1 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2 * All rights reserved. 3 * 4 * This package is an SSL implementation written 5 * by Eric Young (eay@cryptsoft.com). 6 * The implementation was written so as to conform with Netscapes SSL. 7 * 8 * This library is free for commercial and non-commercial use as long as 9 * the following conditions are aheared to. The following conditions 10 * apply to all code found in this distribution, be it the RC4, RSA, 11 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 12 * included with this distribution is covered by the same copyright terms 13 * except that the holder is Tim Hudson (tjh@cryptsoft.com). 14 * 15 * Copyright remains Eric Young's, and as such any Copyright notices in 16 * the code are not to be removed. 17 * If this package is used in a product, Eric Young should be given attribution 18 * as the author of the parts of the library used. 19 * This can be in the form of a textual message at program startup or 20 * in documentation (online or textual) provided with the package. 21 * 22 * Redistribution and use in source and binary forms, with or without 23 * modification, are permitted provided that the following conditions 24 * are met: 25 * 1. Redistributions of source code must retain the copyright 26 * notice, this list of conditions and the following disclaimer. 27 * 2. Redistributions in binary form must reproduce the above copyright 28 * notice, this list of conditions and the following disclaimer in the 29 * documentation and/or other materials provided with the distribution. 30 * 3. All advertising materials mentioning features or use of this software 31 * must display the following acknowledgement: 32 * "This product includes cryptographic software written by 33 * Eric Young (eay@cryptsoft.com)" 34 * The word 'cryptographic' can be left out if the rouines from the library 35 * being used are not cryptographic related :-). 36 * 4. If you include any Windows specific code (or a derivative thereof) from 37 * the apps directory (application code) you must include an acknowledgement: 38 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 39 * 40 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 41 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 43 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 44 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 45 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 46 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 48 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 49 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 50 * SUCH DAMAGE. 51 * 52 * The licence and distribution terms for any publically available version or 53 * derivative of this code cannot be changed. i.e. this code cannot simply be 54 * copied and put under another distribution licence 55 * [including the GNU Public Licence.] 56 */ 57 /* ==================================================================== 58 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved. 59 * 60 * Redistribution and use in source and binary forms, with or without 61 * modification, are permitted provided that the following conditions 62 * are met: 63 * 64 * 1. Redistributions of source code must retain the above copyright 65 * notice, this list of conditions and the following disclaimer. 66 * 67 * 2. Redistributions in binary form must reproduce the above copyright 68 * notice, this list of conditions and the following disclaimer in 69 * the documentation and/or other materials provided with the 70 * distribution. 71 * 72 * 3. All advertising materials mentioning features or use of this 73 * software must display the following acknowledgment: 74 * "This product includes software developed by the OpenSSL Project 75 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 76 * 77 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 78 * endorse or promote products derived from this software without 79 * prior written permission. For written permission, please contact 80 * openssl-core@openssl.org. 81 * 82 * 5. Products derived from this software may not be called "OpenSSL" 83 * nor may "OpenSSL" appear in their names without prior written 84 * permission of the OpenSSL Project. 85 * 86 * 6. Redistributions of any form whatsoever must retain the following 87 * acknowledgment: 88 * "This product includes software developed by the OpenSSL Project 89 * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 90 * 91 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 92 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 93 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 94 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 95 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 96 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 97 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 98 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 99 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 100 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 101 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 102 * OF THE POSSIBILITY OF SUCH DAMAGE. 103 * ==================================================================== 104 * 105 * This product includes cryptographic software written by Eric Young 106 * (eay@cryptsoft.com). This product includes software written by Tim 107 * Hudson (tjh@cryptsoft.com). 108 * 109 */ 110 /* ==================================================================== 111 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. 112 * ECC cipher suite support in OpenSSL originally developed by 113 * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project. 114 */ 115 /* ==================================================================== 116 * Copyright 2005 Nokia. All rights reserved. 117 * 118 * The portions of the attached software ("Contribution") is developed by 119 * Nokia Corporation and is licensed pursuant to the OpenSSL open source 120 * license. 121 * 122 * The Contribution, originally written by Mika Kousa and Pasi Eronen of 123 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites 124 * support (see RFC 4279) to OpenSSL. 125 * 126 * No patent licenses or other rights except those expressly stated in 127 * the OpenSSL open source license shall be deemed granted or received 128 * expressly, by implication, estoppel, or otherwise. 129 * 130 * No assurances are provided by Nokia that the Contribution does not 131 * infringe the patent or other intellectual property rights of any third 132 * party or that the license provides you with all the necessary rights 133 * to make use of the Contribution. 134 * 135 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN 136 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA 137 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY 138 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR 139 * OTHERWISE. 140 */ 141 142 #ifndef OPENSSL_HEADER_SSL_INTERNAL_H 143 #define OPENSSL_HEADER_SSL_INTERNAL_H 144 145 #include <openssl/base.h> 146 147 #include <openssl/aead.h> 148 #include <openssl/pqueue.h> 149 #include <openssl/ssl.h> 150 #include <openssl/stack.h> 151 152 #if defined(OPENSSL_WINDOWS) 153 /* Windows defines struct timeval in winsock2.h. */ 154 OPENSSL_MSVC_PRAGMA(warning(push, 3)) 155 #include <winsock2.h> 156 OPENSSL_MSVC_PRAGMA(warning(pop)) 157 #else 158 #include <sys/time.h> 159 #endif 160 161 162 /* Cipher suites. */ 163 164 /* Bits for |algorithm_mkey| (key exchange algorithm). */ 165 #define SSL_kRSA 0x00000001L 166 #define SSL_kDHE 0x00000002L 167 #define SSL_kECDHE 0x00000004L 168 /* SSL_kPSK is only set for plain PSK, not ECDHE_PSK. */ 169 #define SSL_kPSK 0x00000008L 170 #define SSL_kCECPQ1 0x00000010L 171 172 /* Bits for |algorithm_auth| (server authentication). */ 173 #define SSL_aRSA 0x00000001L 174 #define SSL_aECDSA 0x00000002L 175 /* SSL_aPSK is set for both PSK and ECDHE_PSK. */ 176 #define SSL_aPSK 0x00000004L 177 178 #define SSL_aCERT (SSL_aRSA | SSL_aECDSA) 179 180 /* Bits for |algorithm_enc| (symmetric encryption). */ 181 #define SSL_3DES 0x00000001L 182 #define SSL_RC4 0x00000002L 183 #define SSL_AES128 0x00000004L 184 #define SSL_AES256 0x00000008L 185 #define SSL_AES128GCM 0x00000010L 186 #define SSL_AES256GCM 0x00000020L 187 #define SSL_CHACHA20POLY1305_OLD 0x00000040L 188 #define SSL_eNULL 0x00000080L 189 #define SSL_CHACHA20POLY1305 0x00000100L 190 191 #define SSL_AES (SSL_AES128 | SSL_AES256 | SSL_AES128GCM | SSL_AES256GCM) 192 193 /* Bits for |algorithm_mac| (symmetric authentication). */ 194 #define SSL_MD5 0x00000001L 195 #define SSL_SHA1 0x00000002L 196 #define SSL_SHA256 0x00000004L 197 #define SSL_SHA384 0x00000008L 198 /* SSL_AEAD is set for all AEADs. */ 199 #define SSL_AEAD 0x00000010L 200 201 /* Bits for |algorithm_prf| (handshake digest). */ 202 #define SSL_HANDSHAKE_MAC_DEFAULT 0x1 203 #define SSL_HANDSHAKE_MAC_SHA256 0x2 204 #define SSL_HANDSHAKE_MAC_SHA384 0x4 205 206 /* SSL_MAX_DIGEST is the number of digest types which exist. When adding a new 207 * one, update the table in ssl_cipher.c. */ 208 #define SSL_MAX_DIGEST 4 209 210 /* ssl_cipher_get_evp_aead sets |*out_aead| to point to the correct EVP_AEAD 211 * object for |cipher| protocol version |version|. It sets |*out_mac_secret_len| 212 * and |*out_fixed_iv_len| to the MAC key length and fixed IV length, 213 * respectively. The MAC key length is zero except for legacy block and stream 214 * ciphers. It returns 1 on success and 0 on error. */ 215 int ssl_cipher_get_evp_aead(const EVP_AEAD **out_aead, 216 size_t *out_mac_secret_len, 217 size_t *out_fixed_iv_len, 218 const SSL_CIPHER *cipher, uint16_t version); 219 220 /* ssl_get_handshake_digest returns the |EVP_MD| corresponding to 221 * |algorithm_prf|. It returns SHA-1 for |SSL_HANDSHAKE_DEFAULT|. The caller is 222 * responsible for maintaining the additional MD5 digest and switching to 223 * SHA-256 in TLS 1.2. */ 224 const EVP_MD *ssl_get_handshake_digest(uint32_t algorithm_prf); 225 226 /* ssl_create_cipher_list evaluates |rule_str| according to the ciphers in 227 * |ssl_method|. It sets |*out_cipher_list| to a newly-allocated 228 * |ssl_cipher_preference_list_st| containing the result. 229 * |*out_cipher_list_by_id| is set to a list of selected ciphers sorted by 230 * id. It returns |(*out_cipher_list)->ciphers| on success and NULL on 231 * failure. */ 232 STACK_OF(SSL_CIPHER) * 233 ssl_create_cipher_list(const SSL_PROTOCOL_METHOD *ssl_method, 234 struct ssl_cipher_preference_list_st **out_cipher_list, 235 STACK_OF(SSL_CIPHER) **out_cipher_list_by_id, 236 const char *rule_str); 237 238 /* ssl_cipher_get_value returns the cipher suite id of |cipher|. */ 239 uint16_t ssl_cipher_get_value(const SSL_CIPHER *cipher); 240 241 /* ssl_cipher_get_key_type returns the |EVP_PKEY_*| value corresponding to the 242 * server key used in |cipher| or |EVP_PKEY_NONE| if there is none. */ 243 int ssl_cipher_get_key_type(const SSL_CIPHER *cipher); 244 245 /* ssl_cipher_uses_certificate_auth returns one if |cipher| authenticates the 246 * server and, optionally, the client with a certificate. Otherwise it returns 247 * zero. */ 248 int ssl_cipher_uses_certificate_auth(const SSL_CIPHER *cipher); 249 250 /* ssl_cipher_requires_server_key_exchange returns 1 if |cipher| requires a 251 * ServerKeyExchange message. Otherwise it returns 0. 252 * 253 * This function may return zero while still allowing |cipher| an optional 254 * ServerKeyExchange. This is the case for plain PSK ciphers. */ 255 int ssl_cipher_requires_server_key_exchange(const SSL_CIPHER *cipher); 256 257 /* ssl_cipher_get_record_split_len, for TLS 1.0 CBC mode ciphers, returns the 258 * length of an encrypted 1-byte record, for use in record-splitting. Otherwise 259 * it returns zero. */ 260 size_t ssl_cipher_get_record_split_len(const SSL_CIPHER *cipher); 261 262 263 /* Encryption layer. */ 264 265 /* SSL_AEAD_CTX contains information about an AEAD that is being used to encrypt 266 * an SSL connection. */ 267 struct ssl_aead_ctx_st { 268 const SSL_CIPHER *cipher; 269 EVP_AEAD_CTX ctx; 270 /* fixed_nonce contains any bytes of the nonce that are fixed for all 271 * records. */ 272 uint8_t fixed_nonce[12]; 273 uint8_t fixed_nonce_len, variable_nonce_len; 274 /* variable_nonce_included_in_record is non-zero if the variable nonce 275 * for a record is included as a prefix before the ciphertext. */ 276 char variable_nonce_included_in_record; 277 /* random_variable_nonce is non-zero if the variable nonce is 278 * randomly generated, rather than derived from the sequence 279 * number. */ 280 char random_variable_nonce; 281 /* omit_length_in_ad is non-zero if the length should be omitted in the 282 * AEAD's ad parameter. */ 283 char omit_length_in_ad; 284 /* omit_version_in_ad is non-zero if the version should be omitted 285 * in the AEAD's ad parameter. */ 286 char omit_version_in_ad; 287 /* omit_ad is non-zero if the AEAD's ad parameter should be omitted. */ 288 char omit_ad; 289 /* xor_fixed_nonce is non-zero if the fixed nonce should be XOR'd into the 290 * variable nonce rather than prepended. */ 291 char xor_fixed_nonce; 292 } /* SSL_AEAD_CTX */; 293 294 /* SSL_AEAD_CTX_new creates a newly-allocated |SSL_AEAD_CTX| using the supplied 295 * key material. It returns NULL on error. Only one of |SSL_AEAD_CTX_open| or 296 * |SSL_AEAD_CTX_seal| may be used with the resulting object, depending on 297 * |direction|. |version| is the normalized protocol version, so DTLS 1.0 is 298 * represented as 0x0301, not 0xffef. */ 299 SSL_AEAD_CTX *SSL_AEAD_CTX_new(enum evp_aead_direction_t direction, 300 uint16_t version, const SSL_CIPHER *cipher, 301 const uint8_t *enc_key, size_t enc_key_len, 302 const uint8_t *mac_key, size_t mac_key_len, 303 const uint8_t *fixed_iv, size_t fixed_iv_len); 304 305 /* SSL_AEAD_CTX_free frees |ctx|. */ 306 void SSL_AEAD_CTX_free(SSL_AEAD_CTX *ctx); 307 308 /* SSL_AEAD_CTX_explicit_nonce_len returns the length of the explicit nonce for 309 * |ctx|, if any. |ctx| may be NULL to denote the null cipher. */ 310 size_t SSL_AEAD_CTX_explicit_nonce_len(SSL_AEAD_CTX *ctx); 311 312 /* SSL_AEAD_CTX_max_overhead returns the maximum overhead of calling 313 * |SSL_AEAD_CTX_seal|. |ctx| may be NULL to denote the null cipher. */ 314 size_t SSL_AEAD_CTX_max_overhead(SSL_AEAD_CTX *ctx); 315 316 /* SSL_AEAD_CTX_open authenticates and decrypts |in_len| bytes from |in| 317 * in-place. On success, it sets |*out| to the plaintext in |in| and returns 318 * one. Otherwise, it returns zero. |ctx| may be NULL to denote the null cipher. 319 * The output will always be |explicit_nonce_len| bytes ahead of |in|. */ 320 int SSL_AEAD_CTX_open(SSL_AEAD_CTX *ctx, CBS *out, uint8_t type, 321 uint16_t wire_version, const uint8_t seqnum[8], 322 uint8_t *in, size_t in_len); 323 324 /* SSL_AEAD_CTX_seal encrypts and authenticates |in_len| bytes from |in| and 325 * writes the result to |out|. It returns one on success and zero on 326 * error. |ctx| may be NULL to denote the null cipher. 327 * 328 * If |in| and |out| alias then |out| + |explicit_nonce_len| must be == |in|. */ 329 int SSL_AEAD_CTX_seal(SSL_AEAD_CTX *ctx, uint8_t *out, size_t *out_len, 330 size_t max_out, uint8_t type, uint16_t wire_version, 331 const uint8_t seqnum[8], const uint8_t *in, 332 size_t in_len); 333 334 335 /* DTLS replay bitmap. */ 336 337 /* DTLS1_BITMAP maintains a sliding window of 64 sequence numbers to detect 338 * replayed packets. It should be initialized by zeroing every field. */ 339 typedef struct dtls1_bitmap_st { 340 /* map is a bit mask of the last 64 sequence numbers. Bit 341 * |1<<i| corresponds to |max_seq_num - i|. */ 342 uint64_t map; 343 /* max_seq_num is the largest sequence number seen so far as a 64-bit 344 * integer. */ 345 uint64_t max_seq_num; 346 } DTLS1_BITMAP; 347 348 349 /* Record layer. */ 350 351 /* ssl_record_sequence_update increments the sequence number in |seq|. It 352 * returns one on success and zero on wraparound. */ 353 int ssl_record_sequence_update(uint8_t *seq, size_t seq_len); 354 355 /* ssl_record_prefix_len returns the length of the prefix before the ciphertext 356 * of a record for |ssl|. 357 * 358 * TODO(davidben): Expose this as part of public API once the high-level 359 * buffer-free APIs are available. */ 360 size_t ssl_record_prefix_len(const SSL *ssl); 361 362 enum ssl_open_record_t { 363 ssl_open_record_success, 364 ssl_open_record_discard, 365 ssl_open_record_partial, 366 ssl_open_record_close_notify, 367 ssl_open_record_fatal_alert, 368 ssl_open_record_error, 369 }; 370 371 /* tls_open_record decrypts a record from |in| in-place. 372 * 373 * If the input did not contain a complete record, it returns 374 * |ssl_open_record_partial|. It sets |*out_consumed| to the total number of 375 * bytes necessary. It is guaranteed that a successful call to |tls_open_record| 376 * will consume at least that many bytes. 377 * 378 * Otherwise, it sets |*out_consumed| to the number of bytes of input 379 * consumed. Note that input may be consumed on all return codes if a record was 380 * decrypted. 381 * 382 * On success, it returns |ssl_open_record_success|. It sets |*out_type| to the 383 * record type and |*out| to the record body in |in|. Note that |*out| may be 384 * empty. 385 * 386 * If a record was successfully processed but should be discarded, it returns 387 * |ssl_open_record_discard|. 388 * 389 * If a record was successfully processed but is a close_notify or fatal alert, 390 * it returns |ssl_open_record_close_notify| or |ssl_open_record_fatal_alert|. 391 * 392 * On failure, it returns |ssl_open_record_error| and sets |*out_alert| to an 393 * alert to emit. */ 394 enum ssl_open_record_t tls_open_record(SSL *ssl, uint8_t *out_type, CBS *out, 395 size_t *out_consumed, uint8_t *out_alert, 396 uint8_t *in, size_t in_len); 397 398 /* dtls_open_record implements |tls_open_record| for DTLS. It never returns 399 * |ssl_open_record_partial| but otherwise behaves analogously. */ 400 enum ssl_open_record_t dtls_open_record(SSL *ssl, uint8_t *out_type, CBS *out, 401 size_t *out_consumed, 402 uint8_t *out_alert, uint8_t *in, 403 size_t in_len); 404 405 /* ssl_seal_align_prefix_len returns the length of the prefix before the start 406 * of the bulk of the ciphertext when sealing a record with |ssl|. Callers may 407 * use this to align buffers. 408 * 409 * Note when TLS 1.0 CBC record-splitting is enabled, this includes the one byte 410 * record and is the offset into second record's ciphertext. Thus this value may 411 * differ from |ssl_record_prefix_len| and sealing a small record may result in 412 * a smaller output than this value. 413 * 414 * TODO(davidben): Expose this as part of public API once the high-level 415 * buffer-free APIs are available. */ 416 size_t ssl_seal_align_prefix_len(const SSL *ssl); 417 418 /* ssl_max_seal_overhead returns the maximum overhead of sealing a record with 419 * |ssl|. 420 * 421 * TODO(davidben): Expose this as part of public API once the high-level 422 * buffer-free APIs are available. */ 423 size_t ssl_max_seal_overhead(const SSL *ssl); 424 425 /* tls_seal_record seals a new record of type |type| and body |in| and writes it 426 * to |out|. At most |max_out| bytes will be written. It returns one on success 427 * and zero on error. If enabled, |tls_seal_record| implements TLS 1.0 CBC 1/n-1 428 * record splitting and may write two records concatenated. 429 * 430 * For a large record, the bulk of the ciphertext will begin 431 * |ssl_seal_align_prefix_len| bytes into out. Aligning |out| appropriately may 432 * improve performance. It writes at most |in_len| + |ssl_max_seal_overhead| 433 * bytes to |out|. 434 * 435 * |in| and |out| may not alias. */ 436 int tls_seal_record(SSL *ssl, uint8_t *out, size_t *out_len, size_t max_out, 437 uint8_t type, const uint8_t *in, size_t in_len); 438 439 enum dtls1_use_epoch_t { 440 dtls1_use_previous_epoch, 441 dtls1_use_current_epoch, 442 }; 443 444 /* dtls_seal_record implements |tls_seal_record| for DTLS. |use_epoch| selects 445 * which epoch's cipher state to use. */ 446 int dtls_seal_record(SSL *ssl, uint8_t *out, size_t *out_len, size_t max_out, 447 uint8_t type, const uint8_t *in, size_t in_len, 448 enum dtls1_use_epoch_t use_epoch); 449 450 /* ssl_set_read_state sets |ssl|'s read cipher state to |aead_ctx|. It takes 451 * ownership of |aead_ctx|. */ 452 void ssl_set_read_state(SSL *ssl, SSL_AEAD_CTX *aead_ctx); 453 454 /* ssl_set_write_state sets |ssl|'s write cipher state to |aead_ctx|. It takes 455 * ownership of |aead_ctx|. */ 456 void ssl_set_write_state(SSL *ssl, SSL_AEAD_CTX *aead_ctx); 457 458 /* ssl_process_alert processes |in| as an alert and updates |ssl|'s shutdown 459 * state. It returns one of |ssl_open_record_discard|, |ssl_open_record_error|, 460 * |ssl_open_record_close_notify|, or |ssl_open_record_fatal_alert| as 461 * appropriate. */ 462 enum ssl_open_record_t ssl_process_alert(SSL *ssl, uint8_t *out_alert, 463 const uint8_t *in, size_t in_len); 464 465 466 /* Private key operations. */ 467 468 /* ssl_has_private_key returns one if |ssl| has a private key 469 * configured and zero otherwise. */ 470 int ssl_has_private_key(SSL *ssl); 471 472 /* ssl_private_key_* call the corresponding function on the 473 * |SSL_PRIVATE_KEY_METHOD| for |ssl|, if configured. Otherwise, they implement 474 * the operation with |EVP_PKEY|. */ 475 476 int ssl_private_key_type(SSL *ssl); 477 478 size_t ssl_private_key_max_signature_len(SSL *ssl); 479 480 enum ssl_private_key_result_t ssl_private_key_sign( 481 SSL *ssl, uint8_t *out, size_t *out_len, size_t max_out, const EVP_MD *md, 482 const uint8_t *in, size_t in_len); 483 484 enum ssl_private_key_result_t ssl_private_key_sign_complete( 485 SSL *ssl, uint8_t *out, size_t *out_len, size_t max_out); 486 487 enum ssl_private_key_result_t ssl_private_key_decrypt( 488 SSL *ssl, uint8_t *out, size_t *out_len, size_t max_out, 489 const uint8_t *in, size_t in_len); 490 491 enum ssl_private_key_result_t ssl_private_key_decrypt_complete( 492 SSL *ssl, uint8_t *out, size_t *out_len, size_t max_out); 493 494 495 /* Custom extensions */ 496 497 /* ssl_custom_extension (a.k.a. SSL_CUSTOM_EXTENSION) is a structure that 498 * contains information about custom-extension callbacks. */ 499 struct ssl_custom_extension { 500 SSL_custom_ext_add_cb add_callback; 501 void *add_arg; 502 SSL_custom_ext_free_cb free_callback; 503 SSL_custom_ext_parse_cb parse_callback; 504 void *parse_arg; 505 uint16_t value; 506 }; 507 508 void SSL_CUSTOM_EXTENSION_free(SSL_CUSTOM_EXTENSION *custom_extension); 509 510 int custom_ext_add_clienthello(SSL *ssl, CBB *extensions); 511 int custom_ext_parse_serverhello(SSL *ssl, int *out_alert, uint16_t value, 512 const CBS *extension); 513 int custom_ext_parse_clienthello(SSL *ssl, int *out_alert, uint16_t value, 514 const CBS *extension); 515 int custom_ext_add_serverhello(SSL *ssl, CBB *extensions); 516 517 518 /* Handshake hash. 519 * 520 * The TLS handshake maintains a transcript of all handshake messages. At 521 * various points in the protocol, this is either a handshake buffer, a rolling 522 * hash (selected by cipher suite) or both. */ 523 524 /* ssl3_init_handshake_buffer initializes the handshake buffer and resets the 525 * handshake hash. It returns one success and zero on failure. */ 526 int ssl3_init_handshake_buffer(SSL *ssl); 527 528 /* ssl3_init_handshake_hash initializes the handshake hash based on the pending 529 * cipher and the contents of the handshake buffer. Subsequent calls to 530 * |ssl3_update_handshake_hash| will update the rolling hash. It returns one on 531 * success and zero on failure. It is an error to call this function after the 532 * handshake buffer is released. */ 533 int ssl3_init_handshake_hash(SSL *ssl); 534 535 /* ssl3_free_handshake_buffer releases the handshake buffer. Subsequent calls 536 * to |ssl3_update_handshake_hash| will not update the handshake buffer. */ 537 void ssl3_free_handshake_buffer(SSL *ssl); 538 539 /* ssl3_free_handshake_hash releases the handshake hash. */ 540 void ssl3_free_handshake_hash(SSL *ssl); 541 542 /* ssl3_update_handshake_hash adds |in| to the handshake buffer and handshake 543 * hash, whichever is enabled. It returns one on success and zero on failure. */ 544 int ssl3_update_handshake_hash(SSL *ssl, const uint8_t *in, size_t in_len); 545 546 547 /* ECDH groups. */ 548 549 #define SSL_GROUP_SECP256R1 23 550 #define SSL_GROUP_SECP384R1 24 551 #define SSL_GROUP_SECP521R1 25 552 #define SSL_GROUP_X25519 29 553 #define SSL_GROUP_CECPQ1 65165 554 555 /* An SSL_ECDH_METHOD is an implementation of ECDH-like key exchanges for 556 * TLS. */ 557 struct ssl_ecdh_method_st { 558 int nid; 559 uint16_t group_id; 560 const char name[8]; 561 562 /* cleanup releases state in |ctx|. */ 563 void (*cleanup)(SSL_ECDH_CTX *ctx); 564 565 /* offer generates a keypair and writes the public value to 566 * |out_public_key|. It returns one on success and zero on error. */ 567 int (*offer)(SSL_ECDH_CTX *ctx, CBB *out_public_key); 568 569 /* accept performs a key exchange against the |peer_key| generated by |offer|. 570 * On success, it returns one, writes the public value to |out_public_key|, 571 * and sets |*out_secret| and |*out_secret_len| to a newly-allocated buffer 572 * containing the shared secret. The caller must release this buffer with 573 * |OPENSSL_free|. On failure, it returns zero and sets |*out_alert| to an 574 * alert to send to the peer. */ 575 int (*accept)(SSL_ECDH_CTX *ctx, CBB *out_public_key, uint8_t **out_secret, 576 size_t *out_secret_len, uint8_t *out_alert, 577 const uint8_t *peer_key, size_t peer_key_len); 578 579 /* finish performs a key exchange against the |peer_key| generated by 580 * |accept|. On success, it returns one and sets |*out_secret| and 581 * |*out_secret_len| to a newly-allocated buffer containing the shared 582 * secret. The caller must release this buffer with |OPENSSL_free|. On 583 * failure, it returns zero and sets |*out_alert| to an alert to send to the 584 * peer. */ 585 int (*finish)(SSL_ECDH_CTX *ctx, uint8_t **out_secret, size_t *out_secret_len, 586 uint8_t *out_alert, const uint8_t *peer_key, 587 size_t peer_key_len); 588 589 /* get_key initializes |out| with a length-prefixed key from |cbs|. It returns 590 * one on success and zero on error. */ 591 int (*get_key)(CBS *cbs, CBS *out); 592 593 /* add_key initializes |out_contents| to receive a key. Typically it will then 594 * be passed to |offer| or |accept|. It returns one on success and zero on 595 * error. */ 596 int (*add_key)(CBB *cbb, CBB *out_contents); 597 } /* SSL_ECDH_METHOD */; 598 599 /* ssl_nid_to_group_id looks up the group corresponding to |nid|. On success, it 600 * sets |*out_group_id| to the group ID and returns one. Otherwise, it returns 601 * zero. */ 602 int ssl_nid_to_group_id(uint16_t *out_group_id, int nid); 603 604 /* SSL_ECDH_CTX_init sets up |ctx| for use with curve |group_id|. It returns one 605 * on success and zero on error. */ 606 int SSL_ECDH_CTX_init(SSL_ECDH_CTX *ctx, uint16_t group_id); 607 608 /* SSL_ECDH_CTX_init_for_dhe sets up |ctx| for use with legacy DHE-based ciphers 609 * where the server specifies a group. It takes ownership of |params|. */ 610 void SSL_ECDH_CTX_init_for_dhe(SSL_ECDH_CTX *ctx, DH *params); 611 612 /* SSL_ECDH_CTX_cleanup releases memory associated with |ctx|. It is legal to 613 * call it in the zero state. */ 614 void SSL_ECDH_CTX_cleanup(SSL_ECDH_CTX *ctx); 615 616 /* SSL_ECDH_CTX_get_key calls the |get_key| method of |SSL_ECDH_METHOD|. */ 617 int SSL_ECDH_CTX_get_key(SSL_ECDH_CTX *ctx, CBS *cbs, CBS *out); 618 619 /* SSL_ECDH_CTX_add_key calls the |add_key| method of |SSL_ECDH_METHOD|. */ 620 int SSL_ECDH_CTX_add_key(SSL_ECDH_CTX *ctx, CBB *cbb, CBB *out_contents); 621 622 /* SSL_ECDH_CTX_offer calls the |offer| method of |SSL_ECDH_METHOD|. */ 623 int SSL_ECDH_CTX_offer(SSL_ECDH_CTX *ctx, CBB *out_public_key); 624 625 /* SSL_ECDH_CTX_accept calls the |accept| method of |SSL_ECDH_METHOD|. */ 626 int SSL_ECDH_CTX_accept(SSL_ECDH_CTX *ctx, CBB *out_public_key, 627 uint8_t **out_secret, size_t *out_secret_len, 628 uint8_t *out_alert, const uint8_t *peer_key, 629 size_t peer_key_len); 630 631 /* SSL_ECDH_CTX_finish the |finish| method of |SSL_ECDH_METHOD|. */ 632 int SSL_ECDH_CTX_finish(SSL_ECDH_CTX *ctx, uint8_t **out_secret, 633 size_t *out_secret_len, uint8_t *out_alert, 634 const uint8_t *peer_key, size_t peer_key_len); 635 636 /* Handshake messages. */ 637 638 /* ssl_max_handshake_message_len returns the maximum number of bytes permitted 639 * in a handshake message for |ssl|. */ 640 size_t ssl_max_handshake_message_len(const SSL *ssl); 641 642 643 /* Callbacks. */ 644 645 /* ssl_do_info_callback calls |ssl|'s info callback, if set. */ 646 void ssl_do_info_callback(const SSL *ssl, int type, int value); 647 648 /* ssl_do_msg_callback calls |ssl|'s message callback, if set. */ 649 void ssl_do_msg_callback(SSL *ssl, int is_write, int version, int content_type, 650 const void *buf, size_t len); 651 652 653 /* Transport buffers. */ 654 655 /* ssl_read_buffer returns a pointer to contents of the read buffer. */ 656 uint8_t *ssl_read_buffer(SSL *ssl); 657 658 /* ssl_read_buffer_len returns the length of the read buffer. */ 659 size_t ssl_read_buffer_len(const SSL *ssl); 660 661 /* ssl_read_buffer_extend_to extends the read buffer to the desired length. For 662 * TLS, it reads to the end of the buffer until the buffer is |len| bytes 663 * long. For DTLS, it reads a new packet and ignores |len|. It returns one on 664 * success, zero on EOF, and a negative number on error. 665 * 666 * It is an error to call |ssl_read_buffer_extend_to| in DTLS when the buffer is 667 * non-empty. */ 668 int ssl_read_buffer_extend_to(SSL *ssl, size_t len); 669 670 /* ssl_read_buffer_consume consumes |len| bytes from the read buffer. It 671 * advances the data pointer and decrements the length. The memory consumed will 672 * remain valid until the next call to |ssl_read_buffer_extend| or it is 673 * discarded with |ssl_read_buffer_discard|. */ 674 void ssl_read_buffer_consume(SSL *ssl, size_t len); 675 676 /* ssl_read_buffer_discard discards the consumed bytes from the read buffer. If 677 * the buffer is now empty, it releases memory used by it. */ 678 void ssl_read_buffer_discard(SSL *ssl); 679 680 /* ssl_read_buffer_clear releases all memory associated with the read buffer and 681 * zero-initializes it. */ 682 void ssl_read_buffer_clear(SSL *ssl); 683 684 /* ssl_write_buffer_is_pending returns one if the write buffer has pending data 685 * and zero if is empty. */ 686 int ssl_write_buffer_is_pending(const SSL *ssl); 687 688 /* ssl_write_buffer_init initializes the write buffer. On success, it sets 689 * |*out_ptr| to the start of the write buffer with space for up to |max_len| 690 * bytes. It returns one on success and zero on failure. Call 691 * |ssl_write_buffer_set_len| to complete initialization. */ 692 int ssl_write_buffer_init(SSL *ssl, uint8_t **out_ptr, size_t max_len); 693 694 /* ssl_write_buffer_set_len is called after |ssl_write_buffer_init| to complete 695 * initialization after |len| bytes are written to the buffer. */ 696 void ssl_write_buffer_set_len(SSL *ssl, size_t len); 697 698 /* ssl_write_buffer_flush flushes the write buffer to the transport. It returns 699 * one on success and <= 0 on error. For DTLS, whether or not the write 700 * succeeds, the write buffer will be cleared. */ 701 int ssl_write_buffer_flush(SSL *ssl); 702 703 /* ssl_write_buffer_clear releases all memory associated with the write buffer 704 * and zero-initializes it. */ 705 void ssl_write_buffer_clear(SSL *ssl); 706 707 708 /* Underdocumented functions. 709 * 710 * Functions below here haven't been touched up and may be underdocumented. */ 711 712 #define l2n(l, c) \ 713 (*((c)++) = (uint8_t)(((l) >> 24) & 0xff), \ 714 *((c)++) = (uint8_t)(((l) >> 16) & 0xff), \ 715 *((c)++) = (uint8_t)(((l) >> 8) & 0xff), \ 716 *((c)++) = (uint8_t)(((l)) & 0xff)) 717 718 #define s2n(s, c) \ 719 ((c[0] = (uint8_t)(((s) >> 8) & 0xff), \ 720 c[1] = (uint8_t)(((s)) & 0xff)), \ 721 c += 2) 722 723 #define l2n3(l, c) \ 724 ((c[0] = (uint8_t)(((l) >> 16) & 0xff), \ 725 c[1] = (uint8_t)(((l) >> 8) & 0xff), \ 726 c[2] = (uint8_t)(((l)) & 0xff)), \ 727 c += 3) 728 729 /* LOCAL STUFF */ 730 731 #define TLSEXT_CHANNEL_ID_SIZE 128 732 733 /* Check if an SSL structure is using DTLS */ 734 #define SSL_IS_DTLS(ssl) (ssl->method->is_dtls) 735 736 /* From RFC4492, used in encoding the curve type in ECParameters */ 737 #define NAMED_CURVE_TYPE 3 738 739 enum ssl_hash_message_t { 740 ssl_dont_hash_message, 741 ssl_hash_message, 742 }; 743 744 /* Structure containing decoded values of signature algorithms extension */ 745 typedef struct tls_sigalgs_st { 746 uint8_t rsign; 747 uint8_t rhash; 748 } TLS_SIGALGS; 749 750 typedef struct cert_st { 751 X509 *x509; 752 EVP_PKEY *privatekey; 753 /* Chain for this certificate */ 754 STACK_OF(X509) *chain; 755 756 /* key_method, if non-NULL, is a set of callbacks to call for private key 757 * operations. */ 758 const SSL_PRIVATE_KEY_METHOD *key_method; 759 760 /* For clients the following masks are of *disabled* key and auth algorithms 761 * based on the current configuration. 762 * 763 * TODO(davidben): Remove these. They get checked twice: when sending the 764 * ClientHello and when processing the ServerHello. */ 765 uint32_t mask_k; 766 uint32_t mask_a; 767 768 DH *dh_tmp; 769 DH *(*dh_tmp_cb)(SSL *ssl, int is_export, int keysize); 770 771 /* peer_sigalgs are the algorithm/hash pairs that the peer supports. These 772 * are taken from the contents of signature algorithms extension for a server 773 * or from the CertificateRequest for a client. */ 774 TLS_SIGALGS *peer_sigalgs; 775 /* peer_sigalgslen is the number of entries in |peer_sigalgs|. */ 776 size_t peer_sigalgslen; 777 778 /* digest_nids, if non-NULL, is the set of digests supported by |privatekey| 779 * in decreasing order of preference. */ 780 int *digest_nids; 781 size_t num_digest_nids; 782 783 /* Certificate setup callback: if set is called whenever a 784 * certificate may be required (client or server). the callback 785 * can then examine any appropriate parameters and setup any 786 * certificates required. This allows advanced applications 787 * to select certificates on the fly: for example based on 788 * supported signature algorithms or curves. */ 789 int (*cert_cb)(SSL *ssl, void *arg); 790 void *cert_cb_arg; 791 792 /* Optional X509_STORE for certificate validation. If NULL the parent SSL_CTX 793 * store is used instead. */ 794 X509_STORE *verify_store; 795 } CERT; 796 797 /* SSL_METHOD is a compatibility structure to support the legacy version-locked 798 * methods. */ 799 struct ssl_method_st { 800 /* version, if non-zero, is the only protocol version acceptable to an 801 * SSL_CTX initialized from this method. */ 802 uint16_t version; 803 /* method is the underlying SSL_PROTOCOL_METHOD that initializes the 804 * SSL_CTX. */ 805 const SSL_PROTOCOL_METHOD *method; 806 }; 807 808 /* Used to hold functions for SSLv2 or SSLv3/TLSv1 functions */ 809 struct ssl_protocol_method_st { 810 /* is_dtls is one if the protocol is DTLS and zero otherwise. */ 811 char is_dtls; 812 int (*ssl_new)(SSL *ssl); 813 void (*ssl_free)(SSL *ssl); 814 long (*ssl_get_message)(SSL *ssl, int msg_type, 815 enum ssl_hash_message_t hash_message, int *ok); 816 int (*ssl_read_app_data)(SSL *ssl, uint8_t *buf, int len, int peek); 817 int (*ssl_read_change_cipher_spec)(SSL *ssl); 818 void (*ssl_read_close_notify)(SSL *ssl); 819 int (*ssl_write_app_data)(SSL *ssl, const void *buf_, int len); 820 int (*ssl_dispatch_alert)(SSL *ssl); 821 /* supports_cipher returns one if |cipher| is supported by this protocol and 822 * zero otherwise. */ 823 int (*supports_cipher)(const SSL_CIPHER *cipher); 824 /* Handshake header length */ 825 unsigned int hhlen; 826 /* Set the handshake header */ 827 int (*set_handshake_header)(SSL *ssl, int type, unsigned long len); 828 /* Write out handshake message */ 829 int (*do_write)(SSL *ssl); 830 /* send_change_cipher_spec sends a ChangeCipherSpec message. */ 831 int (*send_change_cipher_spec)(SSL *ssl, int a, int b); 832 /* expect_flight is called when the handshake expects a flight of messages from 833 * the peer. */ 834 void (*expect_flight)(SSL *ssl); 835 /* received_flight is called when the handshake has received a flight of 836 * messages from the peer. */ 837 void (*received_flight)(SSL *ssl); 838 }; 839 840 /* This is for the SSLv3/TLSv1.0 differences in crypto/hash stuff It is a bit 841 * of a mess of functions, but hell, think of it as an opaque structure. */ 842 struct ssl3_enc_method { 843 /* prf computes the PRF function for |ssl|. It writes |out_len| bytes to 844 * |out|, using |secret| as the secret and |label| as the label. |seed1| and 845 * |seed2| are concatenated to form the seed parameter. It returns one on 846 * success and zero on failure. */ 847 int (*prf)(const SSL *ssl, uint8_t *out, size_t out_len, 848 const uint8_t *secret, size_t secret_len, const char *label, 849 size_t label_len, const uint8_t *seed1, size_t seed1_len, 850 const uint8_t *seed2, size_t seed2_len); 851 int (*final_finish_mac)(SSL *ssl, int from_server, uint8_t *out); 852 int (*cert_verify_mac)(SSL *, int, uint8_t *); 853 }; 854 855 #define SSL_HM_HEADER_LENGTH(ssl) ssl->method->hhlen 856 #define ssl_handshake_start(ssl) \ 857 (((uint8_t *)ssl->init_buf->data) + ssl->method->hhlen) 858 #define ssl_set_handshake_header(ssl, htype, len) \ 859 ssl->method->set_handshake_header(ssl, htype, len) 860 #define ssl_do_write(ssl) ssl->method->do_write(ssl) 861 862 /* lengths of messages */ 863 #define DTLS1_COOKIE_LENGTH 256 864 865 #define DTLS1_RT_HEADER_LENGTH 13 866 867 #define DTLS1_HM_HEADER_LENGTH 12 868 869 #define DTLS1_CCS_HEADER_LENGTH 1 870 871 #define DTLS1_AL_HEADER_LENGTH 2 872 873 /* TODO(davidben): This structure is used for both incoming messages and 874 * outgoing messages. |is_ccs| and |epoch| are only used in the latter and 875 * should be moved elsewhere. */ 876 struct hm_header_st { 877 uint8_t type; 878 uint32_t msg_len; 879 uint16_t seq; 880 uint32_t frag_off; 881 uint32_t frag_len; 882 int is_ccs; 883 /* epoch, for buffered outgoing messages, is the epoch the message was 884 * originally sent in. */ 885 uint16_t epoch; 886 }; 887 888 /* TODO(davidben): This structure is used for both incoming messages and 889 * outgoing messages. |fragment| and |reassembly| are only used in the former 890 * and should be moved elsewhere. */ 891 typedef struct hm_fragment_st { 892 struct hm_header_st msg_header; 893 uint8_t *fragment; 894 uint8_t *reassembly; 895 } hm_fragment; 896 897 typedef struct dtls1_state_st { 898 /* send_cookie is true if we are resending the ClientHello 899 * with a cookie from a HelloVerifyRequest. */ 900 unsigned int send_cookie; 901 902 uint8_t cookie[DTLS1_COOKIE_LENGTH]; 903 size_t cookie_len; 904 905 /* The current data and handshake epoch. This is initially undefined, and 906 * starts at zero once the initial handshake is completed. */ 907 uint16_t r_epoch; 908 uint16_t w_epoch; 909 910 /* records being received in the current epoch */ 911 DTLS1_BITMAP bitmap; 912 913 /* handshake message numbers. 914 * TODO(davidben): It doesn't make much sense to store both of these. Only 915 * store one. */ 916 uint16_t handshake_write_seq; 917 uint16_t next_handshake_write_seq; 918 919 uint16_t handshake_read_seq; 920 921 /* save last sequence number for retransmissions */ 922 uint8_t last_write_sequence[8]; 923 924 /* buffered_messages is a priority queue of incoming handshake messages that 925 * have yet to be processed. 926 * 927 * TODO(davidben): This data structure may as well be a ring buffer of fixed 928 * size. */ 929 pqueue buffered_messages; 930 931 /* send_messages is a priority queue of outgoing handshake messages sent in 932 * the most recent handshake flight. 933 * 934 * TODO(davidben): This data structure may as well be a STACK_OF(T). */ 935 pqueue sent_messages; 936 937 unsigned int mtu; /* max DTLS packet size */ 938 939 struct hm_header_st w_msg_hdr; 940 941 /* num_timeouts is the number of times the retransmit timer has fired since 942 * the last time it was reset. */ 943 unsigned int num_timeouts; 944 945 /* Indicates when the last handshake msg or heartbeat sent will 946 * timeout. */ 947 struct timeval next_timeout; 948 949 /* timeout_duration_ms is the timeout duration in milliseconds. */ 950 unsigned timeout_duration_ms; 951 } DTLS1_STATE; 952 953 extern const SSL3_ENC_METHOD TLSv1_enc_data; 954 extern const SSL3_ENC_METHOD SSLv3_enc_data; 955 956 int ssl_clear_bad_session(SSL *ssl); 957 CERT *ssl_cert_new(void); 958 CERT *ssl_cert_dup(CERT *cert); 959 void ssl_cert_clear_certs(CERT *c); 960 void ssl_cert_free(CERT *c); 961 int ssl_get_new_session(SSL *ssl, int is_server); 962 963 enum ssl_session_result_t { 964 ssl_session_success, 965 ssl_session_error, 966 ssl_session_retry, 967 }; 968 969 /* ssl_get_prev_session looks up the previous session based on |ctx|. On 970 * success, it sets |*out_session| to the session or NULL if none was found. It 971 * sets |*out_send_ticket| to whether a ticket should be sent at the end of the 972 * handshake. If the session could not be looked up synchronously, it returns 973 * |ssl_session_retry| and should be called again. Otherwise, it returns 974 * |ssl_session_error|. */ 975 enum ssl_session_result_t ssl_get_prev_session( 976 SSL *ssl, SSL_SESSION **out_session, int *out_send_ticket, 977 const struct ssl_early_callback_ctx *ctx); 978 979 STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *ssl, const CBS *cbs); 980 void ssl_cipher_preference_list_free( 981 struct ssl_cipher_preference_list_st *cipher_list); 982 struct ssl_cipher_preference_list_st *ssl_get_cipher_preferences(SSL *ssl); 983 984 int ssl_cert_set0_chain(CERT *cert, STACK_OF(X509) *chain); 985 int ssl_cert_set1_chain(CERT *cert, STACK_OF(X509) *chain); 986 int ssl_cert_add0_chain_cert(CERT *cert, X509 *x509); 987 int ssl_cert_add1_chain_cert(CERT *cert, X509 *x509); 988 void ssl_cert_set_cert_cb(CERT *cert, 989 int (*cb)(SSL *ssl, void *arg), void *arg); 990 991 int ssl_verify_cert_chain(SSL *ssl, STACK_OF(X509) *cert_chain); 992 int ssl_add_cert_chain(SSL *ssl, unsigned long *l); 993 void ssl_update_cache(SSL *ssl, int mode); 994 995 /* ssl_get_compatible_server_ciphers determines the key exchange and 996 * authentication cipher suite masks compatible with the server configuration 997 * and current ClientHello parameters of |ssl|. It sets |*out_mask_k| to the key 998 * exchange mask and |*out_mask_a| to the authentication mask. */ 999 void ssl_get_compatible_server_ciphers(SSL *ssl, uint32_t *out_mask_k, 1000 uint32_t *out_mask_a); 1001 1002 STACK_OF(SSL_CIPHER) *ssl_get_ciphers_by_id(SSL *ssl); 1003 int ssl_verify_alarm_type(long type); 1004 1005 /* ssl_fill_hello_random fills a client_random or server_random field of length 1006 * |len|. It returns one on success and zero on failure. */ 1007 int ssl_fill_hello_random(uint8_t *out, size_t len, int is_server); 1008 1009 int ssl3_get_finished(SSL *ssl); 1010 int ssl3_send_change_cipher_spec(SSL *ssl, int state_a, int state_b); 1011 void ssl3_cleanup_key_block(SSL *ssl); 1012 int ssl3_do_write(SSL *ssl, int type); 1013 int ssl3_send_alert(SSL *ssl, int level, int desc); 1014 int ssl3_get_req_cert_type(SSL *ssl, uint8_t *p); 1015 long ssl3_get_message(SSL *ssl, int msg_type, 1016 enum ssl_hash_message_t hash_message, int *ok); 1017 1018 /* ssl3_hash_current_message incorporates the current handshake message into the 1019 * handshake hash. It returns one on success and zero on allocation failure. */ 1020 int ssl3_hash_current_message(SSL *ssl); 1021 1022 /* ssl3_cert_verify_hash writes the CertificateVerify hash into the bytes 1023 * pointed to by |out| and writes the number of bytes to |*out_len|. |out| must 1024 * have room for EVP_MAX_MD_SIZE bytes. For TLS 1.2 and up, |*out_md| is used 1025 * for the hash function, otherwise the hash function depends on |pkey_type| 1026 * and is written to |*out_md|. It returns one on success and zero on 1027 * failure. */ 1028 int ssl3_cert_verify_hash(SSL *ssl, uint8_t *out, size_t *out_len, 1029 const EVP_MD **out_md, int pkey_type); 1030 1031 int ssl3_send_finished(SSL *ssl, int a, int b); 1032 int ssl3_supports_cipher(const SSL_CIPHER *cipher); 1033 int ssl3_dispatch_alert(SSL *ssl); 1034 int ssl3_read_app_data(SSL *ssl, uint8_t *buf, int len, int peek); 1035 int ssl3_read_change_cipher_spec(SSL *ssl); 1036 void ssl3_read_close_notify(SSL *ssl); 1037 int ssl3_read_bytes(SSL *ssl, int type, uint8_t *buf, int len, int peek); 1038 int ssl3_write_app_data(SSL *ssl, const void *buf, int len); 1039 int ssl3_write_bytes(SSL *ssl, int type, const void *buf, int len); 1040 int ssl3_output_cert_chain(SSL *ssl); 1041 const SSL_CIPHER *ssl3_choose_cipher( 1042 SSL *ssl, STACK_OF(SSL_CIPHER) *clnt, 1043 struct ssl_cipher_preference_list_st *srvr); 1044 1045 int ssl3_new(SSL *ssl); 1046 void ssl3_free(SSL *ssl); 1047 int ssl3_accept(SSL *ssl); 1048 int ssl3_connect(SSL *ssl); 1049 1050 int ssl3_set_handshake_header(SSL *ssl, int htype, unsigned long len); 1051 int ssl3_handshake_write(SSL *ssl); 1052 void ssl3_expect_flight(SSL *ssl); 1053 void ssl3_received_flight(SSL *ssl); 1054 1055 int dtls1_do_handshake_write(SSL *ssl, enum dtls1_use_epoch_t use_epoch); 1056 1057 /* dtls1_get_record reads a new input record. On success, it places it in 1058 * |ssl->s3->rrec| and returns one. Otherwise it returns <= 0 on error or if 1059 * more data is needed. */ 1060 int dtls1_get_record(SSL *ssl); 1061 1062 int dtls1_read_app_data(SSL *ssl, uint8_t *buf, int len, int peek); 1063 int dtls1_read_change_cipher_spec(SSL *ssl); 1064 void dtls1_read_close_notify(SSL *ssl); 1065 void dtls1_set_message_header(SSL *ssl, uint8_t mt, unsigned long len, 1066 unsigned short seq_num, unsigned long frag_off, 1067 unsigned long frag_len); 1068 1069 int dtls1_write_app_data(SSL *ssl, const void *buf, int len); 1070 1071 /* dtls1_write_record sends a record. It returns one on success and <= 0 on 1072 * error. */ 1073 int dtls1_write_record(SSL *ssl, int type, const uint8_t *buf, size_t len, 1074 enum dtls1_use_epoch_t use_epoch); 1075 1076 int dtls1_send_change_cipher_spec(SSL *ssl, int a, int b); 1077 int dtls1_send_finished(SSL *ssl, int a, int b, const char *sender, int slen); 1078 int dtls1_buffer_message(SSL *ssl); 1079 int dtls1_retransmit_buffered_messages(SSL *ssl); 1080 void dtls1_clear_record_buffer(SSL *ssl); 1081 int dtls1_parse_fragment(CBS *cbs, struct hm_header_st *out_hdr, 1082 CBS *out_body); 1083 int dtls1_check_timeout_num(SSL *ssl); 1084 int dtls1_set_handshake_header(SSL *ssl, int type, unsigned long len); 1085 int dtls1_handshake_write(SSL *ssl); 1086 void dtls1_expect_flight(SSL *ssl); 1087 void dtls1_received_flight(SSL *ssl); 1088 1089 int dtls1_supports_cipher(const SSL_CIPHER *cipher); 1090 void dtls1_start_timer(SSL *ssl); 1091 void dtls1_stop_timer(SSL *ssl); 1092 int dtls1_is_timer_expired(SSL *ssl); 1093 void dtls1_double_timeout(SSL *ssl); 1094 unsigned int dtls1_min_mtu(void); 1095 void dtls1_hm_fragment_free(hm_fragment *frag); 1096 1097 int dtls1_new(SSL *ssl); 1098 int dtls1_accept(SSL *ssl); 1099 int dtls1_connect(SSL *ssl); 1100 void dtls1_free(SSL *ssl); 1101 1102 long dtls1_get_message(SSL *ssl, int mt, enum ssl_hash_message_t hash_message, 1103 int *ok); 1104 int dtls1_dispatch_alert(SSL *ssl); 1105 1106 /* ssl_is_wbio_buffered returns one if |ssl|'s write BIO is buffered and zero 1107 * otherwise. */ 1108 int ssl_is_wbio_buffered(const SSL *ssl); 1109 1110 int ssl_init_wbio_buffer(SSL *ssl); 1111 void ssl_free_wbio_buffer(SSL *ssl); 1112 1113 int tls1_change_cipher_state(SSL *ssl, int which); 1114 int tls1_setup_key_block(SSL *ssl); 1115 int tls1_handshake_digest(SSL *ssl, uint8_t *out, size_t out_len); 1116 int tls1_generate_master_secret(SSL *ssl, uint8_t *out, const uint8_t *premaster, 1117 size_t premaster_len); 1118 1119 char ssl_early_callback_init(struct ssl_early_callback_ctx *ctx); 1120 1121 /* tls1_check_group_id returns one if |group_id| is consistent with both our 1122 * and the peer's group preferences. Note: if called as the client, only our 1123 * preferences are checked; the peer (the server) does not send preferences. */ 1124 int tls1_check_group_id(SSL *ssl, uint16_t group_id); 1125 1126 /* tls1_get_shared_group sets |*out_group_id| to the first preferred shared 1127 * group between client and server preferences and returns one. If none may be 1128 * found, it returns zero. */ 1129 int tls1_get_shared_group(SSL *ssl, uint16_t *out_group_id); 1130 1131 /* tls1_set_curves converts the array of |ncurves| NIDs pointed to by |curves| 1132 * into a newly allocated array of TLS group IDs. On success, the function 1133 * returns one and writes the array to |*out_group_ids| and its size to 1134 * |*out_group_ids_len|. Otherwise, it returns zero. */ 1135 int tls1_set_curves(uint16_t **out_group_ids, size_t *out_group_ids_len, 1136 const int *curves, size_t ncurves); 1137 1138 /* tls1_check_ec_cert returns one if |x| is an ECC certificate with curve and 1139 * point format compatible with the client's preferences. Otherwise it returns 1140 * zero. */ 1141 int tls1_check_ec_cert(SSL *ssl, X509 *x); 1142 1143 /* ssl_add_clienthello_tlsext writes ClientHello extensions to |out|. It 1144 * returns one on success and zero on failure. The |header_len| argument is the 1145 * length of the ClientHello written so far and is used to compute the padding 1146 * length. (It does not include the record header.) */ 1147 int ssl_add_clienthello_tlsext(SSL *ssl, CBB *out, size_t header_len); 1148 1149 int ssl_add_serverhello_tlsext(SSL *ssl, CBB *out); 1150 int ssl_parse_clienthello_tlsext(SSL *ssl, CBS *cbs); 1151 int ssl_parse_serverhello_tlsext(SSL *ssl, CBS *cbs); 1152 1153 #define tlsext_tick_md EVP_sha256 1154 1155 /* tls_process_ticket processes a session ticket from the client. On success, 1156 * it sets |*out_session| to the decrypted session or NULL if the ticket was 1157 * rejected. If the ticket was valid, it sets |*out_renew_ticket| to whether 1158 * the ticket should be renewed. It returns one on success and zero on fatal 1159 * error. */ 1160 int tls_process_ticket(SSL *ssl, SSL_SESSION **out_session, 1161 int *out_renew_ticket, const uint8_t *ticket, 1162 size_t ticket_len, const uint8_t *session_id, 1163 size_t session_id_len); 1164 1165 /* tls12_add_sigandhash assembles the SignatureAndHashAlgorithm corresponding to 1166 * |ssl|'s private key and |md|. The two-byte value is written to |out|. It 1167 * returns one on success and zero on failure. */ 1168 int tls12_add_sigandhash(SSL *ssl, CBB *out, const EVP_MD *md); 1169 1170 int tls12_get_sigid(int pkey_type); 1171 const EVP_MD *tls12_get_hash(uint8_t hash_alg); 1172 1173 /* tls1_channel_id_hash computes the hash to be signed by Channel ID and writes 1174 * it to |out|, which must contain at least |EVP_MAX_MD_SIZE| bytes. It returns 1175 * one on success and zero on failure. */ 1176 int tls1_channel_id_hash(SSL *ssl, uint8_t *out, size_t *out_len); 1177 1178 int tls1_record_handshake_hashes_for_channel_id(SSL *ssl); 1179 1180 /* ssl_log_rsa_client_key_exchange logs |premaster|, if logging is enabled for 1181 * |ssl|. It returns one on success and zero on failure. The entry is identified 1182 * by the first 8 bytes of |encrypted_premaster|. */ 1183 int ssl_log_rsa_client_key_exchange(const SSL *ssl, 1184 const uint8_t *encrypted_premaster, 1185 size_t encrypted_premaster_len, 1186 const uint8_t *premaster, 1187 size_t premaster_len); 1188 1189 /* ssl_log_master_secret logs |master|, if logging is enabled for |ssl|. It 1190 * returns one on success and zero on failure. The entry is identified by 1191 * |client_random|. */ 1192 int ssl_log_master_secret(const SSL *ssl, const uint8_t *client_random, 1193 size_t client_random_len, const uint8_t *master, 1194 size_t master_len); 1195 1196 /* ssl3_can_false_start returns one if |ssl| is allowed to False Start and zero 1197 * otherwise. */ 1198 int ssl3_can_false_start(const SSL *ssl); 1199 1200 /* ssl3_get_enc_method returns the SSL3_ENC_METHOD corresponding to 1201 * |version|. */ 1202 const SSL3_ENC_METHOD *ssl3_get_enc_method(uint16_t version); 1203 1204 /* ssl3_get_max_server_version returns the maximum SSL/TLS version number 1205 * supported by |ssl| as a server, or zero if all versions are disabled. */ 1206 uint16_t ssl3_get_max_server_version(const SSL *ssl); 1207 1208 /* ssl3_get_mutual_version selects the protocol version on |ssl| for a client 1209 * which advertises |client_version|. If no suitable version exists, it returns 1210 * zero. */ 1211 uint16_t ssl3_get_mutual_version(SSL *ssl, uint16_t client_version); 1212 1213 /* ssl3_get_max_client_version returns the maximum protocol version configured 1214 * for the client. It is guaranteed that the set of allowed versions at or below 1215 * this maximum version is contiguous. If all versions are disabled, it returns 1216 * zero. */ 1217 uint16_t ssl3_get_max_client_version(SSL *ssl); 1218 1219 /* ssl3_is_version_enabled returns one if |version| is an enabled protocol 1220 * version for |ssl| and zero otherwise. */ 1221 int ssl3_is_version_enabled(SSL *ssl, uint16_t version); 1222 1223 /* ssl3_version_from_wire maps |wire_version| to a protocol version. For 1224 * SSLv3/TLS, the version is returned as-is. For DTLS, the corresponding TLS 1225 * version is used. Note that this mapping is not injective but preserves 1226 * comparisons. 1227 * 1228 * TODO(davidben): To normalize some DTLS-specific code, move away from using 1229 * the wire version except at API boundaries. */ 1230 uint16_t ssl3_version_from_wire(const SSL *ssl, uint16_t wire_version); 1231 1232 /* ssl3_protocol_version returns |ssl|'s protocol version. It is an error to 1233 * call this function before the version is determined. */ 1234 uint16_t ssl3_protocol_version(const SSL *ssl); 1235 1236 uint32_t ssl_get_algorithm_prf(const SSL *ssl); 1237 int tls1_parse_peer_sigalgs(SSL *ssl, const CBS *sigalgs); 1238 1239 /* tls1_choose_signing_digest returns a digest for use with |ssl|'s private key 1240 * based on the peer's preferences the digests supported. */ 1241 const EVP_MD *tls1_choose_signing_digest(SSL *ssl); 1242 1243 size_t tls12_get_psigalgs(SSL *ssl, const uint8_t **psigs); 1244 1245 /* tls12_check_peer_sigalg checks that |hash| and |signature| are consistent 1246 * with |pkey| and |ssl|'s sent, supported signature algorithms and, if so, 1247 * writes the relevant digest into |*out_md| and returns 1. Otherwise it 1248 * returns 0 and writes an alert into |*out_alert|. */ 1249 int tls12_check_peer_sigalg(SSL *ssl, const EVP_MD **out_md, int *out_alert, 1250 uint8_t hash, uint8_t signature, EVP_PKEY *pkey); 1251 void ssl_set_client_disabled(SSL *ssl); 1252 1253 #endif /* OPENSSL_HEADER_SSL_INTERNAL_H */ 1254