mirrors/openssl
0
0
Fork 0
mirror of https://github.com/openssl/openssl.git synced 2024-11-27 03:54:14 +08:00
Code Issues Packages Projects Releases Wiki Activity

Make sure we use the correct SSL object when making a callback

Browse Source 
When processing a callback within libssl that applies to TLS the original
SSL object may have been created for TLS directly, or for QUIC. When making
the callback we must make sure that we use the correct SSL object. In the
case of QUIC we must not use the internal only SSL object.

Fixes #25788

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25874)
This commit is contained in:
Matt Caswell 2024-11-05 09:12:35 +00:00 committed by Tomas Mraz
parent f88c2f2d17
commit dc84829cc5
16 changed files with 87 additions and 72 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
ssl/d1_lib.c
View File

@ -396,7 +396,7 @@ int dtls1_handle_timeout(SSL_CONNECTION *s)
}
if (s->d1->timer_cb != NULL)
s->d1->timeout_duration_us = s->d1->timer_cb(SSL_CONNECTION_GET_SSL(s),
s->d1->timeout_duration_us = s->d1->timer_cb(SSL_CONNECTION_GET_USER_SSL(s),
s->d1->timeout_duration_us);
else
dtls1_double_timeout(s);

4
ssl/record/rec_layer_s3.c
View File

@ -1131,7 +1131,7 @@ static void rlayer_msg_callback_wrapper(int write_p, int version,
size_t len, void *cbarg)
{
SSL_CONNECTION *s = cbarg;
SSL *ssl = SSL_CONNECTION_GET_SSL(s);
SSL *ssl = SSL_CONNECTION_GET_USER_SSL(s);
if (s->msg_callback != NULL)
s->msg_callback(write_p, version, content_type, buf, len, ssl,
@ -1151,7 +1151,7 @@ static OSSL_FUNC_rlayer_padding_fn rlayer_padding_wrapper;
static size_t rlayer_padding_wrapper(void *cbarg, int type, size_t len)
{
SSL_CONNECTION *s = cbarg;
SSL *ssl = SSL_CONNECTION_GET_SSL(s);
SSL *ssl = SSL_CONNECTION_GET_USER_SSL(s);
return s->rlayer.record_padding_cb(ssl, type, len,
s->rlayer.record_padding_arg);

2
ssl/ssl_cert.c
View File

@ -1278,7 +1278,7 @@ static int ssl_security_default_callback(const SSL *s, const SSL_CTX *ctx,
int ssl_security(const SSL_CONNECTION *s, int op, int bits, int nid, void *other)
{
return s->cert->sec_cb(SSL_CONNECTION_GET_SSL(s), NULL, op, bits, nid,
return s->cert->sec_cb(SSL_CONNECTION_GET_USER_SSL(s), NULL, op, bits, nid,
other, s->cert->sec_ex);
}

4
ssl/ssl_lib.c
View File

@ -4675,7 +4675,7 @@ void ssl_update_cache(SSL_CONNECTION *s, int mode)
*/
if (s->session_ctx->new_session_cb != NULL) {
SSL_SESSION_up_ref(s->session);
if (!s->session_ctx->new_session_cb(SSL_CONNECTION_GET_SSL(s),
if (!s->session_ctx->new_session_cb(SSL_CONNECTION_GET_USER_SSL(s),
s->session))
SSL_SESSION_free(s->session);
}
@ -6915,7 +6915,7 @@ static int nss_keylog_int(const char *prefix,
do_sslkeylogfile(SSL_CONNECTION_GET_SSL(sc), (const char *)out);
#endif
if (sctx->keylog_callback != NULL)
sctx->keylog_callback(SSL_CONNECTION_GET_SSL(sc), (const char *)out);
sctx->keylog_callback(SSL_CONNECTION_GET_USER_SSL(sc), (const char *)out);
OPENSSL_clear_free(out, out_len);
return 1;
}

2
ssl/ssl_sess.c
View File

@ -522,7 +522,7 @@ SSL_SESSION *lookup_sess_in_cache(SSL_CONNECTION *s,
if (ret == NULL && s->session_ctx->get_session_cb != NULL) {
int copy = 1;
ret = s->session_ctx->get_session_cb(SSL_CONNECTION_GET_SSL(s),
ret = s->session_ctx->get_session_cb(SSL_CONNECTION_GET_USER_SSL(s),
sess_id, sess_id_len, &copy);
if (ret != NULL) {

13
ssl/statem/extensions.c
View File

@ -693,7 +693,7 @@ int tls_collect_extensions(SSL_CONNECTION *s, PACKET *packet,
thisex->type = type;
thisex->received_order = i++;
if (s->ext.debug_cb)
s->ext.debug_cb(SSL_CONNECTION_GET_SSL(s), !s->server,
s->ext.debug_cb(SSL_CONNECTION_GET_USER_SSL(s), !s->server,
thisex->type, PACKET_data(&thisex->data),
PACKET_remaining(&thisex->data),
s->ext.debug_arg);
@ -991,6 +991,7 @@ static int final_server_name(SSL_CONNECTION *s, unsigned int context, int sent)
int ret = SSL_TLSEXT_ERR_NOACK;
int altmp = SSL_AD_UNRECOGNIZED_NAME;
SSL *ssl = SSL_CONNECTION_GET_SSL(s);
SSL *ussl = SSL_CONNECTION_GET_USER_SSL(s);
SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
int was_ticket = (SSL_get_options(ssl) & SSL_OP_NO_TICKET) == 0;
@ -1000,11 +1001,11 @@ static int final_server_name(SSL_CONNECTION *s, unsigned int context, int sent)
}
if (sctx->ext.servername_cb != NULL)
ret = sctx->ext.servername_cb(ssl, &altmp,
ret = sctx->ext.servername_cb(ussl, &altmp,
sctx->ext.servername_arg);
else if (s->session_ctx->ext.servername_cb != NULL)
ret = s->session_ctx->ext.servername_cb(ssl, &altmp,
s->session_ctx->ext.servername_arg);
ret = s->session_ctx->ext.servername_cb(ussl, &altmp,
s->session_ctx->ext.servername_arg);
/*
* For servers, propagate the SNI hostname from the temporary
@ -1739,8 +1740,8 @@ static int final_early_data(SSL_CONNECTION *s, unsigned int context, int sent)
|| !s->ext.early_data_ok
|| s->hello_retry_request != SSL_HRR_NONE
|| (s->allow_early_data_cb != NULL
&& !s->allow_early_data_cb(SSL_CONNECTION_GET_SSL(s),
s->allow_early_data_cb_data))) {
&& !s->allow_early_data_cb(SSL_CONNECTION_GET_USER_SSL(s),
s->allow_early_data_cb_data))) {
s->ext.early_data = SSL_EARLY_DATA_REJECTED;
} else {
s->ext.early_data = SSL_EARLY_DATA_ACCEPTED;

13
ssl/statem/extensions_clnt.c
View File

@ -784,13 +784,13 @@ EXT_RETURN tls_construct_ctos_early_data(SSL_CONNECTION *s, WPACKET *pkt,
SSL_SESSION *psksess = NULL;
SSL_SESSION *edsess = NULL;
const EVP_MD *handmd = NULL;
SSL *ssl = SSL_CONNECTION_GET_SSL(s);
SSL *ussl = SSL_CONNECTION_GET_USER_SSL(s);
if (s->hello_retry_request == SSL_HRR_PENDING)
handmd = ssl_handshake_md(s);
if (s->psk_use_session_cb != NULL
&& (!s->psk_use_session_cb(ssl, handmd, &id, &idlen, &psksess)
&& (!s->psk_use_session_cb(ussl, handmd, &id, &idlen, &psksess)
|| (psksess != NULL
&& psksess->ssl_version != TLS1_3_VERSION))) {
SSL_SESSION_free(psksess);
@ -804,7 +804,7 @@ EXT_RETURN tls_construct_ctos_early_data(SSL_CONNECTION *s, WPACKET *pkt,
size_t psklen = 0;
memset(identity, 0, sizeof(identity));
psklen = s->psk_client_callback(ssl, NULL,
psklen = s->psk_client_callback(ussl, NULL,
identity, sizeof(identity) - 1,
psk, sizeof(psk));
@ -826,7 +826,8 @@ EXT_RETURN tls_construct_ctos_early_data(SSL_CONNECTION *s, WPACKET *pkt,
* We found a PSK using an old style callback. We don't know
* the digest so we default to SHA256 as per the TLSv1.3 spec
*/
cipher = SSL_CIPHER_find(ssl, tls13_aes128gcmsha256_id);
cipher = SSL_CIPHER_find(SSL_CONNECTION_GET_SSL(s),
tls13_aes128gcmsha256_id);
if (cipher == NULL) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
return EXT_RETURN_FAIL;
@ -1421,7 +1422,7 @@ int tls_parse_stoc_session_ticket(SSL_CONNECTION *s, PACKET *pkt,
unsigned int context,
X509 *x, size_t chainidx)
{
SSL *ssl = SSL_CONNECTION_GET_SSL(s);
SSL *ssl = SSL_CONNECTION_GET_USER_SSL(s);
if (s->ext.session_ticket_cb != NULL &&
!s->ext.session_ticket_cb(ssl, PACKET_data(pkt),
@ -1595,7 +1596,7 @@ int tls_parse_stoc_npn(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
/* SSLfatal() already called */
return 0;
}
if (sctx->ext.npn_select_cb(SSL_CONNECTION_GET_SSL(s),
if (sctx->ext.npn_select_cb(SSL_CONNECTION_GET_USER_SSL(s),
&selected, &selected_len,
PACKET_data(pkt), PACKET_remaining(pkt),
sctx->ext.npn_select_cb_arg) != SSL_TLSEXT_ERR_OK

14
ssl/statem/extensions_cust.c
View File

@ -158,7 +158,7 @@ int custom_ext_parse(SSL_CONNECTION *s, unsigned int context,
if (meth->parse_cb == NULL)
return 1;
if (meth->parse_cb(SSL_CONNECTION_GET_SSL(s), ext_type, context, ext_data,
if (meth->parse_cb(SSL_CONNECTION_GET_USER_SSL(s), ext_type, context, ext_data,
ext_size, x, chainidx, &al, meth->parse_arg) <= 0) {
SSLfatal(s, al, SSL_R_BAD_EXTENSION);
return 0;
@ -207,7 +207,7 @@ int custom_ext_add(SSL_CONNECTION *s, int context, WPACKET *pkt, X509 *x,
continue;
if (meth->add_cb != NULL) {
int cb_retval = meth->add_cb(SSL_CONNECTION_GET_SSL(s),
int cb_retval = meth->add_cb(SSL_CONNECTION_GET_USER_SSL(s),
meth->ext_type, context, &out,
&outlen, x, chainidx, &al,
meth->add_arg);
@ -226,8 +226,8 @@ int custom_ext_add(SSL_CONNECTION *s, int context, WPACKET *pkt, X509 *x,
|| (outlen > 0 && !WPACKET_memcpy(pkt, out, outlen))
|| !WPACKET_close(pkt)) {
if (meth->free_cb != NULL)
meth->free_cb(SSL_CONNECTION_GET_SSL(s), meth->ext_type, context,
out, meth->add_arg);
meth->free_cb(SSL_CONNECTION_GET_USER_SSL(s), meth->ext_type,
context, out, meth->add_arg);
if (!for_comp)
SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
return 0;
@ -238,7 +238,7 @@ int custom_ext_add(SSL_CONNECTION *s, int context, WPACKET *pkt, X509 *x,
*/
if (!ossl_assert((meth->ext_flags & SSL_EXT_FLAG_SENT) == 0)) {
if (meth->free_cb != NULL)
meth->free_cb(SSL_CONNECTION_GET_SSL(s), meth->ext_type,
meth->free_cb(SSL_CONNECTION_GET_USER_SSL(s), meth->ext_type,
context, out, meth->add_arg);
if (!for_comp)
SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
@ -252,8 +252,8 @@ int custom_ext_add(SSL_CONNECTION *s, int context, WPACKET *pkt, X509 *x,
meth->ext_flags |= SSL_EXT_FLAG_SENT;
}
if (meth->free_cb != NULL)
meth->free_cb(SSL_CONNECTION_GET_SSL(s), meth->ext_type, context,
out, meth->add_arg);
meth->free_cb(SSL_CONNECTION_GET_USER_SSL(s), meth->ext_type,
context, out, meth->add_arg);
}
return 1;
}

20
ssl/statem/extensions_srvr.c
View File

@ -265,7 +265,7 @@ int tls_parse_ctos_session_ticket(SSL_CONNECTION *s, PACKET *pkt,
X509 *x, size_t chainidx)
{
if (s->ext.session_ticket_cb &&
!s->ext.session_ticket_cb(SSL_CONNECTION_GET_SSL(s),
!s->ext.session_ticket_cb(SSL_CONNECTION_GET_USER_SSL(s),
PACKET_data(pkt), PACKET_remaining(pkt),
s->ext.session_ticket_cb_arg)) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
@ -852,7 +852,7 @@ int tls_parse_ctos_cookie(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
}
/* Verify the app cookie */
if (sctx->verify_stateless_cookie_cb(ssl,
if (sctx->verify_stateless_cookie_cb(SSL_CONNECTION_GET_USER_SSL(s),
PACKET_data(&appcookie),
PACKET_remaining(&appcookie)) == 0) {
SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_COOKIE_MISMATCH);
@ -1031,7 +1031,7 @@ int tls_parse_ctos_psk(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
unsigned int id, i, ext = 0;
const EVP_MD *md = NULL;
SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
SSL *ssl = SSL_CONNECTION_GET_SSL(s);
SSL *ussl = SSL_CONNECTION_GET_USER_SSL(s);
/*
* If we have no PSK kex mode that we recognise then we can't resume so
@ -1060,7 +1060,7 @@ int tls_parse_ctos_psk(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
idlen = PACKET_remaining(&identity);
if (s->psk_find_session_cb != NULL
&& !s->psk_find_session_cb(ssl, PACKET_data(&identity), idlen,
&& !s->psk_find_session_cb(ussl, PACKET_data(&identity), idlen,
&sess)) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_EXTENSION);
return 0;
@ -1078,7 +1078,7 @@ int tls_parse_ctos_psk(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
return 0;
}
pskdatalen = s->psk_server_callback(ssl, pskid, pskdata,
pskdatalen = s->psk_server_callback(ussl, pskid, pskdata,
sizeof(pskdata));
OPENSSL_free(pskid);
if (pskdatalen > PSK_MAX_PSK_LEN) {
@ -1092,7 +1092,8 @@ int tls_parse_ctos_psk(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
* We found a PSK using an old style callback. We don't know
* the digest so we default to SHA256 as per the TLSv1.3 spec
*/
cipher = SSL_CIPHER_find(ssl, tls13_aes128gcmsha256_id);
cipher = SSL_CIPHER_find(SSL_CONNECTION_GET_SSL(s),
tls13_aes128gcmsha256_id);
if (cipher == NULL) {
OPENSSL_cleanse(pskdata, pskdatalen);
SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
@ -1510,8 +1511,8 @@ EXT_RETURN tls_construct_stoc_next_proto_neg(SSL_CONNECTION *s, WPACKET *pkt,
if (!npn_seen || sctx->ext.npn_advertised_cb == NULL)
return EXT_RETURN_NOT_SENT;
ret = sctx->ext.npn_advertised_cb(SSL_CONNECTION_GET_SSL(s), &npa, &npalen,
sctx->ext.npn_advertised_cb_arg);
ret = sctx->ext.npn_advertised_cb(SSL_CONNECTION_GET_USER_SSL(s), &npa,
&npalen, sctx->ext.npn_advertised_cb_arg);
if (ret == SSL_TLSEXT_ERR_OK) {
if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_next_proto_neg)
|| !WPACKET_sub_memcpy_u16(pkt, npa, npalen)) {
@ -1784,6 +1785,7 @@ EXT_RETURN tls_construct_stoc_cookie(SSL_CONNECTION *s, WPACKET *pkt,
int ret = EXT_RETURN_FAIL;
SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
SSL *ssl = SSL_CONNECTION_GET_SSL(s);
SSL *ussl = SSL_CONNECTION_GET_USER_SSL(s);
if ((s->s3.flags & TLS1_FLAGS_STATELESS) == 0)
return EXT_RETURN_NOT_SENT;
@ -1833,7 +1835,7 @@ EXT_RETURN tls_construct_stoc_cookie(SSL_CONNECTION *s, WPACKET *pkt,
}
/* Generate the application cookie */
if (sctx->gen_stateless_cookie_cb(ssl, appcookie1,
if (sctx->gen_stateless_cookie_cb(ussl, appcookie1,
&appcookielen) == 0) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_COOKIE_GEN_CALLBACK_FAILURE);
return EXT_RETURN_FAIL;

11
ssl/statem/statem.c
View File

@ -359,6 +359,7 @@ static int state_machine(SSL_CONNECTION *s, int server)
int ret = -1;
int ssret;
SSL *ssl = SSL_CONNECTION_GET_SSL(s);
SSL *ussl = SSL_CONNECTION_GET_USER_SSL(s);
if (st->state == MSG_FLOW_ERROR) {
/* Shouldn't have been called if we're already in the error state */
@ -401,7 +402,7 @@ static int state_machine(SSL_CONNECTION *s, int server)
s->server = server;
if (cb != NULL) {
if (SSL_IS_FIRST_HANDSHAKE(s) || !SSL_CONNECTION_IS_TLS13(s))
cb(ssl, SSL_CB_HANDSHAKE_START, 1);
cb(ussl, SSL_CB_HANDSHAKE_START, 1);
}
/*
@ -523,9 +524,9 @@ static int state_machine(SSL_CONNECTION *s, int server)
BUF_MEM_free(buf);
if (cb != NULL) {
if (server)
cb(ssl, SSL_CB_ACCEPT_EXIT, ret);
cb(ussl, SSL_CB_ACCEPT_EXIT, ret);
else
cb(ssl, SSL_CB_CONNECT_EXIT, ret);
cb(ussl, SSL_CB_CONNECT_EXIT, ret);
}
return ret;
}
@ -592,7 +593,7 @@ static SUB_STATE_RETURN read_state_machine(SSL_CONNECTION *s)
WORK_STATE(*post_process_message) (SSL_CONNECTION *s, WORK_STATE wst);
size_t (*max_message_size) (SSL_CONNECTION *s);
void (*cb) (const SSL *ssl, int type, int val) = NULL;
SSL *ssl = SSL_CONNECTION_GET_SSL(s);
SSL *ssl = SSL_CONNECTION_GET_USER_SSL(s);
cb = get_callback(s);
@ -815,7 +816,7 @@ static SUB_STATE_RETURN write_state_machine(SSL_CONNECTION *s)
CON_FUNC_RETURN (*confunc) (SSL_CONNECTION *s, WPACKET *pkt);
int mt;
WPACKET pkt;
SSL *ssl = SSL_CONNECTION_GET_SSL(s);
SSL *ssl = SSL_CONNECTION_GET_USER_SSL(s);
cb = get_callback(s);

9
ssl/statem/statem_clnt.c
View File

@ -1464,6 +1464,7 @@ MSG_PROCESS_RETURN tls_process_server_hello(SSL_CONNECTION *s, PACKET *pkt)
unsigned int context;
RAW_EXTENSION *extensions = NULL;
SSL *ssl = SSL_CONNECTION_GET_SSL(s);
SSL *ussl = SSL_CONNECTION_GET_USER_SSL(s);
#ifndef OPENSSL_NO_COMP
SSL_COMP *comp;
#endif
@ -1624,7 +1625,7 @@ MSG_PROCESS_RETURN tls_process_server_hello(SSL_CONNECTION *s, PACKET *pkt)
int master_key_length;
master_key_length = sizeof(s->session->master_key);
if (s->ext.session_secret_cb(ssl, s->session->master_key,
if (s->ext.session_secret_cb(ussl, s->session->master_key,
&master_key_length,
NULL, &pref_cipher,
s->ext.session_secret_cb_arg)
@ -2930,7 +2931,7 @@ int tls_process_initial_server_flight(SSL_CONNECTION *s)
*/
if (s->ext.status_type != TLSEXT_STATUSTYPE_nothing
&& sctx->ext.status_cb != NULL) {
int ret = sctx->ext.status_cb(SSL_CONNECTION_GET_SSL(s),
int ret = sctx->ext.status_cb(SSL_CONNECTION_GET_USER_SSL(s),
sctx->ext.status_arg);
if (ret == 0) {
@ -3004,7 +3005,7 @@ static int tls_construct_cke_psk_preamble(SSL_CONNECTION *s, WPACKET *pkt)
memset(identity, 0, sizeof(identity));
psklen = s->psk_client_callback(SSL_CONNECTION_GET_SSL(s),
psklen = s->psk_client_callback(SSL_CONNECTION_GET_USER_SSL(s),
s->session->psk_identity_hint,
identity, sizeof(identity) - 1,
psk, sizeof(psk));
@ -4055,7 +4056,7 @@ int ssl_do_client_cert_cb(SSL_CONNECTION *s, X509 **px509, EVP_PKEY **ppkey)
}
#endif
if (sctx->client_cert_cb)
i = sctx->client_cert_cb(SSL_CONNECTION_GET_SSL(s), px509, ppkey);
i = sctx->client_cert_cb(SSL_CONNECTION_GET_USER_SSL(s), px509, ppkey);
return i;
}

10
ssl/statem/statem_dtls.c
View File

@ -114,6 +114,7 @@ int dtls1_do_write(SSL_CONNECTION *s, uint8_t type)
int retry = 1;
size_t len, frag_off, overhead, used_len;
SSL *ssl = SSL_CONNECTION_GET_SSL(s);
SSL *ussl = SSL_CONNECTION_GET_USER_SSL(s);
if (!dtls1_query_mtu(s))
return -1;
@ -295,7 +296,7 @@ int dtls1_do_write(SSL_CONNECTION *s, uint8_t type)
if (written == s->init_num) {
if (s->msg_callback)
s->msg_callback(1, s->version, type, s->init_buf->data,
(size_t)(s->init_off + s->init_num), ssl,
(size_t)(s->init_off + s->init_num), ussl,
s->msg_callback_arg);
s->init_off = 0; /* done writing this message */
@ -348,7 +349,7 @@ int dtls_get_message(SSL_CONNECTION *s, int *mt)
if (*mt == SSL3_MT_CHANGE_CIPHER_SPEC) {
if (s->msg_callback) {
s->msg_callback(0, s->version, SSL3_RT_CHANGE_CIPHER_SPEC,
p, 1, SSL_CONNECTION_GET_SSL(s),
p, 1, SSL_CONNECTION_GET_USER_SSL(s),
s->msg_callback_arg);
}
/*
@ -409,7 +410,7 @@ int dtls_get_message_body(SSL_CONNECTION *s, size_t *len)
if (s->msg_callback)
s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE,
s->init_buf->data, s->init_num + DTLS1_HM_HEADER_LENGTH,
SSL_CONNECTION_GET_SSL(s), s->msg_callback_arg);
SSL_CONNECTION_GET_USER_SSL(s), s->msg_callback_arg);
end:
*len = s->init_num;
@ -808,6 +809,7 @@ static int dtls_get_reassembled_message(SSL_CONNECTION *s, int *errtype,
struct hm_header_st msg_hdr;
size_t readbytes;
SSL *ssl = SSL_CONNECTION_GET_SSL(s);
SSL *ussl = SSL_CONNECTION_GET_USER_SSL(s);
int chretran = 0;
unsigned char *p;
@ -913,7 +915,7 @@ static int dtls_get_reassembled_message(SSL_CONNECTION *s, int *errtype,
if (p[1] == 0 && p[2] == 0 && p[3] == 0) {
if (s->msg_callback)
s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE,
p, DTLS1_HM_HEADER_LENGTH, ssl,
p, DTLS1_HM_HEADER_LENGTH, ussl,
s->msg_callback_arg);
s->init_num = 0;

15
ssl/statem/statem_lib.c
View File

@ -63,6 +63,7 @@ int ssl3_do_write(SSL_CONNECTION *s, uint8_t type)
int ret;
size_t written = 0;
SSL *ssl = SSL_CONNECTION_GET_SSL(s);
SSL *ussl = SSL_CONNECTION_GET_USER_SSL(s);
/*
* If we're running the test suite then we may need to mutate the message
@ -112,7 +113,7 @@ int ssl3_do_write(SSL_CONNECTION *s, uint8_t type)
s->statem.write_in_progress = 0;
if (s->msg_callback)
s->msg_callback(1, s->version, type, s->init_buf->data,
(size_t)(s->init_off + s->init_num), ssl,
(size_t)(s->init_off + s->init_num), ussl,
s->msg_callback_arg);
return 1;
}
@ -1411,7 +1412,7 @@ WORK_STATE tls_finish_handshake(SSL_CONNECTION *s, ossl_unused WORK_STATE wst,
{
void (*cb) (const SSL *ssl, int type, int val) = NULL;
int cleanuphand = s->statem.cleanuphand;
SSL *ssl = SSL_CONNECTION_GET_SSL(s);
SSL *ssl = SSL_CONNECTION_GET_USER_SSL(s);
SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
if (clearbufs) {
@ -1423,7 +1424,7 @@ WORK_STATE tls_finish_handshake(SSL_CONNECTION *s, ossl_unused WORK_STATE wst,
* MUST NOT be used.
* Hence the init_buf can be cleared when DTLS over SCTP as transport is used.
*/
|| BIO_dgram_is_sctp(SSL_get_wbio(ssl))
|| BIO_dgram_is_sctp(SSL_get_wbio(SSL_CONNECTION_GET_SSL(s)))
#endif
) {
/*
@ -1535,6 +1536,7 @@ int tls_get_message_header(SSL_CONNECTION *s, int *mt)
unsigned char *p;
size_t l, readbytes;
SSL *ssl = SSL_CONNECTION_GET_SSL(s);
SSL *ussl = SSL_CONNECTION_GET_USER_SSL(s);
p = (unsigned char *)s->init_buf->data;
@ -1598,7 +1600,7 @@ int tls_get_message_header(SSL_CONNECTION *s, int *mt)
if (s->msg_callback)
s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE,
p, SSL3_HM_HEADER_LENGTH, ssl,
p, SSL3_HM_HEADER_LENGTH, ussl,
s->msg_callback_arg);
}
} while (skip_message);
@ -1643,6 +1645,7 @@ int tls_get_message_body(SSL_CONNECTION *s, size_t *len)
unsigned char *p;
int i;
SSL *ssl = SSL_CONNECTION_GET_SSL(s);
SSL *ussl = SSL_CONNECTION_GET_USER_SSL(s);
if (s->s3.tmp.message_type == SSL3_MT_CHANGE_CIPHER_SPEC) {
/* We've already read everything in */
@ -1684,7 +1687,7 @@ int tls_get_message_body(SSL_CONNECTION *s, size_t *len)
}
if (s->msg_callback)
s->msg_callback(0, SSL2_VERSION, 0, s->init_buf->data,
(size_t)s->init_num, ssl, s->msg_callback_arg);
(size_t)s->init_num, ussl, s->msg_callback_arg);
} else {
/*
* We defer feeding in the HRR until later. We'll do it as part of
@ -1712,7 +1715,7 @@ int tls_get_message_body(SSL_CONNECTION *s, size_t *len)
}
if (s->msg_callback)
s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, s->init_buf->data,
(size_t)s->init_num + SSL3_HM_HEADER_LENGTH, ssl,
(size_t)s->init_num + SSL3_HM_HEADER_LENGTH, ussl,
s->msg_callback_arg);
}

29
ssl/statem/statem_srvr.c
View File

@ -1383,7 +1383,7 @@ CON_FUNC_RETURN dtls_construct_hello_verify_request(SSL_CONNECTION *s,
SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
if (sctx->app_gen_cookie_cb == NULL
|| sctx->app_gen_cookie_cb(SSL_CONNECTION_GET_SSL(s), s->d1->cookie,
|| sctx->app_gen_cookie_cb(SSL_CONNECTION_GET_USER_SSL(s), s->d1->cookie,
&cookie_leni) == 0
|| cookie_leni > DTLS1_COOKIE_LENGTH) {
SSLfatal(s, SSL_AD_NO_ALERT, SSL_R_COOKIE_GEN_CALLBACK_FAILURE);
@ -1696,12 +1696,13 @@ static int tls_early_post_process_client_hello(SSL_CONNECTION *s)
DOWNGRADE dgrd = DOWNGRADE_NONE;
SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
SSL *ssl = SSL_CONNECTION_GET_SSL(s);
SSL *ussl = SSL_CONNECTION_GET_USER_SSL(s);
/* Finished parsing the ClientHello, now we can start processing it */
/* Give the ClientHello callback a crack at things */
if (sctx->client_hello_cb != NULL) {
/* A failure in the ClientHello callback terminates the connection. */
switch (sctx->client_hello_cb(ssl, &al, sctx->client_hello_cb_arg)) {
switch (sctx->client_hello_cb(ussl, &al, sctx->client_hello_cb_arg)) {
case SSL_CLIENT_HELLO_SUCCESS:
break;
case SSL_CLIENT_HELLO_RETRY:
@ -1757,8 +1758,8 @@ static int tls_early_post_process_client_hello(SSL_CONNECTION *s)
/* Empty cookie was already handled above by returning early. */
if (SSL_get_options(ssl) & SSL_OP_COOKIE_EXCHANGE) {
if (sctx->app_verify_cookie_cb != NULL) {
if (sctx->app_verify_cookie_cb(ssl, clienthello->dtls_cookie,
clienthello->dtls_cookie_len) == 0) {
if (sctx->app_verify_cookie_cb(ussl, clienthello->dtls_cookie,
clienthello->dtls_cookie_len) == 0) {
SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
SSL_R_COOKIE_MISMATCH);
goto err;
@ -1981,7 +1982,7 @@ static int tls_early_post_process_client_hello(SSL_CONNECTION *s)
int master_key_length;
master_key_length = sizeof(s->session->master_key);
if (s->ext.session_secret_cb(ssl, s->session->master_key,
if (s->ext.session_secret_cb(ussl, s->session->master_key,
&master_key_length, ciphers,
&pref_cipher,
s->ext.session_secret_cb_arg)
@ -2164,7 +2165,7 @@ static int tls_handle_status_request(SSL_CONNECTION *s)
* et al can pick it up.
*/
s->cert->key = s->s3.tmp.cert;
ret = sctx->ext.status_cb(SSL_CONNECTION_GET_SSL(s),
ret = sctx->ext.status_cb(SSL_CONNECTION_GET_USER_SSL(s),
sctx->ext.status_arg);
switch (ret) {
/* We don't want to send a status request response */
@ -2199,7 +2200,7 @@ int tls_handle_alpn(SSL_CONNECTION *s)
SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
if (sctx->ext.alpn_select_cb != NULL && s->s3.alpn_proposed != NULL) {
int r = sctx->ext.alpn_select_cb(SSL_CONNECTION_GET_SSL(s),
int r = sctx->ext.alpn_select_cb(SSL_CONNECTION_GET_USER_SSL(s),
&selected, &selected_len,
s->s3.alpn_proposed,
(unsigned int)s->s3.alpn_proposed_len,
@ -2274,6 +2275,7 @@ WORK_STATE tls_post_process_client_hello(SSL_CONNECTION *s, WORK_STATE wst)
{
const SSL_CIPHER *cipher;
SSL *ssl = SSL_CONNECTION_GET_SSL(s);
SSL *ussl = SSL_CONNECTION_GET_USER_SSL(s);
if (wst == WORK_MORE_A) {
int rv = tls_early_post_process_client_hello(s);
@ -2289,7 +2291,8 @@ WORK_STATE tls_post_process_client_hello(SSL_CONNECTION *s, WORK_STATE wst)
if (!s->hit || SSL_CONNECTION_IS_TLS13(s)) {
/* Let cert callback update server certificates if required */
if (!s->hit && s->cert->cert_cb != NULL) {
int rv = s->cert->cert_cb(ssl, s->cert->cert_cb_arg);
int rv = s->cert->cert_cb(ussl, s->cert->cert_cb_arg);
if (rv == 0) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_CERT_CB_ERROR);
goto err;
@ -2322,7 +2325,7 @@ WORK_STATE tls_post_process_client_hello(SSL_CONNECTION *s, WORK_STATE wst)
/* check whether we should disable session resumption */
if (s->not_resumable_session_cb != NULL)
s->session->not_resumable =
s->not_resumable_session_cb(ssl,
s->not_resumable_session_cb(ussl,
((s->s3.tmp.new_cipher->algorithm_mkey
& (SSL_kDHE | SSL_kECDHE)) != 0));
if (s->session->not_resumable)
@ -2562,7 +2565,7 @@ CON_FUNC_RETURN tls_construct_server_key_exchange(SSL_CONNECTION *s,
}
#if !defined(OPENSSL_NO_DEPRECATED_3_0)
if ((pkdhp == NULL) && (s->cert->dh_tmp_cb != NULL)) {
pkdh = ssl_dh_to_pkey(s->cert->dh_tmp_cb(SSL_CONNECTION_GET_SSL(s),
pkdh = ssl_dh_to_pkey(s->cert->dh_tmp_cb(SSL_CONNECTION_GET_USER_SSL(s),
0, 1024));
if (pkdh == NULL) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
@ -2918,7 +2921,7 @@ static int tls_process_cke_psk_preamble(SSL_CONNECTION *s, PACKET *pkt)
return 0;
}
psklen = s->psk_server_callback(SSL_CONNECTION_GET_SSL(s),
psklen = s->psk_server_callback(SSL_CONNECTION_GET_USER_SSL(s),
s->session->psk_identity,
psk, sizeof(psk));
@ -3936,7 +3939,7 @@ static CON_FUNC_RETURN construct_stateless_ticket(SSL_CONNECTION *s,
int iv_len;
CON_FUNC_RETURN ok = CON_FUNC_ERROR;
size_t macoffset, macendoffset;
SSL *ssl = SSL_CONNECTION_GET_SSL(s);
SSL *ssl = SSL_CONNECTION_GET_USER_SSL(s);
SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
/* get session encoding length */
@ -4247,7 +4250,7 @@ CON_FUNC_RETURN tls_construct_new_session_ticket(SSL_CONNECTION *s, WPACKET *pkt
}
if (tctx->generate_ticket_cb != NULL &&
tctx->generate_ticket_cb(SSL_CONNECTION_GET_SSL(s),
tctx->generate_ticket_cb(SSL_CONNECTION_GET_USER_SSL(s),
tctx->ticket_cb_data) == 0) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
goto err;

5
ssl/t1_lib.c
View File

@ -2428,7 +2428,8 @@ SSL_TICKET_STATUS tls_decrypt_ticket(SSL_CONNECTION *s,
int rv = 0;
if (tctx->ext.ticket_key_evp_cb != NULL)
rv = tctx->ext.ticket_key_evp_cb(SSL_CONNECTION_GET_SSL(s), nctick,
rv = tctx->ext.ticket_key_evp_cb(SSL_CONNECTION_GET_USER_SSL(s),
nctick,
nctick + TLSEXT_KEYNAME_LENGTH,
ctx,
ssl_hmac_get0_EVP_MAC_CTX(hctx),
@ -2436,7 +2437,7 @@ SSL_TICKET_STATUS tls_decrypt_ticket(SSL_CONNECTION *s,
#ifndef OPENSSL_NO_DEPRECATED_3_0
else if (tctx->ext.ticket_key_cb != NULL)
/* if 0 is returned, write an empty ticket */
rv = tctx->ext.ticket_key_cb(SSL_CONNECTION_GET_SSL(s), nctick,
rv = tctx->ext.ticket_key_cb(SSL_CONNECTION_GET_USER_SSL(s), nctick,
nctick + TLSEXT_KEYNAME_LENGTH,
ctx, ssl_hmac_get0_HMAC_CTX(hctx), 0);
#endif

6
ssl/tls_srp.c
View File

@ -199,7 +199,7 @@ int ssl_srp_server_param_with_username_intern(SSL_CONNECTION *s, int *ad)
*ad = SSL_AD_UNKNOWN_PSK_IDENTITY;
if ((s->srp_ctx.TLS_ext_srp_username_callback != NULL) &&
((al =
s->srp_ctx.TLS_ext_srp_username_callback(SSL_CONNECTION_GET_SSL(s),
s->srp_ctx.TLS_ext_srp_username_callback(SSL_CONNECTION_GET_USER_SSL(s),
ad,
s->srp_ctx.SRP_cb_arg)) !=
SSL_ERROR_NONE))
@ -373,7 +373,7 @@ int srp_generate_client_master_secret(SSL_CONNECTION *s)
SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
goto err;
}
if ((passwd = s->srp_ctx.SRP_give_srp_client_pwd_callback(SSL_CONNECTION_GET_SSL(s),
if ((passwd = s->srp_ctx.SRP_give_srp_client_pwd_callback(SSL_CONNECTION_GET_USER_SSL(s),
s->srp_ctx.SRP_cb_arg))
== NULL) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_CALLBACK_FAILED);
@ -426,7 +426,7 @@ int srp_verify_server_param(SSL_CONNECTION *s)
}
if (srp->SRP_verify_param_callback) {
if (srp->SRP_verify_param_callback(SSL_CONNECTION_GET_SSL(s),
if (srp->SRP_verify_param_callback(SSL_CONNECTION_GET_USER_SSL(s),
srp->SRP_cb_arg) <= 0) {
SSLfatal(s, SSL_AD_INSUFFICIENT_SECURITY, SSL_R_CALLBACK_FAILED);
return 0;