ssl_lib.c 139.9 KB
Newer Older
1
/*
2
 * Copyright 1995-2017 The OpenSSL Project Authors. All Rights Reserved.
3
 * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
4
 * Copyright 2005 Nokia. All rights reserved.
5
 *
R
Rich Salz 已提交
6 7 8 9
 * Licensed under the OpenSSL license (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
10
 */
R
Rich Salz 已提交
11

12
#include <stdio.h>
13
#include "ssl_locl.h"
14 15
#include <openssl/objects.h>
#include <openssl/lhash.h>
16
#include <openssl/x509v3.h>
17
#include <openssl/rand.h>
18
#include <openssl/ocsp.h>
R
Rich Salz 已提交
19 20
#include <openssl/dh.h>
#include <openssl/engine.h>
M
Matt Caswell 已提交
21
#include <openssl/async.h>
R
Rich Salz 已提交
22
#include <openssl/ct.h>
M
Matt Caswell 已提交
23
#include "internal/cryptlib.h"
R
Rich Salz 已提交
24
#include "internal/rand.h"
25
#include "internal/refcount.h"
26

27
const char SSL_version_str[] = OPENSSL_VERSION_TEXT;
28 29 30 31 32 33

SSL3_ENC_METHOD ssl3_undef_enc_method = {
    /*
     * evil casts, but these functions are only called if there's a library
     * bug
     */
34
    (int (*)(SSL *, SSL3_RECORD *, size_t, int))ssl_undefined_function,
35
    (int (*)(SSL *, SSL3_RECORD *, unsigned char *, int))ssl_undefined_function,
36
    ssl_undefined_function,
37
    (int (*)(SSL *, unsigned char *, unsigned char *, size_t, size_t *))
38 39
        ssl_undefined_function,
    (int (*)(SSL *, int))ssl_undefined_function,
40
    (size_t (*)(SSL *, const char *, size_t, unsigned char *))
41 42 43 44 45 46 47 48 49 50
        ssl_undefined_function,
    NULL,                       /* client_finished_label */
    0,                          /* client_finished_label_len */
    NULL,                       /* server_finished_label */
    0,                          /* server_finished_label_len */
    (int (*)(int))ssl_undefined_function,
    (int (*)(SSL *, unsigned char *, size_t, const char *,
             size_t, const unsigned char *, size_t,
             int use_context))ssl_undefined_function,
};
51

M
Matt Caswell 已提交
52 53 54
struct ssl_async_args {
    SSL *s;
    void *buf;
55
    size_t num;
E
Emilia Kasper 已提交
56
    enum { READFUNC, WRITEFUNC, OTHERFUNC } type;
M
Matt Caswell 已提交
57
    union {
58
        int (*func_read) (SSL *, void *, size_t, size_t *);
M
Matt Caswell 已提交
59
        int (*func_write) (SSL *, const void *, size_t, size_t *);
E
Emilia Kasper 已提交
60
        int (*func_other) (SSL *);
M
Matt Caswell 已提交
61
    } f;
M
Matt Caswell 已提交
62 63
};

64 65 66
static const struct {
    uint8_t mtype;
    uint8_t ord;
E
Emilia Kasper 已提交
67
    int nid;
68
} dane_mds[] = {
E
Emilia Kasper 已提交
69 70 71 72 73 74 75 76 77
    {
        DANETLS_MATCHING_FULL, 0, NID_undef
    },
    {
        DANETLS_MATCHING_2256, 1, NID_sha256
    },
    {
        DANETLS_MATCHING_2512, 2, NID_sha512
    },
78 79 80 81 82 83 84
};

static int dane_ctx_enable(struct dane_ctx_st *dctx)
{
    const EVP_MD **mdevp;
    uint8_t *mdord;
    uint8_t mdmax = DANETLS_MATCHING_LAST;
E
Emilia Kasper 已提交
85
    int n = ((int)mdmax) + 1;   /* int to handle PrivMatch(255) */
86 87
    size_t i;

88 89 90
    if (dctx->mdevp != NULL)
        return 1;

91 92 93 94
    mdevp = OPENSSL_zalloc(n * sizeof(*mdevp));
    mdord = OPENSSL_zalloc(n * sizeof(*mdord));

    if (mdord == NULL || mdevp == NULL) {
95
        OPENSSL_free(mdord);
96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137
        OPENSSL_free(mdevp);
        SSLerr(SSL_F_DANE_CTX_ENABLE, ERR_R_MALLOC_FAILURE);
        return 0;
    }

    /* Install default entries */
    for (i = 0; i < OSSL_NELEM(dane_mds); ++i) {
        const EVP_MD *md;

        if (dane_mds[i].nid == NID_undef ||
            (md = EVP_get_digestbynid(dane_mds[i].nid)) == NULL)
            continue;
        mdevp[dane_mds[i].mtype] = md;
        mdord[dane_mds[i].mtype] = dane_mds[i].ord;
    }

    dctx->mdevp = mdevp;
    dctx->mdord = mdord;
    dctx->mdmax = mdmax;

    return 1;
}

static void dane_ctx_final(struct dane_ctx_st *dctx)
{
    OPENSSL_free(dctx->mdevp);
    dctx->mdevp = NULL;

    OPENSSL_free(dctx->mdord);
    dctx->mdord = NULL;
    dctx->mdmax = 0;
}

static void tlsa_free(danetls_record *t)
{
    if (t == NULL)
        return;
    OPENSSL_free(t->data);
    EVP_PKEY_free(t->spki);
    OPENSSL_free(t);
}

138
static void dane_final(SSL_DANE *dane)
139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164
{
    sk_danetls_record_pop_free(dane->trecs, tlsa_free);
    dane->trecs = NULL;

    sk_X509_pop_free(dane->certs, X509_free);
    dane->certs = NULL;

    X509_free(dane->mcert);
    dane->mcert = NULL;
    dane->mtlsa = NULL;
    dane->mdpth = -1;
    dane->pdpth = -1;
}

/*
 * dane_copy - Copy dane configuration, sans verification state.
 */
static int ssl_dane_dup(SSL *to, SSL *from)
{
    int num;
    int i;

    if (!DANETLS_ENABLED(&from->dane))
        return 1;

    dane_final(&to->dane);
165
    to->dane.flags = from->dane.flags;
166 167 168 169 170 171 172
    to->dane.dctx = &to->ctx->dane;
    to->dane.trecs = sk_danetls_record_new_null();

    if (to->dane.trecs == NULL) {
        SSLerr(SSL_F_SSL_DANE_DUP, ERR_R_MALLOC_FAILURE);
        return 0;
    }
173

E
Emilia Kasper 已提交
174
    num = sk_danetls_record_num(from->dane.trecs);
175 176
    for (i = 0; i < num; ++i) {
        danetls_record *t = sk_danetls_record_value(from->dane.trecs, i);
177

178 179 180 181 182 183 184
        if (SSL_dane_tlsa_add(to, t->usage, t->selector, t->mtype,
                              t->data, t->dlen) <= 0)
            return 0;
    }
    return 1;
}

E
Emilia Kasper 已提交
185 186
static int dane_mtype_set(struct dane_ctx_st *dctx,
                          const EVP_MD *md, uint8_t mtype, uint8_t ord)
187 188 189 190
{
    int i;

    if (mtype == DANETLS_MATCHING_FULL && md != NULL) {
E
Emilia Kasper 已提交
191
        SSLerr(SSL_F_DANE_MTYPE_SET, SSL_R_DANE_CANNOT_OVERRIDE_MTYPE_FULL);
192 193 194 195 196 197
        return 0;
    }

    if (mtype > dctx->mdmax) {
        const EVP_MD **mdevp;
        uint8_t *mdord;
E
Emilia Kasper 已提交
198
        int n = ((int)mtype) + 1;
199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214

        mdevp = OPENSSL_realloc(dctx->mdevp, n * sizeof(*mdevp));
        if (mdevp == NULL) {
            SSLerr(SSL_F_DANE_MTYPE_SET, ERR_R_MALLOC_FAILURE);
            return -1;
        }
        dctx->mdevp = mdevp;

        mdord = OPENSSL_realloc(dctx->mdord, n * sizeof(*mdord));
        if (mdord == NULL) {
            SSLerr(SSL_F_DANE_MTYPE_SET, ERR_R_MALLOC_FAILURE);
            return -1;
        }
        dctx->mdord = mdord;

        /* Zero-fill any gaps */
E
Emilia Kasper 已提交
215
        for (i = dctx->mdmax + 1; i < mtype; ++i) {
216 217 218 219 220 221 222 223 224 225 226 227 228 229
            mdevp[i] = NULL;
            mdord[i] = 0;
        }

        dctx->mdmax = mtype;
    }

    dctx->mdevp[mtype] = md;
    /* Coerce ordinal of disabled matching types to 0 */
    dctx->mdord[mtype] = (md == NULL) ? 0 : ord;

    return 1;
}

230
static const EVP_MD *tlsa_md_get(SSL_DANE *dane, uint8_t mtype)
231 232 233 234 235 236
{
    if (mtype > dane->dctx->mdmax)
        return NULL;
    return dane->dctx->mdevp[mtype];
}

E
Emilia Kasper 已提交
237 238 239 240
static int dane_tlsa_add(SSL_DANE *dane,
                         uint8_t usage,
                         uint8_t selector,
                         uint8_t mtype, unsigned char *data, size_t dlen)
241 242 243 244 245
{
    danetls_record *t;
    const EVP_MD *md = NULL;
    int ilen = (int)dlen;
    int i;
246
    int num;
247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292

    if (dane->trecs == NULL) {
        SSLerr(SSL_F_DANE_TLSA_ADD, SSL_R_DANE_NOT_ENABLED);
        return -1;
    }

    if (ilen < 0 || dlen != (size_t)ilen) {
        SSLerr(SSL_F_DANE_TLSA_ADD, SSL_R_DANE_TLSA_BAD_DATA_LENGTH);
        return 0;
    }

    if (usage > DANETLS_USAGE_LAST) {
        SSLerr(SSL_F_DANE_TLSA_ADD, SSL_R_DANE_TLSA_BAD_CERTIFICATE_USAGE);
        return 0;
    }

    if (selector > DANETLS_SELECTOR_LAST) {
        SSLerr(SSL_F_DANE_TLSA_ADD, SSL_R_DANE_TLSA_BAD_SELECTOR);
        return 0;
    }

    if (mtype != DANETLS_MATCHING_FULL) {
        md = tlsa_md_get(dane, mtype);
        if (md == NULL) {
            SSLerr(SSL_F_DANE_TLSA_ADD, SSL_R_DANE_TLSA_BAD_MATCHING_TYPE);
            return 0;
        }
    }

    if (md != NULL && dlen != (size_t)EVP_MD_size(md)) {
        SSLerr(SSL_F_DANE_TLSA_ADD, SSL_R_DANE_TLSA_BAD_DIGEST_LENGTH);
        return 0;
    }
    if (!data) {
        SSLerr(SSL_F_DANE_TLSA_ADD, SSL_R_DANE_TLSA_NULL_DATA);
        return 0;
    }

    if ((t = OPENSSL_zalloc(sizeof(*t))) == NULL) {
        SSLerr(SSL_F_DANE_TLSA_ADD, ERR_R_MALLOC_FAILURE);
        return -1;
    }

    t->usage = usage;
    t->selector = selector;
    t->mtype = mtype;
293
    t->data = OPENSSL_malloc(dlen);
294 295 296 297 298
    if (t->data == NULL) {
        tlsa_free(t);
        SSLerr(SSL_F_DANE_TLSA_ADD, ERR_R_MALLOC_FAILURE);
        return -1;
    }
299 300
    memcpy(t->data, data, dlen);
    t->dlen = dlen;
301 302 303 304 305 306 307 308 309

    /* Validate and cache full certificate or public key */
    if (mtype == DANETLS_MATCHING_FULL) {
        const unsigned char *p = data;
        X509 *cert = NULL;
        EVP_PKEY *pkey = NULL;

        switch (selector) {
        case DANETLS_SELECTOR_CERT:
310
            if (!d2i_X509(&cert, &p, ilen) || p < data ||
311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344
                dlen != (size_t)(p - data)) {
                tlsa_free(t);
                SSLerr(SSL_F_DANE_TLSA_ADD, SSL_R_DANE_TLSA_BAD_CERTIFICATE);
                return 0;
            }
            if (X509_get0_pubkey(cert) == NULL) {
                tlsa_free(t);
                SSLerr(SSL_F_DANE_TLSA_ADD, SSL_R_DANE_TLSA_BAD_CERTIFICATE);
                return 0;
            }

            if ((DANETLS_USAGE_BIT(usage) & DANETLS_TA_MASK) == 0) {
                X509_free(cert);
                break;
            }

            /*
             * For usage DANE-TA(2), we support authentication via "2 0 0" TLSA
             * records that contain full certificates of trust-anchors that are
             * not present in the wire chain.  For usage PKIX-TA(0), we augment
             * the chain with untrusted Full(0) certificates from DNS, in case
             * they are missing from the chain.
             */
            if ((dane->certs == NULL &&
                 (dane->certs = sk_X509_new_null()) == NULL) ||
                !sk_X509_push(dane->certs, cert)) {
                SSLerr(SSL_F_DANE_TLSA_ADD, ERR_R_MALLOC_FAILURE);
                X509_free(cert);
                tlsa_free(t);
                return -1;
            }
            break;

        case DANETLS_SELECTOR_SPKI:
345
            if (!d2i_PUBKEY(&pkey, &p, ilen) || p < data ||
346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378
                dlen != (size_t)(p - data)) {
                tlsa_free(t);
                SSLerr(SSL_F_DANE_TLSA_ADD, SSL_R_DANE_TLSA_BAD_PUBLIC_KEY);
                return 0;
            }

            /*
             * For usage DANE-TA(2), we support authentication via "2 1 0" TLSA
             * records that contain full bare keys of trust-anchors that are
             * not present in the wire chain.
             */
            if (usage == DANETLS_USAGE_DANE_TA)
                t->spki = pkey;
            else
                EVP_PKEY_free(pkey);
            break;
        }
    }

    /*-
     * Find the right insertion point for the new record.
     *
     * See crypto/x509/x509_vfy.c.  We sort DANE-EE(3) records first, so that
     * they can be processed first, as they require no chain building, and no
     * expiration or hostname checks.  Because DANE-EE(3) is numerically
     * largest, this is accomplished via descending sort by "usage".
     *
     * We also sort in descending order by matching ordinal to simplify
     * the implementation of digest agility in the verification code.
     *
     * The choice of order for the selector is not significant, so we
     * use the same descending order for consistency.
     */
379 380
    num = sk_danetls_record_num(dane->trecs);
    for (i = 0; i < num; ++i) {
381
        danetls_record *rec = sk_danetls_record_value(dane->trecs, i);
382

383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405
        if (rec->usage > usage)
            continue;
        if (rec->usage < usage)
            break;
        if (rec->selector > selector)
            continue;
        if (rec->selector < selector)
            break;
        if (dane->dctx->mdord[rec->mtype] > dane->dctx->mdord[mtype])
            continue;
        break;
    }

    if (!sk_danetls_record_insert(dane->trecs, t, i)) {
        tlsa_free(t);
        SSLerr(SSL_F_DANE_TLSA_ADD, ERR_R_MALLOC_FAILURE);
        return -1;
    }
    dane->umask |= DANETLS_USAGE_BIT(usage);

    return 1;
}

406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442
/*
 * Return 0 if there is only one version configured and it was disabled
 * at configure time.  Return 1 otherwise.
 */
static int ssl_check_allowed_versions(int min_version, int max_version)
{
    int minisdtls = 0, maxisdtls = 0;

    /* Figure out if we're doing DTLS versions or TLS versions */
    if (min_version == DTLS1_BAD_VER
        || min_version >> 8 == DTLS1_VERSION_MAJOR)
        minisdtls = 1;
    if (max_version == DTLS1_BAD_VER
        || max_version >> 8 == DTLS1_VERSION_MAJOR)
        maxisdtls = 1;
    /* A wildcard version of 0 could be DTLS or TLS. */
    if ((minisdtls && !maxisdtls && max_version != 0)
        || (maxisdtls && !minisdtls && min_version != 0)) {
        /* Mixing DTLS and TLS versions will lead to sadness; deny it. */
        return 0;
    }

    if (minisdtls || maxisdtls) {
        /* Do DTLS version checks. */
        if (min_version == 0)
            /* Ignore DTLS1_BAD_VER */
            min_version = DTLS1_VERSION;
        if (max_version == 0)
            max_version = DTLS1_2_VERSION;
#ifdef OPENSSL_NO_DTLS1_2
        if (max_version == DTLS1_2_VERSION)
            max_version = DTLS1_VERSION;
#endif
#ifdef OPENSSL_NO_DTLS1
        if (min_version == DTLS1_VERSION)
            min_version = DTLS1_2_VERSION;
#endif
443 444
        /* Done massaging versions; do the check. */
        if (0
445 446 447 448 449 450 451 452 453 454 455 456
#ifdef OPENSSL_NO_DTLS1
            || (DTLS_VERSION_GE(min_version, DTLS1_VERSION)
                && DTLS_VERSION_GE(DTLS1_VERSION, max_version))
#endif
#ifdef OPENSSL_NO_DTLS1_2
            || (DTLS_VERSION_GE(min_version, DTLS1_2_VERSION)
                && DTLS_VERSION_GE(DTLS1_2_VERSION, max_version))
#endif
            )
            return 0;
    } else {
        /* Regular TLS version checks. */
457 458 459 460
        if (min_version == 0)
            min_version = SSL3_VERSION;
        if (max_version == 0)
            max_version = TLS1_3_VERSION;
461
#ifdef OPENSSL_NO_TLS1_3
462 463
        if (max_version == TLS1_3_VERSION)
            max_version = TLS1_2_VERSION;
464 465
#endif
#ifdef OPENSSL_NO_TLS1_2
466 467
        if (max_version == TLS1_2_VERSION)
            max_version = TLS1_1_VERSION;
468 469
#endif
#ifdef OPENSSL_NO_TLS1_1
470 471
        if (max_version == TLS1_1_VERSION)
            max_version = TLS1_VERSION;
472 473
#endif
#ifdef OPENSSL_NO_TLS1
474 475
        if (max_version == TLS1_VERSION)
            max_version = SSL3_VERSION;
476 477
#endif
#ifdef OPENSSL_NO_SSL3
478 479
        if (min_version == SSL3_VERSION)
            min_version = TLS1_VERSION;
480 481
#endif
#ifdef OPENSSL_NO_TLS1
482 483
        if (min_version == TLS1_VERSION)
            min_version = TLS1_1_VERSION;
484 485
#endif
#ifdef OPENSSL_NO_TLS1_1
486 487
        if (min_version == TLS1_1_VERSION)
            min_version = TLS1_2_VERSION;
488 489
#endif
#ifdef OPENSSL_NO_TLS1_2
490 491
        if (min_version == TLS1_2_VERSION)
            min_version = TLS1_3_VERSION;
492
#endif
493 494
        /* Done massaging versions; do the check. */
        if (0
495 496 497 498 499 500 501 502 503 504 505 506 507 508 509 510 511 512 513 514 515
#ifdef OPENSSL_NO_SSL3
            || (min_version <= SSL3_VERSION && SSL3_VERSION <= max_version)
#endif
#ifdef OPENSSL_NO_TLS1
            || (min_version <= TLS1_VERSION && TLS1_VERSION <= max_version)
#endif
#ifdef OPENSSL_NO_TLS1_1
            || (min_version <= TLS1_1_VERSION && TLS1_1_VERSION <= max_version)
#endif
#ifdef OPENSSL_NO_TLS1_2
            || (min_version <= TLS1_2_VERSION && TLS1_2_VERSION <= max_version)
#endif
#ifdef OPENSSL_NO_TLS1_3
            || (min_version <= TLS1_3_VERSION && TLS1_3_VERSION <= max_version)
#endif
            )
            return 0;
    }
    return 1;
}

R
Rich Salz 已提交
516 517 518 519 520 521 522 523
static void clear_ciphers(SSL *s)
{
    /* clear the current cipher */
    ssl_clear_cipher_ctx(s);
    ssl_clear_hash_ctx(&s->read_hash);
    ssl_clear_hash_ctx(&s->write_hash);
}

524
int SSL_clear(SSL *s)
525 526 527
{
    if (s->method == NULL) {
        SSLerr(SSL_F_SSL_CLEAR, SSL_R_NO_METHOD_SPECIFIED);
M
Matt Caswell 已提交
528
        return 0;
529
    }
530

531 532 533 534
    if (ssl_clear_bad_session(s)) {
        SSL_SESSION_free(s->session);
        s->session = NULL;
    }
535 536
    SSL_SESSION_free(s->psksession);
    s->psksession = NULL;
537 538 539
    OPENSSL_free(s->psksession_id);
    s->psksession_id = NULL;
    s->psksession_id_len = 0;
L
Lutz Jänicke 已提交
540

541 542 543
    s->error = 0;
    s->hit = 0;
    s->shutdown = 0;
544

545 546 547 548
    if (s->renegotiate) {
        SSLerr(SSL_F_SSL_CLEAR, ERR_R_INTERNAL_ERROR);
        return 0;
    }
549

M
Matt Caswell 已提交
550
    ossl_statem_clear(s);
551

552 553 554
    s->version = s->method->version;
    s->client_version = s->version;
    s->rwstate = SSL_NOTHING;
555

R
Rich Salz 已提交
556 557
    BUF_MEM_free(s->init_buf);
    s->init_buf = NULL;
R
Rich Salz 已提交
558
    clear_ciphers(s);
559
    s->first_packet = 0;
560

561 562
    s->key_update = SSL_KEY_UPDATE_NONE;

563 564 565 566 567 568 569 570 571 572
    /* Reset DANE verification result state */
    s->dane.mdpth = -1;
    s->dane.pdpth = -1;
    X509_free(s->dane.mcert);
    s->dane.mcert = NULL;
    s->dane.mtlsa = NULL;

    /* Clear the verification result peername */
    X509_VERIFY_PARAM_move_peername(s->param, NULL);

573 574
    /*
     * Check to see if we were changed into a different method, if so, revert
575
     * back.
576
     */
577
    if (s->method != s->ctx->method) {
578 579 580
        s->method->ssl_free(s);
        s->method = s->ctx->method;
        if (!s->method->ssl_new(s))
M
Matt Caswell 已提交
581
            return 0;
582 583 584 585
    } else {
        if (!s->method->ssl_clear(s))
            return 0;
    }
M
Matt Caswell 已提交
586

587
    RECORD_LAYER_clear(&s->rlayer);
M
Matt Caswell 已提交
588

M
Matt Caswell 已提交
589
    return 1;
590
}
591

592
/** Used to change an SSL_CTXs default SSL method type */
593 594 595 596 597 598 599 600 601 602
int SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *meth)
{
    STACK_OF(SSL_CIPHER) *sk;

    ctx->method = meth;

    sk = ssl_create_cipher_list(ctx->method, &(ctx->cipher_list),
                                &(ctx->cipher_list_by_id),
                                SSL_DEFAULT_CIPHER_LIST, ctx->cert);
    if ((sk == NULL) || (sk_SSL_CIPHER_num(sk) <= 0)) {
E
Emilia Kasper 已提交
603
        SSLerr(SSL_F_SSL_CTX_SET_SSL_VERSION, SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS);
604 605 606 607
        return (0);
    }
    return (1);
}
608

609
SSL *SSL_new(SSL_CTX *ctx)
610 611 612 613 614 615 616 617 618 619 620 621
{
    SSL *s;

    if (ctx == NULL) {
        SSLerr(SSL_F_SSL_NEW, SSL_R_NULL_SSL_CTX);
        return (NULL);
    }
    if (ctx->method == NULL) {
        SSLerr(SSL_F_SSL_NEW, SSL_R_SSL_CTX_HAS_NO_DEFAULT_SSL_VERSION);
        return (NULL);
    }

R
Rich Salz 已提交
622
    s = OPENSSL_zalloc(sizeof(*s));
623 624 625
    if (s == NULL)
        goto err;

626
    s->lock = CRYPTO_THREAD_lock_new();
R
Rich Salz 已提交
627 628 629 630 631 632 633 634 635 636
    if (s->lock == NULL)
        goto err;

    /*
     * If not using the standard RAND (say for fuzzing), then don't use a
     * chained DRBG.
     */
    if (RAND_get_rand_method() == RAND_OpenSSL()) {
        s->drbg = RAND_DRBG_new(NID_aes_128_ctr, RAND_DRBG_FLAG_CTR_USE_DF,
                                RAND_DRBG_get0_global());
637 638
        if (s->drbg == NULL
            || RAND_DRBG_instantiate(s->drbg, NULL, 0) == 0) {
R
Rich Salz 已提交
639 640 641
            CRYPTO_THREAD_lock_free(s->lock);
            goto err;
        }
642 643
    }

644
    RECORD_LAYER_init(&s->rlayer, s);
645

646
    s->options = ctx->options;
647
    s->dane.flags = ctx->dane.flags;
648 649
    s->min_proto_version = ctx->min_proto_version;
    s->max_proto_version = ctx->max_proto_version;
650 651
    s->mode = ctx->mode;
    s->max_cert_list = ctx->max_cert_list;
652
    s->references = 1;
653
    s->max_early_data = ctx->max_early_data;
654

K
Kurt Roeckx 已提交
655 656 657 658 659 660 661 662 663 664 665 666
    /*
     * Earlier library versions used to copy the pointer to the CERT, not
     * its contents; only when setting new parameters for the per-SSL
     * copy, ssl_cert_new would be called (and the direct reference to
     * the per-SSL_CTX settings would be lost, but those still were
     * indirectly accessed for various purposes, and for that reason they
     * used to be known as s->ctx->default_cert). Now we don't look at the
     * SSL_CTX's CERT after having duplicated it once.
     */
    s->cert = ssl_cert_dup(ctx->cert);
    if (s->cert == NULL)
        goto err;
667

668
    RECORD_LAYER_set_read_ahead(&s->rlayer, ctx->read_ahead);
669 670 671 672
    s->msg_callback = ctx->msg_callback;
    s->msg_callback_arg = ctx->msg_callback_arg;
    s->verify_mode = ctx->verify_mode;
    s->not_resumable_session_cb = ctx->not_resumable_session_cb;
T
Todd Short 已提交
673 674 675
    s->record_padding_cb = ctx->record_padding_cb;
    s->record_padding_arg = ctx->record_padding_arg;
    s->block_padding = ctx->block_padding;
676
    s->sid_ctx_length = ctx->sid_ctx_length;
677 678
    if (!ossl_assert(s->sid_ctx_length <= sizeof s->sid_ctx))
        goto err;
679 680 681 682 683
    memcpy(&s->sid_ctx, &ctx->sid_ctx, sizeof(s->sid_ctx));
    s->verify_callback = ctx->default_verify_callback;
    s->generate_session_id = ctx->generate_session_id;

    s->param = X509_VERIFY_PARAM_new();
684
    if (s->param == NULL)
685 686 687 688
        goto err;
    X509_VERIFY_PARAM_inherit(s->param, ctx->param);
    s->quiet_shutdown = ctx->quiet_shutdown;
    s->max_send_fragment = ctx->max_send_fragment;
689 690
    s->split_send_fragment = ctx->split_send_fragment;
    s->max_pipelines = ctx->max_pipelines;
691 692
    if (s->max_pipelines > 1)
        RECORD_LAYER_set_read_ahead(&s->rlayer, 1);
693 694
    if (ctx->default_read_buf_len > 0)
        SSL_set_default_read_buffer_len(s, ctx->default_read_buf_len);
695

696
    SSL_CTX_up_ref(ctx);
697
    s->ctx = ctx;
R
Rich Salz 已提交
698 699 700 701 702 703 704 705 706
    s->ext.debug_cb = 0;
    s->ext.debug_arg = NULL;
    s->ext.ticket_expected = 0;
    s->ext.status_type = ctx->ext.status_type;
    s->ext.status_expected = 0;
    s->ext.ocsp.ids = NULL;
    s->ext.ocsp.exts = NULL;
    s->ext.ocsp.resp = NULL;
    s->ext.ocsp.resp_len = 0;
707
    SSL_CTX_up_ref(ctx);
708
    s->session_ctx = ctx;
E
Emilia Kasper 已提交
709
#ifndef OPENSSL_NO_EC
R
Rich Salz 已提交
710 711 712 713 714
    if (ctx->ext.ecpointformats) {
        s->ext.ecpointformats =
            OPENSSL_memdup(ctx->ext.ecpointformats,
                           ctx->ext.ecpointformats_len);
        if (!s->ext.ecpointformats)
715
            goto err;
R
Rich Salz 已提交
716 717 718 719 720 721
        s->ext.ecpointformats_len =
            ctx->ext.ecpointformats_len;
    }
    if (ctx->ext.supportedgroups) {
        s->ext.supportedgroups =
            OPENSSL_memdup(ctx->ext.supportedgroups,
D
Dr. Stephen Henson 已提交
722
                           ctx->ext.supportedgroups_len
723
                                * sizeof(*ctx->ext.supportedgroups));
R
Rich Salz 已提交
724
        if (!s->ext.supportedgroups)
725
            goto err;
R
Rich Salz 已提交
726
        s->ext.supportedgroups_len = ctx->ext.supportedgroups_len;
727
    }
E
Emilia Kasper 已提交
728 729
#endif
#ifndef OPENSSL_NO_NEXTPROTONEG
R
Rich Salz 已提交
730
    s->ext.npn = NULL;
E
Emilia Kasper 已提交
731
#endif
A
Adam Langley 已提交
732

R
Rich Salz 已提交
733 734 735
    if (s->ctx->ext.alpn) {
        s->ext.alpn = OPENSSL_malloc(s->ctx->ext.alpn_len);
        if (s->ext.alpn == NULL)
736
            goto err;
R
Rich Salz 已提交
737 738
        memcpy(s->ext.alpn, s->ctx->ext.alpn, s->ctx->ext.alpn_len);
        s->ext.alpn_len = s->ctx->ext.alpn_len;
739
    }
740

741
    s->verified_chain = NULL;
742
    s->verify_result = X509_V_OK;
743

M
Matt Caswell 已提交
744 745 746
    s->default_passwd_callback = ctx->default_passwd_callback;
    s->default_passwd_callback_userdata = ctx->default_passwd_callback_userdata;

747
    s->method = ctx->method;
748

749 750
    s->key_update = SSL_KEY_UPDATE_NONE;

751 752
    if (!s->method->ssl_new(s))
        goto err;
753

754
    s->server = (ctx->method->ssl_accept == ssl_undefined_function) ? 0 : 1;
755

V
Viktor Dukhovni 已提交
756
    if (!SSL_clear(s))
M
Matt Caswell 已提交
757
        goto err;
758

759 760
    if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL, s, &s->ex_data))
        goto err;
761

762
#ifndef OPENSSL_NO_PSK
763 764
    s->psk_client_callback = ctx->psk_client_callback;
    s->psk_server_callback = ctx->psk_server_callback;
765
#endif
766 767
    s->psk_find_session_cb = ctx->psk_find_session_cb;
    s->psk_use_session_cb = ctx->psk_use_session_cb;
768

M
Matt Caswell 已提交
769 770
    s->job = NULL;

771 772
#ifndef OPENSSL_NO_CT
    if (!SSL_set_ct_validation_callback(s, ctx->ct_validation_callback,
E
Emilia Kasper 已提交
773
                                        ctx->ct_validation_callback_arg))
774 775 776
        goto err;
#endif

777
    return s;
778
 err:
R
Rich Salz 已提交
779
    SSL_free(s);
780
    SSLerr(SSL_F_SSL_NEW, ERR_R_MALLOC_FAILURE);
781
    return NULL;
782
}
783

R
Rich Salz 已提交
784 785 786 787 788
int SSL_is_dtls(const SSL *s)
{
    return SSL_IS_DTLS(s) ? 1 : 0;
}

789
int SSL_up_ref(SSL *s)
790
{
791
    int i;
792

793
    if (CRYPTO_UP_REF(&s->references, &i, s->lock) <= 0)
794 795 796 797 798
        return 0;

    REF_PRINT_COUNT("SSL", s);
    REF_ASSERT_ISNT(i < 2);
    return ((i > 1) ? 1 : 0);
799 800
}

801 802 803 804 805 806 807 808 809 810
int SSL_CTX_set_session_id_context(SSL_CTX *ctx, const unsigned char *sid_ctx,
                                   unsigned int sid_ctx_len)
{
    if (sid_ctx_len > sizeof ctx->sid_ctx) {
        SSLerr(SSL_F_SSL_CTX_SET_SESSION_ID_CONTEXT,
               SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG);
        return 0;
    }
    ctx->sid_ctx_length = sid_ctx_len;
    memcpy(ctx->sid_ctx, sid_ctx, sid_ctx_len);
811 812

    return 1;
813
}
814

815 816 817 818 819 820 821 822 823 824
int SSL_set_session_id_context(SSL *ssl, const unsigned char *sid_ctx,
                               unsigned int sid_ctx_len)
{
    if (sid_ctx_len > SSL_MAX_SID_CTX_LENGTH) {
        SSLerr(SSL_F_SSL_SET_SESSION_ID_CONTEXT,
               SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG);
        return 0;
    }
    ssl->sid_ctx_length = sid_ctx_len;
    memcpy(ssl->sid_ctx, sid_ctx, sid_ctx_len);
B
Ben Laurie 已提交
825 826

    return 1;
827
}
B
Ben Laurie 已提交
828

829
int SSL_CTX_set_generate_session_id(SSL_CTX *ctx, GEN_SESSION_CB cb)
830
{
831
    CRYPTO_THREAD_write_lock(ctx->lock);
832
    ctx->generate_session_id = cb;
833
    CRYPTO_THREAD_unlock(ctx->lock);
834 835
    return 1;
}
836 837

int SSL_set_generate_session_id(SSL *ssl, GEN_SESSION_CB cb)
838
{
839
    CRYPTO_THREAD_write_lock(ssl->lock);
840
    ssl->generate_session_id = cb;
841
    CRYPTO_THREAD_unlock(ssl->lock);
842 843
    return 1;
}
844

845
int SSL_has_matching_session_id(const SSL *ssl, const unsigned char *id,
846 847 848 849
                                unsigned int id_len)
{
    /*
     * A quick examination of SSL_SESSION_hash and SSL_SESSION_cmp shows how
F
FdaSilvaYY 已提交
850
     * we can "construct" a session to give us the desired check - i.e. to
851 852 853 854 855 856 857 858 859 860 861 862 863
     * find if there's a session in the hash table that would conflict with
     * any new session built out of this id/id_len and the ssl_version in use
     * by this SSL.
     */
    SSL_SESSION r, *p;

    if (id_len > sizeof r.session_id)
        return 0;

    r.ssl_version = ssl->version;
    r.session_id_length = id_len;
    memcpy(r.session_id, id, id_len);

864 865 866
    CRYPTO_THREAD_read_lock(ssl->session_ctx->lock);
    p = lh_SSL_SESSION_retrieve(ssl->session_ctx->sessions, &r);
    CRYPTO_THREAD_unlock(ssl->session_ctx->lock);
867 868
    return (p != NULL);
}
869

870
int SSL_CTX_set_purpose(SSL_CTX *s, int purpose)
871 872 873
{
    return X509_VERIFY_PARAM_set_purpose(s->param, purpose);
}
874 875

int SSL_set_purpose(SSL *s, int purpose)
876 877 878
{
    return X509_VERIFY_PARAM_set_purpose(s->param, purpose);
}
D
 
Dr. Stephen Henson 已提交
879

880
int SSL_CTX_set_trust(SSL_CTX *s, int trust)
881 882 883
{
    return X509_VERIFY_PARAM_set_trust(s->param, trust);
}
884 885

int SSL_set_trust(SSL *s, int trust)
886 887 888
{
    return X509_VERIFY_PARAM_set_trust(s->param, trust);
}
889

890 891 892 893 894 895 896 897 898 899 900 901 902 903 904
int SSL_set1_host(SSL *s, const char *hostname)
{
    return X509_VERIFY_PARAM_set1_host(s->param, hostname, 0);
}

int SSL_add1_host(SSL *s, const char *hostname)
{
    return X509_VERIFY_PARAM_add1_host(s->param, hostname, 0);
}

void SSL_set_hostflags(SSL *s, unsigned int flags)
{
    X509_VERIFY_PARAM_set_hostflags(s->param, flags);
}

905
const char *SSL_get0_peername(SSL *s)
906 907 908 909 910 911 912 913 914
{
    return X509_VERIFY_PARAM_get0_peername(s->param);
}

int SSL_CTX_dane_enable(SSL_CTX *ctx)
{
    return dane_ctx_enable(&ctx->dane);
}

915 916 917 918 919 920 921 922 923 924 925 926 927 928 929 930
unsigned long SSL_CTX_dane_set_flags(SSL_CTX *ctx, unsigned long flags)
{
    unsigned long orig = ctx->dane.flags;

    ctx->dane.flags |= flags;
    return orig;
}

unsigned long SSL_CTX_dane_clear_flags(SSL_CTX *ctx, unsigned long flags)
{
    unsigned long orig = ctx->dane.flags;

    ctx->dane.flags &= ~flags;
    return orig;
}

931 932
int SSL_dane_enable(SSL *s, const char *basedomain)
{
933
    SSL_DANE *dane = &s->dane;
934 935 936 937 938 939 940 941 942 943

    if (s->ctx->dane.mdmax == 0) {
        SSLerr(SSL_F_SSL_DANE_ENABLE, SSL_R_CONTEXT_NOT_DANE_ENABLED);
        return 0;
    }
    if (dane->trecs != NULL) {
        SSLerr(SSL_F_SSL_DANE_ENABLE, SSL_R_DANE_ALREADY_ENABLED);
        return 0;
    }

944 945 946 947 948
    /*
     * Default SNI name.  This rejects empty names, while set1_host below
     * accepts them and disables host name checks.  To avoid side-effects with
     * invalid input, set the SNI name first.
     */
R
Rich Salz 已提交
949
    if (s->ext.hostname == NULL) {
F
FdaSilvaYY 已提交
950
        if (!SSL_set_tlsext_host_name(s, basedomain)) {
951
            SSLerr(SSL_F_SSL_DANE_ENABLE, SSL_R_ERROR_SETTING_TLSA_BASE_DOMAIN);
F
FdaSilvaYY 已提交
952
            return -1;
953 954 955
        }
    }

956 957 958 959 960 961 962 963 964 965 966 967 968 969 970 971 972 973
    /* Primary RFC6125 reference identifier */
    if (!X509_VERIFY_PARAM_set1_host(s->param, basedomain, 0)) {
        SSLerr(SSL_F_SSL_DANE_ENABLE, SSL_R_ERROR_SETTING_TLSA_BASE_DOMAIN);
        return -1;
    }

    dane->mdpth = -1;
    dane->pdpth = -1;
    dane->dctx = &s->ctx->dane;
    dane->trecs = sk_danetls_record_new_null();

    if (dane->trecs == NULL) {
        SSLerr(SSL_F_SSL_DANE_ENABLE, ERR_R_MALLOC_FAILURE);
        return -1;
    }
    return 1;
}

974 975 976 977 978 979 980 981 982 983 984 985 986 987 988 989
unsigned long SSL_dane_set_flags(SSL *ssl, unsigned long flags)
{
    unsigned long orig = ssl->dane.flags;

    ssl->dane.flags |= flags;
    return orig;
}

unsigned long SSL_dane_clear_flags(SSL *ssl, unsigned long flags)
{
    unsigned long orig = ssl->dane.flags;

    ssl->dane.flags &= ~flags;
    return orig;
}

990 991
int SSL_get0_dane_authority(SSL *s, X509 **mcert, EVP_PKEY **mspki)
{
992
    SSL_DANE *dane = &s->dane;
993

994
    if (!DANETLS_ENABLED(dane) || s->verify_result != X509_V_OK)
995 996 997 998 999 1000 1001 1002 1003 1004 1005 1006 1007
        return -1;
    if (dane->mtlsa) {
        if (mcert)
            *mcert = dane->mcert;
        if (mspki)
            *mspki = (dane->mcert == NULL) ? dane->mtlsa->spki : NULL;
    }
    return dane->mdpth;
}

int SSL_get0_dane_tlsa(SSL *s, uint8_t *usage, uint8_t *selector,
                       uint8_t *mtype, unsigned const char **data, size_t *dlen)
{
1008
    SSL_DANE *dane = &s->dane;
1009

1010
    if (!DANETLS_ENABLED(dane) || s->verify_result != X509_V_OK)
1011 1012 1013 1014 1015 1016 1017 1018 1019 1020 1021 1022 1023 1024 1025 1026
        return -1;
    if (dane->mtlsa) {
        if (usage)
            *usage = dane->mtlsa->usage;
        if (selector)
            *selector = dane->mtlsa->selector;
        if (mtype)
            *mtype = dane->mtlsa->mtype;
        if (data)
            *data = dane->mtlsa->data;
        if (dlen)
            *dlen = dane->mtlsa->dlen;
    }
    return dane->mdpth;
}

1027
SSL_DANE *SSL_get0_dane(SSL *s)
1028 1029 1030 1031 1032 1033 1034 1035 1036 1037
{
    return &s->dane;
}

int SSL_dane_tlsa_add(SSL *s, uint8_t usage, uint8_t selector,
                      uint8_t mtype, unsigned char *data, size_t dlen)
{
    return dane_tlsa_add(&s->dane, usage, selector, mtype, data, dlen);
}

E
Emilia Kasper 已提交
1038 1039
int SSL_CTX_dane_mtype_set(SSL_CTX *ctx, const EVP_MD *md, uint8_t mtype,
                           uint8_t ord)
1040 1041 1042 1043
{
    return dane_mtype_set(&ctx->dane, md, mtype, ord);
}

D
Dr. Stephen Henson 已提交
1044
int SSL_CTX_set1_param(SSL_CTX *ctx, X509_VERIFY_PARAM *vpm)
1045 1046 1047
{
    return X509_VERIFY_PARAM_set1(ctx->param, vpm);
}
D
Dr. Stephen Henson 已提交
1048 1049

int SSL_set1_param(SSL *ssl, X509_VERIFY_PARAM *vpm)
1050 1051 1052
{
    return X509_VERIFY_PARAM_set1(ssl->param, vpm);
}
D
Dr. Stephen Henson 已提交
1053

1054
X509_VERIFY_PARAM *SSL_CTX_get0_param(SSL_CTX *ctx)
1055 1056 1057
{
    return ctx->param;
}
1058 1059

X509_VERIFY_PARAM *SSL_get0_param(SSL *ssl)
1060 1061 1062
{
    return ssl->param;
}
1063

1064
void SSL_certs_clear(SSL *s)
1065 1066 1067
{
    ssl_cert_clear_certs(s->cert);
}
1068

1069
void SSL_free(SSL *s)
1070 1071
{
    int i;
1072

1073 1074
    if (s == NULL)
        return;
B
Ben Laurie 已提交
1075

1076
    CRYPTO_DOWN_REF(&s->references, &i, s->lock);
R
Rich Salz 已提交
1077
    REF_PRINT_COUNT("SSL", s);
1078 1079
    if (i > 0)
        return;
R
Rich Salz 已提交
1080
    REF_ASSERT_ISNT(i < 0);
1081

R
Rich Salz 已提交
1082
    X509_VERIFY_PARAM_free(s->param);
1083
    dane_final(&s->dane);
1084 1085
    CRYPTO_free_ex_data(CRYPTO_EX_INDEX_SSL, s, &s->ex_data);

1086
    /* Ignore return value */
1087 1088
    ssl_free_wbio_buffer(s);

1089
    BIO_free_all(s->wbio);
1090
    BIO_free_all(s->rbio);
1091

R
Rich Salz 已提交
1092
    BUF_MEM_free(s->init_buf);
1093 1094

    /* add extra stuff */
R
Rich Salz 已提交
1095 1096
    sk_SSL_CIPHER_free(s->cipher_list);
    sk_SSL_CIPHER_free(s->cipher_list_by_id);
1097 1098 1099 1100 1101 1102

    /* Make the next call work :-) */
    if (s->session != NULL) {
        ssl_clear_bad_session(s);
        SSL_SESSION_free(s->session);
    }
1103
    SSL_SESSION_free(s->psksession);
1104
    OPENSSL_free(s->psksession_id);
1105

R
Rich Salz 已提交
1106
    clear_ciphers(s);
1107

R
Rich Salz 已提交
1108
    ssl_cert_free(s->cert);
1109
    /* Free up if allocated */
1110

R
Rich Salz 已提交
1111
    OPENSSL_free(s->ext.hostname);
1112
    SSL_CTX_free(s->session_ctx);
1113
#ifndef OPENSSL_NO_EC
R
Rich Salz 已提交
1114 1115
    OPENSSL_free(s->ext.ecpointformats);
    OPENSSL_free(s->ext.supportedgroups);
E
Emilia Kasper 已提交
1116
#endif                          /* OPENSSL_NO_EC */
R
Rich Salz 已提交
1117
    sk_X509_EXTENSION_pop_free(s->ext.ocsp.exts, X509_EXTENSION_free);
M
Matt Caswell 已提交
1118
#ifndef OPENSSL_NO_OCSP
R
Rich Salz 已提交
1119
    sk_OCSP_RESPID_pop_free(s->ext.ocsp.ids, OCSP_RESPID_free);
M
Matt Caswell 已提交
1120
#endif
1121 1122
#ifndef OPENSSL_NO_CT
    SCT_LIST_free(s->scts);
R
Rich Salz 已提交
1123
    OPENSSL_free(s->ext.scts);
1124
#endif
R
Rich Salz 已提交
1125 1126
    OPENSSL_free(s->ext.ocsp.resp);
    OPENSSL_free(s->ext.alpn);
M
Matt Caswell 已提交
1127
    OPENSSL_free(s->ext.tls13_cookie);
B
Benjamin Kaduk 已提交
1128
    OPENSSL_free(s->clienthello);
1129

1130
    sk_X509_NAME_pop_free(s->ca_names, X509_NAME_free);
1131

1132 1133
    sk_X509_pop_free(s->verified_chain, X509_free);

1134 1135 1136
    if (s->method != NULL)
        s->method->ssl_free(s);

1137
    RECORD_LAYER_release(&s->rlayer);
M
Matt Caswell 已提交
1138

R
Rich Salz 已提交
1139
    SSL_CTX_free(s->ctx);
D
Dr. Stephen Henson 已提交
1140

M
Matt Caswell 已提交
1141 1142
    ASYNC_WAIT_CTX_free(s->waitctx);

1143
#if !defined(OPENSSL_NO_NEXTPROTONEG)
R
Rich Salz 已提交
1144
    OPENSSL_free(s->ext.npn);
B
Ben Laurie 已提交
1145 1146
#endif

P
Piotr Sikora 已提交
1147
#ifndef OPENSSL_NO_SRTP
R
Rich Salz 已提交
1148
    sk_SRTP_PROTECTION_PROFILE_free(s->srtp_profiles);
1149 1150
#endif

R
Rich Salz 已提交
1151
    RAND_DRBG_free(s->drbg);
1152 1153
    CRYPTO_THREAD_lock_free(s->lock);

1154 1155 1156
    OPENSSL_free(s);
}

1157
void SSL_set0_rbio(SSL *s, BIO *rbio)
1158
{
1159
    BIO_free_all(s->rbio);
1160 1161 1162
    s->rbio = rbio;
}

1163
void SSL_set0_wbio(SSL *s, BIO *wbio)
1164 1165 1166 1167
{
    /*
     * If the output buffering BIO is still in place, remove it
     */
1168 1169 1170
    if (s->bbio != NULL)
        s->wbio = BIO_pop(s->wbio);

1171
    BIO_free_all(s->wbio);
1172
    s->wbio = wbio;
1173 1174 1175 1176

    /* Re-attach |bbio| to the new |wbio|. */
    if (s->bbio != NULL)
        s->wbio = BIO_push(s->bbio, s->wbio);
1177
}
1178

1179 1180
void SSL_set_bio(SSL *s, BIO *rbio, BIO *wbio)
{
1181 1182 1183 1184 1185 1186 1187 1188 1189 1190 1191 1192 1193 1194 1195 1196 1197 1198 1199 1200 1201 1202 1203 1204 1205 1206 1207 1208 1209 1210 1211 1212 1213 1214 1215 1216
    /*
     * For historical reasons, this function has many different cases in
     * ownership handling.
     */

    /* If nothing has changed, do nothing */
    if (rbio == SSL_get_rbio(s) && wbio == SSL_get_wbio(s))
        return;

    /*
     * If the two arguments are equal then one fewer reference is granted by the
     * caller than we want to take
     */
    if (rbio != NULL && rbio == wbio)
        BIO_up_ref(rbio);

    /*
     * If only the wbio is changed only adopt one reference.
     */
    if (rbio == SSL_get_rbio(s)) {
        SSL_set0_wbio(s, wbio);
        return;
    }
    /*
     * There is an asymmetry here for historical reasons. If only the rbio is
     * changed AND the rbio and wbio were originally different, then we only
     * adopt one reference.
     */
    if (wbio == SSL_get_wbio(s) && SSL_get_rbio(s) != SSL_get_wbio(s)) {
        SSL_set0_rbio(s, rbio);
        return;
    }

    /* Otherwise, adopt both references. */
    SSL_set0_rbio(s, rbio);
    SSL_set0_wbio(s, wbio);
1217 1218
}

B
Ben Laurie 已提交
1219
BIO *SSL_get_rbio(const SSL *s)
1220
{
1221
    return s->rbio;
1222
}
1223

B
Ben Laurie 已提交
1224
BIO *SSL_get_wbio(const SSL *s)
1225
{
1226 1227 1228 1229 1230 1231 1232 1233
    if (s->bbio != NULL) {
        /*
         * If |bbio| is active, the true caller-configured BIO is its
         * |next_bio|.
         */
        return BIO_next(s->bbio);
    }
    return s->wbio;
1234
}
1235

B
Ben Laurie 已提交
1236
int SSL_get_fd(const SSL *s)
1237
{
1238
    return SSL_get_rfd(s);
1239
}
1240

B
Ben Laurie 已提交
1241
int SSL_get_rfd(const SSL *s)
1242 1243 1244 1245 1246 1247 1248 1249 1250 1251
{
    int ret = -1;
    BIO *b, *r;

    b = SSL_get_rbio(s);
    r = BIO_find_type(b, BIO_TYPE_DESCRIPTOR);
    if (r != NULL)
        BIO_get_fd(r, &ret);
    return (ret);
}
1252

B
Ben Laurie 已提交
1253
int SSL_get_wfd(const SSL *s)
1254 1255 1256 1257 1258 1259 1260 1261 1262 1263
{
    int ret = -1;
    BIO *b, *r;

    b = SSL_get_wbio(s);
    r = BIO_find_type(b, BIO_TYPE_DESCRIPTOR);
    if (r != NULL)
        BIO_get_fd(r, &ret);
    return (ret);
}
1264

1265
#ifndef OPENSSL_NO_SOCK
1266 1267 1268 1269 1270 1271 1272 1273 1274 1275 1276 1277 1278 1279 1280 1281 1282
int SSL_set_fd(SSL *s, int fd)
{
    int ret = 0;
    BIO *bio = NULL;

    bio = BIO_new(BIO_s_socket());

    if (bio == NULL) {
        SSLerr(SSL_F_SSL_SET_FD, ERR_R_BUF_LIB);
        goto err;
    }
    BIO_set_fd(bio, fd, BIO_NOCLOSE);
    SSL_set_bio(s, bio, bio);
    ret = 1;
 err:
    return (ret);
}
1283

1284 1285
int SSL_set_wfd(SSL *s, int fd)
{
1286
    BIO *rbio = SSL_get_rbio(s);
1287

1288 1289 1290
    if (rbio == NULL || BIO_method_type(rbio) != BIO_TYPE_SOCKET
        || (int)BIO_get_fd(rbio, NULL) != fd) {
        BIO *bio = BIO_new(BIO_s_socket());
1291 1292 1293

        if (bio == NULL) {
            SSLerr(SSL_F_SSL_SET_WFD, ERR_R_BUF_LIB);
1294
            return 0;
1295 1296
        }
        BIO_set_fd(bio, fd, BIO_NOCLOSE);
1297
        SSL_set0_wbio(s, bio);
1298
    } else {
1299 1300
        BIO_up_ref(rbio);
        SSL_set0_wbio(s, rbio);
1301 1302
    }
    return 1;
1303 1304 1305 1306
}

int SSL_set_rfd(SSL *s, int fd)
{
1307
    BIO *wbio = SSL_get_wbio(s);
1308

1309 1310 1311
    if (wbio == NULL || BIO_method_type(wbio) != BIO_TYPE_SOCKET
        || ((int)BIO_get_fd(wbio, NULL) != fd)) {
        BIO *bio = BIO_new(BIO_s_socket());
1312 1313 1314

        if (bio == NULL) {
            SSLerr(SSL_F_SSL_SET_RFD, ERR_R_BUF_LIB);
1315
            return 0;
1316 1317
        }
        BIO_set_fd(bio, fd, BIO_NOCLOSE);
1318
        SSL_set0_rbio(s, bio);
1319
    } else {
1320 1321
        BIO_up_ref(wbio);
        SSL_set0_rbio(s, wbio);
1322 1323 1324
    }

    return 1;
1325 1326
}
#endif
1327 1328

/* return length of latest Finished message we sent, copy to 'buf' */
B
Ben Laurie 已提交
1329
size_t SSL_get_finished(const SSL *s, void *buf, size_t count)
1330 1331 1332 1333 1334 1335 1336 1337 1338 1339 1340
{
    size_t ret = 0;

    if (s->s3 != NULL) {
        ret = s->s3->tmp.finish_md_len;
        if (count > ret)
            count = ret;
        memcpy(buf, s->s3->tmp.finish_md, count);
    }
    return ret;
}
1341 1342

/* return length of latest Finished message we expected, copy to 'buf' */
B
Ben Laurie 已提交
1343
size_t SSL_get_peer_finished(const SSL *s, void *buf, size_t count)
1344 1345
{
    size_t ret = 0;
1346

1347 1348 1349 1350 1351 1352 1353 1354
    if (s->s3 != NULL) {
        ret = s->s3->tmp.peer_finish_md_len;
        if (count > ret)
            count = ret;
        memcpy(buf, s->s3->tmp.peer_finish_md, count);
    }
    return ret;
}
1355

B
Ben Laurie 已提交
1356
int SSL_get_verify_mode(const SSL *s)
1357 1358 1359
{
    return (s->verify_mode);
}
1360

B
Ben Laurie 已提交
1361
int SSL_get_verify_depth(const SSL *s)
1362 1363 1364
{
    return X509_VERIFY_PARAM_get_depth(s->param);
}
1365

1366 1367 1368
int (*SSL_get_verify_callback(const SSL *s)) (int, X509_STORE_CTX *) {
    return (s->verify_callback);
}
1369

B
Ben Laurie 已提交
1370
int SSL_CTX_get_verify_mode(const SSL_CTX *ctx)
1371 1372 1373
{
    return (ctx->verify_mode);
}
1374

B
Ben Laurie 已提交
1375
int SSL_CTX_get_verify_depth(const SSL_CTX *ctx)
1376 1377 1378 1379 1380 1381 1382 1383 1384 1385 1386 1387 1388 1389 1390 1391 1392 1393 1394 1395 1396 1397 1398
{
    return X509_VERIFY_PARAM_get_depth(ctx->param);
}

int (*SSL_CTX_get_verify_callback(const SSL_CTX *ctx)) (int, X509_STORE_CTX *) {
    return (ctx->default_verify_callback);
}

void SSL_set_verify(SSL *s, int mode,
                    int (*callback) (int ok, X509_STORE_CTX *ctx))
{
    s->verify_mode = mode;
    if (callback != NULL)
        s->verify_callback = callback;
}

void SSL_set_verify_depth(SSL *s, int depth)
{
    X509_VERIFY_PARAM_set_depth(s->param, depth);
}

void SSL_set_read_ahead(SSL *s, int yes)
{
1399
    RECORD_LAYER_set_read_ahead(&s->rlayer, yes);
1400
}
1401

B
Ben Laurie 已提交
1402
int SSL_get_read_ahead(const SSL *s)
1403
{
1404
    return RECORD_LAYER_get_read_ahead(&s->rlayer);
1405
}
1406

B
Ben Laurie 已提交
1407
int SSL_pending(const SSL *s)
1408
{
M
Matt Caswell 已提交
1409 1410
    size_t pending = s->method->ssl_pending(s);

1411 1412 1413 1414 1415 1416
    /*
     * SSL_pending cannot work properly if read-ahead is enabled
     * (SSL_[CTX_]ctrl(..., SSL_CTRL_SET_READ_AHEAD, 1, NULL)), and it is
     * impossible to fix since SSL_pending cannot report errors that may be
     * observed while scanning the new data. (Note that SSL_pending() is
     * often used as a boolean value, so we'd better not return -1.)
M
Matt Caswell 已提交
1417 1418 1419
     *
     * SSL_pending also cannot work properly if the value >INT_MAX. In that case
     * we just return INT_MAX.
1420
     */
1421
    return pending < INT_MAX ? (int)pending : INT_MAX;
1422
}
1423

M
Matt Caswell 已提交
1424 1425 1426 1427 1428 1429 1430 1431 1432 1433
int SSL_has_pending(const SSL *s)
{
    /*
     * Similar to SSL_pending() but returns a 1 to indicate that we have
     * unprocessed data available or 0 otherwise (as opposed to the number of
     * bytes available). Unlike SSL_pending() this will take into account
     * read_ahead data. A 1 return simply indicates that we have unprocessed
     * data. That data may not result in any application data, or we may fail
     * to parse the records for some reason.
     */
1434
    if (RECORD_LAYER_processed_read_pending(&s->rlayer))
M
Matt Caswell 已提交
1435 1436 1437 1438 1439
        return 1;

    return RECORD_LAYER_read_pending(&s->rlayer);
}

B
Ben Laurie 已提交
1440
X509 *SSL_get_peer_certificate(const SSL *s)
1441 1442
{
    X509 *r;
1443

1444 1445 1446 1447
    if ((s == NULL) || (s->session == NULL))
        r = NULL;
    else
        r = s->session->peer;
1448

1449 1450
    if (r == NULL)
        return (r);
1451

D
Dr. Stephen Henson 已提交
1452
    X509_up_ref(r);
1453 1454 1455

    return (r);
}
1456

B
Ben Laurie 已提交
1457
STACK_OF(X509) *SSL_get_peer_cert_chain(const SSL *s)
1458 1459 1460
{
    STACK_OF(X509) *r;

1461
    if ((s == NULL) || (s->session == NULL))
1462 1463
        r = NULL;
    else
1464
        r = s->session->peer_chain;
1465 1466 1467 1468 1469 1470 1471 1472 1473 1474 1475 1476 1477

    /*
     * If we are a client, cert_chain includes the peer's own certificate; if
     * we are a server, it does not.
     */

    return (r);
}

/*
 * Now in theory, since the calling process own 't' it should be safe to
 * modify.  We need to be able to read f without being hassled
 */
M
Matt Caswell 已提交
1478
int SSL_copy_session_id(SSL *t, const SSL *f)
1479
{
1480
    int i;
1481
    /* Do we need to to SSL locking? */
V
Viktor Dukhovni 已提交
1482
    if (!SSL_set_session(t, SSL_get_session(f))) {
M
Matt Caswell 已提交
1483
        return 0;
M
Matt Caswell 已提交
1484
    }
1485 1486

    /*
M
Matt Caswell 已提交
1487
     * what if we are setup for one protocol version but want to talk another
1488 1489
     */
    if (t->method != f->method) {
1490 1491 1492 1493
        t->method->ssl_free(t);
        t->method = f->method;
        if (t->method->ssl_new(t) == 0)
            return 0;
1494 1495
    }

1496
    CRYPTO_UP_REF(&f->cert->references, &i, f->cert->lock);
K
Kurt Roeckx 已提交
1497 1498
    ssl_cert_free(t->cert);
    t->cert = f->cert;
1499
    if (!SSL_set_session_id_context(t, f->sid_ctx, (int)f->sid_ctx_length)) {
M
Matt Caswell 已提交
1500
        return 0;
M
Matt Caswell 已提交
1501
    }
M
Matt Caswell 已提交
1502 1503

    return 1;
1504
}
1505

1506
/* Fix this so it checks all the valid key/cert options */
B
Ben Laurie 已提交
1507
int SSL_CTX_check_private_key(const SSL_CTX *ctx)
1508
{
E
Emilia Kasper 已提交
1509 1510
    if ((ctx == NULL) || (ctx->cert->key->x509 == NULL)) {
        SSLerr(SSL_F_SSL_CTX_CHECK_PRIVATE_KEY, SSL_R_NO_CERTIFICATE_ASSIGNED);
1511 1512 1513
        return (0);
    }
    if (ctx->cert->key->privatekey == NULL) {
E
Emilia Kasper 已提交
1514
        SSLerr(SSL_F_SSL_CTX_CHECK_PRIVATE_KEY, SSL_R_NO_PRIVATE_KEY_ASSIGNED);
1515 1516 1517 1518 1519
        return (0);
    }
    return (X509_check_private_key
            (ctx->cert->key->x509, ctx->cert->key->privatekey));
}
1520

1521
/* Fix this function so that it takes an optional type parameter */
B
Ben Laurie 已提交
1522
int SSL_check_private_key(const SSL *ssl)
1523 1524 1525 1526 1527 1528 1529 1530 1531 1532 1533 1534 1535 1536 1537 1538
{
    if (ssl == NULL) {
        SSLerr(SSL_F_SSL_CHECK_PRIVATE_KEY, ERR_R_PASSED_NULL_PARAMETER);
        return (0);
    }
    if (ssl->cert->key->x509 == NULL) {
        SSLerr(SSL_F_SSL_CHECK_PRIVATE_KEY, SSL_R_NO_CERTIFICATE_ASSIGNED);
        return (0);
    }
    if (ssl->cert->key->privatekey == NULL) {
        SSLerr(SSL_F_SSL_CHECK_PRIVATE_KEY, SSL_R_NO_PRIVATE_KEY_ASSIGNED);
        return (0);
    }
    return (X509_check_private_key(ssl->cert->key->x509,
                                   ssl->cert->key->privatekey));
}
1539

M
Matt Caswell 已提交
1540 1541
int SSL_waiting_for_async(SSL *s)
{
1542
    if (s->job)
M
Matt Caswell 已提交
1543 1544
        return 1;

M
Matt Caswell 已提交
1545 1546 1547
    return 0;
}

M
Matt Caswell 已提交
1548
int SSL_get_all_async_fds(SSL *s, OSSL_ASYNC_FD *fds, size_t *numfds)
M
Matt Caswell 已提交
1549
{
M
Matt Caswell 已提交
1550 1551 1552 1553 1554 1555
    ASYNC_WAIT_CTX *ctx = s->waitctx;

    if (ctx == NULL)
        return 0;
    return ASYNC_WAIT_CTX_get_all_fds(ctx, fds, numfds);
}
M
Matt Caswell 已提交
1556

M
Matt Caswell 已提交
1557 1558 1559 1560 1561 1562 1563 1564 1565
int SSL_get_changed_async_fds(SSL *s, OSSL_ASYNC_FD *addfd, size_t *numaddfds,
                              OSSL_ASYNC_FD *delfd, size_t *numdelfds)
{
    ASYNC_WAIT_CTX *ctx = s->waitctx;

    if (ctx == NULL)
        return 0;
    return ASYNC_WAIT_CTX_get_changed_fds(ctx, addfd, numaddfds, delfd,
                                          numdelfds);
M
Matt Caswell 已提交
1566 1567
}

1568
int SSL_accept(SSL *s)
1569
{
1570
    if (s->handshake_func == NULL) {
1571 1572
        /* Not properly initialized yet */
        SSL_set_accept_state(s);
M
Matt Caswell 已提交
1573
    }
M
Matt Caswell 已提交
1574 1575

    return SSL_do_handshake(s);
1576
}
1577

1578
int SSL_connect(SSL *s)
1579
{
1580
    if (s->handshake_func == NULL) {
1581 1582
        /* Not properly initialized yet */
        SSL_set_connect_state(s);
M
Matt Caswell 已提交
1583
    }
1584

M
Matt Caswell 已提交
1585
    return SSL_do_handshake(s);
1586
}
1587

B
Ben Laurie 已提交
1588
long SSL_get_default_timeout(const SSL *s)
1589 1590 1591 1592
{
    return (s->method->get_timeout());
}

1593
static int ssl_start_async_job(SSL *s, struct ssl_async_args *args,
E
Emilia Kasper 已提交
1594 1595
                               int (*func) (void *))
{
M
Matt Caswell 已提交
1596
    int ret;
M
Matt Caswell 已提交
1597 1598 1599 1600 1601
    if (s->waitctx == NULL) {
        s->waitctx = ASYNC_WAIT_CTX_new();
        if (s->waitctx == NULL)
            return -1;
    }
1602
    switch (ASYNC_start_job(&s->job, s->waitctx, &ret, func, args,
E
Emilia Kasper 已提交
1603
                            sizeof(struct ssl_async_args))) {
M
Matt Caswell 已提交
1604 1605
    case ASYNC_ERR:
        s->rwstate = SSL_NOTHING;
1606
        SSLerr(SSL_F_SSL_START_ASYNC_JOB, SSL_R_FAILED_TO_INIT_ASYNC);
M
Matt Caswell 已提交
1607 1608 1609 1610
        return -1;
    case ASYNC_PAUSE:
        s->rwstate = SSL_ASYNC_PAUSED;
        return -1;
M
Matt Caswell 已提交
1611 1612 1613
    case ASYNC_NO_JOBS:
        s->rwstate = SSL_ASYNC_NO_JOBS;
        return -1;
M
Matt Caswell 已提交
1614 1615 1616 1617 1618
    case ASYNC_FINISH:
        s->job = NULL;
        return ret;
    default:
        s->rwstate = SSL_NOTHING;
1619
        SSLerr(SSL_F_SSL_START_ASYNC_JOB, ERR_R_INTERNAL_ERROR);
M
Matt Caswell 已提交
1620 1621 1622 1623
        /* Shouldn't happen */
        return -1;
    }
}
M
Matt Caswell 已提交
1624

M
Matt Caswell 已提交
1625
static int ssl_io_intern(void *vargs)
M
Matt Caswell 已提交
1626 1627 1628 1629
{
    struct ssl_async_args *args;
    SSL *s;
    void *buf;
1630
    size_t num;
M
Matt Caswell 已提交
1631 1632 1633 1634 1635

    args = (struct ssl_async_args *)vargs;
    s = args->s;
    buf = args->buf;
    num = args->num;
M
Matt Caswell 已提交
1636 1637
    switch (args->type) {
    case READFUNC:
M
Matt Caswell 已提交
1638
        return args->f.func_read(s, buf, num, &s->asyncrw);
M
Matt Caswell 已提交
1639
    case WRITEFUNC:
M
Matt Caswell 已提交
1640
        return args->f.func_write(s, buf, num, &s->asyncrw);
M
Matt Caswell 已提交
1641 1642 1643 1644
    case OTHERFUNC:
        return args->f.func_other(s);
    }
    return -1;
M
Matt Caswell 已提交
1645 1646
}

1647
int ssl_read_internal(SSL *s, void *buf, size_t num, size_t *readbytes)
1648
{
1649
    if (s->handshake_func == NULL) {
1650
        SSLerr(SSL_F_SSL_READ_INTERNAL, SSL_R_UNINITIALIZED);
1651 1652 1653 1654 1655
        return -1;
    }

    if (s->shutdown & SSL_RECEIVED_SHUTDOWN) {
        s->rwstate = SSL_NOTHING;
1656
        return 0;
1657
    }
M
Matt Caswell 已提交
1658

1659 1660
    if (s->early_data_state == SSL_EARLY_DATA_CONNECT_RETRY
                || s->early_data_state == SSL_EARLY_DATA_ACCEPT_RETRY) {
1661 1662 1663
        SSLerr(SSL_F_SSL_READ_INTERNAL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
        return 0;
    }
1664 1665 1666 1667 1668
    /*
     * If we are a client and haven't received the ServerHello etc then we
     * better do that
     */
    ossl_statem_check_finish_init(s, 0);
1669

1670
    if ((s->mode & SSL_MODE_ASYNC) && ASYNC_get_current_job() == NULL) {
M
Matt Caswell 已提交
1671
        struct ssl_async_args args;
1672
        int ret;
M
Matt Caswell 已提交
1673 1674 1675 1676

        args.s = s;
        args.buf = buf;
        args.num = num;
M
Matt Caswell 已提交
1677 1678
        args.type = READFUNC;
        args.f.func_read = s->method->ssl_read;
M
Matt Caswell 已提交
1679

1680
        ret = ssl_start_async_job(s, &args, ssl_io_intern);
1681
        *readbytes = s->asyncrw;
1682
        return ret;
M
Matt Caswell 已提交
1683
    } else {
1684
        return s->method->ssl_read(s, buf, num, readbytes);
M
Matt Caswell 已提交
1685
    }
1686 1687
}

1688
int SSL_read(SSL *s, void *buf, int num)
1689 1690
{
    int ret;
1691
    size_t readbytes;
1692 1693

    if (num < 0) {
1694
        SSLerr(SSL_F_SSL_READ, SSL_R_BAD_LENGTH);
1695 1696 1697
        return -1;
    }

1698
    ret = ssl_read_internal(s, buf, (size_t)num, &readbytes);
1699 1700 1701 1702 1703 1704

    /*
     * The cast is safe here because ret should be <= INT_MAX because num is
     * <= INT_MAX
     */
    if (ret > 0)
1705
        ret = (int)readbytes;
1706 1707 1708 1709

    return ret;
}

1710 1711 1712 1713 1714 1715 1716 1717 1718
int SSL_read_ex(SSL *s, void *buf, size_t num, size_t *readbytes)
{
    int ret = ssl_read_internal(s, buf, num, readbytes);

    if (ret < 0)
        ret = 0;
    return ret;
}

1719
int SSL_read_early_data(SSL *s, void *buf, size_t num, size_t *readbytes)
1720 1721 1722 1723
{
    int ret;

    if (!s->server) {
1724 1725
        SSLerr(SSL_F_SSL_READ_EARLY_DATA, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
        return SSL_READ_EARLY_DATA_ERROR;
1726 1727 1728 1729 1730
    }

    switch (s->early_data_state) {
    case SSL_EARLY_DATA_NONE:
        if (!SSL_in_before(s)) {
1731 1732 1733
            SSLerr(SSL_F_SSL_READ_EARLY_DATA,
                   ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
            return SSL_READ_EARLY_DATA_ERROR;
1734 1735 1736 1737 1738 1739 1740 1741 1742
        }
        /* fall through */

    case SSL_EARLY_DATA_ACCEPT_RETRY:
        s->early_data_state = SSL_EARLY_DATA_ACCEPTING;
        ret = SSL_accept(s);
        if (ret <= 0) {
            /* NBIO or error */
            s->early_data_state = SSL_EARLY_DATA_ACCEPT_RETRY;
1743
            return SSL_READ_EARLY_DATA_ERROR;
1744 1745 1746 1747 1748 1749 1750 1751
        }
        /* fall through */

    case SSL_EARLY_DATA_READ_RETRY:
        if (s->ext.early_data == SSL_EARLY_DATA_ACCEPTED) {
            s->early_data_state = SSL_EARLY_DATA_READING;
            ret = SSL_read_ex(s, buf, num, readbytes);
            /*
1752 1753 1754
             * State machine will update early_data_state to
             * SSL_EARLY_DATA_FINISHED_READING if we get an EndOfEarlyData
             * message
1755 1756 1757 1758
             */
            if (ret > 0 || (ret <= 0 && s->early_data_state
                                        != SSL_EARLY_DATA_FINISHED_READING)) {
                s->early_data_state = SSL_EARLY_DATA_READ_RETRY;
1759 1760
                return ret > 0 ? SSL_READ_EARLY_DATA_SUCCESS
                               : SSL_READ_EARLY_DATA_ERROR;
1761 1762 1763 1764 1765
            }
        } else {
            s->early_data_state = SSL_EARLY_DATA_FINISHED_READING;
        }
        *readbytes = 0;
1766
        return SSL_READ_EARLY_DATA_FINISH;
1767 1768

    default:
1769 1770
        SSLerr(SSL_F_SSL_READ_EARLY_DATA, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
        return SSL_READ_EARLY_DATA_ERROR;
1771 1772 1773
    }
}

1774
int SSL_get_early_data_status(const SSL *s)
1775 1776 1777 1778
{
    return s->ext.early_data;
}

1779
static int ssl_peek_internal(SSL *s, void *buf, size_t num, size_t *readbytes)
1780
{
1781
    if (s->handshake_func == NULL) {
1782
        SSLerr(SSL_F_SSL_PEEK_INTERNAL, SSL_R_UNINITIALIZED);
1783 1784 1785 1786
        return -1;
    }

    if (s->shutdown & SSL_RECEIVED_SHUTDOWN) {
1787
        return 0;
1788
    }
1789
    if ((s->mode & SSL_MODE_ASYNC) && ASYNC_get_current_job() == NULL) {
M
Matt Caswell 已提交
1790
        struct ssl_async_args args;
1791
        int ret;
1792

M
Matt Caswell 已提交
1793 1794 1795
        args.s = s;
        args.buf = buf;
        args.num = num;
M
Matt Caswell 已提交
1796 1797
        args.type = READFUNC;
        args.f.func_read = s->method->ssl_peek;
M
Matt Caswell 已提交
1798

1799
        ret = ssl_start_async_job(s, &args, ssl_io_intern);
1800
        *readbytes = s->asyncrw;
1801
        return ret;
M
Matt Caswell 已提交
1802
    } else {
1803
        return s->method->ssl_peek(s, buf, num, readbytes);
M
Matt Caswell 已提交
1804
    }
M
Matt Caswell 已提交
1805 1806
}

1807
int SSL_peek(SSL *s, void *buf, int num)
M
Matt Caswell 已提交
1808 1809
{
    int ret;
1810
    size_t readbytes;
M
Matt Caswell 已提交
1811 1812

    if (num < 0) {
1813
        SSLerr(SSL_F_SSL_PEEK, SSL_R_BAD_LENGTH);
M
Matt Caswell 已提交
1814 1815 1816
        return -1;
    }

1817
    ret = ssl_peek_internal(s, buf, (size_t)num, &readbytes);
M
Matt Caswell 已提交
1818 1819 1820 1821 1822 1823

    /*
     * The cast is safe here because ret should be <= INT_MAX because num is
     * <= INT_MAX
     */
    if (ret > 0)
1824
        ret = (int)readbytes;
M
Matt Caswell 已提交
1825 1826 1827 1828

    return ret;
}

1829 1830 1831 1832 1833 1834 1835 1836 1837 1838 1839

int SSL_peek_ex(SSL *s, void *buf, size_t num, size_t *readbytes)
{
    int ret = ssl_peek_internal(s, buf, num, readbytes);

    if (ret < 0)
        ret = 0;
    return ret;
}

int ssl_write_internal(SSL *s, const void *buf, size_t num, size_t *written)
1840
{
1841
    if (s->handshake_func == NULL) {
1842
        SSLerr(SSL_F_SSL_WRITE_INTERNAL, SSL_R_UNINITIALIZED);
1843 1844 1845 1846 1847
        return -1;
    }

    if (s->shutdown & SSL_SENT_SHUTDOWN) {
        s->rwstate = SSL_NOTHING;
1848 1849
        SSLerr(SSL_F_SSL_WRITE_INTERNAL, SSL_R_PROTOCOL_IS_SHUTDOWN);
        return -1;
1850
    }
M
Matt Caswell 已提交
1851

1852
    if (s->early_data_state == SSL_EARLY_DATA_CONNECT_RETRY
1853 1854
                || s->early_data_state == SSL_EARLY_DATA_ACCEPT_RETRY
                || s->early_data_state == SSL_EARLY_DATA_READ_RETRY) {
1855
        SSLerr(SSL_F_SSL_WRITE_INTERNAL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
1856
        return 0;
1857
    }
1858 1859
    /* If we are a client and haven't sent the Finished we better do that */
    ossl_statem_check_finish_init(s, 1);
1860

1861
    if ((s->mode & SSL_MODE_ASYNC) && ASYNC_get_current_job() == NULL) {
M
Matt Caswell 已提交
1862
        int ret;
M
Matt Caswell 已提交
1863 1864 1865 1866 1867
        struct ssl_async_args args;

        args.s = s;
        args.buf = (void *)buf;
        args.num = num;
M
Matt Caswell 已提交
1868 1869
        args.type = WRITEFUNC;
        args.f.func_write = s->method->ssl_write;
M
Matt Caswell 已提交
1870

M
Matt Caswell 已提交
1871 1872 1873
        ret = ssl_start_async_job(s, &args, ssl_io_intern);
        *written = s->asyncrw;
        return ret;
M
Matt Caswell 已提交
1874
    } else {
M
Matt Caswell 已提交
1875
        return s->method->ssl_write(s, buf, num, written);
M
Matt Caswell 已提交
1876
    }
1877
}
1878

1879 1880 1881 1882 1883 1884 1885 1886 1887 1888 1889 1890 1891 1892 1893 1894 1895 1896 1897 1898 1899 1900 1901 1902 1903 1904 1905 1906 1907 1908 1909
int SSL_write(SSL *s, const void *buf, int num)
{
    int ret;
    size_t written;

    if (num < 0) {
        SSLerr(SSL_F_SSL_WRITE, SSL_R_BAD_LENGTH);
        return -1;
    }

    ret = ssl_write_internal(s, buf, (size_t)num, &written);

    /*
     * The cast is safe here because ret should be <= INT_MAX because num is
     * <= INT_MAX
     */
    if (ret > 0)
        ret = (int)written;

    return ret;
}

int SSL_write_ex(SSL *s, const void *buf, size_t num, size_t *written)
{
    int ret = ssl_write_internal(s, buf, num, written);

    if (ret < 0)
        ret = 0;
    return ret;
}

1910
int SSL_write_early_data(SSL *s, const void *buf, size_t num, size_t *written)
1911
{
M
Matt Caswell 已提交
1912
    int ret, early_data_state;
1913 1914 1915

    switch (s->early_data_state) {
    case SSL_EARLY_DATA_NONE:
1916 1917
        if (s->server
                || !SSL_in_before(s)
1918 1919
                || ((s->session == NULL || s->session->ext.max_early_data == 0)
                     && (s->psk_use_session_cb == NULL))) {
1920 1921
            SSLerr(SSL_F_SSL_WRITE_EARLY_DATA,
                   ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
1922 1923 1924 1925 1926 1927 1928 1929 1930 1931 1932 1933 1934 1935 1936 1937 1938 1939 1940 1941
            return 0;
        }
        /* fall through */

    case SSL_EARLY_DATA_CONNECT_RETRY:
        s->early_data_state = SSL_EARLY_DATA_CONNECTING;
        ret = SSL_connect(s);
        if (ret <= 0) {
            /* NBIO or error */
            s->early_data_state = SSL_EARLY_DATA_CONNECT_RETRY;
            return 0;
        }
        /* fall through */

    case SSL_EARLY_DATA_WRITE_RETRY:
        s->early_data_state = SSL_EARLY_DATA_WRITING;
        ret = SSL_write_ex(s, buf, num, written);
        s->early_data_state = SSL_EARLY_DATA_WRITE_RETRY;
        return ret;

1942
    case SSL_EARLY_DATA_FINISHED_READING:
M
Matt Caswell 已提交
1943 1944
    case SSL_EARLY_DATA_READ_RETRY:
        early_data_state = s->early_data_state;
1945 1946 1947
        /* We are a server writing to an unauthenticated client */
        s->early_data_state = SSL_EARLY_DATA_UNAUTH_WRITING;
        ret = SSL_write_ex(s, buf, num, written);
1948
        s->early_data_state = early_data_state;
1949 1950
        return ret;

1951
    default:
1952
        SSLerr(SSL_F_SSL_WRITE_EARLY_DATA, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
1953 1954 1955 1956
        return 0;
    }
}

1957
int SSL_shutdown(SSL *s)
1958 1959 1960 1961 1962 1963 1964 1965
{
    /*
     * Note that this function behaves differently from what one might
     * expect.  Return values are 0 for no success (yet), 1 for success; but
     * calling it once is usually not enough, even if blocking I/O is used
     * (see ssl3_shutdown).
     */

1966
    if (s->handshake_func == NULL) {
1967 1968 1969 1970
        SSLerr(SSL_F_SSL_SHUTDOWN, SSL_R_UNINITIALIZED);
        return -1;
    }

1971
    if (!SSL_in_init(s)) {
1972
        if ((s->mode & SSL_MODE_ASYNC) && ASYNC_get_current_job() == NULL) {
1973
            struct ssl_async_args args;
M
Matt Caswell 已提交
1974

1975 1976 1977
            args.s = s;
            args.type = OTHERFUNC;
            args.f.func_other = s->method->ssl_shutdown;
M
Matt Caswell 已提交
1978

1979 1980 1981 1982
            return ssl_start_async_job(s, &args, ssl_io_intern);
        } else {
            return s->method->ssl_shutdown(s);
        }
M
Matt Caswell 已提交
1983
    } else {
1984 1985
        SSLerr(SSL_F_SSL_SHUTDOWN, SSL_R_SHUTDOWN_WHILE_IN_INIT);
        return -1;
M
Matt Caswell 已提交
1986
    }
1987
}
1988

1989
int SSL_key_update(SSL *s, int updatetype)
1990
{
M
Matt Caswell 已提交
1991
    /*
M
Matt Caswell 已提交
1992
     * TODO(TLS1.3): How will applications know whether TLSv1.3 has been
M
Matt Caswell 已提交
1993 1994 1995
     * negotiated, and that it is appropriate to call SSL_key_update() instead
     * of SSL_renegotiate().
     */
1996 1997 1998 1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015 2016
    if (!SSL_IS_TLS13(s)) {
        SSLerr(SSL_F_SSL_KEY_UPDATE, SSL_R_WRONG_SSL_VERSION);
        return 0;
    }

    if (updatetype != SSL_KEY_UPDATE_NOT_REQUESTED
            && updatetype != SSL_KEY_UPDATE_REQUESTED) {
        SSLerr(SSL_F_SSL_KEY_UPDATE, SSL_R_INVALID_KEY_UPDATE_TYPE);
        return 0;
    }

    if (!SSL_is_init_finished(s)) {
        SSLerr(SSL_F_SSL_KEY_UPDATE, SSL_R_STILL_IN_INIT);
        return 0;
    }

    ossl_statem_set_in_init(s, 1);
    s->key_update = updatetype;
    return 1;
}

2017
int SSL_get_key_update_type(SSL *s)
2018 2019 2020 2021
{
    return s->key_update;
}

2022
int SSL_renegotiate(SSL *s)
2023
{
2024 2025
    if (SSL_IS_TLS13(s)) {
        SSLerr(SSL_F_SSL_RENEGOTIATE, SSL_R_WRONG_SSL_VERSION);
2026
        return 0;
2027
    }
2028

T
Todd Short 已提交
2029 2030 2031 2032
    if ((s->options & SSL_OP_NO_RENEGOTIATION)) {
        SSLerr(SSL_F_SSL_RENEGOTIATE, SSL_R_NO_RENEGOTIATION);
        return 0;
    }
D
Dr. Stephen Henson 已提交
2033

T
Todd Short 已提交
2034
    s->renegotiate = 1;
2035
    s->new_session = 1;
D
Dr. Stephen Henson 已提交
2036

2037 2038
    return (s->method->ssl_renegotiate(s));
}
2039

D
Dr. Stephen Henson 已提交
2040
int SSL_renegotiate_abbreviated(SSL *s)
2041
{
T
Todd Short 已提交
2042 2043
    if (SSL_IS_TLS13(s)) {
        SSLerr(SSL_F_SSL_RENEGOTIATE_ABBREVIATED, SSL_R_WRONG_SSL_VERSION);
2044
        return 0;
T
Todd Short 已提交
2045
    }
2046

T
Todd Short 已提交
2047 2048 2049 2050
    if ((s->options & SSL_OP_NO_RENEGOTIATION)) {
        SSLerr(SSL_F_SSL_RENEGOTIATE_ABBREVIATED, SSL_R_NO_RENEGOTIATION);
        return 0;
    }
B
Bodo Möller 已提交
2051

T
Todd Short 已提交
2052
    s->renegotiate = 1;
2053
    s->new_session = 0;
B
Bodo Möller 已提交
2054

2055 2056
    return (s->method->ssl_renegotiate(s));
}
D
Dr. Stephen Henson 已提交
2057

2058
int SSL_renegotiate_pending(SSL *s)
2059 2060 2061 2062 2063 2064 2065 2066 2067 2068 2069 2070 2071 2072
{
    /*
     * becomes true when negotiation is requested; false again once a
     * handshake has finished
     */
    return (s->renegotiate != 0);
}

long SSL_ctrl(SSL *s, int cmd, long larg, void *parg)
{
    long l;

    switch (cmd) {
    case SSL_CTRL_GET_READ_AHEAD:
2073
        return (RECORD_LAYER_get_read_ahead(&s->rlayer));
2074
    case SSL_CTRL_SET_READ_AHEAD:
2075 2076
        l = RECORD_LAYER_get_read_ahead(&s->rlayer);
        RECORD_LAYER_set_read_ahead(&s->rlayer, larg);
2077 2078 2079 2080 2081 2082 2083 2084 2085 2086 2087
        return (l);

    case SSL_CTRL_SET_MSG_CALLBACK_ARG:
        s->msg_callback_arg = parg;
        return 1;

    case SSL_CTRL_MODE:
        return (s->mode |= larg);
    case SSL_CTRL_CLEAR_MODE:
        return (s->mode &= ~larg);
    case SSL_CTRL_GET_MAX_CERT_LIST:
2088
        return (long)(s->max_cert_list);
2089
    case SSL_CTRL_SET_MAX_CERT_LIST:
2090 2091 2092 2093 2094
        if (larg < 0)
            return 0;
        l = (long)s->max_cert_list;
        s->max_cert_list = (size_t)larg;
        return l;
2095 2096 2097 2098
    case SSL_CTRL_SET_MAX_SEND_FRAGMENT:
        if (larg < 512 || larg > SSL3_RT_MAX_PLAIN_LENGTH)
            return 0;
        s->max_send_fragment = larg;
2099 2100 2101 2102
        if (s->max_send_fragment < s->split_send_fragment)
            s->split_send_fragment = s->max_send_fragment;
        return 1;
    case SSL_CTRL_SET_SPLIT_SEND_FRAGMENT:
M
Matt Caswell 已提交
2103
        if ((size_t)larg > s->max_send_fragment || larg == 0)
2104 2105
            return 0;
        s->split_send_fragment = larg;
2106
        return 1;
2107 2108 2109 2110
    case SSL_CTRL_SET_MAX_PIPELINES:
        if (larg < 1 || larg > SSL_MAX_PIPELINES)
            return 0;
        s->max_pipelines = larg;
2111 2112
        if (larg > 1)
            RECORD_LAYER_set_read_ahead(&s->rlayer, 1);
2113
        return 1;
2114 2115 2116 2117 2118 2119 2120 2121 2122 2123 2124 2125
    case SSL_CTRL_GET_RI_SUPPORT:
        if (s->s3)
            return s->s3->send_connection_binding;
        else
            return 0;
    case SSL_CTRL_CERT_FLAGS:
        return (s->cert->cert_flags |= larg);
    case SSL_CTRL_CLEAR_CERT_FLAGS:
        return (s->cert->cert_flags &= ~larg);

    case SSL_CTRL_GET_RAW_CIPHERLIST:
        if (parg) {
D
Dr. Stephen Henson 已提交
2126
            if (s->s3->tmp.ciphers_raw == NULL)
2127
                return 0;
D
Dr. Stephen Henson 已提交
2128 2129
            *(unsigned char **)parg = s->s3->tmp.ciphers_raw;
            return (int)s->s3->tmp.ciphers_rawlen;
E
Emilia Kasper 已提交
2130 2131 2132
        } else {
            return TLS_CIPHER_LEN;
        }
2133
    case SSL_CTRL_GET_EXTMS_SUPPORT:
M
Matt Caswell 已提交
2134
        if (!s->session || SSL_in_init(s) || ossl_statem_get_in_handshake(s))
E
Emilia Kasper 已提交
2135
            return -1;
F
FdaSilvaYY 已提交
2136
        if (s->session->flags & SSL_SESS_FLAG_EXTMS)
2137 2138 2139
            return 1;
        else
            return 0;
2140
    case SSL_CTRL_SET_MIN_PROTO_VERSION:
2141 2142 2143
        return ssl_check_allowed_versions(larg, s->max_proto_version)
               && ssl_set_version_bound(s->ctx->method->version, (int)larg,
                                        &s->min_proto_version);
2144 2145
    case SSL_CTRL_GET_MIN_PROTO_VERSION:
        return s->min_proto_version;
2146
    case SSL_CTRL_SET_MAX_PROTO_VERSION:
2147 2148 2149
        return ssl_check_allowed_versions(s->min_proto_version, larg)
               && ssl_set_version_bound(s->ctx->method->version, (int)larg,
                                        &s->max_proto_version);
2150 2151
    case SSL_CTRL_GET_MAX_PROTO_VERSION:
        return s->max_proto_version;
2152 2153 2154 2155 2156 2157 2158 2159 2160 2161 2162 2163 2164 2165 2166 2167 2168 2169 2170
    default:
        return (s->method->ssl_ctrl(s, cmd, larg, parg));
    }
}

long SSL_callback_ctrl(SSL *s, int cmd, void (*fp) (void))
{
    switch (cmd) {
    case SSL_CTRL_SET_MSG_CALLBACK:
        s->msg_callback = (void (*)
                           (int write_p, int version, int content_type,
                            const void *buf, size_t len, SSL *ssl,
                            void *arg))(fp);
        return 1;

    default:
        return (s->method->ssl_callback_ctrl(s, cmd, fp));
    }
}
2171

B
Ben Laurie 已提交
2172
LHASH_OF(SSL_SESSION) *SSL_CTX_sessions(SSL_CTX *ctx)
2173 2174 2175 2176 2177 2178 2179 2180 2181 2182
{
    return ctx->sessions;
}

long SSL_CTX_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
{
    long l;
    /* For some cases with ctx == NULL perform syntax checks */
    if (ctx == NULL) {
        switch (cmd) {
2183
#ifndef OPENSSL_NO_EC
2184 2185
        case SSL_CTRL_SET_GROUPS_LIST:
            return tls1_set_groups_list(NULL, NULL, parg);
2186 2187 2188 2189 2190 2191 2192 2193 2194 2195 2196 2197 2198 2199 2200 2201 2202 2203 2204 2205 2206 2207
#endif
        case SSL_CTRL_SET_SIGALGS_LIST:
        case SSL_CTRL_SET_CLIENT_SIGALGS_LIST:
            return tls1_set_sigalgs_list(NULL, parg, 0);
        default:
            return 0;
        }
    }

    switch (cmd) {
    case SSL_CTRL_GET_READ_AHEAD:
        return (ctx->read_ahead);
    case SSL_CTRL_SET_READ_AHEAD:
        l = ctx->read_ahead;
        ctx->read_ahead = larg;
        return (l);

    case SSL_CTRL_SET_MSG_CALLBACK_ARG:
        ctx->msg_callback_arg = parg;
        return 1;

    case SSL_CTRL_GET_MAX_CERT_LIST:
2208
        return (long)(ctx->max_cert_list);
2209
    case SSL_CTRL_SET_MAX_CERT_LIST:
2210 2211 2212 2213 2214
        if (larg < 0)
            return 0;
        l = (long)ctx->max_cert_list;
        ctx->max_cert_list = (size_t)larg;
        return l;
2215 2216

    case SSL_CTRL_SET_SESS_CACHE_SIZE:
2217 2218 2219 2220 2221
        if (larg < 0)
            return 0;
        l = (long)ctx->session_cache_size;
        ctx->session_cache_size = (size_t)larg;
        return l;
2222
    case SSL_CTRL_GET_SESS_CACHE_SIZE:
2223
        return (long)(ctx->session_cache_size);
2224 2225 2226 2227 2228 2229 2230 2231 2232 2233 2234 2235 2236 2237 2238 2239 2240 2241 2242 2243 2244 2245 2246 2247 2248 2249 2250 2251 2252 2253 2254 2255 2256 2257 2258 2259 2260 2261 2262
    case SSL_CTRL_SET_SESS_CACHE_MODE:
        l = ctx->session_cache_mode;
        ctx->session_cache_mode = larg;
        return (l);
    case SSL_CTRL_GET_SESS_CACHE_MODE:
        return (ctx->session_cache_mode);

    case SSL_CTRL_SESS_NUMBER:
        return (lh_SSL_SESSION_num_items(ctx->sessions));
    case SSL_CTRL_SESS_CONNECT:
        return (ctx->stats.sess_connect);
    case SSL_CTRL_SESS_CONNECT_GOOD:
        return (ctx->stats.sess_connect_good);
    case SSL_CTRL_SESS_CONNECT_RENEGOTIATE:
        return (ctx->stats.sess_connect_renegotiate);
    case SSL_CTRL_SESS_ACCEPT:
        return (ctx->stats.sess_accept);
    case SSL_CTRL_SESS_ACCEPT_GOOD:
        return (ctx->stats.sess_accept_good);
    case SSL_CTRL_SESS_ACCEPT_RENEGOTIATE:
        return (ctx->stats.sess_accept_renegotiate);
    case SSL_CTRL_SESS_HIT:
        return (ctx->stats.sess_hit);
    case SSL_CTRL_SESS_CB_HIT:
        return (ctx->stats.sess_cb_hit);
    case SSL_CTRL_SESS_MISSES:
        return (ctx->stats.sess_miss);
    case SSL_CTRL_SESS_TIMEOUTS:
        return (ctx->stats.sess_timeout);
    case SSL_CTRL_SESS_CACHE_FULL:
        return (ctx->stats.sess_cache_full);
    case SSL_CTRL_MODE:
        return (ctx->mode |= larg);
    case SSL_CTRL_CLEAR_MODE:
        return (ctx->mode &= ~larg);
    case SSL_CTRL_SET_MAX_SEND_FRAGMENT:
        if (larg < 512 || larg > SSL3_RT_MAX_PLAIN_LENGTH)
            return 0;
        ctx->max_send_fragment = larg;
2263
        if (ctx->max_send_fragment < ctx->split_send_fragment)
2264
            ctx->split_send_fragment = ctx->max_send_fragment;
2265
        return 1;
2266
    case SSL_CTRL_SET_SPLIT_SEND_FRAGMENT:
M
Matt Caswell 已提交
2267
        if ((size_t)larg > ctx->max_send_fragment || larg == 0)
2268 2269 2270 2271 2272 2273 2274
            return 0;
        ctx->split_send_fragment = larg;
        return 1;
    case SSL_CTRL_SET_MAX_PIPELINES:
        if (larg < 1 || larg > SSL_MAX_PIPELINES)
            return 0;
        ctx->max_pipelines = larg;
2275
        return 1;
2276 2277 2278 2279
    case SSL_CTRL_CERT_FLAGS:
        return (ctx->cert->cert_flags |= larg);
    case SSL_CTRL_CLEAR_CERT_FLAGS:
        return (ctx->cert->cert_flags &= ~larg);
2280
    case SSL_CTRL_SET_MIN_PROTO_VERSION:
2281 2282 2283
        return ssl_check_allowed_versions(larg, ctx->max_proto_version)
               && ssl_set_version_bound(ctx->method->version, (int)larg,
                                        &ctx->min_proto_version);
2284 2285
    case SSL_CTRL_GET_MIN_PROTO_VERSION:
        return ctx->min_proto_version;
2286
    case SSL_CTRL_SET_MAX_PROTO_VERSION:
2287 2288 2289
        return ssl_check_allowed_versions(ctx->min_proto_version, larg)
               && ssl_set_version_bound(ctx->method->version, (int)larg,
                                        &ctx->max_proto_version);
2290 2291
    case SSL_CTRL_GET_MAX_PROTO_VERSION:
        return ctx->max_proto_version;
2292 2293 2294 2295 2296 2297 2298 2299 2300 2301 2302 2303 2304 2305 2306 2307 2308 2309 2310
    default:
        return (ctx->method->ssl_ctx_ctrl(ctx, cmd, larg, parg));
    }
}

long SSL_CTX_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp) (void))
{
    switch (cmd) {
    case SSL_CTRL_SET_MSG_CALLBACK:
        ctx->msg_callback = (void (*)
                             (int write_p, int version, int content_type,
                              const void *buf, size_t len, SSL *ssl,
                              void *arg))(fp);
        return 1;

    default:
        return (ctx->method->ssl_ctx_callback_ctrl(ctx, cmd, fp));
    }
}
2311

2312
int ssl_cipher_id_cmp(const SSL_CIPHER *a, const SSL_CIPHER *b)
2313
{
2314 2315 2316 2317 2318
    if (a->id > b->id)
        return 1;
    if (a->id < b->id)
        return -1;
    return 0;
2319 2320 2321 2322 2323
}

int ssl_cipher_ptr_id_cmp(const SSL_CIPHER *const *ap,
                          const SSL_CIPHER *const *bp)
{
2324 2325 2326 2327 2328
    if ((*ap)->id > (*bp)->id)
        return 1;
    if ((*ap)->id < (*bp)->id)
        return -1;
    return 0;
2329
}
2330

2331
/** return a STACK of the ciphers available for the SSL and in order of
2332
 * preference */
B
Ben Laurie 已提交
2333
STACK_OF(SSL_CIPHER) *SSL_get_ciphers(const SSL *s)
2334 2335 2336 2337 2338 2339 2340 2341 2342 2343 2344
{
    if (s != NULL) {
        if (s->cipher_list != NULL) {
            return (s->cipher_list);
        } else if ((s->ctx != NULL) && (s->ctx->cipher_list != NULL)) {
            return (s->ctx->cipher_list);
        }
    }
    return (NULL);
}

2345 2346 2347 2348 2349 2350 2351
STACK_OF(SSL_CIPHER) *SSL_get_client_ciphers(const SSL *s)
{
    if ((s == NULL) || (s->session == NULL) || !s->server)
        return NULL;
    return s->session->ciphers;
}

2352
STACK_OF(SSL_CIPHER) *SSL_get1_supported_ciphers(SSL *s)
2353 2354 2355 2356 2357 2358 2359 2360 2361
{
    STACK_OF(SSL_CIPHER) *sk = NULL, *ciphers;
    int i;
    ciphers = SSL_get_ciphers(s);
    if (!ciphers)
        return NULL;
    ssl_set_client_disabled(s);
    for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) {
        const SSL_CIPHER *c = sk_SSL_CIPHER_value(ciphers, i);
2362
        if (!ssl_cipher_disabled(s, c, SSL_SECOP_CIPHER_SUPPORTED, 0)) {
2363 2364 2365 2366 2367 2368 2369 2370 2371 2372 2373 2374
            if (!sk)
                sk = sk_SSL_CIPHER_new_null();
            if (!sk)
                return NULL;
            if (!sk_SSL_CIPHER_push(sk, c)) {
                sk_SSL_CIPHER_free(sk);
                return NULL;
            }
        }
    }
    return sk;
}
2375

2376
/** return a STACK of the ciphers available for the SSL and in order of
2377
 * algorithm id */
B
Ben Laurie 已提交
2378
STACK_OF(SSL_CIPHER) *ssl_get_ciphers_by_id(SSL *s)
2379 2380 2381 2382 2383 2384 2385 2386 2387 2388
{
    if (s != NULL) {
        if (s->cipher_list_by_id != NULL) {
            return (s->cipher_list_by_id);
        } else if ((s->ctx != NULL) && (s->ctx->cipher_list_by_id != NULL)) {
            return (s->ctx->cipher_list_by_id);
        }
    }
    return (NULL);
}
2389

2390
/** The old interface to get the same thing as SSL_get_ciphers() */
2391 2392
const char *SSL_get_cipher_list(const SSL *s, int n)
{
2393
    const SSL_CIPHER *c;
2394 2395 2396 2397 2398 2399 2400 2401 2402 2403 2404 2405
    STACK_OF(SSL_CIPHER) *sk;

    if (s == NULL)
        return (NULL);
    sk = SSL_get_ciphers(s);
    if ((sk == NULL) || (sk_SSL_CIPHER_num(sk) <= n))
        return (NULL);
    c = sk_SSL_CIPHER_value(sk, n);
    if (c == NULL)
        return (NULL);
    return (c->name);
}
2406

K
Kazuki Yamaguchi 已提交
2407 2408 2409 2410 2411 2412 2413 2414 2415
/** return a STACK of the ciphers available for the SSL_CTX and in order of
 * preference */
STACK_OF(SSL_CIPHER) *SSL_CTX_get_ciphers(const SSL_CTX *ctx)
{
    if (ctx != NULL)
        return ctx->cipher_list;
    return NULL;
}

2416
/** specify the ciphers to be used by default by the SSL_CTX */
2417
int SSL_CTX_set_cipher_list(SSL_CTX *ctx, const char *str)
2418 2419 2420 2421 2422 2423 2424 2425 2426 2427 2428 2429 2430 2431 2432 2433 2434 2435 2436 2437
{
    STACK_OF(SSL_CIPHER) *sk;

    sk = ssl_create_cipher_list(ctx->method, &ctx->cipher_list,
                                &ctx->cipher_list_by_id, str, ctx->cert);
    /*
     * ssl_create_cipher_list may return an empty stack if it was unable to
     * find a cipher matching the given rule string (for example if the rule
     * string specifies a cipher which has been disabled). This is not an
     * error as far as ssl_create_cipher_list is concerned, and hence
     * ctx->cipher_list and ctx->cipher_list_by_id has been updated.
     */
    if (sk == NULL)
        return 0;
    else if (sk_SSL_CIPHER_num(sk) == 0) {
        SSLerr(SSL_F_SSL_CTX_SET_CIPHER_LIST, SSL_R_NO_CIPHER_MATCH);
        return 0;
    }
    return 1;
}
2438

2439
/** specify the ciphers to be used by the SSL */
2440 2441 2442 2443 2444 2445 2446 2447 2448 2449 2450 2451 2452 2453 2454
int SSL_set_cipher_list(SSL *s, const char *str)
{
    STACK_OF(SSL_CIPHER) *sk;

    sk = ssl_create_cipher_list(s->ctx->method, &s->cipher_list,
                                &s->cipher_list_by_id, str, s->cert);
    /* see comment in SSL_CTX_set_cipher_list */
    if (sk == NULL)
        return 0;
    else if (sk_SSL_CIPHER_num(sk) == 0) {
        SSLerr(SSL_F_SSL_SET_CIPHER_LIST, SSL_R_NO_CIPHER_MATCH);
        return 0;
    }
    return 1;
}
2455

2456 2457 2458 2459
char *SSL_get_shared_ciphers(const SSL *s, char *buf, int len)
{
    char *p;
    STACK_OF(SSL_CIPHER) *sk;
2460
    const SSL_CIPHER *c;
2461 2462 2463 2464 2465 2466 2467 2468 2469 2470 2471 2472 2473 2474 2475 2476 2477 2478 2479 2480 2481 2482
    int i;

    if ((s->session == NULL) || (s->session->ciphers == NULL) || (len < 2))
        return (NULL);

    p = buf;
    sk = s->session->ciphers;

    if (sk_SSL_CIPHER_num(sk) == 0)
        return NULL;

    for (i = 0; i < sk_SSL_CIPHER_num(sk); i++) {
        int n;

        c = sk_SSL_CIPHER_value(sk, i);
        n = strlen(c->name);
        if (n + 1 > len) {
            if (p != buf)
                --p;
            *p = '\0';
            return buf;
        }
2483
        strcpy(p, c->name);
2484 2485 2486 2487 2488 2489 2490 2491
        p += n;
        *(p++) = ':';
        len -= n + 1;
    }
    p[-1] = '\0';
    return (buf);
}

2492
/** return a servername extension value if provided in Client Hello, or NULL.
2493
 * So far, only host_name types are defined (RFC 3546).
2494 2495
 */

2496
const char *SSL_get_servername(const SSL *s, const int type)
2497 2498 2499
{
    if (type != TLSEXT_NAMETYPE_host_name)
        return NULL;
B
Bodo Möller 已提交
2500

R
Rich Salz 已提交
2501 2502
    return s->session && !s->ext.hostname ?
        s->session->ext.hostname : s->ext.hostname;
2503
}
2504

2505
int SSL_get_servername_type(const SSL *s)
2506 2507
{
    if (s->session
R
Rich Salz 已提交
2508 2509
        && (!s->ext.hostname ? s->session->
            ext.hostname : s->ext.hostname))
2510 2511 2512
        return TLSEXT_NAMETYPE_host_name;
    return -1;
}
B
Ben Laurie 已提交
2513

2514 2515
/*
 * SSL_select_next_proto implements the standard protocol selection. It is
B
Ben Laurie 已提交
2516
 * expected that this function is called from the callback set by
2517 2518 2519 2520 2521 2522 2523 2524
 * SSL_CTX_set_next_proto_select_cb. The protocol data is assumed to be a
 * vector of 8-bit, length prefixed byte strings. The length byte itself is
 * not included in the length. A byte string of length 0 is invalid. No byte
 * string may be truncated. The current, but experimental algorithm for
 * selecting the protocol is: 1) If the server doesn't support NPN then this
 * is indicated to the callback. In this case, the client application has to
 * abort the connection or have a default application level protocol. 2) If
 * the server supports NPN, but advertises an empty list then the client
F
FdaSilvaYY 已提交
2525
 * selects the first protocol in its list, but indicates via the API that this
2526 2527 2528 2529 2530 2531 2532
 * fallback case was enacted. 3) Otherwise, the client finds the first
 * protocol in the server's list that it supports and selects this protocol.
 * This is because it's assumed that the server has better information about
 * which protocol a client should use. 4) If the client doesn't support any
 * of the server's advertised protocols, then this is treated the same as
 * case 2. It returns either OPENSSL_NPN_NEGOTIATED if a common protocol was
 * found, or OPENSSL_NPN_NO_OVERLAP if the fallback case was reached.
B
Ben Laurie 已提交
2533
 */
2534 2535 2536
int SSL_select_next_proto(unsigned char **out, unsigned char *outlen,
                          const unsigned char *server,
                          unsigned int server_len,
E
Emilia Kasper 已提交
2537
                          const unsigned char *client, unsigned int client_len)
2538 2539 2540 2541 2542 2543 2544 2545 2546 2547 2548 2549 2550 2551 2552 2553 2554 2555 2556 2557 2558 2559 2560 2561 2562 2563 2564 2565 2566 2567 2568 2569 2570
{
    unsigned int i, j;
    const unsigned char *result;
    int status = OPENSSL_NPN_UNSUPPORTED;

    /*
     * For each protocol in server preference order, see if we support it.
     */
    for (i = 0; i < server_len;) {
        for (j = 0; j < client_len;) {
            if (server[i] == client[j] &&
                memcmp(&server[i + 1], &client[j + 1], server[i]) == 0) {
                /* We found a match */
                result = &server[i];
                status = OPENSSL_NPN_NEGOTIATED;
                goto found;
            }
            j += client[j];
            j++;
        }
        i += server[i];
        i++;
    }

    /* There's no overlap between our protocols and the server's list. */
    result = client;
    status = OPENSSL_NPN_NO_OVERLAP;

 found:
    *out = (unsigned char *)result + 1;
    *outlen = result[0];
    return status;
}
B
Ben Laurie 已提交
2571

2572
#ifndef OPENSSL_NO_NEXTPROTONEG
2573 2574 2575 2576 2577 2578
/*
 * SSL_get0_next_proto_negotiated sets *data and *len to point to the
 * client's requested protocol for this connection and returns 0. If the
 * client didn't request any protocol, then *data is set to NULL. Note that
 * the client can request any protocol it chooses. The value returned from
 * this function need not be a member of the list of supported protocols
B
Ben Laurie 已提交
2579 2580
 * provided by the callback.
 */
2581 2582 2583
void SSL_get0_next_proto_negotiated(const SSL *s, const unsigned char **data,
                                    unsigned *len)
{
R
Rich Salz 已提交
2584
    *data = s->ext.npn;
2585 2586 2587
    if (!*data) {
        *len = 0;
    } else {
R
Rich Salz 已提交
2588
        *len = (unsigned int)s->ext.npn_len;
2589 2590 2591 2592
    }
}

/*
R
Rich Salz 已提交
2593
 * SSL_CTX_set_npn_advertised_cb sets a callback that is called when
2594 2595 2596 2597 2598 2599 2600 2601
 * a TLS server needs a list of supported protocols for Next Protocol
 * Negotiation. The returned list must be in wire format.  The list is
 * returned by setting |out| to point to it and |outlen| to its length. This
 * memory will not be modified, but one should assume that the SSL* keeps a
 * reference to it. The callback should return SSL_TLSEXT_ERR_OK if it
 * wishes to advertise. Otherwise, no such extension will be included in the
 * ServerHello.
 */
R
Rich Salz 已提交
2602
void SSL_CTX_set_npn_advertised_cb(SSL_CTX *ctx,
2603
                                   SSL_CTX_npn_advertised_cb_func cb,
R
Rich Salz 已提交
2604
                                   void *arg)
2605
{
R
Rich Salz 已提交
2606 2607
    ctx->ext.npn_advertised_cb = cb;
    ctx->ext.npn_advertised_cb_arg = arg;
2608 2609 2610 2611
}

/*
 * SSL_CTX_set_next_proto_select_cb sets a callback that is called when a
B
Ben Laurie 已提交
2612 2613
 * client needs to select a protocol from the server's provided list. |out|
 * must be set to point to the selected protocol (which may be within |in|).
2614 2615 2616 2617 2618
 * The length of the protocol name must be written into |outlen|. The
 * server's advertised protocols are provided in |in| and |inlen|. The
 * callback can assume that |in| is syntactically valid. The client must
 * select a protocol. It is fatal to the connection if this callback returns
 * a value other than SSL_TLSEXT_ERR_OK.
B
Ben Laurie 已提交
2619
 */
R
Rich Salz 已提交
2620
void SSL_CTX_set_npn_select_cb(SSL_CTX *ctx,
2621
                               SSL_CTX_npn_select_cb_func cb,
R
Rich Salz 已提交
2622
                               void *arg)
2623
{
R
Rich Salz 已提交
2624 2625
    ctx->ext.npn_select_cb = cb;
    ctx->ext.npn_select_cb_arg = arg;
2626
}
2627
#endif
2628

2629 2630
/*
 * SSL_CTX_set_alpn_protos sets the ALPN protocol list on |ctx| to |protos|.
A
Adam Langley 已提交
2631
 * |protos| must be in wire-format (i.e. a series of non-empty, 8-bit
2632 2633 2634
 * length-prefixed strings). Returns 0 on success.
 */
int SSL_CTX_set_alpn_protos(SSL_CTX *ctx, const unsigned char *protos,
T
Todd Short 已提交
2635
                            unsigned int protos_len)
2636
{
R
Rich Salz 已提交
2637 2638 2639
    OPENSSL_free(ctx->ext.alpn);
    ctx->ext.alpn = OPENSSL_memdup(protos, protos_len);
    if (ctx->ext.alpn == NULL) {
2640
        SSLerr(SSL_F_SSL_CTX_SET_ALPN_PROTOS, ERR_R_MALLOC_FAILURE);
2641
        return 1;
2642
    }
R
Rich Salz 已提交
2643
    ctx->ext.alpn_len = protos_len;
2644 2645 2646 2647 2648 2649

    return 0;
}

/*
 * SSL_set_alpn_protos sets the ALPN protocol list on |ssl| to |protos|.
A
Adam Langley 已提交
2650
 * |protos| must be in wire-format (i.e. a series of non-empty, 8-bit
2651 2652 2653
 * length-prefixed strings). Returns 0 on success.
 */
int SSL_set_alpn_protos(SSL *ssl, const unsigned char *protos,
T
Todd Short 已提交
2654
                        unsigned int protos_len)
2655
{
R
Rich Salz 已提交
2656 2657 2658
    OPENSSL_free(ssl->ext.alpn);
    ssl->ext.alpn = OPENSSL_memdup(protos, protos_len);
    if (ssl->ext.alpn == NULL) {
2659
        SSLerr(SSL_F_SSL_SET_ALPN_PROTOS, ERR_R_MALLOC_FAILURE);
2660
        return 1;
2661
    }
R
Rich Salz 已提交
2662
    ssl->ext.alpn_len = protos_len;
2663 2664 2665 2666 2667 2668 2669 2670 2671 2672

    return 0;
}

/*
 * SSL_CTX_set_alpn_select_cb sets a callback function on |ctx| that is
 * called during ClientHello processing in order to select an ALPN protocol
 * from the client's list of offered protocols.
 */
void SSL_CTX_set_alpn_select_cb(SSL_CTX *ctx,
2673 2674
                                SSL_CTX_alpn_select_cb_func cb,
                                void *arg)
2675
{
R
Rich Salz 已提交
2676 2677
    ctx->ext.alpn_select_cb = cb;
    ctx->ext.alpn_select_cb_arg = arg;
2678 2679 2680
}

/*
F
FdaSilvaYY 已提交
2681 2682
 * SSL_get0_alpn_selected gets the selected ALPN protocol (if any) from |ssl|.
 * On return it sets |*data| to point to |*len| bytes of protocol name
2683 2684 2685
 * (not including the leading length-prefix byte). If the server didn't
 * respond with a negotiated protocol then |*len| will be zero.
 */
A
Adam Langley 已提交
2686
void SSL_get0_alpn_selected(const SSL *ssl, const unsigned char **data,
T
Todd Short 已提交
2687
                            unsigned int *len)
2688 2689 2690 2691 2692 2693 2694
{
    *data = NULL;
    if (ssl->s3)
        *data = ssl->s3->alpn_selected;
    if (*data == NULL)
        *len = 0;
    else
2695
        *len = (unsigned int)ssl->s3->alpn_selected_len;
2696 2697
}

2698
int SSL_export_keying_material(SSL *s, unsigned char *out, size_t olen,
2699
                               const char *label, size_t llen,
2700
                               const unsigned char *context, size_t contextlen,
2701 2702
                               int use_context)
{
2703
    if (s->version < TLS1_VERSION && s->version != DTLS1_BAD_VER)
2704
        return -1;
B
Ben Laurie 已提交
2705

2706
    return s->method->ssl3_enc->export_keying_material(s, out, olen, label,
2707 2708
                                                       llen, context,
                                                       contextlen, use_context);
2709
}
B
Ben Laurie 已提交
2710

B
Ben Laurie 已提交
2711
static unsigned long ssl_session_hash(const SSL_SESSION *a)
2712
{
2713
    const unsigned char *session_id = a->session_id;
2714
    unsigned long l;
2715 2716 2717 2718 2719 2720 2721
    unsigned char tmp_storage[4];

    if (a->session_id_length < sizeof(tmp_storage)) {
        memset(tmp_storage, 0, sizeof(tmp_storage));
        memcpy(tmp_storage, a->session_id, a->session_id_length);
        session_id = tmp_storage;
    }
2722 2723

    l = (unsigned long)
2724 2725 2726 2727
        ((unsigned long)session_id[0]) |
        ((unsigned long)session_id[1] << 8L) |
        ((unsigned long)session_id[2] << 16L) |
        ((unsigned long)session_id[3] << 24L);
2728 2729 2730 2731 2732
    return (l);
}

/*
 * NB: If this function (or indeed the hash function which uses a sort of
2733
 * coarser function than this one) is changed, ensure
2734 2735 2736 2737 2738 2739 2740 2741 2742 2743 2744 2745 2746 2747 2748
 * SSL_CTX_has_matching_session_id() is checked accordingly. It relies on
 * being able to construct an SSL_SESSION that will collide with any existing
 * session with a matching session ID.
 */
static int ssl_session_cmp(const SSL_SESSION *a, const SSL_SESSION *b)
{
    if (a->ssl_version != b->ssl_version)
        return (1);
    if (a->session_id_length != b->session_id_length)
        return (1);
    return (memcmp(a->session_id, b->session_id, a->session_id_length));
}

/*
 * These wrapper functions should remain rather than redeclaring
2749
 * SSL_SESSION_hash and SSL_SESSION_cmp for void* types and casting each
2750 2751 2752
 * variable. The reason is that the functions aren't static, they're exposed
 * via ssl.h.
 */
2753

2754
SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth)
2755 2756 2757 2758 2759 2760 2761 2762
{
    SSL_CTX *ret = NULL;

    if (meth == NULL) {
        SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_NULL_SSL_METHOD_PASSED);
        return (NULL);
    }

2763 2764
    if (!OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS, NULL))
        return NULL;
M
Matt Caswell 已提交
2765

2766 2767 2768 2769
    if (SSL_get_ex_data_X509_STORE_CTX_idx() < 0) {
        SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_X509_VERIFICATION_SETUP_PROBLEMS);
        goto err;
    }
R
Rich Salz 已提交
2770
    ret = OPENSSL_zalloc(sizeof(*ret));
2771 2772 2773 2774
    if (ret == NULL)
        goto err;

    ret->method = meth;
2775 2776
    ret->min_proto_version = 0;
    ret->max_proto_version = 0;
2777 2778
    ret->session_cache_mode = SSL_SESS_CACHE_SERVER;
    ret->session_cache_size = SSL_SESSION_CACHE_MAX_SIZE_DEFAULT;
R
Rich Salz 已提交
2779
    /* We take the system default. */
2780 2781
    ret->session_timeout = meth->get_timeout();
    ret->references = 1;
2782 2783 2784 2785 2786 2787
    ret->lock = CRYPTO_THREAD_lock_new();
    if (ret->lock == NULL) {
        SSLerr(SSL_F_SSL_CTX_NEW, ERR_R_MALLOC_FAILURE);
        OPENSSL_free(ret);
        return NULL;
    }
2788 2789 2790 2791 2792
    ret->max_cert_list = SSL_MAX_CERT_LIST_DEFAULT;
    ret->verify_mode = SSL_VERIFY_NONE;
    if ((ret->cert = ssl_cert_new()) == NULL)
        goto err;

D
Dr. Stephen Henson 已提交
2793
    ret->sessions = lh_SSL_SESSION_new(ssl_session_hash, ssl_session_cmp);
2794 2795 2796 2797 2798
    if (ret->sessions == NULL)
        goto err;
    ret->cert_store = X509_STORE_new();
    if (ret->cert_store == NULL)
        goto err;
2799 2800 2801 2802 2803
#ifndef OPENSSL_NO_CT
    ret->ctlog_store = CTLOG_STORE_new();
    if (ret->ctlog_store == NULL)
        goto err;
#endif
V
Viktor Dukhovni 已提交
2804
    if (!ssl_create_cipher_list(ret->method,
E
Emilia Kasper 已提交
2805 2806 2807
                                &ret->cipher_list, &ret->cipher_list_by_id,
                                SSL_DEFAULT_CIPHER_LIST, ret->cert)
        || sk_SSL_CIPHER_num(ret->cipher_list) <= 0) {
2808 2809 2810 2811 2812
        SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_LIBRARY_HAS_NO_CIPHERS);
        goto err2;
    }

    ret->param = X509_VERIFY_PARAM_new();
2813
    if (ret->param == NULL)
2814 2815 2816 2817 2818 2819 2820 2821 2822 2823 2824
        goto err;

    if ((ret->md5 = EVP_get_digestbyname("ssl3-md5")) == NULL) {
        SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES);
        goto err2;
    }
    if ((ret->sha1 = EVP_get_digestbyname("ssl3-sha1")) == NULL) {
        SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES);
        goto err2;
    }

2825
    if ((ret->ca_names = sk_X509_NAME_new_null()) == NULL)
2826 2827
        goto err;

2828 2829
    if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL_CTX, ret, &ret->ex_data))
        goto err;
2830 2831 2832 2833 2834 2835

    /* No compression for DTLS */
    if (!(meth->ssl3_enc->enc_flags & SSL_ENC_FLAG_DTLS))
        ret->comp_methods = SSL_COMP_get_compression_methods();

    ret->max_send_fragment = SSL3_RT_MAX_PLAIN_LENGTH;
2836
    ret->split_send_fragment = SSL3_RT_MAX_PLAIN_LENGTH;
2837

2838
    /* Setup RFC5077 ticket keys */
R
Rich Salz 已提交
2839 2840 2841 2842 2843 2844
    if ((RAND_bytes(ret->ext.tick_key_name,
                    sizeof(ret->ext.tick_key_name)) <= 0)
        || (RAND_bytes(ret->ext.tick_hmac_key,
                       sizeof(ret->ext.tick_hmac_key)) <= 0)
        || (RAND_bytes(ret->ext.tick_aes_key,
                       sizeof(ret->ext.tick_aes_key)) <= 0))
2845
        ret->options |= SSL_OP_NO_TICKET;
2846

B
Ben Laurie 已提交
2847
#ifndef OPENSSL_NO_SRP
V
Viktor Dukhovni 已提交
2848
    if (!SSL_CTX_SRP_CTX_init(ret))
M
Matt Caswell 已提交
2849
        goto err;
B
Ben Laurie 已提交
2850
#endif
2851
#ifndef OPENSSL_NO_ENGINE
2852 2853 2854 2855 2856 2857 2858 2859 2860 2861 2862 2863 2864 2865 2866 2867 2868 2869 2870 2871 2872 2873
# ifdef OPENSSL_SSL_CLIENT_ENGINE_AUTO
#  define eng_strx(x)     #x
#  define eng_str(x)      eng_strx(x)
    /* Use specific client engine automatically... ignore errors */
    {
        ENGINE *eng;
        eng = ENGINE_by_id(eng_str(OPENSSL_SSL_CLIENT_ENGINE_AUTO));
        if (!eng) {
            ERR_clear_error();
            ENGINE_load_builtin_engines();
            eng = ENGINE_by_id(eng_str(OPENSSL_SSL_CLIENT_ENGINE_AUTO));
        }
        if (!eng || !SSL_CTX_set_client_cert_engine(ret, eng))
            ERR_clear_error();
    }
# endif
#endif
    /*
     * Default is to connect to non-RI servers. When RI is more widely
     * deployed might change this.
     */
    ret->options |= SSL_OP_LEGACY_SERVER_CONNECT;
E
Emilia Kasper 已提交
2874 2875 2876 2877 2878 2879 2880
    /*
     * Disable compression by default to prevent CRIME. Applications can
     * re-enable compression by configuring
     * SSL_CTX_clear_options(ctx, SSL_OP_NO_COMPRESSION);
     * or by using the SSL_CONF library.
     */
    ret->options |= SSL_OP_NO_COMPRESSION;
2881

R
Rich Salz 已提交
2882
    ret->ext.status_type = TLSEXT_STATUSTYPE_nothing;
2883

2884 2885 2886 2887 2888 2889
    /*
     * Default max early data is a fully loaded single record. Could be split
     * across multiple records in practice
     */
    ret->max_early_data = SSL3_RT_MAX_PLAIN_LENGTH;

2890
    return ret;
2891 2892 2893
 err:
    SSLerr(SSL_F_SSL_CTX_NEW, ERR_R_MALLOC_FAILURE);
 err2:
R
Rich Salz 已提交
2894
    SSL_CTX_free(ret);
2895
    return NULL;
2896
}
2897

2898
int SSL_CTX_up_ref(SSL_CTX *ctx)
2899
{
2900
    int i;
2901

2902
    if (CRYPTO_UP_REF(&ctx->references, &i, ctx->lock) <= 0)
2903 2904 2905 2906 2907
        return 0;

    REF_PRINT_COUNT("SSL_CTX", ctx);
    REF_ASSERT_ISNT(i < 2);
    return ((i > 1) ? 1 : 0);
2908 2909
}

2910
void SSL_CTX_free(SSL_CTX *a)
2911 2912
{
    int i;
2913

2914 2915
    if (a == NULL)
        return;
2916

2917
    CRYPTO_DOWN_REF(&a->references, &i, a->lock);
R
Rich Salz 已提交
2918
    REF_PRINT_COUNT("SSL_CTX", a);
2919 2920
    if (i > 0)
        return;
R
Rich Salz 已提交
2921
    REF_ASSERT_ISNT(i < 0);
2922

R
Rich Salz 已提交
2923
    X509_VERIFY_PARAM_free(a->param);
2924
    dane_ctx_final(&a->dane);
2925 2926 2927 2928 2929 2930 2931 2932 2933 2934 2935 2936 2937 2938

    /*
     * Free internal session cache. However: the remove_cb() may reference
     * the ex_data of SSL_CTX, thus the ex_data store can only be removed
     * after the sessions were flushed.
     * As the ex_data handling routines might also touch the session cache,
     * the most secure solution seems to be: empty (flush) the cache, then
     * free ex_data, then finally free the cache.
     * (See ticket [openssl.org #212].)
     */
    if (a->sessions != NULL)
        SSL_CTX_flush_sessions(a, 0);

    CRYPTO_free_ex_data(CRYPTO_EX_INDEX_SSL_CTX, a, &a->ex_data);
R
Rich Salz 已提交
2939
    lh_SSL_SESSION_free(a->sessions);
R
Rich Salz 已提交
2940
    X509_STORE_free(a->cert_store);
2941 2942 2943
#ifndef OPENSSL_NO_CT
    CTLOG_STORE_free(a->ctlog_store);
#endif
R
Rich Salz 已提交
2944 2945
    sk_SSL_CIPHER_free(a->cipher_list);
    sk_SSL_CIPHER_free(a->cipher_list_by_id);
R
Rich Salz 已提交
2946
    ssl_cert_free(a->cert);
2947
    sk_X509_NAME_pop_free(a->ca_names, X509_NAME_free);
R
Rich Salz 已提交
2948
    sk_X509_pop_free(a->extra_certs, X509_free);
2949
    a->comp_methods = NULL;
P
Piotr Sikora 已提交
2950
#ifndef OPENSSL_NO_SRTP
R
Rich Salz 已提交
2951
    sk_SRTP_PROTECTION_PROFILE_free(a->srtp_profiles);
P
Piotr Sikora 已提交
2952
#endif
B
Ben Laurie 已提交
2953
#ifndef OPENSSL_NO_SRP
2954
    SSL_CTX_SRP_CTX_free(a);
B
Ben Laurie 已提交
2955
#endif
2956
#ifndef OPENSSL_NO_ENGINE
R
Rich Salz 已提交
2957
    ENGINE_finish(a->client_cert_engine);
2958
#endif
B
Ben Laurie 已提交
2959

2960
#ifndef OPENSSL_NO_EC
R
Rich Salz 已提交
2961 2962
    OPENSSL_free(a->ext.ecpointformats);
    OPENSSL_free(a->ext.supportedgroups);
B
Ben Laurie 已提交
2963
#endif
R
Rich Salz 已提交
2964
    OPENSSL_free(a->ext.alpn);
B
Ben Laurie 已提交
2965

2966 2967
    CRYPTO_THREAD_lock_free(a->lock);

2968 2969
    OPENSSL_free(a);
}
2970

2971
void SSL_CTX_set_default_passwd_cb(SSL_CTX *ctx, pem_password_cb *cb)
2972 2973 2974 2975 2976 2977 2978 2979 2980
{
    ctx->default_passwd_callback = cb;
}

void SSL_CTX_set_default_passwd_cb_userdata(SSL_CTX *ctx, void *u)
{
    ctx->default_passwd_callback_userdata = u;
}

2981 2982 2983 2984 2985 2986 2987 2988 2989 2990
pem_password_cb *SSL_CTX_get_default_passwd_cb(SSL_CTX *ctx)
{
    return ctx->default_passwd_callback;
}

void *SSL_CTX_get_default_passwd_cb_userdata(SSL_CTX *ctx)
{
    return ctx->default_passwd_callback_userdata;
}

M
Matt Caswell 已提交
2991 2992 2993 2994 2995 2996 2997 2998 2999 3000
void SSL_set_default_passwd_cb(SSL *s, pem_password_cb *cb)
{
    s->default_passwd_callback = cb;
}

void SSL_set_default_passwd_cb_userdata(SSL *s, void *u)
{
    s->default_passwd_callback_userdata = u;
}

3001 3002 3003 3004 3005 3006 3007 3008 3009 3010
pem_password_cb *SSL_get_default_passwd_cb(SSL *s)
{
    return s->default_passwd_callback;
}

void *SSL_get_default_passwd_cb_userdata(SSL *s)
{
    return s->default_passwd_callback_userdata;
}

3011 3012 3013 3014 3015 3016 3017 3018 3019 3020 3021 3022 3023 3024 3025 3026 3027 3028 3029 3030
void SSL_CTX_set_cert_verify_callback(SSL_CTX *ctx,
                                      int (*cb) (X509_STORE_CTX *, void *),
                                      void *arg)
{
    ctx->app_verify_callback = cb;
    ctx->app_verify_arg = arg;
}

void SSL_CTX_set_verify(SSL_CTX *ctx, int mode,
                        int (*cb) (int, X509_STORE_CTX *))
{
    ctx->verify_mode = mode;
    ctx->default_verify_callback = cb;
}

void SSL_CTX_set_verify_depth(SSL_CTX *ctx, int depth)
{
    X509_VERIFY_PARAM_set_depth(ctx->param, depth);
}

E
Emilia Kasper 已提交
3031
void SSL_CTX_set_cert_cb(SSL_CTX *c, int (*cb) (SSL *ssl, void *arg), void *arg)
3032 3033 3034 3035 3036 3037 3038 3039
{
    ssl_cert_set_cert_cb(c->cert, cb, arg);
}

void SSL_set_cert_cb(SSL *s, int (*cb) (SSL *ssl, void *arg), void *arg)
{
    ssl_cert_set_cert_cb(s->cert, cb, arg);
}
3040

3041
void ssl_set_masks(SSL *s)
3042
{
3043
    CERT *c = s->cert;
3044
    uint32_t *pvalid = s->s3->tmp.valid_flags;
D
Dr. Stephen Henson 已提交
3045
    int rsa_enc, rsa_sign, dh_tmp, dsa_sign;
3046
    unsigned long mask_k, mask_a;
3047
#ifndef OPENSSL_NO_EC
3048
    int have_ecc_cert, ecdsa_ok;
3049
#endif
3050 3051
    if (c == NULL)
        return;
3052

3053
#ifndef OPENSSL_NO_DH
3054
    dh_tmp = (c->dh_tmp != NULL || c->dh_tmp_cb != NULL || c->dh_tmp_auto);
3055
#else
3056
    dh_tmp = 0;
3057 3058
#endif

3059
    rsa_enc = pvalid[SSL_PKEY_RSA] & CERT_PKEY_VALID;
3060 3061
    rsa_sign = pvalid[SSL_PKEY_RSA] & CERT_PKEY_VALID;
    dsa_sign = pvalid[SSL_PKEY_DSA_SIGN] & CERT_PKEY_VALID;
3062
#ifndef OPENSSL_NO_EC
3063
    have_ecc_cert = pvalid[SSL_PKEY_ECC] & CERT_PKEY_VALID;
3064
#endif
3065 3066
    mask_k = 0;
    mask_a = 0;
3067

3068
#ifdef CIPHER_DEBUG
3069 3070
    fprintf(stderr, "dht=%d re=%d rs=%d ds=%d\n",
            dh_tmp, rsa_enc, rsa_sign, dsa_sign);
3071 3072
#endif

M
Matt Caswell 已提交
3073
#ifndef OPENSSL_NO_GOST
D
Dr. Stephen Henson 已提交
3074
    if (ssl_has_cert(s, SSL_PKEY_GOST12_512)) {
3075 3076 3077
        mask_k |= SSL_kGOST;
        mask_a |= SSL_aGOST12;
    }
D
Dr. Stephen Henson 已提交
3078
    if (ssl_has_cert(s, SSL_PKEY_GOST12_256)) {
3079 3080 3081
        mask_k |= SSL_kGOST;
        mask_a |= SSL_aGOST12;
    }
D
Dr. Stephen Henson 已提交
3082
    if (ssl_has_cert(s, SSL_PKEY_GOST01)) {
3083 3084 3085
        mask_k |= SSL_kGOST;
        mask_a |= SSL_aGOST01;
    }
M
Matt Caswell 已提交
3086
#endif
3087

3088
    if (rsa_enc)
3089
        mask_k |= SSL_kRSA;
3090

3091 3092
    if (dh_tmp)
        mask_k |= SSL_kDHE;
3093

3094 3095 3096 3097 3098 3099 3100 3101
    /*
     * If we only have an RSA-PSS certificate allow RSA authentication
     * if TLS 1.2 and peer supports it.
     */

    if (rsa_enc || rsa_sign || (ssl_has_cert(s, SSL_PKEY_RSA_PSS_SIGN)
                && pvalid[SSL_PKEY_RSA_PSS_SIGN] & CERT_PKEY_EXPLICIT_SIGN
                && TLS1_get_version(s) == TLS1_2_VERSION))
3102
        mask_a |= SSL_aRSA;
3103

3104 3105 3106
    if (dsa_sign) {
        mask_a |= SSL_aDSS;
    }
3107

3108
    mask_a |= SSL_aNULL;
3109

3110 3111 3112 3113
    /*
     * An ECC certificate may be usable for ECDH and/or ECDSA cipher suites
     * depending on the key usage extension.
     */
3114
#ifndef OPENSSL_NO_EC
3115
    if (have_ecc_cert) {
3116
        uint32_t ex_kusage;
D
Dr. Stephen Henson 已提交
3117
        ex_kusage = X509_get_key_usage(c->pkeys[SSL_PKEY_ECC].x509);
3118
        ecdsa_ok = ex_kusage & X509v3_KU_DIGITAL_SIGNATURE;
3119
        if (!(pvalid[SSL_PKEY_ECC] & CERT_PKEY_SIGN))
3120
            ecdsa_ok = 0;
D
Dr. Stephen Henson 已提交
3121
        if (ecdsa_ok)
3122 3123
            mask_a |= SSL_aECDSA;
    }
D
Dr. Stephen Henson 已提交
3124 3125 3126 3127 3128
    /* Allow Ed25519 for TLS 1.2 if peer supports it */
    if (!(mask_a & SSL_aECDSA) && ssl_has_cert(s, SSL_PKEY_ED25519)
            && pvalid[SSL_PKEY_ED25519] & CERT_PKEY_EXPLICIT_SIGN
            && TLS1_get_version(s) == TLS1_2_VERSION)
            mask_a |= SSL_aECDSA;
3129
#endif
B
Bodo Möller 已提交
3130

3131
#ifndef OPENSSL_NO_EC
3132
    mask_k |= SSL_kECDHE;
B
Bodo Möller 已提交
3133
#endif
3134 3135

#ifndef OPENSSL_NO_PSK
3136 3137
    mask_k |= SSL_kPSK;
    mask_a |= SSL_aPSK;
3138 3139 3140 3141 3142 3143
    if (mask_k & SSL_kRSA)
        mask_k |= SSL_kRSAPSK;
    if (mask_k & SSL_kDHE)
        mask_k |= SSL_kDHEPSK;
    if (mask_k & SSL_kECDHE)
        mask_k |= SSL_kECDHEPSK;
3144 3145
#endif

3146 3147
    s->s3->tmp.mask_k = mask_k;
    s->s3->tmp.mask_a = mask_a;
3148
}
3149

3150 3151
#ifndef OPENSSL_NO_EC

3152
int ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s)
3153
{
D
Dr. Stephen Henson 已提交
3154
    if (s->s3->tmp.new_cipher->algorithm_auth & SSL_aECDSA) {
3155
        /* key usage, if present, must allow signing */
D
Dr. Stephen Henson 已提交
3156
        if (!(X509_get_key_usage(x) & X509v3_KU_DIGITAL_SIGNATURE)) {
3157 3158 3159 3160 3161 3162 3163
            SSLerr(SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG,
                   SSL_R_ECC_CERT_NOT_FOR_SIGNING);
            return 0;
        }
    }
    return 1;                   /* all checks are ok */
}
B
Bodo Möller 已提交
3164

3165 3166
#endif

3167
int ssl_get_server_cert_serverinfo(SSL *s, const unsigned char **serverinfo,
3168 3169
                                   size_t *serverinfo_length)
{
3170
    CERT_PKEY *cpk = s->s3->tmp.cert;
3171 3172
    *serverinfo_length = 0;

3173
    if (cpk == NULL || cpk->serverinfo == NULL)
3174 3175
        return 0;

3176 3177
    *serverinfo = cpk->serverinfo;
    *serverinfo_length = cpk->serverinfo_length;
3178 3179 3180 3181 3182 3183 3184 3185 3186 3187 3188 3189 3190 3191 3192
    return 1;
}

void ssl_update_cache(SSL *s, int mode)
{
    int i;

    /*
     * If the session_id_length is 0, we are not supposed to cache it, and it
     * would be rather hard to do anyway :-)
     */
    if (s->session->session_id_length == 0)
        return;

    i = s->session_ctx->session_cache_mode;
3193 3194 3195
    if ((i & mode) != 0
        && (!s->hit || SSL_IS_TLS13(s))
        && ((i & SSL_SESS_CACHE_NO_INTERNAL_STORE) != 0
3196
            || SSL_CTX_add_session(s->session_ctx, s->session))
3197
        && s->session_ctx->new_session_cb != NULL) {
3198
        SSL_SESSION_up_ref(s->session);
3199 3200 3201 3202 3203 3204 3205 3206 3207 3208 3209 3210 3211
        if (!s->session_ctx->new_session_cb(s, s->session))
            SSL_SESSION_free(s->session);
    }

    /* auto flush every 255 connections */
    if ((!(i & SSL_SESS_CACHE_NO_AUTO_CLEAR)) && ((i & mode) == mode)) {
        if ((((mode & SSL_SESS_CACHE_CLIENT)
              ? s->session_ctx->stats.sess_connect_good
              : s->session_ctx->stats.sess_accept_good) & 0xff) == 0xff) {
            SSL_CTX_flush_sessions(s->session_ctx, (unsigned long)time(NULL));
        }
    }
}
3212

3213
const SSL_METHOD *SSL_CTX_get_ssl_method(SSL_CTX *ctx)
3214 3215 3216
{
    return ctx->method;
}
3217

3218
const SSL_METHOD *SSL_get_ssl_method(SSL *s)
3219 3220 3221
{
    return (s->method);
}
3222

3223
int SSL_set_ssl_method(SSL *s, const SSL_METHOD *meth)
3224 3225 3226 3227
{
    int ret = 1;

    if (s->method != meth) {
3228
        const SSL_METHOD *sm = s->method;
E
Emilia Kasper 已提交
3229
        int (*hf) (SSL *) = s->handshake_func;
3230

3231
        if (sm->version == meth->version)
3232 3233
            s->method = meth;
        else {
3234
            sm->ssl_free(s);
3235 3236 3237 3238
            s->method = meth;
            ret = s->method->ssl_new(s);
        }

3239
        if (hf == sm->ssl_connect)
3240
            s->handshake_func = meth->ssl_connect;
3241
        else if (hf == sm->ssl_accept)
3242 3243 3244 3245 3246 3247 3248 3249 3250 3251 3252 3253 3254 3255 3256 3257 3258 3259 3260 3261 3262 3263 3264 3265 3266
            s->handshake_func = meth->ssl_accept;
    }
    return (ret);
}

int SSL_get_error(const SSL *s, int i)
{
    int reason;
    unsigned long l;
    BIO *bio;

    if (i > 0)
        return (SSL_ERROR_NONE);

    /*
     * Make things return SSL_ERROR_SYSCALL when doing SSL_do_handshake etc,
     * where we do encode the error
     */
    if ((l = ERR_peek_error()) != 0) {
        if (ERR_GET_LIB(l) == ERR_LIB_SYS)
            return (SSL_ERROR_SYSCALL);
        else
            return (SSL_ERROR_SSL);
    }

3267 3268 3269 3270 3271 3272 3273 3274 3275 3276 3277 3278 3279 3280 3281 3282 3283 3284 3285 3286 3287 3288 3289
    if (SSL_want_read(s)) {
        bio = SSL_get_rbio(s);
        if (BIO_should_read(bio))
            return (SSL_ERROR_WANT_READ);
        else if (BIO_should_write(bio))
            /*
             * This one doesn't make too much sense ... We never try to write
             * to the rbio, and an application program where rbio and wbio
             * are separate couldn't even know what it should wait for.
             * However if we ever set s->rwstate incorrectly (so that we have
             * SSL_want_read(s) instead of SSL_want_write(s)) and rbio and
             * wbio *are* the same, this test works around that bug; so it
             * might be safer to keep it.
             */
            return (SSL_ERROR_WANT_WRITE);
        else if (BIO_should_io_special(bio)) {
            reason = BIO_get_retry_reason(bio);
            if (reason == BIO_RR_CONNECT)
                return (SSL_ERROR_WANT_CONNECT);
            else if (reason == BIO_RR_ACCEPT)
                return (SSL_ERROR_WANT_ACCEPT);
            else
                return (SSL_ERROR_SYSCALL); /* unknown */
3290
        }
3291
    }
3292

3293
    if (SSL_want_write(s)) {
F
FdaSilvaYY 已提交
3294
        /* Access wbio directly - in order to use the buffered bio if present */
3295 3296 3297 3298
        bio = s->wbio;
        if (BIO_should_write(bio))
            return (SSL_ERROR_WANT_WRITE);
        else if (BIO_should_read(bio))
3299
            /*
3300
             * See above (SSL_want_read(s) with BIO_should_write(bio))
3301
             */
3302 3303 3304 3305 3306 3307 3308 3309 3310
            return (SSL_ERROR_WANT_READ);
        else if (BIO_should_io_special(bio)) {
            reason = BIO_get_retry_reason(bio);
            if (reason == BIO_RR_CONNECT)
                return (SSL_ERROR_WANT_CONNECT);
            else if (reason == BIO_RR_ACCEPT)
                return (SSL_ERROR_WANT_ACCEPT);
            else
                return (SSL_ERROR_SYSCALL);
3311
        }
M
Matt Caswell 已提交
3312
    }
B
Benjamin Kaduk 已提交
3313
    if (SSL_want_x509_lookup(s))
3314
        return (SSL_ERROR_WANT_X509_LOOKUP);
B
Benjamin Kaduk 已提交
3315
    if (SSL_want_async(s))
3316
        return SSL_ERROR_WANT_ASYNC;
B
Benjamin Kaduk 已提交
3317
    if (SSL_want_async_job(s))
3318
        return SSL_ERROR_WANT_ASYNC_JOB;
3319 3320
    if (SSL_want_client_hello_cb(s))
        return SSL_ERROR_WANT_CLIENT_HELLO_CB;
3321 3322 3323 3324 3325

    if ((s->shutdown & SSL_RECEIVED_SHUTDOWN) &&
        (s->s3->warn_alert == SSL_AD_CLOSE_NOTIFY))
        return (SSL_ERROR_ZERO_RETURN);

3326 3327
    return (SSL_ERROR_SYSCALL);
}
3328

M
Matt Caswell 已提交
3329 3330 3331 3332 3333 3334 3335 3336 3337 3338 3339
static int ssl_do_handshake_intern(void *vargs)
{
    struct ssl_async_args *args;
    SSL *s;

    args = (struct ssl_async_args *)vargs;
    s = args->s;

    return s->handshake_func(s);
}

3340
int SSL_do_handshake(SSL *s)
3341 3342 3343 3344 3345
{
    int ret = 1;

    if (s->handshake_func == NULL) {
        SSLerr(SSL_F_SSL_DO_HANDSHAKE, SSL_R_CONNECTION_TYPE_NOT_SET);
M
Matt Caswell 已提交
3346
        return -1;
3347 3348
    }

3349
    ossl_statem_check_finish_init(s, -1);
3350

3351
    s->method->ssl_renegotiate_check(s, 0);
3352

3353 3354 3355 3356 3357 3358
    if (SSL_is_server(s)) {
        /* clear SNI settings at server-side */
        OPENSSL_free(s->ext.hostname);
        s->ext.hostname = NULL;
    }

3359
    if (SSL_in_init(s) || SSL_in_before(s)) {
3360
        if ((s->mode & SSL_MODE_ASYNC) && ASYNC_get_current_job() == NULL) {
M
Matt Caswell 已提交
3361 3362 3363 3364
            struct ssl_async_args args;

            args.s = s;

3365
            ret = ssl_start_async_job(s, &args, ssl_do_handshake_intern);
M
Matt Caswell 已提交
3366 3367 3368
        } else {
            ret = s->handshake_func(s);
        }
3369
    }
M
Matt Caswell 已提交
3370
    return ret;
3371 3372
}

3373
void SSL_set_accept_state(SSL *s)
3374 3375 3376
{
    s->server = 1;
    s->shutdown = 0;
M
Matt Caswell 已提交
3377
    ossl_statem_clear(s);
3378
    s->handshake_func = s->method->ssl_accept;
R
Rich Salz 已提交
3379
    clear_ciphers(s);
3380
}
3381

3382
void SSL_set_connect_state(SSL *s)
3383 3384 3385
{
    s->server = 0;
    s->shutdown = 0;
M
Matt Caswell 已提交
3386
    ossl_statem_clear(s);
3387
    s->handshake_func = s->method->ssl_connect;
R
Rich Salz 已提交
3388
    clear_ciphers(s);
3389
}
3390

3391
int ssl_undefined_function(SSL *s)
3392 3393 3394 3395
{
    SSLerr(SSL_F_SSL_UNDEFINED_FUNCTION, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
    return (0);
}
3396

3397
int ssl_undefined_void_function(void)
3398 3399 3400 3401 3402
{
    SSLerr(SSL_F_SSL_UNDEFINED_VOID_FUNCTION,
           ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
    return (0);
}
3403

B
Ben Laurie 已提交
3404
int ssl_undefined_const_function(const SSL *s)
3405 3406 3407
{
    return (0);
}
B
Ben Laurie 已提交
3408

3409
const SSL_METHOD *ssl_bad_method(int ver)
3410 3411 3412 3413
{
    SSLerr(SSL_F_SSL_BAD_METHOD, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
    return (NULL);
}
3414

3415
const char *ssl_protocol_to_string(int version)
3416
{
M
Matt Caswell 已提交
3417 3418 3419
    switch(version)
    {
    case TLS1_3_VERSION:
3420
        return "TLSv1.3";
M
Matt Caswell 已提交
3421 3422

    case TLS1_2_VERSION:
3423
        return "TLSv1.2";
M
Matt Caswell 已提交
3424 3425

    case TLS1_1_VERSION:
3426
        return "TLSv1.1";
M
Matt Caswell 已提交
3427 3428

    case TLS1_VERSION:
3429
        return "TLSv1";
M
Matt Caswell 已提交
3430 3431

    case SSL3_VERSION:
3432
        return "SSLv3";
M
Matt Caswell 已提交
3433 3434

    case DTLS1_BAD_VER:
3435
        return "DTLSv0.9";
M
Matt Caswell 已提交
3436 3437

    case DTLS1_VERSION:
3438
        return "DTLSv1";
M
Matt Caswell 已提交
3439 3440

    case DTLS1_2_VERSION:
3441
        return "DTLSv1.2";
M
Matt Caswell 已提交
3442 3443 3444 3445

    default:
        return "unknown";
    }
3446
}
3447

3448 3449
const char *SSL_get_version(const SSL *s)
{
3450
    return ssl_protocol_to_string(s->version);
3451 3452
}

3453
SSL *SSL_dup(SSL *s)
3454 3455 3456 3457 3458 3459
{
    STACK_OF(X509_NAME) *sk;
    X509_NAME *xn;
    SSL *ret;
    int i;

3460 3461
    /* If we're not quiescent, just up_ref! */
    if (!SSL_in_init(s) || !SSL_in_before(s)) {
3462
        CRYPTO_UP_REF(&s->references, &i, s->lock);
3463 3464 3465 3466 3467 3468
        return s;
    }

    /*
     * Otherwise, copy configuration state, and session if set.
     */
3469 3470 3471 3472
    if ((ret = SSL_new(SSL_get_SSL_CTX(s))) == NULL)
        return (NULL);

    if (s->session != NULL) {
3473 3474 3475 3476
        /*
         * Arranges to share the same session via up_ref.  This "copies"
         * session-id, SSL_METHOD, sid_ctx, and 'cert'
         */
V
Viktor Dukhovni 已提交
3477
        if (!SSL_copy_session_id(ret, s))
M
Matt Caswell 已提交
3478
            goto err;
3479 3480 3481 3482 3483 3484 3485
    } else {
        /*
         * No session has been established yet, so we have to expect that
         * s->cert or ret->cert will be changed later -- they should not both
         * point to the same object, and thus we can't use
         * SSL_copy_session_id.
         */
3486 3487
        if (!SSL_set_ssl_method(ret, s->method))
            goto err;
3488 3489

        if (s->cert != NULL) {
R
Rich Salz 已提交
3490
            ssl_cert_free(ret->cert);
3491 3492 3493 3494 3495
            ret->cert = ssl_cert_dup(s->cert);
            if (ret->cert == NULL)
                goto err;
        }

3496 3497
        if (!SSL_set_session_id_context(ret, s->sid_ctx,
                                        (int)s->sid_ctx_length))
M
Matt Caswell 已提交
3498
            goto err;
3499 3500
    }

3501 3502
    if (!ssl_dane_dup(ret, s))
        goto err;
3503
    ret->version = s->version;
3504 3505 3506 3507 3508 3509 3510 3511 3512 3513 3514 3515 3516 3517 3518 3519 3520 3521 3522 3523 3524 3525 3526 3527 3528
    ret->options = s->options;
    ret->mode = s->mode;
    SSL_set_max_cert_list(ret, SSL_get_max_cert_list(s));
    SSL_set_read_ahead(ret, SSL_get_read_ahead(s));
    ret->msg_callback = s->msg_callback;
    ret->msg_callback_arg = s->msg_callback_arg;
    SSL_set_verify(ret, SSL_get_verify_mode(s), SSL_get_verify_callback(s));
    SSL_set_verify_depth(ret, SSL_get_verify_depth(s));
    ret->generate_session_id = s->generate_session_id;

    SSL_set_info_callback(ret, SSL_get_info_callback(s));

    /* copy app data, a little dangerous perhaps */
    if (!CRYPTO_dup_ex_data(CRYPTO_EX_INDEX_SSL, &ret->ex_data, &s->ex_data))
        goto err;

    /* setup rbio, and wbio */
    if (s->rbio != NULL) {
        if (!BIO_dup_state(s->rbio, (char *)&ret->rbio))
            goto err;
    }
    if (s->wbio != NULL) {
        if (s->wbio != s->rbio) {
            if (!BIO_dup_state(s->wbio, (char *)&ret->wbio))
                goto err;
3529 3530
        } else {
            BIO_up_ref(ret->rbio);
3531
            ret->wbio = ret->rbio;
3532
        }
3533
    }
3534

3535
    ret->server = s->server;
3536 3537 3538 3539 3540 3541
    if (s->handshake_func) {
        if (s->server)
            SSL_set_accept_state(ret);
        else
            SSL_set_connect_state(ret);
    }
3542 3543 3544
    ret->shutdown = s->shutdown;
    ret->hit = s->hit;

M
Matt Caswell 已提交
3545 3546 3547
    ret->default_passwd_callback = s->default_passwd_callback;
    ret->default_passwd_callback_userdata = s->default_passwd_callback_userdata;

3548 3549 3550 3551 3552 3553 3554 3555 3556 3557 3558 3559 3560
    X509_VERIFY_PARAM_inherit(ret->param, s->param);

    /* dup the cipher_list and cipher_list_by_id stacks */
    if (s->cipher_list != NULL) {
        if ((ret->cipher_list = sk_SSL_CIPHER_dup(s->cipher_list)) == NULL)
            goto err;
    }
    if (s->cipher_list_by_id != NULL)
        if ((ret->cipher_list_by_id = sk_SSL_CIPHER_dup(s->cipher_list_by_id))
            == NULL)
            goto err;

    /* Dup the client_CA list */
3561 3562
    if (s->ca_names != NULL) {
        if ((sk = sk_X509_NAME_dup(s->ca_names)) == NULL)
3563
            goto err;
3564
        ret->ca_names = sk;
3565 3566 3567 3568 3569 3570 3571 3572
        for (i = 0; i < sk_X509_NAME_num(sk); i++) {
            xn = sk_X509_NAME_value(sk, i);
            if (sk_X509_NAME_set(sk, i, X509_NAME_dup(xn)) == NULL) {
                X509_NAME_free(xn);
                goto err;
            }
        }
    }
R
Rich Salz 已提交
3573
    return ret;
3574 3575

 err:
R
Rich Salz 已提交
3576 3577
    SSL_free(ret);
    return NULL;
3578
}
3579

3580
void ssl_clear_cipher_ctx(SSL *s)
3581 3582
{
    if (s->enc_read_ctx != NULL) {
3583
        EVP_CIPHER_CTX_free(s->enc_read_ctx);
3584 3585 3586
        s->enc_read_ctx = NULL;
    }
    if (s->enc_write_ctx != NULL) {
3587
        EVP_CIPHER_CTX_free(s->enc_write_ctx);
3588 3589
        s->enc_write_ctx = NULL;
    }
3590
#ifndef OPENSSL_NO_COMP
R
Rich Salz 已提交
3591 3592 3593 3594
    COMP_CTX_free(s->expand);
    s->expand = NULL;
    COMP_CTX_free(s->compress);
    s->compress = NULL;
3595 3596
#endif
}
3597

B
Ben Laurie 已提交
3598
X509 *SSL_get_certificate(const SSL *s)
3599 3600 3601 3602 3603 3604
{
    if (s->cert != NULL)
        return (s->cert->key->x509);
    else
        return (NULL);
}
3605

3606
EVP_PKEY *SSL_get_privatekey(const SSL *s)
3607 3608 3609 3610 3611 3612
{
    if (s->cert != NULL)
        return (s->cert->key->privatekey);
    else
        return (NULL);
}
3613

3614
X509 *SSL_CTX_get0_certificate(const SSL_CTX *ctx)
3615 3616 3617 3618 3619 3620
{
    if (ctx->cert != NULL)
        return ctx->cert->key->x509;
    else
        return NULL;
}
3621 3622

EVP_PKEY *SSL_CTX_get0_privatekey(const SSL_CTX *ctx)
3623 3624 3625 3626 3627 3628
{
    if (ctx->cert != NULL)
        return ctx->cert->key->privatekey;
    else
        return NULL;
}
3629

3630
const SSL_CIPHER *SSL_get_current_cipher(const SSL *s)
3631 3632 3633 3634 3635 3636
{
    if ((s->session != NULL) && (s->session->cipher != NULL))
        return (s->session->cipher);
    return (NULL);
}

B
Benjamin Kaduk 已提交
3637 3638 3639 3640 3641
const SSL_CIPHER *SSL_get_pending_cipher(const SSL *s)
{
    return s->s3->tmp.new_cipher;
}

3642
const COMP_METHOD *SSL_get_current_compression(SSL *s)
3643
{
R
Rich Salz 已提交
3644 3645 3646 3647 3648
#ifndef OPENSSL_NO_COMP
    return s->compress ? COMP_CTX_get_method(s->compress) : NULL;
#else
    return NULL;
#endif
3649
}
3650 3651

const COMP_METHOD *SSL_get_current_expansion(SSL *s)
3652
{
R
Rich Salz 已提交
3653 3654 3655 3656
#ifndef OPENSSL_NO_COMP
    return s->expand ? COMP_CTX_get_method(s->expand) : NULL;
#else
    return NULL;
3657
#endif
R
Rich Salz 已提交
3658
}
3659

M
Matt Caswell 已提交
3660
int ssl_init_wbio_buffer(SSL *s)
3661 3662 3663
{
    BIO *bbio;

3664 3665 3666
    if (s->bbio != NULL) {
        /* Already buffered. */
        return 1;
3667
    }
M
Matt Caswell 已提交
3668

3669 3670 3671
    bbio = BIO_new(BIO_f_buffer());
    if (bbio == NULL || !BIO_set_read_buffer_size(bbio, 1)) {
        BIO_free(bbio);
3672
        SSLerr(SSL_F_SSL_INIT_WBIO_BUFFER, ERR_R_BUF_LIB);
M
Matt Caswell 已提交
3673
        return 0;
3674
    }
3675 3676
    s->bbio = bbio;
    s->wbio = BIO_push(bbio, s->wbio);
M
Matt Caswell 已提交
3677 3678

    return 1;
3679
}
3680

3681
int ssl_free_wbio_buffer(SSL *s)
3682
{
R
Rich Salz 已提交
3683
    /* callers ensure s is never null */
3684
    if (s->bbio == NULL)
3685
        return 1;
3686

3687
    s->wbio = BIO_pop(s->wbio);
3688 3689
    if (!ossl_assert(s->wbio != NULL))
        return 0;
3690 3691
    BIO_free(s->bbio);
    s->bbio = NULL;
3692 3693

    return 1;
3694 3695 3696 3697 3698 3699
}

void SSL_CTX_set_quiet_shutdown(SSL_CTX *ctx, int mode)
{
    ctx->quiet_shutdown = mode;
}
3700

B
Ben Laurie 已提交
3701
int SSL_CTX_get_quiet_shutdown(const SSL_CTX *ctx)
3702 3703 3704
{
    return (ctx->quiet_shutdown);
}
3705

3706 3707 3708 3709
void SSL_set_quiet_shutdown(SSL *s, int mode)
{
    s->quiet_shutdown = mode;
}
3710

B
Ben Laurie 已提交
3711
int SSL_get_quiet_shutdown(const SSL *s)
3712 3713 3714
{
    return (s->quiet_shutdown);
}
3715

3716 3717 3718 3719
void SSL_set_shutdown(SSL *s, int mode)
{
    s->shutdown = mode;
}
3720

B
Ben Laurie 已提交
3721
int SSL_get_shutdown(const SSL *s)
3722
{
3723
    return s->shutdown;
3724
}
3725

B
Ben Laurie 已提交
3726
int SSL_version(const SSL *s)
3727
{
3728 3729 3730 3731 3732 3733
    return s->version;
}

int SSL_client_version(const SSL *s)
{
    return s->client_version;
3734
}
3735

B
Ben Laurie 已提交
3736
SSL_CTX *SSL_get_SSL_CTX(const SSL *ssl)
3737
{
3738
    return ssl->ctx;
3739 3740 3741 3742
}

SSL_CTX *SSL_set_SSL_CTX(SSL *ssl, SSL_CTX *ctx)
{
K
Kurt Roeckx 已提交
3743
    CERT *new_cert;
3744 3745 3746
    if (ssl->ctx == ctx)
        return ssl->ctx;
    if (ctx == NULL)
3747
        ctx = ssl->session_ctx;
K
Kurt Roeckx 已提交
3748 3749 3750
    new_cert = ssl_cert_dup(ctx->cert);
    if (new_cert == NULL) {
        return NULL;
3751
    }
3752 3753 3754 3755 3756 3757

    if (!custom_exts_copy_flags(&new_cert->custext, &ssl->cert->custext)) {
        ssl_cert_free(new_cert);
        return NULL;
    }

K
Kurt Roeckx 已提交
3758 3759
    ssl_cert_free(ssl->cert);
    ssl->cert = new_cert;
3760 3761 3762 3763 3764

    /*
     * Program invariant: |sid_ctx| has fixed size (SSL_MAX_SID_CTX_LENGTH),
     * so setter APIs must prevent invalid lengths from entering the system.
     */
3765 3766
    if (!ossl_assert(ssl->sid_ctx_length <= sizeof(ssl->sid_ctx)))
        return NULL;
3767 3768 3769 3770 3771 3772 3773 3774 3775 3776 3777 3778 3779 3780

    /*
     * If the session ID context matches that of the parent SSL_CTX,
     * inherit it from the new SSL_CTX as well. If however the context does
     * not match (i.e., it was set per-ssl with SSL_set_session_id_context),
     * leave it unchanged.
     */
    if ((ssl->ctx != NULL) &&
        (ssl->sid_ctx_length == ssl->ctx->sid_ctx_length) &&
        (memcmp(ssl->sid_ctx, ssl->ctx->sid_ctx, ssl->sid_ctx_length) == 0)) {
        ssl->sid_ctx_length = ctx->sid_ctx_length;
        memcpy(&ssl->sid_ctx, &ctx->sid_ctx, sizeof(ssl->sid_ctx));
    }

3781
    SSL_CTX_up_ref(ctx);
E
Emilia Kasper 已提交
3782
    SSL_CTX_free(ssl->ctx);     /* decrement reference count */
3783 3784
    ssl->ctx = ctx;

3785
    return ssl->ctx;
3786
}
3787

3788
int SSL_CTX_set_default_verify_paths(SSL_CTX *ctx)
3789 3790 3791
{
    return (X509_STORE_set_default_paths(ctx->cert_store));
}
3792

3793 3794 3795 3796 3797 3798 3799 3800 3801 3802 3803 3804 3805 3806 3807 3808 3809 3810 3811 3812 3813 3814 3815 3816 3817 3818 3819 3820 3821 3822 3823
int SSL_CTX_set_default_verify_dir(SSL_CTX *ctx)
{
    X509_LOOKUP *lookup;

    lookup = X509_STORE_add_lookup(ctx->cert_store, X509_LOOKUP_hash_dir());
    if (lookup == NULL)
        return 0;
    X509_LOOKUP_add_dir(lookup, NULL, X509_FILETYPE_DEFAULT);

    /* Clear any errors if the default directory does not exist */
    ERR_clear_error();

    return 1;
}

int SSL_CTX_set_default_verify_file(SSL_CTX *ctx)
{
    X509_LOOKUP *lookup;

    lookup = X509_STORE_add_lookup(ctx->cert_store, X509_LOOKUP_file());
    if (lookup == NULL)
        return 0;

    X509_LOOKUP_load_file(lookup, NULL, X509_FILETYPE_DEFAULT);

    /* Clear any errors if the default file does not exist */
    ERR_clear_error();

    return 1;
}

3824
int SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile,
3825 3826 3827 3828
                                  const char *CApath)
{
    return (X509_STORE_load_locations(ctx->cert_store, CAfile, CApath));
}
3829

B
Ben Laurie 已提交
3830
void SSL_set_info_callback(SSL *ssl,
3831 3832 3833 3834 3835 3836 3837 3838 3839 3840 3841 3842 3843 3844
                           void (*cb) (const SSL *ssl, int type, int val))
{
    ssl->info_callback = cb;
}

/*
 * One compiler (Diab DCC) doesn't like argument names in returned function
 * pointer.
 */
void (*SSL_get_info_callback(const SSL *ssl)) (const SSL * /* ssl */ ,
                                               int /* type */ ,
                                               int /* val */ ) {
    return ssl->info_callback;
}
3845

3846 3847 3848 3849
void SSL_set_verify_result(SSL *ssl, long arg)
{
    ssl->verify_result = arg;
}
3850

B
Ben Laurie 已提交
3851
long SSL_get_verify_result(const SSL *ssl)
3852 3853 3854 3855
{
    return (ssl->verify_result);
}

3856
size_t SSL_get_client_random(const SSL *ssl, unsigned char *out, size_t outlen)
3857
{
3858
    if (outlen == 0)
3859 3860 3861 3862
        return sizeof(ssl->s3->client_random);
    if (outlen > sizeof(ssl->s3->client_random))
        outlen = sizeof(ssl->s3->client_random);
    memcpy(out, ssl->s3->client_random, outlen);
3863
    return outlen;
3864 3865
}

3866
size_t SSL_get_server_random(const SSL *ssl, unsigned char *out, size_t outlen)
3867
{
3868
    if (outlen == 0)
3869 3870 3871 3872
        return sizeof(ssl->s3->server_random);
    if (outlen > sizeof(ssl->s3->server_random))
        outlen = sizeof(ssl->s3->server_random);
    memcpy(out, ssl->s3->server_random, outlen);
3873
    return outlen;
3874 3875
}

3876
size_t SSL_SESSION_get_master_key(const SSL_SESSION *session,
E
Emilia Kasper 已提交
3877
                                  unsigned char *out, size_t outlen)
3878
{
3879 3880
    if (outlen == 0)
        return session->master_key_length;
3881
    if (outlen > session->master_key_length)
3882 3883
        outlen = session->master_key_length;
    memcpy(out, session->master_key, outlen);
3884
    return outlen;
3885 3886
}

3887
int SSL_SESSION_set1_master_key(SSL_SESSION *sess, const unsigned char *in,
M
Matt Caswell 已提交
3888 3889 3890 3891 3892 3893 3894 3895 3896 3897 3898
                                size_t len)
{
    if (len > sizeof(sess->master_key))
        return 0;

    memcpy(sess->master_key, in, len);
    sess->master_key_length = len;
    return 1;
}


3899 3900 3901 3902 3903 3904 3905 3906 3907 3908 3909 3910 3911 3912 3913 3914 3915 3916 3917
int SSL_set_ex_data(SSL *s, int idx, void *arg)
{
    return (CRYPTO_set_ex_data(&s->ex_data, idx, arg));
}

void *SSL_get_ex_data(const SSL *s, int idx)
{
    return (CRYPTO_get_ex_data(&s->ex_data, idx));
}

int SSL_CTX_set_ex_data(SSL_CTX *s, int idx, void *arg)
{
    return (CRYPTO_set_ex_data(&s->ex_data, idx, arg));
}

void *SSL_CTX_get_ex_data(const SSL_CTX *s, int idx)
{
    return (CRYPTO_get_ex_data(&s->ex_data, idx));
}
3918

B
Ben Laurie 已提交
3919
X509_STORE *SSL_CTX_get_cert_store(const SSL_CTX *ctx)
3920 3921 3922
{
    return (ctx->cert_store);
}
3923

3924 3925
void SSL_CTX_set_cert_store(SSL_CTX *ctx, X509_STORE *store)
{
R
Rich Salz 已提交
3926
    X509_STORE_free(ctx->cert_store);
3927 3928
    ctx->cert_store = store;
}
3929

T
Todd Short 已提交
3930 3931 3932 3933 3934 3935 3936
void SSL_CTX_set1_cert_store(SSL_CTX *ctx, X509_STORE *store)
{
    if (store != NULL)
        X509_STORE_up_ref(store);
    SSL_CTX_set_cert_store(ctx, store);
}

B
Ben Laurie 已提交
3937
int SSL_want(const SSL *s)
3938 3939 3940
{
    return (s->rwstate);
}
3941

3942
/**
3943 3944 3945 3946 3947
 * \brief Set the callback for generating temporary DH keys.
 * \param ctx the SSL context.
 * \param dh the callback
 */

3948
#ifndef OPENSSL_NO_DH
3949 3950 3951 3952 3953 3954
void SSL_CTX_set_tmp_dh_callback(SSL_CTX *ctx,
                                 DH *(*dh) (SSL *ssl, int is_export,
                                            int keylength))
{
    SSL_CTX_callback_ctrl(ctx, SSL_CTRL_SET_TMP_DH_CB, (void (*)(void))dh);
}
3955

3956 3957 3958 3959 3960
void SSL_set_tmp_dh_callback(SSL *ssl, DH *(*dh) (SSL *ssl, int is_export,
                                                  int keylength))
{
    SSL_callback_ctrl(ssl, SSL_CTRL_SET_TMP_DH_CB, (void (*)(void))dh);
}
3961
#endif
3962

3963 3964
#ifndef OPENSSL_NO_PSK
int SSL_CTX_use_psk_identity_hint(SSL_CTX *ctx, const char *identity_hint)
3965 3966
{
    if (identity_hint != NULL && strlen(identity_hint) > PSK_MAX_IDENTITY_LEN) {
E
Emilia Kasper 已提交
3967
        SSLerr(SSL_F_SSL_CTX_USE_PSK_IDENTITY_HINT, SSL_R_DATA_LENGTH_TOO_LONG);
3968 3969
        return 0;
    }
3970
    OPENSSL_free(ctx->cert->psk_identity_hint);
3971
    if (identity_hint != NULL) {
R
Rich Salz 已提交
3972
        ctx->cert->psk_identity_hint = OPENSSL_strdup(identity_hint);
3973
        if (ctx->cert->psk_identity_hint == NULL)
3974 3975
            return 0;
    } else
3976
        ctx->cert->psk_identity_hint = NULL;
3977 3978
    return 1;
}
3979 3980

int SSL_use_psk_identity_hint(SSL *s, const char *identity_hint)
3981 3982 3983 3984 3985 3986 3987 3988
{
    if (s == NULL)
        return 0;

    if (identity_hint != NULL && strlen(identity_hint) > PSK_MAX_IDENTITY_LEN) {
        SSLerr(SSL_F_SSL_USE_PSK_IDENTITY_HINT, SSL_R_DATA_LENGTH_TOO_LONG);
        return 0;
    }
3989
    OPENSSL_free(s->cert->psk_identity_hint);
3990
    if (identity_hint != NULL) {
R
Rich Salz 已提交
3991
        s->cert->psk_identity_hint = OPENSSL_strdup(identity_hint);
3992
        if (s->cert->psk_identity_hint == NULL)
3993 3994
            return 0;
    } else
3995
        s->cert->psk_identity_hint = NULL;
3996 3997
    return 1;
}
3998 3999

const char *SSL_get_psk_identity_hint(const SSL *s)
4000 4001 4002 4003 4004
{
    if (s == NULL || s->session == NULL)
        return NULL;
    return (s->session->psk_identity_hint);
}
4005 4006

const char *SSL_get_psk_identity(const SSL *s)
4007 4008 4009 4010 4011
{
    if (s == NULL || s->session == NULL)
        return NULL;
    return (s->session->psk_identity);
}
N
Nils Larsch 已提交
4012

4013
void SSL_set_psk_client_callback(SSL *s, SSL_psk_client_cb_func cb)
4014 4015 4016
{
    s->psk_client_callback = cb;
}
N
Nils Larsch 已提交
4017

4018
void SSL_CTX_set_psk_client_callback(SSL_CTX *ctx, SSL_psk_client_cb_func cb)
4019 4020 4021
{
    ctx->psk_client_callback = cb;
}
N
Nils Larsch 已提交
4022

4023
void SSL_set_psk_server_callback(SSL *s, SSL_psk_server_cb_func cb)
4024 4025 4026
{
    s->psk_server_callback = cb;
}
N
Nils Larsch 已提交
4027

4028
void SSL_CTX_set_psk_server_callback(SSL_CTX *ctx, SSL_psk_server_cb_func cb)
4029 4030 4031 4032 4033
{
    ctx->psk_server_callback = cb;
}
#endif

4034 4035 4036 4037 4038 4039 4040 4041 4042 4043 4044 4045 4046 4047 4048 4049 4050 4051 4052 4053 4054 4055
void SSL_set_psk_find_session_callback(SSL *s, SSL_psk_find_session_cb_func cb)
{
    s->psk_find_session_cb = cb;
}

void SSL_CTX_set_psk_find_session_callback(SSL_CTX *ctx,
                                           SSL_psk_find_session_cb_func cb)
{
    ctx->psk_find_session_cb = cb;
}

void SSL_set_psk_use_session_callback(SSL *s, SSL_psk_use_session_cb_func cb)
{
    s->psk_use_session_cb = cb;
}

void SSL_CTX_set_psk_use_session_callback(SSL_CTX *ctx,
                                           SSL_psk_use_session_cb_func cb)
{
    ctx->psk_use_session_cb = cb;
}

4056 4057 4058 4059 4060 4061 4062 4063 4064 4065 4066 4067 4068 4069 4070
void SSL_CTX_set_msg_callback(SSL_CTX *ctx,
                              void (*cb) (int write_p, int version,
                                          int content_type, const void *buf,
                                          size_t len, SSL *ssl, void *arg))
{
    SSL_CTX_callback_ctrl(ctx, SSL_CTRL_SET_MSG_CALLBACK, (void (*)(void))cb);
}

void SSL_set_msg_callback(SSL *ssl,
                          void (*cb) (int write_p, int version,
                                      int content_type, const void *buf,
                                      size_t len, SSL *ssl, void *arg))
{
    SSL_callback_ctrl(ssl, SSL_CTRL_SET_MSG_CALLBACK, (void (*)(void))cb);
}
4071

4072
void SSL_CTX_set_not_resumable_session_callback(SSL_CTX *ctx,
4073 4074 4075 4076 4077 4078 4079 4080
                                                int (*cb) (SSL *ssl,
                                                           int
                                                           is_forward_secure))
{
    SSL_CTX_callback_ctrl(ctx, SSL_CTRL_SET_NOT_RESUMABLE_SESS_CB,
                          (void (*)(void))cb);
}

4081
void SSL_set_not_resumable_session_callback(SSL *ssl,
4082 4083 4084 4085 4086 4087 4088
                                            int (*cb) (SSL *ssl,
                                                       int is_forward_secure))
{
    SSL_callback_ctrl(ssl, SSL_CTRL_SET_NOT_RESUMABLE_SESS_CB,
                      (void (*)(void))cb);
}

T
Todd Short 已提交
4089 4090 4091 4092 4093 4094 4095 4096 4097 4098 4099 4100 4101 4102 4103 4104 4105 4106 4107 4108 4109 4110 4111 4112 4113 4114 4115 4116 4117 4118 4119 4120 4121 4122 4123 4124 4125 4126 4127 4128 4129 4130 4131 4132 4133 4134 4135 4136 4137 4138 4139 4140 4141 4142 4143 4144 4145 4146
void SSL_CTX_set_record_padding_callback(SSL_CTX *ctx,
                                         size_t (*cb) (SSL *ssl, int type,
                                                       size_t len, void *arg))
{
    ctx->record_padding_cb = cb;
}

void SSL_CTX_set_record_padding_callback_arg(SSL_CTX *ctx, void *arg)
{
    ctx->record_padding_arg = arg;
}

void *SSL_CTX_get_record_padding_callback_arg(SSL_CTX *ctx)
{
    return ctx->record_padding_arg;
}

int SSL_CTX_set_block_padding(SSL_CTX *ctx, size_t block_size)
{
    /* block size of 0 or 1 is basically no padding */
    if (block_size == 1)
        ctx->block_padding = 0;
    else if (block_size <= SSL3_RT_MAX_PLAIN_LENGTH)
        ctx->block_padding = block_size;
    else
        return 0;
    return 1;
}

void SSL_set_record_padding_callback(SSL *ssl,
                                     size_t (*cb) (SSL *ssl, int type,
                                                   size_t len, void *arg))
{
    ssl->record_padding_cb = cb;
}

void SSL_set_record_padding_callback_arg(SSL *ssl, void *arg)
{
    ssl->record_padding_arg = arg;
}

void *SSL_get_record_padding_callback_arg(SSL *ssl)
{
    return ssl->record_padding_arg;
}

int SSL_set_block_padding(SSL *ssl, size_t block_size)
{
    /* block size of 0 or 1 is basically no padding */
    if (block_size == 1)
        ssl->block_padding = 0;
    else if (block_size <= SSL3_RT_MAX_PLAIN_LENGTH)
        ssl->block_padding = block_size;
    else
        return 0;
    return 1;
}

4147 4148
/*
 * Allocates new EVP_MD_CTX and sets pointer to it into given pointer
F
FdaSilvaYY 已提交
4149
 * variable, freeing EVP_MD_CTX previously stored in that variable, if any.
F
FdaSilvaYY 已提交
4150
 * If EVP_MD pointer is passed, initializes ctx with this |md|.
F
FdaSilvaYY 已提交
4151
 * Returns the newly allocated ctx;
B
Ben Laurie 已提交
4152
 */
4153

4154
EVP_MD_CTX *ssl_replace_hash(EVP_MD_CTX **hash, const EVP_MD *md)
4155
{
4156
    ssl_clear_hash_ctx(hash);
4157
    *hash = EVP_MD_CTX_new();
4158
    if (*hash == NULL || (md && EVP_DigestInit_ex(*hash, md, NULL) <= 0)) {
4159
        EVP_MD_CTX_free(*hash);
4160 4161 4162
        *hash = NULL;
        return NULL;
    }
4163
    return *hash;
4164
}
4165 4166

void ssl_clear_hash_ctx(EVP_MD_CTX **hash)
4167 4168
{

4169
    EVP_MD_CTX_free(*hash);
4170
    *hash = NULL;
4171
}
4172

4173
/* Retrieve handshake hashes */
4174 4175
int ssl_handshake_hash(SSL *s, unsigned char *out, size_t outlen,
                       size_t *hashlen)
4176
{
4177
    EVP_MD_CTX *ctx = NULL;
4178
    EVP_MD_CTX *hdgst = s->s3->handshake_dgst;
4179 4180 4181 4182
    int hashleni = EVP_MD_CTX_size(hdgst);
    int ret = 0;

    if (hashleni < 0 || (size_t)hashleni > outlen)
4183
        goto err;
4184

4185
    ctx = EVP_MD_CTX_new();
4186
    if (ctx == NULL)
4187
        goto err;
4188

4189 4190
    if (!EVP_MD_CTX_copy_ex(ctx, hdgst)
        || EVP_DigestFinal_ex(ctx, out, NULL) <= 0)
4191 4192 4193 4194 4195
        goto err;

    *hashlen = hashleni;

    ret = 1;
4196
 err:
4197
    EVP_MD_CTX_free(ctx);
4198 4199 4200
    return ret;
}

4201
int SSL_session_reused(SSL *s)
4202 4203 4204
{
    return s->hit;
}
4205

4206
int SSL_is_server(const SSL *s)
4207 4208 4209
{
    return s->server;
}
4210

R
Rich Salz 已提交
4211 4212 4213 4214 4215 4216 4217 4218 4219
#if OPENSSL_API_COMPAT < 0x10100000L
void SSL_set_debug(SSL *s, int debug)
{
    /* Old function was do-nothing anyway... */
    (void)s;
    (void)debug;
}
#endif

D
Dr. Stephen Henson 已提交
4220
void SSL_set_security_level(SSL *s, int level)
4221 4222 4223
{
    s->cert->sec_level = level;
}
D
Dr. Stephen Henson 已提交
4224 4225

int SSL_get_security_level(const SSL *s)
4226 4227 4228
{
    return s->cert->sec_level;
}
D
Dr. Stephen Henson 已提交
4229

4230
void SSL_set_security_callback(SSL *s,
E
Emilia Kasper 已提交
4231 4232 4233
                               int (*cb) (const SSL *s, const SSL_CTX *ctx,
                                          int op, int bits, int nid,
                                          void *other, void *ex))
4234 4235 4236
{
    s->cert->sec_cb = cb;
}
D
Dr. Stephen Henson 已提交
4237

E
Emilia Kasper 已提交
4238 4239 4240 4241
int (*SSL_get_security_callback(const SSL *s)) (const SSL *s,
                                                const SSL_CTX *ctx, int op,
                                                int bits, int nid, void *other,
                                                void *ex) {
4242 4243
    return s->cert->sec_cb;
}
D
Dr. Stephen Henson 已提交
4244 4245

void SSL_set0_security_ex_data(SSL *s, void *ex)
4246 4247 4248
{
    s->cert->sec_ex = ex;
}
D
Dr. Stephen Henson 已提交
4249 4250

void *SSL_get0_security_ex_data(const SSL *s)
4251 4252 4253
{
    return s->cert->sec_ex;
}
D
Dr. Stephen Henson 已提交
4254 4255

void SSL_CTX_set_security_level(SSL_CTX *ctx, int level)
4256 4257 4258
{
    ctx->cert->sec_level = level;
}
D
Dr. Stephen Henson 已提交
4259 4260

int SSL_CTX_get_security_level(const SSL_CTX *ctx)
4261 4262 4263
{
    return ctx->cert->sec_level;
}
D
Dr. Stephen Henson 已提交
4264

4265
void SSL_CTX_set_security_callback(SSL_CTX *ctx,
E
Emilia Kasper 已提交
4266 4267 4268
                                   int (*cb) (const SSL *s, const SSL_CTX *ctx,
                                              int op, int bits, int nid,
                                              void *other, void *ex))
4269 4270 4271
{
    ctx->cert->sec_cb = cb;
}
D
Dr. Stephen Henson 已提交
4272

K
Kurt Roeckx 已提交
4273 4274
int (*SSL_CTX_get_security_callback(const SSL_CTX *ctx)) (const SSL *s,
                                                          const SSL_CTX *ctx,
4275 4276 4277 4278 4279 4280
                                                          int op, int bits,
                                                          int nid,
                                                          void *other,
                                                          void *ex) {
    return ctx->cert->sec_cb;
}
D
Dr. Stephen Henson 已提交
4281 4282

void SSL_CTX_set0_security_ex_data(SSL_CTX *ctx, void *ex)
4283 4284 4285
{
    ctx->cert->sec_ex = ex;
}
D
Dr. Stephen Henson 已提交
4286 4287

void *SSL_CTX_get0_security_ex_data(const SSL_CTX *ctx)
4288 4289 4290
{
    return ctx->cert->sec_ex;
}
D
Dr. Stephen Henson 已提交
4291

4292 4293 4294 4295 4296 4297 4298 4299 4300
/*
 * Get/Set/Clear options in SSL_CTX or SSL, formerly macros, now functions that
 * can return unsigned long, instead of the generic long return value from the
 * control interface.
 */
unsigned long SSL_CTX_get_options(const SSL_CTX *ctx)
{
    return ctx->options;
}
E
Emilia Kasper 已提交
4301 4302

unsigned long SSL_get_options(const SSL *s)
4303 4304 4305
{
    return s->options;
}
E
Emilia Kasper 已提交
4306

4307 4308 4309 4310
unsigned long SSL_CTX_set_options(SSL_CTX *ctx, unsigned long op)
{
    return ctx->options |= op;
}
E
Emilia Kasper 已提交
4311

4312 4313 4314 4315
unsigned long SSL_set_options(SSL *s, unsigned long op)
{
    return s->options |= op;
}
E
Emilia Kasper 已提交
4316

4317 4318 4319 4320
unsigned long SSL_CTX_clear_options(SSL_CTX *ctx, unsigned long op)
{
    return ctx->options &= ~op;
}
E
Emilia Kasper 已提交
4321

4322 4323 4324 4325 4326
unsigned long SSL_clear_options(SSL *s, unsigned long op)
{
    return s->options &= ~op;
}

4327 4328 4329 4330 4331
STACK_OF(X509) *SSL_get0_verified_chain(const SSL *s)
{
    return s->verified_chain;
}

4332
IMPLEMENT_OBJ_BSEARCH_GLOBAL_CMP_FN(SSL_CIPHER, SSL_CIPHER, ssl_cipher_id);
4333 4334 4335 4336 4337 4338 4339 4340 4341 4342

#ifndef OPENSSL_NO_CT

/*
 * Moves SCTs from the |src| stack to the |dst| stack.
 * The source of each SCT will be set to |origin|.
 * If |dst| points to a NULL pointer, a new stack will be created and owned by
 * the caller.
 * Returns the number of SCTs moved, or a negative integer if an error occurs.
 */
E
Emilia Kasper 已提交
4343 4344
static int ct_move_scts(STACK_OF(SCT) **dst, STACK_OF(SCT) *src,
                        sct_source_t origin)
4345 4346 4347 4348 4349 4350 4351 4352 4353 4354 4355 4356 4357 4358 4359 4360 4361 4362 4363 4364 4365 4366
{
    int scts_moved = 0;
    SCT *sct = NULL;

    if (*dst == NULL) {
        *dst = sk_SCT_new_null();
        if (*dst == NULL) {
            SSLerr(SSL_F_CT_MOVE_SCTS, ERR_R_MALLOC_FAILURE);
            goto err;
        }
    }

    while ((sct = sk_SCT_pop(src)) != NULL) {
        if (SCT_set_source(sct, origin) != 1)
            goto err;

        if (sk_SCT_push(*dst, sct) <= 0)
            goto err;
        scts_moved += 1;
    }

    return scts_moved;
E
Emilia Kasper 已提交
4367
 err:
4368
    if (sct != NULL)
E
Emilia Kasper 已提交
4369
        sk_SCT_push(src, sct);  /* Put the SCT back */
4370
    return -1;
4371 4372 4373
}

/*
E
Emilia Kasper 已提交
4374
 * Look for data collected during ServerHello and parse if found.
4375
 * Returns the number of SCTs extracted.
E
Emilia Kasper 已提交
4376
 */
4377 4378 4379 4380
static int ct_extract_tls_extension_scts(SSL *s)
{
    int scts_extracted = 0;

R
Rich Salz 已提交
4381 4382 4383
    if (s->ext.scts != NULL) {
        const unsigned char *p = s->ext.scts;
        STACK_OF(SCT) *scts = o2i_SCT_LIST(NULL, &p, s->ext.scts_len);
4384 4385 4386 4387 4388 4389 4390 4391 4392 4393 4394 4395 4396 4397 4398 4399 4400 4401 4402

        scts_extracted = ct_move_scts(&s->scts, scts, SCT_SOURCE_TLS_EXTENSION);

        SCT_LIST_free(scts);
    }

    return scts_extracted;
}

/*
 * Checks for an OCSP response and then attempts to extract any SCTs found if it
 * contains an SCT X509 extension. They will be stored in |s->scts|.
 * Returns:
 * - The number of SCTs extracted, assuming an OCSP response exists.
 * - 0 if no OCSP response exists or it contains no SCTs.
 * - A negative integer if an error occurs.
 */
static int ct_extract_ocsp_response_scts(SSL *s)
{
E
Emilia Kasper 已提交
4403
# ifndef OPENSSL_NO_OCSP
4404 4405 4406 4407 4408 4409 4410
    int scts_extracted = 0;
    const unsigned char *p;
    OCSP_BASICRESP *br = NULL;
    OCSP_RESPONSE *rsp = NULL;
    STACK_OF(SCT) *scts = NULL;
    int i;

R
Rich Salz 已提交
4411
    if (s->ext.ocsp.resp == NULL || s->ext.ocsp.resp_len == 0)
4412 4413
        goto err;

R
Rich Salz 已提交
4414 4415
    p = s->ext.ocsp.resp;
    rsp = d2i_OCSP_RESPONSE(NULL, &p, (int)s->ext.ocsp.resp_len);
4416 4417 4418 4419 4420 4421 4422 4423 4424 4425 4426 4427 4428
    if (rsp == NULL)
        goto err;

    br = OCSP_response_get1_basic(rsp);
    if (br == NULL)
        goto err;

    for (i = 0; i < OCSP_resp_count(br); ++i) {
        OCSP_SINGLERESP *single = OCSP_resp_get0(br, i);

        if (single == NULL)
            continue;

E
Emilia Kasper 已提交
4429 4430 4431 4432
        scts =
            OCSP_SINGLERESP_get1_ext_d2i(single, NID_ct_cert_scts, NULL, NULL);
        scts_extracted =
            ct_move_scts(&s->scts, scts, SCT_SOURCE_OCSP_STAPLED_RESPONSE);
4433 4434 4435
        if (scts_extracted < 0)
            goto err;
    }
E
Emilia Kasper 已提交
4436
 err:
4437 4438 4439 4440
    SCT_LIST_free(scts);
    OCSP_BASICRESP_free(br);
    OCSP_RESPONSE_free(rsp);
    return scts_extracted;
E
Emilia Kasper 已提交
4441
# else
M
Matt Caswell 已提交
4442 4443
    /* Behave as if no OCSP response exists */
    return 0;
E
Emilia Kasper 已提交
4444
# endif
4445 4446 4447 4448 4449 4450 4451 4452 4453 4454
}

/*
 * Attempts to extract SCTs from the peer certificate.
 * Return the number of SCTs extracted, or a negative integer if an error
 * occurs.
 */
static int ct_extract_x509v3_extension_scts(SSL *s)
{
    int scts_extracted = 0;
4455
    X509 *cert = s->session != NULL ? s->session->peer : NULL;
4456 4457 4458 4459 4460 4461 4462 4463 4464 4465 4466 4467 4468 4469 4470 4471 4472 4473 4474 4475 4476 4477 4478 4479 4480 4481 4482 4483 4484 4485

    if (cert != NULL) {
        STACK_OF(SCT) *scts =
            X509_get_ext_d2i(cert, NID_ct_precert_scts, NULL, NULL);

        scts_extracted =
            ct_move_scts(&s->scts, scts, SCT_SOURCE_X509V3_EXTENSION);

        SCT_LIST_free(scts);
    }

    return scts_extracted;
}

/*
 * Attempts to find all received SCTs by checking TLS extensions, the OCSP
 * response (if it exists) and X509v3 extensions in the certificate.
 * Returns NULL if an error occurs.
 */
const STACK_OF(SCT) *SSL_get0_peer_scts(SSL *s)
{
    if (!s->scts_parsed) {
        if (ct_extract_tls_extension_scts(s) < 0 ||
            ct_extract_ocsp_response_scts(s) < 0 ||
            ct_extract_x509v3_extension_scts(s) < 0)
            goto err;

        s->scts_parsed = 1;
    }
    return s->scts;
E
Emilia Kasper 已提交
4486
 err:
4487 4488 4489
    return NULL;
}

E
Emilia Kasper 已提交
4490
static int ct_permissive(const CT_POLICY_EVAL_CTX * ctx,
4491
                         const STACK_OF(SCT) *scts, void *unused_arg)
4492
{
4493 4494 4495
    return 1;
}

E
Emilia Kasper 已提交
4496
static int ct_strict(const CT_POLICY_EVAL_CTX * ctx,
4497 4498 4499 4500
                     const STACK_OF(SCT) *scts, void *unused_arg)
{
    int count = scts != NULL ? sk_SCT_num(scts) : 0;
    int i;
4501

4502 4503 4504 4505 4506 4507 4508 4509 4510 4511 4512 4513 4514 4515
    for (i = 0; i < count; ++i) {
        SCT *sct = sk_SCT_value(scts, i);
        int status = SCT_get_validation_status(sct);

        if (status == SCT_VALIDATION_STATUS_VALID)
            return 1;
    }
    SSLerr(SSL_F_CT_STRICT, SSL_R_NO_VALID_SCTS);
    return 0;
}

int SSL_set_ct_validation_callback(SSL *s, ssl_ct_validation_cb callback,
                                   void *arg)
{
4516 4517 4518 4519 4520
    /*
     * Since code exists that uses the custom extension handler for CT, look
     * for this and throw an error if they have already registered to use CT.
     */
    if (callback != NULL && SSL_CTX_has_client_custom_ext(s->ctx,
E
Emilia Kasper 已提交
4521 4522
                                                          TLSEXT_TYPE_signed_certificate_timestamp))
    {
4523 4524
        SSLerr(SSL_F_SSL_SET_CT_VALIDATION_CALLBACK,
               SSL_R_CUSTOM_EXT_HANDLER_ALREADY_INSTALLED);
4525
        return 0;
4526 4527 4528
    }

    if (callback != NULL) {
E
Emilia Kasper 已提交
4529 4530 4531
        /*
         * If we are validating CT, then we MUST accept SCTs served via OCSP
         */
4532
        if (!SSL_set_tlsext_status_type(s, TLSEXT_STATUSTYPE_ocsp))
4533
            return 0;
4534 4535
    }

4536 4537 4538 4539
    s->ct_validation_callback = callback;
    s->ct_validation_callback_arg = arg;

    return 1;
4540 4541
}

4542
int SSL_CTX_set_ct_validation_callback(SSL_CTX *ctx,
E
Emilia Kasper 已提交
4543
                                       ssl_ct_validation_cb callback, void *arg)
4544 4545 4546 4547 4548 4549
{
    /*
     * Since code exists that uses the custom extension handler for CT, look for
     * this and throw an error if they have already registered to use CT.
     */
    if (callback != NULL && SSL_CTX_has_client_custom_ext(ctx,
E
Emilia Kasper 已提交
4550 4551
                                                          TLSEXT_TYPE_signed_certificate_timestamp))
    {
4552 4553
        SSLerr(SSL_F_SSL_CTX_SET_CT_VALIDATION_CALLBACK,
               SSL_R_CUSTOM_EXT_HANDLER_ALREADY_INSTALLED);
4554
        return 0;
4555 4556 4557 4558
    }

    ctx->ct_validation_callback = callback;
    ctx->ct_validation_callback_arg = arg;
4559
    return 1;
4560 4561
}

4562
int SSL_ct_is_enabled(const SSL *s)
4563
{
4564
    return s->ct_validation_callback != NULL;
4565 4566
}

4567
int SSL_CTX_ct_is_enabled(const SSL_CTX *ctx)
4568
{
4569
    return ctx->ct_validation_callback != NULL;
4570 4571
}

4572
int ssl_validate_ct(SSL *s)
4573 4574
{
    int ret = 0;
4575
    X509 *cert = s->session != NULL ? s->session->peer : NULL;
4576
    X509 *issuer;
4577
    SSL_DANE *dane = &s->dane;
4578 4579 4580
    CT_POLICY_EVAL_CTX *ctx = NULL;
    const STACK_OF(SCT) *scts;

4581 4582 4583 4584 4585 4586 4587 4588 4589 4590 4591 4592 4593
    /*
     * If no callback is set, the peer is anonymous, or its chain is invalid,
     * skip SCT validation - just return success.  Applications that continue
     * handshakes without certificates, with unverified chains, or pinned leaf
     * certificates are outside the scope of the WebPKI and CT.
     *
     * The above exclusions notwithstanding the vast majority of peers will
     * have rather ordinary certificate chains validated by typical
     * applications that perform certificate verification and therefore will
     * process SCTs when enabled.
     */
    if (s->ct_validation_callback == NULL || cert == NULL ||
        s->verify_result != X509_V_OK ||
E
Emilia Kasper 已提交
4594
        s->verified_chain == NULL || sk_X509_num(s->verified_chain) <= 1)
4595 4596
        return 1;

4597 4598 4599 4600 4601 4602 4603 4604 4605 4606
    /*
     * CT not applicable for chains validated via DANE-TA(2) or DANE-EE(3)
     * trust-anchors.  See https://tools.ietf.org/html/rfc7671#section-4.2
     */
    if (DANETLS_ENABLED(dane) && dane->mtlsa != NULL) {
        switch (dane->mtlsa->usage) {
        case DANETLS_USAGE_DANE_TA:
        case DANETLS_USAGE_DANE_EE:
            return 1;
        }
4607 4608 4609 4610 4611 4612 4613 4614
    }

    ctx = CT_POLICY_EVAL_CTX_new();
    if (ctx == NULL) {
        SSLerr(SSL_F_SSL_VALIDATE_CT, ERR_R_MALLOC_FAILURE);
        goto end;
    }

4615
    issuer = sk_X509_value(s->verified_chain, 1);
R
Rob Percival 已提交
4616 4617 4618
    CT_POLICY_EVAL_CTX_set1_cert(ctx, cert);
    CT_POLICY_EVAL_CTX_set1_issuer(ctx, issuer);
    CT_POLICY_EVAL_CTX_set_shared_CTLOG_STORE(ctx, s->ctx->ctlog_store);
4619 4620
    CT_POLICY_EVAL_CTX_set_time(
            ctx, (uint64_t)SSL_SESSION_get_time(SSL_get0_session(s)) * 1000);
4621 4622 4623

    scts = SSL_get0_peer_scts(s);

4624 4625 4626 4627 4628 4629 4630 4631 4632
    /*
     * This function returns success (> 0) only when all the SCTs are valid, 0
     * when some are invalid, and < 0 on various internal errors (out of
     * memory, etc.).  Having some, or even all, invalid SCTs is not sufficient
     * reason to abort the handshake, that decision is up to the callback.
     * Therefore, we error out only in the unexpected case that the return
     * value is negative.
     *
     * XXX: One might well argue that the return value of this function is an
F
FdaSilvaYY 已提交
4633
     * unfortunate design choice.  Its job is only to determine the validation
4634 4635 4636 4637 4638
     * status of each of the provided SCTs.  So long as it correctly separates
     * the wheat from the chaff it should return success.  Failure in this case
     * ought to correspond to an inability to carry out its duties.
     */
    if (SCT_LIST_validate(scts, ctx) < 0) {
4639 4640 4641 4642 4643 4644
        SSLerr(SSL_F_SSL_VALIDATE_CT, SSL_R_SCT_VERIFICATION_FAILED);
        goto end;
    }

    ret = s->ct_validation_callback(ctx, scts, s->ct_validation_callback_arg);
    if (ret < 0)
E
Emilia Kasper 已提交
4645
        ret = 0;                /* This function returns 0 on failure */
4646

E
Emilia Kasper 已提交
4647
 end:
4648
    CT_POLICY_EVAL_CTX_free(ctx);
4649 4650 4651 4652 4653 4654 4655 4656 4657 4658 4659 4660 4661 4662 4663 4664 4665
    /*
     * With SSL_VERIFY_NONE the session may be cached and re-used despite a
     * failure return code here.  Also the application may wish the complete
     * the handshake, and then disconnect cleanly at a higher layer, after
     * checking the verification status of the completed connection.
     *
     * We therefore force a certificate verification failure which will be
     * visible via SSL_get_verify_result() and cached as part of any resumed
     * session.
     *
     * Note: the permissive callback is for information gathering only, always
     * returns success, and does not affect verification status.  Only the
     * strict callback or a custom application-specified callback can trigger
     * connection failure or record a verification error.
     */
    if (ret <= 0)
        s->verify_result = X509_V_ERR_NO_VALID_SCTS;
4666 4667 4668
    return ret;
}

4669 4670 4671 4672 4673 4674 4675 4676 4677 4678 4679 4680 4681 4682 4683 4684 4685 4686 4687 4688 4689 4690 4691 4692 4693 4694
int SSL_CTX_enable_ct(SSL_CTX *ctx, int validation_mode)
{
    switch (validation_mode) {
    default:
        SSLerr(SSL_F_SSL_CTX_ENABLE_CT, SSL_R_INVALID_CT_VALIDATION_TYPE);
        return 0;
    case SSL_CT_VALIDATION_PERMISSIVE:
        return SSL_CTX_set_ct_validation_callback(ctx, ct_permissive, NULL);
    case SSL_CT_VALIDATION_STRICT:
        return SSL_CTX_set_ct_validation_callback(ctx, ct_strict, NULL);
    }
}

int SSL_enable_ct(SSL *s, int validation_mode)
{
    switch (validation_mode) {
    default:
        SSLerr(SSL_F_SSL_ENABLE_CT, SSL_R_INVALID_CT_VALIDATION_TYPE);
        return 0;
    case SSL_CT_VALIDATION_PERMISSIVE:
        return SSL_set_ct_validation_callback(s, ct_permissive, NULL);
    case SSL_CT_VALIDATION_STRICT:
        return SSL_set_ct_validation_callback(s, ct_strict, NULL);
    }
}

4695 4696
int SSL_CTX_set_default_ctlog_list_file(SSL_CTX *ctx)
{
4697
    return CTLOG_STORE_load_default_file(ctx->ctlog_store);
4698 4699 4700 4701 4702 4703 4704
}

int SSL_CTX_set_ctlog_list_file(SSL_CTX *ctx, const char *path)
{
    return CTLOG_STORE_load_file(ctx->ctlog_store, path);
}

E
Emilia Kasper 已提交
4705
void SSL_CTX_set0_ctlog_store(SSL_CTX *ctx, CTLOG_STORE * logs)
R
Rob Percival 已提交
4706 4707 4708 4709 4710 4711 4712 4713 4714 4715
{
    CTLOG_STORE_free(ctx->ctlog_store);
    ctx->ctlog_store = logs;
}

const CTLOG_STORE *SSL_CTX_get0_ctlog_store(const SSL_CTX *ctx)
{
    return ctx->ctlog_store;
}

B
Benjamin Kaduk 已提交
4716 4717
#endif  /* OPENSSL_NO_CT */

4718 4719
void SSL_CTX_set_client_hello_cb(SSL_CTX *c, SSL_client_hello_cb_fn cb,
                                 void *arg)
B
Benjamin Kaduk 已提交
4720
{
4721 4722
    c->client_hello_cb = cb;
    c->client_hello_cb_arg = arg;
B
Benjamin Kaduk 已提交
4723 4724
}

4725
int SSL_client_hello_isv2(SSL *s)
B
Benjamin Kaduk 已提交
4726 4727 4728 4729 4730 4731
{
    if (s->clienthello == NULL)
        return 0;
    return s->clienthello->isv2;
}

4732
unsigned int SSL_client_hello_get0_legacy_version(SSL *s)
B
Benjamin Kaduk 已提交
4733 4734 4735 4736 4737 4738
{
    if (s->clienthello == NULL)
        return 0;
    return s->clienthello->legacy_version;
}

4739
size_t SSL_client_hello_get0_random(SSL *s, const unsigned char **out)
B
Benjamin Kaduk 已提交
4740 4741 4742 4743 4744 4745 4746 4747
{
    if (s->clienthello == NULL)
        return 0;
    if (out != NULL)
        *out = s->clienthello->random;
    return SSL3_RANDOM_SIZE;
}

4748
size_t SSL_client_hello_get0_session_id(SSL *s, const unsigned char **out)
B
Benjamin Kaduk 已提交
4749 4750 4751 4752 4753 4754 4755 4756
{
    if (s->clienthello == NULL)
        return 0;
    if (out != NULL)
        *out = s->clienthello->session_id;
    return s->clienthello->session_id_len;
}

4757
size_t SSL_client_hello_get0_ciphers(SSL *s, const unsigned char **out)
B
Benjamin Kaduk 已提交
4758 4759 4760 4761 4762 4763 4764 4765
{
    if (s->clienthello == NULL)
        return 0;
    if (out != NULL)
        *out = PACKET_data(&s->clienthello->ciphersuites);
    return PACKET_remaining(&s->clienthello->ciphersuites);
}

4766
size_t SSL_client_hello_get0_compression_methods(SSL *s, const unsigned char **out)
B
Benjamin Kaduk 已提交
4767 4768 4769 4770 4771 4772 4773 4774
{
    if (s->clienthello == NULL)
        return 0;
    if (out != NULL)
        *out = s->clienthello->compressions;
    return s->clienthello->compressions_len;
}

4775
int SSL_client_hello_get1_extensions_present(SSL *s, int **out, size_t *outlen)
4776 4777 4778 4779 4780 4781 4782 4783 4784 4785 4786 4787 4788 4789 4790 4791 4792 4793 4794 4795 4796 4797 4798 4799 4800 4801 4802 4803 4804 4805 4806
{
    RAW_EXTENSION *ext;
    int *present;
    size_t num = 0, i;

    if (s->clienthello == NULL || out == NULL || outlen == NULL)
        return 0;
    for (i = 0; i < s->clienthello->pre_proc_exts_len; i++) {
        ext = s->clienthello->pre_proc_exts + i;
        if (ext->present)
            num++;
    }
    present = OPENSSL_malloc(sizeof(*present) * num);
    if (present == NULL)
        return 0;
    for (i = 0; i < s->clienthello->pre_proc_exts_len; i++) {
        ext = s->clienthello->pre_proc_exts + i;
        if (ext->present) {
            if (ext->received_order >= num)
                goto err;
            present[ext->received_order] = ext->type;
        }
    }
    *out = present;
    *outlen = num;
    return 1;
 err:
    OPENSSL_free(present);
    return 0;
}

4807
int SSL_client_hello_get0_ext(SSL *s, unsigned int type, const unsigned char **out,
B
Benjamin Kaduk 已提交
4808 4809 4810 4811 4812 4813 4814 4815 4816 4817 4818 4819 4820 4821 4822 4823 4824 4825 4826
                       size_t *outlen)
{
    size_t i;
    RAW_EXTENSION *r;

    if (s->clienthello == NULL)
        return 0;
    for (i = 0; i < s->clienthello->pre_proc_exts_len; ++i) {
        r = s->clienthello->pre_proc_exts + i;
        if (r->present && r->type == type) {
            if (out != NULL)
                *out = PACKET_data(&r->data);
            if (outlen != NULL)
                *outlen = PACKET_remaining(&r->data);
            return 1;
        }
    }
    return 0;
}
4827

4828 4829 4830 4831 4832 4833 4834 4835 4836 4837 4838 4839 4840 4841 4842 4843
int SSL_free_buffers(SSL *ssl)
{
    RECORD_LAYER *rl = &ssl->rlayer;

    if (RECORD_LAYER_read_pending(rl) || RECORD_LAYER_write_pending(rl))
        return 0;

    RECORD_LAYER_release(rl);
    return 1;
}

int SSL_alloc_buffers(SSL *ssl)
{
    return ssl3_setup_buffers(ssl);
}

4844 4845 4846 4847 4848 4849 4850 4851 4852 4853 4854 4855 4856 4857 4858 4859 4860 4861 4862 4863 4864 4865 4866 4867 4868 4869 4870 4871 4872 4873 4874 4875 4876 4877 4878 4879 4880 4881 4882 4883 4884 4885 4886 4887 4888 4889 4890 4891 4892 4893 4894 4895 4896 4897 4898 4899 4900 4901 4902 4903 4904 4905 4906 4907 4908 4909 4910 4911 4912 4913 4914 4915 4916
void SSL_CTX_set_keylog_callback(SSL_CTX *ctx, SSL_CTX_keylog_cb_func cb)
{
    ctx->keylog_callback = cb;
}

SSL_CTX_keylog_cb_func SSL_CTX_get_keylog_callback(const SSL_CTX *ctx)
{
    return ctx->keylog_callback;
}

static int nss_keylog_int(const char *prefix,
                          SSL *ssl,
                          const uint8_t *parameter_1,
                          size_t parameter_1_len,
                          const uint8_t *parameter_2,
                          size_t parameter_2_len)
{
    char *out = NULL;
    char *cursor = NULL;
    size_t out_len = 0;
    size_t i;
    size_t prefix_len;

    if (ssl->ctx->keylog_callback == NULL) return 1;

    /*
     * Our output buffer will contain the following strings, rendered with
     * space characters in between, terminated by a NULL character: first the
     * prefix, then the first parameter, then the second parameter. The
     * meaning of each parameter depends on the specific key material being
     * logged. Note that the first and second parameters are encoded in
     * hexadecimal, so we need a buffer that is twice their lengths.
     */
    prefix_len = strlen(prefix);
    out_len = prefix_len + (2*parameter_1_len) + (2*parameter_2_len) + 3;
    if ((out = cursor = OPENSSL_malloc(out_len)) == NULL) {
        SSLerr(SSL_F_NSS_KEYLOG_INT, ERR_R_MALLOC_FAILURE);
        return 0;
    }

    strcpy(cursor, prefix);
    cursor += prefix_len;
    *cursor++ = ' ';

    for (i = 0; i < parameter_1_len; i++) {
        sprintf(cursor, "%02x", parameter_1[i]);
        cursor += 2;
    }
    *cursor++ = ' ';

    for (i = 0; i < parameter_2_len; i++) {
        sprintf(cursor, "%02x", parameter_2[i]);
        cursor += 2;
    }
    *cursor = '\0';

    ssl->ctx->keylog_callback(ssl, (const char *)out);
    OPENSSL_free(out);
    return 1;

}

int ssl_log_rsa_client_key_exchange(SSL *ssl,
                                    const uint8_t *encrypted_premaster,
                                    size_t encrypted_premaster_len,
                                    const uint8_t *premaster,
                                    size_t premaster_len)
{
    if (encrypted_premaster_len < 8) {
        SSLerr(SSL_F_SSL_LOG_RSA_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
        return 0;
    }

4917
    /* We only want the first 8 bytes of the encrypted premaster as a tag. */
4918 4919 4920
    return nss_keylog_int("RSA",
                          ssl,
                          encrypted_premaster,
4921
                          8,
4922 4923 4924 4925
                          premaster,
                          premaster_len);
}

4926 4927 4928 4929
int ssl_log_secret(SSL *ssl,
                   const char *label,
                   const uint8_t *secret,
                   size_t secret_len)
4930
{
4931
    return nss_keylog_int(label,
4932
                          ssl,
4933 4934 4935 4936
                          ssl->s3->client_random,
                          SSL3_RANDOM_SIZE,
                          secret,
                          secret_len);
4937 4938
}

4939 4940
#define SSLV2_CIPHER_LEN    3

4941 4942
int ssl_cache_cipherlist(SSL *s, PACKET *cipher_suites, int sslv2format,
                         int *al)
4943 4944 4945 4946 4947 4948
{
    int n;

    n = sslv2format ? SSLV2_CIPHER_LEN : TLS_CIPHER_LEN;

    if (PACKET_remaining(cipher_suites) == 0) {
4949
        SSLerr(SSL_F_SSL_CACHE_CIPHERLIST, SSL_R_NO_CIPHERS_SPECIFIED);
4950
        *al = SSL_AD_ILLEGAL_PARAMETER;
4951
        return 0;
4952 4953 4954
    }

    if (PACKET_remaining(cipher_suites) % n != 0) {
4955
        SSLerr(SSL_F_SSL_CACHE_CIPHERLIST,
4956 4957
               SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST);
        *al = SSL_AD_DECODE_ERROR;
4958
        return 0;
4959 4960 4961 4962 4963 4964 4965 4966 4967 4968 4969 4970 4971 4972 4973 4974 4975 4976 4977 4978 4979 4980 4981 4982 4983 4984 4985 4986 4987 4988 4989 4990 4991 4992
    }

    OPENSSL_free(s->s3->tmp.ciphers_raw);
    s->s3->tmp.ciphers_raw = NULL;
    s->s3->tmp.ciphers_rawlen = 0;

    if (sslv2format) {
        size_t numciphers = PACKET_remaining(cipher_suites) / n;
        PACKET sslv2ciphers = *cipher_suites;
        unsigned int leadbyte;
        unsigned char *raw;

        /*
         * We store the raw ciphers list in SSLv3+ format so we need to do some
         * preprocessing to convert the list first. If there are any SSLv2 only
         * ciphersuites with a non-zero leading byte then we are going to
         * slightly over allocate because we won't store those. But that isn't a
         * problem.
         */
        raw = OPENSSL_malloc(numciphers * TLS_CIPHER_LEN);
        s->s3->tmp.ciphers_raw = raw;
        if (raw == NULL) {
            *al = SSL_AD_INTERNAL_ERROR;
            goto err;
        }
        for (s->s3->tmp.ciphers_rawlen = 0;
             PACKET_remaining(&sslv2ciphers) > 0;
             raw += TLS_CIPHER_LEN) {
            if (!PACKET_get_1(&sslv2ciphers, &leadbyte)
                    || (leadbyte == 0
                        && !PACKET_copy_bytes(&sslv2ciphers, raw,
                                              TLS_CIPHER_LEN))
                    || (leadbyte != 0
                        && !PACKET_forward(&sslv2ciphers, TLS_CIPHER_LEN))) {
4993
                *al = SSL_AD_DECODE_ERROR;
4994 4995 4996 4997 4998 4999 5000 5001 5002 5003 5004 5005 5006
                OPENSSL_free(s->s3->tmp.ciphers_raw);
                s->s3->tmp.ciphers_raw = NULL;
                s->s3->tmp.ciphers_rawlen = 0;
                goto err;
            }
            if (leadbyte == 0)
                s->s3->tmp.ciphers_rawlen += TLS_CIPHER_LEN;
        }
    } else if (!PACKET_memdup(cipher_suites, &s->s3->tmp.ciphers_raw,
                           &s->s3->tmp.ciphers_rawlen)) {
        *al = SSL_AD_INTERNAL_ERROR;
        goto err;
    }
5007 5008 5009 5010 5011 5012 5013 5014 5015 5016 5017 5018 5019 5020 5021 5022 5023 5024 5025 5026 5027 5028 5029 5030 5031 5032 5033 5034 5035 5036 5037 5038 5039 5040 5041 5042 5043 5044 5045 5046 5047 5048 5049 5050 5051 5052 5053 5054 5055 5056 5057
    return 1;
 err:
    return 0;
}

int SSL_bytes_to_cipher_list(SSL *s, const unsigned char *bytes, size_t len,
                             int isv2format, STACK_OF(SSL_CIPHER) **sk,
                             STACK_OF(SSL_CIPHER) **scsvs)
{
    int alert;
    PACKET pkt;

    if (!PACKET_buf_init(&pkt, bytes, len))
        return 0;
    return bytes_to_cipher_list(s, &pkt, sk, scsvs, isv2format, &alert);
}

int bytes_to_cipher_list(SSL *s, PACKET *cipher_suites,
                         STACK_OF(SSL_CIPHER) **skp,
                         STACK_OF(SSL_CIPHER) **scsvs_out,
                         int sslv2format, int *al)
{
    const SSL_CIPHER *c;
    STACK_OF(SSL_CIPHER) *sk = NULL;
    STACK_OF(SSL_CIPHER) *scsvs = NULL;
    int n;
    /* 3 = SSLV2_CIPHER_LEN > TLS_CIPHER_LEN = 2. */
    unsigned char cipher[SSLV2_CIPHER_LEN];

    n = sslv2format ? SSLV2_CIPHER_LEN : TLS_CIPHER_LEN;

    if (PACKET_remaining(cipher_suites) == 0) {
        SSLerr(SSL_F_BYTES_TO_CIPHER_LIST, SSL_R_NO_CIPHERS_SPECIFIED);
        *al = SSL_AD_ILLEGAL_PARAMETER;
        return 0;
    }

    if (PACKET_remaining(cipher_suites) % n != 0) {
        SSLerr(SSL_F_BYTES_TO_CIPHER_LIST,
               SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST);
        *al = SSL_AD_DECODE_ERROR;
        return 0;
    }

    sk = sk_SSL_CIPHER_new_null();
    scsvs = sk_SSL_CIPHER_new_null();
    if (sk == NULL || scsvs == NULL) {
        SSLerr(SSL_F_BYTES_TO_CIPHER_LIST, ERR_R_MALLOC_FAILURE);
        *al = SSL_AD_INTERNAL_ERROR;
        goto err;
    }
5058 5059 5060 5061 5062 5063 5064 5065 5066 5067 5068 5069 5070

    while (PACKET_copy_bytes(cipher_suites, cipher, n)) {
        /*
         * SSLv3 ciphers wrapped in an SSLv2-compatible ClientHello have the
         * first byte set to zero, while true SSLv2 ciphers have a non-zero
         * first byte. We don't support any true SSLv2 ciphers, so skip them.
         */
        if (sslv2format && cipher[0] != '\0')
            continue;

        /* For SSLv2-compat, ignore leading 0-byte. */
        c = ssl_get_cipher_by_char(s, sslv2format ? &cipher[1] : cipher, 1);
        if (c != NULL) {
5071 5072
            if ((c->valid && !sk_SSL_CIPHER_push(sk, c)) ||
                (!c->valid && !sk_SSL_CIPHER_push(scsvs, c))) {
5073 5074 5075 5076 5077 5078 5079
                SSLerr(SSL_F_BYTES_TO_CIPHER_LIST, ERR_R_MALLOC_FAILURE);
                *al = SSL_AD_INTERNAL_ERROR;
                goto err;
            }
        }
    }
    if (PACKET_remaining(cipher_suites) > 0) {
5080 5081
        *al = SSL_AD_DECODE_ERROR;
        SSLerr(SSL_F_BYTES_TO_CIPHER_LIST, SSL_R_BAD_LENGTH);
5082 5083 5084
        goto err;
    }

5085 5086 5087 5088 5089 5090 5091 5092 5093
    if (skp != NULL)
        *skp = sk;
    else
        sk_SSL_CIPHER_free(sk);
    if (scsvs_out != NULL)
        *scsvs_out = scsvs;
    else
        sk_SSL_CIPHER_free(scsvs);
    return 1;
5094 5095
 err:
    sk_SSL_CIPHER_free(sk);
5096 5097
    sk_SSL_CIPHER_free(scsvs);
    return 0;
5098
}
5099 5100 5101 5102 5103 5104 5105 5106

int SSL_CTX_set_max_early_data(SSL_CTX *ctx, uint32_t max_early_data)
{
    ctx->max_early_data = max_early_data;

    return 1;
}

5107
uint32_t SSL_CTX_get_max_early_data(const SSL_CTX *ctx)
5108 5109 5110 5111 5112 5113 5114 5115 5116 5117 5118
{
    return ctx->max_early_data;
}

int SSL_set_max_early_data(SSL *s, uint32_t max_early_data)
{
    s->max_early_data = max_early_data;

    return 1;
}

5119
uint32_t SSL_get_max_early_data(const SSL *s)
5120 5121 5122
{
    return s->max_early_data;
}
R
Rich Salz 已提交
5123 5124 5125 5126 5127 5128 5129

int ssl_randbytes(SSL *s, unsigned char *rnd, size_t size)
{
    if (s->drbg != NULL)
        return RAND_DRBG_generate(s->drbg, rnd, size, 0, NULL, 0);
    return RAND_bytes(rnd, (int)size);
}