1 /* $OpenBSD: ssl_locl.h,v 1.425 2022/09/10 15:29:33 jsing Exp $ */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
58 /* ====================================================================
59 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
87 * 6. Redistributions of any form whatsoever must retain the following
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
111 /* ====================================================================
112 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
113 * ECC cipher suite support in OpenSSL originally developed by
114 * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
116 /* ====================================================================
117 * Copyright 2005 Nokia. All rights reserved.
119 * The portions of the attached software ("Contribution") is developed by
120 * Nokia Corporation and is licensed pursuant to the OpenSSL open source
123 * The Contribution, originally written by Mika Kousa and Pasi Eronen of
124 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
125 * support (see RFC 4279) to OpenSSL.
127 * No patent licenses or other rights except those expressly stated in
128 * the OpenSSL open source license shall be deemed granted or received
129 * expressly, by implication, estoppel, or otherwise.
131 * No assurances are provided by Nokia that the Contribution does not
132 * infringe the patent or other intellectual property rights of any third
133 * party or that the license provides you with all the necessary rights
134 * to make use of the Contribution.
136 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
137 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
138 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
139 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
143 #ifndef HEADER_SSL_LOCL_H
144 #define HEADER_SSL_LOCL_H
146 #include <sys/types.h>
154 #include <openssl/opensslconf.h>
156 #include <openssl/bio.h>
157 #include <openssl/buffer.h>
158 #include <openssl/dsa.h>
159 #include <openssl/err.h>
160 #include <openssl/rsa.h>
161 #include <openssl/ssl.h>
162 #include <openssl/stack.h>
164 #include "bytestring.h"
165 #include "tls13_internal.h"
169 #define CTASSERT(x) extern char _ctassert[(x) ? 1 : -1 ] \
170 __attribute__((__unused__))
172 #ifndef LIBRESSL_HAS_DTLS1_2
173 #define LIBRESSL_HAS_DTLS1_2
176 #ifndef LIBRESSL_HAS_TLS1_3_CLIENT
177 #define LIBRESSL_HAS_TLS1_3_CLIENT
180 #ifndef LIBRESSL_HAS_TLS1_3_SERVER
181 #define LIBRESSL_HAS_TLS1_3_SERVER
184 #if defined(LIBRESSL_HAS_TLS1_3_CLIENT) || defined(LIBRESSL_HAS_TLS1_3_SERVER)
185 #define LIBRESSL_HAS_TLS1_3
190 #define SSL_DECRYPT 0
191 #define SSL_ENCRYPT 1
194 * Define the Bitmasks for SSL_CIPHER.algorithms.
195 * This bits are used packed as dense as possible. If new methods/ciphers
196 * etc will be added, the bits a likely to change, so this information
197 * is for internal library use only, even though SSL_CIPHER.algorithms
198 * can be publicly accessed.
199 * Use the according functions for cipher management instead.
201 * The bit mask handling in the selection and sorting scheme in
202 * ssl_create_cipher_list() has only limited capabilities, reflecting
203 * that the different entities within are mutually exclusive:
204 * ONLY ONE BIT PER MASK CAN BE SET AT A TIME.
207 /* Bits for algorithm_mkey (key exchange algorithm) */
208 #define SSL_kRSA 0x00000001L /* RSA key exchange */
209 #define SSL_kDHE 0x00000008L /* tmp DH key no DH cert */
210 #define SSL_kECDHE 0x00000080L /* ephemeral ECDH */
211 #define SSL_kGOST 0x00000200L /* GOST key exchange */
212 #define SSL_kTLS1_3 0x00000400L /* TLSv1.3 key exchange */
214 /* Bits for algorithm_auth (server authentication) */
215 #define SSL_aRSA 0x00000001L /* RSA auth */
216 #define SSL_aDSS 0x00000002L /* DSS auth */
217 #define SSL_aNULL 0x00000004L /* no auth (i.e. use ADH or AECDH) */
218 #define SSL_aECDSA 0x00000040L /* ECDSA auth*/
219 #define SSL_aGOST01 0x00000200L /* GOST R 34.10-2001 signature auth */
220 #define SSL_aTLS1_3 0x00000400L /* TLSv1.3 authentication */
222 /* Bits for algorithm_enc (symmetric encryption) */
223 #define SSL_DES 0x00000001L
224 #define SSL_3DES 0x00000002L
225 #define SSL_RC4 0x00000004L
226 #define SSL_IDEA 0x00000008L
227 #define SSL_eNULL 0x00000010L
228 #define SSL_AES128 0x00000020L
229 #define SSL_AES256 0x00000040L
230 #define SSL_CAMELLIA128 0x00000080L
231 #define SSL_CAMELLIA256 0x00000100L
232 #define SSL_eGOST2814789CNT 0x00000200L
233 #define SSL_AES128GCM 0x00000400L
234 #define SSL_AES256GCM 0x00000800L
235 #define SSL_CHACHA20POLY1305 0x00001000L
237 #define SSL_AES (SSL_AES128|SSL_AES256|SSL_AES128GCM|SSL_AES256GCM)
238 #define SSL_CAMELLIA (SSL_CAMELLIA128|SSL_CAMELLIA256)
241 /* Bits for algorithm_mac (symmetric authentication) */
243 #define SSL_MD5 0x00000001L
244 #define SSL_SHA1 0x00000002L
245 #define SSL_GOST94 0x00000004L
246 #define SSL_GOST89MAC 0x00000008L
247 #define SSL_SHA256 0x00000010L
248 #define SSL_SHA384 0x00000020L
249 /* Not a real MAC, just an indication it is part of cipher */
250 #define SSL_AEAD 0x00000040L
251 #define SSL_STREEBOG256 0x00000080L
253 /* Bits for algorithm_ssl (protocol version) */
254 #define SSL_SSLV3 0x00000002L
255 #define SSL_TLSV1 SSL_SSLV3 /* for now */
256 #define SSL_TLSV1_2 0x00000004L
257 #define SSL_TLSV1_3 0x00000008L
260 /* Bits for algorithm2 (handshake digests and other extra flags) */
262 #define SSL_HANDSHAKE_MAC_MASK 0xff0
263 #define SSL_HANDSHAKE_MAC_MD5 0x010
264 #define SSL_HANDSHAKE_MAC_SHA 0x020
265 #define SSL_HANDSHAKE_MAC_GOST94 0x040
266 #define SSL_HANDSHAKE_MAC_SHA256 0x080
267 #define SSL_HANDSHAKE_MAC_SHA384 0x100
268 #define SSL_HANDSHAKE_MAC_STREEBOG256 0x200
269 #define SSL_HANDSHAKE_MAC_DEFAULT (SSL_HANDSHAKE_MAC_MD5 | SSL_HANDSHAKE_MAC_SHA)
271 #define SSL3_CK_ID 0x03000000
272 #define SSL3_CK_VALUE_MASK 0x0000ffff
274 #define TLS1_PRF_DGST_MASK (0xff << TLS1_PRF_DGST_SHIFT)
276 #define TLS1_PRF_DGST_SHIFT 10
277 #define TLS1_PRF_MD5 (SSL_HANDSHAKE_MAC_MD5 << TLS1_PRF_DGST_SHIFT)
278 #define TLS1_PRF_SHA1 (SSL_HANDSHAKE_MAC_SHA << TLS1_PRF_DGST_SHIFT)
279 #define TLS1_PRF_SHA256 (SSL_HANDSHAKE_MAC_SHA256 << TLS1_PRF_DGST_SHIFT)
280 #define TLS1_PRF_SHA384 (SSL_HANDSHAKE_MAC_SHA384 << TLS1_PRF_DGST_SHIFT)
281 #define TLS1_PRF_GOST94 (SSL_HANDSHAKE_MAC_GOST94 << TLS1_PRF_DGST_SHIFT)
282 #define TLS1_PRF_STREEBOG256 (SSL_HANDSHAKE_MAC_STREEBOG256 << TLS1_PRF_DGST_SHIFT)
283 #define TLS1_PRF (TLS1_PRF_MD5 | TLS1_PRF_SHA1)
286 * Stream MAC for GOST ciphersuites from cryptopro draft
287 * (currently this also goes into algorithm2).
289 #define TLS1_STREAM_MAC 0x04
292 * SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD is an algorithm2 flag that
293 * indicates that the variable part of the nonce is included as a prefix of
294 * the record (AES-GCM, for example, does this with an 8-byte variable nonce.)
296 #define SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD (1 << 22)
299 * SSL_CIPHER_AEAD_FIXED_NONCE_LEN returns the number of bytes of fixed nonce
300 * for an SSL_CIPHER with an algorithm_mac of SSL_AEAD.
302 #define SSL_CIPHER_AEAD_FIXED_NONCE_LEN(ssl_cipher) \
303 (((ssl_cipher->algorithm2 >> 24) & 0xf) * 2)
306 * Cipher strength information.
308 #define SSL_STRONG_MASK 0x000001fcL
309 #define SSL_STRONG_NONE 0x00000004L
310 #define SSL_LOW 0x00000020L
311 #define SSL_MEDIUM 0x00000040L
312 #define SSL_HIGH 0x00000080L
315 * The keylength (measured in RSA key bits, I guess) for temporary keys.
316 * Cipher argument is so that this can be variable in the future.
318 #define SSL_C_PKEYLENGTH(c) 1024
320 /* See if we use signature algorithms extension. */
321 #define SSL_USE_SIGALGS(s) \
322 (s->method->enc_flags & SSL_ENC_FLAG_SIGALGS)
324 /* See if we use SHA256 default PRF. */
325 #define SSL_USE_SHA256_PRF(s) \
326 (s->method->enc_flags & SSL_ENC_FLAG_SHA256_PRF)
328 /* Allow TLS 1.2 ciphersuites: applies to DTLS 1.2 as well as TLS 1.2. */
329 #define SSL_USE_TLS1_2_CIPHERS(s) \
330 (s->method->enc_flags & SSL_ENC_FLAG_TLS1_2_CIPHERS)
332 /* Allow TLS 1.3 ciphersuites only. */
333 #define SSL_USE_TLS1_3_CIPHERS(s) \
334 (s->method->enc_flags & SSL_ENC_FLAG_TLS1_3_CIPHERS)
336 #define SSL_PKEY_RSA 0
337 #define SSL_PKEY_ECC 1
338 #define SSL_PKEY_GOST01 2
339 #define SSL_PKEY_NUM 3
341 #define SSL_MAX_EMPTY_RECORDS 32
343 /* SSL_kRSA <- RSA_ENC | (RSA_TMP & RSA_SIGN) |
344 * <- (EXPORT & (RSA_ENC | RSA_TMP) & RSA_SIGN)
345 * SSL_kDH <- DH_ENC & (RSA_ENC | RSA_SIGN | DSA_SIGN)
346 * SSL_kDHE <- RSA_ENC | RSA_SIGN | DSA_SIGN
347 * SSL_aRSA <- RSA_ENC | RSA_SIGN
348 * SSL_aDSS <- DSA_SIGN
351 /* From ECC-TLS draft, used in encoding the curve type in
354 #define EXPLICIT_PRIME_CURVE_TYPE 1
355 #define EXPLICIT_CHAR2_CURVE_TYPE 2
356 #define NAMED_CURVE_TYPE 3
358 typedef struct ssl_cert_pkey_st
{
360 EVP_PKEY
*privatekey
;
361 STACK_OF(X509
) *chain
;
364 typedef struct ssl_cert_st
{
365 /* Current active set */
366 /* ALWAYS points to an element of the pkeys array
367 * Probably it would make more sense to store
368 * an index, not a pointer. */
371 SSL_CERT_PKEY pkeys
[SSL_PKEY_NUM
];
373 /* The following masks are for the key and auth
374 * algorithms that are supported by the certs below */
376 unsigned long mask_k
;
377 unsigned long mask_a
;
380 DH
*(*dhe_params_cb
)(SSL
*ssl
, int is_export
, int keysize
);
383 int (*security_cb
)(const SSL
*s
, const SSL_CTX
*ctx
, int op
, int bits
,
384 int nid
, void *other
, void *ex_data
); /* Not exposed in API. */
386 void *security_ex_data
; /* Not exposed in API. */
388 int references
; /* >1 only if SSL_copy_session_id is used */
396 struct ssl_cipher_st
{
398 const char *name
; /* text name */
399 unsigned long id
; /* id, 4 bytes, first is version */
401 unsigned long algorithm_mkey
; /* key exchange algorithm */
402 unsigned long algorithm_auth
; /* server authentication */
403 unsigned long algorithm_enc
; /* symmetric encryption */
404 unsigned long algorithm_mac
; /* symmetric authentication */
405 unsigned long algorithm_ssl
; /* (major) protocol version */
407 unsigned long algo_strength
; /* strength and export flags */
408 unsigned long algorithm2
; /* Extra flags */
409 int strength_bits
; /* Number of bits really used */
410 int alg_bits
; /* Number of bits for algorithm */
413 struct ssl_method_st
{
418 uint16_t min_tls_version
;
419 uint16_t max_tls_version
;
421 int (*ssl_new
)(SSL
*s
);
422 void (*ssl_clear
)(SSL
*s
);
423 void (*ssl_free
)(SSL
*s
);
425 int (*ssl_accept
)(SSL
*s
);
426 int (*ssl_connect
)(SSL
*s
);
427 int (*ssl_shutdown
)(SSL
*s
);
429 int (*ssl_renegotiate
)(SSL
*s
);
430 int (*ssl_renegotiate_check
)(SSL
*s
);
432 int (*ssl_pending
)(const SSL
*s
);
433 int (*ssl_read_bytes
)(SSL
*s
, int type
, unsigned char *buf
, int len
,
435 int (*ssl_write_bytes
)(SSL
*s
, int type
, const void *buf_
, int len
);
437 const SSL_CIPHER
*(*get_cipher
)(unsigned int ncipher
);
439 unsigned int enc_flags
; /* SSL_ENC_FLAG_* */
443 * Let's make this into an ASN.1 type structure as follows
444 * SSL_SESSION_ID ::= SEQUENCE {
445 * version INTEGER, -- structure version number
446 * SSLversion INTEGER, -- SSL version number
447 * Cipher OCTET STRING, -- the 2 byte cipher ID
448 * Session_ID OCTET STRING, -- the Session ID
449 * Master_key OCTET STRING, -- the master key
450 * KRB5_principal OCTET STRING -- optional Kerberos principal
451 * Time [ 1 ] EXPLICIT INTEGER, -- optional Start Time
452 * Timeout [ 2 ] EXPLICIT INTEGER, -- optional Timeout ins seconds
453 * Peer [ 3 ] EXPLICIT X509, -- optional Peer Certificate
454 * Session_ID_context [ 4 ] EXPLICIT OCTET STRING, -- the Session ID context
455 * Verify_result [ 5 ] EXPLICIT INTEGER, -- X509_V_... code for `Peer'
456 * HostName [ 6 ] EXPLICIT OCTET STRING, -- optional HostName from servername TLS extension
457 * PSK_identity_hint [ 7 ] EXPLICIT OCTET STRING, -- optional PSK identity hint
458 * PSK_identity [ 8 ] EXPLICIT OCTET STRING, -- optional PSK identity
459 * Ticket_lifetime_hint [9] EXPLICIT INTEGER, -- server's lifetime hint for session ticket
460 * Ticket [10] EXPLICIT OCTET STRING, -- session ticket (clients only)
461 * Compression_meth [11] EXPLICIT OCTET STRING, -- optional compression method
462 * SRP_username [ 12 ] EXPLICIT OCTET STRING -- optional SRP username
464 * Look in ssl/ssl_asn1.c for more details
465 * I'm using EXPLICIT tags so I can read the damn things using asn1parse :-).
467 struct ssl_session_st
{
468 int ssl_version
; /* what ssl version session info is
469 * being kept in here? */
471 size_t master_key_length
;
472 unsigned char master_key
[SSL_MAX_MASTER_KEY_LENGTH
];
474 /* session_id - valid? */
475 size_t session_id_length
;
476 unsigned char session_id
[SSL_MAX_SSL_SESSION_ID_LENGTH
];
478 /* this is used to determine whether the session is being reused in
479 * the appropriate context. It is up to the application to set this,
481 size_t sid_ctx_length
;
482 unsigned char sid_ctx
[SSL_MAX_SID_CTX_LENGTH
];
484 /* Peer provided leaf (end-entity) certificate. */
488 /* when app_verify_callback accepts a session where the peer's certificate
489 * is not ok, we must remember the error for session reuse: */
490 long verify_result
; /* only for servers */
496 const SSL_CIPHER
*cipher
;
497 unsigned long cipher_id
; /* when ASN.1 loaded, this
498 * needs to be used to load
499 * the 'cipher' structure */
501 STACK_OF(SSL_CIPHER
) *ciphers
; /* shared ciphers? */
503 char *tlsext_hostname
;
506 unsigned char *tlsext_tick
; /* Session ticket */
507 size_t tlsext_ticklen
; /* Session ticket length */
508 uint32_t tlsext_tick_lifetime_hint
; /* Session lifetime hint in seconds */
510 CRYPTO_EX_DATA ex_data
; /* application specific data */
512 /* These are used to make removal of session-ids more
513 * efficient and to implement a maximum cache size. */
514 struct ssl_session_st
*prev
, *next
;
516 /* Used to indicate that session resumption is not allowed.
517 * Applications can also set this bit for a new session via
518 * not_resumable_session_cb to disable session caching and tickets. */
521 size_t tlsext_ecpointformatlist_length
;
522 uint8_t *tlsext_ecpointformatlist
; /* peer's list */
523 size_t tlsext_supportedgroups_length
;
524 uint16_t *tlsext_supportedgroups
; /* peer's list */
529 typedef struct ssl_handshake_tls12_st
{
530 /* Used when SSL_ST_FLUSH_DATA is entered. */
533 /* Handshake message type and size. */
535 unsigned long message_size
;
537 /* Reuse current handshake message. */
540 /* Client certificate requests. */
542 STACK_OF(X509_NAME
) *ca_names
;
544 /* Record-layer key block for TLS 1.2 and earlier. */
545 struct tls12_key_block
*key_block
;
547 /* Transcript hash prior to sending certificate verify message. */
548 uint8_t cert_verify
[EVP_MAX_MD_SIZE
];
549 } SSL_HANDSHAKE_TLS12
;
551 typedef struct ssl_handshake_tls13_st
{
555 /* Client indicates psk_dhe_ke support in PskKeyExchangeMode. */
558 /* Certificate selected for use (static pointer). */
559 const SSL_CERT_PKEY
*cpk
;
561 /* Version proposed by peer server. */
562 uint16_t server_version
;
564 uint16_t server_group
;
565 struct tls13_secrets
*secrets
;
570 /* Preserved transcript hash. */
571 uint8_t transcript_hash
[EVP_MAX_MD_SIZE
];
572 size_t transcript_hash_len
;
574 /* Legacy session ID. */
575 uint8_t legacy_session_id
[SSL_MAX_SSL_SESSION_ID_LENGTH
];
576 size_t legacy_session_id_len
;
578 /* ClientHello hash, used to validate following HelloRetryRequest */
579 EVP_MD_CTX
*clienthello_md_ctx
;
580 unsigned char *clienthello_hash
;
581 unsigned int clienthello_hash_len
;
583 /* QUIC read buffer and read/write encryption levels. */
584 struct tls_buffer
*quic_read_buffer
;
585 enum ssl_encryption_level_t quic_read_level
;
586 enum ssl_encryption_level_t quic_write_level
;
587 } SSL_HANDSHAKE_TLS13
;
589 typedef struct ssl_handshake_st
{
591 * Minimum and maximum versions supported for this handshake. These are
592 * initialised at the start of a handshake based on the method in use
593 * and the current protocol version configuration.
595 uint16_t our_min_tls_version
;
596 uint16_t our_max_tls_version
;
599 * Version negotiated for this session. For a client this is set once
600 * the server selected version is parsed from the ServerHello (either
601 * from the legacy version or supported versions extension). For a
602 * server this is set once we select the version we will use with the
605 uint16_t negotiated_tls_version
;
608 * Legacy version advertised by our peer. For a server this is the
609 * version specified by the client in the ClientHello message. For a
610 * client, this is the version provided in the ServerHello message.
612 uint16_t peer_legacy_version
;
615 * Current handshake state - contains one of the SSL3_ST_* values and
616 * is used by the TLSv1.2 state machine, as well as being updated by
617 * the TLSv1.3 stack due to it being exposed externally.
621 /* Cipher being negotiated in this handshake. */
622 const SSL_CIPHER
*cipher
;
624 /* Extensions seen in this handshake. */
625 uint32_t extensions_seen
;
627 /* Signature algorithms selected for use (static pointers). */
628 const struct ssl_sigalg
*our_sigalg
;
629 const struct ssl_sigalg
*peer_sigalg
;
631 /* sigalgs offered in this handshake in wire form */
635 /* Key share for ephemeral key exchange. */
636 struct tls_key_share
*key_share
;
639 * Copies of the verify data sent in our finished message and the
640 * verify data received in the finished message sent by our peer.
642 uint8_t finished
[EVP_MAX_MD_SIZE
];
644 uint8_t peer_finished
[EVP_MAX_MD_SIZE
];
645 size_t peer_finished_len
;
647 /* List of certificates received from our peer. */
648 STACK_OF(X509
) *peer_certs
;
649 STACK_OF(X509
) *peer_certs_no_leaf
;
651 SSL_HANDSHAKE_TLS12 tls12
;
652 SSL_HANDSHAKE_TLS13 tls13
;
655 typedef struct tls_session_ticket_ext_st TLS_SESSION_TICKET_EXT
;
657 /* TLS Session Ticket extension struct. */
658 struct tls_session_ticket_ext_st
{
659 unsigned short length
;
663 struct tls12_key_block
;
665 struct tls12_key_block
*tls12_key_block_new(void);
666 void tls12_key_block_free(struct tls12_key_block
*kb
);
667 void tls12_key_block_client_write(struct tls12_key_block
*kb
, CBS
*mac_key
,
669 void tls12_key_block_server_write(struct tls12_key_block
*kb
, CBS
*mac_key
,
671 int tls12_key_block_generate(struct tls12_key_block
*kb
, SSL
*s
,
672 const EVP_AEAD
*aead
, const EVP_CIPHER
*cipher
, const EVP_MD
*mac_hash
);
674 struct tls12_record_layer
;
676 struct tls12_record_layer
*tls12_record_layer_new(void);
677 void tls12_record_layer_free(struct tls12_record_layer
*rl
);
678 void tls12_record_layer_alert(struct tls12_record_layer
*rl
,
679 uint8_t *alert_desc
);
680 int tls12_record_layer_write_overhead(struct tls12_record_layer
*rl
,
682 int tls12_record_layer_read_protected(struct tls12_record_layer
*rl
);
683 int tls12_record_layer_write_protected(struct tls12_record_layer
*rl
);
684 void tls12_record_layer_set_aead(struct tls12_record_layer
*rl
,
685 const EVP_AEAD
*aead
);
686 void tls12_record_layer_set_cipher_hash(struct tls12_record_layer
*rl
,
687 const EVP_CIPHER
*cipher
, const EVP_MD
*handshake_hash
,
688 const EVP_MD
*mac_hash
);
689 void tls12_record_layer_set_version(struct tls12_record_layer
*rl
,
691 void tls12_record_layer_set_initial_epoch(struct tls12_record_layer
*rl
,
693 uint16_t tls12_record_layer_read_epoch(struct tls12_record_layer
*rl
);
694 uint16_t tls12_record_layer_write_epoch(struct tls12_record_layer
*rl
);
695 int tls12_record_layer_use_write_epoch(struct tls12_record_layer
*rl
,
697 void tls12_record_layer_write_epoch_done(struct tls12_record_layer
*rl
,
699 void tls12_record_layer_clear_read_state(struct tls12_record_layer
*rl
);
700 void tls12_record_layer_clear_write_state(struct tls12_record_layer
*rl
);
701 void tls12_record_layer_reflect_seq_num(struct tls12_record_layer
*rl
);
702 int tls12_record_layer_change_read_cipher_state(struct tls12_record_layer
*rl
,
703 CBS
*mac_key
, CBS
*key
, CBS
*iv
);
704 int tls12_record_layer_change_write_cipher_state(struct tls12_record_layer
*rl
,
705 CBS
*mac_key
, CBS
*key
, CBS
*iv
);
706 int tls12_record_layer_open_record(struct tls12_record_layer
*rl
,
707 uint8_t *buf
, size_t buf_len
, uint8_t **out
, size_t *out_len
);
708 int tls12_record_layer_seal_record(struct tls12_record_layer
*rl
,
709 uint8_t content_type
, const uint8_t *content
, size_t content_len
,
712 typedef void (ssl_info_callback_fn
)(const SSL
*s
, int type
, int val
);
713 typedef void (ssl_msg_callback_fn
)(int is_write
, int version
, int content_type
,
714 const void *buf
, size_t len
, SSL
*ssl
, void *arg
);
716 typedef struct ssl_ctx_internal_st
{
717 uint16_t min_tls_version
;
718 uint16_t max_tls_version
;
721 * These may be zero to imply minimum or maximum version supported by
724 uint16_t min_proto_version
;
725 uint16_t max_proto_version
;
727 unsigned long options
;
730 /* If this callback is not null, it will be called each
731 * time a session id is added to the cache. If this function
732 * returns 1, it means that the callback will do a
733 * SSL_SESSION_free() when it has finished using it. Otherwise,
734 * on 0, it means the callback has finished with it.
735 * If remove_session_cb is not null, it will be called when
736 * a session-id is removed from the cache. After the call,
737 * OpenSSL will SSL_SESSION_free() it. */
738 int (*new_session_cb
)(struct ssl_st
*ssl
, SSL_SESSION
*sess
);
739 void (*remove_session_cb
)(struct ssl_ctx_st
*ctx
, SSL_SESSION
*sess
);
740 SSL_SESSION
*(*get_session_cb
)(struct ssl_st
*ssl
,
741 const unsigned char *data
, int len
, int *copy
);
743 /* if defined, these override the X509_verify_cert() calls */
744 int (*app_verify_callback
)(X509_STORE_CTX
*, void *);
745 void *app_verify_arg
;
747 /* get client cert callback */
748 int (*client_cert_cb
)(SSL
*ssl
, X509
**x509
, EVP_PKEY
**pkey
);
750 /* cookie generate callback */
751 int (*app_gen_cookie_cb
)(SSL
*ssl
, unsigned char *cookie
,
752 unsigned int *cookie_len
);
754 /* verify cookie callback */
755 int (*app_verify_cookie_cb
)(SSL
*ssl
, const unsigned char *cookie
,
756 unsigned int cookie_len
);
758 ssl_info_callback_fn
*info_callback
;
760 /* callback that allows applications to peek at protocol messages */
761 ssl_msg_callback_fn
*msg_callback
;
762 void *msg_callback_arg
;
764 int (*default_verify_callback
)(int ok
,X509_STORE_CTX
*ctx
); /* called 'verify_callback' in the SSL */
766 /* Default generate session ID callback. */
767 GEN_SESSION_CB generate_session_id
;
769 /* TLS extensions servername callback */
770 int (*tlsext_servername_callback
)(SSL
*, int *, void *);
771 void *tlsext_servername_arg
;
773 /* Callback to support customisation of ticket key setting */
774 int (*tlsext_ticket_key_cb
)(SSL
*ssl
, unsigned char *name
,
775 unsigned char *iv
, EVP_CIPHER_CTX
*ectx
, HMAC_CTX
*hctx
, int enc
);
777 /* certificate status request info */
778 /* Callback for status request */
779 int (*tlsext_status_cb
)(SSL
*ssl
, void *arg
);
780 void *tlsext_status_arg
;
782 struct lhash_st_SSL_SESSION
*sessions
;
784 /* Most session-ids that will be cached, default is
785 * SSL_SESSION_CACHE_MAX_SIZE_DEFAULT. 0 is unlimited. */
786 unsigned long session_cache_size
;
787 struct ssl_session_st
*session_cache_head
;
788 struct ssl_session_st
*session_cache_tail
;
790 /* This can have one of 2 values, ored together,
791 * SSL_SESS_CACHE_CLIENT,
792 * SSL_SESS_CACHE_SERVER,
793 * Default is SSL_SESSION_CACHE_SERVER, which means only
794 * SSL_accept which cache SSL_SESSIONS. */
795 int session_cache_mode
;
798 int sess_connect
; /* SSL new conn - started */
799 int sess_connect_renegotiate
;/* SSL reneg - requested */
800 int sess_connect_good
; /* SSL new conne/reneg - finished */
801 int sess_accept
; /* SSL new accept - started */
802 int sess_accept_renegotiate
;/* SSL reneg - requested */
803 int sess_accept_good
; /* SSL accept/reneg - finished */
804 int sess_miss
; /* session lookup misses */
805 int sess_timeout
; /* reuse attempt on timeouted session */
806 int sess_cache_full
; /* session removed due to full cache */
807 int sess_hit
; /* session reuse actually done */
808 int sess_cb_hit
; /* session-id that was not
810 * passed back via the callback. This
811 * indicates that the application is
812 * supplying session-id's from other
813 * processes - spooky :-) */
816 CRYPTO_EX_DATA ex_data
;
818 STACK_OF(SSL_CIPHER
) *cipher_list_tls13
;
822 /* Default values used when no per-SSL value is defined follow */
824 /* what we put in client cert requests */
825 STACK_OF(X509_NAME
) *client_CA
;
833 /* Maximum amount of data to send in one fragment.
834 * actual record size can be more than this due to
835 * padding and MAC overheads.
837 unsigned int max_send_fragment
;
839 #ifndef OPENSSL_NO_ENGINE
840 /* Engine to pass requests for client certs to
842 ENGINE
*client_cert_engine
;
845 /* RFC 4507 session ticket keys */
846 unsigned char tlsext_tick_key_name
[16];
847 unsigned char tlsext_tick_hmac_key
[16];
848 unsigned char tlsext_tick_aes_key
[16];
850 /* SRTP profiles we are willing to do from RFC 5764 */
851 STACK_OF(SRTP_PROTECTION_PROFILE
) *srtp_profiles
;
858 * Server callback function that allows the server to select the
859 * protocol for the connection.
860 * out: on successful return, this must point to the raw protocol
861 * name (without the length prefix).
862 * outlen: on successful return, this contains the length of out.
863 * in: points to the client's list of supported protocols in
865 * inlen: the length of in.
867 int (*alpn_select_cb
)(SSL
*s
, const unsigned char **out
,
868 unsigned char *outlen
, const unsigned char *in
, unsigned int inlen
,
870 void *alpn_select_cb_arg
;
872 /* Client list of supported protocols in wire format. */
873 uint8_t *alpn_client_proto_list
;
874 size_t alpn_client_proto_list_len
;
876 size_t tlsext_ecpointformatlist_length
;
877 uint8_t *tlsext_ecpointformatlist
; /* our list */
878 size_t tlsext_supportedgroups_length
;
879 uint16_t *tlsext_supportedgroups
; /* our list */
880 SSL_CTX_keylog_cb_func keylog_callback
; /* Unused. For OpenSSL compatibility. */
881 size_t num_tickets
; /* Unused, for OpenSSL compatibility */
885 const SSL_METHOD
*method
;
886 const SSL_QUIC_METHOD
*quic_method
;
888 STACK_OF(SSL_CIPHER
) *cipher_list
;
890 struct x509_store_st
/* X509_STORE */ *cert_store
;
892 /* If timeout is not 0, it is the default timeout value set
893 * when SSL_new() is called. This has been put in to make
894 * life easier to set things up */
895 long session_timeout
;
899 /* Default values to use in SSL structures follow (these are copied by SSL_new) */
901 STACK_OF(X509
) *extra_certs
;
904 size_t sid_ctx_length
;
905 unsigned char sid_ctx
[SSL_MAX_SID_CTX_LENGTH
];
907 X509_VERIFY_PARAM
*param
;
911 * default_passwd_cb used by python and openvpn, need to keep it until we
914 /* Default password callback. */
915 pem_password_cb
*default_passwd_callback
;
917 /* Default password callback user data. */
918 void *default_passwd_callback_userdata
;
920 struct ssl_ctx_internal_st
*internal
;
923 typedef struct ssl_internal_st
{
924 struct tls13_ctx
*tls13
;
926 uint16_t min_tls_version
;
927 uint16_t max_tls_version
;
930 * These may be zero to imply minimum or maximum version supported by
933 uint16_t min_proto_version
;
934 uint16_t max_proto_version
;
936 unsigned long options
; /* protocol behaviour */
937 unsigned long mode
; /* API behaviour */
939 /* Client list of supported protocols in wire format. */
940 uint8_t *alpn_client_proto_list
;
941 size_t alpn_client_proto_list_len
;
943 /* QUIC transport params we will send */
944 uint8_t *quic_transport_params
;
945 size_t quic_transport_params_len
;
949 /* true when we are actually in SSL_accept() or SSL_connect() */
951 int (*handshake_func
)(SSL
*);
953 ssl_info_callback_fn
*info_callback
;
955 /* callback that allows applications to peek at protocol messages */
956 ssl_msg_callback_fn
*msg_callback
;
957 void *msg_callback_arg
;
959 int (*verify_callback
)(int ok
,X509_STORE_CTX
*ctx
); /* fail if callback returns 0 */
961 /* Default generate session ID callback. */
962 GEN_SESSION_CB generate_session_id
;
964 /* TLS extension debug callback */
965 void (*tlsext_debug_cb
)(SSL
*s
, int client_server
, int type
,
966 unsigned char *data
, int len
, void *arg
);
967 void *tlsext_debug_arg
;
969 /* TLS Session Ticket extension callback */
970 tls_session_ticket_ext_cb_fn tls_session_ticket_ext_cb
;
971 void *tls_session_ticket_ext_cb_arg
;
973 /* TLS pre-shared secret session resumption */
974 tls_session_secret_cb_fn tls_session_secret_cb
;
975 void *tls_session_secret_cb_arg
;
977 /* XXX non-callback */
979 /* This holds a variable that indicates what we were doing
980 * when a 0 or -1 is returned. This is needed for
981 * non-blocking IO so we know what request needs re-doing when
982 * in SSL_accept or SSL_connect */
985 /* Imagine that here's a boolean member "init" that is
986 * switched as soon as SSL_set_{accept/connect}_state
987 * is called for the first time, so that "state" and
988 * "handshake_func" are properly initialized. But as
989 * handshake_func is == 0 until then, we use this
990 * test instead of an "init" member.
993 int new_session
;/* Generate a new session or reuse an old one.
994 * NB: For servers, the 'new' session may actually be a previously
995 * cached session or even the previous session unless
996 * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION is set */
997 int quiet_shutdown
;/* don't send shutdown packets */
998 int shutdown
; /* we have shut things down, 0x01 sent, 0x02
1000 BUF_MEM
*init_buf
; /* buffer used during init */
1001 void *init_msg
; /* pointer to handshake message body, set by ssl3_get_message() */
1002 int init_num
; /* amount read/written */
1003 int init_off
; /* amount read/written */
1005 /* used internally to point at a raw packet */
1006 unsigned char *packet
;
1007 unsigned int packet_length
;
1009 int read_ahead
; /* Read as many input bytes as possible
1010 * (for non-blocking reads) */
1012 int hit
; /* reusing a previous session */
1014 STACK_OF(SSL_CIPHER
) *cipher_list_tls13
;
1016 struct tls12_record_layer
*rl
;
1020 /* extra application data */
1021 CRYPTO_EX_DATA ex_data
;
1024 /* for server side, keep the list of CA_dn we can use */
1025 STACK_OF(X509_NAME
) *client_CA
;
1027 /* set this flag to 1 and a sleep(1) is put into all SSL_read()
1028 * and SSL_write() calls, good for nbio debuging :-) */
1033 /* Expect OCSP CertificateStatus message */
1034 int tlsext_status_expected
;
1035 /* OCSP status request only */
1036 STACK_OF(OCSP_RESPID
) *tlsext_ocsp_ids
;
1037 X509_EXTENSIONS
*tlsext_ocsp_exts
;
1039 /* OCSP response received or to be sent */
1040 unsigned char *tlsext_ocsp_resp
;
1041 size_t tlsext_ocsp_resp_len
;
1043 /* RFC4507 session ticket expected to be received or sent */
1044 int tlsext_ticket_expected
;
1046 size_t tlsext_ecpointformatlist_length
;
1047 uint8_t *tlsext_ecpointformatlist
; /* our list */
1048 size_t tlsext_supportedgroups_length
;
1049 uint16_t *tlsext_supportedgroups
; /* our list */
1051 /* TLS Session Ticket extension override */
1052 TLS_SESSION_TICKET_EXT
*tlsext_session_ticket
;
1054 STACK_OF(SRTP_PROTECTION_PROFILE
) *srtp_profiles
; /* What we'll do */
1055 const SRTP_PROTECTION_PROFILE
*srtp_profile
; /* What's been chosen */
1057 int renegotiate
;/* 1 if we are renegotiating.
1058 * 2 if we are a server and are inside a handshake
1059 * (i.e. not just sending a HelloRequest) */
1061 int rstate
; /* where we are when reading */
1065 int empty_record_count
;
1067 size_t num_tickets
; /* Unused, for OpenSSL compatibility */
1068 STACK_OF(X509
) *verified_chain
;
1073 * (one of SSL2_VERSION, SSL3_VERSION, TLS1_VERSION, DTLS1_VERSION)
1077 const SSL_METHOD
*method
;
1078 const SSL_QUIC_METHOD
*quic_method
;
1080 /* There are 2 BIO's even though they are normally both the
1081 * same. This is so data can be read and written to different
1084 BIO
*rbio
; /* used by SSL_read */
1085 BIO
*wbio
; /* used by SSL_write */
1086 BIO
*bbio
; /* used during session-id reuse to concatenate
1088 int server
; /* are we the server side? - mostly used by SSL_clear*/
1090 struct ssl3_state_st
*s3
; /* SSLv3 variables */
1091 struct dtls1_state_st
*d1
; /* DTLSv1 variables */
1093 X509_VERIFY_PARAM
*param
;
1096 STACK_OF(SSL_CIPHER
) *cipher_list
;
1098 /* This is used to hold the server certificate used */
1101 /* the session_id_context is used to ensure sessions are only reused
1102 * in the appropriate context */
1103 size_t sid_ctx_length
;
1104 unsigned char sid_ctx
[SSL_MAX_SID_CTX_LENGTH
];
1106 /* This can also be in the session once a session is established */
1107 SSL_SESSION
*session
;
1109 /* Used in SSL2 and SSL3 */
1110 int verify_mode
; /* 0 don't care about verify failure.
1111 * 1 fail if verify fails */
1112 int error
; /* error bytes to be written */
1113 int error_code
; /* actual code */
1121 int client_version
; /* what was passed, used for
1122 * SSLv3/TLS rollback check */
1124 unsigned int max_send_fragment
;
1126 char *tlsext_hostname
;
1128 /* certificate status request info */
1129 /* Status type or -1 if no status type */
1130 int tlsext_status_type
;
1132 SSL_CTX
* initial_ctx
; /* initial ctx, used to store sessions */
1133 #define session_ctx initial_ctx
1135 struct ssl_internal_st
*internal
;
1138 typedef struct ssl3_record_internal_st
{
1139 int type
; /* type of record */
1140 unsigned int length
; /* How many bytes available */
1141 unsigned int padding_length
; /* Number of padding bytes. */
1142 unsigned int off
; /* read/write offset into 'buf' */
1143 unsigned char *data
; /* pointer to the record data */
1144 unsigned char *input
; /* where the decode bytes are */
1145 uint16_t epoch
; /* epoch number, needed by DTLS1 */
1146 unsigned char seq_num
[8]; /* sequence number, needed by DTLS1 */
1147 } SSL3_RECORD_INTERNAL
;
1149 typedef struct ssl3_buffer_internal_st
{
1150 unsigned char *buf
; /* at least SSL3_RT_MAX_PACKET_SIZE bytes,
1151 * see ssl3_setup_buffers() */
1152 size_t len
; /* buffer size */
1153 int offset
; /* where to 'copy from' */
1154 int left
; /* how many bytes left */
1155 } SSL3_BUFFER_INTERNAL
;
1157 typedef struct ssl3_state_st
{
1160 unsigned char server_random
[SSL3_RANDOM_SIZE
];
1161 unsigned char client_random
[SSL3_RANDOM_SIZE
];
1163 SSL3_BUFFER_INTERNAL rbuf
; /* read IO goes into here */
1164 SSL3_BUFFER_INTERNAL wbuf
; /* write IO goes into here */
1166 /* we allow one fatal and one warning alert to be outstanding,
1167 * send close alert via the warning alert */
1169 unsigned char send_alert
[2];
1171 /* flags for countermeasure against known-IV weakness */
1172 int need_empty_fragments
;
1173 int empty_fragment_done
;
1175 SSL3_RECORD_INTERNAL rrec
; /* each decoded record goes in here */
1177 /* storage for Alert/Handshake protocol data received but not
1178 * yet processed by ssl3_read_bytes: */
1179 unsigned char alert_fragment
[2];
1180 unsigned int alert_fragment_len
;
1181 unsigned char handshake_fragment
[4];
1182 unsigned int handshake_fragment_len
;
1184 /* partial write - check the numbers match */
1185 unsigned int wnum
; /* number of bytes sent so far */
1186 int wpend_tot
; /* number bytes written */
1188 int wpend_ret
; /* number of bytes submitted */
1189 const unsigned char *wpend_buf
;
1191 /* Transcript of handshake messages that have been sent and received. */
1192 struct tls_buffer
*handshake_transcript
;
1194 /* Rolling hash of handshake messages. */
1195 EVP_MD_CTX
*handshake_hash
;
1197 /* this is set whenerver we see a change_cipher_spec message
1198 * come in when we are not looking for one */
1199 int change_cipher_spec
;
1204 /* This flag is set when we should renegotiate ASAP, basically when
1205 * there is no more data in the read or write buffers */
1207 int total_renegotiations
;
1208 int num_renegotiations
;
1210 int in_read_app_data
;
1214 /* Connection binding to prevent renegotiation attacks */
1215 unsigned char previous_client_finished
[EVP_MAX_MD_SIZE
];
1216 unsigned char previous_client_finished_len
;
1217 unsigned char previous_server_finished
[EVP_MAX_MD_SIZE
];
1218 unsigned char previous_server_finished_len
;
1219 int send_connection_binding
; /* TODOEKR */
1221 /* Set if we saw a Renegotiation Indication extension from our peer. */
1222 int renegotiate_seen
;
1227 * In a server these point to the selected ALPN protocol after the
1228 * ClientHello has been processed. In a client these contain the
1229 * protocol that the server selected once the ServerHello has been
1232 uint8_t *alpn_selected
;
1233 size_t alpn_selected_len
;
1235 /* Contains the QUIC transport params received from our peer. */
1236 uint8_t *peer_quic_transport_params
;
1237 size_t peer_quic_transport_params_len
;
1241 * Flag values for enc_flags.
1244 /* Uses signature algorithms extension. */
1245 #define SSL_ENC_FLAG_SIGALGS (1 << 1)
1247 /* Uses SHA256 default PRF. */
1248 #define SSL_ENC_FLAG_SHA256_PRF (1 << 2)
1250 /* Allow TLS 1.2 ciphersuites: applies to DTLS 1.2 as well as TLS 1.2. */
1251 #define SSL_ENC_FLAG_TLS1_2_CIPHERS (1 << 4)
1253 /* Allow TLS 1.3 ciphersuites only. */
1254 #define SSL_ENC_FLAG_TLS1_3_CIPHERS (1 << 5)
1256 #define TLSV1_ENC_FLAGS 0
1257 #define TLSV1_1_ENC_FLAGS 0
1258 #define TLSV1_2_ENC_FLAGS (SSL_ENC_FLAG_SIGALGS | \
1259 SSL_ENC_FLAG_SHA256_PRF | \
1260 SSL_ENC_FLAG_TLS1_2_CIPHERS)
1261 #define TLSV1_3_ENC_FLAGS (SSL_ENC_FLAG_SIGALGS | \
1262 SSL_ENC_FLAG_TLS1_3_CIPHERS)
1264 extern const SSL_CIPHER ssl3_ciphers
[];
1266 const char *ssl_version_string(int ver
);
1267 int ssl_version_set_min(const SSL_METHOD
*meth
, uint16_t proto_ver
,
1268 uint16_t max_tls_ver
, uint16_t *out_tls_ver
, uint16_t *out_proto_ver
);
1269 int ssl_version_set_max(const SSL_METHOD
*meth
, uint16_t proto_ver
,
1270 uint16_t min_tls_ver
, uint16_t *out_tls_ver
, uint16_t *out_proto_ver
);
1271 int ssl_enabled_tls_version_range(SSL
*s
, uint16_t *min_ver
, uint16_t *max_ver
);
1272 int ssl_supported_tls_version_range(SSL
*s
, uint16_t *min_ver
, uint16_t *max_ver
);
1273 uint16_t ssl_tls_version(uint16_t version
);
1274 uint16_t ssl_effective_tls_version(SSL
*s
);
1275 int ssl_max_supported_version(SSL
*s
, uint16_t *max_ver
);
1276 int ssl_max_legacy_version(SSL
*s
, uint16_t *max_ver
);
1277 int ssl_max_shared_version(SSL
*s
, uint16_t peer_ver
, uint16_t *max_ver
);
1278 int ssl_check_version_from_server(SSL
*s
, uint16_t server_version
);
1279 int ssl_legacy_stack_version(SSL
*s
, uint16_t version
);
1280 int ssl_cipher_in_list(STACK_OF(SSL_CIPHER
) *ciphers
, const SSL_CIPHER
*cipher
);
1281 int ssl_cipher_allowed_in_tls_version_range(const SSL_CIPHER
*cipher
,
1282 uint16_t min_ver
, uint16_t max_ver
);
1284 const SSL_METHOD
*tls_legacy_method(void);
1285 const SSL_METHOD
*ssl_get_method(uint16_t version
);
1287 void ssl_clear_cipher_state(SSL
*s
);
1288 int ssl_clear_bad_session(SSL
*s
);
1290 void ssl_info_callback(const SSL
*s
, int type
, int value
);
1291 void ssl_msg_callback(SSL
*s
, int is_write
, int content_type
,
1292 const void *msg_buf
, size_t msg_len
);
1293 void ssl_msg_callback_cbs(SSL
*s
, int is_write
, int content_type
, CBS
*cbs
);
1295 SSL_CERT
*ssl_cert_new(void);
1296 SSL_CERT
*ssl_cert_dup(SSL_CERT
*cert
);
1297 void ssl_cert_free(SSL_CERT
*c
);
1298 SSL_CERT
*ssl_get0_cert(SSL_CTX
*ctx
, SSL
*ssl
);
1299 int ssl_cert_set0_chain(SSL_CTX
*ctx
, SSL
*ssl
, STACK_OF(X509
) *chain
);
1300 int ssl_cert_set1_chain(SSL_CTX
*ctx
, SSL
*ssl
, STACK_OF(X509
) *chain
);
1301 int ssl_cert_add0_chain_cert(SSL_CTX
*ctx
, SSL
*ssl
, X509
*cert
);
1302 int ssl_cert_add1_chain_cert(SSL_CTX
*ctx
, SSL
*ssl
, X509
*cert
);
1304 int ssl_security_default_cb(const SSL
*ssl
, const SSL_CTX
*ctx
, int op
,
1305 int bits
, int nid
, void *other
, void *ex_data
);
1307 int ssl_security_cipher_check(const SSL
*ssl
, SSL_CIPHER
*cipher
);
1308 int ssl_security_shared_cipher(const SSL
*ssl
, SSL_CIPHER
*cipher
);
1309 int ssl_security_supported_cipher(const SSL
*ssl
, SSL_CIPHER
*cipher
);
1310 int ssl_ctx_security_dh(const SSL_CTX
*ctx
, DH
*dh
);
1311 int ssl_security_dh(const SSL
*ssl
, DH
*dh
);
1312 int ssl_security_sigalg_check(const SSL
*ssl
, const EVP_PKEY
*pkey
);
1313 int ssl_security_tickets(const SSL
*ssl
);
1314 int ssl_security_version(const SSL
*ssl
, int version
);
1315 int ssl_security_cert(const SSL_CTX
*ctx
, const SSL
*ssl
, X509
*x509
,
1316 int is_peer
, int *out_error
);
1317 int ssl_security_cert_chain(const SSL
*ssl
, STACK_OF(X509
) *sk
,
1318 X509
*x509
, int *out_error
);
1319 int ssl_security_shared_group(const SSL
*ssl
, uint16_t group_id
);
1320 int ssl_security_supported_group(const SSL
*ssl
, uint16_t group_id
);
1322 int ssl_get_new_session(SSL
*s
, int session
);
1323 int ssl_get_prev_session(SSL
*s
, CBS
*session_id
, CBS
*ext_block
,
1325 int ssl_cipher_id_cmp(const SSL_CIPHER
*a
, const SSL_CIPHER
*b
);
1326 SSL_CIPHER
*OBJ_bsearch_ssl_cipher_id(SSL_CIPHER
*key
, SSL_CIPHER
const *base
,
1328 int ssl_cipher_list_to_bytes(SSL
*s
, STACK_OF(SSL_CIPHER
) *ciphers
, CBB
*cbb
);
1329 STACK_OF(SSL_CIPHER
) *ssl_bytes_to_cipher_list(SSL
*s
, CBS
*cbs
);
1330 STACK_OF(SSL_CIPHER
) *ssl_create_cipher_list(const SSL_METHOD
*meth
,
1331 STACK_OF(SSL_CIPHER
) **pref
, STACK_OF(SSL_CIPHER
) *tls13
,
1332 const char *rule_str
, SSL_CERT
*cert
);
1333 int ssl_parse_ciphersuites(STACK_OF(SSL_CIPHER
) **out_ciphers
, const char *str
);
1334 int ssl_merge_cipherlists(STACK_OF(SSL_CIPHER
) *cipherlist
,
1335 STACK_OF(SSL_CIPHER
) *cipherlist_tls13
,
1336 STACK_OF(SSL_CIPHER
) **out_cipherlist
);
1337 void ssl_update_cache(SSL
*s
, int mode
);
1338 int ssl_cipher_get_evp(const SSL_SESSION
*s
, const EVP_CIPHER
**enc
,
1339 const EVP_MD
**md
, int *mac_pkey_type
, int *mac_secret_size
);
1340 int ssl_cipher_get_evp_aead(const SSL_SESSION
*s
, const EVP_AEAD
**aead
);
1341 int ssl_get_handshake_evp_md(SSL
*s
, const EVP_MD
**md
);
1343 int ssl_verify_cert_chain(SSL
*s
, STACK_OF(X509
) *sk
);
1344 int ssl_undefined_function(SSL
*s
);
1345 int ssl_undefined_void_function(void);
1346 int ssl_undefined_const_function(const SSL
*s
);
1347 SSL_CERT_PKEY
*ssl_get_server_send_pkey(const SSL
*s
);
1348 EVP_PKEY
*ssl_get_sign_pkey(SSL
*s
, const SSL_CIPHER
*c
, const EVP_MD
**pmd
,
1349 const struct ssl_sigalg
**sap
);
1350 size_t ssl_dhe_params_auto_key_bits(SSL
*s
);
1351 int ssl_cert_type(EVP_PKEY
*pkey
);
1352 void ssl_set_cert_masks(SSL_CERT
*c
, const SSL_CIPHER
*cipher
);
1353 STACK_OF(SSL_CIPHER
) *ssl_get_ciphers_by_id(SSL
*s
);
1354 int ssl_has_ecc_ciphers(SSL
*s
);
1355 int ssl_verify_alarm_type(long type
);
1357 int SSL_SESSION_ticket(SSL_SESSION
*ss
, unsigned char **out
, size_t *out_len
);
1359 const SSL_CIPHER
*ssl3_get_cipher_by_char(const unsigned char *p
);
1360 int ssl3_send_server_certificate(SSL
*s
);
1361 int ssl3_send_newsession_ticket(SSL
*s
);
1362 int ssl3_send_cert_status(SSL
*s
);
1363 int ssl3_get_finished(SSL
*s
, int state_a
, int state_b
);
1364 int ssl3_send_change_cipher_spec(SSL
*s
, int state_a
, int state_b
);
1365 int ssl3_do_write(SSL
*s
, int type
);
1366 int ssl3_send_alert(SSL
*s
, int level
, int desc
);
1367 int ssl3_get_req_cert_types(SSL
*s
, CBB
*cbb
);
1368 int ssl3_get_message(SSL
*s
, int st1
, int stn
, int mt
, long max
);
1369 int ssl3_send_finished(SSL
*s
, int state_a
, int state_b
);
1370 int ssl3_num_ciphers(void);
1371 const SSL_CIPHER
*ssl3_get_cipher(unsigned int u
);
1372 const SSL_CIPHER
*ssl3_get_cipher_by_id(unsigned int id
);
1373 const SSL_CIPHER
*ssl3_get_cipher_by_value(uint16_t value
);
1374 uint16_t ssl3_cipher_get_value(const SSL_CIPHER
*c
);
1375 int ssl3_renegotiate(SSL
*ssl
);
1377 int ssl3_renegotiate_check(SSL
*ssl
);
1379 void ssl_force_want_read(SSL
*s
);
1381 int ssl3_dispatch_alert(SSL
*s
);
1382 int ssl3_read_alert(SSL
*s
);
1383 int ssl3_read_change_cipher_spec(SSL
*s
);
1384 int ssl3_read_bytes(SSL
*s
, int type
, unsigned char *buf
, int len
, int peek
);
1385 int ssl3_write_bytes(SSL
*s
, int type
, const void *buf
, int len
);
1386 int ssl3_output_cert_chain(SSL
*s
, CBB
*cbb
, SSL_CERT_PKEY
*cpk
);
1387 SSL_CIPHER
*ssl3_choose_cipher(SSL
*ssl
, STACK_OF(SSL_CIPHER
) *clnt
,
1388 STACK_OF(SSL_CIPHER
) *srvr
);
1389 int ssl3_setup_buffers(SSL
*s
);
1390 int ssl3_setup_init_buffer(SSL
*s
);
1391 void ssl3_release_init_buffer(SSL
*s
);
1392 int ssl3_setup_read_buffer(SSL
*s
);
1393 int ssl3_setup_write_buffer(SSL
*s
);
1394 void ssl3_release_buffer(SSL3_BUFFER_INTERNAL
*b
);
1395 void ssl3_release_read_buffer(SSL
*s
);
1396 void ssl3_release_write_buffer(SSL
*s
);
1397 int ssl3_new(SSL
*s
);
1398 void ssl3_free(SSL
*s
);
1399 int ssl3_accept(SSL
*s
);
1400 int ssl3_connect(SSL
*s
);
1401 int ssl3_read(SSL
*s
, void *buf
, int len
);
1402 int ssl3_peek(SSL
*s
, void *buf
, int len
);
1403 int ssl3_write(SSL
*s
, const void *buf
, int len
);
1404 int ssl3_shutdown(SSL
*s
);
1405 void ssl3_clear(SSL
*s
);
1406 long ssl3_ctrl(SSL
*s
, int cmd
, long larg
, void *parg
);
1407 long ssl3_ctx_ctrl(SSL_CTX
*s
, int cmd
, long larg
, void *parg
);
1408 long ssl3_callback_ctrl(SSL
*s
, int cmd
, void (*fp
)(void));
1409 long ssl3_ctx_callback_ctrl(SSL_CTX
*s
, int cmd
, void (*fp
)(void));
1410 int ssl3_pending(const SSL
*s
);
1412 int ssl3_handshake_msg_hdr_len(SSL
*s
);
1413 int ssl3_handshake_msg_start(SSL
*s
, CBB
*handshake
, CBB
*body
,
1415 int ssl3_handshake_msg_finish(SSL
*s
, CBB
*handshake
);
1416 int ssl3_handshake_write(SSL
*s
);
1417 int ssl3_record_write(SSL
*s
, int type
);
1419 int ssl3_do_change_cipher_spec(SSL
*ssl
);
1421 int ssl3_packet_read(SSL
*s
, int plen
);
1422 int ssl3_packet_extend(SSL
*s
, int plen
);
1423 int ssl_server_legacy_first_packet(SSL
*s
);
1424 int ssl3_write_pending(SSL
*s
, int type
, const unsigned char *buf
,
1427 /* some client-only functions */
1428 int ssl3_send_client_hello(SSL
*s
);
1429 int ssl3_get_dtls_hello_verify(SSL
*s
);
1430 int ssl3_get_server_hello(SSL
*s
);
1431 int ssl3_get_certificate_request(SSL
*s
);
1432 int ssl3_get_new_session_ticket(SSL
*s
);
1433 int ssl3_get_cert_status(SSL
*s
);
1434 int ssl3_get_server_done(SSL
*s
);
1435 int ssl3_send_client_verify(SSL
*s
);
1436 int ssl3_send_client_certificate(SSL
*s
);
1437 int ssl_do_client_cert_cb(SSL
*s
, X509
**px509
, EVP_PKEY
**ppkey
);
1438 int ssl3_send_client_key_exchange(SSL
*s
);
1439 int ssl3_get_server_key_exchange(SSL
*s
);
1440 int ssl3_get_server_certificate(SSL
*s
);
1441 int ssl3_check_cert_and_algorithm(SSL
*s
);
1442 int ssl3_check_finished(SSL
*s
);
1444 /* some server-only functions */
1445 int ssl3_get_client_hello(SSL
*s
);
1446 int ssl3_send_dtls_hello_verify_request(SSL
*s
);
1447 int ssl3_send_server_hello(SSL
*s
);
1448 int ssl3_send_hello_request(SSL
*s
);
1449 int ssl3_send_server_key_exchange(SSL
*s
);
1450 int ssl3_send_certificate_request(SSL
*s
);
1451 int ssl3_send_server_done(SSL
*s
);
1452 int ssl3_get_client_certificate(SSL
*s
);
1453 int ssl3_get_client_key_exchange(SSL
*s
);
1454 int ssl3_get_cert_verify(SSL
*s
);
1456 int ssl_kex_generate_dhe(DH
*dh
, DH
*dh_params
);
1457 int ssl_kex_generate_dhe_params_auto(DH
*dh
, size_t key_len
);
1458 int ssl_kex_params_dhe(DH
*dh
, CBB
*cbb
);
1459 int ssl_kex_public_dhe(DH
*dh
, CBB
*cbb
);
1460 int ssl_kex_peer_params_dhe(DH
*dh
, CBS
*cbs
, int *decode_error
,
1461 int *invalid_params
);
1462 int ssl_kex_peer_public_dhe(DH
*dh
, CBS
*cbs
, int *decode_error
,
1464 int ssl_kex_derive_dhe(DH
*dh
, DH
*dh_peer
,
1465 uint8_t **shared_key
, size_t *shared_key_len
);
1467 int ssl_kex_dummy_ecdhe_x25519(EVP_PKEY
*pkey
);
1468 int ssl_kex_generate_ecdhe_ecp(EC_KEY
*ecdh
, int nid
);
1469 int ssl_kex_public_ecdhe_ecp(EC_KEY
*ecdh
, CBB
*cbb
);
1470 int ssl_kex_peer_public_ecdhe_ecp(EC_KEY
*ecdh
, int nid
, CBS
*cbs
);
1471 int ssl_kex_derive_ecdhe_ecp(EC_KEY
*ecdh
, EC_KEY
*ecdh_peer
,
1472 uint8_t **shared_key
, size_t *shared_key_len
);
1474 int tls1_new(SSL
*s
);
1475 void tls1_free(SSL
*s
);
1476 void tls1_clear(SSL
*s
);
1478 int ssl_init_wbio_buffer(SSL
*s
, int push
);
1479 void ssl_free_wbio_buffer(SSL
*s
);
1481 int tls1_transcript_hash_init(SSL
*s
);
1482 int tls1_transcript_hash_update(SSL
*s
, const unsigned char *buf
, size_t len
);
1483 int tls1_transcript_hash_value(SSL
*s
, unsigned char *out
, size_t len
,
1485 void tls1_transcript_hash_free(SSL
*s
);
1487 int tls1_transcript_init(SSL
*s
);
1488 void tls1_transcript_free(SSL
*s
);
1489 void tls1_transcript_reset(SSL
*s
);
1490 int tls1_transcript_append(SSL
*s
, const unsigned char *buf
, size_t len
);
1491 int tls1_transcript_data(SSL
*s
, const unsigned char **data
, size_t *len
);
1492 void tls1_transcript_freeze(SSL
*s
);
1493 void tls1_transcript_unfreeze(SSL
*s
);
1494 int tls1_transcript_record(SSL
*s
, const unsigned char *buf
, size_t len
);
1496 int tls1_PRF(SSL
*s
, const unsigned char *secret
, size_t secret_len
,
1497 const void *seed1
, size_t seed1_len
, const void *seed2
, size_t seed2_len
,
1498 const void *seed3
, size_t seed3_len
, const void *seed4
, size_t seed4_len
,
1499 const void *seed5
, size_t seed5_len
, unsigned char *out
, size_t out_len
);
1501 void tls1_cleanup_key_block(SSL
*s
);
1502 int tls1_change_read_cipher_state(SSL
*s
);
1503 int tls1_change_write_cipher_state(SSL
*s
);
1504 int tls1_setup_key_block(SSL
*s
);
1505 int tls1_generate_key_block(SSL
*s
, uint8_t *key_block
, size_t key_block_len
);
1506 int tls1_export_keying_material(SSL
*s
, unsigned char *out
, size_t olen
,
1507 const char *label
, size_t llen
, const unsigned char *p
, size_t plen
,
1511 int tls12_derive_finished(SSL
*s
);
1512 int tls12_derive_peer_finished(SSL
*s
);
1513 int tls12_derive_master_secret(SSL
*s
, uint8_t *premaster_secret
,
1514 size_t premaster_secret_len
);
1516 int ssl_using_ecc_cipher(SSL
*s
);
1517 int ssl_check_srvr_ecc_cert_and_alg(SSL
*s
, X509
*x
);
1519 void tls1_get_formatlist(const SSL
*s
, int client_formats
,
1520 const uint8_t **pformats
, size_t *pformatslen
);
1521 void tls1_get_group_list(const SSL
*s
, int client_groups
,
1522 const uint16_t **pgroups
, size_t *pgroupslen
);
1524 int tls1_set_groups(uint16_t **out_group_ids
, size_t *out_group_ids_len
,
1525 const int *groups
, size_t ngroups
);
1526 int tls1_set_group_list(uint16_t **out_group_ids
, size_t *out_group_ids_len
,
1527 const char *groups
);
1529 int tls1_ec_group_id2nid(uint16_t group_id
, int *out_nid
);
1530 int tls1_ec_group_id2bits(uint16_t group_id
, int *out_bits
);
1531 int tls1_ec_nid2group_id(int nid
, uint16_t *out_group_id
);
1532 int tls1_check_group(SSL
*s
, uint16_t group_id
);
1533 int tls1_count_shared_groups(const SSL
*ssl
, size_t *out_count
);
1534 int tls1_get_shared_group_by_index(const SSL
*ssl
, size_t index
, int *out_nid
);
1535 int tls1_get_supported_group(const SSL
*s
, int *out_nid
);
1537 int ssl_check_clienthello_tlsext_early(SSL
*s
);
1538 int ssl_check_clienthello_tlsext_late(SSL
*s
);
1539 int ssl_check_serverhello_tlsext(SSL
*s
);
1541 #define TLS1_TICKET_FATAL_ERROR -1
1542 #define TLS1_TICKET_NONE 0
1543 #define TLS1_TICKET_EMPTY 1
1544 #define TLS1_TICKET_NOT_DECRYPTED 2
1545 #define TLS1_TICKET_DECRYPTED 3
1547 int tls1_process_ticket(SSL
*s
, CBS
*ext_block
, int *alert
, SSL_SESSION
**ret
);
1549 int tls1_check_ec_server_key(SSL
*s
);
1552 void ssl3_cbc_copy_mac(unsigned char *out
, const SSL3_RECORD_INTERNAL
*rec
,
1553 unsigned int md_size
, unsigned int orig_len
);
1554 int ssl3_cbc_remove_padding(SSL3_RECORD_INTERNAL
*rec
, unsigned int eiv_len
,
1555 unsigned int mac_size
);
1556 char ssl3_cbc_record_digest_supported(const EVP_MD_CTX
*ctx
);
1557 int ssl3_cbc_digest_record(const EVP_MD_CTX
*ctx
, unsigned char *md_out
,
1558 size_t *md_out_size
, const unsigned char header
[13],
1559 const unsigned char *data
, size_t data_plus_mac_size
,
1560 size_t data_plus_mac_plus_padding_size
, const unsigned char *mac_secret
,
1561 unsigned int mac_secret_length
);
1562 int SSL_state_func_code(int _state
);
1564 #define SSLerror(s, r) SSL_error_internal(s, r, __FILE__, __LINE__)
1565 #define SSLerrorx(r) ERR_PUT_error(ERR_LIB_SSL,(0xfff),(r),__FILE__,__LINE__)
1566 void SSL_error_internal(const SSL
*s
, int r
, char *f
, int l
);
1568 #ifndef OPENSSL_NO_SRTP
1570 int srtp_find_profile_by_name(const char *profile_name
,
1571 const SRTP_PROTECTION_PROFILE
**pptr
, unsigned int len
);
1572 int srtp_find_profile_by_num(unsigned int profile_num
,
1573 const SRTP_PROTECTION_PROFILE
**pptr
);
1575 #endif /* OPENSSL_NO_SRTP */
1577 int tls_process_peer_certs(SSL
*s
, STACK_OF(X509
) *peer_certs
);