1*de0e0e4dSAntonio Huete Jimenez /* $OpenBSD: ssl_lib.c,v 1.305 2022/09/10 15:29:33 jsing Exp $ */
2f5b1c8a1SJohn Marino /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3f5b1c8a1SJohn Marino * All rights reserved.
4f5b1c8a1SJohn Marino *
5f5b1c8a1SJohn Marino * This package is an SSL implementation written
6f5b1c8a1SJohn Marino * by Eric Young (eay@cryptsoft.com).
7f5b1c8a1SJohn Marino * The implementation was written so as to conform with Netscapes SSL.
8f5b1c8a1SJohn Marino *
9f5b1c8a1SJohn Marino * This library is free for commercial and non-commercial use as long as
10f5b1c8a1SJohn Marino * the following conditions are aheared to. The following conditions
11f5b1c8a1SJohn Marino * apply to all code found in this distribution, be it the RC4, RSA,
12f5b1c8a1SJohn Marino * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13f5b1c8a1SJohn Marino * included with this distribution is covered by the same copyright terms
14f5b1c8a1SJohn Marino * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15f5b1c8a1SJohn Marino *
16f5b1c8a1SJohn Marino * Copyright remains Eric Young's, and as such any Copyright notices in
17f5b1c8a1SJohn Marino * the code are not to be removed.
18f5b1c8a1SJohn Marino * If this package is used in a product, Eric Young should be given attribution
19f5b1c8a1SJohn Marino * as the author of the parts of the library used.
20f5b1c8a1SJohn Marino * This can be in the form of a textual message at program startup or
21f5b1c8a1SJohn Marino * in documentation (online or textual) provided with the package.
22f5b1c8a1SJohn Marino *
23f5b1c8a1SJohn Marino * Redistribution and use in source and binary forms, with or without
24f5b1c8a1SJohn Marino * modification, are permitted provided that the following conditions
25f5b1c8a1SJohn Marino * are met:
26f5b1c8a1SJohn Marino * 1. Redistributions of source code must retain the copyright
27f5b1c8a1SJohn Marino * notice, this list of conditions and the following disclaimer.
28f5b1c8a1SJohn Marino * 2. Redistributions in binary form must reproduce the above copyright
29f5b1c8a1SJohn Marino * notice, this list of conditions and the following disclaimer in the
30f5b1c8a1SJohn Marino * documentation and/or other materials provided with the distribution.
31f5b1c8a1SJohn Marino * 3. All advertising materials mentioning features or use of this software
32f5b1c8a1SJohn Marino * must display the following acknowledgement:
33f5b1c8a1SJohn Marino * "This product includes cryptographic software written by
34f5b1c8a1SJohn Marino * Eric Young (eay@cryptsoft.com)"
35f5b1c8a1SJohn Marino * The word 'cryptographic' can be left out if the rouines from the library
36f5b1c8a1SJohn Marino * being used are not cryptographic related :-).
37f5b1c8a1SJohn Marino * 4. If you include any Windows specific code (or a derivative thereof) from
38f5b1c8a1SJohn Marino * the apps directory (application code) you must include an acknowledgement:
39f5b1c8a1SJohn Marino * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40f5b1c8a1SJohn Marino *
41f5b1c8a1SJohn Marino * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42f5b1c8a1SJohn Marino * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43f5b1c8a1SJohn Marino * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44f5b1c8a1SJohn Marino * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45f5b1c8a1SJohn Marino * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46f5b1c8a1SJohn Marino * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47f5b1c8a1SJohn Marino * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48f5b1c8a1SJohn Marino * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49f5b1c8a1SJohn Marino * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50f5b1c8a1SJohn Marino * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51f5b1c8a1SJohn Marino * SUCH DAMAGE.
52f5b1c8a1SJohn Marino *
53f5b1c8a1SJohn Marino * The licence and distribution terms for any publically available version or
54f5b1c8a1SJohn Marino * derivative of this code cannot be changed. i.e. this code cannot simply be
55f5b1c8a1SJohn Marino * copied and put under another distribution licence
56f5b1c8a1SJohn Marino * [including the GNU Public Licence.]
57f5b1c8a1SJohn Marino */
58f5b1c8a1SJohn Marino /* ====================================================================
59f5b1c8a1SJohn Marino * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
60f5b1c8a1SJohn Marino *
61f5b1c8a1SJohn Marino * Redistribution and use in source and binary forms, with or without
62f5b1c8a1SJohn Marino * modification, are permitted provided that the following conditions
63f5b1c8a1SJohn Marino * are met:
64f5b1c8a1SJohn Marino *
65f5b1c8a1SJohn Marino * 1. Redistributions of source code must retain the above copyright
66f5b1c8a1SJohn Marino * notice, this list of conditions and the following disclaimer.
67f5b1c8a1SJohn Marino *
68f5b1c8a1SJohn Marino * 2. Redistributions in binary form must reproduce the above copyright
69f5b1c8a1SJohn Marino * notice, this list of conditions and the following disclaimer in
70f5b1c8a1SJohn Marino * the documentation and/or other materials provided with the
71f5b1c8a1SJohn Marino * distribution.
72f5b1c8a1SJohn Marino *
73f5b1c8a1SJohn Marino * 3. All advertising materials mentioning features or use of this
74f5b1c8a1SJohn Marino * software must display the following acknowledgment:
75f5b1c8a1SJohn Marino * "This product includes software developed by the OpenSSL Project
76f5b1c8a1SJohn Marino * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77f5b1c8a1SJohn Marino *
78f5b1c8a1SJohn Marino * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79f5b1c8a1SJohn Marino * endorse or promote products derived from this software without
80f5b1c8a1SJohn Marino * prior written permission. For written permission, please contact
81f5b1c8a1SJohn Marino * openssl-core@openssl.org.
82f5b1c8a1SJohn Marino *
83f5b1c8a1SJohn Marino * 5. Products derived from this software may not be called "OpenSSL"
84f5b1c8a1SJohn Marino * nor may "OpenSSL" appear in their names without prior written
85f5b1c8a1SJohn Marino * permission of the OpenSSL Project.
86f5b1c8a1SJohn Marino *
87f5b1c8a1SJohn Marino * 6. Redistributions of any form whatsoever must retain the following
88f5b1c8a1SJohn Marino * acknowledgment:
89f5b1c8a1SJohn Marino * "This product includes software developed by the OpenSSL Project
90f5b1c8a1SJohn Marino * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91f5b1c8a1SJohn Marino *
92f5b1c8a1SJohn Marino * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93f5b1c8a1SJohn Marino * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94f5b1c8a1SJohn Marino * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95f5b1c8a1SJohn Marino * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96f5b1c8a1SJohn Marino * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97f5b1c8a1SJohn Marino * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98f5b1c8a1SJohn Marino * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99f5b1c8a1SJohn Marino * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100f5b1c8a1SJohn Marino * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101f5b1c8a1SJohn Marino * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102f5b1c8a1SJohn Marino * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103f5b1c8a1SJohn Marino * OF THE POSSIBILITY OF SUCH DAMAGE.
104f5b1c8a1SJohn Marino * ====================================================================
105f5b1c8a1SJohn Marino *
106f5b1c8a1SJohn Marino * This product includes cryptographic software written by Eric Young
107f5b1c8a1SJohn Marino * (eay@cryptsoft.com). This product includes software written by Tim
108f5b1c8a1SJohn Marino * Hudson (tjh@cryptsoft.com).
109f5b1c8a1SJohn Marino *
110f5b1c8a1SJohn Marino */
111f5b1c8a1SJohn Marino /* ====================================================================
112f5b1c8a1SJohn Marino * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
113f5b1c8a1SJohn Marino * ECC cipher suite support in OpenSSL originally developed by
114f5b1c8a1SJohn Marino * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
115f5b1c8a1SJohn Marino */
116f5b1c8a1SJohn Marino /* ====================================================================
117f5b1c8a1SJohn Marino * Copyright 2005 Nokia. All rights reserved.
118f5b1c8a1SJohn Marino *
119f5b1c8a1SJohn Marino * The portions of the attached software ("Contribution") is developed by
120f5b1c8a1SJohn Marino * Nokia Corporation and is licensed pursuant to the OpenSSL open source
121f5b1c8a1SJohn Marino * license.
122f5b1c8a1SJohn Marino *
123f5b1c8a1SJohn Marino * The Contribution, originally written by Mika Kousa and Pasi Eronen of
124f5b1c8a1SJohn Marino * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
125f5b1c8a1SJohn Marino * support (see RFC 4279) to OpenSSL.
126f5b1c8a1SJohn Marino *
127f5b1c8a1SJohn Marino * No patent licenses or other rights except those expressly stated in
128f5b1c8a1SJohn Marino * the OpenSSL open source license shall be deemed granted or received
129f5b1c8a1SJohn Marino * expressly, by implication, estoppel, or otherwise.
130f5b1c8a1SJohn Marino *
131f5b1c8a1SJohn Marino * No assurances are provided by Nokia that the Contribution does not
132f5b1c8a1SJohn Marino * infringe the patent or other intellectual property rights of any third
133f5b1c8a1SJohn Marino * party or that the license provides you with all the necessary rights
134f5b1c8a1SJohn Marino * to make use of the Contribution.
135f5b1c8a1SJohn Marino *
136f5b1c8a1SJohn Marino * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
137f5b1c8a1SJohn Marino * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
138f5b1c8a1SJohn Marino * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
139f5b1c8a1SJohn Marino * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
140f5b1c8a1SJohn Marino * OTHERWISE.
141f5b1c8a1SJohn Marino */
142f5b1c8a1SJohn Marino
143cca6fc52SDaniel Fojt #include <arpa/inet.h>
144cca6fc52SDaniel Fojt #include <sys/socket.h>
145cca6fc52SDaniel Fojt #include <netinet/in.h>
146cca6fc52SDaniel Fojt
147*de0e0e4dSAntonio Huete Jimenez #include <limits.h>
148f5b1c8a1SJohn Marino #include <stdio.h>
149f5b1c8a1SJohn Marino
150f5b1c8a1SJohn Marino #include <openssl/dh.h>
151f5b1c8a1SJohn Marino #include <openssl/lhash.h>
152f5b1c8a1SJohn Marino #include <openssl/objects.h>
153f5b1c8a1SJohn Marino #include <openssl/ocsp.h>
154*de0e0e4dSAntonio Huete Jimenez #include <openssl/opensslconf.h>
155f5b1c8a1SJohn Marino #include <openssl/x509v3.h>
156f5b1c8a1SJohn Marino
157f5b1c8a1SJohn Marino #ifndef OPENSSL_NO_ENGINE
158f5b1c8a1SJohn Marino #include <openssl/engine.h>
159f5b1c8a1SJohn Marino #endif
160f5b1c8a1SJohn Marino
161f5b1c8a1SJohn Marino #include "bytestring.h"
162*de0e0e4dSAntonio Huete Jimenez #include "dtls_locl.h"
163*de0e0e4dSAntonio Huete Jimenez #include "ssl_locl.h"
16472c33676SMaxim Ag #include "ssl_sigalgs.h"
165*de0e0e4dSAntonio Huete Jimenez #include "ssl_tlsext.h"
166f5b1c8a1SJohn Marino
167f5b1c8a1SJohn Marino const char *SSL_version_str = OPENSSL_VERSION_TEXT;
168f5b1c8a1SJohn Marino
169f5b1c8a1SJohn Marino int
SSL_clear(SSL * s)170f5b1c8a1SJohn Marino SSL_clear(SSL *s)
171f5b1c8a1SJohn Marino {
172f5b1c8a1SJohn Marino if (s->method == NULL) {
17372c33676SMaxim Ag SSLerror(s, SSL_R_NO_METHOD_SPECIFIED);
174f5b1c8a1SJohn Marino return (0);
175f5b1c8a1SJohn Marino }
176f5b1c8a1SJohn Marino
177f5b1c8a1SJohn Marino if (ssl_clear_bad_session(s)) {
178f5b1c8a1SJohn Marino SSL_SESSION_free(s->session);
179f5b1c8a1SJohn Marino s->session = NULL;
180f5b1c8a1SJohn Marino }
181f5b1c8a1SJohn Marino
182f5b1c8a1SJohn Marino s->error = 0;
18372c33676SMaxim Ag s->internal->hit = 0;
18472c33676SMaxim Ag s->internal->shutdown = 0;
185f5b1c8a1SJohn Marino
18672c33676SMaxim Ag if (s->internal->renegotiate) {
18772c33676SMaxim Ag SSLerror(s, ERR_R_INTERNAL_ERROR);
188f5b1c8a1SJohn Marino return (0);
189f5b1c8a1SJohn Marino }
190f5b1c8a1SJohn Marino
191*de0e0e4dSAntonio Huete Jimenez s->version = s->method->version;
192f5b1c8a1SJohn Marino s->client_version = s->version;
19372c33676SMaxim Ag s->internal->rwstate = SSL_NOTHING;
19472c33676SMaxim Ag s->internal->rstate = SSL_ST_READ_HEADER;
195f5b1c8a1SJohn Marino
196cca6fc52SDaniel Fojt tls13_ctx_free(s->internal->tls13);
197cca6fc52SDaniel Fojt s->internal->tls13 = NULL;
198cca6fc52SDaniel Fojt
1998edacedfSDaniel Fojt ssl3_release_init_buffer(s);
200f5b1c8a1SJohn Marino
20172c33676SMaxim Ag ssl_clear_cipher_state(s);
202f5b1c8a1SJohn Marino
20372c33676SMaxim Ag s->internal->first_packet = 0;
204f5b1c8a1SJohn Marino
205f5b1c8a1SJohn Marino /*
206f5b1c8a1SJohn Marino * Check to see if we were changed into a different method, if
207f5b1c8a1SJohn Marino * so, revert back if we are not doing session-id reuse.
208f5b1c8a1SJohn Marino */
20972c33676SMaxim Ag if (!s->internal->in_handshake && (s->session == NULL) &&
210f5b1c8a1SJohn Marino (s->method != s->ctx->method)) {
211*de0e0e4dSAntonio Huete Jimenez s->method->ssl_free(s);
212f5b1c8a1SJohn Marino s->method = s->ctx->method;
213*de0e0e4dSAntonio Huete Jimenez if (!s->method->ssl_new(s))
214f5b1c8a1SJohn Marino return (0);
215f5b1c8a1SJohn Marino } else
216*de0e0e4dSAntonio Huete Jimenez s->method->ssl_clear(s);
21772c33676SMaxim Ag
218f5b1c8a1SJohn Marino return (1);
219f5b1c8a1SJohn Marino }
220f5b1c8a1SJohn Marino
221f5b1c8a1SJohn Marino /* Used to change an SSL_CTXs default SSL method type */
222f5b1c8a1SJohn Marino int
SSL_CTX_set_ssl_version(SSL_CTX * ctx,const SSL_METHOD * meth)223f5b1c8a1SJohn Marino SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *meth)
224f5b1c8a1SJohn Marino {
2258edacedfSDaniel Fojt STACK_OF(SSL_CIPHER) *ciphers;
226f5b1c8a1SJohn Marino
227f5b1c8a1SJohn Marino ctx->method = meth;
228f5b1c8a1SJohn Marino
2298edacedfSDaniel Fojt ciphers = ssl_create_cipher_list(ctx->method, &ctx->cipher_list,
230*de0e0e4dSAntonio Huete Jimenez ctx->internal->cipher_list_tls13, SSL_DEFAULT_CIPHER_LIST,
231*de0e0e4dSAntonio Huete Jimenez ctx->internal->cert);
2328edacedfSDaniel Fojt if (ciphers == NULL || sk_SSL_CIPHER_num(ciphers) <= 0) {
23372c33676SMaxim Ag SSLerrorx(SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS);
234f5b1c8a1SJohn Marino return (0);
235f5b1c8a1SJohn Marino }
236f5b1c8a1SJohn Marino return (1);
237f5b1c8a1SJohn Marino }
238f5b1c8a1SJohn Marino
239f5b1c8a1SJohn Marino SSL *
SSL_new(SSL_CTX * ctx)240f5b1c8a1SJohn Marino SSL_new(SSL_CTX *ctx)
241f5b1c8a1SJohn Marino {
242f5b1c8a1SJohn Marino SSL *s;
243*de0e0e4dSAntonio Huete Jimenez CBS cbs;
244f5b1c8a1SJohn Marino
245f5b1c8a1SJohn Marino if (ctx == NULL) {
24672c33676SMaxim Ag SSLerrorx(SSL_R_NULL_SSL_CTX);
247f5b1c8a1SJohn Marino return (NULL);
248f5b1c8a1SJohn Marino }
249f5b1c8a1SJohn Marino if (ctx->method == NULL) {
25072c33676SMaxim Ag SSLerrorx(SSL_R_SSL_CTX_HAS_NO_DEFAULT_SSL_VERSION);
251f5b1c8a1SJohn Marino return (NULL);
252f5b1c8a1SJohn Marino }
253f5b1c8a1SJohn Marino
2548edacedfSDaniel Fojt if ((s = calloc(1, sizeof(*s))) == NULL)
2558edacedfSDaniel Fojt goto err;
2568edacedfSDaniel Fojt if ((s->internal = calloc(1, sizeof(*s->internal))) == NULL)
2578edacedfSDaniel Fojt goto err;
258*de0e0e4dSAntonio Huete Jimenez
259b6dec7daSDaniel Fojt if ((s->internal->rl = tls12_record_layer_new()) == NULL)
260b6dec7daSDaniel Fojt goto err;
26172c33676SMaxim Ag
262*de0e0e4dSAntonio Huete Jimenez s->internal->min_tls_version = ctx->internal->min_tls_version;
263*de0e0e4dSAntonio Huete Jimenez s->internal->max_tls_version = ctx->internal->max_tls_version;
264*de0e0e4dSAntonio Huete Jimenez s->internal->min_proto_version = ctx->internal->min_proto_version;
265*de0e0e4dSAntonio Huete Jimenez s->internal->max_proto_version = ctx->internal->max_proto_version;
26672c33676SMaxim Ag
26772c33676SMaxim Ag s->internal->options = ctx->internal->options;
26872c33676SMaxim Ag s->internal->mode = ctx->internal->mode;
26972c33676SMaxim Ag s->internal->max_cert_list = ctx->internal->max_cert_list;
270*de0e0e4dSAntonio Huete Jimenez s->internal->num_tickets = ctx->internal->num_tickets;
27172c33676SMaxim Ag
27272c33676SMaxim Ag if ((s->cert = ssl_cert_dup(ctx->internal->cert)) == NULL)
273f5b1c8a1SJohn Marino goto err;
274f5b1c8a1SJohn Marino
27572c33676SMaxim Ag s->internal->read_ahead = ctx->internal->read_ahead;
27672c33676SMaxim Ag s->internal->msg_callback = ctx->internal->msg_callback;
27772c33676SMaxim Ag s->internal->msg_callback_arg = ctx->internal->msg_callback_arg;
278f5b1c8a1SJohn Marino s->verify_mode = ctx->verify_mode;
279f5b1c8a1SJohn Marino s->sid_ctx_length = ctx->sid_ctx_length;
280f5b1c8a1SJohn Marino OPENSSL_assert(s->sid_ctx_length <= sizeof s->sid_ctx);
281f5b1c8a1SJohn Marino memcpy(&s->sid_ctx, &ctx->sid_ctx, sizeof(s->sid_ctx));
28272c33676SMaxim Ag s->internal->verify_callback = ctx->internal->default_verify_callback;
28372c33676SMaxim Ag s->internal->generate_session_id = ctx->internal->generate_session_id;
284f5b1c8a1SJohn Marino
285f5b1c8a1SJohn Marino s->param = X509_VERIFY_PARAM_new();
286f5b1c8a1SJohn Marino if (!s->param)
287f5b1c8a1SJohn Marino goto err;
288f5b1c8a1SJohn Marino X509_VERIFY_PARAM_inherit(s->param, ctx->param);
28972c33676SMaxim Ag s->internal->quiet_shutdown = ctx->internal->quiet_shutdown;
29072c33676SMaxim Ag s->max_send_fragment = ctx->internal->max_send_fragment;
291f5b1c8a1SJohn Marino
292f5b1c8a1SJohn Marino CRYPTO_add(&ctx->references, 1, CRYPTO_LOCK_SSL_CTX);
293f5b1c8a1SJohn Marino s->ctx = ctx;
29472c33676SMaxim Ag s->internal->tlsext_debug_cb = 0;
29572c33676SMaxim Ag s->internal->tlsext_debug_arg = NULL;
29672c33676SMaxim Ag s->internal->tlsext_ticket_expected = 0;
297f5b1c8a1SJohn Marino s->tlsext_status_type = -1;
29872c33676SMaxim Ag s->internal->tlsext_status_expected = 0;
29972c33676SMaxim Ag s->internal->tlsext_ocsp_ids = NULL;
30072c33676SMaxim Ag s->internal->tlsext_ocsp_exts = NULL;
30172c33676SMaxim Ag s->internal->tlsext_ocsp_resp = NULL;
3028edacedfSDaniel Fojt s->internal->tlsext_ocsp_resp_len = 0;
303f5b1c8a1SJohn Marino CRYPTO_add(&ctx->references, 1, CRYPTO_LOCK_SSL_CTX);
304f5b1c8a1SJohn Marino s->initial_ctx = ctx;
305f5b1c8a1SJohn Marino
30672c33676SMaxim Ag if (ctx->internal->tlsext_ecpointformatlist != NULL) {
30772c33676SMaxim Ag s->internal->tlsext_ecpointformatlist =
30872c33676SMaxim Ag calloc(ctx->internal->tlsext_ecpointformatlist_length,
30972c33676SMaxim Ag sizeof(ctx->internal->tlsext_ecpointformatlist[0]));
31072c33676SMaxim Ag if (s->internal->tlsext_ecpointformatlist == NULL)
311f5b1c8a1SJohn Marino goto err;
31272c33676SMaxim Ag memcpy(s->internal->tlsext_ecpointformatlist,
31372c33676SMaxim Ag ctx->internal->tlsext_ecpointformatlist,
31472c33676SMaxim Ag ctx->internal->tlsext_ecpointformatlist_length *
31572c33676SMaxim Ag sizeof(ctx->internal->tlsext_ecpointformatlist[0]));
31672c33676SMaxim Ag s->internal->tlsext_ecpointformatlist_length =
31772c33676SMaxim Ag ctx->internal->tlsext_ecpointformatlist_length;
31872c33676SMaxim Ag }
31972c33676SMaxim Ag if (ctx->internal->tlsext_supportedgroups != NULL) {
32072c33676SMaxim Ag s->internal->tlsext_supportedgroups =
32172c33676SMaxim Ag calloc(ctx->internal->tlsext_supportedgroups_length,
32272c33676SMaxim Ag sizeof(ctx->internal->tlsext_supportedgroups[0]));
32372c33676SMaxim Ag if (s->internal->tlsext_supportedgroups == NULL)
32472c33676SMaxim Ag goto err;
32572c33676SMaxim Ag memcpy(s->internal->tlsext_supportedgroups,
32672c33676SMaxim Ag ctx->internal->tlsext_supportedgroups,
32772c33676SMaxim Ag ctx->internal->tlsext_supportedgroups_length *
32872c33676SMaxim Ag sizeof(ctx->internal->tlsext_supportedgroups[0]));
32972c33676SMaxim Ag s->internal->tlsext_supportedgroups_length =
33072c33676SMaxim Ag ctx->internal->tlsext_supportedgroups_length;
33172c33676SMaxim Ag }
33272c33676SMaxim Ag
333*de0e0e4dSAntonio Huete Jimenez CBS_init(&cbs, ctx->internal->alpn_client_proto_list,
334*de0e0e4dSAntonio Huete Jimenez ctx->internal->alpn_client_proto_list_len);
335*de0e0e4dSAntonio Huete Jimenez if (!CBS_stow(&cbs, &s->internal->alpn_client_proto_list,
336*de0e0e4dSAntonio Huete Jimenez &s->internal->alpn_client_proto_list_len))
33772c33676SMaxim Ag goto err;
338f5b1c8a1SJohn Marino
339f5b1c8a1SJohn Marino s->verify_result = X509_V_OK;
340f5b1c8a1SJohn Marino
341f5b1c8a1SJohn Marino s->method = ctx->method;
342*de0e0e4dSAntonio Huete Jimenez s->quic_method = ctx->quic_method;
343f5b1c8a1SJohn Marino
344*de0e0e4dSAntonio Huete Jimenez if (!s->method->ssl_new(s))
345f5b1c8a1SJohn Marino goto err;
346f5b1c8a1SJohn Marino
347f5b1c8a1SJohn Marino s->references = 1;
348*de0e0e4dSAntonio Huete Jimenez s->server = ctx->method->server;
349f5b1c8a1SJohn Marino
350f5b1c8a1SJohn Marino SSL_clear(s);
351f5b1c8a1SJohn Marino
35272c33676SMaxim Ag CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL, s, &s->internal->ex_data);
353f5b1c8a1SJohn Marino
354f5b1c8a1SJohn Marino return (s);
355f5b1c8a1SJohn Marino
356f5b1c8a1SJohn Marino err:
357f5b1c8a1SJohn Marino SSL_free(s);
35872c33676SMaxim Ag SSLerrorx(ERR_R_MALLOC_FAILURE);
359f5b1c8a1SJohn Marino return (NULL);
360f5b1c8a1SJohn Marino }
361f5b1c8a1SJohn Marino
362f5b1c8a1SJohn Marino int
SSL_CTX_set_session_id_context(SSL_CTX * ctx,const unsigned char * sid_ctx,unsigned int sid_ctx_len)363f5b1c8a1SJohn Marino SSL_CTX_set_session_id_context(SSL_CTX *ctx, const unsigned char *sid_ctx,
364f5b1c8a1SJohn Marino unsigned int sid_ctx_len)
365f5b1c8a1SJohn Marino {
366f5b1c8a1SJohn Marino if (sid_ctx_len > sizeof ctx->sid_ctx) {
36772c33676SMaxim Ag SSLerrorx(SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG);
368f5b1c8a1SJohn Marino return (0);
369f5b1c8a1SJohn Marino }
370f5b1c8a1SJohn Marino ctx->sid_ctx_length = sid_ctx_len;
371f5b1c8a1SJohn Marino memcpy(ctx->sid_ctx, sid_ctx, sid_ctx_len);
372f5b1c8a1SJohn Marino
373f5b1c8a1SJohn Marino return (1);
374f5b1c8a1SJohn Marino }
375f5b1c8a1SJohn Marino
376f5b1c8a1SJohn Marino int
SSL_set_session_id_context(SSL * ssl,const unsigned char * sid_ctx,unsigned int sid_ctx_len)377f5b1c8a1SJohn Marino SSL_set_session_id_context(SSL *ssl, const unsigned char *sid_ctx,
378f5b1c8a1SJohn Marino unsigned int sid_ctx_len)
379f5b1c8a1SJohn Marino {
380f5b1c8a1SJohn Marino if (sid_ctx_len > SSL_MAX_SID_CTX_LENGTH) {
38172c33676SMaxim Ag SSLerror(ssl, SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG);
382f5b1c8a1SJohn Marino return (0);
383f5b1c8a1SJohn Marino }
384f5b1c8a1SJohn Marino ssl->sid_ctx_length = sid_ctx_len;
385f5b1c8a1SJohn Marino memcpy(ssl->sid_ctx, sid_ctx, sid_ctx_len);
386f5b1c8a1SJohn Marino
387f5b1c8a1SJohn Marino return (1);
388f5b1c8a1SJohn Marino }
389f5b1c8a1SJohn Marino
390f5b1c8a1SJohn Marino int
SSL_CTX_set_generate_session_id(SSL_CTX * ctx,GEN_SESSION_CB cb)391f5b1c8a1SJohn Marino SSL_CTX_set_generate_session_id(SSL_CTX *ctx, GEN_SESSION_CB cb)
392f5b1c8a1SJohn Marino {
393f5b1c8a1SJohn Marino CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
39472c33676SMaxim Ag ctx->internal->generate_session_id = cb;
395f5b1c8a1SJohn Marino CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
396f5b1c8a1SJohn Marino return (1);
397f5b1c8a1SJohn Marino }
398f5b1c8a1SJohn Marino
399f5b1c8a1SJohn Marino int
SSL_set_generate_session_id(SSL * ssl,GEN_SESSION_CB cb)400f5b1c8a1SJohn Marino SSL_set_generate_session_id(SSL *ssl, GEN_SESSION_CB cb)
401f5b1c8a1SJohn Marino {
402f5b1c8a1SJohn Marino CRYPTO_w_lock(CRYPTO_LOCK_SSL);
40372c33676SMaxim Ag ssl->internal->generate_session_id = cb;
404f5b1c8a1SJohn Marino CRYPTO_w_unlock(CRYPTO_LOCK_SSL);
405f5b1c8a1SJohn Marino return (1);
406f5b1c8a1SJohn Marino }
407f5b1c8a1SJohn Marino
408f5b1c8a1SJohn Marino int
SSL_has_matching_session_id(const SSL * ssl,const unsigned char * id,unsigned int id_len)409f5b1c8a1SJohn Marino SSL_has_matching_session_id(const SSL *ssl, const unsigned char *id,
410f5b1c8a1SJohn Marino unsigned int id_len)
411f5b1c8a1SJohn Marino {
412f5b1c8a1SJohn Marino /*
413f5b1c8a1SJohn Marino * A quick examination of SSL_SESSION_hash and SSL_SESSION_cmp
414f5b1c8a1SJohn Marino * shows how we can "construct" a session to give us the desired
415f5b1c8a1SJohn Marino * check - ie. to find if there's a session in the hash table
416f5b1c8a1SJohn Marino * that would conflict with any new session built out of this
417f5b1c8a1SJohn Marino * id/id_len and the ssl_version in use by this SSL.
418f5b1c8a1SJohn Marino */
419f5b1c8a1SJohn Marino SSL_SESSION r, *p;
420f5b1c8a1SJohn Marino
421f5b1c8a1SJohn Marino if (id_len > sizeof r.session_id)
422f5b1c8a1SJohn Marino return (0);
423f5b1c8a1SJohn Marino
424f5b1c8a1SJohn Marino r.ssl_version = ssl->version;
425f5b1c8a1SJohn Marino r.session_id_length = id_len;
426f5b1c8a1SJohn Marino memcpy(r.session_id, id, id_len);
427f5b1c8a1SJohn Marino
428f5b1c8a1SJohn Marino CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX);
42972c33676SMaxim Ag p = lh_SSL_SESSION_retrieve(ssl->ctx->internal->sessions, &r);
430f5b1c8a1SJohn Marino CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX);
431f5b1c8a1SJohn Marino return (p != NULL);
432f5b1c8a1SJohn Marino }
433f5b1c8a1SJohn Marino
434f5b1c8a1SJohn Marino int
SSL_CTX_set_purpose(SSL_CTX * s,int purpose)435f5b1c8a1SJohn Marino SSL_CTX_set_purpose(SSL_CTX *s, int purpose)
436f5b1c8a1SJohn Marino {
437f5b1c8a1SJohn Marino return (X509_VERIFY_PARAM_set_purpose(s->param, purpose));
438f5b1c8a1SJohn Marino }
439f5b1c8a1SJohn Marino
440f5b1c8a1SJohn Marino int
SSL_set_purpose(SSL * s,int purpose)441f5b1c8a1SJohn Marino SSL_set_purpose(SSL *s, int purpose)
442f5b1c8a1SJohn Marino {
443f5b1c8a1SJohn Marino return (X509_VERIFY_PARAM_set_purpose(s->param, purpose));
444f5b1c8a1SJohn Marino }
445f5b1c8a1SJohn Marino
446f5b1c8a1SJohn Marino int
SSL_CTX_set_trust(SSL_CTX * s,int trust)447f5b1c8a1SJohn Marino SSL_CTX_set_trust(SSL_CTX *s, int trust)
448f5b1c8a1SJohn Marino {
449f5b1c8a1SJohn Marino return (X509_VERIFY_PARAM_set_trust(s->param, trust));
450f5b1c8a1SJohn Marino }
451f5b1c8a1SJohn Marino
452f5b1c8a1SJohn Marino int
SSL_set_trust(SSL * s,int trust)453f5b1c8a1SJohn Marino SSL_set_trust(SSL *s, int trust)
454f5b1c8a1SJohn Marino {
455f5b1c8a1SJohn Marino return (X509_VERIFY_PARAM_set_trust(s->param, trust));
456f5b1c8a1SJohn Marino }
457f5b1c8a1SJohn Marino
458f5b1c8a1SJohn Marino int
SSL_set1_host(SSL * s,const char * hostname)45972c33676SMaxim Ag SSL_set1_host(SSL *s, const char *hostname)
46072c33676SMaxim Ag {
461cca6fc52SDaniel Fojt struct in_addr ina;
462cca6fc52SDaniel Fojt struct in6_addr in6a;
463cca6fc52SDaniel Fojt
464cca6fc52SDaniel Fojt if (hostname != NULL && *hostname != '\0' &&
465cca6fc52SDaniel Fojt (inet_pton(AF_INET, hostname, &ina) == 1 ||
466cca6fc52SDaniel Fojt inet_pton(AF_INET6, hostname, &in6a) == 1))
467cca6fc52SDaniel Fojt return X509_VERIFY_PARAM_set1_ip_asc(s->param, hostname);
468cca6fc52SDaniel Fojt else
46972c33676SMaxim Ag return X509_VERIFY_PARAM_set1_host(s->param, hostname, 0);
47072c33676SMaxim Ag }
47172c33676SMaxim Ag
472*de0e0e4dSAntonio Huete Jimenez void
SSL_set_hostflags(SSL * s,unsigned int flags)473*de0e0e4dSAntonio Huete Jimenez SSL_set_hostflags(SSL *s, unsigned int flags)
474*de0e0e4dSAntonio Huete Jimenez {
475*de0e0e4dSAntonio Huete Jimenez X509_VERIFY_PARAM_set_hostflags(s->param, flags);
476*de0e0e4dSAntonio Huete Jimenez }
477*de0e0e4dSAntonio Huete Jimenez
4788edacedfSDaniel Fojt const char *
SSL_get0_peername(SSL * s)4798edacedfSDaniel Fojt SSL_get0_peername(SSL *s)
4808edacedfSDaniel Fojt {
4818edacedfSDaniel Fojt return X509_VERIFY_PARAM_get0_peername(s->param);
4828edacedfSDaniel Fojt }
4838edacedfSDaniel Fojt
48472c33676SMaxim Ag X509_VERIFY_PARAM *
SSL_CTX_get0_param(SSL_CTX * ctx)48572c33676SMaxim Ag SSL_CTX_get0_param(SSL_CTX *ctx)
48672c33676SMaxim Ag {
48772c33676SMaxim Ag return (ctx->param);
48872c33676SMaxim Ag }
48972c33676SMaxim Ag
49072c33676SMaxim Ag int
SSL_CTX_set1_param(SSL_CTX * ctx,X509_VERIFY_PARAM * vpm)491f5b1c8a1SJohn Marino SSL_CTX_set1_param(SSL_CTX *ctx, X509_VERIFY_PARAM *vpm)
492f5b1c8a1SJohn Marino {
493f5b1c8a1SJohn Marino return (X509_VERIFY_PARAM_set1(ctx->param, vpm));
494f5b1c8a1SJohn Marino }
495f5b1c8a1SJohn Marino
49672c33676SMaxim Ag X509_VERIFY_PARAM *
SSL_get0_param(SSL * ssl)49772c33676SMaxim Ag SSL_get0_param(SSL *ssl)
49872c33676SMaxim Ag {
49972c33676SMaxim Ag return (ssl->param);
50072c33676SMaxim Ag }
50172c33676SMaxim Ag
502f5b1c8a1SJohn Marino int
SSL_set1_param(SSL * ssl,X509_VERIFY_PARAM * vpm)503f5b1c8a1SJohn Marino SSL_set1_param(SSL *ssl, X509_VERIFY_PARAM *vpm)
504f5b1c8a1SJohn Marino {
505f5b1c8a1SJohn Marino return (X509_VERIFY_PARAM_set1(ssl->param, vpm));
506f5b1c8a1SJohn Marino }
507f5b1c8a1SJohn Marino
508f5b1c8a1SJohn Marino void
SSL_free(SSL * s)509f5b1c8a1SJohn Marino SSL_free(SSL *s)
510f5b1c8a1SJohn Marino {
511f5b1c8a1SJohn Marino int i;
512f5b1c8a1SJohn Marino
513f5b1c8a1SJohn Marino if (s == NULL)
514f5b1c8a1SJohn Marino return;
515f5b1c8a1SJohn Marino
516f5b1c8a1SJohn Marino i = CRYPTO_add(&s->references, -1, CRYPTO_LOCK_SSL);
517f5b1c8a1SJohn Marino if (i > 0)
518f5b1c8a1SJohn Marino return;
519f5b1c8a1SJohn Marino
520f5b1c8a1SJohn Marino X509_VERIFY_PARAM_free(s->param);
521f5b1c8a1SJohn Marino
52272c33676SMaxim Ag CRYPTO_free_ex_data(CRYPTO_EX_INDEX_SSL, s, &s->internal->ex_data);
523f5b1c8a1SJohn Marino
524f5b1c8a1SJohn Marino if (s->bbio != NULL) {
525f5b1c8a1SJohn Marino /* If the buffering BIO is in place, pop it off */
526f5b1c8a1SJohn Marino if (s->bbio == s->wbio) {
527f5b1c8a1SJohn Marino s->wbio = BIO_pop(s->wbio);
528f5b1c8a1SJohn Marino }
529f5b1c8a1SJohn Marino BIO_free(s->bbio);
530f5b1c8a1SJohn Marino s->bbio = NULL;
531f5b1c8a1SJohn Marino }
532f5b1c8a1SJohn Marino
533f5b1c8a1SJohn Marino if (s->rbio != s->wbio)
534f5b1c8a1SJohn Marino BIO_free_all(s->rbio);
535f5b1c8a1SJohn Marino BIO_free_all(s->wbio);
536f5b1c8a1SJohn Marino
537cca6fc52SDaniel Fojt tls13_ctx_free(s->internal->tls13);
538cca6fc52SDaniel Fojt
5398edacedfSDaniel Fojt ssl3_release_init_buffer(s);
540f5b1c8a1SJohn Marino
541f5b1c8a1SJohn Marino sk_SSL_CIPHER_free(s->cipher_list);
5428edacedfSDaniel Fojt sk_SSL_CIPHER_free(s->internal->cipher_list_tls13);
543f5b1c8a1SJohn Marino
544f5b1c8a1SJohn Marino /* Make the next call work :-) */
545f5b1c8a1SJohn Marino if (s->session != NULL) {
546f5b1c8a1SJohn Marino ssl_clear_bad_session(s);
547f5b1c8a1SJohn Marino SSL_SESSION_free(s->session);
548f5b1c8a1SJohn Marino }
549f5b1c8a1SJohn Marino
55072c33676SMaxim Ag ssl_clear_cipher_state(s);
551f5b1c8a1SJohn Marino
552f5b1c8a1SJohn Marino ssl_cert_free(s->cert);
553f5b1c8a1SJohn Marino
554f5b1c8a1SJohn Marino free(s->tlsext_hostname);
555f5b1c8a1SJohn Marino SSL_CTX_free(s->initial_ctx);
556f5b1c8a1SJohn Marino
55772c33676SMaxim Ag free(s->internal->tlsext_ecpointformatlist);
55872c33676SMaxim Ag free(s->internal->tlsext_supportedgroups);
55972c33676SMaxim Ag
56072c33676SMaxim Ag sk_X509_EXTENSION_pop_free(s->internal->tlsext_ocsp_exts,
56172c33676SMaxim Ag X509_EXTENSION_free);
56272c33676SMaxim Ag sk_OCSP_RESPID_pop_free(s->internal->tlsext_ocsp_ids, OCSP_RESPID_free);
56372c33676SMaxim Ag free(s->internal->tlsext_ocsp_resp);
56472c33676SMaxim Ag
56572c33676SMaxim Ag sk_X509_NAME_pop_free(s->internal->client_CA, X509_NAME_free);
566f5b1c8a1SJohn Marino
567f5b1c8a1SJohn Marino if (s->method != NULL)
568*de0e0e4dSAntonio Huete Jimenez s->method->ssl_free(s);
569f5b1c8a1SJohn Marino
570f5b1c8a1SJohn Marino SSL_CTX_free(s->ctx);
571f5b1c8a1SJohn Marino
57272c33676SMaxim Ag free(s->internal->alpn_client_proto_list);
573f5b1c8a1SJohn Marino
574*de0e0e4dSAntonio Huete Jimenez free(s->internal->quic_transport_params);
575*de0e0e4dSAntonio Huete Jimenez
576f5b1c8a1SJohn Marino #ifndef OPENSSL_NO_SRTP
57772c33676SMaxim Ag sk_SRTP_PROTECTION_PROFILE_free(s->internal->srtp_profiles);
578f5b1c8a1SJohn Marino #endif
579f5b1c8a1SJohn Marino
5808edacedfSDaniel Fojt tls12_record_layer_free(s->internal->rl);
5818edacedfSDaniel Fojt
58272c33676SMaxim Ag free(s->internal);
583f5b1c8a1SJohn Marino free(s);
584f5b1c8a1SJohn Marino }
585f5b1c8a1SJohn Marino
58672c33676SMaxim Ag int
SSL_up_ref(SSL * s)58772c33676SMaxim Ag SSL_up_ref(SSL *s)
58872c33676SMaxim Ag {
58972c33676SMaxim Ag int refs = CRYPTO_add(&s->references, 1, CRYPTO_LOCK_SSL);
59072c33676SMaxim Ag return (refs > 1) ? 1 : 0;
59172c33676SMaxim Ag }
59272c33676SMaxim Ag
593f5b1c8a1SJohn Marino void
SSL_set_bio(SSL * s,BIO * rbio,BIO * wbio)594f5b1c8a1SJohn Marino SSL_set_bio(SSL *s, BIO *rbio, BIO *wbio)
595f5b1c8a1SJohn Marino {
596f5b1c8a1SJohn Marino /* If the output buffering BIO is still in place, remove it */
597f5b1c8a1SJohn Marino if (s->bbio != NULL) {
598f5b1c8a1SJohn Marino if (s->wbio == s->bbio) {
599*de0e0e4dSAntonio Huete Jimenez s->wbio = BIO_next(s->wbio);
600*de0e0e4dSAntonio Huete Jimenez BIO_set_next(s->bbio, NULL);
601f5b1c8a1SJohn Marino }
602f5b1c8a1SJohn Marino }
603f5b1c8a1SJohn Marino
604f5b1c8a1SJohn Marino if (s->rbio != rbio && s->rbio != s->wbio)
605f5b1c8a1SJohn Marino BIO_free_all(s->rbio);
606f5b1c8a1SJohn Marino if (s->wbio != wbio)
607f5b1c8a1SJohn Marino BIO_free_all(s->wbio);
608f5b1c8a1SJohn Marino s->rbio = rbio;
609f5b1c8a1SJohn Marino s->wbio = wbio;
610f5b1c8a1SJohn Marino }
611f5b1c8a1SJohn Marino
612f5b1c8a1SJohn Marino BIO *
SSL_get_rbio(const SSL * s)613f5b1c8a1SJohn Marino SSL_get_rbio(const SSL *s)
614f5b1c8a1SJohn Marino {
615f5b1c8a1SJohn Marino return (s->rbio);
616f5b1c8a1SJohn Marino }
617f5b1c8a1SJohn Marino
618*de0e0e4dSAntonio Huete Jimenez void
SSL_set0_rbio(SSL * s,BIO * rbio)619*de0e0e4dSAntonio Huete Jimenez SSL_set0_rbio(SSL *s, BIO *rbio)
620*de0e0e4dSAntonio Huete Jimenez {
621*de0e0e4dSAntonio Huete Jimenez BIO_free_all(s->rbio);
622*de0e0e4dSAntonio Huete Jimenez s->rbio = rbio;
623*de0e0e4dSAntonio Huete Jimenez }
624*de0e0e4dSAntonio Huete Jimenez
625f5b1c8a1SJohn Marino BIO *
SSL_get_wbio(const SSL * s)626f5b1c8a1SJohn Marino SSL_get_wbio(const SSL *s)
627f5b1c8a1SJohn Marino {
628f5b1c8a1SJohn Marino return (s->wbio);
629f5b1c8a1SJohn Marino }
630f5b1c8a1SJohn Marino
631f5b1c8a1SJohn Marino int
SSL_get_fd(const SSL * s)632f5b1c8a1SJohn Marino SSL_get_fd(const SSL *s)
633f5b1c8a1SJohn Marino {
634f5b1c8a1SJohn Marino return (SSL_get_rfd(s));
635f5b1c8a1SJohn Marino }
636f5b1c8a1SJohn Marino
637f5b1c8a1SJohn Marino int
SSL_get_rfd(const SSL * s)638f5b1c8a1SJohn Marino SSL_get_rfd(const SSL *s)
639f5b1c8a1SJohn Marino {
640f5b1c8a1SJohn Marino int ret = -1;
641f5b1c8a1SJohn Marino BIO *b, *r;
642f5b1c8a1SJohn Marino
643f5b1c8a1SJohn Marino b = SSL_get_rbio(s);
644f5b1c8a1SJohn Marino r = BIO_find_type(b, BIO_TYPE_DESCRIPTOR);
645f5b1c8a1SJohn Marino if (r != NULL)
646f5b1c8a1SJohn Marino BIO_get_fd(r, &ret);
647f5b1c8a1SJohn Marino return (ret);
648f5b1c8a1SJohn Marino }
649f5b1c8a1SJohn Marino
650f5b1c8a1SJohn Marino int
SSL_get_wfd(const SSL * s)651f5b1c8a1SJohn Marino SSL_get_wfd(const SSL *s)
652f5b1c8a1SJohn Marino {
653f5b1c8a1SJohn Marino int ret = -1;
654f5b1c8a1SJohn Marino BIO *b, *r;
655f5b1c8a1SJohn Marino
656f5b1c8a1SJohn Marino b = SSL_get_wbio(s);
657f5b1c8a1SJohn Marino r = BIO_find_type(b, BIO_TYPE_DESCRIPTOR);
658f5b1c8a1SJohn Marino if (r != NULL)
659f5b1c8a1SJohn Marino BIO_get_fd(r, &ret);
660f5b1c8a1SJohn Marino return (ret);
661f5b1c8a1SJohn Marino }
662f5b1c8a1SJohn Marino
663f5b1c8a1SJohn Marino int
SSL_set_fd(SSL * s,int fd)664f5b1c8a1SJohn Marino SSL_set_fd(SSL *s, int fd)
665f5b1c8a1SJohn Marino {
666f5b1c8a1SJohn Marino int ret = 0;
667f5b1c8a1SJohn Marino BIO *bio = NULL;
668f5b1c8a1SJohn Marino
669f5b1c8a1SJohn Marino bio = BIO_new(BIO_s_socket());
670f5b1c8a1SJohn Marino
671f5b1c8a1SJohn Marino if (bio == NULL) {
67272c33676SMaxim Ag SSLerror(s, ERR_R_BUF_LIB);
673f5b1c8a1SJohn Marino goto err;
674f5b1c8a1SJohn Marino }
675f5b1c8a1SJohn Marino BIO_set_fd(bio, fd, BIO_NOCLOSE);
676f5b1c8a1SJohn Marino SSL_set_bio(s, bio, bio);
677f5b1c8a1SJohn Marino ret = 1;
678f5b1c8a1SJohn Marino err:
679f5b1c8a1SJohn Marino return (ret);
680f5b1c8a1SJohn Marino }
681f5b1c8a1SJohn Marino
682f5b1c8a1SJohn Marino int
SSL_set_wfd(SSL * s,int fd)683f5b1c8a1SJohn Marino SSL_set_wfd(SSL *s, int fd)
684f5b1c8a1SJohn Marino {
685f5b1c8a1SJohn Marino int ret = 0;
686f5b1c8a1SJohn Marino BIO *bio = NULL;
687f5b1c8a1SJohn Marino
688f5b1c8a1SJohn Marino if ((s->rbio == NULL) || (BIO_method_type(s->rbio) != BIO_TYPE_SOCKET)
689f5b1c8a1SJohn Marino || ((int)BIO_get_fd(s->rbio, NULL) != fd)) {
690f5b1c8a1SJohn Marino bio = BIO_new(BIO_s_socket());
691f5b1c8a1SJohn Marino
692f5b1c8a1SJohn Marino if (bio == NULL) {
69372c33676SMaxim Ag SSLerror(s, ERR_R_BUF_LIB);
694f5b1c8a1SJohn Marino goto err;
695f5b1c8a1SJohn Marino }
696f5b1c8a1SJohn Marino BIO_set_fd(bio, fd, BIO_NOCLOSE);
697f5b1c8a1SJohn Marino SSL_set_bio(s, SSL_get_rbio(s), bio);
698f5b1c8a1SJohn Marino } else
699f5b1c8a1SJohn Marino SSL_set_bio(s, SSL_get_rbio(s), SSL_get_rbio(s));
700f5b1c8a1SJohn Marino ret = 1;
701f5b1c8a1SJohn Marino err:
702f5b1c8a1SJohn Marino return (ret);
703f5b1c8a1SJohn Marino }
704f5b1c8a1SJohn Marino
705f5b1c8a1SJohn Marino int
SSL_set_rfd(SSL * s,int fd)706f5b1c8a1SJohn Marino SSL_set_rfd(SSL *s, int fd)
707f5b1c8a1SJohn Marino {
708f5b1c8a1SJohn Marino int ret = 0;
709f5b1c8a1SJohn Marino BIO *bio = NULL;
710f5b1c8a1SJohn Marino
711f5b1c8a1SJohn Marino if ((s->wbio == NULL) || (BIO_method_type(s->wbio) != BIO_TYPE_SOCKET)
712f5b1c8a1SJohn Marino || ((int)BIO_get_fd(s->wbio, NULL) != fd)) {
713f5b1c8a1SJohn Marino bio = BIO_new(BIO_s_socket());
714f5b1c8a1SJohn Marino
715f5b1c8a1SJohn Marino if (bio == NULL) {
71672c33676SMaxim Ag SSLerror(s, ERR_R_BUF_LIB);
717f5b1c8a1SJohn Marino goto err;
718f5b1c8a1SJohn Marino }
719f5b1c8a1SJohn Marino BIO_set_fd(bio, fd, BIO_NOCLOSE);
720f5b1c8a1SJohn Marino SSL_set_bio(s, bio, SSL_get_wbio(s));
721f5b1c8a1SJohn Marino } else
722f5b1c8a1SJohn Marino SSL_set_bio(s, SSL_get_wbio(s), SSL_get_wbio(s));
723f5b1c8a1SJohn Marino ret = 1;
724f5b1c8a1SJohn Marino err:
725f5b1c8a1SJohn Marino return (ret);
726f5b1c8a1SJohn Marino }
727f5b1c8a1SJohn Marino
728f5b1c8a1SJohn Marino
729f5b1c8a1SJohn Marino /* return length of latest Finished message we sent, copy to 'buf' */
730f5b1c8a1SJohn Marino size_t
SSL_get_finished(const SSL * s,void * buf,size_t count)731f5b1c8a1SJohn Marino SSL_get_finished(const SSL *s, void *buf, size_t count)
732f5b1c8a1SJohn Marino {
733cca6fc52SDaniel Fojt size_t ret;
734f5b1c8a1SJohn Marino
735*de0e0e4dSAntonio Huete Jimenez ret = s->s3->hs.finished_len;
736f5b1c8a1SJohn Marino if (count > ret)
737f5b1c8a1SJohn Marino count = ret;
738*de0e0e4dSAntonio Huete Jimenez memcpy(buf, s->s3->hs.finished, count);
739f5b1c8a1SJohn Marino return (ret);
740f5b1c8a1SJohn Marino }
741f5b1c8a1SJohn Marino
742f5b1c8a1SJohn Marino /* return length of latest Finished message we expected, copy to 'buf' */
743f5b1c8a1SJohn Marino size_t
SSL_get_peer_finished(const SSL * s,void * buf,size_t count)744f5b1c8a1SJohn Marino SSL_get_peer_finished(const SSL *s, void *buf, size_t count)
745f5b1c8a1SJohn Marino {
746cca6fc52SDaniel Fojt size_t ret;
747f5b1c8a1SJohn Marino
748*de0e0e4dSAntonio Huete Jimenez ret = s->s3->hs.peer_finished_len;
749f5b1c8a1SJohn Marino if (count > ret)
750f5b1c8a1SJohn Marino count = ret;
751*de0e0e4dSAntonio Huete Jimenez memcpy(buf, s->s3->hs.peer_finished, count);
752f5b1c8a1SJohn Marino return (ret);
753f5b1c8a1SJohn Marino }
754f5b1c8a1SJohn Marino
755f5b1c8a1SJohn Marino
756f5b1c8a1SJohn Marino int
SSL_get_verify_mode(const SSL * s)757f5b1c8a1SJohn Marino SSL_get_verify_mode(const SSL *s)
758f5b1c8a1SJohn Marino {
759f5b1c8a1SJohn Marino return (s->verify_mode);
760f5b1c8a1SJohn Marino }
761f5b1c8a1SJohn Marino
762f5b1c8a1SJohn Marino int
SSL_get_verify_depth(const SSL * s)763f5b1c8a1SJohn Marino SSL_get_verify_depth(const SSL *s)
764f5b1c8a1SJohn Marino {
765f5b1c8a1SJohn Marino return (X509_VERIFY_PARAM_get_depth(s->param));
766f5b1c8a1SJohn Marino }
767f5b1c8a1SJohn Marino
768f5b1c8a1SJohn Marino int
SSL_get_verify_callback(const SSL * s)769f5b1c8a1SJohn Marino (*SSL_get_verify_callback(const SSL *s))(int, X509_STORE_CTX *)
770f5b1c8a1SJohn Marino {
77172c33676SMaxim Ag return (s->internal->verify_callback);
772f5b1c8a1SJohn Marino }
773f5b1c8a1SJohn Marino
774*de0e0e4dSAntonio Huete Jimenez void
SSL_CTX_set_keylog_callback(SSL_CTX * ctx,SSL_CTX_keylog_cb_func cb)775*de0e0e4dSAntonio Huete Jimenez SSL_CTX_set_keylog_callback(SSL_CTX *ctx, SSL_CTX_keylog_cb_func cb)
776*de0e0e4dSAntonio Huete Jimenez {
777*de0e0e4dSAntonio Huete Jimenez ctx->internal->keylog_callback = cb;
778*de0e0e4dSAntonio Huete Jimenez }
779*de0e0e4dSAntonio Huete Jimenez
780*de0e0e4dSAntonio Huete Jimenez SSL_CTX_keylog_cb_func
SSL_CTX_get_keylog_callback(const SSL_CTX * ctx)781*de0e0e4dSAntonio Huete Jimenez SSL_CTX_get_keylog_callback(const SSL_CTX *ctx)
782*de0e0e4dSAntonio Huete Jimenez {
783*de0e0e4dSAntonio Huete Jimenez return (ctx->internal->keylog_callback);
784*de0e0e4dSAntonio Huete Jimenez }
785*de0e0e4dSAntonio Huete Jimenez
786*de0e0e4dSAntonio Huete Jimenez int
SSL_set_num_tickets(SSL * s,size_t num_tickets)787*de0e0e4dSAntonio Huete Jimenez SSL_set_num_tickets(SSL *s, size_t num_tickets)
788*de0e0e4dSAntonio Huete Jimenez {
789*de0e0e4dSAntonio Huete Jimenez s->internal->num_tickets = num_tickets;
790*de0e0e4dSAntonio Huete Jimenez
791*de0e0e4dSAntonio Huete Jimenez return 1;
792*de0e0e4dSAntonio Huete Jimenez }
793*de0e0e4dSAntonio Huete Jimenez
794*de0e0e4dSAntonio Huete Jimenez size_t
SSL_get_num_tickets(const SSL * s)795*de0e0e4dSAntonio Huete Jimenez SSL_get_num_tickets(const SSL *s)
796*de0e0e4dSAntonio Huete Jimenez {
797*de0e0e4dSAntonio Huete Jimenez return s->internal->num_tickets;
798*de0e0e4dSAntonio Huete Jimenez }
799*de0e0e4dSAntonio Huete Jimenez
800*de0e0e4dSAntonio Huete Jimenez int
SSL_CTX_set_num_tickets(SSL_CTX * ctx,size_t num_tickets)801*de0e0e4dSAntonio Huete Jimenez SSL_CTX_set_num_tickets(SSL_CTX *ctx, size_t num_tickets)
802*de0e0e4dSAntonio Huete Jimenez {
803*de0e0e4dSAntonio Huete Jimenez ctx->internal->num_tickets = num_tickets;
804*de0e0e4dSAntonio Huete Jimenez
805*de0e0e4dSAntonio Huete Jimenez return 1;
806*de0e0e4dSAntonio Huete Jimenez }
807*de0e0e4dSAntonio Huete Jimenez
808*de0e0e4dSAntonio Huete Jimenez size_t
SSL_CTX_get_num_tickets(const SSL_CTX * ctx)809*de0e0e4dSAntonio Huete Jimenez SSL_CTX_get_num_tickets(const SSL_CTX *ctx)
810*de0e0e4dSAntonio Huete Jimenez {
811*de0e0e4dSAntonio Huete Jimenez return ctx->internal->num_tickets;
812*de0e0e4dSAntonio Huete Jimenez }
813*de0e0e4dSAntonio Huete Jimenez
814f5b1c8a1SJohn Marino int
SSL_CTX_get_verify_mode(const SSL_CTX * ctx)815f5b1c8a1SJohn Marino SSL_CTX_get_verify_mode(const SSL_CTX *ctx)
816f5b1c8a1SJohn Marino {
817f5b1c8a1SJohn Marino return (ctx->verify_mode);
818f5b1c8a1SJohn Marino }
819f5b1c8a1SJohn Marino
820f5b1c8a1SJohn Marino int
SSL_CTX_get_verify_depth(const SSL_CTX * ctx)821f5b1c8a1SJohn Marino SSL_CTX_get_verify_depth(const SSL_CTX *ctx)
822f5b1c8a1SJohn Marino {
823f5b1c8a1SJohn Marino return (X509_VERIFY_PARAM_get_depth(ctx->param));
824f5b1c8a1SJohn Marino }
825f5b1c8a1SJohn Marino
82672c33676SMaxim Ag int
SSL_CTX_get_verify_callback(const SSL_CTX * ctx)82772c33676SMaxim Ag (*SSL_CTX_get_verify_callback(const SSL_CTX *ctx))(int, X509_STORE_CTX *)
828f5b1c8a1SJohn Marino {
82972c33676SMaxim Ag return (ctx->internal->default_verify_callback);
830f5b1c8a1SJohn Marino }
831f5b1c8a1SJohn Marino
832f5b1c8a1SJohn Marino void
SSL_set_verify(SSL * s,int mode,int (* callback)(int ok,X509_STORE_CTX * ctx))833f5b1c8a1SJohn Marino SSL_set_verify(SSL *s, int mode,
834f5b1c8a1SJohn Marino int (*callback)(int ok, X509_STORE_CTX *ctx))
835f5b1c8a1SJohn Marino {
836f5b1c8a1SJohn Marino s->verify_mode = mode;
837f5b1c8a1SJohn Marino if (callback != NULL)
83872c33676SMaxim Ag s->internal->verify_callback = callback;
839f5b1c8a1SJohn Marino }
840f5b1c8a1SJohn Marino
841f5b1c8a1SJohn Marino void
SSL_set_verify_depth(SSL * s,int depth)842f5b1c8a1SJohn Marino SSL_set_verify_depth(SSL *s, int depth)
843f5b1c8a1SJohn Marino {
844f5b1c8a1SJohn Marino X509_VERIFY_PARAM_set_depth(s->param, depth);
845f5b1c8a1SJohn Marino }
846f5b1c8a1SJohn Marino
847f5b1c8a1SJohn Marino void
SSL_set_read_ahead(SSL * s,int yes)848f5b1c8a1SJohn Marino SSL_set_read_ahead(SSL *s, int yes)
849f5b1c8a1SJohn Marino {
85072c33676SMaxim Ag s->internal->read_ahead = yes;
851f5b1c8a1SJohn Marino }
852f5b1c8a1SJohn Marino
853f5b1c8a1SJohn Marino int
SSL_get_read_ahead(const SSL * s)854f5b1c8a1SJohn Marino SSL_get_read_ahead(const SSL *s)
855f5b1c8a1SJohn Marino {
85672c33676SMaxim Ag return (s->internal->read_ahead);
857f5b1c8a1SJohn Marino }
858f5b1c8a1SJohn Marino
859f5b1c8a1SJohn Marino int
SSL_pending(const SSL * s)860f5b1c8a1SJohn Marino SSL_pending(const SSL *s)
861f5b1c8a1SJohn Marino {
862*de0e0e4dSAntonio Huete Jimenez return (s->method->ssl_pending(s));
863f5b1c8a1SJohn Marino }
864f5b1c8a1SJohn Marino
865f5b1c8a1SJohn Marino X509 *
SSL_get_peer_certificate(const SSL * s)866f5b1c8a1SJohn Marino SSL_get_peer_certificate(const SSL *s)
867f5b1c8a1SJohn Marino {
868*de0e0e4dSAntonio Huete Jimenez X509 *cert;
869f5b1c8a1SJohn Marino
870*de0e0e4dSAntonio Huete Jimenez if (s == NULL || s->session == NULL)
871*de0e0e4dSAntonio Huete Jimenez return NULL;
872f5b1c8a1SJohn Marino
873*de0e0e4dSAntonio Huete Jimenez if ((cert = s->session->peer_cert) == NULL)
874*de0e0e4dSAntonio Huete Jimenez return NULL;
875f5b1c8a1SJohn Marino
876*de0e0e4dSAntonio Huete Jimenez X509_up_ref(cert);
877f5b1c8a1SJohn Marino
878*de0e0e4dSAntonio Huete Jimenez return cert;
879f5b1c8a1SJohn Marino }
880f5b1c8a1SJohn Marino
STACK_OF(X509)881f5b1c8a1SJohn Marino STACK_OF(X509) *
882f5b1c8a1SJohn Marino SSL_get_peer_cert_chain(const SSL *s)
883f5b1c8a1SJohn Marino {
884*de0e0e4dSAntonio Huete Jimenez if (s == NULL)
885*de0e0e4dSAntonio Huete Jimenez return NULL;
886f5b1c8a1SJohn Marino
887f5b1c8a1SJohn Marino /*
888*de0e0e4dSAntonio Huete Jimenez * Achtung! Due to API inconsistency, a client includes the peer's leaf
889*de0e0e4dSAntonio Huete Jimenez * certificate in the peer certificate chain, while a server does not.
890f5b1c8a1SJohn Marino */
891*de0e0e4dSAntonio Huete Jimenez if (!s->server)
892*de0e0e4dSAntonio Huete Jimenez return s->s3->hs.peer_certs;
893*de0e0e4dSAntonio Huete Jimenez
894*de0e0e4dSAntonio Huete Jimenez return s->s3->hs.peer_certs_no_leaf;
895*de0e0e4dSAntonio Huete Jimenez }
896*de0e0e4dSAntonio Huete Jimenez
STACK_OF(X509)897*de0e0e4dSAntonio Huete Jimenez STACK_OF(X509) *
898*de0e0e4dSAntonio Huete Jimenez SSL_get0_verified_chain(const SSL *s)
899*de0e0e4dSAntonio Huete Jimenez {
900*de0e0e4dSAntonio Huete Jimenez return s->internal->verified_chain;
901f5b1c8a1SJohn Marino }
902f5b1c8a1SJohn Marino
903f5b1c8a1SJohn Marino /*
904f5b1c8a1SJohn Marino * Now in theory, since the calling process own 't' it should be safe to
905f5b1c8a1SJohn Marino * modify. We need to be able to read f without being hassled
906f5b1c8a1SJohn Marino */
90772c33676SMaxim Ag int
SSL_copy_session_id(SSL * t,const SSL * f)908f5b1c8a1SJohn Marino SSL_copy_session_id(SSL *t, const SSL *f)
909f5b1c8a1SJohn Marino {
910*de0e0e4dSAntonio Huete Jimenez SSL_CERT *tmp;
911f5b1c8a1SJohn Marino
91272c33676SMaxim Ag /* Do we need to do SSL locking? */
91372c33676SMaxim Ag if (!SSL_set_session(t, SSL_get_session(f)))
91472c33676SMaxim Ag return 0;
915f5b1c8a1SJohn Marino
91672c33676SMaxim Ag /* What if we are set up for one protocol but want to talk another? */
917f5b1c8a1SJohn Marino if (t->method != f->method) {
918*de0e0e4dSAntonio Huete Jimenez t->method->ssl_free(t);
91972c33676SMaxim Ag t->method = f->method;
920*de0e0e4dSAntonio Huete Jimenez if (!t->method->ssl_new(t))
92172c33676SMaxim Ag return 0;
922f5b1c8a1SJohn Marino }
923f5b1c8a1SJohn Marino
924f5b1c8a1SJohn Marino tmp = t->cert;
925f5b1c8a1SJohn Marino if (f->cert != NULL) {
926f5b1c8a1SJohn Marino CRYPTO_add(&f->cert->references, 1, CRYPTO_LOCK_SSL_CERT);
927f5b1c8a1SJohn Marino t->cert = f->cert;
928f5b1c8a1SJohn Marino } else
929f5b1c8a1SJohn Marino t->cert = NULL;
930f5b1c8a1SJohn Marino ssl_cert_free(tmp);
93172c33676SMaxim Ag
93272c33676SMaxim Ag if (!SSL_set_session_id_context(t, f->sid_ctx, f->sid_ctx_length))
93372c33676SMaxim Ag return 0;
93472c33676SMaxim Ag
93572c33676SMaxim Ag return 1;
936f5b1c8a1SJohn Marino }
937f5b1c8a1SJohn Marino
938f5b1c8a1SJohn Marino /* Fix this so it checks all the valid key/cert options */
939f5b1c8a1SJohn Marino int
SSL_CTX_check_private_key(const SSL_CTX * ctx)940f5b1c8a1SJohn Marino SSL_CTX_check_private_key(const SSL_CTX *ctx)
941f5b1c8a1SJohn Marino {
94272c33676SMaxim Ag if ((ctx == NULL) || (ctx->internal->cert == NULL) ||
94372c33676SMaxim Ag (ctx->internal->cert->key->x509 == NULL)) {
94472c33676SMaxim Ag SSLerrorx(SSL_R_NO_CERTIFICATE_ASSIGNED);
945f5b1c8a1SJohn Marino return (0);
946f5b1c8a1SJohn Marino }
94772c33676SMaxim Ag if (ctx->internal->cert->key->privatekey == NULL) {
94872c33676SMaxim Ag SSLerrorx(SSL_R_NO_PRIVATE_KEY_ASSIGNED);
949f5b1c8a1SJohn Marino return (0);
950f5b1c8a1SJohn Marino }
95172c33676SMaxim Ag return (X509_check_private_key(ctx->internal->cert->key->x509,
95272c33676SMaxim Ag ctx->internal->cert->key->privatekey));
953f5b1c8a1SJohn Marino }
954f5b1c8a1SJohn Marino
955f5b1c8a1SJohn Marino /* Fix this function so that it takes an optional type parameter */
956f5b1c8a1SJohn Marino int
SSL_check_private_key(const SSL * ssl)957f5b1c8a1SJohn Marino SSL_check_private_key(const SSL *ssl)
958f5b1c8a1SJohn Marino {
959f5b1c8a1SJohn Marino if (ssl == NULL) {
96072c33676SMaxim Ag SSLerrorx(ERR_R_PASSED_NULL_PARAMETER);
961f5b1c8a1SJohn Marino return (0);
962f5b1c8a1SJohn Marino }
963f5b1c8a1SJohn Marino if (ssl->cert == NULL) {
96472c33676SMaxim Ag SSLerror(ssl, SSL_R_NO_CERTIFICATE_ASSIGNED);
965f5b1c8a1SJohn Marino return (0);
966f5b1c8a1SJohn Marino }
967f5b1c8a1SJohn Marino if (ssl->cert->key->x509 == NULL) {
96872c33676SMaxim Ag SSLerror(ssl, SSL_R_NO_CERTIFICATE_ASSIGNED);
969f5b1c8a1SJohn Marino return (0);
970f5b1c8a1SJohn Marino }
971f5b1c8a1SJohn Marino if (ssl->cert->key->privatekey == NULL) {
97272c33676SMaxim Ag SSLerror(ssl, SSL_R_NO_PRIVATE_KEY_ASSIGNED);
973f5b1c8a1SJohn Marino return (0);
974f5b1c8a1SJohn Marino }
975f5b1c8a1SJohn Marino return (X509_check_private_key(ssl->cert->key->x509,
976f5b1c8a1SJohn Marino ssl->cert->key->privatekey));
977f5b1c8a1SJohn Marino }
978f5b1c8a1SJohn Marino
979f5b1c8a1SJohn Marino int
SSL_accept(SSL * s)980f5b1c8a1SJohn Marino SSL_accept(SSL *s)
981f5b1c8a1SJohn Marino {
98272c33676SMaxim Ag if (s->internal->handshake_func == NULL)
983f5b1c8a1SJohn Marino SSL_set_accept_state(s); /* Not properly initialized yet */
984f5b1c8a1SJohn Marino
985*de0e0e4dSAntonio Huete Jimenez return (s->method->ssl_accept(s));
986f5b1c8a1SJohn Marino }
987f5b1c8a1SJohn Marino
988f5b1c8a1SJohn Marino int
SSL_connect(SSL * s)989f5b1c8a1SJohn Marino SSL_connect(SSL *s)
990f5b1c8a1SJohn Marino {
99172c33676SMaxim Ag if (s->internal->handshake_func == NULL)
992f5b1c8a1SJohn Marino SSL_set_connect_state(s); /* Not properly initialized yet */
993f5b1c8a1SJohn Marino
994*de0e0e4dSAntonio Huete Jimenez return (s->method->ssl_connect(s));
995*de0e0e4dSAntonio Huete Jimenez }
996*de0e0e4dSAntonio Huete Jimenez
997*de0e0e4dSAntonio Huete Jimenez int
SSL_is_dtls(const SSL * s)998*de0e0e4dSAntonio Huete Jimenez SSL_is_dtls(const SSL *s)
999*de0e0e4dSAntonio Huete Jimenez {
1000*de0e0e4dSAntonio Huete Jimenez return s->method->dtls;
100172c33676SMaxim Ag }
100272c33676SMaxim Ag
100372c33676SMaxim Ag int
SSL_is_server(const SSL * s)100472c33676SMaxim Ag SSL_is_server(const SSL *s)
100572c33676SMaxim Ag {
100672c33676SMaxim Ag return s->server;
1007f5b1c8a1SJohn Marino }
1008f5b1c8a1SJohn Marino
10098edacedfSDaniel Fojt static long
ssl_get_default_timeout()10108edacedfSDaniel Fojt ssl_get_default_timeout()
10118edacedfSDaniel Fojt {
10128edacedfSDaniel Fojt /*
10138edacedfSDaniel Fojt * 2 hours, the 24 hours mentioned in the TLSv1 spec
10148edacedfSDaniel Fojt * is way too long for http, the cache would over fill.
10158edacedfSDaniel Fojt */
10168edacedfSDaniel Fojt return (2 * 60 * 60);
10178edacedfSDaniel Fojt }
10188edacedfSDaniel Fojt
1019f5b1c8a1SJohn Marino long
SSL_get_default_timeout(const SSL * s)1020f5b1c8a1SJohn Marino SSL_get_default_timeout(const SSL *s)
1021f5b1c8a1SJohn Marino {
10228edacedfSDaniel Fojt return (ssl_get_default_timeout());
1023f5b1c8a1SJohn Marino }
1024f5b1c8a1SJohn Marino
1025f5b1c8a1SJohn Marino int
SSL_read(SSL * s,void * buf,int num)1026f5b1c8a1SJohn Marino SSL_read(SSL *s, void *buf, int num)
1027f5b1c8a1SJohn Marino {
1028*de0e0e4dSAntonio Huete Jimenez if (num < 0) {
1029*de0e0e4dSAntonio Huete Jimenez SSLerror(s, SSL_R_BAD_LENGTH);
1030*de0e0e4dSAntonio Huete Jimenez return -1;
1031*de0e0e4dSAntonio Huete Jimenez }
1032*de0e0e4dSAntonio Huete Jimenez
1033*de0e0e4dSAntonio Huete Jimenez if (SSL_is_quic(s)) {
1034*de0e0e4dSAntonio Huete Jimenez SSLerror(s, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
1035*de0e0e4dSAntonio Huete Jimenez return (-1);
1036*de0e0e4dSAntonio Huete Jimenez }
1037*de0e0e4dSAntonio Huete Jimenez
103872c33676SMaxim Ag if (s->internal->handshake_func == NULL) {
103972c33676SMaxim Ag SSLerror(s, SSL_R_UNINITIALIZED);
1040f5b1c8a1SJohn Marino return (-1);
1041f5b1c8a1SJohn Marino }
1042f5b1c8a1SJohn Marino
104372c33676SMaxim Ag if (s->internal->shutdown & SSL_RECEIVED_SHUTDOWN) {
104472c33676SMaxim Ag s->internal->rwstate = SSL_NOTHING;
1045f5b1c8a1SJohn Marino return (0);
1046f5b1c8a1SJohn Marino }
104772c33676SMaxim Ag return ssl3_read(s, buf, num);
1048f5b1c8a1SJohn Marino }
1049f5b1c8a1SJohn Marino
1050f5b1c8a1SJohn Marino int
SSL_read_ex(SSL * s,void * buf,size_t num,size_t * bytes_read)1051*de0e0e4dSAntonio Huete Jimenez SSL_read_ex(SSL *s, void *buf, size_t num, size_t *bytes_read)
1052*de0e0e4dSAntonio Huete Jimenez {
1053*de0e0e4dSAntonio Huete Jimenez int ret;
1054*de0e0e4dSAntonio Huete Jimenez
1055*de0e0e4dSAntonio Huete Jimenez /* We simply don't bother supporting enormous reads */
1056*de0e0e4dSAntonio Huete Jimenez if (num > INT_MAX) {
1057*de0e0e4dSAntonio Huete Jimenez SSLerror(s, SSL_R_BAD_LENGTH);
1058*de0e0e4dSAntonio Huete Jimenez return 0;
1059*de0e0e4dSAntonio Huete Jimenez }
1060*de0e0e4dSAntonio Huete Jimenez
1061*de0e0e4dSAntonio Huete Jimenez ret = SSL_read(s, buf, (int)num);
1062*de0e0e4dSAntonio Huete Jimenez if (ret < 0)
1063*de0e0e4dSAntonio Huete Jimenez ret = 0;
1064*de0e0e4dSAntonio Huete Jimenez *bytes_read = ret;
1065*de0e0e4dSAntonio Huete Jimenez
1066*de0e0e4dSAntonio Huete Jimenez return ret > 0;
1067*de0e0e4dSAntonio Huete Jimenez }
1068*de0e0e4dSAntonio Huete Jimenez
1069*de0e0e4dSAntonio Huete Jimenez int
SSL_peek(SSL * s,void * buf,int num)1070f5b1c8a1SJohn Marino SSL_peek(SSL *s, void *buf, int num)
1071f5b1c8a1SJohn Marino {
1072*de0e0e4dSAntonio Huete Jimenez if (num < 0) {
1073*de0e0e4dSAntonio Huete Jimenez SSLerror(s, SSL_R_BAD_LENGTH);
1074*de0e0e4dSAntonio Huete Jimenez return -1;
1075*de0e0e4dSAntonio Huete Jimenez }
1076*de0e0e4dSAntonio Huete Jimenez
1077*de0e0e4dSAntonio Huete Jimenez if (SSL_is_quic(s)) {
1078*de0e0e4dSAntonio Huete Jimenez SSLerror(s, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
1079*de0e0e4dSAntonio Huete Jimenez return (-1);
1080*de0e0e4dSAntonio Huete Jimenez }
1081*de0e0e4dSAntonio Huete Jimenez
108272c33676SMaxim Ag if (s->internal->handshake_func == NULL) {
108372c33676SMaxim Ag SSLerror(s, SSL_R_UNINITIALIZED);
1084f5b1c8a1SJohn Marino return (-1);
1085f5b1c8a1SJohn Marino }
1086f5b1c8a1SJohn Marino
108772c33676SMaxim Ag if (s->internal->shutdown & SSL_RECEIVED_SHUTDOWN) {
1088f5b1c8a1SJohn Marino return (0);
1089f5b1c8a1SJohn Marino }
109072c33676SMaxim Ag return ssl3_peek(s, buf, num);
1091f5b1c8a1SJohn Marino }
1092f5b1c8a1SJohn Marino
1093f5b1c8a1SJohn Marino int
SSL_peek_ex(SSL * s,void * buf,size_t num,size_t * bytes_peeked)1094*de0e0e4dSAntonio Huete Jimenez SSL_peek_ex(SSL *s, void *buf, size_t num, size_t *bytes_peeked)
1095*de0e0e4dSAntonio Huete Jimenez {
1096*de0e0e4dSAntonio Huete Jimenez int ret;
1097*de0e0e4dSAntonio Huete Jimenez
1098*de0e0e4dSAntonio Huete Jimenez /* We simply don't bother supporting enormous peeks */
1099*de0e0e4dSAntonio Huete Jimenez if (num > INT_MAX) {
1100*de0e0e4dSAntonio Huete Jimenez SSLerror(s, SSL_R_BAD_LENGTH);
1101*de0e0e4dSAntonio Huete Jimenez return 0;
1102*de0e0e4dSAntonio Huete Jimenez }
1103*de0e0e4dSAntonio Huete Jimenez
1104*de0e0e4dSAntonio Huete Jimenez ret = SSL_peek(s, buf, (int)num);
1105*de0e0e4dSAntonio Huete Jimenez if (ret < 0)
1106*de0e0e4dSAntonio Huete Jimenez ret = 0;
1107*de0e0e4dSAntonio Huete Jimenez *bytes_peeked = ret;
1108*de0e0e4dSAntonio Huete Jimenez
1109*de0e0e4dSAntonio Huete Jimenez return ret > 0;
1110*de0e0e4dSAntonio Huete Jimenez }
1111*de0e0e4dSAntonio Huete Jimenez
1112*de0e0e4dSAntonio Huete Jimenez int
SSL_write(SSL * s,const void * buf,int num)1113f5b1c8a1SJohn Marino SSL_write(SSL *s, const void *buf, int num)
1114f5b1c8a1SJohn Marino {
1115*de0e0e4dSAntonio Huete Jimenez if (num < 0) {
1116*de0e0e4dSAntonio Huete Jimenez SSLerror(s, SSL_R_BAD_LENGTH);
1117*de0e0e4dSAntonio Huete Jimenez return -1;
1118*de0e0e4dSAntonio Huete Jimenez }
1119*de0e0e4dSAntonio Huete Jimenez
1120*de0e0e4dSAntonio Huete Jimenez if (SSL_is_quic(s)) {
1121*de0e0e4dSAntonio Huete Jimenez SSLerror(s, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
1122*de0e0e4dSAntonio Huete Jimenez return (-1);
1123*de0e0e4dSAntonio Huete Jimenez }
1124*de0e0e4dSAntonio Huete Jimenez
112572c33676SMaxim Ag if (s->internal->handshake_func == NULL) {
112672c33676SMaxim Ag SSLerror(s, SSL_R_UNINITIALIZED);
1127f5b1c8a1SJohn Marino return (-1);
1128f5b1c8a1SJohn Marino }
1129f5b1c8a1SJohn Marino
113072c33676SMaxim Ag if (s->internal->shutdown & SSL_SENT_SHUTDOWN) {
113172c33676SMaxim Ag s->internal->rwstate = SSL_NOTHING;
113272c33676SMaxim Ag SSLerror(s, SSL_R_PROTOCOL_IS_SHUTDOWN);
1133f5b1c8a1SJohn Marino return (-1);
1134f5b1c8a1SJohn Marino }
113572c33676SMaxim Ag return ssl3_write(s, buf, num);
1136f5b1c8a1SJohn Marino }
1137f5b1c8a1SJohn Marino
1138*de0e0e4dSAntonio Huete Jimenez int
SSL_write_ex(SSL * s,const void * buf,size_t num,size_t * bytes_written)1139*de0e0e4dSAntonio Huete Jimenez SSL_write_ex(SSL *s, const void *buf, size_t num, size_t *bytes_written)
1140*de0e0e4dSAntonio Huete Jimenez {
1141*de0e0e4dSAntonio Huete Jimenez int ret;
1142*de0e0e4dSAntonio Huete Jimenez
1143*de0e0e4dSAntonio Huete Jimenez /* We simply don't bother supporting enormous writes */
1144*de0e0e4dSAntonio Huete Jimenez if (num > INT_MAX) {
1145*de0e0e4dSAntonio Huete Jimenez SSLerror(s, SSL_R_BAD_LENGTH);
1146*de0e0e4dSAntonio Huete Jimenez return 0;
1147*de0e0e4dSAntonio Huete Jimenez }
1148*de0e0e4dSAntonio Huete Jimenez
1149*de0e0e4dSAntonio Huete Jimenez if (num == 0) {
1150*de0e0e4dSAntonio Huete Jimenez /* This API is special */
1151*de0e0e4dSAntonio Huete Jimenez bytes_written = 0;
1152*de0e0e4dSAntonio Huete Jimenez return 1;
1153*de0e0e4dSAntonio Huete Jimenez }
1154*de0e0e4dSAntonio Huete Jimenez
1155*de0e0e4dSAntonio Huete Jimenez ret = SSL_write(s, buf, (int)num);
1156*de0e0e4dSAntonio Huete Jimenez if (ret < 0)
1157*de0e0e4dSAntonio Huete Jimenez ret = 0;
1158*de0e0e4dSAntonio Huete Jimenez *bytes_written = ret;
1159*de0e0e4dSAntonio Huete Jimenez
1160*de0e0e4dSAntonio Huete Jimenez return ret > 0;
1161*de0e0e4dSAntonio Huete Jimenez }
1162*de0e0e4dSAntonio Huete Jimenez
11638edacedfSDaniel Fojt uint32_t
SSL_CTX_get_max_early_data(const SSL_CTX * ctx)11648edacedfSDaniel Fojt SSL_CTX_get_max_early_data(const SSL_CTX *ctx)
11658edacedfSDaniel Fojt {
11668edacedfSDaniel Fojt return 0;
11678edacedfSDaniel Fojt }
11688edacedfSDaniel Fojt
11698edacedfSDaniel Fojt int
SSL_CTX_set_max_early_data(SSL_CTX * ctx,uint32_t max_early_data)11708edacedfSDaniel Fojt SSL_CTX_set_max_early_data(SSL_CTX *ctx, uint32_t max_early_data)
11718edacedfSDaniel Fojt {
11728edacedfSDaniel Fojt return 1;
11738edacedfSDaniel Fojt }
11748edacedfSDaniel Fojt
11758edacedfSDaniel Fojt uint32_t
SSL_get_max_early_data(const SSL * s)11768edacedfSDaniel Fojt SSL_get_max_early_data(const SSL *s)
11778edacedfSDaniel Fojt {
11788edacedfSDaniel Fojt return 0;
11798edacedfSDaniel Fojt }
11808edacedfSDaniel Fojt
11818edacedfSDaniel Fojt int
SSL_set_max_early_data(SSL * s,uint32_t max_early_data)11828edacedfSDaniel Fojt SSL_set_max_early_data(SSL *s, uint32_t max_early_data)
11838edacedfSDaniel Fojt {
11848edacedfSDaniel Fojt return 1;
11858edacedfSDaniel Fojt }
11868edacedfSDaniel Fojt
11878edacedfSDaniel Fojt int
SSL_get_early_data_status(const SSL * s)11888edacedfSDaniel Fojt SSL_get_early_data_status(const SSL *s)
11898edacedfSDaniel Fojt {
11908edacedfSDaniel Fojt return SSL_EARLY_DATA_REJECTED;
11918edacedfSDaniel Fojt }
11928edacedfSDaniel Fojt
11938edacedfSDaniel Fojt int
SSL_read_early_data(SSL * s,void * buf,size_t num,size_t * readbytes)11948edacedfSDaniel Fojt SSL_read_early_data(SSL *s, void *buf, size_t num, size_t *readbytes)
11958edacedfSDaniel Fojt {
11968edacedfSDaniel Fojt *readbytes = 0;
11978edacedfSDaniel Fojt
11988edacedfSDaniel Fojt if (!s->server) {
11998edacedfSDaniel Fojt SSLerror(s, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
12008edacedfSDaniel Fojt return SSL_READ_EARLY_DATA_ERROR;
12018edacedfSDaniel Fojt }
12028edacedfSDaniel Fojt
12038edacedfSDaniel Fojt return SSL_READ_EARLY_DATA_FINISH;
12048edacedfSDaniel Fojt }
12058edacedfSDaniel Fojt
12068edacedfSDaniel Fojt int
SSL_write_early_data(SSL * s,const void * buf,size_t num,size_t * written)12078edacedfSDaniel Fojt SSL_write_early_data(SSL *s, const void *buf, size_t num, size_t *written)
12088edacedfSDaniel Fojt {
12098edacedfSDaniel Fojt *written = 0;
12108edacedfSDaniel Fojt SSLerror(s, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
12118edacedfSDaniel Fojt return 0;
12128edacedfSDaniel Fojt }
12138edacedfSDaniel Fojt
1214f5b1c8a1SJohn Marino int
SSL_shutdown(SSL * s)1215f5b1c8a1SJohn Marino SSL_shutdown(SSL *s)
1216f5b1c8a1SJohn Marino {
1217f5b1c8a1SJohn Marino /*
1218f5b1c8a1SJohn Marino * Note that this function behaves differently from what one might
1219f5b1c8a1SJohn Marino * expect. Return values are 0 for no success (yet),
1220f5b1c8a1SJohn Marino * 1 for success; but calling it once is usually not enough,
1221f5b1c8a1SJohn Marino * even if blocking I/O is used (see ssl3_shutdown).
1222f5b1c8a1SJohn Marino */
1223f5b1c8a1SJohn Marino
122472c33676SMaxim Ag if (s->internal->handshake_func == NULL) {
122572c33676SMaxim Ag SSLerror(s, SSL_R_UNINITIALIZED);
1226f5b1c8a1SJohn Marino return (-1);
1227f5b1c8a1SJohn Marino }
1228f5b1c8a1SJohn Marino
122972c33676SMaxim Ag if (s != NULL && !SSL_in_init(s))
1230*de0e0e4dSAntonio Huete Jimenez return (s->method->ssl_shutdown(s));
123172c33676SMaxim Ag
1232f5b1c8a1SJohn Marino return (1);
1233f5b1c8a1SJohn Marino }
1234f5b1c8a1SJohn Marino
1235f5b1c8a1SJohn Marino int
SSL_renegotiate(SSL * s)1236f5b1c8a1SJohn Marino SSL_renegotiate(SSL *s)
1237f5b1c8a1SJohn Marino {
123872c33676SMaxim Ag if (s->internal->renegotiate == 0)
123972c33676SMaxim Ag s->internal->renegotiate = 1;
1240f5b1c8a1SJohn Marino
124172c33676SMaxim Ag s->internal->new_session = 1;
1242f5b1c8a1SJohn Marino
1243*de0e0e4dSAntonio Huete Jimenez return (s->method->ssl_renegotiate(s));
1244f5b1c8a1SJohn Marino }
1245f5b1c8a1SJohn Marino
1246f5b1c8a1SJohn Marino int
SSL_renegotiate_abbreviated(SSL * s)1247f5b1c8a1SJohn Marino SSL_renegotiate_abbreviated(SSL *s)
1248f5b1c8a1SJohn Marino {
124972c33676SMaxim Ag if (s->internal->renegotiate == 0)
125072c33676SMaxim Ag s->internal->renegotiate = 1;
1251f5b1c8a1SJohn Marino
125272c33676SMaxim Ag s->internal->new_session = 0;
1253f5b1c8a1SJohn Marino
1254*de0e0e4dSAntonio Huete Jimenez return (s->method->ssl_renegotiate(s));
1255f5b1c8a1SJohn Marino }
1256f5b1c8a1SJohn Marino
1257f5b1c8a1SJohn Marino int
SSL_renegotiate_pending(SSL * s)1258f5b1c8a1SJohn Marino SSL_renegotiate_pending(SSL *s)
1259f5b1c8a1SJohn Marino {
1260f5b1c8a1SJohn Marino /*
1261f5b1c8a1SJohn Marino * Becomes true when negotiation is requested;
1262f5b1c8a1SJohn Marino * false again once a handshake has finished.
1263f5b1c8a1SJohn Marino */
126472c33676SMaxim Ag return (s->internal->renegotiate != 0);
1265f5b1c8a1SJohn Marino }
1266f5b1c8a1SJohn Marino
1267f5b1c8a1SJohn Marino long
SSL_ctrl(SSL * s,int cmd,long larg,void * parg)1268f5b1c8a1SJohn Marino SSL_ctrl(SSL *s, int cmd, long larg, void *parg)
1269f5b1c8a1SJohn Marino {
1270f5b1c8a1SJohn Marino long l;
1271f5b1c8a1SJohn Marino
1272f5b1c8a1SJohn Marino switch (cmd) {
1273f5b1c8a1SJohn Marino case SSL_CTRL_GET_READ_AHEAD:
127472c33676SMaxim Ag return (s->internal->read_ahead);
1275f5b1c8a1SJohn Marino case SSL_CTRL_SET_READ_AHEAD:
127672c33676SMaxim Ag l = s->internal->read_ahead;
127772c33676SMaxim Ag s->internal->read_ahead = larg;
1278f5b1c8a1SJohn Marino return (l);
1279f5b1c8a1SJohn Marino
1280f5b1c8a1SJohn Marino case SSL_CTRL_SET_MSG_CALLBACK_ARG:
128172c33676SMaxim Ag s->internal->msg_callback_arg = parg;
1282f5b1c8a1SJohn Marino return (1);
1283f5b1c8a1SJohn Marino
1284f5b1c8a1SJohn Marino case SSL_CTRL_OPTIONS:
128572c33676SMaxim Ag return (s->internal->options|=larg);
1286f5b1c8a1SJohn Marino case SSL_CTRL_CLEAR_OPTIONS:
128772c33676SMaxim Ag return (s->internal->options&=~larg);
1288f5b1c8a1SJohn Marino case SSL_CTRL_MODE:
128972c33676SMaxim Ag return (s->internal->mode|=larg);
1290f5b1c8a1SJohn Marino case SSL_CTRL_CLEAR_MODE:
129172c33676SMaxim Ag return (s->internal->mode &=~larg);
1292f5b1c8a1SJohn Marino case SSL_CTRL_GET_MAX_CERT_LIST:
129372c33676SMaxim Ag return (s->internal->max_cert_list);
1294f5b1c8a1SJohn Marino case SSL_CTRL_SET_MAX_CERT_LIST:
129572c33676SMaxim Ag l = s->internal->max_cert_list;
129672c33676SMaxim Ag s->internal->max_cert_list = larg;
1297f5b1c8a1SJohn Marino return (l);
1298f5b1c8a1SJohn Marino case SSL_CTRL_SET_MTU:
1299f5b1c8a1SJohn Marino #ifndef OPENSSL_NO_DTLS1
1300f5b1c8a1SJohn Marino if (larg < (long)dtls1_min_mtu())
1301f5b1c8a1SJohn Marino return (0);
1302f5b1c8a1SJohn Marino #endif
1303*de0e0e4dSAntonio Huete Jimenez if (SSL_is_dtls(s)) {
1304*de0e0e4dSAntonio Huete Jimenez s->d1->mtu = larg;
1305f5b1c8a1SJohn Marino return (larg);
1306f5b1c8a1SJohn Marino }
1307f5b1c8a1SJohn Marino return (0);
1308f5b1c8a1SJohn Marino case SSL_CTRL_SET_MAX_SEND_FRAGMENT:
1309f5b1c8a1SJohn Marino if (larg < 512 || larg > SSL3_RT_MAX_PLAIN_LENGTH)
1310f5b1c8a1SJohn Marino return (0);
1311f5b1c8a1SJohn Marino s->max_send_fragment = larg;
1312f5b1c8a1SJohn Marino return (1);
1313f5b1c8a1SJohn Marino case SSL_CTRL_GET_RI_SUPPORT:
1314f5b1c8a1SJohn Marino if (s->s3)
1315*de0e0e4dSAntonio Huete Jimenez return (s->s3->send_connection_binding);
1316f5b1c8a1SJohn Marino else return (0);
1317f5b1c8a1SJohn Marino default:
1318*de0e0e4dSAntonio Huete Jimenez if (SSL_is_dtls(s))
131972c33676SMaxim Ag return dtls1_ctrl(s, cmd, larg, parg);
132072c33676SMaxim Ag return ssl3_ctrl(s, cmd, larg, parg);
1321f5b1c8a1SJohn Marino }
1322f5b1c8a1SJohn Marino }
1323f5b1c8a1SJohn Marino
1324f5b1c8a1SJohn Marino long
SSL_callback_ctrl(SSL * s,int cmd,void (* fp)(void))1325f5b1c8a1SJohn Marino SSL_callback_ctrl(SSL *s, int cmd, void (*fp)(void))
1326f5b1c8a1SJohn Marino {
1327f5b1c8a1SJohn Marino switch (cmd) {
1328f5b1c8a1SJohn Marino case SSL_CTRL_SET_MSG_CALLBACK:
1329*de0e0e4dSAntonio Huete Jimenez s->internal->msg_callback = (ssl_msg_callback_fn *)(fp);
1330f5b1c8a1SJohn Marino return (1);
1331f5b1c8a1SJohn Marino
1332f5b1c8a1SJohn Marino default:
133372c33676SMaxim Ag return (ssl3_callback_ctrl(s, cmd, fp));
1334f5b1c8a1SJohn Marino }
1335f5b1c8a1SJohn Marino }
1336f5b1c8a1SJohn Marino
133772c33676SMaxim Ag struct lhash_st_SSL_SESSION *
SSL_CTX_sessions(SSL_CTX * ctx)1338f5b1c8a1SJohn Marino SSL_CTX_sessions(SSL_CTX *ctx)
1339f5b1c8a1SJohn Marino {
134072c33676SMaxim Ag return (ctx->internal->sessions);
1341f5b1c8a1SJohn Marino }
1342f5b1c8a1SJohn Marino
1343f5b1c8a1SJohn Marino long
SSL_CTX_ctrl(SSL_CTX * ctx,int cmd,long larg,void * parg)1344f5b1c8a1SJohn Marino SSL_CTX_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
1345f5b1c8a1SJohn Marino {
1346f5b1c8a1SJohn Marino long l;
1347f5b1c8a1SJohn Marino
1348f5b1c8a1SJohn Marino switch (cmd) {
1349f5b1c8a1SJohn Marino case SSL_CTRL_GET_READ_AHEAD:
135072c33676SMaxim Ag return (ctx->internal->read_ahead);
1351f5b1c8a1SJohn Marino case SSL_CTRL_SET_READ_AHEAD:
135272c33676SMaxim Ag l = ctx->internal->read_ahead;
135372c33676SMaxim Ag ctx->internal->read_ahead = larg;
1354f5b1c8a1SJohn Marino return (l);
1355f5b1c8a1SJohn Marino
1356f5b1c8a1SJohn Marino case SSL_CTRL_SET_MSG_CALLBACK_ARG:
135772c33676SMaxim Ag ctx->internal->msg_callback_arg = parg;
1358f5b1c8a1SJohn Marino return (1);
1359f5b1c8a1SJohn Marino
1360f5b1c8a1SJohn Marino case SSL_CTRL_GET_MAX_CERT_LIST:
136172c33676SMaxim Ag return (ctx->internal->max_cert_list);
1362f5b1c8a1SJohn Marino case SSL_CTRL_SET_MAX_CERT_LIST:
136372c33676SMaxim Ag l = ctx->internal->max_cert_list;
136472c33676SMaxim Ag ctx->internal->max_cert_list = larg;
1365f5b1c8a1SJohn Marino return (l);
1366f5b1c8a1SJohn Marino
1367f5b1c8a1SJohn Marino case SSL_CTRL_SET_SESS_CACHE_SIZE:
136872c33676SMaxim Ag l = ctx->internal->session_cache_size;
136972c33676SMaxim Ag ctx->internal->session_cache_size = larg;
1370f5b1c8a1SJohn Marino return (l);
1371f5b1c8a1SJohn Marino case SSL_CTRL_GET_SESS_CACHE_SIZE:
137272c33676SMaxim Ag return (ctx->internal->session_cache_size);
1373f5b1c8a1SJohn Marino case SSL_CTRL_SET_SESS_CACHE_MODE:
137472c33676SMaxim Ag l = ctx->internal->session_cache_mode;
137572c33676SMaxim Ag ctx->internal->session_cache_mode = larg;
1376f5b1c8a1SJohn Marino return (l);
1377f5b1c8a1SJohn Marino case SSL_CTRL_GET_SESS_CACHE_MODE:
137872c33676SMaxim Ag return (ctx->internal->session_cache_mode);
1379f5b1c8a1SJohn Marino
1380f5b1c8a1SJohn Marino case SSL_CTRL_SESS_NUMBER:
138172c33676SMaxim Ag return (lh_SSL_SESSION_num_items(ctx->internal->sessions));
1382f5b1c8a1SJohn Marino case SSL_CTRL_SESS_CONNECT:
138372c33676SMaxim Ag return (ctx->internal->stats.sess_connect);
1384f5b1c8a1SJohn Marino case SSL_CTRL_SESS_CONNECT_GOOD:
138572c33676SMaxim Ag return (ctx->internal->stats.sess_connect_good);
1386f5b1c8a1SJohn Marino case SSL_CTRL_SESS_CONNECT_RENEGOTIATE:
138772c33676SMaxim Ag return (ctx->internal->stats.sess_connect_renegotiate);
1388f5b1c8a1SJohn Marino case SSL_CTRL_SESS_ACCEPT:
138972c33676SMaxim Ag return (ctx->internal->stats.sess_accept);
1390f5b1c8a1SJohn Marino case SSL_CTRL_SESS_ACCEPT_GOOD:
139172c33676SMaxim Ag return (ctx->internal->stats.sess_accept_good);
1392f5b1c8a1SJohn Marino case SSL_CTRL_SESS_ACCEPT_RENEGOTIATE:
139372c33676SMaxim Ag return (ctx->internal->stats.sess_accept_renegotiate);
1394f5b1c8a1SJohn Marino case SSL_CTRL_SESS_HIT:
139572c33676SMaxim Ag return (ctx->internal->stats.sess_hit);
1396f5b1c8a1SJohn Marino case SSL_CTRL_SESS_CB_HIT:
139772c33676SMaxim Ag return (ctx->internal->stats.sess_cb_hit);
1398f5b1c8a1SJohn Marino case SSL_CTRL_SESS_MISSES:
139972c33676SMaxim Ag return (ctx->internal->stats.sess_miss);
1400f5b1c8a1SJohn Marino case SSL_CTRL_SESS_TIMEOUTS:
140172c33676SMaxim Ag return (ctx->internal->stats.sess_timeout);
1402f5b1c8a1SJohn Marino case SSL_CTRL_SESS_CACHE_FULL:
140372c33676SMaxim Ag return (ctx->internal->stats.sess_cache_full);
1404f5b1c8a1SJohn Marino case SSL_CTRL_OPTIONS:
140572c33676SMaxim Ag return (ctx->internal->options|=larg);
1406f5b1c8a1SJohn Marino case SSL_CTRL_CLEAR_OPTIONS:
140772c33676SMaxim Ag return (ctx->internal->options&=~larg);
1408f5b1c8a1SJohn Marino case SSL_CTRL_MODE:
140972c33676SMaxim Ag return (ctx->internal->mode|=larg);
1410f5b1c8a1SJohn Marino case SSL_CTRL_CLEAR_MODE:
141172c33676SMaxim Ag return (ctx->internal->mode&=~larg);
1412f5b1c8a1SJohn Marino case SSL_CTRL_SET_MAX_SEND_FRAGMENT:
1413f5b1c8a1SJohn Marino if (larg < 512 || larg > SSL3_RT_MAX_PLAIN_LENGTH)
1414f5b1c8a1SJohn Marino return (0);
141572c33676SMaxim Ag ctx->internal->max_send_fragment = larg;
1416f5b1c8a1SJohn Marino return (1);
1417f5b1c8a1SJohn Marino default:
141872c33676SMaxim Ag return (ssl3_ctx_ctrl(ctx, cmd, larg, parg));
1419f5b1c8a1SJohn Marino }
1420f5b1c8a1SJohn Marino }
1421f5b1c8a1SJohn Marino
1422f5b1c8a1SJohn Marino long
SSL_CTX_callback_ctrl(SSL_CTX * ctx,int cmd,void (* fp)(void))1423f5b1c8a1SJohn Marino SSL_CTX_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)(void))
1424f5b1c8a1SJohn Marino {
1425f5b1c8a1SJohn Marino switch (cmd) {
1426f5b1c8a1SJohn Marino case SSL_CTRL_SET_MSG_CALLBACK:
1427*de0e0e4dSAntonio Huete Jimenez ctx->internal->msg_callback = (ssl_msg_callback_fn *)fp;
1428f5b1c8a1SJohn Marino return (1);
1429f5b1c8a1SJohn Marino
1430f5b1c8a1SJohn Marino default:
143172c33676SMaxim Ag return (ssl3_ctx_callback_ctrl(ctx, cmd, fp));
1432f5b1c8a1SJohn Marino }
1433f5b1c8a1SJohn Marino }
1434f5b1c8a1SJohn Marino
1435f5b1c8a1SJohn Marino int
ssl_cipher_id_cmp(const SSL_CIPHER * a,const SSL_CIPHER * b)1436f5b1c8a1SJohn Marino ssl_cipher_id_cmp(const SSL_CIPHER *a, const SSL_CIPHER *b)
1437f5b1c8a1SJohn Marino {
1438f5b1c8a1SJohn Marino long l;
1439f5b1c8a1SJohn Marino
1440f5b1c8a1SJohn Marino l = a->id - b->id;
1441f5b1c8a1SJohn Marino if (l == 0L)
1442f5b1c8a1SJohn Marino return (0);
1443f5b1c8a1SJohn Marino else
1444f5b1c8a1SJohn Marino return ((l > 0) ? 1:-1);
1445f5b1c8a1SJohn Marino }
1446f5b1c8a1SJohn Marino
STACK_OF(SSL_CIPHER)1447f5b1c8a1SJohn Marino STACK_OF(SSL_CIPHER) *
1448f5b1c8a1SJohn Marino SSL_get_ciphers(const SSL *s)
1449f5b1c8a1SJohn Marino {
14508edacedfSDaniel Fojt if (s == NULL)
1451f5b1c8a1SJohn Marino return (NULL);
14528edacedfSDaniel Fojt if (s->cipher_list != NULL)
14538edacedfSDaniel Fojt return (s->cipher_list);
14548edacedfSDaniel Fojt
14558edacedfSDaniel Fojt return (s->ctx->cipher_list);
1456f5b1c8a1SJohn Marino }
1457f5b1c8a1SJohn Marino
STACK_OF(SSL_CIPHER)145872c33676SMaxim Ag STACK_OF(SSL_CIPHER) *
145972c33676SMaxim Ag SSL_get_client_ciphers(const SSL *s)
146072c33676SMaxim Ag {
146172c33676SMaxim Ag if (s == NULL || s->session == NULL || !s->server)
146272c33676SMaxim Ag return NULL;
146372c33676SMaxim Ag return s->session->ciphers;
146472c33676SMaxim Ag }
146572c33676SMaxim Ag
STACK_OF(SSL_CIPHER)146672c33676SMaxim Ag STACK_OF(SSL_CIPHER) *
146772c33676SMaxim Ag SSL_get1_supported_ciphers(SSL *s)
146872c33676SMaxim Ag {
146972c33676SMaxim Ag STACK_OF(SSL_CIPHER) *supported_ciphers = NULL, *ciphers;
1470*de0e0e4dSAntonio Huete Jimenez SSL_CIPHER *cipher;
147172c33676SMaxim Ag uint16_t min_vers, max_vers;
147272c33676SMaxim Ag int i;
147372c33676SMaxim Ag
147472c33676SMaxim Ag if (s == NULL)
147572c33676SMaxim Ag return NULL;
1476*de0e0e4dSAntonio Huete Jimenez if (!ssl_supported_tls_version_range(s, &min_vers, &max_vers))
147772c33676SMaxim Ag return NULL;
147872c33676SMaxim Ag if ((ciphers = SSL_get_ciphers(s)) == NULL)
147972c33676SMaxim Ag return NULL;
148072c33676SMaxim Ag if ((supported_ciphers = sk_SSL_CIPHER_new_null()) == NULL)
148172c33676SMaxim Ag return NULL;
148272c33676SMaxim Ag
148372c33676SMaxim Ag for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) {
148472c33676SMaxim Ag if ((cipher = sk_SSL_CIPHER_value(ciphers, i)) == NULL)
148572c33676SMaxim Ag goto err;
1486*de0e0e4dSAntonio Huete Jimenez if (!ssl_cipher_allowed_in_tls_version_range(cipher, min_vers,
14878edacedfSDaniel Fojt max_vers))
148872c33676SMaxim Ag continue;
1489*de0e0e4dSAntonio Huete Jimenez if (!ssl_security_supported_cipher(s, cipher))
1490*de0e0e4dSAntonio Huete Jimenez continue;
149172c33676SMaxim Ag if (!sk_SSL_CIPHER_push(supported_ciphers, cipher))
149272c33676SMaxim Ag goto err;
149372c33676SMaxim Ag }
149472c33676SMaxim Ag
149572c33676SMaxim Ag if (sk_SSL_CIPHER_num(supported_ciphers) > 0)
149672c33676SMaxim Ag return supported_ciphers;
149772c33676SMaxim Ag
149872c33676SMaxim Ag err:
149972c33676SMaxim Ag sk_SSL_CIPHER_free(supported_ciphers);
150072c33676SMaxim Ag return NULL;
150172c33676SMaxim Ag }
150272c33676SMaxim Ag
150372c33676SMaxim Ag /* See if we have any ECC cipher suites. */
150472c33676SMaxim Ag int
ssl_has_ecc_ciphers(SSL * s)150572c33676SMaxim Ag ssl_has_ecc_ciphers(SSL *s)
150672c33676SMaxim Ag {
150772c33676SMaxim Ag STACK_OF(SSL_CIPHER) *ciphers;
150872c33676SMaxim Ag unsigned long alg_k, alg_a;
150972c33676SMaxim Ag SSL_CIPHER *cipher;
151072c33676SMaxim Ag int i;
151172c33676SMaxim Ag
151272c33676SMaxim Ag if ((ciphers = SSL_get_ciphers(s)) == NULL)
151372c33676SMaxim Ag return 0;
151472c33676SMaxim Ag
151572c33676SMaxim Ag for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) {
151672c33676SMaxim Ag cipher = sk_SSL_CIPHER_value(ciphers, i);
151772c33676SMaxim Ag
151872c33676SMaxim Ag alg_k = cipher->algorithm_mkey;
151972c33676SMaxim Ag alg_a = cipher->algorithm_auth;
152072c33676SMaxim Ag
152172c33676SMaxim Ag if ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA))
152272c33676SMaxim Ag return 1;
152372c33676SMaxim Ag }
152472c33676SMaxim Ag
152572c33676SMaxim Ag return 0;
152672c33676SMaxim Ag }
152772c33676SMaxim Ag
1528f5b1c8a1SJohn Marino /* The old interface to get the same thing as SSL_get_ciphers(). */
1529f5b1c8a1SJohn Marino const char *
SSL_get_cipher_list(const SSL * s,int n)1530f5b1c8a1SJohn Marino SSL_get_cipher_list(const SSL *s, int n)
1531f5b1c8a1SJohn Marino {
15328edacedfSDaniel Fojt STACK_OF(SSL_CIPHER) *ciphers;
15338edacedfSDaniel Fojt const SSL_CIPHER *cipher;
1534f5b1c8a1SJohn Marino
15358edacedfSDaniel Fojt if ((ciphers = SSL_get_ciphers(s)) == NULL)
1536f5b1c8a1SJohn Marino return (NULL);
15378edacedfSDaniel Fojt if ((cipher = sk_SSL_CIPHER_value(ciphers, n)) == NULL)
1538f5b1c8a1SJohn Marino return (NULL);
15398edacedfSDaniel Fojt
15408edacedfSDaniel Fojt return (cipher->name);
1541f5b1c8a1SJohn Marino }
1542f5b1c8a1SJohn Marino
STACK_OF(SSL_CIPHER)154372c33676SMaxim Ag STACK_OF(SSL_CIPHER) *
154472c33676SMaxim Ag SSL_CTX_get_ciphers(const SSL_CTX *ctx)
154572c33676SMaxim Ag {
15468edacedfSDaniel Fojt if (ctx == NULL)
15478edacedfSDaniel Fojt return NULL;
154872c33676SMaxim Ag return ctx->cipher_list;
154972c33676SMaxim Ag }
155072c33676SMaxim Ag
1551f5b1c8a1SJohn Marino /* Specify the ciphers to be used by default by the SSL_CTX. */
1552f5b1c8a1SJohn Marino int
SSL_CTX_set_cipher_list(SSL_CTX * ctx,const char * str)1553f5b1c8a1SJohn Marino SSL_CTX_set_cipher_list(SSL_CTX *ctx, const char *str)
1554f5b1c8a1SJohn Marino {
15558edacedfSDaniel Fojt STACK_OF(SSL_CIPHER) *ciphers;
1556f5b1c8a1SJohn Marino
1557f5b1c8a1SJohn Marino /*
15588edacedfSDaniel Fojt * ssl_create_cipher_list may return an empty stack if it was unable to
15598edacedfSDaniel Fojt * find a cipher matching the given rule string (for example if the
15608edacedfSDaniel Fojt * rule string specifies a cipher which has been disabled). This is not
15618edacedfSDaniel Fojt * an error as far as ssl_create_cipher_list is concerned, and hence
15628edacedfSDaniel Fojt * ctx->cipher_list has been updated.
1563f5b1c8a1SJohn Marino */
15648edacedfSDaniel Fojt ciphers = ssl_create_cipher_list(ctx->method, &ctx->cipher_list,
1565*de0e0e4dSAntonio Huete Jimenez ctx->internal->cipher_list_tls13, str, ctx->internal->cert);
15668edacedfSDaniel Fojt if (ciphers == NULL) {
1567f5b1c8a1SJohn Marino return (0);
15688edacedfSDaniel Fojt } else if (sk_SSL_CIPHER_num(ciphers) == 0) {
156972c33676SMaxim Ag SSLerrorx(SSL_R_NO_CIPHER_MATCH);
1570f5b1c8a1SJohn Marino return (0);
1571f5b1c8a1SJohn Marino }
1572f5b1c8a1SJohn Marino return (1);
1573f5b1c8a1SJohn Marino }
1574f5b1c8a1SJohn Marino
15758edacedfSDaniel Fojt int
SSL_CTX_set_ciphersuites(SSL_CTX * ctx,const char * str)15768edacedfSDaniel Fojt SSL_CTX_set_ciphersuites(SSL_CTX *ctx, const char *str)
15778edacedfSDaniel Fojt {
15788edacedfSDaniel Fojt if (!ssl_parse_ciphersuites(&ctx->internal->cipher_list_tls13, str)) {
15798edacedfSDaniel Fojt SSLerrorx(SSL_R_NO_CIPHER_MATCH);
15808edacedfSDaniel Fojt return 0;
15818edacedfSDaniel Fojt }
15828edacedfSDaniel Fojt if (!ssl_merge_cipherlists(ctx->cipher_list,
15838edacedfSDaniel Fojt ctx->internal->cipher_list_tls13, &ctx->cipher_list))
15848edacedfSDaniel Fojt return 0;
15858edacedfSDaniel Fojt
15868edacedfSDaniel Fojt return 1;
15878edacedfSDaniel Fojt }
15888edacedfSDaniel Fojt
1589f5b1c8a1SJohn Marino /* Specify the ciphers to be used by the SSL. */
1590f5b1c8a1SJohn Marino int
SSL_set_cipher_list(SSL * s,const char * str)1591f5b1c8a1SJohn Marino SSL_set_cipher_list(SSL *s, const char *str)
1592f5b1c8a1SJohn Marino {
15938edacedfSDaniel Fojt STACK_OF(SSL_CIPHER) *ciphers, *ciphers_tls13;
1594f5b1c8a1SJohn Marino
15958edacedfSDaniel Fojt if ((ciphers_tls13 = s->internal->cipher_list_tls13) == NULL)
15968edacedfSDaniel Fojt ciphers_tls13 = s->ctx->internal->cipher_list_tls13;
15978edacedfSDaniel Fojt
15988edacedfSDaniel Fojt /* See comment in SSL_CTX_set_cipher_list. */
15998edacedfSDaniel Fojt ciphers = ssl_create_cipher_list(s->ctx->method, &s->cipher_list,
1600*de0e0e4dSAntonio Huete Jimenez ciphers_tls13, str, s->cert);
16018edacedfSDaniel Fojt if (ciphers == NULL) {
1602f5b1c8a1SJohn Marino return (0);
16038edacedfSDaniel Fojt } else if (sk_SSL_CIPHER_num(ciphers) == 0) {
160472c33676SMaxim Ag SSLerror(s, SSL_R_NO_CIPHER_MATCH);
1605f5b1c8a1SJohn Marino return (0);
1606f5b1c8a1SJohn Marino }
1607f5b1c8a1SJohn Marino return (1);
1608f5b1c8a1SJohn Marino }
1609f5b1c8a1SJohn Marino
16108edacedfSDaniel Fojt int
SSL_set_ciphersuites(SSL * s,const char * str)16118edacedfSDaniel Fojt SSL_set_ciphersuites(SSL *s, const char *str)
16128edacedfSDaniel Fojt {
16138edacedfSDaniel Fojt STACK_OF(SSL_CIPHER) *ciphers;
16148edacedfSDaniel Fojt
16158edacedfSDaniel Fojt if ((ciphers = s->cipher_list) == NULL)
16168edacedfSDaniel Fojt ciphers = s->ctx->cipher_list;
16178edacedfSDaniel Fojt
16188edacedfSDaniel Fojt if (!ssl_parse_ciphersuites(&s->internal->cipher_list_tls13, str)) {
16198edacedfSDaniel Fojt SSLerrorx(SSL_R_NO_CIPHER_MATCH);
16208edacedfSDaniel Fojt return (0);
16218edacedfSDaniel Fojt }
16228edacedfSDaniel Fojt if (!ssl_merge_cipherlists(ciphers, s->internal->cipher_list_tls13,
16238edacedfSDaniel Fojt &s->cipher_list))
16248edacedfSDaniel Fojt return 0;
16258edacedfSDaniel Fojt
16268edacedfSDaniel Fojt return 1;
16278edacedfSDaniel Fojt }
16288edacedfSDaniel Fojt
1629f5b1c8a1SJohn Marino char *
SSL_get_shared_ciphers(const SSL * s,char * buf,int len)1630f5b1c8a1SJohn Marino SSL_get_shared_ciphers(const SSL *s, char *buf, int len)
1631f5b1c8a1SJohn Marino {
1632*de0e0e4dSAntonio Huete Jimenez STACK_OF(SSL_CIPHER) *client_ciphers, *server_ciphers;
16338edacedfSDaniel Fojt const SSL_CIPHER *cipher;
1634f5b1c8a1SJohn Marino size_t curlen = 0;
16358edacedfSDaniel Fojt char *end;
1636f5b1c8a1SJohn Marino int i;
1637f5b1c8a1SJohn Marino
1638*de0e0e4dSAntonio Huete Jimenez if (!s->server || s->session == NULL || len < 2)
1639*de0e0e4dSAntonio Huete Jimenez return NULL;
1640f5b1c8a1SJohn Marino
1641*de0e0e4dSAntonio Huete Jimenez if ((client_ciphers = s->session->ciphers) == NULL)
1642*de0e0e4dSAntonio Huete Jimenez return NULL;
1643*de0e0e4dSAntonio Huete Jimenez if ((server_ciphers = SSL_get_ciphers(s)) == NULL)
1644*de0e0e4dSAntonio Huete Jimenez return NULL;
1645*de0e0e4dSAntonio Huete Jimenez if (sk_SSL_CIPHER_num(client_ciphers) == 0 ||
1646*de0e0e4dSAntonio Huete Jimenez sk_SSL_CIPHER_num(server_ciphers) == 0)
1647*de0e0e4dSAntonio Huete Jimenez return NULL;
1648f5b1c8a1SJohn Marino
1649f5b1c8a1SJohn Marino buf[0] = '\0';
1650*de0e0e4dSAntonio Huete Jimenez for (i = 0; i < sk_SSL_CIPHER_num(client_ciphers); i++) {
1651*de0e0e4dSAntonio Huete Jimenez cipher = sk_SSL_CIPHER_value(client_ciphers, i);
1652*de0e0e4dSAntonio Huete Jimenez
1653*de0e0e4dSAntonio Huete Jimenez if (sk_SSL_CIPHER_find(server_ciphers, cipher) < 0)
1654*de0e0e4dSAntonio Huete Jimenez continue;
1655*de0e0e4dSAntonio Huete Jimenez
1656f5b1c8a1SJohn Marino end = buf + curlen;
16578edacedfSDaniel Fojt if (strlcat(buf, cipher->name, len) >= len ||
1658f5b1c8a1SJohn Marino (curlen = strlcat(buf, ":", len)) >= len) {
1659f5b1c8a1SJohn Marino /* remove truncated cipher from list */
1660f5b1c8a1SJohn Marino *end = '\0';
1661f5b1c8a1SJohn Marino break;
1662f5b1c8a1SJohn Marino }
1663f5b1c8a1SJohn Marino }
1664f5b1c8a1SJohn Marino /* remove trailing colon */
1665f5b1c8a1SJohn Marino if ((end = strrchr(buf, ':')) != NULL)
1666f5b1c8a1SJohn Marino *end = '\0';
1667*de0e0e4dSAntonio Huete Jimenez return buf;
1668f5b1c8a1SJohn Marino }
1669f5b1c8a1SJohn Marino
1670f5b1c8a1SJohn Marino /*
1671f5b1c8a1SJohn Marino * Return a servername extension value if provided in Client Hello, or NULL.
1672f5b1c8a1SJohn Marino * So far, only host_name types are defined (RFC 3546).
1673f5b1c8a1SJohn Marino */
1674f5b1c8a1SJohn Marino const char *
SSL_get_servername(const SSL * s,const int type)1675f5b1c8a1SJohn Marino SSL_get_servername(const SSL *s, const int type)
1676f5b1c8a1SJohn Marino {
1677f5b1c8a1SJohn Marino if (type != TLSEXT_NAMETYPE_host_name)
1678f5b1c8a1SJohn Marino return (NULL);
1679f5b1c8a1SJohn Marino
1680f5b1c8a1SJohn Marino return (s->session && !s->tlsext_hostname ?
1681f5b1c8a1SJohn Marino s->session->tlsext_hostname :
1682f5b1c8a1SJohn Marino s->tlsext_hostname);
1683f5b1c8a1SJohn Marino }
1684f5b1c8a1SJohn Marino
1685f5b1c8a1SJohn Marino int
SSL_get_servername_type(const SSL * s)1686f5b1c8a1SJohn Marino SSL_get_servername_type(const SSL *s)
1687f5b1c8a1SJohn Marino {
1688f5b1c8a1SJohn Marino if (s->session &&
1689f5b1c8a1SJohn Marino (!s->tlsext_hostname ?
1690f5b1c8a1SJohn Marino s->session->tlsext_hostname : s->tlsext_hostname))
1691f5b1c8a1SJohn Marino return (TLSEXT_NAMETYPE_host_name);
1692f5b1c8a1SJohn Marino return (-1);
1693f5b1c8a1SJohn Marino }
1694f5b1c8a1SJohn Marino
1695f5b1c8a1SJohn Marino /*
169672c33676SMaxim Ag * SSL_select_next_proto implements standard protocol selection. It is
1697f5b1c8a1SJohn Marino * expected that this function is called from the callback set by
169872c33676SMaxim Ag * SSL_CTX_set_alpn_select_cb.
1699f5b1c8a1SJohn Marino *
1700f5b1c8a1SJohn Marino * The protocol data is assumed to be a vector of 8-bit, length prefixed byte
1701f5b1c8a1SJohn Marino * strings. The length byte itself is not included in the length. A byte
1702f5b1c8a1SJohn Marino * string of length 0 is invalid. No byte string may be truncated.
1703f5b1c8a1SJohn Marino *
170472c33676SMaxim Ag * It returns either:
1705f5b1c8a1SJohn Marino * OPENSSL_NPN_NEGOTIATED if a common protocol was found, or
1706f5b1c8a1SJohn Marino * OPENSSL_NPN_NO_OVERLAP if the fallback case was reached.
1707f5b1c8a1SJohn Marino */
1708f5b1c8a1SJohn Marino int
SSL_select_next_proto(unsigned char ** out,unsigned char * outlen,const unsigned char * server,unsigned int server_len,const unsigned char * client,unsigned int client_len)1709f5b1c8a1SJohn Marino SSL_select_next_proto(unsigned char **out, unsigned char *outlen,
1710f5b1c8a1SJohn Marino const unsigned char *server, unsigned int server_len,
1711f5b1c8a1SJohn Marino const unsigned char *client, unsigned int client_len)
1712f5b1c8a1SJohn Marino {
1713f5b1c8a1SJohn Marino unsigned int i, j;
1714f5b1c8a1SJohn Marino const unsigned char *result;
1715f5b1c8a1SJohn Marino int status = OPENSSL_NPN_UNSUPPORTED;
1716f5b1c8a1SJohn Marino
1717f5b1c8a1SJohn Marino /*
1718f5b1c8a1SJohn Marino * For each protocol in server preference order,
1719f5b1c8a1SJohn Marino * see if we support it.
1720f5b1c8a1SJohn Marino */
1721f5b1c8a1SJohn Marino for (i = 0; i < server_len; ) {
1722f5b1c8a1SJohn Marino for (j = 0; j < client_len; ) {
1723f5b1c8a1SJohn Marino if (server[i] == client[j] &&
1724f5b1c8a1SJohn Marino memcmp(&server[i + 1],
1725f5b1c8a1SJohn Marino &client[j + 1], server[i]) == 0) {
1726f5b1c8a1SJohn Marino /* We found a match */
1727f5b1c8a1SJohn Marino result = &server[i];
1728f5b1c8a1SJohn Marino status = OPENSSL_NPN_NEGOTIATED;
1729f5b1c8a1SJohn Marino goto found;
1730f5b1c8a1SJohn Marino }
1731f5b1c8a1SJohn Marino j += client[j];
1732f5b1c8a1SJohn Marino j++;
1733f5b1c8a1SJohn Marino }
1734f5b1c8a1SJohn Marino i += server[i];
1735f5b1c8a1SJohn Marino i++;
1736f5b1c8a1SJohn Marino }
1737f5b1c8a1SJohn Marino
1738f5b1c8a1SJohn Marino /* There's no overlap between our protocols and the server's list. */
1739f5b1c8a1SJohn Marino result = client;
1740f5b1c8a1SJohn Marino status = OPENSSL_NPN_NO_OVERLAP;
1741f5b1c8a1SJohn Marino
1742f5b1c8a1SJohn Marino found:
1743f5b1c8a1SJohn Marino *out = (unsigned char *) result + 1;
1744f5b1c8a1SJohn Marino *outlen = result[0];
1745f5b1c8a1SJohn Marino return (status);
1746f5b1c8a1SJohn Marino }
1747f5b1c8a1SJohn Marino
174872c33676SMaxim Ag /* SSL_get0_next_proto_negotiated is deprecated. */
1749f5b1c8a1SJohn Marino void
SSL_get0_next_proto_negotiated(const SSL * s,const unsigned char ** data,unsigned int * len)1750f5b1c8a1SJohn Marino SSL_get0_next_proto_negotiated(const SSL *s, const unsigned char **data,
1751cca6fc52SDaniel Fojt unsigned int *len)
1752f5b1c8a1SJohn Marino {
175372c33676SMaxim Ag *data = NULL;
1754f5b1c8a1SJohn Marino *len = 0;
1755f5b1c8a1SJohn Marino }
1756f5b1c8a1SJohn Marino
175772c33676SMaxim Ag /* SSL_CTX_set_next_protos_advertised_cb is deprecated. */
1758f5b1c8a1SJohn Marino void
SSL_CTX_set_next_protos_advertised_cb(SSL_CTX * ctx,int (* cb)(SSL * ssl,const unsigned char ** out,unsigned int * outlen,void * arg),void * arg)1759f5b1c8a1SJohn Marino SSL_CTX_set_next_protos_advertised_cb(SSL_CTX *ctx, int (*cb) (SSL *ssl,
1760f5b1c8a1SJohn Marino const unsigned char **out, unsigned int *outlen, void *arg), void *arg)
1761f5b1c8a1SJohn Marino {
1762f5b1c8a1SJohn Marino }
1763f5b1c8a1SJohn Marino
176472c33676SMaxim Ag /* SSL_CTX_set_next_proto_select_cb is deprecated. */
1765f5b1c8a1SJohn Marino void
SSL_CTX_set_next_proto_select_cb(SSL_CTX * ctx,int (* cb)(SSL * s,unsigned char ** out,unsigned char * outlen,const unsigned char * in,unsigned int inlen,void * arg),void * arg)1766f5b1c8a1SJohn Marino SSL_CTX_set_next_proto_select_cb(SSL_CTX *ctx, int (*cb) (SSL *s,
1767f5b1c8a1SJohn Marino unsigned char **out, unsigned char *outlen, const unsigned char *in,
1768f5b1c8a1SJohn Marino unsigned int inlen, void *arg), void *arg)
1769f5b1c8a1SJohn Marino {
1770f5b1c8a1SJohn Marino }
1771f5b1c8a1SJohn Marino
1772f5b1c8a1SJohn Marino /*
1773f5b1c8a1SJohn Marino * SSL_CTX_set_alpn_protos sets the ALPN protocol list to the specified
1774f5b1c8a1SJohn Marino * protocols, which must be in wire-format (i.e. a series of non-empty,
1775f5b1c8a1SJohn Marino * 8-bit length-prefixed strings). Returns 0 on success.
1776f5b1c8a1SJohn Marino */
1777f5b1c8a1SJohn Marino int
SSL_CTX_set_alpn_protos(SSL_CTX * ctx,const unsigned char * protos,unsigned int protos_len)1778f5b1c8a1SJohn Marino SSL_CTX_set_alpn_protos(SSL_CTX *ctx, const unsigned char *protos,
1779f5b1c8a1SJohn Marino unsigned int protos_len)
1780f5b1c8a1SJohn Marino {
1781*de0e0e4dSAntonio Huete Jimenez CBS cbs;
178272c33676SMaxim Ag int failed = 1;
1783f5b1c8a1SJohn Marino
1784*de0e0e4dSAntonio Huete Jimenez if (protos == NULL)
1785*de0e0e4dSAntonio Huete Jimenez protos_len = 0;
1786*de0e0e4dSAntonio Huete Jimenez
1787*de0e0e4dSAntonio Huete Jimenez CBS_init(&cbs, protos, protos_len);
1788*de0e0e4dSAntonio Huete Jimenez
1789*de0e0e4dSAntonio Huete Jimenez if (protos_len > 0) {
1790*de0e0e4dSAntonio Huete Jimenez if (!tlsext_alpn_check_format(&cbs))
179172c33676SMaxim Ag goto err;
1792*de0e0e4dSAntonio Huete Jimenez }
179372c33676SMaxim Ag
1794*de0e0e4dSAntonio Huete Jimenez if (!CBS_stow(&cbs, &ctx->internal->alpn_client_proto_list,
1795*de0e0e4dSAntonio Huete Jimenez &ctx->internal->alpn_client_proto_list_len))
179672c33676SMaxim Ag goto err;
179772c33676SMaxim Ag
179872c33676SMaxim Ag failed = 0;
179972c33676SMaxim Ag
180072c33676SMaxim Ag err:
180172c33676SMaxim Ag /* NOTE: Return values are the reverse of what you expect. */
1802*de0e0e4dSAntonio Huete Jimenez return failed;
1803f5b1c8a1SJohn Marino }
1804f5b1c8a1SJohn Marino
1805f5b1c8a1SJohn Marino /*
1806f5b1c8a1SJohn Marino * SSL_set_alpn_protos sets the ALPN protocol list to the specified
1807f5b1c8a1SJohn Marino * protocols, which must be in wire-format (i.e. a series of non-empty,
1808f5b1c8a1SJohn Marino * 8-bit length-prefixed strings). Returns 0 on success.
1809f5b1c8a1SJohn Marino */
1810f5b1c8a1SJohn Marino int
SSL_set_alpn_protos(SSL * ssl,const unsigned char * protos,unsigned int protos_len)1811f5b1c8a1SJohn Marino SSL_set_alpn_protos(SSL *ssl, const unsigned char *protos,
1812f5b1c8a1SJohn Marino unsigned int protos_len)
1813f5b1c8a1SJohn Marino {
1814*de0e0e4dSAntonio Huete Jimenez CBS cbs;
181572c33676SMaxim Ag int failed = 1;
1816f5b1c8a1SJohn Marino
1817*de0e0e4dSAntonio Huete Jimenez if (protos == NULL)
1818*de0e0e4dSAntonio Huete Jimenez protos_len = 0;
1819*de0e0e4dSAntonio Huete Jimenez
1820*de0e0e4dSAntonio Huete Jimenez CBS_init(&cbs, protos, protos_len);
1821*de0e0e4dSAntonio Huete Jimenez
1822*de0e0e4dSAntonio Huete Jimenez if (protos_len > 0) {
1823*de0e0e4dSAntonio Huete Jimenez if (!tlsext_alpn_check_format(&cbs))
182472c33676SMaxim Ag goto err;
1825*de0e0e4dSAntonio Huete Jimenez }
182672c33676SMaxim Ag
1827*de0e0e4dSAntonio Huete Jimenez if (!CBS_stow(&cbs, &ssl->internal->alpn_client_proto_list,
1828*de0e0e4dSAntonio Huete Jimenez &ssl->internal->alpn_client_proto_list_len))
182972c33676SMaxim Ag goto err;
183072c33676SMaxim Ag
183172c33676SMaxim Ag failed = 0;
183272c33676SMaxim Ag
183372c33676SMaxim Ag err:
183472c33676SMaxim Ag /* NOTE: Return values are the reverse of what you expect. */
1835*de0e0e4dSAntonio Huete Jimenez return failed;
1836f5b1c8a1SJohn Marino }
1837f5b1c8a1SJohn Marino
1838f5b1c8a1SJohn Marino /*
1839f5b1c8a1SJohn Marino * SSL_CTX_set_alpn_select_cb sets a callback function that is called during
1840f5b1c8a1SJohn Marino * ClientHello processing in order to select an ALPN protocol from the
1841f5b1c8a1SJohn Marino * client's list of offered protocols.
1842f5b1c8a1SJohn Marino */
1843f5b1c8a1SJohn Marino void
SSL_CTX_set_alpn_select_cb(SSL_CTX * ctx,int (* cb)(SSL * ssl,const unsigned char ** out,unsigned char * outlen,const unsigned char * in,unsigned int inlen,void * arg),void * arg)1844f5b1c8a1SJohn Marino SSL_CTX_set_alpn_select_cb(SSL_CTX* ctx,
1845f5b1c8a1SJohn Marino int (*cb) (SSL *ssl, const unsigned char **out, unsigned char *outlen,
1846f5b1c8a1SJohn Marino const unsigned char *in, unsigned int inlen, void *arg), void *arg)
1847f5b1c8a1SJohn Marino {
184872c33676SMaxim Ag ctx->internal->alpn_select_cb = cb;
184972c33676SMaxim Ag ctx->internal->alpn_select_cb_arg = arg;
1850f5b1c8a1SJohn Marino }
1851f5b1c8a1SJohn Marino
1852f5b1c8a1SJohn Marino /*
1853f5b1c8a1SJohn Marino * SSL_get0_alpn_selected gets the selected ALPN protocol (if any). On return
1854f5b1c8a1SJohn Marino * it sets data to point to len bytes of protocol name (not including the
1855f5b1c8a1SJohn Marino * leading length-prefix byte). If the server didn't respond with* a negotiated
1856f5b1c8a1SJohn Marino * protocol then len will be zero.
1857f5b1c8a1SJohn Marino */
1858f5b1c8a1SJohn Marino void
SSL_get0_alpn_selected(const SSL * ssl,const unsigned char ** data,unsigned int * len)1859f5b1c8a1SJohn Marino SSL_get0_alpn_selected(const SSL *ssl, const unsigned char **data,
1860cca6fc52SDaniel Fojt unsigned int *len)
1861f5b1c8a1SJohn Marino {
1862*de0e0e4dSAntonio Huete Jimenez *data = ssl->s3->alpn_selected;
1863*de0e0e4dSAntonio Huete Jimenez *len = ssl->s3->alpn_selected_len;
1864*de0e0e4dSAntonio Huete Jimenez }
1865f5b1c8a1SJohn Marino
1866*de0e0e4dSAntonio Huete Jimenez void
SSL_set_psk_use_session_callback(SSL * s,SSL_psk_use_session_cb_func cb)1867*de0e0e4dSAntonio Huete Jimenez SSL_set_psk_use_session_callback(SSL *s, SSL_psk_use_session_cb_func cb)
1868*de0e0e4dSAntonio Huete Jimenez {
1869*de0e0e4dSAntonio Huete Jimenez return;
1870f5b1c8a1SJohn Marino }
1871f5b1c8a1SJohn Marino
1872f5b1c8a1SJohn Marino int
SSL_export_keying_material(SSL * s,unsigned char * out,size_t olen,const char * label,size_t llen,const unsigned char * p,size_t plen,int use_context)1873f5b1c8a1SJohn Marino SSL_export_keying_material(SSL *s, unsigned char *out, size_t olen,
1874f5b1c8a1SJohn Marino const char *label, size_t llen, const unsigned char *p, size_t plen,
1875f5b1c8a1SJohn Marino int use_context)
1876f5b1c8a1SJohn Marino {
18772eb7d3b8SDaniel Fojt if (s->internal->tls13 != NULL && s->version == TLS1_3_VERSION) {
18782eb7d3b8SDaniel Fojt if (!use_context) {
18792eb7d3b8SDaniel Fojt p = NULL;
18802eb7d3b8SDaniel Fojt plen = 0;
18812eb7d3b8SDaniel Fojt }
18822eb7d3b8SDaniel Fojt return tls13_exporter(s->internal->tls13, label, llen, p, plen,
18832eb7d3b8SDaniel Fojt out, olen);
18842eb7d3b8SDaniel Fojt }
18852eb7d3b8SDaniel Fojt
18862eb7d3b8SDaniel Fojt return (tls1_export_keying_material(s, out, olen, label, llen, p, plen,
18872eb7d3b8SDaniel Fojt use_context));
1888f5b1c8a1SJohn Marino }
1889f5b1c8a1SJohn Marino
1890f5b1c8a1SJohn Marino static unsigned long
ssl_session_hash(const SSL_SESSION * a)1891f5b1c8a1SJohn Marino ssl_session_hash(const SSL_SESSION *a)
1892f5b1c8a1SJohn Marino {
1893f5b1c8a1SJohn Marino unsigned long l;
1894f5b1c8a1SJohn Marino
1895f5b1c8a1SJohn Marino l = (unsigned long)
1896f5b1c8a1SJohn Marino ((unsigned int) a->session_id[0] )|
1897f5b1c8a1SJohn Marino ((unsigned int) a->session_id[1]<< 8L)|
1898f5b1c8a1SJohn Marino ((unsigned long)a->session_id[2]<<16L)|
1899f5b1c8a1SJohn Marino ((unsigned long)a->session_id[3]<<24L);
1900f5b1c8a1SJohn Marino return (l);
1901f5b1c8a1SJohn Marino }
1902f5b1c8a1SJohn Marino
1903f5b1c8a1SJohn Marino /*
1904f5b1c8a1SJohn Marino * NB: If this function (or indeed the hash function which uses a sort of
1905f5b1c8a1SJohn Marino * coarser function than this one) is changed, ensure
1906f5b1c8a1SJohn Marino * SSL_CTX_has_matching_session_id() is checked accordingly. It relies on being
1907f5b1c8a1SJohn Marino * able to construct an SSL_SESSION that will collide with any existing session
1908f5b1c8a1SJohn Marino * with a matching session ID.
1909f5b1c8a1SJohn Marino */
1910f5b1c8a1SJohn Marino static int
ssl_session_cmp(const SSL_SESSION * a,const SSL_SESSION * b)1911f5b1c8a1SJohn Marino ssl_session_cmp(const SSL_SESSION *a, const SSL_SESSION *b)
1912f5b1c8a1SJohn Marino {
1913f5b1c8a1SJohn Marino if (a->ssl_version != b->ssl_version)
1914f5b1c8a1SJohn Marino return (1);
1915f5b1c8a1SJohn Marino if (a->session_id_length != b->session_id_length)
1916f5b1c8a1SJohn Marino return (1);
1917f5b1c8a1SJohn Marino if (timingsafe_memcmp(a->session_id, b->session_id, a->session_id_length) != 0)
1918f5b1c8a1SJohn Marino return (1);
1919f5b1c8a1SJohn Marino return (0);
1920f5b1c8a1SJohn Marino }
1921f5b1c8a1SJohn Marino
1922f5b1c8a1SJohn Marino /*
1923f5b1c8a1SJohn Marino * These wrapper functions should remain rather than redeclaring
1924f5b1c8a1SJohn Marino * SSL_SESSION_hash and SSL_SESSION_cmp for void* types and casting each
1925f5b1c8a1SJohn Marino * variable. The reason is that the functions aren't static, they're exposed via
1926f5b1c8a1SJohn Marino * ssl.h.
1927f5b1c8a1SJohn Marino */
192872c33676SMaxim Ag static unsigned long
ssl_session_LHASH_HASH(const void * arg)192972c33676SMaxim Ag ssl_session_LHASH_HASH(const void *arg)
193072c33676SMaxim Ag {
193172c33676SMaxim Ag const SSL_SESSION *a = arg;
193272c33676SMaxim Ag
193372c33676SMaxim Ag return ssl_session_hash(a);
193472c33676SMaxim Ag }
193572c33676SMaxim Ag
193672c33676SMaxim Ag static int
ssl_session_LHASH_COMP(const void * arg1,const void * arg2)193772c33676SMaxim Ag ssl_session_LHASH_COMP(const void *arg1, const void *arg2)
193872c33676SMaxim Ag {
193972c33676SMaxim Ag const SSL_SESSION *a = arg1;
194072c33676SMaxim Ag const SSL_SESSION *b = arg2;
194172c33676SMaxim Ag
194272c33676SMaxim Ag return ssl_session_cmp(a, b);
194372c33676SMaxim Ag }
1944f5b1c8a1SJohn Marino
1945f5b1c8a1SJohn Marino SSL_CTX *
SSL_CTX_new(const SSL_METHOD * meth)1946f5b1c8a1SJohn Marino SSL_CTX_new(const SSL_METHOD *meth)
1947f5b1c8a1SJohn Marino {
194872c33676SMaxim Ag SSL_CTX *ret;
194972c33676SMaxim Ag
195072c33676SMaxim Ag if (!OPENSSL_init_ssl(0, NULL)) {
195172c33676SMaxim Ag SSLerrorx(SSL_R_LIBRARY_BUG);
195272c33676SMaxim Ag return (NULL);
195372c33676SMaxim Ag }
1954f5b1c8a1SJohn Marino
1955f5b1c8a1SJohn Marino if (meth == NULL) {
195672c33676SMaxim Ag SSLerrorx(SSL_R_NULL_SSL_METHOD_PASSED);
195772c33676SMaxim Ag return (NULL);
195872c33676SMaxim Ag }
195972c33676SMaxim Ag
196072c33676SMaxim Ag if ((ret = calloc(1, sizeof(*ret))) == NULL) {
196172c33676SMaxim Ag SSLerrorx(ERR_R_MALLOC_FAILURE);
196272c33676SMaxim Ag return (NULL);
196372c33676SMaxim Ag }
196472c33676SMaxim Ag if ((ret->internal = calloc(1, sizeof(*ret->internal))) == NULL) {
196572c33676SMaxim Ag free(ret);
196672c33676SMaxim Ag SSLerrorx(ERR_R_MALLOC_FAILURE);
1967f5b1c8a1SJohn Marino return (NULL);
1968f5b1c8a1SJohn Marino }
1969f5b1c8a1SJohn Marino
1970f5b1c8a1SJohn Marino if (SSL_get_ex_data_X509_STORE_CTX_idx() < 0) {
197172c33676SMaxim Ag SSLerrorx(SSL_R_X509_VERIFICATION_SETUP_PROBLEMS);
1972f5b1c8a1SJohn Marino goto err;
1973f5b1c8a1SJohn Marino }
1974f5b1c8a1SJohn Marino
1975f5b1c8a1SJohn Marino ret->method = meth;
1976*de0e0e4dSAntonio Huete Jimenez ret->internal->min_tls_version = meth->min_tls_version;
1977*de0e0e4dSAntonio Huete Jimenez ret->internal->max_tls_version = meth->max_tls_version;
1978*de0e0e4dSAntonio Huete Jimenez ret->internal->min_proto_version = 0;
1979*de0e0e4dSAntonio Huete Jimenez ret->internal->max_proto_version = 0;
19808edacedfSDaniel Fojt ret->internal->mode = SSL_MODE_AUTO_RETRY;
1981f5b1c8a1SJohn Marino
1982f5b1c8a1SJohn Marino ret->cert_store = NULL;
198372c33676SMaxim Ag ret->internal->session_cache_mode = SSL_SESS_CACHE_SERVER;
198472c33676SMaxim Ag ret->internal->session_cache_size = SSL_SESSION_CACHE_MAX_SIZE_DEFAULT;
198572c33676SMaxim Ag ret->internal->session_cache_head = NULL;
198672c33676SMaxim Ag ret->internal->session_cache_tail = NULL;
1987f5b1c8a1SJohn Marino
1988f5b1c8a1SJohn Marino /* We take the system default */
19898edacedfSDaniel Fojt ret->session_timeout = ssl_get_default_timeout();
1990f5b1c8a1SJohn Marino
199172c33676SMaxim Ag ret->internal->new_session_cb = 0;
199272c33676SMaxim Ag ret->internal->remove_session_cb = 0;
199372c33676SMaxim Ag ret->internal->get_session_cb = 0;
199472c33676SMaxim Ag ret->internal->generate_session_id = 0;
1995f5b1c8a1SJohn Marino
199672c33676SMaxim Ag memset((char *)&ret->internal->stats, 0, sizeof(ret->internal->stats));
1997f5b1c8a1SJohn Marino
1998f5b1c8a1SJohn Marino ret->references = 1;
199972c33676SMaxim Ag ret->internal->quiet_shutdown = 0;
2000f5b1c8a1SJohn Marino
200172c33676SMaxim Ag ret->internal->info_callback = NULL;
2002f5b1c8a1SJohn Marino
200372c33676SMaxim Ag ret->internal->app_verify_callback = 0;
200472c33676SMaxim Ag ret->internal->app_verify_arg = NULL;
2005f5b1c8a1SJohn Marino
200672c33676SMaxim Ag ret->internal->max_cert_list = SSL_MAX_CERT_LIST_DEFAULT;
200772c33676SMaxim Ag ret->internal->read_ahead = 0;
200872c33676SMaxim Ag ret->internal->msg_callback = 0;
200972c33676SMaxim Ag ret->internal->msg_callback_arg = NULL;
2010f5b1c8a1SJohn Marino ret->verify_mode = SSL_VERIFY_NONE;
2011f5b1c8a1SJohn Marino ret->sid_ctx_length = 0;
201272c33676SMaxim Ag ret->internal->default_verify_callback = NULL;
201372c33676SMaxim Ag
201472c33676SMaxim Ag if ((ret->internal->cert = ssl_cert_new()) == NULL)
2015f5b1c8a1SJohn Marino goto err;
2016f5b1c8a1SJohn Marino
2017f5b1c8a1SJohn Marino ret->default_passwd_callback = 0;
2018f5b1c8a1SJohn Marino ret->default_passwd_callback_userdata = NULL;
201972c33676SMaxim Ag ret->internal->client_cert_cb = 0;
202072c33676SMaxim Ag ret->internal->app_gen_cookie_cb = 0;
202172c33676SMaxim Ag ret->internal->app_verify_cookie_cb = 0;
2022f5b1c8a1SJohn Marino
202372c33676SMaxim Ag ret->internal->sessions = lh_SSL_SESSION_new();
202472c33676SMaxim Ag if (ret->internal->sessions == NULL)
2025f5b1c8a1SJohn Marino goto err;
2026f5b1c8a1SJohn Marino ret->cert_store = X509_STORE_new();
2027f5b1c8a1SJohn Marino if (ret->cert_store == NULL)
2028f5b1c8a1SJohn Marino goto err;
2029f5b1c8a1SJohn Marino
2030f5b1c8a1SJohn Marino ssl_create_cipher_list(ret->method, &ret->cipher_list,
2031*de0e0e4dSAntonio Huete Jimenez NULL, SSL_DEFAULT_CIPHER_LIST, ret->internal->cert);
2032f5b1c8a1SJohn Marino if (ret->cipher_list == NULL ||
2033f5b1c8a1SJohn Marino sk_SSL_CIPHER_num(ret->cipher_list) <= 0) {
203472c33676SMaxim Ag SSLerrorx(SSL_R_LIBRARY_HAS_NO_CIPHERS);
2035f5b1c8a1SJohn Marino goto err2;
2036f5b1c8a1SJohn Marino }
2037f5b1c8a1SJohn Marino
2038f5b1c8a1SJohn Marino ret->param = X509_VERIFY_PARAM_new();
2039f5b1c8a1SJohn Marino if (!ret->param)
2040f5b1c8a1SJohn Marino goto err;
2041f5b1c8a1SJohn Marino
204272c33676SMaxim Ag if ((ret->internal->client_CA = sk_X509_NAME_new_null()) == NULL)
2043f5b1c8a1SJohn Marino goto err;
2044f5b1c8a1SJohn Marino
204572c33676SMaxim Ag CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL_CTX, ret, &ret->internal->ex_data);
2046f5b1c8a1SJohn Marino
2047f5b1c8a1SJohn Marino ret->extra_certs = NULL;
2048f5b1c8a1SJohn Marino
204972c33676SMaxim Ag ret->internal->max_send_fragment = SSL3_RT_MAX_PLAIN_LENGTH;
2050f5b1c8a1SJohn Marino
205172c33676SMaxim Ag ret->internal->tlsext_servername_callback = 0;
205272c33676SMaxim Ag ret->internal->tlsext_servername_arg = NULL;
2053f5b1c8a1SJohn Marino
2054f5b1c8a1SJohn Marino /* Setup RFC4507 ticket keys */
205572c33676SMaxim Ag arc4random_buf(ret->internal->tlsext_tick_key_name, 16);
205672c33676SMaxim Ag arc4random_buf(ret->internal->tlsext_tick_hmac_key, 16);
205772c33676SMaxim Ag arc4random_buf(ret->internal->tlsext_tick_aes_key, 16);
2058f5b1c8a1SJohn Marino
205972c33676SMaxim Ag ret->internal->tlsext_status_cb = 0;
206072c33676SMaxim Ag ret->internal->tlsext_status_arg = NULL;
2061f5b1c8a1SJohn Marino
2062f5b1c8a1SJohn Marino #ifndef OPENSSL_NO_ENGINE
206372c33676SMaxim Ag ret->internal->client_cert_engine = NULL;
2064f5b1c8a1SJohn Marino #ifdef OPENSSL_SSL_CLIENT_ENGINE_AUTO
2065f5b1c8a1SJohn Marino #define eng_strx(x) #x
2066f5b1c8a1SJohn Marino #define eng_str(x) eng_strx(x)
2067f5b1c8a1SJohn Marino /* Use specific client engine automatically... ignore errors */
2068f5b1c8a1SJohn Marino {
2069f5b1c8a1SJohn Marino ENGINE *eng;
2070f5b1c8a1SJohn Marino eng = ENGINE_by_id(eng_str(OPENSSL_SSL_CLIENT_ENGINE_AUTO));
2071f5b1c8a1SJohn Marino if (!eng) {
2072f5b1c8a1SJohn Marino ERR_clear_error();
2073f5b1c8a1SJohn Marino ENGINE_load_builtin_engines();
2074f5b1c8a1SJohn Marino eng = ENGINE_by_id(eng_str(
2075f5b1c8a1SJohn Marino OPENSSL_SSL_CLIENT_ENGINE_AUTO));
2076f5b1c8a1SJohn Marino }
2077f5b1c8a1SJohn Marino if (!eng || !SSL_CTX_set_client_cert_engine(ret, eng))
2078f5b1c8a1SJohn Marino ERR_clear_error();
2079f5b1c8a1SJohn Marino }
2080f5b1c8a1SJohn Marino #endif
2081f5b1c8a1SJohn Marino #endif
2082f5b1c8a1SJohn Marino /*
2083f5b1c8a1SJohn Marino * Default is to connect to non-RI servers. When RI is more widely
2084f5b1c8a1SJohn Marino * deployed might change this.
2085f5b1c8a1SJohn Marino */
208672c33676SMaxim Ag ret->internal->options |= SSL_OP_LEGACY_SERVER_CONNECT;
2087f5b1c8a1SJohn Marino
2088f5b1c8a1SJohn Marino return (ret);
2089f5b1c8a1SJohn Marino err:
209072c33676SMaxim Ag SSLerrorx(ERR_R_MALLOC_FAILURE);
2091f5b1c8a1SJohn Marino err2:
2092f5b1c8a1SJohn Marino SSL_CTX_free(ret);
2093f5b1c8a1SJohn Marino return (NULL);
2094f5b1c8a1SJohn Marino }
2095f5b1c8a1SJohn Marino
2096f5b1c8a1SJohn Marino void
SSL_CTX_free(SSL_CTX * ctx)209772c33676SMaxim Ag SSL_CTX_free(SSL_CTX *ctx)
2098f5b1c8a1SJohn Marino {
2099f5b1c8a1SJohn Marino int i;
2100f5b1c8a1SJohn Marino
210172c33676SMaxim Ag if (ctx == NULL)
2102f5b1c8a1SJohn Marino return;
2103f5b1c8a1SJohn Marino
210472c33676SMaxim Ag i = CRYPTO_add(&ctx->references, -1, CRYPTO_LOCK_SSL_CTX);
2105f5b1c8a1SJohn Marino if (i > 0)
2106f5b1c8a1SJohn Marino return;
2107f5b1c8a1SJohn Marino
210872c33676SMaxim Ag X509_VERIFY_PARAM_free(ctx->param);
2109f5b1c8a1SJohn Marino
2110f5b1c8a1SJohn Marino /*
2111f5b1c8a1SJohn Marino * Free internal session cache. However: the remove_cb() may reference
2112f5b1c8a1SJohn Marino * the ex_data of SSL_CTX, thus the ex_data store can only be removed
2113f5b1c8a1SJohn Marino * after the sessions were flushed.
2114f5b1c8a1SJohn Marino * As the ex_data handling routines might also touch the session cache,
2115f5b1c8a1SJohn Marino * the most secure solution seems to be: empty (flush) the cache, then
2116f5b1c8a1SJohn Marino * free ex_data, then finally free the cache.
2117f5b1c8a1SJohn Marino * (See ticket [openssl.org #212].)
2118f5b1c8a1SJohn Marino */
211972c33676SMaxim Ag if (ctx->internal->sessions != NULL)
212072c33676SMaxim Ag SSL_CTX_flush_sessions(ctx, 0);
2121f5b1c8a1SJohn Marino
212272c33676SMaxim Ag CRYPTO_free_ex_data(CRYPTO_EX_INDEX_SSL_CTX, ctx, &ctx->internal->ex_data);
2123f5b1c8a1SJohn Marino
212472c33676SMaxim Ag lh_SSL_SESSION_free(ctx->internal->sessions);
2125f5b1c8a1SJohn Marino
212672c33676SMaxim Ag X509_STORE_free(ctx->cert_store);
212772c33676SMaxim Ag sk_SSL_CIPHER_free(ctx->cipher_list);
21288edacedfSDaniel Fojt sk_SSL_CIPHER_free(ctx->internal->cipher_list_tls13);
212972c33676SMaxim Ag ssl_cert_free(ctx->internal->cert);
213072c33676SMaxim Ag sk_X509_NAME_pop_free(ctx->internal->client_CA, X509_NAME_free);
213172c33676SMaxim Ag sk_X509_pop_free(ctx->extra_certs, X509_free);
2132f5b1c8a1SJohn Marino
2133f5b1c8a1SJohn Marino #ifndef OPENSSL_NO_SRTP
213472c33676SMaxim Ag if (ctx->internal->srtp_profiles)
213572c33676SMaxim Ag sk_SRTP_PROTECTION_PROFILE_free(ctx->internal->srtp_profiles);
2136f5b1c8a1SJohn Marino #endif
2137f5b1c8a1SJohn Marino
2138f5b1c8a1SJohn Marino #ifndef OPENSSL_NO_ENGINE
213972c33676SMaxim Ag ENGINE_finish(ctx->internal->client_cert_engine);
2140f5b1c8a1SJohn Marino #endif
2141f5b1c8a1SJohn Marino
214272c33676SMaxim Ag free(ctx->internal->tlsext_ecpointformatlist);
214372c33676SMaxim Ag free(ctx->internal->tlsext_supportedgroups);
2144f5b1c8a1SJohn Marino
214572c33676SMaxim Ag free(ctx->internal->alpn_client_proto_list);
214672c33676SMaxim Ag
214772c33676SMaxim Ag free(ctx->internal);
214872c33676SMaxim Ag free(ctx);
214972c33676SMaxim Ag }
215072c33676SMaxim Ag
215172c33676SMaxim Ag int
SSL_CTX_up_ref(SSL_CTX * ctx)215272c33676SMaxim Ag SSL_CTX_up_ref(SSL_CTX *ctx)
215372c33676SMaxim Ag {
215472c33676SMaxim Ag int refs = CRYPTO_add(&ctx->references, 1, CRYPTO_LOCK_SSL_CTX);
215572c33676SMaxim Ag return ((refs > 1) ? 1 : 0);
215672c33676SMaxim Ag }
215772c33676SMaxim Ag
215872c33676SMaxim Ag pem_password_cb *
SSL_CTX_get_default_passwd_cb(SSL_CTX * ctx)215972c33676SMaxim Ag SSL_CTX_get_default_passwd_cb(SSL_CTX *ctx)
216072c33676SMaxim Ag {
216172c33676SMaxim Ag return (ctx->default_passwd_callback);
2162f5b1c8a1SJohn Marino }
2163f5b1c8a1SJohn Marino
2164f5b1c8a1SJohn Marino void
SSL_CTX_set_default_passwd_cb(SSL_CTX * ctx,pem_password_cb * cb)2165f5b1c8a1SJohn Marino SSL_CTX_set_default_passwd_cb(SSL_CTX *ctx, pem_password_cb *cb)
2166f5b1c8a1SJohn Marino {
2167f5b1c8a1SJohn Marino ctx->default_passwd_callback = cb;
2168f5b1c8a1SJohn Marino }
2169f5b1c8a1SJohn Marino
217072c33676SMaxim Ag void *
SSL_CTX_get_default_passwd_cb_userdata(SSL_CTX * ctx)217172c33676SMaxim Ag SSL_CTX_get_default_passwd_cb_userdata(SSL_CTX *ctx)
217272c33676SMaxim Ag {
217372c33676SMaxim Ag return ctx->default_passwd_callback_userdata;
217472c33676SMaxim Ag }
217572c33676SMaxim Ag
2176f5b1c8a1SJohn Marino void
SSL_CTX_set_default_passwd_cb_userdata(SSL_CTX * ctx,void * u)2177f5b1c8a1SJohn Marino SSL_CTX_set_default_passwd_cb_userdata(SSL_CTX *ctx, void *u)
2178f5b1c8a1SJohn Marino {
2179f5b1c8a1SJohn Marino ctx->default_passwd_callback_userdata = u;
2180f5b1c8a1SJohn Marino }
2181f5b1c8a1SJohn Marino
2182f5b1c8a1SJohn Marino void
SSL_CTX_set_cert_verify_callback(SSL_CTX * ctx,int (* cb)(X509_STORE_CTX *,void *),void * arg)21838edacedfSDaniel Fojt SSL_CTX_set_cert_verify_callback(SSL_CTX *ctx,
21848edacedfSDaniel Fojt int (*cb)(X509_STORE_CTX *, void *), void *arg)
2185f5b1c8a1SJohn Marino {
218672c33676SMaxim Ag ctx->internal->app_verify_callback = cb;
218772c33676SMaxim Ag ctx->internal->app_verify_arg = arg;
2188f5b1c8a1SJohn Marino }
2189f5b1c8a1SJohn Marino
2190f5b1c8a1SJohn Marino void
SSL_CTX_set_verify(SSL_CTX * ctx,int mode,int (* cb)(int,X509_STORE_CTX *))2191f5b1c8a1SJohn Marino SSL_CTX_set_verify(SSL_CTX *ctx, int mode, int (*cb)(int, X509_STORE_CTX *))
2192f5b1c8a1SJohn Marino {
2193f5b1c8a1SJohn Marino ctx->verify_mode = mode;
219472c33676SMaxim Ag ctx->internal->default_verify_callback = cb;
2195f5b1c8a1SJohn Marino }
2196f5b1c8a1SJohn Marino
2197f5b1c8a1SJohn Marino void
SSL_CTX_set_verify_depth(SSL_CTX * ctx,int depth)2198f5b1c8a1SJohn Marino SSL_CTX_set_verify_depth(SSL_CTX *ctx, int depth)
2199f5b1c8a1SJohn Marino {
2200f5b1c8a1SJohn Marino X509_VERIFY_PARAM_set_depth(ctx->param, depth);
2201f5b1c8a1SJohn Marino }
2202f5b1c8a1SJohn Marino
2203f5b1c8a1SJohn Marino void
ssl_set_cert_masks(SSL_CERT * c,const SSL_CIPHER * cipher)2204*de0e0e4dSAntonio Huete Jimenez ssl_set_cert_masks(SSL_CERT *c, const SSL_CIPHER *cipher)
2205f5b1c8a1SJohn Marino {
22068edacedfSDaniel Fojt unsigned long mask_a, mask_k;
2207*de0e0e4dSAntonio Huete Jimenez SSL_CERT_PKEY *cpk;
2208f5b1c8a1SJohn Marino
2209f5b1c8a1SJohn Marino if (c == NULL)
2210f5b1c8a1SJohn Marino return;
2211f5b1c8a1SJohn Marino
22128edacedfSDaniel Fojt mask_a = SSL_aNULL | SSL_aTLS1_3;
22138edacedfSDaniel Fojt mask_k = SSL_kECDHE | SSL_kTLS1_3;
2214f5b1c8a1SJohn Marino
2215*de0e0e4dSAntonio Huete Jimenez if (c->dhe_params != NULL || c->dhe_params_cb != NULL ||
2216*de0e0e4dSAntonio Huete Jimenez c->dhe_params_auto != 0)
22178edacedfSDaniel Fojt mask_k |= SSL_kDHE;
22188edacedfSDaniel Fojt
2219f5b1c8a1SJohn Marino cpk = &(c->pkeys[SSL_PKEY_ECC]);
22208edacedfSDaniel Fojt if (cpk->x509 != NULL && cpk->privatekey != NULL) {
2221*de0e0e4dSAntonio Huete Jimenez /* Key usage, if present, must allow signing. */
2222*de0e0e4dSAntonio Huete Jimenez if (X509_get_key_usage(cpk->x509) & X509v3_KU_DIGITAL_SIGNATURE)
22238edacedfSDaniel Fojt mask_a |= SSL_aECDSA;
22248edacedfSDaniel Fojt }
2225f5b1c8a1SJohn Marino
2226f5b1c8a1SJohn Marino cpk = &(c->pkeys[SSL_PKEY_GOST01]);
2227f5b1c8a1SJohn Marino if (cpk->x509 != NULL && cpk->privatekey != NULL) {
2228f5b1c8a1SJohn Marino mask_k |= SSL_kGOST;
2229f5b1c8a1SJohn Marino mask_a |= SSL_aGOST01;
2230f5b1c8a1SJohn Marino }
2231f5b1c8a1SJohn Marino
22328edacedfSDaniel Fojt cpk = &(c->pkeys[SSL_PKEY_RSA]);
22338edacedfSDaniel Fojt if (cpk->x509 != NULL && cpk->privatekey != NULL) {
2234f5b1c8a1SJohn Marino mask_a |= SSL_aRSA;
22358edacedfSDaniel Fojt mask_k |= SSL_kRSA;
2236f5b1c8a1SJohn Marino }
2237f5b1c8a1SJohn Marino
2238f5b1c8a1SJohn Marino c->mask_k = mask_k;
2239f5b1c8a1SJohn Marino c->mask_a = mask_a;
2240f5b1c8a1SJohn Marino c->valid = 1;
2241f5b1c8a1SJohn Marino }
2242f5b1c8a1SJohn Marino
224372c33676SMaxim Ag /* See if this handshake is using an ECC cipher suite. */
224472c33676SMaxim Ag int
ssl_using_ecc_cipher(SSL * s)224572c33676SMaxim Ag ssl_using_ecc_cipher(SSL *s)
224672c33676SMaxim Ag {
224772c33676SMaxim Ag unsigned long alg_a, alg_k;
2248f5b1c8a1SJohn Marino
2249*de0e0e4dSAntonio Huete Jimenez alg_a = s->s3->hs.cipher->algorithm_auth;
2250*de0e0e4dSAntonio Huete Jimenez alg_k = s->s3->hs.cipher->algorithm_mkey;
225172c33676SMaxim Ag
2252*de0e0e4dSAntonio Huete Jimenez return s->session->tlsext_ecpointformatlist != NULL &&
2253*de0e0e4dSAntonio Huete Jimenez s->session->tlsext_ecpointformatlist_length > 0 &&
225472c33676SMaxim Ag ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA));
225572c33676SMaxim Ag }
2256f5b1c8a1SJohn Marino
2257f5b1c8a1SJohn Marino int
ssl_check_srvr_ecc_cert_and_alg(SSL * s,X509 * x)2258*de0e0e4dSAntonio Huete Jimenez ssl_check_srvr_ecc_cert_and_alg(SSL *s, X509 *x)
2259f5b1c8a1SJohn Marino {
2260*de0e0e4dSAntonio Huete Jimenez const SSL_CIPHER *cs = s->s3->hs.cipher;
226172c33676SMaxim Ag unsigned long alg_a;
2262f5b1c8a1SJohn Marino
2263f5b1c8a1SJohn Marino alg_a = cs->algorithm_auth;
2264f5b1c8a1SJohn Marino
2265f5b1c8a1SJohn Marino if (alg_a & SSL_aECDSA) {
226672c33676SMaxim Ag /* Key usage, if present, must allow signing. */
2267*de0e0e4dSAntonio Huete Jimenez if (!(X509_get_key_usage(x) & X509v3_KU_DIGITAL_SIGNATURE)) {
226872c33676SMaxim Ag SSLerror(s, SSL_R_ECC_CERT_NOT_FOR_SIGNING);
2269f5b1c8a1SJohn Marino return (0);
2270f5b1c8a1SJohn Marino }
2271f5b1c8a1SJohn Marino }
2272f5b1c8a1SJohn Marino
2273f5b1c8a1SJohn Marino return (1);
2274f5b1c8a1SJohn Marino }
2275f5b1c8a1SJohn Marino
2276*de0e0e4dSAntonio Huete Jimenez SSL_CERT_PKEY *
ssl_get_server_send_pkey(const SSL * s)2277f5b1c8a1SJohn Marino ssl_get_server_send_pkey(const SSL *s)
2278f5b1c8a1SJohn Marino {
227972c33676SMaxim Ag unsigned long alg_a;
2280*de0e0e4dSAntonio Huete Jimenez SSL_CERT *c;
2281f5b1c8a1SJohn Marino int i;
2282f5b1c8a1SJohn Marino
2283f5b1c8a1SJohn Marino c = s->cert;
2284*de0e0e4dSAntonio Huete Jimenez ssl_set_cert_masks(c, s->s3->hs.cipher);
2285f5b1c8a1SJohn Marino
2286*de0e0e4dSAntonio Huete Jimenez alg_a = s->s3->hs.cipher->algorithm_auth;
2287f5b1c8a1SJohn Marino
228872c33676SMaxim Ag if (alg_a & SSL_aECDSA) {
2289f5b1c8a1SJohn Marino i = SSL_PKEY_ECC;
2290f5b1c8a1SJohn Marino } else if (alg_a & SSL_aRSA) {
22918edacedfSDaniel Fojt i = SSL_PKEY_RSA;
2292f5b1c8a1SJohn Marino } else if (alg_a & SSL_aGOST01) {
2293f5b1c8a1SJohn Marino i = SSL_PKEY_GOST01;
2294f5b1c8a1SJohn Marino } else { /* if (alg_a & SSL_aNULL) */
229572c33676SMaxim Ag SSLerror(s, ERR_R_INTERNAL_ERROR);
2296f5b1c8a1SJohn Marino return (NULL);
2297f5b1c8a1SJohn Marino }
2298f5b1c8a1SJohn Marino
2299f5b1c8a1SJohn Marino return (c->pkeys + i);
2300f5b1c8a1SJohn Marino }
2301f5b1c8a1SJohn Marino
2302f5b1c8a1SJohn Marino EVP_PKEY *
ssl_get_sign_pkey(SSL * s,const SSL_CIPHER * cipher,const EVP_MD ** pmd,const struct ssl_sigalg ** sap)230372c33676SMaxim Ag ssl_get_sign_pkey(SSL *s, const SSL_CIPHER *cipher, const EVP_MD **pmd,
230472c33676SMaxim Ag const struct ssl_sigalg **sap)
2305f5b1c8a1SJohn Marino {
230672c33676SMaxim Ag const struct ssl_sigalg *sigalg = NULL;
230772c33676SMaxim Ag EVP_PKEY *pkey = NULL;
2308f5b1c8a1SJohn Marino unsigned long alg_a;
2309*de0e0e4dSAntonio Huete Jimenez SSL_CERT *c;
2310f5b1c8a1SJohn Marino int idx = -1;
2311f5b1c8a1SJohn Marino
2312f5b1c8a1SJohn Marino alg_a = cipher->algorithm_auth;
2313f5b1c8a1SJohn Marino c = s->cert;
2314f5b1c8a1SJohn Marino
231572c33676SMaxim Ag if (alg_a & SSL_aRSA) {
23168edacedfSDaniel Fojt idx = SSL_PKEY_RSA;
2317f5b1c8a1SJohn Marino } else if ((alg_a & SSL_aECDSA) &&
2318f5b1c8a1SJohn Marino (c->pkeys[SSL_PKEY_ECC].privatekey != NULL))
2319f5b1c8a1SJohn Marino idx = SSL_PKEY_ECC;
2320f5b1c8a1SJohn Marino if (idx == -1) {
232172c33676SMaxim Ag SSLerror(s, ERR_R_INTERNAL_ERROR);
2322f5b1c8a1SJohn Marino return (NULL);
2323f5b1c8a1SJohn Marino }
232472c33676SMaxim Ag
232572c33676SMaxim Ag pkey = c->pkeys[idx].privatekey;
232672c33676SMaxim Ag if ((sigalg = ssl_sigalg_select(s, pkey)) == NULL) {
232772c33676SMaxim Ag SSLerror(s, SSL_R_SIGNATURE_ALGORITHMS_ERROR);
232872c33676SMaxim Ag return (NULL);
232972c33676SMaxim Ag }
233072c33676SMaxim Ag *pmd = sigalg->md();
233172c33676SMaxim Ag *sap = sigalg;
233272c33676SMaxim Ag
233372c33676SMaxim Ag return (pkey);
2334f5b1c8a1SJohn Marino }
2335f5b1c8a1SJohn Marino
2336*de0e0e4dSAntonio Huete Jimenez size_t
ssl_dhe_params_auto_key_bits(SSL * s)2337*de0e0e4dSAntonio Huete Jimenez ssl_dhe_params_auto_key_bits(SSL *s)
2338f5b1c8a1SJohn Marino {
2339*de0e0e4dSAntonio Huete Jimenez SSL_CERT_PKEY *cpk;
2340*de0e0e4dSAntonio Huete Jimenez int key_bits;
2341f5b1c8a1SJohn Marino
2342*de0e0e4dSAntonio Huete Jimenez if (s->cert->dhe_params_auto == 2) {
2343*de0e0e4dSAntonio Huete Jimenez key_bits = 1024;
2344*de0e0e4dSAntonio Huete Jimenez } else if (s->s3->hs.cipher->algorithm_auth & SSL_aNULL) {
2345*de0e0e4dSAntonio Huete Jimenez key_bits = 1024;
2346*de0e0e4dSAntonio Huete Jimenez if (s->s3->hs.cipher->strength_bits == 256)
2347*de0e0e4dSAntonio Huete Jimenez key_bits = 3072;
2348f5b1c8a1SJohn Marino } else {
2349f5b1c8a1SJohn Marino if ((cpk = ssl_get_server_send_pkey(s)) == NULL)
2350*de0e0e4dSAntonio Huete Jimenez return 0;
2351*de0e0e4dSAntonio Huete Jimenez if (cpk->privatekey == NULL ||
2352*de0e0e4dSAntonio Huete Jimenez EVP_PKEY_get0_RSA(cpk->privatekey) == NULL)
2353*de0e0e4dSAntonio Huete Jimenez return 0;
2354*de0e0e4dSAntonio Huete Jimenez if ((key_bits = EVP_PKEY_bits(cpk->privatekey)) <= 0)
2355*de0e0e4dSAntonio Huete Jimenez return 0;
2356f5b1c8a1SJohn Marino }
2357f5b1c8a1SJohn Marino
2358*de0e0e4dSAntonio Huete Jimenez return key_bits;
2359f5b1c8a1SJohn Marino }
2360*de0e0e4dSAntonio Huete Jimenez
2361*de0e0e4dSAntonio Huete Jimenez static int
ssl_should_update_external_cache(SSL * s,int mode)2362*de0e0e4dSAntonio Huete Jimenez ssl_should_update_external_cache(SSL *s, int mode)
2363*de0e0e4dSAntonio Huete Jimenez {
2364*de0e0e4dSAntonio Huete Jimenez int cache_mode;
2365*de0e0e4dSAntonio Huete Jimenez
2366*de0e0e4dSAntonio Huete Jimenez cache_mode = s->session_ctx->internal->session_cache_mode;
2367*de0e0e4dSAntonio Huete Jimenez
2368*de0e0e4dSAntonio Huete Jimenez /* Don't cache if mode says not to */
2369*de0e0e4dSAntonio Huete Jimenez if ((cache_mode & mode) == 0)
2370*de0e0e4dSAntonio Huete Jimenez return 0;
2371*de0e0e4dSAntonio Huete Jimenez
2372*de0e0e4dSAntonio Huete Jimenez /* if it is not already cached, cache it */
2373*de0e0e4dSAntonio Huete Jimenez if (!s->internal->hit)
2374*de0e0e4dSAntonio Huete Jimenez return 1;
2375*de0e0e4dSAntonio Huete Jimenez
2376*de0e0e4dSAntonio Huete Jimenez /* If it's TLS 1.3, do it to match OpenSSL */
2377*de0e0e4dSAntonio Huete Jimenez if (s->s3->hs.negotiated_tls_version >= TLS1_3_VERSION)
2378*de0e0e4dSAntonio Huete Jimenez return 1;
2379*de0e0e4dSAntonio Huete Jimenez
2380*de0e0e4dSAntonio Huete Jimenez return 0;
2381*de0e0e4dSAntonio Huete Jimenez }
2382*de0e0e4dSAntonio Huete Jimenez
2383*de0e0e4dSAntonio Huete Jimenez static int
ssl_should_update_internal_cache(SSL * s,int mode)2384*de0e0e4dSAntonio Huete Jimenez ssl_should_update_internal_cache(SSL *s, int mode)
2385*de0e0e4dSAntonio Huete Jimenez {
2386*de0e0e4dSAntonio Huete Jimenez int cache_mode;
2387*de0e0e4dSAntonio Huete Jimenez
2388*de0e0e4dSAntonio Huete Jimenez cache_mode = s->session_ctx->internal->session_cache_mode;
2389*de0e0e4dSAntonio Huete Jimenez
2390*de0e0e4dSAntonio Huete Jimenez /* Don't cache if mode says not to */
2391*de0e0e4dSAntonio Huete Jimenez if ((cache_mode & mode) == 0)
2392*de0e0e4dSAntonio Huete Jimenez return 0;
2393*de0e0e4dSAntonio Huete Jimenez
2394*de0e0e4dSAntonio Huete Jimenez /* If it is already cached, don't cache it again */
2395*de0e0e4dSAntonio Huete Jimenez if (s->internal->hit)
2396*de0e0e4dSAntonio Huete Jimenez return 0;
2397*de0e0e4dSAntonio Huete Jimenez
2398*de0e0e4dSAntonio Huete Jimenez if ((cache_mode & SSL_SESS_CACHE_NO_INTERNAL_STORE) != 0)
2399*de0e0e4dSAntonio Huete Jimenez return 0;
2400*de0e0e4dSAntonio Huete Jimenez
2401*de0e0e4dSAntonio Huete Jimenez /* If we are lesser than TLS 1.3, Cache it. */
2402*de0e0e4dSAntonio Huete Jimenez if (s->s3->hs.negotiated_tls_version < TLS1_3_VERSION)
2403*de0e0e4dSAntonio Huete Jimenez return 1;
2404*de0e0e4dSAntonio Huete Jimenez
2405*de0e0e4dSAntonio Huete Jimenez /* Below this we consider TLS 1.3 or later */
2406*de0e0e4dSAntonio Huete Jimenez
2407*de0e0e4dSAntonio Huete Jimenez /* If it's not a server, add it? OpenSSL does this. */
2408*de0e0e4dSAntonio Huete Jimenez if (!s->server)
2409*de0e0e4dSAntonio Huete Jimenez return 1;
2410*de0e0e4dSAntonio Huete Jimenez
2411*de0e0e4dSAntonio Huete Jimenez /* XXX if we support early data / PSK need to add */
2412*de0e0e4dSAntonio Huete Jimenez
2413*de0e0e4dSAntonio Huete Jimenez /*
2414*de0e0e4dSAntonio Huete Jimenez * If we have the remove session callback, we will want
2415*de0e0e4dSAntonio Huete Jimenez * to know about this even if it's a stateless ticket
2416*de0e0e4dSAntonio Huete Jimenez * from 1.3 so we can know when it is removed.
2417*de0e0e4dSAntonio Huete Jimenez */
2418*de0e0e4dSAntonio Huete Jimenez if (s->session_ctx->internal->remove_session_cb != NULL)
2419*de0e0e4dSAntonio Huete Jimenez return 1;
2420*de0e0e4dSAntonio Huete Jimenez
2421*de0e0e4dSAntonio Huete Jimenez /* If we have set OP_NO_TICKET, cache it. */
2422*de0e0e4dSAntonio Huete Jimenez if ((s->internal->options & SSL_OP_NO_TICKET) != 0)
2423*de0e0e4dSAntonio Huete Jimenez return 1;
2424*de0e0e4dSAntonio Huete Jimenez
2425*de0e0e4dSAntonio Huete Jimenez /* Otherwise do not cache */
2426*de0e0e4dSAntonio Huete Jimenez return 0;
2427f5b1c8a1SJohn Marino }
2428f5b1c8a1SJohn Marino
2429f5b1c8a1SJohn Marino void
ssl_update_cache(SSL * s,int mode)2430f5b1c8a1SJohn Marino ssl_update_cache(SSL *s, int mode)
2431f5b1c8a1SJohn Marino {
2432*de0e0e4dSAntonio Huete Jimenez int cache_mode, do_callback;
2433f5b1c8a1SJohn Marino
2434f5b1c8a1SJohn Marino if (s->session->session_id_length == 0)
2435f5b1c8a1SJohn Marino return;
2436f5b1c8a1SJohn Marino
2437*de0e0e4dSAntonio Huete Jimenez cache_mode = s->session_ctx->internal->session_cache_mode;
2438*de0e0e4dSAntonio Huete Jimenez do_callback = ssl_should_update_external_cache(s, mode);
2439*de0e0e4dSAntonio Huete Jimenez
2440*de0e0e4dSAntonio Huete Jimenez if (ssl_should_update_internal_cache(s, mode)) {
2441*de0e0e4dSAntonio Huete Jimenez /*
2442*de0e0e4dSAntonio Huete Jimenez * XXX should we fail if the add to the internal cache
2443*de0e0e4dSAntonio Huete Jimenez * fails? OpenSSL doesn't care..
2444*de0e0e4dSAntonio Huete Jimenez */
2445*de0e0e4dSAntonio Huete Jimenez (void) SSL_CTX_add_session(s->session_ctx, s->session);
2446*de0e0e4dSAntonio Huete Jimenez }
2447*de0e0e4dSAntonio Huete Jimenez
2448*de0e0e4dSAntonio Huete Jimenez /*
2449*de0e0e4dSAntonio Huete Jimenez * Update the "external cache" by calling the new session
2450*de0e0e4dSAntonio Huete Jimenez * callback if present, even with TLS 1.3 without early data
2451*de0e0e4dSAntonio Huete Jimenez * "because some application just want to know about the
2452*de0e0e4dSAntonio Huete Jimenez * creation of a session and aren't doing a full cache".
2453*de0e0e4dSAntonio Huete Jimenez * Apparently, if they are doing a full cache, they'll have
2454*de0e0e4dSAntonio Huete Jimenez * some fun, but we endeavour to give application writers the
2455*de0e0e4dSAntonio Huete Jimenez * same glorious experience they expect from OpenSSL which
2456*de0e0e4dSAntonio Huete Jimenez * does it this way.
2457*de0e0e4dSAntonio Huete Jimenez */
2458*de0e0e4dSAntonio Huete Jimenez if (do_callback && s->session_ctx->internal->new_session_cb != NULL) {
2459f5b1c8a1SJohn Marino CRYPTO_add(&s->session->references, 1, CRYPTO_LOCK_SSL_SESSION);
246072c33676SMaxim Ag if (!s->session_ctx->internal->new_session_cb(s, s->session))
2461f5b1c8a1SJohn Marino SSL_SESSION_free(s->session);
2462f5b1c8a1SJohn Marino }
2463f5b1c8a1SJohn Marino
2464*de0e0e4dSAntonio Huete Jimenez /* Auto flush every 255 connections. */
2465*de0e0e4dSAntonio Huete Jimenez if (!(cache_mode & SSL_SESS_CACHE_NO_AUTO_CLEAR) &&
2466*de0e0e4dSAntonio Huete Jimenez (cache_mode & mode) != 0) {
2467*de0e0e4dSAntonio Huete Jimenez int connections;
2468*de0e0e4dSAntonio Huete Jimenez if (mode & SSL_SESS_CACHE_CLIENT)
2469*de0e0e4dSAntonio Huete Jimenez connections = s->session_ctx->internal->stats.sess_connect_good;
2470*de0e0e4dSAntonio Huete Jimenez else
2471*de0e0e4dSAntonio Huete Jimenez connections = s->session_ctx->internal->stats.sess_accept_good;
2472*de0e0e4dSAntonio Huete Jimenez if ((connections & 0xff) == 0xff)
2473f5b1c8a1SJohn Marino SSL_CTX_flush_sessions(s->session_ctx, time(NULL));
2474f5b1c8a1SJohn Marino }
2475f5b1c8a1SJohn Marino }
2476f5b1c8a1SJohn Marino
2477f5b1c8a1SJohn Marino const SSL_METHOD *
SSL_get_ssl_method(SSL * s)2478f5b1c8a1SJohn Marino SSL_get_ssl_method(SSL *s)
2479f5b1c8a1SJohn Marino {
2480f5b1c8a1SJohn Marino return (s->method);
2481f5b1c8a1SJohn Marino }
2482f5b1c8a1SJohn Marino
2483f5b1c8a1SJohn Marino int
SSL_set_ssl_method(SSL * s,const SSL_METHOD * method)24848edacedfSDaniel Fojt SSL_set_ssl_method(SSL *s, const SSL_METHOD *method)
2485f5b1c8a1SJohn Marino {
24868edacedfSDaniel Fojt int (*handshake_func)(SSL *) = NULL;
2487f5b1c8a1SJohn Marino int ret = 1;
2488f5b1c8a1SJohn Marino
24898edacedfSDaniel Fojt if (s->method == method)
24908edacedfSDaniel Fojt return (ret);
2491f5b1c8a1SJohn Marino
2492*de0e0e4dSAntonio Huete Jimenez if (s->internal->handshake_func == s->method->ssl_connect)
2493*de0e0e4dSAntonio Huete Jimenez handshake_func = method->ssl_connect;
2494*de0e0e4dSAntonio Huete Jimenez else if (s->internal->handshake_func == s->method->ssl_accept)
2495*de0e0e4dSAntonio Huete Jimenez handshake_func = method->ssl_accept;
24968edacedfSDaniel Fojt
2497*de0e0e4dSAntonio Huete Jimenez if (s->method->version == method->version) {
24988edacedfSDaniel Fojt s->method = method;
24998edacedfSDaniel Fojt } else {
2500*de0e0e4dSAntonio Huete Jimenez s->method->ssl_free(s);
25018edacedfSDaniel Fojt s->method = method;
2502*de0e0e4dSAntonio Huete Jimenez ret = s->method->ssl_new(s);
2503f5b1c8a1SJohn Marino }
25048edacedfSDaniel Fojt s->internal->handshake_func = handshake_func;
2505f5b1c8a1SJohn Marino
2506f5b1c8a1SJohn Marino return (ret);
2507f5b1c8a1SJohn Marino }
2508f5b1c8a1SJohn Marino
2509f5b1c8a1SJohn Marino int
SSL_get_error(const SSL * s,int i)2510f5b1c8a1SJohn Marino SSL_get_error(const SSL *s, int i)
2511f5b1c8a1SJohn Marino {
2512f5b1c8a1SJohn Marino unsigned long l;
2513*de0e0e4dSAntonio Huete Jimenez int reason;
2514f5b1c8a1SJohn Marino BIO *bio;
2515f5b1c8a1SJohn Marino
2516f5b1c8a1SJohn Marino if (i > 0)
2517f5b1c8a1SJohn Marino return (SSL_ERROR_NONE);
2518f5b1c8a1SJohn Marino
2519*de0e0e4dSAntonio Huete Jimenez /*
2520*de0e0e4dSAntonio Huete Jimenez * Make things return SSL_ERROR_SYSCALL when doing SSL_do_handshake
2521*de0e0e4dSAntonio Huete Jimenez * etc, where we do encode the error.
2522*de0e0e4dSAntonio Huete Jimenez */
2523f5b1c8a1SJohn Marino if ((l = ERR_peek_error()) != 0) {
2524f5b1c8a1SJohn Marino if (ERR_GET_LIB(l) == ERR_LIB_SYS)
2525f5b1c8a1SJohn Marino return (SSL_ERROR_SYSCALL);
2526f5b1c8a1SJohn Marino else
2527f5b1c8a1SJohn Marino return (SSL_ERROR_SSL);
2528f5b1c8a1SJohn Marino }
2529f5b1c8a1SJohn Marino
2530*de0e0e4dSAntonio Huete Jimenez if (SSL_want_read(s)) {
2531f5b1c8a1SJohn Marino bio = SSL_get_rbio(s);
2532f5b1c8a1SJohn Marino if (BIO_should_read(bio)) {
2533f5b1c8a1SJohn Marino return (SSL_ERROR_WANT_READ);
2534f5b1c8a1SJohn Marino } else if (BIO_should_write(bio)) {
2535f5b1c8a1SJohn Marino /*
2536f5b1c8a1SJohn Marino * This one doesn't make too much sense... We never
2537f5b1c8a1SJohn Marino * try to write to the rbio, and an application
2538f5b1c8a1SJohn Marino * program where rbio and wbio are separate couldn't
2539f5b1c8a1SJohn Marino * even know what it should wait for. However if we
254072c33676SMaxim Ag * ever set s->internal->rwstate incorrectly (so that we have
2541f5b1c8a1SJohn Marino * SSL_want_read(s) instead of SSL_want_write(s))
2542f5b1c8a1SJohn Marino * and rbio and wbio *are* the same, this test works
2543f5b1c8a1SJohn Marino * around that bug; so it might be safer to keep it.
2544f5b1c8a1SJohn Marino */
2545f5b1c8a1SJohn Marino return (SSL_ERROR_WANT_WRITE);
2546f5b1c8a1SJohn Marino } else if (BIO_should_io_special(bio)) {
2547f5b1c8a1SJohn Marino reason = BIO_get_retry_reason(bio);
2548f5b1c8a1SJohn Marino if (reason == BIO_RR_CONNECT)
2549f5b1c8a1SJohn Marino return (SSL_ERROR_WANT_CONNECT);
2550f5b1c8a1SJohn Marino else if (reason == BIO_RR_ACCEPT)
2551f5b1c8a1SJohn Marino return (SSL_ERROR_WANT_ACCEPT);
2552f5b1c8a1SJohn Marino else
2553f5b1c8a1SJohn Marino return (SSL_ERROR_SYSCALL); /* unknown */
2554f5b1c8a1SJohn Marino }
2555f5b1c8a1SJohn Marino }
2556f5b1c8a1SJohn Marino
2557*de0e0e4dSAntonio Huete Jimenez if (SSL_want_write(s)) {
2558f5b1c8a1SJohn Marino bio = SSL_get_wbio(s);
2559f5b1c8a1SJohn Marino if (BIO_should_write(bio)) {
2560f5b1c8a1SJohn Marino return (SSL_ERROR_WANT_WRITE);
2561f5b1c8a1SJohn Marino } else if (BIO_should_read(bio)) {
2562f5b1c8a1SJohn Marino /*
2563f5b1c8a1SJohn Marino * See above (SSL_want_read(s) with
2564f5b1c8a1SJohn Marino * BIO_should_write(bio))
2565f5b1c8a1SJohn Marino */
2566f5b1c8a1SJohn Marino return (SSL_ERROR_WANT_READ);
2567f5b1c8a1SJohn Marino } else if (BIO_should_io_special(bio)) {
2568f5b1c8a1SJohn Marino reason = BIO_get_retry_reason(bio);
2569f5b1c8a1SJohn Marino if (reason == BIO_RR_CONNECT)
2570f5b1c8a1SJohn Marino return (SSL_ERROR_WANT_CONNECT);
2571f5b1c8a1SJohn Marino else if (reason == BIO_RR_ACCEPT)
2572f5b1c8a1SJohn Marino return (SSL_ERROR_WANT_ACCEPT);
2573f5b1c8a1SJohn Marino else
2574f5b1c8a1SJohn Marino return (SSL_ERROR_SYSCALL);
2575f5b1c8a1SJohn Marino }
2576f5b1c8a1SJohn Marino }
2577*de0e0e4dSAntonio Huete Jimenez
2578*de0e0e4dSAntonio Huete Jimenez if (SSL_want_x509_lookup(s))
2579f5b1c8a1SJohn Marino return (SSL_ERROR_WANT_X509_LOOKUP);
2580*de0e0e4dSAntonio Huete Jimenez
2581*de0e0e4dSAntonio Huete Jimenez if ((s->internal->shutdown & SSL_RECEIVED_SHUTDOWN) &&
2582*de0e0e4dSAntonio Huete Jimenez (s->s3->warn_alert == SSL_AD_CLOSE_NOTIFY))
2583*de0e0e4dSAntonio Huete Jimenez return (SSL_ERROR_ZERO_RETURN);
2584*de0e0e4dSAntonio Huete Jimenez
2585*de0e0e4dSAntonio Huete Jimenez return (SSL_ERROR_SYSCALL);
2586f5b1c8a1SJohn Marino }
2587f5b1c8a1SJohn Marino
2588*de0e0e4dSAntonio Huete Jimenez int
SSL_CTX_set_quic_method(SSL_CTX * ctx,const SSL_QUIC_METHOD * quic_method)2589*de0e0e4dSAntonio Huete Jimenez SSL_CTX_set_quic_method(SSL_CTX *ctx, const SSL_QUIC_METHOD *quic_method)
2590*de0e0e4dSAntonio Huete Jimenez {
2591*de0e0e4dSAntonio Huete Jimenez if (ctx->method->dtls)
2592*de0e0e4dSAntonio Huete Jimenez return 0;
2593*de0e0e4dSAntonio Huete Jimenez
2594*de0e0e4dSAntonio Huete Jimenez ctx->quic_method = quic_method;
2595*de0e0e4dSAntonio Huete Jimenez
2596*de0e0e4dSAntonio Huete Jimenez return 1;
2597f5b1c8a1SJohn Marino }
2598*de0e0e4dSAntonio Huete Jimenez
2599*de0e0e4dSAntonio Huete Jimenez int
SSL_set_quic_method(SSL * ssl,const SSL_QUIC_METHOD * quic_method)2600*de0e0e4dSAntonio Huete Jimenez SSL_set_quic_method(SSL *ssl, const SSL_QUIC_METHOD *quic_method)
2601*de0e0e4dSAntonio Huete Jimenez {
2602*de0e0e4dSAntonio Huete Jimenez if (ssl->method->dtls)
2603*de0e0e4dSAntonio Huete Jimenez return 0;
2604*de0e0e4dSAntonio Huete Jimenez
2605*de0e0e4dSAntonio Huete Jimenez ssl->quic_method = quic_method;
2606*de0e0e4dSAntonio Huete Jimenez
2607*de0e0e4dSAntonio Huete Jimenez return 1;
2608*de0e0e4dSAntonio Huete Jimenez }
2609*de0e0e4dSAntonio Huete Jimenez
2610*de0e0e4dSAntonio Huete Jimenez size_t
SSL_quic_max_handshake_flight_len(const SSL * ssl,enum ssl_encryption_level_t level)2611*de0e0e4dSAntonio Huete Jimenez SSL_quic_max_handshake_flight_len(const SSL *ssl,
2612*de0e0e4dSAntonio Huete Jimenez enum ssl_encryption_level_t level)
2613*de0e0e4dSAntonio Huete Jimenez {
2614*de0e0e4dSAntonio Huete Jimenez size_t flight_len;
2615*de0e0e4dSAntonio Huete Jimenez
2616*de0e0e4dSAntonio Huete Jimenez /* Limit flights to 16K when there are no large certificate messages. */
2617*de0e0e4dSAntonio Huete Jimenez flight_len = 16384;
2618*de0e0e4dSAntonio Huete Jimenez
2619*de0e0e4dSAntonio Huete Jimenez switch (level) {
2620*de0e0e4dSAntonio Huete Jimenez case ssl_encryption_initial:
2621*de0e0e4dSAntonio Huete Jimenez return flight_len;
2622*de0e0e4dSAntonio Huete Jimenez
2623*de0e0e4dSAntonio Huete Jimenez case ssl_encryption_early_data:
2624*de0e0e4dSAntonio Huete Jimenez /* QUIC does not send EndOfEarlyData. */
2625*de0e0e4dSAntonio Huete Jimenez return 0;
2626*de0e0e4dSAntonio Huete Jimenez
2627*de0e0e4dSAntonio Huete Jimenez case ssl_encryption_handshake:
2628*de0e0e4dSAntonio Huete Jimenez if (ssl->server) {
2629*de0e0e4dSAntonio Huete Jimenez /*
2630*de0e0e4dSAntonio Huete Jimenez * Servers may receive Certificate message if configured
2631*de0e0e4dSAntonio Huete Jimenez * to request client certificates.
2632*de0e0e4dSAntonio Huete Jimenez */
2633*de0e0e4dSAntonio Huete Jimenez if ((SSL_get_verify_mode(ssl) & SSL_VERIFY_PEER) != 0 &&
2634*de0e0e4dSAntonio Huete Jimenez ssl->internal->max_cert_list > flight_len)
2635*de0e0e4dSAntonio Huete Jimenez flight_len = ssl->internal->max_cert_list;
2636*de0e0e4dSAntonio Huete Jimenez } else {
2637*de0e0e4dSAntonio Huete Jimenez /*
2638*de0e0e4dSAntonio Huete Jimenez * Clients may receive both Certificate message and a
2639*de0e0e4dSAntonio Huete Jimenez * CertificateRequest message.
2640*de0e0e4dSAntonio Huete Jimenez */
2641*de0e0e4dSAntonio Huete Jimenez if (ssl->internal->max_cert_list * 2 > flight_len)
2642*de0e0e4dSAntonio Huete Jimenez flight_len = ssl->internal->max_cert_list * 2;
2643*de0e0e4dSAntonio Huete Jimenez }
2644*de0e0e4dSAntonio Huete Jimenez return flight_len;
2645*de0e0e4dSAntonio Huete Jimenez case ssl_encryption_application:
2646*de0e0e4dSAntonio Huete Jimenez /*
2647*de0e0e4dSAntonio Huete Jimenez * Note there is not actually a bound on the number of
2648*de0e0e4dSAntonio Huete Jimenez * NewSessionTickets one may send in a row. This level may need
2649*de0e0e4dSAntonio Huete Jimenez * more involved flow control.
2650*de0e0e4dSAntonio Huete Jimenez */
2651*de0e0e4dSAntonio Huete Jimenez return flight_len;
2652*de0e0e4dSAntonio Huete Jimenez }
2653*de0e0e4dSAntonio Huete Jimenez
2654*de0e0e4dSAntonio Huete Jimenez return 0;
2655*de0e0e4dSAntonio Huete Jimenez }
2656*de0e0e4dSAntonio Huete Jimenez
2657*de0e0e4dSAntonio Huete Jimenez enum ssl_encryption_level_t
SSL_quic_read_level(const SSL * ssl)2658*de0e0e4dSAntonio Huete Jimenez SSL_quic_read_level(const SSL *ssl)
2659*de0e0e4dSAntonio Huete Jimenez {
2660*de0e0e4dSAntonio Huete Jimenez return ssl->s3->hs.tls13.quic_read_level;
2661*de0e0e4dSAntonio Huete Jimenez }
2662*de0e0e4dSAntonio Huete Jimenez
2663*de0e0e4dSAntonio Huete Jimenez enum ssl_encryption_level_t
SSL_quic_write_level(const SSL * ssl)2664*de0e0e4dSAntonio Huete Jimenez SSL_quic_write_level(const SSL *ssl)
2665*de0e0e4dSAntonio Huete Jimenez {
2666*de0e0e4dSAntonio Huete Jimenez return ssl->s3->hs.tls13.quic_write_level;
2667*de0e0e4dSAntonio Huete Jimenez }
2668*de0e0e4dSAntonio Huete Jimenez
2669*de0e0e4dSAntonio Huete Jimenez int
SSL_provide_quic_data(SSL * ssl,enum ssl_encryption_level_t level,const uint8_t * data,size_t len)2670*de0e0e4dSAntonio Huete Jimenez SSL_provide_quic_data(SSL *ssl, enum ssl_encryption_level_t level,
2671*de0e0e4dSAntonio Huete Jimenez const uint8_t *data, size_t len)
2672*de0e0e4dSAntonio Huete Jimenez {
2673*de0e0e4dSAntonio Huete Jimenez if (!SSL_is_quic(ssl)) {
2674*de0e0e4dSAntonio Huete Jimenez SSLerror(ssl, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
2675*de0e0e4dSAntonio Huete Jimenez return 0;
2676*de0e0e4dSAntonio Huete Jimenez }
2677*de0e0e4dSAntonio Huete Jimenez
2678*de0e0e4dSAntonio Huete Jimenez if (level != SSL_quic_read_level(ssl)) {
2679*de0e0e4dSAntonio Huete Jimenez SSLerror(ssl, SSL_R_WRONG_ENCRYPTION_LEVEL_RECEIVED);
2680*de0e0e4dSAntonio Huete Jimenez return 0;
2681*de0e0e4dSAntonio Huete Jimenez }
2682*de0e0e4dSAntonio Huete Jimenez
2683*de0e0e4dSAntonio Huete Jimenez if (ssl->s3->hs.tls13.quic_read_buffer == NULL) {
2684*de0e0e4dSAntonio Huete Jimenez ssl->s3->hs.tls13.quic_read_buffer = tls_buffer_new(0);
2685*de0e0e4dSAntonio Huete Jimenez if (ssl->s3->hs.tls13.quic_read_buffer == NULL) {
2686*de0e0e4dSAntonio Huete Jimenez SSLerror(ssl, ERR_R_MALLOC_FAILURE);
2687*de0e0e4dSAntonio Huete Jimenez return 0;
2688*de0e0e4dSAntonio Huete Jimenez }
2689*de0e0e4dSAntonio Huete Jimenez }
2690*de0e0e4dSAntonio Huete Jimenez
2691*de0e0e4dSAntonio Huete Jimenez /* XXX - note that this does not currently downsize. */
2692*de0e0e4dSAntonio Huete Jimenez tls_buffer_set_capacity_limit(ssl->s3->hs.tls13.quic_read_buffer,
2693*de0e0e4dSAntonio Huete Jimenez SSL_quic_max_handshake_flight_len(ssl, level));
2694*de0e0e4dSAntonio Huete Jimenez
2695*de0e0e4dSAntonio Huete Jimenez /*
2696*de0e0e4dSAntonio Huete Jimenez * XXX - an append that fails due to exceeding capacity should set
2697*de0e0e4dSAntonio Huete Jimenez * SSL_R_EXCESSIVE_MESSAGE_SIZE.
2698*de0e0e4dSAntonio Huete Jimenez */
2699*de0e0e4dSAntonio Huete Jimenez return tls_buffer_append(ssl->s3->hs.tls13.quic_read_buffer, data, len);
2700*de0e0e4dSAntonio Huete Jimenez }
2701*de0e0e4dSAntonio Huete Jimenez
2702*de0e0e4dSAntonio Huete Jimenez int
SSL_process_quic_post_handshake(SSL * ssl)2703*de0e0e4dSAntonio Huete Jimenez SSL_process_quic_post_handshake(SSL *ssl)
2704*de0e0e4dSAntonio Huete Jimenez {
2705*de0e0e4dSAntonio Huete Jimenez /* XXX - this needs to run PHH received. */
2706*de0e0e4dSAntonio Huete Jimenez return 1;
2707f5b1c8a1SJohn Marino }
2708f5b1c8a1SJohn Marino
2709f5b1c8a1SJohn Marino int
SSL_do_handshake(SSL * s)2710f5b1c8a1SJohn Marino SSL_do_handshake(SSL *s)
2711f5b1c8a1SJohn Marino {
271272c33676SMaxim Ag if (s->internal->handshake_func == NULL) {
271372c33676SMaxim Ag SSLerror(s, SSL_R_CONNECTION_TYPE_NOT_SET);
2714f5b1c8a1SJohn Marino return (-1);
2715f5b1c8a1SJohn Marino }
2716f5b1c8a1SJohn Marino
2717*de0e0e4dSAntonio Huete Jimenez s->method->ssl_renegotiate_check(s);
2718f5b1c8a1SJohn Marino
2719*de0e0e4dSAntonio Huete Jimenez if (!SSL_in_init(s) && !SSL_in_before(s))
2720*de0e0e4dSAntonio Huete Jimenez return 1;
2721*de0e0e4dSAntonio Huete Jimenez
2722*de0e0e4dSAntonio Huete Jimenez return s->internal->handshake_func(s);
2723f5b1c8a1SJohn Marino }
2724f5b1c8a1SJohn Marino
2725f5b1c8a1SJohn Marino /*
2726f5b1c8a1SJohn Marino * For the next 2 functions, SSL_clear() sets shutdown and so
2727f5b1c8a1SJohn Marino * one of these calls will reset it
2728f5b1c8a1SJohn Marino */
2729f5b1c8a1SJohn Marino void
SSL_set_accept_state(SSL * s)2730f5b1c8a1SJohn Marino SSL_set_accept_state(SSL *s)
2731f5b1c8a1SJohn Marino {
2732f5b1c8a1SJohn Marino s->server = 1;
273372c33676SMaxim Ag s->internal->shutdown = 0;
2734*de0e0e4dSAntonio Huete Jimenez s->s3->hs.state = SSL_ST_ACCEPT|SSL_ST_BEFORE;
2735*de0e0e4dSAntonio Huete Jimenez s->internal->handshake_func = s->method->ssl_accept;
273672c33676SMaxim Ag ssl_clear_cipher_state(s);
2737f5b1c8a1SJohn Marino }
2738f5b1c8a1SJohn Marino
2739f5b1c8a1SJohn Marino void
SSL_set_connect_state(SSL * s)2740f5b1c8a1SJohn Marino SSL_set_connect_state(SSL *s)
2741f5b1c8a1SJohn Marino {
2742f5b1c8a1SJohn Marino s->server = 0;
274372c33676SMaxim Ag s->internal->shutdown = 0;
2744*de0e0e4dSAntonio Huete Jimenez s->s3->hs.state = SSL_ST_CONNECT|SSL_ST_BEFORE;
2745*de0e0e4dSAntonio Huete Jimenez s->internal->handshake_func = s->method->ssl_connect;
274672c33676SMaxim Ag ssl_clear_cipher_state(s);
2747f5b1c8a1SJohn Marino }
2748f5b1c8a1SJohn Marino
2749f5b1c8a1SJohn Marino int
ssl_undefined_function(SSL * s)2750f5b1c8a1SJohn Marino ssl_undefined_function(SSL *s)
2751f5b1c8a1SJohn Marino {
275272c33676SMaxim Ag SSLerror(s, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
2753f5b1c8a1SJohn Marino return (0);
2754f5b1c8a1SJohn Marino }
2755f5b1c8a1SJohn Marino
2756f5b1c8a1SJohn Marino int
ssl_undefined_void_function(void)2757f5b1c8a1SJohn Marino ssl_undefined_void_function(void)
2758f5b1c8a1SJohn Marino {
275972c33676SMaxim Ag SSLerrorx(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
2760f5b1c8a1SJohn Marino return (0);
2761f5b1c8a1SJohn Marino }
2762f5b1c8a1SJohn Marino
2763f5b1c8a1SJohn Marino int
ssl_undefined_const_function(const SSL * s)2764f5b1c8a1SJohn Marino ssl_undefined_const_function(const SSL *s)
2765f5b1c8a1SJohn Marino {
276672c33676SMaxim Ag SSLerror(s, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
2767f5b1c8a1SJohn Marino return (0);
2768f5b1c8a1SJohn Marino }
2769f5b1c8a1SJohn Marino
2770f5b1c8a1SJohn Marino const char *
ssl_version_string(int ver)2771f5b1c8a1SJohn Marino ssl_version_string(int ver)
2772f5b1c8a1SJohn Marino {
2773f5b1c8a1SJohn Marino switch (ver) {
2774f5b1c8a1SJohn Marino case TLS1_VERSION:
2775f5b1c8a1SJohn Marino return (SSL_TXT_TLSV1);
2776f5b1c8a1SJohn Marino case TLS1_1_VERSION:
2777f5b1c8a1SJohn Marino return (SSL_TXT_TLSV1_1);
2778f5b1c8a1SJohn Marino case TLS1_2_VERSION:
2779f5b1c8a1SJohn Marino return (SSL_TXT_TLSV1_2);
278072c33676SMaxim Ag case TLS1_3_VERSION:
278172c33676SMaxim Ag return (SSL_TXT_TLSV1_3);
2782*de0e0e4dSAntonio Huete Jimenez case DTLS1_VERSION:
2783*de0e0e4dSAntonio Huete Jimenez return (SSL_TXT_DTLS1);
2784*de0e0e4dSAntonio Huete Jimenez case DTLS1_2_VERSION:
2785*de0e0e4dSAntonio Huete Jimenez return (SSL_TXT_DTLS1_2);
2786f5b1c8a1SJohn Marino default:
2787f5b1c8a1SJohn Marino return ("unknown");
2788f5b1c8a1SJohn Marino }
2789f5b1c8a1SJohn Marino }
2790f5b1c8a1SJohn Marino
2791f5b1c8a1SJohn Marino const char *
SSL_get_version(const SSL * s)2792f5b1c8a1SJohn Marino SSL_get_version(const SSL *s)
2793f5b1c8a1SJohn Marino {
2794f5b1c8a1SJohn Marino return ssl_version_string(s->version);
2795f5b1c8a1SJohn Marino }
2796f5b1c8a1SJohn Marino
2797f5b1c8a1SJohn Marino SSL *
SSL_dup(SSL * s)2798f5b1c8a1SJohn Marino SSL_dup(SSL *s)
2799f5b1c8a1SJohn Marino {
2800f5b1c8a1SJohn Marino STACK_OF(X509_NAME) *sk;
2801f5b1c8a1SJohn Marino X509_NAME *xn;
2802f5b1c8a1SJohn Marino SSL *ret;
2803f5b1c8a1SJohn Marino int i;
2804f5b1c8a1SJohn Marino
2805f5b1c8a1SJohn Marino if ((ret = SSL_new(SSL_get_SSL_CTX(s))) == NULL)
280672c33676SMaxim Ag goto err;
2807f5b1c8a1SJohn Marino
2808f5b1c8a1SJohn Marino ret->version = s->version;
2809f5b1c8a1SJohn Marino ret->method = s->method;
2810f5b1c8a1SJohn Marino
2811f5b1c8a1SJohn Marino if (s->session != NULL) {
281272c33676SMaxim Ag if (!SSL_copy_session_id(ret, s))
281372c33676SMaxim Ag goto err;
2814f5b1c8a1SJohn Marino } else {
2815f5b1c8a1SJohn Marino /*
2816f5b1c8a1SJohn Marino * No session has been established yet, so we have to expect
2817f5b1c8a1SJohn Marino * that s->cert or ret->cert will be changed later --
2818f5b1c8a1SJohn Marino * they should not both point to the same object,
2819f5b1c8a1SJohn Marino * and thus we can't use SSL_copy_session_id.
2820f5b1c8a1SJohn Marino */
2821f5b1c8a1SJohn Marino
2822*de0e0e4dSAntonio Huete Jimenez ret->method->ssl_free(ret);
2823f5b1c8a1SJohn Marino ret->method = s->method;
2824*de0e0e4dSAntonio Huete Jimenez ret->method->ssl_new(ret);
2825f5b1c8a1SJohn Marino
2826f5b1c8a1SJohn Marino ssl_cert_free(ret->cert);
282772c33676SMaxim Ag if ((ret->cert = ssl_cert_dup(s->cert)) == NULL)
282872c33676SMaxim Ag goto err;
282972c33676SMaxim Ag
283072c33676SMaxim Ag if (!SSL_set_session_id_context(ret, s->sid_ctx,
283172c33676SMaxim Ag s->sid_ctx_length))
2832f5b1c8a1SJohn Marino goto err;
2833f5b1c8a1SJohn Marino }
2834f5b1c8a1SJohn Marino
283572c33676SMaxim Ag ret->internal->options = s->internal->options;
283672c33676SMaxim Ag ret->internal->mode = s->internal->mode;
2837f5b1c8a1SJohn Marino SSL_set_max_cert_list(ret, SSL_get_max_cert_list(s));
2838f5b1c8a1SJohn Marino SSL_set_read_ahead(ret, SSL_get_read_ahead(s));
283972c33676SMaxim Ag ret->internal->msg_callback = s->internal->msg_callback;
284072c33676SMaxim Ag ret->internal->msg_callback_arg = s->internal->msg_callback_arg;
2841f5b1c8a1SJohn Marino SSL_set_verify(ret, SSL_get_verify_mode(s),
2842f5b1c8a1SJohn Marino SSL_get_verify_callback(s));
2843f5b1c8a1SJohn Marino SSL_set_verify_depth(ret, SSL_get_verify_depth(s));
284472c33676SMaxim Ag ret->internal->generate_session_id = s->internal->generate_session_id;
2845f5b1c8a1SJohn Marino
2846f5b1c8a1SJohn Marino SSL_set_info_callback(ret, SSL_get_info_callback(s));
2847f5b1c8a1SJohn Marino
284872c33676SMaxim Ag ret->internal->debug = s->internal->debug;
2849f5b1c8a1SJohn Marino
2850f5b1c8a1SJohn Marino /* copy app data, a little dangerous perhaps */
2851f5b1c8a1SJohn Marino if (!CRYPTO_dup_ex_data(CRYPTO_EX_INDEX_SSL,
285272c33676SMaxim Ag &ret->internal->ex_data, &s->internal->ex_data))
2853f5b1c8a1SJohn Marino goto err;
2854f5b1c8a1SJohn Marino
2855f5b1c8a1SJohn Marino /* setup rbio, and wbio */
2856f5b1c8a1SJohn Marino if (s->rbio != NULL) {
2857f5b1c8a1SJohn Marino if (!BIO_dup_state(s->rbio,(char *)&ret->rbio))
2858f5b1c8a1SJohn Marino goto err;
2859f5b1c8a1SJohn Marino }
2860f5b1c8a1SJohn Marino if (s->wbio != NULL) {
2861f5b1c8a1SJohn Marino if (s->wbio != s->rbio) {
2862f5b1c8a1SJohn Marino if (!BIO_dup_state(s->wbio,(char *)&ret->wbio))
2863f5b1c8a1SJohn Marino goto err;
2864f5b1c8a1SJohn Marino } else
2865f5b1c8a1SJohn Marino ret->wbio = ret->rbio;
2866f5b1c8a1SJohn Marino }
286772c33676SMaxim Ag ret->internal->rwstate = s->internal->rwstate;
286872c33676SMaxim Ag ret->internal->in_handshake = s->internal->in_handshake;
286972c33676SMaxim Ag ret->internal->handshake_func = s->internal->handshake_func;
2870f5b1c8a1SJohn Marino ret->server = s->server;
287172c33676SMaxim Ag ret->internal->renegotiate = s->internal->renegotiate;
287272c33676SMaxim Ag ret->internal->new_session = s->internal->new_session;
287372c33676SMaxim Ag ret->internal->quiet_shutdown = s->internal->quiet_shutdown;
287472c33676SMaxim Ag ret->internal->shutdown = s->internal->shutdown;
2875f5b1c8a1SJohn Marino /* SSL_dup does not really work at any state, though */
2876*de0e0e4dSAntonio Huete Jimenez ret->s3->hs.state = s->s3->hs.state;
287772c33676SMaxim Ag ret->internal->rstate = s->internal->rstate;
2878f5b1c8a1SJohn Marino
2879f5b1c8a1SJohn Marino /*
2880f5b1c8a1SJohn Marino * Would have to copy ret->init_buf, ret->init_msg, ret->init_num,
2881f5b1c8a1SJohn Marino * ret->init_off
2882f5b1c8a1SJohn Marino */
288372c33676SMaxim Ag ret->internal->init_num = 0;
2884f5b1c8a1SJohn Marino
288572c33676SMaxim Ag ret->internal->hit = s->internal->hit;
2886f5b1c8a1SJohn Marino
2887f5b1c8a1SJohn Marino X509_VERIFY_PARAM_inherit(ret->param, s->param);
2888f5b1c8a1SJohn Marino
2889f5b1c8a1SJohn Marino if (s->cipher_list != NULL) {
2890f5b1c8a1SJohn Marino if ((ret->cipher_list =
2891f5b1c8a1SJohn Marino sk_SSL_CIPHER_dup(s->cipher_list)) == NULL)
2892f5b1c8a1SJohn Marino goto err;
2893f5b1c8a1SJohn Marino }
28948edacedfSDaniel Fojt if (s->internal->cipher_list_tls13 != NULL) {
28958edacedfSDaniel Fojt if ((ret->internal->cipher_list_tls13 =
28968edacedfSDaniel Fojt sk_SSL_CIPHER_dup(s->internal->cipher_list_tls13)) == NULL)
2897f5b1c8a1SJohn Marino goto err;
2898f5b1c8a1SJohn Marino }
2899f5b1c8a1SJohn Marino
2900f5b1c8a1SJohn Marino /* Dup the client_CA list */
290172c33676SMaxim Ag if (s->internal->client_CA != NULL) {
290272c33676SMaxim Ag if ((sk = sk_X509_NAME_dup(s->internal->client_CA)) == NULL) goto err;
290372c33676SMaxim Ag ret->internal->client_CA = sk;
2904f5b1c8a1SJohn Marino for (i = 0; i < sk_X509_NAME_num(sk); i++) {
2905f5b1c8a1SJohn Marino xn = sk_X509_NAME_value(sk, i);
2906f5b1c8a1SJohn Marino if (sk_X509_NAME_set(sk, i,
2907f5b1c8a1SJohn Marino X509_NAME_dup(xn)) == NULL) {
2908f5b1c8a1SJohn Marino X509_NAME_free(xn);
2909f5b1c8a1SJohn Marino goto err;
2910f5b1c8a1SJohn Marino }
2911f5b1c8a1SJohn Marino }
2912f5b1c8a1SJohn Marino }
2913f5b1c8a1SJohn Marino
291472c33676SMaxim Ag return ret;
2915f5b1c8a1SJohn Marino err:
2916f5b1c8a1SJohn Marino SSL_free(ret);
291772c33676SMaxim Ag return NULL;
2918f5b1c8a1SJohn Marino }
2919f5b1c8a1SJohn Marino
2920f5b1c8a1SJohn Marino void
ssl_clear_cipher_state(SSL * s)292172c33676SMaxim Ag ssl_clear_cipher_state(SSL *s)
292272c33676SMaxim Ag {
29238edacedfSDaniel Fojt tls12_record_layer_clear_read_state(s->internal->rl);
2924*de0e0e4dSAntonio Huete Jimenez tls12_record_layer_clear_write_state(s->internal->rl);
2925f5b1c8a1SJohn Marino }
2926f5b1c8a1SJohn Marino
292772c33676SMaxim Ag void
ssl_info_callback(const SSL * s,int type,int value)2928*de0e0e4dSAntonio Huete Jimenez ssl_info_callback(const SSL *s, int type, int value)
292972c33676SMaxim Ag {
2930*de0e0e4dSAntonio Huete Jimenez ssl_info_callback_fn *cb;
293172c33676SMaxim Ag
2932*de0e0e4dSAntonio Huete Jimenez if ((cb = s->internal->info_callback) == NULL)
2933*de0e0e4dSAntonio Huete Jimenez cb = s->ctx->internal->info_callback;
2934*de0e0e4dSAntonio Huete Jimenez if (cb != NULL)
2935*de0e0e4dSAntonio Huete Jimenez cb(s, type, value);
293672c33676SMaxim Ag }
2937*de0e0e4dSAntonio Huete Jimenez
2938*de0e0e4dSAntonio Huete Jimenez void
ssl_msg_callback(SSL * s,int is_write,int content_type,const void * msg_buf,size_t msg_len)2939*de0e0e4dSAntonio Huete Jimenez ssl_msg_callback(SSL *s, int is_write, int content_type,
2940*de0e0e4dSAntonio Huete Jimenez const void *msg_buf, size_t msg_len)
2941*de0e0e4dSAntonio Huete Jimenez {
2942*de0e0e4dSAntonio Huete Jimenez if (s->internal->msg_callback == NULL)
2943*de0e0e4dSAntonio Huete Jimenez return;
2944*de0e0e4dSAntonio Huete Jimenez
2945*de0e0e4dSAntonio Huete Jimenez s->internal->msg_callback(is_write, s->version, content_type,
2946*de0e0e4dSAntonio Huete Jimenez msg_buf, msg_len, s, s->internal->msg_callback_arg);
2947*de0e0e4dSAntonio Huete Jimenez }
2948*de0e0e4dSAntonio Huete Jimenez
2949*de0e0e4dSAntonio Huete Jimenez void
ssl_msg_callback_cbs(SSL * s,int is_write,int content_type,CBS * cbs)2950*de0e0e4dSAntonio Huete Jimenez ssl_msg_callback_cbs(SSL *s, int is_write, int content_type, CBS *cbs)
2951*de0e0e4dSAntonio Huete Jimenez {
2952*de0e0e4dSAntonio Huete Jimenez ssl_msg_callback(s, is_write, content_type, CBS_data(cbs), CBS_len(cbs));
2953f5b1c8a1SJohn Marino }
2954f5b1c8a1SJohn Marino
2955f5b1c8a1SJohn Marino /* Fix this function so that it takes an optional type parameter */
2956f5b1c8a1SJohn Marino X509 *
SSL_get_certificate(const SSL * s)2957f5b1c8a1SJohn Marino SSL_get_certificate(const SSL *s)
2958f5b1c8a1SJohn Marino {
2959f5b1c8a1SJohn Marino return (s->cert->key->x509);
2960f5b1c8a1SJohn Marino }
2961f5b1c8a1SJohn Marino
2962f5b1c8a1SJohn Marino /* Fix this function so that it takes an optional type parameter */
2963f5b1c8a1SJohn Marino EVP_PKEY *
SSL_get_privatekey(const SSL * s)296472c33676SMaxim Ag SSL_get_privatekey(const SSL *s)
2965f5b1c8a1SJohn Marino {
2966f5b1c8a1SJohn Marino return (s->cert->key->privatekey);
2967f5b1c8a1SJohn Marino }
2968f5b1c8a1SJohn Marino
2969f5b1c8a1SJohn Marino const SSL_CIPHER *
SSL_get_current_cipher(const SSL * s)2970f5b1c8a1SJohn Marino SSL_get_current_cipher(const SSL *s)
2971f5b1c8a1SJohn Marino {
2972f5b1c8a1SJohn Marino if ((s->session != NULL) && (s->session->cipher != NULL))
2973f5b1c8a1SJohn Marino return (s->session->cipher);
2974f5b1c8a1SJohn Marino return (NULL);
2975f5b1c8a1SJohn Marino }
2976f5b1c8a1SJohn Marino const void *
SSL_get_current_compression(SSL * s)2977f5b1c8a1SJohn Marino SSL_get_current_compression(SSL *s)
2978f5b1c8a1SJohn Marino {
2979f5b1c8a1SJohn Marino return (NULL);
2980f5b1c8a1SJohn Marino }
2981f5b1c8a1SJohn Marino
2982f5b1c8a1SJohn Marino const void *
SSL_get_current_expansion(SSL * s)2983f5b1c8a1SJohn Marino SSL_get_current_expansion(SSL *s)
2984f5b1c8a1SJohn Marino {
2985f5b1c8a1SJohn Marino return (NULL);
2986f5b1c8a1SJohn Marino }
2987f5b1c8a1SJohn Marino
298872c33676SMaxim Ag size_t
SSL_get_client_random(const SSL * s,unsigned char * out,size_t max_out)298972c33676SMaxim Ag SSL_get_client_random(const SSL *s, unsigned char *out, size_t max_out)
299072c33676SMaxim Ag {
299172c33676SMaxim Ag size_t len = sizeof(s->s3->client_random);
299272c33676SMaxim Ag
299372c33676SMaxim Ag if (out == NULL)
299472c33676SMaxim Ag return len;
299572c33676SMaxim Ag
299672c33676SMaxim Ag if (len > max_out)
299772c33676SMaxim Ag len = max_out;
299872c33676SMaxim Ag
299972c33676SMaxim Ag memcpy(out, s->s3->client_random, len);
300072c33676SMaxim Ag
300172c33676SMaxim Ag return len;
300272c33676SMaxim Ag }
300372c33676SMaxim Ag
300472c33676SMaxim Ag size_t
SSL_get_server_random(const SSL * s,unsigned char * out,size_t max_out)300572c33676SMaxim Ag SSL_get_server_random(const SSL *s, unsigned char *out, size_t max_out)
300672c33676SMaxim Ag {
300772c33676SMaxim Ag size_t len = sizeof(s->s3->server_random);
300872c33676SMaxim Ag
300972c33676SMaxim Ag if (out == NULL)
301072c33676SMaxim Ag return len;
301172c33676SMaxim Ag
301272c33676SMaxim Ag if (len > max_out)
301372c33676SMaxim Ag len = max_out;
301472c33676SMaxim Ag
301572c33676SMaxim Ag memcpy(out, s->s3->server_random, len);
301672c33676SMaxim Ag
301772c33676SMaxim Ag return len;
301872c33676SMaxim Ag }
301972c33676SMaxim Ag
3020f5b1c8a1SJohn Marino int
ssl_init_wbio_buffer(SSL * s,int push)3021f5b1c8a1SJohn Marino ssl_init_wbio_buffer(SSL *s, int push)
3022f5b1c8a1SJohn Marino {
3023f5b1c8a1SJohn Marino BIO *bbio;
3024f5b1c8a1SJohn Marino
3025f5b1c8a1SJohn Marino if (s->bbio == NULL) {
3026f5b1c8a1SJohn Marino bbio = BIO_new(BIO_f_buffer());
3027f5b1c8a1SJohn Marino if (bbio == NULL)
3028f5b1c8a1SJohn Marino return (0);
3029f5b1c8a1SJohn Marino s->bbio = bbio;
3030f5b1c8a1SJohn Marino } else {
3031f5b1c8a1SJohn Marino bbio = s->bbio;
3032f5b1c8a1SJohn Marino if (s->bbio == s->wbio)
3033f5b1c8a1SJohn Marino s->wbio = BIO_pop(s->wbio);
3034f5b1c8a1SJohn Marino }
3035f5b1c8a1SJohn Marino (void)BIO_reset(bbio);
3036f5b1c8a1SJohn Marino /* if (!BIO_set_write_buffer_size(bbio,16*1024)) */
3037f5b1c8a1SJohn Marino if (!BIO_set_read_buffer_size(bbio, 1)) {
303872c33676SMaxim Ag SSLerror(s, ERR_R_BUF_LIB);
3039f5b1c8a1SJohn Marino return (0);
3040f5b1c8a1SJohn Marino }
3041f5b1c8a1SJohn Marino if (push) {
3042f5b1c8a1SJohn Marino if (s->wbio != bbio)
3043f5b1c8a1SJohn Marino s->wbio = BIO_push(bbio, s->wbio);
3044f5b1c8a1SJohn Marino } else {
3045f5b1c8a1SJohn Marino if (s->wbio == bbio)
3046f5b1c8a1SJohn Marino s->wbio = BIO_pop(bbio);
3047f5b1c8a1SJohn Marino }
3048f5b1c8a1SJohn Marino return (1);
3049f5b1c8a1SJohn Marino }
3050f5b1c8a1SJohn Marino
3051f5b1c8a1SJohn Marino void
ssl_free_wbio_buffer(SSL * s)3052f5b1c8a1SJohn Marino ssl_free_wbio_buffer(SSL *s)
3053f5b1c8a1SJohn Marino {
3054f5b1c8a1SJohn Marino if (s == NULL)
3055f5b1c8a1SJohn Marino return;
3056f5b1c8a1SJohn Marino
3057f5b1c8a1SJohn Marino if (s->bbio == NULL)
3058f5b1c8a1SJohn Marino return;
3059f5b1c8a1SJohn Marino
3060f5b1c8a1SJohn Marino if (s->bbio == s->wbio) {
3061f5b1c8a1SJohn Marino /* remove buffering */
3062f5b1c8a1SJohn Marino s->wbio = BIO_pop(s->wbio);
3063f5b1c8a1SJohn Marino }
3064f5b1c8a1SJohn Marino BIO_free(s->bbio);
3065f5b1c8a1SJohn Marino s->bbio = NULL;
3066f5b1c8a1SJohn Marino }
3067f5b1c8a1SJohn Marino
3068f5b1c8a1SJohn Marino void
SSL_CTX_set_quiet_shutdown(SSL_CTX * ctx,int mode)3069f5b1c8a1SJohn Marino SSL_CTX_set_quiet_shutdown(SSL_CTX *ctx, int mode)
3070f5b1c8a1SJohn Marino {
307172c33676SMaxim Ag ctx->internal->quiet_shutdown = mode;
3072f5b1c8a1SJohn Marino }
3073f5b1c8a1SJohn Marino
3074f5b1c8a1SJohn Marino int
SSL_CTX_get_quiet_shutdown(const SSL_CTX * ctx)3075f5b1c8a1SJohn Marino SSL_CTX_get_quiet_shutdown(const SSL_CTX *ctx)
3076f5b1c8a1SJohn Marino {
307772c33676SMaxim Ag return (ctx->internal->quiet_shutdown);
3078f5b1c8a1SJohn Marino }
3079f5b1c8a1SJohn Marino
3080f5b1c8a1SJohn Marino void
SSL_set_quiet_shutdown(SSL * s,int mode)3081f5b1c8a1SJohn Marino SSL_set_quiet_shutdown(SSL *s, int mode)
3082f5b1c8a1SJohn Marino {
308372c33676SMaxim Ag s->internal->quiet_shutdown = mode;
3084f5b1c8a1SJohn Marino }
3085f5b1c8a1SJohn Marino
3086f5b1c8a1SJohn Marino int
SSL_get_quiet_shutdown(const SSL * s)3087f5b1c8a1SJohn Marino SSL_get_quiet_shutdown(const SSL *s)
3088f5b1c8a1SJohn Marino {
308972c33676SMaxim Ag return (s->internal->quiet_shutdown);
3090f5b1c8a1SJohn Marino }
3091f5b1c8a1SJohn Marino
3092f5b1c8a1SJohn Marino void
SSL_set_shutdown(SSL * s,int mode)3093f5b1c8a1SJohn Marino SSL_set_shutdown(SSL *s, int mode)
3094f5b1c8a1SJohn Marino {
309572c33676SMaxim Ag s->internal->shutdown = mode;
3096f5b1c8a1SJohn Marino }
3097f5b1c8a1SJohn Marino
3098f5b1c8a1SJohn Marino int
SSL_get_shutdown(const SSL * s)3099f5b1c8a1SJohn Marino SSL_get_shutdown(const SSL *s)
3100f5b1c8a1SJohn Marino {
310172c33676SMaxim Ag return (s->internal->shutdown);
3102f5b1c8a1SJohn Marino }
3103f5b1c8a1SJohn Marino
3104f5b1c8a1SJohn Marino int
SSL_version(const SSL * s)3105f5b1c8a1SJohn Marino SSL_version(const SSL *s)
3106f5b1c8a1SJohn Marino {
3107f5b1c8a1SJohn Marino return (s->version);
3108f5b1c8a1SJohn Marino }
3109f5b1c8a1SJohn Marino
3110f5b1c8a1SJohn Marino SSL_CTX *
SSL_get_SSL_CTX(const SSL * ssl)3111f5b1c8a1SJohn Marino SSL_get_SSL_CTX(const SSL *ssl)
3112f5b1c8a1SJohn Marino {
3113f5b1c8a1SJohn Marino return (ssl->ctx);
3114f5b1c8a1SJohn Marino }
3115f5b1c8a1SJohn Marino
3116f5b1c8a1SJohn Marino SSL_CTX *
SSL_set_SSL_CTX(SSL * ssl,SSL_CTX * ctx)3117f5b1c8a1SJohn Marino SSL_set_SSL_CTX(SSL *ssl, SSL_CTX* ctx)
3118f5b1c8a1SJohn Marino {
3119*de0e0e4dSAntonio Huete Jimenez SSL_CERT *new_cert;
31208edacedfSDaniel Fojt
3121f5b1c8a1SJohn Marino if (ctx == NULL)
3122f5b1c8a1SJohn Marino ctx = ssl->initial_ctx;
31238edacedfSDaniel Fojt if (ssl->ctx == ctx)
31248edacedfSDaniel Fojt return (ssl->ctx);
312572c33676SMaxim Ag
31268edacedfSDaniel Fojt if ((new_cert = ssl_cert_dup(ctx->internal->cert)) == NULL)
31278edacedfSDaniel Fojt return NULL;
312872c33676SMaxim Ag ssl_cert_free(ssl->cert);
31298edacedfSDaniel Fojt ssl->cert = new_cert;
313072c33676SMaxim Ag
31318edacedfSDaniel Fojt SSL_CTX_up_ref(ctx);
3132f5b1c8a1SJohn Marino SSL_CTX_free(ssl->ctx); /* decrement reference count */
3133f5b1c8a1SJohn Marino ssl->ctx = ctx;
31348edacedfSDaniel Fojt
3135f5b1c8a1SJohn Marino return (ssl->ctx);
3136f5b1c8a1SJohn Marino }
3137f5b1c8a1SJohn Marino
3138f5b1c8a1SJohn Marino int
SSL_CTX_set_default_verify_paths(SSL_CTX * ctx)3139f5b1c8a1SJohn Marino SSL_CTX_set_default_verify_paths(SSL_CTX *ctx)
3140f5b1c8a1SJohn Marino {
3141f5b1c8a1SJohn Marino return (X509_STORE_set_default_paths(ctx->cert_store));
3142f5b1c8a1SJohn Marino }
3143f5b1c8a1SJohn Marino
3144f5b1c8a1SJohn Marino int
SSL_CTX_load_verify_locations(SSL_CTX * ctx,const char * CAfile,const char * CApath)3145f5b1c8a1SJohn Marino SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile,
3146f5b1c8a1SJohn Marino const char *CApath)
3147f5b1c8a1SJohn Marino {
3148f5b1c8a1SJohn Marino return (X509_STORE_load_locations(ctx->cert_store, CAfile, CApath));
3149f5b1c8a1SJohn Marino }
3150f5b1c8a1SJohn Marino
3151f5b1c8a1SJohn Marino int
SSL_CTX_load_verify_mem(SSL_CTX * ctx,void * buf,int len)3152f5b1c8a1SJohn Marino SSL_CTX_load_verify_mem(SSL_CTX *ctx, void *buf, int len)
3153f5b1c8a1SJohn Marino {
3154f5b1c8a1SJohn Marino return (X509_STORE_load_mem(ctx->cert_store, buf, len));
3155f5b1c8a1SJohn Marino }
3156f5b1c8a1SJohn Marino
3157f5b1c8a1SJohn Marino void
SSL_set_info_callback(SSL * ssl,void (* cb)(const SSL * ssl,int type,int val))3158f5b1c8a1SJohn Marino SSL_set_info_callback(SSL *ssl, void (*cb)(const SSL *ssl, int type, int val))
3159f5b1c8a1SJohn Marino {
316072c33676SMaxim Ag ssl->internal->info_callback = cb;
3161f5b1c8a1SJohn Marino }
3162f5b1c8a1SJohn Marino
SSL_get_info_callback(const SSL * ssl)3163f5b1c8a1SJohn Marino void (*SSL_get_info_callback(const SSL *ssl))(const SSL *ssl, int type, int val)
3164f5b1c8a1SJohn Marino {
316572c33676SMaxim Ag return (ssl->internal->info_callback);
3166f5b1c8a1SJohn Marino }
3167f5b1c8a1SJohn Marino
3168f5b1c8a1SJohn Marino int
SSL_state(const SSL * ssl)3169f5b1c8a1SJohn Marino SSL_state(const SSL *ssl)
3170f5b1c8a1SJohn Marino {
3171*de0e0e4dSAntonio Huete Jimenez return (ssl->s3->hs.state);
3172f5b1c8a1SJohn Marino }
3173f5b1c8a1SJohn Marino
3174f5b1c8a1SJohn Marino void
SSL_set_state(SSL * ssl,int state)3175f5b1c8a1SJohn Marino SSL_set_state(SSL *ssl, int state)
3176f5b1c8a1SJohn Marino {
3177*de0e0e4dSAntonio Huete Jimenez ssl->s3->hs.state = state;
3178f5b1c8a1SJohn Marino }
3179f5b1c8a1SJohn Marino
3180f5b1c8a1SJohn Marino void
SSL_set_verify_result(SSL * ssl,long arg)3181f5b1c8a1SJohn Marino SSL_set_verify_result(SSL *ssl, long arg)
3182f5b1c8a1SJohn Marino {
3183f5b1c8a1SJohn Marino ssl->verify_result = arg;
3184f5b1c8a1SJohn Marino }
3185f5b1c8a1SJohn Marino
3186f5b1c8a1SJohn Marino long
SSL_get_verify_result(const SSL * ssl)3187f5b1c8a1SJohn Marino SSL_get_verify_result(const SSL *ssl)
3188f5b1c8a1SJohn Marino {
3189f5b1c8a1SJohn Marino return (ssl->verify_result);
3190f5b1c8a1SJohn Marino }
3191f5b1c8a1SJohn Marino
3192f5b1c8a1SJohn Marino int
SSL_verify_client_post_handshake(SSL * ssl)3193*de0e0e4dSAntonio Huete Jimenez SSL_verify_client_post_handshake(SSL *ssl)
3194*de0e0e4dSAntonio Huete Jimenez {
3195*de0e0e4dSAntonio Huete Jimenez return 0;
3196*de0e0e4dSAntonio Huete Jimenez }
3197*de0e0e4dSAntonio Huete Jimenez
3198*de0e0e4dSAntonio Huete Jimenez void
SSL_CTX_set_post_handshake_auth(SSL_CTX * ctx,int val)3199*de0e0e4dSAntonio Huete Jimenez SSL_CTX_set_post_handshake_auth(SSL_CTX *ctx, int val)
3200*de0e0e4dSAntonio Huete Jimenez {
3201*de0e0e4dSAntonio Huete Jimenez return;
3202*de0e0e4dSAntonio Huete Jimenez }
3203*de0e0e4dSAntonio Huete Jimenez
3204*de0e0e4dSAntonio Huete Jimenez void
SSL_set_post_handshake_auth(SSL * ssl,int val)3205*de0e0e4dSAntonio Huete Jimenez SSL_set_post_handshake_auth(SSL *ssl, int val)
3206*de0e0e4dSAntonio Huete Jimenez {
3207*de0e0e4dSAntonio Huete Jimenez return;
3208*de0e0e4dSAntonio Huete Jimenez }
3209*de0e0e4dSAntonio Huete Jimenez
3210*de0e0e4dSAntonio Huete Jimenez int
SSL_get_ex_new_index(long argl,void * argp,CRYPTO_EX_new * new_func,CRYPTO_EX_dup * dup_func,CRYPTO_EX_free * free_func)3211f5b1c8a1SJohn Marino SSL_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
3212f5b1c8a1SJohn Marino CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func)
3213f5b1c8a1SJohn Marino {
3214f5b1c8a1SJohn Marino return (CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_SSL, argl, argp,
3215f5b1c8a1SJohn Marino new_func, dup_func, free_func));
3216f5b1c8a1SJohn Marino }
3217f5b1c8a1SJohn Marino
3218f5b1c8a1SJohn Marino int
SSL_set_ex_data(SSL * s,int idx,void * arg)3219f5b1c8a1SJohn Marino SSL_set_ex_data(SSL *s, int idx, void *arg)
3220f5b1c8a1SJohn Marino {
322172c33676SMaxim Ag return (CRYPTO_set_ex_data(&s->internal->ex_data, idx, arg));
3222f5b1c8a1SJohn Marino }
3223f5b1c8a1SJohn Marino
3224f5b1c8a1SJohn Marino void *
SSL_get_ex_data(const SSL * s,int idx)3225f5b1c8a1SJohn Marino SSL_get_ex_data(const SSL *s, int idx)
3226f5b1c8a1SJohn Marino {
322772c33676SMaxim Ag return (CRYPTO_get_ex_data(&s->internal->ex_data, idx));
3228f5b1c8a1SJohn Marino }
3229f5b1c8a1SJohn Marino
3230f5b1c8a1SJohn Marino int
SSL_CTX_get_ex_new_index(long argl,void * argp,CRYPTO_EX_new * new_func,CRYPTO_EX_dup * dup_func,CRYPTO_EX_free * free_func)3231f5b1c8a1SJohn Marino SSL_CTX_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
3232f5b1c8a1SJohn Marino CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func)
3233f5b1c8a1SJohn Marino {
3234f5b1c8a1SJohn Marino return (CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_SSL_CTX, argl, argp,
3235f5b1c8a1SJohn Marino new_func, dup_func, free_func));
3236f5b1c8a1SJohn Marino }
3237f5b1c8a1SJohn Marino
3238f5b1c8a1SJohn Marino int
SSL_CTX_set_ex_data(SSL_CTX * s,int idx,void * arg)3239f5b1c8a1SJohn Marino SSL_CTX_set_ex_data(SSL_CTX *s, int idx, void *arg)
3240f5b1c8a1SJohn Marino {
324172c33676SMaxim Ag return (CRYPTO_set_ex_data(&s->internal->ex_data, idx, arg));
3242f5b1c8a1SJohn Marino }
3243f5b1c8a1SJohn Marino
3244f5b1c8a1SJohn Marino void *
SSL_CTX_get_ex_data(const SSL_CTX * s,int idx)3245f5b1c8a1SJohn Marino SSL_CTX_get_ex_data(const SSL_CTX *s, int idx)
3246f5b1c8a1SJohn Marino {
324772c33676SMaxim Ag return (CRYPTO_get_ex_data(&s->internal->ex_data, idx));
3248f5b1c8a1SJohn Marino }
3249f5b1c8a1SJohn Marino
3250f5b1c8a1SJohn Marino int
ssl_ok(SSL * s)3251f5b1c8a1SJohn Marino ssl_ok(SSL *s)
3252f5b1c8a1SJohn Marino {
3253f5b1c8a1SJohn Marino return (1);
3254f5b1c8a1SJohn Marino }
3255f5b1c8a1SJohn Marino
3256f5b1c8a1SJohn Marino X509_STORE *
SSL_CTX_get_cert_store(const SSL_CTX * ctx)3257f5b1c8a1SJohn Marino SSL_CTX_get_cert_store(const SSL_CTX *ctx)
3258f5b1c8a1SJohn Marino {
3259f5b1c8a1SJohn Marino return (ctx->cert_store);
3260f5b1c8a1SJohn Marino }
3261f5b1c8a1SJohn Marino
3262f5b1c8a1SJohn Marino void
SSL_CTX_set_cert_store(SSL_CTX * ctx,X509_STORE * store)3263f5b1c8a1SJohn Marino SSL_CTX_set_cert_store(SSL_CTX *ctx, X509_STORE *store)
3264f5b1c8a1SJohn Marino {
3265f5b1c8a1SJohn Marino X509_STORE_free(ctx->cert_store);
3266f5b1c8a1SJohn Marino ctx->cert_store = store;
3267f5b1c8a1SJohn Marino }
3268f5b1c8a1SJohn Marino
326972c33676SMaxim Ag X509 *
SSL_CTX_get0_certificate(const SSL_CTX * ctx)327072c33676SMaxim Ag SSL_CTX_get0_certificate(const SSL_CTX *ctx)
327172c33676SMaxim Ag {
327272c33676SMaxim Ag if (ctx->internal->cert == NULL)
327372c33676SMaxim Ag return NULL;
327472c33676SMaxim Ag
327572c33676SMaxim Ag return ctx->internal->cert->key->x509;
327672c33676SMaxim Ag }
327772c33676SMaxim Ag
3278*de0e0e4dSAntonio Huete Jimenez EVP_PKEY *
SSL_CTX_get0_privatekey(const SSL_CTX * ctx)3279*de0e0e4dSAntonio Huete Jimenez SSL_CTX_get0_privatekey(const SSL_CTX *ctx)
3280*de0e0e4dSAntonio Huete Jimenez {
3281*de0e0e4dSAntonio Huete Jimenez if (ctx->internal->cert == NULL)
3282*de0e0e4dSAntonio Huete Jimenez return NULL;
3283*de0e0e4dSAntonio Huete Jimenez
3284*de0e0e4dSAntonio Huete Jimenez return ctx->internal->cert->key->privatekey;
3285*de0e0e4dSAntonio Huete Jimenez }
3286*de0e0e4dSAntonio Huete Jimenez
3287f5b1c8a1SJohn Marino int
SSL_want(const SSL * s)3288f5b1c8a1SJohn Marino SSL_want(const SSL *s)
3289f5b1c8a1SJohn Marino {
329072c33676SMaxim Ag return (s->internal->rwstate);
3291f5b1c8a1SJohn Marino }
3292f5b1c8a1SJohn Marino
3293f5b1c8a1SJohn Marino void
SSL_CTX_set_tmp_rsa_callback(SSL_CTX * ctx,RSA * (* cb)(SSL * ssl,int is_export,int keylength))3294f5b1c8a1SJohn Marino SSL_CTX_set_tmp_rsa_callback(SSL_CTX *ctx, RSA *(*cb)(SSL *ssl, int is_export,
3295f5b1c8a1SJohn Marino int keylength))
3296f5b1c8a1SJohn Marino {
3297f5b1c8a1SJohn Marino SSL_CTX_callback_ctrl(ctx, SSL_CTRL_SET_TMP_RSA_CB,(void (*)(void))cb);
3298f5b1c8a1SJohn Marino }
3299f5b1c8a1SJohn Marino
3300f5b1c8a1SJohn Marino void
SSL_set_tmp_rsa_callback(SSL * ssl,RSA * (* cb)(SSL * ssl,int is_export,int keylength))3301f5b1c8a1SJohn Marino SSL_set_tmp_rsa_callback(SSL *ssl, RSA *(*cb)(SSL *ssl, int is_export,
3302f5b1c8a1SJohn Marino int keylength))
3303f5b1c8a1SJohn Marino {
3304f5b1c8a1SJohn Marino SSL_callback_ctrl(ssl, SSL_CTRL_SET_TMP_RSA_CB,(void (*)(void))cb);
3305f5b1c8a1SJohn Marino }
3306f5b1c8a1SJohn Marino
3307f5b1c8a1SJohn Marino void
SSL_CTX_set_tmp_dh_callback(SSL_CTX * ctx,DH * (* dh)(SSL * ssl,int is_export,int keylength))3308f5b1c8a1SJohn Marino SSL_CTX_set_tmp_dh_callback(SSL_CTX *ctx, DH *(*dh)(SSL *ssl, int is_export,
3309f5b1c8a1SJohn Marino int keylength))
3310f5b1c8a1SJohn Marino {
3311f5b1c8a1SJohn Marino SSL_CTX_callback_ctrl(ctx, SSL_CTRL_SET_TMP_DH_CB,(void (*)(void))dh);
3312f5b1c8a1SJohn Marino }
3313f5b1c8a1SJohn Marino
3314f5b1c8a1SJohn Marino void
SSL_set_tmp_dh_callback(SSL * ssl,DH * (* dh)(SSL * ssl,int is_export,int keylength))3315f5b1c8a1SJohn Marino SSL_set_tmp_dh_callback(SSL *ssl, DH *(*dh)(SSL *ssl, int is_export,
3316f5b1c8a1SJohn Marino int keylength))
3317f5b1c8a1SJohn Marino {
3318f5b1c8a1SJohn Marino SSL_callback_ctrl(ssl, SSL_CTRL_SET_TMP_DH_CB,(void (*)(void))dh);
3319f5b1c8a1SJohn Marino }
3320f5b1c8a1SJohn Marino
3321f5b1c8a1SJohn Marino void
SSL_CTX_set_tmp_ecdh_callback(SSL_CTX * ctx,EC_KEY * (* ecdh)(SSL * ssl,int is_export,int keylength))3322f5b1c8a1SJohn Marino SSL_CTX_set_tmp_ecdh_callback(SSL_CTX *ctx, EC_KEY *(*ecdh)(SSL *ssl,
3323f5b1c8a1SJohn Marino int is_export, int keylength))
3324f5b1c8a1SJohn Marino {
3325f5b1c8a1SJohn Marino SSL_CTX_callback_ctrl(ctx, SSL_CTRL_SET_TMP_ECDH_CB,
3326f5b1c8a1SJohn Marino (void (*)(void))ecdh);
3327f5b1c8a1SJohn Marino }
3328f5b1c8a1SJohn Marino
3329f5b1c8a1SJohn Marino void
SSL_set_tmp_ecdh_callback(SSL * ssl,EC_KEY * (* ecdh)(SSL * ssl,int is_export,int keylength))3330f5b1c8a1SJohn Marino SSL_set_tmp_ecdh_callback(SSL *ssl, EC_KEY *(*ecdh)(SSL *ssl, int is_export,
3331f5b1c8a1SJohn Marino int keylength))
3332f5b1c8a1SJohn Marino {
3333f5b1c8a1SJohn Marino SSL_callback_ctrl(ssl, SSL_CTRL_SET_TMP_ECDH_CB,(void (*)(void))ecdh);
3334f5b1c8a1SJohn Marino }
3335f5b1c8a1SJohn Marino
3336f5b1c8a1SJohn Marino
3337f5b1c8a1SJohn Marino void
SSL_CTX_set_msg_callback(SSL_CTX * ctx,void (* cb)(int write_p,int version,int content_type,const void * buf,size_t len,SSL * ssl,void * arg))3338f5b1c8a1SJohn Marino SSL_CTX_set_msg_callback(SSL_CTX *ctx, void (*cb)(int write_p, int version,
3339f5b1c8a1SJohn Marino int content_type, const void *buf, size_t len, SSL *ssl, void *arg))
3340f5b1c8a1SJohn Marino {
3341f5b1c8a1SJohn Marino SSL_CTX_callback_ctrl(ctx, SSL_CTRL_SET_MSG_CALLBACK,
3342f5b1c8a1SJohn Marino (void (*)(void))cb);
3343f5b1c8a1SJohn Marino }
3344f5b1c8a1SJohn Marino
3345f5b1c8a1SJohn Marino void
SSL_set_msg_callback(SSL * ssl,void (* cb)(int write_p,int version,int content_type,const void * buf,size_t len,SSL * ssl,void * arg))3346f5b1c8a1SJohn Marino SSL_set_msg_callback(SSL *ssl, void (*cb)(int write_p, int version,
3347f5b1c8a1SJohn Marino int content_type, const void *buf, size_t len, SSL *ssl, void *arg))
3348f5b1c8a1SJohn Marino {
3349f5b1c8a1SJohn Marino SSL_callback_ctrl(ssl, SSL_CTRL_SET_MSG_CALLBACK, (void (*)(void))cb);
3350f5b1c8a1SJohn Marino }
3351f5b1c8a1SJohn Marino
3352f5b1c8a1SJohn Marino void
SSL_set_debug(SSL * s,int debug)3353f5b1c8a1SJohn Marino SSL_set_debug(SSL *s, int debug)
3354f5b1c8a1SJohn Marino {
335572c33676SMaxim Ag s->internal->debug = debug;
3356f5b1c8a1SJohn Marino }
3357f5b1c8a1SJohn Marino
3358f5b1c8a1SJohn Marino int
SSL_cache_hit(SSL * s)3359f5b1c8a1SJohn Marino SSL_cache_hit(SSL *s)
3360f5b1c8a1SJohn Marino {
336172c33676SMaxim Ag return (s->internal->hit);
3362f5b1c8a1SJohn Marino }
3363f5b1c8a1SJohn Marino
336472c33676SMaxim Ag int
SSL_CTX_get_min_proto_version(SSL_CTX * ctx)336572c33676SMaxim Ag SSL_CTX_get_min_proto_version(SSL_CTX *ctx)
336672c33676SMaxim Ag {
3367*de0e0e4dSAntonio Huete Jimenez return ctx->internal->min_proto_version;
336872c33676SMaxim Ag }
336972c33676SMaxim Ag
337072c33676SMaxim Ag int
SSL_CTX_set_min_proto_version(SSL_CTX * ctx,uint16_t version)337172c33676SMaxim Ag SSL_CTX_set_min_proto_version(SSL_CTX *ctx, uint16_t version)
337272c33676SMaxim Ag {
337372c33676SMaxim Ag return ssl_version_set_min(ctx->method, version,
3374*de0e0e4dSAntonio Huete Jimenez ctx->internal->max_tls_version, &ctx->internal->min_tls_version,
3375*de0e0e4dSAntonio Huete Jimenez &ctx->internal->min_proto_version);
337672c33676SMaxim Ag }
337772c33676SMaxim Ag
337872c33676SMaxim Ag int
SSL_CTX_get_max_proto_version(SSL_CTX * ctx)337972c33676SMaxim Ag SSL_CTX_get_max_proto_version(SSL_CTX *ctx)
338072c33676SMaxim Ag {
3381*de0e0e4dSAntonio Huete Jimenez return ctx->internal->max_proto_version;
338272c33676SMaxim Ag }
338372c33676SMaxim Ag
338472c33676SMaxim Ag int
SSL_CTX_set_max_proto_version(SSL_CTX * ctx,uint16_t version)338572c33676SMaxim Ag SSL_CTX_set_max_proto_version(SSL_CTX *ctx, uint16_t version)
338672c33676SMaxim Ag {
338772c33676SMaxim Ag return ssl_version_set_max(ctx->method, version,
3388*de0e0e4dSAntonio Huete Jimenez ctx->internal->min_tls_version, &ctx->internal->max_tls_version,
3389*de0e0e4dSAntonio Huete Jimenez &ctx->internal->max_proto_version);
339072c33676SMaxim Ag }
339172c33676SMaxim Ag
339272c33676SMaxim Ag int
SSL_get_min_proto_version(SSL * ssl)339372c33676SMaxim Ag SSL_get_min_proto_version(SSL *ssl)
339472c33676SMaxim Ag {
3395*de0e0e4dSAntonio Huete Jimenez return ssl->internal->min_proto_version;
339672c33676SMaxim Ag }
339772c33676SMaxim Ag
339872c33676SMaxim Ag int
SSL_set_min_proto_version(SSL * ssl,uint16_t version)339972c33676SMaxim Ag SSL_set_min_proto_version(SSL *ssl, uint16_t version)
340072c33676SMaxim Ag {
340172c33676SMaxim Ag return ssl_version_set_min(ssl->method, version,
3402*de0e0e4dSAntonio Huete Jimenez ssl->internal->max_tls_version, &ssl->internal->min_tls_version,
3403*de0e0e4dSAntonio Huete Jimenez &ssl->internal->min_proto_version);
340472c33676SMaxim Ag }
340572c33676SMaxim Ag int
SSL_get_max_proto_version(SSL * ssl)340672c33676SMaxim Ag SSL_get_max_proto_version(SSL *ssl)
340772c33676SMaxim Ag {
3408*de0e0e4dSAntonio Huete Jimenez return ssl->internal->max_proto_version;
340972c33676SMaxim Ag }
341072c33676SMaxim Ag
341172c33676SMaxim Ag int
SSL_set_max_proto_version(SSL * ssl,uint16_t version)341272c33676SMaxim Ag SSL_set_max_proto_version(SSL *ssl, uint16_t version)
341372c33676SMaxim Ag {
341472c33676SMaxim Ag return ssl_version_set_max(ssl->method, version,
3415*de0e0e4dSAntonio Huete Jimenez ssl->internal->min_tls_version, &ssl->internal->max_tls_version,
3416*de0e0e4dSAntonio Huete Jimenez &ssl->internal->max_proto_version);
3417*de0e0e4dSAntonio Huete Jimenez }
3418*de0e0e4dSAntonio Huete Jimenez
3419*de0e0e4dSAntonio Huete Jimenez const SSL_METHOD *
SSL_CTX_get_ssl_method(const SSL_CTX * ctx)3420*de0e0e4dSAntonio Huete Jimenez SSL_CTX_get_ssl_method(const SSL_CTX *ctx)
3421*de0e0e4dSAntonio Huete Jimenez {
3422*de0e0e4dSAntonio Huete Jimenez return ctx->method;
3423*de0e0e4dSAntonio Huete Jimenez }
3424*de0e0e4dSAntonio Huete Jimenez
3425*de0e0e4dSAntonio Huete Jimenez int
SSL_CTX_get_security_level(const SSL_CTX * ctx)3426*de0e0e4dSAntonio Huete Jimenez SSL_CTX_get_security_level(const SSL_CTX *ctx)
3427*de0e0e4dSAntonio Huete Jimenez {
3428*de0e0e4dSAntonio Huete Jimenez return ctx->internal->cert->security_level;
3429*de0e0e4dSAntonio Huete Jimenez }
3430*de0e0e4dSAntonio Huete Jimenez
3431*de0e0e4dSAntonio Huete Jimenez void
SSL_CTX_set_security_level(SSL_CTX * ctx,int level)3432*de0e0e4dSAntonio Huete Jimenez SSL_CTX_set_security_level(SSL_CTX *ctx, int level)
3433*de0e0e4dSAntonio Huete Jimenez {
3434*de0e0e4dSAntonio Huete Jimenez ctx->internal->cert->security_level = level;
3435*de0e0e4dSAntonio Huete Jimenez }
3436*de0e0e4dSAntonio Huete Jimenez
3437*de0e0e4dSAntonio Huete Jimenez int
SSL_get_security_level(const SSL * ssl)3438*de0e0e4dSAntonio Huete Jimenez SSL_get_security_level(const SSL *ssl)
3439*de0e0e4dSAntonio Huete Jimenez {
3440*de0e0e4dSAntonio Huete Jimenez return ssl->cert->security_level;
3441*de0e0e4dSAntonio Huete Jimenez }
3442*de0e0e4dSAntonio Huete Jimenez
3443*de0e0e4dSAntonio Huete Jimenez void
SSL_set_security_level(SSL * ssl,int level)3444*de0e0e4dSAntonio Huete Jimenez SSL_set_security_level(SSL *ssl, int level)
3445*de0e0e4dSAntonio Huete Jimenez {
3446*de0e0e4dSAntonio Huete Jimenez ssl->cert->security_level = level;
3447*de0e0e4dSAntonio Huete Jimenez }
3448*de0e0e4dSAntonio Huete Jimenez
3449*de0e0e4dSAntonio Huete Jimenez int
SSL_is_quic(const SSL * ssl)3450*de0e0e4dSAntonio Huete Jimenez SSL_is_quic(const SSL *ssl)
3451*de0e0e4dSAntonio Huete Jimenez {
3452*de0e0e4dSAntonio Huete Jimenez return ssl->quic_method != NULL;
3453*de0e0e4dSAntonio Huete Jimenez }
3454*de0e0e4dSAntonio Huete Jimenez
3455*de0e0e4dSAntonio Huete Jimenez int
SSL_set_quic_transport_params(SSL * ssl,const uint8_t * params,size_t params_len)3456*de0e0e4dSAntonio Huete Jimenez SSL_set_quic_transport_params(SSL *ssl, const uint8_t *params,
3457*de0e0e4dSAntonio Huete Jimenez size_t params_len)
3458*de0e0e4dSAntonio Huete Jimenez {
3459*de0e0e4dSAntonio Huete Jimenez freezero(ssl->internal->quic_transport_params,
3460*de0e0e4dSAntonio Huete Jimenez ssl->internal->quic_transport_params_len);
3461*de0e0e4dSAntonio Huete Jimenez ssl->internal->quic_transport_params = NULL;
3462*de0e0e4dSAntonio Huete Jimenez ssl->internal->quic_transport_params_len = 0;
3463*de0e0e4dSAntonio Huete Jimenez
3464*de0e0e4dSAntonio Huete Jimenez if ((ssl->internal->quic_transport_params = malloc(params_len)) == NULL)
3465*de0e0e4dSAntonio Huete Jimenez return 0;
3466*de0e0e4dSAntonio Huete Jimenez
3467*de0e0e4dSAntonio Huete Jimenez memcpy(ssl->internal->quic_transport_params, params, params_len);
3468*de0e0e4dSAntonio Huete Jimenez ssl->internal->quic_transport_params_len = params_len;
3469*de0e0e4dSAntonio Huete Jimenez
3470*de0e0e4dSAntonio Huete Jimenez return 1;
3471*de0e0e4dSAntonio Huete Jimenez }
3472*de0e0e4dSAntonio Huete Jimenez
3473*de0e0e4dSAntonio Huete Jimenez void
SSL_get_peer_quic_transport_params(const SSL * ssl,const uint8_t ** out_params,size_t * out_params_len)3474*de0e0e4dSAntonio Huete Jimenez SSL_get_peer_quic_transport_params(const SSL *ssl, const uint8_t **out_params,
3475*de0e0e4dSAntonio Huete Jimenez size_t *out_params_len)
3476*de0e0e4dSAntonio Huete Jimenez {
3477*de0e0e4dSAntonio Huete Jimenez *out_params = ssl->s3->peer_quic_transport_params;
3478*de0e0e4dSAntonio Huete Jimenez *out_params_len = ssl->s3->peer_quic_transport_params_len;
3479*de0e0e4dSAntonio Huete Jimenez }
3480*de0e0e4dSAntonio Huete Jimenez
3481*de0e0e4dSAntonio Huete Jimenez void
SSL_set_quic_use_legacy_codepoint(SSL * ssl,int use_legacy)3482*de0e0e4dSAntonio Huete Jimenez SSL_set_quic_use_legacy_codepoint(SSL *ssl, int use_legacy)
3483*de0e0e4dSAntonio Huete Jimenez {
3484*de0e0e4dSAntonio Huete Jimenez /* Not supported. */
348572c33676SMaxim Ag }
348672c33676SMaxim Ag
348772c33676SMaxim Ag static int
ssl_cipher_id_cmp_BSEARCH_CMP_FN(const void * a_,const void * b_)348872c33676SMaxim Ag ssl_cipher_id_cmp_BSEARCH_CMP_FN(const void *a_, const void *b_)
348972c33676SMaxim Ag {
349072c33676SMaxim Ag SSL_CIPHER const *a = a_;
349172c33676SMaxim Ag SSL_CIPHER const *b = b_;
349272c33676SMaxim Ag return ssl_cipher_id_cmp(a, b);
349372c33676SMaxim Ag }
349472c33676SMaxim Ag
349572c33676SMaxim Ag SSL_CIPHER *
OBJ_bsearch_ssl_cipher_id(SSL_CIPHER * key,SSL_CIPHER const * base,int num)349672c33676SMaxim Ag OBJ_bsearch_ssl_cipher_id(SSL_CIPHER *key, SSL_CIPHER const *base, int num)
349772c33676SMaxim Ag {
349872c33676SMaxim Ag return (SSL_CIPHER *)OBJ_bsearch_(key, base, num, sizeof(SSL_CIPHER),
349972c33676SMaxim Ag ssl_cipher_id_cmp_BSEARCH_CMP_FN);
350072c33676SMaxim Ag }
3501