/src/boringssl/ssl/tls_method.cc

Source (jump to first uncovered line)
// Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     https://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

#include <openssl/ssl.h>

#include <assert.h>
#include <string.h>

#include <openssl/err.h>

#include "../crypto/internal.h"
#include "internal.h"


BSSL_NAMESPACE_BEGIN

static void tls_on_handshake_complete(SSL *ssl) {
  // The handshake should have released its final message.
  assert(!ssl->s3->has_message);

  // During the handshake, |hs_buf| is retained. Release if it there is no
  // excess in it. There should not be any excess because the handshake logic
  // rejects unprocessed data after each Finished message. Note this means we do
  // not allow a TLS 1.2 HelloRequest to be packed into the same record as
  // Finished. (Schannel also rejects this.)
  assert(!ssl->s3->hs_buf || ssl->s3->hs_buf->length == 0);
  if (ssl->s3->hs_buf && ssl->s3->hs_buf->length == 0) {
    ssl->s3->hs_buf.reset();
  }
}

static bool tls_set_read_state(SSL *ssl, ssl_encryption_level_t level,
                               UniquePtr<SSLAEADContext> aead_ctx,
                               Span<const uint8_t> traffic_secret) {
  // Cipher changes are forbidden if the current epoch has leftover data.
  if (tls_has_unprocessed_handshake_data(ssl)) {
    OPENSSL_PUT_ERROR(SSL, SSL_R_EXCESS_HANDSHAKE_DATA);
    ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
    return false;
  }

  if (SSL_is_quic(ssl)) {
    if ((ssl->s3->hs == nullptr || !ssl->s3->hs->hints_requested) &&
        !ssl->quic_method->set_read_secret(ssl, level, aead_ctx->cipher(),
                                           traffic_secret.data(),
                                           traffic_secret.size())) {
      return false;
    }

    // QUIC only uses |ssl| for handshake messages, which never use early data
    // keys, so we return without installing anything. This avoids needing to
    // have two secrets active at once in 0-RTT.
    if (level == ssl_encryption_early_data) {
      return true;
    }
    ssl->s3->quic_read_level = level;
  }

  ssl->s3->read_sequence = 0;
  ssl->s3->aead_read_ctx = std::move(aead_ctx);
  return true;
}

static bool tls_set_write_state(SSL *ssl, ssl_encryption_level_t level,
                                UniquePtr<SSLAEADContext> aead_ctx,
                                Span<const uint8_t> traffic_secret) {
  if (!tls_flush_pending_hs_data(ssl)) {
    return false;
  }

  if (SSL_is_quic(ssl)) {
    if ((ssl->s3->hs == nullptr || !ssl->s3->hs->hints_requested) &&
        !ssl->quic_method->set_write_secret(ssl, level, aead_ctx->cipher(),
                                            traffic_secret.data(),
                                            traffic_secret.size())) {
      return false;
    }

    // QUIC only uses |ssl| for handshake messages, which never use early data
    // keys, so we return without installing anything. This avoids needing to
    // have two secrets active at once in 0-RTT.
    if (level == ssl_encryption_early_data) {
      return true;
    }
    ssl->s3->quic_write_level = level;
  }

  ssl->s3->write_sequence = 0;
  ssl->s3->aead_write_ctx = std::move(aead_ctx);
  return true;
}

static void tls_finish_flight(SSL *ssl) {
  // We don't track whether a flight is complete in TLS and instead always flush
  // every queued message in |tls_flush|, whether the flight is complete or not.
}

static void tls_schedule_ack(SSL *ssl) {
  // TLS does not use ACKs.
}

static const SSL_PROTOCOL_METHOD kTLSProtocolMethod = {
    false /* is_dtls */,
    tls_new,
    tls_free,
    tls_get_message,
    tls_next_message,
    tls_has_unprocessed_handshake_data,
    tls_open_handshake,
    tls_open_change_cipher_spec,
    tls_open_app_data,
    tls_write_app_data,
    tls_dispatch_alert,
    tls_init_message,
    tls_finish_message,
    tls_add_message,
    tls_add_change_cipher_spec,
    tls_finish_flight,
    tls_schedule_ack,
    tls_flush,
    tls_on_handshake_complete,
    tls_set_read_state,
    tls_set_write_state,
};

static bool ssl_noop_x509_check_client_CA_names(
    STACK_OF(CRYPTO_BUFFER) *names) {
  return true;
}

static void ssl_noop_x509_clear(CERT *cert) {}
static void ssl_noop_x509_free(CERT *cert) {}
static void ssl_noop_x509_dup(CERT *new_cert, const CERT *cert) {}
static void ssl_noop_x509_flush_cached_leaf(CERT *cert) {}
static void ssl_noop_x509_flush_cached_chain(CERT *cert) {}
static bool ssl_noop_x509_session_cache_objects(SSL_SESSION *sess) {
  return true;
}
static bool ssl_noop_x509_session_dup(SSL_SESSION *new_session,
                                      const SSL_SESSION *session) {
  return true;
}
static void ssl_noop_x509_session_clear(SSL_SESSION *session) {}
static bool ssl_noop_x509_session_verify_cert_chain(SSL_SESSION *session,
                                                    SSL_HANDSHAKE *hs,
                                                    uint8_t *out_alert) {
  return false;
}

static void ssl_noop_x509_hs_flush_cached_ca_names(SSL_HANDSHAKE *hs) {}
static bool ssl_noop_x509_ssl_new(SSL_HANDSHAKE *hs) { return true; }
static void ssl_noop_x509_ssl_config_free(SSL_CONFIG *cfg) {}
static void ssl_noop_x509_ssl_flush_cached_client_CA(SSL_CONFIG *cfg) {}
static bool ssl_noop_x509_ssl_auto_chain_if_needed(SSL_HANDSHAKE *hs) {
  return true;
}
static bool ssl_noop_x509_ssl_ctx_new(SSL_CTX *ctx) { return true; }
static void ssl_noop_x509_ssl_ctx_free(SSL_CTX *ctx) {}
static void ssl_noop_x509_ssl_ctx_flush_cached_client_CA(SSL_CTX *ctx) {}

const SSL_X509_METHOD ssl_noop_x509_method = {
    ssl_noop_x509_check_client_CA_names,
    ssl_noop_x509_clear,
    ssl_noop_x509_free,
    ssl_noop_x509_dup,
    ssl_noop_x509_flush_cached_chain,
    ssl_noop_x509_flush_cached_leaf,
    ssl_noop_x509_session_cache_objects,
    ssl_noop_x509_session_dup,
    ssl_noop_x509_session_clear,
    ssl_noop_x509_session_verify_cert_chain,
    ssl_noop_x509_hs_flush_cached_ca_names,
    ssl_noop_x509_ssl_new,
    ssl_noop_x509_ssl_config_free,
    ssl_noop_x509_ssl_flush_cached_client_CA,
    ssl_noop_x509_ssl_auto_chain_if_needed,
    ssl_noop_x509_ssl_ctx_new,
    ssl_noop_x509_ssl_ctx_free,
    ssl_noop_x509_ssl_ctx_flush_cached_client_CA,
};

BSSL_NAMESPACE_END

using namespace bssl;

const SSL_METHOD *TLS_method(void) {
  static const SSL_METHOD kMethod = {
      0,
      &kTLSProtocolMethod,
      &ssl_crypto_x509_method,
  };
  return &kMethod;
}

const SSL_METHOD *SSLv23_method(void) { return TLS_method(); }

const SSL_METHOD *TLS_with_buffers_method(void) {
  static const SSL_METHOD kMethod = {
      0,
      &kTLSProtocolMethod,
      &ssl_noop_x509_method,
  };
  return &kMethod;
}

// Legacy version-locked methods.

const SSL_METHOD *TLSv1_2_method(void) {
  static const SSL_METHOD kMethod = {
      TLS1_2_VERSION,
      &kTLSProtocolMethod,
      &ssl_crypto_x509_method,
  };
  return &kMethod;
}

const SSL_METHOD *TLSv1_1_method(void) {
  static const SSL_METHOD kMethod = {
      TLS1_1_VERSION,
      &kTLSProtocolMethod,
      &ssl_crypto_x509_method,
  };
  return &kMethod;
}

const SSL_METHOD *TLSv1_method(void) {
  static const SSL_METHOD kMethod = {
      TLS1_VERSION,
      &kTLSProtocolMethod,
      &ssl_crypto_x509_method,
  };
  return &kMethod;
}

// Legacy side-specific methods.

const SSL_METHOD *TLSv1_2_server_method(void) { return TLSv1_2_method(); }

const SSL_METHOD *TLSv1_1_server_method(void) { return TLSv1_1_method(); }

const SSL_METHOD *TLSv1_server_method(void) { return TLSv1_method(); }

const SSL_METHOD *TLSv1_2_client_method(void) { return TLSv1_2_method(); }

const SSL_METHOD *TLSv1_1_client_method(void) { return TLSv1_1_method(); }

const SSL_METHOD *TLSv1_client_method(void) { return TLSv1_method(); }

const SSL_METHOD *SSLv23_server_method(void) { return SSLv23_method(); }

const SSL_METHOD *SSLv23_client_method(void) { return SSLv23_method(); }

const SSL_METHOD *TLS_server_method(void) { return TLS_method(); }

const SSL_METHOD *TLS_client_method(void) { return TLS_method(); }

Coverage Report

Created: 2025-06-11 06:40

Line	Count	Source (jump to first uncovered line)
1		// Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
2		//
3		// Licensed under the Apache License, Version 2.0 (the "License");
4		// you may not use this file except in compliance with the License.
5		// You may obtain a copy of the License at
6		//
7		// https://www.apache.org/licenses/LICENSE-2.0
8		//
9		// Unless required by applicable law or agreed to in writing, software
10		// distributed under the License is distributed on an "AS IS" BASIS,
11		// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12		// See the License for the specific language governing permissions and
13		// limitations under the License.
14
15		#include <openssl/ssl.h>
16
17		#include <assert.h>
18		#include <string.h>
19
20		#include <openssl/err.h>
21
22		#include "../crypto/internal.h"
23		#include "internal.h"
24
25
26		BSSL_NAMESPACE_BEGIN
27
28	408	static void tls_on_handshake_complete(SSL *ssl) {
29		// The handshake should have released its final message.
30	408	assert(!ssl->s3->has_message);
31
32		// During the handshake, \|hs_buf\| is retained. Release if it there is no
33		// excess in it. There should not be any excess because the handshake logic
34		// rejects unprocessed data after each Finished message. Note this means we do
35		// not allow a TLS 1.2 HelloRequest to be packed into the same record as
36		// Finished. (Schannel also rejects this.)
37	408	assert(!ssl->s3->hs_buf \|\| ssl->s3->hs_buf->length == 0);
38	408	if (ssl->s3->hs_buf && ssl->s3->hs_buf->length == 0) {
39	408	ssl->s3->hs_buf.reset();
40	408	}
41	408	}
42
43		static bool tls_set_read_state(SSL *ssl, ssl_encryption_level_t level,
44		UniquePtr<SSLAEADContext> aead_ctx,
45	8.97k	Span<const uint8_t> traffic_secret) {
46		// Cipher changes are forbidden if the current epoch has leftover data.
47	8.97k	if (tls_has_unprocessed_handshake_data(ssl)) {
48	11	OPENSSL_PUT_ERROR(SSL, SSL_R_EXCESS_HANDSHAKE_DATA);
49	11	ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
50	11	return false;
51	11	}
52
53	8.96k	if (SSL_is_quic(ssl)) {
54	0	if ((ssl->s3->hs == nullptr \|\| !ssl->s3->hs->hints_requested) &&
55	0	!ssl->quic_method->set_read_secret(ssl, level, aead_ctx->cipher(),
56	0	traffic_secret.data(),
57	0	traffic_secret.size())) {
58	0	return false;
59	0	}
60
61		// QUIC only uses \|ssl\| for handshake messages, which never use early data
62		// keys, so we return without installing anything. This avoids needing to
63		// have two secrets active at once in 0-RTT.
64	0	if (level == ssl_encryption_early_data) {
65	0	return true;
66	0	}
67	0	ssl->s3->quic_read_level = level;
68	0	}
69
70	8.96k	ssl->s3->read_sequence = 0;
71	8.96k	ssl->s3->aead_read_ctx = std::move(aead_ctx);
72	8.96k	return true;
73	8.96k	}
74
75		static bool tls_set_write_state(SSL *ssl, ssl_encryption_level_t level,
76		UniquePtr<SSLAEADContext> aead_ctx,
77	1.52k	Span<const uint8_t> traffic_secret) {
78	1.52k	if (!tls_flush_pending_hs_data(ssl)) {
79	0	return false;
80	0	}
81
82	1.52k	if (SSL_is_quic(ssl)) {
83	0	if ((ssl->s3->hs == nullptr \|\| !ssl->s3->hs->hints_requested) &&
84	0	!ssl->quic_method->set_write_secret(ssl, level, aead_ctx->cipher(),
85	0	traffic_secret.data(),
86	0	traffic_secret.size())) {
87	0	return false;
88	0	}
89
90		// QUIC only uses \|ssl\| for handshake messages, which never use early data
91		// keys, so we return without installing anything. This avoids needing to
92		// have two secrets active at once in 0-RTT.
93	0	if (level == ssl_encryption_early_data) {
94	0	return true;
95	0	}
96	0	ssl->s3->quic_write_level = level;
97	0	}
98
99	1.52k	ssl->s3->write_sequence = 0;
100	1.52k	ssl->s3->aead_write_ctx = std::move(aead_ctx);
101	1.52k	return true;
102	1.52k	}
103
104	3.74k	static void tls_finish_flight(SSL *ssl) {
105		// We don't track whether a flight is complete in TLS and instead always flush
106		// every queued message in \|tls_flush\|, whether the flight is complete or not.
107	3.74k	}
108
109	0	static void tls_schedule_ack(SSL *ssl) {
110		// TLS does not use ACKs.
111	0	}
112
113		static const SSL_PROTOCOL_METHOD kTLSProtocolMethod = {
114		false /* is_dtls */,
115		tls_new,
116		tls_free,
117		tls_get_message,
118		tls_next_message,
119		tls_has_unprocessed_handshake_data,
120		tls_open_handshake,
121		tls_open_change_cipher_spec,
122		tls_open_app_data,
123		tls_write_app_data,
124		tls_dispatch_alert,
125		tls_init_message,
126		tls_finish_message,
127		tls_add_message,
128		tls_add_change_cipher_spec,
129		tls_finish_flight,
130		tls_schedule_ack,
131		tls_flush,
132		tls_on_handshake_complete,
133		tls_set_read_state,
134		tls_set_write_state,
135		};
136
137		static bool ssl_noop_x509_check_client_CA_names(
138	0	STACK_OF(CRYPTO_BUFFER) *names) {
139	0	return true;
140	0	}
141
142	0	static void ssl_noop_x509_clear(CERT *cert) {}
143	0	static void ssl_noop_x509_free(CERT *cert) {}
144	0	static void ssl_noop_x509_dup(CERT new_cert, const CERT cert) {}
145	0	static void ssl_noop_x509_flush_cached_leaf(CERT *cert) {}
146	0	static void ssl_noop_x509_flush_cached_chain(CERT *cert) {}
147	0	static bool ssl_noop_x509_session_cache_objects(SSL_SESSION *sess) {
148	0	return true;
149	0	}
150		static bool ssl_noop_x509_session_dup(SSL_SESSION *new_session,
151	0	const SSL_SESSION *session) {
152	0	return true;
153	0	}
154	0	static void ssl_noop_x509_session_clear(SSL_SESSION *session) {}
155		static bool ssl_noop_x509_session_verify_cert_chain(SSL_SESSION *session,
156		SSL_HANDSHAKE *hs,
157	0	uint8_t *out_alert) {
158	0	return false;
159	0	}
160
161	0	static void ssl_noop_x509_hs_flush_cached_ca_names(SSL_HANDSHAKE *hs) {}
162	0	static bool ssl_noop_x509_ssl_new(SSL_HANDSHAKE *hs) { return true; }
163	0	static void ssl_noop_x509_ssl_config_free(SSL_CONFIG *cfg) {}
164	0	static void ssl_noop_x509_ssl_flush_cached_client_CA(SSL_CONFIG *cfg) {}
165	0	static bool ssl_noop_x509_ssl_auto_chain_if_needed(SSL_HANDSHAKE *hs) {
166	0	return true;
167	0	}
168	0	static bool ssl_noop_x509_ssl_ctx_new(SSL_CTX *ctx) { return true; }
169	0	static void ssl_noop_x509_ssl_ctx_free(SSL_CTX *ctx) {}
170	0	static void ssl_noop_x509_ssl_ctx_flush_cached_client_CA(SSL_CTX *ctx) {}
171
172		const SSL_X509_METHOD ssl_noop_x509_method = {
173		ssl_noop_x509_check_client_CA_names,
174		ssl_noop_x509_clear,
175		ssl_noop_x509_free,
176		ssl_noop_x509_dup,
177		ssl_noop_x509_flush_cached_chain,
178		ssl_noop_x509_flush_cached_leaf,
179		ssl_noop_x509_session_cache_objects,
180		ssl_noop_x509_session_dup,
181		ssl_noop_x509_session_clear,
182		ssl_noop_x509_session_verify_cert_chain,
183		ssl_noop_x509_hs_flush_cached_ca_names,
184		ssl_noop_x509_ssl_new,
185		ssl_noop_x509_ssl_config_free,
186		ssl_noop_x509_ssl_flush_cached_client_CA,
187		ssl_noop_x509_ssl_auto_chain_if_needed,
188		ssl_noop_x509_ssl_ctx_new,
189		ssl_noop_x509_ssl_ctx_free,
190		ssl_noop_x509_ssl_ctx_flush_cached_client_CA,
191		};
192
193		BSSL_NAMESPACE_END
194
195		using namespace bssl;
196
197	2	const SSL_METHOD *TLS_method(void) {
198	2	static const SSL_METHOD kMethod = {
199	2	0,
200	2	&kTLSProtocolMethod,
201	2	&ssl_crypto_x509_method,
202	2	};
203	2	return &kMethod;
204	2	}
205
206	0	const SSL_METHOD *SSLv23_method(void) { return TLS_method(); }
207
208	0	const SSL_METHOD *TLS_with_buffers_method(void) {
209	0	static const SSL_METHOD kMethod = {
210	0	0,
211	0	&kTLSProtocolMethod,
212	0	&ssl_noop_x509_method,
213	0	};
214	0	return &kMethod;
215	0	}
216
217		// Legacy version-locked methods.
218
219	0	const SSL_METHOD *TLSv1_2_method(void) {
220	0	static const SSL_METHOD kMethod = {
221	0	TLS1_2_VERSION,
222	0	&kTLSProtocolMethod,
223	0	&ssl_crypto_x509_method,
224	0	};
225	0	return &kMethod;
226	0	}
227
228	0	const SSL_METHOD *TLSv1_1_method(void) {
229	0	static const SSL_METHOD kMethod = {
230	0	TLS1_1_VERSION,
231	0	&kTLSProtocolMethod,
232	0	&ssl_crypto_x509_method,
233	0	};
234	0	return &kMethod;
235	0	}
236
237	0	const SSL_METHOD *TLSv1_method(void) {
238	0	static const SSL_METHOD kMethod = {
239	0	TLS1_VERSION,
240	0	&kTLSProtocolMethod,
241	0	&ssl_crypto_x509_method,
242	0	};
243	0	return &kMethod;
244	0	}
245
246		// Legacy side-specific methods.
247
248	0	const SSL_METHOD *TLSv1_2_server_method(void) { return TLSv1_2_method(); }
249
250	0	const SSL_METHOD *TLSv1_1_server_method(void) { return TLSv1_1_method(); }
251
252	0	const SSL_METHOD *TLSv1_server_method(void) { return TLSv1_method(); }
253
254	0	const SSL_METHOD *TLSv1_2_client_method(void) { return TLSv1_2_method(); }
255
256	0	const SSL_METHOD *TLSv1_1_client_method(void) { return TLSv1_1_method(); }
257
258	0	const SSL_METHOD *TLSv1_client_method(void) { return TLSv1_method(); }
259
260	0	const SSL_METHOD *SSLv23_server_method(void) { return SSLv23_method(); }
261
262	0	const SSL_METHOD *SSLv23_client_method(void) { return SSLv23_method(); }
263
264	0	const SSL_METHOD *TLS_server_method(void) { return TLS_method(); }
265
266	0	const SSL_METHOD *TLS_client_method(void) { return TLS_method(); }