xref: /freebsd/crypto/openssl/ssl/ssl_lib.c (revision e7be843b4a162e68651d3911f0357ed464915629)
1 /*
2  * Copyright 1995-2025 The OpenSSL Project Authors. All Rights Reserved.
3  * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
4  * Copyright 2005 Nokia. All rights reserved.
5  *
6  * Licensed under the Apache License 2.0 (the "License").  You may not use
7  * this file except in compliance with the License.  You can obtain a copy
8  * in the file LICENSE in the source distribution or at
9  * https://www.openssl.org/source/license.html
10  */
11 
12 #include "internal/e_os.h"
13 #include "internal/e_winsock.h"
14 #include "ssl_local.h"
15 
16 #include <openssl/objects.h>
17 #include <openssl/x509v3.h>
18 #include <openssl/rand.h>
19 #include <openssl/ocsp.h>
20 #include <openssl/dh.h>
21 #include <openssl/engine.h>
22 #include <openssl/async.h>
23 #include <openssl/ct.h>
24 #include <openssl/trace.h>
25 #include <openssl/core_names.h>
26 #include <openssl/provider.h>
27 #include "internal/cryptlib.h"
28 #include "internal/nelem.h"
29 #include "internal/refcount.h"
30 #include "internal/thread_once.h"
31 #include "internal/ktls.h"
32 #include "internal/to_hex.h"
33 #include "internal/ssl_unwrap.h"
34 #include "quic/quic_local.h"
35 
36 #ifndef OPENSSL_NO_SSLKEYLOG
37 # include <sys/stat.h>
38 # include <fcntl.h>
39 #endif
40 
ssl_undefined_function_3(SSL_CONNECTION * sc,unsigned char * r,unsigned char * s,size_t t,size_t * u)41 static int ssl_undefined_function_3(SSL_CONNECTION *sc, unsigned char *r,
42                                     unsigned char *s, size_t t, size_t *u)
43 {
44     return ssl_undefined_function(SSL_CONNECTION_GET_SSL(sc));
45 }
46 
ssl_undefined_function_4(SSL_CONNECTION * sc,int r)47 static int ssl_undefined_function_4(SSL_CONNECTION *sc, int r)
48 {
49     return ssl_undefined_function(SSL_CONNECTION_GET_SSL(sc));
50 }
51 
ssl_undefined_function_5(SSL_CONNECTION * sc,const char * r,size_t s,unsigned char * t)52 static size_t ssl_undefined_function_5(SSL_CONNECTION *sc, const char *r,
53                                        size_t s, unsigned char *t)
54 {
55     return ssl_undefined_function(SSL_CONNECTION_GET_SSL(sc));
56 }
57 
ssl_undefined_function_6(int r)58 static int ssl_undefined_function_6(int r)
59 {
60     return ssl_undefined_function(NULL);
61 }
62 
ssl_undefined_function_7(SSL_CONNECTION * sc,unsigned char * r,size_t s,const char * t,size_t u,const unsigned char * v,size_t w,int x)63 static int ssl_undefined_function_7(SSL_CONNECTION *sc, unsigned char *r,
64                                     size_t s, const char *t, size_t u,
65                                     const unsigned char *v, size_t w, int x)
66 {
67     return ssl_undefined_function(SSL_CONNECTION_GET_SSL(sc));
68 }
69 
ssl_undefined_function_8(SSL_CONNECTION * sc)70 static int ssl_undefined_function_8(SSL_CONNECTION *sc)
71 {
72     return ssl_undefined_function(SSL_CONNECTION_GET_SSL(sc));
73 }
74 
75 const SSL3_ENC_METHOD ssl3_undef_enc_method = {
76     ssl_undefined_function_8,
77     ssl_undefined_function_3,
78     ssl_undefined_function_4,
79     ssl_undefined_function_5,
80     NULL,                       /* client_finished_label */
81     0,                          /* client_finished_label_len */
82     NULL,                       /* server_finished_label */
83     0,                          /* server_finished_label_len */
84     ssl_undefined_function_6,
85     ssl_undefined_function_7,
86 };
87 
88 struct ssl_async_args {
89     SSL *s;
90     void *buf;
91     size_t num;
92     enum { READFUNC, WRITEFUNC, OTHERFUNC } type;
93     union {
94         int (*func_read) (SSL *, void *, size_t, size_t *);
95         int (*func_write) (SSL *, const void *, size_t, size_t *);
96         int (*func_other) (SSL *);
97     } f;
98 };
99 
100 static const struct {
101     uint8_t mtype;
102     uint8_t ord;
103     int nid;
104 } dane_mds[] = {
105     {
106         DANETLS_MATCHING_FULL, 0, NID_undef
107     },
108     {
109         DANETLS_MATCHING_2256, 1, NID_sha256
110     },
111     {
112         DANETLS_MATCHING_2512, 2, NID_sha512
113     },
114 };
115 
dane_ctx_enable(struct dane_ctx_st * dctx)116 static int dane_ctx_enable(struct dane_ctx_st *dctx)
117 {
118     const EVP_MD **mdevp;
119     uint8_t *mdord;
120     uint8_t mdmax = DANETLS_MATCHING_LAST;
121     int n = ((int)mdmax) + 1;   /* int to handle PrivMatch(255) */
122     size_t i;
123 
124     if (dctx->mdevp != NULL)
125         return 1;
126 
127     mdevp = OPENSSL_zalloc(n * sizeof(*mdevp));
128     mdord = OPENSSL_zalloc(n * sizeof(*mdord));
129 
130     if (mdord == NULL || mdevp == NULL) {
131         OPENSSL_free(mdord);
132         OPENSSL_free(mdevp);
133         return 0;
134     }
135 
136     /* Install default entries */
137     for (i = 0; i < OSSL_NELEM(dane_mds); ++i) {
138         const EVP_MD *md;
139 
140         if (dane_mds[i].nid == NID_undef ||
141             (md = EVP_get_digestbynid(dane_mds[i].nid)) == NULL)
142             continue;
143         mdevp[dane_mds[i].mtype] = md;
144         mdord[dane_mds[i].mtype] = dane_mds[i].ord;
145     }
146 
147     dctx->mdevp = mdevp;
148     dctx->mdord = mdord;
149     dctx->mdmax = mdmax;
150 
151     return 1;
152 }
153 
dane_ctx_final(struct dane_ctx_st * dctx)154 static void dane_ctx_final(struct dane_ctx_st *dctx)
155 {
156     OPENSSL_free(dctx->mdevp);
157     dctx->mdevp = NULL;
158 
159     OPENSSL_free(dctx->mdord);
160     dctx->mdord = NULL;
161     dctx->mdmax = 0;
162 }
163 
tlsa_free(danetls_record * t)164 static void tlsa_free(danetls_record *t)
165 {
166     if (t == NULL)
167         return;
168     OPENSSL_free(t->data);
169     EVP_PKEY_free(t->spki);
170     OPENSSL_free(t);
171 }
172 
dane_final(SSL_DANE * dane)173 static void dane_final(SSL_DANE *dane)
174 {
175     sk_danetls_record_pop_free(dane->trecs, tlsa_free);
176     dane->trecs = NULL;
177 
178     OSSL_STACK_OF_X509_free(dane->certs);
179     dane->certs = NULL;
180 
181     X509_free(dane->mcert);
182     dane->mcert = NULL;
183     dane->mtlsa = NULL;
184     dane->mdpth = -1;
185     dane->pdpth = -1;
186 }
187 
188 /*
189  * dane_copy - Copy dane configuration, sans verification state.
190  */
ssl_dane_dup(SSL_CONNECTION * to,SSL_CONNECTION * from)191 static int ssl_dane_dup(SSL_CONNECTION *to, SSL_CONNECTION *from)
192 {
193     int num;
194     int i;
195 
196     if (!DANETLS_ENABLED(&from->dane))
197         return 1;
198 
199     num = sk_danetls_record_num(from->dane.trecs);
200     dane_final(&to->dane);
201     to->dane.flags = from->dane.flags;
202     to->dane.dctx = &SSL_CONNECTION_GET_CTX(to)->dane;
203     to->dane.trecs = sk_danetls_record_new_reserve(NULL, num);
204 
205     if (to->dane.trecs == NULL) {
206         ERR_raise(ERR_LIB_SSL, ERR_R_CRYPTO_LIB);
207         return 0;
208     }
209 
210     for (i = 0; i < num; ++i) {
211         danetls_record *t = sk_danetls_record_value(from->dane.trecs, i);
212 
213         if (SSL_dane_tlsa_add(SSL_CONNECTION_GET_SSL(to), t->usage,
214                               t->selector, t->mtype, t->data, t->dlen) <= 0)
215             return 0;
216     }
217     return 1;
218 }
219 
dane_mtype_set(struct dane_ctx_st * dctx,const EVP_MD * md,uint8_t mtype,uint8_t ord)220 static int dane_mtype_set(struct dane_ctx_st *dctx,
221                           const EVP_MD *md, uint8_t mtype, uint8_t ord)
222 {
223     int i;
224 
225     if (mtype == DANETLS_MATCHING_FULL && md != NULL) {
226         ERR_raise(ERR_LIB_SSL, SSL_R_DANE_CANNOT_OVERRIDE_MTYPE_FULL);
227         return 0;
228     }
229 
230     if (mtype > dctx->mdmax) {
231         const EVP_MD **mdevp;
232         uint8_t *mdord;
233         int n = ((int)mtype) + 1;
234 
235         mdevp = OPENSSL_realloc(dctx->mdevp, n * sizeof(*mdevp));
236         if (mdevp == NULL)
237             return -1;
238         dctx->mdevp = mdevp;
239 
240         mdord = OPENSSL_realloc(dctx->mdord, n * sizeof(*mdord));
241         if (mdord == NULL)
242             return -1;
243         dctx->mdord = mdord;
244 
245         /* Zero-fill any gaps */
246         for (i = dctx->mdmax + 1; i < mtype; ++i) {
247             mdevp[i] = NULL;
248             mdord[i] = 0;
249         }
250 
251         dctx->mdmax = mtype;
252     }
253 
254     dctx->mdevp[mtype] = md;
255     /* Coerce ordinal of disabled matching types to 0 */
256     dctx->mdord[mtype] = (md == NULL) ? 0 : ord;
257 
258     return 1;
259 }
260 
tlsa_md_get(SSL_DANE * dane,uint8_t mtype)261 static const EVP_MD *tlsa_md_get(SSL_DANE *dane, uint8_t mtype)
262 {
263     if (mtype > dane->dctx->mdmax)
264         return NULL;
265     return dane->dctx->mdevp[mtype];
266 }
267 
dane_tlsa_add(SSL_DANE * dane,uint8_t usage,uint8_t selector,uint8_t mtype,const unsigned char * data,size_t dlen)268 static int dane_tlsa_add(SSL_DANE *dane,
269                          uint8_t usage,
270                          uint8_t selector,
271                          uint8_t mtype, const unsigned char *data, size_t dlen)
272 {
273     danetls_record *t;
274     const EVP_MD *md = NULL;
275     int ilen = (int)dlen;
276     int i;
277     int num;
278     int mdsize;
279 
280     if (dane->trecs == NULL) {
281         ERR_raise(ERR_LIB_SSL, SSL_R_DANE_NOT_ENABLED);
282         return -1;
283     }
284 
285     if (ilen < 0 || dlen != (size_t)ilen) {
286         ERR_raise(ERR_LIB_SSL, SSL_R_DANE_TLSA_BAD_DATA_LENGTH);
287         return 0;
288     }
289 
290     if (usage > DANETLS_USAGE_LAST) {
291         ERR_raise(ERR_LIB_SSL, SSL_R_DANE_TLSA_BAD_CERTIFICATE_USAGE);
292         return 0;
293     }
294 
295     if (selector > DANETLS_SELECTOR_LAST) {
296         ERR_raise(ERR_LIB_SSL, SSL_R_DANE_TLSA_BAD_SELECTOR);
297         return 0;
298     }
299 
300     if (mtype != DANETLS_MATCHING_FULL) {
301         md = tlsa_md_get(dane, mtype);
302         if (md == NULL) {
303             ERR_raise(ERR_LIB_SSL, SSL_R_DANE_TLSA_BAD_MATCHING_TYPE);
304             return 0;
305         }
306     }
307 
308     if (md != NULL) {
309         mdsize = EVP_MD_get_size(md);
310         if (mdsize <= 0 || dlen != (size_t)mdsize) {
311             ERR_raise(ERR_LIB_SSL, SSL_R_DANE_TLSA_BAD_DIGEST_LENGTH);
312             return 0;
313         }
314     }
315     if (!data) {
316         ERR_raise(ERR_LIB_SSL, SSL_R_DANE_TLSA_NULL_DATA);
317         return 0;
318     }
319 
320     if ((t = OPENSSL_zalloc(sizeof(*t))) == NULL)
321         return -1;
322 
323     t->usage = usage;
324     t->selector = selector;
325     t->mtype = mtype;
326     t->data = OPENSSL_malloc(dlen);
327     if (t->data == NULL) {
328         tlsa_free(t);
329         return -1;
330     }
331     memcpy(t->data, data, dlen);
332     t->dlen = dlen;
333 
334     /* Validate and cache full certificate or public key */
335     if (mtype == DANETLS_MATCHING_FULL) {
336         const unsigned char *p = data;
337         X509 *cert = NULL;
338         EVP_PKEY *pkey = NULL;
339 
340         switch (selector) {
341         case DANETLS_SELECTOR_CERT:
342             if (!d2i_X509(&cert, &p, ilen) || p < data ||
343                 dlen != (size_t)(p - data)) {
344                 X509_free(cert);
345                 tlsa_free(t);
346                 ERR_raise(ERR_LIB_SSL, SSL_R_DANE_TLSA_BAD_CERTIFICATE);
347                 return 0;
348             }
349             if (X509_get0_pubkey(cert) == NULL) {
350                 X509_free(cert);
351                 tlsa_free(t);
352                 ERR_raise(ERR_LIB_SSL, SSL_R_DANE_TLSA_BAD_CERTIFICATE);
353                 return 0;
354             }
355 
356             if ((DANETLS_USAGE_BIT(usage) & DANETLS_TA_MASK) == 0) {
357                 /*
358                  * The Full(0) certificate decodes to a seemingly valid X.509
359                  * object with a plausible key, so the TLSA record is well
360                  * formed.  However, we don't actually need the certificate for
361                  * usages PKIX-EE(1) or DANE-EE(3), because at least the EE
362                  * certificate is always presented by the peer.  We discard the
363                  * certificate, and just use the TLSA data as an opaque blob
364                  * for matching the raw presented DER octets.
365                  *
366                  * DO NOT FREE `t` here, it will be added to the TLSA record
367                  * list below!
368                  */
369                 X509_free(cert);
370                 break;
371             }
372 
373             /*
374              * For usage DANE-TA(2), we support authentication via "2 0 0" TLSA
375              * records that contain full certificates of trust-anchors that are
376              * not present in the wire chain.  For usage PKIX-TA(0), we augment
377              * the chain with untrusted Full(0) certificates from DNS, in case
378              * they are missing from the chain.
379              */
380             if ((dane->certs == NULL &&
381                  (dane->certs = sk_X509_new_null()) == NULL) ||
382                 !sk_X509_push(dane->certs, cert)) {
383                 ERR_raise(ERR_LIB_SSL, ERR_R_CRYPTO_LIB);
384                 X509_free(cert);
385                 tlsa_free(t);
386                 return -1;
387             }
388             break;
389 
390         case DANETLS_SELECTOR_SPKI:
391             if (!d2i_PUBKEY(&pkey, &p, ilen) || p < data ||
392                 dlen != (size_t)(p - data)) {
393                 EVP_PKEY_free(pkey);
394                 tlsa_free(t);
395                 ERR_raise(ERR_LIB_SSL, SSL_R_DANE_TLSA_BAD_PUBLIC_KEY);
396                 return 0;
397             }
398 
399             /*
400              * For usage DANE-TA(2), we support authentication via "2 1 0" TLSA
401              * records that contain full bare keys of trust-anchors that are
402              * not present in the wire chain.
403              */
404             if (usage == DANETLS_USAGE_DANE_TA)
405                 t->spki = pkey;
406             else
407                 EVP_PKEY_free(pkey);
408             break;
409         }
410     }
411 
412     /*-
413      * Find the right insertion point for the new record.
414      *
415      * See crypto/x509/x509_vfy.c.  We sort DANE-EE(3) records first, so that
416      * they can be processed first, as they require no chain building, and no
417      * expiration or hostname checks.  Because DANE-EE(3) is numerically
418      * largest, this is accomplished via descending sort by "usage".
419      *
420      * We also sort in descending order by matching ordinal to simplify
421      * the implementation of digest agility in the verification code.
422      *
423      * The choice of order for the selector is not significant, so we
424      * use the same descending order for consistency.
425      */
426     num = sk_danetls_record_num(dane->trecs);
427     for (i = 0; i < num; ++i) {
428         danetls_record *rec = sk_danetls_record_value(dane->trecs, i);
429 
430         if (rec->usage > usage)
431             continue;
432         if (rec->usage < usage)
433             break;
434         if (rec->selector > selector)
435             continue;
436         if (rec->selector < selector)
437             break;
438         if (dane->dctx->mdord[rec->mtype] > dane->dctx->mdord[mtype])
439             continue;
440         break;
441     }
442 
443     if (!sk_danetls_record_insert(dane->trecs, t, i)) {
444         tlsa_free(t);
445         ERR_raise(ERR_LIB_SSL, ERR_R_CRYPTO_LIB);
446         return -1;
447     }
448     dane->umask |= DANETLS_USAGE_BIT(usage);
449 
450     return 1;
451 }
452 
453 /*
454  * Return 0 if there is only one version configured and it was disabled
455  * at configure time.  Return 1 otherwise.
456  */
ssl_check_allowed_versions(int min_version,int max_version)457 static int ssl_check_allowed_versions(int min_version, int max_version)
458 {
459     int minisdtls = 0, maxisdtls = 0;
460 
461     /* Figure out if we're doing DTLS versions or TLS versions */
462     if (min_version == DTLS1_BAD_VER
463         || min_version >> 8 == DTLS1_VERSION_MAJOR)
464         minisdtls = 1;
465     if (max_version == DTLS1_BAD_VER
466         || max_version >> 8 == DTLS1_VERSION_MAJOR)
467         maxisdtls = 1;
468     /* A wildcard version of 0 could be DTLS or TLS. */
469     if ((minisdtls && !maxisdtls && max_version != 0)
470         || (maxisdtls && !minisdtls && min_version != 0)) {
471         /* Mixing DTLS and TLS versions will lead to sadness; deny it. */
472         return 0;
473     }
474 
475     if (minisdtls || maxisdtls) {
476         /* Do DTLS version checks. */
477         if (min_version == 0)
478             /* Ignore DTLS1_BAD_VER */
479             min_version = DTLS1_VERSION;
480         if (max_version == 0)
481             max_version = DTLS1_2_VERSION;
482 #ifdef OPENSSL_NO_DTLS1_2
483         if (max_version == DTLS1_2_VERSION)
484             max_version = DTLS1_VERSION;
485 #endif
486 #ifdef OPENSSL_NO_DTLS1
487         if (min_version == DTLS1_VERSION)
488             min_version = DTLS1_2_VERSION;
489 #endif
490         /* Done massaging versions; do the check. */
491         if (0
492 #ifdef OPENSSL_NO_DTLS1
493             || (DTLS_VERSION_GE(min_version, DTLS1_VERSION)
494                 && DTLS_VERSION_GE(DTLS1_VERSION, max_version))
495 #endif
496 #ifdef OPENSSL_NO_DTLS1_2
497             || (DTLS_VERSION_GE(min_version, DTLS1_2_VERSION)
498                 && DTLS_VERSION_GE(DTLS1_2_VERSION, max_version))
499 #endif
500             )
501             return 0;
502     } else {
503         /* Regular TLS version checks. */
504         if (min_version == 0)
505             min_version = SSL3_VERSION;
506         if (max_version == 0)
507             max_version = TLS1_3_VERSION;
508 #ifdef OPENSSL_NO_TLS1_3
509         if (max_version == TLS1_3_VERSION)
510             max_version = TLS1_2_VERSION;
511 #endif
512 #ifdef OPENSSL_NO_TLS1_2
513         if (max_version == TLS1_2_VERSION)
514             max_version = TLS1_1_VERSION;
515 #endif
516 #ifdef OPENSSL_NO_TLS1_1
517         if (max_version == TLS1_1_VERSION)
518             max_version = TLS1_VERSION;
519 #endif
520 #ifdef OPENSSL_NO_TLS1
521         if (max_version == TLS1_VERSION)
522             max_version = SSL3_VERSION;
523 #endif
524 #ifdef OPENSSL_NO_SSL3
525         if (min_version == SSL3_VERSION)
526             min_version = TLS1_VERSION;
527 #endif
528 #ifdef OPENSSL_NO_TLS1
529         if (min_version == TLS1_VERSION)
530             min_version = TLS1_1_VERSION;
531 #endif
532 #ifdef OPENSSL_NO_TLS1_1
533         if (min_version == TLS1_1_VERSION)
534             min_version = TLS1_2_VERSION;
535 #endif
536 #ifdef OPENSSL_NO_TLS1_2
537         if (min_version == TLS1_2_VERSION)
538             min_version = TLS1_3_VERSION;
539 #endif
540         /* Done massaging versions; do the check. */
541         if (0
542 #ifdef OPENSSL_NO_SSL3
543             || (min_version <= SSL3_VERSION && SSL3_VERSION <= max_version)
544 #endif
545 #ifdef OPENSSL_NO_TLS1
546             || (min_version <= TLS1_VERSION && TLS1_VERSION <= max_version)
547 #endif
548 #ifdef OPENSSL_NO_TLS1_1
549             || (min_version <= TLS1_1_VERSION && TLS1_1_VERSION <= max_version)
550 #endif
551 #ifdef OPENSSL_NO_TLS1_2
552             || (min_version <= TLS1_2_VERSION && TLS1_2_VERSION <= max_version)
553 #endif
554 #ifdef OPENSSL_NO_TLS1_3
555             || (min_version <= TLS1_3_VERSION && TLS1_3_VERSION <= max_version)
556 #endif
557             )
558             return 0;
559     }
560     return 1;
561 }
562 
563 #if defined(__TANDEM) && defined(OPENSSL_VPROC)
564 /*
565  * Define a VPROC function for HP NonStop build ssl library.
566  * This is used by platform version identification tools.
567  * Do not inline this procedure or make it static.
568  */
569 # define OPENSSL_VPROC_STRING_(x)    x##_SSL
570 # define OPENSSL_VPROC_STRING(x)     OPENSSL_VPROC_STRING_(x)
571 # define OPENSSL_VPROC_FUNC          OPENSSL_VPROC_STRING(OPENSSL_VPROC)
OPENSSL_VPROC_FUNC(void)572 void OPENSSL_VPROC_FUNC(void) {}
573 #endif
574 
SSL_clear(SSL * s)575 int SSL_clear(SSL *s)
576 {
577     if (s->method == NULL) {
578         ERR_raise(ERR_LIB_SSL, SSL_R_NO_METHOD_SPECIFIED);
579         return 0;
580     }
581 
582     return s->method->ssl_reset(s);
583 }
584 
ossl_ssl_connection_reset(SSL * s)585 int ossl_ssl_connection_reset(SSL *s)
586 {
587     SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
588 
589     if (sc == NULL)
590         return 0;
591 
592     if (ssl_clear_bad_session(sc)) {
593         SSL_SESSION_free(sc->session);
594         sc->session = NULL;
595     }
596     SSL_SESSION_free(sc->psksession);
597     sc->psksession = NULL;
598     OPENSSL_free(sc->psksession_id);
599     sc->psksession_id = NULL;
600     sc->psksession_id_len = 0;
601     sc->hello_retry_request = SSL_HRR_NONE;
602     sc->sent_tickets = 0;
603 
604     sc->error = 0;
605     sc->hit = 0;
606     sc->shutdown = 0;
607 
608     if (sc->renegotiate) {
609         ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
610         return 0;
611     }
612 
613     ossl_statem_clear(sc);
614 
615     sc->version = s->method->version;
616     sc->client_version = sc->version;
617     sc->rwstate = SSL_NOTHING;
618 
619     BUF_MEM_free(sc->init_buf);
620     sc->init_buf = NULL;
621     sc->first_packet = 0;
622 
623     sc->key_update = SSL_KEY_UPDATE_NONE;
624     memset(sc->ext.compress_certificate_from_peer, 0,
625            sizeof(sc->ext.compress_certificate_from_peer));
626     sc->ext.compress_certificate_sent = 0;
627 
628     EVP_MD_CTX_free(sc->pha_dgst);
629     sc->pha_dgst = NULL;
630 
631     /* Reset DANE verification result state */
632     sc->dane.mdpth = -1;
633     sc->dane.pdpth = -1;
634     X509_free(sc->dane.mcert);
635     sc->dane.mcert = NULL;
636     sc->dane.mtlsa = NULL;
637 
638     /* Clear the verification result peername */
639     X509_VERIFY_PARAM_move_peername(sc->param, NULL);
640 
641     /* Clear any shared connection state */
642     OPENSSL_free(sc->shared_sigalgs);
643     sc->shared_sigalgs = NULL;
644     sc->shared_sigalgslen = 0;
645 
646     /*
647      * Check to see if we were changed into a different method, if so, revert
648      * back.
649      */
650     if (s->method != s->defltmeth) {
651         s->method->ssl_deinit(s);
652         s->method = s->defltmeth;
653         if (!s->method->ssl_init(s))
654             return 0;
655     } else {
656         if (!s->method->ssl_clear(s))
657             return 0;
658     }
659 
660     ossl_quic_tls_clear(sc->qtls);
661 
662     if (!RECORD_LAYER_reset(&sc->rlayer))
663         return 0;
664 
665     return 1;
666 }
667 
668 #ifndef OPENSSL_NO_DEPRECATED_3_0
669 /** Used to change an SSL_CTXs default SSL method type */
SSL_CTX_set_ssl_version(SSL_CTX * ctx,const SSL_METHOD * meth)670 int SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *meth)
671 {
672     STACK_OF(SSL_CIPHER) *sk;
673 
674     if (IS_QUIC_CTX(ctx)) {
675         ERR_raise(ERR_LIB_SSL, SSL_R_WRONG_SSL_VERSION);
676         return 0;
677     }
678 
679     ctx->method = meth;
680 
681     if (!SSL_CTX_set_ciphersuites(ctx, OSSL_default_ciphersuites())) {
682         ERR_raise(ERR_LIB_SSL, SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS);
683         return 0;
684     }
685     sk = ssl_create_cipher_list(ctx,
686                                 ctx->tls13_ciphersuites,
687                                 &(ctx->cipher_list),
688                                 &(ctx->cipher_list_by_id),
689                                 OSSL_default_cipher_list(), ctx->cert);
690     if ((sk == NULL) || (sk_SSL_CIPHER_num(sk) <= 0)) {
691         ERR_raise(ERR_LIB_SSL, SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS);
692         return 0;
693     }
694     return 1;
695 }
696 #endif
697 
SSL_new(SSL_CTX * ctx)698 SSL *SSL_new(SSL_CTX *ctx)
699 {
700     if (ctx == NULL) {
701         ERR_raise(ERR_LIB_SSL, SSL_R_NULL_SSL_CTX);
702         return NULL;
703     }
704     if (ctx->method == NULL) {
705         ERR_raise(ERR_LIB_SSL, SSL_R_SSL_CTX_HAS_NO_DEFAULT_SSL_VERSION);
706         return NULL;
707     }
708     return ctx->method->ssl_new(ctx);
709 }
710 
ossl_ssl_init(SSL * ssl,SSL_CTX * ctx,const SSL_METHOD * method,int type)711 int ossl_ssl_init(SSL *ssl, SSL_CTX *ctx, const SSL_METHOD *method, int type)
712 {
713     if (!SSL_CTX_up_ref(ctx))
714         return 0;
715 
716     ssl->lock = CRYPTO_THREAD_lock_new();
717 
718     if (ssl->lock == NULL || !CRYPTO_NEW_REF(&ssl->references, 1))
719         goto err;
720 
721     if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL, ssl, &ssl->ex_data)) {
722         CRYPTO_FREE_REF(&ssl->references);
723         goto err;
724     }
725 
726     ssl->ctx = ctx;
727     ssl->type = type;
728     ssl->defltmeth = ssl->method = method;
729 
730     return 1;
731 
732 err:
733     CRYPTO_THREAD_lock_free(ssl->lock);
734     ssl->lock = NULL;
735     SSL_CTX_free(ctx);
736     return 0;
737 }
738 
ossl_ssl_connection_new_int(SSL_CTX * ctx,SSL * user_ssl,const SSL_METHOD * method)739 SSL *ossl_ssl_connection_new_int(SSL_CTX *ctx, SSL *user_ssl,
740                                  const SSL_METHOD *method)
741 {
742     SSL_CONNECTION *s;
743     SSL *ssl;
744 
745     s = OPENSSL_zalloc(sizeof(*s));
746     if (s == NULL)
747         return NULL;
748 
749     ssl = &s->ssl;
750     s->user_ssl = (user_ssl == NULL) ? ssl : user_ssl;
751 
752     if (!ossl_ssl_init(ssl, ctx, method, SSL_TYPE_SSL_CONNECTION)) {
753         OPENSSL_free(s);
754         s = NULL;
755         ssl = NULL;
756         goto sslerr;
757     }
758 
759     RECORD_LAYER_init(&s->rlayer, s);
760 
761     s->options = ctx->options;
762 
763     s->dane.flags = ctx->dane.flags;
764     if (method->version == ctx->method->version) {
765         s->min_proto_version = ctx->min_proto_version;
766         s->max_proto_version = ctx->max_proto_version;
767     }
768 
769     s->mode = ctx->mode;
770     s->max_cert_list = ctx->max_cert_list;
771     s->max_early_data = ctx->max_early_data;
772     s->recv_max_early_data = ctx->recv_max_early_data;
773 
774     s->num_tickets = ctx->num_tickets;
775     s->pha_enabled = ctx->pha_enabled;
776 
777     /* Shallow copy of the ciphersuites stack */
778     s->tls13_ciphersuites = sk_SSL_CIPHER_dup(ctx->tls13_ciphersuites);
779     if (s->tls13_ciphersuites == NULL)
780         goto cerr;
781 
782     /*
783      * Earlier library versions used to copy the pointer to the CERT, not
784      * its contents; only when setting new parameters for the per-SSL
785      * copy, ssl_cert_new would be called (and the direct reference to
786      * the per-SSL_CTX settings would be lost, but those still were
787      * indirectly accessed for various purposes, and for that reason they
788      * used to be known as s->ctx->default_cert). Now we don't look at the
789      * SSL_CTX's CERT after having duplicated it once.
790      */
791     s->cert = ssl_cert_dup(ctx->cert);
792     if (s->cert == NULL)
793         goto sslerr;
794 
795     RECORD_LAYER_set_read_ahead(&s->rlayer, ctx->read_ahead);
796     s->msg_callback = ctx->msg_callback;
797     s->msg_callback_arg = ctx->msg_callback_arg;
798     s->verify_mode = ctx->verify_mode;
799     s->not_resumable_session_cb = ctx->not_resumable_session_cb;
800     s->rlayer.record_padding_cb = ctx->record_padding_cb;
801     s->rlayer.record_padding_arg = ctx->record_padding_arg;
802     s->rlayer.block_padding = ctx->block_padding;
803     s->rlayer.hs_padding = ctx->hs_padding;
804     s->sid_ctx_length = ctx->sid_ctx_length;
805     if (!ossl_assert(s->sid_ctx_length <= sizeof(s->sid_ctx)))
806         goto err;
807     memcpy(&s->sid_ctx, &ctx->sid_ctx, sizeof(s->sid_ctx));
808     s->verify_callback = ctx->default_verify_callback;
809     s->generate_session_id = ctx->generate_session_id;
810 
811     s->param = X509_VERIFY_PARAM_new();
812     if (s->param == NULL)
813         goto asn1err;
814     X509_VERIFY_PARAM_inherit(s->param, ctx->param);
815     s->quiet_shutdown = IS_QUIC_CTX(ctx) ? 0 : ctx->quiet_shutdown;
816 
817     if (!IS_QUIC_CTX(ctx))
818         s->ext.max_fragment_len_mode = ctx->ext.max_fragment_len_mode;
819 
820     s->max_send_fragment = ctx->max_send_fragment;
821     s->split_send_fragment = ctx->split_send_fragment;
822     s->max_pipelines = ctx->max_pipelines;
823     s->rlayer.default_read_buf_len = ctx->default_read_buf_len;
824 
825     s->ext.debug_cb = 0;
826     s->ext.debug_arg = NULL;
827     s->ext.ticket_expected = 0;
828     s->ext.status_type = ctx->ext.status_type;
829     s->ext.status_expected = 0;
830     s->ext.ocsp.ids = NULL;
831     s->ext.ocsp.exts = NULL;
832     s->ext.ocsp.resp = NULL;
833     s->ext.ocsp.resp_len = 0;
834 
835     if (!SSL_CTX_up_ref(ctx))
836         goto err;
837 
838     s->session_ctx = ctx;
839     if (ctx->ext.ecpointformats != NULL) {
840         s->ext.ecpointformats =
841             OPENSSL_memdup(ctx->ext.ecpointformats,
842                            ctx->ext.ecpointformats_len);
843         if (s->ext.ecpointformats == NULL) {
844             s->ext.ecpointformats_len = 0;
845             goto err;
846         }
847         s->ext.ecpointformats_len =
848             ctx->ext.ecpointformats_len;
849     }
850     if (ctx->ext.supportedgroups != NULL) {
851         size_t add = 0;
852 
853         if (ctx->ext.supportedgroups_len == 0)
854             /* Add 1 so allocation won't fail */
855             add = 1;
856         s->ext.supportedgroups =
857             OPENSSL_memdup(ctx->ext.supportedgroups,
858                            (ctx->ext.supportedgroups_len + add)
859                            * sizeof(*ctx->ext.supportedgroups));
860         if (s->ext.supportedgroups == NULL) {
861             s->ext.supportedgroups_len = 0;
862             goto err;
863         }
864         s->ext.supportedgroups_len = ctx->ext.supportedgroups_len;
865     }
866     if (ctx->ext.keyshares != NULL) {
867         size_t add = 0;
868 
869         if (ctx->ext.keyshares_len == 0)
870             /* Add 1 so allocation won't fail */
871             add = 1;
872         s->ext.keyshares =
873             OPENSSL_memdup(ctx->ext.keyshares,
874                            (ctx->ext.keyshares_len + add)
875                            * sizeof(*ctx->ext.keyshares));
876         if (s->ext.keyshares == NULL) {
877             s->ext.keyshares_len = 0;
878             goto err;
879         }
880         s->ext.keyshares_len = ctx->ext.keyshares_len;
881     }
882     if (ctx->ext.tuples != NULL) {
883         size_t add = 0;
884 
885         if (ctx->ext.tuples_len == 0)
886             /* Add 1 so allocation won't fail */
887             add = 1;
888         s->ext.tuples =
889             OPENSSL_memdup(ctx->ext.tuples,
890                            (ctx->ext.tuples_len + add)
891                            * sizeof(*ctx->ext.tuples));
892         if (s->ext.tuples == NULL) {
893             s->ext.tuples_len = 0;
894             goto err;
895         }
896         s->ext.tuples_len = ctx->ext.tuples_len;
897     }
898 
899 #ifndef OPENSSL_NO_NEXTPROTONEG
900     s->ext.npn = NULL;
901 #endif
902 
903     if (ctx->ext.alpn != NULL) {
904         s->ext.alpn = OPENSSL_malloc(ctx->ext.alpn_len);
905         if (s->ext.alpn == NULL) {
906             s->ext.alpn_len = 0;
907             goto err;
908         }
909         memcpy(s->ext.alpn, ctx->ext.alpn, ctx->ext.alpn_len);
910         s->ext.alpn_len = ctx->ext.alpn_len;
911     }
912 
913     s->verified_chain = NULL;
914     s->verify_result = X509_V_OK;
915 
916     s->default_passwd_callback = ctx->default_passwd_callback;
917     s->default_passwd_callback_userdata = ctx->default_passwd_callback_userdata;
918 
919     s->key_update = SSL_KEY_UPDATE_NONE;
920 
921     if (!IS_QUIC_CTX(ctx)) {
922         s->allow_early_data_cb = ctx->allow_early_data_cb;
923         s->allow_early_data_cb_data = ctx->allow_early_data_cb_data;
924     }
925 
926     if (!method->ssl_init(ssl))
927         goto sslerr;
928 
929     s->server = (method->ssl_accept == ssl_undefined_function) ? 0 : 1;
930 
931     if (!method->ssl_reset(ssl))
932         goto sslerr;
933 
934 #ifndef OPENSSL_NO_PSK
935     s->psk_client_callback = ctx->psk_client_callback;
936     s->psk_server_callback = ctx->psk_server_callback;
937 #endif
938     s->psk_find_session_cb = ctx->psk_find_session_cb;
939     s->psk_use_session_cb = ctx->psk_use_session_cb;
940 
941     s->async_cb = ctx->async_cb;
942     s->async_cb_arg = ctx->async_cb_arg;
943 
944     s->job = NULL;
945 
946 #ifndef OPENSSL_NO_COMP_ALG
947     memcpy(s->cert_comp_prefs, ctx->cert_comp_prefs, sizeof(s->cert_comp_prefs));
948 #endif
949     if (ctx->client_cert_type != NULL) {
950         s->client_cert_type = OPENSSL_memdup(ctx->client_cert_type,
951                                              ctx->client_cert_type_len);
952         if (s->client_cert_type == NULL)
953             goto sslerr;
954         s->client_cert_type_len = ctx->client_cert_type_len;
955     }
956     if (ctx->server_cert_type != NULL) {
957         s->server_cert_type = OPENSSL_memdup(ctx->server_cert_type,
958                                              ctx->server_cert_type_len);
959         if (s->server_cert_type == NULL)
960             goto sslerr;
961         s->server_cert_type_len = ctx->server_cert_type_len;
962     }
963 
964 #ifndef OPENSSL_NO_CT
965     if (!SSL_set_ct_validation_callback(ssl, ctx->ct_validation_callback,
966                                         ctx->ct_validation_callback_arg))
967         goto sslerr;
968 #endif
969 
970     s->ssl_pkey_num = SSL_PKEY_NUM + ctx->sigalg_list_len;
971     return ssl;
972  cerr:
973     ERR_raise(ERR_LIB_SSL, ERR_R_CRYPTO_LIB);
974     goto err;
975  asn1err:
976     ERR_raise(ERR_LIB_SSL, ERR_R_ASN1_LIB);
977     goto err;
978  sslerr:
979     ERR_raise(ERR_LIB_SSL, ERR_R_SSL_LIB);
980  err:
981     SSL_free(ssl);
982     return NULL;
983 }
984 
ossl_ssl_connection_new(SSL_CTX * ctx)985 SSL *ossl_ssl_connection_new(SSL_CTX *ctx)
986 {
987     return ossl_ssl_connection_new_int(ctx, NULL, ctx->method);
988 }
989 
SSL_is_dtls(const SSL * s)990 int SSL_is_dtls(const SSL *s)
991 {
992     SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
993 
994 #ifndef OPENSSL_NO_QUIC
995     if (s->type == SSL_TYPE_QUIC_CONNECTION || s->type == SSL_TYPE_QUIC_XSO)
996         return 0;
997 #endif
998 
999     if (sc == NULL)
1000         return 0;
1001 
1002     return SSL_CONNECTION_IS_DTLS(sc) ? 1 : 0;
1003 }
1004 
SSL_is_tls(const SSL * s)1005 int SSL_is_tls(const SSL *s)
1006 {
1007     SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
1008 
1009 #ifndef OPENSSL_NO_QUIC
1010     if (s->type == SSL_TYPE_QUIC_CONNECTION || s->type == SSL_TYPE_QUIC_XSO)
1011         return 0;
1012 #endif
1013 
1014     if (sc == NULL)
1015         return 0;
1016 
1017     return SSL_CONNECTION_IS_DTLS(sc) ? 0 : 1;
1018 }
1019 
SSL_is_quic(const SSL * s)1020 int SSL_is_quic(const SSL *s)
1021 {
1022     return IS_QUIC(s);
1023 }
1024 
SSL_up_ref(SSL * s)1025 int SSL_up_ref(SSL *s)
1026 {
1027     int i;
1028 
1029     if (CRYPTO_UP_REF(&s->references, &i) <= 0)
1030         return 0;
1031 
1032     REF_PRINT_COUNT("SSL", i, s);
1033     REF_ASSERT_ISNT(i < 2);
1034     return ((i > 1) ? 1 : 0);
1035 }
1036 
SSL_CTX_set_session_id_context(SSL_CTX * ctx,const unsigned char * sid_ctx,unsigned int sid_ctx_len)1037 int SSL_CTX_set_session_id_context(SSL_CTX *ctx, const unsigned char *sid_ctx,
1038                                    unsigned int sid_ctx_len)
1039 {
1040     if (sid_ctx_len > SSL_MAX_SID_CTX_LENGTH) {
1041         ERR_raise(ERR_LIB_SSL, SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG);
1042         return 0;
1043     }
1044     ctx->sid_ctx_length = sid_ctx_len;
1045     memcpy(ctx->sid_ctx, sid_ctx, sid_ctx_len);
1046 
1047     return 1;
1048 }
1049 
SSL_set_session_id_context(SSL * ssl,const unsigned char * sid_ctx,unsigned int sid_ctx_len)1050 int SSL_set_session_id_context(SSL *ssl, const unsigned char *sid_ctx,
1051                                unsigned int sid_ctx_len)
1052 {
1053     SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(ssl);
1054 
1055     if (sc == NULL)
1056         return 0;
1057 
1058     if (sid_ctx_len > SSL_MAX_SID_CTX_LENGTH) {
1059         ERR_raise(ERR_LIB_SSL, SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG);
1060         return 0;
1061     }
1062     sc->sid_ctx_length = sid_ctx_len;
1063     memcpy(sc->sid_ctx, sid_ctx, sid_ctx_len);
1064 
1065     return 1;
1066 }
1067 
SSL_CTX_set_generate_session_id(SSL_CTX * ctx,GEN_SESSION_CB cb)1068 int SSL_CTX_set_generate_session_id(SSL_CTX *ctx, GEN_SESSION_CB cb)
1069 {
1070     if (!CRYPTO_THREAD_write_lock(ctx->lock))
1071         return 0;
1072     ctx->generate_session_id = cb;
1073     CRYPTO_THREAD_unlock(ctx->lock);
1074     return 1;
1075 }
1076 
SSL_set_generate_session_id(SSL * ssl,GEN_SESSION_CB cb)1077 int SSL_set_generate_session_id(SSL *ssl, GEN_SESSION_CB cb)
1078 {
1079     SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(ssl);
1080 
1081     if (sc == NULL || !CRYPTO_THREAD_write_lock(ssl->lock))
1082         return 0;
1083     sc->generate_session_id = cb;
1084     CRYPTO_THREAD_unlock(ssl->lock);
1085     return 1;
1086 }
1087 
SSL_has_matching_session_id(const SSL * ssl,const unsigned char * id,unsigned int id_len)1088 int SSL_has_matching_session_id(const SSL *ssl, const unsigned char *id,
1089                                 unsigned int id_len)
1090 {
1091     /*
1092      * A quick examination of SSL_SESSION_hash and SSL_SESSION_cmp shows how
1093      * we can "construct" a session to give us the desired check - i.e. to
1094      * find if there's a session in the hash table that would conflict with
1095      * any new session built out of this id/id_len and the ssl_version in use
1096      * by this SSL.
1097      */
1098     SSL_SESSION r, *p;
1099     const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(ssl);
1100 
1101     if (sc == NULL || id_len > sizeof(r.session_id))
1102         return 0;
1103 
1104     r.ssl_version = sc->version;
1105     r.session_id_length = id_len;
1106     memcpy(r.session_id, id, id_len);
1107 
1108     if (!CRYPTO_THREAD_read_lock(sc->session_ctx->lock))
1109         return 0;
1110     p = lh_SSL_SESSION_retrieve(sc->session_ctx->sessions, &r);
1111     CRYPTO_THREAD_unlock(sc->session_ctx->lock);
1112     return (p != NULL);
1113 }
1114 
SSL_CTX_set_purpose(SSL_CTX * s,int purpose)1115 int SSL_CTX_set_purpose(SSL_CTX *s, int purpose)
1116 {
1117     return X509_VERIFY_PARAM_set_purpose(s->param, purpose);
1118 }
1119 
SSL_set_purpose(SSL * s,int purpose)1120 int SSL_set_purpose(SSL *s, int purpose)
1121 {
1122     SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
1123 
1124     if (sc == NULL)
1125         return 0;
1126 
1127     return X509_VERIFY_PARAM_set_purpose(sc->param, purpose);
1128 }
1129 
SSL_CTX_set_trust(SSL_CTX * s,int trust)1130 int SSL_CTX_set_trust(SSL_CTX *s, int trust)
1131 {
1132     return X509_VERIFY_PARAM_set_trust(s->param, trust);
1133 }
1134 
SSL_set_trust(SSL * s,int trust)1135 int SSL_set_trust(SSL *s, int trust)
1136 {
1137     SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
1138 
1139     if (sc == NULL)
1140         return 0;
1141 
1142     return X509_VERIFY_PARAM_set_trust(sc->param, trust);
1143 }
1144 
SSL_set1_host(SSL * s,const char * host)1145 int SSL_set1_host(SSL *s, const char *host)
1146 {
1147     SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
1148 
1149     if (sc == NULL)
1150         return 0;
1151 
1152     /* clear hostname(s) and IP address in any case, also if host parses as an IP address */
1153     (void)X509_VERIFY_PARAM_set1_host(sc->param, NULL, 0);
1154     (void)X509_VERIFY_PARAM_set1_ip(sc->param, NULL, 0);
1155     if (host == NULL)
1156         return 1;
1157 
1158     /* If a host is provided and parses as an IP address, treat it as such. */
1159     return X509_VERIFY_PARAM_set1_ip_asc(sc->param, host)
1160         || X509_VERIFY_PARAM_set1_host(sc->param, host, 0);
1161 }
1162 
SSL_add1_host(SSL * s,const char * host)1163 int SSL_add1_host(SSL *s, const char *host)
1164 {
1165     SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
1166 
1167     if (sc == NULL)
1168         return 0;
1169 
1170     /* If a host is provided and parses as an IP address, treat it as such. */
1171     if (host != NULL) {
1172         ASN1_OCTET_STRING *ip;
1173         char *old_ip;
1174 
1175         ip = a2i_IPADDRESS(host);
1176         if (ip != NULL) {
1177             /* We didn't want it; only to check if it *is* an IP address */
1178             ASN1_OCTET_STRING_free(ip);
1179 
1180             old_ip = X509_VERIFY_PARAM_get1_ip_asc(sc->param);
1181             if (old_ip != NULL) {
1182                 OPENSSL_free(old_ip);
1183                 /* There can be only one IP address */
1184                 ERR_raise_data(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT,
1185                                "IP address was already set");
1186                 return 0;
1187             }
1188 
1189             return X509_VERIFY_PARAM_set1_ip_asc(sc->param, host);
1190         }
1191     }
1192 
1193     return X509_VERIFY_PARAM_add1_host(sc->param, host, 0);
1194 }
1195 
SSL_set_hostflags(SSL * s,unsigned int flags)1196 void SSL_set_hostflags(SSL *s, unsigned int flags)
1197 {
1198     SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
1199 
1200     if (sc == NULL)
1201         return;
1202 
1203     X509_VERIFY_PARAM_set_hostflags(sc->param, flags);
1204 }
1205 
SSL_get0_peername(SSL * s)1206 const char *SSL_get0_peername(SSL *s)
1207 {
1208     SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
1209 
1210     if (sc == NULL)
1211         return NULL;
1212 
1213     return X509_VERIFY_PARAM_get0_peername(sc->param);
1214 }
1215 
SSL_CTX_dane_enable(SSL_CTX * ctx)1216 int SSL_CTX_dane_enable(SSL_CTX *ctx)
1217 {
1218     return dane_ctx_enable(&ctx->dane);
1219 }
1220 
SSL_CTX_dane_set_flags(SSL_CTX * ctx,unsigned long flags)1221 unsigned long SSL_CTX_dane_set_flags(SSL_CTX *ctx, unsigned long flags)
1222 {
1223     unsigned long orig = ctx->dane.flags;
1224 
1225     ctx->dane.flags |= flags;
1226     return orig;
1227 }
1228 
SSL_CTX_dane_clear_flags(SSL_CTX * ctx,unsigned long flags)1229 unsigned long SSL_CTX_dane_clear_flags(SSL_CTX *ctx, unsigned long flags)
1230 {
1231     unsigned long orig = ctx->dane.flags;
1232 
1233     ctx->dane.flags &= ~flags;
1234     return orig;
1235 }
1236 
SSL_dane_enable(SSL * s,const char * basedomain)1237 int SSL_dane_enable(SSL *s, const char *basedomain)
1238 {
1239     SSL_DANE *dane;
1240     SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
1241 
1242     if (sc == NULL)
1243         return 0;
1244 
1245     dane = &sc->dane;
1246     if (s->ctx->dane.mdmax == 0) {
1247         ERR_raise(ERR_LIB_SSL, SSL_R_CONTEXT_NOT_DANE_ENABLED);
1248         return 0;
1249     }
1250     if (dane->trecs != NULL) {
1251         ERR_raise(ERR_LIB_SSL, SSL_R_DANE_ALREADY_ENABLED);
1252         return 0;
1253     }
1254 
1255     /*
1256      * Default SNI name.  This rejects empty names, while set1_host below
1257      * accepts them and disables hostname checks.  To avoid side-effects with
1258      * invalid input, set the SNI name first.
1259      */
1260     if (sc->ext.hostname == NULL) {
1261         if (!SSL_set_tlsext_host_name(s, basedomain)) {
1262             ERR_raise(ERR_LIB_SSL, SSL_R_ERROR_SETTING_TLSA_BASE_DOMAIN);
1263             return -1;
1264         }
1265     }
1266 
1267     /* Primary RFC6125 reference identifier */
1268     if (!X509_VERIFY_PARAM_set1_host(sc->param, basedomain, 0)) {
1269         ERR_raise(ERR_LIB_SSL, SSL_R_ERROR_SETTING_TLSA_BASE_DOMAIN);
1270         return -1;
1271     }
1272 
1273     dane->mdpth = -1;
1274     dane->pdpth = -1;
1275     dane->dctx = &s->ctx->dane;
1276     dane->trecs = sk_danetls_record_new_null();
1277 
1278     if (dane->trecs == NULL) {
1279         ERR_raise(ERR_LIB_SSL, ERR_R_CRYPTO_LIB);
1280         return -1;
1281     }
1282     return 1;
1283 }
1284 
SSL_dane_set_flags(SSL * ssl,unsigned long flags)1285 unsigned long SSL_dane_set_flags(SSL *ssl, unsigned long flags)
1286 {
1287     unsigned long orig;
1288     SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(ssl);
1289 
1290     if (sc == NULL)
1291         return 0;
1292 
1293     orig = sc->dane.flags;
1294 
1295     sc->dane.flags |= flags;
1296     return orig;
1297 }
1298 
SSL_dane_clear_flags(SSL * ssl,unsigned long flags)1299 unsigned long SSL_dane_clear_flags(SSL *ssl, unsigned long flags)
1300 {
1301     unsigned long orig;
1302     SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(ssl);
1303 
1304     if (sc == NULL)
1305         return 0;
1306 
1307     orig = sc->dane.flags;
1308 
1309     sc->dane.flags &= ~flags;
1310     return orig;
1311 }
1312 
SSL_get0_dane_authority(SSL * s,X509 ** mcert,EVP_PKEY ** mspki)1313 int SSL_get0_dane_authority(SSL *s, X509 **mcert, EVP_PKEY **mspki)
1314 {
1315     SSL_DANE *dane;
1316     SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
1317 
1318     if (sc == NULL)
1319         return -1;
1320 
1321     dane = &sc->dane;
1322 
1323     if (!DANETLS_ENABLED(dane) || sc->verify_result != X509_V_OK)
1324         return -1;
1325     if (dane->mtlsa) {
1326         if (mcert)
1327             *mcert = dane->mcert;
1328         if (mspki)
1329             *mspki = (dane->mcert == NULL) ? dane->mtlsa->spki : NULL;
1330     }
1331     return dane->mdpth;
1332 }
1333 
SSL_get0_dane_tlsa(SSL * s,uint8_t * usage,uint8_t * selector,uint8_t * mtype,const unsigned char ** data,size_t * dlen)1334 int SSL_get0_dane_tlsa(SSL *s, uint8_t *usage, uint8_t *selector,
1335                        uint8_t *mtype, const unsigned char **data, size_t *dlen)
1336 {
1337     SSL_DANE *dane;
1338     SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
1339 
1340     if (sc == NULL)
1341         return -1;
1342 
1343     dane = &sc->dane;
1344 
1345     if (!DANETLS_ENABLED(dane) || sc->verify_result != X509_V_OK)
1346         return -1;
1347     if (dane->mtlsa) {
1348         if (usage)
1349             *usage = dane->mtlsa->usage;
1350         if (selector)
1351             *selector = dane->mtlsa->selector;
1352         if (mtype)
1353             *mtype = dane->mtlsa->mtype;
1354         if (data)
1355             *data = dane->mtlsa->data;
1356         if (dlen)
1357             *dlen = dane->mtlsa->dlen;
1358     }
1359     return dane->mdpth;
1360 }
1361 
SSL_get0_dane(SSL * s)1362 SSL_DANE *SSL_get0_dane(SSL *s)
1363 {
1364     SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
1365 
1366     if (sc == NULL)
1367         return NULL;
1368 
1369     return &sc->dane;
1370 }
1371 
SSL_dane_tlsa_add(SSL * s,uint8_t usage,uint8_t selector,uint8_t mtype,const unsigned char * data,size_t dlen)1372 int SSL_dane_tlsa_add(SSL *s, uint8_t usage, uint8_t selector,
1373                       uint8_t mtype, const unsigned char *data, size_t dlen)
1374 {
1375     SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
1376 
1377     if (sc == NULL)
1378         return 0;
1379 
1380     return dane_tlsa_add(&sc->dane, usage, selector, mtype, data, dlen);
1381 }
1382 
SSL_CTX_dane_mtype_set(SSL_CTX * ctx,const EVP_MD * md,uint8_t mtype,uint8_t ord)1383 int SSL_CTX_dane_mtype_set(SSL_CTX *ctx, const EVP_MD *md, uint8_t mtype,
1384                            uint8_t ord)
1385 {
1386     return dane_mtype_set(&ctx->dane, md, mtype, ord);
1387 }
1388 
SSL_CTX_set1_param(SSL_CTX * ctx,X509_VERIFY_PARAM * vpm)1389 int SSL_CTX_set1_param(SSL_CTX *ctx, X509_VERIFY_PARAM *vpm)
1390 {
1391     return X509_VERIFY_PARAM_set1(ctx->param, vpm);
1392 }
1393 
SSL_set1_param(SSL * ssl,X509_VERIFY_PARAM * vpm)1394 int SSL_set1_param(SSL *ssl, X509_VERIFY_PARAM *vpm)
1395 {
1396     SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(ssl);
1397 
1398     if (sc == NULL)
1399         return 0;
1400 
1401     return X509_VERIFY_PARAM_set1(sc->param, vpm);
1402 }
1403 
SSL_CTX_get0_param(SSL_CTX * ctx)1404 X509_VERIFY_PARAM *SSL_CTX_get0_param(SSL_CTX *ctx)
1405 {
1406     return ctx->param;
1407 }
1408 
SSL_get0_param(SSL * ssl)1409 X509_VERIFY_PARAM *SSL_get0_param(SSL *ssl)
1410 {
1411     SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(ssl);
1412 
1413     if (sc == NULL)
1414         return NULL;
1415 
1416     return sc->param;
1417 }
1418 
SSL_certs_clear(SSL * s)1419 void SSL_certs_clear(SSL *s)
1420 {
1421     SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
1422 
1423     if (sc == NULL)
1424         return;
1425 
1426     ssl_cert_clear_certs(sc->cert);
1427 }
1428 
SSL_free(SSL * s)1429 void SSL_free(SSL *s)
1430 {
1431     int i;
1432 
1433     if (s == NULL)
1434         return;
1435     CRYPTO_DOWN_REF(&s->references, &i);
1436     REF_PRINT_COUNT("SSL", i, s);
1437     if (i > 0)
1438         return;
1439     REF_ASSERT_ISNT(i < 0);
1440 
1441     if (s->method != NULL)
1442         s->method->ssl_free(s);
1443 
1444     CRYPTO_free_ex_data(CRYPTO_EX_INDEX_SSL, s, &s->ex_data);
1445     SSL_CTX_free(s->ctx);
1446     CRYPTO_THREAD_lock_free(s->lock);
1447     CRYPTO_FREE_REF(&s->references);
1448 
1449     OPENSSL_free(s);
1450 }
1451 
ossl_ssl_connection_free(SSL * ssl)1452 void ossl_ssl_connection_free(SSL *ssl)
1453 {
1454     SSL_CONNECTION *s;
1455 
1456     s = SSL_CONNECTION_FROM_SSL_ONLY(ssl);
1457     if (s == NULL)
1458         return;
1459 
1460     /*
1461      * Ignore return values. This could result in user callbacks being called
1462      * e.g. for the QUIC TLS record layer. So we do this early before we have
1463      * freed other things.
1464      */
1465     ssl_free_wbio_buffer(s);
1466     RECORD_LAYER_clear(&s->rlayer);
1467 
1468     X509_VERIFY_PARAM_free(s->param);
1469     dane_final(&s->dane);
1470 
1471     BUF_MEM_free(s->init_buf);
1472 
1473     /* add extra stuff */
1474     sk_SSL_CIPHER_free(s->cipher_list);
1475     sk_SSL_CIPHER_free(s->cipher_list_by_id);
1476     sk_SSL_CIPHER_free(s->tls13_ciphersuites);
1477     sk_SSL_CIPHER_free(s->peer_ciphers);
1478 
1479     /* Make the next call work :-) */
1480     if (s->session != NULL) {
1481         ssl_clear_bad_session(s);
1482         SSL_SESSION_free(s->session);
1483     }
1484     SSL_SESSION_free(s->psksession);
1485     OPENSSL_free(s->psksession_id);
1486 
1487     ssl_cert_free(s->cert);
1488     OPENSSL_free(s->shared_sigalgs);
1489     /* Free up if allocated */
1490 
1491     OPENSSL_free(s->ext.hostname);
1492     SSL_CTX_free(s->session_ctx);
1493     OPENSSL_free(s->ext.ecpointformats);
1494     OPENSSL_free(s->ext.peer_ecpointformats);
1495     OPENSSL_free(s->ext.supportedgroups);
1496     OPENSSL_free(s->ext.keyshares);
1497     OPENSSL_free(s->ext.tuples);
1498     OPENSSL_free(s->ext.peer_supportedgroups);
1499     sk_X509_EXTENSION_pop_free(s->ext.ocsp.exts, X509_EXTENSION_free);
1500 #ifndef OPENSSL_NO_OCSP
1501     sk_OCSP_RESPID_pop_free(s->ext.ocsp.ids, OCSP_RESPID_free);
1502 #endif
1503 #ifndef OPENSSL_NO_CT
1504     SCT_LIST_free(s->scts);
1505     OPENSSL_free(s->ext.scts);
1506 #endif
1507     OPENSSL_free(s->ext.ocsp.resp);
1508     OPENSSL_free(s->ext.alpn);
1509     OPENSSL_free(s->ext.tls13_cookie);
1510     if (s->clienthello != NULL)
1511         OPENSSL_free(s->clienthello->pre_proc_exts);
1512     OPENSSL_free(s->clienthello);
1513     OPENSSL_free(s->pha_context);
1514     EVP_MD_CTX_free(s->pha_dgst);
1515 
1516     sk_X509_NAME_pop_free(s->ca_names, X509_NAME_free);
1517     sk_X509_NAME_pop_free(s->client_ca_names, X509_NAME_free);
1518 
1519     OPENSSL_free(s->client_cert_type);
1520     OPENSSL_free(s->server_cert_type);
1521 
1522     OSSL_STACK_OF_X509_free(s->verified_chain);
1523 
1524     if (ssl->method != NULL)
1525         ssl->method->ssl_deinit(ssl);
1526 
1527     ASYNC_WAIT_CTX_free(s->waitctx);
1528 
1529 #if !defined(OPENSSL_NO_NEXTPROTONEG)
1530     OPENSSL_free(s->ext.npn);
1531 #endif
1532 
1533 #ifndef OPENSSL_NO_SRTP
1534     sk_SRTP_PROTECTION_PROFILE_free(s->srtp_profiles);
1535 #endif
1536 
1537     /*
1538      * We do this late. We want to ensure that any other references we held to
1539      * these BIOs are freed first *before* we call BIO_free_all(), because
1540      * BIO_free_all() will only free each BIO in the chain if the number of
1541      * references to the first BIO have dropped to 0
1542      */
1543     BIO_free_all(s->wbio);
1544     s->wbio = NULL;
1545     BIO_free_all(s->rbio);
1546     s->rbio = NULL;
1547     OPENSSL_free(s->s3.tmp.valid_flags);
1548 }
1549 
SSL_set0_rbio(SSL * s,BIO * rbio)1550 void SSL_set0_rbio(SSL *s, BIO *rbio)
1551 {
1552     SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
1553 
1554 #ifndef OPENSSL_NO_QUIC
1555     if (IS_QUIC(s)) {
1556         ossl_quic_conn_set0_net_rbio(s, rbio);
1557         return;
1558     }
1559 #endif
1560 
1561     if (sc == NULL)
1562         return;
1563 
1564     BIO_free_all(sc->rbio);
1565     sc->rbio = rbio;
1566     sc->rlayer.rrlmethod->set1_bio(sc->rlayer.rrl, sc->rbio);
1567 }
1568 
SSL_set0_wbio(SSL * s,BIO * wbio)1569 void SSL_set0_wbio(SSL *s, BIO *wbio)
1570 {
1571     SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
1572 
1573 #ifndef OPENSSL_NO_QUIC
1574     if (IS_QUIC(s)) {
1575         ossl_quic_conn_set0_net_wbio(s, wbio);
1576         return;
1577     }
1578 #endif
1579 
1580     if (sc == NULL)
1581         return;
1582 
1583     /*
1584      * If the output buffering BIO is still in place, remove it
1585      */
1586     if (sc->bbio != NULL)
1587         sc->wbio = BIO_pop(sc->wbio);
1588 
1589     BIO_free_all(sc->wbio);
1590     sc->wbio = wbio;
1591 
1592     /* Re-attach |bbio| to the new |wbio|. */
1593     if (sc->bbio != NULL)
1594         sc->wbio = BIO_push(sc->bbio, sc->wbio);
1595 
1596     sc->rlayer.wrlmethod->set1_bio(sc->rlayer.wrl, sc->wbio);
1597 }
1598 
SSL_set_bio(SSL * s,BIO * rbio,BIO * wbio)1599 void SSL_set_bio(SSL *s, BIO *rbio, BIO *wbio)
1600 {
1601     /*
1602      * For historical reasons, this function has many different cases in
1603      * ownership handling.
1604      */
1605 
1606     /* If nothing has changed, do nothing */
1607     if (rbio == SSL_get_rbio(s) && wbio == SSL_get_wbio(s))
1608         return;
1609 
1610     /*
1611      * If the two arguments are equal then one fewer reference is granted by the
1612      * caller than we want to take
1613      */
1614     if (rbio != NULL && rbio == wbio) {
1615         if (!BIO_up_ref(rbio))
1616             return;
1617     }
1618 
1619     /*
1620      * If only the wbio is changed only adopt one reference.
1621      */
1622     if (rbio == SSL_get_rbio(s)) {
1623         SSL_set0_wbio(s, wbio);
1624         return;
1625     }
1626     /*
1627      * There is an asymmetry here for historical reasons. If only the rbio is
1628      * changed AND the rbio and wbio were originally different, then we only
1629      * adopt one reference.
1630      */
1631     if (wbio == SSL_get_wbio(s) && SSL_get_rbio(s) != SSL_get_wbio(s)) {
1632         SSL_set0_rbio(s, rbio);
1633         return;
1634     }
1635 
1636     /* Otherwise, adopt both references. */
1637     SSL_set0_rbio(s, rbio);
1638     SSL_set0_wbio(s, wbio);
1639 }
1640 
SSL_get_rbio(const SSL * s)1641 BIO *SSL_get_rbio(const SSL *s)
1642 {
1643     const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
1644 
1645 #ifndef OPENSSL_NO_QUIC
1646     if (IS_QUIC(s))
1647         return ossl_quic_conn_get_net_rbio(s);
1648 #endif
1649 
1650     if (sc == NULL)
1651         return NULL;
1652 
1653     return sc->rbio;
1654 }
1655 
SSL_get_wbio(const SSL * s)1656 BIO *SSL_get_wbio(const SSL *s)
1657 {
1658     const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
1659 
1660 #ifndef OPENSSL_NO_QUIC
1661     if (IS_QUIC(s))
1662         return ossl_quic_conn_get_net_wbio(s);
1663 #endif
1664 
1665     if (sc == NULL)
1666         return NULL;
1667 
1668     if (sc->bbio != NULL) {
1669         /*
1670          * If |bbio| is active, the true caller-configured BIO is its
1671          * |next_bio|.
1672          */
1673         return BIO_next(sc->bbio);
1674     }
1675     return sc->wbio;
1676 }
1677 
SSL_get_fd(const SSL * s)1678 int SSL_get_fd(const SSL *s)
1679 {
1680     return SSL_get_rfd(s);
1681 }
1682 
SSL_get_rfd(const SSL * s)1683 int SSL_get_rfd(const SSL *s)
1684 {
1685     int ret = -1;
1686     BIO *b, *r;
1687 
1688     b = SSL_get_rbio(s);
1689     r = BIO_find_type(b, BIO_TYPE_DESCRIPTOR);
1690     if (r != NULL)
1691         BIO_get_fd(r, &ret);
1692     return ret;
1693 }
1694 
SSL_get_wfd(const SSL * s)1695 int SSL_get_wfd(const SSL *s)
1696 {
1697     int ret = -1;
1698     BIO *b, *r;
1699 
1700     b = SSL_get_wbio(s);
1701     r = BIO_find_type(b, BIO_TYPE_DESCRIPTOR);
1702     if (r != NULL)
1703         BIO_get_fd(r, &ret);
1704     return ret;
1705 }
1706 
1707 #ifndef OPENSSL_NO_SOCK
fd_method(SSL * s)1708 static const BIO_METHOD *fd_method(SSL *s)
1709 {
1710 #ifndef OPENSSL_NO_DGRAM
1711     if (IS_QUIC(s))
1712         return BIO_s_datagram();
1713 #endif
1714 
1715     return BIO_s_socket();
1716 }
1717 
SSL_set_fd(SSL * s,int fd)1718 int SSL_set_fd(SSL *s, int fd)
1719 {
1720     int ret = 0;
1721     BIO *bio = NULL;
1722 
1723     if (s->type == SSL_TYPE_QUIC_XSO) {
1724         ERR_raise(ERR_LIB_SSL, SSL_R_CONN_USE_ONLY);
1725         goto err;
1726     }
1727 
1728     bio = BIO_new(fd_method(s));
1729 
1730     if (bio == NULL) {
1731         ERR_raise(ERR_LIB_SSL, ERR_R_BUF_LIB);
1732         goto err;
1733     }
1734     BIO_set_fd(bio, fd, BIO_NOCLOSE);
1735     SSL_set_bio(s, bio, bio);
1736 #ifndef OPENSSL_NO_KTLS
1737     /*
1738      * The new socket is created successfully regardless of ktls_enable.
1739      * ktls_enable doesn't change any functionality of the socket, except
1740      * changing the setsockopt to enable the processing of ktls_start.
1741      * Thus, it is not a problem to call it for non-TLS sockets.
1742      */
1743     ktls_enable(fd);
1744 #endif /* OPENSSL_NO_KTLS */
1745     ret = 1;
1746  err:
1747     return ret;
1748 }
1749 
SSL_set_wfd(SSL * s,int fd)1750 int SSL_set_wfd(SSL *s, int fd)
1751 {
1752     BIO *rbio = SSL_get_rbio(s);
1753     int desired_type = IS_QUIC(s) ? BIO_TYPE_DGRAM : BIO_TYPE_SOCKET;
1754 
1755     if (s->type == SSL_TYPE_QUIC_XSO) {
1756         ERR_raise(ERR_LIB_SSL, SSL_R_CONN_USE_ONLY);
1757         return 0;
1758     }
1759 
1760     if (rbio == NULL || BIO_method_type(rbio) != desired_type
1761         || (int)BIO_get_fd(rbio, NULL) != fd) {
1762         BIO *bio = BIO_new(fd_method(s));
1763 
1764         if (bio == NULL) {
1765             ERR_raise(ERR_LIB_SSL, ERR_R_BUF_LIB);
1766             return 0;
1767         }
1768         BIO_set_fd(bio, fd, BIO_NOCLOSE);
1769         SSL_set0_wbio(s, bio);
1770 #ifndef OPENSSL_NO_KTLS
1771         /*
1772          * The new socket is created successfully regardless of ktls_enable.
1773          * ktls_enable doesn't change any functionality of the socket, except
1774          * changing the setsockopt to enable the processing of ktls_start.
1775          * Thus, it is not a problem to call it for non-TLS sockets.
1776          */
1777         ktls_enable(fd);
1778 #endif /* OPENSSL_NO_KTLS */
1779     } else {
1780         if (!BIO_up_ref(rbio))
1781             return 0;
1782         SSL_set0_wbio(s, rbio);
1783     }
1784     return 1;
1785 }
1786 
SSL_set_rfd(SSL * s,int fd)1787 int SSL_set_rfd(SSL *s, int fd)
1788 {
1789     BIO *wbio = SSL_get_wbio(s);
1790     int desired_type = IS_QUIC(s) ? BIO_TYPE_DGRAM : BIO_TYPE_SOCKET;
1791 
1792     if (s->type == SSL_TYPE_QUIC_XSO) {
1793         ERR_raise(ERR_LIB_SSL, SSL_R_CONN_USE_ONLY);
1794         return 0;
1795     }
1796 
1797     if (wbio == NULL || BIO_method_type(wbio) != desired_type
1798         || ((int)BIO_get_fd(wbio, NULL) != fd)) {
1799         BIO *bio = BIO_new(fd_method(s));
1800 
1801         if (bio == NULL) {
1802             ERR_raise(ERR_LIB_SSL, ERR_R_BUF_LIB);
1803             return 0;
1804         }
1805         BIO_set_fd(bio, fd, BIO_NOCLOSE);
1806         SSL_set0_rbio(s, bio);
1807     } else {
1808         if (!BIO_up_ref(wbio))
1809             return 0;
1810         SSL_set0_rbio(s, wbio);
1811     }
1812 
1813     return 1;
1814 }
1815 #endif
1816 
1817 /* return length of latest Finished message we sent, copy to 'buf' */
SSL_get_finished(const SSL * s,void * buf,size_t count)1818 size_t SSL_get_finished(const SSL *s, void *buf, size_t count)
1819 {
1820     size_t ret = 0;
1821     const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
1822 
1823     if (sc == NULL)
1824         return 0;
1825 
1826     ret = sc->s3.tmp.finish_md_len;
1827     if (count > ret)
1828         count = ret;
1829     memcpy(buf, sc->s3.tmp.finish_md, count);
1830     return ret;
1831 }
1832 
1833 /* return length of latest Finished message we expected, copy to 'buf' */
SSL_get_peer_finished(const SSL * s,void * buf,size_t count)1834 size_t SSL_get_peer_finished(const SSL *s, void *buf, size_t count)
1835 {
1836     size_t ret = 0;
1837     const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
1838 
1839     if (sc == NULL)
1840         return 0;
1841 
1842     ret = sc->s3.tmp.peer_finish_md_len;
1843     if (count > ret)
1844         count = ret;
1845     memcpy(buf, sc->s3.tmp.peer_finish_md, count);
1846     return ret;
1847 }
1848 
SSL_get_verify_mode(const SSL * s)1849 int SSL_get_verify_mode(const SSL *s)
1850 {
1851     const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
1852 
1853     if (sc == NULL)
1854         return 0;
1855 
1856     return sc->verify_mode;
1857 }
1858 
SSL_get_verify_depth(const SSL * s)1859 int SSL_get_verify_depth(const SSL *s)
1860 {
1861     const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
1862 
1863     if (sc == NULL)
1864         return 0;
1865 
1866     return X509_VERIFY_PARAM_get_depth(sc->param);
1867 }
1868 
SSL_get_verify_callback(const SSL * s)1869 int (*SSL_get_verify_callback(const SSL *s)) (int, X509_STORE_CTX *) {
1870     const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
1871 
1872     if (sc == NULL)
1873         return NULL;
1874 
1875     return sc->verify_callback;
1876 }
1877 
SSL_CTX_get_verify_mode(const SSL_CTX * ctx)1878 int SSL_CTX_get_verify_mode(const SSL_CTX *ctx)
1879 {
1880     return ctx->verify_mode;
1881 }
1882 
SSL_CTX_get_verify_depth(const SSL_CTX * ctx)1883 int SSL_CTX_get_verify_depth(const SSL_CTX *ctx)
1884 {
1885     return X509_VERIFY_PARAM_get_depth(ctx->param);
1886 }
1887 
SSL_CTX_get_verify_callback(const SSL_CTX * ctx)1888 int (*SSL_CTX_get_verify_callback(const SSL_CTX *ctx)) (int, X509_STORE_CTX *) {
1889     return ctx->default_verify_callback;
1890 }
1891 
SSL_set_verify(SSL * s,int mode,int (* callback)(int ok,X509_STORE_CTX * ctx))1892 void SSL_set_verify(SSL *s, int mode,
1893                     int (*callback) (int ok, X509_STORE_CTX *ctx))
1894 {
1895     SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
1896 
1897     if (sc == NULL)
1898         return;
1899 
1900     sc->verify_mode = mode;
1901     if (callback != NULL)
1902         sc->verify_callback = callback;
1903 }
1904 
SSL_set_verify_depth(SSL * s,int depth)1905 void SSL_set_verify_depth(SSL *s, int depth)
1906 {
1907     SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
1908 
1909     if (sc == NULL)
1910         return;
1911 
1912     X509_VERIFY_PARAM_set_depth(sc->param, depth);
1913 }
1914 
SSL_set_read_ahead(SSL * s,int yes)1915 void SSL_set_read_ahead(SSL *s, int yes)
1916 {
1917     SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL_ONLY(s);
1918     OSSL_PARAM options[2], *opts = options;
1919 
1920     if (sc == NULL)
1921         return;
1922 
1923     RECORD_LAYER_set_read_ahead(&sc->rlayer, yes);
1924 
1925     *opts++ = OSSL_PARAM_construct_int(OSSL_LIBSSL_RECORD_LAYER_PARAM_READ_AHEAD,
1926                                        &sc->rlayer.read_ahead);
1927     *opts = OSSL_PARAM_construct_end();
1928 
1929     /* Ignore return value */
1930     sc->rlayer.rrlmethod->set_options(sc->rlayer.rrl, options);
1931 }
1932 
SSL_get_read_ahead(const SSL * s)1933 int SSL_get_read_ahead(const SSL *s)
1934 {
1935     const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL_ONLY(s);
1936 
1937     if (sc == NULL)
1938         return 0;
1939 
1940     return RECORD_LAYER_get_read_ahead(&sc->rlayer);
1941 }
1942 
SSL_pending(const SSL * s)1943 int SSL_pending(const SSL *s)
1944 {
1945     size_t pending = s->method->ssl_pending(s);
1946 
1947     /*
1948      * SSL_pending cannot work properly if read-ahead is enabled
1949      * (SSL_[CTX_]ctrl(..., SSL_CTRL_SET_READ_AHEAD, 1, NULL)), and it is
1950      * impossible to fix since SSL_pending cannot report errors that may be
1951      * observed while scanning the new data. (Note that SSL_pending() is
1952      * often used as a boolean value, so we'd better not return -1.)
1953      *
1954      * SSL_pending also cannot work properly if the value >INT_MAX. In that case
1955      * we just return INT_MAX.
1956      */
1957     return pending < INT_MAX ? (int)pending : INT_MAX;
1958 }
1959 
SSL_has_pending(const SSL * s)1960 int SSL_has_pending(const SSL *s)
1961 {
1962     /*
1963      * Similar to SSL_pending() but returns a 1 to indicate that we have
1964      * processed or unprocessed data available or 0 otherwise (as opposed to the
1965      * number of bytes available). Unlike SSL_pending() this will take into
1966      * account read_ahead data. A 1 return simply indicates that we have data.
1967      * That data may not result in any application data, or we may fail to parse
1968      * the records for some reason.
1969      */
1970     const SSL_CONNECTION *sc;
1971 
1972 #ifndef OPENSSL_NO_QUIC
1973     if (IS_QUIC(s))
1974         return ossl_quic_has_pending(s);
1975 #endif
1976 
1977     sc = SSL_CONNECTION_FROM_CONST_SSL(s);
1978 
1979     /* Check buffered app data if any first */
1980     if (SSL_CONNECTION_IS_DTLS(sc)) {
1981         TLS_RECORD *rdata;
1982         pitem *item, *iter;
1983 
1984         iter = pqueue_iterator(sc->rlayer.d->buffered_app_data);
1985         while ((item = pqueue_next(&iter)) != NULL) {
1986             rdata = item->data;
1987             if (rdata->length > 0)
1988                 return 1;
1989         }
1990     }
1991 
1992     if (RECORD_LAYER_processed_read_pending(&sc->rlayer))
1993         return 1;
1994 
1995     return RECORD_LAYER_read_pending(&sc->rlayer);
1996 }
1997 
SSL_get1_peer_certificate(const SSL * s)1998 X509 *SSL_get1_peer_certificate(const SSL *s)
1999 {
2000     X509 *r = SSL_get0_peer_certificate(s);
2001 
2002     if (r != NULL && !X509_up_ref(r))
2003         return NULL;
2004 
2005     return r;
2006 }
2007 
SSL_get0_peer_certificate(const SSL * s)2008 X509 *SSL_get0_peer_certificate(const SSL *s)
2009 {
2010     const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
2011 
2012     if (sc == NULL)
2013         return NULL;
2014 
2015     if (sc->session == NULL)
2016         return NULL;
2017     else
2018         return sc->session->peer;
2019 }
2020 
STACK_OF(X509)2021 STACK_OF(X509) *SSL_get_peer_cert_chain(const SSL *s)
2022 {
2023     STACK_OF(X509) *r;
2024     const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
2025 
2026     if (sc == NULL)
2027         return NULL;
2028 
2029     if (sc->session == NULL)
2030         r = NULL;
2031     else
2032         r = sc->session->peer_chain;
2033 
2034     /*
2035      * If we are a client, cert_chain includes the peer's own certificate; if
2036      * we are a server, it does not.
2037      */
2038 
2039     return r;
2040 }
2041 
2042 /*
2043  * Now in theory, since the calling process own 't' it should be safe to
2044  * modify.  We need to be able to read f without being hassled
2045  */
SSL_copy_session_id(SSL * t,const SSL * f)2046 int SSL_copy_session_id(SSL *t, const SSL *f)
2047 {
2048     int i;
2049     /* TODO(QUIC FUTURE): Not allowed for QUIC currently. */
2050     SSL_CONNECTION *tsc = SSL_CONNECTION_FROM_SSL_ONLY(t);
2051     const SSL_CONNECTION *fsc = SSL_CONNECTION_FROM_CONST_SSL_ONLY(f);
2052 
2053     if (tsc == NULL || fsc == NULL)
2054         return 0;
2055 
2056     /* Do we need to do SSL locking? */
2057     if (!SSL_set_session(t, SSL_get_session(f))) {
2058         return 0;
2059     }
2060 
2061     /*
2062      * what if we are setup for one protocol version but want to talk another
2063      */
2064     if (t->method != f->method) {
2065         t->method->ssl_deinit(t);
2066         t->method = f->method;
2067         if (t->method->ssl_init(t) == 0)
2068             return 0;
2069     }
2070 
2071     CRYPTO_UP_REF(&fsc->cert->references, &i);
2072     ssl_cert_free(tsc->cert);
2073     tsc->cert = fsc->cert;
2074     if (!SSL_set_session_id_context(t, fsc->sid_ctx, (int)fsc->sid_ctx_length)) {
2075         return 0;
2076     }
2077 
2078     return 1;
2079 }
2080 
2081 /* Fix this so it checks all the valid key/cert options */
SSL_CTX_check_private_key(const SSL_CTX * ctx)2082 int SSL_CTX_check_private_key(const SSL_CTX *ctx)
2083 {
2084     if ((ctx == NULL) || (ctx->cert->key->x509 == NULL)) {
2085         ERR_raise(ERR_LIB_SSL, SSL_R_NO_CERTIFICATE_ASSIGNED);
2086         return 0;
2087     }
2088     if (ctx->cert->key->privatekey == NULL) {
2089         ERR_raise(ERR_LIB_SSL, SSL_R_NO_PRIVATE_KEY_ASSIGNED);
2090         return 0;
2091     }
2092     return X509_check_private_key
2093             (ctx->cert->key->x509, ctx->cert->key->privatekey);
2094 }
2095 
2096 /* Fix this function so that it takes an optional type parameter */
SSL_check_private_key(const SSL * ssl)2097 int SSL_check_private_key(const SSL *ssl)
2098 {
2099     const SSL_CONNECTION *sc;
2100 
2101     if ((sc = SSL_CONNECTION_FROM_CONST_SSL(ssl)) == NULL) {
2102         ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_NULL_PARAMETER);
2103         return 0;
2104     }
2105     if (sc->cert->key->x509 == NULL) {
2106         ERR_raise(ERR_LIB_SSL, SSL_R_NO_CERTIFICATE_ASSIGNED);
2107         return 0;
2108     }
2109     if (sc->cert->key->privatekey == NULL) {
2110         ERR_raise(ERR_LIB_SSL, SSL_R_NO_PRIVATE_KEY_ASSIGNED);
2111         return 0;
2112     }
2113     return X509_check_private_key(sc->cert->key->x509,
2114                                    sc->cert->key->privatekey);
2115 }
2116 
SSL_waiting_for_async(SSL * s)2117 int SSL_waiting_for_async(SSL *s)
2118 {
2119     SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
2120 
2121     if (sc == NULL)
2122         return 0;
2123 
2124     if (sc->job)
2125         return 1;
2126 
2127     return 0;
2128 }
2129 
SSL_get_all_async_fds(SSL * s,OSSL_ASYNC_FD * fds,size_t * numfds)2130 int SSL_get_all_async_fds(SSL *s, OSSL_ASYNC_FD *fds, size_t *numfds)
2131 {
2132     ASYNC_WAIT_CTX *ctx;
2133     SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
2134 
2135     if (sc == NULL)
2136         return 0;
2137 
2138     if ((ctx = sc->waitctx) == NULL)
2139         return 0;
2140     return ASYNC_WAIT_CTX_get_all_fds(ctx, fds, numfds);
2141 }
2142 
SSL_get_changed_async_fds(SSL * s,OSSL_ASYNC_FD * addfd,size_t * numaddfds,OSSL_ASYNC_FD * delfd,size_t * numdelfds)2143 int SSL_get_changed_async_fds(SSL *s, OSSL_ASYNC_FD *addfd, size_t *numaddfds,
2144                               OSSL_ASYNC_FD *delfd, size_t *numdelfds)
2145 {
2146     ASYNC_WAIT_CTX *ctx;
2147     SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
2148 
2149     if (sc == NULL)
2150         return 0;
2151 
2152     if ((ctx = sc->waitctx) == NULL)
2153         return 0;
2154     return ASYNC_WAIT_CTX_get_changed_fds(ctx, addfd, numaddfds, delfd,
2155                                           numdelfds);
2156 }
2157 
SSL_CTX_set_async_callback(SSL_CTX * ctx,SSL_async_callback_fn callback)2158 int SSL_CTX_set_async_callback(SSL_CTX *ctx, SSL_async_callback_fn callback)
2159 {
2160     ctx->async_cb = callback;
2161     return 1;
2162 }
2163 
SSL_CTX_set_async_callback_arg(SSL_CTX * ctx,void * arg)2164 int SSL_CTX_set_async_callback_arg(SSL_CTX *ctx, void *arg)
2165 {
2166     ctx->async_cb_arg = arg;
2167     return 1;
2168 }
2169 
SSL_set_async_callback(SSL * s,SSL_async_callback_fn callback)2170 int SSL_set_async_callback(SSL *s, SSL_async_callback_fn callback)
2171 {
2172     SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
2173 
2174     if (sc == NULL)
2175         return 0;
2176 
2177     sc->async_cb = callback;
2178     return 1;
2179 }
2180 
SSL_set_async_callback_arg(SSL * s,void * arg)2181 int SSL_set_async_callback_arg(SSL *s, void *arg)
2182 {
2183     SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
2184 
2185     if (sc == NULL)
2186         return 0;
2187 
2188     sc->async_cb_arg = arg;
2189     return 1;
2190 }
2191 
SSL_get_async_status(SSL * s,int * status)2192 int SSL_get_async_status(SSL *s, int *status)
2193 {
2194     ASYNC_WAIT_CTX *ctx;
2195     SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
2196 
2197     if (sc == NULL)
2198         return 0;
2199 
2200     if ((ctx = sc->waitctx) == NULL)
2201         return 0;
2202     *status = ASYNC_WAIT_CTX_get_status(ctx);
2203     return 1;
2204 }
2205 
SSL_accept(SSL * s)2206 int SSL_accept(SSL *s)
2207 {
2208     SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
2209 
2210 #ifndef OPENSSL_NO_QUIC
2211     if (IS_QUIC(s))
2212         return s->method->ssl_accept(s);
2213 #endif
2214 
2215     if (sc == NULL)
2216         return 0;
2217 
2218     if (sc->handshake_func == NULL) {
2219         /* Not properly initialized yet */
2220         SSL_set_accept_state(s);
2221     }
2222 
2223     return SSL_do_handshake(s);
2224 }
2225 
SSL_connect(SSL * s)2226 int SSL_connect(SSL *s)
2227 {
2228     SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
2229 
2230 #ifndef OPENSSL_NO_QUIC
2231     if (IS_QUIC(s))
2232         return s->method->ssl_connect(s);
2233 #endif
2234 
2235     if (sc == NULL)
2236         return 0;
2237 
2238     if (sc->handshake_func == NULL) {
2239         /* Not properly initialized yet */
2240         SSL_set_connect_state(s);
2241     }
2242 
2243     return SSL_do_handshake(s);
2244 }
2245 
SSL_get_default_timeout(const SSL * s)2246 long SSL_get_default_timeout(const SSL *s)
2247 {
2248     return (long int)ossl_time2seconds(s->method->get_timeout());
2249 }
2250 
ssl_async_wait_ctx_cb(void * arg)2251 static int ssl_async_wait_ctx_cb(void *arg)
2252 {
2253     SSL *s = (SSL *)arg;
2254     SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
2255 
2256     if (sc == NULL)
2257         return 0;
2258 
2259     return sc->async_cb(s, sc->async_cb_arg);
2260 }
2261 
ssl_start_async_job(SSL * s,struct ssl_async_args * args,int (* func)(void *))2262 static int ssl_start_async_job(SSL *s, struct ssl_async_args *args,
2263                                int (*func) (void *))
2264 {
2265     int ret;
2266     SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
2267 
2268     if (sc == NULL)
2269         return 0;
2270 
2271     if (sc->waitctx == NULL) {
2272         sc->waitctx = ASYNC_WAIT_CTX_new();
2273         if (sc->waitctx == NULL)
2274             return -1;
2275         if (sc->async_cb != NULL
2276             && !ASYNC_WAIT_CTX_set_callback
2277                  (sc->waitctx, ssl_async_wait_ctx_cb, s))
2278             return -1;
2279     }
2280 
2281     sc->rwstate = SSL_NOTHING;
2282     switch (ASYNC_start_job(&sc->job, sc->waitctx, &ret, func, args,
2283                             sizeof(struct ssl_async_args))) {
2284     case ASYNC_ERR:
2285         sc->rwstate = SSL_NOTHING;
2286         ERR_raise(ERR_LIB_SSL, SSL_R_FAILED_TO_INIT_ASYNC);
2287         return -1;
2288     case ASYNC_PAUSE:
2289         sc->rwstate = SSL_ASYNC_PAUSED;
2290         return -1;
2291     case ASYNC_NO_JOBS:
2292         sc->rwstate = SSL_ASYNC_NO_JOBS;
2293         return -1;
2294     case ASYNC_FINISH:
2295         sc->job = NULL;
2296         return ret;
2297     default:
2298         sc->rwstate = SSL_NOTHING;
2299         ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
2300         /* Shouldn't happen */
2301         return -1;
2302     }
2303 }
2304 
ssl_io_intern(void * vargs)2305 static int ssl_io_intern(void *vargs)
2306 {
2307     struct ssl_async_args *args;
2308     SSL *s;
2309     void *buf;
2310     size_t num;
2311     SSL_CONNECTION *sc;
2312 
2313     args = (struct ssl_async_args *)vargs;
2314     s = args->s;
2315     buf = args->buf;
2316     num = args->num;
2317     if ((sc = SSL_CONNECTION_FROM_SSL(s)) == NULL)
2318         return -1;
2319 
2320     switch (args->type) {
2321     case READFUNC:
2322         return args->f.func_read(s, buf, num, &sc->asyncrw);
2323     case WRITEFUNC:
2324         return args->f.func_write(s, buf, num, &sc->asyncrw);
2325     case OTHERFUNC:
2326         return args->f.func_other(s);
2327     }
2328     return -1;
2329 }
2330 
ssl_read_internal(SSL * s,void * buf,size_t num,size_t * readbytes)2331 int ssl_read_internal(SSL *s, void *buf, size_t num, size_t *readbytes)
2332 {
2333     SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
2334 
2335 #ifndef OPENSSL_NO_QUIC
2336     if (IS_QUIC(s))
2337         return s->method->ssl_read(s, buf, num, readbytes);
2338 #endif
2339 
2340     if (sc == NULL)
2341         return -1;
2342 
2343     if (sc->handshake_func == NULL) {
2344         ERR_raise(ERR_LIB_SSL, SSL_R_UNINITIALIZED);
2345         return -1;
2346     }
2347 
2348     if (sc->shutdown & SSL_RECEIVED_SHUTDOWN) {
2349         sc->rwstate = SSL_NOTHING;
2350         return 0;
2351     }
2352 
2353     if (sc->early_data_state == SSL_EARLY_DATA_CONNECT_RETRY
2354                 || sc->early_data_state == SSL_EARLY_DATA_ACCEPT_RETRY) {
2355         ERR_raise(ERR_LIB_SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
2356         return 0;
2357     }
2358     /*
2359      * If we are a client and haven't received the ServerHello etc then we
2360      * better do that
2361      */
2362     if (!ossl_statem_check_finish_init(sc, 0))
2363         return -1;
2364 
2365     if ((sc->mode & SSL_MODE_ASYNC) && ASYNC_get_current_job() == NULL) {
2366         struct ssl_async_args args;
2367         int ret;
2368 
2369         args.s = s;
2370         args.buf = buf;
2371         args.num = num;
2372         args.type = READFUNC;
2373         args.f.func_read = s->method->ssl_read;
2374 
2375         ret = ssl_start_async_job(s, &args, ssl_io_intern);
2376         *readbytes = sc->asyncrw;
2377         return ret;
2378     } else {
2379         return s->method->ssl_read(s, buf, num, readbytes);
2380     }
2381 }
2382 
SSL_read(SSL * s,void * buf,int num)2383 int SSL_read(SSL *s, void *buf, int num)
2384 {
2385     int ret;
2386     size_t readbytes;
2387 
2388     if (num < 0) {
2389         ERR_raise(ERR_LIB_SSL, SSL_R_BAD_LENGTH);
2390         return -1;
2391     }
2392 
2393     ret = ssl_read_internal(s, buf, (size_t)num, &readbytes);
2394 
2395     /*
2396      * The cast is safe here because ret should be <= INT_MAX because num is
2397      * <= INT_MAX
2398      */
2399     if (ret > 0)
2400         ret = (int)readbytes;
2401 
2402     return ret;
2403 }
2404 
SSL_read_ex(SSL * s,void * buf,size_t num,size_t * readbytes)2405 int SSL_read_ex(SSL *s, void *buf, size_t num, size_t *readbytes)
2406 {
2407     int ret = ssl_read_internal(s, buf, num, readbytes);
2408 
2409     if (ret < 0)
2410         ret = 0;
2411     return ret;
2412 }
2413 
SSL_read_early_data(SSL * s,void * buf,size_t num,size_t * readbytes)2414 int SSL_read_early_data(SSL *s, void *buf, size_t num, size_t *readbytes)
2415 {
2416     int ret;
2417     SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL_ONLY(s);
2418 
2419     /* TODO(QUIC 0RTT): 0-RTT support */
2420     if (sc == NULL || !sc->server) {
2421         ERR_raise(ERR_LIB_SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
2422         return SSL_READ_EARLY_DATA_ERROR;
2423     }
2424 
2425     switch (sc->early_data_state) {
2426     case SSL_EARLY_DATA_NONE:
2427         if (!SSL_in_before(s)) {
2428             ERR_raise(ERR_LIB_SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
2429             return SSL_READ_EARLY_DATA_ERROR;
2430         }
2431         /* fall through */
2432 
2433     case SSL_EARLY_DATA_ACCEPT_RETRY:
2434         sc->early_data_state = SSL_EARLY_DATA_ACCEPTING;
2435         ret = SSL_accept(s);
2436         if (ret <= 0) {
2437             /* NBIO or error */
2438             sc->early_data_state = SSL_EARLY_DATA_ACCEPT_RETRY;
2439             return SSL_READ_EARLY_DATA_ERROR;
2440         }
2441         /* fall through */
2442 
2443     case SSL_EARLY_DATA_READ_RETRY:
2444         if (sc->ext.early_data == SSL_EARLY_DATA_ACCEPTED) {
2445             sc->early_data_state = SSL_EARLY_DATA_READING;
2446             ret = SSL_read_ex(s, buf, num, readbytes);
2447             /*
2448              * State machine will update early_data_state to
2449              * SSL_EARLY_DATA_FINISHED_READING if we get an EndOfEarlyData
2450              * message
2451              */
2452             if (ret > 0 || (ret <= 0 && sc->early_data_state
2453                                         != SSL_EARLY_DATA_FINISHED_READING)) {
2454                 sc->early_data_state = SSL_EARLY_DATA_READ_RETRY;
2455                 return ret > 0 ? SSL_READ_EARLY_DATA_SUCCESS
2456                                : SSL_READ_EARLY_DATA_ERROR;
2457             }
2458         } else {
2459             sc->early_data_state = SSL_EARLY_DATA_FINISHED_READING;
2460         }
2461         *readbytes = 0;
2462         return SSL_READ_EARLY_DATA_FINISH;
2463 
2464     default:
2465         ERR_raise(ERR_LIB_SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
2466         return SSL_READ_EARLY_DATA_ERROR;
2467     }
2468 }
2469 
SSL_get_early_data_status(const SSL * s)2470 int SSL_get_early_data_status(const SSL *s)
2471 {
2472     const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL_ONLY(s);
2473 
2474     /* TODO(QUIC 0RTT): 0-RTT support */
2475     if (sc == NULL)
2476         return 0;
2477 
2478     return sc->ext.early_data;
2479 }
2480 
ssl_peek_internal(SSL * s,void * buf,size_t num,size_t * readbytes)2481 static int ssl_peek_internal(SSL *s, void *buf, size_t num, size_t *readbytes)
2482 {
2483     SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
2484 
2485 #ifndef OPENSSL_NO_QUIC
2486     if (IS_QUIC(s))
2487         return s->method->ssl_peek(s, buf, num, readbytes);
2488 #endif
2489 
2490     if (sc == NULL)
2491         return 0;
2492 
2493     if (sc->handshake_func == NULL) {
2494         ERR_raise(ERR_LIB_SSL, SSL_R_UNINITIALIZED);
2495         return -1;
2496     }
2497 
2498     if (sc->shutdown & SSL_RECEIVED_SHUTDOWN) {
2499         return 0;
2500     }
2501     if ((sc->mode & SSL_MODE_ASYNC) && ASYNC_get_current_job() == NULL) {
2502         struct ssl_async_args args;
2503         int ret;
2504 
2505         args.s = s;
2506         args.buf = buf;
2507         args.num = num;
2508         args.type = READFUNC;
2509         args.f.func_read = s->method->ssl_peek;
2510 
2511         ret = ssl_start_async_job(s, &args, ssl_io_intern);
2512         *readbytes = sc->asyncrw;
2513         return ret;
2514     } else {
2515         return s->method->ssl_peek(s, buf, num, readbytes);
2516     }
2517 }
2518 
SSL_peek(SSL * s,void * buf,int num)2519 int SSL_peek(SSL *s, void *buf, int num)
2520 {
2521     int ret;
2522     size_t readbytes;
2523 
2524     if (num < 0) {
2525         ERR_raise(ERR_LIB_SSL, SSL_R_BAD_LENGTH);
2526         return -1;
2527     }
2528 
2529     ret = ssl_peek_internal(s, buf, (size_t)num, &readbytes);
2530 
2531     /*
2532      * The cast is safe here because ret should be <= INT_MAX because num is
2533      * <= INT_MAX
2534      */
2535     if (ret > 0)
2536         ret = (int)readbytes;
2537 
2538     return ret;
2539 }
2540 
2541 
SSL_peek_ex(SSL * s,void * buf,size_t num,size_t * readbytes)2542 int SSL_peek_ex(SSL *s, void *buf, size_t num, size_t *readbytes)
2543 {
2544     int ret = ssl_peek_internal(s, buf, num, readbytes);
2545 
2546     if (ret < 0)
2547         ret = 0;
2548     return ret;
2549 }
2550 
ssl_write_internal(SSL * s,const void * buf,size_t num,uint64_t flags,size_t * written)2551 int ssl_write_internal(SSL *s, const void *buf, size_t num,
2552                        uint64_t flags, size_t *written)
2553 {
2554     SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
2555 
2556 #ifndef OPENSSL_NO_QUIC
2557     if (IS_QUIC(s))
2558         return ossl_quic_write_flags(s, buf, num, flags, written);
2559 #endif
2560 
2561     if (sc == NULL)
2562         return 0;
2563 
2564     if (sc->handshake_func == NULL) {
2565         ERR_raise(ERR_LIB_SSL, SSL_R_UNINITIALIZED);
2566         return -1;
2567     }
2568 
2569     if (sc->shutdown & SSL_SENT_SHUTDOWN) {
2570         sc->rwstate = SSL_NOTHING;
2571         ERR_raise(ERR_LIB_SSL, SSL_R_PROTOCOL_IS_SHUTDOWN);
2572         return -1;
2573     }
2574 
2575     if (flags != 0) {
2576         ERR_raise(ERR_LIB_SSL, SSL_R_UNSUPPORTED_WRITE_FLAG);
2577         return -1;
2578     }
2579 
2580     if (sc->early_data_state == SSL_EARLY_DATA_CONNECT_RETRY
2581                 || sc->early_data_state == SSL_EARLY_DATA_ACCEPT_RETRY
2582                 || sc->early_data_state == SSL_EARLY_DATA_READ_RETRY) {
2583         ERR_raise(ERR_LIB_SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
2584         return 0;
2585     }
2586     /* If we are a client and haven't sent the Finished we better do that */
2587     if (!ossl_statem_check_finish_init(sc, 1))
2588         return -1;
2589 
2590     if ((sc->mode & SSL_MODE_ASYNC) && ASYNC_get_current_job() == NULL) {
2591         int ret;
2592         struct ssl_async_args args;
2593 
2594         args.s = s;
2595         args.buf = (void *)buf;
2596         args.num = num;
2597         args.type = WRITEFUNC;
2598         args.f.func_write = s->method->ssl_write;
2599 
2600         ret = ssl_start_async_job(s, &args, ssl_io_intern);
2601         *written = sc->asyncrw;
2602         return ret;
2603     } else {
2604         return s->method->ssl_write(s, buf, num, written);
2605     }
2606 }
2607 
SSL_sendfile(SSL * s,int fd,off_t offset,size_t size,int flags)2608 ossl_ssize_t SSL_sendfile(SSL *s, int fd, off_t offset, size_t size, int flags)
2609 {
2610     ossl_ssize_t ret;
2611     SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL_ONLY(s);
2612 
2613     if (sc == NULL)
2614         return 0;
2615 
2616     if (sc->handshake_func == NULL) {
2617         ERR_raise(ERR_LIB_SSL, SSL_R_UNINITIALIZED);
2618         return -1;
2619     }
2620 
2621     if (sc->shutdown & SSL_SENT_SHUTDOWN) {
2622         sc->rwstate = SSL_NOTHING;
2623         ERR_raise(ERR_LIB_SSL, SSL_R_PROTOCOL_IS_SHUTDOWN);
2624         return -1;
2625     }
2626 
2627     if (!BIO_get_ktls_send(sc->wbio)) {
2628         ERR_raise(ERR_LIB_SSL, SSL_R_UNINITIALIZED);
2629         return -1;
2630     }
2631 
2632     /* If we have an alert to send, lets send it */
2633     if (sc->s3.alert_dispatch > 0) {
2634         ret = (ossl_ssize_t)s->method->ssl_dispatch_alert(s);
2635         if (ret <= 0) {
2636             /* SSLfatal() already called if appropriate */
2637             return ret;
2638         }
2639         /* if it went, fall through and send more stuff */
2640     }
2641 
2642     sc->rwstate = SSL_WRITING;
2643     if (BIO_flush(sc->wbio) <= 0) {
2644         if (!BIO_should_retry(sc->wbio)) {
2645             sc->rwstate = SSL_NOTHING;
2646         } else {
2647 #ifdef EAGAIN
2648             set_sys_error(EAGAIN);
2649 #endif
2650         }
2651         return -1;
2652     }
2653 
2654 #ifdef OPENSSL_NO_KTLS
2655     ERR_raise_data(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR,
2656                    "can't call ktls_sendfile(), ktls disabled");
2657     return -1;
2658 #else
2659     ret = ktls_sendfile(SSL_get_wfd(s), fd, offset, size, flags);
2660     if (ret < 0) {
2661 #if defined(EAGAIN) && defined(EINTR) && defined(EBUSY)
2662         if ((get_last_sys_error() == EAGAIN) ||
2663             (get_last_sys_error() == EINTR) ||
2664             (get_last_sys_error() == EBUSY))
2665             BIO_set_retry_write(sc->wbio);
2666         else
2667 #endif
2668             ERR_raise_data(ERR_LIB_SYS, get_last_sys_error(),
2669                            "ktls_sendfile failure");
2670         return ret;
2671     }
2672     sc->rwstate = SSL_NOTHING;
2673     return ret;
2674 #endif
2675 }
2676 
SSL_write(SSL * s,const void * buf,int num)2677 int SSL_write(SSL *s, const void *buf, int num)
2678 {
2679     int ret;
2680     size_t written;
2681 
2682     if (num < 0) {
2683         ERR_raise(ERR_LIB_SSL, SSL_R_BAD_LENGTH);
2684         return -1;
2685     }
2686 
2687     ret = ssl_write_internal(s, buf, (size_t)num, 0, &written);
2688 
2689     /*
2690      * The cast is safe here because ret should be <= INT_MAX because num is
2691      * <= INT_MAX
2692      */
2693     if (ret > 0)
2694         ret = (int)written;
2695 
2696     return ret;
2697 }
2698 
SSL_write_ex(SSL * s,const void * buf,size_t num,size_t * written)2699 int SSL_write_ex(SSL *s, const void *buf, size_t num, size_t *written)
2700 {
2701     return SSL_write_ex2(s, buf, num, 0, written);
2702 }
2703 
SSL_write_ex2(SSL * s,const void * buf,size_t num,uint64_t flags,size_t * written)2704 int SSL_write_ex2(SSL *s, const void *buf, size_t num, uint64_t flags,
2705                   size_t *written)
2706 {
2707     int ret = ssl_write_internal(s, buf, num, flags, written);
2708 
2709     if (ret < 0)
2710         ret = 0;
2711     return ret;
2712 }
2713 
SSL_write_early_data(SSL * s,const void * buf,size_t num,size_t * written)2714 int SSL_write_early_data(SSL *s, const void *buf, size_t num, size_t *written)
2715 {
2716     int ret, early_data_state;
2717     size_t writtmp;
2718     uint32_t partialwrite;
2719     SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL_ONLY(s);
2720 
2721     /* TODO(QUIC 0RTT): This will need special handling for QUIC */
2722     if (sc == NULL)
2723         return 0;
2724 
2725     switch (sc->early_data_state) {
2726     case SSL_EARLY_DATA_NONE:
2727         if (sc->server
2728                 || !SSL_in_before(s)
2729                 || ((sc->session == NULL || sc->session->ext.max_early_data == 0)
2730                      && (sc->psk_use_session_cb == NULL))) {
2731             ERR_raise(ERR_LIB_SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
2732             return 0;
2733         }
2734         /* fall through */
2735 
2736     case SSL_EARLY_DATA_CONNECT_RETRY:
2737         sc->early_data_state = SSL_EARLY_DATA_CONNECTING;
2738         ret = SSL_connect(s);
2739         if (ret <= 0) {
2740             /* NBIO or error */
2741             sc->early_data_state = SSL_EARLY_DATA_CONNECT_RETRY;
2742             return 0;
2743         }
2744         /* fall through */
2745 
2746     case SSL_EARLY_DATA_WRITE_RETRY:
2747         sc->early_data_state = SSL_EARLY_DATA_WRITING;
2748         /*
2749          * We disable partial write for early data because we don't keep track
2750          * of how many bytes we've written between the SSL_write_ex() call and
2751          * the flush if the flush needs to be retried)
2752          */
2753         partialwrite = sc->mode & SSL_MODE_ENABLE_PARTIAL_WRITE;
2754         sc->mode &= ~SSL_MODE_ENABLE_PARTIAL_WRITE;
2755         ret = SSL_write_ex(s, buf, num, &writtmp);
2756         sc->mode |= partialwrite;
2757         if (!ret) {
2758             sc->early_data_state = SSL_EARLY_DATA_WRITE_RETRY;
2759             return ret;
2760         }
2761         sc->early_data_state = SSL_EARLY_DATA_WRITE_FLUSH;
2762         /* fall through */
2763 
2764     case SSL_EARLY_DATA_WRITE_FLUSH:
2765         /* The buffering BIO is still in place so we need to flush it */
2766         if (statem_flush(sc) != 1)
2767             return 0;
2768         *written = num;
2769         sc->early_data_state = SSL_EARLY_DATA_WRITE_RETRY;
2770         return 1;
2771 
2772     case SSL_EARLY_DATA_FINISHED_READING:
2773     case SSL_EARLY_DATA_READ_RETRY:
2774         early_data_state = sc->early_data_state;
2775         /* We are a server writing to an unauthenticated client */
2776         sc->early_data_state = SSL_EARLY_DATA_UNAUTH_WRITING;
2777         ret = SSL_write_ex(s, buf, num, written);
2778         /* The buffering BIO is still in place */
2779         if (ret)
2780             (void)BIO_flush(sc->wbio);
2781         sc->early_data_state = early_data_state;
2782         return ret;
2783 
2784     default:
2785         ERR_raise(ERR_LIB_SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
2786         return 0;
2787     }
2788 }
2789 
SSL_shutdown(SSL * s)2790 int SSL_shutdown(SSL *s)
2791 {
2792     /*
2793      * Note that this function behaves differently from what one might
2794      * expect.  Return values are 0 for no success (yet), 1 for success; but
2795      * calling it once is usually not enough, even if blocking I/O is used
2796      * (see ssl3_shutdown).
2797      */
2798     SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
2799 
2800 #ifndef OPENSSL_NO_QUIC
2801     if (IS_QUIC(s))
2802         return ossl_quic_conn_shutdown(s, 0, NULL, 0);
2803 #endif
2804 
2805     if (sc == NULL)
2806         return -1;
2807 
2808     if (sc->handshake_func == NULL) {
2809         ERR_raise(ERR_LIB_SSL, SSL_R_UNINITIALIZED);
2810         return -1;
2811     }
2812 
2813     if (!SSL_in_init(s)) {
2814         if ((sc->mode & SSL_MODE_ASYNC) && ASYNC_get_current_job() == NULL) {
2815             struct ssl_async_args args;
2816 
2817             memset(&args, 0, sizeof(args));
2818             args.s = s;
2819             args.type = OTHERFUNC;
2820             args.f.func_other = s->method->ssl_shutdown;
2821 
2822             return ssl_start_async_job(s, &args, ssl_io_intern);
2823         } else {
2824             return s->method->ssl_shutdown(s);
2825         }
2826     } else {
2827         ERR_raise(ERR_LIB_SSL, SSL_R_SHUTDOWN_WHILE_IN_INIT);
2828         return -1;
2829     }
2830 }
2831 
SSL_key_update(SSL * s,int updatetype)2832 int SSL_key_update(SSL *s, int updatetype)
2833 {
2834     SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
2835 
2836 #ifndef OPENSSL_NO_QUIC
2837     if (IS_QUIC(s))
2838         return ossl_quic_key_update(s, updatetype);
2839 #endif
2840 
2841     if (sc == NULL)
2842         return 0;
2843 
2844     if (!SSL_CONNECTION_IS_TLS13(sc)) {
2845         ERR_raise(ERR_LIB_SSL, SSL_R_WRONG_SSL_VERSION);
2846         return 0;
2847     }
2848 
2849     if (updatetype != SSL_KEY_UPDATE_NOT_REQUESTED
2850             && updatetype != SSL_KEY_UPDATE_REQUESTED) {
2851         ERR_raise(ERR_LIB_SSL, SSL_R_INVALID_KEY_UPDATE_TYPE);
2852         return 0;
2853     }
2854 
2855     if (!SSL_is_init_finished(s)) {
2856         ERR_raise(ERR_LIB_SSL, SSL_R_STILL_IN_INIT);
2857         return 0;
2858     }
2859 
2860     if (RECORD_LAYER_write_pending(&sc->rlayer)) {
2861         ERR_raise(ERR_LIB_SSL, SSL_R_BAD_WRITE_RETRY);
2862         return 0;
2863     }
2864 
2865     ossl_statem_set_in_init(sc, 1);
2866     sc->key_update = updatetype;
2867     return 1;
2868 }
2869 
SSL_get_key_update_type(const SSL * s)2870 int SSL_get_key_update_type(const SSL *s)
2871 {
2872     const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
2873 
2874 #ifndef OPENSSL_NO_QUIC
2875     if (IS_QUIC(s))
2876         return ossl_quic_get_key_update_type(s);
2877 #endif
2878 
2879     if (sc == NULL)
2880         return 0;
2881 
2882     return sc->key_update;
2883 }
2884 
2885 /*
2886  * Can we accept a renegotiation request?  If yes, set the flag and
2887  * return 1 if yes. If not, raise error and return 0.
2888  */
can_renegotiate(const SSL_CONNECTION * sc)2889 static int can_renegotiate(const SSL_CONNECTION *sc)
2890 {
2891     if (SSL_CONNECTION_IS_TLS13(sc)) {
2892         ERR_raise(ERR_LIB_SSL, SSL_R_WRONG_SSL_VERSION);
2893         return 0;
2894     }
2895 
2896     if ((sc->options & SSL_OP_NO_RENEGOTIATION) != 0) {
2897         ERR_raise(ERR_LIB_SSL, SSL_R_NO_RENEGOTIATION);
2898         return 0;
2899     }
2900 
2901     return 1;
2902 }
2903 
SSL_renegotiate(SSL * s)2904 int SSL_renegotiate(SSL *s)
2905 {
2906     SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL_ONLY(s);
2907 
2908     if (sc == NULL)
2909         return 0;
2910 
2911     if (!can_renegotiate(sc))
2912         return 0;
2913 
2914     sc->renegotiate = 1;
2915     sc->new_session = 1;
2916     return s->method->ssl_renegotiate(s);
2917 }
2918 
SSL_renegotiate_abbreviated(SSL * s)2919 int SSL_renegotiate_abbreviated(SSL *s)
2920 {
2921     SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL_ONLY(s);
2922 
2923     if (sc == NULL)
2924         return 0;
2925 
2926     if (!can_renegotiate(sc))
2927         return 0;
2928 
2929     sc->renegotiate = 1;
2930     sc->new_session = 0;
2931     return s->method->ssl_renegotiate(s);
2932 }
2933 
SSL_renegotiate_pending(const SSL * s)2934 int SSL_renegotiate_pending(const SSL *s)
2935 {
2936     SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL_ONLY(s);
2937 
2938     if (sc == NULL)
2939         return 0;
2940 
2941     /*
2942      * becomes true when negotiation is requested; false again once a
2943      * handshake has finished
2944      */
2945     return (sc->renegotiate != 0);
2946 }
2947 
SSL_new_session_ticket(SSL * s)2948 int SSL_new_session_ticket(SSL *s)
2949 {
2950     SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
2951 
2952     if (sc == NULL)
2953         return 0;
2954 
2955     /* If we are in init because we're sending tickets, okay to send more. */
2956     if ((SSL_in_init(s) && sc->ext.extra_tickets_expected == 0)
2957             || SSL_IS_FIRST_HANDSHAKE(sc) || !sc->server
2958             || !SSL_CONNECTION_IS_TLS13(sc))
2959         return 0;
2960     sc->ext.extra_tickets_expected++;
2961     if (!RECORD_LAYER_write_pending(&sc->rlayer) && !SSL_in_init(s))
2962         ossl_statem_set_in_init(sc, 1);
2963     return 1;
2964 }
2965 
SSL_ctrl(SSL * s,int cmd,long larg,void * parg)2966 long SSL_ctrl(SSL *s, int cmd, long larg, void *parg)
2967 {
2968     return ossl_ctrl_internal(s, cmd, larg, parg, /*no_quic=*/0);
2969 }
2970 
ossl_ctrl_internal(SSL * s,int cmd,long larg,void * parg,int no_quic)2971 long ossl_ctrl_internal(SSL *s, int cmd, long larg, void *parg, int no_quic)
2972 {
2973     long l;
2974     SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
2975 
2976     /*
2977      * Routing of ctrl calls for QUIC is a little counterintuitive:
2978      *
2979      *   - Firstly (no_quic=0), we pass the ctrl directly to our QUIC
2980      *     implementation in case it wants to handle the ctrl specially.
2981      *
2982      *   - If our QUIC implementation does not care about the ctrl, it
2983      *     will reenter this function with no_quic=1 and we will try to handle
2984      *     it directly using the QCSO SSL object stub (not the handshake layer
2985      *     SSL object). This is important for e.g. the version configuration
2986      *     ctrls below, which must use s->defltmeth (and not sc->defltmeth).
2987      *
2988      *   - If we don't handle a ctrl here specially, then processing is
2989      *     redirected to the handshake layer SSL object.
2990      */
2991     if (!no_quic && IS_QUIC(s))
2992         return s->method->ssl_ctrl(s, cmd, larg, parg);
2993 
2994     if (sc == NULL)
2995         return 0;
2996 
2997     switch (cmd) {
2998     case SSL_CTRL_GET_READ_AHEAD:
2999         return RECORD_LAYER_get_read_ahead(&sc->rlayer);
3000     case SSL_CTRL_SET_READ_AHEAD:
3001         l = RECORD_LAYER_get_read_ahead(&sc->rlayer);
3002         RECORD_LAYER_set_read_ahead(&sc->rlayer, larg);
3003         return l;
3004 
3005     case SSL_CTRL_MODE:
3006     {
3007         OSSL_PARAM options[2], *opts = options;
3008 
3009         sc->mode |= larg;
3010 
3011         *opts++ = OSSL_PARAM_construct_uint32(OSSL_LIBSSL_RECORD_LAYER_PARAM_MODE,
3012                                               &sc->mode);
3013         *opts = OSSL_PARAM_construct_end();
3014 
3015         /* Ignore return value */
3016         sc->rlayer.rrlmethod->set_options(sc->rlayer.rrl, options);
3017 
3018         return sc->mode;
3019     }
3020     case SSL_CTRL_CLEAR_MODE:
3021         return (sc->mode &= ~larg);
3022     case SSL_CTRL_GET_MAX_CERT_LIST:
3023         return (long)sc->max_cert_list;
3024     case SSL_CTRL_SET_MAX_CERT_LIST:
3025         if (larg < 0)
3026             return 0;
3027         l = (long)sc->max_cert_list;
3028         sc->max_cert_list = (size_t)larg;
3029         return l;
3030     case SSL_CTRL_SET_MAX_SEND_FRAGMENT:
3031         if (larg < 512 || larg > SSL3_RT_MAX_PLAIN_LENGTH)
3032             return 0;
3033 #ifndef OPENSSL_NO_KTLS
3034         if (sc->wbio != NULL && BIO_get_ktls_send(sc->wbio))
3035             return 0;
3036 #endif /* OPENSSL_NO_KTLS */
3037         sc->max_send_fragment = larg;
3038         if (sc->max_send_fragment < sc->split_send_fragment)
3039             sc->split_send_fragment = sc->max_send_fragment;
3040         sc->rlayer.wrlmethod->set_max_frag_len(sc->rlayer.wrl, larg);
3041         return 1;
3042     case SSL_CTRL_SET_SPLIT_SEND_FRAGMENT:
3043         if ((size_t)larg > sc->max_send_fragment || larg == 0)
3044             return 0;
3045         sc->split_send_fragment = larg;
3046         return 1;
3047     case SSL_CTRL_SET_MAX_PIPELINES:
3048         if (larg < 1 || larg > SSL_MAX_PIPELINES)
3049             return 0;
3050         sc->max_pipelines = larg;
3051         if (sc->rlayer.rrlmethod->set_max_pipelines != NULL)
3052             sc->rlayer.rrlmethod->set_max_pipelines(sc->rlayer.rrl, (size_t)larg);
3053         return 1;
3054     case SSL_CTRL_GET_RI_SUPPORT:
3055         return sc->s3.send_connection_binding;
3056     case SSL_CTRL_SET_RETRY_VERIFY:
3057         sc->rwstate = SSL_RETRY_VERIFY;
3058         return 1;
3059     case SSL_CTRL_CERT_FLAGS:
3060         return (sc->cert->cert_flags |= larg);
3061     case SSL_CTRL_CLEAR_CERT_FLAGS:
3062         return (sc->cert->cert_flags &= ~larg);
3063 
3064     case SSL_CTRL_GET_RAW_CIPHERLIST:
3065         if (parg) {
3066             if (sc->s3.tmp.ciphers_raw == NULL)
3067                 return 0;
3068             *(unsigned char **)parg = sc->s3.tmp.ciphers_raw;
3069             return (int)sc->s3.tmp.ciphers_rawlen;
3070         } else {
3071             return TLS_CIPHER_LEN;
3072         }
3073     case SSL_CTRL_GET_EXTMS_SUPPORT:
3074         if (!sc->session || SSL_in_init(s) || ossl_statem_get_in_handshake(sc))
3075             return -1;
3076         if (sc->session->flags & SSL_SESS_FLAG_EXTMS)
3077             return 1;
3078         else
3079             return 0;
3080     case SSL_CTRL_SET_MIN_PROTO_VERSION:
3081         return ssl_check_allowed_versions(larg, sc->max_proto_version)
3082                && ssl_set_version_bound(s->defltmeth->version, (int)larg,
3083                                         &sc->min_proto_version);
3084     case SSL_CTRL_GET_MIN_PROTO_VERSION:
3085         return sc->min_proto_version;
3086     case SSL_CTRL_SET_MAX_PROTO_VERSION:
3087         return ssl_check_allowed_versions(sc->min_proto_version, larg)
3088                && ssl_set_version_bound(s->defltmeth->version, (int)larg,
3089                                         &sc->max_proto_version);
3090     case SSL_CTRL_GET_MAX_PROTO_VERSION:
3091         return sc->max_proto_version;
3092     default:
3093         if (IS_QUIC(s))
3094             return SSL_ctrl((SSL *)sc, cmd, larg, parg);
3095         else
3096             return s->method->ssl_ctrl(s, cmd, larg, parg);
3097     }
3098 }
3099 
SSL_callback_ctrl(SSL * s,int cmd,void (* fp)(void))3100 long SSL_callback_ctrl(SSL *s, int cmd, void (*fp) (void))
3101 {
3102     return s->method->ssl_callback_ctrl(s, cmd, fp);
3103 }
3104 
LHASH_OF(SSL_SESSION)3105 LHASH_OF(SSL_SESSION) *SSL_CTX_sessions(SSL_CTX *ctx)
3106 {
3107     return ctx->sessions;
3108 }
3109 
ssl_tsan_load(SSL_CTX * ctx,TSAN_QUALIFIER int * stat)3110 static int ssl_tsan_load(SSL_CTX *ctx, TSAN_QUALIFIER int *stat)
3111 {
3112     int res = 0;
3113 
3114     if (ssl_tsan_lock(ctx)) {
3115         res = tsan_load(stat);
3116         ssl_tsan_unlock(ctx);
3117     }
3118     return res;
3119 }
3120 
SSL_CTX_ctrl(SSL_CTX * ctx,int cmd,long larg,void * parg)3121 long SSL_CTX_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
3122 {
3123     long l;
3124 
3125     /* For some cases with ctx == NULL or larg == 1 perform syntax checks */
3126     if (cmd == SSL_CTRL_SET_GROUPS_LIST && larg == 1)
3127         return tls1_set_groups_list(ctx, NULL, NULL, NULL, NULL, NULL, NULL, parg);
3128     if (ctx == NULL) {
3129         switch (cmd) {
3130         case SSL_CTRL_SET_SIGALGS_LIST:
3131         case SSL_CTRL_SET_CLIENT_SIGALGS_LIST:
3132             return tls1_set_sigalgs_list(ctx, NULL, parg, 0);
3133         default:
3134             return 0;
3135         }
3136     }
3137 
3138     switch (cmd) {
3139     case SSL_CTRL_GET_READ_AHEAD:
3140         return ctx->read_ahead;
3141     case SSL_CTRL_SET_READ_AHEAD:
3142         l = ctx->read_ahead;
3143         ctx->read_ahead = larg;
3144         return l;
3145 
3146     case SSL_CTRL_SET_MSG_CALLBACK_ARG:
3147         ctx->msg_callback_arg = parg;
3148         return 1;
3149 
3150     case SSL_CTRL_GET_MAX_CERT_LIST:
3151         return (long)ctx->max_cert_list;
3152     case SSL_CTRL_SET_MAX_CERT_LIST:
3153         if (larg < 0)
3154             return 0;
3155         l = (long)ctx->max_cert_list;
3156         ctx->max_cert_list = (size_t)larg;
3157         return l;
3158 
3159     case SSL_CTRL_SET_SESS_CACHE_SIZE:
3160         if (larg < 0)
3161             return 0;
3162         l = (long)ctx->session_cache_size;
3163         ctx->session_cache_size = (size_t)larg;
3164         return l;
3165     case SSL_CTRL_GET_SESS_CACHE_SIZE:
3166         return (long)ctx->session_cache_size;
3167     case SSL_CTRL_SET_SESS_CACHE_MODE:
3168         l = ctx->session_cache_mode;
3169         ctx->session_cache_mode = larg;
3170         return l;
3171     case SSL_CTRL_GET_SESS_CACHE_MODE:
3172         return ctx->session_cache_mode;
3173 
3174     case SSL_CTRL_SESS_NUMBER:
3175         return lh_SSL_SESSION_num_items(ctx->sessions);
3176     case SSL_CTRL_SESS_CONNECT:
3177         return ssl_tsan_load(ctx, &ctx->stats.sess_connect);
3178     case SSL_CTRL_SESS_CONNECT_GOOD:
3179         return ssl_tsan_load(ctx, &ctx->stats.sess_connect_good);
3180     case SSL_CTRL_SESS_CONNECT_RENEGOTIATE:
3181         return ssl_tsan_load(ctx, &ctx->stats.sess_connect_renegotiate);
3182     case SSL_CTRL_SESS_ACCEPT:
3183         return ssl_tsan_load(ctx, &ctx->stats.sess_accept);
3184     case SSL_CTRL_SESS_ACCEPT_GOOD:
3185         return ssl_tsan_load(ctx, &ctx->stats.sess_accept_good);
3186     case SSL_CTRL_SESS_ACCEPT_RENEGOTIATE:
3187         return ssl_tsan_load(ctx, &ctx->stats.sess_accept_renegotiate);
3188     case SSL_CTRL_SESS_HIT:
3189         return ssl_tsan_load(ctx, &ctx->stats.sess_hit);
3190     case SSL_CTRL_SESS_CB_HIT:
3191         return ssl_tsan_load(ctx, &ctx->stats.sess_cb_hit);
3192     case SSL_CTRL_SESS_MISSES:
3193         return ssl_tsan_load(ctx, &ctx->stats.sess_miss);
3194     case SSL_CTRL_SESS_TIMEOUTS:
3195         return ssl_tsan_load(ctx, &ctx->stats.sess_timeout);
3196     case SSL_CTRL_SESS_CACHE_FULL:
3197         return ssl_tsan_load(ctx, &ctx->stats.sess_cache_full);
3198     case SSL_CTRL_MODE:
3199         return (ctx->mode |= larg);
3200     case SSL_CTRL_CLEAR_MODE:
3201         return (ctx->mode &= ~larg);
3202     case SSL_CTRL_SET_MAX_SEND_FRAGMENT:
3203         if (larg < 512 || larg > SSL3_RT_MAX_PLAIN_LENGTH)
3204             return 0;
3205         ctx->max_send_fragment = larg;
3206         if (ctx->max_send_fragment < ctx->split_send_fragment)
3207             ctx->split_send_fragment = ctx->max_send_fragment;
3208         return 1;
3209     case SSL_CTRL_SET_SPLIT_SEND_FRAGMENT:
3210         if ((size_t)larg > ctx->max_send_fragment || larg == 0)
3211             return 0;
3212         ctx->split_send_fragment = larg;
3213         return 1;
3214     case SSL_CTRL_SET_MAX_PIPELINES:
3215         if (larg < 1 || larg > SSL_MAX_PIPELINES)
3216             return 0;
3217         ctx->max_pipelines = larg;
3218         return 1;
3219     case SSL_CTRL_CERT_FLAGS:
3220         return (ctx->cert->cert_flags |= larg);
3221     case SSL_CTRL_CLEAR_CERT_FLAGS:
3222         return (ctx->cert->cert_flags &= ~larg);
3223     case SSL_CTRL_SET_MIN_PROTO_VERSION:
3224         return ssl_check_allowed_versions(larg, ctx->max_proto_version)
3225                && ssl_set_version_bound(ctx->method->version, (int)larg,
3226                                         &ctx->min_proto_version);
3227     case SSL_CTRL_GET_MIN_PROTO_VERSION:
3228         return ctx->min_proto_version;
3229     case SSL_CTRL_SET_MAX_PROTO_VERSION:
3230         return ssl_check_allowed_versions(ctx->min_proto_version, larg)
3231                && ssl_set_version_bound(ctx->method->version, (int)larg,
3232                                         &ctx->max_proto_version);
3233     case SSL_CTRL_GET_MAX_PROTO_VERSION:
3234         return ctx->max_proto_version;
3235     default:
3236         return ctx->method->ssl_ctx_ctrl(ctx, cmd, larg, parg);
3237     }
3238 }
3239 
SSL_CTX_callback_ctrl(SSL_CTX * ctx,int cmd,void (* fp)(void))3240 long SSL_CTX_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp) (void))
3241 {
3242     switch (cmd) {
3243     case SSL_CTRL_SET_MSG_CALLBACK:
3244         ctx->msg_callback = (void (*)
3245                              (int write_p, int version, int content_type,
3246                               const void *buf, size_t len, SSL *ssl,
3247                               void *arg))(fp);
3248         return 1;
3249 
3250     default:
3251         return ctx->method->ssl_ctx_callback_ctrl(ctx, cmd, fp);
3252     }
3253 }
3254 
ssl_cipher_id_cmp(const SSL_CIPHER * a,const SSL_CIPHER * b)3255 int ssl_cipher_id_cmp(const SSL_CIPHER *a, const SSL_CIPHER *b)
3256 {
3257     if (a->id > b->id)
3258         return 1;
3259     if (a->id < b->id)
3260         return -1;
3261     return 0;
3262 }
3263 
ssl_cipher_ptr_id_cmp(const SSL_CIPHER * const * ap,const SSL_CIPHER * const * bp)3264 int ssl_cipher_ptr_id_cmp(const SSL_CIPHER *const *ap,
3265                           const SSL_CIPHER *const *bp)
3266 {
3267     if ((*ap)->id > (*bp)->id)
3268         return 1;
3269     if ((*ap)->id < (*bp)->id)
3270         return -1;
3271     return 0;
3272 }
3273 
3274 /*
3275  * return a STACK of the ciphers available for the SSL and in order of
3276  * preference
3277  */
STACK_OF(SSL_CIPHER)3278 STACK_OF(SSL_CIPHER) *SSL_get_ciphers(const SSL *s)
3279 {
3280     const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
3281 
3282     if (sc != NULL) {
3283         if (sc->cipher_list != NULL) {
3284             return sc->cipher_list;
3285         } else if ((s->ctx != NULL) && (s->ctx->cipher_list != NULL)) {
3286             return s->ctx->cipher_list;
3287         }
3288     }
3289     return NULL;
3290 }
3291 
STACK_OF(SSL_CIPHER)3292 STACK_OF(SSL_CIPHER) *SSL_get_client_ciphers(const SSL *s)
3293 {
3294     const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
3295 
3296     if (sc == NULL || !sc->server)
3297         return NULL;
3298     return sc->peer_ciphers;
3299 }
3300 
STACK_OF(SSL_CIPHER)3301 STACK_OF(SSL_CIPHER) *SSL_get1_supported_ciphers(SSL *s)
3302 {
3303     STACK_OF(SSL_CIPHER) *sk = NULL, *ciphers;
3304     int i;
3305     SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
3306 
3307     if (sc == NULL)
3308         return NULL;
3309 
3310     ciphers = SSL_get_ciphers(s);
3311     if (!ciphers)
3312         return NULL;
3313     if (!ssl_set_client_disabled(sc))
3314         return NULL;
3315     for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) {
3316         const SSL_CIPHER *c = sk_SSL_CIPHER_value(ciphers, i);
3317         if (!ssl_cipher_disabled(sc, c, SSL_SECOP_CIPHER_SUPPORTED, 0)) {
3318             if (!sk)
3319                 sk = sk_SSL_CIPHER_new_null();
3320             if (!sk)
3321                 return NULL;
3322             if (!sk_SSL_CIPHER_push(sk, c)) {
3323                 sk_SSL_CIPHER_free(sk);
3324                 return NULL;
3325             }
3326         }
3327     }
3328     return sk;
3329 }
3330 
3331 /** return a STACK of the ciphers available for the SSL and in order of
3332  * algorithm id */
STACK_OF(SSL_CIPHER)3333 STACK_OF(SSL_CIPHER) *ssl_get_ciphers_by_id(SSL_CONNECTION *s)
3334 {
3335     if (s != NULL) {
3336         if (s->cipher_list_by_id != NULL)
3337             return s->cipher_list_by_id;
3338         else if (s->ssl.ctx != NULL
3339                  && s->ssl.ctx->cipher_list_by_id != NULL)
3340             return s->ssl.ctx->cipher_list_by_id;
3341     }
3342     return NULL;
3343 }
3344 
3345 /** The old interface to get the same thing as SSL_get_ciphers() */
SSL_get_cipher_list(const SSL * s,int n)3346 const char *SSL_get_cipher_list(const SSL *s, int n)
3347 {
3348     const SSL_CIPHER *c;
3349     STACK_OF(SSL_CIPHER) *sk;
3350 
3351     if (s == NULL)
3352         return NULL;
3353     sk = SSL_get_ciphers(s);
3354     if ((sk == NULL) || (sk_SSL_CIPHER_num(sk) <= n))
3355         return NULL;
3356     c = sk_SSL_CIPHER_value(sk, n);
3357     if (c == NULL)
3358         return NULL;
3359     return c->name;
3360 }
3361 
3362 /** return a STACK of the ciphers available for the SSL_CTX and in order of
3363  * preference */
STACK_OF(SSL_CIPHER)3364 STACK_OF(SSL_CIPHER) *SSL_CTX_get_ciphers(const SSL_CTX *ctx)
3365 {
3366     if (ctx != NULL)
3367         return ctx->cipher_list;
3368     return NULL;
3369 }
3370 
3371 /*
3372  * Distinguish between ciphers controlled by set_ciphersuite() and
3373  * set_cipher_list() when counting.
3374  */
cipher_list_tls12_num(STACK_OF (SSL_CIPHER)* sk)3375 static int cipher_list_tls12_num(STACK_OF(SSL_CIPHER) *sk)
3376 {
3377     int i, num = 0;
3378     const SSL_CIPHER *c;
3379 
3380     if (sk == NULL)
3381         return 0;
3382     for (i = 0; i < sk_SSL_CIPHER_num(sk); ++i) {
3383         c = sk_SSL_CIPHER_value(sk, i);
3384         if (c->min_tls >= TLS1_3_VERSION)
3385             continue;
3386         num++;
3387     }
3388     return num;
3389 }
3390 
3391 /** specify the ciphers to be used by default by the SSL_CTX */
SSL_CTX_set_cipher_list(SSL_CTX * ctx,const char * str)3392 int SSL_CTX_set_cipher_list(SSL_CTX *ctx, const char *str)
3393 {
3394     STACK_OF(SSL_CIPHER) *sk;
3395 
3396     sk = ssl_create_cipher_list(ctx, ctx->tls13_ciphersuites,
3397                                 &ctx->cipher_list, &ctx->cipher_list_by_id, str,
3398                                 ctx->cert);
3399     /*
3400      * ssl_create_cipher_list may return an empty stack if it was unable to
3401      * find a cipher matching the given rule string (for example if the rule
3402      * string specifies a cipher which has been disabled). This is not an
3403      * error as far as ssl_create_cipher_list is concerned, and hence
3404      * ctx->cipher_list and ctx->cipher_list_by_id has been updated.
3405      */
3406     if (sk == NULL)
3407         return 0;
3408     if (ctx->method->num_ciphers() > 0 && cipher_list_tls12_num(sk) == 0) {
3409         ERR_raise(ERR_LIB_SSL, SSL_R_NO_CIPHER_MATCH);
3410         return 0;
3411     }
3412     return 1;
3413 }
3414 
3415 /** specify the ciphers to be used by the SSL */
SSL_set_cipher_list(SSL * s,const char * str)3416 int SSL_set_cipher_list(SSL *s, const char *str)
3417 {
3418     STACK_OF(SSL_CIPHER) *sk;
3419     SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
3420     SSL_CTX *ctx;
3421 
3422     if (sc == NULL)
3423         return 0;
3424 
3425     ctx = s->ctx;
3426     sk = ssl_create_cipher_list(ctx, sc->tls13_ciphersuites,
3427                                 &sc->cipher_list, &sc->cipher_list_by_id, str,
3428                                 sc->cert);
3429     /* see comment in SSL_CTX_set_cipher_list */
3430     if (sk == NULL)
3431         return 0;
3432     if (ctx->method->num_ciphers() > 0 && cipher_list_tls12_num(sk) == 0) {
3433         ERR_raise(ERR_LIB_SSL, SSL_R_NO_CIPHER_MATCH);
3434         return 0;
3435     }
3436     return 1;
3437 }
3438 
SSL_get_shared_ciphers(const SSL * s,char * buf,int size)3439 char *SSL_get_shared_ciphers(const SSL *s, char *buf, int size)
3440 {
3441     char *p;
3442     STACK_OF(SSL_CIPHER) *clntsk, *srvrsk;
3443     const SSL_CIPHER *c;
3444     int i;
3445     const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
3446 
3447     if (sc == NULL)
3448         return NULL;
3449 
3450     if (!sc->server
3451             || sc->peer_ciphers == NULL
3452             || size < 2)
3453         return NULL;
3454 
3455     p = buf;
3456     clntsk = sc->peer_ciphers;
3457     srvrsk = SSL_get_ciphers(s);
3458     if (clntsk == NULL || srvrsk == NULL)
3459         return NULL;
3460 
3461     if (sk_SSL_CIPHER_num(clntsk) == 0 || sk_SSL_CIPHER_num(srvrsk) == 0)
3462         return NULL;
3463 
3464     for (i = 0; i < sk_SSL_CIPHER_num(clntsk); i++) {
3465         int n;
3466 
3467         c = sk_SSL_CIPHER_value(clntsk, i);
3468         if (sk_SSL_CIPHER_find(srvrsk, c) < 0)
3469             continue;
3470 
3471         n = OPENSSL_strnlen(c->name, size);
3472         if (n >= size) {
3473             if (p != buf)
3474                 --p;
3475             *p = '\0';
3476             return buf;
3477         }
3478         memcpy(p, c->name, n);
3479         p += n;
3480         *(p++) = ':';
3481         size -= n + 1;
3482     }
3483     p[-1] = '\0';
3484     return buf;
3485 }
3486 
3487 /**
3488  * Return the requested servername (SNI) value. Note that the behaviour varies
3489  * depending on:
3490  * - whether this is called by the client or the server,
3491  * - if we are before or during/after the handshake,
3492  * - if a resumption or normal handshake is being attempted/has occurred
3493  * - whether we have negotiated TLSv1.2 (or below) or TLSv1.3
3494  *
3495  * Note that only the host_name type is defined (RFC 3546).
3496  */
SSL_get_servername(const SSL * s,const int type)3497 const char *SSL_get_servername(const SSL *s, const int type)
3498 {
3499     const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
3500     int server;
3501 
3502     if (sc == NULL)
3503         return NULL;
3504 
3505     /*
3506      * If we don't know if we are the client or the server yet then we assume
3507      * client.
3508      */
3509     server = sc->handshake_func == NULL ? 0 : sc->server;
3510 
3511     if (type != TLSEXT_NAMETYPE_host_name)
3512         return NULL;
3513 
3514     if (server) {
3515         /**
3516          * Server side
3517          * In TLSv1.3 on the server SNI is not associated with the session
3518          * but in TLSv1.2 or below it is.
3519          *
3520          * Before the handshake:
3521          *  - return NULL
3522          *
3523          * During/after the handshake (TLSv1.2 or below resumption occurred):
3524          * - If a servername was accepted by the server in the original
3525          *   handshake then it will return that servername, or NULL otherwise.
3526          *
3527          * During/after the handshake (TLSv1.2 or below resumption did not occur):
3528          * - The function will return the servername requested by the client in
3529          *   this handshake or NULL if none was requested.
3530          */
3531          if (sc->hit && !SSL_CONNECTION_IS_TLS13(sc))
3532             return sc->session->ext.hostname;
3533     } else {
3534         /**
3535          * Client side
3536          *
3537          * Before the handshake:
3538          *  - If a servername has been set via a call to
3539          *    SSL_set_tlsext_host_name() then it will return that servername
3540          *  - If one has not been set, but a TLSv1.2 resumption is being
3541          *    attempted and the session from the original handshake had a
3542          *    servername accepted by the server then it will return that
3543          *    servername
3544          *  - Otherwise it returns NULL
3545          *
3546          * During/after the handshake (TLSv1.2 or below resumption occurred):
3547          * - If the session from the original handshake had a servername accepted
3548          *   by the server then it will return that servername.
3549          * - Otherwise it returns the servername set via
3550          *   SSL_set_tlsext_host_name() (or NULL if it was not called).
3551          *
3552          * During/after the handshake (TLSv1.2 or below resumption did not occur):
3553          * - It will return the servername set via SSL_set_tlsext_host_name()
3554          *   (or NULL if it was not called).
3555          */
3556         if (SSL_in_before(s)) {
3557             if (sc->ext.hostname == NULL
3558                     && sc->session != NULL
3559                     && sc->session->ssl_version != TLS1_3_VERSION)
3560                 return sc->session->ext.hostname;
3561         } else {
3562             if (!SSL_CONNECTION_IS_TLS13(sc) && sc->hit
3563                 && sc->session->ext.hostname != NULL)
3564                 return sc->session->ext.hostname;
3565         }
3566     }
3567 
3568     return sc->ext.hostname;
3569 }
3570 
SSL_get_servername_type(const SSL * s)3571 int SSL_get_servername_type(const SSL *s)
3572 {
3573     if (SSL_get_servername(s, TLSEXT_NAMETYPE_host_name) != NULL)
3574         return TLSEXT_NAMETYPE_host_name;
3575     return -1;
3576 }
3577 
3578 /*
3579  * SSL_select_next_proto implements the standard protocol selection. It is
3580  * expected that this function is called from the callback set by
3581  * SSL_CTX_set_next_proto_select_cb. The protocol data is assumed to be a
3582  * vector of 8-bit, length prefixed byte strings. The length byte itself is
3583  * not included in the length. A byte string of length 0 is invalid. No byte
3584  * string may be truncated. The current, but experimental algorithm for
3585  * selecting the protocol is: 1) If the server doesn't support NPN then this
3586  * is indicated to the callback. In this case, the client application has to
3587  * abort the connection or have a default application level protocol. 2) If
3588  * the server supports NPN, but advertises an empty list then the client
3589  * selects the first protocol in its list, but indicates via the API that this
3590  * fallback case was enacted. 3) Otherwise, the client finds the first
3591  * protocol in the server's list that it supports and selects this protocol.
3592  * This is because it's assumed that the server has better information about
3593  * which protocol a client should use. 4) If the client doesn't support any
3594  * of the server's advertised protocols, then this is treated the same as
3595  * case 2. It returns either OPENSSL_NPN_NEGOTIATED if a common protocol was
3596  * found, or OPENSSL_NPN_NO_OVERLAP if the fallback case was reached.
3597  */
SSL_select_next_proto(unsigned char ** out,unsigned char * outlen,const unsigned char * server,unsigned int server_len,const unsigned char * client,unsigned int client_len)3598 int SSL_select_next_proto(unsigned char **out, unsigned char *outlen,
3599                           const unsigned char *server,
3600                           unsigned int server_len,
3601                           const unsigned char *client, unsigned int client_len)
3602 {
3603     PACKET cpkt, csubpkt, spkt, ssubpkt;
3604 
3605     if (!PACKET_buf_init(&cpkt, client, client_len)
3606             || !PACKET_get_length_prefixed_1(&cpkt, &csubpkt)
3607             || PACKET_remaining(&csubpkt) == 0) {
3608         *out = NULL;
3609         *outlen = 0;
3610         return OPENSSL_NPN_NO_OVERLAP;
3611     }
3612 
3613     /*
3614      * Set the default opportunistic protocol. Will be overwritten if we find
3615      * a match.
3616      */
3617     *out = (unsigned char *)PACKET_data(&csubpkt);
3618     *outlen = (unsigned char)PACKET_remaining(&csubpkt);
3619 
3620     /*
3621      * For each protocol in server preference order, see if we support it.
3622      */
3623     if (PACKET_buf_init(&spkt, server, server_len)) {
3624         while (PACKET_get_length_prefixed_1(&spkt, &ssubpkt)) {
3625             if (PACKET_remaining(&ssubpkt) == 0)
3626                 continue; /* Invalid - ignore it */
3627             if (PACKET_buf_init(&cpkt, client, client_len)) {
3628                 while (PACKET_get_length_prefixed_1(&cpkt, &csubpkt)) {
3629                     if (PACKET_equal(&csubpkt, PACKET_data(&ssubpkt),
3630                                      PACKET_remaining(&ssubpkt))) {
3631                         /* We found a match */
3632                         *out = (unsigned char *)PACKET_data(&ssubpkt);
3633                         *outlen = (unsigned char)PACKET_remaining(&ssubpkt);
3634                         return OPENSSL_NPN_NEGOTIATED;
3635                     }
3636                 }
3637                 /* Ignore spurious trailing bytes in the client list */
3638             } else {
3639                 /* This should never happen */
3640                 return OPENSSL_NPN_NO_OVERLAP;
3641             }
3642         }
3643         /* Ignore spurious trailing bytes in the server list */
3644     }
3645 
3646     /*
3647      * There's no overlap between our protocols and the server's list. We use
3648      * the default opportunistic protocol selected earlier
3649      */
3650     return OPENSSL_NPN_NO_OVERLAP;
3651 }
3652 
3653 #ifndef OPENSSL_NO_NEXTPROTONEG
3654 /*
3655  * SSL_get0_next_proto_negotiated sets *data and *len to point to the
3656  * client's requested protocol for this connection and returns 0. If the
3657  * client didn't request any protocol, then *data is set to NULL. Note that
3658  * the client can request any protocol it chooses. The value returned from
3659  * this function need not be a member of the list of supported protocols
3660  * provided by the callback.
3661  */
SSL_get0_next_proto_negotiated(const SSL * s,const unsigned char ** data,unsigned * len)3662 void SSL_get0_next_proto_negotiated(const SSL *s, const unsigned char **data,
3663                                     unsigned *len)
3664 {
3665     const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
3666 
3667     if (sc == NULL) {
3668         /* We have no other way to indicate error */
3669         *data = NULL;
3670         *len = 0;
3671         return;
3672     }
3673 
3674     *data = sc->ext.npn;
3675     if (*data == NULL) {
3676         *len = 0;
3677     } else {
3678         *len = (unsigned int)sc->ext.npn_len;
3679     }
3680 }
3681 
3682 /*
3683  * SSL_CTX_set_npn_advertised_cb sets a callback that is called when
3684  * a TLS server needs a list of supported protocols for Next Protocol
3685  * Negotiation. The returned list must be in wire format.  The list is
3686  * returned by setting |out| to point to it and |outlen| to its length. This
3687  * memory will not be modified, but one should assume that the SSL* keeps a
3688  * reference to it. The callback should return SSL_TLSEXT_ERR_OK if it
3689  * wishes to advertise. Otherwise, no such extension will be included in the
3690  * ServerHello.
3691  */
SSL_CTX_set_npn_advertised_cb(SSL_CTX * ctx,SSL_CTX_npn_advertised_cb_func cb,void * arg)3692 void SSL_CTX_set_npn_advertised_cb(SSL_CTX *ctx,
3693                                    SSL_CTX_npn_advertised_cb_func cb,
3694                                    void *arg)
3695 {
3696     if (IS_QUIC_CTX(ctx))
3697         /* NPN not allowed for QUIC */
3698         return;
3699 
3700     ctx->ext.npn_advertised_cb = cb;
3701     ctx->ext.npn_advertised_cb_arg = arg;
3702 }
3703 
3704 /*
3705  * SSL_CTX_set_next_proto_select_cb sets a callback that is called when a
3706  * client needs to select a protocol from the server's provided list. |out|
3707  * must be set to point to the selected protocol (which may be within |in|).
3708  * The length of the protocol name must be written into |outlen|. The
3709  * server's advertised protocols are provided in |in| and |inlen|. The
3710  * callback can assume that |in| is syntactically valid. The client must
3711  * select a protocol. It is fatal to the connection if this callback returns
3712  * a value other than SSL_TLSEXT_ERR_OK.
3713  */
SSL_CTX_set_npn_select_cb(SSL_CTX * ctx,SSL_CTX_npn_select_cb_func cb,void * arg)3714 void SSL_CTX_set_npn_select_cb(SSL_CTX *ctx,
3715                                SSL_CTX_npn_select_cb_func cb,
3716                                void *arg)
3717 {
3718     if (IS_QUIC_CTX(ctx))
3719         /* NPN not allowed for QUIC */
3720         return;
3721 
3722     ctx->ext.npn_select_cb = cb;
3723     ctx->ext.npn_select_cb_arg = arg;
3724 }
3725 #endif
3726 
alpn_value_ok(const unsigned char * protos,unsigned int protos_len)3727 static int alpn_value_ok(const unsigned char *protos, unsigned int protos_len)
3728 {
3729     unsigned int idx;
3730 
3731     if (protos_len < 2 || protos == NULL)
3732         return 0;
3733 
3734     for (idx = 0; idx < protos_len; idx += protos[idx] + 1) {
3735         if (protos[idx] == 0)
3736             return 0;
3737     }
3738     return idx == protos_len;
3739 }
3740 /*
3741  * SSL_CTX_set_alpn_protos sets the ALPN protocol list on |ctx| to |protos|.
3742  * |protos| must be in wire-format (i.e. a series of non-empty, 8-bit
3743  * length-prefixed strings). Returns 0 on success.
3744  */
SSL_CTX_set_alpn_protos(SSL_CTX * ctx,const unsigned char * protos,unsigned int protos_len)3745 int SSL_CTX_set_alpn_protos(SSL_CTX *ctx, const unsigned char *protos,
3746                             unsigned int protos_len)
3747 {
3748     unsigned char *alpn;
3749 
3750     if (protos_len == 0 || protos == NULL) {
3751         OPENSSL_free(ctx->ext.alpn);
3752         ctx->ext.alpn = NULL;
3753         ctx->ext.alpn_len = 0;
3754         return 0;
3755     }
3756     /* Not valid per RFC */
3757     if (!alpn_value_ok(protos, protos_len))
3758         return 1;
3759 
3760     alpn = OPENSSL_memdup(protos, protos_len);
3761     if (alpn == NULL)
3762         return 1;
3763     OPENSSL_free(ctx->ext.alpn);
3764     ctx->ext.alpn = alpn;
3765     ctx->ext.alpn_len = protos_len;
3766 
3767     return 0;
3768 }
3769 
3770 /*
3771  * SSL_set_alpn_protos sets the ALPN protocol list on |ssl| to |protos|.
3772  * |protos| must be in wire-format (i.e. a series of non-empty, 8-bit
3773  * length-prefixed strings). Returns 0 on success.
3774  */
SSL_set_alpn_protos(SSL * ssl,const unsigned char * protos,unsigned int protos_len)3775 int SSL_set_alpn_protos(SSL *ssl, const unsigned char *protos,
3776                         unsigned int protos_len)
3777 {
3778     unsigned char *alpn;
3779     SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(ssl);
3780 
3781     if (sc == NULL)
3782         return 1;
3783 
3784     if (protos_len == 0 || protos == NULL) {
3785         OPENSSL_free(sc->ext.alpn);
3786         sc->ext.alpn = NULL;
3787         sc->ext.alpn_len = 0;
3788         return 0;
3789     }
3790     /* Not valid per RFC */
3791     if (!alpn_value_ok(protos, protos_len))
3792         return 1;
3793 
3794     alpn = OPENSSL_memdup(protos, protos_len);
3795     if (alpn == NULL)
3796         return 1;
3797     OPENSSL_free(sc->ext.alpn);
3798     sc->ext.alpn = alpn;
3799     sc->ext.alpn_len = protos_len;
3800 
3801     return 0;
3802 }
3803 
3804 /*
3805  * SSL_CTX_set_alpn_select_cb sets a callback function on |ctx| that is
3806  * called during ClientHello processing in order to select an ALPN protocol
3807  * from the client's list of offered protocols.
3808  */
SSL_CTX_set_alpn_select_cb(SSL_CTX * ctx,SSL_CTX_alpn_select_cb_func cb,void * arg)3809 void SSL_CTX_set_alpn_select_cb(SSL_CTX *ctx,
3810                                 SSL_CTX_alpn_select_cb_func cb,
3811                                 void *arg)
3812 {
3813     ctx->ext.alpn_select_cb = cb;
3814     ctx->ext.alpn_select_cb_arg = arg;
3815 }
3816 
3817 /*
3818  * SSL_get0_alpn_selected gets the selected ALPN protocol (if any) from |ssl|.
3819  * On return it sets |*data| to point to |*len| bytes of protocol name
3820  * (not including the leading length-prefix byte). If the server didn't
3821  * respond with a negotiated protocol then |*len| will be zero.
3822  */
SSL_get0_alpn_selected(const SSL * ssl,const unsigned char ** data,unsigned int * len)3823 void SSL_get0_alpn_selected(const SSL *ssl, const unsigned char **data,
3824                             unsigned int *len)
3825 {
3826     const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(ssl);
3827 
3828     if (sc == NULL) {
3829         /* We have no other way to indicate error */
3830         *data = NULL;
3831         *len = 0;
3832         return;
3833     }
3834 
3835     *data = sc->s3.alpn_selected;
3836     if (*data == NULL)
3837         *len = 0;
3838     else
3839         *len = (unsigned int)sc->s3.alpn_selected_len;
3840 }
3841 
SSL_export_keying_material(SSL * s,unsigned char * out,size_t olen,const char * label,size_t llen,const unsigned char * context,size_t contextlen,int use_context)3842 int SSL_export_keying_material(SSL *s, unsigned char *out, size_t olen,
3843                                const char *label, size_t llen,
3844                                const unsigned char *context, size_t contextlen,
3845                                int use_context)
3846 {
3847     SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
3848 
3849     if (sc == NULL)
3850         return -1;
3851 
3852     if (sc->session == NULL
3853         || (sc->version < TLS1_VERSION && sc->version != DTLS1_BAD_VER))
3854         return -1;
3855 
3856     return sc->ssl.method->ssl3_enc->export_keying_material(sc, out, olen, label,
3857                                                             llen, context,
3858                                                             contextlen,
3859                                                             use_context);
3860 }
3861 
SSL_export_keying_material_early(SSL * s,unsigned char * out,size_t olen,const char * label,size_t llen,const unsigned char * context,size_t contextlen)3862 int SSL_export_keying_material_early(SSL *s, unsigned char *out, size_t olen,
3863                                      const char *label, size_t llen,
3864                                      const unsigned char *context,
3865                                      size_t contextlen)
3866 {
3867     SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
3868 
3869     if (sc == NULL)
3870         return -1;
3871 
3872     if (sc->version != TLS1_3_VERSION)
3873         return 0;
3874 
3875     return tls13_export_keying_material_early(sc, out, olen, label, llen,
3876                                               context, contextlen);
3877 }
3878 
ssl_session_hash(const SSL_SESSION * a)3879 static unsigned long ssl_session_hash(const SSL_SESSION *a)
3880 {
3881     const unsigned char *session_id = a->session_id;
3882     unsigned long l;
3883     unsigned char tmp_storage[4];
3884 
3885     if (a->session_id_length < sizeof(tmp_storage)) {
3886         memset(tmp_storage, 0, sizeof(tmp_storage));
3887         memcpy(tmp_storage, a->session_id, a->session_id_length);
3888         session_id = tmp_storage;
3889     }
3890 
3891     l = (unsigned long)
3892         ((unsigned long)session_id[0]) |
3893         ((unsigned long)session_id[1] << 8L) |
3894         ((unsigned long)session_id[2] << 16L) |
3895         ((unsigned long)session_id[3] << 24L);
3896     return l;
3897 }
3898 
3899 /*
3900  * NB: If this function (or indeed the hash function which uses a sort of
3901  * coarser function than this one) is changed, ensure
3902  * SSL_CTX_has_matching_session_id() is checked accordingly. It relies on
3903  * being able to construct an SSL_SESSION that will collide with any existing
3904  * session with a matching session ID.
3905  */
ssl_session_cmp(const SSL_SESSION * a,const SSL_SESSION * b)3906 static int ssl_session_cmp(const SSL_SESSION *a, const SSL_SESSION *b)
3907 {
3908     if (a->ssl_version != b->ssl_version)
3909         return 1;
3910     if (a->session_id_length != b->session_id_length)
3911         return 1;
3912     return memcmp(a->session_id, b->session_id, a->session_id_length);
3913 }
3914 
3915 #ifndef OPENSSL_NO_SSLKEYLOG
3916 /**
3917  * @brief Static initialization for a one-time action to initialize the SSL key log.
3918  */
3919 static CRYPTO_ONCE ssl_keylog_once = CRYPTO_ONCE_STATIC_INIT;
3920 
3921 /**
3922  * @brief Pointer to a read-write lock used to protect access to the key log.
3923  */
3924 static CRYPTO_RWLOCK *keylog_lock = NULL;
3925 
3926 /**
3927  * @brief Pointer to a BIO structure used for writing the key log information.
3928  */
3929 static BIO *keylog_bio = NULL;
3930 
3931 /**
3932  * @brief Initializes the SSLKEYLOGFILE lock.
3933  *
3934  * @return 1 on success, 0 on failure.
3935  */
DEFINE_RUN_ONCE_STATIC(ssl_keylog_init)3936 DEFINE_RUN_ONCE_STATIC(ssl_keylog_init)
3937 {
3938     keylog_lock = CRYPTO_THREAD_lock_new();
3939     if (keylog_lock == NULL)
3940         return 0;
3941     return 1;
3942 }
3943 
3944 /**
3945  * @brief checks when a BIO refcount has reached zero, and sets
3946  * keylog_cb to NULL if it has
3947  *
3948  * @returns 1 always
3949  */
check_keylog_bio_free(BIO * b,int oper,const char * argp,size_t len,int argi,long argl,int ret,size_t * processed)3950 static long check_keylog_bio_free(BIO *b, int oper, const char *argp,
3951                                   size_t len, int argi, long argl, int ret,
3952                                   size_t *processed)
3953 {
3954 
3955     /*
3956      * Note we _dont_ take the keylog_lock here
3957      * This is intentional, because we only free the keylog lock
3958      * During SSL_CTX_free, in which we already posess the lock, so
3959      * Theres no need to grab it again here
3960      */
3961     if (oper == BIO_CB_FREE)
3962         keylog_bio = NULL;
3963     return ret;
3964 }
3965 
3966 /**
3967  * @brief records ssl secrets to a file
3968  */
do_sslkeylogfile(const SSL * ssl,const char * line)3969 static void do_sslkeylogfile(const SSL *ssl, const char *line)
3970 {
3971     if (keylog_lock == NULL)
3972         return;
3973 
3974     if (!CRYPTO_THREAD_write_lock(keylog_lock))
3975         return;
3976     if (keylog_bio != NULL) {
3977         BIO_printf(keylog_bio, "%s\n", line);
3978         (void)BIO_flush(keylog_bio);
3979     }
3980     CRYPTO_THREAD_unlock(keylog_lock);
3981 }
3982 #endif
3983 
3984 /*
3985  * These wrapper functions should remain rather than redeclaring
3986  * SSL_SESSION_hash and SSL_SESSION_cmp for void* types and casting each
3987  * variable. The reason is that the functions aren't static, they're exposed
3988  * via ssl.h.
3989  */
3990 
3991 #ifndef OPENSSL_NO_SSLKEYLOG
get_sslkeylog_bio(const char * keylogfile)3992 static BIO *get_sslkeylog_bio(const char *keylogfile)
3993 {
3994 # ifdef _POSIX_C_SOURCE
3995     BIO *b;
3996     int fdno = -1;
3997     FILE *fp = NULL;
3998 
3999     fdno = open(keylogfile, O_WRONLY | O_CREAT | O_APPEND,  0600);
4000     if (fdno < 0)
4001         return NULL;
4002 
4003     fp = fdopen(fdno, "a");
4004     if (fp == NULL) {
4005         close(fdno);
4006         return NULL;
4007     }
4008 
4009     if ((b = BIO_new_fp(fp, BIO_CLOSE)) == NULL)
4010         fclose(fp);
4011     return b;
4012 # else
4013     return BIO_new_file(keylogfile, "a");
4014 # endif
4015 }
4016 #endif
4017 
SSL_CTX_new_ex(OSSL_LIB_CTX * libctx,const char * propq,const SSL_METHOD * meth)4018 SSL_CTX *SSL_CTX_new_ex(OSSL_LIB_CTX *libctx, const char *propq,
4019                         const SSL_METHOD *meth)
4020 {
4021     SSL_CTX *ret = NULL;
4022 #ifndef OPENSSL_NO_SSLKEYLOG
4023     const char *keylogfile = ossl_safe_getenv("SSLKEYLOGFILE");
4024 #endif
4025 #ifndef OPENSSL_NO_COMP_ALG
4026     int i;
4027 #endif
4028 
4029     if (meth == NULL) {
4030         ERR_raise(ERR_LIB_SSL, SSL_R_NULL_SSL_METHOD_PASSED);
4031         return NULL;
4032     }
4033 
4034     if (!OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS, NULL))
4035         return NULL;
4036 
4037     /* Doing this for the run once effect */
4038     if (SSL_get_ex_data_X509_STORE_CTX_idx() < 0) {
4039         ERR_raise(ERR_LIB_SSL, SSL_R_X509_VERIFICATION_SETUP_PROBLEMS);
4040         goto err;
4041     }
4042 
4043     ret = OPENSSL_zalloc(sizeof(*ret));
4044     if (ret == NULL)
4045         return NULL;
4046 
4047     /* Init the reference counting before any call to SSL_CTX_free */
4048     if (!CRYPTO_NEW_REF(&ret->references, 1)) {
4049         OPENSSL_free(ret);
4050         return NULL;
4051     }
4052 
4053     ret->lock = CRYPTO_THREAD_lock_new();
4054     if (ret->lock == NULL) {
4055         ERR_raise(ERR_LIB_SSL, ERR_R_CRYPTO_LIB);
4056         goto err;
4057     }
4058 
4059 #ifdef TSAN_REQUIRES_LOCKING
4060     ret->tsan_lock = CRYPTO_THREAD_lock_new();
4061     if (ret->tsan_lock == NULL) {
4062         ERR_raise(ERR_LIB_SSL, ERR_R_CRYPTO_LIB);
4063         goto err;
4064     }
4065 #endif
4066 
4067     ret->libctx = libctx;
4068     if (propq != NULL) {
4069         ret->propq = OPENSSL_strdup(propq);
4070         if (ret->propq == NULL)
4071             goto err;
4072     }
4073 
4074     ret->method = meth;
4075     ret->min_proto_version = 0;
4076     ret->max_proto_version = 0;
4077     ret->mode = SSL_MODE_AUTO_RETRY;
4078     ret->session_cache_mode = SSL_SESS_CACHE_SERVER;
4079     ret->session_cache_size = SSL_SESSION_CACHE_MAX_SIZE_DEFAULT;
4080     /* We take the system default. */
4081     ret->session_timeout = meth->get_timeout();
4082     ret->max_cert_list = SSL_MAX_CERT_LIST_DEFAULT;
4083     ret->verify_mode = SSL_VERIFY_NONE;
4084 
4085     ret->sessions = lh_SSL_SESSION_new(ssl_session_hash, ssl_session_cmp);
4086     if (ret->sessions == NULL) {
4087         ERR_raise(ERR_LIB_SSL, ERR_R_CRYPTO_LIB);
4088         goto err;
4089     }
4090     ret->cert_store = X509_STORE_new();
4091     if (ret->cert_store == NULL) {
4092         ERR_raise(ERR_LIB_SSL, ERR_R_X509_LIB);
4093         goto err;
4094     }
4095 #ifndef OPENSSL_NO_CT
4096     ret->ctlog_store = CTLOG_STORE_new_ex(libctx, propq);
4097     if (ret->ctlog_store == NULL) {
4098         ERR_raise(ERR_LIB_SSL, ERR_R_CT_LIB);
4099         goto err;
4100     }
4101 #endif
4102 
4103     /* initialize cipher/digest methods table */
4104     if (!ssl_load_ciphers(ret)) {
4105         ERR_raise(ERR_LIB_SSL, ERR_R_SSL_LIB);
4106         goto err;
4107     }
4108 
4109     if (!ssl_load_groups(ret)) {
4110         ERR_raise(ERR_LIB_SSL, ERR_R_SSL_LIB);
4111         goto err;
4112     }
4113 
4114     /* load provider sigalgs */
4115     if (!ssl_load_sigalgs(ret)) {
4116         ERR_raise(ERR_LIB_SSL, ERR_R_SSL_LIB);
4117         goto err;
4118     }
4119 
4120     /* initialise sig algs */
4121     if (!ssl_setup_sigalgs(ret)) {
4122         ERR_raise(ERR_LIB_SSL, ERR_R_SSL_LIB);
4123         goto err;
4124     }
4125 
4126     if (!SSL_CTX_set_ciphersuites(ret, OSSL_default_ciphersuites())) {
4127         ERR_raise(ERR_LIB_SSL, ERR_R_SSL_LIB);
4128         goto err;
4129     }
4130 
4131     if ((ret->cert = ssl_cert_new(SSL_PKEY_NUM + ret->sigalg_list_len)) == NULL) {
4132         ERR_raise(ERR_LIB_SSL, ERR_R_SSL_LIB);
4133         goto err;
4134     }
4135 
4136     if (!ssl_create_cipher_list(ret,
4137                                 ret->tls13_ciphersuites,
4138                                 &ret->cipher_list, &ret->cipher_list_by_id,
4139                                 OSSL_default_cipher_list(), ret->cert)
4140         || sk_SSL_CIPHER_num(ret->cipher_list) <= 0) {
4141         ERR_raise(ERR_LIB_SSL, SSL_R_LIBRARY_HAS_NO_CIPHERS);
4142         goto err;
4143     }
4144 
4145     ret->param = X509_VERIFY_PARAM_new();
4146     if (ret->param == NULL) {
4147         ERR_raise(ERR_LIB_SSL, ERR_R_X509_LIB);
4148         goto err;
4149     }
4150 
4151     /*
4152      * If these aren't available from the provider we'll get NULL returns.
4153      * That's fine but will cause errors later if SSLv3 is negotiated
4154      */
4155     ret->md5 = ssl_evp_md_fetch(libctx, NID_md5, propq);
4156     ret->sha1 = ssl_evp_md_fetch(libctx, NID_sha1, propq);
4157 
4158     if ((ret->ca_names = sk_X509_NAME_new_null()) == NULL) {
4159         ERR_raise(ERR_LIB_SSL, ERR_R_CRYPTO_LIB);
4160         goto err;
4161     }
4162 
4163     if ((ret->client_ca_names = sk_X509_NAME_new_null()) == NULL) {
4164         ERR_raise(ERR_LIB_SSL, ERR_R_CRYPTO_LIB);
4165         goto err;
4166     }
4167 
4168     if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL_CTX, ret, &ret->ex_data)) {
4169         ERR_raise(ERR_LIB_SSL, ERR_R_CRYPTO_LIB);
4170         goto err;
4171     }
4172 
4173     if ((ret->ext.secure = OPENSSL_secure_zalloc(sizeof(*ret->ext.secure))) == NULL)
4174         goto err;
4175 
4176     /* No compression for DTLS */
4177     if (!(meth->ssl3_enc->enc_flags & SSL_ENC_FLAG_DTLS))
4178         ret->comp_methods = SSL_COMP_get_compression_methods();
4179 
4180     ret->max_send_fragment = SSL3_RT_MAX_PLAIN_LENGTH;
4181     ret->split_send_fragment = SSL3_RT_MAX_PLAIN_LENGTH;
4182 
4183     /* Setup RFC5077 ticket keys */
4184     if ((RAND_bytes_ex(libctx, ret->ext.tick_key_name,
4185                        sizeof(ret->ext.tick_key_name), 0) <= 0)
4186         || (RAND_priv_bytes_ex(libctx, ret->ext.secure->tick_hmac_key,
4187                                sizeof(ret->ext.secure->tick_hmac_key), 0) <= 0)
4188         || (RAND_priv_bytes_ex(libctx, ret->ext.secure->tick_aes_key,
4189                                sizeof(ret->ext.secure->tick_aes_key), 0) <= 0))
4190         ret->options |= SSL_OP_NO_TICKET;
4191 
4192     if (RAND_priv_bytes_ex(libctx, ret->ext.cookie_hmac_key,
4193                            sizeof(ret->ext.cookie_hmac_key), 0) <= 0) {
4194         ERR_raise(ERR_LIB_SSL, ERR_R_RAND_LIB);
4195         goto err;
4196     }
4197 
4198 #ifndef OPENSSL_NO_SRP
4199     if (!ssl_ctx_srp_ctx_init_intern(ret)) {
4200         ERR_raise(ERR_LIB_SSL, ERR_R_SSL_LIB);
4201         goto err;
4202     }
4203 #endif
4204 #ifndef OPENSSL_NO_ENGINE
4205 # ifdef OPENSSL_SSL_CLIENT_ENGINE_AUTO
4206 #  define eng_strx(x)     #x
4207 #  define eng_str(x)      eng_strx(x)
4208     /* Use specific client engine automatically... ignore errors */
4209     {
4210         ENGINE *eng;
4211         eng = ENGINE_by_id(eng_str(OPENSSL_SSL_CLIENT_ENGINE_AUTO));
4212         if (!eng) {
4213             ERR_clear_error();
4214             ENGINE_load_builtin_engines();
4215             eng = ENGINE_by_id(eng_str(OPENSSL_SSL_CLIENT_ENGINE_AUTO));
4216         }
4217         if (!eng || !SSL_CTX_set_client_cert_engine(ret, eng))
4218             ERR_clear_error();
4219     }
4220 # endif
4221 #endif
4222 
4223 #ifndef OPENSSL_NO_COMP_ALG
4224     /*
4225      * Set the default order: brotli, zlib, zstd
4226      * Including only those enabled algorithms
4227      */
4228     memset(ret->cert_comp_prefs, 0, sizeof(ret->cert_comp_prefs));
4229     i = 0;
4230     if (ossl_comp_has_alg(TLSEXT_comp_cert_brotli))
4231         ret->cert_comp_prefs[i++] = TLSEXT_comp_cert_brotli;
4232     if (ossl_comp_has_alg(TLSEXT_comp_cert_zlib))
4233         ret->cert_comp_prefs[i++] = TLSEXT_comp_cert_zlib;
4234     if (ossl_comp_has_alg(TLSEXT_comp_cert_zstd))
4235         ret->cert_comp_prefs[i++] = TLSEXT_comp_cert_zstd;
4236 #endif
4237     /*
4238      * Disable compression by default to prevent CRIME. Applications can
4239      * re-enable compression by configuring
4240      * SSL_CTX_clear_options(ctx, SSL_OP_NO_COMPRESSION);
4241      * or by using the SSL_CONF library. Similarly we also enable TLSv1.3
4242      * middlebox compatibility by default. This may be disabled by default in
4243      * a later OpenSSL version.
4244      */
4245     ret->options |= SSL_OP_NO_COMPRESSION | SSL_OP_ENABLE_MIDDLEBOX_COMPAT;
4246 
4247     ret->ext.status_type = TLSEXT_STATUSTYPE_nothing;
4248 
4249     /*
4250      * We cannot usefully set a default max_early_data here (which gets
4251      * propagated in SSL_new(), for the following reason: setting the
4252      * SSL field causes tls_construct_stoc_early_data() to tell the
4253      * client that early data will be accepted when constructing a TLS 1.3
4254      * session ticket, and the client will accordingly send us early data
4255      * when using that ticket (if the client has early data to send).
4256      * However, in order for the early data to actually be consumed by
4257      * the application, the application must also have calls to
4258      * SSL_read_early_data(); otherwise we'll just skip past the early data
4259      * and ignore it.  So, since the application must add calls to
4260      * SSL_read_early_data(), we also require them to add
4261      * calls to SSL_CTX_set_max_early_data() in order to use early data,
4262      * eliminating the bandwidth-wasting early data in the case described
4263      * above.
4264      */
4265     ret->max_early_data = 0;
4266 
4267     /*
4268      * Default recv_max_early_data is a fully loaded single record. Could be
4269      * split across multiple records in practice. We set this differently to
4270      * max_early_data so that, in the default case, we do not advertise any
4271      * support for early_data, but if a client were to send us some (e.g.
4272      * because of an old, stale ticket) then we will tolerate it and skip over
4273      * it.
4274      */
4275     ret->recv_max_early_data = SSL3_RT_MAX_PLAIN_LENGTH;
4276 
4277     /* By default we send two session tickets automatically in TLSv1.3 */
4278     ret->num_tickets = 2;
4279 
4280 # ifndef OPENSSL_NO_QUIC
4281     /* only create a cache for client CTX-es */
4282     if (meth == OSSL_QUIC_client_method())
4283         if ((ret->tokencache = ossl_quic_new_token_store()) == NULL)
4284             goto err;
4285     ret->domain_flags = 0;
4286     if (IS_QUIC_METHOD(meth)) {
4287 #  if defined(OPENSSL_THREADS)
4288         if (meth == OSSL_QUIC_client_thread_method())
4289             ret->domain_flags
4290                 = SSL_DOMAIN_FLAG_MULTI_THREAD
4291                 | SSL_DOMAIN_FLAG_THREAD_ASSISTED
4292                 | SSL_DOMAIN_FLAG_BLOCKING;
4293         else
4294             ret->domain_flags
4295                 = SSL_DOMAIN_FLAG_MULTI_THREAD
4296                 | SSL_DOMAIN_FLAG_LEGACY_BLOCKING;
4297 #  else
4298         ret->domain_flags
4299             = SSL_DOMAIN_FLAG_SINGLE_THREAD
4300             | SSL_DOMAIN_FLAG_LEGACY_BLOCKING;
4301 #  endif
4302     }
4303 # endif
4304 
4305     if (!ssl_ctx_system_config(ret)) {
4306         ERR_raise(ERR_LIB_SSL, SSL_R_ERROR_IN_SYSTEM_DEFAULT_CONFIG);
4307         goto err;
4308     }
4309 
4310 #ifndef OPENSSL_NO_SSLKEYLOG
4311     if (keylogfile != NULL && strlen(keylogfile) != 0) {
4312         /* Make sure we have a global lock allocated */
4313         if (!RUN_ONCE(&ssl_keylog_once, ssl_keylog_init)) {
4314             /* use a trace message as a warning */
4315             OSSL_TRACE(TLS, "Unable to initalize keylog data\n");
4316             goto out;
4317         }
4318 
4319         /* Grab our global lock */
4320         if (!CRYPTO_THREAD_write_lock(keylog_lock)) {
4321             OSSL_TRACE(TLS, "Unable to acquire keylog write lock\n");
4322             goto out;
4323         } else {
4324             /*
4325              * If the bio for the requested keylog file hasn't been
4326              * created yet, go ahead and create it, and set it to append
4327              * if its already there.
4328              */
4329             if (keylog_bio == NULL) {
4330                 keylog_bio = get_sslkeylog_bio(keylogfile);
4331                 if (keylog_bio == NULL) {
4332                     OSSL_TRACE(TLS, "Unable to create keylog bio\n");
4333                     goto out;
4334                 }
4335                 BIO_set_callback_ex(keylog_bio, check_keylog_bio_free);
4336             } else {
4337                 /* up our refcount for the already-created case */
4338                 BIO_up_ref(keylog_bio);
4339             }
4340             /* If we have a bio now, assign the callback handler */
4341             if (keylog_bio != NULL)
4342                 ret->do_sslkeylog = 1;
4343             /* unlock, and we're done */
4344             CRYPTO_THREAD_unlock(keylog_lock);
4345         }
4346     }
4347 out:
4348 #endif
4349     return ret;
4350  err:
4351     SSL_CTX_free(ret);
4352 #ifndef OPENSSL_NO_SSLKEYLOG
4353     BIO_free(keylog_bio);
4354 #endif
4355     return NULL;
4356 }
4357 
SSL_CTX_new(const SSL_METHOD * meth)4358 SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth)
4359 {
4360     return SSL_CTX_new_ex(NULL, NULL, meth);
4361 }
4362 
SSL_CTX_up_ref(SSL_CTX * ctx)4363 int SSL_CTX_up_ref(SSL_CTX *ctx)
4364 {
4365     int i;
4366 
4367     if (CRYPTO_UP_REF(&ctx->references, &i) <= 0)
4368         return 0;
4369 
4370     REF_PRINT_COUNT("SSL_CTX", i, ctx);
4371     REF_ASSERT_ISNT(i < 2);
4372     return ((i > 1) ? 1 : 0);
4373 }
4374 
SSL_CTX_free(SSL_CTX * a)4375 void SSL_CTX_free(SSL_CTX *a)
4376 {
4377     int i;
4378     size_t j;
4379 
4380     if (a == NULL)
4381         return;
4382 
4383     CRYPTO_DOWN_REF(&a->references, &i);
4384     REF_PRINT_COUNT("SSL_CTX", i, a);
4385     if (i > 0)
4386         return;
4387     REF_ASSERT_ISNT(i < 0);
4388 
4389 #ifndef OPENSSL_NO_SSLKEYLOG
4390     if (keylog_lock != NULL && CRYPTO_THREAD_write_lock(keylog_lock)) {
4391         if (a->do_sslkeylog == 1)
4392             BIO_free(keylog_bio);
4393         a->do_sslkeylog = 0;
4394         CRYPTO_THREAD_unlock(keylog_lock);
4395     }
4396 #endif
4397 
4398     X509_VERIFY_PARAM_free(a->param);
4399     dane_ctx_final(&a->dane);
4400 
4401     /*
4402      * Free internal session cache. However: the remove_cb() may reference
4403      * the ex_data of SSL_CTX, thus the ex_data store can only be removed
4404      * after the sessions were flushed.
4405      * As the ex_data handling routines might also touch the session cache,
4406      * the most secure solution seems to be: empty (flush) the cache, then
4407      * free ex_data, then finally free the cache.
4408      * (See ticket [openssl.org #212].)
4409      */
4410     if (a->sessions != NULL)
4411         SSL_CTX_flush_sessions_ex(a, 0);
4412 
4413     CRYPTO_free_ex_data(CRYPTO_EX_INDEX_SSL_CTX, a, &a->ex_data);
4414     lh_SSL_SESSION_free(a->sessions);
4415     X509_STORE_free(a->cert_store);
4416 #ifndef OPENSSL_NO_CT
4417     CTLOG_STORE_free(a->ctlog_store);
4418 #endif
4419     sk_SSL_CIPHER_free(a->cipher_list);
4420     sk_SSL_CIPHER_free(a->cipher_list_by_id);
4421     sk_SSL_CIPHER_free(a->tls13_ciphersuites);
4422     ssl_cert_free(a->cert);
4423     sk_X509_NAME_pop_free(a->ca_names, X509_NAME_free);
4424     sk_X509_NAME_pop_free(a->client_ca_names, X509_NAME_free);
4425     OSSL_STACK_OF_X509_free(a->extra_certs);
4426     a->comp_methods = NULL;
4427 #ifndef OPENSSL_NO_SRTP
4428     sk_SRTP_PROTECTION_PROFILE_free(a->srtp_profiles);
4429 #endif
4430 #ifndef OPENSSL_NO_SRP
4431     ssl_ctx_srp_ctx_free_intern(a);
4432 #endif
4433 #ifndef OPENSSL_NO_ENGINE
4434     tls_engine_finish(a->client_cert_engine);
4435 #endif
4436 
4437     OPENSSL_free(a->ext.ecpointformats);
4438     OPENSSL_free(a->ext.supportedgroups);
4439     OPENSSL_free(a->ext.keyshares);
4440     OPENSSL_free(a->ext.tuples);
4441     OPENSSL_free(a->ext.alpn);
4442     OPENSSL_secure_free(a->ext.secure);
4443 
4444     ssl_evp_md_free(a->md5);
4445     ssl_evp_md_free(a->sha1);
4446 
4447     for (j = 0; j < SSL_ENC_NUM_IDX; j++)
4448         ssl_evp_cipher_free(a->ssl_cipher_methods[j]);
4449     for (j = 0; j < SSL_MD_NUM_IDX; j++)
4450         ssl_evp_md_free(a->ssl_digest_methods[j]);
4451     for (j = 0; j < a->group_list_len; j++) {
4452         OPENSSL_free(a->group_list[j].tlsname);
4453         OPENSSL_free(a->group_list[j].realname);
4454         OPENSSL_free(a->group_list[j].algorithm);
4455     }
4456     OPENSSL_free(a->group_list);
4457     for (j = 0; j < a->sigalg_list_len; j++) {
4458         OPENSSL_free(a->sigalg_list[j].name);
4459         OPENSSL_free(a->sigalg_list[j].sigalg_name);
4460         OPENSSL_free(a->sigalg_list[j].sigalg_oid);
4461         OPENSSL_free(a->sigalg_list[j].sig_name);
4462         OPENSSL_free(a->sigalg_list[j].sig_oid);
4463         OPENSSL_free(a->sigalg_list[j].hash_name);
4464         OPENSSL_free(a->sigalg_list[j].hash_oid);
4465         OPENSSL_free(a->sigalg_list[j].keytype);
4466         OPENSSL_free(a->sigalg_list[j].keytype_oid);
4467     }
4468     OPENSSL_free(a->sigalg_list);
4469     OPENSSL_free(a->ssl_cert_info);
4470 
4471     OPENSSL_free(a->sigalg_lookup_cache);
4472     OPENSSL_free(a->tls12_sigalgs);
4473 
4474     OPENSSL_free(a->client_cert_type);
4475     OPENSSL_free(a->server_cert_type);
4476 
4477     CRYPTO_THREAD_lock_free(a->lock);
4478     CRYPTO_FREE_REF(&a->references);
4479 #ifdef TSAN_REQUIRES_LOCKING
4480     CRYPTO_THREAD_lock_free(a->tsan_lock);
4481 #endif
4482 
4483     OPENSSL_free(a->propq);
4484 #ifndef OPENSSL_NO_QLOG
4485     OPENSSL_free(a->qlog_title);
4486 #endif
4487 
4488 #ifndef OPENSSL_NO_QUIC
4489     ossl_quic_free_token_store(a->tokencache);
4490 #endif
4491 
4492     OPENSSL_free(a);
4493 }
4494 
SSL_CTX_set_default_passwd_cb(SSL_CTX * ctx,pem_password_cb * cb)4495 void SSL_CTX_set_default_passwd_cb(SSL_CTX *ctx, pem_password_cb *cb)
4496 {
4497     ctx->default_passwd_callback = cb;
4498 }
4499 
SSL_CTX_set_default_passwd_cb_userdata(SSL_CTX * ctx,void * u)4500 void SSL_CTX_set_default_passwd_cb_userdata(SSL_CTX *ctx, void *u)
4501 {
4502     ctx->default_passwd_callback_userdata = u;
4503 }
4504 
SSL_CTX_get_default_passwd_cb(SSL_CTX * ctx)4505 pem_password_cb *SSL_CTX_get_default_passwd_cb(SSL_CTX *ctx)
4506 {
4507     return ctx->default_passwd_callback;
4508 }
4509 
SSL_CTX_get_default_passwd_cb_userdata(SSL_CTX * ctx)4510 void *SSL_CTX_get_default_passwd_cb_userdata(SSL_CTX *ctx)
4511 {
4512     return ctx->default_passwd_callback_userdata;
4513 }
4514 
SSL_set_default_passwd_cb(SSL * s,pem_password_cb * cb)4515 void SSL_set_default_passwd_cb(SSL *s, pem_password_cb *cb)
4516 {
4517     SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
4518 
4519     if (sc == NULL)
4520         return;
4521 
4522     sc->default_passwd_callback = cb;
4523 }
4524 
SSL_set_default_passwd_cb_userdata(SSL * s,void * u)4525 void SSL_set_default_passwd_cb_userdata(SSL *s, void *u)
4526 {
4527     SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
4528 
4529     if (sc == NULL)
4530         return;
4531 
4532     sc->default_passwd_callback_userdata = u;
4533 }
4534 
SSL_get_default_passwd_cb(SSL * s)4535 pem_password_cb *SSL_get_default_passwd_cb(SSL *s)
4536 {
4537     SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
4538 
4539     if (sc == NULL)
4540         return NULL;
4541 
4542     return sc->default_passwd_callback;
4543 }
4544 
SSL_get_default_passwd_cb_userdata(SSL * s)4545 void *SSL_get_default_passwd_cb_userdata(SSL *s)
4546 {
4547     SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
4548 
4549     if (sc == NULL)
4550         return NULL;
4551 
4552     return sc->default_passwd_callback_userdata;
4553 }
4554 
SSL_CTX_set_cert_verify_callback(SSL_CTX * ctx,int (* cb)(X509_STORE_CTX *,void *),void * arg)4555 void SSL_CTX_set_cert_verify_callback(SSL_CTX *ctx,
4556                                       int (*cb) (X509_STORE_CTX *, void *),
4557                                       void *arg)
4558 {
4559     ctx->app_verify_callback = cb;
4560     ctx->app_verify_arg = arg;
4561 }
4562 
SSL_CTX_set_verify(SSL_CTX * ctx,int mode,int (* cb)(int,X509_STORE_CTX *))4563 void SSL_CTX_set_verify(SSL_CTX *ctx, int mode,
4564                         int (*cb) (int, X509_STORE_CTX *))
4565 {
4566     ctx->verify_mode = mode;
4567     ctx->default_verify_callback = cb;
4568 }
4569 
SSL_CTX_set_verify_depth(SSL_CTX * ctx,int depth)4570 void SSL_CTX_set_verify_depth(SSL_CTX *ctx, int depth)
4571 {
4572     X509_VERIFY_PARAM_set_depth(ctx->param, depth);
4573 }
4574 
SSL_CTX_set_cert_cb(SSL_CTX * c,int (* cb)(SSL * ssl,void * arg),void * arg)4575 void SSL_CTX_set_cert_cb(SSL_CTX *c, int (*cb) (SSL *ssl, void *arg), void *arg)
4576 {
4577     ssl_cert_set_cert_cb(c->cert, cb, arg);
4578 }
4579 
SSL_set_cert_cb(SSL * s,int (* cb)(SSL * ssl,void * arg),void * arg)4580 void SSL_set_cert_cb(SSL *s, int (*cb) (SSL *ssl, void *arg), void *arg)
4581 {
4582     SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
4583 
4584     if (sc == NULL)
4585         return;
4586 
4587     ssl_cert_set_cert_cb(sc->cert, cb, arg);
4588 }
4589 
ssl_set_masks(SSL_CONNECTION * s)4590 void ssl_set_masks(SSL_CONNECTION *s)
4591 {
4592     CERT *c = s->cert;
4593     uint32_t *pvalid = s->s3.tmp.valid_flags;
4594     int rsa_enc, rsa_sign, dh_tmp, dsa_sign;
4595     unsigned long mask_k, mask_a;
4596     int have_ecc_cert, ecdsa_ok;
4597 
4598     if (c == NULL)
4599         return;
4600 
4601     dh_tmp = (c->dh_tmp != NULL
4602               || c->dh_tmp_cb != NULL
4603               || c->dh_tmp_auto);
4604 
4605     rsa_enc = pvalid[SSL_PKEY_RSA] & CERT_PKEY_VALID;
4606     rsa_sign = pvalid[SSL_PKEY_RSA] & CERT_PKEY_VALID;
4607     dsa_sign = pvalid[SSL_PKEY_DSA_SIGN] & CERT_PKEY_VALID;
4608     have_ecc_cert = pvalid[SSL_PKEY_ECC] & CERT_PKEY_VALID;
4609     mask_k = 0;
4610     mask_a = 0;
4611 
4612     OSSL_TRACE4(TLS_CIPHER, "dh_tmp=%d rsa_enc=%d rsa_sign=%d dsa_sign=%d\n",
4613                dh_tmp, rsa_enc, rsa_sign, dsa_sign);
4614 
4615 #ifndef OPENSSL_NO_GOST
4616     if (ssl_has_cert(s, SSL_PKEY_GOST12_512)) {
4617         mask_k |= SSL_kGOST | SSL_kGOST18;
4618         mask_a |= SSL_aGOST12;
4619     }
4620     if (ssl_has_cert(s, SSL_PKEY_GOST12_256)) {
4621         mask_k |= SSL_kGOST | SSL_kGOST18;
4622         mask_a |= SSL_aGOST12;
4623     }
4624     if (ssl_has_cert(s, SSL_PKEY_GOST01)) {
4625         mask_k |= SSL_kGOST;
4626         mask_a |= SSL_aGOST01;
4627     }
4628 #endif
4629 
4630     if (rsa_enc)
4631         mask_k |= SSL_kRSA;
4632 
4633     if (dh_tmp)
4634         mask_k |= SSL_kDHE;
4635 
4636     /*
4637      * If we only have an RSA-PSS certificate allow RSA authentication
4638      * if TLS 1.2 and peer supports it.
4639      */
4640 
4641     if (rsa_enc || rsa_sign || (ssl_has_cert(s, SSL_PKEY_RSA_PSS_SIGN)
4642                 && pvalid[SSL_PKEY_RSA_PSS_SIGN] & CERT_PKEY_EXPLICIT_SIGN
4643                 && TLS1_get_version(&s->ssl) == TLS1_2_VERSION))
4644         mask_a |= SSL_aRSA;
4645 
4646     if (dsa_sign) {
4647         mask_a |= SSL_aDSS;
4648     }
4649 
4650     mask_a |= SSL_aNULL;
4651 
4652     /*
4653      * You can do anything with an RPK key, since there's no cert to restrict it
4654      * But we need to check for private keys
4655      */
4656     if (pvalid[SSL_PKEY_RSA] & CERT_PKEY_RPK) {
4657         mask_a |= SSL_aRSA;
4658         mask_k |= SSL_kRSA;
4659     }
4660     if (pvalid[SSL_PKEY_ECC] & CERT_PKEY_RPK)
4661         mask_a |= SSL_aECDSA;
4662     if (TLS1_get_version(&s->ssl) == TLS1_2_VERSION) {
4663         if (pvalid[SSL_PKEY_RSA_PSS_SIGN] & CERT_PKEY_RPK)
4664             mask_a |= SSL_aRSA;
4665         if (pvalid[SSL_PKEY_ED25519] & CERT_PKEY_RPK
4666                 || pvalid[SSL_PKEY_ED448] & CERT_PKEY_RPK)
4667             mask_a |= SSL_aECDSA;
4668     }
4669 
4670     /*
4671      * An ECC certificate may be usable for ECDH and/or ECDSA cipher suites
4672      * depending on the key usage extension.
4673      */
4674     if (have_ecc_cert) {
4675         uint32_t ex_kusage;
4676         ex_kusage = X509_get_key_usage(c->pkeys[SSL_PKEY_ECC].x509);
4677         ecdsa_ok = ex_kusage & X509v3_KU_DIGITAL_SIGNATURE;
4678         if (!(pvalid[SSL_PKEY_ECC] & CERT_PKEY_SIGN))
4679             ecdsa_ok = 0;
4680         if (ecdsa_ok)
4681             mask_a |= SSL_aECDSA;
4682     }
4683     /* Allow Ed25519 for TLS 1.2 if peer supports it */
4684     if (!(mask_a & SSL_aECDSA) && ssl_has_cert(s, SSL_PKEY_ED25519)
4685             && pvalid[SSL_PKEY_ED25519] & CERT_PKEY_EXPLICIT_SIGN
4686             && TLS1_get_version(&s->ssl) == TLS1_2_VERSION)
4687             mask_a |= SSL_aECDSA;
4688 
4689     /* Allow Ed448 for TLS 1.2 if peer supports it */
4690     if (!(mask_a & SSL_aECDSA) && ssl_has_cert(s, SSL_PKEY_ED448)
4691             && pvalid[SSL_PKEY_ED448] & CERT_PKEY_EXPLICIT_SIGN
4692             && TLS1_get_version(&s->ssl) == TLS1_2_VERSION)
4693             mask_a |= SSL_aECDSA;
4694 
4695     mask_k |= SSL_kECDHE;
4696 
4697 #ifndef OPENSSL_NO_PSK
4698     mask_k |= SSL_kPSK;
4699     mask_a |= SSL_aPSK;
4700     if (mask_k & SSL_kRSA)
4701         mask_k |= SSL_kRSAPSK;
4702     if (mask_k & SSL_kDHE)
4703         mask_k |= SSL_kDHEPSK;
4704     if (mask_k & SSL_kECDHE)
4705         mask_k |= SSL_kECDHEPSK;
4706 #endif
4707 
4708     s->s3.tmp.mask_k = mask_k;
4709     s->s3.tmp.mask_a = mask_a;
4710 }
4711 
ssl_check_srvr_ecc_cert_and_alg(X509 * x,SSL_CONNECTION * s)4712 int ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL_CONNECTION *s)
4713 {
4714     if (s->s3.tmp.new_cipher->algorithm_auth & SSL_aECDSA) {
4715         /* key usage, if present, must allow signing */
4716         if (!(X509_get_key_usage(x) & X509v3_KU_DIGITAL_SIGNATURE)) {
4717             ERR_raise(ERR_LIB_SSL, SSL_R_ECC_CERT_NOT_FOR_SIGNING);
4718             return 0;
4719         }
4720     }
4721     return 1;                   /* all checks are ok */
4722 }
4723 
ssl_get_server_cert_serverinfo(SSL_CONNECTION * s,const unsigned char ** serverinfo,size_t * serverinfo_length)4724 int ssl_get_server_cert_serverinfo(SSL_CONNECTION *s,
4725                                    const unsigned char **serverinfo,
4726                                    size_t *serverinfo_length)
4727 {
4728     CERT_PKEY *cpk = s->s3.tmp.cert;
4729     *serverinfo_length = 0;
4730 
4731     if (cpk == NULL || cpk->serverinfo == NULL)
4732         return 0;
4733 
4734     *serverinfo = cpk->serverinfo;
4735     *serverinfo_length = cpk->serverinfo_length;
4736     return 1;
4737 }
4738 
ssl_update_cache(SSL_CONNECTION * s,int mode)4739 void ssl_update_cache(SSL_CONNECTION *s, int mode)
4740 {
4741     int i;
4742 
4743     /*
4744      * If the session_id_length is 0, we are not supposed to cache it, and it
4745      * would be rather hard to do anyway :-). Also if the session has already
4746      * been marked as not_resumable we should not cache it for later reuse.
4747      */
4748     if (s->session->session_id_length == 0 || s->session->not_resumable)
4749         return;
4750 
4751     /*
4752      * If sid_ctx_length is 0 there is no specific application context
4753      * associated with this session, so when we try to resume it and
4754      * SSL_VERIFY_PEER is requested to verify the client identity, we have no
4755      * indication that this is actually a session for the proper application
4756      * context, and the *handshake* will fail, not just the resumption attempt.
4757      * Do not cache (on the server) these sessions that are not resumable
4758      * (clients can set SSL_VERIFY_PEER without needing a sid_ctx set).
4759      */
4760     if (s->server && s->session->sid_ctx_length == 0
4761             && (s->verify_mode & SSL_VERIFY_PEER) != 0)
4762         return;
4763 
4764     i = s->session_ctx->session_cache_mode;
4765     if ((i & mode) != 0
4766         && (!s->hit || SSL_CONNECTION_IS_TLS13(s))) {
4767         /*
4768          * Add the session to the internal cache. In server side TLSv1.3 we
4769          * normally don't do this because by default it's a full stateless ticket
4770          * with only a dummy session id so there is no reason to cache it,
4771          * unless:
4772          * - we are doing early_data, in which case we cache so that we can
4773          *   detect replays
4774          * - the application has set a remove_session_cb so needs to know about
4775          *   session timeout events
4776          * - SSL_OP_NO_TICKET is set in which case it is a stateful ticket
4777          */
4778         if ((i & SSL_SESS_CACHE_NO_INTERNAL_STORE) == 0
4779                 && (!SSL_CONNECTION_IS_TLS13(s)
4780                     || !s->server
4781                     || (s->max_early_data > 0
4782                         && (s->options & SSL_OP_NO_ANTI_REPLAY) == 0)
4783                     || s->session_ctx->remove_session_cb != NULL
4784                     || (s->options & SSL_OP_NO_TICKET) != 0))
4785             SSL_CTX_add_session(s->session_ctx, s->session);
4786 
4787         /*
4788          * Add the session to the external cache. We do this even in server side
4789          * TLSv1.3 without early data because some applications just want to
4790          * know about the creation of a session and aren't doing a full cache.
4791          */
4792         if (s->session_ctx->new_session_cb != NULL && SSL_SESSION_up_ref(s->session)) {
4793             if (!s->session_ctx->new_session_cb(SSL_CONNECTION_GET_USER_SSL(s),
4794                                                 s->session))
4795                 SSL_SESSION_free(s->session);
4796         }
4797     }
4798 
4799     /* auto flush every 255 connections */
4800     if ((!(i & SSL_SESS_CACHE_NO_AUTO_CLEAR)) && ((i & mode) == mode)) {
4801         TSAN_QUALIFIER int *stat;
4802 
4803         if (mode & SSL_SESS_CACHE_CLIENT)
4804             stat = &s->session_ctx->stats.sess_connect_good;
4805         else
4806             stat = &s->session_ctx->stats.sess_accept_good;
4807         if ((ssl_tsan_load(s->session_ctx, stat) & 0xff) == 0xff)
4808             SSL_CTX_flush_sessions_ex(s->session_ctx, time(NULL));
4809     }
4810 }
4811 
SSL_CTX_get_ssl_method(const SSL_CTX * ctx)4812 const SSL_METHOD *SSL_CTX_get_ssl_method(const SSL_CTX *ctx)
4813 {
4814     return ctx->method;
4815 }
4816 
SSL_get_ssl_method(const SSL * s)4817 const SSL_METHOD *SSL_get_ssl_method(const SSL *s)
4818 {
4819     return s->method;
4820 }
4821 
SSL_set_ssl_method(SSL * s,const SSL_METHOD * meth)4822 int SSL_set_ssl_method(SSL *s, const SSL_METHOD *meth)
4823 {
4824     int ret = 1;
4825     SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
4826 
4827     /* Not allowed for QUIC */
4828     if (sc == NULL
4829         || (s->type != SSL_TYPE_SSL_CONNECTION && s->method != meth)
4830         || (s->type == SSL_TYPE_SSL_CONNECTION && IS_QUIC_METHOD(meth)))
4831         return 0;
4832 
4833     if (s->method != meth) {
4834         const SSL_METHOD *sm = s->method;
4835         int (*hf) (SSL *) = sc->handshake_func;
4836 
4837         if (sm->version == meth->version)
4838             s->method = meth;
4839         else {
4840             sm->ssl_deinit(s);
4841             s->method = meth;
4842             ret = s->method->ssl_init(s);
4843         }
4844 
4845         if (hf == sm->ssl_connect)
4846             sc->handshake_func = meth->ssl_connect;
4847         else if (hf == sm->ssl_accept)
4848             sc->handshake_func = meth->ssl_accept;
4849     }
4850     return ret;
4851 }
4852 
SSL_get_error(const SSL * s,int i)4853 int SSL_get_error(const SSL *s, int i)
4854 {
4855     return ossl_ssl_get_error(s, i, /*check_err=*/1);
4856 }
4857 
ossl_ssl_get_error(const SSL * s,int i,int check_err)4858 int ossl_ssl_get_error(const SSL *s, int i, int check_err)
4859 {
4860     int reason;
4861     unsigned long l;
4862     BIO *bio;
4863     const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
4864 
4865     if (i > 0)
4866         return SSL_ERROR_NONE;
4867 
4868 #ifndef OPENSSL_NO_QUIC
4869     if (IS_QUIC(s)) {
4870         reason = ossl_quic_get_error(s, i);
4871         if (reason != SSL_ERROR_NONE)
4872             return reason;
4873     }
4874 #endif
4875 
4876     if (sc == NULL)
4877         return SSL_ERROR_SSL;
4878 
4879     /*
4880      * Make things return SSL_ERROR_SYSCALL when doing SSL_do_handshake etc,
4881      * where we do encode the error
4882      */
4883     if (check_err && (l = ERR_peek_error()) != 0) {
4884         if (ERR_GET_LIB(l) == ERR_LIB_SYS)
4885             return SSL_ERROR_SYSCALL;
4886         else
4887             return SSL_ERROR_SSL;
4888     }
4889 
4890 #ifndef OPENSSL_NO_QUIC
4891     if (!IS_QUIC(s))
4892 #endif
4893     {
4894         if (SSL_want_read(s)) {
4895             bio = SSL_get_rbio(s);
4896             if (BIO_should_read(bio))
4897                 return SSL_ERROR_WANT_READ;
4898             else if (BIO_should_write(bio))
4899                 /*
4900                  * This one doesn't make too much sense ... We never try to
4901                  * write to the rbio, and an application program where rbio and
4902                  * wbio are separate couldn't even know what it should wait for.
4903                  * However if we ever set s->rwstate incorrectly (so that we
4904                  * have SSL_want_read(s) instead of SSL_want_write(s)) and rbio
4905                  * and wbio *are* the same, this test works around that bug; so
4906                  * it might be safer to keep it.
4907                  */
4908                 return SSL_ERROR_WANT_WRITE;
4909             else if (BIO_should_io_special(bio)) {
4910                 reason = BIO_get_retry_reason(bio);
4911                 if (reason == BIO_RR_CONNECT)
4912                     return SSL_ERROR_WANT_CONNECT;
4913                 else if (reason == BIO_RR_ACCEPT)
4914                     return SSL_ERROR_WANT_ACCEPT;
4915                 else
4916                     return SSL_ERROR_SYSCALL; /* unknown */
4917             }
4918         }
4919 
4920         if (SSL_want_write(s)) {
4921             /*
4922              * Access wbio directly - in order to use the buffered bio if
4923              * present
4924              */
4925             bio = sc->wbio;
4926             if (BIO_should_write(bio))
4927                 return SSL_ERROR_WANT_WRITE;
4928             else if (BIO_should_read(bio))
4929                 /*
4930                  * See above (SSL_want_read(s) with BIO_should_write(bio))
4931                  */
4932                 return SSL_ERROR_WANT_READ;
4933             else if (BIO_should_io_special(bio)) {
4934                 reason = BIO_get_retry_reason(bio);
4935                 if (reason == BIO_RR_CONNECT)
4936                     return SSL_ERROR_WANT_CONNECT;
4937                 else if (reason == BIO_RR_ACCEPT)
4938                     return SSL_ERROR_WANT_ACCEPT;
4939                 else
4940                     return SSL_ERROR_SYSCALL;
4941             }
4942         }
4943     }
4944 
4945     if (SSL_want_x509_lookup(s))
4946         return SSL_ERROR_WANT_X509_LOOKUP;
4947     if (SSL_want_retry_verify(s))
4948         return SSL_ERROR_WANT_RETRY_VERIFY;
4949     if (SSL_want_async(s))
4950         return SSL_ERROR_WANT_ASYNC;
4951     if (SSL_want_async_job(s))
4952         return SSL_ERROR_WANT_ASYNC_JOB;
4953     if (SSL_want_client_hello_cb(s))
4954         return SSL_ERROR_WANT_CLIENT_HELLO_CB;
4955 
4956     if ((sc->shutdown & SSL_RECEIVED_SHUTDOWN) &&
4957         (sc->s3.warn_alert == SSL_AD_CLOSE_NOTIFY))
4958         return SSL_ERROR_ZERO_RETURN;
4959 
4960     return SSL_ERROR_SYSCALL;
4961 }
4962 
ssl_do_handshake_intern(void * vargs)4963 static int ssl_do_handshake_intern(void *vargs)
4964 {
4965     struct ssl_async_args *args = (struct ssl_async_args *)vargs;
4966     SSL *s = args->s;
4967     SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
4968 
4969     if (sc == NULL)
4970         return -1;
4971 
4972     return sc->handshake_func(s);
4973 }
4974 
SSL_do_handshake(SSL * s)4975 int SSL_do_handshake(SSL *s)
4976 {
4977     int ret = 1;
4978     SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
4979 
4980 #ifndef OPENSSL_NO_QUIC
4981     if (IS_QUIC(s))
4982         return ossl_quic_do_handshake(s);
4983 #endif
4984 
4985     if (sc == NULL)
4986         return -1;
4987 
4988     if (sc->handshake_func == NULL) {
4989         ERR_raise(ERR_LIB_SSL, SSL_R_CONNECTION_TYPE_NOT_SET);
4990         return -1;
4991     }
4992 
4993     if (!ossl_statem_check_finish_init(sc, -1))
4994         return -1;
4995 
4996     s->method->ssl_renegotiate_check(s, 0);
4997 
4998     if (SSL_in_init(s) || SSL_in_before(s)) {
4999         if ((sc->mode & SSL_MODE_ASYNC) && ASYNC_get_current_job() == NULL) {
5000             struct ssl_async_args args;
5001 
5002             memset(&args, 0, sizeof(args));
5003             args.s = s;
5004 
5005             ret = ssl_start_async_job(s, &args, ssl_do_handshake_intern);
5006         } else {
5007             ret = sc->handshake_func(s);
5008         }
5009     }
5010 
5011     return ret;
5012 }
5013 
SSL_set_accept_state(SSL * s)5014 void SSL_set_accept_state(SSL *s)
5015 {
5016     SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL_ONLY(s);
5017 
5018 #ifndef OPENSSL_NO_QUIC
5019     if (IS_QUIC(s)) {
5020         /* We suppress errors because this is a void function */
5021         (void)ossl_quic_set_accept_state(s, 0 /* suppress errors */);
5022         return;
5023     }
5024 #endif
5025 
5026     sc->server = 1;
5027     sc->shutdown = 0;
5028     ossl_statem_clear(sc);
5029     sc->handshake_func = s->method->ssl_accept;
5030     /* Ignore return value. Its a void public API function */
5031     RECORD_LAYER_reset(&sc->rlayer);
5032 }
5033 
SSL_set_connect_state(SSL * s)5034 void SSL_set_connect_state(SSL *s)
5035 {
5036     SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL_ONLY(s);
5037 
5038 #ifndef OPENSSL_NO_QUIC
5039     if (IS_QUIC(s)) {
5040         /* We suppress errors because this is a void function */
5041         (void)ossl_quic_set_connect_state(s, 0 /* suppress errors */);
5042         return;
5043     }
5044 #endif
5045 
5046     sc->server = 0;
5047     sc->shutdown = 0;
5048     ossl_statem_clear(sc);
5049     sc->handshake_func = s->method->ssl_connect;
5050     /* Ignore return value. Its a void public API function */
5051     RECORD_LAYER_reset(&sc->rlayer);
5052 }
5053 
ssl_undefined_function(SSL * s)5054 int ssl_undefined_function(SSL *s)
5055 {
5056     ERR_raise(ERR_LIB_SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
5057     return 0;
5058 }
5059 
ssl_undefined_void_function(void)5060 int ssl_undefined_void_function(void)
5061 {
5062     ERR_raise(ERR_LIB_SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
5063     return 0;
5064 }
5065 
ssl_protocol_to_string(int version)5066 const char *ssl_protocol_to_string(int version)
5067 {
5068     switch (version) {
5069     case TLS1_3_VERSION:
5070         return "TLSv1.3";
5071 
5072     case TLS1_2_VERSION:
5073         return "TLSv1.2";
5074 
5075     case TLS1_1_VERSION:
5076         return "TLSv1.1";
5077 
5078     case TLS1_VERSION:
5079         return "TLSv1";
5080 
5081     case SSL3_VERSION:
5082         return "SSLv3";
5083 
5084     case DTLS1_BAD_VER:
5085         return "DTLSv0.9";
5086 
5087     case DTLS1_VERSION:
5088         return "DTLSv1";
5089 
5090     case DTLS1_2_VERSION:
5091         return "DTLSv1.2";
5092 
5093     default:
5094         return "unknown";
5095     }
5096 }
5097 
SSL_get_version(const SSL * s)5098 const char *SSL_get_version(const SSL *s)
5099 {
5100     const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
5101 
5102 #ifndef OPENSSL_NO_QUIC
5103     /* We only support QUICv1 - so if its QUIC its QUICv1 */
5104     if (s->type == SSL_TYPE_QUIC_CONNECTION || s->type == SSL_TYPE_QUIC_XSO)
5105         return "QUICv1";
5106 #endif
5107 
5108     if (sc == NULL)
5109         return NULL;
5110 
5111     return ssl_protocol_to_string(sc->version);
5112 }
5113 
SSL_get_handshake_rtt(const SSL * s,uint64_t * rtt)5114 __owur int SSL_get_handshake_rtt(const SSL *s, uint64_t *rtt)
5115 {
5116     const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
5117 
5118     if (sc == NULL)
5119         return -1;
5120     if (sc->ts_msg_write.t <= 0 || sc->ts_msg_read.t <= 0)
5121         return 0; /* data not (yet) available */
5122     if (sc->ts_msg_read.t < sc->ts_msg_write.t)
5123         return -1;
5124 
5125     *rtt = ossl_time2us(ossl_time_subtract(sc->ts_msg_read, sc->ts_msg_write));
5126     return 1;
5127 }
5128 
dup_ca_names(STACK_OF (X509_NAME)** dst,STACK_OF (X509_NAME)* src)5129 static int dup_ca_names(STACK_OF(X509_NAME) **dst, STACK_OF(X509_NAME) *src)
5130 {
5131     STACK_OF(X509_NAME) *sk;
5132     X509_NAME *xn;
5133     int i;
5134 
5135     if (src == NULL) {
5136         *dst = NULL;
5137         return 1;
5138     }
5139 
5140     if ((sk = sk_X509_NAME_new_null()) == NULL)
5141         return 0;
5142     for (i = 0; i < sk_X509_NAME_num(src); i++) {
5143         xn = X509_NAME_dup(sk_X509_NAME_value(src, i));
5144         if (xn == NULL) {
5145             sk_X509_NAME_pop_free(sk, X509_NAME_free);
5146             return 0;
5147         }
5148         if (sk_X509_NAME_insert(sk, xn, i) == 0) {
5149             X509_NAME_free(xn);
5150             sk_X509_NAME_pop_free(sk, X509_NAME_free);
5151             return 0;
5152         }
5153     }
5154     *dst = sk;
5155 
5156     return 1;
5157 }
5158 
SSL_dup(SSL * s)5159 SSL *SSL_dup(SSL *s)
5160 {
5161     SSL *ret;
5162     int i;
5163     /* TODO(QUIC FUTURE): Add an SSL_METHOD function for duplication */
5164     SSL_CONNECTION *retsc;
5165     SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL_ONLY(s);
5166 
5167     if (sc == NULL)
5168         return NULL;
5169 
5170     /* If we're not quiescent, just up_ref! */
5171     if (!SSL_in_init(s) || !SSL_in_before(s)) {
5172         CRYPTO_UP_REF(&s->references, &i);
5173         return s;
5174     }
5175 
5176     /*
5177      * Otherwise, copy configuration state, and session if set.
5178      */
5179     if ((ret = SSL_new(SSL_get_SSL_CTX(s))) == NULL)
5180         return NULL;
5181     if ((retsc = SSL_CONNECTION_FROM_SSL_ONLY(ret)) == NULL)
5182         goto err;
5183 
5184     if (sc->session != NULL) {
5185         /*
5186          * Arranges to share the same session via up_ref.  This "copies"
5187          * session-id, SSL_METHOD, sid_ctx, and 'cert'
5188          */
5189         if (!SSL_copy_session_id(ret, s))
5190             goto err;
5191     } else {
5192         /*
5193          * No session has been established yet, so we have to expect that
5194          * s->cert or ret->cert will be changed later -- they should not both
5195          * point to the same object, and thus we can't use
5196          * SSL_copy_session_id.
5197          */
5198         if (!SSL_set_ssl_method(ret, s->method))
5199             goto err;
5200 
5201         if (sc->cert != NULL) {
5202             ssl_cert_free(retsc->cert);
5203             retsc->cert = ssl_cert_dup(sc->cert);
5204             if (retsc->cert == NULL)
5205                 goto err;
5206         }
5207 
5208         if (!SSL_set_session_id_context(ret, sc->sid_ctx,
5209                                         (int)sc->sid_ctx_length))
5210             goto err;
5211     }
5212 
5213     if (!ssl_dane_dup(retsc, sc))
5214         goto err;
5215     retsc->version = sc->version;
5216     retsc->options = sc->options;
5217     retsc->min_proto_version = sc->min_proto_version;
5218     retsc->max_proto_version = sc->max_proto_version;
5219     retsc->mode = sc->mode;
5220     SSL_set_max_cert_list(ret, SSL_get_max_cert_list(s));
5221     SSL_set_read_ahead(ret, SSL_get_read_ahead(s));
5222     retsc->msg_callback = sc->msg_callback;
5223     retsc->msg_callback_arg = sc->msg_callback_arg;
5224     SSL_set_verify(ret, SSL_get_verify_mode(s), SSL_get_verify_callback(s));
5225     SSL_set_verify_depth(ret, SSL_get_verify_depth(s));
5226     retsc->generate_session_id = sc->generate_session_id;
5227 
5228     SSL_set_info_callback(ret, SSL_get_info_callback(s));
5229 
5230     /* copy app data, a little dangerous perhaps */
5231     if (!CRYPTO_dup_ex_data(CRYPTO_EX_INDEX_SSL, &ret->ex_data, &s->ex_data))
5232         goto err;
5233 
5234     retsc->server = sc->server;
5235     if (sc->handshake_func) {
5236         if (sc->server)
5237             SSL_set_accept_state(ret);
5238         else
5239             SSL_set_connect_state(ret);
5240     }
5241     retsc->shutdown = sc->shutdown;
5242     retsc->hit = sc->hit;
5243 
5244     retsc->default_passwd_callback = sc->default_passwd_callback;
5245     retsc->default_passwd_callback_userdata = sc->default_passwd_callback_userdata;
5246 
5247     X509_VERIFY_PARAM_inherit(retsc->param, sc->param);
5248 
5249     /* dup the cipher_list and cipher_list_by_id stacks */
5250     if (sc->cipher_list != NULL) {
5251         if ((retsc->cipher_list = sk_SSL_CIPHER_dup(sc->cipher_list)) == NULL)
5252             goto err;
5253     }
5254     if (sc->cipher_list_by_id != NULL)
5255         if ((retsc->cipher_list_by_id = sk_SSL_CIPHER_dup(sc->cipher_list_by_id))
5256             == NULL)
5257             goto err;
5258 
5259     /* Dup the client_CA list */
5260     if (!dup_ca_names(&retsc->ca_names, sc->ca_names)
5261             || !dup_ca_names(&retsc->client_ca_names, sc->client_ca_names))
5262         goto err;
5263 
5264     return ret;
5265 
5266  err:
5267     SSL_free(ret);
5268     return NULL;
5269 }
5270 
SSL_get_certificate(const SSL * s)5271 X509 *SSL_get_certificate(const SSL *s)
5272 {
5273     SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
5274 
5275     if (sc == NULL)
5276         return NULL;
5277 
5278     if (sc->cert != NULL)
5279         return sc->cert->key->x509;
5280     else
5281         return NULL;
5282 }
5283 
SSL_get_privatekey(const SSL * s)5284 EVP_PKEY *SSL_get_privatekey(const SSL *s)
5285 {
5286     const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
5287 
5288     if (sc == NULL)
5289         return NULL;
5290 
5291     if (sc->cert != NULL)
5292         return sc->cert->key->privatekey;
5293     else
5294         return NULL;
5295 }
5296 
SSL_CTX_get0_certificate(const SSL_CTX * ctx)5297 X509 *SSL_CTX_get0_certificate(const SSL_CTX *ctx)
5298 {
5299     if (ctx->cert != NULL)
5300         return ctx->cert->key->x509;
5301     else
5302         return NULL;
5303 }
5304 
SSL_CTX_get0_privatekey(const SSL_CTX * ctx)5305 EVP_PKEY *SSL_CTX_get0_privatekey(const SSL_CTX *ctx)
5306 {
5307     if (ctx->cert != NULL)
5308         return ctx->cert->key->privatekey;
5309     else
5310         return NULL;
5311 }
5312 
SSL_get_current_cipher(const SSL * s)5313 const SSL_CIPHER *SSL_get_current_cipher(const SSL *s)
5314 {
5315     const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
5316 
5317     if (sc == NULL)
5318         return NULL;
5319 
5320     if ((sc->session != NULL) && (sc->session->cipher != NULL))
5321         return sc->session->cipher;
5322     return NULL;
5323 }
5324 
SSL_get_pending_cipher(const SSL * s)5325 const SSL_CIPHER *SSL_get_pending_cipher(const SSL *s)
5326 {
5327     const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
5328 
5329     if (sc == NULL)
5330         return NULL;
5331 
5332     return sc->s3.tmp.new_cipher;
5333 }
5334 
SSL_get_current_compression(const SSL * s)5335 const COMP_METHOD *SSL_get_current_compression(const SSL *s)
5336 {
5337 #ifndef OPENSSL_NO_COMP
5338     const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL_ONLY(s);
5339 
5340     if (sc == NULL)
5341         return NULL;
5342 
5343     return sc->rlayer.wrlmethod->get_compression(sc->rlayer.wrl);
5344 #else
5345     return NULL;
5346 #endif
5347 }
5348 
SSL_get_current_expansion(const SSL * s)5349 const COMP_METHOD *SSL_get_current_expansion(const SSL *s)
5350 {
5351 #ifndef OPENSSL_NO_COMP
5352     const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL_ONLY(s);
5353 
5354     if (sc == NULL)
5355         return NULL;
5356 
5357     return sc->rlayer.rrlmethod->get_compression(sc->rlayer.rrl);
5358 #else
5359     return NULL;
5360 #endif
5361 }
5362 
ssl_init_wbio_buffer(SSL_CONNECTION * s)5363 int ssl_init_wbio_buffer(SSL_CONNECTION *s)
5364 {
5365     BIO *bbio;
5366 
5367     if (s->bbio != NULL) {
5368         /* Already buffered. */
5369         return 1;
5370     }
5371 
5372     bbio = BIO_new(BIO_f_buffer());
5373     if (bbio == NULL || BIO_set_read_buffer_size(bbio, 1) <= 0) {
5374         BIO_free(bbio);
5375         ERR_raise(ERR_LIB_SSL, ERR_R_BUF_LIB);
5376         return 0;
5377     }
5378     s->bbio = bbio;
5379     s->wbio = BIO_push(bbio, s->wbio);
5380 
5381     s->rlayer.wrlmethod->set1_bio(s->rlayer.wrl, s->wbio);
5382 
5383     return 1;
5384 }
5385 
ssl_free_wbio_buffer(SSL_CONNECTION * s)5386 int ssl_free_wbio_buffer(SSL_CONNECTION *s)
5387 {
5388     /* callers ensure s is never null */
5389     if (s->bbio == NULL)
5390         return 1;
5391 
5392     s->wbio = BIO_pop(s->wbio);
5393     s->rlayer.wrlmethod->set1_bio(s->rlayer.wrl, s->wbio);
5394 
5395     BIO_free(s->bbio);
5396     s->bbio = NULL;
5397 
5398     return 1;
5399 }
5400 
SSL_CTX_set_quiet_shutdown(SSL_CTX * ctx,int mode)5401 void SSL_CTX_set_quiet_shutdown(SSL_CTX *ctx, int mode)
5402 {
5403     ctx->quiet_shutdown = mode;
5404 }
5405 
SSL_CTX_get_quiet_shutdown(const SSL_CTX * ctx)5406 int SSL_CTX_get_quiet_shutdown(const SSL_CTX *ctx)
5407 {
5408     return ctx->quiet_shutdown;
5409 }
5410 
SSL_set_quiet_shutdown(SSL * s,int mode)5411 void SSL_set_quiet_shutdown(SSL *s, int mode)
5412 {
5413     SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL_ONLY(s);
5414 
5415     /* Not supported with QUIC */
5416     if (sc == NULL)
5417         return;
5418 
5419     sc->quiet_shutdown = mode;
5420 }
5421 
SSL_get_quiet_shutdown(const SSL * s)5422 int SSL_get_quiet_shutdown(const SSL *s)
5423 {
5424     const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL_ONLY(s);
5425 
5426     /* Not supported with QUIC */
5427     if (sc == NULL)
5428         return 0;
5429 
5430     return sc->quiet_shutdown;
5431 }
5432 
SSL_set_shutdown(SSL * s,int mode)5433 void SSL_set_shutdown(SSL *s, int mode)
5434 {
5435     SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL_ONLY(s);
5436 
5437     /* Not supported with QUIC */
5438     if (sc == NULL)
5439         return;
5440 
5441     sc->shutdown = mode;
5442 }
5443 
SSL_get_shutdown(const SSL * s)5444 int SSL_get_shutdown(const SSL *s)
5445 {
5446     const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL_ONLY(s);
5447 
5448 #ifndef OPENSSL_NO_QUIC
5449     /* QUIC: Just indicate whether the connection was shutdown cleanly. */
5450     if (IS_QUIC(s))
5451         return ossl_quic_get_shutdown(s);
5452 #endif
5453 
5454     if (sc == NULL)
5455         return 0;
5456 
5457     return sc->shutdown;
5458 }
5459 
SSL_version(const SSL * s)5460 int SSL_version(const SSL *s)
5461 {
5462     const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
5463 
5464 #ifndef OPENSSL_NO_QUIC
5465     /* We only support QUICv1 - so if its QUIC its QUICv1 */
5466     if (s->type == SSL_TYPE_QUIC_CONNECTION || s->type == SSL_TYPE_QUIC_XSO)
5467         return OSSL_QUIC1_VERSION;
5468 #endif
5469     if (sc == NULL)
5470         return 0;
5471 
5472     return sc->version;
5473 }
5474 
SSL_client_version(const SSL * s)5475 int SSL_client_version(const SSL *s)
5476 {
5477     const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
5478 
5479 #ifndef OPENSSL_NO_QUIC
5480     /* We only support QUICv1 - so if its QUIC its QUICv1 */
5481     if (s->type == SSL_TYPE_QUIC_CONNECTION || s->type == SSL_TYPE_QUIC_XSO)
5482         return OSSL_QUIC1_VERSION;
5483 #endif
5484     if (sc == NULL)
5485         return 0;
5486 
5487     return sc->client_version;
5488 }
5489 
SSL_get_SSL_CTX(const SSL * ssl)5490 SSL_CTX *SSL_get_SSL_CTX(const SSL *ssl)
5491 {
5492     return ssl->ctx;
5493 }
5494 
SSL_set_SSL_CTX(SSL * ssl,SSL_CTX * ctx)5495 SSL_CTX *SSL_set_SSL_CTX(SSL *ssl, SSL_CTX *ctx)
5496 {
5497     CERT *new_cert;
5498     SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL_ONLY(ssl);
5499 
5500     /* TODO(QUIC FUTURE): Add support for QUIC */
5501     if (sc == NULL)
5502         return NULL;
5503 
5504     if (ssl->ctx == ctx)
5505         return ssl->ctx;
5506     if (ctx == NULL)
5507         ctx = sc->session_ctx;
5508     new_cert = ssl_cert_dup(ctx->cert);
5509     if (new_cert == NULL)
5510         goto err;
5511     if (!custom_exts_copy_conn(&new_cert->custext, &sc->cert->custext))
5512         goto err;
5513     if (!custom_exts_copy_flags(&new_cert->custext, &sc->cert->custext))
5514         goto err;
5515 
5516     /*
5517      * Program invariant: |sid_ctx| has fixed size (SSL_MAX_SID_CTX_LENGTH),
5518      * so setter APIs must prevent invalid lengths from entering the system.
5519      */
5520     if (!ossl_assert(sc->sid_ctx_length <= sizeof(sc->sid_ctx)))
5521         goto err;
5522     if (!SSL_CTX_up_ref(ctx))
5523         goto err;
5524 
5525     /*
5526      * If the session ID context matches that of the parent SSL_CTX,
5527      * inherit it from the new SSL_CTX as well. If however the context does
5528      * not match (i.e., it was set per-ssl with SSL_set_session_id_context),
5529      * leave it unchanged.
5530      */
5531     if ((ssl->ctx != NULL) &&
5532         (sc->sid_ctx_length == ssl->ctx->sid_ctx_length) &&
5533         (memcmp(sc->sid_ctx, ssl->ctx->sid_ctx, sc->sid_ctx_length) == 0)) {
5534         sc->sid_ctx_length = ctx->sid_ctx_length;
5535         memcpy(&sc->sid_ctx, &ctx->sid_ctx, sizeof(sc->sid_ctx));
5536     }
5537 
5538     ssl_cert_free(sc->cert);
5539     sc->cert = new_cert;
5540     SSL_CTX_free(ssl->ctx);     /* decrement reference count */
5541     ssl->ctx = ctx;
5542 
5543     return ssl->ctx;
5544 
5545 err:
5546     ssl_cert_free(new_cert);
5547     return NULL;
5548 }
5549 
SSL_CTX_set_default_verify_paths(SSL_CTX * ctx)5550 int SSL_CTX_set_default_verify_paths(SSL_CTX *ctx)
5551 {
5552     return X509_STORE_set_default_paths_ex(ctx->cert_store, ctx->libctx,
5553                                            ctx->propq);
5554 }
5555 
SSL_CTX_set_default_verify_dir(SSL_CTX * ctx)5556 int SSL_CTX_set_default_verify_dir(SSL_CTX *ctx)
5557 {
5558     X509_LOOKUP *lookup;
5559 
5560     lookup = X509_STORE_add_lookup(ctx->cert_store, X509_LOOKUP_hash_dir());
5561     if (lookup == NULL)
5562         return 0;
5563 
5564     /* We ignore errors, in case the directory doesn't exist */
5565     ERR_set_mark();
5566 
5567     X509_LOOKUP_add_dir(lookup, NULL, X509_FILETYPE_DEFAULT);
5568 
5569     ERR_pop_to_mark();
5570 
5571     return 1;
5572 }
5573 
SSL_CTX_set_default_verify_file(SSL_CTX * ctx)5574 int SSL_CTX_set_default_verify_file(SSL_CTX *ctx)
5575 {
5576     X509_LOOKUP *lookup;
5577 
5578     lookup = X509_STORE_add_lookup(ctx->cert_store, X509_LOOKUP_file());
5579     if (lookup == NULL)
5580         return 0;
5581 
5582     /* We ignore errors, in case the file doesn't exist */
5583     ERR_set_mark();
5584 
5585     X509_LOOKUP_load_file_ex(lookup, NULL, X509_FILETYPE_DEFAULT, ctx->libctx,
5586                              ctx->propq);
5587 
5588     ERR_pop_to_mark();
5589 
5590     return 1;
5591 }
5592 
SSL_CTX_set_default_verify_store(SSL_CTX * ctx)5593 int SSL_CTX_set_default_verify_store(SSL_CTX *ctx)
5594 {
5595     X509_LOOKUP *lookup;
5596 
5597     lookup = X509_STORE_add_lookup(ctx->cert_store, X509_LOOKUP_store());
5598     if (lookup == NULL)
5599         return 0;
5600 
5601     /* We ignore errors, in case the directory doesn't exist */
5602     ERR_set_mark();
5603 
5604     X509_LOOKUP_add_store_ex(lookup, NULL, ctx->libctx, ctx->propq);
5605 
5606     ERR_pop_to_mark();
5607 
5608     return 1;
5609 }
5610 
SSL_CTX_load_verify_file(SSL_CTX * ctx,const char * CAfile)5611 int SSL_CTX_load_verify_file(SSL_CTX *ctx, const char *CAfile)
5612 {
5613     return X509_STORE_load_file_ex(ctx->cert_store, CAfile, ctx->libctx,
5614                                    ctx->propq);
5615 }
5616 
SSL_CTX_load_verify_dir(SSL_CTX * ctx,const char * CApath)5617 int SSL_CTX_load_verify_dir(SSL_CTX *ctx, const char *CApath)
5618 {
5619     return X509_STORE_load_path(ctx->cert_store, CApath);
5620 }
5621 
SSL_CTX_load_verify_store(SSL_CTX * ctx,const char * CAstore)5622 int SSL_CTX_load_verify_store(SSL_CTX *ctx, const char *CAstore)
5623 {
5624     return X509_STORE_load_store_ex(ctx->cert_store, CAstore, ctx->libctx,
5625                                     ctx->propq);
5626 }
5627 
SSL_CTX_load_verify_locations(SSL_CTX * ctx,const char * CAfile,const char * CApath)5628 int SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile,
5629                                   const char *CApath)
5630 {
5631     if (CAfile == NULL && CApath == NULL)
5632         return 0;
5633     if (CAfile != NULL && !SSL_CTX_load_verify_file(ctx, CAfile))
5634         return 0;
5635     if (CApath != NULL && !SSL_CTX_load_verify_dir(ctx, CApath))
5636         return 0;
5637     return 1;
5638 }
5639 
SSL_set_info_callback(SSL * ssl,void (* cb)(const SSL * ssl,int type,int val))5640 void SSL_set_info_callback(SSL *ssl,
5641                            void (*cb) (const SSL *ssl, int type, int val))
5642 {
5643     SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(ssl);
5644 
5645     if (sc == NULL)
5646         return;
5647 
5648     sc->info_callback = cb;
5649 }
5650 
5651 /*
5652  * One compiler (Diab DCC) doesn't like argument names in returned function
5653  * pointer.
5654  */
SSL_get_info_callback(const SSL * ssl)5655 void (*SSL_get_info_callback(const SSL *ssl)) (const SSL * /* ssl */ ,
5656                                                int /* type */ ,
5657                                                int /* val */ ) {
5658     const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(ssl);
5659 
5660     if (sc == NULL)
5661         return NULL;
5662 
5663     return sc->info_callback;
5664 }
5665 
SSL_set_verify_result(SSL * ssl,long arg)5666 void SSL_set_verify_result(SSL *ssl, long arg)
5667 {
5668     SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(ssl);
5669 
5670     if (sc == NULL)
5671         return;
5672 
5673     sc->verify_result = arg;
5674 }
5675 
SSL_get_verify_result(const SSL * ssl)5676 long SSL_get_verify_result(const SSL *ssl)
5677 {
5678     const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(ssl);
5679 
5680     if (sc == NULL)
5681         return 0;
5682 
5683     return sc->verify_result;
5684 }
5685 
SSL_get_client_random(const SSL * ssl,unsigned char * out,size_t outlen)5686 size_t SSL_get_client_random(const SSL *ssl, unsigned char *out, size_t outlen)
5687 {
5688     const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(ssl);
5689 
5690     if (sc == NULL)
5691         return 0;
5692 
5693     if (outlen == 0)
5694         return sizeof(sc->s3.client_random);
5695     if (outlen > sizeof(sc->s3.client_random))
5696         outlen = sizeof(sc->s3.client_random);
5697     memcpy(out, sc->s3.client_random, outlen);
5698     return outlen;
5699 }
5700 
SSL_get_server_random(const SSL * ssl,unsigned char * out,size_t outlen)5701 size_t SSL_get_server_random(const SSL *ssl, unsigned char *out, size_t outlen)
5702 {
5703     const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(ssl);
5704 
5705     if (sc == NULL)
5706         return 0;
5707 
5708     if (outlen == 0)
5709         return sizeof(sc->s3.server_random);
5710     if (outlen > sizeof(sc->s3.server_random))
5711         outlen = sizeof(sc->s3.server_random);
5712     memcpy(out, sc->s3.server_random, outlen);
5713     return outlen;
5714 }
5715 
SSL_SESSION_get_master_key(const SSL_SESSION * session,unsigned char * out,size_t outlen)5716 size_t SSL_SESSION_get_master_key(const SSL_SESSION *session,
5717                                   unsigned char *out, size_t outlen)
5718 {
5719     if (outlen == 0)
5720         return session->master_key_length;
5721     if (outlen > session->master_key_length)
5722         outlen = session->master_key_length;
5723     memcpy(out, session->master_key, outlen);
5724     return outlen;
5725 }
5726 
SSL_SESSION_set1_master_key(SSL_SESSION * sess,const unsigned char * in,size_t len)5727 int SSL_SESSION_set1_master_key(SSL_SESSION *sess, const unsigned char *in,
5728                                 size_t len)
5729 {
5730     if (len > sizeof(sess->master_key))
5731         return 0;
5732 
5733     memcpy(sess->master_key, in, len);
5734     sess->master_key_length = len;
5735     return 1;
5736 }
5737 
5738 
SSL_set_ex_data(SSL * s,int idx,void * arg)5739 int SSL_set_ex_data(SSL *s, int idx, void *arg)
5740 {
5741     return CRYPTO_set_ex_data(&s->ex_data, idx, arg);
5742 }
5743 
SSL_get_ex_data(const SSL * s,int idx)5744 void *SSL_get_ex_data(const SSL *s, int idx)
5745 {
5746     return CRYPTO_get_ex_data(&s->ex_data, idx);
5747 }
5748 
SSL_CTX_set_ex_data(SSL_CTX * s,int idx,void * arg)5749 int SSL_CTX_set_ex_data(SSL_CTX *s, int idx, void *arg)
5750 {
5751     return CRYPTO_set_ex_data(&s->ex_data, idx, arg);
5752 }
5753 
SSL_CTX_get_ex_data(const SSL_CTX * s,int idx)5754 void *SSL_CTX_get_ex_data(const SSL_CTX *s, int idx)
5755 {
5756     return CRYPTO_get_ex_data(&s->ex_data, idx);
5757 }
5758 
SSL_CTX_get_cert_store(const SSL_CTX * ctx)5759 X509_STORE *SSL_CTX_get_cert_store(const SSL_CTX *ctx)
5760 {
5761     return ctx->cert_store;
5762 }
5763 
SSL_CTX_set_cert_store(SSL_CTX * ctx,X509_STORE * store)5764 void SSL_CTX_set_cert_store(SSL_CTX *ctx, X509_STORE *store)
5765 {
5766     X509_STORE_free(ctx->cert_store);
5767     ctx->cert_store = store;
5768 }
5769 
SSL_CTX_set1_cert_store(SSL_CTX * ctx,X509_STORE * store)5770 void SSL_CTX_set1_cert_store(SSL_CTX *ctx, X509_STORE *store)
5771 {
5772     if (store != NULL && !X509_STORE_up_ref(store))
5773         return;
5774 
5775     SSL_CTX_set_cert_store(ctx, store);
5776 }
5777 
SSL_want(const SSL * s)5778 int SSL_want(const SSL *s)
5779 {
5780     const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
5781 
5782 #ifndef OPENSSL_NO_QUIC
5783     if (IS_QUIC(s))
5784         return ossl_quic_want(s);
5785 #endif
5786 
5787     if (sc == NULL)
5788         return SSL_NOTHING;
5789 
5790     return sc->rwstate;
5791 }
5792 
5793 #ifndef OPENSSL_NO_PSK
SSL_CTX_use_psk_identity_hint(SSL_CTX * ctx,const char * identity_hint)5794 int SSL_CTX_use_psk_identity_hint(SSL_CTX *ctx, const char *identity_hint)
5795 {
5796     if (identity_hint != NULL && strlen(identity_hint) > PSK_MAX_IDENTITY_LEN) {
5797         ERR_raise(ERR_LIB_SSL, SSL_R_DATA_LENGTH_TOO_LONG);
5798         return 0;
5799     }
5800     OPENSSL_free(ctx->cert->psk_identity_hint);
5801     if (identity_hint != NULL) {
5802         ctx->cert->psk_identity_hint = OPENSSL_strdup(identity_hint);
5803         if (ctx->cert->psk_identity_hint == NULL)
5804             return 0;
5805     } else
5806         ctx->cert->psk_identity_hint = NULL;
5807     return 1;
5808 }
5809 
SSL_use_psk_identity_hint(SSL * s,const char * identity_hint)5810 int SSL_use_psk_identity_hint(SSL *s, const char *identity_hint)
5811 {
5812     SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
5813 
5814     if (sc == NULL)
5815         return 0;
5816 
5817     if (identity_hint != NULL && strlen(identity_hint) > PSK_MAX_IDENTITY_LEN) {
5818         ERR_raise(ERR_LIB_SSL, SSL_R_DATA_LENGTH_TOO_LONG);
5819         return 0;
5820     }
5821     OPENSSL_free(sc->cert->psk_identity_hint);
5822     if (identity_hint != NULL) {
5823         sc->cert->psk_identity_hint = OPENSSL_strdup(identity_hint);
5824         if (sc->cert->psk_identity_hint == NULL)
5825             return 0;
5826     } else
5827         sc->cert->psk_identity_hint = NULL;
5828     return 1;
5829 }
5830 
SSL_get_psk_identity_hint(const SSL * s)5831 const char *SSL_get_psk_identity_hint(const SSL *s)
5832 {
5833     const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
5834 
5835     if (sc == NULL || sc->session == NULL)
5836         return NULL;
5837 
5838     return sc->session->psk_identity_hint;
5839 }
5840 
SSL_get_psk_identity(const SSL * s)5841 const char *SSL_get_psk_identity(const SSL *s)
5842 {
5843     const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
5844 
5845     if (sc == NULL || sc->session == NULL)
5846         return NULL;
5847 
5848     return sc->session->psk_identity;
5849 }
5850 
SSL_set_psk_client_callback(SSL * s,SSL_psk_client_cb_func cb)5851 void SSL_set_psk_client_callback(SSL *s, SSL_psk_client_cb_func cb)
5852 {
5853     SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
5854 
5855     if (sc == NULL)
5856         return;
5857 
5858     sc->psk_client_callback = cb;
5859 }
5860 
SSL_CTX_set_psk_client_callback(SSL_CTX * ctx,SSL_psk_client_cb_func cb)5861 void SSL_CTX_set_psk_client_callback(SSL_CTX *ctx, SSL_psk_client_cb_func cb)
5862 {
5863     ctx->psk_client_callback = cb;
5864 }
5865 
SSL_set_psk_server_callback(SSL * s,SSL_psk_server_cb_func cb)5866 void SSL_set_psk_server_callback(SSL *s, SSL_psk_server_cb_func cb)
5867 {
5868     SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
5869 
5870     if (sc == NULL)
5871         return;
5872 
5873     sc->psk_server_callback = cb;
5874 }
5875 
SSL_CTX_set_psk_server_callback(SSL_CTX * ctx,SSL_psk_server_cb_func cb)5876 void SSL_CTX_set_psk_server_callback(SSL_CTX *ctx, SSL_psk_server_cb_func cb)
5877 {
5878     ctx->psk_server_callback = cb;
5879 }
5880 #endif
5881 
SSL_set_psk_find_session_callback(SSL * s,SSL_psk_find_session_cb_func cb)5882 void SSL_set_psk_find_session_callback(SSL *s, SSL_psk_find_session_cb_func cb)
5883 {
5884     SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
5885 
5886     if (sc == NULL)
5887         return;
5888 
5889     sc->psk_find_session_cb = cb;
5890 }
5891 
SSL_CTX_set_psk_find_session_callback(SSL_CTX * ctx,SSL_psk_find_session_cb_func cb)5892 void SSL_CTX_set_psk_find_session_callback(SSL_CTX *ctx,
5893                                            SSL_psk_find_session_cb_func cb)
5894 {
5895     ctx->psk_find_session_cb = cb;
5896 }
5897 
SSL_set_psk_use_session_callback(SSL * s,SSL_psk_use_session_cb_func cb)5898 void SSL_set_psk_use_session_callback(SSL *s, SSL_psk_use_session_cb_func cb)
5899 {
5900     SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
5901 
5902     if (sc == NULL)
5903         return;
5904 
5905     sc->psk_use_session_cb = cb;
5906 }
5907 
SSL_CTX_set_psk_use_session_callback(SSL_CTX * ctx,SSL_psk_use_session_cb_func cb)5908 void SSL_CTX_set_psk_use_session_callback(SSL_CTX *ctx,
5909                                            SSL_psk_use_session_cb_func cb)
5910 {
5911     ctx->psk_use_session_cb = cb;
5912 }
5913 
SSL_CTX_set_msg_callback(SSL_CTX * ctx,void (* cb)(int write_p,int version,int content_type,const void * buf,size_t len,SSL * ssl,void * arg))5914 void SSL_CTX_set_msg_callback(SSL_CTX *ctx,
5915                               void (*cb) (int write_p, int version,
5916                                           int content_type, const void *buf,
5917                                           size_t len, SSL *ssl, void *arg))
5918 {
5919     SSL_CTX_callback_ctrl(ctx, SSL_CTRL_SET_MSG_CALLBACK, (void (*)(void))cb);
5920 }
5921 
SSL_set_msg_callback(SSL * ssl,void (* cb)(int write_p,int version,int content_type,const void * buf,size_t len,SSL * ssl,void * arg))5922 void SSL_set_msg_callback(SSL *ssl,
5923                           void (*cb) (int write_p, int version,
5924                                       int content_type, const void *buf,
5925                                       size_t len, SSL *ssl, void *arg))
5926 {
5927     SSL_callback_ctrl(ssl, SSL_CTRL_SET_MSG_CALLBACK, (void (*)(void))cb);
5928 }
5929 
SSL_CTX_set_not_resumable_session_callback(SSL_CTX * ctx,int (* cb)(SSL * ssl,int is_forward_secure))5930 void SSL_CTX_set_not_resumable_session_callback(SSL_CTX *ctx,
5931                                                 int (*cb) (SSL *ssl,
5932                                                            int
5933                                                            is_forward_secure))
5934 {
5935     SSL_CTX_callback_ctrl(ctx, SSL_CTRL_SET_NOT_RESUMABLE_SESS_CB,
5936                           (void (*)(void))cb);
5937 }
5938 
SSL_set_not_resumable_session_callback(SSL * ssl,int (* cb)(SSL * ssl,int is_forward_secure))5939 void SSL_set_not_resumable_session_callback(SSL *ssl,
5940                                             int (*cb) (SSL *ssl,
5941                                                        int is_forward_secure))
5942 {
5943     SSL_callback_ctrl(ssl, SSL_CTRL_SET_NOT_RESUMABLE_SESS_CB,
5944                       (void (*)(void))cb);
5945 }
5946 
SSL_CTX_set_record_padding_callback(SSL_CTX * ctx,size_t (* cb)(SSL * ssl,int type,size_t len,void * arg))5947 void SSL_CTX_set_record_padding_callback(SSL_CTX *ctx,
5948                                          size_t (*cb) (SSL *ssl, int type,
5949                                                        size_t len, void *arg))
5950 {
5951     ctx->record_padding_cb = cb;
5952 }
5953 
SSL_CTX_set_record_padding_callback_arg(SSL_CTX * ctx,void * arg)5954 void SSL_CTX_set_record_padding_callback_arg(SSL_CTX *ctx, void *arg)
5955 {
5956     ctx->record_padding_arg = arg;
5957 }
5958 
SSL_CTX_get_record_padding_callback_arg(const SSL_CTX * ctx)5959 void *SSL_CTX_get_record_padding_callback_arg(const SSL_CTX *ctx)
5960 {
5961     return ctx->record_padding_arg;
5962 }
5963 
SSL_CTX_set_block_padding_ex(SSL_CTX * ctx,size_t app_block_size,size_t hs_block_size)5964 int SSL_CTX_set_block_padding_ex(SSL_CTX *ctx, size_t app_block_size,
5965                                  size_t hs_block_size)
5966 {
5967     if (IS_QUIC_CTX(ctx) && (app_block_size > 1 || hs_block_size > 1))
5968         return 0;
5969 
5970     /* block size of 0 or 1 is basically no padding */
5971     if (app_block_size == 1) {
5972         ctx->block_padding = 0;
5973     } else if (app_block_size <= SSL3_RT_MAX_PLAIN_LENGTH) {
5974         ctx->block_padding = app_block_size;
5975     } else {
5976         return 0;
5977     }
5978     if (hs_block_size == 1) {
5979         ctx->hs_padding = 0;
5980     } else if (hs_block_size <= SSL3_RT_MAX_PLAIN_LENGTH) {
5981         ctx->hs_padding = hs_block_size;
5982     } else {
5983         return 0;
5984     }
5985     return 1;
5986 }
5987 
SSL_CTX_set_block_padding(SSL_CTX * ctx,size_t block_size)5988 int SSL_CTX_set_block_padding(SSL_CTX *ctx, size_t block_size)
5989 {
5990     return SSL_CTX_set_block_padding_ex(ctx, block_size, block_size);
5991 }
5992 
SSL_set_record_padding_callback(SSL * ssl,size_t (* cb)(SSL * ssl,int type,size_t len,void * arg))5993 int SSL_set_record_padding_callback(SSL *ssl,
5994                                      size_t (*cb) (SSL *ssl, int type,
5995                                                    size_t len, void *arg))
5996 {
5997     BIO *b;
5998     SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL_ONLY(ssl);
5999 
6000     if (sc == NULL)
6001         return 0;
6002 
6003     b = SSL_get_wbio(ssl);
6004     if (b == NULL || !BIO_get_ktls_send(b)) {
6005         sc->rlayer.record_padding_cb = cb;
6006         return 1;
6007     }
6008     return 0;
6009 }
6010 
SSL_set_record_padding_callback_arg(SSL * ssl,void * arg)6011 void SSL_set_record_padding_callback_arg(SSL *ssl, void *arg)
6012 {
6013     SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(ssl);
6014 
6015     if (sc == NULL)
6016         return;
6017 
6018     sc->rlayer.record_padding_arg = arg;
6019 }
6020 
SSL_get_record_padding_callback_arg(const SSL * ssl)6021 void *SSL_get_record_padding_callback_arg(const SSL *ssl)
6022 {
6023     const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(ssl);
6024 
6025     if (sc == NULL)
6026         return NULL;
6027 
6028     return sc->rlayer.record_padding_arg;
6029 }
6030 
SSL_set_block_padding_ex(SSL * ssl,size_t app_block_size,size_t hs_block_size)6031 int SSL_set_block_padding_ex(SSL *ssl, size_t app_block_size,
6032                              size_t hs_block_size)
6033 {
6034     SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(ssl);
6035 
6036     if (sc == NULL
6037         || (IS_QUIC(ssl)
6038             && (app_block_size > 1 || hs_block_size > 1)))
6039         return 0;
6040 
6041     /* block size of 0 or 1 is basically no padding */
6042     if (app_block_size == 1) {
6043         sc->rlayer.block_padding = 0;
6044     } else if (app_block_size <= SSL3_RT_MAX_PLAIN_LENGTH) {
6045         sc->rlayer.block_padding = app_block_size;
6046     } else {
6047         return 0;
6048     }
6049     if (hs_block_size == 1) {
6050         sc->rlayer.hs_padding = 0;
6051     } else if (hs_block_size <= SSL3_RT_MAX_PLAIN_LENGTH) {
6052         sc->rlayer.hs_padding = hs_block_size;
6053     } else {
6054         return 0;
6055     }
6056     return 1;
6057 }
6058 
SSL_set_block_padding(SSL * ssl,size_t block_size)6059 int SSL_set_block_padding(SSL *ssl, size_t block_size)
6060 {
6061     return SSL_set_block_padding_ex(ssl, block_size, block_size);
6062 }
6063 
SSL_set_num_tickets(SSL * s,size_t num_tickets)6064 int SSL_set_num_tickets(SSL *s, size_t num_tickets)
6065 {
6066     SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
6067 
6068     if (sc == NULL)
6069         return 0;
6070 
6071     sc->num_tickets = num_tickets;
6072 
6073     return 1;
6074 }
6075 
SSL_get_num_tickets(const SSL * s)6076 size_t SSL_get_num_tickets(const SSL *s)
6077 {
6078     const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
6079 
6080     if (sc == NULL)
6081         return 0;
6082 
6083     return sc->num_tickets;
6084 }
6085 
SSL_CTX_set_num_tickets(SSL_CTX * ctx,size_t num_tickets)6086 int SSL_CTX_set_num_tickets(SSL_CTX *ctx, size_t num_tickets)
6087 {
6088     ctx->num_tickets = num_tickets;
6089 
6090     return 1;
6091 }
6092 
SSL_CTX_get_num_tickets(const SSL_CTX * ctx)6093 size_t SSL_CTX_get_num_tickets(const SSL_CTX *ctx)
6094 {
6095     return ctx->num_tickets;
6096 }
6097 
6098 /* Retrieve handshake hashes */
ssl_handshake_hash(SSL_CONNECTION * s,unsigned char * out,size_t outlen,size_t * hashlen)6099 int ssl_handshake_hash(SSL_CONNECTION *s,
6100                        unsigned char *out, size_t outlen,
6101                        size_t *hashlen)
6102 {
6103     EVP_MD_CTX *ctx = NULL;
6104     EVP_MD_CTX *hdgst = s->s3.handshake_dgst;
6105     int hashleni = EVP_MD_CTX_get_size(hdgst);
6106     int ret = 0;
6107 
6108     if (hashleni < 0 || (size_t)hashleni > outlen) {
6109         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
6110         goto err;
6111     }
6112 
6113     ctx = EVP_MD_CTX_new();
6114     if (ctx == NULL) {
6115         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
6116         goto err;
6117     }
6118 
6119     if (!EVP_MD_CTX_copy_ex(ctx, hdgst)
6120         || EVP_DigestFinal_ex(ctx, out, NULL) <= 0) {
6121         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
6122         goto err;
6123     }
6124 
6125     *hashlen = hashleni;
6126 
6127     ret = 1;
6128  err:
6129     EVP_MD_CTX_free(ctx);
6130     return ret;
6131 }
6132 
SSL_session_reused(const SSL * s)6133 int SSL_session_reused(const SSL *s)
6134 {
6135     const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
6136 
6137     if (sc == NULL)
6138         return 0;
6139 
6140     return sc->hit;
6141 }
6142 
SSL_is_server(const SSL * s)6143 int SSL_is_server(const SSL *s)
6144 {
6145     const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
6146 
6147     if (sc == NULL)
6148         return 0;
6149 
6150     return sc->server;
6151 }
6152 
6153 #ifndef OPENSSL_NO_DEPRECATED_1_1_0
SSL_set_debug(SSL * s,int debug)6154 void SSL_set_debug(SSL *s, int debug)
6155 {
6156     /* Old function was do-nothing anyway... */
6157     (void)s;
6158     (void)debug;
6159 }
6160 #endif
6161 
SSL_set_security_level(SSL * s,int level)6162 void SSL_set_security_level(SSL *s, int level)
6163 {
6164     SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
6165 
6166     if (sc == NULL)
6167         return;
6168 
6169     sc->cert->sec_level = level;
6170 }
6171 
SSL_get_security_level(const SSL * s)6172 int SSL_get_security_level(const SSL *s)
6173 {
6174     const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
6175 
6176     if (sc == NULL)
6177         return 0;
6178 
6179     return sc->cert->sec_level;
6180 }
6181 
SSL_set_security_callback(SSL * s,int (* cb)(const SSL * s,const SSL_CTX * ctx,int op,int bits,int nid,void * other,void * ex))6182 void SSL_set_security_callback(SSL *s,
6183                                int (*cb) (const SSL *s, const SSL_CTX *ctx,
6184                                           int op, int bits, int nid,
6185                                           void *other, void *ex))
6186 {
6187     SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
6188 
6189     if (sc == NULL)
6190         return;
6191 
6192     sc->cert->sec_cb = cb;
6193 }
6194 
SSL_get_security_callback(const SSL * s)6195 int (*SSL_get_security_callback(const SSL *s)) (const SSL *s,
6196                                                 const SSL_CTX *ctx, int op,
6197                                                 int bits, int nid, void *other,
6198                                                 void *ex) {
6199     const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
6200 
6201     if (sc == NULL)
6202         return NULL;
6203 
6204     return sc->cert->sec_cb;
6205 }
6206 
SSL_set0_security_ex_data(SSL * s,void * ex)6207 void SSL_set0_security_ex_data(SSL *s, void *ex)
6208 {
6209     SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
6210 
6211     if (sc == NULL)
6212         return;
6213 
6214     sc->cert->sec_ex = ex;
6215 }
6216 
SSL_get0_security_ex_data(const SSL * s)6217 void *SSL_get0_security_ex_data(const SSL *s)
6218 {
6219     const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
6220 
6221     if (sc == NULL)
6222         return NULL;
6223 
6224     return sc->cert->sec_ex;
6225 }
6226 
SSL_CTX_set_security_level(SSL_CTX * ctx,int level)6227 void SSL_CTX_set_security_level(SSL_CTX *ctx, int level)
6228 {
6229     ctx->cert->sec_level = level;
6230 }
6231 
SSL_CTX_get_security_level(const SSL_CTX * ctx)6232 int SSL_CTX_get_security_level(const SSL_CTX *ctx)
6233 {
6234     return ctx->cert->sec_level;
6235 }
6236 
SSL_CTX_set_security_callback(SSL_CTX * ctx,int (* cb)(const SSL * s,const SSL_CTX * ctx,int op,int bits,int nid,void * other,void * ex))6237 void SSL_CTX_set_security_callback(SSL_CTX *ctx,
6238                                    int (*cb) (const SSL *s, const SSL_CTX *ctx,
6239                                               int op, int bits, int nid,
6240                                               void *other, void *ex))
6241 {
6242     ctx->cert->sec_cb = cb;
6243 }
6244 
SSL_CTX_get_security_callback(const SSL_CTX * ctx)6245 int (*SSL_CTX_get_security_callback(const SSL_CTX *ctx)) (const SSL *s,
6246                                                           const SSL_CTX *ctx,
6247                                                           int op, int bits,
6248                                                           int nid,
6249                                                           void *other,
6250                                                           void *ex) {
6251     return ctx->cert->sec_cb;
6252 }
6253 
SSL_CTX_set0_security_ex_data(SSL_CTX * ctx,void * ex)6254 void SSL_CTX_set0_security_ex_data(SSL_CTX *ctx, void *ex)
6255 {
6256     ctx->cert->sec_ex = ex;
6257 }
6258 
SSL_CTX_get0_security_ex_data(const SSL_CTX * ctx)6259 void *SSL_CTX_get0_security_ex_data(const SSL_CTX *ctx)
6260 {
6261     return ctx->cert->sec_ex;
6262 }
6263 
SSL_CTX_get_options(const SSL_CTX * ctx)6264 uint64_t SSL_CTX_get_options(const SSL_CTX *ctx)
6265 {
6266     return ctx->options;
6267 }
6268 
SSL_get_options(const SSL * s)6269 uint64_t SSL_get_options(const SSL *s)
6270 {
6271     const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
6272 
6273 #ifndef OPENSSL_NO_QUIC
6274     if (IS_QUIC(s))
6275         return ossl_quic_get_options(s);
6276 #endif
6277 
6278     if (sc == NULL)
6279         return 0;
6280 
6281     return sc->options;
6282 }
6283 
SSL_CTX_set_options(SSL_CTX * ctx,uint64_t op)6284 uint64_t SSL_CTX_set_options(SSL_CTX *ctx, uint64_t op)
6285 {
6286     return ctx->options |= op;
6287 }
6288 
SSL_set_options(SSL * s,uint64_t op)6289 uint64_t SSL_set_options(SSL *s, uint64_t op)
6290 {
6291     SSL_CONNECTION *sc;
6292     OSSL_PARAM options[2], *opts = options;
6293 
6294 #ifndef OPENSSL_NO_QUIC
6295     if (IS_QUIC(s))
6296         return ossl_quic_set_options(s, op);
6297 #endif
6298 
6299     sc = SSL_CONNECTION_FROM_SSL(s);
6300     if (sc == NULL)
6301         return 0;
6302 
6303     sc->options |= op;
6304 
6305     *opts++ = OSSL_PARAM_construct_uint64(OSSL_LIBSSL_RECORD_LAYER_PARAM_OPTIONS,
6306                                           &sc->options);
6307     *opts = OSSL_PARAM_construct_end();
6308 
6309     /* Ignore return value */
6310     sc->rlayer.rrlmethod->set_options(sc->rlayer.rrl, options);
6311     sc->rlayer.wrlmethod->set_options(sc->rlayer.wrl, options);
6312 
6313     return sc->options;
6314 }
6315 
SSL_CTX_clear_options(SSL_CTX * ctx,uint64_t op)6316 uint64_t SSL_CTX_clear_options(SSL_CTX *ctx, uint64_t op)
6317 {
6318     return ctx->options &= ~op;
6319 }
6320 
SSL_clear_options(SSL * s,uint64_t op)6321 uint64_t SSL_clear_options(SSL *s, uint64_t op)
6322 {
6323     SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
6324     OSSL_PARAM options[2], *opts = options;
6325 
6326 #ifndef OPENSSL_NO_QUIC
6327     if (IS_QUIC(s))
6328         return ossl_quic_clear_options(s, op);
6329 #endif
6330 
6331     if (sc == NULL)
6332         return 0;
6333 
6334     sc->options &= ~op;
6335 
6336     *opts++ = OSSL_PARAM_construct_uint64(OSSL_LIBSSL_RECORD_LAYER_PARAM_OPTIONS,
6337                                           &sc->options);
6338     *opts = OSSL_PARAM_construct_end();
6339 
6340     /* Ignore return value */
6341     sc->rlayer.rrlmethod->set_options(sc->rlayer.rrl, options);
6342     sc->rlayer.wrlmethod->set_options(sc->rlayer.wrl, options);
6343 
6344     return sc->options;
6345 }
6346 
STACK_OF(X509)6347 STACK_OF(X509) *SSL_get0_verified_chain(const SSL *s)
6348 {
6349     const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
6350 
6351     if (sc == NULL)
6352         return NULL;
6353 
6354     return sc->verified_chain;
6355 }
6356 
6357 IMPLEMENT_OBJ_BSEARCH_GLOBAL_CMP_FN(SSL_CIPHER, SSL_CIPHER, ssl_cipher_id);
6358 
6359 #ifndef OPENSSL_NO_CT
6360 
6361 /*
6362  * Moves SCTs from the |src| stack to the |dst| stack.
6363  * The source of each SCT will be set to |origin|.
6364  * If |dst| points to a NULL pointer, a new stack will be created and owned by
6365  * the caller.
6366  * Returns the number of SCTs moved, or a negative integer if an error occurs.
6367  * The |dst| stack is created and possibly partially populated even in case
6368  * of error, likewise the |src| stack may be left in an intermediate state.
6369  */
ct_move_scts(STACK_OF (SCT)** dst,STACK_OF (SCT)* src,sct_source_t origin)6370 static int ct_move_scts(STACK_OF(SCT) **dst, STACK_OF(SCT) *src,
6371                         sct_source_t origin)
6372 {
6373     int scts_moved = 0;
6374     SCT *sct = NULL;
6375 
6376     if (*dst == NULL) {
6377         *dst = sk_SCT_new_null();
6378         if (*dst == NULL) {
6379             ERR_raise(ERR_LIB_SSL, ERR_R_CRYPTO_LIB);
6380             goto err;
6381         }
6382     }
6383 
6384     while ((sct = sk_SCT_pop(src)) != NULL) {
6385         if (SCT_set_source(sct, origin) != 1)
6386             goto err;
6387 
6388         if (!sk_SCT_push(*dst, sct))
6389             goto err;
6390         scts_moved += 1;
6391     }
6392 
6393     return scts_moved;
6394  err:
6395     SCT_free(sct);
6396     return -1;
6397 }
6398 
6399 /*
6400  * Look for data collected during ServerHello and parse if found.
6401  * Returns the number of SCTs extracted.
6402  */
ct_extract_tls_extension_scts(SSL_CONNECTION * s)6403 static int ct_extract_tls_extension_scts(SSL_CONNECTION *s)
6404 {
6405     int scts_extracted = 0;
6406 
6407     if (s->ext.scts != NULL) {
6408         const unsigned char *p = s->ext.scts;
6409         STACK_OF(SCT) *scts = o2i_SCT_LIST(NULL, &p, s->ext.scts_len);
6410 
6411         scts_extracted = ct_move_scts(&s->scts, scts, SCT_SOURCE_TLS_EXTENSION);
6412 
6413         SCT_LIST_free(scts);
6414     }
6415 
6416     return scts_extracted;
6417 }
6418 
6419 /*
6420  * Checks for an OCSP response and then attempts to extract any SCTs found if it
6421  * contains an SCT X509 extension. They will be stored in |s->scts|.
6422  * Returns:
6423  * - The number of SCTs extracted, assuming an OCSP response exists.
6424  * - 0 if no OCSP response exists or it contains no SCTs.
6425  * - A negative integer if an error occurs.
6426  */
ct_extract_ocsp_response_scts(SSL_CONNECTION * s)6427 static int ct_extract_ocsp_response_scts(SSL_CONNECTION *s)
6428 {
6429 # ifndef OPENSSL_NO_OCSP
6430     int scts_extracted = 0;
6431     const unsigned char *p;
6432     OCSP_BASICRESP *br = NULL;
6433     OCSP_RESPONSE *rsp = NULL;
6434     STACK_OF(SCT) *scts = NULL;
6435     int i;
6436 
6437     if (s->ext.ocsp.resp == NULL || s->ext.ocsp.resp_len == 0)
6438         goto err;
6439 
6440     p = s->ext.ocsp.resp;
6441     rsp = d2i_OCSP_RESPONSE(NULL, &p, (int)s->ext.ocsp.resp_len);
6442     if (rsp == NULL)
6443         goto err;
6444 
6445     br = OCSP_response_get1_basic(rsp);
6446     if (br == NULL)
6447         goto err;
6448 
6449     for (i = 0; i < OCSP_resp_count(br); ++i) {
6450         OCSP_SINGLERESP *single = OCSP_resp_get0(br, i);
6451 
6452         if (single == NULL)
6453             continue;
6454 
6455         scts =
6456             OCSP_SINGLERESP_get1_ext_d2i(single, NID_ct_cert_scts, NULL, NULL);
6457         scts_extracted =
6458             ct_move_scts(&s->scts, scts, SCT_SOURCE_OCSP_STAPLED_RESPONSE);
6459         if (scts_extracted < 0)
6460             goto err;
6461     }
6462  err:
6463     SCT_LIST_free(scts);
6464     OCSP_BASICRESP_free(br);
6465     OCSP_RESPONSE_free(rsp);
6466     return scts_extracted;
6467 # else
6468     /* Behave as if no OCSP response exists */
6469     return 0;
6470 # endif
6471 }
6472 
6473 /*
6474  * Attempts to extract SCTs from the peer certificate.
6475  * Return the number of SCTs extracted, or a negative integer if an error
6476  * occurs.
6477  */
ct_extract_x509v3_extension_scts(SSL_CONNECTION * s)6478 static int ct_extract_x509v3_extension_scts(SSL_CONNECTION *s)
6479 {
6480     int scts_extracted = 0;
6481     X509 *cert = s->session != NULL ? s->session->peer : NULL;
6482 
6483     if (cert != NULL) {
6484         STACK_OF(SCT) *scts =
6485             X509_get_ext_d2i(cert, NID_ct_precert_scts, NULL, NULL);
6486 
6487         scts_extracted =
6488             ct_move_scts(&s->scts, scts, SCT_SOURCE_X509V3_EXTENSION);
6489 
6490         SCT_LIST_free(scts);
6491     }
6492 
6493     return scts_extracted;
6494 }
6495 
6496 /*
6497  * Attempts to find all received SCTs by checking TLS extensions, the OCSP
6498  * response (if it exists) and X509v3 extensions in the certificate.
6499  * Returns NULL if an error occurs.
6500  */
STACK_OF(SCT)6501 const STACK_OF(SCT) *SSL_get0_peer_scts(SSL *s)
6502 {
6503     SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
6504 
6505     if (sc == NULL)
6506         return NULL;
6507 
6508     if (!sc->scts_parsed) {
6509         if (ct_extract_tls_extension_scts(sc) < 0 ||
6510             ct_extract_ocsp_response_scts(sc) < 0 ||
6511             ct_extract_x509v3_extension_scts(sc) < 0)
6512             goto err;
6513 
6514         sc->scts_parsed = 1;
6515     }
6516     return sc->scts;
6517  err:
6518     return NULL;
6519 }
6520 
ct_permissive(const CT_POLICY_EVAL_CTX * ctx,const STACK_OF (SCT)* scts,void * unused_arg)6521 static int ct_permissive(const CT_POLICY_EVAL_CTX *ctx,
6522                          const STACK_OF(SCT) *scts, void *unused_arg)
6523 {
6524     return 1;
6525 }
6526 
ct_strict(const CT_POLICY_EVAL_CTX * ctx,const STACK_OF (SCT)* scts,void * unused_arg)6527 static int ct_strict(const CT_POLICY_EVAL_CTX *ctx,
6528                      const STACK_OF(SCT) *scts, void *unused_arg)
6529 {
6530     int count = scts != NULL ? sk_SCT_num(scts) : 0;
6531     int i;
6532 
6533     for (i = 0; i < count; ++i) {
6534         SCT *sct = sk_SCT_value(scts, i);
6535         int status = SCT_get_validation_status(sct);
6536 
6537         if (status == SCT_VALIDATION_STATUS_VALID)
6538             return 1;
6539     }
6540     ERR_raise(ERR_LIB_SSL, SSL_R_NO_VALID_SCTS);
6541     return 0;
6542 }
6543 
SSL_set_ct_validation_callback(SSL * s,ssl_ct_validation_cb callback,void * arg)6544 int SSL_set_ct_validation_callback(SSL *s, ssl_ct_validation_cb callback,
6545                                    void *arg)
6546 {
6547     SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
6548 
6549     if (sc == NULL)
6550         return 0;
6551 
6552     /*
6553      * Since code exists that uses the custom extension handler for CT, look
6554      * for this and throw an error if they have already registered to use CT.
6555      */
6556     if (callback != NULL && SSL_CTX_has_client_custom_ext(s->ctx,
6557                                                           TLSEXT_TYPE_signed_certificate_timestamp))
6558     {
6559         ERR_raise(ERR_LIB_SSL, SSL_R_CUSTOM_EXT_HANDLER_ALREADY_INSTALLED);
6560         return 0;
6561     }
6562 
6563     if (callback != NULL) {
6564         /*
6565          * If we are validating CT, then we MUST accept SCTs served via OCSP
6566          */
6567         if (!SSL_set_tlsext_status_type(s, TLSEXT_STATUSTYPE_ocsp))
6568             return 0;
6569     }
6570 
6571     sc->ct_validation_callback = callback;
6572     sc->ct_validation_callback_arg = arg;
6573 
6574     return 1;
6575 }
6576 
SSL_CTX_set_ct_validation_callback(SSL_CTX * ctx,ssl_ct_validation_cb callback,void * arg)6577 int SSL_CTX_set_ct_validation_callback(SSL_CTX *ctx,
6578                                        ssl_ct_validation_cb callback, void *arg)
6579 {
6580     /*
6581      * Since code exists that uses the custom extension handler for CT, look for
6582      * this and throw an error if they have already registered to use CT.
6583      */
6584     if (callback != NULL && SSL_CTX_has_client_custom_ext(ctx,
6585                                                           TLSEXT_TYPE_signed_certificate_timestamp))
6586     {
6587         ERR_raise(ERR_LIB_SSL, SSL_R_CUSTOM_EXT_HANDLER_ALREADY_INSTALLED);
6588         return 0;
6589     }
6590 
6591     ctx->ct_validation_callback = callback;
6592     ctx->ct_validation_callback_arg = arg;
6593     return 1;
6594 }
6595 
SSL_ct_is_enabled(const SSL * s)6596 int SSL_ct_is_enabled(const SSL *s)
6597 {
6598     const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
6599 
6600     if (sc == NULL)
6601         return 0;
6602 
6603     return sc->ct_validation_callback != NULL;
6604 }
6605 
SSL_CTX_ct_is_enabled(const SSL_CTX * ctx)6606 int SSL_CTX_ct_is_enabled(const SSL_CTX *ctx)
6607 {
6608     return ctx->ct_validation_callback != NULL;
6609 }
6610 
ssl_validate_ct(SSL_CONNECTION * s)6611 int ssl_validate_ct(SSL_CONNECTION *s)
6612 {
6613     int ret = 0;
6614     X509 *cert = s->session != NULL ? s->session->peer : NULL;
6615     X509 *issuer;
6616     SSL_DANE *dane = &s->dane;
6617     CT_POLICY_EVAL_CTX *ctx = NULL;
6618     const STACK_OF(SCT) *scts;
6619 
6620     /*
6621      * If no callback is set, the peer is anonymous, or its chain is invalid,
6622      * skip SCT validation - just return success.  Applications that continue
6623      * handshakes without certificates, with unverified chains, or pinned leaf
6624      * certificates are outside the scope of the WebPKI and CT.
6625      *
6626      * The above exclusions notwithstanding the vast majority of peers will
6627      * have rather ordinary certificate chains validated by typical
6628      * applications that perform certificate verification and therefore will
6629      * process SCTs when enabled.
6630      */
6631     if (s->ct_validation_callback == NULL || cert == NULL ||
6632         s->verify_result != X509_V_OK ||
6633         s->verified_chain == NULL || sk_X509_num(s->verified_chain) <= 1)
6634         return 1;
6635 
6636     /*
6637      * CT not applicable for chains validated via DANE-TA(2) or DANE-EE(3)
6638      * trust-anchors.  See https://tools.ietf.org/html/rfc7671#section-4.2
6639      */
6640     if (DANETLS_ENABLED(dane) && dane->mtlsa != NULL) {
6641         switch (dane->mtlsa->usage) {
6642         case DANETLS_USAGE_DANE_TA:
6643         case DANETLS_USAGE_DANE_EE:
6644             return 1;
6645         }
6646     }
6647 
6648     ctx = CT_POLICY_EVAL_CTX_new_ex(SSL_CONNECTION_GET_CTX(s)->libctx,
6649                                     SSL_CONNECTION_GET_CTX(s)->propq);
6650     if (ctx == NULL) {
6651         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_CT_LIB);
6652         goto end;
6653     }
6654 
6655     issuer = sk_X509_value(s->verified_chain, 1);
6656     CT_POLICY_EVAL_CTX_set1_cert(ctx, cert);
6657     CT_POLICY_EVAL_CTX_set1_issuer(ctx, issuer);
6658     CT_POLICY_EVAL_CTX_set_shared_CTLOG_STORE(ctx,
6659             SSL_CONNECTION_GET_CTX(s)->ctlog_store);
6660     CT_POLICY_EVAL_CTX_set_time(
6661             ctx, (uint64_t)SSL_SESSION_get_time_ex(s->session) * 1000);
6662 
6663     scts = SSL_get0_peer_scts(SSL_CONNECTION_GET_SSL(s));
6664 
6665     /*
6666      * This function returns success (> 0) only when all the SCTs are valid, 0
6667      * when some are invalid, and < 0 on various internal errors (out of
6668      * memory, etc.).  Having some, or even all, invalid SCTs is not sufficient
6669      * reason to abort the handshake, that decision is up to the callback.
6670      * Therefore, we error out only in the unexpected case that the return
6671      * value is negative.
6672      *
6673      * XXX: One might well argue that the return value of this function is an
6674      * unfortunate design choice.  Its job is only to determine the validation
6675      * status of each of the provided SCTs.  So long as it correctly separates
6676      * the wheat from the chaff it should return success.  Failure in this case
6677      * ought to correspond to an inability to carry out its duties.
6678      */
6679     if (SCT_LIST_validate(scts, ctx) < 0) {
6680         SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_SCT_VERIFICATION_FAILED);
6681         goto end;
6682     }
6683 
6684     ret = s->ct_validation_callback(ctx, scts, s->ct_validation_callback_arg);
6685     if (ret < 0)
6686         ret = 0;                /* This function returns 0 on failure */
6687     if (!ret)
6688         SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_CALLBACK_FAILED);
6689 
6690  end:
6691     CT_POLICY_EVAL_CTX_free(ctx);
6692     /*
6693      * With SSL_VERIFY_NONE the session may be cached and reused despite a
6694      * failure return code here.  Also the application may wish the complete
6695      * the handshake, and then disconnect cleanly at a higher layer, after
6696      * checking the verification status of the completed connection.
6697      *
6698      * We therefore force a certificate verification failure which will be
6699      * visible via SSL_get_verify_result() and cached as part of any resumed
6700      * session.
6701      *
6702      * Note: the permissive callback is for information gathering only, always
6703      * returns success, and does not affect verification status.  Only the
6704      * strict callback or a custom application-specified callback can trigger
6705      * connection failure or record a verification error.
6706      */
6707     if (ret <= 0)
6708         s->verify_result = X509_V_ERR_NO_VALID_SCTS;
6709     return ret;
6710 }
6711 
SSL_CTX_enable_ct(SSL_CTX * ctx,int validation_mode)6712 int SSL_CTX_enable_ct(SSL_CTX *ctx, int validation_mode)
6713 {
6714     switch (validation_mode) {
6715     default:
6716         ERR_raise(ERR_LIB_SSL, SSL_R_INVALID_CT_VALIDATION_TYPE);
6717         return 0;
6718     case SSL_CT_VALIDATION_PERMISSIVE:
6719         return SSL_CTX_set_ct_validation_callback(ctx, ct_permissive, NULL);
6720     case SSL_CT_VALIDATION_STRICT:
6721         return SSL_CTX_set_ct_validation_callback(ctx, ct_strict, NULL);
6722     }
6723 }
6724 
SSL_enable_ct(SSL * s,int validation_mode)6725 int SSL_enable_ct(SSL *s, int validation_mode)
6726 {
6727     switch (validation_mode) {
6728     default:
6729         ERR_raise(ERR_LIB_SSL, SSL_R_INVALID_CT_VALIDATION_TYPE);
6730         return 0;
6731     case SSL_CT_VALIDATION_PERMISSIVE:
6732         return SSL_set_ct_validation_callback(s, ct_permissive, NULL);
6733     case SSL_CT_VALIDATION_STRICT:
6734         return SSL_set_ct_validation_callback(s, ct_strict, NULL);
6735     }
6736 }
6737 
SSL_CTX_set_default_ctlog_list_file(SSL_CTX * ctx)6738 int SSL_CTX_set_default_ctlog_list_file(SSL_CTX *ctx)
6739 {
6740     return CTLOG_STORE_load_default_file(ctx->ctlog_store);
6741 }
6742 
SSL_CTX_set_ctlog_list_file(SSL_CTX * ctx,const char * path)6743 int SSL_CTX_set_ctlog_list_file(SSL_CTX *ctx, const char *path)
6744 {
6745     return CTLOG_STORE_load_file(ctx->ctlog_store, path);
6746 }
6747 
SSL_CTX_set0_ctlog_store(SSL_CTX * ctx,CTLOG_STORE * logs)6748 void SSL_CTX_set0_ctlog_store(SSL_CTX *ctx, CTLOG_STORE *logs)
6749 {
6750     CTLOG_STORE_free(ctx->ctlog_store);
6751     ctx->ctlog_store = logs;
6752 }
6753 
SSL_CTX_get0_ctlog_store(const SSL_CTX * ctx)6754 const CTLOG_STORE *SSL_CTX_get0_ctlog_store(const SSL_CTX *ctx)
6755 {
6756     return ctx->ctlog_store;
6757 }
6758 
6759 #endif  /* OPENSSL_NO_CT */
6760 
SSL_CTX_set_client_hello_cb(SSL_CTX * c,SSL_client_hello_cb_fn cb,void * arg)6761 void SSL_CTX_set_client_hello_cb(SSL_CTX *c, SSL_client_hello_cb_fn cb,
6762                                  void *arg)
6763 {
6764     c->client_hello_cb = cb;
6765     c->client_hello_cb_arg = arg;
6766 }
6767 
SSL_CTX_set_new_pending_conn_cb(SSL_CTX * c,SSL_new_pending_conn_cb_fn cb,void * arg)6768 void SSL_CTX_set_new_pending_conn_cb(SSL_CTX *c, SSL_new_pending_conn_cb_fn cb,
6769                                      void *arg)
6770 {
6771     c->new_pending_conn_cb = cb;
6772     c->new_pending_conn_arg = arg;
6773 }
6774 
SSL_client_hello_isv2(SSL * s)6775 int SSL_client_hello_isv2(SSL *s)
6776 {
6777     const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
6778 
6779     if (sc == NULL)
6780         return 0;
6781 
6782     if (sc->clienthello == NULL)
6783         return 0;
6784     return sc->clienthello->isv2;
6785 }
6786 
SSL_client_hello_get0_legacy_version(SSL * s)6787 unsigned int SSL_client_hello_get0_legacy_version(SSL *s)
6788 {
6789     const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
6790 
6791     if (sc == NULL)
6792         return 0;
6793 
6794     if (sc->clienthello == NULL)
6795         return 0;
6796     return sc->clienthello->legacy_version;
6797 }
6798 
SSL_client_hello_get0_random(SSL * s,const unsigned char ** out)6799 size_t SSL_client_hello_get0_random(SSL *s, const unsigned char **out)
6800 {
6801     const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
6802 
6803     if (sc == NULL)
6804         return 0;
6805 
6806     if (sc->clienthello == NULL)
6807         return 0;
6808     if (out != NULL)
6809         *out = sc->clienthello->random;
6810     return SSL3_RANDOM_SIZE;
6811 }
6812 
SSL_client_hello_get0_session_id(SSL * s,const unsigned char ** out)6813 size_t SSL_client_hello_get0_session_id(SSL *s, const unsigned char **out)
6814 {
6815     const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
6816 
6817     if (sc == NULL)
6818         return 0;
6819 
6820     if (sc->clienthello == NULL)
6821         return 0;
6822     if (out != NULL)
6823         *out = sc->clienthello->session_id;
6824     return sc->clienthello->session_id_len;
6825 }
6826 
SSL_client_hello_get0_ciphers(SSL * s,const unsigned char ** out)6827 size_t SSL_client_hello_get0_ciphers(SSL *s, const unsigned char **out)
6828 {
6829     const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
6830 
6831     if (sc == NULL)
6832         return 0;
6833 
6834     if (sc->clienthello == NULL)
6835         return 0;
6836     if (out != NULL)
6837         *out = PACKET_data(&sc->clienthello->ciphersuites);
6838     return PACKET_remaining(&sc->clienthello->ciphersuites);
6839 }
6840 
SSL_client_hello_get0_compression_methods(SSL * s,const unsigned char ** out)6841 size_t SSL_client_hello_get0_compression_methods(SSL *s, const unsigned char **out)
6842 {
6843     const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
6844 
6845     if (sc == NULL)
6846         return 0;
6847 
6848     if (sc->clienthello == NULL)
6849         return 0;
6850     if (out != NULL)
6851         *out = sc->clienthello->compressions;
6852     return sc->clienthello->compressions_len;
6853 }
6854 
SSL_client_hello_get1_extensions_present(SSL * s,int ** out,size_t * outlen)6855 int SSL_client_hello_get1_extensions_present(SSL *s, int **out, size_t *outlen)
6856 {
6857     RAW_EXTENSION *ext;
6858     int *present;
6859     size_t num = 0, i;
6860     const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
6861 
6862     if (sc == NULL)
6863         return 0;
6864 
6865     if (sc->clienthello == NULL || out == NULL || outlen == NULL)
6866         return 0;
6867     for (i = 0; i < sc->clienthello->pre_proc_exts_len; i++) {
6868         ext = sc->clienthello->pre_proc_exts + i;
6869         if (ext->present)
6870             num++;
6871     }
6872     if (num == 0) {
6873         *out = NULL;
6874         *outlen = 0;
6875         return 1;
6876     }
6877     if ((present = OPENSSL_malloc(sizeof(*present) * num)) == NULL)
6878         return 0;
6879     for (i = 0; i < sc->clienthello->pre_proc_exts_len; i++) {
6880         ext = sc->clienthello->pre_proc_exts + i;
6881         if (ext->present) {
6882             if (ext->received_order >= num)
6883                 goto err;
6884             present[ext->received_order] = ext->type;
6885         }
6886     }
6887     *out = present;
6888     *outlen = num;
6889     return 1;
6890  err:
6891     OPENSSL_free(present);
6892     return 0;
6893 }
6894 
SSL_client_hello_get_extension_order(SSL * s,uint16_t * exts,size_t * num_exts)6895 int SSL_client_hello_get_extension_order(SSL *s, uint16_t *exts, size_t *num_exts)
6896 {
6897     RAW_EXTENSION *ext;
6898     size_t num = 0, i;
6899     const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
6900 
6901     if (sc == NULL)
6902         return 0;
6903 
6904     if (sc->clienthello == NULL || num_exts == NULL)
6905         return 0;
6906     for (i = 0; i < sc->clienthello->pre_proc_exts_len; i++) {
6907         ext = sc->clienthello->pre_proc_exts + i;
6908         if (ext->present)
6909             num++;
6910     }
6911     if (num == 0) {
6912         *num_exts = 0;
6913         return 1;
6914     }
6915     if (exts == NULL) {
6916         *num_exts = num;
6917         return 1;
6918     }
6919     if (*num_exts < num)
6920         return 0;
6921     for (i = 0; i < sc->clienthello->pre_proc_exts_len; i++) {
6922         ext = sc->clienthello->pre_proc_exts + i;
6923         if (ext->present) {
6924             if (ext->received_order >= num)
6925                 return 0;
6926             exts[ext->received_order] = ext->type;
6927         }
6928     }
6929     *num_exts = num;
6930     return 1;
6931 }
6932 
SSL_client_hello_get0_ext(SSL * s,unsigned int type,const unsigned char ** out,size_t * outlen)6933 int SSL_client_hello_get0_ext(SSL *s, unsigned int type, const unsigned char **out,
6934                        size_t *outlen)
6935 {
6936     size_t i;
6937     RAW_EXTENSION *r;
6938     const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
6939 
6940     if (sc == NULL)
6941         return 0;
6942 
6943     if (sc->clienthello == NULL)
6944         return 0;
6945     for (i = 0; i < sc->clienthello->pre_proc_exts_len; ++i) {
6946         r = sc->clienthello->pre_proc_exts + i;
6947         if (r->present && r->type == type) {
6948             if (out != NULL)
6949                 *out = PACKET_data(&r->data);
6950             if (outlen != NULL)
6951                 *outlen = PACKET_remaining(&r->data);
6952             return 1;
6953         }
6954     }
6955     return 0;
6956 }
6957 
SSL_free_buffers(SSL * ssl)6958 int SSL_free_buffers(SSL *ssl)
6959 {
6960     RECORD_LAYER *rl;
6961     SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL_ONLY(ssl);
6962 
6963     if (sc == NULL)
6964         return 0;
6965 
6966     rl = &sc->rlayer;
6967 
6968     return rl->rrlmethod->free_buffers(rl->rrl)
6969            && rl->wrlmethod->free_buffers(rl->wrl);
6970 }
6971 
SSL_alloc_buffers(SSL * ssl)6972 int SSL_alloc_buffers(SSL *ssl)
6973 {
6974     RECORD_LAYER *rl;
6975     SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(ssl);
6976 
6977     if (sc == NULL)
6978         return 0;
6979 
6980     /* QUIC always has buffers allocated. */
6981     if (IS_QUIC(ssl))
6982         return 1;
6983 
6984     rl = &sc->rlayer;
6985 
6986     return rl->rrlmethod->alloc_buffers(rl->rrl)
6987            && rl->wrlmethod->alloc_buffers(rl->wrl);
6988 }
6989 
SSL_CTX_set_keylog_callback(SSL_CTX * ctx,SSL_CTX_keylog_cb_func cb)6990 void SSL_CTX_set_keylog_callback(SSL_CTX *ctx, SSL_CTX_keylog_cb_func cb)
6991 {
6992     ctx->keylog_callback = cb;
6993 }
6994 
SSL_CTX_get_keylog_callback(const SSL_CTX * ctx)6995 SSL_CTX_keylog_cb_func SSL_CTX_get_keylog_callback(const SSL_CTX *ctx)
6996 {
6997     return ctx->keylog_callback;
6998 }
6999 
nss_keylog_int(const char * prefix,SSL_CONNECTION * sc,const uint8_t * parameter_1,size_t parameter_1_len,const uint8_t * parameter_2,size_t parameter_2_len)7000 static int nss_keylog_int(const char *prefix,
7001                           SSL_CONNECTION *sc,
7002                           const uint8_t *parameter_1,
7003                           size_t parameter_1_len,
7004                           const uint8_t *parameter_2,
7005                           size_t parameter_2_len)
7006 {
7007     char *out = NULL;
7008     char *cursor = NULL;
7009     size_t out_len = 0, i, prefix_len;
7010     SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(sc);
7011 
7012 #ifndef OPENSSL_NO_SSLKEYLOG
7013     if (sctx->keylog_callback == NULL && sctx->do_sslkeylog == 0)
7014         return 1;
7015 #else
7016     if (sctx->keylog_callback == NULL)
7017         return 1;
7018 #endif
7019 
7020     /*
7021      * Our output buffer will contain the following strings, rendered with
7022      * space characters in between, terminated by a NULL character: first the
7023      * prefix, then the first parameter, then the second parameter. The
7024      * meaning of each parameter depends on the specific key material being
7025      * logged. Note that the first and second parameters are encoded in
7026      * hexadecimal, so we need a buffer that is twice their lengths.
7027      */
7028     prefix_len = strlen(prefix);
7029     out_len = prefix_len + (2 * parameter_1_len) + (2 * parameter_2_len) + 3;
7030     if ((out = cursor = OPENSSL_malloc(out_len)) == NULL)
7031         return 0;
7032 
7033     memcpy(cursor, prefix, prefix_len);
7034     cursor += prefix_len;
7035     *cursor++ = ' ';
7036 
7037     for (i = 0; i < parameter_1_len; ++i)
7038         cursor += ossl_to_lowerhex(cursor, parameter_1[i]);
7039     *cursor++ = ' ';
7040 
7041     for (i = 0; i < parameter_2_len; ++i)
7042         cursor += ossl_to_lowerhex(cursor, parameter_2[i]);
7043     *cursor = '\0';
7044 
7045 #ifndef OPENSSL_NO_SSLKEYLOG
7046     if (sctx->do_sslkeylog == 1)
7047         do_sslkeylogfile(SSL_CONNECTION_GET_SSL(sc), (const char *)out);
7048 #endif
7049     if (sctx->keylog_callback != NULL)
7050         sctx->keylog_callback(SSL_CONNECTION_GET_USER_SSL(sc), (const char *)out);
7051     OPENSSL_clear_free(out, out_len);
7052     return 1;
7053 }
7054 
ssl_log_rsa_client_key_exchange(SSL_CONNECTION * sc,const uint8_t * encrypted_premaster,size_t encrypted_premaster_len,const uint8_t * premaster,size_t premaster_len)7055 int ssl_log_rsa_client_key_exchange(SSL_CONNECTION *sc,
7056                                     const uint8_t *encrypted_premaster,
7057                                     size_t encrypted_premaster_len,
7058                                     const uint8_t *premaster,
7059                                     size_t premaster_len)
7060 {
7061     if (encrypted_premaster_len < 8) {
7062         SSLfatal(sc, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
7063         return 0;
7064     }
7065 
7066     /* We only want the first 8 bytes of the encrypted premaster as a tag. */
7067     return nss_keylog_int("RSA",
7068                           sc,
7069                           encrypted_premaster,
7070                           8,
7071                           premaster,
7072                           premaster_len);
7073 }
7074 
ssl_log_secret(SSL_CONNECTION * sc,const char * label,const uint8_t * secret,size_t secret_len)7075 int ssl_log_secret(SSL_CONNECTION *sc,
7076                    const char *label,
7077                    const uint8_t *secret,
7078                    size_t secret_len)
7079 {
7080     return nss_keylog_int(label,
7081                           sc,
7082                           sc->s3.client_random,
7083                           SSL3_RANDOM_SIZE,
7084                           secret,
7085                           secret_len);
7086 }
7087 
7088 #define SSLV2_CIPHER_LEN    3
7089 
ssl_cache_cipherlist(SSL_CONNECTION * s,PACKET * cipher_suites,int sslv2format)7090 int ssl_cache_cipherlist(SSL_CONNECTION *s, PACKET *cipher_suites, int sslv2format)
7091 {
7092     int n;
7093 
7094     n = sslv2format ? SSLV2_CIPHER_LEN : TLS_CIPHER_LEN;
7095 
7096     if (PACKET_remaining(cipher_suites) == 0) {
7097         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_NO_CIPHERS_SPECIFIED);
7098         return 0;
7099     }
7100 
7101     if (PACKET_remaining(cipher_suites) % n != 0) {
7102         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST);
7103         return 0;
7104     }
7105 
7106     OPENSSL_free(s->s3.tmp.ciphers_raw);
7107     s->s3.tmp.ciphers_raw = NULL;
7108     s->s3.tmp.ciphers_rawlen = 0;
7109 
7110     if (sslv2format) {
7111         size_t numciphers = PACKET_remaining(cipher_suites) / n;
7112         PACKET sslv2ciphers = *cipher_suites;
7113         unsigned int leadbyte;
7114         unsigned char *raw;
7115 
7116         /*
7117          * We store the raw ciphers list in SSLv3+ format so we need to do some
7118          * preprocessing to convert the list first. If there are any SSLv2 only
7119          * ciphersuites with a non-zero leading byte then we are going to
7120          * slightly over allocate because we won't store those. But that isn't a
7121          * problem.
7122          */
7123         raw = OPENSSL_malloc(numciphers * TLS_CIPHER_LEN);
7124         s->s3.tmp.ciphers_raw = raw;
7125         if (raw == NULL) {
7126             SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_CRYPTO_LIB);
7127             return 0;
7128         }
7129         for (s->s3.tmp.ciphers_rawlen = 0;
7130              PACKET_remaining(&sslv2ciphers) > 0;
7131              raw += TLS_CIPHER_LEN) {
7132             if (!PACKET_get_1(&sslv2ciphers, &leadbyte)
7133                     || (leadbyte == 0
7134                         && !PACKET_copy_bytes(&sslv2ciphers, raw,
7135                                               TLS_CIPHER_LEN))
7136                     || (leadbyte != 0
7137                         && !PACKET_forward(&sslv2ciphers, TLS_CIPHER_LEN))) {
7138                 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_PACKET);
7139                 OPENSSL_free(s->s3.tmp.ciphers_raw);
7140                 s->s3.tmp.ciphers_raw = NULL;
7141                 s->s3.tmp.ciphers_rawlen = 0;
7142                 return 0;
7143             }
7144             if (leadbyte == 0)
7145                 s->s3.tmp.ciphers_rawlen += TLS_CIPHER_LEN;
7146         }
7147     } else if (!PACKET_memdup(cipher_suites, &s->s3.tmp.ciphers_raw,
7148                            &s->s3.tmp.ciphers_rawlen)) {
7149         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
7150         return 0;
7151     }
7152     return 1;
7153 }
7154 
SSL_bytes_to_cipher_list(SSL * s,const unsigned char * bytes,size_t len,int isv2format,STACK_OF (SSL_CIPHER)** sk,STACK_OF (SSL_CIPHER)** scsvs)7155 int SSL_bytes_to_cipher_list(SSL *s, const unsigned char *bytes, size_t len,
7156                              int isv2format, STACK_OF(SSL_CIPHER) **sk,
7157                              STACK_OF(SSL_CIPHER) **scsvs)
7158 {
7159     PACKET pkt;
7160     SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
7161 
7162     if (sc == NULL)
7163         return 0;
7164 
7165     if (!PACKET_buf_init(&pkt, bytes, len))
7166         return 0;
7167     return ossl_bytes_to_cipher_list(sc, &pkt, sk, scsvs, isv2format, 0);
7168 }
7169 
ossl_bytes_to_cipher_list(SSL_CONNECTION * s,PACKET * cipher_suites,STACK_OF (SSL_CIPHER)** skp,STACK_OF (SSL_CIPHER)** scsvs_out,int sslv2format,int fatal)7170 int ossl_bytes_to_cipher_list(SSL_CONNECTION *s, PACKET *cipher_suites,
7171                               STACK_OF(SSL_CIPHER) **skp,
7172                               STACK_OF(SSL_CIPHER) **scsvs_out,
7173                               int sslv2format, int fatal)
7174 {
7175     const SSL_CIPHER *c;
7176     STACK_OF(SSL_CIPHER) *sk = NULL;
7177     STACK_OF(SSL_CIPHER) *scsvs = NULL;
7178     int n;
7179     /* 3 = SSLV2_CIPHER_LEN > TLS_CIPHER_LEN = 2. */
7180     unsigned char cipher[SSLV2_CIPHER_LEN];
7181 
7182     n = sslv2format ? SSLV2_CIPHER_LEN : TLS_CIPHER_LEN;
7183 
7184     if (PACKET_remaining(cipher_suites) == 0) {
7185         if (fatal)
7186             SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_NO_CIPHERS_SPECIFIED);
7187         else
7188             ERR_raise(ERR_LIB_SSL, SSL_R_NO_CIPHERS_SPECIFIED);
7189         return 0;
7190     }
7191 
7192     if (PACKET_remaining(cipher_suites) % n != 0) {
7193         if (fatal)
7194             SSLfatal(s, SSL_AD_DECODE_ERROR,
7195                      SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST);
7196         else
7197             ERR_raise(ERR_LIB_SSL, SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST);
7198         return 0;
7199     }
7200 
7201     sk = sk_SSL_CIPHER_new_null();
7202     scsvs = sk_SSL_CIPHER_new_null();
7203     if (sk == NULL || scsvs == NULL) {
7204         if (fatal)
7205             SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_CRYPTO_LIB);
7206         else
7207             ERR_raise(ERR_LIB_SSL, ERR_R_CRYPTO_LIB);
7208         goto err;
7209     }
7210 
7211     while (PACKET_copy_bytes(cipher_suites, cipher, n)) {
7212         /*
7213          * SSLv3 ciphers wrapped in an SSLv2-compatible ClientHello have the
7214          * first byte set to zero, while true SSLv2 ciphers have a non-zero
7215          * first byte. We don't support any true SSLv2 ciphers, so skip them.
7216          */
7217         if (sslv2format && cipher[0] != '\0')
7218             continue;
7219 
7220         /* For SSLv2-compat, ignore leading 0-byte. */
7221         c = ssl_get_cipher_by_char(s, sslv2format ? &cipher[1] : cipher, 1);
7222         if (c != NULL) {
7223             if ((c->valid && !sk_SSL_CIPHER_push(sk, c)) ||
7224                 (!c->valid && !sk_SSL_CIPHER_push(scsvs, c))) {
7225                 if (fatal)
7226                     SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_CRYPTO_LIB);
7227                 else
7228                     ERR_raise(ERR_LIB_SSL, ERR_R_CRYPTO_LIB);
7229                 goto err;
7230             }
7231         }
7232     }
7233     if (PACKET_remaining(cipher_suites) > 0) {
7234         if (fatal)
7235             SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_LENGTH);
7236         else
7237             ERR_raise(ERR_LIB_SSL, SSL_R_BAD_LENGTH);
7238         goto err;
7239     }
7240 
7241     if (skp != NULL)
7242         *skp = sk;
7243     else
7244         sk_SSL_CIPHER_free(sk);
7245     if (scsvs_out != NULL)
7246         *scsvs_out = scsvs;
7247     else
7248         sk_SSL_CIPHER_free(scsvs);
7249     return 1;
7250  err:
7251     sk_SSL_CIPHER_free(sk);
7252     sk_SSL_CIPHER_free(scsvs);
7253     return 0;
7254 }
7255 
SSL_CTX_set_max_early_data(SSL_CTX * ctx,uint32_t max_early_data)7256 int SSL_CTX_set_max_early_data(SSL_CTX *ctx, uint32_t max_early_data)
7257 {
7258     ctx->max_early_data = max_early_data;
7259 
7260     return 1;
7261 }
7262 
SSL_CTX_get_max_early_data(const SSL_CTX * ctx)7263 uint32_t SSL_CTX_get_max_early_data(const SSL_CTX *ctx)
7264 {
7265     return ctx->max_early_data;
7266 }
7267 
SSL_set_max_early_data(SSL * s,uint32_t max_early_data)7268 int SSL_set_max_early_data(SSL *s, uint32_t max_early_data)
7269 {
7270     SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL_ONLY(s);
7271 
7272     if (sc == NULL)
7273         return 0;
7274 
7275     sc->max_early_data = max_early_data;
7276 
7277     return 1;
7278 }
7279 
SSL_get_max_early_data(const SSL * s)7280 uint32_t SSL_get_max_early_data(const SSL *s)
7281 {
7282     const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
7283 
7284     if (sc == NULL)
7285         return 0;
7286 
7287     return sc->max_early_data;
7288 }
7289 
SSL_CTX_set_recv_max_early_data(SSL_CTX * ctx,uint32_t recv_max_early_data)7290 int SSL_CTX_set_recv_max_early_data(SSL_CTX *ctx, uint32_t recv_max_early_data)
7291 {
7292     ctx->recv_max_early_data = recv_max_early_data;
7293 
7294     return 1;
7295 }
7296 
SSL_CTX_get_recv_max_early_data(const SSL_CTX * ctx)7297 uint32_t SSL_CTX_get_recv_max_early_data(const SSL_CTX *ctx)
7298 {
7299     return ctx->recv_max_early_data;
7300 }
7301 
SSL_set_recv_max_early_data(SSL * s,uint32_t recv_max_early_data)7302 int SSL_set_recv_max_early_data(SSL *s, uint32_t recv_max_early_data)
7303 {
7304     SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL_ONLY(s);
7305 
7306     if (sc == NULL)
7307         return 0;
7308 
7309     sc->recv_max_early_data = recv_max_early_data;
7310 
7311     return 1;
7312 }
7313 
SSL_get_recv_max_early_data(const SSL * s)7314 uint32_t SSL_get_recv_max_early_data(const SSL *s)
7315 {
7316     const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
7317 
7318     if (sc == NULL)
7319         return 0;
7320 
7321     return sc->recv_max_early_data;
7322 }
7323 
ssl_get_max_send_fragment(const SSL_CONNECTION * sc)7324 __owur unsigned int ssl_get_max_send_fragment(const SSL_CONNECTION *sc)
7325 {
7326     /* Return any active Max Fragment Len extension */
7327     if (sc->session != NULL && USE_MAX_FRAGMENT_LENGTH_EXT(sc->session))
7328         return GET_MAX_FRAGMENT_LENGTH(sc->session);
7329 
7330     /* return current SSL connection setting */
7331     return sc->max_send_fragment;
7332 }
7333 
ssl_get_split_send_fragment(const SSL_CONNECTION * sc)7334 __owur unsigned int ssl_get_split_send_fragment(const SSL_CONNECTION *sc)
7335 {
7336     /* Return a value regarding an active Max Fragment Len extension */
7337     if (sc->session != NULL && USE_MAX_FRAGMENT_LENGTH_EXT(sc->session)
7338         && sc->split_send_fragment > GET_MAX_FRAGMENT_LENGTH(sc->session))
7339         return GET_MAX_FRAGMENT_LENGTH(sc->session);
7340 
7341     /* else limit |split_send_fragment| to current |max_send_fragment| */
7342     if (sc->split_send_fragment > sc->max_send_fragment)
7343         return sc->max_send_fragment;
7344 
7345     /* return current SSL connection setting */
7346     return sc->split_send_fragment;
7347 }
7348 
SSL_stateless(SSL * s)7349 int SSL_stateless(SSL *s)
7350 {
7351     int ret;
7352     SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL_ONLY(s);
7353 
7354     if (sc == NULL)
7355         return 0;
7356 
7357     /* Ensure there is no state left over from a previous invocation */
7358     if (!SSL_clear(s))
7359         return 0;
7360 
7361     ERR_clear_error();
7362 
7363     sc->s3.flags |= TLS1_FLAGS_STATELESS;
7364     ret = SSL_accept(s);
7365     sc->s3.flags &= ~TLS1_FLAGS_STATELESS;
7366 
7367     if (ret > 0 && sc->ext.cookieok)
7368         return 1;
7369 
7370     if (sc->hello_retry_request == SSL_HRR_PENDING && !ossl_statem_in_error(sc))
7371         return 0;
7372 
7373     return -1;
7374 }
7375 
SSL_CTX_set_post_handshake_auth(SSL_CTX * ctx,int val)7376 void SSL_CTX_set_post_handshake_auth(SSL_CTX *ctx, int val)
7377 {
7378     ctx->pha_enabled = val;
7379 }
7380 
SSL_set_post_handshake_auth(SSL * ssl,int val)7381 void SSL_set_post_handshake_auth(SSL *ssl, int val)
7382 {
7383     SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL_ONLY(ssl);
7384 
7385     if (sc == NULL)
7386         return;
7387 
7388     sc->pha_enabled = val;
7389 }
7390 
SSL_verify_client_post_handshake(SSL * ssl)7391 int SSL_verify_client_post_handshake(SSL *ssl)
7392 {
7393     SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(ssl);
7394 
7395 #ifndef OPENSSL_NO_QUIC
7396     if (IS_QUIC(ssl)) {
7397         ERR_raise(ERR_LIB_SSL, SSL_R_WRONG_SSL_VERSION);
7398         return 0;
7399     }
7400 #endif
7401 
7402     if (sc == NULL)
7403         return 0;
7404 
7405     if (!SSL_CONNECTION_IS_TLS13(sc)) {
7406         ERR_raise(ERR_LIB_SSL, SSL_R_WRONG_SSL_VERSION);
7407         return 0;
7408     }
7409     if (!sc->server) {
7410         ERR_raise(ERR_LIB_SSL, SSL_R_NOT_SERVER);
7411         return 0;
7412     }
7413 
7414     if (!SSL_is_init_finished(ssl)) {
7415         ERR_raise(ERR_LIB_SSL, SSL_R_STILL_IN_INIT);
7416         return 0;
7417     }
7418 
7419     switch (sc->post_handshake_auth) {
7420     case SSL_PHA_NONE:
7421         ERR_raise(ERR_LIB_SSL, SSL_R_EXTENSION_NOT_RECEIVED);
7422         return 0;
7423     default:
7424     case SSL_PHA_EXT_SENT:
7425         ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
7426         return 0;
7427     case SSL_PHA_EXT_RECEIVED:
7428         break;
7429     case SSL_PHA_REQUEST_PENDING:
7430         ERR_raise(ERR_LIB_SSL, SSL_R_REQUEST_PENDING);
7431         return 0;
7432     case SSL_PHA_REQUESTED:
7433         ERR_raise(ERR_LIB_SSL, SSL_R_REQUEST_SENT);
7434         return 0;
7435     }
7436 
7437     sc->post_handshake_auth = SSL_PHA_REQUEST_PENDING;
7438 
7439     /* checks verify_mode and algorithm_auth */
7440     if (!send_certificate_request(sc)) {
7441         sc->post_handshake_auth = SSL_PHA_EXT_RECEIVED; /* restore on error */
7442         ERR_raise(ERR_LIB_SSL, SSL_R_INVALID_CONFIG);
7443         return 0;
7444     }
7445 
7446     ossl_statem_set_in_init(sc, 1);
7447     return 1;
7448 }
7449 
SSL_CTX_set_session_ticket_cb(SSL_CTX * ctx,SSL_CTX_generate_session_ticket_fn gen_cb,SSL_CTX_decrypt_session_ticket_fn dec_cb,void * arg)7450 int SSL_CTX_set_session_ticket_cb(SSL_CTX *ctx,
7451                                   SSL_CTX_generate_session_ticket_fn gen_cb,
7452                                   SSL_CTX_decrypt_session_ticket_fn dec_cb,
7453                                   void *arg)
7454 {
7455     ctx->generate_ticket_cb = gen_cb;
7456     ctx->decrypt_ticket_cb = dec_cb;
7457     ctx->ticket_cb_data = arg;
7458     return 1;
7459 }
7460 
SSL_CTX_set_allow_early_data_cb(SSL_CTX * ctx,SSL_allow_early_data_cb_fn cb,void * arg)7461 void SSL_CTX_set_allow_early_data_cb(SSL_CTX *ctx,
7462                                      SSL_allow_early_data_cb_fn cb,
7463                                      void *arg)
7464 {
7465     ctx->allow_early_data_cb = cb;
7466     ctx->allow_early_data_cb_data = arg;
7467 }
7468 
SSL_set_allow_early_data_cb(SSL * s,SSL_allow_early_data_cb_fn cb,void * arg)7469 void SSL_set_allow_early_data_cb(SSL *s,
7470                                  SSL_allow_early_data_cb_fn cb,
7471                                  void *arg)
7472 {
7473     SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL_ONLY(s);
7474 
7475     if (sc == NULL)
7476         return;
7477 
7478     sc->allow_early_data_cb = cb;
7479     sc->allow_early_data_cb_data = arg;
7480 }
7481 
ssl_evp_cipher_fetch(OSSL_LIB_CTX * libctx,int nid,const char * properties)7482 const EVP_CIPHER *ssl_evp_cipher_fetch(OSSL_LIB_CTX *libctx,
7483                                        int nid,
7484                                        const char *properties)
7485 {
7486     const EVP_CIPHER *ciph;
7487 
7488     ciph = tls_get_cipher_from_engine(nid);
7489     if (ciph != NULL)
7490         return ciph;
7491 
7492     /*
7493      * If there is no engine cipher then we do an explicit fetch. This may fail
7494      * and that could be ok
7495      */
7496     ERR_set_mark();
7497     ciph = EVP_CIPHER_fetch(libctx, OBJ_nid2sn(nid), properties);
7498     if (ciph != NULL) {
7499         OSSL_PARAM params[2];
7500         int decrypt_only = 0;
7501 
7502         params[0] = OSSL_PARAM_construct_int(OSSL_CIPHER_PARAM_DECRYPT_ONLY,
7503                                              &decrypt_only);
7504         params[1] = OSSL_PARAM_construct_end();
7505         if (EVP_CIPHER_get_params((EVP_CIPHER *)ciph, params)
7506             && decrypt_only) {
7507             /* If a cipher is decrypt-only, it is unusable */
7508             EVP_CIPHER_free((EVP_CIPHER *)ciph);
7509             ciph = NULL;
7510         }
7511     }
7512     ERR_pop_to_mark();
7513     return ciph;
7514 }
7515 
7516 
ssl_evp_cipher_up_ref(const EVP_CIPHER * cipher)7517 int ssl_evp_cipher_up_ref(const EVP_CIPHER *cipher)
7518 {
7519     /* Don't up-ref an implicit EVP_CIPHER */
7520     if (EVP_CIPHER_get0_provider(cipher) == NULL)
7521         return 1;
7522 
7523     /*
7524      * The cipher was explicitly fetched and therefore it is safe to cast
7525      * away the const
7526      */
7527     return EVP_CIPHER_up_ref((EVP_CIPHER *)cipher);
7528 }
7529 
ssl_evp_cipher_free(const EVP_CIPHER * cipher)7530 void ssl_evp_cipher_free(const EVP_CIPHER *cipher)
7531 {
7532     if (cipher == NULL)
7533         return;
7534 
7535     if (EVP_CIPHER_get0_provider(cipher) != NULL) {
7536         /*
7537          * The cipher was explicitly fetched and therefore it is safe to cast
7538          * away the const
7539          */
7540         EVP_CIPHER_free((EVP_CIPHER *)cipher);
7541     }
7542 }
7543 
ssl_evp_md_fetch(OSSL_LIB_CTX * libctx,int nid,const char * properties)7544 const EVP_MD *ssl_evp_md_fetch(OSSL_LIB_CTX *libctx,
7545                                int nid,
7546                                const char *properties)
7547 {
7548     const EVP_MD *md;
7549 
7550     md = tls_get_digest_from_engine(nid);
7551     if (md != NULL)
7552         return md;
7553 
7554     /* Otherwise we do an explicit fetch */
7555     ERR_set_mark();
7556     md = EVP_MD_fetch(libctx, OBJ_nid2sn(nid), properties);
7557     ERR_pop_to_mark();
7558     return md;
7559 }
7560 
ssl_evp_md_up_ref(const EVP_MD * md)7561 int ssl_evp_md_up_ref(const EVP_MD *md)
7562 {
7563     /* Don't up-ref an implicit EVP_MD */
7564     if (EVP_MD_get0_provider(md) == NULL)
7565         return 1;
7566 
7567     /*
7568      * The digest was explicitly fetched and therefore it is safe to cast
7569      * away the const
7570      */
7571     return EVP_MD_up_ref((EVP_MD *)md);
7572 }
7573 
ssl_evp_md_free(const EVP_MD * md)7574 void ssl_evp_md_free(const EVP_MD *md)
7575 {
7576     if (md == NULL)
7577         return;
7578 
7579     if (EVP_MD_get0_provider(md) != NULL) {
7580         /*
7581          * The digest was explicitly fetched and therefore it is safe to cast
7582          * away the const
7583          */
7584         EVP_MD_free((EVP_MD *)md);
7585     }
7586 }
7587 
SSL_set0_tmp_dh_pkey(SSL * s,EVP_PKEY * dhpkey)7588 int SSL_set0_tmp_dh_pkey(SSL *s, EVP_PKEY *dhpkey)
7589 {
7590     SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
7591 
7592     if (sc == NULL)
7593         return 0;
7594 
7595     if (!ssl_security(sc, SSL_SECOP_TMP_DH,
7596                       EVP_PKEY_get_security_bits(dhpkey), 0, dhpkey)) {
7597         ERR_raise(ERR_LIB_SSL, SSL_R_DH_KEY_TOO_SMALL);
7598         return 0;
7599     }
7600     EVP_PKEY_free(sc->cert->dh_tmp);
7601     sc->cert->dh_tmp = dhpkey;
7602     return 1;
7603 }
7604 
SSL_CTX_set0_tmp_dh_pkey(SSL_CTX * ctx,EVP_PKEY * dhpkey)7605 int SSL_CTX_set0_tmp_dh_pkey(SSL_CTX *ctx, EVP_PKEY *dhpkey)
7606 {
7607     if (!ssl_ctx_security(ctx, SSL_SECOP_TMP_DH,
7608                           EVP_PKEY_get_security_bits(dhpkey), 0, dhpkey)) {
7609         ERR_raise(ERR_LIB_SSL, SSL_R_DH_KEY_TOO_SMALL);
7610         return 0;
7611     }
7612     EVP_PKEY_free(ctx->cert->dh_tmp);
7613     ctx->cert->dh_tmp = dhpkey;
7614     return 1;
7615 }
7616 
7617 /* QUIC-specific methods which are supported on QUIC connections only. */
SSL_handle_events(SSL * s)7618 int SSL_handle_events(SSL *s)
7619 {
7620     SSL_CONNECTION *sc;
7621 
7622 #ifndef OPENSSL_NO_QUIC
7623     if (IS_QUIC(s))
7624         return ossl_quic_handle_events(s);
7625 #endif
7626 
7627     sc = SSL_CONNECTION_FROM_SSL_ONLY(s);
7628     if (sc != NULL && SSL_CONNECTION_IS_DTLS(sc))
7629         /*
7630          * DTLSv1_handle_timeout returns 0 if the timer wasn't expired yet,
7631          * which we consider a success case. Theoretically DTLSv1_handle_timeout
7632          * can also return 0 if s is NULL or not a DTLS object, but we've
7633          * already ruled out those possibilities above, so this is not possible
7634          * here. Thus the only failure cases are where DTLSv1_handle_timeout
7635          * returns -1.
7636          */
7637         return DTLSv1_handle_timeout(s) >= 0;
7638 
7639     return 1;
7640 }
7641 
SSL_get_event_timeout(SSL * s,struct timeval * tv,int * is_infinite)7642 int SSL_get_event_timeout(SSL *s, struct timeval *tv, int *is_infinite)
7643 {
7644     SSL_CONNECTION *sc;
7645 
7646 #ifndef OPENSSL_NO_QUIC
7647     if (IS_QUIC(s))
7648         return ossl_quic_get_event_timeout(s, tv, is_infinite);
7649 #endif
7650 
7651     sc = SSL_CONNECTION_FROM_SSL_ONLY(s);
7652     if (sc != NULL && SSL_CONNECTION_IS_DTLS(sc)
7653         && DTLSv1_get_timeout(s, tv)) {
7654         *is_infinite = 0;
7655         return 1;
7656     }
7657 
7658     tv->tv_sec  = 1000000;
7659     tv->tv_usec = 0;
7660     *is_infinite = 1;
7661     return 1;
7662 }
7663 
SSL_get_rpoll_descriptor(SSL * s,BIO_POLL_DESCRIPTOR * desc)7664 int SSL_get_rpoll_descriptor(SSL *s, BIO_POLL_DESCRIPTOR *desc)
7665 {
7666     SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
7667 
7668 #ifndef OPENSSL_NO_QUIC
7669     if (IS_QUIC(s))
7670         return ossl_quic_get_rpoll_descriptor(s, desc);
7671 #endif
7672 
7673     if (sc == NULL || sc->rbio == NULL)
7674         return 0;
7675 
7676     return BIO_get_rpoll_descriptor(sc->rbio, desc);
7677 }
7678 
SSL_get_wpoll_descriptor(SSL * s,BIO_POLL_DESCRIPTOR * desc)7679 int SSL_get_wpoll_descriptor(SSL *s, BIO_POLL_DESCRIPTOR *desc)
7680 {
7681     SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
7682 
7683 #ifndef OPENSSL_NO_QUIC
7684     if (IS_QUIC(s))
7685         return ossl_quic_get_wpoll_descriptor(s, desc);
7686 #endif
7687 
7688     if (sc == NULL || sc->wbio == NULL)
7689         return 0;
7690 
7691     return BIO_get_wpoll_descriptor(sc->wbio, desc);
7692 }
7693 
SSL_net_read_desired(SSL * s)7694 int SSL_net_read_desired(SSL *s)
7695 {
7696 #ifndef OPENSSL_NO_QUIC
7697     if (!IS_QUIC(s))
7698         return SSL_want_read(s);
7699 
7700     return ossl_quic_get_net_read_desired(s);
7701 #else
7702     return SSL_want_read(s);
7703 #endif
7704 }
7705 
SSL_net_write_desired(SSL * s)7706 int SSL_net_write_desired(SSL *s)
7707 {
7708 #ifndef OPENSSL_NO_QUIC
7709     if (!IS_QUIC(s))
7710         return SSL_want_write(s);
7711 
7712     return ossl_quic_get_net_write_desired(s);
7713 #else
7714     return SSL_want_write(s);
7715 #endif
7716 }
7717 
SSL_set_blocking_mode(SSL * s,int blocking)7718 int SSL_set_blocking_mode(SSL *s, int blocking)
7719 {
7720 #ifndef OPENSSL_NO_QUIC
7721     if (!IS_QUIC(s))
7722         return 0;
7723 
7724     return ossl_quic_conn_set_blocking_mode(s, blocking);
7725 #else
7726     return 0;
7727 #endif
7728 }
7729 
SSL_get_blocking_mode(SSL * s)7730 int SSL_get_blocking_mode(SSL *s)
7731 {
7732 #ifndef OPENSSL_NO_QUIC
7733     if (!IS_QUIC(s))
7734         return -1;
7735 
7736     return ossl_quic_conn_get_blocking_mode(s);
7737 #else
7738     return -1;
7739 #endif
7740 }
7741 
SSL_set1_initial_peer_addr(SSL * s,const BIO_ADDR * peer_addr)7742 int SSL_set1_initial_peer_addr(SSL *s, const BIO_ADDR *peer_addr)
7743 {
7744 #ifndef OPENSSL_NO_QUIC
7745     if (!IS_QUIC(s))
7746         return 0;
7747 
7748     return ossl_quic_conn_set_initial_peer_addr(s, peer_addr);
7749 #else
7750     return 0;
7751 #endif
7752 }
7753 
SSL_shutdown_ex(SSL * ssl,uint64_t flags,const SSL_SHUTDOWN_EX_ARGS * args,size_t args_len)7754 int SSL_shutdown_ex(SSL *ssl, uint64_t flags,
7755                     const SSL_SHUTDOWN_EX_ARGS *args,
7756                     size_t args_len)
7757 {
7758 #ifndef OPENSSL_NO_QUIC
7759     if (!IS_QUIC(ssl))
7760         return SSL_shutdown(ssl);
7761 
7762     return ossl_quic_conn_shutdown(ssl, flags, args, args_len);
7763 #else
7764     return SSL_shutdown(ssl);
7765 #endif
7766 }
7767 
SSL_stream_conclude(SSL * ssl,uint64_t flags)7768 int SSL_stream_conclude(SSL *ssl, uint64_t flags)
7769 {
7770 #ifndef OPENSSL_NO_QUIC
7771     if (!IS_QUIC(ssl))
7772         return 0;
7773 
7774     return ossl_quic_conn_stream_conclude(ssl);
7775 #else
7776     return 0;
7777 #endif
7778 }
7779 
SSL_new_stream(SSL * s,uint64_t flags)7780 SSL *SSL_new_stream(SSL *s, uint64_t flags)
7781 {
7782 #ifndef OPENSSL_NO_QUIC
7783     if (!IS_QUIC(s))
7784         return NULL;
7785 
7786     return ossl_quic_conn_stream_new(s, flags);
7787 #else
7788     return NULL;
7789 #endif
7790 }
7791 
SSL_get0_connection(SSL * s)7792 SSL *SSL_get0_connection(SSL *s)
7793 {
7794 #ifndef OPENSSL_NO_QUIC
7795     if (!IS_QUIC(s))
7796         return s;
7797 
7798     return ossl_quic_get0_connection(s);
7799 #else
7800     return s;
7801 #endif
7802 }
7803 
SSL_is_connection(SSL * s)7804 int SSL_is_connection(SSL *s)
7805 {
7806     return SSL_get0_connection(s) == s;
7807 }
7808 
SSL_get0_listener(SSL * s)7809 SSL *SSL_get0_listener(SSL *s)
7810 {
7811 #ifndef OPENSSL_NO_QUIC
7812     if (!IS_QUIC(s))
7813         return NULL;
7814 
7815     return ossl_quic_get0_listener(s);
7816 #else
7817     return NULL;
7818 #endif
7819 }
7820 
SSL_get0_domain(SSL * s)7821 SSL *SSL_get0_domain(SSL *s)
7822 {
7823 #ifndef OPENSSL_NO_QUIC
7824     if (!IS_QUIC(s))
7825         return NULL;
7826 
7827     return ossl_quic_get0_domain(s);
7828 #else
7829     return NULL;
7830 #endif
7831 }
7832 
SSL_is_listener(SSL * s)7833 int SSL_is_listener(SSL *s)
7834 {
7835     return SSL_get0_listener(s) == s;
7836 }
7837 
SSL_is_domain(SSL * s)7838 int SSL_is_domain(SSL *s)
7839 {
7840     return SSL_get0_domain(s) == s;
7841 }
7842 
SSL_get_stream_type(SSL * s)7843 int SSL_get_stream_type(SSL *s)
7844 {
7845 #ifndef OPENSSL_NO_QUIC
7846     if (!IS_QUIC(s))
7847         return SSL_STREAM_TYPE_BIDI;
7848 
7849     return ossl_quic_get_stream_type(s);
7850 #else
7851     return SSL_STREAM_TYPE_BIDI;
7852 #endif
7853 }
7854 
SSL_get_stream_id(SSL * s)7855 uint64_t SSL_get_stream_id(SSL *s)
7856 {
7857 #ifndef OPENSSL_NO_QUIC
7858     if (!IS_QUIC(s))
7859         return UINT64_MAX;
7860 
7861     return ossl_quic_get_stream_id(s);
7862 #else
7863     return UINT64_MAX;
7864 #endif
7865 }
7866 
SSL_is_stream_local(SSL * s)7867 int SSL_is_stream_local(SSL *s)
7868 {
7869 #ifndef OPENSSL_NO_QUIC
7870     if (!IS_QUIC(s))
7871         return -1;
7872 
7873     return ossl_quic_is_stream_local(s);
7874 #else
7875     return -1;
7876 #endif
7877 }
7878 
SSL_set_default_stream_mode(SSL * s,uint32_t mode)7879 int SSL_set_default_stream_mode(SSL *s, uint32_t mode)
7880 {
7881 #ifndef OPENSSL_NO_QUIC
7882     if (!IS_QUIC(s))
7883         return 0;
7884 
7885     return ossl_quic_set_default_stream_mode(s, mode);
7886 #else
7887     return 0;
7888 #endif
7889 }
7890 
SSL_set_incoming_stream_policy(SSL * s,int policy,uint64_t aec)7891 int SSL_set_incoming_stream_policy(SSL *s, int policy, uint64_t aec)
7892 {
7893 #ifndef OPENSSL_NO_QUIC
7894     if (!IS_QUIC(s))
7895         return 0;
7896 
7897     return ossl_quic_set_incoming_stream_policy(s, policy, aec);
7898 #else
7899     return 0;
7900 #endif
7901 }
7902 
SSL_accept_stream(SSL * s,uint64_t flags)7903 SSL *SSL_accept_stream(SSL *s, uint64_t flags)
7904 {
7905 #ifndef OPENSSL_NO_QUIC
7906     if (!IS_QUIC(s))
7907         return NULL;
7908 
7909     return ossl_quic_accept_stream(s, flags);
7910 #else
7911     return NULL;
7912 #endif
7913 }
7914 
SSL_get_accept_stream_queue_len(SSL * s)7915 size_t SSL_get_accept_stream_queue_len(SSL *s)
7916 {
7917 #ifndef OPENSSL_NO_QUIC
7918     if (!IS_QUIC(s))
7919         return 0;
7920 
7921     return ossl_quic_get_accept_stream_queue_len(s);
7922 #else
7923     return 0;
7924 #endif
7925 }
7926 
SSL_stream_reset(SSL * s,const SSL_STREAM_RESET_ARGS * args,size_t args_len)7927 int SSL_stream_reset(SSL *s,
7928                      const SSL_STREAM_RESET_ARGS *args,
7929                      size_t args_len)
7930 {
7931 #ifndef OPENSSL_NO_QUIC
7932     if (!IS_QUIC(s))
7933         return 0;
7934 
7935     return ossl_quic_stream_reset(s, args, args_len);
7936 #else
7937     return 0;
7938 #endif
7939 }
7940 
SSL_get_stream_read_state(SSL * s)7941 int SSL_get_stream_read_state(SSL *s)
7942 {
7943 #ifndef OPENSSL_NO_QUIC
7944     if (!IS_QUIC(s))
7945         return SSL_STREAM_STATE_NONE;
7946 
7947     return ossl_quic_get_stream_read_state(s);
7948 #else
7949     return SSL_STREAM_STATE_NONE;
7950 #endif
7951 }
7952 
SSL_get_stream_write_state(SSL * s)7953 int SSL_get_stream_write_state(SSL *s)
7954 {
7955 #ifndef OPENSSL_NO_QUIC
7956     if (!IS_QUIC(s))
7957         return SSL_STREAM_STATE_NONE;
7958 
7959     return ossl_quic_get_stream_write_state(s);
7960 #else
7961     return SSL_STREAM_STATE_NONE;
7962 #endif
7963 }
7964 
SSL_get_stream_read_error_code(SSL * s,uint64_t * app_error_code)7965 int SSL_get_stream_read_error_code(SSL *s, uint64_t *app_error_code)
7966 {
7967 #ifndef OPENSSL_NO_QUIC
7968     if (!IS_QUIC(s))
7969         return -1;
7970 
7971     return ossl_quic_get_stream_read_error_code(s, app_error_code);
7972 #else
7973     return -1;
7974 #endif
7975 }
7976 
SSL_get_stream_write_error_code(SSL * s,uint64_t * app_error_code)7977 int SSL_get_stream_write_error_code(SSL *s, uint64_t *app_error_code)
7978 {
7979 #ifndef OPENSSL_NO_QUIC
7980     if (!IS_QUIC(s))
7981         return -1;
7982 
7983     return ossl_quic_get_stream_write_error_code(s, app_error_code);
7984 #else
7985     return -1;
7986 #endif
7987 }
7988 
SSL_get_conn_close_info(SSL * s,SSL_CONN_CLOSE_INFO * info,size_t info_len)7989 int SSL_get_conn_close_info(SSL *s, SSL_CONN_CLOSE_INFO *info,
7990                             size_t info_len)
7991 {
7992 #ifndef OPENSSL_NO_QUIC
7993     if (!IS_QUIC(s))
7994         return -1;
7995 
7996     return ossl_quic_get_conn_close_info(s, info, info_len);
7997 #else
7998     return -1;
7999 #endif
8000 }
8001 
SSL_get_value_uint(SSL * s,uint32_t class_,uint32_t id,uint64_t * value)8002 int SSL_get_value_uint(SSL *s, uint32_t class_, uint32_t id,
8003                        uint64_t *value)
8004 {
8005 #ifndef OPENSSL_NO_QUIC
8006     if (IS_QUIC(s))
8007         return ossl_quic_get_value_uint(s, class_, id, value);
8008 #endif
8009 
8010     ERR_raise(ERR_LIB_SSL, SSL_R_UNSUPPORTED_PROTOCOL);
8011     return 0;
8012 }
8013 
SSL_set_value_uint(SSL * s,uint32_t class_,uint32_t id,uint64_t value)8014 int SSL_set_value_uint(SSL *s, uint32_t class_, uint32_t id,
8015                        uint64_t value)
8016 {
8017 #ifndef OPENSSL_NO_QUIC
8018     if (IS_QUIC(s))
8019         return ossl_quic_set_value_uint(s, class_, id, value);
8020 #endif
8021 
8022     ERR_raise(ERR_LIB_SSL, SSL_R_UNSUPPORTED_PROTOCOL);
8023     return 0;
8024 }
8025 
SSL_new_listener(SSL_CTX * ctx,uint64_t flags)8026 SSL *SSL_new_listener(SSL_CTX *ctx, uint64_t flags)
8027 {
8028 #ifndef OPENSSL_NO_QUIC
8029     if (!IS_QUIC_CTX(ctx))
8030         return NULL;
8031 
8032     return ossl_quic_new_listener(ctx, flags);
8033 #else
8034     return NULL;
8035 #endif
8036 }
8037 
SSL_new_listener_from(SSL * ssl,uint64_t flags)8038 SSL *SSL_new_listener_from(SSL *ssl, uint64_t flags)
8039 {
8040 #ifndef OPENSSL_NO_QUIC
8041     if (!IS_QUIC(ssl))
8042         return NULL;
8043 
8044     return ossl_quic_new_listener_from(ssl, flags);
8045 #else
8046     return NULL;
8047 #endif
8048 }
8049 
SSL_new_from_listener(SSL * ssl,uint64_t flags)8050 SSL *SSL_new_from_listener(SSL *ssl, uint64_t flags)
8051 {
8052 #ifndef OPENSSL_NO_QUIC
8053     if (!IS_QUIC(ssl))
8054         return NULL;
8055 
8056     return ossl_quic_new_from_listener(ssl, flags);
8057 #else
8058     return NULL;
8059 #endif
8060 }
8061 
SSL_accept_connection(SSL * ssl,uint64_t flags)8062 SSL *SSL_accept_connection(SSL *ssl, uint64_t flags)
8063 {
8064 #ifndef OPENSSL_NO_QUIC
8065     if (!IS_QUIC(ssl))
8066         return NULL;
8067 
8068     return ossl_quic_accept_connection(ssl, flags);
8069 #else
8070     return NULL;
8071 #endif
8072 }
8073 
SSL_get_accept_connection_queue_len(SSL * ssl)8074 size_t SSL_get_accept_connection_queue_len(SSL *ssl)
8075 {
8076 #ifndef OPENSSL_NO_QUIC
8077     if (!IS_QUIC(ssl))
8078         return 0;
8079 
8080     return ossl_quic_get_accept_connection_queue_len(ssl);
8081 #else
8082     return 0;
8083 #endif
8084 }
8085 
SSL_listen(SSL * ssl)8086 int SSL_listen(SSL *ssl)
8087 {
8088 #ifndef OPENSSL_NO_QUIC
8089     if (!IS_QUIC(ssl))
8090         return 0;
8091 
8092     return ossl_quic_listen(ssl);
8093 #else
8094     return 0;
8095 #endif
8096 }
8097 
SSL_new_domain(SSL_CTX * ctx,uint64_t flags)8098 SSL *SSL_new_domain(SSL_CTX *ctx, uint64_t flags)
8099 {
8100 #ifndef OPENSSL_NO_QUIC
8101     if (!IS_QUIC_CTX(ctx))
8102         return NULL;
8103 
8104     return ossl_quic_new_domain(ctx, flags);
8105 #else
8106     return NULL;
8107 #endif
8108 }
8109 
ossl_adjust_domain_flags(uint64_t domain_flags,uint64_t * p_domain_flags)8110 int ossl_adjust_domain_flags(uint64_t domain_flags, uint64_t *p_domain_flags)
8111 {
8112     if ((domain_flags & ~OSSL_QUIC_SUPPORTED_DOMAIN_FLAGS) != 0) {
8113         ERR_raise_data(ERR_LIB_SSL, ERR_R_UNSUPPORTED,
8114                        "unsupported domain flag requested");
8115         return 0;
8116     }
8117 
8118     if ((domain_flags & SSL_DOMAIN_FLAG_THREAD_ASSISTED) != 0)
8119         domain_flags |= SSL_DOMAIN_FLAG_MULTI_THREAD;
8120 
8121     if ((domain_flags & (SSL_DOMAIN_FLAG_MULTI_THREAD
8122                          | SSL_DOMAIN_FLAG_SINGLE_THREAD)) == 0)
8123         domain_flags |= SSL_DOMAIN_FLAG_MULTI_THREAD;
8124 
8125     if ((domain_flags & SSL_DOMAIN_FLAG_SINGLE_THREAD) != 0
8126         && (domain_flags & SSL_DOMAIN_FLAG_MULTI_THREAD) != 0) {
8127         ERR_raise_data(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT,
8128                        "mutually exclusive domain flags specified");
8129         return 0;
8130     }
8131 
8132     /*
8133      * Note: We treat MULTI_THREAD as a no-op in non-threaded builds, but
8134      * not THREAD_ASSISTED.
8135      */
8136 # ifndef OPENSSL_THREADS
8137     if ((domain_flags & SSL_DOMAIN_FLAG_THREAD_ASSISTED) != 0) {
8138         ERR_raise_data(ERR_LIB_SSL, ERR_R_UNSUPPORTED,
8139                        "thread assisted mode not available in this build");
8140         return 0;
8141     }
8142 # endif
8143 
8144     *p_domain_flags = domain_flags;
8145     return 1;
8146 }
8147 
SSL_CTX_set_domain_flags(SSL_CTX * ctx,uint64_t domain_flags)8148 int SSL_CTX_set_domain_flags(SSL_CTX *ctx, uint64_t domain_flags)
8149 {
8150 #ifndef OPENSSL_NO_QUIC
8151     if (IS_QUIC_CTX(ctx)) {
8152         if (!ossl_adjust_domain_flags(domain_flags, &domain_flags))
8153             return 0;
8154 
8155         ctx->domain_flags = domain_flags;
8156         return 1;
8157     }
8158 #endif
8159 
8160     ERR_raise_data(ERR_LIB_SSL, ERR_R_UNSUPPORTED,
8161                    "domain flags unsupported on this kind of SSL_CTX");
8162     return 0;
8163 }
8164 
SSL_CTX_get_domain_flags(const SSL_CTX * ctx,uint64_t * domain_flags)8165 int SSL_CTX_get_domain_flags(const SSL_CTX *ctx, uint64_t *domain_flags)
8166 {
8167 #ifndef OPENSSL_NO_QUIC
8168     if (IS_QUIC_CTX(ctx)) {
8169         if (domain_flags != NULL)
8170             *domain_flags = ctx->domain_flags;
8171 
8172         return 1;
8173     }
8174 #endif
8175 
8176     ERR_raise_data(ERR_LIB_SSL, ERR_R_UNSUPPORTED,
8177                    "domain flags unsupported on this kind of SSL_CTX");
8178     return 0;
8179 }
8180 
SSL_get_domain_flags(const SSL * ssl,uint64_t * domain_flags)8181 int SSL_get_domain_flags(const SSL *ssl, uint64_t *domain_flags)
8182 {
8183 #ifndef OPENSSL_NO_QUIC
8184     if (IS_QUIC(ssl))
8185         return ossl_quic_get_domain_flags(ssl, domain_flags);
8186 #endif
8187 
8188     return 0;
8189 }
8190 
SSL_add_expected_rpk(SSL * s,EVP_PKEY * rpk)8191 int SSL_add_expected_rpk(SSL *s, EVP_PKEY *rpk)
8192 {
8193     unsigned char *data = NULL;
8194     SSL_DANE *dane = SSL_get0_dane(s);
8195     int ret;
8196 
8197     if (dane == NULL || dane->dctx == NULL)
8198         return 0;
8199     if ((ret = i2d_PUBKEY(rpk, &data)) <= 0)
8200         return 0;
8201 
8202     ret = SSL_dane_tlsa_add(s, DANETLS_USAGE_DANE_EE,
8203                             DANETLS_SELECTOR_SPKI,
8204                             DANETLS_MATCHING_FULL,
8205                             data, (size_t)ret) > 0;
8206     OPENSSL_free(data);
8207     return ret;
8208 }
8209 
SSL_get0_peer_rpk(const SSL * s)8210 EVP_PKEY *SSL_get0_peer_rpk(const SSL *s)
8211 {
8212     SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
8213 
8214     if (sc == NULL || sc->session == NULL)
8215         return NULL;
8216     return sc->session->peer_rpk;
8217 }
8218 
SSL_get_negotiated_client_cert_type(const SSL * s)8219 int SSL_get_negotiated_client_cert_type(const SSL *s)
8220 {
8221     SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
8222 
8223     if (sc == NULL)
8224         return 0;
8225 
8226     return sc->ext.client_cert_type;
8227 }
8228 
SSL_get_negotiated_server_cert_type(const SSL * s)8229 int SSL_get_negotiated_server_cert_type(const SSL *s)
8230 {
8231     SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
8232 
8233     if (sc == NULL)
8234         return 0;
8235 
8236     return sc->ext.server_cert_type;
8237 }
8238 
validate_cert_type(const unsigned char * val,size_t len)8239 static int validate_cert_type(const unsigned char *val, size_t len)
8240 {
8241     size_t i;
8242     int saw_rpk = 0;
8243     int saw_x509 = 0;
8244 
8245     if (val == NULL && len == 0)
8246         return 1;
8247 
8248     if (val == NULL || len == 0)
8249         return 0;
8250 
8251     for (i = 0; i < len; i++) {
8252         switch (val[i]) {
8253         case TLSEXT_cert_type_rpk:
8254             if (saw_rpk)
8255                 return 0;
8256             saw_rpk = 1;
8257             break;
8258         case TLSEXT_cert_type_x509:
8259             if (saw_x509)
8260                 return 0;
8261             saw_x509 = 1;
8262             break;
8263         case TLSEXT_cert_type_pgp:
8264         case TLSEXT_cert_type_1609dot2:
8265         default:
8266             return 0;
8267         }
8268     }
8269     return 1;
8270 }
8271 
set_cert_type(unsigned char ** cert_type,size_t * cert_type_len,const unsigned char * val,size_t len)8272 static int set_cert_type(unsigned char **cert_type,
8273                          size_t *cert_type_len,
8274                          const unsigned char *val,
8275                          size_t len)
8276 {
8277     unsigned char *tmp = NULL;
8278 
8279     if (!validate_cert_type(val, len))
8280         return 0;
8281 
8282     if (val != NULL && (tmp = OPENSSL_memdup(val, len)) == NULL)
8283         return 0;
8284 
8285     OPENSSL_free(*cert_type);
8286     *cert_type = tmp;
8287     *cert_type_len = len;
8288     return 1;
8289 }
8290 
SSL_set1_client_cert_type(SSL * s,const unsigned char * val,size_t len)8291 int SSL_set1_client_cert_type(SSL *s, const unsigned char *val, size_t len)
8292 {
8293     SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
8294 
8295     if (sc == NULL)
8296         return 0;
8297 
8298     return set_cert_type(&sc->client_cert_type, &sc->client_cert_type_len,
8299                          val, len);
8300 }
8301 
SSL_set1_server_cert_type(SSL * s,const unsigned char * val,size_t len)8302 int SSL_set1_server_cert_type(SSL *s, const unsigned char *val, size_t len)
8303 {
8304     SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
8305 
8306     if (sc == NULL)
8307         return 0;
8308 
8309     return set_cert_type(&sc->server_cert_type, &sc->server_cert_type_len,
8310                          val, len);
8311 }
8312 
SSL_CTX_set1_client_cert_type(SSL_CTX * ctx,const unsigned char * val,size_t len)8313 int SSL_CTX_set1_client_cert_type(SSL_CTX *ctx, const unsigned char *val, size_t len)
8314 {
8315     return set_cert_type(&ctx->client_cert_type, &ctx->client_cert_type_len,
8316                          val, len);
8317 }
8318 
SSL_CTX_set1_server_cert_type(SSL_CTX * ctx,const unsigned char * val,size_t len)8319 int SSL_CTX_set1_server_cert_type(SSL_CTX *ctx, const unsigned char *val, size_t len)
8320 {
8321     return set_cert_type(&ctx->server_cert_type, &ctx->server_cert_type_len,
8322                          val, len);
8323 }
8324 
SSL_get0_client_cert_type(const SSL * s,unsigned char ** t,size_t * len)8325 int SSL_get0_client_cert_type(const SSL *s, unsigned char **t, size_t *len)
8326 {
8327     const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
8328 
8329     if (t == NULL || len == NULL || sc == NULL)
8330         return 0;
8331 
8332     *t = sc->client_cert_type;
8333     *len = sc->client_cert_type_len;
8334     return 1;
8335 }
8336 
SSL_get0_server_cert_type(const SSL * s,unsigned char ** t,size_t * len)8337 int SSL_get0_server_cert_type(const SSL *s, unsigned char **t, size_t *len)
8338 {
8339     const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
8340 
8341     if (t == NULL || len == NULL || sc == NULL)
8342         return 0;
8343 
8344     *t = sc->server_cert_type;
8345     *len = sc->server_cert_type_len;
8346     return 1;
8347 }
8348 
SSL_CTX_get0_client_cert_type(const SSL_CTX * ctx,unsigned char ** t,size_t * len)8349 int SSL_CTX_get0_client_cert_type(const SSL_CTX *ctx, unsigned char **t, size_t *len)
8350 {
8351     if (t == NULL || len == NULL)
8352         return 0;
8353 
8354     *t = ctx->client_cert_type;
8355     *len = ctx->client_cert_type_len;
8356     return 1;
8357 }
8358 
SSL_CTX_get0_server_cert_type(const SSL_CTX * ctx,unsigned char ** t,size_t * len)8359 int SSL_CTX_get0_server_cert_type(const SSL_CTX *ctx, unsigned char **t, size_t *len)
8360 {
8361     if (t == NULL || len == NULL)
8362         return 0;
8363 
8364     *t = ctx->server_cert_type;
8365     *len = ctx->server_cert_type_len;
8366     return 1;
8367 }
8368