X-Git-Url: https://git.openssl.org/?p=openssl.git;a=blobdiff_plain;f=ssl%2Fssl_lib.c;h=197a37cd0d46b511ece256542fddf67bbd61b9d6;hp=f0f1264cdff5c4453764bf607107940f5900936d;hb=696178edff89f8df0382af0edbd0f723790a86cc;hpb=919ba009429b3617e975933f37a23be996a33b8d diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index f0f1264cdf..197a37cd0d 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -190,10 +190,11 @@ struct ssl_async_args { SSL *s; void *buf; int num; - int type; + enum { READFUNC, WRITEFUNC, OTHERFUNC} type; union { - int (*func1)(SSL *, void *, int); - int (*func2)(SSL *, const void *, int); + int (*func_read)(SSL *, void *, int); + int (*func_write)(SSL *, const void *, int); + int (*func_other)(SSL *); } f; }; @@ -714,6 +715,7 @@ SSL *SSL_new(SSL_CTX *ctx) s->alpn_client_proto_list_len = s->ctx->alpn_client_proto_list_len; } + s->verified_chain = NULL; s->verify_result = X509_V_OK; s->default_passwd_callback = ctx->default_passwd_callback; @@ -745,6 +747,11 @@ SSL *SSL_new(SSL_CTX *ctx) return (NULL); } +void SSL_up_ref(SSL *s) +{ + CRYPTO_add(&s->references, 1, CRYPTO_LOCK_SSL); +} + int SSL_CTX_set_session_id_context(SSL_CTX *ctx, const unsigned char *sid_ctx, unsigned int sid_ctx_len) { @@ -872,18 +879,24 @@ int SSL_dane_enable(SSL *s, const char *basedomain) return 0; } + /* + * Default SNI name. This rejects empty names, while set1_host below + * accepts them and disables host name checks. To avoid side-effects with + * invalid input, set the SNI name first. + */ + if (s->tlsext_hostname == NULL) { + if (!SSL_set_tlsext_host_name(s, basedomain)) { + SSLerr(SSL_F_SSL_DANE_ENABLE, SSL_R_ERROR_SETTING_TLSA_BASE_DOMAIN); + return -1; + } + } + /* Primary RFC6125 reference identifier */ if (!X509_VERIFY_PARAM_set1_host(s->param, basedomain, 0)) { SSLerr(SSL_F_SSL_DANE_ENABLE, SSL_R_ERROR_SETTING_TLSA_BASE_DOMAIN); return -1; } - /* Default SNI name */ - if (s->tlsext_hostname == NULL) { - if (!SSL_set_tlsext_host_name(s, basedomain)) - return -1; - } - dane->mdpth = -1; dane->pdpth = -1; dane->dctx = &s->ctx->dane; @@ -1040,6 +1053,8 @@ void SSL_free(SSL *s) sk_X509_NAME_pop_free(s->client_CA, X509_NAME_free); + sk_X509_pop_free(s->verified_chain, X509_free); + if (s->method != NULL) s->method->ssl_free(s); @@ -1458,10 +1473,15 @@ static int ssl_io_intern(void *vargs) s = args->s; buf = args->buf; num = args->num; - if (args->type == 1) - return args->f.func1(s, buf, num); - else - return args->f.func2(s, buf, num); + switch (args->type) { + case READFUNC: + return args->f.func_read(s, buf, num); + case WRITEFUNC: + return args->f.func_write(s, buf, num); + case OTHERFUNC: + return args->f.func_other(s); + } + return -1; } int SSL_read(SSL *s, void *buf, int num) @@ -1482,8 +1502,8 @@ int SSL_read(SSL *s, void *buf, int num) args.s = s; args.buf = buf; args.num = num; - args.type = 1; - args.f.func1 = s->method->ssl_read; + args.type = READFUNC; + args.f.func_read = s->method->ssl_read; return ssl_start_async_job(s, &args, ssl_io_intern); } else { @@ -1507,8 +1527,8 @@ int SSL_peek(SSL *s, void *buf, int num) args.s = s; args.buf = buf; args.num = num; - args.type = 1; - args.f.func1 = s->method->ssl_peek; + args.type = READFUNC; + args.f.func_read = s->method->ssl_peek; return ssl_start_async_job(s, &args, ssl_io_intern); } else { @@ -1535,8 +1555,8 @@ int SSL_write(SSL *s, const void *buf, int num) args.s = s; args.buf = (void *)buf; args.num = num; - args.type = 2; - args.f.func2 = s->method->ssl_write; + args.type = WRITEFUNC; + args.f.func_write = s->method->ssl_write; return ssl_start_async_job(s, &args, ssl_io_intern); } else { @@ -1558,10 +1578,19 @@ int SSL_shutdown(SSL *s) return -1; } - if (!SSL_in_init(s)) - return (s->method->ssl_shutdown(s)); - else - return (1); + if((s->mode & SSL_MODE_ASYNC) && ASYNC_get_current_job() == NULL) { + struct ssl_async_args args; + + args.s = s; + args.type = OTHERFUNC; + args.f.func_other = s->method->ssl_shutdown; + + return ssl_start_async_job(s, &args, ssl_io_intern); + } else { + return s->method->ssl_shutdown(s); + } + + return s->method->ssl_shutdown(s); } int SSL_renegotiate(SSL *s) @@ -1609,10 +1638,6 @@ long SSL_ctrl(SSL *s, int cmd, long larg, void *parg) s->msg_callback_arg = parg; return 1; - case SSL_CTRL_OPTIONS: - return (s->options |= larg); - case SSL_CTRL_CLEAR_OPTIONS: - return (s->options &= ~larg); case SSL_CTRL_MODE: return (s->mode |= larg); case SSL_CTRL_CLEAR_MODE: @@ -1759,10 +1784,6 @@ long SSL_CTX_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) return (ctx->stats.sess_timeout); case SSL_CTRL_SESS_CACHE_FULL: return (ctx->stats.sess_cache_full); - case SSL_CTRL_OPTIONS: - return (ctx->options |= larg); - case SSL_CTRL_CLEAR_OPTIONS: - return (ctx->options &= ~larg); case SSL_CTRL_MODE: return (ctx->mode |= larg); case SSL_CTRL_CLEAR_MODE: @@ -1883,7 +1904,7 @@ STACK_OF(SSL_CIPHER) *ssl_get_ciphers_by_id(SSL *s) /** The old interface to get the same thing as SSL_get_ciphers() */ const char *SSL_get_cipher_list(const SSL *s, int n) { - SSL_CIPHER *c; + const SSL_CIPHER *c; STACK_OF(SSL_CIPHER) *sk; if (s == NULL) @@ -1941,7 +1962,7 @@ char *SSL_get_shared_ciphers(const SSL *s, char *buf, int len) { char *p; STACK_OF(SSL_CIPHER) *sk; - SSL_CIPHER *c; + const SSL_CIPHER *c; int i; if ((s->session == NULL) || (s->session->ciphers == NULL) || (len < 2)) @@ -1964,7 +1985,7 @@ char *SSL_get_shared_ciphers(const SSL *s, char *buf, int len) *p = '\0'; return buf; } - strcpy(p, c->name); + memcpy(p, c->name, n + 1); p += n; *(p++) = ':'; len -= n + 1; @@ -2236,8 +2257,6 @@ static int ssl_session_cmp(const SSL_SESSION *a, const SSL_SESSION *b) * variable. The reason is that the functions aren't static, they're exposed * via ssl.h. */ -static IMPLEMENT_LHASH_HASH_FN(ssl_session, SSL_SESSION) -static IMPLEMENT_LHASH_COMP_FN(ssl_session, SSL_SESSION) SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth) { @@ -2274,7 +2293,7 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth) if ((ret->cert = ssl_cert_new()) == NULL) goto err; - ret->sessions = lh_SSL_SESSION_new(); + ret->sessions = lh_SSL_SESSION_new(ssl_session_hash, ssl_session_cmp); if (ret->sessions == NULL) goto err; ret->cert_store = X509_STORE_new(); @@ -2346,6 +2365,13 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth) * deployed might change this. */ ret->options |= SSL_OP_LEGACY_SERVER_CONNECT; + /* + * Disable compression by default to prevent CRIME. Applications can + * re-enable compression by configuring + * SSL_CTX_clear_options(ctx, SSL_OP_NO_COMPRESSION); + * or by using the SSL_CONF library. + */ + ret->options |= SSL_OP_NO_COMPRESSION; return (ret); err: @@ -2355,6 +2381,11 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth) return (NULL); } +void SSL_CTX_up_ref(SSL_CTX *ctx) +{ + CRYPTO_add(&ctx->references, 1, CRYPTO_LOCK_SSL_CTX); +} + void SSL_CTX_free(SSL_CTX *a) { int i; @@ -2504,9 +2535,8 @@ void ssl_set_masks(SSL *s, const SSL_CIPHER *cipher) mask_a = 0; #ifdef CIPHER_DEBUG - fprintf(stderr, - "dht=%d re=%d rs=%d ds=%d dhr=%d dhd=%d\n", - dh_tmp, rsa_enc, rsa_sign, dsa_sign, dh_rsa, dh_dsa); + fprintf(stderr, "dht=%d re=%d rs=%d ds=%d\n", + dh_tmp, rsa_enc, rsa_sign, dsa_sign); #endif #ifndef OPENSSL_NO_GOST @@ -3062,8 +3092,6 @@ SSL *SSL_dup(SSL *s) SSL_set_info_callback(ret, SSL_get_info_callback(s)); - ret->debug = s->debug; - /* copy app data, a little dangerous perhaps */ if (!CRYPTO_dup_ex_data(CRYPTO_EX_INDEX_SSL, &ret->ex_data, &s->ex_data)) goto err; @@ -3129,13 +3157,11 @@ SSL *SSL_dup(SSL *s) void ssl_clear_cipher_ctx(SSL *s) { if (s->enc_read_ctx != NULL) { - EVP_CIPHER_CTX_cleanup(s->enc_read_ctx); - OPENSSL_free(s->enc_read_ctx); + EVP_CIPHER_CTX_free(s->enc_read_ctx); s->enc_read_ctx = NULL; } if (s->enc_write_ctx != NULL) { - EVP_CIPHER_CTX_cleanup(s->enc_write_ctx); - OPENSSL_free(s->enc_write_ctx); + EVP_CIPHER_CTX_free(s->enc_write_ctx); s->enc_write_ctx = NULL; } #ifndef OPENSSL_NO_COMP @@ -3677,11 +3703,6 @@ int ssl_handshake_hash(SSL *s, unsigned char *out, int outlen) return ret; } -void SSL_set_debug(SSL *s, int debug) -{ - s->debug = debug; -} - int SSL_cache_hit(SSL *s) { return s->hit; @@ -3692,6 +3713,16 @@ int SSL_is_server(SSL *s) return s->server; } +#if OPENSSL_API_COMPAT < 0x10100000L +void SSL_set_debug(SSL *s, int debug) +{ + /* Old function was do-nothing anyway... */ + (void)s; + (void)debug; +} +#endif + + void SSL_set_security_level(SSL *s, int level) { s->cert->sec_level = level; @@ -3763,4 +3794,40 @@ void *SSL_CTX_get0_security_ex_data(const SSL_CTX *ctx) return ctx->cert->sec_ex; } + +/* + * Get/Set/Clear options in SSL_CTX or SSL, formerly macros, now functions that + * can return unsigned long, instead of the generic long return value from the + * control interface. + */ +unsigned long SSL_CTX_get_options(const SSL_CTX *ctx) +{ + return ctx->options; +} +unsigned long SSL_get_options(const SSL* s) +{ + return s->options; +} +unsigned long SSL_CTX_set_options(SSL_CTX *ctx, unsigned long op) +{ + return ctx->options |= op; +} +unsigned long SSL_set_options(SSL *s, unsigned long op) +{ + return s->options |= op; +} +unsigned long SSL_CTX_clear_options(SSL_CTX *ctx, unsigned long op) +{ + return ctx->options &= ~op; +} +unsigned long SSL_clear_options(SSL *s, unsigned long op) +{ + return s->options &= ~op; +} + +STACK_OF(X509) *SSL_get0_verified_chain(const SSL *s) +{ + return s->verified_chain; +} + IMPLEMENT_OBJ_BSEARCH_GLOBAL_CMP_FN(SSL_CIPHER, SSL_CIPHER, ssl_cipher_id);