1 /* Copyright (C) 1995-1998 Eric Young (eay (at) cryptsoft.com) 2 * All rights reserved. 3 * 4 * This package is an SSL implementation written 5 * by Eric Young (eay (at) cryptsoft.com). 6 * The implementation was written so as to conform with Netscapes SSL. 7 * 8 * This library is free for commercial and non-commercial use as long as 9 * the following conditions are aheared to. The following conditions 10 * apply to all code found in this distribution, be it the RC4, RSA, 11 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 12 * included with this distribution is covered by the same copyright terms 13 * except that the holder is Tim Hudson (tjh (at) cryptsoft.com). 14 * 15 * Copyright remains Eric Young's, and as such any Copyright notices in 16 * the code are not to be removed. 17 * If this package is used in a product, Eric Young should be given attribution 18 * as the author of the parts of the library used. 19 * This can be in the form of a textual message at program startup or 20 * in documentation (online or textual) provided with the package. 21 * 22 * Redistribution and use in source and binary forms, with or without 23 * modification, are permitted provided that the following conditions 24 * are met: 25 * 1. Redistributions of source code must retain the copyright 26 * notice, this list of conditions and the following disclaimer. 27 * 2. Redistributions in binary form must reproduce the above copyright 28 * notice, this list of conditions and the following disclaimer in the 29 * documentation and/or other materials provided with the distribution. 30 * 3. All advertising materials mentioning features or use of this software 31 * must display the following acknowledgement: 32 * "This product includes cryptographic software written by 33 * Eric Young (eay (at) cryptsoft.com)" 34 * The word 'cryptographic' can be left out if the rouines from the library 35 * being used are not cryptographic related :-). 36 * 4. If you include any Windows specific code (or a derivative thereof) from 37 * the apps directory (application code) you must include an acknowledgement: 38 * "This product includes software written by Tim Hudson (tjh (at) cryptsoft.com)" 39 * 40 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 41 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 43 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 44 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 45 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 46 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 48 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 49 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 50 * SUCH DAMAGE. 51 * 52 * The licence and distribution terms for any publically available version or 53 * derivative of this code cannot be changed. i.e. this code cannot simply be 54 * copied and put under another distribution licence 55 * [including the GNU Public Licence.] 56 */ 57 /* ==================================================================== 58 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved. 59 * 60 * Redistribution and use in source and binary forms, with or without 61 * modification, are permitted provided that the following conditions 62 * are met: 63 * 64 * 1. Redistributions of source code must retain the above copyright 65 * notice, this list of conditions and the following disclaimer. 66 * 67 * 2. Redistributions in binary form must reproduce the above copyright 68 * notice, this list of conditions and the following disclaimer in 69 * the documentation and/or other materials provided with the 70 * distribution. 71 * 72 * 3. All advertising materials mentioning features or use of this 73 * software must display the following acknowledgment: 74 * "This product includes software developed by the OpenSSL Project 75 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 76 * 77 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 78 * endorse or promote products derived from this software without 79 * prior written permission. For written permission, please contact 80 * openssl-core (at) openssl.org. 81 * 82 * 5. Products derived from this software may not be called "OpenSSL" 83 * nor may "OpenSSL" appear in their names without prior written 84 * permission of the OpenSSL Project. 85 * 86 * 6. Redistributions of any form whatsoever must retain the following 87 * acknowledgment: 88 * "This product includes software developed by the OpenSSL Project 89 * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 90 * 91 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 92 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 93 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 94 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 95 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 96 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 97 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 98 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 99 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 100 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 101 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 102 * OF THE POSSIBILITY OF SUCH DAMAGE. 103 * ==================================================================== 104 * 105 * This product includes cryptographic software written by Eric Young 106 * (eay (at) cryptsoft.com). This product includes software written by Tim 107 * Hudson (tjh (at) cryptsoft.com). 108 * 109 */ 110 /* ==================================================================== 111 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. 112 * ECC cipher suite support in OpenSSL originally developed by 113 * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project. 114 */ 115 /* ==================================================================== 116 * Copyright 2005 Nokia. All rights reserved. 117 * 118 * The portions of the attached software ("Contribution") is developed by 119 * Nokia Corporation and is licensed pursuant to the OpenSSL open source 120 * license. 121 * 122 * The Contribution, originally written by Mika Kousa and Pasi Eronen of 123 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites 124 * support (see RFC 4279) to OpenSSL. 125 * 126 * No patent licenses or other rights except those expressly stated in 127 * the OpenSSL open source license shall be deemed granted or received 128 * expressly, by implication, estoppel, or otherwise. 129 * 130 * No assurances are provided by Nokia that the Contribution does not 131 * infringe the patent or other intellectual property rights of any third 132 * party or that the license provides you with all the necessary rights 133 * to make use of the Contribution. 134 * 135 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN 136 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA 137 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY 138 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR 139 * OTHERWISE. 140 */ 141 142 #ifndef OPENSSL_HEADER_SSL_INTERNAL_H 143 #define OPENSSL_HEADER_SSL_INTERNAL_H 144 145 #include <openssl/base.h> 146 147 #include <openssl/aead.h> 148 #include <openssl/ssl.h> 149 #include <openssl/stack.h> 150 151 152 #if defined(OPENSSL_WINDOWS) 153 /* Windows defines struct timeval in winsock2.h. */ 154 OPENSSL_MSVC_PRAGMA(warning(push, 3)) 155 #include <winsock2.h> 156 OPENSSL_MSVC_PRAGMA(warning(pop)) 157 #else 158 #include <sys/time.h> 159 #endif 160 161 #if defined(__cplusplus) 162 extern "C" { 163 #endif 164 165 166 /* Cipher suites. */ 167 168 /* Bits for |algorithm_mkey| (key exchange algorithm). */ 169 #define SSL_kRSA 0x00000001L 170 #define SSL_kDHE 0x00000002L 171 #define SSL_kECDHE 0x00000004L 172 /* SSL_kPSK is only set for plain PSK, not ECDHE_PSK. */ 173 #define SSL_kPSK 0x00000008L 174 #define SSL_kGENERIC 0x00000010L 175 176 /* Bits for |algorithm_auth| (server authentication). */ 177 #define SSL_aRSA 0x00000001L 178 #define SSL_aECDSA 0x00000002L 179 /* SSL_aPSK is set for both PSK and ECDHE_PSK. */ 180 #define SSL_aPSK 0x00000004L 181 #define SSL_aGENERIC 0x00000008L 182 183 #define SSL_aCERT (SSL_aRSA | SSL_aECDSA) 184 185 /* Bits for |algorithm_enc| (symmetric encryption). */ 186 #define SSL_3DES 0x00000001L 187 #define SSL_AES128 0x00000002L 188 #define SSL_AES256 0x00000004L 189 #define SSL_AES128GCM 0x00000008L 190 #define SSL_AES256GCM 0x00000010L 191 #define SSL_eNULL 0x00000020L 192 #define SSL_CHACHA20POLY1305 0x00000040L 193 194 #define SSL_AES (SSL_AES128 | SSL_AES256 | SSL_AES128GCM | SSL_AES256GCM) 195 196 /* Bits for |algorithm_mac| (symmetric authentication). */ 197 #define SSL_SHA1 0x00000001L 198 #define SSL_SHA256 0x00000002L 199 #define SSL_SHA384 0x00000004L 200 /* SSL_AEAD is set for all AEADs. */ 201 #define SSL_AEAD 0x00000008L 202 203 /* Bits for |algorithm_prf| (handshake digest). */ 204 #define SSL_HANDSHAKE_MAC_DEFAULT 0x1 205 #define SSL_HANDSHAKE_MAC_SHA256 0x2 206 #define SSL_HANDSHAKE_MAC_SHA384 0x4 207 208 /* SSL_MAX_DIGEST is the number of digest types which exist. When adding a new 209 * one, update the table in ssl_cipher.c. */ 210 #define SSL_MAX_DIGEST 4 211 212 /* ssl_cipher_get_evp_aead sets |*out_aead| to point to the correct EVP_AEAD 213 * object for |cipher| protocol version |version|. It sets |*out_mac_secret_len| 214 * and |*out_fixed_iv_len| to the MAC key length and fixed IV length, 215 * respectively. The MAC key length is zero except for legacy block and stream 216 * ciphers. It returns 1 on success and 0 on error. */ 217 int ssl_cipher_get_evp_aead(const EVP_AEAD **out_aead, 218 size_t *out_mac_secret_len, 219 size_t *out_fixed_iv_len, 220 const SSL_CIPHER *cipher, uint16_t version); 221 222 /* ssl_get_handshake_digest returns the |EVP_MD| corresponding to 223 * |algorithm_prf| and the |version|. */ 224 const EVP_MD *ssl_get_handshake_digest(uint32_t algorithm_prf, 225 uint16_t version); 226 227 /* ssl_create_cipher_list evaluates |rule_str| according to the ciphers in 228 * |ssl_method|. It sets |*out_cipher_list| to a newly-allocated 229 * |ssl_cipher_preference_list_st| containing the result. It returns 1 on 230 * success and 0 on failure. If |strict| is true, nonsense will be rejected. If 231 * false, nonsense will be silently ignored. An empty result is considered an 232 * error regardless of |strict|. */ 233 int ssl_create_cipher_list( 234 const SSL_PROTOCOL_METHOD *ssl_method, 235 struct ssl_cipher_preference_list_st **out_cipher_list, 236 const char *rule_str, int strict); 237 238 /* ssl_cipher_get_value returns the cipher suite id of |cipher|. */ 239 uint16_t ssl_cipher_get_value(const SSL_CIPHER *cipher); 240 241 /* ssl_cipher_get_key_type returns the |EVP_PKEY_*| value corresponding to the 242 * server key used in |cipher| or |EVP_PKEY_NONE| if there is none. */ 243 int ssl_cipher_get_key_type(const SSL_CIPHER *cipher); 244 245 /* ssl_cipher_uses_certificate_auth returns one if |cipher| authenticates the 246 * server and, optionally, the client with a certificate. Otherwise it returns 247 * zero. */ 248 int ssl_cipher_uses_certificate_auth(const SSL_CIPHER *cipher); 249 250 /* ssl_cipher_requires_server_key_exchange returns 1 if |cipher| requires a 251 * ServerKeyExchange message. Otherwise it returns 0. 252 * 253 * This function may return zero while still allowing |cipher| an optional 254 * ServerKeyExchange. This is the case for plain PSK ciphers. */ 255 int ssl_cipher_requires_server_key_exchange(const SSL_CIPHER *cipher); 256 257 /* ssl_cipher_get_record_split_len, for TLS 1.0 CBC mode ciphers, returns the 258 * length of an encrypted 1-byte record, for use in record-splitting. Otherwise 259 * it returns zero. */ 260 size_t ssl_cipher_get_record_split_len(const SSL_CIPHER *cipher); 261 262 263 /* Transcript layer. */ 264 265 /* SSL_TRANSCRIPT maintains the handshake transcript as a combination of a 266 * buffer and running hash. */ 267 typedef struct ssl_transcript_st { 268 /* buffer, if non-NULL, contains the handshake transcript. */ 269 BUF_MEM *buffer; 270 /* hash, if initialized with an |EVP_MD|, maintains the handshake hash. For 271 * TLS 1.1 and below, it is the SHA-1 half. */ 272 EVP_MD_CTX hash; 273 /* md5, if initialized with an |EVP_MD|, maintains the MD5 half of the 274 * handshake hash for TLS 1.1 and below. */ 275 EVP_MD_CTX md5; 276 } SSL_TRANSCRIPT; 277 278 /* SSL_TRANSCRIPT_init initializes the handshake transcript. If called on an 279 * existing transcript, it resets the transcript and hash. It returns one on 280 * success and zero on failure. */ 281 int SSL_TRANSCRIPT_init(SSL_TRANSCRIPT *transcript); 282 283 /* SSL_TRANSCRIPT_init_hash initializes the handshake hash based on the PRF and 284 * contents of the handshake transcript. Subsequent calls to 285 * |SSL_TRANSCRIPT_update| will update the rolling hash. It returns one on 286 * success and zero on failure. It is an error to call this function after the 287 * handshake buffer is released. */ 288 int SSL_TRANSCRIPT_init_hash(SSL_TRANSCRIPT *transcript, uint16_t version, 289 int algorithm_prf); 290 291 /* SSL_TRANSCRIPT_cleanup cleans up the hash and transcript. */ 292 void SSL_TRANSCRIPT_cleanup(SSL_TRANSCRIPT *transcript); 293 294 /* SSL_TRANSCRIPT_free_buffer releases the handshake buffer. Subsequent calls to 295 * |SSL_TRANSCRIPT_update| will not update the handshake buffer. */ 296 void SSL_TRANSCRIPT_free_buffer(SSL_TRANSCRIPT *transcript); 297 298 /* SSL_TRANSCRIPT_digest_len returns the length of the PRF hash. */ 299 size_t SSL_TRANSCRIPT_digest_len(const SSL_TRANSCRIPT *transcript); 300 301 /* SSL_TRANSCRIPT_md returns the PRF hash. For TLS 1.1 and below, this is 302 * |EVP_md5_sha1|. */ 303 const EVP_MD *SSL_TRANSCRIPT_md(const SSL_TRANSCRIPT *transcript); 304 305 /* SSL_TRANSCRIPT_update adds |in| to the handshake buffer and handshake hash, 306 * whichever is enabled. It returns one on success and zero on failure. */ 307 int SSL_TRANSCRIPT_update(SSL_TRANSCRIPT *transcript, const uint8_t *in, 308 size_t in_len); 309 310 /* SSL_TRANSCRIPT_get_hash writes the handshake hash to |out| which must have 311 * room for at least |SSL_TRANSCRIPT_digest_len| bytes. On success, it returns 312 * one and sets |*out_len| to the number of bytes written. Otherwise, it returns 313 * zero. */ 314 int SSL_TRANSCRIPT_get_hash(const SSL_TRANSCRIPT *transcript, uint8_t *out, 315 size_t *out_len); 316 317 /* SSL_TRANSCRIPT_ssl3_cert_verify_hash writes the SSL 3.0 CertificateVerify 318 * hash into the bytes pointed to by |out| and writes the number of bytes to 319 * |*out_len|. |out| must have room for |EVP_MAX_MD_SIZE| bytes. It returns one 320 * on success and zero on failure. */ 321 int SSL_TRANSCRIPT_ssl3_cert_verify_hash(SSL_TRANSCRIPT *transcript, 322 uint8_t *out, size_t *out_len, 323 const SSL_SESSION *session, 324 int signature_algorithm); 325 326 /* SSL_TRANSCRIPT_finish_mac computes the MAC for the Finished message into the 327 * bytes pointed by |out| and writes the number of bytes to |*out_len|. |out| 328 * must have room for |EVP_MAX_MD_SIZE| bytes. It returns one on success and 329 * zero on failure. */ 330 int SSL_TRANSCRIPT_finish_mac(SSL_TRANSCRIPT *transcript, uint8_t *out, 331 size_t *out_len, const SSL_SESSION *session, 332 int from_server, uint16_t version); 333 334 /* tls1_prf computes the PRF function for |ssl|. It writes |out_len| bytes to 335 * |out|, using |secret| as the secret and |label| as the label. |seed1| and 336 * |seed2| are concatenated to form the seed parameter. It returns one on 337 * success and zero on failure. */ 338 int tls1_prf(const EVP_MD *digest, uint8_t *out, size_t out_len, 339 const uint8_t *secret, size_t secret_len, const char *label, 340 size_t label_len, const uint8_t *seed1, size_t seed1_len, 341 const uint8_t *seed2, size_t seed2_len); 342 343 344 /* Encryption layer. */ 345 346 /* SSL_AEAD_CTX contains information about an AEAD that is being used to encrypt 347 * an SSL connection. */ 348 typedef struct ssl_aead_ctx_st { 349 const SSL_CIPHER *cipher; 350 EVP_AEAD_CTX ctx; 351 /* fixed_nonce contains any bytes of the nonce that are fixed for all 352 * records. */ 353 uint8_t fixed_nonce[12]; 354 uint8_t fixed_nonce_len, variable_nonce_len; 355 /* version is the protocol version that should be used with this AEAD. */ 356 uint16_t version; 357 /* variable_nonce_included_in_record is non-zero if the variable nonce 358 * for a record is included as a prefix before the ciphertext. */ 359 unsigned variable_nonce_included_in_record : 1; 360 /* random_variable_nonce is non-zero if the variable nonce is 361 * randomly generated, rather than derived from the sequence 362 * number. */ 363 unsigned random_variable_nonce : 1; 364 /* omit_length_in_ad is non-zero if the length should be omitted in the 365 * AEAD's ad parameter. */ 366 unsigned omit_length_in_ad : 1; 367 /* omit_version_in_ad is non-zero if the version should be omitted 368 * in the AEAD's ad parameter. */ 369 unsigned omit_version_in_ad : 1; 370 /* omit_ad is non-zero if the AEAD's ad parameter should be omitted. */ 371 unsigned omit_ad : 1; 372 /* xor_fixed_nonce is non-zero if the fixed nonce should be XOR'd into the 373 * variable nonce rather than prepended. */ 374 unsigned xor_fixed_nonce : 1; 375 } SSL_AEAD_CTX; 376 377 /* SSL_AEAD_CTX_new creates a newly-allocated |SSL_AEAD_CTX| using the supplied 378 * key material. It returns NULL on error. Only one of |SSL_AEAD_CTX_open| or 379 * |SSL_AEAD_CTX_seal| may be used with the resulting object, depending on 380 * |direction|. |version| is the normalized protocol version, so DTLS 1.0 is 381 * represented as 0x0301, not 0xffef. */ 382 SSL_AEAD_CTX *SSL_AEAD_CTX_new(enum evp_aead_direction_t direction, 383 uint16_t version, const SSL_CIPHER *cipher, 384 const uint8_t *enc_key, size_t enc_key_len, 385 const uint8_t *mac_key, size_t mac_key_len, 386 const uint8_t *fixed_iv, size_t fixed_iv_len); 387 388 /* SSL_AEAD_CTX_free frees |ctx|. */ 389 void SSL_AEAD_CTX_free(SSL_AEAD_CTX *ctx); 390 391 /* SSL_AEAD_CTX_explicit_nonce_len returns the length of the explicit nonce for 392 * |ctx|, if any. |ctx| may be NULL to denote the null cipher. */ 393 size_t SSL_AEAD_CTX_explicit_nonce_len(const SSL_AEAD_CTX *ctx); 394 395 /* SSL_AEAD_CTX_max_overhead returns the maximum overhead of calling 396 * |SSL_AEAD_CTX_seal|. |ctx| may be NULL to denote the null cipher. */ 397 size_t SSL_AEAD_CTX_max_overhead(const SSL_AEAD_CTX *ctx); 398 399 /* SSL_AEAD_CTX_open authenticates and decrypts |in_len| bytes from |in| 400 * in-place. On success, it sets |*out| to the plaintext in |in| and returns 401 * one. Otherwise, it returns zero. |ctx| may be NULL to denote the null cipher. 402 * The output will always be |explicit_nonce_len| bytes ahead of |in|. */ 403 int SSL_AEAD_CTX_open(SSL_AEAD_CTX *ctx, CBS *out, uint8_t type, 404 uint16_t wire_version, const uint8_t seqnum[8], 405 uint8_t *in, size_t in_len); 406 407 /* SSL_AEAD_CTX_seal encrypts and authenticates |in_len| bytes from |in| and 408 * writes the result to |out|. It returns one on success and zero on 409 * error. |ctx| may be NULL to denote the null cipher. 410 * 411 * If |in| and |out| alias then |out| + |explicit_nonce_len| must be == |in|. */ 412 int SSL_AEAD_CTX_seal(SSL_AEAD_CTX *ctx, uint8_t *out, size_t *out_len, 413 size_t max_out, uint8_t type, uint16_t wire_version, 414 const uint8_t seqnum[8], const uint8_t *in, 415 size_t in_len); 416 417 418 /* DTLS replay bitmap. */ 419 420 /* DTLS1_BITMAP maintains a sliding window of 64 sequence numbers to detect 421 * replayed packets. It should be initialized by zeroing every field. */ 422 typedef struct dtls1_bitmap_st { 423 /* map is a bit mask of the last 64 sequence numbers. Bit 424 * |1<<i| corresponds to |max_seq_num - i|. */ 425 uint64_t map; 426 /* max_seq_num is the largest sequence number seen so far as a 64-bit 427 * integer. */ 428 uint64_t max_seq_num; 429 } DTLS1_BITMAP; 430 431 432 /* Record layer. */ 433 434 /* ssl_record_sequence_update increments the sequence number in |seq|. It 435 * returns one on success and zero on wraparound. */ 436 int ssl_record_sequence_update(uint8_t *seq, size_t seq_len); 437 438 /* ssl_record_prefix_len returns the length of the prefix before the ciphertext 439 * of a record for |ssl|. 440 * 441 * TODO(davidben): Expose this as part of public API once the high-level 442 * buffer-free APIs are available. */ 443 size_t ssl_record_prefix_len(const SSL *ssl); 444 445 enum ssl_open_record_t { 446 ssl_open_record_success, 447 ssl_open_record_discard, 448 ssl_open_record_partial, 449 ssl_open_record_close_notify, 450 ssl_open_record_fatal_alert, 451 ssl_open_record_error, 452 }; 453 454 /* tls_open_record decrypts a record from |in| in-place. 455 * 456 * If the input did not contain a complete record, it returns 457 * |ssl_open_record_partial|. It sets |*out_consumed| to the total number of 458 * bytes necessary. It is guaranteed that a successful call to |tls_open_record| 459 * will consume at least that many bytes. 460 * 461 * Otherwise, it sets |*out_consumed| to the number of bytes of input 462 * consumed. Note that input may be consumed on all return codes if a record was 463 * decrypted. 464 * 465 * On success, it returns |ssl_open_record_success|. It sets |*out_type| to the 466 * record type and |*out| to the record body in |in|. Note that |*out| may be 467 * empty. 468 * 469 * If a record was successfully processed but should be discarded, it returns 470 * |ssl_open_record_discard|. 471 * 472 * If a record was successfully processed but is a close_notify or fatal alert, 473 * it returns |ssl_open_record_close_notify| or |ssl_open_record_fatal_alert|. 474 * 475 * On failure, it returns |ssl_open_record_error| and sets |*out_alert| to an 476 * alert to emit. */ 477 enum ssl_open_record_t tls_open_record(SSL *ssl, uint8_t *out_type, CBS *out, 478 size_t *out_consumed, uint8_t *out_alert, 479 uint8_t *in, size_t in_len); 480 481 /* dtls_open_record implements |tls_open_record| for DTLS. It never returns 482 * |ssl_open_record_partial| but otherwise behaves analogously. */ 483 enum ssl_open_record_t dtls_open_record(SSL *ssl, uint8_t *out_type, CBS *out, 484 size_t *out_consumed, 485 uint8_t *out_alert, uint8_t *in, 486 size_t in_len); 487 488 /* ssl_seal_align_prefix_len returns the length of the prefix before the start 489 * of the bulk of the ciphertext when sealing a record with |ssl|. Callers may 490 * use this to align buffers. 491 * 492 * Note when TLS 1.0 CBC record-splitting is enabled, this includes the one byte 493 * record and is the offset into second record's ciphertext. Thus sealing a 494 * small record may result in a smaller output than this value. 495 * 496 * TODO(davidben): Is this alignment valuable? Record-splitting makes this a 497 * mess. */ 498 size_t ssl_seal_align_prefix_len(const SSL *ssl); 499 500 /* tls_seal_record seals a new record of type |type| and body |in| and writes it 501 * to |out|. At most |max_out| bytes will be written. It returns one on success 502 * and zero on error. If enabled, |tls_seal_record| implements TLS 1.0 CBC 1/n-1 503 * record splitting and may write two records concatenated. 504 * 505 * For a large record, the bulk of the ciphertext will begin 506 * |ssl_seal_align_prefix_len| bytes into out. Aligning |out| appropriately may 507 * improve performance. It writes at most |in_len| + |SSL_max_seal_overhead| 508 * bytes to |out|. 509 * 510 * |in| and |out| may not alias. */ 511 int tls_seal_record(SSL *ssl, uint8_t *out, size_t *out_len, size_t max_out, 512 uint8_t type, const uint8_t *in, size_t in_len); 513 514 enum dtls1_use_epoch_t { 515 dtls1_use_previous_epoch, 516 dtls1_use_current_epoch, 517 }; 518 519 /* dtls_max_seal_overhead returns the maximum overhead, in bytes, of sealing a 520 * record. */ 521 size_t dtls_max_seal_overhead(const SSL *ssl, enum dtls1_use_epoch_t use_epoch); 522 523 /* dtls_seal_prefix_len returns the number of bytes of prefix to reserve in 524 * front of the plaintext when sealing a record in-place. */ 525 size_t dtls_seal_prefix_len(const SSL *ssl, enum dtls1_use_epoch_t use_epoch); 526 527 /* dtls_seal_record implements |tls_seal_record| for DTLS. |use_epoch| selects 528 * which epoch's cipher state to use. Unlike |tls_seal_record|, |in| and |out| 529 * may alias but, if they do, |in| must be exactly |dtls_seal_prefix_len| bytes 530 * ahead of |out|. */ 531 int dtls_seal_record(SSL *ssl, uint8_t *out, size_t *out_len, size_t max_out, 532 uint8_t type, const uint8_t *in, size_t in_len, 533 enum dtls1_use_epoch_t use_epoch); 534 535 /* ssl_process_alert processes |in| as an alert and updates |ssl|'s shutdown 536 * state. It returns one of |ssl_open_record_discard|, |ssl_open_record_error|, 537 * |ssl_open_record_close_notify|, or |ssl_open_record_fatal_alert| as 538 * appropriate. */ 539 enum ssl_open_record_t ssl_process_alert(SSL *ssl, uint8_t *out_alert, 540 const uint8_t *in, size_t in_len); 541 542 543 /* Private key operations. */ 544 545 /* ssl_has_private_key returns one if |ssl| has a private key 546 * configured and zero otherwise. */ 547 int ssl_has_private_key(const SSL *ssl); 548 549 /* ssl_is_ecdsa_key_type returns one if |type| is an ECDSA key type and zero 550 * otherwise. */ 551 int ssl_is_ecdsa_key_type(int type); 552 553 /* ssl_private_key_* call the corresponding function on the 554 * |SSL_PRIVATE_KEY_METHOD| for |ssl|, if configured. Otherwise, they implement 555 * the operation with |EVP_PKEY|. */ 556 557 int ssl_private_key_type(SSL *ssl); 558 559 size_t ssl_private_key_max_signature_len(SSL *ssl); 560 561 enum ssl_private_key_result_t ssl_private_key_sign( 562 SSL *ssl, uint8_t *out, size_t *out_len, size_t max_out, 563 uint16_t signature_algorithm, const uint8_t *in, size_t in_len); 564 565 enum ssl_private_key_result_t ssl_private_key_decrypt( 566 SSL *ssl, uint8_t *out, size_t *out_len, size_t max_out, 567 const uint8_t *in, size_t in_len); 568 569 enum ssl_private_key_result_t ssl_private_key_complete(SSL *ssl, uint8_t *out, 570 size_t *out_len, 571 size_t max_out); 572 573 /* ssl_private_key_supports_signature_algorithm returns one if |ssl|'s private 574 * key supports |signature_algorithm| and zero otherwise. */ 575 int ssl_private_key_supports_signature_algorithm(SSL *ssl, 576 uint16_t signature_algorithm); 577 578 /* ssl_public_key_verify verifies that the |signature| is valid for the public 579 * key |pkey| and input |in|, using the |signature_algorithm| specified. */ 580 int ssl_public_key_verify( 581 SSL *ssl, const uint8_t *signature, size_t signature_len, 582 uint16_t signature_algorithm, EVP_PKEY *pkey, 583 const uint8_t *in, size_t in_len); 584 585 586 /* Custom extensions */ 587 588 typedef struct ssl_handshake_st SSL_HANDSHAKE; 589 590 /* ssl_custom_extension (a.k.a. SSL_CUSTOM_EXTENSION) is a structure that 591 * contains information about custom-extension callbacks. */ 592 struct ssl_custom_extension { 593 SSL_custom_ext_add_cb add_callback; 594 void *add_arg; 595 SSL_custom_ext_free_cb free_callback; 596 SSL_custom_ext_parse_cb parse_callback; 597 void *parse_arg; 598 uint16_t value; 599 }; 600 601 void SSL_CUSTOM_EXTENSION_free(SSL_CUSTOM_EXTENSION *custom_extension); 602 603 int custom_ext_add_clienthello(SSL_HANDSHAKE *hs, CBB *extensions); 604 int custom_ext_parse_serverhello(SSL_HANDSHAKE *hs, int *out_alert, 605 uint16_t value, const CBS *extension); 606 int custom_ext_parse_clienthello(SSL_HANDSHAKE *hs, int *out_alert, 607 uint16_t value, const CBS *extension); 608 int custom_ext_add_serverhello(SSL_HANDSHAKE *hs, CBB *extensions); 609 610 611 /* ECDH groups. */ 612 613 typedef struct ssl_ecdh_ctx_st SSL_ECDH_CTX; 614 615 /* An SSL_ECDH_METHOD is an implementation of ECDH-like key exchanges for 616 * TLS. */ 617 typedef struct ssl_ecdh_method_st { 618 int nid; 619 uint16_t group_id; 620 const char name[8]; 621 622 /* cleanup releases state in |ctx|. */ 623 void (*cleanup)(SSL_ECDH_CTX *ctx); 624 625 /* offer generates a keypair and writes the public value to 626 * |out_public_key|. It returns one on success and zero on error. */ 627 int (*offer)(SSL_ECDH_CTX *ctx, CBB *out_public_key); 628 629 /* accept performs a key exchange against the |peer_key| generated by |offer|. 630 * On success, it returns one, writes the public value to |out_public_key|, 631 * and sets |*out_secret| and |*out_secret_len| to a newly-allocated buffer 632 * containing the shared secret. The caller must release this buffer with 633 * |OPENSSL_free|. On failure, it returns zero and sets |*out_alert| to an 634 * alert to send to the peer. */ 635 int (*accept)(SSL_ECDH_CTX *ctx, CBB *out_public_key, uint8_t **out_secret, 636 size_t *out_secret_len, uint8_t *out_alert, 637 const uint8_t *peer_key, size_t peer_key_len); 638 639 /* finish performs a key exchange against the |peer_key| generated by 640 * |accept|. On success, it returns one and sets |*out_secret| and 641 * |*out_secret_len| to a newly-allocated buffer containing the shared 642 * secret. The caller must release this buffer with |OPENSSL_free|. On 643 * failure, it returns zero and sets |*out_alert| to an alert to send to the 644 * peer. */ 645 int (*finish)(SSL_ECDH_CTX *ctx, uint8_t **out_secret, size_t *out_secret_len, 646 uint8_t *out_alert, const uint8_t *peer_key, 647 size_t peer_key_len); 648 649 /* get_key initializes |out| with a length-prefixed key from |cbs|. It returns 650 * one on success and zero on error. */ 651 int (*get_key)(CBS *cbs, CBS *out); 652 653 /* add_key initializes |out_contents| to receive a key. Typically it will then 654 * be passed to |offer| or |accept|. It returns one on success and zero on 655 * error. */ 656 int (*add_key)(CBB *cbb, CBB *out_contents); 657 } SSL_ECDH_METHOD; 658 659 struct ssl_ecdh_ctx_st { 660 const SSL_ECDH_METHOD *method; 661 void *data; 662 }; 663 664 /* ssl_nid_to_group_id looks up the group corresponding to |nid|. On success, it 665 * sets |*out_group_id| to the group ID and returns one. Otherwise, it returns 666 * zero. */ 667 int ssl_nid_to_group_id(uint16_t *out_group_id, int nid); 668 669 /* ssl_name_to_group_id looks up the group corresponding to the |name| string 670 * of length |len|. On success, it sets |*out_group_id| to the group ID and 671 * returns one. Otherwise, it returns zero. */ 672 int ssl_name_to_group_id(uint16_t *out_group_id, const char *name, size_t len); 673 674 /* SSL_ECDH_CTX_init sets up |ctx| for use with curve |group_id|. It returns one 675 * on success and zero on error. */ 676 int SSL_ECDH_CTX_init(SSL_ECDH_CTX *ctx, uint16_t group_id); 677 678 /* SSL_ECDH_CTX_init_for_dhe sets up |ctx| for use with legacy DHE-based ciphers 679 * where the server specifies a group. It takes ownership of |params|. */ 680 void SSL_ECDH_CTX_init_for_dhe(SSL_ECDH_CTX *ctx, DH *params); 681 682 /* SSL_ECDH_CTX_cleanup releases memory associated with |ctx|. It is legal to 683 * call it in the zero state. */ 684 void SSL_ECDH_CTX_cleanup(SSL_ECDH_CTX *ctx); 685 686 /* SSL_ECDH_CTX_get_id returns the group ID for |ctx|. */ 687 uint16_t SSL_ECDH_CTX_get_id(const SSL_ECDH_CTX *ctx); 688 689 /* SSL_ECDH_CTX_get_key calls the |get_key| method of |SSL_ECDH_METHOD|. */ 690 int SSL_ECDH_CTX_get_key(SSL_ECDH_CTX *ctx, CBS *cbs, CBS *out); 691 692 /* SSL_ECDH_CTX_add_key calls the |add_key| method of |SSL_ECDH_METHOD|. */ 693 int SSL_ECDH_CTX_add_key(SSL_ECDH_CTX *ctx, CBB *cbb, CBB *out_contents); 694 695 /* SSL_ECDH_CTX_offer calls the |offer| method of |SSL_ECDH_METHOD|. */ 696 int SSL_ECDH_CTX_offer(SSL_ECDH_CTX *ctx, CBB *out_public_key); 697 698 /* SSL_ECDH_CTX_accept calls the |accept| method of |SSL_ECDH_METHOD|. */ 699 int SSL_ECDH_CTX_accept(SSL_ECDH_CTX *ctx, CBB *out_public_key, 700 uint8_t **out_secret, size_t *out_secret_len, 701 uint8_t *out_alert, const uint8_t *peer_key, 702 size_t peer_key_len); 703 704 /* SSL_ECDH_CTX_finish the |finish| method of |SSL_ECDH_METHOD|. */ 705 int SSL_ECDH_CTX_finish(SSL_ECDH_CTX *ctx, uint8_t **out_secret, 706 size_t *out_secret_len, uint8_t *out_alert, 707 const uint8_t *peer_key, size_t peer_key_len); 708 709 /* Handshake messages. */ 710 711 /* SSL_MAX_HANDSHAKE_FLIGHT is the number of messages, including 712 * ChangeCipherSpec, in the longest handshake flight. Currently this is the 713 * client's second leg in a full handshake when client certificates, NPN, and 714 * Channel ID, are all enabled. */ 715 #define SSL_MAX_HANDSHAKE_FLIGHT 7 716 717 /* ssl_max_handshake_message_len returns the maximum number of bytes permitted 718 * in a handshake message for |ssl|. */ 719 size_t ssl_max_handshake_message_len(const SSL *ssl); 720 721 /* dtls_clear_incoming_messages releases all buffered incoming messages. */ 722 void dtls_clear_incoming_messages(SSL *ssl); 723 724 /* dtls_has_incoming_messages returns one if there are buffered incoming 725 * messages ahead of the current message and zero otherwise. */ 726 int dtls_has_incoming_messages(const SSL *ssl); 727 728 typedef struct dtls_outgoing_message_st { 729 uint8_t *data; 730 uint32_t len; 731 uint16_t epoch; 732 char is_ccs; 733 } DTLS_OUTGOING_MESSAGE; 734 735 /* dtls_clear_outgoing_messages releases all buffered outgoing messages. */ 736 void dtls_clear_outgoing_messages(SSL *ssl); 737 738 739 /* Callbacks. */ 740 741 /* ssl_do_info_callback calls |ssl|'s info callback, if set. */ 742 void ssl_do_info_callback(const SSL *ssl, int type, int value); 743 744 /* ssl_do_msg_callback calls |ssl|'s message callback, if set. */ 745 void ssl_do_msg_callback(SSL *ssl, int is_write, int content_type, 746 const void *buf, size_t len); 747 748 749 /* Transport buffers. */ 750 751 /* ssl_read_buffer returns a pointer to contents of the read buffer. */ 752 uint8_t *ssl_read_buffer(SSL *ssl); 753 754 /* ssl_read_buffer_len returns the length of the read buffer. */ 755 size_t ssl_read_buffer_len(const SSL *ssl); 756 757 /* ssl_read_buffer_extend_to extends the read buffer to the desired length. For 758 * TLS, it reads to the end of the buffer until the buffer is |len| bytes 759 * long. For DTLS, it reads a new packet and ignores |len|. It returns one on 760 * success, zero on EOF, and a negative number on error. 761 * 762 * It is an error to call |ssl_read_buffer_extend_to| in DTLS when the buffer is 763 * non-empty. */ 764 int ssl_read_buffer_extend_to(SSL *ssl, size_t len); 765 766 /* ssl_read_buffer_consume consumes |len| bytes from the read buffer. It 767 * advances the data pointer and decrements the length. The memory consumed will 768 * remain valid until the next call to |ssl_read_buffer_extend| or it is 769 * discarded with |ssl_read_buffer_discard|. */ 770 void ssl_read_buffer_consume(SSL *ssl, size_t len); 771 772 /* ssl_read_buffer_discard discards the consumed bytes from the read buffer. If 773 * the buffer is now empty, it releases memory used by it. */ 774 void ssl_read_buffer_discard(SSL *ssl); 775 776 /* ssl_read_buffer_clear releases all memory associated with the read buffer and 777 * zero-initializes it. */ 778 void ssl_read_buffer_clear(SSL *ssl); 779 780 /* ssl_write_buffer_is_pending returns one if the write buffer has pending data 781 * and zero if is empty. */ 782 int ssl_write_buffer_is_pending(const SSL *ssl); 783 784 /* ssl_write_buffer_init initializes the write buffer. On success, it sets 785 * |*out_ptr| to the start of the write buffer with space for up to |max_len| 786 * bytes. It returns one on success and zero on failure. Call 787 * |ssl_write_buffer_set_len| to complete initialization. */ 788 int ssl_write_buffer_init(SSL *ssl, uint8_t **out_ptr, size_t max_len); 789 790 /* ssl_write_buffer_set_len is called after |ssl_write_buffer_init| to complete 791 * initialization after |len| bytes are written to the buffer. */ 792 void ssl_write_buffer_set_len(SSL *ssl, size_t len); 793 794 /* ssl_write_buffer_flush flushes the write buffer to the transport. It returns 795 * one on success and <= 0 on error. For DTLS, whether or not the write 796 * succeeds, the write buffer will be cleared. */ 797 int ssl_write_buffer_flush(SSL *ssl); 798 799 /* ssl_write_buffer_clear releases all memory associated with the write buffer 800 * and zero-initializes it. */ 801 void ssl_write_buffer_clear(SSL *ssl); 802 803 804 /* Certificate functions. */ 805 806 /* ssl_has_certificate returns one if a certificate and private key are 807 * configured and zero otherwise. */ 808 int ssl_has_certificate(const SSL *ssl); 809 810 /* ssl_parse_cert_chain parses a certificate list from |cbs| in the format used 811 * by a TLS Certificate message. On success, it returns a newly-allocated 812 * |CRYPTO_BUFFER| list and advances |cbs|. Otherwise, it returns NULL and sets 813 * |*out_alert| to an alert to send to the peer. 814 * 815 * If the list is non-empty then |*out_pubkey| will be set to a freshly 816 * allocated public-key from the leaf certificate. 817 * 818 * If the list is non-empty and |out_leaf_sha256| is non-NULL, it writes the 819 * SHA-256 hash of the leaf to |out_leaf_sha256|. */ 820 STACK_OF(CRYPTO_BUFFER) *ssl_parse_cert_chain(uint8_t *out_alert, 821 EVP_PKEY **out_pubkey, 822 uint8_t *out_leaf_sha256, 823 CBS *cbs, 824 CRYPTO_BUFFER_POOL *pool); 825 826 /* ssl_add_cert_chain adds |ssl|'s certificate chain to |cbb| in the format used 827 * by a TLS Certificate message. If there is no certificate chain, it emits an 828 * empty certificate list. It returns one on success and zero on error. */ 829 int ssl_add_cert_chain(SSL *ssl, CBB *cbb); 830 831 /* ssl_cert_check_digital_signature_key_usage parses the DER-encoded, X.509 832 * certificate in |in| and returns one if doesn't specify a key usage or, if it 833 * does, if it includes digitalSignature. Otherwise it pushes to the error 834 * queue and returns zero. */ 835 int ssl_cert_check_digital_signature_key_usage(const CBS *in); 836 837 /* ssl_cert_parse_pubkey extracts the public key from the DER-encoded, X.509 838 * certificate in |in|. It returns an allocated |EVP_PKEY| or else returns NULL 839 * and pushes to the error queue. */ 840 EVP_PKEY *ssl_cert_parse_pubkey(const CBS *in); 841 842 /* ssl_parse_client_CA_list parses a CA list from |cbs| in the format used by a 843 * TLS CertificateRequest message. On success, it returns a newly-allocated 844 * |CRYPTO_BUFFER| list and advances |cbs|. Otherwise, it returns NULL and sets 845 * |*out_alert| to an alert to send to the peer. */ 846 STACK_OF(CRYPTO_BUFFER) * 847 ssl_parse_client_CA_list(SSL *ssl, uint8_t *out_alert, CBS *cbs); 848 849 /* ssl_add_client_CA_list adds the configured CA list to |cbb| in the format 850 * used by a TLS CertificateRequest message. It returns one on success and zero 851 * on error. */ 852 int ssl_add_client_CA_list(SSL *ssl, CBB *cbb); 853 854 /* ssl_check_leaf_certificate returns one if |pkey| and |leaf| are suitable as 855 * a server's leaf certificate for |hs|. Otherwise, it returns zero and pushes 856 * an error on the error queue. */ 857 int ssl_check_leaf_certificate(SSL_HANDSHAKE *hs, EVP_PKEY *pkey, 858 const CRYPTO_BUFFER *leaf); 859 860 861 /* TLS 1.3 key derivation. */ 862 863 /* tls13_init_key_schedule initializes the handshake hash and key derivation 864 * state. The cipher suite and PRF hash must have been selected at this point. 865 * It returns one on success and zero on error. */ 866 int tls13_init_key_schedule(SSL_HANDSHAKE *hs); 867 868 /* tls13_init_early_key_schedule initializes the handshake hash and key 869 * derivation state from the resumption secret to derive the early secrets. It 870 * returns one on success and zero on error. */ 871 int tls13_init_early_key_schedule(SSL_HANDSHAKE *hs); 872 873 /* tls13_advance_key_schedule incorporates |in| into the key schedule with 874 * HKDF-Extract. It returns one on success and zero on error. */ 875 int tls13_advance_key_schedule(SSL_HANDSHAKE *hs, const uint8_t *in, 876 size_t len); 877 878 /* tls13_set_traffic_key sets the read or write traffic keys to 879 * |traffic_secret|. It returns one on success and zero on error. */ 880 int tls13_set_traffic_key(SSL *ssl, enum evp_aead_direction_t direction, 881 const uint8_t *traffic_secret, 882 size_t traffic_secret_len); 883 884 /* tls13_derive_early_secrets derives the early traffic secret. It returns one 885 * on success and zero on error. */ 886 int tls13_derive_early_secrets(SSL_HANDSHAKE *hs); 887 888 /* tls13_derive_handshake_secrets derives the handshake traffic secret. It 889 * returns one on success and zero on error. */ 890 int tls13_derive_handshake_secrets(SSL_HANDSHAKE *hs); 891 892 /* tls13_rotate_traffic_key derives the next read or write traffic secret. It 893 * returns one on success and zero on error. */ 894 int tls13_rotate_traffic_key(SSL *ssl, enum evp_aead_direction_t direction); 895 896 /* tls13_derive_application_secrets derives the initial application data traffic 897 * and exporter secrets based on the handshake transcripts and |master_secret|. 898 * It returns one on success and zero on error. */ 899 int tls13_derive_application_secrets(SSL_HANDSHAKE *hs); 900 901 /* tls13_derive_resumption_secret derives the |resumption_secret|. */ 902 int tls13_derive_resumption_secret(SSL_HANDSHAKE *hs); 903 904 /* tls13_export_keying_material provides an exporter interface to use the 905 * |exporter_secret|. */ 906 int tls13_export_keying_material(SSL *ssl, uint8_t *out, size_t out_len, 907 const char *label, size_t label_len, 908 const uint8_t *context, size_t context_len, 909 int use_context); 910 911 /* tls13_finished_mac calculates the MAC of the handshake transcript to verify 912 * the integrity of the Finished message, and stores the result in |out| and 913 * length in |out_len|. |is_server| is 1 if this is for the Server Finished and 914 * 0 for the Client Finished. */ 915 int tls13_finished_mac(SSL_HANDSHAKE *hs, uint8_t *out, 916 size_t *out_len, int is_server); 917 918 /* tls13_write_psk_binder calculates the PSK binder value and replaces the last 919 * bytes of |msg| with the resulting value. It returns 1 on success, and 0 on 920 * failure. */ 921 int tls13_write_psk_binder(SSL_HANDSHAKE *hs, uint8_t *msg, size_t len); 922 923 /* tls13_verify_psk_binder verifies that the handshake transcript, truncated 924 * up to the binders has a valid signature using the value of |session|'s 925 * resumption secret. It returns 1 on success, and 0 on failure. */ 926 int tls13_verify_psk_binder(SSL_HANDSHAKE *hs, SSL_SESSION *session, 927 CBS *binders); 928 929 930 /* Handshake functions. */ 931 932 enum ssl_hs_wait_t { 933 ssl_hs_error, 934 ssl_hs_ok, 935 ssl_hs_read_message, 936 ssl_hs_flush, 937 ssl_hs_flush_and_read_message, 938 ssl_hs_x509_lookup, 939 ssl_hs_channel_id_lookup, 940 ssl_hs_private_key_operation, 941 ssl_hs_pending_ticket, 942 ssl_hs_read_end_of_early_data, 943 }; 944 945 struct ssl_handshake_st { 946 /* ssl is a non-owning pointer to the parent |SSL| object. */ 947 SSL *ssl; 948 949 /* do_tls13_handshake runs the TLS 1.3 handshake. On completion, it returns 950 * |ssl_hs_ok|. Otherwise, it returns a value corresponding to what operation 951 * is needed to progress. */ 952 enum ssl_hs_wait_t (*do_tls13_handshake)(SSL_HANDSHAKE *hs); 953 954 /* wait contains the operation |do_tls13_handshake| is currently blocking on 955 * or |ssl_hs_ok| if none. */ 956 enum ssl_hs_wait_t wait; 957 958 /* state contains one of the SSL3_ST_* values. */ 959 int state; 960 961 /* next_state is used when SSL_ST_FLUSH_DATA is entered */ 962 int next_state; 963 964 /* tls13_state is the internal state for the TLS 1.3 handshake. Its values 965 * depend on |do_tls13_handshake| but the starting state is always zero. */ 966 int tls13_state; 967 968 size_t hash_len; 969 uint8_t secret[EVP_MAX_MD_SIZE]; 970 uint8_t early_traffic_secret[EVP_MAX_MD_SIZE]; 971 uint8_t client_handshake_secret[EVP_MAX_MD_SIZE]; 972 uint8_t server_handshake_secret[EVP_MAX_MD_SIZE]; 973 uint8_t client_traffic_secret_0[EVP_MAX_MD_SIZE]; 974 uint8_t server_traffic_secret_0[EVP_MAX_MD_SIZE]; 975 uint8_t expected_client_finished[EVP_MAX_MD_SIZE]; 976 977 union { 978 /* sent is a bitset where the bits correspond to elements of kExtensions 979 * in t1_lib.c. Each bit is set if that extension was sent in a 980 * ClientHello. It's not used by servers. */ 981 uint32_t sent; 982 /* received is a bitset, like |sent|, but is used by servers to record 983 * which extensions were received from a client. */ 984 uint32_t received; 985 } extensions; 986 987 union { 988 /* sent is a bitset where the bits correspond to elements of 989 * |client_custom_extensions| in the |SSL_CTX|. Each bit is set if that 990 * extension was sent in a ClientHello. It's not used by servers. */ 991 uint16_t sent; 992 /* received is a bitset, like |sent|, but is used by servers to record 993 * which custom extensions were received from a client. The bits here 994 * correspond to |server_custom_extensions|. */ 995 uint16_t received; 996 } custom_extensions; 997 998 /* retry_group is the group ID selected by the server in HelloRetryRequest in 999 * TLS 1.3. */ 1000 uint16_t retry_group; 1001 1002 /* ecdh_ctx is the current ECDH instance. */ 1003 SSL_ECDH_CTX ecdh_ctx; 1004 1005 /* transcript is the current handshake transcript. */ 1006 SSL_TRANSCRIPT transcript; 1007 1008 /* cookie is the value of the cookie received from the server, if any. */ 1009 uint8_t *cookie; 1010 size_t cookie_len; 1011 1012 /* key_share_bytes is the value of the previously sent KeyShare extension by 1013 * the client in TLS 1.3. */ 1014 uint8_t *key_share_bytes; 1015 size_t key_share_bytes_len; 1016 1017 /* public_key, for servers, is the key share to be sent to the client in TLS 1018 * 1.3. */ 1019 uint8_t *public_key; 1020 size_t public_key_len; 1021 1022 /* peer_sigalgs are the signature algorithms that the peer supports. These are 1023 * taken from the contents of the signature algorithms extension for a server 1024 * or from the CertificateRequest for a client. */ 1025 uint16_t *peer_sigalgs; 1026 /* num_peer_sigalgs is the number of entries in |peer_sigalgs|. */ 1027 size_t num_peer_sigalgs; 1028 1029 /* peer_supported_group_list contains the supported group IDs advertised by 1030 * the peer. This is only set on the server's end. The server does not 1031 * advertise this extension to the client. */ 1032 uint16_t *peer_supported_group_list; 1033 size_t peer_supported_group_list_len; 1034 1035 /* peer_key is the peer's ECDH key for a TLS 1.2 client. */ 1036 uint8_t *peer_key; 1037 size_t peer_key_len; 1038 1039 /* server_params, in TLS 1.2, stores the ServerKeyExchange parameters to be 1040 * signed while the signature is being computed. */ 1041 uint8_t *server_params; 1042 size_t server_params_len; 1043 1044 /* peer_psk_identity_hint, on the client, is the psk_identity_hint sent by the 1045 * server when using a TLS 1.2 PSK key exchange. */ 1046 char *peer_psk_identity_hint; 1047 1048 /* ca_names, on the client, contains the list of CAs received in a 1049 * CertificateRequest message. */ 1050 STACK_OF(CRYPTO_BUFFER) *ca_names; 1051 1052 /* cached_x509_ca_names contains a cache of parsed versions of the elements 1053 * of |ca_names|. */ 1054 STACK_OF(X509_NAME) *cached_x509_ca_names; 1055 1056 /* certificate_types, on the client, contains the set of certificate types 1057 * received in a CertificateRequest message. */ 1058 uint8_t *certificate_types; 1059 size_t num_certificate_types; 1060 1061 /* hostname, on the server, is the value of the SNI extension. */ 1062 char *hostname; 1063 1064 /* peer_pubkey is the public key parsed from the peer's leaf certificate. */ 1065 EVP_PKEY *peer_pubkey; 1066 1067 /* new_session is the new mutable session being established by the current 1068 * handshake. It should not be cached. */ 1069 SSL_SESSION *new_session; 1070 1071 /* new_cipher is the cipher being negotiated in this handshake. */ 1072 const SSL_CIPHER *new_cipher; 1073 1074 /* key_block is the record-layer key block for TLS 1.2 and earlier. */ 1075 uint8_t *key_block; 1076 uint8_t key_block_len; 1077 1078 /* scts_requested is one if the SCT extension is in the ClientHello. */ 1079 unsigned scts_requested:1; 1080 1081 /* needs_psk_binder if the ClientHello has a placeholder PSK binder to be 1082 * filled in. */ 1083 unsigned needs_psk_binder:1; 1084 1085 unsigned received_hello_retry_request:1; 1086 1087 /* accept_psk_mode stores whether the client's PSK mode is compatible with our 1088 * preferences. */ 1089 unsigned accept_psk_mode:1; 1090 1091 /* cert_request is one if a client certificate was requested and zero 1092 * otherwise. */ 1093 unsigned cert_request:1; 1094 1095 /* certificate_status_expected is one if OCSP stapling was negotiated and the 1096 * server is expected to send a CertificateStatus message. (This is used on 1097 * both the client and server sides.) */ 1098 unsigned certificate_status_expected:1; 1099 1100 /* ocsp_stapling_requested is one if a client requested OCSP stapling. */ 1101 unsigned ocsp_stapling_requested:1; 1102 1103 /* should_ack_sni is used by a server and indicates that the SNI extension 1104 * should be echoed in the ServerHello. */ 1105 unsigned should_ack_sni:1; 1106 1107 /* in_false_start is one if there is a pending client handshake in False 1108 * Start. The client may write data at this point. */ 1109 unsigned in_false_start:1; 1110 1111 /* early_data_offered is one if the client sent the early_data extension. */ 1112 unsigned early_data_offered:1; 1113 1114 /* can_early_read is one if application data may be read at this point in the 1115 * handshake. */ 1116 unsigned can_early_read:1; 1117 1118 /* can_early_write is one if application data may be written at this point in 1119 * the handshake. */ 1120 unsigned can_early_write:1; 1121 1122 /* next_proto_neg_seen is one of NPN was negotiated. */ 1123 unsigned next_proto_neg_seen:1; 1124 1125 /* ticket_expected is one if a TLS 1.2 NewSessionTicket message is to be sent 1126 * or received. */ 1127 unsigned ticket_expected:1; 1128 1129 /* v2_clienthello is one if we received a V2ClientHello. */ 1130 unsigned v2_clienthello:1; 1131 1132 /* extended_master_secret is one if the extended master secret extension is 1133 * negotiated in this handshake. */ 1134 unsigned extended_master_secret:1; 1135 1136 /* client_version is the value sent or received in the ClientHello version. */ 1137 uint16_t client_version; 1138 } /* SSL_HANDSHAKE */; 1139 1140 SSL_HANDSHAKE *ssl_handshake_new(SSL *ssl); 1141 1142 /* ssl_handshake_free releases all memory associated with |hs|. */ 1143 void ssl_handshake_free(SSL_HANDSHAKE *hs); 1144 1145 /* ssl_check_message_type checks if the current message has type |type|. If so 1146 * it returns one. Otherwise, it sends an alert and returns zero. */ 1147 int ssl_check_message_type(SSL *ssl, int type); 1148 1149 /* tls13_handshake runs the TLS 1.3 handshake. It returns one on success and <= 1150 * 0 on error. It sets |out_early_return| to one if we've completed the 1151 * handshake early. */ 1152 int tls13_handshake(SSL_HANDSHAKE *hs, int *out_early_return); 1153 1154 /* The following are implementations of |do_tls13_handshake| for the client and 1155 * server. */ 1156 enum ssl_hs_wait_t tls13_client_handshake(SSL_HANDSHAKE *hs); 1157 enum ssl_hs_wait_t tls13_server_handshake(SSL_HANDSHAKE *hs); 1158 1159 /* tls13_post_handshake processes a post-handshake message. It returns one on 1160 * success and zero on failure. */ 1161 int tls13_post_handshake(SSL *ssl); 1162 1163 int tls13_process_certificate(SSL_HANDSHAKE *hs, int allow_anonymous); 1164 int tls13_process_certificate_verify(SSL_HANDSHAKE *hs); 1165 1166 /* tls13_process_finished processes the current message as a Finished message 1167 * from the peer. If |use_saved_value| is one, the verify_data is compared 1168 * against |hs->expected_client_finished| rather than computed fresh. */ 1169 int tls13_process_finished(SSL_HANDSHAKE *hs, int use_saved_value); 1170 1171 int tls13_add_certificate(SSL_HANDSHAKE *hs); 1172 enum ssl_private_key_result_t tls13_add_certificate_verify(SSL_HANDSHAKE *hs, 1173 int is_first_run); 1174 int tls13_add_finished(SSL_HANDSHAKE *hs); 1175 int tls13_process_new_session_ticket(SSL *ssl); 1176 1177 int ssl_ext_key_share_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t **out_secret, 1178 size_t *out_secret_len, 1179 uint8_t *out_alert, CBS *contents); 1180 int ssl_ext_key_share_parse_clienthello(SSL_HANDSHAKE *hs, int *out_found, 1181 uint8_t **out_secret, 1182 size_t *out_secret_len, 1183 uint8_t *out_alert, CBS *contents); 1184 int ssl_ext_key_share_add_serverhello(SSL_HANDSHAKE *hs, CBB *out); 1185 1186 int ssl_ext_pre_shared_key_parse_serverhello(SSL_HANDSHAKE *hs, 1187 uint8_t *out_alert, CBS *contents); 1188 int ssl_ext_pre_shared_key_parse_clienthello( 1189 SSL_HANDSHAKE *hs, CBS *out_ticket, CBS *out_binders, 1190 uint32_t *out_obfuscated_ticket_age, uint8_t *out_alert, CBS *contents); 1191 int ssl_ext_pre_shared_key_add_serverhello(SSL_HANDSHAKE *hs, CBB *out); 1192 1193 /* ssl_is_sct_list_valid does a shallow parse of the SCT list in |contents| and 1194 * returns one iff it's valid. */ 1195 int ssl_is_sct_list_valid(const CBS *contents); 1196 1197 int ssl_write_client_hello(SSL_HANDSHAKE *hs); 1198 1199 /* ssl_clear_tls13_state releases client state only needed for TLS 1.3. It 1200 * should be called once the version is known to be TLS 1.2 or earlier. */ 1201 void ssl_clear_tls13_state(SSL_HANDSHAKE *hs); 1202 1203 enum ssl_cert_verify_context_t { 1204 ssl_cert_verify_server, 1205 ssl_cert_verify_client, 1206 ssl_cert_verify_channel_id, 1207 }; 1208 1209 /* tls13_get_cert_verify_signature_input generates the message to be signed for 1210 * TLS 1.3's CertificateVerify message. |cert_verify_context| determines the 1211 * type of signature. It sets |*out| and |*out_len| to a newly allocated buffer 1212 * containing the result. The caller must free it with |OPENSSL_free| to release 1213 * it. This function returns one on success and zero on failure. */ 1214 int tls13_get_cert_verify_signature_input( 1215 SSL_HANDSHAKE *hs, uint8_t **out, size_t *out_len, 1216 enum ssl_cert_verify_context_t cert_verify_context); 1217 1218 /* ssl_negotiate_alpn negotiates the ALPN extension, if applicable. It returns 1219 * one on successful negotiation or if nothing was negotiated. It returns zero 1220 * and sets |*out_alert| to an alert on error. */ 1221 int ssl_negotiate_alpn(SSL_HANDSHAKE *hs, uint8_t *out_alert, 1222 const SSL_CLIENT_HELLO *client_hello); 1223 1224 typedef struct { 1225 uint16_t type; 1226 int *out_present; 1227 CBS *out_data; 1228 } SSL_EXTENSION_TYPE; 1229 1230 /* ssl_parse_extensions parses a TLS extensions block out of |cbs| and advances 1231 * it. It writes the parsed extensions to pointers denoted by |ext_types|. On 1232 * success, it fills in the |out_present| and |out_data| fields and returns one. 1233 * Otherwise, it sets |*out_alert| to an alert to send and returns zero. Unknown 1234 * extensions are rejected unless |ignore_unknown| is 1. */ 1235 int ssl_parse_extensions(const CBS *cbs, uint8_t *out_alert, 1236 const SSL_EXTENSION_TYPE *ext_types, 1237 size_t num_ext_types, int ignore_unknown); 1238 1239 1240 /* SSLKEYLOGFILE functions. */ 1241 1242 /* ssl_log_secret logs |secret| with label |label|, if logging is enabled for 1243 * |ssl|. It returns one on success and zero on failure. */ 1244 int ssl_log_secret(const SSL *ssl, const char *label, const uint8_t *secret, 1245 size_t secret_len); 1246 1247 1248 /* ClientHello functions. */ 1249 1250 int ssl_client_hello_init(SSL *ssl, SSL_CLIENT_HELLO *out, const uint8_t *in, 1251 size_t in_len); 1252 1253 int ssl_client_hello_get_extension(const SSL_CLIENT_HELLO *client_hello, 1254 CBS *out, uint16_t extension_type); 1255 1256 int ssl_client_cipher_list_contains_cipher(const SSL_CLIENT_HELLO *client_hello, 1257 uint16_t id); 1258 1259 1260 /* GREASE. */ 1261 1262 enum ssl_grease_index_t { 1263 ssl_grease_cipher = 0, 1264 ssl_grease_group, 1265 ssl_grease_extension1, 1266 ssl_grease_extension2, 1267 ssl_grease_version, 1268 ssl_grease_ticket_extension, 1269 }; 1270 1271 /* ssl_get_grease_value returns a GREASE value for |ssl|. For a given 1272 * connection, the values for each index will be deterministic. This allows the 1273 * same ClientHello be sent twice for a HelloRetryRequest or the same group be 1274 * advertised in both supported_groups and key_shares. */ 1275 uint16_t ssl_get_grease_value(const SSL *ssl, enum ssl_grease_index_t index); 1276 1277 1278 /* Signature algorithms. */ 1279 1280 /* tls1_parse_peer_sigalgs parses |sigalgs| as the list of peer signature 1281 * algorithms and saves them on |hs|. It returns one on success and zero on 1282 * error. */ 1283 int tls1_parse_peer_sigalgs(SSL_HANDSHAKE *hs, const CBS *sigalgs); 1284 1285 /* tls1_choose_signature_algorithm sets |*out| to a signature algorithm for use 1286 * with |hs|'s private key based on the peer's preferences and the algorithms 1287 * supported. It returns one on success and zero on error. */ 1288 int tls1_choose_signature_algorithm(SSL_HANDSHAKE *hs, uint16_t *out); 1289 1290 /* tls12_get_verify_sigalgs sets |*out| to the signature algorithms acceptable 1291 * for the peer signature and returns the length of the list. */ 1292 size_t tls12_get_verify_sigalgs(const SSL *ssl, const uint16_t **out); 1293 1294 /* tls12_check_peer_sigalg checks if |sigalg| is acceptable for the peer 1295 * signature. It returns one on success and zero on error, setting |*out_alert| 1296 * to an alert to send. */ 1297 int tls12_check_peer_sigalg(SSL *ssl, int *out_alert, uint16_t sigalg); 1298 1299 1300 /* Underdocumented functions. 1301 * 1302 * Functions below here haven't been touched up and may be underdocumented. */ 1303 1304 #define TLSEXT_CHANNEL_ID_SIZE 128 1305 1306 /* From RFC4492, used in encoding the curve type in ECParameters */ 1307 #define NAMED_CURVE_TYPE 3 1308 1309 typedef struct cert_st { 1310 EVP_PKEY *privatekey; 1311 1312 /* chain contains the certificate chain, with the leaf at the beginning. The 1313 * first element of |chain| may be NULL to indicate that the leaf certificate 1314 * has not yet been set. 1315 * If |chain| != NULL -> len(chain) >= 1 1316 * If |chain[0]| == NULL -> len(chain) >= 2. 1317 * |chain[1..]| != NULL */ 1318 STACK_OF(CRYPTO_BUFFER) *chain; 1319 1320 /* x509_chain may contain a parsed copy of |chain[1..]|. This is only used as 1321 * a cache in order to implement get0 functions that return a non-owning 1322 * pointer to the certificate chain. */ 1323 STACK_OF(X509) *x509_chain; 1324 1325 /* x509_leaf may contain a parsed copy of the first element of |chain|. This 1326 * is only used as a cache in order to implement get0 functions that return 1327 * a non-owning pointer to the certificate chain. */ 1328 X509 *x509_leaf; 1329 1330 /* x509_stash contains the last |X509| object append to the chain. This is a 1331 * workaround for some third-party code that continue to use an |X509| object 1332 * even after passing ownership with an add0 function. */ 1333 X509 *x509_stash; 1334 1335 /* key_method, if non-NULL, is a set of callbacks to call for private key 1336 * operations. */ 1337 const SSL_PRIVATE_KEY_METHOD *key_method; 1338 1339 /* x509_method contains pointers to functions that might deal with |X509| 1340 * compatibility, or might be a no-op, depending on the application. */ 1341 const SSL_X509_METHOD *x509_method; 1342 1343 DH *dh_tmp; 1344 DH *(*dh_tmp_cb)(SSL *ssl, int is_export, int keysize); 1345 1346 /* sigalgs, if non-NULL, is the set of signature algorithms supported by 1347 * |privatekey| in decreasing order of preference. */ 1348 uint16_t *sigalgs; 1349 size_t num_sigalgs; 1350 1351 /* Certificate setup callback: if set is called whenever a 1352 * certificate may be required (client or server). the callback 1353 * can then examine any appropriate parameters and setup any 1354 * certificates required. This allows advanced applications 1355 * to select certificates on the fly: for example based on 1356 * supported signature algorithms or curves. */ 1357 int (*cert_cb)(SSL *ssl, void *arg); 1358 void *cert_cb_arg; 1359 1360 /* Optional X509_STORE for certificate validation. If NULL the parent SSL_CTX 1361 * store is used instead. */ 1362 X509_STORE *verify_store; 1363 1364 /* Signed certificate timestamp list to be sent to the client, if requested */ 1365 CRYPTO_BUFFER *signed_cert_timestamp_list; 1366 1367 /* OCSP response to be sent to the client, if requested. */ 1368 CRYPTO_BUFFER *ocsp_response; 1369 1370 /* sid_ctx partitions the session space within a shared session cache or 1371 * ticket key. Only sessions with a matching value will be accepted. */ 1372 uint8_t sid_ctx_length; 1373 uint8_t sid_ctx[SSL_MAX_SID_CTX_LENGTH]; 1374 } CERT; 1375 1376 /* SSL_METHOD is a compatibility structure to support the legacy version-locked 1377 * methods. */ 1378 struct ssl_method_st { 1379 /* version, if non-zero, is the only protocol version acceptable to an 1380 * SSL_CTX initialized from this method. */ 1381 uint16_t version; 1382 /* method is the underlying SSL_PROTOCOL_METHOD that initializes the 1383 * SSL_CTX. */ 1384 const SSL_PROTOCOL_METHOD *method; 1385 /* x509_method contains pointers to functions that might deal with |X509| 1386 * compatibility, or might be a no-op, depending on the application. */ 1387 const SSL_X509_METHOD *x509_method; 1388 }; 1389 1390 /* Used to hold functions for SSLv2 or SSLv3/TLSv1 functions */ 1391 struct ssl_protocol_method_st { 1392 /* is_dtls is one if the protocol is DTLS and zero otherwise. */ 1393 char is_dtls; 1394 /* min_version is the minimum implemented version. */ 1395 uint16_t min_version; 1396 /* max_version is the maximum implemented version. */ 1397 uint16_t max_version; 1398 /* version_from_wire maps |wire_version| to a protocol version. On success, it 1399 * sets |*out_version| to the result and returns one. If the version is 1400 * unknown, it returns zero. */ 1401 int (*version_from_wire)(uint16_t *out_version, uint16_t wire_version); 1402 /* version_to_wire maps |version| to the wire representation. It is an error 1403 * to call it with an invalid version. */ 1404 uint16_t (*version_to_wire)(uint16_t version); 1405 int (*ssl_new)(SSL *ssl); 1406 void (*ssl_free)(SSL *ssl); 1407 /* ssl_get_message reads the next handshake message. On success, it returns 1408 * one and sets |ssl->s3->tmp.message_type|, |ssl->init_msg|, and 1409 * |ssl->init_num|. Otherwise, it returns <= 0. */ 1410 int (*ssl_get_message)(SSL *ssl); 1411 /* get_current_message sets |*out| to the current handshake message. This 1412 * includes the protocol-specific message header. */ 1413 void (*get_current_message)(const SSL *ssl, CBS *out); 1414 /* release_current_message is called to release the current handshake message. 1415 * If |free_buffer| is one, buffers will also be released. */ 1416 void (*release_current_message)(SSL *ssl, int free_buffer); 1417 /* read_app_data reads up to |len| bytes of application data into |buf|. On 1418 * success, it returns the number of bytes read. Otherwise, it returns <= 0 1419 * and sets |*out_got_handshake| to whether the failure was due to a 1420 * post-handshake handshake message. If so, it fills in the current message as 1421 * in |ssl_get_message|. */ 1422 int (*read_app_data)(SSL *ssl, int *out_got_handshake, uint8_t *buf, int len, 1423 int peek); 1424 int (*read_change_cipher_spec)(SSL *ssl); 1425 void (*read_close_notify)(SSL *ssl); 1426 int (*write_app_data)(SSL *ssl, const uint8_t *buf, int len); 1427 int (*dispatch_alert)(SSL *ssl); 1428 /* supports_cipher returns one if |cipher| is supported by this protocol and 1429 * zero otherwise. */ 1430 int (*supports_cipher)(const SSL_CIPHER *cipher); 1431 /* init_message begins a new handshake message of type |type|. |cbb| is the 1432 * root CBB to be passed into |finish_message|. |*body| is set to a child CBB 1433 * the caller should write to. It returns one on success and zero on error. */ 1434 int (*init_message)(SSL *ssl, CBB *cbb, CBB *body, uint8_t type); 1435 /* finish_message finishes a handshake message. It sets |*out_msg| to a 1436 * newly-allocated buffer with the serialized message. The caller must 1437 * release it with |OPENSSL_free| when done. It returns one on success and 1438 * zero on error. */ 1439 int (*finish_message)(SSL *ssl, CBB *cbb, uint8_t **out_msg, size_t *out_len); 1440 /* add_message adds a handshake message to the pending flight. It returns one 1441 * on success and zero on error. In either case, it takes ownership of |msg| 1442 * and releases it with |OPENSSL_free| when done. */ 1443 int (*add_message)(SSL *ssl, uint8_t *msg, size_t len); 1444 /* add_change_cipher_spec adds a ChangeCipherSpec record to the pending 1445 * flight. It returns one on success and zero on error. */ 1446 int (*add_change_cipher_spec)(SSL *ssl); 1447 /* add_alert adds an alert to the pending flight. It returns one on success 1448 * and zero on error. */ 1449 int (*add_alert)(SSL *ssl, uint8_t level, uint8_t desc); 1450 /* flush_flight flushes the pending flight to the transport. It returns one on 1451 * success and <= 0 on error. */ 1452 int (*flush_flight)(SSL *ssl); 1453 /* expect_flight is called when the handshake expects a flight of messages from 1454 * the peer. */ 1455 void (*expect_flight)(SSL *ssl); 1456 /* received_flight is called when the handshake has received a flight of 1457 * messages from the peer. */ 1458 void (*received_flight)(SSL *ssl); 1459 /* set_read_state sets |ssl|'s read cipher state to |aead_ctx|. It takes 1460 * ownership of |aead_ctx|. It returns one on success and zero if changing the 1461 * read state is forbidden at this point. */ 1462 int (*set_read_state)(SSL *ssl, SSL_AEAD_CTX *aead_ctx); 1463 /* set_write_state sets |ssl|'s write cipher state to |aead_ctx|. It takes 1464 * ownership of |aead_ctx|. It returns one on success and zero if changing the 1465 * write state is forbidden at this point. */ 1466 int (*set_write_state)(SSL *ssl, SSL_AEAD_CTX *aead_ctx); 1467 }; 1468 1469 struct ssl_x509_method_st { 1470 /* check_client_CA_list returns one if |names| is a good list of X.509 1471 * distinguished names and zero otherwise. This is used to ensure that we can 1472 * reject unparsable values at handshake time when using crypto/x509. */ 1473 int (*check_client_CA_list)(STACK_OF(CRYPTO_BUFFER) *names); 1474 1475 /* cert_clear frees and NULLs all X509 certificate-related state. */ 1476 void (*cert_clear)(CERT *cert); 1477 /* cert_free frees all X509-related state. */ 1478 void (*cert_free)(CERT *cert); 1479 /* cert_flush_cached_chain drops any cached |X509|-based certificate chain 1480 * from |cert|. */ 1481 /* cert_dup duplicates any needed fields from |cert| to |new_cert|. */ 1482 void (*cert_dup)(CERT *new_cert, const CERT *cert); 1483 void (*cert_flush_cached_chain)(CERT *cert); 1484 /* cert_flush_cached_chain drops any cached |X509|-based leaf certificate 1485 * from |cert|. */ 1486 void (*cert_flush_cached_leaf)(CERT *cert); 1487 1488 /* session_cache_objects fills out |sess->x509_peer| and |sess->x509_chain| 1489 * from |sess->certs| and erases |sess->x509_chain_without_leaf|. It returns 1490 * one on success or zero on error. */ 1491 int (*session_cache_objects)(SSL_SESSION *session); 1492 /* session_dup duplicates any needed fields from |session| to |new_session|. 1493 * It returns one on success or zero on error. */ 1494 int (*session_dup)(SSL_SESSION *new_session, const SSL_SESSION *session); 1495 /* session_clear frees any X509-related state from |session|. */ 1496 void (*session_clear)(SSL_SESSION *session); 1497 /* session_verify_cert_chain verifies the certificate chain in |session|, 1498 * sets |session->verify_result| and returns one on success or zero on 1499 * error. */ 1500 int (*session_verify_cert_chain)(SSL_SESSION *session, SSL *ssl); 1501 1502 /* hs_flush_cached_ca_names drops any cached |X509_NAME|s from |hs|. */ 1503 void (*hs_flush_cached_ca_names)(SSL_HANDSHAKE *hs); 1504 /* ssl_new does any neccessary initialisation of |ssl|. It returns one on 1505 * success or zero on error. */ 1506 int (*ssl_new)(SSL *ssl); 1507 /* ssl_free frees anything created by |ssl_new|. */ 1508 void (*ssl_free)(SSL *ssl); 1509 /* ssl_flush_cached_client_CA drops any cached |X509_NAME|s from |ssl|. */ 1510 void (*ssl_flush_cached_client_CA)(SSL *ssl); 1511 /* ssl_auto_chain_if_needed runs the deprecated auto-chaining logic if 1512 * necessary. On success, it updates |ssl|'s certificate configuration as 1513 * needed and returns one. Otherwise, it returns zero. */ 1514 int (*ssl_auto_chain_if_needed)(SSL *ssl); 1515 /* ssl_ctx_new does any neccessary initialisation of |ctx|. It returns one on 1516 * success or zero on error. */ 1517 int (*ssl_ctx_new)(SSL_CTX *ctx); 1518 /* ssl_ctx_free frees anything created by |ssl_ctx_new|. */ 1519 void (*ssl_ctx_free)(SSL_CTX *ctx); 1520 /* ssl_ctx_flush_cached_client_CA drops any cached |X509_NAME|s from |ctx|. */ 1521 void (*ssl_ctx_flush_cached_client_CA)(SSL_CTX *ssl); 1522 }; 1523 1524 /* ssl_crypto_x509_method provides the |ssl_x509_method_st| functions using 1525 * crypto/x509. */ 1526 extern const struct ssl_x509_method_st ssl_crypto_x509_method; 1527 1528 typedef struct ssl3_record_st { 1529 /* type is the record type. */ 1530 uint8_t type; 1531 /* length is the number of unconsumed bytes in the record. */ 1532 uint16_t length; 1533 /* data is a non-owning pointer to the first unconsumed byte of the record. */ 1534 uint8_t *data; 1535 } SSL3_RECORD; 1536 1537 typedef struct ssl3_buffer_st { 1538 /* buf is the memory allocated for this buffer. */ 1539 uint8_t *buf; 1540 /* offset is the offset into |buf| which the buffer contents start at. */ 1541 uint16_t offset; 1542 /* len is the length of the buffer contents from |buf| + |offset|. */ 1543 uint16_t len; 1544 /* cap is how much memory beyond |buf| + |offset| is available. */ 1545 uint16_t cap; 1546 } SSL3_BUFFER; 1547 1548 /* An ssl_shutdown_t describes the shutdown state of one end of the connection, 1549 * whether it is alive or has been shutdown via close_notify or fatal alert. */ 1550 enum ssl_shutdown_t { 1551 ssl_shutdown_none = 0, 1552 ssl_shutdown_close_notify = 1, 1553 ssl_shutdown_fatal_alert = 2, 1554 }; 1555 1556 typedef struct ssl3_state_st { 1557 uint8_t read_sequence[8]; 1558 uint8_t write_sequence[8]; 1559 1560 uint8_t server_random[SSL3_RANDOM_SIZE]; 1561 uint8_t client_random[SSL3_RANDOM_SIZE]; 1562 1563 /* read_buffer holds data from the transport to be processed. */ 1564 SSL3_BUFFER read_buffer; 1565 /* write_buffer holds data to be written to the transport. */ 1566 SSL3_BUFFER write_buffer; 1567 1568 SSL3_RECORD rrec; /* each decoded record goes in here */ 1569 1570 /* partial write - check the numbers match */ 1571 unsigned int wnum; /* number of bytes sent so far */ 1572 int wpend_tot; /* number bytes written */ 1573 int wpend_type; 1574 int wpend_ret; /* number of bytes submitted */ 1575 const uint8_t *wpend_buf; 1576 1577 /* recv_shutdown is the shutdown state for the receive half of the 1578 * connection. */ 1579 enum ssl_shutdown_t recv_shutdown; 1580 1581 /* recv_shutdown is the shutdown state for the send half of the connection. */ 1582 enum ssl_shutdown_t send_shutdown; 1583 1584 int alert_dispatch; 1585 1586 int total_renegotiations; 1587 1588 /* early_data_skipped is the amount of early data that has been skipped by the 1589 * record layer. */ 1590 uint16_t early_data_skipped; 1591 1592 /* empty_record_count is the number of consecutive empty records received. */ 1593 uint8_t empty_record_count; 1594 1595 /* warning_alert_count is the number of consecutive warning alerts 1596 * received. */ 1597 uint8_t warning_alert_count; 1598 1599 /* key_update_count is the number of consecutive KeyUpdates received. */ 1600 uint8_t key_update_count; 1601 1602 /* skip_early_data instructs the record layer to skip unexpected early data 1603 * messages when 0RTT is rejected. */ 1604 unsigned skip_early_data:1; 1605 1606 /* have_version is true if the connection's final version is known. Otherwise 1607 * the version has not been negotiated yet. */ 1608 unsigned have_version:1; 1609 1610 /* v2_hello_done is true if the peer's V2ClientHello, if any, has been handled 1611 * and future messages should use the record layer. */ 1612 unsigned v2_hello_done:1; 1613 1614 /* is_v2_hello is true if the current handshake message was derived from a 1615 * V2ClientHello rather than received from the peer directly. */ 1616 unsigned is_v2_hello:1; 1617 1618 /* initial_handshake_complete is true if the initial handshake has 1619 * completed. */ 1620 unsigned initial_handshake_complete:1; 1621 1622 /* session_reused indicates whether a session was resumed. */ 1623 unsigned session_reused:1; 1624 1625 unsigned send_connection_binding:1; 1626 1627 /* In a client, this means that the server supported Channel ID and that a 1628 * Channel ID was sent. In a server it means that we echoed support for 1629 * Channel IDs and that tlsext_channel_id will be valid after the 1630 * handshake. */ 1631 unsigned tlsext_channel_id_valid:1; 1632 1633 uint8_t send_alert[2]; 1634 1635 /* pending_flight is the pending outgoing flight. This is used to flush each 1636 * handshake flight in a single write. */ 1637 BUF_MEM *pending_flight; 1638 1639 /* pending_flight_offset is the number of bytes of |pending_flight| which have 1640 * been successfully written. */ 1641 uint32_t pending_flight_offset; 1642 1643 /* aead_read_ctx is the current read cipher state. */ 1644 SSL_AEAD_CTX *aead_read_ctx; 1645 1646 /* aead_write_ctx is the current write cipher state. */ 1647 SSL_AEAD_CTX *aead_write_ctx; 1648 1649 /* hs is the handshake state for the current handshake or NULL if there isn't 1650 * one. */ 1651 SSL_HANDSHAKE *hs; 1652 1653 uint8_t write_traffic_secret[EVP_MAX_MD_SIZE]; 1654 uint8_t read_traffic_secret[EVP_MAX_MD_SIZE]; 1655 uint8_t exporter_secret[EVP_MAX_MD_SIZE]; 1656 uint8_t early_exporter_secret[EVP_MAX_MD_SIZE]; 1657 uint8_t write_traffic_secret_len; 1658 uint8_t read_traffic_secret_len; 1659 uint8_t exporter_secret_len; 1660 uint8_t early_exporter_secret_len; 1661 1662 /* Connection binding to prevent renegotiation attacks */ 1663 uint8_t previous_client_finished[12]; 1664 uint8_t previous_client_finished_len; 1665 uint8_t previous_server_finished_len; 1666 uint8_t previous_server_finished[12]; 1667 1668 /* State pertaining to the pending handshake. 1669 * 1670 * TODO(davidben): Move everything not needed after the handshake completes to 1671 * |hs| and remove this. */ 1672 struct { 1673 int message_type; 1674 1675 int reuse_message; 1676 1677 uint8_t new_mac_secret_len; 1678 uint8_t new_key_len; 1679 uint8_t new_fixed_iv_len; 1680 } tmp; 1681 1682 /* established_session is the session established by the connection. This 1683 * session is only filled upon the completion of the handshake and is 1684 * immutable. */ 1685 SSL_SESSION *established_session; 1686 1687 /* Next protocol negotiation. For the client, this is the protocol that we 1688 * sent in NextProtocol and is set when handling ServerHello extensions. 1689 * 1690 * For a server, this is the client's selected_protocol from NextProtocol and 1691 * is set when handling the NextProtocol message, before the Finished 1692 * message. */ 1693 uint8_t *next_proto_negotiated; 1694 size_t next_proto_negotiated_len; 1695 1696 /* ALPN information 1697 * (we are in the process of transitioning from NPN to ALPN.) */ 1698 1699 /* In a server these point to the selected ALPN protocol after the 1700 * ClientHello has been processed. In a client these contain the protocol 1701 * that the server selected once the ServerHello has been processed. */ 1702 uint8_t *alpn_selected; 1703 size_t alpn_selected_len; 1704 1705 /* For a server: 1706 * If |tlsext_channel_id_valid| is true, then this contains the 1707 * verified Channel ID from the client: a P256 point, (x,y), where 1708 * each are big-endian values. */ 1709 uint8_t tlsext_channel_id[64]; 1710 1711 /* ticket_age_skew is the difference, in seconds, between the client-sent 1712 * ticket age and the server-computed value in TLS 1.3 server connections 1713 * which resumed a session. */ 1714 int32_t ticket_age_skew; 1715 } SSL3_STATE; 1716 1717 /* lengths of messages */ 1718 #define DTLS1_COOKIE_LENGTH 256 1719 1720 #define DTLS1_RT_HEADER_LENGTH 13 1721 1722 #define DTLS1_HM_HEADER_LENGTH 12 1723 1724 #define DTLS1_CCS_HEADER_LENGTH 1 1725 1726 #define DTLS1_AL_HEADER_LENGTH 2 1727 1728 struct hm_header_st { 1729 uint8_t type; 1730 uint32_t msg_len; 1731 uint16_t seq; 1732 uint32_t frag_off; 1733 uint32_t frag_len; 1734 }; 1735 1736 /* An hm_fragment is an incoming DTLS message, possibly not yet assembled. */ 1737 typedef struct hm_fragment_st { 1738 /* type is the type of the message. */ 1739 uint8_t type; 1740 /* seq is the sequence number of this message. */ 1741 uint16_t seq; 1742 /* msg_len is the length of the message body. */ 1743 uint32_t msg_len; 1744 /* data is a pointer to the message, including message header. It has length 1745 * |DTLS1_HM_HEADER_LENGTH| + |msg_len|. */ 1746 uint8_t *data; 1747 /* reassembly is a bitmask of |msg_len| bits corresponding to which parts of 1748 * the message have been received. It is NULL if the message is complete. */ 1749 uint8_t *reassembly; 1750 } hm_fragment; 1751 1752 struct OPENSSL_timeval { 1753 uint64_t tv_sec; 1754 uint32_t tv_usec; 1755 }; 1756 1757 typedef struct dtls1_state_st { 1758 /* send_cookie is true if we are resending the ClientHello 1759 * with a cookie from a HelloVerifyRequest. */ 1760 unsigned int send_cookie; 1761 1762 uint8_t cookie[DTLS1_COOKIE_LENGTH]; 1763 size_t cookie_len; 1764 1765 /* The current data and handshake epoch. This is initially undefined, and 1766 * starts at zero once the initial handshake is completed. */ 1767 uint16_t r_epoch; 1768 uint16_t w_epoch; 1769 1770 /* records being received in the current epoch */ 1771 DTLS1_BITMAP bitmap; 1772 1773 uint16_t handshake_write_seq; 1774 uint16_t handshake_read_seq; 1775 1776 /* save last sequence number for retransmissions */ 1777 uint8_t last_write_sequence[8]; 1778 1779 /* incoming_messages is a ring buffer of incoming handshake messages that have 1780 * yet to be processed. The front of the ring buffer is message number 1781 * |handshake_read_seq|, at position |handshake_read_seq| % 1782 * |SSL_MAX_HANDSHAKE_FLIGHT|. */ 1783 hm_fragment *incoming_messages[SSL_MAX_HANDSHAKE_FLIGHT]; 1784 1785 /* outgoing_messages is the queue of outgoing messages from the last handshake 1786 * flight. */ 1787 DTLS_OUTGOING_MESSAGE outgoing_messages[SSL_MAX_HANDSHAKE_FLIGHT]; 1788 uint8_t outgoing_messages_len; 1789 1790 /* outgoing_written is the number of outgoing messages that have been 1791 * written. */ 1792 uint8_t outgoing_written; 1793 /* outgoing_offset is the number of bytes of the next outgoing message have 1794 * been written. */ 1795 uint32_t outgoing_offset; 1796 1797 unsigned int mtu; /* max DTLS packet size */ 1798 1799 /* num_timeouts is the number of times the retransmit timer has fired since 1800 * the last time it was reset. */ 1801 unsigned int num_timeouts; 1802 1803 /* Indicates when the last handshake msg or heartbeat sent will 1804 * timeout. */ 1805 struct OPENSSL_timeval next_timeout; 1806 1807 /* timeout_duration_ms is the timeout duration in milliseconds. */ 1808 unsigned timeout_duration_ms; 1809 } DTLS1_STATE; 1810 1811 struct ssl_st { 1812 /* method is the method table corresponding to the current protocol (DTLS or 1813 * TLS). */ 1814 const SSL_PROTOCOL_METHOD *method; 1815 1816 /* version is the protocol version. */ 1817 int version; 1818 1819 /* max_version is the maximum acceptable protocol version. Note this version 1820 * is normalized in DTLS. */ 1821 uint16_t max_version; 1822 1823 /* min_version is the minimum acceptable protocol version. Note this version 1824 * is normalized in DTLS. */ 1825 uint16_t min_version; 1826 1827 uint16_t max_send_fragment; 1828 1829 /* There are 2 BIO's even though they are normally both the same. This is so 1830 * data can be read and written to different handlers */ 1831 1832 BIO *rbio; /* used by SSL_read */ 1833 BIO *wbio; /* used by SSL_write */ 1834 1835 int (*handshake_func)(SSL_HANDSHAKE *hs); 1836 1837 BUF_MEM *init_buf; /* buffer used during init */ 1838 1839 /* init_msg is a pointer to the current handshake message body. */ 1840 const uint8_t *init_msg; 1841 /* init_num is the length of the current handshake message body. */ 1842 uint32_t init_num; 1843 1844 struct ssl3_state_st *s3; /* SSLv3 variables */ 1845 struct dtls1_state_st *d1; /* DTLSv1 variables */ 1846 1847 /* callback that allows applications to peek at protocol messages */ 1848 void (*msg_callback)(int write_p, int version, int content_type, 1849 const void *buf, size_t len, SSL *ssl, void *arg); 1850 void *msg_callback_arg; 1851 1852 X509_VERIFY_PARAM *param; 1853 1854 /* crypto */ 1855 struct ssl_cipher_preference_list_st *cipher_list; 1856 1857 /* session info */ 1858 1859 /* client cert? */ 1860 /* This is used to hold the server certificate used */ 1861 struct cert_st /* CERT */ *cert; 1862 1863 /* This holds a variable that indicates what we were doing when a 0 or -1 is 1864 * returned. This is needed for non-blocking IO so we know what request 1865 * needs re-doing when in SSL_accept or SSL_connect */ 1866 int rwstate; 1867 1868 /* initial_timeout_duration_ms is the default DTLS timeout duration in 1869 * milliseconds. It's used to initialize the timer any time it's restarted. */ 1870 unsigned initial_timeout_duration_ms; 1871 1872 /* session is the configured session to be offered by the client. This session 1873 * is immutable. */ 1874 SSL_SESSION *session; 1875 1876 int (*verify_callback)(int ok, 1877 X509_STORE_CTX *ctx); /* fail if callback returns 0 */ 1878 1879 void (*info_callback)(const SSL *ssl, int type, int value); 1880 1881 /* Server-only: psk_identity_hint is the identity hint to send in 1882 * PSK-based key exchanges. */ 1883 char *psk_identity_hint; 1884 1885 unsigned int (*psk_client_callback)(SSL *ssl, const char *hint, 1886 char *identity, 1887 unsigned int max_identity_len, 1888 uint8_t *psk, unsigned int max_psk_len); 1889 unsigned int (*psk_server_callback)(SSL *ssl, const char *identity, 1890 uint8_t *psk, unsigned int max_psk_len); 1891 1892 SSL_CTX *ctx; 1893 1894 /* extra application data */ 1895 CRYPTO_EX_DATA ex_data; 1896 1897 /* for server side, keep the list of CA_dn we can use */ 1898 STACK_OF(CRYPTO_BUFFER) *client_CA; 1899 1900 /* cached_x509_client_CA is a cache of parsed versions of the elements of 1901 * |client_CA|. */ 1902 STACK_OF(X509_NAME) *cached_x509_client_CA; 1903 1904 uint32_t options; /* protocol behaviour */ 1905 uint32_t mode; /* API behaviour */ 1906 uint32_t max_cert_list; 1907 char *tlsext_hostname; 1908 size_t supported_group_list_len; 1909 uint16_t *supported_group_list; /* our list */ 1910 1911 /* session_ctx is the |SSL_CTX| used for the session cache and related 1912 * settings. */ 1913 SSL_CTX *session_ctx; 1914 1915 /* srtp_profiles is the list of configured SRTP protection profiles for 1916 * DTLS-SRTP. */ 1917 STACK_OF(SRTP_PROTECTION_PROFILE) *srtp_profiles; 1918 1919 /* srtp_profile is the selected SRTP protection profile for 1920 * DTLS-SRTP. */ 1921 const SRTP_PROTECTION_PROFILE *srtp_profile; 1922 1923 /* The client's Channel ID private key. */ 1924 EVP_PKEY *tlsext_channel_id_private; 1925 1926 /* For a client, this contains the list of supported protocols in wire 1927 * format. */ 1928 uint8_t *alpn_client_proto_list; 1929 unsigned alpn_client_proto_list_len; 1930 1931 /* renegotiate_mode controls how peer renegotiation attempts are handled. */ 1932 enum ssl_renegotiate_mode_t renegotiate_mode; 1933 1934 /* verify_mode is a bitmask of |SSL_VERIFY_*| values. */ 1935 uint8_t verify_mode; 1936 1937 /* server is true iff the this SSL* is the server half. Note: before the SSL* 1938 * is initialized by either SSL_set_accept_state or SSL_set_connect_state, 1939 * the side is not determined. In this state, server is always false. */ 1940 unsigned server:1; 1941 1942 /* quiet_shutdown is true if the connection should not send a close_notify on 1943 * shutdown. */ 1944 unsigned quiet_shutdown:1; 1945 1946 /* Enable signed certificate time stamps. Currently client only. */ 1947 unsigned signed_cert_timestamps_enabled:1; 1948 1949 /* ocsp_stapling_enabled is only used by client connections and indicates 1950 * whether OCSP stapling will be requested. */ 1951 unsigned ocsp_stapling_enabled:1; 1952 1953 /* tlsext_channel_id_enabled is copied from the |SSL_CTX|. For a server, 1954 * means that we'll accept Channel IDs from clients. For a client, means that 1955 * we'll advertise support. */ 1956 unsigned tlsext_channel_id_enabled:1; 1957 1958 /* retain_only_sha256_of_client_certs is true if we should compute the SHA256 1959 * hash of the peer's certificate and then discard it to save memory and 1960 * session space. Only effective on the server side. */ 1961 unsigned retain_only_sha256_of_client_certs:1; 1962 1963 /* early_data_accepted is true if early data was accepted by the server. */ 1964 unsigned early_data_accepted:1; 1965 }; 1966 1967 /* From draft-ietf-tls-tls13-18, used in determining PSK modes. */ 1968 #define SSL_PSK_KE 0x0 1969 #define SSL_PSK_DHE_KE 0x1 1970 1971 /* From draft-ietf-tls-tls13-16, used in determining whether to respond with a 1972 * KeyUpdate. */ 1973 #define SSL_KEY_UPDATE_NOT_REQUESTED 0 1974 #define SSL_KEY_UPDATE_REQUESTED 1 1975 1976 CERT *ssl_cert_new(const SSL_X509_METHOD *x509_method); 1977 CERT *ssl_cert_dup(CERT *cert); 1978 void ssl_cert_clear_certs(CERT *c); 1979 void ssl_cert_free(CERT *c); 1980 int ssl_set_cert(CERT *cert, CRYPTO_BUFFER *buffer); 1981 int ssl_is_key_type_supported(int key_type); 1982 /* ssl_compare_public_and_private_key returns one if |pubkey| is the public 1983 * counterpart to |privkey|. Otherwise it returns zero and pushes a helpful 1984 * message on the error queue. */ 1985 int ssl_compare_public_and_private_key(const EVP_PKEY *pubkey, 1986 const EVP_PKEY *privkey); 1987 int ssl_cert_check_private_key(const CERT *cert, const EVP_PKEY *privkey); 1988 int ssl_get_new_session(SSL_HANDSHAKE *hs, int is_server); 1989 int ssl_encrypt_ticket(SSL *ssl, CBB *out, const SSL_SESSION *session); 1990 1991 /* ssl_session_new returns a newly-allocated blank |SSL_SESSION| or NULL on 1992 * error. */ 1993 SSL_SESSION *ssl_session_new(const SSL_X509_METHOD *x509_method); 1994 1995 /* SSL_SESSION_parse parses an |SSL_SESSION| from |cbs| and advances |cbs| over 1996 * the parsed data. */ 1997 SSL_SESSION *SSL_SESSION_parse(CBS *cbs, const SSL_X509_METHOD *x509_method, 1998 CRYPTO_BUFFER_POOL *pool); 1999 2000 /* ssl_session_is_context_valid returns one if |session|'s session ID context 2001 * matches the one set on |ssl| and zero otherwise. */ 2002 int ssl_session_is_context_valid(const SSL *ssl, const SSL_SESSION *session); 2003 2004 /* ssl_session_is_time_valid returns one if |session| is still valid and zero if 2005 * it has expired. */ 2006 int ssl_session_is_time_valid(const SSL *ssl, const SSL_SESSION *session); 2007 2008 /* ssl_session_is_resumable returns one if |session| is resumable for |hs| and 2009 * zero otherwise. */ 2010 int ssl_session_is_resumable(const SSL_HANDSHAKE *hs, 2011 const SSL_SESSION *session); 2012 2013 /* SSL_SESSION_get_digest returns the digest used in |session|. If the digest is 2014 * invalid, it returns NULL. */ 2015 const EVP_MD *SSL_SESSION_get_digest(const SSL_SESSION *session, 2016 const SSL *ssl); 2017 2018 void ssl_set_session(SSL *ssl, SSL_SESSION *session); 2019 2020 enum ssl_session_result_t { 2021 ssl_session_success, 2022 ssl_session_error, 2023 ssl_session_retry, 2024 ssl_session_ticket_retry, 2025 }; 2026 2027 /* ssl_get_prev_session looks up the previous session based on |client_hello|. 2028 * On success, it sets |*out_session| to the session or NULL if none was found. 2029 * If the session could not be looked up synchronously, it returns 2030 * |ssl_session_retry| and should be called again. If a ticket could not be 2031 * decrypted immediately it returns |ssl_session_ticket_retry| and should also 2032 * be called again. Otherwise, it returns |ssl_session_error|. */ 2033 enum ssl_session_result_t ssl_get_prev_session( 2034 SSL *ssl, SSL_SESSION **out_session, int *out_tickets_supported, 2035 int *out_renew_ticket, const SSL_CLIENT_HELLO *client_hello); 2036 2037 /* The following flags determine which parts of the session are duplicated. */ 2038 #define SSL_SESSION_DUP_AUTH_ONLY 0x0 2039 #define SSL_SESSION_INCLUDE_TICKET 0x1 2040 #define SSL_SESSION_INCLUDE_NONAUTH 0x2 2041 #define SSL_SESSION_DUP_ALL \ 2042 (SSL_SESSION_INCLUDE_TICKET | SSL_SESSION_INCLUDE_NONAUTH) 2043 2044 /* SSL_SESSION_dup returns a newly-allocated |SSL_SESSION| with a copy of the 2045 * fields in |session| or NULL on error. The new session is non-resumable and 2046 * must be explicitly marked resumable once it has been filled in. */ 2047 OPENSSL_EXPORT SSL_SESSION *SSL_SESSION_dup(SSL_SESSION *session, 2048 int dup_flags); 2049 2050 /* ssl_session_rebase_time updates |session|'s start time to the current time, 2051 * adjusting the timeout so the expiration time is unchanged. */ 2052 void ssl_session_rebase_time(SSL *ssl, SSL_SESSION *session); 2053 2054 /* ssl_session_renew_timeout calls |ssl_session_rebase_time| and renews 2055 * |session|'s timeout to |timeout| (measured from the current time). The 2056 * renewal is clamped to the session's auth_timeout. */ 2057 void ssl_session_renew_timeout(SSL *ssl, SSL_SESSION *session, 2058 uint32_t timeout); 2059 2060 void ssl_cipher_preference_list_free( 2061 struct ssl_cipher_preference_list_st *cipher_list); 2062 2063 /* ssl_get_cipher_preferences returns the cipher preference list for TLS 1.2 and 2064 * below. */ 2065 const struct ssl_cipher_preference_list_st *ssl_get_cipher_preferences( 2066 const SSL *ssl); 2067 2068 void ssl_update_cache(SSL_HANDSHAKE *hs, int mode); 2069 2070 int ssl3_get_finished(SSL_HANDSHAKE *hs); 2071 int ssl3_send_alert(SSL *ssl, int level, int desc); 2072 int ssl3_get_message(SSL *ssl); 2073 void ssl3_get_current_message(const SSL *ssl, CBS *out); 2074 void ssl3_release_current_message(SSL *ssl, int free_buffer); 2075 2076 int ssl3_send_finished(SSL_HANDSHAKE *hs); 2077 int ssl3_dispatch_alert(SSL *ssl); 2078 int ssl3_read_app_data(SSL *ssl, int *out_got_handshake, uint8_t *buf, int len, 2079 int peek); 2080 int ssl3_read_change_cipher_spec(SSL *ssl); 2081 void ssl3_read_close_notify(SSL *ssl); 2082 int ssl3_read_handshake_bytes(SSL *ssl, uint8_t *buf, int len); 2083 int ssl3_write_app_data(SSL *ssl, const uint8_t *buf, int len); 2084 int ssl3_output_cert_chain(SSL *ssl); 2085 2086 int ssl3_new(SSL *ssl); 2087 void ssl3_free(SSL *ssl); 2088 int ssl3_accept(SSL_HANDSHAKE *hs); 2089 int ssl3_connect(SSL_HANDSHAKE *hs); 2090 2091 int ssl3_init_message(SSL *ssl, CBB *cbb, CBB *body, uint8_t type); 2092 int ssl3_finish_message(SSL *ssl, CBB *cbb, uint8_t **out_msg, size_t *out_len); 2093 int ssl3_add_message(SSL *ssl, uint8_t *msg, size_t len); 2094 int ssl3_add_change_cipher_spec(SSL *ssl); 2095 int ssl3_add_alert(SSL *ssl, uint8_t level, uint8_t desc); 2096 int ssl3_flush_flight(SSL *ssl); 2097 2098 int dtls1_init_message(SSL *ssl, CBB *cbb, CBB *body, uint8_t type); 2099 int dtls1_finish_message(SSL *ssl, CBB *cbb, uint8_t **out_msg, 2100 size_t *out_len); 2101 int dtls1_add_message(SSL *ssl, uint8_t *msg, size_t len); 2102 int dtls1_add_change_cipher_spec(SSL *ssl); 2103 int dtls1_add_alert(SSL *ssl, uint8_t level, uint8_t desc); 2104 int dtls1_flush_flight(SSL *ssl); 2105 2106 /* ssl_add_message_cbb finishes the handshake message in |cbb| and adds it to 2107 * the pending flight. It returns one on success and zero on error. */ 2108 int ssl_add_message_cbb(SSL *ssl, CBB *cbb); 2109 2110 /* ssl_hash_current_message incorporates the current handshake message into the 2111 * handshake hash. It returns one on success and zero on allocation failure. */ 2112 int ssl_hash_current_message(SSL_HANDSHAKE *hs); 2113 2114 /* dtls1_get_record reads a new input record. On success, it places it in 2115 * |ssl->s3->rrec| and returns one. Otherwise it returns <= 0 on error or if 2116 * more data is needed. */ 2117 int dtls1_get_record(SSL *ssl); 2118 2119 int dtls1_read_app_data(SSL *ssl, int *out_got_handshake, uint8_t *buf, int len, 2120 int peek); 2121 int dtls1_read_change_cipher_spec(SSL *ssl); 2122 void dtls1_read_close_notify(SSL *ssl); 2123 2124 int dtls1_write_app_data(SSL *ssl, const uint8_t *buf, int len); 2125 2126 /* dtls1_write_record sends a record. It returns one on success and <= 0 on 2127 * error. */ 2128 int dtls1_write_record(SSL *ssl, int type, const uint8_t *buf, size_t len, 2129 enum dtls1_use_epoch_t use_epoch); 2130 2131 int dtls1_send_finished(SSL *ssl, int a, int b, const char *sender, int slen); 2132 int dtls1_retransmit_outgoing_messages(SSL *ssl); 2133 void dtls1_clear_record_buffer(SSL *ssl); 2134 int dtls1_parse_fragment(CBS *cbs, struct hm_header_st *out_hdr, 2135 CBS *out_body); 2136 int dtls1_check_timeout_num(SSL *ssl); 2137 int dtls1_handshake_write(SSL *ssl); 2138 2139 void dtls1_start_timer(SSL *ssl); 2140 void dtls1_stop_timer(SSL *ssl); 2141 int dtls1_is_timer_expired(SSL *ssl); 2142 void dtls1_double_timeout(SSL *ssl); 2143 unsigned int dtls1_min_mtu(void); 2144 2145 int dtls1_new(SSL *ssl); 2146 int dtls1_accept(SSL *ssl); 2147 int dtls1_connect(SSL *ssl); 2148 void dtls1_free(SSL *ssl); 2149 2150 int dtls1_get_message(SSL *ssl); 2151 void dtls1_get_current_message(const SSL *ssl, CBS *out); 2152 void dtls1_release_current_message(SSL *ssl, int free_buffer); 2153 int dtls1_dispatch_alert(SSL *ssl); 2154 2155 int tls1_change_cipher_state(SSL_HANDSHAKE *hs, int which); 2156 int tls1_generate_master_secret(SSL_HANDSHAKE *hs, uint8_t *out, 2157 const uint8_t *premaster, size_t premaster_len); 2158 2159 /* tls1_get_grouplist sets |*out_group_ids| and |*out_group_ids_len| to the 2160 * locally-configured group preference list. */ 2161 void tls1_get_grouplist(SSL *ssl, const uint16_t **out_group_ids, 2162 size_t *out_group_ids_len); 2163 2164 /* tls1_check_group_id returns one if |group_id| is consistent with 2165 * locally-configured group preferences. */ 2166 int tls1_check_group_id(SSL *ssl, uint16_t group_id); 2167 2168 /* tls1_get_shared_group sets |*out_group_id| to the first preferred shared 2169 * group between client and server preferences and returns one. If none may be 2170 * found, it returns zero. */ 2171 int tls1_get_shared_group(SSL_HANDSHAKE *hs, uint16_t *out_group_id); 2172 2173 /* tls1_set_curves converts the array of |ncurves| NIDs pointed to by |curves| 2174 * into a newly allocated array of TLS group IDs. On success, the function 2175 * returns one and writes the array to |*out_group_ids| and its size to 2176 * |*out_group_ids_len|. Otherwise, it returns zero. */ 2177 int tls1_set_curves(uint16_t **out_group_ids, size_t *out_group_ids_len, 2178 const int *curves, size_t ncurves); 2179 2180 /* tls1_set_curves_list converts the string of curves pointed to by |curves| 2181 * into a newly allocated array of TLS group IDs. On success, the function 2182 * returns one and writes the array to |*out_group_ids| and its size to 2183 * |*out_group_ids_len|. Otherwise, it returns zero. */ 2184 int tls1_set_curves_list(uint16_t **out_group_ids, size_t *out_group_ids_len, 2185 const char *curves); 2186 2187 /* ssl_add_clienthello_tlsext writes ClientHello extensions to |out|. It 2188 * returns one on success and zero on failure. The |header_len| argument is the 2189 * length of the ClientHello written so far and is used to compute the padding 2190 * length. (It does not include the record header.) */ 2191 int ssl_add_clienthello_tlsext(SSL_HANDSHAKE *hs, CBB *out, size_t header_len); 2192 2193 int ssl_add_serverhello_tlsext(SSL_HANDSHAKE *hs, CBB *out); 2194 int ssl_parse_clienthello_tlsext(SSL_HANDSHAKE *hs, 2195 const SSL_CLIENT_HELLO *client_hello); 2196 int ssl_parse_serverhello_tlsext(SSL_HANDSHAKE *hs, CBS *cbs); 2197 2198 #define tlsext_tick_md EVP_sha256 2199 2200 /* ssl_process_ticket processes a session ticket from the client. It returns 2201 * one of: 2202 * |ssl_ticket_aead_success|: |*out_session| is set to the parsed session and 2203 * |*out_renew_ticket| is set to whether the ticket should be renewed. 2204 * |ssl_ticket_aead_ignore_ticket|: |*out_renew_ticket| is set to whether a 2205 * fresh ticket should be sent, but the given ticket cannot be used. 2206 * |ssl_ticket_aead_retry|: the ticket could not be immediately decrypted. 2207 * Retry later. 2208 * |ssl_ticket_aead_error|: an error occured that is fatal to the connection. */ 2209 enum ssl_ticket_aead_result_t ssl_process_ticket( 2210 SSL *ssl, SSL_SESSION **out_session, int *out_renew_ticket, 2211 const uint8_t *ticket, size_t ticket_len, const uint8_t *session_id, 2212 size_t session_id_len); 2213 2214 /* tls1_verify_channel_id processes the current message as a Channel ID message, 2215 * and verifies the signature. If the key is valid, it saves the Channel ID and 2216 * returns one. Otherwise, it returns zero. */ 2217 int tls1_verify_channel_id(SSL_HANDSHAKE *hs); 2218 2219 /* tls1_write_channel_id generates a Channel ID message and puts the output in 2220 * |cbb|. |ssl->tlsext_channel_id_private| must already be set before calling. 2221 * This function returns one on success and zero on error. */ 2222 int tls1_write_channel_id(SSL_HANDSHAKE *hs, CBB *cbb); 2223 2224 /* tls1_channel_id_hash computes the hash to be signed by Channel ID and writes 2225 * it to |out|, which must contain at least |EVP_MAX_MD_SIZE| bytes. It returns 2226 * one on success and zero on failure. */ 2227 int tls1_channel_id_hash(SSL_HANDSHAKE *hs, uint8_t *out, size_t *out_len); 2228 2229 int tls1_record_handshake_hashes_for_channel_id(SSL_HANDSHAKE *hs); 2230 2231 /* ssl_do_channel_id_callback checks runs |ssl->ctx->channel_id_cb| if 2232 * necessary. It returns one on success and zero on fatal error. Note that, on 2233 * success, |ssl->tlsext_channel_id_private| may be unset, in which case the 2234 * operation should be retried later. */ 2235 int ssl_do_channel_id_callback(SSL *ssl); 2236 2237 /* ssl3_can_false_start returns one if |ssl| is allowed to False Start and zero 2238 * otherwise. */ 2239 int ssl3_can_false_start(const SSL *ssl); 2240 2241 /* ssl_can_write returns one if |ssl| is allowed to write and zero otherwise. */ 2242 int ssl_can_write(const SSL *ssl); 2243 2244 /* ssl_can_read returns one if |ssl| is allowed to read and zero otherwise. */ 2245 int ssl_can_read(const SSL *ssl); 2246 2247 /* ssl_get_version_range sets |*out_min_version| and |*out_max_version| to the 2248 * minimum and maximum enabled protocol versions, respectively. */ 2249 int ssl_get_version_range(const SSL *ssl, uint16_t *out_min_version, 2250 uint16_t *out_max_version); 2251 2252 /* ssl3_protocol_version returns |ssl|'s protocol version. It is an error to 2253 * call this function before the version is determined. */ 2254 uint16_t ssl3_protocol_version(const SSL *ssl); 2255 2256 void ssl_get_current_time(const SSL *ssl, struct OPENSSL_timeval *out_clock); 2257 2258 /* ssl_reset_error_state resets state for |SSL_get_error|. */ 2259 void ssl_reset_error_state(SSL *ssl); 2260 2261 2262 #if defined(__cplusplus) 2263 } /* extern C */ 2264 #endif 2265 2266 #endif /* OPENSSL_HEADER_SSL_INTERNAL_H */ 2267
