* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
* Copyright 2005 Nokia. All rights reserved.
*
- * Licensed under the OpenSSL license (the "License"). You may not use
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
* in the file LICENSE in the source distribution or at
* https://www.openssl.org/source/license.html
# include <openssl/ct.h>
# include "record/record.h"
# include "statem/statem.h"
-# include "packet_locl.h"
+# include "internal/packet.h"
# include "internal/dane.h"
# include "internal/refcount.h"
+# include "internal/tsan_assist.h"
+# include "internal/bio.h"
# ifdef OPENSSL_BUILD_SHLIBSSL
# undef OPENSSL_EXTERN
(c)[1]=(unsigned char)(((l)>> 8)&0xff), \
(c)[2]=(unsigned char)(((l) )&0xff)),(c)+=3)
+# define TLS_MAX_VERSION_INTERNAL TLS1_3_VERSION
+# define DTLS_MAX_VERSION_INTERNAL DTLS1_2_VERSION
+
/*
* DTLS version numbers are strange because they're inverted. Except for
* DTLS1_BAD_VER, which should be considered "lower" than the rest.
|| (s)->early_data_state == SSL_EARLY_DATA_WRITE_RETRY \
|| (s)->hello_retry_request == SSL_HRR_PENDING)
-# define SSL_IS_FIRST_HANDSHAKE(S) ((s)->s3->tmp.finish_md_len == 0 \
- || (s)->s3->tmp.peer_finish_md_len == 0)
+# define SSL_IS_FIRST_HANDSHAKE(S) ((s)->s3.tmp.finish_md_len == 0 \
+ || (s)->s3.tmp.peer_finish_md_len == 0)
/* See if we need explicit IV */
# define SSL_USE_EXPLICIT_IV(s) \
# define GET_MAX_FRAGMENT_LENGTH(session) \
(512U << (session->ext.max_fragment_len_mode - 1))
-# define SSL_READ_ETM(s) (s->s3->flags & TLS1_FLAGS_ENCRYPT_THEN_MAC_READ)
-# define SSL_WRITE_ETM(s) (s->s3->flags & TLS1_FLAGS_ENCRYPT_THEN_MAC_WRITE)
+# define SSL_READ_ETM(s) (s->s3.flags & TLS1_FLAGS_ENCRYPT_THEN_MAC_READ)
+# define SSL_WRITE_ETM(s) (s->s3.flags & TLS1_FLAGS_ENCRYPT_THEN_MAC_WRITE)
/* Mostly for SSLv3 */
# define SSL_PKEY_RSA 0
# define SSL_PKEY_GOST12_256 5
# define SSL_PKEY_GOST12_512 6
# define SSL_PKEY_ED25519 7
-# define SSL_PKEY_NUM 8
-/*
- * Pseudo-constant. GOST cipher suites can use different certs for 1
- * SSL_CIPHER. So let's see which one we have in fact.
- */
-# define SSL_PKEY_GOST_EC SSL_PKEY_NUM+1
+# define SSL_PKEY_ED448 8
+# define SSL_PKEY_NUM 9
/*-
* SSL_kRSA <- RSA_ENC
long (*ssl_ctx_callback_ctrl) (SSL_CTX *s, int cb_id, void (*fp) (void));
};
+/*
+ * Matches the length of PSK_MAX_PSK_LEN. We keep it the same value for
+ * consistency, even in the event of OPENSSL_NO_PSK being defined.
+ */
+# define TLS13_MAX_RESUMPTION_PSK_LENGTH 256
+
/*-
* Lets make this into an ASN.1 type structure as follows
* SSL_SESSION_ID ::= SEQUENCE {
unsigned char early_secret[EVP_MAX_MD_SIZE];
/*
* For <=TLS1.2 this is the master_key. For TLS1.3 this is the resumption
- * master secret
+ * PSK
*/
- unsigned char master_key[TLS13_MAX_RESUMPTION_MASTER_LENGTH];
+ unsigned char master_key[TLS13_MAX_RESUMPTION_PSK_LENGTH];
/* session_id - valid? */
size_t session_id_length;
unsigned char session_id[SSL_MAX_SSL_SESSION_ID_LENGTH];
const SSL_CIPHER *cipher;
unsigned long cipher_id; /* when ASN.1 loaded, this needs to be used to
* load the 'cipher' structure */
- STACK_OF(SSL_CIPHER) *ciphers; /* shared ciphers? */
CRYPTO_EX_DATA ex_data; /* application specific data */
/*
* These are used to make removal of session-ids more efficient and to
struct {
char *hostname;
-# ifndef OPENSSL_NO_EC
- size_t ecpointformats_len;
- unsigned char *ecpointformats; /* peer's list */
-# endif /* OPENSSL_NO_EC */
- size_t supportedgroups_len;
- uint16_t *supportedgroups; /* peer's list */
- /* RFC4507 info */
+ /* RFC4507 info */
unsigned char *tick; /* Session ticket */
size_t ticklen; /* Session ticket length */
/* Session lifetime hint in seconds */
unsigned long tick_lifetime_hint;
uint32_t tick_age_add;
- unsigned char *tick_nonce;
- size_t tick_nonce_len;
- int tick_identity;
/* Max number of bytes that can be sent as early data */
uint32_t max_early_data;
/* The ALPN protocol selected for this session */
# ifndef OPENSSL_NO_SRP
char *srp_username;
# endif
+ unsigned char *ticket_appdata;
+ size_t ticket_appdata_len;
uint32_t flags;
CRYPTO_RWLOCK *lock;
};
/* Needed in ssl_cert.c */
DEFINE_LHASH_OF(X509_NAME);
-# define TLSEXT_KEYNAME_LENGTH 16
+# define TLSEXT_KEYNAME_LENGTH 16
+# define TLSEXT_TICK_KEY_LENGTH 32
+
+typedef struct ssl_ctx_ext_secure_st {
+ unsigned char tick_hmac_key[TLSEXT_TICK_KEY_LENGTH];
+ unsigned char tick_aes_key[TLSEXT_TICK_KEY_LENGTH];
+} SSL_CTX_EXT_SECURE;
struct ssl_ctx_st {
const SSL_METHOD *method;
STACK_OF(SSL_CIPHER) *cipher_list;
/* same as above but sorted for lookup */
STACK_OF(SSL_CIPHER) *cipher_list_by_id;
+ /* TLSv1.3 specific ciphersuites */
+ STACK_OF(SSL_CIPHER) *tls13_ciphersuites;
struct x509_store_st /* X509_STORE */ *cert_store;
LHASH_OF(SSL_SESSION) *sessions;
/*
const unsigned char *data, int len,
int *copy);
struct {
- int sess_connect; /* SSL new conn - started */
- int sess_connect_renegotiate; /* SSL reneg - requested */
- int sess_connect_good; /* SSL new conne/reneg - finished */
- int sess_accept; /* SSL new accept - started */
- int sess_accept_renegotiate; /* SSL reneg - requested */
- int sess_accept_good; /* SSL accept/reneg - finished */
- int sess_miss; /* session lookup misses */
- int sess_timeout; /* reuse attempt on timeouted session */
- int sess_cache_full; /* session removed due to full cache */
- int sess_hit; /* session reuse actually done */
- int sess_cb_hit; /* session-id that was not in the cache was
- * passed back via the callback. This
- * indicates that the application is supplying
- * session-id's from other processes - spooky
- * :-) */
+ TSAN_QUALIFIER int sess_connect; /* SSL new conn - started */
+ TSAN_QUALIFIER int sess_connect_renegotiate; /* SSL reneg - requested */
+ TSAN_QUALIFIER int sess_connect_good; /* SSL new conne/reneg - finished */
+ TSAN_QUALIFIER int sess_accept; /* SSL new accept - started */
+ TSAN_QUALIFIER int sess_accept_renegotiate; /* SSL reneg - requested */
+ TSAN_QUALIFIER int sess_accept_good; /* SSL accept/reneg - finished */
+ TSAN_QUALIFIER int sess_miss; /* session lookup misses */
+ TSAN_QUALIFIER int sess_timeout; /* reuse attempt on timeouted session */
+ TSAN_QUALIFIER int sess_cache_full; /* session removed due to full cache */
+ TSAN_QUALIFIER int sess_hit; /* session reuse actually done */
+ TSAN_QUALIFIER int sess_cb_hit; /* session-id that was not in
+ * the cache was passed back via
+ * the callback. This indicates
+ * that the application is
+ * supplying session-id's from
+ * other processes - spooky
+ * :-) */
} stats;
CRYPTO_REF_COUNT references;
int (*app_verify_cookie_cb) (SSL *ssl, const unsigned char *cookie,
unsigned int cookie_len);
+ /* TLS1.3 app-controlled cookie generate callback */
+ int (*gen_stateless_cookie_cb) (SSL *ssl, unsigned char *cookie,
+ size_t *cookie_len);
+
+ /* TLS1.3 verify app-controlled cookie callback */
+ int (*verify_stateless_cookie_cb) (SSL *ssl, const unsigned char *cookie,
+ size_t cookie_len);
+
CRYPTO_EX_DATA ex_data;
const EVP_MD *md5; /* For SSLv3/TLSv1 'ssl3-md5' */
/*
* What we put in certificate_authorities extension for TLS 1.3
* (ClientHello and CertificateRequest) or just client cert requests for
- * earlier versions.
+ * earlier versions. If client_ca_names is populated then it is only used
+ * for client cert requests, and in preference to ca_names.
*/
STACK_OF(X509_NAME) *ca_names;
+ STACK_OF(X509_NAME) *client_ca_names;
/*
* Default values to use in SSL structures follow (these are copied by
void *servername_arg;
/* RFC 4507 session ticket keys */
unsigned char tick_key_name[TLSEXT_KEYNAME_LENGTH];
- unsigned char tick_hmac_key[32];
- unsigned char tick_aes_key[32];
+ SSL_CTX_EXT_SECURE *secure;
/* Callback to support customisation of ticket key setting */
int (*ticket_key_cb) (SSL *ssl,
unsigned char *name, unsigned char *iv,
/* EC extension values inherited by SSL structure */
size_t ecpointformats_len;
unsigned char *ecpointformats;
+# endif /* OPENSSL_NO_EC */
+
size_t supportedgroups_len;
uint16_t *supportedgroups;
-# endif /* OPENSSL_NO_EC */
/*
* ALPN information (we are in the process of transitioning from NPN to
/* Shared DANE context */
struct dane_ctx_st dane;
+# ifndef OPENSSL_NO_SRTP
/* SRTP profiles we are willing to do from RFC 5764 */
STACK_OF(SRTP_PROTECTION_PROFILE) *srtp_profiles;
+# endif
/*
* Callback for disabling session caching and ticket support on a session
* basis, depending on the chosen cipher.
*/
SSL_CTX_keylog_cb_func keylog_callback;
- /* The maximum number of bytes that can be sent as early data */
+ /*
+ * The maximum number of bytes advertised in session tickets that can be
+ * sent as early data.
+ */
uint32_t max_early_data;
+ /*
+ * The maximum number of bytes of early data that a server will tolerate
+ * (which should be at least as much as max_early_data).
+ */
+ uint32_t recv_max_early_data;
+
/* TLS1.3 padding callback */
size_t (*record_padding_cb)(SSL *s, int type, size_t len, void *arg);
void *record_padding_arg;
size_t block_padding;
+
+ /* Session ticket appdata */
+ SSL_CTX_generate_session_ticket_fn generate_ticket_cb;
+ SSL_CTX_decrypt_session_ticket_fn decrypt_ticket_cb;
+ void *ticket_cb_data;
+
+ /* The number of TLS1.3 tickets to automatically send */
+ size_t num_tickets;
+
+ /* Callback to determine if early_data is acceptable or not */
+ SSL_allow_early_data_cb_fn allow_early_data_cb;
+ void *allow_early_data_cb_data;
+
+ /* Do we advertise Post-handshake auth support? */
+ int pha_enabled;
+
+ /* Callback for SSL async handling */
+ SSL_async_callback_fn async_cb;
+ void *async_cb_arg;
};
+typedef struct cert_pkey_st CERT_PKEY;
+
struct ssl_st {
/*
* protocol version (one of SSL2_VERSION, SSL3_VERSION, TLS1_VERSION,
* ssl3_get_message() */
size_t init_num; /* amount read/written */
size_t init_off; /* amount read/written */
- struct ssl3_state_st *s3; /* SSLv3 variables */
+
+ struct {
+ long flags;
+ size_t read_mac_secret_size;
+ unsigned char read_mac_secret[EVP_MAX_MD_SIZE];
+ size_t write_mac_secret_size;
+ unsigned char write_mac_secret[EVP_MAX_MD_SIZE];
+ unsigned char server_random[SSL3_RANDOM_SIZE];
+ unsigned char client_random[SSL3_RANDOM_SIZE];
+ /* flags for countermeasure against known-IV weakness */
+ int need_empty_fragments;
+ int empty_fragment_done;
+ /* used during startup, digest all incoming/outgoing packets */
+ BIO *handshake_buffer;
+ /*
+ * When handshake digest is determined, buffer is hashed and
+ * freed and MD_CTX for the required digest is stored here.
+ */
+ EVP_MD_CTX *handshake_dgst;
+ /*
+ * Set whenever an expected ChangeCipherSpec message is processed.
+ * Unset when the peer's Finished message is received.
+ * Unexpected ChangeCipherSpec messages trigger a fatal alert.
+ */
+ int change_cipher_spec;
+ int warn_alert;
+ int fatal_alert;
+ /*
+ * we allow one fatal and one warning alert to be outstanding, send close
+ * alert via the warning alert
+ */
+ int alert_dispatch;
+ unsigned char send_alert[2];
+ /*
+ * This flag is set when we should renegotiate ASAP, basically when there
+ * is no more data in the read or write buffers
+ */
+ int renegotiate;
+ int total_renegotiations;
+ int num_renegotiations;
+ int in_read_app_data;
+ struct {
+ /* actually only need to be 16+20 for SSLv3 and 12 for TLS */
+ unsigned char finish_md[EVP_MAX_MD_SIZE * 2];
+ size_t finish_md_len;
+ unsigned char peer_finish_md[EVP_MAX_MD_SIZE * 2];
+ size_t peer_finish_md_len;
+ size_t message_size;
+ int message_type;
+ /* used to hold the new cipher we are going to use */
+ const SSL_CIPHER *new_cipher;
+# if !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH)
+ EVP_PKEY *pkey; /* holds short lived DH/ECDH key */
+# endif
+ /* used for certificate requests */
+ int cert_req;
+ /* Certificate types in certificate request message. */
+ uint8_t *ctype;
+ size_t ctype_len;
+ /* Certificate authorities list peer sent */
+ STACK_OF(X509_NAME) *peer_ca_names;
+ size_t key_block_length;
+ unsigned char *key_block;
+ const EVP_CIPHER *new_sym_enc;
+ const EVP_MD *new_hash;
+ int new_mac_pkey_type;
+ size_t new_mac_secret_size;
+# ifndef OPENSSL_NO_COMP
+ const SSL_COMP *new_compression;
+# else
+ char *new_compression;
+# endif
+ int cert_request;
+ /* Raw values of the cipher list from a client */
+ unsigned char *ciphers_raw;
+ size_t ciphers_rawlen;
+ /* Temporary storage for premaster secret */
+ unsigned char *pms;
+ size_t pmslen;
+# ifndef OPENSSL_NO_PSK
+ /* Temporary storage for PSK key */
+ unsigned char *psk;
+ size_t psklen;
+# endif
+ /* Signature algorithm we actually use */
+ const struct sigalg_lookup_st *sigalg;
+ /* Pointer to certificate we use */
+ CERT_PKEY *cert;
+ /*
+ * signature algorithms peer reports: e.g. supported signature
+ * algorithms extension for server or as part of a certificate
+ * request for client.
+ * Keep track of the algorithms for TLS and X.509 usage separately.
+ */
+ uint16_t *peer_sigalgs;
+ uint16_t *peer_cert_sigalgs;
+ /* Size of above arrays */
+ size_t peer_sigalgslen;
+ size_t peer_cert_sigalgslen;
+ /* Sigalg peer actually uses */
+ const struct sigalg_lookup_st *peer_sigalg;
+ /*
+ * Set if corresponding CERT_PKEY can be used with current
+ * SSL session: e.g. appropriate curve, signature algorithms etc.
+ * If zero it can't be used at all.
+ */
+ uint32_t valid_flags[SSL_PKEY_NUM];
+ /*
+ * For servers the following masks are for the key and auth algorithms
+ * that are supported by the certs below. For clients they are masks of
+ * *disabled* algorithms based on the current session.
+ */
+ uint32_t mask_k;
+ uint32_t mask_a;
+ /*
+ * The following are used by the client to see if a cipher is allowed or
+ * not. It contains the minimum and maximum version the client's using
+ * based on what it knows so far.
+ */
+ int min_ver;
+ int max_ver;
+ } tmp;
+
+ /* Connection binding to prevent renegotiation attacks */
+ unsigned char previous_client_finished[EVP_MAX_MD_SIZE];
+ size_t previous_client_finished_len;
+ unsigned char previous_server_finished[EVP_MAX_MD_SIZE];
+ size_t previous_server_finished_len;
+ int send_connection_binding; /* TODOEKR */
+
+# ifndef OPENSSL_NO_NEXTPROTONEG
+ /*
+ * Set if we saw the Next Protocol Negotiation extension from our peer.
+ */
+ int npn_seen;
+# endif
+
+ /*
+ * ALPN information (we are in the process of transitioning from NPN to
+ * ALPN.)
+ */
+
+ /*
+ * In a server these point to the selected ALPN protocol after the
+ * ClientHello has been processed. In a client these contain the protocol
+ * that the server selected once the ServerHello has been processed.
+ */
+ unsigned char *alpn_selected;
+ size_t alpn_selected_len;
+ /* used by the server to know what options were proposed */
+ unsigned char *alpn_proposed;
+ size_t alpn_proposed_len;
+ /* used by the client to know if it actually sent alpn */
+ int alpn_sent;
+
+# ifndef OPENSSL_NO_EC
+ /*
+ * This is set to true if we believe that this is a version of Safari
+ * running on OS X 10.6 or newer. We wish to know this because Safari on
+ * 10.8 .. 10.8.3 has broken ECDHE-ECDSA support.
+ */
+ char is_probably_safari;
+# endif /* !OPENSSL_NO_EC */
+
+ /* For clients: peer temporary key */
+# if !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH)
+ /* The group_id for the DH/ECDH key */
+ uint16_t group_id;
+ EVP_PKEY *peer_tmp;
+# endif
+
+ } s3;
+
struct dtls1_state_st *d1; /* DTLSv1 variables */
/* callback that allows applications to peek at protocol messages */
void (*msg_callback) (int write_p, int version, int content_type,
/* Per connection DANE state */
SSL_DANE dane;
/* crypto */
+ STACK_OF(SSL_CIPHER) *peer_ciphers;
STACK_OF(SSL_CIPHER) *cipher_list;
STACK_OF(SSL_CIPHER) *cipher_list_by_id;
+ /* TLSv1.3 specific ciphersuites */
+ STACK_OF(SSL_CIPHER) *tls13_ciphersuites;
/*
* These are the ones being used, the ones in SSL_SESSION are the ones to
* be 'copied' into these ones
*/
uint32_t mac_flags;
/*
- * The TLS1.3 secrets. The resumption master secret is stored in the
- * session.
+ * The TLS1.3 secrets.
*/
unsigned char early_secret[EVP_MAX_MD_SIZE];
unsigned char handshake_secret[EVP_MAX_MD_SIZE];
unsigned char master_secret[EVP_MAX_MD_SIZE];
+ unsigned char resumption_master_secret[EVP_MAX_MD_SIZE];
unsigned char client_finished_secret[EVP_MAX_MD_SIZE];
unsigned char server_finished_secret[EVP_MAX_MD_SIZE];
unsigned char server_finished_hash[EVP_MAX_MD_SIZE];
unsigned char client_app_traffic_secret[EVP_MAX_MD_SIZE];
unsigned char server_app_traffic_secret[EVP_MAX_MD_SIZE];
unsigned char exporter_master_secret[EVP_MAX_MD_SIZE];
+ unsigned char early_exporter_master_secret[EVP_MAX_MD_SIZE];
EVP_CIPHER_CTX *enc_read_ctx; /* cryptographic state */
unsigned char read_iv[EVP_MAX_IV_LENGTH]; /* TLSv1.3 static read IV */
EVP_MD_CTX *read_hash; /* used for mac generation */
EVP_CIPHER_CTX *enc_write_ctx; /* cryptographic state */
unsigned char write_iv[EVP_MAX_IV_LENGTH]; /* TLSv1.3 static write IV */
EVP_MD_CTX *write_hash; /* used for mac generation */
- /* Count of how many KeyUpdate messages we have received */
- unsigned int key_update_count;
/* session info */
/* client cert? */
/* This is used to hold the server certificate used */
# endif
SSL_psk_find_session_cb_func psk_find_session_cb;
SSL_psk_use_session_cb_func psk_use_session_cb;
+
SSL_CTX *ctx;
/* Verified chain of peer */
STACK_OF(X509) *verified_chain;
long verify_result;
/* extra application data */
CRYPTO_EX_DATA ex_data;
- /* for server side, keep the list of CA_dn we can use */
+ /*
+ * What we put in certificate_authorities extension for TLS 1.3
+ * (ClientHello and CertificateRequest) or just client cert requests for
+ * earlier versions. If client_ca_names is populated then it is only used
+ * for client cert requests, and in preference to ca_names.
+ */
STACK_OF(X509_NAME) *ca_names;
+ STACK_OF(X509_NAME) *client_ca_names;
CRYPTO_REF_COUNT references;
/* protocol behaviour */
uint32_t options;
size_t ecpointformats_len;
/* our list */
unsigned char *ecpointformats;
+
+ size_t peer_ecpointformats_len;
+ /* peer's list */
+ unsigned char *peer_ecpointformats;
# endif /* OPENSSL_NO_EC */
size_t supportedgroups_len;
/* our list */
uint16_t *supportedgroups;
+
+ size_t peer_supportedgroups_len;
+ /* peer's list */
+ uint16_t *peer_supportedgroups;
+
/* TLS Session Ticket extension override */
TLS_SESSION_TICKET_EXT *session_ticket;
/* TLS Session Ticket extension callback */
* as this extension is optional on server side.
*/
uint8_t max_fragment_len_mode;
+
+ /*
+ * On the client side the number of ticket identities we sent in the
+ * ClientHello. On the server side the identity of the ticket we
+ * selected.
+ */
+ int tick_identity;
} ext;
/*
int scts_parsed;
# endif
SSL_CTX *session_ctx; /* initial ctx, used to store sessions */
+# ifndef OPENSSL_NO_SRTP
/* What we'll do */
STACK_OF(SRTP_PROTECTION_PROFILE) *srtp_profiles;
/* What's been chosen */
SRTP_PROTECTION_PROFILE *srtp_profile;
+# endif
/*-
* 1 if we are renegotiating.
* 2 if we are a server and are inside a handshake
int key_update;
/* Post-handshake authentication state */
SSL_PHA_STATE post_handshake_auth;
- int pha_forced;
+ int pha_enabled;
uint8_t* pha_context;
size_t pha_context_len;
int certreqs_sent;
ASYNC_WAIT_CTX *waitctx;
size_t asyncrw;
- /* The maximum number of plaintext bytes that can be sent as early data */
+ /*
+ * The maximum number of bytes advertised in session tickets that can be
+ * sent as early data.
+ */
uint32_t max_early_data;
+ /*
+ * The maximum number of bytes of early data that a server will tolerate
+ * (which should be at least as much as max_early_data).
+ */
+ uint32_t recv_max_early_data;
+
/*
* The number of bytes of early data received so far. If we accepted early
* data then this is a count of the plaintext bytes. If we rejected it then
size_t block_padding;
CRYPTO_RWLOCK *lock;
- RAND_DRBG *drbg;
+
+ /* The number of TLS1.3 tickets to automatically send */
+ size_t num_tickets;
+ /* The number of TLS1.3 tickets actually sent so far */
+ size_t sent_tickets;
+ /* The next nonce value to use when we send a ticket on this connection */
+ uint64_t next_ticket_nonce;
+
+ /* Callback to determine if early_data is acceptable or not */
+ SSL_allow_early_data_cb_fn allow_early_data_cb;
+ void *allow_early_data_cb_data;
+
+ /* Callback for SSL async handling */
+ SSL_async_callback_fn async_cb;
+ void *async_cb_arg;
+
+ /*
+ * Signature algorithms shared by client and server: cached because these
+ * are used most often.
+ */
+ const struct sigalg_lookup_st **shared_sigalgs;
+ size_t shared_sigalgslen;
};
/*
typedef struct tls_group_info_st {
int nid; /* Curve NID */
int secbits; /* Bits of security (from SP800-57) */
- uint16_t flags; /* Flags: currently just group type */
+ uint32_t flags; /* For group type and applicable TLS versions */
+ uint16_t group_id; /* Group ID */
} TLS_GROUP_INFO;
/* flags values */
-# define TLS_CURVE_TYPE 0x3 /* Mask for group type */
-# define TLS_CURVE_PRIME 0x0
-# define TLS_CURVE_CHAR2 0x1
-# define TLS_CURVE_CUSTOM 0x2
+# define TLS_GROUP_TYPE 0x0000000FU /* Mask for group type */
+# define TLS_GROUP_CURVE_PRIME 0x00000001U
+# define TLS_GROUP_CURVE_CHAR2 0x00000002U
+# define TLS_GROUP_CURVE_CUSTOM 0x00000004U
+# define TLS_GROUP_FFDHE 0x00000008U
+# define TLS_GROUP_ONLY_FOR_TLS1_3 0x00000010U
-typedef struct cert_pkey_st CERT_PKEY;
+# define TLS_GROUP_FFDHE_FOR_TLS1_3 (TLS_GROUP_FFDHE|TLS_GROUP_ONLY_FOR_TLS1_3)
/*
* Structure containing table entry of certificate info corresponding to
* CERT_PKEY entries
*/
typedef struct {
- int nid; /* NID of pubic key algorithm */
+ int nid; /* NID of public key algorithm */
uint32_t amask; /* authmask corresponding to key type */
} SSL_CERT_LOOKUP;
-typedef struct ssl3_state_st {
- long flags;
- size_t read_mac_secret_size;
- unsigned char read_mac_secret[EVP_MAX_MD_SIZE];
- size_t write_mac_secret_size;
- unsigned char write_mac_secret[EVP_MAX_MD_SIZE];
- unsigned char server_random[SSL3_RANDOM_SIZE];
- unsigned char client_random[SSL3_RANDOM_SIZE];
- /* flags for countermeasure against known-IV weakness */
- int need_empty_fragments;
- int empty_fragment_done;
- /* used during startup, digest all incoming/outgoing packets */
- BIO *handshake_buffer;
- /*
- * When handshake digest is determined, buffer is hashed and
- * freed and MD_CTX for the required digest is stored here.
- */
- EVP_MD_CTX *handshake_dgst;
- /*
- * Set whenever an expected ChangeCipherSpec message is processed.
- * Unset when the peer's Finished message is received.
- * Unexpected ChangeCipherSpec messages trigger a fatal alert.
- */
- int change_cipher_spec;
- int warn_alert;
- int fatal_alert;
- /*
- * we allow one fatal and one warning alert to be outstanding, send close
- * alert via the warning alert
- */
- int alert_dispatch;
- unsigned char send_alert[2];
- /*
- * This flag is set when we should renegotiate ASAP, basically when there
- * is no more data in the read or write buffers
- */
- int renegotiate;
- int total_renegotiations;
- int num_renegotiations;
- int in_read_app_data;
- struct {
- /* actually only need to be 16+20 for SSLv3 and 12 for TLS */
- unsigned char finish_md[EVP_MAX_MD_SIZE * 2];
- size_t finish_md_len;
- unsigned char peer_finish_md[EVP_MAX_MD_SIZE * 2];
- size_t peer_finish_md_len;
- size_t message_size;
- int message_type;
- /* used to hold the new cipher we are going to use */
- const SSL_CIPHER *new_cipher;
-# if !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH)
- EVP_PKEY *pkey; /* holds short lived DH/ECDH key */
-# endif
- /* used for certificate requests */
- int cert_req;
- /* Certificate types in certificate request message. */
- uint8_t *ctype;
- size_t ctype_len;
- /* Certificate authorities list peer sent */
- STACK_OF(X509_NAME) *peer_ca_names;
- size_t key_block_length;
- unsigned char *key_block;
- const EVP_CIPHER *new_sym_enc;
- const EVP_MD *new_hash;
- int new_mac_pkey_type;
- size_t new_mac_secret_size;
-# ifndef OPENSSL_NO_COMP
- const SSL_COMP *new_compression;
-# else
- char *new_compression;
-# endif
- int cert_request;
- /* Raw values of the cipher list from a client */
- unsigned char *ciphers_raw;
- size_t ciphers_rawlen;
- /* Temporary storage for premaster secret */
- unsigned char *pms;
- size_t pmslen;
-# ifndef OPENSSL_NO_PSK
- /* Temporary storage for PSK key */
- unsigned char *psk;
- size_t psklen;
-# endif
- /* Signature algorithm we actually use */
- const SIGALG_LOOKUP *sigalg;
- /* Pointer to certificate we use */
- CERT_PKEY *cert;
- /*
- * signature algorithms peer reports: e.g. supported signature
- * algorithms extension for server or as part of a certificate
- * request for client.
- * Keep track of the algorithms for TLS and X.509 usage separately.
- */
- uint16_t *peer_sigalgs;
- uint16_t *peer_cert_sigalgs;
- /* Size of above arrays */
- size_t peer_sigalgslen;
- size_t peer_cert_sigalgslen;
- /* Sigalg peer actually uses */
- const SIGALG_LOOKUP *peer_sigalg;
- /*
- * Set if corresponding CERT_PKEY can be used with current
- * SSL session: e.g. appropriate curve, signature algorithms etc.
- * If zero it can't be used at all.
- */
- uint32_t valid_flags[SSL_PKEY_NUM];
- /*
- * For servers the following masks are for the key and auth algorithms
- * that are supported by the certs below. For clients they are masks of
- * *disabled* algorithms based on the current session.
- */
- uint32_t mask_k;
- uint32_t mask_a;
- /*
- * The following are used by the client to see if a cipher is allowed or
- * not. It contains the minimum and maximum version the client's using
- * based on what it knows so far.
- */
- int min_ver;
- int max_ver;
- } tmp;
-
- /* Connection binding to prevent renegotiation attacks */
- unsigned char previous_client_finished[EVP_MAX_MD_SIZE];
- size_t previous_client_finished_len;
- unsigned char previous_server_finished[EVP_MAX_MD_SIZE];
- size_t previous_server_finished_len;
- int send_connection_binding; /* TODOEKR */
-
-# ifndef OPENSSL_NO_NEXTPROTONEG
- /*
- * Set if we saw the Next Protocol Negotiation extension from our peer.
- */
- int npn_seen;
-# endif
-
- /*
- * ALPN information (we are in the process of transitioning from NPN to
- * ALPN.)
- */
-
- /*
- * In a server these point to the selected ALPN protocol after the
- * ClientHello has been processed. In a client these contain the protocol
- * that the server selected once the ServerHello has been processed.
- */
- unsigned char *alpn_selected;
- size_t alpn_selected_len;
- /* used by the server to know what options were proposed */
- unsigned char *alpn_proposed;
- size_t alpn_proposed_len;
- /* used by the client to know if it actually sent alpn */
- int alpn_sent;
-
-# ifndef OPENSSL_NO_EC
- /*
- * This is set to true if we believe that this is a version of Safari
- * running on OS X 10.6 or newer. We wish to know this because Safari on
- * 10.8 .. 10.8.3 has broken ECDHE-ECDSA support.
- */
- char is_probably_safari;
-# endif /* !OPENSSL_NO_EC */
-
- /* For clients: peer temporary key */
-# if !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH)
- /* The group_id for the DH/ECDH key */
- uint16_t group_id;
- EVP_PKEY *peer_tmp;
-# endif
-
-} SSL3_STATE;
-
/* DTLS structures */
# ifndef OPENSSL_NO_SCTP
uint16_t *client_sigalgs;
/* Size of above array */
size_t client_sigalgslen;
- /*
- * Signature algorithms shared by client and server: cached because these
- * are used most often.
- */
- const SIGALG_LOOKUP **shared_sigalgs;
- size_t shared_sigalgslen;
/*
* Certificate setup callback: if set is called whenever a certificate
* may be required (client or server). the callback can then examine any
#define TLSEXT_SIGALG_gostr34102001_gostr3411 0xeded
#define TLSEXT_SIGALG_ed25519 0x0807
+#define TLSEXT_SIGALG_ed448 0x0808
/* Known PSK key exchange modes */
#define TLSEXT_KEX_MODE_KE 0x00
#define TLSEXT_KEX_MODE_FLAG_KE 1
#define TLSEXT_KEX_MODE_FLAG_KE_DHE 2
-/* An invalid index into the TLSv1.3 PSK identities */
-#define TLSEXT_PSK_BAD_IDENTITY -1
-
-#define SSL_USE_PSS(s) (s->s3->tmp.peer_sigalg != NULL && \
- s->s3->tmp.peer_sigalg->sig == EVP_PKEY_RSA_PSS)
+#define SSL_USE_PSS(s) (s->s3.tmp.peer_sigalg != NULL && \
+ s->s3.tmp.peer_sigalg->sig == EVP_PKEY_RSA_PSS)
/* A dummy signature value not valid for TLSv1.2 signature algs */
#define TLSEXT_signature_rsa_pss 0x0101
static ossl_inline void tls1_get_peer_groups(SSL *s, const uint16_t **pgroups,
size_t *pgroupslen)
{
- *pgroups = s->session->ext.supportedgroups;
- *pgroupslen = s->session->ext.supportedgroups_len;
+ *pgroups = s->ext.peer_supportedgroups;
+ *pgroupslen = s->ext.peer_supportedgroups_len;
}
# ifndef OPENSSL_UNIT_TEST
void ssl_cert_free(CERT *c);
__owur int ssl_generate_session_id(SSL *s, SSL_SESSION *ss);
__owur int ssl_get_new_session(SSL *s, int session);
+__owur SSL_SESSION *lookup_sess_in_cache(SSL *s, const unsigned char *sess_id,
+ size_t sess_id_len);
__owur int ssl_get_prev_session(SSL *s, CLIENTHELLO_MSG *hello);
-__owur SSL_SESSION *ssl_session_dup(SSL_SESSION *src, int ticket);
+__owur SSL_SESSION *ssl_session_dup(const SSL_SESSION *src, int ticket);
__owur int ssl_cipher_id_cmp(const SSL_CIPHER *a, const SSL_CIPHER *b);
DECLARE_OBJ_BSEARCH_GLOBAL_CMP_FN(SSL_CIPHER, SSL_CIPHER, ssl_cipher_id);
__owur int ssl_cipher_ptr_id_cmp(const SSL_CIPHER *const *ap,
const SSL_CIPHER *const *bp);
-__owur STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *meth,
- STACK_OF(SSL_CIPHER) **pref,
- STACK_OF(SSL_CIPHER)
- **sorted,
+__owur STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
+ STACK_OF(SSL_CIPHER) *tls13_ciphersuites,
+ STACK_OF(SSL_CIPHER) **cipher_list,
+ STACK_OF(SSL_CIPHER) **cipher_list_by_id,
const char *rule_str,
CERT *c);
__owur int ssl_cache_cipherlist(SSL *s, PACKET *cipher_suites, int sslv2format);
__owur int ssl_cert_set_cert_store(CERT *c, X509_STORE *store, int chain,
int ref);
-__owur int ssl_randbytes(SSL *s, unsigned char *buf, size_t num);
__owur int ssl_security(const SSL *s, int op, int bits, int nid, void *other);
__owur int ssl_ctx_security(const SSL_CTX *ctx, int op, int bits, int nid,
void *other);
+__owur int ssl_cert_lookup_by_nid(int nid, size_t *pidx);
__owur const SSL_CERT_LOOKUP *ssl_cert_lookup_by_pkey(const EVP_PKEY *pk,
size_t *pidx);
__owur const SSL_CERT_LOOKUP *ssl_cert_lookup_by_idx(size_t idx);
size_t *serverinfo_length);
void ssl_set_masks(SSL *s);
__owur STACK_OF(SSL_CIPHER) *ssl_get_ciphers_by_id(SSL *s);
-__owur int ssl_verify_alarm_type(long type);
+__owur int ssl_x509err2alert(int type);
void ssl_sort_cipher_list(void);
int ssl_load_ciphers(void);
__owur int ssl_fill_hello_random(SSL *s, int server, unsigned char *field,
__owur const SSL_CIPHER *ssl3_get_cipher(unsigned int u);
int ssl3_renegotiate(SSL *ssl);
int ssl3_renegotiate_check(SSL *ssl, int initok);
+void ssl3_digest_master_key_set_params(const SSL_SESSION *session,
+ OSSL_PARAM params[]);
__owur int ssl3_dispatch_alert(SSL *s);
__owur size_t ssl3_final_finish_mac(SSL *s, const char *sender, size_t slen,
unsigned char *p);
__owur int ssl_allow_compression(SSL *s);
-__owur int ssl_version_supported(const SSL *s, int version);
+__owur int ssl_version_supported(const SSL *s, int version,
+ const SSL_METHOD **meth);
__owur int ssl_set_client_hello_version(SSL *s);
__owur int ssl_check_version_downgrade(SSL *s);
DOWNGRADE *dgrd);
__owur int ssl_choose_client_version(SSL *s, int version,
RAW_EXTENSION *extensions);
-int ssl_get_min_max_version(const SSL *s, int *min_version, int *max_version);
+__owur int ssl_get_min_max_version(const SSL *s, int *min_version,
+ int *max_version, int *real_max);
__owur long tls1_default_timeout(void);
__owur int dtls1_do_write(SSL *s, int type);
const unsigned char *secret,
const unsigned char *label, size_t labellen,
const unsigned char *data, size_t datalen,
- unsigned char *out, size_t outlen);
+ unsigned char *out, size_t outlen, int fatal);
__owur int tls13_derive_key(SSL *s, const EVP_MD *md,
const unsigned char *secret, unsigned char *key,
size_t keylen);
const char *label, size_t llen,
const unsigned char *context,
size_t contextlen, int use_context);
+__owur int tls13_export_keying_material_early(SSL *s, unsigned char *out,
+ size_t olen, const char *label,
+ size_t llen,
+ const unsigned char *context,
+ size_t contextlen);
__owur int tls1_alert_code(int code);
__owur int tls13_alert_code(int code);
__owur int ssl3_alert_code(int code);
SSL_COMP *ssl3_comp_find(STACK_OF(SSL_COMP) *sk, int n);
-# ifndef OPENSSL_NO_EC
-
__owur const TLS_GROUP_INFO *tls1_group_id_lookup(uint16_t curve_id);
-__owur int tls1_check_group_id(SSL *s, uint16_t group_id);
+__owur int tls1_group_id2nid(uint16_t group_id);
+__owur int tls1_check_group_id(SSL *s, uint16_t group_id, int check_own_curves);
__owur uint16_t tls1_shared_group(SSL *s, int nmatch);
__owur int tls1_set_groups(uint16_t **pext, size_t *pextlen,
int *curves, size_t ncurves);
__owur int tls1_set_groups_list(uint16_t **pext, size_t *pextlen,
const char *str);
+__owur EVP_PKEY *ssl_generate_pkey_group(SSL *s, uint16_t id);
+__owur int tls_valid_group(SSL *s, uint16_t group_id, int version);
+__owur EVP_PKEY *ssl_generate_param_group(uint16_t id);
+# ifndef OPENSSL_NO_EC
void tls1_get_formatlist(SSL *s, const unsigned char **pformats,
size_t *num_formats);
__owur int tls1_check_ec_tmp_key(SSL *s, unsigned long id);
-__owur EVP_PKEY *ssl_generate_pkey_group(SSL *s, uint16_t id);
-__owur EVP_PKEY *ssl_generate_param_group(uint16_t id);
# endif /* OPENSSL_NO_EC */
-__owur int tls_curve_allowed(SSL *s, uint16_t curve, int op);
+__owur int tls_group_allowed(SSL *s, uint16_t curve, int op);
void tls1_get_supported_groups(SSL *s, const uint16_t **pgroups,
size_t *pgroupslen);
__owur int tls1_set_server_sigalgs(SSL *s);
-/* Return codes for tls_get_ticket_from_client() and tls_decrypt_ticket() */
-typedef enum ticket_en {
- /* fatal error, malloc failure */
- TICKET_FATAL_ERR_MALLOC,
- /* fatal error, either from parsing or decrypting the ticket */
- TICKET_FATAL_ERR_OTHER,
- /* No ticket present */
- TICKET_NONE,
- /* Empty ticket present */
- TICKET_EMPTY,
- /* the ticket couldn't be decrypted */
- TICKET_NO_DECRYPT,
- /* a ticket was successfully decrypted */
- TICKET_SUCCESS,
- /* same as above but the ticket needs to be renewed */
- TICKET_SUCCESS_RENEW
-} TICKET_RETURN;
-
-__owur TICKET_RETURN tls_get_ticket_from_client(SSL *s, CLIENTHELLO_MSG *hello,
- SSL_SESSION **ret);
-__owur TICKET_RETURN tls_decrypt_ticket(SSL *s, const unsigned char *etick,
- size_t eticklen,
- const unsigned char *sess_id,
- size_t sesslen, SSL_SESSION **psess);
+__owur SSL_TICKET_STATUS tls_get_ticket_from_client(SSL *s, CLIENTHELLO_MSG *hello,
+ SSL_SESSION **ret);
+__owur SSL_TICKET_STATUS tls_decrypt_ticket(SSL *s, const unsigned char *etick,
+ size_t eticklen,
+ const unsigned char *sess_id,
+ size_t sesslen, SSL_SESSION **psess);
__owur int tls_use_ticket(SSL *s);
__owur int tls1_set_peer_legacy_sigalg(SSL *s, const EVP_PKEY *pkey);
__owur int tls1_lookup_md(const SIGALG_LOOKUP *lu, const EVP_MD **pmd);
__owur size_t tls12_get_psigalgs(SSL *s, int sent, const uint16_t **psigs);
+# ifndef OPENSSL_NO_EC
+__owur int tls_check_sigalg_curve(const SSL *s, int curve);
+# endif
__owur int tls12_check_peer_sigalg(SSL *s, uint16_t, EVP_PKEY *pkey);
-void ssl_set_client_disabled(SSL *s);
+__owur int ssl_set_client_disabled(SSL *s);
__owur int ssl_cipher_disabled(SSL *s, const SSL_CIPHER *c, int op, int echde);
__owur int ssl_handshake_hash(SSL *s, unsigned char *out, size_t outlen,
#define SERVER_HANDSHAKE_LABEL "SERVER_HANDSHAKE_TRAFFIC_SECRET"
#define CLIENT_APPLICATION_LABEL "CLIENT_TRAFFIC_SECRET_0"
#define SERVER_APPLICATION_LABEL "SERVER_TRAFFIC_SECRET_0"
+#define EARLY_EXPORTER_SECRET_LABEL "EARLY_EXPORTER_SECRET"
+#define EXPORTER_SECRET_LABEL "EXPORTER_SECRET"
/* s3_cbc.c */
__owur char ssl3_cbc_record_digest_supported(const EVP_MD_CTX *ctx);
void ssl_comp_free_compression_methods_int(void);
+/* ssl_mcnf.c */
+void ssl_ctx_system_config(SSL_CTX *ctx);
+
# else /* OPENSSL_UNIT_TEST */
# define ssl_init_wbio_buffer SSL_test_functions()->p_ssl_init_wbio_buffer
projects / openssl.git / blobdiff