X-Git-Url: https://git.openssl.org/?p=openssl.git;a=blobdiff_plain;f=ssl%2Fssl_lib.c;h=9fb65b68258600fe6530853e180e7d8b4857389e;hp=ae157300ae71448e59d245f5aebe610618797d17;hb=a6d36303e91b79379da2e2ffaa608dba704d3eb8;hpb=cdb10bae3f773401e039c55965eb177a6f3fc160 diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index ae157300ae..9fb65b6825 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -1,16 +1,17 @@ /* - * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved * Copyright 2005 Nokia. All rights reserved. * - * Licensed under the OpenSSL license (the "License"). You may not use + * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy * in the file LICENSE in the source distribution or at * https://www.openssl.org/source/license.html */ #include -#include "ssl_locl.h" +#include "ssl_local.h" +#include "e_os.h" #include #include #include @@ -20,10 +21,18 @@ #include #include #include +#include #include "internal/cryptlib.h" #include "internal/refcount.h" +#include "internal/ktls.h" -const char SSL_version_str[] = OPENSSL_VERSION_TEXT; +DEFINE_STACK_OF(X509) +DEFINE_STACK_OF(X509_NAME) +DEFINE_STACK_OF_CONST(SSL_CIPHER) +DEFINE_STACK_OF(X509_EXTENSION) +DEFINE_STACK_OF(OCSP_RESPID) +DEFINE_STACK_OF(SRTP_PROTECTION_PROFILE) +DEFINE_STACK_OF(SCT) static int ssl_undefined_function_1(SSL *ssl, SSL3_RECORD *r, size_t s, int t) { @@ -591,6 +600,7 @@ int SSL_clear(SSL *s) s->psksession_id = NULL; s->psksession_id_len = 0; s->hello_retry_request = 0; + s->sent_tickets = 0; s->error = 0; s->hit = 0; @@ -627,6 +637,11 @@ int SSL_clear(SSL *s) /* Clear the verification result peername */ X509_VERIFY_PARAM_move_peername(s->param, NULL); + /* Clear any shared connection state */ + OPENSSL_free(s->shared_sigalgs); + s->shared_sigalgs = NULL; + s->shared_sigalgslen = 0; + /* * Check to see if we were changed into a different method, if so, revert * back. @@ -653,11 +668,15 @@ int SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *meth) ctx->method = meth; + if (!SSL_CTX_set_ciphersuites(ctx, OSSL_default_ciphersuites())) { + SSLerr(SSL_F_SSL_CTX_SET_SSL_VERSION, SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS); + return 0; + } sk = ssl_create_cipher_list(ctx->method, ctx->tls13_ciphersuites, &(ctx->cipher_list), &(ctx->cipher_list_by_id), - SSL_DEFAULT_CIPHER_LIST, ctx->cert); + OSSL_default_cipher_list(), ctx->cert); if ((sk == NULL) || (sk_SSL_CIPHER_num(sk) <= 0)) { SSLerr(SSL_F_SSL_CTX_SET_SSL_VERSION, SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS); return 0; @@ -699,6 +718,9 @@ SSL *SSL_new(SSL_CTX *ctx) s->mode = ctx->mode; s->max_cert_list = ctx->max_cert_list; s->max_early_data = ctx->max_early_data; + s->recv_max_early_data = ctx->recv_max_early_data; + s->num_tickets = ctx->num_tickets; + s->pha_enabled = ctx->pha_enabled; /* Shallow copy of the ciphersuites stack */ s->tls13_ciphersuites = sk_SSL_CIPHER_dup(ctx->tls13_ciphersuites); @@ -771,6 +793,7 @@ SSL *SSL_new(SSL_CTX *ctx) s->ext.ecpointformats_len = ctx->ext.ecpointformats_len; } +#endif if (ctx->ext.supportedgroups) { s->ext.supportedgroups = OPENSSL_memdup(ctx->ext.supportedgroups, @@ -780,7 +803,7 @@ SSL *SSL_new(SSL_CTX *ctx) goto err; s->ext.supportedgroups_len = ctx->ext.supportedgroups_len; } -#endif + #ifndef OPENSSL_NO_NEXTPROTONEG s->ext.npn = NULL; #endif @@ -803,6 +826,9 @@ SSL *SSL_new(SSL_CTX *ctx) s->key_update = SSL_KEY_UPDATE_NONE; + s->allow_early_data_cb = ctx->allow_early_data_cb; + s->allow_early_data_cb_data = ctx->allow_early_data_cb_data; + if (!s->method->ssl_new(s)) goto err; @@ -821,6 +847,9 @@ SSL *SSL_new(SSL_CTX *ctx) s->psk_find_session_cb = ctx->psk_find_session_cb; s->psk_use_session_cb = ctx->psk_use_session_cb; + s->async_cb = ctx->async_cb; + s->async_cb_arg = ctx->async_cb_arg; + s->job = NULL; #ifndef OPENSSL_NO_CT @@ -856,7 +885,7 @@ int SSL_up_ref(SSL *s) int SSL_CTX_set_session_id_context(SSL_CTX *ctx, const unsigned char *sid_ctx, unsigned int sid_ctx_len) { - if (sid_ctx_len > sizeof(ctx->sid_ctx)) { + if (sid_ctx_len > SSL_MAX_SID_CTX_LENGTH) { SSLerr(SSL_F_SSL_CTX_SET_SESSION_ID_CONTEXT, SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG); return 0; @@ -1137,11 +1166,15 @@ void SSL_free(SSL *s) dane_final(&s->dane); CRYPTO_free_ex_data(CRYPTO_EX_INDEX_SSL, s, &s->ex_data); + RECORD_LAYER_release(&s->rlayer); + /* Ignore return value */ ssl_free_wbio_buffer(s); BIO_free_all(s->wbio); + s->wbio = NULL; BIO_free_all(s->rbio); + s->rbio = NULL; BUF_MEM_free(s->init_buf); @@ -1149,6 +1182,7 @@ void SSL_free(SSL *s) sk_SSL_CIPHER_free(s->cipher_list); sk_SSL_CIPHER_free(s->cipher_list_by_id); sk_SSL_CIPHER_free(s->tls13_ciphersuites); + sk_SSL_CIPHER_free(s->peer_ciphers); /* Make the next call work :-) */ if (s->session != NULL) { @@ -1161,14 +1195,17 @@ void SSL_free(SSL *s) clear_ciphers(s); ssl_cert_free(s->cert); + OPENSSL_free(s->shared_sigalgs); /* Free up if allocated */ OPENSSL_free(s->ext.hostname); SSL_CTX_free(s->session_ctx); #ifndef OPENSSL_NO_EC OPENSSL_free(s->ext.ecpointformats); - OPENSSL_free(s->ext.supportedgroups); + OPENSSL_free(s->ext.peer_ecpointformats); #endif /* OPENSSL_NO_EC */ + OPENSSL_free(s->ext.supportedgroups); + OPENSSL_free(s->ext.peer_supportedgroups); sk_X509_EXTENSION_pop_free(s->ext.ocsp.exts, X509_EXTENSION_free); #ifndef OPENSSL_NO_OCSP sk_OCSP_RESPID_pop_free(s->ext.ocsp.ids, OCSP_RESPID_free); @@ -1185,14 +1222,13 @@ void SSL_free(SSL *s) EVP_MD_CTX_free(s->pha_dgst); sk_X509_NAME_pop_free(s->ca_names, X509_NAME_free); + sk_X509_NAME_pop_free(s->client_ca_names, X509_NAME_free); sk_X509_pop_free(s->verified_chain, X509_free); if (s->method != NULL) s->method->ssl_free(s); - RECORD_LAYER_release(&s->rlayer); - SSL_CTX_free(s->ctx); ASYNC_WAIT_CTX_free(s->waitctx); @@ -1332,6 +1368,15 @@ int SSL_set_fd(SSL *s, int fd) } BIO_set_fd(bio, fd, BIO_NOCLOSE); SSL_set_bio(s, bio, bio); +#ifndef OPENSSL_NO_KTLS + /* + * The new socket is created successfully regardless of ktls_enable. + * ktls_enable doesn't change any functionality of the socket, except + * changing the setsockopt to enable the processing of ktls_start. + * Thus, it is not a problem to call it for non-TLS sockets. + */ + ktls_enable(fd); +#endif /* OPENSSL_NO_KTLS */ ret = 1; err: return ret; @@ -1351,6 +1396,15 @@ int SSL_set_wfd(SSL *s, int fd) } BIO_set_fd(bio, fd, BIO_NOCLOSE); SSL_set0_wbio(s, bio); +#ifndef OPENSSL_NO_KTLS + /* + * The new socket is created successfully regardless of ktls_enable. + * ktls_enable doesn't change any functionality of the socket, except + * changing the setsockopt to enable the processing of ktls_start. + * Thus, it is not a problem to call it for non-TLS sockets. + */ + ktls_enable(fd); +#endif /* OPENSSL_NO_KTLS */ } else { BIO_up_ref(rbio); SSL_set0_wbio(s, rbio); @@ -1386,12 +1440,10 @@ size_t SSL_get_finished(const SSL *s, void *buf, size_t count) { size_t ret = 0; - if (s->s3 != NULL) { - ret = s->s3->tmp.finish_md_len; - if (count > ret) - count = ret; - memcpy(buf, s->s3->tmp.finish_md, count); - } + ret = s->s3.tmp.finish_md_len; + if (count > ret) + count = ret; + memcpy(buf, s->s3.tmp.finish_md, count); return ret; } @@ -1400,12 +1452,10 @@ size_t SSL_get_peer_finished(const SSL *s, void *buf, size_t count) { size_t ret = 0; - if (s->s3 != NULL) { - ret = s->s3->tmp.peer_finish_md_len; - if (count > ret) - count = ret; - memcpy(buf, s->s3->tmp.peer_finish_md, count); - } + ret = s->s3.tmp.peer_finish_md_len; + if (count > ret) + count = ret; + memcpy(buf, s->s3.tmp.peer_finish_md, count); return ret; } @@ -1621,6 +1671,40 @@ int SSL_get_changed_async_fds(SSL *s, OSSL_ASYNC_FD *addfd, size_t *numaddfds, numdelfds); } +int SSL_CTX_set_async_callback(SSL_CTX *ctx, SSL_async_callback_fn callback) +{ + ctx->async_cb = callback; + return 1; +} + +int SSL_CTX_set_async_callback_arg(SSL_CTX *ctx, void *arg) +{ + ctx->async_cb_arg = arg; + return 1; +} + +int SSL_set_async_callback(SSL *s, SSL_async_callback_fn callback) +{ + s->async_cb = callback; + return 1; +} + +int SSL_set_async_callback_arg(SSL *s, void *arg) +{ + s->async_cb_arg = arg; + return 1; +} + +int SSL_get_async_status(SSL *s, int *status) +{ + ASYNC_WAIT_CTX *ctx = s->waitctx; + + if (ctx == NULL) + return 0; + *status = ASYNC_WAIT_CTX_get_status(ctx); + return 1; +} + int SSL_accept(SSL *s) { if (s->handshake_func == NULL) { @@ -1646,6 +1730,13 @@ long SSL_get_default_timeout(const SSL *s) return s->method->get_timeout(); } +static int ssl_async_wait_ctx_cb(void *arg) +{ + SSL *s = (SSL *)arg; + + return s->async_cb(s, s->async_cb_arg); +} + static int ssl_start_async_job(SSL *s, struct ssl_async_args *args, int (*func) (void *)) { @@ -1654,6 +1745,10 @@ static int ssl_start_async_job(SSL *s, struct ssl_async_args *args, s->waitctx = ASYNC_WAIT_CTX_new(); if (s->waitctx == NULL) return -1; + if (s->async_cb != NULL + && !ASYNC_WAIT_CTX_set_callback + (s->waitctx, ssl_async_wait_ctx_cb, s)) + return -1; } switch (ASYNC_start_job(&s->job, s->waitctx, &ret, func, args, sizeof(struct ssl_async_args))) { @@ -1932,6 +2027,69 @@ int ssl_write_internal(SSL *s, const void *buf, size_t num, size_t *written) } } +ossl_ssize_t SSL_sendfile(SSL *s, int fd, off_t offset, size_t size, int flags) +{ + ossl_ssize_t ret; + + if (s->handshake_func == NULL) { + SSLerr(SSL_F_SSL_SENDFILE, SSL_R_UNINITIALIZED); + return -1; + } + + if (s->shutdown & SSL_SENT_SHUTDOWN) { + s->rwstate = SSL_NOTHING; + SSLerr(SSL_F_SSL_SENDFILE, SSL_R_PROTOCOL_IS_SHUTDOWN); + return -1; + } + + if (!BIO_get_ktls_send(s->wbio)) { + SSLerr(SSL_F_SSL_SENDFILE, SSL_R_UNINITIALIZED); + return -1; + } + + /* If we have an alert to send, lets send it */ + if (s->s3.alert_dispatch) { + ret = (ossl_ssize_t)s->method->ssl_dispatch_alert(s); + if (ret <= 0) { + /* SSLfatal() already called if appropriate */ + return ret; + } + /* if it went, fall through and send more stuff */ + } + + s->rwstate = SSL_WRITING; + if (BIO_flush(s->wbio) <= 0) { + if (!BIO_should_retry(s->wbio)) { + s->rwstate = SSL_NOTHING; + } else { +#ifdef EAGAIN + set_sys_error(EAGAIN); +#endif + } + return -1; + } + +#ifdef OPENSSL_NO_KTLS + ERR_raise_data(ERR_LIB_SYS, ERR_R_INTERNAL_ERROR, "calling sendfile()"); + return -1; +#else + ret = ktls_sendfile(SSL_get_wfd(s), fd, offset, size, flags); + if (ret < 0) { +#if defined(EAGAIN) && defined(EINTR) && defined(EBUSY) + if ((get_last_sys_error() == EAGAIN) || + (get_last_sys_error() == EINTR) || + (get_last_sys_error() == EBUSY)) + BIO_set_retry_write(s->wbio); + else +#endif + SSLerr(SSL_F_SSL_SENDFILE, SSL_R_UNINITIALIZED); + return ret; + } + s->rwstate = SSL_NOTHING; + return ret; +#endif +} + int SSL_write(SSL *s, const void *buf, int num) { int ret; @@ -2023,6 +2181,9 @@ int SSL_write_early_data(SSL *s, const void *buf, size_t num, size_t *written) /* We are a server writing to an unauthenticated client */ s->early_data_state = SSL_EARLY_DATA_UNAUTH_WRITING; ret = SSL_write_ex(s, buf, num, written); + /* The buffering BIO is still in place */ + if (ret) + (void)BIO_flush(s->wbio); s->early_data_state = early_data_state; return ret; @@ -2092,7 +2253,7 @@ int SSL_key_update(SSL *s, int updatetype) return 1; } -int SSL_get_key_update_type(SSL *s) +int SSL_get_key_update_type(const SSL *s) { return s->key_update; } @@ -2133,7 +2294,7 @@ int SSL_renegotiate_abbreviated(SSL *s) return s->method->ssl_renegotiate(s); } -int SSL_renegotiate_pending(SSL *s) +int SSL_renegotiate_pending(const SSL *s) { /* * becomes true when negotiation is requested; false again once a @@ -2142,6 +2303,15 @@ int SSL_renegotiate_pending(SSL *s) return (s->renegotiate != 0); } +int SSL_new_session_ticket(SSL *s) +{ + if (SSL_in_init(s) || SSL_IS_FIRST_HANDSHAKE(s) || !s->server + || !SSL_IS_TLS13(s)) + return 0; + s->ext.extra_tickets_expected++; + return 1; +} + long SSL_ctrl(SSL *s, int cmd, long larg, void *parg) { long l; @@ -2173,6 +2343,10 @@ long SSL_ctrl(SSL *s, int cmd, long larg, void *parg) case SSL_CTRL_SET_MAX_SEND_FRAGMENT: if (larg < 512 || larg > SSL3_RT_MAX_PLAIN_LENGTH) return 0; +#ifndef OPENSSL_NO_KTLS + if (s->wbio != NULL && BIO_get_ktls_send(s->wbio)) + return 0; +#endif /* OPENSSL_NO_KTLS */ s->max_send_fragment = larg; if (s->max_send_fragment < s->split_send_fragment) s->split_send_fragment = s->max_send_fragment; @@ -2190,10 +2364,7 @@ long SSL_ctrl(SSL *s, int cmd, long larg, void *parg) RECORD_LAYER_set_read_ahead(&s->rlayer, 1); return 1; case SSL_CTRL_GET_RI_SUPPORT: - if (s->s3) - return s->s3->send_connection_binding; - else - return 0; + return s->s3.send_connection_binding; case SSL_CTRL_CERT_FLAGS: return (s->cert->cert_flags |= larg); case SSL_CTRL_CLEAR_CERT_FLAGS: @@ -2201,10 +2372,10 @@ long SSL_ctrl(SSL *s, int cmd, long larg, void *parg) case SSL_CTRL_GET_RAW_CIPHERLIST: if (parg) { - if (s->s3->tmp.ciphers_raw == NULL) + if (s->s3.tmp.ciphers_raw == NULL) return 0; - *(unsigned char **)parg = s->s3->tmp.ciphers_raw; - return (int)s->s3->tmp.ciphers_rawlen; + *(unsigned char **)parg = s->s3.tmp.ciphers_raw; + return (int)s->s3.tmp.ciphers_rawlen; } else { return TLS_CIPHER_LEN; } @@ -2255,7 +2426,6 @@ LHASH_OF(SSL_SESSION) *SSL_CTX_sessions(SSL_CTX *ctx) long SSL_CTX_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) { long l; - int i; /* For some cases with ctx == NULL perform syntax checks */ if (ctx == NULL) { switch (cmd) { @@ -2310,40 +2480,27 @@ long SSL_CTX_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) case SSL_CTRL_SESS_NUMBER: return lh_SSL_SESSION_num_items(ctx->sessions); case SSL_CTRL_SESS_CONNECT: - return CRYPTO_atomic_read(&ctx->stats.sess_connect, &i, ctx->lock) - ? i : 0; + return tsan_load(&ctx->stats.sess_connect); case SSL_CTRL_SESS_CONNECT_GOOD: - return CRYPTO_atomic_read(&ctx->stats.sess_connect_good, &i, ctx->lock) - ? i : 0; + return tsan_load(&ctx->stats.sess_connect_good); case SSL_CTRL_SESS_CONNECT_RENEGOTIATE: - return CRYPTO_atomic_read(&ctx->stats.sess_connect_renegotiate, &i, - ctx->lock) - ? i : 0; + return tsan_load(&ctx->stats.sess_connect_renegotiate); case SSL_CTRL_SESS_ACCEPT: - return CRYPTO_atomic_read(&ctx->stats.sess_accept, &i, ctx->lock) - ? i : 0; + return tsan_load(&ctx->stats.sess_accept); case SSL_CTRL_SESS_ACCEPT_GOOD: - return CRYPTO_atomic_read(&ctx->stats.sess_accept_good, &i, ctx->lock) - ? i : 0; + return tsan_load(&ctx->stats.sess_accept_good); case SSL_CTRL_SESS_ACCEPT_RENEGOTIATE: - return CRYPTO_atomic_read(&ctx->stats.sess_accept_renegotiate, &i, - ctx->lock) - ? i : 0; + return tsan_load(&ctx->stats.sess_accept_renegotiate); case SSL_CTRL_SESS_HIT: - return CRYPTO_atomic_read(&ctx->stats.sess_hit, &i, ctx->lock) - ? i : 0; + return tsan_load(&ctx->stats.sess_hit); case SSL_CTRL_SESS_CB_HIT: - return CRYPTO_atomic_read(&ctx->stats.sess_cb_hit, &i, ctx->lock) - ? i : 0; + return tsan_load(&ctx->stats.sess_cb_hit); case SSL_CTRL_SESS_MISSES: - return CRYPTO_atomic_read(&ctx->stats.sess_miss, &i, ctx->lock) - ? i : 0; + return tsan_load(&ctx->stats.sess_miss); case SSL_CTRL_SESS_TIMEOUTS: - return CRYPTO_atomic_read(&ctx->stats.sess_timeout, &i, ctx->lock) - ? i : 0; + return tsan_load(&ctx->stats.sess_timeout); case SSL_CTRL_SESS_CACHE_FULL: - return CRYPTO_atomic_read(&ctx->stats.sess_cache_full, &i, ctx->lock) - ? i : 0; + return tsan_load(&ctx->stats.sess_cache_full); case SSL_CTRL_MODE: return (ctx->mode |= larg); case SSL_CTRL_CLEAR_MODE: @@ -2436,9 +2593,9 @@ STACK_OF(SSL_CIPHER) *SSL_get_ciphers(const SSL *s) STACK_OF(SSL_CIPHER) *SSL_get_client_ciphers(const SSL *s) { - if ((s == NULL) || (s->session == NULL) || !s->server) + if ((s == NULL) || !s->server) return NULL; - return s->session->ciphers; + return s->peer_ciphers; } STACK_OF(SSL_CIPHER) *SSL_get1_supported_ciphers(SSL *s) @@ -2507,6 +2664,26 @@ STACK_OF(SSL_CIPHER) *SSL_CTX_get_ciphers(const SSL_CTX *ctx) return NULL; } +/* + * Distinguish between ciphers controlled by set_ciphersuite() and + * set_cipher_list() when counting. + */ +static int cipher_list_tls12_num(STACK_OF(SSL_CIPHER) *sk) +{ + int i, num = 0; + const SSL_CIPHER *c; + + if (sk == NULL) + return 0; + for (i = 0; i < sk_SSL_CIPHER_num(sk); ++i) { + c = sk_SSL_CIPHER_value(sk, i); + if (c->min_tls >= TLS1_3_VERSION) + continue; + num++; + } + return num; +} + /** specify the ciphers to be used by default by the SSL_CTX */ int SSL_CTX_set_cipher_list(SSL_CTX *ctx, const char *str) { @@ -2524,7 +2701,7 @@ int SSL_CTX_set_cipher_list(SSL_CTX *ctx, const char *str) */ if (sk == NULL) return 0; - else if (sk_SSL_CIPHER_num(sk) == 0) { + else if (cipher_list_tls12_num(sk) == 0) { SSLerr(SSL_F_SSL_CTX_SET_CIPHER_LIST, SSL_R_NO_CIPHER_MATCH); return 0; } @@ -2542,128 +2719,43 @@ int SSL_set_cipher_list(SSL *s, const char *str) /* see comment in SSL_CTX_set_cipher_list */ if (sk == NULL) return 0; - else if (sk_SSL_CIPHER_num(sk) == 0) { + else if (cipher_list_tls12_num(sk) == 0) { SSLerr(SSL_F_SSL_SET_CIPHER_LIST, SSL_R_NO_CIPHER_MATCH); return 0; } return 1; } -static int ciphersuite_cb(const char *elem, int len, void *arg) -{ - STACK_OF(SSL_CIPHER) *ciphersuites = (STACK_OF(SSL_CIPHER) *)arg; - const SSL_CIPHER *cipher; - /* Arbitrary sized temp buffer for the cipher name. Should be big enough */ - char name[80]; - - if (len > (int)(sizeof(name) - 1)) { - SSLerr(SSL_F_CIPHERSUITE_CB, SSL_R_NO_CIPHER_MATCH); - return 0; - } - - memcpy(name, elem, len); - name[len] = '\0'; - - cipher = ssl3_get_cipher_by_std_name(name); - if (cipher == NULL) { - SSLerr(SSL_F_CIPHERSUITE_CB, SSL_R_NO_CIPHER_MATCH); - return 0; - } - - if (!sk_SSL_CIPHER_push(ciphersuites, cipher)) { - SSLerr(SSL_F_CIPHERSUITE_CB, ERR_R_INTERNAL_ERROR); - return 0; - } - - return 1; -} - -static int set_ciphersuites(STACK_OF(SSL_CIPHER) **currciphers, const char *str) -{ - STACK_OF(SSL_CIPHER) *newciphers = sk_SSL_CIPHER_new_null(); - - if (newciphers == NULL) - return 0; - - /* Parse the list. We explicitly allow an empty list */ - if (*str != '\0' - && !CONF_parse_list(str, ':', 1, ciphersuite_cb, newciphers)) { - sk_SSL_CIPHER_free(newciphers); - return 0; - } - sk_SSL_CIPHER_free(*currciphers); - *currciphers = newciphers; - - return 1; -} - -static int update_cipher_list(STACK_OF(SSL_CIPHER) *cipher_list, - STACK_OF(SSL_CIPHER) *tls13_ciphersuites) -{ - int i; - - /* - * Delete any existing TLSv1.3 ciphersuites. These are always first in the - * list. - */ - while (sk_SSL_CIPHER_num(cipher_list) > 0 - && sk_SSL_CIPHER_value(cipher_list, 0)->min_tls == TLS1_3_VERSION) - sk_SSL_CIPHER_delete(cipher_list, 0); - - /* Insert the new TLSv1.3 ciphersuites */ - for (i = 0; i < sk_SSL_CIPHER_num(tls13_ciphersuites); i++) - sk_SSL_CIPHER_insert(cipher_list, - sk_SSL_CIPHER_value(tls13_ciphersuites, i), i); - - return 1; -} - -int SSL_CTX_set_ciphersuites(SSL_CTX *ctx, const char *str) -{ - int ret = set_ciphersuites(&(ctx->tls13_ciphersuites), str); - - if (ret && ctx->cipher_list != NULL) { - /* We already have a cipher_list, so we need to update it */ - return update_cipher_list(ctx->cipher_list, ctx->tls13_ciphersuites); - } - - return ret; -} - -int SSL_set_ciphersuites(SSL *s, const char *str) -{ - int ret = set_ciphersuites(&(s->tls13_ciphersuites), str); - - if (ret && s->cipher_list != NULL) { - /* We already have a cipher_list, so we need to update it */ - return update_cipher_list(s->cipher_list, s->tls13_ciphersuites); - } - - return ret; -} - -char *SSL_get_shared_ciphers(const SSL *s, char *buf, int len) +char *SSL_get_shared_ciphers(const SSL *s, char *buf, int size) { char *p; - STACK_OF(SSL_CIPHER) *sk; + STACK_OF(SSL_CIPHER) *clntsk, *srvrsk; const SSL_CIPHER *c; int i; - if ((s->session == NULL) || (s->session->ciphers == NULL) || (len < 2)) + if (!s->server + || s->peer_ciphers == NULL + || size < 2) return NULL; p = buf; - sk = s->session->ciphers; + clntsk = s->peer_ciphers; + srvrsk = SSL_get_ciphers(s); + if (clntsk == NULL || srvrsk == NULL) + return NULL; - if (sk_SSL_CIPHER_num(sk) == 0) + if (sk_SSL_CIPHER_num(clntsk) == 0 || sk_SSL_CIPHER_num(srvrsk) == 0) return NULL; - for (i = 0; i < sk_SSL_CIPHER_num(sk); i++) { + for (i = 0; i < sk_SSL_CIPHER_num(clntsk); i++) { int n; - c = sk_SSL_CIPHER_value(sk, i); + c = sk_SSL_CIPHER_value(clntsk, i); + if (sk_SSL_CIPHER_find(srvrsk, c) < 0) + continue; + n = strlen(c->name); - if (n + 1 > len) { + if (n + 1 > size) { if (p != buf) --p; *p = '\0'; @@ -2672,30 +2764,91 @@ char *SSL_get_shared_ciphers(const SSL *s, char *buf, int len) strcpy(p, c->name); p += n; *(p++) = ':'; - len -= n + 1; + size -= n + 1; } p[-1] = '\0'; return buf; } -/** return a servername extension value if provided in Client Hello, or NULL. - * So far, only host_name types are defined (RFC 3546). +/** + * Return the requested servername (SNI) value. Note that the behaviour varies + * depending on: + * - whether this is called by the client or the server, + * - if we are before or during/after the handshake, + * - if a resumption or normal handshake is being attempted/has occurred + * - whether we have negotiated TLSv1.2 (or below) or TLSv1.3 + * + * Note that only the host_name type is defined (RFC 3546). */ - const char *SSL_get_servername(const SSL *s, const int type) { + /* + * If we don't know if we are the client or the server yet then we assume + * client. + */ + int server = s->handshake_func == NULL ? 0 : s->server; if (type != TLSEXT_NAMETYPE_host_name) return NULL; - return s->session && !s->ext.hostname ? - s->session->ext.hostname : s->ext.hostname; + if (server) { + /** + * Server side + * In TLSv1.3 on the server SNI is not associated with the session + * but in TLSv1.2 or below it is. + * + * Before the handshake: + * - return NULL + * + * During/after the handshake (TLSv1.2 or below resumption occurred): + * - If a servername was accepted by the server in the original + * handshake then it will return that servername, or NULL otherwise. + * + * During/after the handshake (TLSv1.2 or below resumption did not occur): + * - The function will return the servername requested by the client in + * this handshake or NULL if none was requested. + */ + if (s->hit && !SSL_IS_TLS13(s)) + return s->session->ext.hostname; + } else { + /** + * Client side + * + * Before the handshake: + * - If a servername has been set via a call to + * SSL_set_tlsext_host_name() then it will return that servername + * - If one has not been set, but a TLSv1.2 resumption is being + * attempted and the session from the original handshake had a + * servername accepted by the server then it will return that + * servername + * - Otherwise it returns NULL + * + * During/after the handshake (TLSv1.2 or below resumption occurred): + * - If the session from the orignal handshake had a servername accepted + * by the server then it will return that servername. + * - Otherwise it returns the servername set via + * SSL_set_tlsext_host_name() (or NULL if it was not called). + * + * During/after the handshake (TLSv1.2 or below resumption did not occur): + * - It will return the servername set via SSL_set_tlsext_host_name() + * (or NULL if it was not called). + */ + if (SSL_in_before(s)) { + if (s->ext.hostname == NULL + && s->session != NULL + && s->session->ssl_version != TLS1_3_VERSION) + return s->session->ext.hostname; + } else { + if (!SSL_IS_TLS13(s) && s->hit && s->session->ext.hostname != NULL) + return s->session->ext.hostname; + } + } + + return s->ext.hostname; } int SSL_get_servername_type(const SSL *s) { - if (s->session - && (!s->ext.hostname ? s->session-> - ext.hostname : s->ext.hostname)) + if (SSL_get_servername(s, TLSEXT_NAMETYPE_host_name) != NULL) return TLSEXT_NAMETYPE_host_name; return -1; } @@ -2771,7 +2924,7 @@ void SSL_get0_next_proto_negotiated(const SSL *s, const unsigned char **data, unsigned *len) { *data = s->ext.npn; - if (!*data) { + if (*data == NULL) { *len = 0; } else { *len = (unsigned int)s->ext.npn_len; @@ -2875,13 +3028,11 @@ void SSL_CTX_set_alpn_select_cb(SSL_CTX *ctx, void SSL_get0_alpn_selected(const SSL *ssl, const unsigned char **data, unsigned int *len) { - *data = NULL; - if (ssl->s3) - *data = ssl->s3->alpn_selected; + *data = ssl->s3.alpn_selected; if (*data == NULL) *len = 0; else - *len = (unsigned int)ssl->s3->alpn_selected_len; + *len = (unsigned int)ssl->s3.alpn_selected_len; } int SSL_export_keying_material(SSL *s, unsigned char *out, size_t olen, @@ -2952,12 +3103,13 @@ static int ssl_session_cmp(const SSL_SESSION *a, const SSL_SESSION *b) * via ssl.h. */ -SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth) +SSL_CTX *SSL_CTX_new_with_libctx(OPENSSL_CTX *libctx, const char *propq, + const SSL_METHOD *meth) { SSL_CTX *ret = NULL; if (meth == NULL) { - SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_NULL_SSL_METHOD_PASSED); + SSLerr(0, SSL_R_NULL_SSL_METHOD_PASSED); return NULL; } @@ -2965,16 +3117,24 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth) return NULL; if (SSL_get_ex_data_X509_STORE_CTX_idx() < 0) { - SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_X509_VERIFICATION_SETUP_PROBLEMS); + SSLerr(0, SSL_R_X509_VERIFICATION_SETUP_PROBLEMS); goto err; } ret = OPENSSL_zalloc(sizeof(*ret)); if (ret == NULL) goto err; + ret->libctx = libctx; + if (propq != NULL) { + ret->propq = OPENSSL_strdup(propq); + if (ret->propq == NULL) + goto err; + } + ret->method = meth; ret->min_proto_version = 0; ret->max_proto_version = 0; + ret->mode = SSL_MODE_AUTO_RETRY; ret->session_cache_mode = SSL_SESS_CACHE_SERVER; ret->session_cache_size = SSL_SESSION_CACHE_MAX_SIZE_DEFAULT; /* We take the system default. */ @@ -2982,7 +3142,7 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth) ret->references = 1; ret->lock = CRYPTO_THREAD_lock_new(); if (ret->lock == NULL) { - SSLerr(SSL_F_SSL_CTX_NEW, ERR_R_MALLOC_FAILURE); + SSLerr(0, ERR_R_MALLOC_FAILURE); OPENSSL_free(ret); return NULL; } @@ -2998,20 +3158,28 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth) if (ret->cert_store == NULL) goto err; #ifndef OPENSSL_NO_CT - ret->ctlog_store = CTLOG_STORE_new(); + ret->ctlog_store = CTLOG_STORE_new_with_libctx(libctx, propq); if (ret->ctlog_store == NULL) goto err; #endif - if (!SSL_CTX_set_ciphersuites(ret, TLS_DEFAULT_CIPHERSUITES)) + /* initialize cipher/digest methods table */ + if (!ssl_load_ciphers(ret)) + goto err2; + /* initialise sig algs */ + if (!ssl_setup_sig_algs(ret)) + goto err2; + + + if (!SSL_CTX_set_ciphersuites(ret, OSSL_default_ciphersuites())) goto err; if (!ssl_create_cipher_list(ret->method, ret->tls13_ciphersuites, &ret->cipher_list, &ret->cipher_list_by_id, - SSL_DEFAULT_CIPHER_LIST, ret->cert) + OSSL_default_cipher_list(), ret->cert) || sk_SSL_CIPHER_num(ret->cipher_list) <= 0) { - SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_LIBRARY_HAS_NO_CIPHERS); + SSLerr(0, SSL_R_LIBRARY_HAS_NO_CIPHERS); goto err2; } @@ -3019,18 +3187,19 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth) if (ret->param == NULL) goto err; - if ((ret->md5 = EVP_get_digestbyname("ssl3-md5")) == NULL) { - SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES); - goto err2; - } - if ((ret->sha1 = EVP_get_digestbyname("ssl3-sha1")) == NULL) { - SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES); - goto err2; - } + /* + * If these aren't available from the provider we'll get NULL returns. + * That's fine but will cause errors later if SSLv3 is negotiated + */ + ret->md5 = ssl_evp_md_fetch(libctx, NID_md5, propq); + ret->sha1 = ssl_evp_md_fetch(libctx, NID_sha1, propq); if ((ret->ca_names = sk_X509_NAME_new_null()) == NULL) goto err; + if ((ret->client_ca_names = sk_X509_NAME_new_null()) == NULL) + goto err; + if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL_CTX, ret, &ret->ex_data)) goto err; @@ -3045,16 +3214,16 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth) ret->split_send_fragment = SSL3_RT_MAX_PLAIN_LENGTH; /* Setup RFC5077 ticket keys */ - if ((RAND_bytes(ret->ext.tick_key_name, - sizeof(ret->ext.tick_key_name)) <= 0) - || (RAND_priv_bytes(ret->ext.secure->tick_hmac_key, - sizeof(ret->ext.secure->tick_hmac_key)) <= 0) - || (RAND_priv_bytes(ret->ext.secure->tick_aes_key, - sizeof(ret->ext.secure->tick_aes_key)) <= 0)) + if ((RAND_bytes_ex(libctx, ret->ext.tick_key_name, + sizeof(ret->ext.tick_key_name)) <= 0) + || (RAND_priv_bytes_ex(libctx, ret->ext.secure->tick_hmac_key, + sizeof(ret->ext.secure->tick_hmac_key)) <= 0) + || (RAND_priv_bytes_ex(libctx, ret->ext.secure->tick_aes_key, + sizeof(ret->ext.secure->tick_aes_key)) <= 0)) ret->options |= SSL_OP_NO_TICKET; - if (RAND_priv_bytes(ret->ext.cookie_hmac_key, - sizeof(ret->ext.cookie_hmac_key)) <= 0) + if (RAND_priv_bytes_ex(libctx, ret->ext.cookie_hmac_key, + sizeof(ret->ext.cookie_hmac_key)) <= 0) goto err; #ifndef OPENSSL_NO_SRP @@ -3114,16 +3283,34 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth) */ ret->max_early_data = 0; + /* + * Default recv_max_early_data is a fully loaded single record. Could be + * split across multiple records in practice. We set this differently to + * max_early_data so that, in the default case, we do not advertise any + * support for early_data, but if a client were to send us some (e.g. + * because of an old, stale ticket) then we will tolerate it and skip over + * it. + */ + ret->recv_max_early_data = SSL3_RT_MAX_PLAIN_LENGTH; + + /* By default we send two session tickets automatically in TLSv1.3 */ + ret->num_tickets = 2; + ssl_ctx_system_config(ret); return ret; err: - SSLerr(SSL_F_SSL_CTX_NEW, ERR_R_MALLOC_FAILURE); + SSLerr(0, ERR_R_MALLOC_FAILURE); err2: SSL_CTX_free(ret); return NULL; } +SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth) +{ + return SSL_CTX_new_with_libctx(NULL, NULL, meth); +} + int SSL_CTX_up_ref(SSL_CTX *ctx) { int i; @@ -3175,6 +3362,7 @@ void SSL_CTX_free(SSL_CTX *a) sk_SSL_CIPHER_free(a->tls13_ciphersuites); ssl_cert_free(a->cert); sk_X509_NAME_pop_free(a->ca_names, X509_NAME_free); + sk_X509_NAME_pop_free(a->client_ca_names, X509_NAME_free); sk_X509_pop_free(a->extra_certs, X509_free); a->comp_methods = NULL; #ifndef OPENSSL_NO_SRTP @@ -3189,13 +3377,25 @@ void SSL_CTX_free(SSL_CTX *a) #ifndef OPENSSL_NO_EC OPENSSL_free(a->ext.ecpointformats); - OPENSSL_free(a->ext.supportedgroups); #endif + OPENSSL_free(a->ext.supportedgroups); OPENSSL_free(a->ext.alpn); OPENSSL_secure_free(a->ext.secure); + ssl_evp_md_free(a->md5); + ssl_evp_md_free(a->sha1); + + for (i = 0; i < SSL_ENC_NUM_IDX; i++) + ssl_evp_cipher_free(a->ssl_cipher_methods[i]); + for (i = 0; i < SSL_MD_NUM_IDX; i++) + ssl_evp_md_free(a->ssl_digest_methods[i]); + + OPENSSL_free(a->sigalg_lookup_cache); + CRYPTO_THREAD_lock_free(a->lock); + OPENSSL_free(a->propq); + OPENSSL_free(a); } @@ -3272,7 +3472,7 @@ void SSL_set_cert_cb(SSL *s, int (*cb) (SSL *ssl, void *arg), void *arg) void ssl_set_masks(SSL *s) { CERT *c = s->cert; - uint32_t *pvalid = s->s3->tmp.valid_flags; + uint32_t *pvalid = s->s3.tmp.valid_flags; int rsa_enc, rsa_sign, dh_tmp, dsa_sign; unsigned long mask_k, mask_a; #ifndef OPENSSL_NO_EC @@ -3296,18 +3496,16 @@ void ssl_set_masks(SSL *s) mask_k = 0; mask_a = 0; -#ifdef CIPHER_DEBUG - fprintf(stderr, "dht=%d re=%d rs=%d ds=%d\n", - dh_tmp, rsa_enc, rsa_sign, dsa_sign); -#endif + OSSL_TRACE4(TLS_CIPHER, "dh_tmp=%d rsa_enc=%d rsa_sign=%d dsa_sign=%d\n", + dh_tmp, rsa_enc, rsa_sign, dsa_sign); #ifndef OPENSSL_NO_GOST if (ssl_has_cert(s, SSL_PKEY_GOST12_512)) { - mask_k |= SSL_kGOST; + mask_k |= SSL_kGOST | SSL_kGOST18; mask_a |= SSL_aGOST12; } if (ssl_has_cert(s, SSL_PKEY_GOST12_256)) { - mask_k |= SSL_kGOST; + mask_k |= SSL_kGOST | SSL_kGOST18; mask_a |= SSL_aGOST12; } if (ssl_has_cert(s, SSL_PKEY_GOST01)) { @@ -3380,15 +3578,15 @@ void ssl_set_masks(SSL *s) mask_k |= SSL_kECDHEPSK; #endif - s->s3->tmp.mask_k = mask_k; - s->s3->tmp.mask_a = mask_a; + s->s3.tmp.mask_k = mask_k; + s->s3.tmp.mask_a = mask_a; } #ifndef OPENSSL_NO_EC int ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s) { - if (s->s3->tmp.new_cipher->algorithm_auth & SSL_aECDSA) { + if (s->s3.tmp.new_cipher->algorithm_auth & SSL_aECDSA) { /* key usage, if present, must allow signing */ if (!(X509_get_key_usage(x) & X509v3_KU_DIGITAL_SIGNATURE)) { SSLerr(SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG, @@ -3404,7 +3602,7 @@ int ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s) int ssl_get_server_cert_serverinfo(SSL *s, const unsigned char **serverinfo, size_t *serverinfo_length) { - CERT_PKEY *cpk = s->s3->tmp.cert; + CERT_PKEY *cpk = s->s3.tmp.cert; *serverinfo_length = 0; if (cpk == NULL || cpk->serverinfo == NULL) @@ -3429,45 +3627,69 @@ void ssl_update_cache(SSL *s, int mode) /* * If sid_ctx_length is 0 there is no specific application context * associated with this session, so when we try to resume it and - * SSL_VERIFY_PEER is requested, we have no indication that this is - * actually a session for the proper application context, and the - * *handshake* will fail, not just the resumption attempt. - * Do not cache these sessions that are not resumable. + * SSL_VERIFY_PEER is requested to verify the client identity, we have no + * indication that this is actually a session for the proper application + * context, and the *handshake* will fail, not just the resumption attempt. + * Do not cache (on the server) these sessions that are not resumable + * (clients can set SSL_VERIFY_PEER without needing a sid_ctx set). */ - if (s->session->sid_ctx_length == 0 + if (s->server && s->session->sid_ctx_length == 0 && (s->verify_mode & SSL_VERIFY_PEER) != 0) return; i = s->session_ctx->session_cache_mode; if ((i & mode) != 0 - && (!s->hit || SSL_IS_TLS13(s)) - && ((i & SSL_SESS_CACHE_NO_INTERNAL_STORE) != 0 - || SSL_CTX_add_session(s->session_ctx, s->session)) - && s->session_ctx->new_session_cb != NULL) { - SSL_SESSION_up_ref(s->session); - if (!s->session_ctx->new_session_cb(s, s->session)) - SSL_SESSION_free(s->session); + && (!s->hit || SSL_IS_TLS13(s))) { + /* + * Add the session to the internal cache. In server side TLSv1.3 we + * normally don't do this because by default it's a full stateless ticket + * with only a dummy session id so there is no reason to cache it, + * unless: + * - we are doing early_data, in which case we cache so that we can + * detect replays + * - the application has set a remove_session_cb so needs to know about + * session timeout events + * - SSL_OP_NO_TICKET is set in which case it is a stateful ticket + */ + if ((i & SSL_SESS_CACHE_NO_INTERNAL_STORE) == 0 + && (!SSL_IS_TLS13(s) + || !s->server + || (s->max_early_data > 0 + && (s->options & SSL_OP_NO_ANTI_REPLAY) == 0) + || s->session_ctx->remove_session_cb != NULL + || (s->options & SSL_OP_NO_TICKET) != 0)) + SSL_CTX_add_session(s->session_ctx, s->session); + + /* + * Add the session to the external cache. We do this even in server side + * TLSv1.3 without early data because some applications just want to + * know about the creation of a session and aren't doing a full cache. + */ + if (s->session_ctx->new_session_cb != NULL) { + SSL_SESSION_up_ref(s->session); + if (!s->session_ctx->new_session_cb(s, s->session)) + SSL_SESSION_free(s->session); + } } /* auto flush every 255 connections */ if ((!(i & SSL_SESS_CACHE_NO_AUTO_CLEAR)) && ((i & mode) == mode)) { - int *stat, val; + TSAN_QUALIFIER int *stat; if (mode & SSL_SESS_CACHE_CLIENT) stat = &s->session_ctx->stats.sess_connect_good; else stat = &s->session_ctx->stats.sess_accept_good; - if (CRYPTO_atomic_read(stat, &val, s->session_ctx->lock) - && (val & 0xff) == 0xff) + if ((tsan_load(stat) & 0xff) == 0xff) SSL_CTX_flush_sessions(s->session_ctx, (unsigned long)time(NULL)); } } -const SSL_METHOD *SSL_CTX_get_ssl_method(SSL_CTX *ctx) +const SSL_METHOD *SSL_CTX_get_ssl_method(const SSL_CTX *ctx) { return ctx->method; } -const SSL_METHOD *SSL_get_ssl_method(SSL *s) +const SSL_METHOD *SSL_get_ssl_method(const SSL *s) { return s->method; } @@ -3572,7 +3794,7 @@ int SSL_get_error(const SSL *s, int i) return SSL_ERROR_WANT_CLIENT_HELLO_CB; if ((s->shutdown & SSL_RECEIVED_SHUTDOWN) && - (s->s3->warn_alert == SSL_AD_CLOSE_NOTIFY)) + (s->s3.warn_alert == SSL_AD_CLOSE_NOTIFY)) return SSL_ERROR_ZERO_RETURN; return SSL_ERROR_SYSCALL; @@ -3602,12 +3824,6 @@ int SSL_do_handshake(SSL *s) s->method->ssl_renegotiate_check(s, 0); - if (SSL_is_server(s)) { - /* clear SNI settings at server-side */ - OPENSSL_free(s->ext.hostname); - s->ext.hostname = NULL; - } - if (SSL_in_init(s) || SSL_in_before(s)) { if ((s->mode & SSL_MODE_ASYNC) && ASYNC_get_current_job() == NULL) { struct ssl_async_args args; @@ -3702,10 +3918,38 @@ const char *SSL_get_version(const SSL *s) return ssl_protocol_to_string(s->version); } -SSL *SSL_dup(SSL *s) +static int dup_ca_names(STACK_OF(X509_NAME) **dst, STACK_OF(X509_NAME) *src) { STACK_OF(X509_NAME) *sk; X509_NAME *xn; + int i; + + if (src == NULL) { + *dst = NULL; + return 1; + } + + if ((sk = sk_X509_NAME_new_null()) == NULL) + return 0; + for (i = 0; i < sk_X509_NAME_num(src); i++) { + xn = X509_NAME_dup(sk_X509_NAME_value(src, i)); + if (xn == NULL) { + sk_X509_NAME_pop_free(sk, X509_NAME_free); + return 0; + } + if (sk_X509_NAME_insert(sk, xn, i) == 0) { + X509_NAME_free(xn); + sk_X509_NAME_pop_free(sk, X509_NAME_free); + return 0; + } + } + *dst = sk; + + return 1; +} + +SSL *SSL_dup(SSL *s) +{ SSL *ret; int i; @@ -3810,18 +4054,10 @@ SSL *SSL_dup(SSL *s) goto err; /* Dup the client_CA list */ - if (s->ca_names != NULL) { - if ((sk = sk_X509_NAME_dup(s->ca_names)) == NULL) - goto err; - ret->ca_names = sk; - for (i = 0; i < sk_X509_NAME_num(sk); i++) { - xn = sk_X509_NAME_value(sk, i); - if (sk_X509_NAME_set(sk, i, X509_NAME_dup(xn)) == NULL) { - X509_NAME_free(xn); - goto err; - } - } - } + if (!dup_ca_names(&ret->ca_names, s->ca_names) + || !dup_ca_names(&ret->client_ca_names, s->client_ca_names)) + goto err; + return ret; err: @@ -3888,10 +4124,10 @@ const SSL_CIPHER *SSL_get_current_cipher(const SSL *s) const SSL_CIPHER *SSL_get_pending_cipher(const SSL *s) { - return s->s3->tmp.new_cipher; + return s->s3.tmp.new_cipher; } -const COMP_METHOD *SSL_get_current_compression(SSL *s) +const COMP_METHOD *SSL_get_current_compression(const SSL *s) { #ifndef OPENSSL_NO_COMP return s->compress ? COMP_CTX_get_method(s->compress) : NULL; @@ -3900,7 +4136,7 @@ const COMP_METHOD *SSL_get_current_compression(SSL *s) #endif } -const COMP_METHOD *SSL_get_current_expansion(SSL *s) +const COMP_METHOD *SSL_get_current_expansion(const SSL *s) { #ifndef OPENSSL_NO_COMP return s->expand ? COMP_CTX_get_method(s->expand) : NULL; @@ -3937,8 +4173,6 @@ int ssl_free_wbio_buffer(SSL *s) return 1; s->wbio = BIO_pop(s->wbio); - if (!ossl_assert(s->wbio != NULL)) - return 0; BIO_free(s->bbio); s->bbio = NULL; @@ -4049,10 +4283,13 @@ int SSL_CTX_set_default_verify_dir(SSL_CTX *ctx) lookup = X509_STORE_add_lookup(ctx->cert_store, X509_LOOKUP_hash_dir()); if (lookup == NULL) return 0; + + /* We ignore errors, in case the directory doesn't exist */ + ERR_set_mark(); + X509_LOOKUP_add_dir(lookup, NULL, X509_FILETYPE_DEFAULT); - /* Clear any errors if the default directory does not exist */ - ERR_clear_error(); + ERR_pop_to_mark(); return 1; } @@ -4065,18 +4302,59 @@ int SSL_CTX_set_default_verify_file(SSL_CTX *ctx) if (lookup == NULL) return 0; + /* We ignore errors, in case the directory doesn't exist */ + ERR_set_mark(); + X509_LOOKUP_load_file(lookup, NULL, X509_FILETYPE_DEFAULT); - /* Clear any errors if the default file does not exist */ - ERR_clear_error(); + ERR_pop_to_mark(); + + return 1; +} + +int SSL_CTX_set_default_verify_store(SSL_CTX *ctx) +{ + X509_LOOKUP *lookup; + + lookup = X509_STORE_add_lookup(ctx->cert_store, X509_LOOKUP_store()); + if (lookup == NULL) + return 0; + + /* We ignore errors, in case the directory doesn't exist */ + ERR_set_mark(); + + X509_LOOKUP_add_store(lookup, NULL); + + ERR_pop_to_mark(); return 1; } +int SSL_CTX_load_verify_file(SSL_CTX *ctx, const char *CAfile) +{ + return X509_STORE_load_file(ctx->cert_store, CAfile); +} + +int SSL_CTX_load_verify_dir(SSL_CTX *ctx, const char *CApath) +{ + return X509_STORE_load_path(ctx->cert_store, CApath); +} + +int SSL_CTX_load_verify_store(SSL_CTX *ctx, const char *CAstore) +{ + return X509_STORE_load_store(ctx->cert_store, CAstore); +} + int SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile, const char *CApath) { - return X509_STORE_load_locations(ctx->cert_store, CAfile, CApath); + if (CAfile == NULL && CApath == NULL) + return 0; + if (CAfile != NULL && !SSL_CTX_load_verify_file(ctx, CAfile)) + return 0; + if (CApath != NULL && !SSL_CTX_load_verify_dir(ctx, CApath)) + return 0; + return 1; } void SSL_set_info_callback(SSL *ssl, @@ -4108,20 +4386,20 @@ long SSL_get_verify_result(const SSL *ssl) size_t SSL_get_client_random(const SSL *ssl, unsigned char *out, size_t outlen) { if (outlen == 0) - return sizeof(ssl->s3->client_random); - if (outlen > sizeof(ssl->s3->client_random)) - outlen = sizeof(ssl->s3->client_random); - memcpy(out, ssl->s3->client_random, outlen); + return sizeof(ssl->s3.client_random); + if (outlen > sizeof(ssl->s3.client_random)) + outlen = sizeof(ssl->s3.client_random); + memcpy(out, ssl->s3.client_random, outlen); return outlen; } size_t SSL_get_server_random(const SSL *ssl, unsigned char *out, size_t outlen) { if (outlen == 0) - return sizeof(ssl->s3->server_random); - if (outlen > sizeof(ssl->s3->server_random)) - outlen = sizeof(ssl->s3->server_random); - memcpy(out, ssl->s3->server_random, outlen); + return sizeof(ssl->s3.server_random); + if (outlen > sizeof(ssl->s3.server_random)) + outlen = sizeof(ssl->s3.server_random); + memcpy(out, ssl->s3.server_random, outlen); return outlen; } @@ -4350,7 +4628,7 @@ void SSL_CTX_set_record_padding_callback_arg(SSL_CTX *ctx, void *arg) ctx->record_padding_arg = arg; } -void *SSL_CTX_get_record_padding_callback_arg(SSL_CTX *ctx) +void *SSL_CTX_get_record_padding_callback_arg(const SSL_CTX *ctx) { return ctx->record_padding_arg; } @@ -4367,11 +4645,18 @@ int SSL_CTX_set_block_padding(SSL_CTX *ctx, size_t block_size) return 1; } -void SSL_set_record_padding_callback(SSL *ssl, +int SSL_set_record_padding_callback(SSL *ssl, size_t (*cb) (SSL *ssl, int type, size_t len, void *arg)) { - ssl->record_padding_cb = cb; + BIO *b; + + b = SSL_get_wbio(ssl); + if (b == NULL || !BIO_get_ktls_send(b)) { + ssl->record_padding_cb = cb; + return 1; + } + return 0; } void SSL_set_record_padding_callback_arg(SSL *ssl, void *arg) @@ -4379,7 +4664,7 @@ void SSL_set_record_padding_callback_arg(SSL *ssl, void *arg) ssl->record_padding_arg = arg; } -void *SSL_get_record_padding_callback_arg(SSL *ssl) +void *SSL_get_record_padding_callback_arg(const SSL *ssl) { return ssl->record_padding_arg; } @@ -4396,6 +4681,30 @@ int SSL_set_block_padding(SSL *ssl, size_t block_size) return 1; } +int SSL_set_num_tickets(SSL *s, size_t num_tickets) +{ + s->num_tickets = num_tickets; + + return 1; +} + +size_t SSL_get_num_tickets(const SSL *s) +{ + return s->num_tickets; +} + +int SSL_CTX_set_num_tickets(SSL_CTX *ctx, size_t num_tickets) +{ + ctx->num_tickets = num_tickets; + + return 1; +} + +size_t SSL_CTX_get_num_tickets(const SSL_CTX *ctx) +{ + return ctx->num_tickets; +} + /* * Allocates new EVP_MD_CTX and sets pointer to it into given pointer * variable, freeing EVP_MD_CTX previously stored in that variable, if any. @@ -4427,7 +4736,7 @@ int ssl_handshake_hash(SSL *s, unsigned char *out, size_t outlen, size_t *hashlen) { EVP_MD_CTX *ctx = NULL; - EVP_MD_CTX *hdgst = s->s3->handshake_dgst; + EVP_MD_CTX *hdgst = s->s3.handshake_dgst; int hashleni = EVP_MD_CTX_size(hdgst); int ret = 0; @@ -4456,7 +4765,7 @@ int ssl_handshake_hash(SSL *s, unsigned char *out, size_t outlen, return ret; } -int SSL_session_reused(SSL *s) +int SSL_session_reused(const SSL *s) { return s->hit; } @@ -4466,7 +4775,7 @@ int SSL_is_server(const SSL *s) return s->server; } -#if OPENSSL_API_COMPAT < 0x10100000L +#ifndef OPENSSL_NO_DEPRECATED_1_1_0 void SSL_set_debug(SSL *s, int debug) { /* Old function was do-nothing anyway... */ @@ -4864,7 +5173,7 @@ int ssl_validate_ct(SSL *s) } } - ctx = CT_POLICY_EVAL_CTX_new(); + ctx = CT_POLICY_EVAL_CTX_new_with_libctx(s->ctx->libctx, s->ctx->propq); if (ctx == NULL) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_VALIDATE_CT, ERR_R_MALLOC_FAILURE); @@ -5048,6 +5357,11 @@ int SSL_client_hello_get1_extensions_present(SSL *s, int **out, size_t *outlen) if (ext->present) num++; } + if (num == 0) { + *out = NULL; + *outlen = 0; + return 1; + } if ((present = OPENSSL_malloc(sizeof(*present) * num)) == NULL) { SSLerr(SSL_F_SSL_CLIENT_HELLO_GET1_EXTENSIONS_PRESENT, ERR_R_MALLOC_FAILURE); @@ -5129,7 +5443,8 @@ static int nss_keylog_int(const char *prefix, size_t i; size_t prefix_len; - if (ssl->ctx->keylog_callback == NULL) return 1; + if (ssl->ctx->keylog_callback == NULL) + return 1; /* * Our output buffer will contain the following strings, rendered with @@ -5140,7 +5455,7 @@ static int nss_keylog_int(const char *prefix, * hexadecimal, so we need a buffer that is twice their lengths. */ prefix_len = strlen(prefix); - out_len = prefix_len + (2*parameter_1_len) + (2*parameter_2_len) + 3; + out_len = prefix_len + (2 * parameter_1_len) + (2 * parameter_2_len) + 3; if ((out = cursor = OPENSSL_malloc(out_len)) == NULL) { SSLfatal(ssl, SSL_AD_INTERNAL_ERROR, SSL_F_NSS_KEYLOG_INT, ERR_R_MALLOC_FAILURE); @@ -5164,7 +5479,7 @@ static int nss_keylog_int(const char *prefix, *cursor = '\0'; ssl->ctx->keylog_callback(ssl, (const char *)out); - OPENSSL_free(out); + OPENSSL_clear_free(out, out_len); return 1; } @@ -5197,7 +5512,7 @@ int ssl_log_secret(SSL *ssl, { return nss_keylog_int(label, ssl, - ssl->s3->client_random, + ssl->s3.client_random, SSL3_RANDOM_SIZE, secret, secret_len); @@ -5223,9 +5538,9 @@ int ssl_cache_cipherlist(SSL *s, PACKET *cipher_suites, int sslv2format) return 0; } - OPENSSL_free(s->s3->tmp.ciphers_raw); - s->s3->tmp.ciphers_raw = NULL; - s->s3->tmp.ciphers_rawlen = 0; + OPENSSL_free(s->s3.tmp.ciphers_raw); + s->s3.tmp.ciphers_raw = NULL; + s->s3.tmp.ciphers_rawlen = 0; if (sslv2format) { size_t numciphers = PACKET_remaining(cipher_suites) / n; @@ -5241,13 +5556,13 @@ int ssl_cache_cipherlist(SSL *s, PACKET *cipher_suites, int sslv2format) * problem. */ raw = OPENSSL_malloc(numciphers * TLS_CIPHER_LEN); - s->s3->tmp.ciphers_raw = raw; + s->s3.tmp.ciphers_raw = raw; if (raw == NULL) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_CACHE_CIPHERLIST, ERR_R_MALLOC_FAILURE); return 0; } - for (s->s3->tmp.ciphers_rawlen = 0; + for (s->s3.tmp.ciphers_rawlen = 0; PACKET_remaining(&sslv2ciphers) > 0; raw += TLS_CIPHER_LEN) { if (!PACKET_get_1(&sslv2ciphers, &leadbyte) @@ -5258,16 +5573,16 @@ int ssl_cache_cipherlist(SSL *s, PACKET *cipher_suites, int sslv2format) && !PACKET_forward(&sslv2ciphers, TLS_CIPHER_LEN))) { SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_SSL_CACHE_CIPHERLIST, SSL_R_BAD_PACKET); - OPENSSL_free(s->s3->tmp.ciphers_raw); - s->s3->tmp.ciphers_raw = NULL; - s->s3->tmp.ciphers_rawlen = 0; + OPENSSL_free(s->s3.tmp.ciphers_raw); + s->s3.tmp.ciphers_raw = NULL; + s->s3.tmp.ciphers_rawlen = 0; return 0; } if (leadbyte == 0) - s->s3->tmp.ciphers_rawlen += TLS_CIPHER_LEN; + s->s3.tmp.ciphers_rawlen += TLS_CIPHER_LEN; } - } else if (!PACKET_memdup(cipher_suites, &s->s3->tmp.ciphers_raw, - &s->s3->tmp.ciphers_rawlen)) { + } else if (!PACKET_memdup(cipher_suites, &s->s3.tmp.ciphers_raw, + &s->s3.tmp.ciphers_rawlen)) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_CACHE_CIPHERLIST, ERR_R_INTERNAL_ERROR); return 0; @@ -5401,6 +5716,30 @@ uint32_t SSL_get_max_early_data(const SSL *s) return s->max_early_data; } +int SSL_CTX_set_recv_max_early_data(SSL_CTX *ctx, uint32_t recv_max_early_data) +{ + ctx->recv_max_early_data = recv_max_early_data; + + return 1; +} + +uint32_t SSL_CTX_get_recv_max_early_data(const SSL_CTX *ctx) +{ + return ctx->recv_max_early_data; +} + +int SSL_set_recv_max_early_data(SSL *s, uint32_t recv_max_early_data) +{ + s->recv_max_early_data = recv_max_early_data; + + return 1; +} + +uint32_t SSL_get_recv_max_early_data(const SSL *s) +{ + return s->recv_max_early_data; +} + __owur unsigned int ssl_get_max_send_fragment(const SSL *ssl) { /* Return any active Max Fragment Len extension */ @@ -5436,9 +5775,9 @@ int SSL_stateless(SSL *s) ERR_clear_error(); - s->s3->flags |= TLS1_FLAGS_STATELESS; + s->s3.flags |= TLS1_FLAGS_STATELESS; ret = SSL_accept(s); - s->s3->flags &= ~TLS1_FLAGS_STATELESS; + s->s3.flags &= ~TLS1_FLAGS_STATELESS; if (ret > 0 && s->ext.cookieok) return 1; @@ -5449,9 +5788,14 @@ int SSL_stateless(SSL *s) return -1; } -void SSL_force_post_handshake_auth(SSL *ssl) +void SSL_CTX_set_post_handshake_auth(SSL_CTX *ctx, int val) { - ssl->pha_forced = 1; + ctx->pha_enabled = val; +} + +void SSL_set_post_handshake_auth(SSL *ssl, int val) +{ + ssl->pha_enabled = val; } int SSL_verify_client_post_handshake(SSL *ssl) @@ -5511,3 +5855,128 @@ int SSL_CTX_set_session_ticket_cb(SSL_CTX *ctx, ctx->ticket_cb_data = arg; return 1; } + +void SSL_CTX_set_allow_early_data_cb(SSL_CTX *ctx, + SSL_allow_early_data_cb_fn cb, + void *arg) +{ + ctx->allow_early_data_cb = cb; + ctx->allow_early_data_cb_data = arg; +} + +void SSL_set_allow_early_data_cb(SSL *s, + SSL_allow_early_data_cb_fn cb, + void *arg) +{ + s->allow_early_data_cb = cb; + s->allow_early_data_cb_data = arg; +} + +const EVP_CIPHER *ssl_evp_cipher_fetch(OPENSSL_CTX *libctx, + int nid, + const char *properties) +{ + EVP_CIPHER *ciph; + +#ifndef OPENSSL_NO_ENGINE + ENGINE *eng; + + /* + * If there is an Engine available for this cipher we use the "implicit" + * form to ensure we use that engine later. + */ + eng = ENGINE_get_cipher_engine(nid); + if (eng != NULL) { + ENGINE_finish(eng); + return EVP_get_cipherbynid(nid); + } +#endif + + /* Otherwise we do an explicit fetch. This may fail and that could be ok */ + ERR_set_mark(); + ciph = EVP_CIPHER_fetch(libctx, OBJ_nid2sn(nid), properties); + ERR_pop_to_mark(); + return ciph; +} + + +int ssl_evp_cipher_up_ref(const EVP_CIPHER *cipher) +{ + /* Don't up-ref an implicit EVP_CIPHER */ + if (EVP_CIPHER_provider(cipher) == NULL) + return 1; + + /* + * The cipher was explicitly fetched and therefore it is safe to cast + * away the const + */ + return EVP_CIPHER_up_ref((EVP_CIPHER *)cipher); +} + +void ssl_evp_cipher_free(const EVP_CIPHER *cipher) +{ + if (cipher == NULL) + return; + + if (EVP_CIPHER_provider(cipher) != NULL) { + /* + * The cipher was explicitly fetched and therefore it is safe to cast + * away the const + */ + EVP_CIPHER_free((EVP_CIPHER *)cipher); + } +} + +const EVP_MD *ssl_evp_md_fetch(OPENSSL_CTX *libctx, + int nid, + const char *properties) +{ + EVP_MD *md; + +#ifndef OPENSSL_NO_ENGINE + ENGINE *eng; + + /* + * If there is an Engine available for this digest we use the "implicit" + * form to ensure we use that engine later. + */ + eng = ENGINE_get_digest_engine(nid); + if (eng != NULL) { + ENGINE_finish(eng); + return EVP_get_digestbynid(nid); + } +#endif + + /* Otherwise we do an explicit fetch */ + ERR_set_mark(); + md = EVP_MD_fetch(libctx, OBJ_nid2sn(nid), properties); + ERR_pop_to_mark(); + return md; +} + +int ssl_evp_md_up_ref(const EVP_MD *md) +{ + /* Don't up-ref an implicit EVP_MD */ + if (EVP_MD_provider(md) == NULL) + return 1; + + /* + * The digest was explicitly fetched and therefore it is safe to cast + * away the const + */ + return EVP_MD_up_ref((EVP_MD *)md); +} + +void ssl_evp_md_free(const EVP_MD *md) +{ + if (md == NULL) + return; + + if (EVP_MD_provider(md) != NULL) { + /* + * The digest was explicitly fetched and therefore it is safe to cast + * away the const + */ + EVP_MD_free((EVP_MD *)md); + } +}