FAILED);
5233
5234 end:
5235 CT_POLICY_EVAL_CTX_free(ctx);
5236 /*
5237 * With SSL_VERIFY_NONE the session may be cached and re-used despite a
5238 * failure return code here. Also the application may wish the complete
5239 * the handshake, and then disconnect cleanly at a higher layer, after
5240 * checking the verification status of the completed connection.
5241 *
5242 * We therefore force a certificate verification failure which will be
5243 * visible via SSL_get_verify_result() and cached as part of any resumed
5244 * session.
5245 *
5246 * Note: the permissive callback is for information gathering only, always
5247 * returns success, and does not affect verification status. Only the
5248 * strict callback or a custom application-specified callback can trigger
5249 * connection failure or record a verification error.
5250 */
5251 if (ret <= 0)
5252 s->verify_result = X509_V_ERR_NO_VALID_SCTS;
5253 return ret;
5254 }
5255
5256 int SSL_CTX_enable_ct(SSL_CTX *ctx, int validation_mode)
5257 {
5258 switch (validation_mode) {
5259 default:
5260 SSLerr(SSL_F_SSL_CTX_ENABLE_CT, SSL_R_INVALID_CT_VALIDATION_TYPE);
5261 return 0;
5262 case SSL_CT_VALIDATION_PERMISSIVE:
5263 return SSL_CTX_set_ct_validation_callback(ctx, ct_permissive, NULL);
5264 case SSL_CT_VALIDATION_STRICT:
5265 return SSL_CTX_set_ct_validation_callback(ctx, ct_strict, NULL);
5266 }
5267 }
5268
5269 int SSL_enable_ct(SSL *s, int validation_mode)
5270 {
5271 switch (validation_mode) {
5272 default:
5273 SSLerr(SSL_F_SSL_ENABLE_CT, SSL_R_INVALID_CT_VALIDATION_TYPE);
5274 return 0;
5275 case SSL_CT_VALIDATION_PERMISSIVE:
5276 return SSL_set_ct_validation_callback(s, ct_permissive, NULL);
5277 case SSL_CT_VALIDATION_STRICT:
5278 return SSL_set_ct_validation_callback(s, ct_strict, NULL);
5279 }
5280 }
5281
5282 int SSL_CTX_set_default_ctlog_list_file(SSL_CTX *ctx)
5283 {
5284 return CTLOG_STORE_load_default_file(ctx->ctlog_store);
5285 }
5286
5287 int SSL_CTX_set_ctlog_list_file(SSL_CTX *ctx, const char *path)
5288 {
5289 return CTLOG_STORE_load_file(ctx->ctlog_store, path);
5290 }
5291
5292 void SSL_CTX_set0_ctlog_store(SSL_CTX *ctx, CTLOG_STORE * logs)
5293 {
5294 CTLOG_STORE_free(ctx->ctlog_store);
5295 ctx->ctlog_store = logs;
5296 }
5297
5298 const CTLOG_STORE *SSL_CTX_get0_ctlog_store(const SSL_CTX *ctx)
5299 {
5300 return ctx->ctlog_store;
5301 }
5302
5303 #endif /* OPENSSL_NO_CT */
5304
5305 void SSL_CTX_set_client_hello_cb(SSL_CTX *c, SSL_client_hello_cb_fn cb,
5306 void *arg)
5307 {
5308 c->client_hello_cb = cb;
5309 c->client_hello_cb_arg = arg;
5310 }
5311
5312 int SSL_client_hello_isv2(SSL *s)
5313 {
5314 if (s->clienthello == NULL)
5315 return 0;
5316 return s->clienthello->isv2;
5317 }
5318
5319 unsigned int SSL_client_hello_get0_legacy_version(SSL *s)
5320 {
5321 if (s->clienthello == NULL)
5322 return 0;
5323 return s->clienthello->legacy_version;
5324 }
5325
5326 size_t SSL_client_hello_get0_random(SSL *s, const unsigned char **out)
5327 {
5328 if (s->clienthello == NULL)
5329 return 0;
5330 if (out != NULL)
5331 *out = s->clienthello->random;
5332 return SSL3_RANDOM_SIZE;
5333 }
5334
5335 size_t SSL_client_hello_get0_session_id(SSL *s, const unsigned char **out)
5336 {
5337 if (s->clienthello == NULL)
5338 return 0;
5339 if (out != NULL)
5340 *out = s->clienthello->session_id;
5341 return s->clienthello->session_id_len;
5342 }
5343
5344 size_t SSL_client_hello_get0_ciphers(SSL *s, const unsigned char **out)
5345 {
5346 if (s->clienthello == NULL)
5347 return 0;
5348 if (out != NULL)
5349 *out = PACKET_data(&s->clienthello->ciphersuites);
5350 return PACKET_remaining(&s->clienthello->ciphersuites);
5351 }
5352
5353 size_t SSL_client_hello_get0_compression_methods(SSL *s, const unsigned char **out)
5354 {
5355 if (s->clienthello == NULL)
5356 return 0;
5357 if (out != NULL)
5358 *out = s->clienthello->compressions;
5359 return s->clienthello->compressions_len;
5360 }
5361
5362 int SSL_client_hello_get1_extensions_present(SSL *s, int **out, size_t *outlen)
5363 {
5364 RAW_EXTENSION *ext;
5365 int *present;
5366 size_t num = 0, i;
5367
5368 if (s->clienthello == NULL || out == NULL || outlen == NULL)
5369 return 0;
5370 for (i = 0; i < s->clienthello->pre_proc_exts_len; i++) {
5371 ext = s->clienthello->pre_proc_exts + i;
5372 if (ext->present)
5373 num++;
5374 }
5375 if (num == 0) {
5376 *out = NULL;
5377 *outlen = 0;
5378 return 1;
5379 }
5380 if ((present = OPENSSL_malloc(sizeof(*present) * num)) == NULL) {
5381 SSLerr(SSL_F_SSL_CLIENT_HELLO_GET1_EXTENSIONS_PRESENT,
5382 ERR_R_MALLOC_FAILURE);
5383 return 0;
5384 }
5385 for (i = 0; i < s->clienthello->pre_proc_exts_len; i++) {
5386 ext = s->clienthello->pre_proc_exts + i;
5387 if (ext->present) {
5388 if (ext->received_order >= num)
5389 goto err;
5390 present[ext->received_order] = ext->type;
5391 }
5392 }
5393 *out = present;
5394 *outlen = num;
5395 return 1;
5396 err:
5397 OPENSSL_free(present);
5398 return 0;
5399 }
5400
5401 int SSL_client_hello_get0_ext(SSL *s, unsigned int type, const unsigned char **out,
5402 size_t *outlen)
5403 {
5404 size_t i;
5405 RAW_EXTENSION *r;
5406
5407 if (s->clienthello == NULL)
5408 return 0;
5409 for (i = 0; i < s->clienthello->pre_proc_exts_len; ++i) {
5410 r = s->clienthello->pre_proc_exts + i;
5411 if (r->present && r->type == type) {
5412 if (out != NULL)
5413 *out = PACKET_data(&r->data);
5414 if (outlen != NULL)
5415 *outlen = PACKET_remaining(&r->data);
5416 return 1;
5417 }
5418 }
5419 return 0;
5420 }
5421
5422 int SSL_free_buffers(SSL *ssl)
5423 {
5424 RECORD_LAYER *rl = &ssl->rlayer;
5425
5426 if (RECORD_LAYER_read_pending(rl) || RECORD_LAYER_write_pending(rl))
5427 return 0;
5428
5429 RECORD_LAYER_release(rl);
5430 return 1;
5431 }
5432
5433 int SSL_alloc_buffers(SSL *ssl)
5434 {
5435 return ssl3_setup_buffers(ssl);
5436 }
5437
5438 void SSL_CTX_set_keylog_callback(SSL_CTX *ctx, SSL_CTX_keylog_cb_func cb)
5439 {
5440 ctx->keylog_callback = cb;
5441 }
5442
5443 SSL_CTX_keylog_cb_func SSL_CTX_get_keylog_callback(const SSL_CTX *ctx)
5444 {
5445 return ctx->keylog_callback;
5446 }
5447
5448 static int nss_keylog_int(const char *prefix,
5449 SSL *ssl,
5450 const uint8_t *parameter_1,
5451 size_t parameter_1_len,
5452 const uint8_t *parameter_2,
5453 size_t parameter_2_len)
5454 {
5455 char *out = NULL;
5456 char *cursor = NULL;
5457 size_t out_len = 0;
5458 size_t i;
5459 size_t prefix_len;
5460
5461 if (ssl->ctx->keylog_callback == NULL)
5462 return 1;
5463
5464 /*
5465 * Our output buffer will contain the following strings, rendered with
5466 * space characters in between, terminated by a NULL character: first the
5467 * prefix, then the first parameter, then the second parameter. The
5468 * meaning of each parameter depends on the specific key material being
5469 * logged. Note that the first and second parameters are encoded in
5470 * hexadecimal, so we need a buffer that is twice their lengths.
5471 */
5472 prefix_len = strlen(prefix);
5473 out_len = prefix_len + (2 * parameter_1_len) + (2 * parameter_2_len) + 3;
5474 if ((out = cursor = OPENSSL_malloc(out_len)) == NULL) {
5475 SSLfatal(ssl, SSL_AD_INTERNAL_ERROR, SSL_F_NSS_KEYLOG_INT,
5476 ERR_R_MALLOC_FAILURE);
5477 return 0;
5478 }
5479
5480 strcpy(cursor, prefix);
5481 cursor += prefix_len;
5482 *cursor++ = ' ';
5483
5484 for (i = 0; i < parameter_1_len; i++) {
5485 sprintf(cursor, "%02x", parameter_1[i]);
5486 cursor += 2;
5487 }
5488 *cursor++ = ' ';
5489
5490 for (i = 0; i < parameter_2_len; i++) {
5491 sprintf(cursor, "%02x", parameter_2[i]);
5492 cursor += 2;
5493 }
5494 *cursor = '\0';
5495
5496 ssl->ctx->keylog_callback(ssl, (const char *)out);
5497 OPENSSL_clear_free(out, out_len);
5498 return 1;
5499
5500 }
5501
5502 int ssl_log_rsa_client_key_exchange(SSL *ssl,
5503 const uint8_t *encrypted_premaster,
5504 size_t encrypted_premaster_len,
5505 const uint8_t *premaster,
5506 size_t premaster_len)
5507 {
5508 if (encrypted_premaster_len < 8) {
5509 SSLfatal(ssl, SSL_AD_INTERNAL_ERROR,
5510 SSL_F_SSL_LOG_RSA_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
5511 return 0;
5512 }
5513
5514 /* We only want the first 8 bytes of the encrypted premaster as a tag. */
5515 return nss_keylog_int("RSA",
5516 ssl,
5517 encrypted_premaster,
5518 8,
5519 premaster,
5520 premaster_len);
5521 }
5522
5523 int ssl_log_secret(SSL *ssl,
5524 const char *label,
5525 const uint8_t *secret,
5526 size_t secret_len)
5527 {
5528 return nss_keylog_int(label,
5529 ssl,
5530 ssl->s3.client_random,
5531 SSL3_RANDOM_SIZE,
5532 secret,
5533 secret_len);
5534 }
5535
5536 #define SSLV2_CIPHER_LEN 3
5537
5538 int ssl_cache_cipherlist(SSL *s, PACKET *cipher_suites, int sslv2format)
5539 {
5540 int n;
5541
5542 n = sslv2format ? SSLV2_CIPHER_LEN : TLS_CIPHER_LEN;
5543
5544 if (PACKET_remaining(cipher_suites) == 0) {
5545 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_SSL_CACHE_CIPHERLIST,
5546 SSL_R_NO_CIPHERS_SPECIFIED);
5547 return 0;
5548 }
5549
5550 if (PACKET_remaining(cipher_suites) % n != 0) {
5551 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_SSL_CACHE_CIPHERLIST,
5552 SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST);
5553 return 0;
5554 }
5555
5556 OPENSSL_free(s->s3.tmp.ciphers_raw);
5557 s->s3.tmp.ciphers_raw = NULL;
5558 s->s3.tmp.ciphers_rawlen = 0;
5559
5560 if (sslv2format) {
5561 size_t numciphers = PACKET_remaining(cipher_suites) / n;
5562 PACKET sslv2ciphers = *cipher_suites;
5563 unsigned int leadbyte;
5564 unsigned char *raw;
5565
5566 /*
5567 * We store the raw ciphers list in SSLv3+ format so we need to do some
5568 * preprocessing to convert the list first. If there are any SSLv2 only
5569 * ciphersuites with a non-zero leading byte then we are going to
5570 * slightly over allocate because we won't store those. But that isn't a
5571 * problem.
5572 */
5573 raw = OPENSSL_malloc(numciphers * TLS_CIPHER_LEN);
5574 s->s3.tmp.ciphers_raw = raw;
5575 if (raw == NULL) {
5576 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_CACHE_CIPHERLIST,
5577 ERR_R_MALLOC_FAILURE);
5578 return 0;
5579 }
5580 for (s->s3.tmp.ciphers_rawlen = 0;
5581 PACKET_remaining(&sslv2ciphers) > 0;
5582 raw += TLS_CIPHER_LEN) {
5583 if (!PACKET_get_1(&sslv2ciphers, &leadbyte)
5584 || (leadbyte == 0
5585 && !PACKET_copy_bytes(&sslv2ciphers, raw,
5586 TLS_CIPHER_LEN))
5587 || (leadbyte != 0
5588 && !PACKET_forward(&sslv2ciphers, TLS_CIPHER_LEN))) {
5589 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_SSL_CACHE_CIPHERLIST,
5590 SSL_R_BAD_PACKET);
5591 OPENSSL_free(s->s3.tmp.ciphers_raw);
5592 s->s3.tmp.ciphers_raw = NULL;
5593 s->s3.tmp.ciphers_rawlen = 0;
5594 return 0;
5595 }
5596 if (leadbyte == 0)
5597 s->s3.tmp.ciphers_rawlen += TLS_CIPHER_LEN;
5598 }
5599 } else if (!PACKET_memdup(cipher_suites, &s->s3.tmp.ciphers_raw,
5600 &s->s3.tmp.ciphers_rawlen)) {
5601 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_CACHE_CIPHERLIST,
5602 ERR_R_INTERNAL_ERROR);
5603 return 0;
5604 }
5605 return 1;
5606 }
5607
5608 int SSL_bytes_to_cipher_list(SSL *s, const unsigned char *bytes, size_t len,
5609 int isv2format, STACK_OF(SSL_CIPHER) **sk,
5610 STACK_OF(SSL_CIPHER) **scsvs)
5611 {
5612 PACKET pkt;
5613
5614 if (!PACKET_buf_init(&pkt, bytes, len))
5615 return 0;
5616 return bytes_to_cipher_list(s, &pkt, sk, scsvs, isv2format, 0);
5617 }
5618
5619 int bytes_to_cipher_list(SSL *s, PACKET *cipher_suites,
5620 STACK_OF(SSL_CIPHER) **skp,
5621 STACK_OF(SSL_CIPHER) **scsvs_out,
5622 int sslv2format, int fatal)
5623 {
5624 const SSL_CIPHER *c;
5625 STACK_OF(SSL_CIPHER) *sk = NULL;
5626 STACK_OF(SSL_CIPHER) *scsvs = NULL;
5627 int n;
5628 /* 3 = SSLV2_CIPHER_LEN > TLS_CIPHER_LEN = 2. */
5629 unsigned char cipher[SSLV2_CIPHER_LEN];
5630
5631 n = sslv2format ? SSLV2_CIPHER_LEN : TLS_CIPHER_LEN;
5632
5633 if (PACKET_remaining(cipher_suites) == 0) {
5634 if (fatal)
5635 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_BYTES_TO_CIPHER_LIST,
5636 SSL_R_NO_CIPHERS_SPECIFIED);
5637 else
5638 SSLerr(SSL_F_BYTES_TO_CIPHER_LIST, SSL_R_NO_CIPHERS_SPECIFIED);
5639 return 0;
5640 }
5641
5642 if (PACKET_remaining(cipher_suites) % n != 0) {
5643 if (fatal)
5644 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_BYTES_TO_CIPHER_LIST,
5645 SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST);
5646 else
5647 SSLerr(SSL_F_BYTES_TO_CIPHER_LIST,
5648 SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST);
5649 return 0;
5650 }
5651
5652 sk = sk_SSL_CIPHER_new_null();
5653 scsvs = sk_SSL_CIPHER_new_null();
5654 if (sk == NULL || scsvs == NULL) {
5655 if (fatal)
5656 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_BYTES_TO_CIPHER_LIST,
5657 ERR_R_MALLOC_FAILURE);
5658 else
5659 SSLerr(SSL_F_BYTES_TO_CIPHER_LIST, ERR_R_MALLOC_FAILURE);
5660 goto err;
5661 }
5662
5663 while (PACKET_copy_bytes(cipher_suites, cipher, n)) {
5664 /*
5665 * SSLv3 ciphers wrapped in an SSLv2-compatible ClientHello have the
5666 * first byte set to zero, while true SSLv2 ciphers have a non-zero
5667 * first byte. We don't support any true SSLv2 ciphers, so skip them.
5668 */
5669 if (sslv2format && cipher[0] != '\0')
5670 continue;
5671
5672 /* For SSLv2-compat, ignore leading 0-byte. */
5673 c = ssl_get_cipher_by_char(s, sslv2format ? &cipher[1] : cipher, 1);
5674 if (c != NULL) {
5675 if ((c->valid && !sk_SSL_CIPHER_push(sk, c)) ||
5676 (!c->valid && !sk_SSL_CIPHER_push(scsvs, c))) {
5677 if (fatal)
5678 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
5679 SSL_F_BYTES_TO_CIPHER_LIST, ERR_R_MALLOC_FAILURE);
5680 else
5681 SSLerr(SSL_F_BYTES_TO_CIPHER_LIST, ERR_R_MALLOC_FAILURE);
5682 goto err;
5683 }
5684 }
5685 }
5686 if (PACKET_remaining(cipher_suites) > 0) {
5687 if (fatal)
5688 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_BYTES_TO_CIPHER_LIST,
5689 SSL_R_BAD_LENGTH);
5690 else
5691 SSLerr(SSL_F_BYTES_TO_CIPHER_LIST, SSL_R_BAD_LENGTH);
5692 goto err;
5693 }
5694
5695 if (skp != NULL)
5696 *skp = sk;
5697 else
5698 sk_SSL_CIPHER_free(sk);
5699 if (scsvs_out != NULL)
5700 *scsvs_out = scsvs;
5701 else
5702 sk_SSL_CIPHER_free(scsvs);
5703 return 1;
5704 err:
5705 sk_SSL_CIPHER_free(sk);
5706 sk_SSL_CIPHER_free(scsvs);
5707 return 0;
5708 }
5709
5710 int SSL_CTX_set_max_early_data(SSL_CTX *ctx, uint32_t max_early_data)
5711 {
5712 ctx->max_early_data = max_early_data;
5713
5714 return 1;
5715 }
5716
5717 uint32_t SSL_CTX_get_max_early_data(const SSL_CTX *ctx)
5718 {
5719 return ctx->max_early_data;
5720 }
5721
5722 int SSL_set_max_early_data(SSL *s, uint32_t max_early_data)
5723 {
5724 s->max_early_data = max_early_data;
5725
5726 return 1;
5727 }
5728
5729 uint32_t SSL_get_max_early_data(const SSL *s)
5730 {
5731 return s->max_early_data;
5732 }
5733
5734 int SSL_CTX_set_recv_max_early_data(SSL_CTX *ctx, uint32_t recv_max_early_data)
5735 {
5736 ctx->recv_max_early_data = recv_max_early_data;
5737
5738 return 1;
5739 }
5740
5741 uint32_t SSL_CTX_get_recv_max_early_data(const SSL_CTX *ctx)
5742 {
5743 return ctx->recv_max_early_data;
5744 }
5745
5746 int SSL_set_recv_max_early_data(SSL *s, uint32_t recv_max_early_data)
5747 {
5748 s->recv_max_early_data = recv_max_early_data;
5749
5750 return 1;
5751 }
5752
5753 uint32_t SSL_get_recv_max_early_data(const SSL *s)
5754 {
5755 return s->recv_max_early_data;
5756 }
5757
5758 __owur unsigned int ssl_get_max_send_fragment(const SSL *ssl)
5759 {
5760 /* Return any active Max Fragment Len extension */
5761 if (ssl->session != NULL && USE_MAX_FRAGMENT_LENGTH_EXT(ssl->session))
5762 return GET_MAX_FRAGMENT_LENGTH(ssl->session);
5763
5764 /* return current SSL connection setting */
5765 return ssl->max_send_fragment;
5766 }
5767
5768 __owur unsigned int ssl_get_split_send_fragment(const SSL *ssl)
5769 {
5770 /* Return a value regarding an active Max Fragment Len extension */
5771 if (ssl->session != NULL && USE_MAX_FRAGMENT_LENGTH_EXT(ssl->session)
5772 && ssl->split_send_fragment > GET_MAX_FRAGMENT_LENGTH(ssl->session))
5773 return GET_MAX_FRAGMENT_LENGTH(ssl->session);
5774
5775 /* else limit |split_send_fragment| to current |max_send_fragment| */
5776 if (ssl->split_send_fragment > ssl->max_send_fragment)
5777 return ssl->max_send_fragment;
5778
5779 /* return current SSL connection setting */
5780 return ssl->split_send_fragment;
5781 }
5782
5783 int SSL_stateless(SSL *s)
5784 {
5785 int ret;
5786
5787 /* Ensure there is no state left over from a previous invocation */
5788 if (!SSL_clear(s))
5789 return 0;
5790
5791 ERR_clear_error();
5792
5793 s->s3.flags |= TLS1_FLAGS_STATELESS;
5794 ret = SSL_accept(s);
5795 s->s3.flags &= ~TLS1_FLAGS_STATELESS;
5796
5797 if (ret > 0 && s->ext.cookieok)
5798 return 1;
5799
5800 if (s->hello_retry_request == SSL_HRR_PENDING && !ossl_statem_in_error(s))
5801 return 0;
5802
5803 return -1;
5804 }
5805
5806 void SSL_CTX_set_post_handshake_auth(SSL_CTX *ctx, int val)
5807 {
5808 ctx->pha_enabled = val;
5809 }
5810
5811 void SSL_set_post_handshake_auth(SSL *ssl, int val)
5812 {
5813 ssl->pha_enabled = val;
5814 }
5815
5816 int SSL_verify_client_post_handshake(SSL *ssl)
5817 {
5818 if (!SSL_IS_TLS13(ssl)) {
5819 SSLerr(SSL_F_SSL_VERIFY_CLIENT_POST_HANDSHAKE, SSL_R_WRONG_SSL_VERSION);
5820 return 0;
5821 }
5822 if (!ssl->server) {
5823 SSLerr(SSL_F_SSL_VERIFY_CLIENT_POST_HANDSHAKE, SSL_R_NOT_SERVER);
5824 return 0;
5825 }
5826
5827 if (!SSL_is_init_finished(ssl)) {
5828 SSLerr(SSL_F_SSL_VERIFY_CLIENT_POST_HANDSHAKE, SSL_R_STILL_IN_INIT);
5829 return 0;
5830 }
5831
5832 switch (ssl->post_handshake_auth) {
5833 case SSL_PHA_NONE:
5834 SSLerr(SSL_F_SSL_VERIFY_CLIENT_POST_HANDSHAKE, SSL_R_EXTENSION_NOT_RECEIVED);
5835 return 0;
5836 default:
5837 case SSL_PHA_EXT_SENT:
5838 SSLerr(SSL_F_SSL_VERIFY_CLIENT_POST_HANDSHAKE, ERR_R_INTERNAL_ERROR);
5839 return 0;
5840 case SSL_PHA_EXT_RECEIVED:
5841 break;
5842 case SSL_PHA_REQUEST_PENDING:
5843 SSLerr(SSL_F_SSL_VERIFY_CLIENT_POST_HANDSHAKE, SSL_R_REQUEST_PENDING);
5844 return 0;
5845 case SSL_PHA_REQUESTED:
5846 SSLerr(SSL_F_SSL_VERIFY_CLIENT_POST_HANDSHAKE, SSL_R_REQUEST_SENT);
5847 return 0;
5848 }
5849
5850 ssl->post_handshake_auth = SSL_PHA_REQUEST_PENDING;
5851
5852 /* checks verify_mode and algorithm_auth */
5853 if (!send_certificate_request(ssl)) {
5854 ssl->post_handshake_auth = SSL_PHA_EXT_RECEIVED; /* restore on error */
5855 SSLerr(SSL_F_SSL_VERIFY_CLIENT_POST_HANDSHAKE, SSL_R_INVALID_CONFIG);
5856 return 0;
5857 }
5858
5859 ossl_statem_set_in_init(ssl, 1);
5860 return 1;
5861 }
5862
5863 int SSL_CTX_set_session_ticket_cb(SSL_CTX *ctx,
5864 SSL_CTX_generate_session_ticket_fn gen_cb,
5865 SSL_CTX_decrypt_session_ticket_fn dec_cb,
5866 void *arg)
5867 {
5868 ctx->generate_ticket_cb = gen_cb;
5869 ctx->decrypt_ticket_cb = dec_cb;
5870 ctx->ticket_cb_data = arg;
5871 return 1;
5872 }
5873
5874 void SSL_CTX_set_allow_early_data_cb(SSL_CTX *ctx,
5875 SSL_allow_early_data_cb_fn cb,
5876 void *arg)
5877 {
5878 ctx->allow_early_data_cb = cb;
5879 ctx->allow_early_data_cb_data = arg;
5880 }
5881
5882 void SSL_set_allow_early_data_cb(SSL *s,
5883 SSL_allow_early_data_cb_fn cb,
5884 void *arg)
5885 {
5886 s->allow_early_data_cb = cb;
5887 s->allow_early_data_cb_data = arg;
5888 }
5889
5890 const EVP_CIPHER *ssl_evp_cipher_fetch(OPENSSL_CTX *libctx,
5891 int nid,
5892 const char *properties)
5893 {
5894 EVP_CIPHER *ciph;
5895
5896 #ifndef OPENSSL_NO_ENGINE
5897 ENGINE *eng;
5898
5899 /*
5900 * If there is an Engine available for this cipher we use the "implicit"
5901 * form to ensure we use that engine later.
5902 */
5903 eng = ENGINE_get_cipher_engine(nid);
5904 if (eng != NULL) {
5905 ENGINE_finish(eng);
5906 return EVP_get_cipherbynid(nid);
5907 }
5908 #endif
5909
5910 /* Otherwise we do an explicit fetch. This may fail and that could be ok */
5911 ERR_set_mark();
5912 ciph = EVP_CIPHER_fetch(libctx, OBJ_nid2sn(nid), properties);
5913 ERR_pop_to_mark();
5914 return ciph;
5915 }
5916
5917
5918 int ssl_evp_cipher_up_ref(const EVP_CIPHER *cipher)
5919 {
5920 /* Don't up-ref an implicit EVP_CIPHER */
5921 if (EVP_CIPHER_provider(cipher) == NULL)
5922 return 1;
5923
5924 /*
5925 * The cipher was explicitly fetched and therefore it is safe to cast
5926 * away the const
5927 */
5928 return EVP_CIPHER_up_ref((EVP_CIPHER *)cipher);
5929 }
5930
5931 void ssl_evp_cipher_free(const EVP_CIPHER *cipher)
5932 {
5933 if (cipher == NULL)
5934 return;
5935
5936 if (EVP_CIPHER_provider(cipher) != NULL) {
5937 /*
5938 * The cipher was explicitly fetched and therefore it is safe to cast
5939 * away the const
5940 */
5941 EVP_CIPHER_free((EVP_CIPHER *)cipher);
5942 }
5943 }
5944
5945 const EVP_MD *ssl_evp_md_fetch(OPENSSL_CTX *libctx,
5946 int nid,
5947 const char *properties)
5948 {
5949 EVP_MD *md;
5950
5951 #ifndef OPENSSL_NO_ENGINE
5952 ENGINE *eng;
5953
5954 /*
5955 * If there is an Engine available for this digest we use the "implicit"
5956 * form to ensure we use that engine later.
5957 */
5958 eng = ENGINE_get_digest_engine(nid);
5959 if (eng != NULL) {
5960 ENGINE_finish(eng);
5961 return EVP_get_digestbynid(nid);
5962 }
5963 #endif
5964
5965 /* Otherwise we do an explicit fetch */
5966 ERR_set_mark();
5967 md = EVP_MD_fetch(libctx, OBJ_nid2sn(nid), properties);
5968 ERR_pop_to_mark();
5969 return md;
5970 }
5971
5972 int ssl_evp_md_up_ref(const EVP_MD *md)
5973 {
5974 /* Don't up-ref an implicit EVP_MD */
5975 if (EVP_MD_provider(md) == NULL)
5976 return 1;
5977
5978 /*
5979 * The digest was explicitly fetched and therefore it is safe to cast
5980 * away the const
5981 */
5982 return EVP_MD_up_ref((EVP_MD *)md);
5983 }
5984
5985 void ssl_evp_md_free(const EVP_MD *md)
5986 {
5987 if (md == NULL)
5988 return;
5989
5990 if (EVP_MD_provider(md) != NULL) {
5991 /*
5992 * The digest was explicitly fetched and therefore it is safe to cast
5993 * away the const
5994 */
5995 EVP_MD_free((EVP_MD *)md);
5996 }
5997 }
A mirror of the official openssl repository