1
/*
2
 * Copyright 1995-2025 The OpenSSL Project Authors. All Rights Reserved.
3
 * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
4
 * Copyright 2005 Nokia. All rights reserved.
5
 *
6
 * Licensed under the Apache License 2.0 (the "License").  You may not use
7
 * this file except in compliance with the License.  You can obtain a copy
8
 * in the file LICENSE in the source distribution or at
9
 * https://www.openssl.org/source/license.html
10
 */
11

12
#include "internal/e_os.h"
13
#include "internal/e_winsock.h"
14
#include "ssl_local.h"
15

16
#include <openssl/objects.h>
17
#include <openssl/x509v3.h>
18
#include <openssl/rand.h>
19
#include <openssl/ocsp.h>
20
#include <openssl/dh.h>
21
#include <openssl/engine.h>
22
#include <openssl/async.h>
23
#include <openssl/ct.h>
24
#include <openssl/trace.h>
25
#include <openssl/core_names.h>
26
#include <openssl/provider.h>
27
#include "internal/cryptlib.h"
28
#include "internal/nelem.h"
29
#include "internal/refcount.h"
30
#include "internal/thread_once.h"
31
#include "internal/ktls.h"
32
#include "internal/to_hex.h"
33
#include "internal/ssl_unwrap.h"
34
#include "quic/quic_local.h"
35

36
#ifndef OPENSSL_NO_SSLKEYLOG
37
# include <sys/stat.h>
38
# include <fcntl.h>
39
#endif
40

41
static int ssl_undefined_function_3(SSL_CONNECTION *sc, unsigned char *r,
42
                                    unsigned char *s, size_t t, size_t *u)
43
{
44
    return ssl_undefined_function(SSL_CONNECTION_GET_SSL(sc));
45
}
46

47
static int ssl_undefined_function_4(SSL_CONNECTION *sc, int r)
48
{
49
    return ssl_undefined_function(SSL_CONNECTION_GET_SSL(sc));
50
}
51

52
static size_t ssl_undefined_function_5(SSL_CONNECTION *sc, const char *r,
53
                                       size_t s, unsigned char *t)
54
{
55
    return ssl_undefined_function(SSL_CONNECTION_GET_SSL(sc));
56
}
57

58
static int ssl_undefined_function_6(int r)
59
{
60
    return ssl_undefined_function(NULL);
61
}
62

63
static int ssl_undefined_function_7(SSL_CONNECTION *sc, unsigned char *r,
64
                                    size_t s, const char *t, size_t u,
65
                                    const unsigned char *v, size_t w, int x)
66
{
67
    return ssl_undefined_function(SSL_CONNECTION_GET_SSL(sc));
68
}
69

70
static int ssl_undefined_function_8(SSL_CONNECTION *sc)
71
{
72
    return ssl_undefined_function(SSL_CONNECTION_GET_SSL(sc));
73
}
74

75
const SSL3_ENC_METHOD ssl3_undef_enc_method = {
76
    ssl_undefined_function_8,
77
    ssl_undefined_function_3,
78
    ssl_undefined_function_4,
79
    ssl_undefined_function_5,
80
    NULL,                       /* client_finished_label */
81
    0,                          /* client_finished_label_len */
82
    NULL,                       /* server_finished_label */
83
    0,                          /* server_finished_label_len */
84
    ssl_undefined_function_6,
85
    ssl_undefined_function_7,
86
};
87

88
struct ssl_async_args {
89
    SSL *s;
90
    void *buf;
91
    size_t num;
92
    enum { READFUNC, WRITEFUNC, OTHERFUNC } type;
93
    union {
94
        int (*func_read) (SSL *, void *, size_t, size_t *);
95
        int (*func_write) (SSL *, const void *, size_t, size_t *);
96
        int (*func_other) (SSL *);
97
    } f;
98
};
99

100
static const struct {
101
    uint8_t mtype;
102
    uint8_t ord;
103
    int nid;
104
} dane_mds[] = {
105
    {
106
        DANETLS_MATCHING_FULL, 0, NID_undef
107
    },
108
    {
109
        DANETLS_MATCHING_2256, 1, NID_sha256
110
    },
111
    {
112
        DANETLS_MATCHING_2512, 2, NID_sha512
113
    },
114
};
115

116
static int dane_ctx_enable(struct dane_ctx_st *dctx)
117
{
118
    const EVP_MD **mdevp;
119
    uint8_t *mdord;
120
    uint8_t mdmax = DANETLS_MATCHING_LAST;
121
    int n = ((int)mdmax) + 1;   /* int to handle PrivMatch(255) */
122
    size_t i;
123

124
    if (dctx->mdevp != NULL)
125
        return 1;
126

127
    mdevp = OPENSSL_zalloc(n * sizeof(*mdevp));
128
    mdord = OPENSSL_zalloc(n * sizeof(*mdord));
129

130
    if (mdord == NULL || mdevp == NULL) {
131
        OPENSSL_free(mdord);
132
        OPENSSL_free(mdevp);
133
        return 0;
134
    }
135

136
    /* Install default entries */
137
    for (i = 0; i < OSSL_NELEM(dane_mds); ++i) {
138
        const EVP_MD *md;
139

140
        if (dane_mds[i].nid == NID_undef ||
141
            (md = EVP_get_digestbynid(dane_mds[i].nid)) == NULL)
142
            continue;
143
        mdevp[dane_mds[i].mtype] = md;
144
        mdord[dane_mds[i].mtype] = dane_mds[i].ord;
145
    }
146

147
    dctx->mdevp = mdevp;
148
    dctx->mdord = mdord;
149
    dctx->mdmax = mdmax;
150

151
    return 1;
152
}
153

154
static void dane_ctx_final(struct dane_ctx_st *dctx)
155
{
156
    OPENSSL_free(dctx->mdevp);
157
    dctx->mdevp = NULL;
158

159
    OPENSSL_free(dctx->mdord);
160
    dctx->mdord = NULL;
161
    dctx->mdmax = 0;
162
}
163

164
static void tlsa_free(danetls_record *t)
165
{
166
    if (t == NULL)
167
        return;
168
    OPENSSL_free(t->data);
169
    EVP_PKEY_free(t->spki);
170
    OPENSSL_free(t);
171
}
172

173
static void dane_final(SSL_DANE *dane)
174
{
175
    sk_danetls_record_pop_free(dane->trecs, tlsa_free);
176
    dane->trecs = NULL;
177

178
    OSSL_STACK_OF_X509_free(dane->certs);
179
    dane->certs = NULL;
180

181
    X509_free(dane->mcert);
182
    dane->mcert = NULL;
183
    dane->mtlsa = NULL;
184
    dane->mdpth = -1;
185
    dane->pdpth = -1;
186
}
187

188
/*
189
 * dane_copy - Copy dane configuration, sans verification state.
190
 */
191
static int ssl_dane_dup(SSL_CONNECTION *to, SSL_CONNECTION *from)
192
{
193
    int num;
194
    int i;
195

196
    if (!DANETLS_ENABLED(&from->dane))
197
        return 1;
198

199
    num = sk_danetls_record_num(from->dane.trecs);
200
    dane_final(&to->dane);
201
    to->dane.flags = from->dane.flags;
202
    to->dane.dctx = &SSL_CONNECTION_GET_CTX(to)->dane;
203
    to->dane.trecs = sk_danetls_record_new_reserve(NULL, num);
204

205
    if (to->dane.trecs == NULL) {
206
        ERR_raise(ERR_LIB_SSL, ERR_R_CRYPTO_LIB);
207
        return 0;
208
    }
209

210
    for (i = 0; i < num; ++i) {
211
        danetls_record *t = sk_danetls_record_value(from->dane.trecs, i);
212

213
        if (SSL_dane_tlsa_add(SSL_CONNECTION_GET_SSL(to), t->usage,
214
                              t->selector, t->mtype, t->data, t->dlen) <= 0)
215
            return 0;
216
    }
217
    return 1;
218
}
219

220
static int dane_mtype_set(struct dane_ctx_st *dctx,
221
                          const EVP_MD *md, uint8_t mtype, uint8_t ord)
222
{
223
    int i;
224

225
    if (mtype == DANETLS_MATCHING_FULL && md != NULL) {
226
        ERR_raise(ERR_LIB_SSL, SSL_R_DANE_CANNOT_OVERRIDE_MTYPE_FULL);
227
        return 0;
228
    }
229

230
    if (mtype > dctx->mdmax) {
231
        const EVP_MD **mdevp;
232
        uint8_t *mdord;
233
        int n = ((int)mtype) + 1;
234

235
        mdevp = OPENSSL_realloc(dctx->mdevp, n * sizeof(*mdevp));
236
        if (mdevp == NULL)
237
            return -1;
238
        dctx->mdevp = mdevp;
239

240
        mdord = OPENSSL_realloc(dctx->mdord, n * sizeof(*mdord));
241
        if (mdord == NULL)
242
            return -1;
243
        dctx->mdord = mdord;
244

245
        /* Zero-fill any gaps */
246
        for (i = dctx->mdmax + 1; i < mtype; ++i) {
247
            mdevp[i] = NULL;
248
            mdord[i] = 0;
249
        }
250

251
        dctx->mdmax = mtype;
252
    }
253

254
    dctx->mdevp[mtype] = md;
255
    /* Coerce ordinal of disabled matching types to 0 */
256
    dctx->mdord[mtype] = (md == NULL) ? 0 : ord;
257

258
    return 1;
259
}
260

261
static const EVP_MD *tlsa_md_get(SSL_DANE *dane, uint8_t mtype)
262
{
263
    if (mtype > dane->dctx->mdmax)
264
        return NULL;
265
    return dane->dctx->mdevp[mtype];
266
}
267

268
static int dane_tlsa_add(SSL_DANE *dane,
269
                         uint8_t usage,
270
                         uint8_t selector,
271
                         uint8_t mtype, const unsigned char *data, size_t dlen)
272
{
273
    danetls_record *t;
274
    const EVP_MD *md = NULL;
275
    int ilen = (int)dlen;
276
    int i;
277
    int num;
278
    int mdsize;
279

280
    if (dane->trecs == NULL) {
281
        ERR_raise(ERR_LIB_SSL, SSL_R_DANE_NOT_ENABLED);
282
        return -1;
283
    }
284

285
    if (ilen < 0 || dlen != (size_t)ilen) {
286
        ERR_raise(ERR_LIB_SSL, SSL_R_DANE_TLSA_BAD_DATA_LENGTH);
287
        return 0;
288
    }
289

290
    if (usage > DANETLS_USAGE_LAST) {
291
        ERR_raise(ERR_LIB_SSL, SSL_R_DANE_TLSA_BAD_CERTIFICATE_USAGE);
292
        return 0;
293
    }
294

295
    if (selector > DANETLS_SELECTOR_LAST) {
296
        ERR_raise(ERR_LIB_SSL, SSL_R_DANE_TLSA_BAD_SELECTOR);
297
        return 0;
298
    }
299

300
    if (mtype != DANETLS_MATCHING_FULL) {
301
        md = tlsa_md_get(dane, mtype);
302
        if (md == NULL) {
303
            ERR_raise(ERR_LIB_SSL, SSL_R_DANE_TLSA_BAD_MATCHING_TYPE);
304
            return 0;
305
        }
306
    }
307

308
    if (md != NULL) {
309
        mdsize = EVP_MD_get_size(md);
310
        if (mdsize <= 0 || dlen != (size_t)mdsize) {
311
            ERR_raise(ERR_LIB_SSL, SSL_R_DANE_TLSA_BAD_DIGEST_LENGTH);
312
            return 0;
313
        }
314
    }
315
    if (!data) {
316
        ERR_raise(ERR_LIB_SSL, SSL_R_DANE_TLSA_NULL_DATA);
317
        return 0;
318
    }
319

320
    if ((t = OPENSSL_zalloc(sizeof(*t))) == NULL)
321
        return -1;
322

323
    t->usage = usage;
324
    t->selector = selector;
325
    t->mtype = mtype;
326
    t->data = OPENSSL_malloc(dlen);
327
    if (t->data == NULL) {
328
        tlsa_free(t);
329
        return -1;
330
    }
331
    memcpy(t->data, data, dlen);
332
    t->dlen = dlen;
333

334
    /* Validate and cache full certificate or public key */
335
    if (mtype == DANETLS_MATCHING_FULL) {
336
        const unsigned char *p = data;
337
        X509 *cert = NULL;
338
        EVP_PKEY *pkey = NULL;
339

340
        switch (selector) {
341
        case DANETLS_SELECTOR_CERT:
342
            if (!d2i_X509(&cert, &p, ilen) || p < data ||
343
                dlen != (size_t)(p - data)) {
344
                X509_free(cert);
345
                tlsa_free(t);
346
                ERR_raise(ERR_LIB_SSL, SSL_R_DANE_TLSA_BAD_CERTIFICATE);
347
                return 0;
348
            }
349
            if (X509_get0_pubkey(cert) == NULL) {
350
                X509_free(cert);
351
                tlsa_free(t);
352
                ERR_raise(ERR_LIB_SSL, SSL_R_DANE_TLSA_BAD_CERTIFICATE);
353
                return 0;
354
            }
355

356
            if ((DANETLS_USAGE_BIT(usage) & DANETLS_TA_MASK) == 0) {
357
                /*
358
                 * The Full(0) certificate decodes to a seemingly valid X.509
359
                 * object with a plausible key, so the TLSA record is well
360
                 * formed.  However, we don't actually need the certificate for
361
                 * usages PKIX-EE(1) or DANE-EE(3), because at least the EE
362
                 * certificate is always presented by the peer.  We discard the
363
                 * certificate, and just use the TLSA data as an opaque blob
364
                 * for matching the raw presented DER octets.
365
                 *
366
                 * DO NOT FREE `t` here, it will be added to the TLSA record
367
                 * list below!
368
                 */
369
                X509_free(cert);
370
                break;
371
            }
372

373
            /*
374
             * For usage DANE-TA(2), we support authentication via "2 0 0" TLSA
375
             * records that contain full certificates of trust-anchors that are
376
             * not present in the wire chain.  For usage PKIX-TA(0), we augment
377
             * the chain with untrusted Full(0) certificates from DNS, in case
378
             * they are missing from the chain.
379
             */
380
            if ((dane->certs == NULL &&
381
                 (dane->certs = sk_X509_new_null()) == NULL) ||
382
                !sk_X509_push(dane->certs, cert)) {
383
                ERR_raise(ERR_LIB_SSL, ERR_R_CRYPTO_LIB);
384
                X509_free(cert);
385
                tlsa_free(t);
386
                return -1;
387
            }
388
            break;
389

390
        case DANETLS_SELECTOR_SPKI:
391
            if (!d2i_PUBKEY(&pkey, &p, ilen) || p < data ||
392
                dlen != (size_t)(p - data)) {
393
                EVP_PKEY_free(pkey);
394
                tlsa_free(t);
395
                ERR_raise(ERR_LIB_SSL, SSL_R_DANE_TLSA_BAD_PUBLIC_KEY);
396
                return 0;
397
            }
398

399
            /*
400
             * For usage DANE-TA(2), we support authentication via "2 1 0" TLSA
401
             * records that contain full bare keys of trust-anchors that are
402
             * not present in the wire chain.
403
             */
404
            if (usage == DANETLS_USAGE_DANE_TA)
405
                t->spki = pkey;
406
            else
407
                EVP_PKEY_free(pkey);
408
            break;
409
        }
410
    }
411

412
    /*-
413
     * Find the right insertion point for the new record.
414
     *
415
     * See crypto/x509/x509_vfy.c.  We sort DANE-EE(3) records first, so that
416
     * they can be processed first, as they require no chain building, and no
417
     * expiration or hostname checks.  Because DANE-EE(3) is numerically
418
     * largest, this is accomplished via descending sort by "usage".
419
     *
420
     * We also sort in descending order by matching ordinal to simplify
421
     * the implementation of digest agility in the verification code.
422
     *
423
     * The choice of order for the selector is not significant, so we
424
     * use the same descending order for consistency.
425
     */
426
    num = sk_danetls_record_num(dane->trecs);
427
    for (i = 0; i < num; ++i) {
428
        danetls_record *rec = sk_danetls_record_value(dane->trecs, i);
429

430
        if (rec->usage > usage)
431
            continue;
432
        if (rec->usage < usage)
433
            break;
434
        if (rec->selector > selector)
435
            continue;
436
        if (rec->selector < selector)
437
            break;
438
        if (dane->dctx->mdord[rec->mtype] > dane->dctx->mdord[mtype])
439
            continue;
440
        break;
441
    }
442

443
    if (!sk_danetls_record_insert(dane->trecs, t, i)) {
444
        tlsa_free(t);
445
        ERR_raise(ERR_LIB_SSL, ERR_R_CRYPTO_LIB);
446
        return -1;
447
    }
448
    dane->umask |= DANETLS_USAGE_BIT(usage);
449

450
    return 1;
451
}
452

453
/*
454
 * Return 0 if there is only one version configured and it was disabled
455
 * at configure time.  Return 1 otherwise.
456
 */
457
static int ssl_check_allowed_versions(int min_version, int max_version)
458
{
459
    int minisdtls = 0, maxisdtls = 0;
460

461
    /* Figure out if we're doing DTLS versions or TLS versions */
462
    if (min_version == DTLS1_BAD_VER
463
        || min_version >> 8 == DTLS1_VERSION_MAJOR)
464
        minisdtls = 1;
465
    if (max_version == DTLS1_BAD_VER
466
        || max_version >> 8 == DTLS1_VERSION_MAJOR)
467
        maxisdtls = 1;
468
    /* A wildcard version of 0 could be DTLS or TLS. */
469
    if ((minisdtls && !maxisdtls && max_version != 0)
470
        || (maxisdtls && !minisdtls && min_version != 0)) {
471
        /* Mixing DTLS and TLS versions will lead to sadness; deny it. */
472
        return 0;
473
    }
474

475
    if (minisdtls || maxisdtls) {
476
        /* Do DTLS version checks. */
477
        if (min_version == 0)
478
            /* Ignore DTLS1_BAD_VER */
479
            min_version = DTLS1_VERSION;
480
        if (max_version == 0)
481
            max_version = DTLS1_2_VERSION;
482
#ifdef OPENSSL_NO_DTLS1_2
483
        if (max_version == DTLS1_2_VERSION)
484
            max_version = DTLS1_VERSION;
485
#endif
486
#ifdef OPENSSL_NO_DTLS1
487
        if (min_version == DTLS1_VERSION)
488
            min_version = DTLS1_2_VERSION;
489
#endif
490
        /* Done massaging versions; do the check. */
491
        if (0
492
#ifdef OPENSSL_NO_DTLS1
493
            || (DTLS_VERSION_GE(min_version, DTLS1_VERSION)
494
                && DTLS_VERSION_GE(DTLS1_VERSION, max_version))
495
#endif
496
#ifdef OPENSSL_NO_DTLS1_2
497
            || (DTLS_VERSION_GE(min_version, DTLS1_2_VERSION)
498
                && DTLS_VERSION_GE(DTLS1_2_VERSION, max_version))
499
#endif
500
            )
501
            return 0;
502
    } else {
503
        /* Regular TLS version checks. */
504
        if (min_version == 0)
505
            min_version = SSL3_VERSION;
506
        if (max_version == 0)
507
            max_version = TLS1_3_VERSION;
508
#ifdef OPENSSL_NO_TLS1_3
509
        if (max_version == TLS1_3_VERSION)
510
            max_version = TLS1_2_VERSION;
511
#endif
512
#ifdef OPENSSL_NO_TLS1_2
513
        if (max_version == TLS1_2_VERSION)
514
            max_version = TLS1_1_VERSION;
515
#endif
516
#ifdef OPENSSL_NO_TLS1_1
517
        if (max_version == TLS1_1_VERSION)
518
            max_version = TLS1_VERSION;
519
#endif
520
#ifdef OPENSSL_NO_TLS1
521
        if (max_version == TLS1_VERSION)
522
            max_version = SSL3_VERSION;
523
#endif
524
#ifdef OPENSSL_NO_SSL3
525
        if (min_version == SSL3_VERSION)
526
            min_version = TLS1_VERSION;
527
#endif
528
#ifdef OPENSSL_NO_TLS1
529
        if (min_version == TLS1_VERSION)
530
            min_version = TLS1_1_VERSION;
531
#endif
532
#ifdef OPENSSL_NO_TLS1_1
533
        if (min_version == TLS1_1_VERSION)
534
            min_version = TLS1_2_VERSION;
535
#endif
536
#ifdef OPENSSL_NO_TLS1_2
537
        if (min_version == TLS1_2_VERSION)
538
            min_version = TLS1_3_VERSION;
539
#endif
540
        /* Done massaging versions; do the check. */
541
        if (0
542
#ifdef OPENSSL_NO_SSL3
543
            || (min_version <= SSL3_VERSION && SSL3_VERSION <= max_version)
544
#endif
545
#ifdef OPENSSL_NO_TLS1
546
            || (min_version <= TLS1_VERSION && TLS1_VERSION <= max_version)
547
#endif
548
#ifdef OPENSSL_NO_TLS1_1
549
            || (min_version <= TLS1_1_VERSION && TLS1_1_VERSION <= max_version)
550
#endif
551
#ifdef OPENSSL_NO_TLS1_2
552
            || (min_version <= TLS1_2_VERSION && TLS1_2_VERSION <= max_version)
553
#endif
554
#ifdef OPENSSL_NO_TLS1_3
555
            || (min_version <= TLS1_3_VERSION && TLS1_3_VERSION <= max_version)
556
#endif
557
            )
558
            return 0;
559
    }
560
    return 1;
561
}
562

563
#if defined(__TANDEM) && defined(OPENSSL_VPROC)
564
/*
565
 * Define a VPROC function for HP NonStop build ssl library.
566
 * This is used by platform version identification tools.
567
 * Do not inline this procedure or make it static.
568
 */
569
# define OPENSSL_VPROC_STRING_(x)    x##_SSL
570
# define OPENSSL_VPROC_STRING(x)     OPENSSL_VPROC_STRING_(x)
571
# define OPENSSL_VPROC_FUNC          OPENSSL_VPROC_STRING(OPENSSL_VPROC)
572
void OPENSSL_VPROC_FUNC(void) {}
573
#endif
574

575
int SSL_clear(SSL *s)
576
{
577
    if (s->method == NULL) {
578
        ERR_raise(ERR_LIB_SSL, SSL_R_NO_METHOD_SPECIFIED);
579
        return 0;
580
    }
581

582
    return s->method->ssl_reset(s);
583
}
584

585
int ossl_ssl_connection_reset(SSL *s)
586
{
587
    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
588

589
    if (sc == NULL)
590
        return 0;
591

592
    if (ssl_clear_bad_session(sc)) {
593
        SSL_SESSION_free(sc->session);
594
        sc->session = NULL;
595
    }
596
    SSL_SESSION_free(sc->psksession);
597
    sc->psksession = NULL;
598
    OPENSSL_free(sc->psksession_id);
599
    sc->psksession_id = NULL;
600
    sc->psksession_id_len = 0;
601
    sc->hello_retry_request = SSL_HRR_NONE;
602
    sc->sent_tickets = 0;
603

604
    sc->error = 0;
605
    sc->hit = 0;
606
    sc->shutdown = 0;
607

608
    if (sc->renegotiate) {
609
        ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
610
        return 0;
611
    }
612

613
    ossl_statem_clear(sc);
614

615
    sc->version = s->method->version;
616
    sc->client_version = sc->version;
617
    sc->rwstate = SSL_NOTHING;
618

619
    BUF_MEM_free(sc->init_buf);
620
    sc->init_buf = NULL;
621
    sc->first_packet = 0;
622

623
    sc->key_update = SSL_KEY_UPDATE_NONE;
624
    memset(sc->ext.compress_certificate_from_peer, 0,
625
           sizeof(sc->ext.compress_certificate_from_peer));
626
    sc->ext.compress_certificate_sent = 0;
627

628
    EVP_MD_CTX_free(sc->pha_dgst);
629
    sc->pha_dgst = NULL;
630

631
    /* Reset DANE verification result state */
632
    sc->dane.mdpth = -1;
633
    sc->dane.pdpth = -1;
634
    X509_free(sc->dane.mcert);
635
    sc->dane.mcert = NULL;
636
    sc->dane.mtlsa = NULL;
637

638
    /* Clear the verification result peername */
639
    X509_VERIFY_PARAM_move_peername(sc->param, NULL);
640

641
    /* Clear any shared connection state */
642
    OPENSSL_free(sc->shared_sigalgs);
643
    sc->shared_sigalgs = NULL;
644
    sc->shared_sigalgslen = 0;
645

646
    /*
647
     * Check to see if we were changed into a different method, if so, revert
648
     * back.
649
     */
650
    if (s->method != s->defltmeth) {
651
        s->method->ssl_deinit(s);
652
        s->method = s->defltmeth;
653
        if (!s->method->ssl_init(s))
654
            return 0;
655
    } else {
656
        if (!s->method->ssl_clear(s))
657
            return 0;
658
    }
659

660
    ossl_quic_tls_clear(sc->qtls);
661

662
    if (!RECORD_LAYER_reset(&sc->rlayer))
663
        return 0;
664

665
    return 1;
666
}
667

668
#ifndef OPENSSL_NO_DEPRECATED_3_0
669
/** Used to change an SSL_CTXs default SSL method type */
670
int SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *meth)
671
{
672
    STACK_OF(SSL_CIPHER) *sk;
673

674
    if (IS_QUIC_CTX(ctx)) {
675
        ERR_raise(ERR_LIB_SSL, SSL_R_WRONG_SSL_VERSION);
676
        return 0;
677
    }
678

679
    ctx->method = meth;
680

681
    if (!SSL_CTX_set_ciphersuites(ctx, OSSL_default_ciphersuites())) {
682
        ERR_raise(ERR_LIB_SSL, SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS);
683
        return 0;
684
    }
685
    sk = ssl_create_cipher_list(ctx,
686
                                ctx->tls13_ciphersuites,
687
                                &(ctx->cipher_list),
688
                                &(ctx->cipher_list_by_id),
689
                                OSSL_default_cipher_list(), ctx->cert);
690
    if ((sk == NULL) || (sk_SSL_CIPHER_num(sk) <= 0)) {
691
        ERR_raise(ERR_LIB_SSL, SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS);
692
        return 0;
693
    }
694
    return 1;
695
}
696
#endif
697

698
SSL *SSL_new(SSL_CTX *ctx)
699
{
700
    if (ctx == NULL) {
701
        ERR_raise(ERR_LIB_SSL, SSL_R_NULL_SSL_CTX);
702
        return NULL;
703
    }
704
    if (ctx->method == NULL) {
705
        ERR_raise(ERR_LIB_SSL, SSL_R_SSL_CTX_HAS_NO_DEFAULT_SSL_VERSION);
706
        return NULL;
707
    }
708
    return ctx->method->ssl_new(ctx);
709
}
710

711
int ossl_ssl_init(SSL *ssl, SSL_CTX *ctx, const SSL_METHOD *method, int type)
712
{
713
    if (!SSL_CTX_up_ref(ctx))
714
        return 0;
715

716
    ssl->lock = CRYPTO_THREAD_lock_new();
717

718
    if (ssl->lock == NULL || !CRYPTO_NEW_REF(&ssl->references, 1))
719
        goto err;
720

721
    if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL, ssl, &ssl->ex_data)) {
722
        CRYPTO_FREE_REF(&ssl->references);
723
        goto err;
724
    }
725

726
    ssl->ctx = ctx;
727
    ssl->type = type;
728
    ssl->defltmeth = ssl->method = method;
729

730
    return 1;
731

732
err:
733
    CRYPTO_THREAD_lock_free(ssl->lock);
734
    ssl->lock = NULL;
735
    SSL_CTX_free(ctx);
736
    return 0;
737
}
738

739
SSL *ossl_ssl_connection_new_int(SSL_CTX *ctx, SSL *user_ssl,
740
                                 const SSL_METHOD *method)
741
{
742
    SSL_CONNECTION *s;
743
    SSL *ssl;
744

745
    s = OPENSSL_zalloc(sizeof(*s));
746
    if (s == NULL)
747
        return NULL;
748

749
    ssl = &s->ssl;
750
    s->user_ssl = (user_ssl == NULL) ? ssl : user_ssl;
751

752
    if (!ossl_ssl_init(ssl, ctx, method, SSL_TYPE_SSL_CONNECTION)) {
753
        OPENSSL_free(s);
754
        s = NULL;
755
        ssl = NULL;
756
        goto sslerr;
757
    }
758

759
    RECORD_LAYER_init(&s->rlayer, s);
760

761
    s->options = ctx->options;
762

763
    s->dane.flags = ctx->dane.flags;
764
    if (method->version == ctx->method->version) {
765
        s->min_proto_version = ctx->min_proto_version;
766
        s->max_proto_version = ctx->max_proto_version;
767
    }
768

769
    s->mode = ctx->mode;
770
    s->max_cert_list = ctx->max_cert_list;
771
    s->max_early_data = ctx->max_early_data;
772
    s->recv_max_early_data = ctx->recv_max_early_data;
773

774
    s->num_tickets = ctx->num_tickets;
775
    s->pha_enabled = ctx->pha_enabled;
776

777
    /* Shallow copy of the ciphersuites stack */
778
    s->tls13_ciphersuites = sk_SSL_CIPHER_dup(ctx->tls13_ciphersuites);
779
    if (s->tls13_ciphersuites == NULL)
780
        goto cerr;
781

782
    /*
783
     * Earlier library versions used to copy the pointer to the CERT, not
784
     * its contents; only when setting new parameters for the per-SSL
785
     * copy, ssl_cert_new would be called (and the direct reference to
786
     * the per-SSL_CTX settings would be lost, but those still were
787
     * indirectly accessed for various purposes, and for that reason they
788
     * used to be known as s->ctx->default_cert). Now we don't look at the
789
     * SSL_CTX's CERT after having duplicated it once.
790
     */
791
    s->cert = ssl_cert_dup(ctx->cert);
792
    if (s->cert == NULL)
793
        goto sslerr;
794

795
    RECORD_LAYER_set_read_ahead(&s->rlayer, ctx->read_ahead);
796
    s->msg_callback = ctx->msg_callback;
797
    s->msg_callback_arg = ctx->msg_callback_arg;
798
    s->verify_mode = ctx->verify_mode;
799
    s->not_resumable_session_cb = ctx->not_resumable_session_cb;
800
    s->rlayer.record_padding_cb = ctx->record_padding_cb;
801
    s->rlayer.record_padding_arg = ctx->record_padding_arg;
802
    s->rlayer.block_padding = ctx->block_padding;
803
    s->rlayer.hs_padding = ctx->hs_padding;
804
    s->sid_ctx_length = ctx->sid_ctx_length;
805
    if (!ossl_assert(s->sid_ctx_length <= sizeof(s->sid_ctx)))
806
        goto err;
807
    memcpy(&s->sid_ctx, &ctx->sid_ctx, sizeof(s->sid_ctx));
808
    s->verify_callback = ctx->default_verify_callback;
809
    s->generate_session_id = ctx->generate_session_id;
810

811
    s->param = X509_VERIFY_PARAM_new();
812
    if (s->param == NULL)
813
        goto asn1err;
814
    X509_VERIFY_PARAM_inherit(s->param, ctx->param);
815
    s->quiet_shutdown = IS_QUIC_CTX(ctx) ? 0 : ctx->quiet_shutdown;
816

817
    if (!IS_QUIC_CTX(ctx))
818
        s->ext.max_fragment_len_mode = ctx->ext.max_fragment_len_mode;
819

820
    s->max_send_fragment = ctx->max_send_fragment;
821
    s->split_send_fragment = ctx->split_send_fragment;
822
    s->max_pipelines = ctx->max_pipelines;
823
    s->rlayer.default_read_buf_len = ctx->default_read_buf_len;
824

825
    s->ext.debug_cb = 0;
826
    s->ext.debug_arg = NULL;
827
    s->ext.ticket_expected = 0;
828
    s->ext.status_type = ctx->ext.status_type;
829
    s->ext.status_expected = 0;
830
    s->ext.ocsp.ids = NULL;
831
    s->ext.ocsp.exts = NULL;
832
    s->ext.ocsp.resp = NULL;
833
    s->ext.ocsp.resp_len = 0;
834

835
    if (!SSL_CTX_up_ref(ctx))
836
        goto err;
837

838
    s->session_ctx = ctx;
839
    if (ctx->ext.ecpointformats != NULL) {
840
        s->ext.ecpointformats =
841
            OPENSSL_memdup(ctx->ext.ecpointformats,
842
                           ctx->ext.ecpointformats_len);
843
        if (s->ext.ecpointformats == NULL) {
844
            s->ext.ecpointformats_len = 0;
845
            goto err;
846
        }
847
        s->ext.ecpointformats_len =
848
            ctx->ext.ecpointformats_len;
849
    }
850
    if (ctx->ext.supportedgroups != NULL) {
851
        size_t add = 0;
852

853
        if (ctx->ext.supportedgroups_len == 0)
854
            /* Add 1 so allocation won't fail */
855
            add = 1;
856
        s->ext.supportedgroups =
857
            OPENSSL_memdup(ctx->ext.supportedgroups,
858
                           (ctx->ext.supportedgroups_len + add)
859
                           * sizeof(*ctx->ext.supportedgroups));
860
        if (s->ext.supportedgroups == NULL) {
861
            s->ext.supportedgroups_len = 0;
862
            goto err;
863
        }
864
        s->ext.supportedgroups_len = ctx->ext.supportedgroups_len;
865
    }
866
    if (ctx->ext.keyshares != NULL) {
867
        size_t add = 0;
868

869
        if (ctx->ext.keyshares_len == 0)
870
            /* Add 1 so allocation won't fail */
871
            add = 1;
872
        s->ext.keyshares =
873
            OPENSSL_memdup(ctx->ext.keyshares,
874
                           (ctx->ext.keyshares_len + add)
875
                           * sizeof(*ctx->ext.keyshares));
876
        if (s->ext.keyshares == NULL) {
877
            s->ext.keyshares_len = 0;
878
            goto err;
879
        }
880
        s->ext.keyshares_len = ctx->ext.keyshares_len;
881
    }
882
    if (ctx->ext.tuples != NULL) {
883
        size_t add = 0;
884

885
        if (ctx->ext.tuples_len == 0)
886
            /* Add 1 so allocation won't fail */
887
            add = 1;
888
        s->ext.tuples =
889
            OPENSSL_memdup(ctx->ext.tuples,
890
                           (ctx->ext.tuples_len + add)
891
                           * sizeof(*ctx->ext.tuples));
892
        if (s->ext.tuples == NULL) {
893
            s->ext.tuples_len = 0;
894
            goto err;
895
        }
896
        s->ext.tuples_len = ctx->ext.tuples_len;
897
    }
898

899
#ifndef OPENSSL_NO_NEXTPROTONEG
900
    s->ext.npn = NULL;
901
#endif
902

903
    if (ctx->ext.alpn != NULL) {
904
        s->ext.alpn = OPENSSL_malloc(ctx->ext.alpn_len);
905
        if (s->ext.alpn == NULL) {
906
            s->ext.alpn_len = 0;
907
            goto err;
908
        }
909
        memcpy(s->ext.alpn, ctx->ext.alpn, ctx->ext.alpn_len);
910
        s->ext.alpn_len = ctx->ext.alpn_len;
911
    }
912

913
    s->verified_chain = NULL;
914
    s->verify_result = X509_V_OK;
915

916
    s->default_passwd_callback = ctx->default_passwd_callback;
917
    s->default_passwd_callback_userdata = ctx->default_passwd_callback_userdata;
918

919
    s->key_update = SSL_KEY_UPDATE_NONE;
920

921
    if (!IS_QUIC_CTX(ctx)) {
922
        s->allow_early_data_cb = ctx->allow_early_data_cb;
923
        s->allow_early_data_cb_data = ctx->allow_early_data_cb_data;
924
    }
925

926
    if (!method->ssl_init(ssl))
927
        goto sslerr;
928

929
    s->server = (method->ssl_accept == ssl_undefined_function) ? 0 : 1;
930

931
    if (!method->ssl_reset(ssl))
932
        goto sslerr;
933

934
#ifndef OPENSSL_NO_PSK
935
    s->psk_client_callback = ctx->psk_client_callback;
936
    s->psk_server_callback = ctx->psk_server_callback;
937
#endif
938
    s->psk_find_session_cb = ctx->psk_find_session_cb;
939
    s->psk_use_session_cb = ctx->psk_use_session_cb;
940

941
    s->async_cb = ctx->async_cb;
942
    s->async_cb_arg = ctx->async_cb_arg;
943

944
    s->job = NULL;
945

946
#ifndef OPENSSL_NO_COMP_ALG
947
    memcpy(s->cert_comp_prefs, ctx->cert_comp_prefs, sizeof(s->cert_comp_prefs));
948
#endif
949
    if (ctx->client_cert_type != NULL) {
950
        s->client_cert_type = OPENSSL_memdup(ctx->client_cert_type,
951
                                             ctx->client_cert_type_len);
952
        if (s->client_cert_type == NULL)
953
            goto sslerr;
954
        s->client_cert_type_len = ctx->client_cert_type_len;
955
    }
956
    if (ctx->server_cert_type != NULL) {
957
        s->server_cert_type = OPENSSL_memdup(ctx->server_cert_type,
958
                                             ctx->server_cert_type_len);
959
        if (s->server_cert_type == NULL)
960
            goto sslerr;
961
        s->server_cert_type_len = ctx->server_cert_type_len;
962
    }
963

964
#ifndef OPENSSL_NO_CT
965
    if (!SSL_set_ct_validation_callback(ssl, ctx->ct_validation_callback,
966
                                        ctx->ct_validation_callback_arg))
967
        goto sslerr;
968
#endif
969

970
    s->ssl_pkey_num = SSL_PKEY_NUM + ctx->sigalg_list_len;
971
    return ssl;
972
 cerr:
973
    ERR_raise(ERR_LIB_SSL, ERR_R_CRYPTO_LIB);
974
    goto err;
975
 asn1err:
976
    ERR_raise(ERR_LIB_SSL, ERR_R_ASN1_LIB);
977
    goto err;
978
 sslerr:
979
    ERR_raise(ERR_LIB_SSL, ERR_R_SSL_LIB);
980
 err:
981
    SSL_free(ssl);
982
    return NULL;
983
}
984

985
SSL *ossl_ssl_connection_new(SSL_CTX *ctx)
986
{
987
    return ossl_ssl_connection_new_int(ctx, NULL, ctx->method);
988
}
989

990
int SSL_is_dtls(const SSL *s)
991
{
992
    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
993

994
#ifndef OPENSSL_NO_QUIC
995
    if (s->type == SSL_TYPE_QUIC_CONNECTION || s->type == SSL_TYPE_QUIC_XSO)
996
        return 0;
997
#endif
998

999
    if (sc == NULL)
1000
        return 0;
1001

1002
    return SSL_CONNECTION_IS_DTLS(sc) ? 1 : 0;
1003
}
1004

1005
int SSL_is_tls(const SSL *s)
1006
{
1007
    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
1008

1009
#ifndef OPENSSL_NO_QUIC
1010
    if (s->type == SSL_TYPE_QUIC_CONNECTION || s->type == SSL_TYPE_QUIC_XSO)
1011
        return 0;
1012
#endif
1013

1014
    if (sc == NULL)
1015
        return 0;
1016

1017
    return SSL_CONNECTION_IS_DTLS(sc) ? 0 : 1;
1018
}
1019

1020
int SSL_is_quic(const SSL *s)
1021
{
1022
    return IS_QUIC(s);
1023
}
1024

1025
int SSL_up_ref(SSL *s)
1026
{
1027
    int i;
1028

1029
    if (CRYPTO_UP_REF(&s->references, &i) <= 0)
1030
        return 0;
1031

1032
    REF_PRINT_COUNT("SSL", i, s);
1033
    REF_ASSERT_ISNT(i < 2);
1034
    return ((i > 1) ? 1 : 0);
1035
}
1036

1037
int SSL_CTX_set_session_id_context(SSL_CTX *ctx, const unsigned char *sid_ctx,
1038
                                   unsigned int sid_ctx_len)
1039
{
1040
    if (sid_ctx_len > SSL_MAX_SID_CTX_LENGTH) {
1041
        ERR_raise(ERR_LIB_SSL, SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG);
1042
        return 0;
1043
    }
1044
    ctx->sid_ctx_length = sid_ctx_len;
1045
    memcpy(ctx->sid_ctx, sid_ctx, sid_ctx_len);
1046

1047
    return 1;
1048
}
1049

1050
int SSL_set_session_id_context(SSL *ssl, const unsigned char *sid_ctx,
1051
                               unsigned int sid_ctx_len)
1052
{
1053
    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(ssl);
1054

1055
    if (sc == NULL)
1056
        return 0;
1057

1058
    if (sid_ctx_len > SSL_MAX_SID_CTX_LENGTH) {
1059
        ERR_raise(ERR_LIB_SSL, SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG);
1060
        return 0;
1061
    }
1062
    sc->sid_ctx_length = sid_ctx_len;
1063
    memcpy(sc->sid_ctx, sid_ctx, sid_ctx_len);
1064

1065
    return 1;
1066
}
1067

1068
int SSL_CTX_set_generate_session_id(SSL_CTX *ctx, GEN_SESSION_CB cb)
1069
{
1070
    if (!CRYPTO_THREAD_write_lock(ctx->lock))
1071
        return 0;
1072
    ctx->generate_session_id = cb;
1073
    CRYPTO_THREAD_unlock(ctx->lock);
1074
    return 1;
1075
}
1076

1077
int SSL_set_generate_session_id(SSL *ssl, GEN_SESSION_CB cb)
1078
{
1079
    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(ssl);
1080

1081
    if (sc == NULL || !CRYPTO_THREAD_write_lock(ssl->lock))
1082
        return 0;
1083
    sc->generate_session_id = cb;
1084
    CRYPTO_THREAD_unlock(ssl->lock);
1085
    return 1;
1086
}
1087

1088
int SSL_has_matching_session_id(const SSL *ssl, const unsigned char *id,
1089
                                unsigned int id_len)
1090
{
1091
    /*
1092
     * A quick examination of SSL_SESSION_hash and SSL_SESSION_cmp shows how
1093
     * we can "construct" a session to give us the desired check - i.e. to
1094
     * find if there's a session in the hash table that would conflict with
1095
     * any new session built out of this id/id_len and the ssl_version in use
1096
     * by this SSL.
1097
     */
1098
    SSL_SESSION r, *p;
1099
    const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(ssl);
1100

1101
    if (sc == NULL || id_len > sizeof(r.session_id))
1102
        return 0;
1103

1104
    r.ssl_version = sc->version;
1105
    r.session_id_length = id_len;
1106
    memcpy(r.session_id, id, id_len);
1107

1108
    if (!CRYPTO_THREAD_read_lock(sc->session_ctx->lock))
1109
        return 0;
1110
    p = lh_SSL_SESSION_retrieve(sc->session_ctx->sessions, &r);
1111
    CRYPTO_THREAD_unlock(sc->session_ctx->lock);
1112
    return (p != NULL);
1113
}
1114

1115
int SSL_CTX_set_purpose(SSL_CTX *s, int purpose)
1116
{
1117
    return X509_VERIFY_PARAM_set_purpose(s->param, purpose);
1118
}
1119

1120
int SSL_set_purpose(SSL *s, int purpose)
1121
{
1122
    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
1123

1124
    if (sc == NULL)
1125
        return 0;
1126

1127
    return X509_VERIFY_PARAM_set_purpose(sc->param, purpose);
1128
}
1129

1130
int SSL_CTX_set_trust(SSL_CTX *s, int trust)
1131
{
1132
    return X509_VERIFY_PARAM_set_trust(s->param, trust);
1133
}
1134

1135
int SSL_set_trust(SSL *s, int trust)
1136
{
1137
    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
1138

1139
    if (sc == NULL)
1140
        return 0;
1141

1142
    return X509_VERIFY_PARAM_set_trust(sc->param, trust);
1143
}
1144

1145
int SSL_set1_host(SSL *s, const char *host)
1146
{
1147
    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
1148

1149
    if (sc == NULL)
1150
        return 0;
1151

1152
    /* clear hostname(s) and IP address in any case, also if host parses as an IP address */
1153
    (void)X509_VERIFY_PARAM_set1_host(sc->param, NULL, 0);
1154
    (void)X509_VERIFY_PARAM_set1_ip(sc->param, NULL, 0);
1155
    if (host == NULL)
1156
        return 1;
1157

1158
    /* If a host is provided and parses as an IP address, treat it as such. */
1159
    return X509_VERIFY_PARAM_set1_ip_asc(sc->param, host)
1160
        || X509_VERIFY_PARAM_set1_host(sc->param, host, 0);
1161
}
1162

1163
int SSL_add1_host(SSL *s, const char *host)
1164
{
1165
    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
1166

1167
    if (sc == NULL)
1168
        return 0;
1169

1170
    /* If a host is provided and parses as an IP address, treat it as such. */
1171
    if (host != NULL) {
1172
        ASN1_OCTET_STRING *ip;
1173
        char *old_ip;
1174

1175
        ip = a2i_IPADDRESS(host);
1176
        if (ip != NULL) {
1177
            /* We didn't want it; only to check if it *is* an IP address */
1178
            ASN1_OCTET_STRING_free(ip);
1179

1180
            old_ip = X509_VERIFY_PARAM_get1_ip_asc(sc->param);
1181
            if (old_ip != NULL) {
1182
                OPENSSL_free(old_ip);
1183
                /* There can be only one IP address */
1184
                ERR_raise_data(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT,
1185
                               "IP address was already set");
1186
                return 0;
1187
            }
1188

1189
            return X509_VERIFY_PARAM_set1_ip_asc(sc->param, host);
1190
        }
1191
    }
1192

1193
    return X509_VERIFY_PARAM_add1_host(sc->param, host, 0);
1194
}
1195

1196
void SSL_set_hostflags(SSL *s, unsigned int flags)
1197
{
1198
    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
1199

1200
    if (sc == NULL)
1201
        return;
1202

1203
    X509_VERIFY_PARAM_set_hostflags(sc->param, flags);
1204
}
1205

1206
const char *SSL_get0_peername(SSL *s)
1207
{
1208
    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
1209

1210
    if (sc == NULL)
1211
        return NULL;
1212

1213
    return X509_VERIFY_PARAM_get0_peername(sc->param);
1214
}
1215

1216
int SSL_CTX_dane_enable(SSL_CTX *ctx)
1217
{
1218
    return dane_ctx_enable(&ctx->dane);
1219
}
1220

1221
unsigned long SSL_CTX_dane_set_flags(SSL_CTX *ctx, unsigned long flags)
1222
{
1223
    unsigned long orig = ctx->dane.flags;
1224

1225
    ctx->dane.flags |= flags;
1226
    return orig;
1227
}
1228

1229
unsigned long SSL_CTX_dane_clear_flags(SSL_CTX *ctx, unsigned long flags)
1230
{
1231
    unsigned long orig = ctx->dane.flags;
1232

1233
    ctx->dane.flags &= ~flags;
1234
    return orig;
1235
}
1236

1237
int SSL_dane_enable(SSL *s, const char *basedomain)
1238
{
1239
    SSL_DANE *dane;
1240
    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
1241

1242
    if (sc == NULL)
1243
        return 0;
1244

1245
    dane = &sc->dane;
1246
    if (s->ctx->dane.mdmax == 0) {
1247
        ERR_raise(ERR_LIB_SSL, SSL_R_CONTEXT_NOT_DANE_ENABLED);
1248
        return 0;
1249
    }
1250
    if (dane->trecs != NULL) {
1251
        ERR_raise(ERR_LIB_SSL, SSL_R_DANE_ALREADY_ENABLED);
1252
        return 0;
1253
    }
1254

1255
    /*
1256
     * Default SNI name.  This rejects empty names, while set1_host below
1257
     * accepts them and disables hostname checks.  To avoid side-effects with
1258
     * invalid input, set the SNI name first.
1259
     */
1260
    if (sc->ext.hostname == NULL) {
1261
        if (!SSL_set_tlsext_host_name(s, basedomain)) {
1262
            ERR_raise(ERR_LIB_SSL, SSL_R_ERROR_SETTING_TLSA_BASE_DOMAIN);
1263
            return -1;
1264
        }
1265
    }
1266

1267
    /* Primary RFC6125 reference identifier */
1268
    if (!X509_VERIFY_PARAM_set1_host(sc->param, basedomain, 0)) {
1269
        ERR_raise(ERR_LIB_SSL, SSL_R_ERROR_SETTING_TLSA_BASE_DOMAIN);
1270
        return -1;
1271
    }
1272

1273
    dane->mdpth = -1;
1274
    dane->pdpth = -1;
1275
    dane->dctx = &s->ctx->dane;
1276
    dane->trecs = sk_danetls_record_new_null();
1277

1278
    if (dane->trecs == NULL) {
1279
        ERR_raise(ERR_LIB_SSL, ERR_R_CRYPTO_LIB);
1280
        return -1;
1281
    }
1282
    return 1;
1283
}
1284

1285
unsigned long SSL_dane_set_flags(SSL *ssl, unsigned long flags)
1286
{
1287
    unsigned long orig;
1288
    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(ssl);
1289

1290
    if (sc == NULL)
1291
        return 0;
1292

1293
    orig = sc->dane.flags;
1294

1295
    sc->dane.flags |= flags;
1296
    return orig;
1297
}
1298

1299
unsigned long SSL_dane_clear_flags(SSL *ssl, unsigned long flags)
1300
{
1301
    unsigned long orig;
1302
    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(ssl);
1303

1304
    if (sc == NULL)
1305
        return 0;
1306

1307
    orig = sc->dane.flags;
1308

1309
    sc->dane.flags &= ~flags;
1310
    return orig;
1311
}
1312

1313
int SSL_get0_dane_authority(SSL *s, X509 **mcert, EVP_PKEY **mspki)
1314
{
1315
    SSL_DANE *dane;
1316
    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
1317

1318
    if (sc == NULL)
1319
        return -1;
1320

1321
    dane = &sc->dane;
1322

1323
    if (!DANETLS_ENABLED(dane) || sc->verify_result != X509_V_OK)
1324
        return -1;
1325
    if (dane->mtlsa) {
1326
        if (mcert)
1327
            *mcert = dane->mcert;
1328
        if (mspki)
1329
            *mspki = (dane->mcert == NULL) ? dane->mtlsa->spki : NULL;
1330
    }
1331
    return dane->mdpth;
1332
}
1333

1334
int SSL_get0_dane_tlsa(SSL *s, uint8_t *usage, uint8_t *selector,
1335
                       uint8_t *mtype, const unsigned char **data, size_t *dlen)
1336
{
1337
    SSL_DANE *dane;
1338
    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
1339

1340
    if (sc == NULL)
1341
        return -1;
1342

1343
    dane = &sc->dane;
1344

1345
    if (!DANETLS_ENABLED(dane) || sc->verify_result != X509_V_OK)
1346
        return -1;
1347
    if (dane->mtlsa) {
1348
        if (usage)
1349
            *usage = dane->mtlsa->usage;
1350
        if (selector)
1351
            *selector = dane->mtlsa->selector;
1352
        if (mtype)
1353
            *mtype = dane->mtlsa->mtype;
1354
        if (data)
1355
            *data = dane->mtlsa->data;
1356
        if (dlen)
1357
            *dlen = dane->mtlsa->dlen;
1358
    }
1359
    return dane->mdpth;
1360
}
1361

1362
SSL_DANE *SSL_get0_dane(SSL *s)
1363
{
1364
    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
1365

1366
    if (sc == NULL)
1367
        return NULL;
1368

1369
    return &sc->dane;
1370
}
1371

1372
int SSL_dane_tlsa_add(SSL *s, uint8_t usage, uint8_t selector,
1373
                      uint8_t mtype, const unsigned char *data, size_t dlen)
1374
{
1375
    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
1376

1377
    if (sc == NULL)
1378
        return 0;
1379

1380
    return dane_tlsa_add(&sc->dane, usage, selector, mtype, data, dlen);
1381
}
1382

1383
int SSL_CTX_dane_mtype_set(SSL_CTX *ctx, const EVP_MD *md, uint8_t mtype,
1384
                           uint8_t ord)
1385
{
1386
    return dane_mtype_set(&ctx->dane, md, mtype, ord);
1387
}
1388

1389
int SSL_CTX_set1_param(SSL_CTX *ctx, X509_VERIFY_PARAM *vpm)
1390
{
1391
    return X509_VERIFY_PARAM_set1(ctx->param, vpm);
1392
}
1393

1394
int SSL_set1_param(SSL *ssl, X509_VERIFY_PARAM *vpm)
1395
{
1396
    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(ssl);
1397

1398
    if (sc == NULL)
1399
        return 0;
1400

1401
    return X509_VERIFY_PARAM_set1(sc->param, vpm);
1402
}
1403

1404
X509_VERIFY_PARAM *SSL_CTX_get0_param(SSL_CTX *ctx)
1405
{
1406
    return ctx->param;
1407
}
1408

1409
X509_VERIFY_PARAM *SSL_get0_param(SSL *ssl)
1410
{
1411
    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(ssl);
1412

1413
    if (sc == NULL)
1414
        return NULL;
1415

1416
    return sc->param;
1417
}
1418

1419
void SSL_certs_clear(SSL *s)
1420
{
1421
    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
1422

1423
    if (sc == NULL)
1424
        return;
1425

1426
    ssl_cert_clear_certs(sc->cert);
1427
}
1428

1429
void SSL_free(SSL *s)
1430
{
1431
    int i;
1432

1433
    if (s == NULL)
1434
        return;
1435
    CRYPTO_DOWN_REF(&s->references, &i);
1436
    REF_PRINT_COUNT("SSL", i, s);
1437
    if (i > 0)
1438
        return;
1439
    REF_ASSERT_ISNT(i < 0);
1440

1441
    if (s->method != NULL)
1442
        s->method->ssl_free(s);
1443

1444
    CRYPTO_free_ex_data(CRYPTO_EX_INDEX_SSL, s, &s->ex_data);
1445
    SSL_CTX_free(s->ctx);
1446
    CRYPTO_THREAD_lock_free(s->lock);
1447
    CRYPTO_FREE_REF(&s->references);
1448

1449
    OPENSSL_free(s);
1450
}
1451

1452
void ossl_ssl_connection_free(SSL *ssl)
1453
{
1454
    SSL_CONNECTION *s;
1455

1456
    s = SSL_CONNECTION_FROM_SSL_ONLY(ssl);
1457
    if (s == NULL)
1458
        return;
1459

1460
    /*
1461
     * Ignore return values. This could result in user callbacks being called
1462
     * e.g. for the QUIC TLS record layer. So we do this early before we have
1463
     * freed other things.
1464
     */
1465
    ssl_free_wbio_buffer(s);
1466
    RECORD_LAYER_clear(&s->rlayer);
1467

1468
    X509_VERIFY_PARAM_free(s->param);
1469
    dane_final(&s->dane);
1470

1471
    BUF_MEM_free(s->init_buf);
1472

1473
    /* add extra stuff */
1474
    sk_SSL_CIPHER_free(s->cipher_list);
1475
    sk_SSL_CIPHER_free(s->cipher_list_by_id);
1476
    sk_SSL_CIPHER_free(s->tls13_ciphersuites);
1477
    sk_SSL_CIPHER_free(s->peer_ciphers);
1478

1479
    /* Make the next call work :-) */
1480
    if (s->session != NULL) {
1481
        ssl_clear_bad_session(s);
1482
        SSL_SESSION_free(s->session);
1483
    }
1484
    SSL_SESSION_free(s->psksession);
1485
    OPENSSL_free(s->psksession_id);
1486

1487
    ssl_cert_free(s->cert);
1488
    OPENSSL_free(s->shared_sigalgs);
1489
    /* Free up if allocated */
1490

1491
    OPENSSL_free(s->ext.hostname);
1492
    SSL_CTX_free(s->session_ctx);
1493
    OPENSSL_free(s->ext.ecpointformats);
1494
    OPENSSL_free(s->ext.peer_ecpointformats);
1495
    OPENSSL_free(s->ext.supportedgroups);
1496
    OPENSSL_free(s->ext.keyshares);
1497
    OPENSSL_free(s->ext.tuples);
1498
    OPENSSL_free(s->ext.peer_supportedgroups);
1499
    sk_X509_EXTENSION_pop_free(s->ext.ocsp.exts, X509_EXTENSION_free);
1500
#ifndef OPENSSL_NO_OCSP
1501
    sk_OCSP_RESPID_pop_free(s->ext.ocsp.ids, OCSP_RESPID_free);
1502
#endif
1503
#ifndef OPENSSL_NO_CT
1504
    SCT_LIST_free(s->scts);
1505
    OPENSSL_free(s->ext.scts);
1506
#endif
1507
    OPENSSL_free(s->ext.ocsp.resp);
1508
    OPENSSL_free(s->ext.alpn);
1509
    OPENSSL_free(s->ext.tls13_cookie);
1510
    if (s->clienthello != NULL)
1511
        OPENSSL_free(s->clienthello->pre_proc_exts);
1512
    OPENSSL_free(s->clienthello);
1513
    OPENSSL_free(s->pha_context);
1514
    EVP_MD_CTX_free(s->pha_dgst);
1515

1516
    sk_X509_NAME_pop_free(s->ca_names, X509_NAME_free);
1517
    sk_X509_NAME_pop_free(s->client_ca_names, X509_NAME_free);
1518

1519
    OPENSSL_free(s->client_cert_type);
1520
    OPENSSL_free(s->server_cert_type);
1521

1522
    OSSL_STACK_OF_X509_free(s->verified_chain);
1523

1524
    if (ssl->method != NULL)
1525
        ssl->method->ssl_deinit(ssl);
1526

1527
    ASYNC_WAIT_CTX_free(s->waitctx);
1528

1529
#if !defined(OPENSSL_NO_NEXTPROTONEG)
1530
    OPENSSL_free(s->ext.npn);
1531
#endif
1532

1533
#ifndef OPENSSL_NO_SRTP
1534
    sk_SRTP_PROTECTION_PROFILE_free(s->srtp_profiles);
1535
#endif
1536

1537
    /*
1538
     * We do this late. We want to ensure that any other references we held to
1539
     * these BIOs are freed first *before* we call BIO_free_all(), because
1540
     * BIO_free_all() will only free each BIO in the chain if the number of
1541
     * references to the first BIO have dropped to 0
1542
     */
1543
    BIO_free_all(s->wbio);
1544
    s->wbio = NULL;
1545
    BIO_free_all(s->rbio);
1546
    s->rbio = NULL;
1547
    OPENSSL_free(s->s3.tmp.valid_flags);
1548
}
1549

1550
void SSL_set0_rbio(SSL *s, BIO *rbio)
1551
{
1552
    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
1553

1554
#ifndef OPENSSL_NO_QUIC
1555
    if (IS_QUIC(s)) {
1556
        ossl_quic_conn_set0_net_rbio(s, rbio);
1557
        return;
1558
    }
1559
#endif
1560

1561
    if (sc == NULL)
1562
        return;
1563

1564
    BIO_free_all(sc->rbio);
1565
    sc->rbio = rbio;
1566
    sc->rlayer.rrlmethod->set1_bio(sc->rlayer.rrl, sc->rbio);
1567
}
1568

1569
void SSL_set0_wbio(SSL *s, BIO *wbio)
1570
{
1571
    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
1572

1573
#ifndef OPENSSL_NO_QUIC
1574
    if (IS_QUIC(s)) {
1575
        ossl_quic_conn_set0_net_wbio(s, wbio);
1576
        return;
1577
    }
1578
#endif
1579

1580
    if (sc == NULL)
1581
        return;
1582

1583
    /*
1584
     * If the output buffering BIO is still in place, remove it
1585
     */
1586
    if (sc->bbio != NULL)
1587
        sc->wbio = BIO_pop(sc->wbio);
1588

1589
    BIO_free_all(sc->wbio);
1590
    sc->wbio = wbio;
1591

1592
    /* Re-attach |bbio| to the new |wbio|. */
1593
    if (sc->bbio != NULL)
1594
        sc->wbio = BIO_push(sc->bbio, sc->wbio);
1595

1596
    sc->rlayer.wrlmethod->set1_bio(sc->rlayer.wrl, sc->wbio);
1597
}
1598

1599
void SSL_set_bio(SSL *s, BIO *rbio, BIO *wbio)
1600
{
1601
    /*
1602
     * For historical reasons, this function has many different cases in
1603
     * ownership handling.
1604
     */
1605

1606
    /* If nothing has changed, do nothing */
1607
    if (rbio == SSL_get_rbio(s) && wbio == SSL_get_wbio(s))
1608
        return;
1609

1610
    /*
1611
     * If the two arguments are equal then one fewer reference is granted by the
1612
     * caller than we want to take
1613
     */
1614
    if (rbio != NULL && rbio == wbio) {
1615
        if (!BIO_up_ref(rbio))
1616
            return;
1617
    }
1618

1619
    /*
1620
     * If only the wbio is changed only adopt one reference.
1621
     */
1622
    if (rbio == SSL_get_rbio(s)) {
1623
        SSL_set0_wbio(s, wbio);
1624
        return;
1625
    }
1626
    /*
1627
     * There is an asymmetry here for historical reasons. If only the rbio is
1628
     * changed AND the rbio and wbio were originally different, then we only
1629
     * adopt one reference.
1630
     */
1631
    if (wbio == SSL_get_wbio(s) && SSL_get_rbio(s) != SSL_get_wbio(s)) {
1632
        SSL_set0_rbio(s, rbio);
1633
        return;
1634
    }
1635

1636
    /* Otherwise, adopt both references. */
1637
    SSL_set0_rbio(s, rbio);
1638
    SSL_set0_wbio(s, wbio);
1639
}
1640

1641
BIO *SSL_get_rbio(const SSL *s)
1642
{
1643
    const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
1644

1645
#ifndef OPENSSL_NO_QUIC
1646
    if (IS_QUIC(s))
1647
        return ossl_quic_conn_get_net_rbio(s);
1648
#endif
1649

1650
    if (sc == NULL)
1651
        return NULL;
1652

1653
    return sc->rbio;
1654
}
1655

1656
BIO *SSL_get_wbio(const SSL *s)
1657
{
1658
    const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
1659

1660
#ifndef OPENSSL_NO_QUIC
1661
    if (IS_QUIC(s))
1662
        return ossl_quic_conn_get_net_wbio(s);
1663
#endif
1664

1665
    if (sc == NULL)
1666
        return NULL;
1667

1668
    if (sc->bbio != NULL) {
1669
        /*
1670
         * If |bbio| is active, the true caller-configured BIO is its
1671
         * |next_bio|.
1672
         */
1673
        return BIO_next(sc->bbio);
1674
    }
1675
    return sc->wbio;
1676
}
1677

1678
int SSL_get_fd(const SSL *s)
1679
{
1680
    return SSL_get_rfd(s);
1681
}
1682

1683
int SSL_get_rfd(const SSL *s)
1684
{
1685
    int ret = -1;
1686
    BIO *b, *r;
1687

1688
    b = SSL_get_rbio(s);
1689
    r = BIO_find_type(b, BIO_TYPE_DESCRIPTOR);
1690
    if (r != NULL)
1691
        BIO_get_fd(r, &ret);
1692
    return ret;
1693
}
1694

1695
int SSL_get_wfd(const SSL *s)
1696
{
1697
    int ret = -1;
1698
    BIO *b, *r;
1699

1700
    b = SSL_get_wbio(s);
1701
    r = BIO_find_type(b, BIO_TYPE_DESCRIPTOR);
1702
    if (r != NULL)
1703
        BIO_get_fd(r, &ret);
1704
    return ret;
1705
}
1706

1707
#ifndef OPENSSL_NO_SOCK
1708
static const BIO_METHOD *fd_method(SSL *s)
1709
{
1710
#ifndef OPENSSL_NO_DGRAM
1711
    if (IS_QUIC(s))
1712
        return BIO_s_datagram();
1713
#endif
1714

1715
    return BIO_s_socket();
1716
}
1717

1718
int SSL_set_fd(SSL *s, int fd)
1719
{
1720
    int ret = 0;
1721
    BIO *bio = NULL;
1722

1723
    if (s->type == SSL_TYPE_QUIC_XSO) {
1724
        ERR_raise(ERR_LIB_SSL, SSL_R_CONN_USE_ONLY);
1725
        goto err;
1726
    }
1727

1728
    bio = BIO_new(fd_method(s));
1729

1730
    if (bio == NULL) {
1731
        ERR_raise(ERR_LIB_SSL, ERR_R_BUF_LIB);
1732
        goto err;
1733
    }
1734
    BIO_set_fd(bio, fd, BIO_NOCLOSE);
1735
    SSL_set_bio(s, bio, bio);
1736
#ifndef OPENSSL_NO_KTLS
1737
    /*
1738
     * The new socket is created successfully regardless of ktls_enable.
1739
     * ktls_enable doesn't change any functionality of the socket, except
1740
     * changing the setsockopt to enable the processing of ktls_start.
1741
     * Thus, it is not a problem to call it for non-TLS sockets.
1742
     */
1743
    ktls_enable(fd);
1744
#endif /* OPENSSL_NO_KTLS */
1745
    ret = 1;
1746
 err:
1747
    return ret;
1748
}
1749

1750
int SSL_set_wfd(SSL *s, int fd)
1751
{
1752
    BIO *rbio = SSL_get_rbio(s);
1753
    int desired_type = IS_QUIC(s) ? BIO_TYPE_DGRAM : BIO_TYPE_SOCKET;
1754

1755
    if (s->type == SSL_TYPE_QUIC_XSO) {
1756
        ERR_raise(ERR_LIB_SSL, SSL_R_CONN_USE_ONLY);
1757
        return 0;
1758
    }
1759

1760
    if (rbio == NULL || BIO_method_type(rbio) != desired_type
1761
        || (int)BIO_get_fd(rbio, NULL) != fd) {
1762
        BIO *bio = BIO_new(fd_method(s));
1763

1764
        if (bio == NULL) {
1765
            ERR_raise(ERR_LIB_SSL, ERR_R_BUF_LIB);
1766
            return 0;
1767
        }
1768
        BIO_set_fd(bio, fd, BIO_NOCLOSE);
1769
        SSL_set0_wbio(s, bio);
1770
#ifndef OPENSSL_NO_KTLS
1771
        /*
1772
         * The new socket is created successfully regardless of ktls_enable.
1773
         * ktls_enable doesn't change any functionality of the socket, except
1774
         * changing the setsockopt to enable the processing of ktls_start.
1775
         * Thus, it is not a problem to call it for non-TLS sockets.
1776
         */
1777
        ktls_enable(fd);
1778
#endif /* OPENSSL_NO_KTLS */
1779
    } else {
1780
        if (!BIO_up_ref(rbio))
1781
            return 0;
1782
        SSL_set0_wbio(s, rbio);
1783
    }
1784
    return 1;
1785
}
1786

1787
int SSL_set_rfd(SSL *s, int fd)
1788
{
1789
    BIO *wbio = SSL_get_wbio(s);
1790
    int desired_type = IS_QUIC(s) ? BIO_TYPE_DGRAM : BIO_TYPE_SOCKET;
1791

1792
    if (s->type == SSL_TYPE_QUIC_XSO) {
1793
        ERR_raise(ERR_LIB_SSL, SSL_R_CONN_USE_ONLY);
1794
        return 0;
1795
    }
1796

1797
    if (wbio == NULL || BIO_method_type(wbio) != desired_type
1798
        || ((int)BIO_get_fd(wbio, NULL) != fd)) {
1799
        BIO *bio = BIO_new(fd_method(s));
1800

1801
        if (bio == NULL) {
1802
            ERR_raise(ERR_LIB_SSL, ERR_R_BUF_LIB);
1803
            return 0;
1804
        }
1805
        BIO_set_fd(bio, fd, BIO_NOCLOSE);
1806
        SSL_set0_rbio(s, bio);
1807
    } else {
1808
        if (!BIO_up_ref(wbio))
1809
            return 0;
1810
        SSL_set0_rbio(s, wbio);
1811
    }
1812

1813
    return 1;
1814
}
1815
#endif
1816

1817
/* return length of latest Finished message we sent, copy to 'buf' */
1818
size_t SSL_get_finished(const SSL *s, void *buf, size_t count)
1819
{
1820
    size_t ret = 0;
1821
    const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
1822

1823
    if (sc == NULL)
1824
        return 0;
1825

1826
    ret = sc->s3.tmp.finish_md_len;
1827
    if (count > ret)
1828
        count = ret;
1829
    memcpy(buf, sc->s3.tmp.finish_md, count);
1830
    return ret;
1831
}
1832

1833
/* return length of latest Finished message we expected, copy to 'buf' */
1834
size_t SSL_get_peer_finished(const SSL *s, void *buf, size_t count)
1835
{
1836
    size_t ret = 0;
1837
    const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
1838

1839
    if (sc == NULL)
1840
        return 0;
1841

1842
    ret = sc->s3.tmp.peer_finish_md_len;
1843
    if (count > ret)
1844
        count = ret;
1845
    memcpy(buf, sc->s3.tmp.peer_finish_md, count);
1846
    return ret;
1847
}
1848

1849
int SSL_get_verify_mode(const SSL *s)
1850
{
1851
    const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
1852

1853
    if (sc == NULL)
1854
        return 0;
1855

1856
    return sc->verify_mode;
1857
}
1858

1859
int SSL_get_verify_depth(const SSL *s)
1860
{
1861
    const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
1862

1863
    if (sc == NULL)
1864
        return 0;
1865

1866
    return X509_VERIFY_PARAM_get_depth(sc->param);
1867
}
1868

1869
int (*SSL_get_verify_callback(const SSL *s)) (int, X509_STORE_CTX *) {
1870
    const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
1871

1872
    if (sc == NULL)
1873
        return NULL;
1874

1875
    return sc->verify_callback;
1876
}
1877

1878
int SSL_CTX_get_verify_mode(const SSL_CTX *ctx)
1879
{
1880
    return ctx->verify_mode;
1881
}
1882

1883
int SSL_CTX_get_verify_depth(const SSL_CTX *ctx)
1884
{
1885
    return X509_VERIFY_PARAM_get_depth(ctx->param);
1886
}
1887

1888
int (*SSL_CTX_get_verify_callback(const SSL_CTX *ctx)) (int, X509_STORE_CTX *) {
1889
    return ctx->default_verify_callback;
1890
}
1891

1892
void SSL_set_verify(SSL *s, int mode,
1893
                    int (*callback) (int ok, X509_STORE_CTX *ctx))
1894
{
1895
    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
1896

1897
    if (sc == NULL)
1898
        return;
1899

1900
    sc->verify_mode = mode;
1901
    if (callback != NULL)
1902
        sc->verify_callback = callback;
1903
}
1904

1905
void SSL_set_verify_depth(SSL *s, int depth)
1906
{
1907
    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
1908

1909
    if (sc == NULL)
1910
        return;
1911

1912
    X509_VERIFY_PARAM_set_depth(sc->param, depth);
1913
}
1914

1915
void SSL_set_read_ahead(SSL *s, int yes)
1916
{
1917
    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL_ONLY(s);
1918
    OSSL_PARAM options[2], *opts = options;
1919

1920
    if (sc == NULL)
1921
        return;
1922

1923
    RECORD_LAYER_set_read_ahead(&sc->rlayer, yes);
1924

1925
    *opts++ = OSSL_PARAM_construct_int(OSSL_LIBSSL_RECORD_LAYER_PARAM_READ_AHEAD,
1926
                                       &sc->rlayer.read_ahead);
1927
    *opts = OSSL_PARAM_construct_end();
1928

1929
    /* Ignore return value */
1930
    sc->rlayer.rrlmethod->set_options(sc->rlayer.rrl, options);
1931
}
1932

1933
int SSL_get_read_ahead(const SSL *s)
1934
{
1935
    const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL_ONLY(s);
1936

1937
    if (sc == NULL)
1938
        return 0;
1939

1940
    return RECORD_LAYER_get_read_ahead(&sc->rlayer);
1941
}
1942

1943
int SSL_pending(const SSL *s)
1944
{
1945
    size_t pending = s->method->ssl_pending(s);
1946

1947
    /*
1948
     * SSL_pending cannot work properly if read-ahead is enabled
1949
     * (SSL_[CTX_]ctrl(..., SSL_CTRL_SET_READ_AHEAD, 1, NULL)), and it is
1950
     * impossible to fix since SSL_pending cannot report errors that may be
1951
     * observed while scanning the new data. (Note that SSL_pending() is
1952
     * often used as a boolean value, so we'd better not return -1.)
1953
     *
1954
     * SSL_pending also cannot work properly if the value >INT_MAX. In that case
1955
     * we just return INT_MAX.
1956
     */
1957
    return pending < INT_MAX ? (int)pending : INT_MAX;
1958
}
1959

1960
int SSL_has_pending(const SSL *s)
1961
{
1962
    /*
1963
     * Similar to SSL_pending() but returns a 1 to indicate that we have
1964
     * processed or unprocessed data available or 0 otherwise (as opposed to the
1965
     * number of bytes available). Unlike SSL_pending() this will take into
1966
     * account read_ahead data. A 1 return simply indicates that we have data.
1967
     * That data may not result in any application data, or we may fail to parse
1968
     * the records for some reason.
1969
     */
1970
    const SSL_CONNECTION *sc;
1971

1972
#ifndef OPENSSL_NO_QUIC
1973
    if (IS_QUIC(s))
1974
        return ossl_quic_has_pending(s);
1975
#endif
1976

1977
    sc = SSL_CONNECTION_FROM_CONST_SSL(s);
1978

1979
    /* Check buffered app data if any first */
1980
    if (SSL_CONNECTION_IS_DTLS(sc)) {
1981
        TLS_RECORD *rdata;
1982
        pitem *item, *iter;
1983

1984
        iter = pqueue_iterator(sc->rlayer.d->buffered_app_data);
1985
        while ((item = pqueue_next(&iter)) != NULL) {
1986
            rdata = item->data;
1987
            if (rdata->length > 0)
1988
                return 1;
1989
        }
1990
    }
1991

1992
    if (RECORD_LAYER_processed_read_pending(&sc->rlayer))
1993
        return 1;
1994

1995
    return RECORD_LAYER_read_pending(&sc->rlayer);
1996
}
1997

1998
X509 *SSL_get1_peer_certificate(const SSL *s)
1999
{
2000
    X509 *r = SSL_get0_peer_certificate(s);
2001

2002
    if (r != NULL && !X509_up_ref(r))
2003
        return NULL;
2004

2005
    return r;
2006
}
2007

2008
X509 *SSL_get0_peer_certificate(const SSL *s)
2009
{
2010
    const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
2011

2012
    if (sc == NULL)
2013
        return NULL;
2014

2015
    if (sc->session == NULL)
2016
        return NULL;
2017
    else
2018
        return sc->session->peer;
2019
}
2020

2021
STACK_OF(X509) *SSL_get_peer_cert_chain(const SSL *s)
2022
{
2023
    STACK_OF(X509) *r;
2024
    const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
2025

2026
    if (sc == NULL)
2027
        return NULL;
2028

2029
    if (sc->session == NULL)
2030
        r = NULL;
2031
    else
2032
        r = sc->session->peer_chain;
2033

2034
    /*
2035
     * If we are a client, cert_chain includes the peer's own certificate; if
2036
     * we are a server, it does not.
2037
     */
2038

2039
    return r;
2040
}
2041

2042
/*
2043
 * Now in theory, since the calling process own 't' it should be safe to
2044
 * modify.  We need to be able to read f without being hassled
2045
 */
2046
int SSL_copy_session_id(SSL *t, const SSL *f)
2047
{
2048
    int i;
2049
    /* TODO(QUIC FUTURE): Not allowed for QUIC currently. */
2050
    SSL_CONNECTION *tsc = SSL_CONNECTION_FROM_SSL_ONLY(t);
2051
    const SSL_CONNECTION *fsc = SSL_CONNECTION_FROM_CONST_SSL_ONLY(f);
2052

2053
    if (tsc == NULL || fsc == NULL)
2054
        return 0;
2055

2056
    /* Do we need to do SSL locking? */
2057
    if (!SSL_set_session(t, SSL_get_session(f))) {
2058
        return 0;
2059
    }
2060

2061
    /*
2062
     * what if we are setup for one protocol version but want to talk another
2063
     */
2064
    if (t->method != f->method) {
2065
        t->method->ssl_deinit(t);
2066
        t->method = f->method;
2067
        if (t->method->ssl_init(t) == 0)
2068
            return 0;
2069
    }
2070

2071
    CRYPTO_UP_REF(&fsc->cert->references, &i);
2072
    ssl_cert_free(tsc->cert);
2073
    tsc->cert = fsc->cert;
2074
    if (!SSL_set_session_id_context(t, fsc->sid_ctx, (int)fsc->sid_ctx_length)) {
2075
        return 0;
2076
    }
2077

2078
    return 1;
2079
}
2080

2081
/* Fix this so it checks all the valid key/cert options */
2082
int SSL_CTX_check_private_key(const SSL_CTX *ctx)
2083
{
2084
    if ((ctx == NULL) || (ctx->cert->key->x509 == NULL)) {
2085
        ERR_raise(ERR_LIB_SSL, SSL_R_NO_CERTIFICATE_ASSIGNED);
2086
        return 0;
2087
    }
2088
    if (ctx->cert->key->privatekey == NULL) {
2089
        ERR_raise(ERR_LIB_SSL, SSL_R_NO_PRIVATE_KEY_ASSIGNED);
2090
        return 0;
2091
    }
2092
    return X509_check_private_key
2093
            (ctx->cert->key->x509, ctx->cert->key->privatekey);
2094
}
2095

2096
/* Fix this function so that it takes an optional type parameter */
2097
int SSL_check_private_key(const SSL *ssl)
2098
{
2099
    const SSL_CONNECTION *sc;
2100

2101
    if ((sc = SSL_CONNECTION_FROM_CONST_SSL(ssl)) == NULL) {
2102
        ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_NULL_PARAMETER);
2103
        return 0;
2104
    }
2105
    if (sc->cert->key->x509 == NULL) {
2106
        ERR_raise(ERR_LIB_SSL, SSL_R_NO_CERTIFICATE_ASSIGNED);
2107
        return 0;
2108
    }
2109
    if (sc->cert->key->privatekey == NULL) {
2110
        ERR_raise(ERR_LIB_SSL, SSL_R_NO_PRIVATE_KEY_ASSIGNED);
2111
        return 0;
2112
    }
2113
    return X509_check_private_key(sc->cert->key->x509,
2114
                                   sc->cert->key->privatekey);
2115
}
2116

2117
int SSL_waiting_for_async(SSL *s)
2118
{
2119
    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
2120

2121
    if (sc == NULL)
2122
        return 0;
2123

2124
    if (sc->job)
2125
        return 1;
2126

2127
    return 0;
2128
}
2129

2130
int SSL_get_all_async_fds(SSL *s, OSSL_ASYNC_FD *fds, size_t *numfds)
2131
{
2132
    ASYNC_WAIT_CTX *ctx;
2133
    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
2134

2135
    if (sc == NULL)
2136
        return 0;
2137

2138
    if ((ctx = sc->waitctx) == NULL)
2139
        return 0;
2140
    return ASYNC_WAIT_CTX_get_all_fds(ctx, fds, numfds);
2141
}
2142

2143
int SSL_get_changed_async_fds(SSL *s, OSSL_ASYNC_FD *addfd, size_t *numaddfds,
2144
                              OSSL_ASYNC_FD *delfd, size_t *numdelfds)
2145
{
2146
    ASYNC_WAIT_CTX *ctx;
2147
    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
2148

2149
    if (sc == NULL)
2150
        return 0;
2151

2152
    if ((ctx = sc->waitctx) == NULL)
2153
        return 0;
2154
    return ASYNC_WAIT_CTX_get_changed_fds(ctx, addfd, numaddfds, delfd,
2155
                                          numdelfds);
2156
}
2157

2158
int SSL_CTX_set_async_callback(SSL_CTX *ctx, SSL_async_callback_fn callback)
2159
{
2160
    ctx->async_cb = callback;
2161
    return 1;
2162
}
2163

2164
int SSL_CTX_set_async_callback_arg(SSL_CTX *ctx, void *arg)
2165
{
2166
    ctx->async_cb_arg = arg;
2167
    return 1;
2168
}
2169

2170
int SSL_set_async_callback(SSL *s, SSL_async_callback_fn callback)
2171
{
2172
    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
2173

2174
    if (sc == NULL)
2175
        return 0;
2176

2177
    sc->async_cb = callback;
2178
    return 1;
2179
}
2180

2181
int SSL_set_async_callback_arg(SSL *s, void *arg)
2182
{
2183
    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
2184

2185
    if (sc == NULL)
2186
        return 0;
2187

2188
    sc->async_cb_arg = arg;
2189
    return 1;
2190
}
2191

2192
int SSL_get_async_status(SSL *s, int *status)
2193
{
2194
    ASYNC_WAIT_CTX *ctx;
2195
    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
2196

2197
    if (sc == NULL)
2198
        return 0;
2199

2200
    if ((ctx = sc->waitctx) == NULL)
2201
        return 0;
2202
    *status = ASYNC_WAIT_CTX_get_status(ctx);
2203
    return 1;
2204
}
2205

2206
int SSL_accept(SSL *s)
2207
{
2208
    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
2209

2210
#ifndef OPENSSL_NO_QUIC
2211
    if (IS_QUIC(s))
2212
        return s->method->ssl_accept(s);
2213
#endif
2214

2215
    if (sc == NULL)
2216
        return 0;
2217

2218
    if (sc->handshake_func == NULL) {
2219
        /* Not properly initialized yet */
2220
        SSL_set_accept_state(s);
2221
    }
2222

2223
    return SSL_do_handshake(s);
2224
}
2225

2226
int SSL_connect(SSL *s)
2227
{
2228
    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
2229

2230
#ifndef OPENSSL_NO_QUIC
2231
    if (IS_QUIC(s))
2232
        return s->method->ssl_connect(s);
2233
#endif
2234

2235
    if (sc == NULL)
2236
        return 0;
2237

2238
    if (sc->handshake_func == NULL) {
2239
        /* Not properly initialized yet */
2240
        SSL_set_connect_state(s);
2241
    }
2242

2243
    return SSL_do_handshake(s);
2244
}
2245

2246
long SSL_get_default_timeout(const SSL *s)
2247
{
2248
    return (long int)ossl_time2seconds(s->method->get_timeout());
2249
}
2250

2251
static int ssl_async_wait_ctx_cb(void *arg)
2252
{
2253
    SSL *s = (SSL *)arg;
2254
    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
2255

2256
    if (sc == NULL)
2257
        return 0;
2258

2259
    return sc->async_cb(s, sc->async_cb_arg);
2260
}
2261

2262
static int ssl_start_async_job(SSL *s, struct ssl_async_args *args,
2263
                               int (*func) (void *))
2264
{
2265
    int ret;
2266
    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
2267

2268
    if (sc == NULL)
2269
        return 0;
2270

2271
    if (sc->waitctx == NULL) {
2272
        sc->waitctx = ASYNC_WAIT_CTX_new();
2273
        if (sc->waitctx == NULL)
2274
            return -1;
2275
        if (sc->async_cb != NULL
2276
            && !ASYNC_WAIT_CTX_set_callback
2277
                 (sc->waitctx, ssl_async_wait_ctx_cb, s))
2278
            return -1;
2279
    }
2280

2281
    sc->rwstate = SSL_NOTHING;
2282
    switch (ASYNC_start_job(&sc->job, sc->waitctx, &ret, func, args,
2283
                            sizeof(struct ssl_async_args))) {
2284
    case ASYNC_ERR:
2285
        sc->rwstate = SSL_NOTHING;
2286
        ERR_raise(ERR_LIB_SSL, SSL_R_FAILED_TO_INIT_ASYNC);
2287
        return -1;
2288
    case ASYNC_PAUSE:
2289
        sc->rwstate = SSL_ASYNC_PAUSED;
2290
        return -1;
2291
    case ASYNC_NO_JOBS:
2292
        sc->rwstate = SSL_ASYNC_NO_JOBS;
2293
        return -1;
2294
    case ASYNC_FINISH:
2295
        sc->job = NULL;
2296
        return ret;
2297
    default:
2298
        sc->rwstate = SSL_NOTHING;
2299
        ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
2300
        /* Shouldn't happen */
2301
        return -1;
2302
    }
2303
}
2304

2305
static int ssl_io_intern(void *vargs)
2306
{
2307
    struct ssl_async_args *args;
2308
    SSL *s;
2309
    void *buf;
2310
    size_t num;
2311
    SSL_CONNECTION *sc;
2312

2313
    args = (struct ssl_async_args *)vargs;
2314
    s = args->s;
2315
    buf = args->buf;
2316
    num = args->num;
2317
    if ((sc = SSL_CONNECTION_FROM_SSL(s)) == NULL)
2318
        return -1;
2319

2320
    switch (args->type) {
2321
    case READFUNC:
2322
        return args->f.func_read(s, buf, num, &sc->asyncrw);
2323
    case WRITEFUNC:
2324
        return args->f.func_write(s, buf, num, &sc->asyncrw);
2325
    case OTHERFUNC:
2326
        return args->f.func_other(s);
2327
    }
2328
    return -1;
2329
}
2330

2331
int ssl_read_internal(SSL *s, void *buf, size_t num, size_t *readbytes)
2332
{
2333
    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
2334

2335
#ifndef OPENSSL_NO_QUIC
2336
    if (IS_QUIC(s))
2337
        return s->method->ssl_read(s, buf, num, readbytes);
2338
#endif
2339

2340
    if (sc == NULL)
2341
        return -1;
2342

2343
    if (sc->handshake_func == NULL) {
2344
        ERR_raise(ERR_LIB_SSL, SSL_R_UNINITIALIZED);
2345
        return -1;
2346
    }
2347

2348
    if (sc->shutdown & SSL_RECEIVED_SHUTDOWN) {
2349
        sc->rwstate = SSL_NOTHING;
2350
        return 0;
2351
    }
2352

2353
    if (sc->early_data_state == SSL_EARLY_DATA_CONNECT_RETRY
2354
                || sc->early_data_state == SSL_EARLY_DATA_ACCEPT_RETRY) {
2355
        ERR_raise(ERR_LIB_SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
2356
        return 0;
2357
    }
2358
    /*
2359
     * If we are a client and haven't received the ServerHello etc then we
2360
     * better do that
2361
     */
2362
    if (!ossl_statem_check_finish_init(sc, 0))
2363
        return -1;
2364

2365
    if ((sc->mode & SSL_MODE_ASYNC) && ASYNC_get_current_job() == NULL) {
2366
        struct ssl_async_args args;
2367
        int ret;
2368

2369
        args.s = s;
2370
        args.buf = buf;
2371
        args.num = num;
2372
        args.type = READFUNC;
2373
        args.f.func_read = s->method->ssl_read;
2374

2375
        ret = ssl_start_async_job(s, &args, ssl_io_intern);
2376
        *readbytes = sc->asyncrw;
2377
        return ret;
2378
    } else {
2379
        return s->method->ssl_read(s, buf, num, readbytes);
2380
    }
2381
}
2382

2383
int SSL_read(SSL *s, void *buf, int num)
2384
{
2385
    int ret;
2386
    size_t readbytes;
2387

2388
    if (num < 0) {
2389
        ERR_raise(ERR_LIB_SSL, SSL_R_BAD_LENGTH);
2390
        return -1;
2391
    }
2392

2393
    ret = ssl_read_internal(s, buf, (size_t)num, &readbytes);
2394

2395
    /*
2396
     * The cast is safe here because ret should be <= INT_MAX because num is
2397
     * <= INT_MAX
2398
     */
2399
    if (ret > 0)
2400
        ret = (int)readbytes;
2401

2402
    return ret;
2403
}
2404

2405
int SSL_read_ex(SSL *s, void *buf, size_t num, size_t *readbytes)
2406
{
2407
    int ret = ssl_read_internal(s, buf, num, readbytes);
2408

2409
    if (ret < 0)
2410
        ret = 0;
2411
    return ret;
2412
}
2413

2414
int SSL_read_early_data(SSL *s, void *buf, size_t num, size_t *readbytes)
2415
{
2416
    int ret;
2417
    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL_ONLY(s);
2418

2419
    /* TODO(QUIC 0RTT): 0-RTT support */
2420
    if (sc == NULL || !sc->server) {
2421
        ERR_raise(ERR_LIB_SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
2422
        return SSL_READ_EARLY_DATA_ERROR;
2423
    }
2424

2425
    switch (sc->early_data_state) {
2426
    case SSL_EARLY_DATA_NONE:
2427
        if (!SSL_in_before(s)) {
2428
            ERR_raise(ERR_LIB_SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
2429
            return SSL_READ_EARLY_DATA_ERROR;
2430
        }
2431
        /* fall through */
2432

2433
    case SSL_EARLY_DATA_ACCEPT_RETRY:
2434
        sc->early_data_state = SSL_EARLY_DATA_ACCEPTING;
2435
        ret = SSL_accept(s);
2436
        if (ret <= 0) {
2437
            /* NBIO or error */
2438
            sc->early_data_state = SSL_EARLY_DATA_ACCEPT_RETRY;
2439
            return SSL_READ_EARLY_DATA_ERROR;
2440
        }
2441
        /* fall through */
2442

2443
    case SSL_EARLY_DATA_READ_RETRY:
2444
        if (sc->ext.early_data == SSL_EARLY_DATA_ACCEPTED) {
2445
            sc->early_data_state = SSL_EARLY_DATA_READING;
2446
            ret = SSL_read_ex(s, buf, num, readbytes);
2447
            /*
2448
             * State machine will update early_data_state to
2449
             * SSL_EARLY_DATA_FINISHED_READING if we get an EndOfEarlyData
2450
             * message
2451
             */
2452
            if (ret > 0 || (ret <= 0 && sc->early_data_state
2453
                                        != SSL_EARLY_DATA_FINISHED_READING)) {
2454
                sc->early_data_state = SSL_EARLY_DATA_READ_RETRY;
2455
                return ret > 0 ? SSL_READ_EARLY_DATA_SUCCESS
2456
                               : SSL_READ_EARLY_DATA_ERROR;
2457
            }
2458
        } else {
2459
            sc->early_data_state = SSL_EARLY_DATA_FINISHED_READING;
2460
        }
2461
        *readbytes = 0;
2462
        return SSL_READ_EARLY_DATA_FINISH;
2463

2464
    default:
2465
        ERR_raise(ERR_LIB_SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
2466
        return SSL_READ_EARLY_DATA_ERROR;
2467
    }
2468
}
2469

2470
int SSL_get_early_data_status(const SSL *s)
2471
{
2472
    const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL_ONLY(s);
2473

2474
    /* TODO(QUIC 0RTT): 0-RTT support */
2475
    if (sc == NULL)
2476
        return 0;
2477

2478
    return sc->ext.early_data;
2479
}
2480

2481
static int ssl_peek_internal(SSL *s, void *buf, size_t num, size_t *readbytes)
2482
{
2483
    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
2484

2485
#ifndef OPENSSL_NO_QUIC
2486
    if (IS_QUIC(s))
2487
        return s->method->ssl_peek(s, buf, num, readbytes);
2488
#endif
2489

2490
    if (sc == NULL)
2491
        return 0;
2492

2493
    if (sc->handshake_func == NULL) {
2494
        ERR_raise(ERR_LIB_SSL, SSL_R_UNINITIALIZED);
2495
        return -1;
2496
    }
2497

2498
    if (sc->shutdown & SSL_RECEIVED_SHUTDOWN) {
2499
        return 0;
2500
    }
2501
    if ((sc->mode & SSL_MODE_ASYNC) && ASYNC_get_current_job() == NULL) {
2502
        struct ssl_async_args args;
2503
        int ret;
2504

2505
        args.s = s;
2506
        args.buf = buf;
2507
        args.num = num;
2508
        args.type = READFUNC;
2509
        args.f.func_read = s->method->ssl_peek;
2510

2511
        ret = ssl_start_async_job(s, &args, ssl_io_intern);
2512
        *readbytes = sc->asyncrw;
2513
        return ret;
2514
    } else {
2515
        return s->method->ssl_peek(s, buf, num, readbytes);
2516
    }
2517
}
2518

2519
int SSL_peek(SSL *s, void *buf, int num)
2520
{
2521
    int ret;
2522
    size_t readbytes;
2523

2524
    if (num < 0) {
2525
        ERR_raise(ERR_LIB_SSL, SSL_R_BAD_LENGTH);
2526
        return -1;
2527
    }
2528

2529
    ret = ssl_peek_internal(s, buf, (size_t)num, &readbytes);
2530

2531
    /*
2532
     * The cast is safe here because ret should be <= INT_MAX because num is
2533
     * <= INT_MAX
2534
     */
2535
    if (ret > 0)
2536
        ret = (int)readbytes;
2537

2538
    return ret;
2539
}
2540

2541

2542
int SSL_peek_ex(SSL *s, void *buf, size_t num, size_t *readbytes)
2543
{
2544
    int ret = ssl_peek_internal(s, buf, num, readbytes);
2545

2546
    if (ret < 0)
2547
        ret = 0;
2548
    return ret;
2549
}
2550

2551
int ssl_write_internal(SSL *s, const void *buf, size_t num,
2552
                       uint64_t flags, size_t *written)
2553
{
2554
    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
2555

2556
#ifndef OPENSSL_NO_QUIC
2557
    if (IS_QUIC(s))
2558
        return ossl_quic_write_flags(s, buf, num, flags, written);
2559
#endif
2560

2561
    if (sc == NULL)
2562
        return 0;
2563

2564
    if (sc->handshake_func == NULL) {
2565
        ERR_raise(ERR_LIB_SSL, SSL_R_UNINITIALIZED);
2566
        return -1;
2567
    }
2568

2569
    if (sc->shutdown & SSL_SENT_SHUTDOWN) {
2570
        sc->rwstate = SSL_NOTHING;
2571
        ERR_raise(ERR_LIB_SSL, SSL_R_PROTOCOL_IS_SHUTDOWN);
2572
        return -1;
2573
    }
2574

2575
    if (flags != 0) {
2576
        ERR_raise(ERR_LIB_SSL, SSL_R_UNSUPPORTED_WRITE_FLAG);
2577
        return -1;
2578
    }
2579

2580
    if (sc->early_data_state == SSL_EARLY_DATA_CONNECT_RETRY
2581
                || sc->early_data_state == SSL_EARLY_DATA_ACCEPT_RETRY
2582
                || sc->early_data_state == SSL_EARLY_DATA_READ_RETRY) {
2583
        ERR_raise(ERR_LIB_SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
2584
        return 0;
2585
    }
2586
    /* If we are a client and haven't sent the Finished we better do that */
2587
    if (!ossl_statem_check_finish_init(sc, 1))
2588
        return -1;
2589

2590
    if ((sc->mode & SSL_MODE_ASYNC) && ASYNC_get_current_job() == NULL) {
2591
        int ret;
2592
        struct ssl_async_args args;
2593

2594
        args.s = s;
2595
        args.buf = (void *)buf;
2596
        args.num = num;
2597
        args.type = WRITEFUNC;
2598
        args.f.func_write = s->method->ssl_write;
2599

2600
        ret = ssl_start_async_job(s, &args, ssl_io_intern);
2601
        *written = sc->asyncrw;
2602
        return ret;
2603
    } else {
2604
        return s->method->ssl_write(s, buf, num, written);
2605
    }
2606
}
2607

2608
ossl_ssize_t SSL_sendfile(SSL *s, int fd, off_t offset, size_t size, int flags)
2609
{
2610
    ossl_ssize_t ret;
2611
    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL_ONLY(s);
2612

2613
    if (sc == NULL)
2614
        return 0;
2615

2616
    if (sc->handshake_func == NULL) {
2617
        ERR_raise(ERR_LIB_SSL, SSL_R_UNINITIALIZED);
2618
        return -1;
2619
    }
2620

2621
    if (sc->shutdown & SSL_SENT_SHUTDOWN) {
2622
        sc->rwstate = SSL_NOTHING;
2623
        ERR_raise(ERR_LIB_SSL, SSL_R_PROTOCOL_IS_SHUTDOWN);
2624
        return -1;
2625
    }
2626

2627
    if (!BIO_get_ktls_send(sc->wbio)) {
2628
        ERR_raise(ERR_LIB_SSL, SSL_R_UNINITIALIZED);
2629
        return -1;
2630
    }
2631

2632
    /* If we have an alert to send, lets send it */
2633
    if (sc->s3.alert_dispatch > 0) {
2634
        ret = (ossl_ssize_t)s->method->ssl_dispatch_alert(s);
2635
        if (ret <= 0) {
2636
            /* SSLfatal() already called if appropriate */
2637
            return ret;
2638
        }
2639
        /* if it went, fall through and send more stuff */
2640
    }
2641

2642
    sc->rwstate = SSL_WRITING;
2643
    if (BIO_flush(sc->wbio) <= 0) {
2644
        if (!BIO_should_retry(sc->wbio)) {
2645
            sc->rwstate = SSL_NOTHING;
2646
        } else {
2647
#ifdef EAGAIN
2648
            set_sys_error(EAGAIN);
2649
#endif
2650
        }
2651
        return -1;
2652
    }
2653

2654
#ifdef OPENSSL_NO_KTLS
2655
    ERR_raise_data(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR,
2656
                   "can't call ktls_sendfile(), ktls disabled");
2657
    return -1;
2658
#else
2659
    ret = ktls_sendfile(SSL_get_wfd(s), fd, offset, size, flags);
2660
    if (ret < 0) {
2661
#if defined(EAGAIN) && defined(EINTR) && defined(EBUSY)
2662
        if ((get_last_sys_error() == EAGAIN) ||
2663
            (get_last_sys_error() == EINTR) ||
2664
            (get_last_sys_error() == EBUSY))
2665
            BIO_set_retry_write(sc->wbio);
2666
        else
2667
#endif
2668
            ERR_raise_data(ERR_LIB_SYS, get_last_sys_error(),
2669
                           "ktls_sendfile failure");
2670
        return ret;
2671
    }
2672
    sc->rwstate = SSL_NOTHING;
2673
    return ret;
2674
#endif
2675
}
2676

2677
int SSL_write(SSL *s, const void *buf, int num)
2678
{
2679
    int ret;
2680
    size_t written;
2681

2682
    if (num < 0) {
2683
        ERR_raise(ERR_LIB_SSL, SSL_R_BAD_LENGTH);
2684
        return -1;
2685
    }
2686

2687
    ret = ssl_write_internal(s, buf, (size_t)num, 0, &written);
2688

2689
    /*
2690
     * The cast is safe here because ret should be <= INT_MAX because num is
2691
     * <= INT_MAX
2692
     */
2693
    if (ret > 0)
2694
        ret = (int)written;
2695

2696
    return ret;
2697
}
2698

2699
int SSL_write_ex(SSL *s, const void *buf, size_t num, size_t *written)
2700
{
2701
    return SSL_write_ex2(s, buf, num, 0, written);
2702
}
2703

2704
int SSL_write_ex2(SSL *s, const void *buf, size_t num, uint64_t flags,
2705
                  size_t *written)
2706
{
2707
    int ret = ssl_write_internal(s, buf, num, flags, written);
2708

2709
    if (ret < 0)
2710
        ret = 0;
2711
    return ret;
2712
}
2713

2714
int SSL_write_early_data(SSL *s, const void *buf, size_t num, size_t *written)
2715
{
2716
    int ret, early_data_state;
2717
    size_t writtmp;
2718
    uint32_t partialwrite;
2719
    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL_ONLY(s);
2720

2721
    /* TODO(QUIC 0RTT): This will need special handling for QUIC */
2722
    if (sc == NULL)
2723
        return 0;
2724

2725
    switch (sc->early_data_state) {
2726
    case SSL_EARLY_DATA_NONE:
2727
        if (sc->server
2728
                || !SSL_in_before(s)
2729
                || ((sc->session == NULL || sc->session->ext.max_early_data == 0)
2730
                     && (sc->psk_use_session_cb == NULL))) {
2731
            ERR_raise(ERR_LIB_SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
2732
            return 0;
2733
        }
2734
        /* fall through */
2735

2736
    case SSL_EARLY_DATA_CONNECT_RETRY:
2737
        sc->early_data_state = SSL_EARLY_DATA_CONNECTING;
2738
        ret = SSL_connect(s);
2739
        if (ret <= 0) {
2740
            /* NBIO or error */
2741
            sc->early_data_state = SSL_EARLY_DATA_CONNECT_RETRY;
2742
            return 0;
2743
        }
2744
        /* fall through */
2745

2746
    case SSL_EARLY_DATA_WRITE_RETRY:
2747
        sc->early_data_state = SSL_EARLY_DATA_WRITING;
2748
        /*
2749
         * We disable partial write for early data because we don't keep track
2750
         * of how many bytes we've written between the SSL_write_ex() call and
2751
         * the flush if the flush needs to be retried)
2752
         */
2753
        partialwrite = sc->mode & SSL_MODE_ENABLE_PARTIAL_WRITE;
2754
        sc->mode &= ~SSL_MODE_ENABLE_PARTIAL_WRITE;
2755
        ret = SSL_write_ex(s, buf, num, &writtmp);
2756
        sc->mode |= partialwrite;
2757
        if (!ret) {
2758
            sc->early_data_state = SSL_EARLY_DATA_WRITE_RETRY;
2759
            return ret;
2760
        }
2761
        sc->early_data_state = SSL_EARLY_DATA_WRITE_FLUSH;
2762
        /* fall through */
2763

2764
    case SSL_EARLY_DATA_WRITE_FLUSH:
2765
        /* The buffering BIO is still in place so we need to flush it */
2766
        if (statem_flush(sc) != 1)
2767
            return 0;
2768
        *written = num;
2769
        sc->early_data_state = SSL_EARLY_DATA_WRITE_RETRY;
2770
        return 1;
2771

2772
    case SSL_EARLY_DATA_FINISHED_READING:
2773
    case SSL_EARLY_DATA_READ_RETRY:
2774
        early_data_state = sc->early_data_state;
2775
        /* We are a server writing to an unauthenticated client */
2776
        sc->early_data_state = SSL_EARLY_DATA_UNAUTH_WRITING;
2777
        ret = SSL_write_ex(s, buf, num, written);
2778
        /* The buffering BIO is still in place */
2779
        if (ret)
2780
            (void)BIO_flush(sc->wbio);
2781
        sc->early_data_state = early_data_state;
2782
        return ret;
2783

2784
    default:
2785
        ERR_raise(ERR_LIB_SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
2786
        return 0;
2787
    }
2788
}
2789

2790
int SSL_shutdown(SSL *s)
2791
{
2792
    /*
2793
     * Note that this function behaves differently from what one might
2794
     * expect.  Return values are 0 for no success (yet), 1 for success; but
2795
     * calling it once is usually not enough, even if blocking I/O is used
2796
     * (see ssl3_shutdown).
2797
     */
2798
    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
2799

2800
#ifndef OPENSSL_NO_QUIC
2801
    if (IS_QUIC(s))
2802
        return ossl_quic_conn_shutdown(s, 0, NULL, 0);
2803
#endif
2804

2805
    if (sc == NULL)
2806
        return -1;
2807

2808
    if (sc->handshake_func == NULL) {
2809
        ERR_raise(ERR_LIB_SSL, SSL_R_UNINITIALIZED);
2810
        return -1;
2811
    }
2812

2813
    if (!SSL_in_init(s)) {
2814
        if ((sc->mode & SSL_MODE_ASYNC) && ASYNC_get_current_job() == NULL) {
2815
            struct ssl_async_args args;
2816

2817
            memset(&args, 0, sizeof(args));
2818
            args.s = s;
2819
            args.type = OTHERFUNC;
2820
            args.f.func_other = s->method->ssl_shutdown;
2821

2822
            return ssl_start_async_job(s, &args, ssl_io_intern);
2823
        } else {
2824
            return s->method->ssl_shutdown(s);
2825
        }
2826
    } else {
2827
        ERR_raise(ERR_LIB_SSL, SSL_R_SHUTDOWN_WHILE_IN_INIT);
2828
        return -1;
2829
    }
2830
}
2831

2832
int SSL_key_update(SSL *s, int updatetype)
2833
{
2834
    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
2835

2836
#ifndef OPENSSL_NO_QUIC
2837
    if (IS_QUIC(s))
2838
        return ossl_quic_key_update(s, updatetype);
2839
#endif
2840

2841
    if (sc == NULL)
2842
        return 0;
2843

2844
    if (!SSL_CONNECTION_IS_TLS13(sc)) {
2845
        ERR_raise(ERR_LIB_SSL, SSL_R_WRONG_SSL_VERSION);
2846
        return 0;
2847
    }
2848

2849
    if (updatetype != SSL_KEY_UPDATE_NOT_REQUESTED
2850
            && updatetype != SSL_KEY_UPDATE_REQUESTED) {
2851
        ERR_raise(ERR_LIB_SSL, SSL_R_INVALID_KEY_UPDATE_TYPE);
2852
        return 0;
2853
    }
2854

2855
    if (!SSL_is_init_finished(s)) {
2856
        ERR_raise(ERR_LIB_SSL, SSL_R_STILL_IN_INIT);
2857
        return 0;
2858
    }
2859

2860
    if (RECORD_LAYER_write_pending(&sc->rlayer)) {
2861
        ERR_raise(ERR_LIB_SSL, SSL_R_BAD_WRITE_RETRY);
2862
        return 0;
2863
    }
2864

2865
    ossl_statem_set_in_init(sc, 1);
2866
    sc->key_update = updatetype;
2867
    return 1;
2868
}
2869

2870
int SSL_get_key_update_type(const SSL *s)
2871
{
2872
    const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
2873

2874
#ifndef OPENSSL_NO_QUIC
2875
    if (IS_QUIC(s))
2876
        return ossl_quic_get_key_update_type(s);
2877
#endif
2878

2879
    if (sc == NULL)
2880
        return 0;
2881

2882
    return sc->key_update;
2883
}
2884

2885
/*
2886
 * Can we accept a renegotiation request?  If yes, set the flag and
2887
 * return 1 if yes. If not, raise error and return 0.
2888
 */
2889
static int can_renegotiate(const SSL_CONNECTION *sc)
2890
{
2891
    if (SSL_CONNECTION_IS_TLS13(sc)) {
2892
        ERR_raise(ERR_LIB_SSL, SSL_R_WRONG_SSL_VERSION);
2893
        return 0;
2894
    }
2895

2896
    if ((sc->options & SSL_OP_NO_RENEGOTIATION) != 0) {
2897
        ERR_raise(ERR_LIB_SSL, SSL_R_NO_RENEGOTIATION);
2898
        return 0;
2899
    }
2900

2901
    return 1;
2902
}
2903

2904
int SSL_renegotiate(SSL *s)
2905
{
2906
    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL_ONLY(s);
2907

2908
    if (sc == NULL)
2909
        return 0;
2910

2911
    if (!can_renegotiate(sc))
2912
        return 0;
2913

2914
    sc->renegotiate = 1;
2915
    sc->new_session = 1;
2916
    return s->method->ssl_renegotiate(s);
2917
}
2918

2919
int SSL_renegotiate_abbreviated(SSL *s)
2920
{
2921
    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL_ONLY(s);
2922

2923
    if (sc == NULL)
2924
        return 0;
2925

2926
    if (!can_renegotiate(sc))
2927
        return 0;
2928

2929
    sc->renegotiate = 1;
2930
    sc->new_session = 0;
2931
    return s->method->ssl_renegotiate(s);
2932
}
2933

2934
int SSL_renegotiate_pending(const SSL *s)
2935
{
2936
    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL_ONLY(s);
2937

2938
    if (sc == NULL)
2939
        return 0;
2940

2941
    /*
2942
     * becomes true when negotiation is requested; false again once a
2943
     * handshake has finished
2944
     */
2945
    return (sc->renegotiate != 0);
2946
}
2947

2948
int SSL_new_session_ticket(SSL *s)
2949
{
2950
    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
2951

2952
    if (sc == NULL)
2953
        return 0;
2954

2955
    /* If we are in init because we're sending tickets, okay to send more. */
2956
    if ((SSL_in_init(s) && sc->ext.extra_tickets_expected == 0)
2957
            || SSL_IS_FIRST_HANDSHAKE(sc) || !sc->server
2958
            || !SSL_CONNECTION_IS_TLS13(sc))
2959
        return 0;
2960
    sc->ext.extra_tickets_expected++;
2961
    if (!RECORD_LAYER_write_pending(&sc->rlayer) && !SSL_in_init(s))
2962
        ossl_statem_set_in_init(sc, 1);
2963
    return 1;
2964
}
2965

2966
long SSL_ctrl(SSL *s, int cmd, long larg, void *parg)
2967
{
2968
    return ossl_ctrl_internal(s, cmd, larg, parg, /*no_quic=*/0);
2969
}
2970

2971
long ossl_ctrl_internal(SSL *s, int cmd, long larg, void *parg, int no_quic)
2972
{
2973
    long l;
2974
    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
2975

2976
    /*
2977
     * Routing of ctrl calls for QUIC is a little counterintuitive:
2978
     *
2979
     *   - Firstly (no_quic=0), we pass the ctrl directly to our QUIC
2980
     *     implementation in case it wants to handle the ctrl specially.
2981
     *
2982
     *   - If our QUIC implementation does not care about the ctrl, it
2983
     *     will reenter this function with no_quic=1 and we will try to handle
2984
     *     it directly using the QCSO SSL object stub (not the handshake layer
2985
     *     SSL object). This is important for e.g. the version configuration
2986
     *     ctrls below, which must use s->defltmeth (and not sc->defltmeth).
2987
     *
2988
     *   - If we don't handle a ctrl here specially, then processing is
2989
     *     redirected to the handshake layer SSL object.
2990
     */
2991
    if (!no_quic && IS_QUIC(s))
2992
        return s->method->ssl_ctrl(s, cmd, larg, parg);
2993

2994
    if (sc == NULL)
2995
        return 0;
2996

2997
    switch (cmd) {
2998
    case SSL_CTRL_GET_READ_AHEAD:
2999
        return RECORD_LAYER_get_read_ahead(&sc->rlayer);
3000
    case SSL_CTRL_SET_READ_AHEAD:
3001
        l = RECORD_LAYER_get_read_ahead(&sc->rlayer);
3002
        RECORD_LAYER_set_read_ahead(&sc->rlayer, larg);
3003
        return l;
3004

3005
    case SSL_CTRL_MODE:
3006
    {
3007
        OSSL_PARAM options[2], *opts = options;
3008

3009
        sc->mode |= larg;
3010

3011
        *opts++ = OSSL_PARAM_construct_uint32(OSSL_LIBSSL_RECORD_LAYER_PARAM_MODE,
3012
                                              &sc->mode);
3013
        *opts = OSSL_PARAM_construct_end();
3014

3015
        /* Ignore return value */
3016
        sc->rlayer.rrlmethod->set_options(sc->rlayer.rrl, options);
3017

3018
        return sc->mode;
3019
    }
3020
    case SSL_CTRL_CLEAR_MODE:
3021
        return (sc->mode &= ~larg);
3022
    case SSL_CTRL_GET_MAX_CERT_LIST:
3023
        return (long)sc->max_cert_list;
3024
    case SSL_CTRL_SET_MAX_CERT_LIST:
3025
        if (larg < 0)
3026
            return 0;
3027
        l = (long)sc->max_cert_list;
3028
        sc->max_cert_list = (size_t)larg;
3029
        return l;
3030
    case SSL_CTRL_SET_MAX_SEND_FRAGMENT:
3031
        if (larg < 512 || larg > SSL3_RT_MAX_PLAIN_LENGTH)
3032
            return 0;
3033
#ifndef OPENSSL_NO_KTLS
3034
        if (sc->wbio != NULL && BIO_get_ktls_send(sc->wbio))
3035
            return 0;
3036
#endif /* OPENSSL_NO_KTLS */
3037
        sc->max_send_fragment = larg;
3038
        if (sc->max_send_fragment < sc->split_send_fragment)
3039
            sc->split_send_fragment = sc->max_send_fragment;
3040
        sc->rlayer.wrlmethod->set_max_frag_len(sc->rlayer.wrl, larg);
3041
        return 1;
3042
    case SSL_CTRL_SET_SPLIT_SEND_FRAGMENT:
3043
        if ((size_t)larg > sc->max_send_fragment || larg == 0)
3044
            return 0;
3045
        sc->split_send_fragment = larg;
3046
        return 1;
3047
    case SSL_CTRL_SET_MAX_PIPELINES:
3048
        if (larg < 1 || larg > SSL_MAX_PIPELINES)
3049
            return 0;
3050
        sc->max_pipelines = larg;
3051
        if (sc->rlayer.rrlmethod->set_max_pipelines != NULL)
3052
            sc->rlayer.rrlmethod->set_max_pipelines(sc->rlayer.rrl, (size_t)larg);
3053
        return 1;
3054
    case SSL_CTRL_GET_RI_SUPPORT:
3055
        return sc->s3.send_connection_binding;
3056
    case SSL_CTRL_SET_RETRY_VERIFY:
3057
        sc->rwstate = SSL_RETRY_VERIFY;
3058
        return 1;
3059
    case SSL_CTRL_CERT_FLAGS:
3060
        return (sc->cert->cert_flags |= larg);
3061
    case SSL_CTRL_CLEAR_CERT_FLAGS:
3062
        return (sc->cert->cert_flags &= ~larg);
3063

3064
    case SSL_CTRL_GET_RAW_CIPHERLIST:
3065
        if (parg) {
3066
            if (sc->s3.tmp.ciphers_raw == NULL)
3067
                return 0;
3068
            *(unsigned char **)parg = sc->s3.tmp.ciphers_raw;
3069
            return (int)sc->s3.tmp.ciphers_rawlen;
3070
        } else {
3071
            return TLS_CIPHER_LEN;
3072
        }
3073
    case SSL_CTRL_GET_EXTMS_SUPPORT:
3074
        if (!sc->session || SSL_in_init(s) || ossl_statem_get_in_handshake(sc))
3075
            return -1;
3076
        if (sc->session->flags & SSL_SESS_FLAG_EXTMS)
3077
            return 1;
3078
        else
3079
            return 0;
3080
    case SSL_CTRL_SET_MIN_PROTO_VERSION:
3081
        return ssl_check_allowed_versions(larg, sc->max_proto_version)
3082
               && ssl_set_version_bound(s->defltmeth->version, (int)larg,
3083
                                        &sc->min_proto_version);
3084
    case SSL_CTRL_GET_MIN_PROTO_VERSION:
3085
        return sc->min_proto_version;
3086
    case SSL_CTRL_SET_MAX_PROTO_VERSION:
3087
        return ssl_check_allowed_versions(sc->min_proto_version, larg)
3088
               && ssl_set_version_bound(s->defltmeth->version, (int)larg,
3089
                                        &sc->max_proto_version);
3090
    case SSL_CTRL_GET_MAX_PROTO_VERSION:
3091
        return sc->max_proto_version;
3092
    default:
3093
        if (IS_QUIC(s))
3094
            return SSL_ctrl((SSL *)sc, cmd, larg, parg);
3095
        else
3096
            return s->method->ssl_ctrl(s, cmd, larg, parg);
3097
    }
3098
}
3099

3100
long SSL_callback_ctrl(SSL *s, int cmd, void (*fp) (void))
3101
{
3102
    return s->method->ssl_callback_ctrl(s, cmd, fp);
3103
}
3104

3105
LHASH_OF(SSL_SESSION) *SSL_CTX_sessions(SSL_CTX *ctx)
3106
{
3107
    return ctx->sessions;
3108
}
3109

3110
static int ssl_tsan_load(SSL_CTX *ctx, TSAN_QUALIFIER int *stat)
3111
{
3112
    int res = 0;
3113

3114
    if (ssl_tsan_lock(ctx)) {
3115
        res = tsan_load(stat);
3116
        ssl_tsan_unlock(ctx);
3117
    }
3118
    return res;
3119
}
3120

3121
long SSL_CTX_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
3122
{
3123
    long l;
3124

3125
    /* For some cases with ctx == NULL or larg == 1 perform syntax checks */
3126
    if (cmd == SSL_CTRL_SET_GROUPS_LIST && larg == 1)
3127
        return tls1_set_groups_list(ctx, NULL, NULL, NULL, NULL, NULL, NULL, parg);
3128
    if (ctx == NULL) {
3129
        switch (cmd) {
3130
        case SSL_CTRL_SET_SIGALGS_LIST:
3131
        case SSL_CTRL_SET_CLIENT_SIGALGS_LIST:
3132
            return tls1_set_sigalgs_list(ctx, NULL, parg, 0);
3133
        default:
3134
            return 0;
3135
        }
3136
    }
3137

3138
    switch (cmd) {
3139
    case SSL_CTRL_GET_READ_AHEAD:
3140
        return ctx->read_ahead;
3141
    case SSL_CTRL_SET_READ_AHEAD:
3142
        l = ctx->read_ahead;
3143
        ctx->read_ahead = larg;
3144
        return l;
3145

3146
    case SSL_CTRL_SET_MSG_CALLBACK_ARG:
3147
        ctx->msg_callback_arg = parg;
3148
        return 1;
3149

3150
    case SSL_CTRL_GET_MAX_CERT_LIST:
3151
        return (long)ctx->max_cert_list;
3152
    case SSL_CTRL_SET_MAX_CERT_LIST:
3153
        if (larg < 0)
3154
            return 0;
3155
        l = (long)ctx->max_cert_list;
3156
        ctx->max_cert_list = (size_t)larg;
3157
        return l;
3158

3159
    case SSL_CTRL_SET_SESS_CACHE_SIZE:
3160
        if (larg < 0)
3161
            return 0;
3162
        l = (long)ctx->session_cache_size;
3163
        ctx->session_cache_size = (size_t)larg;
3164
        return l;
3165
    case SSL_CTRL_GET_SESS_CACHE_SIZE:
3166
        return (long)ctx->session_cache_size;
3167
    case SSL_CTRL_SET_SESS_CACHE_MODE:
3168
        l = ctx->session_cache_mode;
3169
        ctx->session_cache_mode = larg;
3170
        return l;
3171
    case SSL_CTRL_GET_SESS_CACHE_MODE:
3172
        return ctx->session_cache_mode;
3173

3174
    case SSL_CTRL_SESS_NUMBER:
3175
        return lh_SSL_SESSION_num_items(ctx->sessions);
3176
    case SSL_CTRL_SESS_CONNECT:
3177
        return ssl_tsan_load(ctx, &ctx->stats.sess_connect);
3178
    case SSL_CTRL_SESS_CONNECT_GOOD:
3179
        return ssl_tsan_load(ctx, &ctx->stats.sess_connect_good);
3180
    case SSL_CTRL_SESS_CONNECT_RENEGOTIATE:
3181
        return ssl_tsan_load(ctx, &ctx->stats.sess_connect_renegotiate);
3182
    case SSL_CTRL_SESS_ACCEPT:
3183
        return ssl_tsan_load(ctx, &ctx->stats.sess_accept);
3184
    case SSL_CTRL_SESS_ACCEPT_GOOD:
3185
        return ssl_tsan_load(ctx, &ctx->stats.sess_accept_good);
3186
    case SSL_CTRL_SESS_ACCEPT_RENEGOTIATE:
3187
        return ssl_tsan_load(ctx, &ctx->stats.sess_accept_renegotiate);
3188
    case SSL_CTRL_SESS_HIT:
3189
        return ssl_tsan_load(ctx, &ctx->stats.sess_hit);
3190
    case SSL_CTRL_SESS_CB_HIT:
3191
        return ssl_tsan_load(ctx, &ctx->stats.sess_cb_hit);
3192
    case SSL_CTRL_SESS_MISSES:
3193
        return ssl_tsan_load(ctx, &ctx->stats.sess_miss);
3194
    case SSL_CTRL_SESS_TIMEOUTS:
3195
        return ssl_tsan_load(ctx, &ctx->stats.sess_timeout);
3196
    case SSL_CTRL_SESS_CACHE_FULL:
3197
        return ssl_tsan_load(ctx, &ctx->stats.sess_cache_full);
3198
    case SSL_CTRL_MODE:
3199
        return (ctx->mode |= larg);
3200
    case SSL_CTRL_CLEAR_MODE:
3201
        return (ctx->mode &= ~larg);
3202
    case SSL_CTRL_SET_MAX_SEND_FRAGMENT:
3203
        if (larg < 512 || larg > SSL3_RT_MAX_PLAIN_LENGTH)
3204
            return 0;
3205
        ctx->max_send_fragment = larg;
3206
        if (ctx->max_send_fragment < ctx->split_send_fragment)
3207
            ctx->split_send_fragment = ctx->max_send_fragment;
3208
        return 1;
3209
    case SSL_CTRL_SET_SPLIT_SEND_FRAGMENT:
3210
        if ((size_t)larg > ctx->max_send_fragment || larg == 0)
3211
            return 0;
3212
        ctx->split_send_fragment = larg;
3213
        return 1;
3214
    case SSL_CTRL_SET_MAX_PIPELINES:
3215
        if (larg < 1 || larg > SSL_MAX_PIPELINES)
3216
            return 0;
3217
        ctx->max_pipelines = larg;
3218
        return 1;
3219
    case SSL_CTRL_CERT_FLAGS:
3220
        return (ctx->cert->cert_flags |= larg);
3221
    case SSL_CTRL_CLEAR_CERT_FLAGS:
3222
        return (ctx->cert->cert_flags &= ~larg);
3223
    case SSL_CTRL_SET_MIN_PROTO_VERSION:
3224
        return ssl_check_allowed_versions(larg, ctx->max_proto_version)
3225
               && ssl_set_version_bound(ctx->method->version, (int)larg,
3226
                                        &ctx->min_proto_version);
3227
    case SSL_CTRL_GET_MIN_PROTO_VERSION:
3228
        return ctx->min_proto_version;
3229
    case SSL_CTRL_SET_MAX_PROTO_VERSION:
3230
        return ssl_check_allowed_versions(ctx->min_proto_version, larg)
3231
               && ssl_set_version_bound(ctx->method->version, (int)larg,
3232
                                        &ctx->max_proto_version);
3233
    case SSL_CTRL_GET_MAX_PROTO_VERSION:
3234
        return ctx->max_proto_version;
3235
    default:
3236
        return ctx->method->ssl_ctx_ctrl(ctx, cmd, larg, parg);
3237
    }
3238
}
3239

3240
long SSL_CTX_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp) (void))
3241
{
3242
    switch (cmd) {
3243
    case SSL_CTRL_SET_MSG_CALLBACK:
3244
        ctx->msg_callback = (void (*)
3245
                             (int write_p, int version, int content_type,
3246
                              const void *buf, size_t len, SSL *ssl,
3247
                              void *arg))(fp);
3248
        return 1;
3249

3250
    default:
3251
        return ctx->method->ssl_ctx_callback_ctrl(ctx, cmd, fp);
3252
    }
3253
}
3254

3255
int ssl_cipher_id_cmp(const SSL_CIPHER *a, const SSL_CIPHER *b)
3256
{
3257
    if (a->id > b->id)
3258
        return 1;
3259
    if (a->id < b->id)
3260
        return -1;
3261
    return 0;
3262
}
3263

3264
int ssl_cipher_ptr_id_cmp(const SSL_CIPHER *const *ap,
3265
                          const SSL_CIPHER *const *bp)
3266
{
3267
    if ((*ap)->id > (*bp)->id)
3268
        return 1;
3269
    if ((*ap)->id < (*bp)->id)
3270
        return -1;
3271
    return 0;
3272
}
3273

3274
/*
3275
 * return a STACK of the ciphers available for the SSL and in order of
3276
 * preference
3277
 */
3278
STACK_OF(SSL_CIPHER) *SSL_get_ciphers(const SSL *s)
3279
{
3280
    const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
3281

3282
    if (sc != NULL) {
3283
        if (sc->cipher_list != NULL) {
3284
            return sc->cipher_list;
3285
        } else if ((s->ctx != NULL) && (s->ctx->cipher_list != NULL)) {
3286
            return s->ctx->cipher_list;
3287
        }
3288
    }
3289
    return NULL;
3290
}
3291

3292
STACK_OF(SSL_CIPHER) *SSL_get_client_ciphers(const SSL *s)
3293
{
3294
    const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
3295

3296
    if (sc == NULL || !sc->server)
3297
        return NULL;
3298
    return sc->peer_ciphers;
3299
}
3300

3301
STACK_OF(SSL_CIPHER) *SSL_get1_supported_ciphers(SSL *s)
3302
{
3303
    STACK_OF(SSL_CIPHER) *sk = NULL, *ciphers;
3304
    int i;
3305
    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
3306

3307
    if (sc == NULL)
3308
        return NULL;
3309

3310
    ciphers = SSL_get_ciphers(s);
3311
    if (!ciphers)
3312
        return NULL;
3313
    if (!ssl_set_client_disabled(sc))
3314
        return NULL;
3315
    for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) {
3316
        const SSL_CIPHER *c = sk_SSL_CIPHER_value(ciphers, i);
3317
        if (!ssl_cipher_disabled(sc, c, SSL_SECOP_CIPHER_SUPPORTED, 0)) {
3318
            if (!sk)
3319
                sk = sk_SSL_CIPHER_new_null();
3320
            if (!sk)
3321
                return NULL;
3322
            if (!sk_SSL_CIPHER_push(sk, c)) {
3323
                sk_SSL_CIPHER_free(sk);
3324
                return NULL;
3325
            }
3326
        }
3327
    }
3328
    return sk;
3329
}
3330

3331
/** return a STACK of the ciphers available for the SSL and in order of
3332
 * algorithm id */
3333
STACK_OF(SSL_CIPHER) *ssl_get_ciphers_by_id(SSL_CONNECTION *s)
3334
{
3335
    if (s != NULL) {
3336
        if (s->cipher_list_by_id != NULL)
3337
            return s->cipher_list_by_id;
3338
        else if (s->ssl.ctx != NULL
3339
                 && s->ssl.ctx->cipher_list_by_id != NULL)
3340
            return s->ssl.ctx->cipher_list_by_id;
3341
    }
3342
    return NULL;
3343
}
3344

3345
/** The old interface to get the same thing as SSL_get_ciphers() */
3346
const char *SSL_get_cipher_list(const SSL *s, int n)
3347
{
3348
    const SSL_CIPHER *c;
3349
    STACK_OF(SSL_CIPHER) *sk;
3350

3351
    if (s == NULL)
3352
        return NULL;
3353
    sk = SSL_get_ciphers(s);
3354
    if ((sk == NULL) || (sk_SSL_CIPHER_num(sk) <= n))
3355
        return NULL;
3356
    c = sk_SSL_CIPHER_value(sk, n);
3357
    if (c == NULL)
3358
        return NULL;
3359
    return c->name;
3360
}
3361

3362
/** return a STACK of the ciphers available for the SSL_CTX and in order of
3363
 * preference */
3364
STACK_OF(SSL_CIPHER) *SSL_CTX_get_ciphers(const SSL_CTX *ctx)
3365
{
3366
    if (ctx != NULL)
3367
        return ctx->cipher_list;
3368
    return NULL;
3369
}
3370

3371
/*
3372
 * Distinguish between ciphers controlled by set_ciphersuite() and
3373
 * set_cipher_list() when counting.
3374
 */
3375
static int cipher_list_tls12_num(STACK_OF(SSL_CIPHER) *sk)
3376
{
3377
    int i, num = 0;
3378
    const SSL_CIPHER *c;
3379

3380
    if (sk == NULL)
3381
        return 0;
3382
    for (i = 0; i < sk_SSL_CIPHER_num(sk); ++i) {
3383
        c = sk_SSL_CIPHER_value(sk, i);
3384
        if (c->min_tls >= TLS1_3_VERSION)
3385
            continue;
3386
        num++;
3387
    }
3388
    return num;
3389
}
3390

3391
/** specify the ciphers to be used by default by the SSL_CTX */
3392
int SSL_CTX_set_cipher_list(SSL_CTX *ctx, const char *str)
3393
{
3394
    STACK_OF(SSL_CIPHER) *sk;
3395

3396
    sk = ssl_create_cipher_list(ctx, ctx->tls13_ciphersuites,
3397
                                &ctx->cipher_list, &ctx->cipher_list_by_id, str,
3398
                                ctx->cert);
3399
    /*
3400
     * ssl_create_cipher_list may return an empty stack if it was unable to
3401
     * find a cipher matching the given rule string (for example if the rule
3402
     * string specifies a cipher which has been disabled). This is not an
3403
     * error as far as ssl_create_cipher_list is concerned, and hence
3404
     * ctx->cipher_list and ctx->cipher_list_by_id has been updated.
3405
     */
3406
    if (sk == NULL)
3407
        return 0;
3408
    if (ctx->method->num_ciphers() > 0 && cipher_list_tls12_num(sk) == 0) {
3409
        ERR_raise(ERR_LIB_SSL, SSL_R_NO_CIPHER_MATCH);
3410
        return 0;
3411
    }
3412
    return 1;
3413
}
3414

3415
/** specify the ciphers to be used by the SSL */
3416
int SSL_set_cipher_list(SSL *s, const char *str)
3417
{
3418
    STACK_OF(SSL_CIPHER) *sk;
3419
    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
3420
    SSL_CTX *ctx;
3421

3422
    if (sc == NULL)
3423
        return 0;
3424

3425
    ctx = s->ctx;
3426
    sk = ssl_create_cipher_list(ctx, sc->tls13_ciphersuites,
3427
                                &sc->cipher_list, &sc->cipher_list_by_id, str,
3428
                                sc->cert);
3429
    /* see comment in SSL_CTX_set_cipher_list */
3430
    if (sk == NULL)
3431
        return 0;
3432
    if (ctx->method->num_ciphers() > 0 && cipher_list_tls12_num(sk) == 0) {
3433
        ERR_raise(ERR_LIB_SSL, SSL_R_NO_CIPHER_MATCH);
3434
        return 0;
3435
    }
3436
    return 1;
3437
}
3438

3439
char *SSL_get_shared_ciphers(const SSL *s, char *buf, int size)
3440
{
3441
    char *p;
3442
    STACK_OF(SSL_CIPHER) *clntsk, *srvrsk;
3443
    const SSL_CIPHER *c;
3444
    int i;
3445
    const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
3446

3447
    if (sc == NULL)
3448
        return NULL;
3449

3450
    if (!sc->server
3451
            || sc->peer_ciphers == NULL
3452
            || size < 2)
3453
        return NULL;
3454

3455
    p = buf;
3456
    clntsk = sc->peer_ciphers;
3457
    srvrsk = SSL_get_ciphers(s);
3458
    if (clntsk == NULL || srvrsk == NULL)
3459
        return NULL;
3460

3461
    if (sk_SSL_CIPHER_num(clntsk) == 0 || sk_SSL_CIPHER_num(srvrsk) == 0)
3462
        return NULL;
3463

3464
    for (i = 0; i < sk_SSL_CIPHER_num(clntsk); i++) {
3465
        int n;
3466

3467
        c = sk_SSL_CIPHER_value(clntsk, i);
3468
        if (sk_SSL_CIPHER_find(srvrsk, c) < 0)
3469
            continue;
3470

3471
        n = OPENSSL_strnlen(c->name, size);
3472
        if (n >= size) {
3473
            if (p != buf)
3474
                --p;
3475
            *p = '\0';
3476
            return buf;
3477
        }
3478
        memcpy(p, c->name, n);
3479
        p += n;
3480
        *(p++) = ':';
3481
        size -= n + 1;
3482
    }
3483
    p[-1] = '\0';
3484
    return buf;
3485
}
3486

3487
/**
3488
 * Return the requested servername (SNI) value. Note that the behaviour varies
3489
 * depending on:
3490
 * - whether this is called by the client or the server,
3491
 * - if we are before or during/after the handshake,
3492
 * - if a resumption or normal handshake is being attempted/has occurred
3493
 * - whether we have negotiated TLSv1.2 (or below) or TLSv1.3
3494
 *
3495
 * Note that only the host_name type is defined (RFC 3546).
3496
 */
3497
const char *SSL_get_servername(const SSL *s, const int type)
3498
{
3499
    const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
3500
    int server;
3501

3502
    if (sc == NULL)
3503
        return NULL;
3504

3505
    /*
3506
     * If we don't know if we are the client or the server yet then we assume
3507
     * client.
3508
     */
3509
    server = sc->handshake_func == NULL ? 0 : sc->server;
3510

3511
    if (type != TLSEXT_NAMETYPE_host_name)
3512
        return NULL;
3513

3514
    if (server) {
3515
        /**
3516
         * Server side
3517
         * In TLSv1.3 on the server SNI is not associated with the session
3518
         * but in TLSv1.2 or below it is.
3519
         *
3520
         * Before the handshake:
3521
         *  - return NULL
3522
         *
3523
         * During/after the handshake (TLSv1.2 or below resumption occurred):
3524
         * - If a servername was accepted by the server in the original
3525
         *   handshake then it will return that servername, or NULL otherwise.
3526
         *
3527
         * During/after the handshake (TLSv1.2 or below resumption did not occur):
3528
         * - The function will return the servername requested by the client in
3529
         *   this handshake or NULL if none was requested.
3530
         */
3531
         if (sc->hit && !SSL_CONNECTION_IS_TLS13(sc))
3532
            return sc->session->ext.hostname;
3533
    } else {
3534
        /**
3535
         * Client side
3536
         *
3537
         * Before the handshake:
3538
         *  - If a servername has been set via a call to
3539
         *    SSL_set_tlsext_host_name() then it will return that servername
3540
         *  - If one has not been set, but a TLSv1.2 resumption is being
3541
         *    attempted and the session from the original handshake had a
3542
         *    servername accepted by the server then it will return that
3543
         *    servername
3544
         *  - Otherwise it returns NULL
3545
         *
3546
         * During/after the handshake (TLSv1.2 or below resumption occurred):
3547
         * - If the session from the original handshake had a servername accepted
3548
         *   by the server then it will return that servername.
3549
         * - Otherwise it returns the servername set via
3550
         *   SSL_set_tlsext_host_name() (or NULL if it was not called).
3551
         *
3552
         * During/after the handshake (TLSv1.2 or below resumption did not occur):
3553
         * - It will return the servername set via SSL_set_tlsext_host_name()
3554
         *   (or NULL if it was not called).
3555
         */
3556
        if (SSL_in_before(s)) {
3557
            if (sc->ext.hostname == NULL
3558
                    && sc->session != NULL
3559
                    && sc->session->ssl_version != TLS1_3_VERSION)
3560
                return sc->session->ext.hostname;
3561
        } else {
3562
            if (!SSL_CONNECTION_IS_TLS13(sc) && sc->hit
3563
                && sc->session->ext.hostname != NULL)
3564
                return sc->session->ext.hostname;
3565
        }
3566
    }
3567

3568
    return sc->ext.hostname;
3569
}
3570

3571
int SSL_get_servername_type(const SSL *s)
3572
{
3573
    if (SSL_get_servername(s, TLSEXT_NAMETYPE_host_name) != NULL)
3574
        return TLSEXT_NAMETYPE_host_name;
3575
    return -1;
3576
}
3577

3578
/*
3579
 * SSL_select_next_proto implements the standard protocol selection. It is
3580
 * expected that this function is called from the callback set by
3581
 * SSL_CTX_set_next_proto_select_cb. The protocol data is assumed to be a
3582
 * vector of 8-bit, length prefixed byte strings. The length byte itself is
3583
 * not included in the length. A byte string of length 0 is invalid. No byte
3584
 * string may be truncated. The current, but experimental algorithm for
3585
 * selecting the protocol is: 1) If the server doesn't support NPN then this
3586
 * is indicated to the callback. In this case, the client application has to
3587
 * abort the connection or have a default application level protocol. 2) If
3588
 * the server supports NPN, but advertises an empty list then the client
3589
 * selects the first protocol in its list, but indicates via the API that this
3590
 * fallback case was enacted. 3) Otherwise, the client finds the first
3591
 * protocol in the server's list that it supports and selects this protocol.
3592
 * This is because it's assumed that the server has better information about
3593
 * which protocol a client should use. 4) If the client doesn't support any
3594
 * of the server's advertised protocols, then this is treated the same as
3595
 * case 2. It returns either OPENSSL_NPN_NEGOTIATED if a common protocol was
3596
 * found, or OPENSSL_NPN_NO_OVERLAP if the fallback case was reached.
3597
 */
3598
int SSL_select_next_proto(unsigned char **out, unsigned char *outlen,
3599
                          const unsigned char *server,
3600
                          unsigned int server_len,
3601
                          const unsigned char *client, unsigned int client_len)
3602
{
3603
    PACKET cpkt, csubpkt, spkt, ssubpkt;
3604

3605
    if (!PACKET_buf_init(&cpkt, client, client_len)
3606
            || !PACKET_get_length_prefixed_1(&cpkt, &csubpkt)
3607
            || PACKET_remaining(&csubpkt) == 0) {
3608
        *out = NULL;
3609
        *outlen = 0;
3610
        return OPENSSL_NPN_NO_OVERLAP;
3611
    }
3612

3613
    /*
3614
     * Set the default opportunistic protocol. Will be overwritten if we find
3615
     * a match.
3616
     */
3617
    *out = (unsigned char *)PACKET_data(&csubpkt);
3618
    *outlen = (unsigned char)PACKET_remaining(&csubpkt);
3619

3620
    /*
3621
     * For each protocol in server preference order, see if we support it.
3622
     */
3623
    if (PACKET_buf_init(&spkt, server, server_len)) {
3624
        while (PACKET_get_length_prefixed_1(&spkt, &ssubpkt)) {
3625
            if (PACKET_remaining(&ssubpkt) == 0)
3626
                continue; /* Invalid - ignore it */
3627
            if (PACKET_buf_init(&cpkt, client, client_len)) {
3628
                while (PACKET_get_length_prefixed_1(&cpkt, &csubpkt)) {
3629
                    if (PACKET_equal(&csubpkt, PACKET_data(&ssubpkt),
3630
                                     PACKET_remaining(&ssubpkt))) {
3631
                        /* We found a match */
3632
                        *out = (unsigned char *)PACKET_data(&ssubpkt);
3633
                        *outlen = (unsigned char)PACKET_remaining(&ssubpkt);
3634
                        return OPENSSL_NPN_NEGOTIATED;
3635
                    }
3636
                }
3637
                /* Ignore spurious trailing bytes in the client list */
3638
            } else {
3639
                /* This should never happen */
3640
                return OPENSSL_NPN_NO_OVERLAP;
3641
            }
3642
        }
3643
        /* Ignore spurious trailing bytes in the server list */
3644
    }
3645

3646
    /*
3647
     * There's no overlap between our protocols and the server's list. We use
3648
     * the default opportunistic protocol selected earlier
3649
     */
3650
    return OPENSSL_NPN_NO_OVERLAP;
3651
}
3652

3653
#ifndef OPENSSL_NO_NEXTPROTONEG
3654
/*
3655
 * SSL_get0_next_proto_negotiated sets *data and *len to point to the
3656
 * client's requested protocol for this connection and returns 0. If the
3657
 * client didn't request any protocol, then *data is set to NULL. Note that
3658
 * the client can request any protocol it chooses. The value returned from
3659
 * this function need not be a member of the list of supported protocols
3660
 * provided by the callback.
3661
 */
3662
void SSL_get0_next_proto_negotiated(const SSL *s, const unsigned char **data,
3663
                                    unsigned *len)
3664
{
3665
    const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
3666

3667
    if (sc == NULL) {
3668
        /* We have no other way to indicate error */
3669
        *data = NULL;
3670
        *len = 0;
3671
        return;
3672
    }
3673

3674
    *data = sc->ext.npn;
3675
    if (*data == NULL) {
3676
        *len = 0;
3677
    } else {
3678
        *len = (unsigned int)sc->ext.npn_len;
3679
    }
3680
}
3681

3682
/*
3683
 * SSL_CTX_set_npn_advertised_cb sets a callback that is called when
3684
 * a TLS server needs a list of supported protocols for Next Protocol
3685
 * Negotiation. The returned list must be in wire format.  The list is
3686
 * returned by setting |out| to point to it and |outlen| to its length. This
3687
 * memory will not be modified, but one should assume that the SSL* keeps a
3688
 * reference to it. The callback should return SSL_TLSEXT_ERR_OK if it
3689
 * wishes to advertise. Otherwise, no such extension will be included in the
3690
 * ServerHello.
3691
 */
3692
void SSL_CTX_set_npn_advertised_cb(SSL_CTX *ctx,
3693
                                   SSL_CTX_npn_advertised_cb_func cb,
3694
                                   void *arg)
3695
{
3696
    if (IS_QUIC_CTX(ctx))
3697
        /* NPN not allowed for QUIC */
3698
        return;
3699

3700
    ctx->ext.npn_advertised_cb = cb;
3701
    ctx->ext.npn_advertised_cb_arg = arg;
3702
}
3703

3704
/*
3705
 * SSL_CTX_set_next_proto_select_cb sets a callback that is called when a
3706
 * client needs to select a protocol from the server's provided list. |out|
3707
 * must be set to point to the selected protocol (which may be within |in|).
3708
 * The length of the protocol name must be written into |outlen|. The
3709
 * server's advertised protocols are provided in |in| and |inlen|. The
3710
 * callback can assume that |in| is syntactically valid. The client must
3711
 * select a protocol. It is fatal to the connection if this callback returns
3712
 * a value other than SSL_TLSEXT_ERR_OK.
3713
 */
3714
void SSL_CTX_set_npn_select_cb(SSL_CTX *ctx,
3715
                               SSL_CTX_npn_select_cb_func cb,
3716
                               void *arg)
3717
{
3718
    if (IS_QUIC_CTX(ctx))
3719
        /* NPN not allowed for QUIC */
3720
        return;
3721

3722
    ctx->ext.npn_select_cb = cb;
3723
    ctx->ext.npn_select_cb_arg = arg;
3724
}
3725
#endif
3726

3727
static int alpn_value_ok(const unsigned char *protos, unsigned int protos_len)
3728
{
3729
    unsigned int idx;
3730

3731
    if (protos_len < 2 || protos == NULL)
3732
        return 0;
3733

3734
    for (idx = 0; idx < protos_len; idx += protos[idx] + 1) {
3735
        if (protos[idx] == 0)
3736
            return 0;
3737
    }
3738
    return idx == protos_len;
3739
}
3740
/*
3741
 * SSL_CTX_set_alpn_protos sets the ALPN protocol list on |ctx| to |protos|.
3742
 * |protos| must be in wire-format (i.e. a series of non-empty, 8-bit
3743
 * length-prefixed strings). Returns 0 on success.
3744
 */
3745
int SSL_CTX_set_alpn_protos(SSL_CTX *ctx, const unsigned char *protos,
3746
                            unsigned int protos_len)
3747
{
3748
    unsigned char *alpn;
3749

3750
    if (protos_len == 0 || protos == NULL) {
3751
        OPENSSL_free(ctx->ext.alpn);
3752
        ctx->ext.alpn = NULL;
3753
        ctx->ext.alpn_len = 0;
3754
        return 0;
3755
    }
3756
    /* Not valid per RFC */
3757
    if (!alpn_value_ok(protos, protos_len))
3758
        return 1;
3759

3760
    alpn = OPENSSL_memdup(protos, protos_len);
3761
    if (alpn == NULL)
3762
        return 1;
3763
    OPENSSL_free(ctx->ext.alpn);
3764
    ctx->ext.alpn = alpn;
3765
    ctx->ext.alpn_len = protos_len;
3766

3767
    return 0;
3768
}
3769

3770
/*
3771
 * SSL_set_alpn_protos sets the ALPN protocol list on |ssl| to |protos|.
3772
 * |protos| must be in wire-format (i.e. a series of non-empty, 8-bit
3773
 * length-prefixed strings). Returns 0 on success.
3774
 */
3775
int SSL_set_alpn_protos(SSL *ssl, const unsigned char *protos,
3776
                        unsigned int protos_len)
3777
{
3778
    unsigned char *alpn;
3779
    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(ssl);
3780

3781
    if (sc == NULL)
3782
        return 1;
3783

3784
    if (protos_len == 0 || protos == NULL) {
3785
        OPENSSL_free(sc->ext.alpn);
3786
        sc->ext.alpn = NULL;
3787
        sc->ext.alpn_len = 0;
3788
        return 0;
3789
    }
3790
    /* Not valid per RFC */
3791
    if (!alpn_value_ok(protos, protos_len))
3792
        return 1;
3793

3794
    alpn = OPENSSL_memdup(protos, protos_len);
3795
    if (alpn == NULL)
3796
        return 1;
3797
    OPENSSL_free(sc->ext.alpn);
3798
    sc->ext.alpn = alpn;
3799
    sc->ext.alpn_len = protos_len;
3800

3801
    return 0;
3802
}
3803

3804
/*
3805
 * SSL_CTX_set_alpn_select_cb sets a callback function on |ctx| that is
3806
 * called during ClientHello processing in order to select an ALPN protocol
3807
 * from the client's list of offered protocols.
3808
 */
3809
void SSL_CTX_set_alpn_select_cb(SSL_CTX *ctx,
3810
                                SSL_CTX_alpn_select_cb_func cb,
3811
                                void *arg)
3812
{
3813
    ctx->ext.alpn_select_cb = cb;
3814
    ctx->ext.alpn_select_cb_arg = arg;
3815
}
3816

3817
/*
3818
 * SSL_get0_alpn_selected gets the selected ALPN protocol (if any) from |ssl|.
3819
 * On return it sets |*data| to point to |*len| bytes of protocol name
3820
 * (not including the leading length-prefix byte). If the server didn't
3821
 * respond with a negotiated protocol then |*len| will be zero.
3822
 */
3823
void SSL_get0_alpn_selected(const SSL *ssl, const unsigned char **data,
3824
                            unsigned int *len)
3825
{
3826
    const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(ssl);
3827

3828
    if (sc == NULL) {
3829
        /* We have no other way to indicate error */
3830
        *data = NULL;
3831
        *len = 0;
3832
        return;
3833
    }
3834

3835
    *data = sc->s3.alpn_selected;
3836
    if (*data == NULL)
3837
        *len = 0;
3838
    else
3839
        *len = (unsigned int)sc->s3.alpn_selected_len;
3840
}
3841

3842
int SSL_export_keying_material(SSL *s, unsigned char *out, size_t olen,
3843
                               const char *label, size_t llen,
3844
                               const unsigned char *context, size_t contextlen,
3845
                               int use_context)
3846
{
3847
    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
3848

3849
    if (sc == NULL)
3850
        return -1;
3851

3852
    if (sc->session == NULL
3853
        || (sc->version < TLS1_VERSION && sc->version != DTLS1_BAD_VER))
3854
        return -1;
3855

3856
    return sc->ssl.method->ssl3_enc->export_keying_material(sc, out, olen, label,
3857
                                                            llen, context,
3858
                                                            contextlen,
3859
                                                            use_context);
3860
}
3861

3862
int SSL_export_keying_material_early(SSL *s, unsigned char *out, size_t olen,
3863
                                     const char *label, size_t llen,
3864
                                     const unsigned char *context,
3865
                                     size_t contextlen)
3866
{
3867
    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
3868

3869
    if (sc == NULL)
3870
        return -1;
3871

3872
    if (sc->version != TLS1_3_VERSION)
3873
        return 0;
3874

3875
    return tls13_export_keying_material_early(sc, out, olen, label, llen,
3876
                                              context, contextlen);
3877
}
3878

3879
static unsigned long ssl_session_hash(const SSL_SESSION *a)
3880
{
3881
    const unsigned char *session_id = a->session_id;
3882
    unsigned long l;
3883
    unsigned char tmp_storage[4];
3884

3885
    if (a->session_id_length < sizeof(tmp_storage)) {
3886
        memset(tmp_storage, 0, sizeof(tmp_storage));
3887
        memcpy(tmp_storage, a->session_id, a->session_id_length);
3888
        session_id = tmp_storage;
3889
    }
3890

3891
    l = (unsigned long)
3892
        ((unsigned long)session_id[0]) |
3893
        ((unsigned long)session_id[1] << 8L) |
3894
        ((unsigned long)session_id[2] << 16L) |
3895
        ((unsigned long)session_id[3] << 24L);
3896
    return l;
3897
}
3898

3899
/*
3900
 * NB: If this function (or indeed the hash function which uses a sort of
3901
 * coarser function than this one) is changed, ensure
3902
 * SSL_CTX_has_matching_session_id() is checked accordingly. It relies on
3903
 * being able to construct an SSL_SESSION that will collide with any existing
3904
 * session with a matching session ID.
3905
 */
3906
static int ssl_session_cmp(const SSL_SESSION *a, const SSL_SESSION *b)
3907
{
3908
    if (a->ssl_version != b->ssl_version)
3909
        return 1;
3910
    if (a->session_id_length != b->session_id_length)
3911
        return 1;
3912
    return memcmp(a->session_id, b->session_id, a->session_id_length);
3913
}
3914

3915
#ifndef OPENSSL_NO_SSLKEYLOG
3916
/**
3917
 * @brief Static initialization for a one-time action to initialize the SSL key log.
3918
 */
3919
static CRYPTO_ONCE ssl_keylog_once = CRYPTO_ONCE_STATIC_INIT;
3920

3921
/**
3922
 * @brief Pointer to a read-write lock used to protect access to the key log.
3923
 */
3924
static CRYPTO_RWLOCK *keylog_lock = NULL;
3925

3926
/**
3927
 * @brief Pointer to a BIO structure used for writing the key log information.
3928
 */
3929
static BIO *keylog_bio = NULL;
3930

3931
/**
3932
 * @brief Initializes the SSLKEYLOGFILE lock.
3933
 *
3934
 * @return 1 on success, 0 on failure.
3935
 */
3936
DEFINE_RUN_ONCE_STATIC(ssl_keylog_init)
3937
{
3938
    keylog_lock = CRYPTO_THREAD_lock_new();
3939
    if (keylog_lock == NULL)
3940
        return 0;
3941
    return 1;
3942
}
3943

3944
/**
3945
 * @brief checks when a BIO refcount has reached zero, and sets
3946
 * keylog_cb to NULL if it has
3947
 *
3948
 * @returns 1 always
3949
 */
3950
static long check_keylog_bio_free(BIO *b, int oper, const char *argp,
3951
                                  size_t len, int argi, long argl, int ret,
3952
                                  size_t *processed)
3953
{
3954

3955
    /*
3956
     * Note we _dont_ take the keylog_lock here
3957
     * This is intentional, because we only free the keylog lock
3958
     * During SSL_CTX_free, in which we already posess the lock, so
3959
     * Theres no need to grab it again here
3960
     */
3961
    if (oper == BIO_CB_FREE)
3962
        keylog_bio = NULL;
3963
    return ret;
3964
}
3965

3966
/**
3967
 * @brief records ssl secrets to a file
3968
 */
3969
static void do_sslkeylogfile(const SSL *ssl, const char *line)
3970
{
3971
    if (keylog_lock == NULL)
3972
        return;
3973

3974
    if (!CRYPTO_THREAD_write_lock(keylog_lock))
3975
        return;
3976
    if (keylog_bio != NULL) {
3977
        BIO_printf(keylog_bio, "%s\n", line);
3978
        (void)BIO_flush(keylog_bio);
3979
    }
3980
    CRYPTO_THREAD_unlock(keylog_lock);
3981
}
3982
#endif
3983

3984
/*
3985
 * These wrapper functions should remain rather than redeclaring
3986
 * SSL_SESSION_hash and SSL_SESSION_cmp for void* types and casting each
3987
 * variable. The reason is that the functions aren't static, they're exposed
3988
 * via ssl.h.
3989
 */
3990

3991
#ifndef OPENSSL_NO_SSLKEYLOG
3992
static BIO *get_sslkeylog_bio(const char *keylogfile)
3993
{
3994
# ifdef _POSIX_C_SOURCE
3995
    BIO *b;
3996
    int fdno = -1;
3997
    FILE *fp = NULL;
3998

3999
    fdno = open(keylogfile, O_WRONLY | O_CREAT | O_APPEND,  0600);
4000
    if (fdno < 0)
4001
        return NULL;
4002

4003
    fp = fdopen(fdno, "a");
4004
    if (fp == NULL) {
4005
        close(fdno);
4006
        return NULL;
4007
    }
4008

4009
    if ((b = BIO_new_fp(fp, BIO_CLOSE)) == NULL)
4010
        fclose(fp);
4011
    return b;
4012
# else
4013
    return BIO_new_file(keylogfile, "a");
4014
# endif
4015
}
4016
#endif
4017

4018
SSL_CTX *SSL_CTX_new_ex(OSSL_LIB_CTX *libctx, const char *propq,
4019
                        const SSL_METHOD *meth)
4020
{
4021
    SSL_CTX *ret = NULL;
4022
#ifndef OPENSSL_NO_SSLKEYLOG
4023
    const char *keylogfile = ossl_safe_getenv("SSLKEYLOGFILE");
4024
#endif
4025
#ifndef OPENSSL_NO_COMP_ALG
4026
    int i;
4027
#endif
4028

4029
    if (meth == NULL) {
4030
        ERR_raise(ERR_LIB_SSL, SSL_R_NULL_SSL_METHOD_PASSED);
4031
        return NULL;
4032
    }
4033

4034
    if (!OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS, NULL))
4035
        return NULL;
4036

4037
    /* Doing this for the run once effect */
4038
    if (SSL_get_ex_data_X509_STORE_CTX_idx() < 0) {
4039
        ERR_raise(ERR_LIB_SSL, SSL_R_X509_VERIFICATION_SETUP_PROBLEMS);
4040
        goto err;
4041
    }
4042

4043
    ret = OPENSSL_zalloc(sizeof(*ret));
4044
    if (ret == NULL)
4045
        return NULL;
4046

4047
    /* Init the reference counting before any call to SSL_CTX_free */
4048
    if (!CRYPTO_NEW_REF(&ret->references, 1)) {
4049
        OPENSSL_free(ret);
4050
        return NULL;
4051
    }
4052

4053
    ret->lock = CRYPTO_THREAD_lock_new();
4054
    if (ret->lock == NULL) {
4055
        ERR_raise(ERR_LIB_SSL, ERR_R_CRYPTO_LIB);
4056
        goto err;
4057
    }
4058

4059
#ifdef TSAN_REQUIRES_LOCKING
4060
    ret->tsan_lock = CRYPTO_THREAD_lock_new();
4061
    if (ret->tsan_lock == NULL) {
4062
        ERR_raise(ERR_LIB_SSL, ERR_R_CRYPTO_LIB);
4063
        goto err;
4064
    }
4065
#endif
4066

4067
    ret->libctx = libctx;
4068
    if (propq != NULL) {
4069
        ret->propq = OPENSSL_strdup(propq);
4070
        if (ret->propq == NULL)
4071
            goto err;
4072
    }
4073

4074
    ret->method = meth;
4075
    ret->min_proto_version = 0;
4076
    ret->max_proto_version = 0;
4077
    ret->mode = SSL_MODE_AUTO_RETRY;
4078
    ret->session_cache_mode = SSL_SESS_CACHE_SERVER;
4079
    ret->session_cache_size = SSL_SESSION_CACHE_MAX_SIZE_DEFAULT;
4080
    /* We take the system default. */
4081
    ret->session_timeout = meth->get_timeout();
4082
    ret->max_cert_list = SSL_MAX_CERT_LIST_DEFAULT;
4083
    ret->verify_mode = SSL_VERIFY_NONE;
4084

4085
    ret->sessions = lh_SSL_SESSION_new(ssl_session_hash, ssl_session_cmp);
4086
    if (ret->sessions == NULL) {
4087
        ERR_raise(ERR_LIB_SSL, ERR_R_CRYPTO_LIB);
4088
        goto err;
4089
    }
4090
    ret->cert_store = X509_STORE_new();
4091
    if (ret->cert_store == NULL) {
4092
        ERR_raise(ERR_LIB_SSL, ERR_R_X509_LIB);
4093
        goto err;
4094
    }
4095
#ifndef OPENSSL_NO_CT
4096
    ret->ctlog_store = CTLOG_STORE_new_ex(libctx, propq);
4097
    if (ret->ctlog_store == NULL) {
4098
        ERR_raise(ERR_LIB_SSL, ERR_R_CT_LIB);
4099
        goto err;
4100
    }
4101
#endif
4102

4103
    /* initialize cipher/digest methods table */
4104
    if (!ssl_load_ciphers(ret)) {
4105
        ERR_raise(ERR_LIB_SSL, ERR_R_SSL_LIB);
4106
        goto err;
4107
    }
4108

4109
    if (!ssl_load_groups(ret)) {
4110
        ERR_raise(ERR_LIB_SSL, ERR_R_SSL_LIB);
4111
        goto err;
4112
    }
4113

4114
    /* load provider sigalgs */
4115
    if (!ssl_load_sigalgs(ret)) {
4116
        ERR_raise(ERR_LIB_SSL, ERR_R_SSL_LIB);
4117
        goto err;
4118
    }
4119

4120
    /* initialise sig algs */
4121
    if (!ssl_setup_sigalgs(ret)) {
4122
        ERR_raise(ERR_LIB_SSL, ERR_R_SSL_LIB);
4123
        goto err;
4124
    }
4125

4126
    if (!SSL_CTX_set_ciphersuites(ret, OSSL_default_ciphersuites())) {
4127
        ERR_raise(ERR_LIB_SSL, ERR_R_SSL_LIB);
4128
        goto err;
4129
    }
4130

4131
    if ((ret->cert = ssl_cert_new(SSL_PKEY_NUM + ret->sigalg_list_len)) == NULL) {
4132
        ERR_raise(ERR_LIB_SSL, ERR_R_SSL_LIB);
4133
        goto err;
4134
    }
4135

4136
    if (!ssl_create_cipher_list(ret,
4137
                                ret->tls13_ciphersuites,
4138
                                &ret->cipher_list, &ret->cipher_list_by_id,
4139
                                OSSL_default_cipher_list(), ret->cert)
4140
        || sk_SSL_CIPHER_num(ret->cipher_list) <= 0) {
4141
        ERR_raise(ERR_LIB_SSL, SSL_R_LIBRARY_HAS_NO_CIPHERS);
4142
        goto err;
4143
    }
4144

4145
    ret->param = X509_VERIFY_PARAM_new();
4146
    if (ret->param == NULL) {
4147
        ERR_raise(ERR_LIB_SSL, ERR_R_X509_LIB);
4148
        goto err;
4149
    }
4150

4151
    /*
4152
     * If these aren't available from the provider we'll get NULL returns.
4153
     * That's fine but will cause errors later if SSLv3 is negotiated
4154
     */
4155
    ret->md5 = ssl_evp_md_fetch(libctx, NID_md5, propq);
4156
    ret->sha1 = ssl_evp_md_fetch(libctx, NID_sha1, propq);
4157

4158
    if ((ret->ca_names = sk_X509_NAME_new_null()) == NULL) {
4159
        ERR_raise(ERR_LIB_SSL, ERR_R_CRYPTO_LIB);
4160
        goto err;
4161
    }
4162

4163
    if ((ret->client_ca_names = sk_X509_NAME_new_null()) == NULL) {
4164
        ERR_raise(ERR_LIB_SSL, ERR_R_CRYPTO_LIB);
4165
        goto err;
4166
    }
4167

4168
    if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL_CTX, ret, &ret->ex_data)) {
4169
        ERR_raise(ERR_LIB_SSL, ERR_R_CRYPTO_LIB);
4170
        goto err;
4171
    }
4172

4173
    if ((ret->ext.secure = OPENSSL_secure_zalloc(sizeof(*ret->ext.secure))) == NULL)
4174
        goto err;
4175

4176
    /* No compression for DTLS */
4177
    if (!(meth->ssl3_enc->enc_flags & SSL_ENC_FLAG_DTLS))
4178
        ret->comp_methods = SSL_COMP_get_compression_methods();
4179

4180
    ret->max_send_fragment = SSL3_RT_MAX_PLAIN_LENGTH;
4181
    ret->split_send_fragment = SSL3_RT_MAX_PLAIN_LENGTH;
4182

4183
    /* Setup RFC5077 ticket keys */
4184
    if ((RAND_bytes_ex(libctx, ret->ext.tick_key_name,
4185
                       sizeof(ret->ext.tick_key_name), 0) <= 0)
4186
        || (RAND_priv_bytes_ex(libctx, ret->ext.secure->tick_hmac_key,
4187
                               sizeof(ret->ext.secure->tick_hmac_key), 0) <= 0)
4188
        || (RAND_priv_bytes_ex(libctx, ret->ext.secure->tick_aes_key,
4189
                               sizeof(ret->ext.secure->tick_aes_key), 0) <= 0))
4190
        ret->options |= SSL_OP_NO_TICKET;
4191

4192
    if (RAND_priv_bytes_ex(libctx, ret->ext.cookie_hmac_key,
4193
                           sizeof(ret->ext.cookie_hmac_key), 0) <= 0) {
4194
        ERR_raise(ERR_LIB_SSL, ERR_R_RAND_LIB);
4195
        goto err;
4196
    }
4197

4198
#ifndef OPENSSL_NO_SRP
4199
    if (!ssl_ctx_srp_ctx_init_intern(ret)) {
4200
        ERR_raise(ERR_LIB_SSL, ERR_R_SSL_LIB);
4201
        goto err;
4202
    }
4203
#endif
4204
#ifndef OPENSSL_NO_ENGINE
4205
# ifdef OPENSSL_SSL_CLIENT_ENGINE_AUTO
4206
#  define eng_strx(x)     #x
4207
#  define eng_str(x)      eng_strx(x)
4208
    /* Use specific client engine automatically... ignore errors */
4209
    {
4210
        ENGINE *eng;
4211
        eng = ENGINE_by_id(eng_str(OPENSSL_SSL_CLIENT_ENGINE_AUTO));
4212
        if (!eng) {
4213
            ERR_clear_error();
4214
            ENGINE_load_builtin_engines();
4215
            eng = ENGINE_by_id(eng_str(OPENSSL_SSL_CLIENT_ENGINE_AUTO));
4216
        }
4217
        if (!eng || !SSL_CTX_set_client_cert_engine(ret, eng))
4218
            ERR_clear_error();
4219
    }
4220
# endif
4221
#endif
4222

4223
#ifndef OPENSSL_NO_COMP_ALG
4224
    /*
4225
     * Set the default order: brotli, zlib, zstd
4226
     * Including only those enabled algorithms
4227
     */
4228
    memset(ret->cert_comp_prefs, 0, sizeof(ret->cert_comp_prefs));
4229
    i = 0;
4230
    if (ossl_comp_has_alg(TLSEXT_comp_cert_brotli))
4231
        ret->cert_comp_prefs[i++] = TLSEXT_comp_cert_brotli;
4232
    if (ossl_comp_has_alg(TLSEXT_comp_cert_zlib))
4233
        ret->cert_comp_prefs[i++] = TLSEXT_comp_cert_zlib;
4234
    if (ossl_comp_has_alg(TLSEXT_comp_cert_zstd))
4235
        ret->cert_comp_prefs[i++] = TLSEXT_comp_cert_zstd;
4236
#endif
4237
    /*
4238
     * Disable compression by default to prevent CRIME. Applications can
4239
     * re-enable compression by configuring
4240
     * SSL_CTX_clear_options(ctx, SSL_OP_NO_COMPRESSION);
4241
     * or by using the SSL_CONF library. Similarly we also enable TLSv1.3
4242
     * middlebox compatibility by default. This may be disabled by default in
4243
     * a later OpenSSL version.
4244
     */
4245
    ret->options |= SSL_OP_NO_COMPRESSION | SSL_OP_ENABLE_MIDDLEBOX_COMPAT;
4246

4247
    ret->ext.status_type = TLSEXT_STATUSTYPE_nothing;
4248

4249
    /*
4250
     * We cannot usefully set a default max_early_data here (which gets
4251
     * propagated in SSL_new(), for the following reason: setting the
4252
     * SSL field causes tls_construct_stoc_early_data() to tell the
4253
     * client that early data will be accepted when constructing a TLS 1.3
4254
     * session ticket, and the client will accordingly send us early data
4255
     * when using that ticket (if the client has early data to send).
4256
     * However, in order for the early data to actually be consumed by
4257
     * the application, the application must also have calls to
4258
     * SSL_read_early_data(); otherwise we'll just skip past the early data
4259
     * and ignore it.  So, since the application must add calls to
4260
     * SSL_read_early_data(), we also require them to add
4261
     * calls to SSL_CTX_set_max_early_data() in order to use early data,
4262
     * eliminating the bandwidth-wasting early data in the case described
4263
     * above.
4264
     */
4265
    ret->max_early_data = 0;
4266

4267
    /*
4268
     * Default recv_max_early_data is a fully loaded single record. Could be
4269
     * split across multiple records in practice. We set this differently to
4270
     * max_early_data so that, in the default case, we do not advertise any
4271
     * support for early_data, but if a client were to send us some (e.g.
4272
     * because of an old, stale ticket) then we will tolerate it and skip over
4273
     * it.
4274
     */
4275
    ret->recv_max_early_data = SSL3_RT_MAX_PLAIN_LENGTH;
4276

4277
    /* By default we send two session tickets automatically in TLSv1.3 */
4278
    ret->num_tickets = 2;
4279

4280
# ifndef OPENSSL_NO_QUIC
4281
    /* only create a cache for client CTX-es */
4282
    if (meth == OSSL_QUIC_client_method())
4283
        if ((ret->tokencache = ossl_quic_new_token_store()) == NULL)
4284
            goto err;
4285
    ret->domain_flags = 0;
4286
    if (IS_QUIC_METHOD(meth)) {
4287
#  if defined(OPENSSL_THREADS)
4288
        if (meth == OSSL_QUIC_client_thread_method())
4289
            ret->domain_flags
4290
                = SSL_DOMAIN_FLAG_MULTI_THREAD
4291
                | SSL_DOMAIN_FLAG_THREAD_ASSISTED
4292
                | SSL_DOMAIN_FLAG_BLOCKING;
4293
        else
4294
            ret->domain_flags
4295
                = SSL_DOMAIN_FLAG_MULTI_THREAD
4296
                | SSL_DOMAIN_FLAG_LEGACY_BLOCKING;
4297
#  else
4298
        ret->domain_flags
4299
            = SSL_DOMAIN_FLAG_SINGLE_THREAD
4300
            | SSL_DOMAIN_FLAG_LEGACY_BLOCKING;
4301
#  endif
4302
    }
4303
# endif
4304

4305
    if (!ssl_ctx_system_config(ret)) {
4306
        ERR_raise(ERR_LIB_SSL, SSL_R_ERROR_IN_SYSTEM_DEFAULT_CONFIG);
4307
        goto err;
4308
    }
4309

4310
#ifndef OPENSSL_NO_SSLKEYLOG
4311
    if (keylogfile != NULL && strlen(keylogfile) != 0) {
4312
        /* Make sure we have a global lock allocated */
4313
        if (!RUN_ONCE(&ssl_keylog_once, ssl_keylog_init)) {
4314
            /* use a trace message as a warning */
4315
            OSSL_TRACE(TLS, "Unable to initalize keylog data\n");
4316
            goto out;
4317
        }
4318

4319
        /* Grab our global lock */
4320
        if (!CRYPTO_THREAD_write_lock(keylog_lock)) {
4321
            OSSL_TRACE(TLS, "Unable to acquire keylog write lock\n");
4322
            goto out;
4323
        } else {
4324
            /*
4325
             * If the bio for the requested keylog file hasn't been
4326
             * created yet, go ahead and create it, and set it to append
4327
             * if its already there.
4328
             */
4329
            if (keylog_bio == NULL) {
4330
                keylog_bio = get_sslkeylog_bio(keylogfile);
4331
                if (keylog_bio == NULL) {
4332
                    OSSL_TRACE(TLS, "Unable to create keylog bio\n");
4333
                    goto out;
4334
                }
4335
                BIO_set_callback_ex(keylog_bio, check_keylog_bio_free);
4336
            } else {
4337
                /* up our refcount for the already-created case */
4338
                BIO_up_ref(keylog_bio);
4339
            }
4340
            /* If we have a bio now, assign the callback handler */
4341
            if (keylog_bio != NULL)
4342
                ret->do_sslkeylog = 1;
4343
            /* unlock, and we're done */
4344
            CRYPTO_THREAD_unlock(keylog_lock);
4345
        }
4346
    }
4347
out:
4348
#endif
4349
    return ret;
4350
 err:
4351
    SSL_CTX_free(ret);
4352
#ifndef OPENSSL_NO_SSLKEYLOG
4353
    BIO_free(keylog_bio);
4354
#endif
4355
    return NULL;
4356
}
4357

4358
SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth)
4359
{
4360
    return SSL_CTX_new_ex(NULL, NULL, meth);
4361
}
4362

4363
int SSL_CTX_up_ref(SSL_CTX *ctx)
4364
{
4365
    int i;
4366

4367
    if (CRYPTO_UP_REF(&ctx->references, &i) <= 0)
4368
        return 0;
4369

4370
    REF_PRINT_COUNT("SSL_CTX", i, ctx);
4371
    REF_ASSERT_ISNT(i < 2);
4372
    return ((i > 1) ? 1 : 0);
4373
}
4374

4375
void SSL_CTX_free(SSL_CTX *a)
4376
{
4377
    int i;
4378
    size_t j;
4379

4380
    if (a == NULL)
4381
        return;
4382

4383
    CRYPTO_DOWN_REF(&a->references, &i);
4384
    REF_PRINT_COUNT("SSL_CTX", i, a);
4385
    if (i > 0)
4386
        return;
4387
    REF_ASSERT_ISNT(i < 0);
4388

4389
#ifndef OPENSSL_NO_SSLKEYLOG
4390
    if (keylog_lock != NULL && CRYPTO_THREAD_write_lock(keylog_lock)) {
4391
        if (a->do_sslkeylog == 1)
4392
            BIO_free(keylog_bio);
4393
        a->do_sslkeylog = 0;
4394
        CRYPTO_THREAD_unlock(keylog_lock);
4395
    }
4396
#endif
4397

4398
    X509_VERIFY_PARAM_free(a->param);
4399
    dane_ctx_final(&a->dane);
4400

4401
    /*
4402
     * Free internal session cache. However: the remove_cb() may reference
4403
     * the ex_data of SSL_CTX, thus the ex_data store can only be removed
4404
     * after the sessions were flushed.
4405
     * As the ex_data handling routines might also touch the session cache,
4406
     * the most secure solution seems to be: empty (flush) the cache, then
4407
     * free ex_data, then finally free the cache.
4408
     * (See ticket [openssl.org #212].)
4409
     */
4410
    if (a->sessions != NULL)
4411
        SSL_CTX_flush_sessions_ex(a, 0);
4412

4413
    CRYPTO_free_ex_data(CRYPTO_EX_INDEX_SSL_CTX, a, &a->ex_data);
4414
    lh_SSL_SESSION_free(a->sessions);
4415
    X509_STORE_free(a->cert_store);
4416
#ifndef OPENSSL_NO_CT
4417
    CTLOG_STORE_free(a->ctlog_store);
4418
#endif
4419
    sk_SSL_CIPHER_free(a->cipher_list);
4420
    sk_SSL_CIPHER_free(a->cipher_list_by_id);
4421
    sk_SSL_CIPHER_free(a->tls13_ciphersuites);
4422
    ssl_cert_free(a->cert);
4423
    sk_X509_NAME_pop_free(a->ca_names, X509_NAME_free);
4424
    sk_X509_NAME_pop_free(a->client_ca_names, X509_NAME_free);
4425
    OSSL_STACK_OF_X509_free(a->extra_certs);
4426
    a->comp_methods = NULL;
4427
#ifndef OPENSSL_NO_SRTP
4428
    sk_SRTP_PROTECTION_PROFILE_free(a->srtp_profiles);
4429
#endif
4430
#ifndef OPENSSL_NO_SRP
4431
    ssl_ctx_srp_ctx_free_intern(a);
4432
#endif
4433
#ifndef OPENSSL_NO_ENGINE
4434
    tls_engine_finish(a->client_cert_engine);
4435
#endif
4436

4437
    OPENSSL_free(a->ext.ecpointformats);
4438
    OPENSSL_free(a->ext.supportedgroups);
4439
    OPENSSL_free(a->ext.keyshares);
4440
    OPENSSL_free(a->ext.tuples);
4441
    OPENSSL_free(a->ext.alpn);
4442
    OPENSSL_secure_free(a->ext.secure);
4443

4444
    ssl_evp_md_free(a->md5);
4445
    ssl_evp_md_free(a->sha1);
4446

4447
    for (j = 0; j < SSL_ENC_NUM_IDX; j++)
4448
        ssl_evp_cipher_free(a->ssl_cipher_methods[j]);
4449
    for (j = 0; j < SSL_MD_NUM_IDX; j++)
4450
        ssl_evp_md_free(a->ssl_digest_methods[j]);
4451
    for (j = 0; j < a->group_list_len; j++) {
4452
        OPENSSL_free(a->group_list[j].tlsname);
4453
        OPENSSL_free(a->group_list[j].realname);
4454
        OPENSSL_free(a->group_list[j].algorithm);
4455
    }
4456
    OPENSSL_free(a->group_list);
4457
    for (j = 0; j < a->sigalg_list_len; j++) {
4458
        OPENSSL_free(a->sigalg_list[j].name);
4459
        OPENSSL_free(a->sigalg_list[j].sigalg_name);
4460
        OPENSSL_free(a->sigalg_list[j].sigalg_oid);
4461
        OPENSSL_free(a->sigalg_list[j].sig_name);
4462
        OPENSSL_free(a->sigalg_list[j].sig_oid);
4463
        OPENSSL_free(a->sigalg_list[j].hash_name);
4464
        OPENSSL_free(a->sigalg_list[j].hash_oid);
4465
        OPENSSL_free(a->sigalg_list[j].keytype);
4466
        OPENSSL_free(a->sigalg_list[j].keytype_oid);
4467
    }
4468
    OPENSSL_free(a->sigalg_list);
4469
    OPENSSL_free(a->ssl_cert_info);
4470

4471
    OPENSSL_free(a->sigalg_lookup_cache);
4472
    OPENSSL_free(a->tls12_sigalgs);
4473

4474
    OPENSSL_free(a->client_cert_type);
4475
    OPENSSL_free(a->server_cert_type);
4476

4477
    CRYPTO_THREAD_lock_free(a->lock);
4478
    CRYPTO_FREE_REF(&a->references);
4479
#ifdef TSAN_REQUIRES_LOCKING
4480
    CRYPTO_THREAD_lock_free(a->tsan_lock);
4481
#endif
4482

4483
    OPENSSL_free(a->propq);
4484
#ifndef OPENSSL_NO_QLOG
4485
    OPENSSL_free(a->qlog_title);
4486
#endif
4487

4488
#ifndef OPENSSL_NO_QUIC
4489
    ossl_quic_free_token_store(a->tokencache);
4490
#endif
4491

4492
    OPENSSL_free(a);
4493
}
4494

4495
void SSL_CTX_set_default_passwd_cb(SSL_CTX *ctx, pem_password_cb *cb)
4496
{
4497
    ctx->default_passwd_callback = cb;
4498
}
4499

4500
void SSL_CTX_set_default_passwd_cb_userdata(SSL_CTX *ctx, void *u)
4501
{
4502
    ctx->default_passwd_callback_userdata = u;
4503
}
4504

4505
pem_password_cb *SSL_CTX_get_default_passwd_cb(SSL_CTX *ctx)
4506
{
4507
    return ctx->default_passwd_callback;
4508
}
4509

4510
void *SSL_CTX_get_default_passwd_cb_userdata(SSL_CTX *ctx)
4511
{
4512
    return ctx->default_passwd_callback_userdata;
4513
}
4514

4515
void SSL_set_default_passwd_cb(SSL *s, pem_password_cb *cb)
4516
{
4517
    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
4518

4519
    if (sc == NULL)
4520
        return;
4521

4522
    sc->default_passwd_callback = cb;
4523
}
4524

4525
void SSL_set_default_passwd_cb_userdata(SSL *s, void *u)
4526
{
4527
    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
4528

4529
    if (sc == NULL)
4530
        return;
4531

4532
    sc->default_passwd_callback_userdata = u;
4533
}
4534

4535
pem_password_cb *SSL_get_default_passwd_cb(SSL *s)
4536
{
4537
    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
4538

4539
    if (sc == NULL)
4540
        return NULL;
4541

4542
    return sc->default_passwd_callback;
4543
}
4544

4545
void *SSL_get_default_passwd_cb_userdata(SSL *s)
4546
{
4547
    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
4548

4549
    if (sc == NULL)
4550
        return NULL;
4551

4552
    return sc->default_passwd_callback_userdata;
4553
}
4554

4555
void SSL_CTX_set_cert_verify_callback(SSL_CTX *ctx,
4556
                                      int (*cb) (X509_STORE_CTX *, void *),
4557
                                      void *arg)
4558
{
4559
    ctx->app_verify_callback = cb;
4560
    ctx->app_verify_arg = arg;
4561
}
4562

4563
void SSL_CTX_set_verify(SSL_CTX *ctx, int mode,
4564
                        int (*cb) (int, X509_STORE_CTX *))
4565
{
4566
    ctx->verify_mode = mode;
4567
    ctx->default_verify_callback = cb;
4568
}
4569

4570
void SSL_CTX_set_verify_depth(SSL_CTX *ctx, int depth)
4571
{
4572
    X509_VERIFY_PARAM_set_depth(ctx->param, depth);
4573
}
4574

4575
void SSL_CTX_set_cert_cb(SSL_CTX *c, int (*cb) (SSL *ssl, void *arg), void *arg)
4576
{
4577
    ssl_cert_set_cert_cb(c->cert, cb, arg);
4578
}
4579

4580
void SSL_set_cert_cb(SSL *s, int (*cb) (SSL *ssl, void *arg), void *arg)
4581
{
4582
    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
4583

4584
    if (sc == NULL)
4585
        return;
4586

4587
    ssl_cert_set_cert_cb(sc->cert, cb, arg);
4588
}
4589

4590
void ssl_set_masks(SSL_CONNECTION *s)
4591
{
4592
    CERT *c = s->cert;
4593
    uint32_t *pvalid = s->s3.tmp.valid_flags;
4594
    int rsa_enc, rsa_sign, dh_tmp, dsa_sign;
4595
    unsigned long mask_k, mask_a;
4596
    int have_ecc_cert, ecdsa_ok;
4597

4598
    if (c == NULL)
4599
        return;
4600

4601
    dh_tmp = (c->dh_tmp != NULL
4602
              || c->dh_tmp_cb != NULL
4603
              || c->dh_tmp_auto);
4604

4605
    rsa_enc = pvalid[SSL_PKEY_RSA] & CERT_PKEY_VALID;
4606
    rsa_sign = pvalid[SSL_PKEY_RSA] & CERT_PKEY_VALID;
4607
    dsa_sign = pvalid[SSL_PKEY_DSA_SIGN] & CERT_PKEY_VALID;
4608
    have_ecc_cert = pvalid[SSL_PKEY_ECC] & CERT_PKEY_VALID;
4609
    mask_k = 0;
4610
    mask_a = 0;
4611

4612
    OSSL_TRACE4(TLS_CIPHER, "dh_tmp=%d rsa_enc=%d rsa_sign=%d dsa_sign=%d\n",
4613
               dh_tmp, rsa_enc, rsa_sign, dsa_sign);
4614

4615
#ifndef OPENSSL_NO_GOST
4616
    if (ssl_has_cert(s, SSL_PKEY_GOST12_512)) {
4617
        mask_k |= SSL_kGOST | SSL_kGOST18;
4618
        mask_a |= SSL_aGOST12;
4619
    }
4620
    if (ssl_has_cert(s, SSL_PKEY_GOST12_256)) {
4621
        mask_k |= SSL_kGOST | SSL_kGOST18;
4622
        mask_a |= SSL_aGOST12;
4623
    }
4624
    if (ssl_has_cert(s, SSL_PKEY_GOST01)) {
4625
        mask_k |= SSL_kGOST;
4626
        mask_a |= SSL_aGOST01;
4627
    }
4628
#endif
4629

4630
    if (rsa_enc)
4631
        mask_k |= SSL_kRSA;
4632

4633
    if (dh_tmp)
4634
        mask_k |= SSL_kDHE;
4635

4636
    /*
4637
     * If we only have an RSA-PSS certificate allow RSA authentication
4638
     * if TLS 1.2 and peer supports it.
4639
     */
4640

4641
    if (rsa_enc || rsa_sign || (ssl_has_cert(s, SSL_PKEY_RSA_PSS_SIGN)
4642
                && pvalid[SSL_PKEY_RSA_PSS_SIGN] & CERT_PKEY_EXPLICIT_SIGN
4643
                && TLS1_get_version(&s->ssl) == TLS1_2_VERSION))
4644
        mask_a |= SSL_aRSA;
4645

4646
    if (dsa_sign) {
4647
        mask_a |= SSL_aDSS;
4648
    }
4649

4650
    mask_a |= SSL_aNULL;
4651

4652
    /*
4653
     * You can do anything with an RPK key, since there's no cert to restrict it
4654
     * But we need to check for private keys
4655
     */
4656
    if (pvalid[SSL_PKEY_RSA] & CERT_PKEY_RPK) {
4657
        mask_a |= SSL_aRSA;
4658
        mask_k |= SSL_kRSA;
4659
    }
4660
    if (pvalid[SSL_PKEY_ECC] & CERT_PKEY_RPK)
4661
        mask_a |= SSL_aECDSA;
4662
    if (TLS1_get_version(&s->ssl) == TLS1_2_VERSION) {
4663
        if (pvalid[SSL_PKEY_RSA_PSS_SIGN] & CERT_PKEY_RPK)
4664
            mask_a |= SSL_aRSA;
4665
        if (pvalid[SSL_PKEY_ED25519] & CERT_PKEY_RPK
4666
                || pvalid[SSL_PKEY_ED448] & CERT_PKEY_RPK)
4667
            mask_a |= SSL_aECDSA;
4668
    }
4669

4670
    /*
4671
     * An ECC certificate may be usable for ECDH and/or ECDSA cipher suites
4672
     * depending on the key usage extension.
4673
     */
4674
    if (have_ecc_cert) {
4675
        uint32_t ex_kusage;
4676
        ex_kusage = X509_get_key_usage(c->pkeys[SSL_PKEY_ECC].x509);
4677
        ecdsa_ok = ex_kusage & X509v3_KU_DIGITAL_SIGNATURE;
4678
        if (!(pvalid[SSL_PKEY_ECC] & CERT_PKEY_SIGN))
4679
            ecdsa_ok = 0;
4680
        if (ecdsa_ok)
4681
            mask_a |= SSL_aECDSA;
4682
    }
4683
    /* Allow Ed25519 for TLS 1.2 if peer supports it */
4684
    if (!(mask_a & SSL_aECDSA) && ssl_has_cert(s, SSL_PKEY_ED25519)
4685
            && pvalid[SSL_PKEY_ED25519] & CERT_PKEY_EXPLICIT_SIGN
4686
            && TLS1_get_version(&s->ssl) == TLS1_2_VERSION)
4687
            mask_a |= SSL_aECDSA;
4688

4689
    /* Allow Ed448 for TLS 1.2 if peer supports it */
4690
    if (!(mask_a & SSL_aECDSA) && ssl_has_cert(s, SSL_PKEY_ED448)
4691
            && pvalid[SSL_PKEY_ED448] & CERT_PKEY_EXPLICIT_SIGN
4692
            && TLS1_get_version(&s->ssl) == TLS1_2_VERSION)
4693
            mask_a |= SSL_aECDSA;
4694

4695
    mask_k |= SSL_kECDHE;
4696

4697
#ifndef OPENSSL_NO_PSK
4698
    mask_k |= SSL_kPSK;
4699
    mask_a |= SSL_aPSK;
4700
    if (mask_k & SSL_kRSA)
4701
        mask_k |= SSL_kRSAPSK;
4702
    if (mask_k & SSL_kDHE)
4703
        mask_k |= SSL_kDHEPSK;
4704
    if (mask_k & SSL_kECDHE)
4705
        mask_k |= SSL_kECDHEPSK;
4706
#endif
4707

4708
    s->s3.tmp.mask_k = mask_k;
4709
    s->s3.tmp.mask_a = mask_a;
4710
}
4711

4712
int ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL_CONNECTION *s)
4713
{
4714
    if (s->s3.tmp.new_cipher->algorithm_auth & SSL_aECDSA) {
4715
        /* key usage, if present, must allow signing */
4716
        if (!(X509_get_key_usage(x) & X509v3_KU_DIGITAL_SIGNATURE)) {
4717
            ERR_raise(ERR_LIB_SSL, SSL_R_ECC_CERT_NOT_FOR_SIGNING);
4718
            return 0;
4719
        }
4720
    }
4721
    return 1;                   /* all checks are ok */
4722
}
4723

4724
int ssl_get_server_cert_serverinfo(SSL_CONNECTION *s,
4725
                                   const unsigned char **serverinfo,
4726
                                   size_t *serverinfo_length)
4727
{
4728
    CERT_PKEY *cpk = s->s3.tmp.cert;
4729
    *serverinfo_length = 0;
4730

4731
    if (cpk == NULL || cpk->serverinfo == NULL)
4732
        return 0;
4733

4734
    *serverinfo = cpk->serverinfo;
4735
    *serverinfo_length = cpk->serverinfo_length;
4736
    return 1;
4737
}
4738

4739
void ssl_update_cache(SSL_CONNECTION *s, int mode)
4740
{
4741
    int i;
4742

4743
    /*
4744
     * If the session_id_length is 0, we are not supposed to cache it, and it
4745
     * would be rather hard to do anyway :-). Also if the session has already
4746
     * been marked as not_resumable we should not cache it for later reuse.
4747
     */
4748
    if (s->session->session_id_length == 0 || s->session->not_resumable)
4749
        return;
4750

4751
    /*
4752
     * If sid_ctx_length is 0 there is no specific application context
4753
     * associated with this session, so when we try to resume it and
4754
     * SSL_VERIFY_PEER is requested to verify the client identity, we have no
4755
     * indication that this is actually a session for the proper application
4756
     * context, and the *handshake* will fail, not just the resumption attempt.
4757
     * Do not cache (on the server) these sessions that are not resumable
4758
     * (clients can set SSL_VERIFY_PEER without needing a sid_ctx set).
4759
     */
4760
    if (s->server && s->session->sid_ctx_length == 0
4761
            && (s->verify_mode & SSL_VERIFY_PEER) != 0)
4762
        return;
4763

4764
    i = s->session_ctx->session_cache_mode;
4765
    if ((i & mode) != 0
4766
        && (!s->hit || SSL_CONNECTION_IS_TLS13(s))) {
4767
        /*
4768
         * Add the session to the internal cache. In server side TLSv1.3 we
4769
         * normally don't do this because by default it's a full stateless ticket
4770
         * with only a dummy session id so there is no reason to cache it,
4771
         * unless:
4772
         * - we are doing early_data, in which case we cache so that we can
4773
         *   detect replays
4774
         * - the application has set a remove_session_cb so needs to know about
4775
         *   session timeout events
4776
         * - SSL_OP_NO_TICKET is set in which case it is a stateful ticket
4777
         */
4778
        if ((i & SSL_SESS_CACHE_NO_INTERNAL_STORE) == 0
4779
                && (!SSL_CONNECTION_IS_TLS13(s)
4780
                    || !s->server
4781
                    || (s->max_early_data > 0
4782
                        && (s->options & SSL_OP_NO_ANTI_REPLAY) == 0)
4783
                    || s->session_ctx->remove_session_cb != NULL
4784
                    || (s->options & SSL_OP_NO_TICKET) != 0))
4785
            SSL_CTX_add_session(s->session_ctx, s->session);
4786

4787
        /*
4788
         * Add the session to the external cache. We do this even in server side
4789
         * TLSv1.3 without early data because some applications just want to
4790
         * know about the creation of a session and aren't doing a full cache.
4791
         */
4792
        if (s->session_ctx->new_session_cb != NULL && SSL_SESSION_up_ref(s->session)) {
4793
            if (!s->session_ctx->new_session_cb(SSL_CONNECTION_GET_USER_SSL(s),
4794
                                                s->session))
4795
                SSL_SESSION_free(s->session);
4796
        }
4797
    }
4798

4799
    /* auto flush every 255 connections */
4800
    if ((!(i & SSL_SESS_CACHE_NO_AUTO_CLEAR)) && ((i & mode) == mode)) {
4801
        TSAN_QUALIFIER int *stat;
4802

4803
        if (mode & SSL_SESS_CACHE_CLIENT)
4804
            stat = &s->session_ctx->stats.sess_connect_good;
4805
        else
4806
            stat = &s->session_ctx->stats.sess_accept_good;
4807
        if ((ssl_tsan_load(s->session_ctx, stat) & 0xff) == 0xff)
4808
            SSL_CTX_flush_sessions_ex(s->session_ctx, time(NULL));
4809
    }
4810
}
4811

4812
const SSL_METHOD *SSL_CTX_get_ssl_method(const SSL_CTX *ctx)
4813
{
4814
    return ctx->method;
4815
}
4816

4817
const SSL_METHOD *SSL_get_ssl_method(const SSL *s)
4818
{
4819
    return s->method;
4820
}
4821

4822
int SSL_set_ssl_method(SSL *s, const SSL_METHOD *meth)
4823
{
4824
    int ret = 1;
4825
    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
4826

4827
    /* Not allowed for QUIC */
4828
    if (sc == NULL
4829
        || (s->type != SSL_TYPE_SSL_CONNECTION && s->method != meth)
4830
        || (s->type == SSL_TYPE_SSL_CONNECTION && IS_QUIC_METHOD(meth)))
4831
        return 0;
4832

4833
    if (s->method != meth) {
4834
        const SSL_METHOD *sm = s->method;
4835
        int (*hf) (SSL *) = sc->handshake_func;
4836

4837
        if (sm->version == meth->version)
4838
            s->method = meth;
4839
        else {
4840
            sm->ssl_deinit(s);
4841
            s->method = meth;
4842
            ret = s->method->ssl_init(s);
4843
        }
4844

4845
        if (hf == sm->ssl_connect)
4846
            sc->handshake_func = meth->ssl_connect;
4847
        else if (hf == sm->ssl_accept)
4848
            sc->handshake_func = meth->ssl_accept;
4849
    }
4850
    return ret;
4851
}
4852

4853
int SSL_get_error(const SSL *s, int i)
4854
{
4855
    return ossl_ssl_get_error(s, i, /*check_err=*/1);
4856
}
4857

4858
int ossl_ssl_get_error(const SSL *s, int i, int check_err)
4859
{
4860
    int reason;
4861
    unsigned long l;
4862
    BIO *bio;
4863
    const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
4864

4865
    if (i > 0)
4866
        return SSL_ERROR_NONE;
4867

4868
#ifndef OPENSSL_NO_QUIC
4869
    if (IS_QUIC(s)) {
4870
        reason = ossl_quic_get_error(s, i);
4871
        if (reason != SSL_ERROR_NONE)
4872
            return reason;
4873
    }
4874
#endif
4875

4876
    if (sc == NULL)
4877
        return SSL_ERROR_SSL;
4878

4879
    /*
4880
     * Make things return SSL_ERROR_SYSCALL when doing SSL_do_handshake etc,
4881
     * where we do encode the error
4882
     */
4883
    if (check_err && (l = ERR_peek_error()) != 0) {
4884
        if (ERR_GET_LIB(l) == ERR_LIB_SYS)
4885
            return SSL_ERROR_SYSCALL;
4886
        else
4887
            return SSL_ERROR_SSL;
4888
    }
4889

4890
#ifndef OPENSSL_NO_QUIC
4891
    if (!IS_QUIC(s))
4892
#endif
4893
    {
4894
        if (SSL_want_read(s)) {
4895
            bio = SSL_get_rbio(s);
4896
            if (BIO_should_read(bio))
4897
                return SSL_ERROR_WANT_READ;
4898
            else if (BIO_should_write(bio))
4899
                /*
4900
                 * This one doesn't make too much sense ... We never try to
4901
                 * write to the rbio, and an application program where rbio and
4902
                 * wbio are separate couldn't even know what it should wait for.
4903
                 * However if we ever set s->rwstate incorrectly (so that we
4904
                 * have SSL_want_read(s) instead of SSL_want_write(s)) and rbio
4905
                 * and wbio *are* the same, this test works around that bug; so
4906
                 * it might be safer to keep it.
4907
                 */
4908
                return SSL_ERROR_WANT_WRITE;
4909
            else if (BIO_should_io_special(bio)) {
4910
                reason = BIO_get_retry_reason(bio);
4911
                if (reason == BIO_RR_CONNECT)
4912
                    return SSL_ERROR_WANT_CONNECT;
4913
                else if (reason == BIO_RR_ACCEPT)
4914
                    return SSL_ERROR_WANT_ACCEPT;
4915
                else
4916
                    return SSL_ERROR_SYSCALL; /* unknown */
4917
            }
4918
        }
4919

4920
        if (SSL_want_write(s)) {
4921
            /*
4922
             * Access wbio directly - in order to use the buffered bio if
4923
             * present
4924
             */
4925
            bio = sc->wbio;
4926
            if (BIO_should_write(bio))
4927
                return SSL_ERROR_WANT_WRITE;
4928
            else if (BIO_should_read(bio))
4929
                /*
4930
                 * See above (SSL_want_read(s) with BIO_should_write(bio))
4931
                 */
4932
                return SSL_ERROR_WANT_READ;
4933
            else if (BIO_should_io_special(bio)) {
4934
                reason = BIO_get_retry_reason(bio);
4935
                if (reason == BIO_RR_CONNECT)
4936
                    return SSL_ERROR_WANT_CONNECT;
4937
                else if (reason == BIO_RR_ACCEPT)
4938
                    return SSL_ERROR_WANT_ACCEPT;
4939
                else
4940
                    return SSL_ERROR_SYSCALL;
4941
            }
4942
        }
4943
    }
4944

4945
    if (SSL_want_x509_lookup(s))
4946
        return SSL_ERROR_WANT_X509_LOOKUP;
4947
    if (SSL_want_retry_verify(s))
4948
        return SSL_ERROR_WANT_RETRY_VERIFY;
4949
    if (SSL_want_async(s))
4950
        return SSL_ERROR_WANT_ASYNC;
4951
    if (SSL_want_async_job(s))
4952
        return SSL_ERROR_WANT_ASYNC_JOB;
4953
    if (SSL_want_client_hello_cb(s))
4954
        return SSL_ERROR_WANT_CLIENT_HELLO_CB;
4955

4956
    if ((sc->shutdown & SSL_RECEIVED_SHUTDOWN) &&
4957
        (sc->s3.warn_alert == SSL_AD_CLOSE_NOTIFY))
4958
        return SSL_ERROR_ZERO_RETURN;
4959

4960
    return SSL_ERROR_SYSCALL;
4961
}
4962

4963
static int ssl_do_handshake_intern(void *vargs)
4964
{
4965
    struct ssl_async_args *args = (struct ssl_async_args *)vargs;
4966
    SSL *s = args->s;
4967
    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
4968

4969
    if (sc == NULL)
4970
        return -1;
4971

4972
    return sc->handshake_func(s);
4973
}
4974

4975
int SSL_do_handshake(SSL *s)
4976
{
4977
    int ret = 1;
4978
    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
4979

4980
#ifndef OPENSSL_NO_QUIC
4981
    if (IS_QUIC(s))
4982
        return ossl_quic_do_handshake(s);
4983
#endif
4984

4985
    if (sc == NULL)
4986
        return -1;
4987

4988
    if (sc->handshake_func == NULL) {
4989
        ERR_raise(ERR_LIB_SSL, SSL_R_CONNECTION_TYPE_NOT_SET);
4990
        return -1;
4991
    }
4992

4993
    if (!ossl_statem_check_finish_init(sc, -1))
4994
        return -1;
4995

4996
    s->method->ssl_renegotiate_check(s, 0);
4997

4998
    if (SSL_in_init(s) || SSL_in_before(s)) {
4999
        if ((sc->mode & SSL_MODE_ASYNC) && ASYNC_get_current_job() == NULL) {
5000
            struct ssl_async_args args;
5001

5002
            memset(&args, 0, sizeof(args));
5003
            args.s = s;
5004

5005
            ret = ssl_start_async_job(s, &args, ssl_do_handshake_intern);
5006
        } else {
5007
            ret = sc->handshake_func(s);
5008
        }
5009
    }
5010

5011
    return ret;
5012
}
5013

5014
void SSL_set_accept_state(SSL *s)
5015
{
5016
    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL_ONLY(s);
5017

5018
#ifndef OPENSSL_NO_QUIC
5019
    if (IS_QUIC(s)) {
5020
        /* We suppress errors because this is a void function */
5021
        (void)ossl_quic_set_accept_state(s, 0 /* suppress errors */);
5022
        return;
5023
    }
5024
#endif
5025

5026
    sc->server = 1;
5027
    sc->shutdown = 0;
5028
    ossl_statem_clear(sc);
5029
    sc->handshake_func = s->method->ssl_accept;
5030
    /* Ignore return value. Its a void public API function */
5031
    RECORD_LAYER_reset(&sc->rlayer);
5032
}
5033

5034
void SSL_set_connect_state(SSL *s)
5035
{
5036
    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL_ONLY(s);
5037

5038
#ifndef OPENSSL_NO_QUIC
5039
    if (IS_QUIC(s)) {
5040
        /* We suppress errors because this is a void function */
5041
        (void)ossl_quic_set_connect_state(s, 0 /* suppress errors */);
5042
        return;
5043
    }
5044
#endif
5045

5046
    sc->server = 0;
5047
    sc->shutdown = 0;
5048
    ossl_statem_clear(sc);
5049
    sc->handshake_func = s->method->ssl_connect;
5050
    /* Ignore return value. Its a void public API function */
5051
    RECORD_LAYER_reset(&sc->rlayer);
5052
}
5053

5054
int ssl_undefined_function(SSL *s)
5055
{
5056
    ERR_raise(ERR_LIB_SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
5057
    return 0;
5058
}
5059

5060
int ssl_undefined_void_function(void)
5061
{
5062
    ERR_raise(ERR_LIB_SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
5063
    return 0;
5064
}
5065

5066
const char *ssl_protocol_to_string(int version)
5067
{
5068
    switch (version) {
5069
    case TLS1_3_VERSION:
5070
        return "TLSv1.3";
5071

5072
    case TLS1_2_VERSION:
5073
        return "TLSv1.2";
5074

5075
    case TLS1_1_VERSION:
5076
        return "TLSv1.1";
5077

5078
    case TLS1_VERSION:
5079
        return "TLSv1";
5080

5081
    case SSL3_VERSION:
5082
        return "SSLv3";
5083

5084
    case DTLS1_BAD_VER:
5085
        return "DTLSv0.9";
5086

5087
    case DTLS1_VERSION:
5088
        return "DTLSv1";
5089

5090
    case DTLS1_2_VERSION:
5091
        return "DTLSv1.2";
5092

5093
    default:
5094
        return "unknown";
5095
    }
5096
}
5097

5098
const char *SSL_get_version(const SSL *s)
5099
{
5100
    const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
5101

5102
#ifndef OPENSSL_NO_QUIC
5103
    /* We only support QUICv1 - so if its QUIC its QUICv1 */
5104
    if (s->type == SSL_TYPE_QUIC_CONNECTION || s->type == SSL_TYPE_QUIC_XSO)
5105
        return "QUICv1";
5106
#endif
5107

5108
    if (sc == NULL)
5109
        return NULL;
5110

5111
    return ssl_protocol_to_string(sc->version);
5112
}
5113

5114
__owur int SSL_get_handshake_rtt(const SSL *s, uint64_t *rtt)
5115
{
5116
    const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
5117

5118
    if (sc == NULL)
5119
        return -1;
5120
    if (sc->ts_msg_write.t <= 0 || sc->ts_msg_read.t <= 0)
5121
        return 0; /* data not (yet) available */
5122
    if (sc->ts_msg_read.t < sc->ts_msg_write.t)
5123
        return -1;
5124

5125
    *rtt = ossl_time2us(ossl_time_subtract(sc->ts_msg_read, sc->ts_msg_write));
5126
    return 1;
5127
}
5128

5129
static int dup_ca_names(STACK_OF(X509_NAME) **dst, STACK_OF(X509_NAME) *src)
5130
{
5131
    STACK_OF(X509_NAME) *sk;
5132
    X509_NAME *xn;
5133
    int i;
5134

5135
    if (src == NULL) {
5136
        *dst = NULL;
5137
        return 1;
5138
    }
5139

5140
    if ((sk = sk_X509_NAME_new_null()) == NULL)
5141
        return 0;
5142
    for (i = 0; i < sk_X509_NAME_num(src); i++) {
5143
        xn = X509_NAME_dup(sk_X509_NAME_value(src, i));
5144
        if (xn == NULL) {
5145
            sk_X509_NAME_pop_free(sk, X509_NAME_free);
5146
            return 0;
5147
        }
5148
        if (sk_X509_NAME_insert(sk, xn, i) == 0) {
5149
            X509_NAME_free(xn);
5150
            sk_X509_NAME_pop_free(sk, X509_NAME_free);
5151
            return 0;
5152
        }
5153
    }
5154
    *dst = sk;
5155

5156
    return 1;
5157
}
5158

5159
SSL *SSL_dup(SSL *s)
5160
{
5161
    SSL *ret;
5162
    int i;
5163
    /* TODO(QUIC FUTURE): Add an SSL_METHOD function for duplication */
5164
    SSL_CONNECTION *retsc;
5165
    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL_ONLY(s);
5166

5167
    if (sc == NULL)
5168
        return NULL;
5169

5170
    /* If we're not quiescent, just up_ref! */
5171
    if (!SSL_in_init(s) || !SSL_in_before(s)) {
5172
        CRYPTO_UP_REF(&s->references, &i);
5173
        return s;
5174
    }
5175

5176
    /*
5177
     * Otherwise, copy configuration state, and session if set.
5178
     */
5179
    if ((ret = SSL_new(SSL_get_SSL_CTX(s))) == NULL)
5180
        return NULL;
5181
    if ((retsc = SSL_CONNECTION_FROM_SSL_ONLY(ret)) == NULL)
5182
        goto err;
5183

5184
    if (sc->session != NULL) {
5185
        /*
5186
         * Arranges to share the same session via up_ref.  This "copies"
5187
         * session-id, SSL_METHOD, sid_ctx, and 'cert'
5188
         */
5189
        if (!SSL_copy_session_id(ret, s))
5190
            goto err;
5191
    } else {
5192
        /*
5193
         * No session has been established yet, so we have to expect that
5194
         * s->cert or ret->cert will be changed later -- they should not both
5195
         * point to the same object, and thus we can't use
5196
         * SSL_copy_session_id.
5197
         */
5198
        if (!SSL_set_ssl_method(ret, s->method))
5199
            goto err;
5200

5201
        if (sc->cert != NULL) {
5202
            ssl_cert_free(retsc->cert);
5203
            retsc->cert = ssl_cert_dup(sc->cert);
5204
            if (retsc->cert == NULL)
5205
                goto err;
5206
        }
5207

5208
        if (!SSL_set_session_id_context(ret, sc->sid_ctx,
5209
                                        (int)sc->sid_ctx_length))
5210
            goto err;
5211
    }
5212

5213
    if (!ssl_dane_dup(retsc, sc))
5214
        goto err;
5215
    retsc->version = sc->version;
5216
    retsc->options = sc->options;
5217
    retsc->min_proto_version = sc->min_proto_version;
5218
    retsc->max_proto_version = sc->max_proto_version;
5219
    retsc->mode = sc->mode;
5220
    SSL_set_max_cert_list(ret, SSL_get_max_cert_list(s));
5221
    SSL_set_read_ahead(ret, SSL_get_read_ahead(s));
5222
    retsc->msg_callback = sc->msg_callback;
5223
    retsc->msg_callback_arg = sc->msg_callback_arg;
5224
    SSL_set_verify(ret, SSL_get_verify_mode(s), SSL_get_verify_callback(s));
5225
    SSL_set_verify_depth(ret, SSL_get_verify_depth(s));
5226
    retsc->generate_session_id = sc->generate_session_id;
5227

5228
    SSL_set_info_callback(ret, SSL_get_info_callback(s));
5229

5230
    /* copy app data, a little dangerous perhaps */
5231
    if (!CRYPTO_dup_ex_data(CRYPTO_EX_INDEX_SSL, &ret->ex_data, &s->ex_data))
5232
        goto err;
5233

5234
    retsc->server = sc->server;
5235
    if (sc->handshake_func) {
5236
        if (sc->server)
5237
            SSL_set_accept_state(ret);
5238
        else
5239
            SSL_set_connect_state(ret);
5240
    }
5241
    retsc->shutdown = sc->shutdown;
5242
    retsc->hit = sc->hit;
5243

5244
    retsc->default_passwd_callback = sc->default_passwd_callback;
5245
    retsc->default_passwd_callback_userdata = sc->default_passwd_callback_userdata;
5246

5247
    X509_VERIFY_PARAM_inherit(retsc->param, sc->param);
5248

5249
    /* dup the cipher_list and cipher_list_by_id stacks */
5250
    if (sc->cipher_list != NULL) {
5251
        if ((retsc->cipher_list = sk_SSL_CIPHER_dup(sc->cipher_list)) == NULL)
5252
            goto err;
5253
    }
5254
    if (sc->cipher_list_by_id != NULL)
5255
        if ((retsc->cipher_list_by_id = sk_SSL_CIPHER_dup(sc->cipher_list_by_id))
5256
            == NULL)
5257
            goto err;
5258

5259
    /* Dup the client_CA list */
5260
    if (!dup_ca_names(&retsc->ca_names, sc->ca_names)
5261
            || !dup_ca_names(&retsc->client_ca_names, sc->client_ca_names))
5262
        goto err;
5263

5264
    return ret;
5265

5266
 err:
5267
    SSL_free(ret);
5268
    return NULL;
5269
}
5270

5271
X509 *SSL_get_certificate(const SSL *s)
5272
{
5273
    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
5274

5275
    if (sc == NULL)
5276
        return NULL;
5277

5278
    if (sc->cert != NULL)
5279
        return sc->cert->key->x509;
5280
    else
5281
        return NULL;
5282
}
5283

5284
EVP_PKEY *SSL_get_privatekey(const SSL *s)
5285
{
5286
    const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
5287

5288
    if (sc == NULL)
5289
        return NULL;
5290

5291
    if (sc->cert != NULL)
5292
        return sc->cert->key->privatekey;
5293
    else
5294
        return NULL;
5295
}
5296

5297
X509 *SSL_CTX_get0_certificate(const SSL_CTX *ctx)
5298
{
5299
    if (ctx->cert != NULL)
5300
        return ctx->cert->key->x509;
5301
    else
5302
        return NULL;
5303
}
5304

5305
EVP_PKEY *SSL_CTX_get0_privatekey(const SSL_CTX *ctx)
5306
{
5307
    if (ctx->cert != NULL)
5308
        return ctx->cert->key->privatekey;
5309
    else
5310
        return NULL;
5311
}
5312

5313
const SSL_CIPHER *SSL_get_current_cipher(const SSL *s)
5314
{
5315
    const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
5316

5317
    if (sc == NULL)
5318
        return NULL;
5319

5320
    if ((sc->session != NULL) && (sc->session->cipher != NULL))
5321
        return sc->session->cipher;
5322
    return NULL;
5323
}
5324

5325
const SSL_CIPHER *SSL_get_pending_cipher(const SSL *s)
5326
{
5327
    const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
5328

5329
    if (sc == NULL)
5330
        return NULL;
5331

5332
    return sc->s3.tmp.new_cipher;
5333
}
5334

5335
const COMP_METHOD *SSL_get_current_compression(const SSL *s)
5336
{
5337
#ifndef OPENSSL_NO_COMP
5338
    const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL_ONLY(s);
5339

5340
    if (sc == NULL)
5341
        return NULL;
5342

5343
    return sc->rlayer.wrlmethod->get_compression(sc->rlayer.wrl);
5344
#else
5345
    return NULL;
5346
#endif
5347
}
5348

5349
const COMP_METHOD *SSL_get_current_expansion(const SSL *s)
5350
{
5351
#ifndef OPENSSL_NO_COMP
5352
    const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL_ONLY(s);
5353

5354
    if (sc == NULL)
5355
        return NULL;
5356

5357
    return sc->rlayer.rrlmethod->get_compression(sc->rlayer.rrl);
5358
#else
5359
    return NULL;
5360
#endif
5361
}
5362

5363
int ssl_init_wbio_buffer(SSL_CONNECTION *s)
5364
{
5365
    BIO *bbio;
5366

5367
    if (s->bbio != NULL) {
5368
        /* Already buffered. */
5369
        return 1;
5370
    }
5371

5372
    bbio = BIO_new(BIO_f_buffer());
5373
    if (bbio == NULL || BIO_set_read_buffer_size(bbio, 1) <= 0) {
5374
        BIO_free(bbio);
5375
        ERR_raise(ERR_LIB_SSL, ERR_R_BUF_LIB);
5376
        return 0;
5377
    }
5378
    s->bbio = bbio;
5379
    s->wbio = BIO_push(bbio, s->wbio);
5380

5381
    s->rlayer.wrlmethod->set1_bio(s->rlayer.wrl, s->wbio);
5382

5383
    return 1;
5384
}
5385

5386
int ssl_free_wbio_buffer(SSL_CONNECTION *s)
5387
{
5388
    /* callers ensure s is never null */
5389
    if (s->bbio == NULL)
5390
        return 1;
5391

5392
    s->wbio = BIO_pop(s->wbio);
5393
    s->rlayer.wrlmethod->set1_bio(s->rlayer.wrl, s->wbio);
5394

5395
    BIO_free(s->bbio);
5396
    s->bbio = NULL;
5397

5398
    return 1;
5399
}
5400

5401
void SSL_CTX_set_quiet_shutdown(SSL_CTX *ctx, int mode)
5402
{
5403
    ctx->quiet_shutdown = mode;
5404
}
5405

5406
int SSL_CTX_get_quiet_shutdown(const SSL_CTX *ctx)
5407
{
5408
    return ctx->quiet_shutdown;
5409
}
5410

5411
void SSL_set_quiet_shutdown(SSL *s, int mode)
5412
{
5413
    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL_ONLY(s);
5414

5415
    /* Not supported with QUIC */
5416
    if (sc == NULL)
5417
        return;
5418

5419
    sc->quiet_shutdown = mode;
5420
}
5421

5422
int SSL_get_quiet_shutdown(const SSL *s)
5423
{
5424
    const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL_ONLY(s);
5425

5426
    /* Not supported with QUIC */
5427
    if (sc == NULL)
5428
        return 0;
5429

5430
    return sc->quiet_shutdown;
5431
}
5432

5433
void SSL_set_shutdown(SSL *s, int mode)
5434
{
5435
    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL_ONLY(s);
5436

5437
    /* Not supported with QUIC */
5438
    if (sc == NULL)
5439
        return;
5440

5441
    sc->shutdown = mode;
5442
}
5443

5444
int SSL_get_shutdown(const SSL *s)
5445
{
5446
    const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL_ONLY(s);
5447

5448
#ifndef OPENSSL_NO_QUIC
5449
    /* QUIC: Just indicate whether the connection was shutdown cleanly. */
5450
    if (IS_QUIC(s))
5451
        return ossl_quic_get_shutdown(s);
5452
#endif
5453

5454
    if (sc == NULL)
5455
        return 0;
5456

5457
    return sc->shutdown;
5458
}
5459

5460
int SSL_version(const SSL *s)
5461
{
5462
    const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
5463

5464
#ifndef OPENSSL_NO_QUIC
5465
    /* We only support QUICv1 - so if its QUIC its QUICv1 */
5466
    if (s->type == SSL_TYPE_QUIC_CONNECTION || s->type == SSL_TYPE_QUIC_XSO)
5467
        return OSSL_QUIC1_VERSION;
5468
#endif
5469
    if (sc == NULL)
5470
        return 0;
5471

5472
    return sc->version;
5473
}
5474

5475
int SSL_client_version(const SSL *s)
5476
{
5477
    const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
5478

5479
#ifndef OPENSSL_NO_QUIC
5480
    /* We only support QUICv1 - so if its QUIC its QUICv1 */
5481
    if (s->type == SSL_TYPE_QUIC_CONNECTION || s->type == SSL_TYPE_QUIC_XSO)
5482
        return OSSL_QUIC1_VERSION;
5483
#endif
5484
    if (sc == NULL)
5485
        return 0;
5486

5487
    return sc->client_version;
5488
}
5489

5490
SSL_CTX *SSL_get_SSL_CTX(const SSL *ssl)
5491
{
5492
    return ssl->ctx;
5493
}
5494

5495
SSL_CTX *SSL_set_SSL_CTX(SSL *ssl, SSL_CTX *ctx)
5496
{
5497
    CERT *new_cert;
5498
    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL_ONLY(ssl);
5499

5500
    /* TODO(QUIC FUTURE): Add support for QUIC */
5501
    if (sc == NULL)
5502
        return NULL;
5503

5504
    if (ssl->ctx == ctx)
5505
        return ssl->ctx;
5506
    if (ctx == NULL)
5507
        ctx = sc->session_ctx;
5508
    new_cert = ssl_cert_dup(ctx->cert);
5509
    if (new_cert == NULL)
5510
        goto err;
5511
    if (!custom_exts_copy_conn(&new_cert->custext, &sc->cert->custext))
5512
        goto err;
5513
    if (!custom_exts_copy_flags(&new_cert->custext, &sc->cert->custext))
5514
        goto err;
5515

5516
    /*
5517
     * Program invariant: |sid_ctx| has fixed size (SSL_MAX_SID_CTX_LENGTH),
5518
     * so setter APIs must prevent invalid lengths from entering the system.
5519
     */
5520
    if (!ossl_assert(sc->sid_ctx_length <= sizeof(sc->sid_ctx)))
5521
        goto err;
5522
    if (!SSL_CTX_up_ref(ctx))
5523
        goto err;
5524

5525
    /*
5526
     * If the session ID context matches that of the parent SSL_CTX,
5527
     * inherit it from the new SSL_CTX as well. If however the context does
5528
     * not match (i.e., it was set per-ssl with SSL_set_session_id_context),
5529
     * leave it unchanged.
5530
     */
5531
    if ((ssl->ctx != NULL) &&
5532
        (sc->sid_ctx_length == ssl->ctx->sid_ctx_length) &&
5533
        (memcmp(sc->sid_ctx, ssl->ctx->sid_ctx, sc->sid_ctx_length) == 0)) {
5534
        sc->sid_ctx_length = ctx->sid_ctx_length;
5535
        memcpy(&sc->sid_ctx, &ctx->sid_ctx, sizeof(sc->sid_ctx));
5536
    }
5537

5538
    ssl_cert_free(sc->cert);
5539
    sc->cert = new_cert;
5540
    SSL_CTX_free(ssl->ctx);     /* decrement reference count */
5541
    ssl->ctx = ctx;
5542

5543
    return ssl->ctx;
5544

5545
err:
5546
    ssl_cert_free(new_cert);
5547
    return NULL;
5548
}
5549

5550
int SSL_CTX_set_default_verify_paths(SSL_CTX *ctx)
5551
{
5552
    return X509_STORE_set_default_paths_ex(ctx->cert_store, ctx->libctx,
5553
                                           ctx->propq);
5554
}
5555

5556
int SSL_CTX_set_default_verify_dir(SSL_CTX *ctx)
5557
{
5558
    X509_LOOKUP *lookup;
5559

5560
    lookup = X509_STORE_add_lookup(ctx->cert_store, X509_LOOKUP_hash_dir());
5561
    if (lookup == NULL)
5562
        return 0;
5563

5564
    /* We ignore errors, in case the directory doesn't exist */
5565
    ERR_set_mark();
5566

5567
    X509_LOOKUP_add_dir(lookup, NULL, X509_FILETYPE_DEFAULT);
5568

5569
    ERR_pop_to_mark();
5570

5571
    return 1;
5572
}
5573

5574
int SSL_CTX_set_default_verify_file(SSL_CTX *ctx)
5575
{
5576
    X509_LOOKUP *lookup;
5577

5578
    lookup = X509_STORE_add_lookup(ctx->cert_store, X509_LOOKUP_file());
5579
    if (lookup == NULL)
5580
        return 0;
5581

5582
    /* We ignore errors, in case the file doesn't exist */
5583
    ERR_set_mark();
5584

5585
    X509_LOOKUP_load_file_ex(lookup, NULL, X509_FILETYPE_DEFAULT, ctx->libctx,
5586
                             ctx->propq);
5587

5588
    ERR_pop_to_mark();
5589

5590
    return 1;
5591
}
5592

5593
int SSL_CTX_set_default_verify_store(SSL_CTX *ctx)
5594
{
5595
    X509_LOOKUP *lookup;
5596

5597
    lookup = X509_STORE_add_lookup(ctx->cert_store, X509_LOOKUP_store());
5598
    if (lookup == NULL)
5599
        return 0;
5600

5601
    /* We ignore errors, in case the directory doesn't exist */
5602
    ERR_set_mark();
5603

5604
    X509_LOOKUP_add_store_ex(lookup, NULL, ctx->libctx, ctx->propq);
5605

5606
    ERR_pop_to_mark();
5607

5608
    return 1;
5609
}
5610

5611
int SSL_CTX_load_verify_file(SSL_CTX *ctx, const char *CAfile)
5612
{
5613
    return X509_STORE_load_file_ex(ctx->cert_store, CAfile, ctx->libctx,
5614
                                   ctx->propq);
5615
}
5616

5617
int SSL_CTX_load_verify_dir(SSL_CTX *ctx, const char *CApath)
5618
{
5619
    return X509_STORE_load_path(ctx->cert_store, CApath);
5620
}
5621

5622
int SSL_CTX_load_verify_store(SSL_CTX *ctx, const char *CAstore)
5623
{
5624
    return X509_STORE_load_store_ex(ctx->cert_store, CAstore, ctx->libctx,
5625
                                    ctx->propq);
5626
}
5627

5628
int SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile,
5629
                                  const char *CApath)
5630
{
5631
    if (CAfile == NULL && CApath == NULL)
5632
        return 0;
5633
    if (CAfile != NULL && !SSL_CTX_load_verify_file(ctx, CAfile))
5634
        return 0;
5635
    if (CApath != NULL && !SSL_CTX_load_verify_dir(ctx, CApath))
5636
        return 0;
5637
    return 1;
5638
}
5639

5640
void SSL_set_info_callback(SSL *ssl,
5641
                           void (*cb) (const SSL *ssl, int type, int val))
5642
{
5643
    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(ssl);
5644

5645
    if (sc == NULL)
5646
        return;
5647

5648
    sc->info_callback = cb;
5649
}
5650

5651
/*
5652
 * One compiler (Diab DCC) doesn't like argument names in returned function
5653
 * pointer.
5654
 */
5655
void (*SSL_get_info_callback(const SSL *ssl)) (const SSL * /* ssl */ ,
5656
                                               int /* type */ ,
5657
                                               int /* val */ ) {
5658
    const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(ssl);
5659

5660
    if (sc == NULL)
5661
        return NULL;
5662

5663
    return sc->info_callback;
5664
}
5665

5666
void SSL_set_verify_result(SSL *ssl, long arg)
5667
{
5668
    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(ssl);
5669

5670
    if (sc == NULL)
5671
        return;
5672

5673
    sc->verify_result = arg;
5674
}
5675

5676
long SSL_get_verify_result(const SSL *ssl)
5677
{
5678
    const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(ssl);
5679

5680
    if (sc == NULL)
5681
        return 0;
5682

5683
    return sc->verify_result;
5684
}
5685

5686
size_t SSL_get_client_random(const SSL *ssl, unsigned char *out, size_t outlen)
5687
{
5688
    const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(ssl);
5689

5690
    if (sc == NULL)
5691
        return 0;
5692

5693
    if (outlen == 0)
5694
        return sizeof(sc->s3.client_random);
5695
    if (outlen > sizeof(sc->s3.client_random))
5696
        outlen = sizeof(sc->s3.client_random);
5697
    memcpy(out, sc->s3.client_random, outlen);
5698
    return outlen;
5699
}
5700

5701
size_t SSL_get_server_random(const SSL *ssl, unsigned char *out, size_t outlen)
5702
{
5703
    const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(ssl);
5704

5705
    if (sc == NULL)
5706
        return 0;
5707

5708
    if (outlen == 0)
5709
        return sizeof(sc->s3.server_random);
5710
    if (outlen > sizeof(sc->s3.server_random))
5711
        outlen = sizeof(sc->s3.server_random);
5712
    memcpy(out, sc->s3.server_random, outlen);
5713
    return outlen;
5714
}
5715

5716
size_t SSL_SESSION_get_master_key(const SSL_SESSION *session,
5717
                                  unsigned char *out, size_t outlen)
5718
{
5719
    if (outlen == 0)
5720
        return session->master_key_length;
5721
    if (outlen > session->master_key_length)
5722
        outlen = session->master_key_length;
5723
    memcpy(out, session->master_key, outlen);
5724
    return outlen;
5725
}
5726

5727
int SSL_SESSION_set1_master_key(SSL_SESSION *sess, const unsigned char *in,
5728
                                size_t len)
5729
{
5730
    if (len > sizeof(sess->master_key))
5731
        return 0;
5732

5733
    memcpy(sess->master_key, in, len);
5734
    sess->master_key_length = len;
5735
    return 1;
5736
}
5737

5738

5739
int SSL_set_ex_data(SSL *s, int idx, void *arg)
5740
{
5741
    return CRYPTO_set_ex_data(&s->ex_data, idx, arg);
5742
}
5743

5744
void *SSL_get_ex_data(const SSL *s, int idx)
5745
{
5746
    return CRYPTO_get_ex_data(&s->ex_data, idx);
5747
}
5748

5749
int SSL_CTX_set_ex_data(SSL_CTX *s, int idx, void *arg)
5750
{
5751
    return CRYPTO_set_ex_data(&s->ex_data, idx, arg);
5752
}
5753

5754
void *SSL_CTX_get_ex_data(const SSL_CTX *s, int idx)
5755
{
5756
    return CRYPTO_get_ex_data(&s->ex_data, idx);
5757
}
5758

5759
X509_STORE *SSL_CTX_get_cert_store(const SSL_CTX *ctx)
5760
{
5761
    return ctx->cert_store;
5762
}
5763

5764
void SSL_CTX_set_cert_store(SSL_CTX *ctx, X509_STORE *store)
5765
{
5766
    X509_STORE_free(ctx->cert_store);
5767
    ctx->cert_store = store;
5768
}
5769

5770
void SSL_CTX_set1_cert_store(SSL_CTX *ctx, X509_STORE *store)
5771
{
5772
    if (store != NULL && !X509_STORE_up_ref(store))
5773
        return;
5774

5775
    SSL_CTX_set_cert_store(ctx, store);
5776
}
5777

5778
int SSL_want(const SSL *s)
5779
{
5780
    const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
5781

5782
#ifndef OPENSSL_NO_QUIC
5783
    if (IS_QUIC(s))
5784
        return ossl_quic_want(s);
5785
#endif
5786

5787
    if (sc == NULL)
5788
        return SSL_NOTHING;
5789

5790
    return sc->rwstate;
5791
}
5792

5793
#ifndef OPENSSL_NO_PSK
5794
int SSL_CTX_use_psk_identity_hint(SSL_CTX *ctx, const char *identity_hint)
5795
{
5796
    if (identity_hint != NULL && strlen(identity_hint) > PSK_MAX_IDENTITY_LEN) {
5797
        ERR_raise(ERR_LIB_SSL, SSL_R_DATA_LENGTH_TOO_LONG);
5798
        return 0;
5799
    }
5800
    OPENSSL_free(ctx->cert->psk_identity_hint);
5801
    if (identity_hint != NULL) {
5802
        ctx->cert->psk_identity_hint = OPENSSL_strdup(identity_hint);
5803
        if (ctx->cert->psk_identity_hint == NULL)
5804
            return 0;
5805
    } else
5806
        ctx->cert->psk_identity_hint = NULL;
5807
    return 1;
5808
}
5809

5810
int SSL_use_psk_identity_hint(SSL *s, const char *identity_hint)
5811
{
5812
    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
5813

5814
    if (sc == NULL)
5815
        return 0;
5816

5817
    if (identity_hint != NULL && strlen(identity_hint) > PSK_MAX_IDENTITY_LEN) {
5818
        ERR_raise(ERR_LIB_SSL, SSL_R_DATA_LENGTH_TOO_LONG);
5819
        return 0;
5820
    }
5821
    OPENSSL_free(sc->cert->psk_identity_hint);
5822
    if (identity_hint != NULL) {
5823
        sc->cert->psk_identity_hint = OPENSSL_strdup(identity_hint);
5824
        if (sc->cert->psk_identity_hint == NULL)
5825
            return 0;
5826
    } else
5827
        sc->cert->psk_identity_hint = NULL;
5828
    return 1;
5829
}
5830

5831
const char *SSL_get_psk_identity_hint(const SSL *s)
5832
{
5833
    const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
5834

5835
    if (sc == NULL || sc->session == NULL)
5836
        return NULL;
5837

5838
    return sc->session->psk_identity_hint;
5839
}
5840

5841
const char *SSL_get_psk_identity(const SSL *s)
5842
{
5843
    const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
5844

5845
    if (sc == NULL || sc->session == NULL)
5846
        return NULL;
5847

5848
    return sc->session->psk_identity;
5849
}
5850

5851
void SSL_set_psk_client_callback(SSL *s, SSL_psk_client_cb_func cb)
5852
{
5853
    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
5854

5855
    if (sc == NULL)
5856
        return;
5857

5858
    sc->psk_client_callback = cb;
5859
}
5860

5861
void SSL_CTX_set_psk_client_callback(SSL_CTX *ctx, SSL_psk_client_cb_func cb)
5862
{
5863
    ctx->psk_client_callback = cb;
5864
}
5865

5866
void SSL_set_psk_server_callback(SSL *s, SSL_psk_server_cb_func cb)
5867
{
5868
    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
5869

5870
    if (sc == NULL)
5871
        return;
5872

5873
    sc->psk_server_callback = cb;
5874
}
5875

5876
void SSL_CTX_set_psk_server_callback(SSL_CTX *ctx, SSL_psk_server_cb_func cb)
5877
{
5878
    ctx->psk_server_callback = cb;
5879
}
5880
#endif
5881

5882
void SSL_set_psk_find_session_callback(SSL *s, SSL_psk_find_session_cb_func cb)
5883
{
5884
    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
5885

5886
    if (sc == NULL)
5887
        return;
5888

5889
    sc->psk_find_session_cb = cb;
5890
}
5891

5892
void SSL_CTX_set_psk_find_session_callback(SSL_CTX *ctx,
5893
                                           SSL_psk_find_session_cb_func cb)
5894
{
5895
    ctx->psk_find_session_cb = cb;
5896
}
5897

5898
void SSL_set_psk_use_session_callback(SSL *s, SSL_psk_use_session_cb_func cb)
5899
{
5900
    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
5901

5902
    if (sc == NULL)
5903
        return;
5904

5905
    sc->psk_use_session_cb = cb;
5906
}
5907

5908
void SSL_CTX_set_psk_use_session_callback(SSL_CTX *ctx,
5909
                                           SSL_psk_use_session_cb_func cb)
5910
{
5911
    ctx->psk_use_session_cb = cb;
5912
}
5913

5914
void SSL_CTX_set_msg_callback(SSL_CTX *ctx,
5915
                              void (*cb) (int write_p, int version,
5916
                                          int content_type, const void *buf,
5917
                                          size_t len, SSL *ssl, void *arg))
5918
{
5919
    SSL_CTX_callback_ctrl(ctx, SSL_CTRL_SET_MSG_CALLBACK, (void (*)(void))cb);
5920
}
5921

5922
void SSL_set_msg_callback(SSL *ssl,
5923
                          void (*cb) (int write_p, int version,
5924
                                      int content_type, const void *buf,
5925
                                      size_t len, SSL *ssl, void *arg))
5926
{
5927
    SSL_callback_ctrl(ssl, SSL_CTRL_SET_MSG_CALLBACK, (void (*)(void))cb);
5928
}
5929

5930
void SSL_CTX_set_not_resumable_session_callback(SSL_CTX *ctx,
5931
                                                int (*cb) (SSL *ssl,
5932
                                                           int
5933
                                                           is_forward_secure))
5934
{
5935
    SSL_CTX_callback_ctrl(ctx, SSL_CTRL_SET_NOT_RESUMABLE_SESS_CB,
5936
                          (void (*)(void))cb);
5937
}
5938

5939
void SSL_set_not_resumable_session_callback(SSL *ssl,
5940
                                            int (*cb) (SSL *ssl,
5941
                                                       int is_forward_secure))
5942
{
5943
    SSL_callback_ctrl(ssl, SSL_CTRL_SET_NOT_RESUMABLE_SESS_CB,
5944
                      (void (*)(void))cb);
5945
}
5946

5947
void SSL_CTX_set_record_padding_callback(SSL_CTX *ctx,
5948
                                         size_t (*cb) (SSL *ssl, int type,
5949
                                                       size_t len, void *arg))
5950
{
5951
    ctx->record_padding_cb = cb;
5952
}
5953

5954
void SSL_CTX_set_record_padding_callback_arg(SSL_CTX *ctx, void *arg)
5955
{
5956
    ctx->record_padding_arg = arg;
5957
}
5958

5959
void *SSL_CTX_get_record_padding_callback_arg(const SSL_CTX *ctx)
5960
{
5961
    return ctx->record_padding_arg;
5962
}
5963

5964
int SSL_CTX_set_block_padding_ex(SSL_CTX *ctx, size_t app_block_size,
5965
                                 size_t hs_block_size)
5966
{
5967
    if (IS_QUIC_CTX(ctx) && (app_block_size > 1 || hs_block_size > 1))
5968
        return 0;
5969

5970
    /* block size of 0 or 1 is basically no padding */
5971
    if (app_block_size == 1) {
5972
        ctx->block_padding = 0;
5973
    } else if (app_block_size <= SSL3_RT_MAX_PLAIN_LENGTH) {
5974
        ctx->block_padding = app_block_size;
5975
    } else {
5976
        return 0;
5977
    }
5978
    if (hs_block_size == 1) {
5979
        ctx->hs_padding = 0;
5980
    } else if (hs_block_size <= SSL3_RT_MAX_PLAIN_LENGTH) {
5981
        ctx->hs_padding = hs_block_size;
5982
    } else {
5983
        return 0;
5984
    }
5985
    return 1;
5986
}
5987

5988
int SSL_CTX_set_block_padding(SSL_CTX *ctx, size_t block_size)
5989
{
5990
    return SSL_CTX_set_block_padding_ex(ctx, block_size, block_size);
5991
}
5992

5993
int SSL_set_record_padding_callback(SSL *ssl,
5994
                                     size_t (*cb) (SSL *ssl, int type,
5995
                                                   size_t len, void *arg))
5996
{
5997
    BIO *b;
5998
    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL_ONLY(ssl);
5999

6000
    if (sc == NULL)
6001
        return 0;
6002

6003
    b = SSL_get_wbio(ssl);
6004
    if (b == NULL || !BIO_get_ktls_send(b)) {
6005
        sc->rlayer.record_padding_cb = cb;
6006
        return 1;
6007
    }
6008
    return 0;
6009
}
6010

6011
void SSL_set_record_padding_callback_arg(SSL *ssl, void *arg)
6012
{
6013
    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(ssl);
6014

6015
    if (sc == NULL)
6016
        return;
6017

6018
    sc->rlayer.record_padding_arg = arg;
6019
}
6020

6021
void *SSL_get_record_padding_callback_arg(const SSL *ssl)
6022
{
6023
    const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(ssl);
6024

6025
    if (sc == NULL)
6026
        return NULL;
6027

6028
    return sc->rlayer.record_padding_arg;
6029
}
6030

6031
int SSL_set_block_padding_ex(SSL *ssl, size_t app_block_size,
6032
                             size_t hs_block_size)
6033
{
6034
    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(ssl);
6035

6036
    if (sc == NULL
6037
        || (IS_QUIC(ssl)
6038
            && (app_block_size > 1 || hs_block_size > 1)))
6039
        return 0;
6040

6041
    /* block size of 0 or 1 is basically no padding */
6042
    if (app_block_size == 1) {
6043
        sc->rlayer.block_padding = 0;
6044
    } else if (app_block_size <= SSL3_RT_MAX_PLAIN_LENGTH) {
6045
        sc->rlayer.block_padding = app_block_size;
6046
    } else {
6047
        return 0;
6048
    }
6049
    if (hs_block_size == 1) {
6050
        sc->rlayer.hs_padding = 0;
6051
    } else if (hs_block_size <= SSL3_RT_MAX_PLAIN_LENGTH) {
6052
        sc->rlayer.hs_padding = hs_block_size;
6053
    } else {
6054
        return 0;
6055
    }
6056
    return 1;
6057
}
6058

6059
int SSL_set_block_padding(SSL *ssl, size_t block_size)
6060
{
6061
    return SSL_set_block_padding_ex(ssl, block_size, block_size);
6062
}
6063

6064
int SSL_set_num_tickets(SSL *s, size_t num_tickets)
6065
{
6066
    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
6067

6068
    if (sc == NULL)
6069
        return 0;
6070

6071
    sc->num_tickets = num_tickets;
6072

6073
    return 1;
6074
}
6075

6076
size_t SSL_get_num_tickets(const SSL *s)
6077
{
6078
    const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
6079

6080
    if (sc == NULL)
6081
        return 0;
6082

6083
    return sc->num_tickets;
6084
}
6085

6086
int SSL_CTX_set_num_tickets(SSL_CTX *ctx, size_t num_tickets)
6087
{
6088
    ctx->num_tickets = num_tickets;
6089

6090
    return 1;
6091
}
6092

6093
size_t SSL_CTX_get_num_tickets(const SSL_CTX *ctx)
6094
{
6095
    return ctx->num_tickets;
6096
}
6097

6098
/* Retrieve handshake hashes */
6099
int ssl_handshake_hash(SSL_CONNECTION *s,
6100
                       unsigned char *out, size_t outlen,
6101
                       size_t *hashlen)
6102
{
6103
    EVP_MD_CTX *ctx = NULL;
6104
    EVP_MD_CTX *hdgst = s->s3.handshake_dgst;
6105
    int hashleni = EVP_MD_CTX_get_size(hdgst);
6106
    int ret = 0;
6107

6108
    if (hashleni < 0 || (size_t)hashleni > outlen) {
6109
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
6110
        goto err;
6111
    }
6112

6113
    ctx = EVP_MD_CTX_new();
6114
    if (ctx == NULL) {
6115
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
6116
        goto err;
6117
    }
6118

6119
    if (!EVP_MD_CTX_copy_ex(ctx, hdgst)
6120
        || EVP_DigestFinal_ex(ctx, out, NULL) <= 0) {
6121
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
6122
        goto err;
6123
    }
6124

6125
    *hashlen = hashleni;
6126

6127
    ret = 1;
6128
 err:
6129
    EVP_MD_CTX_free(ctx);
6130
    return ret;
6131
}
6132

6133
int SSL_session_reused(const SSL *s)
6134
{
6135
    const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
6136

6137
    if (sc == NULL)
6138
        return 0;
6139

6140
    return sc->hit;
6141
}
6142

6143
int SSL_is_server(const SSL *s)
6144
{
6145
    const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
6146

6147
    if (sc == NULL)
6148
        return 0;
6149

6150
    return sc->server;
6151
}
6152

6153
#ifndef OPENSSL_NO_DEPRECATED_1_1_0
6154
void SSL_set_debug(SSL *s, int debug)
6155
{
6156
    /* Old function was do-nothing anyway... */
6157
    (void)s;
6158
    (void)debug;
6159
}
6160
#endif
6161

6162
void SSL_set_security_level(SSL *s, int level)
6163
{
6164
    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
6165

6166
    if (sc == NULL)
6167
        return;
6168

6169
    sc->cert->sec_level = level;
6170
}
6171

6172
int SSL_get_security_level(const SSL *s)
6173
{
6174
    const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
6175

6176
    if (sc == NULL)
6177
        return 0;
6178

6179
    return sc->cert->sec_level;
6180
}
6181

6182
void SSL_set_security_callback(SSL *s,
6183
                               int (*cb) (const SSL *s, const SSL_CTX *ctx,
6184
                                          int op, int bits, int nid,
6185
                                          void *other, void *ex))
6186
{
6187
    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
6188

6189
    if (sc == NULL)
6190
        return;
6191

6192
    sc->cert->sec_cb = cb;
6193
}
6194

6195
int (*SSL_get_security_callback(const SSL *s)) (const SSL *s,
6196
                                                const SSL_CTX *ctx, int op,
6197
                                                int bits, int nid, void *other,
6198
                                                void *ex) {
6199
    const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
6200

6201
    if (sc == NULL)
6202
        return NULL;
6203

6204
    return sc->cert->sec_cb;
6205
}
6206

6207
void SSL_set0_security_ex_data(SSL *s, void *ex)
6208
{
6209
    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
6210

6211
    if (sc == NULL)
6212
        return;
6213

6214
    sc->cert->sec_ex = ex;
6215
}
6216

6217
void *SSL_get0_security_ex_data(const SSL *s)
6218
{
6219
    const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
6220

6221
    if (sc == NULL)
6222
        return NULL;
6223

6224
    return sc->cert->sec_ex;
6225
}
6226

6227
void SSL_CTX_set_security_level(SSL_CTX *ctx, int level)
6228
{
6229
    ctx->cert->sec_level = level;
6230
}
6231

6232
int SSL_CTX_get_security_level(const SSL_CTX *ctx)
6233
{
6234
    return ctx->cert->sec_level;
6235
}
6236

6237
void SSL_CTX_set_security_callback(SSL_CTX *ctx,
6238
                                   int (*cb) (const SSL *s, const SSL_CTX *ctx,
6239
                                              int op, int bits, int nid,
6240
                                              void *other, void *ex))
6241
{
6242
    ctx->cert->sec_cb = cb;
6243
}
6244

6245
int (*SSL_CTX_get_security_callback(const SSL_CTX *ctx)) (const SSL *s,
6246
                                                          const SSL_CTX *ctx,
6247
                                                          int op, int bits,
6248
                                                          int nid,
6249
                                                          void *other,
6250
                                                          void *ex) {
6251
    return ctx->cert->sec_cb;
6252
}
6253

6254
void SSL_CTX_set0_security_ex_data(SSL_CTX *ctx, void *ex)
6255
{
6256
    ctx->cert->sec_ex = ex;
6257
}
6258

6259
void *SSL_CTX_get0_security_ex_data(const SSL_CTX *ctx)
6260
{
6261
    return ctx->cert->sec_ex;
6262
}
6263

6264
uint64_t SSL_CTX_get_options(const SSL_CTX *ctx)
6265
{
6266
    return ctx->options;
6267
}
6268

6269
uint64_t SSL_get_options(const SSL *s)
6270
{
6271
    const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
6272

6273
#ifndef OPENSSL_NO_QUIC
6274
    if (IS_QUIC(s))
6275
        return ossl_quic_get_options(s);
6276
#endif
6277

6278
    if (sc == NULL)
6279
        return 0;
6280

6281
    return sc->options;
6282
}
6283

6284
uint64_t SSL_CTX_set_options(SSL_CTX *ctx, uint64_t op)
6285
{
6286
    return ctx->options |= op;
6287
}
6288

6289
uint64_t SSL_set_options(SSL *s, uint64_t op)
6290
{
6291
    SSL_CONNECTION *sc;
6292
    OSSL_PARAM options[2], *opts = options;
6293

6294
#ifndef OPENSSL_NO_QUIC
6295
    if (IS_QUIC(s))
6296
        return ossl_quic_set_options(s, op);
6297
#endif
6298

6299
    sc = SSL_CONNECTION_FROM_SSL(s);
6300
    if (sc == NULL)
6301
        return 0;
6302

6303
    sc->options |= op;
6304

6305
    *opts++ = OSSL_PARAM_construct_uint64(OSSL_LIBSSL_RECORD_LAYER_PARAM_OPTIONS,
6306
                                          &sc->options);
6307
    *opts = OSSL_PARAM_construct_end();
6308

6309
    /* Ignore return value */
6310
    sc->rlayer.rrlmethod->set_options(sc->rlayer.rrl, options);
6311
    sc->rlayer.wrlmethod->set_options(sc->rlayer.wrl, options);
6312

6313
    return sc->options;
6314
}
6315

6316
uint64_t SSL_CTX_clear_options(SSL_CTX *ctx, uint64_t op)
6317
{
6318
    return ctx->options &= ~op;
6319
}
6320

6321
uint64_t SSL_clear_options(SSL *s, uint64_t op)
6322
{
6323
    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
6324
    OSSL_PARAM options[2], *opts = options;
6325

6326
#ifndef OPENSSL_NO_QUIC
6327
    if (IS_QUIC(s))
6328
        return ossl_quic_clear_options(s, op);
6329
#endif
6330

6331
    if (sc == NULL)
6332
        return 0;
6333

6334
    sc->options &= ~op;
6335

6336
    *opts++ = OSSL_PARAM_construct_uint64(OSSL_LIBSSL_RECORD_LAYER_PARAM_OPTIONS,
6337
                                          &sc->options);
6338
    *opts = OSSL_PARAM_construct_end();
6339

6340
    /* Ignore return value */
6341
    sc->rlayer.rrlmethod->set_options(sc->rlayer.rrl, options);
6342
    sc->rlayer.wrlmethod->set_options(sc->rlayer.wrl, options);
6343

6344
    return sc->options;
6345
}
6346

6347
STACK_OF(X509) *SSL_get0_verified_chain(const SSL *s)
6348
{
6349
    const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
6350

6351
    if (sc == NULL)
6352
        return NULL;
6353

6354
    return sc->verified_chain;
6355
}
6356

6357
IMPLEMENT_OBJ_BSEARCH_GLOBAL_CMP_FN(SSL_CIPHER, SSL_CIPHER, ssl_cipher_id);
6358

6359
#ifndef OPENSSL_NO_CT
6360

6361
/*
6362
 * Moves SCTs from the |src| stack to the |dst| stack.
6363
 * The source of each SCT will be set to |origin|.
6364
 * If |dst| points to a NULL pointer, a new stack will be created and owned by
6365
 * the caller.
6366
 * Returns the number of SCTs moved, or a negative integer if an error occurs.
6367
 * The |dst| stack is created and possibly partially populated even in case
6368
 * of error, likewise the |src| stack may be left in an intermediate state.
6369
 */
6370
static int ct_move_scts(STACK_OF(SCT) **dst, STACK_OF(SCT) *src,
6371
                        sct_source_t origin)
6372
{
6373
    int scts_moved = 0;
6374
    SCT *sct = NULL;
6375

6376
    if (*dst == NULL) {
6377
        *dst = sk_SCT_new_null();
6378
        if (*dst == NULL) {
6379
            ERR_raise(ERR_LIB_SSL, ERR_R_CRYPTO_LIB);
6380
            goto err;
6381
        }
6382
    }
6383

6384
    while ((sct = sk_SCT_pop(src)) != NULL) {
6385
        if (SCT_set_source(sct, origin) != 1)
6386
            goto err;
6387

6388
        if (!sk_SCT_push(*dst, sct))
6389
            goto err;
6390
        scts_moved += 1;
6391
    }
6392

6393
    return scts_moved;
6394
 err:
6395
    SCT_free(sct);
6396
    return -1;
6397
}
6398

6399
/*
6400
 * Look for data collected during ServerHello and parse if found.
6401
 * Returns the number of SCTs extracted.
6402
 */
6403
static int ct_extract_tls_extension_scts(SSL_CONNECTION *s)
6404
{
6405
    int scts_extracted = 0;
6406

6407
    if (s->ext.scts != NULL) {
6408
        const unsigned char *p = s->ext.scts;
6409
        STACK_OF(SCT) *scts = o2i_SCT_LIST(NULL, &p, s->ext.scts_len);
6410

6411
        scts_extracted = ct_move_scts(&s->scts, scts, SCT_SOURCE_TLS_EXTENSION);
6412

6413
        SCT_LIST_free(scts);
6414
    }
6415

6416
    return scts_extracted;
6417
}
6418

6419
/*
6420
 * Checks for an OCSP response and then attempts to extract any SCTs found if it
6421
 * contains an SCT X509 extension. They will be stored in |s->scts|.
6422
 * Returns:
6423
 * - The number of SCTs extracted, assuming an OCSP response exists.
6424
 * - 0 if no OCSP response exists or it contains no SCTs.
6425
 * - A negative integer if an error occurs.
6426
 */
6427
static int ct_extract_ocsp_response_scts(SSL_CONNECTION *s)
6428
{
6429
# ifndef OPENSSL_NO_OCSP
6430
    int scts_extracted = 0;
6431
    const unsigned char *p;
6432
    OCSP_BASICRESP *br = NULL;
6433
    OCSP_RESPONSE *rsp = NULL;
6434
    STACK_OF(SCT) *scts = NULL;
6435
    int i;
6436

6437
    if (s->ext.ocsp.resp == NULL || s->ext.ocsp.resp_len == 0)
6438
        goto err;
6439

6440
    p = s->ext.ocsp.resp;
6441
    rsp = d2i_OCSP_RESPONSE(NULL, &p, (int)s->ext.ocsp.resp_len);
6442
    if (rsp == NULL)
6443
        goto err;
6444

6445
    br = OCSP_response_get1_basic(rsp);
6446
    if (br == NULL)
6447
        goto err;
6448

6449
    for (i = 0; i < OCSP_resp_count(br); ++i) {
6450
        OCSP_SINGLERESP *single = OCSP_resp_get0(br, i);
6451

6452
        if (single == NULL)
6453
            continue;
6454

6455
        scts =
6456
            OCSP_SINGLERESP_get1_ext_d2i(single, NID_ct_cert_scts, NULL, NULL);
6457
        scts_extracted =
6458
            ct_move_scts(&s->scts, scts, SCT_SOURCE_OCSP_STAPLED_RESPONSE);
6459
        if (scts_extracted < 0)
6460
            goto err;
6461
    }
6462
 err:
6463
    SCT_LIST_free(scts);
6464
    OCSP_BASICRESP_free(br);
6465
    OCSP_RESPONSE_free(rsp);
6466
    return scts_extracted;
6467
# else
6468
    /* Behave as if no OCSP response exists */
6469
    return 0;
6470
# endif
6471
}
6472

6473
/*
6474
 * Attempts to extract SCTs from the peer certificate.
6475
 * Return the number of SCTs extracted, or a negative integer if an error
6476
 * occurs.
6477
 */
6478
static int ct_extract_x509v3_extension_scts(SSL_CONNECTION *s)
6479
{
6480
    int scts_extracted = 0;
6481
    X509 *cert = s->session != NULL ? s->session->peer : NULL;
6482

6483
    if (cert != NULL) {
6484
        STACK_OF(SCT) *scts =
6485
            X509_get_ext_d2i(cert, NID_ct_precert_scts, NULL, NULL);
6486

6487
        scts_extracted =
6488
            ct_move_scts(&s->scts, scts, SCT_SOURCE_X509V3_EXTENSION);
6489

6490
        SCT_LIST_free(scts);
6491
    }
6492

6493
    return scts_extracted;
6494
}
6495

6496
/*
6497
 * Attempts to find all received SCTs by checking TLS extensions, the OCSP
6498
 * response (if it exists) and X509v3 extensions in the certificate.
6499
 * Returns NULL if an error occurs.
6500
 */
6501
const STACK_OF(SCT) *SSL_get0_peer_scts(SSL *s)
6502
{
6503
    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
6504

6505
    if (sc == NULL)
6506
        return NULL;
6507

6508
    if (!sc->scts_parsed) {
6509
        if (ct_extract_tls_extension_scts(sc) < 0 ||
6510
            ct_extract_ocsp_response_scts(sc) < 0 ||
6511
            ct_extract_x509v3_extension_scts(sc) < 0)
6512
            goto err;
6513

6514
        sc->scts_parsed = 1;
6515
    }
6516
    return sc->scts;
6517
 err:
6518
    return NULL;
6519
}
6520

6521
static int ct_permissive(const CT_POLICY_EVAL_CTX *ctx,
6522
                         const STACK_OF(SCT) *scts, void *unused_arg)
6523
{
6524
    return 1;
6525
}
6526

6527
static int ct_strict(const CT_POLICY_EVAL_CTX *ctx,
6528
                     const STACK_OF(SCT) *scts, void *unused_arg)
6529
{
6530
    int count = scts != NULL ? sk_SCT_num(scts) : 0;
6531
    int i;
6532

6533
    for (i = 0; i < count; ++i) {
6534
        SCT *sct = sk_SCT_value(scts, i);
6535
        int status = SCT_get_validation_status(sct);
6536

6537
        if (status == SCT_VALIDATION_STATUS_VALID)
6538
            return 1;
6539
    }
6540
    ERR_raise(ERR_LIB_SSL, SSL_R_NO_VALID_SCTS);
6541
    return 0;
6542
}
6543

6544
int SSL_set_ct_validation_callback(SSL *s, ssl_ct_validation_cb callback,
6545
                                   void *arg)
6546
{
6547
    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
6548

6549
    if (sc == NULL)
6550
        return 0;
6551

6552
    /*
6553
     * Since code exists that uses the custom extension handler for CT, look
6554
     * for this and throw an error if they have already registered to use CT.
6555
     */
6556
    if (callback != NULL && SSL_CTX_has_client_custom_ext(s->ctx,
6557
                                                          TLSEXT_TYPE_signed_certificate_timestamp))
6558
    {
6559
        ERR_raise(ERR_LIB_SSL, SSL_R_CUSTOM_EXT_HANDLER_ALREADY_INSTALLED);
6560
        return 0;
6561
    }
6562

6563
    if (callback != NULL) {
6564
        /*
6565
         * If we are validating CT, then we MUST accept SCTs served via OCSP
6566
         */
6567
        if (!SSL_set_tlsext_status_type(s, TLSEXT_STATUSTYPE_ocsp))
6568
            return 0;
6569
    }
6570

6571
    sc->ct_validation_callback = callback;
6572
    sc->ct_validation_callback_arg = arg;
6573

6574
    return 1;
6575
}
6576

6577
int SSL_CTX_set_ct_validation_callback(SSL_CTX *ctx,
6578
                                       ssl_ct_validation_cb callback, void *arg)
6579
{
6580
    /*
6581
     * Since code exists that uses the custom extension handler for CT, look for
6582
     * this and throw an error if they have already registered to use CT.
6583
     */
6584
    if (callback != NULL && SSL_CTX_has_client_custom_ext(ctx,
6585
                                                          TLSEXT_TYPE_signed_certificate_timestamp))
6586
    {
6587
        ERR_raise(ERR_LIB_SSL, SSL_R_CUSTOM_EXT_HANDLER_ALREADY_INSTALLED);
6588
        return 0;
6589
    }
6590

6591
    ctx->ct_validation_callback = callback;
6592
    ctx->ct_validation_callback_arg = arg;
6593
    return 1;
6594
}
6595

6596
int SSL_ct_is_enabled(const SSL *s)
6597
{
6598
    const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
6599

6600
    if (sc == NULL)
6601
        return 0;
6602

6603
    return sc->ct_validation_callback != NULL;
6604
}
6605

6606
int SSL_CTX_ct_is_enabled(const SSL_CTX *ctx)
6607
{
6608
    return ctx->ct_validation_callback != NULL;
6609
}
6610

6611
int ssl_validate_ct(SSL_CONNECTION *s)
6612
{
6613
    int ret = 0;
6614
    X509 *cert = s->session != NULL ? s->session->peer : NULL;
6615
    X509 *issuer;
6616
    SSL_DANE *dane = &s->dane;
6617
    CT_POLICY_EVAL_CTX *ctx = NULL;
6618
    const STACK_OF(SCT) *scts;
6619

6620
    /*
6621
     * If no callback is set, the peer is anonymous, or its chain is invalid,
6622
     * skip SCT validation - just return success.  Applications that continue
6623
     * handshakes without certificates, with unverified chains, or pinned leaf
6624
     * certificates are outside the scope of the WebPKI and CT.
6625
     *
6626
     * The above exclusions notwithstanding the vast majority of peers will
6627
     * have rather ordinary certificate chains validated by typical
6628
     * applications that perform certificate verification and therefore will
6629
     * process SCTs when enabled.
6630
     */
6631
    if (s->ct_validation_callback == NULL || cert == NULL ||
6632
        s->verify_result != X509_V_OK ||
6633
        s->verified_chain == NULL || sk_X509_num(s->verified_chain) <= 1)
6634
        return 1;
6635

6636
    /*
6637
     * CT not applicable for chains validated via DANE-TA(2) or DANE-EE(3)
6638
     * trust-anchors.  See https://tools.ietf.org/html/rfc7671#section-4.2
6639
     */
6640
    if (DANETLS_ENABLED(dane) && dane->mtlsa != NULL) {
6641
        switch (dane->mtlsa->usage) {
6642
        case DANETLS_USAGE_DANE_TA:
6643
        case DANETLS_USAGE_DANE_EE:
6644
            return 1;
6645
        }
6646
    }
6647

6648
    ctx = CT_POLICY_EVAL_CTX_new_ex(SSL_CONNECTION_GET_CTX(s)->libctx,
6649
                                    SSL_CONNECTION_GET_CTX(s)->propq);
6650
    if (ctx == NULL) {
6651
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_CT_LIB);
6652
        goto end;
6653
    }
6654

6655
    issuer = sk_X509_value(s->verified_chain, 1);
6656
    CT_POLICY_EVAL_CTX_set1_cert(ctx, cert);
6657
    CT_POLICY_EVAL_CTX_set1_issuer(ctx, issuer);
6658
    CT_POLICY_EVAL_CTX_set_shared_CTLOG_STORE(ctx,
6659
            SSL_CONNECTION_GET_CTX(s)->ctlog_store);
6660
    CT_POLICY_EVAL_CTX_set_time(
6661
            ctx, (uint64_t)SSL_SESSION_get_time_ex(s->session) * 1000);
6662

6663
    scts = SSL_get0_peer_scts(SSL_CONNECTION_GET_SSL(s));
6664

6665
    /*
6666
     * This function returns success (> 0) only when all the SCTs are valid, 0
6667
     * when some are invalid, and < 0 on various internal errors (out of
6668
     * memory, etc.).  Having some, or even all, invalid SCTs is not sufficient
6669
     * reason to abort the handshake, that decision is up to the callback.
6670
     * Therefore, we error out only in the unexpected case that the return
6671
     * value is negative.
6672
     *
6673
     * XXX: One might well argue that the return value of this function is an
6674
     * unfortunate design choice.  Its job is only to determine the validation
6675
     * status of each of the provided SCTs.  So long as it correctly separates
6676
     * the wheat from the chaff it should return success.  Failure in this case
6677
     * ought to correspond to an inability to carry out its duties.
6678
     */
6679
    if (SCT_LIST_validate(scts, ctx) < 0) {
6680
        SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_SCT_VERIFICATION_FAILED);
6681
        goto end;
6682
    }
6683

6684
    ret = s->ct_validation_callback(ctx, scts, s->ct_validation_callback_arg);
6685
    if (ret < 0)
6686
        ret = 0;                /* This function returns 0 on failure */
6687
    if (!ret)
6688
        SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_CALLBACK_FAILED);
6689

6690
 end:
6691
    CT_POLICY_EVAL_CTX_free(ctx);
6692
    /*
6693
     * With SSL_VERIFY_NONE the session may be cached and reused despite a
6694
     * failure return code here.  Also the application may wish the complete
6695
     * the handshake, and then disconnect cleanly at a higher layer, after
6696
     * checking the verification status of the completed connection.
6697
     *
6698
     * We therefore force a certificate verification failure which will be
6699
     * visible via SSL_get_verify_result() and cached as part of any resumed
6700
     * session.
6701
     *
6702
     * Note: the permissive callback is for information gathering only, always
6703
     * returns success, and does not affect verification status.  Only the
6704
     * strict callback or a custom application-specified callback can trigger
6705
     * connection failure or record a verification error.
6706
     */
6707
    if (ret <= 0)
6708
        s->verify_result = X509_V_ERR_NO_VALID_SCTS;
6709
    return ret;
6710
}
6711

6712
int SSL_CTX_enable_ct(SSL_CTX *ctx, int validation_mode)
6713
{
6714
    switch (validation_mode) {
6715
    default:
6716
        ERR_raise(ERR_LIB_SSL, SSL_R_INVALID_CT_VALIDATION_TYPE);
6717
        return 0;
6718
    case SSL_CT_VALIDATION_PERMISSIVE:
6719
        return SSL_CTX_set_ct_validation_callback(ctx, ct_permissive, NULL);
6720
    case SSL_CT_VALIDATION_STRICT:
6721
        return SSL_CTX_set_ct_validation_callback(ctx, ct_strict, NULL);
6722
    }
6723
}
6724

6725
int SSL_enable_ct(SSL *s, int validation_mode)
6726
{
6727
    switch (validation_mode) {
6728
    default:
6729
        ERR_raise(ERR_LIB_SSL, SSL_R_INVALID_CT_VALIDATION_TYPE);
6730
        return 0;
6731
    case SSL_CT_VALIDATION_PERMISSIVE:
6732
        return SSL_set_ct_validation_callback(s, ct_permissive, NULL);
6733
    case SSL_CT_VALIDATION_STRICT:
6734
        return SSL_set_ct_validation_callback(s, ct_strict, NULL);
6735
    }
6736
}
6737

6738
int SSL_CTX_set_default_ctlog_list_file(SSL_CTX *ctx)
6739
{
6740
    return CTLOG_STORE_load_default_file(ctx->ctlog_store);
6741
}
6742

6743
int SSL_CTX_set_ctlog_list_file(SSL_CTX *ctx, const char *path)
6744
{
6745
    return CTLOG_STORE_load_file(ctx->ctlog_store, path);
6746
}
6747

6748
void SSL_CTX_set0_ctlog_store(SSL_CTX *ctx, CTLOG_STORE *logs)
6749
{
6750
    CTLOG_STORE_free(ctx->ctlog_store);
6751
    ctx->ctlog_store = logs;
6752
}
6753

6754
const CTLOG_STORE *SSL_CTX_get0_ctlog_store(const SSL_CTX *ctx)
6755
{
6756
    return ctx->ctlog_store;
6757
}
6758

6759
#endif  /* OPENSSL_NO_CT */
6760

6761
void SSL_CTX_set_client_hello_cb(SSL_CTX *c, SSL_client_hello_cb_fn cb,
6762
                                 void *arg)
6763
{
6764
    c->client_hello_cb = cb;
6765
    c->client_hello_cb_arg = arg;
6766
}
6767

6768
void SSL_CTX_set_new_pending_conn_cb(SSL_CTX *c, SSL_new_pending_conn_cb_fn cb,
6769
                                     void *arg)
6770
{
6771
    c->new_pending_conn_cb = cb;
6772
    c->new_pending_conn_arg = arg;
6773
}
6774

6775
int SSL_client_hello_isv2(SSL *s)
6776
{
6777
    const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
6778

6779
    if (sc == NULL)
6780
        return 0;
6781

6782
    if (sc->clienthello == NULL)
6783
        return 0;
6784
    return sc->clienthello->isv2;
6785
}
6786

6787
unsigned int SSL_client_hello_get0_legacy_version(SSL *s)
6788
{
6789
    const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
6790

6791
    if (sc == NULL)
6792
        return 0;
6793

6794
    if (sc->clienthello == NULL)
6795
        return 0;
6796
    return sc->clienthello->legacy_version;
6797
}
6798

6799
size_t SSL_client_hello_get0_random(SSL *s, const unsigned char **out)
6800
{
6801
    const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
6802

6803
    if (sc == NULL)
6804
        return 0;
6805

6806
    if (sc->clienthello == NULL)
6807
        return 0;
6808
    if (out != NULL)
6809
        *out = sc->clienthello->random;
6810
    return SSL3_RANDOM_SIZE;
6811
}
6812

6813
size_t SSL_client_hello_get0_session_id(SSL *s, const unsigned char **out)
6814
{
6815
    const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
6816

6817
    if (sc == NULL)
6818
        return 0;
6819

6820
    if (sc->clienthello == NULL)
6821
        return 0;
6822
    if (out != NULL)
6823
        *out = sc->clienthello->session_id;
6824
    return sc->clienthello->session_id_len;
6825
}
6826

6827
size_t SSL_client_hello_get0_ciphers(SSL *s, const unsigned char **out)
6828
{
6829
    const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
6830

6831
    if (sc == NULL)
6832
        return 0;
6833

6834
    if (sc->clienthello == NULL)
6835
        return 0;
6836
    if (out != NULL)
6837
        *out = PACKET_data(&sc->clienthello->ciphersuites);
6838
    return PACKET_remaining(&sc->clienthello->ciphersuites);
6839
}
6840

6841
size_t SSL_client_hello_get0_compression_methods(SSL *s, const unsigned char **out)
6842
{
6843
    const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
6844

6845
    if (sc == NULL)
6846
        return 0;
6847

6848
    if (sc->clienthello == NULL)
6849
        return 0;
6850
    if (out != NULL)
6851
        *out = sc->clienthello->compressions;
6852
    return sc->clienthello->compressions_len;
6853
}
6854

6855
int SSL_client_hello_get1_extensions_present(SSL *s, int **out, size_t *outlen)
6856
{
6857
    RAW_EXTENSION *ext;
6858
    int *present;
6859
    size_t num = 0, i;
6860
    const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
6861

6862
    if (sc == NULL)
6863
        return 0;
6864

6865
    if (sc->clienthello == NULL || out == NULL || outlen == NULL)
6866
        return 0;
6867
    for (i = 0; i < sc->clienthello->pre_proc_exts_len; i++) {
6868
        ext = sc->clienthello->pre_proc_exts + i;
6869
        if (ext->present)
6870
            num++;
6871
    }
6872
    if (num == 0) {
6873
        *out = NULL;
6874
        *outlen = 0;
6875
        return 1;
6876
    }
6877
    if ((present = OPENSSL_malloc(sizeof(*present) * num)) == NULL)
6878
        return 0;
6879
    for (i = 0; i < sc->clienthello->pre_proc_exts_len; i++) {
6880
        ext = sc->clienthello->pre_proc_exts + i;
6881
        if (ext->present) {
6882
            if (ext->received_order >= num)
6883
                goto err;
6884
            present[ext->received_order] = ext->type;
6885
        }
6886
    }
6887
    *out = present;
6888
    *outlen = num;
6889
    return 1;
6890
 err:
6891
    OPENSSL_free(present);
6892
    return 0;
6893
}
6894

6895
int SSL_client_hello_get_extension_order(SSL *s, uint16_t *exts, size_t *num_exts)
6896
{
6897
    RAW_EXTENSION *ext;
6898
    size_t num = 0, i;
6899
    const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
6900

6901
    if (sc == NULL)
6902
        return 0;
6903

6904
    if (sc->clienthello == NULL || num_exts == NULL)
6905
        return 0;
6906
    for (i = 0; i < sc->clienthello->pre_proc_exts_len; i++) {
6907
        ext = sc->clienthello->pre_proc_exts + i;
6908
        if (ext->present)
6909
            num++;
6910
    }
6911
    if (num == 0) {
6912
        *num_exts = 0;
6913
        return 1;
6914
    }
6915
    if (exts == NULL) {
6916
        *num_exts = num;
6917
        return 1;
6918
    }
6919
    if (*num_exts < num)
6920
        return 0;
6921
    for (i = 0; i < sc->clienthello->pre_proc_exts_len; i++) {
6922
        ext = sc->clienthello->pre_proc_exts + i;
6923
        if (ext->present) {
6924
            if (ext->received_order >= num)
6925
                return 0;
6926
            exts[ext->received_order] = ext->type;
6927
        }
6928
    }
6929
    *num_exts = num;
6930
    return 1;
6931
}
6932

6933
int SSL_client_hello_get0_ext(SSL *s, unsigned int type, const unsigned char **out,
6934
                       size_t *outlen)
6935
{
6936
    size_t i;
6937
    RAW_EXTENSION *r;
6938
    const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
6939

6940
    if (sc == NULL)
6941
        return 0;
6942

6943
    if (sc->clienthello == NULL)
6944
        return 0;
6945
    for (i = 0; i < sc->clienthello->pre_proc_exts_len; ++i) {
6946
        r = sc->clienthello->pre_proc_exts + i;
6947
        if (r->present && r->type == type) {
6948
            if (out != NULL)
6949
                *out = PACKET_data(&r->data);
6950
            if (outlen != NULL)
6951
                *outlen = PACKET_remaining(&r->data);
6952
            return 1;
6953
        }
6954
    }
6955
    return 0;
6956
}
6957

6958
int SSL_free_buffers(SSL *ssl)
6959
{
6960
    RECORD_LAYER *rl;
6961
    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL_ONLY(ssl);
6962

6963
    if (sc == NULL)
6964
        return 0;
6965

6966
    rl = &sc->rlayer;
6967

6968
    return rl->rrlmethod->free_buffers(rl->rrl)
6969
           && rl->wrlmethod->free_buffers(rl->wrl);
6970
}
6971

6972
int SSL_alloc_buffers(SSL *ssl)
6973
{
6974
    RECORD_LAYER *rl;
6975
    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(ssl);
6976

6977
    if (sc == NULL)
6978
        return 0;
6979

6980
    /* QUIC always has buffers allocated. */
6981
    if (IS_QUIC(ssl))
6982
        return 1;
6983

6984
    rl = &sc->rlayer;
6985

6986
    return rl->rrlmethod->alloc_buffers(rl->rrl)
6987
           && rl->wrlmethod->alloc_buffers(rl->wrl);
6988
}
6989

6990
void SSL_CTX_set_keylog_callback(SSL_CTX *ctx, SSL_CTX_keylog_cb_func cb)
6991
{
6992
    ctx->keylog_callback = cb;
6993
}
6994

6995
SSL_CTX_keylog_cb_func SSL_CTX_get_keylog_callback(const SSL_CTX *ctx)
6996
{
6997
    return ctx->keylog_callback;
6998
}
6999

7000
static int nss_keylog_int(const char *prefix,
7001
                          SSL_CONNECTION *sc,
7002
                          const uint8_t *parameter_1,
7003
                          size_t parameter_1_len,
7004
                          const uint8_t *parameter_2,
7005
                          size_t parameter_2_len)
7006
{
7007
    char *out = NULL;
7008
    char *cursor = NULL;
7009
    size_t out_len = 0, i, prefix_len;
7010
    SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(sc);
7011

7012
#ifndef OPENSSL_NO_SSLKEYLOG
7013
    if (sctx->keylog_callback == NULL && sctx->do_sslkeylog == 0)
7014
        return 1;
7015
#else
7016
    if (sctx->keylog_callback == NULL)
7017
        return 1;
7018
#endif
7019

7020
    /*
7021
     * Our output buffer will contain the following strings, rendered with
7022
     * space characters in between, terminated by a NULL character: first the
7023
     * prefix, then the first parameter, then the second parameter. The
7024
     * meaning of each parameter depends on the specific key material being
7025
     * logged. Note that the first and second parameters are encoded in
7026
     * hexadecimal, so we need a buffer that is twice their lengths.
7027
     */
7028
    prefix_len = strlen(prefix);
7029
    out_len = prefix_len + (2 * parameter_1_len) + (2 * parameter_2_len) + 3;
7030
    if ((out = cursor = OPENSSL_malloc(out_len)) == NULL)
7031
        return 0;
7032

7033
    memcpy(cursor, prefix, prefix_len);
7034
    cursor += prefix_len;
7035
    *cursor++ = ' ';
7036

7037
    for (i = 0; i < parameter_1_len; ++i)
7038
        cursor += ossl_to_lowerhex(cursor, parameter_1[i]);
7039
    *cursor++ = ' ';
7040

7041
    for (i = 0; i < parameter_2_len; ++i)
7042
        cursor += ossl_to_lowerhex(cursor, parameter_2[i]);
7043
    *cursor = '\0';
7044

7045
#ifndef OPENSSL_NO_SSLKEYLOG
7046
    if (sctx->do_sslkeylog == 1)
7047
        do_sslkeylogfile(SSL_CONNECTION_GET_SSL(sc), (const char *)out);
7048
#endif
7049
    if (sctx->keylog_callback != NULL)
7050
        sctx->keylog_callback(SSL_CONNECTION_GET_USER_SSL(sc), (const char *)out);
7051
    OPENSSL_clear_free(out, out_len);
7052
    return 1;
7053
}
7054

7055
int ssl_log_rsa_client_key_exchange(SSL_CONNECTION *sc,
7056
                                    const uint8_t *encrypted_premaster,
7057
                                    size_t encrypted_premaster_len,
7058
                                    const uint8_t *premaster,
7059
                                    size_t premaster_len)
7060
{
7061
    if (encrypted_premaster_len < 8) {
7062
        SSLfatal(sc, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
7063
        return 0;
7064
    }
7065

7066
    /* We only want the first 8 bytes of the encrypted premaster as a tag. */
7067
    return nss_keylog_int("RSA",
7068
                          sc,
7069
                          encrypted_premaster,
7070
                          8,
7071
                          premaster,
7072
                          premaster_len);
7073
}
7074

7075
int ssl_log_secret(SSL_CONNECTION *sc,
7076
                   const char *label,
7077
                   const uint8_t *secret,
7078
                   size_t secret_len)
7079
{
7080
    return nss_keylog_int(label,
7081
                          sc,
7082
                          sc->s3.client_random,
7083
                          SSL3_RANDOM_SIZE,
7084
                          secret,
7085
                          secret_len);
7086
}
7087

7088
#define SSLV2_CIPHER_LEN    3
7089

7090
int ssl_cache_cipherlist(SSL_CONNECTION *s, PACKET *cipher_suites, int sslv2format)
7091
{
7092
    int n;
7093

7094
    n = sslv2format ? SSLV2_CIPHER_LEN : TLS_CIPHER_LEN;
7095

7096
    if (PACKET_remaining(cipher_suites) == 0) {
7097
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_NO_CIPHERS_SPECIFIED);
7098
        return 0;
7099
    }
7100

7101
    if (PACKET_remaining(cipher_suites) % n != 0) {
7102
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST);
7103
        return 0;
7104
    }
7105

7106
    OPENSSL_free(s->s3.tmp.ciphers_raw);
7107
    s->s3.tmp.ciphers_raw = NULL;
7108
    s->s3.tmp.ciphers_rawlen = 0;
7109

7110
    if (sslv2format) {
7111
        size_t numciphers = PACKET_remaining(cipher_suites) / n;
7112
        PACKET sslv2ciphers = *cipher_suites;
7113
        unsigned int leadbyte;
7114
        unsigned char *raw;
7115

7116
        /*
7117
         * We store the raw ciphers list in SSLv3+ format so we need to do some
7118
         * preprocessing to convert the list first. If there are any SSLv2 only
7119
         * ciphersuites with a non-zero leading byte then we are going to
7120
         * slightly over allocate because we won't store those. But that isn't a
7121
         * problem.
7122
         */
7123
        raw = OPENSSL_malloc(numciphers * TLS_CIPHER_LEN);
7124
        s->s3.tmp.ciphers_raw = raw;
7125
        if (raw == NULL) {
7126
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_CRYPTO_LIB);
7127
            return 0;
7128
        }
7129
        for (s->s3.tmp.ciphers_rawlen = 0;
7130
             PACKET_remaining(&sslv2ciphers) > 0;
7131
             raw += TLS_CIPHER_LEN) {
7132
            if (!PACKET_get_1(&sslv2ciphers, &leadbyte)
7133
                    || (leadbyte == 0
7134
                        && !PACKET_copy_bytes(&sslv2ciphers, raw,
7135
                                              TLS_CIPHER_LEN))
7136
                    || (leadbyte != 0
7137
                        && !PACKET_forward(&sslv2ciphers, TLS_CIPHER_LEN))) {
7138
                SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_PACKET);
7139
                OPENSSL_free(s->s3.tmp.ciphers_raw);
7140
                s->s3.tmp.ciphers_raw = NULL;
7141
                s->s3.tmp.ciphers_rawlen = 0;
7142
                return 0;
7143
            }
7144
            if (leadbyte == 0)
7145
                s->s3.tmp.ciphers_rawlen += TLS_CIPHER_LEN;
7146
        }
7147
    } else if (!PACKET_memdup(cipher_suites, &s->s3.tmp.ciphers_raw,
7148
                           &s->s3.tmp.ciphers_rawlen)) {
7149
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
7150
        return 0;
7151
    }
7152
    return 1;
7153
}
7154

7155
int SSL_bytes_to_cipher_list(SSL *s, const unsigned char *bytes, size_t len,
7156
                             int isv2format, STACK_OF(SSL_CIPHER) **sk,
7157
                             STACK_OF(SSL_CIPHER) **scsvs)
7158
{
7159
    PACKET pkt;
7160
    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
7161

7162
    if (sc == NULL)
7163
        return 0;
7164

7165
    if (!PACKET_buf_init(&pkt, bytes, len))
7166
        return 0;
7167
    return ossl_bytes_to_cipher_list(sc, &pkt, sk, scsvs, isv2format, 0);
7168
}
7169

7170
int ossl_bytes_to_cipher_list(SSL_CONNECTION *s, PACKET *cipher_suites,
7171
                              STACK_OF(SSL_CIPHER) **skp,
7172
                              STACK_OF(SSL_CIPHER) **scsvs_out,
7173
                              int sslv2format, int fatal)
7174
{
7175
    const SSL_CIPHER *c;
7176
    STACK_OF(SSL_CIPHER) *sk = NULL;
7177
    STACK_OF(SSL_CIPHER) *scsvs = NULL;
7178
    int n;
7179
    /* 3 = SSLV2_CIPHER_LEN > TLS_CIPHER_LEN = 2. */
7180
    unsigned char cipher[SSLV2_CIPHER_LEN];
7181

7182
    n = sslv2format ? SSLV2_CIPHER_LEN : TLS_CIPHER_LEN;
7183

7184
    if (PACKET_remaining(cipher_suites) == 0) {
7185
        if (fatal)
7186
            SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_NO_CIPHERS_SPECIFIED);
7187
        else
7188
            ERR_raise(ERR_LIB_SSL, SSL_R_NO_CIPHERS_SPECIFIED);
7189
        return 0;
7190
    }
7191

7192
    if (PACKET_remaining(cipher_suites) % n != 0) {
7193
        if (fatal)
7194
            SSLfatal(s, SSL_AD_DECODE_ERROR,
7195
                     SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST);
7196
        else
7197
            ERR_raise(ERR_LIB_SSL, SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST);
7198
        return 0;
7199
    }
7200

7201
    sk = sk_SSL_CIPHER_new_null();
7202
    scsvs = sk_SSL_CIPHER_new_null();
7203
    if (sk == NULL || scsvs == NULL) {
7204
        if (fatal)
7205
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_CRYPTO_LIB);
7206
        else
7207
            ERR_raise(ERR_LIB_SSL, ERR_R_CRYPTO_LIB);
7208
        goto err;
7209
    }
7210

7211
    while (PACKET_copy_bytes(cipher_suites, cipher, n)) {
7212
        /*
7213
         * SSLv3 ciphers wrapped in an SSLv2-compatible ClientHello have the
7214
         * first byte set to zero, while true SSLv2 ciphers have a non-zero
7215
         * first byte. We don't support any true SSLv2 ciphers, so skip them.
7216
         */
7217
        if (sslv2format && cipher[0] != '\0')
7218
            continue;
7219

7220
        /* For SSLv2-compat, ignore leading 0-byte. */
7221
        c = ssl_get_cipher_by_char(s, sslv2format ? &cipher[1] : cipher, 1);
7222
        if (c != NULL) {
7223
            if ((c->valid && !sk_SSL_CIPHER_push(sk, c)) ||
7224
                (!c->valid && !sk_SSL_CIPHER_push(scsvs, c))) {
7225
                if (fatal)
7226
                    SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_CRYPTO_LIB);
7227
                else
7228
                    ERR_raise(ERR_LIB_SSL, ERR_R_CRYPTO_LIB);
7229
                goto err;
7230
            }
7231
        }
7232
    }
7233
    if (PACKET_remaining(cipher_suites) > 0) {
7234
        if (fatal)
7235
            SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_LENGTH);
7236
        else
7237
            ERR_raise(ERR_LIB_SSL, SSL_R_BAD_LENGTH);
7238
        goto err;
7239
    }
7240

7241
    if (skp != NULL)
7242
        *skp = sk;
7243
    else
7244
        sk_SSL_CIPHER_free(sk);
7245
    if (scsvs_out != NULL)
7246
        *scsvs_out = scsvs;
7247
    else
7248
        sk_SSL_CIPHER_free(scsvs);
7249
    return 1;
7250
 err:
7251
    sk_SSL_CIPHER_free(sk);
7252
    sk_SSL_CIPHER_free(scsvs);
7253
    return 0;
7254
}
7255

7256
int SSL_CTX_set_max_early_data(SSL_CTX *ctx, uint32_t max_early_data)
7257
{
7258
    ctx->max_early_data = max_early_data;
7259

7260
    return 1;
7261
}
7262

7263
uint32_t SSL_CTX_get_max_early_data(const SSL_CTX *ctx)
7264
{
7265
    return ctx->max_early_data;
7266
}
7267

7268
int SSL_set_max_early_data(SSL *s, uint32_t max_early_data)
7269
{
7270
    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL_ONLY(s);
7271

7272
    if (sc == NULL)
7273
        return 0;
7274

7275
    sc->max_early_data = max_early_data;
7276

7277
    return 1;
7278
}
7279

7280
uint32_t SSL_get_max_early_data(const SSL *s)
7281
{
7282
    const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
7283

7284
    if (sc == NULL)
7285
        return 0;
7286

7287
    return sc->max_early_data;
7288
}
7289

7290
int SSL_CTX_set_recv_max_early_data(SSL_CTX *ctx, uint32_t recv_max_early_data)
7291
{
7292
    ctx->recv_max_early_data = recv_max_early_data;
7293

7294
    return 1;
7295
}
7296

7297
uint32_t SSL_CTX_get_recv_max_early_data(const SSL_CTX *ctx)
7298
{
7299
    return ctx->recv_max_early_data;
7300
}
7301

7302
int SSL_set_recv_max_early_data(SSL *s, uint32_t recv_max_early_data)
7303
{
7304
    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL_ONLY(s);
7305

7306
    if (sc == NULL)
7307
        return 0;
7308

7309
    sc->recv_max_early_data = recv_max_early_data;
7310

7311
    return 1;
7312
}
7313

7314
uint32_t SSL_get_recv_max_early_data(const SSL *s)
7315
{
7316
    const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
7317

7318
    if (sc == NULL)
7319
        return 0;
7320

7321
    return sc->recv_max_early_data;
7322
}
7323

7324
__owur unsigned int ssl_get_max_send_fragment(const SSL_CONNECTION *sc)
7325
{
7326
    /* Return any active Max Fragment Len extension */
7327
    if (sc->session != NULL && USE_MAX_FRAGMENT_LENGTH_EXT(sc->session))
7328
        return GET_MAX_FRAGMENT_LENGTH(sc->session);
7329

7330
    /* return current SSL connection setting */
7331
    return sc->max_send_fragment;
7332
}
7333

7334
__owur unsigned int ssl_get_split_send_fragment(const SSL_CONNECTION *sc)
7335
{
7336
    /* Return a value regarding an active Max Fragment Len extension */
7337
    if (sc->session != NULL && USE_MAX_FRAGMENT_LENGTH_EXT(sc->session)
7338
        && sc->split_send_fragment > GET_MAX_FRAGMENT_LENGTH(sc->session))
7339
        return GET_MAX_FRAGMENT_LENGTH(sc->session);
7340

7341
    /* else limit |split_send_fragment| to current |max_send_fragment| */
7342
    if (sc->split_send_fragment > sc->max_send_fragment)
7343
        return sc->max_send_fragment;
7344

7345
    /* return current SSL connection setting */
7346
    return sc->split_send_fragment;
7347
}
7348

7349
int SSL_stateless(SSL *s)
7350
{
7351
    int ret;
7352
    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL_ONLY(s);
7353

7354
    if (sc == NULL)
7355
        return 0;
7356

7357
    /* Ensure there is no state left over from a previous invocation */
7358
    if (!SSL_clear(s))
7359
        return 0;
7360

7361
    ERR_clear_error();
7362

7363
    sc->s3.flags |= TLS1_FLAGS_STATELESS;
7364
    ret = SSL_accept(s);
7365
    sc->s3.flags &= ~TLS1_FLAGS_STATELESS;
7366

7367
    if (ret > 0 && sc->ext.cookieok)
7368
        return 1;
7369

7370
    if (sc->hello_retry_request == SSL_HRR_PENDING && !ossl_statem_in_error(sc))
7371
        return 0;
7372

7373
    return -1;
7374
}
7375

7376
void SSL_CTX_set_post_handshake_auth(SSL_CTX *ctx, int val)
7377
{
7378
    ctx->pha_enabled = val;
7379
}
7380

7381
void SSL_set_post_handshake_auth(SSL *ssl, int val)
7382
{
7383
    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL_ONLY(ssl);
7384

7385
    if (sc == NULL)
7386
        return;
7387

7388
    sc->pha_enabled = val;
7389
}
7390

7391
int SSL_verify_client_post_handshake(SSL *ssl)
7392
{
7393
    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(ssl);
7394

7395
#ifndef OPENSSL_NO_QUIC
7396
    if (IS_QUIC(ssl)) {
7397
        ERR_raise(ERR_LIB_SSL, SSL_R_WRONG_SSL_VERSION);
7398
        return 0;
7399
    }
7400
#endif
7401

7402
    if (sc == NULL)
7403
        return 0;
7404

7405
    if (!SSL_CONNECTION_IS_TLS13(sc)) {
7406
        ERR_raise(ERR_LIB_SSL, SSL_R_WRONG_SSL_VERSION);
7407
        return 0;
7408
    }
7409
    if (!sc->server) {
7410
        ERR_raise(ERR_LIB_SSL, SSL_R_NOT_SERVER);
7411
        return 0;
7412
    }
7413

7414
    if (!SSL_is_init_finished(ssl)) {
7415
        ERR_raise(ERR_LIB_SSL, SSL_R_STILL_IN_INIT);
7416
        return 0;
7417
    }
7418

7419
    switch (sc->post_handshake_auth) {
7420
    case SSL_PHA_NONE:
7421
        ERR_raise(ERR_LIB_SSL, SSL_R_EXTENSION_NOT_RECEIVED);
7422
        return 0;
7423
    default:
7424
    case SSL_PHA_EXT_SENT:
7425
        ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
7426
        return 0;
7427
    case SSL_PHA_EXT_RECEIVED:
7428
        break;
7429
    case SSL_PHA_REQUEST_PENDING:
7430
        ERR_raise(ERR_LIB_SSL, SSL_R_REQUEST_PENDING);
7431
        return 0;
7432
    case SSL_PHA_REQUESTED:
7433
        ERR_raise(ERR_LIB_SSL, SSL_R_REQUEST_SENT);
7434
        return 0;
7435
    }
7436

7437
    sc->post_handshake_auth = SSL_PHA_REQUEST_PENDING;
7438

7439
    /* checks verify_mode and algorithm_auth */
7440
    if (!send_certificate_request(sc)) {
7441
        sc->post_handshake_auth = SSL_PHA_EXT_RECEIVED; /* restore on error */
7442
        ERR_raise(ERR_LIB_SSL, SSL_R_INVALID_CONFIG);
7443
        return 0;
7444
    }
7445

7446
    ossl_statem_set_in_init(sc, 1);
7447
    return 1;
7448
}
7449

7450
int SSL_CTX_set_session_ticket_cb(SSL_CTX *ctx,
7451
                                  SSL_CTX_generate_session_ticket_fn gen_cb,
7452
                                  SSL_CTX_decrypt_session_ticket_fn dec_cb,
7453
                                  void *arg)
7454
{
7455
    ctx->generate_ticket_cb = gen_cb;
7456
    ctx->decrypt_ticket_cb = dec_cb;
7457
    ctx->ticket_cb_data = arg;
7458
    return 1;
7459
}
7460

7461
void SSL_CTX_set_allow_early_data_cb(SSL_CTX *ctx,
7462
                                     SSL_allow_early_data_cb_fn cb,
7463
                                     void *arg)
7464
{
7465
    ctx->allow_early_data_cb = cb;
7466
    ctx->allow_early_data_cb_data = arg;
7467
}
7468

7469
void SSL_set_allow_early_data_cb(SSL *s,
7470
                                 SSL_allow_early_data_cb_fn cb,
7471
                                 void *arg)
7472
{
7473
    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL_ONLY(s);
7474

7475
    if (sc == NULL)
7476
        return;
7477

7478
    sc->allow_early_data_cb = cb;
7479
    sc->allow_early_data_cb_data = arg;
7480
}
7481

7482
const EVP_CIPHER *ssl_evp_cipher_fetch(OSSL_LIB_CTX *libctx,
7483
                                       int nid,
7484
                                       const char *properties)
7485
{
7486
    const EVP_CIPHER *ciph;
7487

7488
    ciph = tls_get_cipher_from_engine(nid);
7489
    if (ciph != NULL)
7490
        return ciph;
7491

7492
    /*
7493
     * If there is no engine cipher then we do an explicit fetch. This may fail
7494
     * and that could be ok
7495
     */
7496
    ERR_set_mark();
7497
    ciph = EVP_CIPHER_fetch(libctx, OBJ_nid2sn(nid), properties);
7498
    if (ciph != NULL) {
7499
        OSSL_PARAM params[2];
7500
        int decrypt_only = 0;
7501

7502
        params[0] = OSSL_PARAM_construct_int(OSSL_CIPHER_PARAM_DECRYPT_ONLY,
7503
                                             &decrypt_only);
7504
        params[1] = OSSL_PARAM_construct_end();
7505
        if (EVP_CIPHER_get_params((EVP_CIPHER *)ciph, params)
7506
            && decrypt_only) {
7507
            /* If a cipher is decrypt-only, it is unusable */
7508
            EVP_CIPHER_free((EVP_CIPHER *)ciph);
7509
            ciph = NULL;
7510
        }
7511
    }
7512
    ERR_pop_to_mark();
7513
    return ciph;
7514
}
7515

7516

7517
int ssl_evp_cipher_up_ref(const EVP_CIPHER *cipher)
7518
{
7519
    /* Don't up-ref an implicit EVP_CIPHER */
7520
    if (EVP_CIPHER_get0_provider(cipher) == NULL)
7521
        return 1;
7522

7523
    /*
7524
     * The cipher was explicitly fetched and therefore it is safe to cast
7525
     * away the const
7526
     */
7527
    return EVP_CIPHER_up_ref((EVP_CIPHER *)cipher);
7528
}
7529

7530
void ssl_evp_cipher_free(const EVP_CIPHER *cipher)
7531
{
7532
    if (cipher == NULL)
7533
        return;
7534

7535
    if (EVP_CIPHER_get0_provider(cipher) != NULL) {
7536
        /*
7537
         * The cipher was explicitly fetched and therefore it is safe to cast
7538
         * away the const
7539
         */
7540
        EVP_CIPHER_free((EVP_CIPHER *)cipher);
7541
    }
7542
}
7543

7544
const EVP_MD *ssl_evp_md_fetch(OSSL_LIB_CTX *libctx,
7545
                               int nid,
7546
                               const char *properties)
7547
{
7548
    const EVP_MD *md;
7549

7550
    md = tls_get_digest_from_engine(nid);
7551
    if (md != NULL)
7552
        return md;
7553

7554
    /* Otherwise we do an explicit fetch */
7555
    ERR_set_mark();
7556
    md = EVP_MD_fetch(libctx, OBJ_nid2sn(nid), properties);
7557
    ERR_pop_to_mark();
7558
    return md;
7559
}
7560

7561
int ssl_evp_md_up_ref(const EVP_MD *md)
7562
{
7563
    /* Don't up-ref an implicit EVP_MD */
7564
    if (EVP_MD_get0_provider(md) == NULL)
7565
        return 1;
7566

7567
    /*
7568
     * The digest was explicitly fetched and therefore it is safe to cast
7569
     * away the const
7570
     */
7571
    return EVP_MD_up_ref((EVP_MD *)md);
7572
}
7573

7574
void ssl_evp_md_free(const EVP_MD *md)
7575
{
7576
    if (md == NULL)
7577
        return;
7578

7579
    if (EVP_MD_get0_provider(md) != NULL) {
7580
        /*
7581
         * The digest was explicitly fetched and therefore it is safe to cast
7582
         * away the const
7583
         */
7584
        EVP_MD_free((EVP_MD *)md);
7585
    }
7586
}
7587

7588
int SSL_set0_tmp_dh_pkey(SSL *s, EVP_PKEY *dhpkey)
7589
{
7590
    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
7591

7592
    if (sc == NULL)
7593
        return 0;
7594

7595
    if (!ssl_security(sc, SSL_SECOP_TMP_DH,
7596
                      EVP_PKEY_get_security_bits(dhpkey), 0, dhpkey)) {
7597
        ERR_raise(ERR_LIB_SSL, SSL_R_DH_KEY_TOO_SMALL);
7598
        return 0;
7599
    }
7600
    EVP_PKEY_free(sc->cert->dh_tmp);
7601
    sc->cert->dh_tmp = dhpkey;
7602
    return 1;
7603
}
7604

7605
int SSL_CTX_set0_tmp_dh_pkey(SSL_CTX *ctx, EVP_PKEY *dhpkey)
7606
{
7607
    if (!ssl_ctx_security(ctx, SSL_SECOP_TMP_DH,
7608
                          EVP_PKEY_get_security_bits(dhpkey), 0, dhpkey)) {
7609
        ERR_raise(ERR_LIB_SSL, SSL_R_DH_KEY_TOO_SMALL);
7610
        return 0;
7611
    }
7612
    EVP_PKEY_free(ctx->cert->dh_tmp);
7613
    ctx->cert->dh_tmp = dhpkey;
7614
    return 1;
7615
}
7616

7617
/* QUIC-specific methods which are supported on QUIC connections only. */
7618
int SSL_handle_events(SSL *s)
7619
{
7620
    SSL_CONNECTION *sc;
7621

7622
#ifndef OPENSSL_NO_QUIC
7623
    if (IS_QUIC(s))
7624
        return ossl_quic_handle_events(s);
7625
#endif
7626

7627
    sc = SSL_CONNECTION_FROM_SSL_ONLY(s);
7628
    if (sc != NULL && SSL_CONNECTION_IS_DTLS(sc))
7629
        /*
7630
         * DTLSv1_handle_timeout returns 0 if the timer wasn't expired yet,
7631
         * which we consider a success case. Theoretically DTLSv1_handle_timeout
7632
         * can also return 0 if s is NULL or not a DTLS object, but we've
7633
         * already ruled out those possibilities above, so this is not possible
7634
         * here. Thus the only failure cases are where DTLSv1_handle_timeout
7635
         * returns -1.
7636
         */
7637
        return DTLSv1_handle_timeout(s) >= 0;
7638

7639
    return 1;
7640
}
7641

7642
int SSL_get_event_timeout(SSL *s, struct timeval *tv, int *is_infinite)
7643
{
7644
    SSL_CONNECTION *sc;
7645

7646
#ifndef OPENSSL_NO_QUIC
7647
    if (IS_QUIC(s))
7648
        return ossl_quic_get_event_timeout(s, tv, is_infinite);
7649
#endif
7650

7651
    sc = SSL_CONNECTION_FROM_SSL_ONLY(s);
7652
    if (sc != NULL && SSL_CONNECTION_IS_DTLS(sc)
7653
        && DTLSv1_get_timeout(s, tv)) {
7654
        *is_infinite = 0;
7655
        return 1;
7656
    }
7657

7658
    tv->tv_sec  = 1000000;
7659
    tv->tv_usec = 0;
7660
    *is_infinite = 1;
7661
    return 1;
7662
}
7663

7664
int SSL_get_rpoll_descriptor(SSL *s, BIO_POLL_DESCRIPTOR *desc)
7665
{
7666
    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
7667

7668
#ifndef OPENSSL_NO_QUIC
7669
    if (IS_QUIC(s))
7670
        return ossl_quic_get_rpoll_descriptor(s, desc);
7671
#endif
7672

7673
    if (sc == NULL || sc->rbio == NULL)
7674
        return 0;
7675

7676
    return BIO_get_rpoll_descriptor(sc->rbio, desc);
7677
}
7678

7679
int SSL_get_wpoll_descriptor(SSL *s, BIO_POLL_DESCRIPTOR *desc)
7680
{
7681
    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
7682

7683
#ifndef OPENSSL_NO_QUIC
7684
    if (IS_QUIC(s))
7685
        return ossl_quic_get_wpoll_descriptor(s, desc);
7686
#endif
7687

7688
    if (sc == NULL || sc->wbio == NULL)
7689
        return 0;
7690

7691
    return BIO_get_wpoll_descriptor(sc->wbio, desc);
7692
}
7693

7694
int SSL_net_read_desired(SSL *s)
7695
{
7696
#ifndef OPENSSL_NO_QUIC
7697
    if (!IS_QUIC(s))
7698
        return SSL_want_read(s);
7699

7700
    return ossl_quic_get_net_read_desired(s);
7701
#else
7702
    return SSL_want_read(s);
7703
#endif
7704
}
7705

7706
int SSL_net_write_desired(SSL *s)
7707
{
7708
#ifndef OPENSSL_NO_QUIC
7709
    if (!IS_QUIC(s))
7710
        return SSL_want_write(s);
7711

7712
    return ossl_quic_get_net_write_desired(s);
7713
#else
7714
    return SSL_want_write(s);
7715
#endif
7716
}
7717

7718
int SSL_set_blocking_mode(SSL *s, int blocking)
7719
{
7720
#ifndef OPENSSL_NO_QUIC
7721
    if (!IS_QUIC(s))
7722
        return 0;
7723

7724
    return ossl_quic_conn_set_blocking_mode(s, blocking);
7725
#else
7726
    return 0;
7727
#endif
7728
}
7729

7730
int SSL_get_blocking_mode(SSL *s)
7731
{
7732
#ifndef OPENSSL_NO_QUIC
7733
    if (!IS_QUIC(s))
7734
        return -1;
7735

7736
    return ossl_quic_conn_get_blocking_mode(s);
7737
#else
7738
    return -1;
7739
#endif
7740
}
7741

7742
int SSL_set1_initial_peer_addr(SSL *s, const BIO_ADDR *peer_addr)
7743
{
7744
#ifndef OPENSSL_NO_QUIC
7745
    if (!IS_QUIC(s))
7746
        return 0;
7747

7748
    return ossl_quic_conn_set_initial_peer_addr(s, peer_addr);
7749
#else
7750
    return 0;
7751
#endif
7752
}
7753

7754
int SSL_shutdown_ex(SSL *ssl, uint64_t flags,
7755
                    const SSL_SHUTDOWN_EX_ARGS *args,
7756
                    size_t args_len)
7757
{
7758
#ifndef OPENSSL_NO_QUIC
7759
    if (!IS_QUIC(ssl))
7760
        return SSL_shutdown(ssl);
7761

7762
    return ossl_quic_conn_shutdown(ssl, flags, args, args_len);
7763
#else
7764
    return SSL_shutdown(ssl);
7765
#endif
7766
}
7767

7768
int SSL_stream_conclude(SSL *ssl, uint64_t flags)
7769
{
7770
#ifndef OPENSSL_NO_QUIC
7771
    if (!IS_QUIC(ssl))
7772
        return 0;
7773

7774
    return ossl_quic_conn_stream_conclude(ssl);
7775
#else
7776
    return 0;
7777
#endif
7778
}
7779

7780
SSL *SSL_new_stream(SSL *s, uint64_t flags)
7781
{
7782
#ifndef OPENSSL_NO_QUIC
7783
    if (!IS_QUIC(s))
7784
        return NULL;
7785

7786
    return ossl_quic_conn_stream_new(s, flags);
7787
#else
7788
    return NULL;
7789
#endif
7790
}
7791

7792
SSL *SSL_get0_connection(SSL *s)
7793
{
7794
#ifndef OPENSSL_NO_QUIC
7795
    if (!IS_QUIC(s))
7796
        return s;
7797

7798
    return ossl_quic_get0_connection(s);
7799
#else
7800
    return s;
7801
#endif
7802
}
7803

7804
int SSL_is_connection(SSL *s)
7805
{
7806
    return SSL_get0_connection(s) == s;
7807
}
7808

7809
SSL *SSL_get0_listener(SSL *s)
7810
{
7811
#ifndef OPENSSL_NO_QUIC
7812
    if (!IS_QUIC(s))
7813
        return NULL;
7814

7815
    return ossl_quic_get0_listener(s);
7816
#else
7817
    return NULL;
7818
#endif
7819
}
7820

7821
SSL *SSL_get0_domain(SSL *s)
7822
{
7823
#ifndef OPENSSL_NO_QUIC
7824
    if (!IS_QUIC(s))
7825
        return NULL;
7826

7827
    return ossl_quic_get0_domain(s);
7828
#else
7829
    return NULL;
7830
#endif
7831
}
7832

7833
int SSL_is_listener(SSL *s)
7834
{
7835
    return SSL_get0_listener(s) == s;
7836
}
7837

7838
int SSL_is_domain(SSL *s)
7839
{
7840
    return SSL_get0_domain(s) == s;
7841
}
7842

7843
int SSL_get_stream_type(SSL *s)
7844
{
7845
#ifndef OPENSSL_NO_QUIC
7846
    if (!IS_QUIC(s))
7847
        return SSL_STREAM_TYPE_BIDI;
7848

7849
    return ossl_quic_get_stream_type(s);
7850
#else
7851
    return SSL_STREAM_TYPE_BIDI;
7852
#endif
7853
}
7854

7855
uint64_t SSL_get_stream_id(SSL *s)
7856
{
7857
#ifndef OPENSSL_NO_QUIC
7858
    if (!IS_QUIC(s))
7859
        return UINT64_MAX;
7860

7861
    return ossl_quic_get_stream_id(s);
7862
#else
7863
    return UINT64_MAX;
7864
#endif
7865
}
7866

7867
int SSL_is_stream_local(SSL *s)
7868
{
7869
#ifndef OPENSSL_NO_QUIC
7870
    if (!IS_QUIC(s))
7871
        return -1;
7872

7873
    return ossl_quic_is_stream_local(s);
7874
#else
7875
    return -1;
7876
#endif
7877
}
7878

7879
int SSL_set_default_stream_mode(SSL *s, uint32_t mode)
7880
{
7881
#ifndef OPENSSL_NO_QUIC
7882
    if (!IS_QUIC(s))
7883
        return 0;
7884

7885
    return ossl_quic_set_default_stream_mode(s, mode);
7886
#else
7887
    return 0;
7888
#endif
7889
}
7890

7891
int SSL_set_incoming_stream_policy(SSL *s, int policy, uint64_t aec)
7892
{
7893
#ifndef OPENSSL_NO_QUIC
7894
    if (!IS_QUIC(s))
7895
        return 0;
7896

7897
    return ossl_quic_set_incoming_stream_policy(s, policy, aec);
7898
#else
7899
    return 0;
7900
#endif
7901
}
7902

7903
SSL *SSL_accept_stream(SSL *s, uint64_t flags)
7904
{
7905
#ifndef OPENSSL_NO_QUIC
7906
    if (!IS_QUIC(s))
7907
        return NULL;
7908

7909
    return ossl_quic_accept_stream(s, flags);
7910
#else
7911
    return NULL;
7912
#endif
7913
}
7914

7915
size_t SSL_get_accept_stream_queue_len(SSL *s)
7916
{
7917
#ifndef OPENSSL_NO_QUIC
7918
    if (!IS_QUIC(s))
7919
        return 0;
7920

7921
    return ossl_quic_get_accept_stream_queue_len(s);
7922
#else
7923
    return 0;
7924
#endif
7925
}
7926

7927
int SSL_stream_reset(SSL *s,
7928
                     const SSL_STREAM_RESET_ARGS *args,
7929
                     size_t args_len)
7930
{
7931
#ifndef OPENSSL_NO_QUIC
7932
    if (!IS_QUIC(s))
7933
        return 0;
7934

7935
    return ossl_quic_stream_reset(s, args, args_len);
7936
#else
7937
    return 0;
7938
#endif
7939
}
7940

7941
int SSL_get_stream_read_state(SSL *s)
7942
{
7943
#ifndef OPENSSL_NO_QUIC
7944
    if (!IS_QUIC(s))
7945
        return SSL_STREAM_STATE_NONE;
7946

7947
    return ossl_quic_get_stream_read_state(s);
7948
#else
7949
    return SSL_STREAM_STATE_NONE;
7950
#endif
7951
}
7952

7953
int SSL_get_stream_write_state(SSL *s)
7954
{
7955
#ifndef OPENSSL_NO_QUIC
7956
    if (!IS_QUIC(s))
7957
        return SSL_STREAM_STATE_NONE;
7958

7959
    return ossl_quic_get_stream_write_state(s);
7960
#else
7961
    return SSL_STREAM_STATE_NONE;
7962
#endif
7963
}
7964

7965
int SSL_get_stream_read_error_code(SSL *s, uint64_t *app_error_code)
7966
{
7967
#ifndef OPENSSL_NO_QUIC
7968
    if (!IS_QUIC(s))
7969
        return -1;
7970

7971
    return ossl_quic_get_stream_read_error_code(s, app_error_code);
7972
#else
7973
    return -1;
7974
#endif
7975
}
7976

7977
int SSL_get_stream_write_error_code(SSL *s, uint64_t *app_error_code)
7978
{
7979
#ifndef OPENSSL_NO_QUIC
7980
    if (!IS_QUIC(s))
7981
        return -1;
7982

7983
    return ossl_quic_get_stream_write_error_code(s, app_error_code);
7984
#else
7985
    return -1;
7986
#endif
7987
}
7988

7989
int SSL_get_conn_close_info(SSL *s, SSL_CONN_CLOSE_INFO *info,
7990
                            size_t info_len)
7991
{
7992
#ifndef OPENSSL_NO_QUIC
7993
    if (!IS_QUIC(s))
7994
        return -1;
7995

7996
    return ossl_quic_get_conn_close_info(s, info, info_len);
7997
#else
7998
    return -1;
7999
#endif
8000
}
8001

8002
int SSL_get_value_uint(SSL *s, uint32_t class_, uint32_t id,
8003
                       uint64_t *value)
8004
{
8005
#ifndef OPENSSL_NO_QUIC
8006
    if (IS_QUIC(s))
8007
        return ossl_quic_get_value_uint(s, class_, id, value);
8008
#endif
8009

8010
    ERR_raise(ERR_LIB_SSL, SSL_R_UNSUPPORTED_PROTOCOL);
8011
    return 0;
8012
}
8013

8014
int SSL_set_value_uint(SSL *s, uint32_t class_, uint32_t id,
8015
                       uint64_t value)
8016
{
8017
#ifndef OPENSSL_NO_QUIC
8018
    if (IS_QUIC(s))
8019
        return ossl_quic_set_value_uint(s, class_, id, value);
8020
#endif
8021

8022
    ERR_raise(ERR_LIB_SSL, SSL_R_UNSUPPORTED_PROTOCOL);
8023
    return 0;
8024
}
8025

8026
SSL *SSL_new_listener(SSL_CTX *ctx, uint64_t flags)
8027
{
8028
#ifndef OPENSSL_NO_QUIC
8029
    if (!IS_QUIC_CTX(ctx))
8030
        return NULL;
8031

8032
    return ossl_quic_new_listener(ctx, flags);
8033
#else
8034
    return NULL;
8035
#endif
8036
}
8037

8038
SSL *SSL_new_listener_from(SSL *ssl, uint64_t flags)
8039
{
8040
#ifndef OPENSSL_NO_QUIC
8041
    if (!IS_QUIC(ssl))
8042
        return NULL;
8043

8044
    return ossl_quic_new_listener_from(ssl, flags);
8045
#else
8046
    return NULL;
8047
#endif
8048
}
8049

8050
SSL *SSL_new_from_listener(SSL *ssl, uint64_t flags)
8051
{
8052
#ifndef OPENSSL_NO_QUIC
8053
    if (!IS_QUIC(ssl))
8054
        return NULL;
8055

8056
    return ossl_quic_new_from_listener(ssl, flags);
8057
#else
8058
    return NULL;
8059
#endif
8060
}
8061

8062
SSL *SSL_accept_connection(SSL *ssl, uint64_t flags)
8063
{
8064
#ifndef OPENSSL_NO_QUIC
8065
    if (!IS_QUIC(ssl))
8066
        return NULL;
8067

8068
    return ossl_quic_accept_connection(ssl, flags);
8069
#else
8070
    return NULL;
8071
#endif
8072
}
8073

8074
size_t SSL_get_accept_connection_queue_len(SSL *ssl)
8075
{
8076
#ifndef OPENSSL_NO_QUIC
8077
    if (!IS_QUIC(ssl))
8078
        return 0;
8079

8080
    return ossl_quic_get_accept_connection_queue_len(ssl);
8081
#else
8082
    return 0;
8083
#endif
8084
}
8085

8086
int SSL_listen(SSL *ssl)
8087
{
8088
#ifndef OPENSSL_NO_QUIC
8089
    if (!IS_QUIC(ssl))
8090
        return 0;
8091

8092
    return ossl_quic_listen(ssl);
8093
#else
8094
    return 0;
8095
#endif
8096
}
8097

8098
SSL *SSL_new_domain(SSL_CTX *ctx, uint64_t flags)
8099
{
8100
#ifndef OPENSSL_NO_QUIC
8101
    if (!IS_QUIC_CTX(ctx))
8102
        return NULL;
8103

8104
    return ossl_quic_new_domain(ctx, flags);
8105
#else
8106
    return NULL;
8107
#endif
8108
}
8109

8110
int ossl_adjust_domain_flags(uint64_t domain_flags, uint64_t *p_domain_flags)
8111
{
8112
    if ((domain_flags & ~OSSL_QUIC_SUPPORTED_DOMAIN_FLAGS) != 0) {
8113
        ERR_raise_data(ERR_LIB_SSL, ERR_R_UNSUPPORTED,
8114
                       "unsupported domain flag requested");
8115
        return 0;
8116
    }
8117

8118
    if ((domain_flags & SSL_DOMAIN_FLAG_THREAD_ASSISTED) != 0)
8119
        domain_flags |= SSL_DOMAIN_FLAG_MULTI_THREAD;
8120

8121
    if ((domain_flags & (SSL_DOMAIN_FLAG_MULTI_THREAD
8122
                         | SSL_DOMAIN_FLAG_SINGLE_THREAD)) == 0)
8123
        domain_flags |= SSL_DOMAIN_FLAG_MULTI_THREAD;
8124

8125
    if ((domain_flags & SSL_DOMAIN_FLAG_SINGLE_THREAD) != 0
8126
        && (domain_flags & SSL_DOMAIN_FLAG_MULTI_THREAD) != 0) {
8127
        ERR_raise_data(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT,
8128
                       "mutually exclusive domain flags specified");
8129
        return 0;
8130
    }
8131

8132
    /*
8133
     * Note: We treat MULTI_THREAD as a no-op in non-threaded builds, but
8134
     * not THREAD_ASSISTED.
8135
     */
8136
# ifndef OPENSSL_THREADS
8137
    if ((domain_flags & SSL_DOMAIN_FLAG_THREAD_ASSISTED) != 0) {
8138
        ERR_raise_data(ERR_LIB_SSL, ERR_R_UNSUPPORTED,
8139
                       "thread assisted mode not available in this build");
8140
        return 0;
8141
    }
8142
# endif
8143

8144
    *p_domain_flags = domain_flags;
8145
    return 1;
8146
}
8147

8148
int SSL_CTX_set_domain_flags(SSL_CTX *ctx, uint64_t domain_flags)
8149
{
8150
#ifndef OPENSSL_NO_QUIC
8151
    if (IS_QUIC_CTX(ctx)) {
8152
        if (!ossl_adjust_domain_flags(domain_flags, &domain_flags))
8153
            return 0;
8154

8155
        ctx->domain_flags = domain_flags;
8156
        return 1;
8157
    }
8158
#endif
8159

8160
    ERR_raise_data(ERR_LIB_SSL, ERR_R_UNSUPPORTED,
8161
                   "domain flags unsupported on this kind of SSL_CTX");
8162
    return 0;
8163
}
8164

8165
int SSL_CTX_get_domain_flags(const SSL_CTX *ctx, uint64_t *domain_flags)
8166
{
8167
#ifndef OPENSSL_NO_QUIC
8168
    if (IS_QUIC_CTX(ctx)) {
8169
        if (domain_flags != NULL)
8170
            *domain_flags = ctx->domain_flags;
8171

8172
        return 1;
8173
    }
8174
#endif
8175

8176
    ERR_raise_data(ERR_LIB_SSL, ERR_R_UNSUPPORTED,
8177
                   "domain flags unsupported on this kind of SSL_CTX");
8178
    return 0;
8179
}
8180

8181
int SSL_get_domain_flags(const SSL *ssl, uint64_t *domain_flags)
8182
{
8183
#ifndef OPENSSL_NO_QUIC
8184
    if (IS_QUIC(ssl))
8185
        return ossl_quic_get_domain_flags(ssl, domain_flags);
8186
#endif
8187

8188
    return 0;
8189
}
8190

8191
int SSL_add_expected_rpk(SSL *s, EVP_PKEY *rpk)
8192
{
8193
    unsigned char *data = NULL;
8194
    SSL_DANE *dane = SSL_get0_dane(s);
8195
    int ret;
8196

8197
    if (dane == NULL || dane->dctx == NULL)
8198
        return 0;
8199
    if ((ret = i2d_PUBKEY(rpk, &data)) <= 0)
8200
        return 0;
8201

8202
    ret = SSL_dane_tlsa_add(s, DANETLS_USAGE_DANE_EE,
8203
                            DANETLS_SELECTOR_SPKI,
8204
                            DANETLS_MATCHING_FULL,
8205
                            data, (size_t)ret) > 0;
8206
    OPENSSL_free(data);
8207
    return ret;
8208
}
8209

8210
EVP_PKEY *SSL_get0_peer_rpk(const SSL *s)
8211
{
8212
    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
8213

8214
    if (sc == NULL || sc->session == NULL)
8215
        return NULL;
8216
    return sc->session->peer_rpk;
8217
}
8218

8219
int SSL_get_negotiated_client_cert_type(const SSL *s)
8220
{
8221
    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
8222

8223
    if (sc == NULL)
8224
        return 0;
8225

8226
    return sc->ext.client_cert_type;
8227
}
8228

8229
int SSL_get_negotiated_server_cert_type(const SSL *s)
8230
{
8231
    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
8232

8233
    if (sc == NULL)
8234
        return 0;
8235

8236
    return sc->ext.server_cert_type;
8237
}
8238

8239
static int validate_cert_type(const unsigned char *val, size_t len)
8240
{
8241
    size_t i;
8242
    int saw_rpk = 0;
8243
    int saw_x509 = 0;
8244

8245
    if (val == NULL && len == 0)
8246
        return 1;
8247

8248
    if (val == NULL || len == 0)
8249
        return 0;
8250

8251
    for (i = 0; i < len; i++) {
8252
        switch (val[i]) {
8253
        case TLSEXT_cert_type_rpk:
8254
            if (saw_rpk)
8255
                return 0;
8256
            saw_rpk = 1;
8257
            break;
8258
        case TLSEXT_cert_type_x509:
8259
            if (saw_x509)
8260
                return 0;
8261
            saw_x509 = 1;
8262
            break;
8263
        case TLSEXT_cert_type_pgp:
8264
        case TLSEXT_cert_type_1609dot2:
8265
        default:
8266
            return 0;
8267
        }
8268
    }
8269
    return 1;
8270
}
8271

8272
static int set_cert_type(unsigned char **cert_type,
8273
                         size_t *cert_type_len,
8274
                         const unsigned char *val,
8275
                         size_t len)
8276
{
8277
    unsigned char *tmp = NULL;
8278

8279
    if (!validate_cert_type(val, len))
8280
        return 0;
8281

8282
    if (val != NULL && (tmp = OPENSSL_memdup(val, len)) == NULL)
8283
        return 0;
8284

8285
    OPENSSL_free(*cert_type);
8286
    *cert_type = tmp;
8287
    *cert_type_len = len;
8288
    return 1;
8289
}
8290

8291
int SSL_set1_client_cert_type(SSL *s, const unsigned char *val, size_t len)
8292
{
8293
    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
8294

8295
    if (sc == NULL)
8296
        return 0;
8297

8298
    return set_cert_type(&sc->client_cert_type, &sc->client_cert_type_len,
8299
                         val, len);
8300
}
8301

8302
int SSL_set1_server_cert_type(SSL *s, const unsigned char *val, size_t len)
8303
{
8304
    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
8305

8306
    if (sc == NULL)
8307
        return 0;
8308

8309
    return set_cert_type(&sc->server_cert_type, &sc->server_cert_type_len,
8310
                         val, len);
8311
}
8312

8313
int SSL_CTX_set1_client_cert_type(SSL_CTX *ctx, const unsigned char *val, size_t len)
8314
{
8315
    return set_cert_type(&ctx->client_cert_type, &ctx->client_cert_type_len,
8316
                         val, len);
8317
}
8318

8319
int SSL_CTX_set1_server_cert_type(SSL_CTX *ctx, const unsigned char *val, size_t len)
8320
{
8321
    return set_cert_type(&ctx->server_cert_type, &ctx->server_cert_type_len,
8322
                         val, len);
8323
}
8324

8325
int SSL_get0_client_cert_type(const SSL *s, unsigned char **t, size_t *len)
8326
{
8327
    const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
8328

8329
    if (t == NULL || len == NULL || sc == NULL)
8330
        return 0;
8331

8332
    *t = sc->client_cert_type;
8333
    *len = sc->client_cert_type_len;
8334
    return 1;
8335
}
8336

8337
int SSL_get0_server_cert_type(const SSL *s, unsigned char **t, size_t *len)
8338
{
8339
    const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
8340

8341
    if (t == NULL || len == NULL || sc == NULL)
8342
        return 0;
8343

8344
    *t = sc->server_cert_type;
8345
    *len = sc->server_cert_type_len;
8346
    return 1;
8347
}
8348

8349
int SSL_CTX_get0_client_cert_type(const SSL_CTX *ctx, unsigned char **t, size_t *len)
8350
{
8351
    if (t == NULL || len == NULL)
8352
        return 0;
8353

8354
    *t = ctx->client_cert_type;
8355
    *len = ctx->client_cert_type_len;
8356
    return 1;
8357
}
8358

8359
int SSL_CTX_get0_server_cert_type(const SSL_CTX *ctx, unsigned char **t, size_t *len)
8360
{
8361
    if (t == NULL || len == NULL)
8362
        return 0;
8363

8364
    *t = ctx->server_cert_type;
8365
    *len = ctx->server_cert_type_len;
8366
    return 1;
8367
}
8368

8369