blob: d3bbe3eeabdfe49dfaa14a552335689426379b8a [file] [log] [blame]
Adam Langley95c29f32014-06-20 12:00:00 -07001/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
2 * All rights reserved.
3 *
4 * This package is an SSL implementation written
5 * by Eric Young (eay@cryptsoft.com).
6 * The implementation was written so as to conform with Netscapes SSL.
7 *
8 * This library is free for commercial and non-commercial use as long as
9 * the following conditions are aheared to. The following conditions
10 * apply to all code found in this distribution, be it the RC4, RSA,
11 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
12 * included with this distribution is covered by the same copyright terms
13 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
14 *
15 * Copyright remains Eric Young's, and as such any Copyright notices in
16 * the code are not to be removed.
17 * If this package is used in a product, Eric Young should be given attribution
18 * as the author of the parts of the library used.
19 * This can be in the form of a textual message at program startup or
20 * in documentation (online or textual) provided with the package.
21 *
22 * Redistribution and use in source and binary forms, with or without
23 * modification, are permitted provided that the following conditions
24 * are met:
25 * 1. Redistributions of source code must retain the copyright
26 * notice, this list of conditions and the following disclaimer.
27 * 2. Redistributions in binary form must reproduce the above copyright
28 * notice, this list of conditions and the following disclaimer in the
29 * documentation and/or other materials provided with the distribution.
30 * 3. All advertising materials mentioning features or use of this software
31 * must display the following acknowledgement:
32 * "This product includes cryptographic software written by
33 * Eric Young (eay@cryptsoft.com)"
34 * The word 'cryptographic' can be left out if the rouines from the library
35 * being used are not cryptographic related :-).
36 * 4. If you include any Windows specific code (or a derivative thereof) from
37 * the apps directory (application code) you must include an acknowledgement:
38 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
39 *
40 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
41 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
43 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
44 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
45 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
46 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
48 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
49 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
50 * SUCH DAMAGE.
51 *
52 * The licence and distribution terms for any publically available version or
53 * derivative of this code cannot be changed. i.e. this code cannot simply be
54 * copied and put under another distribution licence
55 * [including the GNU Public Licence.]
56 */
57/* ====================================================================
58 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
59 *
60 * Redistribution and use in source and binary forms, with or without
61 * modification, are permitted provided that the following conditions
62 * are met:
63 *
64 * 1. Redistributions of source code must retain the above copyright
65 * notice, this list of conditions and the following disclaimer.
66 *
67 * 2. Redistributions in binary form must reproduce the above copyright
68 * notice, this list of conditions and the following disclaimer in
69 * the documentation and/or other materials provided with the
70 * distribution.
71 *
72 * 3. All advertising materials mentioning features or use of this
73 * software must display the following acknowledgment:
74 * "This product includes software developed by the OpenSSL Project
75 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
76 *
77 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
78 * endorse or promote products derived from this software without
79 * prior written permission. For written permission, please contact
80 * openssl-core@openssl.org.
81 *
82 * 5. Products derived from this software may not be called "OpenSSL"
83 * nor may "OpenSSL" appear in their names without prior written
84 * permission of the OpenSSL Project.
85 *
86 * 6. Redistributions of any form whatsoever must retain the following
87 * acknowledgment:
88 * "This product includes software developed by the OpenSSL Project
89 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
90 *
91 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
92 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
93 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
94 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
95 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
96 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
97 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
98 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
99 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
100 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
101 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
102 * OF THE POSSIBILITY OF SUCH DAMAGE.
103 * ====================================================================
104 *
105 * This product includes cryptographic software written by Eric Young
106 * (eay@cryptsoft.com). This product includes software written by Tim
107 * Hudson (tjh@cryptsoft.com).
108 *
109 */
110/* ====================================================================
111 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
112 * ECC cipher suite support in OpenSSL originally developed by
113 * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
114 */
115/* ====================================================================
116 * Copyright 2005 Nokia. All rights reserved.
117 *
118 * The portions of the attached software ("Contribution") is developed by
119 * Nokia Corporation and is licensed pursuant to the OpenSSL open source
120 * license.
121 *
122 * The Contribution, originally written by Mika Kousa and Pasi Eronen of
123 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
124 * support (see RFC 4279) to OpenSSL.
125 *
126 * No patent licenses or other rights except those expressly stated in
127 * the OpenSSL open source license shall be deemed granted or received
128 * expressly, by implication, estoppel, or otherwise.
129 *
130 * No assurances are provided by Nokia that the Contribution does not
131 * infringe the patent or other intellectual property rights of any third
132 * party or that the license provides you with all the necessary rights
133 * to make use of the Contribution.
134 *
135 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
136 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
137 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
138 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
139 * OTHERWISE.
140 */
141
David Benjamin2ee94aa2015-04-07 22:38:30 -0400142#ifndef OPENSSL_HEADER_SSL_INTERNAL_H
143#define OPENSSL_HEADER_SSL_INTERNAL_H
Adam Langley95c29f32014-06-20 12:00:00 -0700144
145#include <openssl/base.h>
146
Adam Langleyc9fb3752014-06-20 12:00:00 -0700147#include <openssl/aead.h>
Adam Langley95c29f32014-06-20 12:00:00 -0700148#include <openssl/ssl.h>
149#include <openssl/stack.h>
150
Steven Valdezcb966542016-08-17 16:56:14 -0400151
David Benjamin4d2e7ce2015-05-08 13:29:45 -0400152#if defined(OPENSSL_WINDOWS)
153/* Windows defines struct timeval in winsock2.h. */
David Benjamina353cdb2016-06-09 16:48:33 -0400154OPENSSL_MSVC_PRAGMA(warning(push, 3))
David Benjamin4d2e7ce2015-05-08 13:29:45 -0400155#include <winsock2.h>
David Benjamina353cdb2016-06-09 16:48:33 -0400156OPENSSL_MSVC_PRAGMA(warning(pop))
David Benjamin4d2e7ce2015-05-08 13:29:45 -0400157#else
David Benjamin0abd6f22015-12-04 21:49:53 -0500158#include <sys/time.h>
David Benjamin4d2e7ce2015-05-08 13:29:45 -0400159#endif
160
Steven Valdez87eab492016-06-27 16:34:59 -0400161#if defined(__cplusplus)
162extern "C" {
163#endif
164
Adam Langleyfcf25832014-12-18 17:42:32 -0800165
David Benjamin71f07942015-04-08 02:36:59 -0400166/* Cipher suites. */
167
168/* Bits for |algorithm_mkey| (key exchange algorithm). */
169#define SSL_kRSA 0x00000001L
170#define SSL_kDHE 0x00000002L
171#define SSL_kECDHE 0x00000004L
172/* SSL_kPSK is only set for plain PSK, not ECDHE_PSK. */
173#define SSL_kPSK 0x00000008L
Matthew Braithwaite651aaef2016-12-08 16:14:36 -0800174#define SSL_kGENERIC 0x00000010L
David Benjamin71f07942015-04-08 02:36:59 -0400175
176/* Bits for |algorithm_auth| (server authentication). */
177#define SSL_aRSA 0x00000001L
178#define SSL_aECDSA 0x00000002L
179/* SSL_aPSK is set for both PSK and ECDHE_PSK. */
180#define SSL_aPSK 0x00000004L
Steven Valdez803c77a2016-09-06 14:13:43 -0400181#define SSL_aGENERIC 0x00000008L
David Benjamin71f07942015-04-08 02:36:59 -0400182
David Benjaminc032dfa2016-05-12 14:54:57 -0400183#define SSL_aCERT (SSL_aRSA | SSL_aECDSA)
184
David Benjamin71f07942015-04-08 02:36:59 -0400185/* Bits for |algorithm_enc| (symmetric encryption). */
Matthew Braithwaite8aaa9e12016-09-07 15:09:58 -0700186#define SSL_3DES 0x00000001L
187#define SSL_AES128 0x00000002L
188#define SSL_AES256 0x00000004L
189#define SSL_AES128GCM 0x00000008L
190#define SSL_AES256GCM 0x00000010L
Adam Langley2e839242017-01-19 15:12:44 -0800191#define SSL_eNULL 0x00000020L
192#define SSL_CHACHA20POLY1305 0x00000040L
David Benjamin71f07942015-04-08 02:36:59 -0400193
194#define SSL_AES (SSL_AES128 | SSL_AES256 | SSL_AES128GCM | SSL_AES256GCM)
195
196/* Bits for |algorithm_mac| (symmetric authentication). */
David Benjamin5fc99c62017-01-10 08:19:12 -0500197#define SSL_SHA1 0x00000001L
198#define SSL_SHA256 0x00000002L
199#define SSL_SHA384 0x00000004L
David Benjamin71f07942015-04-08 02:36:59 -0400200/* SSL_AEAD is set for all AEADs. */
David Benjamin5fc99c62017-01-10 08:19:12 -0500201#define SSL_AEAD 0x00000008L
David Benjamin71f07942015-04-08 02:36:59 -0400202
David Benjamin5055c762015-08-04 09:24:14 -0400203/* Bits for |algorithm_prf| (handshake digest). */
David Benjaminb0883312015-08-06 09:54:13 -0400204#define SSL_HANDSHAKE_MAC_DEFAULT 0x1
205#define SSL_HANDSHAKE_MAC_SHA256 0x2
206#define SSL_HANDSHAKE_MAC_SHA384 0x4
David Benjamin71f07942015-04-08 02:36:59 -0400207
208/* SSL_MAX_DIGEST is the number of digest types which exist. When adding a new
209 * one, update the table in ssl_cipher.c. */
210#define SSL_MAX_DIGEST 4
211
David Benjamin71f07942015-04-08 02:36:59 -0400212/* ssl_cipher_get_evp_aead sets |*out_aead| to point to the correct EVP_AEAD
213 * object for |cipher| protocol version |version|. It sets |*out_mac_secret_len|
214 * and |*out_fixed_iv_len| to the MAC key length and fixed IV length,
215 * respectively. The MAC key length is zero except for legacy block and stream
216 * ciphers. It returns 1 on success and 0 on error. */
217int ssl_cipher_get_evp_aead(const EVP_AEAD **out_aead,
218 size_t *out_mac_secret_len,
219 size_t *out_fixed_iv_len,
220 const SSL_CIPHER *cipher, uint16_t version);
221
David Benjaminb0883312015-08-06 09:54:13 -0400222/* ssl_get_handshake_digest returns the |EVP_MD| corresponding to
223 * |algorithm_prf|. It returns SHA-1 for |SSL_HANDSHAKE_DEFAULT|. The caller is
224 * responsible for maintaining the additional MD5 digest and switching to
225 * SHA-256 in TLS 1.2. */
226const EVP_MD *ssl_get_handshake_digest(uint32_t algorithm_prf);
David Benjamin71f07942015-04-08 02:36:59 -0400227
228/* ssl_create_cipher_list evaluates |rule_str| according to the ciphers in
229 * |ssl_method|. It sets |*out_cipher_list| to a newly-allocated
David Benjamind2cb1c12016-11-02 17:49:09 -0400230 * |ssl_cipher_preference_list_st| containing the result. It returns
231 * |(*out_cipher_list)->ciphers| on success and NULL on
David Benjamin71f07942015-04-08 02:36:59 -0400232 * failure. */
233STACK_OF(SSL_CIPHER) *
234ssl_create_cipher_list(const SSL_PROTOCOL_METHOD *ssl_method,
235 struct ssl_cipher_preference_list_st **out_cipher_list,
David Benjamin71f07942015-04-08 02:36:59 -0400236 const char *rule_str);
237
David Benjamina1c90a52015-05-30 17:03:14 -0400238/* ssl_cipher_get_value returns the cipher suite id of |cipher|. */
239uint16_t ssl_cipher_get_value(const SSL_CIPHER *cipher);
240
David Benjamind1d80782015-07-05 11:54:09 -0400241/* ssl_cipher_get_key_type returns the |EVP_PKEY_*| value corresponding to the
242 * server key used in |cipher| or |EVP_PKEY_NONE| if there is none. */
243int ssl_cipher_get_key_type(const SSL_CIPHER *cipher);
David Benjamin71f07942015-04-08 02:36:59 -0400244
David Benjaminc032dfa2016-05-12 14:54:57 -0400245/* ssl_cipher_uses_certificate_auth returns one if |cipher| authenticates the
246 * server and, optionally, the client with a certificate. Otherwise it returns
247 * zero. */
248int ssl_cipher_uses_certificate_auth(const SSL_CIPHER *cipher);
David Benjamin71f07942015-04-08 02:36:59 -0400249
250/* ssl_cipher_requires_server_key_exchange returns 1 if |cipher| requires a
251 * ServerKeyExchange message. Otherwise it returns 0.
252 *
David Benjaminc032dfa2016-05-12 14:54:57 -0400253 * This function may return zero while still allowing |cipher| an optional
254 * ServerKeyExchange. This is the case for plain PSK ciphers. */
David Benjamin71f07942015-04-08 02:36:59 -0400255int ssl_cipher_requires_server_key_exchange(const SSL_CIPHER *cipher);
256
David Benjaminb8d28cf2015-07-28 21:34:45 -0400257/* ssl_cipher_get_record_split_len, for TLS 1.0 CBC mode ciphers, returns the
258 * length of an encrypted 1-byte record, for use in record-splitting. Otherwise
259 * it returns zero. */
260size_t ssl_cipher_get_record_split_len(const SSL_CIPHER *cipher);
261
David Benjamin71f07942015-04-08 02:36:59 -0400262
David Benjamin31a07792015-03-03 14:20:26 -0500263/* Encryption layer. */
264
265/* SSL_AEAD_CTX contains information about an AEAD that is being used to encrypt
266 * an SSL connection. */
David Benjaminb9179092016-10-26 13:47:33 -0400267typedef struct ssl_aead_ctx_st {
David Benjamin31a07792015-03-03 14:20:26 -0500268 const SSL_CIPHER *cipher;
269 EVP_AEAD_CTX ctx;
270 /* fixed_nonce contains any bytes of the nonce that are fixed for all
271 * records. */
David Benjamin13414b32015-12-09 23:02:39 -0500272 uint8_t fixed_nonce[12];
David Benjamin31a07792015-03-03 14:20:26 -0500273 uint8_t fixed_nonce_len, variable_nonce_len;
274 /* variable_nonce_included_in_record is non-zero if the variable nonce
275 * for a record is included as a prefix before the ciphertext. */
276 char variable_nonce_included_in_record;
277 /* random_variable_nonce is non-zero if the variable nonce is
278 * randomly generated, rather than derived from the sequence
279 * number. */
280 char random_variable_nonce;
281 /* omit_length_in_ad is non-zero if the length should be omitted in the
282 * AEAD's ad parameter. */
283 char omit_length_in_ad;
284 /* omit_version_in_ad is non-zero if the version should be omitted
285 * in the AEAD's ad parameter. */
286 char omit_version_in_ad;
Steven Valdez494650c2016-05-24 12:43:04 -0400287 /* omit_ad is non-zero if the AEAD's ad parameter should be omitted. */
288 char omit_ad;
David Benjamin13414b32015-12-09 23:02:39 -0500289 /* xor_fixed_nonce is non-zero if the fixed nonce should be XOR'd into the
290 * variable nonce rather than prepended. */
291 char xor_fixed_nonce;
David Benjaminb9179092016-10-26 13:47:33 -0400292} SSL_AEAD_CTX;
David Benjamin31a07792015-03-03 14:20:26 -0500293
294/* SSL_AEAD_CTX_new creates a newly-allocated |SSL_AEAD_CTX| using the supplied
295 * key material. It returns NULL on error. Only one of |SSL_AEAD_CTX_open| or
296 * |SSL_AEAD_CTX_seal| may be used with the resulting object, depending on
297 * |direction|. |version| is the normalized protocol version, so DTLS 1.0 is
298 * represented as 0x0301, not 0xffef. */
299SSL_AEAD_CTX *SSL_AEAD_CTX_new(enum evp_aead_direction_t direction,
300 uint16_t version, const SSL_CIPHER *cipher,
301 const uint8_t *enc_key, size_t enc_key_len,
302 const uint8_t *mac_key, size_t mac_key_len,
303 const uint8_t *fixed_iv, size_t fixed_iv_len);
304
305/* SSL_AEAD_CTX_free frees |ctx|. */
306void SSL_AEAD_CTX_free(SSL_AEAD_CTX *ctx);
307
308/* SSL_AEAD_CTX_explicit_nonce_len returns the length of the explicit nonce for
309 * |ctx|, if any. |ctx| may be NULL to denote the null cipher. */
David Benjamina772b162017-01-24 17:51:33 -0500310size_t SSL_AEAD_CTX_explicit_nonce_len(const SSL_AEAD_CTX *ctx);
David Benjamin31a07792015-03-03 14:20:26 -0500311
312/* SSL_AEAD_CTX_max_overhead returns the maximum overhead of calling
313 * |SSL_AEAD_CTX_seal|. |ctx| may be NULL to denote the null cipher. */
David Benjamina772b162017-01-24 17:51:33 -0500314size_t SSL_AEAD_CTX_max_overhead(const SSL_AEAD_CTX *ctx);
David Benjamin31a07792015-03-03 14:20:26 -0500315
David Benjamina7810c12016-06-06 18:54:51 -0400316/* SSL_AEAD_CTX_open authenticates and decrypts |in_len| bytes from |in|
317 * in-place. On success, it sets |*out| to the plaintext in |in| and returns
318 * one. Otherwise, it returns zero. |ctx| may be NULL to denote the null cipher.
319 * The output will always be |explicit_nonce_len| bytes ahead of |in|. */
320int SSL_AEAD_CTX_open(SSL_AEAD_CTX *ctx, CBS *out, uint8_t type,
321 uint16_t wire_version, const uint8_t seqnum[8],
322 uint8_t *in, size_t in_len);
David Benjamin31a07792015-03-03 14:20:26 -0500323
324/* SSL_AEAD_CTX_seal encrypts and authenticates |in_len| bytes from |in| and
325 * writes the result to |out|. It returns one on success and zero on
326 * error. |ctx| may be NULL to denote the null cipher.
327 *
David Benjamin2446db02016-06-08 18:31:42 -0400328 * If |in| and |out| alias then |out| + |explicit_nonce_len| must be == |in|. */
David Benjamin31a07792015-03-03 14:20:26 -0500329int SSL_AEAD_CTX_seal(SSL_AEAD_CTX *ctx, uint8_t *out, size_t *out_len,
330 size_t max_out, uint8_t type, uint16_t wire_version,
331 const uint8_t seqnum[8], const uint8_t *in,
332 size_t in_len);
333
334
David Benjamin7446a3b2015-07-25 17:53:57 -0400335/* DTLS replay bitmap. */
336
337/* DTLS1_BITMAP maintains a sliding window of 64 sequence numbers to detect
338 * replayed packets. It should be initialized by zeroing every field. */
339typedef struct dtls1_bitmap_st {
340 /* map is a bit mask of the last 64 sequence numbers. Bit
341 * |1<<i| corresponds to |max_seq_num - i|. */
342 uint64_t map;
343 /* max_seq_num is the largest sequence number seen so far as a 64-bit
344 * integer. */
345 uint64_t max_seq_num;
346} DTLS1_BITMAP;
347
348
David Benjaminb8d28cf2015-07-28 21:34:45 -0400349/* Record layer. */
350
David Benjamin1db21562015-12-25 15:11:39 -0500351/* ssl_record_sequence_update increments the sequence number in |seq|. It
352 * returns one on success and zero on wraparound. */
353int ssl_record_sequence_update(uint8_t *seq, size_t seq_len);
354
David Benjaminb8d28cf2015-07-28 21:34:45 -0400355/* ssl_record_prefix_len returns the length of the prefix before the ciphertext
356 * of a record for |ssl|.
357 *
358 * TODO(davidben): Expose this as part of public API once the high-level
359 * buffer-free APIs are available. */
360size_t ssl_record_prefix_len(const SSL *ssl);
361
362enum ssl_open_record_t {
363 ssl_open_record_success,
364 ssl_open_record_discard,
365 ssl_open_record_partial,
David Benjamin728f3542016-06-02 15:42:01 -0400366 ssl_open_record_close_notify,
367 ssl_open_record_fatal_alert,
David Benjaminb8d28cf2015-07-28 21:34:45 -0400368 ssl_open_record_error,
369};
370
David Benjamina7810c12016-06-06 18:54:51 -0400371/* tls_open_record decrypts a record from |in| in-place.
David Benjaminb8d28cf2015-07-28 21:34:45 -0400372 *
David Benjaminb8d28cf2015-07-28 21:34:45 -0400373 * If the input did not contain a complete record, it returns
374 * |ssl_open_record_partial|. It sets |*out_consumed| to the total number of
375 * bytes necessary. It is guaranteed that a successful call to |tls_open_record|
376 * will consume at least that many bytes.
377 *
David Benjamin728f3542016-06-02 15:42:01 -0400378 * Otherwise, it sets |*out_consumed| to the number of bytes of input
379 * consumed. Note that input may be consumed on all return codes if a record was
380 * decrypted.
381 *
382 * On success, it returns |ssl_open_record_success|. It sets |*out_type| to the
David Benjamina7810c12016-06-06 18:54:51 -0400383 * record type and |*out| to the record body in |in|. Note that |*out| may be
384 * empty.
David Benjamin728f3542016-06-02 15:42:01 -0400385 *
386 * If a record was successfully processed but should be discarded, it returns
387 * |ssl_open_record_discard|.
388 *
389 * If a record was successfully processed but is a close_notify or fatal alert,
390 * it returns |ssl_open_record_close_notify| or |ssl_open_record_fatal_alert|.
391 *
David Benjaminb8d28cf2015-07-28 21:34:45 -0400392 * On failure, it returns |ssl_open_record_error| and sets |*out_alert| to an
David Benjamina7810c12016-06-06 18:54:51 -0400393 * alert to emit. */
394enum ssl_open_record_t tls_open_record(SSL *ssl, uint8_t *out_type, CBS *out,
395 size_t *out_consumed, uint8_t *out_alert,
396 uint8_t *in, size_t in_len);
David Benjaminb8d28cf2015-07-28 21:34:45 -0400397
398/* dtls_open_record implements |tls_open_record| for DTLS. It never returns
399 * |ssl_open_record_partial| but otherwise behaves analogously. */
David Benjamina7810c12016-06-06 18:54:51 -0400400enum ssl_open_record_t dtls_open_record(SSL *ssl, uint8_t *out_type, CBS *out,
401 size_t *out_consumed,
402 uint8_t *out_alert, uint8_t *in,
403 size_t in_len);
David Benjaminb8d28cf2015-07-28 21:34:45 -0400404
David Benjamin1a01e1f2016-06-08 18:31:24 -0400405/* ssl_seal_align_prefix_len returns the length of the prefix before the start
406 * of the bulk of the ciphertext when sealing a record with |ssl|. Callers may
407 * use this to align buffers.
408 *
409 * Note when TLS 1.0 CBC record-splitting is enabled, this includes the one byte
David Benjamina772b162017-01-24 17:51:33 -0500410 * record and is the offset into second record's ciphertext. Thus sealing a
411 * small record may result in a smaller output than this value.
David Benjaminb8d28cf2015-07-28 21:34:45 -0400412 *
David Benjamina772b162017-01-24 17:51:33 -0500413 * TODO(davidben): Is this alignment valuable? Record-splitting makes this a
414 * mess. */
David Benjamin1a01e1f2016-06-08 18:31:24 -0400415size_t ssl_seal_align_prefix_len(const SSL *ssl);
David Benjaminb8d28cf2015-07-28 21:34:45 -0400416
David Benjaminb8d28cf2015-07-28 21:34:45 -0400417/* tls_seal_record seals a new record of type |type| and body |in| and writes it
418 * to |out|. At most |max_out| bytes will be written. It returns one on success
419 * and zero on error. If enabled, |tls_seal_record| implements TLS 1.0 CBC 1/n-1
420 * record splitting and may write two records concatenated.
421 *
David Benjamin1a01e1f2016-06-08 18:31:24 -0400422 * For a large record, the bulk of the ciphertext will begin
423 * |ssl_seal_align_prefix_len| bytes into out. Aligning |out| appropriately may
David Benjaminda8636082016-11-04 15:44:28 -0400424 * improve performance. It writes at most |in_len| + |SSL_max_seal_overhead|
David Benjamin1a01e1f2016-06-08 18:31:24 -0400425 * bytes to |out|.
David Benjaminb8d28cf2015-07-28 21:34:45 -0400426 *
David Benjamin1a01e1f2016-06-08 18:31:24 -0400427 * |in| and |out| may not alias. */
David Benjaminb8d28cf2015-07-28 21:34:45 -0400428int tls_seal_record(SSL *ssl, uint8_t *out, size_t *out_len, size_t max_out,
429 uint8_t type, const uint8_t *in, size_t in_len);
430
431enum dtls1_use_epoch_t {
432 dtls1_use_previous_epoch,
433 dtls1_use_current_epoch,
434};
435
David Benjamin1a999cf2017-01-03 10:30:35 -0500436/* dtls_max_seal_overhead returns the maximum overhead, in bytes, of sealing a
437 * record. */
438size_t dtls_max_seal_overhead(const SSL *ssl, enum dtls1_use_epoch_t use_epoch);
439
David Benjamina772b162017-01-24 17:51:33 -0500440/* dtls_seal_prefix_len returns the number of bytes of prefix to reserve in
441 * front of the plaintext when sealing a record in-place. */
442size_t dtls_seal_prefix_len(const SSL *ssl, enum dtls1_use_epoch_t use_epoch);
443
David Benjaminb8d28cf2015-07-28 21:34:45 -0400444/* dtls_seal_record implements |tls_seal_record| for DTLS. |use_epoch| selects
David Benjamina772b162017-01-24 17:51:33 -0500445 * which epoch's cipher state to use. Unlike |tls_seal_record|, |in| and |out|
446 * may alias but, if they do, |in| must be exactly |dtls_seal_prefix_len| bytes
447 * ahead of |out|. */
David Benjaminb8d28cf2015-07-28 21:34:45 -0400448int dtls_seal_record(SSL *ssl, uint8_t *out, size_t *out_len, size_t max_out,
449 uint8_t type, const uint8_t *in, size_t in_len,
450 enum dtls1_use_epoch_t use_epoch);
451
David Benjamin728f3542016-06-02 15:42:01 -0400452/* ssl_process_alert processes |in| as an alert and updates |ssl|'s shutdown
453 * state. It returns one of |ssl_open_record_discard|, |ssl_open_record_error|,
454 * |ssl_open_record_close_notify|, or |ssl_open_record_fatal_alert| as
455 * appropriate. */
456enum ssl_open_record_t ssl_process_alert(SSL *ssl, uint8_t *out_alert,
457 const uint8_t *in, size_t in_len);
458
David Benjaminb8d28cf2015-07-28 21:34:45 -0400459
David Benjaminb4d65fd2015-05-29 17:11:21 -0400460/* Private key operations. */
461
nagendra modadugu601448a2015-07-24 09:31:31 -0700462/* ssl_has_private_key returns one if |ssl| has a private key
463 * configured and zero otherwise. */
David Benjamin32a66d52016-07-13 22:03:11 -0400464int ssl_has_private_key(const SSL *ssl);
nagendra modadugu601448a2015-07-24 09:31:31 -0700465
David Benjamin0c0b7e12016-07-14 13:47:55 -0400466/* ssl_is_ecdsa_key_type returns one if |type| is an ECDSA key type and zero
467 * otherwise. */
468int ssl_is_ecdsa_key_type(int type);
469
David Benjaminb4d65fd2015-05-29 17:11:21 -0400470/* ssl_private_key_* call the corresponding function on the
471 * |SSL_PRIVATE_KEY_METHOD| for |ssl|, if configured. Otherwise, they implement
David Benjamind1d80782015-07-05 11:54:09 -0400472 * the operation with |EVP_PKEY|. */
David Benjaminb4d65fd2015-05-29 17:11:21 -0400473
David Benjamind1d80782015-07-05 11:54:09 -0400474int ssl_private_key_type(SSL *ssl);
David Benjaminb4d65fd2015-05-29 17:11:21 -0400475
David Benjamind1d80782015-07-05 11:54:09 -0400476size_t ssl_private_key_max_signature_len(SSL *ssl);
David Benjaminb4d65fd2015-05-29 17:11:21 -0400477
478enum ssl_private_key_result_t ssl_private_key_sign(
Steven Valdezf0451ca2016-06-29 13:16:27 -0400479 SSL *ssl, uint8_t *out, size_t *out_len, size_t max_out,
480 uint16_t signature_algorithm, const uint8_t *in, size_t in_len);
David Benjaminb4d65fd2015-05-29 17:11:21 -0400481
nagendra modadugu3398dbf2015-08-07 14:07:52 -0700482enum ssl_private_key_result_t ssl_private_key_decrypt(
483 SSL *ssl, uint8_t *out, size_t *out_len, size_t max_out,
484 const uint8_t *in, size_t in_len);
485
David Benjamind3440b42016-07-14 14:52:41 -0400486enum ssl_private_key_result_t ssl_private_key_complete(SSL *ssl, uint8_t *out,
487 size_t *out_len,
488 size_t max_out);
nagendra modadugu3398dbf2015-08-07 14:07:52 -0700489
David Benjamin1fb125c2016-07-08 18:52:12 -0700490/* ssl_private_key_supports_signature_algorithm returns one if |ssl|'s private
491 * key supports |signature_algorithm| and zero otherwise. */
492int ssl_private_key_supports_signature_algorithm(SSL *ssl,
493 uint16_t signature_algorithm);
494
Steven Valdez2b8415e2016-06-30 13:27:23 -0400495/* ssl_public_key_verify verifies that the |signature| is valid for the public
496 * key |pkey| and input |in|, using the |signature_algorithm| specified. */
497int ssl_public_key_verify(
498 SSL *ssl, const uint8_t *signature, size_t signature_len,
499 uint16_t signature_algorithm, EVP_PKEY *pkey,
500 const uint8_t *in, size_t in_len);
David Benjaminb4d65fd2015-05-29 17:11:21 -0400501
David Benjamin1fb125c2016-07-08 18:52:12 -0700502
Adam Langley09505632015-07-30 18:10:13 -0700503/* Custom extensions */
504
505/* ssl_custom_extension (a.k.a. SSL_CUSTOM_EXTENSION) is a structure that
506 * contains information about custom-extension callbacks. */
507struct ssl_custom_extension {
508 SSL_custom_ext_add_cb add_callback;
509 void *add_arg;
510 SSL_custom_ext_free_cb free_callback;
511 SSL_custom_ext_parse_cb parse_callback;
512 void *parse_arg;
513 uint16_t value;
514};
515
516void SSL_CUSTOM_EXTENSION_free(SSL_CUSTOM_EXTENSION *custom_extension);
517
David Benjamin2bd19172016-11-17 16:47:15 +0900518int custom_ext_add_clienthello(SSL_HANDSHAKE *hs, CBB *extensions);
519int custom_ext_parse_serverhello(SSL_HANDSHAKE *hs, int *out_alert,
520 uint16_t value, const CBS *extension);
521int custom_ext_parse_clienthello(SSL_HANDSHAKE *hs, int *out_alert,
522 uint16_t value, const CBS *extension);
523int custom_ext_add_serverhello(SSL_HANDSHAKE *hs, CBB *extensions);
Adam Langley09505632015-07-30 18:10:13 -0700524
525
David Benjamin9550c3a2015-08-05 08:50:34 -0400526/* Handshake hash.
527 *
528 * The TLS handshake maintains a transcript of all handshake messages. At
529 * various points in the protocol, this is either a handshake buffer, a rolling
530 * hash (selected by cipher suite) or both. */
531
532/* ssl3_init_handshake_buffer initializes the handshake buffer and resets the
533 * handshake hash. It returns one success and zero on failure. */
534int ssl3_init_handshake_buffer(SSL *ssl);
535
536/* ssl3_init_handshake_hash initializes the handshake hash based on the pending
537 * cipher and the contents of the handshake buffer. Subsequent calls to
538 * |ssl3_update_handshake_hash| will update the rolling hash. It returns one on
539 * success and zero on failure. It is an error to call this function after the
540 * handshake buffer is released. */
541int ssl3_init_handshake_hash(SSL *ssl);
542
543/* ssl3_free_handshake_buffer releases the handshake buffer. Subsequent calls
544 * to |ssl3_update_handshake_hash| will not update the handshake buffer. */
545void ssl3_free_handshake_buffer(SSL *ssl);
546
547/* ssl3_free_handshake_hash releases the handshake hash. */
David Benjamin0d56f882015-12-19 17:05:56 -0500548void ssl3_free_handshake_hash(SSL *ssl);
David Benjamin9550c3a2015-08-05 08:50:34 -0400549
550/* ssl3_update_handshake_hash adds |in| to the handshake buffer and handshake
551 * hash, whichever is enabled. It returns one on success and zero on failure. */
552int ssl3_update_handshake_hash(SSL *ssl, const uint8_t *in, size_t in_len);
553
554
Steven Valdezce902a92016-05-17 11:47:53 -0400555/* ECDH groups. */
David Benjamin4298d772015-12-19 00:18:25 -0500556
David Benjaminb9179092016-10-26 13:47:33 -0400557typedef struct ssl_ecdh_ctx_st SSL_ECDH_CTX;
558
David Benjamin4298d772015-12-19 00:18:25 -0500559/* An SSL_ECDH_METHOD is an implementation of ECDH-like key exchanges for
560 * TLS. */
David Benjaminb9179092016-10-26 13:47:33 -0400561typedef struct ssl_ecdh_method_st {
David Benjamin4298d772015-12-19 00:18:25 -0500562 int nid;
Steven Valdezce902a92016-05-17 11:47:53 -0400563 uint16_t group_id;
David Benjamin4298d772015-12-19 00:18:25 -0500564 const char name[8];
565
566 /* cleanup releases state in |ctx|. */
567 void (*cleanup)(SSL_ECDH_CTX *ctx);
568
Matt Braithwaitef4ce8e52016-05-16 14:27:14 -0700569 /* offer generates a keypair and writes the public value to
David Benjamin4298d772015-12-19 00:18:25 -0500570 * |out_public_key|. It returns one on success and zero on error. */
Matt Braithwaitef4ce8e52016-05-16 14:27:14 -0700571 int (*offer)(SSL_ECDH_CTX *ctx, CBB *out_public_key);
David Benjamin4298d772015-12-19 00:18:25 -0500572
Matt Braithwaitef4ce8e52016-05-16 14:27:14 -0700573 /* accept performs a key exchange against the |peer_key| generated by |offer|.
574 * On success, it returns one, writes the public value to |out_public_key|,
575 * and sets |*out_secret| and |*out_secret_len| to a newly-allocated buffer
576 * containing the shared secret. The caller must release this buffer with
577 * |OPENSSL_free|. On failure, it returns zero and sets |*out_alert| to an
578 * alert to send to the peer. */
579 int (*accept)(SSL_ECDH_CTX *ctx, CBB *out_public_key, uint8_t **out_secret,
580 size_t *out_secret_len, uint8_t *out_alert,
581 const uint8_t *peer_key, size_t peer_key_len);
582
583 /* finish performs a key exchange against the |peer_key| generated by
584 * |accept|. On success, it returns one and sets |*out_secret| and
585 * |*out_secret_len| to a newly-allocated buffer containing the shared
586 * secret. The caller must release this buffer with |OPENSSL_free|. On
587 * failure, it returns zero and sets |*out_alert| to an alert to send to the
588 * peer. */
589 int (*finish)(SSL_ECDH_CTX *ctx, uint8_t **out_secret, size_t *out_secret_len,
590 uint8_t *out_alert, const uint8_t *peer_key,
591 size_t peer_key_len);
Matt Braithwaitee25775b2016-05-16 16:31:05 -0700592
593 /* get_key initializes |out| with a length-prefixed key from |cbs|. It returns
594 * one on success and zero on error. */
595 int (*get_key)(CBS *cbs, CBS *out);
596
597 /* add_key initializes |out_contents| to receive a key. Typically it will then
598 * be passed to |offer| or |accept|. It returns one on success and zero on
599 * error. */
600 int (*add_key)(CBB *cbb, CBB *out_contents);
David Benjaminb9179092016-10-26 13:47:33 -0400601} SSL_ECDH_METHOD;
602
603struct ssl_ecdh_ctx_st {
604 const SSL_ECDH_METHOD *method;
605 void *data;
606};
David Benjamin4298d772015-12-19 00:18:25 -0500607
Steven Valdezce902a92016-05-17 11:47:53 -0400608/* ssl_nid_to_group_id looks up the group corresponding to |nid|. On success, it
609 * sets |*out_group_id| to the group ID and returns one. Otherwise, it returns
David Benjamin4298d772015-12-19 00:18:25 -0500610 * zero. */
Steven Valdezce902a92016-05-17 11:47:53 -0400611int ssl_nid_to_group_id(uint16_t *out_group_id, int nid);
David Benjamin4298d772015-12-19 00:18:25 -0500612
Alessandro Ghedini5fd18072016-09-28 21:04:25 +0100613/* ssl_name_to_group_id looks up the group corresponding to the |name| string
614 * of length |len|. On success, it sets |*out_group_id| to the group ID and
615 * returns one. Otherwise, it returns zero. */
616int ssl_name_to_group_id(uint16_t *out_group_id, const char *name, size_t len);
617
Steven Valdezce902a92016-05-17 11:47:53 -0400618/* SSL_ECDH_CTX_init sets up |ctx| for use with curve |group_id|. It returns one
David Benjamin4298d772015-12-19 00:18:25 -0500619 * on success and zero on error. */
Steven Valdezce902a92016-05-17 11:47:53 -0400620int SSL_ECDH_CTX_init(SSL_ECDH_CTX *ctx, uint16_t group_id);
David Benjamin4298d772015-12-19 00:18:25 -0500621
David Benjamin974c7ba2015-12-19 16:58:04 -0500622/* SSL_ECDH_CTX_init_for_dhe sets up |ctx| for use with legacy DHE-based ciphers
623 * where the server specifies a group. It takes ownership of |params|. */
624void SSL_ECDH_CTX_init_for_dhe(SSL_ECDH_CTX *ctx, DH *params);
625
David Benjamin4298d772015-12-19 00:18:25 -0500626/* SSL_ECDH_CTX_cleanup releases memory associated with |ctx|. It is legal to
627 * call it in the zero state. */
628void SSL_ECDH_CTX_cleanup(SSL_ECDH_CTX *ctx);
629
Steven Valdez143e8b32016-07-11 13:19:03 -0400630/* SSL_ECDH_CTX_get_id returns the group ID for |ctx|. */
631uint16_t SSL_ECDH_CTX_get_id(const SSL_ECDH_CTX *ctx);
632
Matt Braithwaitee25775b2016-05-16 16:31:05 -0700633/* SSL_ECDH_CTX_get_key calls the |get_key| method of |SSL_ECDH_METHOD|. */
634int SSL_ECDH_CTX_get_key(SSL_ECDH_CTX *ctx, CBS *cbs, CBS *out);
635
636/* SSL_ECDH_CTX_add_key calls the |add_key| method of |SSL_ECDH_METHOD|. */
637int SSL_ECDH_CTX_add_key(SSL_ECDH_CTX *ctx, CBB *cbb, CBB *out_contents);
638
Matt Braithwaitef4ce8e52016-05-16 14:27:14 -0700639/* SSL_ECDH_CTX_offer calls the |offer| method of |SSL_ECDH_METHOD|. */
640int SSL_ECDH_CTX_offer(SSL_ECDH_CTX *ctx, CBB *out_public_key);
David Benjamin4298d772015-12-19 00:18:25 -0500641
Matt Braithwaitef4ce8e52016-05-16 14:27:14 -0700642/* SSL_ECDH_CTX_accept calls the |accept| method of |SSL_ECDH_METHOD|. */
643int SSL_ECDH_CTX_accept(SSL_ECDH_CTX *ctx, CBB *out_public_key,
644 uint8_t **out_secret, size_t *out_secret_len,
645 uint8_t *out_alert, const uint8_t *peer_key,
646 size_t peer_key_len);
647
648/* SSL_ECDH_CTX_finish the |finish| method of |SSL_ECDH_METHOD|. */
649int SSL_ECDH_CTX_finish(SSL_ECDH_CTX *ctx, uint8_t **out_secret,
650 size_t *out_secret_len, uint8_t *out_alert,
651 const uint8_t *peer_key, size_t peer_key_len);
David Benjamin4298d772015-12-19 00:18:25 -0500652
David Benjamin060cfb02016-05-12 00:43:05 -0400653/* Handshake messages. */
654
David Benjamin29a83c52016-06-17 19:12:54 -0400655/* SSL_MAX_HANDSHAKE_FLIGHT is the number of messages, including
656 * ChangeCipherSpec, in the longest handshake flight. Currently this is the
657 * client's second leg in a full handshake when client certificates, NPN, and
658 * Channel ID, are all enabled. */
659#define SSL_MAX_HANDSHAKE_FLIGHT 7
660
David Benjamin060cfb02016-05-12 00:43:05 -0400661/* ssl_max_handshake_message_len returns the maximum number of bytes permitted
662 * in a handshake message for |ssl|. */
663size_t ssl_max_handshake_message_len(const SSL *ssl);
664
David Benjaminec847ce2016-06-17 19:30:47 -0400665/* dtls_clear_incoming_messages releases all buffered incoming messages. */
666void dtls_clear_incoming_messages(SSL *ssl);
667
David Benjamin61672812016-07-14 23:10:43 -0400668/* dtls_has_incoming_messages returns one if there are buffered incoming
669 * messages ahead of the current message and zero otherwise. */
670int dtls_has_incoming_messages(const SSL *ssl);
671
David Benjamin29a83c52016-06-17 19:12:54 -0400672typedef struct dtls_outgoing_message_st {
673 uint8_t *data;
674 uint32_t len;
675 uint16_t epoch;
676 char is_ccs;
677} DTLS_OUTGOING_MESSAGE;
678
679/* dtls_clear_outgoing_messages releases all buffered outgoing messages. */
680void dtls_clear_outgoing_messages(SSL *ssl);
681
David Benjamin060cfb02016-05-12 00:43:05 -0400682
David Benjamin4e9cc712016-06-01 20:16:03 -0400683/* Callbacks. */
684
685/* ssl_do_info_callback calls |ssl|'s info callback, if set. */
686void ssl_do_info_callback(const SSL *ssl, int type, int value);
687
688/* ssl_do_msg_callback calls |ssl|'s message callback, if set. */
David Benjaminc0279992016-09-19 20:15:07 -0400689void ssl_do_msg_callback(SSL *ssl, int is_write, int content_type,
David Benjamin4e9cc712016-06-01 20:16:03 -0400690 const void *buf, size_t len);
691
692
David Benjaminb8d28cf2015-07-28 21:34:45 -0400693/* Transport buffers. */
694
695/* ssl_read_buffer returns a pointer to contents of the read buffer. */
696uint8_t *ssl_read_buffer(SSL *ssl);
697
698/* ssl_read_buffer_len returns the length of the read buffer. */
699size_t ssl_read_buffer_len(const SSL *ssl);
700
701/* ssl_read_buffer_extend_to extends the read buffer to the desired length. For
702 * TLS, it reads to the end of the buffer until the buffer is |len| bytes
703 * long. For DTLS, it reads a new packet and ignores |len|. It returns one on
704 * success, zero on EOF, and a negative number on error.
705 *
706 * It is an error to call |ssl_read_buffer_extend_to| in DTLS when the buffer is
707 * non-empty. */
708int ssl_read_buffer_extend_to(SSL *ssl, size_t len);
709
710/* ssl_read_buffer_consume consumes |len| bytes from the read buffer. It
711 * advances the data pointer and decrements the length. The memory consumed will
712 * remain valid until the next call to |ssl_read_buffer_extend| or it is
713 * discarded with |ssl_read_buffer_discard|. */
714void ssl_read_buffer_consume(SSL *ssl, size_t len);
715
716/* ssl_read_buffer_discard discards the consumed bytes from the read buffer. If
717 * the buffer is now empty, it releases memory used by it. */
718void ssl_read_buffer_discard(SSL *ssl);
719
720/* ssl_read_buffer_clear releases all memory associated with the read buffer and
721 * zero-initializes it. */
722void ssl_read_buffer_clear(SSL *ssl);
723
724/* ssl_write_buffer_is_pending returns one if the write buffer has pending data
725 * and zero if is empty. */
726int ssl_write_buffer_is_pending(const SSL *ssl);
727
728/* ssl_write_buffer_init initializes the write buffer. On success, it sets
729 * |*out_ptr| to the start of the write buffer with space for up to |max_len|
730 * bytes. It returns one on success and zero on failure. Call
731 * |ssl_write_buffer_set_len| to complete initialization. */
732int ssl_write_buffer_init(SSL *ssl, uint8_t **out_ptr, size_t max_len);
733
734/* ssl_write_buffer_set_len is called after |ssl_write_buffer_init| to complete
735 * initialization after |len| bytes are written to the buffer. */
736void ssl_write_buffer_set_len(SSL *ssl, size_t len);
737
738/* ssl_write_buffer_flush flushes the write buffer to the transport. It returns
739 * one on success and <= 0 on error. For DTLS, whether or not the write
740 * succeeds, the write buffer will be cleared. */
741int ssl_write_buffer_flush(SSL *ssl);
742
743/* ssl_write_buffer_clear releases all memory associated with the write buffer
744 * and zero-initializes it. */
745void ssl_write_buffer_clear(SSL *ssl);
746
747
David Benjamin75836432016-06-17 18:48:29 -0400748/* Certificate functions. */
749
David Benjamin32a66d52016-07-13 22:03:11 -0400750/* ssl_has_certificate returns one if a certificate and private key are
751 * configured and zero otherwise. */
752int ssl_has_certificate(const SSL *ssl);
753
Adam Langley68e71242016-12-12 11:06:16 -0800754/* ssl_session_x509_cache_objects fills out |sess->x509_peer| and
755 * |sess->x509_chain| from |sess->certs| and erases
756 * |sess->x509_chain_without_leaf|. It returns one on success or zero on
757 * error. */
758int ssl_session_x509_cache_objects(SSL_SESSION *sess);
759
David Benjamin5c900c82016-07-13 23:03:26 -0400760/* ssl_parse_cert_chain parses a certificate list from |cbs| in the format used
Adam Langleyc0fc7a12016-12-09 15:05:34 -0800761 * by a TLS Certificate message. On success, it returns a newly-allocated
Adam Langley68e71242016-12-12 11:06:16 -0800762 * |CRYPTO_BUFFER| list and advances |cbs|. Otherwise, it returns NULL and sets
Adam Langleyd5157222016-12-12 11:37:43 -0800763 * |*out_alert| to an alert to send to the peer.
764 *
765 * If the list is non-empty then |*out_pubkey| will be set to a freshly
766 * allocated public-key from the leaf certificate.
767 *
768 * If the list is non-empty and |out_leaf_sha256| is non-NULL, it writes the
769 * SHA-256 hash of the leaf to |out_leaf_sha256|. */
Adam Langley68e71242016-12-12 11:06:16 -0800770STACK_OF(CRYPTO_BUFFER) *ssl_parse_cert_chain(uint8_t *out_alert,
Adam Langleyd5157222016-12-12 11:37:43 -0800771 EVP_PKEY **out_pubkey,
Adam Langley68e71242016-12-12 11:06:16 -0800772 uint8_t *out_leaf_sha256,
Adam Langleyd519bf62016-12-12 11:16:44 -0800773 CBS *cbs,
774 CRYPTO_BUFFER_POOL *pool);
David Benjamin5c900c82016-07-13 23:03:26 -0400775
David Benjamin32a66d52016-07-13 22:03:11 -0400776/* ssl_add_cert_chain adds |ssl|'s certificate chain to |cbb| in the format used
777 * by a TLS Certificate message. If there is no certificate chain, it emits an
778 * empty certificate list. It returns one on success and zero on error. */
779int ssl_add_cert_chain(SSL *ssl, CBB *cbb);
780
David Benjamin650aa1c2016-12-20 18:55:16 -0500781/* ssl_auto_chain_if_needed runs the deprecated auto-chaining logic if
782 * necessary. On success, it updates |ssl|'s certificate configuration as needed
783 * and returns one. Otherwise, it returns zero. */
784int ssl_auto_chain_if_needed(SSL *ssl);
785
Adam Langley05672202016-12-13 12:05:49 -0800786/* ssl_cert_check_digital_signature_key_usage parses the DER-encoded, X.509
787 * certificate in |in| and returns one if doesn't specify a key usage or, if it
788 * does, if it includes digitalSignature. Otherwise it pushes to the error
789 * queue and returns zero. */
790int ssl_cert_check_digital_signature_key_usage(const CBS *in);
791
Adam Langleyd5157222016-12-12 11:37:43 -0800792/* ssl_cert_parse_pubkey extracts the public key from the DER-encoded, X.509
793 * certificate in |in|. It returns an allocated |EVP_PKEY| or else returns NULL
794 * and pushes to the error queue. */
795EVP_PKEY *ssl_cert_parse_pubkey(const CBS *in);
796
David Benjamine0332e82016-07-13 22:40:36 -0400797/* ssl_parse_client_CA_list parses a CA list from |cbs| in the format used by a
798 * TLS CertificateRequest message. On success, it returns a newly-allocated
799 * |X509_NAME| list and advances |cbs|. Otherwise, it returns NULL and sets
800 * |*out_alert| to an alert to send to the peer. */
801STACK_OF(X509_NAME) *
802 ssl_parse_client_CA_list(SSL *ssl, uint8_t *out_alert, CBS *cbs);
803
David Benjamin32a66d52016-07-13 22:03:11 -0400804/* ssl_add_client_CA_list adds the configured CA list to |cbb| in the format
805 * used by a TLS CertificateRequest message. It returns one on success and zero
806 * on error. */
807int ssl_add_client_CA_list(SSL *ssl, CBB *cbb);
808
Adam Langley05672202016-12-13 12:05:49 -0800809/* ssl_check_leaf_certificate returns one if |pkey| and |leaf| are suitable as
810 * a server's leaf certificate for |ssl|. Otherwise, it returns zero and pushes
811 * an error on the error queue. */
812int ssl_check_leaf_certificate(SSL *ssl, EVP_PKEY *pkey,
813 const CRYPTO_BUFFER *leaf);
Steven Valdezbf5aa842016-07-15 07:07:40 -0400814
David Benjamin75836432016-06-17 18:48:29 -0400815
Steven Valdez143e8b32016-07-11 13:19:03 -0400816/* TLS 1.3 key derivation. */
817
818/* tls13_init_key_schedule initializes the handshake hash and key derivation
Steven Valdeza833c352016-11-01 13:39:36 -0400819 * state. The cipher suite and PRF hash must have been selected at this point.
820 * It returns one on success and zero on error. */
David Benjamin6e4fc332016-11-17 16:43:08 +0900821int tls13_init_key_schedule(SSL_HANDSHAKE *hs);
Steven Valdez143e8b32016-07-11 13:19:03 -0400822
823/* tls13_advance_key_schedule incorporates |in| into the key schedule with
824 * HKDF-Extract. It returns one on success and zero on error. */
David Benjamin6e4fc332016-11-17 16:43:08 +0900825int tls13_advance_key_schedule(SSL_HANDSHAKE *hs, const uint8_t *in,
826 size_t len);
Steven Valdez143e8b32016-07-11 13:19:03 -0400827
Steven Valdeza833c352016-11-01 13:39:36 -0400828/* tls13_get_context_hash writes Hash(Handshake Context) to |out| which must
829 * have room for at least |EVP_MAX_MD_SIZE| bytes. On success, it returns one
830 * and sets |*out_len| to the number of bytes written. Otherwise, it returns
831 * zero. */
832int tls13_get_context_hash(SSL *ssl, uint8_t *out, size_t *out_len);
Steven Valdez143e8b32016-07-11 13:19:03 -0400833
Steven Valdeza833c352016-11-01 13:39:36 -0400834/* tls13_set_traffic_key sets the read or write traffic keys to
835 * |traffic_secret|. It returns one on success and zero on error. */
836int tls13_set_traffic_key(SSL *ssl, enum evp_aead_direction_t direction,
Steven Valdez143e8b32016-07-11 13:19:03 -0400837 const uint8_t *traffic_secret,
838 size_t traffic_secret_len);
839
Steven Valdez4cb84942016-12-16 11:29:28 -0500840/* tls13_derive_handshake_secrets derives the handshake traffic secret. It
841 * returns one on success and zero on error. */
842int tls13_derive_handshake_secrets(SSL_HANDSHAKE *hs);
Steven Valdez143e8b32016-07-11 13:19:03 -0400843
Steven Valdez1dc53d22016-07-26 12:27:38 -0400844/* tls13_rotate_traffic_key derives the next read or write traffic secret. It
845 * returns one on success and zero on error. */
846int tls13_rotate_traffic_key(SSL *ssl, enum evp_aead_direction_t direction);
847
Steven Valdeza833c352016-11-01 13:39:36 -0400848/* tls13_derive_application_secrets derives the initial application data traffic
849 * and exporter secrets based on the handshake transcripts and |master_secret|.
850 * It returns one on success and zero on error. */
David Benjamin6e4fc332016-11-17 16:43:08 +0900851int tls13_derive_application_secrets(SSL_HANDSHAKE *hs);
Steven Valdez143e8b32016-07-11 13:19:03 -0400852
Steven Valdeza833c352016-11-01 13:39:36 -0400853/* tls13_derive_resumption_secret derives the |resumption_secret|. */
David Benjamin6e4fc332016-11-17 16:43:08 +0900854int tls13_derive_resumption_secret(SSL_HANDSHAKE *hs);
Steven Valdez143e8b32016-07-11 13:19:03 -0400855
Steven Valdeza833c352016-11-01 13:39:36 -0400856/* tls13_export_keying_material provides an exporter interface to use the
Steven Valdez143e8b32016-07-11 13:19:03 -0400857 * |exporter_secret|. */
858int tls13_export_keying_material(SSL *ssl, uint8_t *out, size_t out_len,
859 const char *label, size_t label_len,
860 const uint8_t *context, size_t context_len,
861 int use_context);
862
863/* tls13_finished_mac calculates the MAC of the handshake transcript to verify
864 * the integrity of the Finished message, and stores the result in |out| and
865 * length in |out_len|. |is_server| is 1 if this is for the Server Finished and
866 * 0 for the Client Finished. */
David Benjamin6e4fc332016-11-17 16:43:08 +0900867int tls13_finished_mac(SSL_HANDSHAKE *hs, uint8_t *out,
868 size_t *out_len, int is_server);
Steven Valdez143e8b32016-07-11 13:19:03 -0400869
Steven Valdeza833c352016-11-01 13:39:36 -0400870/* tls13_write_psk_binder calculates the PSK binder value and replaces the last
871 * bytes of |msg| with the resulting value. It returns 1 on success, and 0 on
872 * failure. */
873int tls13_write_psk_binder(SSL *ssl, uint8_t *msg, size_t len);
Steven Valdez4aa154e2016-07-29 14:32:55 -0400874
Steven Valdeza833c352016-11-01 13:39:36 -0400875/* tls13_verify_psk_binder verifies that the handshake transcript, truncated
876 * up to the binders has a valid signature using the value of |session|'s
877 * resumption secret. It returns 1 on success, and 0 on failure. */
878int tls13_verify_psk_binder(SSL *ssl, SSL_SESSION *session, CBS *binders);
Steven Valdez4aa154e2016-07-29 14:32:55 -0400879
Steven Valdez143e8b32016-07-11 13:19:03 -0400880
881/* Handshake functions. */
882
883enum ssl_hs_wait_t {
884 ssl_hs_error,
885 ssl_hs_ok,
886 ssl_hs_read_message,
Steven Valdez143e8b32016-07-11 13:19:03 -0400887 ssl_hs_flush,
David Benjaminf2401eb2016-07-18 22:25:05 +0200888 ssl_hs_flush_and_read_message,
Steven Valdez143e8b32016-07-11 13:19:03 -0400889 ssl_hs_x509_lookup,
Nick Harper60a85cb2016-09-23 16:25:11 -0700890 ssl_hs_channel_id_lookup,
Steven Valdez143e8b32016-07-11 13:19:03 -0400891 ssl_hs_private_key_operation,
892};
893
David Benjamince8c9d22016-11-14 10:45:16 +0900894struct ssl_handshake_st {
895 /* ssl is a non-owning pointer to the parent |SSL| object. */
896 SSL *ssl;
897
David Benjamince8c9d22016-11-14 10:45:16 +0900898 /* do_tls13_handshake runs the TLS 1.3 handshake. On completion, it returns
899 * |ssl_hs_ok|. Otherwise, it returns a value corresponding to what operation
900 * is needed to progress. */
David Benjaminc3c88822016-11-14 10:32:04 +0900901 enum ssl_hs_wait_t (*do_tls13_handshake)(SSL_HANDSHAKE *hs);
Steven Valdez143e8b32016-07-11 13:19:03 -0400902
Adam Langley4ba6e192016-12-07 15:54:54 -0800903 /* wait contains the operation |do_tls13_handshake| is currently blocking on
904 * or |ssl_hs_ok| if none. */
905 enum ssl_hs_wait_t wait;
906
David Benjamincb0c29f2016-12-12 17:00:50 -0500907 /* state contains one of the SSL3_ST_* values. */
908 int state;
909
910 /* next_state is used when SSL_ST_FLUSH_DATA is entered */
911 int next_state;
912
David Benjamin3977f302016-12-11 13:30:41 -0500913 /* tls13_state is the internal state for the TLS 1.3 handshake. Its values
914 * depend on |do_tls13_handshake| but the starting state is always zero. */
915 int tls13_state;
Steven Valdez143e8b32016-07-11 13:19:03 -0400916
917 size_t hash_len;
Steven Valdez143e8b32016-07-11 13:19:03 -0400918 uint8_t secret[EVP_MAX_MD_SIZE];
Steven Valdez4cb84942016-12-16 11:29:28 -0500919 uint8_t client_handshake_secret[EVP_MAX_MD_SIZE];
920 uint8_t server_handshake_secret[EVP_MAX_MD_SIZE];
Steven Valdezc4aa7272016-10-03 12:25:56 -0400921 uint8_t client_traffic_secret_0[EVP_MAX_MD_SIZE];
922 uint8_t server_traffic_secret_0[EVP_MAX_MD_SIZE];
Steven Valdez143e8b32016-07-11 13:19:03 -0400923
David Benjaminf5d2cd02016-10-06 19:39:20 -0400924 union {
925 /* sent is a bitset where the bits correspond to elements of kExtensions
926 * in t1_lib.c. Each bit is set if that extension was sent in a
927 * ClientHello. It's not used by servers. */
928 uint32_t sent;
929 /* received is a bitset, like |sent|, but is used by servers to record
930 * which extensions were received from a client. */
931 uint32_t received;
932 } extensions;
933
934 union {
935 /* sent is a bitset where the bits correspond to elements of
936 * |client_custom_extensions| in the |SSL_CTX|. Each bit is set if that
937 * extension was sent in a ClientHello. It's not used by servers. */
938 uint16_t sent;
939 /* received is a bitset, like |sent|, but is used by servers to record
940 * which custom extensions were received from a client. The bits here
941 * correspond to |server_custom_extensions|. */
942 uint16_t received;
943 } custom_extensions;
944
David Benjamin4fe3c902016-08-16 02:17:03 -0400945 /* retry_group is the group ID selected by the server in HelloRetryRequest in
946 * TLS 1.3. */
Steven Valdez5440fe02016-07-18 12:40:30 -0400947 uint16_t retry_group;
David Benjamin4fe3c902016-08-16 02:17:03 -0400948
Adam Langley4ba6e192016-12-07 15:54:54 -0800949 /* ecdh_ctx is the current ECDH instance. */
950 SSL_ECDH_CTX ecdh_ctx;
951
David Benjamin3baa6e12016-10-07 21:10:38 -0400952 /* cookie is the value of the cookie received from the server, if any. */
953 uint8_t *cookie;
954 size_t cookie_len;
955
David Benjamin4fe3c902016-08-16 02:17:03 -0400956 /* key_share_bytes is the value of the previously sent KeyShare extension by
957 * the client in TLS 1.3. */
Steven Valdez5440fe02016-07-18 12:40:30 -0400958 uint8_t *key_share_bytes;
959 size_t key_share_bytes_len;
David Benjamin4fe3c902016-08-16 02:17:03 -0400960
961 /* public_key, for servers, is the key share to be sent to the client in TLS
962 * 1.3. */
Steven Valdez143e8b32016-07-11 13:19:03 -0400963 uint8_t *public_key;
964 size_t public_key_len;
965
David Benjamin0fc37ef2016-08-17 15:29:46 -0400966 /* peer_sigalgs are the signature algorithms that the peer supports. These are
967 * taken from the contents of the signature algorithms extension for a server
968 * or from the CertificateRequest for a client. */
969 uint16_t *peer_sigalgs;
970 /* num_peer_sigalgs is the number of entries in |peer_sigalgs|. */
971 size_t num_peer_sigalgs;
972
David Benjamin43612b62016-10-07 00:41:50 -0400973 /* peer_supported_group_list contains the supported group IDs advertised by
974 * the peer. This is only set on the server's end. The server does not
975 * advertise this extension to the client. */
976 uint16_t *peer_supported_group_list;
977 size_t peer_supported_group_list_len;
978
David Benjamina4c8ff02016-10-08 02:49:01 -0400979 /* peer_key is the peer's ECDH key for a TLS 1.2 client. */
980 uint8_t *peer_key;
981 size_t peer_key_len;
982
983 /* server_params, in TLS 1.2, stores the ServerKeyExchange parameters to be
984 * signed while the signature is being computed. */
985 uint8_t *server_params;
986 size_t server_params_len;
987
Adam Langley4ba6e192016-12-07 15:54:54 -0800988 /* peer_psk_identity_hint, on the client, is the psk_identity_hint sent by the
989 * server when using a TLS 1.2 PSK key exchange. */
990 char *peer_psk_identity_hint;
991
992 /* ca_names, on the client, contains the list of CAs received in a
993 * CertificateRequest message. */
994 STACK_OF(X509_NAME) *ca_names;
995
996 /* certificate_types, on the client, contains the set of certificate types
997 * received in a CertificateRequest message. */
998 uint8_t *certificate_types;
999 size_t num_certificate_types;
1000
1001 /* hostname, on the server, is the value of the SNI extension. */
1002 char *hostname;
1003
Adam Langleyd5157222016-12-12 11:37:43 -08001004 /* peer_pubkey is the public key parsed from the peer's leaf certificate. */
1005 EVP_PKEY *peer_pubkey;
1006
Adam Langley4ba6e192016-12-07 15:54:54 -08001007 /* key_block is the record-layer key block for TLS 1.2 and earlier. */
1008 uint8_t *key_block;
1009 uint8_t key_block_len;
1010
David Benjamina0486782016-10-06 19:11:32 -04001011 /* session_tickets_sent, in TLS 1.3, is the number of tickets the server has
1012 * sent. */
Steven Valdez1e6f11a2016-07-27 11:10:52 -04001013 uint8_t session_tickets_sent;
David Benjaminbac75b82016-09-16 19:34:02 -04001014
Adam Langley4ba6e192016-12-07 15:54:54 -08001015 /* scts_requested is one if the SCT extension is in the ClientHello. */
1016 unsigned scts_requested:1;
1017
1018 /* needs_psk_binder if the ClientHello has a placeholder PSK binder to be
1019 * filled in. */
1020 unsigned needs_psk_binder:1;
1021
1022 unsigned received_hello_retry_request:1;
1023
1024 /* accept_psk_mode stores whether the client's PSK mode is compatible with our
1025 * preferences. */
1026 unsigned accept_psk_mode:1;
1027
David Benjamina0486782016-10-06 19:11:32 -04001028 /* cert_request is one if a client certificate was requested and zero
1029 * otherwise. */
1030 unsigned cert_request:1;
1031
1032 /* certificate_status_expected is one if OCSP stapling was negotiated and the
1033 * server is expected to send a CertificateStatus message. (This is used on
1034 * both the client and server sides.) */
1035 unsigned certificate_status_expected:1;
1036
1037 /* ocsp_stapling_requested is one if a client requested OCSP stapling. */
1038 unsigned ocsp_stapling_requested:1;
1039
1040 /* should_ack_sni is used by a server and indicates that the SNI extension
1041 * should be echoed in the ServerHello. */
1042 unsigned should_ack_sni:1;
1043
1044 /* in_false_start is one if there is a pending client handshake in False
1045 * Start. The client may write data at this point. */
1046 unsigned in_false_start:1;
1047
David Benjaminb74b0812016-10-06 19:43:48 -04001048 /* next_proto_neg_seen is one of NPN was negotiated. */
1049 unsigned next_proto_neg_seen:1;
1050
David Benjamin78476f62016-11-12 11:20:55 +09001051 /* ticket_expected is one if a TLS 1.2 NewSessionTicket message is to be sent
1052 * or received. */
1053 unsigned ticket_expected:1;
David Benjaminf04c2e92016-12-06 13:35:25 -05001054
Steven Valdez258508f2017-01-25 15:47:49 -05001055 /* v2_clienthello is one if we received a V2ClientHello. */
1056 unsigned v2_clienthello:1;
1057
David Benjaminf04c2e92016-12-06 13:35:25 -05001058 /* client_version is the value sent or received in the ClientHello version. */
1059 uint16_t client_version;
David Benjamince8c9d22016-11-14 10:45:16 +09001060} /* SSL_HANDSHAKE */;
Steven Valdez143e8b32016-07-11 13:19:03 -04001061
David Benjamince8c9d22016-11-14 10:45:16 +09001062SSL_HANDSHAKE *ssl_handshake_new(SSL *ssl);
Steven Valdez143e8b32016-07-11 13:19:03 -04001063
1064/* ssl_handshake_free releases all memory associated with |hs|. */
1065void ssl_handshake_free(SSL_HANDSHAKE *hs);
1066
David Benjamin276b7e82017-01-21 14:13:39 -05001067/* ssl_check_message_type checks if the current message has type |type|. If so
1068 * it returns one. Otherwise, it sends an alert and returns zero. */
1069int ssl_check_message_type(SSL *ssl, int type);
1070
Steven Valdez143e8b32016-07-11 13:19:03 -04001071/* tls13_handshake runs the TLS 1.3 handshake. It returns one on success and <=
1072 * 0 on error. */
David Benjaminc3c88822016-11-14 10:32:04 +09001073int tls13_handshake(SSL_HANDSHAKE *hs);
Steven Valdez143e8b32016-07-11 13:19:03 -04001074
David Benjamince8c9d22016-11-14 10:45:16 +09001075/* The following are implementations of |do_tls13_handshake| for the client and
Steven Valdez143e8b32016-07-11 13:19:03 -04001076 * server. */
David Benjaminc3c88822016-11-14 10:32:04 +09001077enum ssl_hs_wait_t tls13_client_handshake(SSL_HANDSHAKE *hs);
1078enum ssl_hs_wait_t tls13_server_handshake(SSL_HANDSHAKE *hs);
Steven Valdez143e8b32016-07-11 13:19:03 -04001079
Steven Valdez8e1c7be2016-07-26 12:39:22 -04001080/* tls13_post_handshake processes a post-handshake message. It returns one on
1081 * success and zero on failure. */
1082int tls13_post_handshake(SSL *ssl);
1083
Adam Langley0c294252016-12-12 11:46:09 -08001084int tls13_process_certificate(SSL_HANDSHAKE *hs, int allow_anonymous);
1085int tls13_process_certificate_verify(SSL_HANDSHAKE *hs);
David Benjamin6e4fc332016-11-17 16:43:08 +09001086int tls13_process_finished(SSL_HANDSHAKE *hs);
Steven Valdez143e8b32016-07-11 13:19:03 -04001087
David Benjamin0f24bed2017-01-12 19:46:50 -05001088int tls13_add_certificate(SSL_HANDSHAKE *hs);
1089enum ssl_private_key_result_t tls13_add_certificate_verify(SSL_HANDSHAKE *hs,
1090 int is_first_run);
1091int tls13_add_finished(SSL_HANDSHAKE *hs);
Steven Valdez1e6f11a2016-07-27 11:10:52 -04001092int tls13_process_new_session_ticket(SSL *ssl);
Steven Valdez143e8b32016-07-11 13:19:03 -04001093
David Benjamin8baf9632016-11-17 17:11:16 +09001094int ssl_ext_key_share_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t **out_secret,
Steven Valdez7259f2f2016-08-02 16:55:05 -04001095 size_t *out_secret_len,
1096 uint8_t *out_alert, CBS *contents);
David Benjamin8baf9632016-11-17 17:11:16 +09001097int ssl_ext_key_share_parse_clienthello(SSL_HANDSHAKE *hs, int *out_found,
Steven Valdez7259f2f2016-08-02 16:55:05 -04001098 uint8_t **out_secret,
1099 size_t *out_secret_len,
1100 uint8_t *out_alert, CBS *contents);
David Benjamin8baf9632016-11-17 17:11:16 +09001101int ssl_ext_key_share_add_serverhello(SSL_HANDSHAKE *hs, CBB *out);
Steven Valdez143e8b32016-07-11 13:19:03 -04001102
David Benjamin8baf9632016-11-17 17:11:16 +09001103int ssl_ext_pre_shared_key_parse_serverhello(SSL_HANDSHAKE *hs,
1104 uint8_t *out_alert, CBS *contents);
1105int ssl_ext_pre_shared_key_parse_clienthello(SSL_HANDSHAKE *hs,
Steven Valdez4aa154e2016-07-29 14:32:55 -04001106 SSL_SESSION **out_session,
Steven Valdeza833c352016-11-01 13:39:36 -04001107 CBS *out_binders,
Steven Valdez4aa154e2016-07-29 14:32:55 -04001108 uint8_t *out_alert, CBS *contents);
David Benjamin8baf9632016-11-17 17:11:16 +09001109int ssl_ext_pre_shared_key_add_serverhello(SSL_HANDSHAKE *hs, CBB *out);
Steven Valdez4aa154e2016-07-29 14:32:55 -04001110
Adam Langleycfa08c32016-11-17 13:21:27 -08001111/* ssl_is_sct_list_valid does a shallow parse of the SCT list in |contents| and
1112 * returns one iff it's valid. */
1113int ssl_is_sct_list_valid(const CBS *contents);
1114
David Benjamin8c880a22016-12-03 02:20:34 -05001115int ssl_write_client_hello(SSL_HANDSHAKE *hs);
Steven Valdez5440fe02016-07-18 12:40:30 -04001116
David Benjamin4fe3c902016-08-16 02:17:03 -04001117/* ssl_clear_tls13_state releases client state only needed for TLS 1.3. It
1118 * should be called once the version is known to be TLS 1.2 or earlier. */
David Benjamin6e4fc332016-11-17 16:43:08 +09001119void ssl_clear_tls13_state(SSL_HANDSHAKE *hs);
David Benjamin4fe3c902016-08-16 02:17:03 -04001120
Nick Harper60a85cb2016-09-23 16:25:11 -07001121enum ssl_cert_verify_context_t {
1122 ssl_cert_verify_server,
1123 ssl_cert_verify_client,
1124 ssl_cert_verify_channel_id,
1125};
1126
1127/* tls13_get_cert_verify_signature_input generates the message to be signed for
1128 * TLS 1.3's CertificateVerify message. |cert_verify_context| determines the
1129 * type of signature. It sets |*out| and |*out_len| to a newly allocated buffer
1130 * containing the result. The caller must free it with |OPENSSL_free| to release
1131 * it. This function returns one on success and zero on failure. */
1132int tls13_get_cert_verify_signature_input(
1133 SSL *ssl, uint8_t **out, size_t *out_len,
1134 enum ssl_cert_verify_context_t cert_verify_context);
1135
David Benjamin9ef31f02016-10-31 18:01:13 -04001136/* ssl_negotiate_alpn negotiates the ALPN extension, if applicable. It returns
1137 * one on successful negotiation or if nothing was negotiated. It returns zero
1138 * and sets |*out_alert| to an alert on error. */
David Benjaminf3c8f8d2016-11-17 17:20:47 +09001139int ssl_negotiate_alpn(SSL_HANDSHAKE *hs, uint8_t *out_alert,
David Benjamin731058e2016-12-03 23:15:13 -05001140 const SSL_CLIENT_HELLO *client_hello);
David Benjamin9ef31f02016-10-31 18:01:13 -04001141
David Benjaminffb11072016-11-13 10:32:10 +09001142typedef struct {
1143 uint16_t type;
1144 int *out_present;
1145 CBS *out_data;
1146} SSL_EXTENSION_TYPE;
1147
1148/* ssl_parse_extensions parses a TLS extensions block out of |cbs| and advances
1149 * it. It writes the parsed extensions to pointers denoted by |ext_types|. On
1150 * success, it fills in the |out_present| and |out_data| fields and returns one.
1151 * Otherwise, it sets |*out_alert| to an alert to send and returns zero. Unknown
Steven Valdez08b65f42016-12-07 15:29:45 -05001152 * extensions are rejected unless |ignore_unknown| is 1. */
David Benjaminffb11072016-11-13 10:32:10 +09001153int ssl_parse_extensions(const CBS *cbs, uint8_t *out_alert,
1154 const SSL_EXTENSION_TYPE *ext_types,
Steven Valdez08b65f42016-12-07 15:29:45 -05001155 size_t num_ext_types, int ignore_unknown);
David Benjaminffb11072016-11-13 10:32:10 +09001156
Steven Valdez143e8b32016-07-11 13:19:03 -04001157
David Benjamine776cc22016-07-19 07:26:49 +02001158/* SSLKEYLOGFILE functions. */
1159
David Benjamine776cc22016-07-19 07:26:49 +02001160/* ssl_log_secret logs |secret| with label |label|, if logging is enabled for
1161 * |ssl|. It returns one on success and zero on failure. */
1162int ssl_log_secret(const SSL *ssl, const char *label, const uint8_t *secret,
1163 size_t secret_len);
1164
1165
David Benjamine14ff062016-08-09 16:21:24 -04001166/* ClientHello functions. */
1167
David Benjamin731058e2016-12-03 23:15:13 -05001168int ssl_client_hello_init(SSL *ssl, SSL_CLIENT_HELLO *out, const uint8_t *in,
1169 size_t in_len);
David Benjamine14ff062016-08-09 16:21:24 -04001170
David Benjamin731058e2016-12-03 23:15:13 -05001171int ssl_client_hello_get_extension(const SSL_CLIENT_HELLO *client_hello,
1172 CBS *out, uint16_t extension_type);
David Benjamine14ff062016-08-09 16:21:24 -04001173
David Benjamin731058e2016-12-03 23:15:13 -05001174int ssl_client_cipher_list_contains_cipher(const SSL_CLIENT_HELLO *client_hello,
1175 uint16_t id);
David Benjamine14ff062016-08-09 16:21:24 -04001176
1177
David Benjamin65ac9972016-09-02 21:35:25 -04001178/* GREASE. */
1179
1180enum ssl_grease_index_t {
1181 ssl_grease_cipher = 0,
1182 ssl_grease_group,
1183 ssl_grease_extension1,
1184 ssl_grease_extension2,
David Benjamind9791bf2016-09-27 16:39:52 -04001185 ssl_grease_version,
David Benjamin1a5e8ec2016-10-07 15:19:18 -04001186 ssl_grease_ticket_extension,
David Benjamin65ac9972016-09-02 21:35:25 -04001187};
1188
1189/* ssl_get_grease_value returns a GREASE value for |ssl|. For a given
1190 * connection, the values for each index will be deterministic. This allows the
1191 * same ClientHello be sent twice for a HelloRetryRequest or the same group be
1192 * advertised in both supported_groups and key_shares. */
1193uint16_t ssl_get_grease_value(const SSL *ssl, enum ssl_grease_index_t index);
1194
1195
David Benjamin3ef76972016-10-17 17:59:54 -04001196/* Signature algorithms. */
1197
1198/* tls1_parse_peer_sigalgs parses |sigalgs| as the list of peer signature
David Benjaminf3c8f8d2016-11-17 17:20:47 +09001199 * algorithms and saves them on |hs|. It returns one on success and zero on
1200 * error. */
1201int tls1_parse_peer_sigalgs(SSL_HANDSHAKE *hs, const CBS *sigalgs);
David Benjamin3ef76972016-10-17 17:59:54 -04001202
1203/* tls1_choose_signature_algorithm sets |*out| to a signature algorithm for use
David Benjaminf3c8f8d2016-11-17 17:20:47 +09001204 * with |hs|'s private key based on the peer's preferences and the algorithms
David Benjamin3ef76972016-10-17 17:59:54 -04001205 * supported. It returns one on success and zero on error. */
David Benjaminf3c8f8d2016-11-17 17:20:47 +09001206int tls1_choose_signature_algorithm(SSL_HANDSHAKE *hs, uint16_t *out);
David Benjamin3ef76972016-10-17 17:59:54 -04001207
1208/* tls12_get_verify_sigalgs sets |*out| to the signature algorithms acceptable
1209 * for the peer signature and returns the length of the list. */
1210size_t tls12_get_verify_sigalgs(const SSL *ssl, const uint16_t **out);
1211
1212/* tls12_check_peer_sigalg checks if |sigalg| is acceptable for the peer
1213 * signature. It returns one on success and zero on error, setting |*out_alert|
1214 * to an alert to send. */
1215int tls12_check_peer_sigalg(SSL *ssl, int *out_alert, uint16_t sigalg);
1216
1217
David Benjamin71f07942015-04-08 02:36:59 -04001218/* Underdocumented functions.
1219 *
1220 * Functions below here haven't been touched up and may be underdocumented. */
1221
Adam Langley1258b6a2014-06-20 12:00:00 -07001222#define TLSEXT_CHANNEL_ID_SIZE 128
Adam Langley95c29f32014-06-20 12:00:00 -07001223
David Benjamine518f652014-10-13 16:12:45 -04001224/* From RFC4492, used in encoding the curve type in ECParameters */
Adam Langleyfcf25832014-12-18 17:42:32 -08001225#define NAMED_CURVE_TYPE 3
Adam Langley95c29f32014-06-20 12:00:00 -07001226
Adam Langleyfcf25832014-12-18 17:42:32 -08001227typedef struct cert_st {
David Benjamind1d80782015-07-05 11:54:09 -04001228 EVP_PKEY *privatekey;
Adam Langley3a2b47a2017-01-24 13:59:42 -08001229
1230 /* chain contains the certificate chain, with the leaf at the beginning. The
1231 * first element of |chain| may be NULL to indicate that the leaf certificate
1232 * has not yet been set.
1233 * If |chain| != NULL -> len(chain) >= 1
1234 * If |chain[0]| == NULL -> len(chain) >= 2.
1235 * |chain[1..]| != NULL */
1236 STACK_OF(CRYPTO_BUFFER) *chain;
1237
1238 /* x509_chain may contain a parsed copy of |chain[1..]|. This is only used as
1239 * a cache in order to implement “get0” functions that return a non-owning
1240 * pointer to the certificate chain. */
Adam Langleyc5ac2b62016-11-07 12:02:35 -08001241 STACK_OF(X509) *x509_chain;
David Benjaminf31e6812014-11-13 18:05:55 -05001242
Adam Langley3a2b47a2017-01-24 13:59:42 -08001243 /* x509_leaf may contain a parsed copy of the first element of |chain|. This
1244 * is only used as a cache in order to implement “get0” functions that return
1245 * a non-owning pointer to the certificate chain. */
1246 X509 *x509_leaf;
1247
Adam Langleye1e78132017-01-31 15:24:31 -08001248 /* x509_stash contains the last |X509| object append to the chain. This is a
1249 * workaround for some third-party code that continue to use an |X509| object
1250 * even after passing ownership with an “add0” function. */
1251 X509 *x509_stash;
1252
David Benjaminb4d65fd2015-05-29 17:11:21 -04001253 /* key_method, if non-NULL, is a set of callbacks to call for private key
1254 * operations. */
1255 const SSL_PRIVATE_KEY_METHOD *key_method;
1256
Adam Langleyfcf25832014-12-18 17:42:32 -08001257 DH *dh_tmp;
1258 DH *(*dh_tmp_cb)(SSL *ssl, int is_export, int keysize);
David Benjamindd978782015-04-24 15:20:13 -04001259
David Benjamin0fc37ef2016-08-17 15:29:46 -04001260 /* sigalgs, if non-NULL, is the set of signature algorithms supported by
1261 * |privatekey| in decreasing order of preference. */
David Benjamind246b812016-07-08 15:07:02 -07001262 uint16_t *sigalgs;
David Benjamin0fc37ef2016-08-17 15:29:46 -04001263 size_t num_sigalgs;
Adam Langley95c29f32014-06-20 12:00:00 -07001264
Adam Langleyfcf25832014-12-18 17:42:32 -08001265 /* Certificate setup callback: if set is called whenever a
1266 * certificate may be required (client or server). the callback
1267 * can then examine any appropriate parameters and setup any
1268 * certificates required. This allows advanced applications
1269 * to select certificates on the fly: for example based on
1270 * supported signature algorithms or curves. */
1271 int (*cert_cb)(SSL *ssl, void *arg);
1272 void *cert_cb_arg;
Adam Langleyd323f4b2016-03-01 15:58:14 -08001273
1274 /* Optional X509_STORE for certificate validation. If NULL the parent SSL_CTX
1275 * store is used instead. */
1276 X509_STORE *verify_store;
Adam Langleyfcf25832014-12-18 17:42:32 -08001277} CERT;
Adam Langley95c29f32014-06-20 12:00:00 -07001278
Adam Langleyfcf25832014-12-18 17:42:32 -08001279/* SSL_METHOD is a compatibility structure to support the legacy version-locked
1280 * methods. */
1281struct ssl_method_st {
1282 /* version, if non-zero, is the only protocol version acceptable to an
1283 * SSL_CTX initialized from this method. */
1284 uint16_t version;
1285 /* method is the underlying SSL_PROTOCOL_METHOD that initializes the
1286 * SSL_CTX. */
1287 const SSL_PROTOCOL_METHOD *method;
1288};
David Benjamin82c9e902014-12-12 15:55:27 -05001289
1290/* Used to hold functions for SSLv2 or SSLv3/TLSv1 functions */
Adam Langleyfcf25832014-12-18 17:42:32 -08001291struct ssl_protocol_method_st {
David Benjamin9e13e1a2015-03-05 01:56:32 -05001292 /* is_dtls is one if the protocol is DTLS and zero otherwise. */
1293 char is_dtls;
David Benjaminb6a0a512016-06-21 10:33:21 -04001294 /* min_version is the minimum implemented version. */
1295 uint16_t min_version;
1296 /* max_version is the maximum implemented version. */
1297 uint16_t max_version;
David Benjamin2dc02042016-09-19 19:57:37 -04001298 /* version_from_wire maps |wire_version| to a protocol version. On success, it
1299 * sets |*out_version| to the result and returns one. If the version is
1300 * unknown, it returns zero. */
1301 int (*version_from_wire)(uint16_t *out_version, uint16_t wire_version);
David Benjaminb6a0a512016-06-21 10:33:21 -04001302 /* version_to_wire maps |version| to the wire representation. It is an error
1303 * to call it with an invalid version. */
1304 uint16_t (*version_to_wire)(uint16_t version);
David Benjamina41280d2015-11-26 02:16:49 -05001305 int (*ssl_new)(SSL *ssl);
1306 void (*ssl_free)(SSL *ssl);
David Benjamin276b7e82017-01-21 14:13:39 -05001307 /* ssl_get_message reads the next handshake message. On success, it returns
1308 * one and sets |ssl->s3->tmp.message_type|, |ssl->init_msg|, and
1309 * |ssl->init_num|. Otherwise, it returns <= 0. */
David Benjaminf71036e2017-01-21 14:49:39 -05001310 int (*ssl_get_message)(SSL *ssl);
David Benjaminced94792016-11-14 17:12:11 +09001311 /* get_current_message sets |*out| to the current handshake message. This
1312 * includes the protocol-specific message header. */
1313 void (*get_current_message)(const SSL *ssl, CBS *out);
David Benjamin4497e582016-07-27 17:51:49 -04001314 /* release_current_message is called to release the current handshake message.
1315 * If |free_buffer| is one, buffers will also be released. */
1316 void (*release_current_message)(SSL *ssl, int free_buffer);
David Benjamin163f29a2016-07-28 11:05:58 -04001317 /* read_app_data reads up to |len| bytes of application data into |buf|. On
1318 * success, it returns the number of bytes read. Otherwise, it returns <= 0
1319 * and sets |*out_got_handshake| to whether the failure was due to a
1320 * post-handshake handshake message. If so, it fills in the current message as
1321 * in |ssl_get_message|. */
1322 int (*read_app_data)(SSL *ssl, int *out_got_handshake, uint8_t *buf, int len,
1323 int peek);
David Benjaminf0ee9072016-06-15 17:44:37 -04001324 int (*read_change_cipher_spec)(SSL *ssl);
1325 void (*read_close_notify)(SSL *ssl);
1326 int (*write_app_data)(SSL *ssl, const void *buf_, int len);
1327 int (*dispatch_alert)(SSL *ssl);
David Benjamina1c90a52015-05-30 17:03:14 -04001328 /* supports_cipher returns one if |cipher| is supported by this protocol and
1329 * zero otherwise. */
1330 int (*supports_cipher)(const SSL_CIPHER *cipher);
David Benjamin75836432016-06-17 18:48:29 -04001331 /* init_message begins a new handshake message of type |type|. |cbb| is the
1332 * root CBB to be passed into |finish_message|. |*body| is set to a child CBB
1333 * the caller should write to. It returns one on success and zero on error. */
1334 int (*init_message)(SSL *ssl, CBB *cbb, CBB *body, uint8_t type);
Steven Valdez5eead162016-11-11 22:23:25 -05001335 /* finish_message finishes a handshake message. It sets |*out_msg| to a
1336 * newly-allocated buffer with the serialized message. The caller must
1337 * release it with |OPENSSL_free| when done. It returns one on success and
1338 * zero on error. */
1339 int (*finish_message)(SSL *ssl, CBB *cbb, uint8_t **out_msg, size_t *out_len);
David Benjamindaf207a2017-01-03 18:37:41 -05001340 /* add_message adds a handshake message to the pending flight. It returns one
1341 * on success and zero on error. In either case, it takes ownership of |msg|
1342 * and releases it with |OPENSSL_free| when done. */
1343 int (*add_message)(SSL *ssl, uint8_t *msg, size_t len);
1344 /* add_change_cipher_spec adds a ChangeCipherSpec record to the pending
1345 * flight. It returns one on success and zero on error. */
1346 int (*add_change_cipher_spec)(SSL *ssl);
1347 /* add_alert adds an alert to the pending flight. It returns one on success
1348 * and zero on error. */
1349 int (*add_alert)(SSL *ssl, uint8_t level, uint8_t desc);
1350 /* flush_flight flushes the pending flight to the transport. It returns one on
David Benjamin8d5f9da2017-01-01 17:41:30 -05001351 * success and <= 0 on error. */
1352 int (*flush_flight)(SSL *ssl);
David Benjaminaa7734b2016-06-07 16:40:46 -04001353 /* expect_flight is called when the handshake expects a flight of messages from
1354 * the peer. */
1355 void (*expect_flight)(SSL *ssl);
1356 /* received_flight is called when the handshake has received a flight of
1357 * messages from the peer. */
1358 void (*received_flight)(SSL *ssl);
David Benjamin61672812016-07-14 23:10:43 -04001359 /* set_read_state sets |ssl|'s read cipher state to |aead_ctx|. It takes
1360 * ownership of |aead_ctx|. It returns one on success and zero if changing the
1361 * read state is forbidden at this point. */
1362 int (*set_read_state)(SSL *ssl, SSL_AEAD_CTX *aead_ctx);
1363 /* set_write_state sets |ssl|'s write cipher state to |aead_ctx|. It takes
1364 * ownership of |aead_ctx|. It returns one on success and zero if changing the
1365 * write state is forbidden at this point. */
1366 int (*set_write_state)(SSL *ssl, SSL_AEAD_CTX *aead_ctx);
Adam Langleyfcf25832014-12-18 17:42:32 -08001367};
David Benjamin82c9e902014-12-12 15:55:27 -05001368
Adam Langleyfcf25832014-12-18 17:42:32 -08001369/* This is for the SSLv3/TLSv1.0 differences in crypto/hash stuff It is a bit
1370 * of a mess of functions, but hell, think of it as an opaque structure. */
David Benjaminb9179092016-10-26 13:47:33 -04001371typedef struct ssl3_enc_method {
David Benjamin928f32a2015-12-29 23:32:29 -05001372 /* prf computes the PRF function for |ssl|. It writes |out_len| bytes to
1373 * |out|, using |secret| as the secret and |label| as the label. |seed1| and
1374 * |seed2| are concatenated to form the seed parameter. It returns one on
1375 * success and zero on failure. */
1376 int (*prf)(const SSL *ssl, uint8_t *out, size_t out_len,
1377 const uint8_t *secret, size_t secret_len, const char *label,
1378 size_t label_len, const uint8_t *seed1, size_t seed1_len,
1379 const uint8_t *seed2, size_t seed2_len);
David Benjaminbaa12162015-12-29 19:13:58 -05001380 int (*final_finish_mac)(SSL *ssl, int from_server, uint8_t *out);
David Benjaminb9179092016-10-26 13:47:33 -04001381} SSL3_ENC_METHOD;
Adam Langley95c29f32014-06-20 12:00:00 -07001382
David Benjamine228bd22016-10-17 20:41:08 -04001383typedef struct ssl3_record_st {
1384 /* type is the record type. */
1385 uint8_t type;
1386 /* length is the number of unconsumed bytes in the record. */
1387 uint16_t length;
1388 /* data is a non-owning pointer to the first unconsumed byte of the record. */
1389 uint8_t *data;
1390} SSL3_RECORD;
1391
1392typedef struct ssl3_buffer_st {
1393 /* buf is the memory allocated for this buffer. */
1394 uint8_t *buf;
1395 /* offset is the offset into |buf| which the buffer contents start at. */
1396 uint16_t offset;
1397 /* len is the length of the buffer contents from |buf| + |offset|. */
1398 uint16_t len;
1399 /* cap is how much memory beyond |buf| + |offset| is available. */
1400 uint16_t cap;
1401} SSL3_BUFFER;
1402
1403/* An ssl_shutdown_t describes the shutdown state of one end of the connection,
1404 * whether it is alive or has been shutdown via close_notify or fatal alert. */
1405enum ssl_shutdown_t {
1406 ssl_shutdown_none = 0,
1407 ssl_shutdown_close_notify = 1,
1408 ssl_shutdown_fatal_alert = 2,
1409};
1410
1411typedef struct ssl3_state_st {
1412 uint8_t read_sequence[8];
1413 uint8_t write_sequence[8];
1414
1415 uint8_t server_random[SSL3_RANDOM_SIZE];
1416 uint8_t client_random[SSL3_RANDOM_SIZE];
1417
David Benjamine228bd22016-10-17 20:41:08 -04001418 /* read_buffer holds data from the transport to be processed. */
1419 SSL3_BUFFER read_buffer;
1420 /* write_buffer holds data to be written to the transport. */
1421 SSL3_BUFFER write_buffer;
1422
1423 SSL3_RECORD rrec; /* each decoded record goes in here */
1424
1425 /* partial write - check the numbers match */
1426 unsigned int wnum; /* number of bytes sent so far */
1427 int wpend_tot; /* number bytes written */
1428 int wpend_type;
1429 int wpend_ret; /* number of bytes submitted */
1430 const uint8_t *wpend_buf;
1431
1432 /* handshake_buffer, if non-NULL, contains the handshake transcript. */
1433 BUF_MEM *handshake_buffer;
1434 /* handshake_hash, if initialized with an |EVP_MD|, maintains the handshake
1435 * hash. For TLS 1.1 and below, it is the SHA-1 half. */
1436 EVP_MD_CTX handshake_hash;
1437 /* handshake_md5, if initialized with an |EVP_MD|, maintains the MD5 half of
1438 * the handshake hash for TLS 1.1 and below. */
1439 EVP_MD_CTX handshake_md5;
1440
1441 /* recv_shutdown is the shutdown state for the receive half of the
1442 * connection. */
1443 enum ssl_shutdown_t recv_shutdown;
1444
1445 /* recv_shutdown is the shutdown state for the send half of the connection. */
1446 enum ssl_shutdown_t send_shutdown;
1447
Adam Langley4ba6e192016-12-07 15:54:54 -08001448 int alert_dispatch;
1449
1450 int total_renegotiations;
1451
Steven Valdeza4ee74d2016-11-29 13:36:45 -05001452 /* early_data_skipped is the amount of early data that has been skipped by the
1453 * record layer. */
1454 uint16_t early_data_skipped;
1455
David Benjamine228bd22016-10-17 20:41:08 -04001456 /* empty_record_count is the number of consecutive empty records received. */
1457 uint8_t empty_record_count;
1458
1459 /* warning_alert_count is the number of consecutive warning alerts
1460 * received. */
1461 uint8_t warning_alert_count;
1462
1463 /* key_update_count is the number of consecutive KeyUpdates received. */
1464 uint8_t key_update_count;
1465
Adam Langley4ba6e192016-12-07 15:54:54 -08001466 /* skip_early_data instructs the record layer to skip unexpected early data
1467 * messages when 0RTT is rejected. */
1468 unsigned skip_early_data:1;
1469
1470 /* have_version is true if the connection's final version is known. Otherwise
1471 * the version has not been negotiated yet. */
1472 unsigned have_version:1;
1473
1474 /* v2_hello_done is true if the peer's V2ClientHello, if any, has been handled
1475 * and future messages should use the record layer. */
1476 unsigned v2_hello_done:1;
1477
David Benjamin1a444da2017-01-21 14:27:45 -05001478 /* is_v2_hello is true if the current handshake message was derived from a
1479 * V2ClientHello rather than received from the peer directly. */
1480 unsigned is_v2_hello:1;
1481
Adam Langley4ba6e192016-12-07 15:54:54 -08001482 /* initial_handshake_complete is true if the initial handshake has
1483 * completed. */
1484 unsigned initial_handshake_complete:1;
1485
1486 /* session_reused indicates whether a session was resumed. */
1487 unsigned session_reused:1;
1488
1489 unsigned send_connection_binding:1;
1490
1491 /* In a client, this means that the server supported Channel ID and that a
1492 * Channel ID was sent. In a server it means that we echoed support for
1493 * Channel IDs and that tlsext_channel_id will be valid after the
1494 * handshake. */
1495 unsigned tlsext_channel_id_valid:1;
1496
David Benjamin6f600d62016-12-21 16:06:54 -05001497 /* short_header is one if https://github.com/tlswg/tls13-spec/pull/762 has
1498 * been negotiated. */
1499 unsigned short_header:1;
1500
Adam Langley4ba6e192016-12-07 15:54:54 -08001501 uint8_t send_alert[2];
1502
David Benjamindaf207a2017-01-03 18:37:41 -05001503 /* pending_flight is the pending outgoing flight. This is used to flush each
1504 * handshake flight in a single write. */
1505 BUF_MEM *pending_flight;
1506
1507 /* pending_flight_offset is the number of bytes of |pending_flight| which have
1508 * been successfully written. */
1509 uint32_t pending_flight_offset;
Adam Langley4ba6e192016-12-07 15:54:54 -08001510
David Benjamine228bd22016-10-17 20:41:08 -04001511 /* aead_read_ctx is the current read cipher state. */
1512 SSL_AEAD_CTX *aead_read_ctx;
1513
1514 /* aead_write_ctx is the current write cipher state. */
1515 SSL_AEAD_CTX *aead_write_ctx;
1516
1517 /* enc_method is the method table corresponding to the current protocol
1518 * version. */
1519 const SSL3_ENC_METHOD *enc_method;
1520
David Benjamine228bd22016-10-17 20:41:08 -04001521 /* hs is the handshake state for the current handshake or NULL if there isn't
1522 * one. */
1523 SSL_HANDSHAKE *hs;
1524
1525 uint8_t write_traffic_secret[EVP_MAX_MD_SIZE];
David Benjamine228bd22016-10-17 20:41:08 -04001526 uint8_t read_traffic_secret[EVP_MAX_MD_SIZE];
David Benjamine228bd22016-10-17 20:41:08 -04001527 uint8_t exporter_secret[EVP_MAX_MD_SIZE];
Adam Langley4ba6e192016-12-07 15:54:54 -08001528 uint8_t write_traffic_secret_len;
1529 uint8_t read_traffic_secret_len;
David Benjamine228bd22016-10-17 20:41:08 -04001530 uint8_t exporter_secret_len;
1531
Adam Langley4ba6e192016-12-07 15:54:54 -08001532 /* Connection binding to prevent renegotiation attacks */
1533 uint8_t previous_client_finished[12];
1534 uint8_t previous_client_finished_len;
1535 uint8_t previous_server_finished_len;
1536 uint8_t previous_server_finished[12];
1537
David Benjamine228bd22016-10-17 20:41:08 -04001538 /* State pertaining to the pending handshake.
1539 *
1540 * TODO(davidben): Move everything not needed after the handshake completes to
1541 * |hs| and remove this. */
1542 struct {
David Benjamine228bd22016-10-17 20:41:08 -04001543 /* used to hold the new cipher we are going to use */
1544 const SSL_CIPHER *new_cipher;
1545
Adam Langley4ba6e192016-12-07 15:54:54 -08001546 int message_type;
1547
David Benjamine228bd22016-10-17 20:41:08 -04001548 int reuse_message;
1549
David Benjamine228bd22016-10-17 20:41:08 -04001550 uint8_t new_mac_secret_len;
1551 uint8_t new_key_len;
1552 uint8_t new_fixed_iv_len;
1553
1554 /* extended_master_secret indicates whether the extended master secret
1555 * computation is used in this handshake. Note that this is different from
1556 * whether it was used for the current session. If this is a resumption
1557 * handshake then EMS might be negotiated in the client and server hello
1558 * messages, but it doesn't matter if the session that's being resumed
1559 * didn't use it to create the master secret initially. */
1560 char extended_master_secret;
David Benjamine228bd22016-10-17 20:41:08 -04001561 } tmp;
1562
1563 /* new_session is the new mutable session being established by the current
1564 * handshake. It should not be cached. */
1565 SSL_SESSION *new_session;
1566
1567 /* established_session is the session established by the connection. This
1568 * session is only filled upon the completion of the handshake and is
1569 * immutable. */
1570 SSL_SESSION *established_session;
1571
David Benjamine228bd22016-10-17 20:41:08 -04001572 /* Next protocol negotiation. For the client, this is the protocol that we
1573 * sent in NextProtocol and is set when handling ServerHello extensions.
1574 *
1575 * For a server, this is the client's selected_protocol from NextProtocol and
1576 * is set when handling the NextProtocol message, before the Finished
1577 * message. */
1578 uint8_t *next_proto_negotiated;
1579 size_t next_proto_negotiated_len;
1580
1581 /* ALPN information
1582 * (we are in the process of transitioning from NPN to ALPN.) */
1583
1584 /* In a server these point to the selected ALPN protocol after the
1585 * ClientHello has been processed. In a client these contain the protocol
1586 * that the server selected once the ServerHello has been processed. */
1587 uint8_t *alpn_selected;
1588 size_t alpn_selected_len;
1589
David Benjamine228bd22016-10-17 20:41:08 -04001590 /* For a server:
1591 * If |tlsext_channel_id_valid| is true, then this contains the
1592 * verified Channel ID from the client: a P256 point, (x,y), where
1593 * each are big-endian values. */
1594 uint8_t tlsext_channel_id[64];
1595} SSL3_STATE;
1596
David Benjamin593047f2015-05-08 13:08:52 -04001597/* lengths of messages */
1598#define DTLS1_COOKIE_LENGTH 256
1599
1600#define DTLS1_RT_HEADER_LENGTH 13
1601
1602#define DTLS1_HM_HEADER_LENGTH 12
1603
1604#define DTLS1_CCS_HEADER_LENGTH 1
1605
1606#define DTLS1_AL_HEADER_LENGTH 2
1607
David Benjamin593047f2015-05-08 13:08:52 -04001608struct hm_header_st {
1609 uint8_t type;
1610 uint32_t msg_len;
1611 uint16_t seq;
1612 uint32_t frag_off;
1613 uint32_t frag_len;
David Benjamin593047f2015-05-08 13:08:52 -04001614};
1615
David Benjamin528bd262016-07-08 09:34:05 -07001616/* An hm_fragment is an incoming DTLS message, possibly not yet assembled. */
David Benjamin593047f2015-05-08 13:08:52 -04001617typedef struct hm_fragment_st {
David Benjamin528bd262016-07-08 09:34:05 -07001618 /* type is the type of the message. */
1619 uint8_t type;
1620 /* seq is the sequence number of this message. */
1621 uint16_t seq;
1622 /* msg_len is the length of the message body. */
1623 uint32_t msg_len;
1624 /* data is a pointer to the message, including message header. It has length
1625 * |DTLS1_HM_HEADER_LENGTH| + |msg_len|. */
1626 uint8_t *data;
1627 /* reassembly is a bitmask of |msg_len| bits corresponding to which parts of
1628 * the message have been received. It is NULL if the message is complete. */
David Benjamin593047f2015-05-08 13:08:52 -04001629 uint8_t *reassembly;
1630} hm_fragment;
1631
1632typedef struct dtls1_state_st {
1633 /* send_cookie is true if we are resending the ClientHello
1634 * with a cookie from a HelloVerifyRequest. */
1635 unsigned int send_cookie;
1636
1637 uint8_t cookie[DTLS1_COOKIE_LENGTH];
1638 size_t cookie_len;
1639
1640 /* The current data and handshake epoch. This is initially undefined, and
1641 * starts at zero once the initial handshake is completed. */
1642 uint16_t r_epoch;
1643 uint16_t w_epoch;
1644
1645 /* records being received in the current epoch */
1646 DTLS1_BITMAP bitmap;
1647
David Benjamin593047f2015-05-08 13:08:52 -04001648 uint16_t handshake_write_seq;
David Benjamin593047f2015-05-08 13:08:52 -04001649 uint16_t handshake_read_seq;
1650
1651 /* save last sequence number for retransmissions */
1652 uint8_t last_write_sequence[8];
1653
David Benjaminec847ce2016-06-17 19:30:47 -04001654 /* incoming_messages is a ring buffer of incoming handshake messages that have
1655 * yet to be processed. The front of the ring buffer is message number
1656 * |handshake_read_seq|, at position |handshake_read_seq| %
1657 * |SSL_MAX_HANDSHAKE_FLIGHT|. */
1658 hm_fragment *incoming_messages[SSL_MAX_HANDSHAKE_FLIGHT];
David Benjamin593047f2015-05-08 13:08:52 -04001659
David Benjamin29a83c52016-06-17 19:12:54 -04001660 /* outgoing_messages is the queue of outgoing messages from the last handshake
1661 * flight. */
1662 DTLS_OUTGOING_MESSAGE outgoing_messages[SSL_MAX_HANDSHAKE_FLIGHT];
1663 uint8_t outgoing_messages_len;
David Benjamin593047f2015-05-08 13:08:52 -04001664
David Benjamin1a999cf2017-01-03 10:30:35 -05001665 /* outgoing_written is the number of outgoing messages that have been
1666 * written. */
1667 uint8_t outgoing_written;
1668 /* outgoing_offset is the number of bytes of the next outgoing message have
1669 * been written. */
1670 uint32_t outgoing_offset;
1671
David Benjamin593047f2015-05-08 13:08:52 -04001672 unsigned int mtu; /* max DTLS packet size */
1673
David Benjamin593047f2015-05-08 13:08:52 -04001674 /* num_timeouts is the number of times the retransmit timer has fired since
1675 * the last time it was reset. */
1676 unsigned int num_timeouts;
1677
1678 /* Indicates when the last handshake msg or heartbeat sent will
David Benjamin4d2e7ce2015-05-08 13:29:45 -04001679 * timeout. */
1680 struct timeval next_timeout;
David Benjamin593047f2015-05-08 13:08:52 -04001681
Taylor Brandstetter376a0fe2016-05-10 19:30:28 -07001682 /* timeout_duration_ms is the timeout duration in milliseconds. */
1683 unsigned timeout_duration_ms;
David Benjamin593047f2015-05-08 13:08:52 -04001684} DTLS1_STATE;
1685
David Benjamin338fcaf2014-12-11 01:20:52 -05001686extern const SSL3_ENC_METHOD TLSv1_enc_data;
David Benjamin338fcaf2014-12-11 01:20:52 -05001687extern const SSL3_ENC_METHOD SSLv3_enc_data;
Adam Langley95c29f32014-06-20 12:00:00 -07001688
Steven Valdeza833c352016-11-01 13:39:36 -04001689/* From draft-ietf-tls-tls13-18, used in determining PSK modes. */
1690#define SSL_PSK_KE 0x0
1691#define SSL_PSK_DHE_KE 0x1
Steven Valdez1e6f11a2016-07-27 11:10:52 -04001692
Steven Valdezc4aa7272016-10-03 12:25:56 -04001693/* From draft-ietf-tls-tls13-16, used in determining whether to respond with a
1694 * KeyUpdate. */
1695#define SSL_KEY_UPDATE_NOT_REQUESTED 0
1696#define SSL_KEY_UPDATE_REQUESTED 1
1697
Adam Langley95c29f32014-06-20 12:00:00 -07001698CERT *ssl_cert_new(void);
1699CERT *ssl_cert_dup(CERT *cert);
Adam Langley95c29f32014-06-20 12:00:00 -07001700void ssl_cert_clear_certs(CERT *c);
1701void ssl_cert_free(CERT *c);
Adam Langley3a2b47a2017-01-24 13:59:42 -08001702CRYPTO_BUFFER *x509_to_buffer(X509 *x509);
1703void ssl_cert_flush_cached_x509_leaf(CERT *cert);
1704int ssl_cert_cache_leaf_cert(CERT *cert);
Adam Langleyc26692c2017-01-25 09:34:42 -08001705/* ssl_compare_public_and_private_key returns one if |pubkey| is the public
1706 * counterpart to |privkey|. Otherwise it returns zero and pushes a helpful
1707 * message on the error queue. */
1708int ssl_compare_public_and_private_key(const EVP_PKEY *pubkey,
1709 const EVP_PKEY *privkey);
Adam Langley3a2b47a2017-01-24 13:59:42 -08001710int ssl_cert_check_private_key(const CERT *cert, const EVP_PKEY *privkey);
David Benjaminf3c8f8d2016-11-17 17:20:47 +09001711int ssl_get_new_session(SSL_HANDSHAKE *hs, int is_server);
Steven Valdez1e6f11a2016-07-27 11:10:52 -04001712int ssl_encrypt_ticket(SSL *ssl, CBB *out, const SSL_SESSION *session);
David Benjamine3aa1d92015-06-16 15:34:50 -04001713
Steven Valdez4aa154e2016-07-29 14:32:55 -04001714/* ssl_session_is_context_valid returns one if |session|'s session ID context
1715 * matches the one set on |ssl| and zero otherwise. */
1716int ssl_session_is_context_valid(const SSL *ssl, const SSL_SESSION *session);
1717
1718/* ssl_session_is_time_valid returns one if |session| is still valid and zero if
1719 * it has expired. */
1720int ssl_session_is_time_valid(const SSL *ssl, const SSL_SESSION *session);
1721
David Benjamin75f99142016-11-12 12:36:06 +09001722/* ssl_session_is_resumable returns one if |session| is resumable for |ssl| and
1723 * zero otherwise. */
1724int ssl_session_is_resumable(const SSL *ssl, const SSL_SESSION *session);
1725
David Benjamin4d0be242016-09-01 01:10:07 -04001726void ssl_set_session(SSL *ssl, SSL_SESSION *session);
1727
David Benjamine3aa1d92015-06-16 15:34:50 -04001728enum ssl_session_result_t {
1729 ssl_session_success,
1730 ssl_session_error,
1731 ssl_session_retry,
1732};
1733
David Benjamin731058e2016-12-03 23:15:13 -05001734/* ssl_get_prev_session looks up the previous session based on |client_hello|.
1735 * On success, it sets |*out_session| to the session or NULL if none was found.
1736 * If the session could not be looked up synchronously, it returns
David Benjamine3aa1d92015-06-16 15:34:50 -04001737 * |ssl_session_retry| and should be called again. Otherwise, it returns
1738 * |ssl_session_error|. */
1739enum ssl_session_result_t ssl_get_prev_session(
David Benjamin75f99142016-11-12 12:36:06 +09001740 SSL *ssl, SSL_SESSION **out_session, int *out_tickets_supported,
David Benjamin731058e2016-12-03 23:15:13 -05001741 int *out_renew_ticket, const SSL_CLIENT_HELLO *client_hello);
David Benjamine3aa1d92015-06-16 15:34:50 -04001742
Steven Valdez4aa154e2016-07-29 14:32:55 -04001743/* The following flags determine which parts of the session are duplicated. */
1744#define SSL_SESSION_DUP_AUTH_ONLY 0x0
1745#define SSL_SESSION_INCLUDE_TICKET 0x1
1746#define SSL_SESSION_INCLUDE_NONAUTH 0x2
1747#define SSL_SESSION_DUP_ALL \
1748 (SSL_SESSION_INCLUDE_TICKET | SSL_SESSION_INCLUDE_NONAUTH)
1749
Steven Valdez87eab492016-06-27 16:34:59 -04001750/* SSL_SESSION_dup returns a newly-allocated |SSL_SESSION| with a copy of the
1751 * fields in |session| or NULL on error. The new session is non-resumable and
1752 * must be explicitly marked resumable once it has been filled in. */
1753OPENSSL_EXPORT SSL_SESSION *SSL_SESSION_dup(SSL_SESSION *session,
Steven Valdez4aa154e2016-07-29 14:32:55 -04001754 int dup_flags);
Steven Valdez87eab492016-06-27 16:34:59 -04001755
David Benjamin123db572016-11-03 16:59:25 -04001756/* ssl_session_refresh_time updates |session|'s start time to the current time,
1757 * adjusting the timeout so the expiration time is unchanged. */
1758void ssl_session_refresh_time(SSL *ssl, SSL_SESSION *session);
1759
Adam Langley858a88d2014-06-20 12:00:00 -07001760void ssl_cipher_preference_list_free(
Adam Langleyfcf25832014-12-18 17:42:32 -08001761 struct ssl_cipher_preference_list_st *cipher_list);
David Benjaminabbbee12016-10-31 19:20:42 -04001762
1763/* ssl_get_cipher_preferences returns the cipher preference list for TLS 1.2 and
1764 * below. */
David Benjaminaf3b3d32016-10-31 16:29:57 -04001765const struct ssl_cipher_preference_list_st *ssl_get_cipher_preferences(
1766 const SSL *ssl);
David Benjaminea72bd02014-12-21 21:27:41 -05001767
David Benjamin7aa31d62016-08-08 21:38:32 -04001768int ssl_verify_cert_chain(SSL *ssl, long *out_verify_result,
1769 STACK_OF(X509) * cert_chain);
David Benjaminf3c8f8d2016-11-17 17:20:47 +09001770void ssl_update_cache(SSL_HANDSHAKE *hs, int mode);
David Benjaminf31e6812014-11-13 18:05:55 -05001771
Adam Langley95c29f32014-06-20 12:00:00 -07001772int ssl_verify_alarm_type(long type);
David Benjamin74d8bc22015-05-21 02:16:53 -04001773
David Benjaminc3c88822016-11-14 10:32:04 +09001774int ssl3_get_finished(SSL_HANDSHAKE *hs);
David Benjamin0d56f882015-12-19 17:05:56 -05001775int ssl3_send_alert(SSL *ssl, int level, int desc);
David Benjaminf71036e2017-01-21 14:49:39 -05001776int ssl3_get_message(SSL *ssl);
David Benjaminced94792016-11-14 17:12:11 +09001777void ssl3_get_current_message(const SSL *ssl, CBS *out);
David Benjamin4497e582016-07-27 17:51:49 -04001778void ssl3_release_current_message(SSL *ssl, int free_buffer);
David Benjamin854dd652014-08-26 00:32:30 -04001779
Steven Valdez2b8415e2016-06-30 13:27:23 -04001780/* ssl3_cert_verify_hash writes the SSL 3.0 CertificateVerify hash into the
1781 * bytes pointed to by |out| and writes the number of bytes to |*out_len|. |out|
David Benjamin0aa25bd2016-07-08 14:44:56 -07001782 * must have room for |EVP_MAX_MD_SIZE| bytes. It sets |*out_md| to the hash
1783 * function used. It returns one on success and zero on failure. */
1784int ssl3_cert_verify_hash(SSL *ssl, const EVP_MD **out_md, uint8_t *out,
1785 size_t *out_len, uint16_t signature_algorithm);
David Benjamin854dd652014-08-26 00:32:30 -04001786
David Benjamin16315f72017-01-12 20:02:05 -05001787int ssl3_send_finished(SSL_HANDSHAKE *hs);
David Benjamin0d56f882015-12-19 17:05:56 -05001788int ssl3_dispatch_alert(SSL *ssl);
David Benjamin163f29a2016-07-28 11:05:58 -04001789int ssl3_read_app_data(SSL *ssl, int *out_got_handshake, uint8_t *buf, int len,
1790 int peek);
David Benjamina41280d2015-11-26 02:16:49 -05001791int ssl3_read_change_cipher_spec(SSL *ssl);
David Benjamina6022772015-05-30 16:22:10 -04001792void ssl3_read_close_notify(SSL *ssl);
David Benjamin163f29a2016-07-28 11:05:58 -04001793int ssl3_read_handshake_bytes(SSL *ssl, uint8_t *buf, int len);
David Benjaminc933a472015-05-30 16:14:58 -04001794int ssl3_write_app_data(SSL *ssl, const void *buf, int len);
David Benjamin0d56f882015-12-19 17:05:56 -05001795int ssl3_write_bytes(SSL *ssl, int type, const void *buf, int len);
David Benjamin0d56f882015-12-19 17:05:56 -05001796int ssl3_output_cert_chain(SSL *ssl);
Steven Valdezb6b6ff32016-10-26 11:56:35 -04001797
David Benjamin0d56f882015-12-19 17:05:56 -05001798int ssl3_new(SSL *ssl);
1799void ssl3_free(SSL *ssl);
David Benjamince8c9d22016-11-14 10:45:16 +09001800int ssl3_accept(SSL_HANDSHAKE *hs);
1801int ssl3_connect(SSL_HANDSHAKE *hs);
Adam Langley95c29f32014-06-20 12:00:00 -07001802
David Benjamin75836432016-06-17 18:48:29 -04001803int ssl3_init_message(SSL *ssl, CBB *cbb, CBB *body, uint8_t type);
Steven Valdez5eead162016-11-11 22:23:25 -05001804int ssl3_finish_message(SSL *ssl, CBB *cbb, uint8_t **out_msg, size_t *out_len);
David Benjamindaf207a2017-01-03 18:37:41 -05001805int ssl3_add_message(SSL *ssl, uint8_t *msg, size_t len);
1806int ssl3_add_change_cipher_spec(SSL *ssl);
1807int ssl3_add_alert(SSL *ssl, uint8_t level, uint8_t desc);
David Benjamindaf207a2017-01-03 18:37:41 -05001808int ssl3_flush_flight(SSL *ssl);
David Benjamin75836432016-06-17 18:48:29 -04001809
David Benjamin75836432016-06-17 18:48:29 -04001810int dtls1_init_message(SSL *ssl, CBB *cbb, CBB *body, uint8_t type);
Steven Valdez5eead162016-11-11 22:23:25 -05001811int dtls1_finish_message(SSL *ssl, CBB *cbb, uint8_t **out_msg,
1812 size_t *out_len);
David Benjamindaf207a2017-01-03 18:37:41 -05001813int dtls1_add_message(SSL *ssl, uint8_t *msg, size_t len);
1814int dtls1_add_change_cipher_spec(SSL *ssl);
1815int dtls1_add_alert(SSL *ssl, uint8_t level, uint8_t desc);
David Benjamin1a999cf2017-01-03 10:30:35 -05001816int dtls1_flush_flight(SSL *ssl);
David Benjaminc6604172016-06-02 16:38:35 -04001817
David Benjamindaf207a2017-01-03 18:37:41 -05001818/* ssl_add_message_cbb finishes the handshake message in |cbb| and adds it to
1819 * the pending flight. It returns one on success and zero on error. */
1820int ssl_add_message_cbb(SSL *ssl, CBB *cbb);
Steven Valdez5eead162016-11-11 22:23:25 -05001821
David Benjaminced94792016-11-14 17:12:11 +09001822/* ssl_hash_current_message incorporates the current handshake message into the
1823 * handshake hash. It returns one on success and zero on allocation failure. */
1824int ssl_hash_current_message(SSL *ssl);
1825
David Benjaminc6604172016-06-02 16:38:35 -04001826/* dtls1_get_record reads a new input record. On success, it places it in
1827 * |ssl->s3->rrec| and returns one. Otherwise it returns <= 0 on error or if
1828 * more data is needed. */
1829int dtls1_get_record(SSL *ssl);
1830
David Benjamin163f29a2016-07-28 11:05:58 -04001831int dtls1_read_app_data(SSL *ssl, int *out_got_handshake, uint8_t *buf, int len,
1832 int peek);
David Benjamina41280d2015-11-26 02:16:49 -05001833int dtls1_read_change_cipher_spec(SSL *ssl);
David Benjamina6022772015-05-30 16:22:10 -04001834void dtls1_read_close_notify(SSL *ssl);
Adam Langley95c29f32014-06-20 12:00:00 -07001835
David Benjamin0d56f882015-12-19 17:05:56 -05001836int dtls1_write_app_data(SSL *ssl, const void *buf, int len);
David Benjamin45d45c12016-06-07 15:20:49 -04001837
1838/* dtls1_write_record sends a record. It returns one on success and <= 0 on
1839 * error. */
1840int dtls1_write_record(SSL *ssl, int type, const uint8_t *buf, size_t len,
1841 enum dtls1_use_epoch_t use_epoch);
Adam Langley95c29f32014-06-20 12:00:00 -07001842
David Benjamin0d56f882015-12-19 17:05:56 -05001843int dtls1_send_finished(SSL *ssl, int a, int b, const char *sender, int slen);
David Benjaminaad50db2016-06-23 17:49:12 -04001844int dtls1_retransmit_outgoing_messages(SSL *ssl);
David Benjamin0d56f882015-12-19 17:05:56 -05001845void dtls1_clear_record_buffer(SSL *ssl);
David Benjaminc6604172016-06-02 16:38:35 -04001846int dtls1_parse_fragment(CBS *cbs, struct hm_header_st *out_hdr,
1847 CBS *out_body);
David Benjamin0d56f882015-12-19 17:05:56 -05001848int dtls1_check_timeout_num(SSL *ssl);
David Benjamin0d56f882015-12-19 17:05:56 -05001849int dtls1_handshake_write(SSL *ssl);
David Benjamin2fa83de2015-02-08 01:40:08 -05001850
David Benjamin0d56f882015-12-19 17:05:56 -05001851void dtls1_start_timer(SSL *ssl);
1852void dtls1_stop_timer(SSL *ssl);
1853int dtls1_is_timer_expired(SSL *ssl);
1854void dtls1_double_timeout(SSL *ssl);
Adam Langley95c29f32014-06-20 12:00:00 -07001855unsigned int dtls1_min_mtu(void);
1856
David Benjamin0d56f882015-12-19 17:05:56 -05001857int dtls1_new(SSL *ssl);
1858int dtls1_accept(SSL *ssl);
1859int dtls1_connect(SSL *ssl);
1860void dtls1_free(SSL *ssl);
Adam Langley95c29f32014-06-20 12:00:00 -07001861
David Benjaminf71036e2017-01-21 14:49:39 -05001862int dtls1_get_message(SSL *ssl);
David Benjaminced94792016-11-14 17:12:11 +09001863void dtls1_get_current_message(const SSL *ssl, CBS *out);
David Benjamin4497e582016-07-27 17:51:49 -04001864void dtls1_release_current_message(SSL *ssl, int free_buffer);
David Benjamin0d56f882015-12-19 17:05:56 -05001865int dtls1_dispatch_alert(SSL *ssl);
Adam Langley95c29f32014-06-20 12:00:00 -07001866
David Benjamin67739722016-11-17 17:03:59 +09001867int tls1_change_cipher_state(SSL_HANDSHAKE *hs, int which);
David Benjamin0d56f882015-12-19 17:05:56 -05001868int tls1_handshake_digest(SSL *ssl, uint8_t *out, size_t out_len);
David Benjamin0d56f882015-12-19 17:05:56 -05001869int tls1_generate_master_secret(SSL *ssl, uint8_t *out, const uint8_t *premaster,
David Benjamin31b1d812014-12-23 10:01:09 -05001870 size_t premaster_len);
Adam Langley95c29f32014-06-20 12:00:00 -07001871
Steven Valdez5440fe02016-07-18 12:40:30 -04001872/* tls1_get_grouplist sets |*out_group_ids| and |*out_group_ids_len| to the
David Benjaminf04976b2016-10-07 00:37:55 -04001873 * locally-configured group preference list. */
1874void tls1_get_grouplist(SSL *ssl, const uint16_t **out_group_ids,
Steven Valdez5440fe02016-07-18 12:40:30 -04001875 size_t *out_group_ids_len);
1876
David Benjamin9d0b4bc2016-10-07 00:34:08 -04001877/* tls1_check_group_id returns one if |group_id| is consistent with
1878 * locally-configured group preferences. */
Steven Valdezce902a92016-05-17 11:47:53 -04001879int tls1_check_group_id(SSL *ssl, uint16_t group_id);
Sigbjorn Vik2b23d242015-06-29 15:07:26 +02001880
Steven Valdezce902a92016-05-17 11:47:53 -04001881/* tls1_get_shared_group sets |*out_group_id| to the first preferred shared
1882 * group between client and server preferences and returns one. If none may be
David Benjamin4298d772015-12-19 00:18:25 -05001883 * found, it returns zero. */
David Benjaminf3c8f8d2016-11-17 17:20:47 +09001884int tls1_get_shared_group(SSL_HANDSHAKE *hs, uint16_t *out_group_id);
David Benjamin072334d2014-07-13 16:24:27 -04001885
1886/* tls1_set_curves converts the array of |ncurves| NIDs pointed to by |curves|
Steven Valdezce902a92016-05-17 11:47:53 -04001887 * into a newly allocated array of TLS group IDs. On success, the function
1888 * returns one and writes the array to |*out_group_ids| and its size to
1889 * |*out_group_ids_len|. Otherwise, it returns zero. */
1890int tls1_set_curves(uint16_t **out_group_ids, size_t *out_group_ids_len,
Adam Langleyfcf25832014-12-18 17:42:32 -08001891 const int *curves, size_t ncurves);
David Benjamin072334d2014-07-13 16:24:27 -04001892
Alessandro Ghedini5fd18072016-09-28 21:04:25 +01001893/* tls1_set_curves_list converts the string of curves pointed to by |curves|
1894 * into a newly allocated array of TLS group IDs. On success, the function
1895 * returns one and writes the array to |*out_group_ids| and its size to
1896 * |*out_group_ids_len|. Otherwise, it returns zero. */
1897int tls1_set_curves_list(uint16_t **out_group_ids, size_t *out_group_ids_len,
1898 const char *curves);
1899
David Benjamine8d53502015-10-10 14:13:23 -04001900/* ssl_add_clienthello_tlsext writes ClientHello extensions to |out|. It
1901 * returns one on success and zero on failure. The |header_len| argument is the
1902 * length of the ClientHello written so far and is used to compute the padding
1903 * length. (It does not include the record header.) */
David Benjamin8c880a22016-12-03 02:20:34 -05001904int ssl_add_clienthello_tlsext(SSL_HANDSHAKE *hs, CBB *out, size_t header_len);
David Benjamine8d53502015-10-10 14:13:23 -04001905
David Benjamin8c880a22016-12-03 02:20:34 -05001906int ssl_add_serverhello_tlsext(SSL_HANDSHAKE *hs, CBB *out);
David Benjamin731058e2016-12-03 23:15:13 -05001907int ssl_parse_clienthello_tlsext(SSL_HANDSHAKE *hs,
1908 const SSL_CLIENT_HELLO *client_hello);
David Benjamin8c880a22016-12-03 02:20:34 -05001909int ssl_parse_serverhello_tlsext(SSL_HANDSHAKE *hs, CBS *cbs);
Adam Langley95c29f32014-06-20 12:00:00 -07001910
Adam Langleyfcf25832014-12-18 17:42:32 -08001911#define tlsext_tick_md EVP_sha256
David Benjamine3aa1d92015-06-16 15:34:50 -04001912
David Benjaminef1b0092015-11-21 14:05:44 -05001913/* tls_process_ticket processes a session ticket from the client. On success,
1914 * it sets |*out_session| to the decrypted session or NULL if the ticket was
1915 * rejected. If the ticket was valid, it sets |*out_renew_ticket| to whether
1916 * the ticket should be renewed. It returns one on success and zero on fatal
David Benjamine3aa1d92015-06-16 15:34:50 -04001917 * error. */
1918int tls_process_ticket(SSL *ssl, SSL_SESSION **out_session,
David Benjaminef1b0092015-11-21 14:05:44 -05001919 int *out_renew_ticket, const uint8_t *ticket,
David Benjamine3aa1d92015-06-16 15:34:50 -04001920 size_t ticket_len, const uint8_t *session_id,
1921 size_t session_id_len);
Adam Langley95c29f32014-06-20 12:00:00 -07001922
Nick Harper60a85cb2016-09-23 16:25:11 -07001923/* tls1_verify_channel_id processes the current message as a Channel ID message,
1924 * and verifies the signature. If the key is valid, it saves the Channel ID and
1925 * returns one. Otherwise, it returns zero. */
1926int tls1_verify_channel_id(SSL *ssl);
1927
1928/* tls1_write_channel_id generates a Channel ID message and puts the output in
1929 * |cbb|. |ssl->tlsext_channel_id_private| must already be set before calling.
1930 * This function returns one on success and zero on error. */
1931int tls1_write_channel_id(SSL *ssl, CBB *cbb);
1932
David Benjamind6a4ae92015-08-06 11:10:51 -04001933/* tls1_channel_id_hash computes the hash to be signed by Channel ID and writes
1934 * it to |out|, which must contain at least |EVP_MAX_MD_SIZE| bytes. It returns
1935 * one on success and zero on failure. */
1936int tls1_channel_id_hash(SSL *ssl, uint8_t *out, size_t *out_len);
1937
David Benjamin0d56f882015-12-19 17:05:56 -05001938int tls1_record_handshake_hashes_for_channel_id(SSL *ssl);
Adam Langley1258b6a2014-06-20 12:00:00 -07001939
Nick Harper60a85cb2016-09-23 16:25:11 -07001940/* ssl_do_channel_id_callback checks runs |ssl->ctx->channel_id_cb| if
1941 * necessary. It returns one on success and zero on fatal error. Note that, on
1942 * success, |ssl->tlsext_channel_id_private| may be unset, in which case the
1943 * operation should be retried later. */
1944int ssl_do_channel_id_callback(SSL *ssl);
1945
David Benjamin0d56f882015-12-19 17:05:56 -05001946/* ssl3_can_false_start returns one if |ssl| is allowed to False Start and zero
David Benjamined7c4752015-02-16 19:16:46 -05001947 * otherwise. */
David Benjamin0d56f882015-12-19 17:05:56 -05001948int ssl3_can_false_start(const SSL *ssl);
David Benjaminceb6f282014-12-07 23:56:19 -05001949
David Benjamine99e9122014-12-11 01:46:01 -05001950/* ssl3_get_enc_method returns the SSL3_ENC_METHOD corresponding to
1951 * |version|. */
1952const SSL3_ENC_METHOD *ssl3_get_enc_method(uint16_t version);
1953
David Benjamine0ff7672016-09-19 18:40:03 -04001954/* ssl_get_version_range sets |*out_min_version| and |*out_max_version| to the
1955 * minimum and maximum enabled protocol versions, respectively. */
David Benjaminb6a0a512016-06-21 10:33:21 -04001956int ssl_get_version_range(const SSL *ssl, uint16_t *out_min_version,
David Benjamine0ff7672016-09-19 18:40:03 -04001957 uint16_t *out_max_version);
David Benjaminb9e4fa52015-12-29 23:58:17 -05001958
1959/* ssl3_protocol_version returns |ssl|'s protocol version. It is an error to
1960 * call this function before the version is determined. */
1961uint16_t ssl3_protocol_version(const SSL *ssl);
David Benjaminea72bd02014-12-21 21:27:41 -05001962
David Benjamin928f32a2015-12-29 23:32:29 -05001963uint32_t ssl_get_algorithm_prf(const SSL *ssl);
David Benjaminec2f27d2014-11-13 19:17:25 -05001964
David Benjamin721e8b72016-08-03 13:13:17 -04001965void ssl_get_current_time(const SSL *ssl, struct timeval *out_clock);
1966
David Benjamin2be4aa72017-01-02 07:56:51 -05001967/* ssl_reset_error_state resets state for |SSL_get_error|. */
1968void ssl_reset_error_state(SSL *ssl);
1969
Steven Valdez87eab492016-06-27 16:34:59 -04001970
1971#if defined(__cplusplus)
1972} /* extern C */
1973#endif
1974
David Benjamin2ee94aa2015-04-07 22:38:30 -04001975#endif /* OPENSSL_HEADER_SSL_INTERNAL_H */