1 /* 2 * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. 3 * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved 4 * Copyright 2005 Nokia. All rights reserved. 5 * 6 * Licensed under the Apache License 2.0 (the "License"). You may not use 7 * this file except in compliance with the License. You can obtain a copy 8 * in the file LICENSE in the source distribution or at 9 * https://www.openssl.org/source/license.html 10 */ 11 12 #include <stdio.h> 13 #include "ssl_local.h" 14 #include "e_os.h" 15 #include <openssl/objects.h> 16 #include <openssl/x509v3.h> 17 #include <openssl/rand.h> 18 #include <openssl/ocsp.h> 19 #include <openssl/dh.h> 20 #include <openssl/engine.h> 21 #include <openssl/async.h> 22 #include <openssl/ct.h> 23 #include <openssl/trace.h> 24 #include "internal/cryptlib.h" 25 #include "internal/refcount.h" 26 #include "internal/ktls.h" 27 28 static int ssl_undefined_function_1(SSL *ssl, SSL3_RECORD *r, size_t s, int t, 29 SSL_MAC_BUF *mac, size_t macsize) 30 { 31 return ssl_undefined_function(ssl); 32 } 33 34 static int ssl_undefined_function_2(SSL *ssl, SSL3_RECORD *r, unsigned char *s, 35 int t) 36 { 37 return ssl_undefined_function(ssl); 38 } 39 40 static int ssl_undefined_function_3(SSL *ssl, unsigned char *r, 41 unsigned char *s, size_t t, size_t *u) 42 { 43 return ssl_undefined_function(ssl); 44 } 45 46 static int ssl_undefined_function_4(SSL *ssl, int r) 47 { 48 return ssl_undefined_function(ssl); 49 } 50 51 static size_t ssl_undefined_function_5(SSL *ssl, const char *r, size_t s, 52 unsigned char *t) 53 { 54 return ssl_undefined_function(ssl); 55 } 56 57 static int ssl_undefined_function_6(int r) 58 { 59 return ssl_undefined_function(NULL); 60 } 61 62 static int ssl_undefined_function_7(SSL *ssl, unsigned char *r, size_t s, 63 const char *t, size_t u, 64 const unsigned char *v, size_t w, int x) 65 { 66 return ssl_undefined_function(ssl); 67 } 68 69 SSL3_ENC_METHOD ssl3_undef_enc_method = { 70 ssl_undefined_function_1, 71 ssl_undefined_function_2, 72 ssl_undefined_function, 73 ssl_undefined_function_3, 74 ssl_undefined_function_4, 75 ssl_undefined_function_5, 76 NULL, /* client_finished_label */ 77 0, /* client_finished_label_len */ 78 NULL, /* server_finished_label */ 79 0, /* server_finished_label_len */ 80 ssl_undefined_function_6, 81 ssl_undefined_function_7, 82 }; 83 84 struct ssl_async_args { 85 SSL *s; 86 void *buf; 87 size_t num; 88 enum { READFUNC, WRITEFUNC, OTHERFUNC } type; 89 union { 90 int (*func_read) (SSL *, void *, size_t, size_t *); 91 int (*func_write) (SSL *, const void *, size_t, size_t *); 92 int (*func_other) (SSL *); 93 } f; 94 }; 95 96 static const struct { 97 uint8_t mtype; 98 uint8_t ord; 99 int nid; 100 } dane_mds[] = { 101 { 102 DANETLS_MATCHING_FULL, 0, NID_undef 103 }, 104 { 105 DANETLS_MATCHING_2256, 1, NID_sha256 106 }, 107 { 108 DANETLS_MATCHING_2512, 2, NID_sha512 109 }, 110 }; 111 112 static int dane_ctx_enable(struct dane_ctx_st *dctx) 113 { 114 const EVP_MD **mdevp; 115 uint8_t *mdord; 116 uint8_t mdmax = DANETLS_MATCHING_LAST; 117 int n = ((int)mdmax) + 1; /* int to handle PrivMatch(255) */ 118 size_t i; 119 120 if (dctx->mdevp != NULL) 121 return 1; 122 123 mdevp = OPENSSL_zalloc(n * sizeof(*mdevp)); 124 mdord = OPENSSL_zalloc(n * sizeof(*mdord)); 125 126 if (mdord == NULL || mdevp == NULL) { 127 OPENSSL_free(mdord); 128 OPENSSL_free(mdevp); 129 ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE); 130 return 0; 131 } 132 133 /* Install default entries */ 134 for (i = 0; i < OSSL_NELEM(dane_mds); ++i) { 135 const EVP_MD *md; 136 137 if (dane_mds[i].nid == NID_undef || 138 (md = EVP_get_digestbynid(dane_mds[i].nid)) == NULL) 139 continue; 140 mdevp[dane_mds[i].mtype] = md; 141 mdord[dane_mds[i].mtype] = dane_mds[i].ord; 142 } 143 144 dctx->mdevp = mdevp; 145 dctx->mdord = mdord; 146 dctx->mdmax = mdmax; 147 148 return 1; 149 } 150 151 static void dane_ctx_final(struct dane_ctx_st *dctx) 152 { 153 OPENSSL_free(dctx->mdevp); 154 dctx->mdevp = NULL; 155 156 OPENSSL_free(dctx->mdord); 157 dctx->mdord = NULL; 158 dctx->mdmax = 0; 159 } 160 161 static void tlsa_free(danetls_record *t) 162 { 163 if (t == NULL) 164 return; 165 OPENSSL_free(t->data); 166 EVP_PKEY_free(t->spki); 167 OPENSSL_free(t); 168 } 169 170 static void dane_final(SSL_DANE *dane) 171 { 172 sk_danetls_record_pop_free(dane->trecs, tlsa_free); 173 dane->trecs = NULL; 174 175 sk_X509_pop_free(dane->certs, X509_free); 176 dane->certs = NULL; 177 178 X509_free(dane->mcert); 179 dane->mcert = NULL; 180 dane->mtlsa = NULL; 181 dane->mdpth = -1; 182 dane->pdpth = -1; 183 } 184 185 /* 186 * dane_copy - Copy dane configuration, sans verification state. 187 */ 188 static int ssl_dane_dup(SSL *to, SSL *from) 189 { 190 int num; 191 int i; 192 193 if (!DANETLS_ENABLED(&from->dane)) 194 return 1; 195 196 num = sk_danetls_record_num(from->dane.trecs); 197 dane_final(&to->dane); 198 to->dane.flags = from->dane.flags; 199 to->dane.dctx = &to->ctx->dane; 200 to->dane.trecs = sk_danetls_record_new_reserve(NULL, num); 201 202 if (to->dane.trecs == NULL) { 203 ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE); 204 return 0; 205 } 206 207 for (i = 0; i < num; ++i) { 208 danetls_record *t = sk_danetls_record_value(from->dane.trecs, i); 209 210 if (SSL_dane_tlsa_add(to, t->usage, t->selector, t->mtype, 211 t->data, t->dlen) <= 0) 212 return 0; 213 } 214 return 1; 215 } 216 217 static int dane_mtype_set(struct dane_ctx_st *dctx, 218 const EVP_MD *md, uint8_t mtype, uint8_t ord) 219 { 220 int i; 221 222 if (mtype == DANETLS_MATCHING_FULL && md != NULL) { 223 ERR_raise(ERR_LIB_SSL, SSL_R_DANE_CANNOT_OVERRIDE_MTYPE_FULL); 224 return 0; 225 } 226 227 if (mtype > dctx->mdmax) { 228 const EVP_MD **mdevp; 229 uint8_t *mdord; 230 int n = ((int)mtype) + 1; 231 232 mdevp = OPENSSL_realloc(dctx->mdevp, n * sizeof(*mdevp)); 233 if (mdevp == NULL) { 234 ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE); 235 return -1; 236 } 237 dctx->mdevp = mdevp; 238 239 mdord = OPENSSL_realloc(dctx->mdord, n * sizeof(*mdord)); 240 if (mdord == NULL) { 241 ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE); 242 return -1; 243 } 244 dctx->mdord = mdord; 245 246 /* Zero-fill any gaps */ 247 for (i = dctx->mdmax + 1; i < mtype; ++i) { 248 mdevp[i] = NULL; 249 mdord[i] = 0; 250 } 251 252 dctx->mdmax = mtype; 253 } 254 255 dctx->mdevp[mtype] = md; 256 /* Coerce ordinal of disabled matching types to 0 */ 257 dctx->mdord[mtype] = (md == NULL) ? 0 : ord; 258 259 return 1; 260 } 261 262 static const EVP_MD *tlsa_md_get(SSL_DANE *dane, uint8_t mtype) 263 { 264 if (mtype > dane->dctx->mdmax) 265 return NULL; 266 return dane->dctx->mdevp[mtype]; 267 } 268 269 static int dane_tlsa_add(SSL_DANE *dane, 270 uint8_t usage, 271 uint8_t selector, 272 uint8_t mtype, const unsigned char *data, size_t dlen) 273 { 274 danetls_record *t; 275 const EVP_MD *md = NULL; 276 int ilen = (int)dlen; 277 int i; 278 int num; 279 280 if (dane->trecs == NULL) { 281 ERR_raise(ERR_LIB_SSL, SSL_R_DANE_NOT_ENABLED); 282 return -1; 283 } 284 285 if (ilen < 0 || dlen != (size_t)ilen) { 286 ERR_raise(ERR_LIB_SSL, SSL_R_DANE_TLSA_BAD_DATA_LENGTH); 287 return 0; 288 } 289 290 if (usage > DANETLS_USAGE_LAST) { 291 ERR_raise(ERR_LIB_SSL, SSL_R_DANE_TLSA_BAD_CERTIFICATE_USAGE); 292 return 0; 293 } 294 295 if (selector > DANETLS_SELECTOR_LAST) { 296 ERR_raise(ERR_LIB_SSL, SSL_R_DANE_TLSA_BAD_SELECTOR); 297 return 0; 298 } 299 300 if (mtype != DANETLS_MATCHING_FULL) { 301 md = tlsa_md_get(dane, mtype); 302 if (md == NULL) { 303 ERR_raise(ERR_LIB_SSL, SSL_R_DANE_TLSA_BAD_MATCHING_TYPE); 304 return 0; 305 } 306 } 307 308 if (md != NULL && dlen != (size_t)EVP_MD_get_size(md)) { 309 ERR_raise(ERR_LIB_SSL, SSL_R_DANE_TLSA_BAD_DIGEST_LENGTH); 310 return 0; 311 } 312 if (!data) { 313 ERR_raise(ERR_LIB_SSL, SSL_R_DANE_TLSA_NULL_DATA); 314 return 0; 315 } 316 317 if ((t = OPENSSL_zalloc(sizeof(*t))) == NULL) { 318 ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE); 319 return -1; 320 } 321 322 t->usage = usage; 323 t->selector = selector; 324 t->mtype = mtype; 325 t->data = OPENSSL_malloc(dlen); 326 if (t->data == NULL) { 327 tlsa_free(t); 328 ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE); 329 return -1; 330 } 331 memcpy(t->data, data, dlen); 332 t->dlen = dlen; 333 334 /* Validate and cache full certificate or public key */ 335 if (mtype == DANETLS_MATCHING_FULL) { 336 const unsigned char *p = data; 337 X509 *cert = NULL; 338 EVP_PKEY *pkey = NULL; 339 340 switch (selector) { 341 case DANETLS_SELECTOR_CERT: 342 if (!d2i_X509(&cert, &p, ilen) || p < data || 343 dlen != (size_t)(p - data)) { 344 tlsa_free(t); 345 ERR_raise(ERR_LIB_SSL, SSL_R_DANE_TLSA_BAD_CERTIFICATE); 346 return 0; 347 } 348 if (X509_get0_pubkey(cert) == NULL) { 349 tlsa_free(t); 350 ERR_raise(ERR_LIB_SSL, SSL_R_DANE_TLSA_BAD_CERTIFICATE); 351 return 0; 352 } 353 354 if ((DANETLS_USAGE_BIT(usage) & DANETLS_TA_MASK) == 0) { 355 X509_free(cert); 356 break; 357 } 358 359 /* 360 * For usage DANE-TA(2), we support authentication via "2 0 0" TLSA 361 * records that contain full certificates of trust-anchors that are 362 * not present in the wire chain. For usage PKIX-TA(0), we augment 363 * the chain with untrusted Full(0) certificates from DNS, in case 364 * they are missing from the chain. 365 */ 366 if ((dane->certs == NULL && 367 (dane->certs = sk_X509_new_null()) == NULL) || 368 !sk_X509_push(dane->certs, cert)) { 369 ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE); 370 X509_free(cert); 371 tlsa_free(t); 372 return -1; 373 } 374 break; 375 376 case DANETLS_SELECTOR_SPKI: 377 if (!d2i_PUBKEY(&pkey, &p, ilen) || p < data || 378 dlen != (size_t)(p - data)) { 379 tlsa_free(t); 380 ERR_raise(ERR_LIB_SSL, SSL_R_DANE_TLSA_BAD_PUBLIC_KEY); 381 return 0; 382 } 383 384 /* 385 * For usage DANE-TA(2), we support authentication via "2 1 0" TLSA 386 * records that contain full bare keys of trust-anchors that are 387 * not present in the wire chain. 388 */ 389 if (usage == DANETLS_USAGE_DANE_TA) 390 t->spki = pkey; 391 else 392 EVP_PKEY_free(pkey); 393 break; 394 } 395 } 396 397 /*- 398 * Find the right insertion point for the new record. 399 * 400 * See crypto/x509/x509_vfy.c. We sort DANE-EE(3) records first, so that 401 * they can be processed first, as they require no chain building, and no 402 * expiration or hostname checks. Because DANE-EE(3) is numerically 403 * largest, this is accomplished via descending sort by "usage". 404 * 405 * We also sort in descending order by matching ordinal to simplify 406 * the implementation of digest agility in the verification code. 407 * 408 * The choice of order for the selector is not significant, so we 409 * use the same descending order for consistency. 410 */ 411 num = sk_danetls_record_num(dane->trecs); 412 for (i = 0; i < num; ++i) { 413 danetls_record *rec = sk_danetls_record_value(dane->trecs, i); 414 415 if (rec->usage > usage) 416 continue; 417 if (rec->usage < usage) 418 break; 419 if (rec->selector > selector) 420 continue; 421 if (rec->selector < selector) 422 break; 423 if (dane->dctx->mdord[rec->mtype] > dane->dctx->mdord[mtype]) 424 continue; 425 break; 426 } 427 428 if (!sk_danetls_record_insert(dane->trecs, t, i)) { 429 tlsa_free(t); 430 ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE); 431 return -1; 432 } 433 dane->umask |= DANETLS_USAGE_BIT(usage); 434 435 return 1; 436 } 437 438 /* 439 * Return 0 if there is only one version configured and it was disabled 440 * at configure time. Return 1 otherwise. 441 */ 442 static int ssl_check_allowed_versions(int min_version, int max_version) 443 { 444 int minisdtls = 0, maxisdtls = 0; 445 446 /* Figure out if we're doing DTLS versions or TLS versions */ 447 if (min_version == DTLS1_BAD_VER 448 || min_version >> 8 == DTLS1_VERSION_MAJOR) 449 minisdtls = 1; 450 if (max_version == DTLS1_BAD_VER 451 || max_version >> 8 == DTLS1_VERSION_MAJOR) 452 maxisdtls = 1; 453 /* A wildcard version of 0 could be DTLS or TLS. */ 454 if ((minisdtls && !maxisdtls && max_version != 0) 455 || (maxisdtls && !minisdtls && min_version != 0)) { 456 /* Mixing DTLS and TLS versions will lead to sadness; deny it. */ 457 return 0; 458 } 459 460 if (minisdtls || maxisdtls) { 461 /* Do DTLS version checks. */ 462 if (min_version == 0) 463 /* Ignore DTLS1_BAD_VER */ 464 min_version = DTLS1_VERSION; 465 if (max_version == 0) 466 max_version = DTLS1_2_VERSION; 467 #ifdef OPENSSL_NO_DTLS1_2 468 if (max_version == DTLS1_2_VERSION) 469 max_version = DTLS1_VERSION; 470 #endif 471 #ifdef OPENSSL_NO_DTLS1 472 if (min_version == DTLS1_VERSION) 473 min_version = DTLS1_2_VERSION; 474 #endif 475 /* Done massaging versions; do the check. */ 476 if (0 477 #ifdef OPENSSL_NO_DTLS1 478 || (DTLS_VERSION_GE(min_version, DTLS1_VERSION) 479 && DTLS_VERSION_GE(DTLS1_VERSION, max_version)) 480 #endif 481 #ifdef OPENSSL_NO_DTLS1_2 482 || (DTLS_VERSION_GE(min_version, DTLS1_2_VERSION) 483 && DTLS_VERSION_GE(DTLS1_2_VERSION, max_version)) 484 #endif 485 ) 486 return 0; 487 } else { 488 /* Regular TLS version checks. */ 489 if (min_version == 0) 490 min_version = SSL3_VERSION; 491 if (max_version == 0) 492 max_version = TLS1_3_VERSION; 493 #ifdef OPENSSL_NO_TLS1_3 494 if (max_version == TLS1_3_VERSION) 495 max_version = TLS1_2_VERSION; 496 #endif 497 #ifdef OPENSSL_NO_TLS1_2 498 if (max_version == TLS1_2_VERSION) 499 max_version = TLS1_1_VERSION; 500 #endif 501 #ifdef OPENSSL_NO_TLS1_1 502 if (max_version == TLS1_1_VERSION) 503 max_version = TLS1_VERSION; 504 #endif 505 #ifdef OPENSSL_NO_TLS1 506 if (max_version == TLS1_VERSION) 507 max_version = SSL3_VERSION; 508 #endif 509 #ifdef OPENSSL_NO_SSL3 510 if (min_version == SSL3_VERSION) 511 min_version = TLS1_VERSION; 512 #endif 513 #ifdef OPENSSL_NO_TLS1 514 if (min_version == TLS1_VERSION) 515 min_version = TLS1_1_VERSION; 516 #endif 517 #ifdef OPENSSL_NO_TLS1_1 518 if (min_version == TLS1_1_VERSION) 519 min_version = TLS1_2_VERSION; 520 #endif 521 #ifdef OPENSSL_NO_TLS1_2 522 if (min_version == TLS1_2_VERSION) 523 min_version = TLS1_3_VERSION; 524 #endif 525 /* Done massaging versions; do the check. */ 526 if (0 527 #ifdef OPENSSL_NO_SSL3 528 || (min_version <= SSL3_VERSION && SSL3_VERSION <= max_version) 529 #endif 530 #ifdef OPENSSL_NO_TLS1 531 || (min_version <= TLS1_VERSION && TLS1_VERSION <= max_version) 532 #endif 533 #ifdef OPENSSL_NO_TLS1_1 534 || (min_version <= TLS1_1_VERSION && TLS1_1_VERSION <= max_version) 535 #endif 536 #ifdef OPENSSL_NO_TLS1_2 537 || (min_version <= TLS1_2_VERSION && TLS1_2_VERSION <= max_version) 538 #endif 539 #ifdef OPENSSL_NO_TLS1_3 540 || (min_version <= TLS1_3_VERSION && TLS1_3_VERSION <= max_version) 541 #endif 542 ) 543 return 0; 544 } 545 return 1; 546 } 547 548 #if defined(__TANDEM) && defined(OPENSSL_VPROC) 549 /* 550 * Define a VPROC function for HP NonStop build ssl library. 551 * This is used by platform version identification tools. 552 * Do not inline this procedure or make it static. 553 */ 554 # define OPENSSL_VPROC_STRING_(x) x##_SSL 555 # define OPENSSL_VPROC_STRING(x) OPENSSL_VPROC_STRING_(x) 556 # define OPENSSL_VPROC_FUNC OPENSSL_VPROC_STRING(OPENSSL_VPROC) 557 void OPENSSL_VPROC_FUNC(void) {} 558 #endif 559 560 561 static void clear_ciphers(SSL *s) 562 { 563 /* clear the current cipher */ 564 ssl_clear_cipher_ctx(s); 565 ssl_clear_hash_ctx(&s->read_hash); 566 ssl_clear_hash_ctx(&s->write_hash); 567 } 568 569 int SSL_clear(SSL *s) 570 { 571 if (s->method == NULL) { 572 ERR_raise(ERR_LIB_SSL, SSL_R_NO_METHOD_SPECIFIED); 573 return 0; 574 } 575 576 if (ssl_clear_bad_session(s)) { 577 SSL_SESSION_free(s->session); 578 s->session = NULL; 579 } 580 SSL_SESSION_free(s->psksession); 581 s->psksession = NULL; 582 OPENSSL_free(s->psksession_id); 583 s->psksession_id = NULL; 584 s->psksession_id_len = 0; 585 s->hello_retry_request = 0; 586 s->sent_tickets = 0; 587 588 s->error = 0; 589 s->hit = 0; 590 s->shutdown = 0; 591 592 if (s->renegotiate) { 593 ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR); 594 return 0; 595 } 596 597 ossl_statem_clear(s); 598 599 s->version = s->method->version; 600 s->client_version = s->version; 601 s->rwstate = SSL_NOTHING; 602 603 BUF_MEM_free(s->init_buf); 604 s->init_buf = NULL; 605 clear_ciphers(s); 606 s->first_packet = 0; 607 608 s->key_update = SSL_KEY_UPDATE_NONE; 609 610 EVP_MD_CTX_free(s->pha_dgst); 611 s->pha_dgst = NULL; 612 613 /* Reset DANE verification result state */ 614 s->dane.mdpth = -1; 615 s->dane.pdpth = -1; 616 X509_free(s->dane.mcert); 617 s->dane.mcert = NULL; 618 s->dane.mtlsa = NULL; 619 620 /* Clear the verification result peername */ 621 X509_VERIFY_PARAM_move_peername(s->param, NULL); 622 623 /* Clear any shared connection state */ 624 OPENSSL_free(s->shared_sigalgs); 625 s->shared_sigalgs = NULL; 626 s->shared_sigalgslen = 0; 627 628 /* 629 * Check to see if we were changed into a different method, if so, revert 630 * back. 631 */ 632 if (s->method != s->ctx->method) { 633 s->method->ssl_free(s); 634 s->method = s->ctx->method; 635 if (!s->method->ssl_new(s)) 636 return 0; 637 } else { 638 if (!s->method->ssl_clear(s)) 639 return 0; 640 } 641 642 RECORD_LAYER_clear(&s->rlayer); 643 644 return 1; 645 } 646 647 #ifndef OPENSSL_NO_DEPRECATED_3_0 648 /** Used to change an SSL_CTXs default SSL method type */ 649 int SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *meth) 650 { 651 STACK_OF(SSL_CIPHER) *sk; 652 653 ctx->method = meth; 654 655 if (!SSL_CTX_set_ciphersuites(ctx, OSSL_default_ciphersuites())) { 656 ERR_raise(ERR_LIB_SSL, SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS); 657 return 0; 658 } 659 sk = ssl_create_cipher_list(ctx, 660 ctx->tls13_ciphersuites, 661 &(ctx->cipher_list), 662 &(ctx->cipher_list_by_id), 663 OSSL_default_cipher_list(), ctx->cert); 664 if ((sk == NULL) || (sk_SSL_CIPHER_num(sk) <= 0)) { 665 ERR_raise(ERR_LIB_SSL, SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS); 666 return 0; 667 } 668 return 1; 669 } 670 #endif 671 672 SSL *SSL_new(SSL_CTX *ctx) 673 { 674 SSL *s; 675 676 if (ctx == NULL) { 677 ERR_raise(ERR_LIB_SSL, SSL_R_NULL_SSL_CTX); 678 return NULL; 679 } 680 if (ctx->method == NULL) { 681 ERR_raise(ERR_LIB_SSL, SSL_R_SSL_CTX_HAS_NO_DEFAULT_SSL_VERSION); 682 return NULL; 683 } 684 685 s = OPENSSL_zalloc(sizeof(*s)); 686 if (s == NULL) 687 goto err; 688 689 s->references = 1; 690 s->lock = CRYPTO_THREAD_lock_new(); 691 if (s->lock == NULL) { 692 OPENSSL_free(s); 693 s = NULL; 694 goto err; 695 } 696 697 RECORD_LAYER_init(&s->rlayer, s); 698 699 s->options = ctx->options; 700 s->dane.flags = ctx->dane.flags; 701 s->min_proto_version = ctx->min_proto_version; 702 s->max_proto_version = ctx->max_proto_version; 703 s->mode = ctx->mode; 704 s->max_cert_list = ctx->max_cert_list; 705 s->max_early_data = ctx->max_early_data; 706 s->recv_max_early_data = ctx->recv_max_early_data; 707 s->num_tickets = ctx->num_tickets; 708 s->pha_enabled = ctx->pha_enabled; 709 710 /* Shallow copy of the ciphersuites stack */ 711 s->tls13_ciphersuites = sk_SSL_CIPHER_dup(ctx->tls13_ciphersuites); 712 if (s->tls13_ciphersuites == NULL) 713 goto err; 714 715 /* 716 * Earlier library versions used to copy the pointer to the CERT, not 717 * its contents; only when setting new parameters for the per-SSL 718 * copy, ssl_cert_new would be called (and the direct reference to 719 * the per-SSL_CTX settings would be lost, but those still were 720 * indirectly accessed for various purposes, and for that reason they 721 * used to be known as s->ctx->default_cert). Now we don't look at the 722 * SSL_CTX's CERT after having duplicated it once. 723 */ 724 s->cert = ssl_cert_dup(ctx->cert); 725 if (s->cert == NULL) 726 goto err; 727 728 RECORD_LAYER_set_read_ahead(&s->rlayer, ctx->read_ahead); 729 s->msg_callback = ctx->msg_callback; 730 s->msg_callback_arg = ctx->msg_callback_arg; 731 s->verify_mode = ctx->verify_mode; 732 s->not_resumable_session_cb = ctx->not_resumable_session_cb; 733 s->record_padding_cb = ctx->record_padding_cb; 734 s->record_padding_arg = ctx->record_padding_arg; 735 s->block_padding = ctx->block_padding; 736 s->sid_ctx_length = ctx->sid_ctx_length; 737 if (!ossl_assert(s->sid_ctx_length <= sizeof(s->sid_ctx))) 738 goto err; 739 memcpy(&s->sid_ctx, &ctx->sid_ctx, sizeof(s->sid_ctx)); 740 s->verify_callback = ctx->default_verify_callback; 741 s->generate_session_id = ctx->generate_session_id; 742 743 s->param = X509_VERIFY_PARAM_new(); 744 if (s->param == NULL) 745 goto err; 746 X509_VERIFY_PARAM_inherit(s->param, ctx->param); 747 s->quiet_shutdown = ctx->quiet_shutdown; 748 749 s->ext.max_fragment_len_mode = ctx->ext.max_fragment_len_mode; 750 s->max_send_fragment = ctx->max_send_fragment; 751 s->split_send_fragment = ctx->split_send_fragment; 752 s->max_pipelines = ctx->max_pipelines; 753 if (s->max_pipelines > 1) 754 RECORD_LAYER_set_read_ahead(&s->rlayer, 1); 755 if (ctx->default_read_buf_len > 0) 756 SSL_set_default_read_buffer_len(s, ctx->default_read_buf_len); 757 758 SSL_CTX_up_ref(ctx); 759 s->ctx = ctx; 760 s->ext.debug_cb = 0; 761 s->ext.debug_arg = NULL; 762 s->ext.ticket_expected = 0; 763 s->ext.status_type = ctx->ext.status_type; 764 s->ext.status_expected = 0; 765 s->ext.ocsp.ids = NULL; 766 s->ext.ocsp.exts = NULL; 767 s->ext.ocsp.resp = NULL; 768 s->ext.ocsp.resp_len = 0; 769 SSL_CTX_up_ref(ctx); 770 s->session_ctx = ctx; 771 if (ctx->ext.ecpointformats) { 772 s->ext.ecpointformats = 773 OPENSSL_memdup(ctx->ext.ecpointformats, 774 ctx->ext.ecpointformats_len); 775 if (!s->ext.ecpointformats) { 776 s->ext.ecpointformats_len = 0; 777 goto err; 778 } 779 s->ext.ecpointformats_len = 780 ctx->ext.ecpointformats_len; 781 } 782 if (ctx->ext.supportedgroups) { 783 s->ext.supportedgroups = 784 OPENSSL_memdup(ctx->ext.supportedgroups, 785 ctx->ext.supportedgroups_len 786 * sizeof(*ctx->ext.supportedgroups)); 787 if (!s->ext.supportedgroups) { 788 s->ext.supportedgroups_len = 0; 789 goto err; 790 } 791 s->ext.supportedgroups_len = ctx->ext.supportedgroups_len; 792 } 793 794 #ifndef OPENSSL_NO_NEXTPROTONEG 795 s->ext.npn = NULL; 796 #endif 797 798 if (s->ctx->ext.alpn) { 799 s->ext.alpn = OPENSSL_malloc(s->ctx->ext.alpn_len); 800 if (s->ext.alpn == NULL) { 801 s->ext.alpn_len = 0; 802 goto err; 803 } 804 memcpy(s->ext.alpn, s->ctx->ext.alpn, s->ctx->ext.alpn_len); 805 s->ext.alpn_len = s->ctx->ext.alpn_len; 806 } 807 808 s->verified_chain = NULL; 809 s->verify_result = X509_V_OK; 810 811 s->default_passwd_callback = ctx->default_passwd_callback; 812 s->default_passwd_callback_userdata = ctx->default_passwd_callback_userdata; 813 814 s->method = ctx->method; 815 816 s->key_update = SSL_KEY_UPDATE_NONE; 817 818 s->allow_early_data_cb = ctx->allow_early_data_cb; 819 s->allow_early_data_cb_data = ctx->allow_early_data_cb_data; 820 821 if (!s->method->ssl_new(s)) 822 goto err; 823 824 s->server = (ctx->method->ssl_accept == ssl_undefined_function) ? 0 : 1; 825 826 if (!SSL_clear(s)) 827 goto err; 828 829 if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL, s, &s->ex_data)) 830 goto err; 831 832 #ifndef OPENSSL_NO_PSK 833 s->psk_client_callback = ctx->psk_client_callback; 834 s->psk_server_callback = ctx->psk_server_callback; 835 #endif 836 s->psk_find_session_cb = ctx->psk_find_session_cb; 837 s->psk_use_session_cb = ctx->psk_use_session_cb; 838 839 s->async_cb = ctx->async_cb; 840 s->async_cb_arg = ctx->async_cb_arg; 841 842 s->job = NULL; 843 844 #ifndef OPENSSL_NO_CT 845 if (!SSL_set_ct_validation_callback(s, ctx->ct_validation_callback, 846 ctx->ct_validation_callback_arg)) 847 goto err; 848 #endif 849 850 return s; 851 err: 852 SSL_free(s); 853 ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE); 854 return NULL; 855 } 856 857 int SSL_is_dtls(const SSL *s) 858 { 859 return SSL_IS_DTLS(s) ? 1 : 0; 860 } 861 862 int SSL_up_ref(SSL *s) 863 { 864 int i; 865 866 if (CRYPTO_UP_REF(&s->references, &i, s->lock) <= 0) 867 return 0; 868 869 REF_PRINT_COUNT("SSL", s); 870 REF_ASSERT_ISNT(i < 2); 871 return ((i > 1) ? 1 : 0); 872 } 873 874 int SSL_CTX_set_session_id_context(SSL_CTX *ctx, const unsigned char *sid_ctx, 875 unsigned int sid_ctx_len) 876 { 877 if (sid_ctx_len > SSL_MAX_SID_CTX_LENGTH) { 878 ERR_raise(ERR_LIB_SSL, SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG); 879 return 0; 880 } 881 ctx->sid_ctx_length = sid_ctx_len; 882 memcpy(ctx->sid_ctx, sid_ctx, sid_ctx_len); 883 884 return 1; 885 } 886 887 int SSL_set_session_id_context(SSL *ssl, const unsigned char *sid_ctx, 888 unsigned int sid_ctx_len) 889 { 890 if (sid_ctx_len > SSL_MAX_SID_CTX_LENGTH) { 891 ERR_raise(ERR_LIB_SSL, SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG); 892 return 0; 893 } 894 ssl->sid_ctx_length = sid_ctx_len; 895 memcpy(ssl->sid_ctx, sid_ctx, sid_ctx_len); 896 897 return 1; 898 } 899 900 int SSL_CTX_set_generate_session_id(SSL_CTX *ctx, GEN_SESSION_CB cb) 901 { 902 if (!CRYPTO_THREAD_write_lock(ctx->lock)) 903 return 0; 904 ctx->generate_session_id = cb; 905 CRYPTO_THREAD_unlock(ctx->lock); 906 return 1; 907 } 908 909 int SSL_set_generate_session_id(SSL *ssl, GEN_SESSION_CB cb) 910 { 911 if (!CRYPTO_THREAD_write_lock(ssl->lock)) 912 return 0; 913 ssl->generate_session_id = cb; 914 CRYPTO_THREAD_unlock(ssl->lock); 915 return 1; 916 } 917 918 int SSL_has_matching_session_id(const SSL *ssl, const unsigned char *id, 919 unsigned int id_len) 920 { 921 /* 922 * A quick examination of SSL_SESSION_hash and SSL_SESSION_cmp shows how 923 * we can "construct" a session to give us the desired check - i.e. to 924 * find if there's a session in the hash table that would conflict with 925 * any new session built out of this id/id_len and the ssl_version in use 926 * by this SSL. 927 */ 928 SSL_SESSION r, *p; 929 930 if (id_len > sizeof(r.session_id)) 931 return 0; 932 933 r.ssl_version = ssl->version; 934 r.session_id_length = id_len; 935 memcpy(r.session_id, id, id_len); 936 937 if (!CRYPTO_THREAD_read_lock(ssl->session_ctx->lock)) 938 return 0; 939 p = lh_SSL_SESSION_retrieve(ssl->session_ctx->sessions, &r); 940 CRYPTO_THREAD_unlock(ssl->session_ctx->lock); 941 return (p != NULL); 942 } 943 944 int SSL_CTX_set_purpose(SSL_CTX *s, int purpose) 945 { 946 return X509_VERIFY_PARAM_set_purpose(s->param, purpose); 947 } 948 949 int SSL_set_purpose(SSL *s, int purpose) 950 { 951 return X509_VERIFY_PARAM_set_purpose(s->param, purpose); 952 } 953 954 int SSL_CTX_set_trust(SSL_CTX *s, int trust) 955 { 956 return X509_VERIFY_PARAM_set_trust(s->param, trust); 957 } 958 959 int SSL_set_trust(SSL *s, int trust) 960 { 961 return X509_VERIFY_PARAM_set_trust(s->param, trust); 962 } 963 964 int SSL_set1_host(SSL *s, const char *hostname) 965 { 966 /* If a hostname is provided and parses as an IP address, 967 * treat it as such. */ 968 if (hostname && X509_VERIFY_PARAM_set1_ip_asc(s->param, hostname) == 1) 969 return 1; 970 971 return X509_VERIFY_PARAM_set1_host(s->param, hostname, 0); 972 } 973 974 int SSL_add1_host(SSL *s, const char *hostname) 975 { 976 /* If a hostname is provided and parses as an IP address, 977 * treat it as such. */ 978 if (hostname) 979 { 980 ASN1_OCTET_STRING *ip; 981 char *old_ip; 982 983 ip = a2i_IPADDRESS(hostname); 984 if (ip) { 985 /* We didn't want it; only to check if it *is* an IP address */ 986 ASN1_OCTET_STRING_free(ip); 987 988 old_ip = X509_VERIFY_PARAM_get1_ip_asc(s->param); 989 if (old_ip) 990 { 991 OPENSSL_free(old_ip); 992 /* There can be only one IP address */ 993 return 0; 994 } 995 996 return X509_VERIFY_PARAM_set1_ip_asc(s->param, hostname); 997 } 998 } 999 1000 return X509_VERIFY_PARAM_add1_host(s->param, hostname, 0); 1001 } 1002 1003 void SSL_set_hostflags(SSL *s, unsigned int flags) 1004 { 1005 X509_VERIFY_PARAM_set_hostflags(s->param, flags); 1006 } 1007 1008 const char *SSL_get0_peername(SSL *s) 1009 { 1010 return X509_VERIFY_PARAM_get0_peername(s->param); 1011 } 1012 1013 int SSL_CTX_dane_enable(SSL_CTX *ctx) 1014 { 1015 return dane_ctx_enable(&ctx->dane); 1016 } 1017 1018 unsigned long SSL_CTX_dane_set_flags(SSL_CTX *ctx, unsigned long flags) 1019 { 1020 unsigned long orig = ctx->dane.flags; 1021 1022 ctx->dane.flags |= flags; 1023 return orig; 1024 } 1025 1026 unsigned long SSL_CTX_dane_clear_flags(SSL_CTX *ctx, unsigned long flags) 1027 { 1028 unsigned long orig = ctx->dane.flags; 1029 1030 ctx->dane.flags &= ~flags; 1031 return orig; 1032 } 1033 1034 int SSL_dane_enable(SSL *s, const char *basedomain) 1035 { 1036 SSL_DANE *dane = &s->dane; 1037 1038 if (s->ctx->dane.mdmax == 0) { 1039 ERR_raise(ERR_LIB_SSL, SSL_R_CONTEXT_NOT_DANE_ENABLED); 1040 return 0; 1041 } 1042 if (dane->trecs != NULL) { 1043 ERR_raise(ERR_LIB_SSL, SSL_R_DANE_ALREADY_ENABLED); 1044 return 0; 1045 } 1046 1047 /* 1048 * Default SNI name. This rejects empty names, while set1_host below 1049 * accepts them and disables host name checks. To avoid side-effects with 1050 * invalid input, set the SNI name first. 1051 */ 1052 if (s->ext.hostname == NULL) { 1053 if (!SSL_set_tlsext_host_name(s, basedomain)) { 1054 ERR_raise(ERR_LIB_SSL, SSL_R_ERROR_SETTING_TLSA_BASE_DOMAIN); 1055 return -1; 1056 } 1057 } 1058 1059 /* Primary RFC6125 reference identifier */ 1060 if (!X509_VERIFY_PARAM_set1_host(s->param, basedomain, 0)) { 1061 ERR_raise(ERR_LIB_SSL, SSL_R_ERROR_SETTING_TLSA_BASE_DOMAIN); 1062 return -1; 1063 } 1064 1065 dane->mdpth = -1; 1066 dane->pdpth = -1; 1067 dane->dctx = &s->ctx->dane; 1068 dane->trecs = sk_danetls_record_new_null(); 1069 1070 if (dane->trecs == NULL) { 1071 ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE); 1072 return -1; 1073 } 1074 return 1; 1075 } 1076 1077 unsigned long SSL_dane_set_flags(SSL *ssl, unsigned long flags) 1078 { 1079 unsigned long orig = ssl->dane.flags; 1080 1081 ssl->dane.flags |= flags; 1082 return orig; 1083 } 1084 1085 unsigned long SSL_dane_clear_flags(SSL *ssl, unsigned long flags) 1086 { 1087 unsigned long orig = ssl->dane.flags; 1088 1089 ssl->dane.flags &= ~flags; 1090 return orig; 1091 } 1092 1093 int SSL_get0_dane_authority(SSL *s, X509 **mcert, EVP_PKEY **mspki) 1094 { 1095 SSL_DANE *dane = &s->dane; 1096 1097 if (!DANETLS_ENABLED(dane) || s->verify_result != X509_V_OK) 1098 return -1; 1099 if (dane->mtlsa) { 1100 if (mcert) 1101 *mcert = dane->mcert; 1102 if (mspki) 1103 *mspki = (dane->mcert == NULL) ? dane->mtlsa->spki : NULL; 1104 } 1105 return dane->mdpth; 1106 } 1107 1108 int SSL_get0_dane_tlsa(SSL *s, uint8_t *usage, uint8_t *selector, 1109 uint8_t *mtype, const unsigned char **data, size_t *dlen) 1110 { 1111 SSL_DANE *dane = &s->dane; 1112 1113 if (!DANETLS_ENABLED(dane) || s->verify_result != X509_V_OK) 1114 return -1; 1115 if (dane->mtlsa) { 1116 if (usage) 1117 *usage = dane->mtlsa->usage; 1118 if (selector) 1119 *selector = dane->mtlsa->selector; 1120 if (mtype) 1121 *mtype = dane->mtlsa->mtype; 1122 if (data) 1123 *data = dane->mtlsa->data; 1124 if (dlen) 1125 *dlen = dane->mtlsa->dlen; 1126 } 1127 return dane->mdpth; 1128 } 1129 1130 SSL_DANE *SSL_get0_dane(SSL *s) 1131 { 1132 return &s->dane; 1133 } 1134 1135 int SSL_dane_tlsa_add(SSL *s, uint8_t usage, uint8_t selector, 1136 uint8_t mtype, const unsigned char *data, size_t dlen) 1137 { 1138 return dane_tlsa_add(&s->dane, usage, selector, mtype, data, dlen); 1139 } 1140 1141 int SSL_CTX_dane_mtype_set(SSL_CTX *ctx, const EVP_MD *md, uint8_t mtype, 1142 uint8_t ord) 1143 { 1144 return dane_mtype_set(&ctx->dane, md, mtype, ord); 1145 } 1146 1147 int SSL_CTX_set1_param(SSL_CTX *ctx, X509_VERIFY_PARAM *vpm) 1148 { 1149 return X509_VERIFY_PARAM_set1(ctx->param, vpm); 1150 } 1151 1152 int SSL_set1_param(SSL *ssl, X509_VERIFY_PARAM *vpm) 1153 { 1154 return X509_VERIFY_PARAM_set1(ssl->param, vpm); 1155 } 1156 1157 X509_VERIFY_PARAM *SSL_CTX_get0_param(SSL_CTX *ctx) 1158 { 1159 return ctx->param; 1160 } 1161 1162 X509_VERIFY_PARAM *SSL_get0_param(SSL *ssl) 1163 { 1164 return ssl->param; 1165 } 1166 1167 void SSL_certs_clear(SSL *s) 1168 { 1169 ssl_cert_clear_certs(s->cert); 1170 } 1171 1172 void SSL_free(SSL *s) 1173 { 1174 int i; 1175 1176 if (s == NULL) 1177 return; 1178 CRYPTO_DOWN_REF(&s->references, &i, s->lock); 1179 REF_PRINT_COUNT("SSL", s); 1180 if (i > 0) 1181 return; 1182 REF_ASSERT_ISNT(i < 0); 1183 1184 X509_VERIFY_PARAM_free(s->param); 1185 dane_final(&s->dane); 1186 CRYPTO_free_ex_data(CRYPTO_EX_INDEX_SSL, s, &s->ex_data); 1187 1188 RECORD_LAYER_release(&s->rlayer); 1189 1190 /* Ignore return value */ 1191 ssl_free_wbio_buffer(s); 1192 1193 BIO_free_all(s->wbio); 1194 s->wbio = NULL; 1195 BIO_free_all(s->rbio); 1196 s->rbio = NULL; 1197 1198 BUF_MEM_free(s->init_buf); 1199 1200 /* add extra stuff */ 1201 sk_SSL_CIPHER_free(s->cipher_list); 1202 sk_SSL_CIPHER_free(s->cipher_list_by_id); 1203 sk_SSL_CIPHER_free(s->tls13_ciphersuites); 1204 sk_SSL_CIPHER_free(s->peer_ciphers); 1205 1206 /* Make the next call work :-) */ 1207 if (s->session != NULL) { 1208 ssl_clear_bad_session(s); 1209 SSL_SESSION_free(s->session); 1210 } 1211 SSL_SESSION_free(s->psksession); 1212 OPENSSL_free(s->psksession_id); 1213 1214 clear_ciphers(s); 1215 1216 ssl_cert_free(s->cert); 1217 OPENSSL_free(s->shared_sigalgs); 1218 /* Free up if allocated */ 1219 1220 OPENSSL_free(s->ext.hostname); 1221 SSL_CTX_free(s->session_ctx); 1222 OPENSSL_free(s->ext.ecpointformats); 1223 OPENSSL_free(s->ext.peer_ecpointformats); 1224 OPENSSL_free(s->ext.supportedgroups); 1225 OPENSSL_free(s->ext.peer_supportedgroups); 1226 sk_X509_EXTENSION_pop_free(s->ext.ocsp.exts, X509_EXTENSION_free); 1227 #ifndef OPENSSL_NO_OCSP 1228 sk_OCSP_RESPID_pop_free(s->ext.ocsp.ids, OCSP_RESPID_free); 1229 #endif 1230 #ifndef OPENSSL_NO_CT 1231 SCT_LIST_free(s->scts); 1232 OPENSSL_free(s->ext.scts); 1233 #endif 1234 OPENSSL_free(s->ext.ocsp.resp); 1235 OPENSSL_free(s->ext.alpn); 1236 OPENSSL_free(s->ext.tls13_cookie); 1237 if (s->clienthello != NULL) 1238 OPENSSL_free(s->clienthello->pre_proc_exts); 1239 OPENSSL_free(s->clienthello); 1240 OPENSSL_free(s->pha_context); 1241 EVP_MD_CTX_free(s->pha_dgst); 1242 1243 sk_X509_NAME_pop_free(s->ca_names, X509_NAME_free); 1244 sk_X509_NAME_pop_free(s->client_ca_names, X509_NAME_free); 1245 1246 sk_X509_pop_free(s->verified_chain, X509_free); 1247 1248 if (s->method != NULL) 1249 s->method->ssl_free(s); 1250 1251 SSL_CTX_free(s->ctx); 1252 1253 ASYNC_WAIT_CTX_free(s->waitctx); 1254 1255 #if !defined(OPENSSL_NO_NEXTPROTONEG) 1256 OPENSSL_free(s->ext.npn); 1257 #endif 1258 1259 #ifndef OPENSSL_NO_SRTP 1260 sk_SRTP_PROTECTION_PROFILE_free(s->srtp_profiles); 1261 #endif 1262 1263 CRYPTO_THREAD_lock_free(s->lock); 1264 1265 OPENSSL_free(s); 1266 } 1267 1268 void SSL_set0_rbio(SSL *s, BIO *rbio) 1269 { 1270 BIO_free_all(s->rbio); 1271 s->rbio = rbio; 1272 } 1273 1274 void SSL_set0_wbio(SSL *s, BIO *wbio) 1275 { 1276 /* 1277 * If the output buffering BIO is still in place, remove it 1278 */ 1279 if (s->bbio != NULL) 1280 s->wbio = BIO_pop(s->wbio); 1281 1282 BIO_free_all(s->wbio); 1283 s->wbio = wbio; 1284 1285 /* Re-attach |bbio| to the new |wbio|. */ 1286 if (s->bbio != NULL) 1287 s->wbio = BIO_push(s->bbio, s->wbio); 1288 } 1289 1290 void SSL_set_bio(SSL *s, BIO *rbio, BIO *wbio) 1291 { 1292 /* 1293 * For historical reasons, this function has many different cases in 1294 * ownership handling. 1295 */ 1296 1297 /* If nothing has changed, do nothing */ 1298 if (rbio == SSL_get_rbio(s) && wbio == SSL_get_wbio(s)) 1299 return; 1300 1301 /* 1302 * If the two arguments are equal then one fewer reference is granted by the 1303 * caller than we want to take 1304 */ 1305 if (rbio != NULL && rbio == wbio) 1306 BIO_up_ref(rbio); 1307 1308 /* 1309 * If only the wbio is changed only adopt one reference. 1310 */ 1311 if (rbio == SSL_get_rbio(s)) { 1312 SSL_set0_wbio(s, wbio); 1313 return; 1314 } 1315 /* 1316 * There is an asymmetry here for historical reasons. If only the rbio is 1317 * changed AND the rbio and wbio were originally different, then we only 1318 * adopt one reference. 1319 */ 1320 if (wbio == SSL_get_wbio(s) && SSL_get_rbio(s) != SSL_get_wbio(s)) { 1321 SSL_set0_rbio(s, rbio); 1322 return; 1323 } 1324 1325 /* Otherwise, adopt both references. */ 1326 SSL_set0_rbio(s, rbio); 1327 SSL_set0_wbio(s, wbio); 1328 } 1329 1330 BIO *SSL_get_rbio(const SSL *s) 1331 { 1332 return s->rbio; 1333 } 1334 1335 BIO *SSL_get_wbio(const SSL *s) 1336 { 1337 if (s->bbio != NULL) { 1338 /* 1339 * If |bbio| is active, the true caller-configured BIO is its 1340 * |next_bio|. 1341 */ 1342 return BIO_next(s->bbio); 1343 } 1344 return s->wbio; 1345 } 1346 1347 int SSL_get_fd(const SSL *s) 1348 { 1349 return SSL_get_rfd(s); 1350 } 1351 1352 int SSL_get_rfd(const SSL *s) 1353 { 1354 int ret = -1; 1355 BIO *b, *r; 1356 1357 b = SSL_get_rbio(s); 1358 r = BIO_find_type(b, BIO_TYPE_DESCRIPTOR); 1359 if (r != NULL) 1360 BIO_get_fd(r, &ret); 1361 return ret; 1362 } 1363 1364 int SSL_get_wfd(const SSL *s) 1365 { 1366 int ret = -1; 1367 BIO *b, *r; 1368 1369 b = SSL_get_wbio(s); 1370 r = BIO_find_type(b, BIO_TYPE_DESCRIPTOR); 1371 if (r != NULL) 1372 BIO_get_fd(r, &ret); 1373 return ret; 1374 } 1375 1376 #ifndef OPENSSL_NO_SOCK 1377 int SSL_set_fd(SSL *s, int fd) 1378 { 1379 int ret = 0; 1380 BIO *bio = NULL; 1381 1382 bio = BIO_new(BIO_s_socket()); 1383 1384 if (bio == NULL) { 1385 ERR_raise(ERR_LIB_SSL, ERR_R_BUF_LIB); 1386 goto err; 1387 } 1388 BIO_set_fd(bio, fd, BIO_NOCLOSE); 1389 SSL_set_bio(s, bio, bio); 1390 #ifndef OPENSSL_NO_KTLS 1391 /* 1392 * The new socket is created successfully regardless of ktls_enable. 1393 * ktls_enable doesn't change any functionality of the socket, except 1394 * changing the setsockopt to enable the processing of ktls_start. 1395 * Thus, it is not a problem to call it for non-TLS sockets. 1396 */ 1397 ktls_enable(fd); 1398 #endif /* OPENSSL_NO_KTLS */ 1399 ret = 1; 1400 err: 1401 return ret; 1402 } 1403 1404 int SSL_set_wfd(SSL *s, int fd) 1405 { 1406 BIO *rbio = SSL_get_rbio(s); 1407 1408 if (rbio == NULL || BIO_method_type(rbio) != BIO_TYPE_SOCKET 1409 || (int)BIO_get_fd(rbio, NULL) != fd) { 1410 BIO *bio = BIO_new(BIO_s_socket()); 1411 1412 if (bio == NULL) { 1413 ERR_raise(ERR_LIB_SSL, ERR_R_BUF_LIB); 1414 return 0; 1415 } 1416 BIO_set_fd(bio, fd, BIO_NOCLOSE); 1417 SSL_set0_wbio(s, bio); 1418 #ifndef OPENSSL_NO_KTLS 1419 /* 1420 * The new socket is created successfully regardless of ktls_enable. 1421 * ktls_enable doesn't change any functionality of the socket, except 1422 * changing the setsockopt to enable the processing of ktls_start. 1423 * Thus, it is not a problem to call it for non-TLS sockets. 1424 */ 1425 ktls_enable(fd); 1426 #endif /* OPENSSL_NO_KTLS */ 1427 } else { 1428 BIO_up_ref(rbio); 1429 SSL_set0_wbio(s, rbio); 1430 } 1431 return 1; 1432 } 1433 1434 int SSL_set_rfd(SSL *s, int fd) 1435 { 1436 BIO *wbio = SSL_get_wbio(s); 1437 1438 if (wbio == NULL || BIO_method_type(wbio) != BIO_TYPE_SOCKET 1439 || ((int)BIO_get_fd(wbio, NULL) != fd)) { 1440 BIO *bio = BIO_new(BIO_s_socket()); 1441 1442 if (bio == NULL) { 1443 ERR_raise(ERR_LIB_SSL, ERR_R_BUF_LIB); 1444 return 0; 1445 } 1446 BIO_set_fd(bio, fd, BIO_NOCLOSE); 1447 SSL_set0_rbio(s, bio); 1448 } else { 1449 BIO_up_ref(wbio); 1450 SSL_set0_rbio(s, wbio); 1451 } 1452 1453 return 1; 1454 } 1455 #endif 1456 1457 /* return length of latest Finished message we sent, copy to 'buf' */ 1458 size_t SSL_get_finished(const SSL *s, void *buf, size_t count) 1459 { 1460 size_t ret = 0; 1461 1462 ret = s->s3.tmp.finish_md_len; 1463 if (count > ret) 1464 count = ret; 1465 memcpy(buf, s->s3.tmp.finish_md, count); 1466 return ret; 1467 } 1468 1469 /* return length of latest Finished message we expected, copy to 'buf' */ 1470 size_t SSL_get_peer_finished(const SSL *s, void *buf, size_t count) 1471 { 1472 size_t ret = 0; 1473 1474 ret = s->s3.tmp.peer_finish_md_len; 1475 if (count > ret) 1476 count = ret; 1477 memcpy(buf, s->s3.tmp.peer_finish_md, count); 1478 return ret; 1479 } 1480 1481 int SSL_get_verify_mode(const SSL *s) 1482 { 1483 return s->verify_mode; 1484 } 1485 1486 int SSL_get_verify_depth(const SSL *s) 1487 { 1488 return X509_VERIFY_PARAM_get_depth(s->param); 1489 } 1490 1491 int (*SSL_get_verify_callback(const SSL *s)) (int, X509_STORE_CTX *) { 1492 return s->verify_callback; 1493 } 1494 1495 int SSL_CTX_get_verify_mode(const SSL_CTX *ctx) 1496 { 1497 return ctx->verify_mode; 1498 } 1499 1500 int SSL_CTX_get_verify_depth(const SSL_CTX *ctx) 1501 { 1502 return X509_VERIFY_PARAM_get_depth(ctx->param); 1503 } 1504 1505 int (*SSL_CTX_get_verify_callback(const SSL_CTX *ctx)) (int, X509_STORE_CTX *) { 1506 return ctx->default_verify_callback; 1507 } 1508 1509 void SSL_set_verify(SSL *s, int mode, 1510 int (*callback) (int ok, X509_STORE_CTX *ctx)) 1511 { 1512 s->verify_mode = mode; 1513 if (callback != NULL) 1514 s->verify_callback = callback; 1515 } 1516 1517 void SSL_set_verify_depth(SSL *s, int depth) 1518 { 1519 X509_VERIFY_PARAM_set_depth(s->param, depth); 1520 } 1521 1522 void SSL_set_read_ahead(SSL *s, int yes) 1523 { 1524 RECORD_LAYER_set_read_ahead(&s->rlayer, yes); 1525 } 1526 1527 int SSL_get_read_ahead(const SSL *s) 1528 { 1529 return RECORD_LAYER_get_read_ahead(&s->rlayer); 1530 } 1531 1532 int SSL_pending(const SSL *s) 1533 { 1534 size_t pending = s->method->ssl_pending(s); 1535 1536 /* 1537 * SSL_pending cannot work properly if read-ahead is enabled 1538 * (SSL_[CTX_]ctrl(..., SSL_CTRL_SET_READ_AHEAD, 1, NULL)), and it is 1539 * impossible to fix since SSL_pending cannot report errors that may be 1540 * observed while scanning the new data. (Note that SSL_pending() is 1541 * often used as a boolean value, so we'd better not return -1.) 1542 * 1543 * SSL_pending also cannot work properly if the value >INT_MAX. In that case 1544 * we just return INT_MAX. 1545 */ 1546 return pending < INT_MAX ? (int)pending : INT_MAX; 1547 } 1548 1549 int SSL_has_pending(const SSL *s) 1550 { 1551 /* 1552 * Similar to SSL_pending() but returns a 1 to indicate that we have 1553 * processed or unprocessed data available or 0 otherwise (as opposed to the 1554 * number of bytes available). Unlike SSL_pending() this will take into 1555 * account read_ahead data. A 1 return simply indicates that we have data. 1556 * That data may not result in any application data, or we may fail to parse 1557 * the records for some reason. 1558 */ 1559 1560 /* Check buffered app data if any first */ 1561 if (SSL_IS_DTLS(s)) { 1562 DTLS1_RECORD_DATA *rdata; 1563 pitem *item, *iter; 1564 1565 iter = pqueue_iterator(s->rlayer.d->buffered_app_data.q); 1566 while ((item = pqueue_next(&iter)) != NULL) { 1567 rdata = item->data; 1568 if (rdata->rrec.length > 0) 1569 return 1; 1570 } 1571 } 1572 1573 if (RECORD_LAYER_processed_read_pending(&s->rlayer)) 1574 return 1; 1575 1576 return RECORD_LAYER_read_pending(&s->rlayer); 1577 } 1578 1579 X509 *SSL_get1_peer_certificate(const SSL *s) 1580 { 1581 X509 *r = SSL_get0_peer_certificate(s); 1582 1583 if (r != NULL) 1584 X509_up_ref(r); 1585 1586 return r; 1587 } 1588 1589 X509 *SSL_get0_peer_certificate(const SSL *s) 1590 { 1591 if ((s == NULL) || (s->session == NULL)) 1592 return NULL; 1593 else 1594 return s->session->peer; 1595 } 1596 1597 STACK_OF(X509) *SSL_get_peer_cert_chain(const SSL *s) 1598 { 1599 STACK_OF(X509) *r; 1600 1601 if ((s == NULL) || (s->session == NULL)) 1602 r = NULL; 1603 else 1604 r = s->session->peer_chain; 1605 1606 /* 1607 * If we are a client, cert_chain includes the peer's own certificate; if 1608 * we are a server, it does not. 1609 */ 1610 1611 return r; 1612 } 1613 1614 /* 1615 * Now in theory, since the calling process own 't' it should be safe to 1616 * modify. We need to be able to read f without being hassled 1617 */ 1618 int SSL_copy_session_id(SSL *t, const SSL *f) 1619 { 1620 int i; 1621 /* Do we need to do SSL locking? */ 1622 if (!SSL_set_session(t, SSL_get_session(f))) { 1623 return 0; 1624 } 1625 1626 /* 1627 * what if we are setup for one protocol version but want to talk another 1628 */ 1629 if (t->method != f->method) { 1630 t->method->ssl_free(t); 1631 t->method = f->method; 1632 if (t->method->ssl_new(t) == 0) 1633 return 0; 1634 } 1635 1636 CRYPTO_UP_REF(&f->cert->references, &i, f->cert->lock); 1637 ssl_cert_free(t->cert); 1638 t->cert = f->cert; 1639 if (!SSL_set_session_id_context(t, f->sid_ctx, (int)f->sid_ctx_length)) { 1640 return 0; 1641 } 1642 1643 return 1; 1644 } 1645 1646 /* Fix this so it checks all the valid key/cert options */ 1647 int SSL_CTX_check_private_key(const SSL_CTX *ctx) 1648 { 1649 if ((ctx == NULL) || (ctx->cert->key->x509 == NULL)) { 1650 ERR_raise(ERR_LIB_SSL, SSL_R_NO_CERTIFICATE_ASSIGNED); 1651 return 0; 1652 } 1653 if (ctx->cert->key->privatekey == NULL) { 1654 ERR_raise(ERR_LIB_SSL, SSL_R_NO_PRIVATE_KEY_ASSIGNED); 1655 return 0; 1656 } 1657 return X509_check_private_key 1658 (ctx->cert->key->x509, ctx->cert->key->privatekey); 1659 } 1660 1661 /* Fix this function so that it takes an optional type parameter */ 1662 int SSL_check_private_key(const SSL *ssl) 1663 { 1664 if (ssl == NULL) { 1665 ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_NULL_PARAMETER); 1666 return 0; 1667 } 1668 if (ssl->cert->key->x509 == NULL) { 1669 ERR_raise(ERR_LIB_SSL, SSL_R_NO_CERTIFICATE_ASSIGNED); 1670 return 0; 1671 } 1672 if (ssl->cert->key->privatekey == NULL) { 1673 ERR_raise(ERR_LIB_SSL, SSL_R_NO_PRIVATE_KEY_ASSIGNED); 1674 return 0; 1675 } 1676 return X509_check_private_key(ssl->cert->key->x509, 1677 ssl->cert->key->privatekey); 1678 } 1679 1680 int SSL_waiting_for_async(SSL *s) 1681 { 1682 if (s->job) 1683 return 1; 1684 1685 return 0; 1686 } 1687 1688 int SSL_get_all_async_fds(SSL *s, OSSL_ASYNC_FD *fds, size_t *numfds) 1689 { 1690 ASYNC_WAIT_CTX *ctx = s->waitctx; 1691 1692 if (ctx == NULL) 1693 return 0; 1694 return ASYNC_WAIT_CTX_get_all_fds(ctx, fds, numfds); 1695 } 1696 1697 int SSL_get_changed_async_fds(SSL *s, OSSL_ASYNC_FD *addfd, size_t *numaddfds, 1698 OSSL_ASYNC_FD *delfd, size_t *numdelfds) 1699 { 1700 ASYNC_WAIT_CTX *ctx = s->waitctx; 1701 1702 if (ctx == NULL) 1703 return 0; 1704 return ASYNC_WAIT_CTX_get_changed_fds(ctx, addfd, numaddfds, delfd, 1705 numdelfds); 1706 } 1707 1708 int SSL_CTX_set_async_callback(SSL_CTX *ctx, SSL_async_callback_fn callback) 1709 { 1710 ctx->async_cb = callback; 1711 return 1; 1712 } 1713 1714 int SSL_CTX_set_async_callback_arg(SSL_CTX *ctx, void *arg) 1715 { 1716 ctx->async_cb_arg = arg; 1717 return 1; 1718 } 1719 1720 int SSL_set_async_callback(SSL *s, SSL_async_callback_fn callback) 1721 { 1722 s->async_cb = callback; 1723 return 1; 1724 } 1725 1726 int SSL_set_async_callback_arg(SSL *s, void *arg) 1727 { 1728 s->async_cb_arg = arg; 1729 return 1; 1730 } 1731 1732 int SSL_get_async_status(SSL *s, int *status) 1733 { 1734 ASYNC_WAIT_CTX *ctx = s->waitctx; 1735 1736 if (ctx == NULL) 1737 return 0; 1738 *status = ASYNC_WAIT_CTX_get_status(ctx); 1739 return 1; 1740 } 1741 1742 int SSL_accept(SSL *s) 1743 { 1744 if (s->handshake_func == NULL) { 1745 /* Not properly initialized yet */ 1746 SSL_set_accept_state(s); 1747 } 1748 1749 return SSL_do_handshake(s); 1750 } 1751 1752 int SSL_connect(SSL *s) 1753 { 1754 if (s->handshake_func == NULL) { 1755 /* Not properly initialized yet */ 1756 SSL_set_connect_state(s); 1757 } 1758 1759 return SSL_do_handshake(s); 1760 } 1761 1762 long SSL_get_default_timeout(const SSL *s) 1763 { 1764 return s->method->get_timeout(); 1765 } 1766 1767 static int ssl_async_wait_ctx_cb(void *arg) 1768 { 1769 SSL *s = (SSL *)arg; 1770 1771 return s->async_cb(s, s->async_cb_arg); 1772 } 1773 1774 static int ssl_start_async_job(SSL *s, struct ssl_async_args *args, 1775 int (*func) (void *)) 1776 { 1777 int ret; 1778 if (s->waitctx == NULL) { 1779 s->waitctx = ASYNC_WAIT_CTX_new(); 1780 if (s->waitctx == NULL) 1781 return -1; 1782 if (s->async_cb != NULL 1783 && !ASYNC_WAIT_CTX_set_callback 1784 (s->waitctx, ssl_async_wait_ctx_cb, s)) 1785 return -1; 1786 } 1787 1788 s->rwstate = SSL_NOTHING; 1789 switch (ASYNC_start_job(&s->job, s->waitctx, &ret, func, args, 1790 sizeof(struct ssl_async_args))) { 1791 case ASYNC_ERR: 1792 s->rwstate = SSL_NOTHING; 1793 ERR_raise(ERR_LIB_SSL, SSL_R_FAILED_TO_INIT_ASYNC); 1794 return -1; 1795 case ASYNC_PAUSE: 1796 s->rwstate = SSL_ASYNC_PAUSED; 1797 return -1; 1798 case ASYNC_NO_JOBS: 1799 s->rwstate = SSL_ASYNC_NO_JOBS; 1800 return -1; 1801 case ASYNC_FINISH: 1802 s->job = NULL; 1803 return ret; 1804 default: 1805 s->rwstate = SSL_NOTHING; 1806 ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR); 1807 /* Shouldn't happen */ 1808 return -1; 1809 } 1810 } 1811 1812 static int ssl_io_intern(void *vargs) 1813 { 1814 struct ssl_async_args *args; 1815 SSL *s; 1816 void *buf; 1817 size_t num; 1818 1819 args = (struct ssl_async_args *)vargs; 1820 s = args->s; 1821 buf = args->buf; 1822 num = args->num; 1823 switch (args->type) { 1824 case READFUNC: 1825 return args->f.func_read(s, buf, num, &s->asyncrw); 1826 case WRITEFUNC: 1827 return args->f.func_write(s, buf, num, &s->asyncrw); 1828 case OTHERFUNC: 1829 return args->f.func_other(s); 1830 } 1831 return -1; 1832 } 1833 1834 int ssl_read_internal(SSL *s, void *buf, size_t num, size_t *readbytes) 1835 { 1836 if (s->handshake_func == NULL) { 1837 ERR_raise(ERR_LIB_SSL, SSL_R_UNINITIALIZED); 1838 return -1; 1839 } 1840 1841 if (s->shutdown & SSL_RECEIVED_SHUTDOWN) { 1842 s->rwstate = SSL_NOTHING; 1843 return 0; 1844 } 1845 1846 if (s->early_data_state == SSL_EARLY_DATA_CONNECT_RETRY 1847 || s->early_data_state == SSL_EARLY_DATA_ACCEPT_RETRY) { 1848 ERR_raise(ERR_LIB_SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 1849 return 0; 1850 } 1851 /* 1852 * If we are a client and haven't received the ServerHello etc then we 1853 * better do that 1854 */ 1855 ossl_statem_check_finish_init(s, 0); 1856 1857 if ((s->mode & SSL_MODE_ASYNC) && ASYNC_get_current_job() == NULL) { 1858 struct ssl_async_args args; 1859 int ret; 1860 1861 args.s = s; 1862 args.buf = buf; 1863 args.num = num; 1864 args.type = READFUNC; 1865 args.f.func_read = s->method->ssl_read; 1866 1867 ret = ssl_start_async_job(s, &args, ssl_io_intern); 1868 *readbytes = s->asyncrw; 1869 return ret; 1870 } else { 1871 return s->method->ssl_read(s, buf, num, readbytes); 1872 } 1873 } 1874 1875 int SSL_read(SSL *s, void *buf, int num) 1876 { 1877 int ret; 1878 size_t readbytes; 1879 1880 if (num < 0) { 1881 ERR_raise(ERR_LIB_SSL, SSL_R_BAD_LENGTH); 1882 return -1; 1883 } 1884 1885 ret = ssl_read_internal(s, buf, (size_t)num, &readbytes); 1886 1887 /* 1888 * The cast is safe here because ret should be <= INT_MAX because num is 1889 * <= INT_MAX 1890 */ 1891 if (ret > 0) 1892 ret = (int)readbytes; 1893 1894 return ret; 1895 } 1896 1897 int SSL_read_ex(SSL *s, void *buf, size_t num, size_t *readbytes) 1898 { 1899 int ret = ssl_read_internal(s, buf, num, readbytes); 1900 1901 if (ret < 0) 1902 ret = 0; 1903 return ret; 1904 } 1905 1906 int SSL_read_early_data(SSL *s, void *buf, size_t num, size_t *readbytes) 1907 { 1908 int ret; 1909 1910 if (!s->server) { 1911 ERR_raise(ERR_LIB_SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 1912 return SSL_READ_EARLY_DATA_ERROR; 1913 } 1914 1915 switch (s->early_data_state) { 1916 case SSL_EARLY_DATA_NONE: 1917 if (!SSL_in_before(s)) { 1918 ERR_raise(ERR_LIB_SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 1919 return SSL_READ_EARLY_DATA_ERROR; 1920 } 1921 /* fall through */ 1922 1923 case SSL_EARLY_DATA_ACCEPT_RETRY: 1924 s->early_data_state = SSL_EARLY_DATA_ACCEPTING; 1925 ret = SSL_accept(s); 1926 if (ret <= 0) { 1927 /* NBIO or error */ 1928 s->early_data_state = SSL_EARLY_DATA_ACCEPT_RETRY; 1929 return SSL_READ_EARLY_DATA_ERROR; 1930 } 1931 /* fall through */ 1932 1933 case SSL_EARLY_DATA_READ_RETRY: 1934 if (s->ext.early_data == SSL_EARLY_DATA_ACCEPTED) { 1935 s->early_data_state = SSL_EARLY_DATA_READING; 1936 ret = SSL_read_ex(s, buf, num, readbytes); 1937 /* 1938 * State machine will update early_data_state to 1939 * SSL_EARLY_DATA_FINISHED_READING if we get an EndOfEarlyData 1940 * message 1941 */ 1942 if (ret > 0 || (ret <= 0 && s->early_data_state 1943 != SSL_EARLY_DATA_FINISHED_READING)) { 1944 s->early_data_state = SSL_EARLY_DATA_READ_RETRY; 1945 return ret > 0 ? SSL_READ_EARLY_DATA_SUCCESS 1946 : SSL_READ_EARLY_DATA_ERROR; 1947 } 1948 } else { 1949 s->early_data_state = SSL_EARLY_DATA_FINISHED_READING; 1950 } 1951 *readbytes = 0; 1952 return SSL_READ_EARLY_DATA_FINISH; 1953 1954 default: 1955 ERR_raise(ERR_LIB_SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 1956 return SSL_READ_EARLY_DATA_ERROR; 1957 } 1958 } 1959 1960 int SSL_get_early_data_status(const SSL *s) 1961 { 1962 return s->ext.early_data; 1963 } 1964 1965 static int ssl_peek_internal(SSL *s, void *buf, size_t num, size_t *readbytes) 1966 { 1967 if (s->handshake_func == NULL) { 1968 ERR_raise(ERR_LIB_SSL, SSL_R_UNINITIALIZED); 1969 return -1; 1970 } 1971 1972 if (s->shutdown & SSL_RECEIVED_SHUTDOWN) { 1973 return 0; 1974 } 1975 if ((s->mode & SSL_MODE_ASYNC) && ASYNC_get_current_job() == NULL) { 1976 struct ssl_async_args args; 1977 int ret; 1978 1979 args.s = s; 1980 args.buf = buf; 1981 args.num = num; 1982 args.type = READFUNC; 1983 args.f.func_read = s->method->ssl_peek; 1984 1985 ret = ssl_start_async_job(s, &args, ssl_io_intern); 1986 *readbytes = s->asyncrw; 1987 return ret; 1988 } else { 1989 return s->method->ssl_peek(s, buf, num, readbytes); 1990 } 1991 } 1992 1993 int SSL_peek(SSL *s, void *buf, int num) 1994 { 1995 int ret; 1996 size_t readbytes; 1997 1998 if (num < 0) { 1999 ERR_raise(ERR_LIB_SSL, SSL_R_BAD_LENGTH); 2000 return -1; 2001 } 2002 2003 ret = ssl_peek_internal(s, buf, (size_t)num, &readbytes); 2004 2005 /* 2006 * The cast is safe here because ret should be <= INT_MAX because num is 2007 * <= INT_MAX 2008 */ 2009 if (ret > 0) 2010 ret = (int)readbytes; 2011 2012 return ret; 2013 } 2014 2015 2016 int SSL_peek_ex(SSL *s, void *buf, size_t num, size_t *readbytes) 2017 { 2018 int ret = ssl_peek_internal(s, buf, num, readbytes); 2019 2020 if (ret < 0) 2021 ret = 0; 2022 return ret; 2023 } 2024 2025 int ssl_write_internal(SSL *s, const void *buf, size_t num, size_t *written) 2026 { 2027 if (s->handshake_func == NULL) { 2028 ERR_raise(ERR_LIB_SSL, SSL_R_UNINITIALIZED); 2029 return -1; 2030 } 2031 2032 if (s->shutdown & SSL_SENT_SHUTDOWN) { 2033 s->rwstate = SSL_NOTHING; 2034 ERR_raise(ERR_LIB_SSL, SSL_R_PROTOCOL_IS_SHUTDOWN); 2035 return -1; 2036 } 2037 2038 if (s->early_data_state == SSL_EARLY_DATA_CONNECT_RETRY 2039 || s->early_data_state == SSL_EARLY_DATA_ACCEPT_RETRY 2040 || s->early_data_state == SSL_EARLY_DATA_READ_RETRY) { 2041 ERR_raise(ERR_LIB_SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 2042 return 0; 2043 } 2044 /* If we are a client and haven't sent the Finished we better do that */ 2045 ossl_statem_check_finish_init(s, 1); 2046 2047 if ((s->mode & SSL_MODE_ASYNC) && ASYNC_get_current_job() == NULL) { 2048 int ret; 2049 struct ssl_async_args args; 2050 2051 args.s = s; 2052 args.buf = (void *)buf; 2053 args.num = num; 2054 args.type = WRITEFUNC; 2055 args.f.func_write = s->method->ssl_write; 2056 2057 ret = ssl_start_async_job(s, &args, ssl_io_intern); 2058 *written = s->asyncrw; 2059 return ret; 2060 } else { 2061 return s->method->ssl_write(s, buf, num, written); 2062 } 2063 } 2064 2065 ossl_ssize_t SSL_sendfile(SSL *s, int fd, off_t offset, size_t size, int flags) 2066 { 2067 ossl_ssize_t ret; 2068 2069 if (s->handshake_func == NULL) { 2070 ERR_raise(ERR_LIB_SSL, SSL_R_UNINITIALIZED); 2071 return -1; 2072 } 2073 2074 if (s->shutdown & SSL_SENT_SHUTDOWN) { 2075 s->rwstate = SSL_NOTHING; 2076 ERR_raise(ERR_LIB_SSL, SSL_R_PROTOCOL_IS_SHUTDOWN); 2077 return -1; 2078 } 2079 2080 if (!BIO_get_ktls_send(s->wbio)) { 2081 ERR_raise(ERR_LIB_SSL, SSL_R_UNINITIALIZED); 2082 return -1; 2083 } 2084 2085 /* If we have an alert to send, lets send it */ 2086 if (s->s3.alert_dispatch) { 2087 ret = (ossl_ssize_t)s->method->ssl_dispatch_alert(s); 2088 if (ret <= 0) { 2089 /* SSLfatal() already called if appropriate */ 2090 return ret; 2091 } 2092 /* if it went, fall through and send more stuff */ 2093 } 2094 2095 s->rwstate = SSL_WRITING; 2096 if (BIO_flush(s->wbio) <= 0) { 2097 if (!BIO_should_retry(s->wbio)) { 2098 s->rwstate = SSL_NOTHING; 2099 } else { 2100 #ifdef EAGAIN 2101 set_sys_error(EAGAIN); 2102 #endif 2103 } 2104 return -1; 2105 } 2106 2107 #ifdef OPENSSL_NO_KTLS 2108 ERR_raise_data(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR, 2109 "can't call ktls_sendfile(), ktls disabled"); 2110 return -1; 2111 #else 2112 ret = ktls_sendfile(SSL_get_wfd(s), fd, offset, size, flags); 2113 if (ret < 0) { 2114 #if defined(EAGAIN) && defined(EINTR) && defined(EBUSY) 2115 if ((get_last_sys_error() == EAGAIN) || 2116 (get_last_sys_error() == EINTR) || 2117 (get_last_sys_error() == EBUSY)) 2118 BIO_set_retry_write(s->wbio); 2119 else 2120 #endif 2121 ERR_raise(ERR_LIB_SSL, SSL_R_UNINITIALIZED); 2122 return ret; 2123 } 2124 s->rwstate = SSL_NOTHING; 2125 return ret; 2126 #endif 2127 } 2128 2129 int SSL_write(SSL *s, const void *buf, int num) 2130 { 2131 int ret; 2132 size_t written; 2133 2134 if (num < 0) { 2135 ERR_raise(ERR_LIB_SSL, SSL_R_BAD_LENGTH); 2136 return -1; 2137 } 2138 2139 ret = ssl_write_internal(s, buf, (size_t)num, &written); 2140 2141 /* 2142 * The cast is safe here because ret should be <= INT_MAX because num is 2143 * <= INT_MAX 2144 */ 2145 if (ret > 0) 2146 ret = (int)written; 2147 2148 return ret; 2149 } 2150 2151 int SSL_write_ex(SSL *s, const void *buf, size_t num, size_t *written) 2152 { 2153 int ret = ssl_write_internal(s, buf, num, written); 2154 2155 if (ret < 0) 2156 ret = 0; 2157 return ret; 2158 } 2159 2160 int SSL_write_early_data(SSL *s, const void *buf, size_t num, size_t *written) 2161 { 2162 int ret, early_data_state; 2163 size_t writtmp; 2164 uint32_t partialwrite; 2165 2166 switch (s->early_data_state) { 2167 case SSL_EARLY_DATA_NONE: 2168 if (s->server 2169 || !SSL_in_before(s) 2170 || ((s->session == NULL || s->session->ext.max_early_data == 0) 2171 && (s->psk_use_session_cb == NULL))) { 2172 ERR_raise(ERR_LIB_SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 2173 return 0; 2174 } 2175 /* fall through */ 2176 2177 case SSL_EARLY_DATA_CONNECT_RETRY: 2178 s->early_data_state = SSL_EARLY_DATA_CONNECTING; 2179 ret = SSL_connect(s); 2180 if (ret <= 0) { 2181 /* NBIO or error */ 2182 s->early_data_state = SSL_EARLY_DATA_CONNECT_RETRY; 2183 return 0; 2184 } 2185 /* fall through */ 2186 2187 case SSL_EARLY_DATA_WRITE_RETRY: 2188 s->early_data_state = SSL_EARLY_DATA_WRITING; 2189 /* 2190 * We disable partial write for early data because we don't keep track 2191 * of how many bytes we've written between the SSL_write_ex() call and 2192 * the flush if the flush needs to be retried) 2193 */ 2194 partialwrite = s->mode & SSL_MODE_ENABLE_PARTIAL_WRITE; 2195 s->mode &= ~SSL_MODE_ENABLE_PARTIAL_WRITE; 2196 ret = SSL_write_ex(s, buf, num, &writtmp); 2197 s->mode |= partialwrite; 2198 if (!ret) { 2199 s->early_data_state = SSL_EARLY_DATA_WRITE_RETRY; 2200 return ret; 2201 } 2202 s->early_data_state = SSL_EARLY_DATA_WRITE_FLUSH; 2203 /* fall through */ 2204 2205 case SSL_EARLY_DATA_WRITE_FLUSH: 2206 /* The buffering BIO is still in place so we need to flush it */ 2207 if (statem_flush(s) != 1) 2208 return 0; 2209 *written = num; 2210 s->early_data_state = SSL_EARLY_DATA_WRITE_RETRY; 2211 return 1; 2212 2213 case SSL_EARLY_DATA_FINISHED_READING: 2214 case SSL_EARLY_DATA_READ_RETRY: 2215 early_data_state = s->early_data_state; 2216 /* We are a server writing to an unauthenticated client */ 2217 s->early_data_state = SSL_EARLY_DATA_UNAUTH_WRITING; 2218 ret = SSL_write_ex(s, buf, num, written); 2219 /* The buffering BIO is still in place */ 2220 if (ret) 2221 (void)BIO_flush(s->wbio); 2222 s->early_data_state = early_data_state; 2223 return ret; 2224 2225 default: 2226 ERR_raise(ERR_LIB_SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 2227 return 0; 2228 } 2229 } 2230 2231 int SSL_shutdown(SSL *s) 2232 { 2233 /* 2234 * Note that this function behaves differently from what one might 2235 * expect. Return values are 0 for no success (yet), 1 for success; but 2236 * calling it once is usually not enough, even if blocking I/O is used 2237 * (see ssl3_shutdown). 2238 */ 2239 2240 if (s->handshake_func == NULL) { 2241 ERR_raise(ERR_LIB_SSL, SSL_R_UNINITIALIZED); 2242 return -1; 2243 } 2244 2245 if (!SSL_in_init(s)) { 2246 if ((s->mode & SSL_MODE_ASYNC) && ASYNC_get_current_job() == NULL) { 2247 struct ssl_async_args args; 2248 2249 memset(&args, 0, sizeof(args)); 2250 args.s = s; 2251 args.type = OTHERFUNC; 2252 args.f.func_other = s->method->ssl_shutdown; 2253 2254 return ssl_start_async_job(s, &args, ssl_io_intern); 2255 } else { 2256 return s->method->ssl_shutdown(s); 2257 } 2258 } else { 2259 ERR_raise(ERR_LIB_SSL, SSL_R_SHUTDOWN_WHILE_IN_INIT); 2260 return -1; 2261 } 2262 } 2263 2264 int SSL_key_update(SSL *s, int updatetype) 2265 { 2266 if (!SSL_IS_TLS13(s)) { 2267 ERR_raise(ERR_LIB_SSL, SSL_R_WRONG_SSL_VERSION); 2268 return 0; 2269 } 2270 2271 if (updatetype != SSL_KEY_UPDATE_NOT_REQUESTED 2272 && updatetype != SSL_KEY_UPDATE_REQUESTED) { 2273 ERR_raise(ERR_LIB_SSL, SSL_R_INVALID_KEY_UPDATE_TYPE); 2274 return 0; 2275 } 2276 2277 if (!SSL_is_init_finished(s)) { 2278 ERR_raise(ERR_LIB_SSL, SSL_R_STILL_IN_INIT); 2279 return 0; 2280 } 2281 2282 if (RECORD_LAYER_write_pending(&s->rlayer)) { 2283 ERR_raise(ERR_LIB_SSL, SSL_R_BAD_WRITE_RETRY); 2284 return 0; 2285 } 2286 2287 ossl_statem_set_in_init(s, 1); 2288 s->key_update = updatetype; 2289 return 1; 2290 } 2291 2292 int SSL_get_key_update_type(const SSL *s) 2293 { 2294 return s->key_update; 2295 } 2296 2297 /* 2298 * Can we accept a renegotiation request? If yes, set the flag and 2299 * return 1 if yes. If not, raise error and return 0. 2300 */ 2301 static int can_renegotiate(const SSL *s) 2302 { 2303 if (SSL_IS_TLS13(s)) { 2304 ERR_raise(ERR_LIB_SSL, SSL_R_WRONG_SSL_VERSION); 2305 return 0; 2306 } 2307 2308 if ((s->options & SSL_OP_NO_RENEGOTIATION) != 0) { 2309 ERR_raise(ERR_LIB_SSL, SSL_R_NO_RENEGOTIATION); 2310 return 0; 2311 } 2312 2313 return 1; 2314 } 2315 2316 int SSL_renegotiate(SSL *s) 2317 { 2318 if (!can_renegotiate(s)) 2319 return 0; 2320 2321 s->renegotiate = 1; 2322 s->new_session = 1; 2323 return s->method->ssl_renegotiate(s); 2324 } 2325 2326 int SSL_renegotiate_abbreviated(SSL *s) 2327 { 2328 if (!can_renegotiate(s)) 2329 return 0; 2330 2331 s->renegotiate = 1; 2332 s->new_session = 0; 2333 return s->method->ssl_renegotiate(s); 2334 } 2335 2336 int SSL_renegotiate_pending(const SSL *s) 2337 { 2338 /* 2339 * becomes true when negotiation is requested; false again once a 2340 * handshake has finished 2341 */ 2342 return (s->renegotiate != 0); 2343 } 2344 2345 int SSL_new_session_ticket(SSL *s) 2346 { 2347 /* If we are in init because we're sending tickets, okay to send more. */ 2348 if ((SSL_in_init(s) && s->ext.extra_tickets_expected == 0) 2349 || SSL_IS_FIRST_HANDSHAKE(s) || !s->server 2350 || !SSL_IS_TLS13(s)) 2351 return 0; 2352 s->ext.extra_tickets_expected++; 2353 if (!RECORD_LAYER_write_pending(&s->rlayer) && !SSL_in_init(s)) 2354 ossl_statem_set_in_init(s, 1); 2355 return 1; 2356 } 2357 2358 long SSL_ctrl(SSL *s, int cmd, long larg, void *parg) 2359 { 2360 long l; 2361 2362 switch (cmd) { 2363 case SSL_CTRL_GET_READ_AHEAD: 2364 return RECORD_LAYER_get_read_ahead(&s->rlayer); 2365 case SSL_CTRL_SET_READ_AHEAD: 2366 l = RECORD_LAYER_get_read_ahead(&s->rlayer); 2367 RECORD_LAYER_set_read_ahead(&s->rlayer, larg); 2368 return l; 2369 2370 case SSL_CTRL_SET_MSG_CALLBACK_ARG: 2371 s->msg_callback_arg = parg; 2372 return 1; 2373 2374 case SSL_CTRL_MODE: 2375 return (s->mode |= larg); 2376 case SSL_CTRL_CLEAR_MODE: 2377 return (s->mode &= ~larg); 2378 case SSL_CTRL_GET_MAX_CERT_LIST: 2379 return (long)s->max_cert_list; 2380 case SSL_CTRL_SET_MAX_CERT_LIST: 2381 if (larg < 0) 2382 return 0; 2383 l = (long)s->max_cert_list; 2384 s->max_cert_list = (size_t)larg; 2385 return l; 2386 case SSL_CTRL_SET_MAX_SEND_FRAGMENT: 2387 if (larg < 512 || larg > SSL3_RT_MAX_PLAIN_LENGTH) 2388 return 0; 2389 #ifndef OPENSSL_NO_KTLS 2390 if (s->wbio != NULL && BIO_get_ktls_send(s->wbio)) 2391 return 0; 2392 #endif /* OPENSSL_NO_KTLS */ 2393 s->max_send_fragment = larg; 2394 if (s->max_send_fragment < s->split_send_fragment) 2395 s->split_send_fragment = s->max_send_fragment; 2396 return 1; 2397 case SSL_CTRL_SET_SPLIT_SEND_FRAGMENT: 2398 if ((size_t)larg > s->max_send_fragment || larg == 0) 2399 return 0; 2400 s->split_send_fragment = larg; 2401 return 1; 2402 case SSL_CTRL_SET_MAX_PIPELINES: 2403 if (larg < 1 || larg > SSL_MAX_PIPELINES) 2404 return 0; 2405 s->max_pipelines = larg; 2406 if (larg > 1) 2407 RECORD_LAYER_set_read_ahead(&s->rlayer, 1); 2408 return 1; 2409 case SSL_CTRL_GET_RI_SUPPORT: 2410 return s->s3.send_connection_binding; 2411 case SSL_CTRL_SET_RETRY_VERIFY: 2412 s->rwstate = SSL_RETRY_VERIFY; 2413 return 1; 2414 case SSL_CTRL_CERT_FLAGS: 2415 return (s->cert->cert_flags |= larg); 2416 case SSL_CTRL_CLEAR_CERT_FLAGS: 2417 return (s->cert->cert_flags &= ~larg); 2418 2419 case SSL_CTRL_GET_RAW_CIPHERLIST: 2420 if (parg) { 2421 if (s->s3.tmp.ciphers_raw == NULL) 2422 return 0; 2423 *(unsigned char **)parg = s->s3.tmp.ciphers_raw; 2424 return (int)s->s3.tmp.ciphers_rawlen; 2425 } else { 2426 return TLS_CIPHER_LEN; 2427 } 2428 case SSL_CTRL_GET_EXTMS_SUPPORT: 2429 if (!s->session || SSL_in_init(s) || ossl_statem_get_in_handshake(s)) 2430 return -1; 2431 if (s->session->flags & SSL_SESS_FLAG_EXTMS) 2432 return 1; 2433 else 2434 return 0; 2435 case SSL_CTRL_SET_MIN_PROTO_VERSION: 2436 return ssl_check_allowed_versions(larg, s->max_proto_version) 2437 && ssl_set_version_bound(s->ctx->method->version, (int)larg, 2438 &s->min_proto_version); 2439 case SSL_CTRL_GET_MIN_PROTO_VERSION: 2440 return s->min_proto_version; 2441 case SSL_CTRL_SET_MAX_PROTO_VERSION: 2442 return ssl_check_allowed_versions(s->min_proto_version, larg) 2443 && ssl_set_version_bound(s->ctx->method->version, (int)larg, 2444 &s->max_proto_version); 2445 case SSL_CTRL_GET_MAX_PROTO_VERSION: 2446 return s->max_proto_version; 2447 default: 2448 return s->method->ssl_ctrl(s, cmd, larg, parg); 2449 } 2450 } 2451 2452 long SSL_callback_ctrl(SSL *s, int cmd, void (*fp) (void)) 2453 { 2454 switch (cmd) { 2455 case SSL_CTRL_SET_MSG_CALLBACK: 2456 s->msg_callback = (void (*) 2457 (int write_p, int version, int content_type, 2458 const void *buf, size_t len, SSL *ssl, 2459 void *arg))(fp); 2460 return 1; 2461 2462 default: 2463 return s->method->ssl_callback_ctrl(s, cmd, fp); 2464 } 2465 } 2466 2467 LHASH_OF(SSL_SESSION) *SSL_CTX_sessions(SSL_CTX *ctx) 2468 { 2469 return ctx->sessions; 2470 } 2471 2472 static int ssl_tsan_load(SSL_CTX *ctx, TSAN_QUALIFIER int *stat) 2473 { 2474 int res = 0; 2475 2476 if (ssl_tsan_lock(ctx)) { 2477 res = tsan_load(stat); 2478 ssl_tsan_unlock(ctx); 2479 } 2480 return res; 2481 } 2482 2483 long SSL_CTX_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) 2484 { 2485 long l; 2486 /* For some cases with ctx == NULL perform syntax checks */ 2487 if (ctx == NULL) { 2488 switch (cmd) { 2489 case SSL_CTRL_SET_GROUPS_LIST: 2490 return tls1_set_groups_list(ctx, NULL, NULL, parg); 2491 case SSL_CTRL_SET_SIGALGS_LIST: 2492 case SSL_CTRL_SET_CLIENT_SIGALGS_LIST: 2493 return tls1_set_sigalgs_list(NULL, parg, 0); 2494 default: 2495 return 0; 2496 } 2497 } 2498 2499 switch (cmd) { 2500 case SSL_CTRL_GET_READ_AHEAD: 2501 return ctx->read_ahead; 2502 case SSL_CTRL_SET_READ_AHEAD: 2503 l = ctx->read_ahead; 2504 ctx->read_ahead = larg; 2505 return l; 2506 2507 case SSL_CTRL_SET_MSG_CALLBACK_ARG: 2508 ctx->msg_callback_arg = parg; 2509 return 1; 2510 2511 case SSL_CTRL_GET_MAX_CERT_LIST: 2512 return (long)ctx->max_cert_list; 2513 case SSL_CTRL_SET_MAX_CERT_LIST: 2514 if (larg < 0) 2515 return 0; 2516 l = (long)ctx->max_cert_list; 2517 ctx->max_cert_list = (size_t)larg; 2518 return l; 2519 2520 case SSL_CTRL_SET_SESS_CACHE_SIZE: 2521 if (larg < 0) 2522 return 0; 2523 l = (long)ctx->session_cache_size; 2524 ctx->session_cache_size = (size_t)larg; 2525 return l; 2526 case SSL_CTRL_GET_SESS_CACHE_SIZE: 2527 return (long)ctx->session_cache_size; 2528 case SSL_CTRL_SET_SESS_CACHE_MODE: 2529 l = ctx->session_cache_mode; 2530 ctx->session_cache_mode = larg; 2531 return l; 2532 case SSL_CTRL_GET_SESS_CACHE_MODE: 2533 return ctx->session_cache_mode; 2534 2535 case SSL_CTRL_SESS_NUMBER: 2536 return lh_SSL_SESSION_num_items(ctx->sessions); 2537 case SSL_CTRL_SESS_CONNECT: 2538 return ssl_tsan_load(ctx, &ctx->stats.sess_connect); 2539 case SSL_CTRL_SESS_CONNECT_GOOD: 2540 return ssl_tsan_load(ctx, &ctx->stats.sess_connect_good); 2541 case SSL_CTRL_SESS_CONNECT_RENEGOTIATE: 2542 return ssl_tsan_load(ctx, &ctx->stats.sess_connect_renegotiate); 2543 case SSL_CTRL_SESS_ACCEPT: 2544 return ssl_tsan_load(ctx, &ctx->stats.sess_accept); 2545 case SSL_CTRL_SESS_ACCEPT_GOOD: 2546 return ssl_tsan_load(ctx, &ctx->stats.sess_accept_good); 2547 case SSL_CTRL_SESS_ACCEPT_RENEGOTIATE: 2548 return ssl_tsan_load(ctx, &ctx->stats.sess_accept_renegotiate); 2549 case SSL_CTRL_SESS_HIT: 2550 return ssl_tsan_load(ctx, &ctx->stats.sess_hit); 2551 case SSL_CTRL_SESS_CB_HIT: 2552 return ssl_tsan_load(ctx, &ctx->stats.sess_cb_hit); 2553 case SSL_CTRL_SESS_MISSES: 2554 return ssl_tsan_load(ctx, &ctx->stats.sess_miss); 2555 case SSL_CTRL_SESS_TIMEOUTS: 2556 return ssl_tsan_load(ctx, &ctx->stats.sess_timeout); 2557 case SSL_CTRL_SESS_CACHE_FULL: 2558 return ssl_tsan_load(ctx, &ctx->stats.sess_cache_full); 2559 case SSL_CTRL_MODE: 2560 return (ctx->mode |= larg); 2561 case SSL_CTRL_CLEAR_MODE: 2562 return (ctx->mode &= ~larg); 2563 case SSL_CTRL_SET_MAX_SEND_FRAGMENT: 2564 if (larg < 512 || larg > SSL3_RT_MAX_PLAIN_LENGTH) 2565 return 0; 2566 ctx->max_send_fragment = larg; 2567 if (ctx->max_send_fragment < ctx->split_send_fragment) 2568 ctx->split_send_fragment = ctx->max_send_fragment; 2569 return 1; 2570 case SSL_CTRL_SET_SPLIT_SEND_FRAGMENT: 2571 if ((size_t)larg > ctx->max_send_fragment || larg == 0) 2572 return 0; 2573 ctx->split_send_fragment = larg; 2574 return 1; 2575 case SSL_CTRL_SET_MAX_PIPELINES: 2576 if (larg < 1 || larg > SSL_MAX_PIPELINES) 2577 return 0; 2578 ctx->max_pipelines = larg; 2579 return 1; 2580 case SSL_CTRL_CERT_FLAGS: 2581 return (ctx->cert->cert_flags |= larg); 2582 case SSL_CTRL_CLEAR_CERT_FLAGS: 2583 return (ctx->cert->cert_flags &= ~larg); 2584 case SSL_CTRL_SET_MIN_PROTO_VERSION: 2585 return ssl_check_allowed_versions(larg, ctx->max_proto_version) 2586 && ssl_set_version_bound(ctx->method->version, (int)larg, 2587 &ctx->min_proto_version); 2588 case SSL_CTRL_GET_MIN_PROTO_VERSION: 2589 return ctx->min_proto_version; 2590 case SSL_CTRL_SET_MAX_PROTO_VERSION: 2591 return ssl_check_allowed_versions(ctx->min_proto_version, larg) 2592 && ssl_set_version_bound(ctx->method->version, (int)larg, 2593 &ctx->max_proto_version); 2594 case SSL_CTRL_GET_MAX_PROTO_VERSION: 2595 return ctx->max_proto_version; 2596 default: 2597 return ctx->method->ssl_ctx_ctrl(ctx, cmd, larg, parg); 2598 } 2599 } 2600 2601 long SSL_CTX_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp) (void)) 2602 { 2603 switch (cmd) { 2604 case SSL_CTRL_SET_MSG_CALLBACK: 2605 ctx->msg_callback = (void (*) 2606 (int write_p, int version, int content_type, 2607 const void *buf, size_t len, SSL *ssl, 2608 void *arg))(fp); 2609 return 1; 2610 2611 default: 2612 return ctx->method->ssl_ctx_callback_ctrl(ctx, cmd, fp); 2613 } 2614 } 2615 2616 int ssl_cipher_id_cmp(const SSL_CIPHER *a, const SSL_CIPHER *b) 2617 { 2618 if (a->id > b->id) 2619 return 1; 2620 if (a->id < b->id) 2621 return -1; 2622 return 0; 2623 } 2624 2625 int ssl_cipher_ptr_id_cmp(const SSL_CIPHER *const *ap, 2626 const SSL_CIPHER *const *bp) 2627 { 2628 if ((*ap)->id > (*bp)->id) 2629 return 1; 2630 if ((*ap)->id < (*bp)->id) 2631 return -1; 2632 return 0; 2633 } 2634 2635 /** return a STACK of the ciphers available for the SSL and in order of 2636 * preference */ 2637 STACK_OF(SSL_CIPHER) *SSL_get_ciphers(const SSL *s) 2638 { 2639 if (s != NULL) { 2640 if (s->cipher_list != NULL) { 2641 return s->cipher_list; 2642 } else if ((s->ctx != NULL) && (s->ctx->cipher_list != NULL)) { 2643 return s->ctx->cipher_list; 2644 } 2645 } 2646 return NULL; 2647 } 2648 2649 STACK_OF(SSL_CIPHER) *SSL_get_client_ciphers(const SSL *s) 2650 { 2651 if ((s == NULL) || !s->server) 2652 return NULL; 2653 return s->peer_ciphers; 2654 } 2655 2656 STACK_OF(SSL_CIPHER) *SSL_get1_supported_ciphers(SSL *s) 2657 { 2658 STACK_OF(SSL_CIPHER) *sk = NULL, *ciphers; 2659 int i; 2660 2661 ciphers = SSL_get_ciphers(s); 2662 if (!ciphers) 2663 return NULL; 2664 if (!ssl_set_client_disabled(s)) 2665 return NULL; 2666 for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) { 2667 const SSL_CIPHER *c = sk_SSL_CIPHER_value(ciphers, i); 2668 if (!ssl_cipher_disabled(s, c, SSL_SECOP_CIPHER_SUPPORTED, 0)) { 2669 if (!sk) 2670 sk = sk_SSL_CIPHER_new_null(); 2671 if (!sk) 2672 return NULL; 2673 if (!sk_SSL_CIPHER_push(sk, c)) { 2674 sk_SSL_CIPHER_free(sk); 2675 return NULL; 2676 } 2677 } 2678 } 2679 return sk; 2680 } 2681 2682 /** return a STACK of the ciphers available for the SSL and in order of 2683 * algorithm id */ 2684 STACK_OF(SSL_CIPHER) *ssl_get_ciphers_by_id(SSL *s) 2685 { 2686 if (s != NULL) { 2687 if (s->cipher_list_by_id != NULL) { 2688 return s->cipher_list_by_id; 2689 } else if ((s->ctx != NULL) && (s->ctx->cipher_list_by_id != NULL)) { 2690 return s->ctx->cipher_list_by_id; 2691 } 2692 } 2693 return NULL; 2694 } 2695 2696 /** The old interface to get the same thing as SSL_get_ciphers() */ 2697 const char *SSL_get_cipher_list(const SSL *s, int n) 2698 { 2699 const SSL_CIPHER *c; 2700 STACK_OF(SSL_CIPHER) *sk; 2701 2702 if (s == NULL) 2703 return NULL; 2704 sk = SSL_get_ciphers(s); 2705 if ((sk == NULL) || (sk_SSL_CIPHER_num(sk) <= n)) 2706 return NULL; 2707 c = sk_SSL_CIPHER_value(sk, n); 2708 if (c == NULL) 2709 return NULL; 2710 return c->name; 2711 } 2712 2713 /** return a STACK of the ciphers available for the SSL_CTX and in order of 2714 * preference */ 2715 STACK_OF(SSL_CIPHER) *SSL_CTX_get_ciphers(const SSL_CTX *ctx) 2716 { 2717 if (ctx != NULL) 2718 return ctx->cipher_list; 2719 return NULL; 2720 } 2721 2722 /* 2723 * Distinguish between ciphers controlled by set_ciphersuite() and 2724 * set_cipher_list() when counting. 2725 */ 2726 static int cipher_list_tls12_num(STACK_OF(SSL_CIPHER) *sk) 2727 { 2728 int i, num = 0; 2729 const SSL_CIPHER *c; 2730 2731 if (sk == NULL) 2732 return 0; 2733 for (i = 0; i < sk_SSL_CIPHER_num(sk); ++i) { 2734 c = sk_SSL_CIPHER_value(sk, i); 2735 if (c->min_tls >= TLS1_3_VERSION) 2736 continue; 2737 num++; 2738 } 2739 return num; 2740 } 2741 2742 /** specify the ciphers to be used by default by the SSL_CTX */ 2743 int SSL_CTX_set_cipher_list(SSL_CTX *ctx, const char *str) 2744 { 2745 STACK_OF(SSL_CIPHER) *sk; 2746 2747 sk = ssl_create_cipher_list(ctx, ctx->tls13_ciphersuites, 2748 &ctx->cipher_list, &ctx->cipher_list_by_id, str, 2749 ctx->cert); 2750 /* 2751 * ssl_create_cipher_list may return an empty stack if it was unable to 2752 * find a cipher matching the given rule string (for example if the rule 2753 * string specifies a cipher which has been disabled). This is not an 2754 * error as far as ssl_create_cipher_list is concerned, and hence 2755 * ctx->cipher_list and ctx->cipher_list_by_id has been updated. 2756 */ 2757 if (sk == NULL) 2758 return 0; 2759 else if (cipher_list_tls12_num(sk) == 0) { 2760 ERR_raise(ERR_LIB_SSL, SSL_R_NO_CIPHER_MATCH); 2761 return 0; 2762 } 2763 return 1; 2764 } 2765 2766 /** specify the ciphers to be used by the SSL */ 2767 int SSL_set_cipher_list(SSL *s, const char *str) 2768 { 2769 STACK_OF(SSL_CIPHER) *sk; 2770 2771 sk = ssl_create_cipher_list(s->ctx, s->tls13_ciphersuites, 2772 &s->cipher_list, &s->cipher_list_by_id, str, 2773 s->cert); 2774 /* see comment in SSL_CTX_set_cipher_list */ 2775 if (sk == NULL) 2776 return 0; 2777 else if (cipher_list_tls12_num(sk) == 0) { 2778 ERR_raise(ERR_LIB_SSL, SSL_R_NO_CIPHER_MATCH); 2779 return 0; 2780 } 2781 return 1; 2782 } 2783 2784 char *SSL_get_shared_ciphers(const SSL *s, char *buf, int size) 2785 { 2786 char *p; 2787 STACK_OF(SSL_CIPHER) *clntsk, *srvrsk; 2788 const SSL_CIPHER *c; 2789 int i; 2790 2791 if (!s->server 2792 || s->peer_ciphers == NULL 2793 || size < 2) 2794 return NULL; 2795 2796 p = buf; 2797 clntsk = s->peer_ciphers; 2798 srvrsk = SSL_get_ciphers(s); 2799 if (clntsk == NULL || srvrsk == NULL) 2800 return NULL; 2801 2802 if (sk_SSL_CIPHER_num(clntsk) == 0 || sk_SSL_CIPHER_num(srvrsk) == 0) 2803 return NULL; 2804 2805 for (i = 0; i < sk_SSL_CIPHER_num(clntsk); i++) { 2806 int n; 2807 2808 c = sk_SSL_CIPHER_value(clntsk, i); 2809 if (sk_SSL_CIPHER_find(srvrsk, c) < 0) 2810 continue; 2811 2812 n = strlen(c->name); 2813 if (n + 1 > size) { 2814 if (p != buf) 2815 --p; 2816 *p = '\0'; 2817 return buf; 2818 } 2819 strcpy(p, c->name); 2820 p += n; 2821 *(p++) = ':'; 2822 size -= n + 1; 2823 } 2824 p[-1] = '\0'; 2825 return buf; 2826 } 2827 2828 /** 2829 * Return the requested servername (SNI) value. Note that the behaviour varies 2830 * depending on: 2831 * - whether this is called by the client or the server, 2832 * - if we are before or during/after the handshake, 2833 * - if a resumption or normal handshake is being attempted/has occurred 2834 * - whether we have negotiated TLSv1.2 (or below) or TLSv1.3 2835 * 2836 * Note that only the host_name type is defined (RFC 3546). 2837 */ 2838 const char *SSL_get_servername(const SSL *s, const int type) 2839 { 2840 /* 2841 * If we don't know if we are the client or the server yet then we assume 2842 * client. 2843 */ 2844 int server = s->handshake_func == NULL ? 0 : s->server; 2845 if (type != TLSEXT_NAMETYPE_host_name) 2846 return NULL; 2847 2848 if (server) { 2849 /** 2850 * Server side 2851 * In TLSv1.3 on the server SNI is not associated with the session 2852 * but in TLSv1.2 or below it is. 2853 * 2854 * Before the handshake: 2855 * - return NULL 2856 * 2857 * During/after the handshake (TLSv1.2 or below resumption occurred): 2858 * - If a servername was accepted by the server in the original 2859 * handshake then it will return that servername, or NULL otherwise. 2860 * 2861 * During/after the handshake (TLSv1.2 or below resumption did not occur): 2862 * - The function will return the servername requested by the client in 2863 * this handshake or NULL if none was requested. 2864 */ 2865 if (s->hit && !SSL_IS_TLS13(s)) 2866 return s->session->ext.hostname; 2867 } else { 2868 /** 2869 * Client side 2870 * 2871 * Before the handshake: 2872 * - If a servername has been set via a call to 2873 * SSL_set_tlsext_host_name() then it will return that servername 2874 * - If one has not been set, but a TLSv1.2 resumption is being 2875 * attempted and the session from the original handshake had a 2876 * servername accepted by the server then it will return that 2877 * servername 2878 * - Otherwise it returns NULL 2879 * 2880 * During/after the handshake (TLSv1.2 or below resumption occurred): 2881 * - If the session from the original handshake had a servername accepted 2882 * by the server then it will return that servername. 2883 * - Otherwise it returns the servername set via 2884 * SSL_set_tlsext_host_name() (or NULL if it was not called). 2885 * 2886 * During/after the handshake (TLSv1.2 or below resumption did not occur): 2887 * - It will return the servername set via SSL_set_tlsext_host_name() 2888 * (or NULL if it was not called). 2889 */ 2890 if (SSL_in_before(s)) { 2891 if (s->ext.hostname == NULL 2892 && s->session != NULL 2893 && s->session->ssl_version != TLS1_3_VERSION) 2894 return s->session->ext.hostname; 2895 } else { 2896 if (!SSL_IS_TLS13(s) && s->hit && s->session->ext.hostname != NULL) 2897 return s->session->ext.hostname; 2898 } 2899 } 2900 2901 return s->ext.hostname; 2902 } 2903 2904 int SSL_get_servername_type(const SSL *s) 2905 { 2906 if (SSL_get_servername(s, TLSEXT_NAMETYPE_host_name) != NULL) 2907 return TLSEXT_NAMETYPE_host_name; 2908 return -1; 2909 } 2910 2911 /* 2912 * SSL_select_next_proto implements the standard protocol selection. It is 2913 * expected that this function is called from the callback set by 2914 * SSL_CTX_set_next_proto_select_cb. The protocol data is assumed to be a 2915 * vector of 8-bit, length prefixed byte strings. The length byte itself is 2916 * not included in the length. A byte string of length 0 is invalid. No byte 2917 * string may be truncated. The current, but experimental algorithm for 2918 * selecting the protocol is: 1) If the server doesn't support NPN then this 2919 * is indicated to the callback. In this case, the client application has to 2920 * abort the connection or have a default application level protocol. 2) If 2921 * the server supports NPN, but advertises an empty list then the client 2922 * selects the first protocol in its list, but indicates via the API that this 2923 * fallback case was enacted. 3) Otherwise, the client finds the first 2924 * protocol in the server's list that it supports and selects this protocol. 2925 * This is because it's assumed that the server has better information about 2926 * which protocol a client should use. 4) If the client doesn't support any 2927 * of the server's advertised protocols, then this is treated the same as 2928 * case 2. It returns either OPENSSL_NPN_NEGOTIATED if a common protocol was 2929 * found, or OPENSSL_NPN_NO_OVERLAP if the fallback case was reached. 2930 */ 2931 int SSL_select_next_proto(unsigned char **out, unsigned char *outlen, 2932 const unsigned char *server, 2933 unsigned int server_len, 2934 const unsigned char *client, unsigned int client_len) 2935 { 2936 unsigned int i, j; 2937 const unsigned char *result; 2938 int status = OPENSSL_NPN_UNSUPPORTED; 2939 2940 /* 2941 * For each protocol in server preference order, see if we support it. 2942 */ 2943 for (i = 0; i < server_len;) { 2944 for (j = 0; j < client_len;) { 2945 if (server[i] == client[j] && 2946 memcmp(&server[i + 1], &client[j + 1], server[i]) == 0) { 2947 /* We found a match */ 2948 result = &server[i]; 2949 status = OPENSSL_NPN_NEGOTIATED; 2950 goto found; 2951 } 2952 j += client[j]; 2953 j++; 2954 } 2955 i += server[i]; 2956 i++; 2957 } 2958 2959 /* There's no overlap between our protocols and the server's list. */ 2960 result = client; 2961 status = OPENSSL_NPN_NO_OVERLAP; 2962 2963 found: 2964 *out = (unsigned char *)result + 1; 2965 *outlen = result[0]; 2966 return status; 2967 } 2968 2969 #ifndef OPENSSL_NO_NEXTPROTONEG 2970 /* 2971 * SSL_get0_next_proto_negotiated sets *data and *len to point to the 2972 * client's requested protocol for this connection and returns 0. If the 2973 * client didn't request any protocol, then *data is set to NULL. Note that 2974 * the client can request any protocol it chooses. The value returned from 2975 * this function need not be a member of the list of supported protocols 2976 * provided by the callback. 2977 */ 2978 void SSL_get0_next_proto_negotiated(const SSL *s, const unsigned char **data, 2979 unsigned *len) 2980 { 2981 *data = s->ext.npn; 2982 if (*data == NULL) { 2983 *len = 0; 2984 } else { 2985 *len = (unsigned int)s->ext.npn_len; 2986 } 2987 } 2988 2989 /* 2990 * SSL_CTX_set_npn_advertised_cb sets a callback that is called when 2991 * a TLS server needs a list of supported protocols for Next Protocol 2992 * Negotiation. The returned list must be in wire format. The list is 2993 * returned by setting |out| to point to it and |outlen| to its length. This 2994 * memory will not be modified, but one should assume that the SSL* keeps a 2995 * reference to it. The callback should return SSL_TLSEXT_ERR_OK if it 2996 * wishes to advertise. Otherwise, no such extension will be included in the 2997 * ServerHello. 2998 */ 2999 void SSL_CTX_set_npn_advertised_cb(SSL_CTX *ctx, 3000 SSL_CTX_npn_advertised_cb_func cb, 3001 void *arg) 3002 { 3003 ctx->ext.npn_advertised_cb = cb; 3004 ctx->ext.npn_advertised_cb_arg = arg; 3005 } 3006 3007 /* 3008 * SSL_CTX_set_next_proto_select_cb sets a callback that is called when a 3009 * client needs to select a protocol from the server's provided list. |out| 3010 * must be set to point to the selected protocol (which may be within |in|). 3011 * The length of the protocol name must be written into |outlen|. The 3012 * server's advertised protocols are provided in |in| and |inlen|. The 3013 * callback can assume that |in| is syntactically valid. The client must 3014 * select a protocol. It is fatal to the connection if this callback returns 3015 * a value other than SSL_TLSEXT_ERR_OK. 3016 */ 3017 void SSL_CTX_set_npn_select_cb(SSL_CTX *ctx, 3018 SSL_CTX_npn_select_cb_func cb, 3019 void *arg) 3020 { 3021 ctx->ext.npn_select_cb = cb; 3022 ctx->ext.npn_select_cb_arg = arg; 3023 } 3024 #endif 3025 3026 static int alpn_value_ok(const unsigned char *protos, unsigned int protos_len) 3027 { 3028 unsigned int idx; 3029 3030 if (protos_len < 2 || protos == NULL) 3031 return 0; 3032 3033 for (idx = 0; idx < protos_len; idx += protos[idx] + 1) { 3034 if (protos[idx] == 0) 3035 return 0; 3036 } 3037 return idx == protos_len; 3038 } 3039 /* 3040 * SSL_CTX_set_alpn_protos sets the ALPN protocol list on |ctx| to |protos|. 3041 * |protos| must be in wire-format (i.e. a series of non-empty, 8-bit 3042 * length-prefixed strings). Returns 0 on success. 3043 */ 3044 int SSL_CTX_set_alpn_protos(SSL_CTX *ctx, const unsigned char *protos, 3045 unsigned int protos_len) 3046 { 3047 unsigned char *alpn; 3048 3049 if (protos_len == 0 || protos == NULL) { 3050 OPENSSL_free(ctx->ext.alpn); 3051 ctx->ext.alpn = NULL; 3052 ctx->ext.alpn_len = 0; 3053 return 0; 3054 } 3055 /* Not valid per RFC */ 3056 if (!alpn_value_ok(protos, protos_len)) 3057 return 1; 3058 3059 alpn = OPENSSL_memdup(protos, protos_len); 3060 if (alpn == NULL) { 3061 ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE); 3062 return 1; 3063 } 3064 OPENSSL_free(ctx->ext.alpn); 3065 ctx->ext.alpn = alpn; 3066 ctx->ext.alpn_len = protos_len; 3067 3068 return 0; 3069 } 3070 3071 /* 3072 * SSL_set_alpn_protos sets the ALPN protocol list on |ssl| to |protos|. 3073 * |protos| must be in wire-format (i.e. a series of non-empty, 8-bit 3074 * length-prefixed strings). Returns 0 on success. 3075 */ 3076 int SSL_set_alpn_protos(SSL *ssl, const unsigned char *protos, 3077 unsigned int protos_len) 3078 { 3079 unsigned char *alpn; 3080 3081 if (protos_len == 0 || protos == NULL) { 3082 OPENSSL_free(ssl->ext.alpn); 3083 ssl->ext.alpn = NULL; 3084 ssl->ext.alpn_len = 0; 3085 return 0; 3086 } 3087 /* Not valid per RFC */ 3088 if (!alpn_value_ok(protos, protos_len)) 3089 return 1; 3090 3091 alpn = OPENSSL_memdup(protos, protos_len); 3092 if (alpn == NULL) { 3093 ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE); 3094 return 1; 3095 } 3096 OPENSSL_free(ssl->ext.alpn); 3097 ssl->ext.alpn = alpn; 3098 ssl->ext.alpn_len = protos_len; 3099 3100 return 0; 3101 } 3102 3103 /* 3104 * SSL_CTX_set_alpn_select_cb sets a callback function on |ctx| that is 3105 * called during ClientHello processing in order to select an ALPN protocol 3106 * from the client's list of offered protocols. 3107 */ 3108 void SSL_CTX_set_alpn_select_cb(SSL_CTX *ctx, 3109 SSL_CTX_alpn_select_cb_func cb, 3110 void *arg) 3111 { 3112 ctx->ext.alpn_select_cb = cb; 3113 ctx->ext.alpn_select_cb_arg = arg; 3114 } 3115 3116 /* 3117 * SSL_get0_alpn_selected gets the selected ALPN protocol (if any) from |ssl|. 3118 * On return it sets |*data| to point to |*len| bytes of protocol name 3119 * (not including the leading length-prefix byte). If the server didn't 3120 * respond with a negotiated protocol then |*len| will be zero. 3121 */ 3122 void SSL_get0_alpn_selected(const SSL *ssl, const unsigned char **data, 3123 unsigned int *len) 3124 { 3125 *data = ssl->s3.alpn_selected; 3126 if (*data == NULL) 3127 *len = 0; 3128 else 3129 *len = (unsigned int)ssl->s3.alpn_selected_len; 3130 } 3131 3132 int SSL_export_keying_material(SSL *s, unsigned char *out, size_t olen, 3133 const char *label, size_t llen, 3134 const unsigned char *context, size_t contextlen, 3135 int use_context) 3136 { 3137 if (s->session == NULL 3138 || (s->version < TLS1_VERSION && s->version != DTLS1_BAD_VER)) 3139 return -1; 3140 3141 return s->method->ssl3_enc->export_keying_material(s, out, olen, label, 3142 llen, context, 3143 contextlen, use_context); 3144 } 3145 3146 int SSL_export_keying_material_early(SSL *s, unsigned char *out, size_t olen, 3147 const char *label, size_t llen, 3148 const unsigned char *context, 3149 size_t contextlen) 3150 { 3151 if (s->version != TLS1_3_VERSION) 3152 return 0; 3153 3154 return tls13_export_keying_material_early(s, out, olen, label, llen, 3155 context, contextlen); 3156 } 3157 3158 static unsigned long ssl_session_hash(const SSL_SESSION *a) 3159 { 3160 const unsigned char *session_id = a->session_id; 3161 unsigned long l; 3162 unsigned char tmp_storage[4]; 3163 3164 if (a->session_id_length < sizeof(tmp_storage)) { 3165 memset(tmp_storage, 0, sizeof(tmp_storage)); 3166 memcpy(tmp_storage, a->session_id, a->session_id_length); 3167 session_id = tmp_storage; 3168 } 3169 3170 l = (unsigned long) 3171 ((unsigned long)session_id[0]) | 3172 ((unsigned long)session_id[1] << 8L) | 3173 ((unsigned long)session_id[2] << 16L) | 3174 ((unsigned long)session_id[3] << 24L); 3175 return l; 3176 } 3177 3178 /* 3179 * NB: If this function (or indeed the hash function which uses a sort of 3180 * coarser function than this one) is changed, ensure 3181 * SSL_CTX_has_matching_session_id() is checked accordingly. It relies on 3182 * being able to construct an SSL_SESSION that will collide with any existing 3183 * session with a matching session ID. 3184 */ 3185 static int ssl_session_cmp(const SSL_SESSION *a, const SSL_SESSION *b) 3186 { 3187 if (a->ssl_version != b->ssl_version) 3188 return 1; 3189 if (a->session_id_length != b->session_id_length) 3190 return 1; 3191 return memcmp(a->session_id, b->session_id, a->session_id_length); 3192 } 3193 3194 /* 3195 * These wrapper functions should remain rather than redeclaring 3196 * SSL_SESSION_hash and SSL_SESSION_cmp for void* types and casting each 3197 * variable. The reason is that the functions aren't static, they're exposed 3198 * via ssl.h. 3199 */ 3200 3201 SSL_CTX *SSL_CTX_new_ex(OSSL_LIB_CTX *libctx, const char *propq, 3202 const SSL_METHOD *meth) 3203 { 3204 SSL_CTX *ret = NULL; 3205 3206 if (meth == NULL) { 3207 ERR_raise(ERR_LIB_SSL, SSL_R_NULL_SSL_METHOD_PASSED); 3208 return NULL; 3209 } 3210 3211 if (!OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS, NULL)) 3212 return NULL; 3213 3214 if (SSL_get_ex_data_X509_STORE_CTX_idx() < 0) { 3215 ERR_raise(ERR_LIB_SSL, SSL_R_X509_VERIFICATION_SETUP_PROBLEMS); 3216 goto err; 3217 } 3218 ret = OPENSSL_zalloc(sizeof(*ret)); 3219 if (ret == NULL) 3220 goto err; 3221 3222 /* Init the reference counting before any call to SSL_CTX_free */ 3223 ret->references = 1; 3224 ret->lock = CRYPTO_THREAD_lock_new(); 3225 if (ret->lock == NULL) { 3226 ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE); 3227 OPENSSL_free(ret); 3228 return NULL; 3229 } 3230 3231 #ifdef TSAN_REQUIRES_LOCKING 3232 ret->tsan_lock = CRYPTO_THREAD_lock_new(); 3233 if (ret->tsan_lock == NULL) { 3234 ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE); 3235 goto err; 3236 } 3237 #endif 3238 3239 ret->libctx = libctx; 3240 if (propq != NULL) { 3241 ret->propq = OPENSSL_strdup(propq); 3242 if (ret->propq == NULL) 3243 goto err; 3244 } 3245 3246 ret->method = meth; 3247 ret->min_proto_version = 0; 3248 ret->max_proto_version = 0; 3249 ret->mode = SSL_MODE_AUTO_RETRY; 3250 ret->session_cache_mode = SSL_SESS_CACHE_SERVER; 3251 ret->session_cache_size = SSL_SESSION_CACHE_MAX_SIZE_DEFAULT; 3252 /* We take the system default. */ 3253 ret->session_timeout = meth->get_timeout(); 3254 ret->max_cert_list = SSL_MAX_CERT_LIST_DEFAULT; 3255 ret->verify_mode = SSL_VERIFY_NONE; 3256 if ((ret->cert = ssl_cert_new()) == NULL) 3257 goto err; 3258 3259 ret->sessions = lh_SSL_SESSION_new(ssl_session_hash, ssl_session_cmp); 3260 if (ret->sessions == NULL) 3261 goto err; 3262 ret->cert_store = X509_STORE_new(); 3263 if (ret->cert_store == NULL) 3264 goto err; 3265 #ifndef OPENSSL_NO_CT 3266 ret->ctlog_store = CTLOG_STORE_new_ex(libctx, propq); 3267 if (ret->ctlog_store == NULL) 3268 goto err; 3269 #endif 3270 3271 /* initialize cipher/digest methods table */ 3272 if (!ssl_load_ciphers(ret)) 3273 goto err2; 3274 /* initialise sig algs */ 3275 if (!ssl_setup_sig_algs(ret)) 3276 goto err2; 3277 3278 3279 if (!ssl_load_groups(ret)) 3280 goto err2; 3281 3282 if (!SSL_CTX_set_ciphersuites(ret, OSSL_default_ciphersuites())) 3283 goto err; 3284 3285 if (!ssl_create_cipher_list(ret, 3286 ret->tls13_ciphersuites, 3287 &ret->cipher_list, &ret->cipher_list_by_id, 3288 OSSL_default_cipher_list(), ret->cert) 3289 || sk_SSL_CIPHER_num(ret->cipher_list) <= 0) { 3290 ERR_raise(ERR_LIB_SSL, SSL_R_LIBRARY_HAS_NO_CIPHERS); 3291 goto err2; 3292 } 3293 3294 ret->param = X509_VERIFY_PARAM_new(); 3295 if (ret->param == NULL) 3296 goto err; 3297 3298 /* 3299 * If these aren't available from the provider we'll get NULL returns. 3300 * That's fine but will cause errors later if SSLv3 is negotiated 3301 */ 3302 ret->md5 = ssl_evp_md_fetch(libctx, NID_md5, propq); 3303 ret->sha1 = ssl_evp_md_fetch(libctx, NID_sha1, propq); 3304 3305 if ((ret->ca_names = sk_X509_NAME_new_null()) == NULL) 3306 goto err; 3307 3308 if ((ret->client_ca_names = sk_X509_NAME_new_null()) == NULL) 3309 goto err; 3310 3311 if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL_CTX, ret, &ret->ex_data)) 3312 goto err; 3313 3314 if ((ret->ext.secure = OPENSSL_secure_zalloc(sizeof(*ret->ext.secure))) == NULL) 3315 goto err; 3316 3317 /* No compression for DTLS */ 3318 if (!(meth->ssl3_enc->enc_flags & SSL_ENC_FLAG_DTLS)) 3319 ret->comp_methods = SSL_COMP_get_compression_methods(); 3320 3321 ret->max_send_fragment = SSL3_RT_MAX_PLAIN_LENGTH; 3322 ret->split_send_fragment = SSL3_RT_MAX_PLAIN_LENGTH; 3323 3324 /* Setup RFC5077 ticket keys */ 3325 if ((RAND_bytes_ex(libctx, ret->ext.tick_key_name, 3326 sizeof(ret->ext.tick_key_name), 0) <= 0) 3327 || (RAND_priv_bytes_ex(libctx, ret->ext.secure->tick_hmac_key, 3328 sizeof(ret->ext.secure->tick_hmac_key), 0) <= 0) 3329 || (RAND_priv_bytes_ex(libctx, ret->ext.secure->tick_aes_key, 3330 sizeof(ret->ext.secure->tick_aes_key), 0) <= 0)) 3331 ret->options |= SSL_OP_NO_TICKET; 3332 3333 if (RAND_priv_bytes_ex(libctx, ret->ext.cookie_hmac_key, 3334 sizeof(ret->ext.cookie_hmac_key), 0) <= 0) 3335 goto err; 3336 3337 #ifndef OPENSSL_NO_SRP 3338 if (!ssl_ctx_srp_ctx_init_intern(ret)) 3339 goto err; 3340 #endif 3341 #ifndef OPENSSL_NO_ENGINE 3342 # ifdef OPENSSL_SSL_CLIENT_ENGINE_AUTO 3343 # define eng_strx(x) #x 3344 # define eng_str(x) eng_strx(x) 3345 /* Use specific client engine automatically... ignore errors */ 3346 { 3347 ENGINE *eng; 3348 eng = ENGINE_by_id(eng_str(OPENSSL_SSL_CLIENT_ENGINE_AUTO)); 3349 if (!eng) { 3350 ERR_clear_error(); 3351 ENGINE_load_builtin_engines(); 3352 eng = ENGINE_by_id(eng_str(OPENSSL_SSL_CLIENT_ENGINE_AUTO)); 3353 } 3354 if (!eng || !SSL_CTX_set_client_cert_engine(ret, eng)) 3355 ERR_clear_error(); 3356 } 3357 # endif 3358 #endif 3359 /* 3360 * Disable compression by default to prevent CRIME. Applications can 3361 * re-enable compression by configuring 3362 * SSL_CTX_clear_options(ctx, SSL_OP_NO_COMPRESSION); 3363 * or by using the SSL_CONF library. Similarly we also enable TLSv1.3 3364 * middlebox compatibility by default. This may be disabled by default in 3365 * a later OpenSSL version. 3366 */ 3367 ret->options |= SSL_OP_NO_COMPRESSION | SSL_OP_ENABLE_MIDDLEBOX_COMPAT; 3368 3369 ret->ext.status_type = TLSEXT_STATUSTYPE_nothing; 3370 3371 /* 3372 * We cannot usefully set a default max_early_data here (which gets 3373 * propagated in SSL_new(), for the following reason: setting the 3374 * SSL field causes tls_construct_stoc_early_data() to tell the 3375 * client that early data will be accepted when constructing a TLS 1.3 3376 * session ticket, and the client will accordingly send us early data 3377 * when using that ticket (if the client has early data to send). 3378 * However, in order for the early data to actually be consumed by 3379 * the application, the application must also have calls to 3380 * SSL_read_early_data(); otherwise we'll just skip past the early data 3381 * and ignore it. So, since the application must add calls to 3382 * SSL_read_early_data(), we also require them to add 3383 * calls to SSL_CTX_set_max_early_data() in order to use early data, 3384 * eliminating the bandwidth-wasting early data in the case described 3385 * above. 3386 */ 3387 ret->max_early_data = 0; 3388 3389 /* 3390 * Default recv_max_early_data is a fully loaded single record. Could be 3391 * split across multiple records in practice. We set this differently to 3392 * max_early_data so that, in the default case, we do not advertise any 3393 * support for early_data, but if a client were to send us some (e.g. 3394 * because of an old, stale ticket) then we will tolerate it and skip over 3395 * it. 3396 */ 3397 ret->recv_max_early_data = SSL3_RT_MAX_PLAIN_LENGTH; 3398 3399 /* By default we send two session tickets automatically in TLSv1.3 */ 3400 ret->num_tickets = 2; 3401 3402 ssl_ctx_system_config(ret); 3403 3404 return ret; 3405 err: 3406 ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE); 3407 err2: 3408 SSL_CTX_free(ret); 3409 return NULL; 3410 } 3411 3412 SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth) 3413 { 3414 return SSL_CTX_new_ex(NULL, NULL, meth); 3415 } 3416 3417 int SSL_CTX_up_ref(SSL_CTX *ctx) 3418 { 3419 int i; 3420 3421 if (CRYPTO_UP_REF(&ctx->references, &i, ctx->lock) <= 0) 3422 return 0; 3423 3424 REF_PRINT_COUNT("SSL_CTX", ctx); 3425 REF_ASSERT_ISNT(i < 2); 3426 return ((i > 1) ? 1 : 0); 3427 } 3428 3429 void SSL_CTX_free(SSL_CTX *a) 3430 { 3431 int i; 3432 size_t j; 3433 3434 if (a == NULL) 3435 return; 3436 3437 CRYPTO_DOWN_REF(&a->references, &i, a->lock); 3438 REF_PRINT_COUNT("SSL_CTX", a); 3439 if (i > 0) 3440 return; 3441 REF_ASSERT_ISNT(i < 0); 3442 3443 X509_VERIFY_PARAM_free(a->param); 3444 dane_ctx_final(&a->dane); 3445 3446 /* 3447 * Free internal session cache. However: the remove_cb() may reference 3448 * the ex_data of SSL_CTX, thus the ex_data store can only be removed 3449 * after the sessions were flushed. 3450 * As the ex_data handling routines might also touch the session cache, 3451 * the most secure solution seems to be: empty (flush) the cache, then 3452 * free ex_data, then finally free the cache. 3453 * (See ticket [openssl.org #212].) 3454 */ 3455 if (a->sessions != NULL) 3456 SSL_CTX_flush_sessions(a, 0); 3457 3458 CRYPTO_free_ex_data(CRYPTO_EX_INDEX_SSL_CTX, a, &a->ex_data); 3459 lh_SSL_SESSION_free(a->sessions); 3460 X509_STORE_free(a->cert_store); 3461 #ifndef OPENSSL_NO_CT 3462 CTLOG_STORE_free(a->ctlog_store); 3463 #endif 3464 sk_SSL_CIPHER_free(a->cipher_list); 3465 sk_SSL_CIPHER_free(a->cipher_list_by_id); 3466 sk_SSL_CIPHER_free(a->tls13_ciphersuites); 3467 ssl_cert_free(a->cert); 3468 sk_X509_NAME_pop_free(a->ca_names, X509_NAME_free); 3469 sk_X509_NAME_pop_free(a->client_ca_names, X509_NAME_free); 3470 sk_X509_pop_free(a->extra_certs, X509_free); 3471 a->comp_methods = NULL; 3472 #ifndef OPENSSL_NO_SRTP 3473 sk_SRTP_PROTECTION_PROFILE_free(a->srtp_profiles); 3474 #endif 3475 #ifndef OPENSSL_NO_SRP 3476 ssl_ctx_srp_ctx_free_intern(a); 3477 #endif 3478 #ifndef OPENSSL_NO_ENGINE 3479 tls_engine_finish(a->client_cert_engine); 3480 #endif 3481 3482 OPENSSL_free(a->ext.ecpointformats); 3483 OPENSSL_free(a->ext.supportedgroups); 3484 OPENSSL_free(a->ext.supported_groups_default); 3485 OPENSSL_free(a->ext.alpn); 3486 OPENSSL_secure_free(a->ext.secure); 3487 3488 ssl_evp_md_free(a->md5); 3489 ssl_evp_md_free(a->sha1); 3490 3491 for (j = 0; j < SSL_ENC_NUM_IDX; j++) 3492 ssl_evp_cipher_free(a->ssl_cipher_methods[j]); 3493 for (j = 0; j < SSL_MD_NUM_IDX; j++) 3494 ssl_evp_md_free(a->ssl_digest_methods[j]); 3495 for (j = 0; j < a->group_list_len; j++) { 3496 OPENSSL_free(a->group_list[j].tlsname); 3497 OPENSSL_free(a->group_list[j].realname); 3498 OPENSSL_free(a->group_list[j].algorithm); 3499 } 3500 OPENSSL_free(a->group_list); 3501 3502 OPENSSL_free(a->sigalg_lookup_cache); 3503 3504 CRYPTO_THREAD_lock_free(a->lock); 3505 #ifdef TSAN_REQUIRES_LOCKING 3506 CRYPTO_THREAD_lock_free(a->tsan_lock); 3507 #endif 3508 3509 OPENSSL_free(a->propq); 3510 3511 OPENSSL_free(a); 3512 } 3513 3514 void SSL_CTX_set_default_passwd_cb(SSL_CTX *ctx, pem_password_cb *cb) 3515 { 3516 ctx->default_passwd_callback = cb; 3517 } 3518 3519 void SSL_CTX_set_default_passwd_cb_userdata(SSL_CTX *ctx, void *u) 3520 { 3521 ctx->default_passwd_callback_userdata = u; 3522 } 3523 3524 pem_password_cb *SSL_CTX_get_default_passwd_cb(SSL_CTX *ctx) 3525 { 3526 return ctx->default_passwd_callback; 3527 } 3528 3529 void *SSL_CTX_get_default_passwd_cb_userdata(SSL_CTX *ctx) 3530 { 3531 return ctx->default_passwd_callback_userdata; 3532 } 3533 3534 void SSL_set_default_passwd_cb(SSL *s, pem_password_cb *cb) 3535 { 3536 s->default_passwd_callback = cb; 3537 } 3538 3539 void SSL_set_default_passwd_cb_userdata(SSL *s, void *u) 3540 { 3541 s->default_passwd_callback_userdata = u; 3542 } 3543 3544 pem_password_cb *SSL_get_default_passwd_cb(SSL *s) 3545 { 3546 return s->default_passwd_callback; 3547 } 3548 3549 void *SSL_get_default_passwd_cb_userdata(SSL *s) 3550 { 3551 return s->default_passwd_callback_userdata; 3552 } 3553 3554 void SSL_CTX_set_cert_verify_callback(SSL_CTX *ctx, 3555 int (*cb) (X509_STORE_CTX *, void *), 3556 void *arg) 3557 { 3558 ctx->app_verify_callback = cb; 3559 ctx->app_verify_arg = arg; 3560 } 3561 3562 void SSL_CTX_set_verify(SSL_CTX *ctx, int mode, 3563 int (*cb) (int, X509_STORE_CTX *)) 3564 { 3565 ctx->verify_mode = mode; 3566 ctx->default_verify_callback = cb; 3567 } 3568 3569 void SSL_CTX_set_verify_depth(SSL_CTX *ctx, int depth) 3570 { 3571 X509_VERIFY_PARAM_set_depth(ctx->param, depth); 3572 } 3573 3574 void SSL_CTX_set_cert_cb(SSL_CTX *c, int (*cb) (SSL *ssl, void *arg), void *arg) 3575 { 3576 ssl_cert_set_cert_cb(c->cert, cb, arg); 3577 } 3578 3579 void SSL_set_cert_cb(SSL *s, int (*cb) (SSL *ssl, void *arg), void *arg) 3580 { 3581 ssl_cert_set_cert_cb(s->cert, cb, arg); 3582 } 3583 3584 void ssl_set_masks(SSL *s) 3585 { 3586 CERT *c = s->cert; 3587 uint32_t *pvalid = s->s3.tmp.valid_flags; 3588 int rsa_enc, rsa_sign, dh_tmp, dsa_sign; 3589 unsigned long mask_k, mask_a; 3590 int have_ecc_cert, ecdsa_ok; 3591 3592 if (c == NULL) 3593 return; 3594 3595 dh_tmp = (c->dh_tmp != NULL 3596 || c->dh_tmp_cb != NULL 3597 || c->dh_tmp_auto); 3598 3599 rsa_enc = pvalid[SSL_PKEY_RSA] & CERT_PKEY_VALID; 3600 rsa_sign = pvalid[SSL_PKEY_RSA] & CERT_PKEY_VALID; 3601 dsa_sign = pvalid[SSL_PKEY_DSA_SIGN] & CERT_PKEY_VALID; 3602 have_ecc_cert = pvalid[SSL_PKEY_ECC] & CERT_PKEY_VALID; 3603 mask_k = 0; 3604 mask_a = 0; 3605 3606 OSSL_TRACE4(TLS_CIPHER, "dh_tmp=%d rsa_enc=%d rsa_sign=%d dsa_sign=%d\n", 3607 dh_tmp, rsa_enc, rsa_sign, dsa_sign); 3608 3609 #ifndef OPENSSL_NO_GOST 3610 if (ssl_has_cert(s, SSL_PKEY_GOST12_512)) { 3611 mask_k |= SSL_kGOST | SSL_kGOST18; 3612 mask_a |= SSL_aGOST12; 3613 } 3614 if (ssl_has_cert(s, SSL_PKEY_GOST12_256)) { 3615 mask_k |= SSL_kGOST | SSL_kGOST18; 3616 mask_a |= SSL_aGOST12; 3617 } 3618 if (ssl_has_cert(s, SSL_PKEY_GOST01)) { 3619 mask_k |= SSL_kGOST; 3620 mask_a |= SSL_aGOST01; 3621 } 3622 #endif 3623 3624 if (rsa_enc) 3625 mask_k |= SSL_kRSA; 3626 3627 if (dh_tmp) 3628 mask_k |= SSL_kDHE; 3629 3630 /* 3631 * If we only have an RSA-PSS certificate allow RSA authentication 3632 * if TLS 1.2 and peer supports it. 3633 */ 3634 3635 if (rsa_enc || rsa_sign || (ssl_has_cert(s, SSL_PKEY_RSA_PSS_SIGN) 3636 && pvalid[SSL_PKEY_RSA_PSS_SIGN] & CERT_PKEY_EXPLICIT_SIGN 3637 && TLS1_get_version(s) == TLS1_2_VERSION)) 3638 mask_a |= SSL_aRSA; 3639 3640 if (dsa_sign) { 3641 mask_a |= SSL_aDSS; 3642 } 3643 3644 mask_a |= SSL_aNULL; 3645 3646 /* 3647 * An ECC certificate may be usable for ECDH and/or ECDSA cipher suites 3648 * depending on the key usage extension. 3649 */ 3650 if (have_ecc_cert) { 3651 uint32_t ex_kusage; 3652 ex_kusage = X509_get_key_usage(c->pkeys[SSL_PKEY_ECC].x509); 3653 ecdsa_ok = ex_kusage & X509v3_KU_DIGITAL_SIGNATURE; 3654 if (!(pvalid[SSL_PKEY_ECC] & CERT_PKEY_SIGN)) 3655 ecdsa_ok = 0; 3656 if (ecdsa_ok) 3657 mask_a |= SSL_aECDSA; 3658 } 3659 /* Allow Ed25519 for TLS 1.2 if peer supports it */ 3660 if (!(mask_a & SSL_aECDSA) && ssl_has_cert(s, SSL_PKEY_ED25519) 3661 && pvalid[SSL_PKEY_ED25519] & CERT_PKEY_EXPLICIT_SIGN 3662 && TLS1_get_version(s) == TLS1_2_VERSION) 3663 mask_a |= SSL_aECDSA; 3664 3665 /* Allow Ed448 for TLS 1.2 if peer supports it */ 3666 if (!(mask_a & SSL_aECDSA) && ssl_has_cert(s, SSL_PKEY_ED448) 3667 && pvalid[SSL_PKEY_ED448] & CERT_PKEY_EXPLICIT_SIGN 3668 && TLS1_get_version(s) == TLS1_2_VERSION) 3669 mask_a |= SSL_aECDSA; 3670 3671 mask_k |= SSL_kECDHE; 3672 3673 #ifndef OPENSSL_NO_PSK 3674 mask_k |= SSL_kPSK; 3675 mask_a |= SSL_aPSK; 3676 if (mask_k & SSL_kRSA) 3677 mask_k |= SSL_kRSAPSK; 3678 if (mask_k & SSL_kDHE) 3679 mask_k |= SSL_kDHEPSK; 3680 if (mask_k & SSL_kECDHE) 3681 mask_k |= SSL_kECDHEPSK; 3682 #endif 3683 3684 s->s3.tmp.mask_k = mask_k; 3685 s->s3.tmp.mask_a = mask_a; 3686 } 3687 3688 int ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s) 3689 { 3690 if (s->s3.tmp.new_cipher->algorithm_auth & SSL_aECDSA) { 3691 /* key usage, if present, must allow signing */ 3692 if (!(X509_get_key_usage(x) & X509v3_KU_DIGITAL_SIGNATURE)) { 3693 ERR_raise(ERR_LIB_SSL, SSL_R_ECC_CERT_NOT_FOR_SIGNING); 3694 return 0; 3695 } 3696 } 3697 return 1; /* all checks are ok */ 3698 } 3699 3700 int ssl_get_server_cert_serverinfo(SSL *s, const unsigned char **serverinfo, 3701 size_t *serverinfo_length) 3702 { 3703 CERT_PKEY *cpk = s->s3.tmp.cert; 3704 *serverinfo_length = 0; 3705 3706 if (cpk == NULL || cpk->serverinfo == NULL) 3707 return 0; 3708 3709 *serverinfo = cpk->serverinfo; 3710 *serverinfo_length = cpk->serverinfo_length; 3711 return 1; 3712 } 3713 3714 void ssl_update_cache(SSL *s, int mode) 3715 { 3716 int i; 3717 3718 /* 3719 * If the session_id_length is 0, we are not supposed to cache it, and it 3720 * would be rather hard to do anyway :-) 3721 */ 3722 if (s->session->session_id_length == 0) 3723 return; 3724 3725 /* 3726 * If sid_ctx_length is 0 there is no specific application context 3727 * associated with this session, so when we try to resume it and 3728 * SSL_VERIFY_PEER is requested to verify the client identity, we have no 3729 * indication that this is actually a session for the proper application 3730 * context, and the *handshake* will fail, not just the resumption attempt. 3731 * Do not cache (on the server) these sessions that are not resumable 3732 * (clients can set SSL_VERIFY_PEER without needing a sid_ctx set). 3733 */ 3734 if (s->server && s->session->sid_ctx_length == 0 3735 && (s->verify_mode & SSL_VERIFY_PEER) != 0) 3736 return; 3737 3738 i = s->session_ctx->session_cache_mode; 3739 if ((i & mode) != 0 3740 && (!s->hit || SSL_IS_TLS13(s))) { 3741 /* 3742 * Add the session to the internal cache. In server side TLSv1.3 we 3743 * normally don't do this because by default it's a full stateless ticket 3744 * with only a dummy session id so there is no reason to cache it, 3745 * unless: 3746 * - we are doing early_data, in which case we cache so that we can 3747 * detect replays 3748 * - the application has set a remove_session_cb so needs to know about 3749 * session timeout events 3750 * - SSL_OP_NO_TICKET is set in which case it is a stateful ticket 3751 */ 3752 if ((i & SSL_SESS_CACHE_NO_INTERNAL_STORE) == 0 3753 && (!SSL_IS_TLS13(s) 3754 || !s->server 3755 || (s->max_early_data > 0 3756 && (s->options & SSL_OP_NO_ANTI_REPLAY) == 0) 3757 || s->session_ctx->remove_session_cb != NULL 3758 || (s->options & SSL_OP_NO_TICKET) != 0)) 3759 SSL_CTX_add_session(s->session_ctx, s->session); 3760 3761 /* 3762 * Add the session to the external cache. We do this even in server side 3763 * TLSv1.3 without early data because some applications just want to 3764 * know about the creation of a session and aren't doing a full cache. 3765 */ 3766 if (s->session_ctx->new_session_cb != NULL) { 3767 SSL_SESSION_up_ref(s->session); 3768 if (!s->session_ctx->new_session_cb(s, s->session)) 3769 SSL_SESSION_free(s->session); 3770 } 3771 } 3772 3773 /* auto flush every 255 connections */ 3774 if ((!(i & SSL_SESS_CACHE_NO_AUTO_CLEAR)) && ((i & mode) == mode)) { 3775 TSAN_QUALIFIER int *stat; 3776 3777 if (mode & SSL_SESS_CACHE_CLIENT) 3778 stat = &s->session_ctx->stats.sess_connect_good; 3779 else 3780 stat = &s->session_ctx->stats.sess_accept_good; 3781 if ((ssl_tsan_load(s->session_ctx, stat) & 0xff) == 0xff) 3782 SSL_CTX_flush_sessions(s->session_ctx, (unsigned long)time(NULL)); 3783 } 3784 } 3785 3786 const SSL_METHOD *SSL_CTX_get_ssl_method(const SSL_CTX *ctx) 3787 { 3788 return ctx->method; 3789 } 3790 3791 const SSL_METHOD *SSL_get_ssl_method(const SSL *s) 3792 { 3793 return s->method; 3794 } 3795 3796 int SSL_set_ssl_method(SSL *s, const SSL_METHOD *meth) 3797 { 3798 int ret = 1; 3799 3800 if (s->method != meth) { 3801 const SSL_METHOD *sm = s->method; 3802 int (*hf) (SSL *) = s->handshake_func; 3803 3804 if (sm->version == meth->version) 3805 s->method = meth; 3806 else { 3807 sm->ssl_free(s); 3808 s->method = meth; 3809 ret = s->method->ssl_new(s); 3810 } 3811 3812 if (hf == sm->ssl_connect) 3813 s->handshake_func = meth->ssl_connect; 3814 else if (hf == sm->ssl_accept) 3815 s->handshake_func = meth->ssl_accept; 3816 } 3817 return ret; 3818 } 3819 3820 int SSL_get_error(const SSL *s, int i) 3821 { 3822 int reason; 3823 unsigned long l; 3824 BIO *bio; 3825 3826 if (i > 0) 3827 return SSL_ERROR_NONE; 3828 3829 /* 3830 * Make things return SSL_ERROR_SYSCALL when doing SSL_do_handshake etc, 3831 * where we do encode the error 3832 */ 3833 if ((l = ERR_peek_error()) != 0) { 3834 if (ERR_GET_LIB(l) == ERR_LIB_SYS) 3835 return SSL_ERROR_SYSCALL; 3836 else 3837 return SSL_ERROR_SSL; 3838 } 3839 3840 if (SSL_want_read(s)) { 3841 bio = SSL_get_rbio(s); 3842 if (BIO_should_read(bio)) 3843 return SSL_ERROR_WANT_READ; 3844 else if (BIO_should_write(bio)) 3845 /* 3846 * This one doesn't make too much sense ... We never try to write 3847 * to the rbio, and an application program where rbio and wbio 3848 * are separate couldn't even know what it should wait for. 3849 * However if we ever set s->rwstate incorrectly (so that we have 3850 * SSL_want_read(s) instead of SSL_want_write(s)) and rbio and 3851 * wbio *are* the same, this test works around that bug; so it 3852 * might be safer to keep it. 3853 */ 3854 return SSL_ERROR_WANT_WRITE; 3855 else if (BIO_should_io_special(bio)) { 3856 reason = BIO_get_retry_reason(bio); 3857 if (reason == BIO_RR_CONNECT) 3858 return SSL_ERROR_WANT_CONNECT; 3859 else if (reason == BIO_RR_ACCEPT) 3860 return SSL_ERROR_WANT_ACCEPT; 3861 else 3862 return SSL_ERROR_SYSCALL; /* unknown */ 3863 } 3864 } 3865 3866 if (SSL_want_write(s)) { 3867 /* Access wbio directly - in order to use the buffered bio if present */ 3868 bio = s->wbio; 3869 if (BIO_should_write(bio)) 3870 return SSL_ERROR_WANT_WRITE; 3871 else if (BIO_should_read(bio)) 3872 /* 3873 * See above (SSL_want_read(s) with BIO_should_write(bio)) 3874 */ 3875 return SSL_ERROR_WANT_READ; 3876 else if (BIO_should_io_special(bio)) { 3877 reason = BIO_get_retry_reason(bio); 3878 if (reason == BIO_RR_CONNECT) 3879 return SSL_ERROR_WANT_CONNECT; 3880 else if (reason == BIO_RR_ACCEPT) 3881 return SSL_ERROR_WANT_ACCEPT; 3882 else 3883 return SSL_ERROR_SYSCALL; 3884 } 3885 } 3886 if (SSL_want_x509_lookup(s)) 3887 return SSL_ERROR_WANT_X509_LOOKUP; 3888 if (SSL_want_retry_verify(s)) 3889 return SSL_ERROR_WANT_RETRY_VERIFY; 3890 if (SSL_want_async(s)) 3891 return SSL_ERROR_WANT_ASYNC; 3892 if (SSL_want_async_job(s)) 3893 return SSL_ERROR_WANT_ASYNC_JOB; 3894 if (SSL_want_client_hello_cb(s)) 3895 return SSL_ERROR_WANT_CLIENT_HELLO_CB; 3896 3897 if ((s->shutdown & SSL_RECEIVED_SHUTDOWN) && 3898 (s->s3.warn_alert == SSL_AD_CLOSE_NOTIFY)) 3899 return SSL_ERROR_ZERO_RETURN; 3900 3901 return SSL_ERROR_SYSCALL; 3902 } 3903 3904 static int ssl_do_handshake_intern(void *vargs) 3905 { 3906 struct ssl_async_args *args; 3907 SSL *s; 3908 3909 args = (struct ssl_async_args *)vargs; 3910 s = args->s; 3911 3912 return s->handshake_func(s); 3913 } 3914 3915 int SSL_do_handshake(SSL *s) 3916 { 3917 int ret = 1; 3918 3919 if (s->handshake_func == NULL) { 3920 ERR_raise(ERR_LIB_SSL, SSL_R_CONNECTION_TYPE_NOT_SET); 3921 return -1; 3922 } 3923 3924 ossl_statem_check_finish_init(s, -1); 3925 3926 s->method->ssl_renegotiate_check(s, 0); 3927 3928 if (SSL_in_init(s) || SSL_in_before(s)) { 3929 if ((s->mode & SSL_MODE_ASYNC) && ASYNC_get_current_job() == NULL) { 3930 struct ssl_async_args args; 3931 3932 memset(&args, 0, sizeof(args)); 3933 args.s = s; 3934 3935 ret = ssl_start_async_job(s, &args, ssl_do_handshake_intern); 3936 } else { 3937 ret = s->handshake_func(s); 3938 } 3939 } 3940 return ret; 3941 } 3942 3943 void SSL_set_accept_state(SSL *s) 3944 { 3945 s->server = 1; 3946 s->shutdown = 0; 3947 ossl_statem_clear(s); 3948 s->handshake_func = s->method->ssl_accept; 3949 clear_ciphers(s); 3950 } 3951 3952 void SSL_set_connect_state(SSL *s) 3953 { 3954 s->server = 0; 3955 s->shutdown = 0; 3956 ossl_statem_clear(s); 3957 s->handshake_func = s->method->ssl_connect; 3958 clear_ciphers(s); 3959 } 3960 3961 int ssl_undefined_function(SSL *s) 3962 { 3963 ERR_raise(ERR_LIB_SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 3964 return 0; 3965 } 3966 3967 int ssl_undefined_void_function(void) 3968 { 3969 ERR_raise(ERR_LIB_SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 3970 return 0; 3971 } 3972 3973 int ssl_undefined_const_function(const SSL *s) 3974 { 3975 return 0; 3976 } 3977 3978 const SSL_METHOD *ssl_bad_method(int ver) 3979 { 3980 ERR_raise(ERR_LIB_SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 3981 return NULL; 3982 } 3983 3984 const char *ssl_protocol_to_string(int version) 3985 { 3986 switch(version) 3987 { 3988 case TLS1_3_VERSION: 3989 return "TLSv1.3"; 3990 3991 case TLS1_2_VERSION: 3992 return "TLSv1.2"; 3993 3994 case TLS1_1_VERSION: 3995 return "TLSv1.1"; 3996 3997 case TLS1_VERSION: 3998 return "TLSv1"; 3999 4000 case SSL3_VERSION: 4001 return "SSLv3"; 4002 4003 case DTLS1_BAD_VER: 4004 return "DTLSv0.9"; 4005 4006 case DTLS1_VERSION: 4007 return "DTLSv1"; 4008 4009 case DTLS1_2_VERSION: 4010 return "DTLSv1.2"; 4011 4012 default: 4013 return "unknown"; 4014 } 4015 } 4016 4017 const char *SSL_get_version(const SSL *s) 4018 { 4019 return ssl_protocol_to_string(s->version); 4020 } 4021 4022 static int dup_ca_names(STACK_OF(X509_NAME) **dst, STACK_OF(X509_NAME) *src) 4023 { 4024 STACK_OF(X509_NAME) *sk; 4025 X509_NAME *xn; 4026 int i; 4027 4028 if (src == NULL) { 4029 *dst = NULL; 4030 return 1; 4031 } 4032 4033 if ((sk = sk_X509_NAME_new_null()) == NULL) 4034 return 0; 4035 for (i = 0; i < sk_X509_NAME_num(src); i++) { 4036 xn = X509_NAME_dup(sk_X509_NAME_value(src, i)); 4037 if (xn == NULL) { 4038 sk_X509_NAME_pop_free(sk, X509_NAME_free); 4039 return 0; 4040 } 4041 if (sk_X509_NAME_insert(sk, xn, i) == 0) { 4042 X509_NAME_free(xn); 4043 sk_X509_NAME_pop_free(sk, X509_NAME_free); 4044 return 0; 4045 } 4046 } 4047 *dst = sk; 4048 4049 return 1; 4050 } 4051 4052 SSL *SSL_dup(SSL *s) 4053 { 4054 SSL *ret; 4055 int i; 4056 4057 /* If we're not quiescent, just up_ref! */ 4058 if (!SSL_in_init(s) || !SSL_in_before(s)) { 4059 CRYPTO_UP_REF(&s->references, &i, s->lock); 4060 return s; 4061 } 4062 4063 /* 4064 * Otherwise, copy configuration state, and session if set. 4065 */ 4066 if ((ret = SSL_new(SSL_get_SSL_CTX(s))) == NULL) 4067 return NULL; 4068 4069 if (s->session != NULL) { 4070 /* 4071 * Arranges to share the same session via up_ref. This "copies" 4072 * session-id, SSL_METHOD, sid_ctx, and 'cert' 4073 */ 4074 if (!SSL_copy_session_id(ret, s)) 4075 goto err; 4076 } else { 4077 /* 4078 * No session has been established yet, so we have to expect that 4079 * s->cert or ret->cert will be changed later -- they should not both 4080 * point to the same object, and thus we can't use 4081 * SSL_copy_session_id. 4082 */ 4083 if (!SSL_set_ssl_method(ret, s->method)) 4084 goto err; 4085 4086 if (s->cert != NULL) { 4087 ssl_cert_free(ret->cert); 4088 ret->cert = ssl_cert_dup(s->cert); 4089 if (ret->cert == NULL) 4090 goto err; 4091 } 4092 4093 if (!SSL_set_session_id_context(ret, s->sid_ctx, 4094 (int)s->sid_ctx_length)) 4095 goto err; 4096 } 4097 4098 if (!ssl_dane_dup(ret, s)) 4099 goto err; 4100 ret->version = s->version; 4101 ret->options = s->options; 4102 ret->min_proto_version = s->min_proto_version; 4103 ret->max_proto_version = s->max_proto_version; 4104 ret->mode = s->mode; 4105 SSL_set_max_cert_list(ret, SSL_get_max_cert_list(s)); 4106 SSL_set_read_ahead(ret, SSL_get_read_ahead(s)); 4107 ret->msg_callback = s->msg_callback; 4108 ret->msg_callback_arg = s->msg_callback_arg; 4109 SSL_set_verify(ret, SSL_get_verify_mode(s), SSL_get_verify_callback(s)); 4110 SSL_set_verify_depth(ret, SSL_get_verify_depth(s)); 4111 ret->generate_session_id = s->generate_session_id; 4112 4113 SSL_set_info_callback(ret, SSL_get_info_callback(s)); 4114 4115 /* copy app data, a little dangerous perhaps */ 4116 if (!CRYPTO_dup_ex_data(CRYPTO_EX_INDEX_SSL, &ret->ex_data, &s->ex_data)) 4117 goto err; 4118 4119 ret->server = s->server; 4120 if (s->handshake_func) { 4121 if (s->server) 4122 SSL_set_accept_state(ret); 4123 else 4124 SSL_set_connect_state(ret); 4125 } 4126 ret->shutdown = s->shutdown; 4127 ret->hit = s->hit; 4128 4129 ret->default_passwd_callback = s->default_passwd_callback; 4130 ret->default_passwd_callback_userdata = s->default_passwd_callback_userdata; 4131 4132 X509_VERIFY_PARAM_inherit(ret->param, s->param); 4133 4134 /* dup the cipher_list and cipher_list_by_id stacks */ 4135 if (s->cipher_list != NULL) { 4136 if ((ret->cipher_list = sk_SSL_CIPHER_dup(s->cipher_list)) == NULL) 4137 goto err; 4138 } 4139 if (s->cipher_list_by_id != NULL) 4140 if ((ret->cipher_list_by_id = sk_SSL_CIPHER_dup(s->cipher_list_by_id)) 4141 == NULL) 4142 goto err; 4143 4144 /* Dup the client_CA list */ 4145 if (!dup_ca_names(&ret->ca_names, s->ca_names) 4146 || !dup_ca_names(&ret->client_ca_names, s->client_ca_names)) 4147 goto err; 4148 4149 return ret; 4150 4151 err: 4152 SSL_free(ret); 4153 return NULL; 4154 } 4155 4156 void ssl_clear_cipher_ctx(SSL *s) 4157 { 4158 if (s->enc_read_ctx != NULL) { 4159 EVP_CIPHER_CTX_free(s->enc_read_ctx); 4160 s->enc_read_ctx = NULL; 4161 } 4162 if (s->enc_write_ctx != NULL) { 4163 EVP_CIPHER_CTX_free(s->enc_write_ctx); 4164 s->enc_write_ctx = NULL; 4165 } 4166 #ifndef OPENSSL_NO_COMP 4167 COMP_CTX_free(s->expand); 4168 s->expand = NULL; 4169 COMP_CTX_free(s->compress); 4170 s->compress = NULL; 4171 #endif 4172 } 4173 4174 X509 *SSL_get_certificate(const SSL *s) 4175 { 4176 if (s->cert != NULL) 4177 return s->cert->key->x509; 4178 else 4179 return NULL; 4180 } 4181 4182 EVP_PKEY *SSL_get_privatekey(const SSL *s) 4183 { 4184 if (s->cert != NULL) 4185 return s->cert->key->privatekey; 4186 else 4187 return NULL; 4188 } 4189 4190 X509 *SSL_CTX_get0_certificate(const SSL_CTX *ctx) 4191 { 4192 if (ctx->cert != NULL) 4193 return ctx->cert->key->x509; 4194 else 4195 return NULL; 4196 } 4197 4198 EVP_PKEY *SSL_CTX_get0_privatekey(const SSL_CTX *ctx) 4199 { 4200 if (ctx->cert != NULL) 4201 return ctx->cert->key->privatekey; 4202 else 4203 return NULL; 4204 } 4205 4206 const SSL_CIPHER *SSL_get_current_cipher(const SSL *s) 4207 { 4208 if ((s->session != NULL) && (s->session->cipher != NULL)) 4209 return s->session->cipher; 4210 return NULL; 4211 } 4212 4213 const SSL_CIPHER *SSL_get_pending_cipher(const SSL *s) 4214 { 4215 return s->s3.tmp.new_cipher; 4216 } 4217 4218 const COMP_METHOD *SSL_get_current_compression(const SSL *s) 4219 { 4220 #ifndef OPENSSL_NO_COMP 4221 return s->compress ? COMP_CTX_get_method(s->compress) : NULL; 4222 #else 4223 return NULL; 4224 #endif 4225 } 4226 4227 const COMP_METHOD *SSL_get_current_expansion(const SSL *s) 4228 { 4229 #ifndef OPENSSL_NO_COMP 4230 return s->expand ? COMP_CTX_get_method(s->expand) : NULL; 4231 #else 4232 return NULL; 4233 #endif 4234 } 4235 4236 int ssl_init_wbio_buffer(SSL *s) 4237 { 4238 BIO *bbio; 4239 4240 if (s->bbio != NULL) { 4241 /* Already buffered. */ 4242 return 1; 4243 } 4244 4245 bbio = BIO_new(BIO_f_buffer()); 4246 if (bbio == NULL || BIO_set_read_buffer_size(bbio, 1) <= 0) { 4247 BIO_free(bbio); 4248 ERR_raise(ERR_LIB_SSL, ERR_R_BUF_LIB); 4249 return 0; 4250 } 4251 s->bbio = bbio; 4252 s->wbio = BIO_push(bbio, s->wbio); 4253 4254 return 1; 4255 } 4256 4257 int ssl_free_wbio_buffer(SSL *s) 4258 { 4259 /* callers ensure s is never null */ 4260 if (s->bbio == NULL) 4261 return 1; 4262 4263 s->wbio = BIO_pop(s->wbio); 4264 BIO_free(s->bbio); 4265 s->bbio = NULL; 4266 4267 return 1; 4268 } 4269 4270 void SSL_CTX_set_quiet_shutdown(SSL_CTX *ctx, int mode) 4271 { 4272 ctx->quiet_shutdown = mode; 4273 } 4274 4275 int SSL_CTX_get_quiet_shutdown(const SSL_CTX *ctx) 4276 { 4277 return ctx->quiet_shutdown; 4278 } 4279 4280 void SSL_set_quiet_shutdown(SSL *s, int mode) 4281 { 4282 s->quiet_shutdown = mode; 4283 } 4284 4285 int SSL_get_quiet_shutdown(const SSL *s) 4286 { 4287 return s->quiet_shutdown; 4288 } 4289 4290 void SSL_set_shutdown(SSL *s, int mode) 4291 { 4292 s->shutdown = mode; 4293 } 4294 4295 int SSL_get_shutdown(const SSL *s) 4296 { 4297 return s->shutdown; 4298 } 4299 4300 int SSL_version(const SSL *s) 4301 { 4302 return s->version; 4303 } 4304 4305 int SSL_client_version(const SSL *s) 4306 { 4307 return s->client_version; 4308 } 4309 4310 SSL_CTX *SSL_get_SSL_CTX(const SSL *ssl) 4311 { 4312 return ssl->ctx; 4313 } 4314 4315 SSL_CTX *SSL_set_SSL_CTX(SSL *ssl, SSL_CTX *ctx) 4316 { 4317 CERT *new_cert; 4318 if (ssl->ctx == ctx) 4319 return ssl->ctx; 4320 if (ctx == NULL) 4321 ctx = ssl->session_ctx; 4322 new_cert = ssl_cert_dup(ctx->cert); 4323 if (new_cert == NULL) { 4324 return NULL; 4325 } 4326 4327 if (!custom_exts_copy_flags(&new_cert->custext, &ssl->cert->custext)) { 4328 ssl_cert_free(new_cert); 4329 return NULL; 4330 } 4331 4332 ssl_cert_free(ssl->cert); 4333 ssl->cert = new_cert; 4334 4335 /* 4336 * Program invariant: |sid_ctx| has fixed size (SSL_MAX_SID_CTX_LENGTH), 4337 * so setter APIs must prevent invalid lengths from entering the system. 4338 */ 4339 if (!ossl_assert(ssl->sid_ctx_length <= sizeof(ssl->sid_ctx))) 4340 return NULL; 4341 4342 /* 4343 * If the session ID context matches that of the parent SSL_CTX, 4344 * inherit it from the new SSL_CTX as well. If however the context does 4345 * not match (i.e., it was set per-ssl with SSL_set_session_id_context), 4346 * leave it unchanged. 4347 */ 4348 if ((ssl->ctx != NULL) && 4349 (ssl->sid_ctx_length == ssl->ctx->sid_ctx_length) && 4350 (memcmp(ssl->sid_ctx, ssl->ctx->sid_ctx, ssl->sid_ctx_length) == 0)) { 4351 ssl->sid_ctx_length = ctx->sid_ctx_length; 4352 memcpy(&ssl->sid_ctx, &ctx->sid_ctx, sizeof(ssl->sid_ctx)); 4353 } 4354 4355 SSL_CTX_up_ref(ctx); 4356 SSL_CTX_free(ssl->ctx); /* decrement reference count */ 4357 ssl->ctx = ctx; 4358 4359 return ssl->ctx; 4360 } 4361 4362 int SSL_CTX_set_default_verify_paths(SSL_CTX *ctx) 4363 { 4364 return X509_STORE_set_default_paths_ex(ctx->cert_store, ctx->libctx, 4365 ctx->propq); 4366 } 4367 4368 int SSL_CTX_set_default_verify_dir(SSL_CTX *ctx) 4369 { 4370 X509_LOOKUP *lookup; 4371 4372 lookup = X509_STORE_add_lookup(ctx->cert_store, X509_LOOKUP_hash_dir()); 4373 if (lookup == NULL) 4374 return 0; 4375 4376 /* We ignore errors, in case the directory doesn't exist */ 4377 ERR_set_mark(); 4378 4379 X509_LOOKUP_add_dir(lookup, NULL, X509_FILETYPE_DEFAULT); 4380 4381 ERR_pop_to_mark(); 4382 4383 return 1; 4384 } 4385 4386 int SSL_CTX_set_default_verify_file(SSL_CTX *ctx) 4387 { 4388 X509_LOOKUP *lookup; 4389 4390 lookup = X509_STORE_add_lookup(ctx->cert_store, X509_LOOKUP_file()); 4391 if (lookup == NULL) 4392 return 0; 4393 4394 /* We ignore errors, in case the file doesn't exist */ 4395 ERR_set_mark(); 4396 4397 X509_LOOKUP_load_file_ex(lookup, NULL, X509_FILETYPE_DEFAULT, ctx->libctx, 4398 ctx->propq); 4399 4400 ERR_pop_to_mark(); 4401 4402 return 1; 4403 } 4404 4405 int SSL_CTX_set_default_verify_store(SSL_CTX *ctx) 4406 { 4407 X509_LOOKUP *lookup; 4408 4409 lookup = X509_STORE_add_lookup(ctx->cert_store, X509_LOOKUP_store()); 4410 if (lookup == NULL) 4411 return 0; 4412 4413 /* We ignore errors, in case the directory doesn't exist */ 4414 ERR_set_mark(); 4415 4416 X509_LOOKUP_add_store_ex(lookup, NULL, ctx->libctx, ctx->propq); 4417 4418 ERR_pop_to_mark(); 4419 4420 return 1; 4421 } 4422 4423 int SSL_CTX_load_verify_file(SSL_CTX *ctx, const char *CAfile) 4424 { 4425 return X509_STORE_load_file_ex(ctx->cert_store, CAfile, ctx->libctx, 4426 ctx->propq); 4427 } 4428 4429 int SSL_CTX_load_verify_dir(SSL_CTX *ctx, const char *CApath) 4430 { 4431 return X509_STORE_load_path(ctx->cert_store, CApath); 4432 } 4433 4434 int SSL_CTX_load_verify_store(SSL_CTX *ctx, const char *CAstore) 4435 { 4436 return X509_STORE_load_store_ex(ctx->cert_store, CAstore, ctx->libctx, 4437 ctx->propq); 4438 } 4439 4440 int SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile, 4441 const char *CApath) 4442 { 4443 if (CAfile == NULL && CApath == NULL) 4444 return 0; 4445 if (CAfile != NULL && !SSL_CTX_load_verify_file(ctx, CAfile)) 4446 return 0; 4447 if (CApath != NULL && !SSL_CTX_load_verify_dir(ctx, CApath)) 4448 return 0; 4449 return 1; 4450 } 4451 4452 void SSL_set_info_callback(SSL *ssl, 4453 void (*cb) (const SSL *ssl, int type, int val)) 4454 { 4455 ssl->info_callback = cb; 4456 } 4457 4458 /* 4459 * One compiler (Diab DCC) doesn't like argument names in returned function 4460 * pointer. 4461 */ 4462 void (*SSL_get_info_callback(const SSL *ssl)) (const SSL * /* ssl */ , 4463 int /* type */ , 4464 int /* val */ ) { 4465 return ssl->info_callback; 4466 } 4467 4468 void SSL_set_verify_result(SSL *ssl, long arg) 4469 { 4470 ssl->verify_result = arg; 4471 } 4472 4473 long SSL_get_verify_result(const SSL *ssl) 4474 { 4475 return ssl->verify_result; 4476 } 4477 4478 size_t SSL_get_client_random(const SSL *ssl, unsigned char *out, size_t outlen) 4479 { 4480 if (outlen == 0) 4481 return sizeof(ssl->s3.client_random); 4482 if (outlen > sizeof(ssl->s3.client_random)) 4483 outlen = sizeof(ssl->s3.client_random); 4484 memcpy(out, ssl->s3.client_random, outlen); 4485 return outlen; 4486 } 4487 4488 size_t SSL_get_server_random(const SSL *ssl, unsigned char *out, size_t outlen) 4489 { 4490 if (outlen == 0) 4491 return sizeof(ssl->s3.server_random); 4492 if (outlen > sizeof(ssl->s3.server_random)) 4493 outlen = sizeof(ssl->s3.server_random); 4494 memcpy(out, ssl->s3.server_random, outlen); 4495 return outlen; 4496 } 4497 4498 size_t SSL_SESSION_get_master_key(const SSL_SESSION *session, 4499 unsigned char *out, size_t outlen) 4500 { 4501 if (outlen == 0) 4502 return session->master_key_length; 4503 if (outlen > session->master_key_length) 4504 outlen = session->master_key_length; 4505 memcpy(out, session->master_key, outlen); 4506 return outlen; 4507 } 4508 4509 int SSL_SESSION_set1_master_key(SSL_SESSION *sess, const unsigned char *in, 4510 size_t len) 4511 { 4512 if (len > sizeof(sess->master_key)) 4513 return 0; 4514 4515 memcpy(sess->master_key, in, len); 4516 sess->master_key_length = len; 4517 return 1; 4518 } 4519 4520 4521 int SSL_set_ex_data(SSL *s, int idx, void *arg) 4522 { 4523 return CRYPTO_set_ex_data(&s->ex_data, idx, arg); 4524 } 4525 4526 void *SSL_get_ex_data(const SSL *s, int idx) 4527 { 4528 return CRYPTO_get_ex_data(&s->ex_data, idx); 4529 } 4530 4531 int SSL_CTX_set_ex_data(SSL_CTX *s, int idx, void *arg) 4532 { 4533 return CRYPTO_set_ex_data(&s->ex_data, idx, arg); 4534 } 4535 4536 void *SSL_CTX_get_ex_data(const SSL_CTX *s, int idx) 4537 { 4538 return CRYPTO_get_ex_data(&s->ex_data, idx); 4539 } 4540 4541 X509_STORE *SSL_CTX_get_cert_store(const SSL_CTX *ctx) 4542 { 4543 return ctx->cert_store; 4544 } 4545 4546 void SSL_CTX_set_cert_store(SSL_CTX *ctx, X509_STORE *store) 4547 { 4548 X509_STORE_free(ctx->cert_store); 4549 ctx->cert_store = store; 4550 } 4551 4552 void SSL_CTX_set1_cert_store(SSL_CTX *ctx, X509_STORE *store) 4553 { 4554 if (store != NULL) 4555 X509_STORE_up_ref(store); 4556 SSL_CTX_set_cert_store(ctx, store); 4557 } 4558 4559 int SSL_want(const SSL *s) 4560 { 4561 return s->rwstate; 4562 } 4563 4564 #ifndef OPENSSL_NO_PSK 4565 int SSL_CTX_use_psk_identity_hint(SSL_CTX *ctx, const char *identity_hint) 4566 { 4567 if (identity_hint != NULL && strlen(identity_hint) > PSK_MAX_IDENTITY_LEN) { 4568 ERR_raise(ERR_LIB_SSL, SSL_R_DATA_LENGTH_TOO_LONG); 4569 return 0; 4570 } 4571 OPENSSL_free(ctx->cert->psk_identity_hint); 4572 if (identity_hint != NULL) { 4573 ctx->cert->psk_identity_hint = OPENSSL_strdup(identity_hint); 4574 if (ctx->cert->psk_identity_hint == NULL) 4575 return 0; 4576 } else 4577 ctx->cert->psk_identity_hint = NULL; 4578 return 1; 4579 } 4580 4581 int SSL_use_psk_identity_hint(SSL *s, const char *identity_hint) 4582 { 4583 if (s == NULL) 4584 return 0; 4585 4586 if (identity_hint != NULL && strlen(identity_hint) > PSK_MAX_IDENTITY_LEN) { 4587 ERR_raise(ERR_LIB_SSL, SSL_R_DATA_LENGTH_TOO_LONG); 4588 return 0; 4589 } 4590 OPENSSL_free(s->cert->psk_identity_hint); 4591 if (identity_hint != NULL) { 4592 s->cert->psk_identity_hint = OPENSSL_strdup(identity_hint); 4593 if (s->cert->psk_identity_hint == NULL) 4594 return 0; 4595 } else 4596 s->cert->psk_identity_hint = NULL; 4597 return 1; 4598 } 4599 4600 const char *SSL_get_psk_identity_hint(const SSL *s) 4601 { 4602 if (s == NULL || s->session == NULL) 4603 return NULL; 4604 return s->session->psk_identity_hint; 4605 } 4606 4607 const char *SSL_get_psk_identity(const SSL *s) 4608 { 4609 if (s == NULL || s->session == NULL) 4610 return NULL; 4611 return s->session->psk_identity; 4612 } 4613 4614 void SSL_set_psk_client_callback(SSL *s, SSL_psk_client_cb_func cb) 4615 { 4616 s->psk_client_callback = cb; 4617 } 4618 4619 void SSL_CTX_set_psk_client_callback(SSL_CTX *ctx, SSL_psk_client_cb_func cb) 4620 { 4621 ctx->psk_client_callback = cb; 4622 } 4623 4624 void SSL_set_psk_server_callback(SSL *s, SSL_psk_server_cb_func cb) 4625 { 4626 s->psk_server_callback = cb; 4627 } 4628 4629 void SSL_CTX_set_psk_server_callback(SSL_CTX *ctx, SSL_psk_server_cb_func cb) 4630 { 4631 ctx->psk_server_callback = cb; 4632 } 4633 #endif 4634 4635 void SSL_set_psk_find_session_callback(SSL *s, SSL_psk_find_session_cb_func cb) 4636 { 4637 s->psk_find_session_cb = cb; 4638 } 4639 4640 void SSL_CTX_set_psk_find_session_callback(SSL_CTX *ctx, 4641 SSL_psk_find_session_cb_func cb) 4642 { 4643 ctx->psk_find_session_cb = cb; 4644 } 4645 4646 void SSL_set_psk_use_session_callback(SSL *s, SSL_psk_use_session_cb_func cb) 4647 { 4648 s->psk_use_session_cb = cb; 4649 } 4650 4651 void SSL_CTX_set_psk_use_session_callback(SSL_CTX *ctx, 4652 SSL_psk_use_session_cb_func cb) 4653 { 4654 ctx->psk_use_session_cb = cb; 4655 } 4656 4657 void SSL_CTX_set_msg_callback(SSL_CTX *ctx, 4658 void (*cb) (int write_p, int version, 4659 int content_type, const void *buf, 4660 size_t len, SSL *ssl, void *arg)) 4661 { 4662 SSL_CTX_callback_ctrl(ctx, SSL_CTRL_SET_MSG_CALLBACK, (void (*)(void))cb); 4663 } 4664 4665 void SSL_set_msg_callback(SSL *ssl, 4666 void (*cb) (int write_p, int version, 4667 int content_type, const void *buf, 4668 size_t len, SSL *ssl, void *arg)) 4669 { 4670 SSL_callback_ctrl(ssl, SSL_CTRL_SET_MSG_CALLBACK, (void (*)(void))cb); 4671 } 4672 4673 void SSL_CTX_set_not_resumable_session_callback(SSL_CTX *ctx, 4674 int (*cb) (SSL *ssl, 4675 int 4676 is_forward_secure)) 4677 { 4678 SSL_CTX_callback_ctrl(ctx, SSL_CTRL_SET_NOT_RESUMABLE_SESS_CB, 4679 (void (*)(void))cb); 4680 } 4681 4682 void SSL_set_not_resumable_session_callback(SSL *ssl, 4683 int (*cb) (SSL *ssl, 4684 int is_forward_secure)) 4685 { 4686 SSL_callback_ctrl(ssl, SSL_CTRL_SET_NOT_RESUMABLE_SESS_CB, 4687 (void (*)(void))cb); 4688 } 4689 4690 void SSL_CTX_set_record_padding_callback(SSL_CTX *ctx, 4691 size_t (*cb) (SSL *ssl, int type, 4692 size_t len, void *arg)) 4693 { 4694 ctx->record_padding_cb = cb; 4695 } 4696 4697 void SSL_CTX_set_record_padding_callback_arg(SSL_CTX *ctx, void *arg) 4698 { 4699 ctx->record_padding_arg = arg; 4700 } 4701 4702 void *SSL_CTX_get_record_padding_callback_arg(const SSL_CTX *ctx) 4703 { 4704 return ctx->record_padding_arg; 4705 } 4706 4707 int SSL_CTX_set_block_padding(SSL_CTX *ctx, size_t block_size) 4708 { 4709 /* block size of 0 or 1 is basically no padding */ 4710 if (block_size == 1) 4711 ctx->block_padding = 0; 4712 else if (block_size <= SSL3_RT_MAX_PLAIN_LENGTH) 4713 ctx->block_padding = block_size; 4714 else 4715 return 0; 4716 return 1; 4717 } 4718 4719 int SSL_set_record_padding_callback(SSL *ssl, 4720 size_t (*cb) (SSL *ssl, int type, 4721 size_t len, void *arg)) 4722 { 4723 BIO *b; 4724 4725 b = SSL_get_wbio(ssl); 4726 if (b == NULL || !BIO_get_ktls_send(b)) { 4727 ssl->record_padding_cb = cb; 4728 return 1; 4729 } 4730 return 0; 4731 } 4732 4733 void SSL_set_record_padding_callback_arg(SSL *ssl, void *arg) 4734 { 4735 ssl->record_padding_arg = arg; 4736 } 4737 4738 void *SSL_get_record_padding_callback_arg(const SSL *ssl) 4739 { 4740 return ssl->record_padding_arg; 4741 } 4742 4743 int SSL_set_block_padding(SSL *ssl, size_t block_size) 4744 { 4745 /* block size of 0 or 1 is basically no padding */ 4746 if (block_size == 1) 4747 ssl->block_padding = 0; 4748 else if (block_size <= SSL3_RT_MAX_PLAIN_LENGTH) 4749 ssl->block_padding = block_size; 4750 else 4751 return 0; 4752 return 1; 4753 } 4754 4755 int SSL_set_num_tickets(SSL *s, size_t num_tickets) 4756 { 4757 s->num_tickets = num_tickets; 4758 4759 return 1; 4760 } 4761 4762 size_t SSL_get_num_tickets(const SSL *s) 4763 { 4764 return s->num_tickets; 4765 } 4766 4767 int SSL_CTX_set_num_tickets(SSL_CTX *ctx, size_t num_tickets) 4768 { 4769 ctx->num_tickets = num_tickets; 4770 4771 return 1; 4772 } 4773 4774 size_t SSL_CTX_get_num_tickets(const SSL_CTX *ctx) 4775 { 4776 return ctx->num_tickets; 4777 } 4778 4779 /* 4780 * Allocates new EVP_MD_CTX and sets pointer to it into given pointer 4781 * variable, freeing EVP_MD_CTX previously stored in that variable, if any. 4782 * If EVP_MD pointer is passed, initializes ctx with this |md|. 4783 * Returns the newly allocated ctx; 4784 */ 4785 4786 EVP_MD_CTX *ssl_replace_hash(EVP_MD_CTX **hash, const EVP_MD *md) 4787 { 4788 ssl_clear_hash_ctx(hash); 4789 *hash = EVP_MD_CTX_new(); 4790 if (*hash == NULL || (md && EVP_DigestInit_ex(*hash, md, NULL) <= 0)) { 4791 EVP_MD_CTX_free(*hash); 4792 *hash = NULL; 4793 return NULL; 4794 } 4795 return *hash; 4796 } 4797 4798 void ssl_clear_hash_ctx(EVP_MD_CTX **hash) 4799 { 4800 4801 EVP_MD_CTX_free(*hash); 4802 *hash = NULL; 4803 } 4804 4805 /* Retrieve handshake hashes */ 4806 int ssl_handshake_hash(SSL *s, unsigned char *out, size_t outlen, 4807 size_t *hashlen) 4808 { 4809 EVP_MD_CTX *ctx = NULL; 4810 EVP_MD_CTX *hdgst = s->s3.handshake_dgst; 4811 int hashleni = EVP_MD_CTX_get_size(hdgst); 4812 int ret = 0; 4813 4814 if (hashleni < 0 || (size_t)hashleni > outlen) { 4815 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 4816 goto err; 4817 } 4818 4819 ctx = EVP_MD_CTX_new(); 4820 if (ctx == NULL) { 4821 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 4822 goto err; 4823 } 4824 4825 if (!EVP_MD_CTX_copy_ex(ctx, hdgst) 4826 || EVP_DigestFinal_ex(ctx, out, NULL) <= 0) { 4827 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 4828 goto err; 4829 } 4830 4831 *hashlen = hashleni; 4832 4833 ret = 1; 4834 err: 4835 EVP_MD_CTX_free(ctx); 4836 return ret; 4837 } 4838 4839 int SSL_session_reused(const SSL *s) 4840 { 4841 return s->hit; 4842 } 4843 4844 int SSL_is_server(const SSL *s) 4845 { 4846 return s->server; 4847 } 4848 4849 #ifndef OPENSSL_NO_DEPRECATED_1_1_0 4850 void SSL_set_debug(SSL *s, int debug) 4851 { 4852 /* Old function was do-nothing anyway... */ 4853 (void)s; 4854 (void)debug; 4855 } 4856 #endif 4857 4858 void SSL_set_security_level(SSL *s, int level) 4859 { 4860 s->cert->sec_level = level; 4861 } 4862 4863 int SSL_get_security_level(const SSL *s) 4864 { 4865 return s->cert->sec_level; 4866 } 4867 4868 void SSL_set_security_callback(SSL *s, 4869 int (*cb) (const SSL *s, const SSL_CTX *ctx, 4870 int op, int bits, int nid, 4871 void *other, void *ex)) 4872 { 4873 s->cert->sec_cb = cb; 4874 } 4875 4876 int (*SSL_get_security_callback(const SSL *s)) (const SSL *s, 4877 const SSL_CTX *ctx, int op, 4878 int bits, int nid, void *other, 4879 void *ex) { 4880 return s->cert->sec_cb; 4881 } 4882 4883 void SSL_set0_security_ex_data(SSL *s, void *ex) 4884 { 4885 s->cert->sec_ex = ex; 4886 } 4887 4888 void *SSL_get0_security_ex_data(const SSL *s) 4889 { 4890 return s->cert->sec_ex; 4891 } 4892 4893 void SSL_CTX_set_security_level(SSL_CTX *ctx, int level) 4894 { 4895 ctx->cert->sec_level = level; 4896 } 4897 4898 int SSL_CTX_get_security_level(const SSL_CTX *ctx) 4899 { 4900 return ctx->cert->sec_level; 4901 } 4902 4903 void SSL_CTX_set_security_callback(SSL_CTX *ctx, 4904 int (*cb) (const SSL *s, const SSL_CTX *ctx, 4905 int op, int bits, int nid, 4906 void *other, void *ex)) 4907 { 4908 ctx->cert->sec_cb = cb; 4909 } 4910 4911 int (*SSL_CTX_get_security_callback(const SSL_CTX *ctx)) (const SSL *s, 4912 const SSL_CTX *ctx, 4913 int op, int bits, 4914 int nid, 4915 void *other, 4916 void *ex) { 4917 return ctx->cert->sec_cb; 4918 } 4919 4920 void SSL_CTX_set0_security_ex_data(SSL_CTX *ctx, void *ex) 4921 { 4922 ctx->cert->sec_ex = ex; 4923 } 4924 4925 void *SSL_CTX_get0_security_ex_data(const SSL_CTX *ctx) 4926 { 4927 return ctx->cert->sec_ex; 4928 } 4929 4930 uint64_t SSL_CTX_get_options(const SSL_CTX *ctx) 4931 { 4932 return ctx->options; 4933 } 4934 4935 uint64_t SSL_get_options(const SSL *s) 4936 { 4937 return s->options; 4938 } 4939 4940 uint64_t SSL_CTX_set_options(SSL_CTX *ctx, uint64_t op) 4941 { 4942 return ctx->options |= op; 4943 } 4944 4945 uint64_t SSL_set_options(SSL *s, uint64_t op) 4946 { 4947 return s->options |= op; 4948 } 4949 4950 uint64_t SSL_CTX_clear_options(SSL_CTX *ctx, uint64_t op) 4951 { 4952 return ctx->options &= ~op; 4953 } 4954 4955 uint64_t SSL_clear_options(SSL *s, uint64_t op) 4956 { 4957 return s->options &= ~op; 4958 } 4959 4960 STACK_OF(X509) *SSL_get0_verified_chain(const SSL *s) 4961 { 4962 return s->verified_chain; 4963 } 4964 4965 IMPLEMENT_OBJ_BSEARCH_GLOBAL_CMP_FN(SSL_CIPHER, SSL_CIPHER, ssl_cipher_id); 4966 4967 #ifndef OPENSSL_NO_CT 4968 4969 /* 4970 * Moves SCTs from the |src| stack to the |dst| stack. 4971 * The source of each SCT will be set to |origin|. 4972 * If |dst| points to a NULL pointer, a new stack will be created and owned by 4973 * the caller. 4974 * Returns the number of SCTs moved, or a negative integer if an error occurs. 4975 */ 4976 static int ct_move_scts(STACK_OF(SCT) **dst, STACK_OF(SCT) *src, 4977 sct_source_t origin) 4978 { 4979 int scts_moved = 0; 4980 SCT *sct = NULL; 4981 4982 if (*dst == NULL) { 4983 *dst = sk_SCT_new_null(); 4984 if (*dst == NULL) { 4985 ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE); 4986 goto err; 4987 } 4988 } 4989 4990 while ((sct = sk_SCT_pop(src)) != NULL) { 4991 if (SCT_set_source(sct, origin) != 1) 4992 goto err; 4993 4994 if (sk_SCT_push(*dst, sct) <= 0) 4995 goto err; 4996 scts_moved += 1; 4997 } 4998 4999 return scts_moved; 5000 err: 5001 if (sct != NULL) 5002 sk_SCT_push(src, sct); /* Put the SCT back */ 5003 return -1; 5004 } 5005 5006 /* 5007 * Look for data collected during ServerHello and parse if found. 5008 * Returns the number of SCTs extracted. 5009 */ 5010 static int ct_extract_tls_extension_scts(SSL *s) 5011 { 5012 int scts_extracted = 0; 5013 5014 if (s->ext.scts != NULL) { 5015 const unsigned char *p = s->ext.scts; 5016 STACK_OF(SCT) *scts = o2i_SCT_LIST(NULL, &p, s->ext.scts_len); 5017 5018 scts_extracted = ct_move_scts(&s->scts, scts, SCT_SOURCE_TLS_EXTENSION); 5019 5020 SCT_LIST_free(scts); 5021 } 5022 5023 return scts_extracted; 5024 } 5025 5026 /* 5027 * Checks for an OCSP response and then attempts to extract any SCTs found if it 5028 * contains an SCT X509 extension. They will be stored in |s->scts|. 5029 * Returns: 5030 * - The number of SCTs extracted, assuming an OCSP response exists. 5031 * - 0 if no OCSP response exists or it contains no SCTs. 5032 * - A negative integer if an error occurs. 5033 */ 5034 static int ct_extract_ocsp_response_scts(SSL *s) 5035 { 5036 # ifndef OPENSSL_NO_OCSP 5037 int scts_extracted = 0; 5038 const unsigned char *p; 5039 OCSP_BASICRESP *br = NULL; 5040 OCSP_RESPONSE *rsp = NULL; 5041 STACK_OF(SCT) *scts = NULL; 5042 int i; 5043 5044 if (s->ext.ocsp.resp == NULL || s->ext.ocsp.resp_len == 0) 5045 goto err; 5046 5047 p = s->ext.ocsp.resp; 5048 rsp = d2i_OCSP_RESPONSE(NULL, &p, (int)s->ext.ocsp.resp_len); 5049 if (rsp == NULL) 5050 goto err; 5051 5052 br = OCSP_response_get1_basic(rsp); 5053 if (br == NULL) 5054 goto err; 5055 5056 for (i = 0; i < OCSP_resp_count(br); ++i) { 5057 OCSP_SINGLERESP *single = OCSP_resp_get0(br, i); 5058 5059 if (single == NULL) 5060 continue; 5061 5062 scts = 5063 OCSP_SINGLERESP_get1_ext_d2i(single, NID_ct_cert_scts, NULL, NULL); 5064 scts_extracted = 5065 ct_move_scts(&s->scts, scts, SCT_SOURCE_OCSP_STAPLED_RESPONSE); 5066 if (scts_extracted < 0) 5067 goto err; 5068 } 5069 err: 5070 SCT_LIST_free(scts); 5071 OCSP_BASICRESP_free(br); 5072 OCSP_RESPONSE_free(rsp); 5073 return scts_extracted; 5074 # else 5075 /* Behave as if no OCSP response exists */ 5076 return 0; 5077 # endif 5078 } 5079 5080 /* 5081 * Attempts to extract SCTs from the peer certificate. 5082 * Return the number of SCTs extracted, or a negative integer if an error 5083 * occurs. 5084 */ 5085 static int ct_extract_x509v3_extension_scts(SSL *s) 5086 { 5087 int scts_extracted = 0; 5088 X509 *cert = s->session != NULL ? s->session->peer : NULL; 5089 5090 if (cert != NULL) { 5091 STACK_OF(SCT) *scts = 5092 X509_get_ext_d2i(cert, NID_ct_precert_scts, NULL, NULL); 5093 5094 scts_extracted = 5095 ct_move_scts(&s->scts, scts, SCT_SOURCE_X509V3_EXTENSION); 5096 5097 SCT_LIST_free(scts); 5098 } 5099 5100 return scts_extracted; 5101 } 5102 5103 /* 5104 * Attempts to find all received SCTs by checking TLS extensions, the OCSP 5105 * response (if it exists) and X509v3 extensions in the certificate. 5106 * Returns NULL if an error occurs. 5107 */ 5108 const STACK_OF(SCT) *SSL_get0_peer_scts(SSL *s) 5109 { 5110 if (!s->scts_parsed) { 5111 if (ct_extract_tls_extension_scts(s) < 0 || 5112 ct_extract_ocsp_response_scts(s) < 0 || 5113 ct_extract_x509v3_extension_scts(s) < 0) 5114 goto err; 5115 5116 s->scts_parsed = 1; 5117 } 5118 return s->scts; 5119 err: 5120 return NULL; 5121 } 5122 5123 static int ct_permissive(const CT_POLICY_EVAL_CTX * ctx, 5124 const STACK_OF(SCT) *scts, void *unused_arg) 5125 { 5126 return 1; 5127 } 5128 5129 static int ct_strict(const CT_POLICY_EVAL_CTX * ctx, 5130 const STACK_OF(SCT) *scts, void *unused_arg) 5131 { 5132 int count = scts != NULL ? sk_SCT_num(scts) : 0; 5133 int i; 5134 5135 for (i = 0; i < count; ++i) { 5136 SCT *sct = sk_SCT_value(scts, i); 5137 int status = SCT_get_validation_status(sct); 5138 5139 if (status == SCT_VALIDATION_STATUS_VALID) 5140 return 1; 5141 } 5142 ERR_raise(ERR_LIB_SSL, SSL_R_NO_VALID_SCTS); 5143 return 0; 5144 } 5145 5146 int SSL_set_ct_validation_callback(SSL *s, ssl_ct_validation_cb callback, 5147 void *arg) 5148 { 5149 /* 5150 * Since code exists that uses the custom extension handler for CT, look 5151 * for this and throw an error if they have already registered to use CT. 5152 */ 5153 if (callback != NULL && SSL_CTX_has_client_custom_ext(s->ctx, 5154 TLSEXT_TYPE_signed_certificate_timestamp)) 5155 { 5156 ERR_raise(ERR_LIB_SSL, SSL_R_CUSTOM_EXT_HANDLER_ALREADY_INSTALLED); 5157 return 0; 5158 } 5159 5160 if (callback != NULL) { 5161 /* 5162 * If we are validating CT, then we MUST accept SCTs served via OCSP 5163 */ 5164 if (!SSL_set_tlsext_status_type(s, TLSEXT_STATUSTYPE_ocsp)) 5165 return 0; 5166 } 5167 5168 s->ct_validation_callback = callback; 5169 s->ct_validation_callback_arg = arg; 5170 5171 return 1; 5172 } 5173 5174 int SSL_CTX_set_ct_validation_callback(SSL_CTX *ctx, 5175 ssl_ct_validation_cb callback, void *arg) 5176 { 5177 /* 5178 * Since code exists that uses the custom extension handler for CT, look for 5179 * this and throw an error if they have already registered to use CT. 5180 */ 5181 if (callback != NULL && SSL_CTX_has_client_custom_ext(ctx, 5182 TLSEXT_TYPE_signed_certificate_timestamp)) 5183 { 5184 ERR_raise(ERR_LIB_SSL, SSL_R_CUSTOM_EXT_HANDLER_ALREADY_INSTALLED); 5185 return 0; 5186 } 5187 5188 ctx->ct_validation_callback = callback; 5189 ctx->ct_validation_callback_arg = arg; 5190 return 1; 5191 } 5192 5193 int SSL_ct_is_enabled(const SSL *s) 5194 { 5195 return s->ct_validation_callback != NULL; 5196 } 5197 5198 int SSL_CTX_ct_is_enabled(const SSL_CTX *ctx) 5199 { 5200 return ctx->ct_validation_callback != NULL; 5201 } 5202 5203 int ssl_validate_ct(SSL *s) 5204 { 5205 int ret = 0; 5206 X509 *cert = s->session != NULL ? s->session->peer : NULL; 5207 X509 *issuer; 5208 SSL_DANE *dane = &s->dane; 5209 CT_POLICY_EVAL_CTX *ctx = NULL; 5210 const STACK_OF(SCT) *scts; 5211 5212 /* 5213 * If no callback is set, the peer is anonymous, or its chain is invalid, 5214 * skip SCT validation - just return success. Applications that continue 5215 * handshakes without certificates, with unverified chains, or pinned leaf 5216 * certificates are outside the scope of the WebPKI and CT. 5217 * 5218 * The above exclusions notwithstanding the vast majority of peers will 5219 * have rather ordinary certificate chains validated by typical 5220 * applications that perform certificate verification and therefore will 5221 * process SCTs when enabled. 5222 */ 5223 if (s->ct_validation_callback == NULL || cert == NULL || 5224 s->verify_result != X509_V_OK || 5225 s->verified_chain == NULL || sk_X509_num(s->verified_chain) <= 1) 5226 return 1; 5227 5228 /* 5229 * CT not applicable for chains validated via DANE-TA(2) or DANE-EE(3) 5230 * trust-anchors. See https://tools.ietf.org/html/rfc7671#section-4.2 5231 */ 5232 if (DANETLS_ENABLED(dane) && dane->mtlsa != NULL) { 5233 switch (dane->mtlsa->usage) { 5234 case DANETLS_USAGE_DANE_TA: 5235 case DANETLS_USAGE_DANE_EE: 5236 return 1; 5237 } 5238 } 5239 5240 ctx = CT_POLICY_EVAL_CTX_new_ex(s->ctx->libctx, s->ctx->propq); 5241 if (ctx == NULL) { 5242 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE); 5243 goto end; 5244 } 5245 5246 issuer = sk_X509_value(s->verified_chain, 1); 5247 CT_POLICY_EVAL_CTX_set1_cert(ctx, cert); 5248 CT_POLICY_EVAL_CTX_set1_issuer(ctx, issuer); 5249 CT_POLICY_EVAL_CTX_set_shared_CTLOG_STORE(ctx, s->ctx->ctlog_store); 5250 CT_POLICY_EVAL_CTX_set_time( 5251 ctx, (uint64_t)SSL_SESSION_get_time(SSL_get0_session(s)) * 1000); 5252 5253 scts = SSL_get0_peer_scts(s); 5254 5255 /* 5256 * This function returns success (> 0) only when all the SCTs are valid, 0 5257 * when some are invalid, and < 0 on various internal errors (out of 5258 * memory, etc.). Having some, or even all, invalid SCTs is not sufficient 5259 * reason to abort the handshake, that decision is up to the callback. 5260 * Therefore, we error out only in the unexpected case that the return 5261 * value is negative. 5262 * 5263 * XXX: One might well argue that the return value of this function is an 5264 * unfortunate design choice. Its job is only to determine the validation 5265 * status of each of the provided SCTs. So long as it correctly separates 5266 * the wheat from the chaff it should return success. Failure in this case 5267 * ought to correspond to an inability to carry out its duties. 5268 */ 5269 if (SCT_LIST_validate(scts, ctx) < 0) { 5270 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_SCT_VERIFICATION_FAILED); 5271 goto end; 5272 } 5273 5274 ret = s->ct_validation_callback(ctx, scts, s->ct_validation_callback_arg); 5275 if (ret < 0) 5276 ret = 0; /* This function returns 0 on failure */ 5277 if (!ret) 5278 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_CALLBACK_FAILED); 5279 5280 end: 5281 CT_POLICY_EVAL_CTX_free(ctx); 5282 /* 5283 * With SSL_VERIFY_NONE the session may be cached and re-used despite a 5284 * failure return code here. Also the application may wish the complete 5285 * the handshake, and then disconnect cleanly at a higher layer, after 5286 * checking the verification status of the completed connection. 5287 * 5288 * We therefore force a certificate verification failure which will be 5289 * visible via SSL_get_verify_result() and cached as part of any resumed 5290 * session. 5291 * 5292 * Note: the permissive callback is for information gathering only, always 5293 * returns success, and does not affect verification status. Only the 5294 * strict callback or a custom application-specified callback can trigger 5295 * connection failure or record a verification error. 5296 */ 5297 if (ret <= 0) 5298 s->verify_result = X509_V_ERR_NO_VALID_SCTS; 5299 return ret; 5300 } 5301 5302 int SSL_CTX_enable_ct(SSL_CTX *ctx, int validation_mode) 5303 { 5304 switch (validation_mode) { 5305 default: 5306 ERR_raise(ERR_LIB_SSL, SSL_R_INVALID_CT_VALIDATION_TYPE); 5307 return 0; 5308 case SSL_CT_VALIDATION_PERMISSIVE: 5309 return SSL_CTX_set_ct_validation_callback(ctx, ct_permissive, NULL); 5310 case SSL_CT_VALIDATION_STRICT: 5311 return SSL_CTX_set_ct_validation_callback(ctx, ct_strict, NULL); 5312 } 5313 } 5314 5315 int SSL_enable_ct(SSL *s, int validation_mode) 5316 { 5317 switch (validation_mode) { 5318 default: 5319 ERR_raise(ERR_LIB_SSL, SSL_R_INVALID_CT_VALIDATION_TYPE); 5320 return 0; 5321 case SSL_CT_VALIDATION_PERMISSIVE: 5322 return SSL_set_ct_validation_callback(s, ct_permissive, NULL); 5323 case SSL_CT_VALIDATION_STRICT: 5324 return SSL_set_ct_validation_callback(s, ct_strict, NULL); 5325 } 5326 } 5327 5328 int SSL_CTX_set_default_ctlog_list_file(SSL_CTX *ctx) 5329 { 5330 return CTLOG_STORE_load_default_file(ctx->ctlog_store); 5331 } 5332 5333 int SSL_CTX_set_ctlog_list_file(SSL_CTX *ctx, const char *path) 5334 { 5335 return CTLOG_STORE_load_file(ctx->ctlog_store, path); 5336 } 5337 5338 void SSL_CTX_set0_ctlog_store(SSL_CTX *ctx, CTLOG_STORE * logs) 5339 { 5340 CTLOG_STORE_free(ctx->ctlog_store); 5341 ctx->ctlog_store = logs; 5342 } 5343 5344 const CTLOG_STORE *SSL_CTX_get0_ctlog_store(const SSL_CTX *ctx) 5345 { 5346 return ctx->ctlog_store; 5347 } 5348 5349 #endif /* OPENSSL_NO_CT */ 5350 5351 void SSL_CTX_set_client_hello_cb(SSL_CTX *c, SSL_client_hello_cb_fn cb, 5352 void *arg) 5353 { 5354 c->client_hello_cb = cb; 5355 c->client_hello_cb_arg = arg; 5356 } 5357 5358 int SSL_client_hello_isv2(SSL *s) 5359 { 5360 if (s->clienthello == NULL) 5361 return 0; 5362 return s->clienthello->isv2; 5363 } 5364 5365 unsigned int SSL_client_hello_get0_legacy_version(SSL *s) 5366 { 5367 if (s->clienthello == NULL) 5368 return 0; 5369 return s->clienthello->legacy_version; 5370 } 5371 5372 size_t SSL_client_hello_get0_random(SSL *s, const unsigned char **out) 5373 { 5374 if (s->clienthello == NULL) 5375 return 0; 5376 if (out != NULL) 5377 *out = s->clienthello->random; 5378 return SSL3_RANDOM_SIZE; 5379 } 5380 5381 size_t SSL_client_hello_get0_session_id(SSL *s, const unsigned char **out) 5382 { 5383 if (s->clienthello == NULL) 5384 return 0; 5385 if (out != NULL) 5386 *out = s->clienthello->session_id; 5387 return s->clienthello->session_id_len; 5388 } 5389 5390 size_t SSL_client_hello_get0_ciphers(SSL *s, const unsigned char **out) 5391 { 5392 if (s->clienthello == NULL) 5393 return 0; 5394 if (out != NULL) 5395 *out = PACKET_data(&s->clienthello->ciphersuites); 5396 return PACKET_remaining(&s->clienthello->ciphersuites); 5397 } 5398 5399 size_t SSL_client_hello_get0_compression_methods(SSL *s, const unsigned char **out) 5400 { 5401 if (s->clienthello == NULL) 5402 return 0; 5403 if (out != NULL) 5404 *out = s->clienthello->compressions; 5405 return s->clienthello->compressions_len; 5406 } 5407 5408 int SSL_client_hello_get1_extensions_present(SSL *s, int **out, size_t *outlen) 5409 { 5410 RAW_EXTENSION *ext; 5411 int *present; 5412 size_t num = 0, i; 5413 5414 if (s->clienthello == NULL || out == NULL || outlen == NULL) 5415 return 0; 5416 for (i = 0; i < s->clienthello->pre_proc_exts_len; i++) { 5417 ext = s->clienthello->pre_proc_exts + i; 5418 if (ext->present) 5419 num++; 5420 } 5421 if (num == 0) { 5422 *out = NULL; 5423 *outlen = 0; 5424 return 1; 5425 } 5426 if ((present = OPENSSL_malloc(sizeof(*present) * num)) == NULL) { 5427 ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE); 5428 return 0; 5429 } 5430 for (i = 0; i < s->clienthello->pre_proc_exts_len; i++) { 5431 ext = s->clienthello->pre_proc_exts + i; 5432 if (ext->present) { 5433 if (ext->received_order >= num) 5434 goto err; 5435 present[ext->received_order] = ext->type; 5436 } 5437 } 5438 *out = present; 5439 *outlen = num; 5440 return 1; 5441 err: 5442 OPENSSL_free(present); 5443 return 0; 5444 } 5445 5446 int SSL_client_hello_get0_ext(SSL *s, unsigned int type, const unsigned char **out, 5447 size_t *outlen) 5448 { 5449 size_t i; 5450 RAW_EXTENSION *r; 5451 5452 if (s->clienthello == NULL) 5453 return 0; 5454 for (i = 0; i < s->clienthello->pre_proc_exts_len; ++i) { 5455 r = s->clienthello->pre_proc_exts + i; 5456 if (r->present && r->type == type) { 5457 if (out != NULL) 5458 *out = PACKET_data(&r->data); 5459 if (outlen != NULL) 5460 *outlen = PACKET_remaining(&r->data); 5461 return 1; 5462 } 5463 } 5464 return 0; 5465 } 5466 5467 int SSL_free_buffers(SSL *ssl) 5468 { 5469 RECORD_LAYER *rl = &ssl->rlayer; 5470 5471 if (RECORD_LAYER_read_pending(rl) || RECORD_LAYER_write_pending(rl)) 5472 return 0; 5473 5474 RECORD_LAYER_release(rl); 5475 return 1; 5476 } 5477 5478 int SSL_alloc_buffers(SSL *ssl) 5479 { 5480 return ssl3_setup_buffers(ssl); 5481 } 5482 5483 void SSL_CTX_set_keylog_callback(SSL_CTX *ctx, SSL_CTX_keylog_cb_func cb) 5484 { 5485 ctx->keylog_callback = cb; 5486 } 5487 5488 SSL_CTX_keylog_cb_func SSL_CTX_get_keylog_callback(const SSL_CTX *ctx) 5489 { 5490 return ctx->keylog_callback; 5491 } 5492 5493 static int nss_keylog_int(const char *prefix, 5494 SSL *ssl, 5495 const uint8_t *parameter_1, 5496 size_t parameter_1_len, 5497 const uint8_t *parameter_2, 5498 size_t parameter_2_len) 5499 { 5500 char *out = NULL; 5501 char *cursor = NULL; 5502 size_t out_len = 0; 5503 size_t i; 5504 size_t prefix_len; 5505 5506 if (ssl->ctx->keylog_callback == NULL) 5507 return 1; 5508 5509 /* 5510 * Our output buffer will contain the following strings, rendered with 5511 * space characters in between, terminated by a NULL character: first the 5512 * prefix, then the first parameter, then the second parameter. The 5513 * meaning of each parameter depends on the specific key material being 5514 * logged. Note that the first and second parameters are encoded in 5515 * hexadecimal, so we need a buffer that is twice their lengths. 5516 */ 5517 prefix_len = strlen(prefix); 5518 out_len = prefix_len + (2 * parameter_1_len) + (2 * parameter_2_len) + 3; 5519 if ((out = cursor = OPENSSL_malloc(out_len)) == NULL) { 5520 SSLfatal(ssl, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE); 5521 return 0; 5522 } 5523 5524 strcpy(cursor, prefix); 5525 cursor += prefix_len; 5526 *cursor++ = ' '; 5527 5528 for (i = 0; i < parameter_1_len; i++) { 5529 sprintf(cursor, "%02x", parameter_1[i]); 5530 cursor += 2; 5531 } 5532 *cursor++ = ' '; 5533 5534 for (i = 0; i < parameter_2_len; i++) { 5535 sprintf(cursor, "%02x", parameter_2[i]); 5536 cursor += 2; 5537 } 5538 *cursor = '\0'; 5539 5540 ssl->ctx->keylog_callback(ssl, (const char *)out); 5541 OPENSSL_clear_free(out, out_len); 5542 return 1; 5543 5544 } 5545 5546 int ssl_log_rsa_client_key_exchange(SSL *ssl, 5547 const uint8_t *encrypted_premaster, 5548 size_t encrypted_premaster_len, 5549 const uint8_t *premaster, 5550 size_t premaster_len) 5551 { 5552 if (encrypted_premaster_len < 8) { 5553 SSLfatal(ssl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 5554 return 0; 5555 } 5556 5557 /* We only want the first 8 bytes of the encrypted premaster as a tag. */ 5558 return nss_keylog_int("RSA", 5559 ssl, 5560 encrypted_premaster, 5561 8, 5562 premaster, 5563 premaster_len); 5564 } 5565 5566 int ssl_log_secret(SSL *ssl, 5567 const char *label, 5568 const uint8_t *secret, 5569 size_t secret_len) 5570 { 5571 return nss_keylog_int(label, 5572 ssl, 5573 ssl->s3.client_random, 5574 SSL3_RANDOM_SIZE, 5575 secret, 5576 secret_len); 5577 } 5578 5579 #define SSLV2_CIPHER_LEN 3 5580 5581 int ssl_cache_cipherlist(SSL *s, PACKET *cipher_suites, int sslv2format) 5582 { 5583 int n; 5584 5585 n = sslv2format ? SSLV2_CIPHER_LEN : TLS_CIPHER_LEN; 5586 5587 if (PACKET_remaining(cipher_suites) == 0) { 5588 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_NO_CIPHERS_SPECIFIED); 5589 return 0; 5590 } 5591 5592 if (PACKET_remaining(cipher_suites) % n != 0) { 5593 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST); 5594 return 0; 5595 } 5596 5597 OPENSSL_free(s->s3.tmp.ciphers_raw); 5598 s->s3.tmp.ciphers_raw = NULL; 5599 s->s3.tmp.ciphers_rawlen = 0; 5600 5601 if (sslv2format) { 5602 size_t numciphers = PACKET_remaining(cipher_suites) / n; 5603 PACKET sslv2ciphers = *cipher_suites; 5604 unsigned int leadbyte; 5605 unsigned char *raw; 5606 5607 /* 5608 * We store the raw ciphers list in SSLv3+ format so we need to do some 5609 * preprocessing to convert the list first. If there are any SSLv2 only 5610 * ciphersuites with a non-zero leading byte then we are going to 5611 * slightly over allocate because we won't store those. But that isn't a 5612 * problem. 5613 */ 5614 raw = OPENSSL_malloc(numciphers * TLS_CIPHER_LEN); 5615 s->s3.tmp.ciphers_raw = raw; 5616 if (raw == NULL) { 5617 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE); 5618 return 0; 5619 } 5620 for (s->s3.tmp.ciphers_rawlen = 0; 5621 PACKET_remaining(&sslv2ciphers) > 0; 5622 raw += TLS_CIPHER_LEN) { 5623 if (!PACKET_get_1(&sslv2ciphers, &leadbyte) 5624 || (leadbyte == 0 5625 && !PACKET_copy_bytes(&sslv2ciphers, raw, 5626 TLS_CIPHER_LEN)) 5627 || (leadbyte != 0 5628 && !PACKET_forward(&sslv2ciphers, TLS_CIPHER_LEN))) { 5629 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_PACKET); 5630 OPENSSL_free(s->s3.tmp.ciphers_raw); 5631 s->s3.tmp.ciphers_raw = NULL; 5632 s->s3.tmp.ciphers_rawlen = 0; 5633 return 0; 5634 } 5635 if (leadbyte == 0) 5636 s->s3.tmp.ciphers_rawlen += TLS_CIPHER_LEN; 5637 } 5638 } else if (!PACKET_memdup(cipher_suites, &s->s3.tmp.ciphers_raw, 5639 &s->s3.tmp.ciphers_rawlen)) { 5640 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 5641 return 0; 5642 } 5643 return 1; 5644 } 5645 5646 int SSL_bytes_to_cipher_list(SSL *s, const unsigned char *bytes, size_t len, 5647 int isv2format, STACK_OF(SSL_CIPHER) **sk, 5648 STACK_OF(SSL_CIPHER) **scsvs) 5649 { 5650 PACKET pkt; 5651 5652 if (!PACKET_buf_init(&pkt, bytes, len)) 5653 return 0; 5654 return bytes_to_cipher_list(s, &pkt, sk, scsvs, isv2format, 0); 5655 } 5656 5657 int bytes_to_cipher_list(SSL *s, PACKET *cipher_suites, 5658 STACK_OF(SSL_CIPHER) **skp, 5659 STACK_OF(SSL_CIPHER) **scsvs_out, 5660 int sslv2format, int fatal) 5661 { 5662 const SSL_CIPHER *c; 5663 STACK_OF(SSL_CIPHER) *sk = NULL; 5664 STACK_OF(SSL_CIPHER) *scsvs = NULL; 5665 int n; 5666 /* 3 = SSLV2_CIPHER_LEN > TLS_CIPHER_LEN = 2. */ 5667 unsigned char cipher[SSLV2_CIPHER_LEN]; 5668 5669 n = sslv2format ? SSLV2_CIPHER_LEN : TLS_CIPHER_LEN; 5670 5671 if (PACKET_remaining(cipher_suites) == 0) { 5672 if (fatal) 5673 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_NO_CIPHERS_SPECIFIED); 5674 else 5675 ERR_raise(ERR_LIB_SSL, SSL_R_NO_CIPHERS_SPECIFIED); 5676 return 0; 5677 } 5678 5679 if (PACKET_remaining(cipher_suites) % n != 0) { 5680 if (fatal) 5681 SSLfatal(s, SSL_AD_DECODE_ERROR, 5682 SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST); 5683 else 5684 ERR_raise(ERR_LIB_SSL, SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST); 5685 return 0; 5686 } 5687 5688 sk = sk_SSL_CIPHER_new_null(); 5689 scsvs = sk_SSL_CIPHER_new_null(); 5690 if (sk == NULL || scsvs == NULL) { 5691 if (fatal) 5692 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE); 5693 else 5694 ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE); 5695 goto err; 5696 } 5697 5698 while (PACKET_copy_bytes(cipher_suites, cipher, n)) { 5699 /* 5700 * SSLv3 ciphers wrapped in an SSLv2-compatible ClientHello have the 5701 * first byte set to zero, while true SSLv2 ciphers have a non-zero 5702 * first byte. We don't support any true SSLv2 ciphers, so skip them. 5703 */ 5704 if (sslv2format && cipher[0] != '\0') 5705 continue; 5706 5707 /* For SSLv2-compat, ignore leading 0-byte. */ 5708 c = ssl_get_cipher_by_char(s, sslv2format ? &cipher[1] : cipher, 1); 5709 if (c != NULL) { 5710 if ((c->valid && !sk_SSL_CIPHER_push(sk, c)) || 5711 (!c->valid && !sk_SSL_CIPHER_push(scsvs, c))) { 5712 if (fatal) 5713 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE); 5714 else 5715 ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE); 5716 goto err; 5717 } 5718 } 5719 } 5720 if (PACKET_remaining(cipher_suites) > 0) { 5721 if (fatal) 5722 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_LENGTH); 5723 else 5724 ERR_raise(ERR_LIB_SSL, SSL_R_BAD_LENGTH); 5725 goto err; 5726 } 5727 5728 if (skp != NULL) 5729 *skp = sk; 5730 else 5731 sk_SSL_CIPHER_free(sk); 5732 if (scsvs_out != NULL) 5733 *scsvs_out = scsvs; 5734 else 5735 sk_SSL_CIPHER_free(scsvs); 5736 return 1; 5737 err: 5738 sk_SSL_CIPHER_free(sk); 5739 sk_SSL_CIPHER_free(scsvs); 5740 return 0; 5741 } 5742 5743 int SSL_CTX_set_max_early_data(SSL_CTX *ctx, uint32_t max_early_data) 5744 { 5745 ctx->max_early_data = max_early_data; 5746 5747 return 1; 5748 } 5749 5750 uint32_t SSL_CTX_get_max_early_data(const SSL_CTX *ctx) 5751 { 5752 return ctx->max_early_data; 5753 } 5754 5755 int SSL_set_max_early_data(SSL *s, uint32_t max_early_data) 5756 { 5757 s->max_early_data = max_early_data; 5758 5759 return 1; 5760 } 5761 5762 uint32_t SSL_get_max_early_data(const SSL *s) 5763 { 5764 return s->max_early_data; 5765 } 5766 5767 int SSL_CTX_set_recv_max_early_data(SSL_CTX *ctx, uint32_t recv_max_early_data) 5768 { 5769 ctx->recv_max_early_data = recv_max_early_data; 5770 5771 return 1; 5772 } 5773 5774 uint32_t SSL_CTX_get_recv_max_early_data(const SSL_CTX *ctx) 5775 { 5776 return ctx->recv_max_early_data; 5777 } 5778 5779 int SSL_set_recv_max_early_data(SSL *s, uint32_t recv_max_early_data) 5780 { 5781 s->recv_max_early_data = recv_max_early_data; 5782 5783 return 1; 5784 } 5785 5786 uint32_t SSL_get_recv_max_early_data(const SSL *s) 5787 { 5788 return s->recv_max_early_data; 5789 } 5790 5791 __owur unsigned int ssl_get_max_send_fragment(const SSL *ssl) 5792 { 5793 /* Return any active Max Fragment Len extension */ 5794 if (ssl->session != NULL && USE_MAX_FRAGMENT_LENGTH_EXT(ssl->session)) 5795 return GET_MAX_FRAGMENT_LENGTH(ssl->session); 5796 5797 /* return current SSL connection setting */ 5798 return ssl->max_send_fragment; 5799 } 5800 5801 __owur unsigned int ssl_get_split_send_fragment(const SSL *ssl) 5802 { 5803 /* Return a value regarding an active Max Fragment Len extension */ 5804 if (ssl->session != NULL && USE_MAX_FRAGMENT_LENGTH_EXT(ssl->session) 5805 && ssl->split_send_fragment > GET_MAX_FRAGMENT_LENGTH(ssl->session)) 5806 return GET_MAX_FRAGMENT_LENGTH(ssl->session); 5807 5808 /* else limit |split_send_fragment| to current |max_send_fragment| */ 5809 if (ssl->split_send_fragment > ssl->max_send_fragment) 5810 return ssl->max_send_fragment; 5811 5812 /* return current SSL connection setting */ 5813 return ssl->split_send_fragment; 5814 } 5815 5816 int SSL_stateless(SSL *s) 5817 { 5818 int ret; 5819 5820 /* Ensure there is no state left over from a previous invocation */ 5821 if (!SSL_clear(s)) 5822 return 0; 5823 5824 ERR_clear_error(); 5825 5826 s->s3.flags |= TLS1_FLAGS_STATELESS; 5827 ret = SSL_accept(s); 5828 s->s3.flags &= ~TLS1_FLAGS_STATELESS; 5829 5830 if (ret > 0 && s->ext.cookieok) 5831 return 1; 5832 5833 if (s->hello_retry_request == SSL_HRR_PENDING && !ossl_statem_in_error(s)) 5834 return 0; 5835 5836 return -1; 5837 } 5838 5839 void SSL_CTX_set_post_handshake_auth(SSL_CTX *ctx, int val) 5840 { 5841 ctx->pha_enabled = val; 5842 } 5843 5844 void SSL_set_post_handshake_auth(SSL *ssl, int val) 5845 { 5846 ssl->pha_enabled = val; 5847 } 5848 5849 int SSL_verify_client_post_handshake(SSL *ssl) 5850 { 5851 if (!SSL_IS_TLS13(ssl)) { 5852 ERR_raise(ERR_LIB_SSL, SSL_R_WRONG_SSL_VERSION); 5853 return 0; 5854 } 5855 if (!ssl->server) { 5856 ERR_raise(ERR_LIB_SSL, SSL_R_NOT_SERVER); 5857 return 0; 5858 } 5859 5860 if (!SSL_is_init_finished(ssl)) { 5861 ERR_raise(ERR_LIB_SSL, SSL_R_STILL_IN_INIT); 5862 return 0; 5863 } 5864 5865 switch (ssl->post_handshake_auth) { 5866 case SSL_PHA_NONE: 5867 ERR_raise(ERR_LIB_SSL, SSL_R_EXTENSION_NOT_RECEIVED); 5868 return 0; 5869 default: 5870 case SSL_PHA_EXT_SENT: 5871 ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR); 5872 return 0; 5873 case SSL_PHA_EXT_RECEIVED: 5874 break; 5875 case SSL_PHA_REQUEST_PENDING: 5876 ERR_raise(ERR_LIB_SSL, SSL_R_REQUEST_PENDING); 5877 return 0; 5878 case SSL_PHA_REQUESTED: 5879 ERR_raise(ERR_LIB_SSL, SSL_R_REQUEST_SENT); 5880 return 0; 5881 } 5882 5883 ssl->post_handshake_auth = SSL_PHA_REQUEST_PENDING; 5884 5885 /* checks verify_mode and algorithm_auth */ 5886 if (!send_certificate_request(ssl)) { 5887 ssl->post_handshake_auth = SSL_PHA_EXT_RECEIVED; /* restore on error */ 5888 ERR_raise(ERR_LIB_SSL, SSL_R_INVALID_CONFIG); 5889 return 0; 5890 } 5891 5892 ossl_statem_set_in_init(ssl, 1); 5893 return 1; 5894 } 5895 5896 int SSL_CTX_set_session_ticket_cb(SSL_CTX *ctx, 5897 SSL_CTX_generate_session_ticket_fn gen_cb, 5898 SSL_CTX_decrypt_session_ticket_fn dec_cb, 5899 void *arg) 5900 { 5901 ctx->generate_ticket_cb = gen_cb; 5902 ctx->decrypt_ticket_cb = dec_cb; 5903 ctx->ticket_cb_data = arg; 5904 return 1; 5905 } 5906 5907 void SSL_CTX_set_allow_early_data_cb(SSL_CTX *ctx, 5908 SSL_allow_early_data_cb_fn cb, 5909 void *arg) 5910 { 5911 ctx->allow_early_data_cb = cb; 5912 ctx->allow_early_data_cb_data = arg; 5913 } 5914 5915 void SSL_set_allow_early_data_cb(SSL *s, 5916 SSL_allow_early_data_cb_fn cb, 5917 void *arg) 5918 { 5919 s->allow_early_data_cb = cb; 5920 s->allow_early_data_cb_data = arg; 5921 } 5922 5923 const EVP_CIPHER *ssl_evp_cipher_fetch(OSSL_LIB_CTX *libctx, 5924 int nid, 5925 const char *properties) 5926 { 5927 const EVP_CIPHER *ciph; 5928 5929 ciph = tls_get_cipher_from_engine(nid); 5930 if (ciph != NULL) 5931 return ciph; 5932 5933 /* 5934 * If there is no engine cipher then we do an explicit fetch. This may fail 5935 * and that could be ok 5936 */ 5937 ERR_set_mark(); 5938 ciph = EVP_CIPHER_fetch(libctx, OBJ_nid2sn(nid), properties); 5939 ERR_pop_to_mark(); 5940 return ciph; 5941 } 5942 5943 5944 int ssl_evp_cipher_up_ref(const EVP_CIPHER *cipher) 5945 { 5946 /* Don't up-ref an implicit EVP_CIPHER */ 5947 if (EVP_CIPHER_get0_provider(cipher) == NULL) 5948 return 1; 5949 5950 /* 5951 * The cipher was explicitly fetched and therefore it is safe to cast 5952 * away the const 5953 */ 5954 return EVP_CIPHER_up_ref((EVP_CIPHER *)cipher); 5955 } 5956 5957 void ssl_evp_cipher_free(const EVP_CIPHER *cipher) 5958 { 5959 if (cipher == NULL) 5960 return; 5961 5962 if (EVP_CIPHER_get0_provider(cipher) != NULL) { 5963 /* 5964 * The cipher was explicitly fetched and therefore it is safe to cast 5965 * away the const 5966 */ 5967 EVP_CIPHER_free((EVP_CIPHER *)cipher); 5968 } 5969 } 5970 5971 const EVP_MD *ssl_evp_md_fetch(OSSL_LIB_CTX *libctx, 5972 int nid, 5973 const char *properties) 5974 { 5975 const EVP_MD *md; 5976 5977 md = tls_get_digest_from_engine(nid); 5978 if (md != NULL) 5979 return md; 5980 5981 /* Otherwise we do an explicit fetch */ 5982 ERR_set_mark(); 5983 md = EVP_MD_fetch(libctx, OBJ_nid2sn(nid), properties); 5984 ERR_pop_to_mark(); 5985 return md; 5986 } 5987 5988 int ssl_evp_md_up_ref(const EVP_MD *md) 5989 { 5990 /* Don't up-ref an implicit EVP_MD */ 5991 if (EVP_MD_get0_provider(md) == NULL) 5992 return 1; 5993 5994 /* 5995 * The digest was explicitly fetched and therefore it is safe to cast 5996 * away the const 5997 */ 5998 return EVP_MD_up_ref((EVP_MD *)md); 5999 } 6000 6001 void ssl_evp_md_free(const EVP_MD *md) 6002 { 6003 if (md == NULL) 6004 return; 6005 6006 if (EVP_MD_get0_provider(md) != NULL) { 6007 /* 6008 * The digest was explicitly fetched and therefore it is safe to cast 6009 * away the const 6010 */ 6011 EVP_MD_free((EVP_MD *)md); 6012 } 6013 } 6014 6015 int SSL_set0_tmp_dh_pkey(SSL *s, EVP_PKEY *dhpkey) 6016 { 6017 if (!ssl_security(s, SSL_SECOP_TMP_DH, 6018 EVP_PKEY_get_security_bits(dhpkey), 0, dhpkey)) { 6019 ERR_raise(ERR_LIB_SSL, SSL_R_DH_KEY_TOO_SMALL); 6020 return 0; 6021 } 6022 EVP_PKEY_free(s->cert->dh_tmp); 6023 s->cert->dh_tmp = dhpkey; 6024 return 1; 6025 } 6026 6027 int SSL_CTX_set0_tmp_dh_pkey(SSL_CTX *ctx, EVP_PKEY *dhpkey) 6028 { 6029 if (!ssl_ctx_security(ctx, SSL_SECOP_TMP_DH, 6030 EVP_PKEY_get_security_bits(dhpkey), 0, dhpkey)) { 6031 ERR_raise(ERR_LIB_SSL, SSL_R_DH_KEY_TOO_SMALL); 6032 return 0; 6033 } 6034 EVP_PKEY_free(ctx->cert->dh_tmp); 6035 ctx->cert->dh_tmp = dhpkey; 6036 return 1; 6037 } 6038