#include <stdio.h>
#include <openssl/objects.h>
#include "internal/nelem.h"
-#include "ssl_locl.h"
+#include "ssl_local.h"
#include <openssl/md5.h>
#include <openssl/dh.h>
#include <openssl/rand.h>
s->s3.tmp.pkey = NULL;
#endif
+ ssl_evp_cipher_free(s->s3.tmp.new_sym_enc);
+ ssl_evp_md_free(s->s3.tmp.new_hash);
+
OPENSSL_free(s->s3.tmp.ctype);
sk_X509_NAME_pop_free(s->s3.tmp.peer_ca_names, X509_NAME_free);
OPENSSL_free(s->s3.tmp.ciphers_raw);
case SSL_CTRL_GET_CHAIN_CERTS:
*(STACK_OF(X509) **)parg = s->cert->key->chain;
+ ret = 1;
break;
case SSL_CTRL_SELECT_CURRENT_CERT:
}
return ssl_cert_set_current(s->cert, larg);
+#if !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH)
case SSL_CTRL_GET_GROUPS:
{
uint16_t *clist;
if (!s->session)
return 0;
- clist = s->session->ext.supportedgroups;
- clistlen = s->session->ext.supportedgroups_len;
+ clist = s->ext.peer_supportedgroups;
+ clistlen = s->ext.peer_supportedgroups_len;
if (parg) {
size_t i;
int *cptr = parg;
{
uint16_t id = tls1_shared_group(s, larg);
- if (larg != -1) {
- const TLS_GROUP_INFO *ginf = tls1_group_id_lookup(id);
-
- return ginf == NULL ? 0 : ginf->nid;
- }
+ if (larg != -1)
+ return tls1_group_id2nid(id);
return id;
}
+ case SSL_CTRL_GET_NEGOTIATED_GROUP:
+ ret = tls1_group_id2nid(s->s3.group_id);
+ break;
+#endif /* !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH) */
case SSL_CTRL_SET_SIGALGS:
return tls1_set_sigalgs(s->cert, parg, larg, 0);
#ifndef OPENSSL_NO_EC
case SSL_CTRL_GET_EC_POINT_FORMATS:
{
- SSL_SESSION *sess = s->session;
const unsigned char **pformat = parg;
- if (sess == NULL || sess->ext.ecpointformats == NULL)
+ if (s->ext.peer_ecpointformats == NULL)
return 0;
- *pformat = sess->ext.ecpointformats;
- return (int)sess->ext.ecpointformats_len;
+ *pformat = s->ext.peer_ecpointformats;
+ return (int)s->ext.peer_ecpointformats_len;
}
#endif
srp_password_from_info_cb;
if (ctx->srp_ctx.info != NULL)
OPENSSL_free(ctx->srp_ctx.info);
- if ((ctx->srp_ctx.info = BUF_strdup((char *)parg)) == NULL) {
+ if ((ctx->srp_ctx.info = OPENSSL_strdup((char *)parg)) == NULL) {
SSLerr(SSL_F_SSL3_CTX_CTRL, ERR_R_INTERNAL_ERROR);
return 0;
}
break;
#endif
+#if !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH)
case SSL_CTRL_SET_GROUPS:
return tls1_set_groups(&ctx->ext.supportedgroups,
&ctx->ext.supportedgroups_len,
return tls1_set_groups_list(&ctx->ext.supportedgroups,
&ctx->ext.supportedgroups_len,
parg);
+#endif /* !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH) */
case SSL_CTRL_SET_SIGALGS:
return tls1_set_sigalgs(ctx->cert, parg, larg, 0);
ctx->ext.status_cb = (int (*)(SSL *, void *))fp;
break;
+# ifndef OPENSSL_NO_DEPRECATED_3_0
case SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB:
ctx->ext.ticket_key_cb = (int (*)(SSL *, unsigned char *,
unsigned char *,
EVP_CIPHER_CTX *,
HMAC_CTX *, int))fp;
break;
+#endif
#ifndef OPENSSL_NO_SRP
case SSL_CTRL_SET_SRP_VERIFY_PARAM_CB:
return 1;
}
+int SSL_CTX_set_tlsext_ticket_key_evp_cb
+ (SSL_CTX *ctx, int (*fp)(SSL *, unsigned char *, unsigned char *,
+ EVP_CIPHER_CTX *, EVP_MAC_CTX *, int))
+{
+ ctx->ext.ticket_key_evp_cb = fp;
+ return 1;
+}
+
const SSL_CIPHER *ssl3_get_cipher_by_id(uint32_t id)
{
SSL_CIPHER c;
STACK_OF(SSL_CIPHER) *prio, *allow;
int i, ii, ok, prefer_sha256 = 0;
unsigned long alg_k = 0, alg_a = 0, mask_k = 0, mask_a = 0;
- const EVP_MD *mdsha256 = EVP_sha256();
#ifndef OPENSSL_NO_CHACHA
STACK_OF(SSL_CIPHER) *prio_chacha = NULL;
#endif
if (prefer_sha256) {
const SSL_CIPHER *tmp = sk_SSL_CIPHER_value(allow, ii);
- if (ssl_md(tmp->algorithm2) == mdsha256) {
+ /*
+ * TODO: When there are no more legacy digests we can just use
+ * OSSL_DIGEST_NAME_SHA2_256 instead of calling OBJ_nid2sn
+ */
+ if (EVP_MD_is_a(ssl_md(s->ctx, tmp->algorithm2),
+ OBJ_nid2sn(NID_sha256))) {
ret = tmp;
break;
}
unsigned char *p = result;
l2n(Time, p);
- ret = RAND_bytes(p, len - 4);
+ ret = RAND_bytes_ex(s->ctx->libctx, p, len - 4);
} else {
- ret = RAND_bytes(result, len);
+ ret = RAND_bytes_ex(s->ctx->libctx, result, len);
}
if (ret > 0) {
}
/* Generate a private key from parameters */
-EVP_PKEY *ssl_generate_pkey(EVP_PKEY *pm)
+EVP_PKEY *ssl_generate_pkey(SSL *s, EVP_PKEY *pm)
{
EVP_PKEY_CTX *pctx = NULL;
EVP_PKEY *pkey = NULL;
if (pm == NULL)
return NULL;
- pctx = EVP_PKEY_CTX_new(pm, NULL);
+ pctx = EVP_PKEY_CTX_new_from_pkey(s->ctx->libctx, pm, s->ctx->propq);
if (pctx == NULL)
goto err;
if (EVP_PKEY_keygen_init(pctx) <= 0)
}
/* Generate a private key from a group ID */
+#if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_EC)
EVP_PKEY *ssl_generate_pkey_group(SSL *s, uint16_t id)
{
const TLS_GROUP_INFO *ginf = tls1_group_id_lookup(id);
goto err;
}
gtype = ginf->flags & TLS_GROUP_TYPE;
+ /*
+ * TODO(3.0): Convert these EVP_PKEY_CTX_new_id calls to ones that take
+ * s->ctx->libctx and s->ctx->propq when keygen has been updated to be
+ * provider aware.
+ */
# ifndef OPENSSL_NO_DH
if (gtype == TLS_GROUP_FFDHE)
pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_DH, NULL);
EVP_PKEY_CTX_free(pctx);
return pkey;
}
+#endif
/*
* Generate parameters from a group ID
return NULL;
}
+ /*
+ * TODO(3.0): Convert this EVP_PKEY_CTX_new_id call to one that takes
+ * s->ctx->libctx and s->ctx->propq when paramgen has been updated to be
+ * provider aware.
+ */
pkey_ctx_id = (ginf->flags & TLS_GROUP_FFDHE)
? EVP_PKEY_DH : EVP_PKEY_EC;
pctx = EVP_PKEY_CTX_new_id(pkey_ctx_id, NULL);
return 0;
}
- pctx = EVP_PKEY_CTX_new(privkey, NULL);
+ pctx = EVP_PKEY_CTX_new_from_pkey(s->ctx->libctx, privkey, s->ctx->propq);
if (EVP_PKEY_derive_init(pctx) <= 0
|| EVP_PKEY_derive_set_peer(pctx, pubkey) <= 0