1 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
2 * All rights reserved.
3 *
4 * This package is an SSL implementation written
5 * by Eric Young (eay@cryptsoft.com).
6 * The implementation was written so as to conform with Netscapes SSL.
7 *
8 * This library is free for commercial and non-commercial use as long as
9 * the following conditions are aheared to. The following conditions
10 * apply to all code found in this distribution, be it the RC4, RSA,
11 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
12 * included with this distribution is covered by the same copyright terms
13 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
14 *
15 * Copyright remains Eric Young's, and as such any Copyright notices in
16 * the code are not to be removed.
17 * If this package is used in a product, Eric Young should be given attribution
18 * as the author of the parts of the library used.
19 * This can be in the form of a textual message at program startup or
20 * in documentation (online or textual) provided with the package.
21 *
22 * Redistribution and use in source and binary forms, with or without
23 * modification, are permitted provided that the following conditions
24 * are met:
25 * 1. Redistributions of source code must retain the copyright
26 * notice, this list of conditions and the following disclaimer.
27 * 2. Redistributions in binary form must reproduce the above copyright
28 * notice, this list of conditions and the following disclaimer in the
29 * documentation and/or other materials provided with the distribution.
30 * 3. All advertising materials mentioning features or use of this software
31 * must display the following acknowledgement:
32 * "This product includes cryptographic software written by
33 * Eric Young (eay@cryptsoft.com)"
34 * The word 'cryptographic' can be left out if the rouines from the library
35 * being used are not cryptographic related :-).
36 * 4. If you include any Windows specific code (or a derivative thereof) from
37 * the apps directory (application code) you must include an acknowledgement:
38 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
39 *
40 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
41 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
43 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
44 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
45 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
46 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
48 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
49 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
50 * SUCH DAMAGE.
51 *
52 * The licence and distribution terms for any publically available version or
53 * derivative of this code cannot be changed. i.e. this code cannot simply be
54 * copied and put under another distribution licence
55 * [including the GNU Public Licence.]
56 */
57 /* ====================================================================
58 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
59 *
60 * Redistribution and use in source and binary forms, with or without
61 * modification, are permitted provided that the following conditions
62 * are met:
63 *
64 * 1. Redistributions of source code must retain the above copyright
65 * notice, this list of conditions and the following disclaimer.
66 *
67 * 2. Redistributions in binary form must reproduce the above copyright
68 * notice, this list of conditions and the following disclaimer in
69 * the documentation and/or other materials provided with the
70 * distribution.
71 *
72 * 3. All advertising materials mentioning features or use of this
73 * software must display the following acknowledgment:
74 * "This product includes software developed by the OpenSSL Project
75 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
76 *
77 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
78 * endorse or promote products derived from this software without
79 * prior written permission. For written permission, please contact
80 * openssl-core@openssl.org.
81 *
82 * 5. Products derived from this software may not be called "OpenSSL"
83 * nor may "OpenSSL" appear in their names without prior written
84 * permission of the OpenSSL Project.
85 *
86 * 6. Redistributions of any form whatsoever must retain the following
87 * acknowledgment:
88 * "This product includes software developed by the OpenSSL Project
89 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
90 *
91 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
92 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
93 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
94 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
95 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
96 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
97 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
98 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
99 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
100 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
101 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
102 * OF THE POSSIBILITY OF SUCH DAMAGE.
103 * ====================================================================
104 *
105 * This product includes cryptographic software written by Eric Young
106 * (eay@cryptsoft.com). This product includes software written by Tim
107 * Hudson (tjh@cryptsoft.com).
108 *
109 */
110 /* ====================================================================
111 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
112 * ECC cipher suite support in OpenSSL originally developed by
113 * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
114 */
115 /* ====================================================================
116 * Copyright 2005 Nokia. All rights reserved.
117 *
118 * The portions of the attached software ("Contribution") is developed by
119 * Nokia Corporation and is licensed pursuant to the OpenSSL open source
120 * license.
121 *
122 * The Contribution, originally written by Mika Kousa and Pasi Eronen of
123 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
124 * support (see RFC 4279) to OpenSSL.
125 *
126 * No patent licenses or other rights except those expressly stated in
127 * the OpenSSL open source license shall be deemed granted or received
128 * expressly, by implication, estoppel, or otherwise.
129 *
130 * No assurances are provided by Nokia that the Contribution does not
131 * infringe the patent or other intellectual property rights of any third
132 * party or that the license provides you with all the necessary rights
133 * to make use of the Contribution.
134 *
135 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
136 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
137 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
138 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
139 * OTHERWISE. */
140
141 #include <openssl/ssl.h>
142
143 #include <assert.h>
144 #include <stdlib.h>
145 #include <string.h>
146
147 #include <openssl/bytestring.h>
148 #include <openssl/crypto.h>
149 #include <openssl/err.h>
150 #include <openssl/lhash.h>
151 #include <openssl/mem.h>
152 #include <openssl/rand.h>
153
154 #include "internal.h"
155 #include "../crypto/internal.h"
156
157 #if defined(OPENSSL_WINDOWS)
158 #include <sys/timeb.h>
159 #else
160 #include <sys/socket.h>
161 #include <sys/time.h>
162 #endif
163
164
165 BSSL_NAMESPACE_BEGIN
166
167 // |SSL_R_UNKNOWN_PROTOCOL| is no longer emitted, but continue to define it
168 // to avoid downstream churn.
169 OPENSSL_DECLARE_ERROR_REASON(SSL, UNKNOWN_PROTOCOL)
170
171 // The following errors are no longer emitted, but are used in nginx without
172 // #ifdefs.
173 OPENSSL_DECLARE_ERROR_REASON(SSL, BLOCK_CIPHER_PAD_IS_WRONG)
174 OPENSSL_DECLARE_ERROR_REASON(SSL, NO_CIPHERS_SPECIFIED)
175
176 // Some error codes are special. Ensure the make_errors.go script never
177 // regresses this.
178 static_assert(SSL_R_TLSV1_ALERT_NO_RENEGOTIATION ==
179 SSL_AD_NO_RENEGOTIATION + SSL_AD_REASON_OFFSET,
180 "alert reason code mismatch");
181
182 // kMaxHandshakeSize is the maximum size, in bytes, of a handshake message.
183 static const size_t kMaxHandshakeSize = (1u << 24) - 1;
184
185 static CRYPTO_EX_DATA_CLASS g_ex_data_class_ssl =
186 CRYPTO_EX_DATA_CLASS_INIT_WITH_APP_DATA;
187 static CRYPTO_EX_DATA_CLASS g_ex_data_class_ssl_ctx =
188 CRYPTO_EX_DATA_CLASS_INIT_WITH_APP_DATA;
189
CBBFinishArray(CBB * cbb,Array<uint8_t> * out)190 bool CBBFinishArray(CBB *cbb, Array<uint8_t> *out) {
191 uint8_t *ptr;
192 size_t len;
193 if (!CBB_finish(cbb, &ptr, &len)) {
194 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
195 return false;
196 }
197 out->Reset(ptr, len);
198 return true;
199 }
200
ssl_reset_error_state(SSL * ssl)201 void ssl_reset_error_state(SSL *ssl) {
202 // Functions which use |SSL_get_error| must reset I/O and error state on
203 // entry.
204 ssl->s3->rwstate = SSL_NOTHING;
205 ERR_clear_error();
206 ERR_clear_system_error();
207 }
208
ssl_set_read_error(SSL * ssl)209 void ssl_set_read_error(SSL* ssl) {
210 ssl->s3->read_shutdown = ssl_shutdown_error;
211 ssl->s3->read_error.reset(ERR_save_state());
212 }
213
check_read_error(const SSL * ssl)214 static bool check_read_error(const SSL *ssl) {
215 if (ssl->s3->read_shutdown == ssl_shutdown_error) {
216 ERR_restore_state(ssl->s3->read_error.get());
217 return false;
218 }
219 return true;
220 }
221
ssl_can_write(const SSL * ssl)222 bool ssl_can_write(const SSL *ssl) {
223 return !SSL_in_init(ssl) || ssl->s3->hs->can_early_write;
224 }
225
ssl_can_read(const SSL * ssl)226 bool ssl_can_read(const SSL *ssl) {
227 return !SSL_in_init(ssl) || ssl->s3->hs->can_early_read;
228 }
229
ssl_open_handshake(SSL * ssl,size_t * out_consumed,uint8_t * out_alert,Span<uint8_t> in)230 ssl_open_record_t ssl_open_handshake(SSL *ssl, size_t *out_consumed,
231 uint8_t *out_alert, Span<uint8_t> in) {
232 *out_consumed = 0;
233 if (!check_read_error(ssl)) {
234 *out_alert = 0;
235 return ssl_open_record_error;
236 }
237 auto ret = ssl->method->open_handshake(ssl, out_consumed, out_alert, in);
238 if (ret == ssl_open_record_error) {
239 ssl_set_read_error(ssl);
240 }
241 return ret;
242 }
243
ssl_open_change_cipher_spec(SSL * ssl,size_t * out_consumed,uint8_t * out_alert,Span<uint8_t> in)244 ssl_open_record_t ssl_open_change_cipher_spec(SSL *ssl, size_t *out_consumed,
245 uint8_t *out_alert,
246 Span<uint8_t> in) {
247 *out_consumed = 0;
248 if (!check_read_error(ssl)) {
249 *out_alert = 0;
250 return ssl_open_record_error;
251 }
252 auto ret =
253 ssl->method->open_change_cipher_spec(ssl, out_consumed, out_alert, in);
254 if (ret == ssl_open_record_error) {
255 ssl_set_read_error(ssl);
256 }
257 return ret;
258 }
259
ssl_open_app_data(SSL * ssl,Span<uint8_t> * out,size_t * out_consumed,uint8_t * out_alert,Span<uint8_t> in)260 ssl_open_record_t ssl_open_app_data(SSL *ssl, Span<uint8_t> *out,
261 size_t *out_consumed, uint8_t *out_alert,
262 Span<uint8_t> in) {
263 *out_consumed = 0;
264 if (!check_read_error(ssl)) {
265 *out_alert = 0;
266 return ssl_open_record_error;
267 }
268 auto ret = ssl->method->open_app_data(ssl, out, out_consumed, out_alert, in);
269 if (ret == ssl_open_record_error) {
270 ssl_set_read_error(ssl);
271 }
272 return ret;
273 }
274
ssl_update_cache(SSL_HANDSHAKE * hs,int mode)275 void ssl_update_cache(SSL_HANDSHAKE *hs, int mode) {
276 SSL *const ssl = hs->ssl;
277 SSL_CTX *ctx = ssl->session_ctx.get();
278 // Never cache sessions with empty session IDs.
279 if (ssl->s3->established_session->session_id_length == 0 ||
280 ssl->s3->established_session->not_resumable ||
281 (ctx->session_cache_mode & mode) != mode) {
282 return;
283 }
284
285 // Clients never use the internal session cache.
286 int use_internal_cache = ssl->server && !(ctx->session_cache_mode &
287 SSL_SESS_CACHE_NO_INTERNAL_STORE);
288
289 // A client may see new sessions on abbreviated handshakes if the server
290 // decides to renew the ticket. Once the handshake is completed, it should be
291 // inserted into the cache.
292 if (ssl->s3->established_session.get() != ssl->session.get() ||
293 (!ssl->server && hs->ticket_expected)) {
294 if (use_internal_cache) {
295 SSL_CTX_add_session(ctx, ssl->s3->established_session.get());
296 }
297 if (ctx->new_session_cb != NULL) {
298 UniquePtr<SSL_SESSION> ref = UpRef(ssl->s3->established_session);
299 if (ctx->new_session_cb(ssl, ref.get())) {
300 // |new_session_cb|'s return value signals whether it took ownership.
301 ref.release();
302 }
303 }
304 }
305
306 if (use_internal_cache &&
307 !(ctx->session_cache_mode & SSL_SESS_CACHE_NO_AUTO_CLEAR)) {
308 // Automatically flush the internal session cache every 255 connections.
309 int flush_cache = 0;
310 CRYPTO_MUTEX_lock_write(&ctx->lock);
311 ctx->handshakes_since_cache_flush++;
312 if (ctx->handshakes_since_cache_flush >= 255) {
313 flush_cache = 1;
314 ctx->handshakes_since_cache_flush = 0;
315 }
316 CRYPTO_MUTEX_unlock_write(&ctx->lock);
317
318 if (flush_cache) {
319 struct OPENSSL_timeval now;
320 ssl_get_current_time(ssl, &now);
321 SSL_CTX_flush_sessions(ctx, now.tv_sec);
322 }
323 }
324 }
325
cbb_add_hex(CBB * cbb,const uint8_t * in,size_t in_len)326 static int cbb_add_hex(CBB *cbb, const uint8_t *in, size_t in_len) {
327 static const char hextable[] = "0123456789abcdef";
328 uint8_t *out;
329
330 if (!CBB_add_space(cbb, &out, in_len * 2)) {
331 return 0;
332 }
333
334 for (size_t i = 0; i < in_len; i++) {
335 *(out++) = (uint8_t)hextable[in[i] >> 4];
336 *(out++) = (uint8_t)hextable[in[i] & 0xf];
337 }
338
339 return 1;
340 }
341
ssl_log_secret(const SSL * ssl,const char * label,const uint8_t * secret,size_t secret_len)342 int ssl_log_secret(const SSL *ssl, const char *label, const uint8_t *secret,
343 size_t secret_len) {
344 if (ssl->ctx->keylog_callback == NULL) {
345 return 1;
346 }
347
348 ScopedCBB cbb;
349 uint8_t *out;
350 size_t out_len;
351 if (!CBB_init(cbb.get(), strlen(label) + 1 + SSL3_RANDOM_SIZE * 2 + 1 +
352 secret_len * 2 + 1) ||
353 !CBB_add_bytes(cbb.get(), (const uint8_t *)label, strlen(label)) ||
354 !CBB_add_bytes(cbb.get(), (const uint8_t *)" ", 1) ||
355 !cbb_add_hex(cbb.get(), ssl->s3->client_random, SSL3_RANDOM_SIZE) ||
356 !CBB_add_bytes(cbb.get(), (const uint8_t *)" ", 1) ||
357 !cbb_add_hex(cbb.get(), secret, secret_len) ||
358 !CBB_add_u8(cbb.get(), 0 /* NUL */) ||
359 !CBB_finish(cbb.get(), &out, &out_len)) {
360 return 0;
361 }
362
363 ssl->ctx->keylog_callback(ssl, (const char *)out);
364 OPENSSL_free(out);
365 return 1;
366 }
367
ssl_do_info_callback(const SSL * ssl,int type,int value)368 void ssl_do_info_callback(const SSL *ssl, int type, int value) {
369 void (*cb)(const SSL *ssl, int type, int value) = NULL;
370 if (ssl->info_callback != NULL) {
371 cb = ssl->info_callback;
372 } else if (ssl->ctx->info_callback != NULL) {
373 cb = ssl->ctx->info_callback;
374 }
375
376 if (cb != NULL) {
377 cb(ssl, type, value);
378 }
379 }
380
ssl_do_msg_callback(SSL * ssl,int is_write,int content_type,Span<const uint8_t> in)381 void ssl_do_msg_callback(SSL *ssl, int is_write, int content_type,
382 Span<const uint8_t> in) {
383 if (ssl->msg_callback == NULL) {
384 return;
385 }
386
387 // |version| is zero when calling for |SSL3_RT_HEADER| and |SSL2_VERSION| for
388 // a V2ClientHello.
389 int version;
390 switch (content_type) {
391 case 0:
392 // V2ClientHello
393 version = SSL2_VERSION;
394 break;
395 case SSL3_RT_HEADER:
396 version = 0;
397 break;
398 default:
399 version = SSL_version(ssl);
400 }
401
402 ssl->msg_callback(is_write, version, content_type, in.data(), in.size(), ssl,
403 ssl->msg_callback_arg);
404 }
405
ssl_get_current_time(const SSL * ssl,struct OPENSSL_timeval * out_clock)406 void ssl_get_current_time(const SSL *ssl, struct OPENSSL_timeval *out_clock) {
407 // TODO(martinkr): Change callers to |ssl_ctx_get_current_time| and drop the
408 // |ssl| arg from |current_time_cb| if possible.
409 ssl_ctx_get_current_time(ssl->ctx.get(), out_clock);
410 }
411
ssl_ctx_get_current_time(const SSL_CTX * ctx,struct OPENSSL_timeval * out_clock)412 void ssl_ctx_get_current_time(const SSL_CTX *ctx,
413 struct OPENSSL_timeval *out_clock) {
414 if (ctx->current_time_cb != NULL) {
415 // TODO(davidben): Update current_time_cb to use OPENSSL_timeval. See
416 // https://crbug.com/boringssl/155.
417 struct timeval clock;
418 ctx->current_time_cb(nullptr /* ssl */, &clock);
419 if (clock.tv_sec < 0) {
420 assert(0);
421 out_clock->tv_sec = 0;
422 out_clock->tv_usec = 0;
423 } else {
424 out_clock->tv_sec = (uint64_t)clock.tv_sec;
425 out_clock->tv_usec = (uint32_t)clock.tv_usec;
426 }
427 return;
428 }
429
430 #if defined(BORINGSSL_UNSAFE_DETERMINISTIC_MODE)
431 out_clock->tv_sec = 1234;
432 out_clock->tv_usec = 1234;
433 #elif defined(OPENSSL_WINDOWS)
434 struct _timeb time;
435 _ftime(&time);
436 if (time.time < 0) {
437 assert(0);
438 out_clock->tv_sec = 0;
439 out_clock->tv_usec = 0;
440 } else {
441 out_clock->tv_sec = time.time;
442 out_clock->tv_usec = time.millitm * 1000;
443 }
444 #else
445 struct timeval clock;
446 gettimeofday(&clock, NULL);
447 if (clock.tv_sec < 0) {
448 assert(0);
449 out_clock->tv_sec = 0;
450 out_clock->tv_usec = 0;
451 } else {
452 out_clock->tv_sec = (uint64_t)clock.tv_sec;
453 out_clock->tv_usec = (uint32_t)clock.tv_usec;
454 }
455 #endif
456 }
457
SSL_CTX_set_handoff_mode(SSL_CTX * ctx,bool on)458 void SSL_CTX_set_handoff_mode(SSL_CTX *ctx, bool on) {
459 ctx->handoff = on;
460 }
461
ssl_can_renegotiate(const SSL * ssl)462 static bool ssl_can_renegotiate(const SSL *ssl) {
463 if (ssl->server || SSL_is_dtls(ssl)) {
464 return false;
465 }
466
467 if (ssl_protocol_version(ssl) >= TLS1_3_VERSION) {
468 return false;
469 }
470
471 // The config has already been shed.
472 if (!ssl->config) {
473 return false;
474 }
475
476 switch (ssl->renegotiate_mode) {
477 case ssl_renegotiate_ignore:
478 case ssl_renegotiate_never:
479 return false;
480
481 case ssl_renegotiate_freely:
482 return true;
483 case ssl_renegotiate_once:
484 return ssl->s3->total_renegotiations == 0;
485 }
486
487 assert(0);
488 return false;
489 }
490
ssl_maybe_shed_handshake_config(SSL * ssl)491 static void ssl_maybe_shed_handshake_config(SSL *ssl) {
492 if (ssl->s3->hs != nullptr ||
493 ssl->config == nullptr ||
494 !ssl->config->shed_handshake_config ||
495 ssl_can_renegotiate(ssl)) {
496 return;
497 }
498
499 ssl->config.reset();
500 }
501
SSL_set_handoff_mode(SSL * ssl,bool on)502 void SSL_set_handoff_mode(SSL *ssl, bool on) {
503 if (!ssl->config) {
504 return;
505 }
506 ssl->config->handoff = on;
507 }
508
SSL_get_traffic_secrets(const SSL * ssl,Span<const uint8_t> * out_read_traffic_secret,Span<const uint8_t> * out_write_traffic_secret)509 bool SSL_get_traffic_secrets(const SSL *ssl,
510 Span<const uint8_t> *out_read_traffic_secret,
511 Span<const uint8_t> *out_write_traffic_secret) {
512 if (SSL_version(ssl) < TLS1_3_VERSION) {
513 OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_SSL_VERSION);
514 return false;
515 }
516
517 if (!ssl->s3->initial_handshake_complete) {
518 OPENSSL_PUT_ERROR(SSL, SSL_R_HANDSHAKE_NOT_COMPLETE);
519 return false;
520 }
521
522 *out_read_traffic_secret = Span<const uint8_t>(
523 ssl->s3->read_traffic_secret, ssl->s3->read_traffic_secret_len);
524 *out_write_traffic_secret = Span<const uint8_t>(
525 ssl->s3->write_traffic_secret, ssl->s3->write_traffic_secret_len);
526
527 return true;
528 }
529
530 BSSL_NAMESPACE_END
531
532 using namespace bssl;
533
SSL_library_init(void)534 int SSL_library_init(void) {
535 CRYPTO_library_init();
536 return 1;
537 }
538
OPENSSL_init_ssl(uint64_t opts,const OPENSSL_INIT_SETTINGS * settings)539 int OPENSSL_init_ssl(uint64_t opts, const OPENSSL_INIT_SETTINGS *settings) {
540 CRYPTO_library_init();
541 return 1;
542 }
543
ssl_session_hash(const SSL_SESSION * sess)544 static uint32_t ssl_session_hash(const SSL_SESSION *sess) {
545 return ssl_hash_session_id(
546 MakeConstSpan(sess->session_id, sess->session_id_length));
547 }
548
ssl_session_cmp(const SSL_SESSION * a,const SSL_SESSION * b)549 static int ssl_session_cmp(const SSL_SESSION *a, const SSL_SESSION *b) {
550 if (a->session_id_length != b->session_id_length) {
551 return 1;
552 }
553
554 return OPENSSL_memcmp(a->session_id, b->session_id, a->session_id_length);
555 }
556
ssl_ctx_st(const SSL_METHOD * ssl_method)557 ssl_ctx_st::ssl_ctx_st(const SSL_METHOD *ssl_method)
558 : method(ssl_method->method),
559 x509_method(ssl_method->x509_method),
560 retain_only_sha256_of_client_certs(false),
561 quiet_shutdown(false),
562 ocsp_stapling_enabled(false),
563 signed_cert_timestamps_enabled(false),
564 channel_id_enabled(false),
565 grease_enabled(false),
566 allow_unknown_alpn_protos(false),
567 ed25519_enabled(false),
568 rsa_pss_rsae_certs_enabled(true),
569 false_start_allowed_without_alpn(false),
570 ignore_tls13_downgrade(false),
571 handoff(false),
572 enable_early_data(false) {
573 CRYPTO_MUTEX_init(&lock);
574 CRYPTO_new_ex_data(&ex_data);
575 }
576
~ssl_ctx_st()577 ssl_ctx_st::~ssl_ctx_st() {
578 // Free the internal session cache. Note that this calls the caller-supplied
579 // remove callback, so we must do it before clearing ex_data. (See ticket
580 // [openssl.org #212].)
581 SSL_CTX_flush_sessions(this, 0);
582
583 CRYPTO_free_ex_data(&g_ex_data_class_ssl_ctx, this, &ex_data);
584
585 CRYPTO_MUTEX_cleanup(&lock);
586 lh_SSL_SESSION_free(sessions);
587 x509_method->ssl_ctx_free(this);
588 }
589
SSL_CTX_new(const SSL_METHOD * method)590 SSL_CTX *SSL_CTX_new(const SSL_METHOD *method) {
591 if (method == NULL) {
592 OPENSSL_PUT_ERROR(SSL, SSL_R_NULL_SSL_METHOD_PASSED);
593 return nullptr;
594 }
595
596 UniquePtr<SSL_CTX> ret = MakeUnique<SSL_CTX>(method);
597 if (!ret) {
598 return nullptr;
599 }
600
601 ret->cert = MakeUnique<CERT>(method->x509_method);
602 ret->sessions = lh_SSL_SESSION_new(ssl_session_hash, ssl_session_cmp);
603 ret->client_CA.reset(sk_CRYPTO_BUFFER_new_null());
604 if (ret->cert == nullptr ||
605 ret->sessions == nullptr ||
606 ret->client_CA == nullptr ||
607 !ret->x509_method->ssl_ctx_new(ret.get())) {
608 return nullptr;
609 }
610
611 if (!SSL_CTX_set_strict_cipher_list(ret.get(), SSL_DEFAULT_CIPHER_LIST) ||
612 // Lock the SSL_CTX to the specified version, for compatibility with
613 // legacy uses of SSL_METHOD.
614 !SSL_CTX_set_max_proto_version(ret.get(), method->version) ||
615 !SSL_CTX_set_min_proto_version(ret.get(), method->version)) {
616 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
617 return nullptr;
618 }
619
620 return ret.release();
621 }
622
SSL_CTX_up_ref(SSL_CTX * ctx)623 int SSL_CTX_up_ref(SSL_CTX *ctx) {
624 CRYPTO_refcount_inc(&ctx->references);
625 return 1;
626 }
627
SSL_CTX_free(SSL_CTX * ctx)628 void SSL_CTX_free(SSL_CTX *ctx) {
629 if (ctx == NULL ||
630 !CRYPTO_refcount_dec_and_test_zero(&ctx->references)) {
631 return;
632 }
633
634 ctx->~ssl_ctx_st();
635 OPENSSL_free(ctx);
636 }
637
ssl_st(SSL_CTX * ctx_arg)638 ssl_st::ssl_st(SSL_CTX *ctx_arg)
639 : method(ctx_arg->method),
640 max_send_fragment(ctx_arg->max_send_fragment),
641 msg_callback(ctx_arg->msg_callback),
642 msg_callback_arg(ctx_arg->msg_callback_arg),
643 ctx(UpRef(ctx_arg)),
644 session_ctx(UpRef(ctx_arg)),
645 options(ctx->options),
646 mode(ctx->mode),
647 max_cert_list(ctx->max_cert_list),
648 server(false),
649 quiet_shutdown(ctx->quiet_shutdown),
650 enable_early_data(ctx->enable_early_data) {
651 CRYPTO_new_ex_data(&ex_data);
652 }
653
~ssl_st()654 ssl_st::~ssl_st() {
655 CRYPTO_free_ex_data(&g_ex_data_class_ssl, this, &ex_data);
656 // |config| refers to |this|, so we must release it earlier.
657 config.reset();
658 if (method != NULL) {
659 method->ssl_free(this);
660 }
661 }
662
SSL_new(SSL_CTX * ctx)663 SSL *SSL_new(SSL_CTX *ctx) {
664 if (ctx == nullptr) {
665 OPENSSL_PUT_ERROR(SSL, SSL_R_NULL_SSL_CTX);
666 return nullptr;
667 }
668
669 UniquePtr<SSL> ssl = MakeUnique<SSL>(ctx);
670 if (ssl == nullptr) {
671 return nullptr;
672 }
673
674 ssl->config = MakeUnique<SSL_CONFIG>(ssl.get());
675 if (ssl->config == nullptr) {
676 return nullptr;
677 }
678 ssl->config->conf_min_version = ctx->conf_min_version;
679 ssl->config->conf_max_version = ctx->conf_max_version;
680
681 ssl->config->cert = ssl_cert_dup(ctx->cert.get());
682 if (ssl->config->cert == nullptr) {
683 return nullptr;
684 }
685
686 ssl->config->verify_mode = ctx->verify_mode;
687 ssl->config->verify_callback = ctx->default_verify_callback;
688 ssl->config->custom_verify_callback = ctx->custom_verify_callback;
689 ssl->config->retain_only_sha256_of_client_certs =
690 ctx->retain_only_sha256_of_client_certs;
691
692 if (!ssl->config->supported_group_list.CopyFrom(ctx->supported_group_list) ||
693 !ssl->config->alpn_client_proto_list.CopyFrom(
694 ctx->alpn_client_proto_list) ||
695 !ssl->config->verify_sigalgs.CopyFrom(ctx->verify_sigalgs)) {
696 return nullptr;
697 }
698
699 if (ctx->psk_identity_hint) {
700 ssl->config->psk_identity_hint.reset(
701 BUF_strdup(ctx->psk_identity_hint.get()));
702 if (ssl->config->psk_identity_hint == nullptr) {
703 return nullptr;
704 }
705 }
706 ssl->config->psk_client_callback = ctx->psk_client_callback;
707 ssl->config->psk_server_callback = ctx->psk_server_callback;
708
709 ssl->config->channel_id_enabled = ctx->channel_id_enabled;
710 ssl->config->channel_id_private = UpRef(ctx->channel_id_private);
711
712 ssl->config->signed_cert_timestamps_enabled =
713 ctx->signed_cert_timestamps_enabled;
714 ssl->config->ocsp_stapling_enabled = ctx->ocsp_stapling_enabled;
715 ssl->config->handoff = ctx->handoff;
716 ssl->config->ignore_tls13_downgrade = ctx->ignore_tls13_downgrade;
717 ssl->quic_method = ctx->quic_method;
718
719 if (!ssl->method->ssl_new(ssl.get()) ||
720 !ssl->ctx->x509_method->ssl_new(ssl->s3->hs.get())) {
721 return nullptr;
722 }
723
724 return ssl.release();
725 }
726
SSL_CONFIG(SSL * ssl_arg)727 SSL_CONFIG::SSL_CONFIG(SSL *ssl_arg)
728 : ssl(ssl_arg),
729 signed_cert_timestamps_enabled(false),
730 ocsp_stapling_enabled(false),
731 channel_id_enabled(false),
732 enforce_rsa_key_usage(false),
733 retain_only_sha256_of_client_certs(false),
734 handoff(false),
735 shed_handshake_config(false),
736 ignore_tls13_downgrade(false),
737 jdk11_workaround(false) {
738 assert(ssl);
739 }
740
~SSL_CONFIG()741 SSL_CONFIG::~SSL_CONFIG() {
742 if (ssl->ctx != nullptr) {
743 ssl->ctx->x509_method->ssl_config_free(this);
744 }
745 }
746
SSL_free(SSL * ssl)747 void SSL_free(SSL *ssl) {
748 Delete(ssl);
749 }
750
SSL_set_connect_state(SSL * ssl)751 void SSL_set_connect_state(SSL *ssl) {
752 ssl->server = false;
753 ssl->do_handshake = ssl_client_handshake;
754 }
755
SSL_set_accept_state(SSL * ssl)756 void SSL_set_accept_state(SSL *ssl) {
757 ssl->server = true;
758 ssl->do_handshake = ssl_server_handshake;
759 }
760
SSL_set0_rbio(SSL * ssl,BIO * rbio)761 void SSL_set0_rbio(SSL *ssl, BIO *rbio) {
762 ssl->rbio.reset(rbio);
763 }
764
SSL_set0_wbio(SSL * ssl,BIO * wbio)765 void SSL_set0_wbio(SSL *ssl, BIO *wbio) {
766 ssl->wbio.reset(wbio);
767 }
768
SSL_set_bio(SSL * ssl,BIO * rbio,BIO * wbio)769 void SSL_set_bio(SSL *ssl, BIO *rbio, BIO *wbio) {
770 // For historical reasons, this function has many different cases in ownership
771 // handling.
772
773 // If nothing has changed, do nothing
774 if (rbio == SSL_get_rbio(ssl) && wbio == SSL_get_wbio(ssl)) {
775 return;
776 }
777
778 // If the two arguments are equal, one fewer reference is granted than
779 // taken.
780 if (rbio != NULL && rbio == wbio) {
781 BIO_up_ref(rbio);
782 }
783
784 // If only the wbio is changed, adopt only one reference.
785 if (rbio == SSL_get_rbio(ssl)) {
786 SSL_set0_wbio(ssl, wbio);
787 return;
788 }
789
790 // There is an asymmetry here for historical reasons. If only the rbio is
791 // changed AND the rbio and wbio were originally different, then we only adopt
792 // one reference.
793 if (wbio == SSL_get_wbio(ssl) && SSL_get_rbio(ssl) != SSL_get_wbio(ssl)) {
794 SSL_set0_rbio(ssl, rbio);
795 return;
796 }
797
798 // Otherwise, adopt both references.
799 SSL_set0_rbio(ssl, rbio);
800 SSL_set0_wbio(ssl, wbio);
801 }
802
SSL_get_rbio(const SSL * ssl)803 BIO *SSL_get_rbio(const SSL *ssl) { return ssl->rbio.get(); }
804
SSL_get_wbio(const SSL * ssl)805 BIO *SSL_get_wbio(const SSL *ssl) { return ssl->wbio.get(); }
806
SSL_quic_max_handshake_flight_len(const SSL * ssl,enum ssl_encryption_level_t level)807 size_t SSL_quic_max_handshake_flight_len(const SSL *ssl,
808 enum ssl_encryption_level_t level) {
809 // Limits flights to 16K by default when there are no large
810 // (certificate-carrying) messages.
811 static const size_t kDefaultLimit = 16384;
812
813 switch (level) {
814 case ssl_encryption_initial:
815 return kDefaultLimit;
816 case ssl_encryption_early_data:
817 // QUIC does not send EndOfEarlyData.
818 return 0;
819 case ssl_encryption_handshake:
820 if (ssl->server) {
821 // Servers may receive Certificate message if configured to request
822 // client certificates.
823 if (!!(ssl->config->verify_mode & SSL_VERIFY_PEER) &&
824 ssl->max_cert_list > kDefaultLimit) {
825 return ssl->max_cert_list;
826 }
827 } else {
828 // Clients may receive both Certificate message and a CertificateRequest
829 // message.
830 if (2*ssl->max_cert_list > kDefaultLimit) {
831 return 2*ssl->max_cert_list;
832 }
833 }
834 return kDefaultLimit;
835 case ssl_encryption_application:
836 // Note there is not actually a bound on the number of NewSessionTickets
837 // one may send in a row. This level may need more involved flow
838 // control. See https://github.com/quicwg/base-drafts/issues/1834.
839 return kDefaultLimit;
840 }
841
842 return 0;
843 }
844
SSL_quic_read_level(const SSL * ssl)845 enum ssl_encryption_level_t SSL_quic_read_level(const SSL *ssl) {
846 return ssl->s3->read_level;
847 }
848
SSL_quic_write_level(const SSL * ssl)849 enum ssl_encryption_level_t SSL_quic_write_level(const SSL *ssl) {
850 return ssl->s3->write_level;
851 }
852
SSL_provide_quic_data(SSL * ssl,enum ssl_encryption_level_t level,const uint8_t * data,size_t len)853 int SSL_provide_quic_data(SSL *ssl, enum ssl_encryption_level_t level,
854 const uint8_t *data, size_t len) {
855 if (ssl->quic_method == nullptr) {
856 OPENSSL_PUT_ERROR(SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
857 return 0;
858 }
859
860 if (level != ssl->s3->read_level) {
861 OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_ENCRYPTION_LEVEL_RECEIVED);
862 return 0;
863 }
864
865 size_t new_len = (ssl->s3->hs_buf ? ssl->s3->hs_buf->length : 0) + len;
866 if (new_len < len ||
867 new_len > SSL_quic_max_handshake_flight_len(ssl, level)) {
868 OPENSSL_PUT_ERROR(SSL, SSL_R_EXCESSIVE_MESSAGE_SIZE);
869 return 0;
870 }
871
872 return tls_append_handshake_data(ssl, MakeConstSpan(data, len));
873 }
874
SSL_do_handshake(SSL * ssl)875 int SSL_do_handshake(SSL *ssl) {
876 ssl_reset_error_state(ssl);
877
878 if (ssl->do_handshake == NULL) {
879 OPENSSL_PUT_ERROR(SSL, SSL_R_CONNECTION_TYPE_NOT_SET);
880 return -1;
881 }
882
883 if (!SSL_in_init(ssl)) {
884 return 1;
885 }
886
887 // Run the handshake.
888 SSL_HANDSHAKE *hs = ssl->s3->hs.get();
889
890 bool early_return = false;
891 int ret = ssl_run_handshake(hs, &early_return);
892 ssl_do_info_callback(
893 ssl, ssl->server ? SSL_CB_ACCEPT_EXIT : SSL_CB_CONNECT_EXIT, ret);
894 if (ret <= 0) {
895 return ret;
896 }
897
898 // Destroy the handshake object if the handshake has completely finished.
899 if (!early_return) {
900 ssl->s3->hs.reset();
901 ssl_maybe_shed_handshake_config(ssl);
902 }
903
904 return 1;
905 }
906
SSL_connect(SSL * ssl)907 int SSL_connect(SSL *ssl) {
908 if (ssl->do_handshake == NULL) {
909 // Not properly initialized yet
910 SSL_set_connect_state(ssl);
911 }
912
913 return SSL_do_handshake(ssl);
914 }
915
SSL_accept(SSL * ssl)916 int SSL_accept(SSL *ssl) {
917 if (ssl->do_handshake == NULL) {
918 // Not properly initialized yet
919 SSL_set_accept_state(ssl);
920 }
921
922 return SSL_do_handshake(ssl);
923 }
924
ssl_do_post_handshake(SSL * ssl,const SSLMessage & msg)925 static int ssl_do_post_handshake(SSL *ssl, const SSLMessage &msg) {
926 if (ssl_protocol_version(ssl) >= TLS1_3_VERSION) {
927 return tls13_post_handshake(ssl, msg);
928 }
929
930 // Check for renegotiation on the server before parsing to use the correct
931 // error. Renegotiation is triggered by a different message for servers.
932 if (ssl->server) {
933 OPENSSL_PUT_ERROR(SSL, SSL_R_NO_RENEGOTIATION);
934 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_NO_RENEGOTIATION);
935 return 0;
936 }
937
938 if (msg.type != SSL3_MT_HELLO_REQUEST || CBS_len(&msg.body) != 0) {
939 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
940 OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_HELLO_REQUEST);
941 return 0;
942 }
943
944 if (ssl->renegotiate_mode == ssl_renegotiate_ignore) {
945 return 1; // Ignore the HelloRequest.
946 }
947
948 if (!ssl_can_renegotiate(ssl) ||
949 // Renegotiation is only supported at quiescent points in the application
950 // protocol, namely in HTTPS, just before reading the HTTP response.
951 // Require the record-layer be idle and avoid complexities of sending a
952 // handshake record while an application_data record is being written.
953 !ssl->s3->write_buffer.empty() ||
954 ssl->s3->write_shutdown != ssl_shutdown_none) {
955 OPENSSL_PUT_ERROR(SSL, SSL_R_NO_RENEGOTIATION);
956 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_NO_RENEGOTIATION);
957 return 0;
958 }
959
960 // Begin a new handshake.
961 if (ssl->s3->hs != nullptr) {
962 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
963 return 0;
964 }
965 ssl->s3->hs = ssl_handshake_new(ssl);
966 if (ssl->s3->hs == nullptr) {
967 return 0;
968 }
969
970 ssl->s3->total_renegotiations++;
971 return 1;
972 }
973
SSL_process_quic_post_handshake(SSL * ssl)974 int SSL_process_quic_post_handshake(SSL *ssl) {
975 ssl_reset_error_state(ssl);
976
977 if (SSL_in_init(ssl)) {
978 OPENSSL_PUT_ERROR(SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
979 return 0;
980 }
981
982 // Replay post-handshake message errors.
983 if (!check_read_error(ssl)) {
984 return 0;
985 }
986
987 // Process any buffered post-handshake messages.
988 SSLMessage msg;
989 while (ssl->method->get_message(ssl, &msg)) {
990 // Handle the post-handshake message and try again.
991 if (!ssl_do_post_handshake(ssl, msg)) {
992 ssl_set_read_error(ssl);
993 return 0;
994 }
995 ssl->method->next_message(ssl);
996 }
997
998 return 1;
999 }
1000
ssl_read_impl(SSL * ssl)1001 static int ssl_read_impl(SSL *ssl) {
1002 ssl_reset_error_state(ssl);
1003
1004 if (ssl->do_handshake == NULL) {
1005 OPENSSL_PUT_ERROR(SSL, SSL_R_UNINITIALIZED);
1006 return -1;
1007 }
1008
1009 // Replay post-handshake message errors.
1010 if (!check_read_error(ssl)) {
1011 return -1;
1012 }
1013
1014 while (ssl->s3->pending_app_data.empty()) {
1015 // Complete the current handshake, if any. False Start will cause
1016 // |SSL_do_handshake| to return mid-handshake, so this may require multiple
1017 // iterations.
1018 while (!ssl_can_read(ssl)) {
1019 int ret = SSL_do_handshake(ssl);
1020 if (ret < 0) {
1021 return ret;
1022 }
1023 if (ret == 0) {
1024 OPENSSL_PUT_ERROR(SSL, SSL_R_SSL_HANDSHAKE_FAILURE);
1025 return -1;
1026 }
1027 }
1028
1029 // Process any buffered post-handshake messages.
1030 SSLMessage msg;
1031 if (ssl->method->get_message(ssl, &msg)) {
1032 // If we received an interrupt in early read (EndOfEarlyData), loop again
1033 // for the handshake to process it.
1034 if (SSL_in_init(ssl)) {
1035 ssl->s3->hs->can_early_read = false;
1036 continue;
1037 }
1038
1039 // Handle the post-handshake message and try again.
1040 if (!ssl_do_post_handshake(ssl, msg)) {
1041 ssl_set_read_error(ssl);
1042 return -1;
1043 }
1044 ssl->method->next_message(ssl);
1045 continue; // Loop again. We may have begun a new handshake.
1046 }
1047
1048 uint8_t alert = SSL_AD_DECODE_ERROR;
1049 size_t consumed = 0;
1050 auto ret = ssl_open_app_data(ssl, &ssl->s3->pending_app_data, &consumed,
1051 &alert, ssl->s3->read_buffer.span());
1052 bool retry;
1053 int bio_ret = ssl_handle_open_record(ssl, &retry, ret, consumed, alert);
1054 if (bio_ret <= 0) {
1055 return bio_ret;
1056 }
1057 if (!retry) {
1058 assert(!ssl->s3->pending_app_data.empty());
1059 ssl->s3->key_update_count = 0;
1060 }
1061 }
1062
1063 return 1;
1064 }
1065
SSL_read(SSL * ssl,void * buf,int num)1066 int SSL_read(SSL *ssl, void *buf, int num) {
1067 int ret = SSL_peek(ssl, buf, num);
1068 if (ret <= 0) {
1069 return ret;
1070 }
1071 // TODO(davidben): In DTLS, should the rest of the record be discarded? DTLS
1072 // is not a stream. See https://crbug.com/boringssl/65.
1073 ssl->s3->pending_app_data =
1074 ssl->s3->pending_app_data.subspan(static_cast<size_t>(ret));
1075 if (ssl->s3->pending_app_data.empty()) {
1076 ssl->s3->read_buffer.DiscardConsumed();
1077 }
1078 return ret;
1079 }
1080
SSL_peek(SSL * ssl,void * buf,int num)1081 int SSL_peek(SSL *ssl, void *buf, int num) {
1082 if (ssl->quic_method != nullptr) {
1083 OPENSSL_PUT_ERROR(SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
1084 return 0;
1085 }
1086
1087 int ret = ssl_read_impl(ssl);
1088 if (ret <= 0) {
1089 return ret;
1090 }
1091 if (num <= 0) {
1092 return num;
1093 }
1094 size_t todo =
1095 std::min(ssl->s3->pending_app_data.size(), static_cast<size_t>(num));
1096 OPENSSL_memcpy(buf, ssl->s3->pending_app_data.data(), todo);
1097 return static_cast<int>(todo);
1098 }
1099
SSL_write(SSL * ssl,const void * buf,int num)1100 int SSL_write(SSL *ssl, const void *buf, int num) {
1101 ssl_reset_error_state(ssl);
1102
1103 if (ssl->quic_method != nullptr) {
1104 OPENSSL_PUT_ERROR(SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
1105 return 0;
1106 }
1107
1108 if (ssl->do_handshake == NULL) {
1109 OPENSSL_PUT_ERROR(SSL, SSL_R_UNINITIALIZED);
1110 return -1;
1111 }
1112
1113 if (ssl->s3->write_shutdown != ssl_shutdown_none) {
1114 OPENSSL_PUT_ERROR(SSL, SSL_R_PROTOCOL_IS_SHUTDOWN);
1115 return -1;
1116 }
1117
1118 int ret = 0;
1119 bool needs_handshake = false;
1120 do {
1121 // If necessary, complete the handshake implicitly.
1122 if (!ssl_can_write(ssl)) {
1123 ret = SSL_do_handshake(ssl);
1124 if (ret < 0) {
1125 return ret;
1126 }
1127 if (ret == 0) {
1128 OPENSSL_PUT_ERROR(SSL, SSL_R_SSL_HANDSHAKE_FAILURE);
1129 return -1;
1130 }
1131 }
1132
1133 ret = ssl->method->write_app_data(ssl, &needs_handshake,
1134 (const uint8_t *)buf, num);
1135 } while (needs_handshake);
1136 return ret;
1137 }
1138
SSL_key_update(SSL * ssl,int request_type)1139 int SSL_key_update(SSL *ssl, int request_type) {
1140 ssl_reset_error_state(ssl);
1141
1142 if (ssl->do_handshake == NULL) {
1143 OPENSSL_PUT_ERROR(SSL, SSL_R_UNINITIALIZED);
1144 return 0;
1145 }
1146
1147 if (ssl->ctx->quic_method != nullptr) {
1148 OPENSSL_PUT_ERROR(SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
1149 return 0;
1150 }
1151
1152 if (!ssl->s3->initial_handshake_complete) {
1153 OPENSSL_PUT_ERROR(SSL, SSL_R_HANDSHAKE_NOT_COMPLETE);
1154 return 0;
1155 }
1156
1157 if (ssl_protocol_version(ssl) < TLS1_3_VERSION) {
1158 OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_SSL_VERSION);
1159 return 0;
1160 }
1161
1162 if (!ssl->s3->key_update_pending &&
1163 !tls13_add_key_update(ssl, request_type)) {
1164 return 0;
1165 }
1166
1167 return 1;
1168 }
1169
SSL_shutdown(SSL * ssl)1170 int SSL_shutdown(SSL *ssl) {
1171 ssl_reset_error_state(ssl);
1172
1173 if (ssl->do_handshake == NULL) {
1174 OPENSSL_PUT_ERROR(SSL, SSL_R_UNINITIALIZED);
1175 return -1;
1176 }
1177
1178 // If we are in the middle of a handshake, silently succeed. Consumers often
1179 // call this function before |SSL_free|, whether the handshake succeeded or
1180 // not. We assume the caller has already handled failed handshakes.
1181 if (SSL_in_init(ssl)) {
1182 return 1;
1183 }
1184
1185 if (ssl->quiet_shutdown) {
1186 // Do nothing if configured not to send a close_notify.
1187 ssl->s3->write_shutdown = ssl_shutdown_close_notify;
1188 ssl->s3->read_shutdown = ssl_shutdown_close_notify;
1189 return 1;
1190 }
1191
1192 // This function completes in two stages. It sends a close_notify and then it
1193 // waits for a close_notify to come in. Perform exactly one action and return
1194 // whether or not it succeeds.
1195
1196 if (ssl->s3->write_shutdown != ssl_shutdown_close_notify) {
1197 // Send a close_notify.
1198 if (ssl_send_alert(ssl, SSL3_AL_WARNING, SSL_AD_CLOSE_NOTIFY) <= 0) {
1199 return -1;
1200 }
1201 } else if (ssl->s3->alert_dispatch) {
1202 // Finish sending the close_notify.
1203 if (ssl->method->dispatch_alert(ssl) <= 0) {
1204 return -1;
1205 }
1206 } else if (ssl->s3->read_shutdown != ssl_shutdown_close_notify) {
1207 if (SSL_is_dtls(ssl)) {
1208 // Bidirectional shutdown doesn't make sense for an unordered
1209 // transport. DTLS alerts also aren't delivered reliably, so we may even
1210 // time out because the peer never received our close_notify. Report to
1211 // the caller that the channel has fully shut down.
1212 if (ssl->s3->read_shutdown == ssl_shutdown_error) {
1213 ERR_restore_state(ssl->s3->read_error.get());
1214 return -1;
1215 }
1216 ssl->s3->read_shutdown = ssl_shutdown_close_notify;
1217 } else {
1218 // Process records until an error, close_notify, or application data.
1219 if (ssl_read_impl(ssl) > 0) {
1220 // We received some unexpected application data.
1221 OPENSSL_PUT_ERROR(SSL, SSL_R_APPLICATION_DATA_ON_SHUTDOWN);
1222 return -1;
1223 }
1224 if (ssl->s3->read_shutdown != ssl_shutdown_close_notify) {
1225 return -1;
1226 }
1227 }
1228 }
1229
1230 // Return 0 for unidirectional shutdown and 1 for bidirectional shutdown.
1231 return ssl->s3->read_shutdown == ssl_shutdown_close_notify;
1232 }
1233
SSL_send_fatal_alert(SSL * ssl,uint8_t alert)1234 int SSL_send_fatal_alert(SSL *ssl, uint8_t alert) {
1235 if (ssl->s3->alert_dispatch) {
1236 if (ssl->s3->send_alert[0] != SSL3_AL_FATAL ||
1237 ssl->s3->send_alert[1] != alert) {
1238 // We are already attempting to write a different alert.
1239 OPENSSL_PUT_ERROR(SSL, SSL_R_PROTOCOL_IS_SHUTDOWN);
1240 return -1;
1241 }
1242 return ssl->method->dispatch_alert(ssl);
1243 }
1244
1245 return ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
1246 }
1247
SSL_set_quic_transport_params(SSL * ssl,const uint8_t * params,size_t params_len)1248 int SSL_set_quic_transport_params(SSL *ssl, const uint8_t *params,
1249 size_t params_len) {
1250 return ssl->config && ssl->config->quic_transport_params.CopyFrom(
1251 MakeConstSpan(params, params_len));
1252 }
1253
SSL_get_peer_quic_transport_params(const SSL * ssl,const uint8_t ** out_params,size_t * out_params_len)1254 void SSL_get_peer_quic_transport_params(const SSL *ssl,
1255 const uint8_t **out_params,
1256 size_t *out_params_len) {
1257 *out_params = ssl->s3->peer_quic_transport_params.data();
1258 *out_params_len = ssl->s3->peer_quic_transport_params.size();
1259 }
1260
SSL_CTX_set_early_data_enabled(SSL_CTX * ctx,int enabled)1261 void SSL_CTX_set_early_data_enabled(SSL_CTX *ctx, int enabled) {
1262 ctx->enable_early_data = !!enabled;
1263 }
1264
SSL_set_early_data_enabled(SSL * ssl,int enabled)1265 void SSL_set_early_data_enabled(SSL *ssl, int enabled) {
1266 ssl->enable_early_data = !!enabled;
1267 }
1268
SSL_in_early_data(const SSL * ssl)1269 int SSL_in_early_data(const SSL *ssl) {
1270 if (ssl->s3->hs == NULL) {
1271 return 0;
1272 }
1273 return ssl->s3->hs->in_early_data;
1274 }
1275
SSL_early_data_accepted(const SSL * ssl)1276 int SSL_early_data_accepted(const SSL *ssl) {
1277 return ssl->s3->early_data_accepted;
1278 }
1279
SSL_reset_early_data_reject(SSL * ssl)1280 void SSL_reset_early_data_reject(SSL *ssl) {
1281 SSL_HANDSHAKE *hs = ssl->s3->hs.get();
1282 if (hs == NULL ||
1283 hs->wait != ssl_hs_early_data_rejected) {
1284 abort();
1285 }
1286
1287 hs->wait = ssl_hs_ok;
1288 hs->in_early_data = false;
1289 hs->early_session.reset();
1290
1291 // Discard any unfinished writes from the perspective of |SSL_write|'s
1292 // retry. The handshake will transparently flush out the pending record
1293 // (discarded by the server) to keep the framing correct.
1294 ssl->s3->wpend_pending = false;
1295 }
1296
bio_retry_reason_to_error(int reason)1297 static int bio_retry_reason_to_error(int reason) {
1298 switch (reason) {
1299 case BIO_RR_CONNECT:
1300 return SSL_ERROR_WANT_CONNECT;
1301 case BIO_RR_ACCEPT:
1302 return SSL_ERROR_WANT_ACCEPT;
1303 default:
1304 return SSL_ERROR_SYSCALL;
1305 }
1306 }
1307
SSL_get_error(const SSL * ssl,int ret_code)1308 int SSL_get_error(const SSL *ssl, int ret_code) {
1309 if (ret_code > 0) {
1310 return SSL_ERROR_NONE;
1311 }
1312
1313 // Make things return SSL_ERROR_SYSCALL when doing SSL_do_handshake etc,
1314 // where we do encode the error
1315 uint32_t err = ERR_peek_error();
1316 if (err != 0) {
1317 if (ERR_GET_LIB(err) == ERR_LIB_SYS) {
1318 return SSL_ERROR_SYSCALL;
1319 }
1320 return SSL_ERROR_SSL;
1321 }
1322
1323 if (ret_code == 0) {
1324 if (ssl->s3->read_shutdown == ssl_shutdown_close_notify) {
1325 return SSL_ERROR_ZERO_RETURN;
1326 }
1327 // An EOF was observed which violates the protocol, and the underlying
1328 // transport does not participate in the error queue. Bubble up to the
1329 // caller.
1330 return SSL_ERROR_SYSCALL;
1331 }
1332
1333 switch (ssl->s3->rwstate) {
1334 case SSL_PENDING_SESSION:
1335 return SSL_ERROR_PENDING_SESSION;
1336
1337 case SSL_CERTIFICATE_SELECTION_PENDING:
1338 return SSL_ERROR_PENDING_CERTIFICATE;
1339
1340 case SSL_HANDOFF:
1341 return SSL_ERROR_HANDOFF;
1342
1343 case SSL_HANDBACK:
1344 return SSL_ERROR_HANDBACK;
1345
1346 case SSL_READING: {
1347 if (ssl->quic_method) {
1348 return SSL_ERROR_WANT_READ;
1349 }
1350 BIO *bio = SSL_get_rbio(ssl);
1351 if (BIO_should_read(bio)) {
1352 return SSL_ERROR_WANT_READ;
1353 }
1354
1355 if (BIO_should_write(bio)) {
1356 // TODO(davidben): OpenSSL historically checked for writes on the read
1357 // BIO. Can this be removed?
1358 return SSL_ERROR_WANT_WRITE;
1359 }
1360
1361 if (BIO_should_io_special(bio)) {
1362 return bio_retry_reason_to_error(BIO_get_retry_reason(bio));
1363 }
1364
1365 break;
1366 }
1367
1368 case SSL_WRITING: {
1369 BIO *bio = SSL_get_wbio(ssl);
1370 if (BIO_should_write(bio)) {
1371 return SSL_ERROR_WANT_WRITE;
1372 }
1373
1374 if (BIO_should_read(bio)) {
1375 // TODO(davidben): OpenSSL historically checked for reads on the write
1376 // BIO. Can this be removed?
1377 return SSL_ERROR_WANT_READ;
1378 }
1379
1380 if (BIO_should_io_special(bio)) {
1381 return bio_retry_reason_to_error(BIO_get_retry_reason(bio));
1382 }
1383
1384 break;
1385 }
1386
1387 case SSL_X509_LOOKUP:
1388 return SSL_ERROR_WANT_X509_LOOKUP;
1389
1390 case SSL_CHANNEL_ID_LOOKUP:
1391 return SSL_ERROR_WANT_CHANNEL_ID_LOOKUP;
1392
1393 case SSL_PRIVATE_KEY_OPERATION:
1394 return SSL_ERROR_WANT_PRIVATE_KEY_OPERATION;
1395
1396 case SSL_PENDING_TICKET:
1397 return SSL_ERROR_PENDING_TICKET;
1398
1399 case SSL_EARLY_DATA_REJECTED:
1400 return SSL_ERROR_EARLY_DATA_REJECTED;
1401
1402 case SSL_CERTIFICATE_VERIFY:
1403 return SSL_ERROR_WANT_CERTIFICATE_VERIFY;
1404 }
1405
1406 return SSL_ERROR_SYSCALL;
1407 }
1408
SSL_CTX_set_options(SSL_CTX * ctx,uint32_t options)1409 uint32_t SSL_CTX_set_options(SSL_CTX *ctx, uint32_t options) {
1410 ctx->options |= options;
1411 return ctx->options;
1412 }
1413
SSL_CTX_clear_options(SSL_CTX * ctx,uint32_t options)1414 uint32_t SSL_CTX_clear_options(SSL_CTX *ctx, uint32_t options) {
1415 ctx->options &= ~options;
1416 return ctx->options;
1417 }
1418
SSL_CTX_get_options(const SSL_CTX * ctx)1419 uint32_t SSL_CTX_get_options(const SSL_CTX *ctx) { return ctx->options; }
1420
SSL_set_options(SSL * ssl,uint32_t options)1421 uint32_t SSL_set_options(SSL *ssl, uint32_t options) {
1422 ssl->options |= options;
1423 return ssl->options;
1424 }
1425
SSL_clear_options(SSL * ssl,uint32_t options)1426 uint32_t SSL_clear_options(SSL *ssl, uint32_t options) {
1427 ssl->options &= ~options;
1428 return ssl->options;
1429 }
1430
SSL_get_options(const SSL * ssl)1431 uint32_t SSL_get_options(const SSL *ssl) { return ssl->options; }
1432
SSL_CTX_set_mode(SSL_CTX * ctx,uint32_t mode)1433 uint32_t SSL_CTX_set_mode(SSL_CTX *ctx, uint32_t mode) {
1434 ctx->mode |= mode;
1435 return ctx->mode;
1436 }
1437
SSL_CTX_clear_mode(SSL_CTX * ctx,uint32_t mode)1438 uint32_t SSL_CTX_clear_mode(SSL_CTX *ctx, uint32_t mode) {
1439 ctx->mode &= ~mode;
1440 return ctx->mode;
1441 }
1442
SSL_CTX_get_mode(const SSL_CTX * ctx)1443 uint32_t SSL_CTX_get_mode(const SSL_CTX *ctx) { return ctx->mode; }
1444
SSL_set_mode(SSL * ssl,uint32_t mode)1445 uint32_t SSL_set_mode(SSL *ssl, uint32_t mode) {
1446 ssl->mode |= mode;
1447 return ssl->mode;
1448 }
1449
SSL_clear_mode(SSL * ssl,uint32_t mode)1450 uint32_t SSL_clear_mode(SSL *ssl, uint32_t mode) {
1451 ssl->mode &= ~mode;
1452 return ssl->mode;
1453 }
1454
SSL_get_mode(const SSL * ssl)1455 uint32_t SSL_get_mode(const SSL *ssl) { return ssl->mode; }
1456
SSL_CTX_set0_buffer_pool(SSL_CTX * ctx,CRYPTO_BUFFER_POOL * pool)1457 void SSL_CTX_set0_buffer_pool(SSL_CTX *ctx, CRYPTO_BUFFER_POOL *pool) {
1458 ctx->pool = pool;
1459 }
1460
SSL_get_tls_unique(const SSL * ssl,uint8_t * out,size_t * out_len,size_t max_out)1461 int SSL_get_tls_unique(const SSL *ssl, uint8_t *out, size_t *out_len,
1462 size_t max_out) {
1463 *out_len = 0;
1464 OPENSSL_memset(out, 0, max_out);
1465
1466 // tls-unique is not defined for TLS 1.3.
1467 if (!ssl->s3->initial_handshake_complete ||
1468 ssl_protocol_version(ssl) >= TLS1_3_VERSION) {
1469 return 0;
1470 }
1471
1472 // The tls-unique value is the first Finished message in the handshake, which
1473 // is the client's in a full handshake and the server's for a resumption. See
1474 // https://tools.ietf.org/html/rfc5929#section-3.1.
1475 const uint8_t *finished = ssl->s3->previous_client_finished;
1476 size_t finished_len = ssl->s3->previous_client_finished_len;
1477 if (ssl->session != NULL) {
1478 // tls-unique is broken for resumed sessions unless EMS is used.
1479 if (!ssl->session->extended_master_secret) {
1480 return 0;
1481 }
1482 finished = ssl->s3->previous_server_finished;
1483 finished_len = ssl->s3->previous_server_finished_len;
1484 }
1485
1486 *out_len = finished_len;
1487 if (finished_len > max_out) {
1488 *out_len = max_out;
1489 }
1490
1491 OPENSSL_memcpy(out, finished, *out_len);
1492 return 1;
1493 }
1494
set_session_id_context(CERT * cert,const uint8_t * sid_ctx,size_t sid_ctx_len)1495 static int set_session_id_context(CERT *cert, const uint8_t *sid_ctx,
1496 size_t sid_ctx_len) {
1497 if (sid_ctx_len > sizeof(cert->sid_ctx)) {
1498 OPENSSL_PUT_ERROR(SSL, SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG);
1499 return 0;
1500 }
1501
1502 static_assert(sizeof(cert->sid_ctx) < 256, "sid_ctx too large");
1503 cert->sid_ctx_length = (uint8_t)sid_ctx_len;
1504 OPENSSL_memcpy(cert->sid_ctx, sid_ctx, sid_ctx_len);
1505 return 1;
1506 }
1507
SSL_CTX_set_session_id_context(SSL_CTX * ctx,const uint8_t * sid_ctx,size_t sid_ctx_len)1508 int SSL_CTX_set_session_id_context(SSL_CTX *ctx, const uint8_t *sid_ctx,
1509 size_t sid_ctx_len) {
1510 return set_session_id_context(ctx->cert.get(), sid_ctx, sid_ctx_len);
1511 }
1512
SSL_set_session_id_context(SSL * ssl,const uint8_t * sid_ctx,size_t sid_ctx_len)1513 int SSL_set_session_id_context(SSL *ssl, const uint8_t *sid_ctx,
1514 size_t sid_ctx_len) {
1515 if (!ssl->config) {
1516 return 0;
1517 }
1518 return set_session_id_context(ssl->config->cert.get(), sid_ctx, sid_ctx_len);
1519 }
1520
SSL_get0_session_id_context(const SSL * ssl,size_t * out_len)1521 const uint8_t *SSL_get0_session_id_context(const SSL *ssl, size_t *out_len) {
1522 if (!ssl->config) {
1523 assert(ssl->config);
1524 *out_len = 0;
1525 return NULL;
1526 }
1527 *out_len = ssl->config->cert->sid_ctx_length;
1528 return ssl->config->cert->sid_ctx;
1529 }
1530
SSL_certs_clear(SSL * ssl)1531 void SSL_certs_clear(SSL *ssl) {
1532 if (!ssl->config) {
1533 return;
1534 }
1535 ssl_cert_clear_certs(ssl->config->cert.get());
1536 }
1537
SSL_get_fd(const SSL * ssl)1538 int SSL_get_fd(const SSL *ssl) { return SSL_get_rfd(ssl); }
1539
SSL_get_rfd(const SSL * ssl)1540 int SSL_get_rfd(const SSL *ssl) {
1541 int ret = -1;
1542 BIO *b = BIO_find_type(SSL_get_rbio(ssl), BIO_TYPE_DESCRIPTOR);
1543 if (b != NULL) {
1544 BIO_get_fd(b, &ret);
1545 }
1546 return ret;
1547 }
1548
SSL_get_wfd(const SSL * ssl)1549 int SSL_get_wfd(const SSL *ssl) {
1550 int ret = -1;
1551 BIO *b = BIO_find_type(SSL_get_wbio(ssl), BIO_TYPE_DESCRIPTOR);
1552 if (b != NULL) {
1553 BIO_get_fd(b, &ret);
1554 }
1555 return ret;
1556 }
1557
SSL_set_fd(SSL * ssl,int fd)1558 int SSL_set_fd(SSL *ssl, int fd) {
1559 BIO *bio = BIO_new(BIO_s_socket());
1560 if (bio == NULL) {
1561 OPENSSL_PUT_ERROR(SSL, ERR_R_BUF_LIB);
1562 return 0;
1563 }
1564 BIO_set_fd(bio, fd, BIO_NOCLOSE);
1565 SSL_set_bio(ssl, bio, bio);
1566 return 1;
1567 }
1568
SSL_set_wfd(SSL * ssl,int fd)1569 int SSL_set_wfd(SSL *ssl, int fd) {
1570 BIO *rbio = SSL_get_rbio(ssl);
1571 if (rbio == NULL || BIO_method_type(rbio) != BIO_TYPE_SOCKET ||
1572 BIO_get_fd(rbio, NULL) != fd) {
1573 BIO *bio = BIO_new(BIO_s_socket());
1574 if (bio == NULL) {
1575 OPENSSL_PUT_ERROR(SSL, ERR_R_BUF_LIB);
1576 return 0;
1577 }
1578 BIO_set_fd(bio, fd, BIO_NOCLOSE);
1579 SSL_set0_wbio(ssl, bio);
1580 } else {
1581 // Copy the rbio over to the wbio.
1582 BIO_up_ref(rbio);
1583 SSL_set0_wbio(ssl, rbio);
1584 }
1585
1586 return 1;
1587 }
1588
SSL_set_rfd(SSL * ssl,int fd)1589 int SSL_set_rfd(SSL *ssl, int fd) {
1590 BIO *wbio = SSL_get_wbio(ssl);
1591 if (wbio == NULL || BIO_method_type(wbio) != BIO_TYPE_SOCKET ||
1592 BIO_get_fd(wbio, NULL) != fd) {
1593 BIO *bio = BIO_new(BIO_s_socket());
1594 if (bio == NULL) {
1595 OPENSSL_PUT_ERROR(SSL, ERR_R_BUF_LIB);
1596 return 0;
1597 }
1598 BIO_set_fd(bio, fd, BIO_NOCLOSE);
1599 SSL_set0_rbio(ssl, bio);
1600 } else {
1601 // Copy the wbio over to the rbio.
1602 BIO_up_ref(wbio);
1603 SSL_set0_rbio(ssl, wbio);
1604 }
1605 return 1;
1606 }
1607
copy_finished(void * out,size_t out_len,const uint8_t * in,size_t in_len)1608 static size_t copy_finished(void *out, size_t out_len, const uint8_t *in,
1609 size_t in_len) {
1610 if (out_len > in_len) {
1611 out_len = in_len;
1612 }
1613 OPENSSL_memcpy(out, in, out_len);
1614 return in_len;
1615 }
1616
SSL_get_finished(const SSL * ssl,void * buf,size_t count)1617 size_t SSL_get_finished(const SSL *ssl, void *buf, size_t count) {
1618 if (!ssl->s3->initial_handshake_complete ||
1619 ssl_protocol_version(ssl) >= TLS1_3_VERSION) {
1620 return 0;
1621 }
1622
1623 if (ssl->server) {
1624 return copy_finished(buf, count, ssl->s3->previous_server_finished,
1625 ssl->s3->previous_server_finished_len);
1626 }
1627
1628 return copy_finished(buf, count, ssl->s3->previous_client_finished,
1629 ssl->s3->previous_client_finished_len);
1630 }
1631
SSL_get_peer_finished(const SSL * ssl,void * buf,size_t count)1632 size_t SSL_get_peer_finished(const SSL *ssl, void *buf, size_t count) {
1633 if (!ssl->s3->initial_handshake_complete ||
1634 ssl_protocol_version(ssl) >= TLS1_3_VERSION) {
1635 return 0;
1636 }
1637
1638 if (ssl->server) {
1639 return copy_finished(buf, count, ssl->s3->previous_client_finished,
1640 ssl->s3->previous_client_finished_len);
1641 }
1642
1643 return copy_finished(buf, count, ssl->s3->previous_server_finished,
1644 ssl->s3->previous_server_finished_len);
1645 }
1646
SSL_get_verify_mode(const SSL * ssl)1647 int SSL_get_verify_mode(const SSL *ssl) {
1648 if (!ssl->config) {
1649 assert(ssl->config);
1650 return -1;
1651 }
1652 return ssl->config->verify_mode;
1653 }
1654
SSL_get_extms_support(const SSL * ssl)1655 int SSL_get_extms_support(const SSL *ssl) {
1656 // TLS 1.3 does not require extended master secret and always reports as
1657 // supporting it.
1658 if (!ssl->s3->have_version) {
1659 return 0;
1660 }
1661 if (ssl_protocol_version(ssl) >= TLS1_3_VERSION) {
1662 return 1;
1663 }
1664
1665 // If the initial handshake completed, query the established session.
1666 if (ssl->s3->established_session != NULL) {
1667 return ssl->s3->established_session->extended_master_secret;
1668 }
1669
1670 // Otherwise, query the in-progress handshake.
1671 if (ssl->s3->hs != NULL) {
1672 return ssl->s3->hs->extended_master_secret;
1673 }
1674 assert(0);
1675 return 0;
1676 }
1677
SSL_CTX_get_read_ahead(const SSL_CTX * ctx)1678 int SSL_CTX_get_read_ahead(const SSL_CTX *ctx) { return 0; }
1679
SSL_get_read_ahead(const SSL * ssl)1680 int SSL_get_read_ahead(const SSL *ssl) { return 0; }
1681
SSL_CTX_set_read_ahead(SSL_CTX * ctx,int yes)1682 int SSL_CTX_set_read_ahead(SSL_CTX *ctx, int yes) { return 1; }
1683
SSL_set_read_ahead(SSL * ssl,int yes)1684 int SSL_set_read_ahead(SSL *ssl, int yes) { return 1; }
1685
SSL_pending(const SSL * ssl)1686 int SSL_pending(const SSL *ssl) {
1687 return static_cast<int>(ssl->s3->pending_app_data.size());
1688 }
1689
SSL_CTX_check_private_key(const SSL_CTX * ctx)1690 int SSL_CTX_check_private_key(const SSL_CTX *ctx) {
1691 return ssl_cert_check_private_key(ctx->cert.get(),
1692 ctx->cert->privatekey.get());
1693 }
1694
SSL_check_private_key(const SSL * ssl)1695 int SSL_check_private_key(const SSL *ssl) {
1696 if (!ssl->config) {
1697 return 0;
1698 }
1699 return ssl_cert_check_private_key(ssl->config->cert.get(),
1700 ssl->config->cert->privatekey.get());
1701 }
1702
SSL_get_default_timeout(const SSL * ssl)1703 long SSL_get_default_timeout(const SSL *ssl) {
1704 return SSL_DEFAULT_SESSION_TIMEOUT;
1705 }
1706
SSL_renegotiate(SSL * ssl)1707 int SSL_renegotiate(SSL *ssl) {
1708 // Caller-initiated renegotiation is not supported.
1709 OPENSSL_PUT_ERROR(SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
1710 return 0;
1711 }
1712
SSL_renegotiate_pending(SSL * ssl)1713 int SSL_renegotiate_pending(SSL *ssl) {
1714 return SSL_in_init(ssl) && ssl->s3->initial_handshake_complete;
1715 }
1716
SSL_total_renegotiations(const SSL * ssl)1717 int SSL_total_renegotiations(const SSL *ssl) {
1718 return ssl->s3->total_renegotiations;
1719 }
1720
SSL_CTX_get_max_cert_list(const SSL_CTX * ctx)1721 size_t SSL_CTX_get_max_cert_list(const SSL_CTX *ctx) {
1722 return ctx->max_cert_list;
1723 }
1724
SSL_CTX_set_max_cert_list(SSL_CTX * ctx,size_t max_cert_list)1725 void SSL_CTX_set_max_cert_list(SSL_CTX *ctx, size_t max_cert_list) {
1726 if (max_cert_list > kMaxHandshakeSize) {
1727 max_cert_list = kMaxHandshakeSize;
1728 }
1729 ctx->max_cert_list = (uint32_t)max_cert_list;
1730 }
1731
SSL_get_max_cert_list(const SSL * ssl)1732 size_t SSL_get_max_cert_list(const SSL *ssl) {
1733 return ssl->max_cert_list;
1734 }
1735
SSL_set_max_cert_list(SSL * ssl,size_t max_cert_list)1736 void SSL_set_max_cert_list(SSL *ssl, size_t max_cert_list) {
1737 if (max_cert_list > kMaxHandshakeSize) {
1738 max_cert_list = kMaxHandshakeSize;
1739 }
1740 ssl->max_cert_list = (uint32_t)max_cert_list;
1741 }
1742
SSL_CTX_set_max_send_fragment(SSL_CTX * ctx,size_t max_send_fragment)1743 int SSL_CTX_set_max_send_fragment(SSL_CTX *ctx, size_t max_send_fragment) {
1744 if (max_send_fragment < 512) {
1745 max_send_fragment = 512;
1746 }
1747 if (max_send_fragment > SSL3_RT_MAX_PLAIN_LENGTH) {
1748 max_send_fragment = SSL3_RT_MAX_PLAIN_LENGTH;
1749 }
1750 ctx->max_send_fragment = (uint16_t)max_send_fragment;
1751
1752 return 1;
1753 }
1754
SSL_set_max_send_fragment(SSL * ssl,size_t max_send_fragment)1755 int SSL_set_max_send_fragment(SSL *ssl, size_t max_send_fragment) {
1756 if (max_send_fragment < 512) {
1757 max_send_fragment = 512;
1758 }
1759 if (max_send_fragment > SSL3_RT_MAX_PLAIN_LENGTH) {
1760 max_send_fragment = SSL3_RT_MAX_PLAIN_LENGTH;
1761 }
1762 ssl->max_send_fragment = (uint16_t)max_send_fragment;
1763
1764 return 1;
1765 }
1766
SSL_set_mtu(SSL * ssl,unsigned mtu)1767 int SSL_set_mtu(SSL *ssl, unsigned mtu) {
1768 if (!SSL_is_dtls(ssl) || mtu < dtls1_min_mtu()) {
1769 return 0;
1770 }
1771 ssl->d1->mtu = mtu;
1772 return 1;
1773 }
1774
SSL_get_secure_renegotiation_support(const SSL * ssl)1775 int SSL_get_secure_renegotiation_support(const SSL *ssl) {
1776 if (!ssl->s3->have_version) {
1777 return 0;
1778 }
1779 return ssl_protocol_version(ssl) >= TLS1_3_VERSION ||
1780 ssl->s3->send_connection_binding;
1781 }
1782
SSL_CTX_sess_number(const SSL_CTX * ctx)1783 size_t SSL_CTX_sess_number(const SSL_CTX *ctx) {
1784 MutexReadLock lock(const_cast<CRYPTO_MUTEX *>(&ctx->lock));
1785 return lh_SSL_SESSION_num_items(ctx->sessions);
1786 }
1787
SSL_CTX_sess_set_cache_size(SSL_CTX * ctx,unsigned long size)1788 unsigned long SSL_CTX_sess_set_cache_size(SSL_CTX *ctx, unsigned long size) {
1789 unsigned long ret = ctx->session_cache_size;
1790 ctx->session_cache_size = size;
1791 return ret;
1792 }
1793
SSL_CTX_sess_get_cache_size(const SSL_CTX * ctx)1794 unsigned long SSL_CTX_sess_get_cache_size(const SSL_CTX *ctx) {
1795 return ctx->session_cache_size;
1796 }
1797
SSL_CTX_set_session_cache_mode(SSL_CTX * ctx,int mode)1798 int SSL_CTX_set_session_cache_mode(SSL_CTX *ctx, int mode) {
1799 int ret = ctx->session_cache_mode;
1800 ctx->session_cache_mode = mode;
1801 return ret;
1802 }
1803
SSL_CTX_get_session_cache_mode(const SSL_CTX * ctx)1804 int SSL_CTX_get_session_cache_mode(const SSL_CTX *ctx) {
1805 return ctx->session_cache_mode;
1806 }
1807
1808
SSL_CTX_get_tlsext_ticket_keys(SSL_CTX * ctx,void * out,size_t len)1809 int SSL_CTX_get_tlsext_ticket_keys(SSL_CTX *ctx, void *out, size_t len) {
1810 if (out == NULL) {
1811 return 48;
1812 }
1813 if (len != 48) {
1814 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_TICKET_KEYS_LENGTH);
1815 return 0;
1816 }
1817
1818 // The default ticket keys are initialized lazily. Trigger a key
1819 // rotation to initialize them.
1820 if (!ssl_ctx_rotate_ticket_encryption_key(ctx)) {
1821 return 0;
1822 }
1823
1824 uint8_t *out_bytes = reinterpret_cast<uint8_t *>(out);
1825 MutexReadLock lock(&ctx->lock);
1826 OPENSSL_memcpy(out_bytes, ctx->ticket_key_current->name, 16);
1827 OPENSSL_memcpy(out_bytes + 16, ctx->ticket_key_current->hmac_key, 16);
1828 OPENSSL_memcpy(out_bytes + 32, ctx->ticket_key_current->aes_key, 16);
1829 return 1;
1830 }
1831
SSL_CTX_set_tlsext_ticket_keys(SSL_CTX * ctx,const void * in,size_t len)1832 int SSL_CTX_set_tlsext_ticket_keys(SSL_CTX *ctx, const void *in, size_t len) {
1833 if (in == NULL) {
1834 return 48;
1835 }
1836 if (len != 48) {
1837 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_TICKET_KEYS_LENGTH);
1838 return 0;
1839 }
1840 auto key = MakeUnique<TicketKey>();
1841 if (!key) {
1842 return 0;
1843 }
1844 const uint8_t *in_bytes = reinterpret_cast<const uint8_t *>(in);
1845 OPENSSL_memcpy(key->name, in_bytes, 16);
1846 OPENSSL_memcpy(key->hmac_key, in_bytes + 16, 16);
1847 OPENSSL_memcpy(key->aes_key, in_bytes + 32, 16);
1848 // Disable automatic key rotation for manually-configured keys. This is now
1849 // the caller's responsibility.
1850 key->next_rotation_tv_sec = 0;
1851 ctx->ticket_key_current = std::move(key);
1852 ctx->ticket_key_prev.reset();
1853 return 1;
1854 }
1855
SSL_CTX_set_tlsext_ticket_key_cb(SSL_CTX * ctx,int (* callback)(SSL * ssl,uint8_t * key_name,uint8_t * iv,EVP_CIPHER_CTX * ctx,HMAC_CTX * hmac_ctx,int encrypt))1856 int SSL_CTX_set_tlsext_ticket_key_cb(
1857 SSL_CTX *ctx, int (*callback)(SSL *ssl, uint8_t *key_name, uint8_t *iv,
1858 EVP_CIPHER_CTX *ctx, HMAC_CTX *hmac_ctx,
1859 int encrypt)) {
1860 ctx->ticket_key_cb = callback;
1861 return 1;
1862 }
1863
SSL_CTX_set1_curves(SSL_CTX * ctx,const int * curves,size_t curves_len)1864 int SSL_CTX_set1_curves(SSL_CTX *ctx, const int *curves, size_t curves_len) {
1865 return tls1_set_curves(&ctx->supported_group_list,
1866 MakeConstSpan(curves, curves_len));
1867 }
1868
SSL_set1_curves(SSL * ssl,const int * curves,size_t curves_len)1869 int SSL_set1_curves(SSL *ssl, const int *curves, size_t curves_len) {
1870 if (!ssl->config) {
1871 return 0;
1872 }
1873 return tls1_set_curves(&ssl->config->supported_group_list,
1874 MakeConstSpan(curves, curves_len));
1875 }
1876
SSL_CTX_set1_curves_list(SSL_CTX * ctx,const char * curves)1877 int SSL_CTX_set1_curves_list(SSL_CTX *ctx, const char *curves) {
1878 return tls1_set_curves_list(&ctx->supported_group_list, curves);
1879 }
1880
SSL_set1_curves_list(SSL * ssl,const char * curves)1881 int SSL_set1_curves_list(SSL *ssl, const char *curves) {
1882 if (!ssl->config) {
1883 return 0;
1884 }
1885 return tls1_set_curves_list(&ssl->config->supported_group_list, curves);
1886 }
1887
SSL_get_curve_id(const SSL * ssl)1888 uint16_t SSL_get_curve_id(const SSL *ssl) {
1889 // TODO(davidben): This checks the wrong session if there is a renegotiation
1890 // in progress.
1891 SSL_SESSION *session = SSL_get_session(ssl);
1892 if (session == NULL) {
1893 return 0;
1894 }
1895
1896 return session->group_id;
1897 }
1898
SSL_CTX_set_tmp_dh(SSL_CTX * ctx,const DH * dh)1899 int SSL_CTX_set_tmp_dh(SSL_CTX *ctx, const DH *dh) {
1900 return 1;
1901 }
1902
SSL_set_tmp_dh(SSL * ssl,const DH * dh)1903 int SSL_set_tmp_dh(SSL *ssl, const DH *dh) {
1904 return 1;
1905 }
1906
STACK_OF(SSL_CIPHER)1907 STACK_OF(SSL_CIPHER) *SSL_CTX_get_ciphers(const SSL_CTX *ctx) {
1908 return ctx->cipher_list->ciphers.get();
1909 }
1910
SSL_CTX_cipher_in_group(const SSL_CTX * ctx,size_t i)1911 int SSL_CTX_cipher_in_group(const SSL_CTX *ctx, size_t i) {
1912 if (i >= sk_SSL_CIPHER_num(ctx->cipher_list->ciphers.get())) {
1913 return 0;
1914 }
1915 return ctx->cipher_list->in_group_flags[i];
1916 }
1917
STACK_OF(SSL_CIPHER)1918 STACK_OF(SSL_CIPHER) *SSL_get_ciphers(const SSL *ssl) {
1919 if (ssl == NULL) {
1920 return NULL;
1921 }
1922 if (ssl->config == NULL) {
1923 assert(ssl->config);
1924 return NULL;
1925 }
1926
1927 return ssl->config->cipher_list ? ssl->config->cipher_list->ciphers.get()
1928 : ssl->ctx->cipher_list->ciphers.get();
1929 }
1930
SSL_get_cipher_list(const SSL * ssl,int n)1931 const char *SSL_get_cipher_list(const SSL *ssl, int n) {
1932 if (ssl == NULL) {
1933 return NULL;
1934 }
1935
1936 STACK_OF(SSL_CIPHER) *sk = SSL_get_ciphers(ssl);
1937 if (sk == NULL || n < 0 || (size_t)n >= sk_SSL_CIPHER_num(sk)) {
1938 return NULL;
1939 }
1940
1941 const SSL_CIPHER *c = sk_SSL_CIPHER_value(sk, n);
1942 if (c == NULL) {
1943 return NULL;
1944 }
1945
1946 return c->name;
1947 }
1948
SSL_CTX_set_cipher_list(SSL_CTX * ctx,const char * str)1949 int SSL_CTX_set_cipher_list(SSL_CTX *ctx, const char *str) {
1950 return ssl_create_cipher_list(&ctx->cipher_list, str, false /* not strict */);
1951 }
1952
SSL_CTX_set_strict_cipher_list(SSL_CTX * ctx,const char * str)1953 int SSL_CTX_set_strict_cipher_list(SSL_CTX *ctx, const char *str) {
1954 return ssl_create_cipher_list(&ctx->cipher_list, str, true /* strict */);
1955 }
1956
SSL_set_cipher_list(SSL * ssl,const char * str)1957 int SSL_set_cipher_list(SSL *ssl, const char *str) {
1958 if (!ssl->config) {
1959 return 0;
1960 }
1961 return ssl_create_cipher_list(&ssl->config->cipher_list, str,
1962 false /* not strict */);
1963 }
1964
SSL_set_strict_cipher_list(SSL * ssl,const char * str)1965 int SSL_set_strict_cipher_list(SSL *ssl, const char *str) {
1966 if (!ssl->config) {
1967 return 0;
1968 }
1969 return ssl_create_cipher_list(&ssl->config->cipher_list, str,
1970 true /* strict */);
1971 }
1972
SSL_get_servername(const SSL * ssl,const int type)1973 const char *SSL_get_servername(const SSL *ssl, const int type) {
1974 if (type != TLSEXT_NAMETYPE_host_name) {
1975 return NULL;
1976 }
1977
1978 // Historically, |SSL_get_servername| was also the configuration getter
1979 // corresponding to |SSL_set_tlsext_host_name|.
1980 if (ssl->hostname != nullptr) {
1981 return ssl->hostname.get();
1982 }
1983
1984 return ssl->s3->hostname.get();
1985 }
1986
SSL_get_servername_type(const SSL * ssl)1987 int SSL_get_servername_type(const SSL *ssl) {
1988 if (SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name) == NULL) {
1989 return -1;
1990 }
1991 return TLSEXT_NAMETYPE_host_name;
1992 }
1993
SSL_CTX_set_custom_verify(SSL_CTX * ctx,int mode,enum ssl_verify_result_t (* callback)(SSL * ssl,uint8_t * out_alert))1994 void SSL_CTX_set_custom_verify(
1995 SSL_CTX *ctx, int mode,
1996 enum ssl_verify_result_t (*callback)(SSL *ssl, uint8_t *out_alert)) {
1997 ctx->verify_mode = mode;
1998 ctx->custom_verify_callback = callback;
1999 }
2000
SSL_set_custom_verify(SSL * ssl,int mode,enum ssl_verify_result_t (* callback)(SSL * ssl,uint8_t * out_alert))2001 void SSL_set_custom_verify(
2002 SSL *ssl, int mode,
2003 enum ssl_verify_result_t (*callback)(SSL *ssl, uint8_t *out_alert)) {
2004 if (!ssl->config) {
2005 return;
2006 }
2007 ssl->config->verify_mode = mode;
2008 ssl->config->custom_verify_callback = callback;
2009 }
2010
SSL_CTX_enable_signed_cert_timestamps(SSL_CTX * ctx)2011 void SSL_CTX_enable_signed_cert_timestamps(SSL_CTX *ctx) {
2012 ctx->signed_cert_timestamps_enabled = true;
2013 }
2014
SSL_enable_signed_cert_timestamps(SSL * ssl)2015 void SSL_enable_signed_cert_timestamps(SSL *ssl) {
2016 if (!ssl->config) {
2017 return;
2018 }
2019 ssl->config->signed_cert_timestamps_enabled = true;
2020 }
2021
SSL_CTX_enable_ocsp_stapling(SSL_CTX * ctx)2022 void SSL_CTX_enable_ocsp_stapling(SSL_CTX *ctx) {
2023 ctx->ocsp_stapling_enabled = true;
2024 }
2025
SSL_enable_ocsp_stapling(SSL * ssl)2026 void SSL_enable_ocsp_stapling(SSL *ssl) {
2027 if (!ssl->config) {
2028 return;
2029 }
2030 ssl->config->ocsp_stapling_enabled = true;
2031 }
2032
SSL_get0_signed_cert_timestamp_list(const SSL * ssl,const uint8_t ** out,size_t * out_len)2033 void SSL_get0_signed_cert_timestamp_list(const SSL *ssl, const uint8_t **out,
2034 size_t *out_len) {
2035 SSL_SESSION *session = SSL_get_session(ssl);
2036 if (ssl->server || !session || !session->signed_cert_timestamp_list) {
2037 *out_len = 0;
2038 *out = NULL;
2039 return;
2040 }
2041
2042 *out = CRYPTO_BUFFER_data(session->signed_cert_timestamp_list.get());
2043 *out_len = CRYPTO_BUFFER_len(session->signed_cert_timestamp_list.get());
2044 }
2045
SSL_get0_ocsp_response(const SSL * ssl,const uint8_t ** out,size_t * out_len)2046 void SSL_get0_ocsp_response(const SSL *ssl, const uint8_t **out,
2047 size_t *out_len) {
2048 SSL_SESSION *session = SSL_get_session(ssl);
2049 if (ssl->server || !session || !session->ocsp_response) {
2050 *out_len = 0;
2051 *out = NULL;
2052 return;
2053 }
2054
2055 *out = CRYPTO_BUFFER_data(session->ocsp_response.get());
2056 *out_len = CRYPTO_BUFFER_len(session->ocsp_response.get());
2057 }
2058
SSL_set_tlsext_host_name(SSL * ssl,const char * name)2059 int SSL_set_tlsext_host_name(SSL *ssl, const char *name) {
2060 ssl->hostname.reset();
2061 if (name == nullptr) {
2062 return 1;
2063 }
2064
2065 size_t len = strlen(name);
2066 if (len == 0 || len > TLSEXT_MAXLEN_host_name) {
2067 OPENSSL_PUT_ERROR(SSL, SSL_R_SSL3_EXT_INVALID_SERVERNAME);
2068 return 0;
2069 }
2070 ssl->hostname.reset(BUF_strdup(name));
2071 if (ssl->hostname == nullptr) {
2072 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
2073 return 0;
2074 }
2075 return 1;
2076 }
2077
SSL_CTX_set_tlsext_servername_callback(SSL_CTX * ctx,int (* callback)(SSL * ssl,int * out_alert,void * arg))2078 int SSL_CTX_set_tlsext_servername_callback(
2079 SSL_CTX *ctx, int (*callback)(SSL *ssl, int *out_alert, void *arg)) {
2080 ctx->servername_callback = callback;
2081 return 1;
2082 }
2083
SSL_CTX_set_tlsext_servername_arg(SSL_CTX * ctx,void * arg)2084 int SSL_CTX_set_tlsext_servername_arg(SSL_CTX *ctx, void *arg) {
2085 ctx->servername_arg = arg;
2086 return 1;
2087 }
2088
SSL_select_next_proto(uint8_t ** out,uint8_t * out_len,const uint8_t * peer,unsigned peer_len,const uint8_t * supported,unsigned supported_len)2089 int SSL_select_next_proto(uint8_t **out, uint8_t *out_len, const uint8_t *peer,
2090 unsigned peer_len, const uint8_t *supported,
2091 unsigned supported_len) {
2092 const uint8_t *result;
2093 int status;
2094
2095 // For each protocol in peer preference order, see if we support it.
2096 for (unsigned i = 0; i < peer_len;) {
2097 for (unsigned j = 0; j < supported_len;) {
2098 if (peer[i] == supported[j] &&
2099 OPENSSL_memcmp(&peer[i + 1], &supported[j + 1], peer[i]) == 0) {
2100 // We found a match
2101 result = &peer[i];
2102 status = OPENSSL_NPN_NEGOTIATED;
2103 goto found;
2104 }
2105 j += supported[j];
2106 j++;
2107 }
2108 i += peer[i];
2109 i++;
2110 }
2111
2112 // There's no overlap between our protocols and the peer's list.
2113 result = supported;
2114 status = OPENSSL_NPN_NO_OVERLAP;
2115
2116 found:
2117 *out = (uint8_t *)result + 1;
2118 *out_len = result[0];
2119 return status;
2120 }
2121
SSL_get0_next_proto_negotiated(const SSL * ssl,const uint8_t ** out_data,unsigned * out_len)2122 void SSL_get0_next_proto_negotiated(const SSL *ssl, const uint8_t **out_data,
2123 unsigned *out_len) {
2124 *out_data = ssl->s3->next_proto_negotiated.data();
2125 *out_len = ssl->s3->next_proto_negotiated.size();
2126 }
2127
SSL_CTX_set_next_protos_advertised_cb(SSL_CTX * ctx,int (* cb)(SSL * ssl,const uint8_t ** out,unsigned * out_len,void * arg),void * arg)2128 void SSL_CTX_set_next_protos_advertised_cb(
2129 SSL_CTX *ctx,
2130 int (*cb)(SSL *ssl, const uint8_t **out, unsigned *out_len, void *arg),
2131 void *arg) {
2132 ctx->next_protos_advertised_cb = cb;
2133 ctx->next_protos_advertised_cb_arg = arg;
2134 }
2135
SSL_CTX_set_next_proto_select_cb(SSL_CTX * ctx,int (* cb)(SSL * ssl,uint8_t ** out,uint8_t * out_len,const uint8_t * in,unsigned in_len,void * arg),void * arg)2136 void SSL_CTX_set_next_proto_select_cb(
2137 SSL_CTX *ctx, int (*cb)(SSL *ssl, uint8_t **out, uint8_t *out_len,
2138 const uint8_t *in, unsigned in_len, void *arg),
2139 void *arg) {
2140 ctx->next_proto_select_cb = cb;
2141 ctx->next_proto_select_cb_arg = arg;
2142 }
2143
SSL_CTX_set_alpn_protos(SSL_CTX * ctx,const uint8_t * protos,unsigned protos_len)2144 int SSL_CTX_set_alpn_protos(SSL_CTX *ctx, const uint8_t *protos,
2145 unsigned protos_len) {
2146 // Note this function's calling convention is backwards.
2147 return ctx->alpn_client_proto_list.CopyFrom(MakeConstSpan(protos, protos_len))
2148 ? 0
2149 : 1;
2150 }
2151
SSL_set_alpn_protos(SSL * ssl,const uint8_t * protos,unsigned protos_len)2152 int SSL_set_alpn_protos(SSL *ssl, const uint8_t *protos, unsigned protos_len) {
2153 // Note this function's calling convention is backwards.
2154 if (!ssl->config) {
2155 return 1;
2156 }
2157 return ssl->config->alpn_client_proto_list.CopyFrom(
2158 MakeConstSpan(protos, protos_len))
2159 ? 0
2160 : 1;
2161 }
2162
SSL_CTX_set_alpn_select_cb(SSL_CTX * ctx,int (* cb)(SSL * ssl,const uint8_t ** out,uint8_t * out_len,const uint8_t * in,unsigned in_len,void * arg),void * arg)2163 void SSL_CTX_set_alpn_select_cb(SSL_CTX *ctx,
2164 int (*cb)(SSL *ssl, const uint8_t **out,
2165 uint8_t *out_len, const uint8_t *in,
2166 unsigned in_len, void *arg),
2167 void *arg) {
2168 ctx->alpn_select_cb = cb;
2169 ctx->alpn_select_cb_arg = arg;
2170 }
2171
SSL_get0_alpn_selected(const SSL * ssl,const uint8_t ** out_data,unsigned * out_len)2172 void SSL_get0_alpn_selected(const SSL *ssl, const uint8_t **out_data,
2173 unsigned *out_len) {
2174 if (SSL_in_early_data(ssl) && !ssl->server) {
2175 *out_data = ssl->s3->hs->early_session->early_alpn.data();
2176 *out_len = ssl->s3->hs->early_session->early_alpn.size();
2177 } else {
2178 *out_data = ssl->s3->alpn_selected.data();
2179 *out_len = ssl->s3->alpn_selected.size();
2180 }
2181 }
2182
SSL_CTX_set_allow_unknown_alpn_protos(SSL_CTX * ctx,int enabled)2183 void SSL_CTX_set_allow_unknown_alpn_protos(SSL_CTX *ctx, int enabled) {
2184 ctx->allow_unknown_alpn_protos = !!enabled;
2185 }
2186
SSL_CTX_add_cert_compression_alg(SSL_CTX * ctx,uint16_t alg_id,ssl_cert_compression_func_t compress,ssl_cert_decompression_func_t decompress)2187 int SSL_CTX_add_cert_compression_alg(SSL_CTX *ctx, uint16_t alg_id,
2188 ssl_cert_compression_func_t compress,
2189 ssl_cert_decompression_func_t decompress) {
2190 assert(compress != nullptr || decompress != nullptr);
2191
2192 for (const auto *alg : ctx->cert_compression_algs.get()) {
2193 if (alg->alg_id == alg_id) {
2194 return 0;
2195 }
2196 }
2197
2198 UniquePtr<CertCompressionAlg> alg = MakeUnique<CertCompressionAlg>();
2199 if (alg == nullptr) {
2200 return 0;
2201 }
2202
2203 alg->alg_id = alg_id;
2204 alg->compress = compress;
2205 alg->decompress = decompress;
2206
2207 if (ctx->cert_compression_algs == nullptr) {
2208 ctx->cert_compression_algs.reset(sk_CertCompressionAlg_new_null());
2209 if (ctx->cert_compression_algs == nullptr) {
2210 return 0;
2211 }
2212 }
2213
2214 if (!PushToStack(ctx->cert_compression_algs.get(), std::move(alg))) {
2215 if (sk_CertCompressionAlg_num(ctx->cert_compression_algs.get()) == 0) {
2216 ctx->cert_compression_algs.reset();
2217 }
2218 return 0;
2219 }
2220
2221 return 1;
2222 }
2223
SSL_CTX_set_tls_channel_id_enabled(SSL_CTX * ctx,int enabled)2224 void SSL_CTX_set_tls_channel_id_enabled(SSL_CTX *ctx, int enabled) {
2225 ctx->channel_id_enabled = !!enabled;
2226 }
2227
SSL_CTX_enable_tls_channel_id(SSL_CTX * ctx)2228 int SSL_CTX_enable_tls_channel_id(SSL_CTX *ctx) {
2229 SSL_CTX_set_tls_channel_id_enabled(ctx, 1);
2230 return 1;
2231 }
2232
SSL_set_tls_channel_id_enabled(SSL * ssl,int enabled)2233 void SSL_set_tls_channel_id_enabled(SSL *ssl, int enabled) {
2234 if (!ssl->config) {
2235 return;
2236 }
2237 ssl->config->channel_id_enabled = !!enabled;
2238 }
2239
SSL_enable_tls_channel_id(SSL * ssl)2240 int SSL_enable_tls_channel_id(SSL *ssl) {
2241 SSL_set_tls_channel_id_enabled(ssl, 1);
2242 return 1;
2243 }
2244
is_p256_key(EVP_PKEY * private_key)2245 static int is_p256_key(EVP_PKEY *private_key) {
2246 const EC_KEY *ec_key = EVP_PKEY_get0_EC_KEY(private_key);
2247 return ec_key != NULL &&
2248 EC_GROUP_get_curve_name(EC_KEY_get0_group(ec_key)) ==
2249 NID_X9_62_prime256v1;
2250 }
2251
SSL_CTX_set1_tls_channel_id(SSL_CTX * ctx,EVP_PKEY * private_key)2252 int SSL_CTX_set1_tls_channel_id(SSL_CTX *ctx, EVP_PKEY *private_key) {
2253 if (!is_p256_key(private_key)) {
2254 OPENSSL_PUT_ERROR(SSL, SSL_R_CHANNEL_ID_NOT_P256);
2255 return 0;
2256 }
2257
2258 ctx->channel_id_private = UpRef(private_key);
2259 ctx->channel_id_enabled = true;
2260
2261 return 1;
2262 }
2263
SSL_set1_tls_channel_id(SSL * ssl,EVP_PKEY * private_key)2264 int SSL_set1_tls_channel_id(SSL *ssl, EVP_PKEY *private_key) {
2265 if (!ssl->config) {
2266 return 0;
2267 }
2268 if (!is_p256_key(private_key)) {
2269 OPENSSL_PUT_ERROR(SSL, SSL_R_CHANNEL_ID_NOT_P256);
2270 return 0;
2271 }
2272
2273 ssl->config->channel_id_private = UpRef(private_key);
2274 ssl->config->channel_id_enabled = true;
2275
2276 return 1;
2277 }
2278
SSL_get_tls_channel_id(SSL * ssl,uint8_t * out,size_t max_out)2279 size_t SSL_get_tls_channel_id(SSL *ssl, uint8_t *out, size_t max_out) {
2280 if (!ssl->s3->channel_id_valid) {
2281 return 0;
2282 }
2283 OPENSSL_memcpy(out, ssl->s3->channel_id, (max_out < 64) ? max_out : 64);
2284 return 64;
2285 }
2286
SSL_set_token_binding_params(SSL * ssl,const uint8_t * params,size_t len)2287 int SSL_set_token_binding_params(SSL *ssl, const uint8_t *params, size_t len) {
2288 if (!ssl->config) {
2289 return 0;
2290 }
2291 if (len > 256) {
2292 OPENSSL_PUT_ERROR(SSL, ERR_R_OVERFLOW);
2293 return 0;
2294 }
2295 return ssl->config->token_binding_params.CopyFrom(MakeConstSpan(params, len));
2296 }
2297
SSL_is_token_binding_negotiated(const SSL * ssl)2298 int SSL_is_token_binding_negotiated(const SSL *ssl) {
2299 return ssl->s3->token_binding_negotiated;
2300 }
2301
SSL_get_negotiated_token_binding_param(const SSL * ssl)2302 uint8_t SSL_get_negotiated_token_binding_param(const SSL *ssl) {
2303 return ssl->s3->negotiated_token_binding_param;
2304 }
2305
SSL_get0_certificate_types(const SSL * ssl,const uint8_t ** out_types)2306 size_t SSL_get0_certificate_types(const SSL *ssl, const uint8_t **out_types) {
2307 Span<const uint8_t> types;
2308 if (!ssl->server && ssl->s3->hs != nullptr) {
2309 types = ssl->s3->hs->certificate_types;
2310 }
2311 *out_types = types.data();
2312 return types.size();
2313 }
2314
SSL_get0_peer_verify_algorithms(const SSL * ssl,const uint16_t ** out_sigalgs)2315 size_t SSL_get0_peer_verify_algorithms(const SSL *ssl,
2316 const uint16_t **out_sigalgs) {
2317 Span<const uint16_t> sigalgs;
2318 if (ssl->s3->hs != nullptr) {
2319 sigalgs = ssl->s3->hs->peer_sigalgs;
2320 }
2321 *out_sigalgs = sigalgs.data();
2322 return sigalgs.size();
2323 }
2324
SSL_get_privatekey(const SSL * ssl)2325 EVP_PKEY *SSL_get_privatekey(const SSL *ssl) {
2326 if (!ssl->config) {
2327 assert(ssl->config);
2328 return NULL;
2329 }
2330 if (ssl->config->cert != NULL) {
2331 return ssl->config->cert->privatekey.get();
2332 }
2333
2334 return NULL;
2335 }
2336
SSL_CTX_get0_privatekey(const SSL_CTX * ctx)2337 EVP_PKEY *SSL_CTX_get0_privatekey(const SSL_CTX *ctx) {
2338 if (ctx->cert != NULL) {
2339 return ctx->cert->privatekey.get();
2340 }
2341
2342 return NULL;
2343 }
2344
SSL_get_current_cipher(const SSL * ssl)2345 const SSL_CIPHER *SSL_get_current_cipher(const SSL *ssl) {
2346 const SSL_SESSION *session = SSL_get_session(ssl);
2347 return session == nullptr ? nullptr : session->cipher;
2348 }
2349
SSL_session_reused(const SSL * ssl)2350 int SSL_session_reused(const SSL *ssl) {
2351 return ssl->s3->session_reused || SSL_in_early_data(ssl);
2352 }
2353
SSL_get_current_compression(SSL * ssl)2354 const COMP_METHOD *SSL_get_current_compression(SSL *ssl) { return NULL; }
2355
SSL_get_current_expansion(SSL * ssl)2356 const COMP_METHOD *SSL_get_current_expansion(SSL *ssl) { return NULL; }
2357
SSL_get_server_tmp_key(SSL * ssl,EVP_PKEY ** out_key)2358 int SSL_get_server_tmp_key(SSL *ssl, EVP_PKEY **out_key) { return 0; }
2359
SSL_CTX_set_quiet_shutdown(SSL_CTX * ctx,int mode)2360 void SSL_CTX_set_quiet_shutdown(SSL_CTX *ctx, int mode) {
2361 ctx->quiet_shutdown = (mode != 0);
2362 }
2363
SSL_CTX_get_quiet_shutdown(const SSL_CTX * ctx)2364 int SSL_CTX_get_quiet_shutdown(const SSL_CTX *ctx) {
2365 return ctx->quiet_shutdown;
2366 }
2367
SSL_set_quiet_shutdown(SSL * ssl,int mode)2368 void SSL_set_quiet_shutdown(SSL *ssl, int mode) {
2369 ssl->quiet_shutdown = (mode != 0);
2370 }
2371
SSL_get_quiet_shutdown(const SSL * ssl)2372 int SSL_get_quiet_shutdown(const SSL *ssl) { return ssl->quiet_shutdown; }
2373
SSL_set_shutdown(SSL * ssl,int mode)2374 void SSL_set_shutdown(SSL *ssl, int mode) {
2375 // It is an error to clear any bits that have already been set. (We can't try
2376 // to get a second close_notify or send two.)
2377 assert((SSL_get_shutdown(ssl) & mode) == SSL_get_shutdown(ssl));
2378
2379 if (mode & SSL_RECEIVED_SHUTDOWN &&
2380 ssl->s3->read_shutdown == ssl_shutdown_none) {
2381 ssl->s3->read_shutdown = ssl_shutdown_close_notify;
2382 }
2383
2384 if (mode & SSL_SENT_SHUTDOWN &&
2385 ssl->s3->write_shutdown == ssl_shutdown_none) {
2386 ssl->s3->write_shutdown = ssl_shutdown_close_notify;
2387 }
2388 }
2389
SSL_get_shutdown(const SSL * ssl)2390 int SSL_get_shutdown(const SSL *ssl) {
2391 int ret = 0;
2392 if (ssl->s3->read_shutdown != ssl_shutdown_none) {
2393 // Historically, OpenSSL set |SSL_RECEIVED_SHUTDOWN| on both close_notify
2394 // and fatal alert.
2395 ret |= SSL_RECEIVED_SHUTDOWN;
2396 }
2397 if (ssl->s3->write_shutdown == ssl_shutdown_close_notify) {
2398 // Historically, OpenSSL set |SSL_SENT_SHUTDOWN| on only close_notify.
2399 ret |= SSL_SENT_SHUTDOWN;
2400 }
2401 return ret;
2402 }
2403
SSL_get_SSL_CTX(const SSL * ssl)2404 SSL_CTX *SSL_get_SSL_CTX(const SSL *ssl) { return ssl->ctx.get(); }
2405
SSL_set_SSL_CTX(SSL * ssl,SSL_CTX * ctx)2406 SSL_CTX *SSL_set_SSL_CTX(SSL *ssl, SSL_CTX *ctx) {
2407 if (!ssl->config) {
2408 return NULL;
2409 }
2410 if (ssl->ctx.get() == ctx) {
2411 return ssl->ctx.get();
2412 }
2413
2414 // One cannot change the X.509 callbacks during a connection.
2415 if (ssl->ctx->x509_method != ctx->x509_method) {
2416 assert(0);
2417 return NULL;
2418 }
2419
2420 UniquePtr<CERT> new_cert = ssl_cert_dup(ctx->cert.get());
2421 if (!new_cert) {
2422 return nullptr;
2423 }
2424
2425 ssl->config->cert = std::move(new_cert);
2426 ssl->ctx = UpRef(ctx);
2427 ssl->enable_early_data = ssl->ctx->enable_early_data;
2428
2429 return ssl->ctx.get();
2430 }
2431
SSL_set_info_callback(SSL * ssl,void (* cb)(const SSL * ssl,int type,int value))2432 void SSL_set_info_callback(SSL *ssl,
2433 void (*cb)(const SSL *ssl, int type, int value)) {
2434 ssl->info_callback = cb;
2435 }
2436
SSL_get_info_callback(const SSL * ssl)2437 void (*SSL_get_info_callback(const SSL *ssl))(const SSL *ssl, int type,
2438 int value) {
2439 return ssl->info_callback;
2440 }
2441
SSL_state(const SSL * ssl)2442 int SSL_state(const SSL *ssl) {
2443 return SSL_in_init(ssl) ? SSL_ST_INIT : SSL_ST_OK;
2444 }
2445
SSL_set_state(SSL * ssl,int state)2446 void SSL_set_state(SSL *ssl, int state) { }
2447
SSL_get_shared_ciphers(const SSL * ssl,char * buf,int len)2448 char *SSL_get_shared_ciphers(const SSL *ssl, char *buf, int len) {
2449 if (len <= 0) {
2450 return NULL;
2451 }
2452 buf[0] = '\0';
2453 return buf;
2454 }
2455
SSL_CTX_set_quic_method(SSL_CTX * ctx,const SSL_QUIC_METHOD * quic_method)2456 int SSL_CTX_set_quic_method(SSL_CTX *ctx, const SSL_QUIC_METHOD *quic_method) {
2457 if (ctx->method->is_dtls) {
2458 return 0;
2459 }
2460 ctx->quic_method = quic_method;
2461 return 1;
2462 }
2463
SSL_set_quic_method(SSL * ssl,const SSL_QUIC_METHOD * quic_method)2464 int SSL_set_quic_method(SSL *ssl, const SSL_QUIC_METHOD *quic_method) {
2465 if (ssl->method->is_dtls) {
2466 return 0;
2467 }
2468 ssl->quic_method = quic_method;
2469 return 1;
2470 }
2471
SSL_get_ex_new_index(long argl,void * argp,CRYPTO_EX_unused * unused,CRYPTO_EX_dup * dup_unused,CRYPTO_EX_free * free_func)2472 int SSL_get_ex_new_index(long argl, void *argp, CRYPTO_EX_unused *unused,
2473 CRYPTO_EX_dup *dup_unused, CRYPTO_EX_free *free_func) {
2474 int index;
2475 if (!CRYPTO_get_ex_new_index(&g_ex_data_class_ssl, &index, argl, argp,
2476 free_func)) {
2477 return -1;
2478 }
2479 return index;
2480 }
2481
SSL_set_ex_data(SSL * ssl,int idx,void * data)2482 int SSL_set_ex_data(SSL *ssl, int idx, void *data) {
2483 return CRYPTO_set_ex_data(&ssl->ex_data, idx, data);
2484 }
2485
SSL_get_ex_data(const SSL * ssl,int idx)2486 void *SSL_get_ex_data(const SSL *ssl, int idx) {
2487 return CRYPTO_get_ex_data(&ssl->ex_data, idx);
2488 }
2489
SSL_CTX_get_ex_new_index(long argl,void * argp,CRYPTO_EX_unused * unused,CRYPTO_EX_dup * dup_unused,CRYPTO_EX_free * free_func)2490 int SSL_CTX_get_ex_new_index(long argl, void *argp, CRYPTO_EX_unused *unused,
2491 CRYPTO_EX_dup *dup_unused,
2492 CRYPTO_EX_free *free_func) {
2493 int index;
2494 if (!CRYPTO_get_ex_new_index(&g_ex_data_class_ssl_ctx, &index, argl, argp,
2495 free_func)) {
2496 return -1;
2497 }
2498 return index;
2499 }
2500
SSL_CTX_set_ex_data(SSL_CTX * ctx,int idx,void * data)2501 int SSL_CTX_set_ex_data(SSL_CTX *ctx, int idx, void *data) {
2502 return CRYPTO_set_ex_data(&ctx->ex_data, idx, data);
2503 }
2504
SSL_CTX_get_ex_data(const SSL_CTX * ctx,int idx)2505 void *SSL_CTX_get_ex_data(const SSL_CTX *ctx, int idx) {
2506 return CRYPTO_get_ex_data(&ctx->ex_data, idx);
2507 }
2508
SSL_want(const SSL * ssl)2509 int SSL_want(const SSL *ssl) { return ssl->s3->rwstate; }
2510
SSL_CTX_set_tmp_rsa_callback(SSL_CTX * ctx,RSA * (* cb)(SSL * ssl,int is_export,int keylength))2511 void SSL_CTX_set_tmp_rsa_callback(SSL_CTX *ctx,
2512 RSA *(*cb)(SSL *ssl, int is_export,
2513 int keylength)) {}
2514
SSL_set_tmp_rsa_callback(SSL * ssl,RSA * (* cb)(SSL * ssl,int is_export,int keylength))2515 void SSL_set_tmp_rsa_callback(SSL *ssl, RSA *(*cb)(SSL *ssl, int is_export,
2516 int keylength)) {}
2517
SSL_CTX_set_tmp_dh_callback(SSL_CTX * ctx,DH * (* cb)(SSL * ssl,int is_export,int keylength))2518 void SSL_CTX_set_tmp_dh_callback(SSL_CTX *ctx,
2519 DH *(*cb)(SSL *ssl, int is_export,
2520 int keylength)) {}
2521
SSL_set_tmp_dh_callback(SSL * ssl,DH * (* cb)(SSL * ssl,int is_export,int keylength))2522 void SSL_set_tmp_dh_callback(SSL *ssl, DH *(*cb)(SSL *ssl, int is_export,
2523 int keylength)) {}
2524
use_psk_identity_hint(UniquePtr<char> * out,const char * identity_hint)2525 static int use_psk_identity_hint(UniquePtr<char> *out,
2526 const char *identity_hint) {
2527 if (identity_hint != NULL && strlen(identity_hint) > PSK_MAX_IDENTITY_LEN) {
2528 OPENSSL_PUT_ERROR(SSL, SSL_R_DATA_LENGTH_TOO_LONG);
2529 return 0;
2530 }
2531
2532 // Clear currently configured hint, if any.
2533 out->reset();
2534
2535 // Treat the empty hint as not supplying one. Plain PSK makes it possible to
2536 // send either no hint (omit ServerKeyExchange) or an empty hint, while
2537 // ECDHE_PSK can only spell empty hint. Having different capabilities is odd,
2538 // so we interpret empty and missing as identical.
2539 if (identity_hint != NULL && identity_hint[0] != '\0') {
2540 out->reset(BUF_strdup(identity_hint));
2541 if (*out == nullptr) {
2542 return 0;
2543 }
2544 }
2545
2546 return 1;
2547 }
2548
SSL_CTX_use_psk_identity_hint(SSL_CTX * ctx,const char * identity_hint)2549 int SSL_CTX_use_psk_identity_hint(SSL_CTX *ctx, const char *identity_hint) {
2550 return use_psk_identity_hint(&ctx->psk_identity_hint, identity_hint);
2551 }
2552
SSL_use_psk_identity_hint(SSL * ssl,const char * identity_hint)2553 int SSL_use_psk_identity_hint(SSL *ssl, const char *identity_hint) {
2554 if (!ssl->config) {
2555 return 0;
2556 }
2557 return use_psk_identity_hint(&ssl->config->psk_identity_hint, identity_hint);
2558 }
2559
SSL_get_psk_identity_hint(const SSL * ssl)2560 const char *SSL_get_psk_identity_hint(const SSL *ssl) {
2561 if (ssl == NULL) {
2562 return NULL;
2563 }
2564 if (ssl->config == NULL) {
2565 assert(ssl->config);
2566 return NULL;
2567 }
2568 return ssl->config->psk_identity_hint.get();
2569 }
2570
SSL_get_psk_identity(const SSL * ssl)2571 const char *SSL_get_psk_identity(const SSL *ssl) {
2572 if (ssl == NULL) {
2573 return NULL;
2574 }
2575 SSL_SESSION *session = SSL_get_session(ssl);
2576 if (session == NULL) {
2577 return NULL;
2578 }
2579 return session->psk_identity.get();
2580 }
2581
SSL_set_psk_client_callback(SSL * ssl,unsigned (* cb)(SSL * ssl,const char * hint,char * identity,unsigned max_identity_len,uint8_t * psk,unsigned max_psk_len))2582 void SSL_set_psk_client_callback(
2583 SSL *ssl, unsigned (*cb)(SSL *ssl, const char *hint, char *identity,
2584 unsigned max_identity_len, uint8_t *psk,
2585 unsigned max_psk_len)) {
2586 if (!ssl->config) {
2587 return;
2588 }
2589 ssl->config->psk_client_callback = cb;
2590 }
2591
SSL_CTX_set_psk_client_callback(SSL_CTX * ctx,unsigned (* cb)(SSL * ssl,const char * hint,char * identity,unsigned max_identity_len,uint8_t * psk,unsigned max_psk_len))2592 void SSL_CTX_set_psk_client_callback(
2593 SSL_CTX *ctx, unsigned (*cb)(SSL *ssl, const char *hint, char *identity,
2594 unsigned max_identity_len, uint8_t *psk,
2595 unsigned max_psk_len)) {
2596 ctx->psk_client_callback = cb;
2597 }
2598
SSL_set_psk_server_callback(SSL * ssl,unsigned (* cb)(SSL * ssl,const char * identity,uint8_t * psk,unsigned max_psk_len))2599 void SSL_set_psk_server_callback(
2600 SSL *ssl, unsigned (*cb)(SSL *ssl, const char *identity, uint8_t *psk,
2601 unsigned max_psk_len)) {
2602 if (!ssl->config) {
2603 return;
2604 }
2605 ssl->config->psk_server_callback = cb;
2606 }
2607
SSL_CTX_set_psk_server_callback(SSL_CTX * ctx,unsigned (* cb)(SSL * ssl,const char * identity,uint8_t * psk,unsigned max_psk_len))2608 void SSL_CTX_set_psk_server_callback(
2609 SSL_CTX *ctx, unsigned (*cb)(SSL *ssl, const char *identity,
2610 uint8_t *psk, unsigned max_psk_len)) {
2611 ctx->psk_server_callback = cb;
2612 }
2613
SSL_CTX_set_msg_callback(SSL_CTX * ctx,void (* cb)(int write_p,int version,int content_type,const void * buf,size_t len,SSL * ssl,void * arg))2614 void SSL_CTX_set_msg_callback(SSL_CTX *ctx,
2615 void (*cb)(int write_p, int version,
2616 int content_type, const void *buf,
2617 size_t len, SSL *ssl, void *arg)) {
2618 ctx->msg_callback = cb;
2619 }
2620
SSL_CTX_set_msg_callback_arg(SSL_CTX * ctx,void * arg)2621 void SSL_CTX_set_msg_callback_arg(SSL_CTX *ctx, void *arg) {
2622 ctx->msg_callback_arg = arg;
2623 }
2624
SSL_set_msg_callback(SSL * ssl,void (* cb)(int write_p,int version,int content_type,const void * buf,size_t len,SSL * ssl,void * arg))2625 void SSL_set_msg_callback(SSL *ssl,
2626 void (*cb)(int write_p, int version, int content_type,
2627 const void *buf, size_t len, SSL *ssl,
2628 void *arg)) {
2629 ssl->msg_callback = cb;
2630 }
2631
SSL_set_msg_callback_arg(SSL * ssl,void * arg)2632 void SSL_set_msg_callback_arg(SSL *ssl, void *arg) {
2633 ssl->msg_callback_arg = arg;
2634 }
2635
SSL_CTX_set_keylog_callback(SSL_CTX * ctx,void (* cb)(const SSL * ssl,const char * line))2636 void SSL_CTX_set_keylog_callback(SSL_CTX *ctx,
2637 void (*cb)(const SSL *ssl, const char *line)) {
2638 ctx->keylog_callback = cb;
2639 }
2640
SSL_CTX_get_keylog_callback(const SSL_CTX * ctx)2641 void (*SSL_CTX_get_keylog_callback(const SSL_CTX *ctx))(const SSL *ssl,
2642 const char *line) {
2643 return ctx->keylog_callback;
2644 }
2645
SSL_CTX_set_current_time_cb(SSL_CTX * ctx,void (* cb)(const SSL * ssl,struct timeval * out_clock))2646 void SSL_CTX_set_current_time_cb(SSL_CTX *ctx,
2647 void (*cb)(const SSL *ssl,
2648 struct timeval *out_clock)) {
2649 ctx->current_time_cb = cb;
2650 }
2651
SSL_is_init_finished(const SSL * ssl)2652 int SSL_is_init_finished(const SSL *ssl) {
2653 return !SSL_in_init(ssl);
2654 }
2655
SSL_in_init(const SSL * ssl)2656 int SSL_in_init(const SSL *ssl) {
2657 // This returns false once all the handshake state has been finalized, to
2658 // allow callbacks and getters based on SSL_in_init to return the correct
2659 // values.
2660 SSL_HANDSHAKE *hs = ssl->s3->hs.get();
2661 return hs != nullptr && !hs->handshake_finalized;
2662 }
2663
SSL_in_false_start(const SSL * ssl)2664 int SSL_in_false_start(const SSL *ssl) {
2665 if (ssl->s3->hs == NULL) {
2666 return 0;
2667 }
2668 return ssl->s3->hs->in_false_start;
2669 }
2670
SSL_cutthrough_complete(const SSL * ssl)2671 int SSL_cutthrough_complete(const SSL *ssl) {
2672 return SSL_in_false_start(ssl);
2673 }
2674
SSL_is_server(const SSL * ssl)2675 int SSL_is_server(const SSL *ssl) { return ssl->server; }
2676
SSL_is_dtls(const SSL * ssl)2677 int SSL_is_dtls(const SSL *ssl) { return ssl->method->is_dtls; }
2678
SSL_CTX_set_select_certificate_cb(SSL_CTX * ctx,enum ssl_select_cert_result_t (* cb)(const SSL_CLIENT_HELLO *))2679 void SSL_CTX_set_select_certificate_cb(
2680 SSL_CTX *ctx,
2681 enum ssl_select_cert_result_t (*cb)(const SSL_CLIENT_HELLO *)) {
2682 ctx->select_certificate_cb = cb;
2683 }
2684
SSL_CTX_set_dos_protection_cb(SSL_CTX * ctx,int (* cb)(const SSL_CLIENT_HELLO *))2685 void SSL_CTX_set_dos_protection_cb(SSL_CTX *ctx,
2686 int (*cb)(const SSL_CLIENT_HELLO *)) {
2687 ctx->dos_protection_cb = cb;
2688 }
2689
SSL_CTX_set_reverify_on_resume(SSL_CTX * ctx,int enabled)2690 void SSL_CTX_set_reverify_on_resume(SSL_CTX *ctx, int enabled) {
2691 ctx->reverify_on_resume = !!enabled;
2692 }
2693
SSL_set_enforce_rsa_key_usage(SSL * ssl,int enabled)2694 void SSL_set_enforce_rsa_key_usage(SSL *ssl, int enabled) {
2695 if (!ssl->config) {
2696 return;
2697 }
2698 ssl->config->enforce_rsa_key_usage = !!enabled;
2699 }
2700
SSL_set_renegotiate_mode(SSL * ssl,enum ssl_renegotiate_mode_t mode)2701 void SSL_set_renegotiate_mode(SSL *ssl, enum ssl_renegotiate_mode_t mode) {
2702 ssl->renegotiate_mode = mode;
2703
2704 // Check if |ssl_can_renegotiate| has changed and the configuration may now be
2705 // shed. HTTP clients may initially allow renegotiation for HTTP/1.1, and then
2706 // disable after the handshake once the ALPN protocol is known to be HTTP/2.
2707 ssl_maybe_shed_handshake_config(ssl);
2708 }
2709
SSL_get_ivs(const SSL * ssl,const uint8_t ** out_read_iv,const uint8_t ** out_write_iv,size_t * out_iv_len)2710 int SSL_get_ivs(const SSL *ssl, const uint8_t **out_read_iv,
2711 const uint8_t **out_write_iv, size_t *out_iv_len) {
2712 size_t write_iv_len;
2713 if (!ssl->s3->aead_read_ctx->GetIV(out_read_iv, out_iv_len) ||
2714 !ssl->s3->aead_write_ctx->GetIV(out_write_iv, &write_iv_len) ||
2715 *out_iv_len != write_iv_len) {
2716 return 0;
2717 }
2718
2719 return 1;
2720 }
2721
be_to_u64(const uint8_t in[8])2722 static uint64_t be_to_u64(const uint8_t in[8]) {
2723 return (((uint64_t)in[0]) << 56) | (((uint64_t)in[1]) << 48) |
2724 (((uint64_t)in[2]) << 40) | (((uint64_t)in[3]) << 32) |
2725 (((uint64_t)in[4]) << 24) | (((uint64_t)in[5]) << 16) |
2726 (((uint64_t)in[6]) << 8) | ((uint64_t)in[7]);
2727 }
2728
SSL_get_read_sequence(const SSL * ssl)2729 uint64_t SSL_get_read_sequence(const SSL *ssl) {
2730 // TODO(davidben): Internally represent sequence numbers as uint64_t.
2731 if (SSL_is_dtls(ssl)) {
2732 // max_seq_num already includes the epoch.
2733 assert(ssl->d1->r_epoch == (ssl->d1->bitmap.max_seq_num >> 48));
2734 return ssl->d1->bitmap.max_seq_num;
2735 }
2736 return be_to_u64(ssl->s3->read_sequence);
2737 }
2738
SSL_get_write_sequence(const SSL * ssl)2739 uint64_t SSL_get_write_sequence(const SSL *ssl) {
2740 uint64_t ret = be_to_u64(ssl->s3->write_sequence);
2741 if (SSL_is_dtls(ssl)) {
2742 assert((ret >> 48) == 0);
2743 ret |= ((uint64_t)ssl->d1->w_epoch) << 48;
2744 }
2745 return ret;
2746 }
2747
SSL_get_peer_signature_algorithm(const SSL * ssl)2748 uint16_t SSL_get_peer_signature_algorithm(const SSL *ssl) {
2749 // TODO(davidben): This checks the wrong session if there is a renegotiation
2750 // in progress.
2751 SSL_SESSION *session = SSL_get_session(ssl);
2752 if (session == NULL) {
2753 return 0;
2754 }
2755
2756 return session->peer_signature_algorithm;
2757 }
2758
SSL_get_client_random(const SSL * ssl,uint8_t * out,size_t max_out)2759 size_t SSL_get_client_random(const SSL *ssl, uint8_t *out, size_t max_out) {
2760 if (max_out == 0) {
2761 return sizeof(ssl->s3->client_random);
2762 }
2763 if (max_out > sizeof(ssl->s3->client_random)) {
2764 max_out = sizeof(ssl->s3->client_random);
2765 }
2766 OPENSSL_memcpy(out, ssl->s3->client_random, max_out);
2767 return max_out;
2768 }
2769
SSL_get_server_random(const SSL * ssl,uint8_t * out,size_t max_out)2770 size_t SSL_get_server_random(const SSL *ssl, uint8_t *out, size_t max_out) {
2771 if (max_out == 0) {
2772 return sizeof(ssl->s3->server_random);
2773 }
2774 if (max_out > sizeof(ssl->s3->server_random)) {
2775 max_out = sizeof(ssl->s3->server_random);
2776 }
2777 OPENSSL_memcpy(out, ssl->s3->server_random, max_out);
2778 return max_out;
2779 }
2780
SSL_get_pending_cipher(const SSL * ssl)2781 const SSL_CIPHER *SSL_get_pending_cipher(const SSL *ssl) {
2782 SSL_HANDSHAKE *hs = ssl->s3->hs.get();
2783 if (hs == NULL) {
2784 return NULL;
2785 }
2786 return hs->new_cipher;
2787 }
2788
SSL_set_retain_only_sha256_of_client_certs(SSL * ssl,int enabled)2789 void SSL_set_retain_only_sha256_of_client_certs(SSL *ssl, int enabled) {
2790 if (!ssl->config) {
2791 return;
2792 }
2793 ssl->config->retain_only_sha256_of_client_certs = !!enabled;
2794 }
2795
SSL_CTX_set_retain_only_sha256_of_client_certs(SSL_CTX * ctx,int enabled)2796 void SSL_CTX_set_retain_only_sha256_of_client_certs(SSL_CTX *ctx, int enabled) {
2797 ctx->retain_only_sha256_of_client_certs = !!enabled;
2798 }
2799
SSL_CTX_set_grease_enabled(SSL_CTX * ctx,int enabled)2800 void SSL_CTX_set_grease_enabled(SSL_CTX *ctx, int enabled) {
2801 ctx->grease_enabled = !!enabled;
2802 }
2803
SSL_get_ticket_age_skew(const SSL * ssl)2804 int32_t SSL_get_ticket_age_skew(const SSL *ssl) {
2805 return ssl->s3->ticket_age_skew;
2806 }
2807
SSL_CTX_set_false_start_allowed_without_alpn(SSL_CTX * ctx,int allowed)2808 void SSL_CTX_set_false_start_allowed_without_alpn(SSL_CTX *ctx, int allowed) {
2809 ctx->false_start_allowed_without_alpn = !!allowed;
2810 }
2811
SSL_is_tls13_downgrade(const SSL * ssl)2812 int SSL_is_tls13_downgrade(const SSL *ssl) { return ssl->s3->tls13_downgrade; }
2813
SSL_CTX_set_ignore_tls13_downgrade(SSL_CTX * ctx,int ignore)2814 void SSL_CTX_set_ignore_tls13_downgrade(SSL_CTX *ctx, int ignore) {
2815 ctx->ignore_tls13_downgrade = !!ignore;
2816 }
2817
SSL_set_ignore_tls13_downgrade(SSL * ssl,int ignore)2818 void SSL_set_ignore_tls13_downgrade(SSL *ssl, int ignore) {
2819 if (!ssl->config) {
2820 return;
2821 }
2822 ssl->config->ignore_tls13_downgrade = !!ignore;
2823 }
2824
SSL_set_shed_handshake_config(SSL * ssl,int enable)2825 void SSL_set_shed_handshake_config(SSL *ssl, int enable) {
2826 if (!ssl->config) {
2827 return;
2828 }
2829 ssl->config->shed_handshake_config = !!enable;
2830 }
2831
SSL_set_jdk11_workaround(SSL * ssl,int enable)2832 void SSL_set_jdk11_workaround(SSL *ssl, int enable) {
2833 if (!ssl->config) {
2834 return;
2835 }
2836 ssl->config->jdk11_workaround = !!enable;
2837 }
2838
SSL_clear(SSL * ssl)2839 int SSL_clear(SSL *ssl) {
2840 if (!ssl->config) {
2841 return 0; // SSL_clear may not be used after shedding config.
2842 }
2843
2844 // In OpenSSL, reusing a client |SSL| with |SSL_clear| causes the previously
2845 // established session to be offered the next time around. wpa_supplicant
2846 // depends on this behavior, so emulate it.
2847 UniquePtr<SSL_SESSION> session;
2848 if (!ssl->server && ssl->s3->established_session != NULL) {
2849 session = UpRef(ssl->s3->established_session);
2850 }
2851
2852 // The ssl->d1->mtu is simultaneously configuration (preserved across
2853 // clear) and connection-specific state (gets reset).
2854 //
2855 // TODO(davidben): Avoid this.
2856 unsigned mtu = 0;
2857 if (ssl->d1 != NULL) {
2858 mtu = ssl->d1->mtu;
2859 }
2860
2861 ssl->method->ssl_free(ssl);
2862 if (!ssl->method->ssl_new(ssl)) {
2863 return 0;
2864 }
2865
2866 if (SSL_is_dtls(ssl) && (SSL_get_options(ssl) & SSL_OP_NO_QUERY_MTU)) {
2867 ssl->d1->mtu = mtu;
2868 }
2869
2870 if (session != nullptr) {
2871 SSL_set_session(ssl, session.get());
2872 }
2873
2874 return 1;
2875 }
2876
SSL_CTX_sess_connect(const SSL_CTX * ctx)2877 int SSL_CTX_sess_connect(const SSL_CTX *ctx) { return 0; }
SSL_CTX_sess_connect_good(const SSL_CTX * ctx)2878 int SSL_CTX_sess_connect_good(const SSL_CTX *ctx) { return 0; }
SSL_CTX_sess_connect_renegotiate(const SSL_CTX * ctx)2879 int SSL_CTX_sess_connect_renegotiate(const SSL_CTX *ctx) { return 0; }
SSL_CTX_sess_accept(const SSL_CTX * ctx)2880 int SSL_CTX_sess_accept(const SSL_CTX *ctx) { return 0; }
SSL_CTX_sess_accept_renegotiate(const SSL_CTX * ctx)2881 int SSL_CTX_sess_accept_renegotiate(const SSL_CTX *ctx) { return 0; }
SSL_CTX_sess_accept_good(const SSL_CTX * ctx)2882 int SSL_CTX_sess_accept_good(const SSL_CTX *ctx) { return 0; }
SSL_CTX_sess_hits(const SSL_CTX * ctx)2883 int SSL_CTX_sess_hits(const SSL_CTX *ctx) { return 0; }
SSL_CTX_sess_cb_hits(const SSL_CTX * ctx)2884 int SSL_CTX_sess_cb_hits(const SSL_CTX *ctx) { return 0; }
SSL_CTX_sess_misses(const SSL_CTX * ctx)2885 int SSL_CTX_sess_misses(const SSL_CTX *ctx) { return 0; }
SSL_CTX_sess_timeouts(const SSL_CTX * ctx)2886 int SSL_CTX_sess_timeouts(const SSL_CTX *ctx) { return 0; }
SSL_CTX_sess_cache_full(const SSL_CTX * ctx)2887 int SSL_CTX_sess_cache_full(const SSL_CTX *ctx) { return 0; }
2888
SSL_num_renegotiations(const SSL * ssl)2889 int SSL_num_renegotiations(const SSL *ssl) {
2890 return SSL_total_renegotiations(ssl);
2891 }
2892
SSL_CTX_need_tmp_RSA(const SSL_CTX * ctx)2893 int SSL_CTX_need_tmp_RSA(const SSL_CTX *ctx) { return 0; }
SSL_need_tmp_RSA(const SSL * ssl)2894 int SSL_need_tmp_RSA(const SSL *ssl) { return 0; }
SSL_CTX_set_tmp_rsa(SSL_CTX * ctx,const RSA * rsa)2895 int SSL_CTX_set_tmp_rsa(SSL_CTX *ctx, const RSA *rsa) { return 1; }
SSL_set_tmp_rsa(SSL * ssl,const RSA * rsa)2896 int SSL_set_tmp_rsa(SSL *ssl, const RSA *rsa) { return 1; }
ERR_load_SSL_strings(void)2897 void ERR_load_SSL_strings(void) {}
SSL_load_error_strings(void)2898 void SSL_load_error_strings(void) {}
SSL_cache_hit(SSL * ssl)2899 int SSL_cache_hit(SSL *ssl) { return SSL_session_reused(ssl); }
2900
SSL_CTX_set_tmp_ecdh(SSL_CTX * ctx,const EC_KEY * ec_key)2901 int SSL_CTX_set_tmp_ecdh(SSL_CTX *ctx, const EC_KEY *ec_key) {
2902 if (ec_key == NULL || EC_KEY_get0_group(ec_key) == NULL) {
2903 OPENSSL_PUT_ERROR(SSL, ERR_R_PASSED_NULL_PARAMETER);
2904 return 0;
2905 }
2906 int nid = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec_key));
2907 return SSL_CTX_set1_curves(ctx, &nid, 1);
2908 }
2909
SSL_set_tmp_ecdh(SSL * ssl,const EC_KEY * ec_key)2910 int SSL_set_tmp_ecdh(SSL *ssl, const EC_KEY *ec_key) {
2911 if (ec_key == NULL || EC_KEY_get0_group(ec_key) == NULL) {
2912 OPENSSL_PUT_ERROR(SSL, ERR_R_PASSED_NULL_PARAMETER);
2913 return 0;
2914 }
2915 int nid = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec_key));
2916 return SSL_set1_curves(ssl, &nid, 1);
2917 }
2918
SSL_CTX_set_ticket_aead_method(SSL_CTX * ctx,const SSL_TICKET_AEAD_METHOD * aead_method)2919 void SSL_CTX_set_ticket_aead_method(SSL_CTX *ctx,
2920 const SSL_TICKET_AEAD_METHOD *aead_method) {
2921 ctx->ticket_aead_method = aead_method;
2922 }
2923
SSL_set_tlsext_status_type(SSL * ssl,int type)2924 int SSL_set_tlsext_status_type(SSL *ssl, int type) {
2925 if (!ssl->config) {
2926 return 0;
2927 }
2928 ssl->config->ocsp_stapling_enabled = type == TLSEXT_STATUSTYPE_ocsp;
2929 return 1;
2930 }
2931
SSL_get_tlsext_status_type(const SSL * ssl)2932 int SSL_get_tlsext_status_type(const SSL *ssl) {
2933 if (ssl->server) {
2934 SSL_HANDSHAKE *hs = ssl->s3->hs.get();
2935 return hs != nullptr && hs->ocsp_stapling_requested
2936 ? TLSEXT_STATUSTYPE_ocsp
2937 : TLSEXT_STATUSTYPE_nothing;
2938 }
2939
2940 return ssl->config != nullptr && ssl->config->ocsp_stapling_enabled
2941 ? TLSEXT_STATUSTYPE_ocsp
2942 : TLSEXT_STATUSTYPE_nothing;
2943 }
2944
SSL_set_tlsext_status_ocsp_resp(SSL * ssl,uint8_t * resp,size_t resp_len)2945 int SSL_set_tlsext_status_ocsp_resp(SSL *ssl, uint8_t *resp, size_t resp_len) {
2946 if (SSL_set_ocsp_response(ssl, resp, resp_len)) {
2947 OPENSSL_free(resp);
2948 return 1;
2949 }
2950 return 0;
2951 }
2952
SSL_get_tlsext_status_ocsp_resp(const SSL * ssl,const uint8_t ** out)2953 size_t SSL_get_tlsext_status_ocsp_resp(const SSL *ssl, const uint8_t **out) {
2954 size_t ret;
2955 SSL_get0_ocsp_response(ssl, out, &ret);
2956 return ret;
2957 }
2958
SSL_CTX_set_tlsext_status_cb(SSL_CTX * ctx,int (* callback)(SSL * ssl,void * arg))2959 int SSL_CTX_set_tlsext_status_cb(SSL_CTX *ctx,
2960 int (*callback)(SSL *ssl, void *arg)) {
2961 ctx->legacy_ocsp_callback = callback;
2962 return 1;
2963 }
2964
SSL_CTX_set_tlsext_status_arg(SSL_CTX * ctx,void * arg)2965 int SSL_CTX_set_tlsext_status_arg(SSL_CTX *ctx, void *arg) {
2966 ctx->legacy_ocsp_callback_arg = arg;
2967 return 1;
2968 }
2969