Make SSL_CTX opaque. This frees us up to make SSL_CTX a C++ type and avoids a lot of protrusions of otherwise private types into the global namespace. Bug: 6 Change-Id: I8a0624a53a4d26ac4a483fa270c39ecdd07459ee Reviewed-on: https://boringssl-review.googlesource.com/21584 Commit-Queue: Adam Langley <agl@google.com> Reviewed-by: Adam Langley <agl@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h index 032ec7e..0ac3ebf 100644 --- a/include/openssl/ssl.h +++ b/include/openssl/ssl.h
@@ -4042,13 +4042,10 @@ // This structures are exposed for historical reasons, but access to them is // deprecated. -// TODO(davidben): Opaquify most or all of |SSL_CTX| and |SSL_SESSION| so these -// forward declarations are not needed. -typedef struct ssl_protocol_method_st SSL_PROTOCOL_METHOD; +// TODO(davidben): Remove this forward declaration when is |SSL_SESSION| is +// opaque. typedef struct ssl_x509_method_st SSL_X509_METHOD; -DECLARE_STACK_OF(SSL_CUSTOM_EXTENSION) - #define SSL_MAX_SSL_SESSION_ID_LENGTH 32 #define SSL_MAX_SID_CTX_LENGTH 32 #define SSL_MAX_MASTER_KEY_LENGTH 48 @@ -4177,319 +4174,6 @@ unsigned is_server:1; }; -// ssl_cipher_preference_list_st contains a list of SSL_CIPHERs with -// equal-preference groups. For TLS clients, the groups are moot because the -// server picks the cipher and groups cannot be expressed on the wire. However, -// for servers, the equal-preference groups allow the client's preferences to -// be partially respected. (This only has an effect with -// SSL_OP_CIPHER_SERVER_PREFERENCE). -// -// The equal-preference groups are expressed by grouping SSL_CIPHERs together. -// All elements of a group have the same priority: no ordering is expressed -// within a group. -// -// The values in |ciphers| are in one-to-one correspondence with -// |in_group_flags|. (That is, sk_SSL_CIPHER_num(ciphers) is the number of -// bytes in |in_group_flags|.) The bytes in |in_group_flags| are either 1, to -// indicate that the corresponding SSL_CIPHER is not the last element of a -// group, or 0 to indicate that it is. -// -// For example, if |in_group_flags| contains all zeros then that indicates a -// traditional, fully-ordered preference. Every SSL_CIPHER is the last element -// of the group (i.e. they are all in a one-element group). -// -// For a more complex example, consider: -// ciphers: A B C D E F -// in_group_flags: 1 1 0 0 1 0 -// -// That would express the following, order: -// -// A E -// B -> D -> F -// C -struct ssl_cipher_preference_list_st { - STACK_OF(SSL_CIPHER) *ciphers; - uint8_t *in_group_flags; -}; - -struct tlsext_ticket_key { - uint8_t name[SSL_TICKET_KEY_NAME_LEN]; - uint8_t hmac_key[16]; - uint8_t aes_key[16]; - // next_rotation_tv_sec is the time (in seconds from the epoch) when the - // current key should be superseded by a new key, or the time when a previous - // key should be dropped. If zero, then the key should not be automatically - // rotated. - uint64_t next_rotation_tv_sec; -}; - -// ssl_ctx_st (aka |SSL_CTX|) contains configuration common to several SSL -// connections. -struct ssl_ctx_st { - const SSL_PROTOCOL_METHOD *method; - const SSL_X509_METHOD *x509_method; - - // lock is used to protect various operations on this object. - CRYPTO_MUTEX lock; - - // conf_max_version is the maximum acceptable protocol version configured by - // |SSL_CTX_set_max_proto_version|. Note this version is normalized in DTLS - // and is further constrainted by |SSL_OP_NO_*|. - uint16_t conf_max_version; - - // conf_min_version is the minimum acceptable protocol version configured by - // |SSL_CTX_set_min_proto_version|. Note this version is normalized in DTLS - // and is further constrainted by |SSL_OP_NO_*|. - uint16_t conf_min_version; - - // tls13_variant is the variant of TLS 1.3 we are using for this - // configuration. - enum tls13_variant_t tls13_variant; - - struct ssl_cipher_preference_list_st *cipher_list; - - X509_STORE *cert_store; - LHASH_OF(SSL_SESSION) *sessions; - // Most session-ids that will be cached, default is - // SSL_SESSION_CACHE_MAX_SIZE_DEFAULT. 0 is unlimited. - unsigned long session_cache_size; - SSL_SESSION *session_cache_head; - SSL_SESSION *session_cache_tail; - - // handshakes_since_cache_flush is the number of successful handshakes since - // the last cache flush. - int handshakes_since_cache_flush; - - // This can have one of 2 values, ored together, - // SSL_SESS_CACHE_CLIENT, - // SSL_SESS_CACHE_SERVER, - // Default is SSL_SESSION_CACHE_SERVER, which means only - // SSL_accept which cache SSL_SESSIONS. - int session_cache_mode; - - // session_timeout is the default lifetime for new sessions in TLS 1.2 and - // earlier, in seconds. - uint32_t session_timeout; - - // session_psk_dhe_timeout is the default lifetime for new sessions in TLS - // 1.3, in seconds. - uint32_t session_psk_dhe_timeout; - - // If this callback is not null, it will be called each time a session id is - // added to the cache. If this function returns 1, it means that the - // callback will do a SSL_SESSION_free() when it has finished using it. - // Otherwise, on 0, it means the callback has finished with it. If - // remove_session_cb is not null, it will be called when a session-id is - // removed from the cache. After the call, OpenSSL will SSL_SESSION_free() - // it. - int (*new_session_cb)(SSL *ssl, SSL_SESSION *sess); - void (*remove_session_cb)(SSL_CTX *ctx, SSL_SESSION *sess); - SSL_SESSION *(*get_session_cb)(SSL *ssl, const uint8_t *data, int len, - int *copy); - SSL_SESSION *(*get_session_cb_legacy)(SSL *ssl, uint8_t *data, int len, - int *copy); - - CRYPTO_refcount_t references; - - // if defined, these override the X509_verify_cert() calls - int (*app_verify_callback)(X509_STORE_CTX *store_ctx, void *arg); - void *app_verify_arg; - - enum ssl_verify_result_t (*custom_verify_callback)(SSL *ssl, - uint8_t *out_alert); - - // Default password callback. - pem_password_cb *default_passwd_callback; - - // Default password callback user data. - void *default_passwd_callback_userdata; - - // get client cert callback - int (*client_cert_cb)(SSL *ssl, X509 **out_x509, EVP_PKEY **out_pkey); - - // get channel id callback - void (*channel_id_cb)(SSL *ssl, EVP_PKEY **out_pkey); - - CRYPTO_EX_DATA ex_data; - - // custom_*_extensions stores any callback sets for custom extensions. Note - // that these pointers will be NULL if the stack would otherwise be empty. - STACK_OF(SSL_CUSTOM_EXTENSION) *client_custom_extensions; - STACK_OF(SSL_CUSTOM_EXTENSION) *server_custom_extensions; - - // Default values used when no per-SSL value is defined follow - - void (*info_callback)(const SSL *ssl, int type, int value); - - // what we put in client cert requests - STACK_OF(CRYPTO_BUFFER) *client_CA; - - // cached_x509_client_CA is a cache of parsed versions of the elements of - // |client_CA|. - STACK_OF(X509_NAME) *cached_x509_client_CA; - - - // Default values to use in SSL structures follow (these are copied by - // SSL_new) - - uint32_t options; - uint32_t mode; - uint32_t max_cert_list; - - struct cert_st *cert; - - // callback that allows applications to peek at protocol messages - void (*msg_callback)(int write_p, int version, int content_type, - const void *buf, size_t len, SSL *ssl, void *arg); - void *msg_callback_arg; - - int verify_mode; - int (*default_verify_callback)( - int ok, X509_STORE_CTX *ctx); // called 'verify_callback' in the SSL - - X509_VERIFY_PARAM *param; - - // select_certificate_cb is called before most ClientHello processing and - // before the decision whether to resume a session is made. See - // |ssl_select_cert_result_t| for details of the return values. - enum ssl_select_cert_result_t (*select_certificate_cb)( - const SSL_CLIENT_HELLO *); - - // dos_protection_cb is called once the resumption decision for a ClientHello - // has been made. It returns one to continue the handshake or zero to - // abort. - int (*dos_protection_cb) (const SSL_CLIENT_HELLO *); - - // Maximum amount of data to send in one fragment. actual record size can be - // more than this due to padding and MAC overheads. - uint16_t max_send_fragment; - - // TLS extensions servername callback - int (*tlsext_servername_callback)(SSL *, int *, void *); - void *tlsext_servername_arg; - - // RFC 4507 session ticket keys. |tlsext_ticket_key_current| may be NULL - // before the first handshake and |tlsext_ticket_key_prev| may be NULL at any - // time. Automatically generated ticket keys are rotated as needed at - // handshake time. Hence, all access must be synchronized through |lock|. - struct tlsext_ticket_key *tlsext_ticket_key_current; - struct tlsext_ticket_key *tlsext_ticket_key_prev; - - // Callback to support customisation of ticket key setting - int (*tlsext_ticket_key_cb)(SSL *ssl, uint8_t *name, uint8_t *iv, - EVP_CIPHER_CTX *ectx, HMAC_CTX *hctx, int enc); - - // Server-only: psk_identity_hint is the default identity hint to send in - // PSK-based key exchanges. - char *psk_identity_hint; - - unsigned int (*psk_client_callback)(SSL *ssl, const char *hint, - char *identity, - unsigned int max_identity_len, - uint8_t *psk, unsigned int max_psk_len); - unsigned int (*psk_server_callback)(SSL *ssl, const char *identity, - uint8_t *psk, unsigned int max_psk_len); - - - // retain_only_sha256_of_client_certs is true if we should compute the SHA256 - // hash of the peer's certificate and then discard it to save memory and - // session space. Only effective on the server side. - char retain_only_sha256_of_client_certs; - - // Next protocol negotiation information - // (for experimental NPN extension). - - // For a server, this contains a callback function by which the set of - // advertised protocols can be provided. - int (*next_protos_advertised_cb)(SSL *ssl, const uint8_t **out, - unsigned *out_len, void *arg); - void *next_protos_advertised_cb_arg; - // For a client, this contains a callback function that selects the - // next protocol from the list provided by the server. - int (*next_proto_select_cb)(SSL *ssl, uint8_t **out, uint8_t *out_len, - const uint8_t *in, unsigned in_len, void *arg); - void *next_proto_select_cb_arg; - - // ALPN information - // (we are in the process of transitioning from NPN to ALPN.) - - // For a server, this contains a callback function that allows the - // server to select the protocol for the connection. - // out: on successful return, this must point to the raw protocol - // name (without the length prefix). - // outlen: on successful return, this contains the length of |*out|. - // in: points to the client's list of supported protocols in - // wire-format. - // inlen: the length of |in|. - int (*alpn_select_cb)(SSL *ssl, const uint8_t **out, uint8_t *out_len, - const uint8_t *in, unsigned in_len, void *arg); - void *alpn_select_cb_arg; - - // For a client, this contains the list of supported protocols in wire - // format. - uint8_t *alpn_client_proto_list; - unsigned alpn_client_proto_list_len; - - // SRTP profiles we are willing to do from RFC 5764 - STACK_OF(SRTP_PROTECTION_PROFILE) *srtp_profiles; - - // Supported group values inherited by SSL structure - size_t supported_group_list_len; - uint16_t *supported_group_list; - - // The client's Channel ID private key. - EVP_PKEY *tlsext_channel_id_private; - - // keylog_callback, if not NULL, is the key logging callback. See - // |SSL_CTX_set_keylog_callback|. - void (*keylog_callback)(const SSL *ssl, const char *line); - - // current_time_cb, if not NULL, is the function to use to get the current - // time. It sets |*out_clock| to the current time. The |ssl| argument is - // always NULL. See |SSL_CTX_set_current_time_cb|. - void (*current_time_cb)(const SSL *ssl, struct timeval *out_clock); - - // pool is used for all |CRYPTO_BUFFER|s in case we wish to share certificate - // memory. - CRYPTO_BUFFER_POOL *pool; - - // ticket_aead_method contains function pointers for opening and sealing - // session tickets. - const SSL_TICKET_AEAD_METHOD *ticket_aead_method; - - // verify_sigalgs, if not empty, is the set of signature algorithms - // accepted from the peer in decreasing order of preference. - uint16_t *verify_sigalgs; - size_t num_verify_sigalgs; - - // quiet_shutdown is true if the connection should not send a close_notify on - // shutdown. - unsigned quiet_shutdown:1; - - // ocsp_stapling_enabled is only used by client connections and indicates - // whether OCSP stapling will be requested. - unsigned ocsp_stapling_enabled:1; - - // If true, a client will request certificate timestamps. - unsigned signed_cert_timestamps_enabled:1; - - // tlsext_channel_id_enabled is one if Channel ID is enabled and zero - // otherwise. For a server, means that we'll accept Channel IDs from clients. - // For a client, means that we'll advertise support. - unsigned tlsext_channel_id_enabled:1; - - // grease_enabled is one if draft-davidben-tls-grease-01 is enabled and zero - // otherwise. - unsigned grease_enabled:1; - - // allow_unknown_alpn_protos is one if the client allows unsolicited ALPN - // protocols from the peer. - unsigned allow_unknown_alpn_protos:1; - - // ed25519_enabled is one if Ed25519 is advertised in the handshake. - unsigned ed25519_enabled:1; -}; - // Nodejs compatibility section (hidden). // @@ -4644,7 +4328,6 @@ BORINGSSL_MAKE_DELETER(SSL, SSL_free) BORINGSSL_MAKE_DELETER(SSL_CTX, SSL_CTX_free) BORINGSSL_MAKE_DELETER(SSL_SESSION, SSL_SESSION_free) -BORINGSSL_MAKE_DELETER(tlsext_ticket_key, OPENSSL_free); enum class OpenRecordResult { kOK,
diff --git a/ssl/internal.h b/ssl/internal.h index 9efd79c..9efc292 100644 --- a/ssl/internal.h +++ b/ssl/internal.h
@@ -172,11 +172,10 @@ #endif -typedef struct cert_st CERT; - namespace bssl { struct SSL_HANDSHAKE; +struct SSL_PROTOCOL_METHOD; // C++ utilities. @@ -1638,7 +1637,7 @@ // From RFC4492, used in encoding the curve type in ECParameters #define NAMED_CURVE_TYPE 3 -struct SSLCertConfig { +struct CERT { EVP_PKEY *privatekey; // chain contains the certificate chain, with the leaf at the beginning. The @@ -1705,6 +1704,66 @@ bool enable_early_data:1; }; +// |SSL_PROTOCOL_METHOD| abstracts between TLS and DTLS. +struct SSL_PROTOCOL_METHOD { + // is_dtls is one if the protocol is DTLS and zero otherwise. + char is_dtls; + int (*ssl_new)(SSL *ssl); + void (*ssl_free)(SSL *ssl); + // get_message sets |*out| to the current handshake message and returns true + // if one has been received. It returns false if more input is needed. + bool (*get_message)(SSL *ssl, SSLMessage *out); + // read_message reads additional handshake data for |get_message|. On success, + // it returns one. Otherwise, it returns <= 0. + int (*read_message)(SSL *ssl); + // next_message is called to release the current handshake message. + void (*next_message)(SSL *ssl); + // read_app_data reads up to |len| bytes of application data into |buf|. On + // success, it returns the number of bytes read. Otherwise, it returns <= 0 + // and sets |*out_got_handshake| to whether the failure was due to a + // post-handshake handshake message. If so, any handshake messages consumed + // may be read with |get_message|. + int (*read_app_data)(SSL *ssl, bool *out_got_handshake, uint8_t *buf, int len, + int peek); + int (*read_change_cipher_spec)(SSL *ssl); + void (*read_close_notify)(SSL *ssl); + int (*write_app_data)(SSL *ssl, bool *out_needs_handshake, const uint8_t *buf, + int len); + int (*dispatch_alert)(SSL *ssl); + // supports_cipher returns one if |cipher| is supported by this protocol and + // zero otherwise. + int (*supports_cipher)(const SSL_CIPHER *cipher); + // init_message begins a new handshake message of type |type|. |cbb| is the + // root CBB to be passed into |finish_message|. |*body| is set to a child CBB + // the caller should write to. It returns one on success and zero on error. + int (*init_message)(SSL *ssl, CBB *cbb, CBB *body, uint8_t type); + // finish_message finishes a handshake message. It sets |*out_msg| to the + // serialized message. It returns one on success and zero on error. + int (*finish_message)(SSL *ssl, CBB *cbb, Array<uint8_t> *out_msg); + // add_message adds a handshake message to the pending flight. It returns one + // on success and zero on error. + int (*add_message)(SSL *ssl, Array<uint8_t> msg); + // add_change_cipher_spec adds a ChangeCipherSpec record to the pending + // flight. It returns one on success and zero on error. + int (*add_change_cipher_spec)(SSL *ssl); + // add_alert adds an alert to the pending flight. It returns one on success + // and zero on error. + int (*add_alert)(SSL *ssl, uint8_t level, uint8_t desc); + // flush_flight flushes the pending flight to the transport. It returns one on + // success and <= 0 on error. + int (*flush_flight)(SSL *ssl); + // on_handshake_complete is called when the handshake is complete. + void (*on_handshake_complete)(SSL *ssl); + // set_read_state sets |ssl|'s read cipher state to |aead_ctx|. It returns + // one on success and zero if changing the read state is forbidden at this + // point. + int (*set_read_state)(SSL *ssl, UniquePtr<SSLAEADContext> aead_ctx); + // set_write_state sets |ssl|'s write cipher state to |aead_ctx|. It returns + // one on success and zero if changing the write state is forbidden at this + // point. + int (*set_write_state)(SSL *ssl, UniquePtr<SSLAEADContext> aead_ctx); +}; + // ssl_crypto_x509_method provides the |SSL_X509_METHOD| functions using // crypto/x509. extern const SSL_X509_METHOD ssl_crypto_x509_method; @@ -1713,6 +1772,321 @@ // crypto/x509. extern const SSL_X509_METHOD ssl_noop_x509_method; +// ssl_cipher_preference_list_st contains a list of SSL_CIPHERs with +// equal-preference groups. For TLS clients, the groups are moot because the +// server picks the cipher and groups cannot be expressed on the wire. However, +// for servers, the equal-preference groups allow the client's preferences to +// be partially respected. (This only has an effect with +// SSL_OP_CIPHER_SERVER_PREFERENCE). +// +// The equal-preference groups are expressed by grouping SSL_CIPHERs together. +// All elements of a group have the same priority: no ordering is expressed +// within a group. +// +// The values in |ciphers| are in one-to-one correspondence with +// |in_group_flags|. (That is, sk_SSL_CIPHER_num(ciphers) is the number of +// bytes in |in_group_flags|.) The bytes in |in_group_flags| are either 1, to +// indicate that the corresponding SSL_CIPHER is not the last element of a +// group, or 0 to indicate that it is. +// +// For example, if |in_group_flags| contains all zeros then that indicates a +// traditional, fully-ordered preference. Every SSL_CIPHER is the last element +// of the group (i.e. they are all in a one-element group). +// +// For a more complex example, consider: +// ciphers: A B C D E F +// in_group_flags: 1 1 0 0 1 0 +// +// That would express the following, order: +// +// A E +// B -> D -> F +// C +struct ssl_cipher_preference_list_st { + STACK_OF(SSL_CIPHER) *ciphers; + uint8_t *in_group_flags; +}; + +struct tlsext_ticket_key { + static constexpr bool kAllowUniquePtr = true; + + uint8_t name[SSL_TICKET_KEY_NAME_LEN]; + uint8_t hmac_key[16]; + uint8_t aes_key[16]; + // next_rotation_tv_sec is the time (in seconds from the epoch) when the + // current key should be superseded by a new key, or the time when a previous + // key should be dropped. If zero, then the key should not be automatically + // rotated. + uint64_t next_rotation_tv_sec; +}; + +// SSLContext backs the public |SSL_CTX| type. Due to compatibility constraints, +// it is a base class for |ssl_ctx_st|. +struct SSLContext { + const SSL_PROTOCOL_METHOD *method; + const SSL_X509_METHOD *x509_method; + + // lock is used to protect various operations on this object. + CRYPTO_MUTEX lock; + + // conf_max_version is the maximum acceptable protocol version configured by + // |SSL_CTX_set_max_proto_version|. Note this version is normalized in DTLS + // and is further constrainted by |SSL_OP_NO_*|. + uint16_t conf_max_version; + + // conf_min_version is the minimum acceptable protocol version configured by + // |SSL_CTX_set_min_proto_version|. Note this version is normalized in DTLS + // and is further constrainted by |SSL_OP_NO_*|. + uint16_t conf_min_version; + + // tls13_variant is the variant of TLS 1.3 we are using for this + // configuration. + enum tls13_variant_t tls13_variant; + + struct ssl_cipher_preference_list_st *cipher_list; + + X509_STORE *cert_store; + LHASH_OF(SSL_SESSION) *sessions; + // Most session-ids that will be cached, default is + // SSL_SESSION_CACHE_MAX_SIZE_DEFAULT. 0 is unlimited. + unsigned long session_cache_size; + SSL_SESSION *session_cache_head; + SSL_SESSION *session_cache_tail; + + // handshakes_since_cache_flush is the number of successful handshakes since + // the last cache flush. + int handshakes_since_cache_flush; + + // This can have one of 2 values, ored together, + // SSL_SESS_CACHE_CLIENT, + // SSL_SESS_CACHE_SERVER, + // Default is SSL_SESSION_CACHE_SERVER, which means only + // SSL_accept which cache SSL_SESSIONS. + int session_cache_mode; + + // session_timeout is the default lifetime for new sessions in TLS 1.2 and + // earlier, in seconds. + uint32_t session_timeout; + + // session_psk_dhe_timeout is the default lifetime for new sessions in TLS + // 1.3, in seconds. + uint32_t session_psk_dhe_timeout; + + // If this callback is not null, it will be called each time a session id is + // added to the cache. If this function returns 1, it means that the + // callback will do a SSL_SESSION_free() when it has finished using it. + // Otherwise, on 0, it means the callback has finished with it. If + // remove_session_cb is not null, it will be called when a session-id is + // removed from the cache. After the call, OpenSSL will SSL_SESSION_free() + // it. + int (*new_session_cb)(SSL *ssl, SSL_SESSION *sess); + void (*remove_session_cb)(SSL_CTX *ctx, SSL_SESSION *sess); + SSL_SESSION *(*get_session_cb)(SSL *ssl, const uint8_t *data, int len, + int *copy); + SSL_SESSION *(*get_session_cb_legacy)(SSL *ssl, uint8_t *data, int len, + int *copy); + + CRYPTO_refcount_t references; + + // if defined, these override the X509_verify_cert() calls + int (*app_verify_callback)(X509_STORE_CTX *store_ctx, void *arg); + void *app_verify_arg; + + enum ssl_verify_result_t (*custom_verify_callback)(SSL *ssl, + uint8_t *out_alert); + + // Default password callback. + pem_password_cb *default_passwd_callback; + + // Default password callback user data. + void *default_passwd_callback_userdata; + + // get client cert callback + int (*client_cert_cb)(SSL *ssl, X509 **out_x509, EVP_PKEY **out_pkey); + + // get channel id callback + void (*channel_id_cb)(SSL *ssl, EVP_PKEY **out_pkey); + + CRYPTO_EX_DATA ex_data; + + // custom_*_extensions stores any callback sets for custom extensions. Note + // that these pointers will be NULL if the stack would otherwise be empty. + STACK_OF(SSL_CUSTOM_EXTENSION) *client_custom_extensions; + STACK_OF(SSL_CUSTOM_EXTENSION) *server_custom_extensions; + + // Default values used when no per-SSL value is defined follow + + void (*info_callback)(const SSL *ssl, int type, int value); + + // what we put in client cert requests + STACK_OF(CRYPTO_BUFFER) *client_CA; + + // cached_x509_client_CA is a cache of parsed versions of the elements of + // |client_CA|. + STACK_OF(X509_NAME) *cached_x509_client_CA; + + + // Default values to use in SSL structures follow (these are copied by + // SSL_new) + + uint32_t options; + uint32_t mode; + uint32_t max_cert_list; + + CERT *cert; + + // callback that allows applications to peek at protocol messages + void (*msg_callback)(int write_p, int version, int content_type, + const void *buf, size_t len, SSL *ssl, void *arg); + void *msg_callback_arg; + + int verify_mode; + int (*default_verify_callback)( + int ok, X509_STORE_CTX *ctx); // called 'verify_callback' in the SSL + + X509_VERIFY_PARAM *param; + + // select_certificate_cb is called before most ClientHello processing and + // before the decision whether to resume a session is made. See + // |ssl_select_cert_result_t| for details of the return values. + enum ssl_select_cert_result_t (*select_certificate_cb)( + const SSL_CLIENT_HELLO *); + + // dos_protection_cb is called once the resumption decision for a ClientHello + // has been made. It returns one to continue the handshake or zero to + // abort. + int (*dos_protection_cb) (const SSL_CLIENT_HELLO *); + + // Maximum amount of data to send in one fragment. actual record size can be + // more than this due to padding and MAC overheads. + uint16_t max_send_fragment; + + // TLS extensions servername callback + int (*tlsext_servername_callback)(SSL *, int *, void *); + void *tlsext_servername_arg; + + // RFC 4507 session ticket keys. |tlsext_ticket_key_current| may be NULL + // before the first handshake and |tlsext_ticket_key_prev| may be NULL at any + // time. Automatically generated ticket keys are rotated as needed at + // handshake time. Hence, all access must be synchronized through |lock|. + struct tlsext_ticket_key *tlsext_ticket_key_current; + struct tlsext_ticket_key *tlsext_ticket_key_prev; + + // Callback to support customisation of ticket key setting + int (*tlsext_ticket_key_cb)(SSL *ssl, uint8_t *name, uint8_t *iv, + EVP_CIPHER_CTX *ectx, HMAC_CTX *hctx, int enc); + + // Server-only: psk_identity_hint is the default identity hint to send in + // PSK-based key exchanges. + char *psk_identity_hint; + + unsigned int (*psk_client_callback)(SSL *ssl, const char *hint, + char *identity, + unsigned int max_identity_len, + uint8_t *psk, unsigned int max_psk_len); + unsigned int (*psk_server_callback)(SSL *ssl, const char *identity, + uint8_t *psk, unsigned int max_psk_len); + + + // retain_only_sha256_of_client_certs is true if we should compute the SHA256 + // hash of the peer's certificate and then discard it to save memory and + // session space. Only effective on the server side. + char retain_only_sha256_of_client_certs; + + // Next protocol negotiation information + // (for experimental NPN extension). + + // For a server, this contains a callback function by which the set of + // advertised protocols can be provided. + int (*next_protos_advertised_cb)(SSL *ssl, const uint8_t **out, + unsigned *out_len, void *arg); + void *next_protos_advertised_cb_arg; + // For a client, this contains a callback function that selects the + // next protocol from the list provided by the server. + int (*next_proto_select_cb)(SSL *ssl, uint8_t **out, uint8_t *out_len, + const uint8_t *in, unsigned in_len, void *arg); + void *next_proto_select_cb_arg; + + // ALPN information + // (we are in the process of transitioning from NPN to ALPN.) + + // For a server, this contains a callback function that allows the + // server to select the protocol for the connection. + // out: on successful return, this must point to the raw protocol + // name (without the length prefix). + // outlen: on successful return, this contains the length of |*out|. + // in: points to the client's list of supported protocols in + // wire-format. + // inlen: the length of |in|. + int (*alpn_select_cb)(SSL *ssl, const uint8_t **out, uint8_t *out_len, + const uint8_t *in, unsigned in_len, void *arg); + void *alpn_select_cb_arg; + + // For a client, this contains the list of supported protocols in wire + // format. + uint8_t *alpn_client_proto_list; + unsigned alpn_client_proto_list_len; + + // SRTP profiles we are willing to do from RFC 5764 + STACK_OF(SRTP_PROTECTION_PROFILE) *srtp_profiles; + + // Supported group values inherited by SSL structure + size_t supported_group_list_len; + uint16_t *supported_group_list; + + // The client's Channel ID private key. + EVP_PKEY *tlsext_channel_id_private; + + // keylog_callback, if not NULL, is the key logging callback. See + // |SSL_CTX_set_keylog_callback|. + void (*keylog_callback)(const SSL *ssl, const char *line); + + // current_time_cb, if not NULL, is the function to use to get the current + // time. It sets |*out_clock| to the current time. The |ssl| argument is + // always NULL. See |SSL_CTX_set_current_time_cb|. + void (*current_time_cb)(const SSL *ssl, struct timeval *out_clock); + + // pool is used for all |CRYPTO_BUFFER|s in case we wish to share certificate + // memory. + CRYPTO_BUFFER_POOL *pool; + + // ticket_aead_method contains function pointers for opening and sealing + // session tickets. + const SSL_TICKET_AEAD_METHOD *ticket_aead_method; + + // verify_sigalgs, if not empty, is the set of signature algorithms + // accepted from the peer in decreasing order of preference. + uint16_t *verify_sigalgs; + size_t num_verify_sigalgs; + + // quiet_shutdown is true if the connection should not send a close_notify on + // shutdown. + unsigned quiet_shutdown:1; + + // ocsp_stapling_enabled is only used by client connections and indicates + // whether OCSP stapling will be requested. + unsigned ocsp_stapling_enabled:1; + + // If true, a client will request certificate timestamps. + unsigned signed_cert_timestamps_enabled:1; + + // tlsext_channel_id_enabled is one if Channel ID is enabled and zero + // otherwise. For a server, means that we'll accept Channel IDs from clients. + // For a client, means that we'll advertise support. + unsigned tlsext_channel_id_enabled:1; + + // grease_enabled is one if draft-davidben-tls-grease-01 is enabled and zero + // otherwise. + unsigned grease_enabled:1; + + // allow_unknown_alpn_protos is one if the client allows unsolicited ALPN + // protocols from the peer. + unsigned allow_unknown_alpn_protos:1; + + // ed25519_enabled is one if Ed25519 is advertised in the handshake. + unsigned ed25519_enabled:1; +}; + struct SSL3_RECORD { // type is the record type. uint8_t type; @@ -2486,75 +2860,12 @@ uint16_t version; // method is the underlying SSL_PROTOCOL_METHOD that initializes the // SSL_CTX. - const SSL_PROTOCOL_METHOD *method; + const bssl::SSL_PROTOCOL_METHOD *method; // x509_method contains pointers to functions that might deal with |X509| // compatibility, or might be a no-op, depending on the application. const SSL_X509_METHOD *x509_method; }; -// ssl_protocol_method_st, aka |SSL_PROTOCOL_METHOD| abstracts between TLS and -// DTLS. -struct ssl_protocol_method_st { - // is_dtls is one if the protocol is DTLS and zero otherwise. - char is_dtls; - int (*ssl_new)(SSL *ssl); - void (*ssl_free)(SSL *ssl); - // get_message sets |*out| to the current handshake message and returns true - // if one has been received. It returns false if more input is needed. - bool (*get_message)(SSL *ssl, bssl::SSLMessage *out); - // read_message reads additional handshake data for |get_message|. On success, - // it returns one. Otherwise, it returns <= 0. - int (*read_message)(SSL *ssl); - // next_message is called to release the current handshake message. - void (*next_message)(SSL *ssl); - // read_app_data reads up to |len| bytes of application data into |buf|. On - // success, it returns the number of bytes read. Otherwise, it returns <= 0 - // and sets |*out_got_handshake| to whether the failure was due to a - // post-handshake handshake message. If so, any handshake messages consumed - // may be read with |get_message|. - int (*read_app_data)(SSL *ssl, bool *out_got_handshake, uint8_t *buf, int len, - int peek); - int (*read_change_cipher_spec)(SSL *ssl); - void (*read_close_notify)(SSL *ssl); - int (*write_app_data)(SSL *ssl, bool *out_needs_handshake, const uint8_t *buf, - int len); - int (*dispatch_alert)(SSL *ssl); - // supports_cipher returns one if |cipher| is supported by this protocol and - // zero otherwise. - int (*supports_cipher)(const SSL_CIPHER *cipher); - // init_message begins a new handshake message of type |type|. |cbb| is the - // root CBB to be passed into |finish_message|. |*body| is set to a child CBB - // the caller should write to. It returns one on success and zero on error. - int (*init_message)(SSL *ssl, CBB *cbb, CBB *body, uint8_t type); - // finish_message finishes a handshake message. It sets |*out_msg| to the - // serialized message. It returns one on success and zero on error. - int (*finish_message)(SSL *ssl, CBB *cbb, bssl::Array<uint8_t> *out_msg); - // add_message adds a handshake message to the pending flight. It returns one - // on success and zero on error. - int (*add_message)(SSL *ssl, bssl::Array<uint8_t> msg); - // add_change_cipher_spec adds a ChangeCipherSpec record to the pending - // flight. It returns one on success and zero on error. - int (*add_change_cipher_spec)(SSL *ssl); - // add_alert adds an alert to the pending flight. It returns one on success - // and zero on error. - int (*add_alert)(SSL *ssl, uint8_t level, uint8_t desc); - // flush_flight flushes the pending flight to the transport. It returns one on - // success and <= 0 on error. - int (*flush_flight)(SSL *ssl); - // on_handshake_complete is called when the handshake is complete. - void (*on_handshake_complete)(SSL *ssl); - // set_read_state sets |ssl|'s read cipher state to |aead_ctx|. It returns - // one on success and zero if changing the read state is forbidden at this - // point. - int (*set_read_state)(SSL *ssl, - bssl::UniquePtr<bssl::SSLAEADContext> aead_ctx); - // set_write_state sets |ssl|'s write cipher state to |aead_ctx|. It returns - // one on success and zero if changing the write state is forbidden at this - // point. - int (*set_write_state)(SSL *ssl, - bssl::UniquePtr<bssl::SSLAEADContext> aead_ctx); -}; - struct ssl_x509_method_st { // check_client_CA_list returns one if |names| is a good list of X.509 // distinguished names and zero otherwise. This is used to ensure that we can @@ -2562,17 +2873,17 @@ int (*check_client_CA_list)(STACK_OF(CRYPTO_BUFFER) *names); // cert_clear frees and NULLs all X509 certificate-related state. - void (*cert_clear)(CERT *cert); + void (*cert_clear)(bssl::CERT *cert); // cert_free frees all X509-related state. - void (*cert_free)(CERT *cert); + void (*cert_free)(bssl::CERT *cert); // cert_flush_cached_chain drops any cached |X509|-based certificate chain // from |cert|. // cert_dup duplicates any needed fields from |cert| to |new_cert|. - void (*cert_dup)(CERT *new_cert, const CERT *cert); - void (*cert_flush_cached_chain)(CERT *cert); + void (*cert_dup)(bssl::CERT *new_cert, const bssl::CERT *cert); + void (*cert_flush_cached_chain)(bssl::CERT *cert); // cert_flush_cached_chain drops any cached |X509|-based leaf certificate // from |cert|. - void (*cert_flush_cached_leaf)(CERT *cert); + void (*cert_flush_cached_leaf)(bssl::CERT *cert); // session_cache_objects fills out |sess->x509_peer| and |sess->x509_chain| // from |sess->certs| and erases |sess->x509_chain_without_leaf|. It returns @@ -2611,12 +2922,11 @@ void (*ssl_ctx_flush_cached_client_CA)(SSL_CTX *ssl); }; -// ssl_st backs the public |SSL| type. It subclasses the true type so that -// SSLConnection may be a C++ type with methods and destructor without -// polluting the global namespace. +// The following types back public C-exposed types which must live in the global +// namespace. We use subclassing so the implementations may be C++ types with +// methods and destructor without polluting the global namespace. +struct ssl_ctx_st : public bssl::SSLContext {}; struct ssl_st : public bssl::SSLConnection {}; -struct cert_st : public bssl::SSLCertConfig {}; - #endif // OPENSSL_HEADER_SSL_INTERNAL_H