/src/boringssl/ssl/ssl_lib.cc
Line | Count | Source |
1 | | // Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. |
2 | | // Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved. |
3 | | // Copyright 2005 Nokia. All rights reserved. |
4 | | // |
5 | | // Licensed under the Apache License, Version 2.0 (the "License"); |
6 | | // you may not use this file except in compliance with the License. |
7 | | // You may obtain a copy of the License at |
8 | | // |
9 | | // https://www.apache.org/licenses/LICENSE-2.0 |
10 | | // |
11 | | // Unless required by applicable law or agreed to in writing, software |
12 | | // distributed under the License is distributed on an "AS IS" BASIS, |
13 | | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
14 | | // See the License for the specific language governing permissions and |
15 | | // limitations under the License. |
16 | | |
17 | | #include <openssl/ssl.h> |
18 | | |
19 | | #include <algorithm> |
20 | | #include <iterator> |
21 | | |
22 | | #include <assert.h> |
23 | | #include <limits.h> |
24 | | #include <stdlib.h> |
25 | | #include <string.h> |
26 | | |
27 | | #include <openssl/bytestring.h> |
28 | | #include <openssl/crypto.h> |
29 | | #include <openssl/err.h> |
30 | | #include <openssl/evp.h> |
31 | | #include <openssl/mem.h> |
32 | | #include <openssl/nid.h> |
33 | | #include <openssl/rand.h> |
34 | | |
35 | | #include "../crypto/bytestring/internal.h" |
36 | | #include "../crypto/internal.h" |
37 | | #include "internal.h" |
38 | | |
39 | | #if defined(OPENSSL_WINDOWS) |
40 | | #include <sys/timeb.h> |
41 | | #else |
42 | | #include <sys/socket.h> |
43 | | #include <sys/time.h> |
44 | | #endif |
45 | | |
46 | | |
47 | | BSSL_NAMESPACE_BEGIN |
48 | | |
49 | | static_assert(SSL3_RT_MAX_ENCRYPTED_OVERHEAD >= |
50 | | SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD, |
51 | | "max overheads are inconsistent"); |
52 | | |
53 | | // |SSL_R_UNKNOWN_PROTOCOL| is no longer emitted, but continue to define it |
54 | | // to avoid downstream churn. |
55 | | OPENSSL_DECLARE_ERROR_REASON(SSL, UNKNOWN_PROTOCOL) |
56 | | |
57 | | // The following errors are no longer emitted, but are used in nginx without |
58 | | // #ifdefs. |
59 | | OPENSSL_DECLARE_ERROR_REASON(SSL, BLOCK_CIPHER_PAD_IS_WRONG) |
60 | | OPENSSL_DECLARE_ERROR_REASON(SSL, NO_CIPHERS_SPECIFIED) |
61 | | |
62 | | // Some error codes are special. Ensure the make_errors.go script never |
63 | | // regresses this. |
64 | | static_assert(SSL_R_TLSV1_ALERT_NO_RENEGOTIATION == |
65 | | SSL_AD_NO_RENEGOTIATION + SSL_AD_REASON_OFFSET, |
66 | | "alert reason code mismatch"); |
67 | | |
68 | | // kMaxHandshakeSize is the maximum size, in bytes, of a handshake message. |
69 | | static const size_t kMaxHandshakeSize = (1u << 24) - 1; |
70 | | |
71 | | static ExDataClass g_ex_data_class_ssl(/*with_app_data=*/true); |
72 | | static ExDataClass g_ex_data_class_ssl_ctx(/*with_app_data=*/true); |
73 | | |
74 | 98.9k | void ssl_reset_error_state(SSL *ssl) { |
75 | | // Functions which use |SSL_get_error| must reset I/O and error state on |
76 | | // entry. |
77 | 98.9k | ssl->s3->rwstate = SSL_ERROR_NONE; |
78 | 98.9k | ERR_clear_error(); |
79 | 98.9k | ERR_clear_system_error(); |
80 | 98.9k | } |
81 | | |
82 | 4.36k | void ssl_set_read_error(SSL *ssl) { |
83 | 4.36k | ssl->s3->read_shutdown = ssl_shutdown_error; |
84 | 4.36k | ssl->s3->read_error.reset(ERR_save_state()); |
85 | 4.36k | } |
86 | | |
87 | 2.05M | static bool check_read_error(const SSL *ssl) { |
88 | 2.05M | if (ssl->s3->read_shutdown == ssl_shutdown_error) { |
89 | 0 | ERR_restore_state(ssl->s3->read_error.get()); |
90 | 0 | return false; |
91 | 0 | } |
92 | 2.05M | return true; |
93 | 2.05M | } |
94 | | |
95 | 0 | bool ssl_can_write(const SSL *ssl) { |
96 | 0 | return !SSL_in_init(ssl) || ssl->s3->hs->can_early_write; |
97 | 0 | } |
98 | | |
99 | 586k | bool ssl_can_read(const SSL *ssl) { |
100 | 586k | return !SSL_in_init(ssl) || ssl->s3->hs->can_early_read; |
101 | 586k | } |
102 | | |
103 | | ssl_open_record_t ssl_open_handshake(SSL *ssl, size_t *out_consumed, |
104 | 1.59M | uint8_t *out_alert, Span<uint8_t> in) { |
105 | 1.59M | *out_consumed = 0; |
106 | 1.59M | if (!check_read_error(ssl)) { |
107 | 0 | *out_alert = 0; |
108 | 0 | return ssl_open_record_error; |
109 | 0 | } |
110 | 1.59M | auto ret = ssl->method->open_handshake(ssl, out_consumed, out_alert, in); |
111 | 1.59M | if (ret == ssl_open_record_error) { |
112 | 3.42k | ssl_set_read_error(ssl); |
113 | 3.42k | } |
114 | 1.59M | return ret; |
115 | 1.59M | } |
116 | | |
117 | | ssl_open_record_t ssl_open_change_cipher_spec(SSL *ssl, size_t *out_consumed, |
118 | | uint8_t *out_alert, |
119 | 107k | Span<uint8_t> in) { |
120 | 107k | *out_consumed = 0; |
121 | 107k | if (!check_read_error(ssl)) { |
122 | 0 | *out_alert = 0; |
123 | 0 | return ssl_open_record_error; |
124 | 0 | } |
125 | 107k | auto ret = |
126 | 107k | ssl->method->open_change_cipher_spec(ssl, out_consumed, out_alert, in); |
127 | 107k | if (ret == ssl_open_record_error) { |
128 | 273 | ssl_set_read_error(ssl); |
129 | 273 | } |
130 | 107k | return ret; |
131 | 107k | } |
132 | | |
133 | | ssl_open_record_t ssl_open_app_data(SSL *ssl, Span<uint8_t> *out, |
134 | | size_t *out_consumed, uint8_t *out_alert, |
135 | 315k | Span<uint8_t> in) { |
136 | 315k | *out_consumed = 0; |
137 | 315k | if (!check_read_error(ssl)) { |
138 | 0 | *out_alert = 0; |
139 | 0 | return ssl_open_record_error; |
140 | 0 | } |
141 | 315k | auto ret = ssl->method->open_app_data(ssl, out, out_consumed, out_alert, in); |
142 | 315k | if (ret == ssl_open_record_error) { |
143 | 569 | ssl_set_read_error(ssl); |
144 | 569 | } |
145 | 315k | return ret; |
146 | 315k | } |
147 | | |
148 | 0 | static uint8_t hex_char_consttime(uint8_t b) { |
149 | 0 | declassify_assert(b < 16); |
150 | 0 | return constant_time_select_8(constant_time_lt_8(b, 10), b + '0', |
151 | 0 | b - 10 + 'a'); |
152 | 0 | } |
153 | | |
154 | 0 | static bool cbb_add_hex_consttime(CBB *cbb, Span<const uint8_t> in) { |
155 | 0 | uint8_t *out; |
156 | 0 | if (!CBB_add_space(cbb, &out, in.size() * 2)) { |
157 | 0 | return false; |
158 | 0 | } |
159 | | |
160 | 0 | for (uint8_t b : in) { |
161 | 0 | *(out++) = hex_char_consttime(b >> 4); |
162 | 0 | *(out++) = hex_char_consttime(b & 0xf); |
163 | 0 | } |
164 | |
|
165 | 0 | return true; |
166 | 0 | } |
167 | | |
168 | | bool ssl_log_secret(const SSL *ssl, const char *label, |
169 | 57.1k | Span<const uint8_t> secret) { |
170 | 57.1k | if (ssl->ctx->keylog_callback == nullptr) { |
171 | 57.1k | return true; |
172 | 57.1k | } |
173 | | |
174 | 0 | ScopedCBB cbb; |
175 | 0 | Array<uint8_t> line; |
176 | 0 | auto label_bytes = bssl::StringAsBytes(label); |
177 | 0 | if (!CBB_init(cbb.get(), strlen(label) + 1 + SSL3_RANDOM_SIZE * 2 + 1 + |
178 | 0 | secret.size() * 2 + 1) || |
179 | 0 | !CBB_add_bytes(cbb.get(), label_bytes.data(), label_bytes.size()) || |
180 | 0 | !CBB_add_u8(cbb.get(), ' ') || |
181 | 0 | !cbb_add_hex_consttime(cbb.get(), ssl->s3->client_random) || |
182 | 0 | !CBB_add_u8(cbb.get(), ' ') || |
183 | | // Convert to hex in constant time to avoid leaking |secret|. If the |
184 | | // callback discards the data, we should not introduce side channels. |
185 | 0 | !cbb_add_hex_consttime(cbb.get(), secret) || |
186 | 0 | !CBB_add_u8(cbb.get(), 0 /* NUL */) || |
187 | 0 | !CBBFinishArray(cbb.get(), &line)) { |
188 | 0 | return false; |
189 | 0 | } |
190 | | |
191 | 0 | ssl->ctx->keylog_callback(ssl, reinterpret_cast<const char *>(line.data())); |
192 | 0 | return true; |
193 | 0 | } |
194 | | |
195 | 999k | void ssl_do_info_callback(const SSL *ssl, int type, int value) { |
196 | 999k | void (*cb)(const SSL *ssl, int type, int value) = nullptr; |
197 | 999k | if (ssl->info_callback != nullptr) { |
198 | 0 | cb = ssl->info_callback; |
199 | 999k | } else if (ssl->ctx->info_callback != nullptr) { |
200 | 0 | cb = ssl->ctx->info_callback; |
201 | 0 | } |
202 | | |
203 | 999k | if (cb != nullptr) { |
204 | 0 | cb(ssl, type, value); |
205 | 0 | } |
206 | 999k | } |
207 | | |
208 | | void ssl_do_msg_callback(const SSL *ssl, int is_write, int content_type, |
209 | 1.55M | Span<const uint8_t> in) { |
210 | 1.55M | if (ssl->msg_callback == nullptr) { |
211 | 1.55M | return; |
212 | 1.55M | } |
213 | | |
214 | | // |version| is zero when calling for |SSL3_RT_HEADER| and |SSL2_VERSION| for |
215 | | // a V2ClientHello. |
216 | 0 | int version; |
217 | 0 | switch (content_type) { |
218 | 0 | case 0: |
219 | | // V2ClientHello |
220 | 0 | version = SSL2_VERSION; |
221 | 0 | break; |
222 | 0 | case SSL3_RT_HEADER: |
223 | 0 | version = 0; |
224 | 0 | break; |
225 | 0 | default: |
226 | 0 | version = SSL_version(ssl); |
227 | 0 | } |
228 | | |
229 | 0 | ssl->msg_callback(is_write, version, content_type, in.data(), in.size(), |
230 | 0 | const_cast<SSL *>(ssl), ssl->msg_callback_arg); |
231 | 0 | } |
232 | | |
233 | 230k | OPENSSL_timeval ssl_ctx_get_current_time(const SSL_CTX *ctx) { |
234 | 230k | if (ctx->current_time_cb != nullptr) { |
235 | | // TODO(davidben): Update current_time_cb to use OPENSSL_timeval. See |
236 | | // https://crbug.com/boringssl/155. |
237 | 230k | struct timeval clock; |
238 | 230k | ctx->current_time_cb(nullptr /* ssl */, &clock); |
239 | 230k | if (clock.tv_sec < 0) { |
240 | 0 | assert(0); |
241 | 0 | return {0, 0}; |
242 | 230k | } else { |
243 | 230k | return {static_cast<uint64_t>(clock.tv_sec), |
244 | 230k | static_cast<uint32_t>(clock.tv_usec)}; |
245 | 230k | } |
246 | 230k | } |
247 | | |
248 | | #if defined(OPENSSL_WINDOWS) |
249 | | struct _timeb time; |
250 | | _ftime(&time); |
251 | | if (time.time < 0) { |
252 | | assert(0); |
253 | | return {0, 0}; |
254 | | } else { |
255 | | return {static_cast<uint64_t>(time.time), |
256 | | static_cast<uint32_t>(time.millitm * 1000)}; |
257 | | } |
258 | | #else |
259 | 0 | struct timeval clock; |
260 | 0 | gettimeofday(&clock, nullptr); |
261 | 0 | if (clock.tv_sec < 0) { |
262 | 0 | assert(0); |
263 | 0 | return {0, 0}; |
264 | 0 | } else { |
265 | 0 | return {static_cast<uint64_t>(clock.tv_sec), |
266 | 0 | static_cast<uint32_t>(clock.tv_usec)}; |
267 | 0 | } |
268 | 0 | #endif |
269 | 0 | } |
270 | | |
271 | 0 | void SSL_CTX_set_handoff_mode(SSL_CTX *ctx, bool on) { ctx->handoff = on; } |
272 | | |
273 | 65.3k | static bool ssl_can_renegotiate(const SSL *ssl) { |
274 | 65.3k | if (ssl->server || SSL_is_dtls(ssl)) { |
275 | 0 | return false; |
276 | 0 | } |
277 | | |
278 | 65.3k | if (ssl->s3->version != 0 // |
279 | 65.3k | && ssl_protocol_version(ssl) >= TLS1_3_VERSION) { |
280 | 0 | return false; |
281 | 0 | } |
282 | | |
283 | | // The config has already been shed. |
284 | 65.3k | if (!ssl->config) { |
285 | 0 | return false; |
286 | 0 | } |
287 | | |
288 | 65.3k | switch (ssl->renegotiate_mode) { |
289 | 0 | case ssl_renegotiate_ignore: |
290 | 0 | case ssl_renegotiate_never: |
291 | 0 | return false; |
292 | | |
293 | 65.3k | case ssl_renegotiate_freely: |
294 | 65.3k | case ssl_renegotiate_explicit: |
295 | 65.3k | return true; |
296 | 0 | case ssl_renegotiate_once: |
297 | 0 | return ssl->s3->total_renegotiations == 0; |
298 | 65.3k | } |
299 | | |
300 | 65.3k | assert(0); |
301 | 0 | return false; |
302 | 0 | } |
303 | | |
304 | 48.5k | static void ssl_maybe_shed_handshake_config(SSL *ssl) { |
305 | 48.5k | if (ssl->s3->hs != nullptr || // |
306 | 36.2k | ssl->config == nullptr || // |
307 | 36.2k | !ssl->config->shed_handshake_config || // |
308 | 48.5k | ssl_can_renegotiate(ssl)) { |
309 | 48.5k | return; |
310 | 48.5k | } |
311 | | |
312 | 0 | ssl->config.reset(); |
313 | 0 | } |
314 | | |
315 | 15.1k | void SSL_set_handoff_mode(SSL *ssl, bool on) { |
316 | 15.1k | if (!ssl->config) { |
317 | 0 | return; |
318 | 0 | } |
319 | 15.1k | ssl->config->handoff = on; |
320 | 15.1k | } |
321 | | |
322 | | bool SSL_get_traffic_secrets(const SSL *ssl, |
323 | | Span<const uint8_t> *out_read_traffic_secret, |
324 | 0 | Span<const uint8_t> *out_write_traffic_secret) { |
325 | | // This API is not well-defined for DTLS, where multiple epochs may be alive |
326 | | // at once. Callers should use |SSL_get_dtls_*_traffic_secret| instead. In |
327 | | // QUIC, the application is already handed the traffic secret. |
328 | 0 | if (SSL_is_dtls(ssl) || SSL_is_quic(ssl)) { |
329 | 0 | OPENSSL_PUT_ERROR(SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); |
330 | 0 | return false; |
331 | 0 | } |
332 | | |
333 | 0 | if (!ssl->s3->initial_handshake_complete) { |
334 | 0 | OPENSSL_PUT_ERROR(SSL, SSL_R_HANDSHAKE_NOT_COMPLETE); |
335 | 0 | return false; |
336 | 0 | } |
337 | | |
338 | 0 | if (SSL_version(ssl) < TLS1_3_VERSION) { |
339 | 0 | OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_SSL_VERSION); |
340 | 0 | return false; |
341 | 0 | } |
342 | | |
343 | 0 | *out_read_traffic_secret = ssl->s3->read_traffic_secret; |
344 | 0 | *out_write_traffic_secret = ssl->s3->write_traffic_secret; |
345 | 0 | return true; |
346 | 0 | } |
347 | | |
348 | | void SSL_CTX_set_aes_hw_override_for_testing(SSL_CTX *ctx, |
349 | 0 | bool override_value) { |
350 | 0 | ctx->aes_hw_override = true; |
351 | 0 | ctx->aes_hw_override_value = override_value; |
352 | 0 | } |
353 | | |
354 | 0 | void SSL_set_aes_hw_override_for_testing(SSL *ssl, bool override_value) { |
355 | 0 | ssl->config->aes_hw_override = true; |
356 | 0 | ssl->config->aes_hw_override_value = override_value; |
357 | 0 | } |
358 | | |
359 | | BSSL_NAMESPACE_END |
360 | | |
361 | | using namespace bssl; |
362 | | |
363 | 0 | int SSL_library_init() { return 1; } |
364 | | |
365 | 0 | int OPENSSL_init_ssl(uint64_t opts, const OPENSSL_INIT_SETTINGS *settings) { |
366 | 0 | return 1; |
367 | 0 | } |
368 | | |
369 | 72.0k | static uint32_t ssl_session_hash(const SSL_SESSION *sess) { |
370 | 72.0k | return ssl_hash_session_id(sess->session_id); |
371 | 72.0k | } |
372 | | |
373 | 187k | static int ssl_session_cmp(const SSL_SESSION *a, const SSL_SESSION *b) { |
374 | 187k | return Span(a->session_id) == b->session_id ? 0 : 1; |
375 | 187k | } |
376 | | |
377 | | ssl_ctx_st::ssl_ctx_st(const SSL_METHOD *ssl_method) |
378 | 4.75k | : RefCounted(CheckSubClass()), |
379 | 4.75k | method(ssl_method->method), |
380 | 4.75k | x509_method(ssl_method->x509_method), |
381 | 4.75k | retain_only_sha256_of_client_certs(false), |
382 | 4.75k | quiet_shutdown(false), |
383 | 4.75k | ocsp_stapling_enabled(false), |
384 | 4.75k | signed_cert_timestamps_enabled(false), |
385 | 4.75k | channel_id_enabled(false), |
386 | 4.75k | grease_enabled(false), |
387 | 4.75k | permute_extensions(false), |
388 | 4.75k | allow_unknown_alpn_protos(false), |
389 | 4.75k | false_start_allowed_without_alpn(false), |
390 | 4.75k | handoff(false), |
391 | 4.75k | enable_early_data(false), |
392 | 4.75k | aes_hw_override(false), |
393 | 4.75k | aes_hw_override_value(false), |
394 | 4.75k | resumption_across_names_enabled(false) { |
395 | 4.75k | CRYPTO_new_ex_data(&ex_data); |
396 | 4.75k | } |
397 | | |
398 | 4.74k | ssl_ctx_st::~ssl_ctx_st() { |
399 | | // Free the internal session cache. Note that this calls the caller-supplied |
400 | | // remove callback, so we must do it before clearing ex_data. (See ticket |
401 | | // [openssl.org #212].) |
402 | 4.74k | SSL_CTX_flush_sessions(this, 0); |
403 | | |
404 | 4.74k | CRYPTO_free_ex_data(&g_ex_data_class_ssl_ctx, &ex_data); |
405 | | |
406 | 4.74k | lh_SSL_SESSION_free(sessions); |
407 | 4.74k | x509_method->ssl_ctx_free(this); |
408 | 4.74k | } |
409 | | |
410 | 4.75k | SSL_CTX *SSL_CTX_new(const SSL_METHOD *method) { |
411 | 4.75k | if (method == nullptr) { |
412 | 0 | OPENSSL_PUT_ERROR(SSL, SSL_R_NULL_SSL_METHOD_PASSED); |
413 | 0 | return nullptr; |
414 | 0 | } |
415 | | |
416 | 4.75k | UniquePtr<SSL_CTX> ret = MakeUnique<SSL_CTX>(method); |
417 | 4.75k | if (!ret) { |
418 | 0 | return nullptr; |
419 | 0 | } |
420 | | |
421 | 4.75k | ret->cert = MakeUnique<CERT>(method->x509_method); |
422 | 4.75k | ret->sessions = lh_SSL_SESSION_new(ssl_session_hash, ssl_session_cmp); |
423 | 4.75k | ret->client_CA.reset(sk_CRYPTO_BUFFER_new_null()); |
424 | 4.75k | ret->CA_names.reset(sk_CRYPTO_BUFFER_new_null()); |
425 | 4.75k | if (ret->cert == nullptr || // |
426 | 4.75k | !ret->cert->is_valid() || // |
427 | 4.75k | ret->sessions == nullptr || // |
428 | 4.75k | ret->client_CA == nullptr || // |
429 | 4.75k | ret->CA_names == nullptr || // |
430 | 4.75k | !ret->x509_method->ssl_ctx_new(ret.get())) { |
431 | 0 | return nullptr; |
432 | 0 | } |
433 | | |
434 | 4.75k | if (!SSL_CTX_set_strict_cipher_list(ret.get(), SSL_DEFAULT_CIPHER_LIST) || |
435 | | // Lock the SSL_CTX to the specified version, for compatibility with |
436 | | // legacy uses of SSL_METHOD. |
437 | 4.75k | !SSL_CTX_set_max_proto_version(ret.get(), method->version) || |
438 | 4.75k | !SSL_CTX_set_min_proto_version(ret.get(), method->version)) { |
439 | 0 | OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); |
440 | 0 | return nullptr; |
441 | 0 | } |
442 | | |
443 | 4.75k | if (!ret->supported_group_list.CopyFrom(DefaultSupportedGroupIds())) { |
444 | 0 | return nullptr; |
445 | 0 | } |
446 | 4.75k | if (!ret->supported_group_list_flags.Init(ret->supported_group_list.size())) { |
447 | 0 | return nullptr; |
448 | 0 | } |
449 | | |
450 | 4.75k | return ret.release(); |
451 | 4.75k | } |
452 | | |
453 | 216k | int SSL_CTX_up_ref(SSL_CTX *ctx) { |
454 | 216k | ctx->UpRefInternal(); |
455 | 216k | return 1; |
456 | 216k | } |
457 | | |
458 | 221k | void SSL_CTX_free(SSL_CTX *ctx) { |
459 | 221k | if (ctx != nullptr) { |
460 | 221k | ctx->DecRefInternal(); |
461 | 221k | } |
462 | 221k | } |
463 | | |
464 | | ssl_st::ssl_st(SSL_CTX *ctx_arg) |
465 | 108k | : method(ctx_arg->method), |
466 | 108k | max_send_fragment(ctx_arg->max_send_fragment), |
467 | 108k | msg_callback(ctx_arg->msg_callback), |
468 | 108k | msg_callback_arg(ctx_arg->msg_callback_arg), |
469 | 108k | ctx(UpRef(ctx_arg)), |
470 | 108k | session_ctx(UpRef(ctx_arg)), |
471 | 108k | options(ctx->options), |
472 | 108k | mode(ctx->mode), |
473 | 108k | max_cert_list(ctx->max_cert_list), |
474 | 108k | server(false), |
475 | 108k | quiet_shutdown(ctx->quiet_shutdown), |
476 | 108k | enable_early_data(ctx->enable_early_data), |
477 | 108k | resumption_across_names_enabled(ctx->resumption_across_names_enabled) { |
478 | 108k | CRYPTO_new_ex_data(&ex_data); |
479 | 108k | } |
480 | | |
481 | 108k | ssl_st::~ssl_st() { |
482 | 108k | CRYPTO_free_ex_data(&g_ex_data_class_ssl, &ex_data); |
483 | | // |config| refers to |this|, so we must release it earlier. |
484 | 108k | config.reset(); |
485 | 108k | if (method != nullptr) { |
486 | 108k | method->ssl_free(this); |
487 | 108k | } |
488 | 108k | } |
489 | | |
490 | 108k | SSL *SSL_new(SSL_CTX *ctx) { |
491 | 108k | if (ctx == nullptr) { |
492 | 0 | OPENSSL_PUT_ERROR(SSL, SSL_R_NULL_SSL_CTX); |
493 | 0 | return nullptr; |
494 | 0 | } |
495 | | |
496 | 108k | UniquePtr<SSL> ssl = MakeUnique<SSL>(ctx); |
497 | 108k | if (ssl == nullptr) { |
498 | 0 | return nullptr; |
499 | 0 | } |
500 | | |
501 | 108k | ssl->config = MakeUnique<SSL_CONFIG>(ssl.get()); |
502 | 108k | if (ssl->config == nullptr) { |
503 | 0 | return nullptr; |
504 | 0 | } |
505 | 108k | ssl->config->conf_min_version = ctx->conf_min_version; |
506 | 108k | ssl->config->conf_max_version = ctx->conf_max_version; |
507 | | |
508 | 108k | ssl->config->cert = ssl_cert_dup(ctx->cert.get()); |
509 | 108k | if (ssl->config->cert == nullptr) { |
510 | 0 | return nullptr; |
511 | 0 | } |
512 | | |
513 | 108k | ssl->config->verify_mode = ctx->verify_mode; |
514 | 108k | ssl->config->verify_callback = ctx->default_verify_callback; |
515 | 108k | ssl->config->custom_verify_callback = ctx->custom_verify_callback; |
516 | 108k | ssl->config->retain_only_sha256_of_client_certs = |
517 | 108k | ctx->retain_only_sha256_of_client_certs; |
518 | 108k | ssl->config->permute_extensions = ctx->permute_extensions; |
519 | 108k | ssl->config->aes_hw_override = ctx->aes_hw_override; |
520 | 108k | ssl->config->aes_hw_override_value = ctx->aes_hw_override_value; |
521 | 108k | ssl->config->compliance_policy = ctx->compliance_policy; |
522 | | |
523 | 108k | if (!ssl->config->supported_group_list.CopyFrom(ctx->supported_group_list) || |
524 | 108k | !ssl->config->supported_group_list_flags.CopyFrom( |
525 | 108k | ctx->supported_group_list_flags) || |
526 | 108k | !ssl->config->alpn_client_proto_list.CopyFrom( |
527 | 108k | ctx->alpn_client_proto_list) || |
528 | 108k | !ssl->config->verify_sigalgs.CopyFrom(ctx->verify_sigalgs)) { |
529 | 0 | return nullptr; |
530 | 0 | } |
531 | | |
532 | 108k | if (ctx->requested_trust_anchors) { |
533 | 0 | ssl->config->requested_trust_anchors.emplace(); |
534 | 0 | if (!ssl->config->requested_trust_anchors->CopyFrom( |
535 | 0 | *ctx->requested_trust_anchors)) { |
536 | 0 | return nullptr; |
537 | 0 | } |
538 | 0 | } |
539 | | |
540 | 108k | if (ctx->psk_identity_hint) { |
541 | 0 | ssl->config->psk_identity_hint.reset( |
542 | 0 | OPENSSL_strdup(ctx->psk_identity_hint.get())); |
543 | 0 | if (ssl->config->psk_identity_hint == nullptr) { |
544 | 0 | return nullptr; |
545 | 0 | } |
546 | 0 | } |
547 | 108k | ssl->config->psk_client_callback = ctx->psk_client_callback; |
548 | 108k | ssl->config->psk_server_callback = ctx->psk_server_callback; |
549 | | |
550 | 108k | ssl->config->channel_id_enabled = ctx->channel_id_enabled; |
551 | 108k | ssl->config->channel_id_private = UpRef(ctx->channel_id_private); |
552 | | |
553 | 108k | ssl->config->signed_cert_timestamps_enabled = |
554 | 108k | ctx->signed_cert_timestamps_enabled; |
555 | 108k | ssl->config->ocsp_stapling_enabled = ctx->ocsp_stapling_enabled; |
556 | 108k | ssl->config->handoff = ctx->handoff; |
557 | 108k | ssl->quic_method = ctx->quic_method; |
558 | | |
559 | 108k | if (!ssl->method->ssl_new(ssl.get()) || |
560 | 108k | !ssl->ctx->x509_method->ssl_new(ssl->s3->hs.get())) { |
561 | 0 | return nullptr; |
562 | 0 | } |
563 | | |
564 | 108k | return ssl.release(); |
565 | 108k | } |
566 | | |
567 | | SSL_CONFIG::SSL_CONFIG(SSL *ssl_arg) |
568 | 108k | : ssl(ssl_arg), |
569 | 108k | ech_grease_enabled(false), |
570 | 108k | signed_cert_timestamps_enabled(false), |
571 | 108k | ocsp_stapling_enabled(false), |
572 | 108k | channel_id_enabled(false), |
573 | 108k | enforce_rsa_key_usage(true), |
574 | 108k | retain_only_sha256_of_client_certs(false), |
575 | 108k | handoff(false), |
576 | 108k | shed_handshake_config(false), |
577 | 108k | jdk11_workaround(false), |
578 | 108k | quic_use_legacy_codepoint(false), |
579 | 108k | permute_extensions(false), |
580 | 108k | alps_use_new_codepoint(true) { |
581 | 108k | assert(ssl); |
582 | 108k | } |
583 | | |
584 | 108k | SSL_CONFIG::~SSL_CONFIG() { |
585 | 108k | if (ssl->ctx != nullptr) { |
586 | 108k | ssl->ctx->x509_method->ssl_config_free(this); |
587 | 108k | } |
588 | 108k | } |
589 | | |
590 | 108k | void SSL_free(SSL *ssl) { Delete(ssl); } |
591 | | |
592 | 23.1k | void SSL_set_connect_state(SSL *ssl) { |
593 | 23.1k | ssl->server = false; |
594 | 23.1k | ssl->do_handshake = ssl_client_handshake; |
595 | 23.1k | } |
596 | | |
597 | 53.1k | void SSL_set_accept_state(SSL *ssl) { |
598 | 53.1k | ssl->server = true; |
599 | 53.1k | ssl->do_handshake = ssl_server_handshake; |
600 | 53.1k | } |
601 | | |
602 | 27.3k | void SSL_set0_rbio(SSL *ssl, BIO *rbio) { ssl->rbio.reset(rbio); } |
603 | | |
604 | 27.3k | void SSL_set0_wbio(SSL *ssl, BIO *wbio) { ssl->wbio.reset(wbio); } |
605 | | |
606 | 0 | void SSL_set_bio(SSL *ssl, BIO *rbio, BIO *wbio) { |
607 | | // For historical reasons, this function has many different cases in ownership |
608 | | // handling. |
609 | | |
610 | | // If nothing has changed, do nothing |
611 | 0 | if (rbio == SSL_get_rbio(ssl) && wbio == SSL_get_wbio(ssl)) { |
612 | 0 | return; |
613 | 0 | } |
614 | | |
615 | | // If the two arguments are equal, one fewer reference is granted than |
616 | | // taken. |
617 | 0 | if (rbio != nullptr && rbio == wbio) { |
618 | 0 | BIO_up_ref(rbio); |
619 | 0 | } |
620 | | |
621 | | // If only the wbio is changed, adopt only one reference. |
622 | 0 | if (rbio == SSL_get_rbio(ssl)) { |
623 | 0 | SSL_set0_wbio(ssl, wbio); |
624 | 0 | return; |
625 | 0 | } |
626 | | |
627 | | // There is an asymmetry here for historical reasons. If only the rbio is |
628 | | // changed AND the rbio and wbio were originally different, then we only adopt |
629 | | // one reference. |
630 | 0 | if (wbio == SSL_get_wbio(ssl) && SSL_get_rbio(ssl) != SSL_get_wbio(ssl)) { |
631 | 0 | SSL_set0_rbio(ssl, rbio); |
632 | 0 | return; |
633 | 0 | } |
634 | | |
635 | | // Otherwise, adopt both references. |
636 | 0 | SSL_set0_rbio(ssl, rbio); |
637 | 0 | SSL_set0_wbio(ssl, wbio); |
638 | 0 | } |
639 | | |
640 | 7.61k | BIO *SSL_get_rbio(const SSL *ssl) { return ssl->rbio.get(); } |
641 | | |
642 | 10 | BIO *SSL_get_wbio(const SSL *ssl) { return ssl->wbio.get(); } |
643 | | |
644 | | size_t SSL_quic_max_handshake_flight_len(const SSL *ssl, |
645 | 0 | enum ssl_encryption_level_t level) { |
646 | | // Limits flights to 16K by default when there are no large |
647 | | // (certificate-carrying) messages. |
648 | 0 | static const size_t kDefaultLimit = 16384; |
649 | |
|
650 | 0 | switch (level) { |
651 | 0 | case ssl_encryption_initial: |
652 | 0 | return kDefaultLimit; |
653 | 0 | case ssl_encryption_early_data: |
654 | | // QUIC does not send EndOfEarlyData. |
655 | 0 | return 0; |
656 | 0 | case ssl_encryption_handshake: |
657 | 0 | if (ssl->server) { |
658 | | // Servers may receive Certificate message if configured to request |
659 | | // client certificates. |
660 | 0 | if (!!(ssl->config->verify_mode & SSL_VERIFY_PEER) && |
661 | 0 | ssl->max_cert_list > kDefaultLimit) { |
662 | 0 | return ssl->max_cert_list; |
663 | 0 | } |
664 | 0 | } else { |
665 | | // Clients may receive both Certificate message and a CertificateRequest |
666 | | // message. |
667 | 0 | if (2 * ssl->max_cert_list > kDefaultLimit) { |
668 | 0 | return 2 * ssl->max_cert_list; |
669 | 0 | } |
670 | 0 | } |
671 | 0 | return kDefaultLimit; |
672 | 0 | case ssl_encryption_application: |
673 | | // Note there is not actually a bound on the number of NewSessionTickets |
674 | | // one may send in a row. This level may need more involved flow |
675 | | // control. See https://github.com/quicwg/base-drafts/issues/1834. |
676 | 0 | return kDefaultLimit; |
677 | 0 | } |
678 | | |
679 | 0 | return 0; |
680 | 0 | } |
681 | | |
682 | 0 | enum ssl_encryption_level_t SSL_quic_read_level(const SSL *ssl) { |
683 | 0 | assert(SSL_is_quic(ssl)); |
684 | 0 | return ssl->s3->quic_read_level; |
685 | 0 | } |
686 | | |
687 | 0 | enum ssl_encryption_level_t SSL_quic_write_level(const SSL *ssl) { |
688 | 0 | assert(SSL_is_quic(ssl)); |
689 | 0 | return ssl->s3->quic_write_level; |
690 | 0 | } |
691 | | |
692 | | int SSL_provide_quic_data(SSL *ssl, enum ssl_encryption_level_t level, |
693 | 0 | const uint8_t *data, size_t len) { |
694 | 0 | if (!SSL_is_quic(ssl)) { |
695 | 0 | OPENSSL_PUT_ERROR(SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); |
696 | 0 | return 0; |
697 | 0 | } |
698 | | |
699 | 0 | if (level != ssl->s3->quic_read_level) { |
700 | 0 | OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_ENCRYPTION_LEVEL_RECEIVED); |
701 | 0 | return 0; |
702 | 0 | } |
703 | | |
704 | 0 | size_t new_len = (ssl->s3->hs_buf ? ssl->s3->hs_buf->length : 0) + len; |
705 | 0 | if (new_len < len || |
706 | 0 | new_len > SSL_quic_max_handshake_flight_len(ssl, level)) { |
707 | 0 | OPENSSL_PUT_ERROR(SSL, SSL_R_EXCESSIVE_MESSAGE_SIZE); |
708 | 0 | return 0; |
709 | 0 | } |
710 | | |
711 | 0 | return tls_append_handshake_data(ssl, Span(data, len)); |
712 | 0 | } |
713 | | |
714 | 60.0k | int SSL_do_handshake(SSL *ssl) { |
715 | 60.0k | ssl_reset_error_state(ssl); |
716 | | |
717 | 60.0k | if (ssl->do_handshake == nullptr) { |
718 | 0 | OPENSSL_PUT_ERROR(SSL, SSL_R_CONNECTION_TYPE_NOT_SET); |
719 | 0 | return -1; |
720 | 0 | } |
721 | | |
722 | 60.0k | if (!SSL_in_init(ssl)) { |
723 | 0 | return 1; |
724 | 0 | } |
725 | | |
726 | | // Run the handshake. |
727 | 60.0k | SSL_HANDSHAKE *hs = ssl->s3->hs.get(); |
728 | | |
729 | 60.0k | bool early_return = false; |
730 | 60.0k | int ret = ssl_run_handshake(hs, &early_return); |
731 | 60.0k | ssl_do_info_callback( |
732 | 60.0k | ssl, ssl->server ? SSL_CB_ACCEPT_EXIT : SSL_CB_CONNECT_EXIT, ret); |
733 | 60.0k | if (ret <= 0) { |
734 | 23.7k | return ret; |
735 | 23.7k | } |
736 | | |
737 | | // Destroy the handshake object if the handshake has completely finished. |
738 | 36.3k | if (!early_return) { |
739 | 36.2k | ssl->s3->hs.reset(); |
740 | 36.2k | ssl_maybe_shed_handshake_config(ssl); |
741 | 36.2k | } |
742 | | |
743 | 36.3k | return 1; |
744 | 60.0k | } |
745 | | |
746 | 0 | int SSL_connect(SSL *ssl) { |
747 | 0 | if (ssl->do_handshake == nullptr) { |
748 | | // Not properly initialized yet |
749 | 0 | SSL_set_connect_state(ssl); |
750 | 0 | } |
751 | |
|
752 | 0 | return SSL_do_handshake(ssl); |
753 | 0 | } |
754 | | |
755 | 0 | int SSL_accept(SSL *ssl) { |
756 | 0 | if (ssl->do_handshake == nullptr) { |
757 | | // Not properly initialized yet |
758 | 0 | SSL_set_accept_state(ssl); |
759 | 0 | } |
760 | |
|
761 | 0 | return SSL_do_handshake(ssl); |
762 | 0 | } |
763 | | |
764 | 74.0k | static int ssl_do_post_handshake(SSL *ssl, const SSLMessage &msg) { |
765 | 74.0k | if (ssl_protocol_version(ssl) >= TLS1_3_VERSION) { |
766 | 41.3k | return tls13_post_handshake(ssl, msg); |
767 | 41.3k | } |
768 | | |
769 | | // Check for renegotiation on the server before parsing to use the correct |
770 | | // error. Renegotiation is triggered by a different message for servers. |
771 | 32.6k | if (ssl->server) { |
772 | 0 | OPENSSL_PUT_ERROR(SSL, SSL_R_NO_RENEGOTIATION); |
773 | 0 | ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_NO_RENEGOTIATION); |
774 | 0 | return 0; |
775 | 0 | } |
776 | | |
777 | 32.6k | if (msg.type != SSL3_MT_HELLO_REQUEST || CBS_len(&msg.body) != 0) { |
778 | 4 | ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); |
779 | 4 | OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_HELLO_REQUEST); |
780 | 4 | return 0; |
781 | 4 | } |
782 | | |
783 | 32.6k | if (ssl->renegotiate_mode == ssl_renegotiate_ignore) { |
784 | 0 | return 1; // Ignore the HelloRequest. |
785 | 0 | } |
786 | | |
787 | 32.6k | ssl->s3->renegotiate_pending = true; |
788 | 32.6k | if (ssl->renegotiate_mode == ssl_renegotiate_explicit) { |
789 | 0 | return 1; // Handle it later. |
790 | 0 | } |
791 | | |
792 | 32.6k | if (!SSL_renegotiate(ssl)) { |
793 | 0 | ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_NO_RENEGOTIATION); |
794 | 0 | return 0; |
795 | 0 | } |
796 | | |
797 | 32.6k | return 1; |
798 | 32.6k | } |
799 | | |
800 | 0 | int SSL_process_quic_post_handshake(SSL *ssl) { |
801 | 0 | ssl_reset_error_state(ssl); |
802 | |
|
803 | 0 | if (!SSL_is_quic(ssl) || SSL_in_init(ssl)) { |
804 | 0 | OPENSSL_PUT_ERROR(SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); |
805 | 0 | return 0; |
806 | 0 | } |
807 | | |
808 | | // Replay post-handshake message errors. |
809 | 0 | if (!check_read_error(ssl)) { |
810 | 0 | return 0; |
811 | 0 | } |
812 | | |
813 | | // Process any buffered post-handshake messages. |
814 | 0 | SSLMessage msg; |
815 | 0 | while (ssl->method->get_message(ssl, &msg)) { |
816 | | // Handle the post-handshake message and try again. |
817 | 0 | if (!ssl_do_post_handshake(ssl, msg)) { |
818 | 0 | ssl_set_read_error(ssl); |
819 | 0 | return 0; |
820 | 0 | } |
821 | 0 | ssl->method->next_message(ssl); |
822 | 0 | } |
823 | | |
824 | 0 | return 1; |
825 | 0 | } |
826 | | |
827 | 38.8k | static int ssl_read_impl(SSL *ssl) { |
828 | 38.8k | ssl_reset_error_state(ssl); |
829 | | |
830 | 38.8k | if (ssl->do_handshake == nullptr) { |
831 | 0 | OPENSSL_PUT_ERROR(SSL, SSL_R_UNINITIALIZED); |
832 | 0 | return -1; |
833 | 0 | } |
834 | | |
835 | | // Replay post-handshake message errors. |
836 | 38.8k | if (!check_read_error(ssl)) { |
837 | 0 | return -1; |
838 | 0 | } |
839 | | |
840 | 424k | while (ssl->s3->pending_app_data.empty()) { |
841 | 390k | if (ssl->s3->renegotiate_pending) { |
842 | 0 | ssl->s3->rwstate = SSL_ERROR_WANT_RENEGOTIATE; |
843 | 0 | return -1; |
844 | 0 | } |
845 | | |
846 | | // If a read triggered a DTLS ACK or retransmit, resolve that before reading |
847 | | // more. |
848 | 390k | if (SSL_is_dtls(ssl)) { |
849 | 178k | int ret = ssl->method->flush(ssl); |
850 | 178k | if (ret <= 0) { |
851 | 2 | return ret; |
852 | 2 | } |
853 | 178k | } |
854 | | |
855 | | // Complete the current handshake, if any. False Start will cause |
856 | | // |SSL_do_handshake| to return mid-handshake, so this may require multiple |
857 | | // iterations. |
858 | 422k | while (!ssl_can_read(ssl)) { |
859 | 32.7k | int ret = SSL_do_handshake(ssl); |
860 | 32.7k | if (ret < 0) { |
861 | 659 | return ret; |
862 | 659 | } |
863 | 32.0k | if (ret == 0) { |
864 | 414 | OPENSSL_PUT_ERROR(SSL, SSL_R_SSL_HANDSHAKE_FAILURE); |
865 | 414 | return -1; |
866 | 414 | } |
867 | 32.0k | } |
868 | | |
869 | | // Process any buffered post-handshake messages. |
870 | 389k | SSLMessage msg; |
871 | 389k | if (ssl->method->get_message(ssl, &msg)) { |
872 | | // If we received an interrupt in early read (EndOfEarlyData), loop again |
873 | | // for the handshake to process it. |
874 | 74.0k | if (SSL_in_init(ssl)) { |
875 | 15 | ssl->s3->hs->can_early_read = false; |
876 | 15 | continue; |
877 | 15 | } |
878 | | |
879 | | // Handle the post-handshake message and try again. |
880 | 74.0k | if (!ssl_do_post_handshake(ssl, msg)) { |
881 | 94 | ssl_set_read_error(ssl); |
882 | 94 | return -1; |
883 | 94 | } |
884 | 73.9k | ssl->method->next_message(ssl); |
885 | 73.9k | continue; // Loop again. We may have begun a new handshake. |
886 | 74.0k | } |
887 | | |
888 | 315k | uint8_t alert = SSL_AD_DECODE_ERROR; |
889 | 315k | size_t consumed = 0; |
890 | 315k | auto ret = ssl_open_app_data(ssl, &ssl->s3->pending_app_data, &consumed, |
891 | 315k | &alert, ssl->s3->read_buffer.span()); |
892 | 315k | bool retry; |
893 | 315k | int bio_ret = ssl_handle_open_record(ssl, &retry, ret, consumed, alert); |
894 | 315k | if (bio_ret <= 0) { |
895 | 3.51k | return bio_ret; |
896 | 3.51k | } |
897 | 311k | if (!retry) { |
898 | 33.7k | assert(!ssl->s3->pending_app_data.empty()); |
899 | 33.7k | ssl->s3->key_update_count = 0; |
900 | 33.7k | } |
901 | 311k | } |
902 | | |
903 | 34.1k | return 1; |
904 | 38.8k | } |
905 | | |
906 | 38.8k | int SSL_read(SSL *ssl, void *buf, int num) { |
907 | 38.8k | int ret = SSL_peek(ssl, buf, num); |
908 | 38.8k | if (ret <= 0) { |
909 | 4.67k | return ret; |
910 | 4.67k | } |
911 | | // TODO(davidben): In DTLS, should the rest of the record be discarded? DTLS |
912 | | // is not a stream. See https://crbug.com/boringssl/65. |
913 | 34.1k | ssl->s3->pending_app_data = |
914 | 34.1k | ssl->s3->pending_app_data.subspan(static_cast<size_t>(ret)); |
915 | 34.1k | if (ssl->s3->pending_app_data.empty()) { |
916 | 33.7k | ssl->s3->read_buffer.DiscardConsumed(); |
917 | 33.7k | } |
918 | 34.1k | return ret; |
919 | 38.8k | } |
920 | | |
921 | 38.8k | int SSL_peek(SSL *ssl, void *buf, int num) { |
922 | 38.8k | if (SSL_is_quic(ssl)) { |
923 | 0 | OPENSSL_PUT_ERROR(SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); |
924 | 0 | return -1; |
925 | 0 | } |
926 | | |
927 | 38.8k | int ret = ssl_read_impl(ssl); |
928 | 38.8k | if (ret <= 0) { |
929 | 4.67k | return ret; |
930 | 4.67k | } |
931 | 34.1k | if (num <= 0) { |
932 | 0 | return num; |
933 | 0 | } |
934 | 34.1k | size_t todo = |
935 | 34.1k | std::min(ssl->s3->pending_app_data.size(), static_cast<size_t>(num)); |
936 | 34.1k | OPENSSL_memcpy(buf, ssl->s3->pending_app_data.data(), todo); |
937 | 34.1k | return static_cast<int>(todo); |
938 | 34.1k | } |
939 | | |
940 | 0 | int SSL_write(SSL *ssl, const void *buf, int num) { |
941 | 0 | ssl_reset_error_state(ssl); |
942 | |
|
943 | 0 | if (SSL_is_quic(ssl)) { |
944 | 0 | OPENSSL_PUT_ERROR(SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); |
945 | 0 | return -1; |
946 | 0 | } |
947 | | |
948 | 0 | if (ssl->do_handshake == nullptr) { |
949 | 0 | OPENSSL_PUT_ERROR(SSL, SSL_R_UNINITIALIZED); |
950 | 0 | return -1; |
951 | 0 | } |
952 | | |
953 | 0 | int ret = 0; |
954 | 0 | size_t bytes_written = 0; |
955 | 0 | bool needs_handshake = false; |
956 | 0 | do { |
957 | | // If necessary, complete the handshake implicitly. |
958 | 0 | if (!ssl_can_write(ssl)) { |
959 | 0 | ret = SSL_do_handshake(ssl); |
960 | 0 | if (ret < 0) { |
961 | 0 | return ret; |
962 | 0 | } |
963 | 0 | if (ret == 0) { |
964 | 0 | OPENSSL_PUT_ERROR(SSL, SSL_R_SSL_HANDSHAKE_FAILURE); |
965 | 0 | return -1; |
966 | 0 | } |
967 | 0 | } |
968 | | |
969 | 0 | if (num < 0) { |
970 | 0 | OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_LENGTH); |
971 | 0 | return -1; |
972 | 0 | } |
973 | 0 | ret = ssl->method->write_app_data( |
974 | 0 | ssl, &needs_handshake, &bytes_written, |
975 | 0 | Span(static_cast<const uint8_t *>(buf), static_cast<size_t>(num))); |
976 | 0 | } while (needs_handshake); |
977 | 0 | return ret <= 0 ? ret : static_cast<int>(bytes_written); |
978 | 0 | } |
979 | | |
980 | 0 | int SSL_key_update(SSL *ssl, int request_type) { |
981 | 0 | ssl_reset_error_state(ssl); |
982 | |
|
983 | 0 | if (ssl->do_handshake == nullptr) { |
984 | 0 | OPENSSL_PUT_ERROR(SSL, SSL_R_UNINITIALIZED); |
985 | 0 | return 0; |
986 | 0 | } |
987 | | |
988 | 0 | if (SSL_is_quic(ssl)) { |
989 | 0 | OPENSSL_PUT_ERROR(SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); |
990 | 0 | return 0; |
991 | 0 | } |
992 | | |
993 | 0 | if (!ssl->s3->initial_handshake_complete) { |
994 | 0 | OPENSSL_PUT_ERROR(SSL, SSL_R_HANDSHAKE_NOT_COMPLETE); |
995 | 0 | return 0; |
996 | 0 | } |
997 | | |
998 | 0 | if (ssl_protocol_version(ssl) < TLS1_3_VERSION) { |
999 | 0 | OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_SSL_VERSION); |
1000 | 0 | return 0; |
1001 | 0 | } |
1002 | | |
1003 | 0 | return tls13_add_key_update(ssl, request_type); |
1004 | 0 | } |
1005 | | |
1006 | 0 | int SSL_shutdown(SSL *ssl) { |
1007 | 0 | ssl_reset_error_state(ssl); |
1008 | |
|
1009 | 0 | if (ssl->do_handshake == nullptr) { |
1010 | 0 | OPENSSL_PUT_ERROR(SSL, SSL_R_UNINITIALIZED); |
1011 | 0 | return -1; |
1012 | 0 | } |
1013 | | |
1014 | | // If we are in the middle of a handshake, silently succeed. Consumers often |
1015 | | // call this function before |SSL_free|, whether the handshake succeeded or |
1016 | | // not. We assume the caller has already handled failed handshakes. |
1017 | 0 | if (SSL_in_init(ssl)) { |
1018 | 0 | return 1; |
1019 | 0 | } |
1020 | | |
1021 | 0 | if (ssl->quiet_shutdown) { |
1022 | | // Do nothing if configured not to send a close_notify. |
1023 | 0 | ssl->s3->write_shutdown = ssl_shutdown_close_notify; |
1024 | 0 | ssl->s3->read_shutdown = ssl_shutdown_close_notify; |
1025 | 0 | return 1; |
1026 | 0 | } |
1027 | | |
1028 | | // This function completes in two stages. It sends a close_notify and then it |
1029 | | // waits for a close_notify to come in. Perform exactly one action and return |
1030 | | // whether or not it succeeds. |
1031 | | |
1032 | 0 | if (ssl->s3->write_shutdown != ssl_shutdown_close_notify) { |
1033 | | // Send a close_notify. |
1034 | 0 | if (ssl_send_alert_impl(ssl, SSL3_AL_WARNING, SSL_AD_CLOSE_NOTIFY) <= 0) { |
1035 | 0 | return -1; |
1036 | 0 | } |
1037 | 0 | } else if (ssl->s3->alert_dispatch) { |
1038 | | // Finish sending the close_notify. |
1039 | 0 | if (ssl->method->dispatch_alert(ssl) <= 0) { |
1040 | 0 | return -1; |
1041 | 0 | } |
1042 | 0 | } else if (ssl->s3->read_shutdown != ssl_shutdown_close_notify) { |
1043 | 0 | if (SSL_is_dtls(ssl)) { |
1044 | | // Bidirectional shutdown doesn't make sense for an unordered |
1045 | | // transport. DTLS alerts also aren't delivered reliably, so we may even |
1046 | | // time out because the peer never received our close_notify. Report to |
1047 | | // the caller that the channel has fully shut down. |
1048 | 0 | if (ssl->s3->read_shutdown == ssl_shutdown_error) { |
1049 | 0 | ERR_restore_state(ssl->s3->read_error.get()); |
1050 | 0 | return -1; |
1051 | 0 | } |
1052 | 0 | ssl->s3->read_shutdown = ssl_shutdown_close_notify; |
1053 | 0 | } else { |
1054 | | // Process records until an error, close_notify, or application data. |
1055 | 0 | if (ssl_read_impl(ssl) > 0) { |
1056 | | // We received some unexpected application data. |
1057 | 0 | OPENSSL_PUT_ERROR(SSL, SSL_R_APPLICATION_DATA_ON_SHUTDOWN); |
1058 | 0 | return -1; |
1059 | 0 | } |
1060 | 0 | if (ssl->s3->read_shutdown != ssl_shutdown_close_notify) { |
1061 | 0 | return -1; |
1062 | 0 | } |
1063 | 0 | } |
1064 | 0 | } |
1065 | | |
1066 | | // Return 0 for unidirectional shutdown and 1 for bidirectional shutdown. |
1067 | 0 | return ssl->s3->read_shutdown == ssl_shutdown_close_notify; |
1068 | 0 | } |
1069 | | |
1070 | 0 | int SSL_send_fatal_alert(SSL *ssl, uint8_t alert) { |
1071 | 0 | if (ssl->s3->alert_dispatch) { |
1072 | 0 | if (ssl->s3->send_alert[0] != SSL3_AL_FATAL || |
1073 | 0 | ssl->s3->send_alert[1] != alert) { |
1074 | | // We are already attempting to write a different alert. |
1075 | 0 | OPENSSL_PUT_ERROR(SSL, SSL_R_PROTOCOL_IS_SHUTDOWN); |
1076 | 0 | return -1; |
1077 | 0 | } |
1078 | 0 | return ssl->method->dispatch_alert(ssl); |
1079 | 0 | } |
1080 | | |
1081 | 0 | return ssl_send_alert_impl(ssl, SSL3_AL_FATAL, alert); |
1082 | 0 | } |
1083 | | |
1084 | | int SSL_set_quic_transport_params(SSL *ssl, const uint8_t *params, |
1085 | 0 | size_t params_len) { |
1086 | 0 | return ssl->config && |
1087 | 0 | ssl->config->quic_transport_params.CopyFrom(Span(params, params_len)); |
1088 | 0 | } |
1089 | | |
1090 | | void SSL_get_peer_quic_transport_params(const SSL *ssl, |
1091 | | const uint8_t **out_params, |
1092 | 0 | size_t *out_params_len) { |
1093 | 0 | *out_params = ssl->s3->peer_quic_transport_params.data(); |
1094 | 0 | *out_params_len = ssl->s3->peer_quic_transport_params.size(); |
1095 | 0 | } |
1096 | | |
1097 | | int SSL_set_quic_early_data_context(SSL *ssl, const uint8_t *context, |
1098 | 0 | size_t context_len) { |
1099 | 0 | return ssl->config && ssl->config->quic_early_data_context.CopyFrom( |
1100 | 0 | Span(context, context_len)); |
1101 | 0 | } |
1102 | | |
1103 | 12 | void SSL_CTX_set_early_data_enabled(SSL_CTX *ctx, int enabled) { |
1104 | 12 | ctx->enable_early_data = !!enabled; |
1105 | 12 | } |
1106 | | |
1107 | 0 | void SSL_set_early_data_enabled(SSL *ssl, int enabled) { |
1108 | 0 | ssl->enable_early_data = !!enabled; |
1109 | 0 | } |
1110 | | |
1111 | 11.2k | int SSL_in_early_data(const SSL *ssl) { |
1112 | 11.2k | if (ssl->s3->hs == nullptr) { |
1113 | 10.9k | return 0; |
1114 | 10.9k | } |
1115 | 295 | return ssl->s3->hs->in_early_data; |
1116 | 11.2k | } |
1117 | | |
1118 | 0 | int SSL_early_data_accepted(const SSL *ssl) { |
1119 | 0 | return ssl->s3->early_data_accepted; |
1120 | 0 | } |
1121 | | |
1122 | 0 | void SSL_reset_early_data_reject(SSL *ssl) { |
1123 | 0 | SSL_HANDSHAKE *hs = ssl->s3->hs.get(); |
1124 | 0 | if (hs == nullptr || // |
1125 | 0 | hs->wait != ssl_hs_early_data_rejected) { |
1126 | 0 | abort(); |
1127 | 0 | } |
1128 | | |
1129 | 0 | hs->wait = ssl_hs_ok; |
1130 | 0 | hs->in_early_data = false; |
1131 | 0 | hs->early_session.reset(); |
1132 | | |
1133 | | // Discard any unfinished writes from the perspective of |SSL_write|'s |
1134 | | // retry. The handshake will transparently flush out the pending record |
1135 | | // (discarded by the server) to keep the framing correct. |
1136 | 0 | ssl->s3->pending_write = {}; |
1137 | 0 | } |
1138 | | |
1139 | 0 | enum ssl_early_data_reason_t SSL_get_early_data_reason(const SSL *ssl) { |
1140 | 0 | return ssl->s3->early_data_reason; |
1141 | 0 | } |
1142 | | |
1143 | 0 | const char *SSL_early_data_reason_string(enum ssl_early_data_reason_t reason) { |
1144 | 0 | switch (reason) { |
1145 | 0 | case ssl_early_data_unknown: |
1146 | 0 | return "unknown"; |
1147 | 0 | case ssl_early_data_disabled: |
1148 | 0 | return "disabled"; |
1149 | 0 | case ssl_early_data_accepted: |
1150 | 0 | return "accepted"; |
1151 | 0 | case ssl_early_data_protocol_version: |
1152 | 0 | return "protocol_version"; |
1153 | 0 | case ssl_early_data_peer_declined: |
1154 | 0 | return "peer_declined"; |
1155 | 0 | case ssl_early_data_no_session_offered: |
1156 | 0 | return "no_session_offered"; |
1157 | 0 | case ssl_early_data_session_not_resumed: |
1158 | 0 | return "session_not_resumed"; |
1159 | 0 | case ssl_early_data_unsupported_for_session: |
1160 | 0 | return "unsupported_for_session"; |
1161 | 0 | case ssl_early_data_hello_retry_request: |
1162 | 0 | return "hello_retry_request"; |
1163 | 0 | case ssl_early_data_alpn_mismatch: |
1164 | 0 | return "alpn_mismatch"; |
1165 | 0 | case ssl_early_data_channel_id: |
1166 | 0 | return "channel_id"; |
1167 | 0 | case ssl_early_data_ticket_age_skew: |
1168 | 0 | return "ticket_age_skew"; |
1169 | 0 | case ssl_early_data_quic_parameter_mismatch: |
1170 | 0 | return "quic_parameter_mismatch"; |
1171 | 0 | case ssl_early_data_alps_mismatch: |
1172 | 0 | return "alps_mismatch"; |
1173 | 0 | } |
1174 | | |
1175 | 0 | return nullptr; |
1176 | 0 | } |
1177 | | |
1178 | 0 | static int bio_retry_reason_to_error(int reason) { |
1179 | 0 | switch (reason) { |
1180 | 0 | case BIO_RR_CONNECT: |
1181 | 0 | return SSL_ERROR_WANT_CONNECT; |
1182 | 0 | case BIO_RR_ACCEPT: |
1183 | 0 | return SSL_ERROR_WANT_ACCEPT; |
1184 | 0 | default: |
1185 | 0 | return SSL_ERROR_SYSCALL; |
1186 | 0 | } |
1187 | 0 | } |
1188 | | |
1189 | 34.2k | int SSL_get_error(const SSL *ssl, int ret_code) { |
1190 | 34.2k | if (ret_code > 0) { |
1191 | 0 | return SSL_ERROR_NONE; |
1192 | 0 | } |
1193 | | |
1194 | | // Make things return SSL_ERROR_SYSCALL when doing SSL_do_handshake etc, |
1195 | | // where we do encode the error |
1196 | 34.2k | uint32_t err = ERR_peek_error(); |
1197 | 34.2k | if (err != 0) { |
1198 | 26.5k | if (ERR_GET_LIB(err) == ERR_LIB_SYS) { |
1199 | 0 | return SSL_ERROR_SYSCALL; |
1200 | 0 | } |
1201 | 26.5k | return SSL_ERROR_SSL; |
1202 | 26.5k | } |
1203 | | |
1204 | 7.74k | if (ret_code == 0) { |
1205 | 0 | if (ssl->s3->rwstate == SSL_ERROR_ZERO_RETURN) { |
1206 | 0 | return SSL_ERROR_ZERO_RETURN; |
1207 | 0 | } |
1208 | | // An EOF was observed which violates the protocol, and the underlying |
1209 | | // transport does not participate in the error queue. Bubble up to the |
1210 | | // caller. |
1211 | 0 | return SSL_ERROR_SYSCALL; |
1212 | 0 | } |
1213 | | |
1214 | 7.74k | switch (ssl->s3->rwstate) { |
1215 | 0 | case SSL_ERROR_PENDING_SESSION: |
1216 | 0 | case SSL_ERROR_PENDING_CERTIFICATE: |
1217 | 10 | case SSL_ERROR_HANDOFF: |
1218 | 10 | case SSL_ERROR_HANDBACK: |
1219 | 10 | case SSL_ERROR_WANT_X509_LOOKUP: |
1220 | 10 | case SSL_ERROR_WANT_PRIVATE_KEY_OPERATION: |
1221 | 10 | case SSL_ERROR_PENDING_TICKET: |
1222 | 10 | case SSL_ERROR_EARLY_DATA_REJECTED: |
1223 | 10 | case SSL_ERROR_WANT_CERTIFICATE_VERIFY: |
1224 | 10 | case SSL_ERROR_WANT_RENEGOTIATE: |
1225 | 10 | case SSL_ERROR_HANDSHAKE_HINTS_READY: |
1226 | 10 | return ssl->s3->rwstate; |
1227 | | |
1228 | 7.60k | case SSL_ERROR_WANT_READ: { |
1229 | 7.60k | if (SSL_is_quic(ssl)) { |
1230 | 0 | return SSL_ERROR_WANT_READ; |
1231 | 0 | } |
1232 | 7.60k | BIO *bio = SSL_get_rbio(ssl); |
1233 | 7.60k | if (BIO_should_read(bio)) { |
1234 | 0 | return SSL_ERROR_WANT_READ; |
1235 | 0 | } |
1236 | | |
1237 | 7.60k | if (BIO_should_write(bio)) { |
1238 | | // TODO(davidben): OpenSSL historically checked for writes on the read |
1239 | | // BIO. Can this be removed? |
1240 | 0 | return SSL_ERROR_WANT_WRITE; |
1241 | 0 | } |
1242 | | |
1243 | 7.60k | if (BIO_should_io_special(bio)) { |
1244 | 0 | return bio_retry_reason_to_error(BIO_get_retry_reason(bio)); |
1245 | 0 | } |
1246 | | |
1247 | 7.60k | break; |
1248 | 7.60k | } |
1249 | | |
1250 | 7.60k | case SSL_ERROR_WANT_WRITE: { |
1251 | 0 | BIO *bio = SSL_get_wbio(ssl); |
1252 | 0 | if (BIO_should_write(bio)) { |
1253 | 0 | return SSL_ERROR_WANT_WRITE; |
1254 | 0 | } |
1255 | | |
1256 | 0 | if (BIO_should_read(bio)) { |
1257 | | // TODO(davidben): OpenSSL historically checked for reads on the write |
1258 | | // BIO. Can this be removed? |
1259 | 0 | return SSL_ERROR_WANT_READ; |
1260 | 0 | } |
1261 | | |
1262 | 0 | if (BIO_should_io_special(bio)) { |
1263 | 0 | return bio_retry_reason_to_error(BIO_get_retry_reason(bio)); |
1264 | 0 | } |
1265 | | |
1266 | 0 | break; |
1267 | 0 | } |
1268 | 7.74k | } |
1269 | | |
1270 | 7.73k | return SSL_ERROR_SYSCALL; |
1271 | 7.74k | } |
1272 | | |
1273 | 0 | const char *SSL_error_description(int err) { |
1274 | 0 | switch (err) { |
1275 | 0 | case SSL_ERROR_NONE: |
1276 | 0 | return "NONE"; |
1277 | 0 | case SSL_ERROR_SSL: |
1278 | 0 | return "SSL"; |
1279 | 0 | case SSL_ERROR_WANT_READ: |
1280 | 0 | return "WANT_READ"; |
1281 | 0 | case SSL_ERROR_WANT_WRITE: |
1282 | 0 | return "WANT_WRITE"; |
1283 | 0 | case SSL_ERROR_WANT_X509_LOOKUP: |
1284 | 0 | return "WANT_X509_LOOKUP"; |
1285 | 0 | case SSL_ERROR_SYSCALL: |
1286 | 0 | return "SYSCALL"; |
1287 | 0 | case SSL_ERROR_ZERO_RETURN: |
1288 | 0 | return "ZERO_RETURN"; |
1289 | 0 | case SSL_ERROR_WANT_CONNECT: |
1290 | 0 | return "WANT_CONNECT"; |
1291 | 0 | case SSL_ERROR_WANT_ACCEPT: |
1292 | 0 | return "WANT_ACCEPT"; |
1293 | 0 | case SSL_ERROR_PENDING_SESSION: |
1294 | 0 | return "PENDING_SESSION"; |
1295 | 0 | case SSL_ERROR_PENDING_CERTIFICATE: |
1296 | 0 | return "PENDING_CERTIFICATE"; |
1297 | 0 | case SSL_ERROR_WANT_PRIVATE_KEY_OPERATION: |
1298 | 0 | return "WANT_PRIVATE_KEY_OPERATION"; |
1299 | 0 | case SSL_ERROR_PENDING_TICKET: |
1300 | 0 | return "PENDING_TICKET"; |
1301 | 0 | case SSL_ERROR_EARLY_DATA_REJECTED: |
1302 | 0 | return "EARLY_DATA_REJECTED"; |
1303 | 0 | case SSL_ERROR_WANT_CERTIFICATE_VERIFY: |
1304 | 0 | return "WANT_CERTIFICATE_VERIFY"; |
1305 | 0 | case SSL_ERROR_HANDOFF: |
1306 | 0 | return "HANDOFF"; |
1307 | 0 | case SSL_ERROR_HANDBACK: |
1308 | 0 | return "HANDBACK"; |
1309 | 0 | case SSL_ERROR_WANT_RENEGOTIATE: |
1310 | 0 | return "WANT_RENEGOTIATE"; |
1311 | 0 | case SSL_ERROR_HANDSHAKE_HINTS_READY: |
1312 | 0 | return "HANDSHAKE_HINTS_READY"; |
1313 | 0 | default: |
1314 | 0 | return nullptr; |
1315 | 0 | } |
1316 | 0 | } |
1317 | | |
1318 | 4.28k | uint32_t SSL_CTX_set_options(SSL_CTX *ctx, uint32_t options) { |
1319 | 4.28k | ctx->options |= options; |
1320 | 4.28k | return ctx->options; |
1321 | 4.28k | } |
1322 | | |
1323 | 2.34k | uint32_t SSL_CTX_clear_options(SSL_CTX *ctx, uint32_t options) { |
1324 | 2.34k | ctx->options &= ~options; |
1325 | 2.34k | return ctx->options; |
1326 | 2.34k | } |
1327 | | |
1328 | 4.91k | uint32_t SSL_CTX_get_options(const SSL_CTX *ctx) { return ctx->options; } |
1329 | | |
1330 | 0 | uint32_t SSL_set_options(SSL *ssl, uint32_t options) { |
1331 | 0 | ssl->options |= options; |
1332 | 0 | return ssl->options; |
1333 | 0 | } |
1334 | | |
1335 | 0 | uint32_t SSL_clear_options(SSL *ssl, uint32_t options) { |
1336 | 0 | ssl->options &= ~options; |
1337 | 0 | return ssl->options; |
1338 | 0 | } |
1339 | | |
1340 | 104k | uint32_t SSL_get_options(const SSL *ssl) { return ssl->options; } |
1341 | | |
1342 | 6.85k | uint32_t SSL_CTX_set_mode(SSL_CTX *ctx, uint32_t mode) { |
1343 | 6.85k | ctx->mode |= mode; |
1344 | 6.85k | return ctx->mode; |
1345 | 6.85k | } |
1346 | | |
1347 | 13.0k | uint32_t SSL_CTX_clear_mode(SSL_CTX *ctx, uint32_t mode) { |
1348 | 13.0k | ctx->mode &= ~mode; |
1349 | 13.0k | return ctx->mode; |
1350 | 13.0k | } |
1351 | | |
1352 | 3.49k | uint32_t SSL_CTX_get_mode(const SSL_CTX *ctx) { return ctx->mode; } |
1353 | | |
1354 | 0 | uint32_t SSL_set_mode(SSL *ssl, uint32_t mode) { |
1355 | 0 | ssl->mode |= mode; |
1356 | 0 | return ssl->mode; |
1357 | 0 | } |
1358 | | |
1359 | 0 | uint32_t SSL_clear_mode(SSL *ssl, uint32_t mode) { |
1360 | 0 | ssl->mode &= ~mode; |
1361 | 0 | return ssl->mode; |
1362 | 0 | } |
1363 | | |
1364 | 34.4k | uint32_t SSL_get_mode(const SSL *ssl) { return ssl->mode; } |
1365 | | |
1366 | 0 | void SSL_CTX_set0_buffer_pool(SSL_CTX *ctx, CRYPTO_BUFFER_POOL *pool) { |
1367 | 0 | ctx->pool = pool; |
1368 | 0 | } |
1369 | | |
1370 | | int SSL_get_tls_unique(const SSL *ssl, uint8_t *out, size_t *out_len, |
1371 | 0 | size_t max_out) { |
1372 | 0 | *out_len = 0; |
1373 | 0 | OPENSSL_memset(out, 0, max_out); |
1374 | | |
1375 | | // tls-unique is not defined for TLS 1.3. |
1376 | 0 | if (!ssl->s3->initial_handshake_complete || |
1377 | 0 | ssl_protocol_version(ssl) >= TLS1_3_VERSION) { |
1378 | 0 | return 0; |
1379 | 0 | } |
1380 | | |
1381 | | // The tls-unique value is the first Finished message in the handshake, which |
1382 | | // is the client's in a full handshake and the server's for a resumption. See |
1383 | | // https://tools.ietf.org/html/rfc5929#section-3.1. |
1384 | 0 | Span<const uint8_t> finished = ssl->s3->previous_client_finished; |
1385 | 0 | if (ssl->session != nullptr) { |
1386 | | // tls-unique is broken for resumed sessions unless EMS is used. |
1387 | 0 | if (!ssl->session->extended_master_secret) { |
1388 | 0 | return 0; |
1389 | 0 | } |
1390 | 0 | finished = ssl->s3->previous_server_finished; |
1391 | 0 | } |
1392 | | |
1393 | 0 | *out_len = finished.size(); |
1394 | 0 | if (finished.size() > max_out) { |
1395 | 0 | *out_len = max_out; |
1396 | 0 | } |
1397 | |
|
1398 | 0 | OPENSSL_memcpy(out, finished.data(), *out_len); |
1399 | 0 | return 1; |
1400 | 0 | } |
1401 | | |
1402 | | static int set_session_id_context(CERT *cert, const uint8_t *sid_ctx, |
1403 | 1.88k | size_t sid_ctx_len) { |
1404 | 1.88k | if (!cert->sid_ctx.TryCopyFrom(Span(sid_ctx, sid_ctx_len))) { |
1405 | 1.01k | OPENSSL_PUT_ERROR(SSL, SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG); |
1406 | 1.01k | return 0; |
1407 | 1.01k | } |
1408 | | |
1409 | 867 | return 1; |
1410 | 1.88k | } |
1411 | | |
1412 | | int SSL_CTX_set_session_id_context(SSL_CTX *ctx, const uint8_t *sid_ctx, |
1413 | 1.88k | size_t sid_ctx_len) { |
1414 | 1.88k | return set_session_id_context(ctx->cert.get(), sid_ctx, sid_ctx_len); |
1415 | 1.88k | } |
1416 | | |
1417 | | int SSL_set_session_id_context(SSL *ssl, const uint8_t *sid_ctx, |
1418 | 0 | size_t sid_ctx_len) { |
1419 | 0 | if (!ssl->config) { |
1420 | 0 | return 0; |
1421 | 0 | } |
1422 | 0 | return set_session_id_context(ssl->config->cert.get(), sid_ctx, sid_ctx_len); |
1423 | 0 | } |
1424 | | |
1425 | 0 | const uint8_t *SSL_get0_session_id_context(const SSL *ssl, size_t *out_len) { |
1426 | 0 | if (!ssl->config) { |
1427 | 0 | assert(ssl->config); |
1428 | 0 | *out_len = 0; |
1429 | 0 | return nullptr; |
1430 | 0 | } |
1431 | 0 | *out_len = ssl->config->cert->sid_ctx.size(); |
1432 | 0 | return ssl->config->cert->sid_ctx.data(); |
1433 | 0 | } |
1434 | | |
1435 | 0 | int SSL_get_fd(const SSL *ssl) { return SSL_get_rfd(ssl); } |
1436 | | |
1437 | 0 | int SSL_get_rfd(const SSL *ssl) { |
1438 | 0 | int ret = -1; |
1439 | 0 | BIO *b = BIO_find_type(SSL_get_rbio(ssl), BIO_TYPE_DESCRIPTOR); |
1440 | 0 | if (b != nullptr) { |
1441 | 0 | BIO_get_fd(b, &ret); |
1442 | 0 | } |
1443 | 0 | return ret; |
1444 | 0 | } |
1445 | | |
1446 | 0 | int SSL_get_wfd(const SSL *ssl) { |
1447 | 0 | int ret = -1; |
1448 | 0 | BIO *b = BIO_find_type(SSL_get_wbio(ssl), BIO_TYPE_DESCRIPTOR); |
1449 | 0 | if (b != nullptr) { |
1450 | 0 | BIO_get_fd(b, &ret); |
1451 | 0 | } |
1452 | 0 | return ret; |
1453 | 0 | } |
1454 | | |
1455 | | #if !defined(OPENSSL_NO_SOCK) |
1456 | 0 | int SSL_set_fd(SSL *ssl, int fd) { |
1457 | 0 | BIO *bio = BIO_new(BIO_s_socket()); |
1458 | 0 | if (bio == nullptr) { |
1459 | 0 | OPENSSL_PUT_ERROR(SSL, ERR_R_BUF_LIB); |
1460 | 0 | return 0; |
1461 | 0 | } |
1462 | 0 | BIO_set_fd(bio, fd, BIO_NOCLOSE); |
1463 | 0 | SSL_set_bio(ssl, bio, bio); |
1464 | 0 | return 1; |
1465 | 0 | } |
1466 | | |
1467 | 0 | int SSL_set_wfd(SSL *ssl, int fd) { |
1468 | 0 | BIO *rbio = SSL_get_rbio(ssl); |
1469 | 0 | if (rbio == nullptr || BIO_method_type(rbio) != BIO_TYPE_SOCKET || |
1470 | 0 | BIO_get_fd(rbio, nullptr) != fd) { |
1471 | 0 | BIO *bio = BIO_new(BIO_s_socket()); |
1472 | 0 | if (bio == nullptr) { |
1473 | 0 | OPENSSL_PUT_ERROR(SSL, ERR_R_BUF_LIB); |
1474 | 0 | return 0; |
1475 | 0 | } |
1476 | 0 | BIO_set_fd(bio, fd, BIO_NOCLOSE); |
1477 | 0 | SSL_set0_wbio(ssl, bio); |
1478 | 0 | } else { |
1479 | | // Copy the rbio over to the wbio. |
1480 | 0 | BIO_up_ref(rbio); |
1481 | 0 | SSL_set0_wbio(ssl, rbio); |
1482 | 0 | } |
1483 | | |
1484 | 0 | return 1; |
1485 | 0 | } |
1486 | | |
1487 | 0 | int SSL_set_rfd(SSL *ssl, int fd) { |
1488 | 0 | BIO *wbio = SSL_get_wbio(ssl); |
1489 | 0 | if (wbio == nullptr || BIO_method_type(wbio) != BIO_TYPE_SOCKET || |
1490 | 0 | BIO_get_fd(wbio, nullptr) != fd) { |
1491 | 0 | BIO *bio = BIO_new(BIO_s_socket()); |
1492 | 0 | if (bio == nullptr) { |
1493 | 0 | OPENSSL_PUT_ERROR(SSL, ERR_R_BUF_LIB); |
1494 | 0 | return 0; |
1495 | 0 | } |
1496 | 0 | BIO_set_fd(bio, fd, BIO_NOCLOSE); |
1497 | 0 | SSL_set0_rbio(ssl, bio); |
1498 | 0 | } else { |
1499 | | // Copy the wbio over to the rbio. |
1500 | 0 | BIO_up_ref(wbio); |
1501 | 0 | SSL_set0_rbio(ssl, wbio); |
1502 | 0 | } |
1503 | 0 | return 1; |
1504 | 0 | } |
1505 | | #endif // !OPENSSL_NO_SOCK |
1506 | | |
1507 | 0 | static size_t copy_finished(void *out, size_t out_len, Span<const uint8_t> in) { |
1508 | 0 | if (out_len > in.size()) { |
1509 | 0 | out_len = in.size(); |
1510 | 0 | } |
1511 | 0 | OPENSSL_memcpy(out, in.data(), out_len); |
1512 | 0 | return in.size(); |
1513 | 0 | } |
1514 | | |
1515 | 0 | size_t SSL_get_finished(const SSL *ssl, void *buf, size_t count) { |
1516 | 0 | if (!ssl->s3->initial_handshake_complete || |
1517 | 0 | ssl_protocol_version(ssl) >= TLS1_3_VERSION) { |
1518 | 0 | return 0; |
1519 | 0 | } |
1520 | | |
1521 | 0 | if (ssl->server) { |
1522 | 0 | return copy_finished(buf, count, ssl->s3->previous_server_finished); |
1523 | 0 | } |
1524 | | |
1525 | 0 | return copy_finished(buf, count, ssl->s3->previous_client_finished); |
1526 | 0 | } |
1527 | | |
1528 | 0 | size_t SSL_get_peer_finished(const SSL *ssl, void *buf, size_t count) { |
1529 | 0 | if (!ssl->s3->initial_handshake_complete || |
1530 | 0 | ssl_protocol_version(ssl) >= TLS1_3_VERSION) { |
1531 | 0 | return 0; |
1532 | 0 | } |
1533 | | |
1534 | 0 | if (ssl->server) { |
1535 | 0 | return copy_finished(buf, count, ssl->s3->previous_client_finished); |
1536 | 0 | } |
1537 | | |
1538 | 0 | return copy_finished(buf, count, ssl->s3->previous_server_finished); |
1539 | 0 | } |
1540 | | |
1541 | 0 | int SSL_get_verify_mode(const SSL *ssl) { |
1542 | 0 | if (!ssl->config) { |
1543 | 0 | assert(ssl->config); |
1544 | 0 | return -1; |
1545 | 0 | } |
1546 | 0 | return ssl->config->verify_mode; |
1547 | 0 | } |
1548 | | |
1549 | 0 | int SSL_get_extms_support(const SSL *ssl) { |
1550 | | // TLS 1.3 does not require extended master secret and always reports as |
1551 | | // supporting it. |
1552 | 0 | if (ssl->s3->version == 0) { |
1553 | 0 | return 0; |
1554 | 0 | } |
1555 | 0 | if (ssl_protocol_version(ssl) >= TLS1_3_VERSION) { |
1556 | 0 | return 1; |
1557 | 0 | } |
1558 | | |
1559 | | // If the initial handshake completed, query the established session. |
1560 | 0 | if (ssl->s3->established_session != nullptr) { |
1561 | 0 | return ssl->s3->established_session->extended_master_secret; |
1562 | 0 | } |
1563 | | |
1564 | | // Otherwise, query the in-progress handshake. |
1565 | 0 | if (ssl->s3->hs != nullptr) { |
1566 | 0 | return ssl->s3->hs->extended_master_secret; |
1567 | 0 | } |
1568 | 0 | assert(0); |
1569 | 0 | return 0; |
1570 | 0 | } |
1571 | | |
1572 | 0 | int SSL_CTX_get_read_ahead(const SSL_CTX *ctx) { return 0; } |
1573 | | |
1574 | 0 | int SSL_get_read_ahead(const SSL *ssl) { return 0; } |
1575 | | |
1576 | 0 | int SSL_CTX_set_read_ahead(SSL_CTX *ctx, int yes) { return 1; } |
1577 | | |
1578 | 0 | int SSL_set_read_ahead(SSL *ssl, int yes) { return 1; } |
1579 | | |
1580 | 0 | int SSL_pending(const SSL *ssl) { |
1581 | 0 | return static_cast<int>(ssl->s3->pending_app_data.size()); |
1582 | 0 | } |
1583 | | |
1584 | 0 | int SSL_has_pending(const SSL *ssl) { |
1585 | 0 | return SSL_pending(ssl) != 0 || !ssl->s3->read_buffer.empty(); |
1586 | 0 | } |
1587 | | |
1588 | 6.11k | static bool has_cert_and_key(const SSL_CREDENTIAL *cred) { |
1589 | | // TODO(davidben): If |cred->key_method| is set, that should be fine too. |
1590 | 6.11k | if (cred->privkey == nullptr) { |
1591 | 1.44k | OPENSSL_PUT_ERROR(SSL, SSL_R_NO_PRIVATE_KEY_ASSIGNED); |
1592 | 1.44k | return false; |
1593 | 1.44k | } |
1594 | | |
1595 | 4.67k | if (cred->chain == nullptr || |
1596 | 4.47k | sk_CRYPTO_BUFFER_value(cred->chain.get(), 0) == nullptr) { |
1597 | 470 | OPENSSL_PUT_ERROR(SSL, SSL_R_NO_CERTIFICATE_ASSIGNED); |
1598 | 470 | return false; |
1599 | 470 | } |
1600 | | |
1601 | 4.20k | return true; |
1602 | 4.67k | } |
1603 | | |
1604 | 6.11k | int SSL_CTX_check_private_key(const SSL_CTX *ctx) { |
1605 | | // There is no need to actually check consistency because inconsistent values |
1606 | | // can never be configured. |
1607 | 6.11k | return has_cert_and_key(ctx->cert->legacy_credential.get()); |
1608 | 6.11k | } |
1609 | | |
1610 | 0 | int SSL_check_private_key(const SSL *ssl) { |
1611 | 0 | if (!ssl->config) { |
1612 | 0 | return 0; |
1613 | 0 | } |
1614 | | |
1615 | | // There is no need to actually check consistency because inconsistent values |
1616 | | // can never be configured. |
1617 | 0 | return has_cert_and_key(ssl->config->cert->legacy_credential.get()); |
1618 | 0 | } |
1619 | | |
1620 | 0 | long SSL_get_default_timeout(const SSL *ssl) { |
1621 | 0 | return SSL_DEFAULT_SESSION_TIMEOUT; |
1622 | 0 | } |
1623 | | |
1624 | 32.6k | int SSL_renegotiate(SSL *ssl) { |
1625 | | // Caller-initiated renegotiation is not supported. |
1626 | 32.6k | if (!ssl->s3->renegotiate_pending) { |
1627 | 0 | OPENSSL_PUT_ERROR(SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); |
1628 | 0 | return 0; |
1629 | 0 | } |
1630 | | |
1631 | 32.6k | if (!ssl_can_renegotiate(ssl)) { |
1632 | 0 | OPENSSL_PUT_ERROR(SSL, SSL_R_NO_RENEGOTIATION); |
1633 | 0 | return 0; |
1634 | 0 | } |
1635 | | |
1636 | | // We should not have told the caller to release the private key. |
1637 | 32.6k | assert(!SSL_can_release_private_key(ssl)); |
1638 | | |
1639 | | // Renegotiation is only supported at quiescent points in the application |
1640 | | // protocol, namely in HTTPS, just before reading the HTTP response. |
1641 | | // Require the record-layer be idle and avoid complexities of sending a |
1642 | | // handshake record while an application_data record is being written. |
1643 | 32.6k | if (!ssl->s3->write_buffer.empty() || |
1644 | 32.6k | ssl->s3->write_shutdown != ssl_shutdown_none) { |
1645 | 0 | OPENSSL_PUT_ERROR(SSL, SSL_R_NO_RENEGOTIATION); |
1646 | 0 | return 0; |
1647 | 0 | } |
1648 | | |
1649 | | // Begin a new handshake. |
1650 | 32.6k | if (ssl->s3->hs != nullptr) { |
1651 | 0 | OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); |
1652 | 0 | return 0; |
1653 | 0 | } |
1654 | 32.6k | ssl->s3->hs = ssl_handshake_new(ssl); |
1655 | 32.6k | if (ssl->s3->hs == nullptr) { |
1656 | 0 | return 0; |
1657 | 0 | } |
1658 | | |
1659 | 32.6k | ssl->s3->renegotiate_pending = false; |
1660 | 32.6k | ssl->s3->total_renegotiations++; |
1661 | 32.6k | return 1; |
1662 | 32.6k | } |
1663 | | |
1664 | 0 | int SSL_renegotiate_pending(SSL *ssl) { |
1665 | 0 | return SSL_in_init(ssl) && ssl->s3->initial_handshake_complete; |
1666 | 0 | } |
1667 | | |
1668 | 0 | int SSL_total_renegotiations(const SSL *ssl) { |
1669 | 0 | return ssl->s3->total_renegotiations; |
1670 | 0 | } |
1671 | | |
1672 | 3.38k | size_t SSL_CTX_get_max_cert_list(const SSL_CTX *ctx) { |
1673 | 3.38k | return ctx->max_cert_list; |
1674 | 3.38k | } |
1675 | | |
1676 | 2.40k | void SSL_CTX_set_max_cert_list(SSL_CTX *ctx, size_t max_cert_list) { |
1677 | 2.40k | if (max_cert_list > kMaxHandshakeSize) { |
1678 | 1.89k | max_cert_list = kMaxHandshakeSize; |
1679 | 1.89k | } |
1680 | 2.40k | ctx->max_cert_list = (uint32_t)max_cert_list; |
1681 | 2.40k | } |
1682 | | |
1683 | 0 | size_t SSL_get_max_cert_list(const SSL *ssl) { return ssl->max_cert_list; } |
1684 | | |
1685 | 0 | void SSL_set_max_cert_list(SSL *ssl, size_t max_cert_list) { |
1686 | 0 | if (max_cert_list > kMaxHandshakeSize) { |
1687 | 0 | max_cert_list = kMaxHandshakeSize; |
1688 | 0 | } |
1689 | 0 | ssl->max_cert_list = (uint32_t)max_cert_list; |
1690 | 0 | } |
1691 | | |
1692 | 2.22k | int SSL_CTX_set_max_send_fragment(SSL_CTX *ctx, size_t max_send_fragment) { |
1693 | 2.22k | if (max_send_fragment < 512) { |
1694 | 212 | max_send_fragment = 512; |
1695 | 212 | } |
1696 | 2.22k | if (max_send_fragment > SSL3_RT_MAX_PLAIN_LENGTH) { |
1697 | 1.99k | max_send_fragment = SSL3_RT_MAX_PLAIN_LENGTH; |
1698 | 1.99k | } |
1699 | 2.22k | ctx->max_send_fragment = (uint16_t)max_send_fragment; |
1700 | | |
1701 | 2.22k | return 1; |
1702 | 2.22k | } |
1703 | | |
1704 | 0 | int SSL_set_max_send_fragment(SSL *ssl, size_t max_send_fragment) { |
1705 | 0 | if (max_send_fragment < 512) { |
1706 | 0 | max_send_fragment = 512; |
1707 | 0 | } |
1708 | 0 | if (max_send_fragment > SSL3_RT_MAX_PLAIN_LENGTH) { |
1709 | 0 | max_send_fragment = SSL3_RT_MAX_PLAIN_LENGTH; |
1710 | 0 | } |
1711 | 0 | ssl->max_send_fragment = (uint16_t)max_send_fragment; |
1712 | |
|
1713 | 0 | return 1; |
1714 | 0 | } |
1715 | | |
1716 | 0 | int SSL_set_mtu(SSL *ssl, unsigned mtu) { |
1717 | 0 | if (!SSL_is_dtls(ssl) || mtu < dtls1_min_mtu()) { |
1718 | 0 | return 0; |
1719 | 0 | } |
1720 | 0 | ssl->d1->mtu = mtu; |
1721 | 0 | return 1; |
1722 | 0 | } |
1723 | | |
1724 | 0 | int SSL_get_secure_renegotiation_support(const SSL *ssl) { |
1725 | 0 | if (ssl->s3->version == 0) { |
1726 | 0 | return 0; |
1727 | 0 | } |
1728 | 0 | return ssl_protocol_version(ssl) >= TLS1_3_VERSION || |
1729 | 0 | ssl->s3->send_connection_binding; |
1730 | 0 | } |
1731 | | |
1732 | 1.75k | size_t SSL_CTX_sess_number(const SSL_CTX *ctx) { |
1733 | 1.75k | MutexReadLock lock(&ctx->lock); |
1734 | 1.75k | return lh_SSL_SESSION_num_items(ctx->sessions); |
1735 | 1.75k | } |
1736 | | |
1737 | 1.98k | unsigned long SSL_CTX_sess_set_cache_size(SSL_CTX *ctx, unsigned long size) { |
1738 | 1.98k | unsigned long ret = ctx->session_cache_size; |
1739 | 1.98k | ctx->session_cache_size = size; |
1740 | 1.98k | return ret; |
1741 | 1.98k | } |
1742 | | |
1743 | 128k | unsigned long SSL_CTX_sess_get_cache_size(const SSL_CTX *ctx) { |
1744 | 128k | return ctx->session_cache_size; |
1745 | 128k | } |
1746 | | |
1747 | 0 | int SSL_CTX_set_session_cache_mode(SSL_CTX *ctx, int mode) { |
1748 | 0 | int ret = ctx->session_cache_mode; |
1749 | 0 | ctx->session_cache_mode = mode; |
1750 | 0 | return ret; |
1751 | 0 | } |
1752 | | |
1753 | 0 | int SSL_CTX_get_session_cache_mode(const SSL_CTX *ctx) { |
1754 | 0 | return ctx->session_cache_mode; |
1755 | 0 | } |
1756 | | |
1757 | | |
1758 | 0 | int SSL_CTX_get_tlsext_ticket_keys(SSL_CTX *ctx, void *out, size_t len) { |
1759 | 0 | if (out == nullptr) { |
1760 | 0 | return 48; |
1761 | 0 | } |
1762 | 0 | if (len != 48) { |
1763 | 0 | OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_TICKET_KEYS_LENGTH); |
1764 | 0 | return 0; |
1765 | 0 | } |
1766 | | |
1767 | | // The default ticket keys are initialized lazily. Trigger a key |
1768 | | // rotation to initialize them. |
1769 | 0 | if (!ssl_ctx_rotate_ticket_encryption_key(ctx)) { |
1770 | 0 | return 0; |
1771 | 0 | } |
1772 | | |
1773 | 0 | uint8_t *out_bytes = reinterpret_cast<uint8_t *>(out); |
1774 | 0 | MutexReadLock lock(&ctx->lock); |
1775 | 0 | OPENSSL_memcpy(out_bytes, ctx->ticket_key_current->name, 16); |
1776 | 0 | OPENSSL_memcpy(out_bytes + 16, ctx->ticket_key_current->hmac_key, 16); |
1777 | 0 | OPENSSL_memcpy(out_bytes + 32, ctx->ticket_key_current->aes_key, 16); |
1778 | 0 | return 1; |
1779 | 0 | } |
1780 | | |
1781 | 1.67k | int SSL_CTX_set_tlsext_ticket_keys(SSL_CTX *ctx, const void *in, size_t len) { |
1782 | 1.67k | if (in == nullptr) { |
1783 | 270 | return 48; |
1784 | 270 | } |
1785 | 1.40k | if (len != 48) { |
1786 | 1.01k | OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_TICKET_KEYS_LENGTH); |
1787 | 1.01k | return 0; |
1788 | 1.01k | } |
1789 | 387 | auto key = MakeUnique<TicketKey>(); |
1790 | 387 | if (!key) { |
1791 | 0 | return 0; |
1792 | 0 | } |
1793 | 387 | const uint8_t *in_bytes = reinterpret_cast<const uint8_t *>(in); |
1794 | 387 | OPENSSL_memcpy(key->name, in_bytes, 16); |
1795 | 387 | OPENSSL_memcpy(key->hmac_key, in_bytes + 16, 16); |
1796 | 387 | OPENSSL_memcpy(key->aes_key, in_bytes + 32, 16); |
1797 | | // Disable automatic key rotation for manually-configured keys. This is now |
1798 | | // the caller's responsibility. |
1799 | 387 | key->next_rotation_tv_sec = 0; |
1800 | 387 | ctx->ticket_key_current = std::move(key); |
1801 | 387 | ctx->ticket_key_prev.reset(); |
1802 | 387 | return 1; |
1803 | 387 | } |
1804 | | |
1805 | | int SSL_CTX_set_tlsext_ticket_key_cb( |
1806 | | SSL_CTX *ctx, |
1807 | | int (*callback)(SSL *ssl, uint8_t *key_name, uint8_t *iv, |
1808 | 0 | EVP_CIPHER_CTX *ctx, HMAC_CTX *hmac_ctx, int encrypt)) { |
1809 | 0 | ctx->ticket_key_cb = callback; |
1810 | 0 | return 1; |
1811 | 0 | } |
1812 | | |
1813 | 6.16k | static bool check_no_duplicates(Span<const uint16_t> list) { |
1814 | 6.16k | if (list.size() < 2) { |
1815 | 821 | return true; |
1816 | 821 | } |
1817 | 12.1k | for (size_t i = 0; i < list.size() - 1; ++i) { |
1818 | 20.3k | for (size_t j = i + 1; j < list.size(); ++j) { |
1819 | 13.4k | if (list[i] == list[j]) { |
1820 | 1.94k | OPENSSL_PUT_ERROR(SSL, SSL_R_DUPLICATE_GROUP); |
1821 | 1.94k | return false; |
1822 | 1.94k | } |
1823 | 13.4k | } |
1824 | 8.80k | } |
1825 | 3.39k | return true; |
1826 | 5.34k | } |
1827 | | |
1828 | 3.94k | static bool check_group_ids(Span<const uint16_t> group_ids) { |
1829 | 8.03k | for (uint16_t group_id : group_ids) { |
1830 | 8.03k | if (ssl_group_id_to_nid(group_id) == NID_undef) { |
1831 | 1.91k | OPENSSL_PUT_ERROR(SSL, SSL_R_UNSUPPORTED_ELLIPTIC_CURVE); |
1832 | 1.91k | return false; |
1833 | 1.91k | } |
1834 | 8.03k | } |
1835 | 2.03k | return check_no_duplicates(group_ids); |
1836 | 3.94k | } |
1837 | | |
1838 | | // validate_key_shares returns whether the `requested_key_shares` are free of |
1839 | | // duplicates and are a (correctly ordered) subsequence of the supported |
1840 | | // `groups`. |
1841 | | static bool validate_key_shares(Span<const uint16_t> requested_key_shares, |
1842 | 0 | Span<const uint16_t> groups) { |
1843 | 0 | if (!check_no_duplicates(requested_key_shares)) { |
1844 | 0 | return false; |
1845 | 0 | } |
1846 | 0 | if (requested_key_shares.size() > groups.size()) { |
1847 | 0 | return false; |
1848 | 0 | } |
1849 | 0 | size_t key_shares_idx = 0u, groups_idx = 0u; |
1850 | 0 | while (key_shares_idx < requested_key_shares.size() && |
1851 | 0 | groups_idx < groups.size()) { |
1852 | 0 | if (requested_key_shares[key_shares_idx] == groups[groups_idx++]) { |
1853 | 0 | ++key_shares_idx; |
1854 | 0 | } |
1855 | 0 | } |
1856 | 0 | return key_shares_idx == requested_key_shares.size(); |
1857 | 0 | } |
1858 | | |
1859 | 0 | static void clear_key_shares_if_invalid(SSL_CONFIG *config) { |
1860 | 0 | if (!config->client_key_share_selections) { |
1861 | 0 | return; |
1862 | 0 | } |
1863 | 0 | if (!validate_key_shares(*(config->client_key_share_selections), |
1864 | 0 | config->supported_group_list)) { |
1865 | 0 | config->client_key_share_selections.reset(); |
1866 | 0 | } |
1867 | 0 | } |
1868 | | |
1869 | 0 | static bool check_group_flags(Span<const uint32_t> flags) { |
1870 | 0 | if (flags.empty()) { |
1871 | 0 | return true; |
1872 | 0 | } |
1873 | | // The last element must not have the "equal preference with next" flag, |
1874 | | // because there is no next element. |
1875 | 0 | return (flags.back() & SSL_GROUP_FLAG_EQUAL_PREFERENCE_WITH_NEXT) == 0; |
1876 | 0 | } |
1877 | | |
1878 | | static bool set_group_ids_and_flags(const uint16_t *group_ids, |
1879 | | const uint32_t *flags, size_t num_group_ids, |
1880 | | Array<uint16_t> *groups_out, |
1881 | 3.94k | Array<uint32_t> *flags_out) { |
1882 | 3.94k | Span<const uint16_t> groups_span = num_group_ids == 0 |
1883 | 3.94k | ? DefaultSupportedGroupIds() |
1884 | 3.94k | : Span(group_ids, num_group_ids); |
1885 | 3.94k | if (!check_group_ids(groups_span)) { |
1886 | 2.36k | return false; |
1887 | 2.36k | } |
1888 | | // If using default groups, always use default flags. |
1889 | 1.58k | if (flags == nullptr || num_group_ids == 0) { |
1890 | 1.58k | return groups_out->CopyFrom(groups_span) && |
1891 | 1.58k | flags_out->Init(groups_span.size()); |
1892 | 1.58k | } |
1893 | 0 | Span<const uint32_t> flags_span = Span(flags, num_group_ids); |
1894 | 0 | if (!check_group_flags(flags_span)) { |
1895 | 0 | return false; |
1896 | 0 | } |
1897 | 0 | return groups_out->CopyFrom(groups_span) && flags_out->CopyFrom(flags_span); |
1898 | 0 | } |
1899 | | |
1900 | | int SSL_CTX_set1_group_ids(SSL_CTX *ctx, const uint16_t *group_ids, |
1901 | 3.94k | size_t num_group_ids) { |
1902 | 3.94k | return SSL_CTX_set1_group_ids_with_flags(ctx, group_ids, /*flags=*/nullptr, |
1903 | 3.94k | num_group_ids); |
1904 | 3.94k | } |
1905 | | |
1906 | | int SSL_CTX_set1_group_ids_with_flags(SSL_CTX *ctx, const uint16_t *group_ids, |
1907 | | const uint32_t *flags, |
1908 | 3.94k | size_t num_group_ids) { |
1909 | 3.94k | return set_group_ids_and_flags(group_ids, flags, num_group_ids, |
1910 | 3.94k | &ctx->supported_group_list, |
1911 | 3.94k | &ctx->supported_group_list_flags); |
1912 | 3.94k | } |
1913 | | |
1914 | | int SSL_set1_group_ids(SSL *ssl, const uint16_t *group_ids, |
1915 | 0 | size_t num_group_ids) { |
1916 | 0 | return SSL_set1_group_ids_with_flags(ssl, group_ids, /*flags=*/nullptr, |
1917 | 0 | num_group_ids); |
1918 | 0 | } |
1919 | | |
1920 | | int SSL_set1_group_ids_with_flags(SSL *ssl, const uint16_t *group_ids, |
1921 | 0 | const uint32_t *flags, size_t num_group_ids) { |
1922 | 0 | if (!ssl->config) { |
1923 | 0 | return 0; |
1924 | 0 | } |
1925 | 0 | if (set_group_ids_and_flags(group_ids, flags, num_group_ids, |
1926 | 0 | &ssl->config->supported_group_list, |
1927 | 0 | &ssl->config->supported_group_list_flags)) { |
1928 | 0 | clear_key_shares_if_invalid(ssl->config.get()); |
1929 | 0 | return 1; |
1930 | 0 | } |
1931 | 0 | return 0; |
1932 | 0 | } |
1933 | | |
1934 | | static bool ssl_nids_to_group_ids(Array<uint16_t> *out_group_ids, |
1935 | 10.1k | Span<const int> nids) { |
1936 | 10.1k | if (nids.empty()) { |
1937 | 1.85k | return out_group_ids->CopyFrom(DefaultSupportedGroupIds()); |
1938 | 1.85k | } |
1939 | 8.33k | Array<uint16_t> group_ids; |
1940 | 8.33k | if (!group_ids.InitForOverwrite(nids.size())) { |
1941 | 0 | return false; |
1942 | 0 | } |
1943 | | |
1944 | 17.0k | for (size_t i = 0; i < nids.size(); i++) { |
1945 | 14.3k | if (!ssl_nid_to_group_id(&group_ids[i], nids[i])) { |
1946 | 5.66k | OPENSSL_PUT_ERROR(SSL, SSL_R_UNSUPPORTED_ELLIPTIC_CURVE); |
1947 | 5.66k | return false; |
1948 | 5.66k | } |
1949 | 14.3k | } |
1950 | 2.67k | if (!check_no_duplicates(group_ids)) { |
1951 | 877 | return false; |
1952 | 877 | } |
1953 | | |
1954 | 1.79k | *out_group_ids = std::move(group_ids); |
1955 | 1.79k | return true; |
1956 | 2.67k | } |
1957 | | |
1958 | 10.1k | int SSL_CTX_set1_groups(SSL_CTX *ctx, const int *groups, size_t num_groups) { |
1959 | 10.1k | return ssl_nids_to_group_ids(&ctx->supported_group_list, |
1960 | 10.1k | Span(groups, num_groups)) && |
1961 | 3.65k | ctx->supported_group_list_flags.Init(ctx->supported_group_list.size()); |
1962 | 10.1k | } |
1963 | | |
1964 | 0 | int SSL_set1_groups(SSL *ssl, const int *groups, size_t num_groups) { |
1965 | 0 | if (!ssl->config) { |
1966 | 0 | return 0; |
1967 | 0 | } |
1968 | 0 | if (ssl_nids_to_group_ids(&ssl->config->supported_group_list, |
1969 | 0 | Span(groups, num_groups)) && |
1970 | 0 | ssl->config->supported_group_list_flags.Init( |
1971 | 0 | ssl->config->supported_group_list.size())) { |
1972 | 0 | clear_key_shares_if_invalid(ssl->config.get()); |
1973 | 0 | return 1; |
1974 | 0 | } |
1975 | 0 | return 0; |
1976 | 0 | } |
1977 | | |
1978 | | static bool ssl_str_to_group_ids(Array<uint16_t> *out_group_ids, |
1979 | 5.18k | const char *str) { |
1980 | | // Count the number of groups in the list. |
1981 | 5.18k | size_t count = 0; |
1982 | 5.18k | const char *ptr = str, *col; |
1983 | 13.7k | do { |
1984 | 13.7k | col = strchr(ptr, ':'); |
1985 | 13.7k | count++; |
1986 | 13.7k | if (col) { |
1987 | 8.58k | ptr = col + 1; |
1988 | 8.58k | } |
1989 | 13.7k | } while (col); |
1990 | | |
1991 | 5.18k | Array<uint16_t> group_ids; |
1992 | 5.18k | if (!group_ids.InitForOverwrite(count)) { |
1993 | 0 | return false; |
1994 | 0 | } |
1995 | | |
1996 | 5.18k | size_t i = 0; |
1997 | 5.18k | ptr = str; |
1998 | 7.24k | do { |
1999 | 7.24k | col = strchr(ptr, ':'); |
2000 | 7.24k | if (!ssl_name_to_group_id(&group_ids[i++], ptr, |
2001 | 7.24k | col ? (size_t)(col - ptr) : strlen(ptr))) { |
2002 | 3.72k | OPENSSL_PUT_ERROR(SSL, SSL_R_UNSUPPORTED_ELLIPTIC_CURVE); |
2003 | 3.72k | return false; |
2004 | 3.72k | } |
2005 | 3.51k | if (col) { |
2006 | 2.05k | ptr = col + 1; |
2007 | 2.05k | } |
2008 | 3.51k | } while (col); |
2009 | | |
2010 | 5.18k | assert(i == count); |
2011 | 1.45k | if (!check_no_duplicates(group_ids)) { |
2012 | 627 | return false; |
2013 | 627 | } |
2014 | 830 | *out_group_ids = std::move(group_ids); |
2015 | 830 | return true; |
2016 | 1.45k | } |
2017 | | |
2018 | 5.18k | int SSL_CTX_set1_groups_list(SSL_CTX *ctx, const char *groups) { |
2019 | 5.18k | return ssl_str_to_group_ids(&ctx->supported_group_list, groups) && |
2020 | 830 | ctx->supported_group_list_flags.Init(ctx->supported_group_list.size()); |
2021 | 5.18k | } |
2022 | | |
2023 | 0 | int SSL_set1_groups_list(SSL *ssl, const char *groups) { |
2024 | 0 | if (!ssl->config) { |
2025 | 0 | return 0; |
2026 | 0 | } |
2027 | 0 | if (ssl_str_to_group_ids(&ssl->config->supported_group_list, groups) && |
2028 | 0 | ssl->config->supported_group_list_flags.Init( |
2029 | 0 | ssl->config->supported_group_list.size())) { |
2030 | 0 | clear_key_shares_if_invalid(ssl->config.get()); |
2031 | 0 | return 1; |
2032 | 0 | } |
2033 | 0 | return 0; |
2034 | 0 | } |
2035 | | |
2036 | 0 | uint16_t SSL_get_group_id(const SSL *ssl) { |
2037 | 0 | SSL_SESSION *session = SSL_get_session(ssl); |
2038 | 0 | if (session == nullptr) { |
2039 | 0 | return 0; |
2040 | 0 | } |
2041 | | |
2042 | 0 | return session->group_id; |
2043 | 0 | } |
2044 | | |
2045 | 0 | int SSL_get_negotiated_group(const SSL *ssl) { |
2046 | 0 | uint16_t group_id = SSL_get_group_id(ssl); |
2047 | 0 | if (group_id == 0) { |
2048 | 0 | return NID_undef; |
2049 | 0 | } |
2050 | 0 | return ssl_group_id_to_nid(group_id); |
2051 | 0 | } |
2052 | | |
2053 | | int SSL_set1_client_key_shares(SSL *ssl, const uint16_t *group_ids, |
2054 | 0 | size_t num_group_ids) { |
2055 | 0 | if (!ssl->config) { |
2056 | 0 | return 0; |
2057 | 0 | } |
2058 | 0 | auto requested_key_shares = Span(group_ids, num_group_ids); |
2059 | 0 | if (!validate_key_shares(requested_key_shares, |
2060 | 0 | ssl->config->supported_group_list)) { |
2061 | 0 | return 0; |
2062 | 0 | } |
2063 | | |
2064 | 0 | assert(requested_key_shares.size() <= kNumNamedGroups); |
2065 | 0 | ssl->config->client_key_share_selections.emplace(); |
2066 | 0 | ssl->config->client_key_share_selections->CopyFrom(requested_key_shares); |
2067 | 0 | return 1; |
2068 | 0 | } |
2069 | | |
2070 | | int SSL_set1_server_supported_groups_hint(SSL *ssl, |
2071 | | const uint16_t *server_groups, |
2072 | 0 | size_t num_server_groups) { |
2073 | 0 | if (!ssl->config) { |
2074 | 0 | return 0; |
2075 | 0 | } |
2076 | 0 | auto span = Span(server_groups, num_server_groups); |
2077 | 0 | return ssl->config->server_supported_groups_hint.CopyFrom(span); |
2078 | 0 | } |
2079 | | |
2080 | 0 | int SSL_CTX_set_tmp_dh(SSL_CTX *ctx, const DH *dh) { return 1; } |
2081 | | |
2082 | 0 | int SSL_set_tmp_dh(SSL *ssl, const DH *dh) { return 1; } |
2083 | | |
2084 | 0 | STACK_OF(SSL_CIPHER) *SSL_CTX_get_ciphers(const SSL_CTX *ctx) { |
2085 | 0 | return ctx->cipher_list->ciphers.get(); |
2086 | 0 | } |
2087 | | |
2088 | 0 | int SSL_CTX_cipher_in_group(const SSL_CTX *ctx, size_t i) { |
2089 | 0 | if (i >= sk_SSL_CIPHER_num(ctx->cipher_list->ciphers.get())) { |
2090 | 0 | return 0; |
2091 | 0 | } |
2092 | 0 | return ctx->cipher_list->in_group_flags[i]; |
2093 | 0 | } |
2094 | | |
2095 | 86.3k | STACK_OF(SSL_CIPHER) *SSL_get_ciphers(const SSL *ssl) { |
2096 | 86.3k | if (ssl == nullptr) { |
2097 | 0 | return nullptr; |
2098 | 0 | } |
2099 | 86.3k | if (ssl->config == nullptr) { |
2100 | 0 | assert(ssl->config); |
2101 | 0 | return nullptr; |
2102 | 0 | } |
2103 | | |
2104 | 86.3k | return ssl->config->cipher_list ? ssl->config->cipher_list->ciphers.get() |
2105 | 86.3k | : ssl->ctx->cipher_list->ciphers.get(); |
2106 | 86.3k | } |
2107 | | |
2108 | 0 | const char *SSL_get_cipher_list(const SSL *ssl, int n) { |
2109 | 0 | if (ssl == nullptr) { |
2110 | 0 | return nullptr; |
2111 | 0 | } |
2112 | | |
2113 | 0 | STACK_OF(SSL_CIPHER) *sk = SSL_get_ciphers(ssl); |
2114 | 0 | if (sk == nullptr || n < 0 || (size_t)n >= sk_SSL_CIPHER_num(sk)) { |
2115 | 0 | return nullptr; |
2116 | 0 | } |
2117 | | |
2118 | 0 | const SSL_CIPHER *c = sk_SSL_CIPHER_value(sk, n); |
2119 | 0 | if (c == nullptr) { |
2120 | 0 | return nullptr; |
2121 | 0 | } |
2122 | | |
2123 | 0 | return c->name; |
2124 | 0 | } |
2125 | | |
2126 | 15.2k | int SSL_CTX_set_cipher_list(SSL_CTX *ctx, const char *str) { |
2127 | 15.2k | const bool has_aes_hw = ctx->aes_hw_override ? ctx->aes_hw_override_value |
2128 | 15.2k | : EVP_has_aes_hardware(); |
2129 | 15.2k | return ssl_create_cipher_list(&ctx->cipher_list, has_aes_hw, str, |
2130 | 15.2k | false /* not strict */); |
2131 | 15.2k | } |
2132 | | |
2133 | 12.5k | int SSL_CTX_set_strict_cipher_list(SSL_CTX *ctx, const char *str) { |
2134 | 12.5k | const bool has_aes_hw = ctx->aes_hw_override ? ctx->aes_hw_override_value |
2135 | 12.5k | : EVP_has_aes_hardware(); |
2136 | 12.5k | return ssl_create_cipher_list(&ctx->cipher_list, has_aes_hw, str, |
2137 | 12.5k | true /* strict */); |
2138 | 12.5k | } |
2139 | | |
2140 | 0 | int SSL_set_cipher_list(SSL *ssl, const char *str) { |
2141 | 0 | if (!ssl->config) { |
2142 | 0 | return 0; |
2143 | 0 | } |
2144 | 0 | const bool has_aes_hw = ssl->config->aes_hw_override |
2145 | 0 | ? ssl->config->aes_hw_override_value |
2146 | 0 | : EVP_has_aes_hardware(); |
2147 | 0 | return ssl_create_cipher_list(&ssl->config->cipher_list, has_aes_hw, str, |
2148 | 0 | false /* not strict */); |
2149 | 0 | } |
2150 | | |
2151 | 0 | int SSL_set_strict_cipher_list(SSL *ssl, const char *str) { |
2152 | 0 | if (!ssl->config) { |
2153 | 0 | return 0; |
2154 | 0 | } |
2155 | 0 | const bool has_aes_hw = ssl->config->aes_hw_override |
2156 | 0 | ? ssl->config->aes_hw_override_value |
2157 | 0 | : EVP_has_aes_hardware(); |
2158 | 0 | return ssl_create_cipher_list(&ssl->config->cipher_list, has_aes_hw, str, |
2159 | 0 | true /* strict */); |
2160 | 0 | } |
2161 | | |
2162 | 0 | const char *SSL_get_servername(const SSL *ssl, const int type) { |
2163 | 0 | if (type != TLSEXT_NAMETYPE_host_name) { |
2164 | 0 | return nullptr; |
2165 | 0 | } |
2166 | | |
2167 | | // Historically, |SSL_get_servername| was also the configuration getter |
2168 | | // corresponding to |SSL_set_tlsext_host_name|. |
2169 | 0 | if (ssl->hostname != nullptr) { |
2170 | 0 | return ssl->hostname.get(); |
2171 | 0 | } |
2172 | | |
2173 | 0 | return ssl->s3->hostname.get(); |
2174 | 0 | } |
2175 | | |
2176 | 0 | int SSL_get_servername_type(const SSL *ssl) { |
2177 | 0 | if (SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name) == nullptr) { |
2178 | 0 | return -1; |
2179 | 0 | } |
2180 | 0 | return TLSEXT_NAMETYPE_host_name; |
2181 | 0 | } |
2182 | | |
2183 | | void SSL_CTX_set_custom_verify( |
2184 | | SSL_CTX *ctx, int mode, |
2185 | 0 | enum ssl_verify_result_t (*callback)(SSL *ssl, uint8_t *out_alert)) { |
2186 | 0 | ctx->verify_mode = mode; |
2187 | 0 | ctx->custom_verify_callback = callback; |
2188 | 0 | } |
2189 | | |
2190 | | void SSL_set_custom_verify( |
2191 | | SSL *ssl, int mode, |
2192 | 0 | enum ssl_verify_result_t (*callback)(SSL *ssl, uint8_t *out_alert)) { |
2193 | 0 | if (!ssl->config) { |
2194 | 0 | return; |
2195 | 0 | } |
2196 | 0 | ssl->config->verify_mode = mode; |
2197 | 0 | ssl->config->custom_verify_callback = callback; |
2198 | 0 | } |
2199 | | |
2200 | 4.82k | void SSL_CTX_enable_signed_cert_timestamps(SSL_CTX *ctx) { |
2201 | 4.82k | ctx->signed_cert_timestamps_enabled = true; |
2202 | 4.82k | } |
2203 | | |
2204 | 0 | void SSL_enable_signed_cert_timestamps(SSL *ssl) { |
2205 | 0 | if (!ssl->config) { |
2206 | 0 | return; |
2207 | 0 | } |
2208 | 0 | ssl->config->signed_cert_timestamps_enabled = true; |
2209 | 0 | } |
2210 | | |
2211 | 3.63k | void SSL_CTX_enable_ocsp_stapling(SSL_CTX *ctx) { |
2212 | 3.63k | ctx->ocsp_stapling_enabled = true; |
2213 | 3.63k | } |
2214 | | |
2215 | 0 | void SSL_enable_ocsp_stapling(SSL *ssl) { |
2216 | 0 | if (!ssl->config) { |
2217 | 0 | return; |
2218 | 0 | } |
2219 | 0 | ssl->config->ocsp_stapling_enabled = true; |
2220 | 0 | } |
2221 | | |
2222 | | void SSL_get0_signed_cert_timestamp_list(const SSL *ssl, const uint8_t **out, |
2223 | 0 | size_t *out_len) { |
2224 | 0 | SSL_SESSION *session = SSL_get_session(ssl); |
2225 | 0 | if (ssl->server || !session || !session->signed_cert_timestamp_list) { |
2226 | 0 | *out_len = 0; |
2227 | 0 | *out = nullptr; |
2228 | 0 | return; |
2229 | 0 | } |
2230 | | |
2231 | 0 | *out = CRYPTO_BUFFER_data(session->signed_cert_timestamp_list.get()); |
2232 | 0 | *out_len = CRYPTO_BUFFER_len(session->signed_cert_timestamp_list.get()); |
2233 | 0 | } |
2234 | | |
2235 | | void SSL_get0_ocsp_response(const SSL *ssl, const uint8_t **out, |
2236 | 0 | size_t *out_len) { |
2237 | 0 | SSL_SESSION *session = SSL_get_session(ssl); |
2238 | 0 | if (ssl->server || !session || !session->ocsp_response) { |
2239 | 0 | *out_len = 0; |
2240 | 0 | *out = nullptr; |
2241 | 0 | return; |
2242 | 0 | } |
2243 | | |
2244 | 0 | *out = CRYPTO_BUFFER_data(session->ocsp_response.get()); |
2245 | 0 | *out_len = CRYPTO_BUFFER_len(session->ocsp_response.get()); |
2246 | 0 | } |
2247 | | |
2248 | 12.3k | int SSL_set_tlsext_host_name(SSL *ssl, const char *name) { |
2249 | 12.3k | ssl->hostname.reset(); |
2250 | 12.3k | if (name == nullptr) { |
2251 | 0 | return 1; |
2252 | 0 | } |
2253 | | |
2254 | 12.3k | size_t len = strlen(name); |
2255 | 12.3k | if (len == 0 || len > TLSEXT_MAXLEN_host_name) { |
2256 | 0 | OPENSSL_PUT_ERROR(SSL, SSL_R_SSL3_EXT_INVALID_SERVERNAME); |
2257 | 0 | return 0; |
2258 | 0 | } |
2259 | 12.3k | ssl->hostname.reset(OPENSSL_strdup(name)); |
2260 | 12.3k | if (ssl->hostname == nullptr) { |
2261 | 0 | return 0; |
2262 | 0 | } |
2263 | 12.3k | return 1; |
2264 | 12.3k | } |
2265 | | |
2266 | | int SSL_CTX_set_tlsext_servername_callback( |
2267 | 0 | SSL_CTX *ctx, int (*callback)(SSL *ssl, int *out_alert, void *arg)) { |
2268 | 0 | ctx->servername_callback = callback; |
2269 | 0 | return 1; |
2270 | 0 | } |
2271 | | |
2272 | 0 | int SSL_CTX_set_tlsext_servername_arg(SSL_CTX *ctx, void *arg) { |
2273 | 0 | ctx->servername_arg = arg; |
2274 | 0 | return 1; |
2275 | 0 | } |
2276 | | |
2277 | | int SSL_select_next_proto(uint8_t **out, uint8_t *out_len, const uint8_t *peer, |
2278 | | unsigned peer_len, const uint8_t *supported, |
2279 | 0 | unsigned supported_len) { |
2280 | 0 | *out = nullptr; |
2281 | 0 | *out_len = 0; |
2282 | | |
2283 | | // Both |peer| and |supported| must be valid protocol lists, but |peer| may be |
2284 | | // empty in NPN. |
2285 | 0 | auto peer_span = Span(peer, peer_len); |
2286 | 0 | auto supported_span = Span(supported, supported_len); |
2287 | 0 | if ((!peer_span.empty() && !ssl_is_valid_alpn_list(peer_span)) || |
2288 | 0 | !ssl_is_valid_alpn_list(supported_span)) { |
2289 | 0 | return OPENSSL_NPN_NO_OVERLAP; |
2290 | 0 | } |
2291 | | |
2292 | | // For each protocol in peer preference order, see if we support it. |
2293 | 0 | CBS cbs = peer_span, proto; |
2294 | 0 | while (CBS_len(&cbs) != 0) { |
2295 | 0 | if (!CBS_get_u8_length_prefixed(&cbs, &proto) || CBS_len(&proto) == 0) { |
2296 | 0 | return OPENSSL_NPN_NO_OVERLAP; |
2297 | 0 | } |
2298 | | |
2299 | 0 | if (ssl_alpn_list_contains_protocol(Span(supported, supported_len), |
2300 | 0 | proto)) { |
2301 | | // This function is not const-correct for compatibility with existing |
2302 | | // callers. |
2303 | 0 | *out = const_cast<uint8_t *>(CBS_data(&proto)); |
2304 | | // A u8 length prefix will fit in |uint8_t|. |
2305 | 0 | *out_len = static_cast<uint8_t>(CBS_len(&proto)); |
2306 | 0 | return OPENSSL_NPN_NEGOTIATED; |
2307 | 0 | } |
2308 | 0 | } |
2309 | | |
2310 | | // There's no overlap between our protocols and the peer's list. In ALPN, the |
2311 | | // caller is expected to fail the connection with no_application_protocol. In |
2312 | | // NPN, the caller is expected to opportunistically select the first protocol. |
2313 | | // See draft-agl-tls-nextprotoneg-04, section 6. |
2314 | 0 | cbs = supported_span; |
2315 | 0 | if (!CBS_get_u8_length_prefixed(&cbs, &proto) || CBS_len(&proto) == 0) { |
2316 | 0 | return OPENSSL_NPN_NO_OVERLAP; |
2317 | 0 | } |
2318 | | |
2319 | | // See above. |
2320 | 0 | *out = const_cast<uint8_t *>(CBS_data(&proto)); |
2321 | 0 | *out_len = static_cast<uint8_t>(CBS_len(&proto)); |
2322 | 0 | return OPENSSL_NPN_NO_OVERLAP; |
2323 | 0 | } |
2324 | | |
2325 | | void SSL_get0_next_proto_negotiated(const SSL *ssl, const uint8_t **out_data, |
2326 | 0 | unsigned *out_len) { |
2327 | | // NPN protocols have one-byte lengths, so they must fit in |unsigned|. |
2328 | 0 | assert(ssl->s3->next_proto_negotiated.size() <= UINT_MAX); |
2329 | 0 | *out_data = ssl->s3->next_proto_negotiated.data(); |
2330 | 0 | *out_len = static_cast<unsigned>(ssl->s3->next_proto_negotiated.size()); |
2331 | 0 | } |
2332 | | |
2333 | | void SSL_CTX_set_next_protos_advertised_cb( |
2334 | | SSL_CTX *ctx, |
2335 | | int (*cb)(SSL *ssl, const uint8_t **out, unsigned *out_len, void *arg), |
2336 | 12 | void *arg) { |
2337 | 12 | ctx->next_protos_advertised_cb = cb; |
2338 | 12 | ctx->next_protos_advertised_cb_arg = arg; |
2339 | 12 | } |
2340 | | |
2341 | | void SSL_CTX_set_next_proto_select_cb(SSL_CTX *ctx, |
2342 | | int (*cb)(SSL *ssl, uint8_t **out, |
2343 | | uint8_t *out_len, |
2344 | | const uint8_t *in, |
2345 | | unsigned in_len, void *arg), |
2346 | 12 | void *arg) { |
2347 | 12 | ctx->next_proto_select_cb = cb; |
2348 | 12 | ctx->next_proto_select_cb_arg = arg; |
2349 | 12 | } |
2350 | | |
2351 | | int SSL_CTX_set_alpn_protos(SSL_CTX *ctx, const uint8_t *protos, |
2352 | 2.21k | size_t protos_len) { |
2353 | | // Note this function's return value is backwards. |
2354 | 2.21k | auto span = Span(protos, protos_len); |
2355 | 2.21k | if (!span.empty() && !ssl_is_valid_alpn_list(span)) { |
2356 | 1.66k | OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_ALPN_PROTOCOL_LIST); |
2357 | 1.66k | return 1; |
2358 | 1.66k | } |
2359 | 544 | return ctx->alpn_client_proto_list.CopyFrom(span) ? 0 : 1; |
2360 | 2.21k | } |
2361 | | |
2362 | 0 | int SSL_set_alpn_protos(SSL *ssl, const uint8_t *protos, size_t protos_len) { |
2363 | | // Note this function's return value is backwards. |
2364 | 0 | if (!ssl->config) { |
2365 | 0 | return 1; |
2366 | 0 | } |
2367 | 0 | auto span = Span(protos, protos_len); |
2368 | 0 | if (!span.empty() && !ssl_is_valid_alpn_list(span)) { |
2369 | 0 | OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_ALPN_PROTOCOL_LIST); |
2370 | 0 | return 1; |
2371 | 0 | } |
2372 | 0 | return ssl->config->alpn_client_proto_list.CopyFrom(span) ? 0 : 1; |
2373 | 0 | } |
2374 | | |
2375 | | void SSL_CTX_set_alpn_select_cb(SSL_CTX *ctx, |
2376 | | int (*cb)(SSL *ssl, const uint8_t **out, |
2377 | | uint8_t *out_len, const uint8_t *in, |
2378 | | unsigned in_len, void *arg), |
2379 | 12 | void *arg) { |
2380 | 12 | ctx->alpn_select_cb = cb; |
2381 | 12 | ctx->alpn_select_cb_arg = arg; |
2382 | 12 | } |
2383 | | |
2384 | | void SSL_get0_alpn_selected(const SSL *ssl, const uint8_t **out_data, |
2385 | 0 | unsigned *out_len) { |
2386 | 0 | Span<const uint8_t> protocol; |
2387 | 0 | if (SSL_in_early_data(ssl) && !ssl->server) { |
2388 | 0 | protocol = ssl->s3->hs->early_session->early_alpn; |
2389 | 0 | } else { |
2390 | 0 | protocol = ssl->s3->alpn_selected; |
2391 | 0 | } |
2392 | | // ALPN protocols have one-byte lengths, so they must fit in |unsigned|. |
2393 | 0 | assert(protocol.size() < UINT_MAX); |
2394 | 0 | *out_data = protocol.data(); |
2395 | 0 | *out_len = static_cast<unsigned>(protocol.size()); |
2396 | 0 | } |
2397 | | |
2398 | 0 | void SSL_CTX_set_allow_unknown_alpn_protos(SSL_CTX *ctx, int enabled) { |
2399 | 0 | ctx->allow_unknown_alpn_protos = !!enabled; |
2400 | 0 | } |
2401 | | |
2402 | | int SSL_add_application_settings(SSL *ssl, const uint8_t *proto, |
2403 | | size_t proto_len, const uint8_t *settings, |
2404 | 0 | size_t settings_len) { |
2405 | 0 | if (!ssl->config) { |
2406 | 0 | return 0; |
2407 | 0 | } |
2408 | 0 | ALPSConfig config; |
2409 | 0 | if (!config.protocol.CopyFrom(Span(proto, proto_len)) || |
2410 | 0 | !config.settings.CopyFrom(Span(settings, settings_len)) || |
2411 | 0 | !ssl->config->alps_configs.Push(std::move(config))) { |
2412 | 0 | return 0; |
2413 | 0 | } |
2414 | 0 | return 1; |
2415 | 0 | } |
2416 | | |
2417 | | void SSL_get0_peer_application_settings(const SSL *ssl, |
2418 | | const uint8_t **out_data, |
2419 | 0 | size_t *out_len) { |
2420 | 0 | const SSL_SESSION *session = SSL_get_session(ssl); |
2421 | 0 | Span<const uint8_t> settings = |
2422 | 0 | session ? session->peer_application_settings : Span<const uint8_t>(); |
2423 | 0 | *out_data = settings.data(); |
2424 | 0 | *out_len = settings.size(); |
2425 | 0 | } |
2426 | | |
2427 | 0 | int SSL_has_application_settings(const SSL *ssl) { |
2428 | 0 | const SSL_SESSION *session = SSL_get_session(ssl); |
2429 | 0 | return session && session->has_application_settings; |
2430 | 0 | } |
2431 | | |
2432 | 0 | void SSL_set_alps_use_new_codepoint(SSL *ssl, int use_new) { |
2433 | 0 | if (!ssl->config) { |
2434 | 0 | return; |
2435 | 0 | } |
2436 | 0 | ssl->config->alps_use_new_codepoint = !!use_new; |
2437 | 0 | } |
2438 | | |
2439 | | int SSL_CTX_add_cert_compression_alg(SSL_CTX *ctx, uint16_t alg_id, |
2440 | | ssl_cert_compression_func_t compress, |
2441 | 0 | ssl_cert_decompression_func_t decompress) { |
2442 | 0 | assert(compress != nullptr || decompress != nullptr); |
2443 | | |
2444 | 0 | for (const auto &alg : ctx->cert_compression_algs) { |
2445 | 0 | if (alg.alg_id == alg_id) { |
2446 | 0 | return 0; |
2447 | 0 | } |
2448 | 0 | } |
2449 | | |
2450 | 0 | CertCompressionAlg alg; |
2451 | 0 | alg.alg_id = alg_id; |
2452 | 0 | alg.compress = compress; |
2453 | 0 | alg.decompress = decompress; |
2454 | 0 | return ctx->cert_compression_algs.Push(alg); |
2455 | 0 | } |
2456 | | |
2457 | 12 | void SSL_CTX_set_tls_channel_id_enabled(SSL_CTX *ctx, int enabled) { |
2458 | 12 | ctx->channel_id_enabled = !!enabled; |
2459 | 12 | } |
2460 | | |
2461 | 0 | int SSL_CTX_enable_tls_channel_id(SSL_CTX *ctx) { |
2462 | 0 | SSL_CTX_set_tls_channel_id_enabled(ctx, 1); |
2463 | 0 | return 1; |
2464 | 0 | } |
2465 | | |
2466 | 0 | void SSL_set_tls_channel_id_enabled(SSL *ssl, int enabled) { |
2467 | 0 | if (!ssl->config) { |
2468 | 0 | return; |
2469 | 0 | } |
2470 | 0 | ssl->config->channel_id_enabled = !!enabled; |
2471 | 0 | } |
2472 | | |
2473 | 0 | int SSL_enable_tls_channel_id(SSL *ssl) { |
2474 | 0 | SSL_set_tls_channel_id_enabled(ssl, 1); |
2475 | 0 | return 1; |
2476 | 0 | } |
2477 | | |
2478 | 12 | int SSL_CTX_set1_tls_channel_id(SSL_CTX *ctx, EVP_PKEY *private_key) { |
2479 | 12 | if (EVP_PKEY_get_ec_curve_nid(private_key) != NID_X9_62_prime256v1) { |
2480 | 0 | OPENSSL_PUT_ERROR(SSL, SSL_R_CHANNEL_ID_NOT_P256); |
2481 | 0 | return 0; |
2482 | 0 | } |
2483 | | |
2484 | 12 | ctx->channel_id_private = UpRef(private_key); |
2485 | 12 | return 1; |
2486 | 12 | } |
2487 | | |
2488 | 0 | int SSL_set1_tls_channel_id(SSL *ssl, EVP_PKEY *private_key) { |
2489 | 0 | if (!ssl->config) { |
2490 | 0 | return 0; |
2491 | 0 | } |
2492 | 0 | if (EVP_PKEY_get_ec_curve_nid(private_key) != NID_X9_62_prime256v1) { |
2493 | 0 | OPENSSL_PUT_ERROR(SSL, SSL_R_CHANNEL_ID_NOT_P256); |
2494 | 0 | return 0; |
2495 | 0 | } |
2496 | | |
2497 | 0 | ssl->config->channel_id_private = UpRef(private_key); |
2498 | 0 | return 1; |
2499 | 0 | } |
2500 | | |
2501 | 0 | size_t SSL_get_tls_channel_id(SSL *ssl, uint8_t *out, size_t max_out) { |
2502 | 0 | if (!ssl->s3->channel_id_valid) { |
2503 | 0 | return 0; |
2504 | 0 | } |
2505 | 0 | OPENSSL_memcpy(out, ssl->s3->channel_id, (max_out < 64) ? max_out : 64); |
2506 | 0 | return 64; |
2507 | 0 | } |
2508 | | |
2509 | 0 | size_t SSL_get0_certificate_types(const SSL *ssl, const uint8_t **out_types) { |
2510 | 0 | Span<const uint8_t> types; |
2511 | 0 | if (!ssl->server && ssl->s3->hs != nullptr) { |
2512 | 0 | types = ssl->s3->hs->certificate_types; |
2513 | 0 | } |
2514 | 0 | *out_types = types.data(); |
2515 | 0 | return types.size(); |
2516 | 0 | } |
2517 | | |
2518 | | size_t SSL_get0_peer_verify_algorithms(const SSL *ssl, |
2519 | 0 | const uint16_t **out_sigalgs) { |
2520 | 0 | Span<const uint16_t> sigalgs; |
2521 | 0 | if (ssl->s3->hs != nullptr) { |
2522 | 0 | sigalgs = ssl->s3->hs->peer_sigalgs; |
2523 | 0 | } |
2524 | 0 | *out_sigalgs = sigalgs.data(); |
2525 | 0 | return sigalgs.size(); |
2526 | 0 | } |
2527 | | |
2528 | | size_t SSL_get0_peer_delegation_algorithms(const SSL *ssl, |
2529 | 0 | const uint16_t **out_sigalgs) { |
2530 | 0 | Span<const uint16_t> sigalgs; |
2531 | 0 | if (ssl->s3->hs != nullptr) { |
2532 | 0 | sigalgs = ssl->s3->hs->peer_delegated_credential_sigalgs; |
2533 | 0 | } |
2534 | 0 | *out_sigalgs = sigalgs.data(); |
2535 | 0 | return sigalgs.size(); |
2536 | 0 | } |
2537 | | |
2538 | 0 | EVP_PKEY *SSL_get_privatekey(const SSL *ssl) { |
2539 | 0 | if (!ssl->config) { |
2540 | 0 | assert(ssl->config); |
2541 | 0 | return nullptr; |
2542 | 0 | } |
2543 | 0 | return ssl->config->cert->legacy_credential->privkey.get(); |
2544 | 0 | } |
2545 | | |
2546 | 1.50k | EVP_PKEY *SSL_CTX_get0_privatekey(const SSL_CTX *ctx) { |
2547 | 1.50k | return ctx->cert->legacy_credential->privkey.get(); |
2548 | 1.50k | } |
2549 | | |
2550 | 0 | const SSL_CIPHER *SSL_get_current_cipher(const SSL *ssl) { |
2551 | 0 | const SSL_SESSION *session = SSL_get_session(ssl); |
2552 | 0 | return session == nullptr ? nullptr : session->cipher; |
2553 | 0 | } |
2554 | | |
2555 | 0 | int SSL_session_reused(const SSL *ssl) { |
2556 | 0 | return ssl->s3->session_reused || SSL_in_early_data(ssl); |
2557 | 0 | } |
2558 | | |
2559 | 0 | const COMP_METHOD *SSL_get_current_compression(SSL *ssl) { return nullptr; } |
2560 | | |
2561 | 0 | const COMP_METHOD *SSL_get_current_expansion(SSL *ssl) { return nullptr; } |
2562 | | |
2563 | 0 | int SSL_get_server_tmp_key(SSL *ssl, EVP_PKEY **out_key) { return 0; } |
2564 | | |
2565 | 79.4k | void SSL_CTX_set_quiet_shutdown(SSL_CTX *ctx, int mode) { |
2566 | 79.4k | ctx->quiet_shutdown = (mode != 0); |
2567 | 79.4k | } |
2568 | | |
2569 | 15.7k | int SSL_CTX_get_quiet_shutdown(const SSL_CTX *ctx) { |
2570 | 15.7k | return ctx->quiet_shutdown; |
2571 | 15.7k | } |
2572 | | |
2573 | 0 | void SSL_set_quiet_shutdown(SSL *ssl, int mode) { |
2574 | 0 | ssl->quiet_shutdown = (mode != 0); |
2575 | 0 | } |
2576 | | |
2577 | 0 | int SSL_get_quiet_shutdown(const SSL *ssl) { return ssl->quiet_shutdown; } |
2578 | | |
2579 | 0 | void SSL_set_shutdown(SSL *ssl, int mode) { |
2580 | | // It is an error to clear any bits that have already been set. (We can't try |
2581 | | // to get a second close_notify or send two.) |
2582 | 0 | assert((SSL_get_shutdown(ssl) & mode) == SSL_get_shutdown(ssl)); |
2583 | | |
2584 | 0 | if (mode & SSL_RECEIVED_SHUTDOWN && |
2585 | 0 | ssl->s3->read_shutdown == ssl_shutdown_none) { |
2586 | 0 | ssl->s3->read_shutdown = ssl_shutdown_close_notify; |
2587 | 0 | } |
2588 | |
|
2589 | 0 | if (mode & SSL_SENT_SHUTDOWN && |
2590 | 0 | ssl->s3->write_shutdown == ssl_shutdown_none) { |
2591 | 0 | ssl->s3->write_shutdown = ssl_shutdown_close_notify; |
2592 | 0 | } |
2593 | 0 | } |
2594 | | |
2595 | 0 | int SSL_get_shutdown(const SSL *ssl) { |
2596 | 0 | int ret = 0; |
2597 | 0 | if (ssl->s3->read_shutdown != ssl_shutdown_none) { |
2598 | | // Historically, OpenSSL set |SSL_RECEIVED_SHUTDOWN| on both close_notify |
2599 | | // and fatal alert. |
2600 | 0 | ret |= SSL_RECEIVED_SHUTDOWN; |
2601 | 0 | } |
2602 | 0 | if (ssl->s3->write_shutdown == ssl_shutdown_close_notify) { |
2603 | | // Historically, OpenSSL set |SSL_SENT_SHUTDOWN| on only close_notify. |
2604 | 0 | ret |= SSL_SENT_SHUTDOWN; |
2605 | 0 | } |
2606 | 0 | return ret; |
2607 | 0 | } |
2608 | | |
2609 | 0 | SSL_CTX *SSL_get_SSL_CTX(const SSL *ssl) { return ssl->ctx.get(); } |
2610 | | |
2611 | 0 | SSL_CTX *SSL_set_SSL_CTX(SSL *ssl, SSL_CTX *ctx) { |
2612 | 0 | if (!ssl->config) { |
2613 | 0 | return nullptr; |
2614 | 0 | } |
2615 | 0 | if (ssl->ctx.get() == ctx) { |
2616 | 0 | return ssl->ctx.get(); |
2617 | 0 | } |
2618 | | |
2619 | | // One cannot change the X.509 callbacks during a connection. |
2620 | 0 | if (ssl->ctx->x509_method != ctx->x509_method) { |
2621 | 0 | assert(0); |
2622 | 0 | return nullptr; |
2623 | 0 | } |
2624 | | |
2625 | 0 | UniquePtr<CERT> new_cert = ssl_cert_dup(ctx->cert.get()); |
2626 | 0 | if (!new_cert) { |
2627 | 0 | return nullptr; |
2628 | 0 | } |
2629 | | |
2630 | 0 | ssl->config->cert = std::move(new_cert); |
2631 | 0 | ssl->ctx = UpRef(ctx); |
2632 | 0 | ssl->enable_early_data = ssl->ctx->enable_early_data; |
2633 | |
|
2634 | 0 | return ssl->ctx.get(); |
2635 | 0 | } |
2636 | | |
2637 | | void SSL_set_info_callback(SSL *ssl, |
2638 | 0 | void (*cb)(const SSL *ssl, int type, int value)) { |
2639 | 0 | ssl->info_callback = cb; |
2640 | 0 | } |
2641 | | |
2642 | | void (*SSL_get_info_callback(const SSL *ssl))(const SSL *ssl, int type, |
2643 | 0 | int value) { |
2644 | 0 | return ssl->info_callback; |
2645 | 0 | } |
2646 | | |
2647 | 0 | int SSL_state(const SSL *ssl) { |
2648 | 0 | return SSL_in_init(ssl) ? SSL_ST_INIT : SSL_ST_OK; |
2649 | 0 | } |
2650 | | |
2651 | 0 | void SSL_set_state(SSL *ssl, int state) {} |
2652 | | |
2653 | 0 | char *SSL_get_shared_ciphers(const SSL *ssl, char *buf, int len) { |
2654 | 0 | if (len <= 0) { |
2655 | 0 | return nullptr; |
2656 | 0 | } |
2657 | 0 | buf[0] = '\0'; |
2658 | 0 | return buf; |
2659 | 0 | } |
2660 | | |
2661 | | int SSL_get_shared_sigalgs(SSL *ssl, int idx, int *psign, int *phash, |
2662 | 0 | int *psignandhash, uint8_t *rsig, uint8_t *rhash) { |
2663 | 0 | return 0; |
2664 | 0 | } |
2665 | | |
2666 | 0 | int SSL_CTX_set_quic_method(SSL_CTX *ctx, const SSL_QUIC_METHOD *quic_method) { |
2667 | 0 | if (ctx->method->is_dtls) { |
2668 | 0 | return 0; |
2669 | 0 | } |
2670 | 0 | ctx->quic_method = quic_method; |
2671 | 0 | return 1; |
2672 | 0 | } |
2673 | | |
2674 | 0 | int SSL_set_quic_method(SSL *ssl, const SSL_QUIC_METHOD *quic_method) { |
2675 | 0 | if (ssl->method->is_dtls) { |
2676 | 0 | return 0; |
2677 | 0 | } |
2678 | 0 | ssl->quic_method = quic_method; |
2679 | 0 | return 1; |
2680 | 0 | } |
2681 | | |
2682 | | int SSL_get_ex_new_index(long argl, void *argp, CRYPTO_EX_unused *unused, |
2683 | 0 | CRYPTO_EX_dup *dup_unused, CRYPTO_EX_free *free_func) { |
2684 | 0 | return CRYPTO_get_ex_new_index_ex(&g_ex_data_class_ssl, argl, argp, |
2685 | 0 | free_func); |
2686 | 0 | } |
2687 | | |
2688 | 0 | int SSL_set_ex_data(SSL *ssl, int idx, void *data) { |
2689 | 0 | return CRYPTO_set_ex_data(&ssl->ex_data, idx, data); |
2690 | 0 | } |
2691 | | |
2692 | 0 | void *SSL_get_ex_data(const SSL *ssl, int idx) { |
2693 | 0 | return CRYPTO_get_ex_data(&ssl->ex_data, idx); |
2694 | 0 | } |
2695 | | |
2696 | | int SSL_CTX_get_ex_new_index(long argl, void *argp, CRYPTO_EX_unused *unused, |
2697 | | CRYPTO_EX_dup *dup_unused, |
2698 | 0 | CRYPTO_EX_free *free_func) { |
2699 | 0 | return CRYPTO_get_ex_new_index_ex(&g_ex_data_class_ssl_ctx, argl, argp, |
2700 | 0 | free_func); |
2701 | 0 | } |
2702 | | |
2703 | 0 | int SSL_CTX_set_ex_data(SSL_CTX *ctx, int idx, void *data) { |
2704 | 0 | return CRYPTO_set_ex_data(&ctx->ex_data, idx, data); |
2705 | 0 | } |
2706 | | |
2707 | 0 | void *SSL_CTX_get_ex_data(const SSL_CTX *ctx, int idx) { |
2708 | 0 | return CRYPTO_get_ex_data(&ctx->ex_data, idx); |
2709 | 0 | } |
2710 | | |
2711 | 0 | int SSL_want(const SSL *ssl) { |
2712 | | // Historically, OpenSSL did not track |SSL_ERROR_ZERO_RETURN| as an |rwstate| |
2713 | | // value. We do, but map it back to |SSL_ERROR_NONE| to preserve the original |
2714 | | // behavior. |
2715 | 0 | return ssl->s3->rwstate == SSL_ERROR_ZERO_RETURN ? SSL_ERROR_NONE |
2716 | 0 | : ssl->s3->rwstate; |
2717 | 0 | } |
2718 | | |
2719 | | void SSL_CTX_set_tmp_rsa_callback(SSL_CTX *ctx, |
2720 | | RSA *(*cb)(SSL *ssl, int is_export, |
2721 | 0 | int keylength)) {} |
2722 | | |
2723 | | void SSL_set_tmp_rsa_callback(SSL *ssl, RSA *(*cb)(SSL *ssl, int is_export, |
2724 | 0 | int keylength)) {} |
2725 | | |
2726 | | void SSL_CTX_set_tmp_dh_callback(SSL_CTX *ctx, |
2727 | | DH *(*cb)(SSL *ssl, int is_export, |
2728 | 0 | int keylength)) {} |
2729 | | |
2730 | | void SSL_set_tmp_dh_callback(SSL *ssl, DH *(*cb)(SSL *ssl, int is_export, |
2731 | 0 | int keylength)) {} |
2732 | | |
2733 | | static int use_psk_identity_hint(UniquePtr<char> *out, |
2734 | 0 | const char *identity_hint) { |
2735 | 0 | if (identity_hint != nullptr && |
2736 | 0 | strlen(identity_hint) > PSK_MAX_IDENTITY_LEN) { |
2737 | 0 | OPENSSL_PUT_ERROR(SSL, SSL_R_DATA_LENGTH_TOO_LONG); |
2738 | 0 | return 0; |
2739 | 0 | } |
2740 | | |
2741 | | // Clear currently configured hint, if any. |
2742 | 0 | out->reset(); |
2743 | | |
2744 | | // Treat the empty hint as not supplying one. Plain PSK makes it possible to |
2745 | | // send either no hint (omit ServerKeyExchange) or an empty hint, while |
2746 | | // ECDHE_PSK can only spell empty hint. Having different capabilities is odd, |
2747 | | // so we interpret empty and missing as identical. |
2748 | 0 | if (identity_hint != nullptr && identity_hint[0] != '\0') { |
2749 | 0 | out->reset(OPENSSL_strdup(identity_hint)); |
2750 | 0 | if (*out == nullptr) { |
2751 | 0 | return 0; |
2752 | 0 | } |
2753 | 0 | } |
2754 | | |
2755 | 0 | return 1; |
2756 | 0 | } |
2757 | | |
2758 | 0 | int SSL_CTX_use_psk_identity_hint(SSL_CTX *ctx, const char *identity_hint) { |
2759 | 0 | return use_psk_identity_hint(&ctx->psk_identity_hint, identity_hint); |
2760 | 0 | } |
2761 | | |
2762 | 0 | int SSL_use_psk_identity_hint(SSL *ssl, const char *identity_hint) { |
2763 | 0 | if (!ssl->config) { |
2764 | 0 | return 0; |
2765 | 0 | } |
2766 | 0 | return use_psk_identity_hint(&ssl->config->psk_identity_hint, identity_hint); |
2767 | 0 | } |
2768 | | |
2769 | 0 | const char *SSL_get_psk_identity_hint(const SSL *ssl) { |
2770 | 0 | if (ssl == nullptr) { |
2771 | 0 | return nullptr; |
2772 | 0 | } |
2773 | 0 | if (ssl->config == nullptr) { |
2774 | 0 | assert(ssl->config); |
2775 | 0 | return nullptr; |
2776 | 0 | } |
2777 | 0 | return ssl->config->psk_identity_hint.get(); |
2778 | 0 | } |
2779 | | |
2780 | 0 | const char *SSL_get_psk_identity(const SSL *ssl) { |
2781 | 0 | if (ssl == nullptr) { |
2782 | 0 | return nullptr; |
2783 | 0 | } |
2784 | 0 | SSL_SESSION *session = SSL_get_session(ssl); |
2785 | 0 | if (session == nullptr) { |
2786 | 0 | return nullptr; |
2787 | 0 | } |
2788 | 0 | return session->psk_identity.get(); |
2789 | 0 | } |
2790 | | |
2791 | | void SSL_set_psk_client_callback( |
2792 | | SSL *ssl, unsigned (*cb)(SSL *ssl, const char *hint, char *identity, |
2793 | | unsigned max_identity_len, uint8_t *psk, |
2794 | 0 | unsigned max_psk_len)) { |
2795 | 0 | if (!ssl->config) { |
2796 | 0 | return; |
2797 | 0 | } |
2798 | 0 | ssl->config->psk_client_callback = cb; |
2799 | 0 | } |
2800 | | |
2801 | | void SSL_CTX_set_psk_client_callback( |
2802 | | SSL_CTX *ctx, unsigned (*cb)(SSL *ssl, const char *hint, char *identity, |
2803 | | unsigned max_identity_len, uint8_t *psk, |
2804 | 0 | unsigned max_psk_len)) { |
2805 | 0 | ctx->psk_client_callback = cb; |
2806 | 0 | } |
2807 | | |
2808 | | void SSL_set_psk_server_callback(SSL *ssl, |
2809 | | unsigned (*cb)(SSL *ssl, const char *identity, |
2810 | | uint8_t *psk, |
2811 | 0 | unsigned max_psk_len)) { |
2812 | 0 | if (!ssl->config) { |
2813 | 0 | return; |
2814 | 0 | } |
2815 | 0 | ssl->config->psk_server_callback = cb; |
2816 | 0 | } |
2817 | | |
2818 | | void SSL_CTX_set_psk_server_callback( |
2819 | | SSL_CTX *ctx, unsigned (*cb)(SSL *ssl, const char *identity, uint8_t *psk, |
2820 | 0 | unsigned max_psk_len)) { |
2821 | 0 | ctx->psk_server_callback = cb; |
2822 | 0 | } |
2823 | | |
2824 | | void SSL_CTX_set_msg_callback(SSL_CTX *ctx, |
2825 | | void (*cb)(int write_p, int version, |
2826 | | int content_type, const void *buf, |
2827 | 0 | size_t len, SSL *ssl, void *arg)) { |
2828 | 0 | ctx->msg_callback = cb; |
2829 | 0 | } |
2830 | | |
2831 | 0 | void SSL_CTX_set_msg_callback_arg(SSL_CTX *ctx, void *arg) { |
2832 | 0 | ctx->msg_callback_arg = arg; |
2833 | 0 | } |
2834 | | |
2835 | | void SSL_set_msg_callback(SSL *ssl, |
2836 | | void (*cb)(int write_p, int version, int content_type, |
2837 | | const void *buf, size_t len, SSL *ssl, |
2838 | 0 | void *arg)) { |
2839 | 0 | ssl->msg_callback = cb; |
2840 | 0 | } |
2841 | | |
2842 | 0 | void SSL_set_msg_callback_arg(SSL *ssl, void *arg) { |
2843 | 0 | ssl->msg_callback_arg = arg; |
2844 | 0 | } |
2845 | | |
2846 | | void SSL_CTX_set_keylog_callback(SSL_CTX *ctx, |
2847 | 0 | void (*cb)(const SSL *ssl, const char *line)) { |
2848 | 0 | ctx->keylog_callback = cb; |
2849 | 0 | } |
2850 | | |
2851 | | void (*SSL_CTX_get_keylog_callback(const SSL_CTX *ctx))(const SSL *ssl, |
2852 | 0 | const char *line) { |
2853 | 0 | return ctx->keylog_callback; |
2854 | 0 | } |
2855 | | |
2856 | | void SSL_CTX_set_current_time_cb(SSL_CTX *ctx, |
2857 | | void (*cb)(const SSL *ssl, |
2858 | 12 | struct timeval *out_clock)) { |
2859 | 12 | ctx->current_time_cb = cb; |
2860 | 12 | } |
2861 | | |
2862 | 32.6k | int SSL_can_release_private_key(const SSL *ssl) { |
2863 | 32.6k | if (ssl_can_renegotiate(ssl)) { |
2864 | | // If the connection can renegotiate (client only), the private key may be |
2865 | | // used in a future handshake. |
2866 | 32.6k | return 0; |
2867 | 32.6k | } |
2868 | | |
2869 | | // Otherwise, this is determined by the current handshake. |
2870 | 0 | return !ssl->s3->hs || ssl->s3->hs->can_release_private_key; |
2871 | 32.6k | } |
2872 | | |
2873 | 0 | int SSL_is_init_finished(const SSL *ssl) { return !SSL_in_init(ssl); } |
2874 | | |
2875 | 3.01M | int SSL_in_init(const SSL *ssl) { |
2876 | | // This returns false once all the handshake state has been finalized, to |
2877 | | // allow callbacks and getters based on SSL_in_init to return the correct |
2878 | | // values. |
2879 | 3.01M | SSL_HANDSHAKE *hs = ssl->s3->hs.get(); |
2880 | 3.01M | return hs != nullptr && !hs->handshake_finalized; |
2881 | 3.01M | } |
2882 | | |
2883 | 0 | int SSL_in_false_start(const SSL *ssl) { |
2884 | 0 | if (ssl->s3->hs == nullptr) { |
2885 | 0 | return 0; |
2886 | 0 | } |
2887 | 0 | return ssl->s3->hs->in_false_start; |
2888 | 0 | } |
2889 | | |
2890 | 0 | int SSL_cutthrough_complete(const SSL *ssl) { return SSL_in_false_start(ssl); } |
2891 | | |
2892 | 36.0k | int SSL_is_server(const SSL *ssl) { return ssl->server; } |
2893 | | |
2894 | 6.45M | int SSL_is_dtls(const SSL *ssl) { return ssl->method->is_dtls; } |
2895 | | |
2896 | 2.72M | int SSL_is_quic(const SSL *ssl) { return ssl->quic_method != nullptr; } |
2897 | | |
2898 | | void SSL_CTX_set_select_certificate_cb( |
2899 | | SSL_CTX *ctx, |
2900 | 0 | enum ssl_select_cert_result_t (*cb)(const SSL_CLIENT_HELLO *)) { |
2901 | 0 | ctx->select_certificate_cb = cb; |
2902 | 0 | } |
2903 | | |
2904 | | void SSL_CTX_set_dos_protection_cb(SSL_CTX *ctx, |
2905 | 0 | int (*cb)(const SSL_CLIENT_HELLO *)) { |
2906 | 0 | ctx->dos_protection_cb = cb; |
2907 | 0 | } |
2908 | | |
2909 | 0 | void SSL_CTX_set_reverify_on_resume(SSL_CTX *ctx, int enabled) { |
2910 | 0 | ctx->reverify_on_resume = !!enabled; |
2911 | 0 | } |
2912 | | |
2913 | 0 | void SSL_set_enforce_rsa_key_usage(SSL *ssl, int enabled) { |
2914 | 0 | if (!ssl->config) { |
2915 | 0 | return; |
2916 | 0 | } |
2917 | 0 | ssl->config->enforce_rsa_key_usage = !!enabled; |
2918 | 0 | } |
2919 | | |
2920 | 0 | int SSL_was_key_usage_invalid(const SSL *ssl) { |
2921 | 0 | return ssl->s3->was_key_usage_invalid; |
2922 | 0 | } |
2923 | | |
2924 | 12.3k | void SSL_set_renegotiate_mode(SSL *ssl, enum ssl_renegotiate_mode_t mode) { |
2925 | 12.3k | ssl->renegotiate_mode = mode; |
2926 | | |
2927 | | // Check if |ssl_can_renegotiate| has changed and the configuration may now be |
2928 | | // shed. HTTP clients may initially allow renegotiation for HTTP/1.1, and then |
2929 | | // disable after the handshake once the ALPN protocol is known to be HTTP/2. |
2930 | 12.3k | ssl_maybe_shed_handshake_config(ssl); |
2931 | 12.3k | } |
2932 | | |
2933 | | int SSL_get_ivs(const SSL *ssl, const uint8_t **out_read_iv, |
2934 | 0 | const uint8_t **out_write_iv, size_t *out_iv_len) { |
2935 | | // No cipher suites maintain stateful internal IVs in DTLS. It would not be |
2936 | | // compatible with reordering. |
2937 | 0 | if (SSL_is_dtls(ssl)) { |
2938 | 0 | OPENSSL_PUT_ERROR(SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); |
2939 | 0 | return 0; |
2940 | 0 | } |
2941 | | |
2942 | 0 | size_t write_iv_len; |
2943 | 0 | if (!ssl->s3->aead_read_ctx->GetIV(out_read_iv, out_iv_len) || |
2944 | 0 | !ssl->s3->aead_write_ctx->GetIV(out_write_iv, &write_iv_len) || |
2945 | 0 | *out_iv_len != write_iv_len) { |
2946 | 0 | return 0; |
2947 | 0 | } |
2948 | | |
2949 | 0 | return 1; |
2950 | 0 | } |
2951 | | |
2952 | 0 | uint64_t SSL_get_read_sequence(const SSL *ssl) { |
2953 | 0 | if (SSL_is_dtls(ssl)) { |
2954 | | // TODO(crbug.com/42290608): This API should not be implemented for DTLS or |
2955 | | // QUIC. In QUIC we do not maintain a sequence number. |
2956 | 0 | const DTLSReadEpoch *read_epoch = &ssl->d1->read_epoch; |
2957 | 0 | return DTLSRecordNumber(read_epoch->epoch, read_epoch->bitmap.max_seq_num()) |
2958 | 0 | .combined(); |
2959 | 0 | } |
2960 | 0 | return ssl->s3->read_sequence; |
2961 | 0 | } |
2962 | | |
2963 | 0 | uint64_t SSL_get_write_sequence(const SSL *ssl) { |
2964 | | // TODO(crbug.com/42290608): This API should not be implemented for DTLS or |
2965 | | // QUIC. In QUIC we do not maintain a sequence number. In DTLS, this API isn't |
2966 | | // harmful per se, but the caller already needs to use a DTLS-specific API on |
2967 | | // the read side. |
2968 | 0 | if (SSL_is_dtls(ssl)) { |
2969 | 0 | return ssl->d1->write_epoch.next_record.combined(); |
2970 | 0 | } |
2971 | | |
2972 | 0 | return ssl->s3->write_sequence; |
2973 | 0 | } |
2974 | | |
2975 | 0 | int SSL_is_dtls_handshake_idle(const SSL *ssl) { |
2976 | 0 | BSSL_CHECK(SSL_is_dtls(ssl)); |
2977 | |
|
2978 | 0 | return !SSL_in_init(ssl) && |
2979 | | // No unacknowledged messages in DTLS 1.3. In DTLS 1.2, there no ACKs |
2980 | | // and we currently never clear |outgoing_messages| on the side that |
2981 | | // speaks last. |
2982 | 0 | (ssl_protocol_version(ssl) < TLS1_3_VERSION || |
2983 | 0 | ssl->d1->outgoing_messages.empty()) && |
2984 | | // No partial or out-of-order messages. |
2985 | 0 | std::all_of(std::begin(ssl->d1->incoming_messages), |
2986 | 0 | std::end(ssl->d1->incoming_messages), |
2987 | 0 | [](const auto &msg) { return msg == nullptr; }) && |
2988 | | // Not trying to send a KeyUpdate. |
2989 | 0 | !ssl->s3->key_update_pending && |
2990 | 0 | ssl->d1->queued_key_update == bssl::QueuedKeyUpdate::kNone; |
2991 | 0 | } |
2992 | | |
2993 | 0 | uint32_t SSL_get_dtls_handshake_read_seq(const SSL *ssl) { |
2994 | 0 | BSSL_CHECK(SSL_is_dtls(ssl)); |
2995 | 0 | return ssl->d1->handshake_read_overflow |
2996 | 0 | ? uint32_t{0x10000} |
2997 | 0 | : uint32_t{ssl->d1->handshake_read_seq}; |
2998 | 0 | } |
2999 | | |
3000 | 0 | uint32_t SSL_get_dtls_handshake_write_seq(const SSL *ssl) { |
3001 | 0 | BSSL_CHECK(SSL_is_dtls(ssl)); |
3002 | 0 | return ssl->d1->handshake_write_overflow |
3003 | 0 | ? uint32_t{0x10000} |
3004 | 0 | : uint32_t{ssl->d1->handshake_write_seq}; |
3005 | 0 | } |
3006 | | |
3007 | 0 | uint16_t SSL_get_dtls_read_epoch(const SSL *ssl) { |
3008 | 0 | BSSL_CHECK(SSL_is_dtls(ssl)); |
3009 | | // Return the highest available epoch. |
3010 | 0 | return ssl->d1->next_read_epoch ? ssl->d1->next_read_epoch->epoch |
3011 | 0 | : ssl->d1->read_epoch.epoch; |
3012 | 0 | } |
3013 | | |
3014 | 0 | uint16_t SSL_get_dtls_write_epoch(const SSL *ssl) { |
3015 | 0 | BSSL_CHECK(SSL_is_dtls(ssl)); |
3016 | 0 | return ssl->d1->write_epoch.epoch(); |
3017 | 0 | } |
3018 | | |
3019 | 0 | uint64_t SSL_get_dtls_read_sequence(const SSL *ssl, uint16_t epoch) { |
3020 | 0 | BSSL_CHECK(SSL_is_dtls(ssl)); |
3021 | 0 | const DTLSReadEpoch *read_epoch = dtls_get_read_epoch(ssl, epoch); |
3022 | 0 | if (read_epoch == nullptr) { |
3023 | 0 | return UINT64_MAX; |
3024 | 0 | } |
3025 | 0 | uint64_t max_seq_num = read_epoch->bitmap.max_seq_num(); |
3026 | 0 | assert(max_seq_num <= DTLSRecordNumber::kMaxSequence); |
3027 | 0 | if (read_epoch->bitmap.ShouldDiscard(max_seq_num)) { |
3028 | | // Increment to get to an available sequence number. |
3029 | 0 | max_seq_num++; |
3030 | 0 | } else { |
3031 | | // If |max_seq_num| was available, the bitmap must have been empty. |
3032 | 0 | assert(max_seq_num == 0); |
3033 | 0 | } |
3034 | 0 | return max_seq_num; |
3035 | 0 | } |
3036 | | |
3037 | 0 | uint64_t SSL_get_dtls_write_sequence(const SSL *ssl, uint16_t epoch) { |
3038 | 0 | BSSL_CHECK(SSL_is_dtls(ssl)); |
3039 | 0 | const DTLSWriteEpoch *write_epoch = dtls_get_write_epoch(ssl, epoch); |
3040 | 0 | if (write_epoch == nullptr) { |
3041 | 0 | return UINT64_MAX; |
3042 | 0 | } |
3043 | 0 | return write_epoch->next_record.sequence(); |
3044 | 0 | } |
3045 | | |
3046 | | template <typename EpochState> |
3047 | | static int get_dtls_traffic_secret( |
3048 | | const SSL *ssl, EpochState *(*get_epoch)(const SSL *, uint16_t), |
3049 | 0 | const uint8_t **out_data, size_t *out_len, uint16_t epoch) { |
3050 | 0 | BSSL_CHECK(SSL_is_dtls(ssl)); |
3051 | | // This function only applies to encrypted DTLS 1.3 epochs. |
3052 | 0 | if (epoch == 0 || ssl->s3->version == 0 || |
3053 | 0 | ssl_protocol_version(ssl) < TLS1_3_VERSION) { |
3054 | 0 | return 0; |
3055 | 0 | } |
3056 | 0 | const EpochState *epoch_state = get_epoch(ssl, epoch); |
3057 | 0 | if (epoch_state == nullptr) { |
3058 | 0 | return 0; |
3059 | 0 | } |
3060 | 0 | assert(!epoch_state->traffic_secret.empty()); |
3061 | 0 | *out_data = epoch_state->traffic_secret.data(); |
3062 | 0 | *out_len = epoch_state->traffic_secret.size(); |
3063 | 0 | return 1; |
3064 | 0 | } Unexecuted instantiation: ssl_lib.cc:int get_dtls_traffic_secret<bssl::DTLSReadEpoch>(ssl_st const*, bssl::DTLSReadEpoch* (*)(ssl_st const*, unsigned short), unsigned char const**, unsigned long*, unsigned short) Unexecuted instantiation: ssl_lib.cc:int get_dtls_traffic_secret<bssl::DTLSWriteEpoch>(ssl_st const*, bssl::DTLSWriteEpoch* (*)(ssl_st const*, unsigned short), unsigned char const**, unsigned long*, unsigned short) |
3065 | | |
3066 | | int SSL_get_dtls_read_traffic_secret(const SSL *ssl, const uint8_t **out_data, |
3067 | 0 | size_t *out_len, uint16_t epoch) { |
3068 | 0 | return get_dtls_traffic_secret(ssl, dtls_get_read_epoch, out_data, out_len, |
3069 | 0 | epoch); |
3070 | 0 | } |
3071 | | |
3072 | | int SSL_get_dtls_write_traffic_secret(const SSL *ssl, const uint8_t **out_data, |
3073 | 0 | size_t *out_len, uint16_t epoch) { |
3074 | 0 | return get_dtls_traffic_secret(ssl, dtls_get_write_epoch, out_data, out_len, |
3075 | 0 | epoch); |
3076 | 0 | } |
3077 | | |
3078 | 0 | uint16_t SSL_get_peer_signature_algorithm(const SSL *ssl) { |
3079 | 0 | SSL_SESSION *session = SSL_get_session(ssl); |
3080 | 0 | if (session == nullptr) { |
3081 | 0 | return 0; |
3082 | 0 | } |
3083 | | |
3084 | 0 | return session->peer_signature_algorithm; |
3085 | 0 | } |
3086 | | |
3087 | 0 | size_t SSL_get_client_random(const SSL *ssl, uint8_t *out, size_t max_out) { |
3088 | 0 | if (max_out == 0) { |
3089 | 0 | return sizeof(ssl->s3->client_random); |
3090 | 0 | } |
3091 | 0 | if (max_out > sizeof(ssl->s3->client_random)) { |
3092 | 0 | max_out = sizeof(ssl->s3->client_random); |
3093 | 0 | } |
3094 | 0 | OPENSSL_memcpy(out, ssl->s3->client_random, max_out); |
3095 | 0 | return max_out; |
3096 | 0 | } |
3097 | | |
3098 | 0 | size_t SSL_get_server_random(const SSL *ssl, uint8_t *out, size_t max_out) { |
3099 | 0 | if (max_out == 0) { |
3100 | 0 | return sizeof(ssl->s3->server_random); |
3101 | 0 | } |
3102 | 0 | if (max_out > sizeof(ssl->s3->server_random)) { |
3103 | 0 | max_out = sizeof(ssl->s3->server_random); |
3104 | 0 | } |
3105 | 0 | OPENSSL_memcpy(out, ssl->s3->server_random, max_out); |
3106 | 0 | return max_out; |
3107 | 0 | } |
3108 | | |
3109 | 0 | const SSL_CIPHER *SSL_get_pending_cipher(const SSL *ssl) { |
3110 | 0 | SSL_HANDSHAKE *hs = ssl->s3->hs.get(); |
3111 | 0 | if (hs == nullptr) { |
3112 | 0 | return nullptr; |
3113 | 0 | } |
3114 | 0 | return hs->new_cipher; |
3115 | 0 | } |
3116 | | |
3117 | 0 | void SSL_set_retain_only_sha256_of_client_certs(SSL *ssl, int enabled) { |
3118 | 0 | if (!ssl->config) { |
3119 | 0 | return; |
3120 | 0 | } |
3121 | 0 | ssl->config->retain_only_sha256_of_client_certs = !!enabled; |
3122 | 0 | } |
3123 | | |
3124 | 3.64k | void SSL_CTX_set_retain_only_sha256_of_client_certs(SSL_CTX *ctx, int enabled) { |
3125 | 3.64k | ctx->retain_only_sha256_of_client_certs = !!enabled; |
3126 | 3.64k | } |
3127 | | |
3128 | 12.5k | void SSL_CTX_set_grease_enabled(SSL_CTX *ctx, int enabled) { |
3129 | 12.5k | ctx->grease_enabled = !!enabled; |
3130 | 12.5k | } |
3131 | | |
3132 | 0 | void SSL_CTX_set_permute_extensions(SSL_CTX *ctx, int enabled) { |
3133 | 0 | ctx->permute_extensions = !!enabled; |
3134 | 0 | } |
3135 | | |
3136 | 0 | void SSL_set_permute_extensions(SSL *ssl, int enabled) { |
3137 | 0 | if (!ssl->config) { |
3138 | 0 | return; |
3139 | 0 | } |
3140 | 0 | ssl->config->permute_extensions = !!enabled; |
3141 | 0 | } |
3142 | | |
3143 | 0 | int32_t SSL_get_ticket_age_skew(const SSL *ssl) { |
3144 | 0 | return ssl->s3->ticket_age_skew; |
3145 | 0 | } |
3146 | | |
3147 | 0 | void SSL_CTX_set_false_start_allowed_without_alpn(SSL_CTX *ctx, int allowed) { |
3148 | 0 | ctx->false_start_allowed_without_alpn = !!allowed; |
3149 | 0 | } |
3150 | | |
3151 | 0 | int SSL_used_hello_retry_request(const SSL *ssl) { |
3152 | 0 | return ssl->s3->used_hello_retry_request; |
3153 | 0 | } |
3154 | | |
3155 | 0 | void SSL_set_shed_handshake_config(SSL *ssl, int enable) { |
3156 | 0 | if (!ssl->config) { |
3157 | 0 | return; |
3158 | 0 | } |
3159 | 0 | ssl->config->shed_handshake_config = !!enable; |
3160 | 0 | } |
3161 | | |
3162 | 0 | void SSL_set_jdk11_workaround(SSL *ssl, int enable) { |
3163 | 0 | if (!ssl->config) { |
3164 | 0 | return; |
3165 | 0 | } |
3166 | 0 | ssl->config->jdk11_workaround = !!enable; |
3167 | 0 | } |
3168 | | |
3169 | 0 | void SSL_set_quic_use_legacy_codepoint(SSL *ssl, int use_legacy) { |
3170 | 0 | if (!ssl->config) { |
3171 | 0 | return; |
3172 | 0 | } |
3173 | 0 | ssl->config->quic_use_legacy_codepoint = !!use_legacy; |
3174 | 0 | } |
3175 | | |
3176 | 0 | int SSL_clear(SSL *ssl) { |
3177 | 0 | if (!ssl->config) { |
3178 | 0 | return 0; // SSL_clear may not be used after shedding config. |
3179 | 0 | } |
3180 | | |
3181 | | // In OpenSSL, reusing a client |SSL| with |SSL_clear| causes the previously |
3182 | | // established session to be offered the next time around. wpa_supplicant |
3183 | | // depends on this behavior, so emulate it. |
3184 | 0 | UniquePtr<SSL_SESSION> session; |
3185 | 0 | if (!ssl->server && ssl->s3->established_session != nullptr) { |
3186 | 0 | session = UpRef(ssl->s3->established_session); |
3187 | 0 | } |
3188 | | |
3189 | | // The ssl->d1->mtu is simultaneously configuration (preserved across |
3190 | | // clear) and connection-specific state (gets reset). |
3191 | | // |
3192 | | // TODO(davidben): Avoid this. |
3193 | 0 | unsigned mtu = 0; |
3194 | 0 | if (ssl->d1 != nullptr) { |
3195 | 0 | mtu = ssl->d1->mtu; |
3196 | 0 | } |
3197 | |
|
3198 | 0 | ssl->method->ssl_free(ssl); |
3199 | 0 | if (!ssl->method->ssl_new(ssl)) { |
3200 | 0 | return 0; |
3201 | 0 | } |
3202 | | |
3203 | 0 | if (SSL_is_dtls(ssl) && (SSL_get_options(ssl) & SSL_OP_NO_QUERY_MTU)) { |
3204 | 0 | ssl->d1->mtu = mtu; |
3205 | 0 | } |
3206 | |
|
3207 | 0 | if (session != nullptr) { |
3208 | 0 | SSL_set_session(ssl, session.get()); |
3209 | 0 | } |
3210 | |
|
3211 | 0 | return 1; |
3212 | 0 | } |
3213 | | |
3214 | 0 | int SSL_CTX_sess_connect(const SSL_CTX *ctx) { return 0; } |
3215 | 0 | int SSL_CTX_sess_connect_good(const SSL_CTX *ctx) { return 0; } |
3216 | 0 | int SSL_CTX_sess_connect_renegotiate(const SSL_CTX *ctx) { return 0; } |
3217 | 0 | int SSL_CTX_sess_accept(const SSL_CTX *ctx) { return 0; } |
3218 | 0 | int SSL_CTX_sess_accept_renegotiate(const SSL_CTX *ctx) { return 0; } |
3219 | 0 | int SSL_CTX_sess_accept_good(const SSL_CTX *ctx) { return 0; } |
3220 | 0 | int SSL_CTX_sess_hits(const SSL_CTX *ctx) { return 0; } |
3221 | 0 | int SSL_CTX_sess_cb_hits(const SSL_CTX *ctx) { return 0; } |
3222 | 0 | int SSL_CTX_sess_misses(const SSL_CTX *ctx) { return 0; } |
3223 | 0 | int SSL_CTX_sess_timeouts(const SSL_CTX *ctx) { return 0; } |
3224 | 0 | int SSL_CTX_sess_cache_full(const SSL_CTX *ctx) { return 0; } |
3225 | | |
3226 | 0 | int SSL_num_renegotiations(const SSL *ssl) { |
3227 | 0 | return SSL_total_renegotiations(ssl); |
3228 | 0 | } |
3229 | | |
3230 | 0 | int SSL_CTX_need_tmp_RSA(const SSL_CTX *ctx) { return 0; } |
3231 | 0 | int SSL_need_tmp_RSA(const SSL *ssl) { return 0; } |
3232 | 0 | int SSL_CTX_set_tmp_rsa(SSL_CTX *ctx, const RSA *rsa) { return 1; } |
3233 | 0 | int SSL_set_tmp_rsa(SSL *ssl, const RSA *rsa) { return 1; } |
3234 | 0 | void ERR_load_SSL_strings() {} |
3235 | 0 | void SSL_load_error_strings() {} |
3236 | 0 | int SSL_cache_hit(SSL *ssl) { return SSL_session_reused(ssl); } |
3237 | | |
3238 | 0 | int SSL_CTX_set_tmp_ecdh(SSL_CTX *ctx, const EC_KEY *ec_key) { |
3239 | 0 | if (ec_key == nullptr || EC_KEY_get0_group(ec_key) == nullptr) { |
3240 | 0 | OPENSSL_PUT_ERROR(SSL, ERR_R_PASSED_NULL_PARAMETER); |
3241 | 0 | return 0; |
3242 | 0 | } |
3243 | 0 | int nid = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec_key)); |
3244 | 0 | return SSL_CTX_set1_groups(ctx, &nid, 1); |
3245 | 0 | } |
3246 | | |
3247 | 0 | int SSL_set_tmp_ecdh(SSL *ssl, const EC_KEY *ec_key) { |
3248 | 0 | if (ec_key == nullptr || EC_KEY_get0_group(ec_key) == nullptr) { |
3249 | 0 | OPENSSL_PUT_ERROR(SSL, ERR_R_PASSED_NULL_PARAMETER); |
3250 | 0 | return 0; |
3251 | 0 | } |
3252 | 0 | int nid = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec_key)); |
3253 | 0 | return SSL_set1_groups(ssl, &nid, 1); |
3254 | 0 | } |
3255 | | |
3256 | | void SSL_CTX_set_ticket_aead_method(SSL_CTX *ctx, |
3257 | 0 | const SSL_TICKET_AEAD_METHOD *aead_method) { |
3258 | 0 | ctx->ticket_aead_method = aead_method; |
3259 | 0 | } |
3260 | | |
3261 | | SSL_SESSION *SSL_process_tls13_new_session_ticket(SSL *ssl, const uint8_t *buf, |
3262 | 0 | size_t buf_len) { |
3263 | 0 | if (SSL_in_init(ssl) || // |
3264 | 0 | ssl_protocol_version(ssl) != TLS1_3_VERSION || // |
3265 | 0 | ssl->server) { |
3266 | | // Only TLS 1.3 clients are supported. |
3267 | 0 | OPENSSL_PUT_ERROR(SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); |
3268 | 0 | return nullptr; |
3269 | 0 | } |
3270 | | |
3271 | 0 | CBS cbs, body; |
3272 | 0 | CBS_init(&cbs, buf, buf_len); |
3273 | 0 | uint8_t type; |
3274 | 0 | if (!CBS_get_u8(&cbs, &type) || // |
3275 | 0 | !CBS_get_u24_length_prefixed(&cbs, &body) || // |
3276 | 0 | CBS_len(&cbs) != 0) { |
3277 | 0 | OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR); |
3278 | 0 | return nullptr; |
3279 | 0 | } |
3280 | | |
3281 | 0 | UniquePtr<SSL_SESSION> session = tls13_create_session_with_ticket(ssl, &body); |
3282 | 0 | if (!session) { |
3283 | | // |tls13_create_session_with_ticket| puts the correct error. |
3284 | 0 | return nullptr; |
3285 | 0 | } |
3286 | 0 | return session.release(); |
3287 | 0 | } |
3288 | | |
3289 | 0 | int SSL_CTX_set_num_tickets(SSL_CTX *ctx, size_t num_tickets) { |
3290 | 0 | num_tickets = std::min(num_tickets, kMaxTickets); |
3291 | 0 | static_assert(kMaxTickets <= 0xff, "Too many tickets."); |
3292 | 0 | ctx->num_tickets = static_cast<uint8_t>(num_tickets); |
3293 | 0 | return 1; |
3294 | 0 | } |
3295 | | |
3296 | 0 | size_t SSL_CTX_get_num_tickets(const SSL_CTX *ctx) { return ctx->num_tickets; } |
3297 | | |
3298 | 0 | int SSL_set_tlsext_status_type(SSL *ssl, int type) { |
3299 | 0 | if (!ssl->config) { |
3300 | 0 | return 0; |
3301 | 0 | } |
3302 | 0 | ssl->config->ocsp_stapling_enabled = type == TLSEXT_STATUSTYPE_ocsp; |
3303 | 0 | return 1; |
3304 | 0 | } |
3305 | | |
3306 | 0 | int SSL_get_tlsext_status_type(const SSL *ssl) { |
3307 | 0 | if (ssl->server) { |
3308 | 0 | SSL_HANDSHAKE *hs = ssl->s3->hs.get(); |
3309 | 0 | return hs != nullptr && hs->ocsp_stapling_requested |
3310 | 0 | ? TLSEXT_STATUSTYPE_ocsp |
3311 | 0 | : TLSEXT_STATUSTYPE_nothing; |
3312 | 0 | } |
3313 | | |
3314 | 0 | return ssl->config != nullptr && ssl->config->ocsp_stapling_enabled |
3315 | 0 | ? TLSEXT_STATUSTYPE_ocsp |
3316 | 0 | : TLSEXT_STATUSTYPE_nothing; |
3317 | 0 | } |
3318 | | |
3319 | 0 | int SSL_set_tlsext_status_ocsp_resp(SSL *ssl, uint8_t *resp, size_t resp_len) { |
3320 | 0 | if (SSL_set_ocsp_response(ssl, resp, resp_len)) { |
3321 | 0 | OPENSSL_free(resp); |
3322 | 0 | return 1; |
3323 | 0 | } |
3324 | 0 | return 0; |
3325 | 0 | } |
3326 | | |
3327 | 0 | size_t SSL_get_tlsext_status_ocsp_resp(const SSL *ssl, const uint8_t **out) { |
3328 | 0 | size_t ret; |
3329 | 0 | SSL_get0_ocsp_response(ssl, out, &ret); |
3330 | 0 | return ret; |
3331 | 0 | } |
3332 | | |
3333 | | int SSL_CTX_set_tlsext_status_cb(SSL_CTX *ctx, |
3334 | 0 | int (*callback)(SSL *ssl, void *arg)) { |
3335 | 0 | ctx->legacy_ocsp_callback = callback; |
3336 | 0 | return 1; |
3337 | 0 | } |
3338 | | |
3339 | 0 | int SSL_CTX_set_tlsext_status_arg(SSL_CTX *ctx, void *arg) { |
3340 | 0 | ctx->legacy_ocsp_callback_arg = arg; |
3341 | 0 | return 1; |
3342 | 0 | } |
3343 | | |
3344 | 0 | uint16_t SSL_get_curve_id(const SSL *ssl) { return SSL_get_group_id(ssl); } |
3345 | | |
3346 | 0 | const char *SSL_get_curve_name(uint16_t curve_id) { |
3347 | 0 | return SSL_get_group_name(curve_id); |
3348 | 0 | } |
3349 | | |
3350 | 0 | size_t SSL_get_all_curve_names(const char **out, size_t max_out) { |
3351 | 0 | return SSL_get_all_group_names(out, max_out); |
3352 | 0 | } |
3353 | | |
3354 | 0 | int SSL_CTX_set1_curves(SSL_CTX *ctx, const int *curves, size_t num_curves) { |
3355 | 0 | return SSL_CTX_set1_groups(ctx, curves, num_curves); |
3356 | 0 | } |
3357 | | |
3358 | 0 | int SSL_set1_curves(SSL *ssl, const int *curves, size_t num_curves) { |
3359 | 0 | return SSL_set1_groups(ssl, curves, num_curves); |
3360 | 0 | } |
3361 | | |
3362 | 0 | int SSL_CTX_set1_curves_list(SSL_CTX *ctx, const char *curves) { |
3363 | 0 | return SSL_CTX_set1_groups_list(ctx, curves); |
3364 | 0 | } |
3365 | | |
3366 | 0 | int SSL_set1_curves_list(SSL *ssl, const char *curves) { |
3367 | 0 | return SSL_set1_groups_list(ssl, curves); |
3368 | 0 | } |
3369 | | |
3370 | | namespace fips202205 { |
3371 | | |
3372 | | // (References are to SP 800-52r2): |
3373 | | |
3374 | | // Section 3.4.2.2 |
3375 | | // "at least one of the NIST-approved curves, P-256 (secp256r1) and P384 |
3376 | | // (secp384r1), shall be supported as described in RFC 8422." |
3377 | | // |
3378 | | // Section 3.3.1 |
3379 | | // "The server shall be configured to only use cipher suites that are |
3380 | | // composed entirely of NIST approved algorithms" |
3381 | | static const uint16_t kGroups[] = {SSL_GROUP_SECP256R1, SSL_GROUP_SECP384R1}; |
3382 | | |
3383 | | static const uint16_t kSigAlgs[] = { |
3384 | | SSL_SIGN_RSA_PKCS1_SHA256, |
3385 | | SSL_SIGN_RSA_PKCS1_SHA384, |
3386 | | SSL_SIGN_RSA_PKCS1_SHA512, |
3387 | | // Table 4.1: |
3388 | | // "The curve should be P-256 or P-384" |
3389 | | SSL_SIGN_ECDSA_SECP256R1_SHA256, |
3390 | | SSL_SIGN_ECDSA_SECP384R1_SHA384, |
3391 | | SSL_SIGN_RSA_PSS_RSAE_SHA256, |
3392 | | SSL_SIGN_RSA_PSS_RSAE_SHA384, |
3393 | | SSL_SIGN_RSA_PSS_RSAE_SHA512, |
3394 | | }; |
3395 | | |
3396 | | static const char kTLS12Ciphers[] = |
3397 | | "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:" |
3398 | | "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:" |
3399 | | "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384:" |
3400 | | "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"; |
3401 | | |
3402 | 0 | static int Configure(SSL_CTX *ctx) { |
3403 | 0 | ctx->compliance_policy = ssl_compliance_policy_fips_202205; |
3404 | |
|
3405 | 0 | return |
3406 | | // Section 3.1: |
3407 | | // "Servers that support government-only applications shall be |
3408 | | // configured to use TLS 1.2 and should be configured to use TLS 1.3 |
3409 | | // as well. These servers should not be configured to use TLS 1.1 and |
3410 | | // shall not use TLS 1.0, SSL 3.0, or SSL 2.0. |
3411 | 0 | SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION) && |
3412 | 0 | SSL_CTX_set_max_proto_version(ctx, TLS1_3_VERSION) && |
3413 | | // Sections 3.3.1.1.1 and 3.3.1.1.2 are ambiguous about whether |
3414 | | // HMAC-SHA-1 cipher suites are permitted with TLS 1.2. However, later the |
3415 | | // Encrypt-then-MAC extension is required for all CBC cipher suites and so |
3416 | | // it's easier to drop them. |
3417 | 0 | SSL_CTX_set_strict_cipher_list(ctx, kTLS12Ciphers) && |
3418 | 0 | SSL_CTX_set1_group_ids(ctx, kGroups, std::size(kGroups)) && |
3419 | 0 | SSL_CTX_set_signing_algorithm_prefs(ctx, kSigAlgs, std::size(kSigAlgs)) && |
3420 | 0 | SSL_CTX_set_verify_algorithm_prefs(ctx, kSigAlgs, std::size(kSigAlgs)); |
3421 | 0 | } |
3422 | | |
3423 | 0 | static int Configure(SSL *ssl) { |
3424 | 0 | ssl->config->compliance_policy = ssl_compliance_policy_fips_202205; |
3425 | | |
3426 | | // See |Configure(SSL_CTX)|, above, for reasoning. |
3427 | 0 | return SSL_set_min_proto_version(ssl, TLS1_2_VERSION) && |
3428 | 0 | SSL_set_max_proto_version(ssl, TLS1_3_VERSION) && |
3429 | 0 | SSL_set_strict_cipher_list(ssl, kTLS12Ciphers) && |
3430 | 0 | SSL_set1_group_ids(ssl, kGroups, std::size(kGroups)) && |
3431 | 0 | SSL_set_signing_algorithm_prefs(ssl, kSigAlgs, std::size(kSigAlgs)) && |
3432 | 0 | SSL_set_verify_algorithm_prefs(ssl, kSigAlgs, std::size(kSigAlgs)); |
3433 | 0 | } |
3434 | | |
3435 | | } // namespace fips202205 |
3436 | | |
3437 | | namespace wpa202304 { |
3438 | | |
3439 | | // See WPA version 3.1, section 3.5. |
3440 | | |
3441 | | static const uint16_t kGroups[] = {SSL_GROUP_SECP384R1}; |
3442 | | |
3443 | | static const uint16_t kSigAlgs[] = { |
3444 | | SSL_SIGN_RSA_PKCS1_SHA384, // |
3445 | | SSL_SIGN_RSA_PKCS1_SHA512, // |
3446 | | SSL_SIGN_ECDSA_SECP384R1_SHA384, // |
3447 | | SSL_SIGN_RSA_PSS_RSAE_SHA384, // |
3448 | | SSL_SIGN_RSA_PSS_RSAE_SHA512, // |
3449 | | }; |
3450 | | |
3451 | | static const char kTLS12Ciphers[] = |
3452 | | "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384:" |
3453 | | "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"; |
3454 | | |
3455 | 0 | static int Configure(SSL_CTX *ctx) { |
3456 | 0 | ctx->compliance_policy = ssl_compliance_policy_wpa3_192_202304; |
3457 | |
|
3458 | 0 | return SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION) && |
3459 | 0 | SSL_CTX_set_max_proto_version(ctx, TLS1_3_VERSION) && |
3460 | 0 | SSL_CTX_set_strict_cipher_list(ctx, kTLS12Ciphers) && |
3461 | 0 | SSL_CTX_set1_group_ids(ctx, kGroups, std::size(kGroups)) && |
3462 | 0 | SSL_CTX_set_signing_algorithm_prefs(ctx, kSigAlgs, |
3463 | 0 | std::size(kSigAlgs)) && |
3464 | 0 | SSL_CTX_set_verify_algorithm_prefs(ctx, kSigAlgs, std::size(kSigAlgs)); |
3465 | 0 | } |
3466 | | |
3467 | 0 | static int Configure(SSL *ssl) { |
3468 | 0 | ssl->config->compliance_policy = ssl_compliance_policy_wpa3_192_202304; |
3469 | |
|
3470 | 0 | return SSL_set_min_proto_version(ssl, TLS1_2_VERSION) && |
3471 | 0 | SSL_set_max_proto_version(ssl, TLS1_3_VERSION) && |
3472 | 0 | SSL_set_strict_cipher_list(ssl, kTLS12Ciphers) && |
3473 | 0 | SSL_set1_group_ids(ssl, kGroups, std::size(kGroups)) && |
3474 | 0 | SSL_set_signing_algorithm_prefs(ssl, kSigAlgs, std::size(kSigAlgs)) && |
3475 | 0 | SSL_set_verify_algorithm_prefs(ssl, kSigAlgs, std::size(kSigAlgs)); |
3476 | 0 | } |
3477 | | |
3478 | | } // namespace wpa202304 |
3479 | | |
3480 | | namespace cnsa202407 { |
3481 | | |
3482 | 0 | static int Configure(SSL_CTX *ctx) { |
3483 | 0 | ctx->compliance_policy = ssl_compliance_policy_cnsa_202407; |
3484 | 0 | return 1; |
3485 | 0 | } |
3486 | | |
3487 | 0 | static int Configure(SSL *ssl) { |
3488 | 0 | ssl->config->compliance_policy = ssl_compliance_policy_cnsa_202407; |
3489 | 0 | return 1; |
3490 | 0 | } |
3491 | | |
3492 | | } // namespace cnsa202407 |
3493 | | |
3494 | | int SSL_CTX_set_compliance_policy(SSL_CTX *ctx, |
3495 | 0 | enum ssl_compliance_policy_t policy) { |
3496 | 0 | switch (policy) { |
3497 | 0 | case ssl_compliance_policy_fips_202205: |
3498 | 0 | return fips202205::Configure(ctx); |
3499 | 0 | case ssl_compliance_policy_wpa3_192_202304: |
3500 | 0 | return wpa202304::Configure(ctx); |
3501 | 0 | case ssl_compliance_policy_cnsa_202407: |
3502 | 0 | return cnsa202407::Configure(ctx); |
3503 | 0 | default: |
3504 | 0 | return 0; |
3505 | 0 | } |
3506 | 0 | } |
3507 | | |
3508 | 0 | enum ssl_compliance_policy_t SSL_CTX_get_compliance_policy(const SSL_CTX *ctx) { |
3509 | 0 | return ctx->compliance_policy; |
3510 | 0 | } |
3511 | | |
3512 | 0 | int SSL_set_compliance_policy(SSL *ssl, enum ssl_compliance_policy_t policy) { |
3513 | 0 | switch (policy) { |
3514 | 0 | case ssl_compliance_policy_fips_202205: |
3515 | 0 | return fips202205::Configure(ssl); |
3516 | 0 | case ssl_compliance_policy_wpa3_192_202304: |
3517 | 0 | return wpa202304::Configure(ssl); |
3518 | 0 | case ssl_compliance_policy_cnsa_202407: |
3519 | 0 | return cnsa202407::Configure(ssl); |
3520 | 0 | default: |
3521 | 0 | return 0; |
3522 | 0 | } |
3523 | 0 | } |
3524 | | |
3525 | 0 | enum ssl_compliance_policy_t SSL_get_compliance_policy(const SSL *ssl) { |
3526 | 0 | return ssl->config->compliance_policy; |
3527 | 0 | } |
3528 | | |
3529 | 0 | int SSL_peer_matched_trust_anchor(const SSL *ssl) { |
3530 | 0 | return ssl->s3->hs != nullptr && ssl->s3->hs->peer_matched_trust_anchor; |
3531 | 0 | } |
3532 | | |
3533 | | void SSL_get0_peer_available_trust_anchors(const SSL *ssl, const uint8_t **out, |
3534 | 0 | size_t *out_len) { |
3535 | 0 | Span<const uint8_t> ret; |
3536 | 0 | if (SSL_HANDSHAKE *hs = ssl->s3->hs.get(); hs != nullptr) { |
3537 | 0 | ret = hs->peer_available_trust_anchors; |
3538 | 0 | } |
3539 | 0 | *out = ret.data(); |
3540 | 0 | *out_len = ret.size(); |
3541 | 0 | } |
3542 | | |
3543 | | int SSL_CTX_set1_requested_trust_anchors(SSL_CTX *ctx, const uint8_t *ids, |
3544 | 0 | size_t ids_len) { |
3545 | 0 | auto span = Span(ids, ids_len); |
3546 | 0 | if (!ssl_is_valid_trust_anchor_list(span)) { |
3547 | 0 | OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_TRUST_ANCHOR_LIST); |
3548 | 0 | return 0; |
3549 | 0 | } |
3550 | 0 | Array<uint8_t> copy; |
3551 | 0 | if (!copy.CopyFrom(span)) { |
3552 | 0 | return 0; |
3553 | 0 | } |
3554 | 0 | ctx->requested_trust_anchors = std::move(copy); |
3555 | 0 | return 1; |
3556 | 0 | } |
3557 | | |
3558 | | int SSL_set1_requested_trust_anchors(SSL *ssl, const uint8_t *ids, |
3559 | 0 | size_t ids_len) { |
3560 | 0 | if (!ssl->config) { |
3561 | 0 | return 0; |
3562 | 0 | } |
3563 | 0 | auto span = Span(ids, ids_len); |
3564 | 0 | if (!ssl_is_valid_trust_anchor_list(span)) { |
3565 | 0 | OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_TRUST_ANCHOR_LIST); |
3566 | 0 | return 0; |
3567 | 0 | } |
3568 | 0 | Array<uint8_t> copy; |
3569 | 0 | if (!copy.CopyFrom(span)) { |
3570 | 0 | return 0; |
3571 | 0 | } |
3572 | 0 | ssl->config->requested_trust_anchors = std::move(copy); |
3573 | 0 | return 1; |
3574 | 0 | } |
3575 | | |
3576 | 0 | int SSL_CTX_get_security_level(const SSL_CTX *ctx) { return 0; } |