SSL *s;
void *buf;
int num;
- int type;
+ enum { READFUNC, WRITEFUNC, OTHERFUNC} type;
union {
- int (*func1)(SSL *, void *, int);
- int (*func2)(SSL *, const void *, int);
+ int (*func_read)(SSL *, void *, int);
+ int (*func_write)(SSL *, const void *, int);
+ int (*func_other)(SSL *);
} f;
};
s->alpn_client_proto_list_len = s->ctx->alpn_client_proto_list_len;
}
+ s->verified_chain = NULL;
s->verify_result = X509_V_OK;
s->default_passwd_callback = ctx->default_passwd_callback;
return (NULL);
}
+void SSL_up_ref(SSL *s)
+{
+ CRYPTO_add(&s->references, 1, CRYPTO_LOCK_SSL);
+}
+
int SSL_CTX_set_session_id_context(SSL_CTX *ctx, const unsigned char *sid_ctx,
unsigned int sid_ctx_len)
{
return 0;
}
+ /*
+ * Default SNI name. This rejects empty names, while set1_host below
+ * accepts them and disables host name checks. To avoid side-effects with
+ * invalid input, set the SNI name first.
+ */
+ if (s->tlsext_hostname == NULL) {
+ if (!SSL_set_tlsext_host_name(s, basedomain)) {
+ SSLerr(SSL_F_SSL_DANE_ENABLE, SSL_R_ERROR_SETTING_TLSA_BASE_DOMAIN);
+ return -1;
+ }
+ }
+
/* Primary RFC6125 reference identifier */
if (!X509_VERIFY_PARAM_set1_host(s->param, basedomain, 0)) {
SSLerr(SSL_F_SSL_DANE_ENABLE, SSL_R_ERROR_SETTING_TLSA_BASE_DOMAIN);
return -1;
}
- /* Default SNI name */
- if (s->tlsext_hostname == NULL) {
- if (!SSL_set_tlsext_host_name(s, basedomain))
- return -1;
- }
-
dane->mdpth = -1;
dane->pdpth = -1;
dane->dctx = &s->ctx->dane;
{
struct dane_st *dane = &s->dane;
- if (!DANETLS_ENABLED(dane))
+ if (!DANETLS_ENABLED(dane) || s->verify_result != X509_V_OK)
return -1;
if (dane->mtlsa) {
if (mcert)
{
struct dane_st *dane = &s->dane;
- if (!DANETLS_ENABLED(dane))
+ if (!DANETLS_ENABLED(dane) || s->verify_result != X509_V_OK)
return -1;
if (dane->mtlsa) {
if (usage)
sk_X509_NAME_pop_free(s->client_CA, X509_NAME_free);
+ sk_X509_pop_free(s->verified_chain, X509_free);
+
if (s->method != NULL)
s->method->ssl_free(s);
s = args->s;
buf = args->buf;
num = args->num;
- if (args->type == 1)
- return args->f.func1(s, buf, num);
- else
- return args->f.func2(s, buf, num);
+ switch (args->type) {
+ case READFUNC:
+ return args->f.func_read(s, buf, num);
+ case WRITEFUNC:
+ return args->f.func_write(s, buf, num);
+ case OTHERFUNC:
+ return args->f.func_other(s);
+ }
+ return -1;
}
int SSL_read(SSL *s, void *buf, int num)
args.s = s;
args.buf = buf;
args.num = num;
- args.type = 1;
- args.f.func1 = s->method->ssl_read;
+ args.type = READFUNC;
+ args.f.func_read = s->method->ssl_read;
return ssl_start_async_job(s, &args, ssl_io_intern);
} else {
args.s = s;
args.buf = buf;
args.num = num;
- args.type = 1;
- args.f.func1 = s->method->ssl_peek;
+ args.type = READFUNC;
+ args.f.func_read = s->method->ssl_peek;
return ssl_start_async_job(s, &args, ssl_io_intern);
} else {
args.s = s;
args.buf = (void *)buf;
args.num = num;
- args.type = 2;
- args.f.func2 = s->method->ssl_write;
+ args.type = WRITEFUNC;
+ args.f.func_write = s->method->ssl_write;
return ssl_start_async_job(s, &args, ssl_io_intern);
} else {
return -1;
}
- if (!SSL_in_init(s))
- return (s->method->ssl_shutdown(s));
- else
- return (1);
+ if (!SSL_in_init(s)) {
+ if((s->mode & SSL_MODE_ASYNC) && ASYNC_get_current_job() == NULL) {
+ struct ssl_async_args args;
+
+ args.s = s;
+ args.type = OTHERFUNC;
+ args.f.func_other = s->method->ssl_shutdown;
+
+ return ssl_start_async_job(s, &args, ssl_io_intern);
+ } else {
+ return s->method->ssl_shutdown(s);
+ }
+ } else {
+ SSLerr(SSL_F_SSL_SHUTDOWN, SSL_R_SHUTDOWN_WHILE_IN_INIT);
+ return -1;
+ }
}
int SSL_renegotiate(SSL *s)
*p = '\0';
return buf;
}
- strcpy(p, c->name);
+ memcpy(p, c->name, n + 1);
p += n;
*(p++) = ':';
len -= n + 1;
* variable. The reason is that the functions aren't static, they're exposed
* via ssl.h.
*/
-static IMPLEMENT_LHASH_HASH_FN(ssl_session, SSL_SESSION)
-static IMPLEMENT_LHASH_COMP_FN(ssl_session, SSL_SESSION)
SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth)
{
return (NULL);
}
+ OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS, NULL);
+
if (FIPS_mode() && (meth->version < TLS1_VERSION)) {
SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_AT_LEAST_TLS_1_0_NEEDED_IN_FIPS_MODE);
return NULL;
if ((ret->cert = ssl_cert_new()) == NULL)
goto err;
- ret->sessions = lh_SSL_SESSION_new();
+ ret->sessions = lh_SSL_SESSION_new(ssl_session_hash, ssl_session_cmp);
if (ret->sessions == NULL)
goto err;
ret->cert_store = X509_STORE_new();
* deployed might change this.
*/
ret->options |= SSL_OP_LEGACY_SERVER_CONNECT;
+ /*
+ * Disable compression by default to prevent CRIME. Applications can
+ * re-enable compression by configuring
+ * SSL_CTX_clear_options(ctx, SSL_OP_NO_COMPRESSION);
+ * or by using the SSL_CONF library.
+ */
+ ret->options |= SSL_OP_NO_COMPRESSION;
return (ret);
err:
return (NULL);
}
+void SSL_CTX_up_ref(SSL_CTX *ctx)
+{
+ CRYPTO_add(&ctx->references, 1, CRYPTO_LOCK_SSL_CTX);
+}
+
void SSL_CTX_free(SSL_CTX *a)
{
int i;
mask_a = 0;
#ifdef CIPHER_DEBUG
- fprintf(stderr,
- "dht=%d re=%d rs=%d ds=%d dhr=%d dhd=%d\n",
- dh_tmp, rsa_enc, rsa_sign, dsa_sign, dh_rsa, dh_dsa);
+ fprintf(stderr, "dht=%d re=%d rs=%d ds=%d\n",
+ dh_tmp, rsa_enc, rsa_sign, dsa_sign);
#endif
#ifndef OPENSSL_NO_GOST
SSL_set_info_callback(ret, SSL_get_info_callback(s));
- ret->debug = s->debug;
-
/* copy app data, a little dangerous perhaps */
if (!CRYPTO_dup_ex_data(CRYPTO_EX_INDEX_SSL, &ret->ex_data, &s->ex_data))
goto err;
void ssl_clear_cipher_ctx(SSL *s)
{
if (s->enc_read_ctx != NULL) {
- EVP_CIPHER_CTX_cleanup(s->enc_read_ctx);
- OPENSSL_free(s->enc_read_ctx);
+ EVP_CIPHER_CTX_free(s->enc_read_ctx);
s->enc_read_ctx = NULL;
}
if (s->enc_write_ctx != NULL) {
- EVP_CIPHER_CTX_cleanup(s->enc_write_ctx);
- OPENSSL_free(s->enc_write_ctx);
+ EVP_CIPHER_CTX_free(s->enc_write_ctx);
s->enc_write_ctx = NULL;
}
#ifndef OPENSSL_NO_COMP
return ret;
}
-void SSL_set_debug(SSL *s, int debug)
-{
- s->debug = debug;
-}
-
-int SSL_cache_hit(SSL *s)
+int SSL_session_reused(SSL *s)
{
return s->hit;
}
return s->server;
}
+#if OPENSSL_API_COMPAT < 0x10100000L
+void SSL_set_debug(SSL *s, int debug)
+{
+ /* Old function was do-nothing anyway... */
+ (void)s;
+ (void)debug;
+}
+#endif
+
+
void SSL_set_security_level(SSL *s, int level)
{
s->cert->sec_level = level;
return s->options &= ~op;
}
+STACK_OF(X509) *SSL_get0_verified_chain(const SSL *s)
+{
+ return s->verified_chain;
+}
+
IMPLEMENT_OBJ_BSEARCH_GLOBAL_CMP_FN(SSL_CIPHER, SSL_CIPHER, ssl_cipher_id);