/*
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
* Copyright 2005 Nokia. All rights reserved.
*
#include "internal/refcount.h"
#include "internal/ktls.h"
+DEFINE_STACK_OF(X509)
+DEFINE_STACK_OF(X509_NAME)
+DEFINE_STACK_OF_CONST(SSL_CIPHER)
+DEFINE_STACK_OF(X509_EXTENSION)
+DEFINE_STACK_OF(OCSP_RESPID)
+DEFINE_STACK_OF(SRTP_PROTECTION_PROFILE)
+DEFINE_STACK_OF(SCT)
+
static int ssl_undefined_function_1(SSL *ssl, SSL3_RECORD *r, size_t s, int t)
{
(void)r;
return (s->renegotiate != 0);
}
+int SSL_new_session_ticket(SSL *s)
+{
+ if (SSL_in_init(s) || SSL_IS_FIRST_HANDSHAKE(s) || !s->server
+ || !SSL_IS_TLS13(s))
+ return 0;
+ s->ext.extra_tickets_expected++;
+ return 1;
+}
+
long SSL_ctrl(SSL *s, int cmd, long larg, void *parg)
{
long l;
if (ret->cert_store == NULL)
goto err;
#ifndef OPENSSL_NO_CT
- ret->ctlog_store = CTLOG_STORE_new();
+ ret->ctlog_store = CTLOG_STORE_new_with_libctx(libctx, propq);
if (ret->ctlog_store == NULL)
goto err;
#endif
+ /* initialize cipher/digest methods table */
+ if (!ssl_load_ciphers(ret))
+ goto err2;
+
if (!SSL_CTX_set_ciphersuites(ret, OSSL_default_ciphersuites()))
goto err;
if (ret->param == NULL)
goto err;
- if ((ret->md5 = EVP_get_digestbyname("ssl3-md5")) == NULL) {
- SSLerr(0, SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES);
- goto err2;
- }
- if ((ret->sha1 = EVP_get_digestbyname("ssl3-sha1")) == NULL) {
- SSLerr(0, SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES);
- goto err2;
- }
+ /*
+ * If these aren't available from the provider we'll get NULL returns.
+ * That's fine but will cause errors later if SSLv3 is negotiated
+ */
+ ret->md5 = ssl_evp_md_fetch(libctx, NID_md5, propq);
+ ret->sha1 = ssl_evp_md_fetch(libctx, NID_sha1, propq);
if ((ret->ca_names = sk_X509_NAME_new_null()) == NULL)
goto err;
OPENSSL_free(a->ext.alpn);
OPENSSL_secure_free(a->ext.secure);
+ ssl_evp_md_free(a->md5);
+ ssl_evp_md_free(a->sha1);
+
+ for (i = 0; i < SSL_ENC_NUM_IDX; i++)
+ ssl_evp_cipher_free(a->ssl_cipher_methods[i]);
+ for (i = 0; i < SSL_MD_NUM_IDX; i++)
+ ssl_evp_md_free(a->ssl_digest_methods[i]);
+
CRYPTO_THREAD_lock_free(a->lock);
OPENSSL_free(a->propq);
}
}
- ctx = CT_POLICY_EVAL_CTX_new();
+ ctx = CT_POLICY_EVAL_CTX_new_with_libctx(s->ctx->libctx, s->ctx->propq);
if (ctx == NULL) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_VALIDATE_CT,
ERR_R_MALLOC_FAILURE);
s->allow_early_data_cb = cb;
s->allow_early_data_cb_data = arg;
}
+
+const EVP_CIPHER *ssl_evp_cipher_fetch(OPENSSL_CTX *libctx,
+ int nid,
+ const char *properties)
+{
+ EVP_CIPHER *ciph;
+
+#ifndef OPENSSL_NO_ENGINE
+ ENGINE *eng;
+
+ /*
+ * If there is an Engine available for this cipher we use the "implicit"
+ * form to ensure we use that engine later.
+ */
+ eng = ENGINE_get_cipher_engine(nid);
+ if (eng != NULL) {
+ ENGINE_finish(eng);
+ return EVP_get_cipherbynid(nid);
+ }
+#endif
+
+ /* Otherwise we do an explicit fetch. This may fail and that could be ok */
+ ERR_set_mark();
+ ciph = EVP_CIPHER_fetch(libctx, OBJ_nid2sn(nid), properties);
+ ERR_pop_to_mark();
+ return ciph;
+}
+
+
+int ssl_evp_cipher_up_ref(const EVP_CIPHER *cipher)
+{
+ /* Don't up-ref an implicit EVP_CIPHER */
+ if (EVP_CIPHER_provider(cipher) == NULL)
+ return 1;
+
+ /*
+ * The cipher was explicitly fetched and therefore it is safe to cast
+ * away the const
+ */
+ return EVP_CIPHER_up_ref((EVP_CIPHER *)cipher);
+}
+
+void ssl_evp_cipher_free(const EVP_CIPHER *cipher)
+{
+ if (cipher == NULL)
+ return;
+
+ if (EVP_CIPHER_provider(cipher) != NULL) {
+ /*
+ * The cipher was explicitly fetched and therefore it is safe to cast
+ * away the const
+ */
+ EVP_CIPHER_free((EVP_CIPHER *)cipher);
+ }
+}
+
+const EVP_MD *ssl_evp_md_fetch(OPENSSL_CTX *libctx,
+ int nid,
+ const char *properties)
+{
+ EVP_MD *md;
+
+#ifndef OPENSSL_NO_ENGINE
+ ENGINE *eng;
+
+ /*
+ * If there is an Engine available for this digest we use the "implicit"
+ * form to ensure we use that engine later.
+ */
+ eng = ENGINE_get_digest_engine(nid);
+ if (eng != NULL) {
+ ENGINE_finish(eng);
+ return EVP_get_digestbynid(nid);
+ }
+#endif
+
+ /* Otherwise we do an explicit fetch */
+ ERR_set_mark();
+ md = EVP_MD_fetch(libctx, OBJ_nid2sn(nid), properties);
+ ERR_pop_to_mark();
+ return md;
+}
+
+int ssl_evp_md_up_ref(const EVP_MD *md)
+{
+ /* Don't up-ref an implicit EVP_MD */
+ if (EVP_MD_provider(md) == NULL)
+ return 1;
+
+ /*
+ * The digest was explicitly fetched and therefore it is safe to cast
+ * away the const
+ */
+ return EVP_MD_up_ref((EVP_MD *)md);
+}
+
+void ssl_evp_md_free(const EVP_MD *md)
+{
+ if (md == NULL)
+ return;
+
+ if (EVP_MD_provider(md) != NULL) {
+ /*
+ * The digest was explicitly fetched and therefore it is safe to cast
+ * away the const
+ */
+ EVP_MD_free((EVP_MD *)md);
+ }
+}