# define OPENSSL_EXTERN OPENSSL_EXPORT
# endif
-# undef PKCS1_CHECK
-
# define c2l(c,l) (l = ((unsigned long)(*((c)++))) , \
l|=(((unsigned long)(*((c)++)))<< 8), \
l|=(((unsigned long)(*((c)++)))<<16), \
# define DTLS_VERSION_LT(v1, v2) (dtls_ver_ordinal(v1) > dtls_ver_ordinal(v2))
# define DTLS_VERSION_LE(v1, v2) (dtls_ver_ordinal(v1) >= dtls_ver_ordinal(v2))
-/* LOCAL STUFF */
-
-# define SSL_DECRYPT 0
-# define SSL_ENCRYPT 1
-
-# define TWO_BYTE_BIT 0x80
-# define SEC_ESC_BIT 0x40
-# define TWO_BYTE_MASK 0x7fff
-# define THREE_BYTE_MASK 0x3fff
-
-# define INC32(a) ((a)=((a)+1)&0xffffffffL)
-# define DEC32(a) ((a)=((a)-1)&0xffffffffL)
-# define MAX_MAC_SIZE 20 /* up from 16 for SSLv3 */
/*
* Define the Bitmasks for SSL_CIPHER.algorithms.
&& (s)->method->version >= TLS1_3_VERSION \
&& (s)->method->version != TLS_ANY_VERSION)
+# define SSL_TREAT_AS_TLS13(s) \
+ (SSL_IS_TLS13(s) || (s)->early_data_state == SSL_EARLY_DATA_WRITING \
+ || (s)->early_data_state == SSL_EARLY_DATA_WRITE_RETRY)
+
# define SSL_IS_FIRST_HANDSHAKE(S) ((s)->s3->tmp.finish_md_len == 0)
/* See if we need explicit IV */
/* This is the cert and type for the other end. */
X509 *peer;
int peer_type;
- /* Certificate chain peer sent */
+ /* Certificate chain peer sent. */
STACK_OF(X509) *peer_chain;
/*
* when app_verify_callback accepts a session where the peer's
unsigned long tick_lifetime_hint;
uint32_t tick_age_add;
int tick_identity;
+ /* Max number of bytes that can be sent as early data */
+ uint32_t max_early_data;
+ /* The ALPN protocol selected for this session */
+ unsigned char *alpn_selected;
+ size_t alpn_selected_len;
} ext;
# ifndef OPENSSL_NO_SRP
char *srp_username;
# endif
+typedef enum {
+ SSL_EARLY_DATA_NONE = 0,
+ SSL_EARLY_DATA_CONNECT_RETRY,
+ SSL_EARLY_DATA_CONNECTING,
+ SSL_EARLY_DATA_WRITE_RETRY,
+ SSL_EARLY_DATA_WRITING,
+ SSL_EARLY_DATA_UNAUTH_WRITING,
+ SSL_EARLY_DATA_FINISHED_WRITING,
+ SSL_EARLY_DATA_ACCEPT_RETRY,
+ SSL_EARLY_DATA_ACCEPTING,
+ SSL_EARLY_DATA_READ_RETRY,
+ SSL_EARLY_DATA_READING,
+ SSL_EARLY_DATA_FINISHED_READING
+} SSL_EARLY_DATA_STATE;
+
+/*
+ * We check that the amount of unreadable early data doesn't exceed
+ * max_early_data. max_early_data is given in plaintext bytes. However if it is
+ * unreadable then we only know the number of ciphertext bytes. We also don't
+ * know how much the overhead should be because it depends on the ciphersuite.
+ * We make a small allowance. We assume 5 records of actual data plus the end
+ * of early data alert record. Each record has a tag and a content type byte.
+ * The longest tag length we know of is EVP_GCM_TLS_TAG_LEN. We don't count the
+ * content of the alert record either which is 2 bytes.
+ */
+# define EARLY_DATA_CIPHERTEXT_OVERHEAD ((6 * (EVP_GCM_TLS_TAG_LEN + 1)) + 2)
+
+/*
+ * The allowance we have between the client's calculated ticket age and our own.
+ * We allow for 10 seconds (units are in ms). If a ticket is presented and the
+ * client's age calculation is different by more than this than our own then we
+ * do not allow that ticket for early_data.
+ */
+# define TICKET_AGE_ALLOWANCE (10 * 1000)
+
#define MAX_COMPRESSIONS_SIZE 255
struct ssl_comp_st {
/* used if SSL's info_callback is NULL */
void (*info_callback) (const SSL *ssl, int type, int val);
- /* what we put in client cert requests */
- STACK_OF(X509_NAME) *client_CA;
+ /*
+ * What we put in certificate_authorities extension for TLS 1.3
+ * (ClientHello and CertificateRequest) or just client cert requests for
+ * earlier versions.
+ */
+ STACK_OF(X509_NAME) *ca_names;
/*
* Default values to use in SSL structures follow (these are copied by
ENGINE *client_cert_engine;
# endif
+ /* Early callback. Mostly for extensions, but not entirely. */
+ SSL_early_cb_fn early_cb;
+ void *early_cb_arg;
+
/* TLS extensions. */
struct {
/* TLS extensions servername callback */
* Wireshark. The callback should log `line` followed by a newline.
*/
SSL_CTX_keylog_cb_func keylog_callback;
+
+ /* The maximum number of bytes that can be sent as early data */
+ uint32_t max_early_data;
};
struct ssl_st {
int shutdown;
/* where we are */
OSSL_STATEM statem;
+ SSL_EARLY_DATA_STATE early_data_state;
BUF_MEM *init_buf; /* buffer used during init */
void *init_msg; /* pointer to handshake message body, set by
* ssl3_get_message() */
unsigned char client_finished_secret[EVP_MAX_MD_SIZE];
unsigned char server_finished_secret[EVP_MAX_MD_SIZE];
unsigned char server_finished_hash[EVP_MAX_MD_SIZE];
+ unsigned char handshake_traffic_hash[EVP_MAX_MD_SIZE];
unsigned char client_app_traffic_secret[EVP_MAX_MD_SIZE];
unsigned char server_app_traffic_secret[EVP_MAX_MD_SIZE];
EVP_CIPHER_CTX *enc_read_ctx; /* cryptographic state */
/* extra application data */
CRYPTO_EX_DATA ex_data;
/* for server side, keep the list of CA_dn we can use */
- STACK_OF(X509_NAME) *client_CA;
+ STACK_OF(X509_NAME) *ca_names;
CRYPTO_REF_COUNT references;
/* protocol behaviour */
uint32_t options;
/* Set to one if we have negotiated ETM */
int use_etm;
+
+ /* Are we expecting to receive early data? */
+ int early_data;
+ /* Is the session suitable for early data? */
+ int early_data_ok;
+
+ /* May be sent by a server in HRR. Must be echoed back in ClientHello */
+ unsigned char *tls13_cookie;
+ size_t tls13_cookie_len;
} ext;
+ /* Parsed form of the ClientHello, kept around across early_cb calls. */
+ CLIENTHELLO_MSG *clienthello;
+
/*-
* no further mod of servername
* 0 : call the servername extension callback.
ASYNC_WAIT_CTX *waitctx;
size_t asyncrw;
+ /* The maximum number of plaintext bytes that can be sent as early data */
+ uint32_t max_early_data;
+ /*
+ * The number of bytes of early data received so far. If we accepted early
+ * data then this is a count of the plaintext bytes. If we rejected it then
+ * this is a count of the ciphertext bytes.
+ */
+ uint32_t early_data_count;
+
CRYPTO_RWLOCK *lock;
};
# endif
/* used for certificate requests */
int cert_req;
- int ctype_num;
- char ctype[SSL3_CT_NUMBER];
- STACK_OF(X509_NAME) *ca_names;
+ /* Certificate types in certificate request message. */
+ uint8_t *ctype;
+ size_t ctype_len;
+ /* Certificate authorities list peer sent */
+ STACK_OF(X509_NAME) *peer_ca_names;
size_t key_block_length;
unsigned char *key_block;
const EVP_CIPHER *new_sym_enc;
# define SSL_CERT_FLAGS_CHECK_TLS_STRICT \
(SSL_CERT_FLAG_SUITEB_128_LOS|SSL_CERT_FLAG_TLS_STRICT)
+typedef enum {
+ ENDPOINT_CLIENT = 0,
+ ENDPOINT_SERVER,
+ ENDPOINT_BOTH
+} ENDPOINT;
+
+
typedef struct {
unsigned short ext_type;
+ ENDPOINT role;
+ /* The context which this extension applies to */
+ unsigned int context;
/*
* Per-connection flags relating to this extension type: not used if
* part of an SSL_CTX structure.
*/
uint32_t ext_flags;
- custom_ext_add_cb add_cb;
- custom_ext_free_cb free_cb;
+ SSL_custom_ext_add_cb_ex add_cb;
+ SSL_custom_ext_free_cb_ex free_cb;
void *add_arg;
- custom_ext_parse_cb parse_cb;
+ SSL_custom_ext_parse_cb_ex parse_cb;
void *parse_arg;
} custom_ext_method;
/* Flags related to certificates */
uint32_t cert_flags;
CERT_PKEY pkeys[SSL_PKEY_NUM];
- /*
- * Certificate types (received or sent) in certificate request message.
- * On receive this is only set if number of certificate types exceeds
- * SSL3_CT_NUMBER.
- */
- unsigned char *ctypes;
- size_t ctype_num;
+ /* Custom certificate types sent in certificate request message. */
+ uint8_t *ctype;
+ size_t ctype_len;
/*
* supported signature algorithms. When set on a client this is sent in
* the client hello as the supported signature algorithms extension. For
*/
X509_STORE *chain_store;
X509_STORE *verify_store;
- /* Custom extension methods for server and client */
- custom_ext_methods cli_ext;
- custom_ext_methods srv_ext;
+ /* Custom extensions */
+ custom_ext_methods custext;
/* Security callback */
int (*sec_cb) (const SSL *s, const SSL_CTX *ctx, int op, int bits, int nid,
void *other, void *ex);
} SSL3_COMP;
# endif
+typedef enum downgrade_en {
+ DOWNGRADE_NONE,
+ DOWNGRADE_TO_1_2,
+ DOWNGRADE_TO_1_1
+} DOWNGRADE;
+
/*
* Extension index values NOTE: Any updates to these defines should be mirrored
* with equivalent updates to ext_defs in extensions.c
TLSEXT_IDX_supported_versions,
TLSEXT_IDX_psk_kex_modes,
TLSEXT_IDX_key_share,
+ TLSEXT_IDX_cookie,
TLSEXT_IDX_cryptopro_bug,
+ TLSEXT_IDX_early_data,
+ TLSEXT_IDX_certificate_authorities,
TLSEXT_IDX_padding,
TLSEXT_IDX_psk
} TLSEXT_INDEX;
/* A dummy signature value not valid for TLSv1.2 signature algs */
#define TLSEXT_signature_rsa_pss 0x0101
+/* TLSv1.3 downgrade protection sentinel values */
+extern const unsigned char tls11downgrade[8];
+extern const unsigned char tls12downgrade[8];
extern SSL3_ENC_METHOD ssl3_undef_enc_method;
# ifndef OPENSSL_UNIT_TEST
+__owur int ssl_read_internal(SSL *s, void *buf, size_t num, size_t *readbytes);
+__owur int ssl_write_internal(SSL *s, const void *buf, size_t num, size_t *written);
void ssl_clear_cipher_ctx(SSL *s);
int ssl_clear_bad_session(SSL *s);
__owur CERT *ssl_cert_new(void);
void ssl_sort_cipher_list(void);
void ssl_load_ciphers(void);
__owur int ssl_fill_hello_random(SSL *s, int server, unsigned char *field,
- size_t len);
+ size_t len, DOWNGRADE dgrd);
__owur int ssl_generate_master_secret(SSL *s, unsigned char *pms, size_t pmslen,
int free_pms);
__owur EVP_PKEY *ssl_generate_pkey(EVP_PKEY *pm);
__owur int ssl_set_client_hello_version(SSL *s);
__owur int ssl_check_version_downgrade(SSL *s);
__owur int ssl_set_version_bound(int method_version, int version, int *bound);
-__owur int ssl_choose_server_version(SSL *s, CLIENTHELLO_MSG *hello);
-__owur int ssl_choose_client_version(SSL *s, int version);
+__owur int ssl_choose_server_version(SSL *s, CLIENTHELLO_MSG *hello,
+ DOWNGRADE *dgrd);
+__owur int ssl_choose_client_version(SSL *s, int version, int checkdgrd,
+ int *al);
int ssl_get_client_min_max_version(const SSL *s, int *min_version,
int *max_version);
const unsigned char *label, size_t labellen,
const unsigned char *hash,
unsigned char *out, size_t outlen);
-__owur int tls13_derive_key(SSL *s, const unsigned char *secret,
- unsigned char *key, size_t keylen);
-__owur int tls13_derive_iv(SSL *s, const unsigned char *secret,
- unsigned char *iv, size_t ivlen);
+__owur int tls13_derive_key(SSL *s, const EVP_MD *md,
+ const unsigned char *secret, unsigned char *key,
+ size_t keylen);
+__owur int tls13_derive_iv(SSL *s, const EVP_MD *md,
+ const unsigned char *secret, unsigned char *iv,
+ size_t ivlen);
__owur int tls13_derive_finishedkey(SSL *s, const EVP_MD *md,
const unsigned char *secret,
unsigned char *fin, size_t finlen);
__owur int tls1_alert_code(int code);
__owur int tls13_alert_code(int code);
__owur int ssl3_alert_code(int code);
-__owur int ssl_ok(SSL *s);
# ifndef OPENSSL_NO_EC
__owur int ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s);
__owur size_t tls12_get_psigalgs(SSL *s, int sent, const uint16_t **psigs);
__owur int tls12_check_peer_sigalg(SSL *s, uint16_t, EVP_PKEY *pkey);
void ssl_set_client_disabled(SSL *s);
-__owur int ssl_cipher_disabled(SSL *s, const SSL_CIPHER *c, int op);
+__owur int ssl_cipher_disabled(SSL *s, const SSL_CIPHER *c, int op, int echde);
__owur int ssl_handshake_hash(SSL *s, unsigned char *out, size_t outlen,
size_t *hashlen);
const uint8_t *secret, size_t secret_len);
#define MASTER_SECRET_LABEL "CLIENT_RANDOM"
+#define CLIENT_EARLY_LABEL "CLIENT_EARLY_TRAFFIC_SECRET"
#define CLIENT_HANDSHAKE_LABEL "CLIENT_HANDSHAKE_TRAFFIC_SECRET"
#define SERVER_HANDSHAKE_LABEL "SERVER_HANDSHAKE_TRAFFIC_SECRET"
#define CLIENT_APPLICATION_LABEL "CLIENT_TRAFFIC_SECRET_0"
const unsigned char *mac_secret,
size_t mac_secret_length, char is_sslv3);
-__owur int tls_fips_digest_extra(const EVP_CIPHER_CTX *cipher_ctx,
- EVP_MD_CTX *mac_ctx, const unsigned char *data,
- size_t data_len, size_t orig_len);
-
__owur int srp_generate_server_master_secret(SSL *s);
__owur int srp_generate_client_master_secret(SSL *s);
__owur int srp_verify_server_param(SSL *s, int *al);
-/* t1_ext.c */
+/* statem/extensions_cust.c */
+
+custom_ext_method *custom_ext_find(const custom_ext_methods *exts,
+ ENDPOINT role, unsigned int ext_type,
+ size_t *idx);
void custom_ext_init(custom_ext_methods *meths);
-__owur int custom_ext_parse(SSL *s, int server,
- unsigned int ext_type,
+__owur int custom_ext_parse(SSL *s, unsigned int context, unsigned int ext_type,
const unsigned char *ext_data, size_t ext_size,
- int *al);
-__owur int custom_ext_add(SSL *s, int server, WPACKET *pkt, int *al);
+ X509 *x, size_t chainidx, int *al);
+__owur int custom_ext_add(SSL *s, int context, WPACKET *pkt, X509 *x,
+ size_t chainidx, int maxversion, int *al);
__owur int custom_exts_copy(custom_ext_methods *dst,
const custom_ext_methods *src);
void ssl_comp_free_compression_methods_int(void);
-# else
+# else /* OPENSSL_UNIT_TEST */
# define ssl_init_wbio_buffer SSL_test_functions()->p_ssl_init_wbio_buffer
# define ssl3_setup_buffers SSL_test_functions()->p_ssl3_setup_buffers