* https://www.openssl.org/source/license.html
*/
+/* We need to use some engine deprecated APIs */
+#define OPENSSL_SUPPRESS_DEPRECATED
+
#include <stdio.h>
#include "ssl_local.h"
#include "e_os.h"
#include <openssl/objects.h>
#include <openssl/x509v3.h>
#include <openssl/rand.h>
-#include <openssl/rand_drbg.h>
#include <openssl/ocsp.h>
#include <openssl/dh.h>
#include <openssl/engine.h>
#include "internal/refcount.h"
#include "internal/ktls.h"
-DEFINE_STACK_OF(X509)
-DEFINE_STACK_OF(X509_NAME)
-DEFINE_STACK_OF_CONST(SSL_CIPHER)
-DEFINE_STACK_OF(X509_EXTENSION)
-DEFINE_STACK_OF(OCSP_RESPID)
-DEFINE_STACK_OF(SRTP_PROTECTION_PROFILE)
-DEFINE_STACK_OF(SCT)
-
-static int ssl_undefined_function_1(SSL *ssl, SSL3_RECORD *r, size_t s, int t)
+static int ssl_undefined_function_1(SSL *ssl, SSL3_RECORD *r, size_t s, int t,
+ SSL_MAC_BUF *mac, size_t macsize)
{
- (void)r;
- (void)s;
- (void)t;
return ssl_undefined_function(ssl);
}
static int ssl_undefined_function_2(SSL *ssl, SSL3_RECORD *r, unsigned char *s,
int t)
{
- (void)r;
- (void)s;
- (void)t;
return ssl_undefined_function(ssl);
}
static int ssl_undefined_function_3(SSL *ssl, unsigned char *r,
unsigned char *s, size_t t, size_t *u)
{
- (void)r;
- (void)s;
- (void)t;
- (void)u;
return ssl_undefined_function(ssl);
}
static int ssl_undefined_function_4(SSL *ssl, int r)
{
- (void)r;
return ssl_undefined_function(ssl);
}
static size_t ssl_undefined_function_5(SSL *ssl, const char *r, size_t s,
unsigned char *t)
{
- (void)r;
- (void)s;
- (void)t;
return ssl_undefined_function(ssl);
}
static int ssl_undefined_function_6(int r)
{
- (void)r;
return ssl_undefined_function(NULL);
}
const char *t, size_t u,
const unsigned char *v, size_t w, int x)
{
- (void)r;
- (void)s;
- (void)t;
- (void)u;
- (void)v;
- (void)w;
- (void)x;
return ssl_undefined_function(ssl);
}
return 1;
}
+#if defined(__TANDEM) && defined(OPENSSL_VPROC)
+/*
+ * Define a VPROC function for HP NonStop build ssl library.
+ * This is used by platform version identification tools.
+ * Do not inline this procedure or make it static.
+ */
+# define OPENSSL_VPROC_STRING_(x) x##_SSL
+# define OPENSSL_VPROC_STRING(x) OPENSSL_VPROC_STRING_(x)
+# define OPENSSL_VPROC_FUNC OPENSSL_VPROC_STRING(OPENSSL_VPROC)
+void OPENSSL_VPROC_FUNC(void) {}
+#endif
+
+
static void clear_ciphers(SSL *s)
{
/* clear the current cipher */
return 1;
}
+#ifndef OPENSSL_NO_DEPRECATED_3_0
/** Used to change an SSL_CTXs default SSL method type */
int SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *meth)
{
}
return 1;
}
+#endif
SSL *SSL_new(SSL_CTX *ctx)
{
int SSL_set1_host(SSL *s, const char *hostname)
{
+ /* If a hostname is provided and parses as an IP address,
+ * treat it as such. */
+ if (hostname && X509_VERIFY_PARAM_set1_ip_asc(s->param, hostname) == 1)
+ return 1;
+
return X509_VERIFY_PARAM_set1_host(s->param, hostname, 0);
}
int SSL_add1_host(SSL *s, const char *hostname)
{
+ /* If a hostname is provided and parses as an IP address,
+ * treat it as such. */
+ if (hostname)
+ {
+ ASN1_OCTET_STRING *ip;
+ char *old_ip;
+
+ ip = a2i_IPADDRESS(hostname);
+ if (ip) {
+ /* We didn't want it; only to check if it *is* an IP address */
+ ASN1_OCTET_STRING_free(ip);
+
+ old_ip = X509_VERIFY_PARAM_get1_ip_asc(s->param);
+ if (old_ip)
+ {
+ OPENSSL_free(old_ip);
+ /* There can be only one IP address */
+ return 0;
+ }
+
+ return X509_VERIFY_PARAM_set1_ip_asc(s->param, hostname);
+ }
+ }
+
return X509_VERIFY_PARAM_add1_host(s->param, hostname, 0);
}
OPENSSL_free(s->ext.ocsp.resp);
OPENSSL_free(s->ext.alpn);
OPENSSL_free(s->ext.tls13_cookie);
+ if (s->clienthello != NULL)
+ OPENSSL_free(s->clienthello->pre_proc_exts);
OPENSSL_free(s->clienthello);
OPENSSL_free(s->pha_context);
EVP_MD_CTX_free(s->pha_dgst);
return RECORD_LAYER_read_pending(&s->rlayer);
}
-X509 *SSL_get_peer_certificate(const SSL *s)
+X509 *SSL_get1_peer_certificate(const SSL *s)
{
- X509 *r;
-
- if ((s == NULL) || (s->session == NULL))
- r = NULL;
- else
- r = s->session->peer;
-
- if (r == NULL)
- return r;
+ X509 *r = SSL_get0_peer_certificate(s);
- X509_up_ref(r);
+ if (r != NULL)
+ X509_up_ref(r);
return r;
}
+X509 *SSL_get0_peer_certificate(const SSL *s)
+{
+ if ((s == NULL) || (s->session == NULL))
+ return NULL;
+ else
+ return s->session->peer;
+}
+
STACK_OF(X509) *SSL_get_peer_cert_chain(const SSL *s)
{
STACK_OF(X509) *r;
}
#ifdef OPENSSL_NO_KTLS
- ERR_raise_data(ERR_LIB_SYS, ERR_R_INTERNAL_ERROR, "calling sendfile()");
+ ERR_raise_data(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR,
+ "can't call ktls_sendfile(), ktls disabled");
return -1;
#else
ret = ktls_sendfile(SSL_get_wfd(s), fd, offset, size, flags);
/* For some cases with ctx == NULL perform syntax checks */
if (ctx == NULL) {
switch (cmd) {
-#ifndef OPENSSL_NO_EC
case SSL_CTRL_SET_GROUPS_LIST:
- return tls1_set_groups_list(NULL, NULL, parg);
-#endif
+ return tls1_set_groups_list(ctx, NULL, NULL, parg);
case SSL_CTRL_SET_SIGALGS_LIST:
case SSL_CTRL_SET_CLIENT_SIGALGS_LIST:
return tls1_set_sigalgs_list(NULL, parg, 0);
* - Otherwise it returns NULL
*
* During/after the handshake (TLSv1.2 or below resumption occurred):
- * - If the session from the orignal handshake had a servername accepted
+ * - If the session from the original handshake had a servername accepted
* by the server then it will return that servername.
* - Otherwise it returns the servername set via
* SSL_set_tlsext_host_name() (or NULL if it was not called).
const unsigned char *context, size_t contextlen,
int use_context)
{
- if (s->version < TLS1_VERSION && s->version != DTLS1_BAD_VER)
+ if (s->session == NULL
+ || (s->version < TLS1_VERSION && s->version != DTLS1_BAD_VER))
return -1;
return s->method->ssl3_enc->export_keying_material(s, out, olen, label,
* via ssl.h.
*/
-SSL_CTX *SSL_CTX_new_with_libctx(OPENSSL_CTX *libctx, const char *propq,
- const SSL_METHOD *meth)
+SSL_CTX *SSL_CTX_new_ex(OPENSSL_CTX *libctx, const char *propq,
+ const SSL_METHOD *meth)
{
SSL_CTX *ret = NULL;
if (ret->cert_store == NULL)
goto err;
#ifndef OPENSSL_NO_CT
- ret->ctlog_store = CTLOG_STORE_new_with_libctx(libctx, propq);
+ ret->ctlog_store = CTLOG_STORE_new_ex(libctx, propq);
if (ret->ctlog_store == NULL)
goto err;
#endif
/* initialize cipher/digest methods table */
if (!ssl_load_ciphers(ret))
goto err2;
+ /* initialise sig algs */
+ if (!ssl_setup_sig_algs(ret))
+ goto err2;
+
+
+ if (!ssl_load_groups(ret))
+ goto err2;
if (!SSL_CTX_set_ciphersuites(ret, OSSL_default_ciphersuites()))
goto err;
SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth)
{
- return SSL_CTX_new_with_libctx(NULL, NULL, meth);
+ return SSL_CTX_new_ex(NULL, NULL, meth);
}
int SSL_CTX_up_ref(SSL_CTX *ctx)
void SSL_CTX_free(SSL_CTX *a)
{
int i;
+ size_t j;
if (a == NULL)
return;
ssl_evp_md_free(a->md5);
ssl_evp_md_free(a->sha1);
- for (i = 0; i < SSL_ENC_NUM_IDX; i++)
- ssl_evp_cipher_free(a->ssl_cipher_methods[i]);
- for (i = 0; i < SSL_MD_NUM_IDX; i++)
- ssl_evp_md_free(a->ssl_digest_methods[i]);
+ for (j = 0; j < SSL_ENC_NUM_IDX; j++)
+ ssl_evp_cipher_free(a->ssl_cipher_methods[j]);
+ for (j = 0; j < SSL_MD_NUM_IDX; j++)
+ ssl_evp_md_free(a->ssl_digest_methods[j]);
+ for (j = 0; j < a->group_list_len; j++) {
+ OPENSSL_free(a->group_list[j].tlsname);
+ OPENSSL_free(a->group_list[j].realname);
+ OPENSSL_free(a->group_list[j].algorithm);
+ }
+ OPENSSL_free(a->group_list);
+
+ OPENSSL_free(a->sigalg_lookup_cache);
CRYPTO_THREAD_lock_free(a->lock);
goto err;
ret->version = s->version;
ret->options = s->options;
+ ret->min_proto_version = s->min_proto_version;
+ ret->max_proto_version = s->max_proto_version;
ret->mode = s->mode;
SSL_set_max_cert_list(ret, SSL_get_max_cert_list(s));
SSL_set_read_ahead(ret, SSL_get_read_ahead(s));
if (!CRYPTO_dup_ex_data(CRYPTO_EX_INDEX_SSL, &ret->ex_data, &s->ex_data))
goto err;
- /* setup rbio, and wbio */
- if (s->rbio != NULL) {
- if (!BIO_dup_state(s->rbio, (char *)&ret->rbio))
- goto err;
- }
- if (s->wbio != NULL) {
- if (s->wbio != s->rbio) {
- if (!BIO_dup_state(s->wbio, (char *)&ret->wbio))
- goto err;
- } else {
- BIO_up_ref(ret->rbio);
- ret->wbio = ret->rbio;
- }
- }
-
ret->server = s->server;
if (s->handshake_func) {
if (s->server)
int SSL_CTX_set_default_verify_paths(SSL_CTX *ctx)
{
- return X509_STORE_set_default_paths(ctx->cert_store);
+ return X509_STORE_set_default_paths_ex(ctx->cert_store, ctx->libctx,
+ ctx->propq);
}
int SSL_CTX_set_default_verify_dir(SSL_CTX *ctx)
/* We ignore errors, in case the directory doesn't exist */
ERR_set_mark();
- X509_LOOKUP_load_file(lookup, NULL, X509_FILETYPE_DEFAULT);
+ X509_LOOKUP_load_file_ex(lookup, NULL, X509_FILETYPE_DEFAULT, ctx->libctx,
+ ctx->propq);
ERR_pop_to_mark();
/* We ignore errors, in case the directory doesn't exist */
ERR_set_mark();
- X509_LOOKUP_add_store(lookup, NULL);
+ X509_LOOKUP_add_store_ex(lookup, NULL, ctx->libctx, ctx->propq);
ERR_pop_to_mark();
int SSL_CTX_load_verify_file(SSL_CTX *ctx, const char *CAfile)
{
- return X509_STORE_load_file(ctx->cert_store, CAfile);
+ return X509_STORE_load_file_ex(ctx->cert_store, CAfile, ctx->libctx,
+ ctx->propq);
}
int SSL_CTX_load_verify_dir(SSL_CTX *ctx, const char *CApath)
int SSL_CTX_load_verify_store(SSL_CTX *ctx, const char *CAstore)
{
- return X509_STORE_load_store(ctx->cert_store, CAstore);
+ return X509_STORE_load_store_ex(ctx->cert_store, CAstore, ctx->libctx,
+ ctx->propq);
}
-#ifndef OPENSSL_NO_DEPRECATED_3_0
int SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile,
const char *CApath)
{
return 0;
return 1;
}
-#endif
void SSL_set_info_callback(SSL *ssl,
void (*cb) (const SSL *ssl, int type, int val))
return 1;
}
-void SSL_set_record_padding_callback(SSL *ssl,
+int SSL_set_record_padding_callback(SSL *ssl,
size_t (*cb) (SSL *ssl, int type,
size_t len, void *arg))
{
- ssl->record_padding_cb = cb;
+ BIO *b;
+
+ b = SSL_get_wbio(ssl);
+ if (b == NULL || !BIO_get_ktls_send(b)) {
+ ssl->record_padding_cb = cb;
+ return 1;
+ }
+ return 0;
}
void SSL_set_record_padding_callback_arg(SSL *ssl, void *arg)
}
}
- ctx = CT_POLICY_EVAL_CTX_new_with_libctx(s->ctx->libctx, s->ctx->propq);
+ ctx = CT_POLICY_EVAL_CTX_new_ex(s->ctx->libctx, s->ctx->propq);
if (ctx == NULL) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_VALIDATE_CT,
ERR_R_MALLOC_FAILURE);