]> git.ipfire.org Git - thirdparty/openssl.git/blob - ssl/ssl_lib.c
projects / thirdparty / openssl.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Ensure various SSL options are passed down to the record layer
[thirdparty/openssl.git] / ssl / ssl_lib.c
1 /*
2 * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
3 * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
4 * Copyright 2005 Nokia. All rights reserved.
5 *
6 * Licensed under the Apache License 2.0 (the "License"). You may not use
7 * this file except in compliance with the License. You can obtain a copy
8 * in the file LICENSE in the source distribution or at
9 * https://www.openssl.org/source/license.html
10 */
11
12 #include <stdio.h>
13 #include "ssl_local.h"
14 #include "internal/e_os.h"
15 #include <openssl/objects.h>
16 #include <openssl/x509v3.h>
17 #include <openssl/rand.h>
18 #include <openssl/ocsp.h>
19 #include <openssl/dh.h>
20 #include <openssl/engine.h>
21 #include <openssl/async.h>
22 #include <openssl/ct.h>
23 #include <openssl/trace.h>
24 #include "internal/cryptlib.h"
25 #include "internal/refcount.h"
26 #include "internal/ktls.h"
27
28 static int ssl_undefined_function_1(SSL_CONNECTION *sc, SSL3_RECORD *r, size_t s,
29 int t, SSL_MAC_BUF *mac, size_t macsize)
30 {
31 return ssl_undefined_function(SSL_CONNECTION_GET_SSL(sc));
32 }
33
34 static int ssl_undefined_function_2(SSL_CONNECTION *sc, SSL3_RECORD *r,
35 unsigned char *s, int t)
36 {
37 return ssl_undefined_function(SSL_CONNECTION_GET_SSL(sc));
38 }
39
40 static int ssl_undefined_function_3(SSL_CONNECTION *sc, unsigned char *r,
41 unsigned char *s, size_t t, size_t *u)
42 {
43 return ssl_undefined_function(SSL_CONNECTION_GET_SSL(sc));
44 }
45
46 static int ssl_undefined_function_4(SSL_CONNECTION *sc, int r)
47 {
48 return ssl_undefined_function(SSL_CONNECTION_GET_SSL(sc));
49 }
50
51 static size_t ssl_undefined_function_5(SSL_CONNECTION *sc, const char *r,
52 size_t s, unsigned char *t)
53 {
54 return ssl_undefined_function(SSL_CONNECTION_GET_SSL(sc));
55 }
56
57 static int ssl_undefined_function_6(int r)
58 {
59 return ssl_undefined_function(NULL);
60 }
61
62 static int ssl_undefined_function_7(SSL_CONNECTION *sc, unsigned char *r,
63 size_t s, const char *t, size_t u,
64 const unsigned char *v, size_t w, int x)
65 {
66 return ssl_undefined_function(SSL_CONNECTION_GET_SSL(sc));
67 }
68
69 static int ssl_undefined_function_8(SSL_CONNECTION *sc)
70 {
71 return ssl_undefined_function(SSL_CONNECTION_GET_SSL(sc));
72 }
73
74 SSL3_ENC_METHOD ssl3_undef_enc_method = {
75 ssl_undefined_function_1,
76 ssl_undefined_function_2,
77 ssl_undefined_function_8,
78 ssl_undefined_function_3,
79 ssl_undefined_function_4,
80 ssl_undefined_function_5,
81 NULL, /* client_finished_label */
82 0, /* client_finished_label_len */
83 NULL, /* server_finished_label */
84 0, /* server_finished_label_len */
85 ssl_undefined_function_6,
86 ssl_undefined_function_7,
87 };
88
89 struct ssl_async_args {
90 SSL *s;
91 void *buf;
92 size_t num;
93 enum { READFUNC, WRITEFUNC, OTHERFUNC } type;
94 union {
95 int (*func_read) (SSL *, void *, size_t, size_t *);
96 int (*func_write) (SSL *, const void *, size_t, size_t *);
97 int (*func_other) (SSL *);
98 } f;
99 };
100
101 static const struct {
102 uint8_t mtype;
103 uint8_t ord;
104 int nid;
105 } dane_mds[] = {
106 {
107 DANETLS_MATCHING_FULL, 0, NID_undef
108 },
109 {
110 DANETLS_MATCHING_2256, 1, NID_sha256
111 },
112 {
113 DANETLS_MATCHING_2512, 2, NID_sha512
114 },
115 };
116
117 static int dane_ctx_enable(struct dane_ctx_st *dctx)
118 {
119 const EVP_MD **mdevp;
120 uint8_t *mdord;
121 uint8_t mdmax = DANETLS_MATCHING_LAST;
122 int n = ((int)mdmax) + 1; /* int to handle PrivMatch(255) */
123 size_t i;
124
125 if (dctx->mdevp != NULL)
126 return 1;
127
128 mdevp = OPENSSL_zalloc(n * sizeof(*mdevp));
129 mdord = OPENSSL_zalloc(n * sizeof(*mdord));
130
131 if (mdord == NULL || mdevp == NULL) {
132 OPENSSL_free(mdord);
133 OPENSSL_free(mdevp);
134 ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE);
135 return 0;
136 }
137
138 /* Install default entries */
139 for (i = 0; i < OSSL_NELEM(dane_mds); ++i) {
140 const EVP_MD *md;
141
142 if (dane_mds[i].nid == NID_undef ||
143 (md = EVP_get_digestbynid(dane_mds[i].nid)) == NULL)
144 continue;
145 mdevp[dane_mds[i].mtype] = md;
146 mdord[dane_mds[i].mtype] = dane_mds[i].ord;
147 }
148
149 dctx->mdevp = mdevp;
150 dctx->mdord = mdord;
151 dctx->mdmax = mdmax;
152
153 return 1;
154 }
155
156 static void dane_ctx_final(struct dane_ctx_st *dctx)
157 {
158 OPENSSL_free(dctx->mdevp);
159 dctx->mdevp = NULL;
160
161 OPENSSL_free(dctx->mdord);
162 dctx->mdord = NULL;
163 dctx->mdmax = 0;
164 }
165
166 static void tlsa_free(danetls_record *t)
167 {
168 if (t == NULL)
169 return;
170 OPENSSL_free(t->data);
171 EVP_PKEY_free(t->spki);
172 OPENSSL_free(t);
173 }
174
175 static void dane_final(SSL_DANE *dane)
176 {
177 sk_danetls_record_pop_free(dane->trecs, tlsa_free);
178 dane->trecs = NULL;
179
180 OSSL_STACK_OF_X509_free(dane->certs);
181 dane->certs = NULL;
182
183 X509_free(dane->mcert);
184 dane->mcert = NULL;
185 dane->mtlsa = NULL;
186 dane->mdpth = -1;
187 dane->pdpth = -1;
188 }
189
190 /*
191 * dane_copy - Copy dane configuration, sans verification state.
192 */
193 static int ssl_dane_dup(SSL_CONNECTION *to, SSL_CONNECTION *from)
194 {
195 int num;
196 int i;
197
198 if (!DANETLS_ENABLED(&from->dane))
199 return 1;
200
201 num = sk_danetls_record_num(from->dane.trecs);
202 dane_final(&to->dane);
203 to->dane.flags = from->dane.flags;
204 to->dane.dctx = &SSL_CONNECTION_GET_CTX(to)->dane;
205 to->dane.trecs = sk_danetls_record_new_reserve(NULL, num);
206
207 if (to->dane.trecs == NULL) {
208 ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE);
209 return 0;
210 }
211
212 for (i = 0; i < num; ++i) {
213 danetls_record *t = sk_danetls_record_value(from->dane.trecs, i);
214
215 if (SSL_dane_tlsa_add(SSL_CONNECTION_GET_SSL(to), t->usage,
216 t->selector, t->mtype, t->data, t->dlen) <= 0)
217 return 0;
218 }
219 return 1;
220 }
221
222 static int dane_mtype_set(struct dane_ctx_st *dctx,
223 const EVP_MD *md, uint8_t mtype, uint8_t ord)
224 {
225 int i;
226
227 if (mtype == DANETLS_MATCHING_FULL && md != NULL) {
228 ERR_raise(ERR_LIB_SSL, SSL_R_DANE_CANNOT_OVERRIDE_MTYPE_FULL);
229 return 0;
230 }
231
232 if (mtype > dctx->mdmax) {
233 const EVP_MD **mdevp;
234 uint8_t *mdord;
235 int n = ((int)mtype) + 1;
236
237 mdevp = OPENSSL_realloc(dctx->mdevp, n * sizeof(*mdevp));
238 if (mdevp == NULL) {
239 ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE);
240 return -1;
241 }
242 dctx->mdevp = mdevp;
243
244 mdord = OPENSSL_realloc(dctx->mdord, n * sizeof(*mdord));
245 if (mdord == NULL) {
246 ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE);
247 return -1;
248 }
249 dctx->mdord = mdord;
250
251 /* Zero-fill any gaps */
252 for (i = dctx->mdmax + 1; i < mtype; ++i) {
253 mdevp[i] = NULL;
254 mdord[i] = 0;
255 }
256
257 dctx->mdmax = mtype;
258 }
259
260 dctx->mdevp[mtype] = md;
261 /* Coerce ordinal of disabled matching types to 0 */
262 dctx->mdord[mtype] = (md == NULL) ? 0 : ord;
263
264 return 1;
265 }
266
267 static const EVP_MD *tlsa_md_get(SSL_DANE *dane, uint8_t mtype)
268 {
269 if (mtype > dane->dctx->mdmax)
270 return NULL;
271 return dane->dctx->mdevp[mtype];
272 }
273
274 static int dane_tlsa_add(SSL_DANE *dane,
275 uint8_t usage,
276 uint8_t selector,
277 uint8_t mtype, const unsigned char *data, size_t dlen)
278 {
279 danetls_record *t;
280 const EVP_MD *md = NULL;
281 int ilen = (int)dlen;
282 int i;
283 int num;
284
285 if (dane->trecs == NULL) {
286 ERR_raise(ERR_LIB_SSL, SSL_R_DANE_NOT_ENABLED);
287 return -1;
288 }
289
290 if (ilen < 0 || dlen != (size_t)ilen) {
291 ERR_raise(ERR_LIB_SSL, SSL_R_DANE_TLSA_BAD_DATA_LENGTH);
292 return 0;
293 }
294
295 if (usage > DANETLS_USAGE_LAST) {
296 ERR_raise(ERR_LIB_SSL, SSL_R_DANE_TLSA_BAD_CERTIFICATE_USAGE);
297 return 0;
298 }
299
300 if (selector > DANETLS_SELECTOR_LAST) {
301 ERR_raise(ERR_LIB_SSL, SSL_R_DANE_TLSA_BAD_SELECTOR);
302 return 0;
303 }
304
305 if (mtype != DANETLS_MATCHING_FULL) {
306 md = tlsa_md_get(dane, mtype);
307 if (md == NULL) {
308 ERR_raise(ERR_LIB_SSL, SSL_R_DANE_TLSA_BAD_MATCHING_TYPE);
309 return 0;
310 }
311 }
312
313 if (md != NULL && dlen != (size_t)EVP_MD_get_size(md)) {
314 ERR_raise(ERR_LIB_SSL, SSL_R_DANE_TLSA_BAD_DIGEST_LENGTH);
315 return 0;
316 }
317 if (!data) {
318 ERR_raise(ERR_LIB_SSL, SSL_R_DANE_TLSA_NULL_DATA);
319 return 0;
320 }
321
322 if ((t = OPENSSL_zalloc(sizeof(*t))) == NULL) {
323 ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE);
324 return -1;
325 }
326
327 t->usage = usage;
328 t->selector = selector;
329 t->mtype = mtype;
330 t->data = OPENSSL_malloc(dlen);
331 if (t->data == NULL) {
332 tlsa_free(t);
333 ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE);
334 return -1;
335 }
336 memcpy(t->data, data, dlen);
337 t->dlen = dlen;
338
339 /* Validate and cache full certificate or public key */
340 if (mtype == DANETLS_MATCHING_FULL) {
341 const unsigned char *p = data;
342 X509 *cert = NULL;
343 EVP_PKEY *pkey = NULL;
344
345 switch (selector) {
346 case DANETLS_SELECTOR_CERT:
347 if (!d2i_X509(&cert, &p, ilen) || p < data ||
348 dlen != (size_t)(p - data)) {
349 tlsa_free(t);
350 ERR_raise(ERR_LIB_SSL, SSL_R_DANE_TLSA_BAD_CERTIFICATE);
351 return 0;
352 }
353 if (X509_get0_pubkey(cert) == NULL) {
354 tlsa_free(t);
355 ERR_raise(ERR_LIB_SSL, SSL_R_DANE_TLSA_BAD_CERTIFICATE);
356 return 0;
357 }
358
359 if ((DANETLS_USAGE_BIT(usage) & DANETLS_TA_MASK) == 0) {
360 X509_free(cert);
361 break;
362 }
363
364 /*
365 * For usage DANE-TA(2), we support authentication via "2 0 0" TLSA
366 * records that contain full certificates of trust-anchors that are
367 * not present in the wire chain. For usage PKIX-TA(0), we augment
368 * the chain with untrusted Full(0) certificates from DNS, in case
369 * they are missing from the chain.
370 */
371 if ((dane->certs == NULL &&
372 (dane->certs = sk_X509_new_null()) == NULL) ||
373 !sk_X509_push(dane->certs, cert)) {
374 ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE);
375 X509_free(cert);
376 tlsa_free(t);
377 return -1;
378 }
379 break;
380
381 case DANETLS_SELECTOR_SPKI:
382 if (!d2i_PUBKEY(&pkey, &p, ilen) || p < data ||
383 dlen != (size_t)(p - data)) {
384 tlsa_free(t);
385 ERR_raise(ERR_LIB_SSL, SSL_R_DANE_TLSA_BAD_PUBLIC_KEY);
386 return 0;
387 }
388
389 /*
390 * For usage DANE-TA(2), we support authentication via "2 1 0" TLSA
391 * records that contain full bare keys of trust-anchors that are
392 * not present in the wire chain.
393 */
394 if (usage == DANETLS_USAGE_DANE_TA)
395 t->spki = pkey;
396 else
397 EVP_PKEY_free(pkey);
398 break;
399 }
400 }
401
402 /*-
403 * Find the right insertion point for the new record.
404 *
405 * See crypto/x509/x509_vfy.c. We sort DANE-EE(3) records first, so that
406 * they can be processed first, as they require no chain building, and no
407 * expiration or hostname checks. Because DANE-EE(3) is numerically
408 * largest, this is accomplished via descending sort by "usage".
409 *
410 * We also sort in descending order by matching ordinal to simplify
411 * the implementation of digest agility in the verification code.
412 *
413 * The choice of order for the selector is not significant, so we
414 * use the same descending order for consistency.
415 */
416 num = sk_danetls_record_num(dane->trecs);
417 for (i = 0; i < num; ++i) {
418 danetls_record *rec = sk_danetls_record_value(dane->trecs, i);
419
420 if (rec->usage > usage)
421 continue;
422 if (rec->usage < usage)
423 break;
424 if (rec->selector > selector)
425 continue;
426 if (rec->selector < selector)
427 break;
428 if (dane->dctx->mdord[rec->mtype] > dane->dctx->mdord[mtype])
429 continue;
430 break;
431 }
432
433 if (!sk_danetls_record_insert(dane->trecs, t, i)) {
434 tlsa_free(t);
435 ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE);
436 return -1;
437 }
438 dane->umask |= DANETLS_USAGE_BIT(usage);
439
440 return 1;
441 }
442
443 /*
444 * Return 0 if there is only one version configured and it was disabled
445 * at configure time. Return 1 otherwise.
446 */
447 static int ssl_check_allowed_versions(int min_version, int max_version)
448 {
449 int minisdtls = 0, maxisdtls = 0;
450
451 /* Figure out if we're doing DTLS versions or TLS versions */
452 if (min_version == DTLS1_BAD_VER
453 || min_version >> 8 == DTLS1_VERSION_MAJOR)
454 minisdtls = 1;
455 if (max_version == DTLS1_BAD_VER
456 || max_version >> 8 == DTLS1_VERSION_MAJOR)
457 maxisdtls = 1;
458 /* A wildcard version of 0 could be DTLS or TLS. */
459 if ((minisdtls && !maxisdtls && max_version != 0)
460 || (maxisdtls && !minisdtls && min_version != 0)) {
461 /* Mixing DTLS and TLS versions will lead to sadness; deny it. */
462 return 0;
463 }
464
465 if (minisdtls || maxisdtls) {
466 /* Do DTLS version checks. */
467 if (min_version == 0)
468 /* Ignore DTLS1_BAD_VER */
469 min_version = DTLS1_VERSION;
470 if (max_version == 0)
471 max_version = DTLS1_2_VERSION;
472 #ifdef OPENSSL_NO_DTLS1_2
473 if (max_version == DTLS1_2_VERSION)
474 max_version = DTLS1_VERSION;
475 #endif
476 #ifdef OPENSSL_NO_DTLS1
477 if (min_version == DTLS1_VERSION)
478 min_version = DTLS1_2_VERSION;
479 #endif
480 /* Done massaging versions; do the check. */
481 if (0
482 #ifdef OPENSSL_NO_DTLS1
483 || (DTLS_VERSION_GE(min_version, DTLS1_VERSION)
484 && DTLS_VERSION_GE(DTLS1_VERSION, max_version))
485 #endif
486 #ifdef OPENSSL_NO_DTLS1_2
487 || (DTLS_VERSION_GE(min_version, DTLS1_2_VERSION)
488 && DTLS_VERSION_GE(DTLS1_2_VERSION, max_version))
489 #endif
490 )
491 return 0;
492 } else {
493 /* Regular TLS version checks. */
494 if (min_version == 0)
495 min_version = SSL3_VERSION;
496 if (max_version == 0)
497 max_version = TLS1_3_VERSION;
498 #ifdef OPENSSL_NO_TLS1_3
499 if (max_version == TLS1_3_VERSION)
500 max_version = TLS1_2_VERSION;
501 #endif
502 #ifdef OPENSSL_NO_TLS1_2
503 if (max_version == TLS1_2_VERSION)
504 max_version = TLS1_1_VERSION;
505 #endif
506 #ifdef OPENSSL_NO_TLS1_1
507 if (max_version == TLS1_1_VERSION)
508 max_version = TLS1_VERSION;
509 #endif
510 #ifdef OPENSSL_NO_TLS1
511 if (max_version == TLS1_VERSION)
512 max_version = SSL3_VERSION;
513 #endif
514 #ifdef OPENSSL_NO_SSL3
515 if (min_version == SSL3_VERSION)
516 min_version = TLS1_VERSION;
517 #endif
518 #ifdef OPENSSL_NO_TLS1
519 if (min_version == TLS1_VERSION)
520 min_version = TLS1_1_VERSION;
521 #endif
522 #ifdef OPENSSL_NO_TLS1_1
523 if (min_version == TLS1_1_VERSION)
524 min_version = TLS1_2_VERSION;
525 #endif
526 #ifdef OPENSSL_NO_TLS1_2
527 if (min_version == TLS1_2_VERSION)
528 min_version = TLS1_3_VERSION;
529 #endif
530 /* Done massaging versions; do the check. */
531 if (0
532 #ifdef OPENSSL_NO_SSL3
533 || (min_version <= SSL3_VERSION && SSL3_VERSION <= max_version)
534 #endif
535 #ifdef OPENSSL_NO_TLS1
536 || (min_version <= TLS1_VERSION && TLS1_VERSION <= max_version)
537 #endif
538 #ifdef OPENSSL_NO_TLS1_1
539 || (min_version <= TLS1_1_VERSION && TLS1_1_VERSION <= max_version)
540 #endif
541 #ifdef OPENSSL_NO_TLS1_2
542 || (min_version <= TLS1_2_VERSION && TLS1_2_VERSION <= max_version)
543 #endif
544 #ifdef OPENSSL_NO_TLS1_3
545 || (min_version <= TLS1_3_VERSION && TLS1_3_VERSION <= max_version)
546 #endif
547 )
548 return 0;
549 }
550 return 1;
551 }
552
553 #if defined(__TANDEM) && defined(OPENSSL_VPROC)
554 /*
555 * Define a VPROC function for HP NonStop build ssl library.
556 * This is used by platform version identification tools.
557 * Do not inline this procedure or make it static.
558 */
559 # define OPENSSL_VPROC_STRING_(x) x##_SSL
560 # define OPENSSL_VPROC_STRING(x) OPENSSL_VPROC_STRING_(x)
561 # define OPENSSL_VPROC_FUNC OPENSSL_VPROC_STRING(OPENSSL_VPROC)
562 void OPENSSL_VPROC_FUNC(void) {}
563 #endif
564
565
566 static void clear_ciphers(SSL_CONNECTION *s)
567 {
568 /* clear the current cipher */
569 ssl_clear_cipher_ctx(s);
570 ssl_clear_hash_ctx(&s->read_hash);
571 ssl_clear_hash_ctx(&s->write_hash);
572 }
573
574 int SSL_clear(SSL *s)
575 {
576 if (s->method == NULL) {
577 ERR_raise(ERR_LIB_SSL, SSL_R_NO_METHOD_SPECIFIED);
578 return 0;
579 }
580
581 return s->method->ssl_reset(s);
582 }
583
584 int ossl_ssl_connection_reset(SSL *s)
585 {
586 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
587
588 if (sc == NULL)
589 return 0;
590
591 if (ssl_clear_bad_session(sc)) {
592 SSL_SESSION_free(sc->session);
593 sc->session = NULL;
594 }
595 SSL_SESSION_free(sc->psksession);
596 sc->psksession = NULL;
597 OPENSSL_free(sc->psksession_id);
598 sc->psksession_id = NULL;
599 sc->psksession_id_len = 0;
600 sc->hello_retry_request = 0;
601 sc->sent_tickets = 0;
602
603 sc->error = 0;
604 sc->hit = 0;
605 sc->shutdown = 0;
606
607 if (sc->renegotiate) {
608 ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
609 return 0;
610 }
611
612 ossl_statem_clear(sc);
613
614 /* TODO(QUIC): Version handling not yet clear */
615 sc->version = s->method->version;
616 sc->client_version = sc->version;
617 sc->rwstate = SSL_NOTHING;
618
619 BUF_MEM_free(sc->init_buf);
620 sc->init_buf = NULL;
621 clear_ciphers(sc);
622 sc->first_packet = 0;
623
624 sc->key_update = SSL_KEY_UPDATE_NONE;
625
626 EVP_MD_CTX_free(sc->pha_dgst);
627 sc->pha_dgst = NULL;
628
629 /* Reset DANE verification result state */
630 sc->dane.mdpth = -1;
631 sc->dane.pdpth = -1;
632 X509_free(sc->dane.mcert);
633 sc->dane.mcert = NULL;
634 sc->dane.mtlsa = NULL;
635
636 /* Clear the verification result peername */
637 X509_VERIFY_PARAM_move_peername(sc->param, NULL);
638
639 /* Clear any shared connection state */
640 OPENSSL_free(sc->shared_sigalgs);
641 sc->shared_sigalgs = NULL;
642 sc->shared_sigalgslen = 0;
643
644 /*
645 * Check to see if we were changed into a different method, if so, revert
646 * back.
647 */
648 if (s->method != SSL_CONNECTION_GET_CTX(sc)->method) {
649 s->method->ssl_deinit(s);
650 s->method = SSL_CONNECTION_GET_CTX(sc)->method;
651 if (!s->method->ssl_init(s))
652 return 0;
653 } else {
654 if (!s->method->ssl_clear(s))
655 return 0;
656 }
657
658 RECORD_LAYER_clear(&sc->rlayer);
659
660 /*
661 * TODO(RECLAYER): The record method should probably initialy come from the
662 * SSL_METHOD, and potentially be updated later. For now though we just
663 * assign it.
664 */
665 if (!ssl_set_new_record_layer(sc,
666 SSL_CONNECTION_IS_DTLS(sc) ? &ossl_dtls_record_method
667 : &ossl_tls_record_method,
668 TLS_ANY_VERSION,
669 OSSL_RECORD_DIRECTION_READ,
670 OSSL_RECORD_PROTECTION_LEVEL_NONE,
671 NULL, 0, NULL, 0, NULL, 0, NULL, 0,
672 NID_undef, NULL, NULL)) {
673 /* SSLfatal already called */
674 return 0;
675 }
676
677 return 1;
678 }
679
680 #ifndef OPENSSL_NO_DEPRECATED_3_0
681 /** Used to change an SSL_CTXs default SSL method type */
682 int SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *meth)
683 {
684 STACK_OF(SSL_CIPHER) *sk;
685
686 ctx->method = meth;
687
688 if (!SSL_CTX_set_ciphersuites(ctx, OSSL_default_ciphersuites())) {
689 ERR_raise(ERR_LIB_SSL, SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS);
690 return 0;
691 }
692 sk = ssl_create_cipher_list(ctx,
693 ctx->tls13_ciphersuites,
694 &(ctx->cipher_list),
695 &(ctx->cipher_list_by_id),
696 OSSL_default_cipher_list(), ctx->cert);
697 if ((sk == NULL) || (sk_SSL_CIPHER_num(sk) <= 0)) {
698 ERR_raise(ERR_LIB_SSL, SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS);
699 return 0;
700 }
701 return 1;
702 }
703 #endif
704
705 SSL *SSL_new(SSL_CTX *ctx)
706 {
707 if (ctx == NULL) {
708 ERR_raise(ERR_LIB_SSL, SSL_R_NULL_SSL_CTX);
709 return NULL;
710 }
711 if (ctx->method == NULL) {
712 ERR_raise(ERR_LIB_SSL, SSL_R_SSL_CTX_HAS_NO_DEFAULT_SSL_VERSION);
713 return NULL;
714 }
715 return ctx->method->ssl_new(ctx);
716 }
717
718 int ossl_ssl_init(SSL *ssl, SSL_CTX *ctx, int type)
719 {
720 ssl->type = type;
721
722 ssl->references = 1;
723 ssl->lock = CRYPTO_THREAD_lock_new();
724 if (ssl->lock == NULL)
725 return 0;
726
727 SSL_CTX_up_ref(ctx);
728 ssl->ctx = ctx;
729
730 ssl->method = ctx->method;
731
732 if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL, ssl, &ssl->ex_data))
733 return 0;
734
735 return 1;
736 }
737
738 SSL *ossl_ssl_connection_new(SSL_CTX *ctx)
739 {
740 SSL_CONNECTION *s;
741 SSL *ssl;
742
743 s = OPENSSL_zalloc(sizeof(*s));
744 if (s == NULL)
745 return NULL;
746
747 ssl = &s->ssl;
748 if (!ossl_ssl_init(ssl, ctx, SSL_TYPE_SSL_CONNECTION)) {
749 OPENSSL_free(s);
750 s = NULL;
751 goto err;
752 }
753
754 #ifndef OPENSSL_NO_QUIC
755 /* set the parent (user visible) ssl to self */
756 s->user_ssl = ssl;
757 #endif
758
759 RECORD_LAYER_init(&s->rlayer, s);
760
761 s->options = ctx->options;
762 s->dane.flags = ctx->dane.flags;
763 s->min_proto_version = ctx->min_proto_version;
764 s->max_proto_version = ctx->max_proto_version;
765 s->mode = ctx->mode;
766 s->max_cert_list = ctx->max_cert_list;
767 s->max_early_data = ctx->max_early_data;
768 s->recv_max_early_data = ctx->recv_max_early_data;
769 s->num_tickets = ctx->num_tickets;
770 s->pha_enabled = ctx->pha_enabled;
771
772 /* Shallow copy of the ciphersuites stack */
773 s->tls13_ciphersuites = sk_SSL_CIPHER_dup(ctx->tls13_ciphersuites);
774 if (s->tls13_ciphersuites == NULL)
775 goto err;
776
777 /*
778 * Earlier library versions used to copy the pointer to the CERT, not
779 * its contents; only when setting new parameters for the per-SSL
780 * copy, ssl_cert_new would be called (and the direct reference to
781 * the per-SSL_CTX settings would be lost, but those still were
782 * indirectly accessed for various purposes, and for that reason they
783 * used to be known as s->ctx->default_cert). Now we don't look at the
784 * SSL_CTX's CERT after having duplicated it once.
785 */
786 s->cert = ssl_cert_dup(ctx->cert);
787 if (s->cert == NULL)
788 goto err;
789
790 RECORD_LAYER_set_read_ahead(&s->rlayer, ctx->read_ahead);
791 s->msg_callback = ctx->msg_callback;
792 s->msg_callback_arg = ctx->msg_callback_arg;
793 s->verify_mode = ctx->verify_mode;
794 s->not_resumable_session_cb = ctx->not_resumable_session_cb;
795 s->record_padding_cb = ctx->record_padding_cb;
796 s->record_padding_arg = ctx->record_padding_arg;
797 s->block_padding = ctx->block_padding;
798 s->sid_ctx_length = ctx->sid_ctx_length;
799 if (!ossl_assert(s->sid_ctx_length <= sizeof(s->sid_ctx)))
800 goto err;
801 memcpy(&s->sid_ctx, &ctx->sid_ctx, sizeof(s->sid_ctx));
802 s->verify_callback = ctx->default_verify_callback;
803 s->generate_session_id = ctx->generate_session_id;
804
805 s->param = X509_VERIFY_PARAM_new();
806 if (s->param == NULL)
807 goto err;
808 X509_VERIFY_PARAM_inherit(s->param, ctx->param);
809 s->quiet_shutdown = ctx->quiet_shutdown;
810
811 s->ext.max_fragment_len_mode = ctx->ext.max_fragment_len_mode;
812 s->max_send_fragment = ctx->max_send_fragment;
813 s->split_send_fragment = ctx->split_send_fragment;
814 s->max_pipelines = ctx->max_pipelines;
815 if (s->max_pipelines > 1)
816 RECORD_LAYER_set_read_ahead(&s->rlayer, 1);
817 if (ctx->default_read_buf_len > 0)
818 SSL_set_default_read_buffer_len(ssl, ctx->default_read_buf_len);
819
820 s->ext.debug_cb = 0;
821 s->ext.debug_arg = NULL;
822 s->ext.ticket_expected = 0;
823 s->ext.status_type = ctx->ext.status_type;
824 s->ext.status_expected = 0;
825 s->ext.ocsp.ids = NULL;
826 s->ext.ocsp.exts = NULL;
827 s->ext.ocsp.resp = NULL;
828 s->ext.ocsp.resp_len = 0;
829 SSL_CTX_up_ref(ctx);
830 s->session_ctx = ctx;
831 if (ctx->ext.ecpointformats) {
832 s->ext.ecpointformats =
833 OPENSSL_memdup(ctx->ext.ecpointformats,
834 ctx->ext.ecpointformats_len);
835 if (!s->ext.ecpointformats) {
836 s->ext.ecpointformats_len = 0;
837 goto err;
838 }
839 s->ext.ecpointformats_len =
840 ctx->ext.ecpointformats_len;
841 }
842 if (ctx->ext.supportedgroups) {
843 s->ext.supportedgroups =
844 OPENSSL_memdup(ctx->ext.supportedgroups,
845 ctx->ext.supportedgroups_len
846 * sizeof(*ctx->ext.supportedgroups));
847 if (!s->ext.supportedgroups) {
848 s->ext.supportedgroups_len = 0;
849 goto err;
850 }
851 s->ext.supportedgroups_len = ctx->ext.supportedgroups_len;
852 }
853
854 #ifndef OPENSSL_NO_NEXTPROTONEG
855 s->ext.npn = NULL;
856 #endif
857
858 if (ctx->ext.alpn != NULL) {
859 s->ext.alpn = OPENSSL_malloc(ctx->ext.alpn_len);
860 if (s->ext.alpn == NULL) {
861 s->ext.alpn_len = 0;
862 goto err;
863 }
864 memcpy(s->ext.alpn, ctx->ext.alpn, ctx->ext.alpn_len);
865 s->ext.alpn_len = ctx->ext.alpn_len;
866 }
867
868 s->verified_chain = NULL;
869 s->verify_result = X509_V_OK;
870
871 s->default_passwd_callback = ctx->default_passwd_callback;
872 s->default_passwd_callback_userdata = ctx->default_passwd_callback_userdata;
873
874 s->key_update = SSL_KEY_UPDATE_NONE;
875
876 s->allow_early_data_cb = ctx->allow_early_data_cb;
877 s->allow_early_data_cb_data = ctx->allow_early_data_cb_data;
878
879 if (!ssl->method->ssl_init(ssl))
880 goto err;
881
882 s->server = (ctx->method->ssl_accept == ssl_undefined_function) ? 0 : 1;
883
884 if (!SSL_clear(ssl))
885 goto err;
886
887 #ifndef OPENSSL_NO_PSK
888 s->psk_client_callback = ctx->psk_client_callback;
889 s->psk_server_callback = ctx->psk_server_callback;
890 #endif
891 s->psk_find_session_cb = ctx->psk_find_session_cb;
892 s->psk_use_session_cb = ctx->psk_use_session_cb;
893
894 s->async_cb = ctx->async_cb;
895 s->async_cb_arg = ctx->async_cb_arg;
896
897 s->job = NULL;
898
899 #ifndef OPENSSL_NO_CT
900 if (!SSL_set_ct_validation_callback(ssl, ctx->ct_validation_callback,
901 ctx->ct_validation_callback_arg))
902 goto err;
903 #endif
904
905 return ssl;
906 err:
907 SSL_free(ssl);
908 ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE);
909 return NULL;
910 }
911
912 int SSL_is_dtls(const SSL *s)
913 {
914 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
915
916 if (sc == NULL)
917 return 0;
918
919 return SSL_CONNECTION_IS_DTLS(sc) ? 1 : 0;
920 }
921
922 int SSL_up_ref(SSL *s)
923 {
924 int i;
925
926 if (CRYPTO_UP_REF(&s->references, &i, s->lock) <= 0)
927 return 0;
928
929 REF_PRINT_COUNT("SSL", s);
930 REF_ASSERT_ISNT(i < 2);
931 return ((i > 1) ? 1 : 0);
932 }
933
934 int SSL_CTX_set_session_id_context(SSL_CTX *ctx, const unsigned char *sid_ctx,
935 unsigned int sid_ctx_len)
936 {
937 if (sid_ctx_len > SSL_MAX_SID_CTX_LENGTH) {
938 ERR_raise(ERR_LIB_SSL, SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG);
939 return 0;
940 }
941 ctx->sid_ctx_length = sid_ctx_len;
942 memcpy(ctx->sid_ctx, sid_ctx, sid_ctx_len);
943
944 return 1;
945 }
946
947 int SSL_set_session_id_context(SSL *ssl, const unsigned char *sid_ctx,
948 unsigned int sid_ctx_len)
949 {
950 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(ssl);
951
952 if (sc == NULL)
953 return 0;
954
955 if (sid_ctx_len > SSL_MAX_SID_CTX_LENGTH) {
956 ERR_raise(ERR_LIB_SSL, SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG);
957 return 0;
958 }
959 sc->sid_ctx_length = sid_ctx_len;
960 memcpy(sc->sid_ctx, sid_ctx, sid_ctx_len);
961
962 return 1;
963 }
964
965 int SSL_CTX_set_generate_session_id(SSL_CTX *ctx, GEN_SESSION_CB cb)
966 {
967 if (!CRYPTO_THREAD_write_lock(ctx->lock))
968 return 0;
969 ctx->generate_session_id = cb;
970 CRYPTO_THREAD_unlock(ctx->lock);
971 return 1;
972 }
973
974 int SSL_set_generate_session_id(SSL *ssl, GEN_SESSION_CB cb)
975 {
976 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(ssl);
977
978 if (sc == NULL || !CRYPTO_THREAD_write_lock(ssl->lock))
979 return 0;
980 sc->generate_session_id = cb;
981 CRYPTO_THREAD_unlock(ssl->lock);
982 return 1;
983 }
984
985 int SSL_has_matching_session_id(const SSL *ssl, const unsigned char *id,
986 unsigned int id_len)
987 {
988 /*
989 * A quick examination of SSL_SESSION_hash and SSL_SESSION_cmp shows how
990 * we can "construct" a session to give us the desired check - i.e. to
991 * find if there's a session in the hash table that would conflict with
992 * any new session built out of this id/id_len and the ssl_version in use
993 * by this SSL.
994 */
995 SSL_SESSION r, *p;
996 const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(ssl);
997
998 if (sc == NULL || id_len > sizeof(r.session_id))
999 return 0;
1000
1001 r.ssl_version = sc->version;
1002 r.session_id_length = id_len;
1003 memcpy(r.session_id, id, id_len);
1004
1005 if (!CRYPTO_THREAD_read_lock(sc->session_ctx->lock))
1006 return 0;
1007 p = lh_SSL_SESSION_retrieve(sc->session_ctx->sessions, &r);
1008 CRYPTO_THREAD_unlock(sc->session_ctx->lock);
1009 return (p != NULL);
1010 }
1011
1012 int SSL_CTX_set_purpose(SSL_CTX *s, int purpose)
1013 {
1014 return X509_VERIFY_PARAM_set_purpose(s->param, purpose);
1015 }
1016
1017 int SSL_set_purpose(SSL *s, int purpose)
1018 {
1019 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
1020
1021 if (sc == NULL)
1022 return 0;
1023
1024 return X509_VERIFY_PARAM_set_purpose(sc->param, purpose);
1025 }
1026
1027 int SSL_CTX_set_trust(SSL_CTX *s, int trust)
1028 {
1029 return X509_VERIFY_PARAM_set_trust(s->param, trust);
1030 }
1031
1032 int SSL_set_trust(SSL *s, int trust)
1033 {
1034 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
1035
1036 if (sc == NULL)
1037 return 0;
1038
1039 return X509_VERIFY_PARAM_set_trust(sc->param, trust);
1040 }
1041
1042 int SSL_set1_host(SSL *s, const char *hostname)
1043 {
1044 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
1045
1046 if (sc == NULL)
1047 return 0;
1048
1049 /* If a hostname is provided and parses as an IP address,
1050 * treat it as such. */
1051 if (hostname != NULL
1052 && X509_VERIFY_PARAM_set1_ip_asc(sc->param, hostname) == 1)
1053 return 1;
1054
1055 return X509_VERIFY_PARAM_set1_host(sc->param, hostname, 0);
1056 }
1057
1058 int SSL_add1_host(SSL *s, const char *hostname)
1059 {
1060 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
1061
1062 if (sc == NULL)
1063 return 0;
1064
1065 /* If a hostname is provided and parses as an IP address,
1066 * treat it as such. */
1067 if (hostname)
1068 {
1069 ASN1_OCTET_STRING *ip;
1070 char *old_ip;
1071
1072 ip = a2i_IPADDRESS(hostname);
1073 if (ip) {
1074 /* We didn't want it; only to check if it *is* an IP address */
1075 ASN1_OCTET_STRING_free(ip);
1076
1077 old_ip = X509_VERIFY_PARAM_get1_ip_asc(sc->param);
1078 if (old_ip)
1079 {
1080 OPENSSL_free(old_ip);
1081 /* There can be only one IP address */
1082 return 0;
1083 }
1084
1085 return X509_VERIFY_PARAM_set1_ip_asc(sc->param, hostname);
1086 }
1087 }
1088
1089 return X509_VERIFY_PARAM_add1_host(sc->param, hostname, 0);
1090 }
1091
1092 void SSL_set_hostflags(SSL *s, unsigned int flags)
1093 {
1094 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
1095
1096 if (sc == NULL)
1097 return;
1098
1099 X509_VERIFY_PARAM_set_hostflags(sc->param, flags);
1100 }
1101
1102 const char *SSL_get0_peername(SSL *s)
1103 {
1104 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
1105
1106 if (sc == NULL)
1107 return NULL;
1108
1109 return X509_VERIFY_PARAM_get0_peername(sc->param);
1110 }
1111
1112 int SSL_CTX_dane_enable(SSL_CTX *ctx)
1113 {
1114 return dane_ctx_enable(&ctx->dane);
1115 }
1116
1117 unsigned long SSL_CTX_dane_set_flags(SSL_CTX *ctx, unsigned long flags)
1118 {
1119 unsigned long orig = ctx->dane.flags;
1120
1121 ctx->dane.flags |= flags;
1122 return orig;
1123 }
1124
1125 unsigned long SSL_CTX_dane_clear_flags(SSL_CTX *ctx, unsigned long flags)
1126 {
1127 unsigned long orig = ctx->dane.flags;
1128
1129 ctx->dane.flags &= ~flags;
1130 return orig;
1131 }
1132
1133 int SSL_dane_enable(SSL *s, const char *basedomain)
1134 {
1135 SSL_DANE *dane;
1136 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
1137
1138 if (sc == NULL)
1139 return 0;
1140
1141 dane = &sc->dane;
1142 if (s->ctx->dane.mdmax == 0) {
1143 ERR_raise(ERR_LIB_SSL, SSL_R_CONTEXT_NOT_DANE_ENABLED);
1144 return 0;
1145 }
1146 if (dane->trecs != NULL) {
1147 ERR_raise(ERR_LIB_SSL, SSL_R_DANE_ALREADY_ENABLED);
1148 return 0;
1149 }
1150
1151 /*
1152 * Default SNI name. This rejects empty names, while set1_host below
1153 * accepts them and disables host name checks. To avoid side-effects with
1154 * invalid input, set the SNI name first.
1155 */
1156 if (sc->ext.hostname == NULL) {
1157 if (!SSL_set_tlsext_host_name(s, basedomain)) {
1158 ERR_raise(ERR_LIB_SSL, SSL_R_ERROR_SETTING_TLSA_BASE_DOMAIN);
1159 return -1;
1160 }
1161 }
1162
1163 /* Primary RFC6125 reference identifier */
1164 if (!X509_VERIFY_PARAM_set1_host(sc->param, basedomain, 0)) {
1165 ERR_raise(ERR_LIB_SSL, SSL_R_ERROR_SETTING_TLSA_BASE_DOMAIN);
1166 return -1;
1167 }
1168
1169 dane->mdpth = -1;
1170 dane->pdpth = -1;
1171 dane->dctx = &s->ctx->dane;
1172 dane->trecs = sk_danetls_record_new_null();
1173
1174 if (dane->trecs == NULL) {
1175 ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE);
1176 return -1;
1177 }
1178 return 1;
1179 }
1180
1181 unsigned long SSL_dane_set_flags(SSL *ssl, unsigned long flags)
1182 {
1183 unsigned long orig;
1184 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(ssl);
1185
1186 if (sc == NULL)
1187 return 0;
1188
1189 orig = sc->dane.flags;
1190
1191 sc->dane.flags |= flags;
1192 return orig;
1193 }
1194
1195 unsigned long SSL_dane_clear_flags(SSL *ssl, unsigned long flags)
1196 {
1197 unsigned long orig;
1198 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(ssl);
1199
1200 if (sc == NULL)
1201 return 0;
1202
1203 orig = sc->dane.flags;
1204
1205 sc->dane.flags &= ~flags;
1206 return orig;
1207 }
1208
1209 int SSL_get0_dane_authority(SSL *s, X509 **mcert, EVP_PKEY **mspki)
1210 {
1211 SSL_DANE *dane;
1212 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
1213
1214 if (sc == NULL)
1215 return -1;
1216
1217 dane = &sc->dane;
1218
1219 if (!DANETLS_ENABLED(dane) || sc->verify_result != X509_V_OK)
1220 return -1;
1221 if (dane->mtlsa) {
1222 if (mcert)
1223 *mcert = dane->mcert;
1224 if (mspki)
1225 *mspki = (dane->mcert == NULL) ? dane->mtlsa->spki : NULL;
1226 }
1227 return dane->mdpth;
1228 }
1229
1230 int SSL_get0_dane_tlsa(SSL *s, uint8_t *usage, uint8_t *selector,
1231 uint8_t *mtype, const unsigned char **data, size_t *dlen)
1232 {
1233 SSL_DANE *dane;
1234 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
1235
1236 if (sc == NULL)
1237 return -1;
1238
1239 dane = &sc->dane;
1240
1241 if (!DANETLS_ENABLED(dane) || sc->verify_result != X509_V_OK)
1242 return -1;
1243 if (dane->mtlsa) {
1244 if (usage)
1245 *usage = dane->mtlsa->usage;
1246 if (selector)
1247 *selector = dane->mtlsa->selector;
1248 if (mtype)
1249 *mtype = dane->mtlsa->mtype;
1250 if (data)
1251 *data = dane->mtlsa->data;
1252 if (dlen)
1253 *dlen = dane->mtlsa->dlen;
1254 }
1255 return dane->mdpth;
1256 }
1257
1258 SSL_DANE *SSL_get0_dane(SSL *s)
1259 {
1260 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
1261
1262 if (sc == NULL)
1263 return NULL;
1264
1265 return &sc->dane;
1266 }
1267
1268 int SSL_dane_tlsa_add(SSL *s, uint8_t usage, uint8_t selector,
1269 uint8_t mtype, const unsigned char *data, size_t dlen)
1270 {
1271 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
1272
1273 if (sc == NULL)
1274 return 0;
1275
1276 return dane_tlsa_add(&sc->dane, usage, selector, mtype, data, dlen);
1277 }
1278
1279 int SSL_CTX_dane_mtype_set(SSL_CTX *ctx, const EVP_MD *md, uint8_t mtype,
1280 uint8_t ord)
1281 {
1282 return dane_mtype_set(&ctx->dane, md, mtype, ord);
1283 }
1284
1285 int SSL_CTX_set1_param(SSL_CTX *ctx, X509_VERIFY_PARAM *vpm)
1286 {
1287 return X509_VERIFY_PARAM_set1(ctx->param, vpm);
1288 }
1289
1290 int SSL_set1_param(SSL *ssl, X509_VERIFY_PARAM *vpm)
1291 {
1292 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(ssl);
1293
1294 if (sc == NULL)
1295 return 0;
1296
1297 return X509_VERIFY_PARAM_set1(sc->param, vpm);
1298 }
1299
1300 X509_VERIFY_PARAM *SSL_CTX_get0_param(SSL_CTX *ctx)
1301 {
1302 return ctx->param;
1303 }
1304
1305 X509_VERIFY_PARAM *SSL_get0_param(SSL *ssl)
1306 {
1307 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(ssl);
1308
1309 if (sc == NULL)
1310 return NULL;
1311
1312 return sc->param;
1313 }
1314
1315 void SSL_certs_clear(SSL *s)
1316 {
1317 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
1318
1319 if (sc == NULL)
1320 return;
1321
1322 ssl_cert_clear_certs(sc->cert);
1323 }
1324
1325 void SSL_free(SSL *s)
1326 {
1327 int i;
1328
1329 if (s == NULL)
1330 return;
1331 CRYPTO_DOWN_REF(&s->references, &i, s->lock);
1332 REF_PRINT_COUNT("SSL", s);
1333 if (i > 0)
1334 return;
1335 REF_ASSERT_ISNT(i < 0);
1336
1337 CRYPTO_free_ex_data(CRYPTO_EX_INDEX_SSL, s, &s->ex_data);
1338
1339 if (s->method != NULL)
1340 s->method->ssl_free(s);
1341
1342 SSL_CTX_free(s->ctx);
1343 CRYPTO_THREAD_lock_free(s->lock);
1344
1345 OPENSSL_free(s);
1346 }
1347
1348 void ossl_ssl_connection_free(SSL *ssl)
1349 {
1350 SSL_CONNECTION *s;
1351
1352 s = SSL_CONNECTION_FROM_SSL_ONLY(ssl);
1353 if (s == NULL)
1354 return;
1355
1356 X509_VERIFY_PARAM_free(s->param);
1357 dane_final(&s->dane);
1358
1359 RECORD_LAYER_release(&s->rlayer);
1360
1361 /* Ignore return value */
1362 ssl_free_wbio_buffer(s);
1363
1364 BIO_free_all(s->wbio);
1365 s->wbio = NULL;
1366 BIO_free_all(s->rbio);
1367 s->rbio = NULL;
1368
1369 BUF_MEM_free(s->init_buf);
1370
1371 /* add extra stuff */
1372 sk_SSL_CIPHER_free(s->cipher_list);
1373 sk_SSL_CIPHER_free(s->cipher_list_by_id);
1374 sk_SSL_CIPHER_free(s->tls13_ciphersuites);
1375 sk_SSL_CIPHER_free(s->peer_ciphers);
1376
1377 /* Make the next call work :-) */
1378 if (s->session != NULL) {
1379 ssl_clear_bad_session(s);
1380 SSL_SESSION_free(s->session);
1381 }
1382 SSL_SESSION_free(s->psksession);
1383 OPENSSL_free(s->psksession_id);
1384
1385 clear_ciphers(s);
1386
1387 ssl_cert_free(s->cert);
1388 OPENSSL_free(s->shared_sigalgs);
1389 /* Free up if allocated */
1390
1391 OPENSSL_free(s->ext.hostname);
1392 SSL_CTX_free(s->session_ctx);
1393 OPENSSL_free(s->ext.ecpointformats);
1394 OPENSSL_free(s->ext.peer_ecpointformats);
1395 OPENSSL_free(s->ext.supportedgroups);
1396 OPENSSL_free(s->ext.peer_supportedgroups);
1397 sk_X509_EXTENSION_pop_free(s->ext.ocsp.exts, X509_EXTENSION_free);
1398 #ifndef OPENSSL_NO_OCSP
1399 sk_OCSP_RESPID_pop_free(s->ext.ocsp.ids, OCSP_RESPID_free);
1400 #endif
1401 #ifndef OPENSSL_NO_CT
1402 SCT_LIST_free(s->scts);
1403 OPENSSL_free(s->ext.scts);
1404 #endif
1405 OPENSSL_free(s->ext.ocsp.resp);
1406 OPENSSL_free(s->ext.alpn);
1407 OPENSSL_free(s->ext.tls13_cookie);
1408 if (s->clienthello != NULL)
1409 OPENSSL_free(s->clienthello->pre_proc_exts);
1410 OPENSSL_free(s->clienthello);
1411 OPENSSL_free(s->pha_context);
1412 EVP_MD_CTX_free(s->pha_dgst);
1413
1414 sk_X509_NAME_pop_free(s->ca_names, X509_NAME_free);
1415 sk_X509_NAME_pop_free(s->client_ca_names, X509_NAME_free);
1416
1417 OSSL_STACK_OF_X509_free(s->verified_chain);
1418
1419 if (ssl->method != NULL)
1420 ssl->method->ssl_deinit(ssl);
1421
1422 ASYNC_WAIT_CTX_free(s->waitctx);
1423
1424 #if !defined(OPENSSL_NO_NEXTPROTONEG)
1425 OPENSSL_free(s->ext.npn);
1426 #endif
1427
1428 #ifndef OPENSSL_NO_SRTP
1429 sk_SRTP_PROTECTION_PROFILE_free(s->srtp_profiles);
1430 #endif
1431 }
1432
1433 void SSL_set0_rbio(SSL *s, BIO *rbio)
1434 {
1435 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
1436
1437 if (sc == NULL)
1438 return;
1439
1440 BIO_free_all(sc->rbio);
1441 sc->rbio = rbio;
1442 sc->rrlmethod->set1_bio(sc->rrl, sc->rbio);
1443 }
1444
1445 void SSL_set0_wbio(SSL *s, BIO *wbio)
1446 {
1447 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
1448
1449 if (sc == NULL)
1450 return;
1451
1452 /*
1453 * If the output buffering BIO is still in place, remove it
1454 */
1455 if (sc->bbio != NULL)
1456 sc->wbio = BIO_pop(sc->wbio);
1457
1458 BIO_free_all(sc->wbio);
1459 sc->wbio = wbio;
1460
1461 /* Re-attach |bbio| to the new |wbio|. */
1462 if (sc->bbio != NULL)
1463 sc->wbio = BIO_push(sc->bbio, sc->wbio);
1464 }
1465
1466 void SSL_set_bio(SSL *s, BIO *rbio, BIO *wbio)
1467 {
1468 /*
1469 * For historical reasons, this function has many different cases in
1470 * ownership handling.
1471 */
1472
1473 /* If nothing has changed, do nothing */
1474 if (rbio == SSL_get_rbio(s) && wbio == SSL_get_wbio(s))
1475 return;
1476
1477 /*
1478 * If the two arguments are equal then one fewer reference is granted by the
1479 * caller than we want to take
1480 */
1481 if (rbio != NULL && rbio == wbio)
1482 BIO_up_ref(rbio);
1483
1484 /*
1485 * If only the wbio is changed only adopt one reference.
1486 */
1487 if (rbio == SSL_get_rbio(s)) {
1488 SSL_set0_wbio(s, wbio);
1489 return;
1490 }
1491 /*
1492 * There is an asymmetry here for historical reasons. If only the rbio is
1493 * changed AND the rbio and wbio were originally different, then we only
1494 * adopt one reference.
1495 */
1496 if (wbio == SSL_get_wbio(s) && SSL_get_rbio(s) != SSL_get_wbio(s)) {
1497 SSL_set0_rbio(s, rbio);
1498 return;
1499 }
1500
1501 /* Otherwise, adopt both references. */
1502 SSL_set0_rbio(s, rbio);
1503 SSL_set0_wbio(s, wbio);
1504 }
1505
1506 BIO *SSL_get_rbio(const SSL *s)
1507 {
1508 const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
1509
1510 if (sc == NULL)
1511 return NULL;
1512
1513 return sc->rbio;
1514 }
1515
1516 BIO *SSL_get_wbio(const SSL *s)
1517 {
1518 const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
1519
1520 if (sc == NULL)
1521 return NULL;
1522
1523 if (sc->bbio != NULL) {
1524 /*
1525 * If |bbio| is active, the true caller-configured BIO is its
1526 * |next_bio|.
1527 */
1528 return BIO_next(sc->bbio);
1529 }
1530 return sc->wbio;
1531 }
1532
1533 int SSL_get_fd(const SSL *s)
1534 {
1535 return SSL_get_rfd(s);
1536 }
1537
1538 int SSL_get_rfd(const SSL *s)
1539 {
1540 int ret = -1;
1541 BIO *b, *r;
1542
1543 b = SSL_get_rbio(s);
1544 r = BIO_find_type(b, BIO_TYPE_DESCRIPTOR);
1545 if (r != NULL)
1546 BIO_get_fd(r, &ret);
1547 return ret;
1548 }
1549
1550 int SSL_get_wfd(const SSL *s)
1551 {
1552 int ret = -1;
1553 BIO *b, *r;
1554
1555 b = SSL_get_wbio(s);
1556 r = BIO_find_type(b, BIO_TYPE_DESCRIPTOR);
1557 if (r != NULL)
1558 BIO_get_fd(r, &ret);
1559 return ret;
1560 }
1561
1562 #ifndef OPENSSL_NO_SOCK
1563 int SSL_set_fd(SSL *s, int fd)
1564 {
1565 int ret = 0;
1566 BIO *bio = NULL;
1567
1568 bio = BIO_new(BIO_s_socket());
1569
1570 if (bio == NULL) {
1571 ERR_raise(ERR_LIB_SSL, ERR_R_BUF_LIB);
1572 goto err;
1573 }
1574 BIO_set_fd(bio, fd, BIO_NOCLOSE);
1575 SSL_set_bio(s, bio, bio);
1576 #ifndef OPENSSL_NO_KTLS
1577 /*
1578 * The new socket is created successfully regardless of ktls_enable.
1579 * ktls_enable doesn't change any functionality of the socket, except
1580 * changing the setsockopt to enable the processing of ktls_start.
1581 * Thus, it is not a problem to call it for non-TLS sockets.
1582 */
1583 ktls_enable(fd);
1584 #endif /* OPENSSL_NO_KTLS */
1585 ret = 1;
1586 err:
1587 return ret;
1588 }
1589
1590 int SSL_set_wfd(SSL *s, int fd)
1591 {
1592 BIO *rbio = SSL_get_rbio(s);
1593
1594 if (rbio == NULL || BIO_method_type(rbio) != BIO_TYPE_SOCKET
1595 || (int)BIO_get_fd(rbio, NULL) != fd) {
1596 BIO *bio = BIO_new(BIO_s_socket());
1597
1598 if (bio == NULL) {
1599 ERR_raise(ERR_LIB_SSL, ERR_R_BUF_LIB);
1600 return 0;
1601 }
1602 BIO_set_fd(bio, fd, BIO_NOCLOSE);
1603 SSL_set0_wbio(s, bio);
1604 #ifndef OPENSSL_NO_KTLS
1605 /*
1606 * The new socket is created successfully regardless of ktls_enable.
1607 * ktls_enable doesn't change any functionality of the socket, except
1608 * changing the setsockopt to enable the processing of ktls_start.
1609 * Thus, it is not a problem to call it for non-TLS sockets.
1610 */
1611 ktls_enable(fd);
1612 #endif /* OPENSSL_NO_KTLS */
1613 } else {
1614 BIO_up_ref(rbio);
1615 SSL_set0_wbio(s, rbio);
1616 }
1617 return 1;
1618 }
1619
1620 int SSL_set_rfd(SSL *s, int fd)
1621 {
1622 BIO *wbio = SSL_get_wbio(s);
1623
1624 if (wbio == NULL || BIO_method_type(wbio) != BIO_TYPE_SOCKET
1625 || ((int)BIO_get_fd(wbio, NULL) != fd)) {
1626 BIO *bio = BIO_new(BIO_s_socket());
1627
1628 if (bio == NULL) {
1629 ERR_raise(ERR_LIB_SSL, ERR_R_BUF_LIB);
1630 return 0;
1631 }
1632 BIO_set_fd(bio, fd, BIO_NOCLOSE);
1633 SSL_set0_rbio(s, bio);
1634 } else {
1635 BIO_up_ref(wbio);
1636 SSL_set0_rbio(s, wbio);
1637 }
1638
1639 return 1;
1640 }
1641 #endif
1642
1643 /* return length of latest Finished message we sent, copy to 'buf' */
1644 size_t SSL_get_finished(const SSL *s, void *buf, size_t count)
1645 {
1646 size_t ret = 0;
1647 const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
1648
1649 if (sc == NULL)
1650 return 0;
1651
1652 ret = sc->s3.tmp.finish_md_len;
1653 if (count > ret)
1654 count = ret;
1655 memcpy(buf, sc->s3.tmp.finish_md, count);
1656 return ret;
1657 }
1658
1659 /* return length of latest Finished message we expected, copy to 'buf' */
1660 size_t SSL_get_peer_finished(const SSL *s, void *buf, size_t count)
1661 {
1662 size_t ret = 0;
1663 const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
1664
1665 if (sc == NULL)
1666 return 0;
1667
1668 ret = sc->s3.tmp.peer_finish_md_len;
1669 if (count > ret)
1670 count = ret;
1671 memcpy(buf, sc->s3.tmp.peer_finish_md, count);
1672 return ret;
1673 }
1674
1675 int SSL_get_verify_mode(const SSL *s)
1676 {
1677 const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
1678
1679 if (sc == NULL)
1680 return 0;
1681
1682 return sc->verify_mode;
1683 }
1684
1685 int SSL_get_verify_depth(const SSL *s)
1686 {
1687 const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
1688
1689 if (sc == NULL)
1690 return 0;
1691
1692 return X509_VERIFY_PARAM_get_depth(sc->param);
1693 }
1694
1695 int (*SSL_get_verify_callback(const SSL *s)) (int, X509_STORE_CTX *) {
1696 const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
1697
1698 if (sc == NULL)
1699 return NULL;
1700
1701 return sc->verify_callback;
1702 }
1703
1704 int SSL_CTX_get_verify_mode(const SSL_CTX *ctx)
1705 {
1706 return ctx->verify_mode;
1707 }
1708
1709 int SSL_CTX_get_verify_depth(const SSL_CTX *ctx)
1710 {
1711 return X509_VERIFY_PARAM_get_depth(ctx->param);
1712 }
1713
1714 int (*SSL_CTX_get_verify_callback(const SSL_CTX *ctx)) (int, X509_STORE_CTX *) {
1715 return ctx->default_verify_callback;
1716 }
1717
1718 void SSL_set_verify(SSL *s, int mode,
1719 int (*callback) (int ok, X509_STORE_CTX *ctx))
1720 {
1721 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
1722
1723 if (sc == NULL)
1724 return;
1725
1726 sc->verify_mode = mode;
1727 if (callback != NULL)
1728 sc->verify_callback = callback;
1729 }
1730
1731 void SSL_set_verify_depth(SSL *s, int depth)
1732 {
1733 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
1734
1735 if (sc == NULL)
1736 return;
1737
1738 X509_VERIFY_PARAM_set_depth(sc->param, depth);
1739 }
1740
1741 void SSL_set_read_ahead(SSL *s, int yes)
1742 {
1743 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
1744
1745 if (sc == NULL)
1746 return;
1747
1748 RECORD_LAYER_set_read_ahead(&sc->rlayer, yes);
1749 }
1750
1751 int SSL_get_read_ahead(const SSL *s)
1752 {
1753 const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
1754
1755 if (sc == NULL)
1756 return 0;
1757
1758 return RECORD_LAYER_get_read_ahead(&sc->rlayer);
1759 }
1760
1761 int SSL_pending(const SSL *s)
1762 {
1763 size_t pending = s->method->ssl_pending(s);
1764
1765 /*
1766 * SSL_pending cannot work properly if read-ahead is enabled
1767 * (SSL_[CTX_]ctrl(..., SSL_CTRL_SET_READ_AHEAD, 1, NULL)), and it is
1768 * impossible to fix since SSL_pending cannot report errors that may be
1769 * observed while scanning the new data. (Note that SSL_pending() is
1770 * often used as a boolean value, so we'd better not return -1.)
1771 *
1772 * SSL_pending also cannot work properly if the value >INT_MAX. In that case
1773 * we just return INT_MAX.
1774 */
1775 return pending < INT_MAX ? (int)pending : INT_MAX;
1776 }
1777
1778 int SSL_has_pending(const SSL *s)
1779 {
1780 /*
1781 * Similar to SSL_pending() but returns a 1 to indicate that we have
1782 * processed or unprocessed data available or 0 otherwise (as opposed to the
1783 * number of bytes available). Unlike SSL_pending() this will take into
1784 * account read_ahead data. A 1 return simply indicates that we have data.
1785 * That data may not result in any application data, or we may fail to parse
1786 * the records for some reason.
1787 */
1788 const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
1789
1790 /* Check buffered app data if any first */
1791 if (SSL_CONNECTION_IS_DTLS(sc)) {
1792 DTLS1_RECORD_DATA *rdata;
1793 pitem *item, *iter;
1794
1795 iter = pqueue_iterator(sc->rlayer.d->buffered_app_data.q);
1796 while ((item = pqueue_next(&iter)) != NULL) {
1797 rdata = item->data;
1798 if (rdata->rrec.length > 0)
1799 return 1;
1800 }
1801 }
1802
1803 if (RECORD_LAYER_processed_read_pending(&sc->rlayer))
1804 return 1;
1805
1806 return RECORD_LAYER_read_pending(&sc->rlayer);
1807 }
1808
1809 X509 *SSL_get1_peer_certificate(const SSL *s)
1810 {
1811 X509 *r = SSL_get0_peer_certificate(s);
1812
1813 if (r != NULL)
1814 X509_up_ref(r);
1815
1816 return r;
1817 }
1818
1819 X509 *SSL_get0_peer_certificate(const SSL *s)
1820 {
1821 const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
1822
1823 if (sc == NULL)
1824 return NULL;
1825
1826 if (sc->session == NULL)
1827 return NULL;
1828 else
1829 return sc->session->peer;
1830 }
1831
1832 STACK_OF(X509) *SSL_get_peer_cert_chain(const SSL *s)
1833 {
1834 STACK_OF(X509) *r;
1835 const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
1836
1837 if (sc == NULL)
1838 return NULL;
1839
1840 if (sc->session == NULL)
1841 r = NULL;
1842 else
1843 r = sc->session->peer_chain;
1844
1845 /*
1846 * If we are a client, cert_chain includes the peer's own certificate; if
1847 * we are a server, it does not.
1848 */
1849
1850 return r;
1851 }
1852
1853 /*
1854 * Now in theory, since the calling process own 't' it should be safe to
1855 * modify. We need to be able to read f without being hassled
1856 */
1857 int SSL_copy_session_id(SSL *t, const SSL *f)
1858 {
1859 int i;
1860 /* TODO(QUIC): Do we want to support this for QUIC connections? */
1861 SSL_CONNECTION *tsc = SSL_CONNECTION_FROM_SSL_ONLY(t);
1862 const SSL_CONNECTION *fsc = SSL_CONNECTION_FROM_CONST_SSL_ONLY(f);
1863
1864 if (tsc == NULL || fsc == NULL)
1865 return 0;
1866
1867 /* Do we need to do SSL locking? */
1868 if (!SSL_set_session(t, SSL_get_session(f))) {
1869 return 0;
1870 }
1871
1872 /*
1873 * what if we are setup for one protocol version but want to talk another
1874 */
1875 if (t->method != f->method) {
1876 t->method->ssl_deinit(t);
1877 t->method = f->method;
1878 if (t->method->ssl_init(t) == 0)
1879 return 0;
1880 }
1881
1882 CRYPTO_UP_REF(&fsc->cert->references, &i, fsc->cert->lock);
1883 ssl_cert_free(tsc->cert);
1884 tsc->cert = fsc->cert;
1885 if (!SSL_set_session_id_context(t, fsc->sid_ctx, (int)fsc->sid_ctx_length)) {
1886 return 0;
1887 }
1888
1889 return 1;
1890 }
1891
1892 /* Fix this so it checks all the valid key/cert options */
1893 int SSL_CTX_check_private_key(const SSL_CTX *ctx)
1894 {
1895 if ((ctx == NULL) || (ctx->cert->key->x509 == NULL)) {
1896 ERR_raise(ERR_LIB_SSL, SSL_R_NO_CERTIFICATE_ASSIGNED);
1897 return 0;
1898 }
1899 if (ctx->cert->key->privatekey == NULL) {
1900 ERR_raise(ERR_LIB_SSL, SSL_R_NO_PRIVATE_KEY_ASSIGNED);
1901 return 0;
1902 }
1903 return X509_check_private_key
1904 (ctx->cert->key->x509, ctx->cert->key->privatekey);
1905 }
1906
1907 /* Fix this function so that it takes an optional type parameter */
1908 int SSL_check_private_key(const SSL *ssl)
1909 {
1910 const SSL_CONNECTION *sc;
1911
1912 if ((sc = SSL_CONNECTION_FROM_CONST_SSL(ssl)) == NULL) {
1913 ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_NULL_PARAMETER);
1914 return 0;
1915 }
1916 if (sc->cert->key->x509 == NULL) {
1917 ERR_raise(ERR_LIB_SSL, SSL_R_NO_CERTIFICATE_ASSIGNED);
1918 return 0;
1919 }
1920 if (sc->cert->key->privatekey == NULL) {
1921 ERR_raise(ERR_LIB_SSL, SSL_R_NO_PRIVATE_KEY_ASSIGNED);
1922 return 0;
1923 }
1924 return X509_check_private_key(sc->cert->key->x509,
1925 sc->cert->key->privatekey);
1926 }
1927
1928 int SSL_waiting_for_async(SSL *s)
1929 {
1930 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
1931
1932 if (sc == NULL)
1933 return 0;
1934
1935 if (sc->job)
1936 return 1;
1937
1938 return 0;
1939 }
1940
1941 int SSL_get_all_async_fds(SSL *s, OSSL_ASYNC_FD *fds, size_t *numfds)
1942 {
1943 ASYNC_WAIT_CTX *ctx;
1944 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
1945
1946 if (sc == NULL)
1947 return 0;
1948
1949 if ((ctx = sc->waitctx) == NULL)
1950 return 0;
1951 return ASYNC_WAIT_CTX_get_all_fds(ctx, fds, numfds);
1952 }
1953
1954 int SSL_get_changed_async_fds(SSL *s, OSSL_ASYNC_FD *addfd, size_t *numaddfds,
1955 OSSL_ASYNC_FD *delfd, size_t *numdelfds)
1956 {
1957 ASYNC_WAIT_CTX *ctx;
1958 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
1959
1960 if (sc == NULL)
1961 return 0;
1962
1963 if ((ctx = sc->waitctx) == NULL)
1964 return 0;
1965 return ASYNC_WAIT_CTX_get_changed_fds(ctx, addfd, numaddfds, delfd,
1966 numdelfds);
1967 }
1968
1969 int SSL_CTX_set_async_callback(SSL_CTX *ctx, SSL_async_callback_fn callback)
1970 {
1971 ctx->async_cb = callback;
1972 return 1;
1973 }
1974
1975 int SSL_CTX_set_async_callback_arg(SSL_CTX *ctx, void *arg)
1976 {
1977 ctx->async_cb_arg = arg;
1978 return 1;
1979 }
1980
1981 int SSL_set_async_callback(SSL *s, SSL_async_callback_fn callback)
1982 {
1983 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
1984
1985 if (sc == NULL)
1986 return 0;
1987
1988 sc->async_cb = callback;
1989 return 1;
1990 }
1991
1992 int SSL_set_async_callback_arg(SSL *s, void *arg)
1993 {
1994 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
1995
1996 if (sc == NULL)
1997 return 0;
1998
1999 sc->async_cb_arg = arg;
2000 return 1;
2001 }
2002
2003 int SSL_get_async_status(SSL *s, int *status)
2004 {
2005 ASYNC_WAIT_CTX *ctx;
2006 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
2007
2008 if (sc == NULL)
2009 return 0;
2010
2011 if ((ctx = sc->waitctx) == NULL)
2012 return 0;
2013 *status = ASYNC_WAIT_CTX_get_status(ctx);
2014 return 1;
2015 }
2016
2017 int SSL_accept(SSL *s)
2018 {
2019 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
2020
2021 if (sc == NULL)
2022 return 0;
2023
2024 if (sc->handshake_func == NULL) {
2025 /* Not properly initialized yet */
2026 SSL_set_accept_state(s);
2027 }
2028
2029 return SSL_do_handshake(s);
2030 }
2031
2032 int SSL_connect(SSL *s)
2033 {
2034 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
2035
2036 if (sc == NULL)
2037 return 0;
2038
2039 if (sc->handshake_func == NULL) {
2040 /* Not properly initialized yet */
2041 SSL_set_connect_state(s);
2042 }
2043
2044 return SSL_do_handshake(s);
2045 }
2046
2047 long SSL_get_default_timeout(const SSL *s)
2048 {
2049 return s->method->get_timeout();
2050 }
2051
2052 static int ssl_async_wait_ctx_cb(void *arg)
2053 {
2054 SSL *s = (SSL *)arg;
2055 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
2056
2057 if (sc == NULL)
2058 return 0;
2059
2060 return sc->async_cb(s, sc->async_cb_arg);
2061 }
2062
2063 static int ssl_start_async_job(SSL *s, struct ssl_async_args *args,
2064 int (*func) (void *))
2065 {
2066 int ret;
2067 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
2068
2069 if (sc == NULL)
2070 return 0;
2071
2072 if (sc->waitctx == NULL) {
2073 sc->waitctx = ASYNC_WAIT_CTX_new();
2074 if (sc->waitctx == NULL)
2075 return -1;
2076 if (sc->async_cb != NULL
2077 && !ASYNC_WAIT_CTX_set_callback
2078 (sc->waitctx, ssl_async_wait_ctx_cb, s))
2079 return -1;
2080 }
2081
2082 sc->rwstate = SSL_NOTHING;
2083 switch (ASYNC_start_job(&sc->job, sc->waitctx, &ret, func, args,
2084 sizeof(struct ssl_async_args))) {
2085 case ASYNC_ERR:
2086 sc->rwstate = SSL_NOTHING;
2087 ERR_raise(ERR_LIB_SSL, SSL_R_FAILED_TO_INIT_ASYNC);
2088 return -1;
2089 case ASYNC_PAUSE:
2090 sc->rwstate = SSL_ASYNC_PAUSED;
2091 return -1;
2092 case ASYNC_NO_JOBS:
2093 sc->rwstate = SSL_ASYNC_NO_JOBS;
2094 return -1;
2095 case ASYNC_FINISH:
2096 sc->job = NULL;
2097 return ret;
2098 default:
2099 sc->rwstate = SSL_NOTHING;
2100 ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
2101 /* Shouldn't happen */
2102 return -1;
2103 }
2104 }
2105
2106 static int ssl_io_intern(void *vargs)
2107 {
2108 struct ssl_async_args *args;
2109 SSL *s;
2110 void *buf;
2111 size_t num;
2112 SSL_CONNECTION *sc;
2113
2114 args = (struct ssl_async_args *)vargs;
2115 s = args->s;
2116 buf = args->buf;
2117 num = args->num;
2118 if ((sc = SSL_CONNECTION_FROM_SSL(s)) == NULL)
2119 return -1;
2120
2121 switch (args->type) {
2122 case READFUNC:
2123 return args->f.func_read(s, buf, num, &sc->asyncrw);
2124 case WRITEFUNC:
2125 return args->f.func_write(s, buf, num, &sc->asyncrw);
2126 case OTHERFUNC:
2127 return args->f.func_other(s);
2128 }
2129 return -1;
2130 }
2131
2132 int ssl_read_internal(SSL *s, void *buf, size_t num, size_t *readbytes)
2133 {
2134 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
2135
2136 if (sc == NULL)
2137 return -1;
2138
2139 if (sc->handshake_func == NULL) {
2140 ERR_raise(ERR_LIB_SSL, SSL_R_UNINITIALIZED);
2141 return -1;
2142 }
2143
2144 if (sc->shutdown & SSL_RECEIVED_SHUTDOWN) {
2145 sc->rwstate = SSL_NOTHING;
2146 return 0;
2147 }
2148
2149 if (sc->early_data_state == SSL_EARLY_DATA_CONNECT_RETRY
2150 || sc->early_data_state == SSL_EARLY_DATA_ACCEPT_RETRY) {
2151 ERR_raise(ERR_LIB_SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
2152 return 0;
2153 }
2154 /*
2155 * If we are a client and haven't received the ServerHello etc then we
2156 * better do that
2157 */
2158 ossl_statem_check_finish_init(sc, 0);
2159
2160 if ((sc->mode & SSL_MODE_ASYNC) && ASYNC_get_current_job() == NULL) {
2161 struct ssl_async_args args;
2162 int ret;
2163
2164 args.s = s;
2165 args.buf = buf;
2166 args.num = num;
2167 args.type = READFUNC;
2168 args.f.func_read = s->method->ssl_read;
2169
2170 ret = ssl_start_async_job(s, &args, ssl_io_intern);
2171 *readbytes = sc->asyncrw;
2172 return ret;
2173 } else {
2174 return s->method->ssl_read(s, buf, num, readbytes);
2175 }
2176 }
2177
2178 int SSL_read(SSL *s, void *buf, int num)
2179 {
2180 int ret;
2181 size_t readbytes;
2182
2183 if (num < 0) {
2184 ERR_raise(ERR_LIB_SSL, SSL_R_BAD_LENGTH);
2185 return -1;
2186 }
2187
2188 ret = ssl_read_internal(s, buf, (size_t)num, &readbytes);
2189
2190 /*
2191 * The cast is safe here because ret should be <= INT_MAX because num is
2192 * <= INT_MAX
2193 */
2194 if (ret > 0)
2195 ret = (int)readbytes;
2196
2197 return ret;
2198 }
2199
2200 int SSL_read_ex(SSL *s, void *buf, size_t num, size_t *readbytes)
2201 {
2202 int ret = ssl_read_internal(s, buf, num, readbytes);
2203
2204 if (ret < 0)
2205 ret = 0;
2206 return ret;
2207 }
2208
2209 int SSL_read_early_data(SSL *s, void *buf, size_t num, size_t *readbytes)
2210 {
2211 int ret;
2212 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL_ONLY(s);
2213
2214 /* TODO(QUIC): This will need special handling for QUIC */
2215 if (sc == NULL)
2216 return 0;
2217
2218 if (!sc->server) {
2219 ERR_raise(ERR_LIB_SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
2220 return SSL_READ_EARLY_DATA_ERROR;
2221 }
2222
2223 switch (sc->early_data_state) {
2224 case SSL_EARLY_DATA_NONE:
2225 if (!SSL_in_before(s)) {
2226 ERR_raise(ERR_LIB_SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
2227 return SSL_READ_EARLY_DATA_ERROR;
2228 }
2229 /* fall through */
2230
2231 case SSL_EARLY_DATA_ACCEPT_RETRY:
2232 sc->early_data_state = SSL_EARLY_DATA_ACCEPTING;
2233 ret = SSL_accept(s);
2234 if (ret <= 0) {
2235 /* NBIO or error */
2236 sc->early_data_state = SSL_EARLY_DATA_ACCEPT_RETRY;
2237 return SSL_READ_EARLY_DATA_ERROR;
2238 }
2239 /* fall through */
2240
2241 case SSL_EARLY_DATA_READ_RETRY:
2242 if (sc->ext.early_data == SSL_EARLY_DATA_ACCEPTED) {
2243 sc->early_data_state = SSL_EARLY_DATA_READING;
2244 ret = SSL_read_ex(s, buf, num, readbytes);
2245 /*
2246 * State machine will update early_data_state to
2247 * SSL_EARLY_DATA_FINISHED_READING if we get an EndOfEarlyData
2248 * message
2249 */
2250 if (ret > 0 || (ret <= 0 && sc->early_data_state
2251 != SSL_EARLY_DATA_FINISHED_READING)) {
2252 sc->early_data_state = SSL_EARLY_DATA_READ_RETRY;
2253 return ret > 0 ? SSL_READ_EARLY_DATA_SUCCESS
2254 : SSL_READ_EARLY_DATA_ERROR;
2255 }
2256 } else {
2257 sc->early_data_state = SSL_EARLY_DATA_FINISHED_READING;
2258 }
2259 *readbytes = 0;
2260 return SSL_READ_EARLY_DATA_FINISH;
2261
2262 default:
2263 ERR_raise(ERR_LIB_SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
2264 return SSL_READ_EARLY_DATA_ERROR;
2265 }
2266 }
2267
2268 int SSL_get_early_data_status(const SSL *s)
2269 {
2270 const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL_ONLY(s);
2271
2272 /* TODO(QUIC): This will need special handling for QUIC */
2273 if (sc == NULL)
2274 return 0;
2275
2276 return sc->ext.early_data;
2277 }
2278
2279 static int ssl_peek_internal(SSL *s, void *buf, size_t num, size_t *readbytes)
2280 {
2281 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
2282
2283 if (sc == NULL)
2284 return 0;
2285
2286 if (sc->handshake_func == NULL) {
2287 ERR_raise(ERR_LIB_SSL, SSL_R_UNINITIALIZED);
2288 return -1;
2289 }
2290
2291 if (sc->shutdown & SSL_RECEIVED_SHUTDOWN) {
2292 return 0;
2293 }
2294 if ((sc->mode & SSL_MODE_ASYNC) && ASYNC_get_current_job() == NULL) {
2295 struct ssl_async_args args;
2296 int ret;
2297
2298 args.s = s;
2299 args.buf = buf;
2300 args.num = num;
2301 args.type = READFUNC;
2302 args.f.func_read = s->method->ssl_peek;
2303
2304 ret = ssl_start_async_job(s, &args, ssl_io_intern);
2305 *readbytes = sc->asyncrw;
2306 return ret;
2307 } else {
2308 return s->method->ssl_peek(s, buf, num, readbytes);
2309 }
2310 }
2311
2312 int SSL_peek(SSL *s, void *buf, int num)
2313 {
2314 int ret;
2315 size_t readbytes;
2316
2317 if (num < 0) {
2318 ERR_raise(ERR_LIB_SSL, SSL_R_BAD_LENGTH);
2319 return -1;
2320 }
2321
2322 ret = ssl_peek_internal(s, buf, (size_t)num, &readbytes);
2323
2324 /*
2325 * The cast is safe here because ret should be <= INT_MAX because num is
2326 * <= INT_MAX
2327 */
2328 if (ret > 0)
2329 ret = (int)readbytes;
2330
2331 return ret;
2332 }
2333
2334
2335 int SSL_peek_ex(SSL *s, void *buf, size_t num, size_t *readbytes)
2336 {
2337 int ret = ssl_peek_internal(s, buf, num, readbytes);
2338
2339 if (ret < 0)
2340 ret = 0;
2341 return ret;
2342 }
2343
2344 int ssl_write_internal(SSL *s, const void *buf, size_t num, size_t *written)
2345 {
2346 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
2347
2348 if (sc == NULL)
2349 return 0;
2350
2351 if (sc->handshake_func == NULL) {
2352 ERR_raise(ERR_LIB_SSL, SSL_R_UNINITIALIZED);
2353 return -1;
2354 }
2355
2356 if (sc->shutdown & SSL_SENT_SHUTDOWN) {
2357 sc->rwstate = SSL_NOTHING;
2358 ERR_raise(ERR_LIB_SSL, SSL_R_PROTOCOL_IS_SHUTDOWN);
2359 return -1;
2360 }
2361
2362 if (sc->early_data_state == SSL_EARLY_DATA_CONNECT_RETRY
2363 || sc->early_data_state == SSL_EARLY_DATA_ACCEPT_RETRY
2364 || sc->early_data_state == SSL_EARLY_DATA_READ_RETRY) {
2365 ERR_raise(ERR_LIB_SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
2366 return 0;
2367 }
2368 /* If we are a client and haven't sent the Finished we better do that */
2369 ossl_statem_check_finish_init(sc, 1);
2370
2371 if ((sc->mode & SSL_MODE_ASYNC) && ASYNC_get_current_job() == NULL) {
2372 int ret;
2373 struct ssl_async_args args;
2374
2375 args.s = s;
2376 args.buf = (void *)buf;
2377 args.num = num;
2378 args.type = WRITEFUNC;
2379 args.f.func_write = s->method->ssl_write;
2380
2381 ret = ssl_start_async_job(s, &args, ssl_io_intern);
2382 *written = sc->asyncrw;
2383 return ret;
2384 } else {
2385 return s->method->ssl_write(s, buf, num, written);
2386 }
2387 }
2388
2389 ossl_ssize_t SSL_sendfile(SSL *s, int fd, off_t offset, size_t size, int flags)
2390 {
2391 ossl_ssize_t ret;
2392 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL_ONLY(s);
2393
2394 if (sc == NULL)
2395 return 0;
2396
2397 if (sc->handshake_func == NULL) {
2398 ERR_raise(ERR_LIB_SSL, SSL_R_UNINITIALIZED);
2399 return -1;
2400 }
2401
2402 if (sc->shutdown & SSL_SENT_SHUTDOWN) {
2403 sc->rwstate = SSL_NOTHING;
2404 ERR_raise(ERR_LIB_SSL, SSL_R_PROTOCOL_IS_SHUTDOWN);
2405 return -1;
2406 }
2407
2408 if (!BIO_get_ktls_send(sc->wbio)) {
2409 ERR_raise(ERR_LIB_SSL, SSL_R_UNINITIALIZED);
2410 return -1;
2411 }
2412
2413 /* If we have an alert to send, lets send it */
2414 if (sc->s3.alert_dispatch) {
2415 ret = (ossl_ssize_t)s->method->ssl_dispatch_alert(s);
2416 if (ret <= 0) {
2417 /* SSLfatal() already called if appropriate */
2418 return ret;
2419 }
2420 /* if it went, fall through and send more stuff */
2421 }
2422
2423 sc->rwstate = SSL_WRITING;
2424 if (BIO_flush(sc->wbio) <= 0) {
2425 if (!BIO_should_retry(sc->wbio)) {
2426 sc->rwstate = SSL_NOTHING;
2427 } else {
2428 #ifdef EAGAIN
2429 set_sys_error(EAGAIN);
2430 #endif
2431 }
2432 return -1;
2433 }
2434
2435 #ifdef OPENSSL_NO_KTLS
2436 ERR_raise_data(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR,
2437 "can't call ktls_sendfile(), ktls disabled");
2438 return -1;
2439 #else
2440 ret = ktls_sendfile(SSL_get_wfd(s), fd, offset, size, flags);
2441 if (ret < 0) {
2442 #if defined(EAGAIN) && defined(EINTR) && defined(EBUSY)
2443 if ((get_last_sys_error() == EAGAIN) ||
2444 (get_last_sys_error() == EINTR) ||
2445 (get_last_sys_error() == EBUSY))
2446 BIO_set_retry_write(sc->wbio);
2447 else
2448 #endif
2449 ERR_raise(ERR_LIB_SSL, SSL_R_UNINITIALIZED);
2450 return ret;
2451 }
2452 sc->rwstate = SSL_NOTHING;
2453 return ret;
2454 #endif
2455 }
2456
2457 int SSL_write(SSL *s, const void *buf, int num)
2458 {
2459 int ret;
2460 size_t written;
2461
2462 if (num < 0) {
2463 ERR_raise(ERR_LIB_SSL, SSL_R_BAD_LENGTH);
2464 return -1;
2465 }
2466
2467 ret = ssl_write_internal(s, buf, (size_t)num, &written);
2468
2469 /*
2470 * The cast is safe here because ret should be <= INT_MAX because num is
2471 * <= INT_MAX
2472 */
2473 if (ret > 0)
2474 ret = (int)written;
2475
2476 return ret;
2477 }
2478
2479 int SSL_write_ex(SSL *s, const void *buf, size_t num, size_t *written)
2480 {
2481 int ret = ssl_write_internal(s, buf, num, written);
2482
2483 if (ret < 0)
2484 ret = 0;
2485 return ret;
2486 }
2487
2488 int SSL_write_early_data(SSL *s, const void *buf, size_t num, size_t *written)
2489 {
2490 int ret, early_data_state;
2491 size_t writtmp;
2492 uint32_t partialwrite;
2493 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL_ONLY(s);
2494
2495 /* TODO(QUIC): This will need special handling for QUIC */
2496 if (sc == NULL)
2497 return 0;
2498
2499 switch (sc->early_data_state) {
2500 case SSL_EARLY_DATA_NONE:
2501 if (sc->server
2502 || !SSL_in_before(s)
2503 || ((sc->session == NULL || sc->session->ext.max_early_data == 0)
2504 && (sc->psk_use_session_cb == NULL))) {
2505 ERR_raise(ERR_LIB_SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
2506 return 0;
2507 }
2508 /* fall through */
2509
2510 case SSL_EARLY_DATA_CONNECT_RETRY:
2511 sc->early_data_state = SSL_EARLY_DATA_CONNECTING;
2512 ret = SSL_connect(s);
2513 if (ret <= 0) {
2514 /* NBIO or error */
2515 sc->early_data_state = SSL_EARLY_DATA_CONNECT_RETRY;
2516 return 0;
2517 }
2518 /* fall through */
2519
2520 case SSL_EARLY_DATA_WRITE_RETRY:
2521 sc->early_data_state = SSL_EARLY_DATA_WRITING;
2522 /*
2523 * We disable partial write for early data because we don't keep track
2524 * of how many bytes we've written between the SSL_write_ex() call and
2525 * the flush if the flush needs to be retried)
2526 */
2527 partialwrite = sc->mode & SSL_MODE_ENABLE_PARTIAL_WRITE;
2528 sc->mode &= ~SSL_MODE_ENABLE_PARTIAL_WRITE;
2529 ret = SSL_write_ex(s, buf, num, &writtmp);
2530 sc->mode |= partialwrite;
2531 if (!ret) {
2532 sc->early_data_state = SSL_EARLY_DATA_WRITE_RETRY;
2533 return ret;
2534 }
2535 sc->early_data_state = SSL_EARLY_DATA_WRITE_FLUSH;
2536 /* fall through */
2537
2538 case SSL_EARLY_DATA_WRITE_FLUSH:
2539 /* The buffering BIO is still in place so we need to flush it */
2540 if (statem_flush(sc) != 1)
2541 return 0;
2542 *written = num;
2543 sc->early_data_state = SSL_EARLY_DATA_WRITE_RETRY;
2544 return 1;
2545
2546 case SSL_EARLY_DATA_FINISHED_READING:
2547 case SSL_EARLY_DATA_READ_RETRY:
2548 early_data_state = sc->early_data_state;
2549 /* We are a server writing to an unauthenticated client */
2550 sc->early_data_state = SSL_EARLY_DATA_UNAUTH_WRITING;
2551 ret = SSL_write_ex(s, buf, num, written);
2552 /* The buffering BIO is still in place */
2553 if (ret)
2554 (void)BIO_flush(sc->wbio);
2555 sc->early_data_state = early_data_state;
2556 return ret;
2557
2558 default:
2559 ERR_raise(ERR_LIB_SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
2560 return 0;
2561 }
2562 }
2563
2564 int SSL_shutdown(SSL *s)
2565 {
2566 /*
2567 * Note that this function behaves differently from what one might
2568 * expect. Return values are 0 for no success (yet), 1 for success; but
2569 * calling it once is usually not enough, even if blocking I/O is used
2570 * (see ssl3_shutdown).
2571 */
2572 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
2573
2574 if (sc == NULL)
2575 return -1;
2576
2577 if (sc->handshake_func == NULL) {
2578 ERR_raise(ERR_LIB_SSL, SSL_R_UNINITIALIZED);
2579 return -1;
2580 }
2581
2582 if (!SSL_in_init(s)) {
2583 if ((sc->mode & SSL_MODE_ASYNC) && ASYNC_get_current_job() == NULL) {
2584 struct ssl_async_args args;
2585
2586 memset(&args, 0, sizeof(args));
2587 args.s = s;
2588 args.type = OTHERFUNC;
2589 args.f.func_other = s->method->ssl_shutdown;
2590
2591 return ssl_start_async_job(s, &args, ssl_io_intern);
2592 } else {
2593 return s->method->ssl_shutdown(s);
2594 }
2595 } else {
2596 ERR_raise(ERR_LIB_SSL, SSL_R_SHUTDOWN_WHILE_IN_INIT);
2597 return -1;
2598 }
2599 }
2600
2601 int SSL_key_update(SSL *s, int updatetype)
2602 {
2603 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
2604
2605 if (sc == NULL)
2606 return 0;
2607
2608 if (!SSL_CONNECTION_IS_TLS13(sc)) {
2609 ERR_raise(ERR_LIB_SSL, SSL_R_WRONG_SSL_VERSION);
2610 return 0;
2611 }
2612
2613 if (updatetype != SSL_KEY_UPDATE_NOT_REQUESTED
2614 && updatetype != SSL_KEY_UPDATE_REQUESTED) {
2615 ERR_raise(ERR_LIB_SSL, SSL_R_INVALID_KEY_UPDATE_TYPE);
2616 return 0;
2617 }
2618
2619 if (!SSL_is_init_finished(s)) {
2620 ERR_raise(ERR_LIB_SSL, SSL_R_STILL_IN_INIT);
2621 return 0;
2622 }
2623
2624 if (RECORD_LAYER_write_pending(&sc->rlayer)) {
2625 ERR_raise(ERR_LIB_SSL, SSL_R_BAD_WRITE_RETRY);
2626 return 0;
2627 }
2628
2629 ossl_statem_set_in_init(sc, 1);
2630 sc->key_update = updatetype;
2631 return 1;
2632 }
2633
2634 int SSL_get_key_update_type(const SSL *s)
2635 {
2636 const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
2637
2638 if (sc == NULL)
2639 return 0;
2640
2641 return sc->key_update;
2642 }
2643
2644 /*
2645 * Can we accept a renegotiation request? If yes, set the flag and
2646 * return 1 if yes. If not, raise error and return 0.
2647 */
2648 static int can_renegotiate(const SSL_CONNECTION *sc)
2649 {
2650 if (SSL_CONNECTION_IS_TLS13(sc)) {
2651 ERR_raise(ERR_LIB_SSL, SSL_R_WRONG_SSL_VERSION);
2652 return 0;
2653 }
2654
2655 if ((sc->options & SSL_OP_NO_RENEGOTIATION) != 0) {
2656 ERR_raise(ERR_LIB_SSL, SSL_R_NO_RENEGOTIATION);
2657 return 0;
2658 }
2659
2660 return 1;
2661 }
2662
2663 int SSL_renegotiate(SSL *s)
2664 {
2665 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL_ONLY(s);
2666
2667 if (sc == NULL)
2668 return 0;
2669
2670 if (!can_renegotiate(sc))
2671 return 0;
2672
2673 sc->renegotiate = 1;
2674 sc->new_session = 1;
2675 return s->method->ssl_renegotiate(s);
2676 }
2677
2678 int SSL_renegotiate_abbreviated(SSL *s)
2679 {
2680 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL_ONLY(s);
2681
2682 if (sc == NULL)
2683 return 0;
2684
2685 if (!can_renegotiate(sc))
2686 return 0;
2687
2688 sc->renegotiate = 1;
2689 sc->new_session = 0;
2690 return s->method->ssl_renegotiate(s);
2691 }
2692
2693 int SSL_renegotiate_pending(const SSL *s)
2694 {
2695 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL_ONLY(s);
2696
2697 if (sc == NULL)
2698 return 0;
2699
2700 /*
2701 * becomes true when negotiation is requested; false again once a
2702 * handshake has finished
2703 */
2704 return (sc->renegotiate != 0);
2705 }
2706
2707 int SSL_new_session_ticket(SSL *s)
2708 {
2709 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
2710
2711 if (sc == NULL)
2712 return 0;
2713
2714 /* If we are in init because we're sending tickets, okay to send more. */
2715 if ((SSL_in_init(s) && sc->ext.extra_tickets_expected == 0)
2716 || SSL_IS_FIRST_HANDSHAKE(sc) || !sc->server
2717 || !SSL_CONNECTION_IS_TLS13(sc))
2718 return 0;
2719 sc->ext.extra_tickets_expected++;
2720 if (!RECORD_LAYER_write_pending(&sc->rlayer) && !SSL_in_init(s))
2721 ossl_statem_set_in_init(sc, 1);
2722 return 1;
2723 }
2724
2725 long SSL_ctrl(SSL *s, int cmd, long larg, void *parg)
2726 {
2727 long l;
2728 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
2729
2730 /* TODO(QUIC): Special handling for some ctrls will be needed */
2731 if (sc == NULL)
2732 return 0;
2733
2734 switch (cmd) {
2735 case SSL_CTRL_GET_READ_AHEAD:
2736 return RECORD_LAYER_get_read_ahead(&sc->rlayer);
2737 case SSL_CTRL_SET_READ_AHEAD:
2738 l = RECORD_LAYER_get_read_ahead(&sc->rlayer);
2739 RECORD_LAYER_set_read_ahead(&sc->rlayer, larg);
2740 return l;
2741
2742 case SSL_CTRL_SET_MSG_CALLBACK_ARG:
2743 sc->msg_callback_arg = parg;
2744 return 1;
2745
2746 case SSL_CTRL_MODE:
2747 return (sc->mode |= larg);
2748 case SSL_CTRL_CLEAR_MODE:
2749 return (sc->mode &= ~larg);
2750 case SSL_CTRL_GET_MAX_CERT_LIST:
2751 return (long)sc->max_cert_list;
2752 case SSL_CTRL_SET_MAX_CERT_LIST:
2753 if (larg < 0)
2754 return 0;
2755 l = (long)sc->max_cert_list;
2756 sc->max_cert_list = (size_t)larg;
2757 return l;
2758 case SSL_CTRL_SET_MAX_SEND_FRAGMENT:
2759 if (larg < 512 || larg > SSL3_RT_MAX_PLAIN_LENGTH)
2760 return 0;
2761 #ifndef OPENSSL_NO_KTLS
2762 if (sc->wbio != NULL && BIO_get_ktls_send(sc->wbio))
2763 return 0;
2764 #endif /* OPENSSL_NO_KTLS */
2765 sc->max_send_fragment = larg;
2766 if (sc->max_send_fragment < sc->split_send_fragment)
2767 sc->split_send_fragment = sc->max_send_fragment;
2768 return 1;
2769 case SSL_CTRL_SET_SPLIT_SEND_FRAGMENT:
2770 if ((size_t)larg > sc->max_send_fragment || larg == 0)
2771 return 0;
2772 sc->split_send_fragment = larg;
2773 return 1;
2774 case SSL_CTRL_SET_MAX_PIPELINES:
2775 if (larg < 1 || larg > SSL_MAX_PIPELINES)
2776 return 0;
2777 sc->max_pipelines = larg;
2778 if (larg > 1)
2779 RECORD_LAYER_set_read_ahead(&sc->rlayer, 1);
2780 return 1;
2781 case SSL_CTRL_GET_RI_SUPPORT:
2782 return sc->s3.send_connection_binding;
2783 case SSL_CTRL_SET_RETRY_VERIFY:
2784 sc->rwstate = SSL_RETRY_VERIFY;
2785 return 1;
2786 case SSL_CTRL_CERT_FLAGS:
2787 return (sc->cert->cert_flags |= larg);
2788 case SSL_CTRL_CLEAR_CERT_FLAGS:
2789 return (sc->cert->cert_flags &= ~larg);
2790
2791 case SSL_CTRL_GET_RAW_CIPHERLIST:
2792 if (parg) {
2793 if (sc->s3.tmp.ciphers_raw == NULL)
2794 return 0;
2795 *(unsigned char **)parg = sc->s3.tmp.ciphers_raw;
2796 return (int)sc->s3.tmp.ciphers_rawlen;
2797 } else {
2798 return TLS_CIPHER_LEN;
2799 }
2800 case SSL_CTRL_GET_EXTMS_SUPPORT:
2801 if (!sc->session || SSL_in_init(s) || ossl_statem_get_in_handshake(sc))
2802 return -1;
2803 if (sc->session->flags & SSL_SESS_FLAG_EXTMS)
2804 return 1;
2805 else
2806 return 0;
2807 case SSL_CTRL_SET_MIN_PROTO_VERSION:
2808 return ssl_check_allowed_versions(larg, sc->max_proto_version)
2809 && ssl_set_version_bound(s->ctx->method->version, (int)larg,
2810 &sc->min_proto_version);
2811 case SSL_CTRL_GET_MIN_PROTO_VERSION:
2812 return sc->min_proto_version;
2813 case SSL_CTRL_SET_MAX_PROTO_VERSION:
2814 return ssl_check_allowed_versions(sc->min_proto_version, larg)
2815 && ssl_set_version_bound(s->ctx->method->version, (int)larg,
2816 &sc->max_proto_version);
2817 case SSL_CTRL_GET_MAX_PROTO_VERSION:
2818 return sc->max_proto_version;
2819 default:
2820 return s->method->ssl_ctrl(s, cmd, larg, parg);
2821 }
2822 }
2823
2824 long SSL_callback_ctrl(SSL *s, int cmd, void (*fp) (void))
2825 {
2826 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
2827
2828 if (sc == NULL)
2829 return 0;
2830
2831 switch (cmd) {
2832 case SSL_CTRL_SET_MSG_CALLBACK:
2833 sc->msg_callback = (void (*)
2834 (int write_p, int version, int content_type,
2835 const void *buf, size_t len, SSL *ssl,
2836 void *arg))(fp);
2837 return 1;
2838
2839 default:
2840 return s->method->ssl_callback_ctrl(s, cmd, fp);
2841 }
2842 }
2843
2844 LHASH_OF(SSL_SESSION) *SSL_CTX_sessions(SSL_CTX *ctx)
2845 {
2846 return ctx->sessions;
2847 }
2848
2849 static int ssl_tsan_load(SSL_CTX *ctx, TSAN_QUALIFIER int *stat)
2850 {
2851 int res = 0;
2852
2853 if (ssl_tsan_lock(ctx)) {
2854 res = tsan_load(stat);
2855 ssl_tsan_unlock(ctx);
2856 }
2857 return res;
2858 }
2859
2860 long SSL_CTX_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
2861 {
2862 long l;
2863 /* For some cases with ctx == NULL perform syntax checks */
2864 if (ctx == NULL) {
2865 switch (cmd) {
2866 case SSL_CTRL_SET_GROUPS_LIST:
2867 return tls1_set_groups_list(ctx, NULL, NULL, parg);
2868 case SSL_CTRL_SET_SIGALGS_LIST:
2869 case SSL_CTRL_SET_CLIENT_SIGALGS_LIST:
2870 return tls1_set_sigalgs_list(NULL, parg, 0);
2871 default:
2872 return 0;
2873 }
2874 }
2875
2876 switch (cmd) {
2877 case SSL_CTRL_GET_READ_AHEAD:
2878 return ctx->read_ahead;
2879 case SSL_CTRL_SET_READ_AHEAD:
2880 l = ctx->read_ahead;
2881 ctx->read_ahead = larg;
2882 return l;
2883
2884 case SSL_CTRL_SET_MSG_CALLBACK_ARG:
2885 ctx->msg_callback_arg = parg;
2886 return 1;
2887
2888 case SSL_CTRL_GET_MAX_CERT_LIST:
2889 return (long)ctx->max_cert_list;
2890 case SSL_CTRL_SET_MAX_CERT_LIST:
2891 if (larg < 0)
2892 return 0;
2893 l = (long)ctx->max_cert_list;
2894 ctx->max_cert_list = (size_t)larg;
2895 return l;
2896
2897 case SSL_CTRL_SET_SESS_CACHE_SIZE:
2898 if (larg < 0)
2899 return 0;
2900 l = (long)ctx->session_cache_size;
2901 ctx->session_cache_size = (size_t)larg;
2902 return l;
2903 case SSL_CTRL_GET_SESS_CACHE_SIZE:
2904 return (long)ctx->session_cache_size;
2905 case SSL_CTRL_SET_SESS_CACHE_MODE:
2906 l = ctx->session_cache_mode;
2907 ctx->session_cache_mode = larg;
2908 return l;
2909 case SSL_CTRL_GET_SESS_CACHE_MODE:
2910 return ctx->session_cache_mode;
2911
2912 case SSL_CTRL_SESS_NUMBER:
2913 return lh_SSL_SESSION_num_items(ctx->sessions);
2914 case SSL_CTRL_SESS_CONNECT:
2915 return ssl_tsan_load(ctx, &ctx->stats.sess_connect);
2916 case SSL_CTRL_SESS_CONNECT_GOOD:
2917 return ssl_tsan_load(ctx, &ctx->stats.sess_connect_good);
2918 case SSL_CTRL_SESS_CONNECT_RENEGOTIATE:
2919 return ssl_tsan_load(ctx, &ctx->stats.sess_connect_renegotiate);
2920 case SSL_CTRL_SESS_ACCEPT:
2921 return ssl_tsan_load(ctx, &ctx->stats.sess_accept);
2922 case SSL_CTRL_SESS_ACCEPT_GOOD:
2923 return ssl_tsan_load(ctx, &ctx->stats.sess_accept_good);
2924 case SSL_CTRL_SESS_ACCEPT_RENEGOTIATE:
2925 return ssl_tsan_load(ctx, &ctx->stats.sess_accept_renegotiate);
2926 case SSL_CTRL_SESS_HIT:
2927 return ssl_tsan_load(ctx, &ctx->stats.sess_hit);
2928 case SSL_CTRL_SESS_CB_HIT:
2929 return ssl_tsan_load(ctx, &ctx->stats.sess_cb_hit);
2930 case SSL_CTRL_SESS_MISSES:
2931 return ssl_tsan_load(ctx, &ctx->stats.sess_miss);
2932 case SSL_CTRL_SESS_TIMEOUTS:
2933 return ssl_tsan_load(ctx, &ctx->stats.sess_timeout);
2934 case SSL_CTRL_SESS_CACHE_FULL:
2935 return ssl_tsan_load(ctx, &ctx->stats.sess_cache_full);
2936 case SSL_CTRL_MODE:
2937 return (ctx->mode |= larg);
2938 case SSL_CTRL_CLEAR_MODE:
2939 return (ctx->mode &= ~larg);
2940 case SSL_CTRL_SET_MAX_SEND_FRAGMENT:
2941 if (larg < 512 || larg > SSL3_RT_MAX_PLAIN_LENGTH)
2942 return 0;
2943 ctx->max_send_fragment = larg;
2944 if (ctx->max_send_fragment < ctx->split_send_fragment)
2945 ctx->split_send_fragment = ctx->max_send_fragment;
2946 return 1;
2947 case SSL_CTRL_SET_SPLIT_SEND_FRAGMENT:
2948 if ((size_t)larg > ctx->max_send_fragment || larg == 0)
2949 return 0;
2950 ctx->split_send_fragment = larg;
2951 return 1;
2952 case SSL_CTRL_SET_MAX_PIPELINES:
2953 if (larg < 1 || larg > SSL_MAX_PIPELINES)
2954 return 0;
2955 ctx->max_pipelines = larg;
2956 return 1;
2957 case SSL_CTRL_CERT_FLAGS:
2958 return (ctx->cert->cert_flags |= larg);
2959 case SSL_CTRL_CLEAR_CERT_FLAGS:
2960 return (ctx->cert->cert_flags &= ~larg);
2961 case SSL_CTRL_SET_MIN_PROTO_VERSION:
2962 return ssl_check_allowed_versions(larg, ctx->max_proto_version)
2963 && ssl_set_version_bound(ctx->method->version, (int)larg,
2964 &ctx->min_proto_version);
2965 case SSL_CTRL_GET_MIN_PROTO_VERSION:
2966 return ctx->min_proto_version;
2967 case SSL_CTRL_SET_MAX_PROTO_VERSION:
2968 return ssl_check_allowed_versions(ctx->min_proto_version, larg)
2969 && ssl_set_version_bound(ctx->method->version, (int)larg,
2970 &ctx->max_proto_version);
2971 case SSL_CTRL_GET_MAX_PROTO_VERSION:
2972 return ctx->max_proto_version;
2973 default:
2974 return ctx->method->ssl_ctx_ctrl(ctx, cmd, larg, parg);
2975 }
2976 }
2977
2978 long SSL_CTX_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp) (void))
2979 {
2980 switch (cmd) {
2981 case SSL_CTRL_SET_MSG_CALLBACK:
2982 ctx->msg_callback = (void (*)
2983 (int write_p, int version, int content_type,
2984 const void *buf, size_t len, SSL *ssl,
2985 void *arg))(fp);
2986 return 1;
2987
2988 default:
2989 return ctx->method->ssl_ctx_callback_ctrl(ctx, cmd, fp);
2990 }
2991 }
2992
2993 int ssl_cipher_id_cmp(const SSL_CIPHER *a, const SSL_CIPHER *b)
2994 {
2995 if (a->id > b->id)
2996 return 1;
2997 if (a->id < b->id)
2998 return -1;
2999 return 0;
3000 }
3001
3002 int ssl_cipher_ptr_id_cmp(const SSL_CIPHER *const *ap,
3003 const SSL_CIPHER *const *bp)
3004 {
3005 if ((*ap)->id > (*bp)->id)
3006 return 1;
3007 if ((*ap)->id < (*bp)->id)
3008 return -1;
3009 return 0;
3010 }
3011
3012 /*
3013 * return a STACK of the ciphers available for the SSL and in order of
3014 * preference
3015 */
3016 STACK_OF(SSL_CIPHER) *SSL_get_ciphers(const SSL *s)
3017 {
3018 const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
3019
3020 if (sc != NULL) {
3021 if (sc->cipher_list != NULL) {
3022 return sc->cipher_list;
3023 } else if ((s->ctx != NULL) && (s->ctx->cipher_list != NULL)) {
3024 return s->ctx->cipher_list;
3025 }
3026 }
3027 return NULL;
3028 }
3029
3030 STACK_OF(SSL_CIPHER) *SSL_get_client_ciphers(const SSL *s)
3031 {
3032 const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
3033
3034 if (sc == NULL || !sc->server)
3035 return NULL;
3036 return sc->peer_ciphers;
3037 }
3038
3039 STACK_OF(SSL_CIPHER) *SSL_get1_supported_ciphers(SSL *s)
3040 {
3041 STACK_OF(SSL_CIPHER) *sk = NULL, *ciphers;
3042 int i;
3043 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
3044
3045 if (sc == NULL)
3046 return NULL;
3047
3048 ciphers = SSL_get_ciphers(s);
3049 if (!ciphers)
3050 return NULL;
3051 if (!ssl_set_client_disabled(sc))
3052 return NULL;
3053 for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) {
3054 const SSL_CIPHER *c = sk_SSL_CIPHER_value(ciphers, i);
3055 if (!ssl_cipher_disabled(sc, c, SSL_SECOP_CIPHER_SUPPORTED, 0)) {
3056 if (!sk)
3057 sk = sk_SSL_CIPHER_new_null();
3058 if (!sk)
3059 return NULL;
3060 if (!sk_SSL_CIPHER_push(sk, c)) {
3061 sk_SSL_CIPHER_free(sk);
3062 return NULL;
3063 }
3064 }
3065 }
3066 return sk;
3067 }
3068
3069 /** return a STACK of the ciphers available for the SSL and in order of
3070 * algorithm id */
3071 STACK_OF(SSL_CIPHER) *ssl_get_ciphers_by_id(SSL_CONNECTION *s)
3072 {
3073 if (s != NULL) {
3074 if (s->cipher_list_by_id != NULL)
3075 return s->cipher_list_by_id;
3076 else if (s->ssl.ctx != NULL
3077 && s->ssl.ctx->cipher_list_by_id != NULL)
3078 return s->ssl.ctx->cipher_list_by_id;
3079 }
3080 return NULL;
3081 }
3082
3083 /** The old interface to get the same thing as SSL_get_ciphers() */
3084 const char *SSL_get_cipher_list(const SSL *s, int n)
3085 {
3086 const SSL_CIPHER *c;
3087 STACK_OF(SSL_CIPHER) *sk;
3088
3089 if (s == NULL)
3090 return NULL;
3091 sk = SSL_get_ciphers(s);
3092 if ((sk == NULL) || (sk_SSL_CIPHER_num(sk) <= n))
3093 return NULL;
3094 c = sk_SSL_CIPHER_value(sk, n);
3095 if (c == NULL)
3096 return NULL;
3097 return c->name;
3098 }
3099
3100 /** return a STACK of the ciphers available for the SSL_CTX and in order of
3101 * preference */
3102 STACK_OF(SSL_CIPHER) *SSL_CTX_get_ciphers(const SSL_CTX *ctx)
3103 {
3104 if (ctx != NULL)
3105 return ctx->cipher_list;
3106 return NULL;
3107 }
3108
3109 /*
3110 * Distinguish between ciphers controlled by set_ciphersuite() and
3111 * set_cipher_list() when counting.
3112 */
3113 static int cipher_list_tls12_num(STACK_OF(SSL_CIPHER) *sk)
3114 {
3115 int i, num = 0;
3116 const SSL_CIPHER *c;
3117
3118 if (sk == NULL)
3119 return 0;
3120 for (i = 0; i < sk_SSL_CIPHER_num(sk); ++i) {
3121 c = sk_SSL_CIPHER_value(sk, i);
3122 if (c->min_tls >= TLS1_3_VERSION)
3123 continue;
3124 num++;
3125 }
3126 return num;
3127 }
3128
3129 /** specify the ciphers to be used by default by the SSL_CTX */
3130 int SSL_CTX_set_cipher_list(SSL_CTX *ctx, const char *str)
3131 {
3132 STACK_OF(SSL_CIPHER) *sk;
3133
3134 sk = ssl_create_cipher_list(ctx, ctx->tls13_ciphersuites,
3135 &ctx->cipher_list, &ctx->cipher_list_by_id, str,
3136 ctx->cert);
3137 /*
3138 * ssl_create_cipher_list may return an empty stack if it was unable to
3139 * find a cipher matching the given rule string (for example if the rule
3140 * string specifies a cipher which has been disabled). This is not an
3141 * error as far as ssl_create_cipher_list is concerned, and hence
3142 * ctx->cipher_list and ctx->cipher_list_by_id has been updated.
3143 */
3144 if (sk == NULL)
3145 return 0;
3146 else if (cipher_list_tls12_num(sk) == 0) {
3147 ERR_raise(ERR_LIB_SSL, SSL_R_NO_CIPHER_MATCH);
3148 return 0;
3149 }
3150 return 1;
3151 }
3152
3153 /** specify the ciphers to be used by the SSL */
3154 int SSL_set_cipher_list(SSL *s, const char *str)
3155 {
3156 STACK_OF(SSL_CIPHER) *sk;
3157 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
3158
3159 if (sc == NULL)
3160 return 0;
3161
3162 sk = ssl_create_cipher_list(s->ctx, sc->tls13_ciphersuites,
3163 &sc->cipher_list, &sc->cipher_list_by_id, str,
3164 sc->cert);
3165 /* see comment in SSL_CTX_set_cipher_list */
3166 if (sk == NULL)
3167 return 0;
3168 else if (cipher_list_tls12_num(sk) == 0) {
3169 ERR_raise(ERR_LIB_SSL, SSL_R_NO_CIPHER_MATCH);
3170 return 0;
3171 }
3172 return 1;
3173 }
3174
3175 char *SSL_get_shared_ciphers(const SSL *s, char *buf, int size)
3176 {
3177 char *p;
3178 STACK_OF(SSL_CIPHER) *clntsk, *srvrsk;
3179 const SSL_CIPHER *c;
3180 int i;
3181 const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
3182
3183 if (sc == NULL)
3184 return NULL;
3185
3186 if (!sc->server
3187 || sc->peer_ciphers == NULL
3188 || size < 2)
3189 return NULL;
3190
3191 p = buf;
3192 clntsk = sc->peer_ciphers;
3193 srvrsk = SSL_get_ciphers(s);
3194 if (clntsk == NULL || srvrsk == NULL)
3195 return NULL;
3196
3197 if (sk_SSL_CIPHER_num(clntsk) == 0 || sk_SSL_CIPHER_num(srvrsk) == 0)
3198 return NULL;
3199
3200 for (i = 0; i < sk_SSL_CIPHER_num(clntsk); i++) {
3201 int n;
3202
3203 c = sk_SSL_CIPHER_value(clntsk, i);
3204 if (sk_SSL_CIPHER_find(srvrsk, c) < 0)
3205 continue;
3206
3207 n = strlen(c->name);
3208 if (n + 1 > size) {
3209 if (p != buf)
3210 --p;
3211 *p = '\0';
3212 return buf;
3213 }
3214 strcpy(p, c->name);
3215 p += n;
3216 *(p++) = ':';
3217 size -= n + 1;
3218 }
3219 p[-1] = '\0';
3220 return buf;
3221 }
3222
3223 /**
3224 * Return the requested servername (SNI) value. Note that the behaviour varies
3225 * depending on:
3226 * - whether this is called by the client or the server,
3227 * - if we are before or during/after the handshake,
3228 * - if a resumption or normal handshake is being attempted/has occurred
3229 * - whether we have negotiated TLSv1.2 (or below) or TLSv1.3
3230 *
3231 * Note that only the host_name type is defined (RFC 3546).
3232 */
3233 const char *SSL_get_servername(const SSL *s, const int type)
3234 {
3235 const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
3236 int server;
3237
3238 if (sc == NULL)
3239 return NULL;
3240
3241 /*
3242 * If we don't know if we are the client or the server yet then we assume
3243 * client.
3244 */
3245 server = sc->handshake_func == NULL ? 0 : sc->server;
3246
3247 if (type != TLSEXT_NAMETYPE_host_name)
3248 return NULL;
3249
3250 if (server) {
3251 /**
3252 * Server side
3253 * In TLSv1.3 on the server SNI is not associated with the session
3254 * but in TLSv1.2 or below it is.
3255 *
3256 * Before the handshake:
3257 * - return NULL
3258 *
3259 * During/after the handshake (TLSv1.2 or below resumption occurred):
3260 * - If a servername was accepted by the server in the original
3261 * handshake then it will return that servername, or NULL otherwise.
3262 *
3263 * During/after the handshake (TLSv1.2 or below resumption did not occur):
3264 * - The function will return the servername requested by the client in
3265 * this handshake or NULL if none was requested.
3266 */
3267 if (sc->hit && !SSL_CONNECTION_IS_TLS13(sc))
3268 return sc->session->ext.hostname;
3269 } else {
3270 /**
3271 * Client side
3272 *
3273 * Before the handshake:
3274 * - If a servername has been set via a call to
3275 * SSL_set_tlsext_host_name() then it will return that servername
3276 * - If one has not been set, but a TLSv1.2 resumption is being
3277 * attempted and the session from the original handshake had a
3278 * servername accepted by the server then it will return that
3279 * servername
3280 * - Otherwise it returns NULL
3281 *
3282 * During/after the handshake (TLSv1.2 or below resumption occurred):
3283 * - If the session from the original handshake had a servername accepted
3284 * by the server then it will return that servername.
3285 * - Otherwise it returns the servername set via
3286 * SSL_set_tlsext_host_name() (or NULL if it was not called).
3287 *
3288 * During/after the handshake (TLSv1.2 or below resumption did not occur):
3289 * - It will return the servername set via SSL_set_tlsext_host_name()
3290 * (or NULL if it was not called).
3291 */
3292 if (SSL_in_before(s)) {
3293 if (sc->ext.hostname == NULL
3294 && sc->session != NULL
3295 && sc->session->ssl_version != TLS1_3_VERSION)
3296 return sc->session->ext.hostname;
3297 } else {
3298 if (!SSL_CONNECTION_IS_TLS13(sc) && sc->hit
3299 && sc->session->ext.hostname != NULL)
3300 return sc->session->ext.hostname;
3301 }
3302 }
3303
3304 return sc->ext.hostname;
3305 }
3306
3307 int SSL_get_servername_type(const SSL *s)
3308 {
3309 if (SSL_get_servername(s, TLSEXT_NAMETYPE_host_name) != NULL)
3310 return TLSEXT_NAMETYPE_host_name;
3311 return -1;
3312 }
3313
3314 /*
3315 * SSL_select_next_proto implements the standard protocol selection. It is
3316 * expected that this function is called from the callback set by
3317 * SSL_CTX_set_next_proto_select_cb. The protocol data is assumed to be a
3318 * vector of 8-bit, length prefixed byte strings. The length byte itself is
3319 * not included in the length. A byte string of length 0 is invalid. No byte
3320 * string may be truncated. The current, but experimental algorithm for
3321 * selecting the protocol is: 1) If the server doesn't support NPN then this
3322 * is indicated to the callback. In this case, the client application has to
3323 * abort the connection or have a default application level protocol. 2) If
3324 * the server supports NPN, but advertises an empty list then the client
3325 * selects the first protocol in its list, but indicates via the API that this
3326 * fallback case was enacted. 3) Otherwise, the client finds the first
3327 * protocol in the server's list that it supports and selects this protocol.
3328 * This is because it's assumed that the server has better information about
3329 * which protocol a client should use. 4) If the client doesn't support any
3330 * of the server's advertised protocols, then this is treated the same as
3331 * case 2. It returns either OPENSSL_NPN_NEGOTIATED if a common protocol was
3332 * found, or OPENSSL_NPN_NO_OVERLAP if the fallback case was reached.
3333 */
3334 int SSL_select_next_proto(unsigned char **out, unsigned char *outlen,
3335 const unsigned char *server,
3336 unsigned int server_len,
3337 const unsigned char *client, unsigned int client_len)
3338 {
3339 unsigned int i, j;
3340 const unsigned char *result;
3341 int status = OPENSSL_NPN_UNSUPPORTED;
3342
3343 /*
3344 * For each protocol in server preference order, see if we support it.
3345 */
3346 for (i = 0; i < server_len;) {
3347 for (j = 0; j < client_len;) {
3348 if (server[i] == client[j] &&
3349 memcmp(&server[i + 1], &client[j + 1], server[i]) == 0) {
3350 /* We found a match */
3351 result = &server[i];
3352 status = OPENSSL_NPN_NEGOTIATED;
3353 goto found;
3354 }
3355 j += client[j];
3356 j++;
3357 }
3358 i += server[i];
3359 i++;
3360 }
3361
3362 /* There's no overlap between our protocols and the server's list. */
3363 result = client;
3364 status = OPENSSL_NPN_NO_OVERLAP;
3365
3366 found:
3367 *out = (unsigned char *)result + 1;
3368 *outlen = result[0];
3369 return status;
3370 }
3371
3372 #ifndef OPENSSL_NO_NEXTPROTONEG
3373 /*
3374 * SSL_get0_next_proto_negotiated sets *data and *len to point to the
3375 * client's requested protocol for this connection and returns 0. If the
3376 * client didn't request any protocol, then *data is set to NULL. Note that
3377 * the client can request any protocol it chooses. The value returned from
3378 * this function need not be a member of the list of supported protocols
3379 * provided by the callback.
3380 */
3381 void SSL_get0_next_proto_negotiated(const SSL *s, const unsigned char **data,
3382 unsigned *len)
3383 {
3384 const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
3385
3386 if (sc == NULL) {
3387 /* We have no other way to indicate error */
3388 *data = NULL;
3389 *len = 0;
3390 return;
3391 }
3392
3393 *data = sc->ext.npn;
3394 if (*data == NULL) {
3395 *len = 0;
3396 } else {
3397 *len = (unsigned int)sc->ext.npn_len;
3398 }
3399 }
3400
3401 /*
3402 * SSL_CTX_set_npn_advertised_cb sets a callback that is called when
3403 * a TLS server needs a list of supported protocols for Next Protocol
3404 * Negotiation. The returned list must be in wire format. The list is
3405 * returned by setting |out| to point to it and |outlen| to its length. This
3406 * memory will not be modified, but one should assume that the SSL* keeps a
3407 * reference to it. The callback should return SSL_TLSEXT_ERR_OK if it
3408 * wishes to advertise. Otherwise, no such extension will be included in the
3409 * ServerHello.
3410 */
3411 void SSL_CTX_set_npn_advertised_cb(SSL_CTX *ctx,
3412 SSL_CTX_npn_advertised_cb_func cb,
3413 void *arg)
3414 {
3415 ctx->ext.npn_advertised_cb = cb;
3416 ctx->ext.npn_advertised_cb_arg = arg;
3417 }
3418
3419 /*
3420 * SSL_CTX_set_next_proto_select_cb sets a callback that is called when a
3421 * client needs to select a protocol from the server's provided list. |out|
3422 * must be set to point to the selected protocol (which may be within |in|).
3423 * The length of the protocol name must be written into |outlen|. The
3424 * server's advertised protocols are provided in |in| and |inlen|. The
3425 * callback can assume that |in| is syntactically valid. The client must
3426 * select a protocol. It is fatal to the connection if this callback returns
3427 * a value other than SSL_TLSEXT_ERR_OK.
3428 */
3429 void SSL_CTX_set_npn_select_cb(SSL_CTX *ctx,
3430 SSL_CTX_npn_select_cb_func cb,
3431 void *arg)
3432 {
3433 ctx->ext.npn_select_cb = cb;
3434 ctx->ext.npn_select_cb_arg = arg;
3435 }
3436 #endif
3437
3438 static int alpn_value_ok(const unsigned char *protos, unsigned int protos_len)
3439 {
3440 unsigned int idx;
3441
3442 if (protos_len < 2 || protos == NULL)
3443 return 0;
3444
3445 for (idx = 0; idx < protos_len; idx += protos[idx] + 1) {
3446 if (protos[idx] == 0)
3447 return 0;
3448 }
3449 return idx == protos_len;
3450 }
3451 /*
3452 * SSL_CTX_set_alpn_protos sets the ALPN protocol list on |ctx| to |protos|.
3453 * |protos| must be in wire-format (i.e. a series of non-empty, 8-bit
3454 * length-prefixed strings). Returns 0 on success.
3455 */
3456 int SSL_CTX_set_alpn_protos(SSL_CTX *ctx, const unsigned char *protos,
3457 unsigned int protos_len)
3458 {
3459 unsigned char *alpn;
3460
3461 if (protos_len == 0 || protos == NULL) {
3462 OPENSSL_free(ctx->ext.alpn);
3463 ctx->ext.alpn = NULL;
3464 ctx->ext.alpn_len = 0;
3465 return 0;
3466 }
3467 /* Not valid per RFC */
3468 if (!alpn_value_ok(protos, protos_len))
3469 return 1;
3470
3471 alpn = OPENSSL_memdup(protos, protos_len);
3472 if (alpn == NULL) {
3473 ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE);
3474 return 1;
3475 }
3476 OPENSSL_free(ctx->ext.alpn);
3477 ctx->ext.alpn = alpn;
3478 ctx->ext.alpn_len = protos_len;
3479
3480 return 0;
3481 }
3482
3483 /*
3484 * SSL_set_alpn_protos sets the ALPN protocol list on |ssl| to |protos|.
3485 * |protos| must be in wire-format (i.e. a series of non-empty, 8-bit
3486 * length-prefixed strings). Returns 0 on success.
3487 */
3488 int SSL_set_alpn_protos(SSL *ssl, const unsigned char *protos,
3489 unsigned int protos_len)
3490 {
3491 unsigned char *alpn;
3492 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(ssl);
3493
3494 if (sc == NULL)
3495 return 1;
3496
3497 if (protos_len == 0 || protos == NULL) {
3498 OPENSSL_free(sc->ext.alpn);
3499 sc->ext.alpn = NULL;
3500 sc->ext.alpn_len = 0;
3501 return 0;
3502 }
3503 /* Not valid per RFC */
3504 if (!alpn_value_ok(protos, protos_len))
3505 return 1;
3506
3507 alpn = OPENSSL_memdup(protos, protos_len);
3508 if (alpn == NULL) {
3509 ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE);
3510 return 1;
3511 }
3512 OPENSSL_free(sc->ext.alpn);
3513 sc->ext.alpn = alpn;
3514 sc->ext.alpn_len = protos_len;
3515
3516 return 0;
3517 }
3518
3519 /*
3520 * SSL_CTX_set_alpn_select_cb sets a callback function on |ctx| that is
3521 * called during ClientHello processing in order to select an ALPN protocol
3522 * from the client's list of offered protocols.
3523 */
3524 void SSL_CTX_set_alpn_select_cb(SSL_CTX *ctx,
3525 SSL_CTX_alpn_select_cb_func cb,
3526 void *arg)
3527 {
3528 ctx->ext.alpn_select_cb = cb;
3529 ctx->ext.alpn_select_cb_arg = arg;
3530 }
3531
3532 /*
3533 * SSL_get0_alpn_selected gets the selected ALPN protocol (if any) from |ssl|.
3534 * On return it sets |*data| to point to |*len| bytes of protocol name
3535 * (not including the leading length-prefix byte). If the server didn't
3536 * respond with a negotiated protocol then |*len| will be zero.
3537 */
3538 void SSL_get0_alpn_selected(const SSL *ssl, const unsigned char **data,
3539 unsigned int *len)
3540 {
3541 const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(ssl);
3542
3543 if (sc == NULL) {
3544 /* We have no other way to indicate error */
3545 *data = NULL;
3546 *len = 0;
3547 return;
3548 }
3549
3550 *data = sc->s3.alpn_selected;
3551 if (*data == NULL)
3552 *len = 0;
3553 else
3554 *len = (unsigned int)sc->s3.alpn_selected_len;
3555 }
3556
3557 int SSL_export_keying_material(SSL *s, unsigned char *out, size_t olen,
3558 const char *label, size_t llen,
3559 const unsigned char *context, size_t contextlen,
3560 int use_context)
3561 {
3562 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
3563
3564 if (sc == NULL)
3565 return -1;
3566
3567 if (sc->session == NULL
3568 || (sc->version < TLS1_VERSION && sc->version != DTLS1_BAD_VER))
3569 return -1;
3570
3571 return s->method->ssl3_enc->export_keying_material(sc, out, olen, label,
3572 llen, context,
3573 contextlen, use_context);
3574 }
3575
3576 int SSL_export_keying_material_early(SSL *s, unsigned char *out, size_t olen,
3577 const char *label, size_t llen,
3578 const unsigned char *context,
3579 size_t contextlen)
3580 {
3581 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
3582
3583 if (sc == NULL)
3584 return -1;
3585
3586 if (sc->version != TLS1_3_VERSION)
3587 return 0;
3588
3589 return tls13_export_keying_material_early(sc, out, olen, label, llen,
3590 context, contextlen);
3591 }
3592
3593 static unsigned long ssl_session_hash(const SSL_SESSION *a)
3594 {
3595 const unsigned char *session_id = a->session_id;
3596 unsigned long l;
3597 unsigned char tmp_storage[4];
3598
3599 if (a->session_id_length < sizeof(tmp_storage)) {
3600 memset(tmp_storage, 0, sizeof(tmp_storage));
3601 memcpy(tmp_storage, a->session_id, a->session_id_length);
3602 session_id = tmp_storage;
3603 }
3604
3605 l = (unsigned long)
3606 ((unsigned long)session_id[0]) |
3607 ((unsigned long)session_id[1] << 8L) |
3608 ((unsigned long)session_id[2] << 16L) |
3609 ((unsigned long)session_id[3] << 24L);
3610 return l;
3611 }
3612
3613 /*
3614 * NB: If this function (or indeed the hash function which uses a sort of
3615 * coarser function than this one) is changed, ensure
3616 * SSL_CTX_has_matching_session_id() is checked accordingly. It relies on
3617 * being able to construct an SSL_SESSION that will collide with any existing
3618 * session with a matching session ID.
3619 */
3620 static int ssl_session_cmp(const SSL_SESSION *a, const SSL_SESSION *b)
3621 {
3622 if (a->ssl_version != b->ssl_version)
3623 return 1;
3624 if (a->session_id_length != b->session_id_length)
3625 return 1;
3626 return memcmp(a->session_id, b->session_id, a->session_id_length);
3627 }
3628
3629 /*
3630 * These wrapper functions should remain rather than redeclaring
3631 * SSL_SESSION_hash and SSL_SESSION_cmp for void* types and casting each
3632 * variable. The reason is that the functions aren't static, they're exposed
3633 * via ssl.h.
3634 */
3635
3636 SSL_CTX *SSL_CTX_new_ex(OSSL_LIB_CTX *libctx, const char *propq,
3637 const SSL_METHOD *meth)
3638 {
3639 SSL_CTX *ret = NULL;
3640
3641 if (meth == NULL) {
3642 ERR_raise(ERR_LIB_SSL, SSL_R_NULL_SSL_METHOD_PASSED);
3643 return NULL;
3644 }
3645
3646 if (!OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS, NULL))
3647 return NULL;
3648
3649 if (SSL_get_ex_data_X509_STORE_CTX_idx() < 0) {
3650 ERR_raise(ERR_LIB_SSL, SSL_R_X509_VERIFICATION_SETUP_PROBLEMS);
3651 goto err;
3652 }
3653 ret = OPENSSL_zalloc(sizeof(*ret));
3654 if (ret == NULL)
3655 goto err;
3656
3657 /* Init the reference counting before any call to SSL_CTX_free */
3658 ret->references = 1;
3659 ret->lock = CRYPTO_THREAD_lock_new();
3660 if (ret->lock == NULL) {
3661 ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE);
3662 OPENSSL_free(ret);
3663 return NULL;
3664 }
3665
3666 #ifdef TSAN_REQUIRES_LOCKING
3667 ret->tsan_lock = CRYPTO_THREAD_lock_new();
3668 if (ret->tsan_lock == NULL) {
3669 ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE);
3670 goto err;
3671 }
3672 #endif
3673
3674 ret->libctx = libctx;
3675 if (propq != NULL) {
3676 ret->propq = OPENSSL_strdup(propq);
3677 if (ret->propq == NULL)
3678 goto err;
3679 }
3680
3681 ret->method = meth;
3682 ret->min_proto_version = 0;
3683 ret->max_proto_version = 0;
3684 ret->mode = SSL_MODE_AUTO_RETRY;
3685 ret->session_cache_mode = SSL_SESS_CACHE_SERVER;
3686 ret->session_cache_size = SSL_SESSION_CACHE_MAX_SIZE_DEFAULT;
3687 /* We take the system default. */
3688 ret->session_timeout = meth->get_timeout();
3689 ret->max_cert_list = SSL_MAX_CERT_LIST_DEFAULT;
3690 ret->verify_mode = SSL_VERIFY_NONE;
3691 if ((ret->cert = ssl_cert_new()) == NULL)
3692 goto err;
3693
3694 ret->sessions = lh_SSL_SESSION_new(ssl_session_hash, ssl_session_cmp);
3695 if (ret->sessions == NULL)
3696 goto err;
3697 ret->cert_store = X509_STORE_new();
3698 if (ret->cert_store == NULL)
3699 goto err;
3700 #ifndef OPENSSL_NO_CT
3701 ret->ctlog_store = CTLOG_STORE_new_ex(libctx, propq);
3702 if (ret->ctlog_store == NULL)
3703 goto err;
3704 #endif
3705
3706 /* initialize cipher/digest methods table */
3707 if (!ssl_load_ciphers(ret))
3708 goto err2;
3709 /* initialise sig algs */
3710 if (!ssl_setup_sig_algs(ret))
3711 goto err2;
3712
3713
3714 if (!ssl_load_groups(ret))
3715 goto err2;
3716
3717 if (!SSL_CTX_set_ciphersuites(ret, OSSL_default_ciphersuites()))
3718 goto err;
3719
3720 if (!ssl_create_cipher_list(ret,
3721 ret->tls13_ciphersuites,
3722 &ret->cipher_list, &ret->cipher_list_by_id,
3723 OSSL_default_cipher_list(), ret->cert)
3724 || sk_SSL_CIPHER_num(ret->cipher_list) <= 0) {
3725 ERR_raise(ERR_LIB_SSL, SSL_R_LIBRARY_HAS_NO_CIPHERS);
3726 goto err2;
3727 }
3728
3729 ret->param = X509_VERIFY_PARAM_new();
3730 if (ret->param == NULL)
3731 goto err;
3732
3733 /*
3734 * If these aren't available from the provider we'll get NULL returns.
3735 * That's fine but will cause errors later if SSLv3 is negotiated
3736 */
3737 ret->md5 = ssl_evp_md_fetch(libctx, NID_md5, propq);
3738 ret->sha1 = ssl_evp_md_fetch(libctx, NID_sha1, propq);
3739
3740 if ((ret->ca_names = sk_X509_NAME_new_null()) == NULL)
3741 goto err;
3742
3743 if ((ret->client_ca_names = sk_X509_NAME_new_null()) == NULL)
3744 goto err;
3745
3746 if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL_CTX, ret, &ret->ex_data))
3747 goto err;
3748
3749 if ((ret->ext.secure = OPENSSL_secure_zalloc(sizeof(*ret->ext.secure))) == NULL)
3750 goto err;
3751
3752 /* No compression for DTLS */
3753 if (!(meth->ssl3_enc->enc_flags & SSL_ENC_FLAG_DTLS))
3754 ret->comp_methods = SSL_COMP_get_compression_methods();
3755
3756 ret->max_send_fragment = SSL3_RT_MAX_PLAIN_LENGTH;
3757 ret->split_send_fragment = SSL3_RT_MAX_PLAIN_LENGTH;
3758
3759 /* Setup RFC5077 ticket keys */
3760 if ((RAND_bytes_ex(libctx, ret->ext.tick_key_name,
3761 sizeof(ret->ext.tick_key_name), 0) <= 0)
3762 || (RAND_priv_bytes_ex(libctx, ret->ext.secure->tick_hmac_key,
3763 sizeof(ret->ext.secure->tick_hmac_key), 0) <= 0)
3764 || (RAND_priv_bytes_ex(libctx, ret->ext.secure->tick_aes_key,
3765 sizeof(ret->ext.secure->tick_aes_key), 0) <= 0))
3766 ret->options |= SSL_OP_NO_TICKET;
3767
3768 if (RAND_priv_bytes_ex(libctx, ret->ext.cookie_hmac_key,
3769 sizeof(ret->ext.cookie_hmac_key), 0) <= 0)
3770 goto err;
3771
3772 #ifndef OPENSSL_NO_SRP
3773 if (!ssl_ctx_srp_ctx_init_intern(ret))
3774 goto err;
3775 #endif
3776 #ifndef OPENSSL_NO_ENGINE
3777 # ifdef OPENSSL_SSL_CLIENT_ENGINE_AUTO
3778 # define eng_strx(x) #x
3779 # define eng_str(x) eng_strx(x)
3780 /* Use specific client engine automatically... ignore errors */
3781 {
3782 ENGINE *eng;
3783 eng = ENGINE_by_id(eng_str(OPENSSL_SSL_CLIENT_ENGINE_AUTO));
3784 if (!eng) {
3785 ERR_clear_error();
3786 ENGINE_load_builtin_engines();
3787 eng = ENGINE_by_id(eng_str(OPENSSL_SSL_CLIENT_ENGINE_AUTO));
3788 }
3789 if (!eng || !SSL_CTX_set_client_cert_engine(ret, eng))
3790 ERR_clear_error();
3791 }
3792 # endif
3793 #endif
3794 /*
3795 * Disable compression by default to prevent CRIME. Applications can
3796 * re-enable compression by configuring
3797 * SSL_CTX_clear_options(ctx, SSL_OP_NO_COMPRESSION);
3798 * or by using the SSL_CONF library. Similarly we also enable TLSv1.3
3799 * middlebox compatibility by default. This may be disabled by default in
3800 * a later OpenSSL version.
3801 */
3802 ret->options |= SSL_OP_NO_COMPRESSION | SSL_OP_ENABLE_MIDDLEBOX_COMPAT;
3803
3804 ret->ext.status_type = TLSEXT_STATUSTYPE_nothing;
3805
3806 /*
3807 * We cannot usefully set a default max_early_data here (which gets
3808 * propagated in SSL_new(), for the following reason: setting the
3809 * SSL field causes tls_construct_stoc_early_data() to tell the
3810 * client that early data will be accepted when constructing a TLS 1.3
3811 * session ticket, and the client will accordingly send us early data
3812 * when using that ticket (if the client has early data to send).
3813 * However, in order for the early data to actually be consumed by
3814 * the application, the application must also have calls to
3815 * SSL_read_early_data(); otherwise we'll just skip past the early data
3816 * and ignore it. So, since the application must add calls to
3817 * SSL_read_early_data(), we also require them to add
3818 * calls to SSL_CTX_set_max_early_data() in order to use early data,
3819 * eliminating the bandwidth-wasting early data in the case described
3820 * above.
3821 */
3822 ret->max_early_data = 0;
3823
3824 /*
3825 * Default recv_max_early_data is a fully loaded single record. Could be
3826 * split across multiple records in practice. We set this differently to
3827 * max_early_data so that, in the default case, we do not advertise any
3828 * support for early_data, but if a client were to send us some (e.g.
3829 * because of an old, stale ticket) then we will tolerate it and skip over
3830 * it.
3831 */
3832 ret->recv_max_early_data = SSL3_RT_MAX_PLAIN_LENGTH;
3833
3834 /* By default we send two session tickets automatically in TLSv1.3 */
3835 ret->num_tickets = 2;
3836
3837 ssl_ctx_system_config(ret);
3838
3839 return ret;
3840 err:
3841 ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE);
3842 err2:
3843 SSL_CTX_free(ret);
3844 return NULL;
3845 }
3846
3847 SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth)
3848 {
3849 return SSL_CTX_new_ex(NULL, NULL, meth);
3850 }
3851
3852 int SSL_CTX_up_ref(SSL_CTX *ctx)
3853 {
3854 int i;
3855
3856 if (CRYPTO_UP_REF(&ctx->references, &i, ctx->lock) <= 0)
3857 return 0;
3858
3859 REF_PRINT_COUNT("SSL_CTX", ctx);
3860 REF_ASSERT_ISNT(i < 2);
3861 return ((i > 1) ? 1 : 0);
3862 }
3863
3864 void SSL_CTX_free(SSL_CTX *a)
3865 {
3866 int i;
3867 size_t j;
3868
3869 if (a == NULL)
3870 return;
3871
3872 CRYPTO_DOWN_REF(&a->references, &i, a->lock);
3873 REF_PRINT_COUNT("SSL_CTX", a);
3874 if (i > 0)
3875 return;
3876 REF_ASSERT_ISNT(i < 0);
3877
3878 X509_VERIFY_PARAM_free(a->param);
3879 dane_ctx_final(&a->dane);
3880
3881 /*
3882 * Free internal session cache. However: the remove_cb() may reference
3883 * the ex_data of SSL_CTX, thus the ex_data store can only be removed
3884 * after the sessions were flushed.
3885 * As the ex_data handling routines might also touch the session cache,
3886 * the most secure solution seems to be: empty (flush) the cache, then
3887 * free ex_data, then finally free the cache.
3888 * (See ticket [openssl.org #212].)
3889 */
3890 if (a->sessions != NULL)
3891 SSL_CTX_flush_sessions(a, 0);
3892
3893 CRYPTO_free_ex_data(CRYPTO_EX_INDEX_SSL_CTX, a, &a->ex_data);
3894 lh_SSL_SESSION_free(a->sessions);
3895 X509_STORE_free(a->cert_store);
3896 #ifndef OPENSSL_NO_CT
3897 CTLOG_STORE_free(a->ctlog_store);
3898 #endif
3899 sk_SSL_CIPHER_free(a->cipher_list);
3900 sk_SSL_CIPHER_free(a->cipher_list_by_id);
3901 sk_SSL_CIPHER_free(a->tls13_ciphersuites);
3902 ssl_cert_free(a->cert);
3903 sk_X509_NAME_pop_free(a->ca_names, X509_NAME_free);
3904 sk_X509_NAME_pop_free(a->client_ca_names, X509_NAME_free);
3905 OSSL_STACK_OF_X509_free(a->extra_certs);
3906 a->comp_methods = NULL;
3907 #ifndef OPENSSL_NO_SRTP
3908 sk_SRTP_PROTECTION_PROFILE_free(a->srtp_profiles);
3909 #endif
3910 #ifndef OPENSSL_NO_SRP
3911 ssl_ctx_srp_ctx_free_intern(a);
3912 #endif
3913 #ifndef OPENSSL_NO_ENGINE
3914 tls_engine_finish(a->client_cert_engine);
3915 #endif
3916
3917 OPENSSL_free(a->ext.ecpointformats);
3918 OPENSSL_free(a->ext.supportedgroups);
3919 OPENSSL_free(a->ext.supported_groups_default);
3920 OPENSSL_free(a->ext.alpn);
3921 OPENSSL_secure_free(a->ext.secure);
3922
3923 ssl_evp_md_free(a->md5);
3924 ssl_evp_md_free(a->sha1);
3925
3926 for (j = 0; j < SSL_ENC_NUM_IDX; j++)
3927 ssl_evp_cipher_free(a->ssl_cipher_methods[j]);
3928 for (j = 0; j < SSL_MD_NUM_IDX; j++)
3929 ssl_evp_md_free(a->ssl_digest_methods[j]);
3930 for (j = 0; j < a->group_list_len; j++) {
3931 OPENSSL_free(a->group_list[j].tlsname);
3932 OPENSSL_free(a->group_list[j].realname);
3933 OPENSSL_free(a->group_list[j].algorithm);
3934 }
3935 OPENSSL_free(a->group_list);
3936
3937 OPENSSL_free(a->sigalg_lookup_cache);
3938
3939 CRYPTO_THREAD_lock_free(a->lock);
3940 #ifdef TSAN_REQUIRES_LOCKING
3941 CRYPTO_THREAD_lock_free(a->tsan_lock);
3942 #endif
3943
3944 OPENSSL_free(a->propq);
3945
3946 OPENSSL_free(a);
3947 }
3948
3949 void SSL_CTX_set_default_passwd_cb(SSL_CTX *ctx, pem_password_cb *cb)
3950 {
3951 ctx->default_passwd_callback = cb;
3952 }
3953
3954 void SSL_CTX_set_default_passwd_cb_userdata(SSL_CTX *ctx, void *u)
3955 {
3956 ctx->default_passwd_callback_userdata = u;
3957 }
3958
3959 pem_password_cb *SSL_CTX_get_default_passwd_cb(SSL_CTX *ctx)
3960 {
3961 return ctx->default_passwd_callback;
3962 }
3963
3964 void *SSL_CTX_get_default_passwd_cb_userdata(SSL_CTX *ctx)
3965 {
3966 return ctx->default_passwd_callback_userdata;
3967 }
3968
3969 void SSL_set_default_passwd_cb(SSL *s, pem_password_cb *cb)
3970 {
3971 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
3972
3973 if (sc == NULL)
3974 return;
3975
3976 sc->default_passwd_callback = cb;
3977 }
3978
3979 void SSL_set_default_passwd_cb_userdata(SSL *s, void *u)
3980 {
3981 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
3982
3983 if (sc == NULL)
3984 return;
3985
3986 sc->default_passwd_callback_userdata = u;
3987 }
3988
3989 pem_password_cb *SSL_get_default_passwd_cb(SSL *s)
3990 {
3991 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
3992
3993 if (sc == NULL)
3994 return NULL;
3995
3996 return sc->default_passwd_callback;
3997 }
3998
3999 void *SSL_get_default_passwd_cb_userdata(SSL *s)
4000 {
4001 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
4002
4003 if (sc == NULL)
4004 return NULL;
4005
4006 return sc->default_passwd_callback_userdata;
4007 }
4008
4009 void SSL_CTX_set_cert_verify_callback(SSL_CTX *ctx,
4010 int (*cb) (X509_STORE_CTX *, void *),
4011 void *arg)
4012 {
4013 ctx->app_verify_callback = cb;
4014 ctx->app_verify_arg = arg;
4015 }
4016
4017 void SSL_CTX_set_verify(SSL_CTX *ctx, int mode,
4018 int (*cb) (int, X509_STORE_CTX *))
4019 {
4020 ctx->verify_mode = mode;
4021 ctx->default_verify_callback = cb;
4022 }
4023
4024 void SSL_CTX_set_verify_depth(SSL_CTX *ctx, int depth)
4025 {
4026 X509_VERIFY_PARAM_set_depth(ctx->param, depth);
4027 }
4028
4029 void SSL_CTX_set_cert_cb(SSL_CTX *c, int (*cb) (SSL *ssl, void *arg), void *arg)
4030 {
4031 ssl_cert_set_cert_cb(c->cert, cb, arg);
4032 }
4033
4034 void SSL_set_cert_cb(SSL *s, int (*cb) (SSL *ssl, void *arg), void *arg)
4035 {
4036 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
4037
4038 if (sc == NULL)
4039 return;
4040
4041 ssl_cert_set_cert_cb(sc->cert, cb, arg);
4042 }
4043
4044 void ssl_set_masks(SSL_CONNECTION *s)
4045 {
4046 CERT *c = s->cert;
4047 uint32_t *pvalid = s->s3.tmp.valid_flags;
4048 int rsa_enc, rsa_sign, dh_tmp, dsa_sign;
4049 unsigned long mask_k, mask_a;
4050 int have_ecc_cert, ecdsa_ok;
4051
4052 if (c == NULL)
4053 return;
4054
4055 dh_tmp = (c->dh_tmp != NULL
4056 || c->dh_tmp_cb != NULL
4057 || c->dh_tmp_auto);
4058
4059 rsa_enc = pvalid[SSL_PKEY_RSA] & CERT_PKEY_VALID;
4060 rsa_sign = pvalid[SSL_PKEY_RSA] & CERT_PKEY_VALID;
4061 dsa_sign = pvalid[SSL_PKEY_DSA_SIGN] & CERT_PKEY_VALID;
4062 have_ecc_cert = pvalid[SSL_PKEY_ECC] & CERT_PKEY_VALID;
4063 mask_k = 0;
4064 mask_a = 0;
4065
4066 OSSL_TRACE4(TLS_CIPHER, "dh_tmp=%d rsa_enc=%d rsa_sign=%d dsa_sign=%d\n",
4067 dh_tmp, rsa_enc, rsa_sign, dsa_sign);
4068
4069 #ifndef OPENSSL_NO_GOST
4070 if (ssl_has_cert(s, SSL_PKEY_GOST12_512)) {
4071 mask_k |= SSL_kGOST | SSL_kGOST18;
4072 mask_a |= SSL_aGOST12;
4073 }
4074 if (ssl_has_cert(s, SSL_PKEY_GOST12_256)) {
4075 mask_k |= SSL_kGOST | SSL_kGOST18;
4076 mask_a |= SSL_aGOST12;
4077 }
4078 if (ssl_has_cert(s, SSL_PKEY_GOST01)) {
4079 mask_k |= SSL_kGOST;
4080 mask_a |= SSL_aGOST01;
4081 }
4082 #endif
4083
4084 if (rsa_enc)
4085 mask_k |= SSL_kRSA;
4086
4087 if (dh_tmp)
4088 mask_k |= SSL_kDHE;
4089
4090 /*
4091 * If we only have an RSA-PSS certificate allow RSA authentication
4092 * if TLS 1.2 and peer supports it.
4093 */
4094
4095 if (rsa_enc || rsa_sign || (ssl_has_cert(s, SSL_PKEY_RSA_PSS_SIGN)
4096 && pvalid[SSL_PKEY_RSA_PSS_SIGN] & CERT_PKEY_EXPLICIT_SIGN
4097 && TLS1_get_version(&s->ssl) == TLS1_2_VERSION))
4098 mask_a |= SSL_aRSA;
4099
4100 if (dsa_sign) {
4101 mask_a |= SSL_aDSS;
4102 }
4103
4104 mask_a |= SSL_aNULL;
4105
4106 /*
4107 * An ECC certificate may be usable for ECDH and/or ECDSA cipher suites
4108 * depending on the key usage extension.
4109 */
4110 if (have_ecc_cert) {
4111 uint32_t ex_kusage;
4112 ex_kusage = X509_get_key_usage(c->pkeys[SSL_PKEY_ECC].x509);
4113 ecdsa_ok = ex_kusage & X509v3_KU_DIGITAL_SIGNATURE;
4114 if (!(pvalid[SSL_PKEY_ECC] & CERT_PKEY_SIGN))
4115 ecdsa_ok = 0;
4116 if (ecdsa_ok)
4117 mask_a |= SSL_aECDSA;
4118 }
4119 /* Allow Ed25519 for TLS 1.2 if peer supports it */
4120 if (!(mask_a & SSL_aECDSA) && ssl_has_cert(s, SSL_PKEY_ED25519)
4121 && pvalid[SSL_PKEY_ED25519] & CERT_PKEY_EXPLICIT_SIGN
4122 && TLS1_get_version(&s->ssl) == TLS1_2_VERSION)
4123 mask_a |= SSL_aECDSA;
4124
4125 /* Allow Ed448 for TLS 1.2 if peer supports it */
4126 if (!(mask_a & SSL_aECDSA) && ssl_has_cert(s, SSL_PKEY_ED448)
4127 && pvalid[SSL_PKEY_ED448] & CERT_PKEY_EXPLICIT_SIGN
4128 && TLS1_get_version(&s->ssl) == TLS1_2_VERSION)
4129 mask_a |= SSL_aECDSA;
4130
4131 mask_k |= SSL_kECDHE;
4132
4133 #ifndef OPENSSL_NO_PSK
4134 mask_k |= SSL_kPSK;
4135 mask_a |= SSL_aPSK;
4136 if (mask_k & SSL_kRSA)
4137 mask_k |= SSL_kRSAPSK;
4138 if (mask_k & SSL_kDHE)
4139 mask_k |= SSL_kDHEPSK;
4140 if (mask_k & SSL_kECDHE)
4141 mask_k |= SSL_kECDHEPSK;
4142 #endif
4143
4144 s->s3.tmp.mask_k = mask_k;
4145 s->s3.tmp.mask_a = mask_a;
4146 }
4147
4148 int ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL_CONNECTION *s)
4149 {
4150 if (s->s3.tmp.new_cipher->algorithm_auth & SSL_aECDSA) {
4151 /* key usage, if present, must allow signing */
4152 if (!(X509_get_key_usage(x) & X509v3_KU_DIGITAL_SIGNATURE)) {
4153 ERR_raise(ERR_LIB_SSL, SSL_R_ECC_CERT_NOT_FOR_SIGNING);
4154 return 0;
4155 }
4156 }
4157 return 1; /* all checks are ok */
4158 }
4159
4160 int ssl_get_server_cert_serverinfo(SSL_CONNECTION *s,
4161 const unsigned char **serverinfo,
4162 size_t *serverinfo_length)
4163 {
4164 CERT_PKEY *cpk = s->s3.tmp.cert;
4165 *serverinfo_length = 0;
4166
4167 if (cpk == NULL || cpk->serverinfo == NULL)
4168 return 0;
4169
4170 *serverinfo = cpk->serverinfo;
4171 *serverinfo_length = cpk->serverinfo_length;
4172 return 1;
4173 }
4174
4175 void ssl_update_cache(SSL_CONNECTION *s, int mode)
4176 {
4177 int i;
4178
4179 /*
4180 * If the session_id_length is 0, we are not supposed to cache it, and it
4181 * would be rather hard to do anyway :-)
4182 */
4183 if (s->session->session_id_length == 0)
4184 return;
4185
4186 /*
4187 * If sid_ctx_length is 0 there is no specific application context
4188 * associated with this session, so when we try to resume it and
4189 * SSL_VERIFY_PEER is requested to verify the client identity, we have no
4190 * indication that this is actually a session for the proper application
4191 * context, and the *handshake* will fail, not just the resumption attempt.
4192 * Do not cache (on the server) these sessions that are not resumable
4193 * (clients can set SSL_VERIFY_PEER without needing a sid_ctx set).
4194 */
4195 if (s->server && s->session->sid_ctx_length == 0
4196 && (s->verify_mode & SSL_VERIFY_PEER) != 0)
4197 return;
4198
4199 i = s->session_ctx->session_cache_mode;
4200 if ((i & mode) != 0
4201 && (!s->hit || SSL_CONNECTION_IS_TLS13(s))) {
4202 /*
4203 * Add the session to the internal cache. In server side TLSv1.3 we
4204 * normally don't do this because by default it's a full stateless ticket
4205 * with only a dummy session id so there is no reason to cache it,
4206 * unless:
4207 * - we are doing early_data, in which case we cache so that we can
4208 * detect replays
4209 * - the application has set a remove_session_cb so needs to know about
4210 * session timeout events
4211 * - SSL_OP_NO_TICKET is set in which case it is a stateful ticket
4212 */
4213 if ((i & SSL_SESS_CACHE_NO_INTERNAL_STORE) == 0
4214 && (!SSL_CONNECTION_IS_TLS13(s)
4215 || !s->server
4216 || (s->max_early_data > 0
4217 && (s->options & SSL_OP_NO_ANTI_REPLAY) == 0)
4218 || s->session_ctx->remove_session_cb != NULL
4219 || (s->options & SSL_OP_NO_TICKET) != 0))
4220 SSL_CTX_add_session(s->session_ctx, s->session);
4221
4222 /*
4223 * Add the session to the external cache. We do this even in server side
4224 * TLSv1.3 without early data because some applications just want to
4225 * know about the creation of a session and aren't doing a full cache.
4226 */
4227 if (s->session_ctx->new_session_cb != NULL) {
4228 SSL_SESSION_up_ref(s->session);
4229 if (!s->session_ctx->new_session_cb(SSL_CONNECTION_GET_SSL(s),
4230 s->session))
4231 SSL_SESSION_free(s->session);
4232 }
4233 }
4234
4235 /* auto flush every 255 connections */
4236 if ((!(i & SSL_SESS_CACHE_NO_AUTO_CLEAR)) && ((i & mode) == mode)) {
4237 TSAN_QUALIFIER int *stat;
4238
4239 if (mode & SSL_SESS_CACHE_CLIENT)
4240 stat = &s->session_ctx->stats.sess_connect_good;
4241 else
4242 stat = &s->session_ctx->stats.sess_accept_good;
4243 if ((ssl_tsan_load(s->session_ctx, stat) & 0xff) == 0xff)
4244 SSL_CTX_flush_sessions(s->session_ctx, (unsigned long)time(NULL));
4245 }
4246 }
4247
4248 const SSL_METHOD *SSL_CTX_get_ssl_method(const SSL_CTX *ctx)
4249 {
4250 return ctx->method;
4251 }
4252
4253 const SSL_METHOD *SSL_get_ssl_method(const SSL *s)
4254 {
4255 return s->method;
4256 }
4257
4258 int SSL_set_ssl_method(SSL *s, const SSL_METHOD *meth)
4259 {
4260 int ret = 1;
4261 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
4262
4263 /* TODO(QUIC): Do we want this for QUIC? */
4264 if (sc == NULL
4265 || (s->type != SSL_TYPE_SSL_CONNECTION && s->method != meth))
4266 return 0;
4267
4268 if (s->method != meth) {
4269 const SSL_METHOD *sm = s->method;
4270 int (*hf) (SSL *) = sc->handshake_func;
4271
4272 if (sm->version == meth->version)
4273 s->method = meth;
4274 else {
4275 sm->ssl_deinit(s);
4276 s->method = meth;
4277 ret = s->method->ssl_init(s);
4278 }
4279
4280 if (hf == sm->ssl_connect)
4281 sc->handshake_func = meth->ssl_connect;
4282 else if (hf == sm->ssl_accept)
4283 sc->handshake_func = meth->ssl_accept;
4284 }
4285 return ret;
4286 }
4287
4288 int SSL_get_error(const SSL *s, int i)
4289 {
4290 int reason;
4291 unsigned long l;
4292 BIO *bio;
4293 const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
4294
4295 if (i > 0)
4296 return SSL_ERROR_NONE;
4297
4298 /* TODO(QUIC): This will need more handling for QUIC_CONNECTIONs */
4299 if (sc == NULL)
4300 return SSL_ERROR_SSL;
4301
4302 /*
4303 * Make things return SSL_ERROR_SYSCALL when doing SSL_do_handshake etc,
4304 * where we do encode the error
4305 */
4306 if ((l = ERR_peek_error()) != 0) {
4307 if (ERR_GET_LIB(l) == ERR_LIB_SYS)
4308 return SSL_ERROR_SYSCALL;
4309 else
4310 return SSL_ERROR_SSL;
4311 }
4312
4313 if (SSL_want_read(s)) {
4314 bio = SSL_get_rbio(s);
4315 if (BIO_should_read(bio))
4316 return SSL_ERROR_WANT_READ;
4317 else if (BIO_should_write(bio))
4318 /*
4319 * This one doesn't make too much sense ... We never try to write
4320 * to the rbio, and an application program where rbio and wbio
4321 * are separate couldn't even know what it should wait for.
4322 * However if we ever set s->rwstate incorrectly (so that we have
4323 * SSL_want_read(s) instead of SSL_want_write(s)) and rbio and
4324 * wbio *are* the same, this test works around that bug; so it
4325 * might be safer to keep it.
4326 */
4327 return SSL_ERROR_WANT_WRITE;
4328 else if (BIO_should_io_special(bio)) {
4329 reason = BIO_get_retry_reason(bio);
4330 if (reason == BIO_RR_CONNECT)
4331 return SSL_ERROR_WANT_CONNECT;
4332 else if (reason == BIO_RR_ACCEPT)
4333 return SSL_ERROR_WANT_ACCEPT;
4334 else
4335 return SSL_ERROR_SYSCALL; /* unknown */
4336 }
4337 }
4338
4339 if (SSL_want_write(s)) {
4340 /* Access wbio directly - in order to use the buffered bio if present */
4341 bio = sc->wbio;
4342 if (BIO_should_write(bio))
4343 return SSL_ERROR_WANT_WRITE;
4344 else if (BIO_should_read(bio))
4345 /*
4346 * See above (SSL_want_read(s) with BIO_should_write(bio))
4347 */
4348 return SSL_ERROR_WANT_READ;
4349 else if (BIO_should_io_special(bio)) {
4350 reason = BIO_get_retry_reason(bio);
4351 if (reason == BIO_RR_CONNECT)
4352 return SSL_ERROR_WANT_CONNECT;
4353 else if (reason == BIO_RR_ACCEPT)
4354 return SSL_ERROR_WANT_ACCEPT;
4355 else
4356 return SSL_ERROR_SYSCALL;
4357 }
4358 }
4359 if (SSL_want_x509_lookup(s))
4360 return SSL_ERROR_WANT_X509_LOOKUP;
4361 if (SSL_want_retry_verify(s))
4362 return SSL_ERROR_WANT_RETRY_VERIFY;
4363 if (SSL_want_async(s))
4364 return SSL_ERROR_WANT_ASYNC;
4365 if (SSL_want_async_job(s))
4366 return SSL_ERROR_WANT_ASYNC_JOB;
4367 if (SSL_want_client_hello_cb(s))
4368 return SSL_ERROR_WANT_CLIENT_HELLO_CB;
4369
4370 if ((sc->shutdown & SSL_RECEIVED_SHUTDOWN) &&
4371 (sc->s3.warn_alert == SSL_AD_CLOSE_NOTIFY))
4372 return SSL_ERROR_ZERO_RETURN;
4373
4374 return SSL_ERROR_SYSCALL;
4375 }
4376
4377 static int ssl_do_handshake_intern(void *vargs)
4378 {
4379 struct ssl_async_args *args = (struct ssl_async_args *)vargs;
4380 SSL *s = args->s;
4381 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
4382
4383 if (sc == NULL)
4384 return -1;
4385
4386 return sc->handshake_func(s);
4387 }
4388
4389 int SSL_do_handshake(SSL *s)
4390 {
4391 int ret = 1;
4392 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
4393
4394 /* TODO(QUIC): Special handling for QUIC will be needed */
4395 if (sc == NULL)
4396 return -1;
4397
4398 if (sc->handshake_func == NULL) {
4399 ERR_raise(ERR_LIB_SSL, SSL_R_CONNECTION_TYPE_NOT_SET);
4400 return -1;
4401 }
4402
4403 ossl_statem_check_finish_init(sc, -1);
4404
4405 s->method->ssl_renegotiate_check(s, 0);
4406
4407 if (SSL_in_init(s) || SSL_in_before(s)) {
4408 if ((sc->mode & SSL_MODE_ASYNC) && ASYNC_get_current_job() == NULL) {
4409 struct ssl_async_args args;
4410
4411 memset(&args, 0, sizeof(args));
4412 args.s = s;
4413
4414 ret = ssl_start_async_job(s, &args, ssl_do_handshake_intern);
4415 } else {
4416 ret = sc->handshake_func(s);
4417 }
4418 }
4419 return ret;
4420 }
4421
4422 void SSL_set_accept_state(SSL *s)
4423 {
4424 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
4425
4426 /* TODO(QUIC): Special handling for QUIC will be needed */
4427 if (sc == NULL)
4428 return;
4429
4430 sc->server = 1;
4431 sc->shutdown = 0;
4432 ossl_statem_clear(sc);
4433 sc->handshake_func = s->method->ssl_accept;
4434 clear_ciphers(sc);
4435 }
4436
4437 void SSL_set_connect_state(SSL *s)
4438 {
4439 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
4440
4441 /* TODO(QUIC): Special handling for QUIC will be needed */
4442 if (sc == NULL)
4443 return;
4444
4445 sc->server = 0;
4446 sc->shutdown = 0;
4447 ossl_statem_clear(sc);
4448 sc->handshake_func = s->method->ssl_connect;
4449 clear_ciphers(sc);
4450 }
4451
4452 int ssl_undefined_function(SSL *s)
4453 {
4454 ERR_raise(ERR_LIB_SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
4455 return 0;
4456 }
4457
4458 int ssl_undefined_void_function(void)
4459 {
4460 ERR_raise(ERR_LIB_SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
4461 return 0;
4462 }
4463
4464 int ssl_undefined_const_function(const SSL *s)
4465 {
4466 return 0;
4467 }
4468
4469 const SSL_METHOD *ssl_bad_method(int ver)
4470 {
4471 ERR_raise(ERR_LIB_SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
4472 return NULL;
4473 }
4474
4475 const char *ssl_protocol_to_string(int version)
4476 {
4477 switch (version)
4478 {
4479 case TLS1_3_VERSION:
4480 return "TLSv1.3";
4481
4482 case TLS1_2_VERSION:
4483 return "TLSv1.2";
4484
4485 case TLS1_1_VERSION:
4486 return "TLSv1.1";
4487
4488 case TLS1_VERSION:
4489 return "TLSv1";
4490
4491 case SSL3_VERSION:
4492 return "SSLv3";
4493
4494 case DTLS1_BAD_VER:
4495 return "DTLSv0.9";
4496
4497 case DTLS1_VERSION:
4498 return "DTLSv1";
4499
4500 case DTLS1_2_VERSION:
4501 return "DTLSv1.2";
4502
4503 default:
4504 return "unknown";
4505 }
4506 }
4507
4508 const char *SSL_get_version(const SSL *s)
4509 {
4510 const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
4511
4512 /* TODO(QUIC): Should QUIC return QUIC or TLSv1.3? */
4513 if (sc == NULL)
4514 return NULL;
4515
4516 return ssl_protocol_to_string(sc->version);
4517 }
4518
4519 static int dup_ca_names(STACK_OF(X509_NAME) **dst, STACK_OF(X509_NAME) *src)
4520 {
4521 STACK_OF(X509_NAME) *sk;
4522 X509_NAME *xn;
4523 int i;
4524
4525 if (src == NULL) {
4526 *dst = NULL;
4527 return 1;
4528 }
4529
4530 if ((sk = sk_X509_NAME_new_null()) == NULL)
4531 return 0;
4532 for (i = 0; i < sk_X509_NAME_num(src); i++) {
4533 xn = X509_NAME_dup(sk_X509_NAME_value(src, i));
4534 if (xn == NULL) {
4535 sk_X509_NAME_pop_free(sk, X509_NAME_free);
4536 return 0;
4537 }
4538 if (sk_X509_NAME_insert(sk, xn, i) == 0) {
4539 X509_NAME_free(xn);
4540 sk_X509_NAME_pop_free(sk, X509_NAME_free);
4541 return 0;
4542 }
4543 }
4544 *dst = sk;
4545
4546 return 1;
4547 }
4548
4549 SSL *SSL_dup(SSL *s)
4550 {
4551 SSL *ret;
4552 int i;
4553 /* TODO(QUIC): Add a SSL_METHOD function for duplication */
4554 SSL_CONNECTION *retsc;
4555 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL_ONLY(s);
4556
4557 if (sc == NULL)
4558 return NULL;
4559
4560 /* If we're not quiescent, just up_ref! */
4561 if (!SSL_in_init(s) || !SSL_in_before(s)) {
4562 CRYPTO_UP_REF(&s->references, &i, s->lock);
4563 return s;
4564 }
4565
4566 /*
4567 * Otherwise, copy configuration state, and session if set.
4568 */
4569 if ((ret = SSL_new(SSL_get_SSL_CTX(s))) == NULL)
4570 return NULL;
4571 if ((retsc = SSL_CONNECTION_FROM_SSL_ONLY(ret)) == NULL)
4572 goto err;
4573
4574 if (sc->session != NULL) {
4575 /*
4576 * Arranges to share the same session via up_ref. This "copies"
4577 * session-id, SSL_METHOD, sid_ctx, and 'cert'
4578 */
4579 if (!SSL_copy_session_id(ret, s))
4580 goto err;
4581 } else {
4582 /*
4583 * No session has been established yet, so we have to expect that
4584 * s->cert or ret->cert will be changed later -- they should not both
4585 * point to the same object, and thus we can't use
4586 * SSL_copy_session_id.
4587 */
4588 if (!SSL_set_ssl_method(ret, s->method))
4589 goto err;
4590
4591 if (sc->cert != NULL) {
4592 ssl_cert_free(retsc->cert);
4593 retsc->cert = ssl_cert_dup(sc->cert);
4594 if (retsc->cert == NULL)
4595 goto err;
4596 }
4597
4598 if (!SSL_set_session_id_context(ret, sc->sid_ctx,
4599 (int)sc->sid_ctx_length))
4600 goto err;
4601 }
4602
4603 if (!ssl_dane_dup(retsc, sc))
4604 goto err;
4605 retsc->version = sc->version;
4606 retsc->options = sc->options;
4607 retsc->min_proto_version = sc->min_proto_version;
4608 retsc->max_proto_version = sc->max_proto_version;
4609 retsc->mode = sc->mode;
4610 SSL_set_max_cert_list(ret, SSL_get_max_cert_list(s));
4611 SSL_set_read_ahead(ret, SSL_get_read_ahead(s));
4612 retsc->msg_callback = sc->msg_callback;
4613 retsc->msg_callback_arg = sc->msg_callback_arg;
4614 SSL_set_verify(ret, SSL_get_verify_mode(s), SSL_get_verify_callback(s));
4615 SSL_set_verify_depth(ret, SSL_get_verify_depth(s));
4616 retsc->generate_session_id = sc->generate_session_id;
4617
4618 SSL_set_info_callback(ret, SSL_get_info_callback(s));
4619
4620 /* copy app data, a little dangerous perhaps */
4621 if (!CRYPTO_dup_ex_data(CRYPTO_EX_INDEX_SSL, &ret->ex_data, &s->ex_data))
4622 goto err;
4623
4624 retsc->server = sc->server;
4625 if (sc->handshake_func) {
4626 if (sc->server)
4627 SSL_set_accept_state(ret);
4628 else
4629 SSL_set_connect_state(ret);
4630 }
4631 retsc->shutdown = sc->shutdown;
4632 retsc->hit = sc->hit;
4633
4634 retsc->default_passwd_callback = sc->default_passwd_callback;
4635 retsc->default_passwd_callback_userdata = sc->default_passwd_callback_userdata;
4636
4637 X509_VERIFY_PARAM_inherit(retsc->param, sc->param);
4638
4639 /* dup the cipher_list and cipher_list_by_id stacks */
4640 if (sc->cipher_list != NULL) {
4641 if ((retsc->cipher_list = sk_SSL_CIPHER_dup(sc->cipher_list)) == NULL)
4642 goto err;
4643 }
4644 if (sc->cipher_list_by_id != NULL)
4645 if ((retsc->cipher_list_by_id = sk_SSL_CIPHER_dup(sc->cipher_list_by_id))
4646 == NULL)
4647 goto err;
4648
4649 /* Dup the client_CA list */
4650 if (!dup_ca_names(&retsc->ca_names, sc->ca_names)
4651 || !dup_ca_names(&retsc->client_ca_names, sc->client_ca_names))
4652 goto err;
4653
4654 return ret;
4655
4656 err:
4657 SSL_free(ret);
4658 return NULL;
4659 }
4660
4661 void ssl_clear_cipher_ctx(SSL_CONNECTION *s)
4662 {
4663 if (s->enc_read_ctx != NULL) {
4664 EVP_CIPHER_CTX_free(s->enc_read_ctx);
4665 s->enc_read_ctx = NULL;
4666 }
4667 if (s->enc_write_ctx != NULL) {
4668 EVP_CIPHER_CTX_free(s->enc_write_ctx);
4669 s->enc_write_ctx = NULL;
4670 }
4671 #ifndef OPENSSL_NO_COMP
4672 COMP_CTX_free(s->expand);
4673 s->expand = NULL;
4674 COMP_CTX_free(s->compress);
4675 s->compress = NULL;
4676 #endif
4677 }
4678
4679 X509 *SSL_get_certificate(const SSL *s)
4680 {
4681 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
4682
4683 if (sc == NULL)
4684 return NULL;
4685
4686 if (sc->cert != NULL)
4687 return sc->cert->key->x509;
4688 else
4689 return NULL;
4690 }
4691
4692 EVP_PKEY *SSL_get_privatekey(const SSL *s)
4693 {
4694 const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
4695
4696 if (sc == NULL)
4697 return NULL;
4698
4699 if (sc->cert != NULL)
4700 return sc->cert->key->privatekey;
4701 else
4702 return NULL;
4703 }
4704
4705 X509 *SSL_CTX_get0_certificate(const SSL_CTX *ctx)
4706 {
4707 if (ctx->cert != NULL)
4708 return ctx->cert->key->x509;
4709 else
4710 return NULL;
4711 }
4712
4713 EVP_PKEY *SSL_CTX_get0_privatekey(const SSL_CTX *ctx)
4714 {
4715 if (ctx->cert != NULL)
4716 return ctx->cert->key->privatekey;
4717 else
4718 return NULL;
4719 }
4720
4721 const SSL_CIPHER *SSL_get_current_cipher(const SSL *s)
4722 {
4723 const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
4724
4725 if (sc == NULL)
4726 return NULL;
4727
4728 if ((sc->session != NULL) && (sc->session->cipher != NULL))
4729 return sc->session->cipher;
4730 return NULL;
4731 }
4732
4733 const SSL_CIPHER *SSL_get_pending_cipher(const SSL *s)
4734 {
4735 const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
4736
4737 if (sc == NULL)
4738 return NULL;
4739
4740 return sc->s3.tmp.new_cipher;
4741 }
4742
4743 const COMP_METHOD *SSL_get_current_compression(const SSL *s)
4744 {
4745 #ifndef OPENSSL_NO_COMP
4746 const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL_ONLY(s);
4747
4748 if (sc == NULL)
4749 return NULL;
4750
4751 return sc->compress ? COMP_CTX_get_method(sc->compress) : NULL;
4752 #else
4753 return NULL;
4754 #endif
4755 }
4756
4757 const COMP_METHOD *SSL_get_current_expansion(const SSL *s)
4758 {
4759 #ifndef OPENSSL_NO_COMP
4760 const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL_ONLY(s);
4761
4762 if (sc == NULL)
4763 return NULL;
4764
4765 return sc->expand ? COMP_CTX_get_method(sc->expand) : NULL;
4766 #else
4767 return NULL;
4768 #endif
4769 }
4770
4771 int ssl_init_wbio_buffer(SSL_CONNECTION *s)
4772 {
4773 BIO *bbio;
4774
4775 if (s->bbio != NULL) {
4776 /* Already buffered. */
4777 return 1;
4778 }
4779
4780 bbio = BIO_new(BIO_f_buffer());
4781 if (bbio == NULL || !BIO_set_read_buffer_size(bbio, 1)) {
4782 BIO_free(bbio);
4783 ERR_raise(ERR_LIB_SSL, ERR_R_BUF_LIB);
4784 return 0;
4785 }
4786 s->bbio = bbio;
4787 s->wbio = BIO_push(bbio, s->wbio);
4788
4789 return 1;
4790 }
4791
4792 int ssl_free_wbio_buffer(SSL_CONNECTION *s)
4793 {
4794 /* callers ensure s is never null */
4795 if (s->bbio == NULL)
4796 return 1;
4797
4798 s->wbio = BIO_pop(s->wbio);
4799 BIO_free(s->bbio);
4800 s->bbio = NULL;
4801
4802 return 1;
4803 }
4804
4805 void SSL_CTX_set_quiet_shutdown(SSL_CTX *ctx, int mode)
4806 {
4807 ctx->quiet_shutdown = mode;
4808 }
4809
4810 int SSL_CTX_get_quiet_shutdown(const SSL_CTX *ctx)
4811 {
4812 return ctx->quiet_shutdown;
4813 }
4814
4815 void SSL_set_quiet_shutdown(SSL *s, int mode)
4816 {
4817 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL_ONLY(s);
4818
4819 /* TODO(QUIC): Do we want this for QUIC? */
4820 if (sc == NULL)
4821 return;
4822
4823 sc->quiet_shutdown = mode;
4824 }
4825
4826 int SSL_get_quiet_shutdown(const SSL *s)
4827 {
4828 const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL_ONLY(s);
4829
4830 /* TODO(QUIC): Do we want this for QUIC? */
4831 if (sc == NULL)
4832 return 0;
4833
4834 return sc->quiet_shutdown;
4835 }
4836
4837 void SSL_set_shutdown(SSL *s, int mode)
4838 {
4839 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL_ONLY(s);
4840
4841 /* TODO(QUIC): Do we want this for QUIC? */
4842 if (sc == NULL)
4843 return;
4844
4845 sc->shutdown = mode;
4846 }
4847
4848 int SSL_get_shutdown(const SSL *s)
4849 {
4850 const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL_ONLY(s);
4851
4852 /* TODO(QUIC): Do we want this for QUIC? */
4853 if (sc == NULL)
4854 return 0;
4855
4856 return sc->shutdown;
4857 }
4858
4859 int SSL_version(const SSL *s)
4860 {
4861 const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
4862
4863 /* TODO(QUIC): Do we want to report QUIC version this way instead? */
4864 if (sc == NULL)
4865 return 0;
4866
4867 return sc->version;
4868 }
4869
4870 int SSL_client_version(const SSL *s)
4871 {
4872 const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
4873
4874 /* TODO(QUIC): Do we want to report QUIC version this way instead? */
4875 if (sc == NULL)
4876 return 0;
4877
4878 return sc->client_version;
4879 }
4880
4881 SSL_CTX *SSL_get_SSL_CTX(const SSL *ssl)
4882 {
4883 return ssl->ctx;
4884 }
4885
4886 SSL_CTX *SSL_set_SSL_CTX(SSL *ssl, SSL_CTX *ctx)
4887 {
4888 CERT *new_cert;
4889 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL_ONLY(ssl);
4890
4891 /* TODO(QUIC): Do we need this for QUIC support? */
4892 if (sc == NULL)
4893 return NULL;
4894
4895 if (ssl->ctx == ctx)
4896 return ssl->ctx;
4897 if (ctx == NULL)
4898 ctx = sc->session_ctx;
4899 new_cert = ssl_cert_dup(ctx->cert);
4900 if (new_cert == NULL) {
4901 return NULL;
4902 }
4903
4904 if (!custom_exts_copy_flags(&new_cert->custext, &sc->cert->custext)) {
4905 ssl_cert_free(new_cert);
4906 return NULL;
4907 }
4908
4909 ssl_cert_free(sc->cert);
4910 sc->cert = new_cert;
4911
4912 /*
4913 * Program invariant: |sid_ctx| has fixed size (SSL_MAX_SID_CTX_LENGTH),
4914 * so setter APIs must prevent invalid lengths from entering the system.
4915 */
4916 if (!ossl_assert(sc->sid_ctx_length <= sizeof(sc->sid_ctx)))
4917 return NULL;
4918
4919 /*
4920 * If the session ID context matches that of the parent SSL_CTX,
4921 * inherit it from the new SSL_CTX as well. If however the context does
4922 * not match (i.e., it was set per-ssl with SSL_set_session_id_context),
4923 * leave it unchanged.
4924 */
4925 if ((ssl->ctx != NULL) &&
4926 (sc->sid_ctx_length == ssl->ctx->sid_ctx_length) &&
4927 (memcmp(sc->sid_ctx, ssl->ctx->sid_ctx, sc->sid_ctx_length) == 0)) {
4928 sc->sid_ctx_length = ctx->sid_ctx_length;
4929 memcpy(&sc->sid_ctx, &ctx->sid_ctx, sizeof(sc->sid_ctx));
4930 }
4931
4932 SSL_CTX_up_ref(ctx);
4933 SSL_CTX_free(ssl->ctx); /* decrement reference count */
4934 ssl->ctx = ctx;
4935
4936 return ssl->ctx;
4937 }
4938
4939 int SSL_CTX_set_default_verify_paths(SSL_CTX *ctx)
4940 {
4941 return X509_STORE_set_default_paths_ex(ctx->cert_store, ctx->libctx,
4942 ctx->propq);
4943 }
4944
4945 int SSL_CTX_set_default_verify_dir(SSL_CTX *ctx)
4946 {
4947 X509_LOOKUP *lookup;
4948
4949 lookup = X509_STORE_add_lookup(ctx->cert_store, X509_LOOKUP_hash_dir());
4950 if (lookup == NULL)
4951 return 0;
4952
4953 /* We ignore errors, in case the directory doesn't exist */
4954 ERR_set_mark();
4955
4956 X509_LOOKUP_add_dir(lookup, NULL, X509_FILETYPE_DEFAULT);
4957
4958 ERR_pop_to_mark();
4959
4960 return 1;
4961 }
4962
4963 int SSL_CTX_set_default_verify_file(SSL_CTX *ctx)
4964 {
4965 X509_LOOKUP *lookup;
4966
4967 lookup = X509_STORE_add_lookup(ctx->cert_store, X509_LOOKUP_file());
4968 if (lookup == NULL)
4969 return 0;
4970
4971 /* We ignore errors, in case the file doesn't exist */
4972 ERR_set_mark();
4973
4974 X509_LOOKUP_load_file_ex(lookup, NULL, X509_FILETYPE_DEFAULT, ctx->libctx,
4975 ctx->propq);
4976
4977 ERR_pop_to_mark();
4978
4979 return 1;
4980 }
4981
4982 int SSL_CTX_set_default_verify_store(SSL_CTX *ctx)
4983 {
4984 X509_LOOKUP *lookup;
4985
4986 lookup = X509_STORE_add_lookup(ctx->cert_store, X509_LOOKUP_store());
4987 if (lookup == NULL)
4988 return 0;
4989
4990 /* We ignore errors, in case the directory doesn't exist */
4991 ERR_set_mark();
4992
4993 X509_LOOKUP_add_store_ex(lookup, NULL, ctx->libctx, ctx->propq);
4994
4995 ERR_pop_to_mark();
4996
4997 return 1;
4998 }
4999
5000 int SSL_CTX_load_verify_file(SSL_CTX *ctx, const char *CAfile)
5001 {
5002 return X509_STORE_load_file_ex(ctx->cert_store, CAfile, ctx->libctx,
5003 ctx->propq);
5004 }
5005
5006 int SSL_CTX_load_verify_dir(SSL_CTX *ctx, const char *CApath)
5007 {
5008 return X509_STORE_load_path(ctx->cert_store, CApath);
5009 }
5010
5011 int SSL_CTX_load_verify_store(SSL_CTX *ctx, const char *CAstore)
5012 {
5013 return X509_STORE_load_store_ex(ctx->cert_store, CAstore, ctx->libctx,
5014 ctx->propq);
5015 }
5016
5017 int SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile,
5018 const char *CApath)
5019 {
5020 if (CAfile == NULL && CApath == NULL)
5021 return 0;
5022 if (CAfile != NULL && !SSL_CTX_load_verify_file(ctx, CAfile))
5023 return 0;
5024 if (CApath != NULL && !SSL_CTX_load_verify_dir(ctx, CApath))
5025 return 0;
5026 return 1;
5027 }
5028
5029 void SSL_set_info_callback(SSL *ssl,
5030 void (*cb) (const SSL *ssl, int type, int val))
5031 {
5032 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(ssl);
5033
5034 if (sc == NULL)
5035 return;
5036
5037 sc->info_callback = cb;
5038 }
5039
5040 /*
5041 * One compiler (Diab DCC) doesn't like argument names in returned function
5042 * pointer.
5043 */
5044 void (*SSL_get_info_callback(const SSL *ssl)) (const SSL * /* ssl */ ,
5045 int /* type */ ,
5046 int /* val */ ) {
5047 const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(ssl);
5048
5049 if (sc == NULL)
5050 return NULL;
5051
5052 return sc->info_callback;
5053 }
5054
5055 void SSL_set_verify_result(SSL *ssl, long arg)
5056 {
5057 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(ssl);
5058
5059 if (sc == NULL)
5060 return;
5061
5062 sc->verify_result = arg;
5063 }
5064
5065 long SSL_get_verify_result(const SSL *ssl)
5066 {
5067 const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(ssl);
5068
5069 if (sc == NULL)
5070 return 0;
5071
5072 return sc->verify_result;
5073 }
5074
5075 size_t SSL_get_client_random(const SSL *ssl, unsigned char *out, size_t outlen)
5076 {
5077 const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(ssl);
5078
5079 if (sc == NULL)
5080 return 0;
5081
5082 if (outlen == 0)
5083 return sizeof(sc->s3.client_random);
5084 if (outlen > sizeof(sc->s3.client_random))
5085 outlen = sizeof(sc->s3.client_random);
5086 memcpy(out, sc->s3.client_random, outlen);
5087 return outlen;
5088 }
5089
5090 size_t SSL_get_server_random(const SSL *ssl, unsigned char *out, size_t outlen)
5091 {
5092 const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(ssl);
5093
5094 if (sc == NULL)
5095 return 0;
5096
5097 if (outlen == 0)
5098 return sizeof(sc->s3.server_random);
5099 if (outlen > sizeof(sc->s3.server_random))
5100 outlen = sizeof(sc->s3.server_random);
5101 memcpy(out, sc->s3.server_random, outlen);
5102 return outlen;
5103 }
5104
5105 size_t SSL_SESSION_get_master_key(const SSL_SESSION *session,
5106 unsigned char *out, size_t outlen)
5107 {
5108 if (outlen == 0)
5109 return session->master_key_length;
5110 if (outlen > session->master_key_length)
5111 outlen = session->master_key_length;
5112 memcpy(out, session->master_key, outlen);
5113 return outlen;
5114 }
5115
5116 int SSL_SESSION_set1_master_key(SSL_SESSION *sess, const unsigned char *in,
5117 size_t len)
5118 {
5119 if (len > sizeof(sess->master_key))
5120 return 0;
5121
5122 memcpy(sess->master_key, in, len);
5123 sess->master_key_length = len;
5124 return 1;
5125 }
5126
5127
5128 int SSL_set_ex_data(SSL *s, int idx, void *arg)
5129 {
5130 return CRYPTO_set_ex_data(&s->ex_data, idx, arg);
5131 }
5132
5133 void *SSL_get_ex_data(const SSL *s, int idx)
5134 {
5135 return CRYPTO_get_ex_data(&s->ex_data, idx);
5136 }
5137
5138 int SSL_CTX_set_ex_data(SSL_CTX *s, int idx, void *arg)
5139 {
5140 return CRYPTO_set_ex_data(&s->ex_data, idx, arg);
5141 }
5142
5143 void *SSL_CTX_get_ex_data(const SSL_CTX *s, int idx)
5144 {
5145 return CRYPTO_get_ex_data(&s->ex_data, idx);
5146 }
5147
5148 X509_STORE *SSL_CTX_get_cert_store(const SSL_CTX *ctx)
5149 {
5150 return ctx->cert_store;
5151 }
5152
5153 void SSL_CTX_set_cert_store(SSL_CTX *ctx, X509_STORE *store)
5154 {
5155 X509_STORE_free(ctx->cert_store);
5156 ctx->cert_store = store;
5157 }
5158
5159 void SSL_CTX_set1_cert_store(SSL_CTX *ctx, X509_STORE *store)
5160 {
5161 if (store != NULL)
5162 X509_STORE_up_ref(store);
5163 SSL_CTX_set_cert_store(ctx, store);
5164 }
5165
5166 int SSL_want(const SSL *s)
5167 {
5168 const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
5169
5170 if (sc == NULL)
5171 return SSL_NOTHING;
5172
5173 return sc->rwstate;
5174 }
5175
5176 #ifndef OPENSSL_NO_PSK
5177 int SSL_CTX_use_psk_identity_hint(SSL_CTX *ctx, const char *identity_hint)
5178 {
5179 if (identity_hint != NULL && strlen(identity_hint) > PSK_MAX_IDENTITY_LEN) {
5180 ERR_raise(ERR_LIB_SSL, SSL_R_DATA_LENGTH_TOO_LONG);
5181 return 0;
5182 }
5183 OPENSSL_free(ctx->cert->psk_identity_hint);
5184 if (identity_hint != NULL) {
5185 ctx->cert->psk_identity_hint = OPENSSL_strdup(identity_hint);
5186 if (ctx->cert->psk_identity_hint == NULL)
5187 return 0;
5188 } else
5189 ctx->cert->psk_identity_hint = NULL;
5190 return 1;
5191 }
5192
5193 int SSL_use_psk_identity_hint(SSL *s, const char *identity_hint)
5194 {
5195 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
5196
5197 if (sc == NULL)
5198 return 0;
5199
5200 if (identity_hint != NULL && strlen(identity_hint) > PSK_MAX_IDENTITY_LEN) {
5201 ERR_raise(ERR_LIB_SSL, SSL_R_DATA_LENGTH_TOO_LONG);
5202 return 0;
5203 }
5204 OPENSSL_free(sc->cert->psk_identity_hint);
5205 if (identity_hint != NULL) {
5206 sc->cert->psk_identity_hint = OPENSSL_strdup(identity_hint);
5207 if (sc->cert->psk_identity_hint == NULL)
5208 return 0;
5209 } else
5210 sc->cert->psk_identity_hint = NULL;
5211 return 1;
5212 }
5213
5214 const char *SSL_get_psk_identity_hint(const SSL *s)
5215 {
5216 const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
5217
5218 if (sc == NULL || sc->session == NULL)
5219 return NULL;
5220
5221 return sc->session->psk_identity_hint;
5222 }
5223
5224 const char *SSL_get_psk_identity(const SSL *s)
5225 {
5226 const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
5227
5228 if (sc == NULL || sc->session == NULL)
5229 return NULL;
5230
5231 return sc->session->psk_identity;
5232 }
5233
5234 void SSL_set_psk_client_callback(SSL *s, SSL_psk_client_cb_func cb)
5235 {
5236 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
5237
5238 if (sc == NULL)
5239 return;
5240
5241 sc->psk_client_callback = cb;
5242 }
5243
5244 void SSL_CTX_set_psk_client_callback(SSL_CTX *ctx, SSL_psk_client_cb_func cb)
5245 {
5246 ctx->psk_client_callback = cb;
5247 }
5248
5249 void SSL_set_psk_server_callback(SSL *s, SSL_psk_server_cb_func cb)
5250 {
5251 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
5252
5253 if (sc == NULL)
5254 return;
5255
5256 sc->psk_server_callback = cb;
5257 }
5258
5259 void SSL_CTX_set_psk_server_callback(SSL_CTX *ctx, SSL_psk_server_cb_func cb)
5260 {
5261 ctx->psk_server_callback = cb;
5262 }
5263 #endif
5264
5265 void SSL_set_psk_find_session_callback(SSL *s, SSL_psk_find_session_cb_func cb)
5266 {
5267 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
5268
5269 if (sc == NULL)
5270 return;
5271
5272 sc->psk_find_session_cb = cb;
5273 }
5274
5275 void SSL_CTX_set_psk_find_session_callback(SSL_CTX *ctx,
5276 SSL_psk_find_session_cb_func cb)
5277 {
5278 ctx->psk_find_session_cb = cb;
5279 }
5280
5281 void SSL_set_psk_use_session_callback(SSL *s, SSL_psk_use_session_cb_func cb)
5282 {
5283 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
5284
5285 if (sc == NULL)
5286 return;
5287
5288 sc->psk_use_session_cb = cb;
5289 }
5290
5291 void SSL_CTX_set_psk_use_session_callback(SSL_CTX *ctx,
5292 SSL_psk_use_session_cb_func cb)
5293 {
5294 ctx->psk_use_session_cb = cb;
5295 }
5296
5297 void SSL_CTX_set_msg_callback(SSL_CTX *ctx,
5298 void (*cb) (int write_p, int version,
5299 int content_type, const void *buf,
5300 size_t len, SSL *ssl, void *arg))
5301 {
5302 SSL_CTX_callback_ctrl(ctx, SSL_CTRL_SET_MSG_CALLBACK, (void (*)(void))cb);
5303 }
5304
5305 void SSL_set_msg_callback(SSL *ssl,
5306 void (*cb) (int write_p, int version,
5307 int content_type, const void *buf,
5308 size_t len, SSL *ssl, void *arg))
5309 {
5310 SSL_callback_ctrl(ssl, SSL_CTRL_SET_MSG_CALLBACK, (void (*)(void))cb);
5311 }
5312
5313 void SSL_CTX_set_not_resumable_session_callback(SSL_CTX *ctx,
5314 int (*cb) (SSL *ssl,
5315 int
5316 is_forward_secure))
5317 {
5318 SSL_CTX_callback_ctrl(ctx, SSL_CTRL_SET_NOT_RESUMABLE_SESS_CB,
5319 (void (*)(void))cb);
5320 }
5321
5322 void SSL_set_not_resumable_session_callback(SSL *ssl,
5323 int (*cb) (SSL *ssl,
5324 int is_forward_secure))
5325 {
5326 SSL_callback_ctrl(ssl, SSL_CTRL_SET_NOT_RESUMABLE_SESS_CB,
5327 (void (*)(void))cb);
5328 }
5329
5330 void SSL_CTX_set_record_padding_callback(SSL_CTX *ctx,
5331 size_t (*cb) (SSL *ssl, int type,
5332 size_t len, void *arg))
5333 {
5334 ctx->record_padding_cb = cb;
5335 }
5336
5337 void SSL_CTX_set_record_padding_callback_arg(SSL_CTX *ctx, void *arg)
5338 {
5339 ctx->record_padding_arg = arg;
5340 }
5341
5342 void *SSL_CTX_get_record_padding_callback_arg(const SSL_CTX *ctx)
5343 {
5344 return ctx->record_padding_arg;
5345 }
5346
5347 int SSL_CTX_set_block_padding(SSL_CTX *ctx, size_t block_size)
5348 {
5349 /* block size of 0 or 1 is basically no padding */
5350 if (block_size == 1)
5351 ctx->block_padding = 0;
5352 else if (block_size <= SSL3_RT_MAX_PLAIN_LENGTH)
5353 ctx->block_padding = block_size;
5354 else
5355 return 0;
5356 return 1;
5357 }
5358
5359 int SSL_set_record_padding_callback(SSL *ssl,
5360 size_t (*cb) (SSL *ssl, int type,
5361 size_t len, void *arg))
5362 {
5363 BIO *b;
5364 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(ssl);
5365
5366 if (sc == NULL)
5367 return 0;
5368
5369 b = SSL_get_wbio(ssl);
5370 if (b == NULL || !BIO_get_ktls_send(b)) {
5371 sc->record_padding_cb = cb;
5372 return 1;
5373 }
5374 return 0;
5375 }
5376
5377 void SSL_set_record_padding_callback_arg(SSL *ssl, void *arg)
5378 {
5379 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(ssl);
5380
5381 if (sc == NULL)
5382 return;
5383
5384 sc->record_padding_arg = arg;
5385 }
5386
5387 void *SSL_get_record_padding_callback_arg(const SSL *ssl)
5388 {
5389 const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(ssl);
5390
5391 if (sc == NULL)
5392 return NULL;
5393
5394 return sc->record_padding_arg;
5395 }
5396
5397 int SSL_set_block_padding(SSL *ssl, size_t block_size)
5398 {
5399 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(ssl);
5400
5401 if (sc == NULL)
5402 return 0;
5403
5404 /* block size of 0 or 1 is basically no padding */
5405 if (block_size == 1)
5406 sc->block_padding = 0;
5407 else if (block_size <= SSL3_RT_MAX_PLAIN_LENGTH)
5408 sc->block_padding = block_size;
5409 else
5410 return 0;
5411 return 1;
5412 }
5413
5414 int SSL_set_num_tickets(SSL *s, size_t num_tickets)
5415 {
5416 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
5417
5418 if (sc == NULL)
5419 return 0;
5420
5421 sc->num_tickets = num_tickets;
5422
5423 return 1;
5424 }
5425
5426 size_t SSL_get_num_tickets(const SSL *s)
5427 {
5428 const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
5429
5430 if (sc == NULL)
5431 return 0;
5432
5433 return sc->num_tickets;
5434 }
5435
5436 int SSL_CTX_set_num_tickets(SSL_CTX *ctx, size_t num_tickets)
5437 {
5438 ctx->num_tickets = num_tickets;
5439
5440 return 1;
5441 }
5442
5443 size_t SSL_CTX_get_num_tickets(const SSL_CTX *ctx)
5444 {
5445 return ctx->num_tickets;
5446 }
5447
5448 /*
5449 * Allocates new EVP_MD_CTX and sets pointer to it into given pointer
5450 * variable, freeing EVP_MD_CTX previously stored in that variable, if any.
5451 * If EVP_MD pointer is passed, initializes ctx with this |md|.
5452 * Returns the newly allocated ctx;
5453 */
5454
5455 EVP_MD_CTX *ssl_replace_hash(EVP_MD_CTX **hash, const EVP_MD *md)
5456 {
5457 ssl_clear_hash_ctx(hash);
5458 *hash = EVP_MD_CTX_new();
5459 if (*hash == NULL || (md && EVP_DigestInit_ex(*hash, md, NULL) <= 0)) {
5460 EVP_MD_CTX_free(*hash);
5461 *hash = NULL;
5462 return NULL;
5463 }
5464 return *hash;
5465 }
5466
5467 void ssl_clear_hash_ctx(EVP_MD_CTX **hash)
5468 {
5469
5470 EVP_MD_CTX_free(*hash);
5471 *hash = NULL;
5472 }
5473
5474 /* Retrieve handshake hashes */
5475 int ssl_handshake_hash(SSL_CONNECTION *s,
5476 unsigned char *out, size_t outlen,
5477 size_t *hashlen)
5478 {
5479 EVP_MD_CTX *ctx = NULL;
5480 EVP_MD_CTX *hdgst = s->s3.handshake_dgst;
5481 int hashleni = EVP_MD_CTX_get_size(hdgst);
5482 int ret = 0;
5483
5484 if (hashleni < 0 || (size_t)hashleni > outlen) {
5485 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
5486 goto err;
5487 }
5488
5489 ctx = EVP_MD_CTX_new();
5490 if (ctx == NULL) {
5491 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
5492 goto err;
5493 }
5494
5495 if (!EVP_MD_CTX_copy_ex(ctx, hdgst)
5496 || EVP_DigestFinal_ex(ctx, out, NULL) <= 0) {
5497 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
5498 goto err;
5499 }
5500
5501 *hashlen = hashleni;
5502
5503 ret = 1;
5504 err:
5505 EVP_MD_CTX_free(ctx);
5506 return ret;
5507 }
5508
5509 int SSL_session_reused(const SSL *s)
5510 {
5511 const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
5512
5513 if (sc == NULL)
5514 return 0;
5515
5516 return sc->hit;
5517 }
5518
5519 int SSL_is_server(const SSL *s)
5520 {
5521 const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
5522
5523 if (sc == NULL)
5524 return 0;
5525
5526 return sc->server;
5527 }
5528
5529 #ifndef OPENSSL_NO_DEPRECATED_1_1_0
5530 void SSL_set_debug(SSL *s, int debug)
5531 {
5532 /* Old function was do-nothing anyway... */
5533 (void)s;
5534 (void)debug;
5535 }
5536 #endif
5537
5538 void SSL_set_security_level(SSL *s, int level)
5539 {
5540 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
5541
5542 if (sc == NULL)
5543 return;
5544
5545 sc->cert->sec_level = level;
5546 }
5547
5548 int SSL_get_security_level(const SSL *s)
5549 {
5550 const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
5551
5552 if (sc == NULL)
5553 return 0;
5554
5555 return sc->cert->sec_level;
5556 }
5557
5558 void SSL_set_security_callback(SSL *s,
5559 int (*cb) (const SSL *s, const SSL_CTX *ctx,
5560 int op, int bits, int nid,
5561 void *other, void *ex))
5562 {
5563 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
5564
5565 if (sc == NULL)
5566 return;
5567
5568 sc->cert->sec_cb = cb;
5569 }
5570
5571 int (*SSL_get_security_callback(const SSL *s)) (const SSL *s,
5572 const SSL_CTX *ctx, int op,
5573 int bits, int nid, void *other,
5574 void *ex) {
5575 const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
5576
5577 if (sc == NULL)
5578 return NULL;
5579
5580 return sc->cert->sec_cb;
5581 }
5582
5583 void SSL_set0_security_ex_data(SSL *s, void *ex)
5584 {
5585 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
5586
5587 if (sc == NULL)
5588 return;
5589
5590 sc->cert->sec_ex = ex;
5591 }
5592
5593 void *SSL_get0_security_ex_data(const SSL *s)
5594 {
5595 const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
5596
5597 if (sc == NULL)
5598 return NULL;
5599
5600 return sc->cert->sec_ex;
5601 }
5602
5603 void SSL_CTX_set_security_level(SSL_CTX *ctx, int level)
5604 {
5605 ctx->cert->sec_level = level;
5606 }
5607
5608 int SSL_CTX_get_security_level(const SSL_CTX *ctx)
5609 {
5610 return ctx->cert->sec_level;
5611 }
5612
5613 void SSL_CTX_set_security_callback(SSL_CTX *ctx,
5614 int (*cb) (const SSL *s, const SSL_CTX *ctx,
5615 int op, int bits, int nid,
5616 void *other, void *ex))
5617 {
5618 ctx->cert->sec_cb = cb;
5619 }
5620
5621 int (*SSL_CTX_get_security_callback(const SSL_CTX *ctx)) (const SSL *s,
5622 const SSL_CTX *ctx,
5623 int op, int bits,
5624 int nid,
5625 void *other,
5626 void *ex) {
5627 return ctx->cert->sec_cb;
5628 }
5629
5630 void SSL_CTX_set0_security_ex_data(SSL_CTX *ctx, void *ex)
5631 {
5632 ctx->cert->sec_ex = ex;
5633 }
5634
5635 void *SSL_CTX_get0_security_ex_data(const SSL_CTX *ctx)
5636 {
5637 return ctx->cert->sec_ex;
5638 }
5639
5640 uint64_t SSL_CTX_get_options(const SSL_CTX *ctx)
5641 {
5642 return ctx->options;
5643 }
5644
5645 uint64_t SSL_get_options(const SSL *s)
5646 {
5647 const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
5648
5649 if (sc == NULL)
5650 return 0;
5651
5652 return sc->options;
5653 }
5654
5655 uint64_t SSL_CTX_set_options(SSL_CTX *ctx, uint64_t op)
5656 {
5657 return ctx->options |= op;
5658 }
5659
5660 uint64_t SSL_set_options(SSL *s, uint64_t op)
5661 {
5662 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
5663
5664 if (sc == NULL)
5665 return 0;
5666
5667 return sc->options |= op;
5668 }
5669
5670 uint64_t SSL_CTX_clear_options(SSL_CTX *ctx, uint64_t op)
5671 {
5672 return ctx->options &= ~op;
5673 }
5674
5675 uint64_t SSL_clear_options(SSL *s, uint64_t op)
5676 {
5677 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
5678
5679 if (sc == NULL)
5680 return 0;
5681
5682 return sc->options &= ~op;
5683 }
5684
5685 STACK_OF(X509) *SSL_get0_verified_chain(const SSL *s)
5686 {
5687 const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
5688
5689 if (sc == NULL)
5690 return NULL;
5691
5692 return sc->verified_chain;
5693 }
5694
5695 IMPLEMENT_OBJ_BSEARCH_GLOBAL_CMP_FN(SSL_CIPHER, SSL_CIPHER, ssl_cipher_id);
5696
5697 #ifndef OPENSSL_NO_CT
5698
5699 /*
5700 * Moves SCTs from the |src| stack to the |dst| stack.
5701 * The source of each SCT will be set to |origin|.
5702 * If |dst| points to a NULL pointer, a new stack will be created and owned by
5703 * the caller.
5704 * Returns the number of SCTs moved, or a negative integer if an error occurs.
5705 */
5706 static int ct_move_scts(STACK_OF(SCT) **dst, STACK_OF(SCT) *src,
5707 sct_source_t origin)
5708 {
5709 int scts_moved = 0;
5710 SCT *sct = NULL;
5711
5712 if (*dst == NULL) {
5713 *dst = sk_SCT_new_null();
5714 if (*dst == NULL) {
5715 ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE);
5716 goto err;
5717 }
5718 }
5719
5720 while ((sct = sk_SCT_pop(src)) != NULL) {
5721 if (SCT_set_source(sct, origin) != 1)
5722 goto err;
5723
5724 if (sk_SCT_push(*dst, sct) <= 0)
5725 goto err;
5726 scts_moved += 1;
5727 }
5728
5729 return scts_moved;
5730 err:
5731 if (sct != NULL)
5732 sk_SCT_push(src, sct); /* Put the SCT back */
5733 return -1;
5734 }
5735
5736 /*
5737 * Look for data collected during ServerHello and parse if found.
5738 * Returns the number of SCTs extracted.
5739 */
5740 static int ct_extract_tls_extension_scts(SSL_CONNECTION *s)
5741 {
5742 int scts_extracted = 0;
5743
5744 if (s->ext.scts != NULL) {
5745 const unsigned char *p = s->ext.scts;
5746 STACK_OF(SCT) *scts = o2i_SCT_LIST(NULL, &p, s->ext.scts_len);
5747
5748 scts_extracted = ct_move_scts(&s->scts, scts, SCT_SOURCE_TLS_EXTENSION);
5749
5750 SCT_LIST_free(scts);
5751 }
5752
5753 return scts_extracted;
5754 }
5755
5756 /*
5757 * Checks for an OCSP response and then attempts to extract any SCTs found if it
5758 * contains an SCT X509 extension. They will be stored in |s->scts|.
5759 * Returns:
5760 * - The number of SCTs extracted, assuming an OCSP response exists.
5761 * - 0 if no OCSP response exists or it contains no SCTs.
5762 * - A negative integer if an error occurs.
5763 */
5764 static int ct_extract_ocsp_response_scts(SSL_CONNECTION *s)
5765 {
5766 # ifndef OPENSSL_NO_OCSP
5767 int scts_extracted = 0;
5768 const unsigned char *p;
5769 OCSP_BASICRESP *br = NULL;
5770 OCSP_RESPONSE *rsp = NULL;
5771 STACK_OF(SCT) *scts = NULL;
5772 int i;
5773
5774 if (s->ext.ocsp.resp == NULL || s->ext.ocsp.resp_len == 0)
5775 goto err;
5776
5777 p = s->ext.ocsp.resp;
5778 rsp = d2i_OCSP_RESPONSE(NULL, &p, (int)s->ext.ocsp.resp_len);
5779 if (rsp == NULL)
5780 goto err;
5781
5782 br = OCSP_response_get1_basic(rsp);
5783 if (br == NULL)
5784 goto err;
5785
5786 for (i = 0; i < OCSP_resp_count(br); ++i) {
5787 OCSP_SINGLERESP *single = OCSP_resp_get0(br, i);
5788
5789 if (single == NULL)
5790 continue;
5791
5792 scts =
5793 OCSP_SINGLERESP_get1_ext_d2i(single, NID_ct_cert_scts, NULL, NULL);
5794 scts_extracted =
5795 ct_move_scts(&s->scts, scts, SCT_SOURCE_OCSP_STAPLED_RESPONSE);
5796 if (scts_extracted < 0)
5797 goto err;
5798 }
5799 err:
5800 SCT_LIST_free(scts);
5801 OCSP_BASICRESP_free(br);
5802 OCSP_RESPONSE_free(rsp);
5803 return scts_extracted;
5804 # else
5805 /* Behave as if no OCSP response exists */
5806 return 0;
5807 # endif
5808 }
5809
5810 /*
5811 * Attempts to extract SCTs from the peer certificate.
5812 * Return the number of SCTs extracted, or a negative integer if an error
5813 * occurs.
5814 */
5815 static int ct_extract_x509v3_extension_scts(SSL_CONNECTION *s)
5816 {
5817 int scts_extracted = 0;
5818 X509 *cert = s->session != NULL ? s->session->peer : NULL;
5819
5820 if (cert != NULL) {
5821 STACK_OF(SCT) *scts =
5822 X509_get_ext_d2i(cert, NID_ct_precert_scts, NULL, NULL);
5823
5824 scts_extracted =
5825 ct_move_scts(&s->scts, scts, SCT_SOURCE_X509V3_EXTENSION);
5826
5827 SCT_LIST_free(scts);
5828 }
5829
5830 return scts_extracted;
5831 }
5832
5833 /*
5834 * Attempts to find all received SCTs by checking TLS extensions, the OCSP
5835 * response (if it exists) and X509v3 extensions in the certificate.
5836 * Returns NULL if an error occurs.
5837 */
5838 const STACK_OF(SCT) *SSL_get0_peer_scts(SSL *s)
5839 {
5840 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
5841
5842 if (sc == NULL)
5843 return NULL;
5844
5845 if (!sc->scts_parsed) {
5846 if (ct_extract_tls_extension_scts(sc) < 0 ||
5847 ct_extract_ocsp_response_scts(sc) < 0 ||
5848 ct_extract_x509v3_extension_scts(sc) < 0)
5849 goto err;
5850
5851 sc->scts_parsed = 1;
5852 }
5853 return sc->scts;
5854 err:
5855 return NULL;
5856 }
5857
5858 static int ct_permissive(const CT_POLICY_EVAL_CTX * ctx,
5859 const STACK_OF(SCT) *scts, void *unused_arg)
5860 {
5861 return 1;
5862 }
5863
5864 static int ct_strict(const CT_POLICY_EVAL_CTX * ctx,
5865 const STACK_OF(SCT) *scts, void *unused_arg)
5866 {
5867 int count = scts != NULL ? sk_SCT_num(scts) : 0;
5868 int i;
5869
5870 for (i = 0; i < count; ++i) {
5871 SCT *sct = sk_SCT_value(scts, i);
5872 int status = SCT_get_validation_status(sct);
5873
5874 if (status == SCT_VALIDATION_STATUS_VALID)
5875 return 1;
5876 }
5877 ERR_raise(ERR_LIB_SSL, SSL_R_NO_VALID_SCTS);
5878 return 0;
5879 }
5880
5881 int SSL_set_ct_validation_callback(SSL *s, ssl_ct_validation_cb callback,
5882 void *arg)
5883 {
5884 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
5885
5886 if (sc == NULL)
5887 return 0;
5888
5889 /*
5890 * Since code exists that uses the custom extension handler for CT, look
5891 * for this and throw an error if they have already registered to use CT.
5892 */
5893 if (callback != NULL && SSL_CTX_has_client_custom_ext(s->ctx,
5894 TLSEXT_TYPE_signed_certificate_timestamp))
5895 {
5896 ERR_raise(ERR_LIB_SSL, SSL_R_CUSTOM_EXT_HANDLER_ALREADY_INSTALLED);
5897 return 0;
5898 }
5899
5900 if (callback != NULL) {
5901 /*
5902 * If we are validating CT, then we MUST accept SCTs served via OCSP
5903 */
5904 if (!SSL_set_tlsext_status_type(s, TLSEXT_STATUSTYPE_ocsp))
5905 return 0;
5906 }
5907
5908 sc->ct_validation_callback = callback;
5909 sc->ct_validation_callback_arg = arg;
5910
5911 return 1;
5912 }
5913
5914 int SSL_CTX_set_ct_validation_callback(SSL_CTX *ctx,
5915 ssl_ct_validation_cb callback, void *arg)
5916 {
5917 /*
5918 * Since code exists that uses the custom extension handler for CT, look for
5919 * this and throw an error if they have already registered to use CT.
5920 */
5921 if (callback != NULL && SSL_CTX_has_client_custom_ext(ctx,
5922 TLSEXT_TYPE_signed_certificate_timestamp))
5923 {
5924 ERR_raise(ERR_LIB_SSL, SSL_R_CUSTOM_EXT_HANDLER_ALREADY_INSTALLED);
5925 return 0;
5926 }
5927
5928 ctx->ct_validation_callback = callback;
5929 ctx->ct_validation_callback_arg = arg;
5930 return 1;
5931 }
5932
5933 int SSL_ct_is_enabled(const SSL *s)
5934 {
5935 const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
5936
5937 if (sc == NULL)
5938 return 0;
5939
5940 return sc->ct_validation_callback != NULL;
5941 }
5942
5943 int SSL_CTX_ct_is_enabled(const SSL_CTX *ctx)
5944 {
5945 return ctx->ct_validation_callback != NULL;
5946 }
5947
5948 int ssl_validate_ct(SSL_CONNECTION *s)
5949 {
5950 int ret = 0;
5951 X509 *cert = s->session != NULL ? s->session->peer : NULL;
5952 X509 *issuer;
5953 SSL_DANE *dane = &s->dane;
5954 CT_POLICY_EVAL_CTX *ctx = NULL;
5955 const STACK_OF(SCT) *scts;
5956
5957 /*
5958 * If no callback is set, the peer is anonymous, or its chain is invalid,
5959 * skip SCT validation - just return success. Applications that continue
5960 * handshakes without certificates, with unverified chains, or pinned leaf
5961 * certificates are outside the scope of the WebPKI and CT.
5962 *
5963 * The above exclusions notwithstanding the vast majority of peers will
5964 * have rather ordinary certificate chains validated by typical
5965 * applications that perform certificate verification and therefore will
5966 * process SCTs when enabled.
5967 */
5968 if (s->ct_validation_callback == NULL || cert == NULL ||
5969 s->verify_result != X509_V_OK ||
5970 s->verified_chain == NULL || sk_X509_num(s->verified_chain) <= 1)
5971 return 1;
5972
5973 /*
5974 * CT not applicable for chains validated via DANE-TA(2) or DANE-EE(3)
5975 * trust-anchors. See https://tools.ietf.org/html/rfc7671#section-4.2
5976 */
5977 if (DANETLS_ENABLED(dane) && dane->mtlsa != NULL) {
5978 switch (dane->mtlsa->usage) {
5979 case DANETLS_USAGE_DANE_TA:
5980 case DANETLS_USAGE_DANE_EE:
5981 return 1;
5982 }
5983 }
5984
5985 ctx = CT_POLICY_EVAL_CTX_new_ex(SSL_CONNECTION_GET_CTX(s)->libctx,
5986 SSL_CONNECTION_GET_CTX(s)->propq);
5987 if (ctx == NULL) {
5988 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
5989 goto end;
5990 }
5991
5992 issuer = sk_X509_value(s->verified_chain, 1);
5993 CT_POLICY_EVAL_CTX_set1_cert(ctx, cert);
5994 CT_POLICY_EVAL_CTX_set1_issuer(ctx, issuer);
5995 CT_POLICY_EVAL_CTX_set_shared_CTLOG_STORE(ctx,
5996 SSL_CONNECTION_GET_CTX(s)->ctlog_store);
5997 CT_POLICY_EVAL_CTX_set_time(
5998 ctx, (uint64_t)SSL_SESSION_get_time(s->session) * 1000);
5999
6000 scts = SSL_get0_peer_scts(SSL_CONNECTION_GET_SSL(s));
6001
6002 /*
6003 * This function returns success (> 0) only when all the SCTs are valid, 0
6004 * when some are invalid, and < 0 on various internal errors (out of
6005 * memory, etc.). Having some, or even all, invalid SCTs is not sufficient
6006 * reason to abort the handshake, that decision is up to the callback.
6007 * Therefore, we error out only in the unexpected case that the return
6008 * value is negative.
6009 *
6010 * XXX: One might well argue that the return value of this function is an
6011 * unfortunate design choice. Its job is only to determine the validation
6012 * status of each of the provided SCTs. So long as it correctly separates
6013 * the wheat from the chaff it should return success. Failure in this case
6014 * ought to correspond to an inability to carry out its duties.
6015 */
6016 if (SCT_LIST_validate(scts, ctx) < 0) {
6017 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_SCT_VERIFICATION_FAILED);
6018 goto end;
6019 }
6020
6021 ret = s->ct_validation_callback(ctx, scts, s->ct_validation_callback_arg);
6022 if (ret < 0)
6023 ret = 0; /* This function returns 0 on failure */
6024 if (!ret)
6025 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_CALLBACK_FAILED);
6026
6027 end:
6028 CT_POLICY_EVAL_CTX_free(ctx);
6029 /*
6030 * With SSL_VERIFY_NONE the session may be cached and re-used despite a
6031 * failure return code here. Also the application may wish the complete
6032 * the handshake, and then disconnect cleanly at a higher layer, after
6033 * checking the verification status of the completed connection.
6034 *
6035 * We therefore force a certificate verification failure which will be
6036 * visible via SSL_get_verify_result() and cached as part of any resumed
6037 * session.
6038 *
6039 * Note: the permissive callback is for information gathering only, always
6040 * returns success, and does not affect verification status. Only the
6041 * strict callback or a custom application-specified callback can trigger
6042 * connection failure or record a verification error.
6043 */
6044 if (ret <= 0)
6045 s->verify_result = X509_V_ERR_NO_VALID_SCTS;
6046 return ret;
6047 }
6048
6049 int SSL_CTX_enable_ct(SSL_CTX *ctx, int validation_mode)
6050 {
6051 switch (validation_mode) {
6052 default:
6053 ERR_raise(ERR_LIB_SSL, SSL_R_INVALID_CT_VALIDATION_TYPE);
6054 return 0;
6055 case SSL_CT_VALIDATION_PERMISSIVE:
6056 return SSL_CTX_set_ct_validation_callback(ctx, ct_permissive, NULL);
6057 case SSL_CT_VALIDATION_STRICT:
6058 return SSL_CTX_set_ct_validation_callback(ctx, ct_strict, NULL);
6059 }
6060 }
6061
6062 int SSL_enable_ct(SSL *s, int validation_mode)
6063 {
6064 switch (validation_mode) {
6065 default:
6066 ERR_raise(ERR_LIB_SSL, SSL_R_INVALID_CT_VALIDATION_TYPE);
6067 return 0;
6068 case SSL_CT_VALIDATION_PERMISSIVE:
6069 return SSL_set_ct_validation_callback(s, ct_permissive, NULL);
6070 case SSL_CT_VALIDATION_STRICT:
6071 return SSL_set_ct_validation_callback(s, ct_strict, NULL);
6072 }
6073 }
6074
6075 int SSL_CTX_set_default_ctlog_list_file(SSL_CTX *ctx)
6076 {
6077 return CTLOG_STORE_load_default_file(ctx->ctlog_store);
6078 }
6079
6080 int SSL_CTX_set_ctlog_list_file(SSL_CTX *ctx, const char *path)
6081 {
6082 return CTLOG_STORE_load_file(ctx->ctlog_store, path);
6083 }
6084
6085 void SSL_CTX_set0_ctlog_store(SSL_CTX *ctx, CTLOG_STORE * logs)
6086 {
6087 CTLOG_STORE_free(ctx->ctlog_store);
6088 ctx->ctlog_store = logs;
6089 }
6090
6091 const CTLOG_STORE *SSL_CTX_get0_ctlog_store(const SSL_CTX *ctx)
6092 {
6093 return ctx->ctlog_store;
6094 }
6095
6096 #endif /* OPENSSL_NO_CT */
6097
6098 void SSL_CTX_set_client_hello_cb(SSL_CTX *c, SSL_client_hello_cb_fn cb,
6099 void *arg)
6100 {
6101 c->client_hello_cb = cb;
6102 c->client_hello_cb_arg = arg;
6103 }
6104
6105 int SSL_client_hello_isv2(SSL *s)
6106 {
6107 const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
6108
6109 if (sc == NULL)
6110 return 0;
6111
6112 if (sc->clienthello == NULL)
6113 return 0;
6114 return sc->clienthello->isv2;
6115 }
6116
6117 unsigned int SSL_client_hello_get0_legacy_version(SSL *s)
6118 {
6119 const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
6120
6121 if (sc == NULL)
6122 return 0;
6123
6124 if (sc->clienthello == NULL)
6125 return 0;
6126 return sc->clienthello->legacy_version;
6127 }
6128
6129 size_t SSL_client_hello_get0_random(SSL *s, const unsigned char **out)
6130 {
6131 const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
6132
6133 if (sc == NULL)
6134 return 0;
6135
6136 if (sc->clienthello == NULL)
6137 return 0;
6138 if (out != NULL)
6139 *out = sc->clienthello->random;
6140 return SSL3_RANDOM_SIZE;
6141 }
6142
6143 size_t SSL_client_hello_get0_session_id(SSL *s, const unsigned char **out)
6144 {
6145 const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
6146
6147 if (sc == NULL)
6148 return 0;
6149
6150 if (sc->clienthello == NULL)
6151 return 0;
6152 if (out != NULL)
6153 *out = sc->clienthello->session_id;
6154 return sc->clienthello->session_id_len;
6155 }
6156
6157 size_t SSL_client_hello_get0_ciphers(SSL *s, const unsigned char **out)
6158 {
6159 const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
6160
6161 if (sc == NULL)
6162 return 0;
6163
6164 if (sc->clienthello == NULL)
6165 return 0;
6166 if (out != NULL)
6167 *out = PACKET_data(&sc->clienthello->ciphersuites);
6168 return PACKET_remaining(&sc->clienthello->ciphersuites);
6169 }
6170
6171 size_t SSL_client_hello_get0_compression_methods(SSL *s, const unsigned char **out)
6172 {
6173 const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
6174
6175 if (sc == NULL)
6176 return 0;
6177
6178 if (sc->clienthello == NULL)
6179 return 0;
6180 if (out != NULL)
6181 *out = sc->clienthello->compressions;
6182 return sc->clienthello->compressions_len;
6183 }
6184
6185 int SSL_client_hello_get1_extensions_present(SSL *s, int **out, size_t *outlen)
6186 {
6187 RAW_EXTENSION *ext;
6188 int *present;
6189 size_t num = 0, i;
6190 const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
6191
6192 if (sc == NULL)
6193 return 0;
6194
6195 if (sc->clienthello == NULL || out == NULL || outlen == NULL)
6196 return 0;
6197 for (i = 0; i < sc->clienthello->pre_proc_exts_len; i++) {
6198 ext = sc->clienthello->pre_proc_exts + i;
6199 if (ext->present)
6200 num++;
6201 }
6202 if (num == 0) {
6203 *out = NULL;
6204 *outlen = 0;
6205 return 1;
6206 }
6207 if ((present = OPENSSL_malloc(sizeof(*present) * num)) == NULL) {
6208 ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE);
6209 return 0;
6210 }
6211 for (i = 0; i < sc->clienthello->pre_proc_exts_len; i++) {
6212 ext = sc->clienthello->pre_proc_exts + i;
6213 if (ext->present) {
6214 if (ext->received_order >= num)
6215 goto err;
6216 present[ext->received_order] = ext->type;
6217 }
6218 }
6219 *out = present;
6220 *outlen = num;
6221 return 1;
6222 err:
6223 OPENSSL_free(present);
6224 return 0;
6225 }
6226
6227 int SSL_client_hello_get_extension_order(SSL *s, uint16_t *exts, size_t *num_exts)
6228 {
6229 RAW_EXTENSION *ext;
6230 size_t num = 0, i;
6231 const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
6232
6233 if (sc == NULL)
6234 return 0;
6235
6236 if (sc->clienthello == NULL || num_exts == NULL)
6237 return 0;
6238 for (i = 0; i < sc->clienthello->pre_proc_exts_len; i++) {
6239 ext = sc->clienthello->pre_proc_exts + i;
6240 if (ext->present)
6241 num++;
6242 }
6243 if (num == 0) {
6244 *num_exts = 0;
6245 return 1;
6246 }
6247 if (exts == NULL) {
6248 *num_exts = num;
6249 return 1;
6250 }
6251 if (*num_exts < num)
6252 return 0;
6253 for (i = 0; i < sc->clienthello->pre_proc_exts_len; i++) {
6254 ext = sc->clienthello->pre_proc_exts + i;
6255 if (ext->present) {
6256 if (ext->received_order >= num)
6257 return 0;
6258 exts[ext->received_order] = ext->type;
6259 }
6260 }
6261 *num_exts = num;
6262 return 1;
6263 }
6264
6265 int SSL_client_hello_get0_ext(SSL *s, unsigned int type, const unsigned char **out,
6266 size_t *outlen)
6267 {
6268 size_t i;
6269 RAW_EXTENSION *r;
6270 const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
6271
6272 if (sc == NULL)
6273 return 0;
6274
6275 if (sc->clienthello == NULL)
6276 return 0;
6277 for (i = 0; i < sc->clienthello->pre_proc_exts_len; ++i) {
6278 r = sc->clienthello->pre_proc_exts + i;
6279 if (r->present && r->type == type) {
6280 if (out != NULL)
6281 *out = PACKET_data(&r->data);
6282 if (outlen != NULL)
6283 *outlen = PACKET_remaining(&r->data);
6284 return 1;
6285 }
6286 }
6287 return 0;
6288 }
6289
6290 int SSL_free_buffers(SSL *ssl)
6291 {
6292 RECORD_LAYER *rl;
6293 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(ssl);
6294
6295 if (sc == NULL)
6296 return 0;
6297
6298 rl = &sc->rlayer;
6299
6300 if (RECORD_LAYER_read_pending(rl) || RECORD_LAYER_write_pending(rl))
6301 return 0;
6302
6303 RECORD_LAYER_release(rl);
6304 return 1;
6305 }
6306
6307 int SSL_alloc_buffers(SSL *ssl)
6308 {
6309 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(ssl);
6310
6311 if (sc == NULL)
6312 return 0;
6313
6314 return ssl3_setup_buffers(sc);
6315 }
6316
6317 void SSL_CTX_set_keylog_callback(SSL_CTX *ctx, SSL_CTX_keylog_cb_func cb)
6318 {
6319 ctx->keylog_callback = cb;
6320 }
6321
6322 SSL_CTX_keylog_cb_func SSL_CTX_get_keylog_callback(const SSL_CTX *ctx)
6323 {
6324 return ctx->keylog_callback;
6325 }
6326
6327 static int nss_keylog_int(const char *prefix,
6328 SSL_CONNECTION *sc,
6329 const uint8_t *parameter_1,
6330 size_t parameter_1_len,
6331 const uint8_t *parameter_2,
6332 size_t parameter_2_len)
6333 {
6334 char *out = NULL;
6335 char *cursor = NULL;
6336 size_t out_len = 0;
6337 size_t i;
6338 size_t prefix_len;
6339 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(sc);
6340
6341 if (sctx->keylog_callback == NULL)
6342 return 1;
6343
6344 /*
6345 * Our output buffer will contain the following strings, rendered with
6346 * space characters in between, terminated by a NULL character: first the
6347 * prefix, then the first parameter, then the second parameter. The
6348 * meaning of each parameter depends on the specific key material being
6349 * logged. Note that the first and second parameters are encoded in
6350 * hexadecimal, so we need a buffer that is twice their lengths.
6351 */
6352 prefix_len = strlen(prefix);
6353 out_len = prefix_len + (2 * parameter_1_len) + (2 * parameter_2_len) + 3;
6354 if ((out = cursor = OPENSSL_malloc(out_len)) == NULL) {
6355 SSLfatal(sc, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
6356 return 0;
6357 }
6358
6359 strcpy(cursor, prefix);
6360 cursor += prefix_len;
6361 *cursor++ = ' ';
6362
6363 for (i = 0; i < parameter_1_len; i++) {
6364 sprintf(cursor, "%02x", parameter_1[i]);
6365 cursor += 2;
6366 }
6367 *cursor++ = ' ';
6368
6369 for (i = 0; i < parameter_2_len; i++) {
6370 sprintf(cursor, "%02x", parameter_2[i]);
6371 cursor += 2;
6372 }
6373 *cursor = '\0';
6374
6375 sctx->keylog_callback(SSL_CONNECTION_GET_SSL(sc), (const char *)out);
6376 OPENSSL_clear_free(out, out_len);
6377 return 1;
6378
6379 }
6380
6381 int ssl_log_rsa_client_key_exchange(SSL_CONNECTION *sc,
6382 const uint8_t *encrypted_premaster,
6383 size_t encrypted_premaster_len,
6384 const uint8_t *premaster,
6385 size_t premaster_len)
6386 {
6387 if (encrypted_premaster_len < 8) {
6388 SSLfatal(sc, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
6389 return 0;
6390 }
6391
6392 /* We only want the first 8 bytes of the encrypted premaster as a tag. */
6393 return nss_keylog_int("RSA",
6394 sc,
6395 encrypted_premaster,
6396 8,
6397 premaster,
6398 premaster_len);
6399 }
6400
6401 int ssl_log_secret(SSL_CONNECTION *sc,
6402 const char *label,
6403 const uint8_t *secret,
6404 size_t secret_len)
6405 {
6406 return nss_keylog_int(label,
6407 sc,
6408 sc->s3.client_random,
6409 SSL3_RANDOM_SIZE,
6410 secret,
6411 secret_len);
6412 }
6413
6414 #define SSLV2_CIPHER_LEN 3
6415
6416 int ssl_cache_cipherlist(SSL_CONNECTION *s, PACKET *cipher_suites, int sslv2format)
6417 {
6418 int n;
6419
6420 n = sslv2format ? SSLV2_CIPHER_LEN : TLS_CIPHER_LEN;
6421
6422 if (PACKET_remaining(cipher_suites) == 0) {
6423 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_NO_CIPHERS_SPECIFIED);
6424 return 0;
6425 }
6426
6427 if (PACKET_remaining(cipher_suites) % n != 0) {
6428 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST);
6429 return 0;
6430 }
6431
6432 OPENSSL_free(s->s3.tmp.ciphers_raw);
6433 s->s3.tmp.ciphers_raw = NULL;
6434 s->s3.tmp.ciphers_rawlen = 0;
6435
6436 if (sslv2format) {
6437 size_t numciphers = PACKET_remaining(cipher_suites) / n;
6438 PACKET sslv2ciphers = *cipher_suites;
6439 unsigned int leadbyte;
6440 unsigned char *raw;
6441
6442 /*
6443 * We store the raw ciphers list in SSLv3+ format so we need to do some
6444 * preprocessing to convert the list first. If there are any SSLv2 only
6445 * ciphersuites with a non-zero leading byte then we are going to
6446 * slightly over allocate because we won't store those. But that isn't a
6447 * problem.
6448 */
6449 raw = OPENSSL_malloc(numciphers * TLS_CIPHER_LEN);
6450 s->s3.tmp.ciphers_raw = raw;
6451 if (raw == NULL) {
6452 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
6453 return 0;
6454 }
6455 for (s->s3.tmp.ciphers_rawlen = 0;
6456 PACKET_remaining(&sslv2ciphers) > 0;
6457 raw += TLS_CIPHER_LEN) {
6458 if (!PACKET_get_1(&sslv2ciphers, &leadbyte)
6459 || (leadbyte == 0
6460 && !PACKET_copy_bytes(&sslv2ciphers, raw,
6461 TLS_CIPHER_LEN))
6462 || (leadbyte != 0
6463 && !PACKET_forward(&sslv2ciphers, TLS_CIPHER_LEN))) {
6464 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_PACKET);
6465 OPENSSL_free(s->s3.tmp.ciphers_raw);
6466 s->s3.tmp.ciphers_raw = NULL;
6467 s->s3.tmp.ciphers_rawlen = 0;
6468 return 0;
6469 }
6470 if (leadbyte == 0)
6471 s->s3.tmp.ciphers_rawlen += TLS_CIPHER_LEN;
6472 }
6473 } else if (!PACKET_memdup(cipher_suites, &s->s3.tmp.ciphers_raw,
6474 &s->s3.tmp.ciphers_rawlen)) {
6475 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
6476 return 0;
6477 }
6478 return 1;
6479 }
6480
6481 int SSL_bytes_to_cipher_list(SSL *s, const unsigned char *bytes, size_t len,
6482 int isv2format, STACK_OF(SSL_CIPHER) **sk,
6483 STACK_OF(SSL_CIPHER) **scsvs)
6484 {
6485 PACKET pkt;
6486 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
6487
6488 if (sc == NULL)
6489 return 0;
6490
6491 if (!PACKET_buf_init(&pkt, bytes, len))
6492 return 0;
6493 return ossl_bytes_to_cipher_list(sc, &pkt, sk, scsvs, isv2format, 0);
6494 }
6495
6496 int ossl_bytes_to_cipher_list(SSL_CONNECTION *s, PACKET *cipher_suites,
6497 STACK_OF(SSL_CIPHER) **skp,
6498 STACK_OF(SSL_CIPHER) **scsvs_out,
6499 int sslv2format, int fatal)
6500 {
6501 const SSL_CIPHER *c;
6502 STACK_OF(SSL_CIPHER) *sk = NULL;
6503 STACK_OF(SSL_CIPHER) *scsvs = NULL;
6504 int n;
6505 /* 3 = SSLV2_CIPHER_LEN > TLS_CIPHER_LEN = 2. */
6506 unsigned char cipher[SSLV2_CIPHER_LEN];
6507
6508 n = sslv2format ? SSLV2_CIPHER_LEN : TLS_CIPHER_LEN;
6509
6510 if (PACKET_remaining(cipher_suites) == 0) {
6511 if (fatal)
6512 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_NO_CIPHERS_SPECIFIED);
6513 else
6514 ERR_raise(ERR_LIB_SSL, SSL_R_NO_CIPHERS_SPECIFIED);
6515 return 0;
6516 }
6517
6518 if (PACKET_remaining(cipher_suites) % n != 0) {
6519 if (fatal)
6520 SSLfatal(s, SSL_AD_DECODE_ERROR,
6521 SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST);
6522 else
6523 ERR_raise(ERR_LIB_SSL, SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST);
6524 return 0;
6525 }
6526
6527 sk = sk_SSL_CIPHER_new_null();
6528 scsvs = sk_SSL_CIPHER_new_null();
6529 if (sk == NULL || scsvs == NULL) {
6530 if (fatal)
6531 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
6532 else
6533 ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE);
6534 goto err;
6535 }
6536
6537 while (PACKET_copy_bytes(cipher_suites, cipher, n)) {
6538 /*
6539 * SSLv3 ciphers wrapped in an SSLv2-compatible ClientHello have the
6540 * first byte set to zero, while true SSLv2 ciphers have a non-zero
6541 * first byte. We don't support any true SSLv2 ciphers, so skip them.
6542 */
6543 if (sslv2format && cipher[0] != '\0')
6544 continue;
6545
6546 /* For SSLv2-compat, ignore leading 0-byte. */
6547 c = ssl_get_cipher_by_char(s, sslv2format ? &cipher[1] : cipher, 1);
6548 if (c != NULL) {
6549 if ((c->valid && !sk_SSL_CIPHER_push(sk, c)) ||
6550 (!c->valid && !sk_SSL_CIPHER_push(scsvs, c))) {
6551 if (fatal)
6552 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
6553 else
6554 ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE);
6555 goto err;
6556 }
6557 }
6558 }
6559 if (PACKET_remaining(cipher_suites) > 0) {
6560 if (fatal)
6561 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_LENGTH);
6562 else
6563 ERR_raise(ERR_LIB_SSL, SSL_R_BAD_LENGTH);
6564 goto err;
6565 }
6566
6567 if (skp != NULL)
6568 *skp = sk;
6569 else
6570 sk_SSL_CIPHER_free(sk);
6571 if (scsvs_out != NULL)
6572 *scsvs_out = scsvs;
6573 else
6574 sk_SSL_CIPHER_free(scsvs);
6575 return 1;
6576 err:
6577 sk_SSL_CIPHER_free(sk);
6578 sk_SSL_CIPHER_free(scsvs);
6579 return 0;
6580 }
6581
6582 int SSL_CTX_set_max_early_data(SSL_CTX *ctx, uint32_t max_early_data)
6583 {
6584 ctx->max_early_data = max_early_data;
6585
6586 return 1;
6587 }
6588
6589 uint32_t SSL_CTX_get_max_early_data(const SSL_CTX *ctx)
6590 {
6591 return ctx->max_early_data;
6592 }
6593
6594 int SSL_set_max_early_data(SSL *s, uint32_t max_early_data)
6595 {
6596 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
6597
6598 if (sc == NULL)
6599 return 0;
6600
6601 sc->max_early_data = max_early_data;
6602
6603 return 1;
6604 }
6605
6606 uint32_t SSL_get_max_early_data(const SSL *s)
6607 {
6608 const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
6609
6610 if (sc == NULL)
6611 return 0;
6612
6613 return sc->max_early_data;
6614 }
6615
6616 int SSL_CTX_set_recv_max_early_data(SSL_CTX *ctx, uint32_t recv_max_early_data)
6617 {
6618 ctx->recv_max_early_data = recv_max_early_data;
6619
6620 return 1;
6621 }
6622
6623 uint32_t SSL_CTX_get_recv_max_early_data(const SSL_CTX *ctx)
6624 {
6625 return ctx->recv_max_early_data;
6626 }
6627
6628 int SSL_set_recv_max_early_data(SSL *s, uint32_t recv_max_early_data)
6629 {
6630 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
6631
6632 if (sc == NULL)
6633 return 0;
6634
6635 sc->recv_max_early_data = recv_max_early_data;
6636
6637 return 1;
6638 }
6639
6640 uint32_t SSL_get_recv_max_early_data(const SSL *s)
6641 {
6642 const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
6643
6644 if (sc == NULL)
6645 return 0;
6646
6647 return sc->recv_max_early_data;
6648 }
6649
6650 __owur unsigned int ssl_get_max_send_fragment(const SSL_CONNECTION *sc)
6651 {
6652 /* Return any active Max Fragment Len extension */
6653 if (sc->session != NULL && USE_MAX_FRAGMENT_LENGTH_EXT(sc->session))
6654 return GET_MAX_FRAGMENT_LENGTH(sc->session);
6655
6656 /* return current SSL connection setting */
6657 return sc->max_send_fragment;
6658 }
6659
6660 __owur unsigned int ssl_get_split_send_fragment(const SSL_CONNECTION *sc)
6661 {
6662 /* Return a value regarding an active Max Fragment Len extension */
6663 if (sc->session != NULL && USE_MAX_FRAGMENT_LENGTH_EXT(sc->session)
6664 && sc->split_send_fragment > GET_MAX_FRAGMENT_LENGTH(sc->session))
6665 return GET_MAX_FRAGMENT_LENGTH(sc->session);
6666
6667 /* else limit |split_send_fragment| to current |max_send_fragment| */
6668 if (sc->split_send_fragment > sc->max_send_fragment)
6669 return sc->max_send_fragment;
6670
6671 /* return current SSL connection setting */
6672 return sc->split_send_fragment;
6673 }
6674
6675 int SSL_stateless(SSL *s)
6676 {
6677 int ret;
6678 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
6679
6680 /* TODO(QUIC): This will need further work. */
6681 if (sc == NULL)
6682 return 0;
6683
6684 /* Ensure there is no state left over from a previous invocation */
6685 if (!SSL_clear(s))
6686 return 0;
6687
6688 ERR_clear_error();
6689
6690 sc->s3.flags |= TLS1_FLAGS_STATELESS;
6691 ret = SSL_accept(s);
6692 sc->s3.flags &= ~TLS1_FLAGS_STATELESS;
6693
6694 if (ret > 0 && sc->ext.cookieok)
6695 return 1;
6696
6697 if (sc->hello_retry_request == SSL_HRR_PENDING && !ossl_statem_in_error(sc))
6698 return 0;
6699
6700 return -1;
6701 }
6702
6703 void SSL_CTX_set_post_handshake_auth(SSL_CTX *ctx, int val)
6704 {
6705 ctx->pha_enabled = val;
6706 }
6707
6708 void SSL_set_post_handshake_auth(SSL *ssl, int val)
6709 {
6710 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(ssl);
6711
6712 if (sc == NULL)
6713 return;
6714
6715 sc->pha_enabled = val;
6716 }
6717
6718 int SSL_verify_client_post_handshake(SSL *ssl)
6719 {
6720 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(ssl);
6721
6722 if (sc == NULL)
6723 return 0;
6724
6725 if (!SSL_CONNECTION_IS_TLS13(sc)) {
6726 ERR_raise(ERR_LIB_SSL, SSL_R_WRONG_SSL_VERSION);
6727 return 0;
6728 }
6729 if (!sc->server) {
6730 ERR_raise(ERR_LIB_SSL, SSL_R_NOT_SERVER);
6731 return 0;
6732 }
6733
6734 if (!SSL_is_init_finished(ssl)) {
6735 ERR_raise(ERR_LIB_SSL, SSL_R_STILL_IN_INIT);
6736 return 0;
6737 }
6738
6739 switch (sc->post_handshake_auth) {
6740 case SSL_PHA_NONE:
6741 ERR_raise(ERR_LIB_SSL, SSL_R_EXTENSION_NOT_RECEIVED);
6742 return 0;
6743 default:
6744 case SSL_PHA_EXT_SENT:
6745 ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
6746 return 0;
6747 case SSL_PHA_EXT_RECEIVED:
6748 break;
6749 case SSL_PHA_REQUEST_PENDING:
6750 ERR_raise(ERR_LIB_SSL, SSL_R_REQUEST_PENDING);
6751 return 0;
6752 case SSL_PHA_REQUESTED:
6753 ERR_raise(ERR_LIB_SSL, SSL_R_REQUEST_SENT);
6754 return 0;
6755 }
6756
6757 sc->post_handshake_auth = SSL_PHA_REQUEST_PENDING;
6758
6759 /* checks verify_mode and algorithm_auth */
6760 if (!send_certificate_request(sc)) {
6761 sc->post_handshake_auth = SSL_PHA_EXT_RECEIVED; /* restore on error */
6762 ERR_raise(ERR_LIB_SSL, SSL_R_INVALID_CONFIG);
6763 return 0;
6764 }
6765
6766 ossl_statem_set_in_init(sc, 1);
6767 return 1;
6768 }
6769
6770 int SSL_CTX_set_session_ticket_cb(SSL_CTX *ctx,
6771 SSL_CTX_generate_session_ticket_fn gen_cb,
6772 SSL_CTX_decrypt_session_ticket_fn dec_cb,
6773 void *arg)
6774 {
6775 ctx->generate_ticket_cb = gen_cb;
6776 ctx->decrypt_ticket_cb = dec_cb;
6777 ctx->ticket_cb_data = arg;
6778 return 1;
6779 }
6780
6781 void SSL_CTX_set_allow_early_data_cb(SSL_CTX *ctx,
6782 SSL_allow_early_data_cb_fn cb,
6783 void *arg)
6784 {
6785 ctx->allow_early_data_cb = cb;
6786 ctx->allow_early_data_cb_data = arg;
6787 }
6788
6789 void SSL_set_allow_early_data_cb(SSL *s,
6790 SSL_allow_early_data_cb_fn cb,
6791 void *arg)
6792 {
6793 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
6794
6795 if (sc == NULL)
6796 return;
6797
6798 sc->allow_early_data_cb = cb;
6799 sc->allow_early_data_cb_data = arg;
6800 }
6801
6802 const EVP_CIPHER *ssl_evp_cipher_fetch(OSSL_LIB_CTX *libctx,
6803 int nid,
6804 const char *properties)
6805 {
6806 const EVP_CIPHER *ciph;
6807
6808 ciph = tls_get_cipher_from_engine(nid);
6809 if (ciph != NULL)
6810 return ciph;
6811
6812 /*
6813 * If there is no engine cipher then we do an explicit fetch. This may fail
6814 * and that could be ok
6815 */
6816 ERR_set_mark();
6817 ciph = EVP_CIPHER_fetch(libctx, OBJ_nid2sn(nid), properties);
6818 ERR_pop_to_mark();
6819 return ciph;
6820 }
6821
6822
6823 int ssl_evp_cipher_up_ref(const EVP_CIPHER *cipher)
6824 {
6825 /* Don't up-ref an implicit EVP_CIPHER */
6826 if (EVP_CIPHER_get0_provider(cipher) == NULL)
6827 return 1;
6828
6829 /*
6830 * The cipher was explicitly fetched and therefore it is safe to cast
6831 * away the const
6832 */
6833 return EVP_CIPHER_up_ref((EVP_CIPHER *)cipher);
6834 }
6835
6836 void ssl_evp_cipher_free(const EVP_CIPHER *cipher)
6837 {
6838 if (cipher == NULL)
6839 return;
6840
6841 if (EVP_CIPHER_get0_provider(cipher) != NULL) {
6842 /*
6843 * The cipher was explicitly fetched and therefore it is safe to cast
6844 * away the const
6845 */
6846 EVP_CIPHER_free((EVP_CIPHER *)cipher);
6847 }
6848 }
6849
6850 const EVP_MD *ssl_evp_md_fetch(OSSL_LIB_CTX *libctx,
6851 int nid,
6852 const char *properties)
6853 {
6854 const EVP_MD *md;
6855
6856 md = tls_get_digest_from_engine(nid);
6857 if (md != NULL)
6858 return md;
6859
6860 /* Otherwise we do an explicit fetch */
6861 ERR_set_mark();
6862 md = EVP_MD_fetch(libctx, OBJ_nid2sn(nid), properties);
6863 ERR_pop_to_mark();
6864 return md;
6865 }
6866
6867 int ssl_evp_md_up_ref(const EVP_MD *md)
6868 {
6869 /* Don't up-ref an implicit EVP_MD */
6870 if (EVP_MD_get0_provider(md) == NULL)
6871 return 1;
6872
6873 /*
6874 * The digest was explicitly fetched and therefore it is safe to cast
6875 * away the const
6876 */
6877 return EVP_MD_up_ref((EVP_MD *)md);
6878 }
6879
6880 void ssl_evp_md_free(const EVP_MD *md)
6881 {
6882 if (md == NULL)
6883 return;
6884
6885 if (EVP_MD_get0_provider(md) != NULL) {
6886 /*
6887 * The digest was explicitly fetched and therefore it is safe to cast
6888 * away the const
6889 */
6890 EVP_MD_free((EVP_MD *)md);
6891 }
6892 }
6893
6894 int SSL_set0_tmp_dh_pkey(SSL *s, EVP_PKEY *dhpkey)
6895 {
6896 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
6897
6898 if (sc == NULL)
6899 return 0;
6900
6901 if (!ssl_security(sc, SSL_SECOP_TMP_DH,
6902 EVP_PKEY_get_security_bits(dhpkey), 0, dhpkey)) {
6903 ERR_raise(ERR_LIB_SSL, SSL_R_DH_KEY_TOO_SMALL);
6904 return 0;
6905 }
6906 EVP_PKEY_free(sc->cert->dh_tmp);
6907 sc->cert->dh_tmp = dhpkey;
6908 return 1;
6909 }
6910
6911 int SSL_CTX_set0_tmp_dh_pkey(SSL_CTX *ctx, EVP_PKEY *dhpkey)
6912 {
6913 if (!ssl_ctx_security(ctx, SSL_SECOP_TMP_DH,
6914 EVP_PKEY_get_security_bits(dhpkey), 0, dhpkey)) {
6915 ERR_raise(ERR_LIB_SSL, SSL_R_DH_KEY_TOO_SMALL);
6916 return 0;
6917 }
6918 EVP_PKEY_free(ctx->cert->dh_tmp);
6919 ctx->cert->dh_tmp = dhpkey;
6920 return 1;
6921 }
A mirror of the official openssl repository