* OTHERWISE.
*/
-#ifdef REF_CHECK
+#ifdef REF_DEBUG
# include <assert.h>
#endif
#include <stdio.h>
SSL *s;
void *buf;
int num;
- int type;
+ enum { READFUNC, WRITEFUNC, OTHERFUNC} type;
union {
- int (*func1)(SSL *, void *, int);
- int (*func2)(SSL *, const void *, int);
+ int (*func_read)(SSL *, void *, int);
+ int (*func_write)(SSL *, const void *, int);
+ int (*func_other)(SSL *);
} f;
};
s->alpn_client_proto_list_len = s->ctx->alpn_client_proto_list_len;
}
+ s->verified_chain = NULL;
s->verify_result = X509_V_OK;
s->default_passwd_callback = ctx->default_passwd_callback;
{
struct dane_st *dane = &s->dane;
- if (!DANETLS_ENABLED(dane))
+ if (!DANETLS_ENABLED(dane) || s->verify_result != X509_V_OK)
return -1;
if (dane->mtlsa) {
if (mcert)
{
struct dane_st *dane = &s->dane;
- if (!DANETLS_ENABLED(dane))
+ if (!DANETLS_ENABLED(dane) || s->verify_result != X509_V_OK)
return -1;
if (dane->mtlsa) {
if (usage)
return;
i = CRYPTO_add(&s->references, -1, CRYPTO_LOCK_SSL);
-#ifdef REF_PRINT
- REF_PRINT("SSL", s);
-#endif
+ REF_PRINT_COUNT("SSL", s);
if (i > 0)
return;
-#ifdef REF_CHECK
- if (i < 0) {
- fprintf(stderr, "SSL_free, bad reference count\n");
- abort(); /* ok */
- }
-#endif
+ REF_ASSERT_ISNT(i < 0);
X509_VERIFY_PARAM_free(s->param);
dane_final(&s->dane);
sk_X509_NAME_pop_free(s->client_CA, X509_NAME_free);
+ sk_X509_pop_free(s->verified_chain, X509_free);
+
if (s->method != NULL)
s->method->ssl_free(s);
s = args->s;
buf = args->buf;
num = args->num;
- if (args->type == 1)
- return args->f.func1(s, buf, num);
- else
- return args->f.func2(s, buf, num);
+ switch (args->type) {
+ case READFUNC:
+ return args->f.func_read(s, buf, num);
+ case WRITEFUNC:
+ return args->f.func_write(s, buf, num);
+ case OTHERFUNC:
+ return args->f.func_other(s);
+ }
+ return -1;
}
int SSL_read(SSL *s, void *buf, int num)
args.s = s;
args.buf = buf;
args.num = num;
- args.type = 1;
- args.f.func1 = s->method->ssl_read;
+ args.type = READFUNC;
+ args.f.func_read = s->method->ssl_read;
return ssl_start_async_job(s, &args, ssl_io_intern);
} else {
args.s = s;
args.buf = buf;
args.num = num;
- args.type = 1;
- args.f.func1 = s->method->ssl_peek;
+ args.type = READFUNC;
+ args.f.func_read = s->method->ssl_peek;
return ssl_start_async_job(s, &args, ssl_io_intern);
} else {
args.s = s;
args.buf = (void *)buf;
args.num = num;
- args.type = 2;
- args.f.func2 = s->method->ssl_write;
+ args.type = WRITEFUNC;
+ args.f.func_write = s->method->ssl_write;
return ssl_start_async_job(s, &args, ssl_io_intern);
} else {
return -1;
}
- return s->method->ssl_shutdown(s);
+ if (!SSL_in_init(s)) {
+ if((s->mode & SSL_MODE_ASYNC) && ASYNC_get_current_job() == NULL) {
+ struct ssl_async_args args;
+
+ args.s = s;
+ args.type = OTHERFUNC;
+ args.f.func_other = s->method->ssl_shutdown;
+
+ return ssl_start_async_job(s, &args, ssl_io_intern);
+ } else {
+ return s->method->ssl_shutdown(s);
+ }
+ } else {
+ SSLerr(SSL_F_SSL_SHUTDOWN, SSL_R_SHUTDOWN_WHILE_IN_INIT);
+ return -1;
+ }
}
int SSL_renegotiate(SSL *s)
*p = '\0';
return buf;
}
- strcpy(p, c->name);
+ memcpy(p, c->name, n + 1);
p += n;
*(p++) = ':';
len -= n + 1;
return (NULL);
}
+ if (!OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS, NULL))
+ return NULL;
+
if (FIPS_mode() && (meth->version < TLS1_VERSION)) {
SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_AT_LEAST_TLS_1_0_NEEDED_IN_FIPS_MODE);
return NULL;
* deployed might change this.
*/
ret->options |= SSL_OP_LEGACY_SERVER_CONNECT;
+ /*
+ * Disable compression by default to prevent CRIME. Applications can
+ * re-enable compression by configuring
+ * SSL_CTX_clear_options(ctx, SSL_OP_NO_COMPRESSION);
+ * or by using the SSL_CONF library.
+ */
+ ret->options |= SSL_OP_NO_COMPRESSION;
return (ret);
err:
return;
i = CRYPTO_add(&a->references, -1, CRYPTO_LOCK_SSL_CTX);
-#ifdef REF_PRINT
- REF_PRINT("SSL_CTX", a);
-#endif
+ REF_PRINT_COUNT("SSL_CTX", a);
if (i > 0)
return;
-#ifdef REF_CHECK
- if (i < 0) {
- fprintf(stderr, "SSL_CTX_free, bad reference count\n");
- abort(); /* ok */
- }
-#endif
+ REF_ASSERT_ISNT(i < 0);
X509_VERIFY_PARAM_free(a->param);
dane_ctx_final(&a->dane);
if (s->bbio == s->wbio) {
/* remove buffering */
s->wbio = BIO_pop(s->wbio);
-#ifdef REF_CHECK /* not the usual REF_CHECK, but this avoids
- * adding one more preprocessor symbol */
+#ifdef REF_DEBUG
+ /*
+ * not the usual REF_DEBUG, but this avoids
+ * adding one more preprocessor symbol
+ */
assert(s->wbio != NULL);
#endif
}
return ret;
}
-int SSL_cache_hit(SSL *s)
+int SSL_session_reused(SSL *s)
{
return s->hit;
}
return s->options &= ~op;
}
+STACK_OF(X509) *SSL_get0_verified_chain(const SSL *s)
+{
+ return s->verified_chain;
+}
+
IMPLEMENT_OBJ_BSEARCH_GLOBAL_CMP_FN(SSL_CIPHER, SSL_CIPHER, ssl_cipher_id);