Lines Matching refs:ssl
4 * This package is an SSL implementation written
6 * The implementation was written so as to conform with Netscapes SSL.
11 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
141 #include <openssl/ssl.h>
163 OPENSSL_DECLARE_ERROR_REASON(SSL, UNKNOWN_PROTOCOL)
215 OPENSSL_PUT_ERROR(SSL, SSL_R_NULL_SSL_METHOD_PASSED);
220 OPENSSL_PUT_ERROR(SSL, SSL_R_X509_VERIFICATION_SETUP_PROBLEMS);
263 OPENSSL_PUT_ERROR(SSL, SSL_R_LIBRARY_HAS_NO_CIPHERS);
298 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
346 SSL *SSL_new(SSL_CTX *ctx) {
348 OPENSSL_PUT_ERROR(SSL, SSL_R_NULL_SSL_CTX);
352 OPENSSL_PUT_ERROR(SSL, SSL_R_SSL_CTX_HAS_NO_DEFAULT_SSL_VERSION);
356 SSL *ssl = (SSL *)OPENSSL_malloc(sizeof(SSL));
357 if (ssl == NULL) {
360 memset(ssl, 0, sizeof(SSL));
362 ssl->min_version = ctx->min_version;
363 ssl->max_version = ctx->max_version;
365 ssl->options = ctx->options;
366 ssl->mode = ctx->mode;
367 ssl->max_cert_list = ctx->max_cert_list;
369 ssl->cert = ssl_cert_dup(ctx->cert);
370 if (ssl->cert == NULL) {
374 ssl->msg_callback = ctx->msg_callback;
375 ssl->msg_callback_arg = ctx->msg_callback_arg;
376 ssl->verify_mode = ctx->verify_mode;
377 ssl->sid_ctx_length = ctx->sid_ctx_length;
378 assert(ssl->sid_ctx_length <= sizeof ssl->sid_ctx);
379 memcpy(&ssl->sid_ctx, &ctx->sid_ctx, sizeof(ssl->sid_ctx));
380 ssl->verify_callback = ctx->default_verify_callback;
382 ssl->param = X509_VERIFY_PARAM_new();
383 if (!ssl->param) {
386 X509_VERIFY_PARAM_inherit(ssl->param, ctx->param);
387 ssl->quiet_shutdown = ctx->quiet_shutdown;
388 ssl->max_send_fragment = ctx->max_send_fragment;
391 ssl->ctx = ctx;
393 ssl->initial_ctx = ctx;
396 ssl->tlsext_ellipticcurvelist =
399 if (!ssl->tlsext_ellipticcurvelist) {
402 ssl->tlsext_ellipticcurvelist_length = ctx->tlsext_ellipticcurvelist_length;
405 if (ssl->ctx->alpn_client_proto_list) {
406 ssl->alpn_client_proto_list = BUF_memdup(
407 ssl->ctx->alpn_client_proto_list, ssl->ctx->alpn_client_proto_list_len);
408 if (ssl->alpn_client_proto_list == NULL) {
411 ssl->alpn_client_proto_list_len = ssl->ctx->alpn_client_proto_list_len;
414 ssl->verify_result = X509_V_OK;
415 ssl->method = ctx->method;
417 if (!ssl->method->ssl_new(ssl)) {
420 ssl->enc_method = ssl3_get_enc_method(ssl->version);
421 assert(ssl->enc_method != NULL);
423 ssl->rwstate = SSL_NOTHING;
425 CRYPTO_new_ex_data(&ssl->ex_data);
427 ssl->psk_identity_hint = NULL;
429 ssl->psk_identity_hint = BUF_strdup(ctx->psk_identity_hint);
430 if (ssl->psk_identity_hint == NULL) {
434 ssl->psk_client_callback = ctx->psk_client_callback;
435 ssl->psk_server_callback = ctx->psk_server_callback;
437 ssl->tlsext_channel_id_enabled = ctx->tlsext_channel_id_enabled;
439 ssl->tlsext_channel_id_private =
443 ssl->signed_cert_timestamps_enabled =
444 ssl->ctx->signed_cert_timestamps_enabled;
445 ssl->ocsp_stapling_enabled = ssl->ctx->ocsp_stapling_enabled;
447 return ssl;
450 SSL_free(ssl);
451 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
456 void SSL_free(SSL *ssl) {
457 if (ssl == NULL) {
461 X509_VERIFY_PARAM_free(ssl->param);
463 CRYPTO_free_ex_data(&g_ex_data_class_ssl, ssl, &ssl->ex_data);
465 if (ssl->bbio != NULL) {
467 if (ssl->bbio == ssl->wbio) {
468 ssl->wbio = BIO_pop(ssl->wbio);
470 BIO_free(ssl->bbio);
471 ssl->bbio = NULL;
474 int free_wbio = ssl->wbio != ssl->rbio;
475 BIO_free_all(ssl->rbio);
477 BIO_free_all(ssl->wbio);
480 BUF_MEM_free(ssl->init_buf);
483 ssl_cipher_preference_list_free(ssl->cipher_list);
484 sk_SSL_CIPHER_free(ssl->cipher_list_by_id);
486 ssl_clear_bad_session(ssl);
487 SSL_SESSION_free(ssl->session);
489 ssl_clear_cipher_ctx(ssl);
491 ssl_cert_free(ssl->cert);
493 OPENSSL_free(ssl->tlsext_hostname);
494 SSL_CTX_free(ssl->initial_ctx);
495 OPENSSL_free(ssl->tlsext_ellipticcurvelist);
496 OPENSSL_free(ssl->alpn_client_proto_list);
497 EVP_PKEY_free(ssl->tlsext_channel_id_private);
498 OPENSSL_free(ssl->psk_identity_hint);
499 sk_X509_NAME_pop_free(ssl->client_CA, X509_NAME_free);
500 OPENSSL_free(ssl->next_proto_negotiated);
501 sk_SRTP_PROTECTION_PROFILE_free(ssl->srtp_profiles);
503 if (ssl->method != NULL) {
504 ssl->method->ssl_free(ssl);
506 SSL_CTX_free(ssl->ctx);
508 OPENSSL_free(ssl);
511 void SSL_set_connect_state(SSL *ssl) {
512 ssl->server = 0;
513 ssl->shutdown = 0;
514 ssl->state = SSL_ST_CONNECT;
515 ssl->handshake_func = ssl->method->ssl_connect;
517 ssl_clear_cipher_ctx(ssl);
520 void SSL_set_accept_state(SSL *ssl) {
521 ssl->server = 1;
522 ssl->shutdown = 0;
523 ssl->state = SSL_ST_ACCEPT;
524 ssl->handshake_func = ssl->method->ssl_accept;
526 ssl_clear_cipher_ctx(ssl);
529 void SSL_set_bio(SSL *ssl, BIO *rbio, BIO *wbio) {
531 if (ssl->bbio != NULL) {
532 if (ssl->wbio == ssl->bbio) {
533 ssl->wbio = ssl->wbio->next_bio;
534 ssl->bbio->next_bio = NULL;
538 if (ssl->rbio != rbio) {
539 BIO_free_all(ssl->rbio);
541 if (ssl->wbio != wbio && ssl->rbio != ssl->wbio) {
542 BIO_free_all(ssl->wbio);
544 ssl->rbio = rbio;
545 ssl->wbio = wbio;
548 BIO *SSL_get_rbio(const SSL *ssl) { return ssl->rbio; }
550 BIO *SSL_get_wbio(const SSL *ssl) { return ssl->wbio; }
552 int SSL_do_handshake(SSL *ssl) {
553 if (ssl->handshake_func == NULL) {
554 OPENSSL_PUT_ERROR(SSL, SSL_R_CONNECTION_TYPE_NOT_SET);
558 if (!SSL_in_init(ssl)) {
562 return ssl->handshake_func(ssl);
565 int SSL_connect(SSL *ssl) {
566 if (ssl->handshake_func == 0) {
568 SSL_set_connect_state(ssl);
571 if (ssl->handshake_func != ssl->method->ssl_connect) {
572 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
576 return ssl->handshake_func(ssl);
579 int SSL_accept(SSL *ssl) {
580 if (ssl->handshake_func == 0) {
582 SSL_set_accept_state(ssl);
585 if (ssl->handshake_func != ssl->method->ssl_accept) {
586 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
590 return ssl->handshake_func(ssl);
593 int SSL_read(SSL *ssl, void *buf, int num) {
594 if (ssl->handshake_func == 0) {
595 OPENSSL_PUT_ERROR(SSL, SSL_R_UNINITIALIZED);
599 if (ssl->shutdown & SSL_RECEIVED_SHUTDOWN) {
600 ssl->rwstate = SSL_NOTHING;
605 return ssl->method->ssl_read_app_data(ssl, buf, num, 0);
608 int SSL_peek(SSL *ssl, void *buf, int num) {
609 if (ssl->handshake_func == 0) {
610 OPENSSL_PUT_ERROR(SSL, SSL_R_UNINITIALIZED);
614 if (ssl->shutdown & SSL_RECEIVED_SHUTDOWN) {
619 return ssl->method->ssl_read_app_data(ssl, buf, num, 1);
622 int SSL_write(SSL *ssl, const void *buf, int num) {
623 if (ssl->handshake_func == 0) {
624 OPENSSL_PUT_ERROR(SSL, SSL_R_UNINITIALIZED);
628 if (ssl->shutdown & SSL_SENT_SHUTDOWN) {
629 ssl->rwstate = SSL_NOTHING;
630 OPENSSL_PUT_ERROR(SSL, SSL_R_PROTOCOL_IS_SHUTDOWN);
635 return ssl->method->ssl_write_app_data(ssl, buf, num);
638 int SSL_shutdown(SSL *ssl) {
644 if (ssl->handshake_func == 0) {
645 OPENSSL_PUT_ERROR(SSL, SSL_R_UNINITIALIZED);
649 if (SSL_in_init(ssl)) {
654 if (ssl->quiet_shutdown) {
655 ssl->shutdown = SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN;
659 if (!(ssl->shutdown & SSL_SENT_SHUTDOWN)) {
660 ssl->shutdown |= SSL_SENT_SHUTDOWN;
661 ssl3_send_alert(ssl, SSL3_AL_WARNING, SSL_AD_CLOSE_NOTIFY);
664 * written, ssl->s3->alert_dispatch will be true */
665 if (ssl->s3->alert_dispatch) {
668 } else if (ssl->s3->alert_dispatch) {
670 int ret = ssl->method->ssl_dispatch_alert(ssl);
677 } else if (!(ssl->shutdown & SSL_RECEIVED_SHUTDOWN)) {
679 ssl->method->ssl_read_close_notify(ssl);
680 if (!(ssl->shutdown & SSL_RECEIVED_SHUTDOWN)) {
685 if (ssl->shutdown == (SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN) &&
686 !ssl->s3->alert_dispatch) {
693 int SSL_get_error(const SSL *ssl, int ret_code) {
713 if ((ssl->shutdown & SSL_RECEIVED_SHUTDOWN) &&
714 (ssl->s3->warn_alert == SSL_AD_CLOSE_NOTIFY)) {
724 if (SSL_want_session(ssl)) {
728 if (SSL_want_certificate(ssl)) {
732 if (SSL_want_read(ssl)) {
733 bio = SSL_get_rbio(ssl);
742 * ssl->rwstate incorrectly (so that we have SSL_want_read(ssl) instead of
743 * SSL_want_write(ssl)) and rbio and wbio *are* the same, this test works
762 if (SSL_want_write(ssl)) {
763 bio = SSL_get_wbio(ssl);
769 /* See above (SSL_want_read(ssl) with BIO_should_write(bio)) */
787 if (SSL_want_x509_lookup(ssl)) {
791 if (SSL_want_channel_id_lookup(ssl)) {
795 if (SSL_want_private_key_operation(ssl)) {
810 void SSL_set_min_version(SSL *ssl, uint16_t version) {
811 ssl->min_version = version;
814 void SSL_set_max_version(SSL *ssl, uint16_t version) {
815 ssl->max_version = version;
830 uint32_t SSL_set_options(SSL *ssl, uint32_t options) {
831 ssl->options |= options;
832 return ssl->options;
835 uint32_t SSL_clear_options(SSL *ssl, uint32_t options) {
836 ssl->options &= ~options;
837 return ssl->options;
840 uint32_t SSL_get_options(const SSL *ssl) { return ssl->options; }
854 uint32_t SSL_set_mode(SSL *ssl, uint32_t mode) {
855 ssl->mode |= mode;
856 return ssl->mode;
859 uint32_t SSL_clear_mode(SSL *ssl, uint32_t mode) {
860 ssl->mode &= ~mode;
861 return ssl->mode;
864 uint32_t SSL_get_mode(const SSL *ssl) { return ssl->mode; }
866 X509 *SSL_get_peer_certificate(const SSL *ssl) {
867 if (ssl == NULL || ssl->session == NULL || ssl->session->peer == NULL) {
870 return X509_up_ref(ssl->session->peer);
873 STACK_OF(X509) *SSL_get_peer_cert_chain(const SSL *ssl) {
874 if (ssl == NULL || ssl->session == NULL) {
877 return ssl->session->cert_chain;
880 int SSL_get_tls_unique(const SSL *ssl, uint8_t *out, size_t *out_len,
885 const uint8_t *finished = ssl->s3->previous_client_finished;
886 size_t finished_len = ssl->s3->previous_client_finished_len;
887 if (ssl->hit) {
889 if (!ssl->session->extended_master_secret) {
892 finished = ssl->s3->previous_server_finished;
893 finished_len = ssl->s3->previous_server_finished_len;
896 if (!ssl->s3->initial_handshake_complete ||
897 ssl->version < TLS1_VERSION) {
918 OPENSSL_PUT_ERROR(SSL, SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG);
927 int SSL_set_session_id_context(SSL *ssl, const uint8_t *sid_ctx,
930 OPENSSL_PUT_ERROR(SSL, SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG);
933 ssl->sid_ctx_length = sid_ctx_len;
934 memcpy(ssl->sid_ctx, sid_ctx, sid_ctx_len);
943 int SSL_set_purpose(SSL *ssl, int purpose) {
944 return X509_VERIFY_PARAM_set_purpose(ssl->param, purpose);
951 int SSL_set_trust(SSL *ssl, int trust) {
952 return X509_VERIFY_PARAM_set_trust(ssl->param, trust);
959 int SSL_set1_param(SSL *ssl, const X509_VERIFY_PARAM *param) {
960 return X509_VERIFY_PARAM_set1(ssl->param, param);
975 X509_VERIFY_PARAM *SSL_get0_param(SSL *ssl) { return ssl->param; }
977 void SSL_certs_clear(SSL *ssl) { ssl_cert_clear_certs(ssl->cert); }
979 int SSL_get_fd(const SSL *ssl) { return SSL_get_rfd(ssl); }
981 int SSL_get_rfd(const SSL *ssl) {
983 BIO *b = BIO_find_type(SSL_get_rbio(ssl), BIO_TYPE_DESCRIPTOR);
990 int SSL_get_wfd(const SSL *ssl) {
992 BIO *b = BIO_find_type(SSL_get_wbio(ssl), BIO_TYPE_DESCRIPTOR);
999 int SSL_set_fd(SSL *ssl, int fd) {
1002 OPENSSL_PUT_ERROR(SSL, ERR_R_BUF_LIB);
1006 SSL_set_bio(ssl, bio, bio);
1010 int SSL_set_wfd(SSL *ssl, int fd) {
1011 if (ssl->rbio == NULL ||
1012 BIO_method_type(ssl->rbio) != BIO_TYPE_FD ||
1013 BIO_get_fd(ssl->rbio, NULL) != fd) {
1016 OPENSSL_PUT_ERROR(SSL, ERR_R_BUF_LIB);
1020 SSL_set_bio(ssl, SSL_get_rbio(ssl), bio);
1022 SSL_set_bio(ssl, SSL_get_rbio(ssl), SSL_get_rbio(ssl));
1028 int SSL_set_rfd(SSL *ssl, int fd) {
1029 if (ssl->wbio == NULL || BIO_method_type(ssl->wbio) != BIO_TYPE_FD ||
1030 BIO_get_fd(ssl->wbio, NULL) != fd) {
1033 OPENSSL_PUT_ERROR(SSL, ERR_R_BUF_LIB);
1037 SSL_set_bio(ssl, bio, SSL_get_wbio(ssl));
1039 SSL_set_bio(ssl, SSL_get_wbio(ssl), SSL_get_wbio(ssl));
1044 size_t SSL_get_finished(const SSL *ssl, void *buf, size_t count) {
1047 if (ssl->s3 != NULL) {
1048 ret = ssl->s3->tmp.finish_md_len;
1052 memcpy(buf, ssl->s3->tmp.finish_md, count);
1058 size_t SSL_get_peer_finished(const SSL *ssl, void *buf, size_t count) {
1061 if (ssl->s3 != NULL) {
1062 ret = ssl->s3->tmp.peer_finish_md_len;
1066 memcpy(buf, ssl->s3->tmp.peer_finish_md, count);
1072 int SSL_get_verify_mode(const SSL *ssl) { return ssl->verify_mode; }
1074 int SSL_get_verify_depth(const SSL *ssl) {
1075 return X509_VERIFY_PARAM_get_depth(ssl->param);
1078 int SSL_get_extms_support(const SSL *ssl) {
1079 return ssl->s3->tmp.extended_master_secret == 1;
1082 int (*SSL_get_verify_callback(const SSL *ssl))(int, X509_STORE_CTX *) {
1083 return ssl->verify_callback;
1097 void SSL_set_verify(SSL *ssl, int mode,
1099 ssl->verify_mode = mode;
1101 ssl->verify_callback = callback;
1105 void SSL_set_verify_depth(SSL *ssl, int depth) {
1106 X509_VERIFY_PARAM_set_depth(ssl->param, depth);
1111 int SSL_get_read_ahead(const SSL *ssl) { return 0; }
1115 void SSL_set_read_ahead(SSL *ssl, int yes) { }
1117 int SSL_pending(const SSL *ssl) {
1118 if (ssl->s3->rrec.type != SSL3_RT_APPLICATION_DATA) {
1121 return ssl->s3->rrec.length;
1127 OPENSSL_PUT_ERROR(SSL, SSL_R_NO_CERTIFICATE_ASSIGNED);
1132 OPENSSL_PUT_ERROR(SSL, SSL_R_NO_PRIVATE_KEY_ASSIGNED);
1140 int SSL_check_private_key(const SSL *ssl) {
1141 if (ssl->cert->x509 == NULL) {
1142 OPENSSL_PUT_ERROR(SSL, SSL_R_NO_CERTIFICATE_ASSIGNED);
1146 if (ssl->cert->privatekey == NULL) {
1147 OPENSSL_PUT_ERROR(SSL, SSL_R_NO_PRIVATE_KEY_ASSIGNED);
1151 return X509_check_private_key(ssl->cert->x509, ssl->cert->privatekey);
1154 long SSL_get_default_timeout(const SSL *ssl) {
1158 int SSL_renegotiate(SSL *ssl) {
1160 OPENSSL_PUT_ERROR(SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
1164 int SSL_renegotiate_pending(SSL *ssl) {
1165 return SSL_in_init(ssl) && ssl->s3->initial_handshake_complete;
1179 size_t SSL_get_max_cert_list(const SSL *ssl) {
1180 return ssl->max_cert_list;
1183 void SSL_set_max_cert_list(SSL *ssl, size_t max_cert_list) {
1187 ssl->max_cert_list = (uint32_t)max_cert_list;
1200 void SSL_set_max_send_fragment(SSL *ssl, size_t max_send_fragment) {
1207 ssl->max_send_fragment = (uint16_t)max_send_fragment;
1210 int SSL_set_mtu(SSL *ssl, unsigned mtu) {
1211 if (!SSL_IS_DTLS(ssl) || mtu < dtls1_min_mtu()) {
1214 ssl->d1->mtu = mtu;
1218 int SSL_get_secure_renegotiation_support(const SSL *ssl) {
1219 return ssl->s3->send_connection_binding;
1248 STACK_OF(SSL_CIPHER) *SSL_get_ciphers(const SSL *ssl) {
1249 if (ssl == NULL) {
1253 if (ssl->cipher_list != NULL) {
1254 return ssl->cipher_list->ciphers;
1257 if (ssl->version >= TLS1_1_VERSION && ssl->ctx != NULL &&
1258 ssl->ctx->cipher_list_tls11 != NULL) {
1259 return ssl->ctx->cipher_list_tls11->ciphers;
1262 if (ssl->version >= TLS1_VERSION && ssl->ctx != NULL &&
1263 ssl->ctx->cipher_list_tls10 != NULL) {
1264 return ssl->ctx->cipher_list_tls10->ciphers;
1267 if (ssl->ctx != NULL && ssl->ctx->cipher_list != NULL) {
1268 return ssl->ctx->cipher_list->ciphers;
1274 /* return a STACK of the ciphers available for the SSL and in order of
1276 STACK_OF(SSL_CIPHER) *ssl_get_ciphers_by_id(SSL *ssl) {
1277 if (ssl == NULL) {
1281 if (ssl->cipher_list_by_id != NULL) {
1282 return ssl->cipher_list_by_id;
1285 if (ssl->ctx != NULL && ssl->ctx->cipher_list_by_id != NULL) {
1286 return ssl->ctx->cipher_list_by_id;
1292 const char *SSL_get_cipher_list(const SSL *ssl, int n) {
1296 if (ssl == NULL) {
1300 sk = SSL_get_ciphers(ssl);
1322 OPENSSL_PUT_ERROR(SSL, SSL_R_NO_CIPHER_MATCH);
1338 OPENSSL_PUT_ERROR(SSL, SSL_R_NO_CIPHER_MATCH);
1354 OPENSSL_PUT_ERROR(SSL, SSL_R_NO_CIPHER_MATCH);
1361 int SSL_set_cipher_list(SSL *ssl, const char *str) {
1363 ssl->ctx->method, &ssl->cipher_list, &ssl->cipher_list_by_id, str);
1370 OPENSSL_PUT_ERROR(SSL, SSL_R_NO_CIPHER_MATCH);
1377 STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *ssl, const CBS *cbs) {
1382 if (ssl->s3) {
1383 ssl->s3->send_connection_binding = 0;
1387 OPENSSL_PUT_ERROR(SSL, SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST);
1393 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
1401 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
1406 if (ssl->s3 && cipher_suite == (SSL3_CK_SCSV & 0xffff)) {
1408 if (ssl->s3->initial_handshake_complete) {
1409 OPENSSL_PUT_ERROR(SSL, SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING);
1410 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
1413 ssl->s3->send_connection_binding = 1;
1418 if (ssl->s3 && cipher_suite == (SSL3_CK_FALLBACK_SCSV & 0xffff)) {
1419 uint16_t max_version = ssl3_get_max_server_version(ssl);
1420 if (SSL_IS_DTLS(ssl) ? (uint16_t)ssl->version > max_version
1421 : (uint16_t)ssl->version < max_version) {
1422 OPENSSL_PUT_ERROR(SSL, SSL_R_INAPPROPRIATE_FALLBACK);
1423 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL3_AD_INAPPROPRIATE_FALLBACK);
1431 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
1443 const char *SSL_get_servername(const SSL *ssl, const int type) {
1450 if (ssl->tlsext_hostname != NULL) {
1451 return ssl->tlsext_hostname;
1454 if (ssl->session == NULL) {
1457 return ssl->session->tlsext_hostname;
1460 int SSL_get_servername_type(const SSL *ssl) {
1461 if (ssl->session != NULL && ssl->session->tlsext_hostname != NULL) {
1472 int SSL_enable_signed_cert_timestamps(SSL *ssl) {
1473 ssl->signed_cert_timestamps_enabled = 1;
1481 int SSL_enable_ocsp_stapling(SSL *ssl) {
1482 ssl->ocsp_stapling_enabled = 1;
1486 void SSL_get0_signed_cert_timestamp_list(const SSL *ssl, const uint8_t **out,
1488 SSL_SESSION *session = ssl->session;
1492 if (ssl->server || !session || !session->tlsext_signed_cert_timestamp_list) {
1500 void SSL_get0_ocsp_response(const SSL *ssl, const uint8_t **out,
1502 SSL_SESSION *session = ssl->session;
1506 if (ssl->server || !session || !session->ocsp_response) {
1575 void SSL_get0_next_proto_negotiated(const SSL *ssl, const uint8_t **out_data,
1577 *out_data = ssl->next_proto_negotiated;
1581 *out_len = ssl->next_proto_negotiated_len;
1587 int (*cb)(SSL *ssl, const uint8_t **out, unsigned *out_len, void *arg),
1594 SSL_CTX *ctx, int (*cb)(SSL *ssl, uint8_t **out, uint8_t *out_len,
1613 int SSL_set_alpn_protos(SSL *ssl, const uint8_t *protos, unsigned protos_len) {
1614 OPENSSL_free(ssl->alpn_client_proto_list);
1615 ssl->alpn_client_proto_list = BUF_memdup(protos, protos_len);
1616 if (!ssl->alpn_client_proto_list) {
1619 ssl->alpn_client_proto_list_len = protos_len;
1625 int (*cb)(SSL *ssl, const uint8_t **out,
1633 void SSL_get0_alpn_selected(const SSL *ssl, const uint8_t **out_data,
1636 if (ssl->s3) {
1637 *out_data = ssl->s3->alpn_selected;
1642 *out_len = ssl->s3->alpn_selected_len;
1646 int SSL_export_keying_material(SSL *ssl, uint8_t *out, size_t out_len,
1650 if (ssl->version < TLS1_VERSION) {
1654 return ssl->enc_method->export_keying_material(
1655 ssl, out, out_len, label, label_len, context, context_len, use_context);
1676 void SSL_CTX_set_cert_cb(SSL_CTX *ctx, int (*cb)(SSL *ssl, void *arg),
1681 void SSL_set_cert_cb(SSL *ssl, int (*cb)(SSL *ssl, void *arg), void *arg) {
1682 ssl_cert_set_cert_cb(ssl->cert, cb, arg);
1685 void ssl_get_compatible_server_ciphers(SSL *ssl, uint32_t *out_mask_k,
1687 CERT *c = ssl->cert;
1695 if (ssl->cert->x509 != NULL && ssl_has_private_key(ssl)) {
1696 if (ssl_private_key_type(ssl) == EVP_PKEY_RSA) {
1698 } else if (ssl_private_key_type(ssl
1723 if (!tls1_check_ec_cert(ssl, x)) {
1734 if (tls1_get_shared_curve(ssl, &unused)) {
1739 if (ssl->psk_server_callback != NULL) {
1748 void ssl_update_cache(SSL *ssl, int mode) {
1749 SSL_CTX *ctx = ssl->initial_ctx;
1751 if (ssl->session->session_id_length == 0 ||
1757 int use_internal_cache = ssl->server && !(ctx->session_cache_mode &
1763 if (!ssl->hit || (!ssl->server && ssl->tlsext_ticket_expected)) {
1765 SSL_CTX_add_session(ctx, ssl->session);
1768 !ctx->new_session_cb(ssl, SSL_SESSION_up_ref(ssl->session))) {
1770 SSL_SESSION_free(ssl->session);
1817 const char *SSL_get_version(const SSL *ssl) {
1818 return ssl_get_version(ssl->version);
1825 void ssl_clear_cipher_ctx(SSL *ssl) {
1826 SSL_AEAD_CTX_free(ssl->aead_read_ctx);
1827 ssl->aead_read_ctx = NULL;
1828 SSL_AEAD_CTX_free(ssl->aead_write_ctx);
1829 ssl->aead_write_ctx = NULL;
1832 X509 *SSL_get_certificate(const SSL *ssl) {
1833 if (ssl->cert != NULL) {
1834 return ssl->cert->x509;
1840 EVP_PKEY *SSL_get_privatekey(const SSL *ssl) {
1841 if (ssl->cert != NULL) {
1842 return ssl->cert->privatekey;
1864 const SSL_CIPHER *SSL_get_current_cipher(const SSL *ssl) {
1865 if (ssl->aead_write_ctx == NULL) {
1868 return ssl->aead_write_ctx->cipher;
1871 const COMP_METHOD *SSL_get_current_compression(SSL *ssl) { return NULL; }
1873 const COMP_METHOD *SSL_get_current_expansion(SSL *ssl) { return NULL; }
1875 int ssl_init_wbio_buffer(SSL *ssl, int push) {
1878 if (ssl->bbio == NULL) {
1883 ssl->bbio = bbio;
1885 bbio = ssl->bbio;
1886 if (ssl->bbio == ssl->wbio) {
1887 ssl->wbio = BIO_pop(ssl->wbio);
1893 OPENSSL_PUT_ERROR(SSL, ERR_R_BUF_LIB);
1898 if (ssl->wbio != bbio) {
1899 ssl->wbio = BIO_push(bbio, ssl->wbio);
1902 if (ssl->wbio == bbio) {
1903 ssl->wbio = BIO_pop(bbio);
1910 void ssl_free_wbio_buffer(SSL *ssl) {
1911 if (ssl->bbio == NULL) {
1915 if (ssl->bbio == ssl->wbio) {
1917 ssl->wbio = BIO_pop(ssl->wbio);
1920 BIO_free(ssl->bbio);
1921 ssl->bbio = NULL;
1932 void SSL_set_quiet_shutdown(SSL *ssl, int mode) {
1933 ssl->quiet_shutdown = (mode != 0);
1936 int SSL_get_quiet_shutdown(const SSL *ssl) { return ssl->quiet_shutdown; }
1938 void SSL_set_shutdown(SSL *ssl, int mode) {
1941 assert((ssl->shutdown & mode) == ssl->shutdown);
1943 ssl->shutdown |= mode;
1946 int SSL_get_shutdown(const SSL *ssl) { return ssl->shutdown; }
1948 int SSL_version(const SSL *ssl) { return ssl->version; }
1950 SSL_CTX *SSL_get_SSL_CTX(const SSL *ssl) { return ssl->ctx; }
1952 SSL_CTX *SSL_set_SSL_CTX(SSL *ssl, SSL_CTX *ctx) {
1953 if (ssl->ctx == ctx) {
1954 return ssl->ctx;
1958 ctx = ssl->initial_ctx;
1961 ssl_cert_free(ssl->cert);
1962 ssl->cert = ssl_cert_dup(ctx->cert);
1965 SSL_CTX_free(ssl->ctx); /* decrement reference count */
1966 ssl->ctx = ctx;
1968 ssl->sid_ctx_length = ctx->sid_ctx_length;
1969 assert(ssl->sid_ctx_length <= sizeof(ssl->sid_ctx));
1970 memcpy(ssl->sid_ctx, ctx->sid_ctx, sizeof(ssl->sid_ctx));
1972 return ssl->ctx;
1984 void SSL_set_info_callback(SSL *ssl,
1985 void (*cb)(const SSL *ssl, int type, int value)) {
1986 ssl->info_callback = cb;
1989 void (*SSL_get_info_callback(const SSL *ssl))(const SSL *ssl, int type,
1991 return ssl->info_callback;
1994 int SSL_state(const SSL *ssl) { return ssl->state; }
1996 void SSL_set_state(SSL *ssl, int state) { }
1998 void SSL_set_verify_result(SSL *ssl, long result) {
1999 ssl->verify_result = result;
2002 long SSL_get_verify_result(const SSL *ssl) { return ssl->verify_result; }
2014 int SSL_set_ex_data(SSL *ssl, int idx, void *arg) {
2015 return CRYPTO_set_ex_data(&ssl->ex_data, idx, arg);
2018 void *SSL_get_ex_data(const SSL *ssl, int idx) {
2019 return CRYPTO_get_ex_data(&ssl->ex_data, idx);
2050 int SSL_want(const SSL *ssl) { return ssl->rwstate; }
2053 RSA *(*cb)(SSL *ssl, int is_export,
2057 void SSL_set_tmp_rsa_callback(SSL *ssl, RSA *(*cb)(SSL *ssl, int is_export,
2062 DH *(*callback)(SSL *ssl, int is_export,
2067 void SSL_set_tmp_dh_callback(SSL *ssl, DH *(*callback)(SSL *ssl, int is_export,
2069 ssl->cert->dh_tmp_cb = callback;
2074 OPENSSL_PUT_ERROR(SSL, SSL_R_DATA_LENGTH_TOO_LONG);
2092 int SSL_use_psk_identity_hint(SSL *ssl, const char *identity_hint) {
2093 if (ssl == NULL) {
2098 OPENSSL_PUT_ERROR(SSL, SSL_R_DATA_LENGTH_TOO_LONG);
2103 OPENSSL_free(ssl->psk_identity_hint);
2104 ssl->psk_identity_hint = NULL;
2107 ssl->psk_identity_hint = BUF_strdup(identity_hint);
2108 if (ssl->psk_identity_hint == NULL) {
2116 const char *SSL_get_psk_identity_hint(const SSL *ssl) {
2117 if (ssl == NULL) {
2120 return ssl->psk_identity_hint;
2123 const char *SSL_get_psk_identity(const SSL *ssl) {
2124 if (ssl == NULL || ssl->session == NULL) {
2128 return ssl->session->psk_identity;
2132 SSL *ssl, unsigned (*cb)(SSL *ssl, const char *hint, char *identity,
2135 ssl->psk_client_callback = cb;
2139 SSL_CTX *ctx, unsigned (*cb)(SSL *ssl, const char *hint, char *identity,
2146 SSL *ssl, unsigned (*cb)(SSL *ssl, const char *identity, uint8_t *psk,
2148 ssl->psk_server_callback = cb;
2152 SSL_CTX *ctx, unsigned (*cb)(SSL *ssl, const char *identity,
2160 size_t len, SSL *ssl, void *arg)) {
2168 void SSL_set_msg_callback(SSL *ssl,
2170 const void *buf, size_t len, SSL *ssl,
2172 ssl->msg_callback = cb;
2175 void SSL_set_msg_callback_arg(SSL *ssl, void *arg) {
2176 ssl->msg_callback_arg = arg;
2180 void (*cb)(const SSL *ssl, const char *line)) {
2201 int ssl_log_rsa_client_key_exchange(const SSL *ssl,
2206 if (ssl->ctx->keylog_callback == NULL) {
2211 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
2231 ssl->ctx->keylog_callback(ssl, (const char *)out);
2236 int ssl_log_master_secret(const SSL *ssl, const uint8_t *client_random,
2239 if (ssl->ctx->keylog_callback == NULL) {
2244 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
2262 ssl->ctx->keylog_callback(ssl, (const char *)out);
2267 int SSL_is_init_finished(const SSL *ssl) {
2268 return ssl->state == SSL_ST_OK;
2271 int SSL_in_init(const SSL *ssl) {
2272 return (ssl->state & SSL_ST_INIT) != 0;
2275 int SSL_in_false_start(const SSL *ssl) {
2276 return ssl->s3->tmp.in_false_start;
2279 int SSL_cutthrough_complete(const SSL *ssl) {
2280 return SSL_in_false_start(ssl);
2285 *ssl_size = sizeof(SSL);
2290 int ssl3_can_false_start(const SSL *ssl) {
2291 const SSL_CIPHER *const cipher = SSL_get_current_cipher(ssl);
2294 return !SSL_IS_DTLS(ssl) &&
2295 SSL_version(ssl) >= TLS1_2_VERSION &&
2296 (ssl->s3->alpn_selected || ssl->s3->next_proto_neg_seen) &&
2323 uint16_t ssl3_get_max_server_version(const SSL *ssl) {
2326 if (SSL_IS_DTLS(ssl)) {
2327 max_version = (ssl->max_version != 0) ? ssl->max_version : DTLS1_2_VERSION;
2328 if (!(ssl->options & SSL_OP_NO_DTLSv1_2) &&
2332 if (!(ssl->options & SSL_OP_NO_DTLSv1) && DTLS1_VERSION >= max_version) {
2338 max_version = (ssl->max_version != 0) ? ssl->max_version : TLS1_2_VERSION;
2339 if (!(ssl->options & SSL_OP_NO_TLSv1_2) && TLS1_2_VERSION <= max_version) {
2342 if (!(ssl->options & SSL_OP_NO_TLSv1_1) && TLS1_1_VERSION <= max_version) {
2345 if (!(ssl->options & SSL_OP_NO_TLSv1) && TLS1_VERSION <= max_version) {
2348 if (!(ssl->options & SSL_OP_NO_SSLv3) && SSL3_VERSION <= max_version) {
2354 uint16_t ssl3_get_mutual_version(SSL *ssl, uint16_t client_version) {
2357 if (SSL_IS_DTLS(ssl)) {
2359 if (ssl->max_version != 0 && client_version < ssl->max_version) {
2360 client_version = ssl->max_version;
2364 !(ssl->options & SSL_OP_NO_DTLSv1_2)) {
2367 !(ssl->options & SSL_OP_NO_DTLSv1)) {
2372 if (version != 0 && ssl->min_version != 0 && version > ssl->min_version) {
2378 if (ssl->max_version != 0 && client_version > ssl->max_version) {
2379 client_version = ssl->max_version;
2383 !(ssl->options & SSL_OP_NO_TLSv1_2)) {
2386 !(ssl->options & SSL_OP_NO_TLSv1_1)) {
2389 !(ssl->options & SSL_OP_NO_TLSv1)) {
2392 !(ssl->options & SSL_OP_NO_SSLv3)) {
2397 if (version != 0 && ssl->min_version != 0 && version < ssl->min_version) {
2404 uint16_t ssl3_get_max_client_version(SSL *ssl) {
2405 uint32_t options = ssl->options;
2421 if (SSL_IS_DTLS(ssl)) {
2428 if (ssl->max_version != 0 && version < ssl->max_version) {
2429 version = ssl->max_version;
2444 if (ssl->max_version != 0 && version > ssl->max_version) {
2445 version = ssl->max_version;
2452 int ssl3_is_version_enabled(SSL *ssl, uint16_t version) {
2453 if (SSL_IS_DTLS(ssl)) {
2454 if (ssl->max_version != 0 && version < ssl->max_version) {
2457 if (ssl->min_version != 0 && version > ssl->min_version) {
2463 return !(ssl->options & SSL_OP_NO_DTLSv1);
2466 return !(ssl->options & SSL_OP_NO_DTLSv1_2);
2472 if (ssl->max_version != 0 && version > ssl->max_version) {
2475 if (ssl->min_version != 0 && version < ssl->min_version) {
2481 return !(ssl->options & SSL_OP_NO_SSLv3);
2484 return !(ssl->options & SSL_OP_NO_TLSv1);
2487 return !(ssl->options & SSL_OP_NO_TLSv1_1);
2490 return !(ssl->options & SSL_OP_NO_TLSv1_2);
2498 uint16_t ssl3_version_from_wire(SSL *ssl, uint16_t wire_version) {
2499 if (!SSL_IS_DTLS(ssl)) {
2519 int SSL_cache_hit(SSL *ssl) { return SSL_session_reused(ssl); }
2521 int SSL_is_server(SSL *ssl) { return ssl->server; }
2533 void SSL_set_renegotiate_mode(SSL *ssl, enum ssl_renegotiate_mode_t mode) {
2534 ssl->renegotiate_mode = mode;
2537 void SSL_set_reject_peer_renegotiations(SSL *ssl, int reject) {
2539 ssl, reject ? ssl_renegotiate_never : ssl_renegotiate_freely);
2542 int SSL_get_rc4_state(const SSL *ssl, const RC4_KEY **read_key,
2544 if (ssl->aead_read_ctx == NULL || ssl->aead_write_ctx == NULL) {
2548 return EVP_AEAD_CTX_get_rc4_state(&ssl->aead_read_ctx->ctx, read_key) &&
2549 EVP_AEAD_CTX_get_rc4_state(&ssl->aead_write_ctx->ctx, write_key);
2552 int SSL_get_ivs(const SSL *ssl, const uint8_t **out_read_iv,
2554 if (ssl->aead_read_ctx == NULL || ssl->aead_write_ctx == NULL) {
2559 if (!EVP_AEAD_CTX_get_iv(&ssl->aead_read_ctx->ctx, out_read_iv, out_iv_len) ||
2560 !EVP_AEAD_CTX_get_iv(&ssl->aead_write_ctx->ctx, out_write_iv,
2569 uint8_t SSL_get_server_key_exchange_hash(const SSL *ssl) {
2570 return ssl->s3->tmp.server_key_exchange_hash;
2573 int SSL_clear(SSL *ssl) {
2574 if (ssl->method == NULL) {
2575 OPENSSL_PUT_ERROR(SSL, SSL_R_NO_METHOD_SPECIFIED);
2579 if (ssl_clear_bad_session(ssl)) {
2580 SSL_SESSION_free(ssl->session);
2581 ssl->session = NULL;
2584 ssl->hit = 0;
2585 ssl->shutdown = 0;
2587 /* SSL_clear may be called before or after the |ssl| is initialized in either
2589 * half and reset |ssl->state| accordingly. */
2590 if (ssl->handshake_func != NULL) {
2591 if (ssl->server) {
2592 SSL_set_accept_state(ssl);
2594 SSL_set_connect_state(ssl);
2597 assert(ssl->state == 0);
2600 /* TODO(davidben): Some state on |ssl| is reset both in |SSL_new| and
2602 * state. Per-connection state should be on |ssl->s3| and |ssl->d1| so it is
2606 ssl->rwstate = SSL_NOTHING;
2608 BUF_MEM_free(ssl->init_buf);
2609 ssl->init_buf = NULL;
2611 ssl_clear_cipher_ctx(ssl);
2613 OPENSSL_free(ssl->next_proto_negotiated);
2614 ssl->next_proto_negotiated = NULL;
2615 ssl->next_proto_negotiated_len = 0;
2617 /* The ssl->d1->mtu is simultaneously configuration (preserved across
2622 if (ssl->d1 != NULL) {
2623 mtu = ssl->d1->mtu;
2626 ssl->method->ssl_free(ssl);
2627 if (!ssl->method->ssl_new(ssl)) {
2630 ssl->enc_method = ssl3_get_enc_method(ssl->version);
2631 assert(ssl->enc_method != NULL);
2633 if (SSL_IS_DTLS(ssl) && (SSL_get_options(ssl) & SSL_OP_NO_QUERY_MTU)) {
2634 ssl->d1->mtu = mtu;
2637 ssl->client_version = ssl->version;
