Diffstat (limited to 'ssl')
-rw-r--r-- | ssl/record/methods/tls_common.c | 13 | ||||
-rw-r--r-- | ssl/record/rec_layer_s3.c | 1 | ||||
-rw-r--r-- | ssl/ssl_ciph.c | 126 | ||||
-rw-r--r-- | ssl/ssl_init.c | 23 | ||||
-rw-r--r-- | ssl/ssl_lib.c | 6 | ||||
-rw-r--r-- | ssl/ssl_local.h | 6 | ||||
-rw-r--r-- | ssl/ssl_sess.c | 11 | ||||
-rw-r--r-- | ssl/ssl_txt.c | 2 | ||||
-rw-r--r-- | ssl/statem/statem_clnt.c | 1 | ||||
-rw-r--r-- | ssl/statem/statem_srvr.c | 1 |
10 files changed, 77 insertions, 113 deletions
diff --git a/ssl/record/methods/tls_common.c b/ssl/record/methods/tls_common.c index bf6dc0d1f5..b09991cafb 100644 --- a/ssl/record/methods/tls_common.c +++ b/ssl/record/methods/tls_common.c @@ -283,6 +283,8 @@ static int tls_release_read_buffer(OSSL_RECORD_LAYER *rl) OPENSSL_cleanse(b->buf, b->len); OPENSSL_free(b->buf); b->buf = NULL; + rl->packet = NULL; + rl->packet_length = 0; return 1; } @@ -325,6 +327,12 @@ int tls_default_read_n(OSSL_RECORD_LAYER *rl, size_t n, size_t max, int extend, /* ... now we can act as if 'extend' was set */ } + if (!ossl_assert(rl->packet != NULL)) { + /* does not happen */ + RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); + return OSSL_RECORD_RETURN_FATAL; + } + len = rl->packet_length; pkt = rb->buf + align; /* @@ -2129,7 +2137,10 @@ int tls_free_buffers(OSSL_RECORD_LAYER *rl) /* Read direction */ /* If we have pending data to be read then fail */ - if (rl->curr_rec < rl->num_recs || TLS_BUFFER_get_left(&rl->rbuf) != 0) + if (rl->curr_rec < rl->num_recs + || rl->curr_rec != rl->num_released + || TLS_BUFFER_get_left(&rl->rbuf) != 0 + || rl->rstate == SSL_ST_READ_BODY) return 0; return tls_release_read_buffer(rl); diff --git a/ssl/record/rec_layer_s3.c b/ssl/record/rec_layer_s3.c index 6a31efe1c0..e61861d9fd 100644 --- a/ssl/record/rec_layer_s3.c +++ b/ssl/record/rec_layer_s3.c @@ -19,6 +19,7 @@ #include <openssl/core_names.h> #include "record_local.h" #include "internal/packet.h" +#include "internal/comp.h" void RECORD_LAYER_init(RECORD_LAYER *rl, SSL_CONNECTION *s) { diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c index e70b800a5c..ce6d0d99a2 100644 --- a/ssl/ssl_ciph.c +++ b/ssl/ssl_ciph.c @@ -21,6 +21,7 @@ #include "ssl_local.h" #include "internal/thread_once.h" #include "internal/cryptlib.h" +#include "internal/comp.h" /* NB: make sure indices in these tables match values above */ 
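Review bot: The `/* does not happen */` comment on the new `ossl_assert(rl->packet != NULL)` in tls_default_read_n understates what the check protects against, because this same commit makes tls_release_read_buffer set `rl->packet = NULL` right after `OPENSSL_free(b->buf)`. Reaching this point with a released buffer would otherwise be a read through a freed pointer, so the guard is a genuine use-after-free barrier rather than a can't-happen assertion. I would replace the comment with `/* packet is NULL once the read buffer has been released; never read through it */`. tls_default_read_n starts and ends outside this hunk.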
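Review bot: The comment `/* If we have pending data to be read then fail */` above the widened condition in tls_free_buffers no longer describes the two new predicates, `rl->curr_rec != rl->num_released` and `rl->rstate == SSL_ST_READ_BODY`. From the names these look like "records handed out but not yet released by the caller" and "a record body still mid-read", but a maintainer should not have to infer that right before the buffer is cleansed and freed. I would expand the comment to `/* Refuse to free while records are buffered, handed out but unreleased, bytes remain in rbuf, or a record body is mid-read */`, adjusting the wording if num_released means something else. tls_free_buffers continues outside the hunk.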
@@ -57,16 +58,6 @@ static const ssl_cipher_table ssl_cipher_table_cipher[SSL_ENC_NUM_IDX] = { {SSL_KUZNYECHIK, NID_kuznyechik_ctr_acpkm}, /* SSL_ENC_KUZNYECHIK_IDX */ }; -#define SSL_COMP_NULL_IDX 0 -#define SSL_COMP_ZLIB_IDX 1 -#define SSL_COMP_NUM_IDX 2 - -static STACK_OF(SSL_COMP) *ssl_comp_methods = NULL; - -#ifndef OPENSSL_NO_COMP -static CRYPTO_ONCE ssl_load_builtin_comp_once = CRYPTO_ONCE_STATIC_INIT; -#endif - /* NB: make sure indices in this table matches values above */ static const ssl_cipher_table ssl_cipher_table_mac[SSL_MD_NUM_IDX] = { {SSL_MD5, NID_md5}, /* SSL_MD_MD5_IDX 0 */ @@ -445,40 +436,6 @@ int ssl_load_ciphers(SSL_CTX *ctx) return 1; } -#ifndef OPENSSL_NO_COMP - -static int sk_comp_cmp(const SSL_COMP *const *a, const SSL_COMP *const *b) -{ - return ((*a)->id - (*b)->id); -} - -DEFINE_RUN_ONCE_STATIC(do_load_builtin_compressions) -{ - SSL_COMP *comp = NULL; - COMP_METHOD *method = COMP_zlib(); - - ssl_comp_methods = sk_SSL_COMP_new(sk_comp_cmp); - - if (COMP_get_type(method) != NID_undef && ssl_comp_methods != NULL) { - comp = OPENSSL_malloc(sizeof(*comp)); - if (comp != NULL) { - comp->method = method; - comp->id = SSL_COMP_ZLIB_IDX; - comp->name = COMP_get_name(method); - if (!sk_SSL_COMP_push(ssl_comp_methods, comp)) - OPENSSL_free(comp); - sk_SSL_COMP_sort(ssl_comp_methods); - } - } - return 1; -} - -static int load_builtin_compressions(void) -{ - return RUN_ONCE(&ssl_load_builtin_comp_once, do_load_builtin_compressions); -} -#endif - int ssl_cipher_get_evp_cipher(SSL_CTX *ctx, const SSL_CIPHER *sslc, const EVP_CIPHER **enc) { 
@@ -549,20 +506,15 @@ int ssl_cipher_get_evp(SSL_CTX *ctx, const SSL_SESSION *s, return 0; if (comp != NULL) { SSL_COMP ctmp; -#ifndef OPENSSL_NO_COMP - if (!load_builtin_compressions()) { - /* - * Currently don't care, since a failure only means that - * ssl_comp_methods is NULL, which is perfectly OK - */ - } -#endif + STACK_OF(SSL_COMP) *comp_methods; + *comp = NULL; ctmp.id = s->compress_meth; - if (ssl_comp_methods != NULL) { - i = sk_SSL_COMP_find(ssl_comp_methods, &ctmp); + comp_methods = SSL_COMP_get_compression_methods(); + if (comp_methods != NULL) { + i = sk_SSL_COMP_find(comp_methods, &ctmp); if (i >= 0) - *comp = sk_SSL_COMP_value(ssl_comp_methods, i); + *comp = sk_SSL_COMP_value(comp_methods, i); } /* If were only interested in comp then return success */ if ((enc == NULL) && (md == NULL)) @@ -649,6 +601,7 @@ const EVP_MD *ssl_prf_md(SSL_CONNECTION *s) ssl_get_algorithm2(s) >> TLS1_PRF_DGST_SHIFT); } + #define ITEM_SEP(a) \ (((a) == ':') || ((a) == ' ') || ((a) == ';') || ((a) == ',')) @@ -1988,17 +1941,19 @@ uint16_t SSL_CIPHER_get_protocol_id(const SSL_CIPHER *c) SSL_COMP *ssl3_comp_find(STACK_OF(SSL_COMP) *sk, int n) { SSL_COMP *ctmp; - int i, nn; + SSL_COMP srch_key; + int i; if ((n == 0) || (sk == NULL)) return NULL; - nn = sk_SSL_COMP_num(sk); - for (i = 0; i < nn; i++) { + srch_key.id = n; + i = sk_SSL_COMP_find(sk, &srch_key); + if (i >= 0) ctmp = sk_SSL_COMP_value(sk, i); - if (ctmp->id == n) - return ctmp; - } - return NULL; + else + ctmp = NULL; + + return ctmp; } #ifdef OPENSSL_NO_COMP 
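Review bot: In ssl_cipher_get_evp the compression method is now looked up through `SSL_COMP_get_compression_methods()`, which as defined later in this file reads `OSSL_LIB_CTX_get_data(NULL, OSSL_LIB_CTX_COMP_METHODS)`, i.e. the default library context, even though the function receives an `SSL_CTX *ctx`. If `ctx` was created against a non-default library context, the table consulted is silently the default context's. That may be the accepted limitation of the `void`-argument public API, but it should be stated at the lookup: `/* Compression methods live in the default libctx; ctx's own libctx is not consulted */`. ssl_cipher_get_evp starts before this hunk.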
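Review bot: Replacing the id-comparing loop in ssl3_comp_find with `sk_SSL_COMP_find(sk, &srch_key)` makes the result depend on `sk` having been created with an id comparator: an OpenSSL stack without one falls back to pointer equality, and `&srch_key` is a local that can never match, so every lookup returns NULL. The comparator this file used to define (`sk_comp_cmp`) is removed by this commit, while `SSL_COMP_set0_compression_methods` still accepts any caller-built stack, so a caller installing a `sk_SSL_COMP_new_null()` stack goes from working to never matching a compression id. Either keep a linear `ctmp->id == n` scan as the fallback when the find fails, or document the requirement on the public setter: `/* meths must be created with an SSL_COMP id comparator so sk_SSL_COMP_find() can search it */`. I cannot see where the libctx stack is created, so the builtin path may already satisfy this.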
@@ -2021,34 +1976,44 @@ int SSL_COMP_add_compression_method(int id, COMP_METHOD *cm) #else STACK_OF(SSL_COMP) *SSL_COMP_get_compression_methods(void) { - load_builtin_compressions(); - return ssl_comp_methods; + STACK_OF(SSL_COMP) **rv; + + rv = (STACK_OF(SSL_COMP) **)OSSL_LIB_CTX_get_data(NULL, + OSSL_LIB_CTX_COMP_METHODS); + if (rv != NULL) + return *rv; + else + return NULL; } STACK_OF(SSL_COMP) *SSL_COMP_set0_compression_methods(STACK_OF(SSL_COMP) *meths) { - STACK_OF(SSL_COMP) *old_meths = ssl_comp_methods; - ssl_comp_methods = meths; - return old_meths; -} + STACK_OF(SSL_COMP) **comp_methods; + STACK_OF(SSL_COMP) *old_meths; -static void cmeth_free(SSL_COMP *cm) -{ - OPENSSL_free(cm); -} + comp_methods = (STACK_OF(SSL_COMP) **)OSSL_LIB_CTX_get_data(NULL, + OSSL_LIB_CTX_COMP_METHODS); + if (comp_methods == NULL) { + old_meths = meths; + } else { + old_meths = *comp_methods; + *comp_methods = meths; + } -void ssl_comp_free_compression_methods_int(void) -{ - STACK_OF(SSL_COMP) *old_meths = ssl_comp_methods; - ssl_comp_methods = NULL; - sk_SSL_COMP_pop_free(old_meths, cmeth_free); + return old_meths; } int SSL_COMP_add_compression_method(int id, COMP_METHOD *cm) { + STACK_OF(SSL_COMP) *comp_methods; SSL_COMP *comp; + comp_methods = SSL_COMP_get_compression_methods(); + + if (comp_methods == NULL) + return 1; + if (cm == NULL || COMP_get_type(cm) == NID_undef) return 1; @@ -2070,18 +2035,17 @@ int SSL_COMP_add_compression_method(int id, COMP_METHOD *cm) return 1; comp->id = id; - comp->method = cm; - load_builtin_compressions(); - if (ssl_comp_methods && sk_SSL_COMP_find(ssl_comp_methods, comp) >= 0) { + if (sk_SSL_COMP_find(comp_methods, comp) >= 0) { OPENSSL_free(comp); ERR_raise(ERR_LIB_SSL, SSL_R_DUPLICATE_COMPRESSION_ID); return 1; } - if (ssl_comp_methods == NULL || !sk_SSL_COMP_push(ssl_comp_methods, comp)) { + if (!sk_SSL_COMP_push(comp_methods, comp)) { OPENSSL_free(comp); ERR_raise(ERR_LIB_SSL, ERR_R_CRYPTO_LIB); return 1; } + return 0; } #endif 
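Review bot: In SSL_COMP_add_compression_method the new early `if (comp_methods == NULL) return 1;` reports failure without raising anything, whereas the line it replaces (`if (ssl_comp_methods == NULL || !sk_SSL_COMP_push(...))`) raised `ERR_R_CRYPTO_LIB` for the same condition. A caller now gets a non-zero return with an empty error queue, which is hard to diagnose. I would add `ERR_raise(ERR_LIB_SSL, ERR_R_CRYPTO_LIB);` before that return, or at minimum a comment saying the default library context has no compression table. Relatedly, `SSL_COMP_set0_compression_methods` hands `meths` straight back when the libctx data is unavailable, which a caller cannot distinguish from a successful swap; a comment on that branch stating that ownership of `meths` stays with the caller would help.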
diff --git a/ssl/ssl_init.c b/ssl/ssl_init.c index 70e567b72c..c99639db7c 100644 --- a/ssl/ssl_init.c +++ b/ssl/ssl_init.c @@ -19,8 +19,6 @@ static int stopped; -static void ssl_library_stop(void); - static CRYPTO_ONCE ssl_base = CRYPTO_ONCE_STATIC_INIT; static int ssl_base_inited = 0; DEFINE_RUN_ONCE_STATIC(ossl_init_ssl_base) @@ -36,11 +34,6 @@ DEFINE_RUN_ONCE_STATIC(ossl_init_ssl_base) #endif ssl_sort_cipher_list(); OSSL_TRACE(INIT, "ossl_init_ssl_base: SSL_add_ssl_module()\n"); - /* - * We ignore an error return here. Not much we can do - but not that bad - * either. We can still safely continue. - */ - OPENSSL_atexit(ssl_library_stop); ssl_base_inited = 1; return 1; } @@ -67,22 +60,6 @@ DEFINE_RUN_ONCE_STATIC_ALT(ossl_init_no_load_ssl_strings, return 1; } -static void ssl_library_stop(void) -{ - /* Might be explicitly called and also by atexit */ - if (stopped) - return; - stopped = 1; - - if (ssl_base_inited) { -#ifndef OPENSSL_NO_COMP - OSSL_TRACE(INIT, "ssl_library_stop: " - "ssl_comp_free_compression_methods_int()\n"); - ssl_comp_free_compression_methods_int(); -#endif - } -} - /* * If this function is called with a non NULL settings value then it must be * called prior to any threads making calls to any OpenSSL functions, diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index 6af23612ee..05047e9163 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -4151,7 +4151,7 @@ void SSL_CTX_free(SSL_CTX *a) * (See ticket [openssl.org #212].) */ if (a->sessions != NULL) - SSL_CTX_flush_sessions(a, 0); + SSL_CTX_flush_sessions_ex(a, 0); CRYPTO_free_ex_data(CRYPTO_EX_INDEX_SSL_CTX, a, &a->ex_data); lh_SSL_SESSION_free(a->sessions); @@ -4544,7 +4544,7 @@ void ssl_update_cache(SSL_CONNECTION *s, int mode) else stat = &s->session_ctx->stats.sess_accept_good; if ((ssl_tsan_load(s->session_ctx, stat) & 0xff) == 0xff) - SSL_CTX_flush_sessions(s->session_ctx, (unsigned long)time(NULL)); + SSL_CTX_flush_sessions_ex(s->session_ctx, time(NULL)); } } 
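Review bot: With ssl_library_stop deleted, nothing in the visible parts of ssl_init.c sets `stopped` any more, yet the `static int stopped;` context line survives. If OPENSSL_init_ssl (outside these hunks) still tests `stopped`, that test is now dead; if nothing reads it, the variable is unused and will warn under `-Wunused`. Either remove `stopped` in the same change, or leave a comment such as `/* stopped is no longer set here: compression teardown moved to libctx cleanup */` explaining why it remains.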
@@ -6363,7 +6363,7 @@ int ssl_validate_ct(SSL_CONNECTION *s) CT_POLICY_EVAL_CTX_set_shared_CTLOG_STORE(ctx, SSL_CONNECTION_GET_CTX(s)->ctlog_store); CT_POLICY_EVAL_CTX_set_time( - ctx, (uint64_t)SSL_SESSION_get_time(s->session) * 1000); + ctx, (uint64_t)SSL_SESSION_get_time_ex(s->session) * 1000); scts = SSL_get0_peer_scts(SSL_CONNECTION_GET_SSL(s)); diff --git a/ssl/ssl_local.h b/ssl/ssl_local.h index 2d827d8bb9..9083ec2f3b 100644 --- a/ssl/ssl_local.h +++ b/ssl/ssl_local.h @@ -37,6 +37,7 @@ # include "internal/ktls.h" # include "internal/time.h" # include "internal/ssl.h" +# include "internal/cryptlib.h" # include "record/record.h" # ifdef OPENSSL_BUILD_SHLIBSSL @@ -637,11 +638,6 @@ typedef enum { #define MAX_COMPRESSIONS_SIZE 255 -struct ssl_comp_st { - int id; - const char *name; - COMP_METHOD *method; -}; typedef struct raw_extension_st { /* Raw packet data for the extension */ diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c index e7c5c2a36f..d326eadb04 100644 --- a/ssl/ssl_sess.c +++ b/ssl/ssl_sess.c @@ -941,10 +941,12 @@ long SSL_SESSION_get_timeout(const SSL_SESSION *s) return (long)ossl_time_to_time_t(s->timeout); } +#ifndef OPENSSL_NO_DEPRECATED_3_4 long SSL_SESSION_get_time(const SSL_SESSION *s) { return (long) SSL_SESSION_get_time_ex(s); } +#endif time_t SSL_SESSION_get_time_ex(const SSL_SESSION *s) { @@ -973,10 +975,12 @@ time_t SSL_SESSION_set_time_ex(SSL_SESSION *s, time_t t) return t; } +#ifndef OPENSSL_NO_DEPRECATED_3_4 long SSL_SESSION_set_time(SSL_SESSION *s, long t) { return (long) SSL_SESSION_set_time_ex(s, (time_t) t); } +#endif int SSL_SESSION_get_protocol_version(const SSL_SESSION *s) { 
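Review bot: The newly deprecated `SSL_SESSION_get_time` wrapper narrows the `time_t` from `SSL_SESSION_get_time_ex` to `long` with a bare cast and carries no comment on why it is deprecated, and `SSL_SESSION_set_time` in the following hunk casts in the other direction the same way. On LLP64 targets `long` is 32 bits, so the cast truncates any session time past 2038, which is presumably the reason the `_ex` variants exist and is worth stating at the wrapper: `/* Deprecated: long cannot hold time_t on LLP64 platforms; use SSL_SESSION_get_time_ex() */`.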
@@ -1183,8 +1187,15 @@ int SSL_set_session_ticket_ext(SSL *s, void *ext_data, int ext_len) return 0; } +#ifndef OPENSSL_NO_DEPRECATED_3_4 void SSL_CTX_flush_sessions(SSL_CTX *s, long t) { + SSL_CTX_flush_sessions_ex(s, (time_t) t); +} +#endif + +void SSL_CTX_flush_sessions_ex(SSL_CTX *s, time_t t) +{ STACK_OF(SSL_SESSION) *sk; SSL_SESSION *current; unsigned long i; diff --git a/ssl/ssl_txt.c b/ssl/ssl_txt.c index 9e9c2e10ec..2a0f503255 100644 --- a/ssl/ssl_txt.c +++ b/ssl/ssl_txt.c @@ -12,6 +12,8 @@ #include <openssl/buffer.h> #include "ssl_local.h" +#include "internal/comp.h" + #ifndef OPENSSL_NO_STDIO int SSL_SESSION_print_fp(FILE *fp, const SSL_SESSION *x) { diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c index 6f73d5f698..162442ea2d 100644 --- a/ssl/statem/statem_clnt.c +++ b/ssl/statem/statem_clnt.c @@ -27,6 +27,7 @@ #include <openssl/core_names.h> #include <openssl/param_build.h> #include "internal/cryptlib.h" +#include "internal/comp.h" static MSG_PROCESS_RETURN tls_process_as_hello_retry_request(SSL_CONNECTION *s, PACKET *pkt); diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c index 5ff479a2ec..08544ed0bf 100644 --- a/ssl/statem/statem_srvr.c +++ b/ssl/statem/statem_srvr.c @@ -27,6 +27,7 @@ #include <openssl/core_names.h> #include <openssl/asn1t.h> #include <openssl/comp.h> +#include "internal/comp.h" #define TICKET_NONCE_SIZE 8 |