Lines Matching refs:SSL
4 * This package is an SSL implementation written
6 * The implementation was written so as to conform with Netscapes SSL.
11 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
141 #include <openssl/ssl.h>
167 OPENSSL_DECLARE_ERROR_REASON(SSL, UNKNOWN_PROTOCOL)
171 OPENSSL_DECLARE_ERROR_REASON(SSL, BLOCK_CIPHER_PAD_IS_WRONG)
172 OPENSSL_DECLARE_ERROR_REASON(SSL, NO_CIPHERS_SPECIFIED)
233 OPENSSL_PUT_ERROR(SSL, SSL_R_NULL_SSL_METHOD_PASSED);
304 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
311 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
358 SSL *SSL_new(SSL_CTX *ctx) {
360 OPENSSL_PUT_ERROR(SSL, SSL_R_NULL_SSL_CTX);
364 OPENSSL_PUT_ERROR(SSL, SSL_R_SSL_CTX_HAS_NO_DEFAULT_SSL_VERSION);
368 SSL *ssl = (SSL *)OPENSSL_malloc(sizeof(SSL));
369 if (ssl == NULL) {
372 OPENSSL_memset(ssl, 0, sizeof(SSL));
374 ssl->conf_min_version = ctx->conf_min_version;
375 ssl->conf_max_version = ctx->conf_max_version;
376 ssl->tls13_variant = ctx->tls13_variant;
380 ssl->initial_timeout_duration_ms = 1000;
382 ssl->options = ctx->options;
383 ssl->mode = ctx->mode;
384 ssl->max_cert_list = ctx->max_cert_list;
386 ssl->cert = ssl_cert_dup(ctx->cert);
387 if (ssl->cert == NULL) {
391 ssl->msg_callback = ctx->msg_callback;
392 ssl->msg_callback_arg = ctx->msg_callback_arg;
393 ssl->verify_mode = ctx->verify_mode;
394 ssl->verify_callback = ctx->default_verify_callback;
395 ssl->retain_only_sha256_of_client_certs =
398 ssl->quiet_shutdown = ctx->quiet_shutdown;
399 ssl->max_send_fragment = ctx->max_send_fragment;
402 ssl->ctx = ctx;
404 ssl->session_ctx = ctx;
406 if (!ssl->ctx->x509_method->ssl_new(ssl)) {
411 ssl->supported_group_list = (uint16_t *)BUF_memdup(
413 if (!ssl->supported_group_list) {
416 ssl->supported_group_list_len = ctx->supported_group_list_len;
420 ssl->alpn_client_proto_list = (uint8_t *)BUF_memdup(
422 if (ssl->alpn_client_proto_list == NULL) {
425 ssl->alpn_client_proto_list_len = ctx->alpn_client_proto_list_len;
428 ssl->method = ctx->method;
430 if (!ssl->method->ssl_new(ssl)) {
434 ssl->rwstate = SSL_NOTHING;
436 CRYPTO_new_ex_data(&ssl->ex_data);
438 ssl->psk_identity_hint = NULL;
440 ssl->psk_identity_hint = BUF_strdup(ctx->psk_identity_hint);
441 if (ssl->psk_identity_hint == NULL) {
445 ssl->psk_client_callback = ctx->psk_client_callback;
446 ssl->psk_server_callback = ctx->psk_server_callback;
448 ssl->tlsext_channel_id_enabled = ctx->tlsext_channel_id_enabled;
451 ssl->tlsext_channel_id_private = ctx->tlsext_channel_id_private;
454 ssl->signed_cert_timestamps_enabled = ctx->signed_cert_timestamps_enabled;
455 ssl->ocsp_stapling_enabled = ctx->ocsp_stapling_enabled;
457 return ssl;
460 SSL_free(ssl);
461 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
466 void SSL_free(SSL *ssl) {
467 if (ssl == NULL) {
471 if (ssl->ctx != NULL) {
472 ssl->ctx->x509_method->ssl_free(ssl);
475 CRYPTO_free_ex_data(&g_ex_data_class_ssl, ssl, &ssl->ex_data);
477 BIO_free_all(ssl->rbio);
478 BIO_free_all(ssl->wbio);
480 BUF_MEM_free(ssl->init_buf);
483 ssl_cipher_preference_list_free(ssl->cipher_list);
485 SSL_SESSION_free(ssl->session);
487 ssl_cert_free(ssl->cert);
489 OPENSSL_free(ssl->tlsext_hostname);
490 SSL_CTX_free(ssl->session_ctx);
491 OPENSSL_free(ssl->supported_group_list);
492 OPENSSL_free(ssl->alpn_client_proto_list);
493 EVP_PKEY_free(ssl->tlsext_channel_id_private);
494 OPENSSL_free(ssl->psk_identity_hint);
495 sk_CRYPTO_BUFFER_pop_free(ssl->client_CA, CRYPTO_BUFFER_free);
496 sk_SRTP_PROTECTION_PROFILE_free(ssl->srtp_profiles);
498 if (ssl->method != NULL) {
499 ssl->method->ssl_free(ssl);
501 SSL_CTX_free(ssl->ctx);
503 OPENSSL_free(ssl);
506 void SSL_set_connect_state(SSL *ssl) {
507 ssl->server = 0;
508 ssl->handshake_func = ssl3_connect;
511 void SSL_set_accept_state(SSL *ssl) {
512 ssl->server = 1;
513 ssl->handshake_func = ssl3_accept;
516 void SSL_set0_rbio(SSL *ssl, BIO *rbio) {
517 BIO_free_all(ssl->rbio);
518 ssl->rbio = rbio;
521 void SSL_set0_wbio(SSL *ssl, BIO *wbio) {
522 BIO_free_all(ssl->wbio);
523 ssl->wbio = wbio;
526 void SSL_set_bio(SSL *ssl, BIO *rbio, BIO *wbio) {
531 if (rbio == SSL_get_rbio(ssl) && wbio == SSL_get_wbio(ssl)) {
542 if (rbio == SSL_get_rbio(ssl)) {
543 SSL_set0_wbio(ssl, wbio);
550 if (wbio == SSL_get_wbio(ssl) && SSL_get_rbio(ssl) != SSL_get_wbio(ssl)) {
551 SSL_set0_rbio(ssl, rbio);
556 SSL_set0_rbio(ssl, rbio);
557 SSL_set0_wbio(ssl, wbio);
560 BIO *SSL_get_rbio(const SSL *ssl) { return ssl->rbio; }
562 BIO *SSL_get_wbio(const SSL *ssl) { return ssl->wbio; }
564 void ssl_reset_error_state(SSL *ssl) {
567 ssl->rwstate = SSL_NOTHING;
572 int SSL_do_handshake(SSL *ssl) {
573 ssl_reset_error_state(ssl);
575 if (ssl->handshake_func == NULL) {
576 OPENSSL_PUT_ERROR(SSL, SSL_R_CONNECTION_TYPE_NOT_SET);
580 if (!SSL_in_init(ssl)) {
584 if (ssl->s3->hs == NULL) {
585 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
590 assert(ssl->s3->hs != NULL);
591 int ret = ssl->handshake_func(ssl->s3->hs);
597 if (!SSL_in_init(ssl)) {
598 ssl_handshake_free(ssl->s3->hs);
599 ssl->s3->hs = NULL;
605 int SSL_connect(SSL *ssl) {
606 if (ssl->handshake_func == NULL) {
608 SSL_set_connect_state(ssl);
611 return SSL_do_handshake(ssl);
614 int SSL_accept(SSL *ssl) {
615 if (ssl->handshake_func == NULL) {
617 SSL_set_accept_state(ssl);
620 return SSL_do_handshake(ssl);
623 int ssl_can_write(const SSL *ssl) {
624 return !SSL_in_init(ssl) || ssl->s3->hs->can_early_write;
627 int ssl_can_read(const SSL *ssl) {
628 return !SSL_in_init(ssl) || ssl->s3->hs->can_early_read;
631 static int ssl_do_renegotiate(SSL *ssl) {
632 /* We do not accept renegotiations as a server or SSL 3.0. SSL 3.0 will be
635 if (ssl->server || ssl->version == SSL3_VERSION) {
639 if (ssl->s3->tmp.message_type != SSL3_MT_HELLO_REQUEST ||
640 ssl->init_num != 0) {
641 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
642 OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_HELLO_REQUEST);
646 switch (ssl->renegotiate_mode) {
652 if (ssl->s3->total_renegotiations != 0) {
668 if (ssl_write_buffer_is_pending(ssl)) {
673 if (ssl->s3->hs != NULL) {
674 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
677 ssl->s3->hs = ssl_handshake_new(ssl);
678 if (ssl->s3->hs == NULL) {
682 ssl->s3->total_renegotiations++;
686 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_NO_RENEGOTIATION);
687 OPENSSL_PUT_ERROR(SSL, SSL_R_NO_RENEGOTIATION);
691 static int ssl_do_post_handshake(SSL *ssl) {
692 if (ssl3_protocol_version(ssl) < TLS1_3_VERSION) {
693 return ssl_do_renegotiate(ssl);
696 return tls13_post_handshake(ssl);
699 static int ssl_read_impl(SSL *ssl, void *buf, int num, int peek) {
700 ssl_reset_error_state(ssl);
702 if (ssl->handshake_func == NULL) {
703 OPENSSL_PUT_ERROR(SSL, SSL_R_UNINITIALIZED);
711 while (!ssl_can_read(ssl)) {
712 int ret = SSL_do_handshake(ssl);
717 OPENSSL_PUT_ERROR(SSL, SSL_R_SSL_HANDSHAKE_FAILURE);
723 int ret = ssl->method->read_app_data(ssl, &got_handshake, (uint8_t *)buf,
726 ssl->s3->key_update_count = 0;
732 if (SSL_in_init(ssl)) {
737 if (!ssl_do_post_handshake(ssl)) {
740 ssl->method->release_current_message(ssl, 1 /* free buffer */);
744 int SSL_read(SSL *ssl, void *buf, int num) {
745 return ssl_read_impl(ssl, buf, num, 0 /* consume bytes */);
748 int SSL_peek(SSL *ssl, void *buf, int num) {
749 return ssl_read_impl(ssl, buf, num, 1 /* peek */);
752 int SSL_write(SSL *ssl, const void *buf, int num) {
753 ssl_reset_error_state(ssl);
755 if (ssl->handshake_func == NULL) {
756 OPENSSL_PUT_ERROR(SSL, SSL_R_UNINITIALIZED);
760 if (ssl->s3->send_shutdown != ssl_shutdown_none) {
761 OPENSSL_PUT_ERROR(SSL, SSL_R_PROTOCOL_IS_SHUTDOWN);
768 if (!ssl_can_write(ssl)) {
769 ret = SSL_do_handshake(ssl);
774 OPENSSL_PUT_ERROR(SSL, SSL_R_SSL_HANDSHAKE_FAILURE);
779 ret = ssl->method->write_app_data(ssl, &needs_handshake,
785 int SSL_shutdown(SSL *ssl) {
786 ssl_reset_error_state(ssl);
788 if (ssl->handshake_func == NULL) {
789 OPENSSL_PUT_ERROR(SSL, SSL_R_UNINITIALIZED);
796 if (SSL_in_init(ssl)) {
800 if (ssl->quiet_shutdown) {
802 ssl->s3->send_shutdown = ssl_shutdown_close_notify;
803 ssl->s3->recv_shutdown = ssl_shutdown_close_notify;
811 if (ssl->s3->send_shutdown != ssl_shutdown_close_notify) {
813 if (ssl3_send_alert(ssl, SSL3_AL_WARNING, SSL_AD_CLOSE_NOTIFY) <= 0) {
816 } else if (ssl->s3->alert_dispatch) {
818 if (ssl->method->dispatch_alert(ssl) <= 0) {
821 } else if (ssl->s3->recv_shutdown != ssl_shutdown_close_notify) {
823 ssl->method->read_close_notify(ssl);
824 if (ssl->s3->recv_shutdown != ssl_shutdown_close_notify) {
830 return ssl->s3->recv_shutdown == ssl_shutdown_close_notify;
833 int SSL_send_fatal_alert(SSL *ssl, uint8_t alert) {
834 if (ssl->s3->alert_dispatch) {
835 if (ssl->s3->send_alert[0] != SSL3_AL_FATAL ||
836 ssl->s3->send_alert[1] != alert) {
838 OPENSSL_PUT_ERROR(SSL, SSL_R_PROTOCOL_IS_SHUTDOWN);
841 return ssl->method->dispatch_alert(ssl);
844 return ssl3_send_alert(ssl, SSL3_AL_FATAL, alert);
855 void SSL_set_tls13_variant(SSL *ssl, enum tls13_variant_t variant) {
856 ssl->tls13_variant = variant;
859 void SSL_set_early_data_enabled(SSL *ssl, int enabled) {
860 ssl->cert->enable_early_data = !!enabled;
863 int SSL_in_early_data(const SSL *ssl) {
864 if (ssl->s3->hs == NULL) {
867 return ssl->s3->hs->in_early_data;
870 int SSL_early_data_accepted(const SSL *ssl) {
871 return ssl->early_data_accepted;
874 void SSL_reset_early_data_reject(SSL *ssl) {
875 SSL_HANDSHAKE *hs = ssl->s3->hs;
889 ssl->s3->wpend_pending = 0;
903 int SSL_get_error(const SSL *ssl, int ret_code) {
919 if (ssl->s3->recv_shutdown == ssl_shutdown_close_notify) {
928 switch (ssl->rwstate) {
936 BIO *bio = SSL_get_rbio(ssl);
955 BIO *bio = SSL_get_wbio(ssl);
1004 uint32_t SSL_set_options(SSL *ssl, uint32_t options) {
1005 ssl->options |= options;
1006 return ssl->options;
1009 uint32_t SSL_clear_options(SSL *ssl, uint32_t options) {
1010 ssl->options &= ~options;
1011 return ssl->options;
1014 uint32_t SSL_get_options(const SSL *ssl) { return ssl->options; }
1028 uint32_t SSL_set_mode(SSL *ssl, uint32_t mode) {
1029 ssl->mode |= mode;
1030 return ssl->mode;
1033 uint32_t SSL_clear_mode(SSL *ssl, uint32_t mode) {
1034 ssl->mode &= ~mode;
1035 return ssl->mode;
1038 uint32_t SSL_get_mode(const SSL *ssl) { return ssl->mode; }
1044 int SSL_get_tls_unique(const SSL *ssl, uint8_t *out, size_t *out_len,
1049 /* tls-unique is not defined for SSL 3.0 or TLS 1.3. */
1050 if (!ssl->s3->initial_handshake_complete ||
1051 ssl3_protocol_version(ssl) < TLS1_VERSION ||
1052 ssl3_protocol_version(ssl) >= TLS1_3_VERSION) {
1059 const uint8_t *finished = ssl->s3->previous_client_finished;
1060 size_t finished_len = ssl->s3->previous_client_finished_len;
1061 if (ssl->session != NULL) {
1063 if (!ssl->session->extended_master_secret) {
1066 finished = ssl->s3->previous_server_finished;
1067 finished_len = ssl->s3->previous_server_finished_len;
1082 OPENSSL_PUT_ERROR(SSL, SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG);
1097 int SSL_set_session_id_context(SSL *ssl, const uint8_t *sid_ctx,
1099 return set_session_id_context(ssl->cert, sid_ctx, sid_ctx_len);
1102 const uint8_t *SSL_get0_session_id_context(const SSL *ssl, size_t *out_len) {
1103 *out_len = ssl->cert->sid_ctx_length;
1104 return ssl->cert->sid_ctx;
1117 void SSL_certs_clear(SSL *ssl) { ssl_cert_clear_certs(ssl->cert); }
1119 int SSL_get_fd(const SSL *ssl) { return SSL_get_rfd(ssl); }
1121 int SSL_get_rfd(const SSL *ssl) {
1123 BIO *b = BIO_find_type(SSL_get_rbio(ssl), BIO_TYPE_DESCRIPTOR);
1130 int SSL_get_wfd(const SSL *ssl) {
1132 BIO *b = BIO_find_type(SSL_get_wbio(ssl), BIO_TYPE_DESCRIPTOR);
1139 int SSL_set_fd(SSL *ssl, int fd) {
1142 OPENSSL_PUT_ERROR(SSL, ERR_R_BUF_LIB);
1146 SSL_set_bio(ssl, bio, bio);
1150 int SSL_set_wfd(SSL *ssl, int fd) {
1151 BIO *rbio = SSL_get_rbio(ssl);
1156 OPENSSL_PUT_ERROR(SSL, ERR_R_BUF_LIB);
1160 SSL_set0_wbio(ssl, bio);
1164 SSL_set0_wbio(ssl, rbio);
1170 int SSL_set_rfd(SSL *ssl, int fd) {
1171 BIO *wbio = SSL_get_wbio(ssl);
1176 OPENSSL_PUT_ERROR(SSL, ERR_R_BUF_LIB);
1180 SSL_set0_rbio(ssl, bio);
1184 SSL_set0_rbio(ssl, wbio);
1198 size_t SSL_get_finished(const SSL *ssl, void *buf, size_t count) {
1199 if (!ssl->s3->initial_handshake_complete ||
1200 ssl3_protocol_version(ssl) < TLS1_VERSION ||
1201 ssl3_protocol_version(ssl) >= TLS1_3_VERSION) {
1205 if (ssl->server) {
1206 return copy_finished(buf, count, ssl->s3->previous_server_finished,
1207 ssl->s3->previous_server_finished_len);
1210 return copy_finished(buf, count, ssl->s3->previous_client_finished,
1211 ssl->s3->previous_client_finished_len);
1214 size_t SSL_get_peer_finished(const SSL *ssl, void *buf, size_t count) {
1215 if (!ssl->s3->initial_handshake_complete ||
1216 ssl3_protocol_version(ssl) < TLS1_VERSION ||
1217 ssl3_protocol_version(ssl) >= TLS1_3_VERSION) {
1221 if (ssl->server) {
1222 return copy_finished(buf, count, ssl->s3->previous_client_finished,
1223 ssl->s3->previous_client_finished_len);
1226 return copy_finished(buf, count, ssl->s3->previous_server_finished,
1227 ssl->s3->previous_server_finished_len);
1230 int SSL_get_verify_mode(const SSL *ssl) { return ssl->verify_mode; }
1232 int SSL_get_extms_support(const SSL *ssl) {
1235 if (!ssl->s3->have_version) {
1238 if (ssl3_protocol_version(ssl) >= TLS1_3_VERSION) {
1243 if (ssl->s3->established_session != NULL) {
1244 return ssl->s3->established_session->extended_master_secret;
1248 if (ssl->s3->hs != NULL) {
1249 return ssl->s3->hs->extended_master_secret;
1257 int SSL_get_read_ahead(const SSL *ssl) { return 0; }
1261 void SSL_set_read_ahead(SSL *ssl, int yes) { }
1263 int SSL_pending(const SSL *ssl) {
1264 if (ssl->s3->rrec.type != SSL3_RT_APPLICATION_DATA) {
1267 return ssl->s3->rrec.length;
1276 int SSL_check_private_key(const SSL *ssl) {
1277 return ssl_cert_check_private_key(ssl->cert, ssl->cert->privatekey);
1280 long SSL_get_default_timeout(const SSL *ssl) {
1284 int SSL_renegotiate(SSL *ssl) {
1286 OPENSSL_PUT_ERROR(SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
1290 int SSL_renegotiate_pending(SSL *ssl) {
1291 return SSL_in_init(ssl) && ssl->s3->initial_handshake_complete;
1294 int SSL_total_renegotiations(const SSL *ssl) {
1295 return ssl->s3->total_renegotiations;
1309 size_t SSL_get_max_cert_list(const SSL *ssl) {
1310 return ssl->max_cert_list;
1313 void SSL_set_max_cert_list(SSL *ssl, size_t max_cert_list) {
1317 ssl->max_cert_list = (uint32_t)max_cert_list;
1332 int SSL_set_max_send_fragment(SSL *ssl, size_t max_send_fragment) {
1339 ssl->max_send_fragment = (uint16_t)max_send_fragment;
1344 int SSL_set_mtu(SSL *ssl, unsigned mtu) {
1345 if (!SSL_is_dtls(ssl) || mtu < dtls1_min_mtu()) {
1348 ssl->d1->mtu = mtu;
1352 int SSL_get_secure_renegotiation_support(const SSL *ssl) {
1353 if (!ssl->s3->have_version) {
1356 return ssl3_protocol_version(ssl) >= TLS1_3_VERSION ||
1357 ssl->s3->send_connection_binding;
1392 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_TICKET_KEYS_LENGTH);
1407 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_TICKET_KEYS_LENGTH);
1418 SSL_CTX *ctx, int (*callback)(SSL *ssl, uint8_t *key_name, uint8_t *iv,
1431 int SSL_set1_curves(SSL *ssl, const int *curves, size_t curves_len) {
1432 return tls1_set_curves(&ssl->supported_group_list,
1433 &ssl->supported_group_list_len, curves,
1442 int SSL_set1_curves_list(SSL *ssl, const char *curves) {
1443 return tls1_set_curves_list(&ssl->supported_group_list,
1444 &ssl->supported_group_list_len, curves);
1447 uint16_t SSL_get_curve_id(const SSL *ssl) {
1450 SSL_SESSION *session = SSL_get_session(ssl);
1462 int SSL_set_tmp_dh(SSL *ssl, const DH *dh) {
1470 STACK_OF(SSL_CIPHER) *SSL_get_ciphers(const SSL *ssl) {
1471 if (ssl == NULL) {
1476 ssl_get_cipher_preferences(ssl);
1484 const char *SSL_get_cipher_list(const SSL *ssl, int n) {
1485 if (ssl == NULL) {
1489 STACK_OF(SSL_CIPHER) *sk = SSL_get_ciphers(ssl);
1512 int SSL_set_cipher_list(SSL *ssl, const char *str) {
1513 return ssl_create_cipher_list(ssl->ctx->method, &ssl->cipher_list, str,
1517 int SSL_set_strict_cipher_list(SSL *ssl, const char *str) {
1518 return ssl_create_cipher_list(ssl->ctx->method, &ssl->cipher_list, str,
1522 const char *SSL_get_servername(const SSL *ssl, const int type) {
1529 if (ssl->tlsext_hostname != NULL) {
1530 return ssl->tlsext_hostname;
1534 if (ssl->s3->hs != NULL) {
1535 return ssl->s3->hs->hostname;
1542 SSL_SESSION *session = SSL_get_session(ssl);
1549 int SSL_get_servername_type(const SSL *ssl) {
1550 SSL_SESSION *session = SSL_get_session(ssl);
1565 void SSL_enable_signed_cert_timestamps(SSL *ssl) {
1566 ssl->signed_cert_timestamps_enabled = 1;
1573 void SSL_enable_ocsp_stapling(SSL *ssl) {
1574 ssl->ocsp_stapling_enabled = 1;
1577 void SSL_get0_signed_cert_timestamp_list(const SSL *ssl, const uint8_t **out,
1579 SSL_SESSION *session = SSL_get_session(ssl);
1583 if (ssl->server || !session || !session->tlsext_signed_cert_timestamp_list) {
1591 void SSL_get0_ocsp_response(const SSL *ssl, const uint8_t **out,
1593 SSL_SESSION *session = SSL_get_session(ssl);
1597 if (ssl->server || !session || !session->ocsp_response) {
1604 int SSL_set_tlsext_host_name(SSL *ssl, const char *name) {
1605 OPENSSL_free(ssl->tlsext_hostname);
1606 ssl->tlsext_hostname = NULL;
1614 OPENSSL_PUT_ERROR(SSL, SSL_R_SSL3_EXT_INVALID_SERVERNAME);
1617 ssl->tlsext_hostname = BUF_strdup(name);
1618 if (ssl->tlsext_hostname == NULL) {
1619 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
1626 SSL_CTX *ctx, int (*callback)(SSL *ssl, int *out_alert, void *arg)) {
1669 SSL *ssl, const uint8_t **out_data,
1671 *out_data = ssl->s3->next_proto_negotiated;
1672 *out_len = ssl->s3->next_proto_negotiated_len;
1677 int (*cb)(SSL *ssl, const uint8_t **out, unsigned *out_len, void *arg),
1684 SSL_CTX *ctx, int (*cb)(SSL *ssl, uint8_t **out, uint8_t *out_len,
1703 int SSL_set_alpn_protos(SSL *ssl, const uint8_t *protos, unsigned protos_len) {
1704 OPENSSL_free(ssl->alpn_client_proto_list);
1705 ssl->alpn_client_proto_list = (uint8_t *)BUF_memdup(protos, protos_len);
1706 if (!ssl->alpn_client_proto_list) {
1709 ssl->alpn_client_proto_list_len = protos_len;
1715 int (*cb)(SSL *ssl, const uint8_t **out,
1723 void SSL_get0_alpn_selected(const SSL *ssl, const uint8_t **out_data,
1725 if (SSL_in_early_data(ssl) && !ssl->server) {
1726 *out_data = ssl->s3->hs->early_session->early_alpn;
1727 *out_len = ssl->s3->hs->early_session->early_alpn_len;
1729 *out_data = ssl->s3->alpn_selected;
1730 *out_len = ssl->s3->alpn_selected_len;
1747 void SSL_set_tls_channel_id_enabled(SSL *ssl, int enabled) {
1748 ssl->tlsext_channel_id_enabled = !!enabled;
1751 int SSL_enable_tls_channel_id(SSL *ssl) {
1752 SSL_set_tls_channel_id_enabled(ssl, 1);
1765 OPENSSL_PUT_ERROR(SSL, SSL_R_CHANNEL_ID_NOT_P256);
1777 int SSL_set1_tls_channel_id(SSL *ssl, EVP_PKEY *private_key) {
1779 OPENSSL_PUT_ERROR(SSL, SSL_R_CHANNEL_ID_NOT_P256);
1783 EVP_PKEY_free(ssl->tlsext_channel_id_private);
1785 ssl->tlsext_channel_id_private = private_key;
1786 ssl->tlsext_channel_id_enabled = 1;
1791 size_t SSL_get_tls_channel_id(SSL *ssl, uint8_t *out, size_t max_out) {
1792 if (!ssl->s3->tlsext_channel_id_valid) {
1795 OPENSSL_memcpy(out, ssl->s3->tlsext_channel_id,
1800 size_t SSL_get0_certificate_types(SSL *ssl, const uint8_t **out_types) {
1801 if (ssl->server || ssl->s3->hs == NULL) {
1805 *out_types = ssl->s3->hs->certificate_types;
1806 return ssl->s3->hs->num_certificate_types;
1810 SSL *const ssl = hs->ssl;
1811 SSL_CTX *ctx = ssl->session_ctx;
1813 if (ssl->s3->established_session->session_id_length == 0 ||
1814 ssl->s3->established_session->not_resumable ||
1820 int use_internal_cache = ssl->server && !(ctx->session_cache_mode &
1826 if (ssl->s3->established_session != ssl->session ||
1827 (!ssl->server && hs->ticket_expected)) {
1829 SSL_CTX_add_session(ctx, ssl->s3->established_session);
1832 SSL_SESSION_up_ref(ssl->s3->established_session);
1833 if (!ctx->new_session_cb(ssl, ssl->s3->established_session)) {
1835 SSL_SESSION_free(ssl->s3->established_session);
1854 ssl_get_current_time(ssl, &now);
1860 EVP_PKEY *SSL_get_privatekey(const SSL *ssl) {
1861 if (ssl->cert != NULL) {
1862 return ssl->cert->privatekey;
1876 const SSL_CIPHER *SSL_get_current_cipher(const SSL *ssl) {
1877 if (ssl->s3->aead_write_ctx == NULL) {
1880 return ssl->s3->aead_write_ctx->cipher;
1883 int SSL_session_reused(const SSL *ssl) {
1884 return ssl->s3->session_reused || SSL_in_early_data(ssl);
1887 const COMP_METHOD *SSL_get_current_compression(SSL *ssl) { return NULL; }
1889 const COMP_METHOD *SSL_get_current_expansion(SSL *ssl) { return NULL; }
1891 int *SSL_get_server_tmp_key(SSL *ssl, EVP_PKEY **out_key) { return 0; }
1901 void SSL_set_quiet_shutdown(SSL *ssl, int mode) {
1902 ssl->quiet_shutdown = (mode != 0);
1905 int SSL_get_quiet_shutdown(const SSL *ssl) { return ssl->quiet_shutdown; }
1907 void SSL_set_shutdown(SSL *ssl, int mode) {
1910 assert((SSL_get_shutdown(ssl) & mode) == SSL_get_shutdown(ssl));
1913 ssl->s3->recv_shutdown == ssl_shutdown_none) {
1914 ssl->s3->recv_shutdown = ssl_shutdown_close_notify;
1918 ssl->s3->send_shutdown == ssl_shutdown_none) {
1919 ssl->s3->send_shutdown = ssl_shutdown_close_notify;
1923 int SSL_get_shutdown(const SSL *ssl) {
1925 if (ssl->s3->recv_shutdown != ssl_shutdown_none) {
1930 if (ssl->s3->send_shutdown == ssl_shutdown_close_notify) {
1937 SSL_CTX *SSL_get_SSL_CTX(const SSL *ssl) { return ssl->ctx; }
1939 SSL_CTX *SSL_set_SSL_CTX(SSL *ssl, SSL_CTX *ctx) {
1940 if (ssl->ctx == ctx) {
1941 return ssl->ctx;
1945 if (ssl->ctx->x509_method != ctx->x509_method) {
1951 ctx = ssl->session_ctx;
1954 ssl_cert_free(ssl->cert);
1955 ssl->cert = ssl_cert_dup(ctx->cert);
1958 SSL_CTX_free(ssl->ctx);
1959 ssl->ctx = ctx;
1961 return ssl->ctx;
1964 void SSL_set_info_callback(SSL *ssl,
1965 void (*cb)(const SSL *ssl, int type, int value)) {
1966 ssl->info_callback = cb;
1969 void (*SSL_get_info_callback(const SSL *ssl))(const SSL *ssl, int type,
1971 return ssl->info_callback;
1974 int SSL_state(const SSL *ssl) {
1975 return SSL_in_init(ssl) ? SSL_ST_INIT : SSL_ST_OK;
1978 void SSL_set_state(SSL *ssl, int state) { }
1980 char *SSL_get_shared_ciphers(const SSL *ssl, char *buf, int len) {
1998 int SSL_set_ex_data(SSL *ssl, int idx, void *arg) {
1999 return CRYPTO_set_ex_data(&ssl->ex_data, idx, arg);
2002 void *SSL_get_ex_data(const SSL *ssl, int idx) {
2003 return CRYPTO_get_ex_data(&ssl->ex_data, idx);
2025 int SSL_want(const SSL *ssl) { return ssl->rwstate; }
2028 RSA *(*cb)(SSL *ssl, int is_export,
2032 void SSL_set_tmp_rsa_callback(SSL *ssl, RSA *(*cb)(SSL *ssl, int is_export,
2037 DH *(*callback)(SSL *ssl, int is_export,
2041 void SSL_set_tmp_dh_callback(SSL *ssl, DH *(*callback)(SSL *ssl, int is_export,
2047 OPENSSL_PUT_ERROR(SSL, SSL_R_DATA_LENGTH_TOO_LONG);
2073 int SSL_use_psk_identity_hint(SSL *ssl, const char *identity_hint) {
2074 return use_psk_identity_hint(&ssl->psk_identity_hint, identity_hint);
2077 const char *SSL_get_psk_identity_hint(const SSL *ssl) {
2078 if (ssl == NULL) {
2081 return ssl->psk_identity_hint;
2084 const char *SSL_get_psk_identity(const SSL *ssl) {
2085 if (ssl == NULL) {
2088 SSL_SESSION *session = SSL_get_session(ssl);
2096 SSL *ssl, unsigned (*cb)(SSL *ssl, const char *hint, char *identity,
2099 ssl->psk_client_callback = cb;
2103 SSL_CTX *ctx, unsigned (*cb)(SSL *ssl, const char *hint, char *identity,
2110 SSL *ssl, unsigned (*cb)(SSL *ssl, const char *identity, uint8_t *psk,
2112 ssl->psk_server_callback = cb;
2116 SSL_CTX *ctx, unsigned (*cb)(SSL *ssl, const char *identity,
2124 size_t len, SSL *ssl, void *arg)) {
2132 void SSL_set_msg_callback(SSL *ssl,
2134 const void *buf, size_t len, SSL *ssl,
2136 ssl->msg_callback = cb;
2139 void SSL_set_msg_callback_arg(SSL *ssl, void *arg) {
2140 ssl->msg_callback_arg = arg;
2144 void (*cb)(const SSL *ssl, const char *line)) {
2148 void (*SSL_CTX_get_keylog_callback(const SSL_CTX *ctx))(const SSL *ssl,
2154 void (*cb)(const SSL *ssl,
2175 int ssl_log_secret(const SSL *ssl, const char *label, const uint8_t *secret,
2177 if (ssl->ctx->keylog_callback == NULL) {
2188 !cbb_add_hex(&cbb, ssl->s3->client_random, SSL3_RANDOM_SIZE) ||
2197 ssl->ctx->keylog_callback(ssl, (const char *)out);
2202 int SSL_is_init_finished(const SSL *ssl) {
2203 return !SSL_in_init(ssl);
2206 int SSL_in_init(const SSL *ssl) {
2207 SSL_HANDSHAKE *hs = ssl->s3->hs;
2211 int SSL_in_false_start(const SSL *ssl) {
2212 if (ssl->s3->hs == NULL) {
2215 return ssl->s3->hs->in_false_start;
2218 SSL *ssl) {
2219 return SSL_in_false_start(ssl);
2224 *ssl_size = sizeof(SSL);
2229 int ssl3_can_false_start(const SSL *ssl) {
2230 const SSL_CIPHER *const cipher = SSL_get_current_cipher(ssl);
2233 return !SSL_is_dtls(ssl) &&
2234 SSL_version(ssl) == TLS1_2_VERSION &&
2235 (ssl->s3->alpn_selected != NULL ||
2236 ssl->s3->next_proto_negotiated != NULL) &&
2242 int SSL_is_server(const SSL *ssl) { return ssl->server; }
2244 int SSL_is_dtls(const SSL *ssl) { return ssl->method->is_dtls; }
2257 void SSL_set_renegotiate_mode(SSL *ssl, enum ssl_renegotiate_mode_t mode) {
2258 ssl->renegotiate_mode = mode;
2261 int SSL_get_ivs(const SSL *ssl, const uint8_t **out_read_iv,
2263 if (ssl->s3->aead_read_ctx == NULL || ssl->s3->aead_write_ctx == NULL) {
2268 if (!EVP_AEAD_CTX_get_iv(&ssl->s3->aead_read_ctx->ctx, out_read_iv,
2270 !EVP_AEAD_CTX_get_iv(&ssl->s3->aead_write_ctx->ctx, out_write_iv,
2286 uint64_t SSL_get_read_sequence(const SSL *ssl) {
2288 if (SSL_is_dtls(ssl)) {
2290 assert(ssl->d1->r_epoch == (ssl->d1->bitmap.max_seq_num >> 48));
2291 return ssl->d1->bitmap.max_seq_num;
2293 return be_to_u64(ssl->s3->read_sequence);
2296 uint64_t SSL_get_write_sequence(const SSL *ssl) {
2297 uint64_t ret = be_to_u64(ssl->s3->write_sequence);
2298 if (SSL_is_dtls(ssl)) {
2300 ret |= ((uint64_t)ssl->d1->w_epoch) << 48;
2305 uint16_t SSL_get_peer_signature_algorithm(const SSL *ssl) {
2308 SSL_SESSION *session = SSL_get_session(ssl);
2316 size_t SSL_get_client_random(const SSL *ssl, uint8_t *out, size_t max_out) {
2318 return sizeof(ssl->s3->client_random);
2320 if (max_out > sizeof(ssl->s3->client_random)) {
2321 max_out = sizeof(ssl->s3->client_random);
2323 OPENSSL_memcpy(out, ssl->s3->client_random, max_out);
2327 size_t SSL_get_server_random(const SSL *ssl, uint8_t *out, size_t max_out) {
2329 return sizeof(ssl->s3->server_random);
2331 if (max_out > sizeof(ssl->s3->server_random)) {
2332 max_out = sizeof(ssl->s3->server_random);
2334 OPENSSL_memcpy(out, ssl->s3->server_random, max_out);
2338 const SSL_CIPHER *SSL_get_pending_cipher(const SSL *ssl) {
2339 SSL_HANDSHAKE *hs = ssl->s3->hs;
2346 void SSL_set_retain_only_sha256_of_client_certs(SSL *ssl, int enabled) {
2347 ssl->retain_only_sha256_of_client_certs = !!enabled;
2358 int32_t SSL_get_ticket_age_skew(const SSL *ssl) {
2359 return ssl->s3->ticket_age_skew;
2362 int SSL_clear(SSL *ssl) {
2363 /* In OpenSSL, reusing a client |SSL| with |SSL_clear| causes the previously
2367 if (!ssl->server && ssl->s3->established_session != NULL) {
2368 session = ssl->s3->established_session;
2372 /* TODO(davidben): Some state on |ssl| is reset both in |SSL_new| and
2374 * state. Per-connection state should be on |ssl->s3| and |ssl->d1| so it is
2378 ssl->rwstate = SSL_NOTHING;
2380 BUF_MEM_free(ssl->init_buf);
2381 ssl->init_buf = NULL;
2382 ssl->init_msg = NULL;
2383 ssl->init_num = 0;
2385 /* The ssl->d1->mtu is simultaneously configuration (preserved across
2390 if (ssl->d1 != NULL) {
2391 mtu = ssl->d1->mtu;
2394 ssl->method->ssl_free(ssl);
2395 if (!ssl->method->ssl_new(ssl)) {
2400 if (SSL_is_dtls(ssl) && (SSL_get_options(ssl) & SSL_OP_NO_QUERY_MTU)) {
2401 ssl->d1->mtu = mtu;
2405 SSL_set_session(ssl, session);
2412 void ssl_do_info_callback(const SSL *ssl, int type, int value) {
2413 void (*cb)(const SSL *ssl, int type, int value) = NULL;
2414 if (ssl->info_callback != NULL) {
2415 cb = ssl->info_callback;
2416 } else if (ssl->ctx->info_callback != NULL) {
2417 cb = ssl->ctx->info_callback;
2421 cb(ssl, type, value);
2425 void ssl_do_msg_callback(SSL *ssl, int is_write, int content_type,
2427 if (ssl->msg_callback == NULL) {
2443 version = SSL_version(ssl);
2446 ssl->msg_callback(is_write, version, content_type, buf, len, ssl,
2447 ssl->msg_callback_arg);
2462 int SSL_num_renegotiations(const SSL *ssl) {
2463 return SSL_total_renegotiations(ssl);
2467 int SSL_need_tmp_RSA(const SSL *ssl) { return 0; }
2469 int SSL_set_tmp_rsa(SSL *ssl, const RSA *rsa) { return 1; }
2472 int SSL_cache_hit(SSL *ssl) { return SSL_session_reused(ssl); }
2476 OPENSSL_PUT_ERROR(SSL, ERR_R_PASSED_NULL_PARAMETER);
2483 int SSL_set_tmp_ecdh(SSL *ssl, const EC_KEY *ec_key) {
2485 OPENSSL_PUT_ERROR(SSL, ERR_R_PASSED_NULL_PARAMETER);
2489 return SSL_set1_curves(ssl, &nid, 1);
2492 void ssl_get_current_time(const SSL *ssl, struct OPENSSL_timeval *out_clock) {
2493 if (ssl->ctx->current_time_cb != NULL) {
2497 ssl->ctx->current_time_cb(ssl, &clock);
