1/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2 * All rights reserved. 3 * 4 * This package is an SSL implementation written 5 * by Eric Young (eay@cryptsoft.com). 6 * The implementation was written so as to conform with Netscapes SSL. 7 * 8 * This library is free for commercial and non-commercial use as long as 9 * the following conditions are aheared to. The following conditions 10 * apply to all code found in this distribution, be it the RC4, RSA, 11 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 12 * included with this distribution is covered by the same copyright terms 13 * except that the holder is Tim Hudson (tjh@cryptsoft.com). 14 * 15 * Copyright remains Eric Young's, and as such any Copyright notices in 16 * the code are not to be removed. 17 * If this package is used in a product, Eric Young should be given attribution 18 * as the author of the parts of the library used. 19 * This can be in the form of a textual message at program startup or 20 * in documentation (online or textual) provided with the package. 21 * 22 * Redistribution and use in source and binary forms, with or without 23 * modification, are permitted provided that the following conditions 24 * are met: 25 * 1. Redistributions of source code must retain the copyright 26 * notice, this list of conditions and the following disclaimer. 27 * 2. Redistributions in binary form must reproduce the above copyright 28 * notice, this list of conditions and the following disclaimer in the 29 * documentation and/or other materials provided with the distribution. 30 * 3. All advertising materials mentioning features or use of this software 31 * must display the following acknowledgement: 32 * "This product includes cryptographic software written by 33 * Eric Young (eay@cryptsoft.com)" 34 * The word 'cryptographic' can be left out if the rouines from the library 35 * being used are not cryptographic related :-). 36 * 4. If you include any Windows specific code (or a derivative thereof) from 37 * the apps directory (application code) you must include an acknowledgement: 38 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 39 * 40 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 41 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 43 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 44 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 45 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 46 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 48 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 49 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 50 * SUCH DAMAGE. 51 * 52 * The licence and distribution terms for any publically available version or 53 * derivative of this code cannot be changed. i.e. this code cannot simply be 54 * copied and put under another distribution licence 55 * [including the GNU Public Licence.] 56 */ 57/* ==================================================================== 58 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved. 59 * 60 * Redistribution and use in source and binary forms, with or without 61 * modification, are permitted provided that the following conditions 62 * are met: 63 * 64 * 1. Redistributions of source code must retain the above copyright 65 * notice, this list of conditions and the following disclaimer. 66 * 67 * 2. Redistributions in binary form must reproduce the above copyright 68 * notice, this list of conditions and the following disclaimer in 69 * the documentation and/or other materials provided with the 70 * distribution. 71 * 72 * 3. All advertising materials mentioning features or use of this 73 * software must display the following acknowledgment: 74 * "This product includes software developed by the OpenSSL Project 75 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 76 * 77 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 78 * endorse or promote products derived from this software without 79 * prior written permission. For written permission, please contact 80 * openssl-core@openssl.org. 81 * 82 * 5. Products derived from this software may not be called "OpenSSL" 83 * nor may "OpenSSL" appear in their names without prior written 84 * permission of the OpenSSL Project. 85 * 86 * 6. Redistributions of any form whatsoever must retain the following 87 * acknowledgment: 88 * "This product includes software developed by the OpenSSL Project 89 * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 90 * 91 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 92 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 93 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 94 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 95 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 96 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 97 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 98 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 99 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 100 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 101 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 102 * OF THE POSSIBILITY OF SUCH DAMAGE. 103 * ==================================================================== 104 * 105 * This product includes cryptographic software written by Eric Young 106 * (eay@cryptsoft.com). This product includes software written by Tim 107 * Hudson (tjh@cryptsoft.com). 108 * 109 */ 110/* ==================================================================== 111 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. 112 * ECC cipher suite support in OpenSSL originally developed by 113 * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project. 114 */ 115/* ==================================================================== 116 * Copyright 2005 Nokia. All rights reserved. 117 * 118 * The portions of the attached software ("Contribution") is developed by 119 * Nokia Corporation and is licensed pursuant to the OpenSSL open source 120 * license. 121 * 122 * The Contribution, originally written by Mika Kousa and Pasi Eronen of 123 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites 124 * support (see RFC 4279) to OpenSSL. 125 * 126 * No patent licenses or other rights except those expressly stated in 127 * the OpenSSL open source license shall be deemed granted or received 128 * expressly, by implication, estoppel, or otherwise. 129 * 130 * No assurances are provided by Nokia that the Contribution does not 131 * infringe the patent or other intellectual property rights of any third 132 * party or that the license provides you with all the necessary rights 133 * to make use of the Contribution. 134 * 135 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN 136 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA 137 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY 138 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR 139 * OTHERWISE. 140 */ 141 142#ifndef OPENSSL_HEADER_SSL_INTERNAL_H 143#define OPENSSL_HEADER_SSL_INTERNAL_H 144 145#include <openssl/base.h> 146 147#include <openssl/aead.h> 148#include <openssl/pqueue.h> 149#include <openssl/ssl.h> 150#include <openssl/stack.h> 151 152#if defined(OPENSSL_WINDOWS) 153/* Windows defines struct timeval in winsock2.h. */ 154#pragma warning(push, 3) 155#include <winsock2.h> 156#pragma warning(pop) 157#else 158#include <sys/time.h> 159#endif 160 161 162/* Cipher suites. */ 163 164/* Bits for |algorithm_mkey| (key exchange algorithm). */ 165#define SSL_kRSA 0x00000001L 166#define SSL_kDHE 0x00000002L 167#define SSL_kECDHE 0x00000004L 168/* SSL_kPSK is only set for plain PSK, not ECDHE_PSK. */ 169#define SSL_kPSK 0x00000008L 170 171/* Bits for |algorithm_auth| (server authentication). */ 172#define SSL_aRSA 0x00000001L 173#define SSL_aECDSA 0x00000002L 174/* SSL_aPSK is set for both PSK and ECDHE_PSK. */ 175#define SSL_aPSK 0x00000004L 176 177/* Bits for |algorithm_enc| (symmetric encryption). */ 178#define SSL_3DES 0x00000001L 179#define SSL_RC4 0x00000002L 180#define SSL_AES128 0x00000004L 181#define SSL_AES256 0x00000008L 182#define SSL_AES128GCM 0x00000010L 183#define SSL_AES256GCM 0x00000020L 184#define SSL_CHACHA20POLY1305_OLD 0x00000040L 185#define SSL_eNULL 0x00000080L 186#define SSL_CHACHA20POLY1305 0x00000100L 187 188#define SSL_AES (SSL_AES128 | SSL_AES256 | SSL_AES128GCM | SSL_AES256GCM) 189 190/* Bits for |algorithm_mac| (symmetric authentication). */ 191#define SSL_MD5 0x00000001L 192#define SSL_SHA1 0x00000002L 193#define SSL_SHA256 0x00000004L 194#define SSL_SHA384 0x00000008L 195/* SSL_AEAD is set for all AEADs. */ 196#define SSL_AEAD 0x00000010L 197 198/* Bits for |algorithm_prf| (handshake digest). */ 199#define SSL_HANDSHAKE_MAC_DEFAULT 0x1 200#define SSL_HANDSHAKE_MAC_SHA256 0x2 201#define SSL_HANDSHAKE_MAC_SHA384 0x4 202 203/* SSL_MAX_DIGEST is the number of digest types which exist. When adding a new 204 * one, update the table in ssl_cipher.c. */ 205#define SSL_MAX_DIGEST 4 206 207/* ssl_cipher_get_evp_aead sets |*out_aead| to point to the correct EVP_AEAD 208 * object for |cipher| protocol version |version|. It sets |*out_mac_secret_len| 209 * and |*out_fixed_iv_len| to the MAC key length and fixed IV length, 210 * respectively. The MAC key length is zero except for legacy block and stream 211 * ciphers. It returns 1 on success and 0 on error. */ 212int ssl_cipher_get_evp_aead(const EVP_AEAD **out_aead, 213 size_t *out_mac_secret_len, 214 size_t *out_fixed_iv_len, 215 const SSL_CIPHER *cipher, uint16_t version); 216 217/* ssl_get_handshake_digest returns the |EVP_MD| corresponding to 218 * |algorithm_prf|. It returns SHA-1 for |SSL_HANDSHAKE_DEFAULT|. The caller is 219 * responsible for maintaining the additional MD5 digest and switching to 220 * SHA-256 in TLS 1.2. */ 221const EVP_MD *ssl_get_handshake_digest(uint32_t algorithm_prf); 222 223/* ssl_create_cipher_list evaluates |rule_str| according to the ciphers in 224 * |ssl_method|. It sets |*out_cipher_list| to a newly-allocated 225 * |ssl_cipher_preference_list_st| containing the result. 226 * |*out_cipher_list_by_id| is set to a list of selected ciphers sorted by 227 * id. It returns |(*out_cipher_list)->ciphers| on success and NULL on 228 * failure. */ 229STACK_OF(SSL_CIPHER) * 230ssl_create_cipher_list(const SSL_PROTOCOL_METHOD *ssl_method, 231 struct ssl_cipher_preference_list_st **out_cipher_list, 232 STACK_OF(SSL_CIPHER) **out_cipher_list_by_id, 233 const char *rule_str); 234 235/* ssl_cipher_get_value returns the cipher suite id of |cipher|. */ 236uint16_t ssl_cipher_get_value(const SSL_CIPHER *cipher); 237 238/* ssl_cipher_get_key_type returns the |EVP_PKEY_*| value corresponding to the 239 * server key used in |cipher| or |EVP_PKEY_NONE| if there is none. */ 240int ssl_cipher_get_key_type(const SSL_CIPHER *cipher); 241 242/* ssl_cipher_has_server_public_key returns 1 if |cipher| involves a server 243 * public key in the key exchange, sent in a server Certificate message. 244 * Otherwise it returns 0. */ 245int ssl_cipher_has_server_public_key(const SSL_CIPHER *cipher); 246 247/* ssl_cipher_requires_server_key_exchange returns 1 if |cipher| requires a 248 * ServerKeyExchange message. Otherwise it returns 0. 249 * 250 * Unlike |ssl_cipher_has_server_public_key|, this function may return zero 251 * while still allowing |cipher| an optional ServerKeyExchange. This is the 252 * case for plain PSK ciphers. */ 253int ssl_cipher_requires_server_key_exchange(const SSL_CIPHER *cipher); 254 255/* ssl_cipher_get_record_split_len, for TLS 1.0 CBC mode ciphers, returns the 256 * length of an encrypted 1-byte record, for use in record-splitting. Otherwise 257 * it returns zero. */ 258size_t ssl_cipher_get_record_split_len(const SSL_CIPHER *cipher); 259 260 261/* Encryption layer. */ 262 263/* SSL_AEAD_CTX contains information about an AEAD that is being used to encrypt 264 * an SSL connection. */ 265struct ssl_aead_ctx_st { 266 const SSL_CIPHER *cipher; 267 EVP_AEAD_CTX ctx; 268 /* fixed_nonce contains any bytes of the nonce that are fixed for all 269 * records. */ 270 uint8_t fixed_nonce[12]; 271 uint8_t fixed_nonce_len, variable_nonce_len; 272 /* variable_nonce_included_in_record is non-zero if the variable nonce 273 * for a record is included as a prefix before the ciphertext. */ 274 char variable_nonce_included_in_record; 275 /* random_variable_nonce is non-zero if the variable nonce is 276 * randomly generated, rather than derived from the sequence 277 * number. */ 278 char random_variable_nonce; 279 /* omit_length_in_ad is non-zero if the length should be omitted in the 280 * AEAD's ad parameter. */ 281 char omit_length_in_ad; 282 /* omit_version_in_ad is non-zero if the version should be omitted 283 * in the AEAD's ad parameter. */ 284 char omit_version_in_ad; 285 /* xor_fixed_nonce is non-zero if the fixed nonce should be XOR'd into the 286 * variable nonce rather than prepended. */ 287 char xor_fixed_nonce; 288} /* SSL_AEAD_CTX */; 289 290/* SSL_AEAD_CTX_new creates a newly-allocated |SSL_AEAD_CTX| using the supplied 291 * key material. It returns NULL on error. Only one of |SSL_AEAD_CTX_open| or 292 * |SSL_AEAD_CTX_seal| may be used with the resulting object, depending on 293 * |direction|. |version| is the normalized protocol version, so DTLS 1.0 is 294 * represented as 0x0301, not 0xffef. */ 295SSL_AEAD_CTX *SSL_AEAD_CTX_new(enum evp_aead_direction_t direction, 296 uint16_t version, const SSL_CIPHER *cipher, 297 const uint8_t *enc_key, size_t enc_key_len, 298 const uint8_t *mac_key, size_t mac_key_len, 299 const uint8_t *fixed_iv, size_t fixed_iv_len); 300 301/* SSL_AEAD_CTX_free frees |ctx|. */ 302void SSL_AEAD_CTX_free(SSL_AEAD_CTX *ctx); 303 304/* SSL_AEAD_CTX_explicit_nonce_len returns the length of the explicit nonce for 305 * |ctx|, if any. |ctx| may be NULL to denote the null cipher. */ 306size_t SSL_AEAD_CTX_explicit_nonce_len(SSL_AEAD_CTX *ctx); 307 308/* SSL_AEAD_CTX_max_overhead returns the maximum overhead of calling 309 * |SSL_AEAD_CTX_seal|. |ctx| may be NULL to denote the null cipher. */ 310size_t SSL_AEAD_CTX_max_overhead(SSL_AEAD_CTX *ctx); 311 312/* SSL_AEAD_CTX_open authenticates and decrypts |in_len| bytes from |in| and 313 * writes the result to |out|. It returns one on success and zero on 314 * error. |ctx| may be NULL to denote the null cipher. 315 * 316 * If |in| and |out| alias then |out| must be <= |in| + |explicit_nonce_len|. */ 317int SSL_AEAD_CTX_open(SSL_AEAD_CTX *ctx, uint8_t *out, size_t *out_len, 318 size_t max_out, uint8_t type, uint16_t wire_version, 319 const uint8_t seqnum[8], const uint8_t *in, 320 size_t in_len); 321 322/* SSL_AEAD_CTX_seal encrypts and authenticates |in_len| bytes from |in| and 323 * writes the result to |out|. It returns one on success and zero on 324 * error. |ctx| may be NULL to denote the null cipher. 325 * 326 * If |in| and |out| alias then |out| + |explicit_nonce_len| must be <= |in| */ 327int SSL_AEAD_CTX_seal(SSL_AEAD_CTX *ctx, uint8_t *out, size_t *out_len, 328 size_t max_out, uint8_t type, uint16_t wire_version, 329 const uint8_t seqnum[8], const uint8_t *in, 330 size_t in_len); 331 332 333/* DTLS replay bitmap. */ 334 335/* DTLS1_BITMAP maintains a sliding window of 64 sequence numbers to detect 336 * replayed packets. It should be initialized by zeroing every field. */ 337typedef struct dtls1_bitmap_st { 338 /* map is a bit mask of the last 64 sequence numbers. Bit 339 * |1<<i| corresponds to |max_seq_num - i|. */ 340 uint64_t map; 341 /* max_seq_num is the largest sequence number seen so far as a 64-bit 342 * integer. */ 343 uint64_t max_seq_num; 344} DTLS1_BITMAP; 345 346 347/* Record layer. */ 348 349/* ssl_record_prefix_len returns the length of the prefix before the ciphertext 350 * of a record for |ssl|. 351 * 352 * TODO(davidben): Expose this as part of public API once the high-level 353 * buffer-free APIs are available. */ 354size_t ssl_record_prefix_len(const SSL *ssl); 355 356enum ssl_open_record_t { 357 ssl_open_record_success, 358 ssl_open_record_discard, 359 ssl_open_record_partial, 360 ssl_open_record_error, 361}; 362 363/* tls_open_record decrypts a record from |in|. 364 * 365 * On success, it returns |ssl_open_record_success|. It sets |*out_type| to the 366 * record type, |*out_len| to the plaintext length, and writes the record body 367 * to |out|. It sets |*out_consumed| to the number of bytes of |in| consumed. 368 * Note that |*out_len| may be zero. 369 * 370 * If a record was successfully processed but should be discarded, it returns 371 * |ssl_open_record_discard| and sets |*out_consumed| to the number of bytes 372 * consumed. 373 * 374 * If the input did not contain a complete record, it returns 375 * |ssl_open_record_partial|. It sets |*out_consumed| to the total number of 376 * bytes necessary. It is guaranteed that a successful call to |tls_open_record| 377 * will consume at least that many bytes. 378 * 379 * On failure, it returns |ssl_open_record_error| and sets |*out_alert| to an 380 * alert to emit. 381 * 382 * If |in| and |out| alias, |out| must be <= |in| + |ssl_record_prefix_len|. */ 383enum ssl_open_record_t tls_open_record( 384 SSL *ssl, uint8_t *out_type, uint8_t *out, size_t *out_len, 385 size_t *out_consumed, uint8_t *out_alert, size_t max_out, const uint8_t *in, 386 size_t in_len); 387 388/* dtls_open_record implements |tls_open_record| for DTLS. It never returns 389 * |ssl_open_record_partial| but otherwise behaves analogously. */ 390enum ssl_open_record_t dtls_open_record( 391 SSL *ssl, uint8_t *out_type, uint8_t *out, size_t *out_len, 392 size_t *out_consumed, uint8_t *out_alert, size_t max_out, const uint8_t *in, 393 size_t in_len); 394 395/* ssl_seal_prefix_len returns the length of the prefix before the ciphertext 396 * when sealing a record with |ssl|. Note that this value may differ from 397 * |ssl_record_prefix_len| when TLS 1.0 CBC record-splitting is enabled. Sealing 398 * a small record may also result in a smaller output than this value. 399 * 400 * TODO(davidben): Expose this as part of public API once the high-level 401 * buffer-free APIs are available. */ 402size_t ssl_seal_prefix_len(const SSL *ssl); 403 404/* ssl_max_seal_overhead returns the maximum overhead of sealing a record with 405 * |ssl|. This includes |ssl_seal_prefix_len|. 406 * 407 * TODO(davidben): Expose this as part of public API once the high-level 408 * buffer-free APIs are available. */ 409size_t ssl_max_seal_overhead(const SSL *ssl); 410 411/* tls_seal_record seals a new record of type |type| and body |in| and writes it 412 * to |out|. At most |max_out| bytes will be written. It returns one on success 413 * and zero on error. If enabled, |tls_seal_record| implements TLS 1.0 CBC 1/n-1 414 * record splitting and may write two records concatenated. 415 * 416 * For a large record, the ciphertext will begin |ssl_seal_prefix_len| bytes 417 * into out. Aligning |out| appropriately may improve performance. It writes at 418 * most |in_len| + |ssl_max_seal_overhead| bytes to |out|. 419 * 420 * If |in| and |out| alias, |out| + |ssl_seal_prefix_len| must be <= |in|. */ 421int tls_seal_record(SSL *ssl, uint8_t *out, size_t *out_len, size_t max_out, 422 uint8_t type, const uint8_t *in, size_t in_len); 423 424enum dtls1_use_epoch_t { 425 dtls1_use_previous_epoch, 426 dtls1_use_current_epoch, 427}; 428 429/* dtls_seal_record implements |tls_seal_record| for DTLS. |use_epoch| selects 430 * which epoch's cipher state to use. */ 431int dtls_seal_record(SSL *ssl, uint8_t *out, size_t *out_len, size_t max_out, 432 uint8_t type, const uint8_t *in, size_t in_len, 433 enum dtls1_use_epoch_t use_epoch); 434 435 436/* Private key operations. */ 437 438/* ssl_has_private_key returns one if |ssl| has a private key 439 * configured and zero otherwise. */ 440int ssl_has_private_key(SSL *ssl); 441 442/* ssl_private_key_* call the corresponding function on the 443 * |SSL_PRIVATE_KEY_METHOD| for |ssl|, if configured. Otherwise, they implement 444 * the operation with |EVP_PKEY|. */ 445 446int ssl_private_key_type(SSL *ssl); 447 448size_t ssl_private_key_max_signature_len(SSL *ssl); 449 450enum ssl_private_key_result_t ssl_private_key_sign( 451 SSL *ssl, uint8_t *out, size_t *out_len, size_t max_out, const EVP_MD *md, 452 const uint8_t *in, size_t in_len); 453 454enum ssl_private_key_result_t ssl_private_key_sign_complete( 455 SSL *ssl, uint8_t *out, size_t *out_len, size_t max_out); 456 457enum ssl_private_key_result_t ssl_private_key_decrypt( 458 SSL *ssl, uint8_t *out, size_t *out_len, size_t max_out, 459 const uint8_t *in, size_t in_len); 460 461enum ssl_private_key_result_t ssl_private_key_decrypt_complete( 462 SSL *ssl, uint8_t *out, size_t *out_len, size_t max_out); 463 464 465/* Custom extensions */ 466 467/* ssl_custom_extension (a.k.a. SSL_CUSTOM_EXTENSION) is a structure that 468 * contains information about custom-extension callbacks. */ 469struct ssl_custom_extension { 470 SSL_custom_ext_add_cb add_callback; 471 void *add_arg; 472 SSL_custom_ext_free_cb free_callback; 473 SSL_custom_ext_parse_cb parse_callback; 474 void *parse_arg; 475 uint16_t value; 476}; 477 478void SSL_CUSTOM_EXTENSION_free(SSL_CUSTOM_EXTENSION *custom_extension); 479 480int custom_ext_add_clienthello(SSL *ssl, CBB *extensions); 481int custom_ext_parse_serverhello(SSL *ssl, int *out_alert, uint16_t value, 482 const CBS *extension); 483int custom_ext_parse_clienthello(SSL *ssl, int *out_alert, uint16_t value, 484 const CBS *extension); 485int custom_ext_add_serverhello(SSL *ssl, CBB *extensions); 486 487 488/* Handshake hash. 489 * 490 * The TLS handshake maintains a transcript of all handshake messages. At 491 * various points in the protocol, this is either a handshake buffer, a rolling 492 * hash (selected by cipher suite) or both. */ 493 494/* ssl3_init_handshake_buffer initializes the handshake buffer and resets the 495 * handshake hash. It returns one success and zero on failure. */ 496int ssl3_init_handshake_buffer(SSL *ssl); 497 498/* ssl3_init_handshake_hash initializes the handshake hash based on the pending 499 * cipher and the contents of the handshake buffer. Subsequent calls to 500 * |ssl3_update_handshake_hash| will update the rolling hash. It returns one on 501 * success and zero on failure. It is an error to call this function after the 502 * handshake buffer is released. */ 503int ssl3_init_handshake_hash(SSL *ssl); 504 505/* ssl3_free_handshake_buffer releases the handshake buffer. Subsequent calls 506 * to |ssl3_update_handshake_hash| will not update the handshake buffer. */ 507void ssl3_free_handshake_buffer(SSL *ssl); 508 509/* ssl3_free_handshake_hash releases the handshake hash. */ 510void ssl3_free_handshake_hash(SSL *ssl); 511 512/* ssl3_update_handshake_hash adds |in| to the handshake buffer and handshake 513 * hash, whichever is enabled. It returns one on success and zero on failure. */ 514int ssl3_update_handshake_hash(SSL *ssl, const uint8_t *in, size_t in_len); 515 516 517/* ECDH curves. */ 518 519#define SSL_CURVE_SECP256R1 23 520#define SSL_CURVE_SECP384R1 24 521#define SSL_CURVE_SECP521R1 25 522#define SSL_CURVE_ECDH_X25519 29 523 524/* An SSL_ECDH_METHOD is an implementation of ECDH-like key exchanges for 525 * TLS. */ 526struct ssl_ecdh_method_st { 527 int nid; 528 uint16_t curve_id; 529 const char name[8]; 530 531 /* cleanup releases state in |ctx|. */ 532 void (*cleanup)(SSL_ECDH_CTX *ctx); 533 534 /* generate_keypair generates a keypair and writes the public value to 535 * |out_public_key|. It returns one on success and zero on error. */ 536 int (*generate_keypair)(SSL_ECDH_CTX *ctx, CBB *out_public_key); 537 538 /* compute_secret performs a key exchange against |peer_key| and, on 539 * success, returns one and sets |*out_secret| and |*out_secret_len| to 540 * a newly-allocated buffer containing the shared secret. The caller must 541 * release this buffer with |OPENSSL_free|. Otherwise, it returns zero and 542 * sets |*out_alert| to an alert to send to the peer. */ 543 int (*compute_secret)(SSL_ECDH_CTX *ctx, uint8_t **out_secret, 544 size_t *out_secret_len, uint8_t *out_alert, 545 const uint8_t *peer_key, size_t peer_key_len); 546} /* SSL_ECDH_METHOD */; 547 548/* ssl_nid_to_curve_id looks up the curve corresponding to |nid|. On success, it 549 * sets |*out_curve_id| to the curve ID and returns one. Otherwise, it returns 550 * zero. */ 551int ssl_nid_to_curve_id(uint16_t *out_curve_id, int nid); 552 553/* SSL_ECDH_CTX_init sets up |ctx| for use with curve |curve_id|. It returns one 554 * on success and zero on error. */ 555int SSL_ECDH_CTX_init(SSL_ECDH_CTX *ctx, uint16_t curve_id); 556 557/* SSL_ECDH_CTX_init_for_dhe sets up |ctx| for use with legacy DHE-based ciphers 558 * where the server specifies a group. It takes ownership of |params|. */ 559void SSL_ECDH_CTX_init_for_dhe(SSL_ECDH_CTX *ctx, DH *params); 560 561/* SSL_ECDH_CTX_cleanup releases memory associated with |ctx|. It is legal to 562 * call it in the zero state. */ 563void SSL_ECDH_CTX_cleanup(SSL_ECDH_CTX *ctx); 564 565/* The following functions call the corresponding method of 566 * |SSL_ECDH_METHOD|. */ 567int SSL_ECDH_CTX_generate_keypair(SSL_ECDH_CTX *ctx, CBB *out_public_key); 568int SSL_ECDH_CTX_compute_secret(SSL_ECDH_CTX *ctx, uint8_t **out_secret, 569 size_t *out_secret_len, uint8_t *out_alert, 570 const uint8_t *peer_key, size_t peer_key_len); 571 572 573/* Transport buffers. */ 574 575/* ssl_read_buffer returns a pointer to contents of the read buffer. */ 576uint8_t *ssl_read_buffer(SSL *ssl); 577 578/* ssl_read_buffer_len returns the length of the read buffer. */ 579size_t ssl_read_buffer_len(const SSL *ssl); 580 581/* ssl_read_buffer_extend_to extends the read buffer to the desired length. For 582 * TLS, it reads to the end of the buffer until the buffer is |len| bytes 583 * long. For DTLS, it reads a new packet and ignores |len|. It returns one on 584 * success, zero on EOF, and a negative number on error. 585 * 586 * It is an error to call |ssl_read_buffer_extend_to| in DTLS when the buffer is 587 * non-empty. */ 588int ssl_read_buffer_extend_to(SSL *ssl, size_t len); 589 590/* ssl_read_buffer_consume consumes |len| bytes from the read buffer. It 591 * advances the data pointer and decrements the length. The memory consumed will 592 * remain valid until the next call to |ssl_read_buffer_extend| or it is 593 * discarded with |ssl_read_buffer_discard|. */ 594void ssl_read_buffer_consume(SSL *ssl, size_t len); 595 596/* ssl_read_buffer_discard discards the consumed bytes from the read buffer. If 597 * the buffer is now empty, it releases memory used by it. */ 598void ssl_read_buffer_discard(SSL *ssl); 599 600/* ssl_read_buffer_clear releases all memory associated with the read buffer and 601 * zero-initializes it. */ 602void ssl_read_buffer_clear(SSL *ssl); 603 604/* ssl_write_buffer_is_pending returns one if the write buffer has pending data 605 * and zero if is empty. */ 606int ssl_write_buffer_is_pending(const SSL *ssl); 607 608/* ssl_write_buffer_init initializes the write buffer. On success, it sets 609 * |*out_ptr| to the start of the write buffer with space for up to |max_len| 610 * bytes. It returns one on success and zero on failure. Call 611 * |ssl_write_buffer_set_len| to complete initialization. */ 612int ssl_write_buffer_init(SSL *ssl, uint8_t **out_ptr, size_t max_len); 613 614/* ssl_write_buffer_set_len is called after |ssl_write_buffer_init| to complete 615 * initialization after |len| bytes are written to the buffer. */ 616void ssl_write_buffer_set_len(SSL *ssl, size_t len); 617 618/* ssl_write_buffer_flush flushes the write buffer to the transport. It returns 619 * one on success and <= 0 on error. For DTLS, whether or not the write 620 * succeeds, the write buffer will be cleared. */ 621int ssl_write_buffer_flush(SSL *ssl); 622 623/* ssl_write_buffer_clear releases all memory associated with the write buffer 624 * and zero-initializes it. */ 625void ssl_write_buffer_clear(SSL *ssl); 626 627 628/* Underdocumented functions. 629 * 630 * Functions below here haven't been touched up and may be underdocumented. */ 631 632#define c2l(c, l) \ 633 (l = ((unsigned long)(*((c)++))), l |= (((unsigned long)(*((c)++))) << 8), \ 634 l |= (((unsigned long)(*((c)++))) << 16), \ 635 l |= (((unsigned long)(*((c)++))) << 24)) 636 637/* NOTE - c is not incremented as per c2l */ 638#define c2ln(c, l1, l2, n) \ 639 { \ 640 c += n; \ 641 l1 = l2 = 0; \ 642 switch (n) { \ 643 case 8: \ 644 l2 = ((unsigned long)(*(--(c)))) << 24; \ 645 case 7: \ 646 l2 |= ((unsigned long)(*(--(c)))) << 16; \ 647 case 6: \ 648 l2 |= ((unsigned long)(*(--(c)))) << 8; \ 649 case 5: \ 650 l2 |= ((unsigned long)(*(--(c)))); \ 651 case 4: \ 652 l1 = ((unsigned long)(*(--(c)))) << 24; \ 653 case 3: \ 654 l1 |= ((unsigned long)(*(--(c)))) << 16; \ 655 case 2: \ 656 l1 |= ((unsigned long)(*(--(c)))) << 8; \ 657 case 1: \ 658 l1 |= ((unsigned long)(*(--(c)))); \ 659 } \ 660 } 661 662#define l2c(l, c) \ 663 (*((c)++) = (uint8_t)(((l)) & 0xff), \ 664 *((c)++) = (uint8_t)(((l) >> 8) & 0xff), \ 665 *((c)++) = (uint8_t)(((l) >> 16) & 0xff), \ 666 *((c)++) = (uint8_t)(((l) >> 24) & 0xff)) 667 668#define n2l(c, l) \ 669 (l = ((unsigned long)(*((c)++))) << 24, \ 670 l |= ((unsigned long)(*((c)++))) << 16, \ 671 l |= ((unsigned long)(*((c)++))) << 8, l |= ((unsigned long)(*((c)++)))) 672 673#define l2n(l, c) \ 674 (*((c)++) = (uint8_t)(((l) >> 24) & 0xff), \ 675 *((c)++) = (uint8_t)(((l) >> 16) & 0xff), \ 676 *((c)++) = (uint8_t)(((l) >> 8) & 0xff), \ 677 *((c)++) = (uint8_t)(((l)) & 0xff)) 678 679#define l2n8(l, c) \ 680 (*((c)++) = (uint8_t)(((l) >> 56) & 0xff), \ 681 *((c)++) = (uint8_t)(((l) >> 48) & 0xff), \ 682 *((c)++) = (uint8_t)(((l) >> 40) & 0xff), \ 683 *((c)++) = (uint8_t)(((l) >> 32) & 0xff), \ 684 *((c)++) = (uint8_t)(((l) >> 24) & 0xff), \ 685 *((c)++) = (uint8_t)(((l) >> 16) & 0xff), \ 686 *((c)++) = (uint8_t)(((l) >> 8) & 0xff), \ 687 *((c)++) = (uint8_t)(((l)) & 0xff)) 688 689/* NOTE - c is not incremented as per l2c */ 690#define l2cn(l1, l2, c, n) \ 691 { \ 692 c += n; \ 693 switch (n) { \ 694 case 8: \ 695 *(--(c)) = (uint8_t)(((l2) >> 24) & 0xff); \ 696 case 7: \ 697 *(--(c)) = (uint8_t)(((l2) >> 16) & 0xff); \ 698 case 6: \ 699 *(--(c)) = (uint8_t)(((l2) >> 8) & 0xff); \ 700 case 5: \ 701 *(--(c)) = (uint8_t)(((l2)) & 0xff); \ 702 case 4: \ 703 *(--(c)) = (uint8_t)(((l1) >> 24) & 0xff); \ 704 case 3: \ 705 *(--(c)) = (uint8_t)(((l1) >> 16) & 0xff); \ 706 case 2: \ 707 *(--(c)) = (uint8_t)(((l1) >> 8) & 0xff); \ 708 case 1: \ 709 *(--(c)) = (uint8_t)(((l1)) & 0xff); \ 710 } \ 711 } 712 713#define n2s(c, s) \ 714 ((s = (((unsigned int)(c[0])) << 8) | (((unsigned int)(c[1])))), c += 2) 715 716#define s2n(s, c) \ 717 ((c[0] = (uint8_t)(((s) >> 8) & 0xff), \ 718 c[1] = (uint8_t)(((s)) & 0xff)), \ 719 c += 2) 720 721#define n2l3(c, l) \ 722 ((l = (((unsigned long)(c[0])) << 16) | (((unsigned long)(c[1])) << 8) | \ 723 (((unsigned long)(c[2])))), \ 724 c += 3) 725 726#define l2n3(l, c) \ 727 ((c[0] = (uint8_t)(((l) >> 16) & 0xff), \ 728 c[1] = (uint8_t)(((l) >> 8) & 0xff), \ 729 c[2] = (uint8_t)(((l)) & 0xff)), \ 730 c += 3) 731 732/* LOCAL STUFF */ 733 734#define TLSEXT_CHANNEL_ID_SIZE 128 735 736/* Check if an SSL structure is using DTLS */ 737#define SSL_IS_DTLS(ssl) (ssl->method->is_dtls) 738/* See if we need explicit IV */ 739#define SSL_USE_EXPLICIT_IV(ssl) \ 740 (ssl->enc_method->enc_flags & SSL_ENC_FLAG_EXPLICIT_IV) 741/* See if we use signature algorithms extension and signature algorithm before 742 * signatures. */ 743#define SSL_USE_SIGALGS(ssl) (ssl->enc_method->enc_flags & SSL_ENC_FLAG_SIGALGS) 744 745/* From RFC4492, used in encoding the curve type in ECParameters */ 746#define NAMED_CURVE_TYPE 3 747 748enum ssl_hash_message_t { 749 ssl_dont_hash_message, 750 ssl_hash_message, 751}; 752 753/* Structure containing decoded values of signature algorithms extension */ 754typedef struct tls_sigalgs_st { 755 uint8_t rsign; 756 uint8_t rhash; 757} TLS_SIGALGS; 758 759typedef struct cert_st { 760 X509 *x509; 761 EVP_PKEY *privatekey; 762 /* Chain for this certificate */ 763 STACK_OF(X509) *chain; 764 765 /* key_method, if non-NULL, is a set of callbacks to call for private key 766 * operations. */ 767 const SSL_PRIVATE_KEY_METHOD *key_method; 768 769 /* For clients the following masks are of *disabled* key and auth algorithms 770 * based on the current configuration. 771 * 772 * TODO(davidben): Remove these. They get checked twice: when sending the 773 * ClientHello and when processing the ServerHello. */ 774 uint32_t mask_k; 775 uint32_t mask_a; 776 777 DH *dh_tmp; 778 DH *(*dh_tmp_cb)(SSL *ssl, int is_export, int keysize); 779 780 /* peer_sigalgs are the algorithm/hash pairs that the peer supports. These 781 * are taken from the contents of signature algorithms extension for a server 782 * or from the CertificateRequest for a client. */ 783 TLS_SIGALGS *peer_sigalgs; 784 /* peer_sigalgslen is the number of entries in |peer_sigalgs|. */ 785 size_t peer_sigalgslen; 786 787 /* digest_nids, if non-NULL, is the set of digests supported by |privatekey| 788 * in decreasing order of preference. */ 789 int *digest_nids; 790 size_t num_digest_nids; 791 792 /* Certificate setup callback: if set is called whenever a 793 * certificate may be required (client or server). the callback 794 * can then examine any appropriate parameters and setup any 795 * certificates required. This allows advanced applications 796 * to select certificates on the fly: for example based on 797 * supported signature algorithms or curves. */ 798 int (*cert_cb)(SSL *ssl, void *arg); 799 void *cert_cb_arg; 800} CERT; 801 802/* SSL_METHOD is a compatibility structure to support the legacy version-locked 803 * methods. */ 804struct ssl_method_st { 805 /* version, if non-zero, is the only protocol version acceptable to an 806 * SSL_CTX initialized from this method. */ 807 uint16_t version; 808 /* method is the underlying SSL_PROTOCOL_METHOD that initializes the 809 * SSL_CTX. */ 810 const SSL_PROTOCOL_METHOD *method; 811}; 812 813/* Used to hold functions for SSLv2 or SSLv3/TLSv1 functions */ 814struct ssl_protocol_method_st { 815 /* is_dtls is one if the protocol is DTLS and zero otherwise. */ 816 char is_dtls; 817 int (*ssl_new)(SSL *ssl); 818 void (*ssl_free)(SSL *ssl); 819 int (*ssl_accept)(SSL *ssl); 820 int (*ssl_connect)(SSL *ssl); 821 long (*ssl_get_message)(SSL *ssl, int header_state, int body_state, 822 int msg_type, long max, 823 enum ssl_hash_message_t hash_message, int *ok); 824 int (*ssl_read_app_data)(SSL *ssl, uint8_t *buf, int len, int peek); 825 int (*ssl_read_change_cipher_spec)(SSL *ssl); 826 void (*ssl_read_close_notify)(SSL *ssl); 827 int (*ssl_write_app_data)(SSL *ssl, const void *buf_, int len); 828 int (*ssl_dispatch_alert)(SSL *ssl); 829 /* supports_cipher returns one if |cipher| is supported by this protocol and 830 * zero otherwise. */ 831 int (*supports_cipher)(const SSL_CIPHER *cipher); 832 /* Handshake header length */ 833 unsigned int hhlen; 834 /* Set the handshake header */ 835 int (*set_handshake_header)(SSL *ssl, int type, unsigned long len); 836 /* Write out handshake message */ 837 int (*do_write)(SSL *ssl); 838}; 839 840/* This is for the SSLv3/TLSv1.0 differences in crypto/hash stuff It is a bit 841 * of a mess of functions, but hell, think of it as an opaque structure. */ 842struct ssl3_enc_method { 843 int (*prf)(SSL *, uint8_t *, size_t, const uint8_t *, size_t, const char *, 844 size_t, const uint8_t *, size_t, const uint8_t *, size_t); 845 int (*setup_key_block)(SSL *); 846 int (*generate_master_secret)(SSL *, uint8_t *, const uint8_t *, size_t); 847 int (*change_cipher_state)(SSL *, int); 848 int (*final_finish_mac)(SSL *, const char *, int, uint8_t *); 849 int (*cert_verify_mac)(SSL *, int, uint8_t *); 850 const char *client_finished_label; 851 int client_finished_label_len; 852 const char *server_finished_label; 853 int server_finished_label_len; 854 int (*alert_value)(int); 855 int (*export_keying_material)(SSL *, uint8_t *, size_t, const char *, size_t, 856 const uint8_t *, size_t, int use_context); 857 /* Various flags indicating protocol version requirements */ 858 unsigned int enc_flags; 859}; 860 861#define SSL_HM_HEADER_LENGTH(ssl) ssl->method->hhlen 862#define ssl_handshake_start(ssl) \ 863 (((uint8_t *)ssl->init_buf->data) + ssl->method->hhlen) 864#define ssl_set_handshake_header(ssl, htype, len) \ 865 ssl->method->set_handshake_header(ssl, htype, len) 866#define ssl_do_write(ssl) ssl->method->do_write(ssl) 867 868/* Values for enc_flags */ 869 870/* Uses explicit IV for CBC mode */ 871#define SSL_ENC_FLAG_EXPLICIT_IV 0x1 872/* Uses signature algorithms extension */ 873#define SSL_ENC_FLAG_SIGALGS 0x2 874/* Uses SHA256 default PRF */ 875#define SSL_ENC_FLAG_SHA256_PRF 0x4 876 877/* lengths of messages */ 878#define DTLS1_COOKIE_LENGTH 256 879 880#define DTLS1_RT_HEADER_LENGTH 13 881 882#define DTLS1_HM_HEADER_LENGTH 12 883 884#define DTLS1_CCS_HEADER_LENGTH 1 885 886#define DTLS1_AL_HEADER_LENGTH 2 887 888/* TODO(davidben): This structure is used for both incoming messages and 889 * outgoing messages. |is_ccs| and |epoch| are only used in the latter and 890 * should be moved elsewhere. */ 891struct hm_header_st { 892 uint8_t type; 893 uint32_t msg_len; 894 uint16_t seq; 895 uint32_t frag_off; 896 uint32_t frag_len; 897 int is_ccs; 898 /* epoch, for buffered outgoing messages, is the epoch the message was 899 * originally sent in. */ 900 uint16_t epoch; 901}; 902 903/* TODO(davidben): This structure is used for both incoming messages and 904 * outgoing messages. |fragment| and |reassembly| are only used in the former 905 * and should be moved elsewhere. */ 906typedef struct hm_fragment_st { 907 struct hm_header_st msg_header; 908 uint8_t *fragment; 909 uint8_t *reassembly; 910} hm_fragment; 911 912typedef struct dtls1_state_st { 913 /* send_cookie is true if we are resending the ClientHello 914 * with a cookie from a HelloVerifyRequest. */ 915 unsigned int send_cookie; 916 917 uint8_t cookie[DTLS1_COOKIE_LENGTH]; 918 size_t cookie_len; 919 920 /* The current data and handshake epoch. This is initially undefined, and 921 * starts at zero once the initial handshake is completed. */ 922 uint16_t r_epoch; 923 uint16_t w_epoch; 924 925 /* records being received in the current epoch */ 926 DTLS1_BITMAP bitmap; 927 928 /* handshake message numbers. 929 * TODO(davidben): It doesn't make much sense to store both of these. Only 930 * store one. */ 931 uint16_t handshake_write_seq; 932 uint16_t next_handshake_write_seq; 933 934 uint16_t handshake_read_seq; 935 936 /* save last sequence number for retransmissions */ 937 uint8_t last_write_sequence[8]; 938 939 /* buffered_messages is a priority queue of incoming handshake messages that 940 * have yet to be processed. 941 * 942 * TODO(davidben): This data structure may as well be a ring buffer of fixed 943 * size. */ 944 pqueue buffered_messages; 945 946 /* send_messages is a priority queue of outgoing handshake messages sent in 947 * the most recent handshake flight. 948 * 949 * TODO(davidben): This data structure may as well be a STACK_OF(T). */ 950 pqueue sent_messages; 951 952 unsigned int mtu; /* max DTLS packet size */ 953 954 struct hm_header_st w_msg_hdr; 955 956 /* num_timeouts is the number of times the retransmit timer has fired since 957 * the last time it was reset. */ 958 unsigned int num_timeouts; 959 960 /* Indicates when the last handshake msg or heartbeat sent will 961 * timeout. */ 962 struct timeval next_timeout; 963 964 /* Timeout duration */ 965 unsigned short timeout_duration; 966} DTLS1_STATE; 967 968extern const SSL3_ENC_METHOD TLSv1_enc_data; 969extern const SSL3_ENC_METHOD TLSv1_1_enc_data; 970extern const SSL3_ENC_METHOD TLSv1_2_enc_data; 971extern const SSL3_ENC_METHOD SSLv3_enc_data; 972extern const SRTP_PROTECTION_PROFILE kSRTPProfiles[]; 973 974void ssl_clear_cipher_ctx(SSL *ssl); 975int ssl_clear_bad_session(SSL *ssl); 976CERT *ssl_cert_new(void); 977CERT *ssl_cert_dup(CERT *cert); 978void ssl_cert_clear_certs(CERT *c); 979void ssl_cert_free(CERT *c); 980int ssl_get_new_session(SSL *ssl, int is_server); 981 982enum ssl_session_result_t { 983 ssl_session_success, 984 ssl_session_error, 985 ssl_session_retry, 986}; 987 988/* ssl_get_prev_session looks up the previous session based on |ctx|. On 989 * success, it sets |*out_session| to the session or NULL if none was found. It 990 * sets |*out_send_ticket| to whether a ticket should be sent at the end of the 991 * handshake. If the session could not be looked up synchronously, it returns 992 * |ssl_session_retry| and should be called again. Otherwise, it returns 993 * |ssl_session_error|. */ 994enum ssl_session_result_t ssl_get_prev_session( 995 SSL *ssl, SSL_SESSION **out_session, int *out_send_ticket, 996 const struct ssl_early_callback_ctx *ctx); 997 998STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *ssl, const CBS *cbs); 999void ssl_cipher_preference_list_free( 1000 struct ssl_cipher_preference_list_st *cipher_list); 1001struct ssl_cipher_preference_list_st *ssl_get_cipher_preferences(SSL *ssl); 1002 1003int ssl_cert_set0_chain(CERT *cert, STACK_OF(X509) *chain); 1004int ssl_cert_set1_chain(CERT *cert, STACK_OF(X509) *chain); 1005int ssl_cert_add0_chain_cert(CERT *cert, X509 *x509); 1006int ssl_cert_add1_chain_cert(CERT *cert, X509 *x509); 1007void ssl_cert_set_cert_cb(CERT *cert, 1008 int (*cb)(SSL *ssl, void *arg), void *arg); 1009 1010int ssl_verify_cert_chain(SSL *ssl, STACK_OF(X509) *cert_chain); 1011int ssl_add_cert_chain(SSL *ssl, unsigned long *l); 1012void ssl_update_cache(SSL *ssl, int mode); 1013 1014/* ssl_get_compatible_server_ciphers determines the key exchange and 1015 * authentication cipher suite masks compatible with the server configuration 1016 * and current ClientHello parameters of |ssl|. It sets |*out_mask_k| to the key 1017 * exchange mask and |*out_mask_a| to the authentication mask. */ 1018void ssl_get_compatible_server_ciphers(SSL *ssl, uint32_t *out_mask_k, 1019 uint32_t *out_mask_a); 1020 1021STACK_OF(SSL_CIPHER) *ssl_get_ciphers_by_id(SSL *ssl); 1022int ssl_verify_alarm_type(long type); 1023 1024/* ssl_fill_hello_random fills a client_random or server_random field of length 1025 * |len|. It returns one on success and zero on failure. */ 1026int ssl_fill_hello_random(uint8_t *out, size_t len, int is_server); 1027 1028int ssl3_send_server_certificate(SSL *ssl); 1029int ssl3_send_new_session_ticket(SSL *ssl); 1030int ssl3_send_certificate_status(SSL *ssl); 1031int ssl3_get_finished(SSL *ssl, int state_a, int state_b); 1032int ssl3_send_change_cipher_spec(SSL *ssl, int state_a, int state_b); 1033int ssl3_prf(SSL *ssl, uint8_t *out, size_t out_len, const uint8_t *secret, 1034 size_t secret_len, const char *label, size_t label_len, 1035 const uint8_t *seed1, size_t seed1_len, 1036 const uint8_t *seed2, size_t seed2_len); 1037void ssl3_cleanup_key_block(SSL *ssl); 1038int ssl3_do_write(SSL *ssl, int type); 1039int ssl3_send_alert(SSL *ssl, int level, int desc); 1040int ssl3_get_req_cert_type(SSL *ssl, uint8_t *p); 1041long ssl3_get_message(SSL *ssl, int header_state, int body_state, int msg_type, 1042 long max, enum ssl_hash_message_t hash_message, int *ok); 1043 1044/* ssl3_hash_current_message incorporates the current handshake message into the 1045 * handshake hash. It returns one on success and zero on allocation failure. */ 1046int ssl3_hash_current_message(SSL *ssl); 1047 1048/* ssl3_cert_verify_hash writes the CertificateVerify hash into the bytes 1049 * pointed to by |out| and writes the number of bytes to |*out_len|. |out| must 1050 * have room for EVP_MAX_MD_SIZE bytes. For TLS 1.2 and up, |*out_md| is used 1051 * for the hash function, otherwise the hash function depends on |pkey_type| 1052 * and is written to |*out_md|. It returns one on success and zero on 1053 * failure. */ 1054int ssl3_cert_verify_hash(SSL *ssl, uint8_t *out, size_t *out_len, 1055 const EVP_MD **out_md, int pkey_type); 1056 1057int ssl3_send_finished(SSL *ssl, int a, int b, const char *sender, int slen); 1058int ssl3_supports_cipher(const SSL_CIPHER *cipher); 1059int ssl3_dispatch_alert(SSL *ssl); 1060int ssl3_read_app_data(SSL *ssl, uint8_t *buf, int len, int peek); 1061int ssl3_read_change_cipher_spec(SSL *ssl); 1062void ssl3_read_close_notify(SSL *ssl); 1063int ssl3_read_bytes(SSL *ssl, int type, uint8_t *buf, int len, int peek); 1064int ssl3_write_app_data(SSL *ssl, const void *buf, int len); 1065int ssl3_write_bytes(SSL *ssl, int type, const void *buf, int len); 1066int ssl3_final_finish_mac(SSL *ssl, const char *sender, int slen, uint8_t *p); 1067int ssl3_cert_verify_mac(SSL *ssl, int md_nid, uint8_t *p); 1068int ssl3_output_cert_chain(SSL *ssl); 1069const SSL_CIPHER *ssl3_choose_cipher( 1070 SSL *ssl, STACK_OF(SSL_CIPHER) *clnt, 1071 struct ssl_cipher_preference_list_st *srvr); 1072 1073int ssl3_new(SSL *ssl); 1074void ssl3_free(SSL *ssl); 1075int ssl3_accept(SSL *ssl); 1076int ssl3_connect(SSL *ssl); 1077 1078/* ssl3_record_sequence_update increments the sequence number in |seq|. It 1079 * returns one on success and zero on wraparound. */ 1080int ssl3_record_sequence_update(uint8_t *seq, size_t seq_len); 1081 1082int ssl3_do_change_cipher_spec(SSL *ssl); 1083 1084int ssl3_set_handshake_header(SSL *ssl, int htype, unsigned long len); 1085int ssl3_handshake_write(SSL *ssl); 1086 1087int dtls1_do_handshake_write(SSL *ssl, enum dtls1_use_epoch_t use_epoch); 1088int dtls1_read_app_data(SSL *ssl, uint8_t *buf, int len, int peek); 1089int dtls1_read_change_cipher_spec(SSL *ssl); 1090void dtls1_read_close_notify(SSL *ssl); 1091int dtls1_read_bytes(SSL *ssl, int type, uint8_t *buf, int len, int peek); 1092void dtls1_set_message_header(SSL *ssl, uint8_t mt, unsigned long len, 1093 unsigned short seq_num, unsigned long frag_off, 1094 unsigned long frag_len); 1095 1096int dtls1_write_app_data(SSL *ssl, const void *buf, int len); 1097int dtls1_write_bytes(SSL *ssl, int type, const void *buf, int len, 1098 enum dtls1_use_epoch_t use_epoch); 1099 1100int dtls1_send_change_cipher_spec(SSL *ssl, int a, int b); 1101int dtls1_send_finished(SSL *ssl, int a, int b, const char *sender, int slen); 1102int dtls1_read_failed(SSL *ssl, int code); 1103int dtls1_buffer_message(SSL *ssl); 1104int dtls1_retransmit_buffered_messages(SSL *ssl); 1105void dtls1_clear_record_buffer(SSL *ssl); 1106void dtls1_get_message_header(uint8_t *data, struct hm_header_st *msg_hdr); 1107int dtls1_check_timeout_num(SSL *ssl); 1108int dtls1_set_handshake_header(SSL *ssl, int type, unsigned long len); 1109int dtls1_handshake_write(SSL *ssl); 1110 1111int dtls1_supports_cipher(const SSL_CIPHER *cipher); 1112void dtls1_start_timer(SSL *ssl); 1113void dtls1_stop_timer(SSL *ssl); 1114int dtls1_is_timer_expired(SSL *ssl); 1115void dtls1_double_timeout(SSL *ssl); 1116unsigned int dtls1_min_mtu(void); 1117void dtls1_hm_fragment_free(hm_fragment *frag); 1118 1119/* some client-only functions */ 1120int ssl3_send_client_hello(SSL *ssl); 1121int ssl3_get_server_hello(SSL *ssl); 1122int ssl3_get_certificate_request(SSL *ssl); 1123int ssl3_get_new_session_ticket(SSL *ssl); 1124int ssl3_get_cert_status(SSL *ssl); 1125int ssl3_get_server_done(SSL *ssl); 1126int ssl3_send_cert_verify(SSL *ssl); 1127int ssl3_send_client_certificate(SSL *ssl); 1128int ssl_do_client_cert_cb(SSL *ssl, X509 **px509, EVP_PKEY **ppkey); 1129int ssl3_send_client_key_exchange(SSL *ssl); 1130int ssl3_get_server_key_exchange(SSL *ssl); 1131int ssl3_get_server_certificate(SSL *ssl); 1132int ssl3_send_next_proto(SSL *ssl); 1133int ssl3_send_channel_id(SSL *ssl); 1134int ssl3_verify_server_cert(SSL *ssl); 1135 1136/* some server-only functions */ 1137int ssl3_get_initial_bytes(SSL *ssl); 1138int ssl3_get_v2_client_hello(SSL *ssl); 1139int ssl3_get_client_hello(SSL *ssl); 1140int ssl3_send_server_hello(SSL *ssl); 1141int ssl3_send_server_key_exchange(SSL *ssl); 1142int ssl3_send_certificate_request(SSL *ssl); 1143int ssl3_send_server_done(SSL *ssl); 1144int ssl3_get_client_certificate(SSL *ssl); 1145int ssl3_get_client_key_exchange(SSL *ssl); 1146int ssl3_get_cert_verify(SSL *ssl); 1147int ssl3_get_next_proto(SSL *ssl); 1148int ssl3_get_channel_id(SSL *ssl); 1149 1150int dtls1_new(SSL *ssl); 1151int dtls1_accept(SSL *ssl); 1152int dtls1_connect(SSL *ssl); 1153void dtls1_free(SSL *ssl); 1154 1155long dtls1_get_message(SSL *ssl, int st1, int stn, int mt, long max, 1156 enum ssl_hash_message_t hash_message, int *ok); 1157int dtls1_dispatch_alert(SSL *ssl); 1158 1159int ssl_init_wbio_buffer(SSL *ssl, int push); 1160void ssl_free_wbio_buffer(SSL *ssl); 1161 1162/* tls1_prf computes the TLS PRF function for |ssl| as described in RFC 5246, 1163 * section 5 and RFC 2246 section 5. It writes |out_len| bytes to |out|, using 1164 * |secret| as the secret and |label| as the label. |seed1| and |seed2| are 1165 * concatenated to form the seed parameter. It returns one on success and zero 1166 * on failure. */ 1167int tls1_prf(SSL *ssl, uint8_t *out, size_t out_len, const uint8_t *secret, 1168 size_t secret_len, const char *label, size_t label_len, 1169 const uint8_t *seed1, size_t seed1_len, 1170 const uint8_t *seed2, size_t seed2_len); 1171 1172int tls1_change_cipher_state(SSL *ssl, int which); 1173int tls1_setup_key_block(SSL *ssl); 1174int tls1_handshake_digest(SSL *ssl, uint8_t *out, size_t out_len); 1175int tls1_final_finish_mac(SSL *ssl, const char *str, int slen, uint8_t *p); 1176int tls1_cert_verify_mac(SSL *ssl, int md_nid, uint8_t *p); 1177int tls1_generate_master_secret(SSL *ssl, uint8_t *out, const uint8_t *premaster, 1178 size_t premaster_len); 1179int tls1_export_keying_material(SSL *ssl, uint8_t *out, size_t out_len, 1180 const char *label, size_t label_len, 1181 const uint8_t *context, size_t context_len, 1182 int use_context); 1183int tls1_alert_code(int code); 1184int ssl3_alert_code(int code); 1185 1186char ssl_early_callback_init(struct ssl_early_callback_ctx *ctx); 1187 1188/* tls1_check_curve_id returns one if |curve_id| is consistent with both our 1189 * and the peer's curve preferences. Note: if called as the client, only our 1190 * preferences are checked; the peer (the server) does not send preferences. */ 1191int tls1_check_curve_id(SSL *ssl, uint16_t curve_id); 1192 1193/* tls1_get_shared_curve sets |*out_curve_id| to the first preferred shared 1194 * curve between client and server preferences and returns one. If none may be 1195 * found, it returns zero. */ 1196int tls1_get_shared_curve(SSL *ssl, uint16_t *out_curve_id); 1197 1198/* tls1_set_curves converts the array of |ncurves| NIDs pointed to by |curves| 1199 * into a newly allocated array of TLS curve IDs. On success, the function 1200 * returns one and writes the array to |*out_curve_ids| and its size to 1201 * |*out_curve_ids_len|. Otherwise, it returns zero. */ 1202int tls1_set_curves(uint16_t **out_curve_ids, size_t *out_curve_ids_len, 1203 const int *curves, size_t ncurves); 1204 1205/* tls1_check_ec_cert returns one if |x| is an ECC certificate with curve and 1206 * point format compatible with the client's preferences. Otherwise it returns 1207 * zero. */ 1208int tls1_check_ec_cert(SSL *ssl, X509 *x); 1209 1210/* ssl_add_clienthello_tlsext writes ClientHello extensions to |out|. It 1211 * returns one on success and zero on failure. The |header_len| argument is the 1212 * length of the ClientHello written so far and is used to compute the padding 1213 * length. (It does not include the record header.) */ 1214int ssl_add_clienthello_tlsext(SSL *ssl, CBB *out, size_t header_len); 1215 1216int ssl_add_serverhello_tlsext(SSL *ssl, CBB *out); 1217int ssl_parse_clienthello_tlsext(SSL *ssl, CBS *cbs); 1218int ssl_parse_serverhello_tlsext(SSL *ssl, CBS *cbs); 1219 1220#define tlsext_tick_md EVP_sha256 1221 1222/* tls_process_ticket processes the session ticket extension. On success, it 1223 * sets |*out_session| to the decrypted session or NULL if the ticket was 1224 * rejected. It sets |*out_send_ticket| to whether a new ticket should be sent 1225 * at the end of the handshake. It returns one on success and zero on fatal 1226 * error. */ 1227int tls_process_ticket(SSL *ssl, SSL_SESSION **out_session, 1228 int *out_send_ticket, const uint8_t *ticket, 1229 size_t ticket_len, const uint8_t *session_id, 1230 size_t session_id_len); 1231 1232/* tls12_add_sigandhash assembles the SignatureAndHashAlgorithm corresponding to 1233 * |ssl|'s private key and |md|. The two-byte value is written to |out|. It 1234 * returns one on success and zero on failure. */ 1235int tls12_add_sigandhash(SSL *ssl, CBB *out, const EVP_MD *md); 1236 1237int tls12_get_sigid(int pkey_type); 1238const EVP_MD *tls12_get_hash(uint8_t hash_alg); 1239 1240/* tls1_channel_id_hash computes the hash to be signed by Channel ID and writes 1241 * it to |out|, which must contain at least |EVP_MAX_MD_SIZE| bytes. It returns 1242 * one on success and zero on failure. */ 1243int tls1_channel_id_hash(SSL *ssl, uint8_t *out, size_t *out_len); 1244 1245int tls1_record_handshake_hashes_for_channel_id(SSL *ssl); 1246 1247/* ssl_log_rsa_client_key_exchange logs |premaster|, if logging is enabled for 1248 * |ssl|. It returns one on success and zero on failure. The entry is identified 1249 * by the first 8 bytes of |encrypted_premaster|. */ 1250int ssl_log_rsa_client_key_exchange(const SSL *ssl, 1251 const uint8_t *encrypted_premaster, 1252 size_t encrypted_premaster_len, 1253 const uint8_t *premaster, 1254 size_t premaster_len); 1255 1256/* ssl_log_master_secret logs |master|, if logging is enabled for |ssl|. It 1257 * returns one on success and zero on failure. The entry is identified by 1258 * |client_random|. */ 1259int ssl_log_master_secret(const SSL *ssl, const uint8_t *client_random, 1260 size_t client_random_len, const uint8_t *master, 1261 size_t master_len); 1262 1263/* ssl3_can_false_start returns one if |ssl| is allowed to False Start and zero 1264 * otherwise. */ 1265int ssl3_can_false_start(const SSL *ssl); 1266 1267/* ssl3_get_enc_method returns the SSL3_ENC_METHOD corresponding to 1268 * |version|. */ 1269const SSL3_ENC_METHOD *ssl3_get_enc_method(uint16_t version); 1270 1271/* ssl3_get_max_server_version returns the maximum SSL/TLS version number 1272 * supported by |ssl| as a server, or zero if all versions are disabled. */ 1273uint16_t ssl3_get_max_server_version(const SSL *ssl); 1274 1275/* ssl3_get_mutual_version selects the protocol version on |ssl| for a client 1276 * which advertises |client_version|. If no suitable version exists, it returns 1277 * zero. */ 1278uint16_t ssl3_get_mutual_version(SSL *ssl, uint16_t client_version); 1279 1280/* ssl3_get_max_client_version returns the maximum protocol version configured 1281 * for the client. It is guaranteed that the set of allowed versions at or below 1282 * this maximum version is contiguous. If all versions are disabled, it returns 1283 * zero. */ 1284uint16_t ssl3_get_max_client_version(SSL *ssl); 1285 1286/* ssl3_is_version_enabled returns one if |version| is an enabled protocol 1287 * version for |ssl| and zero otherwise. */ 1288int ssl3_is_version_enabled(SSL *ssl, uint16_t version); 1289 1290/* ssl3_version_from_wire maps |wire_version| to a protocol version. For 1291 * SSLv3/TLS, the version is returned as-is. For DTLS, the corresponding TLS 1292 * version is used. Note that this mapping is not injective but preserves 1293 * comparisons. 1294 * 1295 * TODO(davidben): To normalize some DTLS-specific code, move away from using 1296 * the wire version except at API boundaries. */ 1297uint16_t ssl3_version_from_wire(SSL *ssl, uint16_t wire_version); 1298 1299uint32_t ssl_get_algorithm_prf(SSL *ssl); 1300int tls1_parse_peer_sigalgs(SSL *ssl, const CBS *sigalgs); 1301 1302/* tls1_choose_signing_digest returns a digest for use with |ssl|'s private key 1303 * based on the peer's preferences the digests supported. */ 1304const EVP_MD *tls1_choose_signing_digest(SSL *ssl); 1305 1306size_t tls12_get_psigalgs(SSL *ssl, const uint8_t **psigs); 1307 1308/* tls12_check_peer_sigalg checks that |hash| and |signature| are consistent 1309 * with |pkey| and |ssl|'s sent, supported signature algorithms and, if so, 1310 * writes the relevant digest into |*out_md| and returns 1. Otherwise it 1311 * returns 0 and writes an alert into |*out_alert|. */ 1312int tls12_check_peer_sigalg(SSL *ssl, const EVP_MD **out_md, int *out_alert, 1313 uint8_t hash, uint8_t signature, EVP_PKEY *pkey); 1314void ssl_set_client_disabled(SSL *ssl); 1315 1316#endif /* OPENSSL_HEADER_SSL_INTERNAL_H */ 1317