1 /* Copyright (C) 1995-1998 Eric Young (eay (at) cryptsoft.com) 2 * All rights reserved. 3 * 4 * This package is an SSL implementation written 5 * by Eric Young (eay (at) cryptsoft.com). 6 * The implementation was written so as to conform with Netscapes SSL. 7 * 8 * This library is free for commercial and non-commercial use as long as 9 * the following conditions are aheared to. The following conditions 10 * apply to all code found in this distribution, be it the RC4, RSA, 11 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 12 * included with this distribution is covered by the same copyright terms 13 * except that the holder is Tim Hudson (tjh (at) cryptsoft.com). 14 * 15 * Copyright remains Eric Young's, and as such any Copyright notices in 16 * the code are not to be removed. 17 * If this package is used in a product, Eric Young should be given attribution 18 * as the author of the parts of the library used. 19 * This can be in the form of a textual message at program startup or 20 * in documentation (online or textual) provided with the package. 21 * 22 * Redistribution and use in source and binary forms, with or without 23 * modification, are permitted provided that the following conditions 24 * are met: 25 * 1. Redistributions of source code must retain the copyright 26 * notice, this list of conditions and the following disclaimer. 27 * 2. Redistributions in binary form must reproduce the above copyright 28 * notice, this list of conditions and the following disclaimer in the 29 * documentation and/or other materials provided with the distribution. 30 * 3. All advertising materials mentioning features or use of this software 31 * must display the following acknowledgement: 32 * "This product includes cryptographic software written by 33 * Eric Young (eay (at) cryptsoft.com)" 34 * The word 'cryptographic' can be left out if the rouines from the library 35 * being used are not cryptographic related :-). 36 * 4. If you include any Windows specific code (or a derivative thereof) from 37 * the apps directory (application code) you must include an acknowledgement: 38 * "This product includes software written by Tim Hudson (tjh (at) cryptsoft.com)" 39 * 40 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 41 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 43 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 44 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 45 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 46 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 48 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 49 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 50 * SUCH DAMAGE. 51 * 52 * The licence and distribution terms for any publically available version or 53 * derivative of this code cannot be changed. i.e. this code cannot simply be 54 * copied and put under another distribution licence 55 * [including the GNU Public Licence.] 56 */ 57 /* ==================================================================== 58 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved. 59 * 60 * Redistribution and use in source and binary forms, with or without 61 * modification, are permitted provided that the following conditions 62 * are met: 63 * 64 * 1. Redistributions of source code must retain the above copyright 65 * notice, this list of conditions and the following disclaimer. 66 * 67 * 2. Redistributions in binary form must reproduce the above copyright 68 * notice, this list of conditions and the following disclaimer in 69 * the documentation and/or other materials provided with the 70 * distribution. 71 * 72 * 3. All advertising materials mentioning features or use of this 73 * software must display the following acknowledgment: 74 * "This product includes software developed by the OpenSSL Project 75 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 76 * 77 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 78 * endorse or promote products derived from this software without 79 * prior written permission. For written permission, please contact 80 * openssl-core (at) openssl.org. 81 * 82 * 5. Products derived from this software may not be called "OpenSSL" 83 * nor may "OpenSSL" appear in their names without prior written 84 * permission of the OpenSSL Project. 85 * 86 * 6. Redistributions of any form whatsoever must retain the following 87 * acknowledgment: 88 * "This product includes software developed by the OpenSSL Project 89 * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 90 * 91 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 92 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 93 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 94 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 95 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 96 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 97 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 98 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 99 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 100 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 101 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 102 * OF THE POSSIBILITY OF SUCH DAMAGE. 103 * ==================================================================== 104 * 105 * This product includes cryptographic software written by Eric Young 106 * (eay (at) cryptsoft.com). This product includes software written by Tim 107 * Hudson (tjh (at) cryptsoft.com). 108 * 109 */ 110 /* ==================================================================== 111 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. 112 * ECC cipher suite support in OpenSSL originally developed by 113 * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project. 114 */ 115 /* ==================================================================== 116 * Copyright 2005 Nokia. All rights reserved. 117 * 118 * The portions of the attached software ("Contribution") is developed by 119 * Nokia Corporation and is licensed pursuant to the OpenSSL open source 120 * license. 121 * 122 * The Contribution, originally written by Mika Kousa and Pasi Eronen of 123 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites 124 * support (see RFC 4279) to OpenSSL. 125 * 126 * No patent licenses or other rights except those expressly stated in 127 * the OpenSSL open source license shall be deemed granted or received 128 * expressly, by implication, estoppel, or otherwise. 129 * 130 * No assurances are provided by Nokia that the Contribution does not 131 * infringe the patent or other intellectual property rights of any third 132 * party or that the license provides you with all the necessary rights 133 * to make use of the Contribution. 134 * 135 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN 136 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA 137 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY 138 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR 139 * OTHERWISE. */ 140 141 #include <openssl/ssl.h> 142 143 #include <assert.h> 144 #include <stdlib.h> 145 #include <string.h> 146 147 #include <openssl/bytestring.h> 148 #include <openssl/crypto.h> 149 #include <openssl/err.h> 150 #include <openssl/lhash.h> 151 #include <openssl/mem.h> 152 #include <openssl/rand.h> 153 154 #include "internal.h" 155 #include "../crypto/internal.h" 156 157 #if defined(OPENSSL_WINDOWS) 158 #include <sys/timeb.h> 159 #else 160 #include <sys/socket.h> 161 #include <sys/time.h> 162 #endif 163 164 165 namespace bssl { 166 167 // |SSL_R_UNKNOWN_PROTOCOL| is no longer emitted, but continue to define it 168 // to avoid downstream churn. 169 OPENSSL_DECLARE_ERROR_REASON(SSL, UNKNOWN_PROTOCOL) 170 171 // The following errors are no longer emitted, but are used in nginx without 172 // #ifdefs. 173 OPENSSL_DECLARE_ERROR_REASON(SSL, BLOCK_CIPHER_PAD_IS_WRONG) 174 OPENSSL_DECLARE_ERROR_REASON(SSL, NO_CIPHERS_SPECIFIED) 175 176 // Some error codes are special. Ensure the make_errors.go script never 177 // regresses this. 178 static_assert(SSL_R_TLSV1_ALERT_NO_RENEGOTIATION == 179 SSL_AD_NO_RENEGOTIATION + SSL_AD_REASON_OFFSET, 180 "alert reason code mismatch"); 181 182 // kMaxHandshakeSize is the maximum size, in bytes, of a handshake message. 183 static const size_t kMaxHandshakeSize = (1u << 24) - 1; 184 185 static CRYPTO_EX_DATA_CLASS g_ex_data_class_ssl = 186 CRYPTO_EX_DATA_CLASS_INIT_WITH_APP_DATA; 187 static CRYPTO_EX_DATA_CLASS g_ex_data_class_ssl_ctx = 188 CRYPTO_EX_DATA_CLASS_INIT_WITH_APP_DATA; 189 190 bool CBBFinishArray(CBB *cbb, Array<uint8_t> *out) { 191 uint8_t *ptr; 192 size_t len; 193 if (!CBB_finish(cbb, &ptr, &len)) { 194 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); 195 return false; 196 } 197 out->Reset(ptr, len); 198 return true; 199 } 200 201 void ssl_reset_error_state(SSL *ssl) { 202 // Functions which use |SSL_get_error| must reset I/O and error state on 203 // entry. 204 ssl->s3->rwstate = SSL_NOTHING; 205 ERR_clear_error(); 206 ERR_clear_system_error(); 207 } 208 209 void ssl_set_read_error(SSL* ssl) { 210 ssl->s3->read_shutdown = ssl_shutdown_error; 211 ssl->s3->read_error.reset(ERR_save_state()); 212 } 213 214 static bool check_read_error(const SSL *ssl) { 215 if (ssl->s3->read_shutdown == ssl_shutdown_error) { 216 ERR_restore_state(ssl->s3->read_error.get()); 217 return false; 218 } 219 return true; 220 } 221 222 int ssl_can_write(const SSL *ssl) { 223 return !SSL_in_init(ssl) || ssl->s3->hs->can_early_write; 224 } 225 226 int ssl_can_read(const SSL *ssl) { 227 return !SSL_in_init(ssl) || ssl->s3->hs->can_early_read; 228 } 229 230 ssl_open_record_t ssl_open_handshake(SSL *ssl, size_t *out_consumed, 231 uint8_t *out_alert, Span<uint8_t> in) { 232 *out_consumed = 0; 233 if (!check_read_error(ssl)) { 234 *out_alert = 0; 235 return ssl_open_record_error; 236 } 237 auto ret = ssl->method->open_handshake(ssl, out_consumed, out_alert, in); 238 if (ret == ssl_open_record_error) { 239 ssl_set_read_error(ssl); 240 } 241 return ret; 242 } 243 244 ssl_open_record_t ssl_open_change_cipher_spec(SSL *ssl, size_t *out_consumed, 245 uint8_t *out_alert, 246 Span<uint8_t> in) { 247 *out_consumed = 0; 248 if (!check_read_error(ssl)) { 249 *out_alert = 0; 250 return ssl_open_record_error; 251 } 252 auto ret = 253 ssl->method->open_change_cipher_spec(ssl, out_consumed, out_alert, in); 254 if (ret == ssl_open_record_error) { 255 ssl_set_read_error(ssl); 256 } 257 return ret; 258 } 259 260 ssl_open_record_t ssl_open_app_data(SSL *ssl, Span<uint8_t> *out, 261 size_t *out_consumed, uint8_t *out_alert, 262 Span<uint8_t> in) { 263 *out_consumed = 0; 264 if (!check_read_error(ssl)) { 265 *out_alert = 0; 266 return ssl_open_record_error; 267 } 268 auto ret = ssl->method->open_app_data(ssl, out, out_consumed, out_alert, in); 269 if (ret == ssl_open_record_error) { 270 ssl_set_read_error(ssl); 271 } 272 return ret; 273 } 274 275 void ssl_cipher_preference_list_free( 276 struct ssl_cipher_preference_list_st *cipher_list) { 277 if (cipher_list == NULL) { 278 return; 279 } 280 sk_SSL_CIPHER_free(cipher_list->ciphers); 281 OPENSSL_free(cipher_list->in_group_flags); 282 OPENSSL_free(cipher_list); 283 } 284 285 void ssl_update_cache(SSL_HANDSHAKE *hs, int mode) { 286 SSL *const ssl = hs->ssl; 287 SSL_CTX *ctx = ssl->session_ctx; 288 // Never cache sessions with empty session IDs. 289 if (ssl->s3->established_session->session_id_length == 0 || 290 ssl->s3->established_session->not_resumable || 291 (ctx->session_cache_mode & mode) != mode) { 292 return; 293 } 294 295 // Clients never use the internal session cache. 296 int use_internal_cache = ssl->server && !(ctx->session_cache_mode & 297 SSL_SESS_CACHE_NO_INTERNAL_STORE); 298 299 // A client may see new sessions on abbreviated handshakes if the server 300 // decides to renew the ticket. Once the handshake is completed, it should be 301 // inserted into the cache. 302 if (ssl->s3->established_session.get() != ssl->session || 303 (!ssl->server && hs->ticket_expected)) { 304 if (use_internal_cache) { 305 SSL_CTX_add_session(ctx, ssl->s3->established_session.get()); 306 } 307 if (ctx->new_session_cb != NULL) { 308 SSL_SESSION_up_ref(ssl->s3->established_session.get()); 309 if (!ctx->new_session_cb(ssl, ssl->s3->established_session.get())) { 310 // |new_session_cb|'s return value signals whether it took ownership. 311 SSL_SESSION_free(ssl->s3->established_session.get()); 312 } 313 } 314 } 315 316 if (use_internal_cache && 317 !(ctx->session_cache_mode & SSL_SESS_CACHE_NO_AUTO_CLEAR)) { 318 // Automatically flush the internal session cache every 255 connections. 319 int flush_cache = 0; 320 CRYPTO_MUTEX_lock_write(&ctx->lock); 321 ctx->handshakes_since_cache_flush++; 322 if (ctx->handshakes_since_cache_flush >= 255) { 323 flush_cache = 1; 324 ctx->handshakes_since_cache_flush = 0; 325 } 326 CRYPTO_MUTEX_unlock_write(&ctx->lock); 327 328 if (flush_cache) { 329 struct OPENSSL_timeval now; 330 ssl_get_current_time(ssl, &now); 331 SSL_CTX_flush_sessions(ctx, now.tv_sec); 332 } 333 } 334 } 335 336 static int cbb_add_hex(CBB *cbb, const uint8_t *in, size_t in_len) { 337 static const char hextable[] = "0123456789abcdef"; 338 uint8_t *out; 339 340 if (!CBB_add_space(cbb, &out, in_len * 2)) { 341 return 0; 342 } 343 344 for (size_t i = 0; i < in_len; i++) { 345 *(out++) = (uint8_t)hextable[in[i] >> 4]; 346 *(out++) = (uint8_t)hextable[in[i] & 0xf]; 347 } 348 349 return 1; 350 } 351 352 int ssl_log_secret(const SSL *ssl, const char *label, const uint8_t *secret, 353 size_t secret_len) { 354 if (ssl->ctx->keylog_callback == NULL) { 355 return 1; 356 } 357 358 ScopedCBB cbb; 359 uint8_t *out; 360 size_t out_len; 361 if (!CBB_init(cbb.get(), strlen(label) + 1 + SSL3_RANDOM_SIZE * 2 + 1 + 362 secret_len * 2 + 1) || 363 !CBB_add_bytes(cbb.get(), (const uint8_t *)label, strlen(label)) || 364 !CBB_add_bytes(cbb.get(), (const uint8_t *)" ", 1) || 365 !cbb_add_hex(cbb.get(), ssl->s3->client_random, SSL3_RANDOM_SIZE) || 366 !CBB_add_bytes(cbb.get(), (const uint8_t *)" ", 1) || 367 !cbb_add_hex(cbb.get(), secret, secret_len) || 368 !CBB_add_u8(cbb.get(), 0 /* NUL */) || 369 !CBB_finish(cbb.get(), &out, &out_len)) { 370 return 0; 371 } 372 373 ssl->ctx->keylog_callback(ssl, (const char *)out); 374 OPENSSL_free(out); 375 return 1; 376 } 377 378 void ssl_do_info_callback(const SSL *ssl, int type, int value) { 379 void (*cb)(const SSL *ssl, int type, int value) = NULL; 380 if (ssl->info_callback != NULL) { 381 cb = ssl->info_callback; 382 } else if (ssl->ctx->info_callback != NULL) { 383 cb = ssl->ctx->info_callback; 384 } 385 386 if (cb != NULL) { 387 cb(ssl, type, value); 388 } 389 } 390 391 void ssl_do_msg_callback(SSL *ssl, int is_write, int content_type, 392 Span<const uint8_t> in) { 393 if (ssl->msg_callback == NULL) { 394 return; 395 } 396 397 // |version| is zero when calling for |SSL3_RT_HEADER| and |SSL2_VERSION| for 398 // a V2ClientHello. 399 int version; 400 switch (content_type) { 401 case 0: 402 // V2ClientHello 403 version = SSL2_VERSION; 404 break; 405 case SSL3_RT_HEADER: 406 version = 0; 407 break; 408 default: 409 version = SSL_version(ssl); 410 } 411 412 ssl->msg_callback(is_write, version, content_type, in.data(), in.size(), ssl, 413 ssl->msg_callback_arg); 414 } 415 416 void ssl_get_current_time(const SSL *ssl, struct OPENSSL_timeval *out_clock) { 417 // TODO(martinkr): Change callers to |ssl_ctx_get_current_time| and drop the 418 // |ssl| arg from |current_time_cb| if possible. 419 ssl_ctx_get_current_time(ssl->ctx, out_clock); 420 } 421 422 void ssl_ctx_get_current_time(const SSL_CTX *ctx, 423 struct OPENSSL_timeval *out_clock) { 424 if (ctx->current_time_cb != NULL) { 425 // TODO(davidben): Update current_time_cb to use OPENSSL_timeval. See 426 // https://crbug.com/boringssl/155. 427 struct timeval clock; 428 ctx->current_time_cb(nullptr /* ssl */, &clock); 429 if (clock.tv_sec < 0) { 430 assert(0); 431 out_clock->tv_sec = 0; 432 out_clock->tv_usec = 0; 433 } else { 434 out_clock->tv_sec = (uint64_t)clock.tv_sec; 435 out_clock->tv_usec = (uint32_t)clock.tv_usec; 436 } 437 return; 438 } 439 440 #if defined(BORINGSSL_UNSAFE_DETERMINISTIC_MODE) 441 out_clock->tv_sec = 1234; 442 out_clock->tv_usec = 1234; 443 #elif defined(OPENSSL_WINDOWS) 444 struct _timeb time; 445 _ftime(&time); 446 if (time.time < 0) { 447 assert(0); 448 out_clock->tv_sec = 0; 449 out_clock->tv_usec = 0; 450 } else { 451 out_clock->tv_sec = time.time; 452 out_clock->tv_usec = time.millitm * 1000; 453 } 454 #else 455 struct timeval clock; 456 gettimeofday(&clock, NULL); 457 if (clock.tv_sec < 0) { 458 assert(0); 459 out_clock->tv_sec = 0; 460 out_clock->tv_usec = 0; 461 } else { 462 out_clock->tv_sec = (uint64_t)clock.tv_sec; 463 out_clock->tv_usec = (uint32_t)clock.tv_usec; 464 } 465 #endif 466 } 467 468 void SSL_CTX_set_handoff_mode(SSL_CTX *ctx, bool on) { 469 ctx->handoff = on; 470 } 471 472 } // namespace bssl 473 474 using namespace bssl; 475 476 int SSL_library_init(void) { 477 CRYPTO_library_init(); 478 return 1; 479 } 480 481 int OPENSSL_init_ssl(uint64_t opts, const OPENSSL_INIT_SETTINGS *settings) { 482 CRYPTO_library_init(); 483 return 1; 484 } 485 486 static uint32_t ssl_session_hash(const SSL_SESSION *sess) { 487 const uint8_t *session_id = sess->session_id; 488 489 uint8_t tmp_storage[sizeof(uint32_t)]; 490 if (sess->session_id_length < sizeof(tmp_storage)) { 491 OPENSSL_memset(tmp_storage, 0, sizeof(tmp_storage)); 492 OPENSSL_memcpy(tmp_storage, sess->session_id, sess->session_id_length); 493 session_id = tmp_storage; 494 } 495 496 uint32_t hash = 497 ((uint32_t)session_id[0]) | 498 ((uint32_t)session_id[1] << 8) | 499 ((uint32_t)session_id[2] << 16) | 500 ((uint32_t)session_id[3] << 24); 501 502 return hash; 503 } 504 505 // NB: If this function (or indeed the hash function which uses a sort of 506 // coarser function than this one) is changed, ensure 507 // SSL_CTX_has_matching_session_id() is checked accordingly. It relies on being 508 // able to construct an SSL_SESSION that will collide with any existing session 509 // with a matching session ID. 510 static int ssl_session_cmp(const SSL_SESSION *a, const SSL_SESSION *b) { 511 if (a->ssl_version != b->ssl_version) { 512 return 1; 513 } 514 515 if (a->session_id_length != b->session_id_length) { 516 return 1; 517 } 518 519 return OPENSSL_memcmp(a->session_id, b->session_id, a->session_id_length); 520 } 521 522 SSL_CTX *SSL_CTX_new(const SSL_METHOD *method) { 523 SSL_CTX *ret = NULL; 524 525 if (method == NULL) { 526 OPENSSL_PUT_ERROR(SSL, SSL_R_NULL_SSL_METHOD_PASSED); 527 return NULL; 528 } 529 530 ret = (SSL_CTX *)OPENSSL_malloc(sizeof(SSL_CTX)); 531 if (ret == NULL) { 532 goto err; 533 } 534 535 OPENSSL_memset(ret, 0, sizeof(SSL_CTX)); 536 537 ret->method = method->method; 538 ret->x509_method = method->x509_method; 539 540 CRYPTO_MUTEX_init(&ret->lock); 541 542 ret->session_cache_mode = SSL_SESS_CACHE_SERVER; 543 ret->session_cache_size = SSL_SESSION_CACHE_MAX_SIZE_DEFAULT; 544 545 ret->session_timeout = SSL_DEFAULT_SESSION_TIMEOUT; 546 ret->session_psk_dhe_timeout = SSL_DEFAULT_SESSION_PSK_DHE_TIMEOUT; 547 548 ret->references = 1; 549 550 ret->max_cert_list = SSL_MAX_CERT_LIST_DEFAULT; 551 ret->verify_mode = SSL_VERIFY_NONE; 552 ret->cert = ssl_cert_new(method->x509_method); 553 if (ret->cert == NULL) { 554 goto err; 555 } 556 557 ret->sessions = lh_SSL_SESSION_new(ssl_session_hash, ssl_session_cmp); 558 if (ret->sessions == NULL) { 559 goto err; 560 } 561 562 if (!ret->x509_method->ssl_ctx_new(ret)) { 563 goto err; 564 } 565 566 if (!SSL_CTX_set_strict_cipher_list(ret, SSL_DEFAULT_CIPHER_LIST)) { 567 goto err2; 568 } 569 570 ret->client_CA = sk_CRYPTO_BUFFER_new_null(); 571 if (ret->client_CA == NULL) { 572 goto err; 573 } 574 575 CRYPTO_new_ex_data(&ret->ex_data); 576 577 ret->max_send_fragment = SSL3_RT_MAX_PLAIN_LENGTH; 578 579 // Disable the auto-chaining feature by default. Once this has stuck without 580 // problems, the feature will be removed entirely. 581 ret->mode = SSL_MODE_NO_AUTO_CHAIN; 582 583 // Lock the SSL_CTX to the specified version, for compatibility with legacy 584 // uses of SSL_METHOD, but we do not set the minimum version for 585 // |SSLv3_method|. 586 if (!SSL_CTX_set_max_proto_version(ret, method->version) || 587 !SSL_CTX_set_min_proto_version(ret, method->version == SSL3_VERSION 588 ? 0 // default 589 : method->version)) { 590 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); 591 goto err2; 592 } 593 594 return ret; 595 596 err: 597 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); 598 err2: 599 SSL_CTX_free(ret); 600 return NULL; 601 } 602 603 int SSL_CTX_up_ref(SSL_CTX *ctx) { 604 CRYPTO_refcount_inc(&ctx->references); 605 return 1; 606 } 607 608 void SSL_CTX_free(SSL_CTX *ctx) { 609 if (ctx == NULL || 610 !CRYPTO_refcount_dec_and_test_zero(&ctx->references)) { 611 return; 612 } 613 614 // Free internal session cache. However: the remove_cb() may reference the 615 // ex_data of SSL_CTX, thus the ex_data store can only be removed after the 616 // sessions were flushed. As the ex_data handling routines might also touch 617 // the session cache, the most secure solution seems to be: empty (flush) the 618 // cache, then free ex_data, then finally free the cache. (See ticket 619 // [openssl.org #212].) 620 SSL_CTX_flush_sessions(ctx, 0); 621 622 CRYPTO_free_ex_data(&g_ex_data_class_ssl_ctx, ctx, &ctx->ex_data); 623 624 CRYPTO_MUTEX_cleanup(&ctx->lock); 625 lh_SSL_SESSION_free(ctx->sessions); 626 ssl_cipher_preference_list_free(ctx->cipher_list); 627 ssl_cert_free(ctx->cert); 628 sk_SSL_CUSTOM_EXTENSION_pop_free(ctx->client_custom_extensions, 629 SSL_CUSTOM_EXTENSION_free); 630 sk_SSL_CUSTOM_EXTENSION_pop_free(ctx->server_custom_extensions, 631 SSL_CUSTOM_EXTENSION_free); 632 sk_CRYPTO_BUFFER_pop_free(ctx->client_CA, CRYPTO_BUFFER_free); 633 ctx->x509_method->ssl_ctx_free(ctx); 634 sk_SRTP_PROTECTION_PROFILE_free(ctx->srtp_profiles); 635 OPENSSL_free(ctx->psk_identity_hint); 636 OPENSSL_free(ctx->supported_group_list); 637 OPENSSL_free(ctx->alpn_client_proto_list); 638 EVP_PKEY_free(ctx->tlsext_channel_id_private); 639 OPENSSL_free(ctx->verify_sigalgs); 640 OPENSSL_free(ctx->tlsext_ticket_key_current); 641 OPENSSL_free(ctx->tlsext_ticket_key_prev); 642 643 OPENSSL_free(ctx); 644 } 645 646 SSL *SSL_new(SSL_CTX *ctx) { 647 if (ctx == NULL) { 648 OPENSSL_PUT_ERROR(SSL, SSL_R_NULL_SSL_CTX); 649 return NULL; 650 } 651 if (ctx->method == NULL) { 652 OPENSSL_PUT_ERROR(SSL, SSL_R_SSL_CTX_HAS_NO_DEFAULT_SSL_VERSION); 653 return NULL; 654 } 655 656 SSL *ssl = (SSL *)OPENSSL_malloc(sizeof(SSL)); 657 if (ssl == NULL) { 658 goto err; 659 } 660 OPENSSL_memset(ssl, 0, sizeof(SSL)); 661 662 ssl->conf_min_version = ctx->conf_min_version; 663 ssl->conf_max_version = ctx->conf_max_version; 664 ssl->tls13_variant = ctx->tls13_variant; 665 666 // RFC 6347 states that implementations SHOULD use an initial timer value of 667 // 1 second. 668 ssl->initial_timeout_duration_ms = 1000; 669 670 ssl->options = ctx->options; 671 ssl->mode = ctx->mode; 672 ssl->max_cert_list = ctx->max_cert_list; 673 674 ssl->cert = ssl_cert_dup(ctx->cert); 675 if (ssl->cert == NULL) { 676 goto err; 677 } 678 679 ssl->msg_callback = ctx->msg_callback; 680 ssl->msg_callback_arg = ctx->msg_callback_arg; 681 ssl->verify_mode = ctx->verify_mode; 682 ssl->verify_callback = ctx->default_verify_callback; 683 ssl->custom_verify_callback = ctx->custom_verify_callback; 684 ssl->retain_only_sha256_of_client_certs = 685 ctx->retain_only_sha256_of_client_certs; 686 687 ssl->quiet_shutdown = ctx->quiet_shutdown; 688 ssl->max_send_fragment = ctx->max_send_fragment; 689 690 SSL_CTX_up_ref(ctx); 691 ssl->ctx = ctx; 692 SSL_CTX_up_ref(ctx); 693 ssl->session_ctx = ctx; 694 695 if (!ssl->ctx->x509_method->ssl_new(ssl)) { 696 goto err; 697 } 698 699 if (ctx->supported_group_list) { 700 ssl->supported_group_list = (uint16_t *)BUF_memdup( 701 ctx->supported_group_list, ctx->supported_group_list_len * 2); 702 if (!ssl->supported_group_list) { 703 goto err; 704 } 705 ssl->supported_group_list_len = ctx->supported_group_list_len; 706 } 707 708 if (ctx->alpn_client_proto_list) { 709 ssl->alpn_client_proto_list = (uint8_t *)BUF_memdup( 710 ctx->alpn_client_proto_list, ctx->alpn_client_proto_list_len); 711 if (ssl->alpn_client_proto_list == NULL) { 712 goto err; 713 } 714 ssl->alpn_client_proto_list_len = ctx->alpn_client_proto_list_len; 715 } 716 717 ssl->method = ctx->method; 718 719 if (!ssl->method->ssl_new(ssl)) { 720 goto err; 721 } 722 723 CRYPTO_new_ex_data(&ssl->ex_data); 724 725 ssl->psk_identity_hint = NULL; 726 if (ctx->psk_identity_hint) { 727 ssl->psk_identity_hint = BUF_strdup(ctx->psk_identity_hint); 728 if (ssl->psk_identity_hint == NULL) { 729 goto err; 730 } 731 } 732 ssl->psk_client_callback = ctx->psk_client_callback; 733 ssl->psk_server_callback = ctx->psk_server_callback; 734 735 ssl->tlsext_channel_id_enabled = ctx->tlsext_channel_id_enabled; 736 if (ctx->tlsext_channel_id_private) { 737 EVP_PKEY_up_ref(ctx->tlsext_channel_id_private); 738 ssl->tlsext_channel_id_private = ctx->tlsext_channel_id_private; 739 } 740 741 ssl->signed_cert_timestamps_enabled = ctx->signed_cert_timestamps_enabled; 742 ssl->ocsp_stapling_enabled = ctx->ocsp_stapling_enabled; 743 ssl->handoff = ctx->handoff; 744 745 return ssl; 746 747 err: 748 SSL_free(ssl); 749 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); 750 751 return NULL; 752 } 753 754 void SSL_free(SSL *ssl) { 755 if (ssl == NULL) { 756 return; 757 } 758 759 if (ssl->ctx != NULL) { 760 ssl->ctx->x509_method->ssl_free(ssl); 761 } 762 763 CRYPTO_free_ex_data(&g_ex_data_class_ssl, ssl, &ssl->ex_data); 764 765 BIO_free_all(ssl->rbio); 766 BIO_free_all(ssl->wbio); 767 768 // add extra stuff 769 ssl_cipher_preference_list_free(ssl->cipher_list); 770 771 SSL_SESSION_free(ssl->session); 772 773 ssl_cert_free(ssl->cert); 774 775 OPENSSL_free(ssl->tlsext_hostname); 776 SSL_CTX_free(ssl->session_ctx); 777 OPENSSL_free(ssl->supported_group_list); 778 OPENSSL_free(ssl->alpn_client_proto_list); 779 OPENSSL_free(ssl->token_binding_params); 780 OPENSSL_free(ssl->quic_transport_params); 781 EVP_PKEY_free(ssl->tlsext_channel_id_private); 782 OPENSSL_free(ssl->psk_identity_hint); 783 sk_CRYPTO_BUFFER_pop_free(ssl->client_CA, CRYPTO_BUFFER_free); 784 sk_SRTP_PROTECTION_PROFILE_free(ssl->srtp_profiles); 785 786 if (ssl->method != NULL) { 787 ssl->method->ssl_free(ssl); 788 } 789 SSL_CTX_free(ssl->ctx); 790 791 OPENSSL_free(ssl); 792 } 793 794 void SSL_set_connect_state(SSL *ssl) { 795 ssl->server = false; 796 ssl->do_handshake = ssl_client_handshake; 797 } 798 799 void SSL_set_accept_state(SSL *ssl) { 800 ssl->server = true; 801 ssl->do_handshake = ssl_server_handshake; 802 } 803 804 void SSL_set0_rbio(SSL *ssl, BIO *rbio) { 805 BIO_free_all(ssl->rbio); 806 ssl->rbio = rbio; 807 } 808 809 void SSL_set0_wbio(SSL *ssl, BIO *wbio) { 810 BIO_free_all(ssl->wbio); 811 ssl->wbio = wbio; 812 } 813 814 void SSL_set_bio(SSL *ssl, BIO *rbio, BIO *wbio) { 815 // For historical reasons, this function has many different cases in ownership 816 // handling. 817 818 // If nothing has changed, do nothing 819 if (rbio == SSL_get_rbio(ssl) && wbio == SSL_get_wbio(ssl)) { 820 return; 821 } 822 823 // If the two arguments are equal, one fewer reference is granted than 824 // taken. 825 if (rbio != NULL && rbio == wbio) { 826 BIO_up_ref(rbio); 827 } 828 829 // If only the wbio is changed, adopt only one reference. 830 if (rbio == SSL_get_rbio(ssl)) { 831 SSL_set0_wbio(ssl, wbio); 832 return; 833 } 834 835 // There is an asymmetry here for historical reasons. If only the rbio is 836 // changed AND the rbio and wbio were originally different, then we only adopt 837 // one reference. 838 if (wbio == SSL_get_wbio(ssl) && SSL_get_rbio(ssl) != SSL_get_wbio(ssl)) { 839 SSL_set0_rbio(ssl, rbio); 840 return; 841 } 842 843 // Otherwise, adopt both references. 844 SSL_set0_rbio(ssl, rbio); 845 SSL_set0_wbio(ssl, wbio); 846 } 847 848 BIO *SSL_get_rbio(const SSL *ssl) { return ssl->rbio; } 849 850 BIO *SSL_get_wbio(const SSL *ssl) { return ssl->wbio; } 851 852 int SSL_do_handshake(SSL *ssl) { 853 ssl_reset_error_state(ssl); 854 855 if (ssl->do_handshake == NULL) { 856 OPENSSL_PUT_ERROR(SSL, SSL_R_CONNECTION_TYPE_NOT_SET); 857 return -1; 858 } 859 860 if (!SSL_in_init(ssl)) { 861 return 1; 862 } 863 864 // Run the handshake. 865 SSL_HANDSHAKE *hs = ssl->s3->hs.get(); 866 867 bool early_return = false; 868 int ret = ssl_run_handshake(hs, &early_return); 869 ssl_do_info_callback( 870 ssl, ssl->server ? SSL_CB_ACCEPT_EXIT : SSL_CB_CONNECT_EXIT, ret); 871 if (ret <= 0) { 872 return ret; 873 } 874 875 // Destroy the handshake object if the handshake has completely finished. 876 if (!early_return) { 877 ssl->s3->hs.reset(); 878 } 879 880 return 1; 881 } 882 883 int SSL_connect(SSL *ssl) { 884 if (ssl->do_handshake == NULL) { 885 // Not properly initialized yet 886 SSL_set_connect_state(ssl); 887 } 888 889 return SSL_do_handshake(ssl); 890 } 891 892 int SSL_accept(SSL *ssl) { 893 if (ssl->do_handshake == NULL) { 894 // Not properly initialized yet 895 SSL_set_accept_state(ssl); 896 } 897 898 return SSL_do_handshake(ssl); 899 } 900 901 static int ssl_do_post_handshake(SSL *ssl, const SSLMessage &msg) { 902 if (ssl_protocol_version(ssl) >= TLS1_3_VERSION) { 903 return tls13_post_handshake(ssl, msg); 904 } 905 906 // We do not accept renegotiations as a server or SSL 3.0. SSL 3.0 will be 907 // removed entirely in the future and requires retaining more data for 908 // renegotiation_info. 909 if (ssl->server || ssl->version == SSL3_VERSION) { 910 goto no_renegotiation; 911 } 912 913 if (msg.type != SSL3_MT_HELLO_REQUEST || CBS_len(&msg.body) != 0) { 914 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); 915 OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_HELLO_REQUEST); 916 return 0; 917 } 918 919 switch (ssl->renegotiate_mode) { 920 case ssl_renegotiate_ignore: 921 // Ignore the HelloRequest. 922 return 1; 923 924 case ssl_renegotiate_once: 925 if (ssl->s3->total_renegotiations != 0) { 926 goto no_renegotiation; 927 } 928 break; 929 930 case ssl_renegotiate_never: 931 goto no_renegotiation; 932 933 case ssl_renegotiate_freely: 934 break; 935 } 936 937 // Renegotiation is only supported at quiescent points in the application 938 // protocol, namely in HTTPS, just before reading the HTTP response. Require 939 // the record-layer be idle and avoid complexities of sending a handshake 940 // record while an application_data record is being written. 941 if (!ssl->s3->write_buffer.empty() || 942 ssl->s3->write_shutdown != ssl_shutdown_none) { 943 goto no_renegotiation; 944 } 945 946 // Begin a new handshake. 947 if (ssl->s3->hs != nullptr) { 948 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); 949 return 0; 950 } 951 ssl->s3->hs = ssl_handshake_new(ssl); 952 if (ssl->s3->hs == nullptr) { 953 return 0; 954 } 955 956 ssl->s3->total_renegotiations++; 957 return 1; 958 959 no_renegotiation: 960 OPENSSL_PUT_ERROR(SSL, SSL_R_NO_RENEGOTIATION); 961 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_NO_RENEGOTIATION); 962 return 0; 963 } 964 965 static int ssl_read_impl(SSL *ssl) { 966 ssl_reset_error_state(ssl); 967 968 if (ssl->do_handshake == NULL) { 969 OPENSSL_PUT_ERROR(SSL, SSL_R_UNINITIALIZED); 970 return -1; 971 } 972 973 // Replay post-handshake message errors. 974 if (!check_read_error(ssl)) { 975 return -1; 976 } 977 978 while (ssl->s3->pending_app_data.empty()) { 979 // Complete the current handshake, if any. False Start will cause 980 // |SSL_do_handshake| to return mid-handshake, so this may require multiple 981 // iterations. 982 while (!ssl_can_read(ssl)) { 983 int ret = SSL_do_handshake(ssl); 984 if (ret < 0) { 985 return ret; 986 } 987 if (ret == 0) { 988 OPENSSL_PUT_ERROR(SSL, SSL_R_SSL_HANDSHAKE_FAILURE); 989 return -1; 990 } 991 } 992 993 // Process any buffered post-handshake messages. 994 SSLMessage msg; 995 if (ssl->method->get_message(ssl, &msg)) { 996 // If we received an interrupt in early read (EndOfEarlyData), loop again 997 // for the handshake to process it. 998 if (SSL_in_init(ssl)) { 999 ssl->s3->hs->can_early_read = false; 1000 continue; 1001 } 1002 1003 // Handle the post-handshake message and try again. 1004 if (!ssl_do_post_handshake(ssl, msg)) { 1005 ssl_set_read_error(ssl); 1006 return -1; 1007 } 1008 ssl->method->next_message(ssl); 1009 continue; // Loop again. We may have begun a new handshake. 1010 } 1011 1012 uint8_t alert = SSL_AD_DECODE_ERROR; 1013 size_t consumed = 0; 1014 auto ret = ssl_open_app_data(ssl, &ssl->s3->pending_app_data, &consumed, 1015 &alert, ssl->s3->read_buffer.span()); 1016 bool retry; 1017 int bio_ret = ssl_handle_open_record(ssl, &retry, ret, consumed, alert); 1018 if (bio_ret <= 0) { 1019 return bio_ret; 1020 } 1021 if (!retry) { 1022 assert(!ssl->s3->pending_app_data.empty()); 1023 ssl->s3->key_update_count = 0; 1024 } 1025 } 1026 1027 return 1; 1028 } 1029 1030 int SSL_read(SSL *ssl, void *buf, int num) { 1031 int ret = SSL_peek(ssl, buf, num); 1032 if (ret <= 0) { 1033 return ret; 1034 } 1035 // TODO(davidben): In DTLS, should the rest of the record be discarded? DTLS 1036 // is not a stream. See https://crbug.com/boringssl/65. 1037 ssl->s3->pending_app_data = 1038 ssl->s3->pending_app_data.subspan(static_cast<size_t>(ret)); 1039 if (ssl->s3->pending_app_data.empty()) { 1040 ssl->s3->read_buffer.DiscardConsumed(); 1041 } 1042 return ret; 1043 } 1044 1045 int SSL_peek(SSL *ssl, void *buf, int num) { 1046 int ret = ssl_read_impl(ssl); 1047 if (ret <= 0) { 1048 return ret; 1049 } 1050 if (num <= 0) { 1051 return num; 1052 } 1053 size_t todo = 1054 std::min(ssl->s3->pending_app_data.size(), static_cast<size_t>(num)); 1055 OPENSSL_memcpy(buf, ssl->s3->pending_app_data.data(), todo); 1056 return static_cast<int>(todo); 1057 } 1058 1059 int SSL_write(SSL *ssl, const void *buf, int num) { 1060 ssl_reset_error_state(ssl); 1061 1062 if (ssl->do_handshake == NULL) { 1063 OPENSSL_PUT_ERROR(SSL, SSL_R_UNINITIALIZED); 1064 return -1; 1065 } 1066 1067 if (ssl->s3->write_shutdown != ssl_shutdown_none) { 1068 OPENSSL_PUT_ERROR(SSL, SSL_R_PROTOCOL_IS_SHUTDOWN); 1069 return -1; 1070 } 1071 1072 int ret = 0; 1073 bool needs_handshake = false; 1074 do { 1075 // If necessary, complete the handshake implicitly. 1076 if (!ssl_can_write(ssl)) { 1077 ret = SSL_do_handshake(ssl); 1078 if (ret < 0) { 1079 return ret; 1080 } 1081 if (ret == 0) { 1082 OPENSSL_PUT_ERROR(SSL, SSL_R_SSL_HANDSHAKE_FAILURE); 1083 return -1; 1084 } 1085 } 1086 1087 ret = ssl->method->write_app_data(ssl, &needs_handshake, 1088 (const uint8_t *)buf, num); 1089 } while (needs_handshake); 1090 return ret; 1091 } 1092 1093 int SSL_shutdown(SSL *ssl) { 1094 ssl_reset_error_state(ssl); 1095 1096 if (ssl->do_handshake == NULL) { 1097 OPENSSL_PUT_ERROR(SSL, SSL_R_UNINITIALIZED); 1098 return -1; 1099 } 1100 1101 // If we are in the middle of a handshake, silently succeed. Consumers often 1102 // call this function before |SSL_free|, whether the handshake succeeded or 1103 // not. We assume the caller has already handled failed handshakes. 1104 if (SSL_in_init(ssl)) { 1105 return 1; 1106 } 1107 1108 if (ssl->quiet_shutdown) { 1109 // Do nothing if configured not to send a close_notify. 1110 ssl->s3->write_shutdown = ssl_shutdown_close_notify; 1111 ssl->s3->read_shutdown = ssl_shutdown_close_notify; 1112 return 1; 1113 } 1114 1115 // This function completes in two stages. It sends a close_notify and then it 1116 // waits for a close_notify to come in. Perform exactly one action and return 1117 // whether or not it succeeds. 1118 1119 if (ssl->s3->write_shutdown != ssl_shutdown_close_notify) { 1120 // Send a close_notify. 1121 if (ssl_send_alert(ssl, SSL3_AL_WARNING, SSL_AD_CLOSE_NOTIFY) <= 0) { 1122 return -1; 1123 } 1124 } else if (ssl->s3->alert_dispatch) { 1125 // Finish sending the close_notify. 1126 if (ssl->method->dispatch_alert(ssl) <= 0) { 1127 return -1; 1128 } 1129 } else if (ssl->s3->read_shutdown != ssl_shutdown_close_notify) { 1130 if (SSL_is_dtls(ssl)) { 1131 // Bidirectional shutdown doesn't make sense for an unordered 1132 // transport. DTLS alerts also aren't delivered reliably, so we may even 1133 // time out because the peer never received our close_notify. Report to 1134 // the caller that the channel has fully shut down. 1135 if (ssl->s3->read_shutdown == ssl_shutdown_error) { 1136 ERR_restore_state(ssl->s3->read_error.get()); 1137 return -1; 1138 } 1139 ssl->s3->read_shutdown = ssl_shutdown_close_notify; 1140 } else { 1141 // Keep discarding data until we see a close_notify. 1142 for (;;) { 1143 ssl->s3->pending_app_data = Span<uint8_t>(); 1144 int ret = ssl_read_impl(ssl); 1145 if (ret <= 0) { 1146 break; 1147 } 1148 } 1149 if (ssl->s3->read_shutdown != ssl_shutdown_close_notify) { 1150 return -1; 1151 } 1152 } 1153 } 1154 1155 // Return 0 for unidirectional shutdown and 1 for bidirectional shutdown. 1156 return ssl->s3->read_shutdown == ssl_shutdown_close_notify; 1157 } 1158 1159 int SSL_send_fatal_alert(SSL *ssl, uint8_t alert) { 1160 if (ssl->s3->alert_dispatch) { 1161 if (ssl->s3->send_alert[0] != SSL3_AL_FATAL || 1162 ssl->s3->send_alert[1] != alert) { 1163 // We are already attempting to write a different alert. 1164 OPENSSL_PUT_ERROR(SSL, SSL_R_PROTOCOL_IS_SHUTDOWN); 1165 return -1; 1166 } 1167 return ssl->method->dispatch_alert(ssl); 1168 } 1169 1170 return ssl_send_alert(ssl, SSL3_AL_FATAL, alert); 1171 } 1172 1173 int SSL_set_quic_transport_params(SSL *ssl, const uint8_t *params, 1174 size_t params_len) { 1175 ssl->quic_transport_params = (uint8_t *)BUF_memdup(params, params_len); 1176 if (!ssl->quic_transport_params) { 1177 return 0; 1178 } 1179 ssl->quic_transport_params_len = params_len; 1180 return 1; 1181 } 1182 1183 void SSL_get_peer_quic_transport_params(const SSL *ssl, 1184 const uint8_t **out_params, 1185 size_t *out_params_len) { 1186 *out_params = ssl->s3->peer_quic_transport_params.data(); 1187 *out_params_len = ssl->s3->peer_quic_transport_params.size(); 1188 } 1189 1190 void SSL_CTX_set_early_data_enabled(SSL_CTX *ctx, int enabled) { 1191 ctx->cert->enable_early_data = !!enabled; 1192 } 1193 1194 void SSL_CTX_set_tls13_variant(SSL_CTX *ctx, enum tls13_variant_t variant) { 1195 ctx->tls13_variant = variant; 1196 } 1197 1198 void SSL_set_tls13_variant(SSL *ssl, enum tls13_variant_t variant) { 1199 ssl->tls13_variant = variant; 1200 } 1201 1202 void SSL_set_early_data_enabled(SSL *ssl, int enabled) { 1203 ssl->cert->enable_early_data = !!enabled; 1204 } 1205 1206 int SSL_in_early_data(const SSL *ssl) { 1207 if (ssl->s3->hs == NULL) { 1208 return 0; 1209 } 1210 return ssl->s3->hs->in_early_data; 1211 } 1212 1213 int SSL_early_data_accepted(const SSL *ssl) { 1214 return ssl->s3->early_data_accepted; 1215 } 1216 1217 void SSL_reset_early_data_reject(SSL *ssl) { 1218 SSL_HANDSHAKE *hs = ssl->s3->hs.get(); 1219 if (hs == NULL || 1220 hs->wait != ssl_hs_early_data_rejected) { 1221 abort(); 1222 } 1223 1224 hs->wait = ssl_hs_ok; 1225 hs->in_early_data = false; 1226 hs->early_session.reset(); 1227 1228 // Discard any unfinished writes from the perspective of |SSL_write|'s 1229 // retry. The handshake will transparently flush out the pending record 1230 // (discarded by the server) to keep the framing correct. 1231 ssl->s3->wpend_pending = false; 1232 } 1233 1234 static int bio_retry_reason_to_error(int reason) { 1235 switch (reason) { 1236 case BIO_RR_CONNECT: 1237 return SSL_ERROR_WANT_CONNECT; 1238 case BIO_RR_ACCEPT: 1239 return SSL_ERROR_WANT_ACCEPT; 1240 default: 1241 return SSL_ERROR_SYSCALL; 1242 } 1243 } 1244 1245 int SSL_get_error(const SSL *ssl, int ret_code) { 1246 if (ret_code > 0) { 1247 return SSL_ERROR_NONE; 1248 } 1249 1250 // Make things return SSL_ERROR_SYSCALL when doing SSL_do_handshake etc, 1251 // where we do encode the error 1252 uint32_t err = ERR_peek_error(); 1253 if (err != 0) { 1254 if (ERR_GET_LIB(err) == ERR_LIB_SYS) { 1255 return SSL_ERROR_SYSCALL; 1256 } 1257 return SSL_ERROR_SSL; 1258 } 1259 1260 if (ret_code == 0) { 1261 if (ssl->s3->read_shutdown == ssl_shutdown_close_notify) { 1262 return SSL_ERROR_ZERO_RETURN; 1263 } 1264 // An EOF was observed which violates the protocol, and the underlying 1265 // transport does not participate in the error queue. Bubble up to the 1266 // caller. 1267 return SSL_ERROR_SYSCALL; 1268 } 1269 1270 switch (ssl->s3->rwstate) { 1271 case SSL_PENDING_SESSION: 1272 return SSL_ERROR_PENDING_SESSION; 1273 1274 case SSL_CERTIFICATE_SELECTION_PENDING: 1275 return SSL_ERROR_PENDING_CERTIFICATE; 1276 1277 case SSL_HANDOFF: 1278 return SSL_ERROR_HANDOFF; 1279 1280 case SSL_READING: { 1281 BIO *bio = SSL_get_rbio(ssl); 1282 if (BIO_should_read(bio)) { 1283 return SSL_ERROR_WANT_READ; 1284 } 1285 1286 if (BIO_should_write(bio)) { 1287 // TODO(davidben): OpenSSL historically checked for writes on the read 1288 // BIO. Can this be removed? 1289 return SSL_ERROR_WANT_WRITE; 1290 } 1291 1292 if (BIO_should_io_special(bio)) { 1293 return bio_retry_reason_to_error(BIO_get_retry_reason(bio)); 1294 } 1295 1296 break; 1297 } 1298 1299 case SSL_WRITING: { 1300 BIO *bio = SSL_get_wbio(ssl); 1301 if (BIO_should_write(bio)) { 1302 return SSL_ERROR_WANT_WRITE; 1303 } 1304 1305 if (BIO_should_read(bio)) { 1306 // TODO(davidben): OpenSSL historically checked for reads on the write 1307 // BIO. Can this be removed? 1308 return SSL_ERROR_WANT_READ; 1309 } 1310 1311 if (BIO_should_io_special(bio)) { 1312 return bio_retry_reason_to_error(BIO_get_retry_reason(bio)); 1313 } 1314 1315 break; 1316 } 1317 1318 case SSL_X509_LOOKUP: 1319 return SSL_ERROR_WANT_X509_LOOKUP; 1320 1321 case SSL_CHANNEL_ID_LOOKUP: 1322 return SSL_ERROR_WANT_CHANNEL_ID_LOOKUP; 1323 1324 case SSL_PRIVATE_KEY_OPERATION: 1325 return SSL_ERROR_WANT_PRIVATE_KEY_OPERATION; 1326 1327 case SSL_PENDING_TICKET: 1328 return SSL_ERROR_PENDING_TICKET; 1329 1330 case SSL_EARLY_DATA_REJECTED: 1331 return SSL_ERROR_EARLY_DATA_REJECTED; 1332 1333 case SSL_CERTIFICATE_VERIFY: 1334 return SSL_ERROR_WANT_CERTIFICATE_VERIFY; 1335 } 1336 1337 return SSL_ERROR_SYSCALL; 1338 } 1339 1340 uint32_t SSL_CTX_set_options(SSL_CTX *ctx, uint32_t options) { 1341 ctx->options |= options; 1342 return ctx->options; 1343 } 1344 1345 uint32_t SSL_CTX_clear_options(SSL_CTX *ctx, uint32_t options) { 1346 ctx->options &= ~options; 1347 return ctx->options; 1348 } 1349 1350 uint32_t SSL_CTX_get_options(const SSL_CTX *ctx) { return ctx->options; } 1351 1352 uint32_t SSL_set_options(SSL *ssl, uint32_t options) { 1353 ssl->options |= options; 1354 return ssl->options; 1355 } 1356 1357 uint32_t SSL_clear_options(SSL *ssl, uint32_t options) { 1358 ssl->options &= ~options; 1359 return ssl->options; 1360 } 1361 1362 uint32_t SSL_get_options(const SSL *ssl) { return ssl->options; } 1363 1364 uint32_t SSL_CTX_set_mode(SSL_CTX *ctx, uint32_t mode) { 1365 ctx->mode |= mode; 1366 return ctx->mode; 1367 } 1368 1369 uint32_t SSL_CTX_clear_mode(SSL_CTX *ctx, uint32_t mode) { 1370 ctx->mode &= ~mode; 1371 return ctx->mode; 1372 } 1373 1374 uint32_t SSL_CTX_get_mode(const SSL_CTX *ctx) { return ctx->mode; } 1375 1376 uint32_t SSL_set_mode(SSL *ssl, uint32_t mode) { 1377 ssl->mode |= mode; 1378 return ssl->mode; 1379 } 1380 1381 uint32_t SSL_clear_mode(SSL *ssl, uint32_t mode) { 1382 ssl->mode &= ~mode; 1383 return ssl->mode; 1384 } 1385 1386 uint32_t SSL_get_mode(const SSL *ssl) { return ssl->mode; } 1387 1388 void SSL_CTX_set0_buffer_pool(SSL_CTX *ctx, CRYPTO_BUFFER_POOL *pool) { 1389 ctx->pool = pool; 1390 } 1391 1392 int SSL_get_tls_unique(const SSL *ssl, uint8_t *out, size_t *out_len, 1393 size_t max_out) { 1394 *out_len = 0; 1395 OPENSSL_memset(out, 0, max_out); 1396 1397 // tls-unique is not defined for SSL 3.0 or TLS 1.3. 1398 if (!ssl->s3->initial_handshake_complete || 1399 ssl_protocol_version(ssl) < TLS1_VERSION || 1400 ssl_protocol_version(ssl) >= TLS1_3_VERSION) { 1401 return 0; 1402 } 1403 1404 // The tls-unique value is the first Finished message in the handshake, which 1405 // is the client's in a full handshake and the server's for a resumption. See 1406 // https://tools.ietf.org/html/rfc5929#section-3.1. 1407 const uint8_t *finished = ssl->s3->previous_client_finished; 1408 size_t finished_len = ssl->s3->previous_client_finished_len; 1409 if (ssl->session != NULL) { 1410 // tls-unique is broken for resumed sessions unless EMS is used. 1411 if (!ssl->session->extended_master_secret) { 1412 return 0; 1413 } 1414 finished = ssl->s3->previous_server_finished; 1415 finished_len = ssl->s3->previous_server_finished_len; 1416 } 1417 1418 *out_len = finished_len; 1419 if (finished_len > max_out) { 1420 *out_len = max_out; 1421 } 1422 1423 OPENSSL_memcpy(out, finished, *out_len); 1424 return 1; 1425 } 1426 1427 static int set_session_id_context(CERT *cert, const uint8_t *sid_ctx, 1428 size_t sid_ctx_len) { 1429 if (sid_ctx_len > sizeof(cert->sid_ctx)) { 1430 OPENSSL_PUT_ERROR(SSL, SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG); 1431 return 0; 1432 } 1433 1434 static_assert(sizeof(cert->sid_ctx) < 256, "sid_ctx too large"); 1435 cert->sid_ctx_length = (uint8_t)sid_ctx_len; 1436 OPENSSL_memcpy(cert->sid_ctx, sid_ctx, sid_ctx_len); 1437 return 1; 1438 } 1439 1440 int SSL_CTX_set_session_id_context(SSL_CTX *ctx, const uint8_t *sid_ctx, 1441 size_t sid_ctx_len) { 1442 return set_session_id_context(ctx->cert, sid_ctx, sid_ctx_len); 1443 } 1444 1445 int SSL_set_session_id_context(SSL *ssl, const uint8_t *sid_ctx, 1446 size_t sid_ctx_len) { 1447 return set_session_id_context(ssl->cert, sid_ctx, sid_ctx_len); 1448 } 1449 1450 const uint8_t *SSL_get0_session_id_context(const SSL *ssl, size_t *out_len) { 1451 *out_len = ssl->cert->sid_ctx_length; 1452 return ssl->cert->sid_ctx; 1453 } 1454 1455 void SSL_certs_clear(SSL *ssl) { ssl_cert_clear_certs(ssl->cert); } 1456 1457 int SSL_get_fd(const SSL *ssl) { return SSL_get_rfd(ssl); } 1458 1459 int SSL_get_rfd(const SSL *ssl) { 1460 int ret = -1; 1461 BIO *b = BIO_find_type(SSL_get_rbio(ssl), BIO_TYPE_DESCRIPTOR); 1462 if (b != NULL) { 1463 BIO_get_fd(b, &ret); 1464 } 1465 return ret; 1466 } 1467 1468 int SSL_get_wfd(const SSL *ssl) { 1469 int ret = -1; 1470 BIO *b = BIO_find_type(SSL_get_wbio(ssl), BIO_TYPE_DESCRIPTOR); 1471 if (b != NULL) { 1472 BIO_get_fd(b, &ret); 1473 } 1474 return ret; 1475 } 1476 1477 int SSL_set_fd(SSL *ssl, int fd) { 1478 BIO *bio = BIO_new(BIO_s_socket()); 1479 if (bio == NULL) { 1480 OPENSSL_PUT_ERROR(SSL, ERR_R_BUF_LIB); 1481 return 0; 1482 } 1483 BIO_set_fd(bio, fd, BIO_NOCLOSE); 1484 SSL_set_bio(ssl, bio, bio); 1485 return 1; 1486 } 1487 1488 int SSL_set_wfd(SSL *ssl, int fd) { 1489 BIO *rbio = SSL_get_rbio(ssl); 1490 if (rbio == NULL || BIO_method_type(rbio) != BIO_TYPE_SOCKET || 1491 BIO_get_fd(rbio, NULL) != fd) { 1492 BIO *bio = BIO_new(BIO_s_socket()); 1493 if (bio == NULL) { 1494 OPENSSL_PUT_ERROR(SSL, ERR_R_BUF_LIB); 1495 return 0; 1496 } 1497 BIO_set_fd(bio, fd, BIO_NOCLOSE); 1498 SSL_set0_wbio(ssl, bio); 1499 } else { 1500 // Copy the rbio over to the wbio. 1501 BIO_up_ref(rbio); 1502 SSL_set0_wbio(ssl, rbio); 1503 } 1504 1505 return 1; 1506 } 1507 1508 int SSL_set_rfd(SSL *ssl, int fd) { 1509 BIO *wbio = SSL_get_wbio(ssl); 1510 if (wbio == NULL || BIO_method_type(wbio) != BIO_TYPE_SOCKET || 1511 BIO_get_fd(wbio, NULL) != fd) { 1512 BIO *bio = BIO_new(BIO_s_socket()); 1513 if (bio == NULL) { 1514 OPENSSL_PUT_ERROR(SSL, ERR_R_BUF_LIB); 1515 return 0; 1516 } 1517 BIO_set_fd(bio, fd, BIO_NOCLOSE); 1518 SSL_set0_rbio(ssl, bio); 1519 } else { 1520 // Copy the wbio over to the rbio. 1521 BIO_up_ref(wbio); 1522 SSL_set0_rbio(ssl, wbio); 1523 } 1524 return 1; 1525 } 1526 1527 static size_t copy_finished(void *out, size_t out_len, const uint8_t *in, 1528 size_t in_len) { 1529 if (out_len > in_len) { 1530 out_len = in_len; 1531 } 1532 OPENSSL_memcpy(out, in, out_len); 1533 return in_len; 1534 } 1535 1536 size_t SSL_get_finished(const SSL *ssl, void *buf, size_t count) { 1537 if (!ssl->s3->initial_handshake_complete || 1538 ssl_protocol_version(ssl) < TLS1_VERSION || 1539 ssl_protocol_version(ssl) >= TLS1_3_VERSION) { 1540 return 0; 1541 } 1542 1543 if (ssl->server) { 1544 return copy_finished(buf, count, ssl->s3->previous_server_finished, 1545 ssl->s3->previous_server_finished_len); 1546 } 1547 1548 return copy_finished(buf, count, ssl->s3->previous_client_finished, 1549 ssl->s3->previous_client_finished_len); 1550 } 1551 1552 size_t SSL_get_peer_finished(const SSL *ssl, void *buf, size_t count) { 1553 if (!ssl->s3->initial_handshake_complete || 1554 ssl_protocol_version(ssl) < TLS1_VERSION || 1555 ssl_protocol_version(ssl) >= TLS1_3_VERSION) { 1556 return 0; 1557 } 1558 1559 if (ssl->server) { 1560 return copy_finished(buf, count, ssl->s3->previous_client_finished, 1561 ssl->s3->previous_client_finished_len); 1562 } 1563 1564 return copy_finished(buf, count, ssl->s3->previous_server_finished, 1565 ssl->s3->previous_server_finished_len); 1566 } 1567 1568 int SSL_get_verify_mode(const SSL *ssl) { return ssl->verify_mode; } 1569 1570 int SSL_get_extms_support(const SSL *ssl) { 1571 // TLS 1.3 does not require extended master secret and always reports as 1572 // supporting it. 1573 if (!ssl->s3->have_version) { 1574 return 0; 1575 } 1576 if (ssl_protocol_version(ssl) >= TLS1_3_VERSION) { 1577 return 1; 1578 } 1579 1580 // If the initial handshake completed, query the established session. 1581 if (ssl->s3->established_session != NULL) { 1582 return ssl->s3->established_session->extended_master_secret; 1583 } 1584 1585 // Otherwise, query the in-progress handshake. 1586 if (ssl->s3->hs != NULL) { 1587 return ssl->s3->hs->extended_master_secret; 1588 } 1589 assert(0); 1590 return 0; 1591 } 1592 1593 int SSL_CTX_get_read_ahead(const SSL_CTX *ctx) { return 0; } 1594 1595 int SSL_get_read_ahead(const SSL *ssl) { return 0; } 1596 1597 void SSL_CTX_set_read_ahead(SSL_CTX *ctx, int yes) { } 1598 1599 void SSL_set_read_ahead(SSL *ssl, int yes) { } 1600 1601 int SSL_pending(const SSL *ssl) { 1602 return static_cast<int>(ssl->s3->pending_app_data.size()); 1603 } 1604 1605 // Fix this so it checks all the valid key/cert options 1606 int SSL_CTX_check_private_key(const SSL_CTX *ctx) { 1607 return ssl_cert_check_private_key(ctx->cert, ctx->cert->privatekey); 1608 } 1609 1610 // Fix this function so that it takes an optional type parameter 1611 int SSL_check_private_key(const SSL *ssl) { 1612 return ssl_cert_check_private_key(ssl->cert, ssl->cert->privatekey); 1613 } 1614 1615 long SSL_get_default_timeout(const SSL *ssl) { 1616 return SSL_DEFAULT_SESSION_TIMEOUT; 1617 } 1618 1619 int SSL_renegotiate(SSL *ssl) { 1620 // Caller-initiated renegotiation is not supported. 1621 OPENSSL_PUT_ERROR(SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 1622 return 0; 1623 } 1624 1625 int SSL_renegotiate_pending(SSL *ssl) { 1626 return SSL_in_init(ssl) && ssl->s3->initial_handshake_complete; 1627 } 1628 1629 int SSL_total_renegotiations(const SSL *ssl) { 1630 return ssl->s3->total_renegotiations; 1631 } 1632 1633 size_t SSL_CTX_get_max_cert_list(const SSL_CTX *ctx) { 1634 return ctx->max_cert_list; 1635 } 1636 1637 void SSL_CTX_set_max_cert_list(SSL_CTX *ctx, size_t max_cert_list) { 1638 if (max_cert_list > kMaxHandshakeSize) { 1639 max_cert_list = kMaxHandshakeSize; 1640 } 1641 ctx->max_cert_list = (uint32_t)max_cert_list; 1642 } 1643 1644 size_t SSL_get_max_cert_list(const SSL *ssl) { 1645 return ssl->max_cert_list; 1646 } 1647 1648 void SSL_set_max_cert_list(SSL *ssl, size_t max_cert_list) { 1649 if (max_cert_list > kMaxHandshakeSize) { 1650 max_cert_list = kMaxHandshakeSize; 1651 } 1652 ssl->max_cert_list = (uint32_t)max_cert_list; 1653 } 1654 1655 int SSL_CTX_set_max_send_fragment(SSL_CTX *ctx, size_t max_send_fragment) { 1656 if (max_send_fragment < 512) { 1657 max_send_fragment = 512; 1658 } 1659 if (max_send_fragment > SSL3_RT_MAX_PLAIN_LENGTH) { 1660 max_send_fragment = SSL3_RT_MAX_PLAIN_LENGTH; 1661 } 1662 ctx->max_send_fragment = (uint16_t)max_send_fragment; 1663 1664 return 1; 1665 } 1666 1667 int SSL_set_max_send_fragment(SSL *ssl, size_t max_send_fragment) { 1668 if (max_send_fragment < 512) { 1669 max_send_fragment = 512; 1670 } 1671 if (max_send_fragment > SSL3_RT_MAX_PLAIN_LENGTH) { 1672 max_send_fragment = SSL3_RT_MAX_PLAIN_LENGTH; 1673 } 1674 ssl->max_send_fragment = (uint16_t)max_send_fragment; 1675 1676 return 1; 1677 } 1678 1679 int SSL_set_mtu(SSL *ssl, unsigned mtu) { 1680 if (!SSL_is_dtls(ssl) || mtu < dtls1_min_mtu()) { 1681 return 0; 1682 } 1683 ssl->d1->mtu = mtu; 1684 return 1; 1685 } 1686 1687 int SSL_get_secure_renegotiation_support(const SSL *ssl) { 1688 if (!ssl->s3->have_version) { 1689 return 0; 1690 } 1691 return ssl_protocol_version(ssl) >= TLS1_3_VERSION || 1692 ssl->s3->send_connection_binding; 1693 } 1694 1695 size_t SSL_CTX_sess_number(const SSL_CTX *ctx) { 1696 MutexReadLock lock(const_cast<CRYPTO_MUTEX *>(&ctx->lock)); 1697 return lh_SSL_SESSION_num_items(ctx->sessions); 1698 } 1699 1700 unsigned long SSL_CTX_sess_set_cache_size(SSL_CTX *ctx, unsigned long size) { 1701 unsigned long ret = ctx->session_cache_size; 1702 ctx->session_cache_size = size; 1703 return ret; 1704 } 1705 1706 unsigned long SSL_CTX_sess_get_cache_size(const SSL_CTX *ctx) { 1707 return ctx->session_cache_size; 1708 } 1709 1710 int SSL_CTX_set_session_cache_mode(SSL_CTX *ctx, int mode) { 1711 int ret = ctx->session_cache_mode; 1712 ctx->session_cache_mode = mode; 1713 return ret; 1714 } 1715 1716 int SSL_CTX_get_session_cache_mode(const SSL_CTX *ctx) { 1717 return ctx->session_cache_mode; 1718 } 1719 1720 1721 int SSL_CTX_get_tlsext_ticket_keys(SSL_CTX *ctx, void *out, size_t len) { 1722 if (out == NULL) { 1723 return 48; 1724 } 1725 if (len != 48) { 1726 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_TICKET_KEYS_LENGTH); 1727 return 0; 1728 } 1729 1730 // The default ticket keys are initialized lazily. Trigger a key 1731 // rotation to initialize them. 1732 if (!ssl_ctx_rotate_ticket_encryption_key(ctx)) { 1733 return 0; 1734 } 1735 1736 uint8_t *out_bytes = reinterpret_cast<uint8_t *>(out); 1737 MutexReadLock lock(&ctx->lock); 1738 OPENSSL_memcpy(out_bytes, ctx->tlsext_ticket_key_current->name, 16); 1739 OPENSSL_memcpy(out_bytes + 16, ctx->tlsext_ticket_key_current->hmac_key, 16); 1740 OPENSSL_memcpy(out_bytes + 32, ctx->tlsext_ticket_key_current->aes_key, 16); 1741 return 1; 1742 } 1743 1744 int SSL_CTX_set_tlsext_ticket_keys(SSL_CTX *ctx, const void *in, size_t len) { 1745 if (in == NULL) { 1746 return 48; 1747 } 1748 if (len != 48) { 1749 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_TICKET_KEYS_LENGTH); 1750 return 0; 1751 } 1752 if (!ctx->tlsext_ticket_key_current) { 1753 ctx->tlsext_ticket_key_current = 1754 (tlsext_ticket_key *)OPENSSL_malloc(sizeof(tlsext_ticket_key)); 1755 if (!ctx->tlsext_ticket_key_current) { 1756 return 0; 1757 } 1758 } 1759 OPENSSL_memset(ctx->tlsext_ticket_key_current, 0, sizeof(tlsext_ticket_key)); 1760 const uint8_t *in_bytes = reinterpret_cast<const uint8_t *>(in); 1761 OPENSSL_memcpy(ctx->tlsext_ticket_key_current->name, in_bytes, 16); 1762 OPENSSL_memcpy(ctx->tlsext_ticket_key_current->hmac_key, in_bytes + 16, 16); 1763 OPENSSL_memcpy(ctx->tlsext_ticket_key_current->aes_key, in_bytes + 32, 16); 1764 OPENSSL_free(ctx->tlsext_ticket_key_prev); 1765 ctx->tlsext_ticket_key_prev = nullptr; 1766 // Disable automatic key rotation. 1767 ctx->tlsext_ticket_key_current->next_rotation_tv_sec = 0; 1768 return 1; 1769 } 1770 1771 int SSL_CTX_set_tlsext_ticket_key_cb( 1772 SSL_CTX *ctx, int (*callback)(SSL *ssl, uint8_t *key_name, uint8_t *iv, 1773 EVP_CIPHER_CTX *ctx, HMAC_CTX *hmac_ctx, 1774 int encrypt)) { 1775 ctx->tlsext_ticket_key_cb = callback; 1776 return 1; 1777 } 1778 1779 int SSL_CTX_set1_curves(SSL_CTX *ctx, const int *curves, size_t curves_len) { 1780 return tls1_set_curves(&ctx->supported_group_list, 1781 &ctx->supported_group_list_len, curves, 1782 curves_len); 1783 } 1784 1785 int SSL_set1_curves(SSL *ssl, const int *curves, size_t curves_len) { 1786 return tls1_set_curves(&ssl->supported_group_list, 1787 &ssl->supported_group_list_len, curves, 1788 curves_len); 1789 } 1790 1791 int SSL_CTX_set1_curves_list(SSL_CTX *ctx, const char *curves) { 1792 return tls1_set_curves_list(&ctx->supported_group_list, 1793 &ctx->supported_group_list_len, curves); 1794 } 1795 1796 int SSL_set1_curves_list(SSL *ssl, const char *curves) { 1797 return tls1_set_curves_list(&ssl->supported_group_list, 1798 &ssl->supported_group_list_len, curves); 1799 } 1800 1801 uint16_t SSL_get_curve_id(const SSL *ssl) { 1802 // TODO(davidben): This checks the wrong session if there is a renegotiation 1803 // in progress. 1804 SSL_SESSION *session = SSL_get_session(ssl); 1805 if (session == NULL) { 1806 return 0; 1807 } 1808 1809 return session->group_id; 1810 } 1811 1812 int SSL_CTX_set_tmp_dh(SSL_CTX *ctx, const DH *dh) { 1813 return 1; 1814 } 1815 1816 int SSL_set_tmp_dh(SSL *ssl, const DH *dh) { 1817 return 1; 1818 } 1819 1820 STACK_OF(SSL_CIPHER) *SSL_CTX_get_ciphers(const SSL_CTX *ctx) { 1821 return ctx->cipher_list->ciphers; 1822 } 1823 1824 int SSL_CTX_cipher_in_group(const SSL_CTX *ctx, size_t i) { 1825 if (i >= sk_SSL_CIPHER_num(ctx->cipher_list->ciphers)) { 1826 return 0; 1827 } 1828 return ctx->cipher_list->in_group_flags[i]; 1829 } 1830 1831 STACK_OF(SSL_CIPHER) *SSL_get_ciphers(const SSL *ssl) { 1832 if (ssl == NULL) { 1833 return NULL; 1834 } 1835 1836 const struct ssl_cipher_preference_list_st *prefs = 1837 ssl_get_cipher_preferences(ssl); 1838 if (prefs == NULL) { 1839 return NULL; 1840 } 1841 1842 return prefs->ciphers; 1843 } 1844 1845 const char *SSL_get_cipher_list(const SSL *ssl, int n) { 1846 if (ssl == NULL) { 1847 return NULL; 1848 } 1849 1850 STACK_OF(SSL_CIPHER) *sk = SSL_get_ciphers(ssl); 1851 if (sk == NULL || n < 0 || (size_t)n >= sk_SSL_CIPHER_num(sk)) { 1852 return NULL; 1853 } 1854 1855 const SSL_CIPHER *c = sk_SSL_CIPHER_value(sk, n); 1856 if (c == NULL) { 1857 return NULL; 1858 } 1859 1860 return c->name; 1861 } 1862 1863 int SSL_CTX_set_cipher_list(SSL_CTX *ctx, const char *str) { 1864 return ssl_create_cipher_list(&ctx->cipher_list, str, false /* not strict */); 1865 } 1866 1867 int SSL_CTX_set_strict_cipher_list(SSL_CTX *ctx, const char *str) { 1868 return ssl_create_cipher_list(&ctx->cipher_list, str, true /* strict */); 1869 } 1870 1871 int SSL_set_cipher_list(SSL *ssl, const char *str) { 1872 return ssl_create_cipher_list(&ssl->cipher_list, str, false /* not strict */); 1873 } 1874 1875 int SSL_set_strict_cipher_list(SSL *ssl, const char *str) { 1876 return ssl_create_cipher_list(&ssl->cipher_list, str, true /* strict */); 1877 } 1878 1879 const char *SSL_get_servername(const SSL *ssl, const int type) { 1880 if (type != TLSEXT_NAMETYPE_host_name) { 1881 return NULL; 1882 } 1883 1884 // Historically, |SSL_get_servername| was also the configuration getter 1885 // corresponding to |SSL_set_tlsext_host_name|. 1886 if (ssl->tlsext_hostname != NULL) { 1887 return ssl->tlsext_hostname; 1888 } 1889 1890 return ssl->s3->hostname.get(); 1891 } 1892 1893 int SSL_get_servername_type(const SSL *ssl) { 1894 if (SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name) == NULL) { 1895 return -1; 1896 } 1897 return TLSEXT_NAMETYPE_host_name; 1898 } 1899 1900 void SSL_CTX_set_custom_verify( 1901 SSL_CTX *ctx, int mode, 1902 enum ssl_verify_result_t (*callback)(SSL *ssl, uint8_t *out_alert)) { 1903 ctx->verify_mode = mode; 1904 ctx->custom_verify_callback = callback; 1905 } 1906 1907 void SSL_set_custom_verify( 1908 SSL *ssl, int mode, 1909 enum ssl_verify_result_t (*callback)(SSL *ssl, uint8_t *out_alert)) { 1910 ssl->verify_mode = mode; 1911 ssl->custom_verify_callback = callback; 1912 } 1913 1914 void SSL_CTX_enable_signed_cert_timestamps(SSL_CTX *ctx) { 1915 ctx->signed_cert_timestamps_enabled = true; 1916 } 1917 1918 void SSL_enable_signed_cert_timestamps(SSL *ssl) { 1919 ssl->signed_cert_timestamps_enabled = true; 1920 } 1921 1922 void SSL_CTX_enable_ocsp_stapling(SSL_CTX *ctx) { 1923 ctx->ocsp_stapling_enabled = true; 1924 } 1925 1926 void SSL_enable_ocsp_stapling(SSL *ssl) { 1927 ssl->ocsp_stapling_enabled = true; 1928 } 1929 1930 void SSL_get0_signed_cert_timestamp_list(const SSL *ssl, const uint8_t **out, 1931 size_t *out_len) { 1932 SSL_SESSION *session = SSL_get_session(ssl); 1933 if (ssl->server || !session || !session->signed_cert_timestamp_list) { 1934 *out_len = 0; 1935 *out = NULL; 1936 return; 1937 } 1938 1939 *out = CRYPTO_BUFFER_data(session->signed_cert_timestamp_list); 1940 *out_len = CRYPTO_BUFFER_len(session->signed_cert_timestamp_list); 1941 } 1942 1943 void SSL_get0_ocsp_response(const SSL *ssl, const uint8_t **out, 1944 size_t *out_len) { 1945 SSL_SESSION *session = SSL_get_session(ssl); 1946 if (ssl->server || !session || !session->ocsp_response) { 1947 *out_len = 0; 1948 *out = NULL; 1949 return; 1950 } 1951 1952 *out = CRYPTO_BUFFER_data(session->ocsp_response); 1953 *out_len = CRYPTO_BUFFER_len(session->ocsp_response); 1954 } 1955 1956 int SSL_set_tlsext_host_name(SSL *ssl, const char *name) { 1957 OPENSSL_free(ssl->tlsext_hostname); 1958 ssl->tlsext_hostname = NULL; 1959 1960 if (name == NULL) { 1961 return 1; 1962 } 1963 1964 size_t len = strlen(name); 1965 if (len == 0 || len > TLSEXT_MAXLEN_host_name) { 1966 OPENSSL_PUT_ERROR(SSL, SSL_R_SSL3_EXT_INVALID_SERVERNAME); 1967 return 0; 1968 } 1969 ssl->tlsext_hostname = BUF_strdup(name); 1970 if (ssl->tlsext_hostname == NULL) { 1971 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); 1972 return 0; 1973 } 1974 return 1; 1975 } 1976 1977 int SSL_CTX_set_tlsext_servername_callback( 1978 SSL_CTX *ctx, int (*callback)(SSL *ssl, int *out_alert, void *arg)) { 1979 ctx->tlsext_servername_callback = callback; 1980 return 1; 1981 } 1982 1983 int SSL_CTX_set_tlsext_servername_arg(SSL_CTX *ctx, void *arg) { 1984 ctx->tlsext_servername_arg = arg; 1985 return 1; 1986 } 1987 1988 int SSL_select_next_proto(uint8_t **out, uint8_t *out_len, const uint8_t *peer, 1989 unsigned peer_len, const uint8_t *supported, 1990 unsigned supported_len) { 1991 const uint8_t *result; 1992 int status; 1993 1994 // For each protocol in peer preference order, see if we support it. 1995 for (unsigned i = 0; i < peer_len;) { 1996 for (unsigned j = 0; j < supported_len;) { 1997 if (peer[i] == supported[j] && 1998 OPENSSL_memcmp(&peer[i + 1], &supported[j + 1], peer[i]) == 0) { 1999 // We found a match 2000 result = &peer[i]; 2001 status = OPENSSL_NPN_NEGOTIATED; 2002 goto found; 2003 } 2004 j += supported[j]; 2005 j++; 2006 } 2007 i += peer[i]; 2008 i++; 2009 } 2010 2011 // There's no overlap between our protocols and the peer's list. 2012 result = supported; 2013 status = OPENSSL_NPN_NO_OVERLAP; 2014 2015 found: 2016 *out = (uint8_t *)result + 1; 2017 *out_len = result[0]; 2018 return status; 2019 } 2020 2021 void SSL_get0_next_proto_negotiated(const SSL *ssl, const uint8_t **out_data, 2022 unsigned *out_len) { 2023 *out_data = ssl->s3->next_proto_negotiated.data(); 2024 *out_len = ssl->s3->next_proto_negotiated.size(); 2025 } 2026 2027 void SSL_CTX_set_next_protos_advertised_cb( 2028 SSL_CTX *ctx, 2029 int (*cb)(SSL *ssl, const uint8_t **out, unsigned *out_len, void *arg), 2030 void *arg) { 2031 ctx->next_protos_advertised_cb = cb; 2032 ctx->next_protos_advertised_cb_arg = arg; 2033 } 2034 2035 void SSL_CTX_set_next_proto_select_cb( 2036 SSL_CTX *ctx, int (*cb)(SSL *ssl, uint8_t **out, uint8_t *out_len, 2037 const uint8_t *in, unsigned in_len, void *arg), 2038 void *arg) { 2039 ctx->next_proto_select_cb = cb; 2040 ctx->next_proto_select_cb_arg = arg; 2041 } 2042 2043 int SSL_CTX_set_alpn_protos(SSL_CTX *ctx, const uint8_t *protos, 2044 unsigned protos_len) { 2045 OPENSSL_free(ctx->alpn_client_proto_list); 2046 ctx->alpn_client_proto_list = (uint8_t *)BUF_memdup(protos, protos_len); 2047 if (!ctx->alpn_client_proto_list) { 2048 return 1; 2049 } 2050 ctx->alpn_client_proto_list_len = protos_len; 2051 2052 return 0; 2053 } 2054 2055 int SSL_set_alpn_protos(SSL *ssl, const uint8_t *protos, unsigned protos_len) { 2056 OPENSSL_free(ssl->alpn_client_proto_list); 2057 ssl->alpn_client_proto_list = (uint8_t *)BUF_memdup(protos, protos_len); 2058 if (!ssl->alpn_client_proto_list) { 2059 return 1; 2060 } 2061 ssl->alpn_client_proto_list_len = protos_len; 2062 2063 return 0; 2064 } 2065 2066 void SSL_CTX_set_alpn_select_cb(SSL_CTX *ctx, 2067 int (*cb)(SSL *ssl, const uint8_t **out, 2068 uint8_t *out_len, const uint8_t *in, 2069 unsigned in_len, void *arg), 2070 void *arg) { 2071 ctx->alpn_select_cb = cb; 2072 ctx->alpn_select_cb_arg = arg; 2073 } 2074 2075 void SSL_get0_alpn_selected(const SSL *ssl, const uint8_t **out_data, 2076 unsigned *out_len) { 2077 if (SSL_in_early_data(ssl) && !ssl->server) { 2078 *out_data = ssl->s3->hs->early_session->early_alpn; 2079 *out_len = ssl->s3->hs->early_session->early_alpn_len; 2080 } else { 2081 *out_data = ssl->s3->alpn_selected.data(); 2082 *out_len = ssl->s3->alpn_selected.size(); 2083 } 2084 } 2085 2086 void SSL_CTX_set_allow_unknown_alpn_protos(SSL_CTX *ctx, int enabled) { 2087 ctx->allow_unknown_alpn_protos = !!enabled; 2088 } 2089 2090 void SSL_CTX_set_tls_channel_id_enabled(SSL_CTX *ctx, int enabled) { 2091 ctx->tlsext_channel_id_enabled = !!enabled; 2092 } 2093 2094 int SSL_CTX_enable_tls_channel_id(SSL_CTX *ctx) { 2095 SSL_CTX_set_tls_channel_id_enabled(ctx, 1); 2096 return 1; 2097 } 2098 2099 void SSL_set_tls_channel_id_enabled(SSL *ssl, int enabled) { 2100 ssl->tlsext_channel_id_enabled = !!enabled; 2101 } 2102 2103 int SSL_enable_tls_channel_id(SSL *ssl) { 2104 SSL_set_tls_channel_id_enabled(ssl, 1); 2105 return 1; 2106 } 2107 2108 static int is_p256_key(EVP_PKEY *private_key) { 2109 const EC_KEY *ec_key = EVP_PKEY_get0_EC_KEY(private_key); 2110 return ec_key != NULL && 2111 EC_GROUP_get_curve_name(EC_KEY_get0_group(ec_key)) == 2112 NID_X9_62_prime256v1; 2113 } 2114 2115 int SSL_CTX_set1_tls_channel_id(SSL_CTX *ctx, EVP_PKEY *private_key) { 2116 if (!is_p256_key(private_key)) { 2117 OPENSSL_PUT_ERROR(SSL, SSL_R_CHANNEL_ID_NOT_P256); 2118 return 0; 2119 } 2120 2121 EVP_PKEY_free(ctx->tlsext_channel_id_private); 2122 EVP_PKEY_up_ref(private_key); 2123 ctx->tlsext_channel_id_private = private_key; 2124 ctx->tlsext_channel_id_enabled = true; 2125 2126 return 1; 2127 } 2128 2129 int SSL_set1_tls_channel_id(SSL *ssl, EVP_PKEY *private_key) { 2130 if (!is_p256_key(private_key)) { 2131 OPENSSL_PUT_ERROR(SSL, SSL_R_CHANNEL_ID_NOT_P256); 2132 return 0; 2133 } 2134 2135 EVP_PKEY_free(ssl->tlsext_channel_id_private); 2136 EVP_PKEY_up_ref(private_key); 2137 ssl->tlsext_channel_id_private = private_key; 2138 ssl->tlsext_channel_id_enabled = true; 2139 2140 return 1; 2141 } 2142 2143 size_t SSL_get_tls_channel_id(SSL *ssl, uint8_t *out, size_t max_out) { 2144 if (!ssl->s3->tlsext_channel_id_valid) { 2145 return 0; 2146 } 2147 OPENSSL_memcpy(out, ssl->s3->tlsext_channel_id, 2148 (max_out < 64) ? max_out : 64); 2149 return 64; 2150 } 2151 2152 int SSL_set_token_binding_params(SSL *ssl, const uint8_t *params, size_t len) { 2153 if (len > 256) { 2154 OPENSSL_PUT_ERROR(SSL, ERR_R_OVERFLOW); 2155 return 0; 2156 } 2157 OPENSSL_free(ssl->token_binding_params); 2158 ssl->token_binding_params = (uint8_t *)BUF_memdup(params, len); 2159 if (!ssl->token_binding_params) { 2160 return 0; 2161 } 2162 ssl->token_binding_params_len = len; 2163 return 1; 2164 } 2165 2166 int SSL_is_token_binding_negotiated(const SSL *ssl) { 2167 return ssl->token_binding_negotiated; 2168 } 2169 2170 uint8_t SSL_get_negotiated_token_binding_param(const SSL *ssl) { 2171 return ssl->negotiated_token_binding_param; 2172 } 2173 2174 size_t SSL_get0_certificate_types(SSL *ssl, const uint8_t **out_types) { 2175 if (ssl->server || ssl->s3->hs == NULL) { 2176 *out_types = NULL; 2177 return 0; 2178 } 2179 *out_types = ssl->s3->hs->certificate_types.data(); 2180 return ssl->s3->hs->certificate_types.size(); 2181 } 2182 2183 EVP_PKEY *SSL_get_privatekey(const SSL *ssl) { 2184 if (ssl->cert != NULL) { 2185 return ssl->cert->privatekey; 2186 } 2187 2188 return NULL; 2189 } 2190 2191 EVP_PKEY *SSL_CTX_get0_privatekey(const SSL_CTX *ctx) { 2192 if (ctx->cert != NULL) { 2193 return ctx->cert->privatekey; 2194 } 2195 2196 return NULL; 2197 } 2198 2199 const SSL_CIPHER *SSL_get_current_cipher(const SSL *ssl) { 2200 return ssl->s3->aead_write_ctx->cipher(); 2201 } 2202 2203 int SSL_session_reused(const SSL *ssl) { 2204 return ssl->s3->session_reused || SSL_in_early_data(ssl); 2205 } 2206 2207 const COMP_METHOD *SSL_get_current_compression(SSL *ssl) { return NULL; } 2208 2209 const COMP_METHOD *SSL_get_current_expansion(SSL *ssl) { return NULL; } 2210 2211 int *SSL_get_server_tmp_key(SSL *ssl, EVP_PKEY **out_key) { return 0; } 2212 2213 void SSL_CTX_set_quiet_shutdown(SSL_CTX *ctx, int mode) { 2214 ctx->quiet_shutdown = (mode != 0); 2215 } 2216 2217 int SSL_CTX_get_quiet_shutdown(const SSL_CTX *ctx) { 2218 return ctx->quiet_shutdown; 2219 } 2220 2221 void SSL_set_quiet_shutdown(SSL *ssl, int mode) { 2222 ssl->quiet_shutdown = (mode != 0); 2223 } 2224 2225 int SSL_get_quiet_shutdown(const SSL *ssl) { return ssl->quiet_shutdown; } 2226 2227 void SSL_set_shutdown(SSL *ssl, int mode) { 2228 // It is an error to clear any bits that have already been set. (We can't try 2229 // to get a second close_notify or send two.) 2230 assert((SSL_get_shutdown(ssl) & mode) == SSL_get_shutdown(ssl)); 2231 2232 if (mode & SSL_RECEIVED_SHUTDOWN && 2233 ssl->s3->read_shutdown == ssl_shutdown_none) { 2234 ssl->s3->read_shutdown = ssl_shutdown_close_notify; 2235 } 2236 2237 if (mode & SSL_SENT_SHUTDOWN && 2238 ssl->s3->write_shutdown == ssl_shutdown_none) { 2239 ssl->s3->write_shutdown = ssl_shutdown_close_notify; 2240 } 2241 } 2242 2243 int SSL_get_shutdown(const SSL *ssl) { 2244 int ret = 0; 2245 if (ssl->s3->read_shutdown != ssl_shutdown_none) { 2246 // Historically, OpenSSL set |SSL_RECEIVED_SHUTDOWN| on both close_notify 2247 // and fatal alert. 2248 ret |= SSL_RECEIVED_SHUTDOWN; 2249 } 2250 if (ssl->s3->write_shutdown == ssl_shutdown_close_notify) { 2251 // Historically, OpenSSL set |SSL_SENT_SHUTDOWN| on only close_notify. 2252 ret |= SSL_SENT_SHUTDOWN; 2253 } 2254 return ret; 2255 } 2256 2257 SSL_CTX *SSL_get_SSL_CTX(const SSL *ssl) { return ssl->ctx; } 2258 2259 SSL_CTX *SSL_set_SSL_CTX(SSL *ssl, SSL_CTX *ctx) { 2260 if (ssl->ctx == ctx) { 2261 return ssl->ctx; 2262 } 2263 2264 // One cannot change the X.509 callbacks during a connection. 2265 if (ssl->ctx->x509_method != ctx->x509_method) { 2266 assert(0); 2267 return NULL; 2268 } 2269 2270 if (ctx == NULL) { 2271 ctx = ssl->session_ctx; 2272 } 2273 2274 ssl_cert_free(ssl->cert); 2275 ssl->cert = ssl_cert_dup(ctx->cert); 2276 2277 SSL_CTX_up_ref(ctx); 2278 SSL_CTX_free(ssl->ctx); 2279 ssl->ctx = ctx; 2280 2281 return ssl->ctx; 2282 } 2283 2284 void SSL_set_info_callback(SSL *ssl, 2285 void (*cb)(const SSL *ssl, int type, int value)) { 2286 ssl->info_callback = cb; 2287 } 2288 2289 void (*SSL_get_info_callback(const SSL *ssl))(const SSL *ssl, int type, 2290 int value) { 2291 return ssl->info_callback; 2292 } 2293 2294 int SSL_state(const SSL *ssl) { 2295 return SSL_in_init(ssl) ? SSL_ST_INIT : SSL_ST_OK; 2296 } 2297 2298 void SSL_set_state(SSL *ssl, int state) { } 2299 2300 char *SSL_get_shared_ciphers(const SSL *ssl, char *buf, int len) { 2301 if (len <= 0) { 2302 return NULL; 2303 } 2304 buf[0] = '\0'; 2305 return buf; 2306 } 2307 2308 int SSL_get_ex_new_index(long argl, void *argp, CRYPTO_EX_unused *unused, 2309 CRYPTO_EX_dup *dup_unused, CRYPTO_EX_free *free_func) { 2310 int index; 2311 if (!CRYPTO_get_ex_new_index(&g_ex_data_class_ssl, &index, argl, argp, 2312 free_func)) { 2313 return -1; 2314 } 2315 return index; 2316 } 2317 2318 int SSL_set_ex_data(SSL *ssl, int idx, void *data) { 2319 return CRYPTO_set_ex_data(&ssl->ex_data, idx, data); 2320 } 2321 2322 void *SSL_get_ex_data(const SSL *ssl, int idx) { 2323 return CRYPTO_get_ex_data(&ssl->ex_data, idx); 2324 } 2325 2326 int SSL_CTX_get_ex_new_index(long argl, void *argp, CRYPTO_EX_unused *unused, 2327 CRYPTO_EX_dup *dup_unused, 2328 CRYPTO_EX_free *free_func) { 2329 int index; 2330 if (!CRYPTO_get_ex_new_index(&g_ex_data_class_ssl_ctx, &index, argl, argp, 2331 free_func)) { 2332 return -1; 2333 } 2334 return index; 2335 } 2336 2337 int SSL_CTX_set_ex_data(SSL_CTX *ctx, int idx, void *data) { 2338 return CRYPTO_set_ex_data(&ctx->ex_data, idx, data); 2339 } 2340 2341 void *SSL_CTX_get_ex_data(const SSL_CTX *ctx, int idx) { 2342 return CRYPTO_get_ex_data(&ctx->ex_data, idx); 2343 } 2344 2345 int SSL_want(const SSL *ssl) { return ssl->s3->rwstate; } 2346 2347 void SSL_CTX_set_tmp_rsa_callback(SSL_CTX *ctx, 2348 RSA *(*cb)(SSL *ssl, int is_export, 2349 int keylength)) {} 2350 2351 void SSL_set_tmp_rsa_callback(SSL *ssl, RSA *(*cb)(SSL *ssl, int is_export, 2352 int keylength)) {} 2353 2354 void SSL_CTX_set_tmp_dh_callback(SSL_CTX *ctx, 2355 DH *(*cb)(SSL *ssl, int is_export, 2356 int keylength)) {} 2357 2358 void SSL_set_tmp_dh_callback(SSL *ssl, DH *(*cb)(SSL *ssl, int is_export, 2359 int keylength)) {} 2360 2361 static int use_psk_identity_hint(char **out, const char *identity_hint) { 2362 if (identity_hint != NULL && strlen(identity_hint) > PSK_MAX_IDENTITY_LEN) { 2363 OPENSSL_PUT_ERROR(SSL, SSL_R_DATA_LENGTH_TOO_LONG); 2364 return 0; 2365 } 2366 2367 // Clear currently configured hint, if any. 2368 OPENSSL_free(*out); 2369 *out = NULL; 2370 2371 // Treat the empty hint as not supplying one. Plain PSK makes it possible to 2372 // send either no hint (omit ServerKeyExchange) or an empty hint, while 2373 // ECDHE_PSK can only spell empty hint. Having different capabilities is odd, 2374 // so we interpret empty and missing as identical. 2375 if (identity_hint != NULL && identity_hint[0] != '\0') { 2376 *out = BUF_strdup(identity_hint); 2377 if (*out == NULL) { 2378 return 0; 2379 } 2380 } 2381 2382 return 1; 2383 } 2384 2385 int SSL_CTX_use_psk_identity_hint(SSL_CTX *ctx, const char *identity_hint) { 2386 return use_psk_identity_hint(&ctx->psk_identity_hint, identity_hint); 2387 } 2388 2389 int SSL_use_psk_identity_hint(SSL *ssl, const char *identity_hint) { 2390 return use_psk_identity_hint(&ssl->psk_identity_hint, identity_hint); 2391 } 2392 2393 const char *SSL_get_psk_identity_hint(const SSL *ssl) { 2394 if (ssl == NULL) { 2395 return NULL; 2396 } 2397 return ssl->psk_identity_hint; 2398 } 2399 2400 const char *SSL_get_psk_identity(const SSL *ssl) { 2401 if (ssl == NULL) { 2402 return NULL; 2403 } 2404 SSL_SESSION *session = SSL_get_session(ssl); 2405 if (session == NULL) { 2406 return NULL; 2407 } 2408 return session->psk_identity; 2409 } 2410 2411 void SSL_set_psk_client_callback( 2412 SSL *ssl, unsigned (*cb)(SSL *ssl, const char *hint, char *identity, 2413 unsigned max_identity_len, uint8_t *psk, 2414 unsigned max_psk_len)) { 2415 ssl->psk_client_callback = cb; 2416 } 2417 2418 void SSL_CTX_set_psk_client_callback( 2419 SSL_CTX *ctx, unsigned (*cb)(SSL *ssl, const char *hint, char *identity, 2420 unsigned max_identity_len, uint8_t *psk, 2421 unsigned max_psk_len)) { 2422 ctx->psk_client_callback = cb; 2423 } 2424 2425 void SSL_set_psk_server_callback( 2426 SSL *ssl, unsigned (*cb)(SSL *ssl, const char *identity, uint8_t *psk, 2427 unsigned max_psk_len)) { 2428 ssl->psk_server_callback = cb; 2429 } 2430 2431 void SSL_CTX_set_psk_server_callback( 2432 SSL_CTX *ctx, unsigned (*cb)(SSL *ssl, const char *identity, 2433 uint8_t *psk, unsigned max_psk_len)) { 2434 ctx->psk_server_callback = cb; 2435 } 2436 2437 int SSL_set_dummy_pq_padding_size(SSL *ssl, size_t num_bytes) { 2438 if (num_bytes > 0xffff) { 2439 return 0; 2440 } 2441 2442 ssl->dummy_pq_padding_len = num_bytes; 2443 return 1; 2444 } 2445 2446 void SSL_CTX_set_msg_callback(SSL_CTX *ctx, 2447 void (*cb)(int write_p, int version, 2448 int content_type, const void *buf, 2449 size_t len, SSL *ssl, void *arg)) { 2450 ctx->msg_callback = cb; 2451 } 2452 2453 void SSL_CTX_set_msg_callback_arg(SSL_CTX *ctx, void *arg) { 2454 ctx->msg_callback_arg = arg; 2455 } 2456 2457 void SSL_set_msg_callback(SSL *ssl, 2458 void (*cb)(int write_p, int version, int content_type, 2459 const void *buf, size_t len, SSL *ssl, 2460 void *arg)) { 2461 ssl->msg_callback = cb; 2462 } 2463 2464 void SSL_set_msg_callback_arg(SSL *ssl, void *arg) { 2465 ssl->msg_callback_arg = arg; 2466 } 2467 2468 void SSL_CTX_set_keylog_callback(SSL_CTX *ctx, 2469 void (*cb)(const SSL *ssl, const char *line)) { 2470 ctx->keylog_callback = cb; 2471 } 2472 2473 void (*SSL_CTX_get_keylog_callback(const SSL_CTX *ctx))(const SSL *ssl, 2474 const char *line) { 2475 return ctx->keylog_callback; 2476 } 2477 2478 void SSL_CTX_set_current_time_cb(SSL_CTX *ctx, 2479 void (*cb)(const SSL *ssl, 2480 struct timeval *out_clock)) { 2481 ctx->current_time_cb = cb; 2482 } 2483 2484 int SSL_is_init_finished(const SSL *ssl) { 2485 return !SSL_in_init(ssl); 2486 } 2487 2488 int SSL_in_init(const SSL *ssl) { 2489 // This returns false once all the handshake state has been finalized, to 2490 // allow callbacks and getters based on SSL_in_init to return the correct 2491 // values. 2492 SSL_HANDSHAKE *hs = ssl->s3->hs.get(); 2493 return hs != nullptr && !hs->handshake_finalized; 2494 } 2495 2496 int SSL_in_false_start(const SSL *ssl) { 2497 if (ssl->s3->hs == NULL) { 2498 return 0; 2499 } 2500 return ssl->s3->hs->in_false_start; 2501 } 2502 2503 int SSL_cutthrough_complete(const SSL *ssl) { 2504 return SSL_in_false_start(ssl); 2505 } 2506 2507 void SSL_get_structure_sizes(size_t *ssl_size, size_t *ssl_ctx_size, 2508 size_t *ssl_session_size) { 2509 *ssl_size = sizeof(SSL); 2510 *ssl_ctx_size = sizeof(SSL_CTX); 2511 *ssl_session_size = sizeof(SSL_SESSION); 2512 } 2513 2514 int SSL_is_server(const SSL *ssl) { return ssl->server; } 2515 2516 int SSL_is_dtls(const SSL *ssl) { return ssl->method->is_dtls; } 2517 2518 void SSL_CTX_set_select_certificate_cb( 2519 SSL_CTX *ctx, 2520 enum ssl_select_cert_result_t (*cb)(const SSL_CLIENT_HELLO *)) { 2521 ctx->select_certificate_cb = cb; 2522 } 2523 2524 void SSL_CTX_set_dos_protection_cb(SSL_CTX *ctx, 2525 int (*cb)(const SSL_CLIENT_HELLO *)) { 2526 ctx->dos_protection_cb = cb; 2527 } 2528 2529 void SSL_set_renegotiate_mode(SSL *ssl, enum ssl_renegotiate_mode_t mode) { 2530 ssl->renegotiate_mode = mode; 2531 } 2532 2533 int SSL_get_ivs(const SSL *ssl, const uint8_t **out_read_iv, 2534 const uint8_t **out_write_iv, size_t *out_iv_len) { 2535 size_t write_iv_len; 2536 if (!ssl->s3->aead_read_ctx->GetIV(out_read_iv, out_iv_len) || 2537 !ssl->s3->aead_write_ctx->GetIV(out_write_iv, &write_iv_len) || 2538 *out_iv_len != write_iv_len) { 2539 return 0; 2540 } 2541 2542 return 1; 2543 } 2544 2545 static uint64_t be_to_u64(const uint8_t in[8]) { 2546 return (((uint64_t)in[0]) << 56) | (((uint64_t)in[1]) << 48) | 2547 (((uint64_t)in[2]) << 40) | (((uint64_t)in[3]) << 32) | 2548 (((uint64_t)in[4]) << 24) | (((uint64_t)in[5]) << 16) | 2549 (((uint64_t)in[6]) << 8) | ((uint64_t)in[7]); 2550 } 2551 2552 uint64_t SSL_get_read_sequence(const SSL *ssl) { 2553 // TODO(davidben): Internally represent sequence numbers as uint64_t. 2554 if (SSL_is_dtls(ssl)) { 2555 // max_seq_num already includes the epoch. 2556 assert(ssl->d1->r_epoch == (ssl->d1->bitmap.max_seq_num >> 48)); 2557 return ssl->d1->bitmap.max_seq_num; 2558 } 2559 return be_to_u64(ssl->s3->read_sequence); 2560 } 2561 2562 uint64_t SSL_get_write_sequence(const SSL *ssl) { 2563 uint64_t ret = be_to_u64(ssl->s3->write_sequence); 2564 if (SSL_is_dtls(ssl)) { 2565 assert((ret >> 48) == 0); 2566 ret |= ((uint64_t)ssl->d1->w_epoch) << 48; 2567 } 2568 return ret; 2569 } 2570 2571 uint16_t SSL_get_peer_signature_algorithm(const SSL *ssl) { 2572 // TODO(davidben): This checks the wrong session if there is a renegotiation 2573 // in progress. 2574 SSL_SESSION *session = SSL_get_session(ssl); 2575 if (session == NULL) { 2576 return 0; 2577 } 2578 2579 return session->peer_signature_algorithm; 2580 } 2581 2582 size_t SSL_get_client_random(const SSL *ssl, uint8_t *out, size_t max_out) { 2583 if (max_out == 0) { 2584 return sizeof(ssl->s3->client_random); 2585 } 2586 if (max_out > sizeof(ssl->s3->client_random)) { 2587 max_out = sizeof(ssl->s3->client_random); 2588 } 2589 OPENSSL_memcpy(out, ssl->s3->client_random, max_out); 2590 return max_out; 2591 } 2592 2593 size_t SSL_get_server_random(const SSL *ssl, uint8_t *out, size_t max_out) { 2594 if (max_out == 0) { 2595 return sizeof(ssl->s3->server_random); 2596 } 2597 if (max_out > sizeof(ssl->s3->server_random)) { 2598 max_out = sizeof(ssl->s3->server_random); 2599 } 2600 OPENSSL_memcpy(out, ssl->s3->server_random, max_out); 2601 return max_out; 2602 } 2603 2604 const SSL_CIPHER *SSL_get_pending_cipher(const SSL *ssl) { 2605 SSL_HANDSHAKE *hs = ssl->s3->hs.get(); 2606 if (hs == NULL) { 2607 return NULL; 2608 } 2609 return hs->new_cipher; 2610 } 2611 2612 void SSL_set_retain_only_sha256_of_client_certs(SSL *ssl, int enabled) { 2613 ssl->retain_only_sha256_of_client_certs = !!enabled; 2614 } 2615 2616 void SSL_CTX_set_retain_only_sha256_of_client_certs(SSL_CTX *ctx, int enabled) { 2617 ctx->retain_only_sha256_of_client_certs = !!enabled; 2618 } 2619 2620 void SSL_CTX_set_grease_enabled(SSL_CTX *ctx, int enabled) { 2621 ctx->grease_enabled = !!enabled; 2622 } 2623 2624 int32_t SSL_get_ticket_age_skew(const SSL *ssl) { 2625 return ssl->s3->ticket_age_skew; 2626 } 2627 2628 void SSL_CTX_set_false_start_allowed_without_alpn(SSL_CTX *ctx, int allowed) { 2629 ctx->false_start_allowed_without_alpn = !!allowed; 2630 } 2631 2632 int SSL_is_draft_downgrade(const SSL *ssl) { return ssl->s3->draft_downgrade; } 2633 2634 int SSL_clear(SSL *ssl) { 2635 // In OpenSSL, reusing a client |SSL| with |SSL_clear| causes the previously 2636 // established session to be offered the next time around. wpa_supplicant 2637 // depends on this behavior, so emulate it. 2638 UniquePtr<SSL_SESSION> session; 2639 if (!ssl->server && ssl->s3->established_session != NULL) { 2640 session.reset(ssl->s3->established_session.get()); 2641 SSL_SESSION_up_ref(session.get()); 2642 } 2643 2644 // The ssl->d1->mtu is simultaneously configuration (preserved across 2645 // clear) and connection-specific state (gets reset). 2646 // 2647 // TODO(davidben): Avoid this. 2648 unsigned mtu = 0; 2649 if (ssl->d1 != NULL) { 2650 mtu = ssl->d1->mtu; 2651 } 2652 2653 ssl->method->ssl_free(ssl); 2654 if (!ssl->method->ssl_new(ssl)) { 2655 return 0; 2656 } 2657 2658 if (SSL_is_dtls(ssl) && (SSL_get_options(ssl) & SSL_OP_NO_QUERY_MTU)) { 2659 ssl->d1->mtu = mtu; 2660 } 2661 2662 if (session != nullptr) { 2663 SSL_set_session(ssl, session.get()); 2664 } 2665 2666 return 1; 2667 } 2668 2669 int SSL_CTX_sess_connect(const SSL_CTX *ctx) { return 0; } 2670 int SSL_CTX_sess_connect_good(const SSL_CTX *ctx) { return 0; } 2671 int SSL_CTX_sess_connect_renegotiate(const SSL_CTX *ctx) { return 0; } 2672 int SSL_CTX_sess_accept(const SSL_CTX *ctx) { return 0; } 2673 int SSL_CTX_sess_accept_renegotiate(const SSL_CTX *ctx) { return 0; } 2674 int SSL_CTX_sess_accept_good(const SSL_CTX *ctx) { return 0; } 2675 int SSL_CTX_sess_hits(const SSL_CTX *ctx) { return 0; } 2676 int SSL_CTX_sess_cb_hits(const SSL_CTX *ctx) { return 0; } 2677 int SSL_CTX_sess_misses(const SSL_CTX *ctx) { return 0; } 2678 int SSL_CTX_sess_timeouts(const SSL_CTX *ctx) { return 0; } 2679 int SSL_CTX_sess_cache_full(const SSL_CTX *ctx) { return 0; } 2680 2681 int SSL_num_renegotiations(const SSL *ssl) { 2682 return SSL_total_renegotiations(ssl); 2683 } 2684 2685 int SSL_CTX_need_tmp_RSA(const SSL_CTX *ctx) { return 0; } 2686 int SSL_need_tmp_RSA(const SSL *ssl) { return 0; } 2687 int SSL_CTX_set_tmp_rsa(SSL_CTX *ctx, const RSA *rsa) { return 1; } 2688 int SSL_set_tmp_rsa(SSL *ssl, const RSA *rsa) { return 1; } 2689 void ERR_load_SSL_strings(void) {} 2690 void SSL_load_error_strings(void) {} 2691 int SSL_cache_hit(SSL *ssl) { return SSL_session_reused(ssl); } 2692 2693 int SSL_CTX_set_tmp_ecdh(SSL_CTX *ctx, const EC_KEY *ec_key) { 2694 if (ec_key == NULL || EC_KEY_get0_group(ec_key) == NULL) { 2695 OPENSSL_PUT_ERROR(SSL, ERR_R_PASSED_NULL_PARAMETER); 2696 return 0; 2697 } 2698 int nid = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec_key)); 2699 return SSL_CTX_set1_curves(ctx, &nid, 1); 2700 } 2701 2702 int SSL_set_tmp_ecdh(SSL *ssl, const EC_KEY *ec_key) { 2703 if (ec_key == NULL || EC_KEY_get0_group(ec_key) == NULL) { 2704 OPENSSL_PUT_ERROR(SSL, ERR_R_PASSED_NULL_PARAMETER); 2705 return 0; 2706 } 2707 int nid = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec_key)); 2708 return SSL_set1_curves(ssl, &nid, 1); 2709 } 2710 2711 void SSL_CTX_set_ticket_aead_method(SSL_CTX *ctx, 2712 const SSL_TICKET_AEAD_METHOD *aead_method) { 2713 ctx->ticket_aead_method = aead_method; 2714 } 2715