]> git.ipfire.org Git - thirdparty/openssl.git/blob - ssl/ssl_lib.c
projects / thirdparty / openssl.git / blob
? search:


9ebd8d34f69122077db7f956b6249e664bdc2b58
[thirdparty/openssl.git] / ssl / ssl_lib.c
1 /*
2 * Copyright 1995-2025 The OpenSSL Project Authors. All Rights Reserved.
3 * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
4 * Copyright 2005 Nokia. All rights reserved.
5 *
6 * Licensed under the Apache License 2.0 (the "License"). You may not use
7 * this file except in compliance with the License. You can obtain a copy
8 * in the file LICENSE in the source distribution or at
9 * https://www.openssl.org/source/license.html
10 */
11
12 #include "internal/e_os.h"
13 #include "internal/e_winsock.h"
14 #include "ssl_local.h"
15
16 #include <openssl/objects.h>
17 #include <openssl/x509v3.h>
18 #include <openssl/rand.h>
19 #include <openssl/ocsp.h>
20 #include <openssl/dh.h>
21 #include <openssl/engine.h>
22 #include <openssl/async.h>
23 #include <openssl/ct.h>
24 #include <openssl/trace.h>
25 #include <openssl/core_names.h>
26 #include <openssl/provider.h>
27 #include "internal/cryptlib.h"
28 #include "internal/nelem.h"
29 #include "internal/refcount.h"
30 #include "internal/thread_once.h"
31 #include "internal/ktls.h"
32 #include "internal/to_hex.h"
33 #include "internal/ssl_unwrap.h"
34 #include "quic/quic_local.h"
35
36 #ifndef OPENSSL_NO_SSLKEYLOG
37 # include <sys/stat.h>
38 # include <fcntl.h>
39 #endif
40
41 static int ssl_undefined_function_3(SSL_CONNECTION *sc, unsigned char *r,
42 unsigned char *s, size_t t, size_t *u)
43 {
44 return ssl_undefined_function(SSL_CONNECTION_GET_SSL(sc));
45 }
46
47 static int ssl_undefined_function_4(SSL_CONNECTION *sc, int r)
48 {
49 return ssl_undefined_function(SSL_CONNECTION_GET_SSL(sc));
50 }
51
52 static size_t ssl_undefined_function_5(SSL_CONNECTION *sc, const char *r,
53 size_t s, unsigned char *t)
54 {
55 return ssl_undefined_function(SSL_CONNECTION_GET_SSL(sc));
56 }
57
58 static int ssl_undefined_function_6(int r)
59 {
60 return ssl_undefined_function(NULL);
61 }
62
63 static int ssl_undefined_function_7(SSL_CONNECTION *sc, unsigned char *r,
64 size_t s, const char *t, size_t u,
65 const unsigned char *v, size_t w, int x)
66 {
67 return ssl_undefined_function(SSL_CONNECTION_GET_SSL(sc));
68 }
69
70 static int ssl_undefined_function_8(SSL_CONNECTION *sc)
71 {
72 return ssl_undefined_function(SSL_CONNECTION_GET_SSL(sc));
73 }
74
75 const SSL3_ENC_METHOD ssl3_undef_enc_method = {
76 ssl_undefined_function_8,
77 ssl_undefined_function_3,
78 ssl_undefined_function_4,
79 ssl_undefined_function_5,
80 NULL, /* client_finished_label */
81 0, /* client_finished_label_len */
82 NULL, /* server_finished_label */
83 0, /* server_finished_label_len */
84 ssl_undefined_function_6,
85 ssl_undefined_function_7,
86 };
87
88 struct ssl_async_args {
89 SSL *s;
90 void *buf;
91 size_t num;
92 enum { READFUNC, WRITEFUNC, OTHERFUNC } type;
93 union {
94 int (*func_read) (SSL *, void *, size_t, size_t *);
95 int (*func_write) (SSL *, const void *, size_t, size_t *);
96 int (*func_other) (SSL *);
97 } f;
98 };
99
100 static const struct {
101 uint8_t mtype;
102 uint8_t ord;
103 int nid;
104 } dane_mds[] = {
105 {
106 DANETLS_MATCHING_FULL, 0, NID_undef
107 },
108 {
109 DANETLS_MATCHING_2256, 1, NID_sha256
110 },
111 {
112 DANETLS_MATCHING_2512, 2, NID_sha512
113 },
114 };
115
116 static int dane_ctx_enable(struct dane_ctx_st *dctx)
117 {
118 const EVP_MD **mdevp;
119 uint8_t *mdord;
120 uint8_t mdmax = DANETLS_MATCHING_LAST;
121 int n = ((int)mdmax) + 1; /* int to handle PrivMatch(255) */
122 size_t i;
123
124 if (dctx->mdevp != NULL)
125 return 1;
126
127 mdevp = OPENSSL_zalloc(n * sizeof(*mdevp));
128 mdord = OPENSSL_zalloc(n * sizeof(*mdord));
129
130 if (mdord == NULL || mdevp == NULL) {
131 OPENSSL_free(mdord);
132 OPENSSL_free(mdevp);
133 return 0;
134 }
135
136 /* Install default entries */
137 for (i = 0; i < OSSL_NELEM(dane_mds); ++i) {
138 const EVP_MD *md;
139
140 if (dane_mds[i].nid == NID_undef ||
141 (md = EVP_get_digestbynid(dane_mds[i].nid)) == NULL)
142 continue;
143 mdevp[dane_mds[i].mtype] = md;
144 mdord[dane_mds[i].mtype] = dane_mds[i].ord;
145 }
146
147 dctx->mdevp = mdevp;
148 dctx->mdord = mdord;
149 dctx->mdmax = mdmax;
150
151 return 1;
152 }
153
154 static void dane_ctx_final(struct dane_ctx_st *dctx)
155 {
156 OPENSSL_free(dctx->mdevp);
157 dctx->mdevp = NULL;
158
159 OPENSSL_free(dctx->mdord);
160 dctx->mdord = NULL;
161 dctx->mdmax = 0;
162 }
163
164 static void tlsa_free(danetls_record *t)
165 {
166 if (t == NULL)
167 return;
168 OPENSSL_free(t->data);
169 EVP_PKEY_free(t->spki);
170 OPENSSL_free(t);
171 }
172
173 static void dane_final(SSL_DANE *dane)
174 {
175 sk_danetls_record_pop_free(dane->trecs, tlsa_free);
176 dane->trecs = NULL;
177
178 OSSL_STACK_OF_X509_free(dane->certs);
179 dane->certs = NULL;
180
181 X509_free(dane->mcert);
182 dane->mcert = NULL;
183 dane->mtlsa = NULL;
184 dane->mdpth = -1;
185 dane->pdpth = -1;
186 }
187
188 /*
189 * dane_copy - Copy dane configuration, sans verification state.
190 */
191 static int ssl_dane_dup(SSL_CONNECTION *to, SSL_CONNECTION *from)
192 {
193 int num;
194 int i;
195
196 if (!DANETLS_ENABLED(&from->dane))
197 return 1;
198
199 num = sk_danetls_record_num(from->dane.trecs);
200 dane_final(&to->dane);
201 to->dane.flags = from->dane.flags;
202 to->dane.dctx = &SSL_CONNECTION_GET_CTX(to)->dane;
203 to->dane.trecs = sk_danetls_record_new_reserve(NULL, num);
204
205 if (to->dane.trecs == NULL) {
206 ERR_raise(ERR_LIB_SSL, ERR_R_CRYPTO_LIB);
207 return 0;
208 }
209
210 for (i = 0; i < num; ++i) {
211 danetls_record *t = sk_danetls_record_value(from->dane.trecs, i);
212
213 if (SSL_dane_tlsa_add(SSL_CONNECTION_GET_SSL(to), t->usage,
214 t->selector, t->mtype, t->data, t->dlen) <= 0)
215 return 0;
216 }
217 return 1;
218 }
219
220 static int dane_mtype_set(struct dane_ctx_st *dctx,
221 const EVP_MD *md, uint8_t mtype, uint8_t ord)
222 {
223 int i;
224
225 if (mtype == DANETLS_MATCHING_FULL && md != NULL) {
226 ERR_raise(ERR_LIB_SSL, SSL_R_DANE_CANNOT_OVERRIDE_MTYPE_FULL);
227 return 0;
228 }
229
230 if (mtype > dctx->mdmax) {
231 const EVP_MD **mdevp;
232 uint8_t *mdord;
233 int n = ((int)mtype) + 1;
234
235 mdevp = OPENSSL_realloc(dctx->mdevp, n * sizeof(*mdevp));
236 if (mdevp == NULL)
237 return -1;
238 dctx->mdevp = mdevp;
239
240 mdord = OPENSSL_realloc(dctx->mdord, n * sizeof(*mdord));
241 if (mdord == NULL)
242 return -1;
243 dctx->mdord = mdord;
244
245 /* Zero-fill any gaps */
246 for (i = dctx->mdmax + 1; i < mtype; ++i) {
247 mdevp[i] = NULL;
248 mdord[i] = 0;
249 }
250
251 dctx->mdmax = mtype;
252 }
253
254 dctx->mdevp[mtype] = md;
255 /* Coerce ordinal of disabled matching types to 0 */
256 dctx->mdord[mtype] = (md == NULL) ? 0 : ord;
257
258 return 1;
259 }
260
261 static const EVP_MD *tlsa_md_get(SSL_DANE *dane, uint8_t mtype)
262 {
263 if (mtype > dane->dctx->mdmax)
264 return NULL;
265 return dane->dctx->mdevp[mtype];
266 }
267
268 static int dane_tlsa_add(SSL_DANE *dane,
269 uint8_t usage,
270 uint8_t selector,
271 uint8_t mtype, const unsigned char *data, size_t dlen)
272 {
273 danetls_record *t;
274 const EVP_MD *md = NULL;
275 int ilen = (int)dlen;
276 int i;
277 int num;
278 int mdsize;
279
280 if (dane->trecs == NULL) {
281 ERR_raise(ERR_LIB_SSL, SSL_R_DANE_NOT_ENABLED);
282 return -1;
283 }
284
285 if (ilen < 0 || dlen != (size_t)ilen) {
286 ERR_raise(ERR_LIB_SSL, SSL_R_DANE_TLSA_BAD_DATA_LENGTH);
287 return 0;
288 }
289
290 if (usage > DANETLS_USAGE_LAST) {
291 ERR_raise(ERR_LIB_SSL, SSL_R_DANE_TLSA_BAD_CERTIFICATE_USAGE);
292 return 0;
293 }
294
295 if (selector > DANETLS_SELECTOR_LAST) {
296 ERR_raise(ERR_LIB_SSL, SSL_R_DANE_TLSA_BAD_SELECTOR);
297 return 0;
298 }
299
300 if (mtype != DANETLS_MATCHING_FULL) {
301 md = tlsa_md_get(dane, mtype);
302 if (md == NULL) {
303 ERR_raise(ERR_LIB_SSL, SSL_R_DANE_TLSA_BAD_MATCHING_TYPE);
304 return 0;
305 }
306 }
307
308 if (md != NULL) {
309 mdsize = EVP_MD_get_size(md);
310 if (mdsize <= 0 || dlen != (size_t)mdsize) {
311 ERR_raise(ERR_LIB_SSL, SSL_R_DANE_TLSA_BAD_DIGEST_LENGTH);
312 return 0;
313 }
314 }
315 if (!data) {
316 ERR_raise(ERR_LIB_SSL, SSL_R_DANE_TLSA_NULL_DATA);
317 return 0;
318 }
319
320 if ((t = OPENSSL_zalloc(sizeof(*t))) == NULL)
321 return -1;
322
323 t->usage = usage;
324 t->selector = selector;
325 t->mtype = mtype;
326 t->data = OPENSSL_malloc(dlen);
327 if (t->data == NULL) {
328 tlsa_free(t);
329 return -1;
330 }
331 memcpy(t->data, data, dlen);
332 t->dlen = dlen;
333
334 /* Validate and cache full certificate or public key */
335 if (mtype == DANETLS_MATCHING_FULL) {
336 const unsigned char *p = data;
337 X509 *cert = NULL;
338 EVP_PKEY *pkey = NULL;
339
340 switch (selector) {
341 case DANETLS_SELECTOR_CERT:
342 if (!d2i_X509(&cert, &p, ilen) || p < data ||
343 dlen != (size_t)(p - data)) {
344 X509_free(cert);
345 tlsa_free(t);
346 ERR_raise(ERR_LIB_SSL, SSL_R_DANE_TLSA_BAD_CERTIFICATE);
347 return 0;
348 }
349 if (X509_get0_pubkey(cert) == NULL) {
350 X509_free(cert);
351 tlsa_free(t);
352 ERR_raise(ERR_LIB_SSL, SSL_R_DANE_TLSA_BAD_CERTIFICATE);
353 return 0;
354 }
355
356 if ((DANETLS_USAGE_BIT(usage) & DANETLS_TA_MASK) == 0) {
357 /*
358 * The Full(0) certificate decodes to a seemingly valid X.509
359 * object with a plausible key, so the TLSA record is well
360 * formed. However, we don't actually need the certificate for
361 * usages PKIX-EE(1) or DANE-EE(3), because at least the EE
362 * certificate is always presented by the peer. We discard the
363 * certificate, and just use the TLSA data as an opaque blob
364 * for matching the raw presented DER octets.
365 *
366 * DO NOT FREE `t` here, it will be added to the TLSA record
367 * list below!
368 */
369 X509_free(cert);
370 break;
371 }
372
373 /*
374 * For usage DANE-TA(2), we support authentication via "2 0 0" TLSA
375 * records that contain full certificates of trust-anchors that are
376 * not present in the wire chain. For usage PKIX-TA(0), we augment
377 * the chain with untrusted Full(0) certificates from DNS, in case
378 * they are missing from the chain.
379 */
380 if ((dane->certs == NULL &&
381 (dane->certs = sk_X509_new_null()) == NULL) ||
382 !sk_X509_push(dane->certs, cert)) {
383 ERR_raise(ERR_LIB_SSL, ERR_R_CRYPTO_LIB);
384 X509_free(cert);
385 tlsa_free(t);
386 return -1;
387 }
388 break;
389
390 case DANETLS_SELECTOR_SPKI:
391 if (!d2i_PUBKEY(&pkey, &p, ilen) || p < data ||
392 dlen != (size_t)(p - data)) {
393 EVP_PKEY_free(pkey);
394 tlsa_free(t);
395 ERR_raise(ERR_LIB_SSL, SSL_R_DANE_TLSA_BAD_PUBLIC_KEY);
396 return 0;
397 }
398
399 /*
400 * For usage DANE-TA(2), we support authentication via "2 1 0" TLSA
401 * records that contain full bare keys of trust-anchors that are
402 * not present in the wire chain.
403 */
404 if (usage == DANETLS_USAGE_DANE_TA)
405 t->spki = pkey;
406 else
407 EVP_PKEY_free(pkey);
408 break;
409 }
410 }
411
412 /*-
413 * Find the right insertion point for the new record.
414 *
415 * See crypto/x509/x509_vfy.c. We sort DANE-EE(3) records first, so that
416 * they can be processed first, as they require no chain building, and no
417 * expiration or hostname checks. Because DANE-EE(3) is numerically
418 * largest, this is accomplished via descending sort by "usage".
419 *
420 * We also sort in descending order by matching ordinal to simplify
421 * the implementation of digest agility in the verification code.
422 *
423 * The choice of order for the selector is not significant, so we
424 * use the same descending order for consistency.
425 */
426 num = sk_danetls_record_num(dane->trecs);
427 for (i = 0; i < num; ++i) {
428 danetls_record *rec = sk_danetls_record_value(dane->trecs, i);
429
430 if (rec->usage > usage)
431 continue;
432 if (rec->usage < usage)
433 break;
434 if (rec->selector > selector)
435 continue;
436 if (rec->selector < selector)
437 break;
438 if (dane->dctx->mdord[rec->mtype] > dane->dctx->mdord[mtype])
439 continue;
440 break;
441 }
442
443 if (!sk_danetls_record_insert(dane->trecs, t, i)) {
444 tlsa_free(t);
445 ERR_raise(ERR_LIB_SSL, ERR_R_CRYPTO_LIB);
446 return -1;
447 }
448 dane->umask |= DANETLS_USAGE_BIT(usage);
449
450 return 1;
451 }
452
453 /*
454 * Return 0 if there is only one version configured and it was disabled
455 * at configure time. Return 1 otherwise.
456 */
457 static int ssl_check_allowed_versions(int min_version, int max_version)
458 {
459 int minisdtls = 0, maxisdtls = 0;
460
461 /* Figure out if we're doing DTLS versions or TLS versions */
462 if (min_version == DTLS1_BAD_VER
463 || min_version >> 8 == DTLS1_VERSION_MAJOR)
464 minisdtls = 1;
465 if (max_version == DTLS1_BAD_VER
466 || max_version >> 8 == DTLS1_VERSION_MAJOR)
467 maxisdtls = 1;
468 /* A wildcard version of 0 could be DTLS or TLS. */
469 if ((minisdtls && !maxisdtls && max_version != 0)
470 || (maxisdtls && !minisdtls && min_version != 0)) {
471 /* Mixing DTLS and TLS versions will lead to sadness; deny it. */
472 return 0;
473 }
474
475 if (minisdtls || maxisdtls) {
476 /* Do DTLS version checks. */
477 if (min_version == 0)
478 /* Ignore DTLS1_BAD_VER */
479 min_version = DTLS1_VERSION;
480 if (max_version == 0)
481 max_version = DTLS1_2_VERSION;
482 #ifdef OPENSSL_NO_DTLS1_2
483 if (max_version == DTLS1_2_VERSION)
484 max_version = DTLS1_VERSION;
485 #endif
486 #ifdef OPENSSL_NO_DTLS1
487 if (min_version == DTLS1_VERSION)
488 min_version = DTLS1_2_VERSION;
489 #endif
490 /* Done massaging versions; do the check. */
491 if (0
492 #ifdef OPENSSL_NO_DTLS1
493 || (DTLS_VERSION_GE(min_version, DTLS1_VERSION)
494 && DTLS_VERSION_GE(DTLS1_VERSION, max_version))
495 #endif
496 #ifdef OPENSSL_NO_DTLS1_2
497 || (DTLS_VERSION_GE(min_version, DTLS1_2_VERSION)
498 && DTLS_VERSION_GE(DTLS1_2_VERSION, max_version))
499 #endif
500 )
501 return 0;
502 } else {
503 /* Regular TLS version checks. */
504 if (min_version == 0)
505 min_version = SSL3_VERSION;
506 if (max_version == 0)
507 max_version = TLS1_3_VERSION;
508 #ifdef OPENSSL_NO_TLS1_3
509 if (max_version == TLS1_3_VERSION)
510 max_version = TLS1_2_VERSION;
511 #endif
512 #ifdef OPENSSL_NO_TLS1_2
513 if (max_version == TLS1_2_VERSION)
514 max_version = TLS1_1_VERSION;
515 #endif
516 #ifdef OPENSSL_NO_TLS1_1
517 if (max_version == TLS1_1_VERSION)
518 max_version = TLS1_VERSION;
519 #endif
520 #ifdef OPENSSL_NO_TLS1
521 if (max_version == TLS1_VERSION)
522 max_version = SSL3_VERSION;
523 #endif
524 #ifdef OPENSSL_NO_SSL3
525 if (min_version == SSL3_VERSION)
526 min_version = TLS1_VERSION;
527 #endif
528 #ifdef OPENSSL_NO_TLS1
529 if (min_version == TLS1_VERSION)
530 min_version = TLS1_1_VERSION;
531 #endif
532 #ifdef OPENSSL_NO_TLS1_1
533 if (min_version == TLS1_1_VERSION)
534 min_version = TLS1_2_VERSION;
535 #endif
536 #ifdef OPENSSL_NO_TLS1_2
537 if (min_version == TLS1_2_VERSION)
538 min_version = TLS1_3_VERSION;
539 #endif
540 /* Done massaging versions; do the check. */
541 if (0
542 #ifdef OPENSSL_NO_SSL3
543 || (min_version <= SSL3_VERSION && SSL3_VERSION <= max_version)
544 #endif
545 #ifdef OPENSSL_NO_TLS1
546 || (min_version <= TLS1_VERSION && TLS1_VERSION <= max_version)
547 #endif
548 #ifdef OPENSSL_NO_TLS1_1
549 || (min_version <= TLS1_1_VERSION && TLS1_1_VERSION <= max_version)
550 #endif
551 #ifdef OPENSSL_NO_TLS1_2
552 || (min_version <= TLS1_2_VERSION && TLS1_2_VERSION <= max_version)
553 #endif
554 #ifdef OPENSSL_NO_TLS1_3
555 || (min_version <= TLS1_3_VERSION && TLS1_3_VERSION <= max_version)
556 #endif
557 )
558 return 0;
559 }
560 return 1;
561 }
562
563 #if defined(__TANDEM) && defined(OPENSSL_VPROC)
564 /*
565 * Define a VPROC function for HP NonStop build ssl library.
566 * This is used by platform version identification tools.
567 * Do not inline this procedure or make it static.
568 */
569 # define OPENSSL_VPROC_STRING_(x) x##_SSL
570 # define OPENSSL_VPROC_STRING(x) OPENSSL_VPROC_STRING_(x)
571 # define OPENSSL_VPROC_FUNC OPENSSL_VPROC_STRING(OPENSSL_VPROC)
572 void OPENSSL_VPROC_FUNC(void) {}
573 #endif
574
575 int SSL_clear(SSL *s)
576 {
577 if (s->method == NULL) {
578 ERR_raise(ERR_LIB_SSL, SSL_R_NO_METHOD_SPECIFIED);
579 return 0;
580 }
581
582 return s->method->ssl_reset(s);
583 }
584
585 int ossl_ssl_connection_reset(SSL *s)
586 {
587 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
588
589 if (sc == NULL)
590 return 0;
591
592 if (ssl_clear_bad_session(sc)) {
593 SSL_SESSION_free(sc->session);
594 sc->session = NULL;
595 }
596 SSL_SESSION_free(sc->psksession);
597 sc->psksession = NULL;
598 OPENSSL_free(sc->psksession_id);
599 sc->psksession_id = NULL;
600 sc->psksession_id_len = 0;
601 sc->hello_retry_request = SSL_HRR_NONE;
602 sc->sent_tickets = 0;
603
604 sc->error = 0;
605 sc->hit = 0;
606 sc->shutdown = 0;
607
608 if (sc->renegotiate) {
609 ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
610 return 0;
611 }
612
613 ossl_statem_clear(sc);
614
615 sc->version = s->method->version;
616 sc->client_version = sc->version;
617 sc->rwstate = SSL_NOTHING;
618
619 BUF_MEM_free(sc->init_buf);
620 sc->init_buf = NULL;
621 sc->first_packet = 0;
622
623 sc->key_update = SSL_KEY_UPDATE_NONE;
624 memset(sc->ext.compress_certificate_from_peer, 0,
625 sizeof(sc->ext.compress_certificate_from_peer));
626 sc->ext.compress_certificate_sent = 0;
627
628 EVP_MD_CTX_free(sc->pha_dgst);
629 sc->pha_dgst = NULL;
630
631 /* Reset DANE verification result state */
632 sc->dane.mdpth = -1;
633 sc->dane.pdpth = -1;
634 X509_free(sc->dane.mcert);
635 sc->dane.mcert = NULL;
636 sc->dane.mtlsa = NULL;
637
638 /* Clear the verification result peername */
639 X509_VERIFY_PARAM_move_peername(sc->param, NULL);
640
641 /* Clear any shared connection state */
642 OPENSSL_free(sc->shared_sigalgs);
643 sc->shared_sigalgs = NULL;
644 sc->shared_sigalgslen = 0;
645
646 /*
647 * Check to see if we were changed into a different method, if so, revert
648 * back.
649 */
650 if (s->method != s->defltmeth) {
651 s->method->ssl_deinit(s);
652 s->method = s->defltmeth;
653 if (!s->method->ssl_init(s))
654 return 0;
655 } else {
656 if (!s->method->ssl_clear(s))
657 return 0;
658 }
659
660 ossl_quic_tls_clear(sc->qtls);
661
662 if (!RECORD_LAYER_reset(&sc->rlayer))
663 return 0;
664
665 return 1;
666 }
667
668 #ifndef OPENSSL_NO_DEPRECATED_3_0
669 /** Used to change an SSL_CTXs default SSL method type */
670 int SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *meth)
671 {
672 STACK_OF(SSL_CIPHER) *sk;
673
674 if (IS_QUIC_CTX(ctx)) {
675 ERR_raise(ERR_LIB_SSL, SSL_R_WRONG_SSL_VERSION);
676 return 0;
677 }
678
679 ctx->method = meth;
680
681 if (!SSL_CTX_set_ciphersuites(ctx, OSSL_default_ciphersuites())) {
682 ERR_raise(ERR_LIB_SSL, SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS);
683 return 0;
684 }
685 sk = ssl_create_cipher_list(ctx,
686 ctx->tls13_ciphersuites,
687 &(ctx->cipher_list),
688 &(ctx->cipher_list_by_id),
689 OSSL_default_cipher_list(), ctx->cert);
690 if ((sk == NULL) || (sk_SSL_CIPHER_num(sk) <= 0)) {
691 ERR_raise(ERR_LIB_SSL, SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS);
692 return 0;
693 }
694 return 1;
695 }
696 #endif
697
698 SSL *SSL_new(SSL_CTX *ctx)
699 {
700 if (ctx == NULL) {
701 ERR_raise(ERR_LIB_SSL, SSL_R_NULL_SSL_CTX);
702 return NULL;
703 }
704 if (ctx->method == NULL) {
705 ERR_raise(ERR_LIB_SSL, SSL_R_SSL_CTX_HAS_NO_DEFAULT_SSL_VERSION);
706 return NULL;
707 }
708 return ctx->method->ssl_new(ctx);
709 }
710
711 int ossl_ssl_init(SSL *ssl, SSL_CTX *ctx, const SSL_METHOD *method, int type)
712 {
713 if (!SSL_CTX_up_ref(ctx))
714 return 0;
715
716 ssl->lock = CRYPTO_THREAD_lock_new();
717
718 if (ssl->lock == NULL || !CRYPTO_NEW_REF(&ssl->references, 1))
719 goto err;
720
721 if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL, ssl, &ssl->ex_data)) {
722 CRYPTO_FREE_REF(&ssl->references);
723 goto err;
724 }
725
726 ssl->ctx = ctx;
727 ssl->type = type;
728 ssl->defltmeth = ssl->method = method;
729
730 return 1;
731
732 err:
733 CRYPTO_THREAD_lock_free(ssl->lock);
734 ssl->lock = NULL;
735 SSL_CTX_free(ctx);
736 return 0;
737 }
738
739 SSL *ossl_ssl_connection_new_int(SSL_CTX *ctx, SSL *user_ssl,
740 const SSL_METHOD *method)
741 {
742 SSL_CONNECTION *s;
743 SSL *ssl;
744
745 s = OPENSSL_zalloc(sizeof(*s));
746 if (s == NULL)
747 return NULL;
748
749 ssl = &s->ssl;
750 s->user_ssl = (user_ssl == NULL) ? ssl : user_ssl;
751
752 if (!ossl_ssl_init(ssl, ctx, method, SSL_TYPE_SSL_CONNECTION)) {
753 OPENSSL_free(s);
754 s = NULL;
755 ssl = NULL;
756 goto sslerr;
757 }
758
759 RECORD_LAYER_init(&s->rlayer, s);
760
761 s->options = ctx->options;
762
763 s->dane.flags = ctx->dane.flags;
764 if (method->version == ctx->method->version) {
765 s->min_proto_version = ctx->min_proto_version;
766 s->max_proto_version = ctx->max_proto_version;
767 }
768
769 s->mode = ctx->mode;
770 s->max_cert_list = ctx->max_cert_list;
771 s->max_early_data = ctx->max_early_data;
772 s->recv_max_early_data = ctx->recv_max_early_data;
773
774 s->num_tickets = ctx->num_tickets;
775 s->pha_enabled = ctx->pha_enabled;
776
777 /* Shallow copy of the ciphersuites stack */
778 s->tls13_ciphersuites = sk_SSL_CIPHER_dup(ctx->tls13_ciphersuites);
779 if (s->tls13_ciphersuites == NULL)
780 goto cerr;
781
782 /*
783 * Earlier library versions used to copy the pointer to the CERT, not
784 * its contents; only when setting new parameters for the per-SSL
785 * copy, ssl_cert_new would be called (and the direct reference to
786 * the per-SSL_CTX settings would be lost, but those still were
787 * indirectly accessed for various purposes, and for that reason they
788 * used to be known as s->ctx->default_cert). Now we don't look at the
789 * SSL_CTX's CERT after having duplicated it once.
790 */
791 s->cert = ssl_cert_dup(ctx->cert);
792 if (s->cert == NULL)
793 goto sslerr;
794
795 RECORD_LAYER_set_read_ahead(&s->rlayer, ctx->read_ahead);
796 s->msg_callback = ctx->msg_callback;
797 s->msg_callback_arg = ctx->msg_callback_arg;
798 s->verify_mode = ctx->verify_mode;
799 s->not_resumable_session_cb = ctx->not_resumable_session_cb;
800 s->rlayer.record_padding_cb = ctx->record_padding_cb;
801 s->rlayer.record_padding_arg = ctx->record_padding_arg;
802 s->rlayer.block_padding = ctx->block_padding;
803 s->rlayer.hs_padding = ctx->hs_padding;
804 s->sid_ctx_length = ctx->sid_ctx_length;
805 if (!ossl_assert(s->sid_ctx_length <= sizeof(s->sid_ctx)))
806 goto err;
807 memcpy(&s->sid_ctx, &ctx->sid_ctx, sizeof(s->sid_ctx));
808 s->verify_callback = ctx->default_verify_callback;
809 s->generate_session_id = ctx->generate_session_id;
810
811 s->param = X509_VERIFY_PARAM_new();
812 if (s->param == NULL)
813 goto asn1err;
814 X509_VERIFY_PARAM_inherit(s->param, ctx->param);
815 s->quiet_shutdown = IS_QUIC_CTX(ctx) ? 0 : ctx->quiet_shutdown;
816
817 if (!IS_QUIC_CTX(ctx))
818 s->ext.max_fragment_len_mode = ctx->ext.max_fragment_len_mode;
819
820 s->max_send_fragment = ctx->max_send_fragment;
821 s->split_send_fragment = ctx->split_send_fragment;
822 s->max_pipelines = ctx->max_pipelines;
823 s->rlayer.default_read_buf_len = ctx->default_read_buf_len;
824
825 s->ext.debug_cb = 0;
826 s->ext.debug_arg = NULL;
827 s->ext.ticket_expected = 0;
828 s->ext.status_type = ctx->ext.status_type;
829 s->ext.status_expected = 0;
830 s->ext.ocsp.ids = NULL;
831 s->ext.ocsp.exts = NULL;
832 s->ext.ocsp.resp = NULL;
833 s->ext.ocsp.resp_len = 0;
834
835 if (!SSL_CTX_up_ref(ctx))
836 goto err;
837
838 s->session_ctx = ctx;
839 if (ctx->ext.ecpointformats != NULL) {
840 s->ext.ecpointformats =
841 OPENSSL_memdup(ctx->ext.ecpointformats,
842 ctx->ext.ecpointformats_len);
843 if (s->ext.ecpointformats == NULL) {
844 s->ext.ecpointformats_len = 0;
845 goto err;
846 }
847 s->ext.ecpointformats_len =
848 ctx->ext.ecpointformats_len;
849 }
850 if (ctx->ext.supportedgroups != NULL) {
851 size_t add = 0;
852
853 if (ctx->ext.supportedgroups_len == 0)
854 /* Add 1 so allocation won't fail */
855 add = 1;
856 s->ext.supportedgroups =
857 OPENSSL_memdup(ctx->ext.supportedgroups,
858 (ctx->ext.supportedgroups_len + add)
859 * sizeof(*ctx->ext.supportedgroups));
860 if (s->ext.supportedgroups == NULL) {
861 s->ext.supportedgroups_len = 0;
862 goto err;
863 }
864 s->ext.supportedgroups_len = ctx->ext.supportedgroups_len;
865 }
866 if (ctx->ext.keyshares != NULL) {
867 size_t add = 0;
868
869 if (ctx->ext.keyshares_len == 0)
870 /* Add 1 so allocation won't fail */
871 add = 1;
872 s->ext.keyshares =
873 OPENSSL_memdup(ctx->ext.keyshares,
874 (ctx->ext.keyshares_len + add)
875 * sizeof(*ctx->ext.keyshares));
876 if (s->ext.keyshares == NULL) {
877 s->ext.keyshares_len = 0;
878 goto err;
879 }
880 s->ext.keyshares_len = ctx->ext.keyshares_len;
881 }
882 if (ctx->ext.tuples != NULL) {
883 size_t add = 0;
884
885 if (ctx->ext.tuples_len == 0)
886 /* Add 1 so allocation won't fail */
887 add = 1;
888 s->ext.tuples =
889 OPENSSL_memdup(ctx->ext.tuples,
890 (ctx->ext.tuples_len + add)
891 * sizeof(*ctx->ext.tuples));
892 if (s->ext.tuples == NULL) {
893 s->ext.tuples_len = 0;
894 goto err;
895 }
896 s->ext.tuples_len = ctx->ext.tuples_len;
897 }
898
899 #ifndef OPENSSL_NO_NEXTPROTONEG
900 s->ext.npn = NULL;
901 #endif
902
903 if (ctx->ext.alpn != NULL) {
904 s->ext.alpn = OPENSSL_malloc(ctx->ext.alpn_len);
905 if (s->ext.alpn == NULL) {
906 s->ext.alpn_len = 0;
907 goto err;
908 }
909 memcpy(s->ext.alpn, ctx->ext.alpn, ctx->ext.alpn_len);
910 s->ext.alpn_len = ctx->ext.alpn_len;
911 }
912
913 s->verified_chain = NULL;
914 s->verify_result = X509_V_OK;
915
916 s->default_passwd_callback = ctx->default_passwd_callback;
917 s->default_passwd_callback_userdata = ctx->default_passwd_callback_userdata;
918
919 s->key_update = SSL_KEY_UPDATE_NONE;
920
921 if (!IS_QUIC_CTX(ctx)) {
922 s->allow_early_data_cb = ctx->allow_early_data_cb;
923 s->allow_early_data_cb_data = ctx->allow_early_data_cb_data;
924 }
925
926 if (!method->ssl_init(ssl))
927 goto sslerr;
928
929 s->server = (method->ssl_accept == ssl_undefined_function) ? 0 : 1;
930
931 if (!method->ssl_reset(ssl))
932 goto sslerr;
933
934 #ifndef OPENSSL_NO_PSK
935 s->psk_client_callback = ctx->psk_client_callback;
936 s->psk_server_callback = ctx->psk_server_callback;
937 #endif
938 s->psk_find_session_cb = ctx->psk_find_session_cb;
939 s->psk_use_session_cb = ctx->psk_use_session_cb;
940
941 s->async_cb = ctx->async_cb;
942 s->async_cb_arg = ctx->async_cb_arg;
943
944 s->job = NULL;
945
946 #ifndef OPENSSL_NO_COMP_ALG
947 memcpy(s->cert_comp_prefs, ctx->cert_comp_prefs, sizeof(s->cert_comp_prefs));
948 #endif
949 if (ctx->client_cert_type != NULL) {
950 s->client_cert_type = OPENSSL_memdup(ctx->client_cert_type,
951 ctx->client_cert_type_len);
952 if (s->client_cert_type == NULL)
953 goto sslerr;
954 s->client_cert_type_len = ctx->client_cert_type_len;
955 }
956 if (ctx->server_cert_type != NULL) {
957 s->server_cert_type = OPENSSL_memdup(ctx->server_cert_type,
958 ctx->server_cert_type_len);
959 if (s->server_cert_type == NULL)
960 goto sslerr;
961 s->server_cert_type_len = ctx->server_cert_type_len;
962 }
963
964 #ifndef OPENSSL_NO_CT
965 if (!SSL_set_ct_validation_callback(ssl, ctx->ct_validation_callback,
966 ctx->ct_validation_callback_arg))
967 goto sslerr;
968 #endif
969
970 s->ssl_pkey_num = SSL_PKEY_NUM + ctx->sigalg_list_len;
971 return ssl;
972 cerr:
973 ERR_raise(ERR_LIB_SSL, ERR_R_CRYPTO_LIB);
974 goto err;
975 asn1err:
976 ERR_raise(ERR_LIB_SSL, ERR_R_ASN1_LIB);
977 goto err;
978 sslerr:
979 ERR_raise(ERR_LIB_SSL, ERR_R_SSL_LIB);
980 err:
981 SSL_free(ssl);
982 return NULL;
983 }
984
985 SSL *ossl_ssl_connection_new(SSL_CTX *ctx)
986 {
987 return ossl_ssl_connection_new_int(ctx, NULL, ctx->method);
988 }
989
990 int SSL_is_dtls(const SSL *s)
991 {
992 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
993
994 #ifndef OPENSSL_NO_QUIC
995 if (s->type == SSL_TYPE_QUIC_CONNECTION || s->type == SSL_TYPE_QUIC_XSO)
996 return 0;
997 #endif
998
999 if (sc == NULL)
1000 return 0;
1001
1002 return SSL_CONNECTION_IS_DTLS(sc) ? 1 : 0;
1003 }
1004
1005 int SSL_is_tls(const SSL *s)
1006 {
1007 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
1008
1009 #ifndef OPENSSL_NO_QUIC
1010 if (s->type == SSL_TYPE_QUIC_CONNECTION || s->type == SSL_TYPE_QUIC_XSO)
1011 return 0;
1012 #endif
1013
1014 if (sc == NULL)
1015 return 0;
1016
1017 return SSL_CONNECTION_IS_DTLS(sc) ? 0 : 1;
1018 }
1019
1020 int SSL_is_quic(const SSL *s)
1021 {
1022 return IS_QUIC(s);
1023 }
1024
1025 int SSL_up_ref(SSL *s)
1026 {
1027 int i;
1028
1029 if (CRYPTO_UP_REF(&s->references, &i) <= 0)
1030 return 0;
1031
1032 REF_PRINT_COUNT("SSL", i, s);
1033 REF_ASSERT_ISNT(i < 2);
1034 return ((i > 1) ? 1 : 0);
1035 }
1036
1037 int SSL_CTX_set_session_id_context(SSL_CTX *ctx, const unsigned char *sid_ctx,
1038 unsigned int sid_ctx_len)
1039 {
1040 if (sid_ctx_len > SSL_MAX_SID_CTX_LENGTH) {
1041 ERR_raise(ERR_LIB_SSL, SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG);
1042 return 0;
1043 }
1044 ctx->sid_ctx_length = sid_ctx_len;
1045 memcpy(ctx->sid_ctx, sid_ctx, sid_ctx_len);
1046
1047 return 1;
1048 }
1049
1050 int SSL_set_session_id_context(SSL *ssl, const unsigned char *sid_ctx,
1051 unsigned int sid_ctx_len)
1052 {
1053 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(ssl);
1054
1055 if (sc == NULL)
1056 return 0;
1057
1058 if (sid_ctx_len > SSL_MAX_SID_CTX_LENGTH) {
1059 ERR_raise(ERR_LIB_SSL, SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG);
1060 return 0;
1061 }
1062 sc->sid_ctx_length = sid_ctx_len;
1063 memcpy(sc->sid_ctx, sid_ctx, sid_ctx_len);
1064
1065 return 1;
1066 }
1067
1068 int SSL_CTX_set_generate_session_id(SSL_CTX *ctx, GEN_SESSION_CB cb)
1069 {
1070 if (!CRYPTO_THREAD_write_lock(ctx->lock))
1071 return 0;
1072 ctx->generate_session_id = cb;
1073 CRYPTO_THREAD_unlock(ctx->lock);
1074 return 1;
1075 }
1076
1077 int SSL_set_generate_session_id(SSL *ssl, GEN_SESSION_CB cb)
1078 {
1079 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(ssl);
1080
1081 if (sc == NULL || !CRYPTO_THREAD_write_lock(ssl->lock))
1082 return 0;
1083 sc->generate_session_id = cb;
1084 CRYPTO_THREAD_unlock(ssl->lock);
1085 return 1;
1086 }
1087
1088 int SSL_has_matching_session_id(const SSL *ssl, const unsigned char *id,
1089 unsigned int id_len)
1090 {
1091 /*
1092 * A quick examination of SSL_SESSION_hash and SSL_SESSION_cmp shows how
1093 * we can "construct" a session to give us the desired check - i.e. to
1094 * find if there's a session in the hash table that would conflict with
1095 * any new session built out of this id/id_len and the ssl_version in use
1096 * by this SSL.
1097 */
1098 SSL_SESSION r, *p;
1099 const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(ssl);
1100
1101 if (sc == NULL || id_len > sizeof(r.session_id))
1102 return 0;
1103
1104 r.ssl_version = sc->version;
1105 r.session_id_length = id_len;
1106 memcpy(r.session_id, id, id_len);
1107
1108 if (!CRYPTO_THREAD_read_lock(sc->session_ctx->lock))
1109 return 0;
1110 p = lh_SSL_SESSION_retrieve(sc->session_ctx->sessions, &r);
1111 CRYPTO_THREAD_unlock(sc->session_ctx->lock);
1112 return (p != NULL);
1113 }
1114
1115 int SSL_CTX_set_purpose(SSL_CTX *s, int purpose)
1116 {
1117 return X509_VERIFY_PARAM_set_purpose(s->param, purpose);
1118 }
1119
1120 int SSL_set_purpose(SSL *s, int purpose)
1121 {
1122 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
1123
1124 if (sc == NULL)
1125 return 0;
1126
1127 return X509_VERIFY_PARAM_set_purpose(sc->param, purpose);
1128 }
1129
1130 int SSL_CTX_set_trust(SSL_CTX *s, int trust)
1131 {
1132 return X509_VERIFY_PARAM_set_trust(s->param, trust);
1133 }
1134
1135 int SSL_set_trust(SSL *s, int trust)
1136 {
1137 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
1138
1139 if (sc == NULL)
1140 return 0;
1141
1142 return X509_VERIFY_PARAM_set_trust(sc->param, trust);
1143 }
1144
1145 int SSL_set1_host(SSL *s, const char *host)
1146 {
1147 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
1148
1149 if (sc == NULL)
1150 return 0;
1151
1152 /* clear hostname(s) and IP address in any case, also if host parses as an IP address */
1153 (void)X509_VERIFY_PARAM_set1_host(sc->param, NULL, 0);
1154 (void)X509_VERIFY_PARAM_set1_ip(sc->param, NULL, 0);
1155 if (host == NULL)
1156 return 1;
1157
1158 /* If a host is provided and parses as an IP address, treat it as such. */
1159 return X509_VERIFY_PARAM_set1_ip_asc(sc->param, host)
1160 || X509_VERIFY_PARAM_set1_host(sc->param, host, 0);
1161 }
1162
1163 int SSL_add1_host(SSL *s, const char *host)
1164 {
1165 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
1166
1167 if (sc == NULL)
1168 return 0;
1169
1170 /* If a host is provided and parses as an IP address, treat it as such. */
1171 if (host != NULL) {
1172 ASN1_OCTET_STRING *ip;
1173 char *old_ip;
1174
1175 ip = a2i_IPADDRESS(host);
1176 if (ip != NULL) {
1177 /* We didn't want it; only to check if it *is* an IP address */
1178 ASN1_OCTET_STRING_free(ip);
1179
1180 old_ip = X509_VERIFY_PARAM_get1_ip_asc(sc->param);
1181 if (old_ip != NULL) {
1182 OPENSSL_free(old_ip);
1183 /* There can be only one IP address */
1184 ERR_raise_data(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT,
1185 "IP address was already set");
1186 return 0;
1187 }
1188
1189 return X509_VERIFY_PARAM_set1_ip_asc(sc->param, host);
1190 }
1191 }
1192
1193 return X509_VERIFY_PARAM_add1_host(sc->param, host, 0);
1194 }
1195
1196 void SSL_set_hostflags(SSL *s, unsigned int flags)
1197 {
1198 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
1199
1200 if (sc == NULL)
1201 return;
1202
1203 X509_VERIFY_PARAM_set_hostflags(sc->param, flags);
1204 }
1205
1206 const char *SSL_get0_peername(SSL *s)
1207 {
1208 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
1209
1210 if (sc == NULL)
1211 return NULL;
1212
1213 return X509_VERIFY_PARAM_get0_peername(sc->param);
1214 }
1215
1216 int SSL_CTX_dane_enable(SSL_CTX *ctx)
1217 {
1218 return dane_ctx_enable(&ctx->dane);
1219 }
1220
1221 unsigned long SSL_CTX_dane_set_flags(SSL_CTX *ctx, unsigned long flags)
1222 {
1223 unsigned long orig = ctx->dane.flags;
1224
1225 ctx->dane.flags |= flags;
1226 return orig;
1227 }
1228
1229 unsigned long SSL_CTX_dane_clear_flags(SSL_CTX *ctx, unsigned long flags)
1230 {
1231 unsigned long orig = ctx->dane.flags;
1232
1233 ctx->dane.flags &= ~flags;
1234 return orig;
1235 }
1236
1237 int SSL_dane_enable(SSL *s, const char *basedomain)
1238 {
1239 SSL_DANE *dane;
1240 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
1241
1242 if (sc == NULL)
1243 return 0;
1244
1245 dane = &sc->dane;
1246 if (s->ctx->dane.mdmax == 0) {
1247 ERR_raise(ERR_LIB_SSL, SSL_R_CONTEXT_NOT_DANE_ENABLED);
1248 return 0;
1249 }
1250 if (dane->trecs != NULL) {
1251 ERR_raise(ERR_LIB_SSL, SSL_R_DANE_ALREADY_ENABLED);
1252 return 0;
1253 }
1254
1255 /*
1256 * Default SNI name. This rejects empty names, while set1_host below
1257 * accepts them and disables hostname checks. To avoid side-effects with
1258 * invalid input, set the SNI name first.
1259 */
1260 if (sc->ext.hostname == NULL) {
1261 if (!SSL_set_tlsext_host_name(s, basedomain)) {
1262 ERR_raise(ERR_LIB_SSL, SSL_R_ERROR_SETTING_TLSA_BASE_DOMAIN);
1263 return -1;
1264 }
1265 }
1266
1267 /* Primary RFC6125 reference identifier */
1268 if (!X509_VERIFY_PARAM_set1_host(sc->param, basedomain, 0)) {
1269 ERR_raise(ERR_LIB_SSL, SSL_R_ERROR_SETTING_TLSA_BASE_DOMAIN);
1270 return -1;
1271 }
1272
1273 dane->mdpth = -1;
1274 dane->pdpth = -1;
1275 dane->dctx = &s->ctx->dane;
1276 dane->trecs = sk_danetls_record_new_null();
1277
1278 if (dane->trecs == NULL) {
1279 ERR_raise(ERR_LIB_SSL, ERR_R_CRYPTO_LIB);
1280 return -1;
1281 }
1282 return 1;
1283 }
1284
1285 unsigned long SSL_dane_set_flags(SSL *ssl, unsigned long flags)
1286 {
1287 unsigned long orig;
1288 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(ssl);
1289
1290 if (sc == NULL)
1291 return 0;
1292
1293 orig = sc->dane.flags;
1294
1295 sc->dane.flags |= flags;
1296 return orig;
1297 }
1298
1299 unsigned long SSL_dane_clear_flags(SSL *ssl, unsigned long flags)
1300 {
1301 unsigned long orig;
1302 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(ssl);
1303
1304 if (sc == NULL)
1305 return 0;
1306
1307 orig = sc->dane.flags;
1308
1309 sc->dane.flags &= ~flags;
1310 return orig;
1311 }
1312
1313 int SSL_get0_dane_authority(SSL *s, X509 **mcert, EVP_PKEY **mspki)
1314 {
1315 SSL_DANE *dane;
1316 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
1317
1318 if (sc == NULL)
1319 return -1;
1320
1321 dane = &sc->dane;
1322
1323 if (!DANETLS_ENABLED(dane) || sc->verify_result != X509_V_OK)
1324 return -1;
1325 if (dane->mtlsa) {
1326 if (mcert)
1327 *mcert = dane->mcert;
1328 if (mspki)
1329 *mspki = (dane->mcert == NULL) ? dane->mtlsa->spki : NULL;
1330 }
1331 return dane->mdpth;
1332 }
1333
1334 int SSL_get0_dane_tlsa(SSL *s, uint8_t *usage, uint8_t *selector,
1335 uint8_t *mtype, const unsigned char **data, size_t *dlen)
1336 {
1337 SSL_DANE *dane;
1338 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
1339
1340 if (sc == NULL)
1341 return -1;
1342
1343 dane = &sc->dane;
1344
1345 if (!DANETLS_ENABLED(dane) || sc->verify_result != X509_V_OK)
1346 return -1;
1347 if (dane->mtlsa) {
1348 if (usage)
1349 *usage = dane->mtlsa->usage;
1350 if (selector)
1351 *selector = dane->mtlsa->selector;
1352 if (mtype)
1353 *mtype = dane->mtlsa->mtype;
1354 if (data)
1355 *data = dane->mtlsa->data;
1356 if (dlen)
1357 *dlen = dane->mtlsa->dlen;
1358 }
1359 return dane->mdpth;
1360 }
1361
1362 SSL_DANE *SSL_get0_dane(SSL *s)
1363 {
1364 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
1365
1366 if (sc == NULL)
1367 return NULL;
1368
1369 return &sc->dane;
1370 }
1371
1372 int SSL_dane_tlsa_add(SSL *s, uint8_t usage, uint8_t selector,
1373 uint8_t mtype, const unsigned char *data, size_t dlen)
1374 {
1375 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
1376
1377 if (sc == NULL)
1378 return 0;
1379
1380 return dane_tlsa_add(&sc->dane, usage, selector, mtype, data, dlen);
1381 }
1382
1383 int SSL_CTX_dane_mtype_set(SSL_CTX *ctx, const EVP_MD *md, uint8_t mtype,
1384 uint8_t ord)
1385 {
1386 return dane_mtype_set(&ctx->dane, md, mtype, ord);
1387 }
1388
1389 int SSL_CTX_set1_param(SSL_CTX *ctx, X509_VERIFY_PARAM *vpm)
1390 {
1391 return X509_VERIFY_PARAM_set1(ctx->param, vpm);
1392 }
1393
1394 int SSL_set1_param(SSL *ssl, X509_VERIFY_PARAM *vpm)
1395 {
1396 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(ssl);
1397
1398 if (sc == NULL)
1399 return 0;
1400
1401 return X509_VERIFY_PARAM_set1(sc->param, vpm);
1402 }
1403
1404 X509_VERIFY_PARAM *SSL_CTX_get0_param(SSL_CTX *ctx)
1405 {
1406 return ctx->param;
1407 }
1408
1409 X509_VERIFY_PARAM *SSL_get0_param(SSL *ssl)
1410 {
1411 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(ssl);
1412
1413 if (sc == NULL)
1414 return NULL;
1415
1416 return sc->param;
1417 }
1418
1419 void SSL_certs_clear(SSL *s)
1420 {
1421 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
1422
1423 if (sc == NULL)
1424 return;
1425
1426 ssl_cert_clear_certs(sc->cert);
1427 }
1428
1429 void SSL_free(SSL *s)
1430 {
1431 int i;
1432
1433 if (s == NULL)
1434 return;
1435 CRYPTO_DOWN_REF(&s->references, &i);
1436 REF_PRINT_COUNT("SSL", i, s);
1437 if (i > 0)
1438 return;
1439 REF_ASSERT_ISNT(i < 0);
1440
1441 if (s->method != NULL)
1442 s->method->ssl_free(s);
1443
1444 CRYPTO_free_ex_data(CRYPTO_EX_INDEX_SSL, s, &s->ex_data);
1445 SSL_CTX_free(s->ctx);
1446 CRYPTO_THREAD_lock_free(s->lock);
1447 CRYPTO_FREE_REF(&s->references);
1448
1449 OPENSSL_free(s);
1450 }
1451
1452 void ossl_ssl_connection_free(SSL *ssl)
1453 {
1454 SSL_CONNECTION *s;
1455
1456 s = SSL_CONNECTION_FROM_SSL_ONLY(ssl);
1457 if (s == NULL)
1458 return;
1459
1460 /*
1461 * Ignore return values. This could result in user callbacks being called
1462 * e.g. for the QUIC TLS record layer. So we do this early before we have
1463 * freed other things.
1464 */
1465 ssl_free_wbio_buffer(s);
1466 RECORD_LAYER_clear(&s->rlayer);
1467
1468 X509_VERIFY_PARAM_free(s->param);
1469 dane_final(&s->dane);
1470
1471 BUF_MEM_free(s->init_buf);
1472
1473 /* add extra stuff */
1474 sk_SSL_CIPHER_free(s->cipher_list);
1475 sk_SSL_CIPHER_free(s->cipher_list_by_id);
1476 sk_SSL_CIPHER_free(s->tls13_ciphersuites);
1477 sk_SSL_CIPHER_free(s->peer_ciphers);
1478
1479 /* Make the next call work :-) */
1480 if (s->session != NULL) {
1481 ssl_clear_bad_session(s);
1482 SSL_SESSION_free(s->session);
1483 }
1484 SSL_SESSION_free(s->psksession);
1485 OPENSSL_free(s->psksession_id);
1486
1487 ssl_cert_free(s->cert);
1488 OPENSSL_free(s->shared_sigalgs);
1489 /* Free up if allocated */
1490
1491 OPENSSL_free(s->ext.hostname);
1492 SSL_CTX_free(s->session_ctx);
1493 OPENSSL_free(s->ext.ecpointformats);
1494 OPENSSL_free(s->ext.peer_ecpointformats);
1495 OPENSSL_free(s->ext.supportedgroups);
1496 OPENSSL_free(s->ext.keyshares);
1497 OPENSSL_free(s->ext.tuples);
1498 OPENSSL_free(s->ext.peer_supportedgroups);
1499 sk_X509_EXTENSION_pop_free(s->ext.ocsp.exts, X509_EXTENSION_free);
1500 #ifndef OPENSSL_NO_OCSP
1501 sk_OCSP_RESPID_pop_free(s->ext.ocsp.ids, OCSP_RESPID_free);
1502 #endif
1503 #ifndef OPENSSL_NO_CT
1504 SCT_LIST_free(s->scts);
1505 OPENSSL_free(s->ext.scts);
1506 #endif
1507 OPENSSL_free(s->ext.ocsp.resp);
1508 OPENSSL_free(s->ext.alpn);
1509 OPENSSL_free(s->ext.tls13_cookie);
1510 if (s->clienthello != NULL)
1511 OPENSSL_free(s->clienthello->pre_proc_exts);
1512 OPENSSL_free(s->clienthello);
1513 OPENSSL_free(s->pha_context);
1514 EVP_MD_CTX_free(s->pha_dgst);
1515
1516 sk_X509_NAME_pop_free(s->ca_names, X509_NAME_free);
1517 sk_X509_NAME_pop_free(s->client_ca_names, X509_NAME_free);
1518
1519 OPENSSL_free(s->client_cert_type);
1520 OPENSSL_free(s->server_cert_type);
1521
1522 OSSL_STACK_OF_X509_free(s->verified_chain);
1523
1524 if (ssl->method != NULL)
1525 ssl->method->ssl_deinit(ssl);
1526
1527 ASYNC_WAIT_CTX_free(s->waitctx);
1528
1529 #if !defined(OPENSSL_NO_NEXTPROTONEG)
1530 OPENSSL_free(s->ext.npn);
1531 #endif
1532
1533 #ifndef OPENSSL_NO_SRTP
1534 sk_SRTP_PROTECTION_PROFILE_free(s->srtp_profiles);
1535 #endif
1536
1537 /*
1538 * We do this late. We want to ensure that any other references we held to
1539 * these BIOs are freed first *before* we call BIO_free_all(), because
1540 * BIO_free_all() will only free each BIO in the chain if the number of
1541 * references to the first BIO have dropped to 0
1542 */
1543 BIO_free_all(s->wbio);
1544 s->wbio = NULL;
1545 BIO_free_all(s->rbio);
1546 s->rbio = NULL;
1547 OPENSSL_free(s->s3.tmp.valid_flags);
1548 }
1549
1550 void SSL_set0_rbio(SSL *s, BIO *rbio)
1551 {
1552 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
1553
1554 #ifndef OPENSSL_NO_QUIC
1555 if (IS_QUIC(s)) {
1556 ossl_quic_conn_set0_net_rbio(s, rbio);
1557 return;
1558 }
1559 #endif
1560
1561 if (sc == NULL)
1562 return;
1563
1564 BIO_free_all(sc->rbio);
1565 sc->rbio = rbio;
1566 sc->rlayer.rrlmethod->set1_bio(sc->rlayer.rrl, sc->rbio);
1567 }
1568
1569 void SSL_set0_wbio(SSL *s, BIO *wbio)
1570 {
1571 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
1572
1573 #ifndef OPENSSL_NO_QUIC
1574 if (IS_QUIC(s)) {
1575 ossl_quic_conn_set0_net_wbio(s, wbio);
1576 return;
1577 }
1578 #endif
1579
1580 if (sc == NULL)
1581 return;
1582
1583 /*
1584 * If the output buffering BIO is still in place, remove it
1585 */
1586 if (sc->bbio != NULL)
1587 sc->wbio = BIO_pop(sc->wbio);
1588
1589 BIO_free_all(sc->wbio);
1590 sc->wbio = wbio;
1591
1592 /* Re-attach |bbio| to the new |wbio|. */
1593 if (sc->bbio != NULL)
1594 sc->wbio = BIO_push(sc->bbio, sc->wbio);
1595
1596 sc->rlayer.wrlmethod->set1_bio(sc->rlayer.wrl, sc->wbio);
1597 }
1598
1599 void SSL_set_bio(SSL *s, BIO *rbio, BIO *wbio)
1600 {
1601 /*
1602 * For historical reasons, this function has many different cases in
1603 * ownership handling.
1604 */
1605
1606 /* If nothing has changed, do nothing */
1607 if (rbio == SSL_get_rbio(s) && wbio == SSL_get_wbio(s))
1608 return;
1609
1610 /*
1611 * If the two arguments are equal then one fewer reference is granted by the
1612 * caller than we want to take
1613 */
1614 if (rbio != NULL && rbio == wbio) {
1615 if (!BIO_up_ref(rbio))
1616 return;
1617 }
1618
1619 /*
1620 * If only the wbio is changed only adopt one reference.
1621 */
1622 if (rbio == SSL_get_rbio(s)) {
1623 SSL_set0_wbio(s, wbio);
1624 return;
1625 }
1626 /*
1627 * There is an asymmetry here for historical reasons. If only the rbio is
1628 * changed AND the rbio and wbio were originally different, then we only
1629 * adopt one reference.
1630 */
1631 if (wbio == SSL_get_wbio(s) && SSL_get_rbio(s) != SSL_get_wbio(s)) {
1632 SSL_set0_rbio(s, rbio);
1633 return;
1634 }
1635
1636 /* Otherwise, adopt both references. */
1637 SSL_set0_rbio(s, rbio);
1638 SSL_set0_wbio(s, wbio);
1639 }
1640
1641 BIO *SSL_get_rbio(const SSL *s)
1642 {
1643 const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
1644
1645 #ifndef OPENSSL_NO_QUIC
1646 if (IS_QUIC(s))
1647 return ossl_quic_conn_get_net_rbio(s);
1648 #endif
1649
1650 if (sc == NULL)
1651 return NULL;
1652
1653 return sc->rbio;
1654 }
1655
1656 BIO *SSL_get_wbio(const SSL *s)
1657 {
1658 const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
1659
1660 #ifndef OPENSSL_NO_QUIC
1661 if (IS_QUIC(s))
1662 return ossl_quic_conn_get_net_wbio(s);
1663 #endif
1664
1665 if (sc == NULL)
1666 return NULL;
1667
1668 if (sc->bbio != NULL) {
1669 /*
1670 * If |bbio| is active, the true caller-configured BIO is its
1671 * |next_bio|.
1672 */
1673 return BIO_next(sc->bbio);
1674 }
1675 return sc->wbio;
1676 }
1677
1678 int SSL_get_fd(const SSL *s)
1679 {
1680 return SSL_get_rfd(s);
1681 }
1682
1683 int SSL_get_rfd(const SSL *s)
1684 {
1685 int ret = -1;
1686 BIO *b, *r;
1687
1688 b = SSL_get_rbio(s);
1689 r = BIO_find_type(b, BIO_TYPE_DESCRIPTOR);
1690 if (r != NULL)
1691 BIO_get_fd(r, &ret);
1692 return ret;
1693 }
1694
1695 int SSL_get_wfd(const SSL *s)
1696 {
1697 int ret = -1;
1698 BIO *b, *r;
1699
1700 b = SSL_get_wbio(s);
1701 r = BIO_find_type(b, BIO_TYPE_DESCRIPTOR);
1702 if (r != NULL)
1703 BIO_get_fd(r, &ret);
1704 return ret;
1705 }
1706
1707 #ifndef OPENSSL_NO_SOCK
1708 static const BIO_METHOD *fd_method(SSL *s)
1709 {
1710 #ifndef OPENSSL_NO_DGRAM
1711 if (IS_QUIC(s))
1712 return BIO_s_datagram();
1713 #endif
1714
1715 return BIO_s_socket();
1716 }
1717
1718 int SSL_set_fd(SSL *s, int fd)
1719 {
1720 int ret = 0;
1721 BIO *bio = NULL;
1722
1723 if (s->type == SSL_TYPE_QUIC_XSO) {
1724 ERR_raise(ERR_LIB_SSL, SSL_R_CONN_USE_ONLY);
1725 goto err;
1726 }
1727
1728 bio = BIO_new(fd_method(s));
1729
1730 if (bio == NULL) {
1731 ERR_raise(ERR_LIB_SSL, ERR_R_BUF_LIB);
1732 goto err;
1733 }
1734 BIO_set_fd(bio, fd, BIO_NOCLOSE);
1735 SSL_set_bio(s, bio, bio);
1736 #ifndef OPENSSL_NO_KTLS
1737 /*
1738 * The new socket is created successfully regardless of ktls_enable.
1739 * ktls_enable doesn't change any functionality of the socket, except
1740 * changing the setsockopt to enable the processing of ktls_start.
1741 * Thus, it is not a problem to call it for non-TLS sockets.
1742 */
1743 ktls_enable(fd);
1744 #endif /* OPENSSL_NO_KTLS */
1745 ret = 1;
1746 err:
1747 return ret;
1748 }
1749
1750 int SSL_set_wfd(SSL *s, int fd)
1751 {
1752 BIO *rbio = SSL_get_rbio(s);
1753 int desired_type = IS_QUIC(s) ? BIO_TYPE_DGRAM : BIO_TYPE_SOCKET;
1754
1755 if (s->type == SSL_TYPE_QUIC_XSO) {
1756 ERR_raise(ERR_LIB_SSL, SSL_R_CONN_USE_ONLY);
1757 return 0;
1758 }
1759
1760 if (rbio == NULL || BIO_method_type(rbio) != desired_type
1761 || (int)BIO_get_fd(rbio, NULL) != fd) {
1762 BIO *bio = BIO_new(fd_method(s));
1763
1764 if (bio == NULL) {
1765 ERR_raise(ERR_LIB_SSL, ERR_R_BUF_LIB);
1766 return 0;
1767 }
1768 BIO_set_fd(bio, fd, BIO_NOCLOSE);
1769 SSL_set0_wbio(s, bio);
1770 #ifndef OPENSSL_NO_KTLS
1771 /*
1772 * The new socket is created successfully regardless of ktls_enable.
1773 * ktls_enable doesn't change any functionality of the socket, except
1774 * changing the setsockopt to enable the processing of ktls_start.
1775 * Thus, it is not a problem to call it for non-TLS sockets.
1776 */
1777 ktls_enable(fd);
1778 #endif /* OPENSSL_NO_KTLS */
1779 } else {
1780 if (!BIO_up_ref(rbio))
1781 return 0;
1782 SSL_set0_wbio(s, rbio);
1783 }
1784 return 1;
1785 }
1786
1787 int SSL_set_rfd(SSL *s, int fd)
1788 {
1789 BIO *wbio = SSL_get_wbio(s);
1790 int desired_type = IS_QUIC(s) ? BIO_TYPE_DGRAM : BIO_TYPE_SOCKET;
1791
1792 if (s->type == SSL_TYPE_QUIC_XSO) {
1793 ERR_raise(ERR_LIB_SSL, SSL_R_CONN_USE_ONLY);
1794 return 0;
1795 }
1796
1797 if (wbio == NULL || BIO_method_type(wbio) != desired_type
1798 || ((int)BIO_get_fd(wbio, NULL) != fd)) {
1799 BIO *bio = BIO_new(fd_method(s));
1800
1801 if (bio == NULL) {
1802 ERR_raise(ERR_LIB_SSL, ERR_R_BUF_LIB);
1803 return 0;
1804 }
1805 BIO_set_fd(bio, fd, BIO_NOCLOSE);
1806 SSL_set0_rbio(s, bio);
1807 } else {
1808 if (!BIO_up_ref(wbio))
1809 return 0;
1810 SSL_set0_rbio(s, wbio);
1811 }
1812
1813 return 1;
1814 }
1815 #endif
1816
1817 /* return length of latest Finished message we sent, copy to 'buf' */
1818 size_t SSL_get_finished(const SSL *s, void *buf, size_t count)
1819 {
1820 size_t ret = 0;
1821 const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
1822
1823 if (sc == NULL)
1824 return 0;
1825
1826 ret = sc->s3.tmp.finish_md_len;
1827 if (count > ret)
1828 count = ret;
1829 memcpy(buf, sc->s3.tmp.finish_md, count);
1830 return ret;
1831 }
1832
1833 /* return length of latest Finished message we expected, copy to 'buf' */
1834 size_t SSL_get_peer_finished(const SSL *s, void *buf, size_t count)
1835 {
1836 size_t ret = 0;
1837 const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
1838
1839 if (sc == NULL)
1840 return 0;
1841
1842 ret = sc->s3.tmp.peer_finish_md_len;
1843 if (count > ret)
1844 count = ret;
1845 memcpy(buf, sc->s3.tmp.peer_finish_md, count);
1846 return ret;
1847 }
1848
1849 int SSL_get_verify_mode(const SSL *s)
1850 {
1851 const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
1852
1853 if (sc == NULL)
1854 return 0;
1855
1856 return sc->verify_mode;
1857 }
1858
1859 int SSL_get_verify_depth(const SSL *s)
1860 {
1861 const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
1862
1863 if (sc == NULL)
1864 return 0;
1865
1866 return X509_VERIFY_PARAM_get_depth(sc->param);
1867 }
1868
1869 int (*SSL_get_verify_callback(const SSL *s)) (int, X509_STORE_CTX *) {
1870 const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
1871
1872 if (sc == NULL)
1873 return NULL;
1874
1875 return sc->verify_callback;
1876 }
1877
1878 int SSL_CTX_get_verify_mode(const SSL_CTX *ctx)
1879 {
1880 return ctx->verify_mode;
1881 }
1882
1883 int SSL_CTX_get_verify_depth(const SSL_CTX *ctx)
1884 {
1885 return X509_VERIFY_PARAM_get_depth(ctx->param);
1886 }
1887
1888 int (*SSL_CTX_get_verify_callback(const SSL_CTX *ctx)) (int, X509_STORE_CTX *) {
1889 return ctx->default_verify_callback;
1890 }
1891
1892 void SSL_set_verify(SSL *s, int mode,
1893 int (*callback) (int ok, X509_STORE_CTX *ctx))
1894 {
1895 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
1896
1897 if (sc == NULL)
1898 return;
1899
1900 sc->verify_mode = mode;
1901 if (callback != NULL)
1902 sc->verify_callback = callback;
1903 }
1904
1905 void SSL_set_verify_depth(SSL *s, int depth)
1906 {
1907 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
1908
1909 if (sc == NULL)
1910 return;
1911
1912 X509_VERIFY_PARAM_set_depth(sc->param, depth);
1913 }
1914
1915 void SSL_set_read_ahead(SSL *s, int yes)
1916 {
1917 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL_ONLY(s);
1918 OSSL_PARAM options[2], *opts = options;
1919
1920 if (sc == NULL)
1921 return;
1922
1923 RECORD_LAYER_set_read_ahead(&sc->rlayer, yes);
1924
1925 *opts++ = OSSL_PARAM_construct_int(OSSL_LIBSSL_RECORD_LAYER_PARAM_READ_AHEAD,
1926 &sc->rlayer.read_ahead);
1927 *opts = OSSL_PARAM_construct_end();
1928
1929 /* Ignore return value */
1930 sc->rlayer.rrlmethod->set_options(sc->rlayer.rrl, options);
1931 }
1932
1933 int SSL_get_read_ahead(const SSL *s)
1934 {
1935 const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL_ONLY(s);
1936
1937 if (sc == NULL)
1938 return 0;
1939
1940 return RECORD_LAYER_get_read_ahead(&sc->rlayer);
1941 }
1942
1943 int SSL_pending(const SSL *s)
1944 {
1945 size_t pending = s->method->ssl_pending(s);
1946
1947 /*
1948 * SSL_pending cannot work properly if read-ahead is enabled
1949 * (SSL_[CTX_]ctrl(..., SSL_CTRL_SET_READ_AHEAD, 1, NULL)), and it is
1950 * impossible to fix since SSL_pending cannot report errors that may be
1951 * observed while scanning the new data. (Note that SSL_pending() is
1952 * often used as a boolean value, so we'd better not return -1.)
1953 *
1954 * SSL_pending also cannot work properly if the value >INT_MAX. In that case
1955 * we just return INT_MAX.
1956 */
1957 return pending < INT_MAX ? (int)pending : INT_MAX;
1958 }
1959
1960 int SSL_has_pending(const SSL *s)
1961 {
1962 /*
1963 * Similar to SSL_pending() but returns a 1 to indicate that we have
1964 * processed or unprocessed data available or 0 otherwise (as opposed to the
1965 * number of bytes available). Unlike SSL_pending() this will take into
1966 * account read_ahead data. A 1 return simply indicates that we have data.
1967 * That data may not result in any application data, or we may fail to parse
1968 * the records for some reason.
1969 */
1970 const SSL_CONNECTION *sc;
1971
1972 #ifndef OPENSSL_NO_QUIC
1973 if (IS_QUIC(s))
1974 return ossl_quic_has_pending(s);
1975 #endif
1976
1977 sc = SSL_CONNECTION_FROM_CONST_SSL(s);
1978
1979 /* Check buffered app data if any first */
1980 if (SSL_CONNECTION_IS_DTLS(sc)) {
1981 TLS_RECORD *rdata;
1982 pitem *item, *iter;
1983
1984 iter = pqueue_iterator(sc->rlayer.d->buffered_app_data);
1985 while ((item = pqueue_next(&iter)) != NULL) {
1986 rdata = item->data;
1987 if (rdata->length > 0)
1988 return 1;
1989 }
1990 }
1991
1992 if (RECORD_LAYER_processed_read_pending(&sc->rlayer))
1993 return 1;
1994
1995 return RECORD_LAYER_read_pending(&sc->rlayer);
1996 }
1997
1998 X509 *SSL_get1_peer_certificate(const SSL *s)
1999 {
2000 X509 *r = SSL_get0_peer_certificate(s);
2001
2002 if (r != NULL && !X509_up_ref(r))
2003 return NULL;
2004
2005 return r;
2006 }
2007
2008 X509 *SSL_get0_peer_certificate(const SSL *s)
2009 {
2010 const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
2011
2012 if (sc == NULL)
2013 return NULL;
2014
2015 if (sc->session == NULL)
2016 return NULL;
2017 else
2018 return sc->session->peer;
2019 }
2020
2021 STACK_OF(X509) *SSL_get_peer_cert_chain(const SSL *s)
2022 {
2023 STACK_OF(X509) *r;
2024 const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
2025
2026 if (sc == NULL)
2027 return NULL;
2028
2029 if (sc->session == NULL)
2030 r = NULL;
2031 else
2032 r = sc->session->peer_chain;
2033
2034 /*
2035 * If we are a client, cert_chain includes the peer's own certificate; if
2036 * we are a server, it does not.
2037 */
2038
2039 return r;
2040 }
2041
2042 /*
2043 * Now in theory, since the calling process own 't' it should be safe to
2044 * modify. We need to be able to read f without being hassled
2045 */
2046 int SSL_copy_session_id(SSL *t, const SSL *f)
2047 {
2048 int i;
2049 /* TODO(QUIC FUTURE): Not allowed for QUIC currently. */
2050 SSL_CONNECTION *tsc = SSL_CONNECTION_FROM_SSL_ONLY(t);
2051 const SSL_CONNECTION *fsc = SSL_CONNECTION_FROM_CONST_SSL_ONLY(f);
2052
2053 if (tsc == NULL || fsc == NULL)
2054 return 0;
2055
2056 /* Do we need to do SSL locking? */
2057 if (!SSL_set_session(t, SSL_get_session(f))) {
2058 return 0;
2059 }
2060
2061 /*
2062 * what if we are setup for one protocol version but want to talk another
2063 */
2064 if (t->method != f->method) {
2065 t->method->ssl_deinit(t);
2066 t->method = f->method;
2067 if (t->method->ssl_init(t) == 0)
2068 return 0;
2069 }
2070
2071 CRYPTO_UP_REF(&fsc->cert->references, &i);
2072 ssl_cert_free(tsc->cert);
2073 tsc->cert = fsc->cert;
2074 if (!SSL_set_session_id_context(t, fsc->sid_ctx, (int)fsc->sid_ctx_length)) {
2075 return 0;
2076 }
2077
2078 return 1;
2079 }
2080
2081 /* Fix this so it checks all the valid key/cert options */
2082 int SSL_CTX_check_private_key(const SSL_CTX *ctx)
2083 {
2084 if ((ctx == NULL) || (ctx->cert->key->x509 == NULL)) {
2085 ERR_raise(ERR_LIB_SSL, SSL_R_NO_CERTIFICATE_ASSIGNED);
2086 return 0;
2087 }
2088 if (ctx->cert->key->privatekey == NULL) {
2089 ERR_raise(ERR_LIB_SSL, SSL_R_NO_PRIVATE_KEY_ASSIGNED);
2090 return 0;
2091 }
2092 return X509_check_private_key
2093 (ctx->cert->key->x509, ctx->cert->key->privatekey);
2094 }
2095
2096 /* Fix this function so that it takes an optional type parameter */
2097 int SSL_check_private_key(const SSL *ssl)
2098 {
2099 const SSL_CONNECTION *sc;
2100
2101 if ((sc = SSL_CONNECTION_FROM_CONST_SSL(ssl)) == NULL) {
2102 ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_NULL_PARAMETER);
2103 return 0;
2104 }
2105 if (sc->cert->key->x509 == NULL) {
2106 ERR_raise(ERR_LIB_SSL, SSL_R_NO_CERTIFICATE_ASSIGNED);
2107 return 0;
2108 }
2109 if (sc->cert->key->privatekey == NULL) {
2110 ERR_raise(ERR_LIB_SSL, SSL_R_NO_PRIVATE_KEY_ASSIGNED);
2111 return 0;
2112 }
2113 return X509_check_private_key(sc->cert->key->x509,
2114 sc->cert->key->privatekey);
2115 }
2116
2117 int SSL_waiting_for_async(SSL *s)
2118 {
2119 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
2120
2121 if (sc == NULL)
2122 return 0;
2123
2124 if (sc->job)
2125 return 1;
2126
2127 return 0;
2128 }
2129
2130 int SSL_get_all_async_fds(SSL *s, OSSL_ASYNC_FD *fds, size_t *numfds)
2131 {
2132 ASYNC_WAIT_CTX *ctx;
2133 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
2134
2135 if (sc == NULL)
2136 return 0;
2137
2138 if ((ctx = sc->waitctx) == NULL)
2139 return 0;
2140 return ASYNC_WAIT_CTX_get_all_fds(ctx, fds, numfds);
2141 }
2142
2143 int SSL_get_changed_async_fds(SSL *s, OSSL_ASYNC_FD *addfd, size_t *numaddfds,
2144 OSSL_ASYNC_FD *delfd, size_t *numdelfds)
2145 {
2146 ASYNC_WAIT_CTX *ctx;
2147 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
2148
2149 if (sc == NULL)
2150 return 0;
2151
2152 if ((ctx = sc->waitctx) == NULL)
2153 return 0;
2154 return ASYNC_WAIT_CTX_get_changed_fds(ctx, addfd, numaddfds, delfd,
2155 numdelfds);
2156 }
2157
2158 int SSL_CTX_set_async_callback(SSL_CTX *ctx, SSL_async_callback_fn callback)
2159 {
2160 ctx->async_cb = callback;
2161 return 1;
2162 }
2163
2164 int SSL_CTX_set_async_callback_arg(SSL_CTX *ctx, void *arg)
2165 {
2166 ctx->async_cb_arg = arg;
2167 return 1;
2168 }
2169
2170 int SSL_set_async_callback(SSL *s, SSL_async_callback_fn callback)
2171 {
2172 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
2173
2174 if (sc == NULL)
2175 return 0;
2176
2177 sc->async_cb = callback;
2178 return 1;
2179 }
2180
2181 int SSL_set_async_callback_arg(SSL *s, void *arg)
2182 {
2183 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
2184
2185 if (sc == NULL)
2186 return 0;
2187
2188 sc->async_cb_arg = arg;
2189 return 1;
2190 }
2191
2192 int SSL_get_async_status(SSL *s, int *status)
2193 {
2194 ASYNC_WAIT_CTX *ctx;
2195 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
2196
2197 if (sc == NULL)
2198 return 0;
2199
2200 if ((ctx = sc->waitctx) == NULL)
2201 return 0;
2202 *status = ASYNC_WAIT_CTX_get_status(ctx);
2203 return 1;
2204 }
2205
2206 int SSL_accept(SSL *s)
2207 {
2208 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
2209
2210 #ifndef OPENSSL_NO_QUIC
2211 if (IS_QUIC(s))
2212 return s->method->ssl_accept(s);
2213 #endif
2214
2215 if (sc == NULL)
2216 return 0;
2217
2218 if (sc->handshake_func == NULL) {
2219 /* Not properly initialized yet */
2220 SSL_set_accept_state(s);
2221 }
2222
2223 return SSL_do_handshake(s);
2224 }
2225
2226 int SSL_connect(SSL *s)
2227 {
2228 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
2229
2230 #ifndef OPENSSL_NO_QUIC
2231 if (IS_QUIC(s))
2232 return s->method->ssl_connect(s);
2233 #endif
2234
2235 if (sc == NULL)
2236 return 0;
2237
2238 if (sc->handshake_func == NULL) {
2239 /* Not properly initialized yet */
2240 SSL_set_connect_state(s);
2241 }
2242
2243 return SSL_do_handshake(s);
2244 }
2245
2246 long SSL_get_default_timeout(const SSL *s)
2247 {
2248 return (long int)ossl_time2seconds(s->method->get_timeout());
2249 }
2250
2251 static int ssl_async_wait_ctx_cb(void *arg)
2252 {
2253 SSL *s = (SSL *)arg;
2254 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
2255
2256 if (sc == NULL)
2257 return 0;
2258
2259 return sc->async_cb(s, sc->async_cb_arg);
2260 }
2261
2262 static int ssl_start_async_job(SSL *s, struct ssl_async_args *args,
2263 int (*func) (void *))
2264 {
2265 int ret;
2266 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
2267
2268 if (sc == NULL)
2269 return 0;
2270
2271 if (sc->waitctx == NULL) {
2272 sc->waitctx = ASYNC_WAIT_CTX_new();
2273 if (sc->waitctx == NULL)
2274 return -1;
2275 if (sc->async_cb != NULL
2276 && !ASYNC_WAIT_CTX_set_callback
2277 (sc->waitctx, ssl_async_wait_ctx_cb, s))
2278 return -1;
2279 }
2280
2281 sc->rwstate = SSL_NOTHING;
2282 switch (ASYNC_start_job(&sc->job, sc->waitctx, &ret, func, args,
2283 sizeof(struct ssl_async_args))) {
2284 case ASYNC_ERR:
2285 sc->rwstate = SSL_NOTHING;
2286 ERR_raise(ERR_LIB_SSL, SSL_R_FAILED_TO_INIT_ASYNC);
2287 return -1;
2288 case ASYNC_PAUSE:
2289 sc->rwstate = SSL_ASYNC_PAUSED;
2290 return -1;
2291 case ASYNC_NO_JOBS:
2292 sc->rwstate = SSL_ASYNC_NO_JOBS;
2293 return -1;
2294 case ASYNC_FINISH:
2295 sc->job = NULL;
2296 return ret;
2297 default:
2298 sc->rwstate = SSL_NOTHING;
2299 ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
2300 /* Shouldn't happen */
2301 return -1;
2302 }
2303 }
2304
2305 static int ssl_io_intern(void *vargs)
2306 {
2307 struct ssl_async_args *args;
2308 SSL *s;
2309 void *buf;
2310 size_t num;
2311 SSL_CONNECTION *sc;
2312
2313 args = (struct ssl_async_args *)vargs;
2314 s = args->s;
2315 buf = args->buf;
2316 num = args->num;
2317 if ((sc = SSL_CONNECTION_FROM_SSL(s)) == NULL)
2318 return -1;
2319
2320 switch (args->type) {
2321 case READFUNC:
2322 return args->f.func_read(s, buf, num, &sc->asyncrw);
2323 case WRITEFUNC:
2324 return args->f.func_write(s, buf, num, &sc->asyncrw);
2325 case OTHERFUNC:
2326 return args->f.func_other(s);
2327 }
2328 return -1;
2329 }
2330
2331 int ssl_read_internal(SSL *s, void *buf, size_t num, size_t *readbytes)
2332 {
2333 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
2334
2335 #ifndef OPENSSL_NO_QUIC
2336 if (IS_QUIC(s))
2337 return s->method->ssl_read(s, buf, num, readbytes);
2338 #endif
2339
2340 if (sc == NULL)
2341 return -1;
2342
2343 if (sc->handshake_func == NULL) {
2344 ERR_raise(ERR_LIB_SSL, SSL_R_UNINITIALIZED);
2345 return -1;
2346 }
2347
2348 if (sc->shutdown & SSL_RECEIVED_SHUTDOWN) {
2349 sc->rwstate = SSL_NOTHING;
2350 return 0;
2351 }
2352
2353 if (sc->early_data_state == SSL_EARLY_DATA_CONNECT_RETRY
2354 || sc->early_data_state == SSL_EARLY_DATA_ACCEPT_RETRY) {
2355 ERR_raise(ERR_LIB_SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
2356 return 0;
2357 }
2358 /*
2359 * If we are a client and haven't received the ServerHello etc then we
2360 * better do that
2361 */
2362 if (!ossl_statem_check_finish_init(sc, 0))
2363 return -1;
2364
2365 if ((sc->mode & SSL_MODE_ASYNC) && ASYNC_get_current_job() == NULL) {
2366 struct ssl_async_args args;
2367 int ret;
2368
2369 args.s = s;
2370 args.buf = buf;
2371 args.num = num;
2372 args.type = READFUNC;
2373 args.f.func_read = s->method->ssl_read;
2374
2375 ret = ssl_start_async_job(s, &args, ssl_io_intern);
2376 *readbytes = sc->asyncrw;
2377 return ret;
2378 } else {
2379 return s->method->ssl_read(s, buf, num, readbytes);
2380 }
2381 }
2382
2383 int SSL_read(SSL *s, void *buf, int num)
2384 {
2385 int ret;
2386 size_t readbytes;
2387
2388 if (num < 0) {
2389 ERR_raise(ERR_LIB_SSL, SSL_R_BAD_LENGTH);
2390 return -1;
2391 }
2392
2393 ret = ssl_read_internal(s, buf, (size_t)num, &readbytes);
2394
2395 /*
2396 * The cast is safe here because ret should be <= INT_MAX because num is
2397 * <= INT_MAX
2398 */
2399 if (ret > 0)
2400 ret = (int)readbytes;
2401
2402 return ret;
2403 }
2404
2405 int SSL_read_ex(SSL *s, void *buf, size_t num, size_t *readbytes)
2406 {
2407 int ret = ssl_read_internal(s, buf, num, readbytes);
2408
2409 if (ret < 0)
2410 ret = 0;
2411 return ret;
2412 }
2413
2414 int SSL_read_early_data(SSL *s, void *buf, size_t num, size_t *readbytes)
2415 {
2416 int ret;
2417 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL_ONLY(s);
2418
2419 /* TODO(QUIC 0RTT): 0-RTT support */
2420 if (sc == NULL || !sc->server) {
2421 ERR_raise(ERR_LIB_SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
2422 return SSL_READ_EARLY_DATA_ERROR;
2423 }
2424
2425 switch (sc->early_data_state) {
2426 case SSL_EARLY_DATA_NONE:
2427 if (!SSL_in_before(s)) {
2428 ERR_raise(ERR_LIB_SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
2429 return SSL_READ_EARLY_DATA_ERROR;
2430 }
2431 /* fall through */
2432
2433 case SSL_EARLY_DATA_ACCEPT_RETRY:
2434 sc->early_data_state = SSL_EARLY_DATA_ACCEPTING;
2435 ret = SSL_accept(s);
2436 if (ret <= 0) {
2437 /* NBIO or error */
2438 sc->early_data_state = SSL_EARLY_DATA_ACCEPT_RETRY;
2439 return SSL_READ_EARLY_DATA_ERROR;
2440 }
2441 /* fall through */
2442
2443 case SSL_EARLY_DATA_READ_RETRY:
2444 if (sc->ext.early_data == SSL_EARLY_DATA_ACCEPTED) {
2445 sc->early_data_state = SSL_EARLY_DATA_READING;
2446 ret = SSL_read_ex(s, buf, num, readbytes);
2447 /*
2448 * State machine will update early_data_state to
2449 * SSL_EARLY_DATA_FINISHED_READING if we get an EndOfEarlyData
2450 * message
2451 */
2452 if (ret > 0 || (ret <= 0 && sc->early_data_state
2453 != SSL_EARLY_DATA_FINISHED_READING)) {
2454 sc->early_data_state = SSL_EARLY_DATA_READ_RETRY;
2455 return ret > 0 ? SSL_READ_EARLY_DATA_SUCCESS
2456 : SSL_READ_EARLY_DATA_ERROR;
2457 }
2458 } else {
2459 sc->early_data_state = SSL_EARLY_DATA_FINISHED_READING;
2460 }
2461 *readbytes = 0;
2462 return SSL_READ_EARLY_DATA_FINISH;
2463
2464 default:
2465 ERR_raise(ERR_LIB_SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
2466 return SSL_READ_EARLY_DATA_ERROR;
2467 }
2468 }
2469
2470 int SSL_get_early_data_status(const SSL *s)
2471 {
2472 const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL_ONLY(s);
2473
2474 /* TODO(QUIC 0RTT): 0-RTT support */
2475 if (sc == NULL)
2476 return 0;
2477
2478 return sc->ext.early_data;
2479 }
2480
2481 static int ssl_peek_internal(SSL *s, void *buf, size_t num, size_t *readbytes)
2482 {
2483 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
2484
2485 #ifndef OPENSSL_NO_QUIC
2486 if (IS_QUIC(s))
2487 return s->method->ssl_peek(s, buf, num, readbytes);
2488 #endif
2489
2490 if (sc == NULL)
2491 return 0;
2492
2493 if (sc->handshake_func == NULL) {
2494 ERR_raise(ERR_LIB_SSL, SSL_R_UNINITIALIZED);
2495 return -1;
2496 }
2497
2498 if (sc->shutdown & SSL_RECEIVED_SHUTDOWN) {
2499 return 0;
2500 }
2501 if ((sc->mode & SSL_MODE_ASYNC) && ASYNC_get_current_job() == NULL) {
2502 struct ssl_async_args args;
2503 int ret;
2504
2505 args.s = s;
2506 args.buf = buf;
2507 args.num = num;
2508 args.type = READFUNC;
2509 args.f.func_read = s->method->ssl_peek;
2510
2511 ret = ssl_start_async_job(s, &args, ssl_io_intern);
2512 *readbytes = sc->asyncrw;
2513 return ret;
2514 } else {
2515 return s->method->ssl_peek(s, buf, num, readbytes);
2516 }
2517 }
2518
2519 int SSL_peek(SSL *s, void *buf, int num)
2520 {
2521 int ret;
2522 size_t readbytes;
2523
2524 if (num < 0) {
2525 ERR_raise(ERR_LIB_SSL, SSL_R_BAD_LENGTH);
2526 return -1;
2527 }
2528
2529 ret = ssl_peek_internal(s, buf, (size_t)num, &readbytes);
2530
2531 /*
2532 * The cast is safe here because ret should be <= INT_MAX because num is
2533 * <= INT_MAX
2534 */
2535 if (ret > 0)
2536 ret = (int)readbytes;
2537
2538 return ret;
2539 }
2540
2541
2542 int SSL_peek_ex(SSL *s, void *buf, size_t num, size_t *readbytes)
2543 {
2544 int ret = ssl_peek_internal(s, buf, num, readbytes);
2545
2546 if (ret < 0)
2547 ret = 0;
2548 return ret;
2549 }
2550
2551 int ssl_write_internal(SSL *s, const void *buf, size_t num,
2552 uint64_t flags, size_t *written)
2553 {
2554 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
2555
2556 #ifndef OPENSSL_NO_QUIC
2557 if (IS_QUIC(s))
2558 return ossl_quic_write_flags(s, buf, num, flags, written);
2559 #endif
2560
2561 if (sc == NULL)
2562 return 0;
2563
2564 if (sc->handshake_func == NULL) {
2565 ERR_raise(ERR_LIB_SSL, SSL_R_UNINITIALIZED);
2566 return -1;
2567 }
2568
2569 if (sc->shutdown & SSL_SENT_SHUTDOWN) {
2570 sc->rwstate = SSL_NOTHING;
2571 ERR_raise(ERR_LIB_SSL, SSL_R_PROTOCOL_IS_SHUTDOWN);
2572 return -1;
2573 }
2574
2575 if (flags != 0) {
2576 ERR_raise(ERR_LIB_SSL, SSL_R_UNSUPPORTED_WRITE_FLAG);
2577 return -1;
2578 }
2579
2580 if (sc->early_data_state == SSL_EARLY_DATA_CONNECT_RETRY
2581 || sc->early_data_state == SSL_EARLY_DATA_ACCEPT_RETRY
2582 || sc->early_data_state == SSL_EARLY_DATA_READ_RETRY) {
2583 ERR_raise(ERR_LIB_SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
2584 return 0;
2585 }
2586 /* If we are a client and haven't sent the Finished we better do that */
2587 if (!ossl_statem_check_finish_init(sc, 1))
2588 return -1;
2589
2590 if ((sc->mode & SSL_MODE_ASYNC) && ASYNC_get_current_job() == NULL) {
2591 int ret;
2592 struct ssl_async_args args;
2593
2594 args.s = s;
2595 args.buf = (void *)buf;
2596 args.num = num;
2597 args.type = WRITEFUNC;
2598 args.f.func_write = s->method->ssl_write;
2599
2600 ret = ssl_start_async_job(s, &args, ssl_io_intern);
2601 *written = sc->asyncrw;
2602 return ret;
2603 } else {
2604 return s->method->ssl_write(s, buf, num, written);
2605 }
2606 }
2607
2608 ossl_ssize_t SSL_sendfile(SSL *s, int fd, off_t offset, size_t size, int flags)
2609 {
2610 ossl_ssize_t ret;
2611 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL_ONLY(s);
2612
2613 if (sc == NULL)
2614 return 0;
2615
2616 if (sc->handshake_func == NULL) {
2617 ERR_raise(ERR_LIB_SSL, SSL_R_UNINITIALIZED);
2618 return -1;
2619 }
2620
2621 if (sc->shutdown & SSL_SENT_SHUTDOWN) {
2622 sc->rwstate = SSL_NOTHING;
2623 ERR_raise(ERR_LIB_SSL, SSL_R_PROTOCOL_IS_SHUTDOWN);
2624 return -1;
2625 }
2626
2627 if (!BIO_get_ktls_send(sc->wbio)) {
2628 ERR_raise(ERR_LIB_SSL, SSL_R_UNINITIALIZED);
2629 return -1;
2630 }
2631
2632 /* If we have an alert to send, lets send it */
2633 if (sc->s3.alert_dispatch > 0) {
2634 ret = (ossl_ssize_t)s->method->ssl_dispatch_alert(s);
2635 if (ret <= 0) {
2636 /* SSLfatal() already called if appropriate */
2637 return ret;
2638 }
2639 /* if it went, fall through and send more stuff */
2640 }
2641
2642 sc->rwstate = SSL_WRITING;
2643 if (BIO_flush(sc->wbio) <= 0) {
2644 if (!BIO_should_retry(sc->wbio)) {
2645 sc->rwstate = SSL_NOTHING;
2646 } else {
2647 #ifdef EAGAIN
2648 set_sys_error(EAGAIN);
2649 #endif
2650 }
2651 return -1;
2652 }
2653
2654 #ifdef OPENSSL_NO_KTLS
2655 ERR_raise_data(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR,
2656 "can't call ktls_sendfile(), ktls disabled");
2657 return -1;
2658 #else
2659 ret = ktls_sendfile(SSL_get_wfd(s), fd, offset, size, flags);
2660 if (ret < 0) {
2661 #if defined(EAGAIN) && defined(EINTR) && defined(EBUSY)
2662 if ((get_last_sys_error() == EAGAIN) ||
2663 (get_last_sys_error() == EINTR) ||
2664 (get_last_sys_error() == EBUSY))
2665 BIO_set_retry_write(sc->wbio);
2666 else
2667 #endif
2668 ERR_raise_data(ERR_LIB_SYS, get_last_sys_error(),
2669 "ktls_sendfile failure");
2670 return ret;
2671 }
2672 sc->rwstate = SSL_NOTHING;
2673 return ret;
2674 #endif
2675 }
2676
2677 int SSL_write(SSL *s, const void *buf, int num)
2678 {
2679 int ret;
2680 size_t written;
2681
2682 if (num < 0) {
2683 ERR_raise(ERR_LIB_SSL, SSL_R_BAD_LENGTH);
2684 return -1;
2685 }
2686
2687 ret = ssl_write_internal(s, buf, (size_t)num, 0, &written);
2688
2689 /*
2690 * The cast is safe here because ret should be <= INT_MAX because num is
2691 * <= INT_MAX
2692 */
2693 if (ret > 0)
2694 ret = (int)written;
2695
2696 return ret;
2697 }
2698
2699 int SSL_write_ex(SSL *s, const void *buf, size_t num, size_t *written)
2700 {
2701 return SSL_write_ex2(s, buf, num, 0, written);
2702 }
2703
2704 int SSL_write_ex2(SSL *s, const void *buf, size_t num, uint64_t flags,
2705 size_t *written)
2706 {
2707 int ret = ssl_write_internal(s, buf, num, flags, written);
2708
2709 if (ret < 0)
2710 ret = 0;
2711 return ret;
2712 }
2713
2714 int SSL_write_early_data(SSL *s, const void *buf, size_t num, size_t *written)
2715 {
2716 int ret, early_data_state;
2717 size_t writtmp;
2718 uint32_t partialwrite;
2719 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL_ONLY(s);
2720
2721 /* TODO(QUIC 0RTT): This will need special handling for QUIC */
2722 if (sc == NULL)
2723 return 0;
2724
2725 switch (sc->early_data_state) {
2726 case SSL_EARLY_DATA_NONE:
2727 if (sc->server
2728 || !SSL_in_before(s)
2729 || ((sc->session == NULL || sc->session->ext.max_early_data == 0)
2730 && (sc->psk_use_session_cb == NULL))) {
2731 ERR_raise(ERR_LIB_SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
2732 return 0;
2733 }
2734 /* fall through */
2735
2736 case SSL_EARLY_DATA_CONNECT_RETRY:
2737 sc->early_data_state = SSL_EARLY_DATA_CONNECTING;
2738 ret = SSL_connect(s);
2739 if (ret <= 0) {
2740 /* NBIO or error */
2741 sc->early_data_state = SSL_EARLY_DATA_CONNECT_RETRY;
2742 return 0;
2743 }
2744 /* fall through */
2745
2746 case SSL_EARLY_DATA_WRITE_RETRY:
2747 sc->early_data_state = SSL_EARLY_DATA_WRITING;
2748 /*
2749 * We disable partial write for early data because we don't keep track
2750 * of how many bytes we've written between the SSL_write_ex() call and
2751 * the flush if the flush needs to be retried)
2752 */
2753 partialwrite = sc->mode & SSL_MODE_ENABLE_PARTIAL_WRITE;
2754 sc->mode &= ~SSL_MODE_ENABLE_PARTIAL_WRITE;
2755 ret = SSL_write_ex(s, buf, num, &writtmp);
2756 sc->mode |= partialwrite;
2757 if (!ret) {
2758 sc->early_data_state = SSL_EARLY_DATA_WRITE_RETRY;
2759 return ret;
2760 }
2761 sc->early_data_state = SSL_EARLY_DATA_WRITE_FLUSH;
2762 /* fall through */
2763
2764 case SSL_EARLY_DATA_WRITE_FLUSH:
2765 /* The buffering BIO is still in place so we need to flush it */
2766 if (statem_flush(sc) != 1)
2767 return 0;
2768 *written = num;
2769 sc->early_data_state = SSL_EARLY_DATA_WRITE_RETRY;
2770 return 1;
2771
2772 case SSL_EARLY_DATA_FINISHED_READING:
2773 case SSL_EARLY_DATA_READ_RETRY:
2774 early_data_state = sc->early_data_state;
2775 /* We are a server writing to an unauthenticated client */
2776 sc->early_data_state = SSL_EARLY_DATA_UNAUTH_WRITING;
2777 ret = SSL_write_ex(s, buf, num, written);
2778 /* The buffering BIO is still in place */
2779 if (ret)
2780 (void)BIO_flush(sc->wbio);
2781 sc->early_data_state = early_data_state;
2782 return ret;
2783
2784 default:
2785 ERR_raise(ERR_LIB_SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
2786 return 0;
2787 }
2788 }
2789
2790 int SSL_shutdown(SSL *s)
2791 {
2792 /*
2793 * Note that this function behaves differently from what one might
2794 * expect. Return values are 0 for no success (yet), 1 for success; but
2795 * calling it once is usually not enough, even if blocking I/O is used
2796 * (see ssl3_shutdown).
2797 */
2798 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
2799
2800 #ifndef OPENSSL_NO_QUIC
2801 if (IS_QUIC(s))
2802 return ossl_quic_conn_shutdown(s, 0, NULL, 0);
2803 #endif
2804
2805 if (sc == NULL)
2806 return -1;
2807
2808 if (sc->handshake_func == NULL) {
2809 ERR_raise(ERR_LIB_SSL, SSL_R_UNINITIALIZED);
2810 return -1;
2811 }
2812
2813 if (!SSL_in_init(s)) {
2814 if ((sc->mode & SSL_MODE_ASYNC) && ASYNC_get_current_job() == NULL) {
2815 struct ssl_async_args args;
2816
2817 memset(&args, 0, sizeof(args));
2818 args.s = s;
2819 args.type = OTHERFUNC;
2820 args.f.func_other = s->method->ssl_shutdown;
2821
2822 return ssl_start_async_job(s, &args, ssl_io_intern);
2823 } else {
2824 return s->method->ssl_shutdown(s);
2825 }
2826 } else {
2827 ERR_raise(ERR_LIB_SSL, SSL_R_SHUTDOWN_WHILE_IN_INIT);
2828 return -1;
2829 }
2830 }
2831
2832 int SSL_key_update(SSL *s, int updatetype)
2833 {
2834 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
2835
2836 #ifndef OPENSSL_NO_QUIC
2837 if (IS_QUIC(s))
2838 return ossl_quic_key_update(s, updatetype);
2839 #endif
2840
2841 if (sc == NULL)
2842 return 0;
2843
2844 if (!SSL_CONNECTION_IS_TLS13(sc)) {
2845 ERR_raise(ERR_LIB_SSL, SSL_R_WRONG_SSL_VERSION);
2846 return 0;
2847 }
2848
2849 if (updatetype != SSL_KEY_UPDATE_NOT_REQUESTED
2850 && updatetype != SSL_KEY_UPDATE_REQUESTED) {
2851 ERR_raise(ERR_LIB_SSL, SSL_R_INVALID_KEY_UPDATE_TYPE);
2852 return 0;
2853 }
2854
2855 if (!SSL_is_init_finished(s)) {
2856 ERR_raise(ERR_LIB_SSL, SSL_R_STILL_IN_INIT);
2857 return 0;
2858 }
2859
2860 if (RECORD_LAYER_write_pending(&sc->rlayer)) {
2861 ERR_raise(ERR_LIB_SSL, SSL_R_BAD_WRITE_RETRY);
2862 return 0;
2863 }
2864
2865 ossl_statem_set_in_init(sc, 1);
2866 sc->key_update = updatetype;
2867 return 1;
2868 }
2869
2870 int SSL_get_key_update_type(const SSL *s)
2871 {
2872 const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
2873
2874 #ifndef OPENSSL_NO_QUIC
2875 if (IS_QUIC(s))
2876 return ossl_quic_get_key_update_type(s);
2877 #endif
2878
2879 if (sc == NULL)
2880 return 0;
2881
2882 return sc->key_update;
2883 }
2884
2885 /*
2886 * Can we accept a renegotiation request? If yes, set the flag and
2887 * return 1 if yes. If not, raise error and return 0.
2888 */
2889 static int can_renegotiate(const SSL_CONNECTION *sc)
2890 {
2891 if (SSL_CONNECTION_IS_TLS13(sc)) {
2892 ERR_raise(ERR_LIB_SSL, SSL_R_WRONG_SSL_VERSION);
2893 return 0;
2894 }
2895
2896 if ((sc->options & SSL_OP_NO_RENEGOTIATION) != 0) {
2897 ERR_raise(ERR_LIB_SSL, SSL_R_NO_RENEGOTIATION);
2898 return 0;
2899 }
2900
2901 return 1;
2902 }
2903
2904 int SSL_renegotiate(SSL *s)
2905 {
2906 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL_ONLY(s);
2907
2908 if (sc == NULL)
2909 return 0;
2910
2911 if (!can_renegotiate(sc))
2912 return 0;
2913
2914 sc->renegotiate = 1;
2915 sc->new_session = 1;
2916 return s->method->ssl_renegotiate(s);
2917 }
2918
2919 int SSL_renegotiate_abbreviated(SSL *s)
2920 {
2921 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL_ONLY(s);
2922
2923 if (sc == NULL)
2924 return 0;
2925
2926 if (!can_renegotiate(sc))
2927 return 0;
2928
2929 sc->renegotiate = 1;
2930 sc->new_session = 0;
2931 return s->method->ssl_renegotiate(s);
2932 }
2933
2934 int SSL_renegotiate_pending(const SSL *s)
2935 {
2936 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL_ONLY(s);
2937
2938 if (sc == NULL)
2939 return 0;
2940
2941 /*
2942 * becomes true when negotiation is requested; false again once a
2943 * handshake has finished
2944 */
2945 return (sc->renegotiate != 0);
2946 }
2947
2948 int SSL_new_session_ticket(SSL *s)
2949 {
2950 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
2951
2952 if (sc == NULL)
2953 return 0;
2954
2955 /* If we are in init because we're sending tickets, okay to send more. */
2956 if ((SSL_in_init(s) && sc->ext.extra_tickets_expected == 0)
2957 || SSL_IS_FIRST_HANDSHAKE(sc) || !sc->server
2958 || !SSL_CONNECTION_IS_TLS13(sc))
2959 return 0;
2960 sc->ext.extra_tickets_expected++;
2961 if (!RECORD_LAYER_write_pending(&sc->rlayer) && !SSL_in_init(s))
2962 ossl_statem_set_in_init(sc, 1);
2963 return 1;
2964 }
2965
2966 long SSL_ctrl(SSL *s, int cmd, long larg, void *parg)
2967 {
2968 return ossl_ctrl_internal(s, cmd, larg, parg, /*no_quic=*/0);
2969 }
2970
2971 long ossl_ctrl_internal(SSL *s, int cmd, long larg, void *parg, int no_quic)
2972 {
2973 long l;
2974 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
2975
2976 /*
2977 * Routing of ctrl calls for QUIC is a little counterintuitive:
2978 *
2979 * - Firstly (no_quic=0), we pass the ctrl directly to our QUIC
2980 * implementation in case it wants to handle the ctrl specially.
2981 *
2982 * - If our QUIC implementation does not care about the ctrl, it
2983 * will reenter this function with no_quic=1 and we will try to handle
2984 * it directly using the QCSO SSL object stub (not the handshake layer
2985 * SSL object). This is important for e.g. the version configuration
2986 * ctrls below, which must use s->defltmeth (and not sc->defltmeth).
2987 *
2988 * - If we don't handle a ctrl here specially, then processing is
2989 * redirected to the handshake layer SSL object.
2990 */
2991 if (!no_quic && IS_QUIC(s))
2992 return s->method->ssl_ctrl(s, cmd, larg, parg);
2993
2994 if (sc == NULL)
2995 return 0;
2996
2997 switch (cmd) {
2998 case SSL_CTRL_GET_READ_AHEAD:
2999 return RECORD_LAYER_get_read_ahead(&sc->rlayer);
3000 case SSL_CTRL_SET_READ_AHEAD:
3001 l = RECORD_LAYER_get_read_ahead(&sc->rlayer);
3002 RECORD_LAYER_set_read_ahead(&sc->rlayer, larg);
3003 return l;
3004
3005 case SSL_CTRL_MODE:
3006 {
3007 OSSL_PARAM options[2], *opts = options;
3008
3009 sc->mode |= larg;
3010
3011 *opts++ = OSSL_PARAM_construct_uint32(OSSL_LIBSSL_RECORD_LAYER_PARAM_MODE,
3012 &sc->mode);
3013 *opts = OSSL_PARAM_construct_end();
3014
3015 /* Ignore return value */
3016 sc->rlayer.rrlmethod->set_options(sc->rlayer.rrl, options);
3017
3018 return sc->mode;
3019 }
3020 case SSL_CTRL_CLEAR_MODE:
3021 return (sc->mode &= ~larg);
3022 case SSL_CTRL_GET_MAX_CERT_LIST:
3023 return (long)sc->max_cert_list;
3024 case SSL_CTRL_SET_MAX_CERT_LIST:
3025 if (larg < 0)
3026 return 0;
3027 l = (long)sc->max_cert_list;
3028 sc->max_cert_list = (size_t)larg;
3029 return l;
3030 case SSL_CTRL_SET_MAX_SEND_FRAGMENT:
3031 if (larg < 512 || larg > SSL3_RT_MAX_PLAIN_LENGTH)
3032 return 0;
3033 #ifndef OPENSSL_NO_KTLS
3034 if (sc->wbio != NULL && BIO_get_ktls_send(sc->wbio))
3035 return 0;
3036 #endif /* OPENSSL_NO_KTLS */
3037 sc->max_send_fragment = larg;
3038 if (sc->max_send_fragment < sc->split_send_fragment)
3039 sc->split_send_fragment = sc->max_send_fragment;
3040 sc->rlayer.wrlmethod->set_max_frag_len(sc->rlayer.wrl, larg);
3041 return 1;
3042 case SSL_CTRL_SET_SPLIT_SEND_FRAGMENT:
3043 if ((size_t)larg > sc->max_send_fragment || larg == 0)
3044 return 0;
3045 sc->split_send_fragment = larg;
3046 return 1;
3047 case SSL_CTRL_SET_MAX_PIPELINES:
3048 if (larg < 1 || larg > SSL_MAX_PIPELINES)
3049 return 0;
3050 sc->max_pipelines = larg;
3051 if (sc->rlayer.rrlmethod->set_max_pipelines != NULL)
3052 sc->rlayer.rrlmethod->set_max_pipelines(sc->rlayer.rrl, (size_t)larg);
3053 return 1;
3054 case SSL_CTRL_GET_RI_SUPPORT:
3055 return sc->s3.send_connection_binding;
3056 case SSL_CTRL_SET_RETRY_VERIFY:
3057 sc->rwstate = SSL_RETRY_VERIFY;
3058 return 1;
3059 case SSL_CTRL_CERT_FLAGS:
3060 return (sc->cert->cert_flags |= larg);
3061 case SSL_CTRL_CLEAR_CERT_FLAGS:
3062 return (sc->cert->cert_flags &= ~larg);
3063
3064 case SSL_CTRL_GET_RAW_CIPHERLIST:
3065 if (parg) {
3066 if (sc->s3.tmp.ciphers_raw == NULL)
3067 return 0;
3068 *(unsigned char **)parg = sc->s3.tmp.ciphers_raw;
3069 return (int)sc->s3.tmp.ciphers_rawlen;
3070 } else {
3071 return TLS_CIPHER_LEN;
3072 }
3073 case SSL_CTRL_GET_EXTMS_SUPPORT:
3074 if (!sc->session || SSL_in_init(s) || ossl_statem_get_in_handshake(sc))
3075 return -1;
3076 if (sc->session->flags & SSL_SESS_FLAG_EXTMS)
3077 return 1;
3078 else
3079 return 0;
3080 case SSL_CTRL_SET_MIN_PROTO_VERSION:
3081 return ssl_check_allowed_versions(larg, sc->max_proto_version)
3082 && ssl_set_version_bound(s->defltmeth->version, (int)larg,
3083 &sc->min_proto_version);
3084 case SSL_CTRL_GET_MIN_PROTO_VERSION:
3085 return sc->min_proto_version;
3086 case SSL_CTRL_SET_MAX_PROTO_VERSION:
3087 return ssl_check_allowed_versions(sc->min_proto_version, larg)
3088 && ssl_set_version_bound(s->defltmeth->version, (int)larg,
3089 &sc->max_proto_version);
3090 case SSL_CTRL_GET_MAX_PROTO_VERSION:
3091 return sc->max_proto_version;
3092 default:
3093 if (IS_QUIC(s))
3094 return SSL_ctrl((SSL *)sc, cmd, larg, parg);
3095 else
3096 return s->method->ssl_ctrl(s, cmd, larg, parg);
3097 }
3098 }
3099
3100 long SSL_callback_ctrl(SSL *s, int cmd, void (*fp) (void))
3101 {
3102 return s->method->ssl_callback_ctrl(s, cmd, fp);
3103 }
3104
3105 LHASH_OF(SSL_SESSION) *SSL_CTX_sessions(SSL_CTX *ctx)
3106 {
3107 return ctx->sessions;
3108 }
3109
3110 static int ssl_tsan_load(SSL_CTX *ctx, TSAN_QUALIFIER int *stat)
3111 {
3112 int res = 0;
3113
3114 if (ssl_tsan_lock(ctx)) {
3115 res = tsan_load(stat);
3116 ssl_tsan_unlock(ctx);
3117 }
3118 return res;
3119 }
3120
3121 long SSL_CTX_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
3122 {
3123 long l;
3124
3125 /* For some cases with ctx == NULL or larg == 1 perform syntax checks */
3126 if (cmd == SSL_CTRL_SET_GROUPS_LIST && larg == 1)
3127 return tls1_set_groups_list(ctx, NULL, NULL, NULL, NULL, NULL, NULL, parg);
3128 if (ctx == NULL) {
3129 switch (cmd) {
3130 case SSL_CTRL_SET_SIGALGS_LIST:
3131 case SSL_CTRL_SET_CLIENT_SIGALGS_LIST:
3132 return tls1_set_sigalgs_list(ctx, NULL, parg, 0);
3133 default:
3134 return 0;
3135 }
3136 }
3137
3138 switch (cmd) {
3139 case SSL_CTRL_GET_READ_AHEAD:
3140 return ctx->read_ahead;
3141 case SSL_CTRL_SET_READ_AHEAD:
3142 l = ctx->read_ahead;
3143 ctx->read_ahead = larg;
3144 return l;
3145
3146 case SSL_CTRL_SET_MSG_CALLBACK_ARG:
3147 ctx->msg_callback_arg = parg;
3148 return 1;
3149
3150 case SSL_CTRL_GET_MAX_CERT_LIST:
3151 return (long)ctx->max_cert_list;
3152 case SSL_CTRL_SET_MAX_CERT_LIST:
3153 if (larg < 0)
3154 return 0;
3155 l = (long)ctx->max_cert_list;
3156 ctx->max_cert_list = (size_t)larg;
3157 return l;
3158
3159 case SSL_CTRL_SET_SESS_CACHE_SIZE:
3160 if (larg < 0)
3161 return 0;
3162 l = (long)ctx->session_cache_size;
3163 ctx->session_cache_size = (size_t)larg;
3164 return l;
3165 case SSL_CTRL_GET_SESS_CACHE_SIZE:
3166 return (long)ctx->session_cache_size;
3167 case SSL_CTRL_SET_SESS_CACHE_MODE:
3168 l = ctx->session_cache_mode;
3169 ctx->session_cache_mode = larg;
3170 return l;
3171 case SSL_CTRL_GET_SESS_CACHE_MODE:
3172 return ctx->session_cache_mode;
3173
3174 case SSL_CTRL_SESS_NUMBER:
3175 return lh_SSL_SESSION_num_items(ctx->sessions);
3176 case SSL_CTRL_SESS_CONNECT:
3177 return ssl_tsan_load(ctx, &ctx->stats.sess_connect);
3178 case SSL_CTRL_SESS_CONNECT_GOOD:
3179 return ssl_tsan_load(ctx, &ctx->stats.sess_connect_good);
3180 case SSL_CTRL_SESS_CONNECT_RENEGOTIATE:
3181 return ssl_tsan_load(ctx, &ctx->stats.sess_connect_renegotiate);
3182 case SSL_CTRL_SESS_ACCEPT:
3183 return ssl_tsan_load(ctx, &ctx->stats.sess_accept);
3184 case SSL_CTRL_SESS_ACCEPT_GOOD:
3185 return ssl_tsan_load(ctx, &ctx->stats.sess_accept_good);
3186 case SSL_CTRL_SESS_ACCEPT_RENEGOTIATE:
3187 return ssl_tsan_load(ctx, &ctx->stats.sess_accept_renegotiate);
3188 case SSL_CTRL_SESS_HIT:
3189 return ssl_tsan_load(ctx, &ctx->stats.sess_hit);
3190 case SSL_CTRL_SESS_CB_HIT:
3191 return ssl_tsan_load(ctx, &ctx->stats.sess_cb_hit);
3192 case SSL_CTRL_SESS_MISSES:
3193 return ssl_tsan_load(ctx, &ctx->stats.sess_miss);
3194 case SSL_CTRL_SESS_TIMEOUTS:
3195 return ssl_tsan_load(ctx, &ctx->stats.sess_timeout);
3196 case SSL_CTRL_SESS_CACHE_FULL:
3197 return ssl_tsan_load(ctx, &ctx->stats.sess_cache_full);
3198 case SSL_CTRL_MODE:
3199 return (ctx->mode |= larg);
3200 case SSL_CTRL_CLEAR_MODE:
3201 return (ctx->mode &= ~larg);
3202 case SSL_CTRL_SET_MAX_SEND_FRAGMENT:
3203 if (larg < 512 || larg > SSL3_RT_MAX_PLAIN_LENGTH)
3204 return 0;
3205 ctx->max_send_fragment = larg;
3206 if (ctx->max_send_fragment < ctx->split_send_fragment)
3207 ctx->split_send_fragment = ctx->max_send_fragment;
3208 return 1;
3209 case SSL_CTRL_SET_SPLIT_SEND_FRAGMENT:
3210 if ((size_t)larg > ctx->max_send_fragment || larg == 0)
3211 return 0;
3212 ctx->split_send_fragment = larg;
3213 return 1;
3214 case SSL_CTRL_SET_MAX_PIPELINES:
3215 if (larg < 1 || larg > SSL_MAX_PIPELINES)
3216 return 0;
3217 ctx->max_pipelines = larg;
3218 return 1;
3219 case SSL_CTRL_CERT_FLAGS:
3220 return (ctx->cert->cert_flags |= larg);
3221 case SSL_CTRL_CLEAR_CERT_FLAGS:
3222 return (ctx->cert->cert_flags &= ~larg);
3223 case SSL_CTRL_SET_MIN_PROTO_VERSION:
3224 return ssl_check_allowed_versions(larg, ctx->max_proto_version)
3225 && ssl_set_version_bound(ctx->method->version, (int)larg,
3226 &ctx->min_proto_version);
3227 case SSL_CTRL_GET_MIN_PROTO_VERSION:
3228 return ctx->min_proto_version;
3229 case SSL_CTRL_SET_MAX_PROTO_VERSION:
3230 return ssl_check_allowed_versions(ctx->min_proto_version, larg)
3231 && ssl_set_version_bound(ctx->method->version, (int)larg,
3232 &ctx->max_proto_version);
3233 case SSL_CTRL_GET_MAX_PROTO_VERSION:
3234 return ctx->max_proto_version;
3235 default:
3236 return ctx->method->ssl_ctx_ctrl(ctx, cmd, larg, parg);
3237 }
3238 }
3239
3240 long SSL_CTX_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp) (void))
3241 {
3242 switch (cmd) {
3243 case SSL_CTRL_SET_MSG_CALLBACK:
3244 ctx->msg_callback = (void (*)
3245 (int write_p, int version, int content_type,
3246 const void *buf, size_t len, SSL *ssl,
3247 void *arg))(fp);
3248 return 1;
3249
3250 default:
3251 return ctx->method->ssl_ctx_callback_ctrl(ctx, cmd, fp);
3252 }
3253 }
3254
3255 int ssl_cipher_id_cmp(const SSL_CIPHER *a, const SSL_CIPHER *b)
3256 {
3257 if (a->id > b->id)
3258 return 1;
3259 if (a->id < b->id)
3260 return -1;
3261 return 0;
3262 }
3263
3264 int ssl_cipher_ptr_id_cmp(const SSL_CIPHER *const *ap,
3265 const SSL_CIPHER *const *bp)
3266 {
3267 if ((*ap)->id > (*bp)->id)
3268 return 1;
3269 if ((*ap)->id < (*bp)->id)
3270 return -1;
3271 return 0;
3272 }
3273
3274 /*
3275 * return a STACK of the ciphers available for the SSL and in order of
3276 * preference
3277 */
3278 STACK_OF(SSL_CIPHER) *SSL_get_ciphers(const SSL *s)
3279 {
3280 const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
3281
3282 if (sc != NULL) {
3283 if (sc->cipher_list != NULL) {
3284 return sc->cipher_list;
3285 } else if ((s->ctx != NULL) && (s->ctx->cipher_list != NULL)) {
3286 return s->ctx->cipher_list;
3287 }
3288 }
3289 return NULL;
3290 }
3291
3292 STACK_OF(SSL_CIPHER) *SSL_get_client_ciphers(const SSL *s)
3293 {
3294 const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
3295
3296 if (sc == NULL || !sc->server)
3297 return NULL;
3298 return sc->peer_ciphers;
3299 }
3300
3301 STACK_OF(SSL_CIPHER) *SSL_get1_supported_ciphers(SSL *s)
3302 {
3303 STACK_OF(SSL_CIPHER) *sk = NULL, *ciphers;
3304 int i;
3305 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
3306
3307 if (sc == NULL)
3308 return NULL;
3309
3310 ciphers = SSL_get_ciphers(s);
3311 if (!ciphers)
3312 return NULL;
3313 if (!ssl_set_client_disabled(sc))
3314 return NULL;
3315 for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) {
3316 const SSL_CIPHER *c = sk_SSL_CIPHER_value(ciphers, i);
3317 if (!ssl_cipher_disabled(sc, c, SSL_SECOP_CIPHER_SUPPORTED, 0)) {
3318 if (!sk)
3319 sk = sk_SSL_CIPHER_new_null();
3320 if (!sk)
3321 return NULL;
3322 if (!sk_SSL_CIPHER_push(sk, c)) {
3323 sk_SSL_CIPHER_free(sk);
3324 return NULL;
3325 }
3326 }
3327 }
3328 return sk;
3329 }
3330
3331 /** return a STACK of the ciphers available for the SSL and in order of
3332 * algorithm id */
3333 STACK_OF(SSL_CIPHER) *ssl_get_ciphers_by_id(SSL_CONNECTION *s)
3334 {
3335 if (s != NULL) {
3336 if (s->cipher_list_by_id != NULL)
3337 return s->cipher_list_by_id;
3338 else if (s->ssl.ctx != NULL
3339 && s->ssl.ctx->cipher_list_by_id != NULL)
3340 return s->ssl.ctx->cipher_list_by_id;
3341 }
3342 return NULL;
3343 }
3344
3345 /** The old interface to get the same thing as SSL_get_ciphers() */
3346 const char *SSL_get_cipher_list(const SSL *s, int n)
3347 {
3348 const SSL_CIPHER *c;
3349 STACK_OF(SSL_CIPHER) *sk;
3350
3351 if (s == NULL)
3352 return NULL;
3353 sk = SSL_get_ciphers(s);
3354 if ((sk == NULL) || (sk_SSL_CIPHER_num(sk) <= n))
3355 return NULL;
3356 c = sk_SSL_CIPHER_value(sk, n);
3357 if (c == NULL)
3358 return NULL;
3359 return c->name;
3360 }
3361
3362 /** return a STACK of the ciphers available for the SSL_CTX and in order of
3363 * preference */
3364 STACK_OF(SSL_CIPHER) *SSL_CTX_get_ciphers(const SSL_CTX *ctx)
3365 {
3366 if (ctx != NULL)
3367 return ctx->cipher_list;
3368 return NULL;
3369 }
3370
3371 /*
3372 * Distinguish between ciphers controlled by set_ciphersuite() and
3373 * set_cipher_list() when counting.
3374 */
3375 static int cipher_list_tls12_num(STACK_OF(SSL_CIPHER) *sk)
3376 {
3377 int i, num = 0;
3378 const SSL_CIPHER *c;
3379
3380 if (sk == NULL)
3381 return 0;
3382 for (i = 0; i < sk_SSL_CIPHER_num(sk); ++i) {
3383 c = sk_SSL_CIPHER_value(sk, i);
3384 if (c->min_tls >= TLS1_3_VERSION)
3385 continue;
3386 num++;
3387 }
3388 return num;
3389 }
3390
3391 /** specify the ciphers to be used by default by the SSL_CTX */
3392 int SSL_CTX_set_cipher_list(SSL_CTX *ctx, const char *str)
3393 {
3394 STACK_OF(SSL_CIPHER) *sk;
3395
3396 sk = ssl_create_cipher_list(ctx, ctx->tls13_ciphersuites,
3397 &ctx->cipher_list, &ctx->cipher_list_by_id, str,
3398 ctx->cert);
3399 /*
3400 * ssl_create_cipher_list may return an empty stack if it was unable to
3401 * find a cipher matching the given rule string (for example if the rule
3402 * string specifies a cipher which has been disabled). This is not an
3403 * error as far as ssl_create_cipher_list is concerned, and hence
3404 * ctx->cipher_list and ctx->cipher_list_by_id has been updated.
3405 */
3406 if (sk == NULL)
3407 return 0;
3408 if (ctx->method->num_ciphers() > 0 && cipher_list_tls12_num(sk) == 0) {
3409 ERR_raise(ERR_LIB_SSL, SSL_R_NO_CIPHER_MATCH);
3410 return 0;
3411 }
3412 return 1;
3413 }
3414
3415 /** specify the ciphers to be used by the SSL */
3416 int SSL_set_cipher_list(SSL *s, const char *str)
3417 {
3418 STACK_OF(SSL_CIPHER) *sk;
3419 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
3420 SSL_CTX *ctx;
3421
3422 if (sc == NULL)
3423 return 0;
3424
3425 ctx = s->ctx;
3426 sk = ssl_create_cipher_list(ctx, sc->tls13_ciphersuites,
3427 &sc->cipher_list, &sc->cipher_list_by_id, str,
3428 sc->cert);
3429 /* see comment in SSL_CTX_set_cipher_list */
3430 if (sk == NULL)
3431 return 0;
3432 if (ctx->method->num_ciphers() > 0 && cipher_list_tls12_num(sk) == 0) {
3433 ERR_raise(ERR_LIB_SSL, SSL_R_NO_CIPHER_MATCH);
3434 return 0;
3435 }
3436 return 1;
3437 }
3438
3439 char *SSL_get_shared_ciphers(const SSL *s, char *buf, int size)
3440 {
3441 char *p;
3442 STACK_OF(SSL_CIPHER) *clntsk, *srvrsk;
3443 const SSL_CIPHER *c;
3444 int i;
3445 const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
3446
3447 if (sc == NULL)
3448 return NULL;
3449
3450 if (!sc->server
3451 || sc->peer_ciphers == NULL
3452 || size < 2)
3453 return NULL;
3454
3455 p = buf;
3456 clntsk = sc->peer_ciphers;
3457 srvrsk = SSL_get_ciphers(s);
3458 if (clntsk == NULL || srvrsk == NULL)
3459 return NULL;
3460
3461 if (sk_SSL_CIPHER_num(clntsk) == 0 || sk_SSL_CIPHER_num(srvrsk) == 0)
3462 return NULL;
3463
3464 for (i = 0; i < sk_SSL_CIPHER_num(clntsk); i++) {
3465 int n;
3466
3467 c = sk_SSL_CIPHER_value(clntsk, i);
3468 if (sk_SSL_CIPHER_find(srvrsk, c) < 0)
3469 continue;
3470
3471 n = (int)OPENSSL_strnlen(c->name, size);
3472 if (n >= size) {
3473 if (p != buf)
3474 --p;
3475 *p = '\0';
3476 return buf;
3477 }
3478 memcpy(p, c->name, n);
3479 p += n;
3480 *(p++) = ':';
3481 size -= n + 1;
3482 }
3483 p[-1] = '\0';
3484 return buf;
3485 }
3486
3487 /**
3488 * Return the requested servername (SNI) value. Note that the behaviour varies
3489 * depending on:
3490 * - whether this is called by the client or the server,
3491 * - if we are before or during/after the handshake,
3492 * - if a resumption or normal handshake is being attempted/has occurred
3493 * - whether we have negotiated TLSv1.2 (or below) or TLSv1.3
3494 *
3495 * Note that only the host_name type is defined (RFC 3546).
3496 */
3497 const char *SSL_get_servername(const SSL *s, const int type)
3498 {
3499 const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
3500 int server;
3501
3502 if (sc == NULL)
3503 return NULL;
3504
3505 /*
3506 * If we don't know if we are the client or the server yet then we assume
3507 * client.
3508 */
3509 server = sc->handshake_func == NULL ? 0 : sc->server;
3510
3511 if (type != TLSEXT_NAMETYPE_host_name)
3512 return NULL;
3513
3514 if (server) {
3515 /**
3516 * Server side
3517 * In TLSv1.3 on the server SNI is not associated with the session
3518 * but in TLSv1.2 or below it is.
3519 *
3520 * Before the handshake:
3521 * - return NULL
3522 *
3523 * During/after the handshake (TLSv1.2 or below resumption occurred):
3524 * - If a servername was accepted by the server in the original
3525 * handshake then it will return that servername, or NULL otherwise.
3526 *
3527 * During/after the handshake (TLSv1.2 or below resumption did not occur):
3528 * - The function will return the servername requested by the client in
3529 * this handshake or NULL if none was requested.
3530 */
3531 if (sc->hit && !SSL_CONNECTION_IS_TLS13(sc))
3532 return sc->session->ext.hostname;
3533 } else {
3534 /**
3535 * Client side
3536 *
3537 * Before the handshake:
3538 * - If a servername has been set via a call to
3539 * SSL_set_tlsext_host_name() then it will return that servername
3540 * - If one has not been set, but a TLSv1.2 resumption is being
3541 * attempted and the session from the original handshake had a
3542 * servername accepted by the server then it will return that
3543 * servername
3544 * - Otherwise it returns NULL
3545 *
3546 * During/after the handshake (TLSv1.2 or below resumption occurred):
3547 * - If the session from the original handshake had a servername accepted
3548 * by the server then it will return that servername.
3549 * - Otherwise it returns the servername set via
3550 * SSL_set_tlsext_host_name() (or NULL if it was not called).
3551 *
3552 * During/after the handshake (TLSv1.2 or below resumption did not occur):
3553 * - It will return the servername set via SSL_set_tlsext_host_name()
3554 * (or NULL if it was not called).
3555 */
3556 if (SSL_in_before(s)) {
3557 if (sc->ext.hostname == NULL
3558 && sc->session != NULL
3559 && sc->session->ssl_version != TLS1_3_VERSION)
3560 return sc->session->ext.hostname;
3561 } else {
3562 if (!SSL_CONNECTION_IS_TLS13(sc) && sc->hit
3563 && sc->session->ext.hostname != NULL)
3564 return sc->session->ext.hostname;
3565 }
3566 }
3567
3568 return sc->ext.hostname;
3569 }
3570
3571 int SSL_get_servername_type(const SSL *s)
3572 {
3573 if (SSL_get_servername(s, TLSEXT_NAMETYPE_host_name) != NULL)
3574 return TLSEXT_NAMETYPE_host_name;
3575 return -1;
3576 }
3577
3578 /*
3579 * SSL_select_next_proto implements the standard protocol selection. It is
3580 * expected that this function is called from the callback set by
3581 * SSL_CTX_set_next_proto_select_cb. The protocol data is assumed to be a
3582 * vector of 8-bit, length prefixed byte strings. The length byte itself is
3583 * not included in the length. A byte string of length 0 is invalid. No byte
3584 * string may be truncated. The current, but experimental algorithm for
3585 * selecting the protocol is: 1) If the server doesn't support NPN then this
3586 * is indicated to the callback. In this case, the client application has to
3587 * abort the connection or have a default application level protocol. 2) If
3588 * the server supports NPN, but advertises an empty list then the client
3589 * selects the first protocol in its list, but indicates via the API that this
3590 * fallback case was enacted. 3) Otherwise, the client finds the first
3591 * protocol in the server's list that it supports and selects this protocol.
3592 * This is because it's assumed that the server has better information about
3593 * which protocol a client should use. 4) If the client doesn't support any
3594 * of the server's advertised protocols, then this is treated the same as
3595 * case 2. It returns either OPENSSL_NPN_NEGOTIATED if a common protocol was
3596 * found, or OPENSSL_NPN_NO_OVERLAP if the fallback case was reached.
3597 */
3598 int SSL_select_next_proto(unsigned char **out, unsigned char *outlen,
3599 const unsigned char *server,
3600 unsigned int server_len,
3601 const unsigned char *client, unsigned int client_len)
3602 {
3603 PACKET cpkt, csubpkt, spkt, ssubpkt;
3604
3605 if (!PACKET_buf_init(&cpkt, client, client_len)
3606 || !PACKET_get_length_prefixed_1(&cpkt, &csubpkt)
3607 || PACKET_remaining(&csubpkt) == 0) {
3608 *out = NULL;
3609 *outlen = 0;
3610 return OPENSSL_NPN_NO_OVERLAP;
3611 }
3612
3613 /*
3614 * Set the default opportunistic protocol. Will be overwritten if we find
3615 * a match.
3616 */
3617 *out = (unsigned char *)PACKET_data(&csubpkt);
3618 *outlen = (unsigned char)PACKET_remaining(&csubpkt);
3619
3620 /*
3621 * For each protocol in server preference order, see if we support it.
3622 */
3623 if (PACKET_buf_init(&spkt, server, server_len)) {
3624 while (PACKET_get_length_prefixed_1(&spkt, &ssubpkt)) {
3625 if (PACKET_remaining(&ssubpkt) == 0)
3626 continue; /* Invalid - ignore it */
3627 if (PACKET_buf_init(&cpkt, client, client_len)) {
3628 while (PACKET_get_length_prefixed_1(&cpkt, &csubpkt)) {
3629 if (PACKET_equal(&csubpkt, PACKET_data(&ssubpkt),
3630 PACKET_remaining(&ssubpkt))) {
3631 /* We found a match */
3632 *out = (unsigned char *)PACKET_data(&ssubpkt);
3633 *outlen = (unsigned char)PACKET_remaining(&ssubpkt);
3634 return OPENSSL_NPN_NEGOTIATED;
3635 }
3636 }
3637 /* Ignore spurious trailing bytes in the client list */
3638 } else {
3639 /* This should never happen */
3640 return OPENSSL_NPN_NO_OVERLAP;
3641 }
3642 }
3643 /* Ignore spurious trailing bytes in the server list */
3644 }
3645
3646 /*
3647 * There's no overlap between our protocols and the server's list. We use
3648 * the default opportunistic protocol selected earlier
3649 */
3650 return OPENSSL_NPN_NO_OVERLAP;
3651 }
3652
3653 #ifndef OPENSSL_NO_NEXTPROTONEG
3654 /*
3655 * SSL_get0_next_proto_negotiated sets *data and *len to point to the
3656 * client's requested protocol for this connection and returns 0. If the
3657 * client didn't request any protocol, then *data is set to NULL. Note that
3658 * the client can request any protocol it chooses. The value returned from
3659 * this function need not be a member of the list of supported protocols
3660 * provided by the callback.
3661 */
3662 void SSL_get0_next_proto_negotiated(const SSL *s, const unsigned char **data,
3663 unsigned *len)
3664 {
3665 const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
3666
3667 if (sc == NULL) {
3668 /* We have no other way to indicate error */
3669 *data = NULL;
3670 *len = 0;
3671 return;
3672 }
3673
3674 *data = sc->ext.npn;
3675 if (*data == NULL) {
3676 *len = 0;
3677 } else {
3678 *len = (unsigned int)sc->ext.npn_len;
3679 }
3680 }
3681
3682 /*
3683 * SSL_CTX_set_npn_advertised_cb sets a callback that is called when
3684 * a TLS server needs a list of supported protocols for Next Protocol
3685 * Negotiation. The returned list must be in wire format. The list is
3686 * returned by setting |out| to point to it and |outlen| to its length. This
3687 * memory will not be modified, but one should assume that the SSL* keeps a
3688 * reference to it. The callback should return SSL_TLSEXT_ERR_OK if it
3689 * wishes to advertise. Otherwise, no such extension will be included in the
3690 * ServerHello.
3691 */
3692 void SSL_CTX_set_npn_advertised_cb(SSL_CTX *ctx,
3693 SSL_CTX_npn_advertised_cb_func cb,
3694 void *arg)
3695 {
3696 if (IS_QUIC_CTX(ctx))
3697 /* NPN not allowed for QUIC */
3698 return;
3699
3700 ctx->ext.npn_advertised_cb = cb;
3701 ctx->ext.npn_advertised_cb_arg = arg;
3702 }
3703
3704 /*
3705 * SSL_CTX_set_next_proto_select_cb sets a callback that is called when a
3706 * client needs to select a protocol from the server's provided list. |out|
3707 * must be set to point to the selected protocol (which may be within |in|).
3708 * The length of the protocol name must be written into |outlen|. The
3709 * server's advertised protocols are provided in |in| and |inlen|. The
3710 * callback can assume that |in| is syntactically valid. The client must
3711 * select a protocol. It is fatal to the connection if this callback returns
3712 * a value other than SSL_TLSEXT_ERR_OK.
3713 */
3714 void SSL_CTX_set_npn_select_cb(SSL_CTX *ctx,
3715 SSL_CTX_npn_select_cb_func cb,
3716 void *arg)
3717 {
3718 if (IS_QUIC_CTX(ctx))
3719 /* NPN not allowed for QUIC */
3720 return;
3721
3722 ctx->ext.npn_select_cb = cb;
3723 ctx->ext.npn_select_cb_arg = arg;
3724 }
3725 #endif
3726
3727 static int alpn_value_ok(const unsigned char *protos, unsigned int protos_len)
3728 {
3729 unsigned int idx;
3730
3731 if (protos_len < 2 || protos == NULL)
3732 return 0;
3733
3734 for (idx = 0; idx < protos_len; idx += protos[idx] + 1) {
3735 if (protos[idx] == 0)
3736 return 0;
3737 }
3738 return idx == protos_len;
3739 }
3740 /*
3741 * SSL_CTX_set_alpn_protos sets the ALPN protocol list on |ctx| to |protos|.
3742 * |protos| must be in wire-format (i.e. a series of non-empty, 8-bit
3743 * length-prefixed strings). Returns 0 on success.
3744 */
3745 int SSL_CTX_set_alpn_protos(SSL_CTX *ctx, const unsigned char *protos,
3746 unsigned int protos_len)
3747 {
3748 unsigned char *alpn;
3749
3750 if (protos_len == 0 || protos == NULL) {
3751 OPENSSL_free(ctx->ext.alpn);
3752 ctx->ext.alpn = NULL;
3753 ctx->ext.alpn_len = 0;
3754 return 0;
3755 }
3756 /* Not valid per RFC */
3757 if (!alpn_value_ok(protos, protos_len))
3758 return 1;
3759
3760 alpn = OPENSSL_memdup(protos, protos_len);
3761 if (alpn == NULL)
3762 return 1;
3763 OPENSSL_free(ctx->ext.alpn);
3764 ctx->ext.alpn = alpn;
3765 ctx->ext.alpn_len = protos_len;
3766
3767 return 0;
3768 }
3769
3770 /*
3771 * SSL_set_alpn_protos sets the ALPN protocol list on |ssl| to |protos|.
3772 * |protos| must be in wire-format (i.e. a series of non-empty, 8-bit
3773 * length-prefixed strings). Returns 0 on success.
3774 */
3775 int SSL_set_alpn_protos(SSL *ssl, const unsigned char *protos,
3776 unsigned int protos_len)
3777 {
3778 unsigned char *alpn;
3779 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(ssl);
3780
3781 if (sc == NULL)
3782 return 1;
3783
3784 if (protos_len == 0 || protos == NULL) {
3785 OPENSSL_free(sc->ext.alpn);
3786 sc->ext.alpn = NULL;
3787 sc->ext.alpn_len = 0;
3788 return 0;
3789 }
3790 /* Not valid per RFC */
3791 if (!alpn_value_ok(protos, protos_len))
3792 return 1;
3793
3794 alpn = OPENSSL_memdup(protos, protos_len);
3795 if (alpn == NULL)
3796 return 1;
3797 OPENSSL_free(sc->ext.alpn);
3798 sc->ext.alpn = alpn;
3799 sc->ext.alpn_len = protos_len;
3800
3801 return 0;
3802 }
3803
3804 /*
3805 * SSL_CTX_set_alpn_select_cb sets a callback function on |ctx| that is
3806 * called during ClientHello processing in order to select an ALPN protocol
3807 * from the client's list of offered protocols.
3808 */
3809 void SSL_CTX_set_alpn_select_cb(SSL_CTX *ctx,
3810 SSL_CTX_alpn_select_cb_func cb,
3811 void *arg)
3812 {
3813 ctx->ext.alpn_select_cb = cb;
3814 ctx->ext.alpn_select_cb_arg = arg;
3815 }
3816
3817 /*
3818 * SSL_get0_alpn_selected gets the selected ALPN protocol (if any) from |ssl|.
3819 * On return it sets |*data| to point to |*len| bytes of protocol name
3820 * (not including the leading length-prefix byte). If the server didn't
3821 * respond with a negotiated protocol then |*len| will be zero.
3822 */
3823 void SSL_get0_alpn_selected(const SSL *ssl, const unsigned char **data,
3824 unsigned int *len)
3825 {
3826 const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(ssl);
3827
3828 if (sc == NULL) {
3829 /* We have no other way to indicate error */
3830 *data = NULL;
3831 *len = 0;
3832 return;
3833 }
3834
3835 *data = sc->s3.alpn_selected;
3836 if (*data == NULL)
3837 *len = 0;
3838 else
3839 *len = (unsigned int)sc->s3.alpn_selected_len;
3840 }
3841
3842 int SSL_export_keying_material(SSL *s, unsigned char *out, size_t olen,
3843 const char *label, size_t llen,
3844 const unsigned char *context, size_t contextlen,
3845 int use_context)
3846 {
3847 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
3848
3849 if (sc == NULL)
3850 return -1;
3851
3852 if (sc->session == NULL
3853 || (sc->version < TLS1_VERSION && sc->version != DTLS1_BAD_VER))
3854 return -1;
3855
3856 return sc->ssl.method->ssl3_enc->export_keying_material(sc, out, olen, label,
3857 llen, context,
3858 contextlen,
3859 use_context);
3860 }
3861
3862 int SSL_export_keying_material_early(SSL *s, unsigned char *out, size_t olen,
3863 const char *label, size_t llen,
3864 const unsigned char *context,
3865 size_t contextlen)
3866 {
3867 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
3868
3869 if (sc == NULL)
3870 return -1;
3871
3872 if (sc->version != TLS1_3_VERSION)
3873 return 0;
3874
3875 return tls13_export_keying_material_early(sc, out, olen, label, llen,
3876 context, contextlen);
3877 }
3878
3879 static unsigned long ssl_session_hash(const SSL_SESSION *a)
3880 {
3881 const unsigned char *session_id = a->session_id;
3882 unsigned long l;
3883 unsigned char tmp_storage[4];
3884
3885 if (a->session_id_length < sizeof(tmp_storage)) {
3886 memset(tmp_storage, 0, sizeof(tmp_storage));
3887 memcpy(tmp_storage, a->session_id, a->session_id_length);
3888 session_id = tmp_storage;
3889 }
3890
3891 l = (unsigned long)
3892 ((unsigned long)session_id[0]) |
3893 ((unsigned long)session_id[1] << 8L) |
3894 ((unsigned long)session_id[2] << 16L) |
3895 ((unsigned long)session_id[3] << 24L);
3896 return l;
3897 }
3898
3899 /*
3900 * NB: If this function (or indeed the hash function which uses a sort of
3901 * coarser function than this one) is changed, ensure
3902 * SSL_CTX_has_matching_session_id() is checked accordingly. It relies on
3903 * being able to construct an SSL_SESSION that will collide with any existing
3904 * session with a matching session ID.
3905 */
3906 static int ssl_session_cmp(const SSL_SESSION *a, const SSL_SESSION *b)
3907 {
3908 if (a->ssl_version != b->ssl_version)
3909 return 1;
3910 if (a->session_id_length != b->session_id_length)
3911 return 1;
3912 return memcmp(a->session_id, b->session_id, a->session_id_length);
3913 }
3914
3915 #ifndef OPENSSL_NO_SSLKEYLOG
3916 /**
3917 * @brief Static initialization for a one-time action to initialize the SSL key log.
3918 */
3919 static CRYPTO_ONCE ssl_keylog_once = CRYPTO_ONCE_STATIC_INIT;
3920
3921 /**
3922 * @brief Pointer to a read-write lock used to protect access to the key log.
3923 */
3924 static CRYPTO_RWLOCK *keylog_lock = NULL;
3925
3926 /**
3927 * @brief Pointer to a BIO structure used for writing the key log information.
3928 */
3929 static BIO *keylog_bio = NULL;
3930
3931 /**
3932 * @brief Initializes the SSLKEYLOGFILE lock.
3933 *
3934 * @return 1 on success, 0 on failure.
3935 */
3936 DEFINE_RUN_ONCE_STATIC(ssl_keylog_init)
3937 {
3938 keylog_lock = CRYPTO_THREAD_lock_new();
3939 if (keylog_lock == NULL)
3940 return 0;
3941 return 1;
3942 }
3943
3944 /**
3945 * @brief checks when a BIO refcount has reached zero, and sets
3946 * keylog_cb to NULL if it has
3947 *
3948 * @returns 1 always
3949 */
3950 static long check_keylog_bio_free(BIO *b, int oper, const char *argp,
3951 size_t len, int argi, long argl, int ret,
3952 size_t *processed)
3953 {
3954
3955 /*
3956 * Note we _dont_ take the keylog_lock here
3957 * This is intentional, because we only free the keylog lock
3958 * During SSL_CTX_free, in which we already posess the lock, so
3959 * Theres no need to grab it again here
3960 */
3961 if (oper == BIO_CB_FREE)
3962 keylog_bio = NULL;
3963 return ret;
3964 }
3965
3966 /**
3967 * @brief records ssl secrets to a file
3968 */
3969 static void do_sslkeylogfile(const SSL *ssl, const char *line)
3970 {
3971 if (keylog_lock == NULL)
3972 return;
3973
3974 if (!CRYPTO_THREAD_write_lock(keylog_lock))
3975 return;
3976 if (keylog_bio != NULL) {
3977 BIO_printf(keylog_bio, "%s\n", line);
3978 (void)BIO_flush(keylog_bio);
3979 }
3980 CRYPTO_THREAD_unlock(keylog_lock);
3981 }
3982 #endif
3983
3984 /*
3985 * These wrapper functions should remain rather than redeclaring
3986 * SSL_SESSION_hash and SSL_SESSION_cmp for void* types and casting each
3987 * variable. The reason is that the functions aren't static, they're exposed
3988 * via ssl.h.
3989 */
3990
3991 #ifndef OPENSSL_NO_SSLKEYLOG
3992 static BIO *get_sslkeylog_bio(const char *keylogfile)
3993 {
3994 # ifdef _POSIX_C_SOURCE
3995 BIO *b;
3996 int fdno = -1;
3997 FILE *fp = NULL;
3998
3999 fdno = open(keylogfile, O_WRONLY | O_CREAT | O_APPEND, 0600);
4000 if (fdno < 0)
4001 return NULL;
4002
4003 fp = fdopen(fdno, "a");
4004 if (fp == NULL) {
4005 close(fdno);
4006 return NULL;
4007 }
4008
4009 if ((b = BIO_new_fp(fp, BIO_CLOSE)) == NULL)
4010 fclose(fp);
4011 return b;
4012 # else
4013 return BIO_new_file(keylogfile, "a");
4014 # endif
4015 }
4016 #endif
4017
4018 SSL_CTX *SSL_CTX_new_ex(OSSL_LIB_CTX *libctx, const char *propq,
4019 const SSL_METHOD *meth)
4020 {
4021 SSL_CTX *ret = NULL;
4022 #ifndef OPENSSL_NO_SSLKEYLOG
4023 const char *keylogfile = ossl_safe_getenv("SSLKEYLOGFILE");
4024 #endif
4025 #ifndef OPENSSL_NO_COMP_ALG
4026 int i;
4027 #endif
4028
4029 if (meth == NULL) {
4030 ERR_raise(ERR_LIB_SSL, SSL_R_NULL_SSL_METHOD_PASSED);
4031 return NULL;
4032 }
4033
4034 if (!OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS, NULL))
4035 return NULL;
4036
4037 /* Doing this for the run once effect */
4038 if (SSL_get_ex_data_X509_STORE_CTX_idx() < 0) {
4039 ERR_raise(ERR_LIB_SSL, SSL_R_X509_VERIFICATION_SETUP_PROBLEMS);
4040 goto err;
4041 }
4042
4043 ret = OPENSSL_zalloc(sizeof(*ret));
4044 if (ret == NULL)
4045 return NULL;
4046
4047 /* Init the reference counting before any call to SSL_CTX_free */
4048 if (!CRYPTO_NEW_REF(&ret->references, 1)) {
4049 OPENSSL_free(ret);
4050 return NULL;
4051 }
4052
4053 ret->lock = CRYPTO_THREAD_lock_new();
4054 if (ret->lock == NULL) {
4055 ERR_raise(ERR_LIB_SSL, ERR_R_CRYPTO_LIB);
4056 goto err;
4057 }
4058
4059 #ifdef TSAN_REQUIRES_LOCKING
4060 ret->tsan_lock = CRYPTO_THREAD_lock_new();
4061 if (ret->tsan_lock == NULL) {
4062 ERR_raise(ERR_LIB_SSL, ERR_R_CRYPTO_LIB);
4063 goto err;
4064 }
4065 #endif
4066
4067 ret->libctx = libctx;
4068 if (propq != NULL) {
4069 ret->propq = OPENSSL_strdup(propq);
4070 if (ret->propq == NULL)
4071 goto err;
4072 }
4073
4074 ret->method = meth;
4075 ret->min_proto_version = 0;
4076 ret->max_proto_version = 0;
4077 ret->mode = SSL_MODE_AUTO_RETRY;
4078 ret->session_cache_mode = SSL_SESS_CACHE_SERVER;
4079 ret->session_cache_size = SSL_SESSION_CACHE_MAX_SIZE_DEFAULT;
4080 /* We take the system default. */
4081 ret->session_timeout = meth->get_timeout();
4082 ret->max_cert_list = SSL_MAX_CERT_LIST_DEFAULT;
4083 ret->verify_mode = SSL_VERIFY_NONE;
4084
4085 ret->sessions = lh_SSL_SESSION_new(ssl_session_hash, ssl_session_cmp);
4086 if (ret->sessions == NULL) {
4087 ERR_raise(ERR_LIB_SSL, ERR_R_CRYPTO_LIB);
4088 goto err;
4089 }
4090 ret->cert_store = X509_STORE_new();
4091 if (ret->cert_store == NULL) {
4092 ERR_raise(ERR_LIB_SSL, ERR_R_X509_LIB);
4093 goto err;
4094 }
4095 #ifndef OPENSSL_NO_CT
4096 ret->ctlog_store = CTLOG_STORE_new_ex(libctx, propq);
4097 if (ret->ctlog_store == NULL) {
4098 ERR_raise(ERR_LIB_SSL, ERR_R_CT_LIB);
4099 goto err;
4100 }
4101 #endif
4102
4103 /* initialize cipher/digest methods table */
4104 if (!ssl_load_ciphers(ret)) {
4105 ERR_raise(ERR_LIB_SSL, ERR_R_SSL_LIB);
4106 goto err;
4107 }
4108
4109 if (!ssl_load_groups(ret)) {
4110 ERR_raise(ERR_LIB_SSL, ERR_R_SSL_LIB);
4111 goto err;
4112 }
4113
4114 /* load provider sigalgs */
4115 if (!ssl_load_sigalgs(ret)) {
4116 ERR_raise(ERR_LIB_SSL, ERR_R_SSL_LIB);
4117 goto err;
4118 }
4119
4120 /* initialise sig algs */
4121 if (!ssl_setup_sigalgs(ret)) {
4122 ERR_raise(ERR_LIB_SSL, ERR_R_SSL_LIB);
4123 goto err;
4124 }
4125
4126 if (!SSL_CTX_set_ciphersuites(ret, OSSL_default_ciphersuites())) {
4127 ERR_raise(ERR_LIB_SSL, ERR_R_SSL_LIB);
4128 goto err;
4129 }
4130
4131 if ((ret->cert = ssl_cert_new(SSL_PKEY_NUM + ret->sigalg_list_len)) == NULL) {
4132 ERR_raise(ERR_LIB_SSL, ERR_R_SSL_LIB);
4133 goto err;
4134 }
4135
4136 if (!ssl_create_cipher_list(ret,
4137 ret->tls13_ciphersuites,
4138 &ret->cipher_list, &ret->cipher_list_by_id,
4139 OSSL_default_cipher_list(), ret->cert)
4140 || sk_SSL_CIPHER_num(ret->cipher_list) <= 0) {
4141 ERR_raise(ERR_LIB_SSL, SSL_R_LIBRARY_HAS_NO_CIPHERS);
4142 goto err;
4143 }
4144
4145 ret->param = X509_VERIFY_PARAM_new();
4146 if (ret->param == NULL) {
4147 ERR_raise(ERR_LIB_SSL, ERR_R_X509_LIB);
4148 goto err;
4149 }
4150
4151 /*
4152 * If these aren't available from the provider we'll get NULL returns.
4153 * That's fine but will cause errors later if SSLv3 is negotiated
4154 */
4155 ret->md5 = ssl_evp_md_fetch(libctx, NID_md5, propq);
4156 ret->sha1 = ssl_evp_md_fetch(libctx, NID_sha1, propq);
4157
4158 if ((ret->ca_names = sk_X509_NAME_new_null()) == NULL) {
4159 ERR_raise(ERR_LIB_SSL, ERR_R_CRYPTO_LIB);
4160 goto err;
4161 }
4162
4163 if ((ret->client_ca_names = sk_X509_NAME_new_null()) == NULL) {
4164 ERR_raise(ERR_LIB_SSL, ERR_R_CRYPTO_LIB);
4165 goto err;
4166 }
4167
4168 if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL_CTX, ret, &ret->ex_data)) {
4169 ERR_raise(ERR_LIB_SSL, ERR_R_CRYPTO_LIB);
4170 goto err;
4171 }
4172
4173 if ((ret->ext.secure = OPENSSL_secure_zalloc(sizeof(*ret->ext.secure))) == NULL)
4174 goto err;
4175
4176 /* No compression for DTLS */
4177 if (!(meth->ssl3_enc->enc_flags & SSL_ENC_FLAG_DTLS))
4178 ret->comp_methods = SSL_COMP_get_compression_methods();
4179
4180 ret->max_send_fragment = SSL3_RT_MAX_PLAIN_LENGTH;
4181 ret->split_send_fragment = SSL3_RT_MAX_PLAIN_LENGTH;
4182
4183 /* Setup RFC5077 ticket keys */
4184 if ((RAND_bytes_ex(libctx, ret->ext.tick_key_name,
4185 sizeof(ret->ext.tick_key_name), 0) <= 0)
4186 || (RAND_priv_bytes_ex(libctx, ret->ext.secure->tick_hmac_key,
4187 sizeof(ret->ext.secure->tick_hmac_key), 0) <= 0)
4188 || (RAND_priv_bytes_ex(libctx, ret->ext.secure->tick_aes_key,
4189 sizeof(ret->ext.secure->tick_aes_key), 0) <= 0))
4190 ret->options |= SSL_OP_NO_TICKET;
4191
4192 if (RAND_priv_bytes_ex(libctx, ret->ext.cookie_hmac_key,
4193 sizeof(ret->ext.cookie_hmac_key), 0) <= 0) {
4194 ERR_raise(ERR_LIB_SSL, ERR_R_RAND_LIB);
4195 goto err;
4196 }
4197
4198 #ifndef OPENSSL_NO_SRP
4199 if (!ssl_ctx_srp_ctx_init_intern(ret)) {
4200 ERR_raise(ERR_LIB_SSL, ERR_R_SSL_LIB);
4201 goto err;
4202 }
4203 #endif
4204 #ifndef OPENSSL_NO_ENGINE
4205 # ifdef OPENSSL_SSL_CLIENT_ENGINE_AUTO
4206 # define eng_strx(x) #x
4207 # define eng_str(x) eng_strx(x)
4208 /* Use specific client engine automatically... ignore errors */
4209 {
4210 ENGINE *eng;
4211 eng = ENGINE_by_id(eng_str(OPENSSL_SSL_CLIENT_ENGINE_AUTO));
4212 if (!eng) {
4213 ERR_clear_error();
4214 ENGINE_load_builtin_engines();
4215 eng = ENGINE_by_id(eng_str(OPENSSL_SSL_CLIENT_ENGINE_AUTO));
4216 }
4217 if (!eng || !SSL_CTX_set_client_cert_engine(ret, eng))
4218 ERR_clear_error();
4219 }
4220 # endif
4221 #endif
4222
4223 #ifndef OPENSSL_NO_COMP_ALG
4224 /*
4225 * Set the default order: brotli, zlib, zstd
4226 * Including only those enabled algorithms
4227 */
4228 memset(ret->cert_comp_prefs, 0, sizeof(ret->cert_comp_prefs));
4229 i = 0;
4230 if (ossl_comp_has_alg(TLSEXT_comp_cert_brotli))
4231 ret->cert_comp_prefs[i++] = TLSEXT_comp_cert_brotli;
4232 if (ossl_comp_has_alg(TLSEXT_comp_cert_zlib))
4233 ret->cert_comp_prefs[i++] = TLSEXT_comp_cert_zlib;
4234 if (ossl_comp_has_alg(TLSEXT_comp_cert_zstd))
4235 ret->cert_comp_prefs[i++] = TLSEXT_comp_cert_zstd;
4236 #endif
4237 /*
4238 * Disable compression by default to prevent CRIME. Applications can
4239 * re-enable compression by configuring
4240 * SSL_CTX_clear_options(ctx, SSL_OP_NO_COMPRESSION);
4241 * or by using the SSL_CONF library. Similarly we also enable TLSv1.3
4242 * middlebox compatibility by default. This may be disabled by default in
4243 * a later OpenSSL version.
4244 */
4245 ret->options |= SSL_OP_NO_COMPRESSION | SSL_OP_ENABLE_MIDDLEBOX_COMPAT;
4246
4247 ret->ext.status_type = TLSEXT_STATUSTYPE_nothing;
4248
4249 /*
4250 * We cannot usefully set a default max_early_data here (which gets
4251 * propagated in SSL_new(), for the following reason: setting the
4252 * SSL field causes tls_construct_stoc_early_data() to tell the
4253 * client that early data will be accepted when constructing a TLS 1.3
4254 * session ticket, and the client will accordingly send us early data
4255 * when using that ticket (if the client has early data to send).
4256 * However, in order for the early data to actually be consumed by
4257 * the application, the application must also have calls to
4258 * SSL_read_early_data(); otherwise we'll just skip past the early data
4259 * and ignore it. So, since the application must add calls to
4260 * SSL_read_early_data(), we also require them to add
4261 * calls to SSL_CTX_set_max_early_data() in order to use early data,
4262 * eliminating the bandwidth-wasting early data in the case described
4263 * above.
4264 */
4265 ret->max_early_data = 0;
4266
4267 /*
4268 * Default recv_max_early_data is a fully loaded single record. Could be
4269 * split across multiple records in practice. We set this differently to
4270 * max_early_data so that, in the default case, we do not advertise any
4271 * support for early_data, but if a client were to send us some (e.g.
4272 * because of an old, stale ticket) then we will tolerate it and skip over
4273 * it.
4274 */
4275 ret->recv_max_early_data = SSL3_RT_MAX_PLAIN_LENGTH;
4276
4277 /* By default we send two session tickets automatically in TLSv1.3 */
4278 ret->num_tickets = 2;
4279
4280 # ifndef OPENSSL_NO_QUIC
4281 /* only create a cache for client CTX-es */
4282 if (meth == OSSL_QUIC_client_method())
4283 if ((ret->tokencache = ossl_quic_new_token_store()) == NULL)
4284 goto err;
4285 ret->domain_flags = 0;
4286 if (IS_QUIC_METHOD(meth)) {
4287 # if defined(OPENSSL_THREADS)
4288 if (meth == OSSL_QUIC_client_thread_method())
4289 ret->domain_flags
4290 = SSL_DOMAIN_FLAG_MULTI_THREAD
4291 | SSL_DOMAIN_FLAG_THREAD_ASSISTED
4292 | SSL_DOMAIN_FLAG_BLOCKING;
4293 else
4294 ret->domain_flags
4295 = SSL_DOMAIN_FLAG_MULTI_THREAD
4296 | SSL_DOMAIN_FLAG_LEGACY_BLOCKING;
4297 # else
4298 ret->domain_flags
4299 = SSL_DOMAIN_FLAG_SINGLE_THREAD
4300 | SSL_DOMAIN_FLAG_LEGACY_BLOCKING;
4301 # endif
4302 }
4303 # endif
4304
4305 if (!ssl_ctx_system_config(ret)) {
4306 ERR_raise(ERR_LIB_SSL, SSL_R_ERROR_IN_SYSTEM_DEFAULT_CONFIG);
4307 goto err;
4308 }
4309
4310 #ifndef OPENSSL_NO_SSLKEYLOG
4311 if (keylogfile != NULL && strlen(keylogfile) != 0) {
4312 /* Make sure we have a global lock allocated */
4313 if (!RUN_ONCE(&ssl_keylog_once, ssl_keylog_init)) {
4314 /* use a trace message as a warning */
4315 OSSL_TRACE(TLS, "Unable to initalize keylog data\n");
4316 goto out;
4317 }
4318
4319 /* Grab our global lock */
4320 if (!CRYPTO_THREAD_write_lock(keylog_lock)) {
4321 OSSL_TRACE(TLS, "Unable to acquire keylog write lock\n");
4322 goto out;
4323 } else {
4324 /*
4325 * If the bio for the requested keylog file hasn't been
4326 * created yet, go ahead and create it, and set it to append
4327 * if its already there.
4328 */
4329 if (keylog_bio == NULL) {
4330 keylog_bio = get_sslkeylog_bio(keylogfile);
4331 if (keylog_bio == NULL) {
4332 OSSL_TRACE(TLS, "Unable to create keylog bio\n");
4333 goto out;
4334 }
4335 BIO_set_callback_ex(keylog_bio, check_keylog_bio_free);
4336 } else {
4337 /* up our refcount for the already-created case */
4338 BIO_up_ref(keylog_bio);
4339 }
4340 /* If we have a bio now, assign the callback handler */
4341 if (keylog_bio != NULL)
4342 ret->do_sslkeylog = 1;
4343 /* unlock, and we're done */
4344 CRYPTO_THREAD_unlock(keylog_lock);
4345 }
4346 }
4347 out:
4348 #endif
4349 return ret;
4350 err:
4351 SSL_CTX_free(ret);
4352 #ifndef OPENSSL_NO_SSLKEYLOG
4353 BIO_free(keylog_bio);
4354 #endif
4355 return NULL;
4356 }
4357
4358 SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth)
4359 {
4360 return SSL_CTX_new_ex(NULL, NULL, meth);
4361 }
4362
4363 int SSL_CTX_up_ref(SSL_CTX *ctx)
4364 {
4365 int i;
4366
4367 if (CRYPTO_UP_REF(&ctx->references, &i) <= 0)
4368 return 0;
4369
4370 REF_PRINT_COUNT("SSL_CTX", i, ctx);
4371 REF_ASSERT_ISNT(i < 2);
4372 return ((i > 1) ? 1 : 0);
4373 }
4374
4375 void SSL_CTX_free(SSL_CTX *a)
4376 {
4377 int i;
4378 size_t j;
4379
4380 if (a == NULL)
4381 return;
4382
4383 CRYPTO_DOWN_REF(&a->references, &i);
4384 REF_PRINT_COUNT("SSL_CTX", i, a);
4385 if (i > 0)
4386 return;
4387 REF_ASSERT_ISNT(i < 0);
4388
4389 #ifndef OPENSSL_NO_SSLKEYLOG
4390 if (keylog_lock != NULL && CRYPTO_THREAD_write_lock(keylog_lock)) {
4391 if (a->do_sslkeylog == 1)
4392 BIO_free(keylog_bio);
4393 a->do_sslkeylog = 0;
4394 CRYPTO_THREAD_unlock(keylog_lock);
4395 }
4396 #endif
4397
4398 X509_VERIFY_PARAM_free(a->param);
4399 dane_ctx_final(&a->dane);
4400
4401 /*
4402 * Free internal session cache. However: the remove_cb() may reference
4403 * the ex_data of SSL_CTX, thus the ex_data store can only be removed
4404 * after the sessions were flushed.
4405 * As the ex_data handling routines might also touch the session cache,
4406 * the most secure solution seems to be: empty (flush) the cache, then
4407 * free ex_data, then finally free the cache.
4408 * (See ticket [openssl.org #212].)
4409 */
4410 if (a->sessions != NULL)
4411 SSL_CTX_flush_sessions_ex(a, 0);
4412
4413 CRYPTO_free_ex_data(CRYPTO_EX_INDEX_SSL_CTX, a, &a->ex_data);
4414 lh_SSL_SESSION_free(a->sessions);
4415 X509_STORE_free(a->cert_store);
4416 #ifndef OPENSSL_NO_CT
4417 CTLOG_STORE_free(a->ctlog_store);
4418 #endif
4419 sk_SSL_CIPHER_free(a->cipher_list);
4420 sk_SSL_CIPHER_free(a->cipher_list_by_id);
4421 sk_SSL_CIPHER_free(a->tls13_ciphersuites);
4422 ssl_cert_free(a->cert);
4423 sk_X509_NAME_pop_free(a->ca_names, X509_NAME_free);
4424 sk_X509_NAME_pop_free(a->client_ca_names, X509_NAME_free);
4425 OSSL_STACK_OF_X509_free(a->extra_certs);
4426 a->comp_methods = NULL;
4427 #ifndef OPENSSL_NO_SRTP
4428 sk_SRTP_PROTECTION_PROFILE_free(a->srtp_profiles);
4429 #endif
4430 #ifndef OPENSSL_NO_SRP
4431 ssl_ctx_srp_ctx_free_intern(a);
4432 #endif
4433 #ifndef OPENSSL_NO_ENGINE
4434 tls_engine_finish(a->client_cert_engine);
4435 #endif
4436
4437 OPENSSL_free(a->ext.ecpointformats);
4438 OPENSSL_free(a->ext.supportedgroups);
4439 OPENSSL_free(a->ext.keyshares);
4440 OPENSSL_free(a->ext.tuples);
4441 OPENSSL_free(a->ext.alpn);
4442 OPENSSL_secure_free(a->ext.secure);
4443
4444 ssl_evp_md_free(a->md5);
4445 ssl_evp_md_free(a->sha1);
4446
4447 for (j = 0; j < SSL_ENC_NUM_IDX; j++)
4448 ssl_evp_cipher_free(a->ssl_cipher_methods[j]);
4449 for (j = 0; j < SSL_MD_NUM_IDX; j++)
4450 ssl_evp_md_free(a->ssl_digest_methods[j]);
4451 for (j = 0; j < a->group_list_len; j++) {
4452 OPENSSL_free(a->group_list[j].tlsname);
4453 OPENSSL_free(a->group_list[j].realname);
4454 OPENSSL_free(a->group_list[j].algorithm);
4455 }
4456 OPENSSL_free(a->group_list);
4457 for (j = 0; j < a->sigalg_list_len; j++) {
4458 OPENSSL_free(a->sigalg_list[j].name);
4459 OPENSSL_free(a->sigalg_list[j].sigalg_name);
4460 OPENSSL_free(a->sigalg_list[j].sigalg_oid);
4461 OPENSSL_free(a->sigalg_list[j].sig_name);
4462 OPENSSL_free(a->sigalg_list[j].sig_oid);
4463 OPENSSL_free(a->sigalg_list[j].hash_name);
4464 OPENSSL_free(a->sigalg_list[j].hash_oid);
4465 OPENSSL_free(a->sigalg_list[j].keytype);
4466 OPENSSL_free(a->sigalg_list[j].keytype_oid);
4467 }
4468 OPENSSL_free(a->sigalg_list);
4469 OPENSSL_free(a->ssl_cert_info);
4470
4471 OPENSSL_free(a->sigalg_lookup_cache);
4472 OPENSSL_free(a->tls12_sigalgs);
4473
4474 OPENSSL_free(a->client_cert_type);
4475 OPENSSL_free(a->server_cert_type);
4476
4477 CRYPTO_THREAD_lock_free(a->lock);
4478 CRYPTO_FREE_REF(&a->references);
4479 #ifdef TSAN_REQUIRES_LOCKING
4480 CRYPTO_THREAD_lock_free(a->tsan_lock);
4481 #endif
4482
4483 OPENSSL_free(a->propq);
4484 #ifndef OPENSSL_NO_QLOG
4485 OPENSSL_free(a->qlog_title);
4486 #endif
4487
4488 #ifndef OPENSSL_NO_QUIC
4489 ossl_quic_free_token_store(a->tokencache);
4490 #endif
4491
4492 OPENSSL_free(a);
4493 }
4494
4495 void SSL_CTX_set_default_passwd_cb(SSL_CTX *ctx, pem_password_cb *cb)
4496 {
4497 ctx->default_passwd_callback = cb;
4498 }
4499
4500 void SSL_CTX_set_default_passwd_cb_userdata(SSL_CTX *ctx, void *u)
4501 {
4502 ctx->default_passwd_callback_userdata = u;
4503 }
4504
4505 pem_password_cb *SSL_CTX_get_default_passwd_cb(SSL_CTX *ctx)
4506 {
4507 return ctx->default_passwd_callback;
4508 }
4509
4510 void *SSL_CTX_get_default_passwd_cb_userdata(SSL_CTX *ctx)
4511 {
4512 return ctx->default_passwd_callback_userdata;
4513 }
4514
4515 void SSL_set_default_passwd_cb(SSL *s, pem_password_cb *cb)
4516 {
4517 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
4518
4519 if (sc == NULL)
4520 return;
4521
4522 sc->default_passwd_callback = cb;
4523 }
4524
4525 void SSL_set_default_passwd_cb_userdata(SSL *s, void *u)
4526 {
4527 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
4528
4529 if (sc == NULL)
4530 return;
4531
4532 sc->default_passwd_callback_userdata = u;
4533 }
4534
4535 pem_password_cb *SSL_get_default_passwd_cb(SSL *s)
4536 {
4537 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
4538
4539 if (sc == NULL)
4540 return NULL;
4541
4542 return sc->default_passwd_callback;
4543 }
4544
4545 void *SSL_get_default_passwd_cb_userdata(SSL *s)
4546 {
4547 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
4548
4549 if (sc == NULL)
4550 return NULL;
4551
4552 return sc->default_passwd_callback_userdata;
4553 }
4554
4555 void SSL_CTX_set_cert_verify_callback(SSL_CTX *ctx,
4556 int (*cb) (X509_STORE_CTX *, void *),
4557 void *arg)
4558 {
4559 ctx->app_verify_callback = cb;
4560 ctx->app_verify_arg = arg;
4561 }
4562
4563 void SSL_CTX_set_verify(SSL_CTX *ctx, int mode,
4564 int (*cb) (int, X509_STORE_CTX *))
4565 {
4566 ctx->verify_mode = mode;
4567 ctx->default_verify_callback = cb;
4568 }
4569
4570 void SSL_CTX_set_verify_depth(SSL_CTX *ctx, int depth)
4571 {
4572 X509_VERIFY_PARAM_set_depth(ctx->param, depth);
4573 }
4574
4575 void SSL_CTX_set_cert_cb(SSL_CTX *c, int (*cb) (SSL *ssl, void *arg), void *arg)
4576 {
4577 ssl_cert_set_cert_cb(c->cert, cb, arg);
4578 }
4579
4580 void SSL_set_cert_cb(SSL *s, int (*cb) (SSL *ssl, void *arg), void *arg)
4581 {
4582 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
4583
4584 if (sc == NULL)
4585 return;
4586
4587 ssl_cert_set_cert_cb(sc->cert, cb, arg);
4588 }
4589
4590 void ssl_set_masks(SSL_CONNECTION *s)
4591 {
4592 CERT *c = s->cert;
4593 uint32_t *pvalid = s->s3.tmp.valid_flags;
4594 int rsa_enc, rsa_sign, dh_tmp, dsa_sign;
4595 unsigned long mask_k, mask_a;
4596 int have_ecc_cert, ecdsa_ok;
4597
4598 if (c == NULL)
4599 return;
4600
4601 dh_tmp = (c->dh_tmp != NULL
4602 || c->dh_tmp_cb != NULL
4603 || c->dh_tmp_auto);
4604
4605 rsa_enc = pvalid[SSL_PKEY_RSA] & CERT_PKEY_VALID;
4606 rsa_sign = pvalid[SSL_PKEY_RSA] & CERT_PKEY_VALID;
4607 dsa_sign = pvalid[SSL_PKEY_DSA_SIGN] & CERT_PKEY_VALID;
4608 have_ecc_cert = pvalid[SSL_PKEY_ECC] & CERT_PKEY_VALID;
4609 mask_k = 0;
4610 mask_a = 0;
4611
4612 OSSL_TRACE4(TLS_CIPHER, "dh_tmp=%d rsa_enc=%d rsa_sign=%d dsa_sign=%d\n",
4613 dh_tmp, rsa_enc, rsa_sign, dsa_sign);
4614
4615 #ifndef OPENSSL_NO_GOST
4616 if (ssl_has_cert(s, SSL_PKEY_GOST12_512)) {
4617 mask_k |= SSL_kGOST | SSL_kGOST18;
4618 mask_a |= SSL_aGOST12;
4619 }
4620 if (ssl_has_cert(s, SSL_PKEY_GOST12_256)) {
4621 mask_k |= SSL_kGOST | SSL_kGOST18;
4622 mask_a |= SSL_aGOST12;
4623 }
4624 if (ssl_has_cert(s, SSL_PKEY_GOST01)) {
4625 mask_k |= SSL_kGOST;
4626 mask_a |= SSL_aGOST01;
4627 }
4628 #endif
4629
4630 if (rsa_enc)
4631 mask_k |= SSL_kRSA;
4632
4633 if (dh_tmp)
4634 mask_k |= SSL_kDHE;
4635
4636 /*
4637 * If we only have an RSA-PSS certificate allow RSA authentication
4638 * if TLS 1.2 and peer supports it.
4639 */
4640
4641 if (rsa_enc || rsa_sign || (ssl_has_cert(s, SSL_PKEY_RSA_PSS_SIGN)
4642 && pvalid[SSL_PKEY_RSA_PSS_SIGN] & CERT_PKEY_EXPLICIT_SIGN
4643 && TLS1_get_version(&s->ssl) == TLS1_2_VERSION))
4644 mask_a |= SSL_aRSA;
4645
4646 if (dsa_sign) {
4647 mask_a |= SSL_aDSS;
4648 }
4649
4650 mask_a |= SSL_aNULL;
4651
4652 /*
4653 * You can do anything with an RPK key, since there's no cert to restrict it
4654 * But we need to check for private keys
4655 */
4656 if (pvalid[SSL_PKEY_RSA] & CERT_PKEY_RPK) {
4657 mask_a |= SSL_aRSA;
4658 mask_k |= SSL_kRSA;
4659 }
4660 if (pvalid[SSL_PKEY_ECC] & CERT_PKEY_RPK)
4661 mask_a |= SSL_aECDSA;
4662 if (TLS1_get_version(&s->ssl) == TLS1_2_VERSION) {
4663 if (pvalid[SSL_PKEY_RSA_PSS_SIGN] & CERT_PKEY_RPK)
4664 mask_a |= SSL_aRSA;
4665 if (pvalid[SSL_PKEY_ED25519] & CERT_PKEY_RPK
4666 || pvalid[SSL_PKEY_ED448] & CERT_PKEY_RPK)
4667 mask_a |= SSL_aECDSA;
4668 }
4669
4670 /*
4671 * An ECC certificate may be usable for ECDH and/or ECDSA cipher suites
4672 * depending on the key usage extension.
4673 */
4674 if (have_ecc_cert) {
4675 uint32_t ex_kusage;
4676 ex_kusage = X509_get_key_usage(c->pkeys[SSL_PKEY_ECC].x509);
4677 ecdsa_ok = ex_kusage & X509v3_KU_DIGITAL_SIGNATURE;
4678 if (!(pvalid[SSL_PKEY_ECC] & CERT_PKEY_SIGN))
4679 ecdsa_ok = 0;
4680 if (ecdsa_ok)
4681 mask_a |= SSL_aECDSA;
4682 }
4683 /* Allow Ed25519 for TLS 1.2 if peer supports it */
4684 if (!(mask_a & SSL_aECDSA) && ssl_has_cert(s, SSL_PKEY_ED25519)
4685 && pvalid[SSL_PKEY_ED25519] & CERT_PKEY_EXPLICIT_SIGN
4686 && TLS1_get_version(&s->ssl) == TLS1_2_VERSION)
4687 mask_a |= SSL_aECDSA;
4688
4689 /* Allow Ed448 for TLS 1.2 if peer supports it */
4690 if (!(mask_a & SSL_aECDSA) && ssl_has_cert(s, SSL_PKEY_ED448)
4691 && pvalid[SSL_PKEY_ED448] & CERT_PKEY_EXPLICIT_SIGN
4692 && TLS1_get_version(&s->ssl) == TLS1_2_VERSION)
4693 mask_a |= SSL_aECDSA;
4694
4695 mask_k |= SSL_kECDHE;
4696
4697 #ifndef OPENSSL_NO_PSK
4698 mask_k |= SSL_kPSK;
4699 mask_a |= SSL_aPSK;
4700 if (mask_k & SSL_kRSA)
4701 mask_k |= SSL_kRSAPSK;
4702 if (mask_k & SSL_kDHE)
4703 mask_k |= SSL_kDHEPSK;
4704 if (mask_k & SSL_kECDHE)
4705 mask_k |= SSL_kECDHEPSK;
4706 #endif
4707
4708 s->s3.tmp.mask_k = mask_k;
4709 s->s3.tmp.mask_a = mask_a;
4710 }
4711
4712 int ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL_CONNECTION *s)
4713 {
4714 if (s->s3.tmp.new_cipher->algorithm_auth & SSL_aECDSA) {
4715 /* key usage, if present, must allow signing */
4716 if (!(X509_get_key_usage(x) & X509v3_KU_DIGITAL_SIGNATURE)) {
4717 ERR_raise(ERR_LIB_SSL, SSL_R_ECC_CERT_NOT_FOR_SIGNING);
4718 return 0;
4719 }
4720 }
4721 return 1; /* all checks are ok */
4722 }
4723
4724 int ssl_get_server_cert_serverinfo(SSL_CONNECTION *s,
4725 const unsigned char **serverinfo,
4726 size_t *serverinfo_length)
4727 {
4728 CERT_PKEY *cpk = s->s3.tmp.cert;
4729 *serverinfo_length = 0;
4730
4731 if (cpk == NULL || cpk->serverinfo == NULL)
4732 return 0;
4733
4734 *serverinfo = cpk->serverinfo;
4735 *serverinfo_length = cpk->serverinfo_length;
4736 return 1;
4737 }
4738
4739 void ssl_update_cache(SSL_CONNECTION *s, int mode)
4740 {
4741 int i;
4742
4743 /*
4744 * If the session_id_length is 0, we are not supposed to cache it, and it
4745 * would be rather hard to do anyway :-). Also if the session has already
4746 * been marked as not_resumable we should not cache it for later reuse.
4747 */
4748 if (s->session->session_id_length == 0 || s->session->not_resumable)
4749 return;
4750
4751 /*
4752 * If sid_ctx_length is 0 there is no specific application context
4753 * associated with this session, so when we try to resume it and
4754 * SSL_VERIFY_PEER is requested to verify the client identity, we have no
4755 * indication that this is actually a session for the proper application
4756 * context, and the *handshake* will fail, not just the resumption attempt.
4757 * Do not cache (on the server) these sessions that are not resumable
4758 * (clients can set SSL_VERIFY_PEER without needing a sid_ctx set).
4759 */
4760 if (s->server && s->session->sid_ctx_length == 0
4761 && (s->verify_mode & SSL_VERIFY_PEER) != 0)
4762 return;
4763
4764 i = s->session_ctx->session_cache_mode;
4765 if ((i & mode) != 0
4766 && (!s->hit || SSL_CONNECTION_IS_TLS13(s))) {
4767 /*
4768 * Add the session to the internal cache. In server side TLSv1.3 we
4769 * normally don't do this because by default it's a full stateless ticket
4770 * with only a dummy session id so there is no reason to cache it,
4771 * unless:
4772 * - we are doing early_data, in which case we cache so that we can
4773 * detect replays
4774 * - the application has set a remove_session_cb so needs to know about
4775 * session timeout events
4776 * - SSL_OP_NO_TICKET is set in which case it is a stateful ticket
4777 */
4778 if ((i & SSL_SESS_CACHE_NO_INTERNAL_STORE) == 0
4779 && (!SSL_CONNECTION_IS_TLS13(s)
4780 || !s->server
4781 || (s->max_early_data > 0
4782 && (s->options & SSL_OP_NO_ANTI_REPLAY) == 0)
4783 || s->session_ctx->remove_session_cb != NULL
4784 || (s->options & SSL_OP_NO_TICKET) != 0))
4785 SSL_CTX_add_session(s->session_ctx, s->session);
4786
4787 /*
4788 * Add the session to the external cache. We do this even in server side
4789 * TLSv1.3 without early data because some applications just want to
4790 * know about the creation of a session and aren't doing a full cache.
4791 */
4792 if (s->session_ctx->new_session_cb != NULL && SSL_SESSION_up_ref(s->session)) {
4793 if (!s->session_ctx->new_session_cb(SSL_CONNECTION_GET_USER_SSL(s),
4794 s->session))
4795 SSL_SESSION_free(s->session);
4796 }
4797 }
4798
4799 /* auto flush every 255 connections */
4800 if ((!(i & SSL_SESS_CACHE_NO_AUTO_CLEAR)) && ((i & mode) == mode)) {
4801 TSAN_QUALIFIER int *stat;
4802
4803 if (mode & SSL_SESS_CACHE_CLIENT)
4804 stat = &s->session_ctx->stats.sess_connect_good;
4805 else
4806 stat = &s->session_ctx->stats.sess_accept_good;
4807 if ((ssl_tsan_load(s->session_ctx, stat) & 0xff) == 0xff)
4808 SSL_CTX_flush_sessions_ex(s->session_ctx, time(NULL));
4809 }
4810 }
4811
4812 const SSL_METHOD *SSL_CTX_get_ssl_method(const SSL_CTX *ctx)
4813 {
4814 return ctx->method;
4815 }
4816
4817 const SSL_METHOD *SSL_get_ssl_method(const SSL *s)
4818 {
4819 return s->method;
4820 }
4821
4822 int SSL_set_ssl_method(SSL *s, const SSL_METHOD *meth)
4823 {
4824 int ret = 1;
4825 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
4826
4827 /* Not allowed for QUIC */
4828 if (sc == NULL
4829 || (s->type != SSL_TYPE_SSL_CONNECTION && s->method != meth)
4830 || (s->type == SSL_TYPE_SSL_CONNECTION && IS_QUIC_METHOD(meth)))
4831 return 0;
4832
4833 if (s->method != meth) {
4834 const SSL_METHOD *sm = s->method;
4835 int (*hf) (SSL *) = sc->handshake_func;
4836
4837 if (sm->version == meth->version)
4838 s->method = meth;
4839 else {
4840 sm->ssl_deinit(s);
4841 s->method = meth;
4842 ret = s->method->ssl_init(s);
4843 }
4844
4845 if (hf == sm->ssl_connect)
4846 sc->handshake_func = meth->ssl_connect;
4847 else if (hf == sm->ssl_accept)
4848 sc->handshake_func = meth->ssl_accept;
4849 }
4850 return ret;
4851 }
4852
4853 int SSL_get_error(const SSL *s, int i)
4854 {
4855 return ossl_ssl_get_error(s, i, /*check_err=*/1);
4856 }
4857
4858 int ossl_ssl_get_error(const SSL *s, int i, int check_err)
4859 {
4860 int reason;
4861 unsigned long l;
4862 BIO *bio;
4863 const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
4864
4865 if (i > 0)
4866 return SSL_ERROR_NONE;
4867
4868 #ifndef OPENSSL_NO_QUIC
4869 if (IS_QUIC(s)) {
4870 reason = ossl_quic_get_error(s, i);
4871 if (reason != SSL_ERROR_NONE)
4872 return reason;
4873 }
4874 #endif
4875
4876 if (sc == NULL)
4877 return SSL_ERROR_SSL;
4878
4879 /*
4880 * Make things return SSL_ERROR_SYSCALL when doing SSL_do_handshake etc,
4881 * where we do encode the error
4882 */
4883 if (check_err && (l = ERR_peek_error()) != 0) {
4884 if (ERR_GET_LIB(l) == ERR_LIB_SYS)
4885 return SSL_ERROR_SYSCALL;
4886 else
4887 return SSL_ERROR_SSL;
4888 }
4889
4890 #ifndef OPENSSL_NO_QUIC
4891 if (!IS_QUIC(s))
4892 #endif
4893 {
4894 if (SSL_want_read(s)) {
4895 bio = SSL_get_rbio(s);
4896 if (BIO_should_read(bio))
4897 return SSL_ERROR_WANT_READ;
4898 else if (BIO_should_write(bio))
4899 /*
4900 * This one doesn't make too much sense ... We never try to
4901 * write to the rbio, and an application program where rbio and
4902 * wbio are separate couldn't even know what it should wait for.
4903 * However if we ever set s->rwstate incorrectly (so that we
4904 * have SSL_want_read(s) instead of SSL_want_write(s)) and rbio
4905 * and wbio *are* the same, this test works around that bug; so
4906 * it might be safer to keep it.
4907 */
4908 return SSL_ERROR_WANT_WRITE;
4909 else if (BIO_should_io_special(bio)) {
4910 reason = BIO_get_retry_reason(bio);
4911 if (reason == BIO_RR_CONNECT)
4912 return SSL_ERROR_WANT_CONNECT;
4913 else if (reason == BIO_RR_ACCEPT)
4914 return SSL_ERROR_WANT_ACCEPT;
4915 else
4916 return SSL_ERROR_SYSCALL; /* unknown */
4917 }
4918 }
4919
4920 if (SSL_want_write(s)) {
4921 /*
4922 * Access wbio directly - in order to use the buffered bio if
4923 * present
4924 */
4925 bio = sc->wbio;
4926 if (BIO_should_write(bio))
4927 return SSL_ERROR_WANT_WRITE;
4928 else if (BIO_should_read(bio))
4929 /*
4930 * See above (SSL_want_read(s) with BIO_should_write(bio))
4931 */
4932 return SSL_ERROR_WANT_READ;
4933 else if (BIO_should_io_special(bio)) {
4934 reason = BIO_get_retry_reason(bio);
4935 if (reason == BIO_RR_CONNECT)
4936 return SSL_ERROR_WANT_CONNECT;
4937 else if (reason == BIO_RR_ACCEPT)
4938 return SSL_ERROR_WANT_ACCEPT;
4939 else
4940 return SSL_ERROR_SYSCALL;
4941 }
4942 }
4943 }
4944
4945 if (SSL_want_x509_lookup(s))
4946 return SSL_ERROR_WANT_X509_LOOKUP;
4947 if (SSL_want_retry_verify(s))
4948 return SSL_ERROR_WANT_RETRY_VERIFY;
4949 if (SSL_want_async(s))
4950 return SSL_ERROR_WANT_ASYNC;
4951 if (SSL_want_async_job(s))
4952 return SSL_ERROR_WANT_ASYNC_JOB;
4953 if (SSL_want_client_hello_cb(s))
4954 return SSL_ERROR_WANT_CLIENT_HELLO_CB;
4955
4956 if ((sc->shutdown & SSL_RECEIVED_SHUTDOWN) &&
4957 (sc->s3.warn_alert == SSL_AD_CLOSE_NOTIFY))
4958 return SSL_ERROR_ZERO_RETURN;
4959
4960 return SSL_ERROR_SYSCALL;
4961 }
4962
4963 static int ssl_do_handshake_intern(void *vargs)
4964 {
4965 struct ssl_async_args *args = (struct ssl_async_args *)vargs;
4966 SSL *s = args->s;
4967 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
4968
4969 if (sc == NULL)
4970 return -1;
4971
4972 return sc->handshake_func(s);
4973 }
4974
4975 int SSL_do_handshake(SSL *s)
4976 {
4977 int ret = 1;
4978 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
4979
4980 #ifndef OPENSSL_NO_QUIC
4981 if (IS_QUIC(s))
4982 return ossl_quic_do_handshake(s);
4983 #endif
4984
4985 if (sc == NULL)
4986 return -1;
4987
4988 if (sc->handshake_func == NULL) {
4989 ERR_raise(ERR_LIB_SSL, SSL_R_CONNECTION_TYPE_NOT_SET);
4990 return -1;
4991 }
4992
4993 if (!ossl_statem_check_finish_init(sc, -1))
4994 return -1;
4995
4996 s->method->ssl_renegotiate_check(s, 0);
4997
4998 if (SSL_in_init(s) || SSL_in_before(s)) {
4999 if ((sc->mode & SSL_MODE_ASYNC) && ASYNC_get_current_job() == NULL) {
5000 struct ssl_async_args args;
5001
5002 memset(&args, 0, sizeof(args));
5003 args.s = s;
5004
5005 ret = ssl_start_async_job(s, &args, ssl_do_handshake_intern);
5006 } else {
5007 ret = sc->handshake_func(s);
5008 }
5009 }
5010
5011 return ret;
5012 }
5013
5014 void SSL_set_accept_state(SSL *s)
5015 {
5016 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL_ONLY(s);
5017
5018 #ifndef OPENSSL_NO_QUIC
5019 if (IS_QUIC(s)) {
5020 /* We suppress errors because this is a void function */
5021 (void)ossl_quic_set_accept_state(s, 0 /* suppress errors */);
5022 return;
5023 }
5024 #endif
5025
5026 sc->server = 1;
5027 sc->shutdown = 0;
5028 ossl_statem_clear(sc);
5029 sc->handshake_func = s->method->ssl_accept;
5030 /* Ignore return value. Its a void public API function */
5031 RECORD_LAYER_reset(&sc->rlayer);
5032 }
5033
5034 void SSL_set_connect_state(SSL *s)
5035 {
5036 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL_ONLY(s);
5037
5038 #ifndef OPENSSL_NO_QUIC
5039 if (IS_QUIC(s)) {
5040 /* We suppress errors because this is a void function */
5041 (void)ossl_quic_set_connect_state(s, 0 /* suppress errors */);
5042 return;
5043 }
5044 #endif
5045
5046 sc->server = 0;
5047 sc->shutdown = 0;
5048 ossl_statem_clear(sc);
5049 sc->handshake_func = s->method->ssl_connect;
5050 /* Ignore return value. Its a void public API function */
5051 RECORD_LAYER_reset(&sc->rlayer);
5052 }
5053
5054 int ssl_undefined_function(SSL *s)
5055 {
5056 ERR_raise(ERR_LIB_SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
5057 return 0;
5058 }
5059
5060 int ssl_undefined_void_function(void)
5061 {
5062 ERR_raise(ERR_LIB_SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
5063 return 0;
5064 }
5065
5066 const char *ssl_protocol_to_string(int version)
5067 {
5068 switch (version) {
5069 case TLS1_3_VERSION:
5070 return "TLSv1.3";
5071
5072 case TLS1_2_VERSION:
5073 return "TLSv1.2";
5074
5075 case TLS1_1_VERSION:
5076 return "TLSv1.1";
5077
5078 case TLS1_VERSION:
5079 return "TLSv1";
5080
5081 case SSL3_VERSION:
5082 return "SSLv3";
5083
5084 case DTLS1_BAD_VER:
5085 return "DTLSv0.9";
5086
5087 case DTLS1_VERSION:
5088 return "DTLSv1";
5089
5090 case DTLS1_2_VERSION:
5091 return "DTLSv1.2";
5092
5093 default:
5094 return "unknown";
5095 }
5096 }
5097
5098 const char *SSL_get_version(const SSL *s)
5099 {
5100 const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
5101
5102 #ifndef OPENSSL_NO_QUIC
5103 /* We only support QUICv1 - so if its QUIC its QUICv1 */
5104 if (s->type == SSL_TYPE_QUIC_CONNECTION || s->type == SSL_TYPE_QUIC_XSO)
5105 return "QUICv1";
5106 #endif
5107
5108 if (sc == NULL)
5109 return NULL;
5110
5111 return ssl_protocol_to_string(sc->version);
5112 }
5113
5114 __owur int SSL_get_handshake_rtt(const SSL *s, uint64_t *rtt)
5115 {
5116 const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
5117
5118 if (sc == NULL)
5119 return -1;
5120 if (sc->ts_msg_write.t <= 0 || sc->ts_msg_read.t <= 0)
5121 return 0; /* data not (yet) available */
5122 if (sc->ts_msg_read.t < sc->ts_msg_write.t)
5123 return -1;
5124
5125 *rtt = ossl_time2us(ossl_time_subtract(sc->ts_msg_read, sc->ts_msg_write));
5126 return 1;
5127 }
5128
5129 static int dup_ca_names(STACK_OF(X509_NAME) **dst, STACK_OF(X509_NAME) *src)
5130 {
5131 STACK_OF(X509_NAME) *sk;
5132 X509_NAME *xn;
5133 int i;
5134
5135 if (src == NULL) {
5136 *dst = NULL;
5137 return 1;
5138 }
5139
5140 if ((sk = sk_X509_NAME_new_null()) == NULL)
5141 return 0;
5142 for (i = 0; i < sk_X509_NAME_num(src); i++) {
5143 xn = X509_NAME_dup(sk_X509_NAME_value(src, i));
5144 if (xn == NULL) {
5145 sk_X509_NAME_pop_free(sk, X509_NAME_free);
5146 return 0;
5147 }
5148 if (sk_X509_NAME_insert(sk, xn, i) == 0) {
5149 X509_NAME_free(xn);
5150 sk_X509_NAME_pop_free(sk, X509_NAME_free);
5151 return 0;
5152 }
5153 }
5154 *dst = sk;
5155
5156 return 1;
5157 }
5158
5159 SSL *SSL_dup(SSL *s)
5160 {
5161 SSL *ret;
5162 int i;
5163 /* TODO(QUIC FUTURE): Add an SSL_METHOD function for duplication */
5164 SSL_CONNECTION *retsc;
5165 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL_ONLY(s);
5166
5167 if (sc == NULL)
5168 return NULL;
5169
5170 /* If we're not quiescent, just up_ref! */
5171 if (!SSL_in_init(s) || !SSL_in_before(s)) {
5172 CRYPTO_UP_REF(&s->references, &i);
5173 return s;
5174 }
5175
5176 /*
5177 * Otherwise, copy configuration state, and session if set.
5178 */
5179 if ((ret = SSL_new(SSL_get_SSL_CTX(s))) == NULL)
5180 return NULL;
5181 if ((retsc = SSL_CONNECTION_FROM_SSL_ONLY(ret)) == NULL)
5182 goto err;
5183
5184 if (sc->session != NULL) {
5185 /*
5186 * Arranges to share the same session via up_ref. This "copies"
5187 * session-id, SSL_METHOD, sid_ctx, and 'cert'
5188 */
5189 if (!SSL_copy_session_id(ret, s))
5190 goto err;
5191 } else {
5192 /*
5193 * No session has been established yet, so we have to expect that
5194 * s->cert or ret->cert will be changed later -- they should not both
5195 * point to the same object, and thus we can't use
5196 * SSL_copy_session_id.
5197 */
5198 if (!SSL_set_ssl_method(ret, s->method))
5199 goto err;
5200
5201 if (sc->cert != NULL) {
5202 ssl_cert_free(retsc->cert);
5203 retsc->cert = ssl_cert_dup(sc->cert);
5204 if (retsc->cert == NULL)
5205 goto err;
5206 }
5207
5208 if (!SSL_set_session_id_context(ret, sc->sid_ctx,
5209 (int)sc->sid_ctx_length))
5210 goto err;
5211 }
5212
5213 if (!ssl_dane_dup(retsc, sc))
5214 goto err;
5215 retsc->version = sc->version;
5216 retsc->options = sc->options;
5217 retsc->min_proto_version = sc->min_proto_version;
5218 retsc->max_proto_version = sc->max_proto_version;
5219 retsc->mode = sc->mode;
5220 SSL_set_max_cert_list(ret, SSL_get_max_cert_list(s));
5221 SSL_set_read_ahead(ret, SSL_get_read_ahead(s));
5222 retsc->msg_callback = sc->msg_callback;
5223 retsc->msg_callback_arg = sc->msg_callback_arg;
5224 SSL_set_verify(ret, SSL_get_verify_mode(s), SSL_get_verify_callback(s));
5225 SSL_set_verify_depth(ret, SSL_get_verify_depth(s));
5226 retsc->generate_session_id = sc->generate_session_id;
5227
5228 SSL_set_info_callback(ret, SSL_get_info_callback(s));
5229
5230 /* copy app data, a little dangerous perhaps */
5231 if (!CRYPTO_dup_ex_data(CRYPTO_EX_INDEX_SSL, &ret->ex_data, &s->ex_data))
5232 goto err;
5233
5234 retsc->server = sc->server;
5235 if (sc->handshake_func) {
5236 if (sc->server)
5237 SSL_set_accept_state(ret);
5238 else
5239 SSL_set_connect_state(ret);
5240 }
5241 retsc->shutdown = sc->shutdown;
5242 retsc->hit = sc->hit;
5243
5244 retsc->default_passwd_callback = sc->default_passwd_callback;
5245 retsc->default_passwd_callback_userdata = sc->default_passwd_callback_userdata;
5246
5247 X509_VERIFY_PARAM_inherit(retsc->param, sc->param);
5248
5249 /* dup the cipher_list and cipher_list_by_id stacks */
5250 if (sc->cipher_list != NULL) {
5251 if ((retsc->cipher_list = sk_SSL_CIPHER_dup(sc->cipher_list)) == NULL)
5252 goto err;
5253 }
5254 if (sc->cipher_list_by_id != NULL)
5255 if ((retsc->cipher_list_by_id = sk_SSL_CIPHER_dup(sc->cipher_list_by_id))
5256 == NULL)
5257 goto err;
5258
5259 /* Dup the client_CA list */
5260 if (!dup_ca_names(&retsc->ca_names, sc->ca_names)
5261 || !dup_ca_names(&retsc->client_ca_names, sc->client_ca_names))
5262 goto err;
5263
5264 return ret;
5265
5266 err:
5267 SSL_free(ret);
5268 return NULL;
5269 }
5270
5271 X509 *SSL_get_certificate(const SSL *s)
5272 {
5273 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
5274
5275 if (sc == NULL)
5276 return NULL;
5277
5278 if (sc->cert != NULL)
5279 return sc->cert->key->x509;
5280 else
5281 return NULL;
5282 }
5283
5284 EVP_PKEY *SSL_get_privatekey(const SSL *s)
5285 {
5286 const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
5287
5288 if (sc == NULL)
5289 return NULL;
5290
5291 if (sc->cert != NULL)
5292 return sc->cert->key->privatekey;
5293 else
5294 return NULL;
5295 }
5296
5297 X509 *SSL_CTX_get0_certificate(const SSL_CTX *ctx)
5298 {
5299 if (ctx->cert != NULL)
5300 return ctx->cert->key->x509;
5301 else
5302 return NULL;
5303 }
5304
5305 EVP_PKEY *SSL_CTX_get0_privatekey(const SSL_CTX *ctx)
5306 {
5307 if (ctx->cert != NULL)
5308 return ctx->cert->key->privatekey;
5309 else
5310 return NULL;
5311 }
5312
5313 const SSL_CIPHER *SSL_get_current_cipher(const SSL *s)
5314 {
5315 const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
5316
5317 if (sc == NULL)
5318 return NULL;
5319
5320 if ((sc->session != NULL) && (sc->session->cipher != NULL))
5321 return sc->session->cipher;
5322 return NULL;
5323 }
5324
5325 const SSL_CIPHER *SSL_get_pending_cipher(const SSL *s)
5326 {
5327 const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
5328
5329 if (sc == NULL)
5330 return NULL;
5331
5332 return sc->s3.tmp.new_cipher;
5333 }
5334
5335 const COMP_METHOD *SSL_get_current_compression(const SSL *s)
5336 {
5337 #ifndef OPENSSL_NO_COMP
5338 const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL_ONLY(s);
5339
5340 if (sc == NULL)
5341 return NULL;
5342
5343 return sc->rlayer.wrlmethod->get_compression(sc->rlayer.wrl);
5344 #else
5345 return NULL;
5346 #endif
5347 }
5348
5349 const COMP_METHOD *SSL_get_current_expansion(const SSL *s)
5350 {
5351 #ifndef OPENSSL_NO_COMP
5352 const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL_ONLY(s);
5353
5354 if (sc == NULL)
5355 return NULL;
5356
5357 return sc->rlayer.rrlmethod->get_compression(sc->rlayer.rrl);
5358 #else
5359 return NULL;
5360 #endif
5361 }
5362
5363 int ssl_init_wbio_buffer(SSL_CONNECTION *s)
5364 {
5365 BIO *bbio;
5366
5367 if (s->bbio != NULL) {
5368 /* Already buffered. */
5369 return 1;
5370 }
5371
5372 bbio = BIO_new(BIO_f_buffer());
5373 if (bbio == NULL || BIO_set_read_buffer_size(bbio, 1) <= 0) {
5374 BIO_free(bbio);
5375 ERR_raise(ERR_LIB_SSL, ERR_R_BUF_LIB);
5376 return 0;
5377 }
5378 s->bbio = bbio;
5379 s->wbio = BIO_push(bbio, s->wbio);
5380
5381 s->rlayer.wrlmethod->set1_bio(s->rlayer.wrl, s->wbio);
5382
5383 return 1;
5384 }
5385
5386 int ssl_free_wbio_buffer(SSL_CONNECTION *s)
5387 {
5388 /* callers ensure s is never null */
5389 if (s->bbio == NULL)
5390 return 1;
5391
5392 s->wbio = BIO_pop(s->wbio);
5393 s->rlayer.wrlmethod->set1_bio(s->rlayer.wrl, s->wbio);
5394
5395 BIO_free(s->bbio);
5396 s->bbio = NULL;
5397
5398 return 1;
5399 }
5400
5401 void SSL_CTX_set_quiet_shutdown(SSL_CTX *ctx, int mode)
5402 {
5403 ctx->quiet_shutdown = mode;
5404 }
5405
5406 int SSL_CTX_get_quiet_shutdown(const SSL_CTX *ctx)
5407 {
5408 return ctx->quiet_shutdown;
5409 }
5410
5411 void SSL_set_quiet_shutdown(SSL *s, int mode)
5412 {
5413 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL_ONLY(s);
5414
5415 /* Not supported with QUIC */
5416 if (sc == NULL)
5417 return;
5418
5419 sc->quiet_shutdown = mode;
5420 }
5421
5422 int SSL_get_quiet_shutdown(const SSL *s)
5423 {
5424 const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL_ONLY(s);
5425
5426 /* Not supported with QUIC */
5427 if (sc == NULL)
5428 return 0;
5429
5430 return sc->quiet_shutdown;
5431 }
5432
5433 void SSL_set_shutdown(SSL *s, int mode)
5434 {
5435 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL_ONLY(s);
5436
5437 /* Not supported with QUIC */
5438 if (sc == NULL)
5439 return;
5440
5441 sc->shutdown = mode;
5442 }
5443
5444 int SSL_get_shutdown(const SSL *s)
5445 {
5446 const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL_ONLY(s);
5447
5448 #ifndef OPENSSL_NO_QUIC
5449 /* QUIC: Just indicate whether the connection was shutdown cleanly. */
5450 if (IS_QUIC(s))
5451 return ossl_quic_get_shutdown(s);
5452 #endif
5453
5454 if (sc == NULL)
5455 return 0;
5456
5457 return sc->shutdown;
5458 }
5459
5460 int SSL_version(const SSL *s)
5461 {
5462 const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
5463
5464 #ifndef OPENSSL_NO_QUIC
5465 /* We only support QUICv1 - so if its QUIC its QUICv1 */
5466 if (s->type == SSL_TYPE_QUIC_CONNECTION || s->type == SSL_TYPE_QUIC_XSO)
5467 return OSSL_QUIC1_VERSION;
5468 #endif
5469 if (sc == NULL)
5470 return 0;
5471
5472 return sc->version;
5473 }
5474
5475 int SSL_client_version(const SSL *s)
5476 {
5477 const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
5478
5479 #ifndef OPENSSL_NO_QUIC
5480 /* We only support QUICv1 - so if its QUIC its QUICv1 */
5481 if (s->type == SSL_TYPE_QUIC_CONNECTION || s->type == SSL_TYPE_QUIC_XSO)
5482 return OSSL_QUIC1_VERSION;
5483 #endif
5484 if (sc == NULL)
5485 return 0;
5486
5487 return sc->client_version;
5488 }
5489
5490 SSL_CTX *SSL_get_SSL_CTX(const SSL *ssl)
5491 {
5492 return ssl->ctx;
5493 }
5494
5495 SSL_CTX *SSL_set_SSL_CTX(SSL *ssl, SSL_CTX *ctx)
5496 {
5497 CERT *new_cert;
5498 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL_ONLY(ssl);
5499
5500 /* TODO(QUIC FUTURE): Add support for QUIC */
5501 if (sc == NULL)
5502 return NULL;
5503
5504 if (ssl->ctx == ctx)
5505 return ssl->ctx;
5506 if (ctx == NULL)
5507 ctx = sc->session_ctx;
5508 new_cert = ssl_cert_dup(ctx->cert);
5509 if (new_cert == NULL)
5510 goto err;
5511 if (!custom_exts_copy_conn(&new_cert->custext, &sc->cert->custext))
5512 goto err;
5513 if (!custom_exts_copy_flags(&new_cert->custext, &sc->cert->custext))
5514 goto err;
5515
5516 /*
5517 * Program invariant: |sid_ctx| has fixed size (SSL_MAX_SID_CTX_LENGTH),
5518 * so setter APIs must prevent invalid lengths from entering the system.
5519 */
5520 if (!ossl_assert(sc->sid_ctx_length <= sizeof(sc->sid_ctx)))
5521 goto err;
5522 if (!SSL_CTX_up_ref(ctx))
5523 goto err;
5524
5525 /*
5526 * If the session ID context matches that of the parent SSL_CTX,
5527 * inherit it from the new SSL_CTX as well. If however the context does
5528 * not match (i.e., it was set per-ssl with SSL_set_session_id_context),
5529 * leave it unchanged.
5530 */
5531 if ((ssl->ctx != NULL) &&
5532 (sc->sid_ctx_length == ssl->ctx->sid_ctx_length) &&
5533 (memcmp(sc->sid_ctx, ssl->ctx->sid_ctx, sc->sid_ctx_length) == 0)) {
5534 sc->sid_ctx_length = ctx->sid_ctx_length;
5535 memcpy(&sc->sid_ctx, &ctx->sid_ctx, sizeof(sc->sid_ctx));
5536 }
5537
5538 ssl_cert_free(sc->cert);
5539 sc->cert = new_cert;
5540 SSL_CTX_free(ssl->ctx); /* decrement reference count */
5541 ssl->ctx = ctx;
5542
5543 return ssl->ctx;
5544
5545 err:
5546 ssl_cert_free(new_cert);
5547 return NULL;
5548 }
5549
5550 int SSL_CTX_set_default_verify_paths(SSL_CTX *ctx)
5551 {
5552 return X509_STORE_set_default_paths_ex(ctx->cert_store, ctx->libctx,
5553 ctx->propq);
5554 }
5555
5556 int SSL_CTX_set_default_verify_dir(SSL_CTX *ctx)
5557 {
5558 X509_LOOKUP *lookup;
5559
5560 lookup = X509_STORE_add_lookup(ctx->cert_store, X509_LOOKUP_hash_dir());
5561 if (lookup == NULL)
5562 return 0;
5563
5564 /* We ignore errors, in case the directory doesn't exist */
5565 ERR_set_mark();
5566
5567 X509_LOOKUP_add_dir(lookup, NULL, X509_FILETYPE_DEFAULT);
5568
5569 ERR_pop_to_mark();
5570
5571 return 1;
5572 }
5573
5574 int SSL_CTX_set_default_verify_file(SSL_CTX *ctx)
5575 {
5576 X509_LOOKUP *lookup;
5577
5578 lookup = X509_STORE_add_lookup(ctx->cert_store, X509_LOOKUP_file());
5579 if (lookup == NULL)
5580 return 0;
5581
5582 /* We ignore errors, in case the file doesn't exist */
5583 ERR_set_mark();
5584
5585 X509_LOOKUP_load_file_ex(lookup, NULL, X509_FILETYPE_DEFAULT, ctx->libctx,
5586 ctx->propq);
5587
5588 ERR_pop_to_mark();
5589
5590 return 1;
5591 }
5592
5593 int SSL_CTX_set_default_verify_store(SSL_CTX *ctx)
5594 {
5595 X509_LOOKUP *lookup;
5596
5597 lookup = X509_STORE_add_lookup(ctx->cert_store, X509_LOOKUP_store());
5598 if (lookup == NULL)
5599 return 0;
5600
5601 /* We ignore errors, in case the directory doesn't exist */
5602 ERR_set_mark();
5603
5604 X509_LOOKUP_add_store_ex(lookup, NULL, ctx->libctx, ctx->propq);
5605
5606 ERR_pop_to_mark();
5607
5608 return 1;
5609 }
5610
5611 int SSL_CTX_load_verify_file(SSL_CTX *ctx, const char *CAfile)
5612 {
5613 return X509_STORE_load_file_ex(ctx->cert_store, CAfile, ctx->libctx,
5614 ctx->propq);
5615 }
5616
5617 int SSL_CTX_load_verify_dir(SSL_CTX *ctx, const char *CApath)
5618 {
5619 return X509_STORE_load_path(ctx->cert_store, CApath);
5620 }
5621
5622 int SSL_CTX_load_verify_store(SSL_CTX *ctx, const char *CAstore)
5623 {
5624 return X509_STORE_load_store_ex(ctx->cert_store, CAstore, ctx->libctx,
5625 ctx->propq);
5626 }
5627
5628 int SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile,
5629 const char *CApath)
5630 {
5631 if (CAfile == NULL && CApath == NULL)
5632 return 0;
5633 if (CAfile != NULL && !SSL_CTX_load_verify_file(ctx, CAfile))
5634 return 0;
5635 if (CApath != NULL && !SSL_CTX_load_verify_dir(ctx, CApath))
5636 return 0;
5637 return 1;
5638 }
5639
5640 void SSL_set_info_callback(SSL *ssl,
5641 void (*cb) (const SSL *ssl, int type, int val))
5642 {
5643 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(ssl);
5644
5645 if (sc == NULL)
5646 return;
5647
5648 sc->info_callback = cb;
5649 }
5650
5651 /*
5652 * One compiler (Diab DCC) doesn't like argument names in returned function
5653 * pointer.
5654 */
5655 void (*SSL_get_info_callback(const SSL *ssl)) (const SSL * /* ssl */ ,
5656 int /* type */ ,
5657 int /* val */ ) {
5658 const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(ssl);
5659
5660 if (sc == NULL)
5661 return NULL;
5662
5663 return sc->info_callback;
5664 }
5665
5666 void SSL_set_verify_result(SSL *ssl, long arg)
5667 {
5668 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(ssl);
5669
5670 if (sc == NULL)
5671 return;
5672
5673 sc->verify_result = arg;
5674 }
5675
5676 long SSL_get_verify_result(const SSL *ssl)
5677 {
5678 const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(ssl);
5679
5680 if (sc == NULL)
5681 return 0;
5682
5683 return sc->verify_result;
5684 }
5685
5686 size_t SSL_get_client_random(const SSL *ssl, unsigned char *out, size_t outlen)
5687 {
5688 const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(ssl);
5689
5690 if (sc == NULL)
5691 return 0;
5692
5693 if (outlen == 0)
5694 return sizeof(sc->s3.client_random);
5695 if (outlen > sizeof(sc->s3.client_random))
5696 outlen = sizeof(sc->s3.client_random);
5697 memcpy(out, sc->s3.client_random, outlen);
5698 return outlen;
5699 }
5700
5701 size_t SSL_get_server_random(const SSL *ssl, unsigned char *out, size_t outlen)
5702 {
5703 const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(ssl);
5704
5705 if (sc == NULL)
5706 return 0;
5707
5708 if (outlen == 0)
5709 return sizeof(sc->s3.server_random);
5710 if (outlen > sizeof(sc->s3.server_random))
5711 outlen = sizeof(sc->s3.server_random);
5712 memcpy(out, sc->s3.server_random, outlen);
5713 return outlen;
5714 }
5715
5716 size_t SSL_SESSION_get_master_key(const SSL_SESSION *session,
5717 unsigned char *out, size_t outlen)
5718 {
5719 if (outlen == 0)
5720 return session->master_key_length;
5721 if (outlen > session->master_key_length)
5722 outlen = session->master_key_length;
5723 memcpy(out, session->master_key, outlen);
5724 return outlen;
5725 }
5726
5727 int SSL_SESSION_set1_master_key(SSL_SESSION *sess, const unsigned char *in,
5728 size_t len)
5729 {
5730 if (len > sizeof(sess->master_key))
5731 return 0;
5732
5733 memcpy(sess->master_key, in, len);
5734 sess->master_key_length = len;
5735 return 1;
5736 }
5737
5738
5739 int SSL_set_ex_data(SSL *s, int idx, void *arg)
5740 {
5741 return CRYPTO_set_ex_data(&s->ex_data, idx, arg);
5742 }
5743
5744 void *SSL_get_ex_data(const SSL *s, int idx)
5745 {
5746 return CRYPTO_get_ex_data(&s->ex_data, idx);
5747 }
5748
5749 int SSL_CTX_set_ex_data(SSL_CTX *s, int idx, void *arg)
5750 {
5751 return CRYPTO_set_ex_data(&s->ex_data, idx, arg);
5752 }
5753
5754 void *SSL_CTX_get_ex_data(const SSL_CTX *s, int idx)
5755 {
5756 return CRYPTO_get_ex_data(&s->ex_data, idx);
5757 }
5758
5759 X509_STORE *SSL_CTX_get_cert_store(const SSL_CTX *ctx)
5760 {
5761 return ctx->cert_store;
5762 }
5763
5764 void SSL_CTX_set_cert_store(SSL_CTX *ctx, X509_STORE *store)
5765 {
5766 X509_STORE_free(ctx->cert_store);
5767 ctx->cert_store = store;
5768 }
5769
5770 void SSL_CTX_set1_cert_store(SSL_CTX *ctx, X509_STORE *store)
5771 {
5772 if (store != NULL && !X509_STORE_up_ref(store))
5773 return;
5774
5775 SSL_CTX_set_cert_store(ctx, store);
5776 }
5777
5778 int SSL_want(const SSL *s)
5779 {
5780 const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
5781
5782 #ifndef OPENSSL_NO_QUIC
5783 if (IS_QUIC(s))
5784 return ossl_quic_want(s);
5785 #endif
5786
5787 if (sc == NULL)
5788 return SSL_NOTHING;
5789
5790 return sc->rwstate;
5791 }
5792
5793 #ifndef OPENSSL_NO_PSK
5794 int SSL_CTX_use_psk_identity_hint(SSL_CTX *ctx, const char *identity_hint)
5795 {
5796 if (identity_hint != NULL && strlen(identity_hint) > PSK_MAX_IDENTITY_LEN) {
5797 ERR_raise(ERR_LIB_SSL, SSL_R_DATA_LENGTH_TOO_LONG);
5798 return 0;
5799 }
5800 OPENSSL_free(ctx->cert->psk_identity_hint);
5801 if (identity_hint != NULL) {
5802 ctx->cert->psk_identity_hint = OPENSSL_strdup(identity_hint);
5803 if (ctx->cert->psk_identity_hint == NULL)
5804 return 0;
5805 } else
5806 ctx->cert->psk_identity_hint = NULL;
5807 return 1;
5808 }
5809
5810 int SSL_use_psk_identity_hint(SSL *s, const char *identity_hint)
5811 {
5812 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
5813
5814 if (sc == NULL)
5815 return 0;
5816
5817 if (identity_hint != NULL && strlen(identity_hint) > PSK_MAX_IDENTITY_LEN) {
5818 ERR_raise(ERR_LIB_SSL, SSL_R_DATA_LENGTH_TOO_LONG);
5819 return 0;
5820 }
5821 OPENSSL_free(sc->cert->psk_identity_hint);
5822 if (identity_hint != NULL) {
5823 sc->cert->psk_identity_hint = OPENSSL_strdup(identity_hint);
5824 if (sc->cert->psk_identity_hint == NULL)
5825 return 0;
5826 } else
5827 sc->cert->psk_identity_hint = NULL;
5828 return 1;
5829 }
5830
5831 const char *SSL_get_psk_identity_hint(const SSL *s)
5832 {
5833 const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
5834
5835 if (sc == NULL || sc->session == NULL)
5836 return NULL;
5837
5838 return sc->session->psk_identity_hint;
5839 }
5840
5841 const char *SSL_get_psk_identity(const SSL *s)
5842 {
5843 const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
5844
5845 if (sc == NULL || sc->session == NULL)
5846 return NULL;
5847
5848 return sc->session->psk_identity;
5849 }
5850
5851 void SSL_set_psk_client_callback(SSL *s, SSL_psk_client_cb_func cb)
5852 {
5853 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
5854
5855 if (sc == NULL)
5856 return;
5857
5858 sc->psk_client_callback = cb;
5859 }
5860
5861 void SSL_CTX_set_psk_client_callback(SSL_CTX *ctx, SSL_psk_client_cb_func cb)
5862 {
5863 ctx->psk_client_callback = cb;
5864 }
5865
5866 void SSL_set_psk_server_callback(SSL *s, SSL_psk_server_cb_func cb)
5867 {
5868 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
5869
5870 if (sc == NULL)
5871 return;
5872
5873 sc->psk_server_callback = cb;
5874 }
5875
5876 void SSL_CTX_set_psk_server_callback(SSL_CTX *ctx, SSL_psk_server_cb_func cb)
5877 {
5878 ctx->psk_server_callback = cb;
5879 }
5880 #endif
5881
5882 void SSL_set_psk_find_session_callback(SSL *s, SSL_psk_find_session_cb_func cb)
5883 {
5884 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
5885
5886 if (sc == NULL)
5887 return;
5888
5889 sc->psk_find_session_cb = cb;
5890 }
5891
5892 void SSL_CTX_set_psk_find_session_callback(SSL_CTX *ctx,
5893 SSL_psk_find_session_cb_func cb)
5894 {
5895 ctx->psk_find_session_cb = cb;
5896 }
5897
5898 void SSL_set_psk_use_session_callback(SSL *s, SSL_psk_use_session_cb_func cb)
5899 {
5900 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
5901
5902 if (sc == NULL)
5903 return;
5904
5905 sc->psk_use_session_cb = cb;
5906 }
5907
5908 void SSL_CTX_set_psk_use_session_callback(SSL_CTX *ctx,
5909 SSL_psk_use_session_cb_func cb)
5910 {
5911 ctx->psk_use_session_cb = cb;
5912 }
5913
5914 void SSL_CTX_set_msg_callback(SSL_CTX *ctx,
5915 void (*cb) (int write_p, int version,
5916 int content_type, const void *buf,
5917 size_t len, SSL *ssl, void *arg))
5918 {
5919 SSL_CTX_callback_ctrl(ctx, SSL_CTRL_SET_MSG_CALLBACK, (void (*)(void))cb);
5920 }
5921
5922 void SSL_set_msg_callback(SSL *ssl,
5923 void (*cb) (int write_p, int version,
5924 int content_type, const void *buf,
5925 size_t len, SSL *ssl, void *arg))
5926 {
5927 SSL_callback_ctrl(ssl, SSL_CTRL_SET_MSG_CALLBACK, (void (*)(void))cb);
5928 }
5929
5930 void SSL_CTX_set_not_resumable_session_callback(SSL_CTX *ctx,
5931 int (*cb) (SSL *ssl,
5932 int
5933 is_forward_secure))
5934 {
5935 SSL_CTX_callback_ctrl(ctx, SSL_CTRL_SET_NOT_RESUMABLE_SESS_CB,
5936 (void (*)(void))cb);
5937 }
5938
5939 void SSL_set_not_resumable_session_callback(SSL *ssl,
5940 int (*cb) (SSL *ssl,
5941 int is_forward_secure))
5942 {
5943 SSL_callback_ctrl(ssl, SSL_CTRL_SET_NOT_RESUMABLE_SESS_CB,
5944 (void (*)(void))cb);
5945 }
5946
5947 void SSL_CTX_set_record_padding_callback(SSL_CTX *ctx,
5948 size_t (*cb) (SSL *ssl, int type,
5949 size_t len, void *arg))
5950 {
5951 ctx->record_padding_cb = cb;
5952 }
5953
5954 void SSL_CTX_set_record_padding_callback_arg(SSL_CTX *ctx, void *arg)
5955 {
5956 ctx->record_padding_arg = arg;
5957 }
5958
5959 void *SSL_CTX_get_record_padding_callback_arg(const SSL_CTX *ctx)
5960 {
5961 return ctx->record_padding_arg;
5962 }
5963
5964 int SSL_CTX_set_block_padding_ex(SSL_CTX *ctx, size_t app_block_size,
5965 size_t hs_block_size)
5966 {
5967 if (IS_QUIC_CTX(ctx) && (app_block_size > 1 || hs_block_size > 1))
5968 return 0;
5969
5970 /* block size of 0 or 1 is basically no padding */
5971 if (app_block_size == 1) {
5972 ctx->block_padding = 0;
5973 } else if (app_block_size <= SSL3_RT_MAX_PLAIN_LENGTH) {
5974 ctx->block_padding = app_block_size;
5975 } else {
5976 return 0;
5977 }
5978 if (hs_block_size == 1) {
5979 ctx->hs_padding = 0;
5980 } else if (hs_block_size <= SSL3_RT_MAX_PLAIN_LENGTH) {
5981 ctx->hs_padding = hs_block_size;
5982 } else {
5983 return 0;
5984 }
5985 return 1;
5986 }
5987
5988 int SSL_CTX_set_block_padding(SSL_CTX *ctx, size_t block_size)
5989 {
5990 return SSL_CTX_set_block_padding_ex(ctx, block_size, block_size);
5991 }
5992
5993 int SSL_set_record_padding_callback(SSL *ssl,
5994 size_t (*cb) (SSL *ssl, int type,
5995 size_t len, void *arg))
5996 {
5997 BIO *b;
5998 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL_ONLY(ssl);
5999
6000 if (sc == NULL)
6001 return 0;
6002
6003 b = SSL_get_wbio(ssl);
6004 if (b == NULL || !BIO_get_ktls_send(b)) {
6005 sc->rlayer.record_padding_cb = cb;
6006 return 1;
6007 }
6008 return 0;
6009 }
6010
6011 void SSL_set_record_padding_callback_arg(SSL *ssl, void *arg)
6012 {
6013 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(ssl);
6014
6015 if (sc == NULL)
6016 return;
6017
6018 sc->rlayer.record_padding_arg = arg;
6019 }
6020
6021 void *SSL_get_record_padding_callback_arg(const SSL *ssl)
6022 {
6023 const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(ssl);
6024
6025 if (sc == NULL)
6026 return NULL;
6027
6028 return sc->rlayer.record_padding_arg;
6029 }
6030
6031 int SSL_set_block_padding_ex(SSL *ssl, size_t app_block_size,
6032 size_t hs_block_size)
6033 {
6034 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(ssl);
6035
6036 if (sc == NULL
6037 || (IS_QUIC(ssl)
6038 && (app_block_size > 1 || hs_block_size > 1)))
6039 return 0;
6040
6041 /* block size of 0 or 1 is basically no padding */
6042 if (app_block_size == 1) {
6043 sc->rlayer.block_padding = 0;
6044 } else if (app_block_size <= SSL3_RT_MAX_PLAIN_LENGTH) {
6045 sc->rlayer.block_padding = app_block_size;
6046 } else {
6047 return 0;
6048 }
6049 if (hs_block_size == 1) {
6050 sc->rlayer.hs_padding = 0;
6051 } else if (hs_block_size <= SSL3_RT_MAX_PLAIN_LENGTH) {
6052 sc->rlayer.hs_padding = hs_block_size;
6053 } else {
6054 return 0;
6055 }
6056 return 1;
6057 }
6058
6059 int SSL_set_block_padding(SSL *ssl, size_t block_size)
6060 {
6061 return SSL_set_block_padding_ex(ssl, block_size, block_size);
6062 }
6063
6064 int SSL_set_num_tickets(SSL *s, size_t num_tickets)
6065 {
6066 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
6067
6068 if (sc == NULL)
6069 return 0;
6070
6071 sc->num_tickets = num_tickets;
6072
6073 return 1;
6074 }
6075
6076 size_t SSL_get_num_tickets(const SSL *s)
6077 {
6078 const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
6079
6080 if (sc == NULL)
6081 return 0;
6082
6083 return sc->num_tickets;
6084 }
6085
6086 int SSL_CTX_set_num_tickets(SSL_CTX *ctx, size_t num_tickets)
6087 {
6088 ctx->num_tickets = num_tickets;
6089
6090 return 1;
6091 }
6092
6093 size_t SSL_CTX_get_num_tickets(const SSL_CTX *ctx)
6094 {
6095 return ctx->num_tickets;
6096 }
6097
6098 /* Retrieve handshake hashes */
6099 int ssl_handshake_hash(SSL_CONNECTION *s,
6100 unsigned char *out, size_t outlen,
6101 size_t *hashlen)
6102 {
6103 EVP_MD_CTX *ctx = NULL;
6104 EVP_MD_CTX *hdgst = s->s3.handshake_dgst;
6105 int hashleni = EVP_MD_CTX_get_size(hdgst);
6106 int ret = 0;
6107
6108 if (hashleni < 0 || (size_t)hashleni > outlen) {
6109 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
6110 goto err;
6111 }
6112
6113 ctx = EVP_MD_CTX_new();
6114 if (ctx == NULL) {
6115 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
6116 goto err;
6117 }
6118
6119 if (!EVP_MD_CTX_copy_ex(ctx, hdgst)
6120 || EVP_DigestFinal_ex(ctx, out, NULL) <= 0) {
6121 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
6122 goto err;
6123 }
6124
6125 *hashlen = hashleni;
6126
6127 ret = 1;
6128 err:
6129 EVP_MD_CTX_free(ctx);
6130 return ret;
6131 }
6132
6133 int SSL_session_reused(const SSL *s)
6134 {
6135 const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
6136
6137 if (sc == NULL)
6138 return 0;
6139
6140 return sc->hit;
6141 }
6142
6143 int SSL_is_server(const SSL *s)
6144 {
6145 const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
6146
6147 if (sc == NULL)
6148 return 0;
6149
6150 return sc->server;
6151 }
6152
6153 #ifndef OPENSSL_NO_DEPRECATED_1_1_0
6154 void SSL_set_debug(SSL *s, int debug)
6155 {
6156 /* Old function was do-nothing anyway... */
6157 (void)s;
6158 (void)debug;
6159 }
6160 #endif
6161
6162 void SSL_set_security_level(SSL *s, int level)
6163 {
6164 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
6165
6166 if (sc == NULL)
6167 return;
6168
6169 sc->cert->sec_level = level;
6170 }
6171
6172 int SSL_get_security_level(const SSL *s)
6173 {
6174 const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
6175
6176 if (sc == NULL)
6177 return 0;
6178
6179 return sc->cert->sec_level;
6180 }
6181
6182 void SSL_set_security_callback(SSL *s,
6183 int (*cb) (const SSL *s, const SSL_CTX *ctx,
6184 int op, int bits, int nid,
6185 void *other, void *ex))
6186 {
6187 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
6188
6189 if (sc == NULL)
6190 return;
6191
6192 sc->cert->sec_cb = cb;
6193 }
6194
6195 int (*SSL_get_security_callback(const SSL *s)) (const SSL *s,
6196 const SSL_CTX *ctx, int op,
6197 int bits, int nid, void *other,
6198 void *ex) {
6199 const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
6200
6201 if (sc == NULL)
6202 return NULL;
6203
6204 return sc->cert->sec_cb;
6205 }
6206
6207 void SSL_set0_security_ex_data(SSL *s, void *ex)
6208 {
6209 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
6210
6211 if (sc == NULL)
6212 return;
6213
6214 sc->cert->sec_ex = ex;
6215 }
6216
6217 void *SSL_get0_security_ex_data(const SSL *s)
6218 {
6219 const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
6220
6221 if (sc == NULL)
6222 return NULL;
6223
6224 return sc->cert->sec_ex;
6225 }
6226
6227 void SSL_CTX_set_security_level(SSL_CTX *ctx, int level)
6228 {
6229 ctx->cert->sec_level = level;
6230 }
6231
6232 int SSL_CTX_get_security_level(const SSL_CTX *ctx)
6233 {
6234 return ctx->cert->sec_level;
6235 }
6236
6237 void SSL_CTX_set_security_callback(SSL_CTX *ctx,
6238 int (*cb) (const SSL *s, const SSL_CTX *ctx,
6239 int op, int bits, int nid,
6240 void *other, void *ex))
6241 {
6242 ctx->cert->sec_cb = cb;
6243 }
6244
6245 int (*SSL_CTX_get_security_callback(const SSL_CTX *ctx)) (const SSL *s,
6246 const SSL_CTX *ctx,
6247 int op, int bits,
6248 int nid,
6249 void *other,
6250 void *ex) {
6251 return ctx->cert->sec_cb;
6252 }
6253
6254 void SSL_CTX_set0_security_ex_data(SSL_CTX *ctx, void *ex)
6255 {
6256 ctx->cert->sec_ex = ex;
6257 }
6258
6259 void *SSL_CTX_get0_security_ex_data(const SSL_CTX *ctx)
6260 {
6261 return ctx->cert->sec_ex;
6262 }
6263
6264 uint64_t SSL_CTX_get_options(const SSL_CTX *ctx)
6265 {
6266 return ctx->options;
6267 }
6268
6269 uint64_t SSL_get_options(const SSL *s)
6270 {
6271 const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
6272
6273 #ifndef OPENSSL_NO_QUIC
6274 if (IS_QUIC(s))
6275 return ossl_quic_get_options(s);
6276 #endif
6277
6278 if (sc == NULL)
6279 return 0;
6280
6281 return sc->options;
6282 }
6283
6284 uint64_t SSL_CTX_set_options(SSL_CTX *ctx, uint64_t op)
6285 {
6286 return ctx->options |= op;
6287 }
6288
6289 uint64_t SSL_set_options(SSL *s, uint64_t op)
6290 {
6291 SSL_CONNECTION *sc;
6292 OSSL_PARAM options[2], *opts = options;
6293
6294 #ifndef OPENSSL_NO_QUIC
6295 if (IS_QUIC(s))
6296 return ossl_quic_set_options(s, op);
6297 #endif
6298
6299 sc = SSL_CONNECTION_FROM_SSL(s);
6300 if (sc == NULL)
6301 return 0;
6302
6303 sc->options |= op;
6304
6305 *opts++ = OSSL_PARAM_construct_uint64(OSSL_LIBSSL_RECORD_LAYER_PARAM_OPTIONS,
6306 &sc->options);
6307 *opts = OSSL_PARAM_construct_end();
6308
6309 /* Ignore return value */
6310 sc->rlayer.rrlmethod->set_options(sc->rlayer.rrl, options);
6311 sc->rlayer.wrlmethod->set_options(sc->rlayer.wrl, options);
6312
6313 return sc->options;
6314 }
6315
6316 uint64_t SSL_CTX_clear_options(SSL_CTX *ctx, uint64_t op)
6317 {
6318 return ctx->options &= ~op;
6319 }
6320
6321 uint64_t SSL_clear_options(SSL *s, uint64_t op)
6322 {
6323 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
6324 OSSL_PARAM options[2], *opts = options;
6325
6326 #ifndef OPENSSL_NO_QUIC
6327 if (IS_QUIC(s))
6328 return ossl_quic_clear_options(s, op);
6329 #endif
6330
6331 if (sc == NULL)
6332 return 0;
6333
6334 sc->options &= ~op;
6335
6336 *opts++ = OSSL_PARAM_construct_uint64(OSSL_LIBSSL_RECORD_LAYER_PARAM_OPTIONS,
6337 &sc->options);
6338 *opts = OSSL_PARAM_construct_end();
6339
6340 /* Ignore return value */
6341 sc->rlayer.rrlmethod->set_options(sc->rlayer.rrl, options);
6342 sc->rlayer.wrlmethod->set_options(sc->rlayer.wrl, options);
6343
6344 return sc->options;
6345 }
6346
6347 STACK_OF(X509) *SSL_get0_verified_chain(const SSL *s)
6348 {
6349 const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
6350
6351 if (sc == NULL)
6352 return NULL;
6353
6354 return sc->verified_chain;
6355 }
6356
6357 IMPLEMENT_OBJ_BSEARCH_GLOBAL_CMP_FN(SSL_CIPHER, SSL_CIPHER, ssl_cipher_id);
6358
6359 #ifndef OPENSSL_NO_CT
6360
6361 /*
6362 * Moves SCTs from the |src| stack to the |dst| stack.
6363 * The source of each SCT will be set to |origin|.
6364 * If |dst| points to a NULL pointer, a new stack will be created and owned by
6365 * the caller.
6366 * Returns the number of SCTs moved, or a negative integer if an error occurs.
6367 * The |dst| stack is created and possibly partially populated even in case
6368 * of error, likewise the |src| stack may be left in an intermediate state.
6369 */
6370 static int ct_move_scts(STACK_OF(SCT) **dst, STACK_OF(SCT) *src,
6371 sct_source_t origin)
6372 {
6373 int scts_moved = 0;
6374 SCT *sct = NULL;
6375
6376 if (*dst == NULL) {
6377 *dst = sk_SCT_new_null();
6378 if (*dst == NULL) {
6379 ERR_raise(ERR_LIB_SSL, ERR_R_CRYPTO_LIB);
6380 goto err;
6381 }
6382 }
6383
6384 while ((sct = sk_SCT_pop(src)) != NULL) {
6385 if (SCT_set_source(sct, origin) != 1)
6386 goto err;
6387
6388 if (!sk_SCT_push(*dst, sct))
6389 goto err;
6390 scts_moved += 1;
6391 }
6392
6393 return scts_moved;
6394 err:
6395 SCT_free(sct);
6396 return -1;
6397 }
6398
6399 /*
6400 * Look for data collected during ServerHello and parse if found.
6401 * Returns the number of SCTs extracted.
6402 */
6403 static int ct_extract_tls_extension_scts(SSL_CONNECTION *s)
6404 {
6405 int scts_extracted = 0;
6406
6407 if (s->ext.scts != NULL) {
6408 const unsigned char *p = s->ext.scts;
6409 STACK_OF(SCT) *scts = o2i_SCT_LIST(NULL, &p, s->ext.scts_len);
6410
6411 scts_extracted = ct_move_scts(&s->scts, scts, SCT_SOURCE_TLS_EXTENSION);
6412
6413 SCT_LIST_free(scts);
6414 }
6415
6416 return scts_extracted;
6417 }
6418
6419 /*
6420 * Checks for an OCSP response and then attempts to extract any SCTs found if it
6421 * contains an SCT X509 extension. They will be stored in |s->scts|.
6422 * Returns:
6423 * - The number of SCTs extracted, assuming an OCSP response exists.
6424 * - 0 if no OCSP response exists or it contains no SCTs.
6425 * - A negative integer if an error occurs.
6426 */
6427 static int ct_extract_ocsp_response_scts(SSL_CONNECTION *s)
6428 {
6429 # ifndef OPENSSL_NO_OCSP
6430 int scts_extracted = 0;
6431 const unsigned char *p;
6432 OCSP_BASICRESP *br = NULL;
6433 OCSP_RESPONSE *rsp = NULL;
6434 STACK_OF(SCT) *scts = NULL;
6435 int i;
6436
6437 if (s->ext.ocsp.resp == NULL || s->ext.ocsp.resp_len == 0)
6438 goto err;
6439
6440 p = s->ext.ocsp.resp;
6441 rsp = d2i_OCSP_RESPONSE(NULL, &p, (int)s->ext.ocsp.resp_len);
6442 if (rsp == NULL)
6443 goto err;
6444
6445 br = OCSP_response_get1_basic(rsp);
6446 if (br == NULL)
6447 goto err;
6448
6449 for (i = 0; i < OCSP_resp_count(br); ++i) {
6450 OCSP_SINGLERESP *single = OCSP_resp_get0(br, i);
6451
6452 if (single == NULL)
6453 continue;
6454
6455 scts =
6456 OCSP_SINGLERESP_get1_ext_d2i(single, NID_ct_cert_scts, NULL, NULL);
6457 scts_extracted =
6458 ct_move_scts(&s->scts, scts, SCT_SOURCE_OCSP_STAPLED_RESPONSE);
6459 if (scts_extracted < 0)
6460 goto err;
6461 }
6462 err:
6463 SCT_LIST_free(scts);
6464 OCSP_BASICRESP_free(br);
6465 OCSP_RESPONSE_free(rsp);
6466 return scts_extracted;
6467 # else
6468 /* Behave as if no OCSP response exists */
6469 return 0;
6470 # endif
6471 }
6472
6473 /*
6474 * Attempts to extract SCTs from the peer certificate.
6475 * Return the number of SCTs extracted, or a negative integer if an error
6476 * occurs.
6477 */
6478 static int ct_extract_x509v3_extension_scts(SSL_CONNECTION *s)
6479 {
6480 int scts_extracted = 0;
6481 X509 *cert = s->session != NULL ? s->session->peer : NULL;
6482
6483 if (cert != NULL) {
6484 STACK_OF(SCT) *scts =
6485 X509_get_ext_d2i(cert, NID_ct_precert_scts, NULL, NULL);
6486
6487 scts_extracted =
6488 ct_move_scts(&s->scts, scts, SCT_SOURCE_X509V3_EXTENSION);
6489
6490 SCT_LIST_free(scts);
6491 }
6492
6493 return scts_extracted;
6494 }
6495
6496 /*
6497 * Attempts to find all received SCTs by checking TLS extensions, the OCSP
6498 * response (if it exists) and X509v3 extensions in the certificate.
6499 * Returns NULL if an error occurs.
6500 */
6501 const STACK_OF(SCT) *SSL_get0_peer_scts(SSL *s)
6502 {
6503 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
6504
6505 if (sc == NULL)
6506 return NULL;
6507
6508 if (!sc->scts_parsed) {
6509 if (ct_extract_tls_extension_scts(sc) < 0 ||
6510 ct_extract_ocsp_response_scts(sc) < 0 ||
6511 ct_extract_x509v3_extension_scts(sc) < 0)
6512 goto err;
6513
6514 sc->scts_parsed = 1;
6515 }
6516 return sc->scts;
6517 err:
6518 return NULL;
6519 }
6520
6521 static int ct_permissive(const CT_POLICY_EVAL_CTX *ctx,
6522 const STACK_OF(SCT) *scts, void *unused_arg)
6523 {
6524 return 1;
6525 }
6526
6527 static int ct_strict(const CT_POLICY_EVAL_CTX *ctx,
6528 const STACK_OF(SCT) *scts, void *unused_arg)
6529 {
6530 int count = scts != NULL ? sk_SCT_num(scts) : 0;
6531 int i;
6532
6533 for (i = 0; i < count; ++i) {
6534 SCT *sct = sk_SCT_value(scts, i);
6535 int status = SCT_get_validation_status(sct);
6536
6537 if (status == SCT_VALIDATION_STATUS_VALID)
6538 return 1;
6539 }
6540 ERR_raise(ERR_LIB_SSL, SSL_R_NO_VALID_SCTS);
6541 return 0;
6542 }
6543
6544 int SSL_set_ct_validation_callback(SSL *s, ssl_ct_validation_cb callback,
6545 void *arg)
6546 {
6547 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
6548
6549 if (sc == NULL)
6550 return 0;
6551
6552 /*
6553 * Since code exists that uses the custom extension handler for CT, look
6554 * for this and throw an error if they have already registered to use CT.
6555 */
6556 if (callback != NULL && SSL_CTX_has_client_custom_ext(s->ctx,
6557 TLSEXT_TYPE_signed_certificate_timestamp))
6558 {
6559 ERR_raise(ERR_LIB_SSL, SSL_R_CUSTOM_EXT_HANDLER_ALREADY_INSTALLED);
6560 return 0;
6561 }
6562
6563 if (callback != NULL) {
6564 /*
6565 * If we are validating CT, then we MUST accept SCTs served via OCSP
6566 */
6567 if (!SSL_set_tlsext_status_type(s, TLSEXT_STATUSTYPE_ocsp))
6568 return 0;
6569 }
6570
6571 sc->ct_validation_callback = callback;
6572 sc->ct_validation_callback_arg = arg;
6573
6574 return 1;
6575 }
6576
6577 int SSL_CTX_set_ct_validation_callback(SSL_CTX *ctx,
6578 ssl_ct_validation_cb callback, void *arg)
6579 {
6580 /*
6581 * Since code exists that uses the custom extension handler for CT, look for
6582 * this and throw an error if they have already registered to use CT.
6583 */
6584 if (callback != NULL && SSL_CTX_has_client_custom_ext(ctx,
6585 TLSEXT_TYPE_signed_certificate_timestamp))
6586 {
6587 ERR_raise(ERR_LIB_SSL, SSL_R_CUSTOM_EXT_HANDLER_ALREADY_INSTALLED);
6588 return 0;
6589 }
6590
6591 ctx->ct_validation_callback = callback;
6592 ctx->ct_validation_callback_arg = arg;
6593 return 1;
6594 }
6595
6596 int SSL_ct_is_enabled(const SSL *s)
6597 {
6598 const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
6599
6600 if (sc == NULL)
6601 return 0;
6602
6603 return sc->ct_validation_callback != NULL;
6604 }
6605
6606 int SSL_CTX_ct_is_enabled(const SSL_CTX *ctx)
6607 {
6608 return ctx->ct_validation_callback != NULL;
6609 }
6610
6611 int ssl_validate_ct(SSL_CONNECTION *s)
6612 {
6613 int ret = 0;
6614 X509 *cert = s->session != NULL ? s->session->peer : NULL;
6615 X509 *issuer;
6616 SSL_DANE *dane = &s->dane;
6617 CT_POLICY_EVAL_CTX *ctx = NULL;
6618 const STACK_OF(SCT) *scts;
6619
6620 /*
6621 * If no callback is set, the peer is anonymous, or its chain is invalid,
6622 * skip SCT validation - just return success. Applications that continue
6623 * handshakes without certificates, with unverified chains, or pinned leaf
6624 * certificates are outside the scope of the WebPKI and CT.
6625 *
6626 * The above exclusions notwithstanding the vast majority of peers will
6627 * have rather ordinary certificate chains validated by typical
6628 * applications that perform certificate verification and therefore will
6629 * process SCTs when enabled.
6630 */
6631 if (s->ct_validation_callback == NULL || cert == NULL ||
6632 s->verify_result != X509_V_OK ||
6633 s->verified_chain == NULL || sk_X509_num(s->verified_chain) <= 1)
6634 return 1;
6635
6636 /*
6637 * CT not applicable for chains validated via DANE-TA(2) or DANE-EE(3)
6638 * trust-anchors. See https://tools.ietf.org/html/rfc7671#section-4.2
6639 */
6640 if (DANETLS_ENABLED(dane) && dane->mtlsa != NULL) {
6641 switch (dane->mtlsa->usage) {
6642 case DANETLS_USAGE_DANE_TA:
6643 case DANETLS_USAGE_DANE_EE:
6644 return 1;
6645 }
6646 }
6647
6648 ctx = CT_POLICY_EVAL_CTX_new_ex(SSL_CONNECTION_GET_CTX(s)->libctx,
6649 SSL_CONNECTION_GET_CTX(s)->propq);
6650 if (ctx == NULL) {
6651 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_CT_LIB);
6652 goto end;
6653 }
6654
6655 issuer = sk_X509_value(s->verified_chain, 1);
6656 CT_POLICY_EVAL_CTX_set1_cert(ctx, cert);
6657 CT_POLICY_EVAL_CTX_set1_issuer(ctx, issuer);
6658 CT_POLICY_EVAL_CTX_set_shared_CTLOG_STORE(ctx,
6659 SSL_CONNECTION_GET_CTX(s)->ctlog_store);
6660 CT_POLICY_EVAL_CTX_set_time(
6661 ctx, (uint64_t)SSL_SESSION_get_time_ex(s->session) * 1000);
6662
6663 scts = SSL_get0_peer_scts(SSL_CONNECTION_GET_SSL(s));
6664
6665 /*
6666 * This function returns success (> 0) only when all the SCTs are valid, 0
6667 * when some are invalid, and < 0 on various internal errors (out of
6668 * memory, etc.). Having some, or even all, invalid SCTs is not sufficient
6669 * reason to abort the handshake, that decision is up to the callback.
6670 * Therefore, we error out only in the unexpected case that the return
6671 * value is negative.
6672 *
6673 * XXX: One might well argue that the return value of this function is an
6674 * unfortunate design choice. Its job is only to determine the validation
6675 * status of each of the provided SCTs. So long as it correctly separates
6676 * the wheat from the chaff it should return success. Failure in this case
6677 * ought to correspond to an inability to carry out its duties.
6678 */
6679 if (SCT_LIST_validate(scts, ctx) < 0) {
6680 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_SCT_VERIFICATION_FAILED);
6681 goto end;
6682 }
6683
6684 ret = s->ct_validation_callback(ctx, scts, s->ct_validation_callback_arg);
6685 if (ret < 0)
6686 ret = 0; /* This function returns 0 on failure */
6687 if (!ret)
6688 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_CALLBACK_FAILED);
6689
6690 end:
6691 CT_POLICY_EVAL_CTX_free(ctx);
6692 /*
6693 * With SSL_VERIFY_NONE the session may be cached and reused despite a
6694 * failure return code here. Also the application may wish the complete
6695 * the handshake, and then disconnect cleanly at a higher layer, after
6696 * checking the verification status of the completed connection.
6697 *
6698 * We therefore force a certificate verification failure which will be
6699 * visible via SSL_get_verify_result() and cached as part of any resumed
6700 * session.
6701 *
6702 * Note: the permissive callback is for information gathering only, always
6703 * returns success, and does not affect verification status. Only the
6704 * strict callback or a custom application-specified callback can trigger
6705 * connection failure or record a verification error.
6706 */
6707 if (ret <= 0)
6708 s->verify_result = X509_V_ERR_NO_VALID_SCTS;
6709 return ret;
6710 }
6711
6712 int SSL_CTX_enable_ct(SSL_CTX *ctx, int validation_mode)
6713 {
6714 switch (validation_mode) {
6715 default:
6716 ERR_raise(ERR_LIB_SSL, SSL_R_INVALID_CT_VALIDATION_TYPE);
6717 return 0;
6718 case SSL_CT_VALIDATION_PERMISSIVE:
6719 return SSL_CTX_set_ct_validation_callback(ctx, ct_permissive, NULL);
6720 case SSL_CT_VALIDATION_STRICT:
6721 return SSL_CTX_set_ct_validation_callback(ctx, ct_strict, NULL);
6722 }
6723 }
6724
6725 int SSL_enable_ct(SSL *s, int validation_mode)
6726 {
6727 switch (validation_mode) {
6728 default:
6729 ERR_raise(ERR_LIB_SSL, SSL_R_INVALID_CT_VALIDATION_TYPE);
6730 return 0;
6731 case SSL_CT_VALIDATION_PERMISSIVE:
6732 return SSL_set_ct_validation_callback(s, ct_permissive, NULL);
6733 case SSL_CT_VALIDATION_STRICT:
6734 return SSL_set_ct_validation_callback(s, ct_strict, NULL);
6735 }
6736 }
6737
6738 int SSL_CTX_set_default_ctlog_list_file(SSL_CTX *ctx)
6739 {
6740 return CTLOG_STORE_load_default_file(ctx->ctlog_store);
6741 }
6742
6743 int SSL_CTX_set_ctlog_list_file(SSL_CTX *ctx, const char *path)
6744 {
6745 return CTLOG_STORE_load_file(ctx->ctlog_store, path);
6746 }
6747
6748 void SSL_CTX_set0_ctlog_store(SSL_CTX *ctx, CTLOG_STORE *logs)
6749 {
6750 CTLOG_STORE_free(ctx->ctlog_store);
6751 ctx->ctlog_store = logs;
6752 }
6753
6754 const CTLOG_STORE *SSL_CTX_get0_ctlog_store(const SSL_CTX *ctx)
6755 {
6756 return ctx->ctlog_store;
6757 }
6758
6759 #endif /* OPENSSL_NO_CT */
6760
6761 void SSL_CTX_set_client_hello_cb(SSL_CTX *c, SSL_client_hello_cb_fn cb,
6762 void *arg)
6763 {
6764 c->client_hello_cb = cb;
6765 c->client_hello_cb_arg = arg;
6766 }
6767
6768 void SSL_CTX_set_new_pending_conn_cb(SSL_CTX *c, SSL_new_pending_conn_cb_fn cb,
6769 void *arg)
6770 {
6771 c->new_pending_conn_cb = cb;
6772 c->new_pending_conn_arg = arg;
6773 }
6774
6775 int SSL_client_hello_isv2(SSL *s)
6776 {
6777 const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
6778
6779 if (sc == NULL)
6780 return 0;
6781
6782 if (sc->clienthello == NULL)
6783 return 0;
6784 return sc->clienthello->isv2;
6785 }
6786
6787 unsigned int SSL_client_hello_get0_legacy_version(SSL *s)
6788 {
6789 const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
6790
6791 if (sc == NULL)
6792 return 0;
6793
6794 if (sc->clienthello == NULL)
6795 return 0;
6796 return sc->clienthello->legacy_version;
6797 }
6798
6799 size_t SSL_client_hello_get0_random(SSL *s, const unsigned char **out)
6800 {
6801 const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
6802
6803 if (sc == NULL)
6804 return 0;
6805
6806 if (sc->clienthello == NULL)
6807 return 0;
6808 if (out != NULL)
6809 *out = sc->clienthello->random;
6810 return SSL3_RANDOM_SIZE;
6811 }
6812
6813 size_t SSL_client_hello_get0_session_id(SSL *s, const unsigned char **out)
6814 {
6815 const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
6816
6817 if (sc == NULL)
6818 return 0;
6819
6820 if (sc->clienthello == NULL)
6821 return 0;
6822 if (out != NULL)
6823 *out = sc->clienthello->session_id;
6824 return sc->clienthello->session_id_len;
6825 }
6826
6827 size_t SSL_client_hello_get0_ciphers(SSL *s, const unsigned char **out)
6828 {
6829 const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
6830
6831 if (sc == NULL)
6832 return 0;
6833
6834 if (sc->clienthello == NULL)
6835 return 0;
6836 if (out != NULL)
6837 *out = PACKET_data(&sc->clienthello->ciphersuites);
6838 return PACKET_remaining(&sc->clienthello->ciphersuites);
6839 }
6840
6841 size_t SSL_client_hello_get0_compression_methods(SSL *s, const unsigned char **out)
6842 {
6843 const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
6844
6845 if (sc == NULL)
6846 return 0;
6847
6848 if (sc->clienthello == NULL)
6849 return 0;
6850 if (out != NULL)
6851 *out = sc->clienthello->compressions;
6852 return sc->clienthello->compressions_len;
6853 }
6854
6855 int SSL_client_hello_get1_extensions_present(SSL *s, int **out, size_t *outlen)
6856 {
6857 RAW_EXTENSION *ext;
6858 int *present;
6859 size_t num = 0, i;
6860 const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
6861
6862 if (sc == NULL)
6863 return 0;
6864
6865 if (sc->clienthello == NULL || out == NULL || outlen == NULL)
6866 return 0;
6867 for (i = 0; i < sc->clienthello->pre_proc_exts_len; i++) {
6868 ext = sc->clienthello->pre_proc_exts + i;
6869 if (ext->present)
6870 num++;
6871 }
6872 if (num == 0) {
6873 *out = NULL;
6874 *outlen = 0;
6875 return 1;
6876 }
6877 if ((present = OPENSSL_malloc(sizeof(*present) * num)) == NULL)
6878 return 0;
6879 for (i = 0; i < sc->clienthello->pre_proc_exts_len; i++) {
6880 ext = sc->clienthello->pre_proc_exts + i;
6881 if (ext->present) {
6882 if (ext->received_order >= num)
6883 goto err;
6884 present[ext->received_order] = ext->type;
6885 }
6886 }
6887 *out = present;
6888 *outlen = num;
6889 return 1;
6890 err:
6891 OPENSSL_free(present);
6892 return 0;
6893 }
6894
6895 int SSL_client_hello_get_extension_order(SSL *s, uint16_t *exts, size_t *num_exts)
6896 {
6897 RAW_EXTENSION *ext;
6898 size_t num = 0, i;
6899 const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
6900
6901 if (sc == NULL)
6902 return 0;
6903
6904 if (sc->clienthello == NULL || num_exts == NULL)
6905 return 0;
6906 for (i = 0; i < sc->clienthello->pre_proc_exts_len; i++) {
6907 ext = sc->clienthello->pre_proc_exts + i;
6908 if (ext->present)
6909 num++;
6910 }
6911 if (num == 0) {
6912 *num_exts = 0;
6913 return 1;
6914 }
6915 if (exts == NULL) {
6916 *num_exts = num;
6917 return 1;
6918 }
6919 if (*num_exts < num)
6920 return 0;
6921 for (i = 0; i < sc->clienthello->pre_proc_exts_len; i++) {
6922 ext = sc->clienthello->pre_proc_exts + i;
6923 if (ext->present) {
6924 if (ext->received_order >= num)
6925 return 0;
6926 exts[ext->received_order] = ext->type;
6927 }
6928 }
6929 *num_exts = num;
6930 return 1;
6931 }
6932
6933 int SSL_client_hello_get0_ext(SSL *s, unsigned int type, const unsigned char **out,
6934 size_t *outlen)
6935 {
6936 size_t i;
6937 RAW_EXTENSION *r;
6938 const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
6939
6940 if (sc == NULL)
6941 return 0;
6942
6943 if (sc->clienthello == NULL)
6944 return 0;
6945 for (i = 0; i < sc->clienthello->pre_proc_exts_len; ++i) {
6946 r = sc->clienthello->pre_proc_exts + i;
6947 if (r->present && r->type == type) {
6948 if (out != NULL)
6949 *out = PACKET_data(&r->data);
6950 if (outlen != NULL)
6951 *outlen = PACKET_remaining(&r->data);
6952 return 1;
6953 }
6954 }
6955 return 0;
6956 }
6957
6958 int SSL_free_buffers(SSL *ssl)
6959 {
6960 RECORD_LAYER *rl;
6961 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL_ONLY(ssl);
6962
6963 if (sc == NULL)
6964 return 0;
6965
6966 rl = &sc->rlayer;
6967
6968 return rl->rrlmethod->free_buffers(rl->rrl)
6969 && rl->wrlmethod->free_buffers(rl->wrl);
6970 }
6971
6972 int SSL_alloc_buffers(SSL *ssl)
6973 {
6974 RECORD_LAYER *rl;
6975 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(ssl);
6976
6977 if (sc == NULL)
6978 return 0;
6979
6980 /* QUIC always has buffers allocated. */
6981 if (IS_QUIC(ssl))
6982 return 1;
6983
6984 rl = &sc->rlayer;
6985
6986 return rl->rrlmethod->alloc_buffers(rl->rrl)
6987 && rl->wrlmethod->alloc_buffers(rl->wrl);
6988 }
6989
6990 void SSL_CTX_set_keylog_callback(SSL_CTX *ctx, SSL_CTX_keylog_cb_func cb)
6991 {
6992 ctx->keylog_callback = cb;
6993 }
6994
6995 SSL_CTX_keylog_cb_func SSL_CTX_get_keylog_callback(const SSL_CTX *ctx)
6996 {
6997 return ctx->keylog_callback;
6998 }
6999
7000 static int nss_keylog_int(const char *prefix,
7001 SSL_CONNECTION *sc,
7002 const uint8_t *parameter_1,
7003 size_t parameter_1_len,
7004 const uint8_t *parameter_2,
7005 size_t parameter_2_len)
7006 {
7007 char *out = NULL;
7008 char *cursor = NULL;
7009 size_t out_len = 0, i, prefix_len;
7010 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(sc);
7011
7012 #ifndef OPENSSL_NO_SSLKEYLOG
7013 if (sctx->keylog_callback == NULL && sctx->do_sslkeylog == 0)
7014 return 1;
7015 #else
7016 if (sctx->keylog_callback == NULL)
7017 return 1;
7018 #endif
7019
7020 /*
7021 * Our output buffer will contain the following strings, rendered with
7022 * space characters in between, terminated by a NULL character: first the
7023 * prefix, then the first parameter, then the second parameter. The
7024 * meaning of each parameter depends on the specific key material being
7025 * logged. Note that the first and second parameters are encoded in
7026 * hexadecimal, so we need a buffer that is twice their lengths.
7027 */
7028 prefix_len = strlen(prefix);
7029 out_len = prefix_len + (2 * parameter_1_len) + (2 * parameter_2_len) + 3;
7030 if ((out = cursor = OPENSSL_malloc(out_len)) == NULL)
7031 return 0;
7032
7033 memcpy(cursor, prefix, prefix_len);
7034 cursor += prefix_len;
7035 *cursor++ = ' ';
7036
7037 for (i = 0; i < parameter_1_len; ++i)
7038 cursor += ossl_to_lowerhex(cursor, parameter_1[i]);
7039 *cursor++ = ' ';
7040
7041 for (i = 0; i < parameter_2_len; ++i)
7042 cursor += ossl_to_lowerhex(cursor, parameter_2[i]);
7043 *cursor = '\0';
7044
7045 #ifndef OPENSSL_NO_SSLKEYLOG
7046 if (sctx->do_sslkeylog == 1)
7047 do_sslkeylogfile(SSL_CONNECTION_GET_SSL(sc), (const char *)out);
7048 #endif
7049 if (sctx->keylog_callback != NULL)
7050 sctx->keylog_callback(SSL_CONNECTION_GET_USER_SSL(sc), (const char *)out);
7051 OPENSSL_clear_free(out, out_len);
7052 return 1;
7053 }
7054
7055 int ssl_log_rsa_client_key_exchange(SSL_CONNECTION *sc,
7056 const uint8_t *encrypted_premaster,
7057 size_t encrypted_premaster_len,
7058 const uint8_t *premaster,
7059 size_t premaster_len)
7060 {
7061 if (encrypted_premaster_len < 8) {
7062 SSLfatal(sc, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
7063 return 0;
7064 }
7065
7066 /* We only want the first 8 bytes of the encrypted premaster as a tag. */
7067 return nss_keylog_int("RSA",
7068 sc,
7069 encrypted_premaster,
7070 8,
7071 premaster,
7072 premaster_len);
7073 }
7074
7075 int ssl_log_secret(SSL_CONNECTION *sc,
7076 const char *label,
7077 const uint8_t *secret,
7078 size_t secret_len)
7079 {
7080 return nss_keylog_int(label,
7081 sc,
7082 sc->s3.client_random,
7083 SSL3_RANDOM_SIZE,
7084 secret,
7085 secret_len);
7086 }
7087
7088 #define SSLV2_CIPHER_LEN 3
7089
7090 int ssl_cache_cipherlist(SSL_CONNECTION *s, PACKET *cipher_suites, int sslv2format)
7091 {
7092 int n;
7093
7094 n = sslv2format ? SSLV2_CIPHER_LEN : TLS_CIPHER_LEN;
7095
7096 if (PACKET_remaining(cipher_suites) == 0) {
7097 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_NO_CIPHERS_SPECIFIED);
7098 return 0;
7099 }
7100
7101 if (PACKET_remaining(cipher_suites) % n != 0) {
7102 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST);
7103 return 0;
7104 }
7105
7106 OPENSSL_free(s->s3.tmp.ciphers_raw);
7107 s->s3.tmp.ciphers_raw = NULL;
7108 s->s3.tmp.ciphers_rawlen = 0;
7109
7110 if (sslv2format) {
7111 size_t numciphers = PACKET_remaining(cipher_suites) / n;
7112 PACKET sslv2ciphers = *cipher_suites;
7113 unsigned int leadbyte;
7114 unsigned char *raw;
7115
7116 /*
7117 * We store the raw ciphers list in SSLv3+ format so we need to do some
7118 * preprocessing to convert the list first. If there are any SSLv2 only
7119 * ciphersuites with a non-zero leading byte then we are going to
7120 * slightly over allocate because we won't store those. But that isn't a
7121 * problem.
7122 */
7123 raw = OPENSSL_malloc(numciphers * TLS_CIPHER_LEN);
7124 s->s3.tmp.ciphers_raw = raw;
7125 if (raw == NULL) {
7126 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_CRYPTO_LIB);
7127 return 0;
7128 }
7129 for (s->s3.tmp.ciphers_rawlen = 0;
7130 PACKET_remaining(&sslv2ciphers) > 0;
7131 raw += TLS_CIPHER_LEN) {
7132 if (!PACKET_get_1(&sslv2ciphers, &leadbyte)
7133 || (leadbyte == 0
7134 && !PACKET_copy_bytes(&sslv2ciphers, raw,
7135 TLS_CIPHER_LEN))
7136 || (leadbyte != 0
7137 && !PACKET_forward(&sslv2ciphers, TLS_CIPHER_LEN))) {
7138 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_PACKET);
7139 OPENSSL_free(s->s3.tmp.ciphers_raw);
7140 s->s3.tmp.ciphers_raw = NULL;
7141 s->s3.tmp.ciphers_rawlen = 0;
7142 return 0;
7143 }
7144 if (leadbyte == 0)
7145 s->s3.tmp.ciphers_rawlen += TLS_CIPHER_LEN;
7146 }
7147 } else if (!PACKET_memdup(cipher_suites, &s->s3.tmp.ciphers_raw,
7148 &s->s3.tmp.ciphers_rawlen)) {
7149 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
7150 return 0;
7151 }
7152 return 1;
7153 }
7154
7155 int SSL_bytes_to_cipher_list(SSL *s, const unsigned char *bytes, size_t len,
7156 int isv2format, STACK_OF(SSL_CIPHER) **sk,
7157 STACK_OF(SSL_CIPHER) **scsvs)
7158 {
7159 PACKET pkt;
7160 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
7161
7162 if (sc == NULL)
7163 return 0;
7164
7165 if (!PACKET_buf_init(&pkt, bytes, len))
7166 return 0;
7167 return ossl_bytes_to_cipher_list(sc, &pkt, sk, scsvs, isv2format, 0);
7168 }
7169
7170 int ossl_bytes_to_cipher_list(SSL_CONNECTION *s, PACKET *cipher_suites,
7171 STACK_OF(SSL_CIPHER) **skp,
7172 STACK_OF(SSL_CIPHER) **scsvs_out,
7173 int sslv2format, int fatal)
7174 {
7175 const SSL_CIPHER *c;
7176 STACK_OF(SSL_CIPHER) *sk = NULL;
7177 STACK_OF(SSL_CIPHER) *scsvs = NULL;
7178 int n;
7179 /* 3 = SSLV2_CIPHER_LEN > TLS_CIPHER_LEN = 2. */
7180 unsigned char cipher[SSLV2_CIPHER_LEN];
7181
7182 n = sslv2format ? SSLV2_CIPHER_LEN : TLS_CIPHER_LEN;
7183
7184 if (PACKET_remaining(cipher_suites) == 0) {
7185 if (fatal)
7186 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_NO_CIPHERS_SPECIFIED);
7187 else
7188 ERR_raise(ERR_LIB_SSL, SSL_R_NO_CIPHERS_SPECIFIED);
7189 return 0;
7190 }
7191
7192 if (PACKET_remaining(cipher_suites) % n != 0) {
7193 if (fatal)
7194 SSLfatal(s, SSL_AD_DECODE_ERROR,
7195 SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST);
7196 else
7197 ERR_raise(ERR_LIB_SSL, SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST);
7198 return 0;
7199 }
7200
7201 sk = sk_SSL_CIPHER_new_null();
7202 scsvs = sk_SSL_CIPHER_new_null();
7203 if (sk == NULL || scsvs == NULL) {
7204 if (fatal)
7205 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_CRYPTO_LIB);
7206 else
7207 ERR_raise(ERR_LIB_SSL, ERR_R_CRYPTO_LIB);
7208 goto err;
7209 }
7210
7211 while (PACKET_copy_bytes(cipher_suites, cipher, n)) {
7212 /*
7213 * SSLv3 ciphers wrapped in an SSLv2-compatible ClientHello have the
7214 * first byte set to zero, while true SSLv2 ciphers have a non-zero
7215 * first byte. We don't support any true SSLv2 ciphers, so skip them.
7216 */
7217 if (sslv2format && cipher[0] != '\0')
7218 continue;
7219
7220 /* For SSLv2-compat, ignore leading 0-byte. */
7221 c = ssl_get_cipher_by_char(s, sslv2format ? &cipher[1] : cipher, 1);
7222 if (c != NULL) {
7223 if ((c->valid && !sk_SSL_CIPHER_push(sk, c)) ||
7224 (!c->valid && !sk_SSL_CIPHER_push(scsvs, c))) {
7225 if (fatal)
7226 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_CRYPTO_LIB);
7227 else
7228 ERR_raise(ERR_LIB_SSL, ERR_R_CRYPTO_LIB);
7229 goto err;
7230 }
7231 }
7232 }
7233 if (PACKET_remaining(cipher_suites) > 0) {
7234 if (fatal)
7235 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_LENGTH);
7236 else
7237 ERR_raise(ERR_LIB_SSL, SSL_R_BAD_LENGTH);
7238 goto err;
7239 }
7240
7241 if (skp != NULL)
7242 *skp = sk;
7243 else
7244 sk_SSL_CIPHER_free(sk);
7245 if (scsvs_out != NULL)
7246 *scsvs_out = scsvs;
7247 else
7248 sk_SSL_CIPHER_free(scsvs);
7249 return 1;
7250 err:
7251 sk_SSL_CIPHER_free(sk);
7252 sk_SSL_CIPHER_free(scsvs);
7253 return 0;
7254 }
7255
7256 int SSL_CTX_set_max_early_data(SSL_CTX *ctx, uint32_t max_early_data)
7257 {
7258 ctx->max_early_data = max_early_data;
7259
7260 return 1;
7261 }
7262
7263 uint32_t SSL_CTX_get_max_early_data(const SSL_CTX *ctx)
7264 {
7265 return ctx->max_early_data;
7266 }
7267
7268 int SSL_set_max_early_data(SSL *s, uint32_t max_early_data)
7269 {
7270 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL_ONLY(s);
7271
7272 if (sc == NULL)
7273 return 0;
7274
7275 sc->max_early_data = max_early_data;
7276
7277 return 1;
7278 }
7279
7280 uint32_t SSL_get_max_early_data(const SSL *s)
7281 {
7282 const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
7283
7284 if (sc == NULL)
7285 return 0;
7286
7287 return sc->max_early_data;
7288 }
7289
7290 int SSL_CTX_set_recv_max_early_data(SSL_CTX *ctx, uint32_t recv_max_early_data)
7291 {
7292 ctx->recv_max_early_data = recv_max_early_data;
7293
7294 return 1;
7295 }
7296
7297 uint32_t SSL_CTX_get_recv_max_early_data(const SSL_CTX *ctx)
7298 {
7299 return ctx->recv_max_early_data;
7300 }
7301
7302 int SSL_set_recv_max_early_data(SSL *s, uint32_t recv_max_early_data)
7303 {
7304 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL_ONLY(s);
7305
7306 if (sc == NULL)
7307 return 0;
7308
7309 sc->recv_max_early_data = recv_max_early_data;
7310
7311 return 1;
7312 }
7313
7314 uint32_t SSL_get_recv_max_early_data(const SSL *s)
7315 {
7316 const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
7317
7318 if (sc == NULL)
7319 return 0;
7320
7321 return sc->recv_max_early_data;
7322 }
7323
7324 __owur unsigned int ssl_get_max_send_fragment(const SSL_CONNECTION *sc)
7325 {
7326 /* Return any active Max Fragment Len extension */
7327 if (sc->session != NULL && USE_MAX_FRAGMENT_LENGTH_EXT(sc->session))
7328 return GET_MAX_FRAGMENT_LENGTH(sc->session);
7329
7330 /* return current SSL connection setting */
7331 return (unsigned int)sc->max_send_fragment;
7332 }
7333
7334 __owur unsigned int ssl_get_split_send_fragment(const SSL_CONNECTION *sc)
7335 {
7336 /* Return a value regarding an active Max Fragment Len extension */
7337 if (sc->session != NULL && USE_MAX_FRAGMENT_LENGTH_EXT(sc->session)
7338 && sc->split_send_fragment > GET_MAX_FRAGMENT_LENGTH(sc->session))
7339 return GET_MAX_FRAGMENT_LENGTH(sc->session);
7340
7341 /* else limit |split_send_fragment| to current |max_send_fragment| */
7342 if (sc->split_send_fragment > sc->max_send_fragment)
7343 return (unsigned int)sc->max_send_fragment;
7344
7345 /* return current SSL connection setting */
7346 return (unsigned int)sc->split_send_fragment;
7347 }
7348
7349 int SSL_stateless(SSL *s)
7350 {
7351 int ret;
7352 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL_ONLY(s);
7353
7354 if (sc == NULL)
7355 return 0;
7356
7357 /* Ensure there is no state left over from a previous invocation */
7358 if (!SSL_clear(s))
7359 return 0;
7360
7361 ERR_clear_error();
7362
7363 sc->s3.flags |= TLS1_FLAGS_STATELESS;
7364 ret = SSL_accept(s);
7365 sc->s3.flags &= ~TLS1_FLAGS_STATELESS;
7366
7367 if (ret > 0 && sc->ext.cookieok)
7368 return 1;
7369
7370 if (sc->hello_retry_request == SSL_HRR_PENDING && !ossl_statem_in_error(sc))
7371 return 0;
7372
7373 return -1;
7374 }
7375
7376 void SSL_CTX_set_post_handshake_auth(SSL_CTX *ctx, int val)
7377 {
7378 ctx->pha_enabled = val;
7379 }
7380
7381 void SSL_set_post_handshake_auth(SSL *ssl, int val)
7382 {
7383 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL_ONLY(ssl);
7384
7385 if (sc == NULL)
7386 return;
7387
7388 sc->pha_enabled = val;
7389 }
7390
7391 int SSL_verify_client_post_handshake(SSL *ssl)
7392 {
7393 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(ssl);
7394
7395 #ifndef OPENSSL_NO_QUIC
7396 if (IS_QUIC(ssl)) {
7397 ERR_raise(ERR_LIB_SSL, SSL_R_WRONG_SSL_VERSION);
7398 return 0;
7399 }
7400 #endif
7401
7402 if (sc == NULL)
7403 return 0;
7404
7405 if (!SSL_CONNECTION_IS_TLS13(sc)) {
7406 ERR_raise(ERR_LIB_SSL, SSL_R_WRONG_SSL_VERSION);
7407 return 0;
7408 }
7409 if (!sc->server) {
7410 ERR_raise(ERR_LIB_SSL, SSL_R_NOT_SERVER);
7411 return 0;
7412 }
7413
7414 if (!SSL_is_init_finished(ssl)) {
7415 ERR_raise(ERR_LIB_SSL, SSL_R_STILL_IN_INIT);
7416 return 0;
7417 }
7418
7419 switch (sc->post_handshake_auth) {
7420 case SSL_PHA_NONE:
7421 ERR_raise(ERR_LIB_SSL, SSL_R_EXTENSION_NOT_RECEIVED);
7422 return 0;
7423 default:
7424 case SSL_PHA_EXT_SENT:
7425 ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
7426 return 0;
7427 case SSL_PHA_EXT_RECEIVED:
7428 break;
7429 case SSL_PHA_REQUEST_PENDING:
7430 ERR_raise(ERR_LIB_SSL, SSL_R_REQUEST_PENDING);
7431 return 0;
7432 case SSL_PHA_REQUESTED:
7433 ERR_raise(ERR_LIB_SSL, SSL_R_REQUEST_SENT);
7434 return 0;
7435 }
7436
7437 sc->post_handshake_auth = SSL_PHA_REQUEST_PENDING;
7438
7439 /* checks verify_mode and algorithm_auth */
7440 if (!send_certificate_request(sc)) {
7441 sc->post_handshake_auth = SSL_PHA_EXT_RECEIVED; /* restore on error */
7442 ERR_raise(ERR_LIB_SSL, SSL_R_INVALID_CONFIG);
7443 return 0;
7444 }
7445
7446 ossl_statem_set_in_init(sc, 1);
7447 return 1;
7448 }
7449
7450 int SSL_CTX_set_session_ticket_cb(SSL_CTX *ctx,
7451 SSL_CTX_generate_session_ticket_fn gen_cb,
7452 SSL_CTX_decrypt_session_ticket_fn dec_cb,
7453 void *arg)
7454 {
7455 ctx->generate_ticket_cb = gen_cb;
7456 ctx->decrypt_ticket_cb = dec_cb;
7457 ctx->ticket_cb_data = arg;
7458 return 1;
7459 }
7460
7461 void SSL_CTX_set_allow_early_data_cb(SSL_CTX *ctx,
7462 SSL_allow_early_data_cb_fn cb,
7463 void *arg)
7464 {
7465 ctx->allow_early_data_cb = cb;
7466 ctx->allow_early_data_cb_data = arg;
7467 }
7468
7469 void SSL_set_allow_early_data_cb(SSL *s,
7470 SSL_allow_early_data_cb_fn cb,
7471 void *arg)
7472 {
7473 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL_ONLY(s);
7474
7475 if (sc == NULL)
7476 return;
7477
7478 sc->allow_early_data_cb = cb;
7479 sc->allow_early_data_cb_data = arg;
7480 }
7481
7482 const EVP_CIPHER *ssl_evp_cipher_fetch(OSSL_LIB_CTX *libctx,
7483 int nid,
7484 const char *properties)
7485 {
7486 const EVP_CIPHER *ciph;
7487
7488 ciph = tls_get_cipher_from_engine(nid);
7489 if (ciph != NULL)
7490 return ciph;
7491
7492 /*
7493 * If there is no engine cipher then we do an explicit fetch. This may fail
7494 * and that could be ok
7495 */
7496 ERR_set_mark();
7497 ciph = EVP_CIPHER_fetch(libctx, OBJ_nid2sn(nid), properties);
7498 if (ciph != NULL) {
7499 OSSL_PARAM params[2];
7500 int decrypt_only = 0;
7501
7502 params[0] = OSSL_PARAM_construct_int(OSSL_CIPHER_PARAM_DECRYPT_ONLY,
7503 &decrypt_only);
7504 params[1] = OSSL_PARAM_construct_end();
7505 if (EVP_CIPHER_get_params((EVP_CIPHER *)ciph, params)
7506 && decrypt_only) {
7507 /* If a cipher is decrypt-only, it is unusable */
7508 EVP_CIPHER_free((EVP_CIPHER *)ciph);
7509 ciph = NULL;
7510 }
7511 }
7512 ERR_pop_to_mark();
7513 return ciph;
7514 }
7515
7516
7517 int ssl_evp_cipher_up_ref(const EVP_CIPHER *cipher)
7518 {
7519 /* Don't up-ref an implicit EVP_CIPHER */
7520 if (EVP_CIPHER_get0_provider(cipher) == NULL)
7521 return 1;
7522
7523 /*
7524 * The cipher was explicitly fetched and therefore it is safe to cast
7525 * away the const
7526 */
7527 return EVP_CIPHER_up_ref((EVP_CIPHER *)cipher);
7528 }
7529
7530 void ssl_evp_cipher_free(const EVP_CIPHER *cipher)
7531 {
7532 if (cipher == NULL)
7533 return;
7534
7535 if (EVP_CIPHER_get0_provider(cipher) != NULL) {
7536 /*
7537 * The cipher was explicitly fetched and therefore it is safe to cast
7538 * away the const
7539 */
7540 EVP_CIPHER_free((EVP_CIPHER *)cipher);
7541 }
7542 }
7543
7544 const EVP_MD *ssl_evp_md_fetch(OSSL_LIB_CTX *libctx,
7545 int nid,
7546 const char *properties)
7547 {
7548 const EVP_MD *md;
7549
7550 md = tls_get_digest_from_engine(nid);
7551 if (md != NULL)
7552 return md;
7553
7554 /* Otherwise we do an explicit fetch */
7555 ERR_set_mark();
7556 md = EVP_MD_fetch(libctx, OBJ_nid2sn(nid), properties);
7557 ERR_pop_to_mark();
7558 return md;
7559 }
7560
7561 int ssl_evp_md_up_ref(const EVP_MD *md)
7562 {
7563 /* Don't up-ref an implicit EVP_MD */
7564 if (EVP_MD_get0_provider(md) == NULL)
7565 return 1;
7566
7567 /*
7568 * The digest was explicitly fetched and therefore it is safe to cast
7569 * away the const
7570 */
7571 return EVP_MD_up_ref((EVP_MD *)md);
7572 }
7573
7574 void ssl_evp_md_free(const EVP_MD *md)
7575 {
7576 if (md == NULL)
7577 return;
7578
7579 if (EVP_MD_get0_provider(md) != NULL) {
7580 /*
7581 * The digest was explicitly fetched and therefore it is safe to cast
7582 * away the const
7583 */
7584 EVP_MD_free((EVP_MD *)md);
7585 }
7586 }
7587
7588 int SSL_set0_tmp_dh_pkey(SSL *s, EVP_PKEY *dhpkey)
7589 {
7590 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
7591
7592 if (sc == NULL)
7593 return 0;
7594
7595 if (!ssl_security(sc, SSL_SECOP_TMP_DH,
7596 EVP_PKEY_get_security_bits(dhpkey), 0, dhpkey)) {
7597 ERR_raise(ERR_LIB_SSL, SSL_R_DH_KEY_TOO_SMALL);
7598 return 0;
7599 }
7600 EVP_PKEY_free(sc->cert->dh_tmp);
7601 sc->cert->dh_tmp = dhpkey;
7602 return 1;
7603 }
7604
7605 int SSL_CTX_set0_tmp_dh_pkey(SSL_CTX *ctx, EVP_PKEY *dhpkey)
7606 {
7607 if (!ssl_ctx_security(ctx, SSL_SECOP_TMP_DH,
7608 EVP_PKEY_get_security_bits(dhpkey), 0, dhpkey)) {
7609 ERR_raise(ERR_LIB_SSL, SSL_R_DH_KEY_TOO_SMALL);
7610 return 0;
7611 }
7612 EVP_PKEY_free(ctx->cert->dh_tmp);
7613 ctx->cert->dh_tmp = dhpkey;
7614 return 1;
7615 }
7616
7617 /* QUIC-specific methods which are supported on QUIC connections only. */
7618 int SSL_handle_events(SSL *s)
7619 {
7620 SSL_CONNECTION *sc;
7621
7622 #ifndef OPENSSL_NO_QUIC
7623 if (IS_QUIC(s))
7624 return ossl_quic_handle_events(s);
7625 #endif
7626
7627 sc = SSL_CONNECTION_FROM_SSL_ONLY(s);
7628 if (sc != NULL && SSL_CONNECTION_IS_DTLS(sc))
7629 /*
7630 * DTLSv1_handle_timeout returns 0 if the timer wasn't expired yet,
7631 * which we consider a success case. Theoretically DTLSv1_handle_timeout
7632 * can also return 0 if s is NULL or not a DTLS object, but we've
7633 * already ruled out those possibilities above, so this is not possible
7634 * here. Thus the only failure cases are where DTLSv1_handle_timeout
7635 * returns -1.
7636 */
7637 return DTLSv1_handle_timeout(s) >= 0;
7638
7639 return 1;
7640 }
7641
7642 int SSL_get_event_timeout(SSL *s, struct timeval *tv, int *is_infinite)
7643 {
7644 SSL_CONNECTION *sc;
7645
7646 #ifndef OPENSSL_NO_QUIC
7647 if (IS_QUIC(s))
7648 return ossl_quic_get_event_timeout(s, tv, is_infinite);
7649 #endif
7650
7651 sc = SSL_CONNECTION_FROM_SSL_ONLY(s);
7652 if (sc != NULL && SSL_CONNECTION_IS_DTLS(sc)
7653 && DTLSv1_get_timeout(s, tv)) {
7654 *is_infinite = 0;
7655 return 1;
7656 }
7657
7658 tv->tv_sec = 1000000;
7659 tv->tv_usec = 0;
7660 *is_infinite = 1;
7661 return 1;
7662 }
7663
7664 int SSL_get_rpoll_descriptor(SSL *s, BIO_POLL_DESCRIPTOR *desc)
7665 {
7666 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
7667
7668 #ifndef OPENSSL_NO_QUIC
7669 if (IS_QUIC(s))
7670 return ossl_quic_get_rpoll_descriptor(s, desc);
7671 #endif
7672
7673 if (sc == NULL || sc->rbio == NULL)
7674 return 0;
7675
7676 return BIO_get_rpoll_descriptor(sc->rbio, desc);
7677 }
7678
7679 int SSL_get_wpoll_descriptor(SSL *s, BIO_POLL_DESCRIPTOR *desc)
7680 {
7681 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
7682
7683 #ifndef OPENSSL_NO_QUIC
7684 if (IS_QUIC(s))
7685 return ossl_quic_get_wpoll_descriptor(s, desc);
7686 #endif
7687
7688 if (sc == NULL || sc->wbio == NULL)
7689 return 0;
7690
7691 return BIO_get_wpoll_descriptor(sc->wbio, desc);
7692 }
7693
7694 int SSL_net_read_desired(SSL *s)
7695 {
7696 #ifndef OPENSSL_NO_QUIC
7697 if (!IS_QUIC(s))
7698 return SSL_want_read(s);
7699
7700 return ossl_quic_get_net_read_desired(s);
7701 #else
7702 return SSL_want_read(s);
7703 #endif
7704 }
7705
7706 int SSL_net_write_desired(SSL *s)
7707 {
7708 #ifndef OPENSSL_NO_QUIC
7709 if (!IS_QUIC(s))
7710 return SSL_want_write(s);
7711
7712 return ossl_quic_get_net_write_desired(s);
7713 #else
7714 return SSL_want_write(s);
7715 #endif
7716 }
7717
7718 int SSL_set_blocking_mode(SSL *s, int blocking)
7719 {
7720 #ifndef OPENSSL_NO_QUIC
7721 if (!IS_QUIC(s))
7722 return 0;
7723
7724 return ossl_quic_conn_set_blocking_mode(s, blocking);
7725 #else
7726 return 0;
7727 #endif
7728 }
7729
7730 int SSL_get_blocking_mode(SSL *s)
7731 {
7732 #ifndef OPENSSL_NO_QUIC
7733 if (!IS_QUIC(s))
7734 return -1;
7735
7736 return ossl_quic_conn_get_blocking_mode(s);
7737 #else
7738 return -1;
7739 #endif
7740 }
7741
7742 int SSL_set1_initial_peer_addr(SSL *s, const BIO_ADDR *peer_addr)
7743 {
7744 #ifndef OPENSSL_NO_QUIC
7745 if (!IS_QUIC(s))
7746 return 0;
7747
7748 return ossl_quic_conn_set_initial_peer_addr(s, peer_addr);
7749 #else
7750 return 0;
7751 #endif
7752 }
7753
7754 int SSL_shutdown_ex(SSL *ssl, uint64_t flags,
7755 const SSL_SHUTDOWN_EX_ARGS *args,
7756 size_t args_len)
7757 {
7758 #ifndef OPENSSL_NO_QUIC
7759 if (!IS_QUIC(ssl))
7760 return SSL_shutdown(ssl);
7761
7762 return ossl_quic_conn_shutdown(ssl, flags, args, args_len);
7763 #else
7764 return SSL_shutdown(ssl);
7765 #endif
7766 }
7767
7768 int SSL_stream_conclude(SSL *ssl, uint64_t flags)
7769 {
7770 #ifndef OPENSSL_NO_QUIC
7771 if (!IS_QUIC(ssl))
7772 return 0;
7773
7774 return ossl_quic_conn_stream_conclude(ssl);
7775 #else
7776 return 0;
7777 #endif
7778 }
7779
7780 SSL *SSL_new_stream(SSL *s, uint64_t flags)
7781 {
7782 #ifndef OPENSSL_NO_QUIC
7783 if (!IS_QUIC(s))
7784 return NULL;
7785
7786 return ossl_quic_conn_stream_new(s, flags);
7787 #else
7788 return NULL;
7789 #endif
7790 }
7791
7792 SSL *SSL_get0_connection(SSL *s)
7793 {
7794 #ifndef OPENSSL_NO_QUIC
7795 if (!IS_QUIC(s))
7796 return s;
7797
7798 return ossl_quic_get0_connection(s);
7799 #else
7800 return s;
7801 #endif
7802 }
7803
7804 int SSL_is_connection(SSL *s)
7805 {
7806 return SSL_get0_connection(s) == s;
7807 }
7808
7809 SSL *SSL_get0_listener(SSL *s)
7810 {
7811 #ifndef OPENSSL_NO_QUIC
7812 if (!IS_QUIC(s))
7813 return NULL;
7814
7815 return ossl_quic_get0_listener(s);
7816 #else
7817 return NULL;
7818 #endif
7819 }
7820
7821 SSL *SSL_get0_domain(SSL *s)
7822 {
7823 #ifndef OPENSSL_NO_QUIC
7824 if (!IS_QUIC(s))
7825 return NULL;
7826
7827 return ossl_quic_get0_domain(s);
7828 #else
7829 return NULL;
7830 #endif
7831 }
7832
7833 int SSL_is_listener(SSL *s)
7834 {
7835 return SSL_get0_listener(s) == s;
7836 }
7837
7838 int SSL_is_domain(SSL *s)
7839 {
7840 return SSL_get0_domain(s) == s;
7841 }
7842
7843 int SSL_get_stream_type(SSL *s)
7844 {
7845 #ifndef OPENSSL_NO_QUIC
7846 if (!IS_QUIC(s))
7847 return SSL_STREAM_TYPE_BIDI;
7848
7849 return ossl_quic_get_stream_type(s);
7850 #else
7851 return SSL_STREAM_TYPE_BIDI;
7852 #endif
7853 }
7854
7855 uint64_t SSL_get_stream_id(SSL *s)
7856 {
7857 #ifndef OPENSSL_NO_QUIC
7858 if (!IS_QUIC(s))
7859 return UINT64_MAX;
7860
7861 return ossl_quic_get_stream_id(s);
7862 #else
7863 return UINT64_MAX;
7864 #endif
7865 }
7866
7867 int SSL_is_stream_local(SSL *s)
7868 {
7869 #ifndef OPENSSL_NO_QUIC
7870 if (!IS_QUIC(s))
7871 return -1;
7872
7873 return ossl_quic_is_stream_local(s);
7874 #else
7875 return -1;
7876 #endif
7877 }
7878
7879 int SSL_set_default_stream_mode(SSL *s, uint32_t mode)
7880 {
7881 #ifndef OPENSSL_NO_QUIC
7882 if (!IS_QUIC(s))
7883 return 0;
7884
7885 return ossl_quic_set_default_stream_mode(s, mode);
7886 #else
7887 return 0;
7888 #endif
7889 }
7890
7891 int SSL_set_incoming_stream_policy(SSL *s, int policy, uint64_t aec)
7892 {
7893 #ifndef OPENSSL_NO_QUIC
7894 if (!IS_QUIC(s))
7895 return 0;
7896
7897 return ossl_quic_set_incoming_stream_policy(s, policy, aec);
7898 #else
7899 return 0;
7900 #endif
7901 }
7902
7903 SSL *SSL_accept_stream(SSL *s, uint64_t flags)
7904 {
7905 #ifndef OPENSSL_NO_QUIC
7906 if (!IS_QUIC(s))
7907 return NULL;
7908
7909 return ossl_quic_accept_stream(s, flags);
7910 #else
7911 return NULL;
7912 #endif
7913 }
7914
7915 size_t SSL_get_accept_stream_queue_len(SSL *s)
7916 {
7917 #ifndef OPENSSL_NO_QUIC
7918 if (!IS_QUIC(s))
7919 return 0;
7920
7921 return ossl_quic_get_accept_stream_queue_len(s);
7922 #else
7923 return 0;
7924 #endif
7925 }
7926
7927 int SSL_stream_reset(SSL *s,
7928 const SSL_STREAM_RESET_ARGS *args,
7929 size_t args_len)
7930 {
7931 #ifndef OPENSSL_NO_QUIC
7932 if (!IS_QUIC(s))
7933 return 0;
7934
7935 return ossl_quic_stream_reset(s, args, args_len);
7936 #else
7937 return 0;
7938 #endif
7939 }
7940
7941 int SSL_get_stream_read_state(SSL *s)
7942 {
7943 #ifndef OPENSSL_NO_QUIC
7944 if (!IS_QUIC(s))
7945 return SSL_STREAM_STATE_NONE;
7946
7947 return ossl_quic_get_stream_read_state(s);
7948 #else
7949 return SSL_STREAM_STATE_NONE;
7950 #endif
7951 }
7952
7953 int SSL_get_stream_write_state(SSL *s)
7954 {
7955 #ifndef OPENSSL_NO_QUIC
7956 if (!IS_QUIC(s))
7957 return SSL_STREAM_STATE_NONE;
7958
7959 return ossl_quic_get_stream_write_state(s);
7960 #else
7961 return SSL_STREAM_STATE_NONE;
7962 #endif
7963 }
7964
7965 int SSL_get_stream_read_error_code(SSL *s, uint64_t *app_error_code)
7966 {
7967 #ifndef OPENSSL_NO_QUIC
7968 if (!IS_QUIC(s))
7969 return -1;
7970
7971 return ossl_quic_get_stream_read_error_code(s, app_error_code);
7972 #else
7973 return -1;
7974 #endif
7975 }
7976
7977 int SSL_get_stream_write_error_code(SSL *s, uint64_t *app_error_code)
7978 {
7979 #ifndef OPENSSL_NO_QUIC
7980 if (!IS_QUIC(s))
7981 return -1;
7982
7983 return ossl_quic_get_stream_write_error_code(s, app_error_code);
7984 #else
7985 return -1;
7986 #endif
7987 }
7988
7989 int SSL_get_conn_close_info(SSL *s, SSL_CONN_CLOSE_INFO *info,
7990 size_t info_len)
7991 {
7992 #ifndef OPENSSL_NO_QUIC
7993 if (!IS_QUIC(s))
7994 return -1;
7995
7996 return ossl_quic_get_conn_close_info(s, info, info_len);
7997 #else
7998 return -1;
7999 #endif
8000 }
8001
8002 int SSL_get_value_uint(SSL *s, uint32_t class_, uint32_t id,
8003 uint64_t *value)
8004 {
8005 #ifndef OPENSSL_NO_QUIC
8006 if (IS_QUIC(s))
8007 return ossl_quic_get_value_uint(s, class_, id, value);
8008 #endif
8009
8010 ERR_raise(ERR_LIB_SSL, SSL_R_UNSUPPORTED_PROTOCOL);
8011 return 0;
8012 }
8013
8014 int SSL_set_value_uint(SSL *s, uint32_t class_, uint32_t id,
8015 uint64_t value)
8016 {
8017 #ifndef OPENSSL_NO_QUIC
8018 if (IS_QUIC(s))
8019 return ossl_quic_set_value_uint(s, class_, id, value);
8020 #endif
8021
8022 ERR_raise(ERR_LIB_SSL, SSL_R_UNSUPPORTED_PROTOCOL);
8023 return 0;
8024 }
8025
8026 SSL *SSL_new_listener(SSL_CTX *ctx, uint64_t flags)
8027 {
8028 #ifndef OPENSSL_NO_QUIC
8029 if (!IS_QUIC_CTX(ctx))
8030 return NULL;
8031
8032 return ossl_quic_new_listener(ctx, flags);
8033 #else
8034 return NULL;
8035 #endif
8036 }
8037
8038 SSL *SSL_new_listener_from(SSL *ssl, uint64_t flags)
8039 {
8040 #ifndef OPENSSL_NO_QUIC
8041 if (!IS_QUIC(ssl))
8042 return NULL;
8043
8044 return ossl_quic_new_listener_from(ssl, flags);
8045 #else
8046 return NULL;
8047 #endif
8048 }
8049
8050 SSL *SSL_new_from_listener(SSL *ssl, uint64_t flags)
8051 {
8052 #ifndef OPENSSL_NO_QUIC
8053 if (!IS_QUIC(ssl))
8054 return NULL;
8055
8056 return ossl_quic_new_from_listener(ssl, flags);
8057 #else
8058 return NULL;
8059 #endif
8060 }
8061
8062 SSL *SSL_accept_connection(SSL *ssl, uint64_t flags)
8063 {
8064 #ifndef OPENSSL_NO_QUIC
8065 if (!IS_QUIC(ssl))
8066 return NULL;
8067
8068 return ossl_quic_accept_connection(ssl, flags);
8069 #else
8070 return NULL;
8071 #endif
8072 }
8073
8074 size_t SSL_get_accept_connection_queue_len(SSL *ssl)
8075 {
8076 #ifndef OPENSSL_NO_QUIC
8077 if (!IS_QUIC(ssl))
8078 return 0;
8079
8080 return ossl_quic_get_accept_connection_queue_len(ssl);
8081 #else
8082 return 0;
8083 #endif
8084 }
8085
8086 int SSL_listen(SSL *ssl)
8087 {
8088 #ifndef OPENSSL_NO_QUIC
8089 if (!IS_QUIC(ssl))
8090 return 0;
8091
8092 return ossl_quic_listen(ssl);
8093 #else
8094 return 0;
8095 #endif
8096 }
8097
8098 SSL *SSL_new_domain(SSL_CTX *ctx, uint64_t flags)
8099 {
8100 #ifndef OPENSSL_NO_QUIC
8101 if (!IS_QUIC_CTX(ctx))
8102 return NULL;
8103
8104 return ossl_quic_new_domain(ctx, flags);
8105 #else
8106 return NULL;
8107 #endif
8108 }
8109
8110 int ossl_adjust_domain_flags(uint64_t domain_flags, uint64_t *p_domain_flags)
8111 {
8112 if ((domain_flags & ~OSSL_QUIC_SUPPORTED_DOMAIN_FLAGS) != 0) {
8113 ERR_raise_data(ERR_LIB_SSL, ERR_R_UNSUPPORTED,
8114 "unsupported domain flag requested");
8115 return 0;
8116 }
8117
8118 if ((domain_flags & SSL_DOMAIN_FLAG_THREAD_ASSISTED) != 0)
8119 domain_flags |= SSL_DOMAIN_FLAG_MULTI_THREAD;
8120
8121 if ((domain_flags & (SSL_DOMAIN_FLAG_MULTI_THREAD
8122 | SSL_DOMAIN_FLAG_SINGLE_THREAD)) == 0)
8123 domain_flags |= SSL_DOMAIN_FLAG_MULTI_THREAD;
8124
8125 if ((domain_flags & SSL_DOMAIN_FLAG_SINGLE_THREAD) != 0
8126 && (domain_flags & SSL_DOMAIN_FLAG_MULTI_THREAD) != 0) {
8127 ERR_raise_data(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT,
8128 "mutually exclusive domain flags specified");
8129 return 0;
8130 }
8131
8132 /*
8133 * Note: We treat MULTI_THREAD as a no-op in non-threaded builds, but
8134 * not THREAD_ASSISTED.
8135 */
8136 # ifndef OPENSSL_THREADS
8137 if ((domain_flags & SSL_DOMAIN_FLAG_THREAD_ASSISTED) != 0) {
8138 ERR_raise_data(ERR_LIB_SSL, ERR_R_UNSUPPORTED,
8139 "thread assisted mode not available in this build");
8140 return 0;
8141 }
8142 # endif
8143
8144 *p_domain_flags = domain_flags;
8145 return 1;
8146 }
8147
8148 int SSL_CTX_set_domain_flags(SSL_CTX *ctx, uint64_t domain_flags)
8149 {
8150 #ifndef OPENSSL_NO_QUIC
8151 if (IS_QUIC_CTX(ctx)) {
8152 if (!ossl_adjust_domain_flags(domain_flags, &domain_flags))
8153 return 0;
8154
8155 ctx->domain_flags = domain_flags;
8156 return 1;
8157 }
8158 #endif
8159
8160 ERR_raise_data(ERR_LIB_SSL, ERR_R_UNSUPPORTED,
8161 "domain flags unsupported on this kind of SSL_CTX");
8162 return 0;
8163 }
8164
8165 int SSL_CTX_get_domain_flags(const SSL_CTX *ctx, uint64_t *domain_flags)
8166 {
8167 #ifndef OPENSSL_NO_QUIC
8168 if (IS_QUIC_CTX(ctx)) {
8169 if (domain_flags != NULL)
8170 *domain_flags = ctx->domain_flags;
8171
8172 return 1;
8173 }
8174 #endif
8175
8176 ERR_raise_data(ERR_LIB_SSL, ERR_R_UNSUPPORTED,
8177 "domain flags unsupported on this kind of SSL_CTX");
8178 return 0;
8179 }
8180
8181 int SSL_get_domain_flags(const SSL *ssl, uint64_t *domain_flags)
8182 {
8183 #ifndef OPENSSL_NO_QUIC
8184 if (IS_QUIC(ssl))
8185 return ossl_quic_get_domain_flags(ssl, domain_flags);
8186 #endif
8187
8188 return 0;
8189 }
8190
8191 int SSL_add_expected_rpk(SSL *s, EVP_PKEY *rpk)
8192 {
8193 unsigned char *data = NULL;
8194 SSL_DANE *dane = SSL_get0_dane(s);
8195 int ret;
8196
8197 if (dane == NULL || dane->dctx == NULL)
8198 return 0;
8199 if ((ret = i2d_PUBKEY(rpk, &data)) <= 0)
8200 return 0;
8201
8202 ret = SSL_dane_tlsa_add(s, DANETLS_USAGE_DANE_EE,
8203 DANETLS_SELECTOR_SPKI,
8204 DANETLS_MATCHING_FULL,
8205 data, (size_t)ret) > 0;
8206 OPENSSL_free(data);
8207 return ret;
8208 }
8209
8210 EVP_PKEY *SSL_get0_peer_rpk(const SSL *s)
8211 {
8212 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
8213
8214 if (sc == NULL || sc->session == NULL)
8215 return NULL;
8216 return sc->session->peer_rpk;
8217 }
8218
8219 int SSL_get_negotiated_client_cert_type(const SSL *s)
8220 {
8221 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
8222
8223 if (sc == NULL)
8224 return 0;
8225
8226 return sc->ext.client_cert_type;
8227 }
8228
8229 int SSL_get_negotiated_server_cert_type(const SSL *s)
8230 {
8231 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
8232
8233 if (sc == NULL)
8234 return 0;
8235
8236 return sc->ext.server_cert_type;
8237 }
8238
8239 static int validate_cert_type(const unsigned char *val, size_t len)
8240 {
8241 size_t i;
8242 int saw_rpk = 0;
8243 int saw_x509 = 0;
8244
8245 if (val == NULL && len == 0)
8246 return 1;
8247
8248 if (val == NULL || len == 0)
8249 return 0;
8250
8251 for (i = 0; i < len; i++) {
8252 switch (val[i]) {
8253 case TLSEXT_cert_type_rpk:
8254 if (saw_rpk)
8255 return 0;
8256 saw_rpk = 1;
8257 break;
8258 case TLSEXT_cert_type_x509:
8259 if (saw_x509)
8260 return 0;
8261 saw_x509 = 1;
8262 break;
8263 case TLSEXT_cert_type_pgp:
8264 case TLSEXT_cert_type_1609dot2:
8265 default:
8266 return 0;
8267 }
8268 }
8269 return 1;
8270 }
8271
8272 static int set_cert_type(unsigned char **cert_type,
8273 size_t *cert_type_len,
8274 const unsigned char *val,
8275 size_t len)
8276 {
8277 unsigned char *tmp = NULL;
8278
8279 if (!validate_cert_type(val, len))
8280 return 0;
8281
8282 if (val != NULL && (tmp = OPENSSL_memdup(val, len)) == NULL)
8283 return 0;
8284
8285 OPENSSL_free(*cert_type);
8286 *cert_type = tmp;
8287 *cert_type_len = len;
8288 return 1;
8289 }
8290
8291 int SSL_set1_client_cert_type(SSL *s, const unsigned char *val, size_t len)
8292 {
8293 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
8294
8295 if (sc == NULL)
8296 return 0;
8297
8298 return set_cert_type(&sc->client_cert_type, &sc->client_cert_type_len,
8299 val, len);
8300 }
8301
8302 int SSL_set1_server_cert_type(SSL *s, const unsigned char *val, size_t len)
8303 {
8304 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
8305
8306 if (sc == NULL)
8307 return 0;
8308
8309 return set_cert_type(&sc->server_cert_type, &sc->server_cert_type_len,
8310 val, len);
8311 }
8312
8313 int SSL_CTX_set1_client_cert_type(SSL_CTX *ctx, const unsigned char *val, size_t len)
8314 {
8315 return set_cert_type(&ctx->client_cert_type, &ctx->client_cert_type_len,
8316 val, len);
8317 }
8318
8319 int SSL_CTX_set1_server_cert_type(SSL_CTX *ctx, const unsigned char *val, size_t len)
8320 {
8321 return set_cert_type(&ctx->server_cert_type, &ctx->server_cert_type_len,
8322 val, len);
8323 }
8324
8325 int SSL_get0_client_cert_type(const SSL *s, unsigned char **t, size_t *len)
8326 {
8327 const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
8328
8329 if (t == NULL || len == NULL || sc == NULL)
8330 return 0;
8331
8332 *t = sc->client_cert_type;
8333 *len = sc->client_cert_type_len;
8334 return 1;
8335 }
8336
8337 int SSL_get0_server_cert_type(const SSL *s, unsigned char **t, size_t *len)
8338 {
8339 const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
8340
8341 if (t == NULL || len == NULL || sc == NULL)
8342 return 0;
8343
8344 *t = sc->server_cert_type;
8345 *len = sc->server_cert_type_len;
8346 return 1;
8347 }
8348
8349 int SSL_CTX_get0_client_cert_type(const SSL_CTX *ctx, unsigned char **t, size_t *len)
8350 {
8351 if (t == NULL || len == NULL)
8352 return 0;
8353
8354 *t = ctx->client_cert_type;
8355 *len = ctx->client_cert_type_len;
8356 return 1;
8357 }
8358
8359 int SSL_CTX_get0_server_cert_type(const SSL_CTX *ctx, unsigned char **t, size_t *len)
8360 {
8361 if (t == NULL || len == NULL)
8362 return 0;
8363
8364 *t = ctx->server_cert_type;
8365 *len = ctx->server_cert_type_len;
8366 return 1;
8367 }
Mirror of https://github.com/openssl/openssl.git