2 * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
14 #include <openssl/crypto.h>
15 #include "internal/bio.h"
16 #include <openssl/err.h>
17 #include "ssl_local.h"
19 static int ssl_write(BIO
*h
, const char *buf
, size_t size
, size_t *written
);
20 static int ssl_read(BIO
*b
, char *buf
, size_t size
, size_t *readbytes
);
21 static int ssl_puts(BIO
*h
, const char *str
);
22 static long ssl_ctrl(BIO
*h
, int cmd
, long arg1
, void *arg2
);
23 static int ssl_new(BIO
*h
);
24 static int ssl_free(BIO
*data
);
25 static long ssl_callback_ctrl(BIO
*h
, int cmd
, BIO_info_cb
*fp
);
26 typedef struct bio_ssl_st
{
27 SSL
*ssl
; /* The ssl handle :-) */
29 * Re-negotiate every time the total number of bytes is this size
30 * or when timeout expires.
31 * There is no proper support for TLS-1.3 or QUIC yet.
34 unsigned long renegotiate_count
;
36 unsigned long renegotiate_timeout
;
37 unsigned long last_time
;
40 static const BIO_METHOD methods_sslp
= {
44 NULL
, /* ssl_write_old, */
46 NULL
, /* ssl_read_old, */
55 const BIO_METHOD
*BIO_f_ssl(void)
60 static int ssl_new(BIO
*bi
)
62 BIO_SSL
*bs
= OPENSSL_zalloc(sizeof(*bs
));
69 BIO_clear_flags(bi
, ~0);
74 static int ssl_free(BIO
*a
)
81 if (BIO_get_shutdown(a
)) {
83 SSL_shutdown(bs
->ssl
);
86 BIO_clear_flags(a
, ~0); /* Clear all flags */
93 static int ssl_read(BIO
*b
, char *buf
, size_t size
, size_t *readbytes
)
103 sb
= BIO_get_data(b
);
106 BIO_clear_retry_flags(b
);
108 ret
= ssl_read_internal(ssl
, buf
, size
, readbytes
);
110 switch (SSL_get_error(ssl
, ret
)) {
112 if (sb
->renegotiate_count
> 0) {
113 sb
->byte_count
+= *readbytes
;
114 if (sb
->byte_count
> sb
->renegotiate_count
) {
116 sb
->num_renegotiates
++;
117 SSL_renegotiate(ssl
);
121 if ((sb
->renegotiate_timeout
> 0) && (!r
)) {
124 tm
= (unsigned long)time(NULL
);
125 if (tm
> sb
->last_time
+ sb
->renegotiate_timeout
) {
127 sb
->num_renegotiates
++;
128 SSL_renegotiate(ssl
);
133 case SSL_ERROR_WANT_READ
:
134 BIO_set_retry_read(b
);
136 case SSL_ERROR_WANT_WRITE
:
137 BIO_set_retry_write(b
);
139 case SSL_ERROR_WANT_X509_LOOKUP
:
140 BIO_set_retry_special(b
);
141 retry_reason
= BIO_RR_SSL_X509_LOOKUP
;
143 case SSL_ERROR_WANT_ACCEPT
:
144 BIO_set_retry_special(b
);
145 retry_reason
= BIO_RR_ACCEPT
;
147 case SSL_ERROR_WANT_CONNECT
:
148 BIO_set_retry_special(b
);
149 retry_reason
= BIO_RR_CONNECT
;
151 case SSL_ERROR_SYSCALL
:
153 case SSL_ERROR_ZERO_RETURN
:
158 BIO_set_retry_reason(b
, retry_reason
);
163 static int ssl_write(BIO
*b
, const char *buf
, size_t size
, size_t *written
)
166 int retry_reason
= 0;
172 bs
= BIO_get_data(b
);
175 BIO_clear_retry_flags(b
);
177 ret
= ssl_write_internal(ssl
, buf
, size
, 0, written
);
179 switch (SSL_get_error(ssl
, ret
)) {
181 if (bs
->renegotiate_count
> 0) {
182 bs
->byte_count
+= *written
;
183 if (bs
->byte_count
> bs
->renegotiate_count
) {
185 bs
->num_renegotiates
++;
186 SSL_renegotiate(ssl
);
190 if ((bs
->renegotiate_timeout
> 0) && (!r
)) {
193 tm
= (unsigned long)time(NULL
);
194 if (tm
> bs
->last_time
+ bs
->renegotiate_timeout
) {
196 bs
->num_renegotiates
++;
197 SSL_renegotiate(ssl
);
201 case SSL_ERROR_WANT_WRITE
:
202 BIO_set_retry_write(b
);
204 case SSL_ERROR_WANT_READ
:
205 BIO_set_retry_read(b
);
207 case SSL_ERROR_WANT_X509_LOOKUP
:
208 BIO_set_retry_special(b
);
209 retry_reason
= BIO_RR_SSL_X509_LOOKUP
;
211 case SSL_ERROR_WANT_CONNECT
:
212 BIO_set_retry_special(b
);
213 retry_reason
= BIO_RR_CONNECT
;
214 case SSL_ERROR_SYSCALL
:
220 BIO_set_retry_reason(b
, retry_reason
);
225 static long ssl_ctrl(BIO
*b
, int cmd
, long num
, void *ptr
)
232 SSL_CONNECTION
*sc
= NULL
;
234 bs
= BIO_get_data(b
);
237 if (ssl
== NULL
&& cmd
!= BIO_C_SET_SSL
)
241 /* TODO(QUIC FUTURE): Add support when SSL_clear() is supported */
242 if ((sc
= SSL_CONNECTION_FROM_SSL_ONLY(ssl
)) == NULL
)
247 if (sc
->handshake_func
== ssl
->method
->ssl_connect
)
248 SSL_set_connect_state(ssl
);
249 else if (sc
->handshake_func
== ssl
->method
->ssl_accept
)
250 SSL_set_accept_state(ssl
);
252 if (!SSL_clear(ssl
)) {
258 ret
= BIO_ctrl(next
, cmd
, num
, ptr
);
259 else if (sc
->rbio
!= NULL
)
260 ret
= BIO_ctrl(sc
->rbio
, cmd
, num
, ptr
);
268 if (num
) /* client mode */
269 SSL_set_connect_state(ssl
);
271 SSL_set_accept_state(ssl
);
273 case BIO_C_SET_SSL_RENEGOTIATE_TIMEOUT
:
274 ret
= bs
->renegotiate_timeout
;
277 bs
->renegotiate_timeout
= (unsigned long)num
;
278 bs
->last_time
= (unsigned long)time(NULL
);
280 case BIO_C_SET_SSL_RENEGOTIATE_BYTES
:
281 ret
= bs
->renegotiate_count
;
282 if ((long)num
>= 512)
283 bs
->renegotiate_count
= (unsigned long)num
;
285 case BIO_C_GET_SSL_NUM_RENEGOTIATES
:
286 ret
= bs
->num_renegotiates
;
293 bs
= BIO_get_data(b
);
295 BIO_set_shutdown(b
, num
);
298 bio
= SSL_get_rbio(ssl
);
302 BIO_set_next(b
, bio
);
314 case BIO_CTRL_GET_CLOSE
:
315 ret
= BIO_get_shutdown(b
);
317 case BIO_CTRL_SET_CLOSE
:
318 BIO_set_shutdown(b
, (int)num
);
320 case BIO_CTRL_WPENDING
:
321 ret
= BIO_ctrl(SSL_get_wbio(ssl
), cmd
, num
, ptr
);
323 case BIO_CTRL_PENDING
:
324 ret
= SSL_pending(ssl
);
326 ret
= BIO_pending(SSL_get_rbio(ssl
));
329 BIO_clear_retry_flags(b
);
330 ret
= BIO_ctrl(SSL_get_wbio(ssl
), cmd
, num
, ptr
);
331 BIO_copy_next_retry(b
);
334 if ((next
!= NULL
) && (next
!= SSL_get_rbio(ssl
))) {
336 * We are going to pass ownership of next to the SSL object...but
337 * we don't own a reference to pass yet - so up ref
340 SSL_set_bio(ssl
, next
, next
);
344 /* Only detach if we are the BIO explicitly being popped */
346 /* This will clear the reference we obtained during push */
347 SSL_set_bio(ssl
, NULL
, NULL
);
350 case BIO_C_DO_STATE_MACHINE
:
351 BIO_clear_retry_flags(b
);
353 BIO_set_retry_reason(b
, 0);
354 ret
= (int)SSL_do_handshake(ssl
);
356 switch (SSL_get_error(ssl
, (int)ret
)) {
357 case SSL_ERROR_WANT_READ
:
358 BIO_set_flags(b
, BIO_FLAGS_READ
| BIO_FLAGS_SHOULD_RETRY
);
360 case SSL_ERROR_WANT_WRITE
:
361 BIO_set_flags(b
, BIO_FLAGS_WRITE
| BIO_FLAGS_SHOULD_RETRY
);
363 case SSL_ERROR_WANT_CONNECT
:
364 BIO_set_flags(b
, BIO_FLAGS_IO_SPECIAL
| BIO_FLAGS_SHOULD_RETRY
);
365 BIO_set_retry_reason(b
, BIO_get_retry_reason(next
));
367 case SSL_ERROR_WANT_X509_LOOKUP
:
368 BIO_set_retry_special(b
);
369 BIO_set_retry_reason(b
, BIO_RR_SSL_X509_LOOKUP
);
377 dbs
= BIO_get_data(dbio
);
379 dbs
->ssl
= SSL_dup(ssl
);
380 dbs
->num_renegotiates
= bs
->num_renegotiates
;
381 dbs
->renegotiate_count
= bs
->renegotiate_count
;
382 dbs
->byte_count
= bs
->byte_count
;
383 dbs
->renegotiate_timeout
= bs
->renegotiate_timeout
;
384 dbs
->last_time
= bs
->last_time
;
385 ret
= (dbs
->ssl
!= NULL
);
388 ret
= BIO_ctrl(SSL_get_rbio(ssl
), cmd
, num
, ptr
);
390 case BIO_CTRL_SET_CALLBACK
:
391 ret
= 0; /* use callback ctrl */
393 case BIO_CTRL_GET_RPOLL_DESCRIPTOR
:
394 if (!SSL_get_rpoll_descriptor(ssl
, (BIO_POLL_DESCRIPTOR
*)ptr
))
397 case BIO_CTRL_GET_WPOLL_DESCRIPTOR
:
398 if (!SSL_get_wpoll_descriptor(ssl
, (BIO_POLL_DESCRIPTOR
*)ptr
))
402 ret
= BIO_ctrl(SSL_get_rbio(ssl
), cmd
, num
, ptr
);
408 static long ssl_callback_ctrl(BIO
*b
, int cmd
, BIO_info_cb
*fp
)
414 bs
= BIO_get_data(b
);
417 case BIO_CTRL_SET_CALLBACK
:
418 ret
= BIO_callback_ctrl(SSL_get_rbio(ssl
), cmd
, fp
);
427 static int ssl_puts(BIO
*bp
, const char *str
)
432 ret
= BIO_write(bp
, str
, n
);
436 BIO
*BIO_new_buffer_ssl_connect(SSL_CTX
*ctx
)
438 #ifndef OPENSSL_NO_SOCK
439 BIO
*ret
= NULL
, *buf
= NULL
, *ssl
= NULL
;
441 # ifndef OPENSSL_NO_QUIC
442 if (ctx
!= NULL
&& IS_QUIC_CTX(ctx
))
443 /* Never use buffering for QUIC. */
444 return BIO_new_ssl_connect(ctx
);
447 if ((buf
= BIO_new(BIO_f_buffer())) == NULL
)
449 if ((ssl
= BIO_new_ssl_connect(ctx
)) == NULL
)
451 if ((ret
= BIO_push(buf
, ssl
)) == NULL
)
461 BIO
*BIO_new_ssl_connect(SSL_CTX
*ctx
)
463 #ifndef OPENSSL_NO_SOCK
464 BIO
*ret
= NULL
, *con
= NULL
, *ssl
= NULL
;
466 if ((con
= BIO_new(BIO_s_connect())) == NULL
)
469 # ifndef OPENSSL_NO_QUIC
470 if (ctx
!= NULL
&& IS_QUIC_CTX(ctx
))
471 if (!BIO_set_sock_type(con
, SOCK_DGRAM
))
475 if ((ssl
= BIO_new_ssl(ctx
, 1)) == NULL
)
477 if ((ret
= BIO_push(ssl
, con
)) == NULL
)
487 BIO
*BIO_new_ssl(SSL_CTX
*ctx
, int client
)
492 if ((ret
= BIO_new(BIO_f_ssl())) == NULL
)
494 if ((ssl
= SSL_new(ctx
)) == NULL
) {
499 SSL_set_connect_state(ssl
);
501 SSL_set_accept_state(ssl
);
503 BIO_set_ssl(ret
, ssl
, BIO_CLOSE
);
507 int BIO_ssl_copy_session_id(BIO
*t
, BIO
*f
)
509 BIO_SSL
*tdata
, *fdata
;
510 t
= BIO_find_type(t
, BIO_TYPE_SSL
);
511 f
= BIO_find_type(f
, BIO_TYPE_SSL
);
512 if ((t
== NULL
) || (f
== NULL
))
514 tdata
= BIO_get_data(t
);
515 fdata
= BIO_get_data(f
);
516 if ((tdata
->ssl
== NULL
) || (fdata
->ssl
== NULL
))
518 if (!SSL_copy_session_id(tdata
->ssl
, (fdata
->ssl
)))
523 void BIO_ssl_shutdown(BIO
*b
)
527 for (; b
!= NULL
; b
= BIO_next(b
)) {
528 if (BIO_method_type(b
) != BIO_TYPE_SSL
)
530 bdata
= BIO_get_data(b
);
531 if (bdata
!= NULL
&& bdata
->ssl
!= NULL
)
532 SSL_shutdown(bdata
->ssl
);