#ifndef OPENSSL_NO_EC
OPENSSL_free(s->ext.ecpointformats);
OPENSSL_free(s->ext.peer_ecpointformats);
+#endif /* OPENSSL_NO_EC */
OPENSSL_free(s->ext.supportedgroups);
OPENSSL_free(s->ext.peer_supportedgroups);
-#endif /* OPENSSL_NO_EC */
sk_X509_EXTENSION_pop_free(s->ext.ocsp.exts, X509_EXTENSION_free);
#ifndef OPENSSL_NO_OCSP
sk_OCSP_RESPID_pop_free(s->ext.ocsp.ids, OCSP_RESPID_free);
return -1;
}
-#ifndef OPENSSL_NO_KTLS
- ret = ktls_sendfile(SSL_get_wfd(s), fd, offset, size, flags);
+#ifdef OPENSSL_NO_KTLS
+ ERR_raise_data(ERR_LIB_SYS, ERR_R_INTERNAL_ERROR, "calling sendfile()");
+ return -1;
#else
- ret = -1;
-#endif
+ ret = ktls_sendfile(SSL_get_wfd(s), fd, offset, size, flags);
if (ret < 0) {
#if defined(EAGAIN) && defined(EINTR) && defined(EBUSY)
if ((get_last_sys_error() == EAGAIN) ||
BIO_set_retry_write(s->wbio);
else
#endif
-#ifdef OPENSSL_NO_KTLS
- ERR_raise_data(ERR_LIB_SYS, get_last_sys_error(),
- "calling sendfile()");
-#else
SSLerr(SSL_F_SSL_SENDFILE, SSL_R_UNINITIALIZED);
-#endif
return ret;
}
s->rwstate = SSL_NOTHING;
return ret;
+#endif
}
int SSL_write(SSL *s, const void *buf, int num)
return buf;
}
-/** return a servername extension value if provided in Client Hello, or NULL.
- * So far, only host_name types are defined (RFC 3546).
+/**
+ * Return the requested servername (SNI) value. Note that the behaviour varies
+ * depending on:
+ * - whether this is called by the client or the server,
+ * - if we are before or during/after the handshake,
+ * - if a resumption or normal handshake is being attempted/has occurred
+ * - whether we have negotiated TLSv1.2 (or below) or TLSv1.3
+ *
+ * Note that only the host_name type is defined (RFC 3546).
*/
-
const char *SSL_get_servername(const SSL *s, const int type)
{
+ /*
+ * If we don't know if we are the client or the server yet then we assume
+ * client.
+ */
+ int server = s->handshake_func == NULL ? 0 : s->server;
if (type != TLSEXT_NAMETYPE_host_name)
return NULL;
- /*
- * SNI is not negotiated in pre-TLS-1.3 resumption flows, so fake up an
- * SNI value to return if we are resuming/resumed. N.B. that we still
- * call the relevant callbacks for such resumption flows, and callbacks
- * might error out if there is not a SNI value available.
- */
- if (s->hit)
- return s->session->ext.hostname;
+ if (server) {
+ /**
+ * Server side
+ * In TLSv1.3 on the server SNI is not associated with the session
+ * but in TLSv1.2 or below it is.
+ *
+ * Before the handshake:
+ * - return NULL
+ *
+ * During/after the handshake (TLSv1.2 or below resumption occurred):
+ * - If a servername was accepted by the server in the original
+ * handshake then it will return that servername, or NULL otherwise.
+ *
+ * During/after the handshake (TLSv1.2 or below resumption did not occur):
+ * - The function will return the servername requested by the client in
+ * this handshake or NULL if none was requested.
+ */
+ if (s->hit && !SSL_IS_TLS13(s))
+ return s->session->ext.hostname;
+ } else {
+ /**
+ * Client side
+ *
+ * Before the handshake:
+ * - If a servername has been set via a call to
+ * SSL_set_tlsext_host_name() then it will return that servername
+ * - If one has not been set, but a TLSv1.2 resumption is being
+ * attempted and the session from the original handshake had a
+ * servername accepted by the server then it will return that
+ * servername
+ * - Otherwise it returns NULL
+ *
+ * During/after the handshake (TLSv1.2 or below resumption occurred):
+ * - If the session from the orignal handshake had a servername accepted
+ * by the server then it will return that servername.
+ * - Otherwise it returns the servername set via
+ * SSL_set_tlsext_host_name() (or NULL if it was not called).
+ *
+ * During/after the handshake (TLSv1.2 or below resumption did not occur):
+ * - It will return the servername set via SSL_set_tlsext_host_name()
+ * (or NULL if it was not called).
+ */
+ if (SSL_in_before(s)) {
+ if (s->ext.hostname == NULL
+ && s->session != NULL
+ && s->session->ssl_version != TLS1_3_VERSION)
+ return s->session->ext.hostname;
+ } else {
+ if (!SSL_IS_TLS13(s) && s->hit && s->session->ext.hostname != NULL)
+ return s->session->ext.hostname;
+ }
+ }
+
return s->ext.hostname;
}
int SSL_get_servername_type(const SSL *s)
{
- if (s->session
- && (!s->ext.hostname ? s->session->
- ext.hostname : s->ext.hostname))
+ if (SSL_get_servername(s, TLSEXT_NAMETYPE_host_name) != NULL)
return TLSEXT_NAMETYPE_host_name;
return -1;
}
* via ssl.h.
*/
-SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth)
+SSL_CTX *SSL_CTX_new_with_libctx(OPENSSL_CTX *libctx, const char *propq,
+ const SSL_METHOD *meth)
{
SSL_CTX *ret = NULL;
if (meth == NULL) {
- SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_NULL_SSL_METHOD_PASSED);
+ SSLerr(0, SSL_R_NULL_SSL_METHOD_PASSED);
return NULL;
}
return NULL;
if (SSL_get_ex_data_X509_STORE_CTX_idx() < 0) {
- SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_X509_VERIFICATION_SETUP_PROBLEMS);
+ SSLerr(0, SSL_R_X509_VERIFICATION_SETUP_PROBLEMS);
goto err;
}
ret = OPENSSL_zalloc(sizeof(*ret));
if (ret == NULL)
goto err;
+ ret->libctx = libctx;
+ if (propq != NULL) {
+ ret->propq = OPENSSL_strdup(propq);
+ if (ret->propq == NULL)
+ goto err;
+ }
+
ret->method = meth;
ret->min_proto_version = 0;
ret->max_proto_version = 0;
ret->references = 1;
ret->lock = CRYPTO_THREAD_lock_new();
if (ret->lock == NULL) {
- SSLerr(SSL_F_SSL_CTX_NEW, ERR_R_MALLOC_FAILURE);
+ SSLerr(0, ERR_R_MALLOC_FAILURE);
OPENSSL_free(ret);
return NULL;
}
&ret->cipher_list, &ret->cipher_list_by_id,
OSSL_default_cipher_list(), ret->cert)
|| sk_SSL_CIPHER_num(ret->cipher_list) <= 0) {
- SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_LIBRARY_HAS_NO_CIPHERS);
+ SSLerr(0, SSL_R_LIBRARY_HAS_NO_CIPHERS);
goto err2;
}
goto err;
if ((ret->md5 = EVP_get_digestbyname("ssl3-md5")) == NULL) {
- SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES);
+ SSLerr(0, SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES);
goto err2;
}
if ((ret->sha1 = EVP_get_digestbyname("ssl3-sha1")) == NULL) {
- SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES);
+ SSLerr(0, SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES);
goto err2;
}
ret->split_send_fragment = SSL3_RT_MAX_PLAIN_LENGTH;
/* Setup RFC5077 ticket keys */
- if ((RAND_bytes(ret->ext.tick_key_name,
- sizeof(ret->ext.tick_key_name)) <= 0)
- || (RAND_priv_bytes(ret->ext.secure->tick_hmac_key,
- sizeof(ret->ext.secure->tick_hmac_key)) <= 0)
- || (RAND_priv_bytes(ret->ext.secure->tick_aes_key,
- sizeof(ret->ext.secure->tick_aes_key)) <= 0))
+ if ((RAND_bytes_ex(libctx, ret->ext.tick_key_name,
+ sizeof(ret->ext.tick_key_name)) <= 0)
+ || (RAND_priv_bytes_ex(libctx, ret->ext.secure->tick_hmac_key,
+ sizeof(ret->ext.secure->tick_hmac_key)) <= 0)
+ || (RAND_priv_bytes_ex(libctx, ret->ext.secure->tick_aes_key,
+ sizeof(ret->ext.secure->tick_aes_key)) <= 0))
ret->options |= SSL_OP_NO_TICKET;
- if (RAND_priv_bytes(ret->ext.cookie_hmac_key,
- sizeof(ret->ext.cookie_hmac_key)) <= 0)
+ if (RAND_priv_bytes_ex(libctx, ret->ext.cookie_hmac_key,
+ sizeof(ret->ext.cookie_hmac_key)) <= 0)
goto err;
#ifndef OPENSSL_NO_SRP
return ret;
err:
- SSLerr(SSL_F_SSL_CTX_NEW, ERR_R_MALLOC_FAILURE);
+ SSLerr(0, ERR_R_MALLOC_FAILURE);
err2:
SSL_CTX_free(ret);
return NULL;
}
+SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth)
+{
+ return SSL_CTX_new_with_libctx(NULL, NULL, meth);
+}
+
int SSL_CTX_up_ref(SSL_CTX *ctx)
{
int i;
#ifndef OPENSSL_NO_EC
OPENSSL_free(a->ext.ecpointformats);
- OPENSSL_free(a->ext.supportedgroups);
#endif
+ OPENSSL_free(a->ext.supportedgroups);
OPENSSL_free(a->ext.alpn);
OPENSSL_secure_free(a->ext.secure);
CRYPTO_THREAD_lock_free(a->lock);
+ OPENSSL_free(a->propq);
+
OPENSSL_free(a);
}
lookup = X509_STORE_add_lookup(ctx->cert_store, X509_LOOKUP_hash_dir());
if (lookup == NULL)
return 0;
+
+ /* We ignore errors, in case the directory doesn't exist */
+ ERR_set_mark();
+
X509_LOOKUP_add_dir(lookup, NULL, X509_FILETYPE_DEFAULT);
- /* Clear any errors if the default directory does not exist */
- ERR_clear_error();
+ ERR_pop_to_mark();
return 1;
}
if (lookup == NULL)
return 0;
+ /* We ignore errors, in case the directory doesn't exist */
+ ERR_set_mark();
+
X509_LOOKUP_load_file(lookup, NULL, X509_FILETYPE_DEFAULT);
- /* Clear any errors if the default file does not exist */
- ERR_clear_error();
+ ERR_pop_to_mark();
return 1;
}
+int SSL_CTX_set_default_verify_store(SSL_CTX *ctx)
+{
+ X509_LOOKUP *lookup;
+
+ lookup = X509_STORE_add_lookup(ctx->cert_store, X509_LOOKUP_store());
+ if (lookup == NULL)
+ return 0;
+
+ /* We ignore errors, in case the directory doesn't exist */
+ ERR_set_mark();
+
+ X509_LOOKUP_add_store(lookup, NULL);
+
+ ERR_pop_to_mark();
+
+ return 1;
+}
+
+int SSL_CTX_load_verify_file(SSL_CTX *ctx, const char *CAfile)
+{
+ return X509_STORE_load_file(ctx->cert_store, CAfile);
+}
+
+int SSL_CTX_load_verify_dir(SSL_CTX *ctx, const char *CApath)
+{
+ return X509_STORE_load_path(ctx->cert_store, CApath);
+}
+
+int SSL_CTX_load_verify_store(SSL_CTX *ctx, const char *CAstore)
+{
+ return X509_STORE_load_store(ctx->cert_store, CAstore);
+}
+
+#ifndef OPENSSL_NO_DEPRECATED_3_0
int SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile,
const char *CApath)
{
- return X509_STORE_load_locations(ctx->cert_store, CAfile, CApath);
+ if (CAfile == NULL && CApath == NULL)
+ return 0;
+ if (CAfile != NULL && !SSL_CTX_load_verify_file(ctx, CAfile))
+ return 0;
+ if (CApath != NULL && !SSL_CTX_load_verify_dir(ctx, CApath))
+ return 0;
+ return 1;
}
+#endif
void SSL_set_info_callback(SSL *ssl,
void (*cb) (const SSL *ssl, int type, int val))
return s->server;
}
-#if !OPENSSL_API_1_1_0
+#ifndef OPENSSL_NO_DEPRECATED_1_1_0
void SSL_set_debug(SSL *s, int debug)
{
/* Old function was do-nothing anyway... */