&& (s)->method->version >= TLS1_3_VERSION \
&& (s)->method->version != TLS_ANY_VERSION)
+# define SSL_IS_FIRST_HANDSHAKE(S) ((s)->s3->tmp.finish_md_len == 0)
+
/* See if we need explicit IV */
# define SSL_USE_EXPLICIT_IV(s) \
(s->method->ssl3_enc->enc_flags & SSL_ENC_FLAG_EXPLICIT_IV)
int (*ssl_write) (SSL *s, const void *buf, size_t len, size_t *written);
int (*ssl_shutdown) (SSL *s);
int (*ssl_renegotiate) (SSL *s);
- int (*ssl_renegotiate_check) (SSL *s);
+ int (*ssl_renegotiate_check) (SSL *s, int);
int (*ssl_read_bytes) (SSL *s, int type, int *recvd_type,
unsigned char *buf, size_t len, int peek,
size_t *readbytes);
int ssl_version; /* what ssl version session info is being kept
* in here? */
size_t master_key_length;
+
+ /*
+ * For <=TLS1.2 this is the master_key. For TLS1.3 this is the resumption
+ * master secret
+ */
unsigned char master_key[SSL_MAX_MASTER_KEY_LENGTH];
/* session_id - valid? */
size_t session_id_length;
size_t ticklen; /* Session ticket length */
/* Session lifetime hint in seconds */
unsigned long tick_lifetime_hint;
+ uint32_t tick_age_add;
+ int tick_identity;
} ext;
# ifndef OPENSSL_NO_SRP
char *srp_username;
unsigned char *supportedgroups;
# endif /* OPENSSL_NO_EC */
-# ifndef OPENSSL_NO_NEXTPROTONEG
/*
* ALPN information (we are in the process of transitioning from NPN to
* ALPN.)
unsigned char *alpn;
size_t alpn_len;
+# ifndef OPENSSL_NO_NEXTPROTONEG
/* Next protocol negotiation information */
/*
int (*not_resumable_session_cb) (SSL *ssl, int is_forward_secure);
CRYPTO_RWLOCK *lock;
+
+ /*
+ * Callback for logging key material for use with debugging tools like
+ * Wireshark. The callback should log `line` followed by a newline.
+ */
+ SSL_CTX_keylog_cb_func keylog_callback;
};
struct ssl_st {
*/
uint32_t mac_flags;
/*
- * The TLS1.3 early_secret and handshake_secret. The master_secret is stored
- * in the session.
+ * The TLS1.3 secrets. The resumption master secret is stored in the
+ * session.
*/
unsigned char early_secret[EVP_MAX_MD_SIZE];
unsigned char handshake_secret[EVP_MAX_MD_SIZE];
+ unsigned char master_secret[EVP_MAX_MD_SIZE];
unsigned char client_finished_secret[EVP_MAX_MD_SIZE];
unsigned char server_finished_secret[EVP_MAX_MD_SIZE];
+ unsigned char server_finished_hash[EVP_MAX_MD_SIZE];
EVP_CIPHER_CTX *enc_read_ctx; /* cryptographic state */
unsigned char read_iv[EVP_MAX_IV_LENGTH]; /* TLSv1.3 static read IV */
EVP_MD_CTX *read_hash; /* used for mac generation */
*/
unsigned char *npn;
size_t npn_len;
+
+ /* The available PSK key exchange modes */
+ int psk_kex_mode;
} ext;
/*-
* If they are not, the connection should be aborted.
*/
ssl_ct_validation_cb ct_validation_callback;
- /* User-supplied argument tha tis passed to the ct_validation_callback */
+ /* User-supplied argument that is passed to the ct_validation_callback */
void *ct_validation_callback_arg;
/*
* Consolidated stack of SCTs from all sources.
* algorithms extension for server or as part of a certificate
* request for client.
*/
- unsigned char *peer_sigalgs;
+ unsigned int *peer_sigalgs;
/* Size of above array */
size_t peer_sigalgslen;
/* Digest peer uses for signing */
* the client hello as the supported signature algorithms extension. For
* servers it represents the signature algorithms we are willing to use.
*/
- unsigned char *conf_sigalgs;
+ unsigned int *conf_sigalgs;
/* Size of above array */
size_t conf_sigalgslen;
/*
* Client authentication signature algorithms, if not set then uses
* conf_sigalgs. On servers these will be the signature algorithms sent
- * to the client in a cerificate request for TLS 1.2. On a client this
- * represents the signature algortithms we are willing to use for client
+ * to the client in a certificate request for TLS 1.2. On a client this
+ * represents the signature algorithms we are willing to use for client
* authentication.
*/
- unsigned char *client_sigalgs;
+ unsigned int *client_sigalgs;
/* Size of above array */
size_t client_sigalgslen;
/*
int sign_nid;
/* Combined hash and signature NID */
int signandhash_nid;
- /* Raw values used in extension */
- unsigned char rsign;
- unsigned char rhash;
+ /* Raw value used in extension */
+ unsigned int rsigalg;
};
# define FP_ICC (int (*)(const void *,const void *))
TLSEXT_IDX_signed_certificate_timestamp,
TLSEXT_IDX_extended_master_secret,
TLSEXT_IDX_supported_versions,
+ TLSEXT_IDX_psk_kex_modes,
TLSEXT_IDX_key_share,
TLSEXT_IDX_cryptopro_bug,
- TLSEXT_IDX_padding
+ TLSEXT_IDX_padding,
+ TLSEXT_IDX_psk
} TLSEXT_INDEX;
/*
*/
#define TLSEXT_STATUSTYPE_nothing -1
+/* Sigalgs values */
+#define TLSEXT_SIGALG_ecdsa_secp256r1_sha256 0x0403
+#define TLSEXT_SIGALG_ecdsa_secp384r1_sha384 0x0503
+#define TLSEXT_SIGALG_ecdsa_secp521r1_sha512 0x0603
+#define TLSEXT_SIGALG_ecdsa_sha1 0x0203
+#define TLSEXT_SIGALG_rsa_pss_sha256 0x0804
+#define TLSEXT_SIGALG_rsa_pss_sha384 0x0805
+#define TLSEXT_SIGALG_rsa_pss_sha512 0x0806
+#define TLSEXT_SIGALG_rsa_pkcs1_sha256 0x0401
+#define TLSEXT_SIGALG_rsa_pkcs1_sha384 0x0501
+#define TLSEXT_SIGALG_rsa_pkcs1_sha512 0x0601
+#define TLSEXT_SIGALG_rsa_pkcs1_sha1 0x0201
+#define TLSEXT_SIGALG_dsa_sha256 0x0402
+#define TLSEXT_SIGALG_dsa_sha384 0x0502
+#define TLSEXT_SIGALG_dsa_sha512 0x0602
+#define TLSEXT_SIGALG_dsa_sha1 0x0202
+#define TLSEXT_SIGALG_gostr34102012_256_gostr34112012_256 0xeeee
+#define TLSEXT_SIGALG_gostr34102012_512_gostr34112012_512 0xefef
+#define TLSEXT_SIGALG_gostr34102001_gostr3411 0xeded
+
+/* Known PSK key exchange modes */
+#define TLSEXT_KEX_MODE_KE 0x00
+#define TLSEXT_KEX_MODE_KE_DHE 0x01
+
+/*
+ * Internal representations of key exchange modes
+ */
+#define TLSEXT_KEX_MODE_FLAG_NONE 0
+#define TLSEXT_KEX_MODE_FLAG_KE 1
+#define TLSEXT_KEX_MODE_FLAG_KE_DHE 2
+
+/* An invalid index into the TLSv1.3 PSK identities */
+#define TLSEXT_PSK_BAD_IDENTITY -1
+
+#define SIGID_IS_PSS(sigid) ((sigid) == TLSEXT_SIGALG_rsa_pss_sha256 \
+ || (sigid) == TLSEXT_SIGALG_rsa_pss_sha384 \
+ || (sigid) == TLSEXT_SIGALG_rsa_pss_sha512)
+
+
+/* A dummy signature value not valid for TLSv1.2 signature algs */
+#define TLSEXT_signature_rsa_pss 0x0101
+
+
#define MAX_COMPRESSIONS_SIZE 255
typedef struct {
int genmaster);
__owur EVP_PKEY *ssl_dh_to_pkey(DH *dh);
+__owur const SSL_CIPHER *ssl3_get_cipher_by_id(uint32_t id);
__owur const SSL_CIPHER *ssl3_get_cipher_by_char(const unsigned char *p);
__owur int ssl3_put_cipher_by_char(const SSL_CIPHER *c, WPACKET *pkt,
size_t *len);
__owur int ssl3_num_ciphers(void);
__owur const SSL_CIPHER *ssl3_get_cipher(unsigned int u);
int ssl3_renegotiate(SSL *ssl);
-int ssl3_renegotiate_check(SSL *ssl);
+int ssl3_renegotiate_check(SSL *ssl, int initok);
__owur int ssl3_dispatch_alert(SSL *s);
__owur size_t ssl3_final_finish_mac(SSL *s, const char *sender, size_t slen,
unsigned char *p);
__owur int ssl3_set_handshake_header(SSL *s, WPACKET *pkt, int htype);
__owur int tls_close_construct_packet(SSL *s, WPACKET *pkt, int htype);
+__owur int tls_setup_handshake(SSL *s);
__owur int dtls1_set_handshake_header(SSL *s, WPACKET *pkt, int htype);
__owur int dtls1_close_construct_packet(SSL *s, WPACKET *pkt, int htype);
__owur int ssl3_handshake_write(SSL *s);
__owur size_t tls13_final_finish_mac(SSL *s, const char *str, size_t slen,
unsigned char *p);
__owur int tls13_change_cipher_state(SSL *s, int which);
-__owur int tls13_derive_secret(SSL *s, const unsigned char *insecret,
- const unsigned char *label, size_t labellen,
- unsigned char *secret);
+__owur int tls13_hkdf_expand(SSL *s, const EVP_MD *md,
+ const unsigned char *secret,
+ const unsigned char *label, size_t labellen,
+ const unsigned char *hash,
+ unsigned char *out, size_t outlen);
__owur int tls13_derive_key(SSL *s, const unsigned char *secret,
unsigned char *key, size_t keylen);
__owur int tls13_derive_iv(SSL *s, const unsigned char *secret,
unsigned char *iv, size_t ivlen);
-__owur int tls13_generate_early_secret(SSL *s, const unsigned char *insecret,
- size_t insecretlen);
+__owur int tls13_derive_finishedkey(SSL *s, const EVP_MD *md,
+ const unsigned char *secret,
+ unsigned char *fin, size_t finlen);
+int tls13_generate_secret(SSL *s, const EVP_MD *md,
+ const unsigned char *prevsecret,
+ const unsigned char *insecret,
+ size_t insecretlen,
+ unsigned char *outsecret);
__owur int tls13_generate_handshake_secret(SSL *s,
const unsigned char *insecret,
size_t insecretlen);
const unsigned char *p, size_t plen,
int use_context);
__owur int tls1_alert_code(int code);
+__owur int tls13_alert_code(int code);
__owur int ssl3_alert_code(int code);
__owur int ssl_ok(SSL *s);
void ssl_set_default_md(SSL *s);
__owur int tls1_set_server_sigalgs(SSL *s);
-__owur RAW_EXTENSION *tls_get_extension_by_type(RAW_EXTENSION *exts,
- size_t numexts,
- unsigned int type);
__owur int tls_get_ticket_from_client(SSL *s, CLIENTHELLO_MSG *hello,
SSL_SESSION **ret);
+
+/* Return codes for tls_decrypt_ticket */
+#define TICKET_FATAL_ERR_MALLOC -2
+#define TICKET_FATAL_ERR_OTHER -1
+#define TICKET_NO_DECRYPT 2
+#define TICKET_SUCCESS 3
+#define TICKET_SUCCESS_RENEW 4
+__owur int tls_decrypt_ticket(SSL *s, const unsigned char *etick,
+ size_t eticklen, const unsigned char *sess_id,
+ size_t sesslen, SSL_SESSION **psess);
+
__owur int tls_use_ticket(SSL *s);
-__owur int tls12_get_sigandhash(WPACKET *pkt, const EVP_PKEY *pk,
- const EVP_MD *md);
-__owur int tls12_get_sigid(const EVP_PKEY *pk);
-__owur const EVP_MD *tls12_get_hash(unsigned char hash_alg);
+__owur int tls12_get_sigandhash(SSL *s, WPACKET *pkt, const EVP_PKEY *pk,
+ const EVP_MD *md, int *ispss);
+__owur const EVP_MD *tls12_get_hash(int hash_nid);
void ssl_set_sig_mask(uint32_t *pmask_a, SSL *s, int op);
__owur int tls1_set_sigalgs_list(CERT *c, const char *str, int client);
void ssl_clear_hash_ctx(EVP_MD_CTX **hash);
__owur long ssl_get_algorithm2(SSL *s);
__owur int tls12_copy_sigalgs(SSL *s, WPACKET *pkt,
- const unsigned char *psig, size_t psiglen);
-__owur int tls1_save_sigalgs(SSL *s, const unsigned char *data, size_t dsize);
+ const unsigned int *psig, size_t psiglen);
+__owur int tls1_save_sigalgs(SSL *s, PACKET *pkt);
__owur int tls1_process_sigalgs(SSL *s);
-__owur size_t tls12_get_psigalgs(SSL *s, const unsigned char **psigs);
-__owur int tls12_check_peer_sigalg(const EVP_MD **pmd, SSL *s,
- const unsigned char *sig, EVP_PKEY *pkey);
+__owur size_t tls12_get_psigalgs(SSL *s, int sent, const unsigned int **psigs);
+__owur int tls12_check_peer_sigalg(const EVP_MD **pmd, SSL *s, unsigned int sig,
+ EVP_PKEY *pkey);
void ssl_set_client_disabled(SSL *s);
__owur int ssl_cipher_disabled(SSL *s, const SSL_CIPHER *c, int op);
__owur const EVP_MD *ssl_handshake_md(SSL *s);
__owur const EVP_MD *ssl_prf_md(SSL *s);
+/*
+ * ssl_log_rsa_client_key_exchange logs |premaster| to the SSL_CTX associated
+ * with |ssl|, if logging is enabled. It returns one on success and zero on
+ * failure. The entry is identified by the first 8 bytes of
+ * |encrypted_premaster|.
+ */
+__owur int ssl_log_rsa_client_key_exchange(SSL *ssl,
+ const uint8_t *encrypted_premaster,
+ size_t encrypted_premaster_len,
+ const uint8_t *premaster,
+ size_t premaster_len);
+
+/* ssl_log_master_secret logs |master| to the SSL_CTX associated with |ssl|, if
+ * logging is enabled. It returns one on success and zero on failure. The entry
+ * is identified by |client_random|.
+ */
+__owur int ssl_log_master_secret(SSL *ssl, const uint8_t *client_random,
+ size_t client_random_len,
+ const uint8_t *master, size_t master_len);
+
/* s3_cbc.c */
__owur char ssl3_cbc_record_digest_supported(const EVP_MD_CTX *ctx);
__owur int ssl3_cbc_digest_record(const EVP_MD_CTX *ctx,