return ssl_undefined_function(SSL_CONNECTION_GET_SSL(sc));
}
-SSL3_ENC_METHOD ssl3_undef_enc_method = {
+const SSL3_ENC_METHOD ssl3_undef_enc_method = {
ssl_undefined_function_8,
ssl_undefined_function_3,
ssl_undefined_function_4,
case DANETLS_SELECTOR_CERT:
if (!d2i_X509(&cert, &p, ilen) || p < data ||
dlen != (size_t)(p - data)) {
+ X509_free(cert);
tlsa_free(t);
ERR_raise(ERR_LIB_SSL, SSL_R_DANE_TLSA_BAD_CERTIFICATE);
return 0;
}
if (X509_get0_pubkey(cert) == NULL) {
+ X509_free(cert);
tlsa_free(t);
ERR_raise(ERR_LIB_SSL, SSL_R_DANE_TLSA_BAD_CERTIFICATE);
return 0;
}
if ((DANETLS_USAGE_BIT(usage) & DANETLS_TA_MASK) == 0) {
+ /*
+ * The Full(0) certificate decodes to a seemingly valid X.509
+ * object with a plausible key, so the TLSA record is well
+ * formed. However, we don't actually need the certificate for
+ * usages PKIX-EE(1) or DANE-EE(3), because at least the EE
+ * certificate is always presented by the peer. We discard the
+ * certificate, and just use the TLSA data as an opaque blob
+ * for matching the raw presented DER octets.
+ *
+ * DO NOT FREE `t` here, it will be added to the TLSA record
+ * list below!
+ */
X509_free(cert);
break;
}
case DANETLS_SELECTOR_SPKI:
if (!d2i_PUBKEY(&pkey, &p, ilen) || p < data ||
dlen != (size_t)(p - data)) {
+ EVP_PKEY_free(pkey);
tlsa_free(t);
ERR_raise(ERR_LIB_SSL, SSL_R_DANE_TLSA_BAD_PUBLIC_KEY);
return 0;
void OPENSSL_VPROC_FUNC(void) {}
#endif
-static int clear_record_layer(SSL_CONNECTION *s)
-{
- int ret;
-
- /* We try and reset both record layers even if one fails */
-
- ret = ssl_set_new_record_layer(s,
- SSL_CONNECTION_IS_DTLS(s) ? DTLS_ANY_VERSION
- : TLS_ANY_VERSION,
- OSSL_RECORD_DIRECTION_READ,
- OSSL_RECORD_PROTECTION_LEVEL_NONE, NULL, 0,
- NULL, 0, NULL, 0, NULL, 0, NULL, 0,
- NID_undef, NULL, NULL, NULL);
-
- ret &= ssl_set_new_record_layer(s,
- SSL_CONNECTION_IS_DTLS(s) ? DTLS_ANY_VERSION
- : TLS_ANY_VERSION,
- OSSL_RECORD_DIRECTION_WRITE,
- OSSL_RECORD_PROTECTION_LEVEL_NONE, NULL, 0,
- NULL, 0, NULL, 0, NULL, 0, NULL, 0,
- NID_undef, NULL, NULL, NULL);
-
- /* SSLfatal already called in the event of failure */
- return ret;
-}
-
int SSL_clear(SSL *s)
{
if (s->method == NULL) {
return 0;
}
- RECORD_LAYER_clear(&sc->rlayer);
- BIO_free(sc->rlayer.rrlnext);
- sc->rlayer.rrlnext = NULL;
-
- if (!clear_record_layer(sc))
+ if (!RECORD_LAYER_reset(&sc->rlayer))
return 0;
return 1;
/* Ignore return value */
ssl_free_wbio_buffer(s);
+ /* Ignore return value */
RECORD_LAYER_clear(&s->rlayer);
BUF_MEM_free(s->init_buf);
return ret;
}
-int ssl_write_internal(SSL *s, const void *buf, size_t num, size_t *written)
+int ssl_write_internal(SSL *s, const void *buf, size_t num,
+ uint64_t flags, size_t *written)
{
SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
#ifndef OPENSSL_NO_QUIC
if (IS_QUIC(s))
- return s->method->ssl_write(s, buf, num, written);
+ return ossl_quic_write_flags(s, buf, num, flags, written);
#endif
if (sc == NULL)
return -1;
}
+ if (flags != 0) {
+ ERR_raise(ERR_LIB_SSL, SSL_R_UNSUPPORTED_WRITE_FLAG);
+ return -1;
+ }
+
if (sc->early_data_state == SSL_EARLY_DATA_CONNECT_RETRY
|| sc->early_data_state == SSL_EARLY_DATA_ACCEPT_RETRY
|| sc->early_data_state == SSL_EARLY_DATA_READ_RETRY) {
return -1;
}
- ret = ssl_write_internal(s, buf, (size_t)num, &written);
+ ret = ssl_write_internal(s, buf, (size_t)num, 0, &written);
/*
* The cast is safe here because ret should be <= INT_MAX because num is
int SSL_write_ex(SSL *s, const void *buf, size_t num, size_t *written)
{
- int ret = ssl_write_internal(s, buf, num, written);
+ return SSL_write_ex2(s, buf, num, 0, written);
+}
+
+int SSL_write_ex2(SSL *s, const void *buf, size_t num, uint64_t flags,
+ size_t *written)
+{
+ int ret = ssl_write_internal(s, buf, num, flags, written);
if (ret < 0)
ret = 0;
long l;
SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
+ if (sc == NULL)
+ return 0;
+
/*
* Routing of ctrl calls for QUIC is a little counterintuitive:
*
if (sk_SSL_CIPHER_find(srvrsk, c) < 0)
continue;
- n = strlen(c->name);
- if (n + 1 > size) {
+ n = OPENSSL_strnlen(c->name, size);
+ if (n >= size) {
if (p != buf)
--p;
*p = '\0';
return buf;
}
- strcpy(p, c->name);
+ memcpy(p, c->name, n);
p += n;
*(p++) = ':';
size -= n + 1;
#endif
OPENSSL_free(a->propq);
+#ifndef OPENSSL_NO_QLOG
+ OPENSSL_free(a->qlog_title);
+#endif
OPENSSL_free(a);
}
ossl_statem_clear(sc);
sc->handshake_func = s->method->ssl_accept;
/* Ignore return value. Its a void public API function */
- clear_record_layer(sc);
+ RECORD_LAYER_reset(&sc->rlayer);
}
void SSL_set_connect_state(SSL *s)
ossl_statem_clear(sc);
sc->handshake_func = s->method->ssl_connect;
/* Ignore return value. Its a void public API function */
- clear_record_layer(sc);
+ RECORD_LAYER_reset(&sc->rlayer);
}
int ssl_undefined_function(SSL *s)
return 0;
}
-const SSL_METHOD *ssl_bad_method(int ver)
-{
- ERR_raise(ERR_LIB_SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
- return NULL;
-}
-
const char *ssl_protocol_to_string(int version)
{
switch (version)
{
SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL_ONLY(s);
- /* TODO(QUIC): Currently not supported for QUIC. */
+ /* Not supported with QUIC */
if (sc == NULL)
return;
{
const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL_ONLY(s);
- /* TODO(QUIC): Currently not supported for QUIC. */
+ /* Not supported with QUIC */
if (sc == NULL)
return 0;
{
SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL_ONLY(s);
- /* TODO(QUIC): Do we want this for QUIC? */
+ /* Not supported with QUIC */
if (sc == NULL)
return;
{
const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL_ONLY(s);
- /* TODO(QUIC): Do we want this for QUIC? */
+#ifndef OPENSSL_NO_QUIC
+ /* QUIC: Just indicate whether the connection was shutdown cleanly. */
+ if (IS_QUIC(s))
+ return ossl_quic_get_shutdown(s);
+#endif
+
if (sc == NULL)
return 0;
/* Ignore return value */
sc->rlayer.rrlmethod->set_options(sc->rlayer.rrl, options);
+ sc->rlayer.wrlmethod->set_options(sc->rlayer.wrl, options);
return sc->options;
}
uint64_t SSL_clear_options(SSL *s, uint64_t op)
{
SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
+ OSSL_PARAM options[2], *opts = options;
#ifndef OPENSSL_NO_QUIC
if (IS_QUIC(s))
if (sc == NULL)
return 0;
- return sc->options &= ~op;
+ sc->options &= ~op;
+
+ *opts++ = OSSL_PARAM_construct_uint64(OSSL_LIBSSL_RECORD_LAYER_PARAM_OPTIONS,
+ &sc->options);
+ *opts = OSSL_PARAM_construct_end();
+
+ /* Ignore return value */
+ sc->rlayer.rrlmethod->set_options(sc->rlayer.rrl, options);
+ sc->rlayer.wrlmethod->set_options(sc->rlayer.wrl, options);
+
+ return sc->options;
}
STACK_OF(X509) *SSL_get0_verified_chain(const SSL *s)
* If |dst| points to a NULL pointer, a new stack will be created and owned by
* the caller.
* Returns the number of SCTs moved, or a negative integer if an error occurs.
+ * The |dst| stack is created and possibly partially populated even in case
+ * of error, likewise the |src| stack may be left in an intermediate state.
*/
static int ct_move_scts(STACK_OF(SCT) **dst, STACK_OF(SCT) *src,
sct_source_t origin)
if (SCT_set_source(sct, origin) != 1)
goto err;
- if (sk_SCT_push(*dst, sct) <= 0)
+ if (!sk_SCT_push(*dst, sct))
goto err;
scts_moved += 1;
}
return scts_moved;
err:
- if (sct != NULL)
- sk_SCT_push(src, sct); /* Put the SCT back */
+ SCT_free(sct);
return -1;
}
int SSL_get_rpoll_descriptor(SSL *s, BIO_POLL_DESCRIPTOR *desc)
{
-#ifndef OPENSSL_NO_QUIC
- if (!IS_QUIC(s))
- return -1;
+ SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
- return ossl_quic_get_rpoll_descriptor(s, desc);
-#else
- return -1;
+#ifndef OPENSSL_NO_QUIC
+ if (IS_QUIC(s))
+ return ossl_quic_get_rpoll_descriptor(s, desc);
#endif
+
+ if (sc == NULL || sc->rbio == NULL)
+ return 0;
+
+ return BIO_get_rpoll_descriptor(sc->rbio, desc);
}
int SSL_get_wpoll_descriptor(SSL *s, BIO_POLL_DESCRIPTOR *desc)
{
-#ifndef OPENSSL_NO_QUIC
- if (!IS_QUIC(s))
- return -1;
+ SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
- return ossl_quic_get_wpoll_descriptor(s, desc);
-#else
- return -1;
+#ifndef OPENSSL_NO_QUIC
+ if (IS_QUIC(s))
+ return ossl_quic_get_wpoll_descriptor(s, desc);
#endif
+
+ if (sc == NULL || sc->wbio == NULL)
+ return 0;
+
+ return BIO_get_wpoll_descriptor(sc->wbio, desc);
}
int SSL_net_read_desired(SSL *s)
{
#ifndef OPENSSL_NO_QUIC
if (!IS_QUIC(s))
- return 0;
+ return SSL_want_read(s);
return ossl_quic_get_net_read_desired(s);
#else
- return 0;
+ return SSL_want_read(s);
#endif
}
{
#ifndef OPENSSL_NO_QUIC
if (!IS_QUIC(s))
- return 0;
+ return SSL_want_write(s);
return ossl_quic_get_net_write_desired(s);
#else
- return 0;
+ return SSL_want_write(s);
#endif
}
#endif
}
+int SSL_get_value_uint(SSL *s, uint32_t class_, uint32_t id,
+ uint64_t *value)
+{
+ if (value == NULL) {
+ ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT);
+ return 0;
+ }
+
+#ifndef OPENSSL_NO_QUIC
+ if (IS_QUIC(s))
+ return ossl_quic_get_value_uint(s, class_, id, value);
+#endif
+
+ ERR_raise(ERR_LIB_SSL, SSL_R_UNSUPPORTED_PROTOCOL);
+ return 0;
+}
+
+int SSL_set_value_uint(SSL *s, uint32_t class_, uint32_t id,
+ uint64_t value)
+{
+#ifndef OPENSSL_NO_QUIC
+ if (IS_QUIC(s))
+ return ossl_quic_set_value_uint(s, class_, id, value);
+#endif
+
+ ERR_raise(ERR_LIB_SSL, SSL_R_UNSUPPORTED_PROTOCOL);
+ return 0;
+}
+
int SSL_add_expected_rpk(SSL *s, EVP_PKEY *rpk)
{
unsigned char *data = NULL;
projects / thirdparty / openssl.git / blobdiff