1 /* 2 * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. 3 * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved 4 * Copyright 2005 Nokia. All rights reserved. 5 * 6 * Licensed under the OpenSSL license (the "License"). You may not use 7 * this file except in compliance with the License. You can obtain a copy 8 * in the file LICENSE in the source distribution or at 9 * https://www.openssl.org/source/license.html 10 */ 11 12 #include <stdio.h> 13 #include "ssl_local.h" 14 #include "e_os.h" 15 #include <openssl/objects.h> 16 #include <openssl/x509v3.h> 17 #include <openssl/rand.h> 18 #include <openssl/rand_drbg.h> 19 #include <openssl/ocsp.h> 20 #include <openssl/dh.h> 21 #include <openssl/engine.h> 22 #include <openssl/async.h> 23 #include <openssl/ct.h> 24 #include "internal/cryptlib.h" 25 #include "internal/refcount.h" 26 #include "internal/ktls.h" 27 28 const char SSL_version_str[] = OPENSSL_VERSION_TEXT; 29 30 static int ssl_undefined_function_1(SSL *ssl, SSL3_RECORD *r, size_t s, int t) 31 { 32 (void)r; 33 (void)s; 34 (void)t; 35 return ssl_undefined_function(ssl); 36 } 37 38 static int ssl_undefined_function_2(SSL *ssl, SSL3_RECORD *r, unsigned char *s, 39 int t) 40 { 41 (void)r; 42 (void)s; 43 (void)t; 44 return ssl_undefined_function(ssl); 45 } 46 47 static int ssl_undefined_function_3(SSL *ssl, unsigned char *r, 48 unsigned char *s, size_t t, size_t *u) 49 { 50 (void)r; 51 (void)s; 52 (void)t; 53 (void)u; 54 return ssl_undefined_function(ssl); 55 } 56 57 static int ssl_undefined_function_4(SSL *ssl, int r) 58 { 59 (void)r; 60 return ssl_undefined_function(ssl); 61 } 62 63 static size_t ssl_undefined_function_5(SSL *ssl, const char *r, size_t s, 64 unsigned char *t) 65 { 66 (void)r; 67 (void)s; 68 (void)t; 69 return ssl_undefined_function(ssl); 70 } 71 72 static int ssl_undefined_function_6(int r) 73 { 74 (void)r; 75 return ssl_undefined_function(NULL); 76 } 77 78 static int ssl_undefined_function_7(SSL *ssl, unsigned char *r, size_t s, 79 const char *t, size_t u, 80 const unsigned char *v, size_t w, int x) 81 { 82 (void)r; 83 (void)s; 84 (void)t; 85 (void)u; 86 (void)v; 87 (void)w; 88 (void)x; 89 return ssl_undefined_function(ssl); 90 } 91 92 SSL3_ENC_METHOD ssl3_undef_enc_method = { 93 ssl_undefined_function_1, 94 ssl_undefined_function_2, 95 ssl_undefined_function, 96 ssl_undefined_function_3, 97 ssl_undefined_function_4, 98 ssl_undefined_function_5, 99 NULL, /* client_finished_label */ 100 0, /* client_finished_label_len */ 101 NULL, /* server_finished_label */ 102 0, /* server_finished_label_len */ 103 ssl_undefined_function_6, 104 ssl_undefined_function_7, 105 }; 106 107 struct ssl_async_args { 108 SSL *s; 109 void *buf; 110 size_t num; 111 enum { READFUNC, WRITEFUNC, OTHERFUNC } type; 112 union { 113 int (*func_read) (SSL *, void *, size_t, size_t *); 114 int (*func_write) (SSL *, const void *, size_t, size_t *); 115 int (*func_other) (SSL *); 116 } f; 117 }; 118 119 static const struct { 120 uint8_t mtype; 121 uint8_t ord; 122 int nid; 123 } dane_mds[] = { 124 { 125 DANETLS_MATCHING_FULL, 0, NID_undef 126 }, 127 { 128 DANETLS_MATCHING_2256, 1, NID_sha256 129 }, 130 { 131 DANETLS_MATCHING_2512, 2, NID_sha512 132 }, 133 }; 134 135 static int dane_ctx_enable(struct dane_ctx_st *dctx) 136 { 137 const EVP_MD **mdevp; 138 uint8_t *mdord; 139 uint8_t mdmax = DANETLS_MATCHING_LAST; 140 int n = ((int)mdmax) + 1; /* int to handle PrivMatch(255) */ 141 size_t i; 142 143 if (dctx->mdevp != NULL) 144 return 1; 145 146 mdevp = OPENSSL_zalloc(n * sizeof(*mdevp)); 147 mdord = OPENSSL_zalloc(n * sizeof(*mdord)); 148 149 if (mdord == NULL || mdevp == NULL) { 150 OPENSSL_free(mdord); 151 OPENSSL_free(mdevp); 152 SSLerr(SSL_F_DANE_CTX_ENABLE, ERR_R_MALLOC_FAILURE); 153 return 0; 154 } 155 156 /* Install default entries */ 157 for (i = 0; i < OSSL_NELEM(dane_mds); ++i) { 158 const EVP_MD *md; 159 160 if (dane_mds[i].nid == NID_undef || 161 (md = EVP_get_digestbynid(dane_mds[i].nid)) == NULL) 162 continue; 163 mdevp[dane_mds[i].mtype] = md; 164 mdord[dane_mds[i].mtype] = dane_mds[i].ord; 165 } 166 167 dctx->mdevp = mdevp; 168 dctx->mdord = mdord; 169 dctx->mdmax = mdmax; 170 171 return 1; 172 } 173 174 static void dane_ctx_final(struct dane_ctx_st *dctx) 175 { 176 OPENSSL_free(dctx->mdevp); 177 dctx->mdevp = NULL; 178 179 OPENSSL_free(dctx->mdord); 180 dctx->mdord = NULL; 181 dctx->mdmax = 0; 182 } 183 184 static void tlsa_free(danetls_record *t) 185 { 186 if (t == NULL) 187 return; 188 OPENSSL_free(t->data); 189 EVP_PKEY_free(t->spki); 190 OPENSSL_free(t); 191 } 192 193 static void dane_final(SSL_DANE *dane) 194 { 195 sk_danetls_record_pop_free(dane->trecs, tlsa_free); 196 dane->trecs = NULL; 197 198 sk_X509_pop_free(dane->certs, X509_free); 199 dane->certs = NULL; 200 201 X509_free(dane->mcert); 202 dane->mcert = NULL; 203 dane->mtlsa = NULL; 204 dane->mdpth = -1; 205 dane->pdpth = -1; 206 } 207 208 /* 209 * dane_copy - Copy dane configuration, sans verification state. 210 */ 211 static int ssl_dane_dup(SSL *to, SSL *from) 212 { 213 int num; 214 int i; 215 216 if (!DANETLS_ENABLED(&from->dane)) 217 return 1; 218 219 num = sk_danetls_record_num(from->dane.trecs); 220 dane_final(&to->dane); 221 to->dane.flags = from->dane.flags; 222 to->dane.dctx = &to->ctx->dane; 223 to->dane.trecs = sk_danetls_record_new_reserve(NULL, num); 224 225 if (to->dane.trecs == NULL) { 226 SSLerr(SSL_F_SSL_DANE_DUP, ERR_R_MALLOC_FAILURE); 227 return 0; 228 } 229 230 for (i = 0; i < num; ++i) { 231 danetls_record *t = sk_danetls_record_value(from->dane.trecs, i); 232 233 if (SSL_dane_tlsa_add(to, t->usage, t->selector, t->mtype, 234 t->data, t->dlen) <= 0) 235 return 0; 236 } 237 return 1; 238 } 239 240 static int dane_mtype_set(struct dane_ctx_st *dctx, 241 const EVP_MD *md, uint8_t mtype, uint8_t ord) 242 { 243 int i; 244 245 if (mtype == DANETLS_MATCHING_FULL && md != NULL) { 246 SSLerr(SSL_F_DANE_MTYPE_SET, SSL_R_DANE_CANNOT_OVERRIDE_MTYPE_FULL); 247 return 0; 248 } 249 250 if (mtype > dctx->mdmax) { 251 const EVP_MD **mdevp; 252 uint8_t *mdord; 253 int n = ((int)mtype) + 1; 254 255 mdevp = OPENSSL_realloc(dctx->mdevp, n * sizeof(*mdevp)); 256 if (mdevp == NULL) { 257 SSLerr(SSL_F_DANE_MTYPE_SET, ERR_R_MALLOC_FAILURE); 258 return -1; 259 } 260 dctx->mdevp = mdevp; 261 262 mdord = OPENSSL_realloc(dctx->mdord, n * sizeof(*mdord)); 263 if (mdord == NULL) { 264 SSLerr(SSL_F_DANE_MTYPE_SET, ERR_R_MALLOC_FAILURE); 265 return -1; 266 } 267 dctx->mdord = mdord; 268 269 /* Zero-fill any gaps */ 270 for (i = dctx->mdmax + 1; i < mtype; ++i) { 271 mdevp[i] = NULL; 272 mdord[i] = 0; 273 } 274 275 dctx->mdmax = mtype; 276 } 277 278 dctx->mdevp[mtype] = md; 279 /* Coerce ordinal of disabled matching types to 0 */ 280 dctx->mdord[mtype] = (md == NULL) ? 0 : ord; 281 282 return 1; 283 } 284 285 static const EVP_MD *tlsa_md_get(SSL_DANE *dane, uint8_t mtype) 286 { 287 if (mtype > dane->dctx->mdmax) 288 return NULL; 289 return dane->dctx->mdevp[mtype]; 290 } 291 292 static int dane_tlsa_add(SSL_DANE *dane, 293 uint8_t usage, 294 uint8_t selector, 295 uint8_t mtype, unsigned const char *data, size_t dlen) 296 { 297 danetls_record *t; 298 const EVP_MD *md = NULL; 299 int ilen = (int)dlen; 300 int i; 301 int num; 302 303 if (dane->trecs == NULL) { 304 SSLerr(SSL_F_DANE_TLSA_ADD, SSL_R_DANE_NOT_ENABLED); 305 return -1; 306 } 307 308 if (ilen < 0 || dlen != (size_t)ilen) { 309 SSLerr(SSL_F_DANE_TLSA_ADD, SSL_R_DANE_TLSA_BAD_DATA_LENGTH); 310 return 0; 311 } 312 313 if (usage > DANETLS_USAGE_LAST) { 314 SSLerr(SSL_F_DANE_TLSA_ADD, SSL_R_DANE_TLSA_BAD_CERTIFICATE_USAGE); 315 return 0; 316 } 317 318 if (selector > DANETLS_SELECTOR_LAST) { 319 SSLerr(SSL_F_DANE_TLSA_ADD, SSL_R_DANE_TLSA_BAD_SELECTOR); 320 return 0; 321 } 322 323 if (mtype != DANETLS_MATCHING_FULL) { 324 md = tlsa_md_get(dane, mtype); 325 if (md == NULL) { 326 SSLerr(SSL_F_DANE_TLSA_ADD, SSL_R_DANE_TLSA_BAD_MATCHING_TYPE); 327 return 0; 328 } 329 } 330 331 if (md != NULL && dlen != (size_t)EVP_MD_size(md)) { 332 SSLerr(SSL_F_DANE_TLSA_ADD, SSL_R_DANE_TLSA_BAD_DIGEST_LENGTH); 333 return 0; 334 } 335 if (!data) { 336 SSLerr(SSL_F_DANE_TLSA_ADD, SSL_R_DANE_TLSA_NULL_DATA); 337 return 0; 338 } 339 340 if ((t = OPENSSL_zalloc(sizeof(*t))) == NULL) { 341 SSLerr(SSL_F_DANE_TLSA_ADD, ERR_R_MALLOC_FAILURE); 342 return -1; 343 } 344 345 t->usage = usage; 346 t->selector = selector; 347 t->mtype = mtype; 348 t->data = OPENSSL_malloc(dlen); 349 if (t->data == NULL) { 350 tlsa_free(t); 351 SSLerr(SSL_F_DANE_TLSA_ADD, ERR_R_MALLOC_FAILURE); 352 return -1; 353 } 354 memcpy(t->data, data, dlen); 355 t->dlen = dlen; 356 357 /* Validate and cache full certificate or public key */ 358 if (mtype == DANETLS_MATCHING_FULL) { 359 const unsigned char *p = data; 360 X509 *cert = NULL; 361 EVP_PKEY *pkey = NULL; 362 363 switch (selector) { 364 case DANETLS_SELECTOR_CERT: 365 if (!d2i_X509(&cert, &p, ilen) || p < data || 366 dlen != (size_t)(p - data)) { 367 tlsa_free(t); 368 SSLerr(SSL_F_DANE_TLSA_ADD, SSL_R_DANE_TLSA_BAD_CERTIFICATE); 369 return 0; 370 } 371 if (X509_get0_pubkey(cert) == NULL) { 372 tlsa_free(t); 373 SSLerr(SSL_F_DANE_TLSA_ADD, SSL_R_DANE_TLSA_BAD_CERTIFICATE); 374 return 0; 375 } 376 377 if ((DANETLS_USAGE_BIT(usage) & DANETLS_TA_MASK) == 0) { 378 X509_free(cert); 379 break; 380 } 381 382 /* 383 * For usage DANE-TA(2), we support authentication via "2 0 0" TLSA 384 * records that contain full certificates of trust-anchors that are 385 * not present in the wire chain. For usage PKIX-TA(0), we augment 386 * the chain with untrusted Full(0) certificates from DNS, in case 387 * they are missing from the chain. 388 */ 389 if ((dane->certs == NULL && 390 (dane->certs = sk_X509_new_null()) == NULL) || 391 !sk_X509_push(dane->certs, cert)) { 392 SSLerr(SSL_F_DANE_TLSA_ADD, ERR_R_MALLOC_FAILURE); 393 X509_free(cert); 394 tlsa_free(t); 395 return -1; 396 } 397 break; 398 399 case DANETLS_SELECTOR_SPKI: 400 if (!d2i_PUBKEY(&pkey, &p, ilen) || p < data || 401 dlen != (size_t)(p - data)) { 402 tlsa_free(t); 403 SSLerr(SSL_F_DANE_TLSA_ADD, SSL_R_DANE_TLSA_BAD_PUBLIC_KEY); 404 return 0; 405 } 406 407 /* 408 * For usage DANE-TA(2), we support authentication via "2 1 0" TLSA 409 * records that contain full bare keys of trust-anchors that are 410 * not present in the wire chain. 411 */ 412 if (usage == DANETLS_USAGE_DANE_TA) 413 t->spki = pkey; 414 else 415 EVP_PKEY_free(pkey); 416 break; 417 } 418 } 419 420 /*- 421 * Find the right insertion point for the new record. 422 * 423 * See crypto/x509/x509_vfy.c. We sort DANE-EE(3) records first, so that 424 * they can be processed first, as they require no chain building, and no 425 * expiration or hostname checks. Because DANE-EE(3) is numerically 426 * largest, this is accomplished via descending sort by "usage". 427 * 428 * We also sort in descending order by matching ordinal to simplify 429 * the implementation of digest agility in the verification code. 430 * 431 * The choice of order for the selector is not significant, so we 432 * use the same descending order for consistency. 433 */ 434 num = sk_danetls_record_num(dane->trecs); 435 for (i = 0; i < num; ++i) { 436 danetls_record *rec = sk_danetls_record_value(dane->trecs, i); 437 438 if (rec->usage > usage) 439 continue; 440 if (rec->usage < usage) 441 break; 442 if (rec->selector > selector) 443 continue; 444 if (rec->selector < selector) 445 break; 446 if (dane->dctx->mdord[rec->mtype] > dane->dctx->mdord[mtype]) 447 continue; 448 break; 449 } 450 451 if (!sk_danetls_record_insert(dane->trecs, t, i)) { 452 tlsa_free(t); 453 SSLerr(SSL_F_DANE_TLSA_ADD, ERR_R_MALLOC_FAILURE); 454 return -1; 455 } 456 dane->umask |= DANETLS_USAGE_BIT(usage); 457 458 return 1; 459 } 460 461 /* 462 * Return 0 if there is only one version configured and it was disabled 463 * at configure time. Return 1 otherwise. 464 */ 465 static int ssl_check_allowed_versions(int min_version, int max_version) 466 { 467 int minisdtls = 0, maxisdtls = 0; 468 469 /* Figure out if we're doing DTLS versions or TLS versions */ 470 if (min_version == DTLS1_BAD_VER 471 || min_version >> 8 == DTLS1_VERSION_MAJOR) 472 minisdtls = 1; 473 if (max_version == DTLS1_BAD_VER 474 || max_version >> 8 == DTLS1_VERSION_MAJOR) 475 maxisdtls = 1; 476 /* A wildcard version of 0 could be DTLS or TLS. */ 477 if ((minisdtls && !maxisdtls && max_version != 0) 478 || (maxisdtls && !minisdtls && min_version != 0)) { 479 /* Mixing DTLS and TLS versions will lead to sadness; deny it. */ 480 return 0; 481 } 482 483 if (minisdtls || maxisdtls) { 484 /* Do DTLS version checks. */ 485 if (min_version == 0) 486 /* Ignore DTLS1_BAD_VER */ 487 min_version = DTLS1_VERSION; 488 if (max_version == 0) 489 max_version = DTLS1_2_VERSION; 490 #ifdef OPENSSL_NO_DTLS1_2 491 if (max_version == DTLS1_2_VERSION) 492 max_version = DTLS1_VERSION; 493 #endif 494 #ifdef OPENSSL_NO_DTLS1 495 if (min_version == DTLS1_VERSION) 496 min_version = DTLS1_2_VERSION; 497 #endif 498 /* Done massaging versions; do the check. */ 499 if (0 500 #ifdef OPENSSL_NO_DTLS1 501 || (DTLS_VERSION_GE(min_version, DTLS1_VERSION) 502 && DTLS_VERSION_GE(DTLS1_VERSION, max_version)) 503 #endif 504 #ifdef OPENSSL_NO_DTLS1_2 505 || (DTLS_VERSION_GE(min_version, DTLS1_2_VERSION) 506 && DTLS_VERSION_GE(DTLS1_2_VERSION, max_version)) 507 #endif 508 ) 509 return 0; 510 } else { 511 /* Regular TLS version checks. */ 512 if (min_version == 0) 513 min_version = SSL3_VERSION; 514 if (max_version == 0) 515 max_version = TLS1_3_VERSION; 516 #ifdef OPENSSL_NO_TLS1_3 517 if (max_version == TLS1_3_VERSION) 518 max_version = TLS1_2_VERSION; 519 #endif 520 #ifdef OPENSSL_NO_TLS1_2 521 if (max_version == TLS1_2_VERSION) 522 max_version = TLS1_1_VERSION; 523 #endif 524 #ifdef OPENSSL_NO_TLS1_1 525 if (max_version == TLS1_1_VERSION) 526 max_version = TLS1_VERSION; 527 #endif 528 #ifdef OPENSSL_NO_TLS1 529 if (max_version == TLS1_VERSION) 530 max_version = SSL3_VERSION; 531 #endif 532 #ifdef OPENSSL_NO_SSL3 533 if (min_version == SSL3_VERSION) 534 min_version = TLS1_VERSION; 535 #endif 536 #ifdef OPENSSL_NO_TLS1 537 if (min_version == TLS1_VERSION) 538 min_version = TLS1_1_VERSION; 539 #endif 540 #ifdef OPENSSL_NO_TLS1_1 541 if (min_version == TLS1_1_VERSION) 542 min_version = TLS1_2_VERSION; 543 #endif 544 #ifdef OPENSSL_NO_TLS1_2 545 if (min_version == TLS1_2_VERSION) 546 min_version = TLS1_3_VERSION; 547 #endif 548 /* Done massaging versions; do the check. */ 549 if (0 550 #ifdef OPENSSL_NO_SSL3 551 || (min_version <= SSL3_VERSION && SSL3_VERSION <= max_version) 552 #endif 553 #ifdef OPENSSL_NO_TLS1 554 || (min_version <= TLS1_VERSION && TLS1_VERSION <= max_version) 555 #endif 556 #ifdef OPENSSL_NO_TLS1_1 557 || (min_version <= TLS1_1_VERSION && TLS1_1_VERSION <= max_version) 558 #endif 559 #ifdef OPENSSL_NO_TLS1_2 560 || (min_version <= TLS1_2_VERSION && TLS1_2_VERSION <= max_version) 561 #endif 562 #ifdef OPENSSL_NO_TLS1_3 563 || (min_version <= TLS1_3_VERSION && TLS1_3_VERSION <= max_version) 564 #endif 565 ) 566 return 0; 567 } 568 return 1; 569 } 570 571 static void clear_ciphers(SSL *s) 572 { 573 /* clear the current cipher */ 574 ssl_clear_cipher_ctx(s); 575 ssl_clear_hash_ctx(&s->read_hash); 576 ssl_clear_hash_ctx(&s->write_hash); 577 } 578 579 int SSL_clear(SSL *s) 580 { 581 if (s->method == NULL) { 582 SSLerr(SSL_F_SSL_CLEAR, SSL_R_NO_METHOD_SPECIFIED); 583 return 0; 584 } 585 586 if (ssl_clear_bad_session(s)) { 587 SSL_SESSION_free(s->session); 588 s->session = NULL; 589 } 590 SSL_SESSION_free(s->psksession); 591 s->psksession = NULL; 592 OPENSSL_free(s->psksession_id); 593 s->psksession_id = NULL; 594 s->psksession_id_len = 0; 595 s->hello_retry_request = 0; 596 s->sent_tickets = 0; 597 598 s->error = 0; 599 s->hit = 0; 600 s->shutdown = 0; 601 602 if (s->renegotiate) { 603 SSLerr(SSL_F_SSL_CLEAR, ERR_R_INTERNAL_ERROR); 604 return 0; 605 } 606 607 ossl_statem_clear(s); 608 609 s->version = s->method->version; 610 s->client_version = s->version; 611 s->rwstate = SSL_NOTHING; 612 613 BUF_MEM_free(s->init_buf); 614 s->init_buf = NULL; 615 clear_ciphers(s); 616 s->first_packet = 0; 617 618 s->key_update = SSL_KEY_UPDATE_NONE; 619 620 EVP_MD_CTX_free(s->pha_dgst); 621 s->pha_dgst = NULL; 622 623 /* Reset DANE verification result state */ 624 s->dane.mdpth = -1; 625 s->dane.pdpth = -1; 626 X509_free(s->dane.mcert); 627 s->dane.mcert = NULL; 628 s->dane.mtlsa = NULL; 629 630 /* Clear the verification result peername */ 631 X509_VERIFY_PARAM_move_peername(s->param, NULL); 632 633 /* Clear any shared connection state */ 634 OPENSSL_free(s->shared_sigalgs); 635 s->shared_sigalgs = NULL; 636 s->shared_sigalgslen = 0; 637 638 /* 639 * Check to see if we were changed into a different method, if so, revert 640 * back. 641 */ 642 if (s->method != s->ctx->method) { 643 s->method->ssl_free(s); 644 s->method = s->ctx->method; 645 if (!s->method->ssl_new(s)) 646 return 0; 647 } else { 648 if (!s->method->ssl_clear(s)) 649 return 0; 650 } 651 652 RECORD_LAYER_clear(&s->rlayer); 653 654 return 1; 655 } 656 657 /** Used to change an SSL_CTXs default SSL method type */ 658 int SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *meth) 659 { 660 STACK_OF(SSL_CIPHER) *sk; 661 662 ctx->method = meth; 663 664 if (!SSL_CTX_set_ciphersuites(ctx, TLS_DEFAULT_CIPHERSUITES)) { 665 SSLerr(SSL_F_SSL_CTX_SET_SSL_VERSION, SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS); 666 return 0; 667 } 668 sk = ssl_create_cipher_list(ctx->method, 669 ctx->tls13_ciphersuites, 670 &(ctx->cipher_list), 671 &(ctx->cipher_list_by_id), 672 SSL_DEFAULT_CIPHER_LIST, ctx->cert); 673 if ((sk == NULL) || (sk_SSL_CIPHER_num(sk) <= 0)) { 674 SSLerr(SSL_F_SSL_CTX_SET_SSL_VERSION, SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS); 675 return 0; 676 } 677 return 1; 678 } 679 680 SSL *SSL_new(SSL_CTX *ctx) 681 { 682 SSL *s; 683 684 if (ctx == NULL) { 685 SSLerr(SSL_F_SSL_NEW, SSL_R_NULL_SSL_CTX); 686 return NULL; 687 } 688 if (ctx->method == NULL) { 689 SSLerr(SSL_F_SSL_NEW, SSL_R_SSL_CTX_HAS_NO_DEFAULT_SSL_VERSION); 690 return NULL; 691 } 692 693 s = OPENSSL_zalloc(sizeof(*s)); 694 if (s == NULL) 695 goto err; 696 697 s->references = 1; 698 s->lock = CRYPTO_THREAD_lock_new(); 699 if (s->lock == NULL) { 700 OPENSSL_free(s); 701 s = NULL; 702 goto err; 703 } 704 705 RECORD_LAYER_init(&s->rlayer, s); 706 707 s->options = ctx->options; 708 s->dane.flags = ctx->dane.flags; 709 s->min_proto_version = ctx->min_proto_version; 710 s->max_proto_version = ctx->max_proto_version; 711 s->mode = ctx->mode; 712 s->max_cert_list = ctx->max_cert_list; 713 s->max_early_data = ctx->max_early_data; 714 s->recv_max_early_data = ctx->recv_max_early_data; 715 s->num_tickets = ctx->num_tickets; 716 s->pha_enabled = ctx->pha_enabled; 717 718 /* Shallow copy of the ciphersuites stack */ 719 s->tls13_ciphersuites = sk_SSL_CIPHER_dup(ctx->tls13_ciphersuites); 720 if (s->tls13_ciphersuites == NULL) 721 goto err; 722 723 /* 724 * Earlier library versions used to copy the pointer to the CERT, not 725 * its contents; only when setting new parameters for the per-SSL 726 * copy, ssl_cert_new would be called (and the direct reference to 727 * the per-SSL_CTX settings would be lost, but those still were 728 * indirectly accessed for various purposes, and for that reason they 729 * used to be known as s->ctx->default_cert). Now we don't look at the 730 * SSL_CTX's CERT after having duplicated it once. 731 */ 732 s->cert = ssl_cert_dup(ctx->cert); 733 if (s->cert == NULL) 734 goto err; 735 736 RECORD_LAYER_set_read_ahead(&s->rlayer, ctx->read_ahead); 737 s->msg_callback = ctx->msg_callback; 738 s->msg_callback_arg = ctx->msg_callback_arg; 739 s->verify_mode = ctx->verify_mode; 740 s->not_resumable_session_cb = ctx->not_resumable_session_cb; 741 s->record_padding_cb = ctx->record_padding_cb; 742 s->record_padding_arg = ctx->record_padding_arg; 743 s->block_padding = ctx->block_padding; 744 s->sid_ctx_length = ctx->sid_ctx_length; 745 if (!ossl_assert(s->sid_ctx_length <= sizeof(s->sid_ctx))) 746 goto err; 747 memcpy(&s->sid_ctx, &ctx->sid_ctx, sizeof(s->sid_ctx)); 748 s->verify_callback = ctx->default_verify_callback; 749 s->generate_session_id = ctx->generate_session_id; 750 751 s->param = X509_VERIFY_PARAM_new(); 752 if (s->param == NULL) 753 goto err; 754 X509_VERIFY_PARAM_inherit(s->param, ctx->param); 755 s->quiet_shutdown = ctx->quiet_shutdown; 756 757 s->ext.max_fragment_len_mode = ctx->ext.max_fragment_len_mode; 758 s->max_send_fragment = ctx->max_send_fragment; 759 s->split_send_fragment = ctx->split_send_fragment; 760 s->max_pipelines = ctx->max_pipelines; 761 if (s->max_pipelines > 1) 762 RECORD_LAYER_set_read_ahead(&s->rlayer, 1); 763 if (ctx->default_read_buf_len > 0) 764 SSL_set_default_read_buffer_len(s, ctx->default_read_buf_len); 765 766 SSL_CTX_up_ref(ctx); 767 s->ctx = ctx; 768 s->ext.debug_cb = 0; 769 s->ext.debug_arg = NULL; 770 s->ext.ticket_expected = 0; 771 s->ext.status_type = ctx->ext.status_type; 772 s->ext.status_expected = 0; 773 s->ext.ocsp.ids = NULL; 774 s->ext.ocsp.exts = NULL; 775 s->ext.ocsp.resp = NULL; 776 s->ext.ocsp.resp_len = 0; 777 SSL_CTX_up_ref(ctx); 778 s->session_ctx = ctx; 779 #ifndef OPENSSL_NO_EC 780 if (ctx->ext.ecpointformats) { 781 s->ext.ecpointformats = 782 OPENSSL_memdup(ctx->ext.ecpointformats, 783 ctx->ext.ecpointformats_len); 784 if (!s->ext.ecpointformats) 785 goto err; 786 s->ext.ecpointformats_len = 787 ctx->ext.ecpointformats_len; 788 } 789 if (ctx->ext.supportedgroups) { 790 s->ext.supportedgroups = 791 OPENSSL_memdup(ctx->ext.supportedgroups, 792 ctx->ext.supportedgroups_len 793 * sizeof(*ctx->ext.supportedgroups)); 794 if (!s->ext.supportedgroups) 795 goto err; 796 s->ext.supportedgroups_len = ctx->ext.supportedgroups_len; 797 } 798 #endif 799 #ifndef OPENSSL_NO_NEXTPROTONEG 800 s->ext.npn = NULL; 801 #endif 802 803 if (s->ctx->ext.alpn) { 804 s->ext.alpn = OPENSSL_malloc(s->ctx->ext.alpn_len); 805 if (s->ext.alpn == NULL) 806 goto err; 807 memcpy(s->ext.alpn, s->ctx->ext.alpn, s->ctx->ext.alpn_len); 808 s->ext.alpn_len = s->ctx->ext.alpn_len; 809 } 810 811 s->verified_chain = NULL; 812 s->verify_result = X509_V_OK; 813 814 s->default_passwd_callback = ctx->default_passwd_callback; 815 s->default_passwd_callback_userdata = ctx->default_passwd_callback_userdata; 816 817 s->method = ctx->method; 818 819 s->key_update = SSL_KEY_UPDATE_NONE; 820 821 s->allow_early_data_cb = ctx->allow_early_data_cb; 822 s->allow_early_data_cb_data = ctx->allow_early_data_cb_data; 823 824 if (!s->method->ssl_new(s)) 825 goto err; 826 827 s->server = (ctx->method->ssl_accept == ssl_undefined_function) ? 0 : 1; 828 829 if (!SSL_clear(s)) 830 goto err; 831 832 if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL, s, &s->ex_data)) 833 goto err; 834 835 #ifndef OPENSSL_NO_PSK 836 s->psk_client_callback = ctx->psk_client_callback; 837 s->psk_server_callback = ctx->psk_server_callback; 838 #endif 839 s->psk_find_session_cb = ctx->psk_find_session_cb; 840 s->psk_use_session_cb = ctx->psk_use_session_cb; 841 842 s->job = NULL; 843 844 #ifndef OPENSSL_NO_CT 845 if (!SSL_set_ct_validation_callback(s, ctx->ct_validation_callback, 846 ctx->ct_validation_callback_arg)) 847 goto err; 848 #endif 849 850 return s; 851 err: 852 SSL_free(s); 853 SSLerr(SSL_F_SSL_NEW, ERR_R_MALLOC_FAILURE); 854 return NULL; 855 } 856 857 int SSL_is_dtls(const SSL *s) 858 { 859 return SSL_IS_DTLS(s) ? 1 : 0; 860 } 861 862 int SSL_up_ref(SSL *s) 863 { 864 int i; 865 866 if (CRYPTO_UP_REF(&s->references, &i, s->lock) <= 0) 867 return 0; 868 869 REF_PRINT_COUNT("SSL", s); 870 REF_ASSERT_ISNT(i < 2); 871 return ((i > 1) ? 1 : 0); 872 } 873 874 int SSL_CTX_set_session_id_context(SSL_CTX *ctx, const unsigned char *sid_ctx, 875 unsigned int sid_ctx_len) 876 { 877 if (sid_ctx_len > SSL_MAX_SID_CTX_LENGTH) { 878 SSLerr(SSL_F_SSL_CTX_SET_SESSION_ID_CONTEXT, 879 SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG); 880 return 0; 881 } 882 ctx->sid_ctx_length = sid_ctx_len; 883 memcpy(ctx->sid_ctx, sid_ctx, sid_ctx_len); 884 885 return 1; 886 } 887 888 int SSL_set_session_id_context(SSL *ssl, const unsigned char *sid_ctx, 889 unsigned int sid_ctx_len) 890 { 891 if (sid_ctx_len > SSL_MAX_SID_CTX_LENGTH) { 892 SSLerr(SSL_F_SSL_SET_SESSION_ID_CONTEXT, 893 SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG); 894 return 0; 895 } 896 ssl->sid_ctx_length = sid_ctx_len; 897 memcpy(ssl->sid_ctx, sid_ctx, sid_ctx_len); 898 899 return 1; 900 } 901 902 int SSL_CTX_set_generate_session_id(SSL_CTX *ctx, GEN_SESSION_CB cb) 903 { 904 CRYPTO_THREAD_write_lock(ctx->lock); 905 ctx->generate_session_id = cb; 906 CRYPTO_THREAD_unlock(ctx->lock); 907 return 1; 908 } 909 910 int SSL_set_generate_session_id(SSL *ssl, GEN_SESSION_CB cb) 911 { 912 CRYPTO_THREAD_write_lock(ssl->lock); 913 ssl->generate_session_id = cb; 914 CRYPTO_THREAD_unlock(ssl->lock); 915 return 1; 916 } 917 918 int SSL_has_matching_session_id(const SSL *ssl, const unsigned char *id, 919 unsigned int id_len) 920 { 921 /* 922 * A quick examination of SSL_SESSION_hash and SSL_SESSION_cmp shows how 923 * we can "construct" a session to give us the desired check - i.e. to 924 * find if there's a session in the hash table that would conflict with 925 * any new session built out of this id/id_len and the ssl_version in use 926 * by this SSL. 927 */ 928 SSL_SESSION r, *p; 929 930 if (id_len > sizeof(r.session_id)) 931 return 0; 932 933 r.ssl_version = ssl->version; 934 r.session_id_length = id_len; 935 memcpy(r.session_id, id, id_len); 936 937 CRYPTO_THREAD_read_lock(ssl->session_ctx->lock); 938 p = lh_SSL_SESSION_retrieve(ssl->session_ctx->sessions, &r); 939 CRYPTO_THREAD_unlock(ssl->session_ctx->lock); 940 return (p != NULL); 941 } 942 943 int SSL_CTX_set_purpose(SSL_CTX *s, int purpose) 944 { 945 return X509_VERIFY_PARAM_set_purpose(s->param, purpose); 946 } 947 948 int SSL_set_purpose(SSL *s, int purpose) 949 { 950 return X509_VERIFY_PARAM_set_purpose(s->param, purpose); 951 } 952 953 int SSL_CTX_set_trust(SSL_CTX *s, int trust) 954 { 955 return X509_VERIFY_PARAM_set_trust(s->param, trust); 956 } 957 958 int SSL_set_trust(SSL *s, int trust) 959 { 960 return X509_VERIFY_PARAM_set_trust(s->param, trust); 961 } 962 963 int SSL_set1_host(SSL *s, const char *hostname) 964 { 965 return X509_VERIFY_PARAM_set1_host(s->param, hostname, 0); 966 } 967 968 int SSL_add1_host(SSL *s, const char *hostname) 969 { 970 return X509_VERIFY_PARAM_add1_host(s->param, hostname, 0); 971 } 972 973 void SSL_set_hostflags(SSL *s, unsigned int flags) 974 { 975 X509_VERIFY_PARAM_set_hostflags(s->param, flags); 976 } 977 978 const char *SSL_get0_peername(SSL *s) 979 { 980 return X509_VERIFY_PARAM_get0_peername(s->param); 981 } 982 983 int SSL_CTX_dane_enable(SSL_CTX *ctx) 984 { 985 return dane_ctx_enable(&ctx->dane); 986 } 987 988 unsigned long SSL_CTX_dane_set_flags(SSL_CTX *ctx, unsigned long flags) 989 { 990 unsigned long orig = ctx->dane.flags; 991 992 ctx->dane.flags |= flags; 993 return orig; 994 } 995 996 unsigned long SSL_CTX_dane_clear_flags(SSL_CTX *ctx, unsigned long flags) 997 { 998 unsigned long orig = ctx->dane.flags; 999 1000 ctx->dane.flags &= ~flags; 1001 return orig; 1002 } 1003 1004 int SSL_dane_enable(SSL *s, const char *basedomain) 1005 { 1006 SSL_DANE *dane = &s->dane; 1007 1008 if (s->ctx->dane.mdmax == 0) { 1009 SSLerr(SSL_F_SSL_DANE_ENABLE, SSL_R_CONTEXT_NOT_DANE_ENABLED); 1010 return 0; 1011 } 1012 if (dane->trecs != NULL) { 1013 SSLerr(SSL_F_SSL_DANE_ENABLE, SSL_R_DANE_ALREADY_ENABLED); 1014 return 0; 1015 } 1016 1017 /* 1018 * Default SNI name. This rejects empty names, while set1_host below 1019 * accepts them and disables host name checks. To avoid side-effects with 1020 * invalid input, set the SNI name first. 1021 */ 1022 if (s->ext.hostname == NULL) { 1023 if (!SSL_set_tlsext_host_name(s, basedomain)) { 1024 SSLerr(SSL_F_SSL_DANE_ENABLE, SSL_R_ERROR_SETTING_TLSA_BASE_DOMAIN); 1025 return -1; 1026 } 1027 } 1028 1029 /* Primary RFC6125 reference identifier */ 1030 if (!X509_VERIFY_PARAM_set1_host(s->param, basedomain, 0)) { 1031 SSLerr(SSL_F_SSL_DANE_ENABLE, SSL_R_ERROR_SETTING_TLSA_BASE_DOMAIN); 1032 return -1; 1033 } 1034 1035 dane->mdpth = -1; 1036 dane->pdpth = -1; 1037 dane->dctx = &s->ctx->dane; 1038 dane->trecs = sk_danetls_record_new_null(); 1039 1040 if (dane->trecs == NULL) { 1041 SSLerr(SSL_F_SSL_DANE_ENABLE, ERR_R_MALLOC_FAILURE); 1042 return -1; 1043 } 1044 return 1; 1045 } 1046 1047 unsigned long SSL_dane_set_flags(SSL *ssl, unsigned long flags) 1048 { 1049 unsigned long orig = ssl->dane.flags; 1050 1051 ssl->dane.flags |= flags; 1052 return orig; 1053 } 1054 1055 unsigned long SSL_dane_clear_flags(SSL *ssl, unsigned long flags) 1056 { 1057 unsigned long orig = ssl->dane.flags; 1058 1059 ssl->dane.flags &= ~flags; 1060 return orig; 1061 } 1062 1063 int SSL_get0_dane_authority(SSL *s, X509 **mcert, EVP_PKEY **mspki) 1064 { 1065 SSL_DANE *dane = &s->dane; 1066 1067 if (!DANETLS_ENABLED(dane) || s->verify_result != X509_V_OK) 1068 return -1; 1069 if (dane->mtlsa) { 1070 if (mcert) 1071 *mcert = dane->mcert; 1072 if (mspki) 1073 *mspki = (dane->mcert == NULL) ? dane->mtlsa->spki : NULL; 1074 } 1075 return dane->mdpth; 1076 } 1077 1078 int SSL_get0_dane_tlsa(SSL *s, uint8_t *usage, uint8_t *selector, 1079 uint8_t *mtype, unsigned const char **data, size_t *dlen) 1080 { 1081 SSL_DANE *dane = &s->dane; 1082 1083 if (!DANETLS_ENABLED(dane) || s->verify_result != X509_V_OK) 1084 return -1; 1085 if (dane->mtlsa) { 1086 if (usage) 1087 *usage = dane->mtlsa->usage; 1088 if (selector) 1089 *selector = dane->mtlsa->selector; 1090 if (mtype) 1091 *mtype = dane->mtlsa->mtype; 1092 if (data) 1093 *data = dane->mtlsa->data; 1094 if (dlen) 1095 *dlen = dane->mtlsa->dlen; 1096 } 1097 return dane->mdpth; 1098 } 1099 1100 SSL_DANE *SSL_get0_dane(SSL *s) 1101 { 1102 return &s->dane; 1103 } 1104 1105 int SSL_dane_tlsa_add(SSL *s, uint8_t usage, uint8_t selector, 1106 uint8_t mtype, unsigned const char *data, size_t dlen) 1107 { 1108 return dane_tlsa_add(&s->dane, usage, selector, mtype, data, dlen); 1109 } 1110 1111 int SSL_CTX_dane_mtype_set(SSL_CTX *ctx, const EVP_MD *md, uint8_t mtype, 1112 uint8_t ord) 1113 { 1114 return dane_mtype_set(&ctx->dane, md, mtype, ord); 1115 } 1116 1117 int SSL_CTX_set1_param(SSL_CTX *ctx, X509_VERIFY_PARAM *vpm) 1118 { 1119 return X509_VERIFY_PARAM_set1(ctx->param, vpm); 1120 } 1121 1122 int SSL_set1_param(SSL *ssl, X509_VERIFY_PARAM *vpm) 1123 { 1124 return X509_VERIFY_PARAM_set1(ssl->param, vpm); 1125 } 1126 1127 X509_VERIFY_PARAM *SSL_CTX_get0_param(SSL_CTX *ctx) 1128 { 1129 return ctx->param; 1130 } 1131 1132 X509_VERIFY_PARAM *SSL_get0_param(SSL *ssl) 1133 { 1134 return ssl->param; 1135 } 1136 1137 void SSL_certs_clear(SSL *s) 1138 { 1139 ssl_cert_clear_certs(s->cert); 1140 } 1141 1142 void SSL_free(SSL *s) 1143 { 1144 int i; 1145 1146 if (s == NULL) 1147 return; 1148 CRYPTO_DOWN_REF(&s->references, &i, s->lock); 1149 REF_PRINT_COUNT("SSL", s); 1150 if (i > 0) 1151 return; 1152 REF_ASSERT_ISNT(i < 0); 1153 1154 X509_VERIFY_PARAM_free(s->param); 1155 dane_final(&s->dane); 1156 CRYPTO_free_ex_data(CRYPTO_EX_INDEX_SSL, s, &s->ex_data); 1157 1158 RECORD_LAYER_release(&s->rlayer); 1159 1160 /* Ignore return value */ 1161 ssl_free_wbio_buffer(s); 1162 1163 BIO_free_all(s->wbio); 1164 s->wbio = NULL; 1165 BIO_free_all(s->rbio); 1166 s->rbio = NULL; 1167 1168 BUF_MEM_free(s->init_buf); 1169 1170 /* add extra stuff */ 1171 sk_SSL_CIPHER_free(s->cipher_list); 1172 sk_SSL_CIPHER_free(s->cipher_list_by_id); 1173 sk_SSL_CIPHER_free(s->tls13_ciphersuites); 1174 sk_SSL_CIPHER_free(s->peer_ciphers); 1175 1176 /* Make the next call work :-) */ 1177 if (s->session != NULL) { 1178 ssl_clear_bad_session(s); 1179 SSL_SESSION_free(s->session); 1180 } 1181 SSL_SESSION_free(s->psksession); 1182 OPENSSL_free(s->psksession_id); 1183 1184 clear_ciphers(s); 1185 1186 ssl_cert_free(s->cert); 1187 OPENSSL_free(s->shared_sigalgs); 1188 /* Free up if allocated */ 1189 1190 OPENSSL_free(s->ext.hostname); 1191 SSL_CTX_free(s->session_ctx); 1192 #ifndef OPENSSL_NO_EC 1193 OPENSSL_free(s->ext.ecpointformats); 1194 OPENSSL_free(s->ext.peer_ecpointformats); 1195 OPENSSL_free(s->ext.supportedgroups); 1196 OPENSSL_free(s->ext.peer_supportedgroups); 1197 #endif /* OPENSSL_NO_EC */ 1198 sk_X509_EXTENSION_pop_free(s->ext.ocsp.exts, X509_EXTENSION_free); 1199 #ifndef OPENSSL_NO_OCSP 1200 sk_OCSP_RESPID_pop_free(s->ext.ocsp.ids, OCSP_RESPID_free); 1201 #endif 1202 #ifndef OPENSSL_NO_CT 1203 SCT_LIST_free(s->scts); 1204 OPENSSL_free(s->ext.scts); 1205 #endif 1206 OPENSSL_free(s->ext.ocsp.resp); 1207 OPENSSL_free(s->ext.alpn); 1208 OPENSSL_free(s->ext.tls13_cookie); 1209 if (s->clienthello != NULL) 1210 OPENSSL_free(s->clienthello->pre_proc_exts); 1211 OPENSSL_free(s->clienthello); 1212 OPENSSL_free(s->pha_context); 1213 EVP_MD_CTX_free(s->pha_dgst); 1214 1215 sk_X509_NAME_pop_free(s->ca_names, X509_NAME_free); 1216 sk_X509_NAME_pop_free(s->client_ca_names, X509_NAME_free); 1217 1218 sk_X509_pop_free(s->verified_chain, X509_free); 1219 1220 if (s->method != NULL) 1221 s->method->ssl_free(s); 1222 1223 SSL_CTX_free(s->ctx); 1224 1225 ASYNC_WAIT_CTX_free(s->waitctx); 1226 1227 #if !defined(OPENSSL_NO_NEXTPROTONEG) 1228 OPENSSL_free(s->ext.npn); 1229 #endif 1230 1231 #ifndef OPENSSL_NO_SRTP 1232 sk_SRTP_PROTECTION_PROFILE_free(s->srtp_profiles); 1233 #endif 1234 1235 CRYPTO_THREAD_lock_free(s->lock); 1236 1237 OPENSSL_free(s); 1238 } 1239 1240 void SSL_set0_rbio(SSL *s, BIO *rbio) 1241 { 1242 BIO_free_all(s->rbio); 1243 s->rbio = rbio; 1244 } 1245 1246 void SSL_set0_wbio(SSL *s, BIO *wbio) 1247 { 1248 /* 1249 * If the output buffering BIO is still in place, remove it 1250 */ 1251 if (s->bbio != NULL) 1252 s->wbio = BIO_pop(s->wbio); 1253 1254 BIO_free_all(s->wbio); 1255 s->wbio = wbio; 1256 1257 /* Re-attach |bbio| to the new |wbio|. */ 1258 if (s->bbio != NULL) 1259 s->wbio = BIO_push(s->bbio, s->wbio); 1260 } 1261 1262 void SSL_set_bio(SSL *s, BIO *rbio, BIO *wbio) 1263 { 1264 /* 1265 * For historical reasons, this function has many different cases in 1266 * ownership handling. 1267 */ 1268 1269 /* If nothing has changed, do nothing */ 1270 if (rbio == SSL_get_rbio(s) && wbio == SSL_get_wbio(s)) 1271 return; 1272 1273 /* 1274 * If the two arguments are equal then one fewer reference is granted by the 1275 * caller than we want to take 1276 */ 1277 if (rbio != NULL && rbio == wbio) 1278 BIO_up_ref(rbio); 1279 1280 /* 1281 * If only the wbio is changed only adopt one reference. 1282 */ 1283 if (rbio == SSL_get_rbio(s)) { 1284 SSL_set0_wbio(s, wbio); 1285 return; 1286 } 1287 /* 1288 * There is an asymmetry here for historical reasons. If only the rbio is 1289 * changed AND the rbio and wbio were originally different, then we only 1290 * adopt one reference. 1291 */ 1292 if (wbio == SSL_get_wbio(s) && SSL_get_rbio(s) != SSL_get_wbio(s)) { 1293 SSL_set0_rbio(s, rbio); 1294 return; 1295 } 1296 1297 /* Otherwise, adopt both references. */ 1298 SSL_set0_rbio(s, rbio); 1299 SSL_set0_wbio(s, wbio); 1300 } 1301 1302 BIO *SSL_get_rbio(const SSL *s) 1303 { 1304 return s->rbio; 1305 } 1306 1307 BIO *SSL_get_wbio(const SSL *s) 1308 { 1309 if (s->bbio != NULL) { 1310 /* 1311 * If |bbio| is active, the true caller-configured BIO is its 1312 * |next_bio|. 1313 */ 1314 return BIO_next(s->bbio); 1315 } 1316 return s->wbio; 1317 } 1318 1319 int SSL_get_fd(const SSL *s) 1320 { 1321 return SSL_get_rfd(s); 1322 } 1323 1324 int SSL_get_rfd(const SSL *s) 1325 { 1326 int ret = -1; 1327 BIO *b, *r; 1328 1329 b = SSL_get_rbio(s); 1330 r = BIO_find_type(b, BIO_TYPE_DESCRIPTOR); 1331 if (r != NULL) 1332 BIO_get_fd(r, &ret); 1333 return ret; 1334 } 1335 1336 int SSL_get_wfd(const SSL *s) 1337 { 1338 int ret = -1; 1339 BIO *b, *r; 1340 1341 b = SSL_get_wbio(s); 1342 r = BIO_find_type(b, BIO_TYPE_DESCRIPTOR); 1343 if (r != NULL) 1344 BIO_get_fd(r, &ret); 1345 return ret; 1346 } 1347 1348 #ifndef OPENSSL_NO_SOCK 1349 int SSL_set_fd(SSL *s, int fd) 1350 { 1351 int ret = 0; 1352 BIO *bio = NULL; 1353 1354 bio = BIO_new(BIO_s_socket()); 1355 1356 if (bio == NULL) { 1357 SSLerr(SSL_F_SSL_SET_FD, ERR_R_BUF_LIB); 1358 goto err; 1359 } 1360 BIO_set_fd(bio, fd, BIO_NOCLOSE); 1361 SSL_set_bio(s, bio, bio); 1362 #ifndef OPENSSL_NO_KTLS 1363 /* 1364 * The new socket is created successfully regardless of ktls_enable. 1365 * ktls_enable doesn't change any functionality of the socket, except 1366 * changing the setsockopt to enable the processing of ktls_start. 1367 * Thus, it is not a problem to call it for non-TLS sockets. 1368 */ 1369 ktls_enable(fd); 1370 #endif /* OPENSSL_NO_KTLS */ 1371 ret = 1; 1372 err: 1373 return ret; 1374 } 1375 1376 int SSL_set_wfd(SSL *s, int fd) 1377 { 1378 BIO *rbio = SSL_get_rbio(s); 1379 1380 if (rbio == NULL || BIO_method_type(rbio) != BIO_TYPE_SOCKET 1381 || (int)BIO_get_fd(rbio, NULL) != fd) { 1382 BIO *bio = BIO_new(BIO_s_socket()); 1383 1384 if (bio == NULL) { 1385 SSLerr(SSL_F_SSL_SET_WFD, ERR_R_BUF_LIB); 1386 return 0; 1387 } 1388 BIO_set_fd(bio, fd, BIO_NOCLOSE); 1389 SSL_set0_wbio(s, bio); 1390 #ifndef OPENSSL_NO_KTLS 1391 /* 1392 * The new socket is created successfully regardless of ktls_enable. 1393 * ktls_enable doesn't change any functionality of the socket, except 1394 * changing the setsockopt to enable the processing of ktls_start. 1395 * Thus, it is not a problem to call it for non-TLS sockets. 1396 */ 1397 ktls_enable(fd); 1398 #endif /* OPENSSL_NO_KTLS */ 1399 } else { 1400 BIO_up_ref(rbio); 1401 SSL_set0_wbio(s, rbio); 1402 } 1403 return 1; 1404 } 1405 1406 int SSL_set_rfd(SSL *s, int fd) 1407 { 1408 BIO *wbio = SSL_get_wbio(s); 1409 1410 if (wbio == NULL || BIO_method_type(wbio) != BIO_TYPE_SOCKET 1411 || ((int)BIO_get_fd(wbio, NULL) != fd)) { 1412 BIO *bio = BIO_new(BIO_s_socket()); 1413 1414 if (bio == NULL) { 1415 SSLerr(SSL_F_SSL_SET_RFD, ERR_R_BUF_LIB); 1416 return 0; 1417 } 1418 BIO_set_fd(bio, fd, BIO_NOCLOSE); 1419 SSL_set0_rbio(s, bio); 1420 } else { 1421 BIO_up_ref(wbio); 1422 SSL_set0_rbio(s, wbio); 1423 } 1424 1425 return 1; 1426 } 1427 #endif 1428 1429 /* return length of latest Finished message we sent, copy to 'buf' */ 1430 size_t SSL_get_finished(const SSL *s, void *buf, size_t count) 1431 { 1432 size_t ret = 0; 1433 1434 if (s->s3 != NULL) { 1435 ret = s->s3->tmp.finish_md_len; 1436 if (count > ret) 1437 count = ret; 1438 memcpy(buf, s->s3->tmp.finish_md, count); 1439 } 1440 return ret; 1441 } 1442 1443 /* return length of latest Finished message we expected, copy to 'buf' */ 1444 size_t SSL_get_peer_finished(const SSL *s, void *buf, size_t count) 1445 { 1446 size_t ret = 0; 1447 1448 if (s->s3 != NULL) { 1449 ret = s->s3->tmp.peer_finish_md_len; 1450 if (count > ret) 1451 count = ret; 1452 memcpy(buf, s->s3->tmp.peer_finish_md, count); 1453 } 1454 return ret; 1455 } 1456 1457 int SSL_get_verify_mode(const SSL *s) 1458 { 1459 return s->verify_mode; 1460 } 1461 1462 int SSL_get_verify_depth(const SSL *s) 1463 { 1464 return X509_VERIFY_PARAM_get_depth(s->param); 1465 } 1466 1467 int (*SSL_get_verify_callback(const SSL *s)) (int, X509_STORE_CTX *) { 1468 return s->verify_callback; 1469 } 1470 1471 int SSL_CTX_get_verify_mode(const SSL_CTX *ctx) 1472 { 1473 return ctx->verify_mode; 1474 } 1475 1476 int SSL_CTX_get_verify_depth(const SSL_CTX *ctx) 1477 { 1478 return X509_VERIFY_PARAM_get_depth(ctx->param); 1479 } 1480 1481 int (*SSL_CTX_get_verify_callback(const SSL_CTX *ctx)) (int, X509_STORE_CTX *) { 1482 return ctx->default_verify_callback; 1483 } 1484 1485 void SSL_set_verify(SSL *s, int mode, 1486 int (*callback) (int ok, X509_STORE_CTX *ctx)) 1487 { 1488 s->verify_mode = mode; 1489 if (callback != NULL) 1490 s->verify_callback = callback; 1491 } 1492 1493 void SSL_set_verify_depth(SSL *s, int depth) 1494 { 1495 X509_VERIFY_PARAM_set_depth(s->param, depth); 1496 } 1497 1498 void SSL_set_read_ahead(SSL *s, int yes) 1499 { 1500 RECORD_LAYER_set_read_ahead(&s->rlayer, yes); 1501 } 1502 1503 int SSL_get_read_ahead(const SSL *s) 1504 { 1505 return RECORD_LAYER_get_read_ahead(&s->rlayer); 1506 } 1507 1508 int SSL_pending(const SSL *s) 1509 { 1510 size_t pending = s->method->ssl_pending(s); 1511 1512 /* 1513 * SSL_pending cannot work properly if read-ahead is enabled 1514 * (SSL_[CTX_]ctrl(..., SSL_CTRL_SET_READ_AHEAD, 1, NULL)), and it is 1515 * impossible to fix since SSL_pending cannot report errors that may be 1516 * observed while scanning the new data. (Note that SSL_pending() is 1517 * often used as a boolean value, so we'd better not return -1.) 1518 * 1519 * SSL_pending also cannot work properly if the value >INT_MAX. In that case 1520 * we just return INT_MAX. 1521 */ 1522 return pending < INT_MAX ? (int)pending : INT_MAX; 1523 } 1524 1525 int SSL_has_pending(const SSL *s) 1526 { 1527 /* 1528 * Similar to SSL_pending() but returns a 1 to indicate that we have 1529 * unprocessed data available or 0 otherwise (as opposed to the number of 1530 * bytes available). Unlike SSL_pending() this will take into account 1531 * read_ahead data. A 1 return simply indicates that we have unprocessed 1532 * data. That data may not result in any application data, or we may fail 1533 * to parse the records for some reason. 1534 */ 1535 if (RECORD_LAYER_processed_read_pending(&s->rlayer)) 1536 return 1; 1537 1538 return RECORD_LAYER_read_pending(&s->rlayer); 1539 } 1540 1541 X509 *SSL_get_peer_certificate(const SSL *s) 1542 { 1543 X509 *r; 1544 1545 if ((s == NULL) || (s->session == NULL)) 1546 r = NULL; 1547 else 1548 r = s->session->peer; 1549 1550 if (r == NULL) 1551 return r; 1552 1553 X509_up_ref(r); 1554 1555 return r; 1556 } 1557 1558 STACK_OF(X509) *SSL_get_peer_cert_chain(const SSL *s) 1559 { 1560 STACK_OF(X509) *r; 1561 1562 if ((s == NULL) || (s->session == NULL)) 1563 r = NULL; 1564 else 1565 r = s->session->peer_chain; 1566 1567 /* 1568 * If we are a client, cert_chain includes the peer's own certificate; if 1569 * we are a server, it does not. 1570 */ 1571 1572 return r; 1573 } 1574 1575 /* 1576 * Now in theory, since the calling process own 't' it should be safe to 1577 * modify. We need to be able to read f without being hassled 1578 */ 1579 int SSL_copy_session_id(SSL *t, const SSL *f) 1580 { 1581 int i; 1582 /* Do we need to to SSL locking? */ 1583 if (!SSL_set_session(t, SSL_get_session(f))) { 1584 return 0; 1585 } 1586 1587 /* 1588 * what if we are setup for one protocol version but want to talk another 1589 */ 1590 if (t->method != f->method) { 1591 t->method->ssl_free(t); 1592 t->method = f->method; 1593 if (t->method->ssl_new(t) == 0) 1594 return 0; 1595 } 1596 1597 CRYPTO_UP_REF(&f->cert->references, &i, f->cert->lock); 1598 ssl_cert_free(t->cert); 1599 t->cert = f->cert; 1600 if (!SSL_set_session_id_context(t, f->sid_ctx, (int)f->sid_ctx_length)) { 1601 return 0; 1602 } 1603 1604 return 1; 1605 } 1606 1607 /* Fix this so it checks all the valid key/cert options */ 1608 int SSL_CTX_check_private_key(const SSL_CTX *ctx) 1609 { 1610 if ((ctx == NULL) || (ctx->cert->key->x509 == NULL)) { 1611 SSLerr(SSL_F_SSL_CTX_CHECK_PRIVATE_KEY, SSL_R_NO_CERTIFICATE_ASSIGNED); 1612 return 0; 1613 } 1614 if (ctx->cert->key->privatekey == NULL) { 1615 SSLerr(SSL_F_SSL_CTX_CHECK_PRIVATE_KEY, SSL_R_NO_PRIVATE_KEY_ASSIGNED); 1616 return 0; 1617 } 1618 return X509_check_private_key 1619 (ctx->cert->key->x509, ctx->cert->key->privatekey); 1620 } 1621 1622 /* Fix this function so that it takes an optional type parameter */ 1623 int SSL_check_private_key(const SSL *ssl) 1624 { 1625 if (ssl == NULL) { 1626 SSLerr(SSL_F_SSL_CHECK_PRIVATE_KEY, ERR_R_PASSED_NULL_PARAMETER); 1627 return 0; 1628 } 1629 if (ssl->cert->key->x509 == NULL) { 1630 SSLerr(SSL_F_SSL_CHECK_PRIVATE_KEY, SSL_R_NO_CERTIFICATE_ASSIGNED); 1631 return 0; 1632 } 1633 if (ssl->cert->key->privatekey == NULL) { 1634 SSLerr(SSL_F_SSL_CHECK_PRIVATE_KEY, SSL_R_NO_PRIVATE_KEY_ASSIGNED); 1635 return 0; 1636 } 1637 return X509_check_private_key(ssl->cert->key->x509, 1638 ssl->cert->key->privatekey); 1639 } 1640 1641 int SSL_waiting_for_async(SSL *s) 1642 { 1643 if (s->job) 1644 return 1; 1645 1646 return 0; 1647 } 1648 1649 int SSL_get_all_async_fds(SSL *s, OSSL_ASYNC_FD *fds, size_t *numfds) 1650 { 1651 ASYNC_WAIT_CTX *ctx = s->waitctx; 1652 1653 if (ctx == NULL) 1654 return 0; 1655 return ASYNC_WAIT_CTX_get_all_fds(ctx, fds, numfds); 1656 } 1657 1658 int SSL_get_changed_async_fds(SSL *s, OSSL_ASYNC_FD *addfd, size_t *numaddfds, 1659 OSSL_ASYNC_FD *delfd, size_t *numdelfds) 1660 { 1661 ASYNC_WAIT_CTX *ctx = s->waitctx; 1662 1663 if (ctx == NULL) 1664 return 0; 1665 return ASYNC_WAIT_CTX_get_changed_fds(ctx, addfd, numaddfds, delfd, 1666 numdelfds); 1667 } 1668 1669 int SSL_accept(SSL *s) 1670 { 1671 if (s->handshake_func == NULL) { 1672 /* Not properly initialized yet */ 1673 SSL_set_accept_state(s); 1674 } 1675 1676 return SSL_do_handshake(s); 1677 } 1678 1679 int SSL_connect(SSL *s) 1680 { 1681 if (s->handshake_func == NULL) { 1682 /* Not properly initialized yet */ 1683 SSL_set_connect_state(s); 1684 } 1685 1686 return SSL_do_handshake(s); 1687 } 1688 1689 long SSL_get_default_timeout(const SSL *s) 1690 { 1691 return s->method->get_timeout(); 1692 } 1693 1694 static int ssl_start_async_job(SSL *s, struct ssl_async_args *args, 1695 int (*func) (void *)) 1696 { 1697 int ret; 1698 if (s->waitctx == NULL) { 1699 s->waitctx = ASYNC_WAIT_CTX_new(); 1700 if (s->waitctx == NULL) 1701 return -1; 1702 } 1703 switch (ASYNC_start_job(&s->job, s->waitctx, &ret, func, args, 1704 sizeof(struct ssl_async_args))) { 1705 case ASYNC_ERR: 1706 s->rwstate = SSL_NOTHING; 1707 SSLerr(SSL_F_SSL_START_ASYNC_JOB, SSL_R_FAILED_TO_INIT_ASYNC); 1708 return -1; 1709 case ASYNC_PAUSE: 1710 s->rwstate = SSL_ASYNC_PAUSED; 1711 return -1; 1712 case ASYNC_NO_JOBS: 1713 s->rwstate = SSL_ASYNC_NO_JOBS; 1714 return -1; 1715 case ASYNC_FINISH: 1716 s->job = NULL; 1717 return ret; 1718 default: 1719 s->rwstate = SSL_NOTHING; 1720 SSLerr(SSL_F_SSL_START_ASYNC_JOB, ERR_R_INTERNAL_ERROR); 1721 /* Shouldn't happen */ 1722 return -1; 1723 } 1724 } 1725 1726 static int ssl_io_intern(void *vargs) 1727 { 1728 struct ssl_async_args *args; 1729 SSL *s; 1730 void *buf; 1731 size_t num; 1732 1733 args = (struct ssl_async_args *)vargs; 1734 s = args->s; 1735 buf = args->buf; 1736 num = args->num; 1737 switch (args->type) { 1738 case READFUNC: 1739 return args->f.func_read(s, buf, num, &s->asyncrw); 1740 case WRITEFUNC: 1741 return args->f.func_write(s, buf, num, &s->asyncrw); 1742 case OTHERFUNC: 1743 return args->f.func_other(s); 1744 } 1745 return -1; 1746 } 1747 1748 int ssl_read_internal(SSL *s, void *buf, size_t num, size_t *readbytes) 1749 { 1750 if (s->handshake_func == NULL) { 1751 SSLerr(SSL_F_SSL_READ_INTERNAL, SSL_R_UNINITIALIZED); 1752 return -1; 1753 } 1754 1755 if (s->shutdown & SSL_RECEIVED_SHUTDOWN) { 1756 s->rwstate = SSL_NOTHING; 1757 return 0; 1758 } 1759 1760 if (s->early_data_state == SSL_EARLY_DATA_CONNECT_RETRY 1761 || s->early_data_state == SSL_EARLY_DATA_ACCEPT_RETRY) { 1762 SSLerr(SSL_F_SSL_READ_INTERNAL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 1763 return 0; 1764 } 1765 /* 1766 * If we are a client and haven't received the ServerHello etc then we 1767 * better do that 1768 */ 1769 ossl_statem_check_finish_init(s, 0); 1770 1771 if ((s->mode & SSL_MODE_ASYNC) && ASYNC_get_current_job() == NULL) { 1772 struct ssl_async_args args; 1773 int ret; 1774 1775 args.s = s; 1776 args.buf = buf; 1777 args.num = num; 1778 args.type = READFUNC; 1779 args.f.func_read = s->method->ssl_read; 1780 1781 ret = ssl_start_async_job(s, &args, ssl_io_intern); 1782 *readbytes = s->asyncrw; 1783 return ret; 1784 } else { 1785 return s->method->ssl_read(s, buf, num, readbytes); 1786 } 1787 } 1788 1789 int SSL_read(SSL *s, void *buf, int num) 1790 { 1791 int ret; 1792 size_t readbytes; 1793 1794 if (num < 0) { 1795 SSLerr(SSL_F_SSL_READ, SSL_R_BAD_LENGTH); 1796 return -1; 1797 } 1798 1799 ret = ssl_read_internal(s, buf, (size_t)num, &readbytes); 1800 1801 /* 1802 * The cast is safe here because ret should be <= INT_MAX because num is 1803 * <= INT_MAX 1804 */ 1805 if (ret > 0) 1806 ret = (int)readbytes; 1807 1808 return ret; 1809 } 1810 1811 int SSL_read_ex(SSL *s, void *buf, size_t num, size_t *readbytes) 1812 { 1813 int ret = ssl_read_internal(s, buf, num, readbytes); 1814 1815 if (ret < 0) 1816 ret = 0; 1817 return ret; 1818 } 1819 1820 int SSL_read_early_data(SSL *s, void *buf, size_t num, size_t *readbytes) 1821 { 1822 int ret; 1823 1824 if (!s->server) { 1825 SSLerr(SSL_F_SSL_READ_EARLY_DATA, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 1826 return SSL_READ_EARLY_DATA_ERROR; 1827 } 1828 1829 switch (s->early_data_state) { 1830 case SSL_EARLY_DATA_NONE: 1831 if (!SSL_in_before(s)) { 1832 SSLerr(SSL_F_SSL_READ_EARLY_DATA, 1833 ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 1834 return SSL_READ_EARLY_DATA_ERROR; 1835 } 1836 /* fall through */ 1837 1838 case SSL_EARLY_DATA_ACCEPT_RETRY: 1839 s->early_data_state = SSL_EARLY_DATA_ACCEPTING; 1840 ret = SSL_accept(s); 1841 if (ret <= 0) { 1842 /* NBIO or error */ 1843 s->early_data_state = SSL_EARLY_DATA_ACCEPT_RETRY; 1844 return SSL_READ_EARLY_DATA_ERROR; 1845 } 1846 /* fall through */ 1847 1848 case SSL_EARLY_DATA_READ_RETRY: 1849 if (s->ext.early_data == SSL_EARLY_DATA_ACCEPTED) { 1850 s->early_data_state = SSL_EARLY_DATA_READING; 1851 ret = SSL_read_ex(s, buf, num, readbytes); 1852 /* 1853 * State machine will update early_data_state to 1854 * SSL_EARLY_DATA_FINISHED_READING if we get an EndOfEarlyData 1855 * message 1856 */ 1857 if (ret > 0 || (ret <= 0 && s->early_data_state 1858 != SSL_EARLY_DATA_FINISHED_READING)) { 1859 s->early_data_state = SSL_EARLY_DATA_READ_RETRY; 1860 return ret > 0 ? SSL_READ_EARLY_DATA_SUCCESS 1861 : SSL_READ_EARLY_DATA_ERROR; 1862 } 1863 } else { 1864 s->early_data_state = SSL_EARLY_DATA_FINISHED_READING; 1865 } 1866 *readbytes = 0; 1867 return SSL_READ_EARLY_DATA_FINISH; 1868 1869 default: 1870 SSLerr(SSL_F_SSL_READ_EARLY_DATA, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 1871 return SSL_READ_EARLY_DATA_ERROR; 1872 } 1873 } 1874 1875 int SSL_get_early_data_status(const SSL *s) 1876 { 1877 return s->ext.early_data; 1878 } 1879 1880 static int ssl_peek_internal(SSL *s, void *buf, size_t num, size_t *readbytes) 1881 { 1882 if (s->handshake_func == NULL) { 1883 SSLerr(SSL_F_SSL_PEEK_INTERNAL, SSL_R_UNINITIALIZED); 1884 return -1; 1885 } 1886 1887 if (s->shutdown & SSL_RECEIVED_SHUTDOWN) { 1888 return 0; 1889 } 1890 if ((s->mode & SSL_MODE_ASYNC) && ASYNC_get_current_job() == NULL) { 1891 struct ssl_async_args args; 1892 int ret; 1893 1894 args.s = s; 1895 args.buf = buf; 1896 args.num = num; 1897 args.type = READFUNC; 1898 args.f.func_read = s->method->ssl_peek; 1899 1900 ret = ssl_start_async_job(s, &args, ssl_io_intern); 1901 *readbytes = s->asyncrw; 1902 return ret; 1903 } else { 1904 return s->method->ssl_peek(s, buf, num, readbytes); 1905 } 1906 } 1907 1908 int SSL_peek(SSL *s, void *buf, int num) 1909 { 1910 int ret; 1911 size_t readbytes; 1912 1913 if (num < 0) { 1914 SSLerr(SSL_F_SSL_PEEK, SSL_R_BAD_LENGTH); 1915 return -1; 1916 } 1917 1918 ret = ssl_peek_internal(s, buf, (size_t)num, &readbytes); 1919 1920 /* 1921 * The cast is safe here because ret should be <= INT_MAX because num is 1922 * <= INT_MAX 1923 */ 1924 if (ret > 0) 1925 ret = (int)readbytes; 1926 1927 return ret; 1928 } 1929 1930 1931 int SSL_peek_ex(SSL *s, void *buf, size_t num, size_t *readbytes) 1932 { 1933 int ret = ssl_peek_internal(s, buf, num, readbytes); 1934 1935 if (ret < 0) 1936 ret = 0; 1937 return ret; 1938 } 1939 1940 int ssl_write_internal(SSL *s, const void *buf, size_t num, size_t *written) 1941 { 1942 if (s->handshake_func == NULL) { 1943 SSLerr(SSL_F_SSL_WRITE_INTERNAL, SSL_R_UNINITIALIZED); 1944 return -1; 1945 } 1946 1947 if (s->shutdown & SSL_SENT_SHUTDOWN) { 1948 s->rwstate = SSL_NOTHING; 1949 SSLerr(SSL_F_SSL_WRITE_INTERNAL, SSL_R_PROTOCOL_IS_SHUTDOWN); 1950 return -1; 1951 } 1952 1953 if (s->early_data_state == SSL_EARLY_DATA_CONNECT_RETRY 1954 || s->early_data_state == SSL_EARLY_DATA_ACCEPT_RETRY 1955 || s->early_data_state == SSL_EARLY_DATA_READ_RETRY) { 1956 SSLerr(SSL_F_SSL_WRITE_INTERNAL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 1957 return 0; 1958 } 1959 /* If we are a client and haven't sent the Finished we better do that */ 1960 ossl_statem_check_finish_init(s, 1); 1961 1962 if ((s->mode & SSL_MODE_ASYNC) && ASYNC_get_current_job() == NULL) { 1963 int ret; 1964 struct ssl_async_args args; 1965 1966 args.s = s; 1967 args.buf = (void *)buf; 1968 args.num = num; 1969 args.type = WRITEFUNC; 1970 args.f.func_write = s->method->ssl_write; 1971 1972 ret = ssl_start_async_job(s, &args, ssl_io_intern); 1973 *written = s->asyncrw; 1974 return ret; 1975 } else { 1976 return s->method->ssl_write(s, buf, num, written); 1977 } 1978 } 1979 1980 ossl_ssize_t SSL_sendfile(SSL *s, int fd, off_t offset, size_t size, int flags) 1981 { 1982 ossl_ssize_t ret; 1983 1984 if (s->handshake_func == NULL) { 1985 SSLerr(SSL_F_SSL_SENDFILE, SSL_R_UNINITIALIZED); 1986 return -1; 1987 } 1988 1989 if (s->shutdown & SSL_SENT_SHUTDOWN) { 1990 s->rwstate = SSL_NOTHING; 1991 SSLerr(SSL_F_SSL_SENDFILE, SSL_R_PROTOCOL_IS_SHUTDOWN); 1992 return -1; 1993 } 1994 1995 if (!BIO_get_ktls_send(s->wbio)) { 1996 SSLerr(SSL_F_SSL_SENDFILE, SSL_R_UNINITIALIZED); 1997 return -1; 1998 } 1999 2000 /* If we have an alert to send, lets send it */ 2001 if (s->s3->alert_dispatch) { 2002 ret = (ossl_ssize_t)s->method->ssl_dispatch_alert(s); 2003 if (ret <= 0) { 2004 /* SSLfatal() already called if appropriate */ 2005 return ret; 2006 } 2007 /* if it went, fall through and send more stuff */ 2008 } 2009 2010 s->rwstate = SSL_WRITING; 2011 if (BIO_flush(s->wbio) <= 0) { 2012 if (!BIO_should_retry(s->wbio)) { 2013 s->rwstate = SSL_NOTHING; 2014 } else { 2015 #ifdef EAGAIN 2016 set_sys_error(EAGAIN); 2017 #endif 2018 } 2019 return -1; 2020 } 2021 2022 #ifdef OPENSSL_NO_KTLS 2023 ERR_raise_data(ERR_LIB_SYS, ERR_R_INTERNAL_ERROR, "calling sendfile()"); 2024 return -1; 2025 #else 2026 ret = ktls_sendfile(SSL_get_wfd(s), fd, offset, size, flags); 2027 if (ret < 0) { 2028 #if defined(EAGAIN) && defined(EINTR) && defined(EBUSY) 2029 if ((get_last_sys_error() == EAGAIN) || 2030 (get_last_sys_error() == EINTR) || 2031 (get_last_sys_error() == EBUSY)) 2032 BIO_set_retry_write(s->wbio); 2033 else 2034 #endif 2035 SSLerr(SSL_F_SSL_SENDFILE, SSL_R_UNINITIALIZED); 2036 return ret; 2037 } 2038 s->rwstate = SSL_NOTHING; 2039 return ret; 2040 #endif 2041 } 2042 2043 int SSL_write(SSL *s, const void *buf, int num) 2044 { 2045 int ret; 2046 size_t written; 2047 2048 if (num < 0) { 2049 SSLerr(SSL_F_SSL_WRITE, SSL_R_BAD_LENGTH); 2050 return -1; 2051 } 2052 2053 ret = ssl_write_internal(s, buf, (size_t)num, &written); 2054 2055 /* 2056 * The cast is safe here because ret should be <= INT_MAX because num is 2057 * <= INT_MAX 2058 */ 2059 if (ret > 0) 2060 ret = (int)written; 2061 2062 return ret; 2063 } 2064 2065 int SSL_write_ex(SSL *s, const void *buf, size_t num, size_t *written) 2066 { 2067 int ret = ssl_write_internal(s, buf, num, written); 2068 2069 if (ret < 0) 2070 ret = 0; 2071 return ret; 2072 } 2073 2074 int SSL_write_early_data(SSL *s, const void *buf, size_t num, size_t *written) 2075 { 2076 int ret, early_data_state; 2077 size_t writtmp; 2078 uint32_t partialwrite; 2079 2080 switch (s->early_data_state) { 2081 case SSL_EARLY_DATA_NONE: 2082 if (s->server 2083 || !SSL_in_before(s) 2084 || ((s->session == NULL || s->session->ext.max_early_data == 0) 2085 && (s->psk_use_session_cb == NULL))) { 2086 SSLerr(SSL_F_SSL_WRITE_EARLY_DATA, 2087 ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 2088 return 0; 2089 } 2090 /* fall through */ 2091 2092 case SSL_EARLY_DATA_CONNECT_RETRY: 2093 s->early_data_state = SSL_EARLY_DATA_CONNECTING; 2094 ret = SSL_connect(s); 2095 if (ret <= 0) { 2096 /* NBIO or error */ 2097 s->early_data_state = SSL_EARLY_DATA_CONNECT_RETRY; 2098 return 0; 2099 } 2100 /* fall through */ 2101 2102 case SSL_EARLY_DATA_WRITE_RETRY: 2103 s->early_data_state = SSL_EARLY_DATA_WRITING; 2104 /* 2105 * We disable partial write for early data because we don't keep track 2106 * of how many bytes we've written between the SSL_write_ex() call and 2107 * the flush if the flush needs to be retried) 2108 */ 2109 partialwrite = s->mode & SSL_MODE_ENABLE_PARTIAL_WRITE; 2110 s->mode &= ~SSL_MODE_ENABLE_PARTIAL_WRITE; 2111 ret = SSL_write_ex(s, buf, num, &writtmp); 2112 s->mode |= partialwrite; 2113 if (!ret) { 2114 s->early_data_state = SSL_EARLY_DATA_WRITE_RETRY; 2115 return ret; 2116 } 2117 s->early_data_state = SSL_EARLY_DATA_WRITE_FLUSH; 2118 /* fall through */ 2119 2120 case SSL_EARLY_DATA_WRITE_FLUSH: 2121 /* The buffering BIO is still in place so we need to flush it */ 2122 if (statem_flush(s) != 1) 2123 return 0; 2124 *written = num; 2125 s->early_data_state = SSL_EARLY_DATA_WRITE_RETRY; 2126 return 1; 2127 2128 case SSL_EARLY_DATA_FINISHED_READING: 2129 case SSL_EARLY_DATA_READ_RETRY: 2130 early_data_state = s->early_data_state; 2131 /* We are a server writing to an unauthenticated client */ 2132 s->early_data_state = SSL_EARLY_DATA_UNAUTH_WRITING; 2133 ret = SSL_write_ex(s, buf, num, written); 2134 /* The buffering BIO is still in place */ 2135 if (ret) 2136 (void)BIO_flush(s->wbio); 2137 s->early_data_state = early_data_state; 2138 return ret; 2139 2140 default: 2141 SSLerr(SSL_F_SSL_WRITE_EARLY_DATA, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 2142 return 0; 2143 } 2144 } 2145 2146 int SSL_shutdown(SSL *s) 2147 { 2148 /* 2149 * Note that this function behaves differently from what one might 2150 * expect. Return values are 0 for no success (yet), 1 for success; but 2151 * calling it once is usually not enough, even if blocking I/O is used 2152 * (see ssl3_shutdown). 2153 */ 2154 2155 if (s->handshake_func == NULL) { 2156 SSLerr(SSL_F_SSL_SHUTDOWN, SSL_R_UNINITIALIZED); 2157 return -1; 2158 } 2159 2160 if (!SSL_in_init(s)) { 2161 if ((s->mode & SSL_MODE_ASYNC) && ASYNC_get_current_job() == NULL) { 2162 struct ssl_async_args args; 2163 2164 args.s = s; 2165 args.type = OTHERFUNC; 2166 args.f.func_other = s->method->ssl_shutdown; 2167 2168 return ssl_start_async_job(s, &args, ssl_io_intern); 2169 } else { 2170 return s->method->ssl_shutdown(s); 2171 } 2172 } else { 2173 SSLerr(SSL_F_SSL_SHUTDOWN, SSL_R_SHUTDOWN_WHILE_IN_INIT); 2174 return -1; 2175 } 2176 } 2177 2178 int SSL_key_update(SSL *s, int updatetype) 2179 { 2180 /* 2181 * TODO(TLS1.3): How will applications know whether TLSv1.3 has been 2182 * negotiated, and that it is appropriate to call SSL_key_update() instead 2183 * of SSL_renegotiate(). 2184 */ 2185 if (!SSL_IS_TLS13(s)) { 2186 SSLerr(SSL_F_SSL_KEY_UPDATE, SSL_R_WRONG_SSL_VERSION); 2187 return 0; 2188 } 2189 2190 if (updatetype != SSL_KEY_UPDATE_NOT_REQUESTED 2191 && updatetype != SSL_KEY_UPDATE_REQUESTED) { 2192 SSLerr(SSL_F_SSL_KEY_UPDATE, SSL_R_INVALID_KEY_UPDATE_TYPE); 2193 return 0; 2194 } 2195 2196 if (!SSL_is_init_finished(s)) { 2197 SSLerr(SSL_F_SSL_KEY_UPDATE, SSL_R_STILL_IN_INIT); 2198 return 0; 2199 } 2200 2201 ossl_statem_set_in_init(s, 1); 2202 s->key_update = updatetype; 2203 return 1; 2204 } 2205 2206 int SSL_get_key_update_type(const SSL *s) 2207 { 2208 return s->key_update; 2209 } 2210 2211 int SSL_renegotiate(SSL *s) 2212 { 2213 if (SSL_IS_TLS13(s)) { 2214 SSLerr(SSL_F_SSL_RENEGOTIATE, SSL_R_WRONG_SSL_VERSION); 2215 return 0; 2216 } 2217 2218 if ((s->options & SSL_OP_NO_RENEGOTIATION)) { 2219 SSLerr(SSL_F_SSL_RENEGOTIATE, SSL_R_NO_RENEGOTIATION); 2220 return 0; 2221 } 2222 2223 s->renegotiate = 1; 2224 s->new_session = 1; 2225 2226 return s->method->ssl_renegotiate(s); 2227 } 2228 2229 int SSL_renegotiate_abbreviated(SSL *s) 2230 { 2231 if (SSL_IS_TLS13(s)) { 2232 SSLerr(SSL_F_SSL_RENEGOTIATE_ABBREVIATED, SSL_R_WRONG_SSL_VERSION); 2233 return 0; 2234 } 2235 2236 if ((s->options & SSL_OP_NO_RENEGOTIATION)) { 2237 SSLerr(SSL_F_SSL_RENEGOTIATE_ABBREVIATED, SSL_R_NO_RENEGOTIATION); 2238 return 0; 2239 } 2240 2241 s->renegotiate = 1; 2242 s->new_session = 0; 2243 2244 return s->method->ssl_renegotiate(s); 2245 } 2246 2247 int SSL_renegotiate_pending(const SSL *s) 2248 { 2249 /* 2250 * becomes true when negotiation is requested; false again once a 2251 * handshake has finished 2252 */ 2253 return (s->renegotiate != 0); 2254 } 2255 2256 long SSL_ctrl(SSL *s, int cmd, long larg, void *parg) 2257 { 2258 long l; 2259 2260 switch (cmd) { 2261 case SSL_CTRL_GET_READ_AHEAD: 2262 return RECORD_LAYER_get_read_ahead(&s->rlayer); 2263 case SSL_CTRL_SET_READ_AHEAD: 2264 l = RECORD_LAYER_get_read_ahead(&s->rlayer); 2265 RECORD_LAYER_set_read_ahead(&s->rlayer, larg); 2266 return l; 2267 2268 case SSL_CTRL_SET_MSG_CALLBACK_ARG: 2269 s->msg_callback_arg = parg; 2270 return 1; 2271 2272 case SSL_CTRL_MODE: 2273 return (s->mode |= larg); 2274 case SSL_CTRL_CLEAR_MODE: 2275 return (s->mode &= ~larg); 2276 case SSL_CTRL_GET_MAX_CERT_LIST: 2277 return (long)s->max_cert_list; 2278 case SSL_CTRL_SET_MAX_CERT_LIST: 2279 if (larg < 0) 2280 return 0; 2281 l = (long)s->max_cert_list; 2282 s->max_cert_list = (size_t)larg; 2283 return l; 2284 case SSL_CTRL_SET_MAX_SEND_FRAGMENT: 2285 if (larg < 512 || larg > SSL3_RT_MAX_PLAIN_LENGTH) 2286 return 0; 2287 #ifndef OPENSSL_NO_KTLS 2288 if (s->wbio != NULL && BIO_get_ktls_send(s->wbio)) 2289 return 0; 2290 #endif /* OPENSSL_NO_KTLS */ 2291 s->max_send_fragment = larg; 2292 if (s->max_send_fragment < s->split_send_fragment) 2293 s->split_send_fragment = s->max_send_fragment; 2294 return 1; 2295 case SSL_CTRL_SET_SPLIT_SEND_FRAGMENT: 2296 if ((size_t)larg > s->max_send_fragment || larg == 0) 2297 return 0; 2298 s->split_send_fragment = larg; 2299 return 1; 2300 case SSL_CTRL_SET_MAX_PIPELINES: 2301 if (larg < 1 || larg > SSL_MAX_PIPELINES) 2302 return 0; 2303 s->max_pipelines = larg; 2304 if (larg > 1) 2305 RECORD_LAYER_set_read_ahead(&s->rlayer, 1); 2306 return 1; 2307 case SSL_CTRL_GET_RI_SUPPORT: 2308 if (s->s3) 2309 return s->s3->send_connection_binding; 2310 else 2311 return 0; 2312 case SSL_CTRL_CERT_FLAGS: 2313 return (s->cert->cert_flags |= larg); 2314 case SSL_CTRL_CLEAR_CERT_FLAGS: 2315 return (s->cert->cert_flags &= ~larg); 2316 2317 case SSL_CTRL_GET_RAW_CIPHERLIST: 2318 if (parg) { 2319 if (s->s3->tmp.ciphers_raw == NULL) 2320 return 0; 2321 *(unsigned char **)parg = s->s3->tmp.ciphers_raw; 2322 return (int)s->s3->tmp.ciphers_rawlen; 2323 } else { 2324 return TLS_CIPHER_LEN; 2325 } 2326 case SSL_CTRL_GET_EXTMS_SUPPORT: 2327 if (!s->session || SSL_in_init(s) || ossl_statem_get_in_handshake(s)) 2328 return -1; 2329 if (s->session->flags & SSL_SESS_FLAG_EXTMS) 2330 return 1; 2331 else 2332 return 0; 2333 case SSL_CTRL_SET_MIN_PROTO_VERSION: 2334 return ssl_check_allowed_versions(larg, s->max_proto_version) 2335 && ssl_set_version_bound(s->ctx->method->version, (int)larg, 2336 &s->min_proto_version); 2337 case SSL_CTRL_GET_MIN_PROTO_VERSION: 2338 return s->min_proto_version; 2339 case SSL_CTRL_SET_MAX_PROTO_VERSION: 2340 return ssl_check_allowed_versions(s->min_proto_version, larg) 2341 && ssl_set_version_bound(s->ctx->method->version, (int)larg, 2342 &s->max_proto_version); 2343 case SSL_CTRL_GET_MAX_PROTO_VERSION: 2344 return s->max_proto_version; 2345 default: 2346 return s->method->ssl_ctrl(s, cmd, larg, parg); 2347 } 2348 } 2349 2350 long SSL_callback_ctrl(SSL *s, int cmd, void (*fp) (void)) 2351 { 2352 switch (cmd) { 2353 case SSL_CTRL_SET_MSG_CALLBACK: 2354 s->msg_callback = (void (*) 2355 (int write_p, int version, int content_type, 2356 const void *buf, size_t len, SSL *ssl, 2357 void *arg))(fp); 2358 return 1; 2359 2360 default: 2361 return s->method->ssl_callback_ctrl(s, cmd, fp); 2362 } 2363 } 2364 2365 LHASH_OF(SSL_SESSION) *SSL_CTX_sessions(SSL_CTX *ctx) 2366 { 2367 return ctx->sessions; 2368 } 2369 2370 long SSL_CTX_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) 2371 { 2372 long l; 2373 /* For some cases with ctx == NULL perform syntax checks */ 2374 if (ctx == NULL) { 2375 switch (cmd) { 2376 #ifndef OPENSSL_NO_EC 2377 case SSL_CTRL_SET_GROUPS_LIST: 2378 return tls1_set_groups_list(NULL, NULL, parg); 2379 #endif 2380 case SSL_CTRL_SET_SIGALGS_LIST: 2381 case SSL_CTRL_SET_CLIENT_SIGALGS_LIST: 2382 return tls1_set_sigalgs_list(NULL, parg, 0); 2383 default: 2384 return 0; 2385 } 2386 } 2387 2388 switch (cmd) { 2389 case SSL_CTRL_GET_READ_AHEAD: 2390 return ctx->read_ahead; 2391 case SSL_CTRL_SET_READ_AHEAD: 2392 l = ctx->read_ahead; 2393 ctx->read_ahead = larg; 2394 return l; 2395 2396 case SSL_CTRL_SET_MSG_CALLBACK_ARG: 2397 ctx->msg_callback_arg = parg; 2398 return 1; 2399 2400 case SSL_CTRL_GET_MAX_CERT_LIST: 2401 return (long)ctx->max_cert_list; 2402 case SSL_CTRL_SET_MAX_CERT_LIST: 2403 if (larg < 0) 2404 return 0; 2405 l = (long)ctx->max_cert_list; 2406 ctx->max_cert_list = (size_t)larg; 2407 return l; 2408 2409 case SSL_CTRL_SET_SESS_CACHE_SIZE: 2410 if (larg < 0) 2411 return 0; 2412 l = (long)ctx->session_cache_size; 2413 ctx->session_cache_size = (size_t)larg; 2414 return l; 2415 case SSL_CTRL_GET_SESS_CACHE_SIZE: 2416 return (long)ctx->session_cache_size; 2417 case SSL_CTRL_SET_SESS_CACHE_MODE: 2418 l = ctx->session_cache_mode; 2419 ctx->session_cache_mode = larg; 2420 return l; 2421 case SSL_CTRL_GET_SESS_CACHE_MODE: 2422 return ctx->session_cache_mode; 2423 2424 case SSL_CTRL_SESS_NUMBER: 2425 return lh_SSL_SESSION_num_items(ctx->sessions); 2426 case SSL_CTRL_SESS_CONNECT: 2427 return tsan_load(&ctx->stats.sess_connect); 2428 case SSL_CTRL_SESS_CONNECT_GOOD: 2429 return tsan_load(&ctx->stats.sess_connect_good); 2430 case SSL_CTRL_SESS_CONNECT_RENEGOTIATE: 2431 return tsan_load(&ctx->stats.sess_connect_renegotiate); 2432 case SSL_CTRL_SESS_ACCEPT: 2433 return tsan_load(&ctx->stats.sess_accept); 2434 case SSL_CTRL_SESS_ACCEPT_GOOD: 2435 return tsan_load(&ctx->stats.sess_accept_good); 2436 case SSL_CTRL_SESS_ACCEPT_RENEGOTIATE: 2437 return tsan_load(&ctx->stats.sess_accept_renegotiate); 2438 case SSL_CTRL_SESS_HIT: 2439 return tsan_load(&ctx->stats.sess_hit); 2440 case SSL_CTRL_SESS_CB_HIT: 2441 return tsan_load(&ctx->stats.sess_cb_hit); 2442 case SSL_CTRL_SESS_MISSES: 2443 return tsan_load(&ctx->stats.sess_miss); 2444 case SSL_CTRL_SESS_TIMEOUTS: 2445 return tsan_load(&ctx->stats.sess_timeout); 2446 case SSL_CTRL_SESS_CACHE_FULL: 2447 return tsan_load(&ctx->stats.sess_cache_full); 2448 case SSL_CTRL_MODE: 2449 return (ctx->mode |= larg); 2450 case SSL_CTRL_CLEAR_MODE: 2451 return (ctx->mode &= ~larg); 2452 case SSL_CTRL_SET_MAX_SEND_FRAGMENT: 2453 if (larg < 512 || larg > SSL3_RT_MAX_PLAIN_LENGTH) 2454 return 0; 2455 ctx->max_send_fragment = larg; 2456 if (ctx->max_send_fragment < ctx->split_send_fragment) 2457 ctx->split_send_fragment = ctx->max_send_fragment; 2458 return 1; 2459 case SSL_CTRL_SET_SPLIT_SEND_FRAGMENT: 2460 if ((size_t)larg > ctx->max_send_fragment || larg == 0) 2461 return 0; 2462 ctx->split_send_fragment = larg; 2463 return 1; 2464 case SSL_CTRL_SET_MAX_PIPELINES: 2465 if (larg < 1 || larg > SSL_MAX_PIPELINES) 2466 return 0; 2467 ctx->max_pipelines = larg; 2468 return 1; 2469 case SSL_CTRL_CERT_FLAGS: 2470 return (ctx->cert->cert_flags |= larg); 2471 case SSL_CTRL_CLEAR_CERT_FLAGS: 2472 return (ctx->cert->cert_flags &= ~larg); 2473 case SSL_CTRL_SET_MIN_PROTO_VERSION: 2474 return ssl_check_allowed_versions(larg, ctx->max_proto_version) 2475 && ssl_set_version_bound(ctx->method->version, (int)larg, 2476 &ctx->min_proto_version); 2477 case SSL_CTRL_GET_MIN_PROTO_VERSION: 2478 return ctx->min_proto_version; 2479 case SSL_CTRL_SET_MAX_PROTO_VERSION: 2480 return ssl_check_allowed_versions(ctx->min_proto_version, larg) 2481 && ssl_set_version_bound(ctx->method->version, (int)larg, 2482 &ctx->max_proto_version); 2483 case SSL_CTRL_GET_MAX_PROTO_VERSION: 2484 return ctx->max_proto_version; 2485 default: 2486 return ctx->method->ssl_ctx_ctrl(ctx, cmd, larg, parg); 2487 } 2488 } 2489 2490 long SSL_CTX_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp) (void)) 2491 { 2492 switch (cmd) { 2493 case SSL_CTRL_SET_MSG_CALLBACK: 2494 ctx->msg_callback = (void (*) 2495 (int write_p, int version, int content_type, 2496 const void *buf, size_t len, SSL *ssl, 2497 void *arg))(fp); 2498 return 1; 2499 2500 default: 2501 return ctx->method->ssl_ctx_callback_ctrl(ctx, cmd, fp); 2502 } 2503 } 2504 2505 int ssl_cipher_id_cmp(const SSL_CIPHER *a, const SSL_CIPHER *b) 2506 { 2507 if (a->id > b->id) 2508 return 1; 2509 if (a->id < b->id) 2510 return -1; 2511 return 0; 2512 } 2513 2514 int ssl_cipher_ptr_id_cmp(const SSL_CIPHER *const *ap, 2515 const SSL_CIPHER *const *bp) 2516 { 2517 if ((*ap)->id > (*bp)->id) 2518 return 1; 2519 if ((*ap)->id < (*bp)->id) 2520 return -1; 2521 return 0; 2522 } 2523 2524 /** return a STACK of the ciphers available for the SSL and in order of 2525 * preference */ 2526 STACK_OF(SSL_CIPHER) *SSL_get_ciphers(const SSL *s) 2527 { 2528 if (s != NULL) { 2529 if (s->cipher_list != NULL) { 2530 return s->cipher_list; 2531 } else if ((s->ctx != NULL) && (s->ctx->cipher_list != NULL)) { 2532 return s->ctx->cipher_list; 2533 } 2534 } 2535 return NULL; 2536 } 2537 2538 STACK_OF(SSL_CIPHER) *SSL_get_client_ciphers(const SSL *s) 2539 { 2540 if ((s == NULL) || !s->server) 2541 return NULL; 2542 return s->peer_ciphers; 2543 } 2544 2545 STACK_OF(SSL_CIPHER) *SSL_get1_supported_ciphers(SSL *s) 2546 { 2547 STACK_OF(SSL_CIPHER) *sk = NULL, *ciphers; 2548 int i; 2549 2550 ciphers = SSL_get_ciphers(s); 2551 if (!ciphers) 2552 return NULL; 2553 if (!ssl_set_client_disabled(s)) 2554 return NULL; 2555 for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) { 2556 const SSL_CIPHER *c = sk_SSL_CIPHER_value(ciphers, i); 2557 if (!ssl_cipher_disabled(s, c, SSL_SECOP_CIPHER_SUPPORTED, 0)) { 2558 if (!sk) 2559 sk = sk_SSL_CIPHER_new_null(); 2560 if (!sk) 2561 return NULL; 2562 if (!sk_SSL_CIPHER_push(sk, c)) { 2563 sk_SSL_CIPHER_free(sk); 2564 return NULL; 2565 } 2566 } 2567 } 2568 return sk; 2569 } 2570 2571 /** return a STACK of the ciphers available for the SSL and in order of 2572 * algorithm id */ 2573 STACK_OF(SSL_CIPHER) *ssl_get_ciphers_by_id(SSL *s) 2574 { 2575 if (s != NULL) { 2576 if (s->cipher_list_by_id != NULL) { 2577 return s->cipher_list_by_id; 2578 } else if ((s->ctx != NULL) && (s->ctx->cipher_list_by_id != NULL)) { 2579 return s->ctx->cipher_list_by_id; 2580 } 2581 } 2582 return NULL; 2583 } 2584 2585 /** The old interface to get the same thing as SSL_get_ciphers() */ 2586 const char *SSL_get_cipher_list(const SSL *s, int n) 2587 { 2588 const SSL_CIPHER *c; 2589 STACK_OF(SSL_CIPHER) *sk; 2590 2591 if (s == NULL) 2592 return NULL; 2593 sk = SSL_get_ciphers(s); 2594 if ((sk == NULL) || (sk_SSL_CIPHER_num(sk) <= n)) 2595 return NULL; 2596 c = sk_SSL_CIPHER_value(sk, n); 2597 if (c == NULL) 2598 return NULL; 2599 return c->name; 2600 } 2601 2602 /** return a STACK of the ciphers available for the SSL_CTX and in order of 2603 * preference */ 2604 STACK_OF(SSL_CIPHER) *SSL_CTX_get_ciphers(const SSL_CTX *ctx) 2605 { 2606 if (ctx != NULL) 2607 return ctx->cipher_list; 2608 return NULL; 2609 } 2610 2611 /* 2612 * Distinguish between ciphers controlled by set_ciphersuite() and 2613 * set_cipher_list() when counting. 2614 */ 2615 static int cipher_list_tls12_num(STACK_OF(SSL_CIPHER) *sk) 2616 { 2617 int i, num = 0; 2618 const SSL_CIPHER *c; 2619 2620 if (sk == NULL) 2621 return 0; 2622 for (i = 0; i < sk_SSL_CIPHER_num(sk); ++i) { 2623 c = sk_SSL_CIPHER_value(sk, i); 2624 if (c->min_tls >= TLS1_3_VERSION) 2625 continue; 2626 num++; 2627 } 2628 return num; 2629 } 2630 2631 /** specify the ciphers to be used by default by the SSL_CTX */ 2632 int SSL_CTX_set_cipher_list(SSL_CTX *ctx, const char *str) 2633 { 2634 STACK_OF(SSL_CIPHER) *sk; 2635 2636 sk = ssl_create_cipher_list(ctx->method, ctx->tls13_ciphersuites, 2637 &ctx->cipher_list, &ctx->cipher_list_by_id, str, 2638 ctx->cert); 2639 /* 2640 * ssl_create_cipher_list may return an empty stack if it was unable to 2641 * find a cipher matching the given rule string (for example if the rule 2642 * string specifies a cipher which has been disabled). This is not an 2643 * error as far as ssl_create_cipher_list is concerned, and hence 2644 * ctx->cipher_list and ctx->cipher_list_by_id has been updated. 2645 */ 2646 if (sk == NULL) 2647 return 0; 2648 else if (cipher_list_tls12_num(sk) == 0) { 2649 SSLerr(SSL_F_SSL_CTX_SET_CIPHER_LIST, SSL_R_NO_CIPHER_MATCH); 2650 return 0; 2651 } 2652 return 1; 2653 } 2654 2655 /** specify the ciphers to be used by the SSL */ 2656 int SSL_set_cipher_list(SSL *s, const char *str) 2657 { 2658 STACK_OF(SSL_CIPHER) *sk; 2659 2660 sk = ssl_create_cipher_list(s->ctx->method, s->tls13_ciphersuites, 2661 &s->cipher_list, &s->cipher_list_by_id, str, 2662 s->cert); 2663 /* see comment in SSL_CTX_set_cipher_list */ 2664 if (sk == NULL) 2665 return 0; 2666 else if (cipher_list_tls12_num(sk) == 0) { 2667 SSLerr(SSL_F_SSL_SET_CIPHER_LIST, SSL_R_NO_CIPHER_MATCH); 2668 return 0; 2669 } 2670 return 1; 2671 } 2672 2673 char *SSL_get_shared_ciphers(const SSL *s, char *buf, int size) 2674 { 2675 char *p; 2676 STACK_OF(SSL_CIPHER) *clntsk, *srvrsk; 2677 const SSL_CIPHER *c; 2678 int i; 2679 2680 if (!s->server 2681 || s->peer_ciphers == NULL 2682 || size < 2) 2683 return NULL; 2684 2685 p = buf; 2686 clntsk = s->peer_ciphers; 2687 srvrsk = SSL_get_ciphers(s); 2688 if (clntsk == NULL || srvrsk == NULL) 2689 return NULL; 2690 2691 if (sk_SSL_CIPHER_num(clntsk) == 0 || sk_SSL_CIPHER_num(srvrsk) == 0) 2692 return NULL; 2693 2694 for (i = 0; i < sk_SSL_CIPHER_num(clntsk); i++) { 2695 int n; 2696 2697 c = sk_SSL_CIPHER_value(clntsk, i); 2698 if (sk_SSL_CIPHER_find(srvrsk, c) < 0) 2699 continue; 2700 2701 n = strlen(c->name); 2702 if (n + 1 > size) { 2703 if (p != buf) 2704 --p; 2705 *p = '\0'; 2706 return buf; 2707 } 2708 strcpy(p, c->name); 2709 p += n; 2710 *(p++) = ':'; 2711 size -= n + 1; 2712 } 2713 p[-1] = '\0'; 2714 return buf; 2715 } 2716 2717 /** 2718 * Return the requested servername (SNI) value. Note that the behaviour varies 2719 * depending on: 2720 * - whether this is called by the client or the server, 2721 * - if we are before or during/after the handshake, 2722 * - if a resumption or normal handshake is being attempted/has occurred 2723 * - whether we have negotiated TLSv1.2 (or below) or TLSv1.3 2724 * 2725 * Note that only the host_name type is defined (RFC 3546). 2726 */ 2727 const char *SSL_get_servername(const SSL *s, const int type) 2728 { 2729 /* 2730 * If we don't know if we are the client or the server yet then we assume 2731 * client. 2732 */ 2733 int server = s->handshake_func == NULL ? 0 : s->server; 2734 if (type != TLSEXT_NAMETYPE_host_name) 2735 return NULL; 2736 2737 if (server) { 2738 /** 2739 * Server side 2740 * In TLSv1.3 on the server SNI is not associated with the session 2741 * but in TLSv1.2 or below it is. 2742 * 2743 * Before the handshake: 2744 * - return NULL 2745 * 2746 * During/after the handshake (TLSv1.2 or below resumption occurred): 2747 * - If a servername was accepted by the server in the original 2748 * handshake then it will return that servername, or NULL otherwise. 2749 * 2750 * During/after the handshake (TLSv1.2 or below resumption did not occur): 2751 * - The function will return the servername requested by the client in 2752 * this handshake or NULL if none was requested. 2753 */ 2754 if (s->hit && !SSL_IS_TLS13(s)) 2755 return s->session->ext.hostname; 2756 } else { 2757 /** 2758 * Client side 2759 * 2760 * Before the handshake: 2761 * - If a servername has been set via a call to 2762 * SSL_set_tlsext_host_name() then it will return that servername 2763 * - If one has not been set, but a TLSv1.2 resumption is being 2764 * attempted and the session from the original handshake had a 2765 * servername accepted by the server then it will return that 2766 * servername 2767 * - Otherwise it returns NULL 2768 * 2769 * During/after the handshake (TLSv1.2 or below resumption occurred): 2770 * - If the session from the original handshake had a servername accepted 2771 * by the server then it will return that servername. 2772 * - Otherwise it returns the servername set via 2773 * SSL_set_tlsext_host_name() (or NULL if it was not called). 2774 * 2775 * During/after the handshake (TLSv1.2 or below resumption did not occur): 2776 * - It will return the servername set via SSL_set_tlsext_host_name() 2777 * (or NULL if it was not called). 2778 */ 2779 if (SSL_in_before(s)) { 2780 if (s->ext.hostname == NULL 2781 && s->session != NULL 2782 && s->session->ssl_version != TLS1_3_VERSION) 2783 return s->session->ext.hostname; 2784 } else { 2785 if (!SSL_IS_TLS13(s) && s->hit && s->session->ext.hostname != NULL) 2786 return s->session->ext.hostname; 2787 } 2788 } 2789 2790 return s->ext.hostname; 2791 } 2792 2793 int SSL_get_servername_type(const SSL *s) 2794 { 2795 if (SSL_get_servername(s, TLSEXT_NAMETYPE_host_name) != NULL) 2796 return TLSEXT_NAMETYPE_host_name; 2797 return -1; 2798 } 2799 2800 /* 2801 * SSL_select_next_proto implements the standard protocol selection. It is 2802 * expected that this function is called from the callback set by 2803 * SSL_CTX_set_next_proto_select_cb. The protocol data is assumed to be a 2804 * vector of 8-bit, length prefixed byte strings. The length byte itself is 2805 * not included in the length. A byte string of length 0 is invalid. No byte 2806 * string may be truncated. The current, but experimental algorithm for 2807 * selecting the protocol is: 1) If the server doesn't support NPN then this 2808 * is indicated to the callback. In this case, the client application has to 2809 * abort the connection or have a default application level protocol. 2) If 2810 * the server supports NPN, but advertises an empty list then the client 2811 * selects the first protocol in its list, but indicates via the API that this 2812 * fallback case was enacted. 3) Otherwise, the client finds the first 2813 * protocol in the server's list that it supports and selects this protocol. 2814 * This is because it's assumed that the server has better information about 2815 * which protocol a client should use. 4) If the client doesn't support any 2816 * of the server's advertised protocols, then this is treated the same as 2817 * case 2. It returns either OPENSSL_NPN_NEGOTIATED if a common protocol was 2818 * found, or OPENSSL_NPN_NO_OVERLAP if the fallback case was reached. 2819 */ 2820 int SSL_select_next_proto(unsigned char **out, unsigned char *outlen, 2821 const unsigned char *server, 2822 unsigned int server_len, 2823 const unsigned char *client, unsigned int client_len) 2824 { 2825 unsigned int i, j; 2826 const unsigned char *result; 2827 int status = OPENSSL_NPN_UNSUPPORTED; 2828 2829 /* 2830 * For each protocol in server preference order, see if we support it. 2831 */ 2832 for (i = 0; i < server_len;) { 2833 for (j = 0; j < client_len;) { 2834 if (server[i] == client[j] && 2835 memcmp(&server[i + 1], &client[j + 1], server[i]) == 0) { 2836 /* We found a match */ 2837 result = &server[i]; 2838 status = OPENSSL_NPN_NEGOTIATED; 2839 goto found; 2840 } 2841 j += client[j]; 2842 j++; 2843 } 2844 i += server[i]; 2845 i++; 2846 } 2847 2848 /* There's no overlap between our protocols and the server's list. */ 2849 result = client; 2850 status = OPENSSL_NPN_NO_OVERLAP; 2851 2852 found: 2853 *out = (unsigned char *)result + 1; 2854 *outlen = result[0]; 2855 return status; 2856 } 2857 2858 #ifndef OPENSSL_NO_NEXTPROTONEG 2859 /* 2860 * SSL_get0_next_proto_negotiated sets *data and *len to point to the 2861 * client's requested protocol for this connection and returns 0. If the 2862 * client didn't request any protocol, then *data is set to NULL. Note that 2863 * the client can request any protocol it chooses. The value returned from 2864 * this function need not be a member of the list of supported protocols 2865 * provided by the callback. 2866 */ 2867 void SSL_get0_next_proto_negotiated(const SSL *s, const unsigned char **data, 2868 unsigned *len) 2869 { 2870 *data = s->ext.npn; 2871 if (!*data) { 2872 *len = 0; 2873 } else { 2874 *len = (unsigned int)s->ext.npn_len; 2875 } 2876 } 2877 2878 /* 2879 * SSL_CTX_set_npn_advertised_cb sets a callback that is called when 2880 * a TLS server needs a list of supported protocols for Next Protocol 2881 * Negotiation. The returned list must be in wire format. The list is 2882 * returned by setting |out| to point to it and |outlen| to its length. This 2883 * memory will not be modified, but one should assume that the SSL* keeps a 2884 * reference to it. The callback should return SSL_TLSEXT_ERR_OK if it 2885 * wishes to advertise. Otherwise, no such extension will be included in the 2886 * ServerHello. 2887 */ 2888 void SSL_CTX_set_npn_advertised_cb(SSL_CTX *ctx, 2889 SSL_CTX_npn_advertised_cb_func cb, 2890 void *arg) 2891 { 2892 ctx->ext.npn_advertised_cb = cb; 2893 ctx->ext.npn_advertised_cb_arg = arg; 2894 } 2895 2896 /* 2897 * SSL_CTX_set_next_proto_select_cb sets a callback that is called when a 2898 * client needs to select a protocol from the server's provided list. |out| 2899 * must be set to point to the selected protocol (which may be within |in|). 2900 * The length of the protocol name must be written into |outlen|. The 2901 * server's advertised protocols are provided in |in| and |inlen|. The 2902 * callback can assume that |in| is syntactically valid. The client must 2903 * select a protocol. It is fatal to the connection if this callback returns 2904 * a value other than SSL_TLSEXT_ERR_OK. 2905 */ 2906 void SSL_CTX_set_npn_select_cb(SSL_CTX *ctx, 2907 SSL_CTX_npn_select_cb_func cb, 2908 void *arg) 2909 { 2910 ctx->ext.npn_select_cb = cb; 2911 ctx->ext.npn_select_cb_arg = arg; 2912 } 2913 #endif 2914 2915 /* 2916 * SSL_CTX_set_alpn_protos sets the ALPN protocol list on |ctx| to |protos|. 2917 * |protos| must be in wire-format (i.e. a series of non-empty, 8-bit 2918 * length-prefixed strings). Returns 0 on success. 2919 */ 2920 int SSL_CTX_set_alpn_protos(SSL_CTX *ctx, const unsigned char *protos, 2921 unsigned int protos_len) 2922 { 2923 OPENSSL_free(ctx->ext.alpn); 2924 ctx->ext.alpn = OPENSSL_memdup(protos, protos_len); 2925 if (ctx->ext.alpn == NULL) { 2926 SSLerr(SSL_F_SSL_CTX_SET_ALPN_PROTOS, ERR_R_MALLOC_FAILURE); 2927 return 1; 2928 } 2929 ctx->ext.alpn_len = protos_len; 2930 2931 return 0; 2932 } 2933 2934 /* 2935 * SSL_set_alpn_protos sets the ALPN protocol list on |ssl| to |protos|. 2936 * |protos| must be in wire-format (i.e. a series of non-empty, 8-bit 2937 * length-prefixed strings). Returns 0 on success. 2938 */ 2939 int SSL_set_alpn_protos(SSL *ssl, const unsigned char *protos, 2940 unsigned int protos_len) 2941 { 2942 OPENSSL_free(ssl->ext.alpn); 2943 ssl->ext.alpn = OPENSSL_memdup(protos, protos_len); 2944 if (ssl->ext.alpn == NULL) { 2945 SSLerr(SSL_F_SSL_SET_ALPN_PROTOS, ERR_R_MALLOC_FAILURE); 2946 return 1; 2947 } 2948 ssl->ext.alpn_len = protos_len; 2949 2950 return 0; 2951 } 2952 2953 /* 2954 * SSL_CTX_set_alpn_select_cb sets a callback function on |ctx| that is 2955 * called during ClientHello processing in order to select an ALPN protocol 2956 * from the client's list of offered protocols. 2957 */ 2958 void SSL_CTX_set_alpn_select_cb(SSL_CTX *ctx, 2959 SSL_CTX_alpn_select_cb_func cb, 2960 void *arg) 2961 { 2962 ctx->ext.alpn_select_cb = cb; 2963 ctx->ext.alpn_select_cb_arg = arg; 2964 } 2965 2966 /* 2967 * SSL_get0_alpn_selected gets the selected ALPN protocol (if any) from |ssl|. 2968 * On return it sets |*data| to point to |*len| bytes of protocol name 2969 * (not including the leading length-prefix byte). If the server didn't 2970 * respond with a negotiated protocol then |*len| will be zero. 2971 */ 2972 void SSL_get0_alpn_selected(const SSL *ssl, const unsigned char **data, 2973 unsigned int *len) 2974 { 2975 *data = NULL; 2976 if (ssl->s3) 2977 *data = ssl->s3->alpn_selected; 2978 if (*data == NULL) 2979 *len = 0; 2980 else 2981 *len = (unsigned int)ssl->s3->alpn_selected_len; 2982 } 2983 2984 int SSL_export_keying_material(SSL *s, unsigned char *out, size_t olen, 2985 const char *label, size_t llen, 2986 const unsigned char *context, size_t contextlen, 2987 int use_context) 2988 { 2989 if (s->session == NULL 2990 || (s->version < TLS1_VERSION && s->version != DTLS1_BAD_VER)) 2991 return -1; 2992 2993 return s->method->ssl3_enc->export_keying_material(s, out, olen, label, 2994 llen, context, 2995 contextlen, use_context); 2996 } 2997 2998 int SSL_export_keying_material_early(SSL *s, unsigned char *out, size_t olen, 2999 const char *label, size_t llen, 3000 const unsigned char *context, 3001 size_t contextlen) 3002 { 3003 if (s->version != TLS1_3_VERSION) 3004 return 0; 3005 3006 return tls13_export_keying_material_early(s, out, olen, label, llen, 3007 context, contextlen); 3008 } 3009 3010 static unsigned long ssl_session_hash(const SSL_SESSION *a) 3011 { 3012 const unsigned char *session_id = a->session_id; 3013 unsigned long l; 3014 unsigned char tmp_storage[4]; 3015 3016 if (a->session_id_length < sizeof(tmp_storage)) { 3017 memset(tmp_storage, 0, sizeof(tmp_storage)); 3018 memcpy(tmp_storage, a->session_id, a->session_id_length); 3019 session_id = tmp_storage; 3020 } 3021 3022 l = (unsigned long) 3023 ((unsigned long)session_id[0]) | 3024 ((unsigned long)session_id[1] << 8L) | 3025 ((unsigned long)session_id[2] << 16L) | 3026 ((unsigned long)session_id[3] << 24L); 3027 return l; 3028 } 3029 3030 /* 3031 * NB: If this function (or indeed the hash function which uses a sort of 3032 * coarser function than this one) is changed, ensure 3033 * SSL_CTX_has_matching_session_id() is checked accordingly. It relies on 3034 * being able to construct an SSL_SESSION that will collide with any existing 3035 * session with a matching session ID. 3036 */ 3037 static int ssl_session_cmp(const SSL_SESSION *a, const SSL_SESSION *b) 3038 { 3039 if (a->ssl_version != b->ssl_version) 3040 return 1; 3041 if (a->session_id_length != b->session_id_length) 3042 return 1; 3043 return memcmp(a->session_id, b->session_id, a->session_id_length); 3044 } 3045 3046 /* 3047 * These wrapper functions should remain rather than redeclaring 3048 * SSL_SESSION_hash and SSL_SESSION_cmp for void* types and casting each 3049 * variable. The reason is that the functions aren't static, they're exposed 3050 * via ssl.h. 3051 */ 3052 3053 SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth) 3054 { 3055 SSL_CTX *ret = NULL; 3056 3057 if (meth == NULL) { 3058 SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_NULL_SSL_METHOD_PASSED); 3059 return NULL; 3060 } 3061 3062 if (!OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS, NULL)) 3063 return NULL; 3064 3065 if (SSL_get_ex_data_X509_STORE_CTX_idx() < 0) { 3066 SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_X509_VERIFICATION_SETUP_PROBLEMS); 3067 goto err; 3068 } 3069 ret = OPENSSL_zalloc(sizeof(*ret)); 3070 if (ret == NULL) 3071 goto err; 3072 3073 ret->method = meth; 3074 ret->min_proto_version = 0; 3075 ret->max_proto_version = 0; 3076 ret->mode = SSL_MODE_AUTO_RETRY; 3077 ret->session_cache_mode = SSL_SESS_CACHE_SERVER; 3078 ret->session_cache_size = SSL_SESSION_CACHE_MAX_SIZE_DEFAULT; 3079 /* We take the system default. */ 3080 ret->session_timeout = meth->get_timeout(); 3081 ret->references = 1; 3082 ret->lock = CRYPTO_THREAD_lock_new(); 3083 if (ret->lock == NULL) { 3084 SSLerr(SSL_F_SSL_CTX_NEW, ERR_R_MALLOC_FAILURE); 3085 OPENSSL_free(ret); 3086 return NULL; 3087 } 3088 ret->max_cert_list = SSL_MAX_CERT_LIST_DEFAULT; 3089 ret->verify_mode = SSL_VERIFY_NONE; 3090 if ((ret->cert = ssl_cert_new()) == NULL) 3091 goto err; 3092 3093 ret->sessions = lh_SSL_SESSION_new(ssl_session_hash, ssl_session_cmp); 3094 if (ret->sessions == NULL) 3095 goto err; 3096 ret->cert_store = X509_STORE_new(); 3097 if (ret->cert_store == NULL) 3098 goto err; 3099 #ifndef OPENSSL_NO_CT 3100 ret->ctlog_store = CTLOG_STORE_new(); 3101 if (ret->ctlog_store == NULL) 3102 goto err; 3103 #endif 3104 3105 if (!SSL_CTX_set_ciphersuites(ret, TLS_DEFAULT_CIPHERSUITES)) 3106 goto err; 3107 3108 if (!ssl_create_cipher_list(ret->method, 3109 ret->tls13_ciphersuites, 3110 &ret->cipher_list, &ret->cipher_list_by_id, 3111 SSL_DEFAULT_CIPHER_LIST, ret->cert) 3112 || sk_SSL_CIPHER_num(ret->cipher_list) <= 0) { 3113 SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_LIBRARY_HAS_NO_CIPHERS); 3114 goto err2; 3115 } 3116 3117 ret->param = X509_VERIFY_PARAM_new(); 3118 if (ret->param == NULL) 3119 goto err; 3120 3121 if ((ret->md5 = EVP_get_digestbyname("ssl3-md5")) == NULL) { 3122 SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES); 3123 goto err2; 3124 } 3125 if ((ret->sha1 = EVP_get_digestbyname("ssl3-sha1")) == NULL) { 3126 SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES); 3127 goto err2; 3128 } 3129 3130 if ((ret->ca_names = sk_X509_NAME_new_null()) == NULL) 3131 goto err; 3132 3133 if ((ret->client_ca_names = sk_X509_NAME_new_null()) == NULL) 3134 goto err; 3135 3136 if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL_CTX, ret, &ret->ex_data)) 3137 goto err; 3138 3139 if ((ret->ext.secure = OPENSSL_secure_zalloc(sizeof(*ret->ext.secure))) == NULL) 3140 goto err; 3141 3142 /* No compression for DTLS */ 3143 if (!(meth->ssl3_enc->enc_flags & SSL_ENC_FLAG_DTLS)) 3144 ret->comp_methods = SSL_COMP_get_compression_methods(); 3145 3146 ret->max_send_fragment = SSL3_RT_MAX_PLAIN_LENGTH; 3147 ret->split_send_fragment = SSL3_RT_MAX_PLAIN_LENGTH; 3148 3149 /* Setup RFC5077 ticket keys */ 3150 if ((RAND_bytes(ret->ext.tick_key_name, 3151 sizeof(ret->ext.tick_key_name)) <= 0) 3152 || (RAND_priv_bytes(ret->ext.secure->tick_hmac_key, 3153 sizeof(ret->ext.secure->tick_hmac_key)) <= 0) 3154 || (RAND_priv_bytes(ret->ext.secure->tick_aes_key, 3155 sizeof(ret->ext.secure->tick_aes_key)) <= 0)) 3156 ret->options |= SSL_OP_NO_TICKET; 3157 3158 if (RAND_priv_bytes(ret->ext.cookie_hmac_key, 3159 sizeof(ret->ext.cookie_hmac_key)) <= 0) 3160 goto err; 3161 3162 #ifndef OPENSSL_NO_SRP 3163 if (!SSL_CTX_SRP_CTX_init(ret)) 3164 goto err; 3165 #endif 3166 #ifndef OPENSSL_NO_ENGINE 3167 # ifdef OPENSSL_SSL_CLIENT_ENGINE_AUTO 3168 # define eng_strx(x) #x 3169 # define eng_str(x) eng_strx(x) 3170 /* Use specific client engine automatically... ignore errors */ 3171 { 3172 ENGINE *eng; 3173 eng = ENGINE_by_id(eng_str(OPENSSL_SSL_CLIENT_ENGINE_AUTO)); 3174 if (!eng) { 3175 ERR_clear_error(); 3176 ENGINE_load_builtin_engines(); 3177 eng = ENGINE_by_id(eng_str(OPENSSL_SSL_CLIENT_ENGINE_AUTO)); 3178 } 3179 if (!eng || !SSL_CTX_set_client_cert_engine(ret, eng)) 3180 ERR_clear_error(); 3181 } 3182 # endif 3183 #endif 3184 /* 3185 * Default is to connect to non-RI servers. When RI is more widely 3186 * deployed might change this. 3187 */ 3188 ret->options |= SSL_OP_LEGACY_SERVER_CONNECT; 3189 /* 3190 * Disable compression by default to prevent CRIME. Applications can 3191 * re-enable compression by configuring 3192 * SSL_CTX_clear_options(ctx, SSL_OP_NO_COMPRESSION); 3193 * or by using the SSL_CONF library. Similarly we also enable TLSv1.3 3194 * middlebox compatibility by default. This may be disabled by default in 3195 * a later OpenSSL version. 3196 */ 3197 ret->options |= SSL_OP_NO_COMPRESSION | SSL_OP_ENABLE_MIDDLEBOX_COMPAT; 3198 3199 ret->ext.status_type = TLSEXT_STATUSTYPE_nothing; 3200 3201 /* 3202 * We cannot usefully set a default max_early_data here (which gets 3203 * propagated in SSL_new(), for the following reason: setting the 3204 * SSL field causes tls_construct_stoc_early_data() to tell the 3205 * client that early data will be accepted when constructing a TLS 1.3 3206 * session ticket, and the client will accordingly send us early data 3207 * when using that ticket (if the client has early data to send). 3208 * However, in order for the early data to actually be consumed by 3209 * the application, the application must also have calls to 3210 * SSL_read_early_data(); otherwise we'll just skip past the early data 3211 * and ignore it. So, since the application must add calls to 3212 * SSL_read_early_data(), we also require them to add 3213 * calls to SSL_CTX_set_max_early_data() in order to use early data, 3214 * eliminating the bandwidth-wasting early data in the case described 3215 * above. 3216 */ 3217 ret->max_early_data = 0; 3218 3219 /* 3220 * Default recv_max_early_data is a fully loaded single record. Could be 3221 * split across multiple records in practice. We set this differently to 3222 * max_early_data so that, in the default case, we do not advertise any 3223 * support for early_data, but if a client were to send us some (e.g. 3224 * because of an old, stale ticket) then we will tolerate it and skip over 3225 * it. 3226 */ 3227 ret->recv_max_early_data = SSL3_RT_MAX_PLAIN_LENGTH; 3228 3229 /* By default we send two session tickets automatically in TLSv1.3 */ 3230 ret->num_tickets = 2; 3231 3232 ssl_ctx_system_config(ret); 3233 3234 return ret; 3235 err: 3236 SSLerr(SSL_F_SSL_CTX_NEW, ERR_R_MALLOC_FAILURE); 3237 err2: 3238 SSL_CTX_free(ret); 3239 return NULL; 3240 } 3241 3242 int SSL_CTX_up_ref(SSL_CTX *ctx) 3243 { 3244 int i; 3245 3246 if (CRYPTO_UP_REF(&ctx->references, &i, ctx->lock) <= 0) 3247 return 0; 3248 3249 REF_PRINT_COUNT("SSL_CTX", ctx); 3250 REF_ASSERT_ISNT(i < 2); 3251 return ((i > 1) ? 1 : 0); 3252 } 3253 3254 void SSL_CTX_free(SSL_CTX *a) 3255 { 3256 int i; 3257 3258 if (a == NULL) 3259 return; 3260 3261 CRYPTO_DOWN_REF(&a->references, &i, a->lock); 3262 REF_PRINT_COUNT("SSL_CTX", a); 3263 if (i > 0) 3264 return; 3265 REF_ASSERT_ISNT(i < 0); 3266 3267 X509_VERIFY_PARAM_free(a->param); 3268 dane_ctx_final(&a->dane); 3269 3270 /* 3271 * Free internal session cache. However: the remove_cb() may reference 3272 * the ex_data of SSL_CTX, thus the ex_data store can only be removed 3273 * after the sessions were flushed. 3274 * As the ex_data handling routines might also touch the session cache, 3275 * the most secure solution seems to be: empty (flush) the cache, then 3276 * free ex_data, then finally free the cache. 3277 * (See ticket [openssl.org #212].) 3278 */ 3279 if (a->sessions != NULL) 3280 SSL_CTX_flush_sessions(a, 0); 3281 3282 CRYPTO_free_ex_data(CRYPTO_EX_INDEX_SSL_CTX, a, &a->ex_data); 3283 lh_SSL_SESSION_free(a->sessions); 3284 X509_STORE_free(a->cert_store); 3285 #ifndef OPENSSL_NO_CT 3286 CTLOG_STORE_free(a->ctlog_store); 3287 #endif 3288 sk_SSL_CIPHER_free(a->cipher_list); 3289 sk_SSL_CIPHER_free(a->cipher_list_by_id); 3290 sk_SSL_CIPHER_free(a->tls13_ciphersuites); 3291 ssl_cert_free(a->cert); 3292 sk_X509_NAME_pop_free(a->ca_names, X509_NAME_free); 3293 sk_X509_NAME_pop_free(a->client_ca_names, X509_NAME_free); 3294 sk_X509_pop_free(a->extra_certs, X509_free); 3295 a->comp_methods = NULL; 3296 #ifndef OPENSSL_NO_SRTP 3297 sk_SRTP_PROTECTION_PROFILE_free(a->srtp_profiles); 3298 #endif 3299 #ifndef OPENSSL_NO_SRP 3300 SSL_CTX_SRP_CTX_free(a); 3301 #endif 3302 #ifndef OPENSSL_NO_ENGINE 3303 ENGINE_finish(a->client_cert_engine); 3304 #endif 3305 3306 #ifndef OPENSSL_NO_EC 3307 OPENSSL_free(a->ext.ecpointformats); 3308 OPENSSL_free(a->ext.supportedgroups); 3309 #endif 3310 OPENSSL_free(a->ext.alpn); 3311 OPENSSL_secure_free(a->ext.secure); 3312 3313 CRYPTO_THREAD_lock_free(a->lock); 3314 3315 OPENSSL_free(a); 3316 } 3317 3318 void SSL_CTX_set_default_passwd_cb(SSL_CTX *ctx, pem_password_cb *cb) 3319 { 3320 ctx->default_passwd_callback = cb; 3321 } 3322 3323 void SSL_CTX_set_default_passwd_cb_userdata(SSL_CTX *ctx, void *u) 3324 { 3325 ctx->default_passwd_callback_userdata = u; 3326 } 3327 3328 pem_password_cb *SSL_CTX_get_default_passwd_cb(SSL_CTX *ctx) 3329 { 3330 return ctx->default_passwd_callback; 3331 } 3332 3333 void *SSL_CTX_get_default_passwd_cb_userdata(SSL_CTX *ctx) 3334 { 3335 return ctx->default_passwd_callback_userdata; 3336 } 3337 3338 void SSL_set_default_passwd_cb(SSL *s, pem_password_cb *cb) 3339 { 3340 s->default_passwd_callback = cb; 3341 } 3342 3343 void SSL_set_default_passwd_cb_userdata(SSL *s, void *u) 3344 { 3345 s->default_passwd_callback_userdata = u; 3346 } 3347 3348 pem_password_cb *SSL_get_default_passwd_cb(SSL *s) 3349 { 3350 return s->default_passwd_callback; 3351 } 3352 3353 void *SSL_get_default_passwd_cb_userdata(SSL *s) 3354 { 3355 return s->default_passwd_callback_userdata; 3356 } 3357 3358 void SSL_CTX_set_cert_verify_callback(SSL_CTX *ctx, 3359 int (*cb) (X509_STORE_CTX *, void *), 3360 void *arg) 3361 { 3362 ctx->app_verify_callback = cb; 3363 ctx->app_verify_arg = arg; 3364 } 3365 3366 void SSL_CTX_set_verify(SSL_CTX *ctx, int mode, 3367 int (*cb) (int, X509_STORE_CTX *)) 3368 { 3369 ctx->verify_mode = mode; 3370 ctx->default_verify_callback = cb; 3371 } 3372 3373 void SSL_CTX_set_verify_depth(SSL_CTX *ctx, int depth) 3374 { 3375 X509_VERIFY_PARAM_set_depth(ctx->param, depth); 3376 } 3377 3378 void SSL_CTX_set_cert_cb(SSL_CTX *c, int (*cb) (SSL *ssl, void *arg), void *arg) 3379 { 3380 ssl_cert_set_cert_cb(c->cert, cb, arg); 3381 } 3382 3383 void SSL_set_cert_cb(SSL *s, int (*cb) (SSL *ssl, void *arg), void *arg) 3384 { 3385 ssl_cert_set_cert_cb(s->cert, cb, arg); 3386 } 3387 3388 void ssl_set_masks(SSL *s) 3389 { 3390 CERT *c = s->cert; 3391 uint32_t *pvalid = s->s3->tmp.valid_flags; 3392 int rsa_enc, rsa_sign, dh_tmp, dsa_sign; 3393 unsigned long mask_k, mask_a; 3394 #ifndef OPENSSL_NO_EC 3395 int have_ecc_cert, ecdsa_ok; 3396 #endif 3397 if (c == NULL) 3398 return; 3399 3400 #ifndef OPENSSL_NO_DH 3401 dh_tmp = (c->dh_tmp != NULL || c->dh_tmp_cb != NULL || c->dh_tmp_auto); 3402 #else 3403 dh_tmp = 0; 3404 #endif 3405 3406 rsa_enc = pvalid[SSL_PKEY_RSA] & CERT_PKEY_VALID; 3407 rsa_sign = pvalid[SSL_PKEY_RSA] & CERT_PKEY_VALID; 3408 dsa_sign = pvalid[SSL_PKEY_DSA_SIGN] & CERT_PKEY_VALID; 3409 #ifndef OPENSSL_NO_EC 3410 have_ecc_cert = pvalid[SSL_PKEY_ECC] & CERT_PKEY_VALID; 3411 #endif 3412 mask_k = 0; 3413 mask_a = 0; 3414 3415 #ifdef CIPHER_DEBUG 3416 fprintf(stderr, "dht=%d re=%d rs=%d ds=%d\n", 3417 dh_tmp, rsa_enc, rsa_sign, dsa_sign); 3418 #endif 3419 3420 #ifndef OPENSSL_NO_GOST 3421 if (ssl_has_cert(s, SSL_PKEY_GOST12_512)) { 3422 mask_k |= SSL_kGOST; 3423 mask_a |= SSL_aGOST12; 3424 } 3425 if (ssl_has_cert(s, SSL_PKEY_GOST12_256)) { 3426 mask_k |= SSL_kGOST; 3427 mask_a |= SSL_aGOST12; 3428 } 3429 if (ssl_has_cert(s, SSL_PKEY_GOST01)) { 3430 mask_k |= SSL_kGOST; 3431 mask_a |= SSL_aGOST01; 3432 } 3433 #endif 3434 3435 if (rsa_enc) 3436 mask_k |= SSL_kRSA; 3437 3438 if (dh_tmp) 3439 mask_k |= SSL_kDHE; 3440 3441 /* 3442 * If we only have an RSA-PSS certificate allow RSA authentication 3443 * if TLS 1.2 and peer supports it. 3444 */ 3445 3446 if (rsa_enc || rsa_sign || (ssl_has_cert(s, SSL_PKEY_RSA_PSS_SIGN) 3447 && pvalid[SSL_PKEY_RSA_PSS_SIGN] & CERT_PKEY_EXPLICIT_SIGN 3448 && TLS1_get_version(s) == TLS1_2_VERSION)) 3449 mask_a |= SSL_aRSA; 3450 3451 if (dsa_sign) { 3452 mask_a |= SSL_aDSS; 3453 } 3454 3455 mask_a |= SSL_aNULL; 3456 3457 /* 3458 * An ECC certificate may be usable for ECDH and/or ECDSA cipher suites 3459 * depending on the key usage extension. 3460 */ 3461 #ifndef OPENSSL_NO_EC 3462 if (have_ecc_cert) { 3463 uint32_t ex_kusage; 3464 ex_kusage = X509_get_key_usage(c->pkeys[SSL_PKEY_ECC].x509); 3465 ecdsa_ok = ex_kusage & X509v3_KU_DIGITAL_SIGNATURE; 3466 if (!(pvalid[SSL_PKEY_ECC] & CERT_PKEY_SIGN)) 3467 ecdsa_ok = 0; 3468 if (ecdsa_ok) 3469 mask_a |= SSL_aECDSA; 3470 } 3471 /* Allow Ed25519 for TLS 1.2 if peer supports it */ 3472 if (!(mask_a & SSL_aECDSA) && ssl_has_cert(s, SSL_PKEY_ED25519) 3473 && pvalid[SSL_PKEY_ED25519] & CERT_PKEY_EXPLICIT_SIGN 3474 && TLS1_get_version(s) == TLS1_2_VERSION) 3475 mask_a |= SSL_aECDSA; 3476 3477 /* Allow Ed448 for TLS 1.2 if peer supports it */ 3478 if (!(mask_a & SSL_aECDSA) && ssl_has_cert(s, SSL_PKEY_ED448) 3479 && pvalid[SSL_PKEY_ED448] & CERT_PKEY_EXPLICIT_SIGN 3480 && TLS1_get_version(s) == TLS1_2_VERSION) 3481 mask_a |= SSL_aECDSA; 3482 #endif 3483 3484 #ifndef OPENSSL_NO_EC 3485 mask_k |= SSL_kECDHE; 3486 #endif 3487 3488 #ifndef OPENSSL_NO_PSK 3489 mask_k |= SSL_kPSK; 3490 mask_a |= SSL_aPSK; 3491 if (mask_k & SSL_kRSA) 3492 mask_k |= SSL_kRSAPSK; 3493 if (mask_k & SSL_kDHE) 3494 mask_k |= SSL_kDHEPSK; 3495 if (mask_k & SSL_kECDHE) 3496 mask_k |= SSL_kECDHEPSK; 3497 #endif 3498 3499 s->s3->tmp.mask_k = mask_k; 3500 s->s3->tmp.mask_a = mask_a; 3501 } 3502 3503 #ifndef OPENSSL_NO_EC 3504 3505 int ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s) 3506 { 3507 if (s->s3->tmp.new_cipher->algorithm_auth & SSL_aECDSA) { 3508 /* key usage, if present, must allow signing */ 3509 if (!(X509_get_key_usage(x) & X509v3_KU_DIGITAL_SIGNATURE)) { 3510 SSLerr(SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG, 3511 SSL_R_ECC_CERT_NOT_FOR_SIGNING); 3512 return 0; 3513 } 3514 } 3515 return 1; /* all checks are ok */ 3516 } 3517 3518 #endif 3519 3520 int ssl_get_server_cert_serverinfo(SSL *s, const unsigned char **serverinfo, 3521 size_t *serverinfo_length) 3522 { 3523 CERT_PKEY *cpk = s->s3->tmp.cert; 3524 *serverinfo_length = 0; 3525 3526 if (cpk == NULL || cpk->serverinfo == NULL) 3527 return 0; 3528 3529 *serverinfo = cpk->serverinfo; 3530 *serverinfo_length = cpk->serverinfo_length; 3531 return 1; 3532 } 3533 3534 void ssl_update_cache(SSL *s, int mode) 3535 { 3536 int i; 3537 3538 /* 3539 * If the session_id_length is 0, we are not supposed to cache it, and it 3540 * would be rather hard to do anyway :-) 3541 */ 3542 if (s->session->session_id_length == 0) 3543 return; 3544 3545 /* 3546 * If sid_ctx_length is 0 there is no specific application context 3547 * associated with this session, so when we try to resume it and 3548 * SSL_VERIFY_PEER is requested to verify the client identity, we have no 3549 * indication that this is actually a session for the proper application 3550 * context, and the *handshake* will fail, not just the resumption attempt. 3551 * Do not cache (on the server) these sessions that are not resumable 3552 * (clients can set SSL_VERIFY_PEER without needing a sid_ctx set). 3553 */ 3554 if (s->server && s->session->sid_ctx_length == 0 3555 && (s->verify_mode & SSL_VERIFY_PEER) != 0) 3556 return; 3557 3558 i = s->session_ctx->session_cache_mode; 3559 if ((i & mode) != 0 3560 && (!s->hit || SSL_IS_TLS13(s))) { 3561 /* 3562 * Add the session to the internal cache. In server side TLSv1.3 we 3563 * normally don't do this because by default it's a full stateless ticket 3564 * with only a dummy session id so there is no reason to cache it, 3565 * unless: 3566 * - we are doing early_data, in which case we cache so that we can 3567 * detect replays 3568 * - the application has set a remove_session_cb so needs to know about 3569 * session timeout events 3570 * - SSL_OP_NO_TICKET is set in which case it is a stateful ticket 3571 */ 3572 if ((i & SSL_SESS_CACHE_NO_INTERNAL_STORE) == 0 3573 && (!SSL_IS_TLS13(s) 3574 || !s->server 3575 || (s->max_early_data > 0 3576 && (s->options & SSL_OP_NO_ANTI_REPLAY) == 0) 3577 || s->session_ctx->remove_session_cb != NULL 3578 || (s->options & SSL_OP_NO_TICKET) != 0)) 3579 SSL_CTX_add_session(s->session_ctx, s->session); 3580 3581 /* 3582 * Add the session to the external cache. We do this even in server side 3583 * TLSv1.3 without early data because some applications just want to 3584 * know about the creation of a session and aren't doing a full cache. 3585 */ 3586 if (s->session_ctx->new_session_cb != NULL) { 3587 SSL_SESSION_up_ref(s->session); 3588 if (!s->session_ctx->new_session_cb(s, s->session)) 3589 SSL_SESSION_free(s->session); 3590 } 3591 } 3592 3593 /* auto flush every 255 connections */ 3594 if ((!(i & SSL_SESS_CACHE_NO_AUTO_CLEAR)) && ((i & mode) == mode)) { 3595 TSAN_QUALIFIER int *stat; 3596 if (mode & SSL_SESS_CACHE_CLIENT) 3597 stat = &s->session_ctx->stats.sess_connect_good; 3598 else 3599 stat = &s->session_ctx->stats.sess_accept_good; 3600 if ((tsan_load(stat) & 0xff) == 0xff) 3601 SSL_CTX_flush_sessions(s->session_ctx, (unsigned long)time(NULL)); 3602 } 3603 } 3604 3605 const SSL_METHOD *SSL_CTX_get_ssl_method(const SSL_CTX *ctx) 3606 { 3607 return ctx->method; 3608 } 3609 3610 const SSL_METHOD *SSL_get_ssl_method(const SSL *s) 3611 { 3612 return s->method; 3613 } 3614 3615 int SSL_set_ssl_method(SSL *s, const SSL_METHOD *meth) 3616 { 3617 int ret = 1; 3618 3619 if (s->method != meth) { 3620 const SSL_METHOD *sm = s->method; 3621 int (*hf) (SSL *) = s->handshake_func; 3622 3623 if (sm->version == meth->version) 3624 s->method = meth; 3625 else { 3626 sm->ssl_free(s); 3627 s->method = meth; 3628 ret = s->method->ssl_new(s); 3629 } 3630 3631 if (hf == sm->ssl_connect) 3632 s->handshake_func = meth->ssl_connect; 3633 else if (hf == sm->ssl_accept) 3634 s->handshake_func = meth->ssl_accept; 3635 } 3636 return ret; 3637 } 3638 3639 int SSL_get_error(const SSL *s, int i) 3640 { 3641 int reason; 3642 unsigned long l; 3643 BIO *bio; 3644 3645 if (i > 0) 3646 return SSL_ERROR_NONE; 3647 3648 /* 3649 * Make things return SSL_ERROR_SYSCALL when doing SSL_do_handshake etc, 3650 * where we do encode the error 3651 */ 3652 if ((l = ERR_peek_error()) != 0) { 3653 if (ERR_GET_LIB(l) == ERR_LIB_SYS) 3654 return SSL_ERROR_SYSCALL; 3655 else 3656 return SSL_ERROR_SSL; 3657 } 3658 3659 if (SSL_want_read(s)) { 3660 bio = SSL_get_rbio(s); 3661 if (BIO_should_read(bio)) 3662 return SSL_ERROR_WANT_READ; 3663 else if (BIO_should_write(bio)) 3664 /* 3665 * This one doesn't make too much sense ... We never try to write 3666 * to the rbio, and an application program where rbio and wbio 3667 * are separate couldn't even know what it should wait for. 3668 * However if we ever set s->rwstate incorrectly (so that we have 3669 * SSL_want_read(s) instead of SSL_want_write(s)) and rbio and 3670 * wbio *are* the same, this test works around that bug; so it 3671 * might be safer to keep it. 3672 */ 3673 return SSL_ERROR_WANT_WRITE; 3674 else if (BIO_should_io_special(bio)) { 3675 reason = BIO_get_retry_reason(bio); 3676 if (reason == BIO_RR_CONNECT) 3677 return SSL_ERROR_WANT_CONNECT; 3678 else if (reason == BIO_RR_ACCEPT) 3679 return SSL_ERROR_WANT_ACCEPT; 3680 else 3681 return SSL_ERROR_SYSCALL; /* unknown */ 3682 } 3683 } 3684 3685 if (SSL_want_write(s)) { 3686 /* Access wbio directly - in order to use the buffered bio if present */ 3687 bio = s->wbio; 3688 if (BIO_should_write(bio)) 3689 return SSL_ERROR_WANT_WRITE; 3690 else if (BIO_should_read(bio)) 3691 /* 3692 * See above (SSL_want_read(s) with BIO_should_write(bio)) 3693 */ 3694 return SSL_ERROR_WANT_READ; 3695 else if (BIO_should_io_special(bio)) { 3696 reason = BIO_get_retry_reason(bio); 3697 if (reason == BIO_RR_CONNECT) 3698 return SSL_ERROR_WANT_CONNECT; 3699 else if (reason == BIO_RR_ACCEPT) 3700 return SSL_ERROR_WANT_ACCEPT; 3701 else 3702 return SSL_ERROR_SYSCALL; 3703 } 3704 } 3705 if (SSL_want_x509_lookup(s)) 3706 return SSL_ERROR_WANT_X509_LOOKUP; 3707 if (SSL_want_async(s)) 3708 return SSL_ERROR_WANT_ASYNC; 3709 if (SSL_want_async_job(s)) 3710 return SSL_ERROR_WANT_ASYNC_JOB; 3711 if (SSL_want_client_hello_cb(s)) 3712 return SSL_ERROR_WANT_CLIENT_HELLO_CB; 3713 3714 if ((s->shutdown & SSL_RECEIVED_SHUTDOWN) && 3715 (s->s3->warn_alert == SSL_AD_CLOSE_NOTIFY)) 3716 return SSL_ERROR_ZERO_RETURN; 3717 3718 return SSL_ERROR_SYSCALL; 3719 } 3720 3721 static int ssl_do_handshake_intern(void *vargs) 3722 { 3723 struct ssl_async_args *args; 3724 SSL *s; 3725 3726 args = (struct ssl_async_args *)vargs; 3727 s = args->s; 3728 3729 return s->handshake_func(s); 3730 } 3731 3732 int SSL_do_handshake(SSL *s) 3733 { 3734 int ret = 1; 3735 3736 if (s->handshake_func == NULL) { 3737 SSLerr(SSL_F_SSL_DO_HANDSHAKE, SSL_R_CONNECTION_TYPE_NOT_SET); 3738 return -1; 3739 } 3740 3741 ossl_statem_check_finish_init(s, -1); 3742 3743 s->method->ssl_renegotiate_check(s, 0); 3744 3745 if (SSL_in_init(s) || SSL_in_before(s)) { 3746 if ((s->mode & SSL_MODE_ASYNC) && ASYNC_get_current_job() == NULL) { 3747 struct ssl_async_args args; 3748 3749 args.s = s; 3750 3751 ret = ssl_start_async_job(s, &args, ssl_do_handshake_intern); 3752 } else { 3753 ret = s->handshake_func(s); 3754 } 3755 } 3756 return ret; 3757 } 3758 3759 void SSL_set_accept_state(SSL *s) 3760 { 3761 s->server = 1; 3762 s->shutdown = 0; 3763 ossl_statem_clear(s); 3764 s->handshake_func = s->method->ssl_accept; 3765 clear_ciphers(s); 3766 } 3767 3768 void SSL_set_connect_state(SSL *s) 3769 { 3770 s->server = 0; 3771 s->shutdown = 0; 3772 ossl_statem_clear(s); 3773 s->handshake_func = s->method->ssl_connect; 3774 clear_ciphers(s); 3775 } 3776 3777 int ssl_undefined_function(SSL *s) 3778 { 3779 SSLerr(SSL_F_SSL_UNDEFINED_FUNCTION, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 3780 return 0; 3781 } 3782 3783 int ssl_undefined_void_function(void) 3784 { 3785 SSLerr(SSL_F_SSL_UNDEFINED_VOID_FUNCTION, 3786 ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 3787 return 0; 3788 } 3789 3790 int ssl_undefined_const_function(const SSL *s) 3791 { 3792 return 0; 3793 } 3794 3795 const SSL_METHOD *ssl_bad_method(int ver) 3796 { 3797 SSLerr(SSL_F_SSL_BAD_METHOD, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 3798 return NULL; 3799 } 3800 3801 const char *ssl_protocol_to_string(int version) 3802 { 3803 switch(version) 3804 { 3805 case TLS1_3_VERSION: 3806 return "TLSv1.3"; 3807 3808 case TLS1_2_VERSION: 3809 return "TLSv1.2"; 3810 3811 case TLS1_1_VERSION: 3812 return "TLSv1.1"; 3813 3814 case TLS1_VERSION: 3815 return "TLSv1"; 3816 3817 case SSL3_VERSION: 3818 return "SSLv3"; 3819 3820 case DTLS1_BAD_VER: 3821 return "DTLSv0.9"; 3822 3823 case DTLS1_VERSION: 3824 return "DTLSv1"; 3825 3826 case DTLS1_2_VERSION: 3827 return "DTLSv1.2"; 3828 3829 default: 3830 return "unknown"; 3831 } 3832 } 3833 3834 const char *SSL_get_version(const SSL *s) 3835 { 3836 return ssl_protocol_to_string(s->version); 3837 } 3838 3839 static int dup_ca_names(STACK_OF(X509_NAME) **dst, STACK_OF(X509_NAME) *src) 3840 { 3841 STACK_OF(X509_NAME) *sk; 3842 X509_NAME *xn; 3843 int i; 3844 3845 if (src == NULL) { 3846 *dst = NULL; 3847 return 1; 3848 } 3849 3850 if ((sk = sk_X509_NAME_new_null()) == NULL) 3851 return 0; 3852 for (i = 0; i < sk_X509_NAME_num(src); i++) { 3853 xn = X509_NAME_dup(sk_X509_NAME_value(src, i)); 3854 if (xn == NULL) { 3855 sk_X509_NAME_pop_free(sk, X509_NAME_free); 3856 return 0; 3857 } 3858 if (sk_X509_NAME_insert(sk, xn, i) == 0) { 3859 X509_NAME_free(xn); 3860 sk_X509_NAME_pop_free(sk, X509_NAME_free); 3861 return 0; 3862 } 3863 } 3864 *dst = sk; 3865 3866 return 1; 3867 } 3868 3869 SSL *SSL_dup(SSL *s) 3870 { 3871 SSL *ret; 3872 int i; 3873 3874 /* If we're not quiescent, just up_ref! */ 3875 if (!SSL_in_init(s) || !SSL_in_before(s)) { 3876 CRYPTO_UP_REF(&s->references, &i, s->lock); 3877 return s; 3878 } 3879 3880 /* 3881 * Otherwise, copy configuration state, and session if set. 3882 */ 3883 if ((ret = SSL_new(SSL_get_SSL_CTX(s))) == NULL) 3884 return NULL; 3885 3886 if (s->session != NULL) { 3887 /* 3888 * Arranges to share the same session via up_ref. This "copies" 3889 * session-id, SSL_METHOD, sid_ctx, and 'cert' 3890 */ 3891 if (!SSL_copy_session_id(ret, s)) 3892 goto err; 3893 } else { 3894 /* 3895 * No session has been established yet, so we have to expect that 3896 * s->cert or ret->cert will be changed later -- they should not both 3897 * point to the same object, and thus we can't use 3898 * SSL_copy_session_id. 3899 */ 3900 if (!SSL_set_ssl_method(ret, s->method)) 3901 goto err; 3902 3903 if (s->cert != NULL) { 3904 ssl_cert_free(ret->cert); 3905 ret->cert = ssl_cert_dup(s->cert); 3906 if (ret->cert == NULL) 3907 goto err; 3908 } 3909 3910 if (!SSL_set_session_id_context(ret, s->sid_ctx, 3911 (int)s->sid_ctx_length)) 3912 goto err; 3913 } 3914 3915 if (!ssl_dane_dup(ret, s)) 3916 goto err; 3917 ret->version = s->version; 3918 ret->options = s->options; 3919 ret->min_proto_version = s->min_proto_version; 3920 ret->max_proto_version = s->max_proto_version; 3921 ret->mode = s->mode; 3922 SSL_set_max_cert_list(ret, SSL_get_max_cert_list(s)); 3923 SSL_set_read_ahead(ret, SSL_get_read_ahead(s)); 3924 ret->msg_callback = s->msg_callback; 3925 ret->msg_callback_arg = s->msg_callback_arg; 3926 SSL_set_verify(ret, SSL_get_verify_mode(s), SSL_get_verify_callback(s)); 3927 SSL_set_verify_depth(ret, SSL_get_verify_depth(s)); 3928 ret->generate_session_id = s->generate_session_id; 3929 3930 SSL_set_info_callback(ret, SSL_get_info_callback(s)); 3931 3932 /* copy app data, a little dangerous perhaps */ 3933 if (!CRYPTO_dup_ex_data(CRYPTO_EX_INDEX_SSL, &ret->ex_data, &s->ex_data)) 3934 goto err; 3935 3936 ret->server = s->server; 3937 if (s->handshake_func) { 3938 if (s->server) 3939 SSL_set_accept_state(ret); 3940 else 3941 SSL_set_connect_state(ret); 3942 } 3943 ret->shutdown = s->shutdown; 3944 ret->hit = s->hit; 3945 3946 ret->default_passwd_callback = s->default_passwd_callback; 3947 ret->default_passwd_callback_userdata = s->default_passwd_callback_userdata; 3948 3949 X509_VERIFY_PARAM_inherit(ret->param, s->param); 3950 3951 /* dup the cipher_list and cipher_list_by_id stacks */ 3952 if (s->cipher_list != NULL) { 3953 if ((ret->cipher_list = sk_SSL_CIPHER_dup(s->cipher_list)) == NULL) 3954 goto err; 3955 } 3956 if (s->cipher_list_by_id != NULL) 3957 if ((ret->cipher_list_by_id = sk_SSL_CIPHER_dup(s->cipher_list_by_id)) 3958 == NULL) 3959 goto err; 3960 3961 /* Dup the client_CA list */ 3962 if (!dup_ca_names(&ret->ca_names, s->ca_names) 3963 || !dup_ca_names(&ret->client_ca_names, s->client_ca_names)) 3964 goto err; 3965 3966 return ret; 3967 3968 err: 3969 SSL_free(ret); 3970 return NULL; 3971 } 3972 3973 void ssl_clear_cipher_ctx(SSL *s) 3974 { 3975 if (s->enc_read_ctx != NULL) { 3976 EVP_CIPHER_CTX_free(s->enc_read_ctx); 3977 s->enc_read_ctx = NULL; 3978 } 3979 if (s->enc_write_ctx != NULL) { 3980 EVP_CIPHER_CTX_free(s->enc_write_ctx); 3981 s->enc_write_ctx = NULL; 3982 } 3983 #ifndef OPENSSL_NO_COMP 3984 COMP_CTX_free(s->expand); 3985 s->expand = NULL; 3986 COMP_CTX_free(s->compress); 3987 s->compress = NULL; 3988 #endif 3989 } 3990 3991 X509 *SSL_get_certificate(const SSL *s) 3992 { 3993 if (s->cert != NULL) 3994 return s->cert->key->x509; 3995 else 3996 return NULL; 3997 } 3998 3999 EVP_PKEY *SSL_get_privatekey(const SSL *s) 4000 { 4001 if (s->cert != NULL) 4002 return s->cert->key->privatekey; 4003 else 4004 return NULL; 4005 } 4006 4007 X509 *SSL_CTX_get0_certificate(const SSL_CTX *ctx) 4008 { 4009 if (ctx->cert != NULL) 4010 return ctx->cert->key->x509; 4011 else 4012 return NULL; 4013 } 4014 4015 EVP_PKEY *SSL_CTX_get0_privatekey(const SSL_CTX *ctx) 4016 { 4017 if (ctx->cert != NULL) 4018 return ctx->cert->key->privatekey; 4019 else 4020 return NULL; 4021 } 4022 4023 const SSL_CIPHER *SSL_get_current_cipher(const SSL *s) 4024 { 4025 if ((s->session != NULL) && (s->session->cipher != NULL)) 4026 return s->session->cipher; 4027 return NULL; 4028 } 4029 4030 const SSL_CIPHER *SSL_get_pending_cipher(const SSL *s) 4031 { 4032 return s->s3->tmp.new_cipher; 4033 } 4034 4035 const COMP_METHOD *SSL_get_current_compression(const SSL *s) 4036 { 4037 #ifndef OPENSSL_NO_COMP 4038 return s->compress ? COMP_CTX_get_method(s->compress) : NULL; 4039 #else 4040 return NULL; 4041 #endif 4042 } 4043 4044 const COMP_METHOD *SSL_get_current_expansion(const SSL *s) 4045 { 4046 #ifndef OPENSSL_NO_COMP 4047 return s->expand ? COMP_CTX_get_method(s->expand) : NULL; 4048 #else 4049 return NULL; 4050 #endif 4051 } 4052 4053 int ssl_init_wbio_buffer(SSL *s) 4054 { 4055 BIO *bbio; 4056 4057 if (s->bbio != NULL) { 4058 /* Already buffered. */ 4059 return 1; 4060 } 4061 4062 bbio = BIO_new(BIO_f_buffer()); 4063 if (bbio == NULL || !BIO_set_read_buffer_size(bbio, 1)) { 4064 BIO_free(bbio); 4065 SSLerr(SSL_F_SSL_INIT_WBIO_BUFFER, ERR_R_BUF_LIB); 4066 return 0; 4067 } 4068 s->bbio = bbio; 4069 s->wbio = BIO_push(bbio, s->wbio); 4070 4071 return 1; 4072 } 4073 4074 int ssl_free_wbio_buffer(SSL *s) 4075 { 4076 /* callers ensure s is never null */ 4077 if (s->bbio == NULL) 4078 return 1; 4079 4080 s->wbio = BIO_pop(s->wbio); 4081 BIO_free(s->bbio); 4082 s->bbio = NULL; 4083 4084 return 1; 4085 } 4086 4087 void SSL_CTX_set_quiet_shutdown(SSL_CTX *ctx, int mode) 4088 { 4089 ctx->quiet_shutdown = mode; 4090 } 4091 4092 int SSL_CTX_get_quiet_shutdown(const SSL_CTX *ctx) 4093 { 4094 return ctx->quiet_shutdown; 4095 } 4096 4097 void SSL_set_quiet_shutdown(SSL *s, int mode) 4098 { 4099 s->quiet_shutdown = mode; 4100 } 4101 4102 int SSL_get_quiet_shutdown(const SSL *s) 4103 { 4104 return s->quiet_shutdown; 4105 } 4106 4107 void SSL_set_shutdown(SSL *s, int mode) 4108 { 4109 s->shutdown = mode; 4110 } 4111 4112 int SSL_get_shutdown(const SSL *s) 4113 { 4114 return s->shutdown; 4115 } 4116 4117 int SSL_version(const SSL *s) 4118 { 4119 return s->version; 4120 } 4121 4122 int SSL_client_version(const SSL *s) 4123 { 4124 return s->client_version; 4125 } 4126 4127 SSL_CTX *SSL_get_SSL_CTX(const SSL *ssl) 4128 { 4129 return ssl->ctx; 4130 } 4131 4132 SSL_CTX *SSL_set_SSL_CTX(SSL *ssl, SSL_CTX *ctx) 4133 { 4134 CERT *new_cert; 4135 if (ssl->ctx == ctx) 4136 return ssl->ctx; 4137 if (ctx == NULL) 4138 ctx = ssl->session_ctx; 4139 new_cert = ssl_cert_dup(ctx->cert); 4140 if (new_cert == NULL) { 4141 return NULL; 4142 } 4143 4144 if (!custom_exts_copy_flags(&new_cert->custext, &ssl->cert->custext)) { 4145 ssl_cert_free(new_cert); 4146 return NULL; 4147 } 4148 4149 ssl_cert_free(ssl->cert); 4150 ssl->cert = new_cert; 4151 4152 /* 4153 * Program invariant: |sid_ctx| has fixed size (SSL_MAX_SID_CTX_LENGTH), 4154 * so setter APIs must prevent invalid lengths from entering the system. 4155 */ 4156 if (!ossl_assert(ssl->sid_ctx_length <= sizeof(ssl->sid_ctx))) 4157 return NULL; 4158 4159 /* 4160 * If the session ID context matches that of the parent SSL_CTX, 4161 * inherit it from the new SSL_CTX as well. If however the context does 4162 * not match (i.e., it was set per-ssl with SSL_set_session_id_context), 4163 * leave it unchanged. 4164 */ 4165 if ((ssl->ctx != NULL) && 4166 (ssl->sid_ctx_length == ssl->ctx->sid_ctx_length) && 4167 (memcmp(ssl->sid_ctx, ssl->ctx->sid_ctx, ssl->sid_ctx_length) == 0)) { 4168 ssl->sid_ctx_length = ctx->sid_ctx_length; 4169 memcpy(&ssl->sid_ctx, &ctx->sid_ctx, sizeof(ssl->sid_ctx)); 4170 } 4171 4172 SSL_CTX_up_ref(ctx); 4173 SSL_CTX_free(ssl->ctx); /* decrement reference count */ 4174 ssl->ctx = ctx; 4175 4176 return ssl->ctx; 4177 } 4178 4179 int SSL_CTX_set_default_verify_paths(SSL_CTX *ctx) 4180 { 4181 return X509_STORE_set_default_paths(ctx->cert_store); 4182 } 4183 4184 int SSL_CTX_set_default_verify_dir(SSL_CTX *ctx) 4185 { 4186 X509_LOOKUP *lookup; 4187 4188 lookup = X509_STORE_add_lookup(ctx->cert_store, X509_LOOKUP_hash_dir()); 4189 if (lookup == NULL) 4190 return 0; 4191 X509_LOOKUP_add_dir(lookup, NULL, X509_FILETYPE_DEFAULT); 4192 4193 /* Clear any errors if the default directory does not exist */ 4194 ERR_clear_error(); 4195 4196 return 1; 4197 } 4198 4199 int SSL_CTX_set_default_verify_file(SSL_CTX *ctx) 4200 { 4201 X509_LOOKUP *lookup; 4202 4203 lookup = X509_STORE_add_lookup(ctx->cert_store, X509_LOOKUP_file()); 4204 if (lookup == NULL) 4205 return 0; 4206 4207 X509_LOOKUP_load_file(lookup, NULL, X509_FILETYPE_DEFAULT); 4208 4209 /* Clear any errors if the default file does not exist */ 4210 ERR_clear_error(); 4211 4212 return 1; 4213 } 4214 4215 int SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile, 4216 const char *CApath) 4217 { 4218 return X509_STORE_load_locations(ctx->cert_store, CAfile, CApath); 4219 } 4220 4221 void SSL_set_info_callback(SSL *ssl, 4222 void (*cb) (const SSL *ssl, int type, int val)) 4223 { 4224 ssl->info_callback = cb; 4225 } 4226 4227 /* 4228 * One compiler (Diab DCC) doesn't like argument names in returned function 4229 * pointer. 4230 */ 4231 void (*SSL_get_info_callback(const SSL *ssl)) (const SSL * /* ssl */ , 4232 int /* type */ , 4233 int /* val */ ) { 4234 return ssl->info_callback; 4235 } 4236 4237 void SSL_set_verify_result(SSL *ssl, long arg) 4238 { 4239 ssl->verify_result = arg; 4240 } 4241 4242 long SSL_get_verify_result(const SSL *ssl) 4243 { 4244 return ssl->verify_result; 4245 } 4246 4247 size_t SSL_get_client_random(const SSL *ssl, unsigned char *out, size_t outlen) 4248 { 4249 if (outlen == 0) 4250 return sizeof(ssl->s3->client_random); 4251 if (outlen > sizeof(ssl->s3->client_random)) 4252 outlen = sizeof(ssl->s3->client_random); 4253 memcpy(out, ssl->s3->client_random, outlen); 4254 return outlen; 4255 } 4256 4257 size_t SSL_get_server_random(const SSL *ssl, unsigned char *out, size_t outlen) 4258 { 4259 if (outlen == 0) 4260 return sizeof(ssl->s3->server_random); 4261 if (outlen > sizeof(ssl->s3->server_random)) 4262 outlen = sizeof(ssl->s3->server_random); 4263 memcpy(out, ssl->s3->server_random, outlen); 4264 return outlen; 4265 } 4266 4267 size_t SSL_SESSION_get_master_key(const SSL_SESSION *session, 4268 unsigned char *out, size_t outlen) 4269 { 4270 if (outlen == 0) 4271 return session->master_key_length; 4272 if (outlen > session->master_key_length) 4273 outlen = session->master_key_length; 4274 memcpy(out, session->master_key, outlen); 4275 return outlen; 4276 } 4277 4278 int SSL_SESSION_set1_master_key(SSL_SESSION *sess, const unsigned char *in, 4279 size_t len) 4280 { 4281 if (len > sizeof(sess->master_key)) 4282 return 0; 4283 4284 memcpy(sess->master_key, in, len); 4285 sess->master_key_length = len; 4286 return 1; 4287 } 4288 4289 4290 int SSL_set_ex_data(SSL *s, int idx, void *arg) 4291 { 4292 return CRYPTO_set_ex_data(&s->ex_data, idx, arg); 4293 } 4294 4295 void *SSL_get_ex_data(const SSL *s, int idx) 4296 { 4297 return CRYPTO_get_ex_data(&s->ex_data, idx); 4298 } 4299 4300 int SSL_CTX_set_ex_data(SSL_CTX *s, int idx, void *arg) 4301 { 4302 return CRYPTO_set_ex_data(&s->ex_data, idx, arg); 4303 } 4304 4305 void *SSL_CTX_get_ex_data(const SSL_CTX *s, int idx) 4306 { 4307 return CRYPTO_get_ex_data(&s->ex_data, idx); 4308 } 4309 4310 X509_STORE *SSL_CTX_get_cert_store(const SSL_CTX *ctx) 4311 { 4312 return ctx->cert_store; 4313 } 4314 4315 void SSL_CTX_set_cert_store(SSL_CTX *ctx, X509_STORE *store) 4316 { 4317 X509_STORE_free(ctx->cert_store); 4318 ctx->cert_store = store; 4319 } 4320 4321 void SSL_CTX_set1_cert_store(SSL_CTX *ctx, X509_STORE *store) 4322 { 4323 if (store != NULL) 4324 X509_STORE_up_ref(store); 4325 SSL_CTX_set_cert_store(ctx, store); 4326 } 4327 4328 int SSL_want(const SSL *s) 4329 { 4330 return s->rwstate; 4331 } 4332 4333 /** 4334 * \brief Set the callback for generating temporary DH keys. 4335 * \param ctx the SSL context. 4336 * \param dh the callback 4337 */ 4338 4339 #ifndef OPENSSL_NO_DH 4340 void SSL_CTX_set_tmp_dh_callback(SSL_CTX *ctx, 4341 DH *(*dh) (SSL *ssl, int is_export, 4342 int keylength)) 4343 { 4344 SSL_CTX_callback_ctrl(ctx, SSL_CTRL_SET_TMP_DH_CB, (void (*)(void))dh); 4345 } 4346 4347 void SSL_set_tmp_dh_callback(SSL *ssl, DH *(*dh) (SSL *ssl, int is_export, 4348 int keylength)) 4349 { 4350 SSL_callback_ctrl(ssl, SSL_CTRL_SET_TMP_DH_CB, (void (*)(void))dh); 4351 } 4352 #endif 4353 4354 #ifndef OPENSSL_NO_PSK 4355 int SSL_CTX_use_psk_identity_hint(SSL_CTX *ctx, const char *identity_hint) 4356 { 4357 if (identity_hint != NULL && strlen(identity_hint) > PSK_MAX_IDENTITY_LEN) { 4358 SSLerr(SSL_F_SSL_CTX_USE_PSK_IDENTITY_HINT, SSL_R_DATA_LENGTH_TOO_LONG); 4359 return 0; 4360 } 4361 OPENSSL_free(ctx->cert->psk_identity_hint); 4362 if (identity_hint != NULL) { 4363 ctx->cert->psk_identity_hint = OPENSSL_strdup(identity_hint); 4364 if (ctx->cert->psk_identity_hint == NULL) 4365 return 0; 4366 } else 4367 ctx->cert->psk_identity_hint = NULL; 4368 return 1; 4369 } 4370 4371 int SSL_use_psk_identity_hint(SSL *s, const char *identity_hint) 4372 { 4373 if (s == NULL) 4374 return 0; 4375 4376 if (identity_hint != NULL && strlen(identity_hint) > PSK_MAX_IDENTITY_LEN) { 4377 SSLerr(SSL_F_SSL_USE_PSK_IDENTITY_HINT, SSL_R_DATA_LENGTH_TOO_LONG); 4378 return 0; 4379 } 4380 OPENSSL_free(s->cert->psk_identity_hint); 4381 if (identity_hint != NULL) { 4382 s->cert->psk_identity_hint = OPENSSL_strdup(identity_hint); 4383 if (s->cert->psk_identity_hint == NULL) 4384 return 0; 4385 } else 4386 s->cert->psk_identity_hint = NULL; 4387 return 1; 4388 } 4389 4390 const char *SSL_get_psk_identity_hint(const SSL *s) 4391 { 4392 if (s == NULL || s->session == NULL) 4393 return NULL; 4394 return s->session->psk_identity_hint; 4395 } 4396 4397 const char *SSL_get_psk_identity(const SSL *s) 4398 { 4399 if (s == NULL || s->session == NULL) 4400 return NULL; 4401 return s->session->psk_identity; 4402 } 4403 4404 void SSL_set_psk_client_callback(SSL *s, SSL_psk_client_cb_func cb) 4405 { 4406 s->psk_client_callback = cb; 4407 } 4408 4409 void SSL_CTX_set_psk_client_callback(SSL_CTX *ctx, SSL_psk_client_cb_func cb) 4410 { 4411 ctx->psk_client_callback = cb; 4412 } 4413 4414 void SSL_set_psk_server_callback(SSL *s, SSL_psk_server_cb_func cb) 4415 { 4416 s->psk_server_callback = cb; 4417 } 4418 4419 void SSL_CTX_set_psk_server_callback(SSL_CTX *ctx, SSL_psk_server_cb_func cb) 4420 { 4421 ctx->psk_server_callback = cb; 4422 } 4423 #endif 4424 4425 void SSL_set_psk_find_session_callback(SSL *s, SSL_psk_find_session_cb_func cb) 4426 { 4427 s->psk_find_session_cb = cb; 4428 } 4429 4430 void SSL_CTX_set_psk_find_session_callback(SSL_CTX *ctx, 4431 SSL_psk_find_session_cb_func cb) 4432 { 4433 ctx->psk_find_session_cb = cb; 4434 } 4435 4436 void SSL_set_psk_use_session_callback(SSL *s, SSL_psk_use_session_cb_func cb) 4437 { 4438 s->psk_use_session_cb = cb; 4439 } 4440 4441 void SSL_CTX_set_psk_use_session_callback(SSL_CTX *ctx, 4442 SSL_psk_use_session_cb_func cb) 4443 { 4444 ctx->psk_use_session_cb = cb; 4445 } 4446 4447 void SSL_CTX_set_msg_callback(SSL_CTX *ctx, 4448 void (*cb) (int write_p, int version, 4449 int content_type, const void *buf, 4450 size_t len, SSL *ssl, void *arg)) 4451 { 4452 SSL_CTX_callback_ctrl(ctx, SSL_CTRL_SET_MSG_CALLBACK, (void (*)(void))cb); 4453 } 4454 4455 void SSL_set_msg_callback(SSL *ssl, 4456 void (*cb) (int write_p, int version, 4457 int content_type, const void *buf, 4458 size_t len, SSL *ssl, void *arg)) 4459 { 4460 SSL_callback_ctrl(ssl, SSL_CTRL_SET_MSG_CALLBACK, (void (*)(void))cb); 4461 } 4462 4463 void SSL_CTX_set_not_resumable_session_callback(SSL_CTX *ctx, 4464 int (*cb) (SSL *ssl, 4465 int 4466 is_forward_secure)) 4467 { 4468 SSL_CTX_callback_ctrl(ctx, SSL_CTRL_SET_NOT_RESUMABLE_SESS_CB, 4469 (void (*)(void))cb); 4470 } 4471 4472 void SSL_set_not_resumable_session_callback(SSL *ssl, 4473 int (*cb) (SSL *ssl, 4474 int is_forward_secure)) 4475 { 4476 SSL_callback_ctrl(ssl, SSL_CTRL_SET_NOT_RESUMABLE_SESS_CB, 4477 (void (*)(void))cb); 4478 } 4479 4480 void SSL_CTX_set_record_padding_callback(SSL_CTX *ctx, 4481 size_t (*cb) (SSL *ssl, int type, 4482 size_t len, void *arg)) 4483 { 4484 ctx->record_padding_cb = cb; 4485 } 4486 4487 void SSL_CTX_set_record_padding_callback_arg(SSL_CTX *ctx, void *arg) 4488 { 4489 ctx->record_padding_arg = arg; 4490 } 4491 4492 void *SSL_CTX_get_record_padding_callback_arg(const SSL_CTX *ctx) 4493 { 4494 return ctx->record_padding_arg; 4495 } 4496 4497 int SSL_CTX_set_block_padding(SSL_CTX *ctx, size_t block_size) 4498 { 4499 /* block size of 0 or 1 is basically no padding */ 4500 if (block_size == 1) 4501 ctx->block_padding = 0; 4502 else if (block_size <= SSL3_RT_MAX_PLAIN_LENGTH) 4503 ctx->block_padding = block_size; 4504 else 4505 return 0; 4506 return 1; 4507 } 4508 4509 int SSL_set_record_padding_callback(SSL *ssl, 4510 size_t (*cb) (SSL *ssl, int type, 4511 size_t len, void *arg)) 4512 { 4513 BIO *b; 4514 4515 b = SSL_get_wbio(ssl); 4516 if (b == NULL || !BIO_get_ktls_send(b)) { 4517 ssl->record_padding_cb = cb; 4518 return 1; 4519 } 4520 return 0; 4521 } 4522 4523 void SSL_set_record_padding_callback_arg(SSL *ssl, void *arg) 4524 { 4525 ssl->record_padding_arg = arg; 4526 } 4527 4528 void *SSL_get_record_padding_callback_arg(const SSL *ssl) 4529 { 4530 return ssl->record_padding_arg; 4531 } 4532 4533 int SSL_set_block_padding(SSL *ssl, size_t block_size) 4534 { 4535 /* block size of 0 or 1 is basically no padding */ 4536 if (block_size == 1) 4537 ssl->block_padding = 0; 4538 else if (block_size <= SSL3_RT_MAX_PLAIN_LENGTH) 4539 ssl->block_padding = block_size; 4540 else 4541 return 0; 4542 return 1; 4543 } 4544 4545 int SSL_set_num_tickets(SSL *s, size_t num_tickets) 4546 { 4547 s->num_tickets = num_tickets; 4548 4549 return 1; 4550 } 4551 4552 size_t SSL_get_num_tickets(const SSL *s) 4553 { 4554 return s->num_tickets; 4555 } 4556 4557 int SSL_CTX_set_num_tickets(SSL_CTX *ctx, size_t num_tickets) 4558 { 4559 ctx->num_tickets = num_tickets; 4560 4561 return 1; 4562 } 4563 4564 size_t SSL_CTX_get_num_tickets(const SSL_CTX *ctx) 4565 { 4566 return ctx->num_tickets; 4567 } 4568 4569 /* 4570 * Allocates new EVP_MD_CTX and sets pointer to it into given pointer 4571 * variable, freeing EVP_MD_CTX previously stored in that variable, if any. 4572 * If EVP_MD pointer is passed, initializes ctx with this |md|. 4573 * Returns the newly allocated ctx; 4574 */ 4575 4576 EVP_MD_CTX *ssl_replace_hash(EVP_MD_CTX **hash, const EVP_MD *md) 4577 { 4578 ssl_clear_hash_ctx(hash); 4579 *hash = EVP_MD_CTX_new(); 4580 if (*hash == NULL || (md && EVP_DigestInit_ex(*hash, md, NULL) <= 0)) { 4581 EVP_MD_CTX_free(*hash); 4582 *hash = NULL; 4583 return NULL; 4584 } 4585 return *hash; 4586 } 4587 4588 void ssl_clear_hash_ctx(EVP_MD_CTX **hash) 4589 { 4590 4591 EVP_MD_CTX_free(*hash); 4592 *hash = NULL; 4593 } 4594 4595 /* Retrieve handshake hashes */ 4596 int ssl_handshake_hash(SSL *s, unsigned char *out, size_t outlen, 4597 size_t *hashlen) 4598 { 4599 EVP_MD_CTX *ctx = NULL; 4600 EVP_MD_CTX *hdgst = s->s3->handshake_dgst; 4601 int hashleni = EVP_MD_CTX_size(hdgst); 4602 int ret = 0; 4603 4604 if (hashleni < 0 || (size_t)hashleni > outlen) { 4605 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_HANDSHAKE_HASH, 4606 ERR_R_INTERNAL_ERROR); 4607 goto err; 4608 } 4609 4610 ctx = EVP_MD_CTX_new(); 4611 if (ctx == NULL) 4612 goto err; 4613 4614 if (!EVP_MD_CTX_copy_ex(ctx, hdgst) 4615 || EVP_DigestFinal_ex(ctx, out, NULL) <= 0) { 4616 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_HANDSHAKE_HASH, 4617 ERR_R_INTERNAL_ERROR); 4618 goto err; 4619 } 4620 4621 *hashlen = hashleni; 4622 4623 ret = 1; 4624 err: 4625 EVP_MD_CTX_free(ctx); 4626 return ret; 4627 } 4628 4629 int SSL_session_reused(const SSL *s) 4630 { 4631 return s->hit; 4632 } 4633 4634 int SSL_is_server(const SSL *s) 4635 { 4636 return s->server; 4637 } 4638 4639 #if OPENSSL_API_COMPAT < 0x10100000L 4640 void SSL_set_debug(SSL *s, int debug) 4641 { 4642 /* Old function was do-nothing anyway... */ 4643 (void)s; 4644 (void)debug; 4645 } 4646 #endif 4647 4648 void SSL_set_security_level(SSL *s, int level) 4649 { 4650 s->cert->sec_level = level; 4651 } 4652 4653 int SSL_get_security_level(const SSL *s) 4654 { 4655 return s->cert->sec_level; 4656 } 4657 4658 void SSL_set_security_callback(SSL *s, 4659 int (*cb) (const SSL *s, const SSL_CTX *ctx, 4660 int op, int bits, int nid, 4661 void *other, void *ex)) 4662 { 4663 s->cert->sec_cb = cb; 4664 } 4665 4666 int (*SSL_get_security_callback(const SSL *s)) (const SSL *s, 4667 const SSL_CTX *ctx, int op, 4668 int bits, int nid, void *other, 4669 void *ex) { 4670 return s->cert->sec_cb; 4671 } 4672 4673 void SSL_set0_security_ex_data(SSL *s, void *ex) 4674 { 4675 s->cert->sec_ex = ex; 4676 } 4677 4678 void *SSL_get0_security_ex_data(const SSL *s) 4679 { 4680 return s->cert->sec_ex; 4681 } 4682 4683 void SSL_CTX_set_security_level(SSL_CTX *ctx, int level) 4684 { 4685 ctx->cert->sec_level = level; 4686 } 4687 4688 int SSL_CTX_get_security_level(const SSL_CTX *ctx) 4689 { 4690 return ctx->cert->sec_level; 4691 } 4692 4693 void SSL_CTX_set_security_callback(SSL_CTX *ctx, 4694 int (*cb) (const SSL *s, const SSL_CTX *ctx, 4695 int op, int bits, int nid, 4696 void *other, void *ex)) 4697 { 4698 ctx->cert->sec_cb = cb; 4699 } 4700 4701 int (*SSL_CTX_get_security_callback(const SSL_CTX *ctx)) (const SSL *s, 4702 const SSL_CTX *ctx, 4703 int op, int bits, 4704 int nid, 4705 void *other, 4706 void *ex) { 4707 return ctx->cert->sec_cb; 4708 } 4709 4710 void SSL_CTX_set0_security_ex_data(SSL_CTX *ctx, void *ex) 4711 { 4712 ctx->cert->sec_ex = ex; 4713 } 4714 4715 void *SSL_CTX_get0_security_ex_data(const SSL_CTX *ctx) 4716 { 4717 return ctx->cert->sec_ex; 4718 } 4719 4720 /* 4721 * Get/Set/Clear options in SSL_CTX or SSL, formerly macros, now functions that 4722 * can return unsigned long, instead of the generic long return value from the 4723 * control interface. 4724 */ 4725 unsigned long SSL_CTX_get_options(const SSL_CTX *ctx) 4726 { 4727 return ctx->options; 4728 } 4729 4730 unsigned long SSL_get_options(const SSL *s) 4731 { 4732 return s->options; 4733 } 4734 4735 unsigned long SSL_CTX_set_options(SSL_CTX *ctx, unsigned long op) 4736 { 4737 return ctx->options |= op; 4738 } 4739 4740 unsigned long SSL_set_options(SSL *s, unsigned long op) 4741 { 4742 return s->options |= op; 4743 } 4744 4745 unsigned long SSL_CTX_clear_options(SSL_CTX *ctx, unsigned long op) 4746 { 4747 return ctx->options &= ~op; 4748 } 4749 4750 unsigned long SSL_clear_options(SSL *s, unsigned long op) 4751 { 4752 return s->options &= ~op; 4753 } 4754 4755 STACK_OF(X509) *SSL_get0_verified_chain(const SSL *s) 4756 { 4757 return s->verified_chain; 4758 } 4759 4760 IMPLEMENT_OBJ_BSEARCH_GLOBAL_CMP_FN(SSL_CIPHER, SSL_CIPHER, ssl_cipher_id); 4761 4762 #ifndef OPENSSL_NO_CT 4763 4764 /* 4765 * Moves SCTs from the |src| stack to the |dst| stack. 4766 * The source of each SCT will be set to |origin|. 4767 * If |dst| points to a NULL pointer, a new stack will be created and owned by 4768 * the caller. 4769 * Returns the number of SCTs moved, or a negative integer if an error occurs. 4770 */ 4771 static int ct_move_scts(STACK_OF(SCT) **dst, STACK_OF(SCT) *src, 4772 sct_source_t origin) 4773 { 4774 int scts_moved = 0; 4775 SCT *sct = NULL; 4776 4777 if (*dst == NULL) { 4778 *dst = sk_SCT_new_null(); 4779 if (*dst == NULL) { 4780 SSLerr(SSL_F_CT_MOVE_SCTS, ERR_R_MALLOC_FAILURE); 4781 goto err; 4782 } 4783 } 4784 4785 while ((sct = sk_SCT_pop(src)) != NULL) { 4786 if (SCT_set_source(sct, origin) != 1) 4787 goto err; 4788 4789 if (sk_SCT_push(*dst, sct) <= 0) 4790 goto err; 4791 scts_moved += 1; 4792 } 4793 4794 return scts_moved; 4795 err: 4796 if (sct != NULL) 4797 sk_SCT_push(src, sct); /* Put the SCT back */ 4798 return -1; 4799 } 4800 4801 /* 4802 * Look for data collected during ServerHello and parse if found. 4803 * Returns the number of SCTs extracted. 4804 */ 4805 static int ct_extract_tls_extension_scts(SSL *s) 4806 { 4807 int scts_extracted = 0; 4808 4809 if (s->ext.scts != NULL) { 4810 const unsigned char *p = s->ext.scts; 4811 STACK_OF(SCT) *scts = o2i_SCT_LIST(NULL, &p, s->ext.scts_len); 4812 4813 scts_extracted = ct_move_scts(&s->scts, scts, SCT_SOURCE_TLS_EXTENSION); 4814 4815 SCT_LIST_free(scts); 4816 } 4817 4818 return scts_extracted; 4819 } 4820 4821 /* 4822 * Checks for an OCSP response and then attempts to extract any SCTs found if it 4823 * contains an SCT X509 extension. They will be stored in |s->scts|. 4824 * Returns: 4825 * - The number of SCTs extracted, assuming an OCSP response exists. 4826 * - 0 if no OCSP response exists or it contains no SCTs. 4827 * - A negative integer if an error occurs. 4828 */ 4829 static int ct_extract_ocsp_response_scts(SSL *s) 4830 { 4831 # ifndef OPENSSL_NO_OCSP 4832 int scts_extracted = 0; 4833 const unsigned char *p; 4834 OCSP_BASICRESP *br = NULL; 4835 OCSP_RESPONSE *rsp = NULL; 4836 STACK_OF(SCT) *scts = NULL; 4837 int i; 4838 4839 if (s->ext.ocsp.resp == NULL || s->ext.ocsp.resp_len == 0) 4840 goto err; 4841 4842 p = s->ext.ocsp.resp; 4843 rsp = d2i_OCSP_RESPONSE(NULL, &p, (int)s->ext.ocsp.resp_len); 4844 if (rsp == NULL) 4845 goto err; 4846 4847 br = OCSP_response_get1_basic(rsp); 4848 if (br == NULL) 4849 goto err; 4850 4851 for (i = 0; i < OCSP_resp_count(br); ++i) { 4852 OCSP_SINGLERESP *single = OCSP_resp_get0(br, i); 4853 4854 if (single == NULL) 4855 continue; 4856 4857 scts = 4858 OCSP_SINGLERESP_get1_ext_d2i(single, NID_ct_cert_scts, NULL, NULL); 4859 scts_extracted = 4860 ct_move_scts(&s->scts, scts, SCT_SOURCE_OCSP_STAPLED_RESPONSE); 4861 if (scts_extracted < 0) 4862 goto err; 4863 } 4864 err: 4865 SCT_LIST_free(scts); 4866 OCSP_BASICRESP_free(br); 4867 OCSP_RESPONSE_free(rsp); 4868 return scts_extracted; 4869 # else 4870 /* Behave as if no OCSP response exists */ 4871 return 0; 4872 # endif 4873 } 4874 4875 /* 4876 * Attempts to extract SCTs from the peer certificate. 4877 * Return the number of SCTs extracted, or a negative integer if an error 4878 * occurs. 4879 */ 4880 static int ct_extract_x509v3_extension_scts(SSL *s) 4881 { 4882 int scts_extracted = 0; 4883 X509 *cert = s->session != NULL ? s->session->peer : NULL; 4884 4885 if (cert != NULL) { 4886 STACK_OF(SCT) *scts = 4887 X509_get_ext_d2i(cert, NID_ct_precert_scts, NULL, NULL); 4888 4889 scts_extracted = 4890 ct_move_scts(&s->scts, scts, SCT_SOURCE_X509V3_EXTENSION); 4891 4892 SCT_LIST_free(scts); 4893 } 4894 4895 return scts_extracted; 4896 } 4897 4898 /* 4899 * Attempts to find all received SCTs by checking TLS extensions, the OCSP 4900 * response (if it exists) and X509v3 extensions in the certificate. 4901 * Returns NULL if an error occurs. 4902 */ 4903 const STACK_OF(SCT) *SSL_get0_peer_scts(SSL *s) 4904 { 4905 if (!s->scts_parsed) { 4906 if (ct_extract_tls_extension_scts(s) < 0 || 4907 ct_extract_ocsp_response_scts(s) < 0 || 4908 ct_extract_x509v3_extension_scts(s) < 0) 4909 goto err; 4910 4911 s->scts_parsed = 1; 4912 } 4913 return s->scts; 4914 err: 4915 return NULL; 4916 } 4917 4918 static int ct_permissive(const CT_POLICY_EVAL_CTX * ctx, 4919 const STACK_OF(SCT) *scts, void *unused_arg) 4920 { 4921 return 1; 4922 } 4923 4924 static int ct_strict(const CT_POLICY_EVAL_CTX * ctx, 4925 const STACK_OF(SCT) *scts, void *unused_arg) 4926 { 4927 int count = scts != NULL ? sk_SCT_num(scts) : 0; 4928 int i; 4929 4930 for (i = 0; i < count; ++i) { 4931 SCT *sct = sk_SCT_value(scts, i); 4932 int status = SCT_get_validation_status(sct); 4933 4934 if (status == SCT_VALIDATION_STATUS_VALID) 4935 return 1; 4936 } 4937 SSLerr(SSL_F_CT_STRICT, SSL_R_NO_VALID_SCTS); 4938 return 0; 4939 } 4940 4941 int SSL_set_ct_validation_callback(SSL *s, ssl_ct_validation_cb callback, 4942 void *arg) 4943 { 4944 /* 4945 * Since code exists that uses the custom extension handler for CT, look 4946 * for this and throw an error if they have already registered to use CT. 4947 */ 4948 if (callback != NULL && SSL_CTX_has_client_custom_ext(s->ctx, 4949 TLSEXT_TYPE_signed_certificate_timestamp)) 4950 { 4951 SSLerr(SSL_F_SSL_SET_CT_VALIDATION_CALLBACK, 4952 SSL_R_CUSTOM_EXT_HANDLER_ALREADY_INSTALLED); 4953 return 0; 4954 } 4955 4956 if (callback != NULL) { 4957 /* 4958 * If we are validating CT, then we MUST accept SCTs served via OCSP 4959 */ 4960 if (!SSL_set_tlsext_status_type(s, TLSEXT_STATUSTYPE_ocsp)) 4961 return 0; 4962 } 4963 4964 s->ct_validation_callback = callback; 4965 s->ct_validation_callback_arg = arg; 4966 4967 return 1; 4968 } 4969 4970 int SSL_CTX_set_ct_validation_callback(SSL_CTX *ctx, 4971 ssl_ct_validation_cb callback, void *arg) 4972 { 4973 /* 4974 * Since code exists that uses the custom extension handler for CT, look for 4975 * this and throw an error if they have already registered to use CT. 4976 */ 4977 if (callback != NULL && SSL_CTX_has_client_custom_ext(ctx, 4978 TLSEXT_TYPE_signed_certificate_timestamp)) 4979 { 4980 SSLerr(SSL_F_SSL_CTX_SET_CT_VALIDATION_CALLBACK, 4981 SSL_R_CUSTOM_EXT_HANDLER_ALREADY_INSTALLED); 4982 return 0; 4983 } 4984 4985 ctx->ct_validation_callback = callback; 4986 ctx->ct_validation_callback_arg = arg; 4987 return 1; 4988 } 4989 4990 int SSL_ct_is_enabled(const SSL *s) 4991 { 4992 return s->ct_validation_callback != NULL; 4993 } 4994 4995 int SSL_CTX_ct_is_enabled(const SSL_CTX *ctx) 4996 { 4997 return ctx->ct_validation_callback != NULL; 4998 } 4999 5000 int ssl_validate_ct(SSL *s) 5001 { 5002 int ret = 0; 5003 X509 *cert = s->session != NULL ? s->session->peer : NULL; 5004 X509 *issuer; 5005 SSL_DANE *dane = &s->dane; 5006 CT_POLICY_EVAL_CTX *ctx = NULL; 5007 const STACK_OF(SCT) *scts; 5008 5009 /* 5010 * If no callback is set, the peer is anonymous, or its chain is invalid, 5011 * skip SCT validation - just return success. Applications that continue 5012 * handshakes without certificates, with unverified chains, or pinned leaf 5013 * certificates are outside the scope of the WebPKI and CT. 5014 * 5015 * The above exclusions notwithstanding the vast majority of peers will 5016 * have rather ordinary certificate chains validated by typical 5017 * applications that perform certificate verification and therefore will 5018 * process SCTs when enabled. 5019 */ 5020 if (s->ct_validation_callback == NULL || cert == NULL || 5021 s->verify_result != X509_V_OK || 5022 s->verified_chain == NULL || sk_X509_num(s->verified_chain) <= 1) 5023 return 1; 5024 5025 /* 5026 * CT not applicable for chains validated via DANE-TA(2) or DANE-EE(3) 5027 * trust-anchors. See https://tools.ietf.org/html/rfc7671#section-4.2 5028 */ 5029 if (DANETLS_ENABLED(dane) && dane->mtlsa != NULL) { 5030 switch (dane->mtlsa->usage) { 5031 case DANETLS_USAGE_DANE_TA: 5032 case DANETLS_USAGE_DANE_EE: 5033 return 1; 5034 } 5035 } 5036 5037 ctx = CT_POLICY_EVAL_CTX_new(); 5038 if (ctx == NULL) { 5039 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_VALIDATE_CT, 5040 ERR_R_MALLOC_FAILURE); 5041 goto end; 5042 } 5043 5044 issuer = sk_X509_value(s->verified_chain, 1); 5045 CT_POLICY_EVAL_CTX_set1_cert(ctx, cert); 5046 CT_POLICY_EVAL_CTX_set1_issuer(ctx, issuer); 5047 CT_POLICY_EVAL_CTX_set_shared_CTLOG_STORE(ctx, s->ctx->ctlog_store); 5048 CT_POLICY_EVAL_CTX_set_time( 5049 ctx, (uint64_t)SSL_SESSION_get_time(SSL_get0_session(s)) * 1000); 5050 5051 scts = SSL_get0_peer_scts(s); 5052 5053 /* 5054 * This function returns success (> 0) only when all the SCTs are valid, 0 5055 * when some are invalid, and < 0 on various internal errors (out of 5056 * memory, etc.). Having some, or even all, invalid SCTs is not sufficient 5057 * reason to abort the handshake, that decision is up to the callback. 5058 * Therefore, we error out only in the unexpected case that the return 5059 * value is negative. 5060 * 5061 * XXX: One might well argue that the return value of this function is an 5062 * unfortunate design choice. Its job is only to determine the validation 5063 * status of each of the provided SCTs. So long as it correctly separates 5064 * the wheat from the chaff it should return success. Failure in this case 5065 * ought to correspond to an inability to carry out its duties. 5066 */ 5067 if (SCT_LIST_validate(scts, ctx) < 0) { 5068 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_SSL_VALIDATE_CT, 5069 SSL_R_SCT_VERIFICATION_FAILED); 5070 goto end; 5071 } 5072 5073 ret = s->ct_validation_callback(ctx, scts, s->ct_validation_callback_arg); 5074 if (ret < 0) 5075 ret = 0; /* This function returns 0 on failure */ 5076 if (!ret) 5077 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_SSL_VALIDATE_CT, 5078 SSL_R_CALLBACK_FAILED); 5079 5080 end: 5081 CT_POLICY_EVAL_CTX_free(ctx); 5082 /* 5083 * With SSL_VERIFY_NONE the session may be cached and re-used despite a 5084 * failure return code here. Also the application may wish the complete 5085 * the handshake, and then disconnect cleanly at a higher layer, after 5086 * checking the verification status of the completed connection. 5087 * 5088 * We therefore force a certificate verification failure which will be 5089 * visible via SSL_get_verify_result() and cached as part of any resumed 5090 * session. 5091 * 5092 * Note: the permissive callback is for information gathering only, always 5093 * returns success, and does not affect verification status. Only the 5094 * strict callback or a custom application-specified callback can trigger 5095 * connection failure or record a verification error. 5096 */ 5097 if (ret <= 0) 5098 s->verify_result = X509_V_ERR_NO_VALID_SCTS; 5099 return ret; 5100 } 5101 5102 int SSL_CTX_enable_ct(SSL_CTX *ctx, int validation_mode) 5103 { 5104 switch (validation_mode) { 5105 default: 5106 SSLerr(SSL_F_SSL_CTX_ENABLE_CT, SSL_R_INVALID_CT_VALIDATION_TYPE); 5107 return 0; 5108 case SSL_CT_VALIDATION_PERMISSIVE: 5109 return SSL_CTX_set_ct_validation_callback(ctx, ct_permissive, NULL); 5110 case SSL_CT_VALIDATION_STRICT: 5111 return SSL_CTX_set_ct_validation_callback(ctx, ct_strict, NULL); 5112 } 5113 } 5114 5115 int SSL_enable_ct(SSL *s, int validation_mode) 5116 { 5117 switch (validation_mode) { 5118 default: 5119 SSLerr(SSL_F_SSL_ENABLE_CT, SSL_R_INVALID_CT_VALIDATION_TYPE); 5120 return 0; 5121 case SSL_CT_VALIDATION_PERMISSIVE: 5122 return SSL_set_ct_validation_callback(s, ct_permissive, NULL); 5123 case SSL_CT_VALIDATION_STRICT: 5124 return SSL_set_ct_validation_callback(s, ct_strict, NULL); 5125 } 5126 } 5127 5128 int SSL_CTX_set_default_ctlog_list_file(SSL_CTX *ctx) 5129 { 5130 return CTLOG_STORE_load_default_file(ctx->ctlog_store); 5131 } 5132 5133 int SSL_CTX_set_ctlog_list_file(SSL_CTX *ctx, const char *path) 5134 { 5135 return CTLOG_STORE_load_file(ctx->ctlog_store, path); 5136 } 5137 5138 void SSL_CTX_set0_ctlog_store(SSL_CTX *ctx, CTLOG_STORE * logs) 5139 { 5140 CTLOG_STORE_free(ctx->ctlog_store); 5141 ctx->ctlog_store = logs; 5142 } 5143 5144 const CTLOG_STORE *SSL_CTX_get0_ctlog_store(const SSL_CTX *ctx) 5145 { 5146 return ctx->ctlog_store; 5147 } 5148 5149 #endif /* OPENSSL_NO_CT */ 5150 5151 void SSL_CTX_set_client_hello_cb(SSL_CTX *c, SSL_client_hello_cb_fn cb, 5152 void *arg) 5153 { 5154 c->client_hello_cb = cb; 5155 c->client_hello_cb_arg = arg; 5156 } 5157 5158 int SSL_client_hello_isv2(SSL *s) 5159 { 5160 if (s->clienthello == NULL) 5161 return 0; 5162 return s->clienthello->isv2; 5163 } 5164 5165 unsigned int SSL_client_hello_get0_legacy_version(SSL *s) 5166 { 5167 if (s->clienthello == NULL) 5168 return 0; 5169 return s->clienthello->legacy_version; 5170 } 5171 5172 size_t SSL_client_hello_get0_random(SSL *s, const unsigned char **out) 5173 { 5174 if (s->clienthello == NULL) 5175 return 0; 5176 if (out != NULL) 5177 *out = s->clienthello->random; 5178 return SSL3_RANDOM_SIZE; 5179 } 5180 5181 size_t SSL_client_hello_get0_session_id(SSL *s, const unsigned char **out) 5182 { 5183 if (s->clienthello == NULL) 5184 return 0; 5185 if (out != NULL) 5186 *out = s->clienthello->session_id; 5187 return s->clienthello->session_id_len; 5188 } 5189 5190 size_t SSL_client_hello_get0_ciphers(SSL *s, const unsigned char **out) 5191 { 5192 if (s->clienthello == NULL) 5193 return 0; 5194 if (out != NULL) 5195 *out = PACKET_data(&s->clienthello->ciphersuites); 5196 return PACKET_remaining(&s->clienthello->ciphersuites); 5197 } 5198 5199 size_t SSL_client_hello_get0_compression_methods(SSL *s, const unsigned char **out) 5200 { 5201 if (s->clienthello == NULL) 5202 return 0; 5203 if (out != NULL) 5204 *out = s->clienthello->compressions; 5205 return s->clienthello->compressions_len; 5206 } 5207 5208 int SSL_client_hello_get1_extensions_present(SSL *s, int **out, size_t *outlen) 5209 { 5210 RAW_EXTENSION *ext; 5211 int *present; 5212 size_t num = 0, i; 5213 5214 if (s->clienthello == NULL || out == NULL || outlen == NULL) 5215 return 0; 5216 for (i = 0; i < s->clienthello->pre_proc_exts_len; i++) { 5217 ext = s->clienthello->pre_proc_exts + i; 5218 if (ext->present) 5219 num++; 5220 } 5221 if (num == 0) { 5222 *out = NULL; 5223 *outlen = 0; 5224 return 1; 5225 } 5226 if ((present = OPENSSL_malloc(sizeof(*present) * num)) == NULL) { 5227 SSLerr(SSL_F_SSL_CLIENT_HELLO_GET1_EXTENSIONS_PRESENT, 5228 ERR_R_MALLOC_FAILURE); 5229 return 0; 5230 } 5231 for (i = 0; i < s->clienthello->pre_proc_exts_len; i++) { 5232 ext = s->clienthello->pre_proc_exts + i; 5233 if (ext->present) { 5234 if (ext->received_order >= num) 5235 goto err; 5236 present[ext->received_order] = ext->type; 5237 } 5238 } 5239 *out = present; 5240 *outlen = num; 5241 return 1; 5242 err: 5243 OPENSSL_free(present); 5244 return 0; 5245 } 5246 5247 int SSL_client_hello_get0_ext(SSL *s, unsigned int type, const unsigned char **out, 5248 size_t *outlen) 5249 { 5250 size_t i; 5251 RAW_EXTENSION *r; 5252 5253 if (s->clienthello == NULL) 5254 return 0; 5255 for (i = 0; i < s->clienthello->pre_proc_exts_len; ++i) { 5256 r = s->clienthello->pre_proc_exts + i; 5257 if (r->present && r->type == type) { 5258 if (out != NULL) 5259 *out = PACKET_data(&r->data); 5260 if (outlen != NULL) 5261 *outlen = PACKET_remaining(&r->data); 5262 return 1; 5263 } 5264 } 5265 return 0; 5266 } 5267 5268 int SSL_free_buffers(SSL *ssl) 5269 { 5270 RECORD_LAYER *rl = &ssl->rlayer; 5271 5272 if (RECORD_LAYER_read_pending(rl) || RECORD_LAYER_write_pending(rl)) 5273 return 0; 5274 5275 RECORD_LAYER_release(rl); 5276 return 1; 5277 } 5278 5279 int SSL_alloc_buffers(SSL *ssl) 5280 { 5281 return ssl3_setup_buffers(ssl); 5282 } 5283 5284 void SSL_CTX_set_keylog_callback(SSL_CTX *ctx, SSL_CTX_keylog_cb_func cb) 5285 { 5286 ctx->keylog_callback = cb; 5287 } 5288 5289 SSL_CTX_keylog_cb_func SSL_CTX_get_keylog_callback(const SSL_CTX *ctx) 5290 { 5291 return ctx->keylog_callback; 5292 } 5293 5294 static int nss_keylog_int(const char *prefix, 5295 SSL *ssl, 5296 const uint8_t *parameter_1, 5297 size_t parameter_1_len, 5298 const uint8_t *parameter_2, 5299 size_t parameter_2_len) 5300 { 5301 char *out = NULL; 5302 char *cursor = NULL; 5303 size_t out_len = 0; 5304 size_t i; 5305 size_t prefix_len; 5306 5307 if (ssl->ctx->keylog_callback == NULL) 5308 return 1; 5309 5310 /* 5311 * Our output buffer will contain the following strings, rendered with 5312 * space characters in between, terminated by a NULL character: first the 5313 * prefix, then the first parameter, then the second parameter. The 5314 * meaning of each parameter depends on the specific key material being 5315 * logged. Note that the first and second parameters are encoded in 5316 * hexadecimal, so we need a buffer that is twice their lengths. 5317 */ 5318 prefix_len = strlen(prefix); 5319 out_len = prefix_len + (2 * parameter_1_len) + (2 * parameter_2_len) + 3; 5320 if ((out = cursor = OPENSSL_malloc(out_len)) == NULL) { 5321 SSLfatal(ssl, SSL_AD_INTERNAL_ERROR, SSL_F_NSS_KEYLOG_INT, 5322 ERR_R_MALLOC_FAILURE); 5323 return 0; 5324 } 5325 5326 strcpy(cursor, prefix); 5327 cursor += prefix_len; 5328 *cursor++ = ' '; 5329 5330 for (i = 0; i < parameter_1_len; i++) { 5331 sprintf(cursor, "%02x", parameter_1[i]); 5332 cursor += 2; 5333 } 5334 *cursor++ = ' '; 5335 5336 for (i = 0; i < parameter_2_len; i++) { 5337 sprintf(cursor, "%02x", parameter_2[i]); 5338 cursor += 2; 5339 } 5340 *cursor = '\0'; 5341 5342 ssl->ctx->keylog_callback(ssl, (const char *)out); 5343 OPENSSL_clear_free(out, out_len); 5344 return 1; 5345 5346 } 5347 5348 int ssl_log_rsa_client_key_exchange(SSL *ssl, 5349 const uint8_t *encrypted_premaster, 5350 size_t encrypted_premaster_len, 5351 const uint8_t *premaster, 5352 size_t premaster_len) 5353 { 5354 if (encrypted_premaster_len < 8) { 5355 SSLfatal(ssl, SSL_AD_INTERNAL_ERROR, 5356 SSL_F_SSL_LOG_RSA_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); 5357 return 0; 5358 } 5359 5360 /* We only want the first 8 bytes of the encrypted premaster as a tag. */ 5361 return nss_keylog_int("RSA", 5362 ssl, 5363 encrypted_premaster, 5364 8, 5365 premaster, 5366 premaster_len); 5367 } 5368 5369 int ssl_log_secret(SSL *ssl, 5370 const char *label, 5371 const uint8_t *secret, 5372 size_t secret_len) 5373 { 5374 return nss_keylog_int(label, 5375 ssl, 5376 ssl->s3->client_random, 5377 SSL3_RANDOM_SIZE, 5378 secret, 5379 secret_len); 5380 } 5381 5382 #define SSLV2_CIPHER_LEN 3 5383 5384 int ssl_cache_cipherlist(SSL *s, PACKET *cipher_suites, int sslv2format) 5385 { 5386 int n; 5387 5388 n = sslv2format ? SSLV2_CIPHER_LEN : TLS_CIPHER_LEN; 5389 5390 if (PACKET_remaining(cipher_suites) == 0) { 5391 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_SSL_CACHE_CIPHERLIST, 5392 SSL_R_NO_CIPHERS_SPECIFIED); 5393 return 0; 5394 } 5395 5396 if (PACKET_remaining(cipher_suites) % n != 0) { 5397 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_SSL_CACHE_CIPHERLIST, 5398 SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST); 5399 return 0; 5400 } 5401 5402 OPENSSL_free(s->s3->tmp.ciphers_raw); 5403 s->s3->tmp.ciphers_raw = NULL; 5404 s->s3->tmp.ciphers_rawlen = 0; 5405 5406 if (sslv2format) { 5407 size_t numciphers = PACKET_remaining(cipher_suites) / n; 5408 PACKET sslv2ciphers = *cipher_suites; 5409 unsigned int leadbyte; 5410 unsigned char *raw; 5411 5412 /* 5413 * We store the raw ciphers list in SSLv3+ format so we need to do some 5414 * preprocessing to convert the list first. If there are any SSLv2 only 5415 * ciphersuites with a non-zero leading byte then we are going to 5416 * slightly over allocate because we won't store those. But that isn't a 5417 * problem. 5418 */ 5419 raw = OPENSSL_malloc(numciphers * TLS_CIPHER_LEN); 5420 s->s3->tmp.ciphers_raw = raw; 5421 if (raw == NULL) { 5422 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_CACHE_CIPHERLIST, 5423 ERR_R_MALLOC_FAILURE); 5424 return 0; 5425 } 5426 for (s->s3->tmp.ciphers_rawlen = 0; 5427 PACKET_remaining(&sslv2ciphers) > 0; 5428 raw += TLS_CIPHER_LEN) { 5429 if (!PACKET_get_1(&sslv2ciphers, &leadbyte) 5430 || (leadbyte == 0 5431 && !PACKET_copy_bytes(&sslv2ciphers, raw, 5432 TLS_CIPHER_LEN)) 5433 || (leadbyte != 0 5434 && !PACKET_forward(&sslv2ciphers, TLS_CIPHER_LEN))) { 5435 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_SSL_CACHE_CIPHERLIST, 5436 SSL_R_BAD_PACKET); 5437 OPENSSL_free(s->s3->tmp.ciphers_raw); 5438 s->s3->tmp.ciphers_raw = NULL; 5439 s->s3->tmp.ciphers_rawlen = 0; 5440 return 0; 5441 } 5442 if (leadbyte == 0) 5443 s->s3->tmp.ciphers_rawlen += TLS_CIPHER_LEN; 5444 } 5445 } else if (!PACKET_memdup(cipher_suites, &s->s3->tmp.ciphers_raw, 5446 &s->s3->tmp.ciphers_rawlen)) { 5447 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_CACHE_CIPHERLIST, 5448 ERR_R_INTERNAL_ERROR); 5449 return 0; 5450 } 5451 return 1; 5452 } 5453 5454 int SSL_bytes_to_cipher_list(SSL *s, const unsigned char *bytes, size_t len, 5455 int isv2format, STACK_OF(SSL_CIPHER) **sk, 5456 STACK_OF(SSL_CIPHER) **scsvs) 5457 { 5458 PACKET pkt; 5459 5460 if (!PACKET_buf_init(&pkt, bytes, len)) 5461 return 0; 5462 return bytes_to_cipher_list(s, &pkt, sk, scsvs, isv2format, 0); 5463 } 5464 5465 int bytes_to_cipher_list(SSL *s, PACKET *cipher_suites, 5466 STACK_OF(SSL_CIPHER) **skp, 5467 STACK_OF(SSL_CIPHER) **scsvs_out, 5468 int sslv2format, int fatal) 5469 { 5470 const SSL_CIPHER *c; 5471 STACK_OF(SSL_CIPHER) *sk = NULL; 5472 STACK_OF(SSL_CIPHER) *scsvs = NULL; 5473 int n; 5474 /* 3 = SSLV2_CIPHER_LEN > TLS_CIPHER_LEN = 2. */ 5475 unsigned char cipher[SSLV2_CIPHER_LEN]; 5476 5477 n = sslv2format ? SSLV2_CIPHER_LEN : TLS_CIPHER_LEN; 5478 5479 if (PACKET_remaining(cipher_suites) == 0) { 5480 if (fatal) 5481 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_BYTES_TO_CIPHER_LIST, 5482 SSL_R_NO_CIPHERS_SPECIFIED); 5483 else 5484 SSLerr(SSL_F_BYTES_TO_CIPHER_LIST, SSL_R_NO_CIPHERS_SPECIFIED); 5485 return 0; 5486 } 5487 5488 if (PACKET_remaining(cipher_suites) % n != 0) { 5489 if (fatal) 5490 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_BYTES_TO_CIPHER_LIST, 5491 SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST); 5492 else 5493 SSLerr(SSL_F_BYTES_TO_CIPHER_LIST, 5494 SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST); 5495 return 0; 5496 } 5497 5498 sk = sk_SSL_CIPHER_new_null(); 5499 scsvs = sk_SSL_CIPHER_new_null(); 5500 if (sk == NULL || scsvs == NULL) { 5501 if (fatal) 5502 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_BYTES_TO_CIPHER_LIST, 5503 ERR_R_MALLOC_FAILURE); 5504 else 5505 SSLerr(SSL_F_BYTES_TO_CIPHER_LIST, ERR_R_MALLOC_FAILURE); 5506 goto err; 5507 } 5508 5509 while (PACKET_copy_bytes(cipher_suites, cipher, n)) { 5510 /* 5511 * SSLv3 ciphers wrapped in an SSLv2-compatible ClientHello have the 5512 * first byte set to zero, while true SSLv2 ciphers have a non-zero 5513 * first byte. We don't support any true SSLv2 ciphers, so skip them. 5514 */ 5515 if (sslv2format && cipher[0] != '\0') 5516 continue; 5517 5518 /* For SSLv2-compat, ignore leading 0-byte. */ 5519 c = ssl_get_cipher_by_char(s, sslv2format ? &cipher[1] : cipher, 1); 5520 if (c != NULL) { 5521 if ((c->valid && !sk_SSL_CIPHER_push(sk, c)) || 5522 (!c->valid && !sk_SSL_CIPHER_push(scsvs, c))) { 5523 if (fatal) 5524 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 5525 SSL_F_BYTES_TO_CIPHER_LIST, ERR_R_MALLOC_FAILURE); 5526 else 5527 SSLerr(SSL_F_BYTES_TO_CIPHER_LIST, ERR_R_MALLOC_FAILURE); 5528 goto err; 5529 } 5530 } 5531 } 5532 if (PACKET_remaining(cipher_suites) > 0) { 5533 if (fatal) 5534 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_BYTES_TO_CIPHER_LIST, 5535 SSL_R_BAD_LENGTH); 5536 else 5537 SSLerr(SSL_F_BYTES_TO_CIPHER_LIST, SSL_R_BAD_LENGTH); 5538 goto err; 5539 } 5540 5541 if (skp != NULL) 5542 *skp = sk; 5543 else 5544 sk_SSL_CIPHER_free(sk); 5545 if (scsvs_out != NULL) 5546 *scsvs_out = scsvs; 5547 else 5548 sk_SSL_CIPHER_free(scsvs); 5549 return 1; 5550 err: 5551 sk_SSL_CIPHER_free(sk); 5552 sk_SSL_CIPHER_free(scsvs); 5553 return 0; 5554 } 5555 5556 int SSL_CTX_set_max_early_data(SSL_CTX *ctx, uint32_t max_early_data) 5557 { 5558 ctx->max_early_data = max_early_data; 5559 5560 return 1; 5561 } 5562 5563 uint32_t SSL_CTX_get_max_early_data(const SSL_CTX *ctx) 5564 { 5565 return ctx->max_early_data; 5566 } 5567 5568 int SSL_set_max_early_data(SSL *s, uint32_t max_early_data) 5569 { 5570 s->max_early_data = max_early_data; 5571 5572 return 1; 5573 } 5574 5575 uint32_t SSL_get_max_early_data(const SSL *s) 5576 { 5577 return s->max_early_data; 5578 } 5579 5580 int SSL_CTX_set_recv_max_early_data(SSL_CTX *ctx, uint32_t recv_max_early_data) 5581 { 5582 ctx->recv_max_early_data = recv_max_early_data; 5583 5584 return 1; 5585 } 5586 5587 uint32_t SSL_CTX_get_recv_max_early_data(const SSL_CTX *ctx) 5588 { 5589 return ctx->recv_max_early_data; 5590 } 5591 5592 int SSL_set_recv_max_early_data(SSL *s, uint32_t recv_max_early_data) 5593 { 5594 s->recv_max_early_data = recv_max_early_data; 5595 5596 return 1; 5597 } 5598 5599 uint32_t SSL_get_recv_max_early_data(const SSL *s) 5600 { 5601 return s->recv_max_early_data; 5602 } 5603 5604 __owur unsigned int ssl_get_max_send_fragment(const SSL *ssl) 5605 { 5606 /* Return any active Max Fragment Len extension */ 5607 if (ssl->session != NULL && USE_MAX_FRAGMENT_LENGTH_EXT(ssl->session)) 5608 return GET_MAX_FRAGMENT_LENGTH(ssl->session); 5609 5610 /* return current SSL connection setting */ 5611 return ssl->max_send_fragment; 5612 } 5613 5614 __owur unsigned int ssl_get_split_send_fragment(const SSL *ssl) 5615 { 5616 /* Return a value regarding an active Max Fragment Len extension */ 5617 if (ssl->session != NULL && USE_MAX_FRAGMENT_LENGTH_EXT(ssl->session) 5618 && ssl->split_send_fragment > GET_MAX_FRAGMENT_LENGTH(ssl->session)) 5619 return GET_MAX_FRAGMENT_LENGTH(ssl->session); 5620 5621 /* else limit |split_send_fragment| to current |max_send_fragment| */ 5622 if (ssl->split_send_fragment > ssl->max_send_fragment) 5623 return ssl->max_send_fragment; 5624 5625 /* return current SSL connection setting */ 5626 return ssl->split_send_fragment; 5627 } 5628 5629 int SSL_stateless(SSL *s) 5630 { 5631 int ret; 5632 5633 /* Ensure there is no state left over from a previous invocation */ 5634 if (!SSL_clear(s)) 5635 return 0; 5636 5637 ERR_clear_error(); 5638 5639 s->s3->flags |= TLS1_FLAGS_STATELESS; 5640 ret = SSL_accept(s); 5641 s->s3->flags &= ~TLS1_FLAGS_STATELESS; 5642 5643 if (ret > 0 && s->ext.cookieok) 5644 return 1; 5645 5646 if (s->hello_retry_request == SSL_HRR_PENDING && !ossl_statem_in_error(s)) 5647 return 0; 5648 5649 return -1; 5650 } 5651 5652 void SSL_CTX_set_post_handshake_auth(SSL_CTX *ctx, int val) 5653 { 5654 ctx->pha_enabled = val; 5655 } 5656 5657 void SSL_set_post_handshake_auth(SSL *ssl, int val) 5658 { 5659 ssl->pha_enabled = val; 5660 } 5661 5662 int SSL_verify_client_post_handshake(SSL *ssl) 5663 { 5664 if (!SSL_IS_TLS13(ssl)) { 5665 SSLerr(SSL_F_SSL_VERIFY_CLIENT_POST_HANDSHAKE, SSL_R_WRONG_SSL_VERSION); 5666 return 0; 5667 } 5668 if (!ssl->server) { 5669 SSLerr(SSL_F_SSL_VERIFY_CLIENT_POST_HANDSHAKE, SSL_R_NOT_SERVER); 5670 return 0; 5671 } 5672 5673 if (!SSL_is_init_finished(ssl)) { 5674 SSLerr(SSL_F_SSL_VERIFY_CLIENT_POST_HANDSHAKE, SSL_R_STILL_IN_INIT); 5675 return 0; 5676 } 5677 5678 switch (ssl->post_handshake_auth) { 5679 case SSL_PHA_NONE: 5680 SSLerr(SSL_F_SSL_VERIFY_CLIENT_POST_HANDSHAKE, SSL_R_EXTENSION_NOT_RECEIVED); 5681 return 0; 5682 default: 5683 case SSL_PHA_EXT_SENT: 5684 SSLerr(SSL_F_SSL_VERIFY_CLIENT_POST_HANDSHAKE, ERR_R_INTERNAL_ERROR); 5685 return 0; 5686 case SSL_PHA_EXT_RECEIVED: 5687 break; 5688 case SSL_PHA_REQUEST_PENDING: 5689 SSLerr(SSL_F_SSL_VERIFY_CLIENT_POST_HANDSHAKE, SSL_R_REQUEST_PENDING); 5690 return 0; 5691 case SSL_PHA_REQUESTED: 5692 SSLerr(SSL_F_SSL_VERIFY_CLIENT_POST_HANDSHAKE, SSL_R_REQUEST_SENT); 5693 return 0; 5694 } 5695 5696 ssl->post_handshake_auth = SSL_PHA_REQUEST_PENDING; 5697 5698 /* checks verify_mode and algorithm_auth */ 5699 if (!send_certificate_request(ssl)) { 5700 ssl->post_handshake_auth = SSL_PHA_EXT_RECEIVED; /* restore on error */ 5701 SSLerr(SSL_F_SSL_VERIFY_CLIENT_POST_HANDSHAKE, SSL_R_INVALID_CONFIG); 5702 return 0; 5703 } 5704 5705 ossl_statem_set_in_init(ssl, 1); 5706 return 1; 5707 } 5708 5709 int SSL_CTX_set_session_ticket_cb(SSL_CTX *ctx, 5710 SSL_CTX_generate_session_ticket_fn gen_cb, 5711 SSL_CTX_decrypt_session_ticket_fn dec_cb, 5712 void *arg) 5713 { 5714 ctx->generate_ticket_cb = gen_cb; 5715 ctx->decrypt_ticket_cb = dec_cb; 5716 ctx->ticket_cb_data = arg; 5717 return 1; 5718 } 5719 5720 void SSL_CTX_set_allow_early_data_cb(SSL_CTX *ctx, 5721 SSL_allow_early_data_cb_fn cb, 5722 void *arg) 5723 { 5724 ctx->allow_early_data_cb = cb; 5725 ctx->allow_early_data_cb_data = arg; 5726 } 5727 5728 void SSL_set_allow_early_data_cb(SSL *s, 5729 SSL_allow_early_data_cb_fn cb, 5730 void *arg) 5731 { 5732 s->allow_early_data_cb = cb; 5733 s->allow_early_data_cb_data = arg; 5734 } 5735