1 /* 2 * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. 3 * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved 4 * Copyright 2005 Nokia. All rights reserved. 5 * 6 * Licensed under the OpenSSL license (the "License"). You may not use 7 * this file except in compliance with the License. You can obtain a copy 8 * in the file LICENSE in the source distribution or at 9 * https://www.openssl.org/source/license.html 10 */ 11 12 #include <stdio.h> 13 #include "ssl_locl.h" 14 #include <openssl/objects.h> 15 #include <openssl/x509v3.h> 16 #include <openssl/rand.h> 17 #include <openssl/rand_drbg.h> 18 #include <openssl/ocsp.h> 19 #include <openssl/dh.h> 20 #include <openssl/engine.h> 21 #include <openssl/async.h> 22 #include <openssl/ct.h> 23 #include "internal/cryptlib.h" 24 #include "internal/refcount.h" 25 26 const char SSL_version_str[] = OPENSSL_VERSION_TEXT; 27 28 static int ssl_undefined_function_1(SSL *ssl, SSL3_RECORD *r, size_t s, int t) 29 { 30 (void)r; 31 (void)s; 32 (void)t; 33 return ssl_undefined_function(ssl); 34 } 35 36 static int ssl_undefined_function_2(SSL *ssl, SSL3_RECORD *r, unsigned char *s, 37 int t) 38 { 39 (void)r; 40 (void)s; 41 (void)t; 42 return ssl_undefined_function(ssl); 43 } 44 45 static int ssl_undefined_function_3(SSL *ssl, unsigned char *r, 46 unsigned char *s, size_t t, size_t *u) 47 { 48 (void)r; 49 (void)s; 50 (void)t; 51 (void)u; 52 return ssl_undefined_function(ssl); 53 } 54 55 static int ssl_undefined_function_4(SSL *ssl, int r) 56 { 57 (void)r; 58 return ssl_undefined_function(ssl); 59 } 60 61 static size_t ssl_undefined_function_5(SSL *ssl, const char *r, size_t s, 62 unsigned char *t) 63 { 64 (void)r; 65 (void)s; 66 (void)t; 67 return ssl_undefined_function(ssl); 68 } 69 70 static int ssl_undefined_function_6(int r) 71 { 72 (void)r; 73 return ssl_undefined_function(NULL); 74 } 75 76 static int ssl_undefined_function_7(SSL *ssl, unsigned char *r, size_t s, 77 const char *t, size_t u, 78 const unsigned char *v, size_t w, int x) 79 { 80 (void)r; 81 (void)s; 82 (void)t; 83 (void)u; 84 (void)v; 85 (void)w; 86 (void)x; 87 return ssl_undefined_function(ssl); 88 } 89 90 SSL3_ENC_METHOD ssl3_undef_enc_method = { 91 ssl_undefined_function_1, 92 ssl_undefined_function_2, 93 ssl_undefined_function, 94 ssl_undefined_function_3, 95 ssl_undefined_function_4, 96 ssl_undefined_function_5, 97 NULL, /* client_finished_label */ 98 0, /* client_finished_label_len */ 99 NULL, /* server_finished_label */ 100 0, /* server_finished_label_len */ 101 ssl_undefined_function_6, 102 ssl_undefined_function_7, 103 }; 104 105 struct ssl_async_args { 106 SSL *s; 107 void *buf; 108 size_t num; 109 enum { READFUNC, WRITEFUNC, OTHERFUNC } type; 110 union { 111 int (*func_read) (SSL *, void *, size_t, size_t *); 112 int (*func_write) (SSL *, const void *, size_t, size_t *); 113 int (*func_other) (SSL *); 114 } f; 115 }; 116 117 static const struct { 118 uint8_t mtype; 119 uint8_t ord; 120 int nid; 121 } dane_mds[] = { 122 { 123 DANETLS_MATCHING_FULL, 0, NID_undef 124 }, 125 { 126 DANETLS_MATCHING_2256, 1, NID_sha256 127 }, 128 { 129 DANETLS_MATCHING_2512, 2, NID_sha512 130 }, 131 }; 132 133 static int dane_ctx_enable(struct dane_ctx_st *dctx) 134 { 135 const EVP_MD **mdevp; 136 uint8_t *mdord; 137 uint8_t mdmax = DANETLS_MATCHING_LAST; 138 int n = ((int)mdmax) + 1; /* int to handle PrivMatch(255) */ 139 size_t i; 140 141 if (dctx->mdevp != NULL) 142 return 1; 143 144 mdevp = OPENSSL_zalloc(n * sizeof(*mdevp)); 145 mdord = OPENSSL_zalloc(n * sizeof(*mdord)); 146 147 if (mdord == NULL || mdevp == NULL) { 148 OPENSSL_free(mdord); 149 OPENSSL_free(mdevp); 150 SSLerr(SSL_F_DANE_CTX_ENABLE, ERR_R_MALLOC_FAILURE); 151 return 0; 152 } 153 154 /* Install default entries */ 155 for (i = 0; i < OSSL_NELEM(dane_mds); ++i) { 156 const EVP_MD *md; 157 158 if (dane_mds[i].nid == NID_undef || 159 (md = EVP_get_digestbynid(dane_mds[i].nid)) == NULL) 160 continue; 161 mdevp[dane_mds[i].mtype] = md; 162 mdord[dane_mds[i].mtype] = dane_mds[i].ord; 163 } 164 165 dctx->mdevp = mdevp; 166 dctx->mdord = mdord; 167 dctx->mdmax = mdmax; 168 169 return 1; 170 } 171 172 static void dane_ctx_final(struct dane_ctx_st *dctx) 173 { 174 OPENSSL_free(dctx->mdevp); 175 dctx->mdevp = NULL; 176 177 OPENSSL_free(dctx->mdord); 178 dctx->mdord = NULL; 179 dctx->mdmax = 0; 180 } 181 182 static void tlsa_free(danetls_record *t) 183 { 184 if (t == NULL) 185 return; 186 OPENSSL_free(t->data); 187 EVP_PKEY_free(t->spki); 188 OPENSSL_free(t); 189 } 190 191 static void dane_final(SSL_DANE *dane) 192 { 193 sk_danetls_record_pop_free(dane->trecs, tlsa_free); 194 dane->trecs = NULL; 195 196 sk_X509_pop_free(dane->certs, X509_free); 197 dane->certs = NULL; 198 199 X509_free(dane->mcert); 200 dane->mcert = NULL; 201 dane->mtlsa = NULL; 202 dane->mdpth = -1; 203 dane->pdpth = -1; 204 } 205 206 /* 207 * dane_copy - Copy dane configuration, sans verification state. 208 */ 209 static int ssl_dane_dup(SSL *to, SSL *from) 210 { 211 int num; 212 int i; 213 214 if (!DANETLS_ENABLED(&from->dane)) 215 return 1; 216 217 num = sk_danetls_record_num(from->dane.trecs); 218 dane_final(&to->dane); 219 to->dane.flags = from->dane.flags; 220 to->dane.dctx = &to->ctx->dane; 221 to->dane.trecs = sk_danetls_record_new_reserve(NULL, num); 222 223 if (to->dane.trecs == NULL) { 224 SSLerr(SSL_F_SSL_DANE_DUP, ERR_R_MALLOC_FAILURE); 225 return 0; 226 } 227 228 for (i = 0; i < num; ++i) { 229 danetls_record *t = sk_danetls_record_value(from->dane.trecs, i); 230 231 if (SSL_dane_tlsa_add(to, t->usage, t->selector, t->mtype, 232 t->data, t->dlen) <= 0) 233 return 0; 234 } 235 return 1; 236 } 237 238 static int dane_mtype_set(struct dane_ctx_st *dctx, 239 const EVP_MD *md, uint8_t mtype, uint8_t ord) 240 { 241 int i; 242 243 if (mtype == DANETLS_MATCHING_FULL && md != NULL) { 244 SSLerr(SSL_F_DANE_MTYPE_SET, SSL_R_DANE_CANNOT_OVERRIDE_MTYPE_FULL); 245 return 0; 246 } 247 248 if (mtype > dctx->mdmax) { 249 const EVP_MD **mdevp; 250 uint8_t *mdord; 251 int n = ((int)mtype) + 1; 252 253 mdevp = OPENSSL_realloc(dctx->mdevp, n * sizeof(*mdevp)); 254 if (mdevp == NULL) { 255 SSLerr(SSL_F_DANE_MTYPE_SET, ERR_R_MALLOC_FAILURE); 256 return -1; 257 } 258 dctx->mdevp = mdevp; 259 260 mdord = OPENSSL_realloc(dctx->mdord, n * sizeof(*mdord)); 261 if (mdord == NULL) { 262 SSLerr(SSL_F_DANE_MTYPE_SET, ERR_R_MALLOC_FAILURE); 263 return -1; 264 } 265 dctx->mdord = mdord; 266 267 /* Zero-fill any gaps */ 268 for (i = dctx->mdmax + 1; i < mtype; ++i) { 269 mdevp[i] = NULL; 270 mdord[i] = 0; 271 } 272 273 dctx->mdmax = mtype; 274 } 275 276 dctx->mdevp[mtype] = md; 277 /* Coerce ordinal of disabled matching types to 0 */ 278 dctx->mdord[mtype] = (md == NULL) ? 0 : ord; 279 280 return 1; 281 } 282 283 static const EVP_MD *tlsa_md_get(SSL_DANE *dane, uint8_t mtype) 284 { 285 if (mtype > dane->dctx->mdmax) 286 return NULL; 287 return dane->dctx->mdevp[mtype]; 288 } 289 290 static int dane_tlsa_add(SSL_DANE *dane, 291 uint8_t usage, 292 uint8_t selector, 293 uint8_t mtype, unsigned const char *data, size_t dlen) 294 { 295 danetls_record *t; 296 const EVP_MD *md = NULL; 297 int ilen = (int)dlen; 298 int i; 299 int num; 300 301 if (dane->trecs == NULL) { 302 SSLerr(SSL_F_DANE_TLSA_ADD, SSL_R_DANE_NOT_ENABLED); 303 return -1; 304 } 305 306 if (ilen < 0 || dlen != (size_t)ilen) { 307 SSLerr(SSL_F_DANE_TLSA_ADD, SSL_R_DANE_TLSA_BAD_DATA_LENGTH); 308 return 0; 309 } 310 311 if (usage > DANETLS_USAGE_LAST) { 312 SSLerr(SSL_F_DANE_TLSA_ADD, SSL_R_DANE_TLSA_BAD_CERTIFICATE_USAGE); 313 return 0; 314 } 315 316 if (selector > DANETLS_SELECTOR_LAST) { 317 SSLerr(SSL_F_DANE_TLSA_ADD, SSL_R_DANE_TLSA_BAD_SELECTOR); 318 return 0; 319 } 320 321 if (mtype != DANETLS_MATCHING_FULL) { 322 md = tlsa_md_get(dane, mtype); 323 if (md == NULL) { 324 SSLerr(SSL_F_DANE_TLSA_ADD, SSL_R_DANE_TLSA_BAD_MATCHING_TYPE); 325 return 0; 326 } 327 } 328 329 if (md != NULL && dlen != (size_t)EVP_MD_size(md)) { 330 SSLerr(SSL_F_DANE_TLSA_ADD, SSL_R_DANE_TLSA_BAD_DIGEST_LENGTH); 331 return 0; 332 } 333 if (!data) { 334 SSLerr(SSL_F_DANE_TLSA_ADD, SSL_R_DANE_TLSA_NULL_DATA); 335 return 0; 336 } 337 338 if ((t = OPENSSL_zalloc(sizeof(*t))) == NULL) { 339 SSLerr(SSL_F_DANE_TLSA_ADD, ERR_R_MALLOC_FAILURE); 340 return -1; 341 } 342 343 t->usage = usage; 344 t->selector = selector; 345 t->mtype = mtype; 346 t->data = OPENSSL_malloc(dlen); 347 if (t->data == NULL) { 348 tlsa_free(t); 349 SSLerr(SSL_F_DANE_TLSA_ADD, ERR_R_MALLOC_FAILURE); 350 return -1; 351 } 352 memcpy(t->data, data, dlen); 353 t->dlen = dlen; 354 355 /* Validate and cache full certificate or public key */ 356 if (mtype == DANETLS_MATCHING_FULL) { 357 const unsigned char *p = data; 358 X509 *cert = NULL; 359 EVP_PKEY *pkey = NULL; 360 361 switch (selector) { 362 case DANETLS_SELECTOR_CERT: 363 if (!d2i_X509(&cert, &p, ilen) || p < data || 364 dlen != (size_t)(p - data)) { 365 tlsa_free(t); 366 SSLerr(SSL_F_DANE_TLSA_ADD, SSL_R_DANE_TLSA_BAD_CERTIFICATE); 367 return 0; 368 } 369 if (X509_get0_pubkey(cert) == NULL) { 370 tlsa_free(t); 371 SSLerr(SSL_F_DANE_TLSA_ADD, SSL_R_DANE_TLSA_BAD_CERTIFICATE); 372 return 0; 373 } 374 375 if ((DANETLS_USAGE_BIT(usage) & DANETLS_TA_MASK) == 0) { 376 X509_free(cert); 377 break; 378 } 379 380 /* 381 * For usage DANE-TA(2), we support authentication via "2 0 0" TLSA 382 * records that contain full certificates of trust-anchors that are 383 * not present in the wire chain. For usage PKIX-TA(0), we augment 384 * the chain with untrusted Full(0) certificates from DNS, in case 385 * they are missing from the chain. 386 */ 387 if ((dane->certs == NULL && 388 (dane->certs = sk_X509_new_null()) == NULL) || 389 !sk_X509_push(dane->certs, cert)) { 390 SSLerr(SSL_F_DANE_TLSA_ADD, ERR_R_MALLOC_FAILURE); 391 X509_free(cert); 392 tlsa_free(t); 393 return -1; 394 } 395 break; 396 397 case DANETLS_SELECTOR_SPKI: 398 if (!d2i_PUBKEY(&pkey, &p, ilen) || p < data || 399 dlen != (size_t)(p - data)) { 400 tlsa_free(t); 401 SSLerr(SSL_F_DANE_TLSA_ADD, SSL_R_DANE_TLSA_BAD_PUBLIC_KEY); 402 return 0; 403 } 404 405 /* 406 * For usage DANE-TA(2), we support authentication via "2 1 0" TLSA 407 * records that contain full bare keys of trust-anchors that are 408 * not present in the wire chain. 409 */ 410 if (usage == DANETLS_USAGE_DANE_TA) 411 t->spki = pkey; 412 else 413 EVP_PKEY_free(pkey); 414 break; 415 } 416 } 417 418 /*- 419 * Find the right insertion point for the new record. 420 * 421 * See crypto/x509/x509_vfy.c. We sort DANE-EE(3) records first, so that 422 * they can be processed first, as they require no chain building, and no 423 * expiration or hostname checks. Because DANE-EE(3) is numerically 424 * largest, this is accomplished via descending sort by "usage". 425 * 426 * We also sort in descending order by matching ordinal to simplify 427 * the implementation of digest agility in the verification code. 428 * 429 * The choice of order for the selector is not significant, so we 430 * use the same descending order for consistency. 431 */ 432 num = sk_danetls_record_num(dane->trecs); 433 for (i = 0; i < num; ++i) { 434 danetls_record *rec = sk_danetls_record_value(dane->trecs, i); 435 436 if (rec->usage > usage) 437 continue; 438 if (rec->usage < usage) 439 break; 440 if (rec->selector > selector) 441 continue; 442 if (rec->selector < selector) 443 break; 444 if (dane->dctx->mdord[rec->mtype] > dane->dctx->mdord[mtype]) 445 continue; 446 break; 447 } 448 449 if (!sk_danetls_record_insert(dane->trecs, t, i)) { 450 tlsa_free(t); 451 SSLerr(SSL_F_DANE_TLSA_ADD, ERR_R_MALLOC_FAILURE); 452 return -1; 453 } 454 dane->umask |= DANETLS_USAGE_BIT(usage); 455 456 return 1; 457 } 458 459 /* 460 * Return 0 if there is only one version configured and it was disabled 461 * at configure time. Return 1 otherwise. 462 */ 463 static int ssl_check_allowed_versions(int min_version, int max_version) 464 { 465 int minisdtls = 0, maxisdtls = 0; 466 467 /* Figure out if we're doing DTLS versions or TLS versions */ 468 if (min_version == DTLS1_BAD_VER 469 || min_version >> 8 == DTLS1_VERSION_MAJOR) 470 minisdtls = 1; 471 if (max_version == DTLS1_BAD_VER 472 || max_version >> 8 == DTLS1_VERSION_MAJOR) 473 maxisdtls = 1; 474 /* A wildcard version of 0 could be DTLS or TLS. */ 475 if ((minisdtls && !maxisdtls && max_version != 0) 476 || (maxisdtls && !minisdtls && min_version != 0)) { 477 /* Mixing DTLS and TLS versions will lead to sadness; deny it. */ 478 return 0; 479 } 480 481 if (minisdtls || maxisdtls) { 482 /* Do DTLS version checks. */ 483 if (min_version == 0) 484 /* Ignore DTLS1_BAD_VER */ 485 min_version = DTLS1_VERSION; 486 if (max_version == 0) 487 max_version = DTLS1_2_VERSION; 488 #ifdef OPENSSL_NO_DTLS1_2 489 if (max_version == DTLS1_2_VERSION) 490 max_version = DTLS1_VERSION; 491 #endif 492 #ifdef OPENSSL_NO_DTLS1 493 if (min_version == DTLS1_VERSION) 494 min_version = DTLS1_2_VERSION; 495 #endif 496 /* Done massaging versions; do the check. */ 497 if (0 498 #ifdef OPENSSL_NO_DTLS1 499 || (DTLS_VERSION_GE(min_version, DTLS1_VERSION) 500 && DTLS_VERSION_GE(DTLS1_VERSION, max_version)) 501 #endif 502 #ifdef OPENSSL_NO_DTLS1_2 503 || (DTLS_VERSION_GE(min_version, DTLS1_2_VERSION) 504 && DTLS_VERSION_GE(DTLS1_2_VERSION, max_version)) 505 #endif 506 ) 507 return 0; 508 } else { 509 /* Regular TLS version checks. */ 510 if (min_version == 0) 511 min_version = SSL3_VERSION; 512 if (max_version == 0) 513 max_version = TLS1_3_VERSION; 514 #ifdef OPENSSL_NO_TLS1_3 515 if (max_version == TLS1_3_VERSION) 516 max_version = TLS1_2_VERSION; 517 #endif 518 #ifdef OPENSSL_NO_TLS1_2 519 if (max_version == TLS1_2_VERSION) 520 max_version = TLS1_1_VERSION; 521 #endif 522 #ifdef OPENSSL_NO_TLS1_1 523 if (max_version == TLS1_1_VERSION) 524 max_version = TLS1_VERSION; 525 #endif 526 #ifdef OPENSSL_NO_TLS1 527 if (max_version == TLS1_VERSION) 528 max_version = SSL3_VERSION; 529 #endif 530 #ifdef OPENSSL_NO_SSL3 531 if (min_version == SSL3_VERSION) 532 min_version = TLS1_VERSION; 533 #endif 534 #ifdef OPENSSL_NO_TLS1 535 if (min_version == TLS1_VERSION) 536 min_version = TLS1_1_VERSION; 537 #endif 538 #ifdef OPENSSL_NO_TLS1_1 539 if (min_version == TLS1_1_VERSION) 540 min_version = TLS1_2_VERSION; 541 #endif 542 #ifdef OPENSSL_NO_TLS1_2 543 if (min_version == TLS1_2_VERSION) 544 min_version = TLS1_3_VERSION; 545 #endif 546 /* Done massaging versions; do the check. */ 547 if (0 548 #ifdef OPENSSL_NO_SSL3 549 || (min_version <= SSL3_VERSION && SSL3_VERSION <= max_version) 550 #endif 551 #ifdef OPENSSL_NO_TLS1 552 || (min_version <= TLS1_VERSION && TLS1_VERSION <= max_version) 553 #endif 554 #ifdef OPENSSL_NO_TLS1_1 555 || (min_version <= TLS1_1_VERSION && TLS1_1_VERSION <= max_version) 556 #endif 557 #ifdef OPENSSL_NO_TLS1_2 558 || (min_version <= TLS1_2_VERSION && TLS1_2_VERSION <= max_version) 559 #endif 560 #ifdef OPENSSL_NO_TLS1_3 561 || (min_version <= TLS1_3_VERSION && TLS1_3_VERSION <= max_version) 562 #endif 563 ) 564 return 0; 565 } 566 return 1; 567 } 568 569 static void clear_ciphers(SSL *s) 570 { 571 /* clear the current cipher */ 572 ssl_clear_cipher_ctx(s); 573 ssl_clear_hash_ctx(&s->read_hash); 574 ssl_clear_hash_ctx(&s->write_hash); 575 } 576 577 int SSL_clear(SSL *s) 578 { 579 if (s->method == NULL) { 580 SSLerr(SSL_F_SSL_CLEAR, SSL_R_NO_METHOD_SPECIFIED); 581 return 0; 582 } 583 584 if (ssl_clear_bad_session(s)) { 585 SSL_SESSION_free(s->session); 586 s->session = NULL; 587 } 588 SSL_SESSION_free(s->psksession); 589 s->psksession = NULL; 590 OPENSSL_free(s->psksession_id); 591 s->psksession_id = NULL; 592 s->psksession_id_len = 0; 593 s->hello_retry_request = 0; 594 s->sent_tickets = 0; 595 596 s->error = 0; 597 s->hit = 0; 598 s->shutdown = 0; 599 600 if (s->renegotiate) { 601 SSLerr(SSL_F_SSL_CLEAR, ERR_R_INTERNAL_ERROR); 602 return 0; 603 } 604 605 ossl_statem_clear(s); 606 607 s->version = s->method->version; 608 s->client_version = s->version; 609 s->rwstate = SSL_NOTHING; 610 611 BUF_MEM_free(s->init_buf); 612 s->init_buf = NULL; 613 clear_ciphers(s); 614 s->first_packet = 0; 615 616 s->key_update = SSL_KEY_UPDATE_NONE; 617 618 EVP_MD_CTX_free(s->pha_dgst); 619 s->pha_dgst = NULL; 620 621 /* Reset DANE verification result state */ 622 s->dane.mdpth = -1; 623 s->dane.pdpth = -1; 624 X509_free(s->dane.mcert); 625 s->dane.mcert = NULL; 626 s->dane.mtlsa = NULL; 627 628 /* Clear the verification result peername */ 629 X509_VERIFY_PARAM_move_peername(s->param, NULL); 630 631 /* 632 * Check to see if we were changed into a different method, if so, revert 633 * back. 634 */ 635 if (s->method != s->ctx->method) { 636 s->method->ssl_free(s); 637 s->method = s->ctx->method; 638 if (!s->method->ssl_new(s)) 639 return 0; 640 } else { 641 if (!s->method->ssl_clear(s)) 642 return 0; 643 } 644 645 RECORD_LAYER_clear(&s->rlayer); 646 647 return 1; 648 } 649 650 /** Used to change an SSL_CTXs default SSL method type */ 651 int SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *meth) 652 { 653 STACK_OF(SSL_CIPHER) *sk; 654 655 ctx->method = meth; 656 657 sk = ssl_create_cipher_list(ctx->method, 658 ctx->tls13_ciphersuites, 659 &(ctx->cipher_list), 660 &(ctx->cipher_list_by_id), 661 SSL_DEFAULT_CIPHER_LIST, ctx->cert); 662 if ((sk == NULL) || (sk_SSL_CIPHER_num(sk) <= 0)) { 663 SSLerr(SSL_F_SSL_CTX_SET_SSL_VERSION, SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS); 664 return 0; 665 } 666 return 1; 667 } 668 669 SSL *SSL_new(SSL_CTX *ctx) 670 { 671 SSL *s; 672 673 if (ctx == NULL) { 674 SSLerr(SSL_F_SSL_NEW, SSL_R_NULL_SSL_CTX); 675 return NULL; 676 } 677 if (ctx->method == NULL) { 678 SSLerr(SSL_F_SSL_NEW, SSL_R_SSL_CTX_HAS_NO_DEFAULT_SSL_VERSION); 679 return NULL; 680 } 681 682 s = OPENSSL_zalloc(sizeof(*s)); 683 if (s == NULL) 684 goto err; 685 686 s->references = 1; 687 s->lock = CRYPTO_THREAD_lock_new(); 688 if (s->lock == NULL) { 689 OPENSSL_free(s); 690 s = NULL; 691 goto err; 692 } 693 694 RECORD_LAYER_init(&s->rlayer, s); 695 696 s->options = ctx->options; 697 s->dane.flags = ctx->dane.flags; 698 s->min_proto_version = ctx->min_proto_version; 699 s->max_proto_version = ctx->max_proto_version; 700 s->mode = ctx->mode; 701 s->max_cert_list = ctx->max_cert_list; 702 s->max_early_data = ctx->max_early_data; 703 s->recv_max_early_data = ctx->recv_max_early_data; 704 s->num_tickets = ctx->num_tickets; 705 s->pha_enabled = ctx->pha_enabled; 706 707 /* Shallow copy of the ciphersuites stack */ 708 s->tls13_ciphersuites = sk_SSL_CIPHER_dup(ctx->tls13_ciphersuites); 709 if (s->tls13_ciphersuites == NULL) 710 goto err; 711 712 /* 713 * Earlier library versions used to copy the pointer to the CERT, not 714 * its contents; only when setting new parameters for the per-SSL 715 * copy, ssl_cert_new would be called (and the direct reference to 716 * the per-SSL_CTX settings would be lost, but those still were 717 * indirectly accessed for various purposes, and for that reason they 718 * used to be known as s->ctx->default_cert). Now we don't look at the 719 * SSL_CTX's CERT after having duplicated it once. 720 */ 721 s->cert = ssl_cert_dup(ctx->cert); 722 if (s->cert == NULL) 723 goto err; 724 725 RECORD_LAYER_set_read_ahead(&s->rlayer, ctx->read_ahead); 726 s->msg_callback = ctx->msg_callback; 727 s->msg_callback_arg = ctx->msg_callback_arg; 728 s->verify_mode = ctx->verify_mode; 729 s->not_resumable_session_cb = ctx->not_resumable_session_cb; 730 s->record_padding_cb = ctx->record_padding_cb; 731 s->record_padding_arg = ctx->record_padding_arg; 732 s->block_padding = ctx->block_padding; 733 s->sid_ctx_length = ctx->sid_ctx_length; 734 if (!ossl_assert(s->sid_ctx_length <= sizeof(s->sid_ctx))) 735 goto err; 736 memcpy(&s->sid_ctx, &ctx->sid_ctx, sizeof(s->sid_ctx)); 737 s->verify_callback = ctx->default_verify_callback; 738 s->generate_session_id = ctx->generate_session_id; 739 740 s->param = X509_VERIFY_PARAM_new(); 741 if (s->param == NULL) 742 goto err; 743 X509_VERIFY_PARAM_inherit(s->param, ctx->param); 744 s->quiet_shutdown = ctx->quiet_shutdown; 745 746 s->ext.max_fragment_len_mode = ctx->ext.max_fragment_len_mode; 747 s->max_send_fragment = ctx->max_send_fragment; 748 s->split_send_fragment = ctx->split_send_fragment; 749 s->max_pipelines = ctx->max_pipelines; 750 if (s->max_pipelines > 1) 751 RECORD_LAYER_set_read_ahead(&s->rlayer, 1); 752 if (ctx->default_read_buf_len > 0) 753 SSL_set_default_read_buffer_len(s, ctx->default_read_buf_len); 754 755 SSL_CTX_up_ref(ctx); 756 s->ctx = ctx; 757 s->ext.debug_cb = 0; 758 s->ext.debug_arg = NULL; 759 s->ext.ticket_expected = 0; 760 s->ext.status_type = ctx->ext.status_type; 761 s->ext.status_expected = 0; 762 s->ext.ocsp.ids = NULL; 763 s->ext.ocsp.exts = NULL; 764 s->ext.ocsp.resp = NULL; 765 s->ext.ocsp.resp_len = 0; 766 SSL_CTX_up_ref(ctx); 767 s->session_ctx = ctx; 768 #ifndef OPENSSL_NO_EC 769 if (ctx->ext.ecpointformats) { 770 s->ext.ecpointformats = 771 OPENSSL_memdup(ctx->ext.ecpointformats, 772 ctx->ext.ecpointformats_len); 773 if (!s->ext.ecpointformats) 774 goto err; 775 s->ext.ecpointformats_len = 776 ctx->ext.ecpointformats_len; 777 } 778 if (ctx->ext.supportedgroups) { 779 s->ext.supportedgroups = 780 OPENSSL_memdup(ctx->ext.supportedgroups, 781 ctx->ext.supportedgroups_len 782 * sizeof(*ctx->ext.supportedgroups)); 783 if (!s->ext.supportedgroups) 784 goto err; 785 s->ext.supportedgroups_len = ctx->ext.supportedgroups_len; 786 } 787 #endif 788 #ifndef OPENSSL_NO_NEXTPROTONEG 789 s->ext.npn = NULL; 790 #endif 791 792 if (s->ctx->ext.alpn) { 793 s->ext.alpn = OPENSSL_malloc(s->ctx->ext.alpn_len); 794 if (s->ext.alpn == NULL) 795 goto err; 796 memcpy(s->ext.alpn, s->ctx->ext.alpn, s->ctx->ext.alpn_len); 797 s->ext.alpn_len = s->ctx->ext.alpn_len; 798 } 799 800 s->verified_chain = NULL; 801 s->verify_result = X509_V_OK; 802 803 s->default_passwd_callback = ctx->default_passwd_callback; 804 s->default_passwd_callback_userdata = ctx->default_passwd_callback_userdata; 805 806 s->method = ctx->method; 807 808 s->key_update = SSL_KEY_UPDATE_NONE; 809 810 s->allow_early_data_cb = ctx->allow_early_data_cb; 811 s->allow_early_data_cb_data = ctx->allow_early_data_cb_data; 812 813 if (!s->method->ssl_new(s)) 814 goto err; 815 816 s->server = (ctx->method->ssl_accept == ssl_undefined_function) ? 0 : 1; 817 818 if (!SSL_clear(s)) 819 goto err; 820 821 if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL, s, &s->ex_data)) 822 goto err; 823 824 #ifndef OPENSSL_NO_PSK 825 s->psk_client_callback = ctx->psk_client_callback; 826 s->psk_server_callback = ctx->psk_server_callback; 827 #endif 828 s->psk_find_session_cb = ctx->psk_find_session_cb; 829 s->psk_use_session_cb = ctx->psk_use_session_cb; 830 831 s->job = NULL; 832 833 #ifndef OPENSSL_NO_CT 834 if (!SSL_set_ct_validation_callback(s, ctx->ct_validation_callback, 835 ctx->ct_validation_callback_arg)) 836 goto err; 837 #endif 838 839 return s; 840 err: 841 SSL_free(s); 842 SSLerr(SSL_F_SSL_NEW, ERR_R_MALLOC_FAILURE); 843 return NULL; 844 } 845 846 int SSL_is_dtls(const SSL *s) 847 { 848 return SSL_IS_DTLS(s) ? 1 : 0; 849 } 850 851 int SSL_up_ref(SSL *s) 852 { 853 int i; 854 855 if (CRYPTO_UP_REF(&s->references, &i, s->lock) <= 0) 856 return 0; 857 858 REF_PRINT_COUNT("SSL", s); 859 REF_ASSERT_ISNT(i < 2); 860 return ((i > 1) ? 1 : 0); 861 } 862 863 int SSL_CTX_set_session_id_context(SSL_CTX *ctx, const unsigned char *sid_ctx, 864 unsigned int sid_ctx_len) 865 { 866 if (sid_ctx_len > sizeof(ctx->sid_ctx)) { 867 SSLerr(SSL_F_SSL_CTX_SET_SESSION_ID_CONTEXT, 868 SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG); 869 return 0; 870 } 871 ctx->sid_ctx_length = sid_ctx_len; 872 memcpy(ctx->sid_ctx, sid_ctx, sid_ctx_len); 873 874 return 1; 875 } 876 877 int SSL_set_session_id_context(SSL *ssl, const unsigned char *sid_ctx, 878 unsigned int sid_ctx_len) 879 { 880 if (sid_ctx_len > SSL_MAX_SID_CTX_LENGTH) { 881 SSLerr(SSL_F_SSL_SET_SESSION_ID_CONTEXT, 882 SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG); 883 return 0; 884 } 885 ssl->sid_ctx_length = sid_ctx_len; 886 memcpy(ssl->sid_ctx, sid_ctx, sid_ctx_len); 887 888 return 1; 889 } 890 891 int SSL_CTX_set_generate_session_id(SSL_CTX *ctx, GEN_SESSION_CB cb) 892 { 893 CRYPTO_THREAD_write_lock(ctx->lock); 894 ctx->generate_session_id = cb; 895 CRYPTO_THREAD_unlock(ctx->lock); 896 return 1; 897 } 898 899 int SSL_set_generate_session_id(SSL *ssl, GEN_SESSION_CB cb) 900 { 901 CRYPTO_THREAD_write_lock(ssl->lock); 902 ssl->generate_session_id = cb; 903 CRYPTO_THREAD_unlock(ssl->lock); 904 return 1; 905 } 906 907 int SSL_has_matching_session_id(const SSL *ssl, const unsigned char *id, 908 unsigned int id_len) 909 { 910 /* 911 * A quick examination of SSL_SESSION_hash and SSL_SESSION_cmp shows how 912 * we can "construct" a session to give us the desired check - i.e. to 913 * find if there's a session in the hash table that would conflict with 914 * any new session built out of this id/id_len and the ssl_version in use 915 * by this SSL. 916 */ 917 SSL_SESSION r, *p; 918 919 if (id_len > sizeof(r.session_id)) 920 return 0; 921 922 r.ssl_version = ssl->version; 923 r.session_id_length = id_len; 924 memcpy(r.session_id, id, id_len); 925 926 CRYPTO_THREAD_read_lock(ssl->session_ctx->lock); 927 p = lh_SSL_SESSION_retrieve(ssl->session_ctx->sessions, &r); 928 CRYPTO_THREAD_unlock(ssl->session_ctx->lock); 929 return (p != NULL); 930 } 931 932 int SSL_CTX_set_purpose(SSL_CTX *s, int purpose) 933 { 934 return X509_VERIFY_PARAM_set_purpose(s->param, purpose); 935 } 936 937 int SSL_set_purpose(SSL *s, int purpose) 938 { 939 return X509_VERIFY_PARAM_set_purpose(s->param, purpose); 940 } 941 942 int SSL_CTX_set_trust(SSL_CTX *s, int trust) 943 { 944 return X509_VERIFY_PARAM_set_trust(s->param, trust); 945 } 946 947 int SSL_set_trust(SSL *s, int trust) 948 { 949 return X509_VERIFY_PARAM_set_trust(s->param, trust); 950 } 951 952 int SSL_set1_host(SSL *s, const char *hostname) 953 { 954 return X509_VERIFY_PARAM_set1_host(s->param, hostname, 0); 955 } 956 957 int SSL_add1_host(SSL *s, const char *hostname) 958 { 959 return X509_VERIFY_PARAM_add1_host(s->param, hostname, 0); 960 } 961 962 void SSL_set_hostflags(SSL *s, unsigned int flags) 963 { 964 X509_VERIFY_PARAM_set_hostflags(s->param, flags); 965 } 966 967 const char *SSL_get0_peername(SSL *s) 968 { 969 return X509_VERIFY_PARAM_get0_peername(s->param); 970 } 971 972 int SSL_CTX_dane_enable(SSL_CTX *ctx) 973 { 974 return dane_ctx_enable(&ctx->dane); 975 } 976 977 unsigned long SSL_CTX_dane_set_flags(SSL_CTX *ctx, unsigned long flags) 978 { 979 unsigned long orig = ctx->dane.flags; 980 981 ctx->dane.flags |= flags; 982 return orig; 983 } 984 985 unsigned long SSL_CTX_dane_clear_flags(SSL_CTX *ctx, unsigned long flags) 986 { 987 unsigned long orig = ctx->dane.flags; 988 989 ctx->dane.flags &= ~flags; 990 return orig; 991 } 992 993 int SSL_dane_enable(SSL *s, const char *basedomain) 994 { 995 SSL_DANE *dane = &s->dane; 996 997 if (s->ctx->dane.mdmax == 0) { 998 SSLerr(SSL_F_SSL_DANE_ENABLE, SSL_R_CONTEXT_NOT_DANE_ENABLED); 999 return 0; 1000 } 1001 if (dane->trecs != NULL) { 1002 SSLerr(SSL_F_SSL_DANE_ENABLE, SSL_R_DANE_ALREADY_ENABLED); 1003 return 0; 1004 } 1005 1006 /* 1007 * Default SNI name. This rejects empty names, while set1_host below 1008 * accepts them and disables host name checks. To avoid side-effects with 1009 * invalid input, set the SNI name first. 1010 */ 1011 if (s->ext.hostname == NULL) { 1012 if (!SSL_set_tlsext_host_name(s, basedomain)) { 1013 SSLerr(SSL_F_SSL_DANE_ENABLE, SSL_R_ERROR_SETTING_TLSA_BASE_DOMAIN); 1014 return -1; 1015 } 1016 } 1017 1018 /* Primary RFC6125 reference identifier */ 1019 if (!X509_VERIFY_PARAM_set1_host(s->param, basedomain, 0)) { 1020 SSLerr(SSL_F_SSL_DANE_ENABLE, SSL_R_ERROR_SETTING_TLSA_BASE_DOMAIN); 1021 return -1; 1022 } 1023 1024 dane->mdpth = -1; 1025 dane->pdpth = -1; 1026 dane->dctx = &s->ctx->dane; 1027 dane->trecs = sk_danetls_record_new_null(); 1028 1029 if (dane->trecs == NULL) { 1030 SSLerr(SSL_F_SSL_DANE_ENABLE, ERR_R_MALLOC_FAILURE); 1031 return -1; 1032 } 1033 return 1; 1034 } 1035 1036 unsigned long SSL_dane_set_flags(SSL *ssl, unsigned long flags) 1037 { 1038 unsigned long orig = ssl->dane.flags; 1039 1040 ssl->dane.flags |= flags; 1041 return orig; 1042 } 1043 1044 unsigned long SSL_dane_clear_flags(SSL *ssl, unsigned long flags) 1045 { 1046 unsigned long orig = ssl->dane.flags; 1047 1048 ssl->dane.flags &= ~flags; 1049 return orig; 1050 } 1051 1052 int SSL_get0_dane_authority(SSL *s, X509 **mcert, EVP_PKEY **mspki) 1053 { 1054 SSL_DANE *dane = &s->dane; 1055 1056 if (!DANETLS_ENABLED(dane) || s->verify_result != X509_V_OK) 1057 return -1; 1058 if (dane->mtlsa) { 1059 if (mcert) 1060 *mcert = dane->mcert; 1061 if (mspki) 1062 *mspki = (dane->mcert == NULL) ? dane->mtlsa->spki : NULL; 1063 } 1064 return dane->mdpth; 1065 } 1066 1067 int SSL_get0_dane_tlsa(SSL *s, uint8_t *usage, uint8_t *selector, 1068 uint8_t *mtype, unsigned const char **data, size_t *dlen) 1069 { 1070 SSL_DANE *dane = &s->dane; 1071 1072 if (!DANETLS_ENABLED(dane) || s->verify_result != X509_V_OK) 1073 return -1; 1074 if (dane->mtlsa) { 1075 if (usage) 1076 *usage = dane->mtlsa->usage; 1077 if (selector) 1078 *selector = dane->mtlsa->selector; 1079 if (mtype) 1080 *mtype = dane->mtlsa->mtype; 1081 if (data) 1082 *data = dane->mtlsa->data; 1083 if (dlen) 1084 *dlen = dane->mtlsa->dlen; 1085 } 1086 return dane->mdpth; 1087 } 1088 1089 SSL_DANE *SSL_get0_dane(SSL *s) 1090 { 1091 return &s->dane; 1092 } 1093 1094 int SSL_dane_tlsa_add(SSL *s, uint8_t usage, uint8_t selector, 1095 uint8_t mtype, unsigned const char *data, size_t dlen) 1096 { 1097 return dane_tlsa_add(&s->dane, usage, selector, mtype, data, dlen); 1098 } 1099 1100 int SSL_CTX_dane_mtype_set(SSL_CTX *ctx, const EVP_MD *md, uint8_t mtype, 1101 uint8_t ord) 1102 { 1103 return dane_mtype_set(&ctx->dane, md, mtype, ord); 1104 } 1105 1106 int SSL_CTX_set1_param(SSL_CTX *ctx, X509_VERIFY_PARAM *vpm) 1107 { 1108 return X509_VERIFY_PARAM_set1(ctx->param, vpm); 1109 } 1110 1111 int SSL_set1_param(SSL *ssl, X509_VERIFY_PARAM *vpm) 1112 { 1113 return X509_VERIFY_PARAM_set1(ssl->param, vpm); 1114 } 1115 1116 X509_VERIFY_PARAM *SSL_CTX_get0_param(SSL_CTX *ctx) 1117 { 1118 return ctx->param; 1119 } 1120 1121 X509_VERIFY_PARAM *SSL_get0_param(SSL *ssl) 1122 { 1123 return ssl->param; 1124 } 1125 1126 void SSL_certs_clear(SSL *s) 1127 { 1128 ssl_cert_clear_certs(s->cert); 1129 } 1130 1131 void SSL_free(SSL *s) 1132 { 1133 int i; 1134 1135 if (s == NULL) 1136 return; 1137 CRYPTO_DOWN_REF(&s->references, &i, s->lock); 1138 REF_PRINT_COUNT("SSL", s); 1139 if (i > 0) 1140 return; 1141 REF_ASSERT_ISNT(i < 0); 1142 1143 X509_VERIFY_PARAM_free(s->param); 1144 dane_final(&s->dane); 1145 CRYPTO_free_ex_data(CRYPTO_EX_INDEX_SSL, s, &s->ex_data); 1146 1147 /* Ignore return value */ 1148 ssl_free_wbio_buffer(s); 1149 1150 BIO_free_all(s->wbio); 1151 BIO_free_all(s->rbio); 1152 1153 BUF_MEM_free(s->init_buf); 1154 1155 /* add extra stuff */ 1156 sk_SSL_CIPHER_free(s->cipher_list); 1157 sk_SSL_CIPHER_free(s->cipher_list_by_id); 1158 sk_SSL_CIPHER_free(s->tls13_ciphersuites); 1159 1160 /* Make the next call work :-) */ 1161 if (s->session != NULL) { 1162 ssl_clear_bad_session(s); 1163 SSL_SESSION_free(s->session); 1164 } 1165 SSL_SESSION_free(s->psksession); 1166 OPENSSL_free(s->psksession_id); 1167 1168 clear_ciphers(s); 1169 1170 ssl_cert_free(s->cert); 1171 /* Free up if allocated */ 1172 1173 OPENSSL_free(s->ext.hostname); 1174 SSL_CTX_free(s->session_ctx); 1175 #ifndef OPENSSL_NO_EC 1176 OPENSSL_free(s->ext.ecpointformats); 1177 OPENSSL_free(s->ext.supportedgroups); 1178 #endif /* OPENSSL_NO_EC */ 1179 sk_X509_EXTENSION_pop_free(s->ext.ocsp.exts, X509_EXTENSION_free); 1180 #ifndef OPENSSL_NO_OCSP 1181 sk_OCSP_RESPID_pop_free(s->ext.ocsp.ids, OCSP_RESPID_free); 1182 #endif 1183 #ifndef OPENSSL_NO_CT 1184 SCT_LIST_free(s->scts); 1185 OPENSSL_free(s->ext.scts); 1186 #endif 1187 OPENSSL_free(s->ext.ocsp.resp); 1188 OPENSSL_free(s->ext.alpn); 1189 OPENSSL_free(s->ext.tls13_cookie); 1190 OPENSSL_free(s->clienthello); 1191 OPENSSL_free(s->pha_context); 1192 EVP_MD_CTX_free(s->pha_dgst); 1193 1194 sk_X509_NAME_pop_free(s->ca_names, X509_NAME_free); 1195 1196 sk_X509_pop_free(s->verified_chain, X509_free); 1197 1198 if (s->method != NULL) 1199 s->method->ssl_free(s); 1200 1201 RECORD_LAYER_release(&s->rlayer); 1202 1203 SSL_CTX_free(s->ctx); 1204 1205 ASYNC_WAIT_CTX_free(s->waitctx); 1206 1207 #if !defined(OPENSSL_NO_NEXTPROTONEG) 1208 OPENSSL_free(s->ext.npn); 1209 #endif 1210 1211 #ifndef OPENSSL_NO_SRTP 1212 sk_SRTP_PROTECTION_PROFILE_free(s->srtp_profiles); 1213 #endif 1214 1215 CRYPTO_THREAD_lock_free(s->lock); 1216 1217 OPENSSL_free(s); 1218 } 1219 1220 void SSL_set0_rbio(SSL *s, BIO *rbio) 1221 { 1222 BIO_free_all(s->rbio); 1223 s->rbio = rbio; 1224 } 1225 1226 void SSL_set0_wbio(SSL *s, BIO *wbio) 1227 { 1228 /* 1229 * If the output buffering BIO is still in place, remove it 1230 */ 1231 if (s->bbio != NULL) 1232 s->wbio = BIO_pop(s->wbio); 1233 1234 BIO_free_all(s->wbio); 1235 s->wbio = wbio; 1236 1237 /* Re-attach |bbio| to the new |wbio|. */ 1238 if (s->bbio != NULL) 1239 s->wbio = BIO_push(s->bbio, s->wbio); 1240 } 1241 1242 void SSL_set_bio(SSL *s, BIO *rbio, BIO *wbio) 1243 { 1244 /* 1245 * For historical reasons, this function has many different cases in 1246 * ownership handling. 1247 */ 1248 1249 /* If nothing has changed, do nothing */ 1250 if (rbio == SSL_get_rbio(s) && wbio == SSL_get_wbio(s)) 1251 return; 1252 1253 /* 1254 * If the two arguments are equal then one fewer reference is granted by the 1255 * caller than we want to take 1256 */ 1257 if (rbio != NULL && rbio == wbio) 1258 BIO_up_ref(rbio); 1259 1260 /* 1261 * If only the wbio is changed only adopt one reference. 1262 */ 1263 if (rbio == SSL_get_rbio(s)) { 1264 SSL_set0_wbio(s, wbio); 1265 return; 1266 } 1267 /* 1268 * There is an asymmetry here for historical reasons. If only the rbio is 1269 * changed AND the rbio and wbio were originally different, then we only 1270 * adopt one reference. 1271 */ 1272 if (wbio == SSL_get_wbio(s) && SSL_get_rbio(s) != SSL_get_wbio(s)) { 1273 SSL_set0_rbio(s, rbio); 1274 return; 1275 } 1276 1277 /* Otherwise, adopt both references. */ 1278 SSL_set0_rbio(s, rbio); 1279 SSL_set0_wbio(s, wbio); 1280 } 1281 1282 BIO *SSL_get_rbio(const SSL *s) 1283 { 1284 return s->rbio; 1285 } 1286 1287 BIO *SSL_get_wbio(const SSL *s) 1288 { 1289 if (s->bbio != NULL) { 1290 /* 1291 * If |bbio| is active, the true caller-configured BIO is its 1292 * |next_bio|. 1293 */ 1294 return BIO_next(s->bbio); 1295 } 1296 return s->wbio; 1297 } 1298 1299 int SSL_get_fd(const SSL *s) 1300 { 1301 return SSL_get_rfd(s); 1302 } 1303 1304 int SSL_get_rfd(const SSL *s) 1305 { 1306 int ret = -1; 1307 BIO *b, *r; 1308 1309 b = SSL_get_rbio(s); 1310 r = BIO_find_type(b, BIO_TYPE_DESCRIPTOR); 1311 if (r != NULL) 1312 BIO_get_fd(r, &ret); 1313 return ret; 1314 } 1315 1316 int SSL_get_wfd(const SSL *s) 1317 { 1318 int ret = -1; 1319 BIO *b, *r; 1320 1321 b = SSL_get_wbio(s); 1322 r = BIO_find_type(b, BIO_TYPE_DESCRIPTOR); 1323 if (r != NULL) 1324 BIO_get_fd(r, &ret); 1325 return ret; 1326 } 1327 1328 #ifndef OPENSSL_NO_SOCK 1329 int SSL_set_fd(SSL *s, int fd) 1330 { 1331 int ret = 0; 1332 BIO *bio = NULL; 1333 1334 bio = BIO_new(BIO_s_socket()); 1335 1336 if (bio == NULL) { 1337 SSLerr(SSL_F_SSL_SET_FD, ERR_R_BUF_LIB); 1338 goto err; 1339 } 1340 BIO_set_fd(bio, fd, BIO_NOCLOSE); 1341 SSL_set_bio(s, bio, bio); 1342 ret = 1; 1343 err: 1344 return ret; 1345 } 1346 1347 int SSL_set_wfd(SSL *s, int fd) 1348 { 1349 BIO *rbio = SSL_get_rbio(s); 1350 1351 if (rbio == NULL || BIO_method_type(rbio) != BIO_TYPE_SOCKET 1352 || (int)BIO_get_fd(rbio, NULL) != fd) { 1353 BIO *bio = BIO_new(BIO_s_socket()); 1354 1355 if (bio == NULL) { 1356 SSLerr(SSL_F_SSL_SET_WFD, ERR_R_BUF_LIB); 1357 return 0; 1358 } 1359 BIO_set_fd(bio, fd, BIO_NOCLOSE); 1360 SSL_set0_wbio(s, bio); 1361 } else { 1362 BIO_up_ref(rbio); 1363 SSL_set0_wbio(s, rbio); 1364 } 1365 return 1; 1366 } 1367 1368 int SSL_set_rfd(SSL *s, int fd) 1369 { 1370 BIO *wbio = SSL_get_wbio(s); 1371 1372 if (wbio == NULL || BIO_method_type(wbio) != BIO_TYPE_SOCKET 1373 || ((int)BIO_get_fd(wbio, NULL) != fd)) { 1374 BIO *bio = BIO_new(BIO_s_socket()); 1375 1376 if (bio == NULL) { 1377 SSLerr(SSL_F_SSL_SET_RFD, ERR_R_BUF_LIB); 1378 return 0; 1379 } 1380 BIO_set_fd(bio, fd, BIO_NOCLOSE); 1381 SSL_set0_rbio(s, bio); 1382 } else { 1383 BIO_up_ref(wbio); 1384 SSL_set0_rbio(s, wbio); 1385 } 1386 1387 return 1; 1388 } 1389 #endif 1390 1391 /* return length of latest Finished message we sent, copy to 'buf' */ 1392 size_t SSL_get_finished(const SSL *s, void *buf, size_t count) 1393 { 1394 size_t ret = 0; 1395 1396 if (s->s3 != NULL) { 1397 ret = s->s3->tmp.finish_md_len; 1398 if (count > ret) 1399 count = ret; 1400 memcpy(buf, s->s3->tmp.finish_md, count); 1401 } 1402 return ret; 1403 } 1404 1405 /* return length of latest Finished message we expected, copy to 'buf' */ 1406 size_t SSL_get_peer_finished(const SSL *s, void *buf, size_t count) 1407 { 1408 size_t ret = 0; 1409 1410 if (s->s3 != NULL) { 1411 ret = s->s3->tmp.peer_finish_md_len; 1412 if (count > ret) 1413 count = ret; 1414 memcpy(buf, s->s3->tmp.peer_finish_md, count); 1415 } 1416 return ret; 1417 } 1418 1419 int SSL_get_verify_mode(const SSL *s) 1420 { 1421 return s->verify_mode; 1422 } 1423 1424 int SSL_get_verify_depth(const SSL *s) 1425 { 1426 return X509_VERIFY_PARAM_get_depth(s->param); 1427 } 1428 1429 int (*SSL_get_verify_callback(const SSL *s)) (int, X509_STORE_CTX *) { 1430 return s->verify_callback; 1431 } 1432 1433 int SSL_CTX_get_verify_mode(const SSL_CTX *ctx) 1434 { 1435 return ctx->verify_mode; 1436 } 1437 1438 int SSL_CTX_get_verify_depth(const SSL_CTX *ctx) 1439 { 1440 return X509_VERIFY_PARAM_get_depth(ctx->param); 1441 } 1442 1443 int (*SSL_CTX_get_verify_callback(const SSL_CTX *ctx)) (int, X509_STORE_CTX *) { 1444 return ctx->default_verify_callback; 1445 } 1446 1447 void SSL_set_verify(SSL *s, int mode, 1448 int (*callback) (int ok, X509_STORE_CTX *ctx)) 1449 { 1450 s->verify_mode = mode; 1451 if (callback != NULL) 1452 s->verify_callback = callback; 1453 } 1454 1455 void SSL_set_verify_depth(SSL *s, int depth) 1456 { 1457 X509_VERIFY_PARAM_set_depth(s->param, depth); 1458 } 1459 1460 void SSL_set_read_ahead(SSL *s, int yes) 1461 { 1462 RECORD_LAYER_set_read_ahead(&s->rlayer, yes); 1463 } 1464 1465 int SSL_get_read_ahead(const SSL *s) 1466 { 1467 return RECORD_LAYER_get_read_ahead(&s->rlayer); 1468 } 1469 1470 int SSL_pending(const SSL *s) 1471 { 1472 size_t pending = s->method->ssl_pending(s); 1473 1474 /* 1475 * SSL_pending cannot work properly if read-ahead is enabled 1476 * (SSL_[CTX_]ctrl(..., SSL_CTRL_SET_READ_AHEAD, 1, NULL)), and it is 1477 * impossible to fix since SSL_pending cannot report errors that may be 1478 * observed while scanning the new data. (Note that SSL_pending() is 1479 * often used as a boolean value, so we'd better not return -1.) 1480 * 1481 * SSL_pending also cannot work properly if the value >INT_MAX. In that case 1482 * we just return INT_MAX. 1483 */ 1484 return pending < INT_MAX ? (int)pending : INT_MAX; 1485 } 1486 1487 int SSL_has_pending(const SSL *s) 1488 { 1489 /* 1490 * Similar to SSL_pending() but returns a 1 to indicate that we have 1491 * unprocessed data available or 0 otherwise (as opposed to the number of 1492 * bytes available). Unlike SSL_pending() this will take into account 1493 * read_ahead data. A 1 return simply indicates that we have unprocessed 1494 * data. That data may not result in any application data, or we may fail 1495 * to parse the records for some reason. 1496 */ 1497 if (RECORD_LAYER_processed_read_pending(&s->rlayer)) 1498 return 1; 1499 1500 return RECORD_LAYER_read_pending(&s->rlayer); 1501 } 1502 1503 X509 *SSL_get_peer_certificate(const SSL *s) 1504 { 1505 X509 *r; 1506 1507 if ((s == NULL) || (s->session == NULL)) 1508 r = NULL; 1509 else 1510 r = s->session->peer; 1511 1512 if (r == NULL) 1513 return r; 1514 1515 X509_up_ref(r); 1516 1517 return r; 1518 } 1519 1520 STACK_OF(X509) *SSL_get_peer_cert_chain(const SSL *s) 1521 { 1522 STACK_OF(X509) *r; 1523 1524 if ((s == NULL) || (s->session == NULL)) 1525 r = NULL; 1526 else 1527 r = s->session->peer_chain; 1528 1529 /* 1530 * If we are a client, cert_chain includes the peer's own certificate; if 1531 * we are a server, it does not. 1532 */ 1533 1534 return r; 1535 } 1536 1537 /* 1538 * Now in theory, since the calling process own 't' it should be safe to 1539 * modify. We need to be able to read f without being hassled 1540 */ 1541 int SSL_copy_session_id(SSL *t, const SSL *f) 1542 { 1543 int i; 1544 /* Do we need to to SSL locking? */ 1545 if (!SSL_set_session(t, SSL_get_session(f))) { 1546 return 0; 1547 } 1548 1549 /* 1550 * what if we are setup for one protocol version but want to talk another 1551 */ 1552 if (t->method != f->method) { 1553 t->method->ssl_free(t); 1554 t->method = f->method; 1555 if (t->method->ssl_new(t) == 0) 1556 return 0; 1557 } 1558 1559 CRYPTO_UP_REF(&f->cert->references, &i, f->cert->lock); 1560 ssl_cert_free(t->cert); 1561 t->cert = f->cert; 1562 if (!SSL_set_session_id_context(t, f->sid_ctx, (int)f->sid_ctx_length)) { 1563 return 0; 1564 } 1565 1566 return 1; 1567 } 1568 1569 /* Fix this so it checks all the valid key/cert options */ 1570 int SSL_CTX_check_private_key(const SSL_CTX *ctx) 1571 { 1572 if ((ctx == NULL) || (ctx->cert->key->x509 == NULL)) { 1573 SSLerr(SSL_F_SSL_CTX_CHECK_PRIVATE_KEY, SSL_R_NO_CERTIFICATE_ASSIGNED); 1574 return 0; 1575 } 1576 if (ctx->cert->key->privatekey == NULL) { 1577 SSLerr(SSL_F_SSL_CTX_CHECK_PRIVATE_KEY, SSL_R_NO_PRIVATE_KEY_ASSIGNED); 1578 return 0; 1579 } 1580 return X509_check_private_key 1581 (ctx->cert->key->x509, ctx->cert->key->privatekey); 1582 } 1583 1584 /* Fix this function so that it takes an optional type parameter */ 1585 int SSL_check_private_key(const SSL *ssl) 1586 { 1587 if (ssl == NULL) { 1588 SSLerr(SSL_F_SSL_CHECK_PRIVATE_KEY, ERR_R_PASSED_NULL_PARAMETER); 1589 return 0; 1590 } 1591 if (ssl->cert->key->x509 == NULL) { 1592 SSLerr(SSL_F_SSL_CHECK_PRIVATE_KEY, SSL_R_NO_CERTIFICATE_ASSIGNED); 1593 return 0; 1594 } 1595 if (ssl->cert->key->privatekey == NULL) { 1596 SSLerr(SSL_F_SSL_CHECK_PRIVATE_KEY, SSL_R_NO_PRIVATE_KEY_ASSIGNED); 1597 return 0; 1598 } 1599 return X509_check_private_key(ssl->cert->key->x509, 1600 ssl->cert->key->privatekey); 1601 } 1602 1603 int SSL_waiting_for_async(SSL *s) 1604 { 1605 if (s->job) 1606 return 1; 1607 1608 return 0; 1609 } 1610 1611 int SSL_get_all_async_fds(SSL *s, OSSL_ASYNC_FD *fds, size_t *numfds) 1612 { 1613 ASYNC_WAIT_CTX *ctx = s->waitctx; 1614 1615 if (ctx == NULL) 1616 return 0; 1617 return ASYNC_WAIT_CTX_get_all_fds(ctx, fds, numfds); 1618 } 1619 1620 int SSL_get_changed_async_fds(SSL *s, OSSL_ASYNC_FD *addfd, size_t *numaddfds, 1621 OSSL_ASYNC_FD *delfd, size_t *numdelfds) 1622 { 1623 ASYNC_WAIT_CTX *ctx = s->waitctx; 1624 1625 if (ctx == NULL) 1626 return 0; 1627 return ASYNC_WAIT_CTX_get_changed_fds(ctx, addfd, numaddfds, delfd, 1628 numdelfds); 1629 } 1630 1631 int SSL_accept(SSL *s) 1632 { 1633 if (s->handshake_func == NULL) { 1634 /* Not properly initialized yet */ 1635 SSL_set_accept_state(s); 1636 } 1637 1638 return SSL_do_handshake(s); 1639 } 1640 1641 int SSL_connect(SSL *s) 1642 { 1643 if (s->handshake_func == NULL) { 1644 /* Not properly initialized yet */ 1645 SSL_set_connect_state(s); 1646 } 1647 1648 return SSL_do_handshake(s); 1649 } 1650 1651 long SSL_get_default_timeout(const SSL *s) 1652 { 1653 return s->method->get_timeout(); 1654 } 1655 1656 static int ssl_start_async_job(SSL *s, struct ssl_async_args *args, 1657 int (*func) (void *)) 1658 { 1659 int ret; 1660 if (s->waitctx == NULL) { 1661 s->waitctx = ASYNC_WAIT_CTX_new(); 1662 if (s->waitctx == NULL) 1663 return -1; 1664 } 1665 switch (ASYNC_start_job(&s->job, s->waitctx, &ret, func, args, 1666 sizeof(struct ssl_async_args))) { 1667 case ASYNC_ERR: 1668 s->rwstate = SSL_NOTHING; 1669 SSLerr(SSL_F_SSL_START_ASYNC_JOB, SSL_R_FAILED_TO_INIT_ASYNC); 1670 return -1; 1671 case ASYNC_PAUSE: 1672 s->rwstate = SSL_ASYNC_PAUSED; 1673 return -1; 1674 case ASYNC_NO_JOBS: 1675 s->rwstate = SSL_ASYNC_NO_JOBS; 1676 return -1; 1677 case ASYNC_FINISH: 1678 s->job = NULL; 1679 return ret; 1680 default: 1681 s->rwstate = SSL_NOTHING; 1682 SSLerr(SSL_F_SSL_START_ASYNC_JOB, ERR_R_INTERNAL_ERROR); 1683 /* Shouldn't happen */ 1684 return -1; 1685 } 1686 } 1687 1688 static int ssl_io_intern(void *vargs) 1689 { 1690 struct ssl_async_args *args; 1691 SSL *s; 1692 void *buf; 1693 size_t num; 1694 1695 args = (struct ssl_async_args *)vargs; 1696 s = args->s; 1697 buf = args->buf; 1698 num = args->num; 1699 switch (args->type) { 1700 case READFUNC: 1701 return args->f.func_read(s, buf, num, &s->asyncrw); 1702 case WRITEFUNC: 1703 return args->f.func_write(s, buf, num, &s->asyncrw); 1704 case OTHERFUNC: 1705 return args->f.func_other(s); 1706 } 1707 return -1; 1708 } 1709 1710 int ssl_read_internal(SSL *s, void *buf, size_t num, size_t *readbytes) 1711 { 1712 if (s->handshake_func == NULL) { 1713 SSLerr(SSL_F_SSL_READ_INTERNAL, SSL_R_UNINITIALIZED); 1714 return -1; 1715 } 1716 1717 if (s->shutdown & SSL_RECEIVED_SHUTDOWN) { 1718 s->rwstate = SSL_NOTHING; 1719 return 0; 1720 } 1721 1722 if (s->early_data_state == SSL_EARLY_DATA_CONNECT_RETRY 1723 || s->early_data_state == SSL_EARLY_DATA_ACCEPT_RETRY) { 1724 SSLerr(SSL_F_SSL_READ_INTERNAL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 1725 return 0; 1726 } 1727 /* 1728 * If we are a client and haven't received the ServerHello etc then we 1729 * better do that 1730 */ 1731 ossl_statem_check_finish_init(s, 0); 1732 1733 if ((s->mode & SSL_MODE_ASYNC) && ASYNC_get_current_job() == NULL) { 1734 struct ssl_async_args args; 1735 int ret; 1736 1737 args.s = s; 1738 args.buf = buf; 1739 args.num = num; 1740 args.type = READFUNC; 1741 args.f.func_read = s->method->ssl_read; 1742 1743 ret = ssl_start_async_job(s, &args, ssl_io_intern); 1744 *readbytes = s->asyncrw; 1745 return ret; 1746 } else { 1747 return s->method->ssl_read(s, buf, num, readbytes); 1748 } 1749 } 1750 1751 int SSL_read(SSL *s, void *buf, int num) 1752 { 1753 int ret; 1754 size_t readbytes; 1755 1756 if (num < 0) { 1757 SSLerr(SSL_F_SSL_READ, SSL_R_BAD_LENGTH); 1758 return -1; 1759 } 1760 1761 ret = ssl_read_internal(s, buf, (size_t)num, &readbytes); 1762 1763 /* 1764 * The cast is safe here because ret should be <= INT_MAX because num is 1765 * <= INT_MAX 1766 */ 1767 if (ret > 0) 1768 ret = (int)readbytes; 1769 1770 return ret; 1771 } 1772 1773 int SSL_read_ex(SSL *s, void *buf, size_t num, size_t *readbytes) 1774 { 1775 int ret = ssl_read_internal(s, buf, num, readbytes); 1776 1777 if (ret < 0) 1778 ret = 0; 1779 return ret; 1780 } 1781 1782 int SSL_read_early_data(SSL *s, void *buf, size_t num, size_t *readbytes) 1783 { 1784 int ret; 1785 1786 if (!s->server) { 1787 SSLerr(SSL_F_SSL_READ_EARLY_DATA, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 1788 return SSL_READ_EARLY_DATA_ERROR; 1789 } 1790 1791 switch (s->early_data_state) { 1792 case SSL_EARLY_DATA_NONE: 1793 if (!SSL_in_before(s)) { 1794 SSLerr(SSL_F_SSL_READ_EARLY_DATA, 1795 ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 1796 return SSL_READ_EARLY_DATA_ERROR; 1797 } 1798 /* fall through */ 1799 1800 case SSL_EARLY_DATA_ACCEPT_RETRY: 1801 s->early_data_state = SSL_EARLY_DATA_ACCEPTING; 1802 ret = SSL_accept(s); 1803 if (ret <= 0) { 1804 /* NBIO or error */ 1805 s->early_data_state = SSL_EARLY_DATA_ACCEPT_RETRY; 1806 return SSL_READ_EARLY_DATA_ERROR; 1807 } 1808 /* fall through */ 1809 1810 case SSL_EARLY_DATA_READ_RETRY: 1811 if (s->ext.early_data == SSL_EARLY_DATA_ACCEPTED) { 1812 s->early_data_state = SSL_EARLY_DATA_READING; 1813 ret = SSL_read_ex(s, buf, num, readbytes); 1814 /* 1815 * State machine will update early_data_state to 1816 * SSL_EARLY_DATA_FINISHED_READING if we get an EndOfEarlyData 1817 * message 1818 */ 1819 if (ret > 0 || (ret <= 0 && s->early_data_state 1820 != SSL_EARLY_DATA_FINISHED_READING)) { 1821 s->early_data_state = SSL_EARLY_DATA_READ_RETRY; 1822 return ret > 0 ? SSL_READ_EARLY_DATA_SUCCESS 1823 : SSL_READ_EARLY_DATA_ERROR; 1824 } 1825 } else { 1826 s->early_data_state = SSL_EARLY_DATA_FINISHED_READING; 1827 } 1828 *readbytes = 0; 1829 return SSL_READ_EARLY_DATA_FINISH; 1830 1831 default: 1832 SSLerr(SSL_F_SSL_READ_EARLY_DATA, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 1833 return SSL_READ_EARLY_DATA_ERROR; 1834 } 1835 } 1836 1837 int SSL_get_early_data_status(const SSL *s) 1838 { 1839 return s->ext.early_data; 1840 } 1841 1842 static int ssl_peek_internal(SSL *s, void *buf, size_t num, size_t *readbytes) 1843 { 1844 if (s->handshake_func == NULL) { 1845 SSLerr(SSL_F_SSL_PEEK_INTERNAL, SSL_R_UNINITIALIZED); 1846 return -1; 1847 } 1848 1849 if (s->shutdown & SSL_RECEIVED_SHUTDOWN) { 1850 return 0; 1851 } 1852 if ((s->mode & SSL_MODE_ASYNC) && ASYNC_get_current_job() == NULL) { 1853 struct ssl_async_args args; 1854 int ret; 1855 1856 args.s = s; 1857 args.buf = buf; 1858 args.num = num; 1859 args.type = READFUNC; 1860 args.f.func_read = s->method->ssl_peek; 1861 1862 ret = ssl_start_async_job(s, &args, ssl_io_intern); 1863 *readbytes = s->asyncrw; 1864 return ret; 1865 } else { 1866 return s->method->ssl_peek(s, buf, num, readbytes); 1867 } 1868 } 1869 1870 int SSL_peek(SSL *s, void *buf, int num) 1871 { 1872 int ret; 1873 size_t readbytes; 1874 1875 if (num < 0) { 1876 SSLerr(SSL_F_SSL_PEEK, SSL_R_BAD_LENGTH); 1877 return -1; 1878 } 1879 1880 ret = ssl_peek_internal(s, buf, (size_t)num, &readbytes); 1881 1882 /* 1883 * The cast is safe here because ret should be <= INT_MAX because num is 1884 * <= INT_MAX 1885 */ 1886 if (ret > 0) 1887 ret = (int)readbytes; 1888 1889 return ret; 1890 } 1891 1892 1893 int SSL_peek_ex(SSL *s, void *buf, size_t num, size_t *readbytes) 1894 { 1895 int ret = ssl_peek_internal(s, buf, num, readbytes); 1896 1897 if (ret < 0) 1898 ret = 0; 1899 return ret; 1900 } 1901 1902 int ssl_write_internal(SSL *s, const void *buf, size_t num, size_t *written) 1903 { 1904 if (s->handshake_func == NULL) { 1905 SSLerr(SSL_F_SSL_WRITE_INTERNAL, SSL_R_UNINITIALIZED); 1906 return -1; 1907 } 1908 1909 if (s->shutdown & SSL_SENT_SHUTDOWN) { 1910 s->rwstate = SSL_NOTHING; 1911 SSLerr(SSL_F_SSL_WRITE_INTERNAL, SSL_R_PROTOCOL_IS_SHUTDOWN); 1912 return -1; 1913 } 1914 1915 if (s->early_data_state == SSL_EARLY_DATA_CONNECT_RETRY 1916 || s->early_data_state == SSL_EARLY_DATA_ACCEPT_RETRY 1917 || s->early_data_state == SSL_EARLY_DATA_READ_RETRY) { 1918 SSLerr(SSL_F_SSL_WRITE_INTERNAL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 1919 return 0; 1920 } 1921 /* If we are a client and haven't sent the Finished we better do that */ 1922 ossl_statem_check_finish_init(s, 1); 1923 1924 if ((s->mode & SSL_MODE_ASYNC) && ASYNC_get_current_job() == NULL) { 1925 int ret; 1926 struct ssl_async_args args; 1927 1928 args.s = s; 1929 args.buf = (void *)buf; 1930 args.num = num; 1931 args.type = WRITEFUNC; 1932 args.f.func_write = s->method->ssl_write; 1933 1934 ret = ssl_start_async_job(s, &args, ssl_io_intern); 1935 *written = s->asyncrw; 1936 return ret; 1937 } else { 1938 return s->method->ssl_write(s, buf, num, written); 1939 } 1940 } 1941 1942 int SSL_write(SSL *s, const void *buf, int num) 1943 { 1944 int ret; 1945 size_t written; 1946 1947 if (num < 0) { 1948 SSLerr(SSL_F_SSL_WRITE, SSL_R_BAD_LENGTH); 1949 return -1; 1950 } 1951 1952 ret = ssl_write_internal(s, buf, (size_t)num, &written); 1953 1954 /* 1955 * The cast is safe here because ret should be <= INT_MAX because num is 1956 * <= INT_MAX 1957 */ 1958 if (ret > 0) 1959 ret = (int)written; 1960 1961 return ret; 1962 } 1963 1964 int SSL_write_ex(SSL *s, const void *buf, size_t num, size_t *written) 1965 { 1966 int ret = ssl_write_internal(s, buf, num, written); 1967 1968 if (ret < 0) 1969 ret = 0; 1970 return ret; 1971 } 1972 1973 int SSL_write_early_data(SSL *s, const void *buf, size_t num, size_t *written) 1974 { 1975 int ret, early_data_state; 1976 size_t writtmp; 1977 uint32_t partialwrite; 1978 1979 switch (s->early_data_state) { 1980 case SSL_EARLY_DATA_NONE: 1981 if (s->server 1982 || !SSL_in_before(s) 1983 || ((s->session == NULL || s->session->ext.max_early_data == 0) 1984 && (s->psk_use_session_cb == NULL))) { 1985 SSLerr(SSL_F_SSL_WRITE_EARLY_DATA, 1986 ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 1987 return 0; 1988 } 1989 /* fall through */ 1990 1991 case SSL_EARLY_DATA_CONNECT_RETRY: 1992 s->early_data_state = SSL_EARLY_DATA_CONNECTING; 1993 ret = SSL_connect(s); 1994 if (ret <= 0) { 1995 /* NBIO or error */ 1996 s->early_data_state = SSL_EARLY_DATA_CONNECT_RETRY; 1997 return 0; 1998 } 1999 /* fall through */ 2000 2001 case SSL_EARLY_DATA_WRITE_RETRY: 2002 s->early_data_state = SSL_EARLY_DATA_WRITING; 2003 /* 2004 * We disable partial write for early data because we don't keep track 2005 * of how many bytes we've written between the SSL_write_ex() call and 2006 * the flush if the flush needs to be retried) 2007 */ 2008 partialwrite = s->mode & SSL_MODE_ENABLE_PARTIAL_WRITE; 2009 s->mode &= ~SSL_MODE_ENABLE_PARTIAL_WRITE; 2010 ret = SSL_write_ex(s, buf, num, &writtmp); 2011 s->mode |= partialwrite; 2012 if (!ret) { 2013 s->early_data_state = SSL_EARLY_DATA_WRITE_RETRY; 2014 return ret; 2015 } 2016 s->early_data_state = SSL_EARLY_DATA_WRITE_FLUSH; 2017 /* fall through */ 2018 2019 case SSL_EARLY_DATA_WRITE_FLUSH: 2020 /* The buffering BIO is still in place so we need to flush it */ 2021 if (statem_flush(s) != 1) 2022 return 0; 2023 *written = num; 2024 s->early_data_state = SSL_EARLY_DATA_WRITE_RETRY; 2025 return 1; 2026 2027 case SSL_EARLY_DATA_FINISHED_READING: 2028 case SSL_EARLY_DATA_READ_RETRY: 2029 early_data_state = s->early_data_state; 2030 /* We are a server writing to an unauthenticated client */ 2031 s->early_data_state = SSL_EARLY_DATA_UNAUTH_WRITING; 2032 ret = SSL_write_ex(s, buf, num, written); 2033 /* The buffering BIO is still in place */ 2034 if (ret) 2035 (void)BIO_flush(s->wbio); 2036 s->early_data_state = early_data_state; 2037 return ret; 2038 2039 default: 2040 SSLerr(SSL_F_SSL_WRITE_EARLY_DATA, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 2041 return 0; 2042 } 2043 } 2044 2045 int SSL_shutdown(SSL *s) 2046 { 2047 /* 2048 * Note that this function behaves differently from what one might 2049 * expect. Return values are 0 for no success (yet), 1 for success; but 2050 * calling it once is usually not enough, even if blocking I/O is used 2051 * (see ssl3_shutdown). 2052 */ 2053 2054 if (s->handshake_func == NULL) { 2055 SSLerr(SSL_F_SSL_SHUTDOWN, SSL_R_UNINITIALIZED); 2056 return -1; 2057 } 2058 2059 if (!SSL_in_init(s)) { 2060 if ((s->mode & SSL_MODE_ASYNC) && ASYNC_get_current_job() == NULL) { 2061 struct ssl_async_args args; 2062 2063 args.s = s; 2064 args.type = OTHERFUNC; 2065 args.f.func_other = s->method->ssl_shutdown; 2066 2067 return ssl_start_async_job(s, &args, ssl_io_intern); 2068 } else { 2069 return s->method->ssl_shutdown(s); 2070 } 2071 } else { 2072 SSLerr(SSL_F_SSL_SHUTDOWN, SSL_R_SHUTDOWN_WHILE_IN_INIT); 2073 return -1; 2074 } 2075 } 2076 2077 int SSL_key_update(SSL *s, int updatetype) 2078 { 2079 /* 2080 * TODO(TLS1.3): How will applications know whether TLSv1.3 has been 2081 * negotiated, and that it is appropriate to call SSL_key_update() instead 2082 * of SSL_renegotiate(). 2083 */ 2084 if (!SSL_IS_TLS13(s)) { 2085 SSLerr(SSL_F_SSL_KEY_UPDATE, SSL_R_WRONG_SSL_VERSION); 2086 return 0; 2087 } 2088 2089 if (updatetype != SSL_KEY_UPDATE_NOT_REQUESTED 2090 && updatetype != SSL_KEY_UPDATE_REQUESTED) { 2091 SSLerr(SSL_F_SSL_KEY_UPDATE, SSL_R_INVALID_KEY_UPDATE_TYPE); 2092 return 0; 2093 } 2094 2095 if (!SSL_is_init_finished(s)) { 2096 SSLerr(SSL_F_SSL_KEY_UPDATE, SSL_R_STILL_IN_INIT); 2097 return 0; 2098 } 2099 2100 ossl_statem_set_in_init(s, 1); 2101 s->key_update = updatetype; 2102 return 1; 2103 } 2104 2105 int SSL_get_key_update_type(SSL *s) 2106 { 2107 return s->key_update; 2108 } 2109 2110 int SSL_renegotiate(SSL *s) 2111 { 2112 if (SSL_IS_TLS13(s)) { 2113 SSLerr(SSL_F_SSL_RENEGOTIATE, SSL_R_WRONG_SSL_VERSION); 2114 return 0; 2115 } 2116 2117 if ((s->options & SSL_OP_NO_RENEGOTIATION)) { 2118 SSLerr(SSL_F_SSL_RENEGOTIATE, SSL_R_NO_RENEGOTIATION); 2119 return 0; 2120 } 2121 2122 s->renegotiate = 1; 2123 s->new_session = 1; 2124 2125 return s->method->ssl_renegotiate(s); 2126 } 2127 2128 int SSL_renegotiate_abbreviated(SSL *s) 2129 { 2130 if (SSL_IS_TLS13(s)) { 2131 SSLerr(SSL_F_SSL_RENEGOTIATE_ABBREVIATED, SSL_R_WRONG_SSL_VERSION); 2132 return 0; 2133 } 2134 2135 if ((s->options & SSL_OP_NO_RENEGOTIATION)) { 2136 SSLerr(SSL_F_SSL_RENEGOTIATE_ABBREVIATED, SSL_R_NO_RENEGOTIATION); 2137 return 0; 2138 } 2139 2140 s->renegotiate = 1; 2141 s->new_session = 0; 2142 2143 return s->method->ssl_renegotiate(s); 2144 } 2145 2146 int SSL_renegotiate_pending(SSL *s) 2147 { 2148 /* 2149 * becomes true when negotiation is requested; false again once a 2150 * handshake has finished 2151 */ 2152 return (s->renegotiate != 0); 2153 } 2154 2155 long SSL_ctrl(SSL *s, int cmd, long larg, void *parg) 2156 { 2157 long l; 2158 2159 switch (cmd) { 2160 case SSL_CTRL_GET_READ_AHEAD: 2161 return RECORD_LAYER_get_read_ahead(&s->rlayer); 2162 case SSL_CTRL_SET_READ_AHEAD: 2163 l = RECORD_LAYER_get_read_ahead(&s->rlayer); 2164 RECORD_LAYER_set_read_ahead(&s->rlayer, larg); 2165 return l; 2166 2167 case SSL_CTRL_SET_MSG_CALLBACK_ARG: 2168 s->msg_callback_arg = parg; 2169 return 1; 2170 2171 case SSL_CTRL_MODE: 2172 return (s->mode |= larg); 2173 case SSL_CTRL_CLEAR_MODE: 2174 return (s->mode &= ~larg); 2175 case SSL_CTRL_GET_MAX_CERT_LIST: 2176 return (long)s->max_cert_list; 2177 case SSL_CTRL_SET_MAX_CERT_LIST: 2178 if (larg < 0) 2179 return 0; 2180 l = (long)s->max_cert_list; 2181 s->max_cert_list = (size_t)larg; 2182 return l; 2183 case SSL_CTRL_SET_MAX_SEND_FRAGMENT: 2184 if (larg < 512 || larg > SSL3_RT_MAX_PLAIN_LENGTH) 2185 return 0; 2186 s->max_send_fragment = larg; 2187 if (s->max_send_fragment < s->split_send_fragment) 2188 s->split_send_fragment = s->max_send_fragment; 2189 return 1; 2190 case SSL_CTRL_SET_SPLIT_SEND_FRAGMENT: 2191 if ((size_t)larg > s->max_send_fragment || larg == 0) 2192 return 0; 2193 s->split_send_fragment = larg; 2194 return 1; 2195 case SSL_CTRL_SET_MAX_PIPELINES: 2196 if (larg < 1 || larg > SSL_MAX_PIPELINES) 2197 return 0; 2198 s->max_pipelines = larg; 2199 if (larg > 1) 2200 RECORD_LAYER_set_read_ahead(&s->rlayer, 1); 2201 return 1; 2202 case SSL_CTRL_GET_RI_SUPPORT: 2203 if (s->s3) 2204 return s->s3->send_connection_binding; 2205 else 2206 return 0; 2207 case SSL_CTRL_CERT_FLAGS: 2208 return (s->cert->cert_flags |= larg); 2209 case SSL_CTRL_CLEAR_CERT_FLAGS: 2210 return (s->cert->cert_flags &= ~larg); 2211 2212 case SSL_CTRL_GET_RAW_CIPHERLIST: 2213 if (parg) { 2214 if (s->s3->tmp.ciphers_raw == NULL) 2215 return 0; 2216 *(unsigned char **)parg = s->s3->tmp.ciphers_raw; 2217 return (int)s->s3->tmp.ciphers_rawlen; 2218 } else { 2219 return TLS_CIPHER_LEN; 2220 } 2221 case SSL_CTRL_GET_EXTMS_SUPPORT: 2222 if (!s->session || SSL_in_init(s) || ossl_statem_get_in_handshake(s)) 2223 return -1; 2224 if (s->session->flags & SSL_SESS_FLAG_EXTMS) 2225 return 1; 2226 else 2227 return 0; 2228 case SSL_CTRL_SET_MIN_PROTO_VERSION: 2229 return ssl_check_allowed_versions(larg, s->max_proto_version) 2230 && ssl_set_version_bound(s->ctx->method->version, (int)larg, 2231 &s->min_proto_version); 2232 case SSL_CTRL_GET_MIN_PROTO_VERSION: 2233 return s->min_proto_version; 2234 case SSL_CTRL_SET_MAX_PROTO_VERSION: 2235 return ssl_check_allowed_versions(s->min_proto_version, larg) 2236 && ssl_set_version_bound(s->ctx->method->version, (int)larg, 2237 &s->max_proto_version); 2238 case SSL_CTRL_GET_MAX_PROTO_VERSION: 2239 return s->max_proto_version; 2240 default: 2241 return s->method->ssl_ctrl(s, cmd, larg, parg); 2242 } 2243 } 2244 2245 long SSL_callback_ctrl(SSL *s, int cmd, void (*fp) (void)) 2246 { 2247 switch (cmd) { 2248 case SSL_CTRL_SET_MSG_CALLBACK: 2249 s->msg_callback = (void (*) 2250 (int write_p, int version, int content_type, 2251 const void *buf, size_t len, SSL *ssl, 2252 void *arg))(fp); 2253 return 1; 2254 2255 default: 2256 return s->method->ssl_callback_ctrl(s, cmd, fp); 2257 } 2258 } 2259 2260 LHASH_OF(SSL_SESSION) *SSL_CTX_sessions(SSL_CTX *ctx) 2261 { 2262 return ctx->sessions; 2263 } 2264 2265 long SSL_CTX_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) 2266 { 2267 long l; 2268 /* For some cases with ctx == NULL perform syntax checks */ 2269 if (ctx == NULL) { 2270 switch (cmd) { 2271 #ifndef OPENSSL_NO_EC 2272 case SSL_CTRL_SET_GROUPS_LIST: 2273 return tls1_set_groups_list(NULL, NULL, parg); 2274 #endif 2275 case SSL_CTRL_SET_SIGALGS_LIST: 2276 case SSL_CTRL_SET_CLIENT_SIGALGS_LIST: 2277 return tls1_set_sigalgs_list(NULL, parg, 0); 2278 default: 2279 return 0; 2280 } 2281 } 2282 2283 switch (cmd) { 2284 case SSL_CTRL_GET_READ_AHEAD: 2285 return ctx->read_ahead; 2286 case SSL_CTRL_SET_READ_AHEAD: 2287 l = ctx->read_ahead; 2288 ctx->read_ahead = larg; 2289 return l; 2290 2291 case SSL_CTRL_SET_MSG_CALLBACK_ARG: 2292 ctx->msg_callback_arg = parg; 2293 return 1; 2294 2295 case SSL_CTRL_GET_MAX_CERT_LIST: 2296 return (long)ctx->max_cert_list; 2297 case SSL_CTRL_SET_MAX_CERT_LIST: 2298 if (larg < 0) 2299 return 0; 2300 l = (long)ctx->max_cert_list; 2301 ctx->max_cert_list = (size_t)larg; 2302 return l; 2303 2304 case SSL_CTRL_SET_SESS_CACHE_SIZE: 2305 if (larg < 0) 2306 return 0; 2307 l = (long)ctx->session_cache_size; 2308 ctx->session_cache_size = (size_t)larg; 2309 return l; 2310 case SSL_CTRL_GET_SESS_CACHE_SIZE: 2311 return (long)ctx->session_cache_size; 2312 case SSL_CTRL_SET_SESS_CACHE_MODE: 2313 l = ctx->session_cache_mode; 2314 ctx->session_cache_mode = larg; 2315 return l; 2316 case SSL_CTRL_GET_SESS_CACHE_MODE: 2317 return ctx->session_cache_mode; 2318 2319 case SSL_CTRL_SESS_NUMBER: 2320 return lh_SSL_SESSION_num_items(ctx->sessions); 2321 case SSL_CTRL_SESS_CONNECT: 2322 return tsan_load(&ctx->stats.sess_connect); 2323 case SSL_CTRL_SESS_CONNECT_GOOD: 2324 return tsan_load(&ctx->stats.sess_connect_good); 2325 case SSL_CTRL_SESS_CONNECT_RENEGOTIATE: 2326 return tsan_load(&ctx->stats.sess_connect_renegotiate); 2327 case SSL_CTRL_SESS_ACCEPT: 2328 return tsan_load(&ctx->stats.sess_accept); 2329 case SSL_CTRL_SESS_ACCEPT_GOOD: 2330 return tsan_load(&ctx->stats.sess_accept_good); 2331 case SSL_CTRL_SESS_ACCEPT_RENEGOTIATE: 2332 return tsan_load(&ctx->stats.sess_accept_renegotiate); 2333 case SSL_CTRL_SESS_HIT: 2334 return tsan_load(&ctx->stats.sess_hit); 2335 case SSL_CTRL_SESS_CB_HIT: 2336 return tsan_load(&ctx->stats.sess_cb_hit); 2337 case SSL_CTRL_SESS_MISSES: 2338 return tsan_load(&ctx->stats.sess_miss); 2339 case SSL_CTRL_SESS_TIMEOUTS: 2340 return tsan_load(&ctx->stats.sess_timeout); 2341 case SSL_CTRL_SESS_CACHE_FULL: 2342 return tsan_load(&ctx->stats.sess_cache_full); 2343 case SSL_CTRL_MODE: 2344 return (ctx->mode |= larg); 2345 case SSL_CTRL_CLEAR_MODE: 2346 return (ctx->mode &= ~larg); 2347 case SSL_CTRL_SET_MAX_SEND_FRAGMENT: 2348 if (larg < 512 || larg > SSL3_RT_MAX_PLAIN_LENGTH) 2349 return 0; 2350 ctx->max_send_fragment = larg; 2351 if (ctx->max_send_fragment < ctx->split_send_fragment) 2352 ctx->split_send_fragment = ctx->max_send_fragment; 2353 return 1; 2354 case SSL_CTRL_SET_SPLIT_SEND_FRAGMENT: 2355 if ((size_t)larg > ctx->max_send_fragment || larg == 0) 2356 return 0; 2357 ctx->split_send_fragment = larg; 2358 return 1; 2359 case SSL_CTRL_SET_MAX_PIPELINES: 2360 if (larg < 1 || larg > SSL_MAX_PIPELINES) 2361 return 0; 2362 ctx->max_pipelines = larg; 2363 return 1; 2364 case SSL_CTRL_CERT_FLAGS: 2365 return (ctx->cert->cert_flags |= larg); 2366 case SSL_CTRL_CLEAR_CERT_FLAGS: 2367 return (ctx->cert->cert_flags &= ~larg); 2368 case SSL_CTRL_SET_MIN_PROTO_VERSION: 2369 return ssl_check_allowed_versions(larg, ctx->max_proto_version) 2370 && ssl_set_version_bound(ctx->method->version, (int)larg, 2371 &ctx->min_proto_version); 2372 case SSL_CTRL_GET_MIN_PROTO_VERSION: 2373 return ctx->min_proto_version; 2374 case SSL_CTRL_SET_MAX_PROTO_VERSION: 2375 return ssl_check_allowed_versions(ctx->min_proto_version, larg) 2376 && ssl_set_version_bound(ctx->method->version, (int)larg, 2377 &ctx->max_proto_version); 2378 case SSL_CTRL_GET_MAX_PROTO_VERSION: 2379 return ctx->max_proto_version; 2380 default: 2381 return ctx->method->ssl_ctx_ctrl(ctx, cmd, larg, parg); 2382 } 2383 } 2384 2385 long SSL_CTX_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp) (void)) 2386 { 2387 switch (cmd) { 2388 case SSL_CTRL_SET_MSG_CALLBACK: 2389 ctx->msg_callback = (void (*) 2390 (int write_p, int version, int content_type, 2391 const void *buf, size_t len, SSL *ssl, 2392 void *arg))(fp); 2393 return 1; 2394 2395 default: 2396 return ctx->method->ssl_ctx_callback_ctrl(ctx, cmd, fp); 2397 } 2398 } 2399 2400 int ssl_cipher_id_cmp(const SSL_CIPHER *a, const SSL_CIPHER *b) 2401 { 2402 if (a->id > b->id) 2403 return 1; 2404 if (a->id < b->id) 2405 return -1; 2406 return 0; 2407 } 2408 2409 int ssl_cipher_ptr_id_cmp(const SSL_CIPHER *const *ap, 2410 const SSL_CIPHER *const *bp) 2411 { 2412 if ((*ap)->id > (*bp)->id) 2413 return 1; 2414 if ((*ap)->id < (*bp)->id) 2415 return -1; 2416 return 0; 2417 } 2418 2419 /** return a STACK of the ciphers available for the SSL and in order of 2420 * preference */ 2421 STACK_OF(SSL_CIPHER) *SSL_get_ciphers(const SSL *s) 2422 { 2423 if (s != NULL) { 2424 if (s->cipher_list != NULL) { 2425 return s->cipher_list; 2426 } else if ((s->ctx != NULL) && (s->ctx->cipher_list != NULL)) { 2427 return s->ctx->cipher_list; 2428 } 2429 } 2430 return NULL; 2431 } 2432 2433 STACK_OF(SSL_CIPHER) *SSL_get_client_ciphers(const SSL *s) 2434 { 2435 if ((s == NULL) || (s->session == NULL) || !s->server) 2436 return NULL; 2437 return s->session->ciphers; 2438 } 2439 2440 STACK_OF(SSL_CIPHER) *SSL_get1_supported_ciphers(SSL *s) 2441 { 2442 STACK_OF(SSL_CIPHER) *sk = NULL, *ciphers; 2443 int i; 2444 2445 ciphers = SSL_get_ciphers(s); 2446 if (!ciphers) 2447 return NULL; 2448 if (!ssl_set_client_disabled(s)) 2449 return NULL; 2450 for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) { 2451 const SSL_CIPHER *c = sk_SSL_CIPHER_value(ciphers, i); 2452 if (!ssl_cipher_disabled(s, c, SSL_SECOP_CIPHER_SUPPORTED, 0)) { 2453 if (!sk) 2454 sk = sk_SSL_CIPHER_new_null(); 2455 if (!sk) 2456 return NULL; 2457 if (!sk_SSL_CIPHER_push(sk, c)) { 2458 sk_SSL_CIPHER_free(sk); 2459 return NULL; 2460 } 2461 } 2462 } 2463 return sk; 2464 } 2465 2466 /** return a STACK of the ciphers available for the SSL and in order of 2467 * algorithm id */ 2468 STACK_OF(SSL_CIPHER) *ssl_get_ciphers_by_id(SSL *s) 2469 { 2470 if (s != NULL) { 2471 if (s->cipher_list_by_id != NULL) { 2472 return s->cipher_list_by_id; 2473 } else if ((s->ctx != NULL) && (s->ctx->cipher_list_by_id != NULL)) { 2474 return s->ctx->cipher_list_by_id; 2475 } 2476 } 2477 return NULL; 2478 } 2479 2480 /** The old interface to get the same thing as SSL_get_ciphers() */ 2481 const char *SSL_get_cipher_list(const SSL *s, int n) 2482 { 2483 const SSL_CIPHER *c; 2484 STACK_OF(SSL_CIPHER) *sk; 2485 2486 if (s == NULL) 2487 return NULL; 2488 sk = SSL_get_ciphers(s); 2489 if ((sk == NULL) || (sk_SSL_CIPHER_num(sk) <= n)) 2490 return NULL; 2491 c = sk_SSL_CIPHER_value(sk, n); 2492 if (c == NULL) 2493 return NULL; 2494 return c->name; 2495 } 2496 2497 /** return a STACK of the ciphers available for the SSL_CTX and in order of 2498 * preference */ 2499 STACK_OF(SSL_CIPHER) *SSL_CTX_get_ciphers(const SSL_CTX *ctx) 2500 { 2501 if (ctx != NULL) 2502 return ctx->cipher_list; 2503 return NULL; 2504 } 2505 2506 /** specify the ciphers to be used by default by the SSL_CTX */ 2507 int SSL_CTX_set_cipher_list(SSL_CTX *ctx, const char *str) 2508 { 2509 STACK_OF(SSL_CIPHER) *sk; 2510 2511 sk = ssl_create_cipher_list(ctx->method, ctx->tls13_ciphersuites, 2512 &ctx->cipher_list, &ctx->cipher_list_by_id, str, 2513 ctx->cert); 2514 /* 2515 * ssl_create_cipher_list may return an empty stack if it was unable to 2516 * find a cipher matching the given rule string (for example if the rule 2517 * string specifies a cipher which has been disabled). This is not an 2518 * error as far as ssl_create_cipher_list is concerned, and hence 2519 * ctx->cipher_list and ctx->cipher_list_by_id has been updated. 2520 */ 2521 if (sk == NULL) 2522 return 0; 2523 else if (sk_SSL_CIPHER_num(sk) == 0) { 2524 SSLerr(SSL_F_SSL_CTX_SET_CIPHER_LIST, SSL_R_NO_CIPHER_MATCH); 2525 return 0; 2526 } 2527 return 1; 2528 } 2529 2530 /** specify the ciphers to be used by the SSL */ 2531 int SSL_set_cipher_list(SSL *s, const char *str) 2532 { 2533 STACK_OF(SSL_CIPHER) *sk; 2534 2535 sk = ssl_create_cipher_list(s->ctx->method, s->tls13_ciphersuites, 2536 &s->cipher_list, &s->cipher_list_by_id, str, 2537 s->cert); 2538 /* see comment in SSL_CTX_set_cipher_list */ 2539 if (sk == NULL) 2540 return 0; 2541 else if (sk_SSL_CIPHER_num(sk) == 0) { 2542 SSLerr(SSL_F_SSL_SET_CIPHER_LIST, SSL_R_NO_CIPHER_MATCH); 2543 return 0; 2544 } 2545 return 1; 2546 } 2547 2548 char *SSL_get_shared_ciphers(const SSL *s, char *buf, int size) 2549 { 2550 char *p; 2551 STACK_OF(SSL_CIPHER) *clntsk, *srvrsk; 2552 const SSL_CIPHER *c; 2553 int i; 2554 2555 if (!s->server 2556 || s->session == NULL 2557 || s->session->ciphers == NULL 2558 || size < 2) 2559 return NULL; 2560 2561 p = buf; 2562 clntsk = s->session->ciphers; 2563 srvrsk = SSL_get_ciphers(s); 2564 if (clntsk == NULL || srvrsk == NULL) 2565 return NULL; 2566 2567 if (sk_SSL_CIPHER_num(clntsk) == 0 || sk_SSL_CIPHER_num(srvrsk) == 0) 2568 return NULL; 2569 2570 for (i = 0; i < sk_SSL_CIPHER_num(clntsk); i++) { 2571 int n; 2572 2573 c = sk_SSL_CIPHER_value(clntsk, i); 2574 if (sk_SSL_CIPHER_find(srvrsk, c) < 0) 2575 continue; 2576 2577 n = strlen(c->name); 2578 if (n + 1 > size) { 2579 if (p != buf) 2580 --p; 2581 *p = '\0'; 2582 return buf; 2583 } 2584 strcpy(p, c->name); 2585 p += n; 2586 *(p++) = ':'; 2587 size -= n + 1; 2588 } 2589 p[-1] = '\0'; 2590 return buf; 2591 } 2592 2593 /** return a servername extension value if provided in Client Hello, or NULL. 2594 * So far, only host_name types are defined (RFC 3546). 2595 */ 2596 2597 const char *SSL_get_servername(const SSL *s, const int type) 2598 { 2599 if (type != TLSEXT_NAMETYPE_host_name) 2600 return NULL; 2601 2602 /* 2603 * SNI is not negotiated in pre-TLS-1.3 resumption flows, so fake up an 2604 * SNI value to return if we are resuming/resumed. N.B. that we still 2605 * call the relevant callbacks for such resumption flows, and callbacks 2606 * might error out if there is not a SNI value available. 2607 */ 2608 if (s->hit) 2609 return s->session->ext.hostname; 2610 return s->ext.hostname; 2611 } 2612 2613 int SSL_get_servername_type(const SSL *s) 2614 { 2615 if (s->session 2616 && (!s->ext.hostname ? s->session-> 2617 ext.hostname : s->ext.hostname)) 2618 return TLSEXT_NAMETYPE_host_name; 2619 return -1; 2620 } 2621 2622 /* 2623 * SSL_select_next_proto implements the standard protocol selection. It is 2624 * expected that this function is called from the callback set by 2625 * SSL_CTX_set_next_proto_select_cb. The protocol data is assumed to be a 2626 * vector of 8-bit, length prefixed byte strings. The length byte itself is 2627 * not included in the length. A byte string of length 0 is invalid. No byte 2628 * string may be truncated. The current, but experimental algorithm for 2629 * selecting the protocol is: 1) If the server doesn't support NPN then this 2630 * is indicated to the callback. In this case, the client application has to 2631 * abort the connection or have a default application level protocol. 2) If 2632 * the server supports NPN, but advertises an empty list then the client 2633 * selects the first protocol in its list, but indicates via the API that this 2634 * fallback case was enacted. 3) Otherwise, the client finds the first 2635 * protocol in the server's list that it supports and selects this protocol. 2636 * This is because it's assumed that the server has better information about 2637 * which protocol a client should use. 4) If the client doesn't support any 2638 * of the server's advertised protocols, then this is treated the same as 2639 * case 2. It returns either OPENSSL_NPN_NEGOTIATED if a common protocol was 2640 * found, or OPENSSL_NPN_NO_OVERLAP if the fallback case was reached. 2641 */ 2642 int SSL_select_next_proto(unsigned char **out, unsigned char *outlen, 2643 const unsigned char *server, 2644 unsigned int server_len, 2645 const unsigned char *client, unsigned int client_len) 2646 { 2647 unsigned int i, j; 2648 const unsigned char *result; 2649 int status = OPENSSL_NPN_UNSUPPORTED; 2650 2651 /* 2652 * For each protocol in server preference order, see if we support it. 2653 */ 2654 for (i = 0; i < server_len;) { 2655 for (j = 0; j < client_len;) { 2656 if (server[i] == client[j] && 2657 memcmp(&server[i + 1], &client[j + 1], server[i]) == 0) { 2658 /* We found a match */ 2659 result = &server[i]; 2660 status = OPENSSL_NPN_NEGOTIATED; 2661 goto found; 2662 } 2663 j += client[j]; 2664 j++; 2665 } 2666 i += server[i]; 2667 i++; 2668 } 2669 2670 /* There's no overlap between our protocols and the server's list. */ 2671 result = client; 2672 status = OPENSSL_NPN_NO_OVERLAP; 2673 2674 found: 2675 *out = (unsigned char *)result + 1; 2676 *outlen = result[0]; 2677 return status; 2678 } 2679 2680 #ifndef OPENSSL_NO_NEXTPROTONEG 2681 /* 2682 * SSL_get0_next_proto_negotiated sets *data and *len to point to the 2683 * client's requested protocol for this connection and returns 0. If the 2684 * client didn't request any protocol, then *data is set to NULL. Note that 2685 * the client can request any protocol it chooses. The value returned from 2686 * this function need not be a member of the list of supported protocols 2687 * provided by the callback. 2688 */ 2689 void SSL_get0_next_proto_negotiated(const SSL *s, const unsigned char **data, 2690 unsigned *len) 2691 { 2692 *data = s->ext.npn; 2693 if (!*data) { 2694 *len = 0; 2695 } else { 2696 *len = (unsigned int)s->ext.npn_len; 2697 } 2698 } 2699 2700 /* 2701 * SSL_CTX_set_npn_advertised_cb sets a callback that is called when 2702 * a TLS server needs a list of supported protocols for Next Protocol 2703 * Negotiation. The returned list must be in wire format. The list is 2704 * returned by setting |out| to point to it and |outlen| to its length. This 2705 * memory will not be modified, but one should assume that the SSL* keeps a 2706 * reference to it. The callback should return SSL_TLSEXT_ERR_OK if it 2707 * wishes to advertise. Otherwise, no such extension will be included in the 2708 * ServerHello. 2709 */ 2710 void SSL_CTX_set_npn_advertised_cb(SSL_CTX *ctx, 2711 SSL_CTX_npn_advertised_cb_func cb, 2712 void *arg) 2713 { 2714 ctx->ext.npn_advertised_cb = cb; 2715 ctx->ext.npn_advertised_cb_arg = arg; 2716 } 2717 2718 /* 2719 * SSL_CTX_set_next_proto_select_cb sets a callback that is called when a 2720 * client needs to select a protocol from the server's provided list. |out| 2721 * must be set to point to the selected protocol (which may be within |in|). 2722 * The length of the protocol name must be written into |outlen|. The 2723 * server's advertised protocols are provided in |in| and |inlen|. The 2724 * callback can assume that |in| is syntactically valid. The client must 2725 * select a protocol. It is fatal to the connection if this callback returns 2726 * a value other than SSL_TLSEXT_ERR_OK. 2727 */ 2728 void SSL_CTX_set_npn_select_cb(SSL_CTX *ctx, 2729 SSL_CTX_npn_select_cb_func cb, 2730 void *arg) 2731 { 2732 ctx->ext.npn_select_cb = cb; 2733 ctx->ext.npn_select_cb_arg = arg; 2734 } 2735 #endif 2736 2737 /* 2738 * SSL_CTX_set_alpn_protos sets the ALPN protocol list on |ctx| to |protos|. 2739 * |protos| must be in wire-format (i.e. a series of non-empty, 8-bit 2740 * length-prefixed strings). Returns 0 on success. 2741 */ 2742 int SSL_CTX_set_alpn_protos(SSL_CTX *ctx, const unsigned char *protos, 2743 unsigned int protos_len) 2744 { 2745 OPENSSL_free(ctx->ext.alpn); 2746 ctx->ext.alpn = OPENSSL_memdup(protos, protos_len); 2747 if (ctx->ext.alpn == NULL) { 2748 SSLerr(SSL_F_SSL_CTX_SET_ALPN_PROTOS, ERR_R_MALLOC_FAILURE); 2749 return 1; 2750 } 2751 ctx->ext.alpn_len = protos_len; 2752 2753 return 0; 2754 } 2755 2756 /* 2757 * SSL_set_alpn_protos sets the ALPN protocol list on |ssl| to |protos|. 2758 * |protos| must be in wire-format (i.e. a series of non-empty, 8-bit 2759 * length-prefixed strings). Returns 0 on success. 2760 */ 2761 int SSL_set_alpn_protos(SSL *ssl, const unsigned char *protos, 2762 unsigned int protos_len) 2763 { 2764 OPENSSL_free(ssl->ext.alpn); 2765 ssl->ext.alpn = OPENSSL_memdup(protos, protos_len); 2766 if (ssl->ext.alpn == NULL) { 2767 SSLerr(SSL_F_SSL_SET_ALPN_PROTOS, ERR_R_MALLOC_FAILURE); 2768 return 1; 2769 } 2770 ssl->ext.alpn_len = protos_len; 2771 2772 return 0; 2773 } 2774 2775 /* 2776 * SSL_CTX_set_alpn_select_cb sets a callback function on |ctx| that is 2777 * called during ClientHello processing in order to select an ALPN protocol 2778 * from the client's list of offered protocols. 2779 */ 2780 void SSL_CTX_set_alpn_select_cb(SSL_CTX *ctx, 2781 SSL_CTX_alpn_select_cb_func cb, 2782 void *arg) 2783 { 2784 ctx->ext.alpn_select_cb = cb; 2785 ctx->ext.alpn_select_cb_arg = arg; 2786 } 2787 2788 /* 2789 * SSL_get0_alpn_selected gets the selected ALPN protocol (if any) from |ssl|. 2790 * On return it sets |*data| to point to |*len| bytes of protocol name 2791 * (not including the leading length-prefix byte). If the server didn't 2792 * respond with a negotiated protocol then |*len| will be zero. 2793 */ 2794 void SSL_get0_alpn_selected(const SSL *ssl, const unsigned char **data, 2795 unsigned int *len) 2796 { 2797 *data = NULL; 2798 if (ssl->s3) 2799 *data = ssl->s3->alpn_selected; 2800 if (*data == NULL) 2801 *len = 0; 2802 else 2803 *len = (unsigned int)ssl->s3->alpn_selected_len; 2804 } 2805 2806 int SSL_export_keying_material(SSL *s, unsigned char *out, size_t olen, 2807 const char *label, size_t llen, 2808 const unsigned char *context, size_t contextlen, 2809 int use_context) 2810 { 2811 if (s->version < TLS1_VERSION && s->version != DTLS1_BAD_VER) 2812 return -1; 2813 2814 return s->method->ssl3_enc->export_keying_material(s, out, olen, label, 2815 llen, context, 2816 contextlen, use_context); 2817 } 2818 2819 int SSL_export_keying_material_early(SSL *s, unsigned char *out, size_t olen, 2820 const char *label, size_t llen, 2821 const unsigned char *context, 2822 size_t contextlen) 2823 { 2824 if (s->version != TLS1_3_VERSION) 2825 return 0; 2826 2827 return tls13_export_keying_material_early(s, out, olen, label, llen, 2828 context, contextlen); 2829 } 2830 2831 static unsigned long ssl_session_hash(const SSL_SESSION *a) 2832 { 2833 const unsigned char *session_id = a->session_id; 2834 unsigned long l; 2835 unsigned char tmp_storage[4]; 2836 2837 if (a->session_id_length < sizeof(tmp_storage)) { 2838 memset(tmp_storage, 0, sizeof(tmp_storage)); 2839 memcpy(tmp_storage, a->session_id, a->session_id_length); 2840 session_id = tmp_storage; 2841 } 2842 2843 l = (unsigned long) 2844 ((unsigned long)session_id[0]) | 2845 ((unsigned long)session_id[1] << 8L) | 2846 ((unsigned long)session_id[2] << 16L) | 2847 ((unsigned long)session_id[3] << 24L); 2848 return l; 2849 } 2850 2851 /* 2852 * NB: If this function (or indeed the hash function which uses a sort of 2853 * coarser function than this one) is changed, ensure 2854 * SSL_CTX_has_matching_session_id() is checked accordingly. It relies on 2855 * being able to construct an SSL_SESSION that will collide with any existing 2856 * session with a matching session ID. 2857 */ 2858 static int ssl_session_cmp(const SSL_SESSION *a, const SSL_SESSION *b) 2859 { 2860 if (a->ssl_version != b->ssl_version) 2861 return 1; 2862 if (a->session_id_length != b->session_id_length) 2863 return 1; 2864 return memcmp(a->session_id, b->session_id, a->session_id_length); 2865 } 2866 2867 /* 2868 * These wrapper functions should remain rather than redeclaring 2869 * SSL_SESSION_hash and SSL_SESSION_cmp for void* types and casting each 2870 * variable. The reason is that the functions aren't static, they're exposed 2871 * via ssl.h. 2872 */ 2873 2874 SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth) 2875 { 2876 SSL_CTX *ret = NULL; 2877 2878 if (meth == NULL) { 2879 SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_NULL_SSL_METHOD_PASSED); 2880 return NULL; 2881 } 2882 2883 if (!OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS, NULL)) 2884 return NULL; 2885 2886 if (SSL_get_ex_data_X509_STORE_CTX_idx() < 0) { 2887 SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_X509_VERIFICATION_SETUP_PROBLEMS); 2888 goto err; 2889 } 2890 ret = OPENSSL_zalloc(sizeof(*ret)); 2891 if (ret == NULL) 2892 goto err; 2893 2894 ret->method = meth; 2895 ret->min_proto_version = 0; 2896 ret->max_proto_version = 0; 2897 ret->mode = SSL_MODE_AUTO_RETRY; 2898 ret->session_cache_mode = SSL_SESS_CACHE_SERVER; 2899 ret->session_cache_size = SSL_SESSION_CACHE_MAX_SIZE_DEFAULT; 2900 /* We take the system default. */ 2901 ret->session_timeout = meth->get_timeout(); 2902 ret->references = 1; 2903 ret->lock = CRYPTO_THREAD_lock_new(); 2904 if (ret->lock == NULL) { 2905 SSLerr(SSL_F_SSL_CTX_NEW, ERR_R_MALLOC_FAILURE); 2906 OPENSSL_free(ret); 2907 return NULL; 2908 } 2909 ret->max_cert_list = SSL_MAX_CERT_LIST_DEFAULT; 2910 ret->verify_mode = SSL_VERIFY_NONE; 2911 if ((ret->cert = ssl_cert_new()) == NULL) 2912 goto err; 2913 2914 ret->sessions = lh_SSL_SESSION_new(ssl_session_hash, ssl_session_cmp); 2915 if (ret->sessions == NULL) 2916 goto err; 2917 ret->cert_store = X509_STORE_new(); 2918 if (ret->cert_store == NULL) 2919 goto err; 2920 #ifndef OPENSSL_NO_CT 2921 ret->ctlog_store = CTLOG_STORE_new(); 2922 if (ret->ctlog_store == NULL) 2923 goto err; 2924 #endif 2925 2926 if (!SSL_CTX_set_ciphersuites(ret, TLS_DEFAULT_CIPHERSUITES)) 2927 goto err; 2928 2929 if (!ssl_create_cipher_list(ret->method, 2930 ret->tls13_ciphersuites, 2931 &ret->cipher_list, &ret->cipher_list_by_id, 2932 SSL_DEFAULT_CIPHER_LIST, ret->cert) 2933 || sk_SSL_CIPHER_num(ret->cipher_list) <= 0) { 2934 SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_LIBRARY_HAS_NO_CIPHERS); 2935 goto err2; 2936 } 2937 2938 ret->param = X509_VERIFY_PARAM_new(); 2939 if (ret->param == NULL) 2940 goto err; 2941 2942 if ((ret->md5 = EVP_get_digestbyname("ssl3-md5")) == NULL) { 2943 SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES); 2944 goto err2; 2945 } 2946 if ((ret->sha1 = EVP_get_digestbyname("ssl3-sha1")) == NULL) { 2947 SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES); 2948 goto err2; 2949 } 2950 2951 if ((ret->ca_names = sk_X509_NAME_new_null()) == NULL) 2952 goto err; 2953 2954 if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL_CTX, ret, &ret->ex_data)) 2955 goto err; 2956 2957 if ((ret->ext.secure = OPENSSL_secure_zalloc(sizeof(*ret->ext.secure))) == NULL) 2958 goto err; 2959 2960 /* No compression for DTLS */ 2961 if (!(meth->ssl3_enc->enc_flags & SSL_ENC_FLAG_DTLS)) 2962 ret->comp_methods = SSL_COMP_get_compression_methods(); 2963 2964 ret->max_send_fragment = SSL3_RT_MAX_PLAIN_LENGTH; 2965 ret->split_send_fragment = SSL3_RT_MAX_PLAIN_LENGTH; 2966 2967 /* Setup RFC5077 ticket keys */ 2968 if ((RAND_bytes(ret->ext.tick_key_name, 2969 sizeof(ret->ext.tick_key_name)) <= 0) 2970 || (RAND_priv_bytes(ret->ext.secure->tick_hmac_key, 2971 sizeof(ret->ext.secure->tick_hmac_key)) <= 0) 2972 || (RAND_priv_bytes(ret->ext.secure->tick_aes_key, 2973 sizeof(ret->ext.secure->tick_aes_key)) <= 0)) 2974 ret->options |= SSL_OP_NO_TICKET; 2975 2976 if (RAND_priv_bytes(ret->ext.cookie_hmac_key, 2977 sizeof(ret->ext.cookie_hmac_key)) <= 0) 2978 goto err; 2979 2980 #ifndef OPENSSL_NO_SRP 2981 if (!SSL_CTX_SRP_CTX_init(ret)) 2982 goto err; 2983 #endif 2984 #ifndef OPENSSL_NO_ENGINE 2985 # ifdef OPENSSL_SSL_CLIENT_ENGINE_AUTO 2986 # define eng_strx(x) #x 2987 # define eng_str(x) eng_strx(x) 2988 /* Use specific client engine automatically... ignore errors */ 2989 { 2990 ENGINE *eng; 2991 eng = ENGINE_by_id(eng_str(OPENSSL_SSL_CLIENT_ENGINE_AUTO)); 2992 if (!eng) { 2993 ERR_clear_error(); 2994 ENGINE_load_builtin_engines(); 2995 eng = ENGINE_by_id(eng_str(OPENSSL_SSL_CLIENT_ENGINE_AUTO)); 2996 } 2997 if (!eng || !SSL_CTX_set_client_cert_engine(ret, eng)) 2998 ERR_clear_error(); 2999 } 3000 # endif 3001 #endif 3002 /* 3003 * Default is to connect to non-RI servers. When RI is more widely 3004 * deployed might change this. 3005 */ 3006 ret->options |= SSL_OP_LEGACY_SERVER_CONNECT; 3007 /* 3008 * Disable compression by default to prevent CRIME. Applications can 3009 * re-enable compression by configuring 3010 * SSL_CTX_clear_options(ctx, SSL_OP_NO_COMPRESSION); 3011 * or by using the SSL_CONF library. Similarly we also enable TLSv1.3 3012 * middlebox compatibility by default. This may be disabled by default in 3013 * a later OpenSSL version. 3014 */ 3015 ret->options |= SSL_OP_NO_COMPRESSION | SSL_OP_ENABLE_MIDDLEBOX_COMPAT; 3016 3017 ret->ext.status_type = TLSEXT_STATUSTYPE_nothing; 3018 3019 /* 3020 * We cannot usefully set a default max_early_data here (which gets 3021 * propagated in SSL_new(), for the following reason: setting the 3022 * SSL field causes tls_construct_stoc_early_data() to tell the 3023 * client that early data will be accepted when constructing a TLS 1.3 3024 * session ticket, and the client will accordingly send us early data 3025 * when using that ticket (if the client has early data to send). 3026 * However, in order for the early data to actually be consumed by 3027 * the application, the application must also have calls to 3028 * SSL_read_early_data(); otherwise we'll just skip past the early data 3029 * and ignore it. So, since the application must add calls to 3030 * SSL_read_early_data(), we also require them to add 3031 * calls to SSL_CTX_set_max_early_data() in order to use early data, 3032 * eliminating the bandwidth-wasting early data in the case described 3033 * above. 3034 */ 3035 ret->max_early_data = 0; 3036 3037 /* 3038 * Default recv_max_early_data is a fully loaded single record. Could be 3039 * split across multiple records in practice. We set this differently to 3040 * max_early_data so that, in the default case, we do not advertise any 3041 * support for early_data, but if a client were to send us some (e.g. 3042 * because of an old, stale ticket) then we will tolerate it and skip over 3043 * it. 3044 */ 3045 ret->recv_max_early_data = SSL3_RT_MAX_PLAIN_LENGTH; 3046 3047 /* By default we send two session tickets automatically in TLSv1.3 */ 3048 ret->num_tickets = 2; 3049 3050 ssl_ctx_system_config(ret); 3051 3052 return ret; 3053 err: 3054 SSLerr(SSL_F_SSL_CTX_NEW, ERR_R_MALLOC_FAILURE); 3055 err2: 3056 SSL_CTX_free(ret); 3057 return NULL; 3058 } 3059 3060 int SSL_CTX_up_ref(SSL_CTX *ctx) 3061 { 3062 int i; 3063 3064 if (CRYPTO_UP_REF(&ctx->references, &i, ctx->lock) <= 0) 3065 return 0; 3066 3067 REF_PRINT_COUNT("SSL_CTX", ctx); 3068 REF_ASSERT_ISNT(i < 2); 3069 return ((i > 1) ? 1 : 0); 3070 } 3071 3072 void SSL_CTX_free(SSL_CTX *a) 3073 { 3074 int i; 3075 3076 if (a == NULL) 3077 return; 3078 3079 CRYPTO_DOWN_REF(&a->references, &i, a->lock); 3080 REF_PRINT_COUNT("SSL_CTX", a); 3081 if (i > 0) 3082 return; 3083 REF_ASSERT_ISNT(i < 0); 3084 3085 X509_VERIFY_PARAM_free(a->param); 3086 dane_ctx_final(&a->dane); 3087 3088 /* 3089 * Free internal session cache. However: the remove_cb() may reference 3090 * the ex_data of SSL_CTX, thus the ex_data store can only be removed 3091 * after the sessions were flushed. 3092 * As the ex_data handling routines might also touch the session cache, 3093 * the most secure solution seems to be: empty (flush) the cache, then 3094 * free ex_data, then finally free the cache. 3095 * (See ticket [openssl.org #212].) 3096 */ 3097 if (a->sessions != NULL) 3098 SSL_CTX_flush_sessions(a, 0); 3099 3100 CRYPTO_free_ex_data(CRYPTO_EX_INDEX_SSL_CTX, a, &a->ex_data); 3101 lh_SSL_SESSION_free(a->sessions); 3102 X509_STORE_free(a->cert_store); 3103 #ifndef OPENSSL_NO_CT 3104 CTLOG_STORE_free(a->ctlog_store); 3105 #endif 3106 sk_SSL_CIPHER_free(a->cipher_list); 3107 sk_SSL_CIPHER_free(a->cipher_list_by_id); 3108 sk_SSL_CIPHER_free(a->tls13_ciphersuites); 3109 ssl_cert_free(a->cert); 3110 sk_X509_NAME_pop_free(a->ca_names, X509_NAME_free); 3111 sk_X509_pop_free(a->extra_certs, X509_free); 3112 a->comp_methods = NULL; 3113 #ifndef OPENSSL_NO_SRTP 3114 sk_SRTP_PROTECTION_PROFILE_free(a->srtp_profiles); 3115 #endif 3116 #ifndef OPENSSL_NO_SRP 3117 SSL_CTX_SRP_CTX_free(a); 3118 #endif 3119 #ifndef OPENSSL_NO_ENGINE 3120 ENGINE_finish(a->client_cert_engine); 3121 #endif 3122 3123 #ifndef OPENSSL_NO_EC 3124 OPENSSL_free(a->ext.ecpointformats); 3125 OPENSSL_free(a->ext.supportedgroups); 3126 #endif 3127 OPENSSL_free(a->ext.alpn); 3128 OPENSSL_secure_free(a->ext.secure); 3129 3130 CRYPTO_THREAD_lock_free(a->lock); 3131 3132 OPENSSL_free(a); 3133 } 3134 3135 void SSL_CTX_set_default_passwd_cb(SSL_CTX *ctx, pem_password_cb *cb) 3136 { 3137 ctx->default_passwd_callback = cb; 3138 } 3139 3140 void SSL_CTX_set_default_passwd_cb_userdata(SSL_CTX *ctx, void *u) 3141 { 3142 ctx->default_passwd_callback_userdata = u; 3143 } 3144 3145 pem_password_cb *SSL_CTX_get_default_passwd_cb(SSL_CTX *ctx) 3146 { 3147 return ctx->default_passwd_callback; 3148 } 3149 3150 void *SSL_CTX_get_default_passwd_cb_userdata(SSL_CTX *ctx) 3151 { 3152 return ctx->default_passwd_callback_userdata; 3153 } 3154 3155 void SSL_set_default_passwd_cb(SSL *s, pem_password_cb *cb) 3156 { 3157 s->default_passwd_callback = cb; 3158 } 3159 3160 void SSL_set_default_passwd_cb_userdata(SSL *s, void *u) 3161 { 3162 s->default_passwd_callback_userdata = u; 3163 } 3164 3165 pem_password_cb *SSL_get_default_passwd_cb(SSL *s) 3166 { 3167 return s->default_passwd_callback; 3168 } 3169 3170 void *SSL_get_default_passwd_cb_userdata(SSL *s) 3171 { 3172 return s->default_passwd_callback_userdata; 3173 } 3174 3175 void SSL_CTX_set_cert_verify_callback(SSL_CTX *ctx, 3176 int (*cb) (X509_STORE_CTX *, void *), 3177 void *arg) 3178 { 3179 ctx->app_verify_callback = cb; 3180 ctx->app_verify_arg = arg; 3181 } 3182 3183 void SSL_CTX_set_verify(SSL_CTX *ctx, int mode, 3184 int (*cb) (int, X509_STORE_CTX *)) 3185 { 3186 ctx->verify_mode = mode; 3187 ctx->default_verify_callback = cb; 3188 } 3189 3190 void SSL_CTX_set_verify_depth(SSL_CTX *ctx, int depth) 3191 { 3192 X509_VERIFY_PARAM_set_depth(ctx->param, depth); 3193 } 3194 3195 void SSL_CTX_set_cert_cb(SSL_CTX *c, int (*cb) (SSL *ssl, void *arg), void *arg) 3196 { 3197 ssl_cert_set_cert_cb(c->cert, cb, arg); 3198 } 3199 3200 void SSL_set_cert_cb(SSL *s, int (*cb) (SSL *ssl, void *arg), void *arg) 3201 { 3202 ssl_cert_set_cert_cb(s->cert, cb, arg); 3203 } 3204 3205 void ssl_set_masks(SSL *s) 3206 { 3207 CERT *c = s->cert; 3208 uint32_t *pvalid = s->s3->tmp.valid_flags; 3209 int rsa_enc, rsa_sign, dh_tmp, dsa_sign; 3210 unsigned long mask_k, mask_a; 3211 #ifndef OPENSSL_NO_EC 3212 int have_ecc_cert, ecdsa_ok; 3213 #endif 3214 if (c == NULL) 3215 return; 3216 3217 #ifndef OPENSSL_NO_DH 3218 dh_tmp = (c->dh_tmp != NULL || c->dh_tmp_cb != NULL || c->dh_tmp_auto); 3219 #else 3220 dh_tmp = 0; 3221 #endif 3222 3223 rsa_enc = pvalid[SSL_PKEY_RSA] & CERT_PKEY_VALID; 3224 rsa_sign = pvalid[SSL_PKEY_RSA] & CERT_PKEY_VALID; 3225 dsa_sign = pvalid[SSL_PKEY_DSA_SIGN] & CERT_PKEY_VALID; 3226 #ifndef OPENSSL_NO_EC 3227 have_ecc_cert = pvalid[SSL_PKEY_ECC] & CERT_PKEY_VALID; 3228 #endif 3229 mask_k = 0; 3230 mask_a = 0; 3231 3232 #ifdef CIPHER_DEBUG 3233 fprintf(stderr, "dht=%d re=%d rs=%d ds=%d\n", 3234 dh_tmp, rsa_enc, rsa_sign, dsa_sign); 3235 #endif 3236 3237 #ifndef OPENSSL_NO_GOST 3238 if (ssl_has_cert(s, SSL_PKEY_GOST12_512)) { 3239 mask_k |= SSL_kGOST; 3240 mask_a |= SSL_aGOST12; 3241 } 3242 if (ssl_has_cert(s, SSL_PKEY_GOST12_256)) { 3243 mask_k |= SSL_kGOST; 3244 mask_a |= SSL_aGOST12; 3245 } 3246 if (ssl_has_cert(s, SSL_PKEY_GOST01)) { 3247 mask_k |= SSL_kGOST; 3248 mask_a |= SSL_aGOST01; 3249 } 3250 #endif 3251 3252 if (rsa_enc) 3253 mask_k |= SSL_kRSA; 3254 3255 if (dh_tmp) 3256 mask_k |= SSL_kDHE; 3257 3258 /* 3259 * If we only have an RSA-PSS certificate allow RSA authentication 3260 * if TLS 1.2 and peer supports it. 3261 */ 3262 3263 if (rsa_enc || rsa_sign || (ssl_has_cert(s, SSL_PKEY_RSA_PSS_SIGN) 3264 && pvalid[SSL_PKEY_RSA_PSS_SIGN] & CERT_PKEY_EXPLICIT_SIGN 3265 && TLS1_get_version(s) == TLS1_2_VERSION)) 3266 mask_a |= SSL_aRSA; 3267 3268 if (dsa_sign) { 3269 mask_a |= SSL_aDSS; 3270 } 3271 3272 mask_a |= SSL_aNULL; 3273 3274 /* 3275 * An ECC certificate may be usable for ECDH and/or ECDSA cipher suites 3276 * depending on the key usage extension. 3277 */ 3278 #ifndef OPENSSL_NO_EC 3279 if (have_ecc_cert) { 3280 uint32_t ex_kusage; 3281 ex_kusage = X509_get_key_usage(c->pkeys[SSL_PKEY_ECC].x509); 3282 ecdsa_ok = ex_kusage & X509v3_KU_DIGITAL_SIGNATURE; 3283 if (!(pvalid[SSL_PKEY_ECC] & CERT_PKEY_SIGN)) 3284 ecdsa_ok = 0; 3285 if (ecdsa_ok) 3286 mask_a |= SSL_aECDSA; 3287 } 3288 /* Allow Ed25519 for TLS 1.2 if peer supports it */ 3289 if (!(mask_a & SSL_aECDSA) && ssl_has_cert(s, SSL_PKEY_ED25519) 3290 && pvalid[SSL_PKEY_ED25519] & CERT_PKEY_EXPLICIT_SIGN 3291 && TLS1_get_version(s) == TLS1_2_VERSION) 3292 mask_a |= SSL_aECDSA; 3293 3294 /* Allow Ed448 for TLS 1.2 if peer supports it */ 3295 if (!(mask_a & SSL_aECDSA) && ssl_has_cert(s, SSL_PKEY_ED448) 3296 && pvalid[SSL_PKEY_ED448] & CERT_PKEY_EXPLICIT_SIGN 3297 && TLS1_get_version(s) == TLS1_2_VERSION) 3298 mask_a |= SSL_aECDSA; 3299 #endif 3300 3301 #ifndef OPENSSL_NO_EC 3302 mask_k |= SSL_kECDHE; 3303 #endif 3304 3305 #ifndef OPENSSL_NO_PSK 3306 mask_k |= SSL_kPSK; 3307 mask_a |= SSL_aPSK; 3308 if (mask_k & SSL_kRSA) 3309 mask_k |= SSL_kRSAPSK; 3310 if (mask_k & SSL_kDHE) 3311 mask_k |= SSL_kDHEPSK; 3312 if (mask_k & SSL_kECDHE) 3313 mask_k |= SSL_kECDHEPSK; 3314 #endif 3315 3316 s->s3->tmp.mask_k = mask_k; 3317 s->s3->tmp.mask_a = mask_a; 3318 } 3319 3320 #ifndef OPENSSL_NO_EC 3321 3322 int ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s) 3323 { 3324 if (s->s3->tmp.new_cipher->algorithm_auth & SSL_aECDSA) { 3325 /* key usage, if present, must allow signing */ 3326 if (!(X509_get_key_usage(x) & X509v3_KU_DIGITAL_SIGNATURE)) { 3327 SSLerr(SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG, 3328 SSL_R_ECC_CERT_NOT_FOR_SIGNING); 3329 return 0; 3330 } 3331 } 3332 return 1; /* all checks are ok */ 3333 } 3334 3335 #endif 3336 3337 int ssl_get_server_cert_serverinfo(SSL *s, const unsigned char **serverinfo, 3338 size_t *serverinfo_length) 3339 { 3340 CERT_PKEY *cpk = s->s3->tmp.cert; 3341 *serverinfo_length = 0; 3342 3343 if (cpk == NULL || cpk->serverinfo == NULL) 3344 return 0; 3345 3346 *serverinfo = cpk->serverinfo; 3347 *serverinfo_length = cpk->serverinfo_length; 3348 return 1; 3349 } 3350 3351 void ssl_update_cache(SSL *s, int mode) 3352 { 3353 int i; 3354 3355 /* 3356 * If the session_id_length is 0, we are not supposed to cache it, and it 3357 * would be rather hard to do anyway :-) 3358 */ 3359 if (s->session->session_id_length == 0) 3360 return; 3361 3362 /* 3363 * If sid_ctx_length is 0 there is no specific application context 3364 * associated with this session, so when we try to resume it and 3365 * SSL_VERIFY_PEER is requested to verify the client identity, we have no 3366 * indication that this is actually a session for the proper application 3367 * context, and the *handshake* will fail, not just the resumption attempt. 3368 * Do not cache (on the server) these sessions that are not resumable 3369 * (clients can set SSL_VERIFY_PEER without needing a sid_ctx set). 3370 */ 3371 if (s->server && s->session->sid_ctx_length == 0 3372 && (s->verify_mode & SSL_VERIFY_PEER) != 0) 3373 return; 3374 3375 i = s->session_ctx->session_cache_mode; 3376 if ((i & mode) != 0 3377 && (!s->hit || SSL_IS_TLS13(s))) { 3378 /* 3379 * Add the session to the internal cache. In server side TLSv1.3 we 3380 * normally don't do this because by default it's a full stateless ticket 3381 * with only a dummy session id so there is no reason to cache it, 3382 * unless: 3383 * - we are doing early_data, in which case we cache so that we can 3384 * detect replays 3385 * - the application has set a remove_session_cb so needs to know about 3386 * session timeout events 3387 * - SSL_OP_NO_TICKET is set in which case it is a stateful ticket 3388 */ 3389 if ((i & SSL_SESS_CACHE_NO_INTERNAL_STORE) == 0 3390 && (!SSL_IS_TLS13(s) 3391 || !s->server 3392 || (s->max_early_data > 0 3393 && (s->options & SSL_OP_NO_ANTI_REPLAY) == 0) 3394 || s->session_ctx->remove_session_cb != NULL 3395 || (s->options & SSL_OP_NO_TICKET) != 0)) 3396 SSL_CTX_add_session(s->session_ctx, s->session); 3397 3398 /* 3399 * Add the session to the external cache. We do this even in server side 3400 * TLSv1.3 without early data because some applications just want to 3401 * know about the creation of a session and aren't doing a full cache. 3402 */ 3403 if (s->session_ctx->new_session_cb != NULL) { 3404 SSL_SESSION_up_ref(s->session); 3405 if (!s->session_ctx->new_session_cb(s, s->session)) 3406 SSL_SESSION_free(s->session); 3407 } 3408 } 3409 3410 /* auto flush every 255 connections */ 3411 if ((!(i & SSL_SESS_CACHE_NO_AUTO_CLEAR)) && ((i & mode) == mode)) { 3412 TSAN_QUALIFIER int *stat; 3413 if (mode & SSL_SESS_CACHE_CLIENT) 3414 stat = &s->session_ctx->stats.sess_connect_good; 3415 else 3416 stat = &s->session_ctx->stats.sess_accept_good; 3417 if ((tsan_load(stat) & 0xff) == 0xff) 3418 SSL_CTX_flush_sessions(s->session_ctx, (unsigned long)time(NULL)); 3419 } 3420 } 3421 3422 const SSL_METHOD *SSL_CTX_get_ssl_method(SSL_CTX *ctx) 3423 { 3424 return ctx->method; 3425 } 3426 3427 const SSL_METHOD *SSL_get_ssl_method(SSL *s) 3428 { 3429 return s->method; 3430 } 3431 3432 int SSL_set_ssl_method(SSL *s, const SSL_METHOD *meth) 3433 { 3434 int ret = 1; 3435 3436 if (s->method != meth) { 3437 const SSL_METHOD *sm = s->method; 3438 int (*hf) (SSL *) = s->handshake_func; 3439 3440 if (sm->version == meth->version) 3441 s->method = meth; 3442 else { 3443 sm->ssl_free(s); 3444 s->method = meth; 3445 ret = s->method->ssl_new(s); 3446 } 3447 3448 if (hf == sm->ssl_connect) 3449 s->handshake_func = meth->ssl_connect; 3450 else if (hf == sm->ssl_accept) 3451 s->handshake_func = meth->ssl_accept; 3452 } 3453 return ret; 3454 } 3455 3456 int SSL_get_error(const SSL *s, int i) 3457 { 3458 int reason; 3459 unsigned long l; 3460 BIO *bio; 3461 3462 if (i > 0) 3463 return SSL_ERROR_NONE; 3464 3465 /* 3466 * Make things return SSL_ERROR_SYSCALL when doing SSL_do_handshake etc, 3467 * where we do encode the error 3468 */ 3469 if ((l = ERR_peek_error()) != 0) { 3470 if (ERR_GET_LIB(l) == ERR_LIB_SYS) 3471 return SSL_ERROR_SYSCALL; 3472 else 3473 return SSL_ERROR_SSL; 3474 } 3475 3476 if (SSL_want_read(s)) { 3477 bio = SSL_get_rbio(s); 3478 if (BIO_should_read(bio)) 3479 return SSL_ERROR_WANT_READ; 3480 else if (BIO_should_write(bio)) 3481 /* 3482 * This one doesn't make too much sense ... We never try to write 3483 * to the rbio, and an application program where rbio and wbio 3484 * are separate couldn't even know what it should wait for. 3485 * However if we ever set s->rwstate incorrectly (so that we have 3486 * SSL_want_read(s) instead of SSL_want_write(s)) and rbio and 3487 * wbio *are* the same, this test works around that bug; so it 3488 * might be safer to keep it. 3489 */ 3490 return SSL_ERROR_WANT_WRITE; 3491 else if (BIO_should_io_special(bio)) { 3492 reason = BIO_get_retry_reason(bio); 3493 if (reason == BIO_RR_CONNECT) 3494 return SSL_ERROR_WANT_CONNECT; 3495 else if (reason == BIO_RR_ACCEPT) 3496 return SSL_ERROR_WANT_ACCEPT; 3497 else 3498 return SSL_ERROR_SYSCALL; /* unknown */ 3499 } 3500 } 3501 3502 if (SSL_want_write(s)) { 3503 /* Access wbio directly - in order to use the buffered bio if present */ 3504 bio = s->wbio; 3505 if (BIO_should_write(bio)) 3506 return SSL_ERROR_WANT_WRITE; 3507 else if (BIO_should_read(bio)) 3508 /* 3509 * See above (SSL_want_read(s) with BIO_should_write(bio)) 3510 */ 3511 return SSL_ERROR_WANT_READ; 3512 else if (BIO_should_io_special(bio)) { 3513 reason = BIO_get_retry_reason(bio); 3514 if (reason == BIO_RR_CONNECT) 3515 return SSL_ERROR_WANT_CONNECT; 3516 else if (reason == BIO_RR_ACCEPT) 3517 return SSL_ERROR_WANT_ACCEPT; 3518 else 3519 return SSL_ERROR_SYSCALL; 3520 } 3521 } 3522 if (SSL_want_x509_lookup(s)) 3523 return SSL_ERROR_WANT_X509_LOOKUP; 3524 if (SSL_want_async(s)) 3525 return SSL_ERROR_WANT_ASYNC; 3526 if (SSL_want_async_job(s)) 3527 return SSL_ERROR_WANT_ASYNC_JOB; 3528 if (SSL_want_client_hello_cb(s)) 3529 return SSL_ERROR_WANT_CLIENT_HELLO_CB; 3530 3531 if ((s->shutdown & SSL_RECEIVED_SHUTDOWN) && 3532 (s->s3->warn_alert == SSL_AD_CLOSE_NOTIFY)) 3533 return SSL_ERROR_ZERO_RETURN; 3534 3535 return SSL_ERROR_SYSCALL; 3536 } 3537 3538 static int ssl_do_handshake_intern(void *vargs) 3539 { 3540 struct ssl_async_args *args; 3541 SSL *s; 3542 3543 args = (struct ssl_async_args *)vargs; 3544 s = args->s; 3545 3546 return s->handshake_func(s); 3547 } 3548 3549 int SSL_do_handshake(SSL *s) 3550 { 3551 int ret = 1; 3552 3553 if (s->handshake_func == NULL) { 3554 SSLerr(SSL_F_SSL_DO_HANDSHAKE, SSL_R_CONNECTION_TYPE_NOT_SET); 3555 return -1; 3556 } 3557 3558 ossl_statem_check_finish_init(s, -1); 3559 3560 s->method->ssl_renegotiate_check(s, 0); 3561 3562 if (SSL_in_init(s) || SSL_in_before(s)) { 3563 if ((s->mode & SSL_MODE_ASYNC) && ASYNC_get_current_job() == NULL) { 3564 struct ssl_async_args args; 3565 3566 args.s = s; 3567 3568 ret = ssl_start_async_job(s, &args, ssl_do_handshake_intern); 3569 } else { 3570 ret = s->handshake_func(s); 3571 } 3572 } 3573 return ret; 3574 } 3575 3576 void SSL_set_accept_state(SSL *s) 3577 { 3578 s->server = 1; 3579 s->shutdown = 0; 3580 ossl_statem_clear(s); 3581 s->handshake_func = s->method->ssl_accept; 3582 clear_ciphers(s); 3583 } 3584 3585 void SSL_set_connect_state(SSL *s) 3586 { 3587 s->server = 0; 3588 s->shutdown = 0; 3589 ossl_statem_clear(s); 3590 s->handshake_func = s->method->ssl_connect; 3591 clear_ciphers(s); 3592 } 3593 3594 int ssl_undefined_function(SSL *s) 3595 { 3596 SSLerr(SSL_F_SSL_UNDEFINED_FUNCTION, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 3597 return 0; 3598 } 3599 3600 int ssl_undefined_void_function(void) 3601 { 3602 SSLerr(SSL_F_SSL_UNDEFINED_VOID_FUNCTION, 3603 ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 3604 return 0; 3605 } 3606 3607 int ssl_undefined_const_function(const SSL *s) 3608 { 3609 return 0; 3610 } 3611 3612 const SSL_METHOD *ssl_bad_method(int ver) 3613 { 3614 SSLerr(SSL_F_SSL_BAD_METHOD, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 3615 return NULL; 3616 } 3617 3618 const char *ssl_protocol_to_string(int version) 3619 { 3620 switch(version) 3621 { 3622 case TLS1_3_VERSION: 3623 return "TLSv1.3"; 3624 3625 case TLS1_2_VERSION: 3626 return "TLSv1.2"; 3627 3628 case TLS1_1_VERSION: 3629 return "TLSv1.1"; 3630 3631 case TLS1_VERSION: 3632 return "TLSv1"; 3633 3634 case SSL3_VERSION: 3635 return "SSLv3"; 3636 3637 case DTLS1_BAD_VER: 3638 return "DTLSv0.9"; 3639 3640 case DTLS1_VERSION: 3641 return "DTLSv1"; 3642 3643 case DTLS1_2_VERSION: 3644 return "DTLSv1.2"; 3645 3646 default: 3647 return "unknown"; 3648 } 3649 } 3650 3651 const char *SSL_get_version(const SSL *s) 3652 { 3653 return ssl_protocol_to_string(s->version); 3654 } 3655 3656 SSL *SSL_dup(SSL *s) 3657 { 3658 STACK_OF(X509_NAME) *sk; 3659 X509_NAME *xn; 3660 SSL *ret; 3661 int i; 3662 3663 /* If we're not quiescent, just up_ref! */ 3664 if (!SSL_in_init(s) || !SSL_in_before(s)) { 3665 CRYPTO_UP_REF(&s->references, &i, s->lock); 3666 return s; 3667 } 3668 3669 /* 3670 * Otherwise, copy configuration state, and session if set. 3671 */ 3672 if ((ret = SSL_new(SSL_get_SSL_CTX(s))) == NULL) 3673 return NULL; 3674 3675 if (s->session != NULL) { 3676 /* 3677 * Arranges to share the same session via up_ref. This "copies" 3678 * session-id, SSL_METHOD, sid_ctx, and 'cert' 3679 */ 3680 if (!SSL_copy_session_id(ret, s)) 3681 goto err; 3682 } else { 3683 /* 3684 * No session has been established yet, so we have to expect that 3685 * s->cert or ret->cert will be changed later -- they should not both 3686 * point to the same object, and thus we can't use 3687 * SSL_copy_session_id. 3688 */ 3689 if (!SSL_set_ssl_method(ret, s->method)) 3690 goto err; 3691 3692 if (s->cert != NULL) { 3693 ssl_cert_free(ret->cert); 3694 ret->cert = ssl_cert_dup(s->cert); 3695 if (ret->cert == NULL) 3696 goto err; 3697 } 3698 3699 if (!SSL_set_session_id_context(ret, s->sid_ctx, 3700 (int)s->sid_ctx_length)) 3701 goto err; 3702 } 3703 3704 if (!ssl_dane_dup(ret, s)) 3705 goto err; 3706 ret->version = s->version; 3707 ret->options = s->options; 3708 ret->mode = s->mode; 3709 SSL_set_max_cert_list(ret, SSL_get_max_cert_list(s)); 3710 SSL_set_read_ahead(ret, SSL_get_read_ahead(s)); 3711 ret->msg_callback = s->msg_callback; 3712 ret->msg_callback_arg = s->msg_callback_arg; 3713 SSL_set_verify(ret, SSL_get_verify_mode(s), SSL_get_verify_callback(s)); 3714 SSL_set_verify_depth(ret, SSL_get_verify_depth(s)); 3715 ret->generate_session_id = s->generate_session_id; 3716 3717 SSL_set_info_callback(ret, SSL_get_info_callback(s)); 3718 3719 /* copy app data, a little dangerous perhaps */ 3720 if (!CRYPTO_dup_ex_data(CRYPTO_EX_INDEX_SSL, &ret->ex_data, &s->ex_data)) 3721 goto err; 3722 3723 /* setup rbio, and wbio */ 3724 if (s->rbio != NULL) { 3725 if (!BIO_dup_state(s->rbio, (char *)&ret->rbio)) 3726 goto err; 3727 } 3728 if (s->wbio != NULL) { 3729 if (s->wbio != s->rbio) { 3730 if (!BIO_dup_state(s->wbio, (char *)&ret->wbio)) 3731 goto err; 3732 } else { 3733 BIO_up_ref(ret->rbio); 3734 ret->wbio = ret->rbio; 3735 } 3736 } 3737 3738 ret->server = s->server; 3739 if (s->handshake_func) { 3740 if (s->server) 3741 SSL_set_accept_state(ret); 3742 else 3743 SSL_set_connect_state(ret); 3744 } 3745 ret->shutdown = s->shutdown; 3746 ret->hit = s->hit; 3747 3748 ret->default_passwd_callback = s->default_passwd_callback; 3749 ret->default_passwd_callback_userdata = s->default_passwd_callback_userdata; 3750 3751 X509_VERIFY_PARAM_inherit(ret->param, s->param); 3752 3753 /* dup the cipher_list and cipher_list_by_id stacks */ 3754 if (s->cipher_list != NULL) { 3755 if ((ret->cipher_list = sk_SSL_CIPHER_dup(s->cipher_list)) == NULL) 3756 goto err; 3757 } 3758 if (s->cipher_list_by_id != NULL) 3759 if ((ret->cipher_list_by_id = sk_SSL_CIPHER_dup(s->cipher_list_by_id)) 3760 == NULL) 3761 goto err; 3762 3763 /* Dup the client_CA list */ 3764 if (s->ca_names != NULL) { 3765 if ((sk = sk_X509_NAME_dup(s->ca_names)) == NULL) 3766 goto err; 3767 ret->ca_names = sk; 3768 for (i = 0; i < sk_X509_NAME_num(sk); i++) { 3769 xn = sk_X509_NAME_value(sk, i); 3770 if (sk_X509_NAME_set(sk, i, X509_NAME_dup(xn)) == NULL) { 3771 X509_NAME_free(xn); 3772 goto err; 3773 } 3774 } 3775 } 3776 return ret; 3777 3778 err: 3779 SSL_free(ret); 3780 return NULL; 3781 } 3782 3783 void ssl_clear_cipher_ctx(SSL *s) 3784 { 3785 if (s->enc_read_ctx != NULL) { 3786 EVP_CIPHER_CTX_free(s->enc_read_ctx); 3787 s->enc_read_ctx = NULL; 3788 } 3789 if (s->enc_write_ctx != NULL) { 3790 EVP_CIPHER_CTX_free(s->enc_write_ctx); 3791 s->enc_write_ctx = NULL; 3792 } 3793 #ifndef OPENSSL_NO_COMP 3794 COMP_CTX_free(s->expand); 3795 s->expand = NULL; 3796 COMP_CTX_free(s->compress); 3797 s->compress = NULL; 3798 #endif 3799 } 3800 3801 X509 *SSL_get_certificate(const SSL *s) 3802 { 3803 if (s->cert != NULL) 3804 return s->cert->key->x509; 3805 else 3806 return NULL; 3807 } 3808 3809 EVP_PKEY *SSL_get_privatekey(const SSL *s) 3810 { 3811 if (s->cert != NULL) 3812 return s->cert->key->privatekey; 3813 else 3814 return NULL; 3815 } 3816 3817 X509 *SSL_CTX_get0_certificate(const SSL_CTX *ctx) 3818 { 3819 if (ctx->cert != NULL) 3820 return ctx->cert->key->x509; 3821 else 3822 return NULL; 3823 } 3824 3825 EVP_PKEY *SSL_CTX_get0_privatekey(const SSL_CTX *ctx) 3826 { 3827 if (ctx->cert != NULL) 3828 return ctx->cert->key->privatekey; 3829 else 3830 return NULL; 3831 } 3832 3833 const SSL_CIPHER *SSL_get_current_cipher(const SSL *s) 3834 { 3835 if ((s->session != NULL) && (s->session->cipher != NULL)) 3836 return s->session->cipher; 3837 return NULL; 3838 } 3839 3840 const SSL_CIPHER *SSL_get_pending_cipher(const SSL *s) 3841 { 3842 return s->s3->tmp.new_cipher; 3843 } 3844 3845 const COMP_METHOD *SSL_get_current_compression(SSL *s) 3846 { 3847 #ifndef OPENSSL_NO_COMP 3848 return s->compress ? COMP_CTX_get_method(s->compress) : NULL; 3849 #else 3850 return NULL; 3851 #endif 3852 } 3853 3854 const COMP_METHOD *SSL_get_current_expansion(SSL *s) 3855 { 3856 #ifndef OPENSSL_NO_COMP 3857 return s->expand ? COMP_CTX_get_method(s->expand) : NULL; 3858 #else 3859 return NULL; 3860 #endif 3861 } 3862 3863 int ssl_init_wbio_buffer(SSL *s) 3864 { 3865 BIO *bbio; 3866 3867 if (s->bbio != NULL) { 3868 /* Already buffered. */ 3869 return 1; 3870 } 3871 3872 bbio = BIO_new(BIO_f_buffer()); 3873 if (bbio == NULL || !BIO_set_read_buffer_size(bbio, 1)) { 3874 BIO_free(bbio); 3875 SSLerr(SSL_F_SSL_INIT_WBIO_BUFFER, ERR_R_BUF_LIB); 3876 return 0; 3877 } 3878 s->bbio = bbio; 3879 s->wbio = BIO_push(bbio, s->wbio); 3880 3881 return 1; 3882 } 3883 3884 int ssl_free_wbio_buffer(SSL *s) 3885 { 3886 /* callers ensure s is never null */ 3887 if (s->bbio == NULL) 3888 return 1; 3889 3890 s->wbio = BIO_pop(s->wbio); 3891 BIO_free(s->bbio); 3892 s->bbio = NULL; 3893 3894 return 1; 3895 } 3896 3897 void SSL_CTX_set_quiet_shutdown(SSL_CTX *ctx, int mode) 3898 { 3899 ctx->quiet_shutdown = mode; 3900 } 3901 3902 int SSL_CTX_get_quiet_shutdown(const SSL_CTX *ctx) 3903 { 3904 return ctx->quiet_shutdown; 3905 } 3906 3907 void SSL_set_quiet_shutdown(SSL *s, int mode) 3908 { 3909 s->quiet_shutdown = mode; 3910 } 3911 3912 int SSL_get_quiet_shutdown(const SSL *s) 3913 { 3914 return s->quiet_shutdown; 3915 } 3916 3917 void SSL_set_shutdown(SSL *s, int mode) 3918 { 3919 s->shutdown = mode; 3920 } 3921 3922 int SSL_get_shutdown(const SSL *s) 3923 { 3924 return s->shutdown; 3925 } 3926 3927 int SSL_version(const SSL *s) 3928 { 3929 return s->version; 3930 } 3931 3932 int SSL_client_version(const SSL *s) 3933 { 3934 return s->client_version; 3935 } 3936 3937 SSL_CTX *SSL_get_SSL_CTX(const SSL *ssl) 3938 { 3939 return ssl->ctx; 3940 } 3941 3942 SSL_CTX *SSL_set_SSL_CTX(SSL *ssl, SSL_CTX *ctx) 3943 { 3944 CERT *new_cert; 3945 if (ssl->ctx == ctx) 3946 return ssl->ctx; 3947 if (ctx == NULL) 3948 ctx = ssl->session_ctx; 3949 new_cert = ssl_cert_dup(ctx->cert); 3950 if (new_cert == NULL) { 3951 return NULL; 3952 } 3953 3954 if (!custom_exts_copy_flags(&new_cert->custext, &ssl->cert->custext)) { 3955 ssl_cert_free(new_cert); 3956 return NULL; 3957 } 3958 3959 ssl_cert_free(ssl->cert); 3960 ssl->cert = new_cert; 3961 3962 /* 3963 * Program invariant: |sid_ctx| has fixed size (SSL_MAX_SID_CTX_LENGTH), 3964 * so setter APIs must prevent invalid lengths from entering the system. 3965 */ 3966 if (!ossl_assert(ssl->sid_ctx_length <= sizeof(ssl->sid_ctx))) 3967 return NULL; 3968 3969 /* 3970 * If the session ID context matches that of the parent SSL_CTX, 3971 * inherit it from the new SSL_CTX as well. If however the context does 3972 * not match (i.e., it was set per-ssl with SSL_set_session_id_context), 3973 * leave it unchanged. 3974 */ 3975 if ((ssl->ctx != NULL) && 3976 (ssl->sid_ctx_length == ssl->ctx->sid_ctx_length) && 3977 (memcmp(ssl->sid_ctx, ssl->ctx->sid_ctx, ssl->sid_ctx_length) == 0)) { 3978 ssl->sid_ctx_length = ctx->sid_ctx_length; 3979 memcpy(&ssl->sid_ctx, &ctx->sid_ctx, sizeof(ssl->sid_ctx)); 3980 } 3981 3982 SSL_CTX_up_ref(ctx); 3983 SSL_CTX_free(ssl->ctx); /* decrement reference count */ 3984 ssl->ctx = ctx; 3985 3986 return ssl->ctx; 3987 } 3988 3989 int SSL_CTX_set_default_verify_paths(SSL_CTX *ctx) 3990 { 3991 return X509_STORE_set_default_paths(ctx->cert_store); 3992 } 3993 3994 int SSL_CTX_set_default_verify_dir(SSL_CTX *ctx) 3995 { 3996 X509_LOOKUP *lookup; 3997 3998 lookup = X509_STORE_add_lookup(ctx->cert_store, X509_LOOKUP_hash_dir()); 3999 if (lookup == NULL) 4000 return 0; 4001 X509_LOOKUP_add_dir(lookup, NULL, X509_FILETYPE_DEFAULT); 4002 4003 /* Clear any errors if the default directory does not exist */ 4004 ERR_clear_error(); 4005 4006 return 1; 4007 } 4008 4009 int SSL_CTX_set_default_verify_file(SSL_CTX *ctx) 4010 { 4011 X509_LOOKUP *lookup; 4012 4013 lookup = X509_STORE_add_lookup(ctx->cert_store, X509_LOOKUP_file()); 4014 if (lookup == NULL) 4015 return 0; 4016 4017 X509_LOOKUP_load_file(lookup, NULL, X509_FILETYPE_DEFAULT); 4018 4019 /* Clear any errors if the default file does not exist */ 4020 ERR_clear_error(); 4021 4022 return 1; 4023 } 4024 4025 int SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile, 4026 const char *CApath) 4027 { 4028 return X509_STORE_load_locations(ctx->cert_store, CAfile, CApath); 4029 } 4030 4031 void SSL_set_info_callback(SSL *ssl, 4032 void (*cb) (const SSL *ssl, int type, int val)) 4033 { 4034 ssl->info_callback = cb; 4035 } 4036 4037 /* 4038 * One compiler (Diab DCC) doesn't like argument names in returned function 4039 * pointer. 4040 */ 4041 void (*SSL_get_info_callback(const SSL *ssl)) (const SSL * /* ssl */ , 4042 int /* type */ , 4043 int /* val */ ) { 4044 return ssl->info_callback; 4045 } 4046 4047 void SSL_set_verify_result(SSL *ssl, long arg) 4048 { 4049 ssl->verify_result = arg; 4050 } 4051 4052 long SSL_get_verify_result(const SSL *ssl) 4053 { 4054 return ssl->verify_result; 4055 } 4056 4057 size_t SSL_get_client_random(const SSL *ssl, unsigned char *out, size_t outlen) 4058 { 4059 if (outlen == 0) 4060 return sizeof(ssl->s3->client_random); 4061 if (outlen > sizeof(ssl->s3->client_random)) 4062 outlen = sizeof(ssl->s3->client_random); 4063 memcpy(out, ssl->s3->client_random, outlen); 4064 return outlen; 4065 } 4066 4067 size_t SSL_get_server_random(const SSL *ssl, unsigned char *out, size_t outlen) 4068 { 4069 if (outlen == 0) 4070 return sizeof(ssl->s3->server_random); 4071 if (outlen > sizeof(ssl->s3->server_random)) 4072 outlen = sizeof(ssl->s3->server_random); 4073 memcpy(out, ssl->s3->server_random, outlen); 4074 return outlen; 4075 } 4076 4077 size_t SSL_SESSION_get_master_key(const SSL_SESSION *session, 4078 unsigned char *out, size_t outlen) 4079 { 4080 if (outlen == 0) 4081 return session->master_key_length; 4082 if (outlen > session->master_key_length) 4083 outlen = session->master_key_length; 4084 memcpy(out, session->master_key, outlen); 4085 return outlen; 4086 } 4087 4088 int SSL_SESSION_set1_master_key(SSL_SESSION *sess, const unsigned char *in, 4089 size_t len) 4090 { 4091 if (len > sizeof(sess->master_key)) 4092 return 0; 4093 4094 memcpy(sess->master_key, in, len); 4095 sess->master_key_length = len; 4096 return 1; 4097 } 4098 4099 4100 int SSL_set_ex_data(SSL *s, int idx, void *arg) 4101 { 4102 return CRYPTO_set_ex_data(&s->ex_data, idx, arg); 4103 } 4104 4105 void *SSL_get_ex_data(const SSL *s, int idx) 4106 { 4107 return CRYPTO_get_ex_data(&s->ex_data, idx); 4108 } 4109 4110 int SSL_CTX_set_ex_data(SSL_CTX *s, int idx, void *arg) 4111 { 4112 return CRYPTO_set_ex_data(&s->ex_data, idx, arg); 4113 } 4114 4115 void *SSL_CTX_get_ex_data(const SSL_CTX *s, int idx) 4116 { 4117 return CRYPTO_get_ex_data(&s->ex_data, idx); 4118 } 4119 4120 X509_STORE *SSL_CTX_get_cert_store(const SSL_CTX *ctx) 4121 { 4122 return ctx->cert_store; 4123 } 4124 4125 void SSL_CTX_set_cert_store(SSL_CTX *ctx, X509_STORE *store) 4126 { 4127 X509_STORE_free(ctx->cert_store); 4128 ctx->cert_store = store; 4129 } 4130 4131 void SSL_CTX_set1_cert_store(SSL_CTX *ctx, X509_STORE *store) 4132 { 4133 if (store != NULL) 4134 X509_STORE_up_ref(store); 4135 SSL_CTX_set_cert_store(ctx, store); 4136 } 4137 4138 int SSL_want(const SSL *s) 4139 { 4140 return s->rwstate; 4141 } 4142 4143 /** 4144 * \brief Set the callback for generating temporary DH keys. 4145 * \param ctx the SSL context. 4146 * \param dh the callback 4147 */ 4148 4149 #ifndef OPENSSL_NO_DH 4150 void SSL_CTX_set_tmp_dh_callback(SSL_CTX *ctx, 4151 DH *(*dh) (SSL *ssl, int is_export, 4152 int keylength)) 4153 { 4154 SSL_CTX_callback_ctrl(ctx, SSL_CTRL_SET_TMP_DH_CB, (void (*)(void))dh); 4155 } 4156 4157 void SSL_set_tmp_dh_callback(SSL *ssl, DH *(*dh) (SSL *ssl, int is_export, 4158 int keylength)) 4159 { 4160 SSL_callback_ctrl(ssl, SSL_CTRL_SET_TMP_DH_CB, (void (*)(void))dh); 4161 } 4162 #endif 4163 4164 #ifndef OPENSSL_NO_PSK 4165 int SSL_CTX_use_psk_identity_hint(SSL_CTX *ctx, const char *identity_hint) 4166 { 4167 if (identity_hint != NULL && strlen(identity_hint) > PSK_MAX_IDENTITY_LEN) { 4168 SSLerr(SSL_F_SSL_CTX_USE_PSK_IDENTITY_HINT, SSL_R_DATA_LENGTH_TOO_LONG); 4169 return 0; 4170 } 4171 OPENSSL_free(ctx->cert->psk_identity_hint); 4172 if (identity_hint != NULL) { 4173 ctx->cert->psk_identity_hint = OPENSSL_strdup(identity_hint); 4174 if (ctx->cert->psk_identity_hint == NULL) 4175 return 0; 4176 } else 4177 ctx->cert->psk_identity_hint = NULL; 4178 return 1; 4179 } 4180 4181 int SSL_use_psk_identity_hint(SSL *s, const char *identity_hint) 4182 { 4183 if (s == NULL) 4184 return 0; 4185 4186 if (identity_hint != NULL && strlen(identity_hint) > PSK_MAX_IDENTITY_LEN) { 4187 SSLerr(SSL_F_SSL_USE_PSK_IDENTITY_HINT, SSL_R_DATA_LENGTH_TOO_LONG); 4188 return 0; 4189 } 4190 OPENSSL_free(s->cert->psk_identity_hint); 4191 if (identity_hint != NULL) { 4192 s->cert->psk_identity_hint = OPENSSL_strdup(identity_hint); 4193 if (s->cert->psk_identity_hint == NULL) 4194 return 0; 4195 } else 4196 s->cert->psk_identity_hint = NULL; 4197 return 1; 4198 } 4199 4200 const char *SSL_get_psk_identity_hint(const SSL *s) 4201 { 4202 if (s == NULL || s->session == NULL) 4203 return NULL; 4204 return s->session->psk_identity_hint; 4205 } 4206 4207 const char *SSL_get_psk_identity(const SSL *s) 4208 { 4209 if (s == NULL || s->session == NULL) 4210 return NULL; 4211 return s->session->psk_identity; 4212 } 4213 4214 void SSL_set_psk_client_callback(SSL *s, SSL_psk_client_cb_func cb) 4215 { 4216 s->psk_client_callback = cb; 4217 } 4218 4219 void SSL_CTX_set_psk_client_callback(SSL_CTX *ctx, SSL_psk_client_cb_func cb) 4220 { 4221 ctx->psk_client_callback = cb; 4222 } 4223 4224 void SSL_set_psk_server_callback(SSL *s, SSL_psk_server_cb_func cb) 4225 { 4226 s->psk_server_callback = cb; 4227 } 4228 4229 void SSL_CTX_set_psk_server_callback(SSL_CTX *ctx, SSL_psk_server_cb_func cb) 4230 { 4231 ctx->psk_server_callback = cb; 4232 } 4233 #endif 4234 4235 void SSL_set_psk_find_session_callback(SSL *s, SSL_psk_find_session_cb_func cb) 4236 { 4237 s->psk_find_session_cb = cb; 4238 } 4239 4240 void SSL_CTX_set_psk_find_session_callback(SSL_CTX *ctx, 4241 SSL_psk_find_session_cb_func cb) 4242 { 4243 ctx->psk_find_session_cb = cb; 4244 } 4245 4246 void SSL_set_psk_use_session_callback(SSL *s, SSL_psk_use_session_cb_func cb) 4247 { 4248 s->psk_use_session_cb = cb; 4249 } 4250 4251 void SSL_CTX_set_psk_use_session_callback(SSL_CTX *ctx, 4252 SSL_psk_use_session_cb_func cb) 4253 { 4254 ctx->psk_use_session_cb = cb; 4255 } 4256 4257 void SSL_CTX_set_msg_callback(SSL_CTX *ctx, 4258 void (*cb) (int write_p, int version, 4259 int content_type, const void *buf, 4260 size_t len, SSL *ssl, void *arg)) 4261 { 4262 SSL_CTX_callback_ctrl(ctx, SSL_CTRL_SET_MSG_CALLBACK, (void (*)(void))cb); 4263 } 4264 4265 void SSL_set_msg_callback(SSL *ssl, 4266 void (*cb) (int write_p, int version, 4267 int content_type, const void *buf, 4268 size_t len, SSL *ssl, void *arg)) 4269 { 4270 SSL_callback_ctrl(ssl, SSL_CTRL_SET_MSG_CALLBACK, (void (*)(void))cb); 4271 } 4272 4273 void SSL_CTX_set_not_resumable_session_callback(SSL_CTX *ctx, 4274 int (*cb) (SSL *ssl, 4275 int 4276 is_forward_secure)) 4277 { 4278 SSL_CTX_callback_ctrl(ctx, SSL_CTRL_SET_NOT_RESUMABLE_SESS_CB, 4279 (void (*)(void))cb); 4280 } 4281 4282 void SSL_set_not_resumable_session_callback(SSL *ssl, 4283 int (*cb) (SSL *ssl, 4284 int is_forward_secure)) 4285 { 4286 SSL_callback_ctrl(ssl, SSL_CTRL_SET_NOT_RESUMABLE_SESS_CB, 4287 (void (*)(void))cb); 4288 } 4289 4290 void SSL_CTX_set_record_padding_callback(SSL_CTX *ctx, 4291 size_t (*cb) (SSL *ssl, int type, 4292 size_t len, void *arg)) 4293 { 4294 ctx->record_padding_cb = cb; 4295 } 4296 4297 void SSL_CTX_set_record_padding_callback_arg(SSL_CTX *ctx, void *arg) 4298 { 4299 ctx->record_padding_arg = arg; 4300 } 4301 4302 void *SSL_CTX_get_record_padding_callback_arg(SSL_CTX *ctx) 4303 { 4304 return ctx->record_padding_arg; 4305 } 4306 4307 int SSL_CTX_set_block_padding(SSL_CTX *ctx, size_t block_size) 4308 { 4309 /* block size of 0 or 1 is basically no padding */ 4310 if (block_size == 1) 4311 ctx->block_padding = 0; 4312 else if (block_size <= SSL3_RT_MAX_PLAIN_LENGTH) 4313 ctx->block_padding = block_size; 4314 else 4315 return 0; 4316 return 1; 4317 } 4318 4319 void SSL_set_record_padding_callback(SSL *ssl, 4320 size_t (*cb) (SSL *ssl, int type, 4321 size_t len, void *arg)) 4322 { 4323 ssl->record_padding_cb = cb; 4324 } 4325 4326 void SSL_set_record_padding_callback_arg(SSL *ssl, void *arg) 4327 { 4328 ssl->record_padding_arg = arg; 4329 } 4330 4331 void *SSL_get_record_padding_callback_arg(SSL *ssl) 4332 { 4333 return ssl->record_padding_arg; 4334 } 4335 4336 int SSL_set_block_padding(SSL *ssl, size_t block_size) 4337 { 4338 /* block size of 0 or 1 is basically no padding */ 4339 if (block_size == 1) 4340 ssl->block_padding = 0; 4341 else if (block_size <= SSL3_RT_MAX_PLAIN_LENGTH) 4342 ssl->block_padding = block_size; 4343 else 4344 return 0; 4345 return 1; 4346 } 4347 4348 int SSL_set_num_tickets(SSL *s, size_t num_tickets) 4349 { 4350 s->num_tickets = num_tickets; 4351 4352 return 1; 4353 } 4354 4355 size_t SSL_get_num_tickets(SSL *s) 4356 { 4357 return s->num_tickets; 4358 } 4359 4360 int SSL_CTX_set_num_tickets(SSL_CTX *ctx, size_t num_tickets) 4361 { 4362 ctx->num_tickets = num_tickets; 4363 4364 return 1; 4365 } 4366 4367 size_t SSL_CTX_get_num_tickets(SSL_CTX *ctx) 4368 { 4369 return ctx->num_tickets; 4370 } 4371 4372 /* 4373 * Allocates new EVP_MD_CTX and sets pointer to it into given pointer 4374 * variable, freeing EVP_MD_CTX previously stored in that variable, if any. 4375 * If EVP_MD pointer is passed, initializes ctx with this |md|. 4376 * Returns the newly allocated ctx; 4377 */ 4378 4379 EVP_MD_CTX *ssl_replace_hash(EVP_MD_CTX **hash, const EVP_MD *md) 4380 { 4381 ssl_clear_hash_ctx(hash); 4382 *hash = EVP_MD_CTX_new(); 4383 if (*hash == NULL || (md && EVP_DigestInit_ex(*hash, md, NULL) <= 0)) { 4384 EVP_MD_CTX_free(*hash); 4385 *hash = NULL; 4386 return NULL; 4387 } 4388 return *hash; 4389 } 4390 4391 void ssl_clear_hash_ctx(EVP_MD_CTX **hash) 4392 { 4393 4394 EVP_MD_CTX_free(*hash); 4395 *hash = NULL; 4396 } 4397 4398 /* Retrieve handshake hashes */ 4399 int ssl_handshake_hash(SSL *s, unsigned char *out, size_t outlen, 4400 size_t *hashlen) 4401 { 4402 EVP_MD_CTX *ctx = NULL; 4403 EVP_MD_CTX *hdgst = s->s3->handshake_dgst; 4404 int hashleni = EVP_MD_CTX_size(hdgst); 4405 int ret = 0; 4406 4407 if (hashleni < 0 || (size_t)hashleni > outlen) { 4408 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_HANDSHAKE_HASH, 4409 ERR_R_INTERNAL_ERROR); 4410 goto err; 4411 } 4412 4413 ctx = EVP_MD_CTX_new(); 4414 if (ctx == NULL) 4415 goto err; 4416 4417 if (!EVP_MD_CTX_copy_ex(ctx, hdgst) 4418 || EVP_DigestFinal_ex(ctx, out, NULL) <= 0) { 4419 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_HANDSHAKE_HASH, 4420 ERR_R_INTERNAL_ERROR); 4421 goto err; 4422 } 4423 4424 *hashlen = hashleni; 4425 4426 ret = 1; 4427 err: 4428 EVP_MD_CTX_free(ctx); 4429 return ret; 4430 } 4431 4432 int SSL_session_reused(SSL *s) 4433 { 4434 return s->hit; 4435 } 4436 4437 int SSL_is_server(const SSL *s) 4438 { 4439 return s->server; 4440 } 4441 4442 #if OPENSSL_API_COMPAT < 0x10100000L 4443 void SSL_set_debug(SSL *s, int debug) 4444 { 4445 /* Old function was do-nothing anyway... */ 4446 (void)s; 4447 (void)debug; 4448 } 4449 #endif 4450 4451 void SSL_set_security_level(SSL *s, int level) 4452 { 4453 s->cert->sec_level = level; 4454 } 4455 4456 int SSL_get_security_level(const SSL *s) 4457 { 4458 return s->cert->sec_level; 4459 } 4460 4461 void SSL_set_security_callback(SSL *s, 4462 int (*cb) (const SSL *s, const SSL_CTX *ctx, 4463 int op, int bits, int nid, 4464 void *other, void *ex)) 4465 { 4466 s->cert->sec_cb = cb; 4467 } 4468 4469 int (*SSL_get_security_callback(const SSL *s)) (const SSL *s, 4470 const SSL_CTX *ctx, int op, 4471 int bits, int nid, void *other, 4472 void *ex) { 4473 return s->cert->sec_cb; 4474 } 4475 4476 void SSL_set0_security_ex_data(SSL *s, void *ex) 4477 { 4478 s->cert->sec_ex = ex; 4479 } 4480 4481 void *SSL_get0_security_ex_data(const SSL *s) 4482 { 4483 return s->cert->sec_ex; 4484 } 4485 4486 void SSL_CTX_set_security_level(SSL_CTX *ctx, int level) 4487 { 4488 ctx->cert->sec_level = level; 4489 } 4490 4491 int SSL_CTX_get_security_level(const SSL_CTX *ctx) 4492 { 4493 return ctx->cert->sec_level; 4494 } 4495 4496 void SSL_CTX_set_security_callback(SSL_CTX *ctx, 4497 int (*cb) (const SSL *s, const SSL_CTX *ctx, 4498 int op, int bits, int nid, 4499 void *other, void *ex)) 4500 { 4501 ctx->cert->sec_cb = cb; 4502 } 4503 4504 int (*SSL_CTX_get_security_callback(const SSL_CTX *ctx)) (const SSL *s, 4505 const SSL_CTX *ctx, 4506 int op, int bits, 4507 int nid, 4508 void *other, 4509 void *ex) { 4510 return ctx->cert->sec_cb; 4511 } 4512 4513 void SSL_CTX_set0_security_ex_data(SSL_CTX *ctx, void *ex) 4514 { 4515 ctx->cert->sec_ex = ex; 4516 } 4517 4518 void *SSL_CTX_get0_security_ex_data(const SSL_CTX *ctx) 4519 { 4520 return ctx->cert->sec_ex; 4521 } 4522 4523 /* 4524 * Get/Set/Clear options in SSL_CTX or SSL, formerly macros, now functions that 4525 * can return unsigned long, instead of the generic long return value from the 4526 * control interface. 4527 */ 4528 unsigned long SSL_CTX_get_options(const SSL_CTX *ctx) 4529 { 4530 return ctx->options; 4531 } 4532 4533 unsigned long SSL_get_options(const SSL *s) 4534 { 4535 return s->options; 4536 } 4537 4538 unsigned long SSL_CTX_set_options(SSL_CTX *ctx, unsigned long op) 4539 { 4540 return ctx->options |= op; 4541 } 4542 4543 unsigned long SSL_set_options(SSL *s, unsigned long op) 4544 { 4545 return s->options |= op; 4546 } 4547 4548 unsigned long SSL_CTX_clear_options(SSL_CTX *ctx, unsigned long op) 4549 { 4550 return ctx->options &= ~op; 4551 } 4552 4553 unsigned long SSL_clear_options(SSL *s, unsigned long op) 4554 { 4555 return s->options &= ~op; 4556 } 4557 4558 STACK_OF(X509) *SSL_get0_verified_chain(const SSL *s) 4559 { 4560 return s->verified_chain; 4561 } 4562 4563 IMPLEMENT_OBJ_BSEARCH_GLOBAL_CMP_FN(SSL_CIPHER, SSL_CIPHER, ssl_cipher_id); 4564 4565 #ifndef OPENSSL_NO_CT 4566 4567 /* 4568 * Moves SCTs from the |src| stack to the |dst| stack. 4569 * The source of each SCT will be set to |origin|. 4570 * If |dst| points to a NULL pointer, a new stack will be created and owned by 4571 * the caller. 4572 * Returns the number of SCTs moved, or a negative integer if an error occurs. 4573 */ 4574 static int ct_move_scts(STACK_OF(SCT) **dst, STACK_OF(SCT) *src, 4575 sct_source_t origin) 4576 { 4577 int scts_moved = 0; 4578 SCT *sct = NULL; 4579 4580 if (*dst == NULL) { 4581 *dst = sk_SCT_new_null(); 4582 if (*dst == NULL) { 4583 SSLerr(SSL_F_CT_MOVE_SCTS, ERR_R_MALLOC_FAILURE); 4584 goto err; 4585 } 4586 } 4587 4588 while ((sct = sk_SCT_pop(src)) != NULL) { 4589 if (SCT_set_source(sct, origin) != 1) 4590 goto err; 4591 4592 if (sk_SCT_push(*dst, sct) <= 0) 4593 goto err; 4594 scts_moved += 1; 4595 } 4596 4597 return scts_moved; 4598 err: 4599 if (sct != NULL) 4600 sk_SCT_push(src, sct); /* Put the SCT back */ 4601 return -1; 4602 } 4603 4604 /* 4605 * Look for data collected during ServerHello and parse if found. 4606 * Returns the number of SCTs extracted. 4607 */ 4608 static int ct_extract_tls_extension_scts(SSL *s) 4609 { 4610 int scts_extracted = 0; 4611 4612 if (s->ext.scts != NULL) { 4613 const unsigned char *p = s->ext.scts; 4614 STACK_OF(SCT) *scts = o2i_SCT_LIST(NULL, &p, s->ext.scts_len); 4615 4616 scts_extracted = ct_move_scts(&s->scts, scts, SCT_SOURCE_TLS_EXTENSION); 4617 4618 SCT_LIST_free(scts); 4619 } 4620 4621 return scts_extracted; 4622 } 4623 4624 /* 4625 * Checks for an OCSP response and then attempts to extract any SCTs found if it 4626 * contains an SCT X509 extension. They will be stored in |s->scts|. 4627 * Returns: 4628 * - The number of SCTs extracted, assuming an OCSP response exists. 4629 * - 0 if no OCSP response exists or it contains no SCTs. 4630 * - A negative integer if an error occurs. 4631 */ 4632 static int ct_extract_ocsp_response_scts(SSL *s) 4633 { 4634 # ifndef OPENSSL_NO_OCSP 4635 int scts_extracted = 0; 4636 const unsigned char *p; 4637 OCSP_BASICRESP *br = NULL; 4638 OCSP_RESPONSE *rsp = NULL; 4639 STACK_OF(SCT) *scts = NULL; 4640 int i; 4641 4642 if (s->ext.ocsp.resp == NULL || s->ext.ocsp.resp_len == 0) 4643 goto err; 4644 4645 p = s->ext.ocsp.resp; 4646 rsp = d2i_OCSP_RESPONSE(NULL, &p, (int)s->ext.ocsp.resp_len); 4647 if (rsp == NULL) 4648 goto err; 4649 4650 br = OCSP_response_get1_basic(rsp); 4651 if (br == NULL) 4652 goto err; 4653 4654 for (i = 0; i < OCSP_resp_count(br); ++i) { 4655 OCSP_SINGLERESP *single = OCSP_resp_get0(br, i); 4656 4657 if (single == NULL) 4658 continue; 4659 4660 scts = 4661 OCSP_SINGLERESP_get1_ext_d2i(single, NID_ct_cert_scts, NULL, NULL); 4662 scts_extracted = 4663 ct_move_scts(&s->scts, scts, SCT_SOURCE_OCSP_STAPLED_RESPONSE); 4664 if (scts_extracted < 0) 4665 goto err; 4666 } 4667 err: 4668 SCT_LIST_free(scts); 4669 OCSP_BASICRESP_free(br); 4670 OCSP_RESPONSE_free(rsp); 4671 return scts_extracted; 4672 # else 4673 /* Behave as if no OCSP response exists */ 4674 return 0; 4675 # endif 4676 } 4677 4678 /* 4679 * Attempts to extract SCTs from the peer certificate. 4680 * Return the number of SCTs extracted, or a negative integer if an error 4681 * occurs. 4682 */ 4683 static int ct_extract_x509v3_extension_scts(SSL *s) 4684 { 4685 int scts_extracted = 0; 4686 X509 *cert = s->session != NULL ? s->session->peer : NULL; 4687 4688 if (cert != NULL) { 4689 STACK_OF(SCT) *scts = 4690 X509_get_ext_d2i(cert, NID_ct_precert_scts, NULL, NULL); 4691 4692 scts_extracted = 4693 ct_move_scts(&s->scts, scts, SCT_SOURCE_X509V3_EXTENSION); 4694 4695 SCT_LIST_free(scts); 4696 } 4697 4698 return scts_extracted; 4699 } 4700 4701 /* 4702 * Attempts to find all received SCTs by checking TLS extensions, the OCSP 4703 * response (if it exists) and X509v3 extensions in the certificate. 4704 * Returns NULL if an error occurs. 4705 */ 4706 const STACK_OF(SCT) *SSL_get0_peer_scts(SSL *s) 4707 { 4708 if (!s->scts_parsed) { 4709 if (ct_extract_tls_extension_scts(s) < 0 || 4710 ct_extract_ocsp_response_scts(s) < 0 || 4711 ct_extract_x509v3_extension_scts(s) < 0) 4712 goto err; 4713 4714 s->scts_parsed = 1; 4715 } 4716 return s->scts; 4717 err: 4718 return NULL; 4719 } 4720 4721 static int ct_permissive(const CT_POLICY_EVAL_CTX * ctx, 4722 const STACK_OF(SCT) *scts, void *unused_arg) 4723 { 4724 return 1; 4725 } 4726 4727 static int ct_strict(const CT_POLICY_EVAL_CTX * ctx, 4728 const STACK_OF(SCT) *scts, void *unused_arg) 4729 { 4730 int count = scts != NULL ? sk_SCT_num(scts) : 0; 4731 int i; 4732 4733 for (i = 0; i < count; ++i) { 4734 SCT *sct = sk_SCT_value(scts, i); 4735 int status = SCT_get_validation_status(sct); 4736 4737 if (status == SCT_VALIDATION_STATUS_VALID) 4738 return 1; 4739 } 4740 SSLerr(SSL_F_CT_STRICT, SSL_R_NO_VALID_SCTS); 4741 return 0; 4742 } 4743 4744 int SSL_set_ct_validation_callback(SSL *s, ssl_ct_validation_cb callback, 4745 void *arg) 4746 { 4747 /* 4748 * Since code exists that uses the custom extension handler for CT, look 4749 * for this and throw an error if they have already registered to use CT. 4750 */ 4751 if (callback != NULL && SSL_CTX_has_client_custom_ext(s->ctx, 4752 TLSEXT_TYPE_signed_certificate_timestamp)) 4753 { 4754 SSLerr(SSL_F_SSL_SET_CT_VALIDATION_CALLBACK, 4755 SSL_R_CUSTOM_EXT_HANDLER_ALREADY_INSTALLED); 4756 return 0; 4757 } 4758 4759 if (callback != NULL) { 4760 /* 4761 * If we are validating CT, then we MUST accept SCTs served via OCSP 4762 */ 4763 if (!SSL_set_tlsext_status_type(s, TLSEXT_STATUSTYPE_ocsp)) 4764 return 0; 4765 } 4766 4767 s->ct_validation_callback = callback; 4768 s->ct_validation_callback_arg = arg; 4769 4770 return 1; 4771 } 4772 4773 int SSL_CTX_set_ct_validation_callback(SSL_CTX *ctx, 4774 ssl_ct_validation_cb callback, void *arg) 4775 { 4776 /* 4777 * Since code exists that uses the custom extension handler for CT, look for 4778 * this and throw an error if they have already registered to use CT. 4779 */ 4780 if (callback != NULL && SSL_CTX_has_client_custom_ext(ctx, 4781 TLSEXT_TYPE_signed_certificate_timestamp)) 4782 { 4783 SSLerr(SSL_F_SSL_CTX_SET_CT_VALIDATION_CALLBACK, 4784 SSL_R_CUSTOM_EXT_HANDLER_ALREADY_INSTALLED); 4785 return 0; 4786 } 4787 4788 ctx->ct_validation_callback = callback; 4789 ctx->ct_validation_callback_arg = arg; 4790 return 1; 4791 } 4792 4793 int SSL_ct_is_enabled(const SSL *s) 4794 { 4795 return s->ct_validation_callback != NULL; 4796 } 4797 4798 int SSL_CTX_ct_is_enabled(const SSL_CTX *ctx) 4799 { 4800 return ctx->ct_validation_callback != NULL; 4801 } 4802 4803 int ssl_validate_ct(SSL *s) 4804 { 4805 int ret = 0; 4806 X509 *cert = s->session != NULL ? s->session->peer : NULL; 4807 X509 *issuer; 4808 SSL_DANE *dane = &s->dane; 4809 CT_POLICY_EVAL_CTX *ctx = NULL; 4810 const STACK_OF(SCT) *scts; 4811 4812 /* 4813 * If no callback is set, the peer is anonymous, or its chain is invalid, 4814 * skip SCT validation - just return success. Applications that continue 4815 * handshakes without certificates, with unverified chains, or pinned leaf 4816 * certificates are outside the scope of the WebPKI and CT. 4817 * 4818 * The above exclusions notwithstanding the vast majority of peers will 4819 * have rather ordinary certificate chains validated by typical 4820 * applications that perform certificate verification and therefore will 4821 * process SCTs when enabled. 4822 */ 4823 if (s->ct_validation_callback == NULL || cert == NULL || 4824 s->verify_result != X509_V_OK || 4825 s->verified_chain == NULL || sk_X509_num(s->verified_chain) <= 1) 4826 return 1; 4827 4828 /* 4829 * CT not applicable for chains validated via DANE-TA(2) or DANE-EE(3) 4830 * trust-anchors. See https://tools.ietf.org/html/rfc7671#section-4.2 4831 */ 4832 if (DANETLS_ENABLED(dane) && dane->mtlsa != NULL) { 4833 switch (dane->mtlsa->usage) { 4834 case DANETLS_USAGE_DANE_TA: 4835 case DANETLS_USAGE_DANE_EE: 4836 return 1; 4837 } 4838 } 4839 4840 ctx = CT_POLICY_EVAL_CTX_new(); 4841 if (ctx == NULL) { 4842 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_VALIDATE_CT, 4843 ERR_R_MALLOC_FAILURE); 4844 goto end; 4845 } 4846 4847 issuer = sk_X509_value(s->verified_chain, 1); 4848 CT_POLICY_EVAL_CTX_set1_cert(ctx, cert); 4849 CT_POLICY_EVAL_CTX_set1_issuer(ctx, issuer); 4850 CT_POLICY_EVAL_CTX_set_shared_CTLOG_STORE(ctx, s->ctx->ctlog_store); 4851 CT_POLICY_EVAL_CTX_set_time( 4852 ctx, (uint64_t)SSL_SESSION_get_time(SSL_get0_session(s)) * 1000); 4853 4854 scts = SSL_get0_peer_scts(s); 4855 4856 /* 4857 * This function returns success (> 0) only when all the SCTs are valid, 0 4858 * when some are invalid, and < 0 on various internal errors (out of 4859 * memory, etc.). Having some, or even all, invalid SCTs is not sufficient 4860 * reason to abort the handshake, that decision is up to the callback. 4861 * Therefore, we error out only in the unexpected case that the return 4862 * value is negative. 4863 * 4864 * XXX: One might well argue that the return value of this function is an 4865 * unfortunate design choice. Its job is only to determine the validation 4866 * status of each of the provided SCTs. So long as it correctly separates 4867 * the wheat from the chaff it should return success. Failure in this case 4868 * ought to correspond to an inability to carry out its duties. 4869 */ 4870 if (SCT_LIST_validate(scts, ctx) < 0) { 4871 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_SSL_VALIDATE_CT, 4872 SSL_R_SCT_VERIFICATION_FAILED); 4873 goto end; 4874 } 4875 4876 ret = s->ct_validation_callback(ctx, scts, s->ct_validation_callback_arg); 4877 if (ret < 0) 4878 ret = 0; /* This function returns 0 on failure */ 4879 if (!ret) 4880 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_SSL_VALIDATE_CT, 4881 SSL_R_CALLBACK_FAILED); 4882 4883 end: 4884 CT_POLICY_EVAL_CTX_free(ctx); 4885 /* 4886 * With SSL_VERIFY_NONE the session may be cached and re-used despite a 4887 * failure return code here. Also the application may wish the complete 4888 * the handshake, and then disconnect cleanly at a higher layer, after 4889 * checking the verification status of the completed connection. 4890 * 4891 * We therefore force a certificate verification failure which will be 4892 * visible via SSL_get_verify_result() and cached as part of any resumed 4893 * session. 4894 * 4895 * Note: the permissive callback is for information gathering only, always 4896 * returns success, and does not affect verification status. Only the 4897 * strict callback or a custom application-specified callback can trigger 4898 * connection failure or record a verification error. 4899 */ 4900 if (ret <= 0) 4901 s->verify_result = X509_V_ERR_NO_VALID_SCTS; 4902 return ret; 4903 } 4904 4905 int SSL_CTX_enable_ct(SSL_CTX *ctx, int validation_mode) 4906 { 4907 switch (validation_mode) { 4908 default: 4909 SSLerr(SSL_F_SSL_CTX_ENABLE_CT, SSL_R_INVALID_CT_VALIDATION_TYPE); 4910 return 0; 4911 case SSL_CT_VALIDATION_PERMISSIVE: 4912 return SSL_CTX_set_ct_validation_callback(ctx, ct_permissive, NULL); 4913 case SSL_CT_VALIDATION_STRICT: 4914 return SSL_CTX_set_ct_validation_callback(ctx, ct_strict, NULL); 4915 } 4916 } 4917 4918 int SSL_enable_ct(SSL *s, int validation_mode) 4919 { 4920 switch (validation_mode) { 4921 default: 4922 SSLerr(SSL_F_SSL_ENABLE_CT, SSL_R_INVALID_CT_VALIDATION_TYPE); 4923 return 0; 4924 case SSL_CT_VALIDATION_PERMISSIVE: 4925 return SSL_set_ct_validation_callback(s, ct_permissive, NULL); 4926 case SSL_CT_VALIDATION_STRICT: 4927 return SSL_set_ct_validation_callback(s, ct_strict, NULL); 4928 } 4929 } 4930 4931 int SSL_CTX_set_default_ctlog_list_file(SSL_CTX *ctx) 4932 { 4933 return CTLOG_STORE_load_default_file(ctx->ctlog_store); 4934 } 4935 4936 int SSL_CTX_set_ctlog_list_file(SSL_CTX *ctx, const char *path) 4937 { 4938 return CTLOG_STORE_load_file(ctx->ctlog_store, path); 4939 } 4940 4941 void SSL_CTX_set0_ctlog_store(SSL_CTX *ctx, CTLOG_STORE * logs) 4942 { 4943 CTLOG_STORE_free(ctx->ctlog_store); 4944 ctx->ctlog_store = logs; 4945 } 4946 4947 const CTLOG_STORE *SSL_CTX_get0_ctlog_store(const SSL_CTX *ctx) 4948 { 4949 return ctx->ctlog_store; 4950 } 4951 4952 #endif /* OPENSSL_NO_CT */ 4953 4954 void SSL_CTX_set_client_hello_cb(SSL_CTX *c, SSL_client_hello_cb_fn cb, 4955 void *arg) 4956 { 4957 c->client_hello_cb = cb; 4958 c->client_hello_cb_arg = arg; 4959 } 4960 4961 int SSL_client_hello_isv2(SSL *s) 4962 { 4963 if (s->clienthello == NULL) 4964 return 0; 4965 return s->clienthello->isv2; 4966 } 4967 4968 unsigned int SSL_client_hello_get0_legacy_version(SSL *s) 4969 { 4970 if (s->clienthello == NULL) 4971 return 0; 4972 return s->clienthello->legacy_version; 4973 } 4974 4975 size_t SSL_client_hello_get0_random(SSL *s, const unsigned char **out) 4976 { 4977 if (s->clienthello == NULL) 4978 return 0; 4979 if (out != NULL) 4980 *out = s->clienthello->random; 4981 return SSL3_RANDOM_SIZE; 4982 } 4983 4984 size_t SSL_client_hello_get0_session_id(SSL *s, const unsigned char **out) 4985 { 4986 if (s->clienthello == NULL) 4987 return 0; 4988 if (out != NULL) 4989 *out = s->clienthello->session_id; 4990 return s->clienthello->session_id_len; 4991 } 4992 4993 size_t SSL_client_hello_get0_ciphers(SSL *s, const unsigned char **out) 4994 { 4995 if (s->clienthello == NULL) 4996 return 0; 4997 if (out != NULL) 4998 *out = PACKET_data(&s->clienthello->ciphersuites); 4999 return PACKET_remaining(&s->clienthello->ciphersuites); 5000 } 5001 5002 size_t SSL_client_hello_get0_compression_methods(SSL *s, const unsigned char **out) 5003 { 5004 if (s->clienthello == NULL) 5005 return 0; 5006 if (out != NULL) 5007 *out = s->clienthello->compressions; 5008 return s->clienthello->compressions_len; 5009 } 5010 5011 int SSL_client_hello_get1_extensions_present(SSL *s, int **out, size_t *outlen) 5012 { 5013 RAW_EXTENSION *ext; 5014 int *present; 5015 size_t num = 0, i; 5016 5017 if (s->clienthello == NULL || out == NULL || outlen == NULL) 5018 return 0; 5019 for (i = 0; i < s->clienthello->pre_proc_exts_len; i++) { 5020 ext = s->clienthello->pre_proc_exts + i; 5021 if (ext->present) 5022 num++; 5023 } 5024 if ((present = OPENSSL_malloc(sizeof(*present) * num)) == NULL) { 5025 SSLerr(SSL_F_SSL_CLIENT_HELLO_GET1_EXTENSIONS_PRESENT, 5026 ERR_R_MALLOC_FAILURE); 5027 return 0; 5028 } 5029 for (i = 0; i < s->clienthello->pre_proc_exts_len; i++) { 5030 ext = s->clienthello->pre_proc_exts + i; 5031 if (ext->present) { 5032 if (ext->received_order >= num) 5033 goto err; 5034 present[ext->received_order] = ext->type; 5035 } 5036 } 5037 *out = present; 5038 *outlen = num; 5039 return 1; 5040 err: 5041 OPENSSL_free(present); 5042 return 0; 5043 } 5044 5045 int SSL_client_hello_get0_ext(SSL *s, unsigned int type, const unsigned char **out, 5046 size_t *outlen) 5047 { 5048 size_t i; 5049 RAW_EXTENSION *r; 5050 5051 if (s->clienthello == NULL) 5052 return 0; 5053 for (i = 0; i < s->clienthello->pre_proc_exts_len; ++i) { 5054 r = s->clienthello->pre_proc_exts + i; 5055 if (r->present && r->type == type) { 5056 if (out != NULL) 5057 *out = PACKET_data(&r->data); 5058 if (outlen != NULL) 5059 *outlen = PACKET_remaining(&r->data); 5060 return 1; 5061 } 5062 } 5063 return 0; 5064 } 5065 5066 int SSL_free_buffers(SSL *ssl) 5067 { 5068 RECORD_LAYER *rl = &ssl->rlayer; 5069 5070 if (RECORD_LAYER_read_pending(rl) || RECORD_LAYER_write_pending(rl)) 5071 return 0; 5072 5073 RECORD_LAYER_release(rl); 5074 return 1; 5075 } 5076 5077 int SSL_alloc_buffers(SSL *ssl) 5078 { 5079 return ssl3_setup_buffers(ssl); 5080 } 5081 5082 void SSL_CTX_set_keylog_callback(SSL_CTX *ctx, SSL_CTX_keylog_cb_func cb) 5083 { 5084 ctx->keylog_callback = cb; 5085 } 5086 5087 SSL_CTX_keylog_cb_func SSL_CTX_get_keylog_callback(const SSL_CTX *ctx) 5088 { 5089 return ctx->keylog_callback; 5090 } 5091 5092 static int nss_keylog_int(const char *prefix, 5093 SSL *ssl, 5094 const uint8_t *parameter_1, 5095 size_t parameter_1_len, 5096 const uint8_t *parameter_2, 5097 size_t parameter_2_len) 5098 { 5099 char *out = NULL; 5100 char *cursor = NULL; 5101 size_t out_len = 0; 5102 size_t i; 5103 size_t prefix_len; 5104 5105 if (ssl->ctx->keylog_callback == NULL) return 1; 5106 5107 /* 5108 * Our output buffer will contain the following strings, rendered with 5109 * space characters in between, terminated by a NULL character: first the 5110 * prefix, then the first parameter, then the second parameter. The 5111 * meaning of each parameter depends on the specific key material being 5112 * logged. Note that the first and second parameters are encoded in 5113 * hexadecimal, so we need a buffer that is twice their lengths. 5114 */ 5115 prefix_len = strlen(prefix); 5116 out_len = prefix_len + (2*parameter_1_len) + (2*parameter_2_len) + 3; 5117 if ((out = cursor = OPENSSL_malloc(out_len)) == NULL) { 5118 SSLfatal(ssl, SSL_AD_INTERNAL_ERROR, SSL_F_NSS_KEYLOG_INT, 5119 ERR_R_MALLOC_FAILURE); 5120 return 0; 5121 } 5122 5123 strcpy(cursor, prefix); 5124 cursor += prefix_len; 5125 *cursor++ = ' '; 5126 5127 for (i = 0; i < parameter_1_len; i++) { 5128 sprintf(cursor, "%02x", parameter_1[i]); 5129 cursor += 2; 5130 } 5131 *cursor++ = ' '; 5132 5133 for (i = 0; i < parameter_2_len; i++) { 5134 sprintf(cursor, "%02x", parameter_2[i]); 5135 cursor += 2; 5136 } 5137 *cursor = '\0'; 5138 5139 ssl->ctx->keylog_callback(ssl, (const char *)out); 5140 OPENSSL_free(out); 5141 return 1; 5142 5143 } 5144 5145 int ssl_log_rsa_client_key_exchange(SSL *ssl, 5146 const uint8_t *encrypted_premaster, 5147 size_t encrypted_premaster_len, 5148 const uint8_t *premaster, 5149 size_t premaster_len) 5150 { 5151 if (encrypted_premaster_len < 8) { 5152 SSLfatal(ssl, SSL_AD_INTERNAL_ERROR, 5153 SSL_F_SSL_LOG_RSA_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); 5154 return 0; 5155 } 5156 5157 /* We only want the first 8 bytes of the encrypted premaster as a tag. */ 5158 return nss_keylog_int("RSA", 5159 ssl, 5160 encrypted_premaster, 5161 8, 5162 premaster, 5163 premaster_len); 5164 } 5165 5166 int ssl_log_secret(SSL *ssl, 5167 const char *label, 5168 const uint8_t *secret, 5169 size_t secret_len) 5170 { 5171 return nss_keylog_int(label, 5172 ssl, 5173 ssl->s3->client_random, 5174 SSL3_RANDOM_SIZE, 5175 secret, 5176 secret_len); 5177 } 5178 5179 #define SSLV2_CIPHER_LEN 3 5180 5181 int ssl_cache_cipherlist(SSL *s, PACKET *cipher_suites, int sslv2format) 5182 { 5183 int n; 5184 5185 n = sslv2format ? SSLV2_CIPHER_LEN : TLS_CIPHER_LEN; 5186 5187 if (PACKET_remaining(cipher_suites) == 0) { 5188 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_SSL_CACHE_CIPHERLIST, 5189 SSL_R_NO_CIPHERS_SPECIFIED); 5190 return 0; 5191 } 5192 5193 if (PACKET_remaining(cipher_suites) % n != 0) { 5194 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_SSL_CACHE_CIPHERLIST, 5195 SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST); 5196 return 0; 5197 } 5198 5199 OPENSSL_free(s->s3->tmp.ciphers_raw); 5200 s->s3->tmp.ciphers_raw = NULL; 5201 s->s3->tmp.ciphers_rawlen = 0; 5202 5203 if (sslv2format) { 5204 size_t numciphers = PACKET_remaining(cipher_suites) / n; 5205 PACKET sslv2ciphers = *cipher_suites; 5206 unsigned int leadbyte; 5207 unsigned char *raw; 5208 5209 /* 5210 * We store the raw ciphers list in SSLv3+ format so we need to do some 5211 * preprocessing to convert the list first. If there are any SSLv2 only 5212 * ciphersuites with a non-zero leading byte then we are going to 5213 * slightly over allocate because we won't store those. But that isn't a 5214 * problem. 5215 */ 5216 raw = OPENSSL_malloc(numciphers * TLS_CIPHER_LEN); 5217 s->s3->tmp.ciphers_raw = raw; 5218 if (raw == NULL) { 5219 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_CACHE_CIPHERLIST, 5220 ERR_R_MALLOC_FAILURE); 5221 return 0; 5222 } 5223 for (s->s3->tmp.ciphers_rawlen = 0; 5224 PACKET_remaining(&sslv2ciphers) > 0; 5225 raw += TLS_CIPHER_LEN) { 5226 if (!PACKET_get_1(&sslv2ciphers, &leadbyte) 5227 || (leadbyte == 0 5228 && !PACKET_copy_bytes(&sslv2ciphers, raw, 5229 TLS_CIPHER_LEN)) 5230 || (leadbyte != 0 5231 && !PACKET_forward(&sslv2ciphers, TLS_CIPHER_LEN))) { 5232 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_SSL_CACHE_CIPHERLIST, 5233 SSL_R_BAD_PACKET); 5234 OPENSSL_free(s->s3->tmp.ciphers_raw); 5235 s->s3->tmp.ciphers_raw = NULL; 5236 s->s3->tmp.ciphers_rawlen = 0; 5237 return 0; 5238 } 5239 if (leadbyte == 0) 5240 s->s3->tmp.ciphers_rawlen += TLS_CIPHER_LEN; 5241 } 5242 } else if (!PACKET_memdup(cipher_suites, &s->s3->tmp.ciphers_raw, 5243 &s->s3->tmp.ciphers_rawlen)) { 5244 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_CACHE_CIPHERLIST, 5245 ERR_R_INTERNAL_ERROR); 5246 return 0; 5247 } 5248 return 1; 5249 } 5250 5251 int SSL_bytes_to_cipher_list(SSL *s, const unsigned char *bytes, size_t len, 5252 int isv2format, STACK_OF(SSL_CIPHER) **sk, 5253 STACK_OF(SSL_CIPHER) **scsvs) 5254 { 5255 PACKET pkt; 5256 5257 if (!PACKET_buf_init(&pkt, bytes, len)) 5258 return 0; 5259 return bytes_to_cipher_list(s, &pkt, sk, scsvs, isv2format, 0); 5260 } 5261 5262 int bytes_to_cipher_list(SSL *s, PACKET *cipher_suites, 5263 STACK_OF(SSL_CIPHER) **skp, 5264 STACK_OF(SSL_CIPHER) **scsvs_out, 5265 int sslv2format, int fatal) 5266 { 5267 const SSL_CIPHER *c; 5268 STACK_OF(SSL_CIPHER) *sk = NULL; 5269 STACK_OF(SSL_CIPHER) *scsvs = NULL; 5270 int n; 5271 /* 3 = SSLV2_CIPHER_LEN > TLS_CIPHER_LEN = 2. */ 5272 unsigned char cipher[SSLV2_CIPHER_LEN]; 5273 5274 n = sslv2format ? SSLV2_CIPHER_LEN : TLS_CIPHER_LEN; 5275 5276 if (PACKET_remaining(cipher_suites) == 0) { 5277 if (fatal) 5278 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_BYTES_TO_CIPHER_LIST, 5279 SSL_R_NO_CIPHERS_SPECIFIED); 5280 else 5281 SSLerr(SSL_F_BYTES_TO_CIPHER_LIST, SSL_R_NO_CIPHERS_SPECIFIED); 5282 return 0; 5283 } 5284 5285 if (PACKET_remaining(cipher_suites) % n != 0) { 5286 if (fatal) 5287 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_BYTES_TO_CIPHER_LIST, 5288 SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST); 5289 else 5290 SSLerr(SSL_F_BYTES_TO_CIPHER_LIST, 5291 SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST); 5292 return 0; 5293 } 5294 5295 sk = sk_SSL_CIPHER_new_null(); 5296 scsvs = sk_SSL_CIPHER_new_null(); 5297 if (sk == NULL || scsvs == NULL) { 5298 if (fatal) 5299 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_BYTES_TO_CIPHER_LIST, 5300 ERR_R_MALLOC_FAILURE); 5301 else 5302 SSLerr(SSL_F_BYTES_TO_CIPHER_LIST, ERR_R_MALLOC_FAILURE); 5303 goto err; 5304 } 5305 5306 while (PACKET_copy_bytes(cipher_suites, cipher, n)) { 5307 /* 5308 * SSLv3 ciphers wrapped in an SSLv2-compatible ClientHello have the 5309 * first byte set to zero, while true SSLv2 ciphers have a non-zero 5310 * first byte. We don't support any true SSLv2 ciphers, so skip them. 5311 */ 5312 if (sslv2format && cipher[0] != '\0') 5313 continue; 5314 5315 /* For SSLv2-compat, ignore leading 0-byte. */ 5316 c = ssl_get_cipher_by_char(s, sslv2format ? &cipher[1] : cipher, 1); 5317 if (c != NULL) { 5318 if ((c->valid && !sk_SSL_CIPHER_push(sk, c)) || 5319 (!c->valid && !sk_SSL_CIPHER_push(scsvs, c))) { 5320 if (fatal) 5321 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 5322 SSL_F_BYTES_TO_CIPHER_LIST, ERR_R_MALLOC_FAILURE); 5323 else 5324 SSLerr(SSL_F_BYTES_TO_CIPHER_LIST, ERR_R_MALLOC_FAILURE); 5325 goto err; 5326 } 5327 } 5328 } 5329 if (PACKET_remaining(cipher_suites) > 0) { 5330 if (fatal) 5331 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_BYTES_TO_CIPHER_LIST, 5332 SSL_R_BAD_LENGTH); 5333 else 5334 SSLerr(SSL_F_BYTES_TO_CIPHER_LIST, SSL_R_BAD_LENGTH); 5335 goto err; 5336 } 5337 5338 if (skp != NULL) 5339 *skp = sk; 5340 else 5341 sk_SSL_CIPHER_free(sk); 5342 if (scsvs_out != NULL) 5343 *scsvs_out = scsvs; 5344 else 5345 sk_SSL_CIPHER_free(scsvs); 5346 return 1; 5347 err: 5348 sk_SSL_CIPHER_free(sk); 5349 sk_SSL_CIPHER_free(scsvs); 5350 return 0; 5351 } 5352 5353 int SSL_CTX_set_max_early_data(SSL_CTX *ctx, uint32_t max_early_data) 5354 { 5355 ctx->max_early_data = max_early_data; 5356 5357 return 1; 5358 } 5359 5360 uint32_t SSL_CTX_get_max_early_data(const SSL_CTX *ctx) 5361 { 5362 return ctx->max_early_data; 5363 } 5364 5365 int SSL_set_max_early_data(SSL *s, uint32_t max_early_data) 5366 { 5367 s->max_early_data = max_early_data; 5368 5369 return 1; 5370 } 5371 5372 uint32_t SSL_get_max_early_data(const SSL *s) 5373 { 5374 return s->max_early_data; 5375 } 5376 5377 int SSL_CTX_set_recv_max_early_data(SSL_CTX *ctx, uint32_t recv_max_early_data) 5378 { 5379 ctx->recv_max_early_data = recv_max_early_data; 5380 5381 return 1; 5382 } 5383 5384 uint32_t SSL_CTX_get_recv_max_early_data(const SSL_CTX *ctx) 5385 { 5386 return ctx->recv_max_early_data; 5387 } 5388 5389 int SSL_set_recv_max_early_data(SSL *s, uint32_t recv_max_early_data) 5390 { 5391 s->recv_max_early_data = recv_max_early_data; 5392 5393 return 1; 5394 } 5395 5396 uint32_t SSL_get_recv_max_early_data(const SSL *s) 5397 { 5398 return s->recv_max_early_data; 5399 } 5400 5401 __owur unsigned int ssl_get_max_send_fragment(const SSL *ssl) 5402 { 5403 /* Return any active Max Fragment Len extension */ 5404 if (ssl->session != NULL && USE_MAX_FRAGMENT_LENGTH_EXT(ssl->session)) 5405 return GET_MAX_FRAGMENT_LENGTH(ssl->session); 5406 5407 /* return current SSL connection setting */ 5408 return ssl->max_send_fragment; 5409 } 5410 5411 __owur unsigned int ssl_get_split_send_fragment(const SSL *ssl) 5412 { 5413 /* Return a value regarding an active Max Fragment Len extension */ 5414 if (ssl->session != NULL && USE_MAX_FRAGMENT_LENGTH_EXT(ssl->session) 5415 && ssl->split_send_fragment > GET_MAX_FRAGMENT_LENGTH(ssl->session)) 5416 return GET_MAX_FRAGMENT_LENGTH(ssl->session); 5417 5418 /* else limit |split_send_fragment| to current |max_send_fragment| */ 5419 if (ssl->split_send_fragment > ssl->max_send_fragment) 5420 return ssl->max_send_fragment; 5421 5422 /* return current SSL connection setting */ 5423 return ssl->split_send_fragment; 5424 } 5425 5426 int SSL_stateless(SSL *s) 5427 { 5428 int ret; 5429 5430 /* Ensure there is no state left over from a previous invocation */ 5431 if (!SSL_clear(s)) 5432 return 0; 5433 5434 ERR_clear_error(); 5435 5436 s->s3->flags |= TLS1_FLAGS_STATELESS; 5437 ret = SSL_accept(s); 5438 s->s3->flags &= ~TLS1_FLAGS_STATELESS; 5439 5440 if (ret > 0 && s->ext.cookieok) 5441 return 1; 5442 5443 if (s->hello_retry_request == SSL_HRR_PENDING && !ossl_statem_in_error(s)) 5444 return 0; 5445 5446 return -1; 5447 } 5448 5449 void SSL_CTX_set_post_handshake_auth(SSL_CTX *ctx, int val) 5450 { 5451 ctx->pha_enabled = val; 5452 } 5453 5454 void SSL_set_post_handshake_auth(SSL *ssl, int val) 5455 { 5456 ssl->pha_enabled = val; 5457 } 5458 5459 int SSL_verify_client_post_handshake(SSL *ssl) 5460 { 5461 if (!SSL_IS_TLS13(ssl)) { 5462 SSLerr(SSL_F_SSL_VERIFY_CLIENT_POST_HANDSHAKE, SSL_R_WRONG_SSL_VERSION); 5463 return 0; 5464 } 5465 if (!ssl->server) { 5466 SSLerr(SSL_F_SSL_VERIFY_CLIENT_POST_HANDSHAKE, SSL_R_NOT_SERVER); 5467 return 0; 5468 } 5469 5470 if (!SSL_is_init_finished(ssl)) { 5471 SSLerr(SSL_F_SSL_VERIFY_CLIENT_POST_HANDSHAKE, SSL_R_STILL_IN_INIT); 5472 return 0; 5473 } 5474 5475 switch (ssl->post_handshake_auth) { 5476 case SSL_PHA_NONE: 5477 SSLerr(SSL_F_SSL_VERIFY_CLIENT_POST_HANDSHAKE, SSL_R_EXTENSION_NOT_RECEIVED); 5478 return 0; 5479 default: 5480 case SSL_PHA_EXT_SENT: 5481 SSLerr(SSL_F_SSL_VERIFY_CLIENT_POST_HANDSHAKE, ERR_R_INTERNAL_ERROR); 5482 return 0; 5483 case SSL_PHA_EXT_RECEIVED: 5484 break; 5485 case SSL_PHA_REQUEST_PENDING: 5486 SSLerr(SSL_F_SSL_VERIFY_CLIENT_POST_HANDSHAKE, SSL_R_REQUEST_PENDING); 5487 return 0; 5488 case SSL_PHA_REQUESTED: 5489 SSLerr(SSL_F_SSL_VERIFY_CLIENT_POST_HANDSHAKE, SSL_R_REQUEST_SENT); 5490 return 0; 5491 } 5492 5493 ssl->post_handshake_auth = SSL_PHA_REQUEST_PENDING; 5494 5495 /* checks verify_mode and algorithm_auth */ 5496 if (!send_certificate_request(ssl)) { 5497 ssl->post_handshake_auth = SSL_PHA_EXT_RECEIVED; /* restore on error */ 5498 SSLerr(SSL_F_SSL_VERIFY_CLIENT_POST_HANDSHAKE, SSL_R_INVALID_CONFIG); 5499 return 0; 5500 } 5501 5502 ossl_statem_set_in_init(ssl, 1); 5503 return 1; 5504 } 5505 5506 int SSL_CTX_set_session_ticket_cb(SSL_CTX *ctx, 5507 SSL_CTX_generate_session_ticket_fn gen_cb, 5508 SSL_CTX_decrypt_session_ticket_fn dec_cb, 5509 void *arg) 5510 { 5511 ctx->generate_ticket_cb = gen_cb; 5512 ctx->decrypt_ticket_cb = dec_cb; 5513 ctx->ticket_cb_data = arg; 5514 return 1; 5515 } 5516 5517 void SSL_CTX_set_allow_early_data_cb(SSL_CTX *ctx, 5518 SSL_allow_early_data_cb_fn cb, 5519 void *arg) 5520 { 5521 ctx->allow_early_data_cb = cb; 5522 ctx->allow_early_data_cb_data = arg; 5523 } 5524 5525 void SSL_set_allow_early_data_cb(SSL *s, 5526 SSL_allow_early_data_cb_fn cb, 5527 void *arg) 5528 { 5529 s->allow_early_data_cb = cb; 5530 s->allow_early_data_cb_data = arg; 5531 } 5532