mdord = OPENSSL_zalloc(n * sizeof(*mdord));
if (mdord == NULL || mdevp == NULL) {
+ OPENSSL_free(mdord);
OPENSSL_free(mdevp);
SSLerr(SSL_F_DANE_CTX_ENABLE, ERR_R_MALLOC_FAILURE);
return 0;
OPENSSL_free(t);
}
-static void dane_final(struct dane_st *dane)
+static void dane_final(SSL_DANE *dane)
{
sk_danetls_record_pop_free(dane->trecs, tlsa_free);
dane->trecs = NULL;
return 1;
dane_final(&to->dane);
+ to->dane.dctx = &to->ctx->dane;
+ to->dane.trecs = sk_danetls_record_new_null();
+
+ if (to->dane.trecs == NULL) {
+ SSLerr(SSL_F_SSL_DANE_DUP, ERR_R_MALLOC_FAILURE);
+ return 0;
+ }
num = sk_danetls_record_num(from->dane.trecs);
for (i = 0; i < num; ++i) {
danetls_record *t = sk_danetls_record_value(from->dane.trecs, i);
+
if (SSL_dane_tlsa_add(to, t->usage, t->selector, t->mtype,
t->data, t->dlen) <= 0)
return 0;
return 1;
}
-static const EVP_MD *tlsa_md_get(struct dane_st *dane, uint8_t mtype)
+static const EVP_MD *tlsa_md_get(SSL_DANE *dane, uint8_t mtype)
{
if (mtype > dane->dctx->mdmax)
return NULL;
}
static int dane_tlsa_add(
- struct dane_st *dane,
+ SSL_DANE *dane,
uint8_t usage,
uint8_t selector,
uint8_t mtype,
const EVP_MD *md = NULL;
int ilen = (int)dlen;
int i;
+ int num;
if (dane->trecs == NULL) {
SSLerr(SSL_F_DANE_TLSA_ADD, SSL_R_DANE_NOT_ENABLED);
* The choice of order for the selector is not significant, so we
* use the same descending order for consistency.
*/
- for (i = 0; i < sk_danetls_record_num(dane->trecs); ++i) {
+ num = sk_danetls_record_num(dane->trecs);
+ for (i = 0; i < num; ++i) {
danetls_record *rec = sk_danetls_record_value(dane->trecs, i);
+
if (rec->usage > usage)
continue;
if (rec->usage < usage)
s->tlsext_debug_cb = 0;
s->tlsext_debug_arg = NULL;
s->tlsext_ticket_expected = 0;
- s->tlsext_status_type = -1;
+ s->tlsext_status_type = ctx->tlsext_status_type;
s->tlsext_status_expected = 0;
s->tlsext_ocsp_ids = NULL;
s->tlsext_ocsp_exts = NULL;
if (!SSL_clear(s))
goto err;
- CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL, s, &s->ex_data);
+ if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL, s, &s->ex_data))
+ goto err;
#ifndef OPENSSL_NO_PSK
s->psk_client_callback = ctx->psk_client_callback;
return NULL;
}
-void SSL_up_ref(SSL *s)
+int SSL_up_ref(SSL *s)
{
int i;
- CRYPTO_atomic_add(&s->references, 1, &i, s->lock);
+
+ if (CRYPTO_atomic_add(&s->references, 1, &i, s->lock) <= 0)
+ return 0;
+
+ REF_PRINT_COUNT("SSL", s);
+ REF_ASSERT_ISNT(i < 2);
+ return ((i > 1) ? 1 : 0);
}
int SSL_CTX_set_session_id_context(SSL_CTX *ctx, const unsigned char *sid_ctx,
int SSL_dane_enable(SSL *s, const char *basedomain)
{
- struct dane_st *dane = &s->dane;
+ SSL_DANE *dane = &s->dane;
if (s->ctx->dane.mdmax == 0) {
SSLerr(SSL_F_SSL_DANE_ENABLE, SSL_R_CONTEXT_NOT_DANE_ENABLED);
* invalid input, set the SNI name first.
*/
if (s->tlsext_hostname == NULL) {
- if (!SSL_set_tlsext_host_name(s, basedomain)) {
+ if (!SSL_set_tlsext_host_name(s, basedomain)) {
SSLerr(SSL_F_SSL_DANE_ENABLE, SSL_R_ERROR_SETTING_TLSA_BASE_DOMAIN);
- return -1;
+ return -1;
}
}
int SSL_get0_dane_authority(SSL *s, X509 **mcert, EVP_PKEY **mspki)
{
- struct dane_st *dane = &s->dane;
+ SSL_DANE *dane = &s->dane;
if (!DANETLS_ENABLED(dane) || s->verify_result != X509_V_OK)
return -1;
int SSL_get0_dane_tlsa(SSL *s, uint8_t *usage, uint8_t *selector,
uint8_t *mtype, unsigned const char **data, size_t *dlen)
{
- struct dane_st *dane = &s->dane;
+ SSL_DANE *dane = &s->dane;
if (!DANETLS_ENABLED(dane) || s->verify_result != X509_V_OK)
return -1;
return dane->mdpth;
}
-struct dane_st *SSL_get0_dane(SSL *s)
+SSL_DANE *SSL_get0_dane(SSL *s)
{
return &s->dane;
}
case ASYNC_PAUSE:
s->rwstate = SSL_ASYNC_PAUSED;
return -1;
+ case ASYNC_NO_JOBS:
+ s->rwstate = SSL_ASYNC_NO_JOBS;
+ return -1;
case ASYNC_FINISH:
s->job = NULL;
return ret;
}
case SSL_CTRL_GET_EXTMS_SUPPORT:
if (!s->session || SSL_in_init(s) || ossl_statem_get_in_handshake(s))
- return -1;
- if (s->session->flags & SSL_SESS_FLAG_EXTMS)
+ return -1;
+ if (s->session->flags & SSL_SESS_FLAG_EXTMS)
return 1;
else
return 0;
return 0;
ctx->max_send_fragment = larg;
if (ctx->max_send_fragment < ctx->split_send_fragment)
- ctx->split_send_fragment = ctx->split_send_fragment;
+ ctx->split_send_fragment = ctx->max_send_fragment;
return 1;
case SSL_CTRL_SET_SPLIT_SEND_FRAGMENT:
if ((unsigned int)larg > ctx->max_send_fragment || larg == 0)
return (c->name);
}
+/** return a STACK of the ciphers available for the SSL_CTX and in order of
+ * preference */
+STACK_OF(SSL_CIPHER) *SSL_CTX_get_ciphers(const SSL_CTX *ctx)
+{
+ if (ctx != NULL)
+ return ctx->cipher_list;
+ return NULL;
+}
+
/** specify the ciphers to be used by default by the SSL_CTX */
int SSL_CTX_set_cipher_list(SSL_CTX *ctx, const char *str)
{
if ((ret->client_CA = sk_X509_NAME_new_null()) == NULL)
goto err;
- CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL_CTX, ret, &ret->ex_data);
+ if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL_CTX, ret, &ret->ex_data))
+ goto err;
/* No compression for DTLS */
if (!(meth->ssl3_enc->enc_flags & SSL_ENC_FLAG_DTLS))
*/
ret->options |= SSL_OP_NO_COMPRESSION;
+ ret->tlsext_status_type = -1;
+
return ret;
err:
SSLerr(SSL_F_SSL_CTX_NEW, ERR_R_MALLOC_FAILURE);
return NULL;
}
-void SSL_CTX_up_ref(SSL_CTX *ctx)
+int SSL_CTX_up_ref(SSL_CTX *ctx)
{
int i;
- CRYPTO_atomic_add(&ctx->references, 1, &i, ctx->lock);
+
+ if (CRYPTO_atomic_add(&ctx->references, 1, &i, ctx->lock) <= 0)
+ return 0;
+
+ REF_PRINT_COUNT("SSL_CTX", ctx);
+ REF_ASSERT_ISNT(i < 2);
+ return ((i > 1) ? 1 : 0);
}
void SSL_CTX_free(SSL_CTX *a)
return (SSL_ERROR_SSL);
}
- if ((i < 0) && SSL_want_read(s)) {
- bio = SSL_get_rbio(s);
- if (BIO_should_read(bio))
- return (SSL_ERROR_WANT_READ);
- else if (BIO_should_write(bio))
- /*
- * This one doesn't make too much sense ... We never try to write
- * to the rbio, and an application program where rbio and wbio
- * are separate couldn't even know what it should wait for.
- * However if we ever set s->rwstate incorrectly (so that we have
- * SSL_want_read(s) instead of SSL_want_write(s)) and rbio and
- * wbio *are* the same, this test works around that bug; so it
- * might be safer to keep it.
- */
- return (SSL_ERROR_WANT_WRITE);
- else if (BIO_should_io_special(bio)) {
- reason = BIO_get_retry_reason(bio);
- if (reason == BIO_RR_CONNECT)
- return (SSL_ERROR_WANT_CONNECT);
- else if (reason == BIO_RR_ACCEPT)
- return (SSL_ERROR_WANT_ACCEPT);
- else
- return (SSL_ERROR_SYSCALL); /* unknown */
+ if (i < 0) {
+ if (SSL_want_read(s)) {
+ bio = SSL_get_rbio(s);
+ if (BIO_should_read(bio))
+ return (SSL_ERROR_WANT_READ);
+ else if (BIO_should_write(bio))
+ /*
+ * This one doesn't make too much sense ... We never try to write
+ * to the rbio, and an application program where rbio and wbio
+ * are separate couldn't even know what it should wait for.
+ * However if we ever set s->rwstate incorrectly (so that we have
+ * SSL_want_read(s) instead of SSL_want_write(s)) and rbio and
+ * wbio *are* the same, this test works around that bug; so it
+ * might be safer to keep it.
+ */
+ return (SSL_ERROR_WANT_WRITE);
+ else if (BIO_should_io_special(bio)) {
+ reason = BIO_get_retry_reason(bio);
+ if (reason == BIO_RR_CONNECT)
+ return (SSL_ERROR_WANT_CONNECT);
+ else if (reason == BIO_RR_ACCEPT)
+ return (SSL_ERROR_WANT_ACCEPT);
+ else
+ return (SSL_ERROR_SYSCALL); /* unknown */
+ }
}
- }
- if ((i < 0) && SSL_want_write(s)) {
- bio = SSL_get_wbio(s);
- if (BIO_should_write(bio))
- return (SSL_ERROR_WANT_WRITE);
- else if (BIO_should_read(bio))
- /*
- * See above (SSL_want_read(s) with BIO_should_write(bio))
- */
- return (SSL_ERROR_WANT_READ);
- else if (BIO_should_io_special(bio)) {
- reason = BIO_get_retry_reason(bio);
- if (reason == BIO_RR_CONNECT)
- return (SSL_ERROR_WANT_CONNECT);
- else if (reason == BIO_RR_ACCEPT)
- return (SSL_ERROR_WANT_ACCEPT);
- else
- return (SSL_ERROR_SYSCALL);
+ if (SSL_want_write(s)) {
+ bio = SSL_get_wbio(s);
+ if (BIO_should_write(bio))
+ return (SSL_ERROR_WANT_WRITE);
+ else if (BIO_should_read(bio))
+ /*
+ * See above (SSL_want_read(s) with BIO_should_write(bio))
+ */
+ return (SSL_ERROR_WANT_READ);
+ else if (BIO_should_io_special(bio)) {
+ reason = BIO_get_retry_reason(bio);
+ if (reason == BIO_RR_CONNECT)
+ return (SSL_ERROR_WANT_CONNECT);
+ else if (reason == BIO_RR_ACCEPT)
+ return (SSL_ERROR_WANT_ACCEPT);
+ else
+ return (SSL_ERROR_SYSCALL);
+ }
+ }
+ if (SSL_want_x509_lookup(s)) {
+ return (SSL_ERROR_WANT_X509_LOOKUP);
+ }
+ if (SSL_want_async(s)) {
+ return SSL_ERROR_WANT_ASYNC;
+ }
+ if (SSL_want_async_job(s)) {
+ return SSL_ERROR_WANT_ASYNC_JOB;
}
- }
- if ((i < 0) && SSL_want_x509_lookup(s)) {
- return (SSL_ERROR_WANT_X509_LOOKUP);
- }
- if ((i < 0) && SSL_want_async(s)) {
- return SSL_ERROR_WANT_ASYNC;
}
if (i == 0) {
goto err;
}
- ssl_dane_dup(ret, s);
+ if (!ssl_dane_dup(ret, s))
+ goto err;
ret->version = s->version;
ret->options = s->options;
ret->mode = s->mode;
int SSL_get_shutdown(const SSL *s)
{
- return (s->shutdown);
+ return s->shutdown;
}
int SSL_version(const SSL *s)
{
- return (s->version);
+ return s->version;
+}
+
+int SSL_client_version(const SSL *s)
+{
+ return s->client_version;
}
SSL_CTX *SSL_get_SSL_CTX(const SSL *ssl)
{
- return (ssl->ctx);
+ return ssl->ctx;
}
SSL_CTX *SSL_set_SSL_CTX(SSL *ssl, SSL_CTX *ctx)
/*
* Allocates new EVP_MD_CTX and sets pointer to it into given pointer
- * vairable, freeing EVP_MD_CTX previously stored in that variable, if any.
+ * variable, freeing EVP_MD_CTX previously stored in that variable, if any.
* If EVP_MD pointer is passed, initializes ctx with this md Returns newly
* allocated ctx;
*/
int ret = 0;
X509 *cert = s->session != NULL ? s->session->peer : NULL;
X509 *issuer;
- struct dane_st *dane = &s->dane;
+ SSL_DANE *dane = &s->dane;
CT_POLICY_EVAL_CTX *ctx = NULL;
const STACK_OF(SCT) *scts;