1*de0e0e4dSAntonio Huete Jimenez /* $OpenBSD: ssl_locl.h,v 1.425 2022/09/10 15:29:33 jsing Exp $ */ 2f5b1c8a1SJohn Marino /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 3f5b1c8a1SJohn Marino * All rights reserved. 4f5b1c8a1SJohn Marino * 5f5b1c8a1SJohn Marino * This package is an SSL implementation written 6f5b1c8a1SJohn Marino * by Eric Young (eay@cryptsoft.com). 7f5b1c8a1SJohn Marino * The implementation was written so as to conform with Netscapes SSL. 8f5b1c8a1SJohn Marino * 9f5b1c8a1SJohn Marino * This library is free for commercial and non-commercial use as long as 10f5b1c8a1SJohn Marino * the following conditions are aheared to. The following conditions 11f5b1c8a1SJohn Marino * apply to all code found in this distribution, be it the RC4, RSA, 12f5b1c8a1SJohn Marino * lhash, DES, etc., code; not just the SSL code. The SSL documentation 13f5b1c8a1SJohn Marino * included with this distribution is covered by the same copyright terms 14f5b1c8a1SJohn Marino * except that the holder is Tim Hudson (tjh@cryptsoft.com). 15f5b1c8a1SJohn Marino * 16f5b1c8a1SJohn Marino * Copyright remains Eric Young's, and as such any Copyright notices in 17f5b1c8a1SJohn Marino * the code are not to be removed. 18f5b1c8a1SJohn Marino * If this package is used in a product, Eric Young should be given attribution 19f5b1c8a1SJohn Marino * as the author of the parts of the library used. 20f5b1c8a1SJohn Marino * This can be in the form of a textual message at program startup or 21f5b1c8a1SJohn Marino * in documentation (online or textual) provided with the package. 22f5b1c8a1SJohn Marino * 23f5b1c8a1SJohn Marino * Redistribution and use in source and binary forms, with or without 24f5b1c8a1SJohn Marino * modification, are permitted provided that the following conditions 25f5b1c8a1SJohn Marino * are met: 26f5b1c8a1SJohn Marino * 1. Redistributions of source code must retain the copyright 27f5b1c8a1SJohn Marino * notice, this list of conditions and the following disclaimer. 
28f5b1c8a1SJohn Marino * 2. Redistributions in binary form must reproduce the above copyright 29f5b1c8a1SJohn Marino * notice, this list of conditions and the following disclaimer in the 30f5b1c8a1SJohn Marino * documentation and/or other materials provided with the distribution. 31f5b1c8a1SJohn Marino * 3. All advertising materials mentioning features or use of this software 32f5b1c8a1SJohn Marino * must display the following acknowledgement: 33f5b1c8a1SJohn Marino * "This product includes cryptographic software written by 34f5b1c8a1SJohn Marino * Eric Young (eay@cryptsoft.com)" 35f5b1c8a1SJohn Marino * The word 'cryptographic' can be left out if the rouines from the library 36f5b1c8a1SJohn Marino * being used are not cryptographic related :-). 37f5b1c8a1SJohn Marino * 4. If you include any Windows specific code (or a derivative thereof) from 38f5b1c8a1SJohn Marino * the apps directory (application code) you must include an acknowledgement: 39f5b1c8a1SJohn Marino * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 40f5b1c8a1SJohn Marino * 41f5b1c8a1SJohn Marino * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 42f5b1c8a1SJohn Marino * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 43f5b1c8a1SJohn Marino * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 44f5b1c8a1SJohn Marino * ARE DISCLAIMED. 
IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 45f5b1c8a1SJohn Marino * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 46f5b1c8a1SJohn Marino * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 47f5b1c8a1SJohn Marino * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 48f5b1c8a1SJohn Marino * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 49f5b1c8a1SJohn Marino * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 50f5b1c8a1SJohn Marino * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 51f5b1c8a1SJohn Marino * SUCH DAMAGE. 52f5b1c8a1SJohn Marino * 53f5b1c8a1SJohn Marino * The licence and distribution terms for any publically available version or 54f5b1c8a1SJohn Marino * derivative of this code cannot be changed. i.e. this code cannot simply be 55f5b1c8a1SJohn Marino * copied and put under another distribution licence 56f5b1c8a1SJohn Marino * [including the GNU Public Licence.] 57f5b1c8a1SJohn Marino */ 58f5b1c8a1SJohn Marino /* ==================================================================== 59f5b1c8a1SJohn Marino * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved. 60f5b1c8a1SJohn Marino * 61f5b1c8a1SJohn Marino * Redistribution and use in source and binary forms, with or without 62f5b1c8a1SJohn Marino * modification, are permitted provided that the following conditions 63f5b1c8a1SJohn Marino * are met: 64f5b1c8a1SJohn Marino * 65f5b1c8a1SJohn Marino * 1. Redistributions of source code must retain the above copyright 66f5b1c8a1SJohn Marino * notice, this list of conditions and the following disclaimer. 67f5b1c8a1SJohn Marino * 68f5b1c8a1SJohn Marino * 2. 
Redistributions in binary form must reproduce the above copyright 69f5b1c8a1SJohn Marino * notice, this list of conditions and the following disclaimer in 70f5b1c8a1SJohn Marino * the documentation and/or other materials provided with the 71f5b1c8a1SJohn Marino * distribution. 72f5b1c8a1SJohn Marino * 73f5b1c8a1SJohn Marino * 3. All advertising materials mentioning features or use of this 74f5b1c8a1SJohn Marino * software must display the following acknowledgment: 75f5b1c8a1SJohn Marino * "This product includes software developed by the OpenSSL Project 76f5b1c8a1SJohn Marino * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 77f5b1c8a1SJohn Marino * 78f5b1c8a1SJohn Marino * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 79f5b1c8a1SJohn Marino * endorse or promote products derived from this software without 80f5b1c8a1SJohn Marino * prior written permission. For written permission, please contact 81f5b1c8a1SJohn Marino * openssl-core@openssl.org. 82f5b1c8a1SJohn Marino * 83f5b1c8a1SJohn Marino * 5. Products derived from this software may not be called "OpenSSL" 84f5b1c8a1SJohn Marino * nor may "OpenSSL" appear in their names without prior written 85f5b1c8a1SJohn Marino * permission of the OpenSSL Project. 86f5b1c8a1SJohn Marino * 87f5b1c8a1SJohn Marino * 6. Redistributions of any form whatsoever must retain the following 88f5b1c8a1SJohn Marino * acknowledgment: 89f5b1c8a1SJohn Marino * "This product includes software developed by the OpenSSL Project 90f5b1c8a1SJohn Marino * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 91f5b1c8a1SJohn Marino * 92f5b1c8a1SJohn Marino * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 93f5b1c8a1SJohn Marino * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 94f5b1c8a1SJohn Marino * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 95f5b1c8a1SJohn Marino * PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE OpenSSL PROJECT OR 96f5b1c8a1SJohn Marino * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 97f5b1c8a1SJohn Marino * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 98f5b1c8a1SJohn Marino * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 99f5b1c8a1SJohn Marino * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 100f5b1c8a1SJohn Marino * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 101f5b1c8a1SJohn Marino * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 102f5b1c8a1SJohn Marino * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 103f5b1c8a1SJohn Marino * OF THE POSSIBILITY OF SUCH DAMAGE. 104f5b1c8a1SJohn Marino * ==================================================================== 105f5b1c8a1SJohn Marino * 106f5b1c8a1SJohn Marino * This product includes cryptographic software written by Eric Young 107f5b1c8a1SJohn Marino * (eay@cryptsoft.com). This product includes software written by Tim 108f5b1c8a1SJohn Marino * Hudson (tjh@cryptsoft.com). 109f5b1c8a1SJohn Marino * 110f5b1c8a1SJohn Marino */ 111f5b1c8a1SJohn Marino /* ==================================================================== 112f5b1c8a1SJohn Marino * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. 113f5b1c8a1SJohn Marino * ECC cipher suite support in OpenSSL originally developed by 114f5b1c8a1SJohn Marino * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project. 115f5b1c8a1SJohn Marino */ 116f5b1c8a1SJohn Marino /* ==================================================================== 117f5b1c8a1SJohn Marino * Copyright 2005 Nokia. All rights reserved. 118f5b1c8a1SJohn Marino * 119f5b1c8a1SJohn Marino * The portions of the attached software ("Contribution") is developed by 120f5b1c8a1SJohn Marino * Nokia Corporation and is licensed pursuant to the OpenSSL open source 121f5b1c8a1SJohn Marino * license. 
122f5b1c8a1SJohn Marino * 123f5b1c8a1SJohn Marino * The Contribution, originally written by Mika Kousa and Pasi Eronen of 124f5b1c8a1SJohn Marino * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites 125f5b1c8a1SJohn Marino * support (see RFC 4279) to OpenSSL. 126f5b1c8a1SJohn Marino * 127f5b1c8a1SJohn Marino * No patent licenses or other rights except those expressly stated in 128f5b1c8a1SJohn Marino * the OpenSSL open source license shall be deemed granted or received 129f5b1c8a1SJohn Marino * expressly, by implication, estoppel, or otherwise. 130f5b1c8a1SJohn Marino * 131f5b1c8a1SJohn Marino * No assurances are provided by Nokia that the Contribution does not 132f5b1c8a1SJohn Marino * infringe the patent or other intellectual property rights of any third 133f5b1c8a1SJohn Marino * party or that the license provides you with all the necessary rights 134f5b1c8a1SJohn Marino * to make use of the Contribution. 135f5b1c8a1SJohn Marino * 136f5b1c8a1SJohn Marino * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN 137f5b1c8a1SJohn Marino * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA 138f5b1c8a1SJohn Marino * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY 139f5b1c8a1SJohn Marino * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR 140f5b1c8a1SJohn Marino * OTHERWISE. 
 */

#ifndef HEADER_SSL_LOCL_H
#define HEADER_SSL_LOCL_H

#include <sys/types.h>

#include <errno.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <unistd.h>

#include <openssl/opensslconf.h>

#include <openssl/bio.h>
#include <openssl/buffer.h>
#include <openssl/dsa.h>
#include <openssl/err.h>
#include <openssl/rsa.h>
#include <openssl/ssl.h>
#include <openssl/stack.h>

#include "bytestring.h"
#include "tls13_internal.h"

__BEGIN_HIDDEN_DECLS

/*
 * Compile-time assertion. Declares an extern array whose size is 1 when x
 * holds and -1 (a hard compile error) when it does not; nothing is emitted
 * at run time. Repeated uses with a true x are compatible redeclarations
 * of the same extern. Note that _ctassert is an underscore-prefixed
 * file-scope identifier, which the C standard reserves for the
 * implementation.
 */
#define CTASSERT(x) extern char _ctassert[(x) ? 1 : -1 ] \
	__attribute__((__unused__))

/*
 * Feature macros. Each is defined here unconditionally; the #ifndef guard
 * only avoids a redefinition if it was already set before this header.
 * LIBRESSL_HAS_TLS1_3 is derived from the client/server flags.
 */
#ifndef LIBRESSL_HAS_DTLS1_2
#define LIBRESSL_HAS_DTLS1_2
#endif

#ifndef LIBRESSL_HAS_TLS1_3_CLIENT
#define LIBRESSL_HAS_TLS1_3_CLIENT
#endif

#ifndef LIBRESSL_HAS_TLS1_3_SERVER
#define LIBRESSL_HAS_TLS1_3_SERVER
#endif

#if defined(LIBRESSL_HAS_TLS1_3_CLIENT) || defined(LIBRESSL_HAS_TLS1_3_SERVER)
#define LIBRESSL_HAS_TLS1_3
#endif

/* LOCAL STUFF */

/* Direction flags; presumably passed where a cipher is set up — see callers. */
#define SSL_DECRYPT	0
#define SSL_ENCRYPT	1

/*
 * Define the bitmasks for SSL_CIPHER.algorithms.
 * These bits are packed as densely as possible. If new methods/ciphers
 * etc. are added, the bits are likely to change, so this information
 * is for internal library use only, even though SSL_CIPHER.algorithms
 * can be publicly accessed.
 * Use the corresponding functions for cipher management instead.
 *
 * The bit mask handling in the selection and sorting scheme in
 * ssl_create_cipher_list() has only limited capabilities, reflecting
 * that the different entities within are mutually exclusive:
 * ONLY ONE BIT PER MASK CAN BE SET AT A TIME.
 */

/* Bits for algorithm_mkey (key exchange algorithm) */
#define SSL_kRSA		0x00000001L /* RSA key exchange */
#define SSL_kDHE		0x00000008L /* tmp DH key no DH cert */
#define SSL_kECDHE		0x00000080L /* ephemeral ECDH */
#define SSL_kGOST		0x00000200L /* GOST key exchange */
#define SSL_kTLS1_3		0x00000400L /* TLSv1.3 key exchange */

/* Bits for algorithm_auth (server authentication) */
#define SSL_aRSA		0x00000001L /* RSA auth */
#define SSL_aDSS		0x00000002L /* DSS auth */
#define SSL_aNULL		0x00000004L /* no auth (i.e. use ADH or AECDH) */
#define SSL_aECDSA		0x00000040L /* ECDSA auth*/
#define SSL_aGOST01		0x00000200L /* GOST R 34.10-2001 signature auth */
#define SSL_aTLS1_3		0x00000400L /* TLSv1.3 authentication */

/* Bits for algorithm_enc (symmetric encryption) */
#define SSL_DES			0x00000001L
#define SSL_3DES		0x00000002L
#define SSL_RC4			0x00000004L
#define SSL_IDEA		0x00000008L
#define SSL_eNULL		0x00000010L	/* no encryption */
#define SSL_AES128		0x00000020L
#define SSL_AES256		0x00000040L
#define SSL_CAMELLIA128		0x00000080L
#define SSL_CAMELLIA256		0x00000100L
#define SSL_eGOST2814789CNT	0x00000200L
#define SSL_AES128GCM		0x00000400L
#define SSL_AES256GCM		0x00000800L
#define SSL_CHACHA20POLY1305	0x00001000L

/* Convenience unions of the per-algorithm bits above. */
#define SSL_AES			(SSL_AES128|SSL_AES256|SSL_AES128GCM|SSL_AES256GCM)
#define SSL_CAMELLIA		(SSL_CAMELLIA128|SSL_CAMELLIA256)


/* Bits for algorithm_mac (symmetric authentication) */

#define SSL_MD5			0x00000001L
#define SSL_SHA1		0x00000002L
#define SSL_GOST94		0x00000004L
#define SSL_GOST89MAC		0x00000008L
#define SSL_SHA256		0x00000010L
#define SSL_SHA384		0x00000020L
/* Not a real MAC, just an indication it is part of cipher */
#define SSL_AEAD		0x00000040L
#define SSL_STREEBOG256		0x00000080L

/* Bits for algorithm_ssl (protocol version) */
#define SSL_SSLV3		0x00000002L
#define SSL_TLSV1		SSL_SSLV3	/* for now */
#define SSL_TLSV1_2		0x00000004L
#define SSL_TLSV1_3		0x00000008L


/* Bits for algorithm2 (handshake digests and other extra flags) */

/* SSL_HANDSHAKE_MAC_MASK (bits 4-11) covers every SSL_HANDSHAKE_MAC_* value. */
#define SSL_HANDSHAKE_MAC_MASK		0xff0
#define SSL_HANDSHAKE_MAC_MD5		0x010
#define SSL_HANDSHAKE_MAC_SHA		0x020
#define SSL_HANDSHAKE_MAC_GOST94	0x040
#define SSL_HANDSHAKE_MAC_SHA256	0x080
#define SSL_HANDSHAKE_MAC_SHA384	0x100
#define SSL_HANDSHAKE_MAC_STREEBOG256	0x200
#define SSL_HANDSHAKE_MAC_DEFAULT (SSL_HANDSHAKE_MAC_MD5 | SSL_HANDSHAKE_MAC_SHA)

/* Cipher id layout: 0x03 version byte in the top byte, suite value in the low 16 bits. */
#define SSL3_CK_ID		0x03000000
#define SSL3_CK_VALUE_MASK	0x0000ffff

/*
 * The PRF digest is the handshake MAC value shifted up by
 * TLS1_PRF_DGST_SHIFT. TLS1_PRF_DGST_SHIFT is defined after the mask that
 * uses it; that is fine because macro expansion is lazy.
 *
 * NOTE(review): TLS1_PRF_DGST_MASK is (0xff << 10), i.e. bits 10-17, but
 * TLS1_PRF_SHA384 (0x100 << 10) and TLS1_PRF_STREEBOG256 (0x200 << 10)
 * occupy bits 18 and 19, outside that mask. Confirm whether anything still
 * tests algorithm2 against TLS1_PRF_DGST_MASK before relying on it.
 */
#define TLS1_PRF_DGST_MASK	(0xff << TLS1_PRF_DGST_SHIFT)

#define TLS1_PRF_DGST_SHIFT 10
#define TLS1_PRF_MD5 (SSL_HANDSHAKE_MAC_MD5 << TLS1_PRF_DGST_SHIFT)
#define TLS1_PRF_SHA1 (SSL_HANDSHAKE_MAC_SHA << TLS1_PRF_DGST_SHIFT)
#define TLS1_PRF_SHA256 (SSL_HANDSHAKE_MAC_SHA256 << TLS1_PRF_DGST_SHIFT)
#define TLS1_PRF_SHA384 (SSL_HANDSHAKE_MAC_SHA384 << TLS1_PRF_DGST_SHIFT)
#define TLS1_PRF_GOST94 (SSL_HANDSHAKE_MAC_GOST94 << TLS1_PRF_DGST_SHIFT)
#define TLS1_PRF_STREEBOG256 (SSL_HANDSHAKE_MAC_STREEBOG256 << TLS1_PRF_DGST_SHIFT)
#define TLS1_PRF (TLS1_PRF_MD5 | TLS1_PRF_SHA1)

/*
 * Stream MAC for GOST ciphersuites from cryptopro draft
 * (currently this also goes into algorithm2).
 */
#define TLS1_STREAM_MAC 0x04

/*
 * SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD is an algorithm2 flag that
 * indicates that the variable part of the nonce is included as a prefix of
 * the record (AES-GCM, for example, does this with an 8-byte variable nonce.)
 */
#define SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD (1 << 22)

/*
 * SSL_CIPHER_AEAD_FIXED_NONCE_LEN returns the number of bytes of fixed nonce
 * for an SSL_CIPHER with an algorithm_mac of SSL_AEAD. The length is stored
 * as half its value in bits 24-27 of algorithm2, so the result is an even
 * number in the range 0..30. The argument is used unparenthesized as
 * ssl_cipher->algorithm2, so pass a plain pointer, not an expression.
 */
#define SSL_CIPHER_AEAD_FIXED_NONCE_LEN(ssl_cipher) \
	(((ssl_cipher->algorithm2 >> 24) & 0xf) * 2)

/*
 * Cipher strength information. SSL_STRONG_MASK (bits 2-8) covers each of
 * the strength values below.
 */
#define SSL_STRONG_MASK		0x000001fcL
#define SSL_STRONG_NONE		0x00000004L
#define SSL_LOW			0x00000020L
#define SSL_MEDIUM		0x00000040L
#define SSL_HIGH		0x00000080L

/*
 * The keylength (measured in RSA key bits, I guess) for temporary keys.
 * Cipher argument is so that this can be variable in the future.
 * NOTE(review): the argument c is ignored and the value is a constant 1024;
 * confirm which code paths, if any, still size a temporary key from this.
 */
#define SSL_C_PKEYLENGTH(c)	1024

/*
 * The SSL_USE_* predicates below read s->method->enc_flags. The argument s
 * is used unparenthesized, so pass a plain SSL pointer, not an expression.
 */

/* See if we use signature algorithms extension. */
#define SSL_USE_SIGALGS(s) \
	(s->method->enc_flags & SSL_ENC_FLAG_SIGALGS)

/* See if we use SHA256 default PRF. */
#define SSL_USE_SHA256_PRF(s) \
	(s->method->enc_flags & SSL_ENC_FLAG_SHA256_PRF)

/* Allow TLS 1.2 ciphersuites: applies to DTLS 1.2 as well as TLS 1.2. */
#define SSL_USE_TLS1_2_CIPHERS(s) \
	(s->method->enc_flags & SSL_ENC_FLAG_TLS1_2_CIPHERS)

/* Allow TLS 1.3 ciphersuites only.
 */
#define SSL_USE_TLS1_3_CIPHERS(s) \
	(s->method->enc_flags & SSL_ENC_FLAG_TLS1_3_CIPHERS)

/* Indices into SSL_CERT.pkeys; SSL_PKEY_NUM is the array length. */
#define SSL_PKEY_RSA		0
#define SSL_PKEY_ECC		1
#define SSL_PKEY_GOST01		2
#define SSL_PKEY_NUM		3

/* Upper bound on consecutive empty records tolerated — presumably checked by the record layer; see callers. */
#define SSL_MAX_EMPTY_RECORDS	32

/* SSL_kRSA <- RSA_ENC | (RSA_TMP & RSA_SIGN) |
 *	    <- (EXPORT & (RSA_ENC | RSA_TMP) & RSA_SIGN)
 * SSL_kDH  <- DH_ENC & (RSA_ENC | RSA_SIGN | DSA_SIGN)
 * SSL_kDHE <- RSA_ENC | RSA_SIGN | DSA_SIGN
 * SSL_aRSA <- RSA_ENC | RSA_SIGN
 * SSL_aDSS <- DSA_SIGN
 */

/* From ECC-TLS draft, used in encoding the curve type in
 * ECParameters
 */
#define EXPLICIT_PRIME_CURVE_TYPE	1
#define EXPLICIT_CHAR2_CURVE_TYPE	2
#define NAMED_CURVE_TYPE		3

/*
 * One certificate slot: the leaf certificate, its private key and a chain
 * (presumably the intermediates sent with x509 — verify against callers).
 */
typedef struct ssl_cert_pkey_st {
	X509 *x509;
	EVP_PKEY *privatekey;
	STACK_OF(X509) *chain;
} SSL_CERT_PKEY;

/*
 * Certificate configuration shared by an SSL_CTX / SSL. Reference counted
 * via the references field at the end.
 */
typedef struct ssl_cert_st {
	/* Current active set */
	/* ALWAYS points to an element of the pkeys array
	 * Probably it would make more sense to store
	 * an index, not a pointer.
	 */
	SSL_CERT_PKEY *key;

	/* One slot per SSL_PKEY_* index. */
	SSL_CERT_PKEY pkeys[SSL_PKEY_NUM];

	/* The following masks are for the key and auth
	 * algorithms that are supported by the certs in pkeys above.
	 * valid flags whether the masks have been computed. */
	int valid;
	unsigned long mask_k;
	unsigned long mask_a;

	/* Ephemeral DH parameters: fixed set, callback, or automatic selection. */
	DH *dhe_params;
	DH *(*dhe_params_cb)(SSL *ssl, int is_export, int keysize);
	int dhe_params_auto;

	int (*security_cb)(const SSL *s, const SSL_CTX *ctx, int op, int bits,
	    int nid, void *other, void *ex_data); /* Not exposed in API. */
	int security_level;
	void *security_ex_data; /* Not exposed in API. */

	int references; /* >1 only if SSL_copy_session_id is used */
} SSL_CERT;

/* Compression method descriptor: numeric id and its text name. */
struct ssl_comp_st {
	int id;
	const char *name;
};

/*
 * Cipher suite descriptor. The algorithm_* fields hold the SSL_k*, SSL_a*,
 * encryption, MAC and version bitmask values defined above; algorithm2
 * holds the handshake digest / PRF bits and the extra flags.
 */
struct ssl_cipher_st {
	int valid;
	const char *name;		/* text name */
	unsigned long id;		/* id, 4 bytes, first is version */

	unsigned long algorithm_mkey;	/* key exchange algorithm */
	unsigned long algorithm_auth;	/* server authentication */
	unsigned long algorithm_enc;	/* symmetric encryption */
	unsigned long algorithm_mac;	/* symmetric authentication */
	unsigned long algorithm_ssl;	/* (major) protocol version */

	unsigned long algo_strength;	/* strength and export flags */
	unsigned long algorithm2;	/* Extra flags */
	int strength_bits;		/* Number of bits really used */
	int alg_bits;			/* Number of bits for algorithm */
};

/*
 * Protocol method: per-protocol entry points plus the version range the
 * method supports. enc_flags is what the SSL_USE_* macros above test.
 */
struct ssl_method_st {
	int dtls;			/* non-zero for DTLS methods */
	int server;			/* non-zero for server methods */
	int version;

	/* Version bounds for this method; presumably in TLS wire encoding. */
	uint16_t min_tls_version;
	uint16_t max_tls_version;

	/* Lifecycle. */
	int (*ssl_new)(SSL *s);
	void (*ssl_clear)(SSL *s);
	void (*ssl_free)(SSL *s);

	/* Handshake and shutdown. */
	int (*ssl_accept)(SSL *s);
	int (*ssl_connect)(SSL *s);
	int (*ssl_shutdown)(SSL *s);

	int (*ssl_renegotiate)(SSL *s);
	int (*ssl_renegotiate_check)(SSL *s);

	/* Record I/O; the peek flag on ssl_read_bytes is passed through as is. */
	int (*ssl_pending)(const SSL *s);
	int (*ssl_read_bytes)(SSL *s, int type, unsigned char *buf, int len,
	    int peek);
	int (*ssl_write_bytes)(SSL *s, int type, const void *buf_, int len);

	/* Cipher table lookup by index. */
	const SSL_CIPHER *(*get_cipher)(unsigned int ncipher);

	unsigned int enc_flags;		/* SSL_ENC_FLAG_* */
};

/*
 * Let's make this into an ASN.1 type structure as follows
 * SSL_SESSION_ID ::= SEQUENCE {
 *	version 		INTEGER,	-- structure version number
 *	SSLversion 		INTEGER,	-- SSL version number
 *	Cipher 			OCTET STRING,	-- the 2 byte cipher ID
 *	Session_ID 		OCTET STRING,	-- the Session ID
 *	Master_key 		OCTET STRING,	-- the master key
 *	KRB5_principal		OCTET STRING	-- optional Kerberos principal
 *	Time [ 1 ] EXPLICIT	INTEGER,	-- optional Start Time
 *	Timeout [ 2 ] EXPLICIT	INTEGER,	-- optional Timeout in seconds
 *	Peer [ 3 ] EXPLICIT	X509,		-- 
optional Peer Certificate
 *	Session_ID_context [ 4 ] EXPLICIT OCTET STRING,   -- the Session ID context
 *	Verify_result [ 5 ] EXPLICIT INTEGER,   -- X509_V_... code for `Peer'
 *	HostName [ 6 ] EXPLICIT OCTET STRING,   -- optional HostName from servername TLS extension
 *	PSK_identity_hint [ 7 ] EXPLICIT OCTET STRING, -- optional PSK identity hint
 *	PSK_identity [ 8 ] EXPLICIT OCTET STRING,  -- optional PSK identity
 *	Ticket_lifetime_hint [9] EXPLICIT INTEGER, -- server's lifetime hint for session ticket
 *	Ticket [10]             EXPLICIT OCTET STRING, -- session ticket (clients only)
 *	Compression_meth [11]   EXPLICIT OCTET STRING, -- optional compression method
 *	SRP_username [ 12 ] EXPLICIT OCTET STRING -- optional SRP username
 *	}
 * Look in ssl/ssl_asn1.c for more details
 * I'm using EXPLICIT tags so I can read the damn things using asn1parse :-).
 */
/*
 * Resumable session state. Per the ASN.1 sketch above this structure,
 * including master_key, is what gets serialised (see ssl/ssl_asn1.c) and
 * what the prev/next cache links hold on to, so any store that persists
 * sessions persists the master secret with them.
 */
struct ssl_session_st {
	int ssl_version;	/* what ssl version session info is
				 * being kept in here? */

	/* Master secret; master_key_length bytes of the fixed-size buffer
	 * are in use and must never exceed SSL_MAX_MASTER_KEY_LENGTH. */
	size_t master_key_length;
	unsigned char master_key[SSL_MAX_MASTER_KEY_LENGTH];

	/* session_id - valid? session_id_length bytes of session_id are in use. */
	size_t session_id_length;
	unsigned char session_id[SSL_MAX_SSL_SESSION_ID_LENGTH];

	/* this is used to determine whether the session is being reused in
	 * the appropriate context. It is up to the application to set this,
	 * via SSL_new */
	size_t sid_ctx_length;
	unsigned char sid_ctx[SSL_MAX_SID_CTX_LENGTH];

	/* Peer provided leaf (end-entity) certificate. */
	X509 *peer_cert;
	int peer_cert_type;

	/* when app_verify_callback accepts a session where the peer's certificate
	 * is not ok, we must remember the error for session reuse: a resumed
	 * session therefore reports the originally stored code, not the result
	 * of a fresh verification. */
	long verify_result; /* only for servers */

	/* Lifetime: creation time and timeout; units as used by the callers. */
	long timeout;
	time_t time;
	int references;

	const SSL_CIPHER *cipher;
	unsigned long cipher_id;	/* when ASN.1 loaded, this
					 * needs to be used to load
					 * the 'cipher' structure */

	STACK_OF(SSL_CIPHER) *ciphers; /* shared ciphers? */

	/* Server name from the servername extension (see HostName above). */
	char *tlsext_hostname;

	/* RFC4507 info */
	unsigned char *tlsext_tick;	/* Session ticket */
	size_t tlsext_ticklen;		/* Session ticket length */
	uint32_t tlsext_tick_lifetime_hint;	/* Session lifetime hint in seconds */

	CRYPTO_EX_DATA ex_data; /* application specific data */

	/* These are used to make removal of session-ids more
	 * efficient and to implement a maximum cache size. */
	struct ssl_session_st *prev, *next;

	/* Used to indicate that session resumption is not allowed.
	 * Applications can also set this bit for a new session via
	 * not_resumable_session_cb to disable session caching and tickets. */
	int not_resumable;

	/* Peer-advertised EC point formats and supported groups, with lengths. */
	size_t tlsext_ecpointformatlist_length;
	uint8_t *tlsext_ecpointformatlist; /* peer's list */
	size_t tlsext_supportedgroups_length;
	uint16_t *tlsext_supportedgroups; /* peer's list */
};

struct ssl_sigalg;

/* Handshake state specific to TLS 1.2 and earlier. */
typedef struct ssl_handshake_tls12_st {
	/* Used when SSL_ST_FLUSH_DATA is entered. */
	int next_state;

	/* Handshake message type and size. */
	int message_type;
	unsigned long message_size;

	/* Reuse current handshake message. */
	int reuse_message;

	/* Client certificate requests. */
	int cert_request;
	STACK_OF(X509_NAME) *ca_names;

	/* Record-layer key block for TLS 1.2 and earlier. */
	struct tls12_key_block *key_block;

	/* Transcript hash prior to sending certificate verify message. */
	uint8_t cert_verify[EVP_MAX_MD_SIZE];
} SSL_HANDSHAKE_TLS12;

/* Handshake state specific to TLS 1.3. */
typedef struct ssl_handshake_tls13_st {
	int use_legacy;		/* fell back to the legacy (pre-1.3) stack */
	int hrr;		/* a HelloRetryRequest was sent/received */

	/* Client indicates psk_dhe_ke support in PskKeyExchangeMode. */
	int use_psk_dhe_ke;

	/* Certificate selected for use (static pointer). */
	const SSL_CERT_PKEY *cpk;

	/* Version proposed by peer server. */
	uint16_t server_version;

	uint16_t server_group;
	struct tls13_secrets *secrets;

	/* Cookie bytes and length; presumably the cookie extension payload
	 * associated with hrr above — verify against callers. */
	uint8_t *cookie;
	size_t cookie_len;

	/* Preserved transcript hash.
*/ 57172c33676SMaxim Ag uint8_t transcript_hash[EVP_MAX_MD_SIZE]; 57272c33676SMaxim Ag size_t transcript_hash_len; 573cca6fc52SDaniel Fojt 574cca6fc52SDaniel Fojt /* Legacy session ID. */ 575cca6fc52SDaniel Fojt uint8_t legacy_session_id[SSL_MAX_SSL_SESSION_ID_LENGTH]; 576cca6fc52SDaniel Fojt size_t legacy_session_id_len; 5778edacedfSDaniel Fojt 5788edacedfSDaniel Fojt /* ClientHello hash, used to validate following HelloRetryRequest */ 5798edacedfSDaniel Fojt EVP_MD_CTX *clienthello_md_ctx; 5808edacedfSDaniel Fojt unsigned char *clienthello_hash; 5818edacedfSDaniel Fojt unsigned int clienthello_hash_len; 5828edacedfSDaniel Fojt 583*de0e0e4dSAntonio Huete Jimenez /* QUIC read buffer and read/write encryption levels. */ 584*de0e0e4dSAntonio Huete Jimenez struct tls_buffer *quic_read_buffer; 585*de0e0e4dSAntonio Huete Jimenez enum ssl_encryption_level_t quic_read_level; 586*de0e0e4dSAntonio Huete Jimenez enum ssl_encryption_level_t quic_write_level; 58772c33676SMaxim Ag } SSL_HANDSHAKE_TLS13; 58872c33676SMaxim Ag 589*de0e0e4dSAntonio Huete Jimenez typedef struct ssl_handshake_st { 590*de0e0e4dSAntonio Huete Jimenez /* 591*de0e0e4dSAntonio Huete Jimenez * Minimum and maximum versions supported for this handshake. These are 592*de0e0e4dSAntonio Huete Jimenez * initialised at the start of a handshake based on the method in use 593*de0e0e4dSAntonio Huete Jimenez * and the current protocol version configuration. 594*de0e0e4dSAntonio Huete Jimenez */ 595*de0e0e4dSAntonio Huete Jimenez uint16_t our_min_tls_version; 596*de0e0e4dSAntonio Huete Jimenez uint16_t our_max_tls_version; 597*de0e0e4dSAntonio Huete Jimenez 598*de0e0e4dSAntonio Huete Jimenez /* 599*de0e0e4dSAntonio Huete Jimenez * Version negotiated for this session. For a client this is set once 600*de0e0e4dSAntonio Huete Jimenez * the server selected version is parsed from the ServerHello (either 601*de0e0e4dSAntonio Huete Jimenez * from the legacy version or supported versions extension). 
For a 602*de0e0e4dSAntonio Huete Jimenez * server this is set once we select the version we will use with the 603*de0e0e4dSAntonio Huete Jimenez * client. 604*de0e0e4dSAntonio Huete Jimenez */ 605*de0e0e4dSAntonio Huete Jimenez uint16_t negotiated_tls_version; 606*de0e0e4dSAntonio Huete Jimenez 607*de0e0e4dSAntonio Huete Jimenez /* 608*de0e0e4dSAntonio Huete Jimenez * Legacy version advertised by our peer. For a server this is the 609*de0e0e4dSAntonio Huete Jimenez * version specified by the client in the ClientHello message. For a 610*de0e0e4dSAntonio Huete Jimenez * client, this is the version provided in the ServerHello message. 611*de0e0e4dSAntonio Huete Jimenez */ 612*de0e0e4dSAntonio Huete Jimenez uint16_t peer_legacy_version; 613*de0e0e4dSAntonio Huete Jimenez 614*de0e0e4dSAntonio Huete Jimenez /* 615*de0e0e4dSAntonio Huete Jimenez * Current handshake state - contains one of the SSL3_ST_* values and 616*de0e0e4dSAntonio Huete Jimenez * is used by the TLSv1.2 state machine, as well as being updated by 617*de0e0e4dSAntonio Huete Jimenez * the TLSv1.3 stack due to it being exposed externally. 618*de0e0e4dSAntonio Huete Jimenez */ 619*de0e0e4dSAntonio Huete Jimenez int state; 620*de0e0e4dSAntonio Huete Jimenez 621*de0e0e4dSAntonio Huete Jimenez /* Cipher being negotiated in this handshake. */ 622*de0e0e4dSAntonio Huete Jimenez const SSL_CIPHER *cipher; 623*de0e0e4dSAntonio Huete Jimenez 624*de0e0e4dSAntonio Huete Jimenez /* Extensions seen in this handshake. */ 625*de0e0e4dSAntonio Huete Jimenez uint32_t extensions_seen; 626*de0e0e4dSAntonio Huete Jimenez 627*de0e0e4dSAntonio Huete Jimenez /* Signature algorithms selected for use (static pointers). 
*/ 628*de0e0e4dSAntonio Huete Jimenez const struct ssl_sigalg *our_sigalg; 629*de0e0e4dSAntonio Huete Jimenez const struct ssl_sigalg *peer_sigalg; 630*de0e0e4dSAntonio Huete Jimenez 631*de0e0e4dSAntonio Huete Jimenez /* sigalgs offered in this handshake in wire form */ 632*de0e0e4dSAntonio Huete Jimenez uint8_t *sigalgs; 633*de0e0e4dSAntonio Huete Jimenez size_t sigalgs_len; 634*de0e0e4dSAntonio Huete Jimenez 635*de0e0e4dSAntonio Huete Jimenez /* Key share for ephemeral key exchange. */ 636*de0e0e4dSAntonio Huete Jimenez struct tls_key_share *key_share; 637*de0e0e4dSAntonio Huete Jimenez 638*de0e0e4dSAntonio Huete Jimenez /* 639*de0e0e4dSAntonio Huete Jimenez * Copies of the verify data sent in our finished message and the 640*de0e0e4dSAntonio Huete Jimenez * verify data received in the finished message sent by our peer. 641*de0e0e4dSAntonio Huete Jimenez */ 642*de0e0e4dSAntonio Huete Jimenez uint8_t finished[EVP_MAX_MD_SIZE]; 643*de0e0e4dSAntonio Huete Jimenez size_t finished_len; 644*de0e0e4dSAntonio Huete Jimenez uint8_t peer_finished[EVP_MAX_MD_SIZE]; 645*de0e0e4dSAntonio Huete Jimenez size_t peer_finished_len; 646*de0e0e4dSAntonio Huete Jimenez 647*de0e0e4dSAntonio Huete Jimenez /* List of certificates received from our peer. */ 648*de0e0e4dSAntonio Huete Jimenez STACK_OF(X509) *peer_certs; 649*de0e0e4dSAntonio Huete Jimenez STACK_OF(X509) *peer_certs_no_leaf; 650*de0e0e4dSAntonio Huete Jimenez 651*de0e0e4dSAntonio Huete Jimenez SSL_HANDSHAKE_TLS12 tls12; 652*de0e0e4dSAntonio Huete Jimenez SSL_HANDSHAKE_TLS13 tls13; 653*de0e0e4dSAntonio Huete Jimenez } SSL_HANDSHAKE; 654*de0e0e4dSAntonio Huete Jimenez 655*de0e0e4dSAntonio Huete Jimenez typedef struct tls_session_ticket_ext_st TLS_SESSION_TICKET_EXT; 656*de0e0e4dSAntonio Huete Jimenez 657*de0e0e4dSAntonio Huete Jimenez /* TLS Session Ticket extension struct. 
*/ 658*de0e0e4dSAntonio Huete Jimenez struct tls_session_ticket_ext_st { 659*de0e0e4dSAntonio Huete Jimenez unsigned short length; 660*de0e0e4dSAntonio Huete Jimenez void *data; 661*de0e0e4dSAntonio Huete Jimenez }; 662*de0e0e4dSAntonio Huete Jimenez 663*de0e0e4dSAntonio Huete Jimenez struct tls12_key_block; 664*de0e0e4dSAntonio Huete Jimenez 665*de0e0e4dSAntonio Huete Jimenez struct tls12_key_block *tls12_key_block_new(void); 666*de0e0e4dSAntonio Huete Jimenez void tls12_key_block_free(struct tls12_key_block *kb); 667*de0e0e4dSAntonio Huete Jimenez void tls12_key_block_client_write(struct tls12_key_block *kb, CBS *mac_key, 668*de0e0e4dSAntonio Huete Jimenez CBS *key, CBS *iv); 669*de0e0e4dSAntonio Huete Jimenez void tls12_key_block_server_write(struct tls12_key_block *kb, CBS *mac_key, 670*de0e0e4dSAntonio Huete Jimenez CBS *key, CBS *iv); 671*de0e0e4dSAntonio Huete Jimenez int tls12_key_block_generate(struct tls12_key_block *kb, SSL *s, 672*de0e0e4dSAntonio Huete Jimenez const EVP_AEAD *aead, const EVP_CIPHER *cipher, const EVP_MD *mac_hash); 673*de0e0e4dSAntonio Huete Jimenez 6748edacedfSDaniel Fojt struct tls12_record_layer; 6758edacedfSDaniel Fojt 6768edacedfSDaniel Fojt struct tls12_record_layer *tls12_record_layer_new(void); 6778edacedfSDaniel Fojt void tls12_record_layer_free(struct tls12_record_layer *rl); 678*de0e0e4dSAntonio Huete Jimenez void tls12_record_layer_alert(struct tls12_record_layer *rl, 679*de0e0e4dSAntonio Huete Jimenez uint8_t *alert_desc); 680*de0e0e4dSAntonio Huete Jimenez int tls12_record_layer_write_overhead(struct tls12_record_layer *rl, 681*de0e0e4dSAntonio Huete Jimenez size_t *overhead); 682*de0e0e4dSAntonio Huete Jimenez int tls12_record_layer_read_protected(struct tls12_record_layer *rl); 683*de0e0e4dSAntonio Huete Jimenez int tls12_record_layer_write_protected(struct tls12_record_layer *rl); 684*de0e0e4dSAntonio Huete Jimenez void tls12_record_layer_set_aead(struct tls12_record_layer *rl, 685*de0e0e4dSAntonio Huete Jimenez const 
EVP_AEAD *aead); 686*de0e0e4dSAntonio Huete Jimenez void tls12_record_layer_set_cipher_hash(struct tls12_record_layer *rl, 687*de0e0e4dSAntonio Huete Jimenez const EVP_CIPHER *cipher, const EVP_MD *handshake_hash, 688*de0e0e4dSAntonio Huete Jimenez const EVP_MD *mac_hash); 6898edacedfSDaniel Fojt void tls12_record_layer_set_version(struct tls12_record_layer *rl, 6908edacedfSDaniel Fojt uint16_t version); 691*de0e0e4dSAntonio Huete Jimenez void tls12_record_layer_set_initial_epoch(struct tls12_record_layer *rl, 6928edacedfSDaniel Fojt uint16_t epoch); 693*de0e0e4dSAntonio Huete Jimenez uint16_t tls12_record_layer_read_epoch(struct tls12_record_layer *rl); 694*de0e0e4dSAntonio Huete Jimenez uint16_t tls12_record_layer_write_epoch(struct tls12_record_layer *rl); 695*de0e0e4dSAntonio Huete Jimenez int tls12_record_layer_use_write_epoch(struct tls12_record_layer *rl, 696*de0e0e4dSAntonio Huete Jimenez uint16_t epoch); 697*de0e0e4dSAntonio Huete Jimenez void tls12_record_layer_write_epoch_done(struct tls12_record_layer *rl, 6988edacedfSDaniel Fojt uint16_t epoch); 6998edacedfSDaniel Fojt void tls12_record_layer_clear_read_state(struct tls12_record_layer *rl); 7008edacedfSDaniel Fojt void tls12_record_layer_clear_write_state(struct tls12_record_layer *rl); 701*de0e0e4dSAntonio Huete Jimenez void tls12_record_layer_reflect_seq_num(struct tls12_record_layer *rl); 702*de0e0e4dSAntonio Huete Jimenez int tls12_record_layer_change_read_cipher_state(struct tls12_record_layer *rl, 703*de0e0e4dSAntonio Huete Jimenez CBS *mac_key, CBS *key, CBS *iv); 704*de0e0e4dSAntonio Huete Jimenez int tls12_record_layer_change_write_cipher_state(struct tls12_record_layer *rl, 705*de0e0e4dSAntonio Huete Jimenez CBS *mac_key, CBS *key, CBS *iv); 706*de0e0e4dSAntonio Huete Jimenez int tls12_record_layer_open_record(struct tls12_record_layer *rl, 707*de0e0e4dSAntonio Huete Jimenez uint8_t *buf, size_t buf_len, uint8_t **out, size_t *out_len); 7088edacedfSDaniel Fojt int 
tls12_record_layer_seal_record(struct tls12_record_layer *rl, 7098edacedfSDaniel Fojt uint8_t content_type, const uint8_t *content, size_t content_len, 7108edacedfSDaniel Fojt CBB *out); 7118edacedfSDaniel Fojt 712*de0e0e4dSAntonio Huete Jimenez typedef void (ssl_info_callback_fn)(const SSL *s, int type, int val); 713*de0e0e4dSAntonio Huete Jimenez typedef void (ssl_msg_callback_fn)(int is_write, int version, int content_type, 714*de0e0e4dSAntonio Huete Jimenez const void *buf, size_t len, SSL *ssl, void *arg); 715*de0e0e4dSAntonio Huete Jimenez 71672c33676SMaxim Ag typedef struct ssl_ctx_internal_st { 717*de0e0e4dSAntonio Huete Jimenez uint16_t min_tls_version; 718*de0e0e4dSAntonio Huete Jimenez uint16_t max_tls_version; 719*de0e0e4dSAntonio Huete Jimenez 720*de0e0e4dSAntonio Huete Jimenez /* 721*de0e0e4dSAntonio Huete Jimenez * These may be zero to imply minimum or maximum version supported by 722*de0e0e4dSAntonio Huete Jimenez * the method. 723*de0e0e4dSAntonio Huete Jimenez */ 724*de0e0e4dSAntonio Huete Jimenez uint16_t min_proto_version; 725*de0e0e4dSAntonio Huete Jimenez uint16_t max_proto_version; 72672c33676SMaxim Ag 72772c33676SMaxim Ag unsigned long options; 72872c33676SMaxim Ag unsigned long mode; 72972c33676SMaxim Ag 73072c33676SMaxim Ag /* If this callback is not null, it will be called each 73172c33676SMaxim Ag * time a session id is added to the cache. If this function 73272c33676SMaxim Ag * returns 1, it means that the callback will do a 73372c33676SMaxim Ag * SSL_SESSION_free() when it has finished using it. Otherwise, 73472c33676SMaxim Ag * on 0, it means the callback has finished with it. 73572c33676SMaxim Ag * If remove_session_cb is not null, it will be called when 73672c33676SMaxim Ag * a session-id is removed from the cache. After the call, 73772c33676SMaxim Ag * OpenSSL will SSL_SESSION_free() it. 
*/ 73872c33676SMaxim Ag int (*new_session_cb)(struct ssl_st *ssl, SSL_SESSION *sess); 73972c33676SMaxim Ag void (*remove_session_cb)(struct ssl_ctx_st *ctx, SSL_SESSION *sess); /* Lookup hook for sessions not in the local cache: data/len is the session id the peer offered, i.e. untrusted input; *copy presumably tells the library whether it must take its own reference on the returned session — confirm against the caller. */ 74072c33676SMaxim Ag SSL_SESSION *(*get_session_cb)(struct ssl_st *ssl, 74172c33676SMaxim Ag const unsigned char *data, int len, int *copy); 74272c33676SMaxim Ag 74372c33676SMaxim Ag /* if defined, these override the X509_verify_cert() calls */ /* NOTE(review): overriding means the library does no chain validation of its own for this context. The callback is the sole verdict on the peer's certificates and must fail closed (return 0) for anything it cannot positively verify. Contrast default_verify_callback below, which is handed the ok flag of the library's own verification and can only veto it (the handshake fails if it returns 0). */ 74472c33676SMaxim Ag int (*app_verify_callback)(X509_STORE_CTX *, void *); 74572c33676SMaxim Ag void *app_verify_arg; 74672c33676SMaxim Ag 74772c33676SMaxim Ag /* get client cert callback */ 74872c33676SMaxim Ag int (*client_cert_cb)(SSL *ssl, X509 **x509, EVP_PKEY **pkey); 74972c33676SMaxim Ag 75072c33676SMaxim Ag /* cookie generate callback */ /* The cookie buffer's capacity is not passed in; the caller presumably guarantees a fixed maximum — confirm it before writing more than a few bytes, and report the bytes written through cookie_len. */ 75172c33676SMaxim Ag int (*app_gen_cookie_cb)(SSL *ssl, unsigned char *cookie, 75272c33676SMaxim Ag unsigned int *cookie_len); 75372c33676SMaxim Ag 75472c33676SMaxim Ag /* verify cookie callback */ /* cookie/cookie_len are echoed back by the peer and must be treated as untrusted; compare against the expected value in constant time. */ 75572c33676SMaxim Ag int (*app_verify_cookie_cb)(SSL *ssl, const unsigned char *cookie, 75672c33676SMaxim Ag unsigned int cookie_len); 75772c33676SMaxim Ag 758*de0e0e4dSAntonio Huete Jimenez ssl_info_callback_fn *info_callback; 75972c33676SMaxim Ag 76072c33676SMaxim Ag /* callback that allows applications to peek at protocol messages */ 761*de0e0e4dSAntonio Huete Jimenez ssl_msg_callback_fn *msg_callback; 76272c33676SMaxim Ag void *msg_callback_arg; 76372c33676SMaxim Ag 76472c33676SMaxim Ag int (*default_verify_callback)(int ok,X509_STORE_CTX *ctx); /* called 'verify_callback' in the SSL */ 76572c33676SMaxim Ag 76672c33676SMaxim Ag /* Default generate session ID callback.
*/ 76772c33676SMaxim Ag GEN_SESSION_CB generate_session_id; 76872c33676SMaxim Ag 76972c33676SMaxim Ag /* TLS extensions servername callback */ 77072c33676SMaxim Ag int (*tlsext_servername_callback)(SSL*, int *, void *); 77172c33676SMaxim Ag void *tlsext_servername_arg; 77272c33676SMaxim Ag 77372c33676SMaxim Ag /* Callback to support customisation of ticket key setting */ /* Receives the ticket key name, IV, cipher and HMAC contexts and an encrypt/decrypt flag (enc), so it is the hook for per-key lookup and key rotation; when set it presumably takes the place of the single fixed tlsext_tick_*_key set further down — confirm in the ticket code. */ 77472c33676SMaxim Ag int (*tlsext_ticket_key_cb)(SSL *ssl, unsigned char *name, 77572c33676SMaxim Ag unsigned char *iv, EVP_CIPHER_CTX *ectx, HMAC_CTX *hctx, int enc); 77672c33676SMaxim Ag 77772c33676SMaxim Ag /* certificate status request info */ 77872c33676SMaxim Ag /* Callback for status request */ 77972c33676SMaxim Ag int (*tlsext_status_cb)(SSL *ssl, void *arg); 78072c33676SMaxim Ag void *tlsext_status_arg; 78172c33676SMaxim Ag 78272c33676SMaxim Ag struct lhash_st_SSL_SESSION *sessions; 78372c33676SMaxim Ag 78472c33676SMaxim Ag /* Maximum number of session-ids that will be cached, default is 78572c33676SMaxim Ag * SSL_SESSION_CACHE_MAX_SIZE_DEFAULT. 0 is unlimited. */ /* NOTE(review): "unlimited" means any client that can complete handshakes can grow server memory without bound; keep a finite limit on exposed servers (stats.sess_cache_full counts the resulting evictions). */ 78672c33676SMaxim Ag unsigned long session_cache_size; 78772c33676SMaxim Ag struct ssl_session_st *session_cache_head; 78872c33676SMaxim Ag struct ssl_session_st *session_cache_tail; 78972c33676SMaxim Ag 79072c33676SMaxim Ag /* This can have one of 2 values, OR'd together, 79172c33676SMaxim Ag * SSL_SESS_CACHE_CLIENT, 79272c33676SMaxim Ag * SSL_SESS_CACHE_SERVER, 79372c33676SMaxim Ag * Default is SSL_SESS_CACHE_SERVER, which means only 79472c33676SMaxim Ag * SSL_accept() caches SSL_SESSIONs.
*/ 79572c33676SMaxim Ag int session_cache_mode; 79672c33676SMaxim Ag 79772c33676SMaxim Ag struct { 79872c33676SMaxim Ag int sess_connect; /* SSL new conn - started */ 79972c33676SMaxim Ag int sess_connect_renegotiate;/* SSL reneg - requested */ 80072c33676SMaxim Ag int sess_connect_good; /* SSL new conne/reneg - finished */ 80172c33676SMaxim Ag int sess_accept; /* SSL new accept - started */ 80272c33676SMaxim Ag int sess_accept_renegotiate;/* SSL reneg - requested */ 80372c33676SMaxim Ag int sess_accept_good; /* SSL accept/reneg - finished */ 80472c33676SMaxim Ag int sess_miss; /* session lookup misses */ 80572c33676SMaxim Ag int sess_timeout; /* reuse attempt on timeouted session */ 80672c33676SMaxim Ag int sess_cache_full; /* session removed due to full cache */ 80772c33676SMaxim Ag int sess_hit; /* session reuse actually done */ 80872c33676SMaxim Ag int sess_cb_hit; /* session-id that was not 80972c33676SMaxim Ag * in the cache was 81072c33676SMaxim Ag * passed back via the callback. This 81172c33676SMaxim Ag * indicates that the application is 81272c33676SMaxim Ag * supplying session-id's from other 81372c33676SMaxim Ag * processes - spooky :-) */ 81472c33676SMaxim Ag } stats; 81572c33676SMaxim Ag 81672c33676SMaxim Ag CRYPTO_EX_DATA ex_data; 81772c33676SMaxim Ag 8188edacedfSDaniel Fojt STACK_OF(SSL_CIPHER) *cipher_list_tls13; 81972c33676SMaxim Ag 820*de0e0e4dSAntonio Huete Jimenez SSL_CERT *cert; 82172c33676SMaxim Ag 82272c33676SMaxim Ag /* Default values used when no per-SSL value is defined follow */ 82372c33676SMaxim Ag 82472c33676SMaxim Ag /* what we put in client cert requests */ 82572c33676SMaxim Ag STACK_OF(X509_NAME) *client_CA; 82672c33676SMaxim Ag 82772c33676SMaxim Ag long max_cert_list; 82872c33676SMaxim Ag 82972c33676SMaxim Ag int read_ahead; 83072c33676SMaxim Ag 83172c33676SMaxim Ag int quiet_shutdown; 83272c33676SMaxim Ag 83372c33676SMaxim Ag /* Maximum amount of data to send in one fragment. 
83472c33676SMaxim Ag * actual record size can be more than this due to 83572c33676SMaxim Ag * padding and MAC overheads. 83672c33676SMaxim Ag */ 83772c33676SMaxim Ag unsigned int max_send_fragment; 83872c33676SMaxim Ag 83972c33676SMaxim Ag #ifndef OPENSSL_NO_ENGINE 84072c33676SMaxim Ag /* Engine to pass requests for client certs to 84172c33676SMaxim Ag */ 84272c33676SMaxim Ag ENGINE *client_cert_engine; 84372c33676SMaxim Ag #endif 84472c33676SMaxim Ag 84572c33676SMaxim Ag /* RFC 4507 session ticket keys */ /* Three fixed 16-byte values: the key name identifies which key a ticket was issued under, and — going by their names — the HMAC key is the ticket's integrity key and the AES key its confidentiality key. NOTE(review): these are long-lived secrets. If used as their names suggest, whoever holds them can decrypt and forge tickets, i.e. mint resumable sessions for this context, and nothing in this structure rotates them; use tlsext_ticket_key_cb for rotation and make sure they are wiped (explicit_bzero) when the context is freed. */ 84672c33676SMaxim Ag unsigned char tlsext_tick_key_name[16]; 84772c33676SMaxim Ag unsigned char tlsext_tick_hmac_key[16]; 84872c33676SMaxim Ag unsigned char tlsext_tick_aes_key[16]; 84972c33676SMaxim Ag 85072c33676SMaxim Ag /* SRTP profiles we are willing to do from RFC 5764 */ 85172c33676SMaxim Ag STACK_OF(SRTP_PROTECTION_PROFILE) *srtp_profiles; 85272c33676SMaxim Ag 85372c33676SMaxim Ag /* 85472c33676SMaxim Ag * ALPN information. 85572c33676SMaxim Ag */ 85672c33676SMaxim Ag 85772c33676SMaxim Ag /* 85872c33676SMaxim Ag * Server callback function that allows the server to select the 85972c33676SMaxim Ag * protocol for the connection. 86072c33676SMaxim Ag * out: on successful return, this must point to the raw protocol 86172c33676SMaxim Ag * name (without the length prefix). 86272c33676SMaxim Ag * outlen: on successful return, this contains the length of out. 86372c33676SMaxim Ag * in: points to the client's list of supported protocols in 86472c33676SMaxim Ag * wire-format. 86572c33676SMaxim Ag * inlen: the length of in. 86672c33676SMaxim Ag */ /* NOTE(review): in/inlen are peer-supplied and must be parsed as untrusted wire data (each length-prefixed entry checked against the remaining inlen). out has to stay valid after the callback returns — pointing into 'in' or into static storage is the usual way; confirm what the caller expects. */ 86772c33676SMaxim Ag int (*alpn_select_cb)(SSL *s, const unsigned char **out, 86872c33676SMaxim Ag unsigned char *outlen, const unsigned char *in, unsigned int inlen, 86972c33676SMaxim Ag void *arg); 87072c33676SMaxim Ag void *alpn_select_cb_arg; 87172c33676SMaxim Ag 87272c33676SMaxim Ag /* Client list of supported protocols in wire format.
*/ 873*de0e0e4dSAntonio Huete Jimenez uint8_t *alpn_client_proto_list; 874*de0e0e4dSAntonio Huete Jimenez size_t alpn_client_proto_list_len; 87572c33676SMaxim Ag 87672c33676SMaxim Ag size_t tlsext_ecpointformatlist_length; 87772c33676SMaxim Ag uint8_t *tlsext_ecpointformatlist; /* our list */ 87872c33676SMaxim Ag size_t tlsext_supportedgroups_length; 87972c33676SMaxim Ag uint16_t *tlsext_supportedgroups; /* our list */ 880*de0e0e4dSAntonio Huete Jimenez SSL_CTX_keylog_cb_func keylog_callback; /* Unused. For OpenSSL compatibility. */ 881*de0e0e4dSAntonio Huete Jimenez size_t num_tickets; /* Unused, for OpenSSL compatibility */ 88272c33676SMaxim Ag } SSL_CTX_INTERNAL; 88372c33676SMaxim Ag 884*de0e0e4dSAntonio Huete Jimenez struct ssl_ctx_st { 885*de0e0e4dSAntonio Huete Jimenez const SSL_METHOD *method; 886*de0e0e4dSAntonio Huete Jimenez const SSL_QUIC_METHOD *quic_method; 887*de0e0e4dSAntonio Huete Jimenez 888*de0e0e4dSAntonio Huete Jimenez STACK_OF(SSL_CIPHER) *cipher_list; 889*de0e0e4dSAntonio Huete Jimenez 890*de0e0e4dSAntonio Huete Jimenez struct x509_store_st /* X509_STORE */ *cert_store; 891*de0e0e4dSAntonio Huete Jimenez 892*de0e0e4dSAntonio Huete Jimenez /* If timeout is not 0, it is the default timeout value set 893*de0e0e4dSAntonio Huete Jimenez * when SSL_new() is called. 
This has been put in to make 894*de0e0e4dSAntonio Huete Jimenez * life easier to set things up */ 895*de0e0e4dSAntonio Huete Jimenez long session_timeout; 896*de0e0e4dSAntonio Huete Jimenez 897*de0e0e4dSAntonio Huete Jimenez int references; 898*de0e0e4dSAntonio Huete Jimenez 899*de0e0e4dSAntonio Huete Jimenez /* Default values to use in SSL structures follow (these are copied by SSL_new) */ 900*de0e0e4dSAntonio Huete Jimenez 901*de0e0e4dSAntonio Huete Jimenez STACK_OF(X509) *extra_certs; 902*de0e0e4dSAntonio Huete Jimenez 903*de0e0e4dSAntonio Huete Jimenez int verify_mode; 904*de0e0e4dSAntonio Huete Jimenez size_t sid_ctx_length; 905*de0e0e4dSAntonio Huete Jimenez unsigned char sid_ctx[SSL_MAX_SID_CTX_LENGTH]; 906*de0e0e4dSAntonio Huete Jimenez 907*de0e0e4dSAntonio Huete Jimenez X509_VERIFY_PARAM *param; 908*de0e0e4dSAntonio Huete Jimenez 909*de0e0e4dSAntonio Huete Jimenez /* 910*de0e0e4dSAntonio Huete Jimenez * XXX 911*de0e0e4dSAntonio Huete Jimenez * default_passwd_cb used by python and openvpn, need to keep it until we 912*de0e0e4dSAntonio Huete Jimenez * add an accessor 913*de0e0e4dSAntonio Huete Jimenez */ 914*de0e0e4dSAntonio Huete Jimenez /* Default password callback. */ 915*de0e0e4dSAntonio Huete Jimenez pem_password_cb *default_passwd_callback; 916*de0e0e4dSAntonio Huete Jimenez 917*de0e0e4dSAntonio Huete Jimenez /* Default password callback user data. 
*/ 918*de0e0e4dSAntonio Huete Jimenez void *default_passwd_callback_userdata; 919*de0e0e4dSAntonio Huete Jimenez 920*de0e0e4dSAntonio Huete Jimenez struct ssl_ctx_internal_st *internal; 921*de0e0e4dSAntonio Huete Jimenez }; 922*de0e0e4dSAntonio Huete Jimenez 92372c33676SMaxim Ag typedef struct ssl_internal_st { 92472c33676SMaxim Ag struct tls13_ctx *tls13; 92572c33676SMaxim Ag 926*de0e0e4dSAntonio Huete Jimenez uint16_t min_tls_version; 927*de0e0e4dSAntonio Huete Jimenez uint16_t max_tls_version; 928*de0e0e4dSAntonio Huete Jimenez 929*de0e0e4dSAntonio Huete Jimenez /* 930*de0e0e4dSAntonio Huete Jimenez * These may be zero to imply minimum or maximum version supported by 931*de0e0e4dSAntonio Huete Jimenez * the method. 932*de0e0e4dSAntonio Huete Jimenez */ 933*de0e0e4dSAntonio Huete Jimenez uint16_t min_proto_version; 934*de0e0e4dSAntonio Huete Jimenez uint16_t max_proto_version; 93572c33676SMaxim Ag 93672c33676SMaxim Ag unsigned long options; /* protocol behaviour */ 93772c33676SMaxim Ag unsigned long mode; /* API behaviour */ 93872c33676SMaxim Ag 93972c33676SMaxim Ag /* Client list of supported protocols in wire format. 
*/ 940*de0e0e4dSAntonio Huete Jimenez uint8_t *alpn_client_proto_list; 941*de0e0e4dSAntonio Huete Jimenez size_t alpn_client_proto_list_len; 942*de0e0e4dSAntonio Huete Jimenez 943*de0e0e4dSAntonio Huete Jimenez /* QUIC transport params we will send */ 944*de0e0e4dSAntonio Huete Jimenez uint8_t *quic_transport_params; 945*de0e0e4dSAntonio Huete Jimenez size_t quic_transport_params_len; 94672c33676SMaxim Ag 94772c33676SMaxim Ag /* XXX Callbacks */ 94872c33676SMaxim Ag 94972c33676SMaxim Ag /* true when we are actually in SSL_accept() or SSL_connect() */ 95072c33676SMaxim Ag int in_handshake; 95172c33676SMaxim Ag int (*handshake_func)(SSL *); 95272c33676SMaxim Ag 953*de0e0e4dSAntonio Huete Jimenez ssl_info_callback_fn *info_callback; 954*de0e0e4dSAntonio Huete Jimenez 955*de0e0e4dSAntonio Huete Jimenez /* callback that allows applications to peek at protocol messages */ 956*de0e0e4dSAntonio Huete Jimenez ssl_msg_callback_fn *msg_callback; 957*de0e0e4dSAntonio Huete Jimenez void *msg_callback_arg; 95872c33676SMaxim Ag 95972c33676SMaxim Ag int (*verify_callback)(int ok,X509_STORE_CTX *ctx); /* fail if callback returns 0 */ 96072c33676SMaxim Ag 961*de0e0e4dSAntonio Huete Jimenez /* Default generate session ID callback. 
*/ 962*de0e0e4dSAntonio Huete Jimenez GEN_SESSION_CB generate_session_id; 96372c33676SMaxim Ag 96472c33676SMaxim Ag /* TLS extension debug callback */ 96572c33676SMaxim Ag void (*tlsext_debug_cb)(SSL *s, int client_server, int type, 96672c33676SMaxim Ag unsigned char *data, int len, void *arg); 96772c33676SMaxim Ag void *tlsext_debug_arg; 96872c33676SMaxim Ag 96972c33676SMaxim Ag /* TLS Session Ticket extension callback */ 97072c33676SMaxim Ag tls_session_ticket_ext_cb_fn tls_session_ticket_ext_cb; 97172c33676SMaxim Ag void *tls_session_ticket_ext_cb_arg; 97272c33676SMaxim Ag 97372c33676SMaxim Ag /* TLS pre-shared secret session resumption */ 97472c33676SMaxim Ag tls_session_secret_cb_fn tls_session_secret_cb; 97572c33676SMaxim Ag void *tls_session_secret_cb_arg; 97672c33676SMaxim Ag 97772c33676SMaxim Ag /* XXX non-callback */ 97872c33676SMaxim Ag 97972c33676SMaxim Ag /* This holds a variable that indicates what we were doing 98072c33676SMaxim Ag * when a 0 or -1 is returned. This is needed for 98172c33676SMaxim Ag * non-blocking IO so we know what request needs re-doing when 98272c33676SMaxim Ag * in SSL_accept or SSL_connect */ 98372c33676SMaxim Ag int rwstate; 98472c33676SMaxim Ag 98572c33676SMaxim Ag /* Imagine that here's a boolean member "init" that is 98672c33676SMaxim Ag * switched as soon as SSL_set_{accept/connect}_state 98772c33676SMaxim Ag * is called for the first time, so that "state" and 98872c33676SMaxim Ag * "handshake_func" are properly initialized. But as 98972c33676SMaxim Ag * handshake_func is == 0 until then, we use this 99072c33676SMaxim Ag * test instead of an "init" member. 99172c33676SMaxim Ag */ 99272c33676SMaxim Ag 99372c33676SMaxim Ag int new_session;/* Generate a new session or reuse an old one. 
99472c33676SMaxim Ag * NB: For servers, the 'new' session may actually be a previously 99572c33676SMaxim Ag * cached session or even the previous session unless 99672c33676SMaxim Ag * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION is set */ 99772c33676SMaxim Ag int quiet_shutdown;/* don't send shutdown packets */ 99872c33676SMaxim Ag int shutdown; /* we have shut things down, 0x01 sent, 0x02 99972c33676SMaxim Ag * for received */ 100072c33676SMaxim Ag BUF_MEM *init_buf; /* buffer used during init */ 100172c33676SMaxim Ag void *init_msg; /* pointer to handshake message body, set by ssl3_get_message() */ 100272c33676SMaxim Ag int init_num; /* amount read/written */ 100372c33676SMaxim Ag int init_off; /* amount read/written */ 100472c33676SMaxim Ag 100572c33676SMaxim Ag /* used internally to point at a raw packet */ 100672c33676SMaxim Ag unsigned char *packet; 100772c33676SMaxim Ag unsigned int packet_length; 100872c33676SMaxim Ag 100972c33676SMaxim Ag int read_ahead; /* Read as many input bytes as possible 101072c33676SMaxim Ag * (for non-blocking reads) */ 101172c33676SMaxim Ag 101272c33676SMaxim Ag int hit; /* reusing a previous session */ 101372c33676SMaxim Ag 10148edacedfSDaniel Fojt STACK_OF(SSL_CIPHER) *cipher_list_tls13; 101572c33676SMaxim Ag 10168edacedfSDaniel Fojt struct tls12_record_layer *rl; 10178edacedfSDaniel Fojt 101872c33676SMaxim Ag /* session info */ 101972c33676SMaxim Ag 102072c33676SMaxim Ag /* extra application data */ 102172c33676SMaxim Ag CRYPTO_EX_DATA ex_data; 102272c33676SMaxim Ag 102372c33676SMaxim Ag /* client cert? 
*/ 102472c33676SMaxim Ag /* for server side, keep the list of CA_dn we can use */ 102572c33676SMaxim Ag STACK_OF(X509_NAME) *client_CA; 102672c33676SMaxim Ag 102772c33676SMaxim Ag /* set this flag to 1 and a sleep(1) is put into all SSL_read() 102872c33676SMaxim Ag * and SSL_write() calls, good for nbio debuging :-) */ 102972c33676SMaxim Ag int debug; 103072c33676SMaxim Ag long max_cert_list; 103172c33676SMaxim Ag int first_packet; 103272c33676SMaxim Ag 103372c33676SMaxim Ag /* Expect OCSP CertificateStatus message */ 103472c33676SMaxim Ag int tlsext_status_expected; 103572c33676SMaxim Ag /* OCSP status request only */ 103672c33676SMaxim Ag STACK_OF(OCSP_RESPID) *tlsext_ocsp_ids; 103772c33676SMaxim Ag X509_EXTENSIONS *tlsext_ocsp_exts; 10388edacedfSDaniel Fojt 103972c33676SMaxim Ag /* OCSP response received or to be sent */ 104072c33676SMaxim Ag unsigned char *tlsext_ocsp_resp; 10418edacedfSDaniel Fojt size_t tlsext_ocsp_resp_len; 104272c33676SMaxim Ag 104372c33676SMaxim Ag /* RFC4507 session ticket expected to be received or sent */ 104472c33676SMaxim Ag int tlsext_ticket_expected; 104572c33676SMaxim Ag 104672c33676SMaxim Ag size_t tlsext_ecpointformatlist_length; 104772c33676SMaxim Ag uint8_t *tlsext_ecpointformatlist; /* our list */ 104872c33676SMaxim Ag size_t tlsext_supportedgroups_length; 104972c33676SMaxim Ag uint16_t *tlsext_supportedgroups; /* our list */ 105072c33676SMaxim Ag 105172c33676SMaxim Ag /* TLS Session Ticket extension override */ 105272c33676SMaxim Ag TLS_SESSION_TICKET_EXT *tlsext_session_ticket; 105372c33676SMaxim Ag 105472c33676SMaxim Ag STACK_OF(SRTP_PROTECTION_PROFILE) *srtp_profiles; /* What we'll do */ 1055*de0e0e4dSAntonio Huete Jimenez const SRTP_PROTECTION_PROFILE *srtp_profile; /* What's been chosen */ 105672c33676SMaxim Ag 105772c33676SMaxim Ag int renegotiate;/* 1 if we are renegotiating. 105872c33676SMaxim Ag * 2 if we are a server and are inside a handshake 105972c33676SMaxim Ag * (i.e. 
not just sending a HelloRequest) */

	int rstate;	/* where we are when reading */

	int mac_packet;

	int empty_record_count;

	size_t num_tickets;	/* Unused, for OpenSSL compatibility */
	STACK_OF(X509) *verified_chain;
} SSL_INTERNAL;

/*
 * Per-connection object behind the public SSL type.  Additional connection
 * state is reached through the trailing `internal' pointer (SSL_INTERNAL
 * above) rather than being added here.
 */
struct ssl_st {
	/* protocol version
	 * (one of SSL2_VERSION, SSL3_VERSION, TLS1_VERSION, DTLS1_VERSION)
	 */
	int version;

	const SSL_METHOD *method;
	const SSL_QUIC_METHOD *quic_method;	/* presumably NULL when QUIC is
						 * not in use - confirm */

	/* There are 2 BIO's even though they are normally both the
	 * same.  This is so data can be read and written to different
	 * handlers */

	BIO *rbio;	/* used by SSL_read */
	BIO *wbio;	/* used by SSL_write */
	BIO *bbio;	/* used during session-id reuse to concatenate
			 * messages */
	int server;	/* are we the server side? - mostly used by SSL_clear */

	struct ssl3_state_st *s3;	/* SSLv3 variables (SSL3_STATE below) */
	struct dtls1_state_st *d1;	/* DTLSv1 variables */

	X509_VERIFY_PARAM *param;	/* verification parameters for this
					 * connection */

	/* crypto */
	STACK_OF(SSL_CIPHER) *cipher_list;

	/* This is used to hold the server certificate used */
	SSL_CERT *cert;

	/* the session_id_context is used to ensure sessions are only reused
	 * in the appropriate context.
	 * NOTE(review): sid_ctx_length must never exceed
	 * SSL_MAX_SID_CTX_LENGTH; the bound is enforced by the writers, not
	 * here - confirm at every assignment. */
	size_t sid_ctx_length;
	unsigned char sid_ctx[SSL_MAX_SID_CTX_LENGTH];

	/* This can also be in the session once a session is established */
	SSL_SESSION *session;

	/* Used in SSL2 and SSL3 */
	int verify_mode;	/* 0 don't care about verify failure.
				 * 1 fail if verify fails */
	int error;		/* error bytes to be written */
	int error_code;		/* actual code */

	SSL_CTX *ctx;

	long verify_result;	/* presumably the X509_V_* result exposed by
				 * SSL_get_verify_result() - confirm */

	int references;		/* presumably the reference count - confirm
				 * how it is updated (locked/atomic or not) */

	int client_version;	/* what was passed, used for
				 * SSLv3/TLS rollback check */

	unsigned int max_send_fragment;

	char *tlsext_hostname;	/* SNI host name (owned string, may be NULL -
				 * presumably; confirm) */

	/* certificate status request info */
	/* Status type or -1 if no status type */
	int tlsext_status_type;

	SSL_CTX *initial_ctx;	/* initial ctx, used to store sessions */
/*
 * NOTE(review): this is an object-like macro, not a member.  The
 * preprocessor has no notion of struct scope, so the token `session_ctx' is
 * rewritten to `initial_ctx' everywhere after this point in every
 * translation unit that includes this header.
 */
#define session_ctx initial_ctx

	struct ssl_internal_st *internal;
};

/*
 * A single record: header fields plus pointers into the I/O buffer.
 * NOTE(review): length, padding_length and off are unsigned int while
 * ssl3_read_bytes()/ssl3_write_bytes() take a signed int len; every
 * comparison across that boundary needs a sign check first.
 */
typedef struct ssl3_record_internal_st {
	int type;			/* type of record */
	unsigned int length;		/* How many bytes available */
	unsigned int padding_length;	/* Number of padding bytes. */
	unsigned int off;		/* read/write offset into 'buf' */
	unsigned char *data;		/* pointer to the record data */
	unsigned char *input;		/* where the decode bytes are */
	uint16_t epoch;			/* epoch number, needed by DTLS1 */
	unsigned char seq_num[8];	/* sequence number, needed by DTLS1
					 * (presumably also feeds replay
					 * detection - confirm) */
} SSL3_RECORD_INTERNAL;

/*
 * Raw read/write I/O buffer.
 * NOTE(review): offset and left are signed int but len is size_t; code that
 * adds them or compares them against len must ensure both are non-negative
 * first - confirm in ssl3_setup_buffers() and ssl3_packet_read().
 */
typedef struct ssl3_buffer_internal_st {
	unsigned char *buf;	/* at least SSL3_RT_MAX_PACKET_SIZE bytes,
				 * see ssl3_setup_buffers() */
	size_t len;		/* buffer size */
	int offset;		/* where to 'copy from' */
	int left;		/* how many bytes left */
} SSL3_BUFFER_INTERNAL;

/*
 * SSLv3/TLS connection state, reached via ssl_st.s3.
 */
typedef struct ssl3_state_st {
	long flags;

	unsigned char server_random[SSL3_RANDOM_SIZE];	/* Hello nonces -
							 * presumably; confirm */
	unsigned char client_random[SSL3_RANDOM_SIZE];

	SSL3_BUFFER_INTERNAL rbuf;	/* read IO goes into here */
	SSL3_BUFFER_INTERNAL wbuf;	/* write IO goes into here */

	/* we allow one fatal and one warning alert to be outstanding,
	 * send close alert via the warning alert */
	int alert_dispatch;
	unsigned char send_alert[2];

	/* flags for countermeasure against known-IV weakness
	 * (presumably the empty-fragment CBC mitigation - confirm) */
	int need_empty_fragments;
	int empty_fragment_done;

	SSL3_RECORD_INTERNAL rrec;	/* each decoded record goes in here */

	/* storage for Alert/Handshake protocol data received but not
	 * yet processed by ssl3_read_bytes: */
	unsigned char alert_fragment[2];
	unsigned int alert_fragment_len;
	unsigned char handshake_fragment[4];
	unsigned int handshake_fragment_len;

	/* partial write - check the numbers match */
	unsigned int wnum;	/* number of bytes sent so far */
	int wpend_tot;		/* number bytes written */
	int wpend_type;
	int wpend_ret;		/* number of bytes submitted */
	const unsigned char *wpend_buf;

	/* Transcript of handshake messages that have been sent and received. */
	struct tls_buffer *handshake_transcript;

	/* Rolling hash of handshake messages. */
	EVP_MD_CTX *handshake_hash;

	/* this is set whenever we see a change_cipher_spec message
	 * come in when we are not looking for one */
	int change_cipher_spec;

	int warn_alert;
	int fatal_alert;

	/* This flag is set when we should renegotiate ASAP, basically when
	 * there is no more data in the read or write buffers */
	int renegotiate;
	int total_renegotiations;
	int num_renegotiations;

	int in_read_app_data;

	SSL_HANDSHAKE hs;

	/* Connection binding to prevent renegotiation attacks (RFC 5746
	 * secure renegotiation).  The *_len fields are unsigned char, which
	 * is sufficient as long as EVP_MAX_MD_SIZE < 256 - confirm. */
	unsigned char previous_client_finished[EVP_MAX_MD_SIZE];
	unsigned char previous_client_finished_len;
	unsigned char previous_server_finished[EVP_MAX_MD_SIZE];
	unsigned char previous_server_finished_len;
	int send_connection_binding; /* TODOEKR */

	/* Set if we saw a Renegotiation Indication extension from our peer. */
	int renegotiate_seen;

	/*
	 * ALPN information.
	 *
	 * In a server these point to the selected ALPN protocol after the
	 * ClientHello has been processed. In a client these contain the
	 * protocol that the server selected once the ServerHello has been
	 * processed.  Presumably owned by this struct and released in
	 * ssl3_free() - confirm.
	 */
	uint8_t *alpn_selected;
	size_t alpn_selected_len;

	/* Contains the QUIC transport params received from our peer.
	 * Same ownership question as alpn_selected - confirm. */
	uint8_t *peer_quic_transport_params;
	size_t peer_quic_transport_params_len;
} SSL3_STATE;

/*
 * Flag values for enc_flags.  Bits 0 and 3 are unassigned in this header.
 */

/* Uses signature algorithms extension. */
#define SSL_ENC_FLAG_SIGALGS		(1 << 1)

/* Uses SHA256 default PRF. */
#define SSL_ENC_FLAG_SHA256_PRF		(1 << 2)

/* Allow TLS 1.2 ciphersuites: applies to DTLS 1.2 as well as TLS 1.2. */
#define SSL_ENC_FLAG_TLS1_2_CIPHERS	(1 << 4)

/* Allow TLS 1.3 ciphersuites only. */
#define SSL_ENC_FLAG_TLS1_3_CIPHERS	(1 << 5)

/* Per-version enc_flags combinations. */
#define TLSV1_ENC_FLAGS		0
#define TLSV1_1_ENC_FLAGS	0
#define TLSV1_2_ENC_FLAGS	(SSL_ENC_FLAG_SIGALGS | \
				 SSL_ENC_FLAG_SHA256_PRF | \
				 SSL_ENC_FLAG_TLS1_2_CIPHERS)
#define TLSV1_3_ENC_FLAGS	(SSL_ENC_FLAG_SIGALGS | \
				 SSL_ENC_FLAG_TLS1_3_CIPHERS)

extern const SSL_CIPHER ssl3_ciphers[];

/*
 * Version negotiation helpers.  All of the int-returning functions below
 * presumably follow the usual 1 = success / 0 = failure convention of this
 * header - confirm before relying on the sense of a result.
 */
const char *ssl_version_string(int ver);
int ssl_version_set_min(const SSL_METHOD *meth, uint16_t proto_ver,
    uint16_t max_tls_ver, uint16_t *out_tls_ver, uint16_t *out_proto_ver);
int ssl_version_set_max(const SSL_METHOD *meth, uint16_t proto_ver,
    uint16_t min_tls_ver, uint16_t *out_tls_ver, uint16_t *out_proto_ver);
int ssl_enabled_tls_version_range(SSL *s, uint16_t *min_ver, uint16_t *max_ver);
int ssl_supported_tls_version_range(SSL *s, uint16_t *min_ver, uint16_t *max_ver);
uint16_t ssl_tls_version(uint16_t version);
uint16_t ssl_effective_tls_version(SSL *s);
int ssl_max_supported_version(SSL *s, uint16_t *max_ver);
int ssl_max_legacy_version(SSL *s, uint16_t *max_ver);
int ssl_max_shared_version(SSL *s, uint16_t peer_ver, uint16_t *max_ver);
int ssl_check_version_from_server(SSL *s, uint16_t server_version);
int ssl_legacy_stack_version(SSL *s, uint16_t version);
int ssl_cipher_in_list(STACK_OF(SSL_CIPHER) *ciphers, const SSL_CIPHER *cipher);
int ssl_cipher_allowed_in_tls_version_range(const SSL_CIPHER *cipher,
    uint16_t min_ver, uint16_t max_ver);

const SSL_METHOD *tls_legacy_method(void);
const SSL_METHOD *ssl_get_method(uint16_t version);

void ssl_clear_cipher_state(SSL *s);
int ssl_clear_bad_session(SSL *s);

/* Invoke the application's info / message callbacks, if any are set. */
void ssl_info_callback(const SSL *s, int type, int value);
void ssl_msg_callback(SSL *s, int is_write, int content_type,
    const void *msg_buf, size_t msg_len);
void ssl_msg_callback_cbs(SSL *s, int is_write, int content_type, CBS *cbs);

/*
 * Certificate/chain management.  The 0/1 suffixes follow the OpenSSL
 * convention: set0/add0 take ownership of the argument, set1/add1 copy it
 * (or bump its reference count) - confirm against the definitions.
 */
SSL_CERT *ssl_cert_new(void);
SSL_CERT *ssl_cert_dup(SSL_CERT *cert);
void ssl_cert_free(SSL_CERT *c);
SSL_CERT *ssl_get0_cert(SSL_CTX *ctx, SSL *ssl);
int ssl_cert_set0_chain(SSL_CTX *ctx, SSL *ssl, STACK_OF(X509) *chain);
int ssl_cert_set1_chain(SSL_CTX *ctx, SSL *ssl, STACK_OF(X509) *chain);
int ssl_cert_add0_chain_cert(SSL_CTX *ctx, SSL *ssl, X509 *cert);
int ssl_cert_add1_chain_cert(SSL_CTX *ctx, SSL *ssl, X509 *cert);

/*
 * Security-level checks (presumably backing SSL_CTX_set_security_level()).
 * Each returns int; presumably non-zero means the object is acceptable at
 * the configured level - confirm before relying on the sense of the result.
 * ssl_security_cert()/ssl_security_cert_chain() report the specific failure
 * through *out_error.
 */
int ssl_security_default_cb(const SSL *ssl, const SSL_CTX *ctx, int op,
    int bits, int nid, void *other, void *ex_data);

int ssl_security_cipher_check(const SSL *ssl, SSL_CIPHER *cipher);
int ssl_security_shared_cipher(const SSL *ssl, SSL_CIPHER *cipher);
int ssl_security_supported_cipher(const SSL *ssl, SSL_CIPHER *cipher);
int ssl_ctx_security_dh(const SSL_CTX *ctx, DH *dh);
int ssl_security_dh(const SSL *ssl, DH *dh);
int ssl_security_sigalg_check(const SSL *ssl, const EVP_PKEY *pkey);
int ssl_security_tickets(const SSL *ssl);
int ssl_security_version(const SSL *ssl, int version);
int ssl_security_cert(const SSL_CTX *ctx, const SSL *ssl, X509 *x509,
    int is_peer, int *out_error);
int ssl_security_cert_chain(const SSL *ssl, STACK_OF(X509) *sk,
    X509 *x509, int *out_error);
int ssl_security_shared_group(const SSL *ssl, uint16_t group_id);
int ssl_security_supported_group(const SSL *ssl, uint16_t group_id);

/* Session and cipher list handling. */
int ssl_get_new_session(SSL *s, int session);
/* On failure *alert presumably receives the alert to send - confirm. */
int ssl_get_prev_session(SSL *s, CBS *session_id, CBS *ext_block,
    int *alert);
int ssl_cipher_id_cmp(const SSL_CIPHER *a, const SSL_CIPHER *b);
SSL_CIPHER *OBJ_bsearch_ssl_cipher_id(SSL_CIPHER *key, SSL_CIPHER const *base,
    int num);
int ssl_cipher_list_to_bytes(SSL *s, STACK_OF(SSL_CIPHER) *ciphers, CBB *cbb);
STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s, CBS *cbs);
STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *meth,
    STACK_OF(SSL_CIPHER) **pref, STACK_OF(SSL_CIPHER) *tls13,
    const char *rule_str, SSL_CERT *cert);
int ssl_parse_ciphersuites(STACK_OF(SSL_CIPHER) **out_ciphers, const char *str);
int ssl_merge_cipherlists(STACK_OF(SSL_CIPHER) *cipherlist,
    STACK_OF(SSL_CIPHER) *cipherlist_tls13,
    STACK_OF(SSL_CIPHER) **out_cipherlist);
void ssl_update_cache(SSL *s, int mode);
int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
    const EVP_MD **md, int *mac_pkey_type, int *mac_secret_size);
int ssl_cipher_get_evp_aead(const SSL_SESSION *s, const EVP_AEAD **aead);
int ssl_get_handshake_evp_md(SSL *s, const EVP_MD **md);

int ssl_verify_cert_chain(SSL *s, STACK_OF(X509) *sk);
/* Placeholders for method slots that are not applicable - presumably. */
int ssl_undefined_function(SSL *s);
int ssl_undefined_void_function(void);
int ssl_undefined_const_function(const SSL *s);
SSL_CERT_PKEY *ssl_get_server_send_pkey(const SSL *s);
EVP_PKEY *ssl_get_sign_pkey(SSL *s, const SSL_CIPHER *c, const EVP_MD **pmd,
    const struct ssl_sigalg **sap);
size_t ssl_dhe_params_auto_key_bits(SSL *s);
int ssl_cert_type(EVP_PKEY *pkey);
void ssl_set_cert_masks(SSL_CERT *c, const SSL_CIPHER *cipher);
STACK_OF(SSL_CIPHER) *ssl_get_ciphers_by_id(SSL *s);
int ssl_has_ecc_ciphers(SSL *s);

int ssl_verify_alarm_type(long type);

int SSL_SESSION_ticket(SSL_SESSION *ss, unsigned char **out, size_t *out_len);

/* SSLv3/TLS record and handshake layer. */
const SSL_CIPHER *ssl3_get_cipher_by_char(const unsigned char *p);
int ssl3_send_server_certificate(SSL *s);
int ssl3_send_newsession_ticket(SSL *s);
int ssl3_send_cert_status(SSL *s);
int ssl3_get_finished(SSL *s, int state_a, int state_b);
int ssl3_send_change_cipher_spec(SSL *s, int state_a, int state_b);
int ssl3_do_write(SSL *s, int type);
int ssl3_send_alert(SSL *s, int level, int desc);
int ssl3_get_req_cert_types(SSL *s, CBB *cbb);
int ssl3_get_message(SSL *s, int st1, int stn, int mt, long max);
int ssl3_send_finished(SSL *s, int state_a, int state_b);
int ssl3_num_ciphers(void);
const SSL_CIPHER *ssl3_get_cipher(unsigned int u);
const SSL_CIPHER *ssl3_get_cipher_by_id(unsigned int id);
const SSL_CIPHER *ssl3_get_cipher_by_value(uint16_t value);
uint16_t ssl3_cipher_get_value(const SSL_CIPHER *c);
int ssl3_renegotiate(SSL *ssl);

int ssl3_renegotiate_check(SSL *ssl);

void ssl_force_want_read(SSL *s);

int ssl3_dispatch_alert(SSL *s);
int ssl3_read_alert(SSL *s);
int ssl3_read_change_cipher_spec(SSL *s);
/*
 * NOTE(review): len is a signed int here and in ssl3_read()/ssl3_peek()/
 * ssl3_write() below, while the record fields it is compared with are
 * unsigned int; callers must reject len < 0 before any such comparison -
 * confirm in the definitions.
 */
int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek);
int ssl3_write_bytes(SSL *s, int type, const void *buf, int len);
int ssl3_output_cert_chain(SSL *s, CBB *cbb, SSL_CERT_PKEY *cpk);
SSL_CIPHER *ssl3_choose_cipher(SSL *ssl, STACK_OF(SSL_CIPHER) *clnt,
    STACK_OF(SSL_CIPHER) *srvr);
int ssl3_setup_buffers(SSL *s);
int ssl3_setup_init_buffer(SSL *s);
void ssl3_release_init_buffer(SSL *s);
int ssl3_setup_read_buffer(SSL *s);
int ssl3_setup_write_buffer(SSL *s);
void ssl3_release_buffer(SSL3_BUFFER_INTERNAL *b);
void ssl3_release_read_buffer(SSL *s);
void ssl3_release_write_buffer(SSL *s);
int ssl3_new(SSL *s);
void ssl3_free(SSL *s);
int ssl3_accept(SSL *s);
int ssl3_connect(SSL *s);
int ssl3_read(SSL *s, void *buf, int len);
int ssl3_peek(SSL *s, void *buf, int len);
int ssl3_write(SSL *s, const void *buf, int len);
int ssl3_shutdown(SSL *s);
void ssl3_clear(SSL *s);
long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg);
long ssl3_ctx_ctrl(SSL_CTX *s, int cmd, long larg, void *parg);
long ssl3_callback_ctrl(SSL *s, int cmd, void (*fp)(void));
long ssl3_ctx_callback_ctrl(SSL_CTX *s, int cmd, void (*fp)(void));
int ssl3_pending(const SSL *s);

/* Handshake message construction via CBB. */
int ssl3_handshake_msg_hdr_len(SSL *s);
int ssl3_handshake_msg_start(SSL *s, CBB *handshake, CBB *body,
    uint8_t msg_type);
int ssl3_handshake_msg_finish(SSL *s, CBB *handshake);
int ssl3_handshake_write(SSL *s);
int ssl3_record_write(SSL *s, int type);

int ssl3_do_change_cipher_spec(SSL *ssl);

/* plen is a signed int; the same sign caveat as for ssl3_read_bytes() applies. */
int ssl3_packet_read(SSL *s, int plen);
int ssl3_packet_extend(SSL *s, int plen);
int ssl_server_legacy_first_packet(SSL *s);
int ssl3_write_pending(SSL *s, int type, const unsigned char *buf,
    unsigned int len);

/* some client-only functions */
int ssl3_send_client_hello(SSL *s);
int ssl3_get_dtls_hello_verify(SSL *s);
int ssl3_get_server_hello(SSL *s);
int ssl3_get_certificate_request(SSL *s);
int ssl3_get_new_session_ticket(SSL *s);
int ssl3_get_cert_status(SSL *s);
int ssl3_get_server_done(SSL *s);
int ssl3_send_client_verify(SSL *s);
int ssl3_send_client_certificate(SSL *s);
int ssl_do_client_cert_cb(SSL *s, X509 **px509, EVP_PKEY **ppkey);
int ssl3_send_client_key_exchange(SSL *s);
int ssl3_get_server_key_exchange(SSL *s);
int ssl3_get_server_certificate(SSL *s);
int ssl3_check_cert_and_algorithm(SSL *s);
int ssl3_check_finished(SSL *s);

/* some server-only functions */
int ssl3_get_client_hello(SSL *s);
int ssl3_send_dtls_hello_verify_request(SSL *s);
int ssl3_send_server_hello(SSL *s);
int ssl3_send_hello_request(SSL *s);
int ssl3_send_server_key_exchange(SSL *s);
int ssl3_send_certificate_request(SSL *s);
int ssl3_send_server_done(SSL *s);
int ssl3_get_client_certificate(SSL *s);
int ssl3_get_client_key_exchange(SSL *s);
int ssl3_get_cert_verify(SSL *s);

/*
 * DHE key exchange helpers.  The *_peer_* functions carry two out-flags,
 * presumably so callers can tell a malformed encoding (decode_error) from
 * well-formed but unacceptable values (invalid_params / invalid_key) and
 * pick the alert accordingly - confirm.  *shared_key is presumably
 * allocated by the derive functions and owned by the caller; confirm who
 * frees it and that it is cleared (explicit_bzero/freezero) before release.
 */
int ssl_kex_generate_dhe(DH *dh, DH *dh_params);
int ssl_kex_generate_dhe_params_auto(DH *dh, size_t key_len);
int ssl_kex_params_dhe(DH *dh, CBB *cbb);
int ssl_kex_public_dhe(DH *dh, CBB *cbb);
int ssl_kex_peer_params_dhe(DH *dh, CBS *cbs, int *decode_error,
    int *invalid_params);
int ssl_kex_peer_public_dhe(DH *dh, CBS *cbs, int *decode_error,
    int *invalid_key);
int ssl_kex_derive_dhe(DH *dh, DH *dh_peer,
    uint8_t **shared_key, size_t *shared_key_len);

/* ECDHE (prime-curve) key exchange helpers; same shared_key caveat. */
int ssl_kex_dummy_ecdhe_x25519(EVP_PKEY *pkey);
int ssl_kex_generate_ecdhe_ecp(EC_KEY *ecdh, int nid);
int ssl_kex_public_ecdhe_ecp(EC_KEY *ecdh, CBB *cbb);
int ssl_kex_peer_public_ecdhe_ecp(EC_KEY *ecdh, int nid, CBS *cbs);
int ssl_kex_derive_ecdhe_ecp(EC_KEY *ecdh, EC_KEY *ecdh_peer,
    uint8_t **shared_key, size_t *shared_key_len);

int tls1_new(SSL *s);
void tls1_free(SSL *s);
void tls1_clear(SSL *s);

int ssl_init_wbio_buffer(SSL *s, int push);
void ssl_free_wbio_buffer(SSL *s);

/* Running handshake hash (ssl3_state_st.handshake_hash). */
int tls1_transcript_hash_init(SSL *s);
int tls1_transcript_hash_update(SSL *s, const unsigned char *buf, size_t len);
int tls1_transcript_hash_value(SSL *s, unsigned char *out, size_t len,
    size_t *outlen);
void tls1_transcript_hash_free(SSL *s);

/* Buffered handshake transcript (ssl3_state_st.handshake_transcript). */
int tls1_transcript_init(SSL *s);
void tls1_transcript_free(SSL *s);
void tls1_transcript_reset(SSL *s);
int tls1_transcript_append(SSL *s, const unsigned char *buf, size_t len);
int tls1_transcript_data(SSL *s, const unsigned char **data, size_t *len);
void tls1_transcript_freeze(SSL *s);
void tls1_transcript_unfreeze(SSL *s);
int tls1_transcript_record(SSL *s, const unsigned char *buf, size_t len);

/*
 * TLS 1.0-1.2 pseudo-random function (presumably RFC 5246 section 5).
 * Unused seeds are presumably passed as NULL with length 0 - confirm.
 */
int tls1_PRF(SSL *s, const unsigned char *secret, size_t secret_len,
    const void *seed1, size_t seed1_len, const void *seed2, size_t seed2_len,
    const void *seed3, size_t seed3_len, const void *seed4, size_t seed4_len,
    const void *seed5, size_t seed5_len, unsigned char *out, size_t out_len);

void tls1_cleanup_key_block(SSL *s);
int tls1_change_read_cipher_state(SSL *s);
int tls1_change_write_cipher_state(SSL *s);
int tls1_setup_key_block(SSL *s);
int tls1_generate_key_block(SSL *s, uint8_t *key_block, size_t key_block_len);
/* Keying material exporter (presumably RFC 5705). */
int tls1_export_keying_material(SSL *s, unsigned char *out, size_t olen,
    const char *label, size_t llen, const unsigned char *p, size_t plen,
    int use_context);
int ssl_ok(SSL *s);

int tls12_derive_finished(SSL *s);
int tls12_derive_peer_finished(SSL *s);
/*
 * NOTE(review): premaster_secret is caller-owned key material; confirm the
 * caller clears it once this returns, whatever the result.
 */
int tls12_derive_master_secret(SSL *s, uint8_t *premaster_secret,
    size_t premaster_secret_len);

int ssl_using_ecc_cipher(SSL *s);
int ssl_check_srvr_ecc_cert_and_alg(SSL *s, X509 *x);

/* EC point format and supported-group lists (ours or the client's). */
void tls1_get_formatlist(const SSL *s, int client_formats,
    const uint8_t **pformats, size_t *pformatslen);
void tls1_get_group_list(const SSL *s, int client_groups,
    const uint16_t **pgroups, size_t *pgroupslen);

int tls1_set_groups(uint16_t **out_group_ids, size_t *out_group_ids_len,
    const int *groups, size_t ngroups);
int tls1_set_group_list(uint16_t **out_group_ids, size_t *out_group_ids_len,
    const char *groups);

int tls1_ec_group_id2nid(uint16_t group_id, int *out_nid);
int tls1_ec_group_id2bits(uint16_t group_id, int *out_bits);
int tls1_ec_nid2group_id(int nid, uint16_t *out_group_id);
int tls1_check_group(SSL *s, uint16_t group_id);
int tls1_count_shared_groups(const SSL *ssl, size_t *out_count);
int tls1_get_shared_group_by_index(const SSL *ssl, size_t index, int *out_nid);
int tls1_get_supported_group(const SSL *s, int *out_nid);

int ssl_check_clienthello_tlsext_early(SSL *s);
int ssl_check_clienthello_tlsext_late(SSL *s);
int ssl_check_serverhello_tlsext(SSL *s);

/*
 * Session ticket processing results - presumably the return values of
 * tls1_process_ticket() below; confirm.  Only TLS1_TICKET_FATAL_ERROR is
 * negative, so callers can test `< 0' for the fatal case.
 */
#define TLS1_TICKET_FATAL_ERROR		-1
#define TLS1_TICKET_NONE		0
#define TLS1_TICKET_EMPTY		1
#define TLS1_TICKET_NOT_DECRYPTED	2
#define TLS1_TICKET_DECRYPTED		3

/* On failure *alert presumably receives the alert to send - confirm. */
int tls1_process_ticket(SSL *s, CBS *ext_block, int *alert, SSL_SESSION **ret);

int tls1_check_ec_server_key(SSL *s);

/*
 * s3_cbc.c - CBC record MAC and padding handling.
 * NOTE(review): these are the routines whose running time must not depend
 * on the padding or MAC contents (the Lucky Thirteen class of timing side
 * channel); changes to them or their callers should preserve that property.
 * header[13] is the MAC pseudo-header, presumably
 * seq_num(8) || type(1) || version(2) || length(2) - confirm.
 * ssl3_cbc_record_digest_supported() returns char where the rest of this
 * header uses int; a style nit only.
 */
void ssl3_cbc_copy_mac(unsigned char *out, const SSL3_RECORD_INTERNAL *rec,
    unsigned int md_size, unsigned int orig_len);
int ssl3_cbc_remove_padding(SSL3_RECORD_INTERNAL *rec, unsigned int eiv_len,
    unsigned int mac_size);
char ssl3_cbc_record_digest_supported(const EVP_MD_CTX *ctx);
int ssl3_cbc_digest_record(const EVP_MD_CTX *ctx, unsigned char *md_out,
    size_t *md_out_size, const unsigned char header[13],
    const unsigned char *data, size_t data_plus_mac_size,
    size_t data_plus_mac_plus_padding_size, const unsigned char *mac_secret,
    unsigned int mac_secret_length);

int SSL_state_func_code(int _state);

/*
 * Error reporting.  SSLerror() records the error against a connection;
 * SSLerrorx() has no connection and passes 0xfff as the function-code
 * argument of ERR_PUT_error().
 * NOTE(review): SSL_error_internal() receives the __FILE__ string literal
 * through SSLerror() but declares it as `char *f'; it should be
 * `const char *f'.  The definition must be changed together with this
 * declaration to avoid a conflicting-types error.
 */
#define SSLerror(s, r) SSL_error_internal(s, r, __FILE__, __LINE__)
#define SSLerrorx(r) ERR_PUT_error(ERR_LIB_SSL,(0xfff),(r),__FILE__,__LINE__)
void SSL_error_internal(const SSL *s, int r, char *f, int l);

#ifndef OPENSSL_NO_SRTP

int srtp_find_profile_by_name(const char *profile_name,
    const SRTP_PROTECTION_PROFILE **pptr, unsigned int len);
int srtp_find_profile_by_num(unsigned int profile_num,
    const SRTP_PROTECTION_PROFILE **pptr);

#endif /* OPENSSL_NO_SRTP */

int tls_process_peer_certs(SSL *s, STACK_OF(X509) *peer_certs);

/* Closes the hidden-visibility region presumably opened by
 * __BEGIN_HIDDEN_DECLS earlier in this header - confirm. */
__END_HIDDEN_DECLS

#endif