1 /* Copyright (C) 1995-1998 Eric Young (eay (at) cryptsoft.com) 2 * All rights reserved. 3 * 4 * This package is an SSL implementation written 5 * by Eric Young (eay (at) cryptsoft.com). 6 * The implementation was written so as to conform with Netscapes SSL. 7 * 8 * This library is free for commercial and non-commercial use as long as 9 * the following conditions are aheared to. The following conditions 10 * apply to all code found in this distribution, be it the RC4, RSA, 11 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 12 * included with this distribution is covered by the same copyright terms 13 * except that the holder is Tim Hudson (tjh (at) cryptsoft.com). 14 * 15 * Copyright remains Eric Young's, and as such any Copyright notices in 16 * the code are not to be removed. 17 * If this package is used in a product, Eric Young should be given attribution 18 * as the author of the parts of the library used. 19 * This can be in the form of a textual message at program startup or 20 * in documentation (online or textual) provided with the package. 21 * 22 * Redistribution and use in source and binary forms, with or without 23 * modification, are permitted provided that the following conditions 24 * are met: 25 * 1. Redistributions of source code must retain the copyright 26 * notice, this list of conditions and the following disclaimer. 27 * 2. Redistributions in binary form must reproduce the above copyright 28 * notice, this list of conditions and the following disclaimer in the 29 * documentation and/or other materials provided with the distribution. 30 * 3. All advertising materials mentioning features or use of this software 31 * must display the following acknowledgement: 32 * "This product includes cryptographic software written by 33 * Eric Young (eay (at) cryptsoft.com)" 34 * The word 'cryptographic' can be left out if the rouines from the library 35 * being used are not cryptographic related :-). 36 * 4. If you include any Windows specific code (or a derivative thereof) from 37 * the apps directory (application code) you must include an acknowledgement: 38 * "This product includes software written by Tim Hudson (tjh (at) cryptsoft.com)" 39 * 40 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 41 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 43 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 44 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 45 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 46 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 48 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 49 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 50 * SUCH DAMAGE. 51 * 52 * The licence and distribution terms for any publically available version or 53 * derivative of this code cannot be changed. i.e. this code cannot simply be 54 * copied and put under another distribution licence 55 * [including the GNU Public Licence.] 56 */ 57 /* ==================================================================== 58 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved. 59 * 60 * Redistribution and use in source and binary forms, with or without 61 * modification, are permitted provided that the following conditions 62 * are met: 63 * 64 * 1. Redistributions of source code must retain the above copyright 65 * notice, this list of conditions and the following disclaimer. 66 * 67 * 2. Redistributions in binary form must reproduce the above copyright 68 * notice, this list of conditions and the following disclaimer in 69 * the documentation and/or other materials provided with the 70 * distribution. 71 * 72 * 3. All advertising materials mentioning features or use of this 73 * software must display the following acknowledgment: 74 * "This product includes software developed by the OpenSSL Project 75 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 76 * 77 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 78 * endorse or promote products derived from this software without 79 * prior written permission. For written permission, please contact 80 * openssl-core (at) openssl.org. 81 * 82 * 5. Products derived from this software may not be called "OpenSSL" 83 * nor may "OpenSSL" appear in their names without prior written 84 * permission of the OpenSSL Project. 85 * 86 * 6. Redistributions of any form whatsoever must retain the following 87 * acknowledgment: 88 * "This product includes software developed by the OpenSSL Project 89 * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 90 * 91 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 92 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 93 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 94 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 95 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 96 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 97 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 98 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 99 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 100 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 101 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 102 * OF THE POSSIBILITY OF SUCH DAMAGE. 103 * ==================================================================== 104 * 105 * This product includes cryptographic software written by Eric Young 106 * (eay (at) cryptsoft.com). This product includes software written by Tim 107 * Hudson (tjh (at) cryptsoft.com). 108 * 109 */ 110 /* ==================================================================== 111 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. 112 * ECC cipher suite support in OpenSSL originally developed by 113 * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project. 114 */ 115 /* ==================================================================== 116 * Copyright 2005 Nokia. All rights reserved. 117 * 118 * The portions of the attached software ("Contribution") is developed by 119 * Nokia Corporation and is licensed pursuant to the OpenSSL open source 120 * license. 121 * 122 * The Contribution, originally written by Mika Kousa and Pasi Eronen of 123 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites 124 * support (see RFC 4279) to OpenSSL. 125 * 126 * No patent licenses or other rights except those expressly stated in 127 * the OpenSSL open source license shall be deemed granted or received 128 * expressly, by implication, estoppel, or otherwise. 129 * 130 * No assurances are provided by Nokia that the Contribution does not 131 * infringe the patent or other intellectual property rights of any third 132 * party or that the license provides you with all the necessary rights 133 * to make use of the Contribution. 134 * 135 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN 136 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA 137 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY 138 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR 139 * OTHERWISE. */ 140 141 #include <openssl/ssl.h> 142 143 #include <assert.h> 144 #include <stdlib.h> 145 #include <string.h> 146 147 #include <openssl/bytestring.h> 148 #include <openssl/crypto.h> 149 #include <openssl/dh.h> 150 #include <openssl/err.h> 151 #include <openssl/lhash.h> 152 #include <openssl/mem.h> 153 #include <openssl/rand.h> 154 155 #include "internal.h" 156 #include "../crypto/internal.h" 157 158 #if defined(OPENSSL_WINDOWS) 159 #include <sys/timeb.h> 160 #else 161 #include <sys/socket.h> 162 #include <sys/time.h> 163 #endif 164 165 166 /* |SSL_R_UNKNOWN_PROTOCOL| is no longer emitted, but continue to define it 167 * to avoid downstream churn. */ 168 OPENSSL_DECLARE_ERROR_REASON(SSL, UNKNOWN_PROTOCOL) 169 170 /* The following errors are no longer emitted, but are used in nginx without 171 * #ifdefs. */ 172 OPENSSL_DECLARE_ERROR_REASON(SSL, BLOCK_CIPHER_PAD_IS_WRONG) 173 OPENSSL_DECLARE_ERROR_REASON(SSL, NO_CIPHERS_SPECIFIED) 174 175 /* Some error codes are special. Ensure the make_errors.go script never 176 * regresses this. */ 177 OPENSSL_COMPILE_ASSERT(SSL_R_TLSV1_ALERT_NO_RENEGOTIATION == 178 SSL_AD_NO_RENEGOTIATION + SSL_AD_REASON_OFFSET, 179 ssl_alert_reason_code_mismatch); 180 181 /* kMaxHandshakeSize is the maximum size, in bytes, of a handshake message. */ 182 static const size_t kMaxHandshakeSize = (1u << 24) - 1; 183 184 static CRYPTO_EX_DATA_CLASS g_ex_data_class_ssl = 185 CRYPTO_EX_DATA_CLASS_INIT_WITH_APP_DATA; 186 static CRYPTO_EX_DATA_CLASS g_ex_data_class_ssl_ctx = 187 CRYPTO_EX_DATA_CLASS_INIT_WITH_APP_DATA; 188 189 int SSL_library_init(void) { 190 CRYPTO_library_init(); 191 return 1; 192 } 193 194 static uint32_t ssl_session_hash(const SSL_SESSION *sess) { 195 const uint8_t *session_id = sess->session_id; 196 197 uint8_t tmp_storage[sizeof(uint32_t)]; 198 if (sess->session_id_length < sizeof(tmp_storage)) { 199 OPENSSL_memset(tmp_storage, 0, sizeof(tmp_storage)); 200 OPENSSL_memcpy(tmp_storage, sess->session_id, sess->session_id_length); 201 session_id = tmp_storage; 202 } 203 204 uint32_t hash = 205 ((uint32_t)session_id[0]) | 206 ((uint32_t)session_id[1] << 8) | 207 ((uint32_t)session_id[2] << 16) | 208 ((uint32_t)session_id[3] << 24); 209 210 return hash; 211 } 212 213 /* NB: If this function (or indeed the hash function which uses a sort of 214 * coarser function than this one) is changed, ensure 215 * SSL_CTX_has_matching_session_id() is checked accordingly. It relies on being 216 * able to construct an SSL_SESSION that will collide with any existing session 217 * with a matching session ID. */ 218 static int ssl_session_cmp(const SSL_SESSION *a, const SSL_SESSION *b) { 219 if (a->ssl_version != b->ssl_version) { 220 return 1; 221 } 222 223 if (a->session_id_length != b->session_id_length) { 224 return 1; 225 } 226 227 return OPENSSL_memcmp(a->session_id, b->session_id, a->session_id_length); 228 } 229 230 SSL_CTX *SSL_CTX_new(const SSL_METHOD *method) { 231 SSL_CTX *ret = NULL; 232 233 if (method == NULL) { 234 OPENSSL_PUT_ERROR(SSL, SSL_R_NULL_SSL_METHOD_PASSED); 235 return NULL; 236 } 237 238 ret = OPENSSL_malloc(sizeof(SSL_CTX)); 239 if (ret == NULL) { 240 goto err; 241 } 242 243 OPENSSL_memset(ret, 0, sizeof(SSL_CTX)); 244 245 ret->method = method->method; 246 ret->x509_method = method->x509_method; 247 248 CRYPTO_MUTEX_init(&ret->lock); 249 250 ret->session_cache_mode = SSL_SESS_CACHE_SERVER; 251 ret->session_cache_size = SSL_SESSION_CACHE_MAX_SIZE_DEFAULT; 252 253 ret->session_timeout = SSL_DEFAULT_SESSION_TIMEOUT; 254 ret->session_psk_dhe_timeout = SSL_DEFAULT_SESSION_PSK_DHE_TIMEOUT; 255 256 ret->references = 1; 257 258 ret->max_cert_list = SSL_MAX_CERT_LIST_DEFAULT; 259 ret->verify_mode = SSL_VERIFY_NONE; 260 ret->cert = ssl_cert_new(method->x509_method); 261 if (ret->cert == NULL) { 262 goto err; 263 } 264 265 ret->sessions = lh_SSL_SESSION_new(ssl_session_hash, ssl_session_cmp); 266 if (ret->sessions == NULL) { 267 goto err; 268 } 269 270 if (!ret->x509_method->ssl_ctx_new(ret)) { 271 goto err; 272 } 273 274 if (!SSL_CTX_set_strict_cipher_list(ret, SSL_DEFAULT_CIPHER_LIST)) { 275 goto err2; 276 } 277 278 ret->client_CA = sk_CRYPTO_BUFFER_new_null(); 279 if (ret->client_CA == NULL) { 280 goto err; 281 } 282 283 CRYPTO_new_ex_data(&ret->ex_data); 284 285 ret->max_send_fragment = SSL3_RT_MAX_PLAIN_LENGTH; 286 287 /* Setup RFC4507 ticket keys */ 288 if (!RAND_bytes(ret->tlsext_tick_key_name, 16) || 289 !RAND_bytes(ret->tlsext_tick_hmac_key, 16) || 290 !RAND_bytes(ret->tlsext_tick_aes_key, 16)) { 291 ret->options |= SSL_OP_NO_TICKET; 292 } 293 294 /* Disable the auto-chaining feature by default. Once this has stuck without 295 * problems, the feature will be removed entirely. */ 296 ret->mode = SSL_MODE_NO_AUTO_CHAIN; 297 298 /* Lock the SSL_CTX to the specified version, for compatibility with legacy 299 * uses of SSL_METHOD. */ 300 if (!SSL_CTX_set_max_proto_version(ret, method->version) || 301 !SSL_CTX_set_min_proto_version(ret, method->version)) { 302 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); 303 goto err2; 304 } 305 306 return ret; 307 308 err: 309 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); 310 err2: 311 SSL_CTX_free(ret); 312 return NULL; 313 } 314 315 int SSL_CTX_up_ref(SSL_CTX *ctx) { 316 CRYPTO_refcount_inc(&ctx->references); 317 return 1; 318 } 319 320 void SSL_CTX_free(SSL_CTX *ctx) { 321 if (ctx == NULL || 322 !CRYPTO_refcount_dec_and_test_zero(&ctx->references)) { 323 return; 324 } 325 326 /* Free internal session cache. However: the remove_cb() may reference the 327 * ex_data of SSL_CTX, thus the ex_data store can only be removed after the 328 * sessions were flushed. As the ex_data handling routines might also touch 329 * the session cache, the most secure solution seems to be: empty (flush) the 330 * cache, then free ex_data, then finally free the cache. (See ticket 331 * [openssl.org #212].) */ 332 SSL_CTX_flush_sessions(ctx, 0); 333 334 CRYPTO_free_ex_data(&g_ex_data_class_ssl_ctx, ctx, &ctx->ex_data); 335 336 CRYPTO_MUTEX_cleanup(&ctx->lock); 337 lh_SSL_SESSION_free(ctx->sessions); 338 ssl_cipher_preference_list_free(ctx->cipher_list); 339 ssl_cert_free(ctx->cert); 340 sk_SSL_CUSTOM_EXTENSION_pop_free(ctx->client_custom_extensions, 341 SSL_CUSTOM_EXTENSION_free); 342 sk_SSL_CUSTOM_EXTENSION_pop_free(ctx->server_custom_extensions, 343 SSL_CUSTOM_EXTENSION_free); 344 sk_CRYPTO_BUFFER_pop_free(ctx->client_CA, CRYPTO_BUFFER_free); 345 ctx->x509_method->ssl_ctx_free(ctx); 346 sk_SRTP_PROTECTION_PROFILE_free(ctx->srtp_profiles); 347 OPENSSL_free(ctx->psk_identity_hint); 348 OPENSSL_free(ctx->supported_group_list); 349 OPENSSL_free(ctx->alpn_client_proto_list); 350 EVP_PKEY_free(ctx->tlsext_channel_id_private); 351 352 OPENSSL_free(ctx); 353 } 354 355 SSL *SSL_new(SSL_CTX *ctx) { 356 if (ctx == NULL) { 357 OPENSSL_PUT_ERROR(SSL, SSL_R_NULL_SSL_CTX); 358 return NULL; 359 } 360 if (ctx->method == NULL) { 361 OPENSSL_PUT_ERROR(SSL, SSL_R_SSL_CTX_HAS_NO_DEFAULT_SSL_VERSION); 362 return NULL; 363 } 364 365 SSL *ssl = OPENSSL_malloc(sizeof(SSL)); 366 if (ssl == NULL) { 367 goto err; 368 } 369 OPENSSL_memset(ssl, 0, sizeof(SSL)); 370 371 ssl->min_version = ctx->min_version; 372 ssl->max_version = ctx->max_version; 373 374 /* RFC 6347 states that implementations SHOULD use an initial timer value of 375 * 1 second. */ 376 ssl->initial_timeout_duration_ms = 1000; 377 378 ssl->options = ctx->options; 379 ssl->mode = ctx->mode; 380 ssl->max_cert_list = ctx->max_cert_list; 381 382 ssl->cert = ssl_cert_dup(ctx->cert); 383 if (ssl->cert == NULL) { 384 goto err; 385 } 386 387 ssl->msg_callback = ctx->msg_callback; 388 ssl->msg_callback_arg = ctx->msg_callback_arg; 389 ssl->verify_mode = ctx->verify_mode; 390 ssl->verify_callback = ctx->default_verify_callback; 391 ssl->retain_only_sha256_of_client_certs = 392 ctx->retain_only_sha256_of_client_certs; 393 394 ssl->quiet_shutdown = ctx->quiet_shutdown; 395 ssl->max_send_fragment = ctx->max_send_fragment; 396 397 SSL_CTX_up_ref(ctx); 398 ssl->ctx = ctx; 399 SSL_CTX_up_ref(ctx); 400 ssl->session_ctx = ctx; 401 402 if (!ssl->ctx->x509_method->ssl_new(ssl)) { 403 goto err; 404 } 405 406 if (ctx->supported_group_list) { 407 ssl->supported_group_list = BUF_memdup(ctx->supported_group_list, 408 ctx->supported_group_list_len * 2); 409 if (!ssl->supported_group_list) { 410 goto err; 411 } 412 ssl->supported_group_list_len = ctx->supported_group_list_len; 413 } 414 415 if (ctx->alpn_client_proto_list) { 416 ssl->alpn_client_proto_list = BUF_memdup(ctx->alpn_client_proto_list, 417 ctx->alpn_client_proto_list_len); 418 if (ssl->alpn_client_proto_list == NULL) { 419 goto err; 420 } 421 ssl->alpn_client_proto_list_len = ctx->alpn_client_proto_list_len; 422 } 423 424 ssl->method = ctx->method; 425 426 if (!ssl->method->ssl_new(ssl)) { 427 goto err; 428 } 429 430 ssl->rwstate = SSL_NOTHING; 431 432 CRYPTO_new_ex_data(&ssl->ex_data); 433 434 ssl->psk_identity_hint = NULL; 435 if (ctx->psk_identity_hint) { 436 ssl->psk_identity_hint = BUF_strdup(ctx->psk_identity_hint); 437 if (ssl->psk_identity_hint == NULL) { 438 goto err; 439 } 440 } 441 ssl->psk_client_callback = ctx->psk_client_callback; 442 ssl->psk_server_callback = ctx->psk_server_callback; 443 444 ssl->tlsext_channel_id_enabled = ctx->tlsext_channel_id_enabled; 445 if (ctx->tlsext_channel_id_private) { 446 EVP_PKEY_up_ref(ctx->tlsext_channel_id_private); 447 ssl->tlsext_channel_id_private = ctx->tlsext_channel_id_private; 448 } 449 450 ssl->signed_cert_timestamps_enabled = ctx->signed_cert_timestamps_enabled; 451 ssl->ocsp_stapling_enabled = ctx->ocsp_stapling_enabled; 452 453 return ssl; 454 455 err: 456 SSL_free(ssl); 457 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); 458 459 return NULL; 460 } 461 462 void SSL_free(SSL *ssl) { 463 if (ssl == NULL) { 464 return; 465 } 466 467 ssl->ctx->x509_method->ssl_free(ssl); 468 CRYPTO_free_ex_data(&g_ex_data_class_ssl, ssl, &ssl->ex_data); 469 470 BIO_free_all(ssl->rbio); 471 BIO_free_all(ssl->wbio); 472 473 BUF_MEM_free(ssl->init_buf); 474 475 /* add extra stuff */ 476 ssl_cipher_preference_list_free(ssl->cipher_list); 477 478 SSL_SESSION_free(ssl->session); 479 480 ssl_cert_free(ssl->cert); 481 482 OPENSSL_free(ssl->tlsext_hostname); 483 SSL_CTX_free(ssl->session_ctx); 484 OPENSSL_free(ssl->supported_group_list); 485 OPENSSL_free(ssl->alpn_client_proto_list); 486 EVP_PKEY_free(ssl->tlsext_channel_id_private); 487 OPENSSL_free(ssl->psk_identity_hint); 488 sk_CRYPTO_BUFFER_pop_free(ssl->client_CA, CRYPTO_BUFFER_free); 489 sk_SRTP_PROTECTION_PROFILE_free(ssl->srtp_profiles); 490 491 if (ssl->method != NULL) { 492 ssl->method->ssl_free(ssl); 493 } 494 SSL_CTX_free(ssl->ctx); 495 496 OPENSSL_free(ssl); 497 } 498 499 void SSL_set_connect_state(SSL *ssl) { 500 ssl->server = 0; 501 ssl->handshake_func = ssl3_connect; 502 } 503 504 void SSL_set_accept_state(SSL *ssl) { 505 ssl->server = 1; 506 ssl->handshake_func = ssl3_accept; 507 } 508 509 void SSL_set0_rbio(SSL *ssl, BIO *rbio) { 510 BIO_free_all(ssl->rbio); 511 ssl->rbio = rbio; 512 } 513 514 void SSL_set0_wbio(SSL *ssl, BIO *wbio) { 515 BIO_free_all(ssl->wbio); 516 ssl->wbio = wbio; 517 } 518 519 void SSL_set_bio(SSL *ssl, BIO *rbio, BIO *wbio) { 520 /* For historical reasons, this function has many different cases in ownership 521 * handling. */ 522 523 /* If nothing has changed, do nothing */ 524 if (rbio == SSL_get_rbio(ssl) && wbio == SSL_get_wbio(ssl)) { 525 return; 526 } 527 528 /* If the two arguments are equal, one fewer reference is granted than 529 * taken. */ 530 if (rbio != NULL && rbio == wbio) { 531 BIO_up_ref(rbio); 532 } 533 534 /* If only the wbio is changed, adopt only one reference. */ 535 if (rbio == SSL_get_rbio(ssl)) { 536 SSL_set0_wbio(ssl, wbio); 537 return; 538 } 539 540 /* There is an asymmetry here for historical reasons. If only the rbio is 541 * changed AND the rbio and wbio were originally different, then we only adopt 542 * one reference. */ 543 if (wbio == SSL_get_wbio(ssl) && SSL_get_rbio(ssl) != SSL_get_wbio(ssl)) { 544 SSL_set0_rbio(ssl, rbio); 545 return; 546 } 547 548 /* Otherwise, adopt both references. */ 549 SSL_set0_rbio(ssl, rbio); 550 SSL_set0_wbio(ssl, wbio); 551 } 552 553 BIO *SSL_get_rbio(const SSL *ssl) { return ssl->rbio; } 554 555 BIO *SSL_get_wbio(const SSL *ssl) { return ssl->wbio; } 556 557 void ssl_reset_error_state(SSL *ssl) { 558 /* Functions which use |SSL_get_error| must reset I/O and error state on 559 * entry. */ 560 ssl->rwstate = SSL_NOTHING; 561 ERR_clear_error(); 562 ERR_clear_system_error(); 563 } 564 565 int SSL_do_handshake(SSL *ssl) { 566 ssl_reset_error_state(ssl); 567 568 if (ssl->handshake_func == NULL) { 569 OPENSSL_PUT_ERROR(SSL, SSL_R_CONNECTION_TYPE_NOT_SET); 570 return -1; 571 } 572 573 if (!SSL_in_init(ssl)) { 574 return 1; 575 } 576 577 if (ssl->s3->hs == NULL) { 578 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); 579 return -1; 580 } 581 582 /* Run the handshake. */ 583 assert(ssl->s3->hs != NULL); 584 int ret = ssl->handshake_func(ssl->s3->hs); 585 if (ret <= 0) { 586 return ret; 587 } 588 589 /* Destroy the handshake object if the handshake has completely finished. */ 590 if (!SSL_in_init(ssl)) { 591 ssl_handshake_free(ssl->s3->hs); 592 ssl->s3->hs = NULL; 593 } 594 595 return 1; 596 } 597 598 int SSL_connect(SSL *ssl) { 599 if (ssl->handshake_func == NULL) { 600 /* Not properly initialized yet */ 601 SSL_set_connect_state(ssl); 602 } 603 604 return SSL_do_handshake(ssl); 605 } 606 607 int SSL_accept(SSL *ssl) { 608 if (ssl->handshake_func == NULL) { 609 /* Not properly initialized yet */ 610 SSL_set_accept_state(ssl); 611 } 612 613 return SSL_do_handshake(ssl); 614 } 615 616 int ssl_can_write(const SSL *ssl) { 617 return !SSL_in_init(ssl) || ssl->s3->hs->can_early_write; 618 } 619 620 int ssl_can_read(const SSL *ssl) { 621 return !SSL_in_init(ssl) || ssl->s3->hs->can_early_read; 622 } 623 624 static int ssl_do_renegotiate(SSL *ssl) { 625 /* We do not accept renegotiations as a server or SSL 3.0. SSL 3.0 will be 626 * removed entirely in the future and requires retaining more data for 627 * renegotiation_info. */ 628 if (ssl->server || ssl->version == SSL3_VERSION) { 629 goto no_renegotiation; 630 } 631 632 if (ssl->s3->tmp.message_type != SSL3_MT_HELLO_REQUEST || 633 ssl->init_num != 0) { 634 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); 635 OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_HELLO_REQUEST); 636 return 0; 637 } 638 639 switch (ssl->renegotiate_mode) { 640 case ssl_renegotiate_ignore: 641 /* Ignore the HelloRequest. */ 642 return 1; 643 644 case ssl_renegotiate_once: 645 if (ssl->s3->total_renegotiations != 0) { 646 goto no_renegotiation; 647 } 648 break; 649 650 case ssl_renegotiate_never: 651 goto no_renegotiation; 652 653 case ssl_renegotiate_freely: 654 break; 655 } 656 657 /* Renegotiation is only supported at quiescent points in the application 658 * protocol, namely in HTTPS, just before reading the HTTP response. Require 659 * the record-layer be idle and avoid complexities of sending a handshake 660 * record while an application_data record is being written. */ 661 if (ssl_write_buffer_is_pending(ssl)) { 662 goto no_renegotiation; 663 } 664 665 /* Begin a new handshake. */ 666 if (ssl->s3->hs != NULL) { 667 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); 668 return 0; 669 } 670 ssl->s3->hs = ssl_handshake_new(ssl); 671 if (ssl->s3->hs == NULL) { 672 return 0; 673 } 674 675 ssl->s3->total_renegotiations++; 676 return 1; 677 678 no_renegotiation: 679 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_NO_RENEGOTIATION); 680 OPENSSL_PUT_ERROR(SSL, SSL_R_NO_RENEGOTIATION); 681 return 0; 682 } 683 684 static int ssl_do_post_handshake(SSL *ssl) { 685 if (ssl3_protocol_version(ssl) < TLS1_3_VERSION) { 686 return ssl_do_renegotiate(ssl); 687 } 688 689 return tls13_post_handshake(ssl); 690 } 691 692 static int ssl_read_impl(SSL *ssl, void *buf, int num, int peek) { 693 ssl_reset_error_state(ssl); 694 695 if (ssl->handshake_func == NULL) { 696 OPENSSL_PUT_ERROR(SSL, SSL_R_UNINITIALIZED); 697 return -1; 698 } 699 700 for (;;) { 701 /* Complete the current handshake, if any. False Start will cause 702 * |SSL_do_handshake| to return mid-handshake, so this may require multiple 703 * iterations. */ 704 while (!ssl_can_read(ssl)) { 705 int ret = SSL_do_handshake(ssl); 706 if (ret < 0) { 707 return ret; 708 } 709 if (ret == 0) { 710 OPENSSL_PUT_ERROR(SSL, SSL_R_SSL_HANDSHAKE_FAILURE); 711 return -1; 712 } 713 } 714 715 int got_handshake; 716 int ret = ssl->method->read_app_data(ssl, &got_handshake, buf, num, peek); 717 if (ret > 0 || !got_handshake) { 718 ssl->s3->key_update_count = 0; 719 return ret; 720 } 721 722 /* If we received an interrupt in early read (the end_of_early_data alert), 723 * loop again for the handshake to process it. */ 724 if (SSL_in_init(ssl)) { 725 continue; 726 } 727 728 /* Handle the post-handshake message and try again. */ 729 if (!ssl_do_post_handshake(ssl)) { 730 return -1; 731 } 732 ssl->method->release_current_message(ssl, 1 /* free buffer */); 733 } 734 } 735 736 int SSL_read(SSL *ssl, void *buf, int num) { 737 return ssl_read_impl(ssl, buf, num, 0 /* consume bytes */); 738 } 739 740 int SSL_peek(SSL *ssl, void *buf, int num) { 741 return ssl_read_impl(ssl, buf, num, 1 /* peek */); 742 } 743 744 int SSL_write(SSL *ssl, const void *buf, int num) { 745 ssl_reset_error_state(ssl); 746 747 if (ssl->handshake_func == NULL) { 748 OPENSSL_PUT_ERROR(SSL, SSL_R_UNINITIALIZED); 749 return -1; 750 } 751 752 if (ssl->s3->send_shutdown != ssl_shutdown_none) { 753 OPENSSL_PUT_ERROR(SSL, SSL_R_PROTOCOL_IS_SHUTDOWN); 754 return -1; 755 } 756 757 /* If necessary, complete the handshake implicitly. */ 758 if (!ssl_can_write(ssl)) { 759 int ret = SSL_do_handshake(ssl); 760 if (ret < 0) { 761 return ret; 762 } 763 if (ret == 0) { 764 OPENSSL_PUT_ERROR(SSL, SSL_R_SSL_HANDSHAKE_FAILURE); 765 return -1; 766 } 767 } 768 769 return ssl->method->write_app_data(ssl, buf, num); 770 } 771 772 int SSL_shutdown(SSL *ssl) { 773 ssl_reset_error_state(ssl); 774 775 if (ssl->handshake_func == NULL) { 776 OPENSSL_PUT_ERROR(SSL, SSL_R_UNINITIALIZED); 777 return -1; 778 } 779 780 /* If we are in the middle of a handshake, silently succeed. Consumers often 781 * call this function before |SSL_free|, whether the handshake succeeded or 782 * not. We assume the caller has already handled failed handshakes. */ 783 if (SSL_in_init(ssl)) { 784 return 1; 785 } 786 787 if (ssl->quiet_shutdown) { 788 /* Do nothing if configured not to send a close_notify. */ 789 ssl->s3->send_shutdown = ssl_shutdown_close_notify; 790 ssl->s3->recv_shutdown = ssl_shutdown_close_notify; 791 return 1; 792 } 793 794 /* This function completes in two stages. It sends a close_notify and then it 795 * waits for a close_notify to come in. Perform exactly one action and return 796 * whether or not it succeeds. */ 797 798 if (ssl->s3->send_shutdown != ssl_shutdown_close_notify) { 799 /* Send a close_notify. */ 800 if (ssl3_send_alert(ssl, SSL3_AL_WARNING, SSL_AD_CLOSE_NOTIFY) <= 0) { 801 return -1; 802 } 803 } else if (ssl->s3->alert_dispatch) { 804 /* Finish sending the close_notify. */ 805 if (ssl->method->dispatch_alert(ssl) <= 0) { 806 return -1; 807 } 808 } else if (ssl->s3->recv_shutdown != ssl_shutdown_close_notify) { 809 /* Wait for the peer's close_notify. */ 810 ssl->method->read_close_notify(ssl); 811 if (ssl->s3->recv_shutdown != ssl_shutdown_close_notify) { 812 return -1; 813 } 814 } 815 816 /* Return 0 for unidirectional shutdown and 1 for bidirectional shutdown. */ 817 return ssl->s3->recv_shutdown == ssl_shutdown_close_notify; 818 } 819 820 int SSL_send_fatal_alert(SSL *ssl, uint8_t alert) { 821 if (ssl->s3->alert_dispatch) { 822 if (ssl->s3->send_alert[0] != SSL3_AL_FATAL || 823 ssl->s3->send_alert[1] != alert) { 824 /* We are already attempting to write a different alert. */ 825 OPENSSL_PUT_ERROR(SSL, SSL_R_PROTOCOL_IS_SHUTDOWN); 826 return -1; 827 } 828 return ssl->method->dispatch_alert(ssl); 829 } 830 831 return ssl3_send_alert(ssl, SSL3_AL_FATAL, alert); 832 } 833 834 void SSL_CTX_set_early_data_enabled(SSL_CTX *ctx, int enabled) { 835 ctx->enable_early_data = !!enabled; 836 } 837 838 int SSL_early_data_accepted(const SSL *ssl) { 839 return ssl->early_data_accepted; 840 } 841 842 static int bio_retry_reason_to_error(int reason) { 843 switch (reason) { 844 case BIO_RR_CONNECT: 845 return SSL_ERROR_WANT_CONNECT; 846 case BIO_RR_ACCEPT: 847 return SSL_ERROR_WANT_ACCEPT; 848 default: 849 return SSL_ERROR_SYSCALL; 850 } 851 } 852 853 int SSL_get_error(const SSL *ssl, int ret_code) { 854 if (ret_code > 0) { 855 return SSL_ERROR_NONE; 856 } 857 858 /* Make things return SSL_ERROR_SYSCALL when doing SSL_do_handshake etc, 859 * where we do encode the error */ 860 uint32_t err = ERR_peek_error(); 861 if (err != 0) { 862 if (ERR_GET_LIB(err) == ERR_LIB_SYS) { 863 return SSL_ERROR_SYSCALL; 864 } 865 return SSL_ERROR_SSL; 866 } 867 868 if (ret_code == 0) { 869 if (ssl->s3->recv_shutdown == ssl_shutdown_close_notify) { 870 return SSL_ERROR_ZERO_RETURN; 871 } 872 /* An EOF was observed which violates the protocol, and the underlying 873 * transport does not participate in the error queue. Bubble up to the 874 * caller. */ 875 return SSL_ERROR_SYSCALL; 876 } 877 878 switch (ssl->rwstate) { 879 case SSL_PENDING_SESSION: 880 return SSL_ERROR_PENDING_SESSION; 881 882 case SSL_CERTIFICATE_SELECTION_PENDING: 883 return SSL_ERROR_PENDING_CERTIFICATE; 884 885 case SSL_READING: { 886 BIO *bio = SSL_get_rbio(ssl); 887 if (BIO_should_read(bio)) { 888 return SSL_ERROR_WANT_READ; 889 } 890 891 if (BIO_should_write(bio)) { 892 /* TODO(davidben): OpenSSL historically checked for writes on the read 893 * BIO. Can this be removed? */ 894 return SSL_ERROR_WANT_WRITE; 895 } 896 897 if (BIO_should_io_special(bio)) { 898 return bio_retry_reason_to_error(BIO_get_retry_reason(bio)); 899 } 900 901 break; 902 } 903 904 case SSL_WRITING: { 905 BIO *bio = SSL_get_wbio(ssl); 906 if (BIO_should_write(bio)) { 907 return SSL_ERROR_WANT_WRITE; 908 } 909 910 if (BIO_should_read(bio)) { 911 /* TODO(davidben): OpenSSL historically checked for reads on the write 912 * BIO. Can this be removed? */ 913 return SSL_ERROR_WANT_READ; 914 } 915 916 if (BIO_should_io_special(bio)) { 917 return bio_retry_reason_to_error(BIO_get_retry_reason(bio)); 918 } 919 920 break; 921 } 922 923 case SSL_X509_LOOKUP: 924 return SSL_ERROR_WANT_X509_LOOKUP; 925 926 case SSL_CHANNEL_ID_LOOKUP: 927 return SSL_ERROR_WANT_CHANNEL_ID_LOOKUP; 928 929 case SSL_PRIVATE_KEY_OPERATION: 930 return SSL_ERROR_WANT_PRIVATE_KEY_OPERATION; 931 932 case SSL_PENDING_TICKET: 933 return SSL_ERROR_PENDING_TICKET; 934 } 935 936 return SSL_ERROR_SYSCALL; 937 } 938 939 static int set_min_version(const SSL_PROTOCOL_METHOD *method, uint16_t *out, 940 uint16_t version) { 941 /* Zero is interpreted as the default minimum version. */ 942 if (version == 0) { 943 *out = method->min_version; 944 return 1; 945 } 946 947 if (version == TLS1_3_VERSION) { 948 version = TLS1_3_DRAFT_VERSION; 949 } 950 951 return method->version_from_wire(out, version); 952 } 953 954 static int set_max_version(const SSL_PROTOCOL_METHOD *method, uint16_t *out, 955 uint16_t version) { 956 /* Zero is interpreted as the default maximum version. */ 957 if (version == 0) { 958 *out = method->max_version; 959 /* TODO(svaldez): Enable TLS 1.3 by default once fully implemented. */ 960 if (*out > TLS1_2_VERSION) { 961 *out = TLS1_2_VERSION; 962 } 963 return 1; 964 } 965 966 if (version == TLS1_3_VERSION) { 967 version = TLS1_3_DRAFT_VERSION; 968 } 969 970 return method->version_from_wire(out, version); 971 } 972 973 int SSL_CTX_set_min_proto_version(SSL_CTX *ctx, uint16_t version) { 974 return set_min_version(ctx->method, &ctx->min_version, version); 975 } 976 977 int SSL_CTX_set_max_proto_version(SSL_CTX *ctx, uint16_t version) { 978 return set_max_version(ctx->method, &ctx->max_version, version); 979 } 980 981 int SSL_set_min_proto_version(SSL *ssl, uint16_t version) { 982 return set_min_version(ssl->method, &ssl->min_version, version); 983 } 984 985 int SSL_set_max_proto_version(SSL *ssl, uint16_t version) { 986 return set_max_version(ssl->method, &ssl->max_version, version); 987 } 988 989 uint32_t SSL_CTX_set_options(SSL_CTX *ctx, uint32_t options) { 990 ctx->options |= options; 991 return ctx->options; 992 } 993 994 uint32_t SSL_CTX_clear_options(SSL_CTX *ctx, uint32_t options) { 995 ctx->options &= ~options; 996 return ctx->options; 997 } 998 999 uint32_t SSL_CTX_get_options(const SSL_CTX *ctx) { return ctx->options; } 1000 1001 uint32_t SSL_set_options(SSL *ssl, uint32_t options) { 1002 ssl->options |= options; 1003 return ssl->options; 1004 } 1005 1006 uint32_t SSL_clear_options(SSL *ssl, uint32_t options) { 1007 ssl->options &= ~options; 1008 return ssl->options; 1009 } 1010 1011 uint32_t SSL_get_options(const SSL *ssl) { return ssl->options; } 1012 1013 uint32_t SSL_CTX_set_mode(SSL_CTX *ctx, uint32_t mode) { 1014 ctx->mode |= mode; 1015 return ctx->mode; 1016 } 1017 1018 uint32_t SSL_CTX_clear_mode(SSL_CTX *ctx, uint32_t mode) { 1019 ctx->mode &= ~mode; 1020 return ctx->mode; 1021 } 1022 1023 uint32_t SSL_CTX_get_mode(const SSL_CTX *ctx) { return ctx->mode; } 1024 1025 uint32_t SSL_set_mode(SSL *ssl, uint32_t mode) { 1026 ssl->mode |= mode; 1027 return ssl->mode; 1028 } 1029 1030 uint32_t SSL_clear_mode(SSL *ssl, uint32_t mode) { 1031 ssl->mode &= ~mode; 1032 return ssl->mode; 1033 } 1034 1035 uint32_t SSL_get_mode(const SSL *ssl) { return ssl->mode; } 1036 1037 void SSL_CTX_set0_buffer_pool(SSL_CTX *ctx, CRYPTO_BUFFER_POOL *pool) { 1038 ctx->pool = pool; 1039 } 1040 1041 int SSL_get_tls_unique(const SSL *ssl, uint8_t *out, size_t *out_len, 1042 size_t max_out) { 1043 /* tls-unique is not defined for SSL 3.0 or TLS 1.3. */ 1044 if (!ssl->s3->initial_handshake_complete || 1045 ssl3_protocol_version(ssl) < TLS1_VERSION || 1046 ssl3_protocol_version(ssl) >= TLS1_3_VERSION) { 1047 goto err; 1048 } 1049 1050 /* The tls-unique value is the first Finished message in the handshake, which 1051 * is the client's in a full handshake and the server's for a resumption. See 1052 * https://tools.ietf.org/html/rfc5929#section-3.1. */ 1053 const uint8_t *finished = ssl->s3->previous_client_finished; 1054 size_t finished_len = ssl->s3->previous_client_finished_len; 1055 if (ssl->session != NULL) { 1056 /* tls-unique is broken for resumed sessions unless EMS is used. */ 1057 if (!ssl->session->extended_master_secret) { 1058 goto err; 1059 } 1060 finished = ssl->s3->previous_server_finished; 1061 finished_len = ssl->s3->previous_server_finished_len; 1062 } 1063 1064 *out_len = finished_len; 1065 if (finished_len > max_out) { 1066 *out_len = max_out; 1067 } 1068 1069 OPENSSL_memcpy(out, finished, *out_len); 1070 return 1; 1071 1072 err: 1073 *out_len = 0; 1074 OPENSSL_memset(out, 0, max_out); 1075 return 0; 1076 } 1077 1078 static int set_session_id_context(CERT *cert, const uint8_t *sid_ctx, 1079 size_t sid_ctx_len) { 1080 if (sid_ctx_len > sizeof(cert->sid_ctx)) { 1081 OPENSSL_PUT_ERROR(SSL, SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG); 1082 return 0; 1083 } 1084 1085 OPENSSL_COMPILE_ASSERT(sizeof(cert->sid_ctx) < 256, sid_ctx_too_large); 1086 cert->sid_ctx_length = (uint8_t)sid_ctx_len; 1087 OPENSSL_memcpy(cert->sid_ctx, sid_ctx, sid_ctx_len); 1088 return 1; 1089 } 1090 1091 int SSL_CTX_set_session_id_context(SSL_CTX *ctx, const uint8_t *sid_ctx, 1092 size_t sid_ctx_len) { 1093 return set_session_id_context(ctx->cert, sid_ctx, sid_ctx_len); 1094 } 1095 1096 int SSL_set_session_id_context(SSL *ssl, const uint8_t *sid_ctx, 1097 size_t sid_ctx_len) { 1098 return set_session_id_context(ssl->cert, sid_ctx, sid_ctx_len); 1099 } 1100 1101 const uint8_t *SSL_get0_session_id_context(const SSL *ssl, size_t *out_len) { 1102 *out_len = ssl->cert->sid_ctx_length; 1103 return ssl->cert->sid_ctx; 1104 } 1105 1106 void ssl_cipher_preference_list_free( 1107 struct ssl_cipher_preference_list_st *cipher_list) { 1108 if (cipher_list == NULL) { 1109 return; 1110 } 1111 sk_SSL_CIPHER_free(cipher_list->ciphers); 1112 OPENSSL_free(cipher_list->in_group_flags); 1113 OPENSSL_free(cipher_list); 1114 } 1115 1116 void SSL_certs_clear(SSL *ssl) { ssl_cert_clear_certs(ssl->cert); } 1117 1118 int SSL_get_fd(const SSL *ssl) { return SSL_get_rfd(ssl); } 1119 1120 int SSL_get_rfd(const SSL *ssl) { 1121 int ret = -1; 1122 BIO *b = BIO_find_type(SSL_get_rbio(ssl), BIO_TYPE_DESCRIPTOR); 1123 if (b != NULL) { 1124 BIO_get_fd(b, &ret); 1125 } 1126 return ret; 1127 } 1128 1129 int SSL_get_wfd(const SSL *ssl) { 1130 int ret = -1; 1131 BIO *b = BIO_find_type(SSL_get_wbio(ssl), BIO_TYPE_DESCRIPTOR); 1132 if (b != NULL) { 1133 BIO_get_fd(b, &ret); 1134 } 1135 return ret; 1136 } 1137 1138 int SSL_set_fd(SSL *ssl, int fd) { 1139 BIO *bio = BIO_new(BIO_s_socket()); 1140 if (bio == NULL) { 1141 OPENSSL_PUT_ERROR(SSL, ERR_R_BUF_LIB); 1142 return 0; 1143 } 1144 BIO_set_fd(bio, fd, BIO_NOCLOSE); 1145 SSL_set_bio(ssl, bio, bio); 1146 return 1; 1147 } 1148 1149 int SSL_set_wfd(SSL *ssl, int fd) { 1150 BIO *rbio = SSL_get_rbio(ssl); 1151 if (rbio == NULL || BIO_method_type(rbio) != BIO_TYPE_SOCKET || 1152 BIO_get_fd(rbio, NULL) != fd) { 1153 BIO *bio = BIO_new(BIO_s_socket()); 1154 if (bio == NULL) { 1155 OPENSSL_PUT_ERROR(SSL, ERR_R_BUF_LIB); 1156 return 0; 1157 } 1158 BIO_set_fd(bio, fd, BIO_NOCLOSE); 1159 SSL_set0_wbio(ssl, bio); 1160 } else { 1161 /* Copy the rbio over to the wbio. */ 1162 BIO_up_ref(rbio); 1163 SSL_set0_wbio(ssl, rbio); 1164 } 1165 1166 return 1; 1167 } 1168 1169 int SSL_set_rfd(SSL *ssl, int fd) { 1170 BIO *wbio = SSL_get_wbio(ssl); 1171 if (wbio == NULL || BIO_method_type(wbio) != BIO_TYPE_SOCKET || 1172 BIO_get_fd(wbio, NULL) != fd) { 1173 BIO *bio = BIO_new(BIO_s_socket()); 1174 if (bio == NULL) { 1175 OPENSSL_PUT_ERROR(SSL, ERR_R_BUF_LIB); 1176 return 0; 1177 } 1178 BIO_set_fd(bio, fd, BIO_NOCLOSE); 1179 SSL_set0_rbio(ssl, bio); 1180 } else { 1181 /* Copy the wbio over to the rbio. */ 1182 BIO_up_ref(wbio); 1183 SSL_set0_rbio(ssl, wbio); 1184 } 1185 return 1; 1186 } 1187 1188 static size_t copy_finished(void *out, size_t out_len, const uint8_t *in, 1189 size_t in_len) { 1190 if (out_len > in_len) { 1191 out_len = in_len; 1192 } 1193 OPENSSL_memcpy(out, in, out_len); 1194 return in_len; 1195 } 1196 1197 size_t SSL_get_finished(const SSL *ssl, void *buf, size_t count) { 1198 if (!ssl->s3->initial_handshake_complete || 1199 ssl3_protocol_version(ssl) < TLS1_VERSION || 1200 ssl3_protocol_version(ssl) >= TLS1_3_VERSION) { 1201 return 0; 1202 } 1203 1204 if (ssl->server) { 1205 return copy_finished(buf, count, ssl->s3->previous_server_finished, 1206 ssl->s3->previous_server_finished_len); 1207 } 1208 1209 return copy_finished(buf, count, ssl->s3->previous_client_finished, 1210 ssl->s3->previous_client_finished_len); 1211 } 1212 1213 size_t SSL_get_peer_finished(const SSL *ssl, void *buf, size_t count) { 1214 if (!ssl->s3->initial_handshake_complete || 1215 ssl3_protocol_version(ssl) < TLS1_VERSION || 1216 ssl3_protocol_version(ssl) >= TLS1_3_VERSION) { 1217 return 0; 1218 } 1219 1220 if (ssl->server) { 1221 return copy_finished(buf, count, ssl->s3->previous_client_finished, 1222 ssl->s3->previous_client_finished_len); 1223 } 1224 1225 return copy_finished(buf, count, ssl->s3->previous_server_finished, 1226 ssl->s3->previous_server_finished_len); 1227 } 1228 1229 int SSL_get_verify_mode(const SSL *ssl) { return ssl->verify_mode; } 1230 1231 int SSL_get_extms_support(const SSL *ssl) { 1232 /* TLS 1.3 does not require extended master secret and always reports as 1233 * supporting it. */ 1234 if (!ssl->s3->have_version) { 1235 return 0; 1236 } 1237 if (ssl3_protocol_version(ssl) >= TLS1_3_VERSION) { 1238 return 1; 1239 } 1240 1241 /* If the initial handshake completed, query the established session. */ 1242 if (ssl->s3->established_session != NULL) { 1243 return ssl->s3->established_session->extended_master_secret; 1244 } 1245 1246 /* Otherwise, query the in-progress handshake. */ 1247 if (ssl->s3->hs != NULL) { 1248 return ssl->s3->hs->extended_master_secret; 1249 } 1250 assert(0); 1251 return 0; 1252 } 1253 1254 int SSL_CTX_get_read_ahead(const SSL_CTX *ctx) { return 0; } 1255 1256 int SSL_get_read_ahead(const SSL *ssl) { return 0; } 1257 1258 void SSL_CTX_set_read_ahead(SSL_CTX *ctx, int yes) { } 1259 1260 void SSL_set_read_ahead(SSL *ssl, int yes) { } 1261 1262 int SSL_pending(const SSL *ssl) { 1263 if (ssl->s3->rrec.type != SSL3_RT_APPLICATION_DATA) { 1264 return 0; 1265 } 1266 return ssl->s3->rrec.length; 1267 } 1268 1269 /* Fix this so it checks all the valid key/cert options */ 1270 int SSL_CTX_check_private_key(const SSL_CTX *ctx) { 1271 return ssl_cert_check_private_key(ctx->cert, ctx->cert->privatekey); 1272 } 1273 1274 /* Fix this function so that it takes an optional type parameter */ 1275 int SSL_check_private_key(const SSL *ssl) { 1276 return ssl_cert_check_private_key(ssl->cert, ssl->cert->privatekey); 1277 } 1278 1279 long SSL_get_default_timeout(const SSL *ssl) { 1280 return SSL_DEFAULT_SESSION_TIMEOUT; 1281 } 1282 1283 int SSL_renegotiate(SSL *ssl) { 1284 /* Caller-initiated renegotiation is not supported. */ 1285 OPENSSL_PUT_ERROR(SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 1286 return 0; 1287 } 1288 1289 int SSL_renegotiate_pending(SSL *ssl) { 1290 return SSL_in_init(ssl) && ssl->s3->initial_handshake_complete; 1291 } 1292 1293 int SSL_total_renegotiations(const SSL *ssl) { 1294 return ssl->s3->total_renegotiations; 1295 } 1296 1297 size_t SSL_CTX_get_max_cert_list(const SSL_CTX *ctx) { 1298 return ctx->max_cert_list; 1299 } 1300 1301 void SSL_CTX_set_max_cert_list(SSL_CTX *ctx, size_t max_cert_list) { 1302 if (max_cert_list > kMaxHandshakeSize) { 1303 max_cert_list = kMaxHandshakeSize; 1304 } 1305 ctx->max_cert_list = (uint32_t)max_cert_list; 1306 } 1307 1308 size_t SSL_get_max_cert_list(const SSL *ssl) { 1309 return ssl->max_cert_list; 1310 } 1311 1312 void SSL_set_max_cert_list(SSL *ssl, size_t max_cert_list) { 1313 if (max_cert_list > kMaxHandshakeSize) { 1314 max_cert_list = kMaxHandshakeSize; 1315 } 1316 ssl->max_cert_list = (uint32_t)max_cert_list; 1317 } 1318 1319 int SSL_CTX_set_max_send_fragment(SSL_CTX *ctx, size_t max_send_fragment) { 1320 if (max_send_fragment < 512) { 1321 max_send_fragment = 512; 1322 } 1323 if (max_send_fragment > SSL3_RT_MAX_PLAIN_LENGTH) { 1324 max_send_fragment = SSL3_RT_MAX_PLAIN_LENGTH; 1325 } 1326 ctx->max_send_fragment = (uint16_t)max_send_fragment; 1327 1328 return 1; 1329 } 1330 1331 int SSL_set_max_send_fragment(SSL *ssl, size_t max_send_fragment) { 1332 if (max_send_fragment < 512) { 1333 max_send_fragment = 512; 1334 } 1335 if (max_send_fragment > SSL3_RT_MAX_PLAIN_LENGTH) { 1336 max_send_fragment = SSL3_RT_MAX_PLAIN_LENGTH; 1337 } 1338 ssl->max_send_fragment = (uint16_t)max_send_fragment; 1339 1340 return 1; 1341 } 1342 1343 int SSL_set_mtu(SSL *ssl, unsigned mtu) { 1344 if (!SSL_is_dtls(ssl) || mtu < dtls1_min_mtu()) { 1345 return 0; 1346 } 1347 ssl->d1->mtu = mtu; 1348 return 1; 1349 } 1350 1351 int SSL_get_secure_renegotiation_support(const SSL *ssl) { 1352 if (!ssl->s3->have_version) { 1353 return 0; 1354 } 1355 return ssl3_protocol_version(ssl) >= TLS1_3_VERSION || 1356 ssl->s3->send_connection_binding; 1357 } 1358 1359 LHASH_OF(SSL_SESSION) *SSL_CTX_sessions(SSL_CTX *ctx) { return ctx->sessions; } 1360 1361 size_t SSL_CTX_sess_number(const SSL_CTX *ctx) { 1362 return lh_SSL_SESSION_num_items(ctx->sessions); 1363 } 1364 1365 unsigned long SSL_CTX_sess_set_cache_size(SSL_CTX *ctx, unsigned long size) { 1366 unsigned long ret = ctx->session_cache_size; 1367 ctx->session_cache_size = size; 1368 return ret; 1369 } 1370 1371 unsigned long SSL_CTX_sess_get_cache_size(const SSL_CTX *ctx) { 1372 return ctx->session_cache_size; 1373 } 1374 1375 int SSL_CTX_set_session_cache_mode(SSL_CTX *ctx, int mode) { 1376 int ret = ctx->session_cache_mode; 1377 ctx->session_cache_mode = mode; 1378 return ret; 1379 } 1380 1381 int SSL_CTX_get_session_cache_mode(const SSL_CTX *ctx) { 1382 return ctx->session_cache_mode; 1383 } 1384 1385 1386 int SSL_CTX_get_tlsext_ticket_keys(SSL_CTX *ctx, void *out, size_t len) { 1387 if (out == NULL) { 1388 return 48; 1389 } 1390 if (len != 48) { 1391 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_TICKET_KEYS_LENGTH); 1392 return 0; 1393 } 1394 uint8_t *out_bytes = out; 1395 OPENSSL_memcpy(out_bytes, ctx->tlsext_tick_key_name, 16); 1396 OPENSSL_memcpy(out_bytes + 16, ctx->tlsext_tick_hmac_key, 16); 1397 OPENSSL_memcpy(out_bytes + 32, ctx->tlsext_tick_aes_key, 16); 1398 return 1; 1399 } 1400 1401 int SSL_CTX_set_tlsext_ticket_keys(SSL_CTX *ctx, const void *in, size_t len) { 1402 if (in == NULL) { 1403 return 48; 1404 } 1405 if (len != 48) { 1406 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_TICKET_KEYS_LENGTH); 1407 return 0; 1408 } 1409 const uint8_t *in_bytes = in; 1410 OPENSSL_memcpy(ctx->tlsext_tick_key_name, in_bytes, 16); 1411 OPENSSL_memcpy(ctx->tlsext_tick_hmac_key, in_bytes + 16, 16); 1412 OPENSSL_memcpy(ctx->tlsext_tick_aes_key, in_bytes + 32, 16); 1413 return 1; 1414 } 1415 1416 int SSL_CTX_set_tlsext_ticket_key_cb( 1417 SSL_CTX *ctx, int (*callback)(SSL *ssl, uint8_t *key_name, uint8_t *iv, 1418 EVP_CIPHER_CTX *ctx, HMAC_CTX *hmac_ctx, 1419 int encrypt)) { 1420 ctx->tlsext_ticket_key_cb = callback; 1421 return 1; 1422 } 1423 1424 int SSL_CTX_set1_curves(SSL_CTX *ctx, const int *curves, size_t curves_len) { 1425 return tls1_set_curves(&ctx->supported_group_list, 1426 &ctx->supported_group_list_len, curves, 1427 curves_len); 1428 } 1429 1430 int SSL_set1_curves(SSL *ssl, const int *curves, size_t curves_len) { 1431 return tls1_set_curves(&ssl->supported_group_list, 1432 &ssl->supported_group_list_len, curves, 1433 curves_len); 1434 } 1435 1436 int SSL_CTX_set1_curves_list(SSL_CTX *ctx, const char *curves) { 1437 return tls1_set_curves_list(&ctx->supported_group_list, 1438 &ctx->supported_group_list_len, curves); 1439 } 1440 1441 int SSL_set1_curves_list(SSL *ssl, const char *curves) { 1442 return tls1_set_curves_list(&ssl->supported_group_list, 1443 &ssl->supported_group_list_len, curves); 1444 } 1445 1446 uint16_t SSL_get_curve_id(const SSL *ssl) { 1447 /* TODO(davidben): This checks the wrong session if there is a renegotiation in 1448 * progress. */ 1449 SSL_SESSION *session = SSL_get_session(ssl); 1450 if (session == NULL) { 1451 return 0; 1452 } 1453 1454 return session->group_id; 1455 } 1456 1457 int SSL_CTX_set_tmp_dh(SSL_CTX *ctx, const DH *dh) { 1458 DH_free(ctx->cert->dh_tmp); 1459 ctx->cert->dh_tmp = DHparams_dup(dh); 1460 if (ctx->cert->dh_tmp == NULL) { 1461 OPENSSL_PUT_ERROR(SSL, ERR_R_DH_LIB); 1462 return 0; 1463 } 1464 return 1; 1465 } 1466 1467 int SSL_set_tmp_dh(SSL *ssl, const DH *dh) { 1468 DH_free(ssl->cert->dh_tmp); 1469 ssl->cert->dh_tmp = DHparams_dup(dh); 1470 if (ssl->cert->dh_tmp == NULL) { 1471 OPENSSL_PUT_ERROR(SSL, ERR_R_DH_LIB); 1472 return 0; 1473 } 1474 return 1; 1475 } 1476 1477 OPENSSL_EXPORT STACK_OF(SSL_CIPHER) *SSL_CTX_get_ciphers(const SSL_CTX *ctx) { 1478 return ctx->cipher_list->ciphers; 1479 } 1480 1481 STACK_OF(SSL_CIPHER) *SSL_get_ciphers(const SSL *ssl) { 1482 if (ssl == NULL) { 1483 return NULL; 1484 } 1485 1486 const struct ssl_cipher_preference_list_st *prefs = 1487 ssl_get_cipher_preferences(ssl); 1488 if (prefs == NULL) { 1489 return NULL; 1490 } 1491 1492 return prefs->ciphers; 1493 } 1494 1495 const char *SSL_get_cipher_list(const SSL *ssl, int n) { 1496 if (ssl == NULL) { 1497 return NULL; 1498 } 1499 1500 STACK_OF(SSL_CIPHER) *sk = SSL_get_ciphers(ssl); 1501 if (sk == NULL || n < 0 || (size_t)n >= sk_SSL_CIPHER_num(sk)) { 1502 return NULL; 1503 } 1504 1505 const SSL_CIPHER *c = sk_SSL_CIPHER_value(sk, n); 1506 if (c == NULL) { 1507 return NULL; 1508 } 1509 1510 return c->name; 1511 } 1512 1513 int SSL_CTX_set_cipher_list(SSL_CTX *ctx, const char *str) { 1514 return ssl_create_cipher_list(ctx->method, &ctx->cipher_list, str, 1515 0 /* not strict */); 1516 } 1517 1518 int SSL_CTX_set_strict_cipher_list(SSL_CTX *ctx, const char *str) { 1519 return ssl_create_cipher_list(ctx->method, &ctx->cipher_list, str, 1520 1 /* strict */); 1521 } 1522 1523 int SSL_set_cipher_list(SSL *ssl, const char *str) { 1524 return ssl_create_cipher_list(ssl->ctx->method, &ssl->cipher_list, str, 1525 0 /* not strict */); 1526 } 1527 1528 int SSL_set_strict_cipher_list(SSL *ssl, const char *str) { 1529 return ssl_create_cipher_list(ssl->ctx->method, &ssl->cipher_list, str, 1530 1 /* strict */); 1531 } 1532 1533 const char *SSL_get_servername(const SSL *ssl, const int type) { 1534 if (type != TLSEXT_NAMETYPE_host_name) { 1535 return NULL; 1536 } 1537 1538 /* Historically, |SSL_get_servername| was also the configuration getter 1539 * corresponding to |SSL_set_tlsext_host_name|. */ 1540 if (ssl->tlsext_hostname != NULL) { 1541 return ssl->tlsext_hostname; 1542 } 1543 1544 /* During the handshake, report the handshake value. */ 1545 if (ssl->s3->hs != NULL) { 1546 return ssl->s3->hs->hostname; 1547 } 1548 1549 /* SSL_get_servername may also be called after the handshake to look up the 1550 * SNI value. 1551 * 1552 * TODO(davidben): This is almost unused. Can we remove it? */ 1553 SSL_SESSION *session = SSL_get_session(ssl); 1554 if (session == NULL) { 1555 return NULL; 1556 } 1557 return session->tlsext_hostname; 1558 } 1559 1560 int SSL_get_servername_type(const SSL *ssl) { 1561 SSL_SESSION *session = SSL_get_session(ssl); 1562 if (session == NULL || session->tlsext_hostname == NULL) { 1563 return -1; 1564 } 1565 return TLSEXT_NAMETYPE_host_name; 1566 } 1567 1568 void SSL_CTX_enable_signed_cert_timestamps(SSL_CTX *ctx) { 1569 ctx->signed_cert_timestamps_enabled = 1; 1570 } 1571 1572 void SSL_CTX_i_promise_to_verify_certs_after_the_handshake(SSL_CTX *ctx) { 1573 ctx->i_promise_to_verify_certs_after_the_handshake = 1; 1574 } 1575 1576 void SSL_enable_signed_cert_timestamps(SSL *ssl) { 1577 ssl->signed_cert_timestamps_enabled = 1; 1578 } 1579 1580 void SSL_CTX_enable_ocsp_stapling(SSL_CTX *ctx) { 1581 ctx->ocsp_stapling_enabled = 1; 1582 } 1583 1584 void SSL_enable_ocsp_stapling(SSL *ssl) { 1585 ssl->ocsp_stapling_enabled = 1; 1586 } 1587 1588 void SSL_get0_signed_cert_timestamp_list(const SSL *ssl, const uint8_t **out, 1589 size_t *out_len) { 1590 SSL_SESSION *session = SSL_get_session(ssl); 1591 1592 *out_len = 0; 1593 *out = NULL; 1594 if (ssl->server || !session || !session->tlsext_signed_cert_timestamp_list) { 1595 return; 1596 } 1597 1598 *out = session->tlsext_signed_cert_timestamp_list; 1599 *out_len = session->tlsext_signed_cert_timestamp_list_length; 1600 } 1601 1602 void SSL_get0_ocsp_response(const SSL *ssl, const uint8_t **out, 1603 size_t *out_len) { 1604 SSL_SESSION *session = SSL_get_session(ssl); 1605 1606 *out_len = 0; 1607 *out = NULL; 1608 if (ssl->server || !session || !session->ocsp_response) { 1609 return; 1610 } 1611 *out = session->ocsp_response; 1612 *out_len = session->ocsp_response_length; 1613 } 1614 1615 int SSL_set_tlsext_host_name(SSL *ssl, const char *name) { 1616 OPENSSL_free(ssl->tlsext_hostname); 1617 ssl->tlsext_hostname = NULL; 1618 1619 if (name == NULL) { 1620 return 1; 1621 } 1622 1623 size_t len = strlen(name); 1624 if (len == 0 || len > TLSEXT_MAXLEN_host_name) { 1625 OPENSSL_PUT_ERROR(SSL, SSL_R_SSL3_EXT_INVALID_SERVERNAME); 1626 return 0; 1627 } 1628 ssl->tlsext_hostname = BUF_strdup(name); 1629 if (ssl->tlsext_hostname == NULL) { 1630 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); 1631 return 0; 1632 } 1633 return 1; 1634 } 1635 1636 int SSL_CTX_set_tlsext_servername_callback( 1637 SSL_CTX *ctx, int (*callback)(SSL *ssl, int *out_alert, void *arg)) { 1638 ctx->tlsext_servername_callback = callback; 1639 return 1; 1640 } 1641 1642 int SSL_CTX_set_tlsext_servername_arg(SSL_CTX *ctx, void *arg) { 1643 ctx->tlsext_servername_arg = arg; 1644 return 1; 1645 } 1646 1647 int SSL_select_next_proto(uint8_t **out, uint8_t *out_len, 1648 const uint8_t *server, unsigned server_len, 1649 const uint8_t *client, unsigned client_len) { 1650 unsigned int i, j; 1651 const uint8_t *result; 1652 int status = OPENSSL_NPN_UNSUPPORTED; 1653 1654 /* For each protocol in server preference order, see if we support it. */ 1655 for (i = 0; i < server_len;) { 1656 for (j = 0; j < client_len;) { 1657 if (server[i] == client[j] && 1658 OPENSSL_memcmp(&server[i + 1], &client[j + 1], server[i]) == 0) { 1659 /* We found a match */ 1660 result = &server[i]; 1661 status = OPENSSL_NPN_NEGOTIATED; 1662 goto found; 1663 } 1664 j += client[j]; 1665 j++; 1666 } 1667 i += server[i]; 1668 i++; 1669 } 1670 1671 /* There's no overlap between our protocols and the server's list. */ 1672 result = client; 1673 status = OPENSSL_NPN_NO_OVERLAP; 1674 1675 found: 1676 *out = (uint8_t *)result + 1; 1677 *out_len = result[0]; 1678 return status; 1679 } 1680 1681 void SSL_get0_next_proto_negotiated(const SSL *ssl, const uint8_t **out_data, 1682 unsigned *out_len) { 1683 *out_data = ssl->s3->next_proto_negotiated; 1684 if (*out_data == NULL) { 1685 *out_len = 0; 1686 } else { 1687 *out_len = ssl->s3->next_proto_negotiated_len; 1688 } 1689 } 1690 1691 void SSL_CTX_set_next_protos_advertised_cb( 1692 SSL_CTX *ctx, 1693 int (*cb)(SSL *ssl, const uint8_t **out, unsigned *out_len, void *arg), 1694 void *arg) { 1695 ctx->next_protos_advertised_cb = cb; 1696 ctx->next_protos_advertised_cb_arg = arg; 1697 } 1698 1699 void SSL_CTX_set_next_proto_select_cb( 1700 SSL_CTX *ctx, int (*cb)(SSL *ssl, uint8_t **out, uint8_t *out_len, 1701 const uint8_t *in, unsigned in_len, void *arg), 1702 void *arg) { 1703 ctx->next_proto_select_cb = cb; 1704 ctx->next_proto_select_cb_arg = arg; 1705 } 1706 1707 int SSL_CTX_set_alpn_protos(SSL_CTX *ctx, const uint8_t *protos, 1708 unsigned protos_len) { 1709 OPENSSL_free(ctx->alpn_client_proto_list); 1710 ctx->alpn_client_proto_list = BUF_memdup(protos, protos_len); 1711 if (!ctx->alpn_client_proto_list) { 1712 return 1; 1713 } 1714 ctx->alpn_client_proto_list_len = protos_len; 1715 1716 return 0; 1717 } 1718 1719 int SSL_set_alpn_protos(SSL *ssl, const uint8_t *protos, unsigned protos_len) { 1720 OPENSSL_free(ssl->alpn_client_proto_list); 1721 ssl->alpn_client_proto_list = BUF_memdup(protos, protos_len); 1722 if (!ssl->alpn_client_proto_list) { 1723 return 1; 1724 } 1725 ssl->alpn_client_proto_list_len = protos_len; 1726 1727 return 0; 1728 } 1729 1730 void SSL_CTX_set_alpn_select_cb(SSL_CTX *ctx, 1731 int (*cb)(SSL *ssl, const uint8_t **out, 1732 uint8_t *out_len, const uint8_t *in, 1733 unsigned in_len, void *arg), 1734 void *arg) { 1735 ctx->alpn_select_cb = cb; 1736 ctx->alpn_select_cb_arg = arg; 1737 } 1738 1739 void SSL_get0_alpn_selected(const SSL *ssl, const uint8_t **out_data, 1740 unsigned *out_len) { 1741 *out_data = NULL; 1742 if (ssl->s3) { 1743 *out_data = ssl->s3->alpn_selected; 1744 } 1745 if (*out_data == NULL) { 1746 *out_len = 0; 1747 } else { 1748 *out_len = ssl->s3->alpn_selected_len; 1749 } 1750 } 1751 1752 1753 void SSL_CTX_set_tls_channel_id_enabled(SSL_CTX *ctx, int enabled) { 1754 ctx->tlsext_channel_id_enabled = !!enabled; 1755 } 1756 1757 int SSL_CTX_enable_tls_channel_id(SSL_CTX *ctx) { 1758 SSL_CTX_set_tls_channel_id_enabled(ctx, 1); 1759 return 1; 1760 } 1761 1762 void SSL_set_tls_channel_id_enabled(SSL *ssl, int enabled) { 1763 ssl->tlsext_channel_id_enabled = !!enabled; 1764 } 1765 1766 int SSL_enable_tls_channel_id(SSL *ssl) { 1767 SSL_set_tls_channel_id_enabled(ssl, 1); 1768 return 1; 1769 } 1770 1771 static int is_p256_key(EVP_PKEY *private_key) { 1772 const EC_KEY *ec_key = EVP_PKEY_get0_EC_KEY(private_key); 1773 return ec_key != NULL && 1774 EC_GROUP_get_curve_name(EC_KEY_get0_group(ec_key)) == 1775 NID_X9_62_prime256v1; 1776 } 1777 1778 int SSL_CTX_set1_tls_channel_id(SSL_CTX *ctx, EVP_PKEY *private_key) { 1779 if (!is_p256_key(private_key)) { 1780 OPENSSL_PUT_ERROR(SSL, SSL_R_CHANNEL_ID_NOT_P256); 1781 return 0; 1782 } 1783 1784 EVP_PKEY_free(ctx->tlsext_channel_id_private); 1785 EVP_PKEY_up_ref(private_key); 1786 ctx->tlsext_channel_id_private = private_key; 1787 ctx->tlsext_channel_id_enabled = 1; 1788 1789 return 1; 1790 } 1791 1792 int SSL_set1_tls_channel_id(SSL *ssl, EVP_PKEY *private_key) { 1793 if (!is_p256_key(private_key)) { 1794 OPENSSL_PUT_ERROR(SSL, SSL_R_CHANNEL_ID_NOT_P256); 1795 return 0; 1796 } 1797 1798 EVP_PKEY_free(ssl->tlsext_channel_id_private); 1799 EVP_PKEY_up_ref(private_key); 1800 ssl->tlsext_channel_id_private = private_key; 1801 ssl->tlsext_channel_id_enabled = 1; 1802 1803 return 1; 1804 } 1805 1806 size_t SSL_get_tls_channel_id(SSL *ssl, uint8_t *out, size_t max_out) { 1807 if (!ssl->s3->tlsext_channel_id_valid) { 1808 return 0; 1809 } 1810 OPENSSL_memcpy(out, ssl->s3->tlsext_channel_id, 1811 (max_out < 64) ? max_out : 64); 1812 return 64; 1813 } 1814 1815 size_t SSL_get0_certificate_types(SSL *ssl, const uint8_t **out_types) { 1816 if (ssl->server || ssl->s3->hs == NULL) { 1817 *out_types = NULL; 1818 return 0; 1819 } 1820 *out_types = ssl->s3->hs->certificate_types; 1821 return ssl->s3->hs->num_certificate_types; 1822 } 1823 1824 void ssl_update_cache(SSL_HANDSHAKE *hs, int mode) { 1825 SSL *const ssl = hs->ssl; 1826 SSL_CTX *ctx = ssl->session_ctx; 1827 /* Never cache sessions with empty session IDs. */ 1828 if (ssl->s3->established_session->session_id_length == 0 || 1829 (ctx->session_cache_mode & mode) != mode) { 1830 return; 1831 } 1832 1833 /* Clients never use the internal session cache. */ 1834 int use_internal_cache = ssl->server && !(ctx->session_cache_mode & 1835 SSL_SESS_CACHE_NO_INTERNAL_STORE); 1836 1837 /* A client may see new sessions on abbreviated handshakes if the server 1838 * decides to renew the ticket. Once the handshake is completed, it should be 1839 * inserted into the cache. */ 1840 if (ssl->s3->established_session != ssl->session || 1841 (!ssl->server && hs->ticket_expected)) { 1842 if (use_internal_cache) { 1843 SSL_CTX_add_session(ctx, ssl->s3->established_session); 1844 } 1845 if (ctx->new_session_cb != NULL) { 1846 SSL_SESSION_up_ref(ssl->s3->established_session); 1847 if (!ctx->new_session_cb(ssl, ssl->s3->established_session)) { 1848 /* |new_session_cb|'s return value signals whether it took ownership. */ 1849 SSL_SESSION_free(ssl->s3->established_session); 1850 } 1851 } 1852 } 1853 1854 if (use_internal_cache && 1855 !(ctx->session_cache_mode & SSL_SESS_CACHE_NO_AUTO_CLEAR)) { 1856 /* Automatically flush the internal session cache every 255 connections. */ 1857 int flush_cache = 0; 1858 CRYPTO_MUTEX_lock_write(&ctx->lock); 1859 ctx->handshakes_since_cache_flush++; 1860 if (ctx->handshakes_since_cache_flush >= 255) { 1861 flush_cache = 1; 1862 ctx->handshakes_since_cache_flush = 0; 1863 } 1864 CRYPTO_MUTEX_unlock_write(&ctx->lock); 1865 1866 if (flush_cache) { 1867 struct OPENSSL_timeval now; 1868 ssl_get_current_time(ssl, &now); 1869 SSL_CTX_flush_sessions(ctx, now.tv_sec); 1870 } 1871 } 1872 } 1873 1874 static const char *ssl_get_version(int version) { 1875 switch (version) { 1876 /* Report TLS 1.3 draft version as TLS 1.3 in the public API. */ 1877 case TLS1_3_DRAFT_VERSION: 1878 return "TLSv1.3"; 1879 1880 case TLS1_2_VERSION: 1881 return "TLSv1.2"; 1882 1883 case TLS1_1_VERSION: 1884 return "TLSv1.1"; 1885 1886 case TLS1_VERSION: 1887 return "TLSv1"; 1888 1889 case SSL3_VERSION: 1890 return "SSLv3"; 1891 1892 case DTLS1_VERSION: 1893 return "DTLSv1"; 1894 1895 case DTLS1_2_VERSION: 1896 return "DTLSv1.2"; 1897 1898 default: 1899 return "unknown"; 1900 } 1901 } 1902 1903 const char *SSL_get_version(const SSL *ssl) { 1904 return ssl_get_version(ssl->version); 1905 } 1906 1907 const char *SSL_SESSION_get_version(const SSL_SESSION *session) { 1908 return ssl_get_version(session->ssl_version); 1909 } 1910 1911 EVP_PKEY *SSL_get_privatekey(const SSL *ssl) { 1912 if (ssl->cert != NULL) { 1913 return ssl->cert->privatekey; 1914 } 1915 1916 return NULL; 1917 } 1918 1919 EVP_PKEY *SSL_CTX_get0_privatekey(const SSL_CTX *ctx) { 1920 if (ctx->cert != NULL) { 1921 return ctx->cert->privatekey; 1922 } 1923 1924 return NULL; 1925 } 1926 1927 const SSL_CIPHER *SSL_get_current_cipher(const SSL *ssl) { 1928 if (ssl->s3->aead_write_ctx == NULL) { 1929 return NULL; 1930 } 1931 return ssl->s3->aead_write_ctx->cipher; 1932 } 1933 1934 int SSL_session_reused(const SSL *ssl) { 1935 return ssl->s3->session_reused; 1936 } 1937 1938 const COMP_METHOD *SSL_get_current_compression(SSL *ssl) { return NULL; } 1939 1940 const COMP_METHOD *SSL_get_current_expansion(SSL *ssl) { return NULL; } 1941 1942 int *SSL_get_server_tmp_key(SSL *ssl, EVP_PKEY **out_key) { return 0; } 1943 1944 void SSL_CTX_set_quiet_shutdown(SSL_CTX *ctx, int mode) { 1945 ctx->quiet_shutdown = (mode != 0); 1946 } 1947 1948 int SSL_CTX_get_quiet_shutdown(const SSL_CTX *ctx) { 1949 return ctx->quiet_shutdown; 1950 } 1951 1952 void SSL_set_quiet_shutdown(SSL *ssl, int mode) { 1953 ssl->quiet_shutdown = (mode != 0); 1954 } 1955 1956 int SSL_get_quiet_shutdown(const SSL *ssl) { return ssl->quiet_shutdown; } 1957 1958 void SSL_set_shutdown(SSL *ssl, int mode) { 1959 /* It is an error to clear any bits that have already been set. (We can't try 1960 * to get a second close_notify or send two.) */ 1961 assert((SSL_get_shutdown(ssl) & mode) == SSL_get_shutdown(ssl)); 1962 1963 if (mode & SSL_RECEIVED_SHUTDOWN && 1964 ssl->s3->recv_shutdown == ssl_shutdown_none) { 1965 ssl->s3->recv_shutdown = ssl_shutdown_close_notify; 1966 } 1967 1968 if (mode & SSL_SENT_SHUTDOWN && 1969 ssl->s3->send_shutdown == ssl_shutdown_none) { 1970 ssl->s3->send_shutdown = ssl_shutdown_close_notify; 1971 } 1972 } 1973 1974 int SSL_get_shutdown(const SSL *ssl) { 1975 int ret = 0; 1976 if (ssl->s3->recv_shutdown != ssl_shutdown_none) { 1977 /* Historically, OpenSSL set |SSL_RECEIVED_SHUTDOWN| on both close_notify 1978 * and fatal alert. */ 1979 ret |= SSL_RECEIVED_SHUTDOWN; 1980 } 1981 if (ssl->s3->send_shutdown == ssl_shutdown_close_notify) { 1982 /* Historically, OpenSSL set |SSL_SENT_SHUTDOWN| on only close_notify. */ 1983 ret |= SSL_SENT_SHUTDOWN; 1984 } 1985 return ret; 1986 } 1987 1988 int SSL_version(const SSL *ssl) { 1989 /* Report TLS 1.3 draft version as TLS 1.3 in the public API. */ 1990 if (ssl->version == TLS1_3_DRAFT_VERSION) { 1991 return TLS1_3_VERSION; 1992 } 1993 1994 return ssl->version; 1995 } 1996 1997 SSL_CTX *SSL_get_SSL_CTX(const SSL *ssl) { return ssl->ctx; } 1998 1999 SSL_CTX *SSL_set_SSL_CTX(SSL *ssl, SSL_CTX *ctx) { 2000 if (ssl->ctx == ctx) { 2001 return ssl->ctx; 2002 } 2003 2004 /* One cannot change the X.509 callbacks during a connection. */ 2005 if (ssl->ctx->x509_method != ctx->x509_method) { 2006 assert(0); 2007 return NULL; 2008 } 2009 2010 if (ctx == NULL) { 2011 ctx = ssl->session_ctx; 2012 } 2013 2014 ssl_cert_free(ssl->cert); 2015 ssl->cert = ssl_cert_dup(ctx->cert); 2016 2017 SSL_CTX_up_ref(ctx); 2018 SSL_CTX_free(ssl->ctx); 2019 ssl->ctx = ctx; 2020 2021 return ssl->ctx; 2022 } 2023 2024 void SSL_set_info_callback(SSL *ssl, 2025 void (*cb)(const SSL *ssl, int type, int value)) { 2026 ssl->info_callback = cb; 2027 } 2028 2029 void (*SSL_get_info_callback(const SSL *ssl))(const SSL *ssl, int type, 2030 int value) { 2031 return ssl->info_callback; 2032 } 2033 2034 int SSL_state(const SSL *ssl) { 2035 return SSL_in_init(ssl) ? SSL_ST_INIT : SSL_ST_OK; 2036 } 2037 2038 void SSL_set_state(SSL *ssl, int state) { } 2039 2040 char *SSL_get_shared_ciphers(const SSL *ssl, char *buf, int len) { 2041 if (len <= 0) { 2042 return NULL; 2043 } 2044 buf[0] = '\0'; 2045 return buf; 2046 } 2047 2048 int SSL_get_ex_new_index(long argl, void *argp, CRYPTO_EX_unused *unused, 2049 CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func) { 2050 int index; 2051 if (!CRYPTO_get_ex_new_index(&g_ex_data_class_ssl, &index, argl, argp, 2052 dup_func, free_func)) { 2053 return -1; 2054 } 2055 return index; 2056 } 2057 2058 int SSL_set_ex_data(SSL *ssl, int idx, void *arg) { 2059 return CRYPTO_set_ex_data(&ssl->ex_data, idx, arg); 2060 } 2061 2062 void *SSL_get_ex_data(const SSL *ssl, int idx) { 2063 return CRYPTO_get_ex_data(&ssl->ex_data, idx); 2064 } 2065 2066 int SSL_CTX_get_ex_new_index(long argl, void *argp, CRYPTO_EX_unused *unused, 2067 CRYPTO_EX_dup *dup_func, 2068 CRYPTO_EX_free *free_func) { 2069 int index; 2070 if (!CRYPTO_get_ex_new_index(&g_ex_data_class_ssl_ctx, &index, argl, argp, 2071 dup_func, free_func)) { 2072 return -1; 2073 } 2074 return index; 2075 } 2076 2077 int SSL_CTX_set_ex_data(SSL_CTX *ctx, int idx, void *arg) { 2078 return CRYPTO_set_ex_data(&ctx->ex_data, idx, arg); 2079 } 2080 2081 void *SSL_CTX_get_ex_data(const SSL_CTX *ctx, int idx) { 2082 return CRYPTO_get_ex_data(&ctx->ex_data, idx); 2083 } 2084 2085 int SSL_want(const SSL *ssl) { return ssl->rwstate; } 2086 2087 void SSL_CTX_set_tmp_rsa_callback(SSL_CTX *ctx, 2088 RSA *(*cb)(SSL *ssl, int is_export, 2089 int keylength)) { 2090 } 2091 2092 void SSL_set_tmp_rsa_callback(SSL *ssl, RSA *(*cb)(SSL *ssl, int is_export, 2093 int keylength)) { 2094 } 2095 2096 void SSL_CTX_set_tmp_dh_callback(SSL_CTX *ctx, 2097 DH *(*callback)(SSL *ssl, int is_export, 2098 int keylength)) { 2099 ctx->cert->dh_tmp_cb = callback; 2100 } 2101 2102 void SSL_set_tmp_dh_callback(SSL *ssl, DH *(*callback)(SSL *ssl, int is_export, 2103 int keylength)) { 2104 ssl->cert->dh_tmp_cb = callback; 2105 } 2106 2107 int SSL_CTX_use_psk_identity_hint(SSL_CTX *ctx, const char *identity_hint) { 2108 if (identity_hint != NULL && strlen(identity_hint) > PSK_MAX_IDENTITY_LEN) { 2109 OPENSSL_PUT_ERROR(SSL, SSL_R_DATA_LENGTH_TOO_LONG); 2110 return 0; 2111 } 2112 2113 OPENSSL_free(ctx->psk_identity_hint); 2114 2115 if (identity_hint != NULL) { 2116 ctx->psk_identity_hint = BUF_strdup(identity_hint); 2117 if (ctx->psk_identity_hint == NULL) { 2118 return 0; 2119 } 2120 } else { 2121 ctx->psk_identity_hint = NULL; 2122 } 2123 2124 return 1; 2125 } 2126 2127 int SSL_use_psk_identity_hint(SSL *ssl, const char *identity_hint) { 2128 if (ssl == NULL) { 2129 return 0; 2130 } 2131 2132 if (identity_hint != NULL && strlen(identity_hint) > PSK_MAX_IDENTITY_LEN) { 2133 OPENSSL_PUT_ERROR(SSL, SSL_R_DATA_LENGTH_TOO_LONG); 2134 return 0; 2135 } 2136 2137 /* Clear currently configured hint, if any. */ 2138 OPENSSL_free(ssl->psk_identity_hint); 2139 ssl->psk_identity_hint = NULL; 2140 2141 /* Treat the empty hint as not supplying one. Plain PSK makes it possible to 2142 * send either no hint (omit ServerKeyExchange) or an empty hint, while 2143 * ECDHE_PSK can only spell empty hint. Having different capabilities is odd, 2144 * so we interpret empty and missing as identical. */ 2145 if (identity_hint != NULL && identity_hint[0] != '\0') { 2146 ssl->psk_identity_hint = BUF_strdup(identity_hint); 2147 if (ssl->psk_identity_hint == NULL) { 2148 return 0; 2149 } 2150 } 2151 2152 return 1; 2153 } 2154 2155 const char *SSL_get_psk_identity_hint(const SSL *ssl) { 2156 if (ssl == NULL) { 2157 return NULL; 2158 } 2159 return ssl->psk_identity_hint; 2160 } 2161 2162 const char *SSL_get_psk_identity(const SSL *ssl) { 2163 if (ssl == NULL) { 2164 return NULL; 2165 } 2166 SSL_SESSION *session = SSL_get_session(ssl); 2167 if (session == NULL) { 2168 return NULL; 2169 } 2170 return session->psk_identity; 2171 } 2172 2173 void SSL_set_psk_client_callback( 2174 SSL *ssl, unsigned (*cb)(SSL *ssl, const char *hint, char *identity, 2175 unsigned max_identity_len, uint8_t *psk, 2176 unsigned max_psk_len)) { 2177 ssl->psk_client_callback = cb; 2178 } 2179 2180 void SSL_CTX_set_psk_client_callback( 2181 SSL_CTX *ctx, unsigned (*cb)(SSL *ssl, const char *hint, char *identity, 2182 unsigned max_identity_len, uint8_t *psk, 2183 unsigned max_psk_len)) { 2184 ctx->psk_client_callback = cb; 2185 } 2186 2187 void SSL_set_psk_server_callback( 2188 SSL *ssl, unsigned (*cb)(SSL *ssl, const char *identity, uint8_t *psk, 2189 unsigned max_psk_len)) { 2190 ssl->psk_server_callback = cb; 2191 } 2192 2193 void SSL_CTX_set_psk_server_callback( 2194 SSL_CTX *ctx, unsigned (*cb)(SSL *ssl, const char *identity, 2195 uint8_t *psk, unsigned max_psk_len)) { 2196 ctx->psk_server_callback = cb; 2197 } 2198 2199 void SSL_CTX_set_msg_callback(SSL_CTX *ctx, 2200 void (*cb)(int write_p, int version, 2201 int content_type, const void *buf, 2202 size_t len, SSL *ssl, void *arg)) { 2203 ctx->msg_callback = cb; 2204 } 2205 2206 void SSL_CTX_set_msg_callback_arg(SSL_CTX *ctx, void *arg) { 2207 ctx->msg_callback_arg = arg; 2208 } 2209 2210 void SSL_set_msg_callback(SSL *ssl, 2211 void (*cb)(int write_p, int version, int content_type, 2212 const void *buf, size_t len, SSL *ssl, 2213 void *arg)) { 2214 ssl->msg_callback = cb; 2215 } 2216 2217 void SSL_set_msg_callback_arg(SSL *ssl, void *arg) { 2218 ssl->msg_callback_arg = arg; 2219 } 2220 2221 void SSL_CTX_set_keylog_callback(SSL_CTX *ctx, 2222 void (*cb)(const SSL *ssl, const char *line)) { 2223 ctx->keylog_callback = cb; 2224 } 2225 2226 void (*SSL_CTX_get_keylog_callback(const SSL_CTX *ctx))(const SSL *ssl, 2227 const char *line) { 2228 return ctx->keylog_callback; 2229 } 2230 2231 void SSL_CTX_set_current_time_cb(SSL_CTX *ctx, 2232 void (*cb)(const SSL *ssl, 2233 struct timeval *out_clock)) { 2234 ctx->current_time_cb = cb; 2235 } 2236 2237 static int cbb_add_hex(CBB *cbb, const uint8_t *in, size_t in_len) { 2238 static const char hextable[] = "0123456789abcdef"; 2239 uint8_t *out; 2240 2241 if (!CBB_add_space(cbb, &out, in_len * 2)) { 2242 return 0; 2243 } 2244 2245 for (size_t i = 0; i < in_len; i++) { 2246 *(out++) = (uint8_t)hextable[in[i] >> 4]; 2247 *(out++) = (uint8_t)hextable[in[i] & 0xf]; 2248 } 2249 2250 return 1; 2251 } 2252 2253 int ssl_log_secret(const SSL *ssl, const char *label, const uint8_t *secret, 2254 size_t secret_len) { 2255 if (ssl->ctx->keylog_callback == NULL) { 2256 return 1; 2257 } 2258 2259 CBB cbb; 2260 uint8_t *out; 2261 size_t out_len; 2262 if (!CBB_init(&cbb, strlen(label) + 1 + SSL3_RANDOM_SIZE * 2 + 1 + 2263 secret_len * 2 + 1) || 2264 !CBB_add_bytes(&cbb, (const uint8_t *)label, strlen(label)) || 2265 !CBB_add_bytes(&cbb, (const uint8_t *)" ", 1) || 2266 !cbb_add_hex(&cbb, ssl->s3->client_random, SSL3_RANDOM_SIZE) || 2267 !CBB_add_bytes(&cbb, (const uint8_t *)" ", 1) || 2268 !cbb_add_hex(&cbb, secret, secret_len) || 2269 !CBB_add_u8(&cbb, 0 /* NUL */) || 2270 !CBB_finish(&cbb, &out, &out_len)) { 2271 CBB_cleanup(&cbb); 2272 return 0; 2273 } 2274 2275 ssl->ctx->keylog_callback(ssl, (const char *)out); 2276 OPENSSL_free(out); 2277 return 1; 2278 } 2279 2280 int SSL_is_init_finished(const SSL *ssl) { 2281 return !SSL_in_init(ssl); 2282 } 2283 2284 int SSL_in_init(const SSL *ssl) { 2285 SSL_HANDSHAKE *hs = ssl->s3->hs; 2286 return hs != NULL && hs->state != SSL_ST_OK; 2287 } 2288 2289 int SSL_in_false_start(const SSL *ssl) { 2290 if (ssl->s3->hs == NULL) { 2291 return 0; 2292 } 2293 return ssl->s3->hs->in_false_start; 2294 } 2295 2296 int SSL_cutthrough_complete(const SSL *ssl) { 2297 return SSL_in_false_start(ssl); 2298 } 2299 2300 void SSL_get_structure_sizes(size_t *ssl_size, size_t *ssl_ctx_size, 2301 size_t *ssl_session_size) { 2302 *ssl_size = sizeof(SSL); 2303 *ssl_ctx_size = sizeof(SSL_CTX); 2304 *ssl_session_size = sizeof(SSL_SESSION); 2305 } 2306 2307 int ssl3_can_false_start(const SSL *ssl) { 2308 const SSL_CIPHER *const cipher = SSL_get_current_cipher(ssl); 2309 2310 /* False Start only for TLS 1.2 with an ECDHE+AEAD cipher and ALPN or NPN. */ 2311 return !SSL_is_dtls(ssl) && 2312 SSL_version(ssl) == TLS1_2_VERSION && 2313 (ssl->s3->alpn_selected != NULL || 2314 ssl->s3->next_proto_negotiated != NULL) && 2315 cipher != NULL && 2316 cipher->algorithm_mkey == SSL_kECDHE && 2317 cipher->algorithm_mac == SSL_AEAD; 2318 } 2319 2320 const struct { 2321 uint16_t version; 2322 uint32_t flag; 2323 } kVersions[] = { 2324 {SSL3_VERSION, SSL_OP_NO_SSLv3}, 2325 {TLS1_VERSION, SSL_OP_NO_TLSv1}, 2326 {TLS1_1_VERSION, SSL_OP_NO_TLSv1_1}, 2327 {TLS1_2_VERSION, SSL_OP_NO_TLSv1_2}, 2328 {TLS1_3_VERSION, SSL_OP_NO_TLSv1_3}, 2329 }; 2330 2331 static const size_t kVersionsLen = OPENSSL_ARRAY_SIZE(kVersions); 2332 2333 int ssl_get_version_range(const SSL *ssl, uint16_t *out_min_version, 2334 uint16_t *out_max_version) { 2335 /* For historical reasons, |SSL_OP_NO_DTLSv1| aliases |SSL_OP_NO_TLSv1|, but 2336 * DTLS 1.0 should be mapped to TLS 1.1. */ 2337 uint32_t options = ssl->options; 2338 if (SSL_is_dtls(ssl)) { 2339 options &= ~SSL_OP_NO_TLSv1_1; 2340 if (options & SSL_OP_NO_DTLSv1) { 2341 options |= SSL_OP_NO_TLSv1_1; 2342 } 2343 } 2344 2345 uint16_t min_version = ssl->min_version; 2346 uint16_t max_version = ssl->max_version; 2347 2348 /* Bound the range to only those implemented in this protocol. */ 2349 if (min_version < ssl->method->min_version) { 2350 min_version = ssl->method->min_version; 2351 } 2352 if (max_version > ssl->method->max_version) { 2353 max_version = ssl->method->max_version; 2354 } 2355 2356 /* OpenSSL's API for controlling versions entails blacklisting individual 2357 * protocols. This has two problems. First, on the client, the protocol can 2358 * only express a contiguous range of versions. Second, a library consumer 2359 * trying to set a maximum version cannot disable protocol versions that get 2360 * added in a future version of the library. 2361 * 2362 * To account for both of these, OpenSSL interprets the client-side bitmask 2363 * as a min/max range by picking the lowest contiguous non-empty range of 2364 * enabled protocols. Note that this means it is impossible to set a maximum 2365 * version of the higest supported TLS version in a future-proof way. */ 2366 int any_enabled = 0; 2367 for (size_t i = 0; i < kVersionsLen; i++) { 2368 /* Only look at the versions already enabled. */ 2369 if (min_version > kVersions[i].version) { 2370 continue; 2371 } 2372 if (max_version < kVersions[i].version) { 2373 break; 2374 } 2375 2376 if (!(options & kVersions[i].flag)) { 2377 /* The minimum version is the first enabled version. */ 2378 if (!any_enabled) { 2379 any_enabled = 1; 2380 min_version = kVersions[i].version; 2381 } 2382 continue; 2383 } 2384 2385 /* If there is a disabled version after the first enabled one, all versions 2386 * after it are implicitly disabled. */ 2387 if (any_enabled) { 2388 max_version = kVersions[i-1].version; 2389 break; 2390 } 2391 } 2392 2393 if (!any_enabled) { 2394 OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_SSL_VERSION); 2395 return 0; 2396 } 2397 2398 *out_min_version = min_version; 2399 *out_max_version = max_version; 2400 return 1; 2401 } 2402 2403 uint16_t ssl3_protocol_version(const SSL *ssl) { 2404 assert(ssl->s3->have_version); 2405 uint16_t version; 2406 if (!ssl->method->version_from_wire(&version, ssl->version)) { 2407 /* TODO(davidben): Use the internal version representation for ssl->version 2408 * and map to the public API representation at API boundaries. */ 2409 assert(0); 2410 return 0; 2411 } 2412 2413 return version; 2414 } 2415 2416 int SSL_is_server(const SSL *ssl) { return ssl->server; } 2417 2418 int SSL_is_dtls(const SSL *ssl) { return ssl->method->is_dtls; } 2419 2420 void SSL_CTX_set_select_certificate_cb( 2421 SSL_CTX *ctx, 2422 enum ssl_select_cert_result_t (*cb)(const SSL_CLIENT_HELLO *)) { 2423 ctx->select_certificate_cb = cb; 2424 } 2425 2426 void SSL_CTX_set_dos_protection_cb(SSL_CTX *ctx, 2427 int (*cb)(const SSL_CLIENT_HELLO *)) { 2428 ctx->dos_protection_cb = cb; 2429 } 2430 2431 void SSL_set_renegotiate_mode(SSL *ssl, enum ssl_renegotiate_mode_t mode) { 2432 ssl->renegotiate_mode = mode; 2433 } 2434 2435 int SSL_get_ivs(const SSL *ssl, const uint8_t **out_read_iv, 2436 const uint8_t **out_write_iv, size_t *out_iv_len) { 2437 if (ssl->s3->aead_read_ctx == NULL || ssl->s3->aead_write_ctx == NULL) { 2438 return 0; 2439 } 2440 2441 size_t write_iv_len; 2442 if (!EVP_AEAD_CTX_get_iv(&ssl->s3->aead_read_ctx->ctx, out_read_iv, 2443 out_iv_len) || 2444 !EVP_AEAD_CTX_get_iv(&ssl->s3->aead_write_ctx->ctx, out_write_iv, 2445 &write_iv_len) || 2446 *out_iv_len != write_iv_len) { 2447 return 0; 2448 } 2449 2450 return 1; 2451 } 2452 2453 static uint64_t be_to_u64(const uint8_t in[8]) { 2454 return (((uint64_t)in[0]) << 56) | (((uint64_t)in[1]) << 48) | 2455 (((uint64_t)in[2]) << 40) | (((uint64_t)in[3]) << 32) | 2456 (((uint64_t)in[4]) << 24) | (((uint64_t)in[5]) << 16) | 2457 (((uint64_t)in[6]) << 8) | ((uint64_t)in[7]); 2458 } 2459 2460 uint64_t SSL_get_read_sequence(const SSL *ssl) { 2461 /* TODO(davidben): Internally represent sequence numbers as uint64_t. */ 2462 if (SSL_is_dtls(ssl)) { 2463 /* max_seq_num already includes the epoch. */ 2464 assert(ssl->d1->r_epoch == (ssl->d1->bitmap.max_seq_num >> 48)); 2465 return ssl->d1->bitmap.max_seq_num; 2466 } 2467 return be_to_u64(ssl->s3->read_sequence); 2468 } 2469 2470 uint64_t SSL_get_write_sequence(const SSL *ssl) { 2471 uint64_t ret = be_to_u64(ssl->s3->write_sequence); 2472 if (SSL_is_dtls(ssl)) { 2473 assert((ret >> 48) == 0); 2474 ret |= ((uint64_t)ssl->d1->w_epoch) << 48; 2475 } 2476 return ret; 2477 } 2478 2479 uint16_t SSL_get_peer_signature_algorithm(const SSL *ssl) { 2480 /* TODO(davidben): This checks the wrong session if there is a renegotiation 2481 * in progress. */ 2482 SSL_SESSION *session = SSL_get_session(ssl); 2483 if (session == NULL) { 2484 return 0; 2485 } 2486 2487 return session->peer_signature_algorithm; 2488 } 2489 2490 size_t SSL_get_client_random(const SSL *ssl, uint8_t *out, size_t max_out) { 2491 if (max_out == 0) { 2492 return sizeof(ssl->s3->client_random); 2493 } 2494 if (max_out > sizeof(ssl->s3->client_random)) { 2495 max_out = sizeof(ssl->s3->client_random); 2496 } 2497 OPENSSL_memcpy(out, ssl->s3->client_random, max_out); 2498 return max_out; 2499 } 2500 2501 size_t SSL_get_server_random(const SSL *ssl, uint8_t *out, size_t max_out) { 2502 if (max_out == 0) { 2503 return sizeof(ssl->s3->server_random); 2504 } 2505 if (max_out > sizeof(ssl->s3->server_random)) { 2506 max_out = sizeof(ssl->s3->server_random); 2507 } 2508 OPENSSL_memcpy(out, ssl->s3->server_random, max_out); 2509 return max_out; 2510 } 2511 2512 const SSL_CIPHER *SSL_get_pending_cipher(const SSL *ssl) { 2513 SSL_HANDSHAKE *hs = ssl->s3->hs; 2514 if (hs == NULL) { 2515 return NULL; 2516 } 2517 return hs->new_cipher; 2518 } 2519 2520 void SSL_set_retain_only_sha256_of_client_certs(SSL *ssl, int enabled) { 2521 ssl->retain_only_sha256_of_client_certs = !!enabled; 2522 } 2523 2524 void SSL_CTX_set_retain_only_sha256_of_client_certs(SSL_CTX *ctx, int enabled) { 2525 ctx->retain_only_sha256_of_client_certs = !!enabled; 2526 } 2527 2528 void SSL_CTX_set_grease_enabled(SSL_CTX *ctx, int enabled) { 2529 ctx->grease_enabled = !!enabled; 2530 } 2531 2532 int32_t SSL_get_ticket_age_skew(const SSL *ssl) { 2533 return ssl->s3->ticket_age_skew; 2534 } 2535 2536 int SSL_clear(SSL *ssl) { 2537 /* In OpenSSL, reusing a client |SSL| with |SSL_clear| causes the previously 2538 * established session to be offered the next time around. wpa_supplicant 2539 * depends on this behavior, so emulate it. */ 2540 SSL_SESSION *session = NULL; 2541 if (!ssl->server && ssl->s3->established_session != NULL) { 2542 session = ssl->s3->established_session; 2543 SSL_SESSION_up_ref(session); 2544 } 2545 2546 /* TODO(davidben): Some state on |ssl| is reset both in |SSL_new| and 2547 * |SSL_clear| because it is per-connection state rather than configuration 2548 * state. Per-connection state should be on |ssl->s3| and |ssl->d1| so it is 2549 * naturally reset at the right points between |SSL_new|, |SSL_clear|, and 2550 * |ssl3_new|. */ 2551 2552 ssl->rwstate = SSL_NOTHING; 2553 2554 BUF_MEM_free(ssl->init_buf); 2555 ssl->init_buf = NULL; 2556 ssl->init_msg = NULL; 2557 ssl->init_num = 0; 2558 2559 /* The ssl->d1->mtu is simultaneously configuration (preserved across 2560 * clear) and connection-specific state (gets reset). 2561 * 2562 * TODO(davidben): Avoid this. */ 2563 unsigned mtu = 0; 2564 if (ssl->d1 != NULL) { 2565 mtu = ssl->d1->mtu; 2566 } 2567 2568 ssl->method->ssl_free(ssl); 2569 if (!ssl->method->ssl_new(ssl)) { 2570 SSL_SESSION_free(session); 2571 return 0; 2572 } 2573 2574 if (SSL_is_dtls(ssl) && (SSL_get_options(ssl) & SSL_OP_NO_QUERY_MTU)) { 2575 ssl->d1->mtu = mtu; 2576 } 2577 2578 if (session != NULL) { 2579 SSL_set_session(ssl, session); 2580 SSL_SESSION_free(session); 2581 } 2582 2583 return 1; 2584 } 2585 2586 void ssl_do_info_callback(const SSL *ssl, int type, int value) { 2587 void (*cb)(const SSL *ssl, int type, int value) = NULL; 2588 if (ssl->info_callback != NULL) { 2589 cb = ssl->info_callback; 2590 } else if (ssl->ctx->info_callback != NULL) { 2591 cb = ssl->ctx->info_callback; 2592 } 2593 2594 if (cb != NULL) { 2595 cb(ssl, type, value); 2596 } 2597 } 2598 2599 void ssl_do_msg_callback(SSL *ssl, int is_write, int content_type, 2600 const void *buf, size_t len) { 2601 if (ssl->msg_callback == NULL) { 2602 return; 2603 } 2604 2605 /* |version| is zero when calling for |SSL3_RT_HEADER| and |SSL2_VERSION| for 2606 * a V2ClientHello. */ 2607 int version; 2608 switch (content_type) { 2609 case 0: 2610 /* V2ClientHello */ 2611 version = SSL2_VERSION; 2612 break; 2613 case SSL3_RT_HEADER: 2614 version = 0; 2615 break; 2616 default: 2617 version = SSL_version(ssl); 2618 } 2619 2620 ssl->msg_callback(is_write, version, content_type, buf, len, ssl, 2621 ssl->msg_callback_arg); 2622 } 2623 2624 int SSL_CTX_sess_connect(const SSL_CTX *ctx) { return 0; } 2625 int SSL_CTX_sess_connect_good(const SSL_CTX *ctx) { return 0; } 2626 int SSL_CTX_sess_connect_renegotiate(const SSL_CTX *ctx) { return 0; } 2627 int SSL_CTX_sess_accept(const SSL_CTX *ctx) { return 0; } 2628 int SSL_CTX_sess_accept_renegotiate(const SSL_CTX *ctx) { return 0; } 2629 int SSL_CTX_sess_accept_good(const SSL_CTX *ctx) { return 0; } 2630 int SSL_CTX_sess_hits(const SSL_CTX *ctx) { return 0; } 2631 int SSL_CTX_sess_cb_hits(const SSL_CTX *ctx) { return 0; } 2632 int SSL_CTX_sess_misses(const SSL_CTX *ctx) { return 0; } 2633 int SSL_CTX_sess_timeouts(const SSL_CTX *ctx) { return 0; } 2634 int SSL_CTX_sess_cache_full(const SSL_CTX *ctx) { return 0; } 2635 2636 int SSL_num_renegotiations(const SSL *ssl) { 2637 return SSL_total_renegotiations(ssl); 2638 } 2639 2640 int SSL_CTX_need_tmp_RSA(const SSL_CTX *ctx) { return 0; } 2641 int SSL_need_tmp_RSA(const SSL *ssl) { return 0; } 2642 int SSL_CTX_set_tmp_rsa(SSL_CTX *ctx, const RSA *rsa) { return 1; } 2643 int SSL_set_tmp_rsa(SSL *ssl, const RSA *rsa) { return 1; } 2644 void ERR_load_SSL_strings(void) {} 2645 void SSL_load_error_strings(void) {} 2646 int SSL_cache_hit(SSL *ssl) { return SSL_session_reused(ssl); } 2647 2648 int SSL_CTX_set_tmp_ecdh(SSL_CTX *ctx, const EC_KEY *ec_key) { 2649 if (ec_key == NULL || EC_KEY_get0_group(ec_key) == NULL) { 2650 OPENSSL_PUT_ERROR(SSL, ERR_R_PASSED_NULL_PARAMETER); 2651 return 0; 2652 } 2653 int nid = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec_key)); 2654 return SSL_CTX_set1_curves(ctx, &nid, 1); 2655 } 2656 2657 int SSL_set_tmp_ecdh(SSL *ssl, const EC_KEY *ec_key) { 2658 if (ec_key == NULL || EC_KEY_get0_group(ec_key) == NULL) { 2659 OPENSSL_PUT_ERROR(SSL, ERR_R_PASSED_NULL_PARAMETER); 2660 return 0; 2661 } 2662 int nid = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec_key)); 2663 return SSL_set1_curves(ssl, &nid, 1); 2664 } 2665 2666 void ssl_get_current_time(const SSL *ssl, struct OPENSSL_timeval *out_clock) { 2667 if (ssl->ctx->current_time_cb != NULL) { 2668 /* TODO(davidben): Update current_time_cb to use OPENSSL_timeval. See 2669 * https://crbug.com/boringssl/155. */ 2670 struct timeval clock; 2671 ssl->ctx->current_time_cb(ssl, &clock); 2672 if (clock.tv_sec < 0) { 2673 assert(0); 2674 out_clock->tv_sec = 0; 2675 out_clock->tv_usec = 0; 2676 } else { 2677 out_clock->tv_sec = (uint64_t)clock.tv_sec; 2678 out_clock->tv_usec = (uint32_t)clock.tv_usec; 2679 } 2680 return; 2681 } 2682 2683 #if defined(BORINGSSL_UNSAFE_DETERMINISTIC_MODE) 2684 out_clock->tv_sec = 1234; 2685 out_clock->tv_usec = 1234; 2686 #elif defined(OPENSSL_WINDOWS) 2687 struct _timeb time; 2688 _ftime(&time); 2689 if (time.time < 0) { 2690 assert(0); 2691 out_clock->tv_sec = 0; 2692 out_clock->tv_usec = 0; 2693 } else { 2694 out_clock->tv_sec = time.time; 2695 out_clock->tv_usec = time.millitm * 1000; 2696 } 2697 #else 2698 struct timeval clock; 2699 gettimeofday(&clock, NULL); 2700 if (clock.tv_sec < 0) { 2701 assert(0); 2702 out_clock->tv_sec = 0; 2703 out_clock->tv_usec = 0; 2704 } else { 2705 out_clock->tv_sec = (uint64_t)clock.tv_sec; 2706 out_clock->tv_usec = (uint32_t)clock.tv_usec; 2707 } 2708 #endif 2709 } 2710 2711 int SSL_CTX_set_min_version(SSL_CTX *ctx, uint16_t version) { 2712 return SSL_CTX_set_min_proto_version(ctx, version); 2713 } 2714 2715 int SSL_CTX_set_max_version(SSL_CTX *ctx, uint16_t version) { 2716 return SSL_CTX_set_max_proto_version(ctx, version); 2717 } 2718 2719 int SSL_set_min_version(SSL *ssl, uint16_t version) { 2720 return SSL_set_min_proto_version(ssl, version); 2721 } 2722 2723 int SSL_set_max_version(SSL *ssl, uint16_t version) { 2724 return SSL_set_max_proto_version(ssl, version); 2725 } 2726 2727 void SSL_CTX_set_ticket_aead_method(SSL_CTX *ctx, 2728 const SSL_TICKET_AEAD_METHOD *aead_method) { 2729 ctx->ticket_aead_method = aead_method; 2730 } 2731