Bug Summary

File:src/lib/libtls/tls.c
Warning:line 260, column 2
Access to field 'refcount' results in a dereference of a null pointer (loaded from variable 'config')

Annotated Source Code

Press '?' to see keyboard shortcuts

clang -cc1 -cc1 -triple amd64-unknown-openbsd7.0 -analyze -disable-free -disable-llvm-verifier -discard-value-names -main-file-name tls.c -analyzer-store=region -analyzer-opt-analyze-nested-blocks -analyzer-checker=core -analyzer-checker=apiModeling -analyzer-checker=unix -analyzer-checker=deadcode -analyzer-checker=security.insecureAPI.UncheckedReturn -analyzer-checker=security.insecureAPI.getpw -analyzer-checker=security.insecureAPI.gets -analyzer-checker=security.insecureAPI.mktemp -analyzer-checker=security.insecureAPI.mkstemp -analyzer-checker=security.insecureAPI.vfork -analyzer-checker=nullability.NullPassedToNonnull -analyzer-checker=nullability.NullReturnedFromNonnull -analyzer-output plist -w -setup-static-analyzer -mrelocation-model pic -pic-level 1 -fhalf-no-semantic-interposition -mframe-pointer=all -relaxed-aliasing -fno-rounding-math -mconstructor-aliases -munwind-tables -target-cpu x86-64 -target-feature +retpoline-indirect-calls -target-feature +retpoline-indirect-branches -tune-cpu generic -debugger-tuning=gdb -fcoverage-compilation-dir=/usr/src/lib/libtls/obj -resource-dir /usr/local/lib/clang/13.0.0 -D LIBRESSL_INTERNAL -D PIC -internal-isystem /usr/local/lib/clang/13.0.0/include -internal-externc-isystem /usr/include -O2 -fdebug-compilation-dir=/usr/src/lib/libtls/obj -ferror-limit 19 -fwrapv -D_RET_PROTECTOR -ret-protector -fgnuc-version=4.2.1 -vectorize-loops -vectorize-slp -fno-builtin-malloc -fno-builtin-calloc -fno-builtin-realloc -fno-builtin-valloc -fno-builtin-free -fno-builtin-strdup -fno-builtin-strndup -analyzer-output=html -faddrsig -D__GCC_HAVE_DWARF2_CFI_ASM=1 -o /home/ben/Projects/vmm/scan-build/2022-01-12-194120-40624-1 -x c /usr/src/lib/libtls/tls.c
1/* $OpenBSD: tls.c,v 1.92 2021/10/21 14:31:21 tb Exp $ */
2/*
3 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
4 *
5 * Permission to use, copy, modify, and distribute this software for any
6 * purpose with or without fee is hereby granted, provided that the above
7 * copyright notice and this permission notice appear in all copies.
8 *
9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16 */
17
18#include <sys/socket.h>
19
20#include <errno(*__errno()).h>
21#include <limits.h>
22#include <pthread.h>
23#include <stdlib.h>
24#include <unistd.h>
25
26#include <openssl/bio.h>
27#include <openssl/err.h>
28#include <openssl/evp.h>
29#include <openssl/pem.h>
30#include <openssl/safestack.h>
31#include <openssl/ssl.h>
32#include <openssl/x509.h>
33
34#include <tls.h>
35#include "tls_internal.h"
36
37static struct tls_config *tls_config_default;
38
39static int tls_init_rv = -1;
40
41static void
42tls_do_init(void)
43{
44 OPENSSL_init_ssl(OPENSSL_INIT_NO_LOAD_CONFIG0x00000001L, NULL((void*)0));
45
46 if (BIO_sock_init() != 1)
47 return;
48
49 if ((tls_config_default = tls_config_new_internal()) == NULL((void*)0))
50 return;
51
52 tls_config_default->refcount++;
53
54 tls_init_rv = 0;
55}
56
57int
58tls_init(void)
59{
60 static pthread_once_t once = PTHREAD_ONCE_INIT{ 0, ((void*)0) };
61
62 if (pthread_once(&once, tls_do_init) != 0)
63 return -1;
64
65 return tls_init_rv;
66}
67
68const char *
69tls_error(struct tls *ctx)
70{
71 return ctx->error.msg;
72}
73
74void
75tls_error_clear(struct tls_error *error)
76{
77 free(error->msg);
78 error->msg = NULL((void*)0);
79 error->num = 0;
80 error->tls = 0;
81}
82
83static int
84tls_error_vset(struct tls_error *error, int errnum, const char *fmt, va_list ap)
85{
86 char *errmsg = NULL((void*)0);
87 int rv = -1;
88
89 tls_error_clear(error);
90
91 error->num = errnum;
92 error->tls = 1;
93
94 if (vasprintf(&errmsg, fmt, ap) == -1) {
95 errmsg = NULL((void*)0);
96 goto err;
97 }
98
99 if (errnum == -1) {
100 error->msg = errmsg;
101 return (0);
102 }
103
104 if (asprintf(&error->msg, "%s: %s", errmsg, strerror(errnum)) == -1) {
105 error->msg = NULL((void*)0);
106 goto err;
107 }
108 rv = 0;
109
110 err:
111 free(errmsg);
112
113 return (rv);
114}
115
116int
117tls_error_set(struct tls_error *error, const char *fmt, ...)
118{
119 va_list ap;
120 int errnum, rv;
121
122 errnum = errno(*__errno());
123
124 va_start(ap, fmt)__builtin_va_start(ap, fmt);
125 rv = tls_error_vset(error, errnum, fmt, ap);
126 va_end(ap)__builtin_va_end(ap);
127
128 return (rv);
129}
130
131int
132tls_error_setx(struct tls_error *error, const char *fmt, ...)
133{
134 va_list ap;
135 int rv;
136
137 va_start(ap, fmt)__builtin_va_start(ap, fmt);
138 rv = tls_error_vset(error, -1, fmt, ap);
139 va_end(ap)__builtin_va_end(ap);
140
141 return (rv);
142}
143
144int
145tls_config_set_error(struct tls_config *config, const char *fmt, ...)
146{
147 va_list ap;
148 int errnum, rv;
149
150 errnum = errno(*__errno());
151
152 va_start(ap, fmt)__builtin_va_start(ap, fmt);
153 rv = tls_error_vset(&config->error, errnum, fmt, ap);
154 va_end(ap)__builtin_va_end(ap);
155
156 return (rv);
157}
158
159int
160tls_config_set_errorx(struct tls_config *config, const char *fmt, ...)
161{
162 va_list ap;
163 int rv;
164
165 va_start(ap, fmt)__builtin_va_start(ap, fmt);
166 rv = tls_error_vset(&config->error, -1, fmt, ap);
167 va_end(ap)__builtin_va_end(ap);
168
169 return (rv);
170}
171
172int
173tls_set_error(struct tls *ctx, const char *fmt, ...)
174{
175 va_list ap;
176 int errnum, rv;
177
178 errnum = errno(*__errno());
179
180 va_start(ap, fmt)__builtin_va_start(ap, fmt);
181 rv = tls_error_vset(&ctx->error, errnum, fmt, ap);
182 va_end(ap)__builtin_va_end(ap);
183
184 return (rv);
185}
186
187int
188tls_set_errorx(struct tls *ctx, const char *fmt, ...)
189{
190 va_list ap;
191 int rv;
192
193 va_start(ap, fmt)__builtin_va_start(ap, fmt);
194 rv = tls_error_vset(&ctx->error, -1, fmt, ap);
195 va_end(ap)__builtin_va_end(ap);
196
197 return (rv);
198}
199
200int
201tls_set_ssl_errorx(struct tls *ctx, const char *fmt, ...)
202{
203 va_list ap;
204 int rv;
205
206 /* Only set an error if a more specific one does not already exist. */
207 if (ctx->error.tls != 0)
208 return (0);
209
210 va_start(ap, fmt)__builtin_va_start(ap, fmt);
211 rv = tls_error_vset(&ctx->error, -1, fmt, ap);
212 va_end(ap)__builtin_va_end(ap);
213
214 return (rv);
215}
216
217struct tls_sni_ctx *
218tls_sni_ctx_new(void)
219{
220 return (calloc(1, sizeof(struct tls_sni_ctx)));
221}
222
223void
224tls_sni_ctx_free(struct tls_sni_ctx *sni_ctx)
225{
226 if (sni_ctx == NULL((void*)0))
227 return;
228
229 SSL_CTX_free(sni_ctx->ssl_ctx);
230 X509_free(sni_ctx->ssl_cert);
231
232 free(sni_ctx);
233}
234
235struct tls *
236tls_new(void)
237{
238 struct tls *ctx;
239
240 if ((ctx = calloc(1, sizeof(*ctx))) == NULL((void*)0))
1
Assuming the condition is false
2
Taking false branch
241 return (NULL((void*)0));
242
243 tls_reset(ctx);
244
245 if (tls_configure(ctx, tls_config_default) == -1) {
3
Calling 'tls_configure'
246 free(ctx);
247 return NULL((void*)0);
248 }
249
250 return (ctx);
251}
252
253int
254tls_configure(struct tls *ctx, struct tls_config *config)
255{
256 if (config == NULL((void*)0))
4
Assuming 'config' is equal to NULL
5
Taking true branch
257 config = tls_config_default;
6
Null pointer value stored to 'config'
258
259 pthread_mutex_lock(&config->mutex);
260 config->refcount++;
7
Access to field 'refcount' results in a dereference of a null pointer (loaded from variable 'config')
261 pthread_mutex_unlock(&config->mutex);
262
263 tls_config_free(ctx->config);
264
265 ctx->config = config;
266 ctx->keypair = config->keypair;
267
268 if ((ctx->flags & TLS_SERVER(1 << 1)) != 0)
269 return (tls_configure_server(ctx));
270
271 return (0);
272}
273
274int
275tls_cert_hash(X509 *cert, char **hash)
276{
277 char d[EVP_MAX_MD_SIZE64], *dhex = NULL((void*)0);
278 int dlen, rv = -1;
279
280 free(*hash);
281 *hash = NULL((void*)0);
282
283 if (X509_digest(cert, EVP_sha256(), d, &dlen) != 1)
284 goto err;
285
286 if (tls_hex_string(d, dlen, &dhex, NULL((void*)0)) != 0)
287 goto err;
288
289 if (asprintf(hash, "SHA256:%s", dhex) == -1) {
290 *hash = NULL((void*)0);
291 goto err;
292 }
293
294 rv = 0;
295 err:
296 free(dhex);
297
298 return (rv);
299}
300
301int
302tls_cert_pubkey_hash(X509 *cert, char **hash)
303{
304 char d[EVP_MAX_MD_SIZE64], *dhex = NULL((void*)0);
305 int dlen, rv = -1;
306
307 free(*hash);
308 *hash = NULL((void*)0);
309
310 if (X509_pubkey_digest(cert, EVP_sha256(), d, &dlen) != 1)
311 goto err;
312
313 if (tls_hex_string(d, dlen, &dhex, NULL((void*)0)) != 0)
314 goto err;
315
316 if (asprintf(hash, "SHA256:%s", dhex) == -1) {
317 *hash = NULL((void*)0);
318 goto err;
319 }
320
321 rv = 0;
322
323 err:
324 free(dhex);
325
326 return (rv);
327}
328
329static int
330tls_keypair_to_pkey(struct tls *ctx, struct tls_keypair *keypair, EVP_PKEY **pkey)
331{
332 BIO *bio = NULL((void*)0);
333 X509 *x509 = NULL((void*)0);
334 char *mem;
335 size_t len;
336 int ret = -1;
337
338 *pkey = NULL((void*)0);
339
340 if (ctx->config->use_fake_private_key) {
341 mem = keypair->cert_mem;
342 len = keypair->cert_len;
343 } else {
344 mem = keypair->key_mem;
345 len = keypair->key_len;
346 }
347
348 if (mem == NULL((void*)0))
349 return (0);
350
351 if (len > INT_MAX2147483647) {
352 tls_set_errorx(ctx, ctx->config->use_fake_private_key ?
353 "cert too long" : "key too long");
354 goto err;
355 }
356
357 if ((bio = BIO_new_mem_buf(mem, len)) == NULL((void*)0)) {
358 tls_set_errorx(ctx, "failed to create buffer");
359 goto err;
360 }
361
362 if (ctx->config->use_fake_private_key) {
363 if ((x509 = PEM_read_bio_X509(bio, NULL((void*)0), tls_password_cb,
364 NULL((void*)0))) == NULL((void*)0)) {
365 tls_set_errorx(ctx, "failed to read X509 certificate");
366 goto err;
367 }
368 if ((*pkey = X509_get_pubkey(x509)) == NULL((void*)0)) {
369 tls_set_errorx(ctx, "failed to retrieve pubkey");
370 goto err;
371 }
372 } else {
373 if ((*pkey = PEM_read_bio_PrivateKey(bio, NULL((void*)0), tls_password_cb,
374 NULL((void*)0))) == NULL((void*)0)) {
375 tls_set_errorx(ctx, "failed to read private key");
376 goto err;
377 }
378 }
379
380 ret = 0;
381 err:
382 BIO_free(bio);
383 X509_free(x509);
384 return (ret);
385}
386
387static int
388tls_keypair_setup_pkey(struct tls *ctx, struct tls_keypair *keypair, EVP_PKEY *pkey)
389{
390 RSA *rsa = NULL((void*)0);
391 EC_KEY *eckey = NULL((void*)0);
392 int ret = -1;
393
394 /* Only install the pubkey hash if fake private keys are used. */
395 if (!ctx->config->skip_private_key_check)
396 return (0);
397
398 if (keypair->pubkey_hash == NULL((void*)0)) {
399 tls_set_errorx(ctx, "public key hash not set");
400 goto err;
401 }
402
403 switch (EVP_PKEY_id(pkey)) {
404 case EVP_PKEY_RSA6:
405 if ((rsa = EVP_PKEY_get1_RSA(pkey)) == NULL((void*)0) ||
406 RSA_set_ex_data(rsa, 0, keypair->pubkey_hash) == 0) {
407 tls_set_errorx(ctx, "RSA key setup failure");
408 goto err;
409 }
410 break;
411 case EVP_PKEY_EC408:
412 if ((eckey = EVP_PKEY_get1_EC_KEY(pkey)) == NULL((void*)0) ||
413 ECDSA_set_ex_data(eckey, 0, keypair->pubkey_hash) == 0) {
414 tls_set_errorx(ctx, "EC key setup failure");
415 goto err;
416 }
417 break;
418 default:
419 tls_set_errorx(ctx, "incorrect key type");
420 goto err;
421 }
422
423 ret = 0;
424
425 err:
426 RSA_free(rsa);
427 EC_KEY_free(eckey);
428 return (ret);
429}
430
431int
432tls_configure_ssl_keypair(struct tls *ctx, SSL_CTX *ssl_ctx,
433 struct tls_keypair *keypair, int required)
434{
435 EVP_PKEY *pkey = NULL((void*)0);
436
437 if (!required &&
438 keypair->cert_mem == NULL((void*)0) &&
439 keypair->key_mem == NULL((void*)0))
440 return(0);
441
442 if (keypair->cert_mem != NULL((void*)0)) {
443 if (keypair->cert_len > INT_MAX2147483647) {
444 tls_set_errorx(ctx, "certificate too long");
445 goto err;
446 }
447
448 if (SSL_CTX_use_certificate_chain_mem(ssl_ctx,
449 keypair->cert_mem, keypair->cert_len) != 1) {
450 tls_set_errorx(ctx, "failed to load certificate");
451 goto err;
452 }
453 }
454
455 if (tls_keypair_to_pkey(ctx, keypair, &pkey) == -1)
456 goto err;
457 if (pkey != NULL((void*)0)) {
458 if (tls_keypair_setup_pkey(ctx, keypair, pkey) == -1)
459 goto err;
460 if (SSL_CTX_use_PrivateKey(ssl_ctx, pkey) != 1) {
461 tls_set_errorx(ctx, "failed to load private key");
462 goto err;
463 }
464 EVP_PKEY_free(pkey);
465 pkey = NULL((void*)0);
466 }
467
468 if (!ctx->config->skip_private_key_check &&
469 SSL_CTX_check_private_key(ssl_ctx) != 1) {
470 tls_set_errorx(ctx, "private/public key mismatch");
471 goto err;
472 }
473
474 return (0);
475
476 err:
477 EVP_PKEY_free(pkey);
478
479 return (-1);
480}
481
482int
483tls_configure_ssl(struct tls *ctx, SSL_CTX *ssl_ctx)
484{
485 SSL_CTX_clear_mode(ssl_ctx, SSL_MODE_AUTO_RETRY)SSL_CTX_ctrl((ssl_ctx),78,(0x00000004L),((void*)0));
486
487 SSL_CTX_set_mode(ssl_ctx, SSL_MODE_ENABLE_PARTIAL_WRITE)SSL_CTX_ctrl((ssl_ctx),33,(0x00000001L),((void*)0));
488 SSL_CTX_set_mode(ssl_ctx, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER)SSL_CTX_ctrl((ssl_ctx),33,(0x00000002L),((void*)0));
489
490 SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_SSLv2)SSL_CTX_ctrl((ssl_ctx),32,(0x0),((void*)0));
491 SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_SSLv3)SSL_CTX_ctrl((ssl_ctx),32,(0x0),((void*)0));
492
493 SSL_CTX_clear_options(ssl_ctx, SSL_OP_NO_TLSv1)SSL_CTX_ctrl((ssl_ctx),77,(0x04000000L),((void*)0));
494 SSL_CTX_clear_options(ssl_ctx, SSL_OP_NO_TLSv1_1)SSL_CTX_ctrl((ssl_ctx),77,(0x10000000L),((void*)0));
495 SSL_CTX_clear_options(ssl_ctx, SSL_OP_NO_TLSv1_2)SSL_CTX_ctrl((ssl_ctx),77,(0x08000000L),((void*)0));
496 SSL_CTX_clear_options(ssl_ctx, SSL_OP_NO_TLSv1_3)SSL_CTX_ctrl((ssl_ctx),77,(0x20000000L),((void*)0));
497
498 if ((ctx->config->protocols & TLS_PROTOCOL_TLSv1_0(1 << 1)) == 0)
499 SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_TLSv1)SSL_CTX_ctrl((ssl_ctx),32,(0x04000000L),((void*)0));
500 if ((ctx->config->protocols & TLS_PROTOCOL_TLSv1_1(1 << 2)) == 0)
501 SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_TLSv1_1)SSL_CTX_ctrl((ssl_ctx),32,(0x10000000L),((void*)0));
502 if ((ctx->config->protocols & TLS_PROTOCOL_TLSv1_2(1 << 3)) == 0)
503 SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_TLSv1_2)SSL_CTX_ctrl((ssl_ctx),32,(0x08000000L),((void*)0));
504 if ((ctx->config->protocols & TLS_PROTOCOL_TLSv1_3(1 << 4)) == 0)
505 SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_TLSv1_3)SSL_CTX_ctrl((ssl_ctx),32,(0x20000000L),((void*)0));
506
507 if (ctx->config->alpn != NULL((void*)0)) {
508 if (SSL_CTX_set_alpn_protos(ssl_ctx, ctx->config->alpn,
509 ctx->config->alpn_len) != 0) {
510 tls_set_errorx(ctx, "failed to set alpn");
511 goto err;
512 }
513 }
514
515 if (ctx->config->ciphers != NULL((void*)0)) {
516 if (SSL_CTX_set_cipher_list(ssl_ctx,
517 ctx->config->ciphers) != 1) {
518 tls_set_errorx(ctx, "failed to set ciphers");
519 goto err;
520 }
521 }
522
523 if (ctx->config->verify_time == 0) {
524 X509_VERIFY_PARAM_set_flags(SSL_CTX_get0_param(ssl_ctx),
525 X509_V_FLAG_NO_CHECK_TIME0x200000);
526 }
527
528 /* Disable any form of session caching by default */
529 SSL_CTX_set_session_cache_mode(ssl_ctx, SSL_SESS_CACHE_OFF)SSL_CTX_ctrl(ssl_ctx,44,0x0000,((void*)0));
530 SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_TICKET)SSL_CTX_ctrl((ssl_ctx),32,(0x00004000L),((void*)0));
531
532 return (0);
533
534 err:
535 return (-1);
536}
537
538static int
539tls_ssl_cert_verify_cb(X509_STORE_CTX *x509_ctx, void *arg)
540{
541 struct tls *ctx = arg;
542 int x509_err;
543
544 if (ctx->config->verify_cert == 0)
545 return (1);
546
547 if ((X509_verify_cert(x509_ctx)) < 0) {
548 tls_set_errorx(ctx, "X509 verify cert failed");
549 return (0);
550 }
551
552 x509_err = X509_STORE_CTX_get_error(x509_ctx);
553 if (x509_err == X509_V_OK0)
554 return (1);
555
556 tls_set_errorx(ctx, "certificate verification failed: %s",
557 X509_verify_cert_error_string(x509_err));
558
559 return (0);
560}
561
562int
563tls_configure_ssl_verify(struct tls *ctx, SSL_CTX *ssl_ctx, int verify)
564{
565 size_t ca_len = ctx->config->ca_len;
566 char *ca_mem = ctx->config->ca_mem;
567 char *crl_mem = ctx->config->crl_mem;
568 size_t crl_len = ctx->config->crl_len;
569 char *ca_free = NULL((void*)0);
570 STACK_OF(X509_INFO)struct stack_st_X509_INFO *xis = NULL((void*)0);
571 X509_STORE *store;
572 X509_INFO *xi;
573 BIO *bio = NULL((void*)0);
574 int rv = -1;
575 int i;
576
577 SSL_CTX_set_verify(ssl_ctx, verify, NULL((void*)0));
578 SSL_CTX_set_cert_verify_callback(ssl_ctx, tls_ssl_cert_verify_cb, ctx);
579
580 if (ctx->config->verify_depth >= 0)
581 SSL_CTX_set_verify_depth(ssl_ctx, ctx->config->verify_depth);
582
583 if (ctx->config->verify_cert == 0)
584 goto done;
585
586 /* If no CA has been specified, attempt to load the default. */
587 if (ctx->config->ca_mem == NULL((void*)0) && ctx->config->ca_path == NULL((void*)0)) {
588 if (tls_config_load_file(&ctx->error, "CA", tls_default_ca_cert_file(),
589 &ca_mem, &ca_len) != 0)
590 goto err;
591 ca_free = ca_mem;
592 }
593
594 if (ca_mem != NULL((void*)0)) {
595 if (ca_len > INT_MAX2147483647) {
596 tls_set_errorx(ctx, "ca too long");
597 goto err;
598 }
599 if (SSL_CTX_load_verify_mem(ssl_ctx, ca_mem, ca_len) != 1) {
600 tls_set_errorx(ctx, "ssl verify memory setup failure");
601 goto err;
602 }
603 } else if (SSL_CTX_load_verify_locations(ssl_ctx, NULL((void*)0),
604 ctx->config->ca_path) != 1) {
605 tls_set_errorx(ctx, "ssl verify locations failure");
606 goto err;
607 }
608
609 if (crl_mem != NULL((void*)0)) {
610 if (crl_len > INT_MAX2147483647) {
611 tls_set_errorx(ctx, "crl too long");
612 goto err;
613 }
614 if ((bio = BIO_new_mem_buf(crl_mem, crl_len)) == NULL((void*)0)) {
615 tls_set_errorx(ctx, "failed to create buffer");
616 goto err;
617 }
618 if ((xis = PEM_X509_INFO_read_bio(bio, NULL((void*)0), tls_password_cb,
619 NULL((void*)0))) == NULL((void*)0)) {
620 tls_set_errorx(ctx, "failed to parse crl");
621 goto err;
622 }
623 store = SSL_CTX_get_cert_store(ssl_ctx);
624 for (i = 0; i < sk_X509_INFO_num(xis)sk_num(((_STACK*) (1 ? (xis) : (struct stack_st_X509_INFO*)0)
)); i++) {
625 xi = sk_X509_INFO_value(xis, i)((X509_INFO *)sk_value(((_STACK*) (1 ? (xis) : (struct stack_st_X509_INFO
*)0)), (i)));
626 if (xi->crl == NULL((void*)0))
627 continue;
628 if (!X509_STORE_add_crl(store, xi->crl)) {
629 tls_set_error(ctx, "failed to add crl");
630 goto err;
631 }
632 xi->crl = NULL((void*)0);
633 }
634 X509_STORE_set_flags(store,
635 X509_V_FLAG_CRL_CHECK0x4 | X509_V_FLAG_CRL_CHECK_ALL0x8);
636 }
637
638 done:
639 rv = 0;
640
641 err:
642 sk_X509_INFO_pop_free(xis, X509_INFO_free)sk_pop_free(((_STACK*) (1 ? (xis) : (struct stack_st_X509_INFO
*)0)), ((void (*)(void *)) ((1 ? (X509_INFO_free) : (void (*)
(X509_INFO *))0))));
643 BIO_free(bio);
644 free(ca_free);
645
646 return (rv);
647}
648
649void
650tls_free(struct tls *ctx)
651{
652 if (ctx == NULL((void*)0))
653 return;
654
655 tls_reset(ctx);
656
657 free(ctx);
658}
659
660void
661tls_reset(struct tls *ctx)
662{
663 struct tls_sni_ctx *sni, *nsni;
664
665 tls_config_free(ctx->config);
666 ctx->config = NULL((void*)0);
667
668 SSL_CTX_free(ctx->ssl_ctx);
669 SSL_free(ctx->ssl_conn);
670 X509_free(ctx->ssl_peer_cert);
671
672 ctx->ssl_conn = NULL((void*)0);
673 ctx->ssl_ctx = NULL((void*)0);
674 ctx->ssl_peer_cert = NULL((void*)0);
675 /* X509 objects in chain are freed with the SSL */
676 ctx->ssl_peer_chain = NULL((void*)0);
677
678 ctx->socket = -1;
679 ctx->state = 0;
680
681 free(ctx->servername);
682 ctx->servername = NULL((void*)0);
683
684 free(ctx->error.msg);
685 ctx->error.msg = NULL((void*)0);
686 ctx->error.num = -1;
687
688 tls_conninfo_free(ctx->conninfo);
689 ctx->conninfo = NULL((void*)0);
690
691 tls_ocsp_free(ctx->ocsp);
692 ctx->ocsp = NULL((void*)0);
693
694 for (sni = ctx->sni_ctx; sni != NULL((void*)0); sni = nsni) {
695 nsni = sni->next;
696 tls_sni_ctx_free(sni);
697 }
698 ctx->sni_ctx = NULL((void*)0);
699
700 ctx->read_cb = NULL((void*)0);
701 ctx->write_cb = NULL((void*)0);
702 ctx->cb_arg = NULL((void*)0);
703}
704
705int
706tls_ssl_error(struct tls *ctx, SSL *ssl_conn, int ssl_ret, const char *prefix)
707{
708 const char *errstr = "unknown error";
709 unsigned long err;
710 int ssl_err;
711
712 ssl_err = SSL_get_error(ssl_conn, ssl_ret);
713 switch (ssl_err) {
714 case SSL_ERROR_NONE0:
715 case SSL_ERROR_ZERO_RETURN6:
716 return (0);
717
718 case SSL_ERROR_WANT_READ2:
719 return (TLS_WANT_POLLIN-2);
720
721 case SSL_ERROR_WANT_WRITE3:
722 return (TLS_WANT_POLLOUT-3);
723
724 case SSL_ERROR_SYSCALL5:
725 if ((err = ERR_peek_error()) != 0) {
726 errstr = ERR_error_string(err, NULL((void*)0));
727 } else if (ssl_ret == 0) {
728 if ((ctx->state & TLS_HANDSHAKE_COMPLETE(1 << 2)) != 0) {
729 ctx->state |= TLS_EOF_NO_CLOSE_NOTIFY(1 << 0);
730 return (0);
731 }
732 errstr = "unexpected EOF";
733 } else if (ssl_ret == -1) {
734 errstr = strerror(errno(*__errno()));
735 }
736 tls_set_ssl_errorx(ctx, "%s failed: %s", prefix, errstr);
737 return (-1);
738
739 case SSL_ERROR_SSL1:
740 if ((err = ERR_peek_error()) != 0) {
741 errstr = ERR_error_string(err, NULL((void*)0));
742 }
743 tls_set_ssl_errorx(ctx, "%s failed: %s", prefix, errstr);
744 return (-1);
745
746 case SSL_ERROR_WANT_CONNECT7:
747 case SSL_ERROR_WANT_ACCEPT8:
748 case SSL_ERROR_WANT_X509_LOOKUP4:
749 default:
750 tls_set_ssl_errorx(ctx, "%s failed (%d)", prefix, ssl_err);
751 return (-1);
752 }
753}
754
755int
756tls_handshake(struct tls *ctx)
757{
758 int rv = -1;
759
760 tls_error_clear(&ctx->error);
761
762 if ((ctx->flags & (TLS_CLIENT(1 << 0) | TLS_SERVER_CONN(1 << 2))) == 0) {
763 tls_set_errorx(ctx, "invalid operation for context");
764 goto out;
765 }
766
767 if ((ctx->state & TLS_HANDSHAKE_COMPLETE(1 << 2)) != 0) {
768 tls_set_errorx(ctx, "handshake already completed");
769 goto out;
770 }
771
772 if ((ctx->flags & TLS_CLIENT(1 << 0)) != 0)
773 rv = tls_handshake_client(ctx);
774 else if ((ctx->flags & TLS_SERVER_CONN(1 << 2)) != 0)
775 rv = tls_handshake_server(ctx);
776
777 if (rv == 0) {
778 ctx->ssl_peer_cert = SSL_get_peer_certificate(ctx->ssl_conn);
779 ctx->ssl_peer_chain = SSL_get_peer_cert_chain(ctx->ssl_conn);
780 if (tls_conninfo_populate(ctx) == -1)
781 rv = -1;
782 if (ctx->ocsp == NULL((void*)0))
783 ctx->ocsp = tls_ocsp_setup_from_peer(ctx);
784 }
785 out:
786 /* Prevent callers from performing incorrect error handling */
787 errno(*__errno()) = 0;
788 return (rv);
789}
790
791ssize_t
792tls_read(struct tls *ctx, void *buf, size_t buflen)
793{
794 ssize_t rv = -1;
795 int ssl_ret;
796
797 tls_error_clear(&ctx->error);
798
799 if ((ctx->state & TLS_HANDSHAKE_COMPLETE(1 << 2)) == 0) {
800 if ((rv = tls_handshake(ctx)) != 0)
801 goto out;
802 }
803
804 if (buflen > INT_MAX2147483647) {
805 tls_set_errorx(ctx, "buflen too long");
806 goto out;
807 }
808
809 ERR_clear_error();
810 if ((ssl_ret = SSL_read(ctx->ssl_conn, buf, buflen)) > 0) {
811 rv = (ssize_t)ssl_ret;
812 goto out;
813 }
814 rv = (ssize_t)tls_ssl_error(ctx, ctx->ssl_conn, ssl_ret, "read");
815
816 out:
817 /* Prevent callers from performing incorrect error handling */
818 errno(*__errno()) = 0;
819 return (rv);
820}
821
822ssize_t
823tls_write(struct tls *ctx, const void *buf, size_t buflen)
824{
825 ssize_t rv = -1;
826 int ssl_ret;
827
828 tls_error_clear(&ctx->error);
829
830 if ((ctx->state & TLS_HANDSHAKE_COMPLETE(1 << 2)) == 0) {
831 if ((rv = tls_handshake(ctx)) != 0)
832 goto out;
833 }
834
835 if (buflen > INT_MAX2147483647) {
836 tls_set_errorx(ctx, "buflen too long");
837 goto out;
838 }
839
840 ERR_clear_error();
841 if ((ssl_ret = SSL_write(ctx->ssl_conn, buf, buflen)) > 0) {
842 rv = (ssize_t)ssl_ret;
843 goto out;
844 }
845 rv = (ssize_t)tls_ssl_error(ctx, ctx->ssl_conn, ssl_ret, "write");
846
847 out:
848 /* Prevent callers from performing incorrect error handling */
849 errno(*__errno()) = 0;
850 return (rv);
851}
852
853int
854tls_close(struct tls *ctx)
855{
856 int ssl_ret;
857 int rv = 0;
858
859 tls_error_clear(&ctx->error);
860
861 if ((ctx->flags & (TLS_CLIENT(1 << 0) | TLS_SERVER_CONN(1 << 2))) == 0) {
862 tls_set_errorx(ctx, "invalid operation for context");
863 rv = -1;
864 goto out;
865 }
866
867 if (ctx->state & TLS_SSL_NEEDS_SHUTDOWN(1 << 3)) {
868 ERR_clear_error();
869 ssl_ret = SSL_shutdown(ctx->ssl_conn);
870 if (ssl_ret < 0) {
871 rv = tls_ssl_error(ctx, ctx->ssl_conn, ssl_ret,
872 "shutdown");
873 if (rv == TLS_WANT_POLLIN-2 || rv == TLS_WANT_POLLOUT-3)
874 goto out;
875 }
876 ctx->state &= ~TLS_SSL_NEEDS_SHUTDOWN(1 << 3);
877 }
878
879 if (ctx->socket != -1) {
880 if (shutdown(ctx->socket, SHUT_RDWR2) != 0) {
881 if (rv == 0 &&
882 errno(*__errno()) != ENOTCONN57 && errno(*__errno()) != ECONNRESET54) {
883 tls_set_error(ctx, "shutdown");
884 rv = -1;
885 }
886 }
887 if (close(ctx->socket) != 0) {
888 if (rv == 0) {
889 tls_set_error(ctx, "close");
890 rv = -1;
891 }
892 }
893 ctx->socket = -1;
894 }
895
896 if ((ctx->state & TLS_EOF_NO_CLOSE_NOTIFY(1 << 0)) != 0) {
897 tls_set_errorx(ctx, "EOF without close notify");
898 rv = -1;
899 }
900
901 out:
902 /* Prevent callers from performing incorrect error handling */
903 errno(*__errno()) = 0;
904 return (rv);
905}