File: | src/lib/libssl/ssl_lib.c |
Warning: | line 360, column 2 Potential leak of memory pointed to by 's' |
Press '?' to see keyboard shortcuts
Keyboard shortcuts:
1 | /* $OpenBSD: ssl_lib.c,v 1.286 2022/01/11 18:43:00 jsing Exp $ */ | |||
2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | |||
3 | * All rights reserved. | |||
4 | * | |||
5 | * This package is an SSL implementation written | |||
6 | * by Eric Young (eay@cryptsoft.com). | |||
7 | * The implementation was written so as to conform with Netscapes SSL. | |||
8 | * | |||
9 | * This library is free for commercial and non-commercial use as long as | |||
10 | * the following conditions are aheared to. The following conditions | |||
11 | * apply to all code found in this distribution, be it the RC4, RSA, | |||
12 | * lhash, DES, etc., code; not just the SSL code. The SSL documentation | |||
13 | * included with this distribution is covered by the same copyright terms | |||
14 | * except that the holder is Tim Hudson (tjh@cryptsoft.com). | |||
15 | * | |||
16 | * Copyright remains Eric Young's, and as such any Copyright notices in | |||
17 | * the code are not to be removed. | |||
18 | * If this package is used in a product, Eric Young should be given attribution | |||
19 | * as the author of the parts of the library used. | |||
20 | * This can be in the form of a textual message at program startup or | |||
21 | * in documentation (online or textual) provided with the package. | |||
22 | * | |||
23 | * Redistribution and use in source and binary forms, with or without | |||
24 | * modification, are permitted provided that the following conditions | |||
25 | * are met: | |||
26 | * 1. Redistributions of source code must retain the copyright | |||
27 | * notice, this list of conditions and the following disclaimer. | |||
28 | * 2. Redistributions in binary form must reproduce the above copyright | |||
29 | * notice, this list of conditions and the following disclaimer in the | |||
30 | * documentation and/or other materials provided with the distribution. | |||
31 | * 3. All advertising materials mentioning features or use of this software | |||
32 | * must display the following acknowledgement: | |||
33 | * "This product includes cryptographic software written by | |||
34 | * Eric Young (eay@cryptsoft.com)" | |||
35 | * The word 'cryptographic' can be left out if the rouines from the library | |||
36 | * being used are not cryptographic related :-). | |||
37 | * 4. If you include any Windows specific code (or a derivative thereof) from | |||
38 | * the apps directory (application code) you must include an acknowledgement: | |||
39 | * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" | |||
40 | * | |||
41 | * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND | |||
42 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | |||
43 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE | |||
44 | * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE | |||
45 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL | |||
46 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS | |||
47 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | |||
48 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT | |||
49 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY | |||
50 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF | |||
51 | * SUCH DAMAGE. | |||
52 | * | |||
53 | * The licence and distribution terms for any publically available version or | |||
54 | * derivative of this code cannot be changed. i.e. this code cannot simply be | |||
55 | * copied and put under another distribution licence | |||
56 | * [including the GNU Public Licence.] | |||
57 | */ | |||
58 | /* ==================================================================== | |||
59 | * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved. | |||
60 | * | |||
61 | * Redistribution and use in source and binary forms, with or without | |||
62 | * modification, are permitted provided that the following conditions | |||
63 | * are met: | |||
64 | * | |||
65 | * 1. Redistributions of source code must retain the above copyright | |||
66 | * notice, this list of conditions and the following disclaimer. | |||
67 | * | |||
68 | * 2. Redistributions in binary form must reproduce the above copyright | |||
69 | * notice, this list of conditions and the following disclaimer in | |||
70 | * the documentation and/or other materials provided with the | |||
71 | * distribution. | |||
72 | * | |||
73 | * 3. All advertising materials mentioning features or use of this | |||
74 | * software must display the following acknowledgment: | |||
75 | * "This product includes software developed by the OpenSSL Project | |||
76 | * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" | |||
77 | * | |||
78 | * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to | |||
79 | * endorse or promote products derived from this software without | |||
80 | * prior written permission. For written permission, please contact | |||
81 | * openssl-core@openssl.org. | |||
82 | * | |||
83 | * 5. Products derived from this software may not be called "OpenSSL" | |||
84 | * nor may "OpenSSL" appear in their names without prior written | |||
85 | * permission of the OpenSSL Project. | |||
86 | * | |||
87 | * 6. Redistributions of any form whatsoever must retain the following | |||
88 | * acknowledgment: | |||
89 | * "This product includes software developed by the OpenSSL Project | |||
90 | * for use in the OpenSSL Toolkit (http://www.openssl.org/)" | |||
91 | * | |||
92 | * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY | |||
93 | * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | |||
94 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR | |||
95 | * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR | |||
96 | * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, | |||
97 | * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT | |||
98 | * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; | |||
99 | * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | |||
100 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, | |||
101 | * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) | |||
102 | * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED | |||
103 | * OF THE POSSIBILITY OF SUCH DAMAGE. | |||
104 | * ==================================================================== | |||
105 | * | |||
106 | * This product includes cryptographic software written by Eric Young | |||
107 | * (eay@cryptsoft.com). This product includes software written by Tim | |||
108 | * Hudson (tjh@cryptsoft.com). | |||
109 | * | |||
110 | */ | |||
111 | /* ==================================================================== | |||
112 | * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. | |||
113 | * ECC cipher suite support in OpenSSL originally developed by | |||
114 | * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project. | |||
115 | */ | |||
116 | /* ==================================================================== | |||
117 | * Copyright 2005 Nokia. All rights reserved. | |||
118 | * | |||
119 | * The portions of the attached software ("Contribution") is developed by | |||
120 | * Nokia Corporation and is licensed pursuant to the OpenSSL open source | |||
121 | * license. | |||
122 | * | |||
123 | * The Contribution, originally written by Mika Kousa and Pasi Eronen of | |||
124 | * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites | |||
125 | * support (see RFC 4279) to OpenSSL. | |||
126 | * | |||
127 | * No patent licenses or other rights except those expressly stated in | |||
128 | * the OpenSSL open source license shall be deemed granted or received | |||
129 | * expressly, by implication, estoppel, or otherwise. | |||
130 | * | |||
131 | * No assurances are provided by Nokia that the Contribution does not | |||
132 | * infringe the patent or other intellectual property rights of any third | |||
133 | * party or that the license provides you with all the necessary rights | |||
134 | * to make use of the Contribution. | |||
135 | * | |||
136 | * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN | |||
137 | * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA | |||
138 | * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY | |||
139 | * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR | |||
140 | * OTHERWISE. | |||
141 | */ | |||
142 | ||||
143 | #include <arpa/inet.h> | |||
144 | #include <sys/socket.h> | |||
145 | #include <netinet/in.h> | |||
146 | ||||
147 | #include <limits.h> | |||
148 | #include <stdio.h> | |||
149 | ||||
150 | #include <openssl/dh.h> | |||
151 | #include <openssl/lhash.h> | |||
152 | #include <openssl/objects.h> | |||
153 | #include <openssl/ocsp.h> | |||
154 | #include <openssl/opensslconf.h> | |||
155 | #include <openssl/x509v3.h> | |||
156 | ||||
157 | #ifndef OPENSSL_NO_ENGINE | |||
158 | #include <openssl/engine.h> | |||
159 | #endif | |||
160 | ||||
161 | #include "bytestring.h" | |||
162 | #include "dtls_locl.h" | |||
163 | #include "ssl_locl.h" | |||
164 | #include "ssl_sigalgs.h" | |||
165 | ||||
166 | const char *SSL_version_str = OPENSSL_VERSION_TEXT"LibreSSL 3.5.0"; | |||
167 | ||||
168 | int | |||
169 | SSL_clear(SSL *s) | |||
170 | { | |||
171 | if (s->method == NULL((void*)0)) { | |||
172 | SSLerror(s, SSL_R_NO_METHOD_SPECIFIED)SSL_error_internal(s, 188, "/usr/src/lib/libssl/ssl_lib.c", 172 ); | |||
173 | return (0); | |||
174 | } | |||
175 | ||||
176 | if (ssl_clear_bad_session(s)) { | |||
177 | SSL_SESSION_free(s->session); | |||
178 | s->session = NULL((void*)0); | |||
179 | } | |||
180 | ||||
181 | s->error = 0; | |||
182 | s->internal->hit = 0; | |||
183 | s->internal->shutdown = 0; | |||
184 | ||||
185 | if (s->internal->renegotiate) { | |||
186 | SSLerror(s, ERR_R_INTERNAL_ERROR)SSL_error_internal(s, (4|64), "/usr/src/lib/libssl/ssl_lib.c" , 186); | |||
187 | return (0); | |||
188 | } | |||
189 | ||||
190 | s->version = s->method->version; | |||
191 | s->client_version = s->version; | |||
192 | s->internal->rwstate = SSL_NOTHING1; | |||
193 | s->internal->rstate = SSL_ST_READ_HEADER0xF0; | |||
194 | ||||
195 | tls13_ctx_free(s->internal->tls13); | |||
196 | s->internal->tls13 = NULL((void*)0); | |||
197 | ||||
198 | ssl3_release_init_buffer(s); | |||
199 | ||||
200 | ssl_clear_cipher_state(s); | |||
201 | ||||
202 | s->internal->first_packet = 0; | |||
203 | ||||
204 | /* | |||
205 | * Check to see if we were changed into a different method, if | |||
206 | * so, revert back if we are not doing session-id reuse. | |||
207 | */ | |||
208 | if (!s->internal->in_handshake && (s->session == NULL((void*)0)) && | |||
209 | (s->method != s->ctx->method)) { | |||
210 | s->method->ssl_free(s); | |||
211 | s->method = s->ctx->method; | |||
212 | if (!s->method->ssl_new(s)) | |||
213 | return (0); | |||
214 | } else | |||
215 | s->method->ssl_clear(s); | |||
216 | ||||
217 | return (1); | |||
218 | } | |||
219 | ||||
220 | /* Used to change an SSL_CTXs default SSL method type */ | |||
221 | int | |||
222 | SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *meth) | |||
223 | { | |||
224 | STACK_OF(SSL_CIPHER)struct stack_st_SSL_CIPHER *ciphers; | |||
225 | ||||
226 | ctx->method = meth; | |||
227 | ||||
228 | ciphers = ssl_create_cipher_list(ctx->method, &ctx->cipher_list, | |||
229 | ctx->internal->cipher_list_tls13, SSL_DEFAULT_CIPHER_LIST"ALL:!aNULL:!eNULL:!SSLv2"); | |||
230 | if (ciphers == NULL((void*)0) || sk_SSL_CIPHER_num(ciphers)sk_num(((_STACK*) (1 ? (ciphers) : (struct stack_st_SSL_CIPHER *)0))) <= 0) { | |||
231 | SSLerrorx(SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS)ERR_put_error(20,(0xfff),(230),"/usr/src/lib/libssl/ssl_lib.c" ,231); | |||
232 | return (0); | |||
233 | } | |||
234 | return (1); | |||
235 | } | |||
236 | ||||
237 | SSL * | |||
238 | SSL_new(SSL_CTX *ctx) | |||
239 | { | |||
240 | SSL *s; | |||
241 | ||||
242 | if (ctx == NULL((void*)0)) { | |||
243 | SSLerrorx(SSL_R_NULL_SSL_CTX)ERR_put_error(20,(0xfff),(195),"/usr/src/lib/libssl/ssl_lib.c" ,243); | |||
244 | return (NULL((void*)0)); | |||
245 | } | |||
246 | if (ctx->method == NULL((void*)0)) { | |||
247 | SSLerrorx(SSL_R_SSL_CTX_HAS_NO_DEFAULT_SSL_VERSION)ERR_put_error(20,(0xfff),(228),"/usr/src/lib/libssl/ssl_lib.c" ,247); | |||
248 | return (NULL((void*)0)); | |||
249 | } | |||
250 | ||||
251 | if ((s = calloc(1, sizeof(*s))) == NULL((void*)0)) | |||
252 | goto err; | |||
253 | if ((s->internal = calloc(1, sizeof(*s->internal))) == NULL((void*)0)) | |||
254 | goto err; | |||
255 | ||||
256 | if ((s->internal->rl = tls12_record_layer_new()) == NULL((void*)0)) | |||
257 | goto err; | |||
258 | ||||
259 | s->internal->min_tls_version = ctx->internal->min_tls_version; | |||
260 | s->internal->max_tls_version = ctx->internal->max_tls_version; | |||
261 | s->internal->min_proto_version = ctx->internal->min_proto_version; | |||
262 | s->internal->max_proto_version = ctx->internal->max_proto_version; | |||
263 | ||||
264 | s->internal->options = ctx->internal->options; | |||
265 | s->internal->mode = ctx->internal->mode; | |||
266 | s->internal->max_cert_list = ctx->internal->max_cert_list; | |||
267 | s->internal->num_tickets = ctx->internal->num_tickets; | |||
268 | ||||
269 | if ((s->cert = ssl_cert_dup(ctx->internal->cert)) == NULL((void*)0)) | |||
270 | goto err; | |||
271 | ||||
272 | s->internal->read_ahead = ctx->internal->read_ahead; | |||
273 | s->internal->msg_callback = ctx->internal->msg_callback; | |||
274 | s->internal->msg_callback_arg = ctx->internal->msg_callback_arg; | |||
275 | s->verify_mode = ctx->verify_mode; | |||
276 | s->sid_ctx_length = ctx->sid_ctx_length; | |||
277 | OPENSSL_assert(s->sid_ctx_length <= sizeof s->sid_ctx)(void)((s->sid_ctx_length <= sizeof s->sid_ctx) ? 0 : (OpenSSLDie("/usr/src/lib/libssl/ssl_lib.c", 277, "s->sid_ctx_length <= sizeof s->sid_ctx" ),1)); | |||
278 | memcpy(&s->sid_ctx, &ctx->sid_ctx, sizeof(s->sid_ctx)); | |||
279 | s->internal->verify_callback = ctx->internal->default_verify_callback; | |||
280 | s->internal->generate_session_id = ctx->internal->generate_session_id; | |||
281 | ||||
282 | s->param = X509_VERIFY_PARAM_new(); | |||
283 | if (!s->param) | |||
284 | goto err; | |||
285 | X509_VERIFY_PARAM_inherit(s->param, ctx->param); | |||
286 | s->internal->quiet_shutdown = ctx->internal->quiet_shutdown; | |||
287 | s->max_send_fragment = ctx->internal->max_send_fragment; | |||
288 | ||||
289 | CRYPTO_add(&ctx->references, 1, CRYPTO_LOCK_SSL_CTX)CRYPTO_add_lock(&ctx->references,1,12,((void*)0),0); | |||
290 | s->ctx = ctx; | |||
291 | s->internal->tlsext_debug_cb = 0; | |||
292 | s->internal->tlsext_debug_arg = NULL((void*)0); | |||
293 | s->internal->tlsext_ticket_expected = 0; | |||
294 | s->tlsext_status_type = -1; | |||
295 | s->internal->tlsext_status_expected = 0; | |||
296 | s->internal->tlsext_ocsp_ids = NULL((void*)0); | |||
297 | s->internal->tlsext_ocsp_exts = NULL((void*)0); | |||
298 | s->internal->tlsext_ocsp_resp = NULL((void*)0); | |||
299 | s->internal->tlsext_ocsp_resp_len = 0; | |||
300 | CRYPTO_add(&ctx->references, 1, CRYPTO_LOCK_SSL_CTX)CRYPTO_add_lock(&ctx->references,1,12,((void*)0),0); | |||
301 | s->initial_ctx = ctx; | |||
302 | ||||
303 | if (ctx->internal->tlsext_ecpointformatlist != NULL((void*)0)) { | |||
304 | s->internal->tlsext_ecpointformatlist = | |||
305 | calloc(ctx->internal->tlsext_ecpointformatlist_length, | |||
306 | sizeof(ctx->internal->tlsext_ecpointformatlist[0])); | |||
307 | if (s->internal->tlsext_ecpointformatlist == NULL((void*)0)) | |||
308 | goto err; | |||
309 | memcpy(s->internal->tlsext_ecpointformatlist, | |||
310 | ctx->internal->tlsext_ecpointformatlist, | |||
311 | ctx->internal->tlsext_ecpointformatlist_length * | |||
312 | sizeof(ctx->internal->tlsext_ecpointformatlist[0])); | |||
313 | s->internal->tlsext_ecpointformatlist_length = | |||
314 | ctx->internal->tlsext_ecpointformatlist_length; | |||
315 | } | |||
316 | if (ctx->internal->tlsext_supportedgroups != NULL((void*)0)) { | |||
317 | s->internal->tlsext_supportedgroups = | |||
318 | calloc(ctx->internal->tlsext_supportedgroups_length, | |||
319 | sizeof(ctx->internal->tlsext_supportedgroups[0])); | |||
320 | if (s->internal->tlsext_supportedgroups == NULL((void*)0)) | |||
321 | goto err; | |||
322 | memcpy(s->internal->tlsext_supportedgroups, | |||
323 | ctx->internal->tlsext_supportedgroups, | |||
324 | ctx->internal->tlsext_supportedgroups_length * | |||
325 | sizeof(ctx->internal->tlsext_supportedgroups[0])); | |||
326 | s->internal->tlsext_supportedgroups_length = | |||
327 | ctx->internal->tlsext_supportedgroups_length; | |||
328 | } | |||
329 | ||||
330 | if (s->ctx->internal->alpn_client_proto_list != NULL((void*)0)) { | |||
331 | s->internal->alpn_client_proto_list = | |||
332 | malloc(s->ctx->internal->alpn_client_proto_list_len); | |||
333 | if (s->internal->alpn_client_proto_list == NULL((void*)0)) | |||
334 | goto err; | |||
335 | memcpy(s->internal->alpn_client_proto_list, | |||
336 | s->ctx->internal->alpn_client_proto_list, | |||
337 | s->ctx->internal->alpn_client_proto_list_len); | |||
338 | s->internal->alpn_client_proto_list_len = | |||
339 | s->ctx->internal->alpn_client_proto_list_len; | |||
340 | } | |||
341 | ||||
342 | s->verify_result = X509_V_OK0; | |||
343 | ||||
344 | s->method = ctx->method; | |||
345 | ||||
346 | if (!s->method->ssl_new(s)) | |||
347 | goto err; | |||
348 | ||||
349 | s->references = 1; | |||
350 | s->server = ctx->method->server; | |||
351 | ||||
352 | SSL_clear(s); | |||
353 | ||||
354 | CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL1, s, &s->internal->ex_data); | |||
355 | ||||
356 | return (s); | |||
357 | ||||
358 | err: | |||
359 | SSL_free(s); | |||
360 | SSLerrorx(ERR_R_MALLOC_FAILURE)ERR_put_error(20,(0xfff),((1|64)),"/usr/src/lib/libssl/ssl_lib.c" ,360); | |||
| ||||
361 | return (NULL((void*)0)); | |||
362 | } | |||
363 | ||||
364 | int | |||
365 | SSL_CTX_set_session_id_context(SSL_CTX *ctx, const unsigned char *sid_ctx, | |||
366 | unsigned int sid_ctx_len) | |||
367 | { | |||
368 | if (sid_ctx_len > sizeof ctx->sid_ctx) { | |||
369 | SSLerrorx(SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG)ERR_put_error(20,(0xfff),(273),"/usr/src/lib/libssl/ssl_lib.c" ,369); | |||
370 | return (0); | |||
371 | } | |||
372 | ctx->sid_ctx_length = sid_ctx_len; | |||
373 | memcpy(ctx->sid_ctx, sid_ctx, sid_ctx_len); | |||
374 | ||||
375 | return (1); | |||
376 | } | |||
377 | ||||
378 | int | |||
379 | SSL_set_session_id_context(SSL *ssl, const unsigned char *sid_ctx, | |||
380 | unsigned int sid_ctx_len) | |||
381 | { | |||
382 | if (sid_ctx_len > SSL_MAX_SID_CTX_LENGTH32) { | |||
383 | SSLerror(ssl, SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG)SSL_error_internal(ssl, 273, "/usr/src/lib/libssl/ssl_lib.c", 383); | |||
384 | return (0); | |||
385 | } | |||
386 | ssl->sid_ctx_length = sid_ctx_len; | |||
387 | memcpy(ssl->sid_ctx, sid_ctx, sid_ctx_len); | |||
388 | ||||
389 | return (1); | |||
390 | } | |||
391 | ||||
392 | int | |||
393 | SSL_CTX_set_generate_session_id(SSL_CTX *ctx, GEN_SESSION_CB cb) | |||
394 | { | |||
395 | CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX)CRYPTO_lock(1|8,12,((void*)0),0); | |||
396 | ctx->internal->generate_session_id = cb; | |||
397 | CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX)CRYPTO_lock(2|8,12,((void*)0),0); | |||
398 | return (1); | |||
399 | } | |||
400 | ||||
401 | int | |||
402 | SSL_set_generate_session_id(SSL *ssl, GEN_SESSION_CB cb) | |||
403 | { | |||
404 | CRYPTO_w_lock(CRYPTO_LOCK_SSL)CRYPTO_lock(1|8,16,((void*)0),0); | |||
405 | ssl->internal->generate_session_id = cb; | |||
406 | CRYPTO_w_unlock(CRYPTO_LOCK_SSL)CRYPTO_lock(2|8,16,((void*)0),0); | |||
407 | return (1); | |||
408 | } | |||
409 | ||||
410 | int | |||
411 | SSL_has_matching_session_id(const SSL *ssl, const unsigned char *id, | |||
412 | unsigned int id_len) | |||
413 | { | |||
414 | /* | |||
415 | * A quick examination of SSL_SESSION_hash and SSL_SESSION_cmp | |||
416 | * shows how we can "construct" a session to give us the desired | |||
417 | * check - ie. to find if there's a session in the hash table | |||
418 | * that would conflict with any new session built out of this | |||
419 | * id/id_len and the ssl_version in use by this SSL. | |||
420 | */ | |||
421 | SSL_SESSION r, *p; | |||
422 | ||||
423 | if (id_len > sizeof r.session_id) | |||
424 | return (0); | |||
425 | ||||
426 | r.ssl_version = ssl->version; | |||
427 | r.session_id_length = id_len; | |||
428 | memcpy(r.session_id, id, id_len); | |||
429 | ||||
430 | CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX)CRYPTO_lock(1|4,12,((void*)0),0); | |||
431 | p = lh_SSL_SESSION_retrieve(ssl->ctx->internal->sessions, &r)((SSL_SESSION *)lh_retrieve(((_LHASH *)((void*) (1 ? ssl-> ctx->internal->sessions : (struct lhash_st_SSL_SESSION* )0))), ((void*) (1 ? &r : (SSL_SESSION*)0)))); | |||
432 | CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX)CRYPTO_lock(2|4,12,((void*)0),0); | |||
433 | return (p != NULL((void*)0)); | |||
434 | } | |||
435 | ||||
436 | int | |||
437 | SSL_CTX_set_purpose(SSL_CTX *s, int purpose) | |||
438 | { | |||
439 | return (X509_VERIFY_PARAM_set_purpose(s->param, purpose)); | |||
440 | } | |||
441 | ||||
442 | int | |||
443 | SSL_set_purpose(SSL *s, int purpose) | |||
444 | { | |||
445 | return (X509_VERIFY_PARAM_set_purpose(s->param, purpose)); | |||
446 | } | |||
447 | ||||
448 | int | |||
449 | SSL_CTX_set_trust(SSL_CTX *s, int trust) | |||
450 | { | |||
451 | return (X509_VERIFY_PARAM_set_trust(s->param, trust)); | |||
452 | } | |||
453 | ||||
454 | int | |||
455 | SSL_set_trust(SSL *s, int trust) | |||
456 | { | |||
457 | return (X509_VERIFY_PARAM_set_trust(s->param, trust)); | |||
458 | } | |||
459 | ||||
460 | int | |||
461 | SSL_set1_host(SSL *s, const char *hostname) | |||
462 | { | |||
463 | struct in_addr ina; | |||
464 | struct in6_addr in6a; | |||
465 | ||||
466 | if (hostname != NULL((void*)0) && *hostname != '\0' && | |||
467 | (inet_pton(AF_INET2, hostname, &ina) == 1 || | |||
468 | inet_pton(AF_INET624, hostname, &in6a) == 1)) | |||
469 | return X509_VERIFY_PARAM_set1_ip_asc(s->param, hostname); | |||
470 | else | |||
471 | return X509_VERIFY_PARAM_set1_host(s->param, hostname, 0); | |||
472 | } | |||
473 | ||||
474 | void | |||
475 | SSL_set_hostflags(SSL *s, unsigned int flags) | |||
476 | { | |||
477 | X509_VERIFY_PARAM_set_hostflags(s->param, flags); | |||
478 | } | |||
479 | ||||
480 | const char * | |||
481 | SSL_get0_peername(SSL *s) | |||
482 | { | |||
483 | return X509_VERIFY_PARAM_get0_peername(s->param); | |||
484 | } | |||
485 | ||||
486 | X509_VERIFY_PARAM * | |||
487 | SSL_CTX_get0_param(SSL_CTX *ctx) | |||
488 | { | |||
489 | return (ctx->param); | |||
490 | } | |||
491 | ||||
492 | int | |||
493 | SSL_CTX_set1_param(SSL_CTX *ctx, X509_VERIFY_PARAM *vpm) | |||
494 | { | |||
495 | return (X509_VERIFY_PARAM_set1(ctx->param, vpm)); | |||
496 | } | |||
497 | ||||
498 | X509_VERIFY_PARAM * | |||
499 | SSL_get0_param(SSL *ssl) | |||
500 | { | |||
501 | return (ssl->param); | |||
502 | } | |||
503 | ||||
504 | int | |||
505 | SSL_set1_param(SSL *ssl, X509_VERIFY_PARAM *vpm) | |||
506 | { | |||
507 | return (X509_VERIFY_PARAM_set1(ssl->param, vpm)); | |||
508 | } | |||
509 | ||||
510 | void | |||
511 | SSL_free(SSL *s) | |||
512 | { | |||
513 | int i; | |||
514 | ||||
515 | if (s == NULL((void*)0)) | |||
516 | return; | |||
517 | ||||
518 | i = CRYPTO_add(&s->references, -1, CRYPTO_LOCK_SSL)CRYPTO_add_lock(&s->references,-1,16,((void*)0),0); | |||
519 | if (i > 0) | |||
520 | return; | |||
521 | ||||
522 | X509_VERIFY_PARAM_free(s->param); | |||
523 | ||||
524 | CRYPTO_free_ex_data(CRYPTO_EX_INDEX_SSL1, s, &s->internal->ex_data); | |||
525 | ||||
526 | if (s->bbio != NULL((void*)0)) { | |||
527 | /* If the buffering BIO is in place, pop it off */ | |||
528 | if (s->bbio == s->wbio) { | |||
529 | s->wbio = BIO_pop(s->wbio); | |||
530 | } | |||
531 | BIO_free(s->bbio); | |||
532 | s->bbio = NULL((void*)0); | |||
533 | } | |||
534 | ||||
535 | if (s->rbio != s->wbio) | |||
536 | BIO_free_all(s->rbio); | |||
537 | BIO_free_all(s->wbio); | |||
538 | ||||
539 | tls13_ctx_free(s->internal->tls13); | |||
540 | ||||
541 | ssl3_release_init_buffer(s); | |||
542 | ||||
543 | sk_SSL_CIPHER_free(s->cipher_list)sk_free(((_STACK*) (1 ? (s->cipher_list) : (struct stack_st_SSL_CIPHER *)0))); | |||
544 | sk_SSL_CIPHER_free(s->internal->cipher_list_tls13)sk_free(((_STACK*) (1 ? (s->internal->cipher_list_tls13 ) : (struct stack_st_SSL_CIPHER*)0))); | |||
545 | ||||
546 | /* Make the next call work :-) */ | |||
547 | if (s->session != NULL((void*)0)) { | |||
548 | ssl_clear_bad_session(s); | |||
549 | SSL_SESSION_free(s->session); | |||
550 | } | |||
551 | ||||
552 | ssl_clear_cipher_state(s); | |||
553 | ||||
554 | ssl_cert_free(s->cert); | |||
555 | ||||
556 | free(s->tlsext_hostname); | |||
557 | SSL_CTX_free(s->initial_ctx); | |||
558 | ||||
559 | free(s->internal->tlsext_ecpointformatlist); | |||
560 | free(s->internal->tlsext_supportedgroups); | |||
561 | ||||
562 | sk_X509_EXTENSION_pop_free(s->internal->tlsext_ocsp_exts,sk_pop_free(((_STACK*) (1 ? (s->internal->tlsext_ocsp_exts ) : (struct stack_st_X509_EXTENSION*)0)), ((void (*)(void *)) ((1 ? (X509_EXTENSION_free) : (void (*)(X509_EXTENSION *))0) ))) | |||
563 | X509_EXTENSION_free)sk_pop_free(((_STACK*) (1 ? (s->internal->tlsext_ocsp_exts ) : (struct stack_st_X509_EXTENSION*)0)), ((void (*)(void *)) ((1 ? (X509_EXTENSION_free) : (void (*)(X509_EXTENSION *))0) ))); | |||
564 | sk_OCSP_RESPID_pop_free(s->internal->tlsext_ocsp_ids, OCSP_RESPID_free)sk_pop_free(((_STACK*) (1 ? (s->internal->tlsext_ocsp_ids ) : (struct stack_st_OCSP_RESPID*)0)), ((void (*)(void *)) (( 1 ? (OCSP_RESPID_free) : (void (*)(OCSP_RESPID *))0)))); | |||
565 | free(s->internal->tlsext_ocsp_resp); | |||
566 | ||||
567 | sk_X509_NAME_pop_free(s->internal->client_CA, X509_NAME_free)sk_pop_free(((_STACK*) (1 ? (s->internal->client_CA) : ( struct stack_st_X509_NAME*)0)), ((void (*)(void *)) ((1 ? (X509_NAME_free ) : (void (*)(X509_NAME *))0)))); | |||
568 | ||||
569 | if (s->method != NULL((void*)0)) | |||
570 | s->method->ssl_free(s); | |||
571 | ||||
572 | SSL_CTX_free(s->ctx); | |||
573 | ||||
574 | free(s->internal->alpn_client_proto_list); | |||
575 | ||||
576 | #ifndef OPENSSL_NO_SRTP | |||
577 | sk_SRTP_PROTECTION_PROFILE_free(s->internal->srtp_profiles)sk_free(((_STACK*) (1 ? (s->internal->srtp_profiles) : ( struct stack_st_SRTP_PROTECTION_PROFILE*)0))); | |||
578 | #endif | |||
579 | ||||
580 | tls12_record_layer_free(s->internal->rl); | |||
581 | ||||
582 | free(s->internal); | |||
583 | free(s); | |||
584 | } | |||
585 | ||||
586 | int | |||
587 | SSL_up_ref(SSL *s) | |||
588 | { | |||
589 | int refs = CRYPTO_add(&s->references, 1, CRYPTO_LOCK_SSL)CRYPTO_add_lock(&s->references,1,16,((void*)0),0); | |||
590 | return (refs > 1) ? 1 : 0; | |||
591 | } | |||
592 | ||||
593 | void | |||
594 | SSL_set_bio(SSL *s, BIO *rbio, BIO *wbio) | |||
595 | { | |||
596 | /* If the output buffering BIO is still in place, remove it */ | |||
597 | if (s->bbio != NULL((void*)0)) { | |||
598 | if (s->wbio == s->bbio) { | |||
599 | s->wbio = s->wbio->next_bio; | |||
600 | s->bbio->next_bio = NULL((void*)0); | |||
601 | } | |||
602 | } | |||
603 | ||||
604 | if (s->rbio != rbio && s->rbio != s->wbio) | |||
605 | BIO_free_all(s->rbio); | |||
606 | if (s->wbio != wbio) | |||
607 | BIO_free_all(s->wbio); | |||
608 | s->rbio = rbio; | |||
609 | s->wbio = wbio; | |||
610 | } | |||
611 | ||||
612 | BIO * | |||
613 | SSL_get_rbio(const SSL *s) | |||
614 | { | |||
615 | return (s->rbio); | |||
616 | } | |||
617 | ||||
618 | void | |||
619 | SSL_set0_rbio(SSL *s, BIO *rbio) | |||
620 | { | |||
621 | BIO_free_all(s->rbio); | |||
622 | s->rbio = rbio; | |||
623 | } | |||
624 | ||||
625 | BIO * | |||
626 | SSL_get_wbio(const SSL *s) | |||
627 | { | |||
628 | return (s->wbio); | |||
629 | } | |||
630 | ||||
631 | int | |||
632 | SSL_get_fd(const SSL *s) | |||
633 | { | |||
634 | return (SSL_get_rfd(s)); | |||
635 | } | |||
636 | ||||
637 | int | |||
638 | SSL_get_rfd(const SSL *s) | |||
639 | { | |||
640 | int ret = -1; | |||
641 | BIO *b, *r; | |||
642 | ||||
643 | b = SSL_get_rbio(s); | |||
644 | r = BIO_find_type(b, BIO_TYPE_DESCRIPTOR0x0100); | |||
645 | if (r != NULL((void*)0)) | |||
646 | BIO_get_fd(r, &ret)BIO_ctrl(r,105,0,(char *)&ret); | |||
647 | return (ret); | |||
648 | } | |||
649 | ||||
650 | int | |||
651 | SSL_get_wfd(const SSL *s) | |||
652 | { | |||
653 | int ret = -1; | |||
654 | BIO *b, *r; | |||
655 | ||||
656 | b = SSL_get_wbio(s); | |||
657 | r = BIO_find_type(b, BIO_TYPE_DESCRIPTOR0x0100); | |||
658 | if (r != NULL((void*)0)) | |||
659 | BIO_get_fd(r, &ret)BIO_ctrl(r,105,0,(char *)&ret); | |||
660 | return (ret); | |||
661 | } | |||
662 | ||||
663 | int | |||
664 | SSL_set_fd(SSL *s, int fd) | |||
665 | { | |||
666 | int ret = 0; | |||
667 | BIO *bio = NULL((void*)0); | |||
668 | ||||
669 | bio = BIO_new(BIO_s_socket()); | |||
670 | ||||
671 | if (bio == NULL((void*)0)) { | |||
672 | SSLerror(s, ERR_R_BUF_LIB)SSL_error_internal(s, 7, "/usr/src/lib/libssl/ssl_lib.c", 672 ); | |||
673 | goto err; | |||
674 | } | |||
675 | BIO_set_fd(bio, fd, BIO_NOCLOSE)BIO_int_ctrl(bio,104,0x00,fd); | |||
676 | SSL_set_bio(s, bio, bio); | |||
677 | ret = 1; | |||
678 | err: | |||
679 | return (ret); | |||
680 | } | |||
681 | ||||
682 | int | |||
683 | SSL_set_wfd(SSL *s, int fd) | |||
684 | { | |||
685 | int ret = 0; | |||
686 | BIO *bio = NULL((void*)0); | |||
687 | ||||
688 | if ((s->rbio == NULL((void*)0)) || (BIO_method_type(s->rbio) != BIO_TYPE_SOCKET(5|0x0400|0x0100)) | |||
689 | || ((int)BIO_get_fd(s->rbio, NULL)BIO_ctrl(s->rbio,105,0,(char *)((void*)0)) != fd)) { | |||
690 | bio = BIO_new(BIO_s_socket()); | |||
691 | ||||
692 | if (bio == NULL((void*)0)) { | |||
693 | SSLerror(s, ERR_R_BUF_LIB)SSL_error_internal(s, 7, "/usr/src/lib/libssl/ssl_lib.c", 693 ); | |||
694 | goto err; | |||
695 | } | |||
696 | BIO_set_fd(bio, fd, BIO_NOCLOSE)BIO_int_ctrl(bio,104,0x00,fd); | |||
697 | SSL_set_bio(s, SSL_get_rbio(s), bio); | |||
698 | } else | |||
699 | SSL_set_bio(s, SSL_get_rbio(s), SSL_get_rbio(s)); | |||
700 | ret = 1; | |||
701 | err: | |||
702 | return (ret); | |||
703 | } | |||
704 | ||||
705 | int | |||
706 | SSL_set_rfd(SSL *s, int fd) | |||
707 | { | |||
708 | int ret = 0; | |||
709 | BIO *bio = NULL((void*)0); | |||
710 | ||||
711 | if ((s->wbio == NULL((void*)0)) || (BIO_method_type(s->wbio) != BIO_TYPE_SOCKET(5|0x0400|0x0100)) | |||
712 | || ((int)BIO_get_fd(s->wbio, NULL)BIO_ctrl(s->wbio,105,0,(char *)((void*)0)) != fd)) { | |||
713 | bio = BIO_new(BIO_s_socket()); | |||
714 | ||||
715 | if (bio == NULL((void*)0)) { | |||
716 | SSLerror(s, ERR_R_BUF_LIB)SSL_error_internal(s, 7, "/usr/src/lib/libssl/ssl_lib.c", 716 ); | |||
717 | goto err; | |||
718 | } | |||
719 | BIO_set_fd(bio, fd, BIO_NOCLOSE)BIO_int_ctrl(bio,104,0x00,fd); | |||
720 | SSL_set_bio(s, bio, SSL_get_wbio(s)); | |||
721 | } else | |||
722 | SSL_set_bio(s, SSL_get_wbio(s), SSL_get_wbio(s)); | |||
723 | ret = 1; | |||
724 | err: | |||
725 | return (ret); | |||
726 | } | |||
727 | ||||
728 | ||||
729 | /* return length of latest Finished message we sent, copy to 'buf' */ | |||
730 | size_t | |||
731 | SSL_get_finished(const SSL *s, void *buf, size_t count) | |||
732 | { | |||
733 | size_t ret; | |||
734 | ||||
735 | ret = S3I(s)(s->s3->internal)->hs.finished_len; | |||
736 | if (count > ret) | |||
737 | count = ret; | |||
738 | memcpy(buf, S3I(s)(s->s3->internal)->hs.finished, count); | |||
739 | return (ret); | |||
740 | } | |||
741 | ||||
742 | /* return length of latest Finished message we expected, copy to 'buf' */ | |||
743 | size_t | |||
744 | SSL_get_peer_finished(const SSL *s, void *buf, size_t count) | |||
745 | { | |||
746 | size_t ret; | |||
747 | ||||
748 | ret = S3I(s)(s->s3->internal)->hs.peer_finished_len; | |||
749 | if (count > ret) | |||
750 | count = ret; | |||
751 | memcpy(buf, S3I(s)(s->s3->internal)->hs.peer_finished, count); | |||
752 | return (ret); | |||
753 | } | |||
754 | ||||
755 | ||||
756 | int | |||
757 | SSL_get_verify_mode(const SSL *s) | |||
758 | { | |||
759 | return (s->verify_mode); | |||
760 | } | |||
761 | ||||
762 | int | |||
763 | SSL_get_verify_depth(const SSL *s) | |||
764 | { | |||
765 | return (X509_VERIFY_PARAM_get_depth(s->param)); | |||
766 | } | |||
767 | ||||
768 | int | |||
769 | (*SSL_get_verify_callback(const SSL *s))(int, X509_STORE_CTX *) | |||
770 | { | |||
771 | return (s->internal->verify_callback); | |||
772 | } | |||
773 | ||||
774 | void | |||
775 | SSL_CTX_set_keylog_callback(SSL_CTX *ctx, SSL_CTX_keylog_cb_func cb) | |||
776 | { | |||
777 | ctx->internal->keylog_callback = cb; | |||
778 | } | |||
779 | ||||
780 | SSL_CTX_keylog_cb_func | |||
781 | SSL_CTX_get_keylog_callback(const SSL_CTX *ctx) | |||
782 | { | |||
783 | return (ctx->internal->keylog_callback); | |||
784 | } | |||
785 | ||||
786 | int | |||
787 | SSL_set_num_tickets(SSL *s, size_t num_tickets) | |||
788 | { | |||
789 | s->internal->num_tickets = num_tickets; | |||
790 | ||||
791 | return 1; | |||
792 | } | |||
793 | ||||
794 | size_t | |||
795 | SSL_get_num_tickets(const SSL *s) | |||
796 | { | |||
797 | return s->internal->num_tickets; | |||
798 | } | |||
799 | ||||
800 | int | |||
801 | SSL_CTX_set_num_tickets(SSL_CTX *ctx, size_t num_tickets) | |||
802 | { | |||
803 | ctx->internal->num_tickets = num_tickets; | |||
804 | ||||
805 | return 1; | |||
806 | } | |||
807 | ||||
808 | size_t | |||
809 | SSL_CTX_get_num_tickets(const SSL_CTX *ctx) | |||
810 | { | |||
811 | return ctx->internal->num_tickets; | |||
812 | } | |||
813 | ||||
814 | int | |||
815 | SSL_CTX_get_verify_mode(const SSL_CTX *ctx) | |||
816 | { | |||
817 | return (ctx->verify_mode); | |||
818 | } | |||
819 | ||||
820 | int | |||
821 | SSL_CTX_get_verify_depth(const SSL_CTX *ctx) | |||
822 | { | |||
823 | return (X509_VERIFY_PARAM_get_depth(ctx->param)); | |||
824 | } | |||
825 | ||||
826 | int | |||
827 | (*SSL_CTX_get_verify_callback(const SSL_CTX *ctx))(int, X509_STORE_CTX *) | |||
828 | { | |||
829 | return (ctx->internal->default_verify_callback); | |||
830 | } | |||
831 | ||||
832 | void | |||
833 | SSL_set_verify(SSL *s, int mode, | |||
834 | int (*callback)(int ok, X509_STORE_CTX *ctx)) | |||
835 | { | |||
836 | s->verify_mode = mode; | |||
837 | if (callback != NULL((void*)0)) | |||
838 | s->internal->verify_callback = callback; | |||
839 | } | |||
840 | ||||
841 | void | |||
842 | SSL_set_verify_depth(SSL *s, int depth) | |||
843 | { | |||
844 | X509_VERIFY_PARAM_set_depth(s->param, depth); | |||
845 | } | |||
846 | ||||
847 | void | |||
848 | SSL_set_read_ahead(SSL *s, int yes) | |||
849 | { | |||
850 | s->internal->read_ahead = yes; | |||
851 | } | |||
852 | ||||
853 | int | |||
854 | SSL_get_read_ahead(const SSL *s) | |||
855 | { | |||
856 | return (s->internal->read_ahead); | |||
857 | } | |||
858 | ||||
859 | int | |||
860 | SSL_pending(const SSL *s) | |||
861 | { | |||
862 | return (s->method->ssl_pending(s)); | |||
863 | } | |||
864 | ||||
865 | X509 * | |||
866 | SSL_get_peer_certificate(const SSL *s) | |||
867 | { | |||
868 | X509 *cert; | |||
869 | ||||
870 | if (s == NULL((void*)0) || s->session == NULL((void*)0)) | |||
871 | return NULL((void*)0); | |||
872 | ||||
873 | if ((cert = s->session->peer_cert) == NULL((void*)0)) | |||
874 | return NULL((void*)0); | |||
875 | ||||
876 | X509_up_ref(cert); | |||
877 | ||||
878 | return cert; | |||
879 | } | |||
880 | ||||
881 | STACK_OF(X509)struct stack_st_X509 * | |||
882 | SSL_get_peer_cert_chain(const SSL *s) | |||
883 | { | |||
884 | if (s == NULL((void*)0) || s->session == NULL((void*)0)) | |||
885 | return NULL((void*)0); | |||
886 | ||||
887 | /* | |||
888 | * If we are a client, cert_chain includes the peer's own | |||
889 | * certificate; if we are a server, it does not. | |||
890 | */ | |||
891 | return s->session->cert_chain; | |||
892 | } | |||
893 | ||||
894 | STACK_OF(X509)struct stack_st_X509 * | |||
895 | SSL_get0_verified_chain(const SSL *s) | |||
896 | { | |||
897 | return s->internal->verified_chain; | |||
898 | } | |||
899 | ||||
900 | /* | |||
901 | * Now in theory, since the calling process own 't' it should be safe to | |||
902 | * modify. We need to be able to read f without being hassled | |||
903 | */ | |||
904 | int | |||
905 | SSL_copy_session_id(SSL *t, const SSL *f) | |||
906 | { | |||
907 | SSL_CERT *tmp; | |||
908 | ||||
909 | /* Do we need to do SSL locking? */ | |||
910 | if (!SSL_set_session(t, SSL_get_session(f))) | |||
911 | return 0; | |||
912 | ||||
913 | /* What if we are set up for one protocol but want to talk another? */ | |||
914 | if (t->method != f->method) { | |||
915 | t->method->ssl_free(t); | |||
916 | t->method = f->method; | |||
917 | if (!t->method->ssl_new(t)) | |||
918 | return 0; | |||
919 | } | |||
920 | ||||
921 | tmp = t->cert; | |||
922 | if (f->cert != NULL((void*)0)) { | |||
923 | CRYPTO_add(&f->cert->references, 1, CRYPTO_LOCK_SSL_CERT)CRYPTO_add_lock(&f->cert->references,1,13,((void*)0 ),0); | |||
924 | t->cert = f->cert; | |||
925 | } else | |||
926 | t->cert = NULL((void*)0); | |||
927 | ssl_cert_free(tmp); | |||
928 | ||||
929 | if (!SSL_set_session_id_context(t, f->sid_ctx, f->sid_ctx_length)) | |||
930 | return 0; | |||
931 | ||||
932 | return 1; | |||
933 | } | |||
934 | ||||
935 | /* Fix this so it checks all the valid key/cert options */ | |||
936 | int | |||
937 | SSL_CTX_check_private_key(const SSL_CTX *ctx) | |||
938 | { | |||
939 | if ((ctx == NULL((void*)0)) || (ctx->internal->cert == NULL((void*)0)) || | |||
940 | (ctx->internal->cert->key->x509 == NULL((void*)0))) { | |||
941 | SSLerrorx(SSL_R_NO_CERTIFICATE_ASSIGNED)ERR_put_error(20,(0xfff),(177),"/usr/src/lib/libssl/ssl_lib.c" ,941); | |||
942 | return (0); | |||
943 | } | |||
944 | if (ctx->internal->cert->key->privatekey == NULL((void*)0)) { | |||
945 | SSLerrorx(SSL_R_NO_PRIVATE_KEY_ASSIGNED)ERR_put_error(20,(0xfff),(190),"/usr/src/lib/libssl/ssl_lib.c" ,945); | |||
946 | return (0); | |||
947 | } | |||
948 | return (X509_check_private_key(ctx->internal->cert->key->x509, | |||
949 | ctx->internal->cert->key->privatekey)); | |||
950 | } | |||
951 | ||||
952 | /* Fix this function so that it takes an optional type parameter */ | |||
953 | int | |||
954 | SSL_check_private_key(const SSL *ssl) | |||
955 | { | |||
956 | if (ssl == NULL((void*)0)) { | |||
957 | SSLerrorx(ERR_R_PASSED_NULL_PARAMETER)ERR_put_error(20,(0xfff),((3|64)),"/usr/src/lib/libssl/ssl_lib.c" ,957); | |||
958 | return (0); | |||
959 | } | |||
960 | if (ssl->cert == NULL((void*)0)) { | |||
961 | SSLerror(ssl, SSL_R_NO_CERTIFICATE_ASSIGNED)SSL_error_internal(ssl, 177, "/usr/src/lib/libssl/ssl_lib.c", 961); | |||
962 | return (0); | |||
963 | } | |||
964 | if (ssl->cert->key->x509 == NULL((void*)0)) { | |||
965 | SSLerror(ssl, SSL_R_NO_CERTIFICATE_ASSIGNED)SSL_error_internal(ssl, 177, "/usr/src/lib/libssl/ssl_lib.c", 965); | |||
966 | return (0); | |||
967 | } | |||
968 | if (ssl->cert->key->privatekey == NULL((void*)0)) { | |||
969 | SSLerror(ssl, SSL_R_NO_PRIVATE_KEY_ASSIGNED)SSL_error_internal(ssl, 190, "/usr/src/lib/libssl/ssl_lib.c", 969); | |||
970 | return (0); | |||
971 | } | |||
972 | return (X509_check_private_key(ssl->cert->key->x509, | |||
973 | ssl->cert->key->privatekey)); | |||
974 | } | |||
975 | ||||
976 | int | |||
977 | SSL_accept(SSL *s) | |||
978 | { | |||
979 | if (s->internal->handshake_func == NULL((void*)0)) | |||
980 | SSL_set_accept_state(s); /* Not properly initialized yet */ | |||
981 | ||||
982 | return (s->method->ssl_accept(s)); | |||
983 | } | |||
984 | ||||
985 | int | |||
986 | SSL_connect(SSL *s) | |||
987 | { | |||
988 | if (s->internal->handshake_func == NULL((void*)0)) | |||
989 | SSL_set_connect_state(s); /* Not properly initialized yet */ | |||
990 | ||||
991 | return (s->method->ssl_connect(s)); | |||
992 | } | |||
993 | ||||
994 | int | |||
995 | SSL_is_dtls(const SSL *s) | |||
996 | { | |||
997 | return s->method->dtls; | |||
998 | } | |||
999 | ||||
1000 | int | |||
1001 | SSL_is_server(const SSL *s) | |||
1002 | { | |||
1003 | return s->server; | |||
1004 | } | |||
1005 | ||||
1006 | static long | |||
1007 | ssl_get_default_timeout() | |||
1008 | { | |||
1009 | /* | |||
1010 | * 2 hours, the 24 hours mentioned in the TLSv1 spec | |||
1011 | * is way too long for http, the cache would over fill. | |||
1012 | */ | |||
1013 | return (2 * 60 * 60); | |||
1014 | } | |||
1015 | ||||
1016 | long | |||
1017 | SSL_get_default_timeout(const SSL *s) | |||
1018 | { | |||
1019 | return (ssl_get_default_timeout()); | |||
1020 | } | |||
1021 | ||||
1022 | int | |||
1023 | SSL_read(SSL *s, void *buf, int num) | |||
1024 | { | |||
1025 | if (num < 0) { | |||
1026 | SSLerror(s, SSL_R_BAD_LENGTH)SSL_error_internal(s, 271, "/usr/src/lib/libssl/ssl_lib.c", 1026 ); | |||
1027 | return -1; | |||
1028 | } | |||
1029 | ||||
1030 | if (s->internal->handshake_func == NULL((void*)0)) { | |||
1031 | SSLerror(s, SSL_R_UNINITIALIZED)SSL_error_internal(s, 276, "/usr/src/lib/libssl/ssl_lib.c", 1031 ); | |||
1032 | return (-1); | |||
1033 | } | |||
1034 | ||||
1035 | if (s->internal->shutdown & SSL_RECEIVED_SHUTDOWN2) { | |||
1036 | s->internal->rwstate = SSL_NOTHING1; | |||
1037 | return (0); | |||
1038 | } | |||
1039 | return ssl3_read(s, buf, num); | |||
1040 | } | |||
1041 | ||||
1042 | int | |||
1043 | SSL_read_ex(SSL *s, void *buf, size_t num, size_t *bytes_read) | |||
1044 | { | |||
1045 | int ret; | |||
1046 | ||||
1047 | /* We simply don't bother supporting enormous reads */ | |||
1048 | if (num > INT_MAX2147483647) { | |||
1049 | SSLerror(s, SSL_R_BAD_LENGTH)SSL_error_internal(s, 271, "/usr/src/lib/libssl/ssl_lib.c", 1049 ); | |||
1050 | return 0; | |||
1051 | } | |||
1052 | ||||
1053 | ret = SSL_read(s, buf, (int)num); | |||
1054 | if (ret < 0) | |||
1055 | ret = 0; | |||
1056 | *bytes_read = ret; | |||
1057 | ||||
1058 | return ret > 0; | |||
1059 | } | |||
1060 | ||||
1061 | int | |||
1062 | SSL_peek(SSL *s, void *buf, int num) | |||
1063 | { | |||
1064 | if (num < 0) { | |||
1065 | SSLerror(s, SSL_R_BAD_LENGTH)SSL_error_internal(s, 271, "/usr/src/lib/libssl/ssl_lib.c", 1065 ); | |||
1066 | return -1; | |||
1067 | } | |||
1068 | ||||
1069 | if (s->internal->handshake_func == NULL((void*)0)) { | |||
1070 | SSLerror(s, SSL_R_UNINITIALIZED)SSL_error_internal(s, 276, "/usr/src/lib/libssl/ssl_lib.c", 1070 ); | |||
1071 | return (-1); | |||
1072 | } | |||
1073 | ||||
1074 | if (s->internal->shutdown & SSL_RECEIVED_SHUTDOWN2) { | |||
1075 | return (0); | |||
1076 | } | |||
1077 | return ssl3_peek(s, buf, num); | |||
1078 | } | |||
1079 | ||||
1080 | int | |||
1081 | SSL_peek_ex(SSL *s, void *buf, size_t num, size_t *bytes_peeked) | |||
1082 | { | |||
1083 | int ret; | |||
1084 | ||||
1085 | /* We simply don't bother supporting enormous peeks */ | |||
1086 | if (num > INT_MAX2147483647) { | |||
1087 | SSLerror(s, SSL_R_BAD_LENGTH)SSL_error_internal(s, 271, "/usr/src/lib/libssl/ssl_lib.c", 1087 ); | |||
1088 | return 0; | |||
1089 | } | |||
1090 | ||||
1091 | ret = SSL_peek(s, buf, (int)num); | |||
1092 | if (ret < 0) | |||
1093 | ret = 0; | |||
1094 | *bytes_peeked = ret; | |||
1095 | ||||
1096 | return ret > 0; | |||
1097 | } | |||
1098 | ||||
1099 | int | |||
1100 | SSL_write(SSL *s, const void *buf, int num) | |||
1101 | { | |||
1102 | if (num < 0) { | |||
1103 | SSLerror(s, SSL_R_BAD_LENGTH)SSL_error_internal(s, 271, "/usr/src/lib/libssl/ssl_lib.c", 1103 ); | |||
1104 | return -1; | |||
1105 | } | |||
1106 | ||||
1107 | if (s->internal->handshake_func == NULL((void*)0)) { | |||
1108 | SSLerror(s, SSL_R_UNINITIALIZED)SSL_error_internal(s, 276, "/usr/src/lib/libssl/ssl_lib.c", 1108 ); | |||
1109 | return (-1); | |||
1110 | } | |||
1111 | ||||
1112 | if (s->internal->shutdown & SSL_SENT_SHUTDOWN1) { | |||
1113 | s->internal->rwstate = SSL_NOTHING1; | |||
1114 | SSLerror(s, SSL_R_PROTOCOL_IS_SHUTDOWN)SSL_error_internal(s, 207, "/usr/src/lib/libssl/ssl_lib.c", 1114 ); | |||
1115 | return (-1); | |||
1116 | } | |||
1117 | return ssl3_write(s, buf, num); | |||
1118 | } | |||
1119 | ||||
1120 | int | |||
1121 | SSL_write_ex(SSL *s, const void *buf, size_t num, size_t *bytes_written) | |||
1122 | { | |||
1123 | int ret; | |||
1124 | ||||
1125 | /* We simply don't bother supporting enormous writes */ | |||
1126 | if (num > INT_MAX2147483647) { | |||
1127 | SSLerror(s, SSL_R_BAD_LENGTH)SSL_error_internal(s, 271, "/usr/src/lib/libssl/ssl_lib.c", 1127 ); | |||
1128 | return 0; | |||
1129 | } | |||
1130 | ||||
1131 | if (num == 0) { | |||
1132 | /* This API is special */ | |||
1133 | bytes_written = 0; | |||
1134 | return 1; | |||
1135 | } | |||
1136 | ||||
1137 | ret = SSL_write(s, buf, (int)num); | |||
1138 | if (ret < 0) | |||
1139 | ret = 0; | |||
1140 | *bytes_written = ret; | |||
1141 | ||||
1142 | return ret > 0; | |||
1143 | } | |||
1144 | ||||
1145 | uint32_t | |||
1146 | SSL_CTX_get_max_early_data(const SSL_CTX *ctx) | |||
1147 | { | |||
1148 | return 0; | |||
1149 | } | |||
1150 | ||||
1151 | int | |||
1152 | SSL_CTX_set_max_early_data(SSL_CTX *ctx, uint32_t max_early_data) | |||
1153 | { | |||
1154 | return 1; | |||
1155 | } | |||
1156 | ||||
1157 | uint32_t | |||
1158 | SSL_get_max_early_data(const SSL *s) | |||
1159 | { | |||
1160 | return 0; | |||
1161 | } | |||
1162 | ||||
1163 | int | |||
1164 | SSL_set_max_early_data(SSL *s, uint32_t max_early_data) | |||
1165 | { | |||
1166 | return 1; | |||
1167 | } | |||
1168 | ||||
1169 | int | |||
1170 | SSL_get_early_data_status(const SSL *s) | |||
1171 | { | |||
1172 | return SSL_EARLY_DATA_REJECTED1; | |||
1173 | } | |||
1174 | ||||
1175 | int | |||
1176 | SSL_read_early_data(SSL *s, void *buf, size_t num, size_t *readbytes) | |||
1177 | { | |||
1178 | *readbytes = 0; | |||
1179 | ||||
1180 | if (!s->server) { | |||
1181 | SSLerror(s, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED)SSL_error_internal(s, (2|64), "/usr/src/lib/libssl/ssl_lib.c" , 1181); | |||
1182 | return SSL_READ_EARLY_DATA_ERROR0; | |||
1183 | } | |||
1184 | ||||
1185 | return SSL_READ_EARLY_DATA_FINISH2; | |||
1186 | } | |||
1187 | ||||
1188 | int | |||
1189 | SSL_write_early_data(SSL *s, const void *buf, size_t num, size_t *written) | |||
1190 | { | |||
1191 | *written = 0; | |||
1192 | SSLerror(s, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED)SSL_error_internal(s, (2|64), "/usr/src/lib/libssl/ssl_lib.c" , 1192); | |||
1193 | return 0; | |||
1194 | } | |||
1195 | ||||
1196 | int | |||
1197 | SSL_shutdown(SSL *s) | |||
1198 | { | |||
1199 | /* | |||
1200 | * Note that this function behaves differently from what one might | |||
1201 | * expect. Return values are 0 for no success (yet), | |||
1202 | * 1 for success; but calling it once is usually not enough, | |||
1203 | * even if blocking I/O is used (see ssl3_shutdown). | |||
1204 | */ | |||
1205 | ||||
1206 | if (s->internal->handshake_func == NULL((void*)0)) { | |||
1207 | SSLerror(s, SSL_R_UNINITIALIZED)SSL_error_internal(s, 276, "/usr/src/lib/libssl/ssl_lib.c", 1207 ); | |||
1208 | return (-1); | |||
1209 | } | |||
1210 | ||||
1211 | if (s != NULL((void*)0) && !SSL_in_init(s)(SSL_state((s))&(0x1000|0x2000))) | |||
1212 | return (s->method->ssl_shutdown(s)); | |||
1213 | ||||
1214 | return (1); | |||
1215 | } | |||
1216 | ||||
1217 | int | |||
1218 | SSL_renegotiate(SSL *s) | |||
1219 | { | |||
1220 | if (s->internal->renegotiate == 0) | |||
1221 | s->internal->renegotiate = 1; | |||
1222 | ||||
1223 | s->internal->new_session = 1; | |||
1224 | ||||
1225 | return (s->method->ssl_renegotiate(s)); | |||
1226 | } | |||
1227 | ||||
1228 | int | |||
1229 | SSL_renegotiate_abbreviated(SSL *s) | |||
1230 | { | |||
1231 | if (s->internal->renegotiate == 0) | |||
1232 | s->internal->renegotiate = 1; | |||
1233 | ||||
1234 | s->internal->new_session = 0; | |||
1235 | ||||
1236 | return (s->method->ssl_renegotiate(s)); | |||
1237 | } | |||
1238 | ||||
1239 | int | |||
1240 | SSL_renegotiate_pending(SSL *s) | |||
1241 | { | |||
1242 | /* | |||
1243 | * Becomes true when negotiation is requested; | |||
1244 | * false again once a handshake has finished. | |||
1245 | */ | |||
1246 | return (s->internal->renegotiate != 0); | |||
1247 | } | |||
1248 | ||||
1249 | long | |||
1250 | SSL_ctrl(SSL *s, int cmd, long larg, void *parg) | |||
1251 | { | |||
1252 | long l; | |||
1253 | ||||
1254 | switch (cmd) { | |||
1255 | case SSL_CTRL_GET_READ_AHEAD40: | |||
1256 | return (s->internal->read_ahead); | |||
1257 | case SSL_CTRL_SET_READ_AHEAD41: | |||
1258 | l = s->internal->read_ahead; | |||
1259 | s->internal->read_ahead = larg; | |||
1260 | return (l); | |||
1261 | ||||
1262 | case SSL_CTRL_SET_MSG_CALLBACK_ARG16: | |||
1263 | s->internal->msg_callback_arg = parg; | |||
1264 | return (1); | |||
1265 | ||||
1266 | case SSL_CTRL_OPTIONS32: | |||
1267 | return (s->internal->options|=larg); | |||
1268 | case SSL_CTRL_CLEAR_OPTIONS77: | |||
1269 | return (s->internal->options&=~larg); | |||
1270 | case SSL_CTRL_MODE33: | |||
1271 | return (s->internal->mode|=larg); | |||
1272 | case SSL_CTRL_CLEAR_MODE78: | |||
1273 | return (s->internal->mode &=~larg); | |||
1274 | case SSL_CTRL_GET_MAX_CERT_LIST50: | |||
1275 | return (s->internal->max_cert_list); | |||
1276 | case SSL_CTRL_SET_MAX_CERT_LIST51: | |||
1277 | l = s->internal->max_cert_list; | |||
1278 | s->internal->max_cert_list = larg; | |||
1279 | return (l); | |||
1280 | case SSL_CTRL_SET_MTU17: | |||
1281 | #ifndef OPENSSL_NO_DTLS1 | |||
1282 | if (larg < (long)dtls1_min_mtu()) | |||
1283 | return (0); | |||
1284 | #endif | |||
1285 | if (SSL_is_dtls(s)) { | |||
1286 | s->d1->mtu = larg; | |||
1287 | return (larg); | |||
1288 | } | |||
1289 | return (0); | |||
1290 | case SSL_CTRL_SET_MAX_SEND_FRAGMENT52: | |||
1291 | if (larg < 512 || larg > SSL3_RT_MAX_PLAIN_LENGTH16384) | |||
1292 | return (0); | |||
1293 | s->max_send_fragment = larg; | |||
1294 | return (1); | |||
1295 | case SSL_CTRL_GET_RI_SUPPORT76: | |||
1296 | if (s->s3) | |||
1297 | return (S3I(s)(s->s3->internal)->send_connection_binding); | |||
1298 | else return (0); | |||
1299 | default: | |||
1300 | if (SSL_is_dtls(s)) | |||
1301 | return dtls1_ctrl(s, cmd, larg, parg); | |||
1302 | return ssl3_ctrl(s, cmd, larg, parg); | |||
1303 | } | |||
1304 | } | |||
1305 | ||||
1306 | long | |||
1307 | SSL_callback_ctrl(SSL *s, int cmd, void (*fp)(void)) | |||
1308 | { | |||
1309 | switch (cmd) { | |||
1310 | case SSL_CTRL_SET_MSG_CALLBACK15: | |||
1311 | s->internal->msg_callback = (ssl_msg_callback_fn *)(fp); | |||
1312 | return (1); | |||
1313 | ||||
1314 | default: | |||
1315 | return (ssl3_callback_ctrl(s, cmd, fp)); | |||
1316 | } | |||
1317 | } | |||
1318 | ||||
1319 | struct lhash_st_SSL_SESSION * | |||
1320 | SSL_CTX_sessions(SSL_CTX *ctx) | |||
1321 | { | |||
1322 | return (ctx->internal->sessions); | |||
1323 | } | |||
1324 | ||||
1325 | long | |||
1326 | SSL_CTX_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) | |||
1327 | { | |||
1328 | long l; | |||
1329 | ||||
1330 | switch (cmd) { | |||
1331 | case SSL_CTRL_GET_READ_AHEAD40: | |||
1332 | return (ctx->internal->read_ahead); | |||
1333 | case SSL_CTRL_SET_READ_AHEAD41: | |||
1334 | l = ctx->internal->read_ahead; | |||
1335 | ctx->internal->read_ahead = larg; | |||
1336 | return (l); | |||
1337 | ||||
1338 | case SSL_CTRL_SET_MSG_CALLBACK_ARG16: | |||
1339 | ctx->internal->msg_callback_arg = parg; | |||
1340 | return (1); | |||
1341 | ||||
1342 | case SSL_CTRL_GET_MAX_CERT_LIST50: | |||
1343 | return (ctx->internal->max_cert_list); | |||
1344 | case SSL_CTRL_SET_MAX_CERT_LIST51: | |||
1345 | l = ctx->internal->max_cert_list; | |||
1346 | ctx->internal->max_cert_list = larg; | |||
1347 | return (l); | |||
1348 | ||||
1349 | case SSL_CTRL_SET_SESS_CACHE_SIZE42: | |||
1350 | l = ctx->internal->session_cache_size; | |||
1351 | ctx->internal->session_cache_size = larg; | |||
1352 | return (l); | |||
1353 | case SSL_CTRL_GET_SESS_CACHE_SIZE43: | |||
1354 | return (ctx->internal->session_cache_size); | |||
1355 | case SSL_CTRL_SET_SESS_CACHE_MODE44: | |||
1356 | l = ctx->internal->session_cache_mode; | |||
1357 | ctx->internal->session_cache_mode = larg; | |||
1358 | return (l); | |||
1359 | case SSL_CTRL_GET_SESS_CACHE_MODE45: | |||
1360 | return (ctx->internal->session_cache_mode); | |||
1361 | ||||
1362 | case SSL_CTRL_SESS_NUMBER20: | |||
1363 | return (lh_SSL_SESSION_num_items(ctx->internal->sessions)lh_num_items(((_LHASH *)((void*) (1 ? ctx->internal->sessions : (struct lhash_st_SSL_SESSION*)0))))); | |||
1364 | case SSL_CTRL_SESS_CONNECT21: | |||
1365 | return (ctx->internal->stats.sess_connect); | |||
1366 | case SSL_CTRL_SESS_CONNECT_GOOD22: | |||
1367 | return (ctx->internal->stats.sess_connect_good); | |||
1368 | case SSL_CTRL_SESS_CONNECT_RENEGOTIATE23: | |||
1369 | return (ctx->internal->stats.sess_connect_renegotiate); | |||
1370 | case SSL_CTRL_SESS_ACCEPT24: | |||
1371 | return (ctx->internal->stats.sess_accept); | |||
1372 | case SSL_CTRL_SESS_ACCEPT_GOOD25: | |||
1373 | return (ctx->internal->stats.sess_accept_good); | |||
1374 | case SSL_CTRL_SESS_ACCEPT_RENEGOTIATE26: | |||
1375 | return (ctx->internal->stats.sess_accept_renegotiate); | |||
1376 | case SSL_CTRL_SESS_HIT27: | |||
1377 | return (ctx->internal->stats.sess_hit); | |||
1378 | case SSL_CTRL_SESS_CB_HIT28: | |||
1379 | return (ctx->internal->stats.sess_cb_hit); | |||
1380 | case SSL_CTRL_SESS_MISSES29: | |||
1381 | return (ctx->internal->stats.sess_miss); | |||
1382 | case SSL_CTRL_SESS_TIMEOUTS30: | |||
1383 | return (ctx->internal->stats.sess_timeout); | |||
1384 | case SSL_CTRL_SESS_CACHE_FULL31: | |||
1385 | return (ctx->internal->stats.sess_cache_full); | |||
1386 | case SSL_CTRL_OPTIONS32: | |||
1387 | return (ctx->internal->options|=larg); | |||
1388 | case SSL_CTRL_CLEAR_OPTIONS77: | |||
1389 | return (ctx->internal->options&=~larg); | |||
1390 | case SSL_CTRL_MODE33: | |||
1391 | return (ctx->internal->mode|=larg); | |||
1392 | case SSL_CTRL_CLEAR_MODE78: | |||
1393 | return (ctx->internal->mode&=~larg); | |||
1394 | case SSL_CTRL_SET_MAX_SEND_FRAGMENT52: | |||
1395 | if (larg < 512 || larg > SSL3_RT_MAX_PLAIN_LENGTH16384) | |||
1396 | return (0); | |||
1397 | ctx->internal->max_send_fragment = larg; | |||
1398 | return (1); | |||
1399 | default: | |||
1400 | return (ssl3_ctx_ctrl(ctx, cmd, larg, parg)); | |||
1401 | } | |||
1402 | } | |||
1403 | ||||
1404 | long | |||
1405 | SSL_CTX_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)(void)) | |||
1406 | { | |||
1407 | switch (cmd) { | |||
1408 | case SSL_CTRL_SET_MSG_CALLBACK15: | |||
1409 | ctx->internal->msg_callback = (ssl_msg_callback_fn *)fp; | |||
1410 | return (1); | |||
1411 | ||||
1412 | default: | |||
1413 | return (ssl3_ctx_callback_ctrl(ctx, cmd, fp)); | |||
1414 | } | |||
1415 | } | |||
1416 | ||||
1417 | int | |||
1418 | ssl_cipher_id_cmp(const SSL_CIPHER *a, const SSL_CIPHER *b) | |||
1419 | { | |||
1420 | long l; | |||
1421 | ||||
1422 | l = a->id - b->id; | |||
1423 | if (l == 0L) | |||
1424 | return (0); | |||
1425 | else | |||
1426 | return ((l > 0) ? 1:-1); | |||
1427 | } | |||
1428 | ||||
1429 | STACK_OF(SSL_CIPHER)struct stack_st_SSL_CIPHER * | |||
1430 | SSL_get_ciphers(const SSL *s) | |||
1431 | { | |||
1432 | if (s == NULL((void*)0)) | |||
1433 | return (NULL((void*)0)); | |||
1434 | if (s->cipher_list != NULL((void*)0)) | |||
1435 | return (s->cipher_list); | |||
1436 | ||||
1437 | return (s->ctx->cipher_list); | |||
1438 | } | |||
1439 | ||||
1440 | STACK_OF(SSL_CIPHER)struct stack_st_SSL_CIPHER * | |||
1441 | SSL_get_client_ciphers(const SSL *s) | |||
1442 | { | |||
1443 | if (s == NULL((void*)0) || s->session == NULL((void*)0) || !s->server) | |||
1444 | return NULL((void*)0); | |||
1445 | return s->session->ciphers; | |||
1446 | } | |||
1447 | ||||
1448 | STACK_OF(SSL_CIPHER)struct stack_st_SSL_CIPHER * | |||
1449 | SSL_get1_supported_ciphers(SSL *s) | |||
1450 | { | |||
1451 | STACK_OF(SSL_CIPHER)struct stack_st_SSL_CIPHER *supported_ciphers = NULL((void*)0), *ciphers; | |||
1452 | const SSL_CIPHER *cipher; | |||
1453 | uint16_t min_vers, max_vers; | |||
1454 | int i; | |||
1455 | ||||
1456 | if (s == NULL((void*)0)) | |||
1457 | return NULL((void*)0); | |||
1458 | if (!ssl_supported_tls_version_range(s, &min_vers, &max_vers)) | |||
1459 | return NULL((void*)0); | |||
1460 | if ((ciphers = SSL_get_ciphers(s)) == NULL((void*)0)) | |||
1461 | return NULL((void*)0); | |||
1462 | if ((supported_ciphers = sk_SSL_CIPHER_new_null()((struct stack_st_SSL_CIPHER *)sk_new_null())) == NULL((void*)0)) | |||
1463 | return NULL((void*)0); | |||
1464 | ||||
1465 | for (i = 0; i < sk_SSL_CIPHER_num(ciphers)sk_num(((_STACK*) (1 ? (ciphers) : (struct stack_st_SSL_CIPHER *)0))); i++) { | |||
1466 | if ((cipher = sk_SSL_CIPHER_value(ciphers, i)((SSL_CIPHER *)sk_value(((_STACK*) (1 ? (ciphers) : (struct stack_st_SSL_CIPHER *)0)), (i)))) == NULL((void*)0)) | |||
1467 | goto err; | |||
1468 | if (!ssl_cipher_allowed_in_tls_version_range(cipher, min_vers, | |||
1469 | max_vers)) | |||
1470 | continue; | |||
1471 | if (!sk_SSL_CIPHER_push(supported_ciphers, cipher)sk_push(((_STACK*) (1 ? (supported_ciphers) : (struct stack_st_SSL_CIPHER *)0)), ((void*) (1 ? (cipher) : (SSL_CIPHER*)0)))) | |||
1472 | goto err; | |||
1473 | } | |||
1474 | ||||
1475 | if (sk_SSL_CIPHER_num(supported_ciphers)sk_num(((_STACK*) (1 ? (supported_ciphers) : (struct stack_st_SSL_CIPHER *)0))) > 0) | |||
1476 | return supported_ciphers; | |||
1477 | ||||
1478 | err: | |||
1479 | sk_SSL_CIPHER_free(supported_ciphers)sk_free(((_STACK*) (1 ? (supported_ciphers) : (struct stack_st_SSL_CIPHER *)0))); | |||
1480 | return NULL((void*)0); | |||
1481 | } | |||
1482 | ||||
1483 | /* See if we have any ECC cipher suites. */ | |||
1484 | int | |||
1485 | ssl_has_ecc_ciphers(SSL *s) | |||
1486 | { | |||
1487 | STACK_OF(SSL_CIPHER)struct stack_st_SSL_CIPHER *ciphers; | |||
1488 | unsigned long alg_k, alg_a; | |||
1489 | SSL_CIPHER *cipher; | |||
1490 | int i; | |||
1491 | ||||
1492 | if ((ciphers = SSL_get_ciphers(s)) == NULL((void*)0)) | |||
1493 | return 0; | |||
1494 | ||||
1495 | for (i = 0; i < sk_SSL_CIPHER_num(ciphers)sk_num(((_STACK*) (1 ? (ciphers) : (struct stack_st_SSL_CIPHER *)0))); i++) { | |||
1496 | cipher = sk_SSL_CIPHER_value(ciphers, i)((SSL_CIPHER *)sk_value(((_STACK*) (1 ? (ciphers) : (struct stack_st_SSL_CIPHER *)0)), (i))); | |||
1497 | ||||
1498 | alg_k = cipher->algorithm_mkey; | |||
1499 | alg_a = cipher->algorithm_auth; | |||
1500 | ||||
1501 | if ((alg_k & SSL_kECDHE0x00000080L) || (alg_a & SSL_aECDSA0x00000040L)) | |||
1502 | return 1; | |||
1503 | } | |||
1504 | ||||
1505 | return 0; | |||
1506 | } | |||
1507 | ||||
1508 | /* The old interface to get the same thing as SSL_get_ciphers(). */ | |||
1509 | const char * | |||
1510 | SSL_get_cipher_list(const SSL *s, int n) | |||
1511 | { | |||
1512 | STACK_OF(SSL_CIPHER)struct stack_st_SSL_CIPHER *ciphers; | |||
1513 | const SSL_CIPHER *cipher; | |||
1514 | ||||
1515 | if ((ciphers = SSL_get_ciphers(s)) == NULL((void*)0)) | |||
1516 | return (NULL((void*)0)); | |||
1517 | if ((cipher = sk_SSL_CIPHER_value(ciphers, n)((SSL_CIPHER *)sk_value(((_STACK*) (1 ? (ciphers) : (struct stack_st_SSL_CIPHER *)0)), (n)))) == NULL((void*)0)) | |||
1518 | return (NULL((void*)0)); | |||
1519 | ||||
1520 | return (cipher->name); | |||
1521 | } | |||
1522 | ||||
1523 | STACK_OF(SSL_CIPHER)struct stack_st_SSL_CIPHER * | |||
1524 | SSL_CTX_get_ciphers(const SSL_CTX *ctx) | |||
1525 | { | |||
1526 | if (ctx == NULL((void*)0)) | |||
1527 | return NULL((void*)0); | |||
1528 | return ctx->cipher_list; | |||
1529 | } | |||
1530 | ||||
1531 | /* Specify the ciphers to be used by default by the SSL_CTX. */ | |||
1532 | int | |||
1533 | SSL_CTX_set_cipher_list(SSL_CTX *ctx, const char *str) | |||
1534 | { | |||
1535 | STACK_OF(SSL_CIPHER)struct stack_st_SSL_CIPHER *ciphers; | |||
1536 | ||||
1537 | /* | |||
1538 | * ssl_create_cipher_list may return an empty stack if it was unable to | |||
1539 | * find a cipher matching the given rule string (for example if the | |||
1540 | * rule string specifies a cipher which has been disabled). This is not | |||
1541 | * an error as far as ssl_create_cipher_list is concerned, and hence | |||
1542 | * ctx->cipher_list has been updated. | |||
1543 | */ | |||
1544 | ciphers = ssl_create_cipher_list(ctx->method, &ctx->cipher_list, | |||
1545 | ctx->internal->cipher_list_tls13, str); | |||
1546 | if (ciphers == NULL((void*)0)) { | |||
1547 | return (0); | |||
1548 | } else if (sk_SSL_CIPHER_num(ciphers)sk_num(((_STACK*) (1 ? (ciphers) : (struct stack_st_SSL_CIPHER *)0))) == 0) { | |||
1549 | SSLerrorx(SSL_R_NO_CIPHER_MATCH)ERR_put_error(20,(0xfff),(185),"/usr/src/lib/libssl/ssl_lib.c" ,1549); | |||
1550 | return (0); | |||
1551 | } | |||
1552 | return (1); | |||
1553 | } | |||
1554 | ||||
1555 | int | |||
1556 | SSL_CTX_set_ciphersuites(SSL_CTX *ctx, const char *str) | |||
1557 | { | |||
1558 | if (!ssl_parse_ciphersuites(&ctx->internal->cipher_list_tls13, str)) { | |||
1559 | SSLerrorx(SSL_R_NO_CIPHER_MATCH)ERR_put_error(20,(0xfff),(185),"/usr/src/lib/libssl/ssl_lib.c" ,1559); | |||
1560 | return 0; | |||
1561 | } | |||
1562 | if (!ssl_merge_cipherlists(ctx->cipher_list, | |||
1563 | ctx->internal->cipher_list_tls13, &ctx->cipher_list)) | |||
1564 | return 0; | |||
1565 | ||||
1566 | return 1; | |||
1567 | } | |||
1568 | ||||
1569 | /* Specify the ciphers to be used by the SSL. */ | |||
1570 | int | |||
1571 | SSL_set_cipher_list(SSL *s, const char *str) | |||
1572 | { | |||
1573 | STACK_OF(SSL_CIPHER)struct stack_st_SSL_CIPHER *ciphers, *ciphers_tls13; | |||
1574 | ||||
1575 | if ((ciphers_tls13 = s->internal->cipher_list_tls13) == NULL((void*)0)) | |||
1576 | ciphers_tls13 = s->ctx->internal->cipher_list_tls13; | |||
1577 | ||||
1578 | /* See comment in SSL_CTX_set_cipher_list. */ | |||
1579 | ciphers = ssl_create_cipher_list(s->ctx->method, &s->cipher_list, | |||
1580 | ciphers_tls13, str); | |||
1581 | if (ciphers == NULL((void*)0)) { | |||
1582 | return (0); | |||
1583 | } else if (sk_SSL_CIPHER_num(ciphers)sk_num(((_STACK*) (1 ? (ciphers) : (struct stack_st_SSL_CIPHER *)0))) == 0) { | |||
1584 | SSLerror(s, SSL_R_NO_CIPHER_MATCH)SSL_error_internal(s, 185, "/usr/src/lib/libssl/ssl_lib.c", 1584 ); | |||
1585 | return (0); | |||
1586 | } | |||
1587 | return (1); | |||
1588 | } | |||
1589 | ||||
1590 | int | |||
1591 | SSL_set_ciphersuites(SSL *s, const char *str) | |||
1592 | { | |||
1593 | STACK_OF(SSL_CIPHER)struct stack_st_SSL_CIPHER *ciphers; | |||
1594 | ||||
1595 | if ((ciphers = s->cipher_list) == NULL((void*)0)) | |||
1596 | ciphers = s->ctx->cipher_list; | |||
1597 | ||||
1598 | if (!ssl_parse_ciphersuites(&s->internal->cipher_list_tls13, str)) { | |||
1599 | SSLerrorx(SSL_R_NO_CIPHER_MATCH)ERR_put_error(20,(0xfff),(185),"/usr/src/lib/libssl/ssl_lib.c" ,1599); | |||
1600 | return (0); | |||
1601 | } | |||
1602 | if (!ssl_merge_cipherlists(ciphers, s->internal->cipher_list_tls13, | |||
1603 | &s->cipher_list)) | |||
1604 | return 0; | |||
1605 | ||||
1606 | return 1; | |||
1607 | } | |||
1608 | ||||
1609 | char * | |||
1610 | SSL_get_shared_ciphers(const SSL *s, char *buf, int len) | |||
1611 | { | |||
1612 | STACK_OF(SSL_CIPHER)struct stack_st_SSL_CIPHER *client_ciphers, *server_ciphers; | |||
1613 | const SSL_CIPHER *cipher; | |||
1614 | size_t curlen = 0; | |||
1615 | char *end; | |||
1616 | int i; | |||
1617 | ||||
1618 | if (!s->server || s->session == NULL((void*)0) || len < 2) | |||
1619 | return NULL((void*)0); | |||
1620 | ||||
1621 | if ((client_ciphers = s->session->ciphers) == NULL((void*)0)) | |||
1622 | return NULL((void*)0); | |||
1623 | if ((server_ciphers = SSL_get_ciphers(s)) == NULL((void*)0)) | |||
1624 | return NULL((void*)0); | |||
1625 | if (sk_SSL_CIPHER_num(client_ciphers)sk_num(((_STACK*) (1 ? (client_ciphers) : (struct stack_st_SSL_CIPHER *)0))) == 0 || | |||
1626 | sk_SSL_CIPHER_num(server_ciphers)sk_num(((_STACK*) (1 ? (server_ciphers) : (struct stack_st_SSL_CIPHER *)0))) == 0) | |||
1627 | return NULL((void*)0); | |||
1628 | ||||
1629 | buf[0] = '\0'; | |||
1630 | for (i = 0; i < sk_SSL_CIPHER_num(client_ciphers)sk_num(((_STACK*) (1 ? (client_ciphers) : (struct stack_st_SSL_CIPHER *)0))); i++) { | |||
1631 | cipher = sk_SSL_CIPHER_value(client_ciphers, i)((SSL_CIPHER *)sk_value(((_STACK*) (1 ? (client_ciphers) : (struct stack_st_SSL_CIPHER*)0)), (i))); | |||
1632 | ||||
1633 | if (sk_SSL_CIPHER_find(server_ciphers, cipher)sk_find(((_STACK*) (1 ? (server_ciphers) : (struct stack_st_SSL_CIPHER *)0)), ((void*) (1 ? (cipher) : (SSL_CIPHER*)0))) < 0) | |||
1634 | continue; | |||
1635 | ||||
1636 | end = buf + curlen; | |||
1637 | if (strlcat(buf, cipher->name, len) >= len || | |||
1638 | (curlen = strlcat(buf, ":", len)) >= len) { | |||
1639 | /* remove truncated cipher from list */ | |||
1640 | *end = '\0'; | |||
1641 | break; | |||
1642 | } | |||
1643 | } | |||
1644 | /* remove trailing colon */ | |||
1645 | if ((end = strrchr(buf, ':')) != NULL((void*)0)) | |||
1646 | *end = '\0'; | |||
1647 | return buf; | |||
1648 | } | |||
1649 | ||||
1650 | /* | |||
1651 | * Return a servername extension value if provided in Client Hello, or NULL. | |||
1652 | * So far, only host_name types are defined (RFC 3546). | |||
1653 | */ | |||
1654 | const char * | |||
1655 | SSL_get_servername(const SSL *s, const int type) | |||
1656 | { | |||
1657 | if (type != TLSEXT_NAMETYPE_host_name0) | |||
1658 | return (NULL((void*)0)); | |||
1659 | ||||
1660 | return (s->session && !s->tlsext_hostname ? | |||
1661 | s->session->tlsext_hostname : | |||
1662 | s->tlsext_hostname); | |||
1663 | } | |||
1664 | ||||
1665 | int | |||
1666 | SSL_get_servername_type(const SSL *s) | |||
1667 | { | |||
1668 | if (s->session && | |||
1669 | (!s->tlsext_hostname ? | |||
1670 | s->session->tlsext_hostname : s->tlsext_hostname)) | |||
1671 | return (TLSEXT_NAMETYPE_host_name0); | |||
1672 | return (-1); | |||
1673 | } | |||
1674 | ||||
1675 | /* | |||
1676 | * SSL_select_next_proto implements standard protocol selection. It is | |||
1677 | * expected that this function is called from the callback set by | |||
1678 | * SSL_CTX_set_alpn_select_cb. | |||
1679 | * | |||
1680 | * The protocol data is assumed to be a vector of 8-bit, length prefixed byte | |||
1681 | * strings. The length byte itself is not included in the length. A byte | |||
1682 | * string of length 0 is invalid. No byte string may be truncated. | |||
1683 | * | |||
1684 | * It returns either: | |||
1685 | * OPENSSL_NPN_NEGOTIATED if a common protocol was found, or | |||
1686 | * OPENSSL_NPN_NO_OVERLAP if the fallback case was reached. | |||
1687 | */ | |||
1688 | int | |||
1689 | SSL_select_next_proto(unsigned char **out, unsigned char *outlen, | |||
1690 | const unsigned char *server, unsigned int server_len, | |||
1691 | const unsigned char *client, unsigned int client_len) | |||
1692 | { | |||
1693 | unsigned int i, j; | |||
1694 | const unsigned char *result; | |||
1695 | int status = OPENSSL_NPN_UNSUPPORTED0; | |||
1696 | ||||
1697 | /* | |||
1698 | * For each protocol in server preference order, | |||
1699 | * see if we support it. | |||
1700 | */ | |||
1701 | for (i = 0; i < server_len; ) { | |||
1702 | for (j = 0; j < client_len; ) { | |||
1703 | if (server[i] == client[j] && | |||
1704 | memcmp(&server[i + 1], | |||
1705 | &client[j + 1], server[i]) == 0) { | |||
1706 | /* We found a match */ | |||
1707 | result = &server[i]; | |||
1708 | status = OPENSSL_NPN_NEGOTIATED1; | |||
1709 | goto found; | |||
1710 | } | |||
1711 | j += client[j]; | |||
1712 | j++; | |||
1713 | } | |||
1714 | i += server[i]; | |||
1715 | i++; | |||
1716 | } | |||
1717 | ||||
1718 | /* There's no overlap between our protocols and the server's list. */ | |||
1719 | result = client; | |||
1720 | status = OPENSSL_NPN_NO_OVERLAP2; | |||
1721 | ||||
1722 | found: | |||
1723 | *out = (unsigned char *) result + 1; | |||
1724 | *outlen = result[0]; | |||
1725 | return (status); | |||
1726 | } | |||
1727 | ||||
1728 | /* SSL_get0_next_proto_negotiated is deprecated. */ | |||
1729 | void | |||
1730 | SSL_get0_next_proto_negotiated(const SSL *s, const unsigned char **data, | |||
1731 | unsigned int *len) | |||
1732 | { | |||
1733 | *data = NULL((void*)0); | |||
1734 | *len = 0; | |||
1735 | } | |||
1736 | ||||
1737 | /* SSL_CTX_set_next_protos_advertised_cb is deprecated. */ | |||
1738 | void | |||
1739 | SSL_CTX_set_next_protos_advertised_cb(SSL_CTX *ctx, int (*cb) (SSL *ssl, | |||
1740 | const unsigned char **out, unsigned int *outlen, void *arg), void *arg) | |||
1741 | { | |||
1742 | } | |||
1743 | ||||
1744 | /* SSL_CTX_set_next_proto_select_cb is deprecated. */ | |||
1745 | void | |||
1746 | SSL_CTX_set_next_proto_select_cb(SSL_CTX *ctx, int (*cb) (SSL *s, | |||
1747 | unsigned char **out, unsigned char *outlen, const unsigned char *in, | |||
1748 | unsigned int inlen, void *arg), void *arg) | |||
1749 | { | |||
1750 | } | |||
1751 | ||||
1752 | /* | |||
1753 | * SSL_CTX_set_alpn_protos sets the ALPN protocol list to the specified | |||
1754 | * protocols, which must be in wire-format (i.e. a series of non-empty, | |||
1755 | * 8-bit length-prefixed strings). Returns 0 on success. | |||
1756 | */ | |||
1757 | int | |||
1758 | SSL_CTX_set_alpn_protos(SSL_CTX *ctx, const unsigned char *protos, | |||
1759 | unsigned int protos_len) | |||
1760 | { | |||
1761 | int failed = 1; | |||
1762 | ||||
1763 | if (protos == NULL((void*)0) || protos_len == 0) | |||
1764 | goto err; | |||
1765 | ||||
1766 | free(ctx->internal->alpn_client_proto_list); | |||
1767 | ctx->internal->alpn_client_proto_list = NULL((void*)0); | |||
1768 | ctx->internal->alpn_client_proto_list_len = 0; | |||
1769 | ||||
1770 | if ((ctx->internal->alpn_client_proto_list = malloc(protos_len)) | |||
1771 | == NULL((void*)0)) | |||
1772 | goto err; | |||
1773 | ctx->internal->alpn_client_proto_list_len = protos_len; | |||
1774 | ||||
1775 | memcpy(ctx->internal->alpn_client_proto_list, protos, protos_len); | |||
1776 | ||||
1777 | failed = 0; | |||
1778 | ||||
1779 | err: | |||
1780 | /* NOTE: Return values are the reverse of what you expect. */ | |||
1781 | return (failed); | |||
1782 | } | |||
1783 | ||||
1784 | /* | |||
1785 | * SSL_set_alpn_protos sets the ALPN protocol list to the specified | |||
1786 | * protocols, which must be in wire-format (i.e. a series of non-empty, | |||
1787 | * 8-bit length-prefixed strings). Returns 0 on success. | |||
1788 | */ | |||
1789 | int | |||
1790 | SSL_set_alpn_protos(SSL *ssl, const unsigned char *protos, | |||
1791 | unsigned int protos_len) | |||
1792 | { | |||
1793 | int failed = 1; | |||
1794 | ||||
1795 | if (protos == NULL((void*)0) || protos_len == 0) | |||
1796 | goto err; | |||
1797 | ||||
1798 | free(ssl->internal->alpn_client_proto_list); | |||
1799 | ssl->internal->alpn_client_proto_list = NULL((void*)0); | |||
1800 | ssl->internal->alpn_client_proto_list_len = 0; | |||
1801 | ||||
1802 | if ((ssl->internal->alpn_client_proto_list = malloc(protos_len)) | |||
1803 | == NULL((void*)0)) | |||
1804 | goto err; | |||
1805 | ssl->internal->alpn_client_proto_list_len = protos_len; | |||
1806 | ||||
1807 | memcpy(ssl->internal->alpn_client_proto_list, protos, protos_len); | |||
1808 | ||||
1809 | failed = 0; | |||
1810 | ||||
1811 | err: | |||
1812 | /* NOTE: Return values are the reverse of what you expect. */ | |||
1813 | return (failed); | |||
1814 | } | |||
1815 | ||||
1816 | /* | |||
1817 | * SSL_CTX_set_alpn_select_cb sets a callback function that is called during | |||
1818 | * ClientHello processing in order to select an ALPN protocol from the | |||
1819 | * client's list of offered protocols. | |||
1820 | */ | |||
1821 | void | |||
1822 | SSL_CTX_set_alpn_select_cb(SSL_CTX* ctx, | |||
1823 | int (*cb) (SSL *ssl, const unsigned char **out, unsigned char *outlen, | |||
1824 | const unsigned char *in, unsigned int inlen, void *arg), void *arg) | |||
1825 | { | |||
1826 | ctx->internal->alpn_select_cb = cb; | |||
1827 | ctx->internal->alpn_select_cb_arg = arg; | |||
1828 | } | |||
1829 | ||||
1830 | /* | |||
1831 | * SSL_get0_alpn_selected gets the selected ALPN protocol (if any). On return | |||
1832 | * it sets data to point to len bytes of protocol name (not including the | |||
1833 | * leading length-prefix byte). If the server didn't respond with* a negotiated | |||
1834 | * protocol then len will be zero. | |||
1835 | */ | |||
1836 | void | |||
1837 | SSL_get0_alpn_selected(const SSL *ssl, const unsigned char **data, | |||
1838 | unsigned int *len) | |||
1839 | { | |||
1840 | *data = ssl->s3->internal->alpn_selected; | |||
1841 | *len = ssl->s3->internal->alpn_selected_len; | |||
1842 | } | |||
1843 | ||||
1844 | void | |||
1845 | SSL_set_psk_use_session_callback(SSL *s, SSL_psk_use_session_cb_func cb) | |||
1846 | { | |||
1847 | return; | |||
1848 | } | |||
1849 | ||||
1850 | int | |||
1851 | SSL_export_keying_material(SSL *s, unsigned char *out, size_t olen, | |||
1852 | const char *label, size_t llen, const unsigned char *p, size_t plen, | |||
1853 | int use_context) | |||
1854 | { | |||
1855 | if (s->internal->tls13 != NULL((void*)0) && s->version == TLS1_3_VERSION0x0304) { | |||
1856 | if (!use_context) { | |||
1857 | p = NULL((void*)0); | |||
1858 | plen = 0; | |||
1859 | } | |||
1860 | return tls13_exporter(s->internal->tls13, label, llen, p, plen, | |||
1861 | out, olen); | |||
1862 | } | |||
1863 | ||||
1864 | return (tls1_export_keying_material(s, out, olen, label, llen, p, plen, | |||
1865 | use_context)); | |||
1866 | } | |||
1867 | ||||
1868 | static unsigned long | |||
1869 | ssl_session_hash(const SSL_SESSION *a) | |||
1870 | { | |||
1871 | unsigned long l; | |||
1872 | ||||
1873 | l = (unsigned long) | |||
1874 | ((unsigned int) a->session_id[0] )| | |||
1875 | ((unsigned int) a->session_id[1]<< 8L)| | |||
1876 | ((unsigned long)a->session_id[2]<<16L)| | |||
1877 | ((unsigned long)a->session_id[3]<<24L); | |||
1878 | return (l); | |||
1879 | } | |||
1880 | ||||
1881 | /* | |||
1882 | * NB: If this function (or indeed the hash function which uses a sort of | |||
1883 | * coarser function than this one) is changed, ensure | |||
1884 | * SSL_CTX_has_matching_session_id() is checked accordingly. It relies on being | |||
1885 | * able to construct an SSL_SESSION that will collide with any existing session | |||
1886 | * with a matching session ID. | |||
1887 | */ | |||
1888 | static int | |||
1889 | ssl_session_cmp(const SSL_SESSION *a, const SSL_SESSION *b) | |||
1890 | { | |||
1891 | if (a->ssl_version != b->ssl_version) | |||
1892 | return (1); | |||
1893 | if (a->session_id_length != b->session_id_length) | |||
1894 | return (1); | |||
1895 | if (timingsafe_memcmp(a->session_id, b->session_id, a->session_id_length) != 0) | |||
1896 | return (1); | |||
1897 | return (0); | |||
1898 | } | |||
1899 | ||||
1900 | /* | |||
1901 | * These wrapper functions should remain rather than redeclaring | |||
1902 | * SSL_SESSION_hash and SSL_SESSION_cmp for void* types and casting each | |||
1903 | * variable. The reason is that the functions aren't static, they're exposed via | |||
1904 | * ssl.h. | |||
1905 | */ | |||
1906 | static unsigned long | |||
1907 | ssl_session_LHASH_HASH(const void *arg) | |||
1908 | { | |||
1909 | const SSL_SESSION *a = arg; | |||
1910 | ||||
1911 | return ssl_session_hash(a); | |||
1912 | } | |||
1913 | ||||
1914 | static int | |||
1915 | ssl_session_LHASH_COMP(const void *arg1, const void *arg2) | |||
1916 | { | |||
1917 | const SSL_SESSION *a = arg1; | |||
1918 | const SSL_SESSION *b = arg2; | |||
1919 | ||||
1920 | return ssl_session_cmp(a, b); | |||
1921 | } | |||
1922 | ||||
1923 | SSL_CTX * | |||
1924 | SSL_CTX_new(const SSL_METHOD *meth) | |||
1925 | { | |||
1926 | SSL_CTX *ret; | |||
1927 | ||||
1928 | if (!OPENSSL_init_ssl(0, NULL((void*)0))) { | |||
1929 | SSLerrorx(SSL_R_LIBRARY_BUG)ERR_put_error(20,(0xfff),(274),"/usr/src/lib/libssl/ssl_lib.c" ,1929); | |||
1930 | return (NULL((void*)0)); | |||
1931 | } | |||
1932 | ||||
1933 | if (meth == NULL((void*)0)) { | |||
1934 | SSLerrorx(SSL_R_NULL_SSL_METHOD_PASSED)ERR_put_error(20,(0xfff),(196),"/usr/src/lib/libssl/ssl_lib.c" ,1934); | |||
1935 | return (NULL((void*)0)); | |||
1936 | } | |||
1937 | ||||
1938 | if ((ret = calloc(1, sizeof(*ret))) == NULL((void*)0)) { | |||
1939 | SSLerrorx(ERR_R_MALLOC_FAILURE)ERR_put_error(20,(0xfff),((1|64)),"/usr/src/lib/libssl/ssl_lib.c" ,1939); | |||
1940 | return (NULL((void*)0)); | |||
1941 | } | |||
1942 | if ((ret->internal = calloc(1, sizeof(*ret->internal))) == NULL((void*)0)) { | |||
1943 | free(ret); | |||
1944 | SSLerrorx(ERR_R_MALLOC_FAILURE)ERR_put_error(20,(0xfff),((1|64)),"/usr/src/lib/libssl/ssl_lib.c" ,1944); | |||
1945 | return (NULL((void*)0)); | |||
1946 | } | |||
1947 | ||||
1948 | if (SSL_get_ex_data_X509_STORE_CTX_idx() < 0) { | |||
1949 | SSLerrorx(SSL_R_X509_VERIFICATION_SETUP_PROBLEMS)ERR_put_error(20,(0xfff),(269),"/usr/src/lib/libssl/ssl_lib.c" ,1949); | |||
1950 | goto err; | |||
1951 | } | |||
1952 | ||||
1953 | ret->method = meth; | |||
1954 | ret->internal->min_tls_version = meth->min_tls_version; | |||
1955 | ret->internal->max_tls_version = meth->max_tls_version; | |||
1956 | ret->internal->min_proto_version = 0; | |||
1957 | ret->internal->max_proto_version = 0; | |||
1958 | ret->internal->mode = SSL_MODE_AUTO_RETRY0x00000004L; | |||
1959 | ||||
1960 | ret->cert_store = NULL((void*)0); | |||
1961 | ret->internal->session_cache_mode = SSL_SESS_CACHE_SERVER0x0002; | |||
1962 | ret->internal->session_cache_size = SSL_SESSION_CACHE_MAX_SIZE_DEFAULT(1024*20); | |||
1963 | ret->internal->session_cache_head = NULL((void*)0); | |||
1964 | ret->internal->session_cache_tail = NULL((void*)0); | |||
1965 | ||||
1966 | /* We take the system default */ | |||
1967 | ret->session_timeout = ssl_get_default_timeout(); | |||
1968 | ||||
1969 | ret->internal->new_session_cb = 0; | |||
1970 | ret->internal->remove_session_cb = 0; | |||
1971 | ret->internal->get_session_cb = 0; | |||
1972 | ret->internal->generate_session_id = 0; | |||
1973 | ||||
1974 | memset((char *)&ret->internal->stats, 0, sizeof(ret->internal->stats)); | |||
1975 | ||||
1976 | ret->references = 1; | |||
1977 | ret->internal->quiet_shutdown = 0; | |||
1978 | ||||
1979 | ret->internal->info_callback = NULL((void*)0); | |||
1980 | ||||
1981 | ret->internal->app_verify_callback = 0; | |||
1982 | ret->internal->app_verify_arg = NULL((void*)0); | |||
1983 | ||||
1984 | ret->internal->max_cert_list = SSL_MAX_CERT_LIST_DEFAULT1024*100; | |||
1985 | ret->internal->read_ahead = 0; | |||
1986 | ret->internal->msg_callback = 0; | |||
1987 | ret->internal->msg_callback_arg = NULL((void*)0); | |||
1988 | ret->verify_mode = SSL_VERIFY_NONE0x00; | |||
1989 | ret->sid_ctx_length = 0; | |||
1990 | ret->internal->default_verify_callback = NULL((void*)0); | |||
1991 | ||||
1992 | if ((ret->internal->cert = ssl_cert_new()) == NULL((void*)0)) | |||
1993 | goto err; | |||
1994 | ||||
1995 | ret->default_passwd_callback = 0; | |||
1996 | ret->default_passwd_callback_userdata = NULL((void*)0); | |||
1997 | ret->internal->client_cert_cb = 0; | |||
1998 | ret->internal->app_gen_cookie_cb = 0; | |||
1999 | ret->internal->app_verify_cookie_cb = 0; | |||
2000 | ||||
2001 | ret->internal->sessions = lh_SSL_SESSION_new()((struct lhash_st_SSL_SESSION *)lh_new(ssl_session_LHASH_HASH , ssl_session_LHASH_COMP)); | |||
2002 | if (ret->internal->sessions == NULL((void*)0)) | |||
2003 | goto err; | |||
2004 | ret->cert_store = X509_STORE_new(); | |||
2005 | if (ret->cert_store == NULL((void*)0)) | |||
2006 | goto err; | |||
2007 | ||||
2008 | ssl_create_cipher_list(ret->method, &ret->cipher_list, | |||
2009 | NULL((void*)0), SSL_DEFAULT_CIPHER_LIST"ALL:!aNULL:!eNULL:!SSLv2"); | |||
2010 | if (ret->cipher_list == NULL((void*)0) || | |||
2011 | sk_SSL_CIPHER_num(ret->cipher_list)sk_num(((_STACK*) (1 ? (ret->cipher_list) : (struct stack_st_SSL_CIPHER *)0))) <= 0) { | |||
2012 | SSLerrorx(SSL_R_LIBRARY_HAS_NO_CIPHERS)ERR_put_error(20,(0xfff),(161),"/usr/src/lib/libssl/ssl_lib.c" ,2012); | |||
2013 | goto err2; | |||
2014 | } | |||
2015 | ||||
2016 | ret->param = X509_VERIFY_PARAM_new(); | |||
2017 | if (!ret->param) | |||
2018 | goto err; | |||
2019 | ||||
2020 | if ((ret->internal->client_CA = sk_X509_NAME_new_null()((struct stack_st_X509_NAME *)sk_new_null())) == NULL((void*)0)) | |||
2021 | goto err; | |||
2022 | ||||
2023 | CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL_CTX2, ret, &ret->internal->ex_data); | |||
2024 | ||||
2025 | ret->extra_certs = NULL((void*)0); | |||
2026 | ||||
2027 | ret->internal->max_send_fragment = SSL3_RT_MAX_PLAIN_LENGTH16384; | |||
2028 | ||||
2029 | ret->internal->tlsext_servername_callback = 0; | |||
2030 | ret->internal->tlsext_servername_arg = NULL((void*)0); | |||
2031 | ||||
2032 | /* Setup RFC4507 ticket keys */ | |||
2033 | arc4random_buf(ret->internal->tlsext_tick_key_name, 16); | |||
2034 | arc4random_buf(ret->internal->tlsext_tick_hmac_key, 16); | |||
2035 | arc4random_buf(ret->internal->tlsext_tick_aes_key, 16); | |||
2036 | ||||
2037 | ret->internal->tlsext_status_cb = 0; | |||
2038 | ret->internal->tlsext_status_arg = NULL((void*)0); | |||
2039 | ||||
2040 | #ifndef OPENSSL_NO_ENGINE | |||
2041 | ret->internal->client_cert_engine = NULL((void*)0); | |||
2042 | #ifdef OPENSSL_SSL_CLIENT_ENGINE_AUTO | |||
2043 | #define eng_strx(x) #x | |||
2044 | #define eng_str(x) eng_strx(x) | |||
2045 | /* Use specific client engine automatically... ignore errors */ | |||
2046 | { | |||
2047 | ENGINE *eng; | |||
2048 | eng = ENGINE_by_id(eng_str(OPENSSL_SSL_CLIENT_ENGINE_AUTO)); | |||
2049 | if (!eng) { | |||
2050 | ERR_clear_error(); | |||
2051 | ENGINE_load_builtin_engines(); | |||
2052 | eng = ENGINE_by_id(eng_str( | |||
2053 | OPENSSL_SSL_CLIENT_ENGINE_AUTO)); | |||
2054 | } | |||
2055 | if (!eng || !SSL_CTX_set_client_cert_engine(ret, eng)) | |||
2056 | ERR_clear_error(); | |||
2057 | } | |||
2058 | #endif | |||
2059 | #endif | |||
2060 | /* | |||
2061 | * Default is to connect to non-RI servers. When RI is more widely | |||
2062 | * deployed might change this. | |||
2063 | */ | |||
2064 | ret->internal->options |= SSL_OP_LEGACY_SERVER_CONNECT0x00000004L; | |||
2065 | ||||
2066 | return (ret); | |||
2067 | err: | |||
2068 | SSLerrorx(ERR_R_MALLOC_FAILURE)ERR_put_error(20,(0xfff),((1|64)),"/usr/src/lib/libssl/ssl_lib.c" ,2068); | |||
2069 | err2: | |||
2070 | SSL_CTX_free(ret); | |||
2071 | return (NULL((void*)0)); | |||
2072 | } | |||
2073 | ||||
2074 | void | |||
2075 | SSL_CTX_free(SSL_CTX *ctx) | |||
2076 | { | |||
2077 | int i; | |||
2078 | ||||
2079 | if (ctx == NULL((void*)0)) | |||
2080 | return; | |||
2081 | ||||
2082 | i = CRYPTO_add(&ctx->references, -1, CRYPTO_LOCK_SSL_CTX)CRYPTO_add_lock(&ctx->references,-1,12,((void*)0),0); | |||
2083 | if (i > 0) | |||
2084 | return; | |||
2085 | ||||
2086 | X509_VERIFY_PARAM_free(ctx->param); | |||
2087 | ||||
2088 | /* | |||
2089 | * Free internal session cache. However: the remove_cb() may reference | |||
2090 | * the ex_data of SSL_CTX, thus the ex_data store can only be removed | |||
2091 | * after the sessions were flushed. | |||
2092 | * As the ex_data handling routines might also touch the session cache, | |||
2093 | * the most secure solution seems to be: empty (flush) the cache, then | |||
2094 | * free ex_data, then finally free the cache. | |||
2095 | * (See ticket [openssl.org #212].) | |||
2096 | */ | |||
2097 | if (ctx->internal->sessions != NULL((void*)0)) | |||
2098 | SSL_CTX_flush_sessions(ctx, 0); | |||
2099 | ||||
2100 | CRYPTO_free_ex_data(CRYPTO_EX_INDEX_SSL_CTX2, ctx, &ctx->internal->ex_data); | |||
2101 | ||||
2102 | lh_SSL_SESSION_free(ctx->internal->sessions)lh_free(((_LHASH *)((void*) (1 ? ctx->internal->sessions : (struct lhash_st_SSL_SESSION*)0)))); | |||
2103 | ||||
2104 | X509_STORE_free(ctx->cert_store); | |||
2105 | sk_SSL_CIPHER_free(ctx->cipher_list)sk_free(((_STACK*) (1 ? (ctx->cipher_list) : (struct stack_st_SSL_CIPHER *)0))); | |||
2106 | sk_SSL_CIPHER_free(ctx->internal->cipher_list_tls13)sk_free(((_STACK*) (1 ? (ctx->internal->cipher_list_tls13 ) : (struct stack_st_SSL_CIPHER*)0))); | |||
2107 | ssl_cert_free(ctx->internal->cert); | |||
2108 | sk_X509_NAME_pop_free(ctx->internal->client_CA, X509_NAME_free)sk_pop_free(((_STACK*) (1 ? (ctx->internal->client_CA) : (struct stack_st_X509_NAME*)0)), ((void (*)(void *)) ((1 ? ( X509_NAME_free) : (void (*)(X509_NAME *))0)))); | |||
2109 | sk_X509_pop_free(ctx->extra_certs, X509_free)sk_pop_free(((_STACK*) (1 ? (ctx->extra_certs) : (struct stack_st_X509 *)0)), ((void (*)(void *)) ((1 ? (X509_free) : (void (*)(X509 *))0)))); | |||
2110 | ||||
2111 | #ifndef OPENSSL_NO_SRTP | |||
2112 | if (ctx->internal->srtp_profiles) | |||
2113 | sk_SRTP_PROTECTION_PROFILE_free(ctx->internal->srtp_profiles)sk_free(((_STACK*) (1 ? (ctx->internal->srtp_profiles) : (struct stack_st_SRTP_PROTECTION_PROFILE*)0))); | |||
2114 | #endif | |||
2115 | ||||
2116 | #ifndef OPENSSL_NO_ENGINE | |||
2117 | ENGINE_finish(ctx->internal->client_cert_engine); | |||
2118 | #endif | |||
2119 | ||||
2120 | free(ctx->internal->tlsext_ecpointformatlist); | |||
2121 | free(ctx->internal->tlsext_supportedgroups); | |||
2122 | ||||
2123 | free(ctx->internal->alpn_client_proto_list); | |||
2124 | ||||
2125 | free(ctx->internal); | |||
2126 | free(ctx); | |||
2127 | } | |||
2128 | ||||
2129 | int | |||
2130 | SSL_CTX_up_ref(SSL_CTX *ctx) | |||
2131 | { | |||
2132 | int refs = CRYPTO_add(&ctx->references, 1, CRYPTO_LOCK_SSL_CTX)CRYPTO_add_lock(&ctx->references,1,12,((void*)0),0); | |||
2133 | return ((refs > 1) ? 1 : 0); | |||
2134 | } | |||
2135 | ||||
2136 | pem_password_cb * | |||
2137 | SSL_CTX_get_default_passwd_cb(SSL_CTX *ctx) | |||
2138 | { | |||
2139 | return (ctx->default_passwd_callback); | |||
2140 | } | |||
2141 | ||||
2142 | void | |||
2143 | SSL_CTX_set_default_passwd_cb(SSL_CTX *ctx, pem_password_cb *cb) | |||
2144 | { | |||
2145 | ctx->default_passwd_callback = cb; | |||
2146 | } | |||
2147 | ||||
2148 | void * | |||
2149 | SSL_CTX_get_default_passwd_cb_userdata(SSL_CTX *ctx) | |||
2150 | { | |||
2151 | return ctx->default_passwd_callback_userdata; | |||
2152 | } | |||
2153 | ||||
2154 | void | |||
2155 | SSL_CTX_set_default_passwd_cb_userdata(SSL_CTX *ctx, void *u) | |||
2156 | { | |||
2157 | ctx->default_passwd_callback_userdata = u; | |||
2158 | } | |||
2159 | ||||
2160 | void | |||
2161 | SSL_CTX_set_cert_verify_callback(SSL_CTX *ctx, | |||
2162 | int (*cb)(X509_STORE_CTX *, void *), void *arg) | |||
2163 | { | |||
2164 | ctx->internal->app_verify_callback = cb; | |||
2165 | ctx->internal->app_verify_arg = arg; | |||
2166 | } | |||
2167 | ||||
2168 | void | |||
2169 | SSL_CTX_set_verify(SSL_CTX *ctx, int mode, int (*cb)(int, X509_STORE_CTX *)) | |||
2170 | { | |||
2171 | ctx->verify_mode = mode; | |||
2172 | ctx->internal->default_verify_callback = cb; | |||
2173 | } | |||
2174 | ||||
2175 | void | |||
2176 | SSL_CTX_set_verify_depth(SSL_CTX *ctx, int depth) | |||
2177 | { | |||
2178 | X509_VERIFY_PARAM_set_depth(ctx->param, depth); | |||
2179 | } | |||
2180 | ||||
2181 | void | |||
2182 | ssl_set_cert_masks(SSL_CERT *c, const SSL_CIPHER *cipher) | |||
2183 | { | |||
2184 | unsigned long mask_a, mask_k; | |||
2185 | SSL_CERT_PKEY *cpk; | |||
2186 | ||||
2187 | if (c == NULL((void*)0)) | |||
2188 | return; | |||
2189 | ||||
2190 | mask_a = SSL_aNULL0x00000004L | SSL_aTLS1_30x00000400L; | |||
2191 | mask_k = SSL_kECDHE0x00000080L | SSL_kTLS1_30x00000400L; | |||
2192 | ||||
2193 | if (c->dhe_params != NULL((void*)0) || c->dhe_params_cb != NULL((void*)0) || | |||
2194 | c->dhe_params_auto != 0) | |||
2195 | mask_k |= SSL_kDHE0x00000008L; | |||
2196 | ||||
2197 | cpk = &(c->pkeys[SSL_PKEY_ECC1]); | |||
2198 | if (cpk->x509 != NULL((void*)0) && cpk->privatekey != NULL((void*)0)) { | |||
2199 | /* Key usage, if present, must allow signing. */ | |||
2200 | if (X509_get_key_usage(cpk->x509) & X509v3_KU_DIGITAL_SIGNATURE0x0080) | |||
2201 | mask_a |= SSL_aECDSA0x00000040L; | |||
2202 | } | |||
2203 | ||||
2204 | cpk = &(c->pkeys[SSL_PKEY_GOST012]); | |||
2205 | if (cpk->x509 != NULL((void*)0) && cpk->privatekey != NULL((void*)0)) { | |||
2206 | mask_k |= SSL_kGOST0x00000200L; | |||
2207 | mask_a |= SSL_aGOST010x00000200L; | |||
2208 | } | |||
2209 | ||||
2210 | cpk = &(c->pkeys[SSL_PKEY_RSA0]); | |||
2211 | if (cpk->x509 != NULL((void*)0) && cpk->privatekey != NULL((void*)0)) { | |||
2212 | mask_a |= SSL_aRSA0x00000001L; | |||
2213 | mask_k |= SSL_kRSA0x00000001L; | |||
2214 | } | |||
2215 | ||||
2216 | c->mask_k = mask_k; | |||
2217 | c->mask_a = mask_a; | |||
2218 | c->valid = 1; | |||
2219 | } | |||
2220 | ||||
2221 | /* See if this handshake is using an ECC cipher suite. */ | |||
2222 | int | |||
2223 | ssl_using_ecc_cipher(SSL *s) | |||
2224 | { | |||
2225 | unsigned long alg_a, alg_k; | |||
2226 | ||||
2227 | alg_a = S3I(s)(s->s3->internal)->hs.cipher->algorithm_auth; | |||
2228 | alg_k = S3I(s)(s->s3->internal)->hs.cipher->algorithm_mkey; | |||
2229 | ||||
2230 | return s->session->tlsext_ecpointformatlist != NULL((void*)0) && | |||
2231 | s->session->tlsext_ecpointformatlist_length > 0 && | |||
2232 | ((alg_k & SSL_kECDHE0x00000080L) || (alg_a & SSL_aECDSA0x00000040L)); | |||
2233 | } | |||
2234 | ||||
2235 | int | |||
2236 | ssl_check_srvr_ecc_cert_and_alg(SSL *s, X509 *x) | |||
2237 | { | |||
2238 | const SSL_CIPHER *cs = S3I(s)(s->s3->internal)->hs.cipher; | |||
2239 | unsigned long alg_a; | |||
2240 | ||||
2241 | alg_a = cs->algorithm_auth; | |||
2242 | ||||
2243 | if (alg_a & SSL_aECDSA0x00000040L) { | |||
2244 | /* Key usage, if present, must allow signing. */ | |||
2245 | if (!(X509_get_key_usage(x) & X509v3_KU_DIGITAL_SIGNATURE0x0080)) { | |||
2246 | SSLerror(s, SSL_R_ECC_CERT_NOT_FOR_SIGNING)SSL_error_internal(s, 318, "/usr/src/lib/libssl/ssl_lib.c", 2246 ); | |||
2247 | return (0); | |||
2248 | } | |||
2249 | } | |||
2250 | ||||
2251 | return (1); | |||
2252 | } | |||
2253 | ||||
2254 | SSL_CERT_PKEY * | |||
2255 | ssl_get_server_send_pkey(const SSL *s) | |||
2256 | { | |||
2257 | unsigned long alg_a; | |||
2258 | SSL_CERT *c; | |||
2259 | int i; | |||
2260 | ||||
2261 | c = s->cert; | |||
2262 | ssl_set_cert_masks(c, S3I(s)(s->s3->internal)->hs.cipher); | |||
2263 | ||||
2264 | alg_a = S3I(s)(s->s3->internal)->hs.cipher->algorithm_auth; | |||
2265 | ||||
2266 | if (alg_a & SSL_aECDSA0x00000040L) { | |||
2267 | i = SSL_PKEY_ECC1; | |||
2268 | } else if (alg_a & SSL_aRSA0x00000001L) { | |||
2269 | i = SSL_PKEY_RSA0; | |||
2270 | } else if (alg_a & SSL_aGOST010x00000200L) { | |||
2271 | i = SSL_PKEY_GOST012; | |||
2272 | } else { /* if (alg_a & SSL_aNULL) */ | |||
2273 | SSLerror(s, ERR_R_INTERNAL_ERROR)SSL_error_internal(s, (4|64), "/usr/src/lib/libssl/ssl_lib.c" , 2273); | |||
2274 | return (NULL((void*)0)); | |||
2275 | } | |||
2276 | ||||
2277 | return (c->pkeys + i); | |||
2278 | } | |||
2279 | ||||
2280 | EVP_PKEY * | |||
2281 | ssl_get_sign_pkey(SSL *s, const SSL_CIPHER *cipher, const EVP_MD **pmd, | |||
2282 | const struct ssl_sigalg **sap) | |||
2283 | { | |||
2284 | const struct ssl_sigalg *sigalg = NULL((void*)0); | |||
2285 | EVP_PKEY *pkey = NULL((void*)0); | |||
2286 | unsigned long alg_a; | |||
2287 | SSL_CERT *c; | |||
2288 | int idx = -1; | |||
2289 | ||||
2290 | alg_a = cipher->algorithm_auth; | |||
2291 | c = s->cert; | |||
2292 | ||||
2293 | if (alg_a & SSL_aRSA0x00000001L) { | |||
2294 | idx = SSL_PKEY_RSA0; | |||
2295 | } else if ((alg_a & SSL_aECDSA0x00000040L) && | |||
2296 | (c->pkeys[SSL_PKEY_ECC1].privatekey != NULL((void*)0))) | |||
2297 | idx = SSL_PKEY_ECC1; | |||
2298 | if (idx == -1) { | |||
2299 | SSLerror(s, ERR_R_INTERNAL_ERROR)SSL_error_internal(s, (4|64), "/usr/src/lib/libssl/ssl_lib.c" , 2299); | |||
2300 | return (NULL((void*)0)); | |||
2301 | } | |||
2302 | ||||
2303 | pkey = c->pkeys[idx].privatekey; | |||
2304 | if ((sigalg = ssl_sigalg_select(s, pkey)) == NULL((void*)0)) { | |||
2305 | SSLerror(s, SSL_R_SIGNATURE_ALGORITHMS_ERROR)SSL_error_internal(s, 360, "/usr/src/lib/libssl/ssl_lib.c", 2305 ); | |||
2306 | return (NULL((void*)0)); | |||
2307 | } | |||
2308 | *pmd = sigalg->md(); | |||
2309 | *sap = sigalg; | |||
2310 | ||||
2311 | return (pkey); | |||
2312 | } | |||
2313 | ||||
2314 | size_t | |||
2315 | ssl_dhe_params_auto_key_bits(SSL *s) | |||
2316 | { | |||
2317 | SSL_CERT_PKEY *cpk; | |||
2318 | int key_bits; | |||
2319 | ||||
2320 | if (s->cert->dhe_params_auto == 2) { | |||
2321 | key_bits = 1024; | |||
2322 | } else if (S3I(s)(s->s3->internal)->hs.cipher->algorithm_auth & SSL_aNULL0x00000004L) { | |||
2323 | key_bits = 1024; | |||
2324 | if (S3I(s)(s->s3->internal)->hs.cipher->strength_bits == 256) | |||
2325 | key_bits = 3072; | |||
2326 | } else { | |||
2327 | if ((cpk = ssl_get_server_send_pkey(s)) == NULL((void*)0)) | |||
2328 | return 0; | |||
2329 | if (cpk->privatekey == NULL((void*)0) || | |||
2330 | EVP_PKEY_get0_RSA(cpk->privatekey) == NULL((void*)0)) | |||
2331 | return 0; | |||
2332 | if ((key_bits = EVP_PKEY_bits(cpk->privatekey)) <= 0) | |||
2333 | return 0; | |||
2334 | } | |||
2335 | ||||
2336 | return key_bits; | |||
2337 | } | |||
2338 | ||||
2339 | static int | |||
2340 | ssl_should_update_external_cache(SSL *s, int mode) | |||
2341 | { | |||
2342 | int cache_mode; | |||
2343 | ||||
2344 | cache_mode = s->session_ctxinitial_ctx->internal->session_cache_mode; | |||
2345 | ||||
2346 | /* Don't cache if mode says not to */ | |||
2347 | if ((cache_mode & mode) == 0) | |||
2348 | return 0; | |||
2349 | ||||
2350 | /* if it is not already cached, cache it */ | |||
2351 | if (!s->internal->hit) | |||
2352 | return 1; | |||
2353 | ||||
2354 | /* If it's TLS 1.3, do it to match OpenSSL */ | |||
2355 | if (S3I(s)(s->s3->internal)->hs.negotiated_tls_version >= TLS1_3_VERSION0x0304) | |||
2356 | return 1; | |||
2357 | ||||
2358 | return 0; | |||
2359 | } | |||
2360 | ||||
2361 | static int | |||
2362 | ssl_should_update_internal_cache(SSL *s, int mode) | |||
2363 | { | |||
2364 | int cache_mode; | |||
2365 | ||||
2366 | cache_mode = s->session_ctxinitial_ctx->internal->session_cache_mode; | |||
2367 | ||||
2368 | /* Don't cache if mode says not to */ | |||
2369 | if ((cache_mode & mode) == 0) | |||
2370 | return 0; | |||
2371 | ||||
2372 | /* If it is already cached, don't cache it again */ | |||
2373 | if (s->internal->hit) | |||
2374 | return 0; | |||
2375 | ||||
2376 | if ((cache_mode & SSL_SESS_CACHE_NO_INTERNAL_STORE0x0200) != 0) | |||
2377 | return 0; | |||
2378 | ||||
2379 | /* If we are lesser than TLS 1.3, Cache it. */ | |||
2380 | if (S3I(s)(s->s3->internal)->hs.negotiated_tls_version < TLS1_3_VERSION0x0304) | |||
2381 | return 1; | |||
2382 | ||||
2383 | /* Below this we consider TLS 1.3 or later */ | |||
2384 | ||||
2385 | /* If it's not a server, add it? OpenSSL does this. */ | |||
2386 | if (!s->server) | |||
2387 | return 1; | |||
2388 | ||||
2389 | /* XXX if we support early data / PSK need to add */ | |||
2390 | ||||
2391 | /* | |||
2392 | * If we have the remove session callback, we will want | |||
2393 | * to know about this even if it's a stateless ticket | |||
2394 | * from 1.3 so we can know when it is removed. | |||
2395 | */ | |||
2396 | if (s->session_ctxinitial_ctx->internal->remove_session_cb != NULL((void*)0)) | |||
2397 | return 1; | |||
2398 | ||||
2399 | /* If we have set OP_NO_TICKET, cache it. */ | |||
2400 | if ((s->internal->options & SSL_OP_NO_TICKET0x00004000L) != 0) | |||
2401 | return 1; | |||
2402 | ||||
2403 | /* Otherwise do not cache */ | |||
2404 | return 0; | |||
2405 | } | |||
2406 | ||||
2407 | void | |||
2408 | ssl_update_cache(SSL *s, int mode) | |||
2409 | { | |||
2410 | int cache_mode, do_callback; | |||
2411 | ||||
2412 | if (s->session->session_id_length == 0) | |||
2413 | return; | |||
2414 | ||||
2415 | cache_mode = s->session_ctxinitial_ctx->internal->session_cache_mode; | |||
2416 | do_callback = ssl_should_update_external_cache(s, mode); | |||
2417 | ||||
2418 | if (ssl_should_update_internal_cache(s, mode)) { | |||
2419 | /* | |||
2420 | * XXX should we fail if the add to the internal cache | |||
2421 | * fails? OpenSSL doesn't care.. | |||
2422 | */ | |||
2423 | (void) SSL_CTX_add_session(s->session_ctxinitial_ctx, s->session); | |||
2424 | } | |||
2425 | ||||
2426 | /* | |||
2427 | * Update the "external cache" by calling the new session | |||
2428 | * callback if present, even with TLS 1.3 without early data | |||
2429 | * "because some application just want to know about the | |||
2430 | * creation of a session and aren't doing a full cache". | |||
2431 | * Apparently, if they are doing a full cache, they'll have | |||
2432 | * some fun, but we endeavour to give application writers the | |||
2433 | * same glorious experience they expect from OpenSSL which | |||
2434 | * does it this way. | |||
2435 | */ | |||
2436 | if (do_callback && s->session_ctxinitial_ctx->internal->new_session_cb != NULL((void*)0)) { | |||
2437 | CRYPTO_add(&s->session->references, 1, CRYPTO_LOCK_SSL_SESSION)CRYPTO_add_lock(&s->session->references,1,14,((void *)0),0); | |||
2438 | if (!s->session_ctxinitial_ctx->internal->new_session_cb(s, s->session)) | |||
2439 | SSL_SESSION_free(s->session); | |||
2440 | } | |||
2441 | ||||
2442 | /* Auto flush every 255 connections. */ | |||
2443 | if (!(cache_mode & SSL_SESS_CACHE_NO_AUTO_CLEAR0x0080) && | |||
2444 | (cache_mode & mode) != 0) { | |||
2445 | int connections; | |||
2446 | if (mode & SSL_SESS_CACHE_CLIENT0x0001) | |||
2447 | connections = s->session_ctxinitial_ctx->internal->stats.sess_connect_good; | |||
2448 | else | |||
2449 | connections = s->session_ctxinitial_ctx->internal->stats.sess_accept_good; | |||
2450 | if ((connections & 0xff) == 0xff) | |||
2451 | SSL_CTX_flush_sessions(s->session_ctxinitial_ctx, time(NULL((void*)0))); | |||
2452 | } | |||
2453 | } | |||
2454 | ||||
2455 | const SSL_METHOD * | |||
2456 | SSL_get_ssl_method(SSL *s) | |||
2457 | { | |||
2458 | return (s->method); | |||
2459 | } | |||
2460 | ||||
2461 | int | |||
2462 | SSL_set_ssl_method(SSL *s, const SSL_METHOD *method) | |||
2463 | { | |||
2464 | int (*handshake_func)(SSL *) = NULL((void*)0); | |||
2465 | int ret = 1; | |||
2466 | ||||
2467 | if (s->method == method) | |||
2468 | return (ret); | |||
2469 | ||||
2470 | if (s->internal->handshake_func == s->method->ssl_connect) | |||
2471 | handshake_func = method->ssl_connect; | |||
2472 | else if (s->internal->handshake_func == s->method->ssl_accept) | |||
2473 | handshake_func = method->ssl_accept; | |||
2474 | ||||
2475 | if (s->method->version == method->version) { | |||
2476 | s->method = method; | |||
2477 | } else { | |||
2478 | s->method->ssl_free(s); | |||
2479 | s->method = method; | |||
2480 | ret = s->method->ssl_new(s); | |||
2481 | } | |||
2482 | s->internal->handshake_func = handshake_func; | |||
2483 | ||||
2484 | return (ret); | |||
2485 | } | |||
2486 | ||||
2487 | int | |||
2488 | SSL_get_error(const SSL *s, int i) | |||
2489 | { | |||
2490 | int reason; | |||
2491 | unsigned long l; | |||
2492 | BIO *bio; | |||
2493 | ||||
2494 | if (i > 0) | |||
2495 | return (SSL_ERROR_NONE0); | |||
2496 | ||||
2497 | /* Make things return SSL_ERROR_SYSCALL when doing SSL_do_handshake | |||
2498 | * etc, where we do encode the error */ | |||
2499 | if ((l = ERR_peek_error()) != 0) { | |||
2500 | if (ERR_GET_LIB(l)(int)((((unsigned long)l)>>24L)&0xffL) == ERR_LIB_SYS2) | |||
2501 | return (SSL_ERROR_SYSCALL5); | |||
2502 | else | |||
2503 | return (SSL_ERROR_SSL1); | |||
2504 | } | |||
2505 | ||||
2506 | if ((i < 0) && SSL_want_read(s)(SSL_want(s) == 3)) { | |||
2507 | bio = SSL_get_rbio(s); | |||
2508 | if (BIO_should_read(bio)BIO_test_flags(bio, 0x01)) { | |||
2509 | return (SSL_ERROR_WANT_READ2); | |||
2510 | } else if (BIO_should_write(bio)BIO_test_flags(bio, 0x02)) { | |||
2511 | /* | |||
2512 | * This one doesn't make too much sense... We never | |||
2513 | * try to write to the rbio, and an application | |||
2514 | * program where rbio and wbio are separate couldn't | |||
2515 | * even know what it should wait for. However if we | |||
2516 | * ever set s->internal->rwstate incorrectly (so that we have | |||
2517 | * SSL_want_read(s) instead of SSL_want_write(s)) | |||
2518 | * and rbio and wbio *are* the same, this test works | |||
2519 | * around that bug; so it might be safer to keep it. | |||
2520 | */ | |||
2521 | return (SSL_ERROR_WANT_WRITE3); | |||
2522 | } else if (BIO_should_io_special(bio)BIO_test_flags(bio, 0x04)) { | |||
2523 | reason = BIO_get_retry_reason(bio); | |||
2524 | if (reason == BIO_RR_CONNECT0x02) | |||
2525 | return (SSL_ERROR_WANT_CONNECT7); | |||
2526 | else if (reason == BIO_RR_ACCEPT0x03) | |||
2527 | return (SSL_ERROR_WANT_ACCEPT8); | |||
2528 | else | |||
2529 | return (SSL_ERROR_SYSCALL5); /* unknown */ | |||
2530 | } | |||
2531 | } | |||
2532 | ||||
2533 | if ((i < 0) && SSL_want_write(s)(SSL_want(s) == 2)) { | |||
2534 | bio = SSL_get_wbio(s); | |||
2535 | if (BIO_should_write(bio)BIO_test_flags(bio, 0x02)) { | |||
2536 | return (SSL_ERROR_WANT_WRITE3); | |||
2537 | } else if (BIO_should_read(bio)BIO_test_flags(bio, 0x01)) { | |||
2538 | /* | |||
2539 | * See above (SSL_want_read(s) with | |||
2540 | * BIO_should_write(bio)) | |||
2541 | */ | |||
2542 | return (SSL_ERROR_WANT_READ2); | |||
2543 | } else if (BIO_should_io_special(bio)BIO_test_flags(bio, 0x04)) { | |||
2544 | reason = BIO_get_retry_reason(bio); | |||
2545 | if (reason == BIO_RR_CONNECT0x02) | |||
2546 | return (SSL_ERROR_WANT_CONNECT7); | |||
2547 | else if (reason == BIO_RR_ACCEPT0x03) | |||
2548 | return (SSL_ERROR_WANT_ACCEPT8); | |||
2549 | else | |||
2550 | return (SSL_ERROR_SYSCALL5); | |||
2551 | } | |||
2552 | } | |||
2553 | if ((i < 0) && SSL_want_x509_lookup(s)(SSL_want(s) == 4)) { | |||
2554 | return (SSL_ERROR_WANT_X509_LOOKUP4); | |||
2555 | } | |||
2556 | ||||
2557 | if (i == 0) { | |||
2558 | if ((s->internal->shutdown & SSL_RECEIVED_SHUTDOWN2) && | |||
2559 | (S3I(s)(s->s3->internal)->warn_alert == SSL_AD_CLOSE_NOTIFY0)) | |||
2560 | return (SSL_ERROR_ZERO_RETURN6); | |||
2561 | } | |||
2562 | return (SSL_ERROR_SYSCALL5); | |||
2563 | } | |||
2564 | ||||
2565 | int | |||
2566 | SSL_do_handshake(SSL *s) | |||
2567 | { | |||
2568 | int ret = 1; | |||
2569 | ||||
2570 | if (s->internal->handshake_func == NULL((void*)0)) { | |||
2571 | SSLerror(s, SSL_R_CONNECTION_TYPE_NOT_SET)SSL_error_internal(s, 144, "/usr/src/lib/libssl/ssl_lib.c", 2571 ); | |||
2572 | return (-1); | |||
2573 | } | |||
2574 | ||||
2575 | s->method->ssl_renegotiate_check(s); | |||
2576 | ||||
2577 | if (SSL_in_init(s)(SSL_state((s))&(0x1000|0x2000)) || SSL_in_before(s)(SSL_state((s))&0x4000)) { | |||
2578 | ret = s->internal->handshake_func(s); | |||
2579 | } | |||
2580 | return (ret); | |||
2581 | } | |||
2582 | ||||
2583 | /* | |||
2584 | * For the next 2 functions, SSL_clear() sets shutdown and so | |||
2585 | * one of these calls will reset it | |||
2586 | */ | |||
2587 | void | |||
2588 | SSL_set_accept_state(SSL *s) | |||
2589 | { | |||
2590 | s->server = 1; | |||
2591 | s->internal->shutdown = 0; | |||
2592 | S3I(s)(s->s3->internal)->hs.state = SSL_ST_ACCEPT0x2000|SSL_ST_BEFORE0x4000; | |||
2593 | s->internal->handshake_func = s->method->ssl_accept; | |||
2594 | ssl_clear_cipher_state(s); | |||
2595 | } | |||
2596 | ||||
2597 | void | |||
2598 | SSL_set_connect_state(SSL *s) | |||
2599 | { | |||
2600 | s->server = 0; | |||
2601 | s->internal->shutdown = 0; | |||
2602 | S3I(s)(s->s3->internal)->hs.state = SSL_ST_CONNECT0x1000|SSL_ST_BEFORE0x4000; | |||
2603 | s->internal->handshake_func = s->method->ssl_connect; | |||
2604 | ssl_clear_cipher_state(s); | |||
2605 | } | |||
2606 | ||||
2607 | int | |||
2608 | ssl_undefined_function(SSL *s) | |||
2609 | { | |||
2610 | SSLerror(s, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED)SSL_error_internal(s, (2|64), "/usr/src/lib/libssl/ssl_lib.c" , 2610); | |||
2611 | return (0); | |||
2612 | } | |||
2613 | ||||
2614 | int | |||
2615 | ssl_undefined_void_function(void) | |||
2616 | { | |||
2617 | SSLerrorx(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED)ERR_put_error(20,(0xfff),((2|64)),"/usr/src/lib/libssl/ssl_lib.c" ,2617); | |||
2618 | return (0); | |||
2619 | } | |||
2620 | ||||
2621 | int | |||
2622 | ssl_undefined_const_function(const SSL *s) | |||
2623 | { | |||
2624 | SSLerror(s, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED)SSL_error_internal(s, (2|64), "/usr/src/lib/libssl/ssl_lib.c" , 2624); | |||
2625 | return (0); | |||
2626 | } | |||
2627 | ||||
2628 | const char * | |||
2629 | ssl_version_string(int ver) | |||
2630 | { | |||
2631 | switch (ver) { | |||
2632 | case TLS1_VERSION0x0301: | |||
2633 | return (SSL_TXT_TLSV1"TLSv1"); | |||
2634 | case TLS1_1_VERSION0x0302: | |||
2635 | return (SSL_TXT_TLSV1_1"TLSv1.1"); | |||
2636 | case TLS1_2_VERSION0x0303: | |||
2637 | return (SSL_TXT_TLSV1_2"TLSv1.2"); | |||
2638 | case TLS1_3_VERSION0x0304: | |||
2639 | return (SSL_TXT_TLSV1_3"TLSv1.3"); | |||
2640 | case DTLS1_VERSION0xFEFF: | |||
2641 | return (SSL_TXT_DTLS1"DTLSv1"); | |||
2642 | case DTLS1_2_VERSION0xFEFD: | |||
2643 | return (SSL_TXT_DTLS1_2"DTLSv1.2"); | |||
2644 | default: | |||
2645 | return ("unknown"); | |||
2646 | } | |||
2647 | } | |||
2648 | ||||
2649 | const char * | |||
2650 | SSL_get_version(const SSL *s) | |||
2651 | { | |||
2652 | return ssl_version_string(s->version); | |||
2653 | } | |||
2654 | ||||
2655 | SSL * | |||
2656 | SSL_dup(SSL *s) | |||
2657 | { | |||
2658 | STACK_OF(X509_NAME)struct stack_st_X509_NAME *sk; | |||
2659 | X509_NAME *xn; | |||
2660 | SSL *ret; | |||
2661 | int i; | |||
2662 | ||||
2663 | if ((ret = SSL_new(SSL_get_SSL_CTX(s))) == NULL((void*)0)) | |||
| ||||
2664 | goto err; | |||
2665 | ||||
2666 | ret->version = s->version; | |||
2667 | ret->method = s->method; | |||
2668 | ||||
2669 | if (s->session != NULL((void*)0)) { | |||
2670 | if (!SSL_copy_session_id(ret, s)) | |||
2671 | goto err; | |||
2672 | } else { | |||
2673 | /* | |||
2674 | * No session has been established yet, so we have to expect | |||
2675 | * that s->cert or ret->cert will be changed later -- | |||
2676 | * they should not both point to the same object, | |||
2677 | * and thus we can't use SSL_copy_session_id. | |||
2678 | */ | |||
2679 | ||||
2680 | ret->method->ssl_free(ret); | |||
2681 | ret->method = s->method; | |||
2682 | ret->method->ssl_new(ret); | |||
2683 | ||||
2684 | ssl_cert_free(ret->cert); | |||
2685 | if ((ret->cert = ssl_cert_dup(s->cert)) == NULL((void*)0)) | |||
2686 | goto err; | |||
2687 | ||||
2688 | if (!SSL_set_session_id_context(ret, s->sid_ctx, | |||
2689 | s->sid_ctx_length)) | |||
2690 | goto err; | |||
2691 | } | |||
2692 | ||||
2693 | ret->internal->options = s->internal->options; | |||
2694 | ret->internal->mode = s->internal->mode; | |||
2695 | SSL_set_max_cert_list(ret, SSL_get_max_cert_list(s))SSL_ctrl(ret,51,SSL_ctrl(s,50,0,((void*)0)),((void*)0)); | |||
2696 | SSL_set_read_ahead(ret, SSL_get_read_ahead(s)); | |||
2697 | ret->internal->msg_callback = s->internal->msg_callback; | |||
2698 | ret->internal->msg_callback_arg = s->internal->msg_callback_arg; | |||
2699 | SSL_set_verify(ret, SSL_get_verify_mode(s), | |||
2700 | SSL_get_verify_callback(s)); | |||
2701 | SSL_set_verify_depth(ret, SSL_get_verify_depth(s)); | |||
2702 | ret->internal->generate_session_id = s->internal->generate_session_id; | |||
2703 | ||||
2704 | SSL_set_info_callback(ret, SSL_get_info_callback(s)); | |||
2705 | ||||
2706 | ret->internal->debug = s->internal->debug; | |||
2707 | ||||
2708 | /* copy app data, a little dangerous perhaps */ | |||
2709 | if (!CRYPTO_dup_ex_data(CRYPTO_EX_INDEX_SSL1, | |||
2710 | &ret->internal->ex_data, &s->internal->ex_data)) | |||
2711 | goto err; | |||
2712 | ||||
2713 | /* setup rbio, and wbio */ | |||
2714 | if (s->rbio != NULL((void*)0)) { | |||
2715 | if (!BIO_dup_state(s->rbio,(char *)&ret->rbio)BIO_ctrl(s->rbio,12,0,(char *)((char *)&ret->rbio))) | |||
2716 | goto err; | |||
2717 | } | |||
2718 | if (s->wbio != NULL((void*)0)) { | |||
2719 | if (s->wbio != s->rbio) { | |||
2720 | if (!BIO_dup_state(s->wbio,(char *)&ret->wbio)BIO_ctrl(s->wbio,12,0,(char *)((char *)&ret->wbio))) | |||
2721 | goto err; | |||
2722 | } else | |||
2723 | ret->wbio = ret->rbio; | |||
2724 | } | |||
2725 | ret->internal->rwstate = s->internal->rwstate; | |||
2726 | ret->internal->in_handshake = s->internal->in_handshake; | |||
2727 | ret->internal->handshake_func = s->internal->handshake_func; | |||
2728 | ret->server = s->server; | |||
2729 | ret->internal->renegotiate = s->internal->renegotiate; | |||
2730 | ret->internal->new_session = s->internal->new_session; | |||
2731 | ret->internal->quiet_shutdown = s->internal->quiet_shutdown; | |||
2732 | ret->internal->shutdown = s->internal->shutdown; | |||
2733 | /* SSL_dup does not really work at any state, though */ | |||
2734 | S3I(ret)(ret->s3->internal)->hs.state = S3I(s)(s->s3->internal)->hs.state; | |||
2735 | ret->internal->rstate = s->internal->rstate; | |||
2736 | ||||
2737 | /* | |||
2738 | * Would have to copy ret->init_buf, ret->init_msg, ret->init_num, | |||
2739 | * ret->init_off | |||
2740 | */ | |||
2741 | ret->internal->init_num = 0; | |||
2742 | ||||
2743 | ret->internal->hit = s->internal->hit; | |||
2744 | ||||
2745 | X509_VERIFY_PARAM_inherit(ret->param, s->param); | |||
2746 | ||||
2747 | if (s->cipher_list != NULL((void*)0)) { | |||
2748 | if ((ret->cipher_list = | |||
2749 | sk_SSL_CIPHER_dup(s->cipher_list)(struct stack_st_SSL_CIPHER *)sk_dup(((_STACK*) (1 ? s->cipher_list : (struct stack_st_SSL_CIPHER*)0)))) == NULL((void*)0)) | |||
2750 | goto err; | |||
2751 | } | |||
2752 | if (s->internal->cipher_list_tls13 != NULL((void*)0)) { | |||
2753 | if ((ret->internal->cipher_list_tls13 = | |||
2754 | sk_SSL_CIPHER_dup(s->internal->cipher_list_tls13)(struct stack_st_SSL_CIPHER *)sk_dup(((_STACK*) (1 ? s->internal ->cipher_list_tls13 : (struct stack_st_SSL_CIPHER*)0)))) == NULL((void*)0)) | |||
2755 | goto err; | |||
2756 | } | |||
2757 | ||||
2758 | /* Dup the client_CA list */ | |||
2759 | if (s->internal->client_CA != NULL((void*)0)) { | |||
2760 | if ((sk = sk_X509_NAME_dup(s->internal->client_CA)(struct stack_st_X509_NAME *)sk_dup(((_STACK*) (1 ? s->internal ->client_CA : (struct stack_st_X509_NAME*)0)))) == NULL((void*)0)) goto err; | |||
2761 | ret->internal->client_CA = sk; | |||
2762 | for (i = 0; i < sk_X509_NAME_num(sk)sk_num(((_STACK*) (1 ? (sk) : (struct stack_st_X509_NAME*)0)) ); i++) { | |||
2763 | xn = sk_X509_NAME_value(sk, i)((X509_NAME *)sk_value(((_STACK*) (1 ? (sk) : (struct stack_st_X509_NAME *)0)), (i))); | |||
2764 | if (sk_X509_NAME_set(sk, i,sk_set(((_STACK*) (1 ? (sk) : (struct stack_st_X509_NAME*)0)) , (i), ((void*) (1 ? (X509_NAME_dup(xn)) : (X509_NAME*)0))) | |||
2765 | X509_NAME_dup(xn))sk_set(((_STACK*) (1 ? (sk) : (struct stack_st_X509_NAME*)0)) , (i), ((void*) (1 ? (X509_NAME_dup(xn)) : (X509_NAME*)0))) == NULL((void*)0)) { | |||
2766 | X509_NAME_free(xn); | |||
2767 | goto err; | |||
2768 | } | |||
2769 | } | |||
2770 | } | |||
2771 | ||||
2772 | return ret; | |||
2773 | err: | |||
2774 | SSL_free(ret); | |||
2775 | return NULL((void*)0); | |||
2776 | } | |||
2777 | ||||
2778 | void | |||
2779 | ssl_clear_cipher_state(SSL *s) | |||
2780 | { | |||
2781 | tls12_record_layer_clear_read_state(s->internal->rl); | |||
2782 | tls12_record_layer_clear_write_state(s->internal->rl); | |||
2783 | } | |||
2784 | ||||
2785 | void | |||
2786 | ssl_info_callback(const SSL *s, int type, int value) | |||
2787 | { | |||
2788 | ssl_info_callback_fn *cb; | |||
2789 | ||||
2790 | if ((cb = s->internal->info_callback) == NULL((void*)0)) | |||
2791 | cb = s->ctx->internal->info_callback; | |||
2792 | if (cb != NULL((void*)0)) | |||
2793 | cb(s, type, value); | |||
2794 | } | |||
2795 | ||||
2796 | void | |||
2797 | ssl_msg_callback(SSL *s, int is_write, int content_type, | |||
2798 | const void *msg_buf, size_t msg_len) | |||
2799 | { | |||
2800 | if (s->internal->msg_callback != NULL((void*)0)) | |||
2801 | s->internal->msg_callback(is_write, s->version, content_type, | |||
2802 | msg_buf, msg_len, s, s->internal->msg_callback_arg); | |||
2803 | } | |||
2804 | ||||
2805 | /* Fix this function so that it takes an optional type parameter */ | |||
2806 | X509 * | |||
2807 | SSL_get_certificate(const SSL *s) | |||
2808 | { | |||
2809 | return (s->cert->key->x509); | |||
2810 | } | |||
2811 | ||||
2812 | /* Fix this function so that it takes an optional type parameter */ | |||
2813 | EVP_PKEY * | |||
2814 | SSL_get_privatekey(const SSL *s) | |||
2815 | { | |||
2816 | return (s->cert->key->privatekey); | |||
2817 | } | |||
2818 | ||||
2819 | const SSL_CIPHER * | |||
2820 | SSL_get_current_cipher(const SSL *s) | |||
2821 | { | |||
2822 | if ((s->session != NULL((void*)0)) && (s->session->cipher != NULL((void*)0))) | |||
2823 | return (s->session->cipher); | |||
2824 | return (NULL((void*)0)); | |||
2825 | } | |||
2826 | const void * | |||
2827 | SSL_get_current_compression(SSL *s) | |||
2828 | { | |||
2829 | return (NULL((void*)0)); | |||
2830 | } | |||
2831 | ||||
2832 | const void * | |||
2833 | SSL_get_current_expansion(SSL *s) | |||
2834 | { | |||
2835 | return (NULL((void*)0)); | |||
2836 | } | |||
2837 | ||||
2838 | size_t | |||
2839 | SSL_get_client_random(const SSL *s, unsigned char *out, size_t max_out) | |||
2840 | { | |||
2841 | size_t len = sizeof(s->s3->client_random); | |||
2842 | ||||
2843 | if (out == NULL((void*)0)) | |||
2844 | return len; | |||
2845 | ||||
2846 | if (len > max_out) | |||
2847 | len = max_out; | |||
2848 | ||||
2849 | memcpy(out, s->s3->client_random, len); | |||
2850 | ||||
2851 | return len; | |||
2852 | } | |||
2853 | ||||
2854 | size_t | |||
2855 | SSL_get_server_random(const SSL *s, unsigned char *out, size_t max_out) | |||
2856 | { | |||
2857 | size_t len = sizeof(s->s3->server_random); | |||
2858 | ||||
2859 | if (out == NULL((void*)0)) | |||
2860 | return len; | |||
2861 | ||||
2862 | if (len > max_out) | |||
2863 | len = max_out; | |||
2864 | ||||
2865 | memcpy(out, s->s3->server_random, len); | |||
2866 | ||||
2867 | return len; | |||
2868 | } | |||
2869 | ||||
2870 | int | |||
2871 | ssl_init_wbio_buffer(SSL *s, int push) | |||
2872 | { | |||
2873 | BIO *bbio; | |||
2874 | ||||
2875 | if (s->bbio == NULL((void*)0)) { | |||
2876 | bbio = BIO_new(BIO_f_buffer()); | |||
2877 | if (bbio == NULL((void*)0)) | |||
2878 | return (0); | |||
2879 | s->bbio = bbio; | |||
2880 | } else { | |||
2881 | bbio = s->bbio; | |||
2882 | if (s->bbio == s->wbio) | |||
2883 | s->wbio = BIO_pop(s->wbio); | |||
2884 | } | |||
2885 | (void)BIO_reset(bbio)(int)BIO_ctrl(bbio,1,0,((void*)0)); | |||
2886 | /* if (!BIO_set_write_buffer_size(bbio,16*1024)) */ | |||
2887 | if (!BIO_set_read_buffer_size(bbio, 1)BIO_int_ctrl(bbio,117,1,0)) { | |||
2888 | SSLerror(s, ERR_R_BUF_LIB)SSL_error_internal(s, 7, "/usr/src/lib/libssl/ssl_lib.c", 2888 ); | |||
2889 | return (0); | |||
2890 | } | |||
2891 | if (push) { | |||
2892 | if (s->wbio != bbio) | |||
2893 | s->wbio = BIO_push(bbio, s->wbio); | |||
2894 | } else { | |||
2895 | if (s->wbio == bbio) | |||
2896 | s->wbio = BIO_pop(bbio); | |||
2897 | } | |||
2898 | return (1); | |||
2899 | } | |||
2900 | ||||
2901 | void | |||
2902 | ssl_free_wbio_buffer(SSL *s) | |||
2903 | { | |||
2904 | if (s == NULL((void*)0)) | |||
2905 | return; | |||
2906 | ||||
2907 | if (s->bbio == NULL((void*)0)) | |||
2908 | return; | |||
2909 | ||||
2910 | if (s->bbio == s->wbio) { | |||
2911 | /* remove buffering */ | |||
2912 | s->wbio = BIO_pop(s->wbio); | |||
2913 | } | |||
2914 | BIO_free(s->bbio); | |||
2915 | s->bbio = NULL((void*)0); | |||
2916 | } | |||
2917 | ||||
2918 | void | |||
2919 | SSL_CTX_set_quiet_shutdown(SSL_CTX *ctx, int mode) | |||
2920 | { | |||
2921 | ctx->internal->quiet_shutdown = mode; | |||
2922 | } | |||
2923 | ||||
2924 | int | |||
2925 | SSL_CTX_get_quiet_shutdown(const SSL_CTX *ctx) | |||
2926 | { | |||
2927 | return (ctx->internal->quiet_shutdown); | |||
2928 | } | |||
2929 | ||||
2930 | void | |||
2931 | SSL_set_quiet_shutdown(SSL *s, int mode) | |||
2932 | { | |||
2933 | s->internal->quiet_shutdown = mode; | |||
2934 | } | |||
2935 | ||||
2936 | int | |||
2937 | SSL_get_quiet_shutdown(const SSL *s) | |||
2938 | { | |||
2939 | return (s->internal->quiet_shutdown); | |||
2940 | } | |||
2941 | ||||
2942 | void | |||
2943 | SSL_set_shutdown(SSL *s, int mode) | |||
2944 | { | |||
2945 | s->internal->shutdown = mode; | |||
2946 | } | |||
2947 | ||||
2948 | int | |||
2949 | SSL_get_shutdown(const SSL *s) | |||
2950 | { | |||
2951 | return (s->internal->shutdown); | |||
2952 | } | |||
2953 | ||||
2954 | int | |||
2955 | SSL_version(const SSL *s) | |||
2956 | { | |||
2957 | return (s->version); | |||
2958 | } | |||
2959 | ||||
2960 | SSL_CTX * | |||
2961 | SSL_get_SSL_CTX(const SSL *ssl) | |||
2962 | { | |||
2963 | return (ssl->ctx); | |||
2964 | } | |||
2965 | ||||
2966 | SSL_CTX * | |||
2967 | SSL_set_SSL_CTX(SSL *ssl, SSL_CTX* ctx) | |||
2968 | { | |||
2969 | SSL_CERT *new_cert; | |||
2970 | ||||
2971 | if (ctx == NULL((void*)0)) | |||
2972 | ctx = ssl->initial_ctx; | |||
2973 | if (ssl->ctx == ctx) | |||
2974 | return (ssl->ctx); | |||
2975 | ||||
2976 | if ((new_cert = ssl_cert_dup(ctx->internal->cert)) == NULL((void*)0)) | |||
2977 | return NULL((void*)0); | |||
2978 | ssl_cert_free(ssl->cert); | |||
2979 | ssl->cert = new_cert; | |||
2980 | ||||
2981 | SSL_CTX_up_ref(ctx); | |||
2982 | SSL_CTX_free(ssl->ctx); /* decrement reference count */ | |||
2983 | ssl->ctx = ctx; | |||
2984 | ||||
2985 | return (ssl->ctx); | |||
2986 | } | |||
2987 | ||||
2988 | int | |||
2989 | SSL_CTX_set_default_verify_paths(SSL_CTX *ctx) | |||
2990 | { | |||
2991 | return (X509_STORE_set_default_paths(ctx->cert_store)); | |||
2992 | } | |||
2993 | ||||
2994 | int | |||
2995 | SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile, | |||
2996 | const char *CApath) | |||
2997 | { | |||
2998 | return (X509_STORE_load_locations(ctx->cert_store, CAfile, CApath)); | |||
2999 | } | |||
3000 | ||||
3001 | int | |||
3002 | SSL_CTX_load_verify_mem(SSL_CTX *ctx, void *buf, int len) | |||
3003 | { | |||
3004 | return (X509_STORE_load_mem(ctx->cert_store, buf, len)); | |||
3005 | } | |||
3006 | ||||
3007 | void | |||
3008 | SSL_set_info_callback(SSL *ssl, void (*cb)(const SSL *ssl, int type, int val)) | |||
3009 | { | |||
3010 | ssl->internal->info_callback = cb; | |||
3011 | } | |||
3012 | ||||
3013 | void (*SSL_get_info_callback(const SSL *ssl))(const SSL *ssl, int type, int val) | |||
3014 | { | |||
3015 | return (ssl->internal->info_callback); | |||
3016 | } | |||
3017 | ||||
3018 | int | |||
3019 | SSL_state(const SSL *ssl) | |||
3020 | { | |||
3021 | return (S3I(ssl)(ssl->s3->internal)->hs.state); | |||
3022 | } | |||
3023 | ||||
3024 | void | |||
3025 | SSL_set_state(SSL *ssl, int state) | |||
3026 | { | |||
3027 | S3I(ssl)(ssl->s3->internal)->hs.state = state; | |||
3028 | } | |||
3029 | ||||
3030 | void | |||
3031 | SSL_set_verify_result(SSL *ssl, long arg) | |||
3032 | { | |||
3033 | ssl->verify_result = arg; | |||
3034 | } | |||
3035 | ||||
3036 | long | |||
3037 | SSL_get_verify_result(const SSL *ssl) | |||
3038 | { | |||
3039 | return (ssl->verify_result); | |||
3040 | } | |||
3041 | ||||
3042 | int | |||
3043 | SSL_verify_client_post_handshake(SSL *ssl) | |||
3044 | { | |||
3045 | return 0; | |||
3046 | } | |||
3047 | ||||
3048 | void | |||
3049 | SSL_CTX_set_post_handshake_auth(SSL_CTX *ctx, int val) | |||
3050 | { | |||
3051 | return; | |||
3052 | } | |||
3053 | ||||
3054 | void | |||
3055 | SSL_set_post_handshake_auth(SSL *ssl, int val) | |||
3056 | { | |||
3057 | return; | |||
3058 | } | |||
3059 | ||||
3060 | int | |||
3061 | SSL_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func, | |||
3062 | CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func) | |||
3063 | { | |||
3064 | return (CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_SSL1, argl, argp, | |||
3065 | new_func, dup_func, free_func)); | |||
3066 | } | |||
3067 | ||||
3068 | int | |||
3069 | SSL_set_ex_data(SSL *s, int idx, void *arg) | |||
3070 | { | |||
3071 | return (CRYPTO_set_ex_data(&s->internal->ex_data, idx, arg)); | |||
3072 | } | |||
3073 | ||||
3074 | void * | |||
3075 | SSL_get_ex_data(const SSL *s, int idx) | |||
3076 | { | |||
3077 | return (CRYPTO_get_ex_data(&s->internal->ex_data, idx)); | |||
3078 | } | |||
3079 | ||||
3080 | int | |||
3081 | SSL_CTX_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func, | |||
3082 | CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func) | |||
3083 | { | |||
3084 | return (CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_SSL_CTX2, argl, argp, | |||
3085 | new_func, dup_func, free_func)); | |||
3086 | } | |||
3087 | ||||
3088 | int | |||
3089 | SSL_CTX_set_ex_data(SSL_CTX *s, int idx, void *arg) | |||
3090 | { | |||
3091 | return (CRYPTO_set_ex_data(&s->internal->ex_data, idx, arg)); | |||
3092 | } | |||
3093 | ||||
3094 | void * | |||
3095 | SSL_CTX_get_ex_data(const SSL_CTX *s, int idx) | |||
3096 | { | |||
3097 | return (CRYPTO_get_ex_data(&s->internal->ex_data, idx)); | |||
3098 | } | |||
3099 | ||||
3100 | int | |||
3101 | ssl_ok(SSL *s) | |||
3102 | { | |||
3103 | return (1); | |||
3104 | } | |||
3105 | ||||
3106 | X509_STORE * | |||
3107 | SSL_CTX_get_cert_store(const SSL_CTX *ctx) | |||
3108 | { | |||
3109 | return (ctx->cert_store); | |||
3110 | } | |||
3111 | ||||
3112 | void | |||
3113 | SSL_CTX_set_cert_store(SSL_CTX *ctx, X509_STORE *store) | |||
3114 | { | |||
3115 | X509_STORE_free(ctx->cert_store); | |||
3116 | ctx->cert_store = store; | |||
3117 | } | |||
3118 | ||||
3119 | X509 * | |||
3120 | SSL_CTX_get0_certificate(const SSL_CTX *ctx) | |||
3121 | { | |||
3122 | if (ctx->internal->cert == NULL((void*)0)) | |||
3123 | return NULL((void*)0); | |||
3124 | ||||
3125 | return ctx->internal->cert->key->x509; | |||
3126 | } | |||
3127 | ||||
3128 | EVP_PKEY * | |||
3129 | SSL_CTX_get0_privatekey(const SSL_CTX *ctx) | |||
3130 | { | |||
3131 | if (ctx->internal->cert == NULL((void*)0)) | |||
3132 | return NULL((void*)0); | |||
3133 | ||||
3134 | return ctx->internal->cert->key->privatekey; | |||
3135 | } | |||
3136 | ||||
3137 | int | |||
3138 | SSL_want(const SSL *s) | |||
3139 | { | |||
3140 | return (s->internal->rwstate); | |||
3141 | } | |||
3142 | ||||
3143 | void | |||
3144 | SSL_CTX_set_tmp_rsa_callback(SSL_CTX *ctx, RSA *(*cb)(SSL *ssl, int is_export, | |||
3145 | int keylength)) | |||
3146 | { | |||
3147 | SSL_CTX_callback_ctrl(ctx, SSL_CTRL_SET_TMP_RSA_CB5,(void (*)(void))cb); | |||
3148 | } | |||
3149 | ||||
3150 | void | |||
3151 | SSL_set_tmp_rsa_callback(SSL *ssl, RSA *(*cb)(SSL *ssl, int is_export, | |||
3152 | int keylength)) | |||
3153 | { | |||
3154 | SSL_callback_ctrl(ssl, SSL_CTRL_SET_TMP_RSA_CB5,(void (*)(void))cb); | |||
3155 | } | |||
3156 | ||||
3157 | void | |||
3158 | SSL_CTX_set_tmp_dh_callback(SSL_CTX *ctx, DH *(*dh)(SSL *ssl, int is_export, | |||
3159 | int keylength)) | |||
3160 | { | |||
3161 | SSL_CTX_callback_ctrl(ctx, SSL_CTRL_SET_TMP_DH_CB6,(void (*)(void))dh); | |||
3162 | } | |||
3163 | ||||
3164 | void | |||
3165 | SSL_set_tmp_dh_callback(SSL *ssl, DH *(*dh)(SSL *ssl, int is_export, | |||
3166 | int keylength)) | |||
3167 | { | |||
3168 | SSL_callback_ctrl(ssl, SSL_CTRL_SET_TMP_DH_CB6,(void (*)(void))dh); | |||
3169 | } | |||
3170 | ||||
3171 | void | |||
3172 | SSL_CTX_set_tmp_ecdh_callback(SSL_CTX *ctx, EC_KEY *(*ecdh)(SSL *ssl, | |||
3173 | int is_export, int keylength)) | |||
3174 | { | |||
3175 | SSL_CTX_callback_ctrl(ctx, SSL_CTRL_SET_TMP_ECDH_CB7, | |||
3176 | (void (*)(void))ecdh); | |||
3177 | } | |||
3178 | ||||
3179 | void | |||
3180 | SSL_set_tmp_ecdh_callback(SSL *ssl, EC_KEY *(*ecdh)(SSL *ssl, int is_export, | |||
3181 | int keylength)) | |||
3182 | { | |||
3183 | SSL_callback_ctrl(ssl, SSL_CTRL_SET_TMP_ECDH_CB7,(void (*)(void))ecdh); | |||
3184 | } | |||
3185 | ||||
3186 | ||||
3187 | void | |||
3188 | SSL_CTX_set_msg_callback(SSL_CTX *ctx, void (*cb)(int write_p, int version, | |||
3189 | int content_type, const void *buf, size_t len, SSL *ssl, void *arg)) | |||
3190 | { | |||
3191 | SSL_CTX_callback_ctrl(ctx, SSL_CTRL_SET_MSG_CALLBACK15, | |||
3192 | (void (*)(void))cb); | |||
3193 | } | |||
3194 | ||||
3195 | void | |||
3196 | SSL_set_msg_callback(SSL *ssl, void (*cb)(int write_p, int version, | |||
3197 | int content_type, const void *buf, size_t len, SSL *ssl, void *arg)) | |||
3198 | { | |||
3199 | SSL_callback_ctrl(ssl, SSL_CTRL_SET_MSG_CALLBACK15, (void (*)(void))cb); | |||
3200 | } | |||
3201 | ||||
3202 | void | |||
3203 | SSL_set_debug(SSL *s, int debug) | |||
3204 | { | |||
3205 | s->internal->debug = debug; | |||
3206 | } | |||
3207 | ||||
3208 | int | |||
3209 | SSL_cache_hit(SSL *s) | |||
3210 | { | |||
3211 | return (s->internal->hit); | |||
3212 | } | |||
3213 | ||||
3214 | int | |||
3215 | SSL_CTX_get_min_proto_version(SSL_CTX *ctx) | |||
3216 | { | |||
3217 | return ctx->internal->min_proto_version; | |||
3218 | } | |||
3219 | ||||
3220 | int | |||
3221 | SSL_CTX_set_min_proto_version(SSL_CTX *ctx, uint16_t version) | |||
3222 | { | |||
3223 | return ssl_version_set_min(ctx->method, version, | |||
3224 | ctx->internal->max_tls_version, &ctx->internal->min_tls_version, | |||
3225 | &ctx->internal->min_proto_version); | |||
3226 | } | |||
3227 | ||||
3228 | int | |||
3229 | SSL_CTX_get_max_proto_version(SSL_CTX *ctx) | |||
3230 | { | |||
3231 | return ctx->internal->max_proto_version; | |||
3232 | } | |||
3233 | ||||
3234 | int | |||
3235 | SSL_CTX_set_max_proto_version(SSL_CTX *ctx, uint16_t version) | |||
3236 | { | |||
3237 | return ssl_version_set_max(ctx->method, version, | |||
3238 | ctx->internal->min_tls_version, &ctx->internal->max_tls_version, | |||
3239 | &ctx->internal->max_proto_version); | |||
3240 | } | |||
3241 | ||||
3242 | int | |||
3243 | SSL_get_min_proto_version(SSL *ssl) | |||
3244 | { | |||
3245 | return ssl->internal->min_proto_version; | |||
3246 | } | |||
3247 | ||||
3248 | int | |||
3249 | SSL_set_min_proto_version(SSL *ssl, uint16_t version) | |||
3250 | { | |||
3251 | return ssl_version_set_min(ssl->method, version, | |||
3252 | ssl->internal->max_tls_version, &ssl->internal->min_tls_version, | |||
3253 | &ssl->internal->min_proto_version); | |||
3254 | } | |||
3255 | int | |||
3256 | SSL_get_max_proto_version(SSL *ssl) | |||
3257 | { | |||
3258 | return ssl->internal->max_proto_version; | |||
3259 | } | |||
3260 | ||||
3261 | int | |||
3262 | SSL_set_max_proto_version(SSL *ssl, uint16_t version) | |||
3263 | { | |||
3264 | return ssl_version_set_max(ssl->method, version, | |||
3265 | ssl->internal->min_tls_version, &ssl->internal->max_tls_version, | |||
3266 | &ssl->internal->max_proto_version); | |||
3267 | } | |||
3268 | ||||
3269 | const SSL_METHOD * | |||
3270 | SSL_CTX_get_ssl_method(const SSL_CTX *ctx) | |||
3271 | { | |||
3272 | return ctx->method; | |||
3273 | } | |||
3274 | ||||
3275 | static int | |||
3276 | ssl_cipher_id_cmp_BSEARCH_CMP_FN(const void *a_, const void *b_) | |||
3277 | { | |||
3278 | SSL_CIPHER const *a = a_; | |||
3279 | SSL_CIPHER const *b = b_; | |||
3280 | return ssl_cipher_id_cmp(a, b); | |||
3281 | } | |||
3282 | ||||
3283 | SSL_CIPHER * | |||
3284 | OBJ_bsearch_ssl_cipher_id(SSL_CIPHER *key, SSL_CIPHER const *base, int num) | |||
3285 | { | |||
3286 | return (SSL_CIPHER *)OBJ_bsearch_(key, base, num, sizeof(SSL_CIPHER), | |||
3287 | ssl_cipher_id_cmp_BSEARCH_CMP_FN); | |||
3288 | } |