1 /* Copyright (C) 1995-1998 Eric Young (eay (at) cryptsoft.com) 2 * All rights reserved. 3 * 4 * This package is an SSL implementation written 5 * by Eric Young (eay (at) cryptsoft.com). 6 * The implementation was written so as to conform with Netscapes SSL. 7 * 8 * This library is free for commercial and non-commercial use as long as 9 * the following conditions are aheared to. The following conditions 10 * apply to all code found in this distribution, be it the RC4, RSA, 11 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 12 * included with this distribution is covered by the same copyright terms 13 * except that the holder is Tim Hudson (tjh (at) cryptsoft.com). 14 * 15 * Copyright remains Eric Young's, and as such any Copyright notices in 16 * the code are not to be removed. 17 * If this package is used in a product, Eric Young should be given attribution 18 * as the author of the parts of the library used. 19 * This can be in the form of a textual message at program startup or 20 * in documentation (online or textual) provided with the package. 21 * 22 * Redistribution and use in source and binary forms, with or without 23 * modification, are permitted provided that the following conditions 24 * are met: 25 * 1. Redistributions of source code must retain the copyright 26 * notice, this list of conditions and the following disclaimer. 27 * 2. Redistributions in binary form must reproduce the above copyright 28 * notice, this list of conditions and the following disclaimer in the 29 * documentation and/or other materials provided with the distribution. 30 * 3. All advertising materials mentioning features or use of this software 31 * must display the following acknowledgement: 32 * "This product includes cryptographic software written by 33 * Eric Young (eay (at) cryptsoft.com)" 34 * The word 'cryptographic' can be left out if the rouines from the library 35 * being used are not cryptographic related :-). 36 * 4. If you include any Windows specific code (or a derivative thereof) from 37 * the apps directory (application code) you must include an acknowledgement: 38 * "This product includes software written by Tim Hudson (tjh (at) cryptsoft.com)" 39 * 40 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 41 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 43 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 44 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 45 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 46 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 48 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 49 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 50 * SUCH DAMAGE. 51 * 52 * The licence and distribution terms for any publically available version or 53 * derivative of this code cannot be changed. i.e. this code cannot simply be 54 * copied and put under another distribution licence 55 * [including the GNU Public Licence.] 56 */ 57 /* ==================================================================== 58 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved. 59 * 60 * Redistribution and use in source and binary forms, with or without 61 * modification, are permitted provided that the following conditions 62 * are met: 63 * 64 * 1. Redistributions of source code must retain the above copyright 65 * notice, this list of conditions and the following disclaimer. 66 * 67 * 2. Redistributions in binary form must reproduce the above copyright 68 * notice, this list of conditions and the following disclaimer in 69 * the documentation and/or other materials provided with the 70 * distribution. 71 * 72 * 3. All advertising materials mentioning features or use of this 73 * software must display the following acknowledgment: 74 * "This product includes software developed by the OpenSSL Project 75 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 76 * 77 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 78 * endorse or promote products derived from this software without 79 * prior written permission. For written permission, please contact 80 * openssl-core (at) openssl.org. 81 * 82 * 5. Products derived from this software may not be called "OpenSSL" 83 * nor may "OpenSSL" appear in their names without prior written 84 * permission of the OpenSSL Project. 85 * 86 * 6. Redistributions of any form whatsoever must retain the following 87 * acknowledgment: 88 * "This product includes software developed by the OpenSSL Project 89 * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 90 * 91 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 92 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 93 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 94 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 95 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 96 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 97 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 98 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 99 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 100 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 101 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 102 * OF THE POSSIBILITY OF SUCH DAMAGE. 103 * ==================================================================== 104 * 105 * This product includes cryptographic software written by Eric Young 106 * (eay (at) cryptsoft.com). This product includes software written by Tim 107 * Hudson (tjh (at) cryptsoft.com). 108 * 109 */ 110 /* ==================================================================== 111 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. 112 * ECC cipher suite support in OpenSSL originally developed by 113 * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project. 114 */ 115 /* ==================================================================== 116 * Copyright 2005 Nokia. All rights reserved. 117 * 118 * The portions of the attached software ("Contribution") is developed by 119 * Nokia Corporation and is licensed pursuant to the OpenSSL open source 120 * license. 121 * 122 * The Contribution, originally written by Mika Kousa and Pasi Eronen of 123 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites 124 * support (see RFC 4279) to OpenSSL. 125 * 126 * No patent licenses or other rights except those expressly stated in 127 * the OpenSSL open source license shall be deemed granted or received 128 * expressly, by implication, estoppel, or otherwise. 129 * 130 * No assurances are provided by Nokia that the Contribution does not 131 * infringe the patent or other intellectual property rights of any third 132 * party or that the license provides you with all the necessary rights 133 * to make use of the Contribution. 134 * 135 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN 136 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA 137 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY 138 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR 139 * OTHERWISE. */ 140 141 #include <openssl/ssl.h> 142 143 #include <assert.h> 144 #include <stdlib.h> 145 #include <string.h> 146 147 #include <openssl/bytestring.h> 148 #include <openssl/crypto.h> 149 #include <openssl/err.h> 150 #include <openssl/lhash.h> 151 #include <openssl/mem.h> 152 #include <openssl/rand.h> 153 154 #include "internal.h" 155 #include "../crypto/internal.h" 156 157 #if defined(OPENSSL_WINDOWS) 158 #include <sys/timeb.h> 159 #else 160 #include <sys/socket.h> 161 #include <sys/time.h> 162 #endif 163 164 165 BSSL_NAMESPACE_BEGIN 166 167 // |SSL_R_UNKNOWN_PROTOCOL| is no longer emitted, but continue to define it 168 // to avoid downstream churn. 169 OPENSSL_DECLARE_ERROR_REASON(SSL, UNKNOWN_PROTOCOL) 170 171 // The following errors are no longer emitted, but are used in nginx without 172 // #ifdefs. 173 OPENSSL_DECLARE_ERROR_REASON(SSL, BLOCK_CIPHER_PAD_IS_WRONG) 174 OPENSSL_DECLARE_ERROR_REASON(SSL, NO_CIPHERS_SPECIFIED) 175 176 // Some error codes are special. Ensure the make_errors.go script never 177 // regresses this. 178 static_assert(SSL_R_TLSV1_ALERT_NO_RENEGOTIATION == 179 SSL_AD_NO_RENEGOTIATION + SSL_AD_REASON_OFFSET, 180 "alert reason code mismatch"); 181 182 // kMaxHandshakeSize is the maximum size, in bytes, of a handshake message. 183 static const size_t kMaxHandshakeSize = (1u << 24) - 1; 184 185 static CRYPTO_EX_DATA_CLASS g_ex_data_class_ssl = 186 CRYPTO_EX_DATA_CLASS_INIT_WITH_APP_DATA; 187 static CRYPTO_EX_DATA_CLASS g_ex_data_class_ssl_ctx = 188 CRYPTO_EX_DATA_CLASS_INIT_WITH_APP_DATA; 189 190 bool CBBFinishArray(CBB *cbb, Array<uint8_t> *out) { 191 uint8_t *ptr; 192 size_t len; 193 if (!CBB_finish(cbb, &ptr, &len)) { 194 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); 195 return false; 196 } 197 out->Reset(ptr, len); 198 return true; 199 } 200 201 void ssl_reset_error_state(SSL *ssl) { 202 // Functions which use |SSL_get_error| must reset I/O and error state on 203 // entry. 204 ssl->s3->rwstate = SSL_NOTHING; 205 ERR_clear_error(); 206 ERR_clear_system_error(); 207 } 208 209 void ssl_set_read_error(SSL* ssl) { 210 ssl->s3->read_shutdown = ssl_shutdown_error; 211 ssl->s3->read_error.reset(ERR_save_state()); 212 } 213 214 static bool check_read_error(const SSL *ssl) { 215 if (ssl->s3->read_shutdown == ssl_shutdown_error) { 216 ERR_restore_state(ssl->s3->read_error.get()); 217 return false; 218 } 219 return true; 220 } 221 222 bool ssl_can_write(const SSL *ssl) { 223 return !SSL_in_init(ssl) || ssl->s3->hs->can_early_write; 224 } 225 226 bool ssl_can_read(const SSL *ssl) { 227 return !SSL_in_init(ssl) || ssl->s3->hs->can_early_read; 228 } 229 230 ssl_open_record_t ssl_open_handshake(SSL *ssl, size_t *out_consumed, 231 uint8_t *out_alert, Span<uint8_t> in) { 232 *out_consumed = 0; 233 if (!check_read_error(ssl)) { 234 *out_alert = 0; 235 return ssl_open_record_error; 236 } 237 auto ret = ssl->method->open_handshake(ssl, out_consumed, out_alert, in); 238 if (ret == ssl_open_record_error) { 239 ssl_set_read_error(ssl); 240 } 241 return ret; 242 } 243 244 ssl_open_record_t ssl_open_change_cipher_spec(SSL *ssl, size_t *out_consumed, 245 uint8_t *out_alert, 246 Span<uint8_t> in) { 247 *out_consumed = 0; 248 if (!check_read_error(ssl)) { 249 *out_alert = 0; 250 return ssl_open_record_error; 251 } 252 auto ret = 253 ssl->method->open_change_cipher_spec(ssl, out_consumed, out_alert, in); 254 if (ret == ssl_open_record_error) { 255 ssl_set_read_error(ssl); 256 } 257 return ret; 258 } 259 260 ssl_open_record_t ssl_open_app_data(SSL *ssl, Span<uint8_t> *out, 261 size_t *out_consumed, uint8_t *out_alert, 262 Span<uint8_t> in) { 263 *out_consumed = 0; 264 if (!check_read_error(ssl)) { 265 *out_alert = 0; 266 return ssl_open_record_error; 267 } 268 auto ret = ssl->method->open_app_data(ssl, out, out_consumed, out_alert, in); 269 if (ret == ssl_open_record_error) { 270 ssl_set_read_error(ssl); 271 } 272 return ret; 273 } 274 275 void ssl_update_cache(SSL_HANDSHAKE *hs, int mode) { 276 SSL *const ssl = hs->ssl; 277 SSL_CTX *ctx = ssl->session_ctx.get(); 278 // Never cache sessions with empty session IDs. 279 if (ssl->s3->established_session->session_id_length == 0 || 280 ssl->s3->established_session->not_resumable || 281 (ctx->session_cache_mode & mode) != mode) { 282 return; 283 } 284 285 // Clients never use the internal session cache. 286 int use_internal_cache = ssl->server && !(ctx->session_cache_mode & 287 SSL_SESS_CACHE_NO_INTERNAL_STORE); 288 289 // A client may see new sessions on abbreviated handshakes if the server 290 // decides to renew the ticket. Once the handshake is completed, it should be 291 // inserted into the cache. 292 if (ssl->s3->established_session.get() != ssl->session.get() || 293 (!ssl->server && hs->ticket_expected)) { 294 if (use_internal_cache) { 295 SSL_CTX_add_session(ctx, ssl->s3->established_session.get()); 296 } 297 if (ctx->new_session_cb != NULL) { 298 UniquePtr<SSL_SESSION> ref = UpRef(ssl->s3->established_session); 299 if (ctx->new_session_cb(ssl, ref.get())) { 300 // |new_session_cb|'s return value signals whether it took ownership. 301 ref.release(); 302 } 303 } 304 } 305 306 if (use_internal_cache && 307 !(ctx->session_cache_mode & SSL_SESS_CACHE_NO_AUTO_CLEAR)) { 308 // Automatically flush the internal session cache every 255 connections. 309 int flush_cache = 0; 310 CRYPTO_MUTEX_lock_write(&ctx->lock); 311 ctx->handshakes_since_cache_flush++; 312 if (ctx->handshakes_since_cache_flush >= 255) { 313 flush_cache = 1; 314 ctx->handshakes_since_cache_flush = 0; 315 } 316 CRYPTO_MUTEX_unlock_write(&ctx->lock); 317 318 if (flush_cache) { 319 struct OPENSSL_timeval now; 320 ssl_get_current_time(ssl, &now); 321 SSL_CTX_flush_sessions(ctx, now.tv_sec); 322 } 323 } 324 } 325 326 static int cbb_add_hex(CBB *cbb, const uint8_t *in, size_t in_len) { 327 static const char hextable[] = "0123456789abcdef"; 328 uint8_t *out; 329 330 if (!CBB_add_space(cbb, &out, in_len * 2)) { 331 return 0; 332 } 333 334 for (size_t i = 0; i < in_len; i++) { 335 *(out++) = (uint8_t)hextable[in[i] >> 4]; 336 *(out++) = (uint8_t)hextable[in[i] & 0xf]; 337 } 338 339 return 1; 340 } 341 342 int ssl_log_secret(const SSL *ssl, const char *label, const uint8_t *secret, 343 size_t secret_len) { 344 if (ssl->ctx->keylog_callback == NULL) { 345 return 1; 346 } 347 348 ScopedCBB cbb; 349 uint8_t *out; 350 size_t out_len; 351 if (!CBB_init(cbb.get(), strlen(label) + 1 + SSL3_RANDOM_SIZE * 2 + 1 + 352 secret_len * 2 + 1) || 353 !CBB_add_bytes(cbb.get(), (const uint8_t *)label, strlen(label)) || 354 !CBB_add_bytes(cbb.get(), (const uint8_t *)" ", 1) || 355 !cbb_add_hex(cbb.get(), ssl->s3->client_random, SSL3_RANDOM_SIZE) || 356 !CBB_add_bytes(cbb.get(), (const uint8_t *)" ", 1) || 357 !cbb_add_hex(cbb.get(), secret, secret_len) || 358 !CBB_add_u8(cbb.get(), 0 /* NUL */) || 359 !CBB_finish(cbb.get(), &out, &out_len)) { 360 return 0; 361 } 362 363 ssl->ctx->keylog_callback(ssl, (const char *)out); 364 OPENSSL_free(out); 365 return 1; 366 } 367 368 void ssl_do_info_callback(const SSL *ssl, int type, int value) { 369 void (*cb)(const SSL *ssl, int type, int value) = NULL; 370 if (ssl->info_callback != NULL) { 371 cb = ssl->info_callback; 372 } else if (ssl->ctx->info_callback != NULL) { 373 cb = ssl->ctx->info_callback; 374 } 375 376 if (cb != NULL) { 377 cb(ssl, type, value); 378 } 379 } 380 381 void ssl_do_msg_callback(SSL *ssl, int is_write, int content_type, 382 Span<const uint8_t> in) { 383 if (ssl->msg_callback == NULL) { 384 return; 385 } 386 387 // |version| is zero when calling for |SSL3_RT_HEADER| and |SSL2_VERSION| for 388 // a V2ClientHello. 389 int version; 390 switch (content_type) { 391 case 0: 392 // V2ClientHello 393 version = SSL2_VERSION; 394 break; 395 case SSL3_RT_HEADER: 396 version = 0; 397 break; 398 default: 399 version = SSL_version(ssl); 400 } 401 402 ssl->msg_callback(is_write, version, content_type, in.data(), in.size(), ssl, 403 ssl->msg_callback_arg); 404 } 405 406 void ssl_get_current_time(const SSL *ssl, struct OPENSSL_timeval *out_clock) { 407 // TODO(martinkr): Change callers to |ssl_ctx_get_current_time| and drop the 408 // |ssl| arg from |current_time_cb| if possible. 409 ssl_ctx_get_current_time(ssl->ctx.get(), out_clock); 410 } 411 412 void ssl_ctx_get_current_time(const SSL_CTX *ctx, 413 struct OPENSSL_timeval *out_clock) { 414 if (ctx->current_time_cb != NULL) { 415 // TODO(davidben): Update current_time_cb to use OPENSSL_timeval. See 416 // https://crbug.com/boringssl/155. 417 struct timeval clock; 418 ctx->current_time_cb(nullptr /* ssl */, &clock); 419 if (clock.tv_sec < 0) { 420 assert(0); 421 out_clock->tv_sec = 0; 422 out_clock->tv_usec = 0; 423 } else { 424 out_clock->tv_sec = (uint64_t)clock.tv_sec; 425 out_clock->tv_usec = (uint32_t)clock.tv_usec; 426 } 427 return; 428 } 429 430 #if defined(BORINGSSL_UNSAFE_DETERMINISTIC_MODE) 431 out_clock->tv_sec = 1234; 432 out_clock->tv_usec = 1234; 433 #elif defined(OPENSSL_WINDOWS) 434 struct _timeb time; 435 _ftime(&time); 436 if (time.time < 0) { 437 assert(0); 438 out_clock->tv_sec = 0; 439 out_clock->tv_usec = 0; 440 } else { 441 out_clock->tv_sec = time.time; 442 out_clock->tv_usec = time.millitm * 1000; 443 } 444 #else 445 struct timeval clock; 446 gettimeofday(&clock, NULL); 447 if (clock.tv_sec < 0) { 448 assert(0); 449 out_clock->tv_sec = 0; 450 out_clock->tv_usec = 0; 451 } else { 452 out_clock->tv_sec = (uint64_t)clock.tv_sec; 453 out_clock->tv_usec = (uint32_t)clock.tv_usec; 454 } 455 #endif 456 } 457 458 void SSL_CTX_set_handoff_mode(SSL_CTX *ctx, bool on) { 459 ctx->handoff = on; 460 } 461 462 static bool ssl_can_renegotiate(const SSL *ssl) { 463 if (ssl->server || SSL_is_dtls(ssl)) { 464 return false; 465 } 466 467 if (ssl_protocol_version(ssl) >= TLS1_3_VERSION) { 468 return false; 469 } 470 471 // The config has already been shed. 472 if (!ssl->config) { 473 return false; 474 } 475 476 switch (ssl->renegotiate_mode) { 477 case ssl_renegotiate_ignore: 478 case ssl_renegotiate_never: 479 return false; 480 481 case ssl_renegotiate_freely: 482 return true; 483 case ssl_renegotiate_once: 484 return ssl->s3->total_renegotiations == 0; 485 } 486 487 assert(0); 488 return false; 489 } 490 491 static void ssl_maybe_shed_handshake_config(SSL *ssl) { 492 if (ssl->s3->hs != nullptr || 493 ssl->config == nullptr || 494 !ssl->config->shed_handshake_config || 495 ssl_can_renegotiate(ssl)) { 496 return; 497 } 498 499 ssl->config.reset(); 500 } 501 502 void SSL_set_handoff_mode(SSL *ssl, bool on) { 503 if (!ssl->config) { 504 return; 505 } 506 ssl->config->handoff = on; 507 } 508 509 bool SSL_get_traffic_secrets(const SSL *ssl, 510 Span<const uint8_t> *out_read_traffic_secret, 511 Span<const uint8_t> *out_write_traffic_secret) { 512 if (SSL_version(ssl) < TLS1_3_VERSION) { 513 OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_SSL_VERSION); 514 return false; 515 } 516 517 if (!ssl->s3->initial_handshake_complete) { 518 OPENSSL_PUT_ERROR(SSL, SSL_R_HANDSHAKE_NOT_COMPLETE); 519 return false; 520 } 521 522 *out_read_traffic_secret = Span<const uint8_t>( 523 ssl->s3->read_traffic_secret, ssl->s3->read_traffic_secret_len); 524 *out_write_traffic_secret = Span<const uint8_t>( 525 ssl->s3->write_traffic_secret, ssl->s3->write_traffic_secret_len); 526 527 return true; 528 } 529 530 BSSL_NAMESPACE_END 531 532 using namespace bssl; 533 534 int SSL_library_init(void) { 535 CRYPTO_library_init(); 536 return 1; 537 } 538 539 int OPENSSL_init_ssl(uint64_t opts, const OPENSSL_INIT_SETTINGS *settings) { 540 CRYPTO_library_init(); 541 return 1; 542 } 543 544 static uint32_t ssl_session_hash(const SSL_SESSION *sess) { 545 return ssl_hash_session_id( 546 MakeConstSpan(sess->session_id, sess->session_id_length)); 547 } 548 549 static int ssl_session_cmp(const SSL_SESSION *a, const SSL_SESSION *b) { 550 if (a->session_id_length != b->session_id_length) { 551 return 1; 552 } 553 554 return OPENSSL_memcmp(a->session_id, b->session_id, a->session_id_length); 555 } 556 557 ssl_ctx_st::ssl_ctx_st(const SSL_METHOD *ssl_method) 558 : method(ssl_method->method), 559 x509_method(ssl_method->x509_method), 560 retain_only_sha256_of_client_certs(false), 561 quiet_shutdown(false), 562 ocsp_stapling_enabled(false), 563 signed_cert_timestamps_enabled(false), 564 channel_id_enabled(false), 565 grease_enabled(false), 566 allow_unknown_alpn_protos(false), 567 ed25519_enabled(false), 568 rsa_pss_rsae_certs_enabled(true), 569 false_start_allowed_without_alpn(false), 570 ignore_tls13_downgrade(false), 571 handoff(false), 572 enable_early_data(false) { 573 CRYPTO_MUTEX_init(&lock); 574 CRYPTO_new_ex_data(&ex_data); 575 } 576 577 ssl_ctx_st::~ssl_ctx_st() { 578 // Free the internal session cache. Note that this calls the caller-supplied 579 // remove callback, so we must do it before clearing ex_data. (See ticket 580 // [openssl.org #212].) 581 SSL_CTX_flush_sessions(this, 0); 582 583 CRYPTO_free_ex_data(&g_ex_data_class_ssl_ctx, this, &ex_data); 584 585 CRYPTO_MUTEX_cleanup(&lock); 586 lh_SSL_SESSION_free(sessions); 587 x509_method->ssl_ctx_free(this); 588 } 589 590 SSL_CTX *SSL_CTX_new(const SSL_METHOD *method) { 591 if (method == NULL) { 592 OPENSSL_PUT_ERROR(SSL, SSL_R_NULL_SSL_METHOD_PASSED); 593 return nullptr; 594 } 595 596 UniquePtr<SSL_CTX> ret = MakeUnique<SSL_CTX>(method); 597 if (!ret) { 598 return nullptr; 599 } 600 601 ret->cert = MakeUnique<CERT>(method->x509_method); 602 ret->sessions = lh_SSL_SESSION_new(ssl_session_hash, ssl_session_cmp); 603 ret->client_CA.reset(sk_CRYPTO_BUFFER_new_null()); 604 if (ret->cert == nullptr || 605 ret->sessions == nullptr || 606 ret->client_CA == nullptr || 607 !ret->x509_method->ssl_ctx_new(ret.get())) { 608 return nullptr; 609 } 610 611 if (!SSL_CTX_set_strict_cipher_list(ret.get(), SSL_DEFAULT_CIPHER_LIST) || 612 // Lock the SSL_CTX to the specified version, for compatibility with 613 // legacy uses of SSL_METHOD. 614 !SSL_CTX_set_max_proto_version(ret.get(), method->version) || 615 !SSL_CTX_set_min_proto_version(ret.get(), method->version)) { 616 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); 617 return nullptr; 618 } 619 620 return ret.release(); 621 } 622 623 int SSL_CTX_up_ref(SSL_CTX *ctx) { 624 CRYPTO_refcount_inc(&ctx->references); 625 return 1; 626 } 627 628 void SSL_CTX_free(SSL_CTX *ctx) { 629 if (ctx == NULL || 630 !CRYPTO_refcount_dec_and_test_zero(&ctx->references)) { 631 return; 632 } 633 634 ctx->~ssl_ctx_st(); 635 OPENSSL_free(ctx); 636 } 637 638 ssl_st::ssl_st(SSL_CTX *ctx_arg) 639 : method(ctx_arg->method), 640 max_send_fragment(ctx_arg->max_send_fragment), 641 msg_callback(ctx_arg->msg_callback), 642 msg_callback_arg(ctx_arg->msg_callback_arg), 643 ctx(UpRef(ctx_arg)), 644 session_ctx(UpRef(ctx_arg)), 645 options(ctx->options), 646 mode(ctx->mode), 647 max_cert_list(ctx->max_cert_list), 648 server(false), 649 quiet_shutdown(ctx->quiet_shutdown), 650 enable_early_data(ctx->enable_early_data) { 651 CRYPTO_new_ex_data(&ex_data); 652 } 653 654 ssl_st::~ssl_st() { 655 CRYPTO_free_ex_data(&g_ex_data_class_ssl, this, &ex_data); 656 // |config| refers to |this|, so we must release it earlier. 657 config.reset(); 658 if (method != NULL) { 659 method->ssl_free(this); 660 } 661 } 662 663 SSL *SSL_new(SSL_CTX *ctx) { 664 if (ctx == nullptr) { 665 OPENSSL_PUT_ERROR(SSL, SSL_R_NULL_SSL_CTX); 666 return nullptr; 667 } 668 669 UniquePtr<SSL> ssl = MakeUnique<SSL>(ctx); 670 if (ssl == nullptr) { 671 return nullptr; 672 } 673 674 ssl->config = MakeUnique<SSL_CONFIG>(ssl.get()); 675 if (ssl->config == nullptr) { 676 return nullptr; 677 } 678 ssl->config->conf_min_version = ctx->conf_min_version; 679 ssl->config->conf_max_version = ctx->conf_max_version; 680 681 ssl->config->cert = ssl_cert_dup(ctx->cert.get()); 682 if (ssl->config->cert == nullptr) { 683 return nullptr; 684 } 685 686 ssl->config->verify_mode = ctx->verify_mode; 687 ssl->config->verify_callback = ctx->default_verify_callback; 688 ssl->config->custom_verify_callback = ctx->custom_verify_callback; 689 ssl->config->retain_only_sha256_of_client_certs = 690 ctx->retain_only_sha256_of_client_certs; 691 692 if (!ssl->config->supported_group_list.CopyFrom(ctx->supported_group_list) || 693 !ssl->config->alpn_client_proto_list.CopyFrom( 694 ctx->alpn_client_proto_list) || 695 !ssl->config->verify_sigalgs.CopyFrom(ctx->verify_sigalgs)) { 696 return nullptr; 697 } 698 699 if (ctx->psk_identity_hint) { 700 ssl->config->psk_identity_hint.reset( 701 BUF_strdup(ctx->psk_identity_hint.get())); 702 if (ssl->config->psk_identity_hint == nullptr) { 703 return nullptr; 704 } 705 } 706 ssl->config->psk_client_callback = ctx->psk_client_callback; 707 ssl->config->psk_server_callback = ctx->psk_server_callback; 708 709 ssl->config->channel_id_enabled = ctx->channel_id_enabled; 710 ssl->config->channel_id_private = UpRef(ctx->channel_id_private); 711 712 ssl->config->signed_cert_timestamps_enabled = 713 ctx->signed_cert_timestamps_enabled; 714 ssl->config->ocsp_stapling_enabled = ctx->ocsp_stapling_enabled; 715 ssl->config->handoff = ctx->handoff; 716 ssl->config->ignore_tls13_downgrade = ctx->ignore_tls13_downgrade; 717 ssl->quic_method = ctx->quic_method; 718 719 if (!ssl->method->ssl_new(ssl.get()) || 720 !ssl->ctx->x509_method->ssl_new(ssl->s3->hs.get())) { 721 return nullptr; 722 } 723 724 return ssl.release(); 725 } 726 727 SSL_CONFIG::SSL_CONFIG(SSL *ssl_arg) 728 : ssl(ssl_arg), 729 signed_cert_timestamps_enabled(false), 730 ocsp_stapling_enabled(false), 731 channel_id_enabled(false), 732 enforce_rsa_key_usage(false), 733 retain_only_sha256_of_client_certs(false), 734 handoff(false), 735 shed_handshake_config(false), 736 ignore_tls13_downgrade(false), 737 jdk11_workaround(false) { 738 assert(ssl); 739 } 740 741 SSL_CONFIG::~SSL_CONFIG() { 742 if (ssl->ctx != nullptr) { 743 ssl->ctx->x509_method->ssl_config_free(this); 744 } 745 } 746 747 void SSL_free(SSL *ssl) { 748 Delete(ssl); 749 } 750 751 void SSL_set_connect_state(SSL *ssl) { 752 ssl->server = false; 753 ssl->do_handshake = ssl_client_handshake; 754 } 755 756 void SSL_set_accept_state(SSL *ssl) { 757 ssl->server = true; 758 ssl->do_handshake = ssl_server_handshake; 759 } 760 761 void SSL_set0_rbio(SSL *ssl, BIO *rbio) { 762 ssl->rbio.reset(rbio); 763 } 764 765 void SSL_set0_wbio(SSL *ssl, BIO *wbio) { 766 ssl->wbio.reset(wbio); 767 } 768 769 void SSL_set_bio(SSL *ssl, BIO *rbio, BIO *wbio) { 770 // For historical reasons, this function has many different cases in ownership 771 // handling. 772 773 // If nothing has changed, do nothing 774 if (rbio == SSL_get_rbio(ssl) && wbio == SSL_get_wbio(ssl)) { 775 return; 776 } 777 778 // If the two arguments are equal, one fewer reference is granted than 779 // taken. 780 if (rbio != NULL && rbio == wbio) { 781 BIO_up_ref(rbio); 782 } 783 784 // If only the wbio is changed, adopt only one reference. 785 if (rbio == SSL_get_rbio(ssl)) { 786 SSL_set0_wbio(ssl, wbio); 787 return; 788 } 789 790 // There is an asymmetry here for historical reasons. If only the rbio is 791 // changed AND the rbio and wbio were originally different, then we only adopt 792 // one reference. 793 if (wbio == SSL_get_wbio(ssl) && SSL_get_rbio(ssl) != SSL_get_wbio(ssl)) { 794 SSL_set0_rbio(ssl, rbio); 795 return; 796 } 797 798 // Otherwise, adopt both references. 799 SSL_set0_rbio(ssl, rbio); 800 SSL_set0_wbio(ssl, wbio); 801 } 802 803 BIO *SSL_get_rbio(const SSL *ssl) { return ssl->rbio.get(); } 804 805 BIO *SSL_get_wbio(const SSL *ssl) { return ssl->wbio.get(); } 806 807 size_t SSL_quic_max_handshake_flight_len(const SSL *ssl, 808 enum ssl_encryption_level_t level) { 809 // Limits flights to 16K by default when there are no large 810 // (certificate-carrying) messages. 811 static const size_t kDefaultLimit = 16384; 812 813 switch (level) { 814 case ssl_encryption_initial: 815 return kDefaultLimit; 816 case ssl_encryption_early_data: 817 // QUIC does not send EndOfEarlyData. 818 return 0; 819 case ssl_encryption_handshake: 820 if (ssl->server) { 821 // Servers may receive Certificate message if configured to request 822 // client certificates. 823 if (!!(ssl->config->verify_mode & SSL_VERIFY_PEER) && 824 ssl->max_cert_list > kDefaultLimit) { 825 return ssl->max_cert_list; 826 } 827 } else { 828 // Clients may receive both Certificate message and a CertificateRequest 829 // message. 830 if (2*ssl->max_cert_list > kDefaultLimit) { 831 return 2*ssl->max_cert_list; 832 } 833 } 834 return kDefaultLimit; 835 case ssl_encryption_application: 836 // Note there is not actually a bound on the number of NewSessionTickets 837 // one may send in a row. This level may need more involved flow 838 // control. See https://github.com/quicwg/base-drafts/issues/1834. 839 return kDefaultLimit; 840 } 841 842 return 0; 843 } 844 845 enum ssl_encryption_level_t SSL_quic_read_level(const SSL *ssl) { 846 return ssl->s3->read_level; 847 } 848 849 enum ssl_encryption_level_t SSL_quic_write_level(const SSL *ssl) { 850 return ssl->s3->write_level; 851 } 852 853 int SSL_provide_quic_data(SSL *ssl, enum ssl_encryption_level_t level, 854 const uint8_t *data, size_t len) { 855 if (ssl->quic_method == nullptr) { 856 OPENSSL_PUT_ERROR(SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 857 return 0; 858 } 859 860 if (level != ssl->s3->read_level) { 861 OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_ENCRYPTION_LEVEL_RECEIVED); 862 return 0; 863 } 864 865 size_t new_len = (ssl->s3->hs_buf ? ssl->s3->hs_buf->length : 0) + len; 866 if (new_len < len || 867 new_len > SSL_quic_max_handshake_flight_len(ssl, level)) { 868 OPENSSL_PUT_ERROR(SSL, SSL_R_EXCESSIVE_MESSAGE_SIZE); 869 return 0; 870 } 871 872 return tls_append_handshake_data(ssl, MakeConstSpan(data, len)); 873 } 874 875 int SSL_do_handshake(SSL *ssl) { 876 ssl_reset_error_state(ssl); 877 878 if (ssl->do_handshake == NULL) { 879 OPENSSL_PUT_ERROR(SSL, SSL_R_CONNECTION_TYPE_NOT_SET); 880 return -1; 881 } 882 883 if (!SSL_in_init(ssl)) { 884 return 1; 885 } 886 887 // Run the handshake. 888 SSL_HANDSHAKE *hs = ssl->s3->hs.get(); 889 890 bool early_return = false; 891 int ret = ssl_run_handshake(hs, &early_return); 892 ssl_do_info_callback( 893 ssl, ssl->server ? SSL_CB_ACCEPT_EXIT : SSL_CB_CONNECT_EXIT, ret); 894 if (ret <= 0) { 895 return ret; 896 } 897 898 // Destroy the handshake object if the handshake has completely finished. 899 if (!early_return) { 900 ssl->s3->hs.reset(); 901 ssl_maybe_shed_handshake_config(ssl); 902 } 903 904 return 1; 905 } 906 907 int SSL_connect(SSL *ssl) { 908 if (ssl->do_handshake == NULL) { 909 // Not properly initialized yet 910 SSL_set_connect_state(ssl); 911 } 912 913 return SSL_do_handshake(ssl); 914 } 915 916 int SSL_accept(SSL *ssl) { 917 if (ssl->do_handshake == NULL) { 918 // Not properly initialized yet 919 SSL_set_accept_state(ssl); 920 } 921 922 return SSL_do_handshake(ssl); 923 } 924 925 static int ssl_do_post_handshake(SSL *ssl, const SSLMessage &msg) { 926 if (ssl_protocol_version(ssl) >= TLS1_3_VERSION) { 927 return tls13_post_handshake(ssl, msg); 928 } 929 930 // Check for renegotiation on the server before parsing to use the correct 931 // error. Renegotiation is triggered by a different message for servers. 932 if (ssl->server) { 933 OPENSSL_PUT_ERROR(SSL, SSL_R_NO_RENEGOTIATION); 934 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_NO_RENEGOTIATION); 935 return 0; 936 } 937 938 if (msg.type != SSL3_MT_HELLO_REQUEST || CBS_len(&msg.body) != 0) { 939 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); 940 OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_HELLO_REQUEST); 941 return 0; 942 } 943 944 if (ssl->renegotiate_mode == ssl_renegotiate_ignore) { 945 return 1; // Ignore the HelloRequest. 946 } 947 948 if (!ssl_can_renegotiate(ssl) || 949 // Renegotiation is only supported at quiescent points in the application 950 // protocol, namely in HTTPS, just before reading the HTTP response. 951 // Require the record-layer be idle and avoid complexities of sending a 952 // handshake record while an application_data record is being written. 953 !ssl->s3->write_buffer.empty() || 954 ssl->s3->write_shutdown != ssl_shutdown_none) { 955 OPENSSL_PUT_ERROR(SSL, SSL_R_NO_RENEGOTIATION); 956 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_NO_RENEGOTIATION); 957 return 0; 958 } 959 960 // Begin a new handshake. 961 if (ssl->s3->hs != nullptr) { 962 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); 963 return 0; 964 } 965 ssl->s3->hs = ssl_handshake_new(ssl); 966 if (ssl->s3->hs == nullptr) { 967 return 0; 968 } 969 970 ssl->s3->total_renegotiations++; 971 return 1; 972 } 973 974 int SSL_process_quic_post_handshake(SSL *ssl) { 975 ssl_reset_error_state(ssl); 976 977 if (SSL_in_init(ssl)) { 978 OPENSSL_PUT_ERROR(SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 979 return 0; 980 } 981 982 // Replay post-handshake message errors. 983 if (!check_read_error(ssl)) { 984 return 0; 985 } 986 987 // Process any buffered post-handshake messages. 988 SSLMessage msg; 989 while (ssl->method->get_message(ssl, &msg)) { 990 // Handle the post-handshake message and try again. 991 if (!ssl_do_post_handshake(ssl, msg)) { 992 ssl_set_read_error(ssl); 993 return 0; 994 } 995 ssl->method->next_message(ssl); 996 } 997 998 return 1; 999 } 1000 1001 static int ssl_read_impl(SSL *ssl) { 1002 ssl_reset_error_state(ssl); 1003 1004 if (ssl->do_handshake == NULL) { 1005 OPENSSL_PUT_ERROR(SSL, SSL_R_UNINITIALIZED); 1006 return -1; 1007 } 1008 1009 // Replay post-handshake message errors. 1010 if (!check_read_error(ssl)) { 1011 return -1; 1012 } 1013 1014 while (ssl->s3->pending_app_data.empty()) { 1015 // Complete the current handshake, if any. False Start will cause 1016 // |SSL_do_handshake| to return mid-handshake, so this may require multiple 1017 // iterations. 1018 while (!ssl_can_read(ssl)) { 1019 int ret = SSL_do_handshake(ssl); 1020 if (ret < 0) { 1021 return ret; 1022 } 1023 if (ret == 0) { 1024 OPENSSL_PUT_ERROR(SSL, SSL_R_SSL_HANDSHAKE_FAILURE); 1025 return -1; 1026 } 1027 } 1028 1029 // Process any buffered post-handshake messages. 1030 SSLMessage msg; 1031 if (ssl->method->get_message(ssl, &msg)) { 1032 // If we received an interrupt in early read (EndOfEarlyData), loop again 1033 // for the handshake to process it. 1034 if (SSL_in_init(ssl)) { 1035 ssl->s3->hs->can_early_read = false; 1036 continue; 1037 } 1038 1039 // Handle the post-handshake message and try again. 1040 if (!ssl_do_post_handshake(ssl, msg)) { 1041 ssl_set_read_error(ssl); 1042 return -1; 1043 } 1044 ssl->method->next_message(ssl); 1045 continue; // Loop again. We may have begun a new handshake. 1046 } 1047 1048 uint8_t alert = SSL_AD_DECODE_ERROR; 1049 size_t consumed = 0; 1050 auto ret = ssl_open_app_data(ssl, &ssl->s3->pending_app_data, &consumed, 1051 &alert, ssl->s3->read_buffer.span()); 1052 bool retry; 1053 int bio_ret = ssl_handle_open_record(ssl, &retry, ret, consumed, alert); 1054 if (bio_ret <= 0) { 1055 return bio_ret; 1056 } 1057 if (!retry) { 1058 assert(!ssl->s3->pending_app_data.empty()); 1059 ssl->s3->key_update_count = 0; 1060 } 1061 } 1062 1063 return 1; 1064 } 1065 1066 int SSL_read(SSL *ssl, void *buf, int num) { 1067 int ret = SSL_peek(ssl, buf, num); 1068 if (ret <= 0) { 1069 return ret; 1070 } 1071 // TODO(davidben): In DTLS, should the rest of the record be discarded? DTLS 1072 // is not a stream. See https://crbug.com/boringssl/65. 1073 ssl->s3->pending_app_data = 1074 ssl->s3->pending_app_data.subspan(static_cast<size_t>(ret)); 1075 if (ssl->s3->pending_app_data.empty()) { 1076 ssl->s3->read_buffer.DiscardConsumed(); 1077 } 1078 return ret; 1079 } 1080 1081 int SSL_peek(SSL *ssl, void *buf, int num) { 1082 if (ssl->quic_method != nullptr) { 1083 OPENSSL_PUT_ERROR(SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 1084 return 0; 1085 } 1086 1087 int ret = ssl_read_impl(ssl); 1088 if (ret <= 0) { 1089 return ret; 1090 } 1091 if (num <= 0) { 1092 return num; 1093 } 1094 size_t todo = 1095 std::min(ssl->s3->pending_app_data.size(), static_cast<size_t>(num)); 1096 OPENSSL_memcpy(buf, ssl->s3->pending_app_data.data(), todo); 1097 return static_cast<int>(todo); 1098 } 1099 1100 int SSL_write(SSL *ssl, const void *buf, int num) { 1101 ssl_reset_error_state(ssl); 1102 1103 if (ssl->quic_method != nullptr) { 1104 OPENSSL_PUT_ERROR(SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 1105 return 0; 1106 } 1107 1108 if (ssl->do_handshake == NULL) { 1109 OPENSSL_PUT_ERROR(SSL, SSL_R_UNINITIALIZED); 1110 return -1; 1111 } 1112 1113 if (ssl->s3->write_shutdown != ssl_shutdown_none) { 1114 OPENSSL_PUT_ERROR(SSL, SSL_R_PROTOCOL_IS_SHUTDOWN); 1115 return -1; 1116 } 1117 1118 int ret = 0; 1119 bool needs_handshake = false; 1120 do { 1121 // If necessary, complete the handshake implicitly. 1122 if (!ssl_can_write(ssl)) { 1123 ret = SSL_do_handshake(ssl); 1124 if (ret < 0) { 1125 return ret; 1126 } 1127 if (ret == 0) { 1128 OPENSSL_PUT_ERROR(SSL, SSL_R_SSL_HANDSHAKE_FAILURE); 1129 return -1; 1130 } 1131 } 1132 1133 ret = ssl->method->write_app_data(ssl, &needs_handshake, 1134 (const uint8_t *)buf, num); 1135 } while (needs_handshake); 1136 return ret; 1137 } 1138 1139 int SSL_key_update(SSL *ssl, int request_type) { 1140 ssl_reset_error_state(ssl); 1141 1142 if (ssl->do_handshake == NULL) { 1143 OPENSSL_PUT_ERROR(SSL, SSL_R_UNINITIALIZED); 1144 return 0; 1145 } 1146 1147 if (ssl->ctx->quic_method != nullptr) { 1148 OPENSSL_PUT_ERROR(SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 1149 return 0; 1150 } 1151 1152 if (!ssl->s3->initial_handshake_complete) { 1153 OPENSSL_PUT_ERROR(SSL, SSL_R_HANDSHAKE_NOT_COMPLETE); 1154 return 0; 1155 } 1156 1157 if (ssl_protocol_version(ssl) < TLS1_3_VERSION) { 1158 OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_SSL_VERSION); 1159 return 0; 1160 } 1161 1162 if (!ssl->s3->key_update_pending && 1163 !tls13_add_key_update(ssl, request_type)) { 1164 return 0; 1165 } 1166 1167 return 1; 1168 } 1169 1170 int SSL_shutdown(SSL *ssl) { 1171 ssl_reset_error_state(ssl); 1172 1173 if (ssl->do_handshake == NULL) { 1174 OPENSSL_PUT_ERROR(SSL, SSL_R_UNINITIALIZED); 1175 return -1; 1176 } 1177 1178 // If we are in the middle of a handshake, silently succeed. Consumers often 1179 // call this function before |SSL_free|, whether the handshake succeeded or 1180 // not. We assume the caller has already handled failed handshakes. 1181 if (SSL_in_init(ssl)) { 1182 return 1; 1183 } 1184 1185 if (ssl->quiet_shutdown) { 1186 // Do nothing if configured not to send a close_notify. 1187 ssl->s3->write_shutdown = ssl_shutdown_close_notify; 1188 ssl->s3->read_shutdown = ssl_shutdown_close_notify; 1189 return 1; 1190 } 1191 1192 // This function completes in two stages. It sends a close_notify and then it 1193 // waits for a close_notify to come in. Perform exactly one action and return 1194 // whether or not it succeeds. 1195 1196 if (ssl->s3->write_shutdown != ssl_shutdown_close_notify) { 1197 // Send a close_notify. 1198 if (ssl_send_alert(ssl, SSL3_AL_WARNING, SSL_AD_CLOSE_NOTIFY) <= 0) { 1199 return -1; 1200 } 1201 } else if (ssl->s3->alert_dispatch) { 1202 // Finish sending the close_notify. 1203 if (ssl->method->dispatch_alert(ssl) <= 0) { 1204 return -1; 1205 } 1206 } else if (ssl->s3->read_shutdown != ssl_shutdown_close_notify) { 1207 if (SSL_is_dtls(ssl)) { 1208 // Bidirectional shutdown doesn't make sense for an unordered 1209 // transport. DTLS alerts also aren't delivered reliably, so we may even 1210 // time out because the peer never received our close_notify. Report to 1211 // the caller that the channel has fully shut down. 1212 if (ssl->s3->read_shutdown == ssl_shutdown_error) { 1213 ERR_restore_state(ssl->s3->read_error.get()); 1214 return -1; 1215 } 1216 ssl->s3->read_shutdown = ssl_shutdown_close_notify; 1217 } else { 1218 // Process records until an error, close_notify, or application data. 1219 if (ssl_read_impl(ssl) > 0) { 1220 // We received some unexpected application data. 1221 OPENSSL_PUT_ERROR(SSL, SSL_R_APPLICATION_DATA_ON_SHUTDOWN); 1222 return -1; 1223 } 1224 if (ssl->s3->read_shutdown != ssl_shutdown_close_notify) { 1225 return -1; 1226 } 1227 } 1228 } 1229 1230 // Return 0 for unidirectional shutdown and 1 for bidirectional shutdown. 1231 return ssl->s3->read_shutdown == ssl_shutdown_close_notify; 1232 } 1233 1234 int SSL_send_fatal_alert(SSL *ssl, uint8_t alert) { 1235 if (ssl->s3->alert_dispatch) { 1236 if (ssl->s3->send_alert[0] != SSL3_AL_FATAL || 1237 ssl->s3->send_alert[1] != alert) { 1238 // We are already attempting to write a different alert. 1239 OPENSSL_PUT_ERROR(SSL, SSL_R_PROTOCOL_IS_SHUTDOWN); 1240 return -1; 1241 } 1242 return ssl->method->dispatch_alert(ssl); 1243 } 1244 1245 return ssl_send_alert(ssl, SSL3_AL_FATAL, alert); 1246 } 1247 1248 int SSL_set_quic_transport_params(SSL *ssl, const uint8_t *params, 1249 size_t params_len) { 1250 return ssl->config && ssl->config->quic_transport_params.CopyFrom( 1251 MakeConstSpan(params, params_len)); 1252 } 1253 1254 void SSL_get_peer_quic_transport_params(const SSL *ssl, 1255 const uint8_t **out_params, 1256 size_t *out_params_len) { 1257 *out_params = ssl->s3->peer_quic_transport_params.data(); 1258 *out_params_len = ssl->s3->peer_quic_transport_params.size(); 1259 } 1260 1261 void SSL_CTX_set_early_data_enabled(SSL_CTX *ctx, int enabled) { 1262 ctx->enable_early_data = !!enabled; 1263 } 1264 1265 void SSL_set_early_data_enabled(SSL *ssl, int enabled) { 1266 ssl->enable_early_data = !!enabled; 1267 } 1268 1269 int SSL_in_early_data(const SSL *ssl) { 1270 if (ssl->s3->hs == NULL) { 1271 return 0; 1272 } 1273 return ssl->s3->hs->in_early_data; 1274 } 1275 1276 int SSL_early_data_accepted(const SSL *ssl) { 1277 return ssl->s3->early_data_accepted; 1278 } 1279 1280 void SSL_reset_early_data_reject(SSL *ssl) { 1281 SSL_HANDSHAKE *hs = ssl->s3->hs.get(); 1282 if (hs == NULL || 1283 hs->wait != ssl_hs_early_data_rejected) { 1284 abort(); 1285 } 1286 1287 hs->wait = ssl_hs_ok; 1288 hs->in_early_data = false; 1289 hs->early_session.reset(); 1290 1291 // Discard any unfinished writes from the perspective of |SSL_write|'s 1292 // retry. The handshake will transparently flush out the pending record 1293 // (discarded by the server) to keep the framing correct. 1294 ssl->s3->wpend_pending = false; 1295 } 1296 1297 static int bio_retry_reason_to_error(int reason) { 1298 switch (reason) { 1299 case BIO_RR_CONNECT: 1300 return SSL_ERROR_WANT_CONNECT; 1301 case BIO_RR_ACCEPT: 1302 return SSL_ERROR_WANT_ACCEPT; 1303 default: 1304 return SSL_ERROR_SYSCALL; 1305 } 1306 } 1307 1308 int SSL_get_error(const SSL *ssl, int ret_code) { 1309 if (ret_code > 0) { 1310 return SSL_ERROR_NONE; 1311 } 1312 1313 // Make things return SSL_ERROR_SYSCALL when doing SSL_do_handshake etc, 1314 // where we do encode the error 1315 uint32_t err = ERR_peek_error(); 1316 if (err != 0) { 1317 if (ERR_GET_LIB(err) == ERR_LIB_SYS) { 1318 return SSL_ERROR_SYSCALL; 1319 } 1320 return SSL_ERROR_SSL; 1321 } 1322 1323 if (ret_code == 0) { 1324 if (ssl->s3->read_shutdown == ssl_shutdown_close_notify) { 1325 return SSL_ERROR_ZERO_RETURN; 1326 } 1327 // An EOF was observed which violates the protocol, and the underlying 1328 // transport does not participate in the error queue. Bubble up to the 1329 // caller. 1330 return SSL_ERROR_SYSCALL; 1331 } 1332 1333 switch (ssl->s3->rwstate) { 1334 case SSL_PENDING_SESSION: 1335 return SSL_ERROR_PENDING_SESSION; 1336 1337 case SSL_CERTIFICATE_SELECTION_PENDING: 1338 return SSL_ERROR_PENDING_CERTIFICATE; 1339 1340 case SSL_HANDOFF: 1341 return SSL_ERROR_HANDOFF; 1342 1343 case SSL_HANDBACK: 1344 return SSL_ERROR_HANDBACK; 1345 1346 case SSL_READING: { 1347 if (ssl->quic_method) { 1348 return SSL_ERROR_WANT_READ; 1349 } 1350 BIO *bio = SSL_get_rbio(ssl); 1351 if (BIO_should_read(bio)) { 1352 return SSL_ERROR_WANT_READ; 1353 } 1354 1355 if (BIO_should_write(bio)) { 1356 // TODO(davidben): OpenSSL historically checked for writes on the read 1357 // BIO. Can this be removed? 1358 return SSL_ERROR_WANT_WRITE; 1359 } 1360 1361 if (BIO_should_io_special(bio)) { 1362 return bio_retry_reason_to_error(BIO_get_retry_reason(bio)); 1363 } 1364 1365 break; 1366 } 1367 1368 case SSL_WRITING: { 1369 BIO *bio = SSL_get_wbio(ssl); 1370 if (BIO_should_write(bio)) { 1371 return SSL_ERROR_WANT_WRITE; 1372 } 1373 1374 if (BIO_should_read(bio)) { 1375 // TODO(davidben): OpenSSL historically checked for reads on the write 1376 // BIO. Can this be removed? 1377 return SSL_ERROR_WANT_READ; 1378 } 1379 1380 if (BIO_should_io_special(bio)) { 1381 return bio_retry_reason_to_error(BIO_get_retry_reason(bio)); 1382 } 1383 1384 break; 1385 } 1386 1387 case SSL_X509_LOOKUP: 1388 return SSL_ERROR_WANT_X509_LOOKUP; 1389 1390 case SSL_CHANNEL_ID_LOOKUP: 1391 return SSL_ERROR_WANT_CHANNEL_ID_LOOKUP; 1392 1393 case SSL_PRIVATE_KEY_OPERATION: 1394 return SSL_ERROR_WANT_PRIVATE_KEY_OPERATION; 1395 1396 case SSL_PENDING_TICKET: 1397 return SSL_ERROR_PENDING_TICKET; 1398 1399 case SSL_EARLY_DATA_REJECTED: 1400 return SSL_ERROR_EARLY_DATA_REJECTED; 1401 1402 case SSL_CERTIFICATE_VERIFY: 1403 return SSL_ERROR_WANT_CERTIFICATE_VERIFY; 1404 } 1405 1406 return SSL_ERROR_SYSCALL; 1407 } 1408 1409 uint32_t SSL_CTX_set_options(SSL_CTX *ctx, uint32_t options) { 1410 ctx->options |= options; 1411 return ctx->options; 1412 } 1413 1414 uint32_t SSL_CTX_clear_options(SSL_CTX *ctx, uint32_t options) { 1415 ctx->options &= ~options; 1416 return ctx->options; 1417 } 1418 1419 uint32_t SSL_CTX_get_options(const SSL_CTX *ctx) { return ctx->options; } 1420 1421 uint32_t SSL_set_options(SSL *ssl, uint32_t options) { 1422 ssl->options |= options; 1423 return ssl->options; 1424 } 1425 1426 uint32_t SSL_clear_options(SSL *ssl, uint32_t options) { 1427 ssl->options &= ~options; 1428 return ssl->options; 1429 } 1430 1431 uint32_t SSL_get_options(const SSL *ssl) { return ssl->options; } 1432 1433 uint32_t SSL_CTX_set_mode(SSL_CTX *ctx, uint32_t mode) { 1434 ctx->mode |= mode; 1435 return ctx->mode; 1436 } 1437 1438 uint32_t SSL_CTX_clear_mode(SSL_CTX *ctx, uint32_t mode) { 1439 ctx->mode &= ~mode; 1440 return ctx->mode; 1441 } 1442 1443 uint32_t SSL_CTX_get_mode(const SSL_CTX *ctx) { return ctx->mode; } 1444 1445 uint32_t SSL_set_mode(SSL *ssl, uint32_t mode) { 1446 ssl->mode |= mode; 1447 return ssl->mode; 1448 } 1449 1450 uint32_t SSL_clear_mode(SSL *ssl, uint32_t mode) { 1451 ssl->mode &= ~mode; 1452 return ssl->mode; 1453 } 1454 1455 uint32_t SSL_get_mode(const SSL *ssl) { return ssl->mode; } 1456 1457 void SSL_CTX_set0_buffer_pool(SSL_CTX *ctx, CRYPTO_BUFFER_POOL *pool) { 1458 ctx->pool = pool; 1459 } 1460 1461 int SSL_get_tls_unique(const SSL *ssl, uint8_t *out, size_t *out_len, 1462 size_t max_out) { 1463 *out_len = 0; 1464 OPENSSL_memset(out, 0, max_out); 1465 1466 // tls-unique is not defined for TLS 1.3. 1467 if (!ssl->s3->initial_handshake_complete || 1468 ssl_protocol_version(ssl) >= TLS1_3_VERSION) { 1469 return 0; 1470 } 1471 1472 // The tls-unique value is the first Finished message in the handshake, which 1473 // is the client's in a full handshake and the server's for a resumption. See 1474 // https://tools.ietf.org/html/rfc5929#section-3.1. 1475 const uint8_t *finished = ssl->s3->previous_client_finished; 1476 size_t finished_len = ssl->s3->previous_client_finished_len; 1477 if (ssl->session != NULL) { 1478 // tls-unique is broken for resumed sessions unless EMS is used. 1479 if (!ssl->session->extended_master_secret) { 1480 return 0; 1481 } 1482 finished = ssl->s3->previous_server_finished; 1483 finished_len = ssl->s3->previous_server_finished_len; 1484 } 1485 1486 *out_len = finished_len; 1487 if (finished_len > max_out) { 1488 *out_len = max_out; 1489 } 1490 1491 OPENSSL_memcpy(out, finished, *out_len); 1492 return 1; 1493 } 1494 1495 static int set_session_id_context(CERT *cert, const uint8_t *sid_ctx, 1496 size_t sid_ctx_len) { 1497 if (sid_ctx_len > sizeof(cert->sid_ctx)) { 1498 OPENSSL_PUT_ERROR(SSL, SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG); 1499 return 0; 1500 } 1501 1502 static_assert(sizeof(cert->sid_ctx) < 256, "sid_ctx too large"); 1503 cert->sid_ctx_length = (uint8_t)sid_ctx_len; 1504 OPENSSL_memcpy(cert->sid_ctx, sid_ctx, sid_ctx_len); 1505 return 1; 1506 } 1507 1508 int SSL_CTX_set_session_id_context(SSL_CTX *ctx, const uint8_t *sid_ctx, 1509 size_t sid_ctx_len) { 1510 return set_session_id_context(ctx->cert.get(), sid_ctx, sid_ctx_len); 1511 } 1512 1513 int SSL_set_session_id_context(SSL *ssl, const uint8_t *sid_ctx, 1514 size_t sid_ctx_len) { 1515 if (!ssl->config) { 1516 return 0; 1517 } 1518 return set_session_id_context(ssl->config->cert.get(), sid_ctx, sid_ctx_len); 1519 } 1520 1521 const uint8_t *SSL_get0_session_id_context(const SSL *ssl, size_t *out_len) { 1522 if (!ssl->config) { 1523 assert(ssl->config); 1524 *out_len = 0; 1525 return NULL; 1526 } 1527 *out_len = ssl->config->cert->sid_ctx_length; 1528 return ssl->config->cert->sid_ctx; 1529 } 1530 1531 void SSL_certs_clear(SSL *ssl) { 1532 if (!ssl->config) { 1533 return; 1534 } 1535 ssl_cert_clear_certs(ssl->config->cert.get()); 1536 } 1537 1538 int SSL_get_fd(const SSL *ssl) { return SSL_get_rfd(ssl); } 1539 1540 int SSL_get_rfd(const SSL *ssl) { 1541 int ret = -1; 1542 BIO *b = BIO_find_type(SSL_get_rbio(ssl), BIO_TYPE_DESCRIPTOR); 1543 if (b != NULL) { 1544 BIO_get_fd(b, &ret); 1545 } 1546 return ret; 1547 } 1548 1549 int SSL_get_wfd(const SSL *ssl) { 1550 int ret = -1; 1551 BIO *b = BIO_find_type(SSL_get_wbio(ssl), BIO_TYPE_DESCRIPTOR); 1552 if (b != NULL) { 1553 BIO_get_fd(b, &ret); 1554 } 1555 return ret; 1556 } 1557 1558 int SSL_set_fd(SSL *ssl, int fd) { 1559 BIO *bio = BIO_new(BIO_s_socket()); 1560 if (bio == NULL) { 1561 OPENSSL_PUT_ERROR(SSL, ERR_R_BUF_LIB); 1562 return 0; 1563 } 1564 BIO_set_fd(bio, fd, BIO_NOCLOSE); 1565 SSL_set_bio(ssl, bio, bio); 1566 return 1; 1567 } 1568 1569 int SSL_set_wfd(SSL *ssl, int fd) { 1570 BIO *rbio = SSL_get_rbio(ssl); 1571 if (rbio == NULL || BIO_method_type(rbio) != BIO_TYPE_SOCKET || 1572 BIO_get_fd(rbio, NULL) != fd) { 1573 BIO *bio = BIO_new(BIO_s_socket()); 1574 if (bio == NULL) { 1575 OPENSSL_PUT_ERROR(SSL, ERR_R_BUF_LIB); 1576 return 0; 1577 } 1578 BIO_set_fd(bio, fd, BIO_NOCLOSE); 1579 SSL_set0_wbio(ssl, bio); 1580 } else { 1581 // Copy the rbio over to the wbio. 1582 BIO_up_ref(rbio); 1583 SSL_set0_wbio(ssl, rbio); 1584 } 1585 1586 return 1; 1587 } 1588 1589 int SSL_set_rfd(SSL *ssl, int fd) { 1590 BIO *wbio = SSL_get_wbio(ssl); 1591 if (wbio == NULL || BIO_method_type(wbio) != BIO_TYPE_SOCKET || 1592 BIO_get_fd(wbio, NULL) != fd) { 1593 BIO *bio = BIO_new(BIO_s_socket()); 1594 if (bio == NULL) { 1595 OPENSSL_PUT_ERROR(SSL, ERR_R_BUF_LIB); 1596 return 0; 1597 } 1598 BIO_set_fd(bio, fd, BIO_NOCLOSE); 1599 SSL_set0_rbio(ssl, bio); 1600 } else { 1601 // Copy the wbio over to the rbio. 1602 BIO_up_ref(wbio); 1603 SSL_set0_rbio(ssl, wbio); 1604 } 1605 return 1; 1606 } 1607 1608 static size_t copy_finished(void *out, size_t out_len, const uint8_t *in, 1609 size_t in_len) { 1610 if (out_len > in_len) { 1611 out_len = in_len; 1612 } 1613 OPENSSL_memcpy(out, in, out_len); 1614 return in_len; 1615 } 1616 1617 size_t SSL_get_finished(const SSL *ssl, void *buf, size_t count) { 1618 if (!ssl->s3->initial_handshake_complete || 1619 ssl_protocol_version(ssl) >= TLS1_3_VERSION) { 1620 return 0; 1621 } 1622 1623 if (ssl->server) { 1624 return copy_finished(buf, count, ssl->s3->previous_server_finished, 1625 ssl->s3->previous_server_finished_len); 1626 } 1627 1628 return copy_finished(buf, count, ssl->s3->previous_client_finished, 1629 ssl->s3->previous_client_finished_len); 1630 } 1631 1632 size_t SSL_get_peer_finished(const SSL *ssl, void *buf, size_t count) { 1633 if (!ssl->s3->initial_handshake_complete || 1634 ssl_protocol_version(ssl) >= TLS1_3_VERSION) { 1635 return 0; 1636 } 1637 1638 if (ssl->server) { 1639 return copy_finished(buf, count, ssl->s3->previous_client_finished, 1640 ssl->s3->previous_client_finished_len); 1641 } 1642 1643 return copy_finished(buf, count, ssl->s3->previous_server_finished, 1644 ssl->s3->previous_server_finished_len); 1645 } 1646 1647 int SSL_get_verify_mode(const SSL *ssl) { 1648 if (!ssl->config) { 1649 assert(ssl->config); 1650 return -1; 1651 } 1652 return ssl->config->verify_mode; 1653 } 1654 1655 int SSL_get_extms_support(const SSL *ssl) { 1656 // TLS 1.3 does not require extended master secret and always reports as 1657 // supporting it. 1658 if (!ssl->s3->have_version) { 1659 return 0; 1660 } 1661 if (ssl_protocol_version(ssl) >= TLS1_3_VERSION) { 1662 return 1; 1663 } 1664 1665 // If the initial handshake completed, query the established session. 1666 if (ssl->s3->established_session != NULL) { 1667 return ssl->s3->established_session->extended_master_secret; 1668 } 1669 1670 // Otherwise, query the in-progress handshake. 1671 if (ssl->s3->hs != NULL) { 1672 return ssl->s3->hs->extended_master_secret; 1673 } 1674 assert(0); 1675 return 0; 1676 } 1677 1678 int SSL_CTX_get_read_ahead(const SSL_CTX *ctx) { return 0; } 1679 1680 int SSL_get_read_ahead(const SSL *ssl) { return 0; } 1681 1682 int SSL_CTX_set_read_ahead(SSL_CTX *ctx, int yes) { return 1; } 1683 1684 int SSL_set_read_ahead(SSL *ssl, int yes) { return 1; } 1685 1686 int SSL_pending(const SSL *ssl) { 1687 return static_cast<int>(ssl->s3->pending_app_data.size()); 1688 } 1689 1690 int SSL_CTX_check_private_key(const SSL_CTX *ctx) { 1691 return ssl_cert_check_private_key(ctx->cert.get(), 1692 ctx->cert->privatekey.get()); 1693 } 1694 1695 int SSL_check_private_key(const SSL *ssl) { 1696 if (!ssl->config) { 1697 return 0; 1698 } 1699 return ssl_cert_check_private_key(ssl->config->cert.get(), 1700 ssl->config->cert->privatekey.get()); 1701 } 1702 1703 long SSL_get_default_timeout(const SSL *ssl) { 1704 return SSL_DEFAULT_SESSION_TIMEOUT; 1705 } 1706 1707 int SSL_renegotiate(SSL *ssl) { 1708 // Caller-initiated renegotiation is not supported. 1709 OPENSSL_PUT_ERROR(SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 1710 return 0; 1711 } 1712 1713 int SSL_renegotiate_pending(SSL *ssl) { 1714 return SSL_in_init(ssl) && ssl->s3->initial_handshake_complete; 1715 } 1716 1717 int SSL_total_renegotiations(const SSL *ssl) { 1718 return ssl->s3->total_renegotiations; 1719 } 1720 1721 size_t SSL_CTX_get_max_cert_list(const SSL_CTX *ctx) { 1722 return ctx->max_cert_list; 1723 } 1724 1725 void SSL_CTX_set_max_cert_list(SSL_CTX *ctx, size_t max_cert_list) { 1726 if (max_cert_list > kMaxHandshakeSize) { 1727 max_cert_list = kMaxHandshakeSize; 1728 } 1729 ctx->max_cert_list = (uint32_t)max_cert_list; 1730 } 1731 1732 size_t SSL_get_max_cert_list(const SSL *ssl) { 1733 return ssl->max_cert_list; 1734 } 1735 1736 void SSL_set_max_cert_list(SSL *ssl, size_t max_cert_list) { 1737 if (max_cert_list > kMaxHandshakeSize) { 1738 max_cert_list = kMaxHandshakeSize; 1739 } 1740 ssl->max_cert_list = (uint32_t)max_cert_list; 1741 } 1742 1743 int SSL_CTX_set_max_send_fragment(SSL_CTX *ctx, size_t max_send_fragment) { 1744 if (max_send_fragment < 512) { 1745 max_send_fragment = 512; 1746 } 1747 if (max_send_fragment > SSL3_RT_MAX_PLAIN_LENGTH) { 1748 max_send_fragment = SSL3_RT_MAX_PLAIN_LENGTH; 1749 } 1750 ctx->max_send_fragment = (uint16_t)max_send_fragment; 1751 1752 return 1; 1753 } 1754 1755 int SSL_set_max_send_fragment(SSL *ssl, size_t max_send_fragment) { 1756 if (max_send_fragment < 512) { 1757 max_send_fragment = 512; 1758 } 1759 if (max_send_fragment > SSL3_RT_MAX_PLAIN_LENGTH) { 1760 max_send_fragment = SSL3_RT_MAX_PLAIN_LENGTH; 1761 } 1762 ssl->max_send_fragment = (uint16_t)max_send_fragment; 1763 1764 return 1; 1765 } 1766 1767 int SSL_set_mtu(SSL *ssl, unsigned mtu) { 1768 if (!SSL_is_dtls(ssl) || mtu < dtls1_min_mtu()) { 1769 return 0; 1770 } 1771 ssl->d1->mtu = mtu; 1772 return 1; 1773 } 1774 1775 int SSL_get_secure_renegotiation_support(const SSL *ssl) { 1776 if (!ssl->s3->have_version) { 1777 return 0; 1778 } 1779 return ssl_protocol_version(ssl) >= TLS1_3_VERSION || 1780 ssl->s3->send_connection_binding; 1781 } 1782 1783 size_t SSL_CTX_sess_number(const SSL_CTX *ctx) { 1784 MutexReadLock lock(const_cast<CRYPTO_MUTEX *>(&ctx->lock)); 1785 return lh_SSL_SESSION_num_items(ctx->sessions); 1786 } 1787 1788 unsigned long SSL_CTX_sess_set_cache_size(SSL_CTX *ctx, unsigned long size) { 1789 unsigned long ret = ctx->session_cache_size; 1790 ctx->session_cache_size = size; 1791 return ret; 1792 } 1793 1794 unsigned long SSL_CTX_sess_get_cache_size(const SSL_CTX *ctx) { 1795 return ctx->session_cache_size; 1796 } 1797 1798 int SSL_CTX_set_session_cache_mode(SSL_CTX *ctx, int mode) { 1799 int ret = ctx->session_cache_mode; 1800 ctx->session_cache_mode = mode; 1801 return ret; 1802 } 1803 1804 int SSL_CTX_get_session_cache_mode(const SSL_CTX *ctx) { 1805 return ctx->session_cache_mode; 1806 } 1807 1808 1809 int SSL_CTX_get_tlsext_ticket_keys(SSL_CTX *ctx, void *out, size_t len) { 1810 if (out == NULL) { 1811 return 48; 1812 } 1813 if (len != 48) { 1814 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_TICKET_KEYS_LENGTH); 1815 return 0; 1816 } 1817 1818 // The default ticket keys are initialized lazily. Trigger a key 1819 // rotation to initialize them. 1820 if (!ssl_ctx_rotate_ticket_encryption_key(ctx)) { 1821 return 0; 1822 } 1823 1824 uint8_t *out_bytes = reinterpret_cast<uint8_t *>(out); 1825 MutexReadLock lock(&ctx->lock); 1826 OPENSSL_memcpy(out_bytes, ctx->ticket_key_current->name, 16); 1827 OPENSSL_memcpy(out_bytes + 16, ctx->ticket_key_current->hmac_key, 16); 1828 OPENSSL_memcpy(out_bytes + 32, ctx->ticket_key_current->aes_key, 16); 1829 return 1; 1830 } 1831 1832 int SSL_CTX_set_tlsext_ticket_keys(SSL_CTX *ctx, const void *in, size_t len) { 1833 if (in == NULL) { 1834 return 48; 1835 } 1836 if (len != 48) { 1837 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_TICKET_KEYS_LENGTH); 1838 return 0; 1839 } 1840 auto key = MakeUnique<TicketKey>(); 1841 if (!key) { 1842 return 0; 1843 } 1844 const uint8_t *in_bytes = reinterpret_cast<const uint8_t *>(in); 1845 OPENSSL_memcpy(key->name, in_bytes, 16); 1846 OPENSSL_memcpy(key->hmac_key, in_bytes + 16, 16); 1847 OPENSSL_memcpy(key->aes_key, in_bytes + 32, 16); 1848 // Disable automatic key rotation for manually-configured keys. This is now 1849 // the caller's responsibility. 1850 key->next_rotation_tv_sec = 0; 1851 ctx->ticket_key_current = std::move(key); 1852 ctx->ticket_key_prev.reset(); 1853 return 1; 1854 } 1855 1856 int SSL_CTX_set_tlsext_ticket_key_cb( 1857 SSL_CTX *ctx, int (*callback)(SSL *ssl, uint8_t *key_name, uint8_t *iv, 1858 EVP_CIPHER_CTX *ctx, HMAC_CTX *hmac_ctx, 1859 int encrypt)) { 1860 ctx->ticket_key_cb = callback; 1861 return 1; 1862 } 1863 1864 int SSL_CTX_set1_curves(SSL_CTX *ctx, const int *curves, size_t curves_len) { 1865 return tls1_set_curves(&ctx->supported_group_list, 1866 MakeConstSpan(curves, curves_len)); 1867 } 1868 1869 int SSL_set1_curves(SSL *ssl, const int *curves, size_t curves_len) { 1870 if (!ssl->config) { 1871 return 0; 1872 } 1873 return tls1_set_curves(&ssl->config->supported_group_list, 1874 MakeConstSpan(curves, curves_len)); 1875 } 1876 1877 int SSL_CTX_set1_curves_list(SSL_CTX *ctx, const char *curves) { 1878 return tls1_set_curves_list(&ctx->supported_group_list, curves); 1879 } 1880 1881 int SSL_set1_curves_list(SSL *ssl, const char *curves) { 1882 if (!ssl->config) { 1883 return 0; 1884 } 1885 return tls1_set_curves_list(&ssl->config->supported_group_list, curves); 1886 } 1887 1888 uint16_t SSL_get_curve_id(const SSL *ssl) { 1889 // TODO(davidben): This checks the wrong session if there is a renegotiation 1890 // in progress. 1891 SSL_SESSION *session = SSL_get_session(ssl); 1892 if (session == NULL) { 1893 return 0; 1894 } 1895 1896 return session->group_id; 1897 } 1898 1899 int SSL_CTX_set_tmp_dh(SSL_CTX *ctx, const DH *dh) { 1900 return 1; 1901 } 1902 1903 int SSL_set_tmp_dh(SSL *ssl, const DH *dh) { 1904 return 1; 1905 } 1906 1907 STACK_OF(SSL_CIPHER) *SSL_CTX_get_ciphers(const SSL_CTX *ctx) { 1908 return ctx->cipher_list->ciphers.get(); 1909 } 1910 1911 int SSL_CTX_cipher_in_group(const SSL_CTX *ctx, size_t i) { 1912 if (i >= sk_SSL_CIPHER_num(ctx->cipher_list->ciphers.get())) { 1913 return 0; 1914 } 1915 return ctx->cipher_list->in_group_flags[i]; 1916 } 1917 1918 STACK_OF(SSL_CIPHER) *SSL_get_ciphers(const SSL *ssl) { 1919 if (ssl == NULL) { 1920 return NULL; 1921 } 1922 if (ssl->config == NULL) { 1923 assert(ssl->config); 1924 return NULL; 1925 } 1926 1927 return ssl->config->cipher_list ? ssl->config->cipher_list->ciphers.get() 1928 : ssl->ctx->cipher_list->ciphers.get(); 1929 } 1930 1931 const char *SSL_get_cipher_list(const SSL *ssl, int n) { 1932 if (ssl == NULL) { 1933 return NULL; 1934 } 1935 1936 STACK_OF(SSL_CIPHER) *sk = SSL_get_ciphers(ssl); 1937 if (sk == NULL || n < 0 || (size_t)n >= sk_SSL_CIPHER_num(sk)) { 1938 return NULL; 1939 } 1940 1941 const SSL_CIPHER *c = sk_SSL_CIPHER_value(sk, n); 1942 if (c == NULL) { 1943 return NULL; 1944 } 1945 1946 return c->name; 1947 } 1948 1949 int SSL_CTX_set_cipher_list(SSL_CTX *ctx, const char *str) { 1950 return ssl_create_cipher_list(&ctx->cipher_list, str, false /* not strict */); 1951 } 1952 1953 int SSL_CTX_set_strict_cipher_list(SSL_CTX *ctx, const char *str) { 1954 return ssl_create_cipher_list(&ctx->cipher_list, str, true /* strict */); 1955 } 1956 1957 int SSL_set_cipher_list(SSL *ssl, const char *str) { 1958 if (!ssl->config) { 1959 return 0; 1960 } 1961 return ssl_create_cipher_list(&ssl->config->cipher_list, str, 1962 false /* not strict */); 1963 } 1964 1965 int SSL_set_strict_cipher_list(SSL *ssl, const char *str) { 1966 if (!ssl->config) { 1967 return 0; 1968 } 1969 return ssl_create_cipher_list(&ssl->config->cipher_list, str, 1970 true /* strict */); 1971 } 1972 1973 const char *SSL_get_servername(const SSL *ssl, const int type) { 1974 if (type != TLSEXT_NAMETYPE_host_name) { 1975 return NULL; 1976 } 1977 1978 // Historically, |SSL_get_servername| was also the configuration getter 1979 // corresponding to |SSL_set_tlsext_host_name|. 1980 if (ssl->hostname != nullptr) { 1981 return ssl->hostname.get(); 1982 } 1983 1984 return ssl->s3->hostname.get(); 1985 } 1986 1987 int SSL_get_servername_type(const SSL *ssl) { 1988 if (SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name) == NULL) { 1989 return -1; 1990 } 1991 return TLSEXT_NAMETYPE_host_name; 1992 } 1993 1994 void SSL_CTX_set_custom_verify( 1995 SSL_CTX *ctx, int mode, 1996 enum ssl_verify_result_t (*callback)(SSL *ssl, uint8_t *out_alert)) { 1997 ctx->verify_mode = mode; 1998 ctx->custom_verify_callback = callback; 1999 } 2000 2001 void SSL_set_custom_verify( 2002 SSL *ssl, int mode, 2003 enum ssl_verify_result_t (*callback)(SSL *ssl, uint8_t *out_alert)) { 2004 if (!ssl->config) { 2005 return; 2006 } 2007 ssl->config->verify_mode = mode; 2008 ssl->config->custom_verify_callback = callback; 2009 } 2010 2011 void SSL_CTX_enable_signed_cert_timestamps(SSL_CTX *ctx) { 2012 ctx->signed_cert_timestamps_enabled = true; 2013 } 2014 2015 void SSL_enable_signed_cert_timestamps(SSL *ssl) { 2016 if (!ssl->config) { 2017 return; 2018 } 2019 ssl->config->signed_cert_timestamps_enabled = true; 2020 } 2021 2022 void SSL_CTX_enable_ocsp_stapling(SSL_CTX *ctx) { 2023 ctx->ocsp_stapling_enabled = true; 2024 } 2025 2026 void SSL_enable_ocsp_stapling(SSL *ssl) { 2027 if (!ssl->config) { 2028 return; 2029 } 2030 ssl->config->ocsp_stapling_enabled = true; 2031 } 2032 2033 void SSL_get0_signed_cert_timestamp_list(const SSL *ssl, const uint8_t **out, 2034 size_t *out_len) { 2035 SSL_SESSION *session = SSL_get_session(ssl); 2036 if (ssl->server || !session || !session->signed_cert_timestamp_list) { 2037 *out_len = 0; 2038 *out = NULL; 2039 return; 2040 } 2041 2042 *out = CRYPTO_BUFFER_data(session->signed_cert_timestamp_list.get()); 2043 *out_len = CRYPTO_BUFFER_len(session->signed_cert_timestamp_list.get()); 2044 } 2045 2046 void SSL_get0_ocsp_response(const SSL *ssl, const uint8_t **out, 2047 size_t *out_len) { 2048 SSL_SESSION *session = SSL_get_session(ssl); 2049 if (ssl->server || !session || !session->ocsp_response) { 2050 *out_len = 0; 2051 *out = NULL; 2052 return; 2053 } 2054 2055 *out = CRYPTO_BUFFER_data(session->ocsp_response.get()); 2056 *out_len = CRYPTO_BUFFER_len(session->ocsp_response.get()); 2057 } 2058 2059 int SSL_set_tlsext_host_name(SSL *ssl, const char *name) { 2060 ssl->hostname.reset(); 2061 if (name == nullptr) { 2062 return 1; 2063 } 2064 2065 size_t len = strlen(name); 2066 if (len == 0 || len > TLSEXT_MAXLEN_host_name) { 2067 OPENSSL_PUT_ERROR(SSL, SSL_R_SSL3_EXT_INVALID_SERVERNAME); 2068 return 0; 2069 } 2070 ssl->hostname.reset(BUF_strdup(name)); 2071 if (ssl->hostname == nullptr) { 2072 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); 2073 return 0; 2074 } 2075 return 1; 2076 } 2077 2078 int SSL_CTX_set_tlsext_servername_callback( 2079 SSL_CTX *ctx, int (*callback)(SSL *ssl, int *out_alert, void *arg)) { 2080 ctx->servername_callback = callback; 2081 return 1; 2082 } 2083 2084 int SSL_CTX_set_tlsext_servername_arg(SSL_CTX *ctx, void *arg) { 2085 ctx->servername_arg = arg; 2086 return 1; 2087 } 2088 2089 int SSL_select_next_proto(uint8_t **out, uint8_t *out_len, const uint8_t *peer, 2090 unsigned peer_len, const uint8_t *supported, 2091 unsigned supported_len) { 2092 const uint8_t *result; 2093 int status; 2094 2095 // For each protocol in peer preference order, see if we support it. 2096 for (unsigned i = 0; i < peer_len;) { 2097 for (unsigned j = 0; j < supported_len;) { 2098 if (peer[i] == supported[j] && 2099 OPENSSL_memcmp(&peer[i + 1], &supported[j + 1], peer[i]) == 0) { 2100 // We found a match 2101 result = &peer[i]; 2102 status = OPENSSL_NPN_NEGOTIATED; 2103 goto found; 2104 } 2105 j += supported[j]; 2106 j++; 2107 } 2108 i += peer[i]; 2109 i++; 2110 } 2111 2112 // There's no overlap between our protocols and the peer's list. 2113 result = supported; 2114 status = OPENSSL_NPN_NO_OVERLAP; 2115 2116 found: 2117 *out = (uint8_t *)result + 1; 2118 *out_len = result[0]; 2119 return status; 2120 } 2121 2122 void SSL_get0_next_proto_negotiated(const SSL *ssl, const uint8_t **out_data, 2123 unsigned *out_len) { 2124 *out_data = ssl->s3->next_proto_negotiated.data(); 2125 *out_len = ssl->s3->next_proto_negotiated.size(); 2126 } 2127 2128 void SSL_CTX_set_next_protos_advertised_cb( 2129 SSL_CTX *ctx, 2130 int (*cb)(SSL *ssl, const uint8_t **out, unsigned *out_len, void *arg), 2131 void *arg) { 2132 ctx->next_protos_advertised_cb = cb; 2133 ctx->next_protos_advertised_cb_arg = arg; 2134 } 2135 2136 void SSL_CTX_set_next_proto_select_cb( 2137 SSL_CTX *ctx, int (*cb)(SSL *ssl, uint8_t **out, uint8_t *out_len, 2138 const uint8_t *in, unsigned in_len, void *arg), 2139 void *arg) { 2140 ctx->next_proto_select_cb = cb; 2141 ctx->next_proto_select_cb_arg = arg; 2142 } 2143 2144 int SSL_CTX_set_alpn_protos(SSL_CTX *ctx, const uint8_t *protos, 2145 unsigned protos_len) { 2146 // Note this function's calling convention is backwards. 2147 return ctx->alpn_client_proto_list.CopyFrom(MakeConstSpan(protos, protos_len)) 2148 ? 0 2149 : 1; 2150 } 2151 2152 int SSL_set_alpn_protos(SSL *ssl, const uint8_t *protos, unsigned protos_len) { 2153 // Note this function's calling convention is backwards. 2154 if (!ssl->config) { 2155 return 1; 2156 } 2157 return ssl->config->alpn_client_proto_list.CopyFrom( 2158 MakeConstSpan(protos, protos_len)) 2159 ? 0 2160 : 1; 2161 } 2162 2163 void SSL_CTX_set_alpn_select_cb(SSL_CTX *ctx, 2164 int (*cb)(SSL *ssl, const uint8_t **out, 2165 uint8_t *out_len, const uint8_t *in, 2166 unsigned in_len, void *arg), 2167 void *arg) { 2168 ctx->alpn_select_cb = cb; 2169 ctx->alpn_select_cb_arg = arg; 2170 } 2171 2172 void SSL_get0_alpn_selected(const SSL *ssl, const uint8_t **out_data, 2173 unsigned *out_len) { 2174 if (SSL_in_early_data(ssl) && !ssl->server) { 2175 *out_data = ssl->s3->hs->early_session->early_alpn.data(); 2176 *out_len = ssl->s3->hs->early_session->early_alpn.size(); 2177 } else { 2178 *out_data = ssl->s3->alpn_selected.data(); 2179 *out_len = ssl->s3->alpn_selected.size(); 2180 } 2181 } 2182 2183 void SSL_CTX_set_allow_unknown_alpn_protos(SSL_CTX *ctx, int enabled) { 2184 ctx->allow_unknown_alpn_protos = !!enabled; 2185 } 2186 2187 int SSL_CTX_add_cert_compression_alg(SSL_CTX *ctx, uint16_t alg_id, 2188 ssl_cert_compression_func_t compress, 2189 ssl_cert_decompression_func_t decompress) { 2190 assert(compress != nullptr || decompress != nullptr); 2191 2192 for (const auto *alg : ctx->cert_compression_algs.get()) { 2193 if (alg->alg_id == alg_id) { 2194 return 0; 2195 } 2196 } 2197 2198 UniquePtr<CertCompressionAlg> alg = MakeUnique<CertCompressionAlg>(); 2199 if (alg == nullptr) { 2200 return 0; 2201 } 2202 2203 alg->alg_id = alg_id; 2204 alg->compress = compress; 2205 alg->decompress = decompress; 2206 2207 if (ctx->cert_compression_algs == nullptr) { 2208 ctx->cert_compression_algs.reset(sk_CertCompressionAlg_new_null()); 2209 if (ctx->cert_compression_algs == nullptr) { 2210 return 0; 2211 } 2212 } 2213 2214 if (!PushToStack(ctx->cert_compression_algs.get(), std::move(alg))) { 2215 if (sk_CertCompressionAlg_num(ctx->cert_compression_algs.get()) == 0) { 2216 ctx->cert_compression_algs.reset(); 2217 } 2218 return 0; 2219 } 2220 2221 return 1; 2222 } 2223 2224 void SSL_CTX_set_tls_channel_id_enabled(SSL_CTX *ctx, int enabled) { 2225 ctx->channel_id_enabled = !!enabled; 2226 } 2227 2228 int SSL_CTX_enable_tls_channel_id(SSL_CTX *ctx) { 2229 SSL_CTX_set_tls_channel_id_enabled(ctx, 1); 2230 return 1; 2231 } 2232 2233 void SSL_set_tls_channel_id_enabled(SSL *ssl, int enabled) { 2234 if (!ssl->config) { 2235 return; 2236 } 2237 ssl->config->channel_id_enabled = !!enabled; 2238 } 2239 2240 int SSL_enable_tls_channel_id(SSL *ssl) { 2241 SSL_set_tls_channel_id_enabled(ssl, 1); 2242 return 1; 2243 } 2244 2245 static int is_p256_key(EVP_PKEY *private_key) { 2246 const EC_KEY *ec_key = EVP_PKEY_get0_EC_KEY(private_key); 2247 return ec_key != NULL && 2248 EC_GROUP_get_curve_name(EC_KEY_get0_group(ec_key)) == 2249 NID_X9_62_prime256v1; 2250 } 2251 2252 int SSL_CTX_set1_tls_channel_id(SSL_CTX *ctx, EVP_PKEY *private_key) { 2253 if (!is_p256_key(private_key)) { 2254 OPENSSL_PUT_ERROR(SSL, SSL_R_CHANNEL_ID_NOT_P256); 2255 return 0; 2256 } 2257 2258 ctx->channel_id_private = UpRef(private_key); 2259 ctx->channel_id_enabled = true; 2260 2261 return 1; 2262 } 2263 2264 int SSL_set1_tls_channel_id(SSL *ssl, EVP_PKEY *private_key) { 2265 if (!ssl->config) { 2266 return 0; 2267 } 2268 if (!is_p256_key(private_key)) { 2269 OPENSSL_PUT_ERROR(SSL, SSL_R_CHANNEL_ID_NOT_P256); 2270 return 0; 2271 } 2272 2273 ssl->config->channel_id_private = UpRef(private_key); 2274 ssl->config->channel_id_enabled = true; 2275 2276 return 1; 2277 } 2278 2279 size_t SSL_get_tls_channel_id(SSL *ssl, uint8_t *out, size_t max_out) { 2280 if (!ssl->s3->channel_id_valid) { 2281 return 0; 2282 } 2283 OPENSSL_memcpy(out, ssl->s3->channel_id, (max_out < 64) ? max_out : 64); 2284 return 64; 2285 } 2286 2287 int SSL_set_token_binding_params(SSL *ssl, const uint8_t *params, size_t len) { 2288 if (!ssl->config) { 2289 return 0; 2290 } 2291 if (len > 256) { 2292 OPENSSL_PUT_ERROR(SSL, ERR_R_OVERFLOW); 2293 return 0; 2294 } 2295 return ssl->config->token_binding_params.CopyFrom(MakeConstSpan(params, len)); 2296 } 2297 2298 int SSL_is_token_binding_negotiated(const SSL *ssl) { 2299 return ssl->s3->token_binding_negotiated; 2300 } 2301 2302 uint8_t SSL_get_negotiated_token_binding_param(const SSL *ssl) { 2303 return ssl->s3->negotiated_token_binding_param; 2304 } 2305 2306 size_t SSL_get0_certificate_types(const SSL *ssl, const uint8_t **out_types) { 2307 Span<const uint8_t> types; 2308 if (!ssl->server && ssl->s3->hs != nullptr) { 2309 types = ssl->s3->hs->certificate_types; 2310 } 2311 *out_types = types.data(); 2312 return types.size(); 2313 } 2314 2315 size_t SSL_get0_peer_verify_algorithms(const SSL *ssl, 2316 const uint16_t **out_sigalgs) { 2317 Span<const uint16_t> sigalgs; 2318 if (ssl->s3->hs != nullptr) { 2319 sigalgs = ssl->s3->hs->peer_sigalgs; 2320 } 2321 *out_sigalgs = sigalgs.data(); 2322 return sigalgs.size(); 2323 } 2324 2325 EVP_PKEY *SSL_get_privatekey(const SSL *ssl) { 2326 if (!ssl->config) { 2327 assert(ssl->config); 2328 return NULL; 2329 } 2330 if (ssl->config->cert != NULL) { 2331 return ssl->config->cert->privatekey.get(); 2332 } 2333 2334 return NULL; 2335 } 2336 2337 EVP_PKEY *SSL_CTX_get0_privatekey(const SSL_CTX *ctx) { 2338 if (ctx->cert != NULL) { 2339 return ctx->cert->privatekey.get(); 2340 } 2341 2342 return NULL; 2343 } 2344 2345 const SSL_CIPHER *SSL_get_current_cipher(const SSL *ssl) { 2346 const SSL_SESSION *session = SSL_get_session(ssl); 2347 return session == nullptr ? nullptr : session->cipher; 2348 } 2349 2350 int SSL_session_reused(const SSL *ssl) { 2351 return ssl->s3->session_reused || SSL_in_early_data(ssl); 2352 } 2353 2354 const COMP_METHOD *SSL_get_current_compression(SSL *ssl) { return NULL; } 2355 2356 const COMP_METHOD *SSL_get_current_expansion(SSL *ssl) { return NULL; } 2357 2358 int SSL_get_server_tmp_key(SSL *ssl, EVP_PKEY **out_key) { return 0; } 2359 2360 void SSL_CTX_set_quiet_shutdown(SSL_CTX *ctx, int mode) { 2361 ctx->quiet_shutdown = (mode != 0); 2362 } 2363 2364 int SSL_CTX_get_quiet_shutdown(const SSL_CTX *ctx) { 2365 return ctx->quiet_shutdown; 2366 } 2367 2368 void SSL_set_quiet_shutdown(SSL *ssl, int mode) { 2369 ssl->quiet_shutdown = (mode != 0); 2370 } 2371 2372 int SSL_get_quiet_shutdown(const SSL *ssl) { return ssl->quiet_shutdown; } 2373 2374 void SSL_set_shutdown(SSL *ssl, int mode) { 2375 // It is an error to clear any bits that have already been set. (We can't try 2376 // to get a second close_notify or send two.) 2377 assert((SSL_get_shutdown(ssl) & mode) == SSL_get_shutdown(ssl)); 2378 2379 if (mode & SSL_RECEIVED_SHUTDOWN && 2380 ssl->s3->read_shutdown == ssl_shutdown_none) { 2381 ssl->s3->read_shutdown = ssl_shutdown_close_notify; 2382 } 2383 2384 if (mode & SSL_SENT_SHUTDOWN && 2385 ssl->s3->write_shutdown == ssl_shutdown_none) { 2386 ssl->s3->write_shutdown = ssl_shutdown_close_notify; 2387 } 2388 } 2389 2390 int SSL_get_shutdown(const SSL *ssl) { 2391 int ret = 0; 2392 if (ssl->s3->read_shutdown != ssl_shutdown_none) { 2393 // Historically, OpenSSL set |SSL_RECEIVED_SHUTDOWN| on both close_notify 2394 // and fatal alert. 2395 ret |= SSL_RECEIVED_SHUTDOWN; 2396 } 2397 if (ssl->s3->write_shutdown == ssl_shutdown_close_notify) { 2398 // Historically, OpenSSL set |SSL_SENT_SHUTDOWN| on only close_notify. 2399 ret |= SSL_SENT_SHUTDOWN; 2400 } 2401 return ret; 2402 } 2403 2404 SSL_CTX *SSL_get_SSL_CTX(const SSL *ssl) { return ssl->ctx.get(); } 2405 2406 SSL_CTX *SSL_set_SSL_CTX(SSL *ssl, SSL_CTX *ctx) { 2407 if (!ssl->config) { 2408 return NULL; 2409 } 2410 if (ssl->ctx.get() == ctx) { 2411 return ssl->ctx.get(); 2412 } 2413 2414 // One cannot change the X.509 callbacks during a connection. 2415 if (ssl->ctx->x509_method != ctx->x509_method) { 2416 assert(0); 2417 return NULL; 2418 } 2419 2420 UniquePtr<CERT> new_cert = ssl_cert_dup(ctx->cert.get()); 2421 if (!new_cert) { 2422 return nullptr; 2423 } 2424 2425 ssl->config->cert = std::move(new_cert); 2426 ssl->ctx = UpRef(ctx); 2427 ssl->enable_early_data = ssl->ctx->enable_early_data; 2428 2429 return ssl->ctx.get(); 2430 } 2431 2432 void SSL_set_info_callback(SSL *ssl, 2433 void (*cb)(const SSL *ssl, int type, int value)) { 2434 ssl->info_callback = cb; 2435 } 2436 2437 void (*SSL_get_info_callback(const SSL *ssl))(const SSL *ssl, int type, 2438 int value) { 2439 return ssl->info_callback; 2440 } 2441 2442 int SSL_state(const SSL *ssl) { 2443 return SSL_in_init(ssl) ? SSL_ST_INIT : SSL_ST_OK; 2444 } 2445 2446 void SSL_set_state(SSL *ssl, int state) { } 2447 2448 char *SSL_get_shared_ciphers(const SSL *ssl, char *buf, int len) { 2449 if (len <= 0) { 2450 return NULL; 2451 } 2452 buf[0] = '\0'; 2453 return buf; 2454 } 2455 2456 int SSL_CTX_set_quic_method(SSL_CTX *ctx, const SSL_QUIC_METHOD *quic_method) { 2457 if (ctx->method->is_dtls) { 2458 return 0; 2459 } 2460 ctx->quic_method = quic_method; 2461 return 1; 2462 } 2463 2464 int SSL_set_quic_method(SSL *ssl, const SSL_QUIC_METHOD *quic_method) { 2465 if (ssl->method->is_dtls) { 2466 return 0; 2467 } 2468 ssl->quic_method = quic_method; 2469 return 1; 2470 } 2471 2472 int SSL_get_ex_new_index(long argl, void *argp, CRYPTO_EX_unused *unused, 2473 CRYPTO_EX_dup *dup_unused, CRYPTO_EX_free *free_func) { 2474 int index; 2475 if (!CRYPTO_get_ex_new_index(&g_ex_data_class_ssl, &index, argl, argp, 2476 free_func)) { 2477 return -1; 2478 } 2479 return index; 2480 } 2481 2482 int SSL_set_ex_data(SSL *ssl, int idx, void *data) { 2483 return CRYPTO_set_ex_data(&ssl->ex_data, idx, data); 2484 } 2485 2486 void *SSL_get_ex_data(const SSL *ssl, int idx) { 2487 return CRYPTO_get_ex_data(&ssl->ex_data, idx); 2488 } 2489 2490 int SSL_CTX_get_ex_new_index(long argl, void *argp, CRYPTO_EX_unused *unused, 2491 CRYPTO_EX_dup *dup_unused, 2492 CRYPTO_EX_free *free_func) { 2493 int index; 2494 if (!CRYPTO_get_ex_new_index(&g_ex_data_class_ssl_ctx, &index, argl, argp, 2495 free_func)) { 2496 return -1; 2497 } 2498 return index; 2499 } 2500 2501 int SSL_CTX_set_ex_data(SSL_CTX *ctx, int idx, void *data) { 2502 return CRYPTO_set_ex_data(&ctx->ex_data, idx, data); 2503 } 2504 2505 void *SSL_CTX_get_ex_data(const SSL_CTX *ctx, int idx) { 2506 return CRYPTO_get_ex_data(&ctx->ex_data, idx); 2507 } 2508 2509 int SSL_want(const SSL *ssl) { return ssl->s3->rwstate; } 2510 2511 void SSL_CTX_set_tmp_rsa_callback(SSL_CTX *ctx, 2512 RSA *(*cb)(SSL *ssl, int is_export, 2513 int keylength)) {} 2514 2515 void SSL_set_tmp_rsa_callback(SSL *ssl, RSA *(*cb)(SSL *ssl, int is_export, 2516 int keylength)) {} 2517 2518 void SSL_CTX_set_tmp_dh_callback(SSL_CTX *ctx, 2519 DH *(*cb)(SSL *ssl, int is_export, 2520 int keylength)) {} 2521 2522 void SSL_set_tmp_dh_callback(SSL *ssl, DH *(*cb)(SSL *ssl, int is_export, 2523 int keylength)) {} 2524 2525 static int use_psk_identity_hint(UniquePtr<char> *out, 2526 const char *identity_hint) { 2527 if (identity_hint != NULL && strlen(identity_hint) > PSK_MAX_IDENTITY_LEN) { 2528 OPENSSL_PUT_ERROR(SSL, SSL_R_DATA_LENGTH_TOO_LONG); 2529 return 0; 2530 } 2531 2532 // Clear currently configured hint, if any. 2533 out->reset(); 2534 2535 // Treat the empty hint as not supplying one. Plain PSK makes it possible to 2536 // send either no hint (omit ServerKeyExchange) or an empty hint, while 2537 // ECDHE_PSK can only spell empty hint. Having different capabilities is odd, 2538 // so we interpret empty and missing as identical. 2539 if (identity_hint != NULL && identity_hint[0] != '\0') { 2540 out->reset(BUF_strdup(identity_hint)); 2541 if (*out == nullptr) { 2542 return 0; 2543 } 2544 } 2545 2546 return 1; 2547 } 2548 2549 int SSL_CTX_use_psk_identity_hint(SSL_CTX *ctx, const char *identity_hint) { 2550 return use_psk_identity_hint(&ctx->psk_identity_hint, identity_hint); 2551 } 2552 2553 int SSL_use_psk_identity_hint(SSL *ssl, const char *identity_hint) { 2554 if (!ssl->config) { 2555 return 0; 2556 } 2557 return use_psk_identity_hint(&ssl->config->psk_identity_hint, identity_hint); 2558 } 2559 2560 const char *SSL_get_psk_identity_hint(const SSL *ssl) { 2561 if (ssl == NULL) { 2562 return NULL; 2563 } 2564 if (ssl->config == NULL) { 2565 assert(ssl->config); 2566 return NULL; 2567 } 2568 return ssl->config->psk_identity_hint.get(); 2569 } 2570 2571 const char *SSL_get_psk_identity(const SSL *ssl) { 2572 if (ssl == NULL) { 2573 return NULL; 2574 } 2575 SSL_SESSION *session = SSL_get_session(ssl); 2576 if (session == NULL) { 2577 return NULL; 2578 } 2579 return session->psk_identity.get(); 2580 } 2581 2582 void SSL_set_psk_client_callback( 2583 SSL *ssl, unsigned (*cb)(SSL *ssl, const char *hint, char *identity, 2584 unsigned max_identity_len, uint8_t *psk, 2585 unsigned max_psk_len)) { 2586 if (!ssl->config) { 2587 return; 2588 } 2589 ssl->config->psk_client_callback = cb; 2590 } 2591 2592 void SSL_CTX_set_psk_client_callback( 2593 SSL_CTX *ctx, unsigned (*cb)(SSL *ssl, const char *hint, char *identity, 2594 unsigned max_identity_len, uint8_t *psk, 2595 unsigned max_psk_len)) { 2596 ctx->psk_client_callback = cb; 2597 } 2598 2599 void SSL_set_psk_server_callback( 2600 SSL *ssl, unsigned (*cb)(SSL *ssl, const char *identity, uint8_t *psk, 2601 unsigned max_psk_len)) { 2602 if (!ssl->config) { 2603 return; 2604 } 2605 ssl->config->psk_server_callback = cb; 2606 } 2607 2608 void SSL_CTX_set_psk_server_callback( 2609 SSL_CTX *ctx, unsigned (*cb)(SSL *ssl, const char *identity, 2610 uint8_t *psk, unsigned max_psk_len)) { 2611 ctx->psk_server_callback = cb; 2612 } 2613 2614 void SSL_CTX_set_msg_callback(SSL_CTX *ctx, 2615 void (*cb)(int write_p, int version, 2616 int content_type, const void *buf, 2617 size_t len, SSL *ssl, void *arg)) { 2618 ctx->msg_callback = cb; 2619 } 2620 2621 void SSL_CTX_set_msg_callback_arg(SSL_CTX *ctx, void *arg) { 2622 ctx->msg_callback_arg = arg; 2623 } 2624 2625 void SSL_set_msg_callback(SSL *ssl, 2626 void (*cb)(int write_p, int version, int content_type, 2627 const void *buf, size_t len, SSL *ssl, 2628 void *arg)) { 2629 ssl->msg_callback = cb; 2630 } 2631 2632 void SSL_set_msg_callback_arg(SSL *ssl, void *arg) { 2633 ssl->msg_callback_arg = arg; 2634 } 2635 2636 void SSL_CTX_set_keylog_callback(SSL_CTX *ctx, 2637 void (*cb)(const SSL *ssl, const char *line)) { 2638 ctx->keylog_callback = cb; 2639 } 2640 2641 void (*SSL_CTX_get_keylog_callback(const SSL_CTX *ctx))(const SSL *ssl, 2642 const char *line) { 2643 return ctx->keylog_callback; 2644 } 2645 2646 void SSL_CTX_set_current_time_cb(SSL_CTX *ctx, 2647 void (*cb)(const SSL *ssl, 2648 struct timeval *out_clock)) { 2649 ctx->current_time_cb = cb; 2650 } 2651 2652 int SSL_is_init_finished(const SSL *ssl) { 2653 return !SSL_in_init(ssl); 2654 } 2655 2656 int SSL_in_init(const SSL *ssl) { 2657 // This returns false once all the handshake state has been finalized, to 2658 // allow callbacks and getters based on SSL_in_init to return the correct 2659 // values. 2660 SSL_HANDSHAKE *hs = ssl->s3->hs.get(); 2661 return hs != nullptr && !hs->handshake_finalized; 2662 } 2663 2664 int SSL_in_false_start(const SSL *ssl) { 2665 if (ssl->s3->hs == NULL) { 2666 return 0; 2667 } 2668 return ssl->s3->hs->in_false_start; 2669 } 2670 2671 int SSL_cutthrough_complete(const SSL *ssl) { 2672 return SSL_in_false_start(ssl); 2673 } 2674 2675 int SSL_is_server(const SSL *ssl) { return ssl->server; } 2676 2677 int SSL_is_dtls(const SSL *ssl) { return ssl->method->is_dtls; } 2678 2679 void SSL_CTX_set_select_certificate_cb( 2680 SSL_CTX *ctx, 2681 enum ssl_select_cert_result_t (*cb)(const SSL_CLIENT_HELLO *)) { 2682 ctx->select_certificate_cb = cb; 2683 } 2684 2685 void SSL_CTX_set_dos_protection_cb(SSL_CTX *ctx, 2686 int (*cb)(const SSL_CLIENT_HELLO *)) { 2687 ctx->dos_protection_cb = cb; 2688 } 2689 2690 void SSL_CTX_set_reverify_on_resume(SSL_CTX *ctx, int enabled) { 2691 ctx->reverify_on_resume = !!enabled; 2692 } 2693 2694 void SSL_set_enforce_rsa_key_usage(SSL *ssl, int enabled) { 2695 if (!ssl->config) { 2696 return; 2697 } 2698 ssl->config->enforce_rsa_key_usage = !!enabled; 2699 } 2700 2701 void SSL_set_renegotiate_mode(SSL *ssl, enum ssl_renegotiate_mode_t mode) { 2702 ssl->renegotiate_mode = mode; 2703 2704 // Check if |ssl_can_renegotiate| has changed and the configuration may now be 2705 // shed. HTTP clients may initially allow renegotiation for HTTP/1.1, and then 2706 // disable after the handshake once the ALPN protocol is known to be HTTP/2. 2707 ssl_maybe_shed_handshake_config(ssl); 2708 } 2709 2710 int SSL_get_ivs(const SSL *ssl, const uint8_t **out_read_iv, 2711 const uint8_t **out_write_iv, size_t *out_iv_len) { 2712 size_t write_iv_len; 2713 if (!ssl->s3->aead_read_ctx->GetIV(out_read_iv, out_iv_len) || 2714 !ssl->s3->aead_write_ctx->GetIV(out_write_iv, &write_iv_len) || 2715 *out_iv_len != write_iv_len) { 2716 return 0; 2717 } 2718 2719 return 1; 2720 } 2721 2722 static uint64_t be_to_u64(const uint8_t in[8]) { 2723 return (((uint64_t)in[0]) << 56) | (((uint64_t)in[1]) << 48) | 2724 (((uint64_t)in[2]) << 40) | (((uint64_t)in[3]) << 32) | 2725 (((uint64_t)in[4]) << 24) | (((uint64_t)in[5]) << 16) | 2726 (((uint64_t)in[6]) << 8) | ((uint64_t)in[7]); 2727 } 2728 2729 uint64_t SSL_get_read_sequence(const SSL *ssl) { 2730 // TODO(davidben): Internally represent sequence numbers as uint64_t. 2731 if (SSL_is_dtls(ssl)) { 2732 // max_seq_num already includes the epoch. 2733 assert(ssl->d1->r_epoch == (ssl->d1->bitmap.max_seq_num >> 48)); 2734 return ssl->d1->bitmap.max_seq_num; 2735 } 2736 return be_to_u64(ssl->s3->read_sequence); 2737 } 2738 2739 uint64_t SSL_get_write_sequence(const SSL *ssl) { 2740 uint64_t ret = be_to_u64(ssl->s3->write_sequence); 2741 if (SSL_is_dtls(ssl)) { 2742 assert((ret >> 48) == 0); 2743 ret |= ((uint64_t)ssl->d1->w_epoch) << 48; 2744 } 2745 return ret; 2746 } 2747 2748 uint16_t SSL_get_peer_signature_algorithm(const SSL *ssl) { 2749 // TODO(davidben): This checks the wrong session if there is a renegotiation 2750 // in progress. 2751 SSL_SESSION *session = SSL_get_session(ssl); 2752 if (session == NULL) { 2753 return 0; 2754 } 2755 2756 return session->peer_signature_algorithm; 2757 } 2758 2759 size_t SSL_get_client_random(const SSL *ssl, uint8_t *out, size_t max_out) { 2760 if (max_out == 0) { 2761 return sizeof(ssl->s3->client_random); 2762 } 2763 if (max_out > sizeof(ssl->s3->client_random)) { 2764 max_out = sizeof(ssl->s3->client_random); 2765 } 2766 OPENSSL_memcpy(out, ssl->s3->client_random, max_out); 2767 return max_out; 2768 } 2769 2770 size_t SSL_get_server_random(const SSL *ssl, uint8_t *out, size_t max_out) { 2771 if (max_out == 0) { 2772 return sizeof(ssl->s3->server_random); 2773 } 2774 if (max_out > sizeof(ssl->s3->server_random)) { 2775 max_out = sizeof(ssl->s3->server_random); 2776 } 2777 OPENSSL_memcpy(out, ssl->s3->server_random, max_out); 2778 return max_out; 2779 } 2780 2781 const SSL_CIPHER *SSL_get_pending_cipher(const SSL *ssl) { 2782 SSL_HANDSHAKE *hs = ssl->s3->hs.get(); 2783 if (hs == NULL) { 2784 return NULL; 2785 } 2786 return hs->new_cipher; 2787 } 2788 2789 void SSL_set_retain_only_sha256_of_client_certs(SSL *ssl, int enabled) { 2790 if (!ssl->config) { 2791 return; 2792 } 2793 ssl->config->retain_only_sha256_of_client_certs = !!enabled; 2794 } 2795 2796 void SSL_CTX_set_retain_only_sha256_of_client_certs(SSL_CTX *ctx, int enabled) { 2797 ctx->retain_only_sha256_of_client_certs = !!enabled; 2798 } 2799 2800 void SSL_CTX_set_grease_enabled(SSL_CTX *ctx, int enabled) { 2801 ctx->grease_enabled = !!enabled; 2802 } 2803 2804 int32_t SSL_get_ticket_age_skew(const SSL *ssl) { 2805 return ssl->s3->ticket_age_skew; 2806 } 2807 2808 void SSL_CTX_set_false_start_allowed_without_alpn(SSL_CTX *ctx, int allowed) { 2809 ctx->false_start_allowed_without_alpn = !!allowed; 2810 } 2811 2812 int SSL_is_tls13_downgrade(const SSL *ssl) { return ssl->s3->tls13_downgrade; } 2813 2814 void SSL_CTX_set_ignore_tls13_downgrade(SSL_CTX *ctx, int ignore) { 2815 ctx->ignore_tls13_downgrade = !!ignore; 2816 } 2817 2818 void SSL_set_ignore_tls13_downgrade(SSL *ssl, int ignore) { 2819 if (!ssl->config) { 2820 return; 2821 } 2822 ssl->config->ignore_tls13_downgrade = !!ignore; 2823 } 2824 2825 void SSL_set_shed_handshake_config(SSL *ssl, int enable) { 2826 if (!ssl->config) { 2827 return; 2828 } 2829 ssl->config->shed_handshake_config = !!enable; 2830 } 2831 2832 void SSL_set_jdk11_workaround(SSL *ssl, int enable) { 2833 if (!ssl->config) { 2834 return; 2835 } 2836 ssl->config->jdk11_workaround = !!enable; 2837 } 2838 2839 int SSL_clear(SSL *ssl) { 2840 if (!ssl->config) { 2841 return 0; // SSL_clear may not be used after shedding config. 2842 } 2843 2844 // In OpenSSL, reusing a client |SSL| with |SSL_clear| causes the previously 2845 // established session to be offered the next time around. wpa_supplicant 2846 // depends on this behavior, so emulate it. 2847 UniquePtr<SSL_SESSION> session; 2848 if (!ssl->server && ssl->s3->established_session != NULL) { 2849 session = UpRef(ssl->s3->established_session); 2850 } 2851 2852 // The ssl->d1->mtu is simultaneously configuration (preserved across 2853 // clear) and connection-specific state (gets reset). 2854 // 2855 // TODO(davidben): Avoid this. 2856 unsigned mtu = 0; 2857 if (ssl->d1 != NULL) { 2858 mtu = ssl->d1->mtu; 2859 } 2860 2861 ssl->method->ssl_free(ssl); 2862 if (!ssl->method->ssl_new(ssl)) { 2863 return 0; 2864 } 2865 2866 if (SSL_is_dtls(ssl) && (SSL_get_options(ssl) & SSL_OP_NO_QUERY_MTU)) { 2867 ssl->d1->mtu = mtu; 2868 } 2869 2870 if (session != nullptr) { 2871 SSL_set_session(ssl, session.get()); 2872 } 2873 2874 return 1; 2875 } 2876 2877 int SSL_CTX_sess_connect(const SSL_CTX *ctx) { return 0; } 2878 int SSL_CTX_sess_connect_good(const SSL_CTX *ctx) { return 0; } 2879 int SSL_CTX_sess_connect_renegotiate(const SSL_CTX *ctx) { return 0; } 2880 int SSL_CTX_sess_accept(const SSL_CTX *ctx) { return 0; } 2881 int SSL_CTX_sess_accept_renegotiate(const SSL_CTX *ctx) { return 0; } 2882 int SSL_CTX_sess_accept_good(const SSL_CTX *ctx) { return 0; } 2883 int SSL_CTX_sess_hits(const SSL_CTX *ctx) { return 0; } 2884 int SSL_CTX_sess_cb_hits(const SSL_CTX *ctx) { return 0; } 2885 int SSL_CTX_sess_misses(const SSL_CTX *ctx) { return 0; } 2886 int SSL_CTX_sess_timeouts(const SSL_CTX *ctx) { return 0; } 2887 int SSL_CTX_sess_cache_full(const SSL_CTX *ctx) { return 0; } 2888 2889 int SSL_num_renegotiations(const SSL *ssl) { 2890 return SSL_total_renegotiations(ssl); 2891 } 2892 2893 int SSL_CTX_need_tmp_RSA(const SSL_CTX *ctx) { return 0; } 2894 int SSL_need_tmp_RSA(const SSL *ssl) { return 0; } 2895 int SSL_CTX_set_tmp_rsa(SSL_CTX *ctx, const RSA *rsa) { return 1; } 2896 int SSL_set_tmp_rsa(SSL *ssl, const RSA *rsa) { return 1; } 2897 void ERR_load_SSL_strings(void) {} 2898 void SSL_load_error_strings(void) {} 2899 int SSL_cache_hit(SSL *ssl) { return SSL_session_reused(ssl); } 2900 2901 int SSL_CTX_set_tmp_ecdh(SSL_CTX *ctx, const EC_KEY *ec_key) { 2902 if (ec_key == NULL || EC_KEY_get0_group(ec_key) == NULL) { 2903 OPENSSL_PUT_ERROR(SSL, ERR_R_PASSED_NULL_PARAMETER); 2904 return 0; 2905 } 2906 int nid = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec_key)); 2907 return SSL_CTX_set1_curves(ctx, &nid, 1); 2908 } 2909 2910 int SSL_set_tmp_ecdh(SSL *ssl, const EC_KEY *ec_key) { 2911 if (ec_key == NULL || EC_KEY_get0_group(ec_key) == NULL) { 2912 OPENSSL_PUT_ERROR(SSL, ERR_R_PASSED_NULL_PARAMETER); 2913 return 0; 2914 } 2915 int nid = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec_key)); 2916 return SSL_set1_curves(ssl, &nid, 1); 2917 } 2918 2919 void SSL_CTX_set_ticket_aead_method(SSL_CTX *ctx, 2920 const SSL_TICKET_AEAD_METHOD *aead_method) { 2921 ctx->ticket_aead_method = aead_method; 2922 } 2923 2924 int SSL_set_tlsext_status_type(SSL *ssl, int type) { 2925 if (!ssl->config) { 2926 return 0; 2927 } 2928 ssl->config->ocsp_stapling_enabled = type == TLSEXT_STATUSTYPE_ocsp; 2929 return 1; 2930 } 2931 2932 int SSL_get_tlsext_status_type(const SSL *ssl) { 2933 if (ssl->server) { 2934 SSL_HANDSHAKE *hs = ssl->s3->hs.get(); 2935 return hs != nullptr && hs->ocsp_stapling_requested 2936 ? TLSEXT_STATUSTYPE_ocsp 2937 : TLSEXT_STATUSTYPE_nothing; 2938 } 2939 2940 return ssl->config != nullptr && ssl->config->ocsp_stapling_enabled 2941 ? TLSEXT_STATUSTYPE_ocsp 2942 : TLSEXT_STATUSTYPE_nothing; 2943 } 2944 2945 int SSL_set_tlsext_status_ocsp_resp(SSL *ssl, uint8_t *resp, size_t resp_len) { 2946 if (SSL_set_ocsp_response(ssl, resp, resp_len)) { 2947 OPENSSL_free(resp); 2948 return 1; 2949 } 2950 return 0; 2951 } 2952 2953 size_t SSL_get_tlsext_status_ocsp_resp(const SSL *ssl, const uint8_t **out) { 2954 size_t ret; 2955 SSL_get0_ocsp_response(ssl, out, &ret); 2956 return ret; 2957 } 2958 2959 int SSL_CTX_set_tlsext_status_cb(SSL_CTX *ctx, 2960 int (*callback)(SSL *ssl, void *arg)) { 2961 ctx->legacy_ocsp_callback = callback; 2962 return 1; 2963 } 2964 2965 int SSL_CTX_set_tlsext_status_arg(SSL_CTX *ctx, void *arg) { 2966 ctx->legacy_ocsp_callback_arg = arg; 2967 return 1; 2968 } 2969
