Bug Summary

File:src/lib/libtls/tls.c
Warning:line 261, column 2
Access to field 'refcount' results in a dereference of a null pointer (loaded from variable 'config')

Annotated Source Code

Press '?' to see keyboard shortcuts

clang -cc1 -cc1 -triple amd64-unknown-openbsd7.4 -analyze -disable-free -clear-ast-before-backend -disable-llvm-verifier -discard-value-names -main-file-name tls.c -analyzer-checker=core -analyzer-checker=apiModeling -analyzer-checker=unix -analyzer-checker=deadcode -analyzer-checker=security.insecureAPI.UncheckedReturn -analyzer-checker=security.insecureAPI.getpw -analyzer-checker=security.insecureAPI.gets -analyzer-checker=security.insecureAPI.mktemp -analyzer-checker=security.insecureAPI.mkstemp -analyzer-checker=security.insecureAPI.vfork -analyzer-checker=nullability.NullPassedToNonnull -analyzer-checker=nullability.NullReturnedFromNonnull -analyzer-output plist -w -setup-static-analyzer -mrelocation-model pic -pic-level 1 -pic-is-pie -mframe-pointer=all -relaxed-aliasing -ffp-contract=on -fno-rounding-math -mconstructor-aliases -funwind-tables=2 -target-cpu x86-64 -target-feature +retpoline-indirect-calls -target-feature +retpoline-indirect-branches -tune-cpu generic -debugger-tuning=gdb -fcoverage-compilation-dir=/usr/src/lib/libtls/obj -resource-dir /usr/local/llvm16/lib/clang/16 -D LIBRESSL_INTERNAL -internal-isystem /usr/local/llvm16/lib/clang/16/include -internal-externc-isystem /usr/include -O2 -fdebug-compilation-dir=/usr/src/lib/libtls/obj -ferror-limit 19 -fwrapv -D_RET_PROTECTOR -ret-protector -fcf-protection=branch -fno-jump-tables -fgnuc-version=4.2.1 -vectorize-loops -vectorize-slp -fno-builtin-malloc -fno-builtin-calloc -fno-builtin-realloc -fno-builtin-valloc -fno-builtin-free -fno-builtin-strdup -fno-builtin-strndup -analyzer-output=html -faddrsig -D__GCC_HAVE_DWARF2_CFI_ASM=1 -o /home/ben/Projects/scan/2024-01-11-140451-98009-1 -x c /usr/src/lib/libtls/tls.c
1/* $OpenBSD: tls.c,v 1.98 2023/07/02 06:37:27 beck Exp $ */
2/*
3 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
4 *
5 * Permission to use, copy, modify, and distribute this software for any
6 * purpose with or without fee is hereby granted, provided that the above
7 * copyright notice and this permission notice appear in all copies.
8 *
9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16 */
17
18#include <sys/socket.h>
19
20#include <errno(*__errno()).h>
21#include <limits.h>
22#include <pthread.h>
23#include <stdlib.h>
24#include <string.h>
25#include <unistd.h>
26
27#include <openssl/bio.h>
28#include <openssl/err.h>
29#include <openssl/evp.h>
30#include <openssl/pem.h>
31#include <openssl/safestack.h>
32#include <openssl/ssl.h>
33#include <openssl/x509.h>
34
35#include <tls.h>
36#include "tls_internal.h"
37
38static struct tls_config *tls_config_default;
39
40static int tls_init_rv = -1;
41
42static void
43tls_do_init(void)
44{
45 OPENSSL_init_ssl(OPENSSL_INIT_NO_LOAD_CONFIG0x00000001L, NULL((void *)0));
46
47 if (BIO_sock_init() != 1)
48 return;
49
50 if ((tls_config_default = tls_config_new_internal()) == NULL((void *)0))
51 return;
52
53 tls_config_default->refcount++;
54
55 tls_init_rv = 0;
56}
57
58int
59tls_init(void)
60{
61 static pthread_once_t once = PTHREAD_ONCE_INIT{ 0, ((void *)0) };
62
63 if (pthread_once(&once, tls_do_init) != 0)
64 return -1;
65
66 return tls_init_rv;
67}
68
69const char *
70tls_error(struct tls *ctx)
71{
72 return ctx->error.msg;
73}
74
75void
76tls_error_clear(struct tls_error *error)
77{
78 free(error->msg);
79 error->msg = NULL((void *)0);
80 error->num = 0;
81 error->tls = 0;
82}
83
84static int
85tls_error_vset(struct tls_error *error, int errnum, const char *fmt, va_list ap)
86{
87 char *errmsg = NULL((void *)0);
88 int rv = -1;
89
90 tls_error_clear(error);
91
92 error->num = errnum;
93 error->tls = 1;
94
95 if (vasprintf(&errmsg, fmt, ap) == -1) {
96 errmsg = NULL((void *)0);
97 goto err;
98 }
99
100 if (errnum == -1) {
101 error->msg = errmsg;
102 return (0);
103 }
104
105 if (asprintf(&error->msg, "%s: %s", errmsg, strerror(errnum)) == -1) {
106 error->msg = NULL((void *)0);
107 goto err;
108 }
109 rv = 0;
110
111 err:
112 free(errmsg);
113
114 return (rv);
115}
116
117int
118tls_error_set(struct tls_error *error, const char *fmt, ...)
119{
120 va_list ap;
121 int errnum, rv;
122
123 errnum = errno(*__errno());
124
125 va_start(ap, fmt)__builtin_va_start((ap), fmt);
126 rv = tls_error_vset(error, errnum, fmt, ap);
127 va_end(ap)__builtin_va_end((ap));
128
129 return (rv);
130}
131
132int
133tls_error_setx(struct tls_error *error, const char *fmt, ...)
134{
135 va_list ap;
136 int rv;
137
138 va_start(ap, fmt)__builtin_va_start((ap), fmt);
139 rv = tls_error_vset(error, -1, fmt, ap);
140 va_end(ap)__builtin_va_end((ap));
141
142 return (rv);
143}
144
145int
146tls_config_set_error(struct tls_config *config, const char *fmt, ...)
147{
148 va_list ap;
149 int errnum, rv;
150
151 errnum = errno(*__errno());
152
153 va_start(ap, fmt)__builtin_va_start((ap), fmt);
154 rv = tls_error_vset(&config->error, errnum, fmt, ap);
155 va_end(ap)__builtin_va_end((ap));
156
157 return (rv);
158}
159
160int
161tls_config_set_errorx(struct tls_config *config, const char *fmt, ...)
162{
163 va_list ap;
164 int rv;
165
166 va_start(ap, fmt)__builtin_va_start((ap), fmt);
167 rv = tls_error_vset(&config->error, -1, fmt, ap);
168 va_end(ap)__builtin_va_end((ap));
169
170 return (rv);
171}
172
173int
174tls_set_error(struct tls *ctx, const char *fmt, ...)
175{
176 va_list ap;
177 int errnum, rv;
178
179 errnum = errno(*__errno());
180
181 va_start(ap, fmt)__builtin_va_start((ap), fmt);
182 rv = tls_error_vset(&ctx->error, errnum, fmt, ap);
183 va_end(ap)__builtin_va_end((ap));
184
185 return (rv);
186}
187
188int
189tls_set_errorx(struct tls *ctx, const char *fmt, ...)
190{
191 va_list ap;
192 int rv;
193
194 va_start(ap, fmt)__builtin_va_start((ap), fmt);
195 rv = tls_error_vset(&ctx->error, -1, fmt, ap);
196 va_end(ap)__builtin_va_end((ap));
197
198 return (rv);
199}
200
201int
202tls_set_ssl_errorx(struct tls *ctx, const char *fmt, ...)
203{
204 va_list ap;
205 int rv;
206
207 /* Only set an error if a more specific one does not already exist. */
208 if (ctx->error.tls != 0)
209 return (0);
210
211 va_start(ap, fmt)__builtin_va_start((ap), fmt);
212 rv = tls_error_vset(&ctx->error, -1, fmt, ap);
213 va_end(ap)__builtin_va_end((ap));
214
215 return (rv);
216}
217
218struct tls_sni_ctx *
219tls_sni_ctx_new(void)
220{
221 return (calloc(1, sizeof(struct tls_sni_ctx)));
222}
223
224void
225tls_sni_ctx_free(struct tls_sni_ctx *sni_ctx)
226{
227 if (sni_ctx == NULL((void *)0))
228 return;
229
230 SSL_CTX_free(sni_ctx->ssl_ctx);
231 X509_free(sni_ctx->ssl_cert);
232
233 free(sni_ctx);
234}
235
236struct tls *
237tls_new(void)
238{
239 struct tls *ctx;
240
241 if ((ctx = calloc(1, sizeof(*ctx))) == NULL((void *)0))
1
Assuming the condition is false
2
Taking false branch
242 return (NULL((void *)0));
243
244 tls_reset(ctx);
245
246 if (tls_configure(ctx, tls_config_default) == -1) {
3
Calling 'tls_configure'
247 free(ctx);
248 return NULL((void *)0);
249 }
250
251 return (ctx);
252}
253
254int
255tls_configure(struct tls *ctx, struct tls_config *config)
256{
257 if (config == NULL((void *)0))
4
Assuming 'config' is equal to NULL
5
Taking true branch
258 config = tls_config_default;
6
Null pointer value stored to 'config'
259
260 pthread_mutex_lock(&config->mutex);
261 config->refcount++;
7
Access to field 'refcount' results in a dereference of a null pointer (loaded from variable 'config')
262 pthread_mutex_unlock(&config->mutex);
263
264 tls_config_free(ctx->config);
265
266 ctx->config = config;
267 ctx->keypair = config->keypair;
268
269 if ((ctx->flags & TLS_SERVER(1 << 1)) != 0)
270 return (tls_configure_server(ctx));
271
272 return (0);
273}
274
275int
276tls_cert_hash(X509 *cert, char **hash)
277{
278 char d[EVP_MAX_MD_SIZE64], *dhex = NULL((void *)0);
279 int dlen, rv = -1;
280
281 free(*hash);
282 *hash = NULL((void *)0);
283
284 if (X509_digest(cert, EVP_sha256(), d, &dlen) != 1)
285 goto err;
286
287 if (tls_hex_string(d, dlen, &dhex, NULL((void *)0)) != 0)
288 goto err;
289
290 if (asprintf(hash, "SHA256:%s", dhex) == -1) {
291 *hash = NULL((void *)0);
292 goto err;
293 }
294
295 rv = 0;
296 err:
297 free(dhex);
298
299 return (rv);
300}
301
302int
303tls_cert_pubkey_hash(X509 *cert, char **hash)
304{
305 char d[EVP_MAX_MD_SIZE64], *dhex = NULL((void *)0);
306 int dlen, rv = -1;
307
308 free(*hash);
309 *hash = NULL((void *)0);
310
311 if (X509_pubkey_digest(cert, EVP_sha256(), d, &dlen) != 1)
312 goto err;
313
314 if (tls_hex_string(d, dlen, &dhex, NULL((void *)0)) != 0)
315 goto err;
316
317 if (asprintf(hash, "SHA256:%s", dhex) == -1) {
318 *hash = NULL((void *)0);
319 goto err;
320 }
321
322 rv = 0;
323
324 err:
325 free(dhex);
326
327 return (rv);
328}
329
330static int
331tls_keypair_to_pkey(struct tls *ctx, struct tls_keypair *keypair, EVP_PKEY **pkey)
332{
333 BIO *bio = NULL((void *)0);
334 X509 *x509 = NULL((void *)0);
335 char *mem;
336 size_t len;
337 int ret = -1;
338
339 *pkey = NULL((void *)0);
340
341 if (ctx->config->use_fake_private_key) {
342 mem = keypair->cert_mem;
343 len = keypair->cert_len;
344 } else {
345 mem = keypair->key_mem;
346 len = keypair->key_len;
347 }
348
349 if (mem == NULL((void *)0))
350 return (0);
351
352 if (len > INT_MAX0x7fffffff) {
353 tls_set_errorx(ctx, ctx->config->use_fake_private_key ?
354 "cert too long" : "key too long");
355 goto err;
356 }
357
358 if ((bio = BIO_new_mem_buf(mem, len)) == NULL((void *)0)) {
359 tls_set_errorx(ctx, "failed to create buffer");
360 goto err;
361 }
362
363 if (ctx->config->use_fake_private_key) {
364 if ((x509 = PEM_read_bio_X509(bio, NULL((void *)0), tls_password_cb,
365 NULL((void *)0))) == NULL((void *)0)) {
366 tls_set_errorx(ctx, "failed to read X509 certificate");
367 goto err;
368 }
369 if ((*pkey = X509_get_pubkey(x509)) == NULL((void *)0)) {
370 tls_set_errorx(ctx, "failed to retrieve pubkey");
371 goto err;
372 }
373 } else {
374 if ((*pkey = PEM_read_bio_PrivateKey(bio, NULL((void *)0), tls_password_cb,
375 NULL((void *)0))) == NULL((void *)0)) {
376 tls_set_errorx(ctx, "failed to read private key");
377 goto err;
378 }
379 }
380
381 ret = 0;
382 err:
383 BIO_free(bio);
384 X509_free(x509);
385 return (ret);
386}
387
388static int
389tls_keypair_setup_pkey(struct tls *ctx, struct tls_keypair *keypair, EVP_PKEY *pkey)
390{
391 RSA_METHOD *rsa_method;
392 EC_KEY_METHOD *ecdsa_method;
393 RSA *rsa = NULL((void *)0);
394 EC_KEY *eckey = NULL((void *)0);
395 int ret = -1;
396
397 /* Only install the pubkey hash if fake private keys are used. */
398 if (!ctx->config->skip_private_key_check)
399 return (0);
400
401 if (keypair->pubkey_hash == NULL((void *)0)) {
402 tls_set_errorx(ctx, "public key hash not set");
403 goto err;
404 }
405
406 switch (EVP_PKEY_id(pkey)) {
407 case EVP_PKEY_RSA6:
408 if ((rsa = EVP_PKEY_get1_RSA(pkey)) == NULL((void *)0) ||
409 RSA_set_ex_data(rsa, 0, keypair->pubkey_hash) == 0) {
410 tls_set_errorx(ctx, "RSA key setup failure");
411 goto err;
412 }
413 if (ctx->config->sign_cb != NULL((void *)0)) {
414 rsa_method = tls_signer_rsa_method();
415 if (rsa_method == NULL((void *)0) ||
416 RSA_set_ex_data(rsa, 1, ctx->config) == 0 ||
417 RSA_set_method(rsa, rsa_method) == 0) {
418 tls_set_errorx(ctx, "failed to setup RSA key");
419 goto err;
420 }
421 }
422 /* Reset the key to work around caching in OpenSSL 3. */
423 if (EVP_PKEY_set1_RSA(pkey, rsa) == 0) {
424 tls_set_errorx(ctx, "failed to set RSA key");
425 goto err;
426 }
427 break;
428 case EVP_PKEY_EC408:
429 if ((eckey = EVP_PKEY_get1_EC_KEY(pkey)) == NULL((void *)0) ||
430 EC_KEY_set_ex_data(eckey, 0, keypair->pubkey_hash) == 0) {
431 tls_set_errorx(ctx, "EC key setup failure");
432 goto err;
433 }
434 if (ctx->config->sign_cb != NULL((void *)0)) {
435 ecdsa_method = tls_signer_ecdsa_method();
436 if (ecdsa_method == NULL((void *)0) ||
437 EC_KEY_set_ex_data(eckey, 1, ctx->config) == 0 ||
438 EC_KEY_set_method(eckey, ecdsa_method) == 0) {
439 tls_set_errorx(ctx, "failed to setup EC key");
440 goto err;
441 }
442 }
443 /* Reset the key to work around caching in OpenSSL 3. */
444 if (EVP_PKEY_set1_EC_KEY(pkey, eckey) == 0) {
445 tls_set_errorx(ctx, "failed to set EC key");
446 goto err;
447 }
448 break;
449 default:
450 tls_set_errorx(ctx, "incorrect key type");
451 goto err;
452 }
453
454 ret = 0;
455
456 err:
457 RSA_free(rsa);
458 EC_KEY_free(eckey);
459 return (ret);
460}
461
462int
463tls_configure_ssl_keypair(struct tls *ctx, SSL_CTX *ssl_ctx,
464 struct tls_keypair *keypair, int required)
465{
466 EVP_PKEY *pkey = NULL((void *)0);
467
468 if (!required &&
469 keypair->cert_mem == NULL((void *)0) &&
470 keypair->key_mem == NULL((void *)0))
471 return(0);
472
473 if (keypair->cert_mem != NULL((void *)0)) {
474 if (keypair->cert_len > INT_MAX0x7fffffff) {
475 tls_set_errorx(ctx, "certificate too long");
476 goto err;
477 }
478
479 if (SSL_CTX_use_certificate_chain_mem(ssl_ctx,
480 keypair->cert_mem, keypair->cert_len) != 1) {
481 tls_set_errorx(ctx, "failed to load certificate");
482 goto err;
483 }
484 }
485
486 if (tls_keypair_to_pkey(ctx, keypair, &pkey) == -1)
487 goto err;
488 if (pkey != NULL((void *)0)) {
489 if (tls_keypair_setup_pkey(ctx, keypair, pkey) == -1)
490 goto err;
491 if (SSL_CTX_use_PrivateKey(ssl_ctx, pkey) != 1) {
492 tls_set_errorx(ctx, "failed to load private key");
493 goto err;
494 }
495 EVP_PKEY_free(pkey);
496 pkey = NULL((void *)0);
497 }
498
499 if (!ctx->config->skip_private_key_check &&
500 SSL_CTX_check_private_key(ssl_ctx) != 1) {
501 tls_set_errorx(ctx, "private/public key mismatch");
502 goto err;
503 }
504
505 return (0);
506
507 err:
508 EVP_PKEY_free(pkey);
509
510 return (-1);
511}
512
513int
514tls_configure_ssl(struct tls *ctx, SSL_CTX *ssl_ctx)
515{
516 SSL_CTX_clear_mode(ssl_ctx, SSL_MODE_AUTO_RETRY)SSL_CTX_ctrl((ssl_ctx),78,(0x00000004L),((void *)0));
517
518 SSL_CTX_set_mode(ssl_ctx, SSL_MODE_ENABLE_PARTIAL_WRITE)SSL_CTX_ctrl((ssl_ctx),33,(0x00000001L),((void *)0));
519 SSL_CTX_set_mode(ssl_ctx, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER)SSL_CTX_ctrl((ssl_ctx),33,(0x00000002L),((void *)0));
520
521 SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_SSLv2)SSL_CTX_ctrl((ssl_ctx),32,(0x0),((void *)0));
522 SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_SSLv3)SSL_CTX_ctrl((ssl_ctx),32,(0x0),((void *)0));
523 SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_TLSv1)SSL_CTX_ctrl((ssl_ctx),32,(0x04000000L),((void *)0));
524 SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_TLSv1_1)SSL_CTX_ctrl((ssl_ctx),32,(0x10000000L),((void *)0));
525
526 SSL_CTX_clear_options(ssl_ctx, SSL_OP_NO_TLSv1_2)SSL_CTX_ctrl((ssl_ctx),77,(0x08000000L),((void *)0));
527 SSL_CTX_clear_options(ssl_ctx, SSL_OP_NO_TLSv1_3)SSL_CTX_ctrl((ssl_ctx),77,(0x20000000L),((void *)0));
528
529 if ((ctx->config->protocols & TLS_PROTOCOL_TLSv1_2(1 << 3)) == 0)
530 SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_TLSv1_2)SSL_CTX_ctrl((ssl_ctx),32,(0x08000000L),((void *)0));
531 if ((ctx->config->protocols & TLS_PROTOCOL_TLSv1_3(1 << 4)) == 0)
532 SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_TLSv1_3)SSL_CTX_ctrl((ssl_ctx),32,(0x20000000L),((void *)0));
533
534 if (ctx->config->alpn != NULL((void *)0)) {
535 if (SSL_CTX_set_alpn_protos(ssl_ctx, ctx->config->alpn,
536 ctx->config->alpn_len) != 0) {
537 tls_set_errorx(ctx, "failed to set alpn");
538 goto err;
539 }
540 }
541
542 if (ctx->config->ciphers != NULL((void *)0)) {
543 if (SSL_CTX_set_cipher_list(ssl_ctx,
544 ctx->config->ciphers) != 1) {
545 tls_set_errorx(ctx, "failed to set ciphers");
546 goto err;
547 }
548 }
549
550 if (ctx->config->verify_time == 0) {
551 X509_VERIFY_PARAM_set_flags(SSL_CTX_get0_param(ssl_ctx),
552 X509_V_FLAG_NO_CHECK_TIME0x200000);
553 }
554
555 /* Disable any form of session caching by default */
556 SSL_CTX_set_session_cache_mode(ssl_ctx, SSL_SESS_CACHE_OFF)SSL_CTX_ctrl(ssl_ctx,44,0x0000,((void *)0));
557 SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_TICKET)SSL_CTX_ctrl((ssl_ctx),32,(0x00004000L),((void *)0));
558
559 return (0);
560
561 err:
562 return (-1);
563}
564
565static int
566tls_ssl_cert_verify_cb(X509_STORE_CTX *x509_ctx, void *arg)
567{
568 struct tls *ctx = arg;
569 int x509_err;
570
571 if (ctx->config->verify_cert == 0)
572 return (1);
573
574 if ((X509_verify_cert(x509_ctx)) < 0) {
575 tls_set_errorx(ctx, "X509 verify cert failed");
576 return (0);
577 }
578
579 x509_err = X509_STORE_CTX_get_error(x509_ctx);
580 if (x509_err == X509_V_OK0)
581 return (1);
582
583 tls_set_errorx(ctx, "certificate verification failed: %s",
584 X509_verify_cert_error_string(x509_err));
585
586 return (0);
587}
588
589int
590tls_configure_ssl_verify(struct tls *ctx, SSL_CTX *ssl_ctx, int verify)
591{
592 size_t ca_len = ctx->config->ca_len;
593 char *ca_mem = ctx->config->ca_mem;
594 char *crl_mem = ctx->config->crl_mem;
595 size_t crl_len = ctx->config->crl_len;
596 char *ca_free = NULL((void *)0);
597 STACK_OF(X509_INFO)struct stack_st_X509_INFO *xis = NULL((void *)0);
598 X509_STORE *store;
599 X509_INFO *xi;
600 BIO *bio = NULL((void *)0);
601 int rv = -1;
602 int i;
603
604 SSL_CTX_set_verify(ssl_ctx, verify, NULL((void *)0));
605 SSL_CTX_set_cert_verify_callback(ssl_ctx, tls_ssl_cert_verify_cb, ctx);
606
607 if (ctx->config->verify_depth >= 0)
608 SSL_CTX_set_verify_depth(ssl_ctx, ctx->config->verify_depth);
609
610 if (ctx->config->verify_cert == 0)
611 goto done;
612
613 /* If no CA has been specified, attempt to load the default. */
614 if (ctx->config->ca_mem == NULL((void *)0) && ctx->config->ca_path == NULL((void *)0)) {
615 if (tls_config_load_file(&ctx->error, "CA", tls_default_ca_cert_file(),
616 &ca_mem, &ca_len) != 0)
617 goto err;
618 ca_free = ca_mem;
619 }
620
621 if (ca_mem != NULL((void *)0)) {
622 if (ca_len > INT_MAX0x7fffffff) {
623 tls_set_errorx(ctx, "ca too long");
624 goto err;
625 }
626 if (SSL_CTX_load_verify_mem(ssl_ctx, ca_mem, ca_len) != 1) {
627 tls_set_errorx(ctx, "ssl verify memory setup failure");
628 goto err;
629 }
630 } else if (SSL_CTX_load_verify_locations(ssl_ctx, NULL((void *)0),
631 ctx->config->ca_path) != 1) {
632 tls_set_errorx(ctx, "ssl verify locations failure");
633 goto err;
634 }
635
636 if (crl_mem != NULL((void *)0)) {
637 if (crl_len > INT_MAX0x7fffffff) {
638 tls_set_errorx(ctx, "crl too long");
639 goto err;
640 }
641 if ((bio = BIO_new_mem_buf(crl_mem, crl_len)) == NULL((void *)0)) {
642 tls_set_errorx(ctx, "failed to create buffer");
643 goto err;
644 }
645 if ((xis = PEM_X509_INFO_read_bio(bio, NULL((void *)0), tls_password_cb,
646 NULL((void *)0))) == NULL((void *)0)) {
647 tls_set_errorx(ctx, "failed to parse crl");
648 goto err;
649 }
650 store = SSL_CTX_get_cert_store(ssl_ctx);
651 for (i = 0; i < sk_X509_INFO_num(xis)sk_num(((_STACK*) (1 ? (xis) : (struct stack_st_X509_INFO*)0)
)); i++) {
652 xi = sk_X509_INFO_value(xis, i)((X509_INFO *)sk_value(((_STACK*) (1 ? (xis) : (struct stack_st_X509_INFO
*)0)), (i)));
653 if (xi->crl == NULL((void *)0))
654 continue;
655 if (!X509_STORE_add_crl(store, xi->crl)) {
656 tls_set_error(ctx, "failed to add crl");
657 goto err;
658 }
659 }
660 X509_STORE_set_flags(store,
661 X509_V_FLAG_CRL_CHECK0x4 | X509_V_FLAG_CRL_CHECK_ALL0x8);
662 }
663
664 done:
665 rv = 0;
666
667 err:
668 sk_X509_INFO_pop_free(xis, X509_INFO_free)sk_pop_free(((_STACK*) (1 ? (xis) : (struct stack_st_X509_INFO
*)0)), ((void (*)(void *)) ((1 ? (X509_INFO_free) : (void (*)
(X509_INFO *))0))));
669 BIO_free(bio);
670 free(ca_free);
671
672 return (rv);
673}
674
675void
676tls_free(struct tls *ctx)
677{
678 if (ctx == NULL((void *)0))
679 return;
680
681 tls_reset(ctx);
682
683 free(ctx);
684}
685
686void
687tls_reset(struct tls *ctx)
688{
689 struct tls_sni_ctx *sni, *nsni;
690
691 tls_config_free(ctx->config);
692 ctx->config = NULL((void *)0);
693
694 SSL_CTX_free(ctx->ssl_ctx);
695 SSL_free(ctx->ssl_conn);
696 X509_free(ctx->ssl_peer_cert);
697
698 ctx->ssl_conn = NULL((void *)0);
699 ctx->ssl_ctx = NULL((void *)0);
700 ctx->ssl_peer_cert = NULL((void *)0);
701 /* X509 objects in chain are freed with the SSL */
702 ctx->ssl_peer_chain = NULL((void *)0);
703
704 ctx->socket = -1;
705 ctx->state = 0;
706
707 free(ctx->servername);
708 ctx->servername = NULL((void *)0);
709
710 free(ctx->error.msg);
711 ctx->error.msg = NULL((void *)0);
712 ctx->error.num = -1;
713
714 tls_conninfo_free(ctx->conninfo);
715 ctx->conninfo = NULL((void *)0);
716
717 tls_ocsp_free(ctx->ocsp);
718 ctx->ocsp = NULL((void *)0);
719
720 for (sni = ctx->sni_ctx; sni != NULL((void *)0); sni = nsni) {
721 nsni = sni->next;
722 tls_sni_ctx_free(sni);
723 }
724 ctx->sni_ctx = NULL((void *)0);
725
726 ctx->read_cb = NULL((void *)0);
727 ctx->write_cb = NULL((void *)0);
728 ctx->cb_arg = NULL((void *)0);
729}
730
731int
732tls_ssl_error(struct tls *ctx, SSL *ssl_conn, int ssl_ret, const char *prefix)
733{
734 const char *errstr = "unknown error";
735 unsigned long err;
736 int ssl_err;
737
738 ssl_err = SSL_get_error(ssl_conn, ssl_ret);
739 switch (ssl_err) {
740 case SSL_ERROR_NONE0:
741 case SSL_ERROR_ZERO_RETURN6:
742 return (0);
743
744 case SSL_ERROR_WANT_READ2:
745 return (TLS_WANT_POLLIN-2);
746
747 case SSL_ERROR_WANT_WRITE3:
748 return (TLS_WANT_POLLOUT-3);
749
750 case SSL_ERROR_SYSCALL5:
751 if ((err = ERR_peek_error()) != 0) {
752 errstr = ERR_error_string(err, NULL((void *)0));
753 } else if (ssl_ret == 0) {
754 if ((ctx->state & TLS_HANDSHAKE_COMPLETE(1 << 2)) != 0) {
755 ctx->state |= TLS_EOF_NO_CLOSE_NOTIFY(1 << 0);
756 return (0);
757 }
758 errstr = "unexpected EOF";
759 } else if (ssl_ret == -1) {
760 errstr = strerror(errno(*__errno()));
761 }
762 tls_set_ssl_errorx(ctx, "%s failed: %s", prefix, errstr);
763 return (-1);
764
765 case SSL_ERROR_SSL1:
766 if ((err = ERR_peek_error()) != 0) {
767 errstr = ERR_error_string(err, NULL((void *)0));
768 }
769 tls_set_ssl_errorx(ctx, "%s failed: %s", prefix, errstr);
770 return (-1);
771
772 case SSL_ERROR_WANT_CONNECT7:
773 case SSL_ERROR_WANT_ACCEPT8:
774 case SSL_ERROR_WANT_X509_LOOKUP4:
775 default:
776 tls_set_ssl_errorx(ctx, "%s failed (%d)", prefix, ssl_err);
777 return (-1);
778 }
779}
780
781int
782tls_handshake(struct tls *ctx)
783{
784 int rv = -1;
785
786 tls_error_clear(&ctx->error);
787
788 if ((ctx->flags & (TLS_CLIENT(1 << 0) | TLS_SERVER_CONN(1 << 2))) == 0) {
789 tls_set_errorx(ctx, "invalid operation for context");
790 goto out;
791 }
792
793 if ((ctx->state & TLS_HANDSHAKE_COMPLETE(1 << 2)) != 0) {
794 tls_set_errorx(ctx, "handshake already completed");
795 goto out;
796 }
797
798 if ((ctx->flags & TLS_CLIENT(1 << 0)) != 0)
799 rv = tls_handshake_client(ctx);
800 else if ((ctx->flags & TLS_SERVER_CONN(1 << 2)) != 0)
801 rv = tls_handshake_server(ctx);
802
803 if (rv == 0) {
804 ctx->ssl_peer_cert = SSL_get_peer_certificate(ctx->ssl_conn);
805 ctx->ssl_peer_chain = SSL_get_peer_cert_chain(ctx->ssl_conn);
806 if (tls_conninfo_populate(ctx) == -1)
807 rv = -1;
808 if (ctx->ocsp == NULL((void *)0))
809 ctx->ocsp = tls_ocsp_setup_from_peer(ctx);
810 }
811 out:
812 /* Prevent callers from performing incorrect error handling */
813 errno(*__errno()) = 0;
814 return (rv);
815}
816
817ssize_t
818tls_read(struct tls *ctx, void *buf, size_t buflen)
819{
820 ssize_t rv = -1;
821 int ssl_ret;
822
823 tls_error_clear(&ctx->error);
824
825 if ((ctx->state & TLS_HANDSHAKE_COMPLETE(1 << 2)) == 0) {
826 if ((rv = tls_handshake(ctx)) != 0)
827 goto out;
828 }
829
830 if (buflen > INT_MAX0x7fffffff) {
831 tls_set_errorx(ctx, "buflen too long");
832 goto out;
833 }
834
835 ERR_clear_error();
836 if ((ssl_ret = SSL_read(ctx->ssl_conn, buf, buflen)) > 0) {
837 rv = (ssize_t)ssl_ret;
838 goto out;
839 }
840 rv = (ssize_t)tls_ssl_error(ctx, ctx->ssl_conn, ssl_ret, "read");
841
842 out:
843 /* Prevent callers from performing incorrect error handling */
844 errno(*__errno()) = 0;
845 return (rv);
846}
847
848ssize_t
849tls_write(struct tls *ctx, const void *buf, size_t buflen)
850{
851 ssize_t rv = -1;
852 int ssl_ret;
853
854 tls_error_clear(&ctx->error);
855
856 if ((ctx->state & TLS_HANDSHAKE_COMPLETE(1 << 2)) == 0) {
857 if ((rv = tls_handshake(ctx)) != 0)
858 goto out;
859 }
860
861 if (buflen > INT_MAX0x7fffffff) {
862 tls_set_errorx(ctx, "buflen too long");
863 goto out;
864 }
865
866 ERR_clear_error();
867 if ((ssl_ret = SSL_write(ctx->ssl_conn, buf, buflen)) > 0) {
868 rv = (ssize_t)ssl_ret;
869 goto out;
870 }
871 rv = (ssize_t)tls_ssl_error(ctx, ctx->ssl_conn, ssl_ret, "write");
872
873 out:
874 /* Prevent callers from performing incorrect error handling */
875 errno(*__errno()) = 0;
876 return (rv);
877}
878
879int
880tls_close(struct tls *ctx)
881{
882 int ssl_ret;
883 int rv = 0;
884
885 tls_error_clear(&ctx->error);
886
887 if ((ctx->flags & (TLS_CLIENT(1 << 0) | TLS_SERVER_CONN(1 << 2))) == 0) {
888 tls_set_errorx(ctx, "invalid operation for context");
889 rv = -1;
890 goto out;
891 }
892
893 if (ctx->state & TLS_SSL_NEEDS_SHUTDOWN(1 << 3)) {
894 ERR_clear_error();
895 ssl_ret = SSL_shutdown(ctx->ssl_conn);
896 if (ssl_ret < 0) {
897 rv = tls_ssl_error(ctx, ctx->ssl_conn, ssl_ret,
898 "shutdown");
899 if (rv == TLS_WANT_POLLIN-2 || rv == TLS_WANT_POLLOUT-3)
900 goto out;
901 }
902 ctx->state &= ~TLS_SSL_NEEDS_SHUTDOWN(1 << 3);
903 }
904
905 if (ctx->socket != -1) {
906 if (shutdown(ctx->socket, SHUT_RDWR2) != 0) {
907 if (rv == 0 &&
908 errno(*__errno()) != ENOTCONN57 && errno(*__errno()) != ECONNRESET54) {
909 tls_set_error(ctx, "shutdown");
910 rv = -1;
911 }
912 }
913 if (close(ctx->socket) != 0) {
914 if (rv == 0) {
915 tls_set_error(ctx, "close");
916 rv = -1;
917 }
918 }
919 ctx->socket = -1;
920 }
921
922 if ((ctx->state & TLS_EOF_NO_CLOSE_NOTIFY(1 << 0)) != 0) {
923 tls_set_errorx(ctx, "EOF without close notify");
924 rv = -1;
925 }
926
927 out:
928 /* Prevent callers from performing incorrect error handling */
929 errno(*__errno()) = 0;
930 return (rv);
931}