X-Git-Url: https://git.openssl.org/?p=openssl.git;a=blobdiff_plain;f=ssl%2Fs3_lib.c;h=706290be9bf5d89c7a7a2421625845a8d4847b59;hp=2e041d5887c2939061bf990af2a4cdf2e759e251;hb=0f00ed7720257512924a7c891336d66e1c1083fa;hpb=dbc6268f68e50b2e49d7c5b1157b4f6bcea5d6f9 diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c index 2e041d5887..706290be9b 100644 --- a/ssl/s3_lib.c +++ b/ssl/s3_lib.c @@ -12,7 +12,7 @@ #include #include #include "internal/nelem.h" -#include "ssl_locl.h" +#include "ssl_local.h" #include #include #include @@ -3317,6 +3317,9 @@ void ssl3_free(SSL *s) s->s3.tmp.pkey = NULL; #endif + ssl_evp_cipher_free(s->s3.tmp.new_sym_enc); + ssl_evp_md_free(s->s3.tmp.new_hash); + OPENSSL_free(s->s3.tmp.ctype); sk_X509_NAME_pop_free(s->s3.tmp.peer_ca_names, X509_NAME_free); OPENSSL_free(s->s3.tmp.ciphers_raw); @@ -3552,6 +3555,7 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) case SSL_CTRL_GET_CHAIN_CERTS: *(STACK_OF(X509) **)parg = s->cert->key->chain; + ret = 1; break; case SSL_CTRL_SELECT_CURRENT_CERT: @@ -3578,6 +3582,7 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) } return ssl_cert_set_current(s->cert, larg); +#if !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH) case SSL_CTRL_GET_GROUPS: { uint16_t *clist; @@ -3585,8 +3590,8 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) if (!s->session) return 0; - clist = s->session->ext.supportedgroups; - clistlen = s->session->ext.supportedgroups_len; + clist = s->ext.peer_supportedgroups; + clistlen = s->ext.peer_supportedgroups_len; if (parg) { size_t i; int *cptr = parg; @@ -3615,13 +3620,14 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) { uint16_t id = tls1_shared_group(s, larg); - if (larg != -1) { - const TLS_GROUP_INFO *ginf = tls1_group_id_lookup(id); - - return ginf == NULL ? 0 : ginf->nid; - } + if (larg != -1) + return tls1_group_id2nid(id); return id; } + case SSL_CTRL_GET_NEGOTIATED_GROUP: + ret = tls1_group_id2nid(s->s3.group_id); + break; +#endif /* !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH) */ case SSL_CTRL_SET_SIGALGS: return tls1_set_sigalgs(s->cert, parg, larg, 0); @@ -3700,13 +3706,12 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) #ifndef OPENSSL_NO_EC case SSL_CTRL_GET_EC_POINT_FORMATS: { - SSL_SESSION *sess = s->session; const unsigned char **pformat = parg; - if (sess == NULL || sess->ext.ecpointformats == NULL) + if (s->ext.peer_ecpointformats == NULL) return 0; - *pformat = sess->ext.ecpointformats; - return (int)sess->ext.ecpointformats_len; + *pformat = s->ext.peer_ecpointformats; + return (int)s->ext.peer_ecpointformats_len; } #endif @@ -3883,7 +3888,7 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) srp_password_from_info_cb; if (ctx->srp_ctx.info != NULL) OPENSSL_free(ctx->srp_ctx.info); - if ((ctx->srp_ctx.info = BUF_strdup((char *)parg)) == NULL) { + if ((ctx->srp_ctx.info = OPENSSL_strdup((char *)parg)) == NULL) { SSLerr(SSL_F_SSL3_CTX_CTRL, ERR_R_INTERNAL_ERROR); return 0; } @@ -3898,6 +3903,7 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) break; #endif +#if !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH) case SSL_CTRL_SET_GROUPS: return tls1_set_groups(&ctx->ext.supportedgroups, &ctx->ext.supportedgroups_len, @@ -3907,6 +3913,7 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) return tls1_set_groups_list(&ctx->ext.supportedgroups, &ctx->ext.supportedgroups_len, parg); +#endif /* !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH) */ case SSL_CTRL_SET_SIGALGS: return tls1_set_sigalgs(ctx->cert, parg, larg, 0); @@ -4004,12 +4011,14 @@ long ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp) (void)) ctx->ext.status_cb = (int (*)(SSL *, void *))fp; break; +# ifndef OPENSSL_NO_DEPRECATED_3_0 case SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB: ctx->ext.ticket_key_cb = (int (*)(SSL *, unsigned char *, unsigned char *, EVP_CIPHER_CTX *, HMAC_CTX *, int))fp; break; +#endif #ifndef OPENSSL_NO_SRP case SSL_CTRL_SET_SRP_VERIFY_PARAM_CB: @@ -4038,6 +4047,14 @@ long ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp) (void)) return 1; } +int SSL_CTX_set_tlsext_ticket_key_evp_cb + (SSL_CTX *ctx, int (*fp)(SSL *, unsigned char *, unsigned char *, + EVP_CIPHER_CTX *, EVP_MAC_CTX *, int)) +{ + ctx->ext.ticket_key_evp_cb = fp; + return 1; +} + const SSL_CIPHER *ssl3_get_cipher_by_id(uint32_t id) { SSL_CIPHER c; @@ -4122,7 +4139,6 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt, STACK_OF(SSL_CIPHER) *prio, *allow; int i, ii, ok, prefer_sha256 = 0; unsigned long alg_k = 0, alg_a = 0, mask_k = 0, mask_a = 0; - const EVP_MD *mdsha256 = EVP_sha256(); #ifndef OPENSSL_NO_CHACHA STACK_OF(SSL_CIPHER) *prio_chacha = NULL; #endif @@ -4296,7 +4312,12 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt, if (prefer_sha256) { const SSL_CIPHER *tmp = sk_SSL_CIPHER_value(allow, ii); - if (ssl_md(tmp->algorithm2) == mdsha256) { + /* + * TODO: When there are no more legacy digests we can just use + * OSSL_DIGEST_NAME_SHA2_256 instead of calling OBJ_nid2sn + */ + if (EVP_MD_is_a(ssl_md(s->ctx, tmp->algorithm2), + OBJ_nid2sn(NID_sha256))) { ret = tmp; break; } @@ -4566,9 +4587,9 @@ int ssl_fill_hello_random(SSL *s, int server, unsigned char *result, size_t len, unsigned char *p = result; l2n(Time, p); - ret = RAND_bytes(p, len - 4); + ret = RAND_bytes_ex(s->ctx->libctx, p, len - 4); } else { - ret = RAND_bytes(result, len); + ret = RAND_bytes_ex(s->ctx->libctx, result, len); } if (ret > 0) { @@ -4655,14 +4676,14 @@ int ssl_generate_master_secret(SSL *s, unsigned char *pms, size_t pmslen, } /* Generate a private key from parameters */ -EVP_PKEY *ssl_generate_pkey(EVP_PKEY *pm) +EVP_PKEY *ssl_generate_pkey(SSL *s, EVP_PKEY *pm) { EVP_PKEY_CTX *pctx = NULL; EVP_PKEY *pkey = NULL; if (pm == NULL) return NULL; - pctx = EVP_PKEY_CTX_new(pm, NULL); + pctx = EVP_PKEY_CTX_new_from_pkey(s->ctx->libctx, pm, s->ctx->propq); if (pctx == NULL) goto err; if (EVP_PKEY_keygen_init(pctx) <= 0) @@ -4678,6 +4699,7 @@ EVP_PKEY *ssl_generate_pkey(EVP_PKEY *pm) } /* Generate a private key from a group ID */ +#if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_EC) EVP_PKEY *ssl_generate_pkey_group(SSL *s, uint16_t id) { const TLS_GROUP_INFO *ginf = tls1_group_id_lookup(id); @@ -4694,6 +4716,11 @@ EVP_PKEY *ssl_generate_pkey_group(SSL *s, uint16_t id) goto err; } gtype = ginf->flags & TLS_GROUP_TYPE; + /* + * TODO(3.0): Convert these EVP_PKEY_CTX_new_id calls to ones that take + * s->ctx->libctx and s->ctx->propq when keygen has been updated to be + * provider aware. + */ # ifndef OPENSSL_NO_DH if (gtype == TLS_GROUP_FFDHE) pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_DH, NULL); @@ -4764,6 +4791,7 @@ EVP_PKEY *ssl_generate_pkey_group(SSL *s, uint16_t id) EVP_PKEY_CTX_free(pctx); return pkey; } +#endif /* * Generate parameters from a group ID @@ -4786,6 +4814,11 @@ EVP_PKEY *ssl_generate_param_group(uint16_t id) return NULL; } + /* + * TODO(3.0): Convert this EVP_PKEY_CTX_new_id call to one that takes + * s->ctx->libctx and s->ctx->propq when paramgen has been updated to be + * provider aware. + */ pkey_ctx_id = (ginf->flags & TLS_GROUP_FFDHE) ? EVP_PKEY_DH : EVP_PKEY_EC; pctx = EVP_PKEY_CTX_new_id(pkey_ctx_id, NULL); @@ -4832,7 +4865,7 @@ int ssl_derive(SSL *s, EVP_PKEY *privkey, EVP_PKEY *pubkey, int gensecret) return 0; } - pctx = EVP_PKEY_CTX_new(privkey, NULL); + pctx = EVP_PKEY_CTX_new_from_pkey(s->ctx->libctx, privkey, s->ctx->propq); if (EVP_PKEY_derive_init(pctx) <= 0 || EVP_PKEY_derive_set_peer(pctx, pubkey) <= 0