1 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2 * All rights reserved. 3 * 4 * This package is an SSL implementation written 5 * by Eric Young (eay@cryptsoft.com). 6 * The implementation was written so as to conform with Netscapes SSL. 7 * 8 * This library is free for commercial and non-commercial use as long as 9 * the following conditions are aheared to. The following conditions 10 * apply to all code found in this distribution, be it the RC4, RSA, 11 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 12 * included with this distribution is covered by the same copyright terms 13 * except that the holder is Tim Hudson (tjh@cryptsoft.com). 14 * 15 * Copyright remains Eric Young's, and as such any Copyright notices in 16 * the code are not to be removed. 17 * If this package is used in a product, Eric Young should be given attribution 18 * as the author of the parts of the library used. 19 * This can be in the form of a textual message at program startup or 20 * in documentation (online or textual) provided with the package. 21 * 22 * Redistribution and use in source and binary forms, with or without 23 * modification, are permitted provided that the following conditions 24 * are met: 25 * 1. Redistributions of source code must retain the copyright 26 * notice, this list of conditions and the following disclaimer. 27 * 2. Redistributions in binary form must reproduce the above copyright 28 * notice, this list of conditions and the following disclaimer in the 29 * documentation and/or other materials provided with the distribution. 30 * 3. All advertising materials mentioning features or use of this software 31 * must display the following acknowledgement: 32 * "This product includes cryptographic software written by 33 * Eric Young (eay@cryptsoft.com)" 34 * The word 'cryptographic' can be left out if the rouines from the library 35 * being used are not cryptographic related :-). 36 * 4. If you include any Windows specific code (or a derivative thereof) from 37 * the apps directory (application code) you must include an acknowledgement: 38 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 39 * 40 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 41 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 43 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 44 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 45 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 46 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 48 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 49 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 50 * SUCH DAMAGE. 51 * 52 * The licence and distribution terms for any publically available version or 53 * derivative of this code cannot be changed. i.e. this code cannot simply be 54 * copied and put under another distribution licence 55 * [including the GNU Public Licence.] 56 */ 57 /* ==================================================================== 58 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved. 59 * 60 * Redistribution and use in source and binary forms, with or without 61 * modification, are permitted provided that the following conditions 62 * are met: 63 * 64 * 1. Redistributions of source code must retain the above copyright 65 * notice, this list of conditions and the following disclaimer. 66 * 67 * 2. Redistributions in binary form must reproduce the above copyright 68 * notice, this list of conditions and the following disclaimer in 69 * the documentation and/or other materials provided with the 70 * distribution. 71 * 72 * 3. All advertising materials mentioning features or use of this 73 * software must display the following acknowledgment: 74 * "This product includes software developed by the OpenSSL Project 75 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 76 * 77 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 78 * endorse or promote products derived from this software without 79 * prior written permission. For written permission, please contact 80 * openssl-core@openssl.org. 81 * 82 * 5. Products derived from this software may not be called "OpenSSL" 83 * nor may "OpenSSL" appear in their names without prior written 84 * permission of the OpenSSL Project. 85 * 86 * 6. Redistributions of any form whatsoever must retain the following 87 * acknowledgment: 88 * "This product includes software developed by the OpenSSL Project 89 * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 90 * 91 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 92 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 93 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 94 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 95 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 96 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 97 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 98 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 99 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 100 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 101 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 102 * OF THE POSSIBILITY OF SUCH DAMAGE. 103 * ==================================================================== 104 * 105 * This product includes cryptographic software written by Eric Young 106 * (eay@cryptsoft.com). This product includes software written by Tim 107 * Hudson (tjh@cryptsoft.com). 108 * 109 */ 110 /* ==================================================================== 111 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. 112 * ECC cipher suite support in OpenSSL originally developed by 113 * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project. 114 */ 115 /* ==================================================================== 116 * Copyright 2005 Nokia. All rights reserved. 117 * 118 * The portions of the attached software ("Contribution") is developed by 119 * Nokia Corporation and is licensed pursuant to the OpenSSL open source 120 * license. 121 * 122 * The Contribution, originally written by Mika Kousa and Pasi Eronen of 123 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites 124 * support (see RFC 4279) to OpenSSL. 125 * 126 * No patent licenses or other rights except those expressly stated in 127 * the OpenSSL open source license shall be deemed granted or received 128 * expressly, by implication, estoppel, or otherwise. 129 * 130 * No assurances are provided by Nokia that the Contribution does not 131 * infringe the patent or other intellectual property rights of any third 132 * party or that the license provides you with all the necessary rights 133 * to make use of the Contribution. 134 * 135 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN 136 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA 137 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY 138 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR 139 * OTHERWISE. 140 */ 141 142 #ifndef OPENSSL_HEADER_SSL_INTERNAL_H 143 #define OPENSSL_HEADER_SSL_INTERNAL_H 144 145 #include <openssl/base.h> 146 147 #include <openssl/aead.h> 148 #include <openssl/pqueue.h> 149 #include <openssl/ssl.h> 150 #include <openssl/stack.h> 151 152 #if defined(OPENSSL_WINDOWS) 153 /* Windows defines struct timeval in winsock2.h. */ 154 #pragma warning(push, 3) 155 #include <winsock2.h> 156 #pragma warning(pop) 157 #else 158 #include <sys/types.h> 159 #endif 160 161 162 /* Cipher suites. */ 163 164 /* Bits for |algorithm_mkey| (key exchange algorithm). */ 165 #define SSL_kRSA 0x00000001L 166 #define SSL_kDHE 0x00000002L 167 #define SSL_kECDHE 0x00000004L 168 /* SSL_kPSK is only set for plain PSK, not ECDHE_PSK. */ 169 #define SSL_kPSK 0x00000008L 170 171 /* Bits for |algorithm_auth| (server authentication). */ 172 #define SSL_aRSA 0x00000001L 173 #define SSL_aECDSA 0x00000002L 174 /* SSL_aPSK is set for both PSK and ECDHE_PSK. */ 175 #define SSL_aPSK 0x00000004L 176 177 /* Bits for |algorithm_enc| (symmetric encryption). */ 178 #define SSL_3DES 0x00000001L 179 #define SSL_RC4 0x00000002L 180 #define SSL_AES128 0x00000004L 181 #define SSL_AES256 0x00000008L 182 #define SSL_AES128GCM 0x00000010L 183 #define SSL_AES256GCM 0x00000020L 184 #define SSL_CHACHA20POLY1305 0x00000040L 185 186 #define SSL_AES (SSL_AES128 | SSL_AES256 | SSL_AES128GCM | SSL_AES256GCM) 187 188 /* Bits for |algorithm_mac| (symmetric authentication). */ 189 #define SSL_MD5 0x00000001L 190 #define SSL_SHA1 0x00000002L 191 #define SSL_SHA256 0x00000004L 192 #define SSL_SHA384 0x00000008L 193 /* SSL_AEAD is set for all AEADs. */ 194 #define SSL_AEAD 0x00000010L 195 196 /* Bits for |algorithm_ssl| (protocol version). These denote the first protocol 197 * version which introduced the cipher. 198 * 199 * TODO(davidben): These are extremely confusing, both in code and in 200 * cipher rules. Try to remove them. */ 201 #define SSL_SSLV3 0x00000002L 202 #define SSL_TLSV1 SSL_SSLV3 203 #define SSL_TLSV1_2 0x00000004L 204 205 /* Bits for |algorithm2| (handshake digests and other extra flags). */ 206 207 #define SSL_HANDSHAKE_MAC_MD5 0x10 208 #define SSL_HANDSHAKE_MAC_SHA 0x20 209 #define SSL_HANDSHAKE_MAC_SHA256 0x40 210 #define SSL_HANDSHAKE_MAC_SHA384 0x80 211 #define SSL_HANDSHAKE_MAC_DEFAULT \ 212 (SSL_HANDSHAKE_MAC_MD5 | SSL_HANDSHAKE_MAC_SHA) 213 214 /* SSL_MAX_DIGEST is the number of digest types which exist. When adding a new 215 * one, update the table in ssl_cipher.c. */ 216 #define SSL_MAX_DIGEST 4 217 218 /* SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_INCLUDED_IN_RECORD is a flag in 219 * SSL_CIPHER.algorithm2 which indicates that the variable part of the nonce is 220 * included as a prefix of the record. (AES-GCM, for example, does with with an 221 * 8-byte variable nonce.) */ 222 #define SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_INCLUDED_IN_RECORD (1<<22) 223 224 /* Bits for |algo_strength|, cipher strength information. */ 225 #define SSL_MEDIUM 0x00000001L 226 #define SSL_HIGH 0x00000002L 227 #define SSL_FIPS 0x00000004L 228 229 /* ssl_cipher_get_evp_aead sets |*out_aead| to point to the correct EVP_AEAD 230 * object for |cipher| protocol version |version|. It sets |*out_mac_secret_len| 231 * and |*out_fixed_iv_len| to the MAC key length and fixed IV length, 232 * respectively. The MAC key length is zero except for legacy block and stream 233 * ciphers. It returns 1 on success and 0 on error. */ 234 int ssl_cipher_get_evp_aead(const EVP_AEAD **out_aead, 235 size_t *out_mac_secret_len, 236 size_t *out_fixed_iv_len, 237 const SSL_CIPHER *cipher, uint16_t version); 238 239 /* ssl_get_handshake_digest looks up the |i|th handshake digest type and sets 240 * |*out_mask| to the |SSL_HANDSHAKE_MAC_*| mask and |*out_md| to the 241 * |EVP_MD|. It returns one on successs and zero if |i| >= |SSL_MAX_DIGEST|. */ 242 int ssl_get_handshake_digest(uint32_t *out_mask, const EVP_MD **out_md, 243 size_t i); 244 245 /* ssl_create_cipher_list evaluates |rule_str| according to the ciphers in 246 * |ssl_method|. It sets |*out_cipher_list| to a newly-allocated 247 * |ssl_cipher_preference_list_st| containing the result. 248 * |*out_cipher_list_by_id| is set to a list of selected ciphers sorted by 249 * id. It returns |(*out_cipher_list)->ciphers| on success and NULL on 250 * failure. */ 251 STACK_OF(SSL_CIPHER) * 252 ssl_create_cipher_list(const SSL_PROTOCOL_METHOD *ssl_method, 253 struct ssl_cipher_preference_list_st **out_cipher_list, 254 STACK_OF(SSL_CIPHER) **out_cipher_list_by_id, 255 const char *rule_str); 256 257 /* SSL_PKEY_* denote certificate types. */ 258 #define SSL_PKEY_RSA_ENC 0 259 #define SSL_PKEY_RSA_SIGN 1 260 #define SSL_PKEY_ECC 2 261 #define SSL_PKEY_NUM 3 262 263 /* ssl_cipher_get_value returns the cipher suite id of |cipher|. */ 264 uint16_t ssl_cipher_get_value(const SSL_CIPHER *cipher); 265 266 /* ssl_cipher_get_cert_index returns the |SSL_PKEY_*| value corresponding to the 267 * certificate type of |cipher| or -1 if there is none. */ 268 int ssl_cipher_get_cert_index(const SSL_CIPHER *cipher); 269 270 /* ssl_cipher_has_server_public_key returns 1 if |cipher| involves a server 271 * public key in the key exchange, sent in a server Certificate message. 272 * Otherwise it returns 0. */ 273 int ssl_cipher_has_server_public_key(const SSL_CIPHER *cipher); 274 275 /* ssl_cipher_requires_server_key_exchange returns 1 if |cipher| requires a 276 * ServerKeyExchange message. Otherwise it returns 0. 277 * 278 * Unlike ssl_cipher_has_server_public_key, some ciphers take optional 279 * ServerKeyExchanges. PSK and RSA_PSK only use the ServerKeyExchange to 280 * communicate a psk_identity_hint, so it is optional. */ 281 int ssl_cipher_requires_server_key_exchange(const SSL_CIPHER *cipher); 282 283 284 /* Encryption layer. */ 285 286 /* SSL_AEAD_CTX contains information about an AEAD that is being used to encrypt 287 * an SSL connection. */ 288 struct ssl_aead_ctx_st { 289 const SSL_CIPHER *cipher; 290 EVP_AEAD_CTX ctx; 291 /* fixed_nonce contains any bytes of the nonce that are fixed for all 292 * records. */ 293 uint8_t fixed_nonce[8]; 294 uint8_t fixed_nonce_len, variable_nonce_len; 295 /* variable_nonce_included_in_record is non-zero if the variable nonce 296 * for a record is included as a prefix before the ciphertext. */ 297 char variable_nonce_included_in_record; 298 /* random_variable_nonce is non-zero if the variable nonce is 299 * randomly generated, rather than derived from the sequence 300 * number. */ 301 char random_variable_nonce; 302 /* omit_length_in_ad is non-zero if the length should be omitted in the 303 * AEAD's ad parameter. */ 304 char omit_length_in_ad; 305 /* omit_version_in_ad is non-zero if the version should be omitted 306 * in the AEAD's ad parameter. */ 307 char omit_version_in_ad; 308 } /* SSL_AEAD_CTX */; 309 310 /* SSL_AEAD_CTX_new creates a newly-allocated |SSL_AEAD_CTX| using the supplied 311 * key material. It returns NULL on error. Only one of |SSL_AEAD_CTX_open| or 312 * |SSL_AEAD_CTX_seal| may be used with the resulting object, depending on 313 * |direction|. |version| is the normalized protocol version, so DTLS 1.0 is 314 * represented as 0x0301, not 0xffef. */ 315 SSL_AEAD_CTX *SSL_AEAD_CTX_new(enum evp_aead_direction_t direction, 316 uint16_t version, const SSL_CIPHER *cipher, 317 const uint8_t *enc_key, size_t enc_key_len, 318 const uint8_t *mac_key, size_t mac_key_len, 319 const uint8_t *fixed_iv, size_t fixed_iv_len); 320 321 /* SSL_AEAD_CTX_free frees |ctx|. */ 322 void SSL_AEAD_CTX_free(SSL_AEAD_CTX *ctx); 323 324 /* SSL_AEAD_CTX_explicit_nonce_len returns the length of the explicit nonce for 325 * |ctx|, if any. |ctx| may be NULL to denote the null cipher. */ 326 size_t SSL_AEAD_CTX_explicit_nonce_len(SSL_AEAD_CTX *ctx); 327 328 /* SSL_AEAD_CTX_max_overhead returns the maximum overhead of calling 329 * |SSL_AEAD_CTX_seal|. |ctx| may be NULL to denote the null cipher. */ 330 size_t SSL_AEAD_CTX_max_overhead(SSL_AEAD_CTX *ctx); 331 332 /* SSL_AEAD_CTX_open authenticates and decrypts |in_len| bytes from |in| and 333 * writes the result to |out|. It returns one on success and zero on 334 * error. |ctx| may be NULL to denote the null cipher. 335 * 336 * If |in| and |out| alias then |out| must be <= |in| + |explicit_nonce_len|. */ 337 int SSL_AEAD_CTX_open(SSL_AEAD_CTX *ctx, uint8_t *out, size_t *out_len, 338 size_t max_out, uint8_t type, uint16_t wire_version, 339 const uint8_t seqnum[8], const uint8_t *in, 340 size_t in_len); 341 342 /* SSL_AEAD_CTX_seal encrypts and authenticates |in_len| bytes from |in| and 343 * writes the result to |out|. It returns one on success and zero on 344 * error. |ctx| may be NULL to denote the null cipher. 345 * 346 * If |in| and |out| alias then |out| + |explicit_nonce_len| must be <= |in| */ 347 int SSL_AEAD_CTX_seal(SSL_AEAD_CTX *ctx, uint8_t *out, size_t *out_len, 348 size_t max_out, uint8_t type, uint16_t wire_version, 349 const uint8_t seqnum[8], const uint8_t *in, 350 size_t in_len); 351 352 353 /* Underdocumented functions. 354 * 355 * Functions below here haven't been touched up and may be underdocumented. */ 356 357 #define c2l(c, l) \ 358 (l = ((unsigned long)(*((c)++))), l |= (((unsigned long)(*((c)++))) << 8), \ 359 l |= (((unsigned long)(*((c)++))) << 16), \ 360 l |= (((unsigned long)(*((c)++))) << 24)) 361 362 /* NOTE - c is not incremented as per c2l */ 363 #define c2ln(c, l1, l2, n) \ 364 { \ 365 c += n; \ 366 l1 = l2 = 0; \ 367 switch (n) { \ 368 case 8: \ 369 l2 = ((unsigned long)(*(--(c)))) << 24; \ 370 case 7: \ 371 l2 |= ((unsigned long)(*(--(c)))) << 16; \ 372 case 6: \ 373 l2 |= ((unsigned long)(*(--(c)))) << 8; \ 374 case 5: \ 375 l2 |= ((unsigned long)(*(--(c)))); \ 376 case 4: \ 377 l1 = ((unsigned long)(*(--(c)))) << 24; \ 378 case 3: \ 379 l1 |= ((unsigned long)(*(--(c)))) << 16; \ 380 case 2: \ 381 l1 |= ((unsigned long)(*(--(c)))) << 8; \ 382 case 1: \ 383 l1 |= ((unsigned long)(*(--(c)))); \ 384 } \ 385 } 386 387 #define l2c(l, c) \ 388 (*((c)++) = (uint8_t)(((l)) & 0xff), \ 389 *((c)++) = (uint8_t)(((l) >> 8) & 0xff), \ 390 *((c)++) = (uint8_t)(((l) >> 16) & 0xff), \ 391 *((c)++) = (uint8_t)(((l) >> 24) & 0xff)) 392 393 #define n2l(c, l) \ 394 (l = ((unsigned long)(*((c)++))) << 24, \ 395 l |= ((unsigned long)(*((c)++))) << 16, \ 396 l |= ((unsigned long)(*((c)++))) << 8, l |= ((unsigned long)(*((c)++)))) 397 398 #define l2n(l, c) \ 399 (*((c)++) = (uint8_t)(((l) >> 24) & 0xff), \ 400 *((c)++) = (uint8_t)(((l) >> 16) & 0xff), \ 401 *((c)++) = (uint8_t)(((l) >> 8) & 0xff), \ 402 *((c)++) = (uint8_t)(((l)) & 0xff)) 403 404 #define l2n8(l, c) \ 405 (*((c)++) = (uint8_t)(((l) >> 56) & 0xff), \ 406 *((c)++) = (uint8_t)(((l) >> 48) & 0xff), \ 407 *((c)++) = (uint8_t)(((l) >> 40) & 0xff), \ 408 *((c)++) = (uint8_t)(((l) >> 32) & 0xff), \ 409 *((c)++) = (uint8_t)(((l) >> 24) & 0xff), \ 410 *((c)++) = (uint8_t)(((l) >> 16) & 0xff), \ 411 *((c)++) = (uint8_t)(((l) >> 8) & 0xff), \ 412 *((c)++) = (uint8_t)(((l)) & 0xff)) 413 414 /* NOTE - c is not incremented as per l2c */ 415 #define l2cn(l1, l2, c, n) \ 416 { \ 417 c += n; \ 418 switch (n) { \ 419 case 8: \ 420 *(--(c)) = (uint8_t)(((l2) >> 24) & 0xff); \ 421 case 7: \ 422 *(--(c)) = (uint8_t)(((l2) >> 16) & 0xff); \ 423 case 6: \ 424 *(--(c)) = (uint8_t)(((l2) >> 8) & 0xff); \ 425 case 5: \ 426 *(--(c)) = (uint8_t)(((l2)) & 0xff); \ 427 case 4: \ 428 *(--(c)) = (uint8_t)(((l1) >> 24) & 0xff); \ 429 case 3: \ 430 *(--(c)) = (uint8_t)(((l1) >> 16) & 0xff); \ 431 case 2: \ 432 *(--(c)) = (uint8_t)(((l1) >> 8) & 0xff); \ 433 case 1: \ 434 *(--(c)) = (uint8_t)(((l1)) & 0xff); \ 435 } \ 436 } 437 438 #define n2s(c, s) \ 439 ((s = (((unsigned int)(c[0])) << 8) | (((unsigned int)(c[1])))), c += 2) 440 441 #define s2n(s, c) \ 442 ((c[0] = (uint8_t)(((s) >> 8) & 0xff), \ 443 c[1] = (uint8_t)(((s)) & 0xff)), \ 444 c += 2) 445 446 #define n2l3(c, l) \ 447 ((l = (((unsigned long)(c[0])) << 16) | (((unsigned long)(c[1])) << 8) | \ 448 (((unsigned long)(c[2])))), \ 449 c += 3) 450 451 #define l2n3(l, c) \ 452 ((c[0] = (uint8_t)(((l) >> 16) & 0xff), \ 453 c[1] = (uint8_t)(((l) >> 8) & 0xff), \ 454 c[2] = (uint8_t)(((l)) & 0xff)), \ 455 c += 3) 456 457 /* LOCAL STUFF */ 458 459 #define TLSEXT_CHANNEL_ID_SIZE 128 460 461 /* Check if an SSL structure is using DTLS */ 462 #define SSL_IS_DTLS(s) (s->method->is_dtls) 463 /* See if we need explicit IV */ 464 #define SSL_USE_EXPLICIT_IV(s) \ 465 (s->enc_method->enc_flags & SSL_ENC_FLAG_EXPLICIT_IV) 466 /* See if we use signature algorithms extension and signature algorithm before 467 * signatures. */ 468 #define SSL_USE_SIGALGS(s) (s->enc_method->enc_flags & SSL_ENC_FLAG_SIGALGS) 469 /* Allow TLS 1.2 ciphersuites: applies to DTLS 1.2 as well as TLS 1.2: may 470 * apply to others in future. */ 471 #define SSL_USE_TLS1_2_CIPHERS(s) \ 472 (s->enc_method->enc_flags & SSL_ENC_FLAG_TLS1_2_CIPHERS) 473 /* Determine if a client can use TLS 1.2 ciphersuites: can't rely on method 474 * flags because it may not be set to correct version yet. */ 475 #define SSL_CLIENT_USE_TLS1_2_CIPHERS(s) \ 476 ((SSL_IS_DTLS(s) && s->client_version <= DTLS1_2_VERSION) || \ 477 (!SSL_IS_DTLS(s) && s->client_version >= TLS1_2_VERSION)) 478 479 /* SSL_kRSA <- RSA_ENC | (RSA_TMP & RSA_SIGN) | 480 * <- (EXPORT & (RSA_ENC | RSA_TMP) & RSA_SIGN) 481 * SSL_kDH <- DH_ENC & (RSA_ENC | RSA_SIGN | DSA_SIGN) 482 * SSL_kDHE <- RSA_ENC | RSA_SIGN | DSA_SIGN 483 * SSL_aRSA <- RSA_ENC | RSA_SIGN 484 * SSL_aDSS <- DSA_SIGN */ 485 486 #define PENDING_SESSION -10000 487 488 /* From RFC4492, used in encoding the curve type in ECParameters */ 489 #define EXPLICIT_PRIME_CURVE_TYPE 1 490 #define EXPLICIT_CHAR2_CURVE_TYPE 2 491 #define NAMED_CURVE_TYPE 3 492 493 enum ssl_hash_message_t { 494 ssl_dont_hash_message, 495 ssl_hash_message, 496 }; 497 498 typedef struct cert_pkey_st { 499 X509 *x509; 500 EVP_PKEY *privatekey; 501 /* Chain for this certificate */ 502 STACK_OF(X509) *chain; 503 } CERT_PKEY; 504 505 typedef struct cert_st { 506 /* Current active set */ 507 CERT_PKEY *key; /* ALWAYS points to an element of the pkeys array 508 * Probably it would make more sense to store 509 * an index, not a pointer. */ 510 511 /* For clients the following masks are of *disabled* key and auth algorithms 512 * based on the current session. 513 * 514 * TODO(davidben): Remove these. They get checked twice: when sending the 515 * ClientHello and when processing the ServerHello. However, mask_ssl is a 516 * different value both times. mask_k and mask_a are not, but is a 517 * round-about way of checking the server's cipher was one of the advertised 518 * ones. (Currently it checks the masks and then the list of ciphers prior to 519 * applying the masks in ClientHello.) */ 520 uint32_t mask_k; 521 uint32_t mask_a; 522 uint32_t mask_ssl; 523 524 DH *dh_tmp; 525 DH *(*dh_tmp_cb)(SSL *ssl, int is_export, int keysize); 526 527 /* ecdh_nid, if not |NID_undef|, is the NID of the curve to use for ephemeral 528 * ECDH keys. If unset, |ecdh_tmp_cb| is consulted. */ 529 int ecdh_nid; 530 /* ecdh_tmp_cb is a callback for selecting the curve to use for ephemeral ECDH 531 * keys. If NULL, a curve is selected automatically. See 532 * |SSL_CTX_set_tmp_ecdh_callback|. */ 533 EC_KEY *(*ecdh_tmp_cb)(SSL *ssl, int is_export, int keysize); 534 CERT_PKEY pkeys[SSL_PKEY_NUM]; 535 536 /* Server-only: client_certificate_types is list of certificate types to 537 * include in the CertificateRequest message. 538 */ 539 uint8_t *client_certificate_types; 540 size_t num_client_certificate_types; 541 542 /* signature algorithms peer reports: e.g. supported signature 543 * algorithms extension for server or as part of a certificate 544 * request for client. */ 545 uint8_t *peer_sigalgs; 546 /* Size of above array */ 547 size_t peer_sigalgslen; 548 /* suppported signature algorithms. 549 * When set on a client this is sent in the client hello as the 550 * supported signature algorithms extension. For servers 551 * it represents the signature algorithms we are willing to use. */ 552 uint8_t *conf_sigalgs; 553 /* Size of above array */ 554 size_t conf_sigalgslen; 555 /* Client authentication signature algorithms, if not set then 556 * uses conf_sigalgs. On servers these will be the signature 557 * algorithms sent to the client in a cerificate request for TLS 1.2. 558 * On a client this represents the signature algortithms we are 559 * willing to use for client authentication. */ 560 uint8_t *client_sigalgs; 561 /* Size of above array */ 562 size_t client_sigalgslen; 563 /* Signature algorithms shared by client and server: cached 564 * because these are used most often. */ 565 TLS_SIGALGS *shared_sigalgs; 566 size_t shared_sigalgslen; 567 568 /* Certificate setup callback: if set is called whenever a 569 * certificate may be required (client or server). the callback 570 * can then examine any appropriate parameters and setup any 571 * certificates required. This allows advanced applications 572 * to select certificates on the fly: for example based on 573 * supported signature algorithms or curves. */ 574 int (*cert_cb)(SSL *ssl, void *arg); 575 void *cert_cb_arg; 576 577 /* Optional X509_STORE for chain building or certificate validation 578 * If NULL the parent SSL_CTX store is used instead. */ 579 X509_STORE *chain_store; 580 X509_STORE *verify_store; 581 } CERT; 582 583 typedef struct sess_cert_st { 584 STACK_OF(X509) *cert_chain; /* as received from peer (not for SSL2) */ 585 586 /* The 'peer_...' members are used only by clients. */ 587 int peer_cert_type; 588 589 CERT_PKEY *peer_key; /* points to an element of peer_pkeys (never NULL!) */ 590 CERT_PKEY peer_pkeys[SSL_PKEY_NUM]; 591 /* Obviously we don't have the private keys of these, 592 * so maybe we shouldn't even use the CERT_PKEY type here. */ 593 594 DH *peer_dh_tmp; 595 EC_KEY *peer_ecdh_tmp; 596 } SESS_CERT; 597 598 /* Structure containing decoded values of signature algorithms extension */ 599 struct tls_sigalgs_st { 600 /* NID of hash algorithm */ 601 int hash_nid; 602 /* NID of signature algorithm */ 603 int sign_nid; 604 /* Combined hash and signature NID */ 605 int signandhash_nid; 606 /* Raw values used in extension */ 607 uint8_t rsign; 608 uint8_t rhash; 609 }; 610 611 /* SSL_METHOD is a compatibility structure to support the legacy version-locked 612 * methods. */ 613 struct ssl_method_st { 614 /* version, if non-zero, is the only protocol version acceptable to an 615 * SSL_CTX initialized from this method. */ 616 uint16_t version; 617 /* method is the underlying SSL_PROTOCOL_METHOD that initializes the 618 * SSL_CTX. */ 619 const SSL_PROTOCOL_METHOD *method; 620 }; 621 622 /* Used to hold functions for SSLv2 or SSLv3/TLSv1 functions */ 623 struct ssl_protocol_method_st { 624 /* is_dtls is one if the protocol is DTLS and zero otherwise. */ 625 char is_dtls; 626 int (*ssl_new)(SSL *s); 627 void (*ssl_free)(SSL *s); 628 int (*ssl_accept)(SSL *s); 629 int (*ssl_connect)(SSL *s); 630 long (*ssl_get_message)(SSL *s, int header_state, int body_state, 631 int msg_type, long max, 632 enum ssl_hash_message_t hash_message, int *ok); 633 int (*ssl_read_app_data)(SSL *s, uint8_t *buf, int len, int peek); 634 void (*ssl_read_close_notify)(SSL *s); 635 int (*ssl_write_app_data)(SSL *s, const void *buf_, int len); 636 int (*ssl_dispatch_alert)(SSL *s); 637 long (*ssl_ctrl)(SSL *s, int cmd, long larg, void *parg); 638 long (*ssl_ctx_ctrl)(SSL_CTX *ctx, int cmd, long larg, void *parg); 639 /* supports_cipher returns one if |cipher| is supported by this protocol and 640 * zero otherwise. */ 641 int (*supports_cipher)(const SSL_CIPHER *cipher); 642 /* Handshake header length */ 643 unsigned int hhlen; 644 /* Set the handshake header */ 645 int (*set_handshake_header)(SSL *s, int type, unsigned long len); 646 /* Write out handshake message */ 647 int (*do_write)(SSL *s); 648 }; 649 650 /* This is for the SSLv3/TLSv1.0 differences in crypto/hash stuff It is a bit 651 * of a mess of functions, but hell, think of it as an opaque structure. */ 652 struct ssl3_enc_method { 653 int (*prf)(SSL *, uint8_t *, size_t, const uint8_t *, size_t, const char *, 654 size_t, const uint8_t *, size_t, const uint8_t *, size_t); 655 int (*setup_key_block)(SSL *); 656 int (*generate_master_secret)(SSL *, uint8_t *, const uint8_t *, size_t); 657 int (*change_cipher_state)(SSL *, int); 658 int (*final_finish_mac)(SSL *, const char *, int, uint8_t *); 659 int (*cert_verify_mac)(SSL *, int, uint8_t *); 660 const char *client_finished_label; 661 int client_finished_label_len; 662 const char *server_finished_label; 663 int server_finished_label_len; 664 int (*alert_value)(int); 665 int (*export_keying_material)(SSL *, uint8_t *, size_t, const char *, size_t, 666 const uint8_t *, size_t, int use_context); 667 /* Various flags indicating protocol version requirements */ 668 unsigned int enc_flags; 669 }; 670 671 #define SSL_HM_HEADER_LENGTH(s) s->method->hhlen 672 #define ssl_handshake_start(s) \ 673 (((uint8_t *)s->init_buf->data) + s->method->hhlen) 674 #define ssl_set_handshake_header(s, htype, len) \ 675 s->method->set_handshake_header(s, htype, len) 676 #define ssl_do_write(s) s->method->do_write(s) 677 678 /* Values for enc_flags */ 679 680 /* Uses explicit IV for CBC mode */ 681 #define SSL_ENC_FLAG_EXPLICIT_IV 0x1 682 /* Uses signature algorithms extension */ 683 #define SSL_ENC_FLAG_SIGALGS 0x2 684 /* Uses SHA256 default PRF */ 685 #define SSL_ENC_FLAG_SHA256_PRF 0x4 686 /* Allow TLS 1.2 ciphersuites: applies to DTLS 1.2 as well as TLS 1.2: 687 * may apply to others in future. */ 688 #define SSL_ENC_FLAG_TLS1_2_CIPHERS 0x8 689 690 /* lengths of messages */ 691 #define DTLS1_COOKIE_LENGTH 256 692 693 #define DTLS1_RT_HEADER_LENGTH 13 694 695 #define DTLS1_HM_HEADER_LENGTH 12 696 697 #define DTLS1_CCS_HEADER_LENGTH 1 698 699 #define DTLS1_AL_HEADER_LENGTH 2 700 701 typedef struct dtls1_bitmap_st { 702 /* map is a bit mask of the last 64 sequence numbers. Bit 703 * |1<<i| corresponds to |max_seq_num - i|. */ 704 uint64_t map; 705 /* max_seq_num is the largest sequence number seen so far. It 706 * is a 64-bit value in big-endian encoding. */ 707 uint8_t max_seq_num[8]; 708 } DTLS1_BITMAP; 709 710 /* TODO(davidben): This structure is used for both incoming messages and 711 * outgoing messages. |is_ccs| and |epoch| are only used in the latter and 712 * should be moved elsewhere. */ 713 struct hm_header_st { 714 uint8_t type; 715 uint32_t msg_len; 716 uint16_t seq; 717 uint32_t frag_off; 718 uint32_t frag_len; 719 int is_ccs; 720 /* epoch, for buffered outgoing messages, is the epoch the message was 721 * originally sent in. */ 722 uint16_t epoch; 723 }; 724 725 /* TODO(davidben): This structure is used for both incoming messages and 726 * outgoing messages. |fragment| and |reassembly| are only used in the former 727 * and should be moved elsewhere. */ 728 typedef struct hm_fragment_st { 729 struct hm_header_st msg_header; 730 uint8_t *fragment; 731 uint8_t *reassembly; 732 } hm_fragment; 733 734 typedef struct dtls1_state_st { 735 /* send_cookie is true if we are resending the ClientHello 736 * with a cookie from a HelloVerifyRequest. */ 737 unsigned int send_cookie; 738 739 uint8_t cookie[DTLS1_COOKIE_LENGTH]; 740 size_t cookie_len; 741 742 /* The current data and handshake epoch. This is initially undefined, and 743 * starts at zero once the initial handshake is completed. */ 744 uint16_t r_epoch; 745 uint16_t w_epoch; 746 747 /* records being received in the current epoch */ 748 DTLS1_BITMAP bitmap; 749 750 /* handshake message numbers */ 751 uint16_t handshake_write_seq; 752 uint16_t next_handshake_write_seq; 753 754 uint16_t handshake_read_seq; 755 756 /* save last sequence number for retransmissions */ 757 uint8_t last_write_sequence[8]; 758 759 /* buffered_messages is a priority queue of incoming handshake messages that 760 * have yet to be processed. 761 * 762 * TODO(davidben): This data structure may as well be a ring buffer of fixed 763 * size. */ 764 pqueue buffered_messages; 765 766 /* send_messages is a priority queue of outgoing handshake messages sent in 767 * the most recent handshake flight. 768 * 769 * TODO(davidben): This data structure may as well be a STACK_OF(T). */ 770 pqueue sent_messages; 771 772 unsigned int mtu; /* max DTLS packet size */ 773 774 struct hm_header_st w_msg_hdr; 775 776 /* num_timeouts is the number of times the retransmit timer has fired since 777 * the last time it was reset. */ 778 unsigned int num_timeouts; 779 780 /* Indicates when the last handshake msg or heartbeat sent will 781 * timeout. */ 782 struct timeval next_timeout; 783 784 /* Timeout duration */ 785 unsigned short timeout_duration; 786 787 unsigned int change_cipher_spec_ok; 788 } DTLS1_STATE; 789 790 extern const SSL3_ENC_METHOD TLSv1_enc_data; 791 extern const SSL3_ENC_METHOD TLSv1_1_enc_data; 792 extern const SSL3_ENC_METHOD TLSv1_2_enc_data; 793 extern const SSL3_ENC_METHOD SSLv3_enc_data; 794 795 void ssl_clear_cipher_ctx(SSL *s); 796 int ssl_clear_bad_session(SSL *s); 797 CERT *ssl_cert_new(void); 798 CERT *ssl_cert_dup(CERT *cert); 799 void ssl_cert_clear_certs(CERT *c); 800 void ssl_cert_free(CERT *c); 801 SESS_CERT *ssl_sess_cert_new(void); 802 void ssl_sess_cert_free(SESS_CERT *sc); 803 int ssl_set_peer_cert_type(SESS_CERT *c, int type); 804 int ssl_get_new_session(SSL *s, int session); 805 int ssl_get_prev_session(SSL *s, const struct ssl_early_callback_ctx *ctx); 806 STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s, const CBS *cbs); 807 int ssl_cipher_list_to_bytes(SSL *s, STACK_OF(SSL_CIPHER) *sk, uint8_t *p); 808 struct ssl_cipher_preference_list_st *ssl_cipher_preference_list_dup( 809 struct ssl_cipher_preference_list_st *cipher_list); 810 void ssl_cipher_preference_list_free( 811 struct ssl_cipher_preference_list_st *cipher_list); 812 struct ssl_cipher_preference_list_st *ssl_cipher_preference_list_from_ciphers( 813 STACK_OF(SSL_CIPHER) *ciphers); 814 struct ssl_cipher_preference_list_st *ssl_get_cipher_preferences(SSL *s); 815 816 int ssl_cert_set0_chain(CERT *c, STACK_OF(X509) *chain); 817 int ssl_cert_set1_chain(CERT *c, STACK_OF(X509) *chain); 818 int ssl_cert_add0_chain_cert(CERT *c, X509 *x); 819 int ssl_cert_add1_chain_cert(CERT *c, X509 *x); 820 int ssl_cert_select_current(CERT *c, X509 *x); 821 void ssl_cert_set_cert_cb(CERT *c, int (*cb)(SSL *ssl, void *arg), void *arg); 822 823 int ssl_verify_cert_chain(SSL *s, STACK_OF(X509) *sk); 824 int ssl_add_cert_chain(SSL *s, CERT_PKEY *cpk, unsigned long *l); 825 int ssl_build_cert_chain(CERT *c, X509_STORE *chain_store, int flags); 826 int ssl_cert_set_cert_store(CERT *c, X509_STORE *store, int chain, int ref); 827 CERT_PKEY *ssl_get_server_send_pkey(const SSL *s); 828 EVP_PKEY *ssl_get_sign_pkey(SSL *s, const SSL_CIPHER *c); 829 void ssl_update_cache(SSL *s, int mode); 830 int ssl_cert_type(EVP_PKEY *pkey); 831 832 /* ssl_get_compatible_server_ciphers determines the key exchange and 833 * authentication cipher suite masks compatible with the server configuration 834 * and current ClientHello parameters of |s|. It sets |*out_mask_k| to the key 835 * exchange mask and |*out_mask_a| to the authentication mask. */ 836 void ssl_get_compatible_server_ciphers(SSL *s, uint32_t *out_mask_k, 837 uint32_t *out_mask_a); 838 839 STACK_OF(SSL_CIPHER) *ssl_get_ciphers_by_id(SSL *s); 840 int ssl_verify_alarm_type(long type); 841 842 /* ssl_fill_hello_random fills a client_random or server_random field of length 843 * |len|. It returns one on success and zero on failure. */ 844 int ssl_fill_hello_random(uint8_t *out, size_t len, int is_server); 845 846 int ssl3_init_finished_mac(SSL *s); 847 int ssl3_send_server_certificate(SSL *s); 848 int ssl3_send_new_session_ticket(SSL *s); 849 int ssl3_send_cert_status(SSL *s); 850 int ssl3_get_finished(SSL *s, int state_a, int state_b); 851 int ssl3_send_change_cipher_spec(SSL *s, int state_a, int state_b); 852 int ssl3_prf(SSL *s, uint8_t *out, size_t out_len, const uint8_t *secret, 853 size_t secret_len, const char *label, size_t label_len, 854 const uint8_t *seed1, size_t seed1_len, 855 const uint8_t *seed2, size_t seed2_len); 856 void ssl3_cleanup_key_block(SSL *s); 857 int ssl3_do_write(SSL *s, int type); 858 int ssl3_send_alert(SSL *s, int level, int desc); 859 int ssl3_get_req_cert_type(SSL *s, uint8_t *p); 860 long ssl3_get_message(SSL *s, int header_state, int body_state, int msg_type, 861 long max, enum ssl_hash_message_t hash_message, int *ok); 862 863 /* ssl3_hash_current_message incorporates the current handshake message into the 864 * handshake hash. It returns one on success and zero on allocation failure. */ 865 int ssl3_hash_current_message(SSL *s); 866 867 /* ssl3_cert_verify_hash writes the CertificateVerify hash into the bytes 868 * pointed to by |out| and writes the number of bytes to |*out_len|. |out| must 869 * have room for EVP_MAX_MD_SIZE bytes. For TLS 1.2 and up, |*out_md| is used 870 * for the hash function, otherwise the hash function depends on the type of 871 * |pkey| and is written to |*out_md|. It returns one on success and zero on 872 * failure. */ 873 int ssl3_cert_verify_hash(SSL *s, uint8_t *out, size_t *out_len, 874 const EVP_MD **out_md, EVP_PKEY *pkey); 875 876 int ssl3_send_finished(SSL *s, int a, int b, const char *sender, int slen); 877 int ssl3_supports_cipher(const SSL_CIPHER *cipher); 878 int ssl3_dispatch_alert(SSL *s); 879 int ssl3_expect_change_cipher_spec(SSL *s); 880 int ssl3_read_app_data(SSL *ssl, uint8_t *buf, int len, int peek); 881 void ssl3_read_close_notify(SSL *ssl); 882 int ssl3_read_bytes(SSL *s, int type, uint8_t *buf, int len, int peek); 883 int ssl3_write_app_data(SSL *ssl, const void *buf, int len); 884 int ssl3_write_bytes(SSL *s, int type, const void *buf, int len); 885 int ssl3_final_finish_mac(SSL *s, const char *sender, int slen, uint8_t *p); 886 int ssl3_cert_verify_mac(SSL *s, int md_nid, uint8_t *p); 887 int ssl3_finish_mac(SSL *s, const uint8_t *buf, int len); 888 void ssl3_free_digest_list(SSL *s); 889 int ssl3_output_cert_chain(SSL *s, CERT_PKEY *cpk); 890 const SSL_CIPHER *ssl3_choose_cipher( 891 SSL *ssl, STACK_OF(SSL_CIPHER) *clnt, 892 struct ssl_cipher_preference_list_st *srvr); 893 int ssl3_setup_read_buffer(SSL *s); 894 int ssl3_setup_write_buffer(SSL *s); 895 int ssl3_release_read_buffer(SSL *s); 896 int ssl3_release_write_buffer(SSL *s); 897 898 enum should_free_handshake_buffer_t { 899 free_handshake_buffer, 900 dont_free_handshake_buffer, 901 }; 902 int ssl3_digest_cached_records(SSL *s, enum should_free_handshake_buffer_t); 903 904 int ssl3_new(SSL *s); 905 void ssl3_free(SSL *s); 906 int ssl3_accept(SSL *s); 907 int ssl3_connect(SSL *s); 908 long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg); 909 long ssl3_ctx_ctrl(SSL_CTX *s, int cmd, long larg, void *parg); 910 911 /* ssl3_record_sequence_update increments the sequence number in |seq|. It 912 * returns one on success and zero on wraparound. */ 913 int ssl3_record_sequence_update(uint8_t *seq, size_t seq_len); 914 915 int ssl3_do_change_cipher_spec(SSL *ssl); 916 917 int ssl3_set_handshake_header(SSL *s, int htype, unsigned long len); 918 int ssl3_handshake_write(SSL *s); 919 920 enum dtls1_use_epoch_t { 921 dtls1_use_previous_epoch, 922 dtls1_use_current_epoch, 923 }; 924 925 int dtls1_do_write(SSL *s, int type, enum dtls1_use_epoch_t use_epoch); 926 int ssl3_read_n(SSL *s, int n, int extend); 927 int dtls1_read_app_data(SSL *ssl, uint8_t *buf, int len, int peek); 928 void dtls1_read_close_notify(SSL *ssl); 929 int dtls1_read_bytes(SSL *s, int type, uint8_t *buf, int len, int peek); 930 int ssl3_write_pending(SSL *s, int type, const uint8_t *buf, unsigned int len); 931 void dtls1_set_message_header(SSL *s, uint8_t mt, unsigned long len, 932 unsigned short seq_num, unsigned long frag_off, 933 unsigned long frag_len); 934 935 int dtls1_write_app_data(SSL *s, const void *buf, int len); 936 int dtls1_write_bytes(SSL *s, int type, const void *buf, int len, 937 enum dtls1_use_epoch_t use_epoch); 938 939 int dtls1_send_change_cipher_spec(SSL *s, int a, int b); 940 int dtls1_send_finished(SSL *s, int a, int b, const char *sender, int slen); 941 int dtls1_read_failed(SSL *s, int code); 942 int dtls1_buffer_message(SSL *s, int ccs); 943 int dtls1_get_queue_priority(unsigned short seq, int is_ccs); 944 int dtls1_retransmit_buffered_messages(SSL *s); 945 void dtls1_clear_record_buffer(SSL *s); 946 void dtls1_get_message_header(uint8_t *data, struct hm_header_st *msg_hdr); 947 void dtls1_reset_seq_numbers(SSL *s, int rw); 948 int dtls1_check_timeout_num(SSL *s); 949 int dtls1_set_handshake_header(SSL *s, int type, unsigned long len); 950 int dtls1_handshake_write(SSL *s); 951 952 int dtls1_supports_cipher(const SSL_CIPHER *cipher); 953 void dtls1_start_timer(SSL *s); 954 void dtls1_stop_timer(SSL *s); 955 int dtls1_is_timer_expired(SSL *s); 956 void dtls1_double_timeout(SSL *s); 957 unsigned int dtls1_min_mtu(void); 958 void dtls1_hm_fragment_free(hm_fragment *frag); 959 960 /* some client-only functions */ 961 int ssl3_send_client_hello(SSL *s); 962 int ssl3_get_server_hello(SSL *s); 963 int ssl3_get_certificate_request(SSL *s); 964 int ssl3_get_new_session_ticket(SSL *s); 965 int ssl3_get_cert_status(SSL *s); 966 int ssl3_get_server_done(SSL *s); 967 int ssl3_send_cert_verify(SSL *s); 968 int ssl3_send_client_certificate(SSL *s); 969 int ssl_do_client_cert_cb(SSL *s, X509 **px509, EVP_PKEY **ppkey); 970 int ssl3_send_client_key_exchange(SSL *s); 971 int ssl3_get_server_key_exchange(SSL *s); 972 int ssl3_get_server_certificate(SSL *s); 973 int ssl3_check_cert_and_algorithm(SSL *s); 974 int ssl3_send_next_proto(SSL *s); 975 int ssl3_send_channel_id(SSL *s); 976 977 int dtls1_client_hello(SSL *s); 978 979 /* some server-only functions */ 980 int ssl3_get_initial_bytes(SSL *s); 981 int ssl3_get_v2_client_hello(SSL *s); 982 int ssl3_get_client_hello(SSL *s); 983 int ssl3_send_server_hello(SSL *s); 984 int ssl3_send_server_key_exchange(SSL *s); 985 int ssl3_send_certificate_request(SSL *s); 986 int ssl3_send_server_done(SSL *s); 987 int ssl3_get_client_certificate(SSL *s); 988 int ssl3_get_client_key_exchange(SSL *s); 989 int ssl3_get_cert_verify(SSL *s); 990 int ssl3_get_next_proto(SSL *s); 991 int ssl3_get_channel_id(SSL *s); 992 993 int dtls1_new(SSL *s); 994 int dtls1_accept(SSL *s); 995 int dtls1_connect(SSL *s); 996 void dtls1_free(SSL *s); 997 998 long dtls1_get_message(SSL *s, int st1, int stn, int mt, long max, 999 enum ssl_hash_message_t hash_message, int *ok); 1000 int dtls1_get_record(SSL *s); 1001 int dtls1_dispatch_alert(SSL *s); 1002 1003 int ssl_init_wbio_buffer(SSL *s, int push); 1004 void ssl_free_wbio_buffer(SSL *s); 1005 1006 /* tls1_prf computes the TLS PRF function for |s| as described in RFC 5246, 1007 * section 5 and RFC 2246 section 5. It writes |out_len| bytes to |out|, using 1008 * |secret| as the secret and |label| as the label. |seed1| and |seed2| are 1009 * concatenated to form the seed parameter. It returns one on success and zero 1010 * on failure. */ 1011 int tls1_prf(SSL *s, uint8_t *out, size_t out_len, const uint8_t *secret, 1012 size_t secret_len, const char *label, size_t label_len, 1013 const uint8_t *seed1, size_t seed1_len, 1014 const uint8_t *seed2, size_t seed2_len); 1015 1016 int tls1_change_cipher_state(SSL *s, int which); 1017 int tls1_setup_key_block(SSL *s); 1018 int tls1_handshake_digest(SSL *s, uint8_t *out, size_t out_len); 1019 int tls1_final_finish_mac(SSL *s, const char *str, int slen, uint8_t *p); 1020 int tls1_cert_verify_mac(SSL *s, int md_nid, uint8_t *p); 1021 int tls1_generate_master_secret(SSL *s, uint8_t *out, const uint8_t *premaster, 1022 size_t premaster_len); 1023 int tls1_export_keying_material(SSL *s, uint8_t *out, size_t out_len, 1024 const char *label, size_t label_len, 1025 const uint8_t *context, size_t context_len, 1026 int use_context); 1027 int tls1_alert_code(int code); 1028 int ssl3_alert_code(int code); 1029 1030 int ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s); 1031 1032 char ssl_early_callback_init(struct ssl_early_callback_ctx *ctx); 1033 int tls1_ec_curve_id2nid(uint16_t curve_id); 1034 int tls1_ec_nid2curve_id(uint16_t *out_curve_id, int nid); 1035 1036 /* tls1_check_curve parses ECParameters out of |cbs|, modifying it. It 1037 * checks the curve is one of our preferences and writes the 1038 * NamedCurve value to |*out_curve_id|. It returns one on success and 1039 * zero on error. */ 1040 int tls1_check_curve(SSL *s, CBS *cbs, uint16_t *out_curve_id); 1041 1042 /* tls1_get_shared_curve returns the NID of the first preferred shared curve 1043 * between client and server preferences. If none can be found, it returns 1044 * NID_undef. */ 1045 int tls1_get_shared_curve(SSL *s); 1046 1047 /* tls1_set_curves converts the array of |ncurves| NIDs pointed to by |curves| 1048 * into a newly allocated array of TLS curve IDs. On success, the function 1049 * returns one and writes the array to |*out_curve_ids| and its size to 1050 * |*out_curve_ids_len|. Otherwise, it returns zero. */ 1051 int tls1_set_curves(uint16_t **out_curve_ids, size_t *out_curve_ids_len, 1052 const int *curves, size_t ncurves); 1053 1054 /* tls1_check_ec_cert returns one if |x| is an ECC certificate with curve and 1055 * point format compatible with the client's preferences. Otherwise it returns 1056 * zero. */ 1057 int tls1_check_ec_cert(SSL *s, X509 *x); 1058 1059 /* tls1_check_ec_tmp_key returns one if the EC temporary key is compatible with 1060 * client extensions and zero otherwise. */ 1061 int tls1_check_ec_tmp_key(SSL *s); 1062 1063 int tls1_shared_list(SSL *s, const uint8_t *l1, size_t l1len, const uint8_t *l2, 1064 size_t l2len, int nmatch); 1065 uint8_t *ssl_add_clienthello_tlsext(SSL *s, uint8_t *buf, uint8_t *limit, 1066 size_t header_len); 1067 uint8_t *ssl_add_serverhello_tlsext(SSL *s, uint8_t *buf, uint8_t *limit); 1068 int ssl_parse_clienthello_tlsext(SSL *s, CBS *cbs); 1069 int ssl_parse_serverhello_tlsext(SSL *s, CBS *cbs); 1070 int ssl_prepare_clienthello_tlsext(SSL *s); 1071 int ssl_prepare_serverhello_tlsext(SSL *s); 1072 1073 #define tlsext_tick_md EVP_sha256 1074 int tls1_process_ticket(SSL *s, const struct ssl_early_callback_ctx *ctx, 1075 SSL_SESSION **ret); 1076 1077 int tls12_get_sigandhash(uint8_t *p, const EVP_PKEY *pk, const EVP_MD *md); 1078 int tls12_get_sigid(const EVP_PKEY *pk); 1079 const EVP_MD *tls12_get_hash(uint8_t hash_alg); 1080 1081 int tls1_channel_id_hash(EVP_MD_CTX *ctx, SSL *s); 1082 int tls1_record_handshake_hashes_for_channel_id(SSL *s); 1083 1084 int tls1_set_sigalgs_list(CERT *c, const char *str, int client); 1085 int tls1_set_sigalgs(CERT *c, const int *salg, size_t salglen, int client); 1086 1087 /* ssl_ctx_log_rsa_client_key_exchange logs |premaster| to |ctx|, if logging is 1088 * enabled. It returns one on success and zero on failure. The entry is 1089 * identified by the first 8 bytes of |encrypted_premaster|. */ 1090 int ssl_ctx_log_rsa_client_key_exchange(SSL_CTX *ctx, 1091 const uint8_t *encrypted_premaster, 1092 size_t encrypted_premaster_len, 1093 const uint8_t *premaster, 1094 size_t premaster_len); 1095 1096 /* ssl_ctx_log_master_secret logs |master| to |ctx|, if logging is enabled. It 1097 * returns one on success and zero on failure. The entry is identified by 1098 * |client_random|. */ 1099 int ssl_ctx_log_master_secret(SSL_CTX *ctx, const uint8_t *client_random, 1100 size_t client_random_len, const uint8_t *master, 1101 size_t master_len); 1102 1103 /* ssl3_can_false_start returns one if |s| is allowed to False Start and zero 1104 * otherwise. */ 1105 int ssl3_can_false_start(const SSL *s); 1106 1107 /* ssl3_get_enc_method returns the SSL3_ENC_METHOD corresponding to 1108 * |version|. */ 1109 const SSL3_ENC_METHOD *ssl3_get_enc_method(uint16_t version); 1110 1111 /* ssl3_get_max_server_version returns the maximum SSL/TLS version number 1112 * supported by |s| as a server, or zero if all versions are disabled. */ 1113 uint16_t ssl3_get_max_server_version(const SSL *s); 1114 1115 /* ssl3_get_mutual_version selects the protocol version on |s| for a client 1116 * which advertises |client_version|. If no suitable version exists, it returns 1117 * zero. */ 1118 uint16_t ssl3_get_mutual_version(SSL *s, uint16_t client_version); 1119 1120 /* ssl3_get_max_client_version returns the maximum protocol version configured 1121 * for the client. It is guaranteed that the set of allowed versions at or below 1122 * this maximum version is contiguous. If all versions are disabled, it returns 1123 * zero. */ 1124 uint16_t ssl3_get_max_client_version(SSL *s); 1125 1126 /* ssl3_is_version_enabled returns one if |version| is an enabled protocol 1127 * version for |s| and zero otherwise. */ 1128 int ssl3_is_version_enabled(SSL *s, uint16_t version); 1129 1130 /* ssl3_version_from_wire maps |wire_version| to a protocol version. For 1131 * SSLv3/TLS, the version is returned as-is. For DTLS, the corresponding TLS 1132 * version is used. Note that this mapping is not injective but preserves 1133 * comparisons. 1134 * 1135 * TODO(davidben): To normalize some DTLS-specific code, move away from using 1136 * the wire version except at API boundaries. */ 1137 uint16_t ssl3_version_from_wire(SSL *s, uint16_t wire_version); 1138 1139 int ssl_add_serverhello_renegotiate_ext(SSL *s, uint8_t *p, int *len, 1140 int maxlen); 1141 int ssl_parse_serverhello_renegotiate_ext(SSL *s, CBS *cbs, int *out_alert); 1142 int ssl_add_clienthello_renegotiate_ext(SSL *s, uint8_t *p, int *len, 1143 int maxlen); 1144 int ssl_parse_clienthello_renegotiate_ext(SSL *s, CBS *cbs, int *out_alert); 1145 uint32_t ssl_get_algorithm2(SSL *s); 1146 int tls1_process_sigalgs(SSL *s, const CBS *sigalgs); 1147 1148 /* tls1_choose_signing_digest returns a digest for use with |pkey| based on the 1149 * peer's preferences recorded for |s| and the digests supported by |pkey|. */ 1150 const EVP_MD *tls1_choose_signing_digest(SSL *s, EVP_PKEY *pkey); 1151 1152 size_t tls12_get_psigalgs(SSL *s, const uint8_t **psigs); 1153 int tls12_check_peer_sigalg(const EVP_MD **out_md, int *out_alert, SSL *s, 1154 CBS *cbs, EVP_PKEY *pkey); 1155 void ssl_set_client_disabled(SSL *s); 1156 1157 int ssl_add_clienthello_use_srtp_ext(SSL *s, uint8_t *p, int *len, int maxlen); 1158 int ssl_parse_clienthello_use_srtp_ext(SSL *s, CBS *cbs, int *out_alert); 1159 int ssl_add_serverhello_use_srtp_ext(SSL *s, uint8_t *p, int *len, int maxlen); 1160 int ssl_parse_serverhello_use_srtp_ext(SSL *s, CBS *cbs, int *out_alert); 1161 1162 #endif /* OPENSSL_HEADER_SSL_INTERNAL_H */ 1163