Lines Matching refs:ssl
79 void ssl_reset_error_state(SSL *ssl) { in ssl_reset_error_state() argument
82 ssl->s3->rwstate = SSL_ERROR_NONE; in ssl_reset_error_state()
87 void ssl_set_read_error(SSL *ssl) { in ssl_set_read_error() argument
88 ssl->s3->read_shutdown = ssl_shutdown_error; in ssl_set_read_error()
89 ssl->s3->read_error.reset(ERR_save_state()); in ssl_set_read_error()
92 static bool check_read_error(const SSL *ssl) { in check_read_error() argument
93 if (ssl->s3->read_shutdown == ssl_shutdown_error) { in check_read_error()
94 ERR_restore_state(ssl->s3->read_error.get()); in check_read_error()
100 bool ssl_can_write(const SSL *ssl) { in ssl_can_write() argument
101 return !SSL_in_init(ssl) || ssl->s3->hs->can_early_write; in ssl_can_write()
104 bool ssl_can_read(const SSL *ssl) { in ssl_can_read() argument
105 return !SSL_in_init(ssl) || ssl->s3->hs->can_early_read; in ssl_can_read()
108 ssl_open_record_t ssl_open_handshake(SSL *ssl, size_t *out_consumed, in ssl_open_handshake() argument
111 if (!check_read_error(ssl)) { in ssl_open_handshake()
115 auto ret = ssl->method->open_handshake(ssl, out_consumed, out_alert, in); in ssl_open_handshake()
117 ssl_set_read_error(ssl); in ssl_open_handshake()
122 ssl_open_record_t ssl_open_change_cipher_spec(SSL *ssl, size_t *out_consumed, in ssl_open_change_cipher_spec() argument
126 if (!check_read_error(ssl)) { in ssl_open_change_cipher_spec()
131 ssl->method->open_change_cipher_spec(ssl, out_consumed, out_alert, in); in ssl_open_change_cipher_spec()
133 ssl_set_read_error(ssl); in ssl_open_change_cipher_spec()
138 ssl_open_record_t ssl_open_app_data(SSL *ssl, Span<uint8_t> *out, in ssl_open_app_data() argument
142 if (!check_read_error(ssl)) { in ssl_open_app_data()
146 auto ret = ssl->method->open_app_data(ssl, out, out_consumed, out_alert, in); in ssl_open_app_data()
148 ssl_set_read_error(ssl); in ssl_open_app_data()
173 bool ssl_log_secret(const SSL *ssl, const char *label, in ssl_log_secret() argument
175 if (ssl->ctx->keylog_callback == NULL) { in ssl_log_secret()
186 !cbb_add_hex_consttime(cbb.get(), ssl->s3->client_random) || in ssl_log_secret()
196 ssl->ctx->keylog_callback(ssl, reinterpret_cast<const char *>(line.data())); in ssl_log_secret()
200 void ssl_do_info_callback(const SSL *ssl, int type, int value) { in ssl_do_info_callback() argument
201 void (*cb)(const SSL *ssl, int type, int value) = NULL; in ssl_do_info_callback()
202 if (ssl->info_callback != NULL) { in ssl_do_info_callback()
203 cb = ssl->info_callback; in ssl_do_info_callback()
204 } else if (ssl->ctx->info_callback != NULL) { in ssl_do_info_callback()
205 cb = ssl->ctx->info_callback; in ssl_do_info_callback()
209 cb(ssl, type, value); in ssl_do_info_callback()
213 void ssl_do_msg_callback(const SSL *ssl, int is_write, int content_type, in ssl_do_msg_callback() argument
215 if (ssl->msg_callback == NULL) { in ssl_do_msg_callback()
231 version = SSL_version(ssl); in ssl_do_msg_callback()
234 ssl->msg_callback(is_write, version, content_type, in.data(), in.size(), in ssl_do_msg_callback()
235 const_cast<SSL *>(ssl), ssl->msg_callback_arg); in ssl_do_msg_callback()
280 static bool ssl_can_renegotiate(const SSL *ssl) { in ssl_can_renegotiate() argument
281 if (ssl->server || SSL_is_dtls(ssl)) { in ssl_can_renegotiate()
285 if (ssl->s3->version != 0 // in ssl_can_renegotiate()
286 && ssl_protocol_version(ssl) >= TLS1_3_VERSION) { in ssl_can_renegotiate()
291 if (!ssl->config) { in ssl_can_renegotiate()
295 switch (ssl->renegotiate_mode) { in ssl_can_renegotiate()
304 return ssl->s3->total_renegotiations == 0; in ssl_can_renegotiate()
311 static void ssl_maybe_shed_handshake_config(SSL *ssl) { in ssl_maybe_shed_handshake_config() argument
312 if (ssl->s3->hs != nullptr || // in ssl_maybe_shed_handshake_config()
313 ssl->config == nullptr || // in ssl_maybe_shed_handshake_config()
314 !ssl->config->shed_handshake_config || // in ssl_maybe_shed_handshake_config()
315 ssl_can_renegotiate(ssl)) { in ssl_maybe_shed_handshake_config()
319 ssl->config.reset(); in ssl_maybe_shed_handshake_config()
322 void SSL_set_handoff_mode(SSL *ssl, bool on) { in SSL_set_handoff_mode() argument
323 if (!ssl->config) { in SSL_set_handoff_mode()
326 ssl->config->handoff = on; in SSL_set_handoff_mode()
329 bool SSL_get_traffic_secrets(const SSL *ssl, in SSL_get_traffic_secrets() argument
334 if (SSL_is_dtls(ssl) || SSL_is_quic(ssl)) { in SSL_get_traffic_secrets()
339 if (!ssl->s3->initial_handshake_complete) { in SSL_get_traffic_secrets()
344 if (SSL_version(ssl) < TLS1_3_VERSION) { in SSL_get_traffic_secrets()
349 *out_read_traffic_secret = ssl->s3->read_traffic_secret; in SSL_get_traffic_secrets()
350 *out_write_traffic_secret = ssl->s3->write_traffic_secret; in SSL_get_traffic_secrets()
360 void SSL_set_aes_hw_override_for_testing(SSL *ssl, bool override_value) { in SSL_set_aes_hw_override_for_testing() argument
361 ssl->config->aes_hw_override = true; in SSL_set_aes_hw_override_for_testing()
362 ssl->config->aes_hw_override_value = override_value; in SSL_set_aes_hw_override_for_testing()
495 UniquePtr<SSL> ssl = MakeUnique<SSL>(ctx); in SSL_new() local
496 if (ssl == nullptr) { in SSL_new()
500 ssl->config = MakeUnique<SSL_CONFIG>(ssl.get()); in SSL_new()
501 if (ssl->config == nullptr) { in SSL_new()
504 ssl->config->conf_min_version = ctx->conf_min_version; in SSL_new()
505 ssl->config->conf_max_version = ctx->conf_max_version; in SSL_new()
507 ssl->config->cert = ssl_cert_dup(ctx->cert.get()); in SSL_new()
508 if (ssl->config->cert == nullptr) { in SSL_new()
512 ssl->config->verify_mode = ctx->verify_mode; in SSL_new()
513 ssl->config->verify_callback = ctx->default_verify_callback; in SSL_new()
514 ssl->config->custom_verify_callback = ctx->custom_verify_callback; in SSL_new()
515 ssl->config->retain_only_sha256_of_client_certs = in SSL_new()
517 ssl->config->permute_extensions = ctx->permute_extensions; in SSL_new()
518 ssl->config->aes_hw_override = ctx->aes_hw_override; in SSL_new()
519 ssl->config->aes_hw_override_value = ctx->aes_hw_override_value; in SSL_new()
520 ssl->config->compliance_policy = ctx->compliance_policy; in SSL_new()
522 if (!ssl->config->supported_group_list.CopyFrom(ctx->supported_group_list) || in SSL_new()
523 !ssl->config->alpn_client_proto_list.CopyFrom( in SSL_new()
525 !ssl->config->verify_sigalgs.CopyFrom(ctx->verify_sigalgs)) { in SSL_new()
530 ssl->config->psk_identity_hint.reset( in SSL_new()
532 if (ssl->config->psk_identity_hint == nullptr) { in SSL_new()
536 ssl->config->psk_client_callback = ctx->psk_client_callback; in SSL_new()
537 ssl->config->psk_server_callback = ctx->psk_server_callback; in SSL_new()
539 ssl->config->channel_id_enabled = ctx->channel_id_enabled; in SSL_new()
540 ssl->config->channel_id_private = UpRef(ctx->channel_id_private); in SSL_new()
542 ssl->config->signed_cert_timestamps_enabled = in SSL_new()
544 ssl->config->ocsp_stapling_enabled = ctx->ocsp_stapling_enabled; in SSL_new()
545 ssl->config->handoff = ctx->handoff; in SSL_new()
546 ssl->quic_method = ctx->quic_method; in SSL_new()
548 if (!ssl->method->ssl_new(ssl.get()) || in SSL_new()
549 !ssl->ctx->x509_method->ssl_new(ssl->s3->hs.get())) { in SSL_new()
553 return ssl.release(); in SSL_new()
557 : ssl(ssl_arg), in SSL_CONFIG()
572 assert(ssl); in SSL_CONFIG()
576 if (ssl->ctx != nullptr) { in ~SSL_CONFIG()
577 ssl->ctx->x509_method->ssl_config_free(this); in ~SSL_CONFIG()
581 void SSL_free(SSL *ssl) { Delete(ssl); } in SSL_free() argument
583 void SSL_set_connect_state(SSL *ssl) { in SSL_set_connect_state() argument
584 ssl->server = false; in SSL_set_connect_state()
585 ssl->do_handshake = ssl_client_handshake; in SSL_set_connect_state()
588 void SSL_set_accept_state(SSL *ssl) { in SSL_set_accept_state() argument
589 ssl->server = true; in SSL_set_accept_state()
590 ssl->do_handshake = ssl_server_handshake; in SSL_set_accept_state()
593 void SSL_set0_rbio(SSL *ssl, BIO *rbio) { ssl->rbio.reset(rbio); } in SSL_set0_rbio() argument
595 void SSL_set0_wbio(SSL *ssl, BIO *wbio) { ssl->wbio.reset(wbio); } in SSL_set0_wbio() argument
597 void SSL_set_bio(SSL *ssl, BIO *rbio, BIO *wbio) { in SSL_set_bio() argument
602 if (rbio == SSL_get_rbio(ssl) && wbio == SSL_get_wbio(ssl)) { in SSL_set_bio()
613 if (rbio == SSL_get_rbio(ssl)) { in SSL_set_bio()
614 SSL_set0_wbio(ssl, wbio); in SSL_set_bio()
621 if (wbio == SSL_get_wbio(ssl) && SSL_get_rbio(ssl) != SSL_get_wbio(ssl)) { in SSL_set_bio()
622 SSL_set0_rbio(ssl, rbio); in SSL_set_bio()
627 SSL_set0_rbio(ssl, rbio); in SSL_set_bio()
628 SSL_set0_wbio(ssl, wbio); in SSL_set_bio()
631 BIO *SSL_get_rbio(const SSL *ssl) { return ssl->rbio.get(); } in SSL_get_rbio() argument
633 BIO *SSL_get_wbio(const SSL *ssl) { return ssl->wbio.get(); } in SSL_get_wbio() argument
635 size_t SSL_quic_max_handshake_flight_len(const SSL *ssl, in SSL_quic_max_handshake_flight_len() argument
648 if (ssl->server) { in SSL_quic_max_handshake_flight_len()
651 if (!!(ssl->config->verify_mode & SSL_VERIFY_PEER) && in SSL_quic_max_handshake_flight_len()
652 ssl->max_cert_list > kDefaultLimit) { in SSL_quic_max_handshake_flight_len()
653 return ssl->max_cert_list; in SSL_quic_max_handshake_flight_len()
658 if (2 * ssl->max_cert_list > kDefaultLimit) { in SSL_quic_max_handshake_flight_len()
659 return 2 * ssl->max_cert_list; in SSL_quic_max_handshake_flight_len()
673 enum ssl_encryption_level_t SSL_quic_read_level(const SSL *ssl) { in SSL_quic_read_level() argument
674 assert(SSL_is_quic(ssl)); in SSL_quic_read_level()
675 return ssl->s3->quic_read_level; in SSL_quic_read_level()
678 enum ssl_encryption_level_t SSL_quic_write_level(const SSL *ssl) { in SSL_quic_write_level() argument
679 assert(SSL_is_quic(ssl)); in SSL_quic_write_level()
680 return ssl->s3->quic_write_level; in SSL_quic_write_level()
683 int SSL_provide_quic_data(SSL *ssl, enum ssl_encryption_level_t level, in SSL_provide_quic_data() argument
685 if (!SSL_is_quic(ssl)) { in SSL_provide_quic_data()
690 if (level != ssl->s3->quic_read_level) { in SSL_provide_quic_data()
695 size_t new_len = (ssl->s3->hs_buf ? ssl->s3->hs_buf->length : 0) + len; in SSL_provide_quic_data()
697 new_len > SSL_quic_max_handshake_flight_len(ssl, level)) { in SSL_provide_quic_data()
702 return tls_append_handshake_data(ssl, Span(data, len)); in SSL_provide_quic_data()
705 int SSL_do_handshake(SSL *ssl) { in SSL_do_handshake() argument
706 ssl_reset_error_state(ssl); in SSL_do_handshake()
708 if (ssl->do_handshake == NULL) { in SSL_do_handshake()
713 if (!SSL_in_init(ssl)) { in SSL_do_handshake()
718 SSL_HANDSHAKE *hs = ssl->s3->hs.get(); in SSL_do_handshake()
723 ssl, ssl->server ? SSL_CB_ACCEPT_EXIT : SSL_CB_CONNECT_EXIT, ret); in SSL_do_handshake()
730 ssl->s3->hs.reset(); in SSL_do_handshake()
731 ssl_maybe_shed_handshake_config(ssl); in SSL_do_handshake()
737 int SSL_connect(SSL *ssl) { in SSL_connect() argument
738 if (ssl->do_handshake == NULL) { in SSL_connect()
740 SSL_set_connect_state(ssl); in SSL_connect()
743 return SSL_do_handshake(ssl); in SSL_connect()
746 int SSL_accept(SSL *ssl) { in SSL_accept() argument
747 if (ssl->do_handshake == NULL) { in SSL_accept()
749 SSL_set_accept_state(ssl); in SSL_accept()
752 return SSL_do_handshake(ssl); in SSL_accept()
755 static int ssl_do_post_handshake(SSL *ssl, const SSLMessage &msg) { in ssl_do_post_handshake() argument
756 if (ssl_protocol_version(ssl) >= TLS1_3_VERSION) { in ssl_do_post_handshake()
757 return tls13_post_handshake(ssl, msg); in ssl_do_post_handshake()
762 if (ssl->server) { in ssl_do_post_handshake()
764 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_NO_RENEGOTIATION); in ssl_do_post_handshake()
769 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); in ssl_do_post_handshake()
774 if (ssl->renegotiate_mode == ssl_renegotiate_ignore) { in ssl_do_post_handshake()
778 ssl->s3->renegotiate_pending = true; in ssl_do_post_handshake()
779 if (ssl->renegotiate_mode == ssl_renegotiate_explicit) { in ssl_do_post_handshake()
783 if (!SSL_renegotiate(ssl)) { in ssl_do_post_handshake()
784 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_NO_RENEGOTIATION); in ssl_do_post_handshake()
791 int SSL_process_quic_post_handshake(SSL *ssl) { in SSL_process_quic_post_handshake() argument
792 ssl_reset_error_state(ssl); in SSL_process_quic_post_handshake()
794 if (!SSL_is_quic(ssl) || SSL_in_init(ssl)) { in SSL_process_quic_post_handshake()
800 if (!check_read_error(ssl)) { in SSL_process_quic_post_handshake()
806 while (ssl->method->get_message(ssl, &msg)) { in SSL_process_quic_post_handshake()
808 if (!ssl_do_post_handshake(ssl, msg)) { in SSL_process_quic_post_handshake()
809 ssl_set_read_error(ssl); in SSL_process_quic_post_handshake()
812 ssl->method->next_message(ssl); in SSL_process_quic_post_handshake()
818 static int ssl_read_impl(SSL *ssl) { in ssl_read_impl() argument
819 ssl_reset_error_state(ssl); in ssl_read_impl()
821 if (ssl->do_handshake == NULL) { in ssl_read_impl()
827 if (!check_read_error(ssl)) { in ssl_read_impl()
831 while (ssl->s3->pending_app_data.empty()) { in ssl_read_impl()
832 if (ssl->s3->renegotiate_pending) { in ssl_read_impl()
833 ssl->s3->rwstate = SSL_ERROR_WANT_RENEGOTIATE; in ssl_read_impl()
839 if (SSL_is_dtls(ssl)) { in ssl_read_impl()
840 int ret = ssl->method->flush(ssl); in ssl_read_impl()
849 while (!ssl_can_read(ssl)) { in ssl_read_impl()
850 int ret = SSL_do_handshake(ssl); in ssl_read_impl()
862 if (ssl->method->get_message(ssl, &msg)) { in ssl_read_impl()
865 if (SSL_in_init(ssl)) { in ssl_read_impl()
866 ssl->s3->hs->can_early_read = false; in ssl_read_impl()
871 if (!ssl_do_post_handshake(ssl, msg)) { in ssl_read_impl()
872 ssl_set_read_error(ssl); in ssl_read_impl()
875 ssl->method->next_message(ssl); in ssl_read_impl()
881 auto ret = ssl_open_app_data(ssl, &ssl->s3->pending_app_data, &consumed, in ssl_read_impl()
882 &alert, ssl->s3->read_buffer.span()); in ssl_read_impl()
884 int bio_ret = ssl_handle_open_record(ssl, &retry, ret, consumed, alert); in ssl_read_impl()
889 assert(!ssl->s3->pending_app_data.empty()); in ssl_read_impl()
890 ssl->s3->key_update_count = 0; in ssl_read_impl()
897 int SSL_read(SSL *ssl, void *buf, int num) { in SSL_read() argument
898 int ret = SSL_peek(ssl, buf, num); in SSL_read()
904 ssl->s3->pending_app_data = in SSL_read()
905 ssl->s3->pending_app_data.subspan(static_cast<size_t>(ret)); in SSL_read()
906 if (ssl->s3->pending_app_data.empty()) { in SSL_read()
907 ssl->s3->read_buffer.DiscardConsumed(); in SSL_read()
912 int SSL_peek(SSL *ssl, void *buf, int num) { in SSL_peek() argument
913 if (SSL_is_quic(ssl)) { in SSL_peek()
918 int ret = ssl_read_impl(ssl); in SSL_peek()
926 std::min(ssl->s3->pending_app_data.size(), static_cast<size_t>(num)); in SSL_peek()
927 OPENSSL_memcpy(buf, ssl->s3->pending_app_data.data(), todo); in SSL_peek()
931 int SSL_write(SSL *ssl, const void *buf, int num) { in SSL_write() argument
932 ssl_reset_error_state(ssl); in SSL_write()
934 if (SSL_is_quic(ssl)) { in SSL_write()
939 if (ssl->do_handshake == NULL) { in SSL_write()
949 if (!ssl_can_write(ssl)) { in SSL_write()
950 ret = SSL_do_handshake(ssl); in SSL_write()
964 ret = ssl->method->write_app_data( in SSL_write()
965 ssl, &needs_handshake, &bytes_written, in SSL_write()
971 int SSL_key_update(SSL *ssl, int request_type) { in SSL_key_update() argument
972 ssl_reset_error_state(ssl); in SSL_key_update()
974 if (ssl->do_handshake == NULL) { in SSL_key_update()
979 if (SSL_is_quic(ssl)) { in SSL_key_update()
984 if (!ssl->s3->initial_handshake_complete) { in SSL_key_update()
989 if (ssl_protocol_version(ssl) < TLS1_3_VERSION) { in SSL_key_update()
994 return tls13_add_key_update(ssl, request_type); in SSL_key_update()
997 int SSL_shutdown(SSL *ssl) { in SSL_shutdown() argument
998 ssl_reset_error_state(ssl); in SSL_shutdown()
1000 if (ssl->do_handshake == NULL) { in SSL_shutdown()
1008 if (SSL_in_init(ssl)) { in SSL_shutdown()
1012 if (ssl->quiet_shutdown) { in SSL_shutdown()
1014 ssl->s3->write_shutdown = ssl_shutdown_close_notify; in SSL_shutdown()
1015 ssl->s3->read_shutdown = ssl_shutdown_close_notify; in SSL_shutdown()
1023 if (ssl->s3->write_shutdown != ssl_shutdown_close_notify) { in SSL_shutdown()
1025 if (ssl_send_alert_impl(ssl, SSL3_AL_WARNING, SSL_AD_CLOSE_NOTIFY) <= 0) { in SSL_shutdown()
1028 } else if (ssl->s3->alert_dispatch) { in SSL_shutdown()
1030 if (ssl->method->dispatch_alert(ssl) <= 0) { in SSL_shutdown()
1033 } else if (ssl->s3->read_shutdown != ssl_shutdown_close_notify) { in SSL_shutdown()
1034 if (SSL_is_dtls(ssl)) { in SSL_shutdown()
1039 if (ssl->s3->read_shutdown == ssl_shutdown_error) { in SSL_shutdown()
1040 ERR_restore_state(ssl->s3->read_error.get()); in SSL_shutdown()
1043 ssl->s3->read_shutdown = ssl_shutdown_close_notify; in SSL_shutdown()
1046 if (ssl_read_impl(ssl) > 0) { in SSL_shutdown()
1051 if (ssl->s3->read_shutdown != ssl_shutdown_close_notify) { in SSL_shutdown()
1058 return ssl->s3->read_shutdown == ssl_shutdown_close_notify; in SSL_shutdown()
1061 int SSL_send_fatal_alert(SSL *ssl, uint8_t alert) { in SSL_send_fatal_alert() argument
1062 if (ssl->s3->alert_dispatch) { in SSL_send_fatal_alert()
1063 if (ssl->s3->send_alert[0] != SSL3_AL_FATAL || in SSL_send_fatal_alert()
1064 ssl->s3->send_alert[1] != alert) { in SSL_send_fatal_alert()
1069 return ssl->method->dispatch_alert(ssl); in SSL_send_fatal_alert()
1072 return ssl_send_alert_impl(ssl, SSL3_AL_FATAL, alert); in SSL_send_fatal_alert()
1075 int SSL_set_quic_transport_params(SSL *ssl, const uint8_t *params, in SSL_set_quic_transport_params() argument
1077 return ssl->config && in SSL_set_quic_transport_params()
1078 ssl->config->quic_transport_params.CopyFrom(Span(params, params_len)); in SSL_set_quic_transport_params()
1081 void SSL_get_peer_quic_transport_params(const SSL *ssl, in SSL_get_peer_quic_transport_params() argument
1084 *out_params = ssl->s3->peer_quic_transport_params.data(); in SSL_get_peer_quic_transport_params()
1085 *out_params_len = ssl->s3->peer_quic_transport_params.size(); in SSL_get_peer_quic_transport_params()
1088 int SSL_set_quic_early_data_context(SSL *ssl, const uint8_t *context, in SSL_set_quic_early_data_context() argument
1090 return ssl->config && ssl->config->quic_early_data_context.CopyFrom( in SSL_set_quic_early_data_context()
1098 void SSL_set_early_data_enabled(SSL *ssl, int enabled) { in SSL_set_early_data_enabled() argument
1099 ssl->enable_early_data = !!enabled; in SSL_set_early_data_enabled()
1102 int SSL_in_early_data(const SSL *ssl) { in SSL_in_early_data() argument
1103 if (ssl->s3->hs == NULL) { in SSL_in_early_data()
1106 return ssl->s3->hs->in_early_data; in SSL_in_early_data()
1109 int SSL_early_data_accepted(const SSL *ssl) { in SSL_early_data_accepted() argument
1110 return ssl->s3->early_data_accepted; in SSL_early_data_accepted()
1113 void SSL_reset_early_data_reject(SSL *ssl) { in SSL_reset_early_data_reject() argument
1114 SSL_HANDSHAKE *hs = ssl->s3->hs.get(); in SSL_reset_early_data_reject()
1127 ssl->s3->pending_write = {}; in SSL_reset_early_data_reject()
1130 enum ssl_early_data_reason_t SSL_get_early_data_reason(const SSL *ssl) { in SSL_get_early_data_reason() argument
1131 return ssl->s3->early_data_reason; in SSL_get_early_data_reason()
1180 int SSL_get_error(const SSL *ssl, int ret_code) { in SSL_get_error() argument
1196 if (ssl->s3->rwstate == SSL_ERROR_ZERO_RETURN) { in SSL_get_error()
1205 switch (ssl->s3->rwstate) { in SSL_get_error()
1217 return ssl->s3->rwstate; in SSL_get_error()
1220 if (SSL_is_quic(ssl)) { in SSL_get_error()
1223 BIO *bio = SSL_get_rbio(ssl); in SSL_get_error()
1242 BIO *bio = SSL_get_wbio(ssl); in SSL_get_error()
1321 uint32_t SSL_set_options(SSL *ssl, uint32_t options) { in SSL_set_options() argument
1322 ssl->options |= options; in SSL_set_options()
1323 return ssl->options; in SSL_set_options()
1326 uint32_t SSL_clear_options(SSL *ssl, uint32_t options) { in SSL_clear_options() argument
1327 ssl->options &= ~options; in SSL_clear_options()
1328 return ssl->options; in SSL_clear_options()
1331 uint32_t SSL_get_options(const SSL *ssl) { return ssl->options; } in SSL_get_options() argument
1345 uint32_t SSL_set_mode(SSL *ssl, uint32_t mode) { in SSL_set_mode() argument
1346 ssl->mode |= mode; in SSL_set_mode()
1347 return ssl->mode; in SSL_set_mode()
1350 uint32_t SSL_clear_mode(SSL *ssl, uint32_t mode) { in SSL_clear_mode() argument
1351 ssl->mode &= ~mode; in SSL_clear_mode()
1352 return ssl->mode; in SSL_clear_mode()
1355 uint32_t SSL_get_mode(const SSL *ssl) { return ssl->mode; } in SSL_get_mode() argument
1361 int SSL_get_tls_unique(const SSL *ssl, uint8_t *out, size_t *out_len, in SSL_get_tls_unique() argument
1367 if (!ssl->s3->initial_handshake_complete || in SSL_get_tls_unique()
1368 ssl_protocol_version(ssl) >= TLS1_3_VERSION) { in SSL_get_tls_unique()
1375 Span<const uint8_t> finished = ssl->s3->previous_client_finished; in SSL_get_tls_unique()
1376 if (ssl->session != NULL) { in SSL_get_tls_unique()
1378 if (!ssl->session->extended_master_secret) { in SSL_get_tls_unique()
1381 finished = ssl->s3->previous_server_finished; in SSL_get_tls_unique()
1408 int SSL_set_session_id_context(SSL *ssl, const uint8_t *sid_ctx, in SSL_set_session_id_context() argument
1410 if (!ssl->config) { in SSL_set_session_id_context()
1413 return set_session_id_context(ssl->config->cert.get(), sid_ctx, sid_ctx_len); in SSL_set_session_id_context()
1416 const uint8_t *SSL_get0_session_id_context(const SSL *ssl, size_t *out_len) { in SSL_get0_session_id_context() argument
1417 if (!ssl->config) { in SSL_get0_session_id_context()
1418 assert(ssl->config); in SSL_get0_session_id_context()
1422 *out_len = ssl->config->cert->sid_ctx.size(); in SSL_get0_session_id_context()
1423 return ssl->config->cert->sid_ctx.data(); in SSL_get0_session_id_context()
1426 int SSL_get_fd(const SSL *ssl) { return SSL_get_rfd(ssl); } in SSL_get_fd() argument
1428 int SSL_get_rfd(const SSL *ssl) { in SSL_get_rfd() argument
1430 BIO *b = BIO_find_type(SSL_get_rbio(ssl), BIO_TYPE_DESCRIPTOR); in SSL_get_rfd()
1437 int SSL_get_wfd(const SSL *ssl) { in SSL_get_wfd() argument
1439 BIO *b = BIO_find_type(SSL_get_wbio(ssl), BIO_TYPE_DESCRIPTOR); in SSL_get_wfd()
1447 int SSL_set_fd(SSL *ssl, int fd) { in SSL_set_fd() argument
1454 SSL_set_bio(ssl, bio, bio); in SSL_set_fd()
1458 int SSL_set_wfd(SSL *ssl, int fd) { in SSL_set_wfd() argument
1459 BIO *rbio = SSL_get_rbio(ssl); in SSL_set_wfd()
1468 SSL_set0_wbio(ssl, bio); in SSL_set_wfd()
1472 SSL_set0_wbio(ssl, rbio); in SSL_set_wfd()
1478 int SSL_set_rfd(SSL *ssl, int fd) { in SSL_set_rfd() argument
1479 BIO *wbio = SSL_get_wbio(ssl); in SSL_set_rfd()
1488 SSL_set0_rbio(ssl, bio); in SSL_set_rfd()
1492 SSL_set0_rbio(ssl, wbio); in SSL_set_rfd()
1506 size_t SSL_get_finished(const SSL *ssl, void *buf, size_t count) { in SSL_get_finished() argument
1507 if (!ssl->s3->initial_handshake_complete || in SSL_get_finished()
1508 ssl_protocol_version(ssl) >= TLS1_3_VERSION) { in SSL_get_finished()
1512 if (ssl->server) { in SSL_get_finished()
1513 return copy_finished(buf, count, ssl->s3->previous_server_finished); in SSL_get_finished()
1516 return copy_finished(buf, count, ssl->s3->previous_client_finished); in SSL_get_finished()
1519 size_t SSL_get_peer_finished(const SSL *ssl, void *buf, size_t count) { in SSL_get_peer_finished() argument
1520 if (!ssl->s3->initial_handshake_complete || in SSL_get_peer_finished()
1521 ssl_protocol_version(ssl) >= TLS1_3_VERSION) { in SSL_get_peer_finished()
1525 if (ssl->server) { in SSL_get_peer_finished()
1526 return copy_finished(buf, count, ssl->s3->previous_client_finished); in SSL_get_peer_finished()
1529 return copy_finished(buf, count, ssl->s3->previous_server_finished); in SSL_get_peer_finished()
1532 int SSL_get_verify_mode(const SSL *ssl) { in SSL_get_verify_mode() argument
1533 if (!ssl->config) { in SSL_get_verify_mode()
1534 assert(ssl->config); in SSL_get_verify_mode()
1537 return ssl->config->verify_mode; in SSL_get_verify_mode()
1540 int SSL_get_extms_support(const SSL *ssl) { in SSL_get_extms_support() argument
1543 if (ssl->s3->version == 0) { in SSL_get_extms_support()
1546 if (ssl_protocol_version(ssl) >= TLS1_3_VERSION) { in SSL_get_extms_support()
1551 if (ssl->s3->established_session != NULL) { in SSL_get_extms_support()
1552 return ssl->s3->established_session->extended_master_secret; in SSL_get_extms_support()
1556 if (ssl->s3->hs != NULL) { in SSL_get_extms_support()
1557 return ssl->s3->hs->extended_master_secret; in SSL_get_extms_support()
1565 int SSL_get_read_ahead(const SSL *ssl) { return 0; } in SSL_get_read_ahead() argument
1569 int SSL_set_read_ahead(SSL *ssl, int yes) { return 1; } in SSL_set_read_ahead() argument
1571 int SSL_pending(const SSL *ssl) { in SSL_pending() argument
1572 return static_cast<int>(ssl->s3->pending_app_data.size()); in SSL_pending()
1575 int SSL_has_pending(const SSL *ssl) { in SSL_has_pending() argument
1576 return SSL_pending(ssl) != 0 || !ssl->s3->read_buffer.empty(); in SSL_has_pending()
1601 int SSL_check_private_key(const SSL *ssl) { in SSL_check_private_key() argument
1602 if (!ssl->config) { in SSL_check_private_key()
1608 return has_cert_and_key(ssl->config->cert->legacy_credential.get()); in SSL_check_private_key()
1611 long SSL_get_default_timeout(const SSL *ssl) { in SSL_get_default_timeout() argument
1615 int SSL_renegotiate(SSL *ssl) { in SSL_renegotiate() argument
1617 if (!ssl->s3->renegotiate_pending) { in SSL_renegotiate()
1622 if (!ssl_can_renegotiate(ssl)) { in SSL_renegotiate()
1628 assert(!SSL_can_release_private_key(ssl)); in SSL_renegotiate()
1634 if (!ssl->s3->write_buffer.empty() || in SSL_renegotiate()
1635 ssl->s3->write_shutdown != ssl_shutdown_none) { in SSL_renegotiate()
1641 if (ssl->s3->hs != nullptr) { in SSL_renegotiate()
1645 ssl->s3->hs = ssl_handshake_new(ssl); in SSL_renegotiate()
1646 if (ssl->s3->hs == nullptr) { in SSL_renegotiate()
1650 ssl->s3->renegotiate_pending = false; in SSL_renegotiate()
1651 ssl->s3->total_renegotiations++; in SSL_renegotiate()
1655 int SSL_renegotiate_pending(SSL *ssl) { in SSL_renegotiate_pending() argument
1656 return SSL_in_init(ssl) && ssl->s3->initial_handshake_complete; in SSL_renegotiate_pending()
1659 int SSL_total_renegotiations(const SSL *ssl) { in SSL_total_renegotiations() argument
1660 return ssl->s3->total_renegotiations; in SSL_total_renegotiations()
1674 size_t SSL_get_max_cert_list(const SSL *ssl) { return ssl->max_cert_list; } in SSL_get_max_cert_list() argument
1676 void SSL_set_max_cert_list(SSL *ssl, size_t max_cert_list) { in SSL_set_max_cert_list() argument
1680 ssl->max_cert_list = (uint32_t)max_cert_list; in SSL_set_max_cert_list()
1695 int SSL_set_max_send_fragment(SSL *ssl, size_t max_send_fragment) { in SSL_set_max_send_fragment() argument
1702 ssl->max_send_fragment = (uint16_t)max_send_fragment; in SSL_set_max_send_fragment()
1707 int SSL_set_mtu(SSL *ssl, unsigned mtu) { in SSL_set_mtu() argument
1708 if (!SSL_is_dtls(ssl) || mtu < dtls1_min_mtu()) { in SSL_set_mtu()
1711 ssl->d1->mtu = mtu; in SSL_set_mtu()
1715 int SSL_get_secure_renegotiation_support(const SSL *ssl) { in SSL_get_secure_renegotiation_support() argument
1716 if (ssl->s3->version == 0) { in SSL_get_secure_renegotiation_support()
1719 return ssl_protocol_version(ssl) >= TLS1_3_VERSION || in SSL_get_secure_renegotiation_support()
1720 ssl->s3->send_connection_binding; in SSL_get_secure_renegotiation_support()
1798 int (*callback)(SSL *ssl, uint8_t *key_name, uint8_t *iv, in SSL_CTX_set_tlsext_ticket_key_cb() argument
1820 int SSL_set1_group_ids(SSL *ssl, const uint16_t *group_ids, in SSL_set1_group_ids() argument
1822 if (!ssl->config) { in SSL_set1_group_ids()
1827 ssl->config->supported_group_list.CopyFrom(span); in SSL_set1_group_ids()
1853 int SSL_set1_groups(SSL *ssl, const int *groups, size_t num_groups) { in SSL_set1_groups() argument
1854 if (!ssl->config) { in SSL_set1_groups()
1857 return ssl_nids_to_group_ids(&ssl->config->supported_group_list, in SSL_set1_groups()
1902 int SSL_set1_groups_list(SSL *ssl, const char *groups) { in SSL_set1_groups_list() argument
1903 if (!ssl->config) { in SSL_set1_groups_list()
1906 return ssl_str_to_group_ids(&ssl->config->supported_group_list, groups); in SSL_set1_groups_list()
1909 uint16_t SSL_get_group_id(const SSL *ssl) { in SSL_get_group_id() argument
1910 SSL_SESSION *session = SSL_get_session(ssl); in SSL_get_group_id()
1918 int SSL_get_negotiated_group(const SSL *ssl) { in SSL_get_negotiated_group() argument
1919 uint16_t group_id = SSL_get_group_id(ssl); in SSL_get_negotiated_group()
1928 int SSL_set_tmp_dh(SSL *ssl, const DH *dh) { return 1; } in SSL_set_tmp_dh() argument
1941 STACK_OF(SSL_CIPHER) *SSL_get_ciphers(const SSL *ssl) { in STACK_OF()
1942 if (ssl == NULL) { in STACK_OF()
1945 if (ssl->config == NULL) { in STACK_OF()
1946 assert(ssl->config); in STACK_OF()
1950 return ssl->config->cipher_list ? ssl->config->cipher_list->ciphers.get() in STACK_OF()
1951 : ssl->ctx->cipher_list->ciphers.get(); in STACK_OF()
1954 const char *SSL_get_cipher_list(const SSL *ssl, int n) { in SSL_get_cipher_list() argument
1955 if (ssl == NULL) { in SSL_get_cipher_list()
1959 STACK_OF(SSL_CIPHER) *sk = SSL_get_ciphers(ssl); in SSL_get_cipher_list()
1986 int SSL_set_cipher_list(SSL *ssl, const char *str) { in SSL_set_cipher_list() argument
1987 if (!ssl->config) { in SSL_set_cipher_list()
1990 const bool has_aes_hw = ssl->config->aes_hw_override in SSL_set_cipher_list()
1991 ? ssl->config->aes_hw_override_value in SSL_set_cipher_list()
1993 return ssl_create_cipher_list(&ssl->config->cipher_list, has_aes_hw, str, in SSL_set_cipher_list()
1997 int SSL_set_strict_cipher_list(SSL *ssl, const char *str) { in SSL_set_strict_cipher_list() argument
1998 if (!ssl->config) { in SSL_set_strict_cipher_list()
2001 const bool has_aes_hw = ssl->config->aes_hw_override in SSL_set_strict_cipher_list()
2002 ? ssl->config->aes_hw_override_value in SSL_set_strict_cipher_list()
2004 return ssl_create_cipher_list(&ssl->config->cipher_list, has_aes_hw, str, in SSL_set_strict_cipher_list()
2008 const char *SSL_get_servername(const SSL *ssl, const int type) { in SSL_get_servername() argument
2015 if (ssl->hostname != nullptr) { in SSL_get_servername()
2016 return ssl->hostname.get(); in SSL_get_servername()
2019 return ssl->s3->hostname.get(); in SSL_get_servername()
2022 int SSL_get_servername_type(const SSL *ssl) { in SSL_get_servername_type() argument
2023 if (SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name) == NULL) { in SSL_get_servername_type()
2031 enum ssl_verify_result_t (*callback)(SSL *ssl, uint8_t *out_alert)) { in SSL_CTX_set_custom_verify() argument
2037 SSL *ssl, int mode, in SSL_set_custom_verify() argument
2038 enum ssl_verify_result_t (*callback)(SSL *ssl, uint8_t *out_alert)) { in SSL_set_custom_verify() argument
2039 if (!ssl->config) { in SSL_set_custom_verify()
2042 ssl->config->verify_mode = mode; in SSL_set_custom_verify()
2043 ssl->config->custom_verify_callback = callback; in SSL_set_custom_verify()
2050 void SSL_enable_signed_cert_timestamps(SSL *ssl) { in SSL_enable_signed_cert_timestamps() argument
2051 if (!ssl->config) { in SSL_enable_signed_cert_timestamps()
2054 ssl->config->signed_cert_timestamps_enabled = true; in SSL_enable_signed_cert_timestamps()
2061 void SSL_enable_ocsp_stapling(SSL *ssl) { in SSL_enable_ocsp_stapling() argument
2062 if (!ssl->config) { in SSL_enable_ocsp_stapling()
2065 ssl->config->ocsp_stapling_enabled = true; in SSL_enable_ocsp_stapling()
2068 void SSL_get0_signed_cert_timestamp_list(const SSL *ssl, const uint8_t **out, in SSL_get0_signed_cert_timestamp_list() argument
2070 SSL_SESSION *session = SSL_get_session(ssl); in SSL_get0_signed_cert_timestamp_list()
2071 if (ssl->server || !session || !session->signed_cert_timestamp_list) { in SSL_get0_signed_cert_timestamp_list()
2081 void SSL_get0_ocsp_response(const SSL *ssl, const uint8_t **out, in SSL_get0_ocsp_response() argument
2083 SSL_SESSION *session = SSL_get_session(ssl); in SSL_get0_ocsp_response()
2084 if (ssl->server || !session || !session->ocsp_response) { in SSL_get0_ocsp_response()
2094 int SSL_set_tlsext_host_name(SSL *ssl, const char *name) { in SSL_set_tlsext_host_name() argument
2095 ssl->hostname.reset(); in SSL_set_tlsext_host_name()
2105 ssl->hostname.reset(OPENSSL_strdup(name)); in SSL_set_tlsext_host_name()
2106 if (ssl->hostname == nullptr) { in SSL_set_tlsext_host_name()
2113 SSL_CTX *ctx, int (*callback)(SSL *ssl, int *out_alert, void *arg)) { in SSL_CTX_set_tlsext_servername_callback() argument
2171 void SSL_get0_next_proto_negotiated(const SSL *ssl, const uint8_t **out_data, in SSL_get0_next_proto_negotiated() argument
2174 assert(ssl->s3->next_proto_negotiated.size() <= UINT_MAX); in SSL_get0_next_proto_negotiated()
2175 *out_data = ssl->s3->next_proto_negotiated.data(); in SSL_get0_next_proto_negotiated()
2176 *out_len = static_cast<unsigned>(ssl->s3->next_proto_negotiated.size()); in SSL_get0_next_proto_negotiated()
2181 int (*cb)(SSL *ssl, const uint8_t **out, unsigned *out_len, void *arg), in SSL_CTX_set_next_protos_advertised_cb() argument
2188 int (*cb)(SSL *ssl, uint8_t **out, in SSL_CTX_set_next_proto_select_cb() argument
2208 int SSL_set_alpn_protos(SSL *ssl, const uint8_t *protos, size_t protos_len) { in SSL_set_alpn_protos() argument
2210 if (!ssl->config) { in SSL_set_alpn_protos()
2218 return ssl->config->alpn_client_proto_list.CopyFrom(span) ? 0 : 1; in SSL_set_alpn_protos()
2222 int (*cb)(SSL *ssl, const uint8_t **out, in SSL_CTX_set_alpn_select_cb() argument
2230 void SSL_get0_alpn_selected(const SSL *ssl, const uint8_t **out_data, in SSL_get0_alpn_selected() argument
2233 if (SSL_in_early_data(ssl) && !ssl->server) { in SSL_get0_alpn_selected()
2234 protocol = ssl->s3->hs->early_session->early_alpn; in SSL_get0_alpn_selected()
2236 protocol = ssl->s3->alpn_selected; in SSL_get0_alpn_selected()
2248 int SSL_add_application_settings(SSL *ssl, const uint8_t *proto, in SSL_add_application_settings() argument
2251 if (!ssl->config) { in SSL_add_application_settings()
2257 !ssl->config->alps_configs.Push(std::move(config))) { in SSL_add_application_settings()
2263 void SSL_get0_peer_application_settings(const SSL *ssl, in SSL_get0_peer_application_settings() argument
2266 const SSL_SESSION *session = SSL_get_session(ssl); in SSL_get0_peer_application_settings()
2273 int SSL_has_application_settings(const SSL *ssl) { in SSL_has_application_settings() argument
2274 const SSL_SESSION *session = SSL_get_session(ssl); in SSL_has_application_settings()
2278 void SSL_set_alps_use_new_codepoint(SSL *ssl, int use_new) { in SSL_set_alps_use_new_codepoint() argument
2279 if (!ssl->config) { in SSL_set_alps_use_new_codepoint()
2282 ssl->config->alps_use_new_codepoint = !!use_new; in SSL_set_alps_use_new_codepoint()
2312 void SSL_set_tls_channel_id_enabled(SSL *ssl, int enabled) { in SSL_set_tls_channel_id_enabled() argument
2313 if (!ssl->config) { in SSL_set_tls_channel_id_enabled()
2316 ssl->config->channel_id_enabled = !!enabled; in SSL_set_tls_channel_id_enabled()
2319 int SSL_enable_tls_channel_id(SSL *ssl) { in SSL_enable_tls_channel_id() argument
2320 SSL_set_tls_channel_id_enabled(ssl, 1); in SSL_enable_tls_channel_id()
2340 int SSL_set1_tls_channel_id(SSL *ssl, EVP_PKEY *private_key) { in SSL_set1_tls_channel_id() argument
2341 if (!ssl->config) { in SSL_set1_tls_channel_id()
2349 ssl->config->channel_id_private = UpRef(private_key); in SSL_set1_tls_channel_id()
2353 size_t SSL_get_tls_channel_id(SSL *ssl, uint8_t *out, size_t max_out) { in SSL_get_tls_channel_id() argument
2354 if (!ssl->s3->channel_id_valid) { in SSL_get_tls_channel_id()
2357 OPENSSL_memcpy(out, ssl->s3->channel_id, (max_out < 64) ? max_out : 64); in SSL_get_tls_channel_id()
2361 size_t SSL_get0_certificate_types(const SSL *ssl, const uint8_t **out_types) { in SSL_get0_certificate_types() argument
2363 if (!ssl->server && ssl->s3->hs != nullptr) { in SSL_get0_certificate_types()
2364 types = ssl->s3->hs->certificate_types; in SSL_get0_certificate_types()
2370 size_t SSL_get0_peer_verify_algorithms(const SSL *ssl, in SSL_get0_peer_verify_algorithms() argument
2373 if (ssl->s3->hs != nullptr) { in SSL_get0_peer_verify_algorithms()
2374 sigalgs = ssl->s3->hs->peer_sigalgs; in SSL_get0_peer_verify_algorithms()
2380 size_t SSL_get0_peer_delegation_algorithms(const SSL *ssl, in SSL_get0_peer_delegation_algorithms() argument
2383 if (ssl->s3->hs != nullptr) { in SSL_get0_peer_delegation_algorithms()
2384 sigalgs = ssl->s3->hs->peer_delegated_credential_sigalgs; in SSL_get0_peer_delegation_algorithms()
2390 EVP_PKEY *SSL_get_privatekey(const SSL *ssl) { in SSL_get_privatekey() argument
2391 if (!ssl->config) { in SSL_get_privatekey()
2392 assert(ssl->config); in SSL_get_privatekey()
2395 return ssl->config->cert->legacy_credential->privkey.get(); in SSL_get_privatekey()
2402 const SSL_CIPHER *SSL_get_current_cipher(const SSL *ssl) { in SSL_get_current_cipher() argument
2403 const SSL_SESSION *session = SSL_get_session(ssl); in SSL_get_current_cipher()
2407 int SSL_session_reused(const SSL *ssl) { in SSL_session_reused() argument
2408 return ssl->s3->session_reused || SSL_in_early_data(ssl); in SSL_session_reused()
// SSL_get_current_compression always reports that no compression method is
// in use. The |ssl| argument is accepted for API compatibility and is not
// consulted.
const COMP_METHOD *SSL_get_current_compression(SSL *ssl) {
  return nullptr;
}
// SSL_get_current_expansion always reports that no expansion method is in
// use. The |ssl| argument is accepted for API compatibility and is not
// consulted.
const COMP_METHOD *SSL_get_current_expansion(SSL *ssl) {
  return nullptr;
}
// SSL_get_server_tmp_key always returns 0 and never writes through
// |out_key|. Callers must not rely on |*out_key| being set or cleared by this
// call.
int SSL_get_server_tmp_key(SSL *ssl, EVP_PKEY **out_key) {
  return 0;
}
2425 void SSL_set_quiet_shutdown(SSL *ssl, int mode) { in SSL_set_quiet_shutdown() argument
2426 ssl->quiet_shutdown = (mode != 0); in SSL_set_quiet_shutdown()
// SSL_get_quiet_shutdown returns the quiet-shutdown flag of |ssl| as an int,
// i.e. the value most recently stored by SSL_set_quiet_shutdown.
int SSL_get_quiet_shutdown(const SSL *ssl) {
  return static_cast<int>(ssl->quiet_shutdown);
}
2431 void SSL_set_shutdown(SSL *ssl, int mode) { in SSL_set_shutdown() argument
2434 assert((SSL_get_shutdown(ssl) & mode) == SSL_get_shutdown(ssl)); in SSL_set_shutdown()
2437 ssl->s3->read_shutdown == ssl_shutdown_none) { in SSL_set_shutdown()
2438 ssl->s3->read_shutdown = ssl_shutdown_close_notify; in SSL_set_shutdown()
2442 ssl->s3->write_shutdown == ssl_shutdown_none) { in SSL_set_shutdown()
2443 ssl->s3->write_shutdown = ssl_shutdown_close_notify; in SSL_set_shutdown()
2447 int SSL_get_shutdown(const SSL *ssl) { in SSL_get_shutdown() argument
2449 if (ssl->s3->read_shutdown != ssl_shutdown_none) { in SSL_get_shutdown()
2454 if (ssl->s3->write_shutdown == ssl_shutdown_close_notify) { in SSL_get_shutdown()
// SSL_get_SSL_CTX returns a non-owning pointer to the SSL_CTX currently
// attached to |ssl|. No reference is taken; the returned pointer is valid only
// as long as |ssl| keeps its own reference (see SSL_set_SSL_CTX).
SSL_CTX *SSL_get_SSL_CTX(const SSL *ssl) {
  SSL_CTX *const ctx = ssl->ctx.get();
  return ctx;
}
2463 SSL_CTX *SSL_set_SSL_CTX(SSL *ssl, SSL_CTX *ctx) { in SSL_set_SSL_CTX() argument
2464 if (!ssl->config) { in SSL_set_SSL_CTX()
2467 if (ssl->ctx.get() == ctx) { in SSL_set_SSL_CTX()
2468 return ssl->ctx.get(); in SSL_set_SSL_CTX()
2472 if (ssl->ctx->x509_method != ctx->x509_method) { in SSL_set_SSL_CTX()
2482 ssl->config->cert = std::move(new_cert); in SSL_set_SSL_CTX()
2483 ssl->ctx = UpRef(ctx); in SSL_set_SSL_CTX()
2484 ssl->enable_early_data = ssl->ctx->enable_early_data; in SSL_set_SSL_CTX()
2486 return ssl->ctx.get(); in SSL_set_SSL_CTX()
2489 void SSL_set_info_callback(SSL *ssl, in SSL_set_info_callback() argument
2490 void (*cb)(const SSL *ssl, int type, int value)) { in SSL_set_info_callback() argument
2491 ssl->info_callback = cb; in SSL_set_info_callback()
2494 void (*SSL_get_info_callback(const SSL *ssl))(const SSL *ssl, int type, in SSL_get_info_callback() argument
2496 return ssl->info_callback; in SSL_get_info_callback()
2499 int SSL_state(const SSL *ssl) { in SSL_state() argument
2500 return SSL_in_init(ssl) ? SSL_ST_INIT : SSL_ST_OK; in SSL_state()
// SSL_set_state intentionally does nothing: the requested |state| is ignored.
// The value reported by SSL_state is derived from SSL_in_init rather than
// from anything stored here.
void SSL_set_state(SSL *ssl, int state) {
  // Deliberately empty.
}
2505 char *SSL_get_shared_ciphers(const SSL *ssl, char *buf, int len) { in SSL_get_shared_ciphers() argument
2513 int SSL_get_shared_sigalgs(SSL *ssl, int idx, int *psign, int *phash, in SSL_get_shared_sigalgs() argument
2526 int SSL_set_quic_method(SSL *ssl, const SSL_QUIC_METHOD *quic_method) { in SSL_set_quic_method() argument
2527 if (ssl->method->is_dtls) { in SSL_set_quic_method()
2530 ssl->quic_method = quic_method; in SSL_set_quic_method()
2540 int SSL_set_ex_data(SSL *ssl, int idx, void *data) { in SSL_set_ex_data() argument
2541 return CRYPTO_set_ex_data(&ssl->ex_data, idx, data); in SSL_set_ex_data()
2544 void *SSL_get_ex_data(const SSL *ssl, int idx) { in SSL_get_ex_data() argument
2545 return CRYPTO_get_ex_data(&ssl->ex_data, idx); in SSL_get_ex_data()
2563 int SSL_want(const SSL *ssl) { in SSL_want() argument
2567 return ssl->s3->rwstate == SSL_ERROR_ZERO_RETURN ? SSL_ERROR_NONE in SSL_want()
2568 : ssl->s3->rwstate; in SSL_want()
2572 RSA *(*cb)(SSL *ssl, int is_export, in SSL_CTX_set_tmp_rsa_callback() argument
2575 void SSL_set_tmp_rsa_callback(SSL *ssl, RSA *(*cb)(SSL *ssl, int is_export, in SSL_set_tmp_rsa_callback() argument
2579 DH *(*cb)(SSL *ssl, int is_export, in SSL_CTX_set_tmp_dh_callback() argument
2582 void SSL_set_tmp_dh_callback(SSL *ssl, DH *(*cb)(SSL *ssl, int is_export, in SSL_set_tmp_dh_callback() argument
2613 int SSL_use_psk_identity_hint(SSL *ssl, const char *identity_hint) { in SSL_use_psk_identity_hint() argument
2614 if (!ssl->config) { in SSL_use_psk_identity_hint()
2617 return use_psk_identity_hint(&ssl->config->psk_identity_hint, identity_hint); in SSL_use_psk_identity_hint()
2620 const char *SSL_get_psk_identity_hint(const SSL *ssl) { in SSL_get_psk_identity_hint() argument
2621 if (ssl == NULL) { in SSL_get_psk_identity_hint()
2624 if (ssl->config == NULL) { in SSL_get_psk_identity_hint()
2625 assert(ssl->config); in SSL_get_psk_identity_hint()
2628 return ssl->config->psk_identity_hint.get(); in SSL_get_psk_identity_hint()
2631 const char *SSL_get_psk_identity(const SSL *ssl) { in SSL_get_psk_identity() argument
2632 if (ssl == NULL) { in SSL_get_psk_identity()
2635 SSL_SESSION *session = SSL_get_session(ssl); in SSL_get_psk_identity()
2643 SSL *ssl, unsigned (*cb)(SSL *ssl, const char *hint, char *identity, in SSL_set_psk_client_callback() argument
2646 if (!ssl->config) { in SSL_set_psk_client_callback()
2649 ssl->config->psk_client_callback = cb; in SSL_set_psk_client_callback()
2653 SSL_CTX *ctx, unsigned (*cb)(SSL *ssl, const char *hint, char *identity, in SSL_CTX_set_psk_client_callback() argument
2659 void SSL_set_psk_server_callback(SSL *ssl, in SSL_set_psk_server_callback() argument
2660 unsigned (*cb)(SSL *ssl, const char *identity, in SSL_set_psk_server_callback() argument
2663 if (!ssl->config) { in SSL_set_psk_server_callback()
2666 ssl->config->psk_server_callback = cb; in SSL_set_psk_server_callback()
2670 SSL_CTX *ctx, unsigned (*cb)(SSL *ssl, const char *identity, uint8_t *psk, in SSL_CTX_set_psk_server_callback() argument
2678 size_t len, SSL *ssl, void *arg)) { in SSL_CTX_set_msg_callback() argument
2686 void SSL_set_msg_callback(SSL *ssl, in SSL_set_msg_callback() argument
2688 const void *buf, size_t len, SSL *ssl, in SSL_set_msg_callback()
2690 ssl->msg_callback = cb; in SSL_set_msg_callback()
2693 void SSL_set_msg_callback_arg(SSL *ssl, void *arg) { in SSL_set_msg_callback_arg() argument
2694 ssl->msg_callback_arg = arg; in SSL_set_msg_callback_arg()
2698 void (*cb)(const SSL *ssl, const char *line)) { in SSL_CTX_set_keylog_callback() argument
2702 void (*SSL_CTX_get_keylog_callback(const SSL_CTX *ctx))(const SSL *ssl, in SSL_CTX_get_keylog_callback()
2708 void (*cb)(const SSL *ssl, in SSL_CTX_set_current_time_cb() argument
2713 int SSL_can_release_private_key(const SSL *ssl) { in SSL_can_release_private_key() argument
2714 if (ssl_can_renegotiate(ssl)) { in SSL_can_release_private_key()
2721 return !ssl->s3->hs || ssl->s3->hs->can_release_private_key; in SSL_can_release_private_key()
// SSL_is_init_finished returns one when |ssl| is no longer in the handshake
// as reported by SSL_in_init, and zero otherwise.
int SSL_is_init_finished(const SSL *ssl) {
  return SSL_in_init(ssl) ? 0 : 1;
}
2726 int SSL_in_init(const SSL *ssl) { in SSL_in_init() argument
2730 SSL_HANDSHAKE *hs = ssl->s3->hs.get(); in SSL_in_init()
2734 int SSL_in_false_start(const SSL *ssl) { in SSL_in_false_start() argument
2735 if (ssl->s3->hs == NULL) { in SSL_in_false_start()
2738 return ssl->s3->hs->in_false_start; in SSL_in_false_start()
// SSL_cutthrough_complete is an alias of SSL_in_false_start; the result is
// forwarded unchanged.
int SSL_cutthrough_complete(const SSL *ssl) {
  const int in_false_start = SSL_in_false_start(ssl);
  return in_false_start;
}
// SSL_is_server reports the server flag of |ssl| as an int.
int SSL_is_server(const SSL *ssl) {
  return static_cast<int>(ssl->server);
}
// SSL_is_dtls reports, as an int, whether the protocol method attached to
// |ssl| is the DTLS one.
int SSL_is_dtls(const SSL *ssl) {
  const auto *method = ssl->method;
  return static_cast<int>(method->is_dtls);
}
// SSL_is_quic returns one when a QUIC method has been installed on |ssl|
// (see SSL_set_quic_method) and zero otherwise.
int SSL_is_quic(const SSL *ssl) {
  return ssl->quic_method == nullptr ? 0 : 1;
}
2764 void SSL_set_enforce_rsa_key_usage(SSL *ssl, int enabled) { in SSL_set_enforce_rsa_key_usage() argument
2765 if (!ssl->config) { in SSL_set_enforce_rsa_key_usage()
2768 ssl->config->enforce_rsa_key_usage = !!enabled; in SSL_set_enforce_rsa_key_usage()
2771 int SSL_was_key_usage_invalid(const SSL *ssl) { in SSL_was_key_usage_invalid() argument
2772 return ssl->s3->was_key_usage_invalid; in SSL_was_key_usage_invalid()
2775 void SSL_set_renegotiate_mode(SSL *ssl, enum ssl_renegotiate_mode_t mode) { in SSL_set_renegotiate_mode() argument
2776 ssl->renegotiate_mode = mode; in SSL_set_renegotiate_mode()
2781 ssl_maybe_shed_handshake_config(ssl); in SSL_set_renegotiate_mode()
2784 int SSL_get_ivs(const SSL *ssl, const uint8_t **out_read_iv, in SSL_get_ivs() argument
2788 if (SSL_is_dtls(ssl)) { in SSL_get_ivs()
2794 if (!ssl->s3->aead_read_ctx->GetIV(out_read_iv, out_iv_len) || in SSL_get_ivs()
2795 !ssl->s3->aead_write_ctx->GetIV(out_write_iv, &write_iv_len) || in SSL_get_ivs()
2803 uint64_t SSL_get_read_sequence(const SSL *ssl) { in SSL_get_read_sequence() argument
2804 if (SSL_is_dtls(ssl)) { in SSL_get_read_sequence()
2816 const DTLSReadEpoch *read_epoch = &ssl->d1->read_epoch; in SSL_get_read_sequence()
2820 return ssl->s3->read_sequence; in SSL_get_read_sequence()
2823 uint64_t SSL_get_write_sequence(const SSL *ssl) { in SSL_get_write_sequence() argument
2824 if (SSL_is_dtls(ssl)) { in SSL_get_write_sequence()
2825 return ssl->d1->write_epoch.next_record.combined(); in SSL_get_write_sequence()
2828 return ssl->s3->write_sequence; in SSL_get_write_sequence()
2831 uint16_t SSL_get_peer_signature_algorithm(const SSL *ssl) { in SSL_get_peer_signature_algorithm() argument
2832 SSL_SESSION *session = SSL_get_session(ssl); in SSL_get_peer_signature_algorithm()
2840 size_t SSL_get_client_random(const SSL *ssl, uint8_t *out, size_t max_out) { in SSL_get_client_random() argument
2842 return sizeof(ssl->s3->client_random); in SSL_get_client_random()
2844 if (max_out > sizeof(ssl->s3->client_random)) { in SSL_get_client_random()
2845 max_out = sizeof(ssl->s3->client_random); in SSL_get_client_random()
2847 OPENSSL_memcpy(out, ssl->s3->client_random, max_out); in SSL_get_client_random()
2851 size_t SSL_get_server_random(const SSL *ssl, uint8_t *out, size_t max_out) { in SSL_get_server_random() argument
2853 return sizeof(ssl->s3->server_random); in SSL_get_server_random()
2855 if (max_out > sizeof(ssl->s3->server_random)) { in SSL_get_server_random()
2856 max_out = sizeof(ssl->s3->server_random); in SSL_get_server_random()
2858 OPENSSL_memcpy(out, ssl->s3->server_random, max_out); in SSL_get_server_random()
2862 const SSL_CIPHER *SSL_get_pending_cipher(const SSL *ssl) { in SSL_get_pending_cipher() argument
2863 SSL_HANDSHAKE *hs = ssl->s3->hs.get(); in SSL_get_pending_cipher()
2870 void SSL_set_retain_only_sha256_of_client_certs(SSL *ssl, int enabled) { in SSL_set_retain_only_sha256_of_client_certs() argument
2871 if (!ssl->config) { in SSL_set_retain_only_sha256_of_client_certs()
2874 ssl->config->retain_only_sha256_of_client_certs = !!enabled; in SSL_set_retain_only_sha256_of_client_certs()
2889 void SSL_set_permute_extensions(SSL *ssl, int enabled) { in SSL_set_permute_extensions() argument
2890 if (!ssl->config) { in SSL_set_permute_extensions()
2893 ssl->config->permute_extensions = !!enabled; in SSL_set_permute_extensions()
2896 int32_t SSL_get_ticket_age_skew(const SSL *ssl) { in SSL_get_ticket_age_skew() argument
2897 return ssl->s3->ticket_age_skew; in SSL_get_ticket_age_skew()
2904 int SSL_used_hello_retry_request(const SSL *ssl) { in SSL_used_hello_retry_request() argument
2905 return ssl->s3->used_hello_retry_request; in SSL_used_hello_retry_request()
2908 void SSL_set_shed_handshake_config(SSL *ssl, int enable) { in SSL_set_shed_handshake_config() argument
2909 if (!ssl->config) { in SSL_set_shed_handshake_config()
2912 ssl->config->shed_handshake_config = !!enable; in SSL_set_shed_handshake_config()
2915 void SSL_set_jdk11_workaround(SSL *ssl, int enable) { in SSL_set_jdk11_workaround() argument
2916 if (!ssl->config) { in SSL_set_jdk11_workaround()
2919 ssl->config->jdk11_workaround = !!enable; in SSL_set_jdk11_workaround()
2922 void SSL_set_check_client_certificate_type(SSL *ssl, int enable) { in SSL_set_check_client_certificate_type() argument
2923 if (!ssl->config) { in SSL_set_check_client_certificate_type()
2926 ssl->config->check_client_certificate_type = !!enable; in SSL_set_check_client_certificate_type()
2929 void SSL_set_check_ecdsa_curve(SSL *ssl, int enable) { in SSL_set_check_ecdsa_curve() argument
2930 if (!ssl->config) { in SSL_set_check_ecdsa_curve()
2933 ssl->config->check_ecdsa_curve = !!enable; in SSL_set_check_ecdsa_curve()
2936 void SSL_set_quic_use_legacy_codepoint(SSL *ssl, int use_legacy) { in SSL_set_quic_use_legacy_codepoint() argument
2937 if (!ssl->config) { in SSL_set_quic_use_legacy_codepoint()
2940 ssl->config->quic_use_legacy_codepoint = !!use_legacy; in SSL_set_quic_use_legacy_codepoint()
2943 int SSL_clear(SSL *ssl) { in SSL_clear() argument
2944 if (!ssl->config) { in SSL_clear()
2952 if (!ssl->server && ssl->s3->established_session != NULL) { in SSL_clear()
2953 session = UpRef(ssl->s3->established_session); in SSL_clear()
2961 if (ssl->d1 != NULL) { in SSL_clear()
2962 mtu = ssl->d1->mtu; in SSL_clear()
2965 ssl->method->ssl_free(ssl); in SSL_clear()
2966 if (!ssl->method->ssl_new(ssl)) { in SSL_clear()
2970 if (SSL_is_dtls(ssl) && (SSL_get_options(ssl) & SSL_OP_NO_QUERY_MTU)) { in SSL_clear()
2971 ssl->d1->mtu = mtu; in SSL_clear()
2975 SSL_set_session(ssl, session.get()); in SSL_clear()
2993 int SSL_num_renegotiations(const SSL *ssl) { in SSL_num_renegotiations() argument
2994 return SSL_total_renegotiations(ssl); in SSL_num_renegotiations()
// SSL_need_tmp_RSA always returns 0; the |ssl| argument is not consulted.
int SSL_need_tmp_RSA(const SSL *ssl) {
  return 0;
}
// SSL_set_tmp_rsa always returns 1 and does not retain or otherwise use
// |rsa|. Callers should not infer from the return value that an ephemeral RSA
// key has been configured on |ssl|.
int SSL_set_tmp_rsa(SSL *ssl, const RSA *rsa) {
  return 1;
}
// SSL_cache_hit is an alias of SSL_session_reused; the result is forwarded
// unchanged.
int SSL_cache_hit(SSL *ssl) {
  const int reused = SSL_session_reused(ssl);
  return reused;
}
3014 int SSL_set_tmp_ecdh(SSL *ssl, const EC_KEY *ec_key) { in SSL_set_tmp_ecdh() argument
3020 return SSL_set1_groups(ssl, &nid, 1); in SSL_set_tmp_ecdh()
3028 SSL_SESSION *SSL_process_tls13_new_session_ticket(SSL *ssl, const uint8_t *buf, in SSL_process_tls13_new_session_ticket() argument
3030 if (SSL_in_init(ssl) || // in SSL_process_tls13_new_session_ticket()
3031 ssl_protocol_version(ssl) != TLS1_3_VERSION || // in SSL_process_tls13_new_session_ticket()
3032 ssl->server) { in SSL_process_tls13_new_session_ticket()
3048 UniquePtr<SSL_SESSION> session = tls13_create_session_with_ticket(ssl, &body); in SSL_process_tls13_new_session_ticket()
3065 int SSL_set_tlsext_status_type(SSL *ssl, int type) { in SSL_set_tlsext_status_type() argument
3066 if (!ssl->config) { in SSL_set_tlsext_status_type()
3069 ssl->config->ocsp_stapling_enabled = type == TLSEXT_STATUSTYPE_ocsp; in SSL_set_tlsext_status_type()
3073 int SSL_get_tlsext_status_type(const SSL *ssl) { in SSL_get_tlsext_status_type() argument
3074 if (ssl->server) { in SSL_get_tlsext_status_type()
3075 SSL_HANDSHAKE *hs = ssl->s3->hs.get(); in SSL_get_tlsext_status_type()
3081 return ssl->config != nullptr && ssl->config->ocsp_stapling_enabled in SSL_get_tlsext_status_type()
3086 int SSL_set_tlsext_status_ocsp_resp(SSL *ssl, uint8_t *resp, size_t resp_len) { in SSL_set_tlsext_status_ocsp_resp() argument
3087 if (SSL_set_ocsp_response(ssl, resp, resp_len)) { in SSL_set_tlsext_status_ocsp_resp()
3094 size_t SSL_get_tlsext_status_ocsp_resp(const SSL *ssl, const uint8_t **out) { in SSL_get_tlsext_status_ocsp_resp() argument
3096 SSL_get0_ocsp_response(ssl, out, &ret); in SSL_get_tlsext_status_ocsp_resp()
3101 int (*callback)(SSL *ssl, void *arg)) { in SSL_CTX_set_tlsext_status_cb() argument
// SSL_get_curve_id is an alias of SSL_get_group_id; the group identifier is
// forwarded unchanged.
uint16_t SSL_get_curve_id(const SSL *ssl) {
  const uint16_t group_id = SSL_get_group_id(ssl);
  return group_id;
}
3125 int SSL_set1_curves(SSL *ssl, const int *curves, size_t num_curves) { in SSL_set1_curves() argument
3126 return SSL_set1_groups(ssl, curves, num_curves); in SSL_set1_curves()
3133 int SSL_set1_curves_list(SSL *ssl, const char *curves) { in SSL_set1_curves_list() argument
3134 return SSL_set1_groups_list(ssl, curves); in SSL_set1_curves_list()
3192 static int Configure(SSL *ssl) { in Configure() argument
3193 ssl->config->compliance_policy = ssl_compliance_policy_fips_202205; in Configure()
3196 return SSL_set_min_proto_version(ssl, TLS1_2_VERSION) && in Configure()
3197 SSL_set_max_proto_version(ssl, TLS1_3_VERSION) && in Configure()
3198 SSL_set_strict_cipher_list(ssl, kTLS12Ciphers) && in Configure()
3199 SSL_set1_group_ids(ssl, kGroups, OPENSSL_ARRAY_SIZE(kGroups)) && in Configure()
3200 SSL_set_signing_algorithm_prefs(ssl, kSigAlgs, in Configure()
3202 SSL_set_verify_algorithm_prefs(ssl, kSigAlgs, in Configure()
3239 static int Configure(SSL *ssl) { in Configure() argument
3240 ssl->config->compliance_policy = ssl_compliance_policy_wpa3_192_202304; in Configure()
3242 return SSL_set_min_proto_version(ssl, TLS1_2_VERSION) && in Configure()
3243 SSL_set_max_proto_version(ssl, TLS1_3_VERSION) && in Configure()
3244 SSL_set_strict_cipher_list(ssl, kTLS12Ciphers) && in Configure()
3245 SSL_set1_group_ids(ssl, kGroups, OPENSSL_ARRAY_SIZE(kGroups)) && in Configure()
3246 SSL_set_signing_algorithm_prefs(ssl, kSigAlgs, in Configure()
3248 SSL_set_verify_algorithm_prefs(ssl, kSigAlgs, in Configure()
3261 static int Configure(SSL *ssl) { in Configure() argument
3262 ssl->config->compliance_policy = ssl_compliance_policy_cnsa_202407; in Configure()
3286 int SSL_set_compliance_policy(SSL *ssl, enum ssl_compliance_policy_t policy) { in SSL_set_compliance_policy() argument
3289 return fips202205::Configure(ssl); in SSL_set_compliance_policy()
3291 return wpa202304::Configure(ssl); in SSL_set_compliance_policy()
3293 return cnsa202407::Configure(ssl); in SSL_set_compliance_policy()
3299 enum ssl_compliance_policy_t SSL_get_compliance_policy(const SSL *ssl) { in SSL_get_compliance_policy() argument
3300 return ssl->config->compliance_policy; in SSL_get_compliance_policy()