Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 1 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 2 | * All rights reserved. |
| 3 | * |
| 4 | * This package is an SSL implementation written |
| 5 | * by Eric Young (eay@cryptsoft.com). |
| 6 | * The implementation was written so as to conform with Netscapes SSL. |
| 7 | * |
| 8 | * This library is free for commercial and non-commercial use as long as |
| 9 | * the following conditions are aheared to. The following conditions |
| 10 | * apply to all code found in this distribution, be it the RC4, RSA, |
| 11 | * lhash, DES, etc., code; not just the SSL code. The SSL documentation |
| 12 | * included with this distribution is covered by the same copyright terms |
| 13 | * except that the holder is Tim Hudson (tjh@cryptsoft.com). |
| 14 | * |
| 15 | * Copyright remains Eric Young's, and as such any Copyright notices in |
| 16 | * the code are not to be removed. |
| 17 | * If this package is used in a product, Eric Young should be given attribution |
| 18 | * as the author of the parts of the library used. |
| 19 | * This can be in the form of a textual message at program startup or |
| 20 | * in documentation (online or textual) provided with the package. |
| 21 | * |
| 22 | * Redistribution and use in source and binary forms, with or without |
| 23 | * modification, are permitted provided that the following conditions |
| 24 | * are met: |
| 25 | * 1. Redistributions of source code must retain the copyright |
| 26 | * notice, this list of conditions and the following disclaimer. |
| 27 | * 2. Redistributions in binary form must reproduce the above copyright |
| 28 | * notice, this list of conditions and the following disclaimer in the |
| 29 | * documentation and/or other materials provided with the distribution. |
| 30 | * 3. All advertising materials mentioning features or use of this software |
| 31 | * must display the following acknowledgement: |
| 32 | * "This product includes cryptographic software written by |
| 33 | * Eric Young (eay@cryptsoft.com)" |
| 34 | * The word 'cryptographic' can be left out if the rouines from the library |
| 35 | * being used are not cryptographic related :-). |
| 36 | * 4. If you include any Windows specific code (or a derivative thereof) from |
| 37 | * the apps directory (application code) you must include an acknowledgement: |
| 38 | * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" |
| 39 | * |
| 40 | * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND |
| 41 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
| 42 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE |
| 43 | * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE |
| 44 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL |
| 45 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS |
| 46 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) |
| 47 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT |
| 48 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY |
| 49 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF |
| 50 | * SUCH DAMAGE. |
| 51 | * |
| 52 | * The licence and distribution terms for any publically available version or |
| 53 | * derivative of this code cannot be changed. i.e. this code cannot simply be |
| 54 | * copied and put under another distribution licence |
| 55 | * [including the GNU Public Licence.] |
| 56 | */ |
| 57 | /* ==================================================================== |
| 58 | * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved. |
| 59 | * |
| 60 | * Redistribution and use in source and binary forms, with or without |
| 61 | * modification, are permitted provided that the following conditions |
| 62 | * are met: |
| 63 | * |
| 64 | * 1. Redistributions of source code must retain the above copyright |
| 65 | * notice, this list of conditions and the following disclaimer. |
| 66 | * |
| 67 | * 2. Redistributions in binary form must reproduce the above copyright |
| 68 | * notice, this list of conditions and the following disclaimer in |
| 69 | * the documentation and/or other materials provided with the |
| 70 | * distribution. |
| 71 | * |
| 72 | * 3. All advertising materials mentioning features or use of this |
| 73 | * software must display the following acknowledgment: |
| 74 | * "This product includes software developed by the OpenSSL Project |
| 75 | * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" |
| 76 | * |
| 77 | * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to |
| 78 | * endorse or promote products derived from this software without |
| 79 | * prior written permission. For written permission, please contact |
| 80 | * openssl-core@openssl.org. |
| 81 | * |
| 82 | * 5. Products derived from this software may not be called "OpenSSL" |
| 83 | * nor may "OpenSSL" appear in their names without prior written |
| 84 | * permission of the OpenSSL Project. |
| 85 | * |
| 86 | * 6. Redistributions of any form whatsoever must retain the following |
| 87 | * acknowledgment: |
| 88 | * "This product includes software developed by the OpenSSL Project |
| 89 | * for use in the OpenSSL Toolkit (http://www.openssl.org/)" |
| 90 | * |
| 91 | * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY |
| 92 | * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
| 93 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR |
| 94 | * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR |
| 95 | * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, |
| 96 | * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT |
| 97 | * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; |
| 98 | * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) |
| 99 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, |
| 100 | * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) |
| 101 | * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED |
| 102 | * OF THE POSSIBILITY OF SUCH DAMAGE. |
| 103 | * ==================================================================== |
| 104 | * |
| 105 | * This product includes cryptographic software written by Eric Young |
| 106 | * (eay@cryptsoft.com). This product includes software written by Tim |
| 107 | * Hudson (tjh@cryptsoft.com). |
| 108 | * |
| 109 | */ |
| 110 | /* ==================================================================== |
| 111 | * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. |
| 112 | * ECC cipher suite support in OpenSSL originally developed by |
| 113 | * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project. |
| 114 | */ |
| 115 | /* ==================================================================== |
| 116 | * Copyright 2005 Nokia. All rights reserved. |
| 117 | * |
| 118 | * The portions of the attached software ("Contribution") is developed by |
| 119 | * Nokia Corporation and is licensed pursuant to the OpenSSL open source |
| 120 | * license. |
| 121 | * |
| 122 | * The Contribution, originally written by Mika Kousa and Pasi Eronen of |
| 123 | * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites |
| 124 | * support (see RFC 4279) to OpenSSL. |
| 125 | * |
| 126 | * No patent licenses or other rights except those expressly stated in |
| 127 | * the OpenSSL open source license shall be deemed granted or received |
| 128 | * expressly, by implication, estoppel, or otherwise. |
| 129 | * |
| 130 | * No assurances are provided by Nokia that the Contribution does not |
| 131 | * infringe the patent or other intellectual property rights of any third |
| 132 | * party or that the license provides you with all the necessary rights |
| 133 | * to make use of the Contribution. |
| 134 | * |
| 135 | * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN |
| 136 | * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA |
| 137 | * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY |
| 138 | * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR |
| 139 | * OTHERWISE. |
| 140 | */ |
| 141 | |
Adam Langley | e9ada86 | 2015-05-11 17:20:37 -0700 | [diff] [blame] | 142 | #ifndef OPENSSL_HEADER_SSL_INTERNAL_H |
| 143 | #define OPENSSL_HEADER_SSL_INTERNAL_H |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 144 | |
| 145 | #include <openssl/base.h> |
| 146 | |
Robert Sloan | fe7cd21 | 2017-08-07 09:03:39 -0700 | [diff] [blame] | 147 | #include <stdlib.h> |
| 148 | |
Robert Sloan | 4562e9d | 2017-10-02 10:26:51 -0700 | [diff] [blame] | 149 | #include <limits> |
Robert Sloan | fe7cd21 | 2017-08-07 09:03:39 -0700 | [diff] [blame] | 150 | #include <new> |
Robert Sloan | b6d070c | 2017-07-24 08:40:01 -0700 | [diff] [blame] | 151 | #include <type_traits> |
| 152 | #include <utility> |
| 153 | |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 154 | #include <openssl/aead.h> |
Robert Sloan | b6d070c | 2017-07-24 08:40:01 -0700 | [diff] [blame] | 155 | #include <openssl/err.h> |
Robert Sloan | 921ef2c | 2017-10-17 09:02:20 -0700 | [diff] [blame] | 156 | #include <openssl/lhash.h> |
Robert Sloan | b6d070c | 2017-07-24 08:40:01 -0700 | [diff] [blame] | 157 | #include <openssl/mem.h> |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 158 | #include <openssl/ssl.h> |
Robert Sloan | 4562e9d | 2017-10-02 10:26:51 -0700 | [diff] [blame] | 159 | #include <openssl/span.h> |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 160 | #include <openssl/stack.h> |
| 161 | |
Robert Sloan | 921ef2c | 2017-10-17 09:02:20 -0700 | [diff] [blame] | 162 | #include "../crypto/err/internal.h" |
Robert Sloan | 4562e9d | 2017-10-02 10:26:51 -0700 | [diff] [blame] | 163 | #include "../crypto/internal.h" |
| 164 | |
David Benjamin | f0c4a6c | 2016-08-11 13:26:41 -0400 | [diff] [blame] | 165 | |
Adam Langley | e9ada86 | 2015-05-11 17:20:37 -0700 | [diff] [blame] | 166 | #if defined(OPENSSL_WINDOWS) |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 167 | // Windows defines struct timeval in winsock2.h. |
David Benjamin | 6e899c7 | 2016-06-09 18:02:18 -0400 | [diff] [blame] | 168 | OPENSSL_MSVC_PRAGMA(warning(push, 3)) |
Adam Langley | e9ada86 | 2015-05-11 17:20:37 -0700 | [diff] [blame] | 169 | #include <winsock2.h> |
David Benjamin | 6e899c7 | 2016-06-09 18:02:18 -0400 | [diff] [blame] | 170 | OPENSSL_MSVC_PRAGMA(warning(pop)) |
Adam Langley | e9ada86 | 2015-05-11 17:20:37 -0700 | [diff] [blame] | 171 | #else |
Adam Langley | 4139edb | 2016-01-13 15:00:54 -0800 | [diff] [blame] | 172 | #include <sys/time.h> |
Adam Langley | e9ada86 | 2015-05-11 17:20:37 -0700 | [diff] [blame] | 173 | #endif |
| 174 | |
David Benjamin | c895d6b | 2016-08-11 13:26:41 -0400 | [diff] [blame] | 175 | |
Robert Sloan | b6d070c | 2017-07-24 08:40:01 -0700 | [diff] [blame] | 176 | namespace bssl { |
| 177 | |
| 178 | struct SSL_HANDSHAKE; |
Robert Sloan | 921ef2c | 2017-10-17 09:02:20 -0700 | [diff] [blame] | 179 | struct SSL_PROTOCOL_METHOD; |
Robert Sloan | b6d070c | 2017-07-24 08:40:01 -0700 | [diff] [blame] | 180 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 181 | // C++ utilities. |
Robert Sloan | b6d070c | 2017-07-24 08:40:01 -0700 | [diff] [blame] | 182 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 183 | // New behaves like |new| but uses |OPENSSL_malloc| for memory allocation. It |
| 184 | // returns nullptr on allocation error. It only implements single-object |
| 185 | // allocation and not new T[n]. |
| 186 | // |
| 187 | // Note: unlike |new|, this does not support non-public constructors. |
Robert Sloan | b6d070c | 2017-07-24 08:40:01 -0700 | [diff] [blame] | 188 | template <typename T, typename... Args> |
| 189 | T *New(Args &&... args) { |
Robert Sloan | fe7cd21 | 2017-08-07 09:03:39 -0700 | [diff] [blame] | 190 | void *t = OPENSSL_malloc(sizeof(T)); |
Robert Sloan | b6d070c | 2017-07-24 08:40:01 -0700 | [diff] [blame] | 191 | if (t == nullptr) { |
| 192 | OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); |
| 193 | return nullptr; |
| 194 | } |
Robert Sloan | fe7cd21 | 2017-08-07 09:03:39 -0700 | [diff] [blame] | 195 | return new (t) T(std::forward<Args>(args)...); |
Robert Sloan | b6d070c | 2017-07-24 08:40:01 -0700 | [diff] [blame] | 196 | } |
| 197 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 198 | // Delete behaves like |delete| but uses |OPENSSL_free| to release memory. |
| 199 | // |
| 200 | // Note: unlike |delete| this does not support non-public destructors. |
Robert Sloan | b6d070c | 2017-07-24 08:40:01 -0700 | [diff] [blame] | 201 | template <typename T> |
| 202 | void Delete(T *t) { |
| 203 | if (t != nullptr) { |
| 204 | t->~T(); |
| 205 | OPENSSL_free(t); |
| 206 | } |
| 207 | } |
| 208 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 209 | // All types with kAllowUniquePtr set may be used with UniquePtr. Other types |
| 210 | // may be C structs which require a |BORINGSSL_MAKE_DELETER| registration. |
Robert Sloan | b6d070c | 2017-07-24 08:40:01 -0700 | [diff] [blame] | 211 | namespace internal { |
| 212 | template <typename T> |
Robert Sloan | fe7cd21 | 2017-08-07 09:03:39 -0700 | [diff] [blame] | 213 | struct DeleterImpl<T, typename std::enable_if<T::kAllowUniquePtr>::type> { |
Robert Sloan | b6d070c | 2017-07-24 08:40:01 -0700 | [diff] [blame] | 214 | static void Free(T *t) { Delete(t); } |
| 215 | }; |
| 216 | } |
| 217 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 218 | // MakeUnique behaves like |std::make_unique| but returns nullptr on allocation |
| 219 | // error. |
Robert Sloan | b6d070c | 2017-07-24 08:40:01 -0700 | [diff] [blame] | 220 | template <typename T, typename... Args> |
| 221 | UniquePtr<T> MakeUnique(Args &&... args) { |
| 222 | return UniquePtr<T>(New<T>(std::forward<Args>(args)...)); |
| 223 | } |
| 224 | |
Robert Sloan | fe7cd21 | 2017-08-07 09:03:39 -0700 | [diff] [blame] | 225 | #if defined(BORINGSSL_ALLOW_CXX_RUNTIME) |
| 226 | #define HAS_VIRTUAL_DESTRUCTOR |
| 227 | #define PURE_VIRTUAL = 0 |
| 228 | #else |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 229 | // HAS_VIRTUAL_DESTRUCTOR should be declared in any base class which defines a |
| 230 | // virtual destructor. This avoids a dependency on |_ZdlPv| and prevents the |
| 231 | // class from being used with |delete|. |
Robert Sloan | fe7cd21 | 2017-08-07 09:03:39 -0700 | [diff] [blame] | 232 | #define HAS_VIRTUAL_DESTRUCTOR \ |
| 233 | void operator delete(void *) { abort(); } |
| 234 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 235 | // PURE_VIRTUAL should be used instead of = 0 when defining pure-virtual |
| 236 | // functions. This avoids a dependency on |__cxa_pure_virtual| but loses |
| 237 | // compile-time checking. |
Robert Sloan | fe7cd21 | 2017-08-07 09:03:39 -0700 | [diff] [blame] | 238 | #define PURE_VIRTUAL { abort(); } |
| 239 | #endif |
| 240 | |
Robert Sloan | 921ef2c | 2017-10-17 09:02:20 -0700 | [diff] [blame] | 241 | // CONSTEXPR_ARRAY works around a VS 2015 bug where ranged for loops don't work |
| 242 | // on constexpr arrays. |
| 243 | #if defined(_MSC_VER) && !defined(__clang__) && _MSC_VER < 1910 |
| 244 | #define CONSTEXPR_ARRAY const |
| 245 | #else |
| 246 | #define CONSTEXPR_ARRAY constexpr |
| 247 | #endif |
| 248 | |
Robert Sloan | 4562e9d | 2017-10-02 10:26:51 -0700 | [diff] [blame] | 249 | // Array<T> is an owning array of elements of |T|. |
| 250 | template <typename T> |
| 251 | class Array { |
| 252 | public: |
| 253 | // Array's default constructor creates an empty array. |
| 254 | Array() {} |
| 255 | Array(const Array &) = delete; |
| 256 | Array(Array &&other) { *this = std::move(other); } |
| 257 | |
| 258 | ~Array() { Reset(); } |
| 259 | |
| 260 | Array &operator=(const Array &) = delete; |
| 261 | Array &operator=(Array &&other) { |
| 262 | Reset(); |
| 263 | other.Release(&data_, &size_); |
| 264 | return *this; |
| 265 | } |
| 266 | |
| 267 | const T *data() const { return data_; } |
| 268 | T *data() { return data_; } |
| 269 | size_t size() const { return size_; } |
Robert Sloan | ae1abf9 | 2017-10-05 12:50:08 -0700 | [diff] [blame] | 270 | bool empty() const { return size_ == 0; } |
Robert Sloan | 4562e9d | 2017-10-02 10:26:51 -0700 | [diff] [blame] | 271 | |
| 272 | const T &operator[](size_t i) const { return data_[i]; } |
| 273 | T &operator[](size_t i) { return data_[i]; } |
| 274 | |
| 275 | T *begin() { return data_; } |
| 276 | const T *cbegin() const { return data_; } |
| 277 | T *end() { return data_ + size_; } |
| 278 | const T *cend() const { return data_ + size_; } |
| 279 | |
| 280 | void Reset() { Reset(nullptr, 0); } |
| 281 | |
| 282 | // Reset releases the current contents of the array and takes ownership of the |
| 283 | // raw pointer supplied by the caller. |
| 284 | void Reset(T *new_data, size_t new_size) { |
| 285 | for (size_t i = 0; i < size_; i++) { |
| 286 | data_[i].~T(); |
| 287 | } |
| 288 | OPENSSL_free(data_); |
| 289 | data_ = new_data; |
| 290 | size_ = new_size; |
| 291 | } |
| 292 | |
| 293 | // Release releases ownership of the array to a raw pointer supplied by the |
| 294 | // caller. |
| 295 | void Release(T **out, size_t *out_size) { |
| 296 | *out = data_; |
| 297 | *out_size = size_; |
| 298 | data_ = nullptr; |
| 299 | size_ = 0; |
| 300 | } |
| 301 | |
| 302 | // Init replaces the array with a newly-allocated array of |new_size| |
| 303 | // default-constructed copies of |T|. It returns true on success and false on |
| 304 | // error. |
| 305 | // |
| 306 | // Note that if |T| is a primitive type like |uint8_t|, it is uninitialized. |
| 307 | bool Init(size_t new_size) { |
| 308 | Reset(); |
| 309 | if (new_size == 0) { |
| 310 | return true; |
| 311 | } |
| 312 | |
| 313 | if (new_size > std::numeric_limits<size_t>::max() / sizeof(T)) { |
| 314 | OPENSSL_PUT_ERROR(SSL, ERR_R_OVERFLOW); |
| 315 | return false; |
| 316 | } |
| 317 | data_ = reinterpret_cast<T*>(OPENSSL_malloc(new_size * sizeof(T))); |
| 318 | if (data_ == nullptr) { |
| 319 | OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); |
| 320 | return false; |
| 321 | } |
| 322 | size_ = new_size; |
| 323 | for (size_t i = 0; i < size_; i++) { |
| 324 | new (&data_[i]) T; |
| 325 | } |
| 326 | return true; |
| 327 | } |
| 328 | |
| 329 | // CopyFrom replaces the array with a newly-allocated copy of |in|. It returns |
| 330 | // true on success and false on error. |
| 331 | bool CopyFrom(Span<const uint8_t> in) { |
| 332 | if (!Init(in.size())) { |
| 333 | return false; |
| 334 | } |
| 335 | OPENSSL_memcpy(data_, in.data(), in.size()); |
| 336 | return true; |
| 337 | } |
| 338 | |
| 339 | private: |
| 340 | T *data_ = nullptr; |
| 341 | size_t size_ = 0; |
| 342 | }; |
| 343 | |
| 344 | // CBBFinishArray behaves like |CBB_finish| but stores the result in an Array. |
| 345 | bool CBBFinishArray(CBB *cbb, Array<uint8_t> *out); |
| 346 | |
Robert Sloan | f6200e7 | 2017-07-10 08:09:18 -0700 | [diff] [blame] | 347 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 348 | // Protocol versions. |
| 349 | // |
| 350 | // Due to DTLS's historical wire version differences and to support multiple |
| 351 | // variants of the same protocol during development, we maintain two notions of |
| 352 | // version. |
| 353 | // |
| 354 | // The "version" or "wire version" is the actual 16-bit value that appears on |
| 355 | // the wire. It uniquely identifies a version and is also used at API |
| 356 | // boundaries. The set of supported versions differs between TLS and DTLS. Wire |
| 357 | // versions are opaque values and may not be compared numerically. |
| 358 | // |
| 359 | // The "protocol version" identifies the high-level handshake variant being |
| 360 | // used. DTLS versions map to the corresponding TLS versions. Draft TLS 1.3 |
| 361 | // variants all map to TLS 1.3. Protocol versions are sequential and may be |
| 362 | // compared numerically. |
Robert Sloan | f6200e7 | 2017-07-10 08:09:18 -0700 | [diff] [blame] | 363 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 364 | // ssl_protocol_version_from_wire sets |*out| to the protocol version |
Robert Sloan | ae1abf9 | 2017-10-05 12:50:08 -0700 | [diff] [blame] | 365 | // corresponding to wire version |version| and returns true. If |version| is not |
| 366 | // a valid TLS or DTLS version, it returns false. |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 367 | // |
| 368 | // Note this simultaneously handles both DTLS and TLS. Use one of the |
| 369 | // higher-level functions below for most operations. |
Robert Sloan | ae1abf9 | 2017-10-05 12:50:08 -0700 | [diff] [blame] | 370 | bool ssl_protocol_version_from_wire(uint16_t *out, uint16_t version); |
Robert Sloan | f6200e7 | 2017-07-10 08:09:18 -0700 | [diff] [blame] | 371 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 372 | // ssl_get_version_range sets |*out_min_version| and |*out_max_version| to the |
| 373 | // minimum and maximum enabled protocol versions, respectively. |
Robert Sloan | ae1abf9 | 2017-10-05 12:50:08 -0700 | [diff] [blame] | 374 | bool ssl_get_version_range(const SSL *ssl, uint16_t *out_min_version, |
| 375 | uint16_t *out_max_version); |
Robert Sloan | f6200e7 | 2017-07-10 08:09:18 -0700 | [diff] [blame] | 376 | |
Robert Sloan | ae1abf9 | 2017-10-05 12:50:08 -0700 | [diff] [blame] | 377 | // ssl_supports_version returns whether |hs| supports |version|. |
| 378 | bool ssl_supports_version(SSL_HANDSHAKE *hs, uint16_t version); |
Robert Sloan | f6200e7 | 2017-07-10 08:09:18 -0700 | [diff] [blame] | 379 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 380 | // ssl_add_supported_versions writes the supported versions of |hs| to |cbb|, in |
| 381 | // decreasing preference order. |
Robert Sloan | ae1abf9 | 2017-10-05 12:50:08 -0700 | [diff] [blame] | 382 | bool ssl_add_supported_versions(SSL_HANDSHAKE *hs, CBB *cbb); |
Robert Sloan | f6200e7 | 2017-07-10 08:09:18 -0700 | [diff] [blame] | 383 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 384 | // ssl_negotiate_version negotiates a common version based on |hs|'s preferences |
Robert Sloan | ae1abf9 | 2017-10-05 12:50:08 -0700 | [diff] [blame] | 385 | // and the peer preference list in |peer_versions|. On success, it returns true |
| 386 | // and sets |*out_version| to the selected version. Otherwise, it returns false |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 387 | // and sets |*out_alert| to an alert to send. |
Robert Sloan | ae1abf9 | 2017-10-05 12:50:08 -0700 | [diff] [blame] | 388 | bool ssl_negotiate_version(SSL_HANDSHAKE *hs, uint8_t *out_alert, |
| 389 | uint16_t *out_version, const CBS *peer_versions); |
Robert Sloan | f6200e7 | 2017-07-10 08:09:18 -0700 | [diff] [blame] | 390 | |
Robert Sloan | 921ef2c | 2017-10-17 09:02:20 -0700 | [diff] [blame] | 391 | // ssl_protocol_version returns |ssl|'s protocol version. It is an error to |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 392 | // call this function before the version is determined. |
Robert Sloan | 921ef2c | 2017-10-17 09:02:20 -0700 | [diff] [blame] | 393 | uint16_t ssl_protocol_version(const SSL *ssl); |
Robert Sloan | f6200e7 | 2017-07-10 08:09:18 -0700 | [diff] [blame] | 394 | |
Robert Sloan | d5c2215 | 2017-11-13 09:22:12 -0800 | [diff] [blame] | 395 | // ssl_is_draft22 returns whether the version corresponds to a draft22 TLS 1.3 |
| 396 | // variant. |
| 397 | bool ssl_is_draft22(uint16_t version); |
| 398 | |
Robert Sloan | 0db7f54 | 2018-01-16 15:48:33 -0800 | [diff] [blame] | 399 | // ssl_is_draft23 returns whether the version corresponds to a draft23 TLS 1.3 |
| 400 | // variant. |
| 401 | bool ssl_is_draft23(uint16_t version); |
Robert Sloan | db4251a | 2017-09-18 09:38:15 -0700 | [diff] [blame] | 402 | |
Robert Sloan | 0db7f54 | 2018-01-16 15:48:33 -0800 | [diff] [blame] | 403 | // ssl_is_draft23_variant returns whether the variant corresponds to a |
| 404 | // draft23 TLS 1.3 variant. |
| 405 | bool ssl_is_draft23_variant(enum tls13_variant_t variant); |
Robert Sloan | f6200e7 | 2017-07-10 08:09:18 -0700 | [diff] [blame] | 406 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 407 | // Cipher suites. |
Adam Langley | e9ada86 | 2015-05-11 17:20:37 -0700 | [diff] [blame] | 408 | |
Robert Sloan | db4251a | 2017-09-18 09:38:15 -0700 | [diff] [blame] | 409 | } // namespace bssl |
| 410 | |
| 411 | struct ssl_cipher_st { |
| 412 | // name is the OpenSSL name for the cipher. |
| 413 | const char *name; |
| 414 | // standard_name is the IETF name for the cipher. |
| 415 | const char *standard_name; |
| 416 | // id is the cipher suite value bitwise OR-d with 0x03000000. |
| 417 | uint32_t id; |
| 418 | |
| 419 | // algorithm_* determine the cipher suite. See constants below for the values. |
| 420 | uint32_t algorithm_mkey; |
| 421 | uint32_t algorithm_auth; |
| 422 | uint32_t algorithm_enc; |
| 423 | uint32_t algorithm_mac; |
| 424 | uint32_t algorithm_prf; |
| 425 | }; |
| 426 | |
| 427 | namespace bssl { |
| 428 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 429 | // Bits for |algorithm_mkey| (key exchange algorithm). |
Robert Sloan | a12bf46 | 2017-07-17 07:08:26 -0700 | [diff] [blame] | 430 | #define SSL_kRSA 0x00000001u |
| 431 | #define SSL_kECDHE 0x00000002u |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 432 | // SSL_kPSK is only set for plain PSK, not ECDHE_PSK. |
Robert Sloan | a12bf46 | 2017-07-17 07:08:26 -0700 | [diff] [blame] | 433 | #define SSL_kPSK 0x00000004u |
| 434 | #define SSL_kGENERIC 0x00000008u |
Adam Langley | e9ada86 | 2015-05-11 17:20:37 -0700 | [diff] [blame] | 435 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 436 | // Bits for |algorithm_auth| (server authentication). |
Robert Sloan | a12bf46 | 2017-07-17 07:08:26 -0700 | [diff] [blame] | 437 | #define SSL_aRSA 0x00000001u |
| 438 | #define SSL_aECDSA 0x00000002u |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 439 | // SSL_aPSK is set for both PSK and ECDHE_PSK. |
Robert Sloan | a12bf46 | 2017-07-17 07:08:26 -0700 | [diff] [blame] | 440 | #define SSL_aPSK 0x00000004u |
| 441 | #define SSL_aGENERIC 0x00000008u |
Adam Langley | e9ada86 | 2015-05-11 17:20:37 -0700 | [diff] [blame] | 442 | |
David Benjamin | d316cba | 2016-06-02 16:17:39 -0400 | [diff] [blame] | 443 | #define SSL_aCERT (SSL_aRSA | SSL_aECDSA) |
| 444 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 445 | // Bits for |algorithm_enc| (symmetric encryption). |
Robert Sloan | a12bf46 | 2017-07-17 07:08:26 -0700 | [diff] [blame] | 446 | #define SSL_3DES 0x00000001u |
| 447 | #define SSL_AES128 0x00000002u |
| 448 | #define SSL_AES256 0x00000004u |
| 449 | #define SSL_AES128GCM 0x00000008u |
| 450 | #define SSL_AES256GCM 0x00000010u |
| 451 | #define SSL_eNULL 0x00000020u |
| 452 | #define SSL_CHACHA20POLY1305 0x00000040u |
Adam Langley | e9ada86 | 2015-05-11 17:20:37 -0700 | [diff] [blame] | 453 | |
| 454 | #define SSL_AES (SSL_AES128 | SSL_AES256 | SSL_AES128GCM | SSL_AES256GCM) |
| 455 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 456 | // Bits for |algorithm_mac| (symmetric authentication). |
Robert Sloan | a12bf46 | 2017-07-17 07:08:26 -0700 | [diff] [blame] | 457 | #define SSL_SHA1 0x00000001u |
| 458 | #define SSL_SHA256 0x00000002u |
| 459 | #define SSL_SHA384 0x00000004u |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 460 | // SSL_AEAD is set for all AEADs. |
Robert Sloan | a12bf46 | 2017-07-17 07:08:26 -0700 | [diff] [blame] | 461 | #define SSL_AEAD 0x00000008u |
Adam Langley | e9ada86 | 2015-05-11 17:20:37 -0700 | [diff] [blame] | 462 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 463 | // Bits for |algorithm_prf| (handshake digest). |
Kenny Root | b849459 | 2015-09-25 02:29:14 +0000 | [diff] [blame] | 464 | #define SSL_HANDSHAKE_MAC_DEFAULT 0x1 |
| 465 | #define SSL_HANDSHAKE_MAC_SHA256 0x2 |
| 466 | #define SSL_HANDSHAKE_MAC_SHA384 0x4 |
Adam Langley | e9ada86 | 2015-05-11 17:20:37 -0700 | [diff] [blame] | 467 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 468 | // SSL_MAX_DIGEST is the number of digest types which exist. When adding a new |
| 469 | // one, update the table in ssl_cipher.c. |
Adam Langley | e9ada86 | 2015-05-11 17:20:37 -0700 | [diff] [blame] | 470 | #define SSL_MAX_DIGEST 4 |
| 471 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 472 | // ssl_cipher_get_evp_aead sets |*out_aead| to point to the correct EVP_AEAD |
| 473 | // object for |cipher| protocol version |version|. It sets |*out_mac_secret_len| |
| 474 | // and |*out_fixed_iv_len| to the MAC key length and fixed IV length, |
| 475 | // respectively. The MAC key length is zero except for legacy block and stream |
Robert Sloan | ae1abf9 | 2017-10-05 12:50:08 -0700 | [diff] [blame] | 476 | // ciphers. It returns true on success and false on error. |
| 477 | bool ssl_cipher_get_evp_aead(const EVP_AEAD **out_aead, |
| 478 | size_t *out_mac_secret_len, |
| 479 | size_t *out_fixed_iv_len, const SSL_CIPHER *cipher, |
| 480 | uint16_t version, int is_dtls); |
Adam Langley | e9ada86 | 2015-05-11 17:20:37 -0700 | [diff] [blame] | 481 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 482 | // ssl_get_handshake_digest returns the |EVP_MD| corresponding to |version| and |
| 483 | // |cipher|. |
Robert Sloan | 8437709 | 2017-08-14 09:33:19 -0700 | [diff] [blame] | 484 | const EVP_MD *ssl_get_handshake_digest(uint16_t version, |
| 485 | const SSL_CIPHER *cipher); |
Adam Langley | e9ada86 | 2015-05-11 17:20:37 -0700 | [diff] [blame] | 486 | |
Robert Sloan | b1b54b8 | 2017-11-06 13:50:02 -0800 | [diff] [blame] | 487 | // ssl_create_cipher_list evaluates |rule_str|. It sets |*out_cipher_list| to a |
| 488 | // newly-allocated |ssl_cipher_preference_list_st| containing the result. It |
| 489 | // returns true on success and false on failure. If |strict| is true, nonsense |
| 490 | // will be rejected. If false, nonsense will be silently ignored. An empty |
| 491 | // result is considered an error regardless of |strict|. |
Robert Sloan | ae1abf9 | 2017-10-05 12:50:08 -0700 | [diff] [blame] | 492 | bool ssl_create_cipher_list( |
Robert Sloan | 1c9db53 | 2017-03-13 08:03:59 -0700 | [diff] [blame] | 493 | struct ssl_cipher_preference_list_st **out_cipher_list, |
Robert Sloan | ae1abf9 | 2017-10-05 12:50:08 -0700 | [diff] [blame] | 494 | const char *rule_str, bool strict); |
Adam Langley | e9ada86 | 2015-05-11 17:20:37 -0700 | [diff] [blame] | 495 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 496 | // ssl_cipher_get_value returns the cipher suite id of |cipher|. |
Adam Langley | f4e4272 | 2015-06-04 17:45:09 -0700 | [diff] [blame] | 497 | uint16_t ssl_cipher_get_value(const SSL_CIPHER *cipher); |
| 498 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 499 | // ssl_cipher_auth_mask_for_key returns the mask of cipher |algorithm_auth| |
| 500 | // values suitable for use with |key| in TLS 1.2 and below. |
Robert Sloan | 572a4e2 | 2017-04-17 10:52:19 -0700 | [diff] [blame] | 501 | uint32_t ssl_cipher_auth_mask_for_key(const EVP_PKEY *key); |
Adam Langley | e9ada86 | 2015-05-11 17:20:37 -0700 | [diff] [blame] | 502 | |
Robert Sloan | ae1abf9 | 2017-10-05 12:50:08 -0700 | [diff] [blame] | 503 | // ssl_cipher_uses_certificate_auth returns whether |cipher| authenticates the |
| 504 | // server and, optionally, the client with a certificate. |
| 505 | bool ssl_cipher_uses_certificate_auth(const SSL_CIPHER *cipher); |
Adam Langley | e9ada86 | 2015-05-11 17:20:37 -0700 | [diff] [blame] | 506 | |
Robert Sloan | ae1abf9 | 2017-10-05 12:50:08 -0700 | [diff] [blame] | 507 | // ssl_cipher_requires_server_key_exchange returns whether |cipher| requires a |
| 508 | // ServerKeyExchange message. |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 509 | // |
Robert Sloan | ae1abf9 | 2017-10-05 12:50:08 -0700 | [diff] [blame] | 510 | // This function may return false while still allowing |cipher| an optional |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 511 | // ServerKeyExchange. This is the case for plain PSK ciphers. |
Robert Sloan | ae1abf9 | 2017-10-05 12:50:08 -0700 | [diff] [blame] | 512 | bool ssl_cipher_requires_server_key_exchange(const SSL_CIPHER *cipher); |
Adam Langley | e9ada86 | 2015-05-11 17:20:37 -0700 | [diff] [blame] | 513 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 514 | // ssl_cipher_get_record_split_len, for TLS 1.0 CBC mode ciphers, returns the |
| 515 | // length of an encrypted 1-byte record, for use in record-splitting. Otherwise |
| 516 | // it returns zero. |
Kenny Root | b849459 | 2015-09-25 02:29:14 +0000 | [diff] [blame] | 517 | size_t ssl_cipher_get_record_split_len(const SSL_CIPHER *cipher); |
| 518 | |
Adam Langley | e9ada86 | 2015-05-11 17:20:37 -0700 | [diff] [blame] | 519 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 520 | // Transcript layer. |
Robert Sloan | 5d62578 | 2017-02-13 09:55:39 -0800 | [diff] [blame] | 521 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 522 | // SSLTranscript maintains the handshake transcript as a combination of a |
| 523 | // buffer and running hash. |
Robert Sloan | b6d070c | 2017-07-24 08:40:01 -0700 | [diff] [blame] | 524 | class SSLTranscript { |
| 525 | public: |
| 526 | SSLTranscript(); |
| 527 | ~SSLTranscript(); |
| 528 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 529 | // Init initializes the handshake transcript. If called on an existing |
| 530 | // transcript, it resets the transcript and hash. It returns true on success |
| 531 | // and false on failure. |
Robert Sloan | b6d070c | 2017-07-24 08:40:01 -0700 | [diff] [blame] | 532 | bool Init(); |
| 533 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 534 | // InitHash initializes the handshake hash based on the PRF and contents of |
| 535 | // the handshake transcript. Subsequent calls to |Update| will update the |
| 536 | // rolling hash. It returns one on success and zero on failure. It is an error |
| 537 | // to call this function after the handshake buffer is released. |
Robert Sloan | 8437709 | 2017-08-14 09:33:19 -0700 | [diff] [blame] | 538 | bool InitHash(uint16_t version, const SSL_CIPHER *cipher); |
Robert Sloan | b6d070c | 2017-07-24 08:40:01 -0700 | [diff] [blame] | 539 | |
Robert Sloan | b1b54b8 | 2017-11-06 13:50:02 -0800 | [diff] [blame] | 540 | // UpdateForHelloRetryRequest resets the rolling hash with the |
| 541 | // HelloRetryRequest construction. It returns true on success and false on |
| 542 | // failure. It is an error to call this function before the handshake buffer |
| 543 | // is released. |
| 544 | bool UpdateForHelloRetryRequest(); |
| 545 | |
| 546 | // CopyHashContext copies the hash context into |ctx| and returns true on |
| 547 | // success. |
| 548 | bool CopyHashContext(EVP_MD_CTX *ctx); |
| 549 | |
Robert Sloan | 921ef2c | 2017-10-17 09:02:20 -0700 | [diff] [blame] | 550 | Span<const uint8_t> buffer() { |
| 551 | return MakeConstSpan(reinterpret_cast<const uint8_t *>(buffer_->data), |
| 552 | buffer_->length); |
Robert Sloan | b6d070c | 2017-07-24 08:40:01 -0700 | [diff] [blame] | 553 | } |
Robert Sloan | b6d070c | 2017-07-24 08:40:01 -0700 | [diff] [blame] | 554 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 555 | // FreeBuffer releases the handshake buffer. Subsequent calls to |
| 556 | // |Update| will not update the handshake buffer. |
Robert Sloan | b6d070c | 2017-07-24 08:40:01 -0700 | [diff] [blame] | 557 | void FreeBuffer(); |
| 558 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 559 | // DigestLen returns the length of the PRF hash. |
Robert Sloan | b6d070c | 2017-07-24 08:40:01 -0700 | [diff] [blame] | 560 | size_t DigestLen() const; |
| 561 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 562 | // Digest returns the PRF hash. For TLS 1.1 and below, this is |
| 563 | // |EVP_md5_sha1|. |
Robert Sloan | b6d070c | 2017-07-24 08:40:01 -0700 | [diff] [blame] | 564 | const EVP_MD *Digest() const; |
| 565 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 566 | // Update adds |in| to the handshake buffer and handshake hash, whichever is |
| 567 | // enabled. It returns true on success and false on failure. |
Robert Sloan | 921ef2c | 2017-10-17 09:02:20 -0700 | [diff] [blame] | 568 | bool Update(Span<const uint8_t> in); |
Robert Sloan | b6d070c | 2017-07-24 08:40:01 -0700 | [diff] [blame] | 569 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 570 | // GetHash writes the handshake hash to |out| which must have room for at |
| 571 | // least |DigestLen| bytes. On success, it returns true and sets |*out_len| to |
| 572 | // the number of bytes written. Otherwise, it returns false. |
Robert Sloan | b6d070c | 2017-07-24 08:40:01 -0700 | [diff] [blame] | 573 | bool GetHash(uint8_t *out, size_t *out_len); |
| 574 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 575 | // GetSSL3CertVerifyHash writes the SSL 3.0 CertificateVerify hash into the |
| 576 | // bytes pointed to by |out| and writes the number of bytes to |
| 577 | // |*out_len|. |out| must have room for |EVP_MAX_MD_SIZE| bytes. It returns |
| 578 | // one on success and zero on failure. |
Robert Sloan | b6d070c | 2017-07-24 08:40:01 -0700 | [diff] [blame] | 579 | bool GetSSL3CertVerifyHash(uint8_t *out, size_t *out_len, |
| 580 | const SSL_SESSION *session, |
| 581 | uint16_t signature_algorithm); |
| 582 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 583 | // GetFinishedMAC computes the MAC for the Finished message into the bytes |
| 584 | // pointed by |out| and writes the number of bytes to |*out_len|. |out| must |
| 585 | // have room for |EVP_MAX_MD_SIZE| bytes. It returns true on success and false |
| 586 | // on failure. |
Robert Sloan | b6d070c | 2017-07-24 08:40:01 -0700 | [diff] [blame] | 587 | bool GetFinishedMAC(uint8_t *out, size_t *out_len, const SSL_SESSION *session, |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 588 | bool from_server); |
Robert Sloan | b6d070c | 2017-07-24 08:40:01 -0700 | [diff] [blame] | 589 | |
| 590 | private: |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 591 | // buffer_, if non-null, contains the handshake transcript. |
Robert Sloan | b6d070c | 2017-07-24 08:40:01 -0700 | [diff] [blame] | 592 | UniquePtr<BUF_MEM> buffer_; |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 593 | // hash, if initialized with an |EVP_MD|, maintains the handshake hash. For |
| 594 | // TLS 1.1 and below, it is the SHA-1 half. |
Robert Sloan | b6d070c | 2017-07-24 08:40:01 -0700 | [diff] [blame] | 595 | ScopedEVP_MD_CTX hash_; |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 596 | // md5, if initialized with an |EVP_MD|, maintains the MD5 half of the |
| 597 | // handshake hash for TLS 1.1 and below. |
Robert Sloan | b6d070c | 2017-07-24 08:40:01 -0700 | [diff] [blame] | 598 | ScopedEVP_MD_CTX md5_; |
| 599 | }; |
Robert Sloan | 5d62578 | 2017-02-13 09:55:39 -0800 | [diff] [blame] | 600 | |
Robert Sloan | b1b54b8 | 2017-11-06 13:50:02 -0800 | [diff] [blame] | 601 | // tls1_prf computes the PRF function for |ssl|. It fills |out|, using |secret| |
| 602 | // as the secret and |label| as the label. |seed1| and |seed2| are concatenated |
| 603 | // to form the seed parameter. It returns true on success and false on failure. |
| 604 | bool tls1_prf(const EVP_MD *digest, Span<uint8_t> out, |
| 605 | Span<const uint8_t> secret, Span<const char> label, |
| 606 | Span<const uint8_t> seed1, Span<const uint8_t> seed2); |
Robert Sloan | 5d62578 | 2017-02-13 09:55:39 -0800 | [diff] [blame] | 607 | |
| 608 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 609 | // Encryption layer. |
Adam Langley | f4e4272 | 2015-06-04 17:45:09 -0700 | [diff] [blame] | 610 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 611 | // SSLAEADContext contains information about an AEAD that is being used to |
| 612 | // encrypt an SSL connection. |
Robert Sloan | b6d070c | 2017-07-24 08:40:01 -0700 | [diff] [blame] | 613 | class SSLAEADContext { |
| 614 | public: |
Robert Sloan | db4251a | 2017-09-18 09:38:15 -0700 | [diff] [blame] | 615 | SSLAEADContext(uint16_t version, bool is_dtls, const SSL_CIPHER *cipher); |
Robert Sloan | b6d070c | 2017-07-24 08:40:01 -0700 | [diff] [blame] | 616 | ~SSLAEADContext(); |
Robert Sloan | fe7cd21 | 2017-08-07 09:03:39 -0700 | [diff] [blame] | 617 | static constexpr bool kAllowUniquePtr = true; |
| 618 | |
Robert Sloan | b6d070c | 2017-07-24 08:40:01 -0700 | [diff] [blame] | 619 | SSLAEADContext(const SSLAEADContext &&) = delete; |
| 620 | SSLAEADContext &operator=(const SSLAEADContext &&) = delete; |
| 621 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 622 | // CreateNullCipher creates an |SSLAEADContext| for the null cipher. |
Robert Sloan | db4251a | 2017-09-18 09:38:15 -0700 | [diff] [blame] | 623 | static UniquePtr<SSLAEADContext> CreateNullCipher(bool is_dtls); |
Robert Sloan | b6d070c | 2017-07-24 08:40:01 -0700 | [diff] [blame] | 624 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 625 | // Create creates an |SSLAEADContext| using the supplied key material. It |
| 626 | // returns nullptr on error. Only one of |Open| or |Seal| may be used with the |
| 627 | // resulting object, depending on |direction|. |version| is the normalized |
| 628 | // protocol version, so DTLS 1.0 is represented as 0x0301, not 0xffef. |
Robert Sloan | ae1abf9 | 2017-10-05 12:50:08 -0700 | [diff] [blame] | 629 | static UniquePtr<SSLAEADContext> Create(enum evp_aead_direction_t direction, |
| 630 | uint16_t version, int is_dtls, |
| 631 | const SSL_CIPHER *cipher, |
| 632 | Span<const uint8_t> enc_key, |
| 633 | Span<const uint8_t> mac_key, |
| 634 | Span<const uint8_t> fixed_iv); |
Robert Sloan | b6d070c | 2017-07-24 08:40:01 -0700 | [diff] [blame] | 635 | |
Robert Sloan | db4251a | 2017-09-18 09:38:15 -0700 | [diff] [blame] | 636 | // SetVersionIfNullCipher sets the version the SSLAEADContext for the null |
| 637 | // cipher, to make version-specific determinations in the record layer prior |
| 638 | // to a cipher being selected. |
| 639 | void SetVersionIfNullCipher(uint16_t version); |
| 640 | |
| 641 | // ProtocolVersion returns the protocol version associated with this |
| 642 | // SSLAEADContext. It can only be called once |version_| has been set to a |
| 643 | // valid value. |
| 644 | uint16_t ProtocolVersion() const; |
| 645 | |
| 646 | // RecordVersion returns the record version that should be used with this |
| 647 | // SSLAEADContext for record construction and crypto. |
| 648 | uint16_t RecordVersion() const; |
| 649 | |
Robert Sloan | b6d070c | 2017-07-24 08:40:01 -0700 | [diff] [blame] | 650 | const SSL_CIPHER *cipher() const { return cipher_; } |
| 651 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 652 | // is_null_cipher returns true if this is the null cipher. |
Robert Sloan | b6d070c | 2017-07-24 08:40:01 -0700 | [diff] [blame] | 653 | bool is_null_cipher() const { return !cipher_; } |
| 654 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 655 | // ExplicitNonceLen returns the length of the explicit nonce. |
Robert Sloan | b6d070c | 2017-07-24 08:40:01 -0700 | [diff] [blame] | 656 | size_t ExplicitNonceLen() const; |
| 657 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 658 | // MaxOverhead returns the maximum overhead of calling |Seal|. |
Robert Sloan | b6d070c | 2017-07-24 08:40:01 -0700 | [diff] [blame] | 659 | size_t MaxOverhead() const; |
| 660 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 661 | // SuffixLen calculates the suffix length written by |SealScatter| and writes |
| 662 | // it to |*out_suffix_len|. It returns true on success and false on error. |
| 663 | // |in_len| and |extra_in_len| should equal the argument of the same names |
| 664 | // passed to |SealScatter|. |
Robert Sloan | fe7cd21 | 2017-08-07 09:03:39 -0700 | [diff] [blame] | 665 | bool SuffixLen(size_t *out_suffix_len, size_t in_len, |
| 666 | size_t extra_in_len) const; |
Robert Sloan | b6d070c | 2017-07-24 08:40:01 -0700 | [diff] [blame] | 667 | |
Robert Sloan | 921ef2c | 2017-10-17 09:02:20 -0700 | [diff] [blame] | 668 | // Open authenticates and decrypts |in| in-place. On success, it sets |*out| |
| 669 | // to the plaintext in |in| and returns true. Otherwise, it returns |
| 670 | // false. The output will always be |ExplicitNonceLen| bytes ahead of |in|. |
| 671 | bool Open(Span<uint8_t> *out, uint8_t type, uint16_t record_version, |
| 672 | const uint8_t seqnum[8], Span<uint8_t> in); |
Robert Sloan | b6d070c | 2017-07-24 08:40:01 -0700 | [diff] [blame] | 673 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 674 | // Seal encrypts and authenticates |in_len| bytes from |in| and writes the |
| 675 | // result to |out|. It returns true on success and false on error. |
| 676 | // |
| 677 | // If |in| and |out| alias then |out| + |ExplicitNonceLen| must be == |in|. |
Robert Sloan | b6d070c | 2017-07-24 08:40:01 -0700 | [diff] [blame] | 678 | bool Seal(uint8_t *out, size_t *out_len, size_t max_out, uint8_t type, |
Robert Sloan | db4251a | 2017-09-18 09:38:15 -0700 | [diff] [blame] | 679 | uint16_t record_version, const uint8_t seqnum[8], const uint8_t *in, |
Robert Sloan | b6d070c | 2017-07-24 08:40:01 -0700 | [diff] [blame] | 680 | size_t in_len); |
| 681 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 682 | // SealScatter encrypts and authenticates |in_len| bytes from |in| and splits |
| 683 | // the result between |out_prefix|, |out| and |out_suffix|. It returns one on |
| 684 | // success and zero on error. |
| 685 | // |
| 686 | // On successful return, exactly |ExplicitNonceLen| bytes are written to |
| 687 | // |out_prefix|, |in_len| bytes to |out|, and |SuffixLen| bytes to |
| 688 | // |out_suffix|. |
| 689 | // |
| 690 | // |extra_in| may point to an additional plaintext buffer. If present, |
| 691 | // |extra_in_len| additional bytes are encrypted and authenticated, and the |
| 692 | // ciphertext is written to the beginning of |out_suffix|. |SuffixLen| should |
| 693 | // be used to size |out_suffix| accordingly. |
| 694 | // |
| 695 | // If |in| and |out| alias then |out| must be == |in|. Other arguments may not |
| 696 | // alias anything. |
Robert Sloan | b6d070c | 2017-07-24 08:40:01 -0700 | [diff] [blame] | 697 | bool SealScatter(uint8_t *out_prefix, uint8_t *out, uint8_t *out_suffix, |
Robert Sloan | db4251a | 2017-09-18 09:38:15 -0700 | [diff] [blame] | 698 | uint8_t type, uint16_t record_version, |
| 699 | const uint8_t seqnum[8], const uint8_t *in, size_t in_len, |
| 700 | const uint8_t *extra_in, size_t extra_in_len); |
Robert Sloan | b6d070c | 2017-07-24 08:40:01 -0700 | [diff] [blame] | 701 | |
| 702 | bool GetIV(const uint8_t **out_iv, size_t *out_iv_len) const; |
| 703 | |
| 704 | private: |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 705 | // GetAdditionalData writes the additional data into |out| and returns the |
| 706 | // number of bytes written. |
Robert Sloan | db4251a | 2017-09-18 09:38:15 -0700 | [diff] [blame] | 707 | size_t GetAdditionalData(uint8_t out[13], uint8_t type, |
| 708 | uint16_t record_version, const uint8_t seqnum[8], |
| 709 | size_t plaintext_len); |
Robert Sloan | b6d070c | 2017-07-24 08:40:01 -0700 | [diff] [blame] | 710 | |
| 711 | const SSL_CIPHER *cipher_; |
| 712 | ScopedEVP_AEAD_CTX ctx_; |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 713 | // fixed_nonce_ contains any bytes of the nonce that are fixed for all |
| 714 | // records. |
Robert Sloan | b6d070c | 2017-07-24 08:40:01 -0700 | [diff] [blame] | 715 | uint8_t fixed_nonce_[12]; |
| 716 | uint8_t fixed_nonce_len_ = 0, variable_nonce_len_ = 0; |
Robert Sloan | db4251a | 2017-09-18 09:38:15 -0700 | [diff] [blame] | 717 | // version_ is the wire version that should be used with this AEAD. |
Robert Sloan | b6d070c | 2017-07-24 08:40:01 -0700 | [diff] [blame] | 718 | uint16_t version_; |
Robert Sloan | db4251a | 2017-09-18 09:38:15 -0700 | [diff] [blame] | 719 | // is_dtls_ is whether DTLS is being used with this AEAD. |
| 720 | bool is_dtls_; |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 721 | // variable_nonce_included_in_record_ is true if the variable nonce |
| 722 | // for a record is included as a prefix before the ciphertext. |
Robert Sloan | b6d070c | 2017-07-24 08:40:01 -0700 | [diff] [blame] | 723 | bool variable_nonce_included_in_record_ : 1; |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 724 | // random_variable_nonce_ is true if the variable nonce is |
| 725 | // randomly generated, rather than derived from the sequence |
| 726 | // number. |
Robert Sloan | b6d070c | 2017-07-24 08:40:01 -0700 | [diff] [blame] | 727 | bool random_variable_nonce_ : 1; |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 728 | // omit_length_in_ad_ is true if the length should be omitted in the |
| 729 | // AEAD's ad parameter. |
Robert Sloan | b6d070c | 2017-07-24 08:40:01 -0700 | [diff] [blame] | 730 | bool omit_length_in_ad_ : 1; |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 731 | // omit_version_in_ad_ is true if the version should be omitted |
| 732 | // in the AEAD's ad parameter. |
Robert Sloan | b6d070c | 2017-07-24 08:40:01 -0700 | [diff] [blame] | 733 | bool omit_version_in_ad_ : 1; |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 734 | // omit_ad_ is true if the AEAD's ad parameter should be omitted. |
Robert Sloan | b6d070c | 2017-07-24 08:40:01 -0700 | [diff] [blame] | 735 | bool omit_ad_ : 1; |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 736 | // xor_fixed_nonce_ is true if the fixed nonce should be XOR'd into the |
| 737 | // variable nonce rather than prepended. |
Robert Sloan | b6d070c | 2017-07-24 08:40:01 -0700 | [diff] [blame] | 738 | bool xor_fixed_nonce_ : 1; |
| 739 | }; |
Robert Sloan | a12bf46 | 2017-07-17 07:08:26 -0700 | [diff] [blame] | 740 | |
Adam Langley | f4e4272 | 2015-06-04 17:45:09 -0700 | [diff] [blame] | 741 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 742 | // DTLS replay bitmap. |
Kenny Root | b849459 | 2015-09-25 02:29:14 +0000 | [diff] [blame] | 743 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 744 | // DTLS1_BITMAP maintains a sliding window of 64 sequence numbers to detect |
| 745 | // replayed packets. It should be initialized by zeroing every field. |
Robert Sloan | b6d070c | 2017-07-24 08:40:01 -0700 | [diff] [blame] | 746 | struct DTLS1_BITMAP { |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 747 | // map is a bit mask of the last 64 sequence numbers. Bit |
| 748 | // |1<<i| corresponds to |max_seq_num - i|. |
Robert Sloan | 29c1d2c | 2017-10-30 14:10:28 -0700 | [diff] [blame] | 749 | uint64_t map = 0; |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 750 | // max_seq_num is the largest sequence number seen so far as a 64-bit |
| 751 | // integer. |
Robert Sloan | 29c1d2c | 2017-10-30 14:10:28 -0700 | [diff] [blame] | 752 | uint64_t max_seq_num = 0; |
Robert Sloan | b6d070c | 2017-07-24 08:40:01 -0700 | [diff] [blame] | 753 | }; |
Kenny Root | b849459 | 2015-09-25 02:29:14 +0000 | [diff] [blame] | 754 | |
| 755 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 756 | // Record layer. |
Kenny Root | b849459 | 2015-09-25 02:29:14 +0000 | [diff] [blame] | 757 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 758 | // ssl_record_sequence_update increments the sequence number in |seq|. It |
| 759 | // returns one on success and zero on wraparound. |
David Benjamin | 4969cc9 | 2016-04-22 15:02:23 -0400 | [diff] [blame] | 760 | int ssl_record_sequence_update(uint8_t *seq, size_t seq_len); |
| 761 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 762 | // ssl_record_prefix_len returns the length of the prefix before the ciphertext |
| 763 | // of a record for |ssl|. |
| 764 | // |
| 765 | // TODO(davidben): Expose this as part of public API once the high-level |
| 766 | // buffer-free APIs are available. |
Kenny Root | b849459 | 2015-09-25 02:29:14 +0000 | [diff] [blame] | 767 | size_t ssl_record_prefix_len(const SSL *ssl); |
| 768 | |
| 769 | enum ssl_open_record_t { |
| 770 | ssl_open_record_success, |
| 771 | ssl_open_record_discard, |
| 772 | ssl_open_record_partial, |
David Benjamin | 6e899c7 | 2016-06-09 18:02:18 -0400 | [diff] [blame] | 773 | ssl_open_record_close_notify, |
Kenny Root | b849459 | 2015-09-25 02:29:14 +0000 | [diff] [blame] | 774 | ssl_open_record_error, |
| 775 | }; |
| 776 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 777 | // tls_open_record decrypts a record from |in| in-place. |
| 778 | // |
| 779 | // If the input did not contain a complete record, it returns |
| 780 | // |ssl_open_record_partial|. It sets |*out_consumed| to the total number of |
| 781 | // bytes necessary. It is guaranteed that a successful call to |tls_open_record| |
| 782 | // will consume at least that many bytes. |
| 783 | // |
| 784 | // Otherwise, it sets |*out_consumed| to the number of bytes of input |
| 785 | // consumed. Note that input may be consumed on all return codes if a record was |
| 786 | // decrypted. |
| 787 | // |
| 788 | // On success, it returns |ssl_open_record_success|. It sets |*out_type| to the |
| 789 | // record type and |*out| to the record body in |in|. Note that |*out| may be |
| 790 | // empty. |
| 791 | // |
| 792 | // If a record was successfully processed but should be discarded, it returns |
| 793 | // |ssl_open_record_discard|. |
| 794 | // |
Robert Sloan | 921ef2c | 2017-10-17 09:02:20 -0700 | [diff] [blame] | 795 | // If a record was successfully processed but is a close_notify, it returns |
| 796 | // |ssl_open_record_close_notify|. |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 797 | // |
Robert Sloan | 921ef2c | 2017-10-17 09:02:20 -0700 | [diff] [blame] | 798 | // On failure or fatal alert, it returns |ssl_open_record_error| and sets |
| 799 | // |*out_alert| to an alert to emit, or zero if no alert should be emitted. |
| 800 | enum ssl_open_record_t tls_open_record(SSL *ssl, uint8_t *out_type, |
| 801 | Span<uint8_t> *out, size_t *out_consumed, |
| 802 | uint8_t *out_alert, Span<uint8_t> in); |
Kenny Root | b849459 | 2015-09-25 02:29:14 +0000 | [diff] [blame] | 803 | |
Robert Sloan | 921ef2c | 2017-10-17 09:02:20 -0700 | [diff] [blame] | 804 | // dtls_open_record implements |tls_open_record| for DTLS. It only returns |
| 805 | // |ssl_open_record_partial| if |in| was empty and sets |*out_consumed| to |
| 806 | // zero. The caller should read one packet and try again. |
| 807 | enum ssl_open_record_t dtls_open_record(SSL *ssl, uint8_t *out_type, |
| 808 | Span<uint8_t> *out, |
David Benjamin | 6e899c7 | 2016-06-09 18:02:18 -0400 | [diff] [blame] | 809 | size_t *out_consumed, |
Robert Sloan | 921ef2c | 2017-10-17 09:02:20 -0700 | [diff] [blame] | 810 | uint8_t *out_alert, Span<uint8_t> in); |
Kenny Root | b849459 | 2015-09-25 02:29:14 +0000 | [diff] [blame] | 811 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 812 | // ssl_seal_align_prefix_len returns the length of the prefix before the start |
| 813 | // of the bulk of the ciphertext when sealing a record with |ssl|. Callers may |
| 814 | // use this to align buffers. |
| 815 | // |
| 816 | // Note when TLS 1.0 CBC record-splitting is enabled, this includes the one byte |
| 817 | // record and is the offset into second record's ciphertext. Thus sealing a |
| 818 | // small record may result in a smaller output than this value. |
| 819 | // |
| 820 | // TODO(davidben): Is this alignment valuable? Record-splitting makes this a |
| 821 | // mess. |
David Benjamin | 6e899c7 | 2016-06-09 18:02:18 -0400 | [diff] [blame] | 822 | size_t ssl_seal_align_prefix_len(const SSL *ssl); |
Kenny Root | b849459 | 2015-09-25 02:29:14 +0000 | [diff] [blame] | 823 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 824 | // tls_seal_record seals a new record of type |type| and body |in| and writes it |
| 825 | // to |out|. At most |max_out| bytes will be written. It returns one on success |
| 826 | // and zero on error. If enabled, |tls_seal_record| implements TLS 1.0 CBC 1/n-1 |
| 827 | // record splitting and may write two records concatenated. |
| 828 | // |
| 829 | // For a large record, the bulk of the ciphertext will begin |
| 830 | // |ssl_seal_align_prefix_len| bytes into out. Aligning |out| appropriately may |
| 831 | // improve performance. It writes at most |in_len| + |SSL_max_seal_overhead| |
| 832 | // bytes to |out|. |
| 833 | // |
| 834 | // |in| and |out| may not alias. |
Kenny Root | b849459 | 2015-09-25 02:29:14 +0000 | [diff] [blame] | 835 | int tls_seal_record(SSL *ssl, uint8_t *out, size_t *out_len, size_t max_out, |
| 836 | uint8_t type, const uint8_t *in, size_t in_len); |
| 837 | |
| 838 | enum dtls1_use_epoch_t { |
| 839 | dtls1_use_previous_epoch, |
| 840 | dtls1_use_current_epoch, |
| 841 | }; |
| 842 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 843 | // dtls_max_seal_overhead returns the maximum overhead, in bytes, of sealing a |
| 844 | // record. |
Robert Sloan | 4d1ac50 | 2017-02-06 08:36:14 -0800 | [diff] [blame] | 845 | size_t dtls_max_seal_overhead(const SSL *ssl, enum dtls1_use_epoch_t use_epoch); |
| 846 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 847 | // dtls_seal_prefix_len returns the number of bytes of prefix to reserve in |
| 848 | // front of the plaintext when sealing a record in-place. |
David Benjamin | f31229b | 2017-01-25 14:08:15 -0500 | [diff] [blame] | 849 | size_t dtls_seal_prefix_len(const SSL *ssl, enum dtls1_use_epoch_t use_epoch); |
| 850 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 851 | // dtls_seal_record implements |tls_seal_record| for DTLS. |use_epoch| selects |
| 852 | // which epoch's cipher state to use. Unlike |tls_seal_record|, |in| and |out| |
| 853 | // may alias but, if they do, |in| must be exactly |dtls_seal_prefix_len| bytes |
| 854 | // ahead of |out|. |
Kenny Root | b849459 | 2015-09-25 02:29:14 +0000 | [diff] [blame] | 855 | int dtls_seal_record(SSL *ssl, uint8_t *out, size_t *out_len, size_t max_out, |
| 856 | uint8_t type, const uint8_t *in, size_t in_len, |
| 857 | enum dtls1_use_epoch_t use_epoch); |
| 858 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 859 | // ssl_process_alert processes |in| as an alert and updates |ssl|'s shutdown |
| 860 | // state. It returns one of |ssl_open_record_discard|, |ssl_open_record_error|, |
| 861 | // |ssl_open_record_close_notify|, or |ssl_open_record_fatal_alert| as |
| 862 | // appropriate. |
David Benjamin | 6e899c7 | 2016-06-09 18:02:18 -0400 | [diff] [blame] | 863 | enum ssl_open_record_t ssl_process_alert(SSL *ssl, uint8_t *out_alert, |
Robert Sloan | 921ef2c | 2017-10-17 09:02:20 -0700 | [diff] [blame] | 864 | Span<const uint8_t> in); |
David Benjamin | 6e899c7 | 2016-06-09 18:02:18 -0400 | [diff] [blame] | 865 | |
Kenny Root | b849459 | 2015-09-25 02:29:14 +0000 | [diff] [blame] | 866 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 867 | // Private key operations. |
Kenny Root | b849459 | 2015-09-25 02:29:14 +0000 | [diff] [blame] | 868 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 869 | // ssl_has_private_key returns one if |ssl| has a private key |
| 870 | // configured and zero otherwise. |
David Benjamin | c895d6b | 2016-08-11 13:26:41 -0400 | [diff] [blame] | 871 | int ssl_has_private_key(const SSL *ssl); |
| 872 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 873 | // ssl_private_key_* perform the corresponding operation on |
| 874 | // |SSL_PRIVATE_KEY_METHOD|. If there is a custom private key configured, they |
| 875 | // call the corresponding function or |complete| depending on whether there is a |
| 876 | // pending operation. Otherwise, they implement the operation with |
| 877 | // |EVP_PKEY|. |
Kenny Root | b849459 | 2015-09-25 02:29:14 +0000 | [diff] [blame] | 878 | |
Kenny Root | b849459 | 2015-09-25 02:29:14 +0000 | [diff] [blame] | 879 | enum ssl_private_key_result_t ssl_private_key_sign( |
Robert Sloan | e56da3e | 2017-06-26 08:26:42 -0700 | [diff] [blame] | 880 | SSL_HANDSHAKE *hs, uint8_t *out, size_t *out_len, size_t max_out, |
Robert Sloan | 921ef2c | 2017-10-17 09:02:20 -0700 | [diff] [blame] | 881 | uint16_t sigalg, Span<const uint8_t> in); |
Kenny Root | b849459 | 2015-09-25 02:29:14 +0000 | [diff] [blame] | 882 | |
Robert Sloan | 921ef2c | 2017-10-17 09:02:20 -0700 | [diff] [blame] | 883 | enum ssl_private_key_result_t ssl_private_key_decrypt(SSL_HANDSHAKE *hs, |
| 884 | uint8_t *out, |
| 885 | size_t *out_len, |
| 886 | size_t max_out, |
| 887 | Span<const uint8_t> in); |
Kenny Root | e99801b | 2015-11-06 15:31:15 -0800 | [diff] [blame] | 888 | |
Robert Sloan | 921ef2c | 2017-10-17 09:02:20 -0700 | [diff] [blame] | 889 | // ssl_private_key_supports_signature_algorithm returns whether |hs|'s private |
| 890 | // key supports |sigalg|. |
| 891 | bool ssl_private_key_supports_signature_algorithm(SSL_HANDSHAKE *hs, |
Robert Sloan | 572a4e2 | 2017-04-17 10:52:19 -0700 | [diff] [blame] | 892 | uint16_t sigalg); |
David Benjamin | c895d6b | 2016-08-11 13:26:41 -0400 | [diff] [blame] | 893 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 894 | // ssl_public_key_verify verifies that the |signature| is valid for the public |
| 895 | // key |pkey| and input |in|, using the signature algorithm |sigalg|. |
Robert Sloan | 921ef2c | 2017-10-17 09:02:20 -0700 | [diff] [blame] | 896 | bool ssl_public_key_verify(SSL *ssl, Span<const uint8_t> signature, |
| 897 | uint16_t sigalg, EVP_PKEY *pkey, |
| 898 | Span<const uint8_t> in); |
Kenny Root | e99801b | 2015-11-06 15:31:15 -0800 | [diff] [blame] | 899 | |
Kenny Root | b849459 | 2015-09-25 02:29:14 +0000 | [diff] [blame] | 900 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 901 | // Custom extensions |
Kenny Root | b849459 | 2015-09-25 02:29:14 +0000 | [diff] [blame] | 902 | |
Robert Sloan | b6d070c | 2017-07-24 08:40:01 -0700 | [diff] [blame] | 903 | } // namespace bssl |
| 904 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 905 | // |SSL_CUSTOM_EXTENSION| is a structure that contains information about |
| 906 | // custom-extension callbacks. It is defined unnamespaced for compatibility with |
| 907 | // |STACK_OF(SSL_CUSTOM_EXTENSION)|. |
Robert Sloan | b6d070c | 2017-07-24 08:40:01 -0700 | [diff] [blame] | 908 | typedef struct ssl_custom_extension { |
Kenny Root | b849459 | 2015-09-25 02:29:14 +0000 | [diff] [blame] | 909 | SSL_custom_ext_add_cb add_callback; |
| 910 | void *add_arg; |
| 911 | SSL_custom_ext_free_cb free_callback; |
| 912 | SSL_custom_ext_parse_cb parse_callback; |
| 913 | void *parse_arg; |
| 914 | uint16_t value; |
Robert Sloan | b6d070c | 2017-07-24 08:40:01 -0700 | [diff] [blame] | 915 | } SSL_CUSTOM_EXTENSION; |
Kenny Root | b849459 | 2015-09-25 02:29:14 +0000 | [diff] [blame] | 916 | |
Robert Sloan | 8ff0355 | 2017-06-14 12:40:58 -0700 | [diff] [blame] | 917 | DEFINE_STACK_OF(SSL_CUSTOM_EXTENSION) |
| 918 | |
Robert Sloan | b6d070c | 2017-07-24 08:40:01 -0700 | [diff] [blame] | 919 | namespace bssl { |
| 920 | |
| 921 | void SSL_CUSTOM_EXTENSION_free(SSL_CUSTOM_EXTENSION *custom_extension); |
| 922 | |
David Benjamin | 1b24967 | 2016-12-06 18:25:50 -0500 | [diff] [blame] | 923 | int custom_ext_add_clienthello(SSL_HANDSHAKE *hs, CBB *extensions); |
| 924 | int custom_ext_parse_serverhello(SSL_HANDSHAKE *hs, int *out_alert, |
| 925 | uint16_t value, const CBS *extension); |
| 926 | int custom_ext_parse_clienthello(SSL_HANDSHAKE *hs, int *out_alert, |
| 927 | uint16_t value, const CBS *extension); |
| 928 | int custom_ext_add_serverhello(SSL_HANDSHAKE *hs, CBB *extensions); |
Kenny Root | b849459 | 2015-09-25 02:29:14 +0000 | [diff] [blame] | 929 | |
| 930 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 931 | // Key shares. |
Adam Langley | 4139edb | 2016-01-13 15:00:54 -0800 | [diff] [blame] | 932 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 933 | // SSLKeyShare abstracts over Diffie-Hellman-like key exchanges. |
Robert Sloan | b6d070c | 2017-07-24 08:40:01 -0700 | [diff] [blame] | 934 | class SSLKeyShare { |
| 935 | public: |
| 936 | virtual ~SSLKeyShare() {} |
Robert Sloan | fe7cd21 | 2017-08-07 09:03:39 -0700 | [diff] [blame] | 937 | static constexpr bool kAllowUniquePtr = true; |
| 938 | HAS_VIRTUAL_DESTRUCTOR |
Steven Valdez | 909b19f | 2016-11-21 15:35:44 -0500 | [diff] [blame] | 939 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 940 | // Create returns a SSLKeyShare instance for use with group |group_id| or |
| 941 | // nullptr on error. |
Robert Sloan | b6d070c | 2017-07-24 08:40:01 -0700 | [diff] [blame] | 942 | static UniquePtr<SSLKeyShare> Create(uint16_t group_id); |
Adam Langley | 4139edb | 2016-01-13 15:00:54 -0800 | [diff] [blame] | 943 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 944 | // GroupID returns the group ID. |
Robert Sloan | fe7cd21 | 2017-08-07 09:03:39 -0700 | [diff] [blame] | 945 | virtual uint16_t GroupID() const PURE_VIRTUAL; |
Adam Langley | 4139edb | 2016-01-13 15:00:54 -0800 | [diff] [blame] | 946 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 947 | // Offer generates a keypair and writes the public value to |
| 948 | // |out_public_key|. It returns true on success and false on error. |
Robert Sloan | fe7cd21 | 2017-08-07 09:03:39 -0700 | [diff] [blame] | 949 | virtual bool Offer(CBB *out_public_key) PURE_VIRTUAL; |
Adam Langley | 4139edb | 2016-01-13 15:00:54 -0800 | [diff] [blame] | 950 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 951 | // Accept performs a key exchange against the |peer_key| generated by |offer|. |
| 952 | // On success, it returns true, writes the public value to |out_public_key|, |
Robert Sloan | 4562e9d | 2017-10-02 10:26:51 -0700 | [diff] [blame] | 953 | // and sets |*out_secret| the shared secret. On failure, it returns false and |
| 954 | // sets |*out_alert| to an alert to send to the peer. |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 955 | // |
| 956 | // The default implementation calls |Offer| and then |Finish|, assuming a key |
| 957 | // exchange protocol where the peers are symmetric. |
Robert Sloan | 4562e9d | 2017-10-02 10:26:51 -0700 | [diff] [blame] | 958 | virtual bool Accept(CBB *out_public_key, Array<uint8_t> *out_secret, |
| 959 | uint8_t *out_alert, Span<const uint8_t> peer_key); |
David Benjamin | d316cba | 2016-06-02 16:17:39 -0400 | [diff] [blame] | 960 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 961 | // Finish performs a key exchange against the |peer_key| generated by |
Robert Sloan | 4562e9d | 2017-10-02 10:26:51 -0700 | [diff] [blame] | 962 | // |Accept|. On success, it returns true and sets |*out_secret| to the shared |
| 963 | // secret. On failure, it returns zero and sets |*out_alert| to an alert to |
| 964 | // send to the peer. |
| 965 | virtual bool Finish(Array<uint8_t> *out_secret, uint8_t *out_alert, |
| 966 | Span<const uint8_t> peer_key) PURE_VIRTUAL; |
Steven Valdez | 909b19f | 2016-11-21 15:35:44 -0500 | [diff] [blame] | 967 | }; |
Adam Langley | 4139edb | 2016-01-13 15:00:54 -0800 | [diff] [blame] | 968 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 969 | // ssl_nid_to_group_id looks up the group corresponding to |nid|. On success, it |
| 970 | // sets |*out_group_id| to the group ID and returns one. Otherwise, it returns |
| 971 | // zero. |
David Benjamin | d316cba | 2016-06-02 16:17:39 -0400 | [diff] [blame] | 972 | int ssl_nid_to_group_id(uint16_t *out_group_id, int nid); |
Adam Langley | 4139edb | 2016-01-13 15:00:54 -0800 | [diff] [blame] | 973 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 974 | // ssl_name_to_group_id looks up the group corresponding to the |name| string |
| 975 | // of length |len|. On success, it sets |*out_group_id| to the group ID and |
| 976 | // returns one. Otherwise, it returns zero. |
Steven Valdez | bb1ceac | 2016-10-07 10:34:51 -0400 | [diff] [blame] | 977 | int ssl_name_to_group_id(uint16_t *out_group_id, const char *name, size_t len); |
| 978 | |
David Benjamin | d316cba | 2016-06-02 16:17:39 -0400 | [diff] [blame] | 979 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 980 | // Handshake messages. |
David Benjamin | d316cba | 2016-06-02 16:17:39 -0400 | [diff] [blame] | 981 | |
Robert Sloan | 8437709 | 2017-08-14 09:33:19 -0700 | [diff] [blame] | 982 | struct SSLMessage { |
| 983 | bool is_v2_hello; |
| 984 | uint8_t type; |
| 985 | CBS body; |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 986 | // raw is the entire serialized handshake message, including the TLS or DTLS |
| 987 | // message header. |
Robert Sloan | 8437709 | 2017-08-14 09:33:19 -0700 | [diff] [blame] | 988 | CBS raw; |
| 989 | }; |
| 990 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 991 | // SSL_MAX_HANDSHAKE_FLIGHT is the number of messages, including |
| 992 | // ChangeCipherSpec, in the longest handshake flight. Currently this is the |
| 993 | // client's second leg in a full handshake when client certificates, NPN, and |
| 994 | // Channel ID, are all enabled. |
David Benjamin | c895d6b | 2016-08-11 13:26:41 -0400 | [diff] [blame] | 995 | #define SSL_MAX_HANDSHAKE_FLIGHT 7 |
| 996 | |
Robert Sloan | d5c2215 | 2017-11-13 09:22:12 -0800 | [diff] [blame] | 997 | extern const uint8_t kHelloRetryRequest[SSL3_RANDOM_SIZE]; |
Robert Sloan | 0da4395 | 2018-01-03 15:13:14 -0800 | [diff] [blame] | 998 | extern const uint8_t kDraftDowngradeRandom[8]; |
Robert Sloan | d5c2215 | 2017-11-13 09:22:12 -0800 | [diff] [blame] | 999 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 1000 | // ssl_max_handshake_message_len returns the maximum number of bytes permitted |
| 1001 | // in a handshake message for |ssl|. |
David Benjamin | d316cba | 2016-06-02 16:17:39 -0400 | [diff] [blame] | 1002 | size_t ssl_max_handshake_message_len(const SSL *ssl); |
Adam Langley | 4139edb | 2016-01-13 15:00:54 -0800 | [diff] [blame] | 1003 | |
Robert Sloan | 3627296 | 2017-10-23 10:28:39 -0700 | [diff] [blame] | 1004 | // tls_can_accept_handshake_data returns whether |ssl| is able to accept more |
| 1005 | // data into handshake buffer. |
| 1006 | bool tls_can_accept_handshake_data(const SSL *ssl, uint8_t *out_alert); |
| 1007 | |
Robert Sloan | 921ef2c | 2017-10-17 09:02:20 -0700 | [diff] [blame] | 1008 | // tls_has_unprocessed_handshake_data returns whether there is buffered |
| 1009 | // handshake data that has not been consumed by |get_message|. |
| 1010 | bool tls_has_unprocessed_handshake_data(const SSL *ssl); |
| 1011 | |
| 1012 | // dtls_has_unprocessed_handshake_data behaves like |
| 1013 | // |tls_has_unprocessed_handshake_data| for DTLS. |
| 1014 | bool dtls_has_unprocessed_handshake_data(const SSL *ssl); |
David Benjamin | c895d6b | 2016-08-11 13:26:41 -0400 | [diff] [blame] | 1015 | |
Robert Sloan | b6d070c | 2017-07-24 08:40:01 -0700 | [diff] [blame] | 1016 | struct DTLS_OUTGOING_MESSAGE { |
Robert Sloan | 29c1d2c | 2017-10-30 14:10:28 -0700 | [diff] [blame] | 1017 | DTLS_OUTGOING_MESSAGE() {} |
| 1018 | DTLS_OUTGOING_MESSAGE(const DTLS_OUTGOING_MESSAGE &) = delete; |
| 1019 | DTLS_OUTGOING_MESSAGE &operator=(const DTLS_OUTGOING_MESSAGE &) = delete; |
| 1020 | ~DTLS_OUTGOING_MESSAGE() { Clear(); } |
| 1021 | |
| 1022 | void Clear(); |
| 1023 | |
| 1024 | uint8_t *data = nullptr; |
| 1025 | uint32_t len = 0; |
| 1026 | uint16_t epoch = 0; |
| 1027 | bool is_ccs = false; |
Robert Sloan | b6d070c | 2017-07-24 08:40:01 -0700 | [diff] [blame] | 1028 | }; |
David Benjamin | c895d6b | 2016-08-11 13:26:41 -0400 | [diff] [blame] | 1029 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 1030 | // dtls_clear_outgoing_messages releases all buffered outgoing messages. |
David Benjamin | c895d6b | 2016-08-11 13:26:41 -0400 | [diff] [blame] | 1031 | void dtls_clear_outgoing_messages(SSL *ssl); |
| 1032 | |
Adam Langley | 4139edb | 2016-01-13 15:00:54 -0800 | [diff] [blame] | 1033 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 1034 | // Callbacks. |
David Benjamin | 6e899c7 | 2016-06-09 18:02:18 -0400 | [diff] [blame] | 1035 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 1036 | // ssl_do_info_callback calls |ssl|'s info callback, if set. |
David Benjamin | 6e899c7 | 2016-06-09 18:02:18 -0400 | [diff] [blame] | 1037 | void ssl_do_info_callback(const SSL *ssl, int type, int value); |
| 1038 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 1039 | // ssl_do_msg_callback calls |ssl|'s message callback, if set. |
David Benjamin | 7c0d06c | 2016-08-11 13:26:41 -0400 | [diff] [blame] | 1040 | void ssl_do_msg_callback(SSL *ssl, int is_write, int content_type, |
Robert Sloan | 921ef2c | 2017-10-17 09:02:20 -0700 | [diff] [blame] | 1041 | Span<const uint8_t> in); |
David Benjamin | 6e899c7 | 2016-06-09 18:02:18 -0400 | [diff] [blame] | 1042 | |
| 1043 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 1044 | // Transport buffers. |
Kenny Root | b849459 | 2015-09-25 02:29:14 +0000 | [diff] [blame] | 1045 | |
Robert Sloan | 29c1d2c | 2017-10-30 14:10:28 -0700 | [diff] [blame] | 1046 | class SSLBuffer { |
| 1047 | public: |
| 1048 | SSLBuffer() {} |
| 1049 | ~SSLBuffer() { Clear(); } |
| 1050 | |
| 1051 | SSLBuffer(const SSLBuffer &) = delete; |
| 1052 | SSLBuffer &operator=(const SSLBuffer &) = delete; |
| 1053 | |
| 1054 | uint8_t *data() { return buf_ + offset_; } |
| 1055 | size_t size() const { return size_; } |
| 1056 | bool empty() const { return size_ == 0; } |
| 1057 | size_t cap() const { return cap_; } |
| 1058 | |
| 1059 | Span<uint8_t> span() { return MakeSpan(data(), size()); } |
| 1060 | |
| 1061 | Span<uint8_t> remaining() { |
| 1062 | return MakeSpan(data() + size(), cap() - size()); |
| 1063 | } |
| 1064 | |
| 1065 | // Clear releases the buffer. |
| 1066 | void Clear(); |
| 1067 | |
| 1068 | // EnsureCap ensures the buffer has capacity at least |new_cap|, aligned such |
| 1069 | // that data written after |header_len| is aligned to a |
| 1070 | // |SSL3_ALIGN_PAYLOAD|-byte boundary. It returns true on success and false |
| 1071 | // on error. |
| 1072 | bool EnsureCap(size_t header_len, size_t new_cap); |
| 1073 | |
| 1074 | // DidWrite extends the buffer by |len|. The caller must have filled in to |
| 1075 | // this point. |
| 1076 | void DidWrite(size_t len); |
| 1077 | |
| 1078 | // Consume consumes |len| bytes from the front of the buffer. The memory |
| 1079 | // consumed will remain valid until the next call to |DiscardConsumed| or |
| 1080 | // |Clear|. |
| 1081 | void Consume(size_t len); |
| 1082 | |
| 1083 | // DiscardConsumed discards the consumed bytes from the buffer. If the buffer |
| 1084 | // is now empty, it releases memory used by it. |
| 1085 | void DiscardConsumed(); |
| 1086 | |
| 1087 | private: |
| 1088 | // buf_ is the memory allocated for this buffer. |
| 1089 | uint8_t *buf_ = nullptr; |
| 1090 | // offset_ is the offset into |buf_| which the buffer contents start at. |
| 1091 | uint16_t offset_ = 0; |
| 1092 | // size_ is the size of the buffer contents from |buf_| + |offset_|. |
| 1093 | uint16_t size_ = 0; |
| 1094 | // cap_ is how much memory beyond |buf_| + |offset_| is available. |
| 1095 | uint16_t cap_ = 0; |
| 1096 | }; |
Kenny Root | b849459 | 2015-09-25 02:29:14 +0000 | [diff] [blame] | 1097 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 1098 | // ssl_read_buffer_extend_to extends the read buffer to the desired length. For |
| 1099 | // TLS, it reads to the end of the buffer until the buffer is |len| bytes |
| 1100 | // long. For DTLS, it reads a new packet and ignores |len|. It returns one on |
| 1101 | // success, zero on EOF, and a negative number on error. |
| 1102 | // |
| 1103 | // It is an error to call |ssl_read_buffer_extend_to| in DTLS when the buffer is |
| 1104 | // non-empty. |
Kenny Root | b849459 | 2015-09-25 02:29:14 +0000 | [diff] [blame] | 1105 | int ssl_read_buffer_extend_to(SSL *ssl, size_t len); |
| 1106 | |
Robert Sloan | 29c1d2c | 2017-10-30 14:10:28 -0700 | [diff] [blame] | 1107 | // ssl_handle_open_record handles the result of passing |ssl->s3->read_buffer| |
| 1108 | // to a record-processing function. If |ret| is a success or if the caller |
| 1109 | // should retry, it returns one and sets |*out_retry|. Otherwise, it returns <= |
| 1110 | // 0. |
Robert Sloan | 3627296 | 2017-10-23 10:28:39 -0700 | [diff] [blame] | 1111 | int ssl_handle_open_record(SSL *ssl, bool *out_retry, ssl_open_record_t ret, |
| 1112 | size_t consumed, uint8_t alert); |
| 1113 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 1114 | // ssl_write_buffer_flush flushes the write buffer to the transport. It returns |
| 1115 | // one on success and <= 0 on error. For DTLS, whether or not the write |
| 1116 | // succeeds, the write buffer will be cleared. |
Kenny Root | b849459 | 2015-09-25 02:29:14 +0000 | [diff] [blame] | 1117 | int ssl_write_buffer_flush(SSL *ssl); |
| 1118 | |
Kenny Root | b849459 | 2015-09-25 02:29:14 +0000 | [diff] [blame] | 1119 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 1120 | // Certificate functions. |
David Benjamin | c895d6b | 2016-08-11 13:26:41 -0400 | [diff] [blame] | 1121 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 1122 | // ssl_has_certificate returns one if a certificate and private key are |
| 1123 | // configured and zero otherwise. |
David Benjamin | c895d6b | 2016-08-11 13:26:41 -0400 | [diff] [blame] | 1124 | int ssl_has_certificate(const SSL *ssl); |
| 1125 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 1126 | // ssl_parse_cert_chain parses a certificate list from |cbs| in the format used |
| 1127 | // by a TLS Certificate message. On success, it advances |cbs| and returns |
| 1128 | // true. Otherwise, it returns false and sets |*out_alert| to an alert to send |
| 1129 | // to the peer. |
| 1130 | // |
| 1131 | // If the list is non-empty then |*out_chain| and |*out_pubkey| will be set to |
| 1132 | // the certificate chain and the leaf certificate's public key |
| 1133 | // respectively. Otherwise, both will be set to nullptr. |
| 1134 | // |
| 1135 | // If the list is non-empty and |out_leaf_sha256| is non-NULL, it writes the |
| 1136 | // SHA-256 hash of the leaf to |out_leaf_sha256|. |
Robert Sloan | fe7cd21 | 2017-08-07 09:03:39 -0700 | [diff] [blame] | 1137 | bool ssl_parse_cert_chain(uint8_t *out_alert, |
| 1138 | UniquePtr<STACK_OF(CRYPTO_BUFFER)> *out_chain, |
| 1139 | UniquePtr<EVP_PKEY> *out_pubkey, |
| 1140 | uint8_t *out_leaf_sha256, CBS *cbs, |
| 1141 | CRYPTO_BUFFER_POOL *pool); |
David Benjamin | c895d6b | 2016-08-11 13:26:41 -0400 | [diff] [blame] | 1142 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 1143 | // ssl_add_cert_chain adds |ssl|'s certificate chain to |cbb| in the format used |
| 1144 | // by a TLS Certificate message. If there is no certificate chain, it emits an |
| 1145 | // empty certificate list. It returns one on success and zero on error. |
David Benjamin | c895d6b | 2016-08-11 13:26:41 -0400 | [diff] [blame] | 1146 | int ssl_add_cert_chain(SSL *ssl, CBB *cbb); |
| 1147 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 1148 | // ssl_cert_check_digital_signature_key_usage parses the DER-encoded, X.509 |
| 1149 | // certificate in |in| and returns one if doesn't specify a key usage or, if it |
| 1150 | // does, if it includes digitalSignature. Otherwise it pushes to the error |
| 1151 | // queue and returns zero. |
Steven Valdez | e7531f0 | 2016-12-14 13:29:57 -0500 | [diff] [blame] | 1152 | int ssl_cert_check_digital_signature_key_usage(const CBS *in); |
| 1153 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 1154 | // ssl_cert_parse_pubkey extracts the public key from the DER-encoded, X.509 |
| 1155 | // certificate in |in|. It returns an allocated |EVP_PKEY| or else returns |
| 1156 | // nullptr and pushes to the error queue. |
Robert Sloan | b6d070c | 2017-07-24 08:40:01 -0700 | [diff] [blame] | 1157 | UniquePtr<EVP_PKEY> ssl_cert_parse_pubkey(const CBS *in); |
Steven Valdez | e7531f0 | 2016-12-14 13:29:57 -0500 | [diff] [blame] | 1158 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 1159 | // ssl_parse_client_CA_list parses a CA list from |cbs| in the format used by a |
| 1160 | // TLS CertificateRequest message. On success, it returns a newly-allocated |
| 1161 | // |CRYPTO_BUFFER| list and advances |cbs|. Otherwise, it returns nullptr and |
| 1162 | // sets |*out_alert| to an alert to send to the peer. |
Robert Sloan | b6d070c | 2017-07-24 08:40:01 -0700 | [diff] [blame] | 1163 | UniquePtr<STACK_OF(CRYPTO_BUFFER)> ssl_parse_client_CA_list(SSL *ssl, |
| 1164 | uint8_t *out_alert, |
| 1165 | CBS *cbs); |
David Benjamin | c895d6b | 2016-08-11 13:26:41 -0400 | [diff] [blame] | 1166 | |
Robert Sloan | b1b54b8 | 2017-11-06 13:50:02 -0800 | [diff] [blame] | 1167 | // ssl_has_client_CAs returns there are configured CAs. |
| 1168 | bool ssl_has_client_CAs(SSL *ssl); |
| 1169 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 1170 | // ssl_add_client_CA_list adds the configured CA list to |cbb| in the format |
| 1171 | // used by a TLS CertificateRequest message. It returns one on success and zero |
| 1172 | // on error. |
David Benjamin | c895d6b | 2016-08-11 13:26:41 -0400 | [diff] [blame] | 1173 | int ssl_add_client_CA_list(SSL *ssl, CBB *cbb); |
| 1174 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 1175 | // ssl_check_leaf_certificate returns one if |pkey| and |leaf| are suitable as |
| 1176 | // a server's leaf certificate for |hs|. Otherwise, it returns zero and pushes |
| 1177 | // an error on the error queue. |
Robert Sloan | a94fe05 | 2017-02-21 08:49:28 -0800 | [diff] [blame] | 1178 | int ssl_check_leaf_certificate(SSL_HANDSHAKE *hs, EVP_PKEY *pkey, |
Steven Valdez | e7531f0 | 2016-12-14 13:29:57 -0500 | [diff] [blame] | 1179 | const CRYPTO_BUFFER *leaf); |
David Benjamin | c895d6b | 2016-08-11 13:26:41 -0400 | [diff] [blame] | 1180 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 1181 | // ssl_on_certificate_selected is called once the certificate has been selected. |
| 1182 | // It finalizes the certificate and initializes |hs->local_pubkey|. It returns |
| 1183 | // one on success and zero on error. |
Robert Sloan | 572a4e2 | 2017-04-17 10:52:19 -0700 | [diff] [blame] | 1184 | int ssl_on_certificate_selected(SSL_HANDSHAKE *hs); |
| 1185 | |
David Benjamin | c895d6b | 2016-08-11 13:26:41 -0400 | [diff] [blame] | 1186 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 1187 | // TLS 1.3 key derivation. |
David Benjamin | c895d6b | 2016-08-11 13:26:41 -0400 | [diff] [blame] | 1188 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 1189 | // tls13_init_key_schedule initializes the handshake hash and key derivation |
Robert Sloan | b1b54b8 | 2017-11-06 13:50:02 -0800 | [diff] [blame] | 1190 | // state, and incorporates the PSK. The cipher suite and PRF hash must have been |
| 1191 | // selected at this point. It returns one on success and zero on error. |
| 1192 | int tls13_init_key_schedule(SSL_HANDSHAKE *hs, const uint8_t *psk, |
| 1193 | size_t psk_len); |
David Benjamin | c895d6b | 2016-08-11 13:26:41 -0400 | [diff] [blame] | 1194 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 1195 | // tls13_init_early_key_schedule initializes the handshake hash and key |
Robert Sloan | b1b54b8 | 2017-11-06 13:50:02 -0800 | [diff] [blame] | 1196 | // derivation state from the resumption secret and incorporates the PSK to |
| 1197 | // derive the early secrets. It returns one on success and zero on error. |
| 1198 | int tls13_init_early_key_schedule(SSL_HANDSHAKE *hs, const uint8_t *psk, |
| 1199 | size_t psk_len); |
Robert Sloan | 6d0d00e | 2017-03-27 07:13:07 -0700 | [diff] [blame] | 1200 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 1201 | // tls13_advance_key_schedule incorporates |in| into the key schedule with |
| 1202 | // HKDF-Extract. It returns one on success and zero on error. |
David Benjamin | 1b24967 | 2016-12-06 18:25:50 -0500 | [diff] [blame] | 1203 | int tls13_advance_key_schedule(SSL_HANDSHAKE *hs, const uint8_t *in, |
| 1204 | size_t len); |
David Benjamin | c895d6b | 2016-08-11 13:26:41 -0400 | [diff] [blame] | 1205 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 1206 | // tls13_set_traffic_key sets the read or write traffic keys to |
| 1207 | // |traffic_secret|. It returns one on success and zero on error. |
Steven Valdez | 909b19f | 2016-11-21 15:35:44 -0500 | [diff] [blame] | 1208 | int tls13_set_traffic_key(SSL *ssl, enum evp_aead_direction_t direction, |
David Benjamin | c895d6b | 2016-08-11 13:26:41 -0400 | [diff] [blame] | 1209 | const uint8_t *traffic_secret, |
| 1210 | size_t traffic_secret_len); |
| 1211 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 1212 | // tls13_derive_early_secrets derives the early traffic secret. It returns one |
| 1213 | // on success and zero on error. |
Robert Sloan | 6d0d00e | 2017-03-27 07:13:07 -0700 | [diff] [blame] | 1214 | int tls13_derive_early_secrets(SSL_HANDSHAKE *hs); |
| 1215 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 1216 | // tls13_derive_handshake_secrets derives the handshake traffic secret. It |
| 1217 | // returns one on success and zero on error. |
Robert Sloan | 69939df | 2017-01-09 10:53:07 -0800 | [diff] [blame] | 1218 | int tls13_derive_handshake_secrets(SSL_HANDSHAKE *hs); |
David Benjamin | c895d6b | 2016-08-11 13:26:41 -0400 | [diff] [blame] | 1219 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 1220 | // tls13_rotate_traffic_key derives the next read or write traffic secret. It |
| 1221 | // returns one on success and zero on error. |
David Benjamin | c895d6b | 2016-08-11 13:26:41 -0400 | [diff] [blame] | 1222 | int tls13_rotate_traffic_key(SSL *ssl, enum evp_aead_direction_t direction); |
| 1223 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 1224 | // tls13_derive_application_secrets derives the initial application data traffic |
| 1225 | // and exporter secrets based on the handshake transcripts and |master_secret|. |
| 1226 | // It returns one on success and zero on error. |
David Benjamin | 1b24967 | 2016-12-06 18:25:50 -0500 | [diff] [blame] | 1227 | int tls13_derive_application_secrets(SSL_HANDSHAKE *hs); |
David Benjamin | c895d6b | 2016-08-11 13:26:41 -0400 | [diff] [blame] | 1228 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 1229 | // tls13_derive_resumption_secret derives the |resumption_secret|. |
David Benjamin | 1b24967 | 2016-12-06 18:25:50 -0500 | [diff] [blame] | 1230 | int tls13_derive_resumption_secret(SSL_HANDSHAKE *hs); |
David Benjamin | c895d6b | 2016-08-11 13:26:41 -0400 | [diff] [blame] | 1231 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 1232 | // tls13_export_keying_material provides an exporter interface to use the |
| 1233 | // |exporter_secret|. |
Robert Sloan | 5581810 | 2017-12-18 11:26:17 -0800 | [diff] [blame] | 1234 | int tls13_export_keying_material(SSL *ssl, Span<uint8_t> out, |
| 1235 | Span<const uint8_t> secret, |
| 1236 | Span<const char> label, |
| 1237 | Span<const uint8_t> context); |
David Benjamin | c895d6b | 2016-08-11 13:26:41 -0400 | [diff] [blame] | 1238 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 1239 | // tls13_finished_mac calculates the MAC of the handshake transcript to verify |
| 1240 | // the integrity of the Finished message, and stores the result in |out| and |
| 1241 | // length in |out_len|. |is_server| is 1 if this is for the Server Finished and |
| 1242 | // 0 for the Client Finished. |
David Benjamin | 1b24967 | 2016-12-06 18:25:50 -0500 | [diff] [blame] | 1243 | int tls13_finished_mac(SSL_HANDSHAKE *hs, uint8_t *out, |
| 1244 | size_t *out_len, int is_server); |
David Benjamin | c895d6b | 2016-08-11 13:26:41 -0400 | [diff] [blame] | 1245 | |
Robert Sloan | b1b54b8 | 2017-11-06 13:50:02 -0800 | [diff] [blame] | 1246 | // tls13_derive_session_psk calculates the PSK for this session based on the |
| 1247 | // resumption master secret and |nonce|. It returns true on success, and false |
| 1248 | // on failure. |
| 1249 | bool tls13_derive_session_psk(SSL_SESSION *session, Span<const uint8_t> nonce); |
| 1250 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 1251 | // tls13_write_psk_binder calculates the PSK binder value and replaces the last |
| 1252 | // bytes of |msg| with the resulting value. It returns 1 on success, and 0 on |
| 1253 | // failure. |
Robert Sloan | 5d62578 | 2017-02-13 09:55:39 -0800 | [diff] [blame] | 1254 | int tls13_write_psk_binder(SSL_HANDSHAKE *hs, uint8_t *msg, size_t len); |
David Benjamin | f0c4a6c | 2016-08-11 13:26:41 -0400 | [diff] [blame] | 1255 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 1256 | // tls13_verify_psk_binder verifies that the handshake transcript, truncated |
| 1257 | // up to the binders has a valid signature using the value of |session|'s |
| 1258 | // resumption secret. It returns 1 on success, and 0 on failure. |
Robert Sloan | 5d62578 | 2017-02-13 09:55:39 -0800 | [diff] [blame] | 1259 | int tls13_verify_psk_binder(SSL_HANDSHAKE *hs, SSL_SESSION *session, |
Robert Sloan | 8437709 | 2017-08-14 09:33:19 -0700 | [diff] [blame] | 1260 | const SSLMessage &msg, CBS *binders); |
David Benjamin | f0c4a6c | 2016-08-11 13:26:41 -0400 | [diff] [blame] | 1261 | |
David Benjamin | c895d6b | 2016-08-11 13:26:41 -0400 | [diff] [blame] | 1262 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 1263 | // Handshake functions. |
David Benjamin | c895d6b | 2016-08-11 13:26:41 -0400 | [diff] [blame] | 1264 | |
| 1265 | enum ssl_hs_wait_t { |
| 1266 | ssl_hs_error, |
| 1267 | ssl_hs_ok, |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 1268 | ssl_hs_read_server_hello, |
David Benjamin | c895d6b | 2016-08-11 13:26:41 -0400 | [diff] [blame] | 1269 | ssl_hs_read_message, |
David Benjamin | c895d6b | 2016-08-11 13:26:41 -0400 | [diff] [blame] | 1270 | ssl_hs_flush, |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 1271 | ssl_hs_certificate_selection_pending, |
David Benjamin | c895d6b | 2016-08-11 13:26:41 -0400 | [diff] [blame] | 1272 | ssl_hs_x509_lookup, |
Steven Valdez | 909b19f | 2016-11-21 15:35:44 -0500 | [diff] [blame] | 1273 | ssl_hs_channel_id_lookup, |
David Benjamin | c895d6b | 2016-08-11 13:26:41 -0400 | [diff] [blame] | 1274 | ssl_hs_private_key_operation, |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 1275 | ssl_hs_pending_session, |
Robert Sloan | 1c9db53 | 2017-03-13 08:03:59 -0700 | [diff] [blame] | 1276 | ssl_hs_pending_ticket, |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 1277 | ssl_hs_early_return, |
Robert Sloan | e56da3e | 2017-06-26 08:26:42 -0700 | [diff] [blame] | 1278 | ssl_hs_early_data_rejected, |
Robert Sloan | 6d0d00e | 2017-03-27 07:13:07 -0700 | [diff] [blame] | 1279 | ssl_hs_read_end_of_early_data, |
Robert Sloan | a12bf46 | 2017-07-17 07:08:26 -0700 | [diff] [blame] | 1280 | ssl_hs_read_change_cipher_spec, |
Robert Sloan | b6d070c | 2017-07-24 08:40:01 -0700 | [diff] [blame] | 1281 | ssl_hs_certificate_verify, |
David Benjamin | c895d6b | 2016-08-11 13:26:41 -0400 | [diff] [blame] | 1282 | }; |
| 1283 | |
Robert Sloan | 309a31e | 2018-01-29 10:22:47 -0800 | [diff] [blame^] | 1284 | enum ssl_grease_index_t { |
| 1285 | ssl_grease_cipher = 0, |
| 1286 | ssl_grease_group, |
| 1287 | ssl_grease_extension1, |
| 1288 | ssl_grease_extension2, |
| 1289 | ssl_grease_version, |
| 1290 | ssl_grease_ticket_extension, |
| 1291 | ssl_grease_last_index = ssl_grease_ticket_extension, |
| 1292 | }; |
| 1293 | |
Robert Sloan | b6d070c | 2017-07-24 08:40:01 -0700 | [diff] [blame] | 1294 | struct SSL_HANDSHAKE { |
| 1295 | explicit SSL_HANDSHAKE(SSL *ssl); |
| 1296 | ~SSL_HANDSHAKE(); |
Robert Sloan | fe7cd21 | 2017-08-07 09:03:39 -0700 | [diff] [blame] | 1297 | static constexpr bool kAllowUniquePtr = true; |
Robert Sloan | b6d070c | 2017-07-24 08:40:01 -0700 | [diff] [blame] | 1298 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 1299 | // ssl is a non-owning pointer to the parent |SSL| object. |
David Benjamin | 1b24967 | 2016-12-06 18:25:50 -0500 | [diff] [blame] | 1300 | SSL *ssl; |
David Benjamin | c895d6b | 2016-08-11 13:26:41 -0400 | [diff] [blame] | 1301 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 1302 | // wait contains the operation the handshake is currently blocking on or |
| 1303 | // |ssl_hs_ok| if none. |
Robert Sloan | b6d070c | 2017-07-24 08:40:01 -0700 | [diff] [blame] | 1304 | enum ssl_hs_wait_t wait = ssl_hs_ok; |
David Benjamin | c895d6b | 2016-08-11 13:26:41 -0400 | [diff] [blame] | 1305 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 1306 | // state is the internal state for the TLS 1.2 and below handshake. Its |
| 1307 | // values depend on |do_handshake| but the starting state is always zero. |
| 1308 | int state = 0; |
David Benjamin | c895d6b | 2016-08-11 13:26:41 -0400 | [diff] [blame] | 1309 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 1310 | // tls13_state is the internal state for the TLS 1.3 handshake. Its values |
| 1311 | // depend on |do_handshake| but the starting state is always zero. |
Robert Sloan | b6d070c | 2017-07-24 08:40:01 -0700 | [diff] [blame] | 1312 | int tls13_state = 0; |
Steven Valdez | e7531f0 | 2016-12-14 13:29:57 -0500 | [diff] [blame] | 1313 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 1314 | // min_version is the minimum accepted protocol version, taking account both |
| 1315 | // |SSL_OP_NO_*| and |SSL_CTX_set_min_proto_version| APIs. |
Robert Sloan | b6d070c | 2017-07-24 08:40:01 -0700 | [diff] [blame] | 1316 | uint16_t min_version = 0; |
Robert Sloan | e56da3e | 2017-06-26 08:26:42 -0700 | [diff] [blame] | 1317 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 1318 | // max_version is the maximum accepted protocol version, taking account both |
| 1319 | // |SSL_OP_NO_*| and |SSL_CTX_set_max_proto_version| APIs. |
Robert Sloan | b6d070c | 2017-07-24 08:40:01 -0700 | [diff] [blame] | 1320 | uint16_t max_version = 0; |
Robert Sloan | e56da3e | 2017-06-26 08:26:42 -0700 | [diff] [blame] | 1321 | |
Robert Sloan | b6d070c | 2017-07-24 08:40:01 -0700 | [diff] [blame] | 1322 | size_t hash_len = 0; |
| 1323 | uint8_t secret[EVP_MAX_MD_SIZE] = {0}; |
| 1324 | uint8_t early_traffic_secret[EVP_MAX_MD_SIZE] = {0}; |
| 1325 | uint8_t client_handshake_secret[EVP_MAX_MD_SIZE] = {0}; |
| 1326 | uint8_t server_handshake_secret[EVP_MAX_MD_SIZE] = {0}; |
| 1327 | uint8_t client_traffic_secret_0[EVP_MAX_MD_SIZE] = {0}; |
| 1328 | uint8_t server_traffic_secret_0[EVP_MAX_MD_SIZE] = {0}; |
| 1329 | uint8_t expected_client_finished[EVP_MAX_MD_SIZE] = {0}; |
David Benjamin | c895d6b | 2016-08-11 13:26:41 -0400 | [diff] [blame] | 1330 | |
David Benjamin | 95add82 | 2016-10-19 01:09:12 -0400 | [diff] [blame] | 1331 | union { |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 1332 | // sent is a bitset where the bits correspond to elements of kExtensions |
| 1333 | // in t1_lib.c. Each bit is set if that extension was sent in a |
| 1334 | // ClientHello. It's not used by servers. |
Robert Sloan | b6d070c | 2017-07-24 08:40:01 -0700 | [diff] [blame] | 1335 | uint32_t sent = 0; |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 1336 | // received is a bitset, like |sent|, but is used by servers to record |
| 1337 | // which extensions were received from a client. |
David Benjamin | 95add82 | 2016-10-19 01:09:12 -0400 | [diff] [blame] | 1338 | uint32_t received; |
| 1339 | } extensions; |
| 1340 | |
| 1341 | union { |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 1342 | // sent is a bitset where the bits correspond to elements of |
| 1343 | // |client_custom_extensions| in the |SSL_CTX|. Each bit is set if that |
| 1344 | // extension was sent in a ClientHello. It's not used by servers. |
Robert Sloan | b6d070c | 2017-07-24 08:40:01 -0700 | [diff] [blame] | 1345 | uint16_t sent = 0; |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 1346 | // received is a bitset, like |sent|, but is used by servers to record |
| 1347 | // which custom extensions were received from a client. The bits here |
| 1348 | // correspond to |server_custom_extensions|. |
David Benjamin | 95add82 | 2016-10-19 01:09:12 -0400 | [diff] [blame] | 1349 | uint16_t received; |
| 1350 | } custom_extensions; |
| 1351 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 1352 | // retry_group is the group ID selected by the server in HelloRetryRequest in |
| 1353 | // TLS 1.3. |
Robert Sloan | b6d070c | 2017-07-24 08:40:01 -0700 | [diff] [blame] | 1354 | uint16_t retry_group = 0; |
David Benjamin | 7c0d06c | 2016-08-11 13:26:41 -0400 | [diff] [blame] | 1355 | |
Robert Sloan | 921ef2c | 2017-10-17 09:02:20 -0700 | [diff] [blame] | 1356 | // error, if |wait| is |ssl_hs_error|, is the error the handshake failed on. |
| 1357 | UniquePtr<ERR_SAVE_STATE> error; |
| 1358 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 1359 | // key_share is the current key exchange instance. |
Robert Sloan | b6d070c | 2017-07-24 08:40:01 -0700 | [diff] [blame] | 1360 | UniquePtr<SSLKeyShare> key_share; |
David Benjamin | 1b24967 | 2016-12-06 18:25:50 -0500 | [diff] [blame] | 1361 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 1362 | // transcript is the current handshake transcript. |
Robert Sloan | b6d070c | 2017-07-24 08:40:01 -0700 | [diff] [blame] | 1363 | SSLTranscript transcript; |
Robert Sloan | 5d62578 | 2017-02-13 09:55:39 -0800 | [diff] [blame] | 1364 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 1365 | // cookie is the value of the cookie received from the server, if any. |
Robert Sloan | 4562e9d | 2017-10-02 10:26:51 -0700 | [diff] [blame] | 1366 | Array<uint8_t> cookie; |
David Benjamin | 95add82 | 2016-10-19 01:09:12 -0400 | [diff] [blame] | 1367 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 1368 | // key_share_bytes is the value of the previously sent KeyShare extension by |
| 1369 | // the client in TLS 1.3. |
Robert Sloan | 4562e9d | 2017-10-02 10:26:51 -0700 | [diff] [blame] | 1370 | Array<uint8_t> key_share_bytes; |
David Benjamin | 7c0d06c | 2016-08-11 13:26:41 -0400 | [diff] [blame] | 1371 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 1372 | // ecdh_public_key, for servers, is the key share to be sent to the client in |
| 1373 | // TLS 1.3. |
Robert Sloan | 4562e9d | 2017-10-02 10:26:51 -0700 | [diff] [blame] | 1374 | Array<uint8_t> ecdh_public_key; |
David Benjamin | c895d6b | 2016-08-11 13:26:41 -0400 | [diff] [blame] | 1375 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 1376 | // peer_sigalgs are the signature algorithms that the peer supports. These are |
| 1377 | // taken from the contents of the signature algorithms extension for a server |
| 1378 | // or from the CertificateRequest for a client. |
Robert Sloan | 4562e9d | 2017-10-02 10:26:51 -0700 | [diff] [blame] | 1379 | Array<uint16_t> peer_sigalgs; |
David Benjamin | c895d6b | 2016-08-11 13:26:41 -0400 | [diff] [blame] | 1380 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 1381 | // peer_supported_group_list contains the supported group IDs advertised by |
| 1382 | // the peer. This is only set on the server's end. The server does not |
| 1383 | // advertise this extension to the client. |
Robert Sloan | 4562e9d | 2017-10-02 10:26:51 -0700 | [diff] [blame] | 1384 | Array<uint16_t> peer_supported_group_list; |
David Benjamin | 95add82 | 2016-10-19 01:09:12 -0400 | [diff] [blame] | 1385 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 1386 | // peer_key is the peer's ECDH key for a TLS 1.2 client. |
Robert Sloan | 4562e9d | 2017-10-02 10:26:51 -0700 | [diff] [blame] | 1387 | Array<uint8_t> peer_key; |
David Benjamin | 95add82 | 2016-10-19 01:09:12 -0400 | [diff] [blame] | 1388 | |
Robert Sloan | 978112c | 2018-01-22 12:53:01 -0800 | [diff] [blame] | 1389 | // negotiated_token_binding_version is used by a server to store the |
| 1390 | // on-the-wire encoding of the Token Binding protocol version to advertise in |
| 1391 | // the ServerHello/EncryptedExtensions if the Token Binding extension is to be |
| 1392 | // sent. |
| 1393 | uint16_t negotiated_token_binding_version; |
| 1394 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 1395 | // server_params, in a TLS 1.2 server, stores the ServerKeyExchange |
| 1396 | // parameters. It has client and server randoms prepended for signing |
| 1397 | // convenience. |
Robert Sloan | 4562e9d | 2017-10-02 10:26:51 -0700 | [diff] [blame] | 1398 | Array<uint8_t> server_params; |
David Benjamin | 95add82 | 2016-10-19 01:09:12 -0400 | [diff] [blame] | 1399 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 1400 | // peer_psk_identity_hint, on the client, is the psk_identity_hint sent by the |
| 1401 | // server when using a TLS 1.2 PSK key exchange. |
Robert Sloan | b6d070c | 2017-07-24 08:40:01 -0700 | [diff] [blame] | 1402 | UniquePtr<char> peer_psk_identity_hint; |
David Benjamin | 1b24967 | 2016-12-06 18:25:50 -0500 | [diff] [blame] | 1403 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 1404 | // ca_names, on the client, contains the list of CAs received in a |
| 1405 | // CertificateRequest message. |
Robert Sloan | b6d070c | 2017-07-24 08:40:01 -0700 | [diff] [blame] | 1406 | UniquePtr<STACK_OF(CRYPTO_BUFFER)> ca_names; |
Robert Sloan | 7d422bc | 2017-03-06 10:04:29 -0800 | [diff] [blame] | 1407 | |
Robert Sloan | ae1abf9 | 2017-10-05 12:50:08 -0700 | [diff] [blame] | 1408 | // cached_x509_ca_names contains a cache of parsed versions of the elements of |
| 1409 | // |ca_names|. This pointer is left non-owning so only |
| 1410 | // |ssl_crypto_x509_method| needs to link against crypto/x509. |
Robert Sloan | b6d070c | 2017-07-24 08:40:01 -0700 | [diff] [blame] | 1411 | STACK_OF(X509_NAME) *cached_x509_ca_names = nullptr; |
David Benjamin | 1b24967 | 2016-12-06 18:25:50 -0500 | [diff] [blame] | 1412 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 1413 | // certificate_types, on the client, contains the set of certificate types |
| 1414 | // received in a CertificateRequest message. |
Robert Sloan | 4562e9d | 2017-10-02 10:26:51 -0700 | [diff] [blame] | 1415 | Array<uint8_t> certificate_types; |
David Benjamin | 1b24967 | 2016-12-06 18:25:50 -0500 | [diff] [blame] | 1416 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 1417 | // local_pubkey is the public key we are authenticating as. |
Robert Sloan | b6d070c | 2017-07-24 08:40:01 -0700 | [diff] [blame] | 1418 | UniquePtr<EVP_PKEY> local_pubkey; |
Robert Sloan | 572a4e2 | 2017-04-17 10:52:19 -0700 | [diff] [blame] | 1419 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 1420 | // peer_pubkey is the public key parsed from the peer's leaf certificate. |
Robert Sloan | b6d070c | 2017-07-24 08:40:01 -0700 | [diff] [blame] | 1421 | UniquePtr<EVP_PKEY> peer_pubkey; |
Steven Valdez | e7531f0 | 2016-12-14 13:29:57 -0500 | [diff] [blame] | 1422 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 1423 | // new_session is the new mutable session being established by the current |
| 1424 | // handshake. It should not be cached. |
Robert Sloan | b6d070c | 2017-07-24 08:40:01 -0700 | [diff] [blame] | 1425 | UniquePtr<SSL_SESSION> new_session; |
Robert Sloan | a94fe05 | 2017-02-21 08:49:28 -0800 | [diff] [blame] | 1426 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 1427 | // early_session is the session corresponding to the current 0-RTT state on |
| 1428 | // the client if |in_early_data| is true. |
Robert Sloan | b6d070c | 2017-07-24 08:40:01 -0700 | [diff] [blame] | 1429 | UniquePtr<SSL_SESSION> early_session; |
Robert Sloan | e56da3e | 2017-06-26 08:26:42 -0700 | [diff] [blame] | 1430 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 1431 | // new_cipher is the cipher being negotiated in this handshake. |
Robert Sloan | b6d070c | 2017-07-24 08:40:01 -0700 | [diff] [blame] | 1432 | const SSL_CIPHER *new_cipher = nullptr; |
Robert Sloan | a94fe05 | 2017-02-21 08:49:28 -0800 | [diff] [blame] | 1433 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 1434 | // key_block is the record-layer key block for TLS 1.2 and earlier. |
Robert Sloan | ae1abf9 | 2017-10-05 12:50:08 -0700 | [diff] [blame] | 1435 | Array<uint8_t> key_block; |
David Benjamin | 1b24967 | 2016-12-06 18:25:50 -0500 | [diff] [blame] | 1436 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 1437 | // scts_requested is true if the SCT extension is in the ClientHello. |
| 1438 | bool scts_requested:1; |
David Benjamin | 1b24967 | 2016-12-06 18:25:50 -0500 | [diff] [blame] | 1439 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 1440 | // needs_psk_binder is true if the ClientHello has a placeholder PSK binder to |
| 1441 | // be filled in. |
| 1442 | bool needs_psk_binder:1; |
David Benjamin | 1b24967 | 2016-12-06 18:25:50 -0500 | [diff] [blame] | 1443 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 1444 | bool received_hello_retry_request:1; |
Robert Sloan | d5c2215 | 2017-11-13 09:22:12 -0800 | [diff] [blame] | 1445 | bool sent_hello_retry_request:1; |
David Benjamin | 1b24967 | 2016-12-06 18:25:50 -0500 | [diff] [blame] | 1446 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 1447 | bool received_custom_extension:1; |
Robert Sloan | 8f860b1 | 2017-08-28 07:37:06 -0700 | [diff] [blame] | 1448 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 1449 | // handshake_finalized is true once the handshake has completed, at which |
| 1450 | // point accessors should use the established state. |
| 1451 | bool handshake_finalized:1; |
David Benjamin | 1b24967 | 2016-12-06 18:25:50 -0500 | [diff] [blame] | 1452 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 1453 | // accept_psk_mode stores whether the client's PSK mode is compatible with our |
| 1454 | // preferences. |
| 1455 | bool accept_psk_mode:1; |
David Benjamin | 95add82 | 2016-10-19 01:09:12 -0400 | [diff] [blame] | 1456 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 1457 | // cert_request is true if a client certificate was requested. |
| 1458 | bool cert_request:1; |
David Benjamin | 95add82 | 2016-10-19 01:09:12 -0400 | [diff] [blame] | 1459 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 1460 | // certificate_status_expected is true if OCSP stapling was negotiated and the |
| 1461 | // server is expected to send a CertificateStatus message. (This is used on |
| 1462 | // both the client and server sides.) |
| 1463 | bool certificate_status_expected:1; |
David Benjamin | 95add82 | 2016-10-19 01:09:12 -0400 | [diff] [blame] | 1464 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 1465 | // ocsp_stapling_requested is true if a client requested OCSP stapling. |
| 1466 | bool ocsp_stapling_requested:1; |
David Benjamin | 95add82 | 2016-10-19 01:09:12 -0400 | [diff] [blame] | 1467 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 1468 | // should_ack_sni is used by a server and indicates that the SNI extension |
| 1469 | // should be echoed in the ServerHello. |
| 1470 | bool should_ack_sni:1; |
David Benjamin | 95add82 | 2016-10-19 01:09:12 -0400 | [diff] [blame] | 1471 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 1472 | // in_false_start is true if there is a pending client handshake in False |
| 1473 | // Start. The client may write data at this point. |
| 1474 | bool in_false_start:1; |
Robert Sloan | e56da3e | 2017-06-26 08:26:42 -0700 | [diff] [blame] | 1475 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 1476 | // in_early_data is true if there is a pending handshake that has progressed |
| 1477 | // enough to send and receive early data. |
| 1478 | bool in_early_data:1; |
Robert Sloan | 6d0d00e | 2017-03-27 07:13:07 -0700 | [diff] [blame] | 1479 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 1480 | // early_data_offered is true if the client sent the early_data extension. |
| 1481 | bool early_data_offered:1; |
Robert Sloan | 6d0d00e | 2017-03-27 07:13:07 -0700 | [diff] [blame] | 1482 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 1483 | // can_early_read is true if application data may be read at this point in the |
| 1484 | // handshake. |
| 1485 | bool can_early_read:1; |
Robert Sloan | 6d0d00e | 2017-03-27 07:13:07 -0700 | [diff] [blame] | 1486 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 1487 | // can_early_write is true if application data may be written at this point in |
| 1488 | // the handshake. |
| 1489 | bool can_early_write:1; |
David Benjamin | 95add82 | 2016-10-19 01:09:12 -0400 | [diff] [blame] | 1490 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 1491 | // next_proto_neg_seen is one of NPN was negotiated. |
| 1492 | bool next_proto_neg_seen:1; |
Steven Valdez | 909b19f | 2016-11-21 15:35:44 -0500 | [diff] [blame] | 1493 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 1494 | // ticket_expected is true if a TLS 1.2 NewSessionTicket message is to be sent |
| 1495 | // or received. |
| 1496 | bool ticket_expected:1; |
Robert Sloan | a94fe05 | 2017-02-21 08:49:28 -0800 | [diff] [blame] | 1497 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 1498 | // extended_master_secret is true if the extended master secret extension is |
| 1499 | // negotiated in this handshake. |
| 1500 | bool extended_master_secret:1; |
Robert Sloan | e56da3e | 2017-06-26 08:26:42 -0700 | [diff] [blame] | 1501 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 1502 | // pending_private_key_op is true if there is a pending private key operation |
| 1503 | // in progress. |
| 1504 | bool pending_private_key_op:1; |
| 1505 | |
Robert Sloan | 309a31e | 2018-01-29 10:22:47 -0800 | [diff] [blame^] | 1506 | // grease_seeded is true if |grease_seed| has been initialized. |
| 1507 | bool grease_seeded:1; |
| 1508 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 1509 | // client_version is the value sent or received in the ClientHello version. |
Robert Sloan | b6d070c | 2017-07-24 08:40:01 -0700 | [diff] [blame] | 1510 | uint16_t client_version = 0; |
Robert Sloan | 9254e68 | 2017-04-24 09:42:06 -0700 | [diff] [blame] | 1511 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 1512 | // early_data_read is the amount of early data that has been read by the |
| 1513 | // record layer. |
Robert Sloan | b6d070c | 2017-07-24 08:40:01 -0700 | [diff] [blame] | 1514 | uint16_t early_data_read = 0; |
Robert Sloan | e56da3e | 2017-06-26 08:26:42 -0700 | [diff] [blame] | 1515 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 1516 | // early_data_written is the amount of early data that has been written by the |
| 1517 | // record layer. |
Robert Sloan | b6d070c | 2017-07-24 08:40:01 -0700 | [diff] [blame] | 1518 | uint16_t early_data_written = 0; |
Robert Sloan | a450c92 | 2018-01-08 10:35:32 -0800 | [diff] [blame] | 1519 | |
| 1520 | // session_id is the session ID in the ClientHello, used for the experimental |
| 1521 | // TLS 1.3 variant. |
| 1522 | uint8_t session_id[SSL_MAX_SSL_SESSION_ID_LENGTH] = {0}; |
| 1523 | uint8_t session_id_len = 0; |
Robert Sloan | 309a31e | 2018-01-29 10:22:47 -0800 | [diff] [blame^] | 1524 | |
| 1525 | // grease_seed is the entropy for GREASE values. It is valid if |
| 1526 | // |grease_seeded| is true. |
| 1527 | uint8_t grease_seed[ssl_grease_last_index + 1] = {0}; |
Robert Sloan | b6d070c | 2017-07-24 08:40:01 -0700 | [diff] [blame] | 1528 | }; |
David Benjamin | 95add82 | 2016-10-19 01:09:12 -0400 | [diff] [blame] | 1529 | |
Robert Sloan | 29c1d2c | 2017-10-30 14:10:28 -0700 | [diff] [blame] | 1530 | UniquePtr<SSL_HANDSHAKE> ssl_handshake_new(SSL *ssl); |
David Benjamin | c895d6b | 2016-08-11 13:26:41 -0400 | [diff] [blame] | 1531 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 1532 | // ssl_check_message_type checks if |msg| has type |type|. If so it returns |
| 1533 | // one. Otherwise, it sends an alert and returns zero. |
Robert Sloan | 3627296 | 2017-10-23 10:28:39 -0700 | [diff] [blame] | 1534 | bool ssl_check_message_type(SSL *ssl, const SSLMessage &msg, int type); |
Robert Sloan | 4d1ac50 | 2017-02-06 08:36:14 -0800 | [diff] [blame] | 1535 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 1536 | // ssl_run_handshake runs the TLS handshake. It returns one on success and <= 0 |
| 1537 | // on error. It sets |out_early_return| to one if we've completed the handshake |
| 1538 | // early. |
| 1539 | int ssl_run_handshake(SSL_HANDSHAKE *hs, bool *out_early_return); |
David Benjamin | c895d6b | 2016-08-11 13:26:41 -0400 | [diff] [blame] | 1540 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 1541 | // The following are implementations of |do_handshake| for the client and |
| 1542 | // server. |
| 1543 | enum ssl_hs_wait_t ssl_client_handshake(SSL_HANDSHAKE *hs); |
| 1544 | enum ssl_hs_wait_t ssl_server_handshake(SSL_HANDSHAKE *hs); |
David Benjamin | 1b24967 | 2016-12-06 18:25:50 -0500 | [diff] [blame] | 1545 | enum ssl_hs_wait_t tls13_client_handshake(SSL_HANDSHAKE *hs); |
| 1546 | enum ssl_hs_wait_t tls13_server_handshake(SSL_HANDSHAKE *hs); |
David Benjamin | c895d6b | 2016-08-11 13:26:41 -0400 | [diff] [blame] | 1547 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 1548 | // The following functions return human-readable representations of the TLS |
| 1549 | // handshake states for debugging. |
| 1550 | const char *ssl_client_handshake_state(SSL_HANDSHAKE *hs); |
| 1551 | const char *ssl_server_handshake_state(SSL_HANDSHAKE *hs); |
Robert Sloan | 8f860b1 | 2017-08-28 07:37:06 -0700 | [diff] [blame] | 1552 | const char *tls13_client_handshake_state(SSL_HANDSHAKE *hs); |
| 1553 | const char *tls13_server_handshake_state(SSL_HANDSHAKE *hs); |
| 1554 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 1555 | // tls13_post_handshake processes a post-handshake message. It returns one on |
| 1556 | // success and zero on failure. |
Robert Sloan | 8437709 | 2017-08-14 09:33:19 -0700 | [diff] [blame] | 1557 | int tls13_post_handshake(SSL *ssl, const SSLMessage &msg); |
David Benjamin | c895d6b | 2016-08-11 13:26:41 -0400 | [diff] [blame] | 1558 | |
Robert Sloan | 8437709 | 2017-08-14 09:33:19 -0700 | [diff] [blame] | 1559 | int tls13_process_certificate(SSL_HANDSHAKE *hs, const SSLMessage &msg, |
| 1560 | int allow_anonymous); |
| 1561 | int tls13_process_certificate_verify(SSL_HANDSHAKE *hs, const SSLMessage &msg); |
Robert Sloan | 6d0d00e | 2017-03-27 07:13:07 -0700 | [diff] [blame] | 1562 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 1563 | // tls13_process_finished processes |msg| as a Finished message from the |
| 1564 | // peer. If |use_saved_value| is one, the verify_data is compared against |
| 1565 | // |hs->expected_client_finished| rather than computed fresh. |
Robert Sloan | 8437709 | 2017-08-14 09:33:19 -0700 | [diff] [blame] | 1566 | int tls13_process_finished(SSL_HANDSHAKE *hs, const SSLMessage &msg, |
| 1567 | int use_saved_value); |
David Benjamin | c895d6b | 2016-08-11 13:26:41 -0400 | [diff] [blame] | 1568 | |
Robert Sloan | 4d1ac50 | 2017-02-06 08:36:14 -0800 | [diff] [blame] | 1569 | int tls13_add_certificate(SSL_HANDSHAKE *hs); |
Robert Sloan | e56da3e | 2017-06-26 08:26:42 -0700 | [diff] [blame] | 1570 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 1571 | // tls13_add_certificate_verify adds a TLS 1.3 CertificateVerify message to the |
| 1572 | // handshake. If it returns |ssl_private_key_retry|, it should be called again |
| 1573 | // to retry when the signing operation is completed. |
Robert Sloan | e56da3e | 2017-06-26 08:26:42 -0700 | [diff] [blame] | 1574 | enum ssl_private_key_result_t tls13_add_certificate_verify(SSL_HANDSHAKE *hs); |
| 1575 | |
Robert Sloan | 4d1ac50 | 2017-02-06 08:36:14 -0800 | [diff] [blame] | 1576 | int tls13_add_finished(SSL_HANDSHAKE *hs); |
Robert Sloan | 8437709 | 2017-08-14 09:33:19 -0700 | [diff] [blame] | 1577 | int tls13_process_new_session_ticket(SSL *ssl, const SSLMessage &msg); |
David Benjamin | c895d6b | 2016-08-11 13:26:41 -0400 | [diff] [blame] | 1578 | |
Robert Sloan | 921ef2c | 2017-10-17 09:02:20 -0700 | [diff] [blame] | 1579 | bool ssl_ext_key_share_parse_serverhello(SSL_HANDSHAKE *hs, |
| 1580 | Array<uint8_t> *out_secret, |
| 1581 | uint8_t *out_alert, CBS *contents); |
| 1582 | bool ssl_ext_key_share_parse_clienthello(SSL_HANDSHAKE *hs, bool *out_found, |
| 1583 | Array<uint8_t> *out_secret, |
| 1584 | uint8_t *out_alert, CBS *contents); |
| 1585 | bool ssl_ext_key_share_add_serverhello(SSL_HANDSHAKE *hs, CBB *out); |
David Benjamin | c895d6b | 2016-08-11 13:26:41 -0400 | [diff] [blame] | 1586 | |
Robert Sloan | 921ef2c | 2017-10-17 09:02:20 -0700 | [diff] [blame] | 1587 | bool ssl_ext_pre_shared_key_parse_serverhello(SSL_HANDSHAKE *hs, |
| 1588 | uint8_t *out_alert, |
| 1589 | CBS *contents); |
| 1590 | bool ssl_ext_pre_shared_key_parse_clienthello( |
Robert Sloan | 1c9db53 | 2017-03-13 08:03:59 -0700 | [diff] [blame] | 1591 | SSL_HANDSHAKE *hs, CBS *out_ticket, CBS *out_binders, |
| 1592 | uint32_t *out_obfuscated_ticket_age, uint8_t *out_alert, CBS *contents); |
Robert Sloan | 921ef2c | 2017-10-17 09:02:20 -0700 | [diff] [blame] | 1593 | bool ssl_ext_pre_shared_key_add_serverhello(SSL_HANDSHAKE *hs, CBB *out); |
David Benjamin | f0c4a6c | 2016-08-11 13:26:41 -0400 | [diff] [blame] | 1594 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 1595 | // ssl_is_sct_list_valid does a shallow parse of the SCT list in |contents| and |
| 1596 | // returns one iff it's valid. |
Steven Valdez | 909b19f | 2016-11-21 15:35:44 -0500 | [diff] [blame] | 1597 | int ssl_is_sct_list_valid(const CBS *contents); |
| 1598 | |
David Benjamin | 1b24967 | 2016-12-06 18:25:50 -0500 | [diff] [blame] | 1599 | int ssl_write_client_hello(SSL_HANDSHAKE *hs); |
David Benjamin | c895d6b | 2016-08-11 13:26:41 -0400 | [diff] [blame] | 1600 | |
Steven Valdez | 909b19f | 2016-11-21 15:35:44 -0500 | [diff] [blame] | 1601 | enum ssl_cert_verify_context_t { |
| 1602 | ssl_cert_verify_server, |
| 1603 | ssl_cert_verify_client, |
| 1604 | ssl_cert_verify_channel_id, |
| 1605 | }; |
| 1606 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 1607 | // tls13_get_cert_verify_signature_input generates the message to be signed for |
| 1608 | // TLS 1.3's CertificateVerify message. |cert_verify_context| determines the |
Robert Sloan | 921ef2c | 2017-10-17 09:02:20 -0700 | [diff] [blame] | 1609 | // type of signature. It sets |*out| to a newly allocated buffer containing the |
| 1610 | // result. This function returns true on success and false on failure. |
| 1611 | bool tls13_get_cert_verify_signature_input( |
| 1612 | SSL_HANDSHAKE *hs, Array<uint8_t> *out, |
Steven Valdez | 909b19f | 2016-11-21 15:35:44 -0500 | [diff] [blame] | 1613 | enum ssl_cert_verify_context_t cert_verify_context); |
| 1614 | |
Robert Sloan | 29c1d2c | 2017-10-30 14:10:28 -0700 | [diff] [blame] | 1615 | // ssl_is_alpn_protocol_allowed returns whether |protocol| is a valid server |
| 1616 | // selection for |ssl|'s client preferences. |
| 1617 | bool ssl_is_alpn_protocol_allowed(const SSL *ssl, Span<const uint8_t> protocol); |
| 1618 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 1619 | // ssl_negotiate_alpn negotiates the ALPN extension, if applicable. It returns |
Robert Sloan | 921ef2c | 2017-10-17 09:02:20 -0700 | [diff] [blame] | 1620 | // true on successful negotiation or if nothing was negotiated. It returns false |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 1621 | // and sets |*out_alert| to an alert on error. |
Robert Sloan | 921ef2c | 2017-10-17 09:02:20 -0700 | [diff] [blame] | 1622 | bool ssl_negotiate_alpn(SSL_HANDSHAKE *hs, uint8_t *out_alert, |
| 1623 | const SSL_CLIENT_HELLO *client_hello); |
Steven Valdez | 909b19f | 2016-11-21 15:35:44 -0500 | [diff] [blame] | 1624 | |
Robert Sloan | b6d070c | 2017-07-24 08:40:01 -0700 | [diff] [blame] | 1625 | struct SSL_EXTENSION_TYPE { |
Steven Valdez | 909b19f | 2016-11-21 15:35:44 -0500 | [diff] [blame] | 1626 | uint16_t type; |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 1627 | bool *out_present; |
Steven Valdez | 909b19f | 2016-11-21 15:35:44 -0500 | [diff] [blame] | 1628 | CBS *out_data; |
Robert Sloan | b6d070c | 2017-07-24 08:40:01 -0700 | [diff] [blame] | 1629 | }; |
Steven Valdez | 909b19f | 2016-11-21 15:35:44 -0500 | [diff] [blame] | 1630 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 1631 | // ssl_parse_extensions parses a TLS extensions block out of |cbs| and advances |
| 1632 | // it. It writes the parsed extensions to pointers denoted by |ext_types|. On |
| 1633 | // success, it fills in the |out_present| and |out_data| fields and returns one. |
| 1634 | // Otherwise, it sets |*out_alert| to an alert to send and returns zero. Unknown |
| 1635 | // extensions are rejected unless |ignore_unknown| is 1. |
Steven Valdez | 909b19f | 2016-11-21 15:35:44 -0500 | [diff] [blame] | 1636 | int ssl_parse_extensions(const CBS *cbs, uint8_t *out_alert, |
| 1637 | const SSL_EXTENSION_TYPE *ext_types, |
Robert Sloan | 69939df | 2017-01-09 10:53:07 -0800 | [diff] [blame] | 1638 | size_t num_ext_types, int ignore_unknown); |
Steven Valdez | 909b19f | 2016-11-21 15:35:44 -0500 | [diff] [blame] | 1639 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 1640 | // ssl_verify_peer_cert verifies the peer certificate for |hs|. |
Robert Sloan | b6d070c | 2017-07-24 08:40:01 -0700 | [diff] [blame] | 1641 | enum ssl_verify_result_t ssl_verify_peer_cert(SSL_HANDSHAKE *hs); |
| 1642 | |
Robert Sloan | 921ef2c | 2017-10-17 09:02:20 -0700 | [diff] [blame] | 1643 | enum ssl_hs_wait_t ssl_get_finished(SSL_HANDSHAKE *hs); |
| 1644 | bool ssl_send_finished(SSL_HANDSHAKE *hs); |
| 1645 | bool ssl_output_cert_chain(SSL *ssl); |
| 1646 | |
David Benjamin | c895d6b | 2016-08-11 13:26:41 -0400 | [diff] [blame] | 1647 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 1648 | // SSLKEYLOGFILE functions. |
David Benjamin | c895d6b | 2016-08-11 13:26:41 -0400 | [diff] [blame] | 1649 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 1650 | // ssl_log_secret logs |secret| with label |label|, if logging is enabled for |
| 1651 | // |ssl|. It returns one on success and zero on failure. |
David Benjamin | c895d6b | 2016-08-11 13:26:41 -0400 | [diff] [blame] | 1652 | int ssl_log_secret(const SSL *ssl, const char *label, const uint8_t *secret, |
| 1653 | size_t secret_len); |
| 1654 | |
| 1655 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 1656 | // ClientHello functions. |
David Benjamin | c895d6b | 2016-08-11 13:26:41 -0400 | [diff] [blame] | 1657 | |
Robert Sloan | 4562e9d | 2017-10-02 10:26:51 -0700 | [diff] [blame] | 1658 | int ssl_client_hello_init(SSL *ssl, SSL_CLIENT_HELLO *out, |
| 1659 | const SSLMessage &msg); |
David Benjamin | c895d6b | 2016-08-11 13:26:41 -0400 | [diff] [blame] | 1660 | |
David Benjamin | 1b24967 | 2016-12-06 18:25:50 -0500 | [diff] [blame] | 1661 | int ssl_client_hello_get_extension(const SSL_CLIENT_HELLO *client_hello, |
| 1662 | CBS *out, uint16_t extension_type); |
David Benjamin | c895d6b | 2016-08-11 13:26:41 -0400 | [diff] [blame] | 1663 | |
David Benjamin | 1b24967 | 2016-12-06 18:25:50 -0500 | [diff] [blame] | 1664 | int ssl_client_cipher_list_contains_cipher(const SSL_CLIENT_HELLO *client_hello, |
| 1665 | uint16_t id); |
David Benjamin | c895d6b | 2016-08-11 13:26:41 -0400 | [diff] [blame] | 1666 | |
| 1667 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 1668 | // GREASE. |
Steven Valdez | bb1ceac | 2016-10-07 10:34:51 -0400 | [diff] [blame] | 1669 | |
Robert Sloan | 309a31e | 2018-01-29 10:22:47 -0800 | [diff] [blame^] | 1670 | // ssl_get_grease_value returns a GREASE value for |hs|. For a given |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 1671 | // connection, the values for each index will be deterministic. This allows the |
| 1672 | // same ClientHello be sent twice for a HelloRetryRequest or the same group be |
| 1673 | // advertised in both supported_groups and key_shares. |
Robert Sloan | 309a31e | 2018-01-29 10:22:47 -0800 | [diff] [blame^] | 1674 | uint16_t ssl_get_grease_value(SSL_HANDSHAKE *hs, enum ssl_grease_index_t index); |
Steven Valdez | bb1ceac | 2016-10-07 10:34:51 -0400 | [diff] [blame] | 1675 | |
| 1676 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 1677 | // Signature algorithms. |
David Benjamin | 95add82 | 2016-10-19 01:09:12 -0400 | [diff] [blame] | 1678 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 1679 | // tls1_parse_peer_sigalgs parses |sigalgs| as the list of peer signature |
Robert Sloan | 309a31e | 2018-01-29 10:22:47 -0800 | [diff] [blame^] | 1680 | // algorithms and saves them on |hs|. It returns true on success and false on |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 1681 | // error. |
Robert Sloan | 309a31e | 2018-01-29 10:22:47 -0800 | [diff] [blame^] | 1682 | bool tls1_parse_peer_sigalgs(SSL_HANDSHAKE *hs, const CBS *sigalgs); |
David Benjamin | 95add82 | 2016-10-19 01:09:12 -0400 | [diff] [blame] | 1683 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 1684 | // tls1_get_legacy_signature_algorithm sets |*out| to the signature algorithm |
Robert Sloan | 309a31e | 2018-01-29 10:22:47 -0800 | [diff] [blame^] | 1685 | // that should be used with |pkey| in TLS 1.1 and earlier. It returns true on |
| 1686 | // success and false if |pkey| may not be used at those versions. |
| 1687 | bool tls1_get_legacy_signature_algorithm(uint16_t *out, const EVP_PKEY *pkey); |
Robert Sloan | 2424d84 | 2017-05-01 07:46:28 -0700 | [diff] [blame] | 1688 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 1689 | // tls1_choose_signature_algorithm sets |*out| to a signature algorithm for use |
| 1690 | // with |hs|'s private key based on the peer's preferences and the algorithms |
Robert Sloan | 309a31e | 2018-01-29 10:22:47 -0800 | [diff] [blame^] | 1691 | // supported. It returns true on success and false on error. |
| 1692 | bool tls1_choose_signature_algorithm(SSL_HANDSHAKE *hs, uint16_t *out); |
David Benjamin | 95add82 | 2016-10-19 01:09:12 -0400 | [diff] [blame] | 1693 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 1694 | // tls12_add_verify_sigalgs adds the signature algorithms acceptable for the |
Robert Sloan | 309a31e | 2018-01-29 10:22:47 -0800 | [diff] [blame^] | 1695 | // peer signature to |out|. It returns true on success and false on error. |
| 1696 | bool tls12_add_verify_sigalgs(const SSL *ssl, CBB *out); |
David Benjamin | 95add82 | 2016-10-19 01:09:12 -0400 | [diff] [blame] | 1697 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 1698 | // tls12_check_peer_sigalg checks if |sigalg| is acceptable for the peer |
Robert Sloan | 309a31e | 2018-01-29 10:22:47 -0800 | [diff] [blame^] | 1699 | // signature. It returns true on success and false on error, setting |
| 1700 | // |*out_alert| to an alert to send. |
| 1701 | bool tls12_check_peer_sigalg(const SSL *ssl, uint8_t *out_alert, |
| 1702 | uint16_t sigalg); |
David Benjamin | 95add82 | 2016-10-19 01:09:12 -0400 | [diff] [blame] | 1703 | |
| 1704 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 1705 | // Underdocumented functions. |
| 1706 | // |
| 1707 | // Functions below here haven't been touched up and may be underdocumented. |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 1708 | |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 1709 | #define TLSEXT_CHANNEL_ID_SIZE 128 |
| 1710 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 1711 | // From RFC4492, used in encoding the curve type in ECParameters |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 1712 | #define NAMED_CURVE_TYPE 3 |
| 1713 | |
Robert Sloan | 921ef2c | 2017-10-17 09:02:20 -0700 | [diff] [blame] | 1714 | struct CERT { |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 1715 | EVP_PKEY *privatekey; |
Robert Sloan | 4d1ac50 | 2017-02-06 08:36:14 -0800 | [diff] [blame] | 1716 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 1717 | // chain contains the certificate chain, with the leaf at the beginning. The |
| 1718 | // first element of |chain| may be NULL to indicate that the leaf certificate |
| 1719 | // has not yet been set. |
| 1720 | // If |chain| != NULL -> len(chain) >= 1 |
| 1721 | // If |chain[0]| == NULL -> len(chain) >= 2. |
| 1722 | // |chain[1..]| != NULL |
Robert Sloan | 4d1ac50 | 2017-02-06 08:36:14 -0800 | [diff] [blame] | 1723 | STACK_OF(CRYPTO_BUFFER) *chain; |
| 1724 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 1725 | // x509_chain may contain a parsed copy of |chain[1..]|. This is only used as |
| 1726 | // a cache in order to implement “get0” functions that return a non-owning |
| 1727 | // pointer to the certificate chain. |
Steven Valdez | 909b19f | 2016-11-21 15:35:44 -0500 | [diff] [blame] | 1728 | STACK_OF(X509) *x509_chain; |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 1729 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 1730 | // x509_leaf may contain a parsed copy of the first element of |chain|. This |
| 1731 | // is only used as a cache in order to implement “get0” functions that return |
| 1732 | // a non-owning pointer to the certificate chain. |
Robert Sloan | 4d1ac50 | 2017-02-06 08:36:14 -0800 | [diff] [blame] | 1733 | X509 *x509_leaf; |
| 1734 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 1735 | // x509_stash contains the last |X509| object append to the chain. This is a |
| 1736 | // workaround for some third-party code that continue to use an |X509| object |
| 1737 | // even after passing ownership with an “add0” function. |
Robert Sloan | 4d1ac50 | 2017-02-06 08:36:14 -0800 | [diff] [blame] | 1738 | X509 *x509_stash; |
| 1739 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 1740 | // key_method, if non-NULL, is a set of callbacks to call for private key |
| 1741 | // operations. |
Kenny Root | b849459 | 2015-09-25 02:29:14 +0000 | [diff] [blame] | 1742 | const SSL_PRIVATE_KEY_METHOD *key_method; |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 1743 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 1744 | // x509_method contains pointers to functions that might deal with |X509| |
| 1745 | // compatibility, or might be a no-op, depending on the application. |
Robert Sloan | 5d62578 | 2017-02-13 09:55:39 -0800 | [diff] [blame] | 1746 | const SSL_X509_METHOD *x509_method; |
| 1747 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 1748 | // sigalgs, if non-NULL, is the set of signature algorithms supported by |
| 1749 | // |privatekey| in decreasing order of preference. |
David Benjamin | c895d6b | 2016-08-11 13:26:41 -0400 | [diff] [blame] | 1750 | uint16_t *sigalgs; |
David Benjamin | f0c4a6c | 2016-08-11 13:26:41 -0400 | [diff] [blame] | 1751 | size_t num_sigalgs; |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 1752 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 1753 | // Certificate setup callback: if set is called whenever a |
| 1754 | // certificate may be required (client or server). the callback |
| 1755 | // can then examine any appropriate parameters and setup any |
| 1756 | // certificates required. This allows advanced applications |
| 1757 | // to select certificates on the fly: for example based on |
| 1758 | // supported signature algorithms or curves. |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 1759 | int (*cert_cb)(SSL *ssl, void *arg); |
| 1760 | void *cert_cb_arg; |
David Benjamin | 4969cc9 | 2016-04-22 15:02:23 -0400 | [diff] [blame] | 1761 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 1762 | // Optional X509_STORE for certificate validation. If NULL the parent SSL_CTX |
| 1763 | // store is used instead. |
David Benjamin | 4969cc9 | 2016-04-22 15:02:23 -0400 | [diff] [blame] | 1764 | X509_STORE *verify_store; |
Robert Sloan | a94fe05 | 2017-02-21 08:49:28 -0800 | [diff] [blame] | 1765 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 1766 | // Signed certificate timestamp list to be sent to the client, if requested |
Robert Sloan | a94fe05 | 2017-02-21 08:49:28 -0800 | [diff] [blame] | 1767 | CRYPTO_BUFFER *signed_cert_timestamp_list; |
| 1768 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 1769 | // OCSP response to be sent to the client, if requested. |
Robert Sloan | a94fe05 | 2017-02-21 08:49:28 -0800 | [diff] [blame] | 1770 | CRYPTO_BUFFER *ocsp_response; |
| 1771 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 1772 | // sid_ctx partitions the session space within a shared session cache or |
| 1773 | // ticket key. Only sessions with a matching value will be accepted. |
Robert Sloan | a94fe05 | 2017-02-21 08:49:28 -0800 | [diff] [blame] | 1774 | uint8_t sid_ctx_length; |
| 1775 | uint8_t sid_ctx[SSL_MAX_SID_CTX_LENGTH]; |
Robert Sloan | 572a4e2 | 2017-04-17 10:52:19 -0700 | [diff] [blame] | 1776 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 1777 | // If enable_early_data is true, early data can be sent and accepted. |
| 1778 | bool enable_early_data:1; |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 1779 | }; |
| 1780 | |
Robert Sloan | 921ef2c | 2017-10-17 09:02:20 -0700 | [diff] [blame] | 1781 | // |SSL_PROTOCOL_METHOD| abstracts between TLS and DTLS. |
| 1782 | struct SSL_PROTOCOL_METHOD { |
Robert Sloan | 3627296 | 2017-10-23 10:28:39 -0700 | [diff] [blame] | 1783 | bool is_dtls; |
| 1784 | bool (*ssl_new)(SSL *ssl); |
Robert Sloan | 921ef2c | 2017-10-17 09:02:20 -0700 | [diff] [blame] | 1785 | void (*ssl_free)(SSL *ssl); |
| 1786 | // get_message sets |*out| to the current handshake message and returns true |
| 1787 | // if one has been received. It returns false if more input is needed. |
| 1788 | bool (*get_message)(SSL *ssl, SSLMessage *out); |
Robert Sloan | 921ef2c | 2017-10-17 09:02:20 -0700 | [diff] [blame] | 1789 | // next_message is called to release the current handshake message. |
| 1790 | void (*next_message)(SSL *ssl); |
Robert Sloan | 3627296 | 2017-10-23 10:28:39 -0700 | [diff] [blame] | 1791 | // Use the |ssl_open_handshake| wrapper. |
| 1792 | ssl_open_record_t (*open_handshake)(SSL *ssl, size_t *out_consumed, |
| 1793 | uint8_t *out_alert, Span<uint8_t> in); |
| 1794 | // Use the |ssl_open_change_cipher_spec| wrapper. |
| 1795 | ssl_open_record_t (*open_change_cipher_spec)(SSL *ssl, size_t *out_consumed, |
| 1796 | uint8_t *out_alert, |
| 1797 | Span<uint8_t> in); |
| 1798 | // Use the |ssl_open_app_data| wrapper. |
| 1799 | ssl_open_record_t (*open_app_data)(SSL *ssl, Span<uint8_t> *out, |
| 1800 | size_t *out_consumed, uint8_t *out_alert, |
| 1801 | Span<uint8_t> in); |
Robert Sloan | 921ef2c | 2017-10-17 09:02:20 -0700 | [diff] [blame] | 1802 | int (*write_app_data)(SSL *ssl, bool *out_needs_handshake, const uint8_t *buf, |
| 1803 | int len); |
| 1804 | int (*dispatch_alert)(SSL *ssl); |
Robert Sloan | 921ef2c | 2017-10-17 09:02:20 -0700 | [diff] [blame] | 1805 | // init_message begins a new handshake message of type |type|. |cbb| is the |
| 1806 | // root CBB to be passed into |finish_message|. |*body| is set to a child CBB |
Robert Sloan | 3627296 | 2017-10-23 10:28:39 -0700 | [diff] [blame] | 1807 | // the caller should write to. It returns true on success and false on error. |
| 1808 | bool (*init_message)(SSL *ssl, CBB *cbb, CBB *body, uint8_t type); |
Robert Sloan | 921ef2c | 2017-10-17 09:02:20 -0700 | [diff] [blame] | 1809 | // finish_message finishes a handshake message. It sets |*out_msg| to the |
Robert Sloan | 3627296 | 2017-10-23 10:28:39 -0700 | [diff] [blame] | 1810 | // serialized message. It returns true on success and false on error. |
| 1811 | bool (*finish_message)(SSL *ssl, CBB *cbb, bssl::Array<uint8_t> *out_msg); |
| 1812 | // add_message adds a handshake message to the pending flight. It returns |
| 1813 | // true on success and false on error. |
| 1814 | bool (*add_message)(SSL *ssl, bssl::Array<uint8_t> msg); |
Robert Sloan | 921ef2c | 2017-10-17 09:02:20 -0700 | [diff] [blame] | 1815 | // add_change_cipher_spec adds a ChangeCipherSpec record to the pending |
Robert Sloan | 3627296 | 2017-10-23 10:28:39 -0700 | [diff] [blame] | 1816 | // flight. It returns true on success and false on error. |
| 1817 | bool (*add_change_cipher_spec)(SSL *ssl); |
| 1818 | // add_alert adds an alert to the pending flight. It returns true on success |
| 1819 | // and false on error. |
| 1820 | bool (*add_alert)(SSL *ssl, uint8_t level, uint8_t desc); |
Robert Sloan | 921ef2c | 2017-10-17 09:02:20 -0700 | [diff] [blame] | 1821 | // flush_flight flushes the pending flight to the transport. It returns one on |
| 1822 | // success and <= 0 on error. |
| 1823 | int (*flush_flight)(SSL *ssl); |
| 1824 | // on_handshake_complete is called when the handshake is complete. |
| 1825 | void (*on_handshake_complete)(SSL *ssl); |
| 1826 | // set_read_state sets |ssl|'s read cipher state to |aead_ctx|. It returns |
Robert Sloan | 3627296 | 2017-10-23 10:28:39 -0700 | [diff] [blame] | 1827 | // true on success and false if changing the read state is forbidden at this |
Robert Sloan | 921ef2c | 2017-10-17 09:02:20 -0700 | [diff] [blame] | 1828 | // point. |
Robert Sloan | 3627296 | 2017-10-23 10:28:39 -0700 | [diff] [blame] | 1829 | bool (*set_read_state)(SSL *ssl, UniquePtr<SSLAEADContext> aead_ctx); |
Robert Sloan | 921ef2c | 2017-10-17 09:02:20 -0700 | [diff] [blame] | 1830 | // set_write_state sets |ssl|'s write cipher state to |aead_ctx|. It returns |
Robert Sloan | 3627296 | 2017-10-23 10:28:39 -0700 | [diff] [blame] | 1831 | // true on success and false if changing the write state is forbidden at this |
Robert Sloan | 921ef2c | 2017-10-17 09:02:20 -0700 | [diff] [blame] | 1832 | // point. |
Robert Sloan | 3627296 | 2017-10-23 10:28:39 -0700 | [diff] [blame] | 1833 | bool (*set_write_state)(SSL *ssl, UniquePtr<SSLAEADContext> aead_ctx); |
Robert Sloan | 921ef2c | 2017-10-17 09:02:20 -0700 | [diff] [blame] | 1834 | }; |
| 1835 | |
Robert Sloan | 3627296 | 2017-10-23 10:28:39 -0700 | [diff] [blame] | 1836 | // The following wrappers call |open_*| but handle |read_shutdown| correctly. |
| 1837 | |
| 1838 | // ssl_open_handshake processes a record from |in| for reading a handshake |
| 1839 | // message. |
| 1840 | ssl_open_record_t ssl_open_handshake(SSL *ssl, size_t *out_consumed, |
| 1841 | uint8_t *out_alert, Span<uint8_t> in); |
| 1842 | |
| 1843 | // ssl_open_change_cipher_spec processes a record from |in| for reading a |
| 1844 | // ChangeCipherSpec. |
| 1845 | ssl_open_record_t ssl_open_change_cipher_spec(SSL *ssl, size_t *out_consumed, |
| 1846 | uint8_t *out_alert, |
| 1847 | Span<uint8_t> in); |
| 1848 | |
| 1849 | // ssl_open_app_data processes a record from |in| for reading application data. |
| 1850 | // On success, it returns |ssl_open_record_success| and sets |*out| to the |
| 1851 | // input. If it encounters a post-handshake message, it returns |
| 1852 | // |ssl_open_record_discard|. The caller should then retry, after processing any |
| 1853 | // messages received with |get_message|. |
| 1854 | ssl_open_record_t ssl_open_app_data(SSL *ssl, Span<uint8_t> *out, |
| 1855 | size_t *out_consumed, uint8_t *out_alert, |
| 1856 | Span<uint8_t> in); |
| 1857 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 1858 | // ssl_crypto_x509_method provides the |SSL_X509_METHOD| functions using |
| 1859 | // crypto/x509. |
Robert Sloan | b6d070c | 2017-07-24 08:40:01 -0700 | [diff] [blame] | 1860 | extern const SSL_X509_METHOD ssl_crypto_x509_method; |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 1861 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 1862 | // ssl_noop_x509_method provides the |SSL_X509_METHOD| functions that avoid |
| 1863 | // crypto/x509. |
Robert Sloan | 8437709 | 2017-08-14 09:33:19 -0700 | [diff] [blame] | 1864 | extern const SSL_X509_METHOD ssl_noop_x509_method; |
| 1865 | |
Robert Sloan | 921ef2c | 2017-10-17 09:02:20 -0700 | [diff] [blame] | 1866 | // ssl_cipher_preference_list_st contains a list of SSL_CIPHERs with |
| 1867 | // equal-preference groups. For TLS clients, the groups are moot because the |
| 1868 | // server picks the cipher and groups cannot be expressed on the wire. However, |
| 1869 | // for servers, the equal-preference groups allow the client's preferences to |
| 1870 | // be partially respected. (This only has an effect with |
| 1871 | // SSL_OP_CIPHER_SERVER_PREFERENCE). |
| 1872 | // |
| 1873 | // The equal-preference groups are expressed by grouping SSL_CIPHERs together. |
| 1874 | // All elements of a group have the same priority: no ordering is expressed |
| 1875 | // within a group. |
| 1876 | // |
| 1877 | // The values in |ciphers| are in one-to-one correspondence with |
| 1878 | // |in_group_flags|. (That is, sk_SSL_CIPHER_num(ciphers) is the number of |
| 1879 | // bytes in |in_group_flags|.) The bytes in |in_group_flags| are either 1, to |
| 1880 | // indicate that the corresponding SSL_CIPHER is not the last element of a |
| 1881 | // group, or 0 to indicate that it is. |
| 1882 | // |
| 1883 | // For example, if |in_group_flags| contains all zeros then that indicates a |
| 1884 | // traditional, fully-ordered preference. Every SSL_CIPHER is the last element |
| 1885 | // of the group (i.e. they are all in a one-element group). |
| 1886 | // |
| 1887 | // For a more complex example, consider: |
| 1888 | // ciphers: A B C D E F |
| 1889 | // in_group_flags: 1 1 0 0 1 0 |
| 1890 | // |
| 1891 | // That would express the following, order: |
| 1892 | // |
| 1893 | // A E |
| 1894 | // B -> D -> F |
| 1895 | // C |
| 1896 | struct ssl_cipher_preference_list_st { |
| 1897 | STACK_OF(SSL_CIPHER) *ciphers; |
| 1898 | uint8_t *in_group_flags; |
| 1899 | }; |
| 1900 | |
| 1901 | struct tlsext_ticket_key { |
| 1902 | static constexpr bool kAllowUniquePtr = true; |
| 1903 | |
| 1904 | uint8_t name[SSL_TICKET_KEY_NAME_LEN]; |
| 1905 | uint8_t hmac_key[16]; |
| 1906 | uint8_t aes_key[16]; |
| 1907 | // next_rotation_tv_sec is the time (in seconds from the epoch) when the |
| 1908 | // current key should be superseded by a new key, or the time when a previous |
| 1909 | // key should be dropped. If zero, then the key should not be automatically |
| 1910 | // rotated. |
| 1911 | uint64_t next_rotation_tv_sec; |
| 1912 | }; |
| 1913 | |
| 1914 | } // namespace bssl |
| 1915 | |
| 1916 | DECLARE_LHASH_OF(SSL_SESSION) |
| 1917 | |
| 1918 | namespace bssl { |
| 1919 | |
| 1920 | // SSLContext backs the public |SSL_CTX| type. Due to compatibility constraints, |
| 1921 | // it is a base class for |ssl_ctx_st|. |
| 1922 | struct SSLContext { |
| 1923 | const SSL_PROTOCOL_METHOD *method; |
| 1924 | const SSL_X509_METHOD *x509_method; |
| 1925 | |
| 1926 | // lock is used to protect various operations on this object. |
| 1927 | CRYPTO_MUTEX lock; |
| 1928 | |
| 1929 | // conf_max_version is the maximum acceptable protocol version configured by |
| 1930 | // |SSL_CTX_set_max_proto_version|. Note this version is normalized in DTLS |
| 1931 | // and is further constrainted by |SSL_OP_NO_*|. |
| 1932 | uint16_t conf_max_version; |
| 1933 | |
| 1934 | // conf_min_version is the minimum acceptable protocol version configured by |
| 1935 | // |SSL_CTX_set_min_proto_version|. Note this version is normalized in DTLS |
| 1936 | // and is further constrainted by |SSL_OP_NO_*|. |
| 1937 | uint16_t conf_min_version; |
| 1938 | |
| 1939 | // tls13_variant is the variant of TLS 1.3 we are using for this |
| 1940 | // configuration. |
| 1941 | enum tls13_variant_t tls13_variant; |
| 1942 | |
| 1943 | struct ssl_cipher_preference_list_st *cipher_list; |
| 1944 | |
| 1945 | X509_STORE *cert_store; |
| 1946 | LHASH_OF(SSL_SESSION) *sessions; |
| 1947 | // Most session-ids that will be cached, default is |
| 1948 | // SSL_SESSION_CACHE_MAX_SIZE_DEFAULT. 0 is unlimited. |
| 1949 | unsigned long session_cache_size; |
| 1950 | SSL_SESSION *session_cache_head; |
| 1951 | SSL_SESSION *session_cache_tail; |
| 1952 | |
| 1953 | // handshakes_since_cache_flush is the number of successful handshakes since |
| 1954 | // the last cache flush. |
| 1955 | int handshakes_since_cache_flush; |
| 1956 | |
| 1957 | // This can have one of 2 values, ored together, |
| 1958 | // SSL_SESS_CACHE_CLIENT, |
| 1959 | // SSL_SESS_CACHE_SERVER, |
| 1960 | // Default is SSL_SESSION_CACHE_SERVER, which means only |
| 1961 | // SSL_accept which cache SSL_SESSIONS. |
| 1962 | int session_cache_mode; |
| 1963 | |
| 1964 | // session_timeout is the default lifetime for new sessions in TLS 1.2 and |
| 1965 | // earlier, in seconds. |
| 1966 | uint32_t session_timeout; |
| 1967 | |
| 1968 | // session_psk_dhe_timeout is the default lifetime for new sessions in TLS |
| 1969 | // 1.3, in seconds. |
| 1970 | uint32_t session_psk_dhe_timeout; |
| 1971 | |
| 1972 | // If this callback is not null, it will be called each time a session id is |
| 1973 | // added to the cache. If this function returns 1, it means that the |
| 1974 | // callback will do a SSL_SESSION_free() when it has finished using it. |
| 1975 | // Otherwise, on 0, it means the callback has finished with it. If |
| 1976 | // remove_session_cb is not null, it will be called when a session-id is |
| 1977 | // removed from the cache. After the call, OpenSSL will SSL_SESSION_free() |
| 1978 | // it. |
| 1979 | int (*new_session_cb)(SSL *ssl, SSL_SESSION *sess); |
| 1980 | void (*remove_session_cb)(SSL_CTX *ctx, SSL_SESSION *sess); |
| 1981 | SSL_SESSION *(*get_session_cb)(SSL *ssl, const uint8_t *data, int len, |
| 1982 | int *copy); |
| 1983 | SSL_SESSION *(*get_session_cb_legacy)(SSL *ssl, uint8_t *data, int len, |
| 1984 | int *copy); |
| 1985 | |
| 1986 | CRYPTO_refcount_t references; |
| 1987 | |
| 1988 | // if defined, these override the X509_verify_cert() calls |
| 1989 | int (*app_verify_callback)(X509_STORE_CTX *store_ctx, void *arg); |
| 1990 | void *app_verify_arg; |
| 1991 | |
| 1992 | enum ssl_verify_result_t (*custom_verify_callback)(SSL *ssl, |
| 1993 | uint8_t *out_alert); |
| 1994 | |
| 1995 | // Default password callback. |
| 1996 | pem_password_cb *default_passwd_callback; |
| 1997 | |
| 1998 | // Default password callback user data. |
| 1999 | void *default_passwd_callback_userdata; |
| 2000 | |
| 2001 | // get client cert callback |
| 2002 | int (*client_cert_cb)(SSL *ssl, X509 **out_x509, EVP_PKEY **out_pkey); |
| 2003 | |
| 2004 | // get channel id callback |
| 2005 | void (*channel_id_cb)(SSL *ssl, EVP_PKEY **out_pkey); |
| 2006 | |
| 2007 | CRYPTO_EX_DATA ex_data; |
| 2008 | |
| 2009 | // custom_*_extensions stores any callback sets for custom extensions. Note |
| 2010 | // that these pointers will be NULL if the stack would otherwise be empty. |
| 2011 | STACK_OF(SSL_CUSTOM_EXTENSION) *client_custom_extensions; |
| 2012 | STACK_OF(SSL_CUSTOM_EXTENSION) *server_custom_extensions; |
| 2013 | |
| 2014 | // Default values used when no per-SSL value is defined follow |
| 2015 | |
| 2016 | void (*info_callback)(const SSL *ssl, int type, int value); |
| 2017 | |
| 2018 | // what we put in client cert requests |
| 2019 | STACK_OF(CRYPTO_BUFFER) *client_CA; |
| 2020 | |
| 2021 | // cached_x509_client_CA is a cache of parsed versions of the elements of |
| 2022 | // |client_CA|. |
| 2023 | STACK_OF(X509_NAME) *cached_x509_client_CA; |
| 2024 | |
| 2025 | |
| 2026 | // Default values to use in SSL structures follow (these are copied by |
| 2027 | // SSL_new) |
| 2028 | |
| 2029 | uint32_t options; |
| 2030 | uint32_t mode; |
| 2031 | uint32_t max_cert_list; |
| 2032 | |
| 2033 | CERT *cert; |
| 2034 | |
| 2035 | // callback that allows applications to peek at protocol messages |
| 2036 | void (*msg_callback)(int write_p, int version, int content_type, |
| 2037 | const void *buf, size_t len, SSL *ssl, void *arg); |
| 2038 | void *msg_callback_arg; |
| 2039 | |
| 2040 | int verify_mode; |
| 2041 | int (*default_verify_callback)( |
| 2042 | int ok, X509_STORE_CTX *ctx); // called 'verify_callback' in the SSL |
| 2043 | |
| 2044 | X509_VERIFY_PARAM *param; |
| 2045 | |
| 2046 | // select_certificate_cb is called before most ClientHello processing and |
| 2047 | // before the decision whether to resume a session is made. See |
| 2048 | // |ssl_select_cert_result_t| for details of the return values. |
| 2049 | enum ssl_select_cert_result_t (*select_certificate_cb)( |
| 2050 | const SSL_CLIENT_HELLO *); |
| 2051 | |
| 2052 | // dos_protection_cb is called once the resumption decision for a ClientHello |
| 2053 | // has been made. It returns one to continue the handshake or zero to |
| 2054 | // abort. |
| 2055 | int (*dos_protection_cb) (const SSL_CLIENT_HELLO *); |
| 2056 | |
| 2057 | // Maximum amount of data to send in one fragment. actual record size can be |
| 2058 | // more than this due to padding and MAC overheads. |
| 2059 | uint16_t max_send_fragment; |
| 2060 | |
| 2061 | // TLS extensions servername callback |
| 2062 | int (*tlsext_servername_callback)(SSL *, int *, void *); |
| 2063 | void *tlsext_servername_arg; |
| 2064 | |
| 2065 | // RFC 4507 session ticket keys. |tlsext_ticket_key_current| may be NULL |
| 2066 | // before the first handshake and |tlsext_ticket_key_prev| may be NULL at any |
| 2067 | // time. Automatically generated ticket keys are rotated as needed at |
| 2068 | // handshake time. Hence, all access must be synchronized through |lock|. |
| 2069 | struct tlsext_ticket_key *tlsext_ticket_key_current; |
| 2070 | struct tlsext_ticket_key *tlsext_ticket_key_prev; |
| 2071 | |
| 2072 | // Callback to support customisation of ticket key setting |
| 2073 | int (*tlsext_ticket_key_cb)(SSL *ssl, uint8_t *name, uint8_t *iv, |
| 2074 | EVP_CIPHER_CTX *ectx, HMAC_CTX *hctx, int enc); |
| 2075 | |
| 2076 | // Server-only: psk_identity_hint is the default identity hint to send in |
| 2077 | // PSK-based key exchanges. |
| 2078 | char *psk_identity_hint; |
| 2079 | |
| 2080 | unsigned int (*psk_client_callback)(SSL *ssl, const char *hint, |
| 2081 | char *identity, |
| 2082 | unsigned int max_identity_len, |
| 2083 | uint8_t *psk, unsigned int max_psk_len); |
| 2084 | unsigned int (*psk_server_callback)(SSL *ssl, const char *identity, |
| 2085 | uint8_t *psk, unsigned int max_psk_len); |
| 2086 | |
| 2087 | |
| 2088 | // Next protocol negotiation information |
| 2089 | // (for experimental NPN extension). |
| 2090 | |
| 2091 | // For a server, this contains a callback function by which the set of |
| 2092 | // advertised protocols can be provided. |
| 2093 | int (*next_protos_advertised_cb)(SSL *ssl, const uint8_t **out, |
| 2094 | unsigned *out_len, void *arg); |
| 2095 | void *next_protos_advertised_cb_arg; |
| 2096 | // For a client, this contains a callback function that selects the |
| 2097 | // next protocol from the list provided by the server. |
| 2098 | int (*next_proto_select_cb)(SSL *ssl, uint8_t **out, uint8_t *out_len, |
| 2099 | const uint8_t *in, unsigned in_len, void *arg); |
| 2100 | void *next_proto_select_cb_arg; |
| 2101 | |
| 2102 | // ALPN information |
| 2103 | // (we are in the process of transitioning from NPN to ALPN.) |
| 2104 | |
| 2105 | // For a server, this contains a callback function that allows the |
| 2106 | // server to select the protocol for the connection. |
| 2107 | // out: on successful return, this must point to the raw protocol |
| 2108 | // name (without the length prefix). |
| 2109 | // outlen: on successful return, this contains the length of |*out|. |
| 2110 | // in: points to the client's list of supported protocols in |
| 2111 | // wire-format. |
| 2112 | // inlen: the length of |in|. |
| 2113 | int (*alpn_select_cb)(SSL *ssl, const uint8_t **out, uint8_t *out_len, |
| 2114 | const uint8_t *in, unsigned in_len, void *arg); |
| 2115 | void *alpn_select_cb_arg; |
| 2116 | |
| 2117 | // For a client, this contains the list of supported protocols in wire |
| 2118 | // format. |
| 2119 | uint8_t *alpn_client_proto_list; |
| 2120 | unsigned alpn_client_proto_list_len; |
| 2121 | |
| 2122 | // SRTP profiles we are willing to do from RFC 5764 |
| 2123 | STACK_OF(SRTP_PROTECTION_PROFILE) *srtp_profiles; |
| 2124 | |
| 2125 | // Supported group values inherited by SSL structure |
| 2126 | size_t supported_group_list_len; |
| 2127 | uint16_t *supported_group_list; |
| 2128 | |
| 2129 | // The client's Channel ID private key. |
| 2130 | EVP_PKEY *tlsext_channel_id_private; |
| 2131 | |
| 2132 | // keylog_callback, if not NULL, is the key logging callback. See |
| 2133 | // |SSL_CTX_set_keylog_callback|. |
| 2134 | void (*keylog_callback)(const SSL *ssl, const char *line); |
| 2135 | |
| 2136 | // current_time_cb, if not NULL, is the function to use to get the current |
| 2137 | // time. It sets |*out_clock| to the current time. The |ssl| argument is |
| 2138 | // always NULL. See |SSL_CTX_set_current_time_cb|. |
| 2139 | void (*current_time_cb)(const SSL *ssl, struct timeval *out_clock); |
| 2140 | |
| 2141 | // pool is used for all |CRYPTO_BUFFER|s in case we wish to share certificate |
| 2142 | // memory. |
| 2143 | CRYPTO_BUFFER_POOL *pool; |
| 2144 | |
| 2145 | // ticket_aead_method contains function pointers for opening and sealing |
| 2146 | // session tickets. |
| 2147 | const SSL_TICKET_AEAD_METHOD *ticket_aead_method; |
| 2148 | |
| 2149 | // verify_sigalgs, if not empty, is the set of signature algorithms |
| 2150 | // accepted from the peer in decreasing order of preference. |
| 2151 | uint16_t *verify_sigalgs; |
| 2152 | size_t num_verify_sigalgs; |
| 2153 | |
| 2154 | // retain_only_sha256_of_client_certs is true if we should compute the SHA256 |
| 2155 | // hash of the peer's certificate and then discard it to save memory and |
| 2156 | // session space. Only effective on the server side. |
| 2157 | bool retain_only_sha256_of_client_certs:1; |
| 2158 | |
| 2159 | // quiet_shutdown is true if the connection should not send a close_notify on |
| 2160 | // shutdown. |
| 2161 | bool quiet_shutdown:1; |
| 2162 | |
| 2163 | // ocsp_stapling_enabled is only used by client connections and indicates |
| 2164 | // whether OCSP stapling will be requested. |
| 2165 | bool ocsp_stapling_enabled:1; |
| 2166 | |
| 2167 | // If true, a client will request certificate timestamps. |
| 2168 | bool signed_cert_timestamps_enabled:1; |
| 2169 | |
Robert Sloan | cd79cde | 2017-12-11 09:06:12 -0800 | [diff] [blame] | 2170 | // tlsext_channel_id_enabled is whether Channel ID is enabled. For a server, |
| 2171 | // means that we'll accept Channel IDs from clients. For a client, means that |
| 2172 | // we'll advertise support. |
Robert Sloan | 921ef2c | 2017-10-17 09:02:20 -0700 | [diff] [blame] | 2173 | bool tlsext_channel_id_enabled:1; |
| 2174 | |
Robert Sloan | cd79cde | 2017-12-11 09:06:12 -0800 | [diff] [blame] | 2175 | // grease_enabled is whether draft-davidben-tls-grease-01 is enabled. |
Robert Sloan | 921ef2c | 2017-10-17 09:02:20 -0700 | [diff] [blame] | 2176 | bool grease_enabled:1; |
| 2177 | |
Robert Sloan | cd79cde | 2017-12-11 09:06:12 -0800 | [diff] [blame] | 2178 | // allow_unknown_alpn_protos is whether the client allows unsolicited ALPN |
Robert Sloan | 921ef2c | 2017-10-17 09:02:20 -0700 | [diff] [blame] | 2179 | // protocols from the peer. |
| 2180 | bool allow_unknown_alpn_protos:1; |
| 2181 | |
Robert Sloan | cd79cde | 2017-12-11 09:06:12 -0800 | [diff] [blame] | 2182 | // ed25519_enabled is whether Ed25519 is advertised in the handshake. |
Robert Sloan | 921ef2c | 2017-10-17 09:02:20 -0700 | [diff] [blame] | 2183 | bool ed25519_enabled:1; |
Robert Sloan | cd79cde | 2017-12-11 09:06:12 -0800 | [diff] [blame] | 2184 | |
| 2185 | // false_start_allowed_without_alpn is whether False Start (if |
| 2186 | // |SSL_MODE_ENABLE_FALSE_START| is enabled) is allowed without ALPN. |
| 2187 | bool false_start_allowed_without_alpn:1; |
Robert Sloan | 921ef2c | 2017-10-17 09:02:20 -0700 | [diff] [blame] | 2188 | }; |
| 2189 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 2190 | // An ssl_shutdown_t describes the shutdown state of one end of the connection, |
| 2191 | // whether it is alive or has been shutdown via close_notify or fatal alert. |
David Benjamin | 95add82 | 2016-10-19 01:09:12 -0400 | [diff] [blame] | 2192 | enum ssl_shutdown_t { |
| 2193 | ssl_shutdown_none = 0, |
| 2194 | ssl_shutdown_close_notify = 1, |
Robert Sloan | 3627296 | 2017-10-23 10:28:39 -0700 | [diff] [blame] | 2195 | ssl_shutdown_error = 2, |
David Benjamin | 95add82 | 2016-10-19 01:09:12 -0400 | [diff] [blame] | 2196 | }; |
| 2197 | |
Robert Sloan | b6d070c | 2017-07-24 08:40:01 -0700 | [diff] [blame] | 2198 | struct SSL3_STATE { |
Robert Sloan | 29c1d2c | 2017-10-30 14:10:28 -0700 | [diff] [blame] | 2199 | static constexpr bool kAllowUniquePtr = true; |
David Benjamin | 95add82 | 2016-10-19 01:09:12 -0400 | [diff] [blame] | 2200 | |
Robert Sloan | 29c1d2c | 2017-10-30 14:10:28 -0700 | [diff] [blame] | 2201 | SSL3_STATE(); |
| 2202 | ~SSL3_STATE(); |
| 2203 | |
| 2204 | uint8_t read_sequence[8] = {0}; |
| 2205 | uint8_t write_sequence[8] = {0}; |
| 2206 | |
| 2207 | uint8_t server_random[SSL3_RANDOM_SIZE] = {0}; |
| 2208 | uint8_t client_random[SSL3_RANDOM_SIZE] = {0}; |
David Benjamin | 95add82 | 2016-10-19 01:09:12 -0400 | [diff] [blame] | 2209 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 2210 | // read_buffer holds data from the transport to be processed. |
Robert Sloan | 29c1d2c | 2017-10-30 14:10:28 -0700 | [diff] [blame] | 2211 | SSLBuffer read_buffer; |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 2212 | // write_buffer holds data to be written to the transport. |
Robert Sloan | 29c1d2c | 2017-10-30 14:10:28 -0700 | [diff] [blame] | 2213 | SSLBuffer write_buffer; |
David Benjamin | 95add82 | 2016-10-19 01:09:12 -0400 | [diff] [blame] | 2214 | |
Robert Sloan | 3627296 | 2017-10-23 10:28:39 -0700 | [diff] [blame] | 2215 | // pending_app_data is the unconsumed application data. It points into |
| 2216 | // |read_buffer|. |
| 2217 | Span<uint8_t> pending_app_data; |
David Benjamin | 95add82 | 2016-10-19 01:09:12 -0400 | [diff] [blame] | 2218 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 2219 | // partial write - check the numbers match |
Robert Sloan | 29c1d2c | 2017-10-30 14:10:28 -0700 | [diff] [blame] | 2220 | unsigned int wnum = 0; // number of bytes sent so far |
| 2221 | int wpend_tot = 0; // number bytes written |
| 2222 | int wpend_type = 0; |
| 2223 | int wpend_ret = 0; // number of bytes submitted |
| 2224 | const uint8_t *wpend_buf = nullptr; |
David Benjamin | 95add82 | 2016-10-19 01:09:12 -0400 | [diff] [blame] | 2225 | |
Robert Sloan | 921ef2c | 2017-10-17 09:02:20 -0700 | [diff] [blame] | 2226 | // read_shutdown is the shutdown state for the read half of the connection. |
Robert Sloan | 29c1d2c | 2017-10-30 14:10:28 -0700 | [diff] [blame] | 2227 | enum ssl_shutdown_t read_shutdown = ssl_shutdown_none; |
David Benjamin | 95add82 | 2016-10-19 01:09:12 -0400 | [diff] [blame] | 2228 | |
Robert Sloan | 921ef2c | 2017-10-17 09:02:20 -0700 | [diff] [blame] | 2229 | // write_shutdown is the shutdown state for the write half of the connection. |
Robert Sloan | 29c1d2c | 2017-10-30 14:10:28 -0700 | [diff] [blame] | 2230 | enum ssl_shutdown_t write_shutdown = ssl_shutdown_none; |
David Benjamin | 95add82 | 2016-10-19 01:09:12 -0400 | [diff] [blame] | 2231 | |
Robert Sloan | 3627296 | 2017-10-23 10:28:39 -0700 | [diff] [blame] | 2232 | // read_error, if |read_shutdown| is |ssl_shutdown_error|, is the error for |
| 2233 | // the receive half of the connection. |
Robert Sloan | 29c1d2c | 2017-10-30 14:10:28 -0700 | [diff] [blame] | 2234 | UniquePtr<ERR_SAVE_STATE> read_error; |
Robert Sloan | 3627296 | 2017-10-23 10:28:39 -0700 | [diff] [blame] | 2235 | |
Robert Sloan | 29c1d2c | 2017-10-30 14:10:28 -0700 | [diff] [blame] | 2236 | int alert_dispatch = 0; |
David Benjamin | 95add82 | 2016-10-19 01:09:12 -0400 | [diff] [blame] | 2237 | |
Robert Sloan | 29c1d2c | 2017-10-30 14:10:28 -0700 | [diff] [blame] | 2238 | int total_renegotiations = 0; |
| 2239 | |
| 2240 | // This holds a variable that indicates what we were doing when a 0 or -1 is |
| 2241 | // returned. This is needed for non-blocking IO so we know what request |
| 2242 | // needs re-doing when in SSL_accept or SSL_connect |
| 2243 | int rwstate = SSL_NOTHING; |
David Benjamin | 95add82 | 2016-10-19 01:09:12 -0400 | [diff] [blame] | 2244 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 2245 | // early_data_skipped is the amount of early data that has been skipped by the |
| 2246 | // record layer. |
Robert Sloan | 29c1d2c | 2017-10-30 14:10:28 -0700 | [diff] [blame] | 2247 | uint16_t early_data_skipped = 0; |
David Benjamin | 1b24967 | 2016-12-06 18:25:50 -0500 | [diff] [blame] | 2248 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 2249 | // empty_record_count is the number of consecutive empty records received. |
Robert Sloan | 29c1d2c | 2017-10-30 14:10:28 -0700 | [diff] [blame] | 2250 | uint8_t empty_record_count = 0; |
David Benjamin | 95add82 | 2016-10-19 01:09:12 -0400 | [diff] [blame] | 2251 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 2252 | // warning_alert_count is the number of consecutive warning alerts |
| 2253 | // received. |
Robert Sloan | 29c1d2c | 2017-10-30 14:10:28 -0700 | [diff] [blame] | 2254 | uint8_t warning_alert_count = 0; |
David Benjamin | 95add82 | 2016-10-19 01:09:12 -0400 | [diff] [blame] | 2255 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 2256 | // key_update_count is the number of consecutive KeyUpdates received. |
Robert Sloan | 29c1d2c | 2017-10-30 14:10:28 -0700 | [diff] [blame] | 2257 | uint8_t key_update_count = 0; |
David Benjamin | 95add82 | 2016-10-19 01:09:12 -0400 | [diff] [blame] | 2258 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 2259 | // skip_early_data instructs the record layer to skip unexpected early data |
| 2260 | // messages when 0RTT is rejected. |
| 2261 | bool skip_early_data:1; |
David Benjamin | 1b24967 | 2016-12-06 18:25:50 -0500 | [diff] [blame] | 2262 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 2263 | // have_version is true if the connection's final version is known. Otherwise |
| 2264 | // the version has not been negotiated yet. |
| 2265 | bool have_version:1; |
David Benjamin | 1b24967 | 2016-12-06 18:25:50 -0500 | [diff] [blame] | 2266 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 2267 | // v2_hello_done is true if the peer's V2ClientHello, if any, has been handled |
| 2268 | // and future messages should use the record layer. |
| 2269 | bool v2_hello_done:1; |
David Benjamin | 1b24967 | 2016-12-06 18:25:50 -0500 | [diff] [blame] | 2270 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 2271 | // is_v2_hello is true if the current handshake message was derived from a |
| 2272 | // V2ClientHello rather than received from the peer directly. |
| 2273 | bool is_v2_hello:1; |
Robert Sloan | 4d1ac50 | 2017-02-06 08:36:14 -0800 | [diff] [blame] | 2274 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 2275 | // has_message is true if the current handshake message has been returned |
| 2276 | // at least once by |get_message| and false otherwise. |
| 2277 | bool has_message:1; |
Robert Sloan | 8437709 | 2017-08-14 09:33:19 -0700 | [diff] [blame] | 2278 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 2279 | // initial_handshake_complete is true if the initial handshake has |
| 2280 | // completed. |
| 2281 | bool initial_handshake_complete:1; |
David Benjamin | 1b24967 | 2016-12-06 18:25:50 -0500 | [diff] [blame] | 2282 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 2283 | // session_reused indicates whether a session was resumed. |
| 2284 | bool session_reused:1; |
David Benjamin | 1b24967 | 2016-12-06 18:25:50 -0500 | [diff] [blame] | 2285 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 2286 | bool send_connection_binding:1; |
David Benjamin | 1b24967 | 2016-12-06 18:25:50 -0500 | [diff] [blame] | 2287 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 2288 | // In a client, this means that the server supported Channel ID and that a |
| 2289 | // Channel ID was sent. In a server it means that we echoed support for |
| 2290 | // Channel IDs and that tlsext_channel_id will be valid after the |
| 2291 | // handshake. |
| 2292 | bool tlsext_channel_id_valid:1; |
David Benjamin | 1b24967 | 2016-12-06 18:25:50 -0500 | [diff] [blame] | 2293 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 2294 | // key_update_pending is true if we have a KeyUpdate acknowledgment |
| 2295 | // outstanding. |
| 2296 | bool key_update_pending:1; |
Robert Sloan | 572a4e2 | 2017-04-17 10:52:19 -0700 | [diff] [blame] | 2297 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 2298 | // wpend_pending is true if we have a pending write outstanding. |
| 2299 | bool wpend_pending:1; |
Robert Sloan | e56da3e | 2017-06-26 08:26:42 -0700 | [diff] [blame] | 2300 | |
Robert Sloan | 0da4395 | 2018-01-03 15:13:14 -0800 | [diff] [blame] | 2301 | // early_data_accepted is true if early data was accepted by the server. |
| 2302 | bool early_data_accepted:1; |
| 2303 | |
| 2304 | // draft_downgrade is whether the TLS 1.3 anti-downgrade logic would have |
| 2305 | // fired, were it not a draft. |
| 2306 | bool draft_downgrade:1; |
| 2307 | |
Robert Sloan | 29c1d2c | 2017-10-30 14:10:28 -0700 | [diff] [blame] | 2308 | // hs_buf is the buffer of handshake data to process. |
| 2309 | UniquePtr<BUF_MEM> hs_buf; |
David Benjamin | 1b24967 | 2016-12-06 18:25:50 -0500 | [diff] [blame] | 2310 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 2311 | // pending_flight is the pending outgoing flight. This is used to flush each |
| 2312 | // handshake flight in a single write. |write_buffer| must be written out |
| 2313 | // before this data. |
Robert Sloan | 29c1d2c | 2017-10-30 14:10:28 -0700 | [diff] [blame] | 2314 | UniquePtr<BUF_MEM> pending_flight; |
Robert Sloan | 4d1ac50 | 2017-02-06 08:36:14 -0800 | [diff] [blame] | 2315 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 2316 | // pending_flight_offset is the number of bytes of |pending_flight| which have |
| 2317 | // been successfully written. |
Robert Sloan | 29c1d2c | 2017-10-30 14:10:28 -0700 | [diff] [blame] | 2318 | uint32_t pending_flight_offset = 0; |
David Benjamin | 1b24967 | 2016-12-06 18:25:50 -0500 | [diff] [blame] | 2319 | |
Robert Sloan | a450c92 | 2018-01-08 10:35:32 -0800 | [diff] [blame] | 2320 | // ticket_age_skew is the difference, in seconds, between the client-sent |
| 2321 | // ticket age and the server-computed value in TLS 1.3 server connections |
| 2322 | // which resumed a session. |
| 2323 | int32_t ticket_age_skew = 0; |
| 2324 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 2325 | // aead_read_ctx is the current read cipher state. |
Robert Sloan | 29c1d2c | 2017-10-30 14:10:28 -0700 | [diff] [blame] | 2326 | UniquePtr<SSLAEADContext> aead_read_ctx; |
David Benjamin | 95add82 | 2016-10-19 01:09:12 -0400 | [diff] [blame] | 2327 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 2328 | // aead_write_ctx is the current write cipher state. |
Robert Sloan | 29c1d2c | 2017-10-30 14:10:28 -0700 | [diff] [blame] | 2329 | UniquePtr<SSLAEADContext> aead_write_ctx; |
David Benjamin | 95add82 | 2016-10-19 01:09:12 -0400 | [diff] [blame] | 2330 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 2331 | // hs is the handshake state for the current handshake or NULL if there isn't |
| 2332 | // one. |
Robert Sloan | 29c1d2c | 2017-10-30 14:10:28 -0700 | [diff] [blame] | 2333 | UniquePtr<SSL_HANDSHAKE> hs; |
David Benjamin | 95add82 | 2016-10-19 01:09:12 -0400 | [diff] [blame] | 2334 | |
Robert Sloan | 29c1d2c | 2017-10-30 14:10:28 -0700 | [diff] [blame] | 2335 | uint8_t write_traffic_secret[EVP_MAX_MD_SIZE] = {0}; |
| 2336 | uint8_t read_traffic_secret[EVP_MAX_MD_SIZE] = {0}; |
| 2337 | uint8_t exporter_secret[EVP_MAX_MD_SIZE] = {0}; |
| 2338 | uint8_t early_exporter_secret[EVP_MAX_MD_SIZE] = {0}; |
| 2339 | uint8_t write_traffic_secret_len = 0; |
| 2340 | uint8_t read_traffic_secret_len = 0; |
| 2341 | uint8_t exporter_secret_len = 0; |
| 2342 | uint8_t early_exporter_secret_len = 0; |
David Benjamin | 95add82 | 2016-10-19 01:09:12 -0400 | [diff] [blame] | 2343 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 2344 | // Connection binding to prevent renegotiation attacks |
Robert Sloan | 29c1d2c | 2017-10-30 14:10:28 -0700 | [diff] [blame] | 2345 | uint8_t previous_client_finished[12] = {0}; |
| 2346 | uint8_t previous_client_finished_len = 0; |
| 2347 | uint8_t previous_server_finished_len = 0; |
| 2348 | uint8_t previous_server_finished[12] = {0}; |
David Benjamin | 95add82 | 2016-10-19 01:09:12 -0400 | [diff] [blame] | 2349 | |
Robert Sloan | a450c92 | 2018-01-08 10:35:32 -0800 | [diff] [blame] | 2350 | uint8_t send_alert[2] = {0}; |
| 2351 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 2352 | // established_session is the session established by the connection. This |
| 2353 | // session is only filled upon the completion of the handshake and is |
| 2354 | // immutable. |
Robert Sloan | 29c1d2c | 2017-10-30 14:10:28 -0700 | [diff] [blame] | 2355 | UniquePtr<SSL_SESSION> established_session; |
David Benjamin | 95add82 | 2016-10-19 01:09:12 -0400 | [diff] [blame] | 2356 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 2357 | // Next protocol negotiation. For the client, this is the protocol that we |
| 2358 | // sent in NextProtocol and is set when handling ServerHello extensions. |
| 2359 | // |
| 2360 | // For a server, this is the client's selected_protocol from NextProtocol and |
| 2361 | // is set when handling the NextProtocol message, before the Finished |
| 2362 | // message. |
Robert Sloan | 29c1d2c | 2017-10-30 14:10:28 -0700 | [diff] [blame] | 2363 | Array<uint8_t> next_proto_negotiated; |
David Benjamin | 95add82 | 2016-10-19 01:09:12 -0400 | [diff] [blame] | 2364 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 2365 | // ALPN information |
| 2366 | // (we are in the process of transitioning from NPN to ALPN.) |
David Benjamin | 95add82 | 2016-10-19 01:09:12 -0400 | [diff] [blame] | 2367 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 2368 | // In a server these point to the selected ALPN protocol after the |
| 2369 | // ClientHello has been processed. In a client these contain the protocol |
| 2370 | // that the server selected once the ServerHello has been processed. |
Robert Sloan | 29c1d2c | 2017-10-30 14:10:28 -0700 | [diff] [blame] | 2371 | Array<uint8_t> alpn_selected; |
David Benjamin | 95add82 | 2016-10-19 01:09:12 -0400 | [diff] [blame] | 2372 | |
Robert Sloan | d1d118f | 2017-09-11 09:00:48 -0700 | [diff] [blame] | 2373 | // hostname, on the server, is the value of the SNI extension. |
Robert Sloan | 29c1d2c | 2017-10-30 14:10:28 -0700 | [diff] [blame] | 2374 | UniquePtr<char> hostname; |
Robert Sloan | d1d118f | 2017-09-11 09:00:48 -0700 | [diff] [blame] | 2375 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 2376 | // For a server: |
| 2377 | // If |tlsext_channel_id_valid| is true, then this contains the |
| 2378 | // verified Channel ID from the client: a P256 point, (x,y), where |
| 2379 | // each are big-endian values. |
Robert Sloan | 29c1d2c | 2017-10-30 14:10:28 -0700 | [diff] [blame] | 2380 | uint8_t tlsext_channel_id[64] = {0}; |
Robert Sloan | b6d070c | 2017-07-24 08:40:01 -0700 | [diff] [blame] | 2381 | }; |
David Benjamin | 95add82 | 2016-10-19 01:09:12 -0400 | [diff] [blame] | 2382 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 2383 | // lengths of messages |
Adam Langley | e9ada86 | 2015-05-11 17:20:37 -0700 | [diff] [blame] | 2384 | #define DTLS1_COOKIE_LENGTH 256 |
| 2385 | |
| 2386 | #define DTLS1_RT_HEADER_LENGTH 13 |
| 2387 | |
| 2388 | #define DTLS1_HM_HEADER_LENGTH 12 |
| 2389 | |
| 2390 | #define DTLS1_CCS_HEADER_LENGTH 1 |
| 2391 | |
| 2392 | #define DTLS1_AL_HEADER_LENGTH 2 |
| 2393 | |
Adam Langley | e9ada86 | 2015-05-11 17:20:37 -0700 | [diff] [blame] | 2394 | struct hm_header_st { |
| 2395 | uint8_t type; |
| 2396 | uint32_t msg_len; |
| 2397 | uint16_t seq; |
| 2398 | uint32_t frag_off; |
| 2399 | uint32_t frag_len; |
Adam Langley | e9ada86 | 2015-05-11 17:20:37 -0700 | [diff] [blame] | 2400 | }; |
| 2401 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 2402 | // An hm_fragment is an incoming DTLS message, possibly not yet assembled. |
Robert Sloan | b6d070c | 2017-07-24 08:40:01 -0700 | [diff] [blame] | 2403 | struct hm_fragment { |
Robert Sloan | 29c1d2c | 2017-10-30 14:10:28 -0700 | [diff] [blame] | 2404 | static constexpr bool kAllowUniquePtr = true; |
| 2405 | |
| 2406 | hm_fragment() {} |
| 2407 | hm_fragment(const hm_fragment &) = delete; |
| 2408 | hm_fragment &operator=(const hm_fragment &) = delete; |
| 2409 | |
| 2410 | ~hm_fragment(); |
| 2411 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 2412 | // type is the type of the message. |
Robert Sloan | 29c1d2c | 2017-10-30 14:10:28 -0700 | [diff] [blame] | 2413 | uint8_t type = 0; |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 2414 | // seq is the sequence number of this message. |
Robert Sloan | 29c1d2c | 2017-10-30 14:10:28 -0700 | [diff] [blame] | 2415 | uint16_t seq = 0; |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 2416 | // msg_len is the length of the message body. |
Robert Sloan | 29c1d2c | 2017-10-30 14:10:28 -0700 | [diff] [blame] | 2417 | uint32_t msg_len = 0; |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 2418 | // data is a pointer to the message, including message header. It has length |
| 2419 | // |DTLS1_HM_HEADER_LENGTH| + |msg_len|. |
Robert Sloan | 29c1d2c | 2017-10-30 14:10:28 -0700 | [diff] [blame] | 2420 | uint8_t *data = nullptr; |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 2421 | // reassembly is a bitmask of |msg_len| bits corresponding to which parts of |
| 2422 | // the message have been received. It is NULL if the message is complete. |
Robert Sloan | 29c1d2c | 2017-10-30 14:10:28 -0700 | [diff] [blame] | 2423 | uint8_t *reassembly = nullptr; |
Robert Sloan | b6d070c | 2017-07-24 08:40:01 -0700 | [diff] [blame] | 2424 | }; |
Adam Langley | e9ada86 | 2015-05-11 17:20:37 -0700 | [diff] [blame] | 2425 | |
Robert Sloan | 7d422bc | 2017-03-06 10:04:29 -0800 | [diff] [blame] | 2426 | struct OPENSSL_timeval { |
| 2427 | uint64_t tv_sec; |
| 2428 | uint32_t tv_usec; |
| 2429 | }; |
| 2430 | |
Robert Sloan | b6d070c | 2017-07-24 08:40:01 -0700 | [diff] [blame] | 2431 | struct DTLS1_STATE { |
Robert Sloan | 29c1d2c | 2017-10-30 14:10:28 -0700 | [diff] [blame] | 2432 | static constexpr bool kAllowUniquePtr = true; |
| 2433 | |
| 2434 | DTLS1_STATE(); |
| 2435 | ~DTLS1_STATE(); |
| 2436 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 2437 | // has_change_cipher_spec is true if we have received a ChangeCipherSpec from |
| 2438 | // the peer in this epoch. |
Robert Sloan | fe7cd21 | 2017-08-07 09:03:39 -0700 | [diff] [blame] | 2439 | bool has_change_cipher_spec:1; |
| 2440 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 2441 | // outgoing_messages_complete is true if |outgoing_messages| has been |
| 2442 | // completed by an attempt to flush it. Future calls to |add_message| and |
| 2443 | // |add_change_cipher_spec| will start a new flight. |
Robert Sloan | fe7cd21 | 2017-08-07 09:03:39 -0700 | [diff] [blame] | 2444 | bool outgoing_messages_complete:1; |
Adam Langley | e9ada86 | 2015-05-11 17:20:37 -0700 | [diff] [blame] | 2445 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 2446 | // flight_has_reply is true if the current outgoing flight is complete and has |
| 2447 | // processed at least one message. This is used to detect whether we or the |
| 2448 | // peer sent the final flight. |
Robert Sloan | 8f860b1 | 2017-08-28 07:37:06 -0700 | [diff] [blame] | 2449 | bool flight_has_reply:1; |
| 2450 | |
Robert Sloan | 29c1d2c | 2017-10-30 14:10:28 -0700 | [diff] [blame] | 2451 | uint8_t cookie[DTLS1_COOKIE_LENGTH] = {0}; |
| 2452 | size_t cookie_len = 0; |
Adam Langley | e9ada86 | 2015-05-11 17:20:37 -0700 | [diff] [blame] | 2453 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 2454 | // The current data and handshake epoch. This is initially undefined, and |
| 2455 | // starts at zero once the initial handshake is completed. |
Robert Sloan | 29c1d2c | 2017-10-30 14:10:28 -0700 | [diff] [blame] | 2456 | uint16_t r_epoch = 0; |
| 2457 | uint16_t w_epoch = 0; |
Adam Langley | e9ada86 | 2015-05-11 17:20:37 -0700 | [diff] [blame] | 2458 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 2459 | // records being received in the current epoch |
Adam Langley | e9ada86 | 2015-05-11 17:20:37 -0700 | [diff] [blame] | 2460 | DTLS1_BITMAP bitmap; |
| 2461 | |
Robert Sloan | 29c1d2c | 2017-10-30 14:10:28 -0700 | [diff] [blame] | 2462 | uint16_t handshake_write_seq = 0; |
| 2463 | uint16_t handshake_read_seq = 0; |
Adam Langley | e9ada86 | 2015-05-11 17:20:37 -0700 | [diff] [blame] | 2464 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 2465 | // save last sequence number for retransmissions |
Robert Sloan | 29c1d2c | 2017-10-30 14:10:28 -0700 | [diff] [blame] | 2466 | uint8_t last_write_sequence[8] = {0}; |
| 2467 | UniquePtr<SSLAEADContext> last_aead_write_ctx; |
Adam Langley | e9ada86 | 2015-05-11 17:20:37 -0700 | [diff] [blame] | 2468 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 2469 | // incoming_messages is a ring buffer of incoming handshake messages that have |
| 2470 | // yet to be processed. The front of the ring buffer is message number |
| 2471 | // |handshake_read_seq|, at position |handshake_read_seq| % |
| 2472 | // |SSL_MAX_HANDSHAKE_FLIGHT|. |
Robert Sloan | 29c1d2c | 2017-10-30 14:10:28 -0700 | [diff] [blame] | 2473 | UniquePtr<hm_fragment> incoming_messages[SSL_MAX_HANDSHAKE_FLIGHT]; |
Adam Langley | e9ada86 | 2015-05-11 17:20:37 -0700 | [diff] [blame] | 2474 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 2475 | // outgoing_messages is the queue of outgoing messages from the last handshake |
| 2476 | // flight. |
David Benjamin | c895d6b | 2016-08-11 13:26:41 -0400 | [diff] [blame] | 2477 | DTLS_OUTGOING_MESSAGE outgoing_messages[SSL_MAX_HANDSHAKE_FLIGHT]; |
Robert Sloan | 29c1d2c | 2017-10-30 14:10:28 -0700 | [diff] [blame] | 2478 | uint8_t outgoing_messages_len = 0; |
Adam Langley | e9ada86 | 2015-05-11 17:20:37 -0700 | [diff] [blame] | 2479 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 2480 | // outgoing_written is the number of outgoing messages that have been |
| 2481 | // written. |
Robert Sloan | 29c1d2c | 2017-10-30 14:10:28 -0700 | [diff] [blame] | 2482 | uint8_t outgoing_written = 0; |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 2483 | // outgoing_offset is the number of bytes of the next outgoing message have |
| 2484 | // been written. |
Robert Sloan | 29c1d2c | 2017-10-30 14:10:28 -0700 | [diff] [blame] | 2485 | uint32_t outgoing_offset = 0; |
Robert Sloan | 4d1ac50 | 2017-02-06 08:36:14 -0800 | [diff] [blame] | 2486 | |
Robert Sloan | 29c1d2c | 2017-10-30 14:10:28 -0700 | [diff] [blame] | 2487 | unsigned mtu = 0; // max DTLS packet size |
Adam Langley | e9ada86 | 2015-05-11 17:20:37 -0700 | [diff] [blame] | 2488 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 2489 | // num_timeouts is the number of times the retransmit timer has fired since |
| 2490 | // the last time it was reset. |
Robert Sloan | 29c1d2c | 2017-10-30 14:10:28 -0700 | [diff] [blame] | 2491 | unsigned num_timeouts = 0; |
Adam Langley | e9ada86 | 2015-05-11 17:20:37 -0700 | [diff] [blame] | 2492 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 2493 | // Indicates when the last handshake msg or heartbeat sent will |
| 2494 | // timeout. |
Robert Sloan | 29c1d2c | 2017-10-30 14:10:28 -0700 | [diff] [blame] | 2495 | struct OPENSSL_timeval next_timeout = {0, 0}; |
Adam Langley | e9ada86 | 2015-05-11 17:20:37 -0700 | [diff] [blame] | 2496 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 2497 | // timeout_duration_ms is the timeout duration in milliseconds. |
Robert Sloan | 29c1d2c | 2017-10-30 14:10:28 -0700 | [diff] [blame] | 2498 | unsigned timeout_duration_ms = 0; |
Robert Sloan | b6d070c | 2017-07-24 08:40:01 -0700 | [diff] [blame] | 2499 | }; |
Adam Langley | e9ada86 | 2015-05-11 17:20:37 -0700 | [diff] [blame] | 2500 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 2501 | // SSLConnection backs the public |SSL| type. Due to compatibility constraints, |
| 2502 | // it is a base class for |ssl_st|. |
Robert Sloan | b6d070c | 2017-07-24 08:40:01 -0700 | [diff] [blame] | 2503 | struct SSLConnection { |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 2504 | // method is the method table corresponding to the current protocol (DTLS or |
| 2505 | // TLS). |
Robert Sloan | 47f43ed | 2017-02-06 14:55:15 -0800 | [diff] [blame] | 2506 | const SSL_PROTOCOL_METHOD *method; |
| 2507 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 2508 | // version is the protocol version. |
Robert Sloan | f6200e7 | 2017-07-10 08:09:18 -0700 | [diff] [blame] | 2509 | uint16_t version; |
Robert Sloan | 47f43ed | 2017-02-06 14:55:15 -0800 | [diff] [blame] | 2510 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 2511 | // conf_max_version is the maximum acceptable protocol version configured by |
| 2512 | // |SSL_set_max_proto_version|. Note this version is normalized in DTLS and is |
| 2513 | // further constrainted by |SSL_OP_NO_*|. |
Robert Sloan | e56da3e | 2017-06-26 08:26:42 -0700 | [diff] [blame] | 2514 | uint16_t conf_max_version; |
Robert Sloan | 47f43ed | 2017-02-06 14:55:15 -0800 | [diff] [blame] | 2515 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 2516 | // conf_min_version is the minimum acceptable protocol version configured by |
| 2517 | // |SSL_set_min_proto_version|. Note this version is normalized in DTLS and is |
| 2518 | // further constrainted by |SSL_OP_NO_*|. |
Robert Sloan | e56da3e | 2017-06-26 08:26:42 -0700 | [diff] [blame] | 2519 | uint16_t conf_min_version; |
Robert Sloan | 47f43ed | 2017-02-06 14:55:15 -0800 | [diff] [blame] | 2520 | |
| 2521 | uint16_t max_send_fragment; |
| 2522 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 2523 | // There are 2 BIO's even though they are normally both the same. This is so |
| 2524 | // data can be read and written to different handlers |
Robert Sloan | 47f43ed | 2017-02-06 14:55:15 -0800 | [diff] [blame] | 2525 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 2526 | BIO *rbio; // used by SSL_read |
| 2527 | BIO *wbio; // used by SSL_write |
Robert Sloan | 47f43ed | 2017-02-06 14:55:15 -0800 | [diff] [blame] | 2528 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 2529 | // do_handshake runs the handshake. On completion, it returns |ssl_hs_ok|. |
| 2530 | // Otherwise, it returns a value corresponding to what operation is needed to |
| 2531 | // progress. |
| 2532 | enum ssl_hs_wait_t (*do_handshake)(SSL_HANDSHAKE *hs); |
Robert Sloan | 47f43ed | 2017-02-06 14:55:15 -0800 | [diff] [blame] | 2533 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 2534 | SSL3_STATE *s3; // SSLv3 variables |
| 2535 | DTLS1_STATE *d1; // DTLSv1 variables |
Robert Sloan | 47f43ed | 2017-02-06 14:55:15 -0800 | [diff] [blame] | 2536 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 2537 | // callback that allows applications to peek at protocol messages |
Robert Sloan | 47f43ed | 2017-02-06 14:55:15 -0800 | [diff] [blame] | 2538 | void (*msg_callback)(int write_p, int version, int content_type, |
| 2539 | const void *buf, size_t len, SSL *ssl, void *arg); |
| 2540 | void *msg_callback_arg; |
| 2541 | |
| 2542 | X509_VERIFY_PARAM *param; |
| 2543 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 2544 | // crypto |
Robert Sloan | 47f43ed | 2017-02-06 14:55:15 -0800 | [diff] [blame] | 2545 | struct ssl_cipher_preference_list_st *cipher_list; |
| 2546 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 2547 | // session info |
Robert Sloan | 47f43ed | 2017-02-06 14:55:15 -0800 | [diff] [blame] | 2548 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 2549 | // client cert? |
| 2550 | // This is used to hold the server certificate used |
Robert Sloan | b6d070c | 2017-07-24 08:40:01 -0700 | [diff] [blame] | 2551 | CERT *cert; |
Robert Sloan | 47f43ed | 2017-02-06 14:55:15 -0800 | [diff] [blame] | 2552 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 2553 | // initial_timeout_duration_ms is the default DTLS timeout duration in |
| 2554 | // milliseconds. It's used to initialize the timer any time it's restarted. |
Robert Sloan | 47f43ed | 2017-02-06 14:55:15 -0800 | [diff] [blame] | 2555 | unsigned initial_timeout_duration_ms; |
| 2556 | |
Robert Sloan | a450c92 | 2018-01-08 10:35:32 -0800 | [diff] [blame] | 2557 | // tls13_variant is the variant of TLS 1.3 we are using for this |
| 2558 | // configuration. |
| 2559 | enum tls13_variant_t tls13_variant; |
| 2560 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 2561 | // session is the configured session to be offered by the client. This session |
| 2562 | // is immutable. |
Robert Sloan | 47f43ed | 2017-02-06 14:55:15 -0800 | [diff] [blame] | 2563 | SSL_SESSION *session; |
| 2564 | |
| 2565 | int (*verify_callback)(int ok, |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 2566 | X509_STORE_CTX *ctx); // fail if callback returns 0 |
Robert Sloan | 47f43ed | 2017-02-06 14:55:15 -0800 | [diff] [blame] | 2567 | |
Robert Sloan | b6d070c | 2017-07-24 08:40:01 -0700 | [diff] [blame] | 2568 | enum ssl_verify_result_t (*custom_verify_callback)(SSL *ssl, |
| 2569 | uint8_t *out_alert); |
| 2570 | |
Robert Sloan | 47f43ed | 2017-02-06 14:55:15 -0800 | [diff] [blame] | 2571 | void (*info_callback)(const SSL *ssl, int type, int value); |
| 2572 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 2573 | // Server-only: psk_identity_hint is the identity hint to send in |
| 2574 | // PSK-based key exchanges. |
Robert Sloan | 47f43ed | 2017-02-06 14:55:15 -0800 | [diff] [blame] | 2575 | char *psk_identity_hint; |
| 2576 | |
| 2577 | unsigned int (*psk_client_callback)(SSL *ssl, const char *hint, |
| 2578 | char *identity, |
| 2579 | unsigned int max_identity_len, |
| 2580 | uint8_t *psk, unsigned int max_psk_len); |
| 2581 | unsigned int (*psk_server_callback)(SSL *ssl, const char *identity, |
| 2582 | uint8_t *psk, unsigned int max_psk_len); |
| 2583 | |
| 2584 | SSL_CTX *ctx; |
| 2585 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 2586 | // extra application data |
Robert Sloan | 47f43ed | 2017-02-06 14:55:15 -0800 | [diff] [blame] | 2587 | CRYPTO_EX_DATA ex_data; |
| 2588 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 2589 | // for server side, keep the list of CA_dn we can use |
Robert Sloan | 7d422bc | 2017-03-06 10:04:29 -0800 | [diff] [blame] | 2590 | STACK_OF(CRYPTO_BUFFER) *client_CA; |
| 2591 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 2592 | // cached_x509_client_CA is a cache of parsed versions of the elements of |
| 2593 | // |client_CA|. |
Robert Sloan | 7d422bc | 2017-03-06 10:04:29 -0800 | [diff] [blame] | 2594 | STACK_OF(X509_NAME) *cached_x509_client_CA; |
Robert Sloan | 47f43ed | 2017-02-06 14:55:15 -0800 | [diff] [blame] | 2595 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 2596 | uint32_t options; // protocol behaviour |
| 2597 | uint32_t mode; // API behaviour |
Robert Sloan | 47f43ed | 2017-02-06 14:55:15 -0800 | [diff] [blame] | 2598 | uint32_t max_cert_list; |
Robert Sloan | 0db7f54 | 2018-01-16 15:48:33 -0800 | [diff] [blame] | 2599 | uint16_t dummy_pq_padding_len; |
Robert Sloan | 47f43ed | 2017-02-06 14:55:15 -0800 | [diff] [blame] | 2600 | char *tlsext_hostname; |
| 2601 | size_t supported_group_list_len; |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 2602 | uint16_t *supported_group_list; // our list |
Robert Sloan | 47f43ed | 2017-02-06 14:55:15 -0800 | [diff] [blame] | 2603 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 2604 | // session_ctx is the |SSL_CTX| used for the session cache and related |
| 2605 | // settings. |
Robert Sloan | 1c9db53 | 2017-03-13 08:03:59 -0700 | [diff] [blame] | 2606 | SSL_CTX *session_ctx; |
Robert Sloan | 47f43ed | 2017-02-06 14:55:15 -0800 | [diff] [blame] | 2607 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 2608 | // srtp_profiles is the list of configured SRTP protection profiles for |
| 2609 | // DTLS-SRTP. |
Robert Sloan | 47f43ed | 2017-02-06 14:55:15 -0800 | [diff] [blame] | 2610 | STACK_OF(SRTP_PROTECTION_PROFILE) *srtp_profiles; |
| 2611 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 2612 | // srtp_profile is the selected SRTP protection profile for |
| 2613 | // DTLS-SRTP. |
Robert Sloan | 47f43ed | 2017-02-06 14:55:15 -0800 | [diff] [blame] | 2614 | const SRTP_PROTECTION_PROFILE *srtp_profile; |
| 2615 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 2616 | // The client's Channel ID private key. |
Robert Sloan | 47f43ed | 2017-02-06 14:55:15 -0800 | [diff] [blame] | 2617 | EVP_PKEY *tlsext_channel_id_private; |
| 2618 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 2619 | // For a client, this contains the list of supported protocols in wire |
| 2620 | // format. |
Robert Sloan | 47f43ed | 2017-02-06 14:55:15 -0800 | [diff] [blame] | 2621 | uint8_t *alpn_client_proto_list; |
| 2622 | unsigned alpn_client_proto_list_len; |
| 2623 | |
Robert Sloan | 978112c | 2018-01-22 12:53:01 -0800 | [diff] [blame] | 2624 | // Contains a list of supported Token Binding key parameters. |
| 2625 | uint8_t *token_binding_params; |
| 2626 | size_t token_binding_params_len; |
| 2627 | |
| 2628 | // The negotiated Token Binding key parameter. Only valid if |
| 2629 | // |token_binding_negotiated| is set. |
| 2630 | uint8_t negotiated_token_binding_param; |
| 2631 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 2632 | // renegotiate_mode controls how peer renegotiation attempts are handled. |
Robert Sloan | 47f43ed | 2017-02-06 14:55:15 -0800 | [diff] [blame] | 2633 | enum ssl_renegotiate_mode_t renegotiate_mode; |
| 2634 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 2635 | // verify_mode is a bitmask of |SSL_VERIFY_*| values. |
Robert Sloan | 47f43ed | 2017-02-06 14:55:15 -0800 | [diff] [blame] | 2636 | uint8_t verify_mode; |
| 2637 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 2638 | // server is true iff the this SSL* is the server half. Note: before the SSL* |
| 2639 | // is initialized by either SSL_set_accept_state or SSL_set_connect_state, |
| 2640 | // the side is not determined. In this state, server is always false. |
Robert Sloan | 921ef2c | 2017-10-17 09:02:20 -0700 | [diff] [blame] | 2641 | bool server:1; |
Robert Sloan | 47f43ed | 2017-02-06 14:55:15 -0800 | [diff] [blame] | 2642 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 2643 | // quiet_shutdown is true if the connection should not send a close_notify on |
| 2644 | // shutdown. |
Robert Sloan | 921ef2c | 2017-10-17 09:02:20 -0700 | [diff] [blame] | 2645 | bool quiet_shutdown:1; |
Robert Sloan | 47f43ed | 2017-02-06 14:55:15 -0800 | [diff] [blame] | 2646 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 2647 | // Enable signed certificate time stamps. Currently client only. |
Robert Sloan | 921ef2c | 2017-10-17 09:02:20 -0700 | [diff] [blame] | 2648 | bool signed_cert_timestamps_enabled:1; |
Robert Sloan | 47f43ed | 2017-02-06 14:55:15 -0800 | [diff] [blame] | 2649 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 2650 | // ocsp_stapling_enabled is only used by client connections and indicates |
| 2651 | // whether OCSP stapling will be requested. |
Robert Sloan | 921ef2c | 2017-10-17 09:02:20 -0700 | [diff] [blame] | 2652 | bool ocsp_stapling_enabled:1; |
Robert Sloan | 47f43ed | 2017-02-06 14:55:15 -0800 | [diff] [blame] | 2653 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 2654 | // tlsext_channel_id_enabled is copied from the |SSL_CTX|. For a server, |
| 2655 | // means that we'll accept Channel IDs from clients. For a client, means that |
| 2656 | // we'll advertise support. |
Robert Sloan | 921ef2c | 2017-10-17 09:02:20 -0700 | [diff] [blame] | 2657 | bool tlsext_channel_id_enabled:1; |
Robert Sloan | 47f43ed | 2017-02-06 14:55:15 -0800 | [diff] [blame] | 2658 | |
Robert Sloan | 978112c | 2018-01-22 12:53:01 -0800 | [diff] [blame] | 2659 | // token_binding_negotiated is set if Token Binding was negotiated. |
| 2660 | bool token_binding_negotiated:1; |
| 2661 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 2662 | // retain_only_sha256_of_client_certs is true if we should compute the SHA256 |
| 2663 | // hash of the peer's certificate and then discard it to save memory and |
| 2664 | // session space. Only effective on the server side. |
Robert Sloan | 921ef2c | 2017-10-17 09:02:20 -0700 | [diff] [blame] | 2665 | bool retain_only_sha256_of_client_certs:1; |
Robert Sloan | 47f43ed | 2017-02-06 14:55:15 -0800 | [diff] [blame] | 2666 | }; |
| 2667 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 2668 | // From draft-ietf-tls-tls13-18, used in determining PSK modes. |
Steven Valdez | 909b19f | 2016-11-21 15:35:44 -0500 | [diff] [blame] | 2669 | #define SSL_PSK_DHE_KE 0x1 |
David Benjamin | c895d6b | 2016-08-11 13:26:41 -0400 | [diff] [blame] | 2670 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 2671 | // From draft-ietf-tls-tls13-16, used in determining whether to respond with a |
| 2672 | // KeyUpdate. |
David Benjamin | 95add82 | 2016-10-19 01:09:12 -0400 | [diff] [blame] | 2673 | #define SSL_KEY_UPDATE_NOT_REQUESTED 0 |
| 2674 | #define SSL_KEY_UPDATE_REQUESTED 1 |
| 2675 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 2676 | // kMaxEarlyDataAccepted is the advertised number of plaintext bytes of early |
| 2677 | // data that will be accepted. This value should be slightly below |
| 2678 | // kMaxEarlyDataSkipped in tls_record.c, which is measured in ciphertext. |
Robert Sloan | 9254e68 | 2017-04-24 09:42:06 -0700 | [diff] [blame] | 2679 | static const size_t kMaxEarlyDataAccepted = 14336; |
| 2680 | |
Robert Sloan | 5d62578 | 2017-02-13 09:55:39 -0800 | [diff] [blame] | 2681 | CERT *ssl_cert_new(const SSL_X509_METHOD *x509_method); |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 2682 | CERT *ssl_cert_dup(CERT *cert); |
Robert Sloan | fe7cd21 | 2017-08-07 09:03:39 -0700 | [diff] [blame] | 2683 | void ssl_cert_clear_certs(CERT *cert); |
| 2684 | void ssl_cert_free(CERT *cert); |
| 2685 | int ssl_set_cert(CERT *cert, UniquePtr<CRYPTO_BUFFER> buffer); |
Robert Sloan | 5d62578 | 2017-02-13 09:55:39 -0800 | [diff] [blame] | 2686 | int ssl_is_key_type_supported(int key_type); |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 2687 | // ssl_compare_public_and_private_key returns one if |pubkey| is the public |
| 2688 | // counterpart to |privkey|. Otherwise it returns zero and pushes a helpful |
| 2689 | // message on the error queue. |
Robert Sloan | 4d1ac50 | 2017-02-06 08:36:14 -0800 | [diff] [blame] | 2690 | int ssl_compare_public_and_private_key(const EVP_PKEY *pubkey, |
| 2691 | const EVP_PKEY *privkey); |
| 2692 | int ssl_cert_check_private_key(const CERT *cert, const EVP_PKEY *privkey); |
David Benjamin | 1b24967 | 2016-12-06 18:25:50 -0500 | [diff] [blame] | 2693 | int ssl_get_new_session(SSL_HANDSHAKE *hs, int is_server); |
David Benjamin | c895d6b | 2016-08-11 13:26:41 -0400 | [diff] [blame] | 2694 | int ssl_encrypt_ticket(SSL *ssl, CBB *out, const SSL_SESSION *session); |
Robert Sloan | 8f860b1 | 2017-08-28 07:37:06 -0700 | [diff] [blame] | 2695 | int ssl_ctx_rotate_ticket_encryption_key(SSL_CTX *ctx); |
Kenny Root | b849459 | 2015-09-25 02:29:14 +0000 | [diff] [blame] | 2696 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 2697 | // ssl_session_new returns a newly-allocated blank |SSL_SESSION| or nullptr on |
| 2698 | // error. |
Robert Sloan | b6d070c | 2017-07-24 08:40:01 -0700 | [diff] [blame] | 2699 | UniquePtr<SSL_SESSION> ssl_session_new(const SSL_X509_METHOD *x509_method); |
Robert Sloan | 5d62578 | 2017-02-13 09:55:39 -0800 | [diff] [blame] | 2700 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 2701 | // SSL_SESSION_parse parses an |SSL_SESSION| from |cbs| and advances |cbs| over |
| 2702 | // the parsed data. |
Robert Sloan | b6d070c | 2017-07-24 08:40:01 -0700 | [diff] [blame] | 2703 | UniquePtr<SSL_SESSION> SSL_SESSION_parse(CBS *cbs, |
| 2704 | const SSL_X509_METHOD *x509_method, |
| 2705 | CRYPTO_BUFFER_POOL *pool); |
Robert Sloan | 5d62578 | 2017-02-13 09:55:39 -0800 | [diff] [blame] | 2706 | |
Robert Sloan | 309a31e | 2018-01-29 10:22:47 -0800 | [diff] [blame^] | 2707 | // ssl_session_serialize writes |in| to |cbb| as if it were serialising a |
| 2708 | // session for Session-ID resumption. It returns one on success and zero on |
| 2709 | // error. |
| 2710 | int ssl_session_serialize(const SSL_SESSION *in, CBB *cbb); |
| 2711 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 2712 | // ssl_session_is_context_valid returns one if |session|'s session ID context |
| 2713 | // matches the one set on |ssl| and zero otherwise. |
David Benjamin | f0c4a6c | 2016-08-11 13:26:41 -0400 | [diff] [blame] | 2714 | int ssl_session_is_context_valid(const SSL *ssl, const SSL_SESSION *session); |
| 2715 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 2716 | // ssl_session_is_time_valid returns one if |session| is still valid and zero if |
| 2717 | // it has expired. |
David Benjamin | f0c4a6c | 2016-08-11 13:26:41 -0400 | [diff] [blame] | 2718 | int ssl_session_is_time_valid(const SSL *ssl, const SSL_SESSION *session); |
| 2719 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 2720 | // ssl_session_is_resumable returns one if |session| is resumable for |hs| and |
| 2721 | // zero otherwise. |
Robert Sloan | a94fe05 | 2017-02-21 08:49:28 -0800 | [diff] [blame] | 2722 | int ssl_session_is_resumable(const SSL_HANDSHAKE *hs, |
| 2723 | const SSL_SESSION *session); |
Steven Valdez | 909b19f | 2016-11-21 15:35:44 -0500 | [diff] [blame] | 2724 | |
Robert Sloan | ae1abf9 | 2017-10-05 12:50:08 -0700 | [diff] [blame] | 2725 | // ssl_session_protocol_version returns the protocol version associated with |
| 2726 | // |session|. Note that despite the name, this is not the same as |
| 2727 | // |SSL_SESSION_get_protocol_version|. The latter is based on upstream's name. |
| 2728 | uint16_t ssl_session_protocol_version(const SSL_SESSION *session); |
Robert Sloan | f6200e7 | 2017-07-10 08:09:18 -0700 | [diff] [blame] | 2729 | |
Robert Sloan | ae1abf9 | 2017-10-05 12:50:08 -0700 | [diff] [blame] | 2730 | // ssl_session_get_digest returns the digest used in |session|. |
| 2731 | const EVP_MD *ssl_session_get_digest(const SSL_SESSION *session); |
Robert Sloan | 5d62578 | 2017-02-13 09:55:39 -0800 | [diff] [blame] | 2732 | |
David Benjamin | 7c0d06c | 2016-08-11 13:26:41 -0400 | [diff] [blame] | 2733 | void ssl_set_session(SSL *ssl, SSL_SESSION *session); |
| 2734 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 2735 | // ssl_get_prev_session looks up the previous session based on |client_hello|. |
| 2736 | // On success, it sets |*out_session| to the session or nullptr if none was |
| 2737 | // found. If the session could not be looked up synchronously, it returns |
| 2738 | // |ssl_hs_pending_session| and should be called again. If a ticket could not be |
| 2739 | // decrypted immediately it returns |ssl_hs_pending_ticket| and should also |
| 2740 | // be called again. Otherwise, it returns |ssl_hs_error|. |
| 2741 | enum ssl_hs_wait_t ssl_get_prev_session(SSL *ssl, |
| 2742 | UniquePtr<SSL_SESSION> *out_session, |
| 2743 | bool *out_tickets_supported, |
| 2744 | bool *out_renew_ticket, |
| 2745 | const SSL_CLIENT_HELLO *client_hello); |
Kenny Root | b849459 | 2015-09-25 02:29:14 +0000 | [diff] [blame] | 2746 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 2747 | // The following flags determine which parts of the session are duplicated. |
David Benjamin | f0c4a6c | 2016-08-11 13:26:41 -0400 | [diff] [blame] | 2748 | #define SSL_SESSION_DUP_AUTH_ONLY 0x0 |
| 2749 | #define SSL_SESSION_INCLUDE_TICKET 0x1 |
| 2750 | #define SSL_SESSION_INCLUDE_NONAUTH 0x2 |
| 2751 | #define SSL_SESSION_DUP_ALL \ |
| 2752 | (SSL_SESSION_INCLUDE_TICKET | SSL_SESSION_INCLUDE_NONAUTH) |
| 2753 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 2754 | // SSL_SESSION_dup returns a newly-allocated |SSL_SESSION| with a copy of the |
| 2755 | // fields in |session| or nullptr on error. The new session is non-resumable and |
| 2756 | // must be explicitly marked resumable once it has been filled in. |
Robert Sloan | b6d070c | 2017-07-24 08:40:01 -0700 | [diff] [blame] | 2757 | OPENSSL_EXPORT UniquePtr<SSL_SESSION> SSL_SESSION_dup(SSL_SESSION *session, |
| 2758 | int dup_flags); |
David Benjamin | c895d6b | 2016-08-11 13:26:41 -0400 | [diff] [blame] | 2759 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 2760 | // ssl_session_rebase_time updates |session|'s start time to the current time, |
| 2761 | // adjusting the timeout so the expiration time is unchanged. |
Robert Sloan | 4d1ac50 | 2017-02-06 08:36:14 -0800 | [diff] [blame] | 2762 | void ssl_session_rebase_time(SSL *ssl, SSL_SESSION *session); |
| 2763 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 2764 | // ssl_session_renew_timeout calls |ssl_session_rebase_time| and renews |
| 2765 | // |session|'s timeout to |timeout| (measured from the current time). The |
| 2766 | // renewal is clamped to the session's auth_timeout. |
Robert Sloan | 7d422bc | 2017-03-06 10:04:29 -0800 | [diff] [blame] | 2767 | void ssl_session_renew_timeout(SSL *ssl, SSL_SESSION *session, |
| 2768 | uint32_t timeout); |
Steven Valdez | 909b19f | 2016-11-21 15:35:44 -0500 | [diff] [blame] | 2769 | |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 2770 | void ssl_cipher_preference_list_free( |
| 2771 | struct ssl_cipher_preference_list_st *cipher_list); |
Steven Valdez | 909b19f | 2016-11-21 15:35:44 -0500 | [diff] [blame] | 2772 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 2773 | // ssl_get_cipher_preferences returns the cipher preference list for TLS 1.2 and |
| 2774 | // below. |
Steven Valdez | 909b19f | 2016-11-21 15:35:44 -0500 | [diff] [blame] | 2775 | const struct ssl_cipher_preference_list_st *ssl_get_cipher_preferences( |
| 2776 | const SSL *ssl); |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 2777 | |
David Benjamin | 1b24967 | 2016-12-06 18:25:50 -0500 | [diff] [blame] | 2778 | void ssl_update_cache(SSL_HANDSHAKE *hs, int mode); |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 2779 | |
Robert Sloan | 921ef2c | 2017-10-17 09:02:20 -0700 | [diff] [blame] | 2780 | int ssl_send_alert(SSL *ssl, int level, int desc); |
Robert Sloan | 8437709 | 2017-08-14 09:33:19 -0700 | [diff] [blame] | 2781 | bool ssl3_get_message(SSL *ssl, SSLMessage *out); |
Robert Sloan | 3627296 | 2017-10-23 10:28:39 -0700 | [diff] [blame] | 2782 | ssl_open_record_t ssl3_open_handshake(SSL *ssl, size_t *out_consumed, |
| 2783 | uint8_t *out_alert, Span<uint8_t> in); |
Robert Sloan | 8437709 | 2017-08-14 09:33:19 -0700 | [diff] [blame] | 2784 | void ssl3_next_message(SSL *ssl); |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 2785 | |
Adam Langley | 4139edb | 2016-01-13 15:00:54 -0800 | [diff] [blame] | 2786 | int ssl3_dispatch_alert(SSL *ssl); |
Robert Sloan | 3627296 | 2017-10-23 10:28:39 -0700 | [diff] [blame] | 2787 | ssl_open_record_t ssl3_open_app_data(SSL *ssl, Span<uint8_t> *out, |
| 2788 | size_t *out_consumed, uint8_t *out_alert, |
| 2789 | Span<uint8_t> in); |
| 2790 | ssl_open_record_t ssl3_open_change_cipher_spec(SSL *ssl, size_t *out_consumed, |
| 2791 | uint8_t *out_alert, |
| 2792 | Span<uint8_t> in); |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 2793 | int ssl3_write_app_data(SSL *ssl, bool *out_needs_handshake, const uint8_t *buf, |
Robert Sloan | e56da3e | 2017-06-26 08:26:42 -0700 | [diff] [blame] | 2794 | int len); |
Steven Valdez | 909b19f | 2016-11-21 15:35:44 -0500 | [diff] [blame] | 2795 | |
Robert Sloan | 3627296 | 2017-10-23 10:28:39 -0700 | [diff] [blame] | 2796 | bool ssl3_new(SSL *ssl); |
Adam Langley | 4139edb | 2016-01-13 15:00:54 -0800 | [diff] [blame] | 2797 | void ssl3_free(SSL *ssl); |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 2798 | |
Robert Sloan | 3627296 | 2017-10-23 10:28:39 -0700 | [diff] [blame] | 2799 | bool ssl3_init_message(SSL *ssl, CBB *cbb, CBB *body, uint8_t type); |
| 2800 | bool ssl3_finish_message(SSL *ssl, CBB *cbb, Array<uint8_t> *out_msg); |
| 2801 | bool ssl3_add_message(SSL *ssl, Array<uint8_t> msg); |
| 2802 | bool ssl3_add_change_cipher_spec(SSL *ssl); |
| 2803 | bool ssl3_add_alert(SSL *ssl, uint8_t level, uint8_t desc); |
Robert Sloan | 4d1ac50 | 2017-02-06 08:36:14 -0800 | [diff] [blame] | 2804 | int ssl3_flush_flight(SSL *ssl); |
David Benjamin | c895d6b | 2016-08-11 13:26:41 -0400 | [diff] [blame] | 2805 | |
Robert Sloan | 3627296 | 2017-10-23 10:28:39 -0700 | [diff] [blame] | 2806 | bool dtls1_init_message(SSL *ssl, CBB *cbb, CBB *body, uint8_t type); |
| 2807 | bool dtls1_finish_message(SSL *ssl, CBB *cbb, Array<uint8_t> *out_msg); |
| 2808 | bool dtls1_add_message(SSL *ssl, Array<uint8_t> msg); |
| 2809 | bool dtls1_add_change_cipher_spec(SSL *ssl); |
| 2810 | bool dtls1_add_alert(SSL *ssl, uint8_t level, uint8_t desc); |
Robert Sloan | 4d1ac50 | 2017-02-06 08:36:14 -0800 | [diff] [blame] | 2811 | int dtls1_flush_flight(SSL *ssl); |
David Benjamin | 6e899c7 | 2016-06-09 18:02:18 -0400 | [diff] [blame] | 2812 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 2813 | // ssl_add_message_cbb finishes the handshake message in |cbb| and adds it to |
Robert Sloan | 3627296 | 2017-10-23 10:28:39 -0700 | [diff] [blame] | 2814 | // the pending flight. It returns true on success and false on error. |
| 2815 | bool ssl_add_message_cbb(SSL *ssl, CBB *cbb); |
Steven Valdez | 909b19f | 2016-11-21 15:35:44 -0500 | [diff] [blame] | 2816 | |
Robert Sloan | 3627296 | 2017-10-23 10:28:39 -0700 | [diff] [blame] | 2817 | // ssl_hash_message incorporates |msg| into the handshake hash. It returns true |
| 2818 | // on success and false on allocation failure. |
Robert Sloan | 8437709 | 2017-08-14 09:33:19 -0700 | [diff] [blame] | 2819 | bool ssl_hash_message(SSL_HANDSHAKE *hs, const SSLMessage &msg); |
Steven Valdez | 909b19f | 2016-11-21 15:35:44 -0500 | [diff] [blame] | 2820 | |
Robert Sloan | 3627296 | 2017-10-23 10:28:39 -0700 | [diff] [blame] | 2821 | ssl_open_record_t dtls1_open_app_data(SSL *ssl, Span<uint8_t> *out, |
| 2822 | size_t *out_consumed, uint8_t *out_alert, |
| 2823 | Span<uint8_t> in); |
| 2824 | ssl_open_record_t dtls1_open_change_cipher_spec(SSL *ssl, size_t *out_consumed, |
| 2825 | uint8_t *out_alert, |
| 2826 | Span<uint8_t> in); |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 2827 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 2828 | int dtls1_write_app_data(SSL *ssl, bool *out_needs_handshake, |
| 2829 | const uint8_t *buf, int len); |
David Benjamin | 6e899c7 | 2016-06-09 18:02:18 -0400 | [diff] [blame] | 2830 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 2831 | // dtls1_write_record sends a record. It returns one on success and <= 0 on |
| 2832 | // error. |
David Benjamin | 6e899c7 | 2016-06-09 18:02:18 -0400 | [diff] [blame] | 2833 | int dtls1_write_record(SSL *ssl, int type, const uint8_t *buf, size_t len, |
| 2834 | enum dtls1_use_epoch_t use_epoch); |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 2835 | |
David Benjamin | c895d6b | 2016-08-11 13:26:41 -0400 | [diff] [blame] | 2836 | int dtls1_retransmit_outgoing_messages(SSL *ssl); |
Robert Sloan | 3627296 | 2017-10-23 10:28:39 -0700 | [diff] [blame] | 2837 | bool dtls1_parse_fragment(CBS *cbs, struct hm_header_st *out_hdr, |
David Benjamin | 6e899c7 | 2016-06-09 18:02:18 -0400 | [diff] [blame] | 2838 | CBS *out_body); |
Robert Sloan | 3627296 | 2017-10-23 10:28:39 -0700 | [diff] [blame] | 2839 | bool dtls1_check_timeout_num(SSL *ssl); |
Adam Langley | e9ada86 | 2015-05-11 17:20:37 -0700 | [diff] [blame] | 2840 | |
Adam Langley | 4139edb | 2016-01-13 15:00:54 -0800 | [diff] [blame] | 2841 | void dtls1_start_timer(SSL *ssl); |
| 2842 | void dtls1_stop_timer(SSL *ssl); |
Robert Sloan | 3627296 | 2017-10-23 10:28:39 -0700 | [diff] [blame] | 2843 | bool dtls1_is_timer_expired(SSL *ssl); |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 2844 | unsigned int dtls1_min_mtu(void); |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 2845 | |
Robert Sloan | 3627296 | 2017-10-23 10:28:39 -0700 | [diff] [blame] | 2846 | bool dtls1_new(SSL *ssl); |
Adam Langley | 4139edb | 2016-01-13 15:00:54 -0800 | [diff] [blame] | 2847 | void dtls1_free(SSL *ssl); |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 2848 | |
Robert Sloan | 8437709 | 2017-08-14 09:33:19 -0700 | [diff] [blame] | 2849 | bool dtls1_get_message(SSL *ssl, SSLMessage *out); |
Robert Sloan | 3627296 | 2017-10-23 10:28:39 -0700 | [diff] [blame] | 2850 | ssl_open_record_t dtls1_open_handshake(SSL *ssl, size_t *out_consumed, |
| 2851 | uint8_t *out_alert, Span<uint8_t> in); |
Robert Sloan | 8437709 | 2017-08-14 09:33:19 -0700 | [diff] [blame] | 2852 | void dtls1_next_message(SSL *ssl); |
Adam Langley | 4139edb | 2016-01-13 15:00:54 -0800 | [diff] [blame] | 2853 | int dtls1_dispatch_alert(SSL *ssl); |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 2854 | |
Robert Sloan | 2e9e66a | 2017-09-25 09:08:29 -0700 | [diff] [blame] | 2855 | int tls1_change_cipher_state(SSL_HANDSHAKE *hs, evp_aead_direction_t direction); |
Robert Sloan | 5d62578 | 2017-02-13 09:55:39 -0800 | [diff] [blame] | 2856 | int tls1_generate_master_secret(SSL_HANDSHAKE *hs, uint8_t *out, |
Robert Sloan | b1b54b8 | 2017-11-06 13:50:02 -0800 | [diff] [blame] | 2857 | Span<const uint8_t> premaster); |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 2858 | |
Robert Sloan | 4562e9d | 2017-10-02 10:26:51 -0700 | [diff] [blame] | 2859 | // tls1_get_grouplist returns the locally-configured group preference list. |
| 2860 | Span<const uint16_t> tls1_get_grouplist(const SSL *ssl); |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 2861 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 2862 | // tls1_check_group_id returns one if |group_id| is consistent with |
| 2863 | // locally-configured group preferences. |
Robert Sloan | 4562e9d | 2017-10-02 10:26:51 -0700 | [diff] [blame] | 2864 | int tls1_check_group_id(const SSL *ssl, uint16_t group_id); |
Kenny Root | b849459 | 2015-09-25 02:29:14 +0000 | [diff] [blame] | 2865 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 2866 | // tls1_get_shared_group sets |*out_group_id| to the first preferred shared |
| 2867 | // group between client and server preferences and returns one. If none may be |
| 2868 | // found, it returns zero. |
David Benjamin | 1b24967 | 2016-12-06 18:25:50 -0500 | [diff] [blame] | 2869 | int tls1_get_shared_group(SSL_HANDSHAKE *hs, uint16_t *out_group_id); |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 2870 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 2871 | // tls1_set_curves converts the array of |ncurves| NIDs pointed to by |curves| |
| 2872 | // into a newly allocated array of TLS group IDs. On success, the function |
| 2873 | // returns one and writes the array to |*out_group_ids| and its size to |
| 2874 | // |*out_group_ids_len|. Otherwise, it returns zero. |
David Benjamin | d316cba | 2016-06-02 16:17:39 -0400 | [diff] [blame] | 2875 | int tls1_set_curves(uint16_t **out_group_ids, size_t *out_group_ids_len, |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 2876 | const int *curves, size_t ncurves); |
| 2877 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 2878 | // tls1_set_curves_list converts the string of curves pointed to by |curves| |
| 2879 | // into a newly allocated array of TLS group IDs. On success, the function |
| 2880 | // returns one and writes the array to |*out_group_ids| and its size to |
| 2881 | // |*out_group_ids_len|. Otherwise, it returns zero. |
Steven Valdez | bb1ceac | 2016-10-07 10:34:51 -0400 | [diff] [blame] | 2882 | int tls1_set_curves_list(uint16_t **out_group_ids, size_t *out_group_ids_len, |
| 2883 | const char *curves); |
| 2884 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 2885 | // ssl_add_clienthello_tlsext writes ClientHello extensions to |out|. It |
| 2886 | // returns one on success and zero on failure. The |header_len| argument is the |
| 2887 | // length of the ClientHello written so far and is used to compute the padding |
| 2888 | // length. (It does not include the record header.) |
David Benjamin | 1b24967 | 2016-12-06 18:25:50 -0500 | [diff] [blame] | 2889 | int ssl_add_clienthello_tlsext(SSL_HANDSHAKE *hs, CBB *out, size_t header_len); |
Kenny Root | e99801b | 2015-11-06 15:31:15 -0800 | [diff] [blame] | 2890 | |
David Benjamin | 1b24967 | 2016-12-06 18:25:50 -0500 | [diff] [blame] | 2891 | int ssl_add_serverhello_tlsext(SSL_HANDSHAKE *hs, CBB *out); |
| 2892 | int ssl_parse_clienthello_tlsext(SSL_HANDSHAKE *hs, |
| 2893 | const SSL_CLIENT_HELLO *client_hello); |
| 2894 | int ssl_parse_serverhello_tlsext(SSL_HANDSHAKE *hs, CBS *cbs); |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 2895 | |
| 2896 | #define tlsext_tick_md EVP_sha256 |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 2897 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 2898 | // ssl_process_ticket processes a session ticket from the client. It returns |
| 2899 | // one of: |
| 2900 | // |ssl_ticket_aead_success|: |*out_session| is set to the parsed session and |
| 2901 | // |*out_renew_ticket| is set to whether the ticket should be renewed. |
| 2902 | // |ssl_ticket_aead_ignore_ticket|: |*out_renew_ticket| is set to whether a |
| 2903 | // fresh ticket should be sent, but the given ticket cannot be used. |
| 2904 | // |ssl_ticket_aead_retry|: the ticket could not be immediately decrypted. |
| 2905 | // Retry later. |
| 2906 | // |ssl_ticket_aead_error|: an error occured that is fatal to the connection. |
Robert Sloan | 1c9db53 | 2017-03-13 08:03:59 -0700 | [diff] [blame] | 2907 | enum ssl_ticket_aead_result_t ssl_process_ticket( |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 2908 | SSL *ssl, UniquePtr<SSL_SESSION> *out_session, bool *out_renew_ticket, |
Robert Sloan | 1c9db53 | 2017-03-13 08:03:59 -0700 | [diff] [blame] | 2909 | const uint8_t *ticket, size_t ticket_len, const uint8_t *session_id, |
| 2910 | size_t session_id_len); |
Kenny Root | b849459 | 2015-09-25 02:29:14 +0000 | [diff] [blame] | 2911 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 2912 | // tls1_verify_channel_id processes |msg| as a Channel ID message, and verifies |
| 2913 | // the signature. If the key is valid, it saves the Channel ID and returns |
| 2914 | // one. Otherwise, it returns zero. |
Robert Sloan | 8437709 | 2017-08-14 09:33:19 -0700 | [diff] [blame] | 2915 | int tls1_verify_channel_id(SSL_HANDSHAKE *hs, const SSLMessage &msg); |
Steven Valdez | 909b19f | 2016-11-21 15:35:44 -0500 | [diff] [blame] | 2916 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 2917 | // tls1_write_channel_id generates a Channel ID message and puts the output in |
| 2918 | // |cbb|. |ssl->tlsext_channel_id_private| must already be set before calling. |
Robert Sloan | b1b54b8 | 2017-11-06 13:50:02 -0800 | [diff] [blame] | 2919 | // This function returns true on success and false on error. |
| 2920 | bool tls1_write_channel_id(SSL_HANDSHAKE *hs, CBB *cbb); |
Steven Valdez | 909b19f | 2016-11-21 15:35:44 -0500 | [diff] [blame] | 2921 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 2922 | // tls1_channel_id_hash computes the hash to be signed by Channel ID and writes |
| 2923 | // it to |out|, which must contain at least |EVP_MAX_MD_SIZE| bytes. It returns |
| 2924 | // one on success and zero on failure. |
Robert Sloan | 5d62578 | 2017-02-13 09:55:39 -0800 | [diff] [blame] | 2925 | int tls1_channel_id_hash(SSL_HANDSHAKE *hs, uint8_t *out, size_t *out_len); |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 2926 | |
Robert Sloan | 5d62578 | 2017-02-13 09:55:39 -0800 | [diff] [blame] | 2927 | int tls1_record_handshake_hashes_for_channel_id(SSL_HANDSHAKE *hs); |
Kenny Root | a04d78d | 2015-09-25 00:26:37 +0000 | [diff] [blame] | 2928 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 2929 | // ssl_do_channel_id_callback checks runs |ssl->ctx->channel_id_cb| if |
| 2930 | // necessary. It returns one on success and zero on fatal error. Note that, on |
| 2931 | // success, |ssl->tlsext_channel_id_private| may be unset, in which case the |
| 2932 | // operation should be retried later. |
Steven Valdez | 909b19f | 2016-11-21 15:35:44 -0500 | [diff] [blame] | 2933 | int ssl_do_channel_id_callback(SSL *ssl); |
| 2934 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 2935 | // ssl_can_write returns one if |ssl| is allowed to write and zero otherwise. |
Robert Sloan | 6d0d00e | 2017-03-27 07:13:07 -0700 | [diff] [blame] | 2936 | int ssl_can_write(const SSL *ssl); |
| 2937 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 2938 | // ssl_can_read returns one if |ssl| is allowed to read and zero otherwise. |
Robert Sloan | 6d0d00e | 2017-03-27 07:13:07 -0700 | [diff] [blame] | 2939 | int ssl_can_read(const SSL *ssl); |
| 2940 | |
Robert Sloan | 7d422bc | 2017-03-06 10:04:29 -0800 | [diff] [blame] | 2941 | void ssl_get_current_time(const SSL *ssl, struct OPENSSL_timeval *out_clock); |
Robert Sloan | 8f860b1 | 2017-08-28 07:37:06 -0700 | [diff] [blame] | 2942 | void ssl_ctx_get_current_time(const SSL_CTX *ctx, |
| 2943 | struct OPENSSL_timeval *out_clock); |
David Benjamin | c895d6b | 2016-08-11 13:26:41 -0400 | [diff] [blame] | 2944 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 2945 | // ssl_reset_error_state resets state for |SSL_get_error|. |
Robert Sloan | 69939df | 2017-01-09 10:53:07 -0800 | [diff] [blame] | 2946 | void ssl_reset_error_state(SSL *ssl); |
| 2947 | |
Robert Sloan | 3627296 | 2017-10-23 10:28:39 -0700 | [diff] [blame] | 2948 | // ssl_set_read_error sets |ssl|'s read half into an error state, saving the |
| 2949 | // current state of the error queue. |
| 2950 | void ssl_set_read_error(SSL* ssl); |
| 2951 | |
Robert Sloan | b6d070c | 2017-07-24 08:40:01 -0700 | [diff] [blame] | 2952 | } // namespace bssl |
| 2953 | |
| 2954 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 2955 | // Opaque C types. |
| 2956 | // |
| 2957 | // The following types are exported to C code as public typedefs, so they must |
| 2958 | // be defined outside of the namespace. |
Robert Sloan | b6d070c | 2017-07-24 08:40:01 -0700 | [diff] [blame] | 2959 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 2960 | // ssl_method_st backs the public |SSL_METHOD| type. It is a compatibility |
| 2961 | // structure to support the legacy version-locked methods. |
Robert Sloan | b6d070c | 2017-07-24 08:40:01 -0700 | [diff] [blame] | 2962 | struct ssl_method_st { |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 2963 | // version, if non-zero, is the only protocol version acceptable to an |
| 2964 | // SSL_CTX initialized from this method. |
Robert Sloan | b6d070c | 2017-07-24 08:40:01 -0700 | [diff] [blame] | 2965 | uint16_t version; |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 2966 | // method is the underlying SSL_PROTOCOL_METHOD that initializes the |
| 2967 | // SSL_CTX. |
Robert Sloan | 921ef2c | 2017-10-17 09:02:20 -0700 | [diff] [blame] | 2968 | const bssl::SSL_PROTOCOL_METHOD *method; |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 2969 | // x509_method contains pointers to functions that might deal with |X509| |
| 2970 | // compatibility, or might be a no-op, depending on the application. |
Robert Sloan | b6d070c | 2017-07-24 08:40:01 -0700 | [diff] [blame] | 2971 | const SSL_X509_METHOD *x509_method; |
| 2972 | }; |
| 2973 | |
Robert Sloan | b6d070c | 2017-07-24 08:40:01 -0700 | [diff] [blame] | 2974 | struct ssl_x509_method_st { |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 2975 | // check_client_CA_list returns one if |names| is a good list of X.509 |
| 2976 | // distinguished names and zero otherwise. This is used to ensure that we can |
| 2977 | // reject unparsable values at handshake time when using crypto/x509. |
Robert Sloan | b6d070c | 2017-07-24 08:40:01 -0700 | [diff] [blame] | 2978 | int (*check_client_CA_list)(STACK_OF(CRYPTO_BUFFER) *names); |
| 2979 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 2980 | // cert_clear frees and NULLs all X509 certificate-related state. |
Robert Sloan | 921ef2c | 2017-10-17 09:02:20 -0700 | [diff] [blame] | 2981 | void (*cert_clear)(bssl::CERT *cert); |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 2982 | // cert_free frees all X509-related state. |
Robert Sloan | 921ef2c | 2017-10-17 09:02:20 -0700 | [diff] [blame] | 2983 | void (*cert_free)(bssl::CERT *cert); |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 2984 | // cert_flush_cached_chain drops any cached |X509|-based certificate chain |
| 2985 | // from |cert|. |
| 2986 | // cert_dup duplicates any needed fields from |cert| to |new_cert|. |
Robert Sloan | 921ef2c | 2017-10-17 09:02:20 -0700 | [diff] [blame] | 2987 | void (*cert_dup)(bssl::CERT *new_cert, const bssl::CERT *cert); |
| 2988 | void (*cert_flush_cached_chain)(bssl::CERT *cert); |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 2989 | // cert_flush_cached_chain drops any cached |X509|-based leaf certificate |
| 2990 | // from |cert|. |
Robert Sloan | 921ef2c | 2017-10-17 09:02:20 -0700 | [diff] [blame] | 2991 | void (*cert_flush_cached_leaf)(bssl::CERT *cert); |
Robert Sloan | b6d070c | 2017-07-24 08:40:01 -0700 | [diff] [blame] | 2992 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 2993 | // session_cache_objects fills out |sess->x509_peer| and |sess->x509_chain| |
| 2994 | // from |sess->certs| and erases |sess->x509_chain_without_leaf|. It returns |
| 2995 | // one on success or zero on error. |
Robert Sloan | b6d070c | 2017-07-24 08:40:01 -0700 | [diff] [blame] | 2996 | int (*session_cache_objects)(SSL_SESSION *session); |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 2997 | // session_dup duplicates any needed fields from |session| to |new_session|. |
| 2998 | // It returns one on success or zero on error. |
Robert Sloan | b6d070c | 2017-07-24 08:40:01 -0700 | [diff] [blame] | 2999 | int (*session_dup)(SSL_SESSION *new_session, const SSL_SESSION *session); |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 3000 | // session_clear frees any X509-related state from |session|. |
Robert Sloan | b6d070c | 2017-07-24 08:40:01 -0700 | [diff] [blame] | 3001 | void (*session_clear)(SSL_SESSION *session); |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 3002 | // session_verify_cert_chain verifies the certificate chain in |session|, |
| 3003 | // sets |session->verify_result| and returns one on success or zero on |
| 3004 | // error. |
Robert Sloan | b6d070c | 2017-07-24 08:40:01 -0700 | [diff] [blame] | 3005 | int (*session_verify_cert_chain)(SSL_SESSION *session, SSL *ssl, |
| 3006 | uint8_t *out_alert); |
| 3007 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 3008 | // hs_flush_cached_ca_names drops any cached |X509_NAME|s from |hs|. |
Robert Sloan | b6d070c | 2017-07-24 08:40:01 -0700 | [diff] [blame] | 3009 | void (*hs_flush_cached_ca_names)(bssl::SSL_HANDSHAKE *hs); |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 3010 | // ssl_new does any neccessary initialisation of |ssl|. It returns one on |
| 3011 | // success or zero on error. |
Robert Sloan | b6d070c | 2017-07-24 08:40:01 -0700 | [diff] [blame] | 3012 | int (*ssl_new)(SSL *ssl); |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 3013 | // ssl_free frees anything created by |ssl_new|. |
Robert Sloan | b6d070c | 2017-07-24 08:40:01 -0700 | [diff] [blame] | 3014 | void (*ssl_free)(SSL *ssl); |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 3015 | // ssl_flush_cached_client_CA drops any cached |X509_NAME|s from |ssl|. |
Robert Sloan | b6d070c | 2017-07-24 08:40:01 -0700 | [diff] [blame] | 3016 | void (*ssl_flush_cached_client_CA)(SSL *ssl); |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 3017 | // ssl_auto_chain_if_needed runs the deprecated auto-chaining logic if |
| 3018 | // necessary. On success, it updates |ssl|'s certificate configuration as |
| 3019 | // needed and returns one. Otherwise, it returns zero. |
Robert Sloan | b6d070c | 2017-07-24 08:40:01 -0700 | [diff] [blame] | 3020 | int (*ssl_auto_chain_if_needed)(SSL *ssl); |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 3021 | // ssl_ctx_new does any neccessary initialisation of |ctx|. It returns one on |
| 3022 | // success or zero on error. |
Robert Sloan | b6d070c | 2017-07-24 08:40:01 -0700 | [diff] [blame] | 3023 | int (*ssl_ctx_new)(SSL_CTX *ctx); |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 3024 | // ssl_ctx_free frees anything created by |ssl_ctx_new|. |
Robert Sloan | b6d070c | 2017-07-24 08:40:01 -0700 | [diff] [blame] | 3025 | void (*ssl_ctx_free)(SSL_CTX *ctx); |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 3026 | // ssl_ctx_flush_cached_client_CA drops any cached |X509_NAME|s from |ctx|. |
Robert Sloan | b6d070c | 2017-07-24 08:40:01 -0700 | [diff] [blame] | 3027 | void (*ssl_ctx_flush_cached_client_CA)(SSL_CTX *ssl); |
| 3028 | }; |
| 3029 | |
Robert Sloan | 921ef2c | 2017-10-17 09:02:20 -0700 | [diff] [blame] | 3030 | // The following types back public C-exposed types which must live in the global |
| 3031 | // namespace. We use subclassing so the implementations may be C++ types with |
| 3032 | // methods and destructor without polluting the global namespace. |
| 3033 | struct ssl_ctx_st : public bssl::SSLContext {}; |
Robert Sloan | b6d070c | 2017-07-24 08:40:01 -0700 | [diff] [blame] | 3034 | struct ssl_st : public bssl::SSLConnection {}; |
| 3035 | |
Robert Sloan | b6d070c | 2017-07-24 08:40:01 -0700 | [diff] [blame] | 3036 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 3037 | #endif // OPENSSL_HEADER_SSL_INTERNAL_H |