summaryrefslogtreecommitdiff
path: root/src/lib/libssl/ssl
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--src/lib/libssl/ssl.h2362
-rw-r--r--src/lib/libssl/ssl2.h153
-rw-r--r--src/lib/libssl/ssl23.h82
-rw-r--r--src/lib/libssl/ssl3.h455
-rw-r--r--src/lib/libssl/ssl_algs.c125
-rw-r--r--src/lib/libssl/ssl_asn1.c418
-rw-r--r--src/lib/libssl/ssl_both.c579
-rw-r--r--src/lib/libssl/ssl_cert.c730
-rw-r--r--src/lib/libssl/ssl_ciph.c1743
-rw-r--r--src/lib/libssl/ssl_ciphers.c286
-rw-r--r--src/lib/libssl/ssl_clnt.c2674
-rw-r--r--src/lib/libssl/ssl_err.c671
-rw-r--r--src/lib/libssl/ssl_init.c51
-rw-r--r--src/lib/libssl/ssl_kex.c423
-rw-r--r--src/lib/libssl/ssl_lib.c3492
-rw-r--r--src/lib/libssl/ssl_local.h1538
-rw-r--r--src/lib/libssl/ssl_methods.c580
-rw-r--r--src/lib/libssl/ssl_packet.c292
-rw-r--r--src/lib/libssl/ssl_pkt.c1324
-rw-r--r--src/lib/libssl/ssl_rsa.c748
-rw-r--r--src/lib/libssl/ssl_seclevel.c473
-rw-r--r--src/lib/libssl/ssl_sess.c1336
-rw-r--r--src/lib/libssl/ssl_sigalgs.c388
-rw-r--r--src/lib/libssl/ssl_sigalgs.h79
-rw-r--r--src/lib/libssl/ssl_srvr.c2625
-rw-r--r--src/lib/libssl/ssl_stat.c789
-rw-r--r--src/lib/libssl/ssl_tlsext.c2442
-rw-r--r--src/lib/libssl/ssl_tlsext.h47
-rw-r--r--src/lib/libssl/ssl_transcript.c197
-rw-r--r--src/lib/libssl/ssl_txt.c199
-rw-r--r--src/lib/libssl/ssl_versions.c381
31 files changed, 0 insertions, 27682 deletions
diff --git a/src/lib/libssl/ssl.h b/src/lib/libssl/ssl.h
deleted file mode 100644
index acde94c749..0000000000
--- a/src/lib/libssl/ssl.h
+++ /dev/null
@@ -1,2362 +0,0 @@
1/* $OpenBSD: ssl.h,v 1.230 2022/12/26 07:31:44 jmc Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58/* ====================================================================
59 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
60 *
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
63 * are met:
64 *
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
67 *
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
71 * distribution.
72 *
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77 *
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
82 *
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
86 *
87 * 6. Redistributions of any form whatsoever must retain the following
88 * acknowledgment:
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91 *
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
105 *
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
109 *
110 */
111/* ====================================================================
112 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
113 * ECC cipher suite support in OpenSSL originally developed by
114 * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
115 */
116/* ====================================================================
117 * Copyright 2005 Nokia. All rights reserved.
118 *
119 * The portions of the attached software ("Contribution") is developed by
120 * Nokia Corporation and is licensed pursuant to the OpenSSL open source
121 * license.
122 *
123 * The Contribution, originally written by Mika Kousa and Pasi Eronen of
124 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
125 * support (see RFC 4279) to OpenSSL.
126 *
127 * No patent licenses or other rights except those expressly stated in
128 * the OpenSSL open source license shall be deemed granted or received
129 * expressly, by implication, estoppel, or otherwise.
130 *
131 * No assurances are provided by Nokia that the Contribution does not
132 * infringe the patent or other intellectual property rights of any third
133 * party or that the license provides you with all the necessary rights
134 * to make use of the Contribution.
135 *
136 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
137 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
138 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
139 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
140 * OTHERWISE.
141 */
142
143#ifndef HEADER_SSL_H
144#define HEADER_SSL_H
145
146#include <stdint.h>
147
148#include <openssl/opensslconf.h>
149
150#include <openssl/hmac.h>
151#include <openssl/pem.h>
152#include <openssl/safestack.h>
153
154#include <openssl/bio.h>
155
156#ifndef OPENSSL_NO_DEPRECATED
157#include <openssl/buffer.h>
158#include <openssl/crypto.h>
159#include <openssl/lhash.h>
160
161#ifndef OPENSSL_NO_X509
162#include <openssl/x509.h>
163#endif
164#endif
165
166#ifdef __cplusplus
167extern "C" {
168#endif
169
170/* SSLeay version number for ASN.1 encoding of the session information */
171/* Version 0 - initial version
172 * Version 1 - added the optional peer certificate
173 */
174#define SSL_SESSION_ASN1_VERSION 0x0001
175
176/* text strings for the ciphers */
177#define SSL_TXT_NULL_WITH_MD5 SSL2_TXT_NULL_WITH_MD5
178#define SSL_TXT_RC4_128_WITH_MD5 SSL2_TXT_RC4_128_WITH_MD5
179#define SSL_TXT_RC4_128_EXPORT40_WITH_MD5 SSL2_TXT_RC4_128_EXPORT40_WITH_MD5
180#define SSL_TXT_RC2_128_CBC_WITH_MD5 SSL2_TXT_RC2_128_CBC_WITH_MD5
181#define SSL_TXT_RC2_128_CBC_EXPORT40_WITH_MD5 SSL2_TXT_RC2_128_CBC_EXPORT40_WITH_MD5
182#define SSL_TXT_IDEA_128_CBC_WITH_MD5 SSL2_TXT_IDEA_128_CBC_WITH_MD5
183#define SSL_TXT_DES_64_CBC_WITH_MD5 SSL2_TXT_DES_64_CBC_WITH_MD5
184#define SSL_TXT_DES_64_CBC_WITH_SHA SSL2_TXT_DES_64_CBC_WITH_SHA
185#define SSL_TXT_DES_192_EDE3_CBC_WITH_MD5 SSL2_TXT_DES_192_EDE3_CBC_WITH_MD5
186#define SSL_TXT_DES_192_EDE3_CBC_WITH_SHA SSL2_TXT_DES_192_EDE3_CBC_WITH_SHA
187
188/* VRS Additional Kerberos5 entries
189 */
190#define SSL_TXT_KRB5_DES_64_CBC_SHA SSL3_TXT_KRB5_DES_64_CBC_SHA
191#define SSL_TXT_KRB5_DES_192_CBC3_SHA SSL3_TXT_KRB5_DES_192_CBC3_SHA
192#define SSL_TXT_KRB5_RC4_128_SHA SSL3_TXT_KRB5_RC4_128_SHA
193#define SSL_TXT_KRB5_IDEA_128_CBC_SHA SSL3_TXT_KRB5_IDEA_128_CBC_SHA
194#define SSL_TXT_KRB5_DES_64_CBC_MD5 SSL3_TXT_KRB5_DES_64_CBC_MD5
195#define SSL_TXT_KRB5_DES_192_CBC3_MD5 SSL3_TXT_KRB5_DES_192_CBC3_MD5
196#define SSL_TXT_KRB5_RC4_128_MD5 SSL3_TXT_KRB5_RC4_128_MD5
197#define SSL_TXT_KRB5_IDEA_128_CBC_MD5 SSL3_TXT_KRB5_IDEA_128_CBC_MD5
198
199#define SSL_TXT_KRB5_DES_40_CBC_SHA SSL3_TXT_KRB5_DES_40_CBC_SHA
200#define SSL_TXT_KRB5_RC2_40_CBC_SHA SSL3_TXT_KRB5_RC2_40_CBC_SHA
201#define SSL_TXT_KRB5_RC4_40_SHA SSL3_TXT_KRB5_RC4_40_SHA
202#define SSL_TXT_KRB5_DES_40_CBC_MD5 SSL3_TXT_KRB5_DES_40_CBC_MD5
203#define SSL_TXT_KRB5_RC2_40_CBC_MD5 SSL3_TXT_KRB5_RC2_40_CBC_MD5
204#define SSL_TXT_KRB5_RC4_40_MD5 SSL3_TXT_KRB5_RC4_40_MD5
205
206#define SSL_TXT_KRB5_DES_40_CBC_SHA SSL3_TXT_KRB5_DES_40_CBC_SHA
207#define SSL_TXT_KRB5_DES_40_CBC_MD5 SSL3_TXT_KRB5_DES_40_CBC_MD5
208#define SSL_TXT_KRB5_DES_64_CBC_SHA SSL3_TXT_KRB5_DES_64_CBC_SHA
209#define SSL_TXT_KRB5_DES_64_CBC_MD5 SSL3_TXT_KRB5_DES_64_CBC_MD5
210#define SSL_TXT_KRB5_DES_192_CBC3_SHA SSL3_TXT_KRB5_DES_192_CBC3_SHA
211#define SSL_TXT_KRB5_DES_192_CBC3_MD5 SSL3_TXT_KRB5_DES_192_CBC3_MD5
212#define SSL_MAX_KRB5_PRINCIPAL_LENGTH 256
213
214#define SSL_MAX_SSL_SESSION_ID_LENGTH 32
215#define SSL_MAX_SID_CTX_LENGTH 32
216
217#define SSL_MIN_RSA_MODULUS_LENGTH_IN_BYTES (512/8)
218#define SSL_MAX_KEY_ARG_LENGTH 8
219#define SSL_MAX_MASTER_KEY_LENGTH 48
220
221
222/* These are used to specify which ciphers to use and not to use */
223
224#define SSL_TXT_LOW "LOW"
225#define SSL_TXT_MEDIUM "MEDIUM"
226#define SSL_TXT_HIGH "HIGH"
227
228#define SSL_TXT_kFZA "kFZA" /* unused! */
229#define SSL_TXT_aFZA "aFZA" /* unused! */
230#define SSL_TXT_eFZA "eFZA" /* unused! */
231#define SSL_TXT_FZA "FZA" /* unused! */
232
233#define SSL_TXT_aNULL "aNULL"
234#define SSL_TXT_eNULL "eNULL"
235#define SSL_TXT_NULL "NULL"
236
237#define SSL_TXT_kRSA "kRSA"
238#define SSL_TXT_kDHr "kDHr" /* no such ciphersuites supported! */
239#define SSL_TXT_kDHd "kDHd" /* no such ciphersuites supported! */
240#define SSL_TXT_kDH "kDH" /* no such ciphersuites supported! */
241#define SSL_TXT_kEDH "kEDH"
242#define SSL_TXT_kKRB5 "kKRB5"
243#define SSL_TXT_kECDHr "kECDHr"
244#define SSL_TXT_kECDHe "kECDHe"
245#define SSL_TXT_kECDH "kECDH"
246#define SSL_TXT_kEECDH "kEECDH"
247#define SSL_TXT_kPSK "kPSK"
248#define SSL_TXT_kGOST "kGOST"
249#define SSL_TXT_kSRP "kSRP"
250
251#define SSL_TXT_aRSA "aRSA"
252#define SSL_TXT_aDSS "aDSS"
253#define SSL_TXT_aDH "aDH" /* no such ciphersuites supported! */
254#define SSL_TXT_aECDH "aECDH"
255#define SSL_TXT_aKRB5 "aKRB5"
256#define SSL_TXT_aECDSA "aECDSA"
257#define SSL_TXT_aPSK "aPSK"
258#define SSL_TXT_aGOST94 "aGOST94"
259#define SSL_TXT_aGOST01 "aGOST01"
260#define SSL_TXT_aGOST "aGOST"
261
262#define SSL_TXT_DSS "DSS"
263#define SSL_TXT_DH "DH"
264#define SSL_TXT_DHE "DHE" /* same as "kDHE:-ADH" */
265#define SSL_TXT_EDH "EDH" /* previous name for DHE */
266#define SSL_TXT_ADH "ADH"
267#define SSL_TXT_RSA "RSA"
268#define SSL_TXT_ECDH "ECDH"
269#define SSL_TXT_ECDHE "ECDHE" /* same as "kECDHE:-AECDH" */
270#define SSL_TXT_EECDH "EECDH" /* previous name for ECDHE */
271#define SSL_TXT_AECDH "AECDH"
272#define SSL_TXT_ECDSA "ECDSA"
273#define SSL_TXT_KRB5 "KRB5"
274#define SSL_TXT_PSK "PSK"
275#define SSL_TXT_SRP "SRP"
276
277#define SSL_TXT_DES "DES"
278#define SSL_TXT_3DES "3DES"
279#define SSL_TXT_RC4 "RC4"
280#define SSL_TXT_RC2 "RC2"
281#define SSL_TXT_IDEA "IDEA"
282#define SSL_TXT_SEED "SEED"
283#define SSL_TXT_AES128 "AES128"
284#define SSL_TXT_AES256 "AES256"
285#define SSL_TXT_AES "AES"
286#define SSL_TXT_AES_GCM "AESGCM"
287#define SSL_TXT_CAMELLIA128 "CAMELLIA128"
288#define SSL_TXT_CAMELLIA256 "CAMELLIA256"
289#define SSL_TXT_CAMELLIA "CAMELLIA"
290#define SSL_TXT_CHACHA20 "CHACHA20"
291
292#define SSL_TXT_AEAD "AEAD"
293#define SSL_TXT_MD5 "MD5"
294#define SSL_TXT_SHA1 "SHA1"
295#define SSL_TXT_SHA "SHA" /* same as "SHA1" */
296#define SSL_TXT_GOST94 "GOST94"
297#define SSL_TXT_GOST89MAC "GOST89MAC"
298#define SSL_TXT_SHA256 "SHA256"
299#define SSL_TXT_SHA384 "SHA384"
300#define SSL_TXT_STREEBOG256 "STREEBOG256"
301#define SSL_TXT_STREEBOG512 "STREEBOG512"
302
303#define SSL_TXT_DTLS1 "DTLSv1"
304#define SSL_TXT_DTLS1_2 "DTLSv1.2"
305#define SSL_TXT_SSLV2 "SSLv2"
306#define SSL_TXT_SSLV3 "SSLv3"
307#define SSL_TXT_TLSV1 "TLSv1"
308#define SSL_TXT_TLSV1_1 "TLSv1.1"
309#define SSL_TXT_TLSV1_2 "TLSv1.2"
310#if defined(LIBRESSL_HAS_TLS1_3) || defined(LIBRESSL_INTERNAL)
311#define SSL_TXT_TLSV1_3 "TLSv1.3"
312#endif
313
314#define SSL_TXT_EXP "EXP"
315#define SSL_TXT_EXPORT "EXPORT"
316
317#define SSL_TXT_ALL "ALL"
318
319/*
320 * COMPLEMENTOF* definitions. These identifiers are used to (de-select)
321 * ciphers normally not being used.
322 * Example: "RC4" will activate all ciphers using RC4 including ciphers
323 * without authentication, which would normally disabled by DEFAULT (due
324 * the "!ADH" being part of default). Therefore "RC4:!COMPLEMENTOFDEFAULT"
325 * will make sure that it is also disabled in the specific selection.
326 * COMPLEMENTOF* identifiers are portable between version, as adjustments
327 * to the default cipher setup will also be included here.
328 *
329 * COMPLEMENTOFDEFAULT does not experience the same special treatment that
330 * DEFAULT gets, as only selection is being done and no sorting as needed
331 * for DEFAULT.
332 */
333#define SSL_TXT_CMPALL "COMPLEMENTOFALL"
334#define SSL_TXT_CMPDEF "COMPLEMENTOFDEFAULT"
335
336/* The following cipher list is used by default.
337 * It also is substituted when an application-defined cipher list string
338 * starts with 'DEFAULT'. */
339#define SSL_DEFAULT_CIPHER_LIST "ALL:!aNULL:!eNULL:!SSLv2"
340/* As of OpenSSL 1.0.0, ssl_create_cipher_list() in ssl/ssl_ciph.c always
341 * starts with a reasonable order, and all we have to do for DEFAULT is
342 * throwing out anonymous and unencrypted ciphersuites!
343 * (The latter are not actually enabled by ALL, but "ALL:RSA" would enable
344 * some of them.)
345 */
346
347/* Used in SSL_set_shutdown()/SSL_get_shutdown(); */
348#define SSL_SENT_SHUTDOWN 1
349#define SSL_RECEIVED_SHUTDOWN 2
350
351
352#define SSL_FILETYPE_ASN1 X509_FILETYPE_ASN1
353#define SSL_FILETYPE_PEM X509_FILETYPE_PEM
354
355/* This is needed to stop compilers complaining about the
356 * 'struct ssl_st *' function parameters used to prototype callbacks
357 * in SSL_CTX. */
358typedef struct ssl_st *ssl_crock_st;
359
360typedef struct ssl_method_st SSL_METHOD;
361typedef struct ssl_cipher_st SSL_CIPHER;
362typedef struct ssl_session_st SSL_SESSION;
363
364#if defined(LIBRESSL_HAS_QUIC) || defined(LIBRESSL_INTERNAL)
365typedef struct ssl_quic_method_st SSL_QUIC_METHOD;
366#endif
367
368DECLARE_STACK_OF(SSL_CIPHER)
369
370/* SRTP protection profiles for use with the use_srtp extension (RFC 5764)*/
371typedef struct srtp_protection_profile_st {
372 const char *name;
373 unsigned long id;
374} SRTP_PROTECTION_PROFILE;
375
376DECLARE_STACK_OF(SRTP_PROTECTION_PROFILE)
377
378typedef int (*tls_session_ticket_ext_cb_fn)(SSL *s, const unsigned char *data,
379 int len, void *arg);
380typedef int (*tls_session_secret_cb_fn)(SSL *s, void *secret, int *secret_len,
381 STACK_OF(SSL_CIPHER) *peer_ciphers, SSL_CIPHER **cipher, void *arg);
382
383/* Allow initial connection to servers that don't support RI */
384#define SSL_OP_LEGACY_SERVER_CONNECT 0x00000004L
385
386/* Disable SSL 3.0/TLS 1.0 CBC vulnerability workaround that was added
387 * in OpenSSL 0.9.6d. Usually (depending on the application protocol)
388 * the workaround is not needed.
389 * Unfortunately some broken SSL/TLS implementations cannot handle it
390 * at all, which is why it was previously included in SSL_OP_ALL.
391 * Now it's not.
392 */
393#define SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS 0x00000800L
394
395/* DTLS options */
396#define SSL_OP_NO_QUERY_MTU 0x00001000L
397/* Turn on Cookie Exchange (on relevant for servers) */
398#define SSL_OP_COOKIE_EXCHANGE 0x00002000L
399/* Don't use RFC4507 ticket extension */
400#define SSL_OP_NO_TICKET 0x00004000L
401
402/* As server, disallow session resumption on renegotiation */
403#define SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION 0x00010000L
404/* Disallow client initiated renegotiation. */
405#define SSL_OP_NO_CLIENT_RENEGOTIATION 0x00020000L
406/* If set, always create a new key when using tmp_dh parameters */
407#define SSL_OP_SINGLE_DH_USE 0x00100000L
408/* Set on servers to choose the cipher according to the server's
409 * preferences */
410#define SSL_OP_CIPHER_SERVER_PREFERENCE 0x00400000L
411
412#define SSL_OP_NO_TLSv1 0x04000000L
413#define SSL_OP_NO_TLSv1_2 0x08000000L
414#define SSL_OP_NO_TLSv1_1 0x10000000L
415
416#if defined(LIBRESSL_HAS_TLS1_3) || defined(LIBRESSL_INTERNAL)
417#define SSL_OP_NO_TLSv1_3 0x20000000L
418#endif
419
420#define SSL_OP_NO_DTLSv1 0x40000000L
421#define SSL_OP_NO_DTLSv1_2 0x80000000L
422
423/* SSL_OP_ALL: various bug workarounds that should be rather harmless. */
424#define SSL_OP_ALL \
425 (SSL_OP_LEGACY_SERVER_CONNECT)
426
427/* Obsolete flags kept for compatibility. No sane code should use them. */
428#define SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION 0x0
429#define SSL_OP_CISCO_ANYCONNECT 0x0
430#define SSL_OP_CRYPTOPRO_TLSEXT_BUG 0x0
431#define SSL_OP_EPHEMERAL_RSA 0x0
432#define SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER 0x0
433#define SSL_OP_MICROSOFT_SESS_ID_BUG 0x0
434#define SSL_OP_MSIE_SSLV2_RSA_PADDING 0x0
435#define SSL_OP_NETSCAPE_CA_DN_BUG 0x0
436#define SSL_OP_NETSCAPE_CHALLENGE_BUG 0x0
437#define SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG 0x0
438#define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG 0x0
439#define SSL_OP_NO_COMPRESSION 0x0
440#define SSL_OP_NO_SSLv2 0x0
441#define SSL_OP_NO_SSLv3 0x0
442#define SSL_OP_PKCS1_CHECK_1 0x0
443#define SSL_OP_PKCS1_CHECK_2 0x0
444#define SSL_OP_SAFARI_ECDHE_ECDSA_BUG 0x0
445#define SSL_OP_SINGLE_ECDH_USE 0x0
446#define SSL_OP_SSLEAY_080_CLIENT_DH_BUG 0x0
447#define SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG 0x0
448#define SSL_OP_TLSEXT_PADDING 0x0
449#define SSL_OP_TLS_BLOCK_PADDING_BUG 0x0
450#define SSL_OP_TLS_D5_BUG 0x0
451#define SSL_OP_TLS_ROLLBACK_BUG 0x0
452
453/* Allow SSL_write(..., n) to return r with 0 < r < n (i.e. report success
454 * when just a single record has been written): */
455#define SSL_MODE_ENABLE_PARTIAL_WRITE 0x00000001L
456/* Make it possible to retry SSL_write() with changed buffer location
457 * (buffer contents must stay the same!); this is not the default to avoid
458 * the misconception that non-blocking SSL_write() behaves like
459 * non-blocking write(): */
460#define SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER 0x00000002L
461/* Never bother the application with retries if the transport
462 * is blocking: */
463#define SSL_MODE_AUTO_RETRY 0x00000004L
464/* Don't attempt to automatically build certificate chain */
465#define SSL_MODE_NO_AUTO_CHAIN 0x00000008L
466/* Save RAM by releasing read and write buffers when they're empty. (SSL3 and
467 * TLS only.) "Released" buffers are put onto a free-list in the context
468 * or just freed (depending on the context's setting for freelist_max_len). */
469#define SSL_MODE_RELEASE_BUFFERS 0x00000010L
470
471/* Note: SSL[_CTX]_set_{options,mode} use |= op on the previous value,
472 * they cannot be used to clear bits. */
473
474#define SSL_CTX_set_options(ctx,op) \
475 SSL_CTX_ctrl((ctx),SSL_CTRL_OPTIONS,(op),NULL)
476#define SSL_CTX_clear_options(ctx,op) \
477 SSL_CTX_ctrl((ctx),SSL_CTRL_CLEAR_OPTIONS,(op),NULL)
478#define SSL_CTX_get_options(ctx) \
479 SSL_CTX_ctrl((ctx),SSL_CTRL_OPTIONS,0,NULL)
480#define SSL_set_options(ssl,op) \
481 SSL_ctrl((ssl),SSL_CTRL_OPTIONS,(op),NULL)
482#define SSL_clear_options(ssl,op) \
483 SSL_ctrl((ssl),SSL_CTRL_CLEAR_OPTIONS,(op),NULL)
484#define SSL_get_options(ssl) \
485 SSL_ctrl((ssl),SSL_CTRL_OPTIONS,0,NULL)
486
487#define SSL_CTX_set_mode(ctx,op) \
488 SSL_CTX_ctrl((ctx),SSL_CTRL_MODE,(op),NULL)
489#define SSL_CTX_clear_mode(ctx,op) \
490 SSL_CTX_ctrl((ctx),SSL_CTRL_CLEAR_MODE,(op),NULL)
491#define SSL_CTX_get_mode(ctx) \
492 SSL_CTX_ctrl((ctx),SSL_CTRL_MODE,0,NULL)
493#define SSL_clear_mode(ssl,op) \
494 SSL_ctrl((ssl),SSL_CTRL_CLEAR_MODE,(op),NULL)
495#define SSL_set_mode(ssl,op) \
496 SSL_ctrl((ssl),SSL_CTRL_MODE,(op),NULL)
497#define SSL_get_mode(ssl) \
498 SSL_ctrl((ssl),SSL_CTRL_MODE,0,NULL)
499#define SSL_set_mtu(ssl, mtu) \
500 SSL_ctrl((ssl),SSL_CTRL_SET_MTU,(mtu),NULL)
501
502#define SSL_get_secure_renegotiation_support(ssl) \
503 SSL_ctrl((ssl), SSL_CTRL_GET_RI_SUPPORT, 0, NULL)
504
505void SSL_CTX_set_msg_callback(SSL_CTX *ctx, void (*cb)(int write_p,
506 int version, int content_type, const void *buf, size_t len, SSL *ssl,
507 void *arg));
508void SSL_set_msg_callback(SSL *ssl, void (*cb)(int write_p, int version,
509 int content_type, const void *buf, size_t len, SSL *ssl, void *arg));
510#define SSL_CTX_set_msg_callback_arg(ctx, arg) SSL_CTX_ctrl((ctx), SSL_CTRL_SET_MSG_CALLBACK_ARG, 0, (arg))
511#define SSL_set_msg_callback_arg(ssl, arg) SSL_ctrl((ssl), SSL_CTRL_SET_MSG_CALLBACK_ARG, 0, (arg))
512typedef void (*SSL_CTX_keylog_cb_func)(const SSL *ssl, const char *line);
513void SSL_CTX_set_keylog_callback(SSL_CTX *ctx, SSL_CTX_keylog_cb_func cb);
514SSL_CTX_keylog_cb_func SSL_CTX_get_keylog_callback(const SSL_CTX *ctx);
515int SSL_set_num_tickets(SSL *s, size_t num_tickets);
516size_t SSL_get_num_tickets(const SSL *s);
517int SSL_CTX_set_num_tickets(SSL_CTX *ctx, size_t num_tickets);
518size_t SSL_CTX_get_num_tickets(const SSL_CTX *ctx);
519STACK_OF(X509) *SSL_get0_verified_chain(const SSL *s);
520
521#ifndef LIBRESSL_INTERNAL
522struct ssl_aead_ctx_st;
523typedef struct ssl_aead_ctx_st SSL_AEAD_CTX;
524#endif
525
526#define SSL_MAX_CERT_LIST_DEFAULT 1024*100 /* 100k max cert list :-) */
527
528#define SSL_SESSION_CACHE_MAX_SIZE_DEFAULT (1024*20)
529
530/* This callback type is used inside SSL_CTX, SSL, and in the functions that set
531 * them. It is used to override the generation of SSL/TLS session IDs in a
532 * server. Return value should be zero on an error, non-zero to proceed. Also,
533 * callbacks should themselves check if the id they generate is unique otherwise
534 * the SSL handshake will fail with an error - callbacks can do this using the
535 * 'ssl' value they're passed by;
536 * SSL_has_matching_session_id(ssl, id, *id_len)
537 * The length value passed in is set at the maximum size the session ID can be.
538 * In SSLv2 this is 16 bytes, whereas SSLv3/TLSv1 it is 32 bytes. The callback
539 * can alter this length to be less if desired, but under SSLv2 session IDs are
540 * supposed to be fixed at 16 bytes so the id will be padded after the callback
541 * returns in this case. It is also an error for the callback to set the size to
542 * zero. */
543typedef int (*GEN_SESSION_CB)(const SSL *ssl, unsigned char *id,
544 unsigned int *id_len);
545
546typedef struct ssl_comp_st SSL_COMP;
547
548#ifdef LIBRESSL_INTERNAL
549DECLARE_STACK_OF(SSL_COMP)
550struct lhash_st_SSL_SESSION {
551 int dummy;
552};
553#endif
554
555#define SSL_SESS_CACHE_OFF 0x0000
556#define SSL_SESS_CACHE_CLIENT 0x0001
557#define SSL_SESS_CACHE_SERVER 0x0002
558#define SSL_SESS_CACHE_BOTH (SSL_SESS_CACHE_CLIENT|SSL_SESS_CACHE_SERVER)
559#define SSL_SESS_CACHE_NO_AUTO_CLEAR 0x0080
560/* enough comments already ... see SSL_CTX_set_session_cache_mode(3) */
561#define SSL_SESS_CACHE_NO_INTERNAL_LOOKUP 0x0100
562#define SSL_SESS_CACHE_NO_INTERNAL_STORE 0x0200
563#define SSL_SESS_CACHE_NO_INTERNAL \
564 (SSL_SESS_CACHE_NO_INTERNAL_LOOKUP|SSL_SESS_CACHE_NO_INTERNAL_STORE)
565
566struct lhash_st_SSL_SESSION *SSL_CTX_sessions(SSL_CTX *ctx);
567#define SSL_CTX_sess_number(ctx) \
568 SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_NUMBER,0,NULL)
569#define SSL_CTX_sess_connect(ctx) \
570 SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_CONNECT,0,NULL)
571#define SSL_CTX_sess_connect_good(ctx) \
572 SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_CONNECT_GOOD,0,NULL)
573#define SSL_CTX_sess_connect_renegotiate(ctx) \
574 SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_CONNECT_RENEGOTIATE,0,NULL)
575#define SSL_CTX_sess_accept(ctx) \
576 SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_ACCEPT,0,NULL)
577#define SSL_CTX_sess_accept_renegotiate(ctx) \
578 SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_ACCEPT_RENEGOTIATE,0,NULL)
579#define SSL_CTX_sess_accept_good(ctx) \
580 SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_ACCEPT_GOOD,0,NULL)
581#define SSL_CTX_sess_hits(ctx) \
582 SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_HIT,0,NULL)
583#define SSL_CTX_sess_cb_hits(ctx) \
584 SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_CB_HIT,0,NULL)
585#define SSL_CTX_sess_misses(ctx) \
586 SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_MISSES,0,NULL)
587#define SSL_CTX_sess_timeouts(ctx) \
588 SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_TIMEOUTS,0,NULL)
589#define SSL_CTX_sess_cache_full(ctx) \
590 SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_CACHE_FULL,0,NULL)
591
592void SSL_CTX_sess_set_new_cb(SSL_CTX *ctx,
593 int (*new_session_cb)(struct ssl_st *ssl, SSL_SESSION *sess));
594int (*SSL_CTX_sess_get_new_cb(SSL_CTX *ctx))(struct ssl_st *ssl,
595 SSL_SESSION *sess);
596void SSL_CTX_sess_set_remove_cb(SSL_CTX *ctx,
597 void (*remove_session_cb)(struct ssl_ctx_st *ctx, SSL_SESSION *sess));
598void (*SSL_CTX_sess_get_remove_cb(SSL_CTX *ctx))(struct ssl_ctx_st *ctx,
599 SSL_SESSION *sess);
600void SSL_CTX_sess_set_get_cb(SSL_CTX *ctx,
601 SSL_SESSION *(*get_session_cb)(struct ssl_st *ssl,
602 const unsigned char *data, int len, int *copy));
603SSL_SESSION *(*SSL_CTX_sess_get_get_cb(SSL_CTX *ctx))(struct ssl_st *ssl,
604 const unsigned char *data, int len, int *copy);
605void SSL_CTX_set_info_callback(SSL_CTX *ctx, void (*cb)(const SSL *ssl,
606 int type, int val));
607void (*SSL_CTX_get_info_callback(SSL_CTX *ctx))(const SSL *ssl, int type,
608 int val);
609void SSL_CTX_set_client_cert_cb(SSL_CTX *ctx,
610 int (*client_cert_cb)(SSL *ssl, X509 **x509, EVP_PKEY **pkey));
611int (*SSL_CTX_get_client_cert_cb(SSL_CTX *ctx))(SSL *ssl, X509 **x509,
612 EVP_PKEY **pkey);
613#ifndef OPENSSL_NO_ENGINE
614int SSL_CTX_set_client_cert_engine(SSL_CTX *ctx, ENGINE *e);
615#endif
616void SSL_CTX_set_cookie_generate_cb(SSL_CTX *ctx,
617 int (*app_gen_cookie_cb)(SSL *ssl, unsigned char *cookie,
618 unsigned int *cookie_len));
619void SSL_CTX_set_cookie_verify_cb(SSL_CTX *ctx,
620 int (*app_verify_cookie_cb)(SSL *ssl, const unsigned char *cookie,
621 unsigned int cookie_len));
622void SSL_CTX_set_next_protos_advertised_cb(SSL_CTX *s, int (*cb)(SSL *ssl,
623 const unsigned char **out, unsigned int *outlen, void *arg), void *arg);
624void SSL_CTX_set_next_proto_select_cb(SSL_CTX *s, int (*cb)(SSL *ssl,
625 unsigned char **out, unsigned char *outlen, const unsigned char *in,
626 unsigned int inlen, void *arg), void *arg);
627
628int SSL_select_next_proto(unsigned char **out, unsigned char *outlen,
629 const unsigned char *in, unsigned int inlen, const unsigned char *client,
630 unsigned int client_len);
631void SSL_get0_next_proto_negotiated(const SSL *s, const unsigned char **data,
632 unsigned int *len);
633
634#define OPENSSL_NPN_UNSUPPORTED 0
635#define OPENSSL_NPN_NEGOTIATED 1
636#define OPENSSL_NPN_NO_OVERLAP 2
637
638int SSL_CTX_set_alpn_protos(SSL_CTX *ctx, const unsigned char *protos,
639 unsigned int protos_len);
640int SSL_set_alpn_protos(SSL *ssl, const unsigned char *protos,
641 unsigned int protos_len);
642void SSL_CTX_set_alpn_select_cb(SSL_CTX *ctx,
643 int (*cb)(SSL *ssl, const unsigned char **out, unsigned char *outlen,
644 const unsigned char *in, unsigned int inlen, void *arg), void *arg);
645void SSL_get0_alpn_selected(const SSL *ssl, const unsigned char **data,
646 unsigned int *len);
647
648#if defined(LIBRESSL_HAS_TLS1_3) || defined(LIBRESSL_INTERNAL)
649typedef int (*SSL_psk_use_session_cb_func)(SSL *ssl, const EVP_MD *md,
650 const unsigned char **id, size_t *idlen, SSL_SESSION **sess);
651void SSL_set_psk_use_session_callback(SSL *s, SSL_psk_use_session_cb_func cb);
652#endif
653
654#define SSL_NOTHING 1
655#define SSL_WRITING 2
656#define SSL_READING 3
657#define SSL_X509_LOOKUP 4
658
659/* These will only be used when doing non-blocking IO */
660#define SSL_want_nothing(s) (SSL_want(s) == SSL_NOTHING)
661#define SSL_want_read(s) (SSL_want(s) == SSL_READING)
662#define SSL_want_write(s) (SSL_want(s) == SSL_WRITING)
663#define SSL_want_x509_lookup(s) (SSL_want(s) == SSL_X509_LOOKUP)
664
665#define SSL_MAC_FLAG_READ_MAC_STREAM 1
666#define SSL_MAC_FLAG_WRITE_MAC_STREAM 2
667
668#ifdef __cplusplus
669}
670#endif
671
672#include <openssl/ssl2.h>
673#include <openssl/ssl3.h>
674#include <openssl/tls1.h> /* This is mostly sslv3 with a few tweaks */
675#include <openssl/dtls1.h> /* Datagram TLS */
676#include <openssl/ssl23.h>
677#include <openssl/srtp.h> /* Support for the use_srtp extension */
678
679#ifdef __cplusplus
680extern "C" {
681#endif
682
683/* compatibility */
684#define SSL_set_app_data(s,arg) (SSL_set_ex_data(s,0,(char *)arg))
685#define SSL_get_app_data(s) (SSL_get_ex_data(s,0))
686#define SSL_SESSION_set_app_data(s,a) (SSL_SESSION_set_ex_data(s,0,(char *)a))
687#define SSL_SESSION_get_app_data(s) (SSL_SESSION_get_ex_data(s,0))
688#define SSL_CTX_get_app_data(ctx) (SSL_CTX_get_ex_data(ctx,0))
689#define SSL_CTX_set_app_data(ctx,arg) (SSL_CTX_set_ex_data(ctx,0,(char *)arg))
690
691/* The following are the possible values for ssl->state are are
692 * used to indicate where we are up to in the SSL connection establishment.
693 * The macros that follow are about the only things you should need to use
694 * and even then, only when using non-blocking IO.
695 * It can also be useful to work out where you were when the connection
696 * failed */
697
698#define SSL_ST_CONNECT 0x1000
699#define SSL_ST_ACCEPT 0x2000
700#define SSL_ST_MASK 0x0FFF
701#define SSL_ST_INIT (SSL_ST_CONNECT|SSL_ST_ACCEPT)
702#define SSL_ST_BEFORE 0x4000
703#define SSL_ST_OK 0x03
704#define SSL_ST_RENEGOTIATE (0x04|SSL_ST_INIT)
705
706#define SSL_CB_LOOP 0x01
707#define SSL_CB_EXIT 0x02
708#define SSL_CB_READ 0x04
709#define SSL_CB_WRITE 0x08
710#define SSL_CB_ALERT 0x4000 /* used in callback */
711#define SSL_CB_READ_ALERT (SSL_CB_ALERT|SSL_CB_READ)
712#define SSL_CB_WRITE_ALERT (SSL_CB_ALERT|SSL_CB_WRITE)
713#define SSL_CB_ACCEPT_LOOP (SSL_ST_ACCEPT|SSL_CB_LOOP)
714#define SSL_CB_ACCEPT_EXIT (SSL_ST_ACCEPT|SSL_CB_EXIT)
715#define SSL_CB_CONNECT_LOOP (SSL_ST_CONNECT|SSL_CB_LOOP)
716#define SSL_CB_CONNECT_EXIT (SSL_ST_CONNECT|SSL_CB_EXIT)
717#define SSL_CB_HANDSHAKE_START 0x10
718#define SSL_CB_HANDSHAKE_DONE 0x20
719
720/* Is the SSL_connection established? */
721#define SSL_get_state(a) (SSL_state((a)))
722#define SSL_is_init_finished(a) (SSL_state((a)) == SSL_ST_OK)
723#define SSL_in_init(a) (SSL_state((a))&SSL_ST_INIT)
724#define SSL_in_before(a) (SSL_state((a))&SSL_ST_BEFORE)
725#define SSL_in_connect_init(a) (SSL_state((a))&SSL_ST_CONNECT)
726#define SSL_in_accept_init(a) (SSL_state((a))&SSL_ST_ACCEPT)
727
728/* The following 2 states are kept in ssl->rstate when reads fail,
729 * you should not need these */
730#define SSL_ST_READ_HEADER 0xF0
731#define SSL_ST_READ_BODY 0xF1
732#define SSL_ST_READ_DONE 0xF2
733
734/* Obtain latest Finished message
735 * -- that we sent (SSL_get_finished)
736 * -- that we expected from peer (SSL_get_peer_finished).
737 * Returns length (0 == no Finished so far), copies up to 'count' bytes. */
738size_t SSL_get_finished(const SSL *s, void *buf, size_t count);
739size_t SSL_get_peer_finished(const SSL *s, void *buf, size_t count);
740
741/* use either SSL_VERIFY_NONE or SSL_VERIFY_PEER, the last 2 options
742 * are 'ored' with SSL_VERIFY_PEER if they are desired */
743#define SSL_VERIFY_NONE 0x00
744#define SSL_VERIFY_PEER 0x01
745#define SSL_VERIFY_FAIL_IF_NO_PEER_CERT 0x02
746#define SSL_VERIFY_CLIENT_ONCE 0x04
747#if defined(LIBRESSL_HAS_TLS1_3) || defined(LIBRESSL_INTERNAL)
748#define SSL_VERIFY_POST_HANDSHAKE 0x08
749
750int SSL_verify_client_post_handshake(SSL *s);
751void SSL_CTX_set_post_handshake_auth(SSL_CTX *ctx, int val);
752void SSL_set_post_handshake_auth(SSL *s, int val);
753#endif
754
755#define OpenSSL_add_ssl_algorithms() SSL_library_init()
756#define SSLeay_add_ssl_algorithms() SSL_library_init()
757
758/* More backward compatibility */
759#define SSL_get_cipher(s) \
760 SSL_CIPHER_get_name(SSL_get_current_cipher(s))
761#define SSL_get_cipher_bits(s,np) \
762 SSL_CIPHER_get_bits(SSL_get_current_cipher(s),np)
763#define SSL_get_cipher_version(s) \
764 SSL_CIPHER_get_version(SSL_get_current_cipher(s))
765#define SSL_get_cipher_name(s) \
766 SSL_CIPHER_get_name(SSL_get_current_cipher(s))
767#define SSL_get_time(a) SSL_SESSION_get_time(a)
768#define SSL_set_time(a,b) SSL_SESSION_set_time((a),(b))
769#define SSL_get_timeout(a) SSL_SESSION_get_timeout(a)
770#define SSL_set_timeout(a,b) SSL_SESSION_set_timeout((a),(b))
771
772#define d2i_SSL_SESSION_bio(bp,s_id) ASN1_d2i_bio_of(SSL_SESSION,SSL_SESSION_new,d2i_SSL_SESSION,bp,s_id)
773#define i2d_SSL_SESSION_bio(bp,s_id) ASN1_i2d_bio_of(SSL_SESSION,i2d_SSL_SESSION,bp,s_id)
774
775SSL_SESSION *PEM_read_bio_SSL_SESSION(BIO *bp, SSL_SESSION **x,
776 pem_password_cb *cb, void *u);
777SSL_SESSION *PEM_read_SSL_SESSION(FILE *fp, SSL_SESSION **x,
778 pem_password_cb *cb, void *u);
779int PEM_write_bio_SSL_SESSION(BIO *bp, SSL_SESSION *x);
780int PEM_write_SSL_SESSION(FILE *fp, SSL_SESSION *x);
781
782/*
783 * TLS Alerts.
784 *
785 * https://www.iana.org/assignments/tls-parameters/#tls-parameters-6
786 */
787
788/* Obsolete alerts. */
789#ifndef LIBRESSL_INTERNAL
790#define SSL_AD_DECRYPTION_FAILED 21 /* Removed in TLSv1.1 */
791#define SSL_AD_NO_CERTIFICATE 41 /* Removed in TLSv1.0 */
792#define SSL_AD_EXPORT_RESTRICTION 60 /* Removed in TLSv1.1 */
793#endif
794
795#define SSL_AD_CLOSE_NOTIFY 0
796#define SSL_AD_UNEXPECTED_MESSAGE 10
797#define SSL_AD_BAD_RECORD_MAC 20
798#define SSL_AD_RECORD_OVERFLOW 22
799#define SSL_AD_DECOMPRESSION_FAILURE 30 /* Removed in TLSv1.3 */
800#define SSL_AD_HANDSHAKE_FAILURE 40
801#define SSL_AD_BAD_CERTIFICATE 42
802#define SSL_AD_UNSUPPORTED_CERTIFICATE 43
803#define SSL_AD_CERTIFICATE_REVOKED 44
804#define SSL_AD_CERTIFICATE_EXPIRED 45
805#define SSL_AD_CERTIFICATE_UNKNOWN 46
806#define SSL_AD_ILLEGAL_PARAMETER 47
807#define SSL_AD_UNKNOWN_CA 48
808#define SSL_AD_ACCESS_DENIED 49
809#define SSL_AD_DECODE_ERROR 50
810#define SSL_AD_DECRYPT_ERROR 51
811#define SSL_AD_PROTOCOL_VERSION 70
812#define SSL_AD_INSUFFICIENT_SECURITY 71
813#define SSL_AD_INTERNAL_ERROR 80
814#define SSL_AD_INAPPROPRIATE_FALLBACK 86
815#define SSL_AD_USER_CANCELLED 90
816#define SSL_AD_NO_RENEGOTIATION 100 /* Removed in TLSv1.3 */
817#define SSL_AD_MISSING_EXTENSION 109 /* Added in TLSv1.3. */
818#define SSL_AD_UNSUPPORTED_EXTENSION 110
819#define SSL_AD_CERTIFICATE_UNOBTAINABLE 111 /* Removed in TLSv1.3 */
820#define SSL_AD_UNRECOGNIZED_NAME 112
821#define SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE 113
822#define SSL_AD_BAD_CERTIFICATE_HASH_VALUE 114 /* Removed in TLSv1.3 */
823#define SSL_AD_UNKNOWN_PSK_IDENTITY 115
824#define SSL_AD_CERTIFICATE_REQUIRED 116
825#define SSL_AD_NO_APPLICATION_PROTOCOL 120
826
827/* Offset to get an SSL_R_... value from an SSL_AD_... value. */
828#define SSL_AD_REASON_OFFSET 1000
829
830#define SSL_ERROR_NONE 0
831#define SSL_ERROR_SSL 1
832#define SSL_ERROR_WANT_READ 2
833#define SSL_ERROR_WANT_WRITE 3
834#define SSL_ERROR_WANT_X509_LOOKUP 4
835#define SSL_ERROR_SYSCALL 5
836#define SSL_ERROR_ZERO_RETURN 6
837#define SSL_ERROR_WANT_CONNECT 7
838#define SSL_ERROR_WANT_ACCEPT 8
839#define SSL_ERROR_WANT_ASYNC 9
840#define SSL_ERROR_WANT_ASYNC_JOB 10
841#define SSL_ERROR_WANT_CLIENT_HELLO_CB 11
842
843#define SSL_CTRL_NEED_TMP_RSA 1
844#define SSL_CTRL_SET_TMP_RSA 2
845#define SSL_CTRL_SET_TMP_DH 3
846#define SSL_CTRL_SET_TMP_ECDH 4
847#define SSL_CTRL_SET_TMP_RSA_CB 5
848#define SSL_CTRL_SET_TMP_DH_CB 6
849#define SSL_CTRL_SET_TMP_ECDH_CB 7
850
851#define SSL_CTRL_GET_SESSION_REUSED 8
852#define SSL_CTRL_GET_CLIENT_CERT_REQUEST 9
853#define SSL_CTRL_GET_NUM_RENEGOTIATIONS 10
854#define SSL_CTRL_CLEAR_NUM_RENEGOTIATIONS 11
855#define SSL_CTRL_GET_TOTAL_RENEGOTIATIONS 12
856#define SSL_CTRL_GET_FLAGS 13
857#define SSL_CTRL_EXTRA_CHAIN_CERT 14
858
859#define SSL_CTRL_SET_MSG_CALLBACK 15
860#define SSL_CTRL_SET_MSG_CALLBACK_ARG 16
861
862/* only applies to datagram connections */
863#define SSL_CTRL_SET_MTU 17
864/* Stats */
865#define SSL_CTRL_SESS_NUMBER 20
866#define SSL_CTRL_SESS_CONNECT 21
867#define SSL_CTRL_SESS_CONNECT_GOOD 22
868#define SSL_CTRL_SESS_CONNECT_RENEGOTIATE 23
869#define SSL_CTRL_SESS_ACCEPT 24
870#define SSL_CTRL_SESS_ACCEPT_GOOD 25
871#define SSL_CTRL_SESS_ACCEPT_RENEGOTIATE 26
872#define SSL_CTRL_SESS_HIT 27
873#define SSL_CTRL_SESS_CB_HIT 28
874#define SSL_CTRL_SESS_MISSES 29
875#define SSL_CTRL_SESS_TIMEOUTS 30
876#define SSL_CTRL_SESS_CACHE_FULL 31
877#define SSL_CTRL_OPTIONS 32
878#define SSL_CTRL_MODE 33
879
880#define SSL_CTRL_GET_READ_AHEAD 40
881#define SSL_CTRL_SET_READ_AHEAD 41
882#define SSL_CTRL_SET_SESS_CACHE_SIZE 42
883#define SSL_CTRL_GET_SESS_CACHE_SIZE 43
884#define SSL_CTRL_SET_SESS_CACHE_MODE 44
885#define SSL_CTRL_GET_SESS_CACHE_MODE 45
886
887#define SSL_CTRL_GET_MAX_CERT_LIST 50
888#define SSL_CTRL_SET_MAX_CERT_LIST 51
889
890#define SSL_CTRL_SET_MAX_SEND_FRAGMENT 52
891
892/* see tls1.h for macros based on these */
893#define SSL_CTRL_SET_TLSEXT_SERVERNAME_CB 53
894#define SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG 54
895#define SSL_CTRL_SET_TLSEXT_HOSTNAME 55
896#define SSL_CTRL_SET_TLSEXT_DEBUG_CB 56
897#define SSL_CTRL_SET_TLSEXT_DEBUG_ARG 57
898#define SSL_CTRL_GET_TLSEXT_TICKET_KEYS 58
899#define SSL_CTRL_SET_TLSEXT_TICKET_KEYS 59
900#define SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB 128
901#define SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB 63
902#define SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB_ARG 129
903#define SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB_ARG 64
904#define SSL_CTRL_GET_TLSEXT_STATUS_REQ_TYPE 127
905#define SSL_CTRL_SET_TLSEXT_STATUS_REQ_TYPE 65
906#define SSL_CTRL_GET_TLSEXT_STATUS_REQ_EXTS 66
907#define SSL_CTRL_SET_TLSEXT_STATUS_REQ_EXTS 67
908#define SSL_CTRL_GET_TLSEXT_STATUS_REQ_IDS 68
909#define SSL_CTRL_SET_TLSEXT_STATUS_REQ_IDS 69
910#define SSL_CTRL_GET_TLSEXT_STATUS_REQ_OCSP_RESP 70
911#define SSL_CTRL_SET_TLSEXT_STATUS_REQ_OCSP_RESP 71
912
913#define SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB 72
914
915#define SSL_CTRL_SET_TLS_EXT_SRP_USERNAME_CB 75
916#define SSL_CTRL_SET_SRP_VERIFY_PARAM_CB 76
917#define SSL_CTRL_SET_SRP_GIVE_CLIENT_PWD_CB 77
918
919#define SSL_CTRL_SET_SRP_ARG 78
920#define SSL_CTRL_SET_TLS_EXT_SRP_USERNAME 79
921#define SSL_CTRL_SET_TLS_EXT_SRP_STRENGTH 80
922#define SSL_CTRL_SET_TLS_EXT_SRP_PASSWORD 81
923
924#define DTLS_CTRL_GET_TIMEOUT 73
925#define DTLS_CTRL_HANDLE_TIMEOUT 74
926#define DTLS_CTRL_LISTEN 75
927
928#define SSL_CTRL_GET_RI_SUPPORT 76
929#define SSL_CTRL_CLEAR_OPTIONS 77
930#define SSL_CTRL_CLEAR_MODE 78
931
932#define SSL_CTRL_GET_EXTRA_CHAIN_CERTS 82
933#define SSL_CTRL_CLEAR_EXTRA_CHAIN_CERTS 83
934
935#define SSL_CTRL_CHAIN 88
936#define SSL_CTRL_CHAIN_CERT 89
937
938#define SSL_CTRL_SET_GROUPS 91
939#define SSL_CTRL_SET_GROUPS_LIST 92
940#define SSL_CTRL_GET_SHARED_GROUP 93
941#define SSL_CTRL_SET_ECDH_AUTO 94
942
943#if defined(LIBRESSL_HAS_TLS1_3) || defined(LIBRESSL_INTERNAL)
944#define SSL_CTRL_GET_PEER_SIGNATURE_NID 108
945#define SSL_CTRL_GET_PEER_TMP_KEY 109
946#define SSL_CTRL_GET_SERVER_TMP_KEY SSL_CTRL_GET_PEER_TMP_KEY
947#else
948#define SSL_CTRL_GET_SERVER_TMP_KEY 109
949#endif
950
951#define SSL_CTRL_GET_CHAIN_CERTS 115
952
953#define SSL_CTRL_SET_DH_AUTO 118
954
955#define SSL_CTRL_SET_MIN_PROTO_VERSION 123
956#define SSL_CTRL_SET_MAX_PROTO_VERSION 124
957#define SSL_CTRL_GET_MIN_PROTO_VERSION 130
958#define SSL_CTRL_GET_MAX_PROTO_VERSION 131
959
960#if defined(LIBRESSL_HAS_TLS1_3) || defined(LIBRESSL_INTERNAL)
961#define SSL_CTRL_GET_SIGNATURE_NID 132
962#endif
963
964#define DTLSv1_get_timeout(ssl, arg) \
965 SSL_ctrl(ssl,DTLS_CTRL_GET_TIMEOUT,0, (void *)arg)
966#define DTLSv1_handle_timeout(ssl) \
967 SSL_ctrl(ssl,DTLS_CTRL_HANDLE_TIMEOUT,0, NULL)
968#define DTLSv1_listen(ssl, peer) \
969 SSL_ctrl(ssl,DTLS_CTRL_LISTEN,0, (void *)peer)
970
971#define SSL_session_reused(ssl) \
972 SSL_ctrl((ssl),SSL_CTRL_GET_SESSION_REUSED,0,NULL)
973#define SSL_num_renegotiations(ssl) \
974 SSL_ctrl((ssl),SSL_CTRL_GET_NUM_RENEGOTIATIONS,0,NULL)
975#define SSL_clear_num_renegotiations(ssl) \
976 SSL_ctrl((ssl),SSL_CTRL_CLEAR_NUM_RENEGOTIATIONS,0,NULL)
977#define SSL_total_renegotiations(ssl) \
978 SSL_ctrl((ssl),SSL_CTRL_GET_TOTAL_RENEGOTIATIONS,0,NULL)
979
980#define SSL_CTX_need_tmp_RSA(ctx) \
981 SSL_CTX_ctrl(ctx,SSL_CTRL_NEED_TMP_RSA,0,NULL)
982#define SSL_CTX_set_tmp_rsa(ctx,rsa) \
983 SSL_CTX_ctrl(ctx,SSL_CTRL_SET_TMP_RSA,0,(char *)rsa)
984#define SSL_CTX_set_tmp_dh(ctx,dh) \
985 SSL_CTX_ctrl(ctx,SSL_CTRL_SET_TMP_DH,0,(char *)dh)
986#define SSL_CTX_set_tmp_ecdh(ctx,ecdh) \
987 SSL_CTX_ctrl(ctx,SSL_CTRL_SET_TMP_ECDH,0,(char *)ecdh)
988#define SSL_CTX_set_dh_auto(ctx, onoff) \
989 SSL_CTX_ctrl(ctx,SSL_CTRL_SET_DH_AUTO,onoff,NULL)
990#define SSL_CTX_set_ecdh_auto(ctx, onoff) \
991 SSL_CTX_ctrl(ctx,SSL_CTRL_SET_ECDH_AUTO,onoff,NULL)
992
993#define SSL_need_tmp_RSA(ssl) \
994 SSL_ctrl(ssl,SSL_CTRL_NEED_TMP_RSA,0,NULL)
995#define SSL_set_tmp_rsa(ssl,rsa) \
996 SSL_ctrl(ssl,SSL_CTRL_SET_TMP_RSA,0,(char *)rsa)
997#define SSL_set_tmp_dh(ssl,dh) \
998 SSL_ctrl(ssl,SSL_CTRL_SET_TMP_DH,0,(char *)dh)
999#define SSL_set_tmp_ecdh(ssl,ecdh) \
1000 SSL_ctrl(ssl,SSL_CTRL_SET_TMP_ECDH,0,(char *)ecdh)
1001#define SSL_set_dh_auto(s, onoff) \
1002 SSL_ctrl(s,SSL_CTRL_SET_DH_AUTO,onoff,NULL)
1003#define SSL_set_ecdh_auto(s, onoff) \
1004 SSL_ctrl(s,SSL_CTRL_SET_ECDH_AUTO,onoff,NULL)
1005
1006int SSL_CTX_set0_chain(SSL_CTX *ctx, STACK_OF(X509) *chain);
1007int SSL_CTX_set1_chain(SSL_CTX *ctx, STACK_OF(X509) *chain);
1008int SSL_CTX_add0_chain_cert(SSL_CTX *ctx, X509 *x509);
1009int SSL_CTX_add1_chain_cert(SSL_CTX *ctx, X509 *x509);
1010int SSL_CTX_get0_chain_certs(const SSL_CTX *ctx, STACK_OF(X509) **out_chain);
1011int SSL_CTX_clear_chain_certs(SSL_CTX *ctx);
1012
1013int SSL_set0_chain(SSL *ssl, STACK_OF(X509) *chain);
1014int SSL_set1_chain(SSL *ssl, STACK_OF(X509) *chain);
1015int SSL_add0_chain_cert(SSL *ssl, X509 *x509);
1016int SSL_add1_chain_cert(SSL *ssl, X509 *x509);
1017int SSL_get0_chain_certs(const SSL *ssl, STACK_OF(X509) **out_chain);
1018int SSL_clear_chain_certs(SSL *ssl);
1019
1020int SSL_CTX_set1_groups(SSL_CTX *ctx, const int *groups, size_t groups_len);
1021int SSL_CTX_set1_groups_list(SSL_CTX *ctx, const char *groups);
1022
1023int SSL_set1_groups(SSL *ssl, const int *groups, size_t groups_len);
1024int SSL_set1_groups_list(SSL *ssl, const char *groups);
1025
1026int SSL_CTX_get_min_proto_version(SSL_CTX *ctx);
1027int SSL_CTX_get_max_proto_version(SSL_CTX *ctx);
1028int SSL_CTX_set_min_proto_version(SSL_CTX *ctx, uint16_t version);
1029int SSL_CTX_set_max_proto_version(SSL_CTX *ctx, uint16_t version);
1030
1031int SSL_get_min_proto_version(SSL *ssl);
1032int SSL_get_max_proto_version(SSL *ssl);
1033int SSL_set_min_proto_version(SSL *ssl, uint16_t version);
1034int SSL_set_max_proto_version(SSL *ssl, uint16_t version);
1035
1036const SSL_METHOD *SSL_CTX_get_ssl_method(const SSL_CTX *ctx);
1037
1038#ifndef LIBRESSL_INTERNAL
1039#define SSL_CTRL_SET_CURVES SSL_CTRL_SET_GROUPS
1040#define SSL_CTRL_SET_CURVES_LIST SSL_CTRL_SET_GROUPS_LIST
1041
1042#define SSL_CTX_set1_curves SSL_CTX_set1_groups
1043#define SSL_CTX_set1_curves_list SSL_CTX_set1_groups_list
1044#define SSL_set1_curves SSL_set1_groups
1045#define SSL_set1_curves_list SSL_set1_groups_list
1046#endif
1047
1048#define SSL_CTX_add_extra_chain_cert(ctx, x509) \
1049 SSL_CTX_ctrl(ctx, SSL_CTRL_EXTRA_CHAIN_CERT, 0, (char *)x509)
1050#define SSL_CTX_get_extra_chain_certs(ctx, px509) \
1051 SSL_CTX_ctrl(ctx, SSL_CTRL_GET_EXTRA_CHAIN_CERTS, 0, px509)
1052#define SSL_CTX_get_extra_chain_certs_only(ctx, px509) \
1053 SSL_CTX_ctrl(ctx, SSL_CTRL_GET_EXTRA_CHAIN_CERTS, 1, px509)
1054#define SSL_CTX_clear_extra_chain_certs(ctx) \
1055 SSL_CTX_ctrl(ctx, SSL_CTRL_CLEAR_EXTRA_CHAIN_CERTS, 0, NULL)
1056
1057#define SSL_get_shared_group(s, n) \
1058 SSL_ctrl((s), SSL_CTRL_GET_SHARED_GROUP, (n), NULL)
1059#define SSL_get_shared_curve SSL_get_shared_group
1060
1061#define SSL_get_server_tmp_key(s, pk) \
1062 SSL_ctrl(s,SSL_CTRL_GET_SERVER_TMP_KEY,0,pk)
1063
1064#if defined(LIBRESSL_HAS_TLS1_3) || defined(LIBRESSL_INTERNAL)
1065#define SSL_get_signature_nid(s, pn) \
1066 SSL_ctrl(s, SSL_CTRL_GET_SIGNATURE_NID, 0, pn)
1067
1068#define SSL_get_peer_signature_nid(s, pn) \
1069 SSL_ctrl(s, SSL_CTRL_GET_PEER_SIGNATURE_NID, 0, pn)
1070#define SSL_get_peer_tmp_key(s, pk) \
1071 SSL_ctrl(s, SSL_CTRL_GET_PEER_TMP_KEY, 0, pk)
1072
1073int SSL_get_signature_type_nid(const SSL *ssl, int *nid);
1074int SSL_get_peer_signature_type_nid(const SSL *ssl, int *nid);
1075
1076#endif /* LIBRESSL_HAS_TLS1_3 || LIBRESSL_INTERNAL */
1077
1078#ifndef LIBRESSL_INTERNAL
1079/*
1080 * Also provide those functions as macros for compatibility with
1081 * existing users.
1082 */
1083#define SSL_CTX_set0_chain SSL_CTX_set0_chain
1084#define SSL_CTX_set1_chain SSL_CTX_set1_chain
1085#define SSL_CTX_add0_chain_cert SSL_CTX_add0_chain_cert
1086#define SSL_CTX_add1_chain_cert SSL_CTX_add1_chain_cert
1087#define SSL_CTX_get0_chain_certs SSL_CTX_get0_chain_certs
1088#define SSL_CTX_clear_chain_certs SSL_CTX_clear_chain_certs
1089
1090#define SSL_add0_chain_cert SSL_add0_chain_cert
1091#define SSL_add1_chain_cert SSL_add1_chain_cert
1092#define SSL_set0_chain SSL_set0_chain
1093#define SSL_set1_chain SSL_set1_chain
1094#define SSL_get0_chain_certs SSL_get0_chain_certs
1095#define SSL_clear_chain_certs SSL_clear_chain_certs
1096
1097#define SSL_CTX_set1_groups SSL_CTX_set1_groups
1098#define SSL_CTX_set1_groups_list SSL_CTX_set1_groups_list
1099#define SSL_set1_groups SSL_set1_groups
1100#define SSL_set1_groups_list SSL_set1_groups_list
1101
1102#define SSL_CTX_get_min_proto_version SSL_CTX_get_min_proto_version
1103#define SSL_CTX_get_max_proto_version SSL_CTX_get_max_proto_version
1104#define SSL_CTX_set_min_proto_version SSL_CTX_set_min_proto_version
1105#define SSL_CTX_set_max_proto_version SSL_CTX_set_max_proto_version
1106
1107#define SSL_get_min_proto_version SSL_get_min_proto_version
1108#define SSL_get_max_proto_version SSL_get_max_proto_version
1109#define SSL_set_min_proto_version SSL_set_min_proto_version
1110#define SSL_set_max_proto_version SSL_set_max_proto_version
1111#endif
1112
1113const BIO_METHOD *BIO_f_ssl(void);
1114BIO *BIO_new_ssl(SSL_CTX *ctx, int client);
1115BIO *BIO_new_ssl_connect(SSL_CTX *ctx);
1116BIO *BIO_new_buffer_ssl_connect(SSL_CTX *ctx);
1117int BIO_ssl_copy_session_id(BIO *to, BIO *from);
1118void BIO_ssl_shutdown(BIO *ssl_bio);
1119
1120STACK_OF(SSL_CIPHER) *SSL_CTX_get_ciphers(const SSL_CTX *ctx);
1121int SSL_CTX_set_cipher_list(SSL_CTX *, const char *str);
1122#if defined(LIBRESSL_HAS_TLS1_3) || defined(LIBRESSL_INTERNAL)
1123int SSL_CTX_set_ciphersuites(SSL_CTX *ctx, const char *str);
1124#endif
1125SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth);
1126void SSL_CTX_free(SSL_CTX *);
1127int SSL_CTX_up_ref(SSL_CTX *ctx);
1128long SSL_CTX_set_timeout(SSL_CTX *ctx, long t);
1129long SSL_CTX_get_timeout(const SSL_CTX *ctx);
1130X509_STORE *SSL_CTX_get_cert_store(const SSL_CTX *);
1131void SSL_CTX_set_cert_store(SSL_CTX *, X509_STORE *);
1132X509 *SSL_CTX_get0_certificate(const SSL_CTX *ctx);
1133EVP_PKEY *SSL_CTX_get0_privatekey(const SSL_CTX *ctx);
1134int SSL_want(const SSL *s);
1135int SSL_clear(SSL *s);
1136
1137void SSL_CTX_flush_sessions(SSL_CTX *ctx, long tm);
1138
1139const SSL_CIPHER *SSL_get_current_cipher(const SSL *s);
1140const SSL_CIPHER *SSL_CIPHER_get_by_id(unsigned int id);
1141const SSL_CIPHER *SSL_CIPHER_get_by_value(uint16_t value);
1142int SSL_CIPHER_get_bits(const SSL_CIPHER *c, int *alg_bits);
1143const char * SSL_CIPHER_get_version(const SSL_CIPHER *c);
1144const char * SSL_CIPHER_get_name(const SSL_CIPHER *c);
1145unsigned long SSL_CIPHER_get_id(const SSL_CIPHER *c);
1146uint16_t SSL_CIPHER_get_value(const SSL_CIPHER *c);
1147const SSL_CIPHER *SSL_CIPHER_find(SSL *ssl, const unsigned char *ptr);
1148int SSL_CIPHER_get_cipher_nid(const SSL_CIPHER *c);
1149int SSL_CIPHER_get_digest_nid(const SSL_CIPHER *c);
1150int SSL_CIPHER_get_kx_nid(const SSL_CIPHER *c);
1151int SSL_CIPHER_get_auth_nid(const SSL_CIPHER *c);
1152int SSL_CIPHER_is_aead(const SSL_CIPHER *c);
1153
1154int SSL_get_fd(const SSL *s);
1155int SSL_get_rfd(const SSL *s);
1156int SSL_get_wfd(const SSL *s);
1157const char * SSL_get_cipher_list(const SSL *s, int n);
1158char * SSL_get_shared_ciphers(const SSL *s, char *buf, int len);
1159int SSL_get_read_ahead(const SSL * s);
1160int SSL_pending(const SSL *s);
1161int SSL_set_fd(SSL *s, int fd);
1162int SSL_set_rfd(SSL *s, int fd);
1163int SSL_set_wfd(SSL *s, int fd);
1164void SSL_set_bio(SSL *s, BIO *rbio, BIO *wbio);
1165BIO * SSL_get_rbio(const SSL *s);
1166void SSL_set0_rbio(SSL *s, BIO *rbio);
1167BIO * SSL_get_wbio(const SSL *s);
1168int SSL_set_cipher_list(SSL *s, const char *str);
1169#if defined(LIBRESSL_HAS_TLS1_3) || defined(LIBRESSL_INTERNAL)
1170int SSL_set_ciphersuites(SSL *s, const char *str);
1171#endif
1172void SSL_set_read_ahead(SSL *s, int yes);
1173int SSL_get_verify_mode(const SSL *s);
1174int SSL_get_verify_depth(const SSL *s);
1175int (*SSL_get_verify_callback(const SSL *s))(int, X509_STORE_CTX *);
1176void SSL_set_verify(SSL *s, int mode,
1177 int (*callback)(int ok, X509_STORE_CTX *ctx));
1178void SSL_set_verify_depth(SSL *s, int depth);
1179int SSL_use_RSAPrivateKey(SSL *ssl, RSA *rsa);
1180int SSL_use_RSAPrivateKey_ASN1(SSL *ssl, const unsigned char *d, long len);
1181int SSL_use_PrivateKey(SSL *ssl, EVP_PKEY *pkey);
1182int SSL_use_PrivateKey_ASN1(int pk, SSL *ssl, const unsigned char *d, long len);
1183int SSL_use_certificate(SSL *ssl, X509 *x);
1184int SSL_use_certificate_ASN1(SSL *ssl, const unsigned char *d, int len);
1185
1186int SSL_use_RSAPrivateKey_file(SSL *ssl, const char *file, int type);
1187int SSL_use_PrivateKey_file(SSL *ssl, const char *file, int type);
1188int SSL_use_certificate_file(SSL *ssl, const char *file, int type);
1189int SSL_use_certificate_chain_file(SSL *ssl, const char *file);
1190int SSL_CTX_use_RSAPrivateKey_file(SSL_CTX *ctx, const char *file, int type);
1191int SSL_CTX_use_PrivateKey_file(SSL_CTX *ctx, const char *file, int type);
1192int SSL_CTX_use_certificate_file(SSL_CTX *ctx, const char *file, int type);
1193int SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, const char *file); /* PEM type */
1194int SSL_CTX_use_certificate_chain_mem(SSL_CTX *ctx, void *buf, int len);
1195STACK_OF(X509_NAME) *SSL_load_client_CA_file(const char *file);
1196int SSL_add_file_cert_subjects_to_stack(STACK_OF(X509_NAME) *stackCAs,
1197 const char *file);
1198int SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *stackCAs,
1199 const char *dir);
1200
1201void SSL_load_error_strings(void );
1202const char *SSL_state_string(const SSL *s);
1203const char *SSL_rstate_string(const SSL *s);
1204const char *SSL_state_string_long(const SSL *s);
1205const char *SSL_rstate_string_long(const SSL *s);
1206const SSL_CIPHER *SSL_SESSION_get0_cipher(const SSL_SESSION *ss);
1207size_t SSL_SESSION_get_master_key(const SSL_SESSION *ss,
1208 unsigned char *out, size_t max_out);
1209int SSL_SESSION_get_protocol_version(const SSL_SESSION *s);
1210long SSL_SESSION_get_time(const SSL_SESSION *s);
1211long SSL_SESSION_set_time(SSL_SESSION *s, long t);
1212long SSL_SESSION_get_timeout(const SSL_SESSION *s);
1213long SSL_SESSION_set_timeout(SSL_SESSION *s, long t);
1214int SSL_copy_session_id(SSL *to, const SSL *from);
1215X509 *SSL_SESSION_get0_peer(SSL_SESSION *s);
1216int SSL_SESSION_set1_id(SSL_SESSION *s, const unsigned char *sid,
1217 unsigned int sid_len);
1218int SSL_SESSION_set1_id_context(SSL_SESSION *s,
1219 const unsigned char *sid_ctx, unsigned int sid_ctx_len);
1220#if defined(LIBRESSL_HAS_TLS1_3) || defined(LIBRESSL_INTERNAL)
1221int SSL_SESSION_is_resumable(const SSL_SESSION *s);
1222#endif
1223
1224SSL_SESSION *SSL_SESSION_new(void);
1225void SSL_SESSION_free(SSL_SESSION *ses);
1226int SSL_SESSION_up_ref(SSL_SESSION *ss);
1227const unsigned char *SSL_SESSION_get_id(const SSL_SESSION *ss,
1228 unsigned int *len);
1229const unsigned char *SSL_SESSION_get0_id_context(const SSL_SESSION *ss,
1230 unsigned int *len);
1231#if defined(LIBRESSL_HAS_TLS1_3) || defined(LIBRESSL_INTERNAL)
1232uint32_t SSL_SESSION_get_max_early_data(const SSL_SESSION *sess);
1233int SSL_SESSION_set_max_early_data(SSL_SESSION *sess, uint32_t max_early_data);
1234#endif
1235unsigned long SSL_SESSION_get_ticket_lifetime_hint(const SSL_SESSION *s);
1236int SSL_SESSION_has_ticket(const SSL_SESSION *s);
1237unsigned int SSL_SESSION_get_compress_id(const SSL_SESSION *ss);
1238int SSL_SESSION_print_fp(FILE *fp, const SSL_SESSION *ses);
1239int SSL_SESSION_print(BIO *fp, const SSL_SESSION *ses);
1240int i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp);
1241int SSL_set_session(SSL *to, SSL_SESSION *session);
1242int SSL_CTX_add_session(SSL_CTX *s, SSL_SESSION *c);
1243int SSL_CTX_remove_session(SSL_CTX *, SSL_SESSION *c);
1244int SSL_CTX_set_generate_session_id(SSL_CTX *, GEN_SESSION_CB);
1245int SSL_set_generate_session_id(SSL *, GEN_SESSION_CB);
1246int SSL_has_matching_session_id(const SSL *ssl, const unsigned char *id,
1247 unsigned int id_len);
1248SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp,
1249 long length);
1250
1251#ifdef HEADER_X509_H
1252X509 * SSL_get_peer_certificate(const SSL *s);
1253#endif
1254
1255STACK_OF(X509) *SSL_get_peer_cert_chain(const SSL *s);
1256
1257int SSL_CTX_get_verify_mode(const SSL_CTX *ctx);
1258int SSL_CTX_get_verify_depth(const SSL_CTX *ctx);
1259int (*SSL_CTX_get_verify_callback(const SSL_CTX *ctx))(int, X509_STORE_CTX *);
1260void SSL_CTX_set_verify(SSL_CTX *ctx, int mode,
1261 int (*callback)(int, X509_STORE_CTX *));
1262void SSL_CTX_set_verify_depth(SSL_CTX *ctx, int depth);
1263void SSL_CTX_set_cert_verify_callback(SSL_CTX *ctx, int (*cb)(X509_STORE_CTX *, void *), void *arg);
1264int SSL_CTX_use_RSAPrivateKey(SSL_CTX *ctx, RSA *rsa);
1265int SSL_CTX_use_RSAPrivateKey_ASN1(SSL_CTX *ctx, const unsigned char *d, long len);
1266int SSL_CTX_use_PrivateKey(SSL_CTX *ctx, EVP_PKEY *pkey);
1267int SSL_CTX_use_PrivateKey_ASN1(int pk, SSL_CTX *ctx, const unsigned char *d, long len);
1268int SSL_CTX_use_certificate(SSL_CTX *ctx, X509 *x);
1269int SSL_CTX_use_certificate_ASN1(SSL_CTX *ctx, int len, const unsigned char *d);
1270
1271pem_password_cb *SSL_CTX_get_default_passwd_cb(SSL_CTX *ctx);
1272void SSL_CTX_set_default_passwd_cb(SSL_CTX *ctx, pem_password_cb *cb);
1273void *SSL_CTX_get_default_passwd_cb_userdata(SSL_CTX *ctx);
1274void SSL_CTX_set_default_passwd_cb_userdata(SSL_CTX *ctx, void *u);
1275
1276int SSL_CTX_check_private_key(const SSL_CTX *ctx);
1277int SSL_check_private_key(const SSL *ctx);
1278
1279int SSL_CTX_set_session_id_context(SSL_CTX *ctx, const unsigned char *sid_ctx, unsigned int sid_ctx_len);
1280
1281int SSL_set_session_id_context(SSL *ssl, const unsigned char *sid_ctx, unsigned int sid_ctx_len);
1282
1283int SSL_CTX_set_purpose(SSL_CTX *s, int purpose);
1284int SSL_set_purpose(SSL *s, int purpose);
1285int SSL_CTX_set_trust(SSL_CTX *s, int trust);
1286int SSL_set_trust(SSL *s, int trust);
1287int SSL_set1_host(SSL *s, const char *hostname);
1288void SSL_set_hostflags(SSL *s, unsigned int flags);
1289const char *SSL_get0_peername(SSL *s);
1290
1291X509_VERIFY_PARAM *SSL_CTX_get0_param(SSL_CTX *ctx);
1292int SSL_CTX_set1_param(SSL_CTX *ctx, X509_VERIFY_PARAM *vpm);
1293X509_VERIFY_PARAM *SSL_get0_param(SSL *ssl);
1294int SSL_set1_param(SSL *ssl, X509_VERIFY_PARAM *vpm);
1295
1296SSL *SSL_new(SSL_CTX *ctx);
1297void SSL_free(SSL *ssl);
1298int SSL_up_ref(SSL *ssl);
1299int SSL_accept(SSL *ssl);
1300int SSL_connect(SSL *ssl);
1301int SSL_is_dtls(const SSL *s);
1302int SSL_is_server(const SSL *s);
1303int SSL_read(SSL *ssl, void *buf, int num);
1304int SSL_peek(SSL *ssl, void *buf, int num);
1305int SSL_write(SSL *ssl, const void *buf, int num);
1306int SSL_read_ex(SSL *ssl, void *buf, size_t num, size_t *bytes_read);
1307int SSL_peek_ex(SSL *ssl, void *buf, size_t num, size_t *bytes_peeked);
1308int SSL_write_ex(SSL *ssl, const void *buf, size_t num, size_t *bytes_written);
1309
1310#if defined(LIBRESSL_HAS_TLS1_3) || defined(LIBRESSL_INTERNAL)
1311uint32_t SSL_CTX_get_max_early_data(const SSL_CTX *ctx);
1312int SSL_CTX_set_max_early_data(SSL_CTX *ctx, uint32_t max_early_data);
1313
1314uint32_t SSL_get_max_early_data(const SSL *s);
1315int SSL_set_max_early_data(SSL *s, uint32_t max_early_data);
1316
1317#define SSL_EARLY_DATA_NOT_SENT 0
1318#define SSL_EARLY_DATA_REJECTED 1
1319#define SSL_EARLY_DATA_ACCEPTED 2
1320int SSL_get_early_data_status(const SSL *s);
1321
1322#define SSL_READ_EARLY_DATA_ERROR 0
1323#define SSL_READ_EARLY_DATA_SUCCESS 1
1324#define SSL_READ_EARLY_DATA_FINISH 2
1325int SSL_read_early_data(SSL *s, void *buf, size_t num, size_t *readbytes);
1326int SSL_write_early_data(SSL *s, const void *buf, size_t num, size_t *written);
1327#endif
1328
1329long SSL_ctrl(SSL *ssl, int cmd, long larg, void *parg);
1330long SSL_callback_ctrl(SSL *, int, void (*)(void));
1331long SSL_CTX_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg);
1332long SSL_CTX_callback_ctrl(SSL_CTX *, int, void (*)(void));
1333
1334int SSL_get_error(const SSL *s, int ret_code);
1335const char *SSL_get_version(const SSL *s);
1336
1337/* This sets the 'default' SSL version that SSL_new() will create */
1338int SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *meth);
1339
1340const SSL_METHOD *SSLv23_method(void); /* SSLv3 or TLSv1.* */
1341const SSL_METHOD *SSLv23_server_method(void); /* SSLv3 or TLSv1.* */
1342const SSL_METHOD *SSLv23_client_method(void); /* SSLv3 or TLSv1.* */
1343
1344const SSL_METHOD *TLSv1_method(void); /* TLSv1.0 */
1345const SSL_METHOD *TLSv1_server_method(void); /* TLSv1.0 */
1346const SSL_METHOD *TLSv1_client_method(void); /* TLSv1.0 */
1347
1348const SSL_METHOD *TLSv1_1_method(void); /* TLSv1.1 */
1349const SSL_METHOD *TLSv1_1_server_method(void); /* TLSv1.1 */
1350const SSL_METHOD *TLSv1_1_client_method(void); /* TLSv1.1 */
1351
1352const SSL_METHOD *TLSv1_2_method(void); /* TLSv1.2 */
1353const SSL_METHOD *TLSv1_2_server_method(void); /* TLSv1.2 */
1354const SSL_METHOD *TLSv1_2_client_method(void); /* TLSv1.2 */
1355
1356const SSL_METHOD *TLS_method(void); /* TLS v1.0 or later */
1357const SSL_METHOD *TLS_server_method(void); /* TLS v1.0 or later */
1358const SSL_METHOD *TLS_client_method(void); /* TLS v1.0 or later */
1359
1360const SSL_METHOD *DTLSv1_method(void); /* DTLSv1.0 */
1361const SSL_METHOD *DTLSv1_server_method(void); /* DTLSv1.0 */
1362const SSL_METHOD *DTLSv1_client_method(void); /* DTLSv1.0 */
1363
1364const SSL_METHOD *DTLSv1_2_method(void); /* DTLSv1.2 */
1365const SSL_METHOD *DTLSv1_2_server_method(void); /* DTLSv1.2 */
1366const SSL_METHOD *DTLSv1_2_client_method(void); /* DTLSv1.2 */
1367
1368const SSL_METHOD *DTLS_method(void); /* DTLS v1.0 or later */
1369const SSL_METHOD *DTLS_server_method(void); /* DTLS v1.0 or later */
1370const SSL_METHOD *DTLS_client_method(void); /* DTLS v1.0 or later */
1371
1372STACK_OF(SSL_CIPHER) *SSL_get_ciphers(const SSL *s);
1373STACK_OF(SSL_CIPHER) *SSL_get_client_ciphers(const SSL *s);
1374STACK_OF(SSL_CIPHER) *SSL_get1_supported_ciphers(SSL *s);
1375
1376int SSL_do_handshake(SSL *s);
1377int SSL_renegotiate(SSL *s);
1378int SSL_renegotiate_abbreviated(SSL *s);
1379int SSL_renegotiate_pending(SSL *s);
1380int SSL_shutdown(SSL *s);
1381
1382const SSL_METHOD *SSL_get_ssl_method(SSL *s);
1383int SSL_set_ssl_method(SSL *s, const SSL_METHOD *method);
1384const char *SSL_alert_type_string_long(int value);
1385const char *SSL_alert_type_string(int value);
1386const char *SSL_alert_desc_string_long(int value);
1387const char *SSL_alert_desc_string(int value);
1388
1389void SSL_set_client_CA_list(SSL *s, STACK_OF(X509_NAME) *name_list);
1390void SSL_CTX_set_client_CA_list(SSL_CTX *ctx, STACK_OF(X509_NAME) *name_list);
1391STACK_OF(X509_NAME) *SSL_get_client_CA_list(const SSL *s);
1392STACK_OF(X509_NAME) *SSL_CTX_get_client_CA_list(const SSL_CTX *s);
1393int SSL_add_client_CA(SSL *ssl, X509 *x);
1394int SSL_CTX_add_client_CA(SSL_CTX *ctx, X509 *x);
1395
1396void SSL_set_connect_state(SSL *s);
1397void SSL_set_accept_state(SSL *s);
1398
1399long SSL_get_default_timeout(const SSL *s);
1400
1401int SSL_library_init(void );
1402
1403char *SSL_CIPHER_description(const SSL_CIPHER *, char *buf, int size);
1404STACK_OF(X509_NAME) *SSL_dup_CA_list(const STACK_OF(X509_NAME) *sk);
1405
1406SSL *SSL_dup(SSL *ssl);
1407
1408X509 *SSL_get_certificate(const SSL *ssl);
1409/* EVP_PKEY */ struct evp_pkey_st *SSL_get_privatekey(const SSL *ssl);
1410
1411void SSL_CTX_set_quiet_shutdown(SSL_CTX *ctx,int mode);
1412int SSL_CTX_get_quiet_shutdown(const SSL_CTX *ctx);
1413void SSL_set_quiet_shutdown(SSL *ssl,int mode);
1414int SSL_get_quiet_shutdown(const SSL *ssl);
1415void SSL_set_shutdown(SSL *ssl,int mode);
1416int SSL_get_shutdown(const SSL *ssl);
1417int SSL_version(const SSL *ssl);
1418int SSL_CTX_set_default_verify_paths(SSL_CTX *ctx);
1419int SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile,
1420 const char *CApath);
1421int SSL_CTX_load_verify_mem(SSL_CTX *ctx, void *buf, int len);
1422#define SSL_get0_session SSL_get_session /* just peek at pointer */
1423SSL_SESSION *SSL_get_session(const SSL *ssl);
1424SSL_SESSION *SSL_get1_session(SSL *ssl); /* obtain a reference count */
1425SSL_CTX *SSL_get_SSL_CTX(const SSL *ssl);
1426SSL_CTX *SSL_set_SSL_CTX(SSL *ssl, SSL_CTX* ctx);
1427void SSL_set_info_callback(SSL *ssl,
1428 void (*cb)(const SSL *ssl, int type, int val));
1429void (*SSL_get_info_callback(const SSL *ssl))(const SSL *ssl, int type, int val);
1430int SSL_state(const SSL *ssl);
1431void SSL_set_state(SSL *ssl, int state);
1432
1433void SSL_set_verify_result(SSL *ssl, long v);
1434long SSL_get_verify_result(const SSL *ssl);
1435
1436int SSL_set_ex_data(SSL *ssl, int idx, void *data);
1437void *SSL_get_ex_data(const SSL *ssl, int idx);
1438int SSL_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
1439 CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func);
1440
1441int SSL_SESSION_set_ex_data(SSL_SESSION *ss, int idx, void *data);
1442void *SSL_SESSION_get_ex_data(const SSL_SESSION *ss, int idx);
1443int SSL_SESSION_get_ex_new_index(long argl, void *argp,
1444 CRYPTO_EX_new *new_func, CRYPTO_EX_dup *dup_func,
1445 CRYPTO_EX_free *free_func);
1446
1447int SSL_CTX_set_ex_data(SSL_CTX *ssl, int idx, void *data);
1448void *SSL_CTX_get_ex_data(const SSL_CTX *ssl, int idx);
1449int SSL_CTX_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
1450 CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func);
1451
1452int SSL_get_ex_data_X509_STORE_CTX_idx(void );
1453
1454#define SSL_CTX_sess_set_cache_size(ctx,t) \
1455 SSL_CTX_ctrl(ctx,SSL_CTRL_SET_SESS_CACHE_SIZE,t,NULL)
1456#define SSL_CTX_sess_get_cache_size(ctx) \
1457 SSL_CTX_ctrl(ctx,SSL_CTRL_GET_SESS_CACHE_SIZE,0,NULL)
1458#define SSL_CTX_set_session_cache_mode(ctx,m) \
1459 SSL_CTX_ctrl(ctx,SSL_CTRL_SET_SESS_CACHE_MODE,m,NULL)
1460#define SSL_CTX_get_session_cache_mode(ctx) \
1461 SSL_CTX_ctrl(ctx,SSL_CTRL_GET_SESS_CACHE_MODE,0,NULL)
1462
1463#define SSL_CTX_get_default_read_ahead(ctx) SSL_CTX_get_read_ahead(ctx)
1464#define SSL_CTX_set_default_read_ahead(ctx,m) SSL_CTX_set_read_ahead(ctx,m)
1465#define SSL_CTX_get_read_ahead(ctx) \
1466 SSL_CTX_ctrl(ctx,SSL_CTRL_GET_READ_AHEAD,0,NULL)
1467#define SSL_CTX_set_read_ahead(ctx,m) \
1468 SSL_CTX_ctrl(ctx,SSL_CTRL_SET_READ_AHEAD,m,NULL)
1469#define SSL_CTX_get_max_cert_list(ctx) \
1470 SSL_CTX_ctrl(ctx,SSL_CTRL_GET_MAX_CERT_LIST,0,NULL)
1471#define SSL_CTX_set_max_cert_list(ctx,m) \
1472 SSL_CTX_ctrl(ctx,SSL_CTRL_SET_MAX_CERT_LIST,m,NULL)
1473#define SSL_get_max_cert_list(ssl) \
1474 SSL_ctrl(ssl,SSL_CTRL_GET_MAX_CERT_LIST,0,NULL)
1475#define SSL_set_max_cert_list(ssl,m) \
1476 SSL_ctrl(ssl,SSL_CTRL_SET_MAX_CERT_LIST,m,NULL)
1477
1478#define SSL_CTX_set_max_send_fragment(ctx,m) \
1479 SSL_CTX_ctrl(ctx,SSL_CTRL_SET_MAX_SEND_FRAGMENT,m,NULL)
1480#define SSL_set_max_send_fragment(ssl,m) \
1481 SSL_ctrl(ssl,SSL_CTRL_SET_MAX_SEND_FRAGMENT,m,NULL)
1482
1483/* NB: the keylength is only applicable when is_export is true */
1484void SSL_CTX_set_tmp_rsa_callback(SSL_CTX *ctx,
1485 RSA *(*cb)(SSL *ssl, int is_export, int keylength));
1486
1487void SSL_set_tmp_rsa_callback(SSL *ssl,
1488 RSA *(*cb)(SSL *ssl, int is_export, int keylength));
1489void SSL_CTX_set_tmp_dh_callback(SSL_CTX *ctx,
1490 DH *(*dh)(SSL *ssl, int is_export, int keylength));
1491void SSL_set_tmp_dh_callback(SSL *ssl,
1492 DH *(*dh)(SSL *ssl, int is_export, int keylength));
1493void SSL_CTX_set_tmp_ecdh_callback(SSL_CTX *ctx,
1494 EC_KEY *(*ecdh)(SSL *ssl, int is_export, int keylength));
1495void SSL_set_tmp_ecdh_callback(SSL *ssl,
1496 EC_KEY *(*ecdh)(SSL *ssl, int is_export, int keylength));
1497
1498size_t SSL_get_client_random(const SSL *s, unsigned char *out, size_t max_out);
1499size_t SSL_get_server_random(const SSL *s, unsigned char *out, size_t max_out);
1500
1501const void *SSL_get_current_compression(SSL *s);
1502const void *SSL_get_current_expansion(SSL *s);
1503
1504const char *SSL_COMP_get_name(const void *comp);
1505void *SSL_COMP_get_compression_methods(void);
1506int SSL_COMP_add_compression_method(int id, void *cm);
1507
1508/* TLS extensions functions */
1509int SSL_set_session_ticket_ext(SSL *s, void *ext_data, int ext_len);
1510
1511int SSL_set_session_ticket_ext_cb(SSL *s,
1512 tls_session_ticket_ext_cb_fn cb, void *arg);
1513
1514/* Pre-shared secret session resumption functions */
1515int SSL_set_session_secret_cb(SSL *s,
1516 tls_session_secret_cb_fn tls_session_secret_cb, void *arg);
1517
1518void SSL_set_debug(SSL *s, int debug);
1519int SSL_cache_hit(SSL *s);
1520
1521/* What the "other" parameter contains in security callback */
1522/* Mask for type */
1523#define SSL_SECOP_OTHER_TYPE 0xffff0000
1524#define SSL_SECOP_OTHER_NONE 0
1525#define SSL_SECOP_OTHER_CIPHER (1 << 16)
1526#define SSL_SECOP_OTHER_CURVE (2 << 16)
1527#define SSL_SECOP_OTHER_DH (3 << 16)
1528#define SSL_SECOP_OTHER_PKEY (4 << 16)
1529#define SSL_SECOP_OTHER_SIGALG (5 << 16)
1530#define SSL_SECOP_OTHER_CERT (6 << 16)
1531
1532/* Indicated operation refers to peer key or certificate */
1533#define SSL_SECOP_PEER 0x1000
1534
1535/* Values for "op" parameter in security callback */
1536
1537/* Called to filter ciphers */
1538/* Ciphers client supports */
1539#define SSL_SECOP_CIPHER_SUPPORTED (1 | SSL_SECOP_OTHER_CIPHER)
1540/* Cipher shared by client/server */
1541#define SSL_SECOP_CIPHER_SHARED (2 | SSL_SECOP_OTHER_CIPHER)
1542/* Sanity check of cipher server selects */
1543#define SSL_SECOP_CIPHER_CHECK (3 | SSL_SECOP_OTHER_CIPHER)
1544/* Curves supported by client */
1545#define SSL_SECOP_CURVE_SUPPORTED (4 | SSL_SECOP_OTHER_CURVE)
1546/* Curves shared by client/server */
1547#define SSL_SECOP_CURVE_SHARED (5 | SSL_SECOP_OTHER_CURVE)
1548/* Sanity check of curve server selects */
1549#define SSL_SECOP_CURVE_CHECK (6 | SSL_SECOP_OTHER_CURVE)
1550/* Temporary DH key */
1551/*
1552 * XXX: changed in OpenSSL e2b420fdd70 to (7 | SSL_SECOP_OTHER_PKEY)
1553 * Needs switching internal use of DH to EVP_PKEY. The code is not reachable
1554 * from outside the library as long as we do not expose the callback in the API.
1555 */
1556#define SSL_SECOP_TMP_DH (7 | SSL_SECOP_OTHER_DH)
1557/* SSL/TLS version */
1558#define SSL_SECOP_VERSION (9 | SSL_SECOP_OTHER_NONE)
1559/* Session tickets */
1560#define SSL_SECOP_TICKET (10 | SSL_SECOP_OTHER_NONE)
1561/* Supported signature algorithms sent to peer */
1562#define SSL_SECOP_SIGALG_SUPPORTED (11 | SSL_SECOP_OTHER_SIGALG)
1563/* Shared signature algorithm */
1564#define SSL_SECOP_SIGALG_SHARED (12 | SSL_SECOP_OTHER_SIGALG)
1565/* Sanity check signature algorithm allowed */
1566#define SSL_SECOP_SIGALG_CHECK (13 | SSL_SECOP_OTHER_SIGALG)
1567/* Used to get mask of supported public key signature algorithms */
1568#define SSL_SECOP_SIGALG_MASK (14 | SSL_SECOP_OTHER_SIGALG)
1569/* Use to see if compression is allowed */
1570#define SSL_SECOP_COMPRESSION (15 | SSL_SECOP_OTHER_NONE)
1571/* EE key in certificate */
1572#define SSL_SECOP_EE_KEY (16 | SSL_SECOP_OTHER_CERT)
1573/* CA key in certificate */
1574#define SSL_SECOP_CA_KEY (17 | SSL_SECOP_OTHER_CERT)
1575/* CA digest algorithm in certificate */
1576#define SSL_SECOP_CA_MD (18 | SSL_SECOP_OTHER_CERT)
1577/* Peer EE key in certificate */
1578#define SSL_SECOP_PEER_EE_KEY (SSL_SECOP_EE_KEY | SSL_SECOP_PEER)
1579/* Peer CA key in certificate */
1580#define SSL_SECOP_PEER_CA_KEY (SSL_SECOP_CA_KEY | SSL_SECOP_PEER)
1581/* Peer CA digest algorithm in certificate */
1582#define SSL_SECOP_PEER_CA_MD (SSL_SECOP_CA_MD | SSL_SECOP_PEER)
1583
1584void SSL_set_security_level(SSL *ssl, int level);
1585int SSL_get_security_level(const SSL *ssl);
1586
1587void SSL_CTX_set_security_level(SSL_CTX *ctx, int level);
1588int SSL_CTX_get_security_level(const SSL_CTX *ctx);
1589
1590#if defined(LIBRESSL_HAS_QUIC) || defined(LIBRESSL_INTERNAL)
1591/*
1592 * QUIC integration.
1593 *
1594 * QUIC acts as an underlying transport for the TLS 1.3 handshake. The following
1595 * functions allow a QUIC implementation to serve as the underlying transport as
1596 * described in RFC 9001.
1597 *
1598 * When configured for QUIC, |SSL_do_handshake| will drive the handshake as
1599 * before, but it will not use the configured |BIO|. It will call functions on
1600 * |SSL_QUIC_METHOD| to configure secrets and send data. If data is needed from
1601 * the peer, it will return |SSL_ERROR_WANT_READ|. As the caller receives data
1602 * it can decrypt, it calls |SSL_provide_quic_data|. Subsequent
1603 * |SSL_do_handshake| calls will then consume that data and progress the
1604 * handshake. After the handshake is complete, the caller should continue to
1605 * call |SSL_provide_quic_data| for any post-handshake data, followed by
1606 * |SSL_process_quic_post_handshake| to process it. It is an error to call
1607 * |SSL_peek|, |SSL_read| and |SSL_write| in QUIC.
1608 *
1609 * To avoid DoS attacks, the QUIC implementation must limit the amount of data
1610 * being queued up. The implementation can call
1611 * |SSL_quic_max_handshake_flight_len| to get the maximum buffer length at each
1612 * encryption level.
1613 *
1614 * QUIC implementations must additionally configure transport parameters with
1615 * |SSL_set_quic_transport_params|. |SSL_get_peer_quic_transport_params| may be
1616 * used to query the value received from the peer. This extension is handled
1617 * as an opaque byte string, which the caller is responsible for serializing
1618 * and parsing. See RFC 9000 section 7.4 for further details.
1619 */
1620
1621/*
1622 * ssl_encryption_level_t specifies the QUIC encryption level used to transmit
1623 * handshake messages.
1624 */
1625typedef enum ssl_encryption_level_t {
1626 ssl_encryption_initial = 0,
1627 ssl_encryption_early_data,
1628 ssl_encryption_handshake,
1629 ssl_encryption_application,
1630} OSSL_ENCRYPTION_LEVEL;
1631
1632/*
1633 * ssl_quic_method_st (aka |SSL_QUIC_METHOD|) describes custom QUIC hooks.
1634 *
1635 * Note that we provide both the new (BoringSSL) secrets interface
1636 * (set_read_secret/set_write_secret) along with the old interface
1637 * (set_encryption_secrets), which quictls is still using.
1638 *
1639 * Since some consumers fail to use named initialisers, the order of these
1640 * functions is important. Hopefully all of these consumers use the old version.
1641 */
1642struct ssl_quic_method_st {
1643 /*
1644 * set_encryption_secrets configures the read and write secrets for the
1645 * given encryption level. This function will always be called before an
1646 * encryption level other than |ssl_encryption_initial| is used.
1647 *
1648 * When reading packets at a given level, the QUIC implementation must
1649 * send ACKs at the same level, so this function provides read and write
1650 * secrets together. The exception is |ssl_encryption_early_data|, where
1651 * secrets are only available in the client to server direction. The
1652 * other secret will be NULL. The server acknowledges such data at
1653 * |ssl_encryption_application|, which will be configured in the same
1654 * |SSL_do_handshake| call.
1655 *
1656 * This function should use |SSL_get_current_cipher| to determine the TLS
1657 * cipher suite.
1658 */
1659 int (*set_encryption_secrets)(SSL *ssl, enum ssl_encryption_level_t level,
1660 const uint8_t *read_secret, const uint8_t *write_secret,
1661 size_t secret_len);
1662
1663 /*
1664 * add_handshake_data adds handshake data to the current flight at the
1665 * given encryption level. It returns one on success and zero on error.
1666 * Callers should defer writing data to the network until |flush_flight|
1667 * to better pack QUIC packets into transport datagrams.
1668 *
1669 * If |level| is not |ssl_encryption_initial|, this function will not be
1670 * called before |level| is initialized with |set_write_secret|.
1671 */
1672 int (*add_handshake_data)(SSL *ssl, enum ssl_encryption_level_t level,
1673 const uint8_t *data, size_t len);
1674
1675 /*
1676 * flush_flight is called when the current flight is complete and should
1677 * be written to the transport. Note a flight may contain data at
1678 * several encryption levels. It returns one on success and zero on
1679 * error.
1680 */
1681 int (*flush_flight)(SSL *ssl);
1682
1683 /*
1684 * send_alert sends a fatal alert at the specified encryption level. It
1685 * returns one on success and zero on error.
1686 *
1687 * If |level| is not |ssl_encryption_initial|, this function will not be
1688 * called before |level| is initialized with |set_write_secret|.
1689 */
1690 int (*send_alert)(SSL *ssl, enum ssl_encryption_level_t level,
1691 uint8_t alert);
1692
1693 /*
1694 * set_read_secret configures the read secret and cipher suite for the
1695 * given encryption level. It returns one on success and zero to
1696 * terminate the handshake with an error. It will be called at most once
1697 * per encryption level.
1698 *
1699 * Read keys will not be released before QUIC may use them. Once a level
1700 * has been initialized, QUIC may begin processing data from it.
1701 * Handshake data should be passed to |SSL_provide_quic_data| and
1702 * application data (if |level| is |ssl_encryption_early_data| or
1703 * |ssl_encryption_application|) may be processed according to the rules
1704 * of the QUIC protocol.
1705 */
1706 int (*set_read_secret)(SSL *ssl, enum ssl_encryption_level_t level,
1707 const SSL_CIPHER *cipher, const uint8_t *secret, size_t secret_len);
1708
1709 /*
1710 * set_write_secret behaves like |set_read_secret| but configures the
1711 * write secret and cipher suite for the given encryption level. It will
1712 * be called at most once per encryption level.
1713 *
1714 * Write keys will not be released before QUIC may use them. If |level|
1715 * is |ssl_encryption_early_data| or |ssl_encryption_application|, QUIC
1716 * may begin sending application data at |level|.
1717 */
1718 int (*set_write_secret)(SSL *ssl, enum ssl_encryption_level_t level,
1719 const SSL_CIPHER *cipher, const uint8_t *secret, size_t secret_len);
1720};
1721
1722/*
1723 * SSL_CTX_set_quic_method configures the QUIC hooks. This should only be
1724 * configured with a minimum version of TLS 1.3. |quic_method| must remain valid
1725 * for the lifetime of |ctx|. It returns one on success and zero on error.
1726 */
1727int SSL_CTX_set_quic_method(SSL_CTX *ctx, const SSL_QUIC_METHOD *quic_method);
1728
1729/*
1730 * SSL_set_quic_method configures the QUIC hooks. This should only be
1731 * configured with a minimum version of TLS 1.3. |quic_method| must remain valid
1732 * for the lifetime of |ssl|. It returns one on success and zero on error.
1733 */
1734int SSL_set_quic_method(SSL *ssl, const SSL_QUIC_METHOD *quic_method);
1735
1736/* SSL_is_quic returns true if an SSL has been configured for use with QUIC. */
1737int SSL_is_quic(const SSL *ssl);
1738
1739/*
1740 * SSL_quic_max_handshake_flight_len returns returns the maximum number of bytes
1741 * that may be received at the given encryption level. This function should be
1742 * used to limit buffering in the QUIC implementation. See RFC 9000 section 7.5.
1743 */
1744size_t SSL_quic_max_handshake_flight_len(const SSL *ssl,
1745 enum ssl_encryption_level_t level);
1746
1747/*
1748 * SSL_quic_read_level returns the current read encryption level.
1749 */
1750enum ssl_encryption_level_t SSL_quic_read_level(const SSL *ssl);
1751
1752/*
1753 * SSL_quic_write_level returns the current write encryption level.
1754 */
1755enum ssl_encryption_level_t SSL_quic_write_level(const SSL *ssl);
1756
1757/*
1758 * SSL_provide_quic_data provides data from QUIC at a particular encryption
1759 * level |level|. It returns one on success and zero on error. Note this
1760 * function will return zero if the handshake is not expecting data from |level|
1761 * at this time. The QUIC implementation should then close the connection with
1762 * an error.
1763 */
1764int SSL_provide_quic_data(SSL *ssl, enum ssl_encryption_level_t level,
1765 const uint8_t *data, size_t len);
1766
1767/*
1768 * SSL_process_quic_post_handshake processes any data that QUIC has provided
1769 * after the handshake has completed. This includes NewSessionTicket messages
1770 * sent by the server. It returns one on success and zero on error.
1771 */
1772int SSL_process_quic_post_handshake(SSL *ssl);
1773
1774/*
1775 * SSL_set_quic_transport_params configures |ssl| to send |params| (of length
1776 * |params_len|) in the quic_transport_parameters extension in either the
1777 * ClientHello or EncryptedExtensions handshake message. It is an error to set
1778 * transport parameters if |ssl| is not configured for QUIC. The buffer pointed
1779 * to by |params| only need be valid for the duration of the call to this
1780 * function. This function returns 1 on success and 0 on failure.
1781 */
1782int SSL_set_quic_transport_params(SSL *ssl, const uint8_t *params,
1783 size_t params_len);
1784
1785/*
1786 * SSL_get_peer_quic_transport_params provides the caller with the value of the
1787 * quic_transport_parameters extension sent by the peer. A pointer to the buffer
1788 * containing the TransportParameters will be put in |*out_params|, and its
1789 * length in |*params_len|. This buffer will be valid for the lifetime of the
1790 * |SSL|. If no params were received from the peer, |*out_params_len| will be 0.
1791 */
1792void SSL_get_peer_quic_transport_params(const SSL *ssl,
1793 const uint8_t **out_params, size_t *out_params_len);
1794
1795/*
1796 * SSL_set_quic_use_legacy_codepoint configures whether to use the legacy QUIC
1797 * extension codepoint 0xffa5 as opposed to the official value 57. This is
1798 * unsupported in LibreSSL.
1799 */
1800void SSL_set_quic_use_legacy_codepoint(SSL *ssl, int use_legacy);
1801
1802#endif
1803
1804void ERR_load_SSL_strings(void);
1805
1806/* Error codes for the SSL functions. */
1807
1808/* Function codes. */
1809#define SSL_F_CLIENT_CERTIFICATE 100
1810#define SSL_F_CLIENT_FINISHED 167
1811#define SSL_F_CLIENT_HELLO 101
1812#define SSL_F_CLIENT_MASTER_KEY 102
1813#define SSL_F_D2I_SSL_SESSION 103
1814#define SSL_F_DO_DTLS1_WRITE 245
1815#define SSL_F_DO_SSL3_WRITE 104
1816#define SSL_F_DTLS1_ACCEPT 246
1817#define SSL_F_DTLS1_ADD_CERT_TO_BUF 295
1818#define SSL_F_DTLS1_BUFFER_RECORD 247
1819#define SSL_F_DTLS1_CHECK_TIMEOUT_NUM 316
1820#define SSL_F_DTLS1_CLIENT_HELLO 248
1821#define SSL_F_DTLS1_CONNECT 249
1822#define SSL_F_DTLS1_ENC 250
1823#define SSL_F_DTLS1_GET_HELLO_VERIFY 251
1824#define SSL_F_DTLS1_GET_MESSAGE 252
1825#define SSL_F_DTLS1_GET_MESSAGE_FRAGMENT 253
1826#define SSL_F_DTLS1_GET_RECORD 254
1827#define SSL_F_DTLS1_HANDLE_TIMEOUT 297
1828#define SSL_F_DTLS1_HEARTBEAT 305
1829#define SSL_F_DTLS1_OUTPUT_CERT_CHAIN 255
1830#define SSL_F_DTLS1_PREPROCESS_FRAGMENT 288
1831#define SSL_F_DTLS1_PROCESS_OUT_OF_SEQ_MESSAGE 256
1832#define SSL_F_DTLS1_PROCESS_RECORD 257
1833#define SSL_F_DTLS1_READ_BYTES 258
1834#define SSL_F_DTLS1_READ_FAILED 259
1835#define SSL_F_DTLS1_SEND_CERTIFICATE_REQUEST 260
1836#define SSL_F_DTLS1_SEND_CLIENT_CERTIFICATE 261
1837#define SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE 262
1838#define SSL_F_DTLS1_SEND_CLIENT_VERIFY 263
1839#define SSL_F_DTLS1_SEND_HELLO_VERIFY_REQUEST 264
1840#define SSL_F_DTLS1_SEND_SERVER_CERTIFICATE 265
1841#define SSL_F_DTLS1_SEND_SERVER_HELLO 266
1842#define SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE 267
1843#define SSL_F_DTLS1_WRITE_APP_DATA_BYTES 268
1844#define SSL_F_GET_CLIENT_FINISHED 105
1845#define SSL_F_GET_CLIENT_HELLO 106
1846#define SSL_F_GET_CLIENT_MASTER_KEY 107
1847#define SSL_F_GET_SERVER_FINISHED 108
1848#define SSL_F_GET_SERVER_HELLO 109
1849#define SSL_F_GET_SERVER_VERIFY 110
1850#define SSL_F_I2D_SSL_SESSION 111
1851#define SSL_F_READ_N 112
1852#define SSL_F_REQUEST_CERTIFICATE 113
1853#define SSL_F_SERVER_FINISH 239
1854#define SSL_F_SERVER_HELLO 114
1855#define SSL_F_SERVER_VERIFY 240
1856#define SSL_F_SSL23_ACCEPT 115
1857#define SSL_F_SSL23_CLIENT_HELLO 116
1858#define SSL_F_SSL23_CONNECT 117
1859#define SSL_F_SSL23_GET_CLIENT_HELLO 118
1860#define SSL_F_SSL23_GET_SERVER_HELLO 119
1861#define SSL_F_SSL23_PEEK 237
1862#define SSL_F_SSL23_READ 120
1863#define SSL_F_SSL23_WRITE 121
1864#define SSL_F_SSL2_ACCEPT 122
1865#define SSL_F_SSL2_CONNECT 123
1866#define SSL_F_SSL2_ENC_INIT 124
1867#define SSL_F_SSL2_GENERATE_KEY_MATERIAL 241
1868#define SSL_F_SSL2_PEEK 234
1869#define SSL_F_SSL2_READ 125
1870#define SSL_F_SSL2_READ_INTERNAL 236
1871#define SSL_F_SSL2_SET_CERTIFICATE 126
1872#define SSL_F_SSL2_WRITE 127
1873#define SSL_F_SSL3_ACCEPT 128
1874#define SSL_F_SSL3_ADD_CERT_TO_BUF 296
1875#define SSL_F_SSL3_CALLBACK_CTRL 233
1876#define SSL_F_SSL3_CHANGE_CIPHER_STATE 129
1877#define SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM 130
1878#define SSL_F_SSL3_CHECK_CLIENT_HELLO 304
1879#define SSL_F_SSL3_CLIENT_HELLO 131
1880#define SSL_F_SSL3_CONNECT 132
1881#define SSL_F_SSL3_CTRL 213
1882#define SSL_F_SSL3_CTX_CTRL 133
1883#define SSL_F_SSL3_DIGEST_CACHED_RECORDS 293
1884#define SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC 292
1885#define SSL_F_SSL3_ENC 134
1886#define SSL_F_SSL3_GENERATE_KEY_BLOCK 238
1887#define SSL_F_SSL3_GET_CERTIFICATE_REQUEST 135
1888#define SSL_F_SSL3_GET_CERT_STATUS 289
1889#define SSL_F_SSL3_GET_CERT_VERIFY 136
1890#define SSL_F_SSL3_GET_CLIENT_CERTIFICATE 137
1891#define SSL_F_SSL3_GET_CLIENT_HELLO 138
1892#define SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE 139
1893#define SSL_F_SSL3_GET_FINISHED 140
1894#define SSL_F_SSL3_GET_KEY_EXCHANGE 141
1895#define SSL_F_SSL3_GET_MESSAGE 142
1896#define SSL_F_SSL3_GET_NEW_SESSION_TICKET 283
1897#define SSL_F_SSL3_GET_NEXT_PROTO 306
1898#define SSL_F_SSL3_GET_RECORD 143
1899#define SSL_F_SSL3_GET_SERVER_CERTIFICATE 144
1900#define SSL_F_SSL3_GET_SERVER_DONE 145
1901#define SSL_F_SSL3_GET_SERVER_HELLO 146
1902#define SSL_F_SSL3_HANDSHAKE_MAC 285
1903#define SSL_F_SSL3_NEW_SESSION_TICKET 287
1904#define SSL_F_SSL3_OUTPUT_CERT_CHAIN 147
1905#define SSL_F_SSL3_PEEK 235
1906#define SSL_F_SSL3_READ_BYTES 148
1907#define SSL_F_SSL3_READ_N 149
1908#define SSL_F_SSL3_SEND_CERTIFICATE_REQUEST 150
1909#define SSL_F_SSL3_SEND_CLIENT_CERTIFICATE 151
1910#define SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE 152
1911#define SSL_F_SSL3_SEND_CLIENT_VERIFY 153
1912#define SSL_F_SSL3_SEND_SERVER_CERTIFICATE 154
1913#define SSL_F_SSL3_SEND_SERVER_HELLO 242
1914#define SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE 155
1915#define SSL_F_SSL3_SETUP_KEY_BLOCK 157
1916#define SSL_F_SSL3_SETUP_READ_BUFFER 156
1917#define SSL_F_SSL3_SETUP_WRITE_BUFFER 291
1918#define SSL_F_SSL3_WRITE_BYTES 158
1919#define SSL_F_SSL3_WRITE_PENDING 159
1920#define SSL_F_SSL_ADD_CLIENTHELLO_RENEGOTIATE_EXT 298
1921#define SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT 277
1922#define SSL_F_SSL_ADD_CLIENTHELLO_USE_SRTP_EXT 307
1923#define SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK 215
1924#define SSL_F_SSL_ADD_FILE_CERT_SUBJECTS_TO_STACK 216
1925#define SSL_F_SSL_ADD_SERVERHELLO_RENEGOTIATE_EXT 299
1926#define SSL_F_SSL_ADD_SERVERHELLO_TLSEXT 278
1927#define SSL_F_SSL_ADD_SERVERHELLO_USE_SRTP_EXT 308
1928#define SSL_F_SSL_BAD_METHOD 160
1929#define SSL_F_SSL_BYTES_TO_CIPHER_LIST 161
1930#define SSL_F_SSL_CERT_DUP 221
1931#define SSL_F_SSL_CERT_INST 222
1932#define SSL_F_SSL_CERT_INSTANTIATE 214
1933#define SSL_F_SSL_CERT_NEW 162
1934#define SSL_F_SSL_CHECK_PRIVATE_KEY 163
1935#define SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT 280
1936#define SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG 279
1937#define SSL_F_SSL_CIPHER_PROCESS_RULESTR 230
1938#define SSL_F_SSL_CIPHER_STRENGTH_SORT 231
1939#define SSL_F_SSL_CLEAR 164
1940#define SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD 165
1941#define SSL_F_SSL_CREATE_CIPHER_LIST 166
1942#define SSL_F_SSL_CTRL 232
1943#define SSL_F_SSL_CTX_CHECK_PRIVATE_KEY 168
1944#define SSL_F_SSL_CTX_MAKE_PROFILES 309
1945#define SSL_F_SSL_CTX_NEW 169
1946#define SSL_F_SSL_CTX_SET_CIPHER_LIST 269
1947#define SSL_F_SSL_CTX_SET_CLIENT_CERT_ENGINE 290
1948#define SSL_F_SSL_CTX_SET_PURPOSE 226
1949#define SSL_F_SSL_CTX_SET_SESSION_ID_CONTEXT 219
1950#define SSL_F_SSL_CTX_SET_SSL_VERSION 170
1951#define SSL_F_SSL_CTX_SET_TRUST 229
1952#define SSL_F_SSL_CTX_USE_CERTIFICATE 171
1953#define SSL_F_SSL_CTX_USE_CERTIFICATE_ASN1 172
1954#define SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE 220
1955#define SSL_F_SSL_CTX_USE_CERTIFICATE_FILE 173
1956#define SSL_F_SSL_CTX_USE_PRIVATEKEY 174
1957#define SSL_F_SSL_CTX_USE_PRIVATEKEY_ASN1 175
1958#define SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE 176
1959#define SSL_F_SSL_CTX_USE_PSK_IDENTITY_HINT 272
1960#define SSL_F_SSL_CTX_USE_RSAPRIVATEKEY 177
1961#define SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_ASN1 178
1962#define SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE 179
1963#define SSL_F_SSL_DO_HANDSHAKE 180
1964#define SSL_F_SSL_GET_NEW_SESSION 181
1965#define SSL_F_SSL_GET_PREV_SESSION 217
1966#define SSL_F_SSL_GET_SERVER_SEND_CERT 182
1967#define SSL_F_SSL_GET_SERVER_SEND_PKEY 317
1968#define SSL_F_SSL_GET_SIGN_PKEY 183
1969#define SSL_F_SSL_INIT_WBIO_BUFFER 184
1970#define SSL_F_SSL_LOAD_CLIENT_CA_FILE 185
1971#define SSL_F_SSL_NEW 186
1972#define SSL_F_SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT 300
1973#define SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT 302
1974#define SSL_F_SSL_PARSE_CLIENTHELLO_USE_SRTP_EXT 310
1975#define SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT 301
1976#define SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT 303
1977#define SSL_F_SSL_PARSE_SERVERHELLO_USE_SRTP_EXT 311
1978#define SSL_F_SSL_PEEK 270
1979#define SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT 281
1980#define SSL_F_SSL_PREPARE_SERVERHELLO_TLSEXT 282
1981#define SSL_F_SSL_READ 223
1982#define SSL_F_SSL_RSA_PRIVATE_DECRYPT 187
1983#define SSL_F_SSL_RSA_PUBLIC_ENCRYPT 188
1984#define SSL_F_SSL_SESSION_NEW 189
1985#define SSL_F_SSL_SESSION_PRINT_FP 190
1986#define SSL_F_SSL_SESSION_SET1_ID_CONTEXT 312
1987#define SSL_F_SSL_SESS_CERT_NEW 225
1988#define SSL_F_SSL_SET_CERT 191
1989#define SSL_F_SSL_SET_CIPHER_LIST 271
1990#define SSL_F_SSL_SET_FD 192
1991#define SSL_F_SSL_SET_PKEY 193
1992#define SSL_F_SSL_SET_PURPOSE 227
1993#define SSL_F_SSL_SET_RFD 194
1994#define SSL_F_SSL_SET_SESSION 195
1995#define SSL_F_SSL_SET_SESSION_ID_CONTEXT 218
1996#define SSL_F_SSL_SET_SESSION_TICKET_EXT 294
1997#define SSL_F_SSL_SET_TRUST 228
1998#define SSL_F_SSL_SET_WFD 196
1999#define SSL_F_SSL_SHUTDOWN 224
2000#define SSL_F_SSL_SRP_CTX_INIT 313
2001#define SSL_F_SSL_UNDEFINED_CONST_FUNCTION 243
2002#define SSL_F_SSL_UNDEFINED_FUNCTION 197
2003#define SSL_F_SSL_UNDEFINED_VOID_FUNCTION 244
2004#define SSL_F_SSL_USE_CERTIFICATE 198
2005#define SSL_F_SSL_USE_CERTIFICATE_ASN1 199
2006#define SSL_F_SSL_USE_CERTIFICATE_FILE 200
2007#define SSL_F_SSL_USE_PRIVATEKEY 201
2008#define SSL_F_SSL_USE_PRIVATEKEY_ASN1 202
2009#define SSL_F_SSL_USE_PRIVATEKEY_FILE 203
2010#define SSL_F_SSL_USE_PSK_IDENTITY_HINT 273
2011#define SSL_F_SSL_USE_RSAPRIVATEKEY 204
2012#define SSL_F_SSL_USE_RSAPRIVATEKEY_ASN1 205
2013#define SSL_F_SSL_USE_RSAPRIVATEKEY_FILE 206
2014#define SSL_F_SSL_VERIFY_CERT_CHAIN 207
2015#define SSL_F_SSL_WRITE 208
2016#define SSL_F_TLS1_AEAD_CTX_INIT 339
2017#define SSL_F_TLS1_CERT_VERIFY_MAC 286
2018#define SSL_F_TLS1_CHANGE_CIPHER_STATE 209
2019#define SSL_F_TLS1_CHANGE_CIPHER_STATE_AEAD 340
2020#define SSL_F_TLS1_CHANGE_CIPHER_STATE_CIPHER 338
2021#define SSL_F_TLS1_CHECK_SERVERHELLO_TLSEXT 274
2022#define SSL_F_TLS1_ENC 210
2023#define SSL_F_TLS1_EXPORT_KEYING_MATERIAL 314
2024#define SSL_F_TLS1_HEARTBEAT 315
2025#define SSL_F_TLS1_PREPARE_CLIENTHELLO_TLSEXT 275
2026#define SSL_F_TLS1_PREPARE_SERVERHELLO_TLSEXT 276
2027#define SSL_F_TLS1_PRF 284
2028#define SSL_F_TLS1_SETUP_KEY_BLOCK 211
2029#define SSL_F_WRITE_PENDING 212
2030
2031/* Reason codes. */
2032#define SSL_R_APP_DATA_IN_HANDSHAKE 100
2033#define SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT 272
2034#define SSL_R_BAD_ALERT_RECORD 101
2035#define SSL_R_BAD_AUTHENTICATION_TYPE 102
2036#define SSL_R_BAD_CHANGE_CIPHER_SPEC 103
2037#define SSL_R_BAD_CHECKSUM 104
2038#define SSL_R_BAD_DATA_RETURNED_BY_CALLBACK 106
2039#define SSL_R_BAD_DECOMPRESSION 107
2040#define SSL_R_BAD_DH_G_LENGTH 108
2041#define SSL_R_BAD_DH_PUB_KEY_LENGTH 109
2042#define SSL_R_BAD_DH_P_LENGTH 110
2043#define SSL_R_BAD_DIGEST_LENGTH 111
2044#define SSL_R_BAD_DSA_SIGNATURE 112
2045#define SSL_R_BAD_ECC_CERT 304
2046#define SSL_R_BAD_ECDSA_SIGNATURE 305
2047#define SSL_R_BAD_ECPOINT 306
2048#define SSL_R_BAD_HANDSHAKE_LENGTH 332
2049#define SSL_R_BAD_HELLO_REQUEST 105
2050#define SSL_R_BAD_LENGTH 271
2051#define SSL_R_BAD_MAC_DECODE 113
2052#define SSL_R_BAD_MAC_LENGTH 333
2053#define SSL_R_BAD_MESSAGE_TYPE 114
2054#define SSL_R_BAD_PACKET_LENGTH 115
2055#define SSL_R_BAD_PROTOCOL_VERSION_NUMBER 116
2056#define SSL_R_BAD_PSK_IDENTITY_HINT_LENGTH 316
2057#define SSL_R_BAD_RESPONSE_ARGUMENT 117
2058#define SSL_R_BAD_RSA_DECRYPT 118
2059#define SSL_R_BAD_RSA_ENCRYPT 119
2060#define SSL_R_BAD_RSA_E_LENGTH 120
2061#define SSL_R_BAD_RSA_MODULUS_LENGTH 121
2062#define SSL_R_BAD_RSA_SIGNATURE 122
2063#define SSL_R_BAD_SIGNATURE 123
2064#define SSL_R_BAD_SRP_A_LENGTH 347
2065#define SSL_R_BAD_SRP_B_LENGTH 348
2066#define SSL_R_BAD_SRP_G_LENGTH 349
2067#define SSL_R_BAD_SRP_N_LENGTH 350
2068#define SSL_R_BAD_SRP_S_LENGTH 351
2069#define SSL_R_BAD_SRTP_MKI_VALUE 352
2070#define SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST 353
2071#define SSL_R_BAD_SSL_FILETYPE 124
2072#define SSL_R_BAD_SSL_SESSION_ID_LENGTH 125
2073#define SSL_R_BAD_STATE 126
2074#define SSL_R_BAD_WRITE_RETRY 127
2075#define SSL_R_BIO_NOT_SET 128
2076#define SSL_R_BLOCK_CIPHER_PAD_IS_WRONG 129
2077#define SSL_R_BN_LIB 130
2078#define SSL_R_CA_DN_LENGTH_MISMATCH 131
2079#define SSL_R_CA_DN_TOO_LONG 132
2080#define SSL_R_CA_KEY_TOO_SMALL 397
2081#define SSL_R_CA_MD_TOO_WEAK 398
2082#define SSL_R_CCS_RECEIVED_EARLY 133
2083#define SSL_R_CERTIFICATE_VERIFY_FAILED 134
2084#define SSL_R_CERT_LENGTH_MISMATCH 135
2085#define SSL_R_CHALLENGE_IS_DIFFERENT 136
2086#define SSL_R_CIPHER_CODE_WRONG_LENGTH 137
2087#define SSL_R_CIPHER_COMPRESSION_UNAVAILABLE 371
2088#define SSL_R_CIPHER_OR_HASH_UNAVAILABLE 138
2089#define SSL_R_CIPHER_TABLE_SRC_ERROR 139
2090#define SSL_R_CLIENTHELLO_TLSEXT 226
2091#define SSL_R_COMPRESSED_LENGTH_TOO_LONG 140
2092#define SSL_R_COMPRESSION_DISABLED 343
2093#define SSL_R_COMPRESSION_FAILURE 141
2094#define SSL_R_COMPRESSION_ID_NOT_WITHIN_PRIVATE_RANGE 307
2095#define SSL_R_COMPRESSION_LIBRARY_ERROR 142
2096#define SSL_R_CONNECTION_ID_IS_DIFFERENT 143
2097#define SSL_R_CONNECTION_TYPE_NOT_SET 144
2098#define SSL_R_COOKIE_MISMATCH 308
2099#define SSL_R_DATA_BETWEEN_CCS_AND_FINISHED 145
2100#define SSL_R_DATA_LENGTH_TOO_LONG 146
2101#define SSL_R_DECRYPTION_FAILED 147
2102#define SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC 281
2103#define SSL_R_DH_KEY_TOO_SMALL 394
2104#define SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG 148
2105#define SSL_R_DIGEST_CHECK_FAILED 149
2106#define SSL_R_DTLS_MESSAGE_TOO_BIG 334
2107#define SSL_R_DUPLICATE_COMPRESSION_ID 309
2108#define SSL_R_ECC_CERT_NOT_FOR_KEY_AGREEMENT 317
2109#define SSL_R_ECC_CERT_NOT_FOR_SIGNING 318
2110#define SSL_R_ECC_CERT_SHOULD_HAVE_RSA_SIGNATURE 322
2111#define SSL_R_ECC_CERT_SHOULD_HAVE_SHA1_SIGNATURE 323
2112#define SSL_R_ECGROUP_TOO_LARGE_FOR_CIPHER 310
2113#define SSL_R_EE_KEY_TOO_SMALL 399
2114#define SSL_R_EMPTY_SRTP_PROTECTION_PROFILE_LIST 354
2115#define SSL_R_ENCRYPTED_LENGTH_TOO_LONG 150
2116#define SSL_R_ERROR_GENERATING_TMP_RSA_KEY 282
2117#define SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST 151
2118#define SSL_R_EXCESSIVE_MESSAGE_SIZE 152
2119#define SSL_R_EXTRA_DATA_IN_MESSAGE 153
2120#define SSL_R_GOT_A_FIN_BEFORE_A_CCS 154
2121#define SSL_R_GOT_NEXT_PROTO_BEFORE_A_CCS 355
2122#define SSL_R_GOT_NEXT_PROTO_WITHOUT_EXTENSION 356
2123#define SSL_R_HTTPS_PROXY_REQUEST 155
2124#define SSL_R_HTTP_REQUEST 156
2125#define SSL_R_ILLEGAL_PADDING 283
2126#define SSL_R_INAPPROPRIATE_FALLBACK 373
2127#define SSL_R_INCONSISTENT_COMPRESSION 340
2128#define SSL_R_INVALID_CHALLENGE_LENGTH 158
2129#define SSL_R_INVALID_COMMAND 280
2130#define SSL_R_INVALID_COMPRESSION_ALGORITHM 341
2131#define SSL_R_INVALID_PURPOSE 278
2132#define SSL_R_INVALID_SRP_USERNAME 357
2133#define SSL_R_INVALID_STATUS_RESPONSE 328
2134#define SSL_R_INVALID_TICKET_KEYS_LENGTH 325
2135#define SSL_R_INVALID_TRUST 279
2136#define SSL_R_KEY_ARG_TOO_LONG 284
2137#define SSL_R_KRB5 285
2138#define SSL_R_KRB5_C_CC_PRINC 286
2139#define SSL_R_KRB5_C_GET_CRED 287
2140#define SSL_R_KRB5_C_INIT 288
2141#define SSL_R_KRB5_C_MK_REQ 289
2142#define SSL_R_KRB5_S_BAD_TICKET 290
2143#define SSL_R_KRB5_S_INIT 291
2144#define SSL_R_KRB5_S_RD_REQ 292
2145#define SSL_R_KRB5_S_TKT_EXPIRED 293
2146#define SSL_R_KRB5_S_TKT_NYV 294
2147#define SSL_R_KRB5_S_TKT_SKEW 295
2148#define SSL_R_LENGTH_MISMATCH 159
2149#define SSL_R_LENGTH_TOO_SHORT 160
2150#define SSL_R_LIBRARY_BUG 274
2151#define SSL_R_LIBRARY_HAS_NO_CIPHERS 161
2152#define SSL_R_MESSAGE_TOO_LONG 296
2153#define SSL_R_MISSING_DH_DSA_CERT 162
2154#define SSL_R_MISSING_DH_KEY 163
2155#define SSL_R_MISSING_DH_RSA_CERT 164
2156#define SSL_R_MISSING_DSA_SIGNING_CERT 165
2157#define SSL_R_MISSING_EXPORT_TMP_DH_KEY 166
2158#define SSL_R_MISSING_EXPORT_TMP_RSA_KEY 167
2159#define SSL_R_MISSING_RSA_CERTIFICATE 168
2160#define SSL_R_MISSING_RSA_ENCRYPTING_CERT 169
2161#define SSL_R_MISSING_RSA_SIGNING_CERT 170
2162#define SSL_R_MISSING_SRP_PARAM 358
2163#define SSL_R_MISSING_TMP_DH_KEY 171
2164#define SSL_R_MISSING_TMP_ECDH_KEY 311
2165#define SSL_R_MISSING_TMP_RSA_KEY 172
2166#define SSL_R_MISSING_TMP_RSA_PKEY 173
2167#define SSL_R_MISSING_VERIFY_MESSAGE 174
2168#define SSL_R_MULTIPLE_SGC_RESTARTS 346
2169#define SSL_R_NON_SSLV2_INITIAL_PACKET 175
2170#define SSL_R_NO_APPLICATION_PROTOCOL 235
2171#define SSL_R_NO_CERTIFICATES_RETURNED 176
2172#define SSL_R_NO_CERTIFICATE_ASSIGNED 177
2173#define SSL_R_NO_CERTIFICATE_RETURNED 178
2174#define SSL_R_NO_CERTIFICATE_SET 179
2175#define SSL_R_NO_CERTIFICATE_SPECIFIED 180
2176#define SSL_R_NO_CIPHERS_AVAILABLE 181
2177#define SSL_R_NO_CIPHERS_PASSED 182
2178#define SSL_R_NO_CIPHERS_SPECIFIED 183
2179#define SSL_R_NO_CIPHER_LIST 184
2180#define SSL_R_NO_CIPHER_MATCH 185
2181#define SSL_R_NO_CLIENT_CERT_METHOD 331
2182#define SSL_R_NO_CLIENT_CERT_RECEIVED 186
2183#define SSL_R_NO_COMPRESSION_SPECIFIED 187
2184#define SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER 330
2185#define SSL_R_NO_METHOD_SPECIFIED 188
2186#define SSL_R_NO_PRIVATEKEY 189
2187#define SSL_R_NO_PRIVATE_KEY_ASSIGNED 190
2188#define SSL_R_NO_PROTOCOLS_AVAILABLE 191
2189#define SSL_R_NO_PUBLICKEY 192
2190#define SSL_R_NO_RENEGOTIATION 339
2191#define SSL_R_NO_REQUIRED_DIGEST 324
2192#define SSL_R_NO_SHARED_CIPHER 193
2193#define SSL_R_NO_SRTP_PROFILES 359
2194#define SSL_R_NO_VERIFY_CALLBACK 194
2195#define SSL_R_NULL_SSL_CTX 195
2196#define SSL_R_NULL_SSL_METHOD_PASSED 196
2197#define SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED 197
2198#define SSL_R_OLD_SESSION_COMPRESSION_ALGORITHM_NOT_RETURNED 344
2199#define SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE 297
2200#define SSL_R_PACKET_LENGTH_TOO_LONG 198
2201#define SSL_R_PARSE_TLSEXT 227
2202#define SSL_R_PATH_TOO_LONG 270
2203#define SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE 199
2204#define SSL_R_PEER_ERROR 200
2205#define SSL_R_PEER_ERROR_CERTIFICATE 201
2206#define SSL_R_PEER_ERROR_NO_CERTIFICATE 202
2207#define SSL_R_PEER_ERROR_NO_CIPHER 203
2208#define SSL_R_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE 204
2209#define SSL_R_PRE_MAC_LENGTH_TOO_LONG 205
2210#define SSL_R_PROBLEMS_MAPPING_CIPHER_FUNCTIONS 206
2211#define SSL_R_PROTOCOL_IS_SHUTDOWN 207
2212#define SSL_R_PSK_IDENTITY_NOT_FOUND 223
2213#define SSL_R_PSK_NO_CLIENT_CB 224
2214#define SSL_R_PSK_NO_SERVER_CB 225
2215#define SSL_R_PUBLIC_KEY_ENCRYPT_ERROR 208
2216#define SSL_R_PUBLIC_KEY_IS_NOT_RSA 209
2217#define SSL_R_PUBLIC_KEY_NOT_RSA 210
2218#define SSL_R_READ_BIO_NOT_SET 211
2219#define SSL_R_READ_TIMEOUT_EXPIRED 312
2220#define SSL_R_READ_WRONG_PACKET_TYPE 212
2221#define SSL_R_RECORD_LENGTH_MISMATCH 213
2222#define SSL_R_RECORD_TOO_LARGE 214
2223#define SSL_R_RECORD_TOO_SMALL 298
2224#define SSL_R_RENEGOTIATE_EXT_TOO_LONG 335
2225#define SSL_R_RENEGOTIATION_ENCODING_ERR 336
2226#define SSL_R_RENEGOTIATION_MISMATCH 337
2227#define SSL_R_REQUIRED_CIPHER_MISSING 215
2228#define SSL_R_REQUIRED_COMPRESSSION_ALGORITHM_MISSING 342
2229#define SSL_R_REUSE_CERT_LENGTH_NOT_ZERO 216
2230#define SSL_R_REUSE_CERT_TYPE_NOT_ZERO 217
2231#define SSL_R_REUSE_CIPHER_LIST_NOT_ZERO 218
2232#define SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING 345
2233#define SSL_R_SERVERHELLO_TLSEXT 275
2234#define SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED 277
2235#define SSL_R_SHORT_READ 219
2236#define SSL_R_SIGNATURE_ALGORITHMS_ERROR 360
2237#define SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE 220
2238#define SSL_R_SRP_A_CALC 361
2239#define SSL_R_SRTP_COULD_NOT_ALLOCATE_PROFILES 362
2240#define SSL_R_SRTP_PROTECTION_PROFILE_LIST_TOO_LONG 363
2241#define SSL_R_SRTP_UNKNOWN_PROTECTION_PROFILE 364
2242#define SSL_R_SSL23_DOING_SESSION_ID_REUSE 221
2243#define SSL_R_SSL2_CONNECTION_ID_TOO_LONG 299
2244#define SSL_R_SSL3_EXT_INVALID_ECPOINTFORMAT 321
2245#define SSL_R_SSL3_EXT_INVALID_SERVERNAME 319
2246#define SSL_R_SSL3_EXT_INVALID_SERVERNAME_TYPE 320
2247#define SSL_R_SSL3_SESSION_ID_TOO_LONG 300
2248#define SSL_R_SSL3_SESSION_ID_TOO_SHORT 222
2249#define SSL_R_SSLV3_ALERT_BAD_CERTIFICATE 1042
2250#define SSL_R_SSLV3_ALERT_BAD_RECORD_MAC 1020
2251#define SSL_R_SSLV3_ALERT_CERTIFICATE_EXPIRED 1045
2252#define SSL_R_SSLV3_ALERT_CERTIFICATE_REVOKED 1044
2253#define SSL_R_SSLV3_ALERT_CERTIFICATE_UNKNOWN 1046
2254#define SSL_R_SSLV3_ALERT_DECOMPRESSION_FAILURE 1030
2255#define SSL_R_SSLV3_ALERT_HANDSHAKE_FAILURE 1040
2256#define SSL_R_SSLV3_ALERT_ILLEGAL_PARAMETER 1047
2257#define SSL_R_SSLV3_ALERT_NO_CERTIFICATE 1041
2258#define SSL_R_SSLV3_ALERT_UNEXPECTED_MESSAGE 1010
2259#define SSL_R_SSLV3_ALERT_UNSUPPORTED_CERTIFICATE 1043
2260#define SSL_R_SSL_CTX_HAS_NO_DEFAULT_SSL_VERSION 228
2261#define SSL_R_SSL_HANDSHAKE_FAILURE 229
2262#define SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS 230
2263#define SSL_R_SSL_SESSION_ID_CALLBACK_FAILED 301
2264#define SSL_R_SSL_SESSION_ID_CONFLICT 302
2265#define SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG 273
2266#define SSL_R_SSL_SESSION_ID_HAS_BAD_LENGTH 303
2267#define SSL_R_SSL_SESSION_ID_IS_DIFFERENT 231
2268#define SSL_R_SSL_SESSION_ID_TOO_LONG 408
2269#define SSL_R_TLSV1_ALERT_ACCESS_DENIED 1049
2270#define SSL_R_TLSV1_ALERT_DECODE_ERROR 1050
2271#define SSL_R_TLSV1_ALERT_DECRYPTION_FAILED 1021
2272#define SSL_R_TLSV1_ALERT_DECRYPT_ERROR 1051
2273#define SSL_R_TLSV1_ALERT_EXPORT_RESTRICTION 1060
2274#define SSL_R_TLSV1_ALERT_INAPPROPRIATE_FALLBACK 1086
2275#define SSL_R_TLSV1_ALERT_INSUFFICIENT_SECURITY 1071
2276#define SSL_R_TLSV1_ALERT_INTERNAL_ERROR 1080
2277#define SSL_R_TLSV1_ALERT_NO_RENEGOTIATION 1100
2278#define SSL_R_TLSV1_ALERT_PROTOCOL_VERSION 1070
2279#define SSL_R_TLSV1_ALERT_RECORD_OVERFLOW 1022
2280#define SSL_R_TLSV1_ALERT_UNKNOWN_CA 1048
2281#define SSL_R_TLSV1_ALERT_USER_CANCELLED 1090
2282#define SSL_R_TLSV1_BAD_CERTIFICATE_HASH_VALUE 1114
2283#define SSL_R_TLSV1_BAD_CERTIFICATE_STATUS_RESPONSE 1113
2284#define SSL_R_TLSV1_CERTIFICATE_UNOBTAINABLE 1111
2285#define SSL_R_TLSV1_UNRECOGNIZED_NAME 1112
2286#define SSL_R_TLSV1_UNSUPPORTED_EXTENSION 1110
2287#define SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER 232
2288#define SSL_R_TLS_HEARTBEAT_PEER_DOESNT_ACCEPT 365
2289#define SSL_R_TLS_HEARTBEAT_PENDING 366
2290#define SSL_R_TLS_ILLEGAL_EXPORTER_LABEL 367
2291#define SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST 157
2292#define SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST 233
2293#define SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG 234
2294#define SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER 235
2295#define SSL_R_UNABLE_TO_DECODE_DH_CERTS 236
2296#define SSL_R_UNABLE_TO_DECODE_ECDH_CERTS 313
2297#define SSL_R_UNABLE_TO_EXTRACT_PUBLIC_KEY 237
2298#define SSL_R_UNABLE_TO_FIND_DH_PARAMETERS 238
2299#define SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS 314
2300#define SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS 239
2301#define SSL_R_UNABLE_TO_FIND_SSL_METHOD 240
2302#define SSL_R_UNABLE_TO_LOAD_SSL2_MD5_ROUTINES 241
2303#define SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES 242
2304#define SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES 243
2305#define SSL_R_UNEXPECTED_MESSAGE 244
2306#define SSL_R_UNEXPECTED_RECORD 245
2307#define SSL_R_UNINITIALIZED 276
2308#define SSL_R_UNKNOWN_ALERT_TYPE 246
2309#define SSL_R_UNKNOWN_CERTIFICATE_TYPE 247
2310#define SSL_R_UNKNOWN_CIPHER_RETURNED 248
2311#define SSL_R_UNKNOWN_CIPHER_TYPE 249
2312#define SSL_R_UNKNOWN_DIGEST 368
2313#define SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE 250
2314#define SSL_R_UNKNOWN_PKEY_TYPE 251
2315#define SSL_R_UNKNOWN_PROTOCOL 252
2316#define SSL_R_UNKNOWN_REMOTE_ERROR_TYPE 253
2317#define SSL_R_UNKNOWN_SSL_VERSION 254
2318#define SSL_R_UNKNOWN_STATE 255
2319#define SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED 338
2320#define SSL_R_UNSUPPORTED_CIPHER 256
2321#define SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM 257
2322#define SSL_R_UNSUPPORTED_DIGEST_TYPE 326
2323#define SSL_R_UNSUPPORTED_ELLIPTIC_CURVE 315
2324#define SSL_R_UNSUPPORTED_PROTOCOL 258
2325#define SSL_R_UNSUPPORTED_SSL_VERSION 259
2326#define SSL_R_UNSUPPORTED_STATUS_TYPE 329
2327#define SSL_R_USE_SRTP_NOT_NEGOTIATED 369
2328#define SSL_R_VERSION_TOO_LOW 396
2329#define SSL_R_WRITE_BIO_NOT_SET 260
2330#define SSL_R_WRONG_CIPHER_RETURNED 261
2331#define SSL_R_WRONG_CURVE 378
2332#define SSL_R_WRONG_MESSAGE_TYPE 262
2333#define SSL_R_WRONG_NUMBER_OF_KEY_BITS 263
2334#define SSL_R_WRONG_SIGNATURE_LENGTH 264
2335#define SSL_R_WRONG_SIGNATURE_SIZE 265
2336#define SSL_R_WRONG_SIGNATURE_TYPE 370
2337#define SSL_R_WRONG_SSL_VERSION 266
2338#define SSL_R_WRONG_VERSION_NUMBER 267
2339#define SSL_R_X509_LIB 268
2340#define SSL_R_X509_VERIFICATION_SETUP_PROBLEMS 269
2341#define SSL_R_PEER_BEHAVING_BADLY 666
2342#define SSL_R_QUIC_INTERNAL_ERROR 667
2343#define SSL_R_WRONG_ENCRYPTION_LEVEL_RECEIVED 668
2344#define SSL_R_UNKNOWN 999
2345
2346/*
2347 * OpenSSL compatible OPENSSL_INIT options
2348 */
2349
2350/*
2351 * These are provided for compatibility, but have no effect
2352 * on how LibreSSL is initialized.
2353 */
2354#define OPENSSL_INIT_LOAD_SSL_STRINGS _OPENSSL_INIT_FLAG_NOOP
2355#define OPENSSL_INIT_SSL_DEFAULT _OPENSSL_INIT_FLAG_NOOP
2356
2357int OPENSSL_init_ssl(uint64_t opts, const void *settings);
2358
2359#ifdef __cplusplus
2360}
2361#endif
2362#endif
diff --git a/src/lib/libssl/ssl2.h b/src/lib/libssl/ssl2.h
deleted file mode 100644
index 3a8d300729..0000000000
--- a/src/lib/libssl/ssl2.h
+++ /dev/null
@@ -1,153 +0,0 @@
1/* $OpenBSD: ssl2.h,v 1.12 2014/12/14 15:30:50 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#ifndef HEADER_SSL2_H
60#define HEADER_SSL2_H
61
62#ifdef __cplusplus
63extern "C" {
64#endif
65
66/* Protocol Version Codes */
67#define SSL2_VERSION 0x0002
68#define SSL2_VERSION_MAJOR 0x00
69#define SSL2_VERSION_MINOR 0x02
70/* #define SSL2_CLIENT_VERSION 0x0002 */
71/* #define SSL2_SERVER_VERSION 0x0002 */
72
73/* Protocol Message Codes */
74#define SSL2_MT_ERROR 0
75#define SSL2_MT_CLIENT_HELLO 1
76#define SSL2_MT_CLIENT_MASTER_KEY 2
77#define SSL2_MT_CLIENT_FINISHED 3
78#define SSL2_MT_SERVER_HELLO 4
79#define SSL2_MT_SERVER_VERIFY 5
80#define SSL2_MT_SERVER_FINISHED 6
81#define SSL2_MT_REQUEST_CERTIFICATE 7
82#define SSL2_MT_CLIENT_CERTIFICATE 8
83
84/* Error Message Codes */
85#define SSL2_PE_UNDEFINED_ERROR 0x0000
86#define SSL2_PE_NO_CIPHER 0x0001
87#define SSL2_PE_NO_CERTIFICATE 0x0002
88#define SSL2_PE_BAD_CERTIFICATE 0x0004
89#define SSL2_PE_UNSUPPORTED_CERTIFICATE_TYPE 0x0006
90
91/* Cipher Kind Values */
92#define SSL2_CK_NULL_WITH_MD5 0x02000000 /* v3 */
93#define SSL2_CK_RC4_128_WITH_MD5 0x02010080
94#define SSL2_CK_RC4_128_EXPORT40_WITH_MD5 0x02020080
95#define SSL2_CK_RC2_128_CBC_WITH_MD5 0x02030080
96#define SSL2_CK_RC2_128_CBC_EXPORT40_WITH_MD5 0x02040080
97#define SSL2_CK_IDEA_128_CBC_WITH_MD5 0x02050080
98#define SSL2_CK_DES_64_CBC_WITH_MD5 0x02060040
99#define SSL2_CK_DES_64_CBC_WITH_SHA 0x02060140 /* v3 */
100#define SSL2_CK_DES_192_EDE3_CBC_WITH_MD5 0x020700c0
101#define SSL2_CK_DES_192_EDE3_CBC_WITH_SHA 0x020701c0 /* v3 */
102#define SSL2_CK_RC4_64_WITH_MD5 0x02080080 /* MS hack */
103
104#define SSL2_CK_DES_64_CFB64_WITH_MD5_1 0x02ff0800 /* SSLeay */
105#define SSL2_CK_NULL 0x02ff0810 /* SSLeay */
106
107#define SSL2_TXT_DES_64_CFB64_WITH_MD5_1 "DES-CFB-M1"
108#define SSL2_TXT_NULL_WITH_MD5 "NULL-MD5"
109#define SSL2_TXT_RC4_128_WITH_MD5 "RC4-MD5"
110#define SSL2_TXT_RC4_128_EXPORT40_WITH_MD5 "EXP-RC4-MD5"
111#define SSL2_TXT_RC2_128_CBC_WITH_MD5 "RC2-CBC-MD5"
112#define SSL2_TXT_RC2_128_CBC_EXPORT40_WITH_MD5 "EXP-RC2-CBC-MD5"
113#define SSL2_TXT_IDEA_128_CBC_WITH_MD5 "IDEA-CBC-MD5"
114#define SSL2_TXT_DES_64_CBC_WITH_MD5 "DES-CBC-MD5"
115#define SSL2_TXT_DES_64_CBC_WITH_SHA "DES-CBC-SHA"
116#define SSL2_TXT_DES_192_EDE3_CBC_WITH_MD5 "DES-CBC3-MD5"
117#define SSL2_TXT_DES_192_EDE3_CBC_WITH_SHA "DES-CBC3-SHA"
118#define SSL2_TXT_RC4_64_WITH_MD5 "RC4-64-MD5"
119
120#define SSL2_TXT_NULL "NULL"
121
122/* Flags for the SSL_CIPHER.algorithm2 field */
123#define SSL2_CF_5_BYTE_ENC 0x01
124#define SSL2_CF_8_BYTE_ENC 0x02
125
126/* Certificate Type Codes */
127#define SSL2_CT_X509_CERTIFICATE 0x01
128
129/* Authentication Type Code */
130#define SSL2_AT_MD5_WITH_RSA_ENCRYPTION 0x01
131
132#define SSL2_MAX_SSL_SESSION_ID_LENGTH 32
133
134/* Upper/Lower Bounds */
135#define SSL2_MAX_MASTER_KEY_LENGTH_IN_BITS 256
136#define SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER 32767u /* 2^15-1 */
137#define SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER 16383 /* 2^14-1 */
138
139#define SSL2_CHALLENGE_LENGTH 16
140/*#define SSL2_CHALLENGE_LENGTH 32 */
141#define SSL2_MIN_CHALLENGE_LENGTH 16
142#define SSL2_MAX_CHALLENGE_LENGTH 32
143#define SSL2_CONNECTION_ID_LENGTH 16
144#define SSL2_MAX_CONNECTION_ID_LENGTH 16
145#define SSL2_SSL_SESSION_ID_LENGTH 16
146#define SSL2_MAX_CERT_CHALLENGE_LENGTH 32
147#define SSL2_MIN_CERT_CHALLENGE_LENGTH 16
148#define SSL2_MAX_KEY_MATERIAL_LENGTH 24
149
150#ifdef __cplusplus
151}
152#endif
153#endif
diff --git a/src/lib/libssl/ssl23.h b/src/lib/libssl/ssl23.h
deleted file mode 100644
index 570e4b0171..0000000000
--- a/src/lib/libssl/ssl23.h
+++ /dev/null
@@ -1,82 +0,0 @@
1/* $OpenBSD: ssl23.h,v 1.4 2014/12/14 15:30:50 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#ifndef HEADER_SSL23_H
60#define HEADER_SSL23_H
61
62#ifdef __cplusplus
63extern "C" {
64#endif
65
66/*client */
67/* write to server */
68#define SSL23_ST_CW_CLNT_HELLO_A (0x210|SSL_ST_CONNECT)
69#define SSL23_ST_CW_CLNT_HELLO_B (0x211|SSL_ST_CONNECT)
70/* read from server */
71#define SSL23_ST_CR_SRVR_HELLO_A (0x220|SSL_ST_CONNECT)
72#define SSL23_ST_CR_SRVR_HELLO_B (0x221|SSL_ST_CONNECT)
73
74/* server */
75/* read from client */
76#define SSL23_ST_SR_CLNT_HELLO_A (0x210|SSL_ST_ACCEPT)
77#define SSL23_ST_SR_CLNT_HELLO_B (0x211|SSL_ST_ACCEPT)
78
79#ifdef __cplusplus
80}
81#endif
82#endif
diff --git a/src/lib/libssl/ssl3.h b/src/lib/libssl/ssl3.h
deleted file mode 100644
index 6c6cc2ad2b..0000000000
--- a/src/lib/libssl/ssl3.h
+++ /dev/null
@@ -1,455 +0,0 @@
1/* $OpenBSD: ssl3.h,v 1.57 2021/09/10 14:49:13 tb Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58/* ====================================================================
59 * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved.
60 *
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
63 * are met:
64 *
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
67 *
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
71 * distribution.
72 *
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77 *
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
82 *
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
86 *
87 * 6. Redistributions of any form whatsoever must retain the following
88 * acknowledgment:
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91 *
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
105 *
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
109 *
110 */
111/* ====================================================================
112 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
113 * ECC cipher suite support in OpenSSL originally developed by
114 * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
115 */
116
117#ifndef HEADER_SSL3_H
118#define HEADER_SSL3_H
119
120#include <openssl/opensslconf.h>
121#include <openssl/buffer.h>
122#include <openssl/evp.h>
123#include <openssl/ssl.h>
124
125#ifdef __cplusplus
126extern "C" {
127#endif
128
129/* TLS_EMPTY_RENEGOTIATION_INFO_SCSV from RFC 5746. */
130#define SSL3_CK_SCSV 0x030000FF
131
132/* TLS_FALLBACK_SCSV from draft-ietf-tls-downgrade-scsv-03. */
133#define SSL3_CK_FALLBACK_SCSV 0x03005600
134
135#define SSL3_CK_RSA_NULL_MD5 0x03000001
136#define SSL3_CK_RSA_NULL_SHA 0x03000002
137#define SSL3_CK_RSA_RC4_40_MD5 0x03000003
138#define SSL3_CK_RSA_RC4_128_MD5 0x03000004
139#define SSL3_CK_RSA_RC4_128_SHA 0x03000005
140#define SSL3_CK_RSA_RC2_40_MD5 0x03000006
141#define SSL3_CK_RSA_IDEA_128_SHA 0x03000007
142#define SSL3_CK_RSA_DES_40_CBC_SHA 0x03000008
143#define SSL3_CK_RSA_DES_64_CBC_SHA 0x03000009
144#define SSL3_CK_RSA_DES_192_CBC3_SHA 0x0300000A
145
146#define SSL3_CK_DH_DSS_DES_40_CBC_SHA 0x0300000B
147#define SSL3_CK_DH_DSS_DES_64_CBC_SHA 0x0300000C
148#define SSL3_CK_DH_DSS_DES_192_CBC3_SHA 0x0300000D
149#define SSL3_CK_DH_RSA_DES_40_CBC_SHA 0x0300000E
150#define SSL3_CK_DH_RSA_DES_64_CBC_SHA 0x0300000F
151#define SSL3_CK_DH_RSA_DES_192_CBC3_SHA 0x03000010
152
153#define SSL3_CK_EDH_DSS_DES_40_CBC_SHA 0x03000011
154#define SSL3_CK_EDH_DSS_DES_64_CBC_SHA 0x03000012
155#define SSL3_CK_EDH_DSS_DES_192_CBC3_SHA 0x03000013
156#define SSL3_CK_EDH_RSA_DES_40_CBC_SHA 0x03000014
157#define SSL3_CK_EDH_RSA_DES_64_CBC_SHA 0x03000015
158#define SSL3_CK_EDH_RSA_DES_192_CBC3_SHA 0x03000016
159
160#define SSL3_CK_ADH_RC4_40_MD5 0x03000017
161#define SSL3_CK_ADH_RC4_128_MD5 0x03000018
162#define SSL3_CK_ADH_DES_40_CBC_SHA 0x03000019
163#define SSL3_CK_ADH_DES_64_CBC_SHA 0x0300001A
164#define SSL3_CK_ADH_DES_192_CBC_SHA 0x0300001B
165
166/* VRS Additional Kerberos5 entries
167 */
168#define SSL3_CK_KRB5_DES_64_CBC_SHA 0x0300001E
169#define SSL3_CK_KRB5_DES_192_CBC3_SHA 0x0300001F
170#define SSL3_CK_KRB5_RC4_128_SHA 0x03000020
171#define SSL3_CK_KRB5_IDEA_128_CBC_SHA 0x03000021
172#define SSL3_CK_KRB5_DES_64_CBC_MD5 0x03000022
173#define SSL3_CK_KRB5_DES_192_CBC3_MD5 0x03000023
174#define SSL3_CK_KRB5_RC4_128_MD5 0x03000024
175#define SSL3_CK_KRB5_IDEA_128_CBC_MD5 0x03000025
176
177#define SSL3_CK_KRB5_DES_40_CBC_SHA 0x03000026
178#define SSL3_CK_KRB5_RC2_40_CBC_SHA 0x03000027
179#define SSL3_CK_KRB5_RC4_40_SHA 0x03000028
180#define SSL3_CK_KRB5_DES_40_CBC_MD5 0x03000029
181#define SSL3_CK_KRB5_RC2_40_CBC_MD5 0x0300002A
182#define SSL3_CK_KRB5_RC4_40_MD5 0x0300002B
183
184#define SSL3_TXT_RSA_NULL_MD5 "NULL-MD5"
185#define SSL3_TXT_RSA_NULL_SHA "NULL-SHA"
186#define SSL3_TXT_RSA_RC4_40_MD5 "EXP-RC4-MD5"
187#define SSL3_TXT_RSA_RC4_128_MD5 "RC4-MD5"
188#define SSL3_TXT_RSA_RC4_128_SHA "RC4-SHA"
189#define SSL3_TXT_RSA_RC2_40_MD5 "EXP-RC2-CBC-MD5"
190#define SSL3_TXT_RSA_IDEA_128_SHA "IDEA-CBC-SHA"
191#define SSL3_TXT_RSA_DES_40_CBC_SHA "EXP-DES-CBC-SHA"
192#define SSL3_TXT_RSA_DES_64_CBC_SHA "DES-CBC-SHA"
193#define SSL3_TXT_RSA_DES_192_CBC3_SHA "DES-CBC3-SHA"
194
195#define SSL3_TXT_DH_DSS_DES_40_CBC_SHA "EXP-DH-DSS-DES-CBC-SHA"
196#define SSL3_TXT_DH_DSS_DES_64_CBC_SHA "DH-DSS-DES-CBC-SHA"
197#define SSL3_TXT_DH_DSS_DES_192_CBC3_SHA "DH-DSS-DES-CBC3-SHA"
198#define SSL3_TXT_DH_RSA_DES_40_CBC_SHA "EXP-DH-RSA-DES-CBC-SHA"
199#define SSL3_TXT_DH_RSA_DES_64_CBC_SHA "DH-RSA-DES-CBC-SHA"
200#define SSL3_TXT_DH_RSA_DES_192_CBC3_SHA "DH-RSA-DES-CBC3-SHA"
201
202#define SSL3_TXT_EDH_DSS_DES_40_CBC_SHA "EXP-EDH-DSS-DES-CBC-SHA"
203#define SSL3_TXT_EDH_DSS_DES_64_CBC_SHA "EDH-DSS-DES-CBC-SHA"
204#define SSL3_TXT_EDH_DSS_DES_192_CBC3_SHA "EDH-DSS-DES-CBC3-SHA"
205#define SSL3_TXT_EDH_RSA_DES_40_CBC_SHA "EXP-EDH-RSA-DES-CBC-SHA"
206#define SSL3_TXT_EDH_RSA_DES_64_CBC_SHA "EDH-RSA-DES-CBC-SHA"
207#define SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA "EDH-RSA-DES-CBC3-SHA"
208
209#define SSL3_TXT_ADH_RC4_40_MD5 "EXP-ADH-RC4-MD5"
210#define SSL3_TXT_ADH_RC4_128_MD5 "ADH-RC4-MD5"
211#define SSL3_TXT_ADH_DES_40_CBC_SHA "EXP-ADH-DES-CBC-SHA"
212#define SSL3_TXT_ADH_DES_64_CBC_SHA "ADH-DES-CBC-SHA"
213#define SSL3_TXT_ADH_DES_192_CBC_SHA "ADH-DES-CBC3-SHA"
214
215#define SSL3_TXT_KRB5_DES_64_CBC_SHA "KRB5-DES-CBC-SHA"
216#define SSL3_TXT_KRB5_DES_192_CBC3_SHA "KRB5-DES-CBC3-SHA"
217#define SSL3_TXT_KRB5_RC4_128_SHA "KRB5-RC4-SHA"
218#define SSL3_TXT_KRB5_IDEA_128_CBC_SHA "KRB5-IDEA-CBC-SHA"
219#define SSL3_TXT_KRB5_DES_64_CBC_MD5 "KRB5-DES-CBC-MD5"
220#define SSL3_TXT_KRB5_DES_192_CBC3_MD5 "KRB5-DES-CBC3-MD5"
221#define SSL3_TXT_KRB5_RC4_128_MD5 "KRB5-RC4-MD5"
222#define SSL3_TXT_KRB5_IDEA_128_CBC_MD5 "KRB5-IDEA-CBC-MD5"
223
224#define SSL3_TXT_KRB5_DES_40_CBC_SHA "EXP-KRB5-DES-CBC-SHA"
225#define SSL3_TXT_KRB5_RC2_40_CBC_SHA "EXP-KRB5-RC2-CBC-SHA"
226#define SSL3_TXT_KRB5_RC4_40_SHA "EXP-KRB5-RC4-SHA"
227#define SSL3_TXT_KRB5_DES_40_CBC_MD5 "EXP-KRB5-DES-CBC-MD5"
228#define SSL3_TXT_KRB5_RC2_40_CBC_MD5 "EXP-KRB5-RC2-CBC-MD5"
229#define SSL3_TXT_KRB5_RC4_40_MD5 "EXP-KRB5-RC4-MD5"
230
231#define SSL3_SSL_SESSION_ID_LENGTH 32
232#define SSL3_MAX_SSL_SESSION_ID_LENGTH 32
233
234#define SSL3_MASTER_SECRET_SIZE 48
235#define SSL3_RANDOM_SIZE 32
236#define SSL3_SEQUENCE_SIZE 8
237#define SSL3_SESSION_ID_SIZE 32
238#define SSL3_CIPHER_VALUE_SIZE 2
239
240#define SSL3_RT_HEADER_LENGTH 5
241#define SSL3_HM_HEADER_LENGTH 4
242
243#define SSL3_ALIGN_PAYLOAD 8
244
245/* This is the maximum MAC (digest) size used by the SSL library.
246 * Currently maximum of 20 is used by SHA1, but we reserve for
247 * future extension for 512-bit hashes.
248 */
249
250#define SSL3_RT_MAX_MD_SIZE 64
251
252/* Maximum block size used in all ciphersuites. Currently 16 for AES.
253 */
254
255#define SSL_RT_MAX_CIPHER_BLOCK_SIZE 16
256
257#define SSL3_RT_MAX_EXTRA (16384)
258
259/* Maximum plaintext length: defined by SSL/TLS standards */
260#define SSL3_RT_MAX_PLAIN_LENGTH 16384
261/* Maximum compression overhead: defined by SSL/TLS standards */
262#define SSL3_RT_MAX_COMPRESSED_OVERHEAD 1024
263
264/* The standards give a maximum encryption overhead of 1024 bytes.
265 * In practice the value is lower than this. The overhead is the maximum
266 * number of padding bytes (256) plus the mac size.
267 */
268#define SSL3_RT_MAX_ENCRYPTED_OVERHEAD (256 + SSL3_RT_MAX_MD_SIZE)
269
270/* OpenSSL currently only uses a padding length of at most one block so
271 * the send overhead is smaller.
272 */
273
274#define SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD \
275 (SSL_RT_MAX_CIPHER_BLOCK_SIZE + SSL3_RT_MAX_MD_SIZE)
276
277/* If compression isn't used don't include the compression overhead */
278#define SSL3_RT_MAX_COMPRESSED_LENGTH SSL3_RT_MAX_PLAIN_LENGTH
279#define SSL3_RT_MAX_ENCRYPTED_LENGTH \
280 (SSL3_RT_MAX_ENCRYPTED_OVERHEAD+SSL3_RT_MAX_COMPRESSED_LENGTH)
281#define SSL3_RT_MAX_PACKET_SIZE \
282 (SSL3_RT_MAX_ENCRYPTED_LENGTH+SSL3_RT_HEADER_LENGTH)
283
284#define SSL3_MD_CLIENT_FINISHED_CONST "\x43\x4C\x4E\x54"
285#define SSL3_MD_SERVER_FINISHED_CONST "\x53\x52\x56\x52"
286
287#define SSL3_VERSION 0x0300
288#define SSL3_VERSION_MAJOR 0x03
289#define SSL3_VERSION_MINOR 0x00
290
291#define SSL3_RT_CHANGE_CIPHER_SPEC 20
292#define SSL3_RT_ALERT 21
293#define SSL3_RT_HANDSHAKE 22
294#define SSL3_RT_APPLICATION_DATA 23
295
296#define SSL3_AL_WARNING 1
297#define SSL3_AL_FATAL 2
298
299#ifndef LIBRESSL_INTERNAL
300#define SSL3_AD_CLOSE_NOTIFY 0
301#define SSL3_AD_UNEXPECTED_MESSAGE 10 /* fatal */
302#define SSL3_AD_BAD_RECORD_MAC 20 /* fatal */
303#define SSL3_AD_DECOMPRESSION_FAILURE 30 /* fatal */
304#define SSL3_AD_HANDSHAKE_FAILURE 40 /* fatal */
305#define SSL3_AD_NO_CERTIFICATE 41
306#define SSL3_AD_BAD_CERTIFICATE 42
307#define SSL3_AD_UNSUPPORTED_CERTIFICATE 43
308#define SSL3_AD_CERTIFICATE_REVOKED 44
309#define SSL3_AD_CERTIFICATE_EXPIRED 45
310#define SSL3_AD_CERTIFICATE_UNKNOWN 46
311#define SSL3_AD_ILLEGAL_PARAMETER 47 /* fatal */
312#endif
313
314#define TLS1_HB_REQUEST 1
315#define TLS1_HB_RESPONSE 2
316
317#define SSL3_CT_RSA_SIGN 1
318#define SSL3_CT_DSS_SIGN 2
319#define SSL3_CT_RSA_FIXED_DH 3
320#define SSL3_CT_DSS_FIXED_DH 4
321#define SSL3_CT_RSA_EPHEMERAL_DH 5
322#define SSL3_CT_DSS_EPHEMERAL_DH 6
323#define SSL3_CT_FORTEZZA_DMS 20
324/* SSL3_CT_NUMBER is used to size arrays and it must be large
325 * enough to contain all of the cert types defined either for
326 * SSLv3 and TLSv1.
327 */
328#define SSL3_CT_NUMBER 13
329
330#define SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS 0x0001
331#define TLS1_FLAGS_SKIP_CERT_VERIFY 0x0010
332#define TLS1_FLAGS_FREEZE_TRANSCRIPT 0x0020
333#define SSL3_FLAGS_CCS_OK 0x0080
334
335/* SSLv3 */
336/*client */
337/* extra state */
338#define SSL3_ST_CW_FLUSH (0x100|SSL_ST_CONNECT)
339/* write to server */
340#define SSL3_ST_CW_CLNT_HELLO_A (0x110|SSL_ST_CONNECT)
341#define SSL3_ST_CW_CLNT_HELLO_B (0x111|SSL_ST_CONNECT)
342/* read from server */
343#define SSL3_ST_CR_SRVR_HELLO_A (0x120|SSL_ST_CONNECT)
344#define SSL3_ST_CR_SRVR_HELLO_B (0x121|SSL_ST_CONNECT)
345#define DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A (0x126|SSL_ST_CONNECT)
346#define DTLS1_ST_CR_HELLO_VERIFY_REQUEST_B (0x127|SSL_ST_CONNECT)
347#define SSL3_ST_CR_CERT_A (0x130|SSL_ST_CONNECT)
348#define SSL3_ST_CR_CERT_B (0x131|SSL_ST_CONNECT)
349#define SSL3_ST_CR_KEY_EXCH_A (0x140|SSL_ST_CONNECT)
350#define SSL3_ST_CR_KEY_EXCH_B (0x141|SSL_ST_CONNECT)
351#define SSL3_ST_CR_CERT_REQ_A (0x150|SSL_ST_CONNECT)
352#define SSL3_ST_CR_CERT_REQ_B (0x151|SSL_ST_CONNECT)
353#define SSL3_ST_CR_SRVR_DONE_A (0x160|SSL_ST_CONNECT)
354#define SSL3_ST_CR_SRVR_DONE_B (0x161|SSL_ST_CONNECT)
355/* write to server */
356#define SSL3_ST_CW_CERT_A (0x170|SSL_ST_CONNECT)
357#define SSL3_ST_CW_CERT_B (0x171|SSL_ST_CONNECT)
358#define SSL3_ST_CW_CERT_C (0x172|SSL_ST_CONNECT)
359#define SSL3_ST_CW_CERT_D (0x173|SSL_ST_CONNECT)
360#define SSL3_ST_CW_KEY_EXCH_A (0x180|SSL_ST_CONNECT)
361#define SSL3_ST_CW_KEY_EXCH_B (0x181|SSL_ST_CONNECT)
362#define SSL3_ST_CW_CERT_VRFY_A (0x190|SSL_ST_CONNECT)
363#define SSL3_ST_CW_CERT_VRFY_B (0x191|SSL_ST_CONNECT)
364#define SSL3_ST_CW_CHANGE_A (0x1A0|SSL_ST_CONNECT)
365#define SSL3_ST_CW_CHANGE_B (0x1A1|SSL_ST_CONNECT)
366#define SSL3_ST_CW_FINISHED_A (0x1B0|SSL_ST_CONNECT)
367#define SSL3_ST_CW_FINISHED_B (0x1B1|SSL_ST_CONNECT)
368/* read from server */
369#define SSL3_ST_CR_CHANGE_A (0x1C0|SSL_ST_CONNECT)
370#define SSL3_ST_CR_CHANGE_B (0x1C1|SSL_ST_CONNECT)
371#define SSL3_ST_CR_FINISHED_A (0x1D0|SSL_ST_CONNECT)
372#define SSL3_ST_CR_FINISHED_B (0x1D1|SSL_ST_CONNECT)
373#define SSL3_ST_CR_SESSION_TICKET_A (0x1E0|SSL_ST_CONNECT)
374#define SSL3_ST_CR_SESSION_TICKET_B (0x1E1|SSL_ST_CONNECT)
375#define SSL3_ST_CR_CERT_STATUS_A (0x1F0|SSL_ST_CONNECT)
376#define SSL3_ST_CR_CERT_STATUS_B (0x1F1|SSL_ST_CONNECT)
377
378/* server */
379/* extra state */
380#define SSL3_ST_SW_FLUSH (0x100|SSL_ST_ACCEPT)
381/* read from client */
382/* Do not change the number values, they do matter */
383#define SSL3_ST_SR_CLNT_HELLO_A (0x110|SSL_ST_ACCEPT)
384#define SSL3_ST_SR_CLNT_HELLO_B (0x111|SSL_ST_ACCEPT)
385#define SSL3_ST_SR_CLNT_HELLO_C (0x112|SSL_ST_ACCEPT)
386/* write to client */
387#define DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A (0x113|SSL_ST_ACCEPT)
388#define DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B (0x114|SSL_ST_ACCEPT)
389#define SSL3_ST_SW_HELLO_REQ_A (0x120|SSL_ST_ACCEPT)
390#define SSL3_ST_SW_HELLO_REQ_B (0x121|SSL_ST_ACCEPT)
391#define SSL3_ST_SW_HELLO_REQ_C (0x122|SSL_ST_ACCEPT)
392#define SSL3_ST_SW_SRVR_HELLO_A (0x130|SSL_ST_ACCEPT)
393#define SSL3_ST_SW_SRVR_HELLO_B (0x131|SSL_ST_ACCEPT)
394#define SSL3_ST_SW_CERT_A (0x140|SSL_ST_ACCEPT)
395#define SSL3_ST_SW_CERT_B (0x141|SSL_ST_ACCEPT)
396#define SSL3_ST_SW_KEY_EXCH_A (0x150|SSL_ST_ACCEPT)
397#define SSL3_ST_SW_KEY_EXCH_B (0x151|SSL_ST_ACCEPT)
398#define SSL3_ST_SW_CERT_REQ_A (0x160|SSL_ST_ACCEPT)
399#define SSL3_ST_SW_CERT_REQ_B (0x161|SSL_ST_ACCEPT)
400#define SSL3_ST_SW_SRVR_DONE_A (0x170|SSL_ST_ACCEPT)
401#define SSL3_ST_SW_SRVR_DONE_B (0x171|SSL_ST_ACCEPT)
402/* read from client */
403#define SSL3_ST_SR_CERT_A (0x180|SSL_ST_ACCEPT)
404#define SSL3_ST_SR_CERT_B (0x181|SSL_ST_ACCEPT)
405#define SSL3_ST_SR_KEY_EXCH_A (0x190|SSL_ST_ACCEPT)
406#define SSL3_ST_SR_KEY_EXCH_B (0x191|SSL_ST_ACCEPT)
407#define SSL3_ST_SR_CERT_VRFY_A (0x1A0|SSL_ST_ACCEPT)
408#define SSL3_ST_SR_CERT_VRFY_B (0x1A1|SSL_ST_ACCEPT)
409#define SSL3_ST_SR_CHANGE_A (0x1B0|SSL_ST_ACCEPT)
410#define SSL3_ST_SR_CHANGE_B (0x1B1|SSL_ST_ACCEPT)
411#define SSL3_ST_SR_FINISHED_A (0x1C0|SSL_ST_ACCEPT)
412#define SSL3_ST_SR_FINISHED_B (0x1C1|SSL_ST_ACCEPT)
413/* write to client */
414#define SSL3_ST_SW_CHANGE_A (0x1D0|SSL_ST_ACCEPT)
415#define SSL3_ST_SW_CHANGE_B (0x1D1|SSL_ST_ACCEPT)
416#define SSL3_ST_SW_FINISHED_A (0x1E0|SSL_ST_ACCEPT)
417#define SSL3_ST_SW_FINISHED_B (0x1E1|SSL_ST_ACCEPT)
418#define SSL3_ST_SW_SESSION_TICKET_A (0x1F0|SSL_ST_ACCEPT)
419#define SSL3_ST_SW_SESSION_TICKET_B (0x1F1|SSL_ST_ACCEPT)
420#define SSL3_ST_SW_CERT_STATUS_A (0x200|SSL_ST_ACCEPT)
421#define SSL3_ST_SW_CERT_STATUS_B (0x201|SSL_ST_ACCEPT)
422
423#define SSL3_MT_HELLO_REQUEST 0
424#define SSL3_MT_CLIENT_HELLO 1
425#define SSL3_MT_SERVER_HELLO 2
426#define SSL3_MT_NEWSESSION_TICKET 4
427#define SSL3_MT_CERTIFICATE 11
428#define SSL3_MT_SERVER_KEY_EXCHANGE 12
429#define SSL3_MT_CERTIFICATE_REQUEST 13
430#define SSL3_MT_SERVER_DONE 14
431#define SSL3_MT_CERTIFICATE_VERIFY 15
432#define SSL3_MT_CLIENT_KEY_EXCHANGE 16
433#define SSL3_MT_FINISHED 20
434#define SSL3_MT_CERTIFICATE_STATUS 22
435
436#define DTLS1_MT_HELLO_VERIFY_REQUEST 3
437
438#define SSL3_MT_CCS 1
439
440#ifndef LIBRESSL_INTERNAL
441/* These are used when changing over to a new cipher */
442#define SSL3_CC_READ 0x01
443#define SSL3_CC_WRITE 0x02
444#define SSL3_CC_CLIENT 0x10
445#define SSL3_CC_SERVER 0x20
446#define SSL3_CHANGE_CIPHER_CLIENT_WRITE (SSL3_CC_CLIENT|SSL3_CC_WRITE)
447#define SSL3_CHANGE_CIPHER_SERVER_READ (SSL3_CC_SERVER|SSL3_CC_READ)
448#define SSL3_CHANGE_CIPHER_CLIENT_READ (SSL3_CC_CLIENT|SSL3_CC_READ)
449#define SSL3_CHANGE_CIPHER_SERVER_WRITE (SSL3_CC_SERVER|SSL3_CC_WRITE)
450#endif
451
452#ifdef __cplusplus
453}
454#endif
455#endif
diff --git a/src/lib/libssl/ssl_algs.c b/src/lib/libssl/ssl_algs.c
deleted file mode 100644
index ab23f4bc45..0000000000
--- a/src/lib/libssl/ssl_algs.c
+++ /dev/null
@@ -1,125 +0,0 @@
1/* $OpenBSD: ssl_algs.c,v 1.31 2022/11/26 16:08:55 tb Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#include <stdio.h>
60
61#include <openssl/lhash.h>
62#include <openssl/objects.h>
63#include <openssl/opensslconf.h>
64
65#include "ssl_local.h"
66
67int
68SSL_library_init(void)
69{
70
71#ifndef OPENSSL_NO_DES
72 EVP_add_cipher(EVP_des_cbc());
73 EVP_add_cipher(EVP_des_ede3_cbc());
74#endif
75#ifndef OPENSSL_NO_RC4
76 EVP_add_cipher(EVP_rc4());
77#if !defined(OPENSSL_NO_MD5) && (defined(__x86_64) || defined(__x86_64__))
78 EVP_add_cipher(EVP_rc4_hmac_md5());
79#endif
80#endif
81#ifndef OPENSSL_NO_RC2
82 EVP_add_cipher(EVP_rc2_cbc());
83 /* Not actually used for SSL/TLS but this makes PKCS#12 work
84 * if an application only calls SSL_library_init().
85 */
86 EVP_add_cipher(EVP_rc2_40_cbc());
87#endif
88 EVP_add_cipher(EVP_aes_128_cbc());
89 EVP_add_cipher(EVP_aes_192_cbc());
90 EVP_add_cipher(EVP_aes_256_cbc());
91 EVP_add_cipher(EVP_aes_128_gcm());
92 EVP_add_cipher(EVP_aes_256_gcm());
93 EVP_add_cipher(EVP_aes_128_cbc_hmac_sha1());
94 EVP_add_cipher(EVP_aes_256_cbc_hmac_sha1());
95#ifndef OPENSSL_NO_CAMELLIA
96 EVP_add_cipher(EVP_camellia_128_cbc());
97 EVP_add_cipher(EVP_camellia_256_cbc());
98#endif
99#ifndef OPENSSL_NO_GOST
100 EVP_add_cipher(EVP_gost2814789_cfb64());
101 EVP_add_cipher(EVP_gost2814789_cnt());
102#endif
103
104 EVP_add_digest(EVP_md5());
105 EVP_add_digest(EVP_md5_sha1());
106 EVP_add_digest_alias(SN_md5, "ssl2-md5");
107 EVP_add_digest_alias(SN_md5, "ssl3-md5");
108
109 EVP_add_digest(EVP_sha1()); /* RSA with sha1 */
110 EVP_add_digest_alias(SN_sha1, "ssl3-sha1");
111 EVP_add_digest_alias(SN_sha1WithRSAEncryption, SN_sha1WithRSA);
112 EVP_add_digest(EVP_sha224());
113 EVP_add_digest(EVP_sha256());
114 EVP_add_digest(EVP_sha384());
115 EVP_add_digest(EVP_sha512());
116#ifndef OPENSSL_NO_GOST
117 EVP_add_digest(EVP_gostr341194());
118 EVP_add_digest(EVP_gost2814789imit());
119 EVP_add_digest(EVP_streebog256());
120 EVP_add_digest(EVP_streebog512());
121#endif
122
123 return (1);
124}
125
diff --git a/src/lib/libssl/ssl_asn1.c b/src/lib/libssl/ssl_asn1.c
deleted file mode 100644
index 7684602129..0000000000
--- a/src/lib/libssl/ssl_asn1.c
+++ /dev/null
@@ -1,418 +0,0 @@
1/* $OpenBSD: ssl_asn1.c,v 1.66 2022/11/26 16:08:55 tb Exp $ */
2/*
3 * Copyright (c) 2016 Joel Sing <jsing@openbsd.org>
4 *
5 * Permission to use, copy, modify, and distribute this software for any
6 * purpose with or without fee is hereby granted, provided that the above
7 * copyright notice and this permission notice appear in all copies.
8 *
9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16 */
17
18#include <limits.h>
19
20#include <openssl/ssl.h>
21#include <openssl/x509.h>
22
23#include "bytestring.h"
24#include "ssl_local.h"
25
26#define SSLASN1_TAG (CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC)
27#define SSLASN1_TIME_TAG (SSLASN1_TAG | 1)
28#define SSLASN1_TIMEOUT_TAG (SSLASN1_TAG | 2)
29#define SSLASN1_PEER_CERT_TAG (SSLASN1_TAG | 3)
30#define SSLASN1_SESSION_ID_CTX_TAG (SSLASN1_TAG | 4)
31#define SSLASN1_VERIFY_RESULT_TAG (SSLASN1_TAG | 5)
32#define SSLASN1_HOSTNAME_TAG (SSLASN1_TAG | 6)
33#define SSLASN1_LIFETIME_TAG (SSLASN1_TAG | 9)
34#define SSLASN1_TICKET_TAG (SSLASN1_TAG | 10)
35
36static uint64_t
37time_max(void)
38{
39 if (sizeof(time_t) == sizeof(int32_t))
40 return INT32_MAX;
41 if (sizeof(time_t) == sizeof(int64_t))
42 return INT64_MAX;
43 return 0;
44}
45
46static int
47SSL_SESSION_encode(SSL_SESSION *s, unsigned char **out, size_t *out_len,
48 int ticket_encoding)
49{
50 CBB cbb, session, cipher_suite, session_id, master_key, time, timeout;
51 CBB peer_cert, sidctx, verify_result, hostname, lifetime, ticket, value;
52 unsigned char *peer_cert_bytes = NULL;
53 int len, rv = 0;
54 uint16_t cid;
55
56 if (!CBB_init(&cbb, 0))
57 goto err;
58
59 if (!CBB_add_asn1(&cbb, &session, CBS_ASN1_SEQUENCE))
60 goto err;
61
62 /* Session ASN1 version. */
63 if (!CBB_add_asn1_uint64(&session, SSL_SESSION_ASN1_VERSION))
64 goto err;
65
66 /* TLS/SSL protocol version. */
67 if (s->ssl_version < 0)
68 goto err;
69 if (!CBB_add_asn1_uint64(&session, s->ssl_version))
70 goto err;
71
72 /* Cipher suite ID. */
73 /* XXX - require cipher to be non-NULL or always/only use cipher_id. */
74 cid = (uint16_t)(s->cipher_id & SSL3_CK_VALUE_MASK);
75 if (s->cipher != NULL)
76 cid = ssl3_cipher_get_value(s->cipher);
77 if (!CBB_add_asn1(&session, &cipher_suite, CBS_ASN1_OCTETSTRING))
78 goto err;
79 if (!CBB_add_u16(&cipher_suite, cid))
80 goto err;
81
82 /* Session ID - zero length for a ticket. */
83 if (!CBB_add_asn1(&session, &session_id, CBS_ASN1_OCTETSTRING))
84 goto err;
85 if (!CBB_add_bytes(&session_id, s->session_id,
86 ticket_encoding ? 0 : s->session_id_length))
87 goto err;
88
89 /* Master key. */
90 if (!CBB_add_asn1(&session, &master_key, CBS_ASN1_OCTETSTRING))
91 goto err;
92 if (!CBB_add_bytes(&master_key, s->master_key, s->master_key_length))
93 goto err;
94
95 /* Time [1]. */
96 if (s->time != 0) {
97 if (s->time < 0)
98 goto err;
99 if (!CBB_add_asn1(&session, &time, SSLASN1_TIME_TAG))
100 goto err;
101 if (!CBB_add_asn1_uint64(&time, s->time))
102 goto err;
103 }
104
105 /* Timeout [2]. */
106 if (s->timeout != 0) {
107 if (s->timeout < 0)
108 goto err;
109 if (!CBB_add_asn1(&session, &timeout, SSLASN1_TIMEOUT_TAG))
110 goto err;
111 if (!CBB_add_asn1_uint64(&timeout, s->timeout))
112 goto err;
113 }
114
115 /* Peer certificate [3]. */
116 if (s->peer_cert != NULL) {
117 if ((len = i2d_X509(s->peer_cert, &peer_cert_bytes)) <= 0)
118 goto err;
119 if (!CBB_add_asn1(&session, &peer_cert, SSLASN1_PEER_CERT_TAG))
120 goto err;
121 if (!CBB_add_bytes(&peer_cert, peer_cert_bytes, len))
122 goto err;
123 }
124
125 /* Session ID context [4]. */
126 /* XXX - Actually handle this as optional? */
127 if (!CBB_add_asn1(&session, &sidctx, SSLASN1_SESSION_ID_CTX_TAG))
128 goto err;
129 if (!CBB_add_asn1(&sidctx, &value, CBS_ASN1_OCTETSTRING))
130 goto err;
131 if (!CBB_add_bytes(&value, s->sid_ctx, s->sid_ctx_length))
132 goto err;
133
134 /* Verify result [5]. */
135 if (s->verify_result != X509_V_OK) {
136 if (s->verify_result < 0)
137 goto err;
138 if (!CBB_add_asn1(&session, &verify_result,
139 SSLASN1_VERIFY_RESULT_TAG))
140 goto err;
141 if (!CBB_add_asn1_uint64(&verify_result, s->verify_result))
142 goto err;
143 }
144
145 /* Hostname [6]. */
146 if (s->tlsext_hostname != NULL) {
147 if (!CBB_add_asn1(&session, &hostname, SSLASN1_HOSTNAME_TAG))
148 goto err;
149 if (!CBB_add_asn1(&hostname, &value, CBS_ASN1_OCTETSTRING))
150 goto err;
151 if (!CBB_add_bytes(&value, (const uint8_t *)s->tlsext_hostname,
152 strlen(s->tlsext_hostname)))
153 goto err;
154 }
155
156 /* PSK identity hint [7]. */
157 /* PSK identity [8]. */
158
159 /* Ticket lifetime hint [9]. */
160 if (s->tlsext_tick_lifetime_hint > 0) {
161 if (!CBB_add_asn1(&session, &lifetime, SSLASN1_LIFETIME_TAG))
162 goto err;
163 if (!CBB_add_asn1_uint64(&lifetime,
164 s->tlsext_tick_lifetime_hint))
165 goto err;
166 }
167
168 /* Ticket [10]. */
169 if (s->tlsext_tick != NULL) {
170 if (!CBB_add_asn1(&session, &ticket, SSLASN1_TICKET_TAG))
171 goto err;
172 if (!CBB_add_asn1(&ticket, &value, CBS_ASN1_OCTETSTRING))
173 goto err;
174 if (!CBB_add_bytes(&value, s->tlsext_tick, s->tlsext_ticklen))
175 goto err;
176 }
177
178 /* Compression method [11]. */
179 /* SRP username [12]. */
180
181 if (!CBB_finish(&cbb, out, out_len))
182 goto err;
183
184 rv = 1;
185
186 err:
187 CBB_cleanup(&cbb);
188 free(peer_cert_bytes);
189
190 return rv;
191}
192
193int
194SSL_SESSION_ticket(SSL_SESSION *ss, unsigned char **out, size_t *out_len)
195{
196 if (ss == NULL)
197 return 0;
198
199 if (ss->cipher == NULL && ss->cipher_id == 0)
200 return 0;
201
202 return SSL_SESSION_encode(ss, out, out_len, 1);
203}
204
205int
206i2d_SSL_SESSION(SSL_SESSION *ss, unsigned char **pp)
207{
208 unsigned char *data = NULL;
209 size_t data_len = 0;
210 int rv = -1;
211
212 if (ss == NULL)
213 return 0;
214
215 if (ss->cipher == NULL && ss->cipher_id == 0)
216 return 0;
217
218 if (!SSL_SESSION_encode(ss, &data, &data_len, 0))
219 goto err;
220
221 if (data_len > INT_MAX)
222 goto err;
223
224 if (pp != NULL) {
225 if (*pp == NULL) {
226 *pp = data;
227 data = NULL;
228 } else {
229 memcpy(*pp, data, data_len);
230 *pp += data_len;
231 }
232 }
233
234 rv = (int)data_len;
235
236 err:
237 freezero(data, data_len);
238
239 return rv;
240}
241
242SSL_SESSION *
243d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp, long length)
244{
245 CBS cbs, session, cipher_suite, session_id, master_key, peer_cert;
246 CBS hostname, ticket;
247 uint64_t version, tls_version, stime, timeout, verify_result, lifetime;
248 const unsigned char *peer_cert_bytes;
249 uint16_t cipher_value;
250 SSL_SESSION *s = NULL;
251 size_t data_len;
252 int present;
253
254 if (a != NULL)
255 s = *a;
256
257 if (s == NULL) {
258 if ((s = SSL_SESSION_new()) == NULL) {
259 SSLerrorx(ERR_R_MALLOC_FAILURE);
260 return (NULL);
261 }
262 }
263
264 CBS_init(&cbs, *pp, length);
265
266 if (!CBS_get_asn1(&cbs, &session, CBS_ASN1_SEQUENCE))
267 goto err;
268
269 /* Session ASN1 version. */
270 if (!CBS_get_asn1_uint64(&session, &version))
271 goto err;
272 if (version != SSL_SESSION_ASN1_VERSION)
273 goto err;
274
275 /* TLS/SSL Protocol Version. */
276 if (!CBS_get_asn1_uint64(&session, &tls_version))
277 goto err;
278 if (tls_version > INT_MAX)
279 goto err;
280 s->ssl_version = (int)tls_version;
281
282 /* Cipher suite. */
283 if (!CBS_get_asn1(&session, &cipher_suite, CBS_ASN1_OCTETSTRING))
284 goto err;
285 if (!CBS_get_u16(&cipher_suite, &cipher_value))
286 goto err;
287 if (CBS_len(&cipher_suite) != 0)
288 goto err;
289
290 /* XXX - populate cipher instead? */
291 s->cipher = NULL;
292 s->cipher_id = SSL3_CK_ID | cipher_value;
293
294 /* Session ID. */
295 if (!CBS_get_asn1(&session, &session_id, CBS_ASN1_OCTETSTRING))
296 goto err;
297 if (!CBS_write_bytes(&session_id, s->session_id, sizeof(s->session_id),
298 &s->session_id_length))
299 goto err;
300
301 /* Master key. */
302 if (!CBS_get_asn1(&session, &master_key, CBS_ASN1_OCTETSTRING))
303 goto err;
304 if (!CBS_write_bytes(&master_key, s->master_key, sizeof(s->master_key),
305 &s->master_key_length))
306 goto err;
307
308 /* Time [1]. */
309 s->time = time(NULL);
310 if (!CBS_get_optional_asn1_uint64(&session, &stime, SSLASN1_TIME_TAG,
311 0))
312 goto err;
313 if (stime > time_max())
314 goto err;
315 if (stime != 0)
316 s->time = (time_t)stime;
317
318 /* Timeout [2]. */
319 s->timeout = 3;
320 if (!CBS_get_optional_asn1_uint64(&session, &timeout,
321 SSLASN1_TIMEOUT_TAG, 0))
322 goto err;
323 if (timeout > LONG_MAX)
324 goto err;
325 if (timeout != 0)
326 s->timeout = (long)timeout;
327
328 /* Peer certificate [3]. */
329 X509_free(s->peer_cert);
330 s->peer_cert = NULL;
331 if (!CBS_get_optional_asn1(&session, &peer_cert, &present,
332 SSLASN1_PEER_CERT_TAG))
333 goto err;
334 if (present) {
335 data_len = CBS_len(&peer_cert);
336 if (data_len > LONG_MAX)
337 goto err;
338 peer_cert_bytes = CBS_data(&peer_cert);
339 if (d2i_X509(&s->peer_cert, &peer_cert_bytes,
340 (long)data_len) == NULL)
341 goto err;
342 }
343
344 /* Session ID context [4]. */
345 s->sid_ctx_length = 0;
346 if (!CBS_get_optional_asn1_octet_string(&session, &session_id, &present,
347 SSLASN1_SESSION_ID_CTX_TAG))
348 goto err;
349 if (present) {
350 if (!CBS_write_bytes(&session_id, (uint8_t *)&s->sid_ctx,
351 sizeof(s->sid_ctx), &s->sid_ctx_length))
352 goto err;
353 }
354
355 /* Verify result [5]. */
356 s->verify_result = X509_V_OK;
357 if (!CBS_get_optional_asn1_uint64(&session, &verify_result,
358 SSLASN1_VERIFY_RESULT_TAG, X509_V_OK))
359 goto err;
360 if (verify_result > LONG_MAX)
361 goto err;
362 s->verify_result = (long)verify_result;
363
364 /* Hostname [6]. */
365 free(s->tlsext_hostname);
366 s->tlsext_hostname = NULL;
367 if (!CBS_get_optional_asn1_octet_string(&session, &hostname, &present,
368 SSLASN1_HOSTNAME_TAG))
369 goto err;
370 if (present) {
371 if (CBS_contains_zero_byte(&hostname))
372 goto err;
373 if (!CBS_strdup(&hostname, &s->tlsext_hostname))
374 goto err;
375 }
376
377 /* PSK identity hint [7]. */
378 /* PSK identity [8]. */
379
380 /* Ticket lifetime [9]. */
381 s->tlsext_tick_lifetime_hint = 0;
382 if (!CBS_get_optional_asn1_uint64(&session, &lifetime,
383 SSLASN1_LIFETIME_TAG, 0))
384 goto err;
385 if (lifetime > UINT32_MAX)
386 goto err;
387 if (lifetime > 0)
388 s->tlsext_tick_lifetime_hint = (uint32_t)lifetime;
389
390 /* Ticket [10]. */
391 free(s->tlsext_tick);
392 s->tlsext_tick = NULL;
393 if (!CBS_get_optional_asn1_octet_string(&session, &ticket, &present,
394 SSLASN1_TICKET_TAG))
395 goto err;
396 if (present) {
397 if (!CBS_stow(&ticket, &s->tlsext_tick, &s->tlsext_ticklen))
398 goto err;
399 }
400
401 /* Compression method [11]. */
402 /* SRP username [12]. */
403
404 *pp = CBS_data(&cbs);
405
406 if (a != NULL)
407 *a = s;
408
409 return (s);
410
411 err:
412 ERR_asprintf_error_data("offset=%d", (int)(CBS_data(&cbs) - *pp));
413
414 if (s != NULL && (a == NULL || *a != s))
415 SSL_SESSION_free(s);
416
417 return (NULL);
418}
diff --git a/src/lib/libssl/ssl_both.c b/src/lib/libssl/ssl_both.c
deleted file mode 100644
index 3feedc18f2..0000000000
--- a/src/lib/libssl/ssl_both.c
+++ /dev/null
@@ -1,579 +0,0 @@
1/* $OpenBSD: ssl_both.c,v 1.45 2022/11/26 16:08:55 tb Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58/* ====================================================================
59 * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved.
60 *
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
63 * are met:
64 *
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
67 *
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
71 * distribution.
72 *
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77 *
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
82 *
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
86 *
87 * 6. Redistributions of any form whatsoever must retain the following
88 * acknowledgment:
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91 *
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
105 *
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
109 *
110 */
111/* ====================================================================
112 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
113 * ECC cipher suite support in OpenSSL originally developed by
114 * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
115 */
116
117#include <limits.h>
118#include <stdio.h>
119#include <string.h>
120
121#include <openssl/buffer.h>
122#include <openssl/evp.h>
123#include <openssl/objects.h>
124#include <openssl/x509.h>
125
126#include "bytestring.h"
127#include "dtls_local.h"
128#include "ssl_local.h"
129
130/*
131 * Send s->init_buf in records of type 'type' (SSL3_RT_HANDSHAKE or
132 * SSL3_RT_CHANGE_CIPHER_SPEC).
133 */
134int
135ssl3_do_write(SSL *s, int type)
136{
137 int ret;
138
139 ret = ssl3_write_bytes(s, type, &s->init_buf->data[s->init_off],
140 s->init_num);
141 if (ret < 0)
142 return (-1);
143
144 if (type == SSL3_RT_HANDSHAKE)
145 /*
146 * Should not be done for 'Hello Request's, but in that case
147 * we'll ignore the result anyway.
148 */
149 tls1_transcript_record(s,
150 (unsigned char *)&s->init_buf->data[s->init_off], ret);
151
152 if (ret == s->init_num) {
153 ssl_msg_callback(s, 1, type, s->init_buf->data,
154 (size_t)(s->init_off + s->init_num));
155 return (1);
156 }
157
158 s->init_off += ret;
159 s->init_num -= ret;
160
161 return (0);
162}
163
164static int
165ssl3_add_cert(CBB *cbb, X509 *x)
166{
167 unsigned char *data;
168 int cert_len;
169 int ret = 0;
170 CBB cert;
171
172 if ((cert_len = i2d_X509(x, NULL)) < 0)
173 goto err;
174
175 if (!CBB_add_u24_length_prefixed(cbb, &cert))
176 goto err;
177 if (!CBB_add_space(&cert, &data, cert_len))
178 goto err;
179 if (i2d_X509(x, &data) < 0)
180 goto err;
181 if (!CBB_flush(cbb))
182 goto err;
183
184 ret = 1;
185
186 err:
187 return (ret);
188}
189
190int
191ssl3_output_cert_chain(SSL *s, CBB *cbb, SSL_CERT_PKEY *cpk)
192{
193 X509_STORE_CTX *xs_ctx = NULL;
194 STACK_OF(X509) *chain;
195 CBB cert_list;
196 X509 *x;
197 int ret = 0;
198 int i;
199
200 if (!CBB_add_u24_length_prefixed(cbb, &cert_list))
201 goto err;
202
203 /* Send an empty certificate list when no certificate is available. */
204 if (cpk == NULL)
205 goto done;
206
207 if ((chain = cpk->chain) == NULL)
208 chain = s->ctx->extra_certs;
209
210 if (chain != NULL || (s->mode & SSL_MODE_NO_AUTO_CHAIN)) {
211 if (!ssl3_add_cert(&cert_list, cpk->x509))
212 goto err;
213 } else {
214 if ((xs_ctx = X509_STORE_CTX_new()) == NULL)
215 goto err;
216 if (!X509_STORE_CTX_init(xs_ctx, s->ctx->cert_store,
217 cpk->x509, NULL)) {
218 SSLerror(s, ERR_R_X509_LIB);
219 goto err;
220 }
221 X509_VERIFY_PARAM_set_flags(X509_STORE_CTX_get0_param(xs_ctx),
222 X509_V_FLAG_LEGACY_VERIFY);
223 X509_verify_cert(xs_ctx);
224 ERR_clear_error();
225 chain = X509_STORE_CTX_get0_chain(xs_ctx);
226 }
227
228 for (i = 0; i < sk_X509_num(chain); i++) {
229 x = sk_X509_value(chain, i);
230 if (!ssl3_add_cert(&cert_list, x))
231 goto err;
232 }
233
234 done:
235 if (!CBB_flush(cbb))
236 goto err;
237
238 ret = 1;
239
240 err:
241 X509_STORE_CTX_free(xs_ctx);
242
243 return (ret);
244}
245
246/*
247 * Obtain handshake message of message type 'mt' (any if mt == -1),
248 * maximum acceptable body length 'max'.
249 * The first four bytes (msg_type and length) are read in state 'st1',
250 * the body is read in state 'stn'.
251 */
252int
253ssl3_get_message(SSL *s, int st1, int stn, int mt, long max)
254{
255 unsigned char *p;
256 uint32_t l;
257 long n;
258 int i, al;
259 CBS cbs;
260 uint8_t u8;
261
262 if (SSL_is_dtls(s))
263 return dtls1_get_message(s, st1, stn, mt, max);
264
265 if (s->s3->hs.tls12.reuse_message) {
266 s->s3->hs.tls12.reuse_message = 0;
267 if ((mt >= 0) && (s->s3->hs.tls12.message_type != mt)) {
268 al = SSL_AD_UNEXPECTED_MESSAGE;
269 SSLerror(s, SSL_R_UNEXPECTED_MESSAGE);
270 goto fatal_err;
271 }
272 s->init_msg = s->init_buf->data +
273 SSL3_HM_HEADER_LENGTH;
274 s->init_num = (int)s->s3->hs.tls12.message_size;
275 return 1;
276 }
277
278 p = (unsigned char *)s->init_buf->data;
279
280 if (s->s3->hs.state == st1) {
281 int skip_message;
282
283 do {
284 while (s->init_num < SSL3_HM_HEADER_LENGTH) {
285 i = s->method->ssl_read_bytes(s,
286 SSL3_RT_HANDSHAKE, &p[s->init_num],
287 SSL3_HM_HEADER_LENGTH - s->init_num, 0);
288 if (i <= 0) {
289 s->rwstate = SSL_READING;
290 return i;
291 }
292 s->init_num += i;
293 }
294
295 skip_message = 0;
296 if (!s->server && p[0] == SSL3_MT_HELLO_REQUEST) {
297 /*
298 * The server may always send 'Hello Request'
299 * messages -- we are doing a handshake anyway
300 * now, so ignore them if their format is
301 * correct. Does not count for 'Finished' MAC.
302 */
303 if (p[1] == 0 && p[2] == 0 &&p[3] == 0) {
304 s->init_num = 0;
305 skip_message = 1;
306
307 ssl_msg_callback(s, 0,
308 SSL3_RT_HANDSHAKE, p,
309 SSL3_HM_HEADER_LENGTH);
310 }
311 }
312 } while (skip_message);
313
314 if ((mt >= 0) && (*p != mt)) {
315 al = SSL_AD_UNEXPECTED_MESSAGE;
316 SSLerror(s, SSL_R_UNEXPECTED_MESSAGE);
317 goto fatal_err;
318 }
319
320 CBS_init(&cbs, p, SSL3_HM_HEADER_LENGTH);
321 if (!CBS_get_u8(&cbs, &u8) ||
322 !CBS_get_u24(&cbs, &l)) {
323 SSLerror(s, ERR_R_BUF_LIB);
324 goto err;
325 }
326 s->s3->hs.tls12.message_type = u8;
327
328 if (l > (unsigned long)max) {
329 al = SSL_AD_ILLEGAL_PARAMETER;
330 SSLerror(s, SSL_R_EXCESSIVE_MESSAGE_SIZE);
331 goto fatal_err;
332 }
333 if (l && !BUF_MEM_grow_clean(s->init_buf,
334 l + SSL3_HM_HEADER_LENGTH)) {
335 SSLerror(s, ERR_R_BUF_LIB);
336 goto err;
337 }
338 s->s3->hs.tls12.message_size = l;
339 s->s3->hs.state = stn;
340
341 s->init_msg = s->init_buf->data +
342 SSL3_HM_HEADER_LENGTH;
343 s->init_num = 0;
344 }
345
346 /* next state (stn) */
347 p = s->init_msg;
348 n = s->s3->hs.tls12.message_size - s->init_num;
349 while (n > 0) {
350 i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE,
351 &p[s->init_num], n, 0);
352 if (i <= 0) {
353 s->rwstate = SSL_READING;
354 return i;
355 }
356 s->init_num += i;
357 n -= i;
358 }
359
360 /* Feed this message into MAC computation. */
361 if (s->mac_packet) {
362 tls1_transcript_record(s, (unsigned char *)s->init_buf->data,
363 s->init_num + SSL3_HM_HEADER_LENGTH);
364
365 ssl_msg_callback(s, 0, SSL3_RT_HANDSHAKE,
366 s->init_buf->data,
367 (size_t)s->init_num + SSL3_HM_HEADER_LENGTH);
368 }
369
370 return 1;
371
372 fatal_err:
373 ssl3_send_alert(s, SSL3_AL_FATAL, al);
374 err:
375 return -1;
376}
377
378int
379ssl_cert_type(EVP_PKEY *pkey)
380{
381 if (pkey == NULL)
382 return -1;
383
384 switch (EVP_PKEY_id(pkey)) {
385 case EVP_PKEY_EC:
386 return SSL_PKEY_ECC;
387 case NID_id_GostR3410_2001:
388 case NID_id_GostR3410_2001_cc:
389 return SSL_PKEY_GOST01;
390 case EVP_PKEY_RSA:
391 return SSL_PKEY_RSA;
392 }
393
394 return -1;
395}
396
397int
398ssl_verify_alarm_type(long type)
399{
400 int al;
401
402 switch (type) {
403 case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
404 case X509_V_ERR_UNABLE_TO_GET_CRL:
405 case X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER:
406 al = SSL_AD_UNKNOWN_CA;
407 break;
408 case X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE:
409 case X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE:
410 case X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY:
411 case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
412 case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
413 case X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD:
414 case X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD:
415 case X509_V_ERR_CERT_NOT_YET_VALID:
416 case X509_V_ERR_CRL_NOT_YET_VALID:
417 case X509_V_ERR_CERT_UNTRUSTED:
418 case X509_V_ERR_CERT_REJECTED:
419 al = SSL_AD_BAD_CERTIFICATE;
420 break;
421 case X509_V_ERR_CERT_SIGNATURE_FAILURE:
422 case X509_V_ERR_CRL_SIGNATURE_FAILURE:
423 al = SSL_AD_DECRYPT_ERROR;
424 break;
425 case X509_V_ERR_CERT_HAS_EXPIRED:
426 case X509_V_ERR_CRL_HAS_EXPIRED:
427 al = SSL_AD_CERTIFICATE_EXPIRED;
428 break;
429 case X509_V_ERR_CERT_REVOKED:
430 al = SSL_AD_CERTIFICATE_REVOKED;
431 break;
432 case X509_V_ERR_OUT_OF_MEM:
433 al = SSL_AD_INTERNAL_ERROR;
434 break;
435 case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
436 case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN:
437 case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:
438 case X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE:
439 case X509_V_ERR_CERT_CHAIN_TOO_LONG:
440 case X509_V_ERR_PATH_LENGTH_EXCEEDED:
441 case X509_V_ERR_INVALID_CA:
442 al = SSL_AD_UNKNOWN_CA;
443 break;
444 case X509_V_ERR_APPLICATION_VERIFICATION:
445 al = SSL_AD_HANDSHAKE_FAILURE;
446 break;
447 case X509_V_ERR_INVALID_PURPOSE:
448 al = SSL_AD_UNSUPPORTED_CERTIFICATE;
449 break;
450 default:
451 al = SSL_AD_CERTIFICATE_UNKNOWN;
452 break;
453 }
454 return (al);
455}
456
457int
458ssl3_setup_init_buffer(SSL *s)
459{
460 BUF_MEM *buf = NULL;
461
462 if (s->init_buf != NULL)
463 return (1);
464
465 if ((buf = BUF_MEM_new()) == NULL)
466 goto err;
467 if (!BUF_MEM_grow(buf, SSL3_RT_MAX_PLAIN_LENGTH))
468 goto err;
469
470 s->init_buf = buf;
471 return (1);
472
473 err:
474 BUF_MEM_free(buf);
475 return (0);
476}
477
478void
479ssl3_release_init_buffer(SSL *s)
480{
481 BUF_MEM_free(s->init_buf);
482 s->init_buf = NULL;
483 s->init_msg = NULL;
484 s->init_num = 0;
485 s->init_off = 0;
486}
487
488int
489ssl3_setup_read_buffer(SSL *s)
490{
491 unsigned char *p;
492 size_t len, align, headerlen;
493
494 if (SSL_is_dtls(s))
495 headerlen = DTLS1_RT_HEADER_LENGTH;
496 else
497 headerlen = SSL3_RT_HEADER_LENGTH;
498
499 align = (-SSL3_RT_HEADER_LENGTH) & (SSL3_ALIGN_PAYLOAD - 1);
500
501 if (s->s3->rbuf.buf == NULL) {
502 len = SSL3_RT_MAX_PLAIN_LENGTH +
503 SSL3_RT_MAX_ENCRYPTED_OVERHEAD + headerlen + align;
504 if ((p = calloc(1, len)) == NULL)
505 goto err;
506 s->s3->rbuf.buf = p;
507 s->s3->rbuf.len = len;
508 }
509
510 s->packet = s->s3->rbuf.buf;
511 return 1;
512
513 err:
514 SSLerror(s, ERR_R_MALLOC_FAILURE);
515 return 0;
516}
517
518int
519ssl3_setup_write_buffer(SSL *s)
520{
521 unsigned char *p;
522 size_t len, align, headerlen;
523
524 if (SSL_is_dtls(s))
525 headerlen = DTLS1_RT_HEADER_LENGTH + 1;
526 else
527 headerlen = SSL3_RT_HEADER_LENGTH;
528
529 align = (-SSL3_RT_HEADER_LENGTH) & (SSL3_ALIGN_PAYLOAD - 1);
530
531 if (s->s3->wbuf.buf == NULL) {
532 len = s->max_send_fragment +
533 SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD + headerlen + align;
534 if (!(s->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS))
535 len += headerlen + align +
536 SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD;
537
538 if ((p = calloc(1, len)) == NULL)
539 goto err;
540 s->s3->wbuf.buf = p;
541 s->s3->wbuf.len = len;
542 }
543
544 return 1;
545
546 err:
547 SSLerror(s, ERR_R_MALLOC_FAILURE);
548 return 0;
549}
550
551int
552ssl3_setup_buffers(SSL *s)
553{
554 if (!ssl3_setup_read_buffer(s))
555 return 0;
556 if (!ssl3_setup_write_buffer(s))
557 return 0;
558 return 1;
559}
560
561void
562ssl3_release_buffer(SSL3_BUFFER_INTERNAL *b)
563{
564 freezero(b->buf, b->len);
565 b->buf = NULL;
566 b->len = 0;
567}
568
569void
570ssl3_release_read_buffer(SSL *s)
571{
572 ssl3_release_buffer(&s->s3->rbuf);
573}
574
575void
576ssl3_release_write_buffer(SSL *s)
577{
578 ssl3_release_buffer(&s->s3->wbuf);
579}
diff --git a/src/lib/libssl/ssl_cert.c b/src/lib/libssl/ssl_cert.c
deleted file mode 100644
index 4fe805212b..0000000000
--- a/src/lib/libssl/ssl_cert.c
+++ /dev/null
@@ -1,730 +0,0 @@
1/* $OpenBSD: ssl_cert.c,v 1.105 2022/11/26 16:08:55 tb Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58/* ====================================================================
59 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
60 *
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
63 * are met:
64 *
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
67 *
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
71 * distribution.
72 *
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77 *
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
82 *
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
86 *
87 * 6. Redistributions of any form whatsoever must retain the following
88 * acknowledgment:
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91 *
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
105 *
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
109 *
110 */
111/* ====================================================================
112 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
113 * ECC cipher suite support in OpenSSL originally developed by
114 * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
115 */
116
117#include <sys/types.h>
118
119#include <dirent.h>
120#include <stdio.h>
121#include <unistd.h>
122
123#include <openssl/bio.h>
124#include <openssl/bn.h>
125#include <openssl/dh.h>
126#include <openssl/objects.h>
127#include <openssl/opensslconf.h>
128#include <openssl/pem.h>
129#include <openssl/x509v3.h>
130
131#include "ssl_local.h"
132
133int
134SSL_get_ex_data_X509_STORE_CTX_idx(void)
135{
136 static volatile int ssl_x509_store_ctx_idx = -1;
137 int got_write_lock = 0;
138
139 CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX);
140
141 if (ssl_x509_store_ctx_idx < 0) {
142 CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX);
143 CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
144 got_write_lock = 1;
145
146 if (ssl_x509_store_ctx_idx < 0) {
147 ssl_x509_store_ctx_idx =
148 X509_STORE_CTX_get_ex_new_index(
149 0, "SSL for verify callback", NULL, NULL, NULL);
150 }
151 }
152
153 if (got_write_lock)
154 CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
155 else
156 CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX);
157
158 return ssl_x509_store_ctx_idx;
159}
160
161SSL_CERT *
162ssl_cert_new(void)
163{
164 SSL_CERT *ret;
165
166 ret = calloc(1, sizeof(SSL_CERT));
167 if (ret == NULL) {
168 SSLerrorx(ERR_R_MALLOC_FAILURE);
169 return (NULL);
170 }
171 ret->key = &(ret->pkeys[SSL_PKEY_RSA]);
172 ret->references = 1;
173 ret->security_cb = ssl_security_default_cb;
174 ret->security_level = OPENSSL_TLS_SECURITY_LEVEL;
175 ret->security_ex_data = NULL;
176 return (ret);
177}
178
179SSL_CERT *
180ssl_cert_dup(SSL_CERT *cert)
181{
182 SSL_CERT *ret;
183 int i;
184
185 ret = calloc(1, sizeof(SSL_CERT));
186 if (ret == NULL) {
187 SSLerrorx(ERR_R_MALLOC_FAILURE);
188 return (NULL);
189 }
190
191 /*
192 * same as ret->key = ret->pkeys + (cert->key - cert->pkeys),
193 * if you find that more readable
194 */
195 ret->key = &ret->pkeys[cert->key - &cert->pkeys[0]];
196
197 ret->valid = cert->valid;
198 ret->mask_k = cert->mask_k;
199 ret->mask_a = cert->mask_a;
200
201 if (cert->dhe_params != NULL) {
202 ret->dhe_params = DHparams_dup(cert->dhe_params);
203 if (ret->dhe_params == NULL) {
204 SSLerrorx(ERR_R_DH_LIB);
205 goto err;
206 }
207 }
208 ret->dhe_params_cb = cert->dhe_params_cb;
209 ret->dhe_params_auto = cert->dhe_params_auto;
210
211 for (i = 0; i < SSL_PKEY_NUM; i++) {
212 if (cert->pkeys[i].x509 != NULL) {
213 ret->pkeys[i].x509 = cert->pkeys[i].x509;
214 X509_up_ref(ret->pkeys[i].x509);
215 }
216
217 if (cert->pkeys[i].privatekey != NULL) {
218 ret->pkeys[i].privatekey = cert->pkeys[i].privatekey;
219 EVP_PKEY_up_ref(ret->pkeys[i].privatekey);
220 switch (i) {
221 /*
222 * If there was anything special to do for
223 * certain types of keys, we'd do it here.
224 * (Nothing at the moment, I think.)
225 */
226
227 case SSL_PKEY_RSA:
228 /* We have an RSA key. */
229 break;
230
231 case SSL_PKEY_ECC:
232 /* We have an ECC key */
233 break;
234
235 case SSL_PKEY_GOST01:
236 /* We have a GOST key */
237 break;
238
239 default:
240 /* Can't happen. */
241 SSLerrorx(SSL_R_LIBRARY_BUG);
242 }
243 }
244
245 if (cert->pkeys[i].chain != NULL) {
246 if ((ret->pkeys[i].chain =
247 X509_chain_up_ref(cert->pkeys[i].chain)) == NULL)
248 goto err;
249 }
250 }
251
252 ret->security_cb = cert->security_cb;
253 ret->security_level = cert->security_level;
254 ret->security_ex_data = cert->security_ex_data;
255
256 /*
257 * ret->extra_certs *should* exist, but currently the own certificate
258 * chain is held inside SSL_CTX
259 */
260
261 ret->references = 1;
262
263 return (ret);
264
265 err:
266 DH_free(ret->dhe_params);
267
268 for (i = 0; i < SSL_PKEY_NUM; i++) {
269 X509_free(ret->pkeys[i].x509);
270 EVP_PKEY_free(ret->pkeys[i].privatekey);
271 sk_X509_pop_free(ret->pkeys[i].chain, X509_free);
272 }
273 free (ret);
274 return NULL;
275}
276
277
278void
279ssl_cert_free(SSL_CERT *c)
280{
281 int i;
282
283 if (c == NULL)
284 return;
285
286 i = CRYPTO_add(&c->references, -1, CRYPTO_LOCK_SSL_CERT);
287 if (i > 0)
288 return;
289
290 DH_free(c->dhe_params);
291
292 for (i = 0; i < SSL_PKEY_NUM; i++) {
293 X509_free(c->pkeys[i].x509);
294 EVP_PKEY_free(c->pkeys[i].privatekey);
295 sk_X509_pop_free(c->pkeys[i].chain, X509_free);
296 }
297
298 free(c);
299}
300
301SSL_CERT *
302ssl_get0_cert(SSL_CTX *ctx, SSL *ssl)
303{
304 if (ssl != NULL)
305 return ssl->cert;
306
307 return ctx->cert;
308}
309
310int
311ssl_cert_set0_chain(SSL_CTX *ctx, SSL *ssl, STACK_OF(X509) *chain)
312{
313 SSL_CERT *ssl_cert;
314 SSL_CERT_PKEY *cpk;
315 X509 *x509;
316 int ssl_err;
317 int i;
318
319 if ((ssl_cert = ssl_get0_cert(ctx, ssl)) == NULL)
320 return 0;
321
322 if ((cpk = ssl_cert->key) == NULL)
323 return 0;
324
325 for (i = 0; i < sk_X509_num(chain); i++) {
326 x509 = sk_X509_value(chain, i);
327 if (!ssl_security_cert(ctx, ssl, x509, 0, &ssl_err)) {
328 SSLerrorx(ssl_err);
329 return 0;
330 }
331 }
332
333 sk_X509_pop_free(cpk->chain, X509_free);
334 cpk->chain = chain;
335
336 return 1;
337}
338
339int
340ssl_cert_set1_chain(SSL_CTX *ctx, SSL *ssl, STACK_OF(X509) *chain)
341{
342 STACK_OF(X509) *new_chain = NULL;
343
344 if (chain != NULL) {
345 if ((new_chain = X509_chain_up_ref(chain)) == NULL)
346 return 0;
347 }
348 if (!ssl_cert_set0_chain(ctx, ssl, new_chain)) {
349 sk_X509_pop_free(new_chain, X509_free);
350 return 0;
351 }
352
353 return 1;
354}
355
356int
357ssl_cert_add0_chain_cert(SSL_CTX *ctx, SSL *ssl, X509 *cert)
358{
359 SSL_CERT *ssl_cert;
360 SSL_CERT_PKEY *cpk;
361 int ssl_err;
362
363 if ((ssl_cert = ssl_get0_cert(ctx, ssl)) == NULL)
364 return 0;
365
366 if ((cpk = ssl_cert->key) == NULL)
367 return 0;
368
369 if (!ssl_security_cert(ctx, ssl, cert, 0, &ssl_err)) {
370 SSLerrorx(ssl_err);
371 return 0;
372 }
373
374 if (cpk->chain == NULL) {
375 if ((cpk->chain = sk_X509_new_null()) == NULL)
376 return 0;
377 }
378 if (!sk_X509_push(cpk->chain, cert))
379 return 0;
380
381 return 1;
382}
383
384int
385ssl_cert_add1_chain_cert(SSL_CTX *ctx, SSL *ssl, X509 *cert)
386{
387 if (!ssl_cert_add0_chain_cert(ctx, ssl, cert))
388 return 0;
389
390 X509_up_ref(cert);
391
392 return 1;
393}
394
395int
396ssl_verify_cert_chain(SSL *s, STACK_OF(X509) *certs)
397{
398 X509_STORE_CTX *ctx = NULL;
399 X509_VERIFY_PARAM *param;
400 X509 *cert;
401 int ret = 0;
402
403 if (sk_X509_num(certs) < 1)
404 goto err;
405
406 if ((ctx = X509_STORE_CTX_new()) == NULL)
407 goto err;
408
409 cert = sk_X509_value(certs, 0);
410 if (!X509_STORE_CTX_init(ctx, s->ctx->cert_store, cert, certs)) {
411 SSLerror(s, ERR_R_X509_LIB);
412 goto err;
413 }
414 X509_STORE_CTX_set_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx(), s);
415
416 /*
417 * We need to inherit the verify parameters. These can be
418 * determined by the context: if its a server it will verify
419 * SSL client certificates or vice versa.
420 */
421 X509_STORE_CTX_set_default(ctx, s->server ? "ssl_client" : "ssl_server");
422
423 param = X509_STORE_CTX_get0_param(ctx);
424
425 X509_VERIFY_PARAM_set_auth_level(param, SSL_get_security_level(s));
426
427 /*
428 * Anything non-default in "param" should overwrite anything
429 * in the ctx.
430 */
431 X509_VERIFY_PARAM_set1(param, s->param);
432
433 if (s->verify_callback)
434 X509_STORE_CTX_set_verify_cb(ctx, s->verify_callback);
435
436 if (s->ctx->app_verify_callback != NULL)
437 ret = s->ctx->app_verify_callback(ctx,
438 s->ctx->app_verify_arg);
439 else
440 ret = X509_verify_cert(ctx);
441
442 s->verify_result = X509_STORE_CTX_get_error(ctx);
443 sk_X509_pop_free(s->verified_chain, X509_free);
444 s->verified_chain = NULL;
445 if (X509_STORE_CTX_get0_chain(ctx) != NULL) {
446 s->verified_chain = X509_STORE_CTX_get1_chain(ctx);
447 if (s->verified_chain == NULL) {
448 SSLerrorx(ERR_R_MALLOC_FAILURE);
449 ret = 0;
450 }
451 }
452
453 err:
454 X509_STORE_CTX_free(ctx);
455
456 return (ret);
457}
458
459static void
460set_client_CA_list(STACK_OF(X509_NAME) **ca_list,
461 STACK_OF(X509_NAME) *name_list)
462{
463 sk_X509_NAME_pop_free(*ca_list, X509_NAME_free);
464 *ca_list = name_list;
465}
466
467STACK_OF(X509_NAME) *
468SSL_dup_CA_list(const STACK_OF(X509_NAME) *sk)
469{
470 int i;
471 STACK_OF(X509_NAME) *ret;
472 X509_NAME *name = NULL;
473
474 if ((ret = sk_X509_NAME_new_null()) == NULL)
475 goto err;
476
477 for (i = 0; i < sk_X509_NAME_num(sk); i++) {
478 if ((name = X509_NAME_dup(sk_X509_NAME_value(sk, i))) == NULL)
479 goto err;
480 if (!sk_X509_NAME_push(ret, name))
481 goto err;
482 }
483 return (ret);
484
485 err:
486 X509_NAME_free(name);
487 sk_X509_NAME_pop_free(ret, X509_NAME_free);
488 return NULL;
489}
490
491void
492SSL_set_client_CA_list(SSL *s, STACK_OF(X509_NAME) *name_list)
493{
494 set_client_CA_list(&(s->client_CA), name_list);
495}
496
497void
498SSL_CTX_set_client_CA_list(SSL_CTX *ctx, STACK_OF(X509_NAME) *name_list)
499{
500 set_client_CA_list(&(ctx->client_CA), name_list);
501}
502
503STACK_OF(X509_NAME) *
504SSL_CTX_get_client_CA_list(const SSL_CTX *ctx)
505{
506 return (ctx->client_CA);
507}
508
509STACK_OF(X509_NAME) *
510SSL_get_client_CA_list(const SSL *s)
511{
512 if (!s->server) {
513 /* We are in the client. */
514 if ((s->version >> 8) == SSL3_VERSION_MAJOR)
515 return (s->s3->hs.tls12.ca_names);
516 else
517 return (NULL);
518 } else {
519 if (s->client_CA != NULL)
520 return (s->client_CA);
521 else
522 return (s->ctx->client_CA);
523 }
524}
525
526static int
527add_client_CA(STACK_OF(X509_NAME) **sk, X509 *x)
528{
529 X509_NAME *name;
530
531 if (x == NULL)
532 return (0);
533 if ((*sk == NULL) && ((*sk = sk_X509_NAME_new_null()) == NULL))
534 return (0);
535
536 if ((name = X509_NAME_dup(X509_get_subject_name(x))) == NULL)
537 return (0);
538
539 if (!sk_X509_NAME_push(*sk, name)) {
540 X509_NAME_free(name);
541 return (0);
542 }
543 return (1);
544}
545
546int
547SSL_add_client_CA(SSL *ssl, X509 *x)
548{
549 return (add_client_CA(&(ssl->client_CA), x));
550}
551
552int
553SSL_CTX_add_client_CA(SSL_CTX *ctx, X509 *x)
554{
555 return (add_client_CA(&(ctx->client_CA), x));
556}
557
558static int
559xname_cmp(const X509_NAME * const *a, const X509_NAME * const *b)
560{
561 return (X509_NAME_cmp(*a, *b));
562}
563
564/*!
565 * Load CA certs from a file into a ::STACK. Note that it is somewhat misnamed;
566 * it doesn't really have anything to do with clients (except that a common use
567 * for a stack of CAs is to send it to the client). Actually, it doesn't have
568 * much to do with CAs, either, since it will load any old cert.
569 * \param file the file containing one or more certs.
570 * \return a ::STACK containing the certs.
571 */
572STACK_OF(X509_NAME) *
573SSL_load_client_CA_file(const char *file)
574{
575 BIO *in;
576 X509 *x = NULL;
577 X509_NAME *xn = NULL;
578 STACK_OF(X509_NAME) *ret = NULL, *sk;
579
580 sk = sk_X509_NAME_new(xname_cmp);
581
582 in = BIO_new(BIO_s_file());
583
584 if ((sk == NULL) || (in == NULL)) {
585 SSLerrorx(ERR_R_MALLOC_FAILURE);
586 goto err;
587 }
588
589 if (!BIO_read_filename(in, file))
590 goto err;
591
592 for (;;) {
593 if (PEM_read_bio_X509(in, &x, NULL, NULL) == NULL)
594 break;
595 if (ret == NULL) {
596 ret = sk_X509_NAME_new_null();
597 if (ret == NULL) {
598 SSLerrorx(ERR_R_MALLOC_FAILURE);
599 goto err;
600 }
601 }
602 if ((xn = X509_get_subject_name(x)) == NULL)
603 goto err;
604 /* check for duplicates */
605 xn = X509_NAME_dup(xn);
606 if (xn == NULL)
607 goto err;
608 if (sk_X509_NAME_find(sk, xn) >= 0)
609 X509_NAME_free(xn);
610 else {
611 if (!sk_X509_NAME_push(sk, xn))
612 goto err;
613 if (!sk_X509_NAME_push(ret, xn))
614 goto err;
615 }
616 }
617
618 if (0) {
619 err:
620 sk_X509_NAME_pop_free(ret, X509_NAME_free);
621 ret = NULL;
622 }
623 sk_X509_NAME_free(sk);
624 BIO_free(in);
625 X509_free(x);
626 if (ret != NULL)
627 ERR_clear_error();
628
629 return (ret);
630}
631
632/*!
633 * Add a file of certs to a stack.
634 * \param stack the stack to add to.
635 * \param file the file to add from. All certs in this file that are not
636 * already in the stack will be added.
637 * \return 1 for success, 0 for failure. Note that in the case of failure some
638 * certs may have been added to \c stack.
639 */
640
641int
642SSL_add_file_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack,
643 const char *file)
644{
645 BIO *in;
646 X509 *x = NULL;
647 X509_NAME *xn = NULL;
648 int ret = 1;
649 int (*oldcmp)(const X509_NAME * const *a, const X509_NAME * const *b);
650
651 oldcmp = sk_X509_NAME_set_cmp_func(stack, xname_cmp);
652
653 in = BIO_new(BIO_s_file());
654
655 if (in == NULL) {
656 SSLerrorx(ERR_R_MALLOC_FAILURE);
657 goto err;
658 }
659
660 if (!BIO_read_filename(in, file))
661 goto err;
662
663 for (;;) {
664 if (PEM_read_bio_X509(in, &x, NULL, NULL) == NULL)
665 break;
666 if ((xn = X509_get_subject_name(x)) == NULL)
667 goto err;
668 xn = X509_NAME_dup(xn);
669 if (xn == NULL)
670 goto err;
671 if (sk_X509_NAME_find(stack, xn) >= 0)
672 X509_NAME_free(xn);
673 else
674 if (!sk_X509_NAME_push(stack, xn))
675 goto err;
676 }
677
678 ERR_clear_error();
679
680 if (0) {
681 err:
682 ret = 0;
683 }
684 BIO_free(in);
685 X509_free(x);
686
687 (void)sk_X509_NAME_set_cmp_func(stack, oldcmp);
688
689 return ret;
690}
691
692/*!
693 * Add a directory of certs to a stack.
694 * \param stack the stack to append to.
695 * \param dir the directory to append from. All files in this directory will be
696 * examined as potential certs. Any that are acceptable to
697 * SSL_add_dir_cert_subjects_to_stack() that are not already in the stack will
698 * be included.
699 * \return 1 for success, 0 for failure. Note that in the case of failure some
700 * certs may have been added to \c stack.
701 */
702
703int
704SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack, const char *dir)
705{
706 DIR *dirp = NULL;
707 char *path = NULL;
708 int ret = 0;
709
710 dirp = opendir(dir);
711 if (dirp) {
712 struct dirent *dp;
713 while ((dp = readdir(dirp)) != NULL) {
714 if (asprintf(&path, "%s/%s", dir, dp->d_name) != -1) {
715 ret = SSL_add_file_cert_subjects_to_stack(
716 stack, path);
717 free(path);
718 }
719 if (!ret)
720 break;
721 }
722 (void) closedir(dirp);
723 }
724 if (!ret) {
725 SYSerror(errno);
726 ERR_asprintf_error_data("opendir ('%s')", dir);
727 SSLerrorx(ERR_R_SYS_LIB);
728 }
729 return ret;
730}
diff --git a/src/lib/libssl/ssl_ciph.c b/src/lib/libssl/ssl_ciph.c
deleted file mode 100644
index a71c5042c7..0000000000
--- a/src/lib/libssl/ssl_ciph.c
+++ /dev/null
@@ -1,1743 +0,0 @@
1/* $OpenBSD: ssl_ciph.c,v 1.135 2022/11/26 16:08:55 tb Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58/* ====================================================================
59 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
60 *
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
63 * are met:
64 *
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
67 *
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
71 * distribution.
72 *
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77 *
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
82 *
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
86 *
87 * 6. Redistributions of any form whatsoever must retain the following
88 * acknowledgment:
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91 *
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
105 *
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
109 *
110 */
111/* ====================================================================
112 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
113 * ECC cipher suite support in OpenSSL originally developed by
114 * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
115 */
116/* ====================================================================
117 * Copyright 2005 Nokia. All rights reserved.
118 *
119 * The portions of the attached software ("Contribution") is developed by
120 * Nokia Corporation and is licensed pursuant to the OpenSSL open source
121 * license.
122 *
123 * The Contribution, originally written by Mika Kousa and Pasi Eronen of
124 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
125 * support (see RFC 4279) to OpenSSL.
126 *
127 * No patent licenses or other rights except those expressly stated in
128 * the OpenSSL open source license shall be deemed granted or received
129 * expressly, by implication, estoppel, or otherwise.
130 *
131 * No assurances are provided by Nokia that the Contribution does not
132 * infringe the patent or other intellectual property rights of any third
133 * party or that the license provides you with all the necessary rights
134 * to make use of the Contribution.
135 *
136 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
137 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
138 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
139 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
140 * OTHERWISE.
141 */
142
143#include <stdio.h>
144
145#include <openssl/objects.h>
146#include <openssl/opensslconf.h>
147
148#ifndef OPENSSL_NO_ENGINE
149#include <openssl/engine.h>
150#endif
151
152#include "ssl_local.h"
153
154#define CIPHER_ADD 1
155#define CIPHER_KILL 2
156#define CIPHER_DEL 3
157#define CIPHER_ORD 4
158#define CIPHER_SPECIAL 5
159
160typedef struct cipher_order_st {
161 const SSL_CIPHER *cipher;
162 int active;
163 int dead;
164 struct cipher_order_st *next, *prev;
165} CIPHER_ORDER;
166
167static const SSL_CIPHER cipher_aliases[] = {
168
169 /* "ALL" doesn't include eNULL (must be specifically enabled) */
170 {
171 .name = SSL_TXT_ALL,
172 .algorithm_enc = ~SSL_eNULL,
173 },
174
175 /* "COMPLEMENTOFALL" */
176 {
177 .name = SSL_TXT_CMPALL,
178 .algorithm_enc = SSL_eNULL,
179 },
180
181 /*
182 * "COMPLEMENTOFDEFAULT"
183 * (does *not* include ciphersuites not found in ALL!)
184 */
185 {
186 .name = SSL_TXT_CMPDEF,
187 .algorithm_mkey = SSL_kDHE|SSL_kECDHE,
188 .algorithm_auth = SSL_aNULL,
189 .algorithm_enc = ~SSL_eNULL,
190 },
191
192 /*
193 * key exchange aliases
194 * (some of those using only a single bit here combine multiple key
195 * exchange algs according to the RFCs, e.g. kEDH combines DHE_DSS
196 * and DHE_RSA)
197 */
198 {
199 .name = SSL_TXT_kRSA,
200 .algorithm_mkey = SSL_kRSA,
201 },
202 {
203 .name = SSL_TXT_kEDH,
204 .algorithm_mkey = SSL_kDHE,
205 },
206 {
207 .name = SSL_TXT_DH,
208 .algorithm_mkey = SSL_kDHE,
209 },
210 {
211 .name = SSL_TXT_kEECDH,
212 .algorithm_mkey = SSL_kECDHE,
213 },
214 {
215 .name = SSL_TXT_ECDH,
216 .algorithm_mkey = SSL_kECDHE,
217 },
218 {
219 .name = SSL_TXT_kGOST,
220 .algorithm_mkey = SSL_kGOST,
221 },
222
223 /* server authentication aliases */
224 {
225 .name = SSL_TXT_aRSA,
226 .algorithm_auth = SSL_aRSA,
227 },
228 {
229 .name = SSL_TXT_aDSS,
230 .algorithm_auth = SSL_aDSS,
231 },
232 {
233 .name = SSL_TXT_DSS,
234 .algorithm_auth = SSL_aDSS,
235 },
236 {
237 .name = SSL_TXT_aNULL,
238 .algorithm_auth = SSL_aNULL,
239 },
240 {
241 .name = SSL_TXT_aECDSA,
242 .algorithm_auth = SSL_aECDSA,
243 },
244 {
245 .name = SSL_TXT_ECDSA,
246 .algorithm_auth = SSL_aECDSA,
247 },
248 {
249 .name = SSL_TXT_aGOST01,
250 .algorithm_auth = SSL_aGOST01,
251 },
252 {
253 .name = SSL_TXT_aGOST,
254 .algorithm_auth = SSL_aGOST01,
255 },
256
257 /* aliases combining key exchange and server authentication */
258 {
259 .name = SSL_TXT_DHE,
260 .algorithm_mkey = SSL_kDHE,
261 .algorithm_auth = ~SSL_aNULL,
262 },
263 {
264 .name = SSL_TXT_EDH,
265 .algorithm_mkey = SSL_kDHE,
266 .algorithm_auth = ~SSL_aNULL,
267 },
268 {
269 .name = SSL_TXT_ECDHE,
270 .algorithm_mkey = SSL_kECDHE,
271 .algorithm_auth = ~SSL_aNULL,
272 },
273 {
274 .name = SSL_TXT_EECDH,
275 .algorithm_mkey = SSL_kECDHE,
276 .algorithm_auth = ~SSL_aNULL,
277 },
278 {
279 .name = SSL_TXT_NULL,
280 .algorithm_enc = SSL_eNULL,
281 },
282 {
283 .name = SSL_TXT_RSA,
284 .algorithm_mkey = SSL_kRSA,
285 .algorithm_auth = SSL_aRSA,
286 },
287 {
288 .name = SSL_TXT_ADH,
289 .algorithm_mkey = SSL_kDHE,
290 .algorithm_auth = SSL_aNULL,
291 },
292 {
293 .name = SSL_TXT_AECDH,
294 .algorithm_mkey = SSL_kECDHE,
295 .algorithm_auth = SSL_aNULL,
296 },
297
298 /* symmetric encryption aliases */
299 {
300 .name = SSL_TXT_3DES,
301 .algorithm_enc = SSL_3DES,
302 },
303 {
304 .name = SSL_TXT_RC4,
305 .algorithm_enc = SSL_RC4,
306 },
307 {
308 .name = SSL_TXT_eNULL,
309 .algorithm_enc = SSL_eNULL,
310 },
311 {
312 .name = SSL_TXT_AES128,
313 .algorithm_enc = SSL_AES128|SSL_AES128GCM,
314 },
315 {
316 .name = SSL_TXT_AES256,
317 .algorithm_enc = SSL_AES256|SSL_AES256GCM,
318 },
319 {
320 .name = SSL_TXT_AES,
321 .algorithm_enc = SSL_AES,
322 },
323 {
324 .name = SSL_TXT_AES_GCM,
325 .algorithm_enc = SSL_AES128GCM|SSL_AES256GCM,
326 },
327 {
328 .name = SSL_TXT_CAMELLIA128,
329 .algorithm_enc = SSL_CAMELLIA128,
330 },
331 {
332 .name = SSL_TXT_CAMELLIA256,
333 .algorithm_enc = SSL_CAMELLIA256,
334 },
335 {
336 .name = SSL_TXT_CAMELLIA,
337 .algorithm_enc = SSL_CAMELLIA128|SSL_CAMELLIA256,
338 },
339 {
340 .name = SSL_TXT_CHACHA20,
341 .algorithm_enc = SSL_CHACHA20POLY1305,
342 },
343
344 /* MAC aliases */
345 {
346 .name = SSL_TXT_AEAD,
347 .algorithm_mac = SSL_AEAD,
348 },
349 {
350 .name = SSL_TXT_MD5,
351 .algorithm_mac = SSL_MD5,
352 },
353 {
354 .name = SSL_TXT_SHA1,
355 .algorithm_mac = SSL_SHA1,
356 },
357 {
358 .name = SSL_TXT_SHA,
359 .algorithm_mac = SSL_SHA1,
360 },
361 {
362 .name = SSL_TXT_GOST94,
363 .algorithm_mac = SSL_GOST94,
364 },
365 {
366 .name = SSL_TXT_GOST89MAC,
367 .algorithm_mac = SSL_GOST89MAC,
368 },
369 {
370 .name = SSL_TXT_SHA256,
371 .algorithm_mac = SSL_SHA256,
372 },
373 {
374 .name = SSL_TXT_SHA384,
375 .algorithm_mac = SSL_SHA384,
376 },
377 {
378 .name = SSL_TXT_STREEBOG256,
379 .algorithm_mac = SSL_STREEBOG256,
380 },
381
382 /* protocol version aliases */
383 {
384 .name = SSL_TXT_SSLV3,
385 .algorithm_ssl = SSL_SSLV3,
386 },
387 {
388 .name = SSL_TXT_TLSV1,
389 .algorithm_ssl = SSL_TLSV1,
390 },
391 {
392 .name = SSL_TXT_TLSV1_2,
393 .algorithm_ssl = SSL_TLSV1_2,
394 },
395 {
396 .name = SSL_TXT_TLSV1_3,
397 .algorithm_ssl = SSL_TLSV1_3,
398 },
399
400 /* cipher suite aliases */
401#ifdef LIBRESSL_HAS_TLS1_3
402 {
403 .valid = 1,
404 .name = "TLS_AES_128_GCM_SHA256",
405 .id = TLS1_3_CK_AES_128_GCM_SHA256,
406 .algorithm_ssl = SSL_TLSV1_3,
407 },
408 {
409 .valid = 1,
410 .name = "TLS_AES_256_GCM_SHA384",
411 .id = TLS1_3_CK_AES_256_GCM_SHA384,
412 .algorithm_ssl = SSL_TLSV1_3,
413 },
414 {
415 .valid = 1,
416 .name = "TLS_CHACHA20_POLY1305_SHA256",
417 .id = TLS1_3_CK_CHACHA20_POLY1305_SHA256,
418 .algorithm_ssl = SSL_TLSV1_3,
419 },
420#endif
421
422 /* strength classes */
423 {
424 .name = SSL_TXT_LOW,
425 .algo_strength = SSL_LOW,
426 },
427 {
428 .name = SSL_TXT_MEDIUM,
429 .algo_strength = SSL_MEDIUM,
430 },
431 {
432 .name = SSL_TXT_HIGH,
433 .algo_strength = SSL_HIGH,
434 },
435};
436
437int
438ssl_cipher_get_evp(const SSL_SESSION *ss, const EVP_CIPHER **enc,
439 const EVP_MD **md, int *mac_pkey_type, int *mac_secret_size)
440{
441 *enc = NULL;
442 *md = NULL;
443 *mac_pkey_type = NID_undef;
444 *mac_secret_size = 0;
445
446 if (ss->cipher == NULL)
447 return 0;
448
449 /*
450 * This function does not handle EVP_AEAD.
451 * See ssl_cipher_get_evp_aead instead.
452 */
453 if (ss->cipher->algorithm_mac & SSL_AEAD)
454 return 0;
455
456 switch (ss->cipher->algorithm_enc) {
457 case SSL_3DES:
458 *enc = EVP_des_ede3_cbc();
459 break;
460 case SSL_RC4:
461 *enc = EVP_rc4();
462 break;
463 case SSL_eNULL:
464 *enc = EVP_enc_null();
465 break;
466 case SSL_AES128:
467 *enc = EVP_aes_128_cbc();
468 break;
469 case SSL_AES256:
470 *enc = EVP_aes_256_cbc();
471 break;
472 case SSL_CAMELLIA128:
473 *enc = EVP_camellia_128_cbc();
474 break;
475 case SSL_CAMELLIA256:
476 *enc = EVP_camellia_256_cbc();
477 break;
478 case SSL_eGOST2814789CNT:
479 *enc = EVP_gost2814789_cnt();
480 break;
481 }
482
483 switch (ss->cipher->algorithm_mac) {
484 case SSL_MD5:
485 *md = EVP_md5();
486 break;
487 case SSL_SHA1:
488 *md = EVP_sha1();
489 break;
490 case SSL_SHA256:
491 *md = EVP_sha256();
492 break;
493 case SSL_SHA384:
494 *md = EVP_sha384();
495 break;
496 case SSL_GOST89MAC:
497 *md = EVP_gost2814789imit();
498 break;
499 case SSL_GOST94:
500 *md = EVP_gostr341194();
501 break;
502 case SSL_STREEBOG256:
503 *md = EVP_streebog256();
504 break;
505 }
506
507 if (*enc == NULL || *md == NULL)
508 return 0;
509
510 /*
511 * EVP_CIPH_FLAG_AEAD_CIPHER and EVP_CIPH_GCM_MODE ciphers are not
512 * supported via EVP_CIPHER (they should be using EVP_AEAD instead).
513 */
514 if (EVP_CIPHER_flags(*enc) & EVP_CIPH_FLAG_AEAD_CIPHER)
515 return 0;
516 if (EVP_CIPHER_mode(*enc) == EVP_CIPH_GCM_MODE)
517 return 0;
518
519 if (ss->cipher->algorithm_mac == SSL_GOST89MAC) {
520 *mac_pkey_type = EVP_PKEY_GOSTIMIT;
521 *mac_secret_size = 32; /* XXX */
522 } else {
523 *mac_pkey_type = EVP_PKEY_HMAC;
524 *mac_secret_size = EVP_MD_size(*md);
525 }
526
527 return 1;
528}
529
530/*
531 * ssl_cipher_get_evp_aead sets aead to point to the correct EVP_AEAD object
532 * for s->cipher. It returns 1 on success and 0 on error.
533 */
534int
535ssl_cipher_get_evp_aead(const SSL_SESSION *ss, const EVP_AEAD **aead)
536{
537 *aead = NULL;
538
539 if (ss->cipher == NULL)
540 return 0;
541 if ((ss->cipher->algorithm_mac & SSL_AEAD) == 0)
542 return 0;
543
544 switch (ss->cipher->algorithm_enc) {
545 case SSL_AES128GCM:
546 *aead = EVP_aead_aes_128_gcm();
547 return 1;
548 case SSL_AES256GCM:
549 *aead = EVP_aead_aes_256_gcm();
550 return 1;
551 case SSL_CHACHA20POLY1305:
552 *aead = EVP_aead_chacha20_poly1305();
553 return 1;
554 default:
555 break;
556 }
557 return 0;
558}
559
560int
561ssl_get_handshake_evp_md(SSL *s, const EVP_MD **md)
562{
563 unsigned long handshake_mac;
564
565 *md = NULL;
566
567 if (s->s3->hs.cipher == NULL)
568 return 0;
569
570 handshake_mac = s->s3->hs.cipher->algorithm2 &
571 SSL_HANDSHAKE_MAC_MASK;
572
573 /* For TLSv1.2 we upgrade the default MD5+SHA1 MAC to SHA256. */
574 if (SSL_USE_SHA256_PRF(s) && handshake_mac == SSL_HANDSHAKE_MAC_DEFAULT)
575 handshake_mac = SSL_HANDSHAKE_MAC_SHA256;
576
577 switch (handshake_mac) {
578 case SSL_HANDSHAKE_MAC_DEFAULT:
579 *md = EVP_md5_sha1();
580 return 1;
581 case SSL_HANDSHAKE_MAC_GOST94:
582 *md = EVP_gostr341194();
583 return 1;
584 case SSL_HANDSHAKE_MAC_SHA256:
585 *md = EVP_sha256();
586 return 1;
587 case SSL_HANDSHAKE_MAC_SHA384:
588 *md = EVP_sha384();
589 return 1;
590 case SSL_HANDSHAKE_MAC_STREEBOG256:
591 *md = EVP_streebog256();
592 return 1;
593 default:
594 break;
595 }
596
597 return 0;
598}
599
600#define ITEM_SEP(a) \
601 (((a) == ':') || ((a) == ' ') || ((a) == ';') || ((a) == ','))
602
603static void
604ll_append_tail(CIPHER_ORDER **head, CIPHER_ORDER *curr,
605 CIPHER_ORDER **tail)
606{
607 if (curr == *tail)
608 return;
609 if (curr == *head)
610 *head = curr->next;
611 if (curr->prev != NULL)
612 curr->prev->next = curr->next;
613 if (curr->next != NULL)
614 curr->next->prev = curr->prev;
615 (*tail)->next = curr;
616 curr->prev= *tail;
617 curr->next = NULL;
618 *tail = curr;
619}
620
621static void
622ll_append_head(CIPHER_ORDER **head, CIPHER_ORDER *curr,
623 CIPHER_ORDER **tail)
624{
625 if (curr == *head)
626 return;
627 if (curr == *tail)
628 *tail = curr->prev;
629 if (curr->next != NULL)
630 curr->next->prev = curr->prev;
631 if (curr->prev != NULL)
632 curr->prev->next = curr->next;
633 (*head)->prev = curr;
634 curr->next= *head;
635 curr->prev = NULL;
636 *head = curr;
637}
638
639static void
640ssl_cipher_get_disabled(unsigned long *mkey, unsigned long *auth,
641 unsigned long *enc, unsigned long *mac, unsigned long *ssl)
642{
643 *mkey = 0;
644 *auth = 0;
645 *enc = 0;
646 *mac = 0;
647 *ssl = 0;
648
649 /*
650 * Check for the availability of GOST 34.10 public/private key
651 * algorithms. If they are not available disable the associated
652 * authentication and key exchange algorithms.
653 */
654 if (EVP_PKEY_meth_find(NID_id_GostR3410_2001) == NULL) {
655 *auth |= SSL_aGOST01;
656 *mkey |= SSL_kGOST;
657 }
658
659#ifdef SSL_FORBID_ENULL
660 *enc |= SSL_eNULL;
661#endif
662}
663
664static void
665ssl_cipher_collect_ciphers(const SSL_METHOD *ssl_method, int num_of_ciphers,
666 unsigned long disabled_mkey, unsigned long disabled_auth,
667 unsigned long disabled_enc, unsigned long disabled_mac,
668 unsigned long disabled_ssl, CIPHER_ORDER *co_list,
669 CIPHER_ORDER **head_p, CIPHER_ORDER **tail_p)
670{
671 int i, co_list_num;
672 const SSL_CIPHER *c;
673
674 /*
675 * We have num_of_ciphers descriptions compiled in, depending on the
676 * method selected (SSLv3, TLSv1, etc). These will later be sorted in
677 * a linked list with at most num entries.
678 */
679
680 /* Get the initial list of ciphers */
681 co_list_num = 0; /* actual count of ciphers */
682 for (i = 0; i < num_of_ciphers; i++) {
683 c = ssl_method->get_cipher(i);
684 /*
685 * Drop any invalid ciphers and any which use unavailable
686 * algorithms.
687 */
688 if ((c != NULL) && c->valid &&
689 !(c->algorithm_mkey & disabled_mkey) &&
690 !(c->algorithm_auth & disabled_auth) &&
691 !(c->algorithm_enc & disabled_enc) &&
692 !(c->algorithm_mac & disabled_mac) &&
693 !(c->algorithm_ssl & disabled_ssl)) {
694 co_list[co_list_num].cipher = c;
695 co_list[co_list_num].next = NULL;
696 co_list[co_list_num].prev = NULL;
697 co_list[co_list_num].active = 0;
698 co_list_num++;
699 }
700 }
701
702 /*
703 * Prepare linked list from list entries
704 */
705 if (co_list_num > 0) {
706 co_list[0].prev = NULL;
707
708 if (co_list_num > 1) {
709 co_list[0].next = &co_list[1];
710
711 for (i = 1; i < co_list_num - 1; i++) {
712 co_list[i].prev = &co_list[i - 1];
713 co_list[i].next = &co_list[i + 1];
714 }
715
716 co_list[co_list_num - 1].prev =
717 &co_list[co_list_num - 2];
718 }
719
720 co_list[co_list_num - 1].next = NULL;
721
722 *head_p = &co_list[0];
723 *tail_p = &co_list[co_list_num - 1];
724 }
725}
726
727static void
728ssl_cipher_collect_aliases(const SSL_CIPHER **ca_list, int num_of_group_aliases,
729 unsigned long disabled_mkey, unsigned long disabled_auth,
730 unsigned long disabled_enc, unsigned long disabled_mac,
731 unsigned long disabled_ssl, CIPHER_ORDER *head)
732{
733 CIPHER_ORDER *ciph_curr;
734 const SSL_CIPHER **ca_curr;
735 int i;
736 unsigned long mask_mkey = ~disabled_mkey;
737 unsigned long mask_auth = ~disabled_auth;
738 unsigned long mask_enc = ~disabled_enc;
739 unsigned long mask_mac = ~disabled_mac;
740 unsigned long mask_ssl = ~disabled_ssl;
741
742 /*
743 * First, add the real ciphers as already collected
744 */
745 ciph_curr = head;
746 ca_curr = ca_list;
747 while (ciph_curr != NULL) {
748 *ca_curr = ciph_curr->cipher;
749 ca_curr++;
750 ciph_curr = ciph_curr->next;
751 }
752
753 /*
754 * Now we add the available ones from the cipher_aliases[] table.
755 * They represent either one or more algorithms, some of which
756 * in any affected category must be supported (set in enabled_mask),
757 * or represent a cipher strength value (will be added in any case because algorithms=0).
758 */
759 for (i = 0; i < num_of_group_aliases; i++) {
760 unsigned long algorithm_mkey = cipher_aliases[i].algorithm_mkey;
761 unsigned long algorithm_auth = cipher_aliases[i].algorithm_auth;
762 unsigned long algorithm_enc = cipher_aliases[i].algorithm_enc;
763 unsigned long algorithm_mac = cipher_aliases[i].algorithm_mac;
764 unsigned long algorithm_ssl = cipher_aliases[i].algorithm_ssl;
765
766 if (algorithm_mkey)
767 if ((algorithm_mkey & mask_mkey) == 0)
768 continue;
769
770 if (algorithm_auth)
771 if ((algorithm_auth & mask_auth) == 0)
772 continue;
773
774 if (algorithm_enc)
775 if ((algorithm_enc & mask_enc) == 0)
776 continue;
777
778 if (algorithm_mac)
779 if ((algorithm_mac & mask_mac) == 0)
780 continue;
781
782 if (algorithm_ssl)
783 if ((algorithm_ssl & mask_ssl) == 0)
784 continue;
785
786 *ca_curr = (SSL_CIPHER *)(cipher_aliases + i);
787 ca_curr++;
788 }
789
790 *ca_curr = NULL; /* end of list */
791}
792
793static void
794ssl_cipher_apply_rule(unsigned long cipher_id, unsigned long alg_mkey,
795 unsigned long alg_auth, unsigned long alg_enc, unsigned long alg_mac,
796 unsigned long alg_ssl, unsigned long algo_strength, int rule,
797 int strength_bits, CIPHER_ORDER **head_p, CIPHER_ORDER **tail_p)
798{
799 CIPHER_ORDER *head, *tail, *curr, *next, *last;
800 const SSL_CIPHER *cp;
801 int reverse = 0;
802
803 if (rule == CIPHER_DEL)
804 reverse = 1; /* needed to maintain sorting between currently deleted ciphers */
805
806 head = *head_p;
807 tail = *tail_p;
808
809 if (reverse) {
810 next = tail;
811 last = head;
812 } else {
813 next = head;
814 last = tail;
815 }
816
817 curr = NULL;
818 for (;;) {
819 if (curr == last)
820 break;
821 curr = next;
822 next = reverse ? curr->prev : curr->next;
823
824 cp = curr->cipher;
825
826 if (cipher_id && cp->id != cipher_id)
827 continue;
828
829 /*
830 * Selection criteria is either the value of strength_bits
831 * or the algorithms used.
832 */
833 if (strength_bits >= 0) {
834 if (strength_bits != cp->strength_bits)
835 continue;
836 } else {
837 if (alg_mkey && !(alg_mkey & cp->algorithm_mkey))
838 continue;
839 if (alg_auth && !(alg_auth & cp->algorithm_auth))
840 continue;
841 if (alg_enc && !(alg_enc & cp->algorithm_enc))
842 continue;
843 if (alg_mac && !(alg_mac & cp->algorithm_mac))
844 continue;
845 if (alg_ssl && !(alg_ssl & cp->algorithm_ssl))
846 continue;
847 if ((algo_strength & SSL_STRONG_MASK) && !(algo_strength & SSL_STRONG_MASK & cp->algo_strength))
848 continue;
849 }
850
851 /* add the cipher if it has not been added yet. */
852 if (rule == CIPHER_ADD) {
853 /* reverse == 0 */
854 if (!curr->active) {
855 ll_append_tail(&head, curr, &tail);
856 curr->active = 1;
857 }
858 }
859 /* Move the added cipher to this location */
860 else if (rule == CIPHER_ORD) {
861 /* reverse == 0 */
862 if (curr->active) {
863 ll_append_tail(&head, curr, &tail);
864 }
865 } else if (rule == CIPHER_DEL) {
866 /* reverse == 1 */
867 if (curr->active) {
868 /* most recently deleted ciphersuites get best positions
869 * for any future CIPHER_ADD (note that the CIPHER_DEL loop
870 * works in reverse to maintain the order) */
871 ll_append_head(&head, curr, &tail);
872 curr->active = 0;
873 }
874 } else if (rule == CIPHER_KILL) {
875 /* reverse == 0 */
876 if (head == curr)
877 head = curr->next;
878 else
879 curr->prev->next = curr->next;
880 if (tail == curr)
881 tail = curr->prev;
882 curr->active = 0;
883 if (curr->next != NULL)
884 curr->next->prev = curr->prev;
885 if (curr->prev != NULL)
886 curr->prev->next = curr->next;
887 curr->next = NULL;
888 curr->prev = NULL;
889 }
890 }
891
892 *head_p = head;
893 *tail_p = tail;
894}
895
896static int
897ssl_cipher_strength_sort(CIPHER_ORDER **head_p, CIPHER_ORDER **tail_p)
898{
899 int max_strength_bits, i, *number_uses;
900 CIPHER_ORDER *curr;
901
902 /*
903 * This routine sorts the ciphers with descending strength. The sorting
904 * must keep the pre-sorted sequence, so we apply the normal sorting
905 * routine as '+' movement to the end of the list.
906 */
907 max_strength_bits = 0;
908 curr = *head_p;
909 while (curr != NULL) {
910 if (curr->active &&
911 (curr->cipher->strength_bits > max_strength_bits))
912 max_strength_bits = curr->cipher->strength_bits;
913 curr = curr->next;
914 }
915
916 number_uses = calloc((max_strength_bits + 1), sizeof(int));
917 if (!number_uses) {
918 SSLerrorx(ERR_R_MALLOC_FAILURE);
919 return (0);
920 }
921
922 /*
923 * Now find the strength_bits values actually used
924 */
925 curr = *head_p;
926 while (curr != NULL) {
927 if (curr->active)
928 number_uses[curr->cipher->strength_bits]++;
929 curr = curr->next;
930 }
931 /*
932 * Go through the list of used strength_bits values in descending
933 * order.
934 */
935 for (i = max_strength_bits; i >= 0; i--)
936 if (number_uses[i] > 0)
937 ssl_cipher_apply_rule(0, 0, 0, 0, 0, 0, 0, CIPHER_ORD, i, head_p, tail_p);
938
939 free(number_uses);
940 return (1);
941}
942
943static int
944ssl_cipher_process_rulestr(const char *rule_str, CIPHER_ORDER **head_p,
945 CIPHER_ORDER **tail_p, const SSL_CIPHER **ca_list, SSL_CERT *cert,
946 int *tls13_seen)
947{
948 unsigned long alg_mkey, alg_auth, alg_enc, alg_mac, alg_ssl;
949 unsigned long algo_strength;
950 int j, multi, found, rule, retval, ok, buflen;
951 unsigned long cipher_id = 0;
952 const char *l, *buf;
953 char ch;
954
955 *tls13_seen = 0;
956
957 retval = 1;
958 l = rule_str;
959 for (;;) {
960 ch = *l;
961
962 if (ch == '\0')
963 break;
964
965 if (ch == '-') {
966 rule = CIPHER_DEL;
967 l++;
968 } else if (ch == '+') {
969 rule = CIPHER_ORD;
970 l++;
971 } else if (ch == '!') {
972 rule = CIPHER_KILL;
973 l++;
974 } else if (ch == '@') {
975 rule = CIPHER_SPECIAL;
976 l++;
977 } else {
978 rule = CIPHER_ADD;
979 }
980
981 if (ITEM_SEP(ch)) {
982 l++;
983 continue;
984 }
985
986 alg_mkey = 0;
987 alg_auth = 0;
988 alg_enc = 0;
989 alg_mac = 0;
990 alg_ssl = 0;
991 algo_strength = 0;
992
993 for (;;) {
994 ch = *l;
995 buf = l;
996 buflen = 0;
997 while (((ch >= 'A') && (ch <= 'Z')) ||
998 ((ch >= '0') && (ch <= '9')) ||
999 ((ch >= 'a') && (ch <= 'z')) ||
1000 (ch == '-') || (ch == '.') ||
1001 (ch == '_') || (ch == '=')) {
1002 ch = *(++l);
1003 buflen++;
1004 }
1005
1006 if (buflen == 0) {
1007 /*
1008 * We hit something we cannot deal with,
1009 * it is no command or separator nor
1010 * alphanumeric, so we call this an error.
1011 */
1012 SSLerrorx(SSL_R_INVALID_COMMAND);
1013 return 0;
1014 }
1015
1016 if (rule == CIPHER_SPECIAL) {
1017 /* unused -- avoid compiler warning */
1018 found = 0;
1019 /* special treatment */
1020 break;
1021 }
1022
1023 /* check for multi-part specification */
1024 if (ch == '+') {
1025 multi = 1;
1026 l++;
1027 } else
1028 multi = 0;
1029
1030 /*
1031 * Now search for the cipher alias in the ca_list.
1032 * Be careful with the strncmp, because the "buflen"
1033 * limitation will make the rule "ADH:SOME" and the
1034 * cipher "ADH-MY-CIPHER" look like a match for
1035 * buflen=3. So additionally check whether the cipher
1036 * name found has the correct length. We can save a
1037 * strlen() call: just checking for the '\0' at the
1038 * right place is sufficient, we have to strncmp()
1039 * anyway (we cannot use strcmp(), because buf is not
1040 * '\0' terminated.)
1041 */
1042 j = found = 0;
1043 cipher_id = 0;
1044 while (ca_list[j]) {
1045 if (!strncmp(buf, ca_list[j]->name, buflen) &&
1046 (ca_list[j]->name[buflen] == '\0')) {
1047 found = 1;
1048 break;
1049 } else
1050 j++;
1051 }
1052
1053 if (!found)
1054 break; /* ignore this entry */
1055
1056 if (ca_list[j]->algorithm_mkey) {
1057 if (alg_mkey) {
1058 alg_mkey &= ca_list[j]->algorithm_mkey;
1059 if (!alg_mkey) {
1060 found = 0;
1061 break;
1062 }
1063 } else
1064 alg_mkey = ca_list[j]->algorithm_mkey;
1065 }
1066
1067 if (ca_list[j]->algorithm_auth) {
1068 if (alg_auth) {
1069 alg_auth &= ca_list[j]->algorithm_auth;
1070 if (!alg_auth) {
1071 found = 0;
1072 break;
1073 }
1074 } else
1075 alg_auth = ca_list[j]->algorithm_auth;
1076 }
1077
1078 if (ca_list[j]->algorithm_enc) {
1079 if (alg_enc) {
1080 alg_enc &= ca_list[j]->algorithm_enc;
1081 if (!alg_enc) {
1082 found = 0;
1083 break;
1084 }
1085 } else
1086 alg_enc = ca_list[j]->algorithm_enc;
1087 }
1088
1089 if (ca_list[j]->algorithm_mac) {
1090 if (alg_mac) {
1091 alg_mac &= ca_list[j]->algorithm_mac;
1092 if (!alg_mac) {
1093 found = 0;
1094 break;
1095 }
1096 } else
1097 alg_mac = ca_list[j]->algorithm_mac;
1098 }
1099
1100 if (ca_list[j]->algo_strength & SSL_STRONG_MASK) {
1101 if (algo_strength & SSL_STRONG_MASK) {
1102 algo_strength &=
1103 (ca_list[j]->algo_strength &
1104 SSL_STRONG_MASK) | ~SSL_STRONG_MASK;
1105 if (!(algo_strength &
1106 SSL_STRONG_MASK)) {
1107 found = 0;
1108 break;
1109 }
1110 } else
1111 algo_strength |=
1112 ca_list[j]->algo_strength &
1113 SSL_STRONG_MASK;
1114 }
1115
1116 if (ca_list[j]->valid) {
1117 /*
1118 * explicit ciphersuite found; its protocol
1119 * version does not become part of the search
1120 * pattern!
1121 */
1122 cipher_id = ca_list[j]->id;
1123 if (ca_list[j]->algorithm_ssl == SSL_TLSV1_3)
1124 *tls13_seen = 1;
1125 } else {
1126 /*
1127 * not an explicit ciphersuite; only in this
1128 * case, the protocol version is considered
1129 * part of the search pattern
1130 */
1131 if (ca_list[j]->algorithm_ssl) {
1132 if (alg_ssl) {
1133 alg_ssl &=
1134 ca_list[j]->algorithm_ssl;
1135 if (!alg_ssl) {
1136 found = 0;
1137 break;
1138 }
1139 } else
1140 alg_ssl =
1141 ca_list[j]->algorithm_ssl;
1142 }
1143 }
1144
1145 if (!multi)
1146 break;
1147 }
1148
1149 /*
1150 * Ok, we have the rule, now apply it
1151 */
1152 if (rule == CIPHER_SPECIAL) {
1153 /* special command */
1154 ok = 0;
1155 if (buflen == 8 && strncmp(buf, "STRENGTH", 8) == 0) {
1156 ok = ssl_cipher_strength_sort(head_p, tail_p);
1157 } else if (buflen == 10 &&
1158 strncmp(buf, "SECLEVEL=", 9) == 0) {
1159 int level = buf[9] - '0';
1160
1161 if (level >= 0 && level <= 5) {
1162 cert->security_level = level;
1163 ok = 1;
1164 } else {
1165 SSLerrorx(SSL_R_INVALID_COMMAND);
1166 }
1167 } else {
1168 SSLerrorx(SSL_R_INVALID_COMMAND);
1169 }
1170 if (ok == 0)
1171 retval = 0;
1172
1173 while ((*l != '\0') && !ITEM_SEP(*l))
1174 l++;
1175 } else if (found) {
1176 if (alg_ssl == SSL_TLSV1_3)
1177 *tls13_seen = 1;
1178 ssl_cipher_apply_rule(cipher_id, alg_mkey, alg_auth,
1179 alg_enc, alg_mac, alg_ssl, algo_strength, rule,
1180 -1, head_p, tail_p);
1181 } else {
1182 while ((*l != '\0') && !ITEM_SEP(*l))
1183 l++;
1184 }
1185 if (*l == '\0')
1186 break; /* done */
1187 }
1188
1189 return (retval);
1190}
1191
1192static inline int
1193ssl_aes_is_accelerated(void)
1194{
1195#if defined(__i386__) || defined(__x86_64__)
1196 return ((OPENSSL_cpu_caps() & (1ULL << 57)) != 0);
1197#else
1198 return (0);
1199#endif
1200}
1201
1202STACK_OF(SSL_CIPHER) *
1203ssl_create_cipher_list(const SSL_METHOD *ssl_method,
1204 STACK_OF(SSL_CIPHER) **cipher_list,
1205 STACK_OF(SSL_CIPHER) *cipher_list_tls13,
1206 const char *rule_str, SSL_CERT *cert)
1207{
1208 int ok, num_of_ciphers, num_of_alias_max, num_of_group_aliases;
1209 unsigned long disabled_mkey, disabled_auth, disabled_enc, disabled_mac, disabled_ssl;
1210 STACK_OF(SSL_CIPHER) *cipherstack = NULL, *ret = NULL;
1211 const char *rule_p;
1212 CIPHER_ORDER *co_list = NULL, *head = NULL, *tail = NULL, *curr;
1213 const SSL_CIPHER **ca_list = NULL;
1214 const SSL_CIPHER *cipher;
1215 int tls13_seen = 0;
1216 int any_active;
1217 int i;
1218
1219 /*
1220 * Return with error if nothing to do.
1221 */
1222 if (rule_str == NULL || cipher_list == NULL)
1223 goto err;
1224
1225 /*
1226 * To reduce the work to do we only want to process the compiled
1227 * in algorithms, so we first get the mask of disabled ciphers.
1228 */
1229 ssl_cipher_get_disabled(&disabled_mkey, &disabled_auth, &disabled_enc, &disabled_mac, &disabled_ssl);
1230
1231 /*
1232 * Now we have to collect the available ciphers from the compiled
1233 * in ciphers. We cannot get more than the number compiled in, so
1234 * it is used for allocation.
1235 */
1236 num_of_ciphers = ssl3_num_ciphers();
1237 co_list = reallocarray(NULL, num_of_ciphers, sizeof(CIPHER_ORDER));
1238 if (co_list == NULL) {
1239 SSLerrorx(ERR_R_MALLOC_FAILURE);
1240 goto err;
1241 }
1242
1243 ssl_cipher_collect_ciphers(ssl_method, num_of_ciphers,
1244 disabled_mkey, disabled_auth, disabled_enc, disabled_mac, disabled_ssl,
1245 co_list, &head, &tail);
1246
1247
1248 /* Now arrange all ciphers by preference: */
1249
1250 /* Everything else being equal, prefer ephemeral ECDH over other key exchange mechanisms */
1251 ssl_cipher_apply_rule(0, SSL_kECDHE, 0, 0, 0, 0, 0, CIPHER_ADD, -1, &head, &tail);
1252 ssl_cipher_apply_rule(0, SSL_kECDHE, 0, 0, 0, 0, 0, CIPHER_DEL, -1, &head, &tail);
1253
1254 if (ssl_aes_is_accelerated()) {
1255 /*
1256 * We have hardware assisted AES - prefer AES as a symmetric
1257 * cipher, with CHACHA20 second.
1258 */
1259 ssl_cipher_apply_rule(0, 0, 0, SSL_AES, 0, 0, 0,
1260 CIPHER_ADD, -1, &head, &tail);
1261 ssl_cipher_apply_rule(0, 0, 0, SSL_CHACHA20POLY1305,
1262 0, 0, 0, CIPHER_ADD, -1, &head, &tail);
1263 } else {
1264 /*
1265 * CHACHA20 is fast and safe on all hardware and is thus our
1266 * preferred symmetric cipher, with AES second.
1267 */
1268 ssl_cipher_apply_rule(0, 0, 0, SSL_CHACHA20POLY1305,
1269 0, 0, 0, CIPHER_ADD, -1, &head, &tail);
1270 ssl_cipher_apply_rule(0, 0, 0, SSL_AES, 0, 0, 0,
1271 CIPHER_ADD, -1, &head, &tail);
1272 }
1273
1274 /* Temporarily enable everything else for sorting */
1275 ssl_cipher_apply_rule(0, 0, 0, 0, 0, 0, 0, CIPHER_ADD, -1, &head, &tail);
1276
1277 /* Low priority for MD5 */
1278 ssl_cipher_apply_rule(0, 0, 0, 0, SSL_MD5, 0, 0, CIPHER_ORD, -1, &head, &tail);
1279
1280 /* Move anonymous ciphers to the end. Usually, these will remain disabled.
1281 * (For applications that allow them, they aren't too bad, but we prefer
1282 * authenticated ciphers.) */
1283 ssl_cipher_apply_rule(0, 0, SSL_aNULL, 0, 0, 0, 0, CIPHER_ORD, -1, &head, &tail);
1284
1285 /* Move ciphers without forward secrecy to the end */
1286 ssl_cipher_apply_rule(0, SSL_kRSA, 0, 0, 0, 0, 0, CIPHER_ORD, -1, &head, &tail);
1287
1288 /* RC4 is sort of broken - move it to the end */
1289 ssl_cipher_apply_rule(0, 0, 0, SSL_RC4, 0, 0, 0, CIPHER_ORD, -1, &head, &tail);
1290
1291 /* Now sort by symmetric encryption strength. The above ordering remains
1292 * in force within each class */
1293 if (!ssl_cipher_strength_sort(&head, &tail))
1294 goto err;
1295
1296 /* Now disable everything (maintaining the ordering!) */
1297 ssl_cipher_apply_rule(0, 0, 0, 0, 0, 0, 0, CIPHER_DEL, -1, &head, &tail);
1298
1299 /* TLSv1.3 first. */
1300 ssl_cipher_apply_rule(0, 0, 0, 0, 0, SSL_TLSV1_3, 0, CIPHER_ADD, -1, &head, &tail);
1301 ssl_cipher_apply_rule(0, 0, 0, 0, 0, SSL_TLSV1_3, 0, CIPHER_DEL, -1, &head, &tail);
1302
1303 /*
1304 * We also need cipher aliases for selecting based on the rule_str.
1305 * There might be two types of entries in the rule_str: 1) names
1306 * of ciphers themselves 2) aliases for groups of ciphers.
1307 * For 1) we need the available ciphers and for 2) the cipher
1308 * groups of cipher_aliases added together in one list (otherwise
1309 * we would be happy with just the cipher_aliases table).
1310 */
1311 num_of_group_aliases = sizeof(cipher_aliases) / sizeof(SSL_CIPHER);
1312 num_of_alias_max = num_of_ciphers + num_of_group_aliases + 1;
1313 ca_list = reallocarray(NULL, num_of_alias_max, sizeof(SSL_CIPHER *));
1314 if (ca_list == NULL) {
1315 SSLerrorx(ERR_R_MALLOC_FAILURE);
1316 goto err;
1317 }
1318 ssl_cipher_collect_aliases(ca_list, num_of_group_aliases, disabled_mkey,
1319 disabled_auth, disabled_enc, disabled_mac, disabled_ssl, head);
1320
1321 /*
1322 * If the rule_string begins with DEFAULT, apply the default rule
1323 * before using the (possibly available) additional rules.
1324 */
1325 ok = 1;
1326 rule_p = rule_str;
1327 if (strncmp(rule_str, "DEFAULT", 7) == 0) {
1328 ok = ssl_cipher_process_rulestr(SSL_DEFAULT_CIPHER_LIST,
1329 &head, &tail, ca_list, cert, &tls13_seen);
1330 rule_p += 7;
1331 if (*rule_p == ':')
1332 rule_p++;
1333 }
1334
1335 if (ok && (strlen(rule_p) > 0))
1336 ok = ssl_cipher_process_rulestr(rule_p, &head, &tail, ca_list,
1337 cert, &tls13_seen);
1338
1339 if (!ok) {
1340 /* Rule processing failure */
1341 goto err;
1342 }
1343
1344 /*
1345 * Allocate new "cipherstack" for the result, return with error
1346 * if we cannot get one.
1347 */
1348 if ((cipherstack = sk_SSL_CIPHER_new_null()) == NULL) {
1349 SSLerrorx(ERR_R_MALLOC_FAILURE);
1350 goto err;
1351 }
1352
1353 /* Prefer TLSv1.3 cipher suites. */
1354 if (cipher_list_tls13 != NULL) {
1355 for (i = 0; i < sk_SSL_CIPHER_num(cipher_list_tls13); i++) {
1356 cipher = sk_SSL_CIPHER_value(cipher_list_tls13, i);
1357 if (!sk_SSL_CIPHER_push(cipherstack, cipher)) {
1358 SSLerrorx(ERR_R_MALLOC_FAILURE);
1359 goto err;
1360 }
1361 }
1362 tls13_seen = 1;
1363 }
1364
1365 /*
1366 * The cipher selection for the list is done. The ciphers are added
1367 * to the resulting precedence to the STACK_OF(SSL_CIPHER).
1368 *
1369 * If the rule string did not contain any references to TLSv1.3 and
1370 * TLSv1.3 cipher suites have not been configured separately,
1371 * include inactive TLSv1.3 cipher suites. This avoids attempts to
1372 * use TLSv1.3 with an older rule string that does not include
1373 * TLSv1.3 cipher suites. If the rule string resulted in no active
1374 * cipher suites then we return an empty stack.
1375 */
1376 any_active = 0;
1377 for (curr = head; curr != NULL; curr = curr->next) {
1378 if (curr->active ||
1379 (!tls13_seen && curr->cipher->algorithm_ssl == SSL_TLSV1_3)) {
1380 if (!sk_SSL_CIPHER_push(cipherstack, curr->cipher)) {
1381 SSLerrorx(ERR_R_MALLOC_FAILURE);
1382 goto err;
1383 }
1384 }
1385 any_active |= curr->active;
1386 }
1387 if (!any_active)
1388 sk_SSL_CIPHER_zero(cipherstack);
1389
1390 sk_SSL_CIPHER_free(*cipher_list);
1391 *cipher_list = cipherstack;
1392 cipherstack = NULL;
1393
1394 ret = *cipher_list;
1395
1396 err:
1397 sk_SSL_CIPHER_free(cipherstack);
1398 free((void *)ca_list);
1399 free(co_list);
1400
1401 return ret;
1402}
1403
1404const SSL_CIPHER *
1405SSL_CIPHER_get_by_id(unsigned int id)
1406{
1407 return ssl3_get_cipher_by_id(id);
1408}
1409
1410const SSL_CIPHER *
1411SSL_CIPHER_get_by_value(uint16_t value)
1412{
1413 return ssl3_get_cipher_by_value(value);
1414}
1415
1416char *
1417SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
1418{
1419 unsigned long alg_mkey, alg_auth, alg_enc, alg_mac, alg_ssl, alg2;
1420 const char *ver, *kx, *au, *enc, *mac;
1421 char *ret;
1422 int l;
1423
1424 alg_mkey = cipher->algorithm_mkey;
1425 alg_auth = cipher->algorithm_auth;
1426 alg_enc = cipher->algorithm_enc;
1427 alg_mac = cipher->algorithm_mac;
1428 alg_ssl = cipher->algorithm_ssl;
1429
1430 alg2 = cipher->algorithm2;
1431
1432 if (alg_ssl & SSL_SSLV3)
1433 ver = "SSLv3";
1434 else if (alg_ssl & SSL_TLSV1_2)
1435 ver = "TLSv1.2";
1436 else if (alg_ssl & SSL_TLSV1_3)
1437 ver = "TLSv1.3";
1438 else
1439 ver = "unknown";
1440
1441 switch (alg_mkey) {
1442 case SSL_kRSA:
1443 kx = "RSA";
1444 break;
1445 case SSL_kDHE:
1446 kx = "DH";
1447 break;
1448 case SSL_kECDHE:
1449 kx = "ECDH";
1450 break;
1451 case SSL_kGOST:
1452 kx = "GOST";
1453 break;
1454 case SSL_kTLS1_3:
1455 kx = "TLSv1.3";
1456 break;
1457 default:
1458 kx = "unknown";
1459 }
1460
1461 switch (alg_auth) {
1462 case SSL_aRSA:
1463 au = "RSA";
1464 break;
1465 case SSL_aDSS:
1466 au = "DSS";
1467 break;
1468 case SSL_aNULL:
1469 au = "None";
1470 break;
1471 case SSL_aECDSA:
1472 au = "ECDSA";
1473 break;
1474 case SSL_aGOST01:
1475 au = "GOST01";
1476 break;
1477 case SSL_aTLS1_3:
1478 au = "TLSv1.3";
1479 break;
1480 default:
1481 au = "unknown";
1482 break;
1483 }
1484
1485 switch (alg_enc) {
1486 case SSL_3DES:
1487 enc = "3DES(168)";
1488 break;
1489 case SSL_RC4:
1490 enc = alg2 & SSL2_CF_8_BYTE_ENC ? "RC4(64)" : "RC4(128)";
1491 break;
1492 case SSL_eNULL:
1493 enc = "None";
1494 break;
1495 case SSL_AES128:
1496 enc = "AES(128)";
1497 break;
1498 case SSL_AES256:
1499 enc = "AES(256)";
1500 break;
1501 case SSL_AES128GCM:
1502 enc = "AESGCM(128)";
1503 break;
1504 case SSL_AES256GCM:
1505 enc = "AESGCM(256)";
1506 break;
1507 case SSL_CAMELLIA128:
1508 enc = "Camellia(128)";
1509 break;
1510 case SSL_CAMELLIA256:
1511 enc = "Camellia(256)";
1512 break;
1513 case SSL_CHACHA20POLY1305:
1514 enc = "ChaCha20-Poly1305";
1515 break;
1516 case SSL_eGOST2814789CNT:
1517 enc = "GOST-28178-89-CNT";
1518 break;
1519 default:
1520 enc = "unknown";
1521 break;
1522 }
1523
1524 switch (alg_mac) {
1525 case SSL_MD5:
1526 mac = "MD5";
1527 break;
1528 case SSL_SHA1:
1529 mac = "SHA1";
1530 break;
1531 case SSL_SHA256:
1532 mac = "SHA256";
1533 break;
1534 case SSL_SHA384:
1535 mac = "SHA384";
1536 break;
1537 case SSL_AEAD:
1538 mac = "AEAD";
1539 break;
1540 case SSL_GOST94:
1541 mac = "GOST94";
1542 break;
1543 case SSL_GOST89MAC:
1544 mac = "GOST89IMIT";
1545 break;
1546 case SSL_STREEBOG256:
1547 mac = "STREEBOG256";
1548 break;
1549 default:
1550 mac = "unknown";
1551 break;
1552 }
1553
1554 if (asprintf(&ret, "%-23s %s Kx=%-8s Au=%-4s Enc=%-9s Mac=%-4s\n",
1555 cipher->name, ver, kx, au, enc, mac) == -1)
1556 return "OPENSSL_malloc Error";
1557
1558 if (buf != NULL) {
1559 l = strlcpy(buf, ret, len);
1560 free(ret);
1561 ret = buf;
1562 if (l >= len)
1563 ret = "Buffer too small";
1564 }
1565
1566 return (ret);
1567}
1568
1569const char *
1570SSL_CIPHER_get_version(const SSL_CIPHER *c)
1571{
1572 if (c == NULL)
1573 return("(NONE)");
1574 if ((c->id >> 24) == 3)
1575 return("TLSv1/SSLv3");
1576 else
1577 return("unknown");
1578}
1579
1580/* return the actual cipher being used */
1581const char *
1582SSL_CIPHER_get_name(const SSL_CIPHER *c)
1583{
1584 if (c != NULL)
1585 return (c->name);
1586 return("(NONE)");
1587}
1588
1589/* number of bits for symmetric cipher */
1590int
1591SSL_CIPHER_get_bits(const SSL_CIPHER *c, int *alg_bits)
1592{
1593 int ret = 0;
1594
1595 if (c != NULL) {
1596 if (alg_bits != NULL)
1597 *alg_bits = c->alg_bits;
1598 ret = c->strength_bits;
1599 }
1600 return (ret);
1601}
1602
1603unsigned long
1604SSL_CIPHER_get_id(const SSL_CIPHER *c)
1605{
1606 return c->id;
1607}
1608
1609uint16_t
1610SSL_CIPHER_get_value(const SSL_CIPHER *c)
1611{
1612 return ssl3_cipher_get_value(c);
1613}
1614
1615const SSL_CIPHER *
1616SSL_CIPHER_find(SSL *ssl, const unsigned char *ptr)
1617{
1618 uint16_t cipher_value;
1619 CBS cbs;
1620
1621 /* This API is documented with ptr being an array of length two. */
1622 CBS_init(&cbs, ptr, 2);
1623 if (!CBS_get_u16(&cbs, &cipher_value))
1624 return NULL;
1625
1626 return ssl3_get_cipher_by_value(cipher_value);
1627}
1628
1629int
1630SSL_CIPHER_get_cipher_nid(const SSL_CIPHER *c)
1631{
1632 switch (c->algorithm_enc) {
1633 case SSL_eNULL:
1634 return NID_undef;
1635 case SSL_3DES:
1636 return NID_des_ede3_cbc;
1637 case SSL_AES128:
1638 return NID_aes_128_cbc;
1639 case SSL_AES128GCM:
1640 return NID_aes_128_gcm;
1641 case SSL_AES256:
1642 return NID_aes_256_cbc;
1643 case SSL_AES256GCM:
1644 return NID_aes_256_gcm;
1645 case SSL_CAMELLIA128:
1646 return NID_camellia_128_cbc;
1647 case SSL_CAMELLIA256:
1648 return NID_camellia_256_cbc;
1649 case SSL_CHACHA20POLY1305:
1650 return NID_chacha20_poly1305;
1651 case SSL_DES:
1652 return NID_des_cbc;
1653 case SSL_RC4:
1654 return NID_rc4;
1655 case SSL_eGOST2814789CNT:
1656 return NID_gost89_cnt;
1657 default:
1658 return NID_undef;
1659 }
1660}
1661
1662int
1663SSL_CIPHER_get_digest_nid(const SSL_CIPHER *c)
1664{
1665 switch (c->algorithm_mac) {
1666 case SSL_AEAD:
1667 return NID_undef;
1668 case SSL_GOST89MAC:
1669 return NID_id_Gost28147_89_MAC;
1670 case SSL_GOST94:
1671 return NID_id_GostR3411_94;
1672 case SSL_MD5:
1673 return NID_md5;
1674 case SSL_SHA1:
1675 return NID_sha1;
1676 case SSL_SHA256:
1677 return NID_sha256;
1678 case SSL_SHA384:
1679 return NID_sha384;
1680 case SSL_STREEBOG256:
1681 return NID_id_tc26_gost3411_2012_256;
1682 default:
1683 return NID_undef;
1684 }
1685}
1686
1687int
1688SSL_CIPHER_get_kx_nid(const SSL_CIPHER *c)
1689{
1690 switch (c->algorithm_mkey) {
1691 case SSL_kDHE:
1692 return NID_kx_dhe;
1693 case SSL_kECDHE:
1694 return NID_kx_ecdhe;
1695 case SSL_kGOST:
1696 return NID_kx_gost;
1697 case SSL_kRSA:
1698 return NID_kx_rsa;
1699 default:
1700 return NID_undef;
1701 }
1702}
1703
1704int
1705SSL_CIPHER_get_auth_nid(const SSL_CIPHER *c)
1706{
1707 switch (c->algorithm_auth) {
1708 case SSL_aNULL:
1709 return NID_auth_null;
1710 case SSL_aECDSA:
1711 return NID_auth_ecdsa;
1712 case SSL_aGOST01:
1713 return NID_auth_gost01;
1714 case SSL_aRSA:
1715 return NID_auth_rsa;
1716 default:
1717 return NID_undef;
1718 }
1719}
1720
1721int
1722SSL_CIPHER_is_aead(const SSL_CIPHER *c)
1723{
1724 return (c->algorithm_mac & SSL_AEAD) == SSL_AEAD;
1725}
1726
1727void *
1728SSL_COMP_get_compression_methods(void)
1729{
1730 return NULL;
1731}
1732
1733int
1734SSL_COMP_add_compression_method(int id, void *cm)
1735{
1736 return 1;
1737}
1738
1739const char *
1740SSL_COMP_get_name(const void *comp)
1741{
1742 return NULL;
1743}
diff --git a/src/lib/libssl/ssl_ciphers.c b/src/lib/libssl/ssl_ciphers.c
deleted file mode 100644
index 4ec1b099bc..0000000000
--- a/src/lib/libssl/ssl_ciphers.c
+++ /dev/null
@@ -1,286 +0,0 @@
1/* $OpenBSD: ssl_ciphers.c,v 1.17 2022/11/26 16:08:55 tb Exp $ */
2/*
3 * Copyright (c) 2015-2017 Doug Hogan <doug@openbsd.org>
4 * Copyright (c) 2015-2018, 2020 Joel Sing <jsing@openbsd.org>
5 * Copyright (c) 2019 Theo Buehler <tb@openbsd.org>
6 *
7 * Permission to use, copy, modify, and distribute this software for any
8 * purpose with or without fee is hereby granted, provided that the above
9 * copyright notice and this permission notice appear in all copies.
10 *
11 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
12 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
13 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
14 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
15 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
16 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
17 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18 */
19
20#include <openssl/safestack.h>
21
22#include "bytestring.h"
23#include "ssl_local.h"
24
25int
26ssl_cipher_in_list(STACK_OF(SSL_CIPHER) *ciphers, const SSL_CIPHER *cipher)
27{
28 int i;
29
30 for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) {
31 if (sk_SSL_CIPHER_value(ciphers, i)->id == cipher->id)
32 return 1;
33 }
34
35 return 0;
36}
37
38int
39ssl_cipher_allowed_in_tls_version_range(const SSL_CIPHER *cipher, uint16_t min_ver,
40 uint16_t max_ver)
41{
42 switch(cipher->algorithm_ssl) {
43 case SSL_SSLV3:
44 return (min_ver <= TLS1_2_VERSION);
45 case SSL_TLSV1_2:
46 return (min_ver <= TLS1_2_VERSION && TLS1_2_VERSION <= max_ver);
47 case SSL_TLSV1_3:
48 return (min_ver <= TLS1_3_VERSION && TLS1_3_VERSION <= max_ver);
49 }
50 return 0;
51}
52
53int
54ssl_cipher_list_to_bytes(SSL *s, STACK_OF(SSL_CIPHER) *ciphers, CBB *cbb)
55{
56 SSL_CIPHER *cipher;
57 int num_ciphers = 0;
58 uint16_t min_vers, max_vers;
59 int i;
60
61 if (ciphers == NULL)
62 return 0;
63
64 if (!ssl_supported_tls_version_range(s, &min_vers, &max_vers))
65 return 0;
66
67 for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) {
68 if ((cipher = sk_SSL_CIPHER_value(ciphers, i)) == NULL)
69 return 0;
70 if (!ssl_cipher_allowed_in_tls_version_range(cipher, min_vers,
71 max_vers))
72 continue;
73 if (!ssl_security_cipher_check(s, cipher))
74 continue;
75 if (!CBB_add_u16(cbb, ssl3_cipher_get_value(cipher)))
76 return 0;
77
78 num_ciphers++;
79 }
80
81 /* Add SCSV if there are other ciphers and we're not renegotiating. */
82 if (num_ciphers > 0 && !s->renegotiate) {
83 if (!CBB_add_u16(cbb, SSL3_CK_SCSV & SSL3_CK_VALUE_MASK))
84 return 0;
85 }
86
87 if (!CBB_flush(cbb))
88 return 0;
89
90 return 1;
91}
92
93STACK_OF(SSL_CIPHER) *
94ssl_bytes_to_cipher_list(SSL *s, CBS *cbs)
95{
96 STACK_OF(SSL_CIPHER) *ciphers = NULL;
97 const SSL_CIPHER *cipher;
98 uint16_t cipher_value;
99 unsigned long cipher_id;
100
101 s->s3->send_connection_binding = 0;
102
103 if ((ciphers = sk_SSL_CIPHER_new_null()) == NULL) {
104 SSLerror(s, ERR_R_MALLOC_FAILURE);
105 goto err;
106 }
107
108 while (CBS_len(cbs) > 0) {
109 if (!CBS_get_u16(cbs, &cipher_value)) {
110 SSLerror(s, SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST);
111 goto err;
112 }
113
114 cipher_id = SSL3_CK_ID | cipher_value;
115
116 if (cipher_id == SSL3_CK_SCSV) {
117 /*
118 * TLS_EMPTY_RENEGOTIATION_INFO_SCSV is fatal if
119 * renegotiating.
120 */
121 if (s->renegotiate) {
122 SSLerror(s, SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING);
123 ssl3_send_alert(s, SSL3_AL_FATAL,
124 SSL_AD_HANDSHAKE_FAILURE);
125
126 goto err;
127 }
128 s->s3->send_connection_binding = 1;
129 continue;
130 }
131
132 if (cipher_id == SSL3_CK_FALLBACK_SCSV) {
133 /*
134 * TLS_FALLBACK_SCSV indicates that the client
135 * previously tried a higher protocol version.
136 * Fail if the current version is an unexpected
137 * downgrade.
138 */
139 if (s->s3->hs.negotiated_tls_version <
140 s->s3->hs.our_max_tls_version) {
141 SSLerror(s, SSL_R_INAPPROPRIATE_FALLBACK);
142 ssl3_send_alert(s, SSL3_AL_FATAL,
143 SSL_AD_INAPPROPRIATE_FALLBACK);
144 goto err;
145 }
146 continue;
147 }
148
149 if ((cipher = ssl3_get_cipher_by_value(cipher_value)) != NULL) {
150 if (!sk_SSL_CIPHER_push(ciphers, cipher)) {
151 SSLerror(s, ERR_R_MALLOC_FAILURE);
152 goto err;
153 }
154 }
155 }
156
157 return (ciphers);
158
159 err:
160 sk_SSL_CIPHER_free(ciphers);
161
162 return (NULL);
163}
164
165struct ssl_tls13_ciphersuite {
166 const char *name;
167 const char *alias;
168 unsigned long cid;
169};
170
171static const struct ssl_tls13_ciphersuite ssl_tls13_ciphersuites[] = {
172 {
173 .name = TLS1_3_RFC_AES_128_GCM_SHA256,
174 .alias = TLS1_3_TXT_AES_128_GCM_SHA256,
175 .cid = TLS1_3_CK_AES_128_GCM_SHA256,
176 },
177 {
178 .name = TLS1_3_RFC_AES_256_GCM_SHA384,
179 .alias = TLS1_3_TXT_AES_256_GCM_SHA384,
180 .cid = TLS1_3_CK_AES_256_GCM_SHA384,
181 },
182 {
183 .name = TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
184 .alias = TLS1_3_TXT_CHACHA20_POLY1305_SHA256,
185 .cid = TLS1_3_CK_CHACHA20_POLY1305_SHA256,
186 },
187 {
188 .name = TLS1_3_RFC_AES_128_CCM_SHA256,
189 .alias = TLS1_3_TXT_AES_128_CCM_SHA256,
190 .cid = TLS1_3_CK_AES_128_CCM_SHA256,
191 },
192 {
193 .name = TLS1_3_RFC_AES_128_CCM_8_SHA256,
194 .alias = TLS1_3_TXT_AES_128_CCM_8_SHA256,
195 .cid = TLS1_3_CK_AES_128_CCM_8_SHA256,
196 },
197 {
198 .name = NULL,
199 },
200};
201
202int
203ssl_parse_ciphersuites(STACK_OF(SSL_CIPHER) **out_ciphers, const char *str)
204{
205 const struct ssl_tls13_ciphersuite *ciphersuite;
206 STACK_OF(SSL_CIPHER) *ciphers;
207 const SSL_CIPHER *cipher;
208 char *s = NULL;
209 char *p, *q;
210 int i;
211 int ret = 0;
212
213 if ((ciphers = sk_SSL_CIPHER_new_null()) == NULL)
214 goto err;
215
216 /* An empty string is valid and means no ciphers. */
217 if (strcmp(str, "") == 0)
218 goto done;
219
220 if ((s = strdup(str)) == NULL)
221 goto err;
222
223 q = s;
224 while ((p = strsep(&q, ":")) != NULL) {
225 ciphersuite = &ssl_tls13_ciphersuites[0];
226 for (i = 0; ciphersuite->name != NULL; i++) {
227 if (strcmp(p, ciphersuite->name) == 0)
228 break;
229 if (strcmp(p, ciphersuite->alias) == 0)
230 break;
231 ciphersuite = &ssl_tls13_ciphersuites[i];
232 }
233 if (ciphersuite->name == NULL)
234 goto err;
235
236 /* We know about the cipher suite, but it is not supported. */
237 if ((cipher = ssl3_get_cipher_by_id(ciphersuite->cid)) == NULL)
238 continue;
239
240 if (!sk_SSL_CIPHER_push(ciphers, cipher))
241 goto err;
242 }
243
244 done:
245 sk_SSL_CIPHER_free(*out_ciphers);
246 *out_ciphers = ciphers;
247 ciphers = NULL;
248 ret = 1;
249
250 err:
251 sk_SSL_CIPHER_free(ciphers);
252 free(s);
253
254 return ret;
255}
256
257int
258ssl_merge_cipherlists(STACK_OF(SSL_CIPHER) *cipherlist,
259 STACK_OF(SSL_CIPHER) *cipherlist_tls13,
260 STACK_OF(SSL_CIPHER) **out_cipherlist)
261{
262 STACK_OF(SSL_CIPHER) *ciphers = NULL;
263 const SSL_CIPHER *cipher;
264 int i, ret = 0;
265
266 if ((ciphers = sk_SSL_CIPHER_dup(cipherlist_tls13)) == NULL)
267 goto err;
268 for (i = 0; i < sk_SSL_CIPHER_num(cipherlist); i++) {
269 cipher = sk_SSL_CIPHER_value(cipherlist, i);
270 if (cipher->algorithm_ssl == SSL_TLSV1_3)
271 continue;
272 if (!sk_SSL_CIPHER_push(ciphers, cipher))
273 goto err;
274 }
275
276 sk_SSL_CIPHER_free(*out_cipherlist);
277 *out_cipherlist = ciphers;
278 ciphers = NULL;
279
280 ret = 1;
281
282 err:
283 sk_SSL_CIPHER_free(ciphers);
284
285 return ret;
286}
diff --git a/src/lib/libssl/ssl_clnt.c b/src/lib/libssl/ssl_clnt.c
deleted file mode 100644
index c721aede4e..0000000000
--- a/src/lib/libssl/ssl_clnt.c
+++ /dev/null
@@ -1,2674 +0,0 @@
1/* $OpenBSD: ssl_clnt.c,v 1.158 2022/12/26 07:31:44 jmc Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58/* ====================================================================
59 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
60 *
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
63 * are met:
64 *
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
67 *
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
71 * distribution.
72 *
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77 *
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
82 *
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
86 *
87 * 6. Redistributions of any form whatsoever must retain the following
88 * acknowledgment:
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91 *
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
105 *
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
109 *
110 */
111/* ====================================================================
112 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
113 *
114 * Portions of the attached software ("Contribution") are developed by
115 * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project.
116 *
117 * The Contribution is licensed pursuant to the OpenSSL open source
118 * license provided above.
119 *
120 * ECC cipher suite support in OpenSSL originally written by
121 * Vipul Gupta and Sumit Gupta of Sun Microsystems Laboratories.
122 *
123 */
124/* ====================================================================
125 * Copyright 2005 Nokia. All rights reserved.
126 *
127 * The portions of the attached software ("Contribution") is developed by
128 * Nokia Corporation and is licensed pursuant to the OpenSSL open source
129 * license.
130 *
131 * The Contribution, originally written by Mika Kousa and Pasi Eronen of
132 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
133 * support (see RFC 4279) to OpenSSL.
134 *
135 * No patent licenses or other rights except those expressly stated in
136 * the OpenSSL open source license shall be deemed granted or received
137 * expressly, by implication, estoppel, or otherwise.
138 *
139 * No assurances are provided by Nokia that the Contribution does not
140 * infringe the patent or other intellectual property rights of any third
141 * party or that the license provides you with all the necessary rights
142 * to make use of the Contribution.
143 *
144 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
145 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
146 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
147 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
148 * OTHERWISE.
149 */
150
151#include <limits.h>
152#include <stdint.h>
153#include <stdio.h>
154
155#include <openssl/bn.h>
156#include <openssl/buffer.h>
157#include <openssl/curve25519.h>
158#include <openssl/dh.h>
159#include <openssl/evp.h>
160#include <openssl/md5.h>
161#include <openssl/objects.h>
162#include <openssl/opensslconf.h>
163
164#ifndef OPENSSL_NO_ENGINE
165#include <openssl/engine.h>
166#endif
167#ifndef OPENSSL_NO_GOST
168#include <openssl/gost.h>
169#endif
170
171#include "bytestring.h"
172#include "dtls_local.h"
173#include "ssl_local.h"
174#include "ssl_sigalgs.h"
175#include "ssl_tlsext.h"
176
177static int ca_dn_cmp(const X509_NAME * const *a, const X509_NAME * const *b);
178
179static int ssl3_send_client_hello(SSL *s);
180static int ssl3_get_dtls_hello_verify(SSL *s);
181static int ssl3_get_server_hello(SSL *s);
182static int ssl3_get_certificate_request(SSL *s);
183static int ssl3_get_new_session_ticket(SSL *s);
184static int ssl3_get_cert_status(SSL *s);
185static int ssl3_get_server_done(SSL *s);
186static int ssl3_send_client_verify(SSL *s);
187static int ssl3_send_client_certificate(SSL *s);
188static int ssl_do_client_cert_cb(SSL *s, X509 **px509, EVP_PKEY **ppkey);
189static int ssl3_send_client_key_exchange(SSL *s);
190static int ssl3_get_server_key_exchange(SSL *s);
191static int ssl3_get_server_certificate(SSL *s);
192static int ssl3_check_cert_and_algorithm(SSL *s);
193static int ssl3_check_finished(SSL *s);
194static int ssl3_send_client_change_cipher_spec(SSL *s);
195static int ssl3_send_client_finished(SSL *s);
196static int ssl3_get_server_finished(SSL *s);
197
198int
199ssl3_connect(SSL *s)
200{
201 int new_state, state, skip = 0;
202 int ret = -1;
203
204 ERR_clear_error();
205 errno = 0;
206
207 s->in_handshake++;
208 if (!SSL_in_init(s) || SSL_in_before(s))
209 SSL_clear(s);
210
211 for (;;) {
212 state = s->s3->hs.state;
213
214 switch (s->s3->hs.state) {
215 case SSL_ST_RENEGOTIATE:
216 s->renegotiate = 1;
217 s->s3->hs.state = SSL_ST_CONNECT;
218 s->ctx->stats.sess_connect_renegotiate++;
219 /* break */
220 case SSL_ST_BEFORE:
221 case SSL_ST_CONNECT:
222 case SSL_ST_BEFORE|SSL_ST_CONNECT:
223 case SSL_ST_OK|SSL_ST_CONNECT:
224
225 s->server = 0;
226
227 ssl_info_callback(s, SSL_CB_HANDSHAKE_START, 1);
228
229 if (!ssl_legacy_stack_version(s, s->version)) {
230 SSLerror(s, ERR_R_INTERNAL_ERROR);
231 ret = -1;
232 goto end;
233 }
234
235 if (!ssl_supported_tls_version_range(s,
236 &s->s3->hs.our_min_tls_version,
237 &s->s3->hs.our_max_tls_version)) {
238 SSLerror(s, SSL_R_NO_PROTOCOLS_AVAILABLE);
239 ret = -1;
240 goto end;
241 }
242
243 if (!ssl_security_version(s,
244 s->s3->hs.our_min_tls_version)) {
245 SSLerror(s, SSL_R_VERSION_TOO_LOW);
246 ret = -1;
247 goto end;
248 }
249
250 if (!ssl3_setup_init_buffer(s)) {
251 ret = -1;
252 goto end;
253 }
254 if (!ssl3_setup_buffers(s)) {
255 ret = -1;
256 goto end;
257 }
258 if (!ssl_init_wbio_buffer(s, 0)) {
259 ret = -1;
260 goto end;
261 }
262
263 /* don't push the buffering BIO quite yet */
264
265 if (!tls1_transcript_init(s)) {
266 ret = -1;
267 goto end;
268 }
269
270 s->s3->hs.state = SSL3_ST_CW_CLNT_HELLO_A;
271 s->ctx->stats.sess_connect++;
272 s->init_num = 0;
273
274 if (SSL_is_dtls(s)) {
275 /* mark client_random uninitialized */
276 memset(s->s3->client_random, 0,
277 sizeof(s->s3->client_random));
278 s->d1->send_cookie = 0;
279 s->hit = 0;
280 }
281 break;
282
283 case SSL3_ST_CW_CLNT_HELLO_A:
284 case SSL3_ST_CW_CLNT_HELLO_B:
285 s->shutdown = 0;
286
287 if (SSL_is_dtls(s)) {
288 /* every DTLS ClientHello resets Finished MAC */
289 tls1_transcript_reset(s);
290
291 dtls1_start_timer(s);
292 }
293
294 ret = ssl3_send_client_hello(s);
295 if (ret <= 0)
296 goto end;
297
298 if (SSL_is_dtls(s) && s->d1->send_cookie) {
299 s->s3->hs.state = SSL3_ST_CW_FLUSH;
300 s->s3->hs.tls12.next_state = SSL3_ST_CR_SRVR_HELLO_A;
301 } else
302 s->s3->hs.state = SSL3_ST_CR_SRVR_HELLO_A;
303
304 s->init_num = 0;
305
306 /* turn on buffering for the next lot of output */
307 if (s->bbio != s->wbio)
308 s->wbio = BIO_push(s->bbio, s->wbio);
309
310 break;
311
312 case SSL3_ST_CR_SRVR_HELLO_A:
313 case SSL3_ST_CR_SRVR_HELLO_B:
314 ret = ssl3_get_server_hello(s);
315 if (ret <= 0)
316 goto end;
317
318 if (s->hit) {
319 s->s3->hs.state = SSL3_ST_CR_FINISHED_A;
320 if (!SSL_is_dtls(s)) {
321 if (s->tlsext_ticket_expected) {
322 /* receive renewed session ticket */
323 s->s3->hs.state = SSL3_ST_CR_SESSION_TICKET_A;
324 }
325
326 /* No client certificate verification. */
327 tls1_transcript_free(s);
328 }
329 } else if (SSL_is_dtls(s)) {
330 s->s3->hs.state = DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A;
331 } else {
332 s->s3->hs.state = SSL3_ST_CR_CERT_A;
333 }
334 s->init_num = 0;
335 break;
336
337 case DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A:
338 case DTLS1_ST_CR_HELLO_VERIFY_REQUEST_B:
339 ret = ssl3_get_dtls_hello_verify(s);
340 if (ret <= 0)
341 goto end;
342 dtls1_stop_timer(s);
343 if (s->d1->send_cookie) /* start again, with a cookie */
344 s->s3->hs.state = SSL3_ST_CW_CLNT_HELLO_A;
345 else
346 s->s3->hs.state = SSL3_ST_CR_CERT_A;
347 s->init_num = 0;
348 break;
349
350 case SSL3_ST_CR_CERT_A:
351 case SSL3_ST_CR_CERT_B:
352 ret = ssl3_check_finished(s);
353 if (ret <= 0)
354 goto end;
355 if (ret == 2) {
356 s->hit = 1;
357 if (s->tlsext_ticket_expected)
358 s->s3->hs.state = SSL3_ST_CR_SESSION_TICKET_A;
359 else
360 s->s3->hs.state = SSL3_ST_CR_FINISHED_A;
361 s->init_num = 0;
362 break;
363 }
364 /* Check if it is anon DH/ECDH. */
365 if (!(s->s3->hs.cipher->algorithm_auth &
366 SSL_aNULL)) {
367 ret = ssl3_get_server_certificate(s);
368 if (ret <= 0)
369 goto end;
370 if (s->tlsext_status_expected)
371 s->s3->hs.state = SSL3_ST_CR_CERT_STATUS_A;
372 else
373 s->s3->hs.state = SSL3_ST_CR_KEY_EXCH_A;
374 } else {
375 skip = 1;
376 s->s3->hs.state = SSL3_ST_CR_KEY_EXCH_A;
377 }
378 s->init_num = 0;
379 break;
380
381 case SSL3_ST_CR_KEY_EXCH_A:
382 case SSL3_ST_CR_KEY_EXCH_B:
383 ret = ssl3_get_server_key_exchange(s);
384 if (ret <= 0)
385 goto end;
386 s->s3->hs.state = SSL3_ST_CR_CERT_REQ_A;
387 s->init_num = 0;
388
389 /*
390 * At this point we check that we have the
391 * required stuff from the server.
392 */
393 if (!ssl3_check_cert_and_algorithm(s)) {
394 ret = -1;
395 goto end;
396 }
397 break;
398
399 case SSL3_ST_CR_CERT_REQ_A:
400 case SSL3_ST_CR_CERT_REQ_B:
401 ret = ssl3_get_certificate_request(s);
402 if (ret <= 0)
403 goto end;
404 s->s3->hs.state = SSL3_ST_CR_SRVR_DONE_A;
405 s->init_num = 0;
406 break;
407
408 case SSL3_ST_CR_SRVR_DONE_A:
409 case SSL3_ST_CR_SRVR_DONE_B:
410 ret = ssl3_get_server_done(s);
411 if (ret <= 0)
412 goto end;
413 if (SSL_is_dtls(s))
414 dtls1_stop_timer(s);
415 if (s->s3->hs.tls12.cert_request)
416 s->s3->hs.state = SSL3_ST_CW_CERT_A;
417 else
418 s->s3->hs.state = SSL3_ST_CW_KEY_EXCH_A;
419 s->init_num = 0;
420
421 break;
422
423 case SSL3_ST_CW_CERT_A:
424 case SSL3_ST_CW_CERT_B:
425 case SSL3_ST_CW_CERT_C:
426 case SSL3_ST_CW_CERT_D:
427 if (SSL_is_dtls(s))
428 dtls1_start_timer(s);
429 ret = ssl3_send_client_certificate(s);
430 if (ret <= 0)
431 goto end;
432 s->s3->hs.state = SSL3_ST_CW_KEY_EXCH_A;
433 s->init_num = 0;
434 break;
435
436 case SSL3_ST_CW_KEY_EXCH_A:
437 case SSL3_ST_CW_KEY_EXCH_B:
438 if (SSL_is_dtls(s))
439 dtls1_start_timer(s);
440 ret = ssl3_send_client_key_exchange(s);
441 if (ret <= 0)
442 goto end;
443 /*
444 * EAY EAY EAY need to check for DH fix cert
445 * sent back
446 */
447 /*
448 * For TLS, cert_req is set to 2, so a cert chain
449 * of nothing is sent, but no verify packet is sent
450 */
451 /*
452 * XXX: For now, we do not support client
453 * authentication in ECDH cipher suites with
454 * ECDH (rather than ECDSA) certificates.
455 * We need to skip the certificate verify
456 * message when client's ECDH public key is sent
457 * inside the client certificate.
458 */
459 if (s->s3->hs.tls12.cert_request == 1) {
460 s->s3->hs.state = SSL3_ST_CW_CERT_VRFY_A;
461 } else {
462 s->s3->hs.state = SSL3_ST_CW_CHANGE_A;
463 s->s3->change_cipher_spec = 0;
464 }
465 if (!SSL_is_dtls(s)) {
466 if (s->s3->flags & TLS1_FLAGS_SKIP_CERT_VERIFY) {
467 s->s3->hs.state = SSL3_ST_CW_CHANGE_A;
468 s->s3->change_cipher_spec = 0;
469 }
470 }
471
472 s->init_num = 0;
473 break;
474
475 case SSL3_ST_CW_CERT_VRFY_A:
476 case SSL3_ST_CW_CERT_VRFY_B:
477 if (SSL_is_dtls(s))
478 dtls1_start_timer(s);
479 ret = ssl3_send_client_verify(s);
480 if (ret <= 0)
481 goto end;
482 s->s3->hs.state = SSL3_ST_CW_CHANGE_A;
483 s->init_num = 0;
484 s->s3->change_cipher_spec = 0;
485 break;
486
487 case SSL3_ST_CW_CHANGE_A:
488 case SSL3_ST_CW_CHANGE_B:
489 if (SSL_is_dtls(s) && !s->hit)
490 dtls1_start_timer(s);
491 ret = ssl3_send_client_change_cipher_spec(s);
492 if (ret <= 0)
493 goto end;
494
495 s->s3->hs.state = SSL3_ST_CW_FINISHED_A;
496 s->init_num = 0;
497 s->session->cipher = s->s3->hs.cipher;
498
499 if (!tls1_setup_key_block(s)) {
500 ret = -1;
501 goto end;
502 }
503 if (!tls1_change_write_cipher_state(s)) {
504 ret = -1;
505 goto end;
506 }
507 break;
508
509 case SSL3_ST_CW_FINISHED_A:
510 case SSL3_ST_CW_FINISHED_B:
511 if (SSL_is_dtls(s) && !s->hit)
512 dtls1_start_timer(s);
513 ret = ssl3_send_client_finished(s);
514 if (ret <= 0)
515 goto end;
516 if (!SSL_is_dtls(s))
517 s->s3->flags |= SSL3_FLAGS_CCS_OK;
518 s->s3->hs.state = SSL3_ST_CW_FLUSH;
519
520 /* clear flags */
521 if (s->hit) {
522 s->s3->hs.tls12.next_state = SSL_ST_OK;
523 } else {
524 /* Allow NewSessionTicket if ticket expected */
525 if (s->tlsext_ticket_expected)
526 s->s3->hs.tls12.next_state =
527 SSL3_ST_CR_SESSION_TICKET_A;
528 else
529 s->s3->hs.tls12.next_state =
530 SSL3_ST_CR_FINISHED_A;
531 }
532 s->init_num = 0;
533 break;
534
535 case SSL3_ST_CR_SESSION_TICKET_A:
536 case SSL3_ST_CR_SESSION_TICKET_B:
537 ret = ssl3_get_new_session_ticket(s);
538 if (ret <= 0)
539 goto end;
540 s->s3->hs.state = SSL3_ST_CR_FINISHED_A;
541 s->init_num = 0;
542 break;
543
544 case SSL3_ST_CR_CERT_STATUS_A:
545 case SSL3_ST_CR_CERT_STATUS_B:
546 ret = ssl3_get_cert_status(s);
547 if (ret <= 0)
548 goto end;
549 s->s3->hs.state = SSL3_ST_CR_KEY_EXCH_A;
550 s->init_num = 0;
551 break;
552
553 case SSL3_ST_CR_FINISHED_A:
554 case SSL3_ST_CR_FINISHED_B:
555 if (SSL_is_dtls(s))
556 s->d1->change_cipher_spec_ok = 1;
557 else
558 s->s3->flags |= SSL3_FLAGS_CCS_OK;
559 ret = ssl3_get_server_finished(s);
560 if (ret <= 0)
561 goto end;
562 if (SSL_is_dtls(s))
563 dtls1_stop_timer(s);
564
565 if (s->hit)
566 s->s3->hs.state = SSL3_ST_CW_CHANGE_A;
567 else
568 s->s3->hs.state = SSL_ST_OK;
569 s->init_num = 0;
570 break;
571
572 case SSL3_ST_CW_FLUSH:
573 s->rwstate = SSL_WRITING;
574 if (BIO_flush(s->wbio) <= 0) {
575 if (SSL_is_dtls(s)) {
576 /* If the write error was fatal, stop trying */
577 if (!BIO_should_retry(s->wbio)) {
578 s->rwstate = SSL_NOTHING;
579 s->s3->hs.state = s->s3->hs.tls12.next_state;
580 }
581 }
582 ret = -1;
583 goto end;
584 }
585 s->rwstate = SSL_NOTHING;
586 s->s3->hs.state = s->s3->hs.tls12.next_state;
587 break;
588
589 case SSL_ST_OK:
590 /* clean a few things up */
591 tls1_cleanup_key_block(s);
592
593 if (s->s3->handshake_transcript != NULL) {
594 SSLerror(s, ERR_R_INTERNAL_ERROR);
595 ret = -1;
596 goto end;
597 }
598
599 if (!SSL_is_dtls(s))
600 ssl3_release_init_buffer(s);
601
602 ssl_free_wbio_buffer(s);
603
604 s->init_num = 0;
605 s->renegotiate = 0;
606 s->new_session = 0;
607
608 ssl_update_cache(s, SSL_SESS_CACHE_CLIENT);
609 if (s->hit)
610 s->ctx->stats.sess_hit++;
611
612 ret = 1;
613 /* s->server=0; */
614 s->handshake_func = ssl3_connect;
615 s->ctx->stats.sess_connect_good++;
616
617 ssl_info_callback(s, SSL_CB_HANDSHAKE_DONE, 1);
618
619 if (SSL_is_dtls(s)) {
620 /* done with handshaking */
621 s->d1->handshake_read_seq = 0;
622 s->d1->next_handshake_write_seq = 0;
623 }
624
625 goto end;
626 /* break; */
627
628 default:
629 SSLerror(s, SSL_R_UNKNOWN_STATE);
630 ret = -1;
631 goto end;
632 /* break; */
633 }
634
635 /* did we do anything */
636 if (!s->s3->hs.tls12.reuse_message && !skip) {
637 if (s->debug) {
638 if ((ret = BIO_flush(s->wbio)) <= 0)
639 goto end;
640 }
641
642 if (s->s3->hs.state != state) {
643 new_state = s->s3->hs.state;
644 s->s3->hs.state = state;
645 ssl_info_callback(s, SSL_CB_CONNECT_LOOP, 1);
646 s->s3->hs.state = new_state;
647 }
648 }
649 skip = 0;
650 }
651
652 end:
653 s->in_handshake--;
654 ssl_info_callback(s, SSL_CB_CONNECT_EXIT, ret);
655
656 return (ret);
657}
658
659static int
660ssl3_send_client_hello(SSL *s)
661{
662 CBB cbb, client_hello, session_id, cookie, cipher_suites;
663 CBB compression_methods;
664 uint16_t max_version;
665 size_t sl;
666
667 memset(&cbb, 0, sizeof(cbb));
668
669 if (s->s3->hs.state == SSL3_ST_CW_CLNT_HELLO_A) {
670 SSL_SESSION *sess = s->session;
671
672 if (!ssl_max_supported_version(s, &max_version)) {
673 SSLerror(s, SSL_R_NO_PROTOCOLS_AVAILABLE);
674 return (-1);
675 }
676 s->version = max_version;
677
678 if (sess == NULL || sess->ssl_version != s->version ||
679 (sess->session_id_length == 0 && sess->tlsext_tick == NULL) ||
680 sess->not_resumable) {
681 if (!ssl_get_new_session(s, 0))
682 goto err;
683 }
684 /* else use the pre-loaded session */
685
686 /*
687 * If a DTLS ClientHello message is being resent after a
688 * HelloVerifyRequest, we must retain the original client
689 * random value.
690 */
691 if (!SSL_is_dtls(s) || s->d1->send_cookie == 0)
692 arc4random_buf(s->s3->client_random, SSL3_RANDOM_SIZE);
693
694 if (!ssl3_handshake_msg_start(s, &cbb, &client_hello,
695 SSL3_MT_CLIENT_HELLO))
696 goto err;
697
698 if (!CBB_add_u16(&client_hello, s->version))
699 goto err;
700
701 /* Random stuff */
702 if (!CBB_add_bytes(&client_hello, s->s3->client_random,
703 sizeof(s->s3->client_random)))
704 goto err;
705
706 /* Session ID */
707 if (!CBB_add_u8_length_prefixed(&client_hello, &session_id))
708 goto err;
709 if (!s->new_session &&
710 s->session->session_id_length > 0) {
711 sl = s->session->session_id_length;
712 if (sl > sizeof(s->session->session_id)) {
713 SSLerror(s, ERR_R_INTERNAL_ERROR);
714 goto err;
715 }
716 if (!CBB_add_bytes(&session_id,
717 s->session->session_id, sl))
718 goto err;
719 }
720
721 /* DTLS Cookie. */
722 if (SSL_is_dtls(s)) {
723 if (s->d1->cookie_len > sizeof(s->d1->cookie)) {
724 SSLerror(s, ERR_R_INTERNAL_ERROR);
725 goto err;
726 }
727 if (!CBB_add_u8_length_prefixed(&client_hello, &cookie))
728 goto err;
729 if (!CBB_add_bytes(&cookie, s->d1->cookie,
730 s->d1->cookie_len))
731 goto err;
732 }
733
734 /* Ciphers supported */
735 if (!CBB_add_u16_length_prefixed(&client_hello, &cipher_suites))
736 return 0;
737 if (!ssl_cipher_list_to_bytes(s, SSL_get_ciphers(s),
738 &cipher_suites)) {
739 SSLerror(s, SSL_R_NO_CIPHERS_AVAILABLE);
740 goto err;
741 }
742
743 /* Add in compression methods (null) */
744 if (!CBB_add_u8_length_prefixed(&client_hello,
745 &compression_methods))
746 goto err;
747 if (!CBB_add_u8(&compression_methods, 0))
748 goto err;
749
750 /* TLS extensions */
751 if (!tlsext_client_build(s, SSL_TLSEXT_MSG_CH, &client_hello)) {
752 SSLerror(s, ERR_R_INTERNAL_ERROR);
753 goto err;
754 }
755
756 if (!ssl3_handshake_msg_finish(s, &cbb))
757 goto err;
758
759 s->s3->hs.state = SSL3_ST_CW_CLNT_HELLO_B;
760 }
761
762 /* SSL3_ST_CW_CLNT_HELLO_B */
763 return (ssl3_handshake_write(s));
764
765 err:
766 CBB_cleanup(&cbb);
767
768 return (-1);
769}
770
771static int
772ssl3_get_dtls_hello_verify(SSL *s)
773{
774 CBS hello_verify_request, cookie;
775 size_t cookie_len;
776 uint16_t ssl_version;
777 int al, ret;
778
779 if ((ret = ssl3_get_message(s, DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A,
780 DTLS1_ST_CR_HELLO_VERIFY_REQUEST_B, -1, s->max_cert_list)) <= 0)
781 return ret;
782
783 if (s->s3->hs.tls12.message_type != DTLS1_MT_HELLO_VERIFY_REQUEST) {
784 s->d1->send_cookie = 0;
785 s->s3->hs.tls12.reuse_message = 1;
786 return (1);
787 }
788
789 if (s->init_num < 0)
790 goto decode_err;
791
792 CBS_init(&hello_verify_request, s->init_msg,
793 s->init_num);
794
795 if (!CBS_get_u16(&hello_verify_request, &ssl_version))
796 goto decode_err;
797 if (!CBS_get_u8_length_prefixed(&hello_verify_request, &cookie))
798 goto decode_err;
799 if (CBS_len(&hello_verify_request) != 0)
800 goto decode_err;
801
802 /*
803 * Per RFC 6347 section 4.2.1, the HelloVerifyRequest should always
804 * contain DTLSv1.0 the version that is going to be negotiated.
805 * Tolerate DTLSv1.2 just in case.
806 */
807 if (ssl_version != DTLS1_VERSION && ssl_version != DTLS1_2_VERSION) {
808 SSLerror(s, SSL_R_WRONG_SSL_VERSION);
809 s->version = (s->version & 0xff00) | (ssl_version & 0xff);
810 al = SSL_AD_PROTOCOL_VERSION;
811 goto fatal_err;
812 }
813
814 if (!CBS_write_bytes(&cookie, s->d1->cookie,
815 sizeof(s->d1->cookie), &cookie_len)) {
816 s->d1->cookie_len = 0;
817 al = SSL_AD_ILLEGAL_PARAMETER;
818 goto fatal_err;
819 }
820 s->d1->cookie_len = cookie_len;
821 s->d1->send_cookie = 1;
822
823 return 1;
824
825 decode_err:
826 al = SSL_AD_DECODE_ERROR;
827 fatal_err:
828 ssl3_send_alert(s, SSL3_AL_FATAL, al);
829 return -1;
830}
831
832static int
833ssl3_get_server_hello(SSL *s)
834{
835 CBS cbs, server_random, session_id;
836 uint16_t server_version, cipher_suite;
837 uint8_t compression_method;
838 const SSL_CIPHER *cipher;
839 const SSL_METHOD *method;
840 unsigned long alg_k;
841 int al, ret;
842
843 s->first_packet = 1;
844 if ((ret = ssl3_get_message(s, SSL3_ST_CR_SRVR_HELLO_A,
845 SSL3_ST_CR_SRVR_HELLO_B, -1, 20000 /* ?? */)) <= 0)
846 return ret;
847 s->first_packet = 0;
848
849 if (s->init_num < 0)
850 goto decode_err;
851
852 CBS_init(&cbs, s->init_msg, s->init_num);
853
854 if (SSL_is_dtls(s)) {
855 if (s->s3->hs.tls12.message_type == DTLS1_MT_HELLO_VERIFY_REQUEST) {
856 if (s->d1->send_cookie == 0) {
857 s->s3->hs.tls12.reuse_message = 1;
858 return (1);
859 } else {
860 /* Already sent a cookie. */
861 al = SSL_AD_UNEXPECTED_MESSAGE;
862 SSLerror(s, SSL_R_BAD_MESSAGE_TYPE);
863 goto fatal_err;
864 }
865 }
866 }
867
868 if (s->s3->hs.tls12.message_type != SSL3_MT_SERVER_HELLO) {
869 al = SSL_AD_UNEXPECTED_MESSAGE;
870 SSLerror(s, SSL_R_BAD_MESSAGE_TYPE);
871 goto fatal_err;
872 }
873
874 if (!CBS_get_u16(&cbs, &server_version))
875 goto decode_err;
876
877 if (!ssl_check_version_from_server(s, server_version)) {
878 SSLerror(s, SSL_R_WRONG_SSL_VERSION);
879 s->version = (s->version & 0xff00) | (server_version & 0xff);
880 al = SSL_AD_PROTOCOL_VERSION;
881 goto fatal_err;
882 }
883 s->s3->hs.peer_legacy_version = server_version;
884 s->version = server_version;
885
886 s->s3->hs.negotiated_tls_version = ssl_tls_version(server_version);
887 if (s->s3->hs.negotiated_tls_version == 0) {
888 SSLerror(s, ERR_R_INTERNAL_ERROR);
889 goto err;
890 }
891
892 if ((method = ssl_get_method(server_version)) == NULL) {
893 SSLerror(s, ERR_R_INTERNAL_ERROR);
894 goto err;
895 }
896 s->method = method;
897
898 /* Server random. */
899 if (!CBS_get_bytes(&cbs, &server_random, SSL3_RANDOM_SIZE))
900 goto decode_err;
901 if (!CBS_write_bytes(&server_random, s->s3->server_random,
902 sizeof(s->s3->server_random), NULL))
903 goto err;
904
905 if (s->s3->hs.our_max_tls_version >= TLS1_2_VERSION &&
906 s->s3->hs.negotiated_tls_version < s->s3->hs.our_max_tls_version) {
907 /*
908 * RFC 8446 section 4.1.3. We must not downgrade if the server
909 * random value contains the TLS 1.2 or TLS 1.1 magical value.
910 */
911 if (!CBS_skip(&server_random,
912 CBS_len(&server_random) - sizeof(tls13_downgrade_12)))
913 goto err;
914 if (s->s3->hs.negotiated_tls_version == TLS1_2_VERSION &&
915 CBS_mem_equal(&server_random, tls13_downgrade_12,
916 sizeof(tls13_downgrade_12))) {
917 al = SSL_AD_ILLEGAL_PARAMETER;
918 SSLerror(s, SSL_R_INAPPROPRIATE_FALLBACK);
919 goto fatal_err;
920 }
921 if (CBS_mem_equal(&server_random, tls13_downgrade_11,
922 sizeof(tls13_downgrade_11))) {
923 al = SSL_AD_ILLEGAL_PARAMETER;
924 SSLerror(s, SSL_R_INAPPROPRIATE_FALLBACK);
925 goto fatal_err;
926 }
927 }
928
929 /* Session ID. */
930 if (!CBS_get_u8_length_prefixed(&cbs, &session_id))
931 goto decode_err;
932
933 if (CBS_len(&session_id) > SSL3_SESSION_ID_SIZE) {
934 al = SSL_AD_ILLEGAL_PARAMETER;
935 SSLerror(s, SSL_R_SSL3_SESSION_ID_TOO_LONG);
936 goto fatal_err;
937 }
938
939 /* Cipher suite. */
940 if (!CBS_get_u16(&cbs, &cipher_suite))
941 goto decode_err;
942
943 /*
944 * Check if we want to resume the session based on external
945 * pre-shared secret.
946 */
947 if (s->tls_session_secret_cb != NULL) {
948 SSL_CIPHER *pref_cipher = NULL;
949 int master_key_length = sizeof(s->session->master_key);
950
951 if (!s->tls_session_secret_cb(s,
952 s->session->master_key, &master_key_length, NULL,
953 &pref_cipher, s->tls_session_secret_cb_arg)) {
954 SSLerror(s, ERR_R_INTERNAL_ERROR);
955 goto err;
956 }
957 if (master_key_length <= 0) {
958 SSLerror(s, ERR_R_INTERNAL_ERROR);
959 goto err;
960 }
961 s->session->master_key_length = master_key_length;
962
963 if ((s->session->cipher = pref_cipher) == NULL)
964 s->session->cipher =
965 ssl3_get_cipher_by_value(cipher_suite);
966 s->s3->flags |= SSL3_FLAGS_CCS_OK;
967 }
968
969 if (s->session->session_id_length != 0 &&
970 CBS_mem_equal(&session_id, s->session->session_id,
971 s->session->session_id_length)) {
972 if (s->sid_ctx_length != s->session->sid_ctx_length ||
973 timingsafe_memcmp(s->session->sid_ctx,
974 s->sid_ctx, s->sid_ctx_length) != 0) {
975 /* actually a client application bug */
976 al = SSL_AD_ILLEGAL_PARAMETER;
977 SSLerror(s, SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT);
978 goto fatal_err;
979 }
980 s->s3->flags |= SSL3_FLAGS_CCS_OK;
981 s->hit = 1;
982 } else {
983 /* a miss or crap from the other end */
984
985 /* If we were trying for session-id reuse, make a new
986 * SSL_SESSION so we don't stuff up other people */
987 s->hit = 0;
988 if (s->session->session_id_length > 0) {
989 if (!ssl_get_new_session(s, 0)) {
990 al = SSL_AD_INTERNAL_ERROR;
991 goto fatal_err;
992 }
993 }
994
995 /*
996 * XXX - improve the handling for the case where there is a
997 * zero length session identifier.
998 */
999 if (!CBS_write_bytes(&session_id, s->session->session_id,
1000 sizeof(s->session->session_id),
1001 &s->session->session_id_length))
1002 goto err;
1003
1004 s->session->ssl_version = s->version;
1005 }
1006
1007 if ((cipher = ssl3_get_cipher_by_value(cipher_suite)) == NULL) {
1008 al = SSL_AD_ILLEGAL_PARAMETER;
1009 SSLerror(s, SSL_R_UNKNOWN_CIPHER_RETURNED);
1010 goto fatal_err;
1011 }
1012
1013 /* TLS v1.2 only ciphersuites require v1.2 or later. */
1014 if ((cipher->algorithm_ssl & SSL_TLSV1_2) &&
1015 s->s3->hs.negotiated_tls_version < TLS1_2_VERSION) {
1016 al = SSL_AD_ILLEGAL_PARAMETER;
1017 SSLerror(s, SSL_R_WRONG_CIPHER_RETURNED);
1018 goto fatal_err;
1019 }
1020
1021 if (!ssl_cipher_in_list(SSL_get_ciphers(s), cipher)) {
1022 /* we did not say we would use this cipher */
1023 al = SSL_AD_ILLEGAL_PARAMETER;
1024 SSLerror(s, SSL_R_WRONG_CIPHER_RETURNED);
1025 goto fatal_err;
1026 }
1027
1028 /*
1029 * Depending on the session caching (internal/external), the cipher
1030 * and/or cipher_id values may not be set. Make sure that
1031 * cipher_id is set and use it for comparison.
1032 */
1033 if (s->session->cipher)
1034 s->session->cipher_id = s->session->cipher->id;
1035 if (s->hit && (s->session->cipher_id != cipher->id)) {
1036 al = SSL_AD_ILLEGAL_PARAMETER;
1037 SSLerror(s, SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED);
1038 goto fatal_err;
1039 }
1040 s->s3->hs.cipher = cipher;
1041
1042 if (!tls1_transcript_hash_init(s))
1043 goto err;
1044
1045 /*
1046 * Don't digest cached records if no sigalgs: we may need them for
1047 * client authentication.
1048 */
1049 alg_k = s->s3->hs.cipher->algorithm_mkey;
1050 if (!(SSL_USE_SIGALGS(s) || (alg_k & SSL_kGOST)))
1051 tls1_transcript_free(s);
1052
1053 if (!CBS_get_u8(&cbs, &compression_method))
1054 goto decode_err;
1055
1056 if (compression_method != 0) {
1057 al = SSL_AD_ILLEGAL_PARAMETER;
1058 SSLerror(s, SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM);
1059 goto fatal_err;
1060 }
1061
1062 if (!tlsext_client_parse(s, SSL_TLSEXT_MSG_SH, &cbs, &al)) {
1063 SSLerror(s, SSL_R_PARSE_TLSEXT);
1064 goto fatal_err;
1065 }
1066
1067 if (CBS_len(&cbs) != 0)
1068 goto decode_err;
1069
1070 /*
1071 * Determine if we need to see RI. Strictly speaking if we want to
1072 * avoid an attack we should *always* see RI even on initial server
1073 * hello because the client doesn't see any renegotiation during an
1074 * attack. However this would mean we could not connect to any server
1075 * which doesn't support RI so for the immediate future tolerate RI
1076 * absence on initial connect only.
1077 */
1078 if (!s->s3->renegotiate_seen &&
1079 !(s->options & SSL_OP_LEGACY_SERVER_CONNECT)) {
1080 al = SSL_AD_HANDSHAKE_FAILURE;
1081 SSLerror(s, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
1082 goto fatal_err;
1083 }
1084
1085 if (ssl_check_serverhello_tlsext(s) <= 0) {
1086 SSLerror(s, SSL_R_SERVERHELLO_TLSEXT);
1087 goto err;
1088 }
1089
1090 return (1);
1091
1092 decode_err:
1093 /* wrong packet length */
1094 al = SSL_AD_DECODE_ERROR;
1095 SSLerror(s, SSL_R_BAD_PACKET_LENGTH);
1096 fatal_err:
1097 ssl3_send_alert(s, SSL3_AL_FATAL, al);
1098 err:
1099 return (-1);
1100}
1101
1102static int
1103ssl3_get_server_certificate(SSL *s)
1104{
1105 CBS cbs, cert_list, cert_data;
1106 STACK_OF(X509) *certs = NULL;
1107 X509 *cert = NULL;
1108 const uint8_t *p;
1109 int al, ret;
1110
1111 if ((ret = ssl3_get_message(s, SSL3_ST_CR_CERT_A,
1112 SSL3_ST_CR_CERT_B, -1, s->max_cert_list)) <= 0)
1113 return ret;
1114
1115 ret = -1;
1116
1117 if (s->s3->hs.tls12.message_type == SSL3_MT_SERVER_KEY_EXCHANGE) {
1118 s->s3->hs.tls12.reuse_message = 1;
1119 return (1);
1120 }
1121
1122 if (s->s3->hs.tls12.message_type != SSL3_MT_CERTIFICATE) {
1123 al = SSL_AD_UNEXPECTED_MESSAGE;
1124 SSLerror(s, SSL_R_BAD_MESSAGE_TYPE);
1125 goto fatal_err;
1126 }
1127
1128 if ((certs = sk_X509_new_null()) == NULL) {
1129 SSLerror(s, ERR_R_MALLOC_FAILURE);
1130 goto err;
1131 }
1132
1133 if (s->init_num < 0)
1134 goto decode_err;
1135
1136 CBS_init(&cbs, s->init_msg, s->init_num);
1137
1138 if (!CBS_get_u24_length_prefixed(&cbs, &cert_list))
1139 goto decode_err;
1140 if (CBS_len(&cbs) != 0)
1141 goto decode_err;
1142
1143 while (CBS_len(&cert_list) > 0) {
1144 if (!CBS_get_u24_length_prefixed(&cert_list, &cert_data))
1145 goto decode_err;
1146 p = CBS_data(&cert_data);
1147 if ((cert = d2i_X509(NULL, &p, CBS_len(&cert_data))) == NULL) {
1148 al = SSL_AD_BAD_CERTIFICATE;
1149 SSLerror(s, ERR_R_ASN1_LIB);
1150 goto fatal_err;
1151 }
1152 if (p != CBS_data(&cert_data) + CBS_len(&cert_data))
1153 goto decode_err;
1154 if (!sk_X509_push(certs, cert)) {
1155 SSLerror(s, ERR_R_MALLOC_FAILURE);
1156 goto err;
1157 }
1158 cert = NULL;
1159 }
1160
1161 /* A server must always provide a non-empty certificate list. */
1162 if (sk_X509_num(certs) < 1) {
1163 SSLerror(s, SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);
1164 goto decode_err;
1165 }
1166
1167 if (ssl_verify_cert_chain(s, certs) <= 0 &&
1168 s->verify_mode != SSL_VERIFY_NONE) {
1169 al = ssl_verify_alarm_type(s->verify_result);
1170 SSLerror(s, SSL_R_CERTIFICATE_VERIFY_FAILED);
1171 goto fatal_err;
1172 }
1173 s->session->verify_result = s->verify_result;
1174 ERR_clear_error();
1175
1176 if (!tls_process_peer_certs(s, certs))
1177 goto err;
1178
1179 ret = 1;
1180
1181 if (0) {
1182 decode_err:
1183 /* wrong packet length */
1184 al = SSL_AD_DECODE_ERROR;
1185 SSLerror(s, SSL_R_BAD_PACKET_LENGTH);
1186 fatal_err:
1187 ssl3_send_alert(s, SSL3_AL_FATAL, al);
1188 }
1189 err:
1190 sk_X509_pop_free(certs, X509_free);
1191 X509_free(cert);
1192
1193 return (ret);
1194}
1195
1196static int
1197ssl3_get_server_kex_dhe(SSL *s, CBS *cbs)
1198{
1199 int decode_error, invalid_params, invalid_key;
1200 int nid = NID_dhKeyAgreement;
1201
1202 tls_key_share_free(s->s3->hs.key_share);
1203 if ((s->s3->hs.key_share = tls_key_share_new_nid(nid)) == NULL)
1204 goto err;
1205
1206 if (!tls_key_share_peer_params(s->s3->hs.key_share, cbs,
1207 &decode_error, &invalid_params)) {
1208 if (decode_error) {
1209 SSLerror(s, SSL_R_BAD_PACKET_LENGTH);
1210 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1211 }
1212 goto err;
1213 }
1214 if (!tls_key_share_peer_public(s->s3->hs.key_share, cbs,
1215 &decode_error, &invalid_key)) {
1216 if (decode_error) {
1217 SSLerror(s, SSL_R_BAD_PACKET_LENGTH);
1218 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1219 }
1220 goto err;
1221 }
1222
1223 if (invalid_params) {
1224 SSLerror(s, SSL_R_BAD_DH_P_LENGTH);
1225 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
1226 goto err;
1227 }
1228 if (invalid_key) {
1229 SSLerror(s, SSL_R_BAD_DH_PUB_KEY_LENGTH);
1230 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
1231 goto err;
1232 }
1233
1234 if (!tls_key_share_peer_security(s, s->s3->hs.key_share)) {
1235 SSLerror(s, SSL_R_DH_KEY_TOO_SMALL);
1236 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
1237 return 0;
1238 }
1239
1240 return 1;
1241
1242 err:
1243 return 0;
1244}
1245
1246static int
1247ssl3_get_server_kex_ecdhe(SSL *s, CBS *cbs)
1248{
1249 uint8_t curve_type;
1250 uint16_t group_id;
1251 int decode_error;
1252 CBS public;
1253
1254 if (!CBS_get_u8(cbs, &curve_type))
1255 goto decode_err;
1256 if (!CBS_get_u16(cbs, &group_id))
1257 goto decode_err;
1258
1259 /* Only named curves are supported. */
1260 if (curve_type != NAMED_CURVE_TYPE) {
1261 SSLerror(s, SSL_R_UNSUPPORTED_ELLIPTIC_CURVE);
1262 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
1263 goto err;
1264 }
1265
1266 if (!CBS_get_u8_length_prefixed(cbs, &public))
1267 goto decode_err;
1268
1269 /*
1270 * Check that the group is one of our preferences - if it is not,
1271 * the server has sent us an invalid group.
1272 */
1273 if (!tls1_check_group(s, group_id)) {
1274 SSLerror(s, SSL_R_WRONG_CURVE);
1275 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
1276 goto err;
1277 }
1278
1279 tls_key_share_free(s->s3->hs.key_share);
1280 if ((s->s3->hs.key_share = tls_key_share_new(group_id)) == NULL)
1281 goto err;
1282
1283 if (!tls_key_share_peer_public(s->s3->hs.key_share, &public,
1284 &decode_error, NULL)) {
1285 if (decode_error)
1286 goto decode_err;
1287 goto err;
1288 }
1289
1290 return 1;
1291
1292 decode_err:
1293 SSLerror(s, SSL_R_BAD_PACKET_LENGTH);
1294 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1295 err:
1296 return 0;
1297}
1298
1299static int
1300ssl3_get_server_key_exchange(SSL *s)
1301{
1302 CBS cbs, signature;
1303 EVP_MD_CTX *md_ctx;
1304 const unsigned char *param;
1305 size_t param_len;
1306 long alg_k, alg_a;
1307 int al, ret;
1308
1309 alg_k = s->s3->hs.cipher->algorithm_mkey;
1310 alg_a = s->s3->hs.cipher->algorithm_auth;
1311
1312 /*
1313 * Use same message size as in ssl3_get_certificate_request()
1314 * as ServerKeyExchange message may be skipped.
1315 */
1316 if ((ret = ssl3_get_message(s, SSL3_ST_CR_KEY_EXCH_A,
1317 SSL3_ST_CR_KEY_EXCH_B, -1, s->max_cert_list)) <= 0)
1318 return ret;
1319
1320 if ((md_ctx = EVP_MD_CTX_new()) == NULL)
1321 goto err;
1322
1323 if (s->init_num < 0)
1324 goto err;
1325
1326 CBS_init(&cbs, s->init_msg, s->init_num);
1327
1328 if (s->s3->hs.tls12.message_type != SSL3_MT_SERVER_KEY_EXCHANGE) {
1329 /*
1330 * Do not skip server key exchange if this cipher suite uses
1331 * ephemeral keys.
1332 */
1333 if (alg_k & (SSL_kDHE|SSL_kECDHE)) {
1334 SSLerror(s, SSL_R_UNEXPECTED_MESSAGE);
1335 al = SSL_AD_UNEXPECTED_MESSAGE;
1336 goto fatal_err;
1337 }
1338
1339 s->s3->hs.tls12.reuse_message = 1;
1340 EVP_MD_CTX_free(md_ctx);
1341 return (1);
1342 }
1343
1344 param = CBS_data(&cbs);
1345 param_len = CBS_len(&cbs);
1346
1347 if (alg_k & SSL_kDHE) {
1348 if (!ssl3_get_server_kex_dhe(s, &cbs))
1349 goto err;
1350 } else if (alg_k & SSL_kECDHE) {
1351 if (!ssl3_get_server_kex_ecdhe(s, &cbs))
1352 goto err;
1353 } else if (alg_k != 0) {
1354 al = SSL_AD_UNEXPECTED_MESSAGE;
1355 SSLerror(s, SSL_R_UNEXPECTED_MESSAGE);
1356 goto fatal_err;
1357 }
1358
1359 param_len -= CBS_len(&cbs);
1360
1361 /* if it was signed, check the signature */
1362 if ((alg_a & SSL_aNULL) == 0) {
1363 uint16_t sigalg_value = SIGALG_NONE;
1364 const struct ssl_sigalg *sigalg;
1365 EVP_PKEY_CTX *pctx;
1366 EVP_PKEY *pkey = NULL;
1367
1368 if ((alg_a & SSL_aRSA) != 0 &&
1369 s->session->peer_cert_type == SSL_PKEY_RSA) {
1370 pkey = X509_get0_pubkey(s->session->peer_cert);
1371 } else if ((alg_a & SSL_aECDSA) != 0 &&
1372 s->session->peer_cert_type == SSL_PKEY_ECC) {
1373 pkey = X509_get0_pubkey(s->session->peer_cert);
1374 }
1375 if (pkey == NULL) {
1376 al = SSL_AD_ILLEGAL_PARAMETER;
1377 SSLerror(s, SSL_R_UNKNOWN_CERTIFICATE_TYPE);
1378 goto fatal_err;
1379 }
1380
1381 if (SSL_USE_SIGALGS(s)) {
1382 if (!CBS_get_u16(&cbs, &sigalg_value))
1383 goto decode_err;
1384 }
1385 if (!CBS_get_u16_length_prefixed(&cbs, &signature))
1386 goto decode_err;
1387 if (CBS_len(&signature) > EVP_PKEY_size(pkey)) {
1388 al = SSL_AD_DECODE_ERROR;
1389 SSLerror(s, SSL_R_WRONG_SIGNATURE_LENGTH);
1390 goto fatal_err;
1391 }
1392
1393 if ((sigalg = ssl_sigalg_for_peer(s, pkey,
1394 sigalg_value)) == NULL) {
1395 al = SSL_AD_DECODE_ERROR;
1396 goto fatal_err;
1397 }
1398 s->s3->hs.peer_sigalg = sigalg;
1399
1400 if (!EVP_DigestVerifyInit(md_ctx, &pctx, sigalg->md(),
1401 NULL, pkey))
1402 goto err;
1403 if (!EVP_DigestVerifyUpdate(md_ctx, s->s3->client_random,
1404 SSL3_RANDOM_SIZE))
1405 goto err;
1406 if ((sigalg->flags & SIGALG_FLAG_RSA_PSS) &&
1407 (!EVP_PKEY_CTX_set_rsa_padding(pctx,
1408 RSA_PKCS1_PSS_PADDING) ||
1409 !EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1)))
1410 goto err;
1411 if (!EVP_DigestVerifyUpdate(md_ctx, s->s3->server_random,
1412 SSL3_RANDOM_SIZE))
1413 goto err;
1414 if (!EVP_DigestVerifyUpdate(md_ctx, param, param_len))
1415 goto err;
1416 if (EVP_DigestVerifyFinal(md_ctx, CBS_data(&signature),
1417 CBS_len(&signature)) <= 0) {
1418 al = SSL_AD_DECRYPT_ERROR;
1419 SSLerror(s, SSL_R_BAD_SIGNATURE);
1420 goto fatal_err;
1421 }
1422 }
1423
1424 if (CBS_len(&cbs) != 0) {
1425 al = SSL_AD_DECODE_ERROR;
1426 SSLerror(s, SSL_R_EXTRA_DATA_IN_MESSAGE);
1427 goto fatal_err;
1428 }
1429
1430 EVP_MD_CTX_free(md_ctx);
1431
1432 return (1);
1433
1434 decode_err:
1435 al = SSL_AD_DECODE_ERROR;
1436 SSLerror(s, SSL_R_BAD_PACKET_LENGTH);
1437
1438 fatal_err:
1439 ssl3_send_alert(s, SSL3_AL_FATAL, al);
1440
1441 err:
1442 EVP_MD_CTX_free(md_ctx);
1443
1444 return (-1);
1445}
1446
1447static int
1448ssl3_get_certificate_request(SSL *s)
1449{
1450 CBS cert_request, cert_types, rdn_list;
1451 X509_NAME *xn = NULL;
1452 const unsigned char *q;
1453 STACK_OF(X509_NAME) *ca_sk = NULL;
1454 int ret;
1455
1456 if ((ret = ssl3_get_message(s, SSL3_ST_CR_CERT_REQ_A,
1457 SSL3_ST_CR_CERT_REQ_B, -1, s->max_cert_list)) <= 0)
1458 return ret;
1459
1460 ret = 0;
1461
1462 s->s3->hs.tls12.cert_request = 0;
1463
1464 if (s->s3->hs.tls12.message_type == SSL3_MT_SERVER_DONE) {
1465 s->s3->hs.tls12.reuse_message = 1;
1466 /*
1467 * If we get here we don't need any cached handshake records
1468 * as we wont be doing client auth.
1469 */
1470 tls1_transcript_free(s);
1471 return (1);
1472 }
1473
1474 if (s->s3->hs.tls12.message_type != SSL3_MT_CERTIFICATE_REQUEST) {
1475 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
1476 SSLerror(s, SSL_R_WRONG_MESSAGE_TYPE);
1477 goto err;
1478 }
1479
1480 /* TLS does not like anon-DH with client cert */
1481 if (s->s3->hs.cipher->algorithm_auth & SSL_aNULL) {
1482 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
1483 SSLerror(s, SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER);
1484 goto err;
1485 }
1486
1487 if (s->init_num < 0)
1488 goto decode_err;
1489 CBS_init(&cert_request, s->init_msg, s->init_num);
1490
1491 if ((ca_sk = sk_X509_NAME_new(ca_dn_cmp)) == NULL) {
1492 SSLerror(s, ERR_R_MALLOC_FAILURE);
1493 goto err;
1494 }
1495
1496 if (!CBS_get_u8_length_prefixed(&cert_request, &cert_types))
1497 goto decode_err;
1498
1499 if (SSL_USE_SIGALGS(s)) {
1500 CBS sigalgs;
1501
1502 if (CBS_len(&cert_request) < 2) {
1503 SSLerror(s, SSL_R_DATA_LENGTH_TOO_LONG);
1504 goto err;
1505 }
1506 if (!CBS_get_u16_length_prefixed(&cert_request, &sigalgs)) {
1507 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1508 SSLerror(s, SSL_R_DATA_LENGTH_TOO_LONG);
1509 goto err;
1510 }
1511 if (CBS_len(&sigalgs) % 2 != 0 || CBS_len(&sigalgs) > 64) {
1512 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1513 SSLerror(s, SSL_R_SIGNATURE_ALGORITHMS_ERROR);
1514 goto err;
1515 }
1516 if (!CBS_stow(&sigalgs, &s->s3->hs.sigalgs,
1517 &s->s3->hs.sigalgs_len))
1518 goto err;
1519 }
1520
1521 /* get the CA RDNs */
1522 if (CBS_len(&cert_request) < 2) {
1523 SSLerror(s, SSL_R_DATA_LENGTH_TOO_LONG);
1524 goto err;
1525 }
1526
1527 if (!CBS_get_u16_length_prefixed(&cert_request, &rdn_list) ||
1528 CBS_len(&cert_request) != 0) {
1529 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1530 SSLerror(s, SSL_R_LENGTH_MISMATCH);
1531 goto err;
1532 }
1533
1534 while (CBS_len(&rdn_list) > 0) {
1535 CBS rdn;
1536
1537 if (CBS_len(&rdn_list) < 2) {
1538 SSLerror(s, SSL_R_DATA_LENGTH_TOO_LONG);
1539 goto err;
1540 }
1541
1542 if (!CBS_get_u16_length_prefixed(&rdn_list, &rdn)) {
1543 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1544 SSLerror(s, SSL_R_CA_DN_TOO_LONG);
1545 goto err;
1546 }
1547
1548 q = CBS_data(&rdn);
1549 if ((xn = d2i_X509_NAME(NULL, &q, CBS_len(&rdn))) == NULL) {
1550 ssl3_send_alert(s, SSL3_AL_FATAL,
1551 SSL_AD_DECODE_ERROR);
1552 SSLerror(s, ERR_R_ASN1_LIB);
1553 goto err;
1554 }
1555
1556 if (q != CBS_data(&rdn) + CBS_len(&rdn)) {
1557 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1558 SSLerror(s, SSL_R_CA_DN_LENGTH_MISMATCH);
1559 goto err;
1560 }
1561 if (!sk_X509_NAME_push(ca_sk, xn)) {
1562 SSLerror(s, ERR_R_MALLOC_FAILURE);
1563 goto err;
1564 }
1565 xn = NULL; /* avoid free in err block */
1566 }
1567
1568 /* we should setup a certificate to return.... */
1569 s->s3->hs.tls12.cert_request = 1;
1570 sk_X509_NAME_pop_free(s->s3->hs.tls12.ca_names, X509_NAME_free);
1571 s->s3->hs.tls12.ca_names = ca_sk;
1572 ca_sk = NULL;
1573
1574 ret = 1;
1575 if (0) {
1576 decode_err:
1577 SSLerror(s, SSL_R_BAD_PACKET_LENGTH);
1578 }
1579 err:
1580 X509_NAME_free(xn);
1581 sk_X509_NAME_pop_free(ca_sk, X509_NAME_free);
1582 return (ret);
1583}
1584
1585static int
1586ca_dn_cmp(const X509_NAME * const *a, const X509_NAME * const *b)
1587{
1588 return (X509_NAME_cmp(*a, *b));
1589}
1590
1591static int
1592ssl3_get_new_session_ticket(SSL *s)
1593{
1594 uint32_t lifetime_hint;
1595 CBS cbs, session_ticket;
1596 unsigned int session_id_length = 0;
1597 int al, ret;
1598
1599 if ((ret = ssl3_get_message(s, SSL3_ST_CR_SESSION_TICKET_A,
1600 SSL3_ST_CR_SESSION_TICKET_B, -1, 16384)) <= 0)
1601 return ret;
1602
1603 if (s->s3->hs.tls12.message_type == SSL3_MT_FINISHED) {
1604 s->s3->hs.tls12.reuse_message = 1;
1605 return (1);
1606 }
1607 if (s->s3->hs.tls12.message_type != SSL3_MT_NEWSESSION_TICKET) {
1608 al = SSL_AD_UNEXPECTED_MESSAGE;
1609 SSLerror(s, SSL_R_BAD_MESSAGE_TYPE);
1610 goto fatal_err;
1611 }
1612
1613 if (s->init_num < 0) {
1614 al = SSL_AD_DECODE_ERROR;
1615 SSLerror(s, SSL_R_LENGTH_MISMATCH);
1616 goto fatal_err;
1617 }
1618
1619 CBS_init(&cbs, s->init_msg, s->init_num);
1620 if (!CBS_get_u32(&cbs, &lifetime_hint) ||
1621 !CBS_get_u16_length_prefixed(&cbs, &session_ticket) ||
1622 CBS_len(&cbs) != 0) {
1623 al = SSL_AD_DECODE_ERROR;
1624 SSLerror(s, SSL_R_LENGTH_MISMATCH);
1625 goto fatal_err;
1626 }
1627 s->session->tlsext_tick_lifetime_hint = lifetime_hint;
1628
1629 if (!CBS_stow(&session_ticket, &s->session->tlsext_tick,
1630 &s->session->tlsext_ticklen)) {
1631 SSLerror(s, ERR_R_MALLOC_FAILURE);
1632 goto err;
1633 }
1634
1635 /*
1636 * There are two ways to detect a resumed ticket session.
1637 * One is to set an appropriate session ID and then the server
1638 * must return a match in ServerHello. This allows the normal
1639 * client session ID matching to work and we know much
1640 * earlier that the ticket has been accepted.
1641 *
1642 * The other way is to set zero length session ID when the
1643 * ticket is presented and rely on the handshake to determine
1644 * session resumption.
1645 *
1646 * We choose the former approach because this fits in with
1647 * assumptions elsewhere in OpenSSL. The session ID is set
1648 * to the SHA256 hash of the ticket.
1649 */
1650 /* XXX - ensure this doesn't overflow session_id if hash is changed. */
1651 if (!EVP_Digest(CBS_data(&session_ticket), CBS_len(&session_ticket),
1652 s->session->session_id, &session_id_length, EVP_sha256(), NULL)) {
1653 al = SSL_AD_INTERNAL_ERROR;
1654 SSLerror(s, ERR_R_EVP_LIB);
1655 goto fatal_err;
1656 }
1657 s->session->session_id_length = session_id_length;
1658
1659 return (1);
1660
1661 fatal_err:
1662 ssl3_send_alert(s, SSL3_AL_FATAL, al);
1663 err:
1664 return (-1);
1665}
1666
1667static int
1668ssl3_get_cert_status(SSL *s)
1669{
1670 CBS cert_status, response;
1671 uint8_t status_type;
1672 int al, ret;
1673
1674 if ((ret = ssl3_get_message(s, SSL3_ST_CR_CERT_STATUS_A,
1675 SSL3_ST_CR_CERT_STATUS_B, -1, 16384)) <= 0)
1676 return ret;
1677
1678 if (s->s3->hs.tls12.message_type == SSL3_MT_SERVER_KEY_EXCHANGE) {
1679 /*
1680 * Tell the callback the server did not send us an OSCP
1681 * response, and has decided to head directly to key exchange.
1682 */
1683 if (s->ctx->tlsext_status_cb) {
1684 free(s->tlsext_ocsp_resp);
1685 s->tlsext_ocsp_resp = NULL;
1686 s->tlsext_ocsp_resp_len = 0;
1687
1688 ret = s->ctx->tlsext_status_cb(s,
1689 s->ctx->tlsext_status_arg);
1690 if (ret == 0) {
1691 al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE;
1692 SSLerror(s, SSL_R_INVALID_STATUS_RESPONSE);
1693 goto fatal_err;
1694 }
1695 if (ret < 0) {
1696 al = SSL_AD_INTERNAL_ERROR;
1697 SSLerror(s, ERR_R_MALLOC_FAILURE);
1698 goto fatal_err;
1699 }
1700 }
1701 s->s3->hs.tls12.reuse_message = 1;
1702 return (1);
1703 }
1704
1705 if (s->s3->hs.tls12.message_type != SSL3_MT_CERTIFICATE &&
1706 s->s3->hs.tls12.message_type != SSL3_MT_CERTIFICATE_STATUS) {
1707 al = SSL_AD_UNEXPECTED_MESSAGE;
1708 SSLerror(s, SSL_R_BAD_MESSAGE_TYPE);
1709 goto fatal_err;
1710 }
1711
1712 if (s->init_num < 0) {
1713 /* need at least status type + length */
1714 al = SSL_AD_DECODE_ERROR;
1715 SSLerror(s, SSL_R_LENGTH_MISMATCH);
1716 goto fatal_err;
1717 }
1718
1719 CBS_init(&cert_status, s->init_msg, s->init_num);
1720 if (!CBS_get_u8(&cert_status, &status_type) ||
1721 CBS_len(&cert_status) < 3) {
1722 /* need at least status type + length */
1723 al = SSL_AD_DECODE_ERROR;
1724 SSLerror(s, SSL_R_LENGTH_MISMATCH);
1725 goto fatal_err;
1726 }
1727
1728 if (status_type != TLSEXT_STATUSTYPE_ocsp) {
1729 al = SSL_AD_DECODE_ERROR;
1730 SSLerror(s, SSL_R_UNSUPPORTED_STATUS_TYPE);
1731 goto fatal_err;
1732 }
1733
1734 if (!CBS_get_u24_length_prefixed(&cert_status, &response) ||
1735 CBS_len(&cert_status) != 0) {
1736 al = SSL_AD_DECODE_ERROR;
1737 SSLerror(s, SSL_R_LENGTH_MISMATCH);
1738 goto fatal_err;
1739 }
1740
1741 if (!CBS_stow(&response, &s->tlsext_ocsp_resp,
1742 &s->tlsext_ocsp_resp_len)) {
1743 al = SSL_AD_INTERNAL_ERROR;
1744 SSLerror(s, ERR_R_MALLOC_FAILURE);
1745 goto fatal_err;
1746 }
1747
1748 if (s->ctx->tlsext_status_cb) {
1749 ret = s->ctx->tlsext_status_cb(s,
1750 s->ctx->tlsext_status_arg);
1751 if (ret == 0) {
1752 al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE;
1753 SSLerror(s, SSL_R_INVALID_STATUS_RESPONSE);
1754 goto fatal_err;
1755 }
1756 if (ret < 0) {
1757 al = SSL_AD_INTERNAL_ERROR;
1758 SSLerror(s, ERR_R_MALLOC_FAILURE);
1759 goto fatal_err;
1760 }
1761 }
1762 return (1);
1763 fatal_err:
1764 ssl3_send_alert(s, SSL3_AL_FATAL, al);
1765 return (-1);
1766}
1767
1768static int
1769ssl3_get_server_done(SSL *s)
1770{
1771 int ret;
1772
1773 if ((ret = ssl3_get_message(s, SSL3_ST_CR_SRVR_DONE_A,
1774 SSL3_ST_CR_SRVR_DONE_B, SSL3_MT_SERVER_DONE,
1775 30 /* should be very small, like 0 :-) */)) <= 0)
1776 return ret;
1777
1778 if (s->init_num != 0) {
1779 /* should contain no data */
1780 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1781 SSLerror(s, SSL_R_LENGTH_MISMATCH);
1782 return -1;
1783 }
1784
1785 return 1;
1786}
1787
1788static int
1789ssl3_send_client_kex_rsa(SSL *s, CBB *cbb)
1790{
1791 unsigned char pms[SSL_MAX_MASTER_KEY_LENGTH];
1792 unsigned char *enc_pms = NULL;
1793 uint16_t max_legacy_version;
1794 EVP_PKEY *pkey;
1795 RSA *rsa;
1796 int ret = 0;
1797 int enc_len;
1798 CBB epms;
1799
1800 /*
1801 * RSA-Encrypted Premaster Secret Message - RFC 5246 section 7.4.7.1.
1802 */
1803
1804 pkey = X509_get0_pubkey(s->session->peer_cert);
1805 if (pkey == NULL || (rsa = EVP_PKEY_get0_RSA(pkey)) == NULL) {
1806 SSLerror(s, ERR_R_INTERNAL_ERROR);
1807 goto err;
1808 }
1809
1810 /*
1811 * Our maximum legacy protocol version - while RFC 5246 section 7.4.7.1
1812 * says "The latest (newest) version supported by the client", if we're
1813 * doing RSA key exchange then we have to presume that we're talking to
1814 * a server that does not understand the supported versions extension
1815 * and therefore our maximum version is that sent in the ClientHello.
1816 */
1817 if (!ssl_max_legacy_version(s, &max_legacy_version))
1818 goto err;
1819 pms[0] = max_legacy_version >> 8;
1820 pms[1] = max_legacy_version & 0xff;
1821 arc4random_buf(&pms[2], sizeof(pms) - 2);
1822
1823 if ((enc_pms = malloc(RSA_size(rsa))) == NULL) {
1824 SSLerror(s, ERR_R_MALLOC_FAILURE);
1825 goto err;
1826 }
1827
1828 enc_len = RSA_public_encrypt(sizeof(pms), pms, enc_pms, rsa,
1829 RSA_PKCS1_PADDING);
1830 if (enc_len <= 0) {
1831 SSLerror(s, SSL_R_BAD_RSA_ENCRYPT);
1832 goto err;
1833 }
1834
1835 if (!CBB_add_u16_length_prefixed(cbb, &epms))
1836 goto err;
1837 if (!CBB_add_bytes(&epms, enc_pms, enc_len))
1838 goto err;
1839 if (!CBB_flush(cbb))
1840 goto err;
1841
1842 if (!tls12_derive_master_secret(s, pms, sizeof(pms)))
1843 goto err;
1844
1845 ret = 1;
1846
1847 err:
1848 explicit_bzero(pms, sizeof(pms));
1849 free(enc_pms);
1850
1851 return ret;
1852}
1853
1854static int
1855ssl3_send_client_kex_dhe(SSL *s, CBB *cbb)
1856{
1857 uint8_t *key = NULL;
1858 size_t key_len = 0;
1859 int ret = 0;
1860
1861 /* Ensure that we have an ephemeral key from the server for DHE. */
1862 if (s->s3->hs.key_share == NULL) {
1863 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
1864 SSLerror(s, SSL_R_UNABLE_TO_FIND_DH_PARAMETERS);
1865 goto err;
1866 }
1867
1868 if (!tls_key_share_generate(s->s3->hs.key_share))
1869 goto err;
1870 if (!tls_key_share_public(s->s3->hs.key_share, cbb))
1871 goto err;
1872 if (!tls_key_share_derive(s->s3->hs.key_share, &key, &key_len))
1873 goto err;
1874
1875 if (!tls_key_share_peer_security(s, s->s3->hs.key_share)) {
1876 SSLerror(s, SSL_R_DH_KEY_TOO_SMALL);
1877 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
1878 return 0;
1879 }
1880
1881 if (!tls12_derive_master_secret(s, key, key_len))
1882 goto err;
1883
1884 ret = 1;
1885
1886 err:
1887 freezero(key, key_len);
1888
1889 return ret;
1890}
1891
1892static int
1893ssl3_send_client_kex_ecdhe(SSL *s, CBB *cbb)
1894{
1895 uint8_t *key = NULL;
1896 size_t key_len = 0;
1897 CBB public;
1898 int ret = 0;
1899
1900 /* Ensure that we have an ephemeral key for ECDHE. */
1901 if (s->s3->hs.key_share == NULL) {
1902 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
1903 SSLerror(s, ERR_R_INTERNAL_ERROR);
1904 goto err;
1905 }
1906
1907 if (!tls_key_share_generate(s->s3->hs.key_share))
1908 goto err;
1909
1910 if (!CBB_add_u8_length_prefixed(cbb, &public))
1911 return 0;
1912 if (!tls_key_share_public(s->s3->hs.key_share, &public))
1913 goto err;
1914 if (!CBB_flush(cbb))
1915 goto err;
1916
1917 if (!tls_key_share_derive(s->s3->hs.key_share, &key, &key_len))
1918 goto err;
1919
1920 if (!tls12_derive_master_secret(s, key, key_len))
1921 goto err;
1922
1923 ret = 1;
1924
1925 err:
1926 freezero(key, key_len);
1927
1928 return ret;
1929}
1930
1931static int
1932ssl3_send_client_kex_gost(SSL *s, CBB *cbb)
1933{
1934 unsigned char premaster_secret[32], shared_ukm[32], tmp[256];
1935 EVP_PKEY_CTX *pkey_ctx = NULL;
1936 EVP_MD_CTX *ukm_hash = NULL;
1937 EVP_PKEY *pkey;
1938 size_t msglen;
1939 unsigned int md_len;
1940 CBB gostblob;
1941 int nid;
1942 int ret = 0;
1943
1944 /* Get server certificate PKEY and create ctx from it */
1945 pkey = X509_get0_pubkey(s->session->peer_cert);
1946 if (pkey == NULL || s->session->peer_cert_type != SSL_PKEY_GOST01) {
1947 SSLerror(s, SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER);
1948 goto err;
1949 }
1950 if ((pkey_ctx = EVP_PKEY_CTX_new(pkey, NULL)) == NULL) {
1951 SSLerror(s, ERR_R_MALLOC_FAILURE);
1952 goto err;
1953 }
1954
1955 /*
1956 * If we have send a certificate, and certificate key parameters match
1957 * those of server certificate, use certificate key for key exchange.
1958 * Otherwise, generate ephemeral key pair.
1959 */
1960 if (EVP_PKEY_encrypt_init(pkey_ctx) <= 0)
1961 goto err;
1962
1963 /* Generate session key. */
1964 arc4random_buf(premaster_secret, sizeof(premaster_secret));
1965
1966 /*
1967 * If we have client certificate, use its secret as peer key.
1968 * XXX - this presumably lacks PFS.
1969 */
1970 if (s->s3->hs.tls12.cert_request != 0 &&
1971 s->cert->key->privatekey != NULL) {
1972 if (EVP_PKEY_derive_set_peer(pkey_ctx,
1973 s->cert->key->privatekey) <=0) {
1974 /*
1975 * If there was an error - just ignore it.
1976 * Ephemeral key would be used.
1977 */
1978 ERR_clear_error();
1979 }
1980 }
1981
1982 /*
1983 * Compute shared IV and store it in algorithm-specific context data.
1984 */
1985 if ((ukm_hash = EVP_MD_CTX_new()) == NULL) {
1986 SSLerror(s, ERR_R_MALLOC_FAILURE);
1987 goto err;
1988 }
1989
1990 /* XXX check handshake hash instead. */
1991 if (s->s3->hs.cipher->algorithm2 & SSL_HANDSHAKE_MAC_GOST94)
1992 nid = NID_id_GostR3411_94;
1993 else
1994 nid = NID_id_tc26_gost3411_2012_256;
1995 if (!EVP_DigestInit(ukm_hash, EVP_get_digestbynid(nid)))
1996 goto err;
1997 if (!EVP_DigestUpdate(ukm_hash, s->s3->client_random, SSL3_RANDOM_SIZE))
1998 goto err;
1999 if (!EVP_DigestUpdate(ukm_hash, s->s3->server_random, SSL3_RANDOM_SIZE))
2000 goto err;
2001 if (!EVP_DigestFinal_ex(ukm_hash, shared_ukm, &md_len))
2002 goto err;
2003 if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, EVP_PKEY_OP_ENCRYPT,
2004 EVP_PKEY_CTRL_SET_IV, 8, shared_ukm) < 0) {
2005 SSLerror(s, SSL_R_LIBRARY_BUG);
2006 goto err;
2007 }
2008
2009 /*
2010 * Make GOST keytransport blob message, encapsulate it into sequence.
2011 */
2012 msglen = 255;
2013 if (EVP_PKEY_encrypt(pkey_ctx, tmp, &msglen, premaster_secret,
2014 sizeof(premaster_secret)) < 0) {
2015 SSLerror(s, SSL_R_LIBRARY_BUG);
2016 goto err;
2017 }
2018
2019 if (!CBB_add_asn1(cbb, &gostblob, CBS_ASN1_SEQUENCE))
2020 goto err;
2021 if (!CBB_add_bytes(&gostblob, tmp, msglen))
2022 goto err;
2023 if (!CBB_flush(cbb))
2024 goto err;
2025
2026 /* Check if pubkey from client certificate was used. */
2027 if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, -1, EVP_PKEY_CTRL_PEER_KEY, 2,
2028 NULL) > 0)
2029 s->s3->flags |= TLS1_FLAGS_SKIP_CERT_VERIFY;
2030
2031 if (!tls12_derive_master_secret(s, premaster_secret, 32))
2032 goto err;
2033
2034 ret = 1;
2035
2036 err:
2037 explicit_bzero(premaster_secret, sizeof(premaster_secret));
2038 EVP_PKEY_CTX_free(pkey_ctx);
2039 EVP_MD_CTX_free(ukm_hash);
2040
2041 return ret;
2042}
2043
2044static int
2045ssl3_send_client_key_exchange(SSL *s)
2046{
2047 unsigned long alg_k;
2048 CBB cbb, kex;
2049
2050 memset(&cbb, 0, sizeof(cbb));
2051
2052 if (s->s3->hs.state == SSL3_ST_CW_KEY_EXCH_A) {
2053 alg_k = s->s3->hs.cipher->algorithm_mkey;
2054
2055 if (!ssl3_handshake_msg_start(s, &cbb, &kex,
2056 SSL3_MT_CLIENT_KEY_EXCHANGE))
2057 goto err;
2058
2059 if (alg_k & SSL_kRSA) {
2060 if (!ssl3_send_client_kex_rsa(s, &kex))
2061 goto err;
2062 } else if (alg_k & SSL_kDHE) {
2063 if (!ssl3_send_client_kex_dhe(s, &kex))
2064 goto err;
2065 } else if (alg_k & SSL_kECDHE) {
2066 if (!ssl3_send_client_kex_ecdhe(s, &kex))
2067 goto err;
2068 } else if (alg_k & SSL_kGOST) {
2069 if (!ssl3_send_client_kex_gost(s, &kex))
2070 goto err;
2071 } else {
2072 ssl3_send_alert(s, SSL3_AL_FATAL,
2073 SSL_AD_HANDSHAKE_FAILURE);
2074 SSLerror(s, ERR_R_INTERNAL_ERROR);
2075 goto err;
2076 }
2077
2078 if (!ssl3_handshake_msg_finish(s, &cbb))
2079 goto err;
2080
2081 s->s3->hs.state = SSL3_ST_CW_KEY_EXCH_B;
2082 }
2083
2084 /* SSL3_ST_CW_KEY_EXCH_B */
2085 return (ssl3_handshake_write(s));
2086
2087 err:
2088 CBB_cleanup(&cbb);
2089
2090 return (-1);
2091}
2092
2093static int
2094ssl3_send_client_verify_sigalgs(SSL *s, EVP_PKEY *pkey,
2095 const struct ssl_sigalg *sigalg, CBB *cert_verify)
2096{
2097 CBB cbb_signature;
2098 EVP_PKEY_CTX *pctx = NULL;
2099 EVP_MD_CTX *mctx = NULL;
2100 const unsigned char *hdata;
2101 unsigned char *signature = NULL;
2102 size_t signature_len, hdata_len;
2103 int ret = 0;
2104
2105 if ((mctx = EVP_MD_CTX_new()) == NULL)
2106 goto err;
2107
2108 if (!tls1_transcript_data(s, &hdata, &hdata_len)) {
2109 SSLerror(s, ERR_R_INTERNAL_ERROR);
2110 goto err;
2111 }
2112 if (!EVP_DigestSignInit(mctx, &pctx, sigalg->md(), NULL, pkey)) {
2113 SSLerror(s, ERR_R_EVP_LIB);
2114 goto err;
2115 }
2116 if (sigalg->key_type == EVP_PKEY_GOSTR01 &&
2117 EVP_PKEY_CTX_ctrl(pctx, -1, EVP_PKEY_OP_SIGN,
2118 EVP_PKEY_CTRL_GOST_SIG_FORMAT, GOST_SIG_FORMAT_RS_LE, NULL) <= 0) {
2119 SSLerror(s, ERR_R_EVP_LIB);
2120 goto err;
2121 }
2122 if ((sigalg->flags & SIGALG_FLAG_RSA_PSS) &&
2123 (!EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) ||
2124 !EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1))) {
2125 SSLerror(s, ERR_R_EVP_LIB);
2126 goto err;
2127 }
2128 if (!EVP_DigestSignUpdate(mctx, hdata, hdata_len)) {
2129 SSLerror(s, ERR_R_EVP_LIB);
2130 goto err;
2131 }
2132 if (!EVP_DigestSignFinal(mctx, NULL, &signature_len) ||
2133 signature_len == 0) {
2134 SSLerror(s, ERR_R_EVP_LIB);
2135 goto err;
2136 }
2137 if ((signature = calloc(1, signature_len)) == NULL) {
2138 SSLerror(s, ERR_R_MALLOC_FAILURE);
2139 goto err;
2140 }
2141 if (!EVP_DigestSignFinal(mctx, signature, &signature_len)) {
2142 SSLerror(s, ERR_R_EVP_LIB);
2143 goto err;
2144 }
2145
2146 if (!CBB_add_u16(cert_verify, sigalg->value))
2147 goto err;
2148 if (!CBB_add_u16_length_prefixed(cert_verify, &cbb_signature))
2149 goto err;
2150 if (!CBB_add_bytes(&cbb_signature, signature, signature_len))
2151 goto err;
2152 if (!CBB_flush(cert_verify))
2153 goto err;
2154
2155 ret = 1;
2156
2157 err:
2158 EVP_MD_CTX_free(mctx);
2159 free(signature);
2160 return ret;
2161}
2162
2163static int
2164ssl3_send_client_verify_rsa(SSL *s, EVP_PKEY *pkey, CBB *cert_verify)
2165{
2166 CBB cbb_signature;
2167 RSA *rsa;
2168 unsigned char data[EVP_MAX_MD_SIZE];
2169 unsigned char *signature = NULL;
2170 unsigned int signature_len;
2171 size_t data_len;
2172 int ret = 0;
2173
2174 if (!tls1_transcript_hash_value(s, data, sizeof(data), &data_len))
2175 goto err;
2176 if ((signature = calloc(1, EVP_PKEY_size(pkey))) == NULL)
2177 goto err;
2178 if ((rsa = EVP_PKEY_get0_RSA(pkey)) == NULL)
2179 goto err;
2180 if (RSA_sign(NID_md5_sha1, data, data_len, signature, &signature_len,
2181 rsa) <= 0 ) {
2182 SSLerror(s, ERR_R_RSA_LIB);
2183 goto err;
2184 }
2185
2186 if (!CBB_add_u16_length_prefixed(cert_verify, &cbb_signature))
2187 goto err;
2188 if (!CBB_add_bytes(&cbb_signature, signature, signature_len))
2189 goto err;
2190 if (!CBB_flush(cert_verify))
2191 goto err;
2192
2193 ret = 1;
2194 err:
2195 free(signature);
2196 return ret;
2197}
2198
2199static int
2200ssl3_send_client_verify_ec(SSL *s, EVP_PKEY *pkey, CBB *cert_verify)
2201{
2202 CBB cbb_signature;
2203 EC_KEY *eckey;
2204 unsigned char data[EVP_MAX_MD_SIZE];
2205 unsigned char *signature = NULL;
2206 unsigned int signature_len;
2207 int ret = 0;
2208
2209 if (!tls1_transcript_hash_value(s, data, sizeof(data), NULL))
2210 goto err;
2211 if ((signature = calloc(1, EVP_PKEY_size(pkey))) == NULL)
2212 goto err;
2213 if ((eckey = EVP_PKEY_get0_EC_KEY(pkey)) == NULL)
2214 goto err;
2215 if (!ECDSA_sign(0, &data[MD5_DIGEST_LENGTH], SHA_DIGEST_LENGTH,
2216 signature, &signature_len, eckey)) {
2217 SSLerror(s, ERR_R_ECDSA_LIB);
2218 goto err;
2219 }
2220
2221 if (!CBB_add_u16_length_prefixed(cert_verify, &cbb_signature))
2222 goto err;
2223 if (!CBB_add_bytes(&cbb_signature, signature, signature_len))
2224 goto err;
2225 if (!CBB_flush(cert_verify))
2226 goto err;
2227
2228 ret = 1;
2229 err:
2230 free(signature);
2231 return ret;
2232}
2233
2234#ifndef OPENSSL_NO_GOST
2235static int
2236ssl3_send_client_verify_gost(SSL *s, EVP_PKEY *pkey, CBB *cert_verify)
2237{
2238 CBB cbb_signature;
2239 EVP_MD_CTX *mctx;
2240 EVP_PKEY_CTX *pctx;
2241 const EVP_MD *md;
2242 const unsigned char *hdata;
2243 unsigned char *signature = NULL;
2244 size_t signature_len;
2245 size_t hdata_len;
2246 int nid;
2247 int ret = 0;
2248
2249 if ((mctx = EVP_MD_CTX_new()) == NULL)
2250 goto err;
2251
2252 if (!tls1_transcript_data(s, &hdata, &hdata_len)) {
2253 SSLerror(s, ERR_R_INTERNAL_ERROR);
2254 goto err;
2255 }
2256 if (!EVP_PKEY_get_default_digest_nid(pkey, &nid) ||
2257 (md = EVP_get_digestbynid(nid)) == NULL) {
2258 SSLerror(s, ERR_R_EVP_LIB);
2259 goto err;
2260 }
2261 if (!EVP_DigestSignInit(mctx, &pctx, md, NULL, pkey)) {
2262 SSLerror(s, ERR_R_EVP_LIB);
2263 goto err;
2264 }
2265 if (EVP_PKEY_CTX_ctrl(pctx, -1, EVP_PKEY_OP_SIGN,
2266 EVP_PKEY_CTRL_GOST_SIG_FORMAT, GOST_SIG_FORMAT_RS_LE, NULL) <= 0) {
2267 SSLerror(s, ERR_R_EVP_LIB);
2268 goto err;
2269 }
2270 if (!EVP_DigestSignUpdate(mctx, hdata, hdata_len)) {
2271 SSLerror(s, ERR_R_EVP_LIB);
2272 goto err;
2273 }
2274 if (!EVP_DigestSignFinal(mctx, NULL, &signature_len) ||
2275 signature_len == 0) {
2276 SSLerror(s, ERR_R_EVP_LIB);
2277 goto err;
2278 }
2279 if ((signature = calloc(1, signature_len)) == NULL) {
2280 SSLerror(s, ERR_R_MALLOC_FAILURE);
2281 goto err;
2282 }
2283 if (!EVP_DigestSignFinal(mctx, signature, &signature_len)) {
2284 SSLerror(s, ERR_R_EVP_LIB);
2285 goto err;
2286 }
2287
2288 if (!CBB_add_u16_length_prefixed(cert_verify, &cbb_signature))
2289 goto err;
2290 if (!CBB_add_bytes(&cbb_signature, signature, signature_len))
2291 goto err;
2292 if (!CBB_flush(cert_verify))
2293 goto err;
2294
2295 ret = 1;
2296 err:
2297 EVP_MD_CTX_free(mctx);
2298 free(signature);
2299 return ret;
2300}
2301#endif
2302
2303static int
2304ssl3_send_client_verify(SSL *s)
2305{
2306 const struct ssl_sigalg *sigalg;
2307 CBB cbb, cert_verify;
2308 EVP_PKEY *pkey;
2309
2310 memset(&cbb, 0, sizeof(cbb));
2311
2312 if (s->s3->hs.state == SSL3_ST_CW_CERT_VRFY_A) {
2313 if (!ssl3_handshake_msg_start(s, &cbb, &cert_verify,
2314 SSL3_MT_CERTIFICATE_VERIFY))
2315 goto err;
2316
2317 pkey = s->cert->key->privatekey;
2318 if ((sigalg = ssl_sigalg_select(s, pkey)) == NULL) {
2319 SSLerror(s, SSL_R_SIGNATURE_ALGORITHMS_ERROR);
2320 goto err;
2321 }
2322 s->s3->hs.our_sigalg = sigalg;
2323
2324 /*
2325 * For TLS v1.2 send signature algorithm and signature using
2326 * agreed digest and cached handshake records.
2327 */
2328 if (SSL_USE_SIGALGS(s)) {
2329 if (!ssl3_send_client_verify_sigalgs(s, pkey, sigalg,
2330 &cert_verify))
2331 goto err;
2332 } else if (EVP_PKEY_id(pkey) == EVP_PKEY_RSA) {
2333 if (!ssl3_send_client_verify_rsa(s, pkey, &cert_verify))
2334 goto err;
2335 } else if (EVP_PKEY_id(pkey) == EVP_PKEY_EC) {
2336 if (!ssl3_send_client_verify_ec(s, pkey, &cert_verify))
2337 goto err;
2338#ifndef OPENSSL_NO_GOST
2339 } else if (EVP_PKEY_id(pkey) == NID_id_GostR3410_94 ||
2340 EVP_PKEY_id(pkey) == NID_id_GostR3410_2001) {
2341 if (!ssl3_send_client_verify_gost(s, pkey, &cert_verify))
2342 goto err;
2343#endif
2344 } else {
2345 SSLerror(s, ERR_R_INTERNAL_ERROR);
2346 goto err;
2347 }
2348
2349 tls1_transcript_free(s);
2350
2351 if (!ssl3_handshake_msg_finish(s, &cbb))
2352 goto err;
2353
2354 s->s3->hs.state = SSL3_ST_CW_CERT_VRFY_B;
2355 }
2356
2357 return (ssl3_handshake_write(s));
2358
2359 err:
2360 CBB_cleanup(&cbb);
2361
2362 return (-1);
2363}
2364
2365static int
2366ssl3_send_client_certificate(SSL *s)
2367{
2368 EVP_PKEY *pkey = NULL;
2369 X509 *x509 = NULL;
2370 CBB cbb, client_cert;
2371 int i;
2372
2373 memset(&cbb, 0, sizeof(cbb));
2374
2375 if (s->s3->hs.state == SSL3_ST_CW_CERT_A) {
2376 if (s->cert->key->x509 == NULL ||
2377 s->cert->key->privatekey == NULL)
2378 s->s3->hs.state = SSL3_ST_CW_CERT_B;
2379 else
2380 s->s3->hs.state = SSL3_ST_CW_CERT_C;
2381 }
2382
2383 /* We need to get a client cert */
2384 if (s->s3->hs.state == SSL3_ST_CW_CERT_B) {
2385 /*
2386 * If we get an error, we need to
2387 * ssl->rwstate = SSL_X509_LOOKUP; return(-1);
2388 * We then get retried later.
2389 */
2390 i = ssl_do_client_cert_cb(s, &x509, &pkey);
2391 if (i < 0) {
2392 s->rwstate = SSL_X509_LOOKUP;
2393 return (-1);
2394 }
2395 s->rwstate = SSL_NOTHING;
2396 if ((i == 1) && (pkey != NULL) && (x509 != NULL)) {
2397 s->s3->hs.state = SSL3_ST_CW_CERT_B;
2398 if (!SSL_use_certificate(s, x509) ||
2399 !SSL_use_PrivateKey(s, pkey))
2400 i = 0;
2401 } else if (i == 1) {
2402 i = 0;
2403 SSLerror(s, SSL_R_BAD_DATA_RETURNED_BY_CALLBACK);
2404 }
2405
2406 X509_free(x509);
2407 EVP_PKEY_free(pkey);
2408 if (i == 0) {
2409 s->s3->hs.tls12.cert_request = 2;
2410
2411 /* There is no client certificate to verify. */
2412 tls1_transcript_free(s);
2413 }
2414
2415 /* Ok, we have a cert */
2416 s->s3->hs.state = SSL3_ST_CW_CERT_C;
2417 }
2418
2419 if (s->s3->hs.state == SSL3_ST_CW_CERT_C) {
2420 if (!ssl3_handshake_msg_start(s, &cbb, &client_cert,
2421 SSL3_MT_CERTIFICATE))
2422 goto err;
2423 if (!ssl3_output_cert_chain(s, &client_cert,
2424 (s->s3->hs.tls12.cert_request == 2) ? NULL : s->cert->key))
2425 goto err;
2426 if (!ssl3_handshake_msg_finish(s, &cbb))
2427 goto err;
2428
2429 s->s3->hs.state = SSL3_ST_CW_CERT_D;
2430 }
2431
2432 /* SSL3_ST_CW_CERT_D */
2433 return (ssl3_handshake_write(s));
2434
2435 err:
2436 CBB_cleanup(&cbb);
2437
2438 return (0);
2439}
2440
2441#define has_bits(i,m) (((i)&(m)) == (m))
2442
2443static int
2444ssl3_check_cert_and_algorithm(SSL *s)
2445{
2446 long alg_k, alg_a;
2447 int nid = NID_undef;
2448 int i;
2449
2450 alg_k = s->s3->hs.cipher->algorithm_mkey;
2451 alg_a = s->s3->hs.cipher->algorithm_auth;
2452
2453 /* We don't have a certificate. */
2454 if (alg_a & SSL_aNULL)
2455 return (1);
2456
2457 if (s->s3->hs.key_share != NULL)
2458 nid = tls_key_share_nid(s->s3->hs.key_share);
2459
2460 /* This is the passed certificate. */
2461
2462 if (s->session->peer_cert_type == SSL_PKEY_ECC) {
2463 if (!ssl_check_srvr_ecc_cert_and_alg(s, s->session->peer_cert)) {
2464 SSLerror(s, SSL_R_BAD_ECC_CERT);
2465 goto fatal_err;
2466 }
2467 return (1);
2468 }
2469
2470 i = X509_certificate_type(s->session->peer_cert, NULL);
2471
2472 /* Check that we have a certificate if we require one. */
2473 if ((alg_a & SSL_aRSA) && !has_bits(i, EVP_PK_RSA|EVP_PKT_SIGN)) {
2474 SSLerror(s, SSL_R_MISSING_RSA_SIGNING_CERT);
2475 goto fatal_err;
2476 }
2477 if ((alg_k & SSL_kRSA) && !has_bits(i, EVP_PK_RSA|EVP_PKT_ENC)) {
2478 SSLerror(s, SSL_R_MISSING_RSA_ENCRYPTING_CERT);
2479 goto fatal_err;
2480 }
2481 if ((alg_k & SSL_kDHE) &&
2482 !(has_bits(i, EVP_PK_DH|EVP_PKT_EXCH) || (nid == NID_dhKeyAgreement))) {
2483 SSLerror(s, SSL_R_MISSING_DH_KEY);
2484 goto fatal_err;
2485 }
2486
2487 return (1);
2488
2489 fatal_err:
2490 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
2491
2492 return (0);
2493}
2494
2495/*
2496 * Check to see if handshake is full or resumed. Usually this is just a
2497 * case of checking to see if a cache hit has occurred. In the case of
2498 * session tickets we have to check the next message to be sure.
2499 */
2500
2501static int
2502ssl3_check_finished(SSL *s)
2503{
2504 int ret;
2505
2506 /* If we have no ticket it cannot be a resumed session. */
2507 if (!s->session->tlsext_tick)
2508 return (1);
2509 /* this function is called when we really expect a Certificate
2510 * message, so permit appropriate message length */
2511 if ((ret = ssl3_get_message(s, SSL3_ST_CR_CERT_A,
2512 SSL3_ST_CR_CERT_B, -1, s->max_cert_list)) <= 0)
2513 return ret;
2514
2515 s->s3->hs.tls12.reuse_message = 1;
2516 if ((s->s3->hs.tls12.message_type == SSL3_MT_FINISHED) ||
2517 (s->s3->hs.tls12.message_type == SSL3_MT_NEWSESSION_TICKET))
2518 return (2);
2519
2520 return (1);
2521}
2522
2523static int
2524ssl_do_client_cert_cb(SSL *s, X509 **px509, EVP_PKEY **ppkey)
2525{
2526 int i = 0;
2527
2528#ifndef OPENSSL_NO_ENGINE
2529 if (s->ctx->client_cert_engine) {
2530 i = ENGINE_load_ssl_client_cert(
2531 s->ctx->client_cert_engine, s,
2532 SSL_get_client_CA_list(s), px509, ppkey, NULL, NULL, NULL);
2533 if (i != 0)
2534 return (i);
2535 }
2536#endif
2537 if (s->ctx->client_cert_cb)
2538 i = s->ctx->client_cert_cb(s, px509, ppkey);
2539 return (i);
2540}
2541
2542static int
2543ssl3_send_client_change_cipher_spec(SSL *s)
2544{
2545 size_t outlen;
2546 CBB cbb;
2547
2548 memset(&cbb, 0, sizeof(cbb));
2549
2550 if (s->s3->hs.state == SSL3_ST_CW_CHANGE_A) {
2551 if (!CBB_init_fixed(&cbb, s->init_buf->data,
2552 s->init_buf->length))
2553 goto err;
2554 if (!CBB_add_u8(&cbb, SSL3_MT_CCS))
2555 goto err;
2556 if (!CBB_finish(&cbb, NULL, &outlen))
2557 goto err;
2558
2559 if (outlen > INT_MAX)
2560 goto err;
2561
2562 s->init_num = (int)outlen;
2563 s->init_off = 0;
2564
2565 if (SSL_is_dtls(s)) {
2566 s->d1->handshake_write_seq =
2567 s->d1->next_handshake_write_seq;
2568 dtls1_set_message_header_int(s, SSL3_MT_CCS, 0,
2569 s->d1->handshake_write_seq, 0, 0);
2570 dtls1_buffer_message(s, 1);
2571 }
2572
2573 s->s3->hs.state = SSL3_ST_CW_CHANGE_B;
2574 }
2575
2576 /* SSL3_ST_CW_CHANGE_B */
2577 return ssl3_record_write(s, SSL3_RT_CHANGE_CIPHER_SPEC);
2578
2579 err:
2580 CBB_cleanup(&cbb);
2581
2582 return -1;
2583}
2584
2585static int
2586ssl3_send_client_finished(SSL *s)
2587{
2588 CBB cbb, finished;
2589
2590 memset(&cbb, 0, sizeof(cbb));
2591
2592 if (s->s3->hs.state == SSL3_ST_CW_FINISHED_A) {
2593 if (!tls12_derive_finished(s))
2594 goto err;
2595
2596 /* Copy finished so we can use it for renegotiation checks. */
2597 memcpy(s->s3->previous_client_finished,
2598 s->s3->hs.finished, s->s3->hs.finished_len);
2599 s->s3->previous_client_finished_len =
2600 s->s3->hs.finished_len;
2601
2602 if (!ssl3_handshake_msg_start(s, &cbb, &finished,
2603 SSL3_MT_FINISHED))
2604 goto err;
2605 if (!CBB_add_bytes(&finished, s->s3->hs.finished,
2606 s->s3->hs.finished_len))
2607 goto err;
2608 if (!ssl3_handshake_msg_finish(s, &cbb))
2609 goto err;
2610
2611 s->s3->hs.state = SSL3_ST_CW_FINISHED_B;
2612 }
2613
2614 return (ssl3_handshake_write(s));
2615
2616 err:
2617 CBB_cleanup(&cbb);
2618
2619 return (-1);
2620}
2621
2622static int
2623ssl3_get_server_finished(SSL *s)
2624{
2625 int al, md_len, ret;
2626 CBS cbs;
2627
2628 /* should actually be 36+4 :-) */
2629 if ((ret = ssl3_get_message(s, SSL3_ST_CR_FINISHED_A,
2630 SSL3_ST_CR_FINISHED_B, SSL3_MT_FINISHED, 64)) <= 0)
2631 return ret;
2632
2633 /* If this occurs, we have missed a message */
2634 if (!s->s3->change_cipher_spec) {
2635 al = SSL_AD_UNEXPECTED_MESSAGE;
2636 SSLerror(s, SSL_R_GOT_A_FIN_BEFORE_A_CCS);
2637 goto fatal_err;
2638 }
2639 s->s3->change_cipher_spec = 0;
2640
2641 md_len = TLS1_FINISH_MAC_LENGTH;
2642
2643 if (s->init_num < 0) {
2644 al = SSL_AD_DECODE_ERROR;
2645 SSLerror(s, SSL_R_BAD_DIGEST_LENGTH);
2646 goto fatal_err;
2647 }
2648
2649 CBS_init(&cbs, s->init_msg, s->init_num);
2650
2651 if (s->s3->hs.peer_finished_len != md_len ||
2652 CBS_len(&cbs) != md_len) {
2653 al = SSL_AD_DECODE_ERROR;
2654 SSLerror(s, SSL_R_BAD_DIGEST_LENGTH);
2655 goto fatal_err;
2656 }
2657
2658 if (!CBS_mem_equal(&cbs, s->s3->hs.peer_finished, CBS_len(&cbs))) {
2659 al = SSL_AD_DECRYPT_ERROR;
2660 SSLerror(s, SSL_R_DIGEST_CHECK_FAILED);
2661 goto fatal_err;
2662 }
2663
2664 /* Copy finished so we can use it for renegotiation checks. */
2665 OPENSSL_assert(md_len <= EVP_MAX_MD_SIZE);
2666 memcpy(s->s3->previous_server_finished,
2667 s->s3->hs.peer_finished, md_len);
2668 s->s3->previous_server_finished_len = md_len;
2669
2670 return (1);
2671 fatal_err:
2672 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2673 return (0);
2674}
diff --git a/src/lib/libssl/ssl_err.c b/src/lib/libssl/ssl_err.c
deleted file mode 100644
index 59d8119e10..0000000000
--- a/src/lib/libssl/ssl_err.c
+++ /dev/null
@@ -1,671 +0,0 @@
1/* $OpenBSD: ssl_err.c,v 1.45 2022/11/26 16:08:55 tb Exp $ */
2/* ====================================================================
3 * Copyright (c) 1999-2011 The OpenSSL Project. All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 *
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
11 *
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in
14 * the documentation and/or other materials provided with the
15 * distribution.
16 *
17 * 3. All advertising materials mentioning features or use of this
18 * software must display the following acknowledgment:
19 * "This product includes software developed by the OpenSSL Project
20 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
21 *
22 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
23 * endorse or promote products derived from this software without
24 * prior written permission. For written permission, please contact
25 * openssl-core@OpenSSL.org.
26 *
27 * 5. Products derived from this software may not be called "OpenSSL"
28 * nor may "OpenSSL" appear in their names without prior written
29 * permission of the OpenSSL Project.
30 *
31 * 6. Redistributions of any form whatsoever must retain the following
32 * acknowledgment:
33 * "This product includes software developed by the OpenSSL Project
34 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
35 *
36 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
37 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
38 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
39 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
40 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
41 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
42 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
43 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
44 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
45 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
46 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
47 * OF THE POSSIBILITY OF SUCH DAMAGE.
48 * ====================================================================
49 *
50 * This product includes cryptographic software written by Eric Young
51 * (eay@cryptsoft.com). This product includes software written by Tim
52 * Hudson (tjh@cryptsoft.com).
53 *
54 */
55
56#include <stdio.h>
57
58#include <openssl/err.h>
59#include <openssl/opensslconf.h>
60#include <openssl/ssl.h>
61
62#include "ssl_local.h"
63
64#ifndef OPENSSL_NO_ERR
65
66#define ERR_FUNC(func) ERR_PACK(ERR_LIB_SSL,func,0)
67#define ERR_REASON(reason) ERR_PACK(ERR_LIB_SSL,0,reason)
68
69/* See SSL_state_func_code below */
70static ERR_STRING_DATA SSL_str_functs[]= {
71 {ERR_FUNC(1), "CONNECT_CW_FLUSH"},
72 {ERR_FUNC(2), "CONNECT_CW_CLNT_HELLO"},
73 {ERR_FUNC(3), "CONNECT_CW_CLNT_HELLO"},
74 {ERR_FUNC(4), "CONNECT_CR_SRVR_HELLO"},
75 {ERR_FUNC(5), "CONNECT_CR_SRVR_HELLO"},
76 {ERR_FUNC(6), "CONNECT_CR_CERT"},
77 {ERR_FUNC(7), "CONNECT_CR_CERT"},
78 {ERR_FUNC(8), "CONNECT_CR_KEY_EXCH"},
79 {ERR_FUNC(9), "CONNECT_CR_KEY_EXCH"},
80 {ERR_FUNC(10), "CONNECT_CR_CERT_REQ"},
81 {ERR_FUNC(11), "CONNECT_CR_CERT_REQ"},
82 {ERR_FUNC(12), "CONNECT_CR_SRVR_DONE"},
83 {ERR_FUNC(13), "CONNECT_CR_SRVR_DONE"},
84 {ERR_FUNC(14), "CONNECT_CW_CERT"},
85 {ERR_FUNC(15), "CONNECT_CW_CERT"},
86 {ERR_FUNC(16), "CONNECT_CW_CERT_C"},
87 {ERR_FUNC(17), "CONNECT_CW_CERT_D"},
88 {ERR_FUNC(18), "CONNECT_CW_KEY_EXCH"},
89 {ERR_FUNC(19), "CONNECT_CW_KEY_EXCH"},
90 {ERR_FUNC(20), "CONNECT_CW_CERT_VRFY"},
91 {ERR_FUNC(21), "CONNECT_CW_CERT_VRFY"},
92 {ERR_FUNC(22), "CONNECT_CW_CHANGE"},
93 {ERR_FUNC(23), "CONNECT_CW_CHANGE"},
94 {ERR_FUNC(26), "CONNECT_CW_FINISHED"},
95 {ERR_FUNC(27), "CONNECT_CW_FINISHED"},
96 {ERR_FUNC(28), "CONNECT_CR_CHANGE"},
97 {ERR_FUNC(29), "CONNECT_CR_CHANGE"},
98 {ERR_FUNC(30), "CONNECT_CR_FINISHED"},
99 {ERR_FUNC(31), "CONNECT_CR_FINISHED"},
100 {ERR_FUNC(32), "CONNECT_CR_SESSION_TICKET"},
101 {ERR_FUNC(33), "CONNECT_CR_SESSION_TICKET"},
102 {ERR_FUNC(34), "CONNECT_CR_CERT_STATUS"},
103 {ERR_FUNC(35), "CONNECT_CR_CERT_STATUS"},
104 {ERR_FUNC(36), "ACCEPT_SW_FLUSH"},
105 {ERR_FUNC(37), "ACCEPT_SR_CLNT_HELLO"},
106 {ERR_FUNC(38), "ACCEPT_SR_CLNT_HELLO"},
107 {ERR_FUNC(39), "ACCEPT_SR_CLNT_HELLO_C"},
108 {ERR_FUNC(40), "ACCEPT_SW_HELLO_REQ"},
109 {ERR_FUNC(41), "ACCEPT_SW_HELLO_REQ"},
110 {ERR_FUNC(42), "ACCEPT_SW_HELLO_REQ_C"},
111 {ERR_FUNC(43), "ACCEPT_SW_SRVR_HELLO"},
112 {ERR_FUNC(44), "ACCEPT_SW_SRVR_HELLO"},
113 {ERR_FUNC(45), "ACCEPT_SW_CERT"},
114 {ERR_FUNC(46), "ACCEPT_SW_CERT"},
115 {ERR_FUNC(47), "ACCEPT_SW_KEY_EXCH"},
116 {ERR_FUNC(48), "ACCEPT_SW_KEY_EXCH"},
117 {ERR_FUNC(49), "ACCEPT_SW_CERT_REQ"},
118 {ERR_FUNC(50), "ACCEPT_SW_CERT_REQ"},
119 {ERR_FUNC(51), "ACCEPT_SW_SRVR_DONE"},
120 {ERR_FUNC(52), "ACCEPT_SW_SRVR_DONE"},
121 {ERR_FUNC(53), "ACCEPT_SR_CERT"},
122 {ERR_FUNC(54), "ACCEPT_SR_CERT"},
123 {ERR_FUNC(55), "ACCEPT_SR_KEY_EXCH"},
124 {ERR_FUNC(56), "ACCEPT_SR_KEY_EXCH"},
125 {ERR_FUNC(57), "ACCEPT_SR_CERT_VRFY"},
126 {ERR_FUNC(58), "ACCEPT_SR_CERT_VRFY"},
127 {ERR_FUNC(59), "ACCEPT_SR_CHANGE"},
128 {ERR_FUNC(60), "ACCEPT_SR_CHANGE"},
129 {ERR_FUNC(63), "ACCEPT_SR_FINISHED"},
130 {ERR_FUNC(64), "ACCEPT_SR_FINISHED"},
131 {ERR_FUNC(65), "ACCEPT_SW_CHANGE"},
132 {ERR_FUNC(66), "ACCEPT_SW_CHANGE"},
133 {ERR_FUNC(67), "ACCEPT_SW_FINISHED"},
134 {ERR_FUNC(68), "ACCEPT_SW_FINISHED"},
135 {ERR_FUNC(69), "ACCEPT_SW_SESSION_TICKET"},
136 {ERR_FUNC(70), "ACCEPT_SW_SESSION_TICKET"},
137 {ERR_FUNC(71), "ACCEPT_SW_CERT_STATUS"},
138 {ERR_FUNC(72), "ACCEPT_SW_CERT_STATUS"},
139 {ERR_FUNC(73), "ST_BEFORE"},
140 {ERR_FUNC(74), "ST_ACCEPT"},
141 {ERR_FUNC(75), "ST_CONNECT"},
142 {ERR_FUNC(76), "ST_OK"},
143 {ERR_FUNC(77), "ST_RENEGOTIATE"},
144 {ERR_FUNC(78), "ST_BEFORE_CONNECT"},
145 {ERR_FUNC(79), "ST_OK_CONNECT"},
146 {ERR_FUNC(80), "ST_BEFORE_ACCEPT"},
147 {ERR_FUNC(81), "ST_OK_ACCEPT"},
148 {ERR_FUNC(83), "DTLS1_ST_CR_HELLO_VERIFY_REQUEST"},
149 {ERR_FUNC(84), "DTLS1_ST_CR_HELLO_VERIFY_REQUEST"},
150 {ERR_FUNC(85), "DTLS1_ST_SW_HELLO_VERIFY_REQUEST"},
151 {ERR_FUNC(86), "DTLS1_ST_SW_HELLO_VERIFY_REQUEST"},
152 {ERR_FUNC(0xfff), "(UNKNOWN)SSL_internal"},
153 {0, NULL}
154};
155
156static ERR_STRING_DATA SSL_str_reasons[]= {
157 {ERR_REASON(SSL_R_APP_DATA_IN_HANDSHAKE) , "app data in handshake"},
158 {ERR_REASON(SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT), "attempt to reuse session in different context"},
159 {ERR_REASON(SSL_R_BAD_ALERT_RECORD) , "bad alert record"},
160 {ERR_REASON(SSL_R_BAD_AUTHENTICATION_TYPE), "bad authentication type"},
161 {ERR_REASON(SSL_R_BAD_CHANGE_CIPHER_SPEC), "bad change cipher spec"},
162 {ERR_REASON(SSL_R_BAD_CHECKSUM) , "bad checksum"},
163 {ERR_REASON(SSL_R_BAD_DATA_RETURNED_BY_CALLBACK), "bad data returned by callback"},
164 {ERR_REASON(SSL_R_BAD_DECOMPRESSION) , "bad decompression"},
165 {ERR_REASON(SSL_R_BAD_DH_G_LENGTH) , "bad dh g length"},
166 {ERR_REASON(SSL_R_BAD_DH_PUB_KEY_LENGTH) , "bad dh pub key length"},
167 {ERR_REASON(SSL_R_BAD_DH_P_LENGTH) , "bad dh p length"},
168 {ERR_REASON(SSL_R_BAD_DIGEST_LENGTH) , "bad digest length"},
169 {ERR_REASON(SSL_R_BAD_DSA_SIGNATURE) , "bad dsa signature"},
170 {ERR_REASON(SSL_R_BAD_ECC_CERT) , "bad ecc cert"},
171 {ERR_REASON(SSL_R_BAD_ECDSA_SIGNATURE) , "bad ecdsa signature"},
172 {ERR_REASON(SSL_R_BAD_ECPOINT) , "bad ecpoint"},
173 {ERR_REASON(SSL_R_BAD_HANDSHAKE_LENGTH) , "bad handshake length"},
174 {ERR_REASON(SSL_R_BAD_HELLO_REQUEST) , "bad hello request"},
175 {ERR_REASON(SSL_R_BAD_LENGTH) , "bad length"},
176 {ERR_REASON(SSL_R_BAD_MAC_DECODE) , "bad mac decode"},
177 {ERR_REASON(SSL_R_BAD_MAC_LENGTH) , "bad mac length"},
178 {ERR_REASON(SSL_R_BAD_MESSAGE_TYPE) , "bad message type"},
179 {ERR_REASON(SSL_R_BAD_PACKET_LENGTH) , "bad packet length"},
180 {ERR_REASON(SSL_R_BAD_PROTOCOL_VERSION_NUMBER), "bad protocol version number"},
181 {ERR_REASON(SSL_R_BAD_PSK_IDENTITY_HINT_LENGTH), "bad psk identity hint length"},
182 {ERR_REASON(SSL_R_BAD_RESPONSE_ARGUMENT) , "bad response argument"},
183 {ERR_REASON(SSL_R_BAD_RSA_DECRYPT) , "bad rsa decrypt"},
184 {ERR_REASON(SSL_R_BAD_RSA_ENCRYPT) , "bad rsa encrypt"},
185 {ERR_REASON(SSL_R_BAD_RSA_E_LENGTH) , "bad rsa e length"},
186 {ERR_REASON(SSL_R_BAD_RSA_MODULUS_LENGTH), "bad rsa modulus length"},
187 {ERR_REASON(SSL_R_BAD_RSA_SIGNATURE) , "bad rsa signature"},
188 {ERR_REASON(SSL_R_BAD_SIGNATURE) , "bad signature"},
189 {ERR_REASON(SSL_R_BAD_SRP_A_LENGTH) , "bad srp a length"},
190 {ERR_REASON(SSL_R_BAD_SRP_B_LENGTH) , "bad srp b length"},
191 {ERR_REASON(SSL_R_BAD_SRP_G_LENGTH) , "bad srp g length"},
192 {ERR_REASON(SSL_R_BAD_SRP_N_LENGTH) , "bad srp n length"},
193 {ERR_REASON(SSL_R_BAD_SRP_S_LENGTH) , "bad srp s length"},
194 {ERR_REASON(SSL_R_BAD_SRTP_MKI_VALUE) , "bad srtp mki value"},
195 {ERR_REASON(SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST), "bad srtp protection profile list"},
196 {ERR_REASON(SSL_R_BAD_SSL_FILETYPE) , "bad ssl filetype"},
197 {ERR_REASON(SSL_R_BAD_SSL_SESSION_ID_LENGTH), "bad ssl session id length"},
198 {ERR_REASON(SSL_R_BAD_STATE) , "bad state"},
199 {ERR_REASON(SSL_R_BAD_WRITE_RETRY) , "bad write retry"},
200 {ERR_REASON(SSL_R_BIO_NOT_SET) , "bio not set"},
201 {ERR_REASON(SSL_R_BLOCK_CIPHER_PAD_IS_WRONG), "block cipher pad is wrong"},
202 {ERR_REASON(SSL_R_BN_LIB) , "bn lib"},
203 {ERR_REASON(SSL_R_CA_DN_LENGTH_MISMATCH) , "ca dn length mismatch"},
204 {ERR_REASON(SSL_R_CA_DN_TOO_LONG) , "ca dn too long"},
205 {ERR_REASON(SSL_R_CA_KEY_TOO_SMALL) , "ca key too small"},
206 {ERR_REASON(SSL_R_CA_MD_TOO_WEAK) , "ca md too weak"},
207 {ERR_REASON(SSL_R_CCS_RECEIVED_EARLY) , "ccs received early"},
208 {ERR_REASON(SSL_R_CERTIFICATE_VERIFY_FAILED), "certificate verify failed"},
209 {ERR_REASON(SSL_R_CERT_LENGTH_MISMATCH) , "cert length mismatch"},
210 {ERR_REASON(SSL_R_CHALLENGE_IS_DIFFERENT), "challenge is different"},
211 {ERR_REASON(SSL_R_CIPHER_CODE_WRONG_LENGTH), "cipher code wrong length"},
212 {ERR_REASON(SSL_R_CIPHER_COMPRESSION_UNAVAILABLE), "cipher compression unavailable"},
213 {ERR_REASON(SSL_R_CIPHER_OR_HASH_UNAVAILABLE), "cipher or hash unavailable"},
214 {ERR_REASON(SSL_R_CIPHER_TABLE_SRC_ERROR), "cipher table src error"},
215 {ERR_REASON(SSL_R_CLIENTHELLO_TLSEXT) , "clienthello tlsext"},
216 {ERR_REASON(SSL_R_COMPRESSED_LENGTH_TOO_LONG), "compressed length too long"},
217 {ERR_REASON(SSL_R_COMPRESSION_DISABLED) , "compression disabled"},
218 {ERR_REASON(SSL_R_COMPRESSION_FAILURE) , "compression failure"},
219 {ERR_REASON(SSL_R_COMPRESSION_ID_NOT_WITHIN_PRIVATE_RANGE), "compression id not within private range"},
220 {ERR_REASON(SSL_R_COMPRESSION_LIBRARY_ERROR), "compression library error"},
221 {ERR_REASON(SSL_R_CONNECTION_ID_IS_DIFFERENT), "connection id is different"},
222 {ERR_REASON(SSL_R_CONNECTION_TYPE_NOT_SET), "connection type not set"},
223 {ERR_REASON(SSL_R_COOKIE_MISMATCH) , "cookie mismatch"},
224 {ERR_REASON(SSL_R_DATA_BETWEEN_CCS_AND_FINISHED), "data between ccs and finished"},
225 {ERR_REASON(SSL_R_DATA_LENGTH_TOO_LONG) , "data length too long"},
226 {ERR_REASON(SSL_R_DECRYPTION_FAILED) , "decryption failed"},
227 {ERR_REASON(SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC), "decryption failed or bad record mac"},
228 {ERR_REASON(SSL_R_DH_KEY_TOO_SMALL) , "dh key too small"},
229 {ERR_REASON(SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG), "dh public value length is wrong"},
230 {ERR_REASON(SSL_R_DIGEST_CHECK_FAILED) , "digest check failed"},
231 {ERR_REASON(SSL_R_DTLS_MESSAGE_TOO_BIG) , "dtls message too big"},
232 {ERR_REASON(SSL_R_DUPLICATE_COMPRESSION_ID), "duplicate compression id"},
233 {ERR_REASON(SSL_R_ECC_CERT_NOT_FOR_KEY_AGREEMENT), "ecc cert not for key agreement"},
234 {ERR_REASON(SSL_R_ECC_CERT_NOT_FOR_SIGNING), "ecc cert not for signing"},
235 {ERR_REASON(SSL_R_ECC_CERT_SHOULD_HAVE_RSA_SIGNATURE), "ecc cert should have rsa signature"},
236 {ERR_REASON(SSL_R_ECC_CERT_SHOULD_HAVE_SHA1_SIGNATURE), "ecc cert should have sha1 signature"},
237 {ERR_REASON(SSL_R_ECGROUP_TOO_LARGE_FOR_CIPHER), "ecgroup too large for cipher"},
238 {ERR_REASON(SSL_R_EE_KEY_TOO_SMALL) , "ee key too small"},
239 {ERR_REASON(SSL_R_EMPTY_SRTP_PROTECTION_PROFILE_LIST), "empty srtp protection profile list"},
240 {ERR_REASON(SSL_R_ENCRYPTED_LENGTH_TOO_LONG), "encrypted length too long"},
241 {ERR_REASON(SSL_R_ERROR_GENERATING_TMP_RSA_KEY), "error generating tmp rsa key"},
242 {ERR_REASON(SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST), "error in received cipher list"},
243 {ERR_REASON(SSL_R_EXCESSIVE_MESSAGE_SIZE), "excessive message size"},
244 {ERR_REASON(SSL_R_EXTRA_DATA_IN_MESSAGE) , "extra data in message"},
245 {ERR_REASON(SSL_R_GOT_A_FIN_BEFORE_A_CCS), "got a fin before a ccs"},
246 {ERR_REASON(SSL_R_GOT_NEXT_PROTO_BEFORE_A_CCS), "got next proto before a ccs"},
247 {ERR_REASON(SSL_R_GOT_NEXT_PROTO_WITHOUT_EXTENSION), "got next proto without seeing extension"},
248 {ERR_REASON(SSL_R_HTTPS_PROXY_REQUEST) , "https proxy request"},
249 {ERR_REASON(SSL_R_HTTP_REQUEST) , "http request"},
250 {ERR_REASON(SSL_R_ILLEGAL_PADDING) , "illegal padding"},
251 {ERR_REASON(SSL_R_INAPPROPRIATE_FALLBACK), "inappropriate fallback"},
252 {ERR_REASON(SSL_R_INCONSISTENT_COMPRESSION), "inconsistent compression"},
253 {ERR_REASON(SSL_R_INVALID_CHALLENGE_LENGTH), "invalid challenge length"},
254 {ERR_REASON(SSL_R_INVALID_COMMAND) , "invalid command"},
255 {ERR_REASON(SSL_R_INVALID_COMPRESSION_ALGORITHM), "invalid compression algorithm"},
256 {ERR_REASON(SSL_R_INVALID_PURPOSE) , "invalid purpose"},
257 {ERR_REASON(SSL_R_INVALID_SRP_USERNAME) , "invalid srp username"},
258 {ERR_REASON(SSL_R_INVALID_STATUS_RESPONSE), "invalid status response"},
259 {ERR_REASON(SSL_R_INVALID_TICKET_KEYS_LENGTH), "invalid ticket keys length"},
260 {ERR_REASON(SSL_R_INVALID_TRUST) , "invalid trust"},
261 {ERR_REASON(SSL_R_KEY_ARG_TOO_LONG) , "key arg too long"},
262 {ERR_REASON(SSL_R_KRB5) , "krb5"},
263 {ERR_REASON(SSL_R_KRB5_C_CC_PRINC) , "krb5 client cc principal (no tkt?)"},
264 {ERR_REASON(SSL_R_KRB5_C_GET_CRED) , "krb5 client get cred"},
265 {ERR_REASON(SSL_R_KRB5_C_INIT) , "krb5 client init"},
266 {ERR_REASON(SSL_R_KRB5_C_MK_REQ) , "krb5 client mk_req (expired tkt?)"},
267 {ERR_REASON(SSL_R_KRB5_S_BAD_TICKET) , "krb5 server bad ticket"},
268 {ERR_REASON(SSL_R_KRB5_S_INIT) , "krb5 server init"},
269 {ERR_REASON(SSL_R_KRB5_S_RD_REQ) , "krb5 server rd_req (keytab perms?)"},
270 {ERR_REASON(SSL_R_KRB5_S_TKT_EXPIRED) , "krb5 server tkt expired"},
271 {ERR_REASON(SSL_R_KRB5_S_TKT_NYV) , "krb5 server tkt not yet valid"},
272 {ERR_REASON(SSL_R_KRB5_S_TKT_SKEW) , "krb5 server tkt skew"},
273 {ERR_REASON(SSL_R_LENGTH_MISMATCH) , "length mismatch"},
274 {ERR_REASON(SSL_R_LENGTH_TOO_SHORT) , "length too short"},
275 {ERR_REASON(SSL_R_LIBRARY_BUG) , "library bug"},
276 {ERR_REASON(SSL_R_LIBRARY_HAS_NO_CIPHERS), "library has no ciphers"},
277 {ERR_REASON(SSL_R_MESSAGE_TOO_LONG) , "message too long"},
278 {ERR_REASON(SSL_R_MISSING_DH_DSA_CERT) , "missing dh dsa cert"},
279 {ERR_REASON(SSL_R_MISSING_DH_KEY) , "missing dh key"},
280 {ERR_REASON(SSL_R_MISSING_DH_RSA_CERT) , "missing dh rsa cert"},
281 {ERR_REASON(SSL_R_MISSING_DSA_SIGNING_CERT), "missing dsa signing cert"},
282 {ERR_REASON(SSL_R_MISSING_EXPORT_TMP_DH_KEY), "missing export tmp dh key"},
283 {ERR_REASON(SSL_R_MISSING_EXPORT_TMP_RSA_KEY), "missing export tmp rsa key"},
284 {ERR_REASON(SSL_R_MISSING_RSA_CERTIFICATE), "missing rsa certificate"},
285 {ERR_REASON(SSL_R_MISSING_RSA_ENCRYPTING_CERT), "missing rsa encrypting cert"},
286 {ERR_REASON(SSL_R_MISSING_RSA_SIGNING_CERT), "missing rsa signing cert"},
287 {ERR_REASON(SSL_R_MISSING_SRP_PARAM) , "can't find SRP server param"},
288 {ERR_REASON(SSL_R_MISSING_TMP_DH_KEY) , "missing tmp dh key"},
289 {ERR_REASON(SSL_R_MISSING_TMP_ECDH_KEY) , "missing tmp ecdh key"},
290 {ERR_REASON(SSL_R_MISSING_TMP_RSA_KEY) , "missing tmp rsa key"},
291 {ERR_REASON(SSL_R_MISSING_TMP_RSA_PKEY) , "missing tmp rsa pkey"},
292 {ERR_REASON(SSL_R_MISSING_VERIFY_MESSAGE), "missing verify message"},
293 {ERR_REASON(SSL_R_MULTIPLE_SGC_RESTARTS) , "multiple sgc restarts"},
294 {ERR_REASON(SSL_R_NON_SSLV2_INITIAL_PACKET), "non sslv2 initial packet"},
295 {ERR_REASON(SSL_R_NO_APPLICATION_PROTOCOL), "no application protocol"},
296 {ERR_REASON(SSL_R_NO_CERTIFICATES_RETURNED), "no certificates returned"},
297 {ERR_REASON(SSL_R_NO_CERTIFICATE_ASSIGNED), "no certificate assigned"},
298 {ERR_REASON(SSL_R_NO_CERTIFICATE_RETURNED), "no certificate returned"},
299 {ERR_REASON(SSL_R_NO_CERTIFICATE_SET) , "no certificate set"},
300 {ERR_REASON(SSL_R_NO_CERTIFICATE_SPECIFIED), "no certificate specified"},
301 {ERR_REASON(SSL_R_NO_CIPHERS_AVAILABLE) , "no ciphers available"},
302 {ERR_REASON(SSL_R_NO_CIPHERS_PASSED) , "no ciphers passed"},
303 {ERR_REASON(SSL_R_NO_CIPHERS_SPECIFIED) , "no ciphers specified"},
304 {ERR_REASON(SSL_R_NO_CIPHER_LIST) , "no cipher list"},
305 {ERR_REASON(SSL_R_NO_CIPHER_MATCH) , "no cipher match"},
306 {ERR_REASON(SSL_R_NO_CLIENT_CERT_METHOD) , "no client cert method"},
307 {ERR_REASON(SSL_R_NO_CLIENT_CERT_RECEIVED), "no client cert received"},
308 {ERR_REASON(SSL_R_NO_COMPRESSION_SPECIFIED), "no compression specified"},
309 {ERR_REASON(SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER), "Peer haven't sent GOST certificate, required for selected ciphersuite"},
310 {ERR_REASON(SSL_R_NO_METHOD_SPECIFIED) , "no method specified"},
311 {ERR_REASON(SSL_R_NO_PRIVATEKEY) , "no privatekey"},
312 {ERR_REASON(SSL_R_NO_PRIVATE_KEY_ASSIGNED), "no private key assigned"},
313 {ERR_REASON(SSL_R_NO_PROTOCOLS_AVAILABLE), "no protocols available"},
314 {ERR_REASON(SSL_R_NO_PUBLICKEY) , "no publickey"},
315 {ERR_REASON(SSL_R_NO_RENEGOTIATION) , "no renegotiation"},
316 {ERR_REASON(SSL_R_NO_REQUIRED_DIGEST) , "digest requred for handshake isn't computed"},
317 {ERR_REASON(SSL_R_NO_SHARED_CIPHER) , "no shared cipher"},
318 {ERR_REASON(SSL_R_NO_SRTP_PROFILES) , "no srtp profiles"},
319 {ERR_REASON(SSL_R_NO_VERIFY_CALLBACK) , "no verify callback"},
320 {ERR_REASON(SSL_R_NULL_SSL_CTX) , "null ssl ctx"},
321 {ERR_REASON(SSL_R_NULL_SSL_METHOD_PASSED), "null ssl method passed"},
322 {ERR_REASON(SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED), "old session cipher not returned"},
323 {ERR_REASON(SSL_R_OLD_SESSION_COMPRESSION_ALGORITHM_NOT_RETURNED), "old session compression algorithm not returned"},
324 {ERR_REASON(SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE), "only tls allowed in fips mode"},
325 {ERR_REASON(SSL_R_PACKET_LENGTH_TOO_LONG), "packet length too long"},
326 {ERR_REASON(SSL_R_PARSE_TLSEXT) , "parse tlsext"},
327 {ERR_REASON(SSL_R_PATH_TOO_LONG) , "path too long"},
328 {ERR_REASON(SSL_R_PEER_BEHAVING_BADLY) , "peer is doing strange or hostile things"},
329 {ERR_REASON(SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE), "peer did not return a certificate"},
330 {ERR_REASON(SSL_R_PEER_ERROR) , "peer error"},
331 {ERR_REASON(SSL_R_PEER_ERROR_CERTIFICATE), "peer error certificate"},
332 {ERR_REASON(SSL_R_PEER_ERROR_NO_CERTIFICATE), "peer error no certificate"},
333 {ERR_REASON(SSL_R_PEER_ERROR_NO_CIPHER) , "peer error no cipher"},
334 {ERR_REASON(SSL_R_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE), "peer error unsupported certificate type"},
335 {ERR_REASON(SSL_R_PRE_MAC_LENGTH_TOO_LONG), "pre mac length too long"},
336 {ERR_REASON(SSL_R_PROBLEMS_MAPPING_CIPHER_FUNCTIONS), "problems mapping cipher functions"},
337 {ERR_REASON(SSL_R_PROTOCOL_IS_SHUTDOWN) , "protocol is shutdown"},
338 {ERR_REASON(SSL_R_PSK_IDENTITY_NOT_FOUND), "psk identity not found"},
339 {ERR_REASON(SSL_R_PSK_NO_CLIENT_CB) , "psk no client cb"},
340 {ERR_REASON(SSL_R_PSK_NO_SERVER_CB) , "psk no server cb"},
341 {ERR_REASON(SSL_R_PUBLIC_KEY_ENCRYPT_ERROR), "public key encrypt error"},
342 {ERR_REASON(SSL_R_PUBLIC_KEY_IS_NOT_RSA) , "public key is not rsa"},
343 {ERR_REASON(SSL_R_PUBLIC_KEY_NOT_RSA) , "public key not rsa"},
344 {ERR_REASON(SSL_R_QUIC_INTERNAL_ERROR) , "QUIC: internal error"},
345 {ERR_REASON(SSL_R_READ_BIO_NOT_SET) , "read bio not set"},
346 {ERR_REASON(SSL_R_READ_TIMEOUT_EXPIRED) , "read timeout expired"},
347 {ERR_REASON(SSL_R_READ_WRONG_PACKET_TYPE), "read wrong packet type"},
348 {ERR_REASON(SSL_R_RECORD_LENGTH_MISMATCH), "record length mismatch"},
349 {ERR_REASON(SSL_R_RECORD_TOO_LARGE) , "record too large"},
350 {ERR_REASON(SSL_R_RECORD_TOO_SMALL) , "record too small"},
351 {ERR_REASON(SSL_R_RENEGOTIATE_EXT_TOO_LONG), "renegotiate ext too long"},
352 {ERR_REASON(SSL_R_RENEGOTIATION_ENCODING_ERR), "renegotiation encoding err"},
353 {ERR_REASON(SSL_R_RENEGOTIATION_MISMATCH), "renegotiation mismatch"},
354 {ERR_REASON(SSL_R_REQUIRED_CIPHER_MISSING), "required cipher missing"},
355 {ERR_REASON(SSL_R_REQUIRED_COMPRESSSION_ALGORITHM_MISSING), "required compresssion algorithm missing"},
356 {ERR_REASON(SSL_R_REUSE_CERT_LENGTH_NOT_ZERO), "reuse cert length not zero"},
357 {ERR_REASON(SSL_R_REUSE_CERT_TYPE_NOT_ZERO), "reuse cert type not zero"},
358 {ERR_REASON(SSL_R_REUSE_CIPHER_LIST_NOT_ZERO), "reuse cipher list not zero"},
359 {ERR_REASON(SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING), "scsv received when renegotiating"},
360 {ERR_REASON(SSL_R_SERVERHELLO_TLSEXT) , "serverhello tlsext"},
361 {ERR_REASON(SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED), "session id context uninitialized"},
362 {ERR_REASON(SSL_R_SHORT_READ) , "short read"},
363 {ERR_REASON(SSL_R_SIGNATURE_ALGORITHMS_ERROR), "signature algorithms error"},
364 {ERR_REASON(SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE), "signature for non signing certificate"},
365 {ERR_REASON(SSL_R_SRP_A_CALC) , "error with the srp params"},
366 {ERR_REASON(SSL_R_SRTP_COULD_NOT_ALLOCATE_PROFILES), "srtp could not allocate profiles"},
367 {ERR_REASON(SSL_R_SRTP_PROTECTION_PROFILE_LIST_TOO_LONG), "srtp protection profile list too long"},
368 {ERR_REASON(SSL_R_SRTP_UNKNOWN_PROTECTION_PROFILE), "srtp unknown protection profile"},
369 {ERR_REASON(SSL_R_SSL23_DOING_SESSION_ID_REUSE), "ssl23 doing session id reuse"},
370 {ERR_REASON(SSL_R_SSL2_CONNECTION_ID_TOO_LONG), "ssl2 connection id too long"},
371 {ERR_REASON(SSL_R_SSL3_EXT_INVALID_ECPOINTFORMAT), "ssl3 ext invalid ecpointformat"},
372 {ERR_REASON(SSL_R_SSL3_EXT_INVALID_SERVERNAME), "ssl3 ext invalid servername"},
373 {ERR_REASON(SSL_R_SSL3_EXT_INVALID_SERVERNAME_TYPE), "ssl3 ext invalid servername type"},
374 {ERR_REASON(SSL_R_SSL3_SESSION_ID_TOO_LONG), "ssl3 session id too long"},
375 {ERR_REASON(SSL_R_SSL3_SESSION_ID_TOO_SHORT), "ssl3 session id too short"},
376 {ERR_REASON(SSL_R_SSLV3_ALERT_BAD_CERTIFICATE), "sslv3 alert bad certificate"},
377 {ERR_REASON(SSL_R_SSLV3_ALERT_BAD_RECORD_MAC), "sslv3 alert bad record mac"},
378 {ERR_REASON(SSL_R_SSLV3_ALERT_CERTIFICATE_EXPIRED), "sslv3 alert certificate expired"},
379 {ERR_REASON(SSL_R_SSLV3_ALERT_CERTIFICATE_REVOKED), "sslv3 alert certificate revoked"},
380 {ERR_REASON(SSL_R_SSLV3_ALERT_CERTIFICATE_UNKNOWN), "sslv3 alert certificate unknown"},
381 {ERR_REASON(SSL_R_SSLV3_ALERT_DECOMPRESSION_FAILURE), "sslv3 alert decompression failure"},
382 {ERR_REASON(SSL_R_SSLV3_ALERT_HANDSHAKE_FAILURE), "sslv3 alert handshake failure"},
383 {ERR_REASON(SSL_R_SSLV3_ALERT_ILLEGAL_PARAMETER), "sslv3 alert illegal parameter"},
384 {ERR_REASON(SSL_R_SSLV3_ALERT_NO_CERTIFICATE), "sslv3 alert no certificate"},
385 {ERR_REASON(SSL_R_SSLV3_ALERT_UNEXPECTED_MESSAGE), "sslv3 alert unexpected message"},
386 {ERR_REASON(SSL_R_SSLV3_ALERT_UNSUPPORTED_CERTIFICATE), "sslv3 alert unsupported certificate"},
387 {ERR_REASON(SSL_R_SSL_CTX_HAS_NO_DEFAULT_SSL_VERSION), "ssl ctx has no default ssl version"},
388 {ERR_REASON(SSL_R_SSL_HANDSHAKE_FAILURE) , "ssl handshake failure"},
389 {ERR_REASON(SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS), "ssl library has no ciphers"},
390 {ERR_REASON(SSL_R_SSL_SESSION_ID_CALLBACK_FAILED), "ssl session id callback failed"},
391 {ERR_REASON(SSL_R_SSL_SESSION_ID_CONFLICT), "ssl session id conflict"},
392 {ERR_REASON(SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG), "ssl session id context too long"},
393 {ERR_REASON(SSL_R_SSL_SESSION_ID_HAS_BAD_LENGTH), "ssl session id has bad length"},
394 {ERR_REASON(SSL_R_SSL_SESSION_ID_IS_DIFFERENT), "ssl session id is different"},
395 {ERR_REASON(SSL_R_SSL_SESSION_ID_TOO_LONG), "ssl session id is too long"},
396 {ERR_REASON(SSL_R_TLSV1_ALERT_ACCESS_DENIED), "tlsv1 alert access denied"},
397 {ERR_REASON(SSL_R_TLSV1_ALERT_DECODE_ERROR), "tlsv1 alert decode error"},
398 {ERR_REASON(SSL_R_TLSV1_ALERT_DECRYPTION_FAILED), "tlsv1 alert decryption failed"},
399 {ERR_REASON(SSL_R_TLSV1_ALERT_DECRYPT_ERROR), "tlsv1 alert decrypt error"},
400 {ERR_REASON(SSL_R_TLSV1_ALERT_EXPORT_RESTRICTION), "tlsv1 alert export restriction"},
401 {ERR_REASON(SSL_R_TLSV1_ALERT_INAPPROPRIATE_FALLBACK), "tlsv1 alert inappropriate fallback"},
402 {ERR_REASON(SSL_R_TLSV1_ALERT_INSUFFICIENT_SECURITY), "tlsv1 alert insufficient security"},
403 {ERR_REASON(SSL_R_TLSV1_ALERT_INTERNAL_ERROR), "tlsv1 alert internal error"},
404 {ERR_REASON(SSL_R_TLSV1_ALERT_NO_RENEGOTIATION), "tlsv1 alert no renegotiation"},
405 {ERR_REASON(SSL_R_TLSV1_ALERT_PROTOCOL_VERSION), "tlsv1 alert protocol version"},
406 {ERR_REASON(SSL_R_TLSV1_ALERT_RECORD_OVERFLOW), "tlsv1 alert record overflow"},
407 {ERR_REASON(SSL_R_TLSV1_ALERT_UNKNOWN_CA), "tlsv1 alert unknown ca"},
408 {ERR_REASON(SSL_R_TLSV1_ALERT_USER_CANCELLED), "tlsv1 alert user cancelled"},
409 {ERR_REASON(SSL_R_TLSV1_BAD_CERTIFICATE_HASH_VALUE), "tlsv1 bad certificate hash value"},
410 {ERR_REASON(SSL_R_TLSV1_BAD_CERTIFICATE_STATUS_RESPONSE), "tlsv1 bad certificate status response"},
411 {ERR_REASON(SSL_R_TLSV1_CERTIFICATE_UNOBTAINABLE), "tlsv1 certificate unobtainable"},
412 {ERR_REASON(SSL_R_TLSV1_UNRECOGNIZED_NAME), "tlsv1 unrecognized name"},
413 {ERR_REASON(SSL_R_TLSV1_UNSUPPORTED_EXTENSION), "tlsv1 unsupported extension"},
414 {ERR_REASON(SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER), "tls client cert req with anon cipher"},
415 {ERR_REASON(SSL_R_TLS_HEARTBEAT_PEER_DOESNT_ACCEPT), "peer does not accept heartbeats"},
416 {ERR_REASON(SSL_R_TLS_HEARTBEAT_PENDING) , "heartbeat request already pending"},
417 {ERR_REASON(SSL_R_TLS_ILLEGAL_EXPORTER_LABEL), "tls illegal exporter label"},
418 {ERR_REASON(SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST), "tls invalid ecpointformat list"},
419 {ERR_REASON(SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST), "tls peer did not respond with certificate list"},
420 {ERR_REASON(SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG), "tls rsa encrypted value length is wrong"},
421 {ERR_REASON(SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER), "tried to use unsupported cipher"},
422 {ERR_REASON(SSL_R_UNABLE_TO_DECODE_DH_CERTS), "unable to decode dh certs"},
423 {ERR_REASON(SSL_R_UNABLE_TO_DECODE_ECDH_CERTS), "unable to decode ecdh certs"},
424 {ERR_REASON(SSL_R_UNABLE_TO_EXTRACT_PUBLIC_KEY), "unable to extract public key"},
425 {ERR_REASON(SSL_R_UNABLE_TO_FIND_DH_PARAMETERS), "unable to find dh parameters"},
426 {ERR_REASON(SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS), "unable to find ecdh parameters"},
427 {ERR_REASON(SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS), "unable to find public key parameters"},
428 {ERR_REASON(SSL_R_UNABLE_TO_FIND_SSL_METHOD), "unable to find ssl method"},
429 {ERR_REASON(SSL_R_UNABLE_TO_LOAD_SSL2_MD5_ROUTINES), "unable to load ssl2 md5 routines"},
430 {ERR_REASON(SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES), "unable to load ssl3 md5 routines"},
431 {ERR_REASON(SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES), "unable to load ssl3 sha1 routines"},
432 {ERR_REASON(SSL_R_UNEXPECTED_MESSAGE) , "unexpected message"},
433 {ERR_REASON(SSL_R_UNEXPECTED_RECORD) , "unexpected record"},
434 {ERR_REASON(SSL_R_UNINITIALIZED) , "uninitialized"},
435 {ERR_REASON(SSL_R_UNKNOWN), "unknown failure occurred"},
436 {ERR_REASON(SSL_R_UNKNOWN_ALERT_TYPE) , "unknown alert type"},
437 {ERR_REASON(SSL_R_UNKNOWN_CERTIFICATE_TYPE), "unknown certificate type"},
438 {ERR_REASON(SSL_R_UNKNOWN_CIPHER_RETURNED), "unknown cipher returned"},
439 {ERR_REASON(SSL_R_UNKNOWN_CIPHER_TYPE) , "unknown cipher type"},
440 {ERR_REASON(SSL_R_UNKNOWN_DIGEST) , "unknown digest"},
441 {ERR_REASON(SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE), "unknown key exchange type"},
442 {ERR_REASON(SSL_R_UNKNOWN_PKEY_TYPE) , "unknown pkey type"},
443 {ERR_REASON(SSL_R_UNKNOWN_PROTOCOL) , "unknown protocol"},
444 {ERR_REASON(SSL_R_UNKNOWN_REMOTE_ERROR_TYPE), "unknown remote error type"},
445 {ERR_REASON(SSL_R_UNKNOWN_SSL_VERSION) , "unknown ssl version"},
446 {ERR_REASON(SSL_R_UNKNOWN_STATE) , "unknown state"},
447 {ERR_REASON(SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED), "unsafe legacy renegotiation disabled"},
448 {ERR_REASON(SSL_R_UNSUPPORTED_CIPHER) , "unsupported cipher"},
449 {ERR_REASON(SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM), "unsupported compression algorithm"},
450 {ERR_REASON(SSL_R_UNSUPPORTED_DIGEST_TYPE), "unsupported digest type"},
451 {ERR_REASON(SSL_R_UNSUPPORTED_ELLIPTIC_CURVE), "unsupported elliptic curve"},
452 {ERR_REASON(SSL_R_UNSUPPORTED_PROTOCOL) , "unsupported protocol"},
453 {ERR_REASON(SSL_R_UNSUPPORTED_SSL_VERSION), "unsupported ssl version"},
454 {ERR_REASON(SSL_R_UNSUPPORTED_STATUS_TYPE), "unsupported status type"},
455 {ERR_REASON(SSL_R_USE_SRTP_NOT_NEGOTIATED), "use srtp not negotiated"},
456 {ERR_REASON(SSL_R_VERSION_TOO_LOW) , "version too low"},
457 {ERR_REASON(SSL_R_WRITE_BIO_NOT_SET) , "write bio not set"},
458 {ERR_REASON(SSL_R_WRONG_CIPHER_RETURNED) , "wrong cipher returned"},
459 {ERR_REASON(SSL_R_WRONG_CURVE) , "wrong curve"},
460 {ERR_REASON(SSL_R_WRONG_ENCRYPTION_LEVEL_RECEIVED), "QUIC: wrong encryption level received"},
461 {ERR_REASON(SSL_R_WRONG_MESSAGE_TYPE) , "wrong message type"},
462 {ERR_REASON(SSL_R_WRONG_NUMBER_OF_KEY_BITS), "wrong number of key bits"},
463 {ERR_REASON(SSL_R_WRONG_SIGNATURE_LENGTH), "wrong signature length"},
464 {ERR_REASON(SSL_R_WRONG_SIGNATURE_SIZE) , "wrong signature size"},
465 {ERR_REASON(SSL_R_WRONG_SIGNATURE_TYPE) , "wrong signature type"},
466 {ERR_REASON(SSL_R_WRONG_SSL_VERSION) , "wrong ssl version"},
467 {ERR_REASON(SSL_R_WRONG_VERSION_NUMBER) , "wrong version number"},
468 {ERR_REASON(SSL_R_X509_LIB) , "x509 lib"},
469 {ERR_REASON(SSL_R_X509_VERIFICATION_SETUP_PROBLEMS), "x509 verification setup problems"},
470 {0, NULL}
471};
472
473#endif
474
475void
476ERR_load_SSL_strings(void)
477{
478#ifndef OPENSSL_NO_ERR
479 if (ERR_func_error_string(SSL_str_functs[0].error) == NULL) {
480 ERR_load_strings(0, SSL_str_functs);
481 ERR_load_strings(0, SSL_str_reasons);
482 }
483#endif
484}
485
486void
487SSL_load_error_strings(void)
488{
489#ifndef OPENSSL_NO_ERR
490 ERR_load_crypto_strings();
491 ERR_load_SSL_strings();
492#endif
493}
494
495int
496SSL_state_func_code(int state) {
497 switch (state) {
498 case SSL3_ST_CW_FLUSH:
499 return 1;
500 case SSL3_ST_CW_CLNT_HELLO_A:
501 return 2;
502 case SSL3_ST_CW_CLNT_HELLO_B:
503 return 3;
504 case SSL3_ST_CR_SRVR_HELLO_A:
505 return 4;
506 case SSL3_ST_CR_SRVR_HELLO_B:
507 return 5;
508 case SSL3_ST_CR_CERT_A:
509 return 6;
510 case SSL3_ST_CR_CERT_B:
511 return 7;
512 case SSL3_ST_CR_KEY_EXCH_A:
513 return 8;
514 case SSL3_ST_CR_KEY_EXCH_B:
515 return 9;
516 case SSL3_ST_CR_CERT_REQ_A:
517 return 10;
518 case SSL3_ST_CR_CERT_REQ_B:
519 return 11;
520 case SSL3_ST_CR_SRVR_DONE_A:
521 return 12;
522 case SSL3_ST_CR_SRVR_DONE_B:
523 return 13;
524 case SSL3_ST_CW_CERT_A:
525 return 14;
526 case SSL3_ST_CW_CERT_B:
527 return 15;
528 case SSL3_ST_CW_CERT_C:
529 return 16;
530 case SSL3_ST_CW_CERT_D:
531 return 17;
532 case SSL3_ST_CW_KEY_EXCH_A:
533 return 18;
534 case SSL3_ST_CW_KEY_EXCH_B:
535 return 19;
536 case SSL3_ST_CW_CERT_VRFY_A:
537 return 20;
538 case SSL3_ST_CW_CERT_VRFY_B:
539 return 21;
540 case SSL3_ST_CW_CHANGE_A:
541 return 22;
542 case SSL3_ST_CW_CHANGE_B:
543 return 23;
544 case SSL3_ST_CW_FINISHED_A:
545 return 26;
546 case SSL3_ST_CW_FINISHED_B:
547 return 27;
548 case SSL3_ST_CR_CHANGE_A:
549 return 28;
550 case SSL3_ST_CR_CHANGE_B:
551 return 29;
552 case SSL3_ST_CR_FINISHED_A:
553 return 30;
554 case SSL3_ST_CR_FINISHED_B:
555 return 31;
556 case SSL3_ST_CR_SESSION_TICKET_A:
557 return 32;
558 case SSL3_ST_CR_SESSION_TICKET_B:
559 return 33;
560 case SSL3_ST_CR_CERT_STATUS_A:
561 return 34;
562 case SSL3_ST_CR_CERT_STATUS_B:
563 return 35;
564 case SSL3_ST_SW_FLUSH:
565 return 36;
566 case SSL3_ST_SR_CLNT_HELLO_A:
567 return 37;
568 case SSL3_ST_SR_CLNT_HELLO_B:
569 return 38;
570 case SSL3_ST_SR_CLNT_HELLO_C:
571 return 39;
572 case SSL3_ST_SW_HELLO_REQ_A:
573 return 40;
574 case SSL3_ST_SW_HELLO_REQ_B:
575 return 41;
576 case SSL3_ST_SW_HELLO_REQ_C:
577 return 42;
578 case SSL3_ST_SW_SRVR_HELLO_A:
579 return 43;
580 case SSL3_ST_SW_SRVR_HELLO_B:
581 return 44;
582 case SSL3_ST_SW_CERT_A:
583 return 45;
584 case SSL3_ST_SW_CERT_B:
585 return 46;
586 case SSL3_ST_SW_KEY_EXCH_A:
587 return 47;
588 case SSL3_ST_SW_KEY_EXCH_B:
589 return 48;
590 case SSL3_ST_SW_CERT_REQ_A:
591 return 49;
592 case SSL3_ST_SW_CERT_REQ_B:
593 return 50;
594 case SSL3_ST_SW_SRVR_DONE_A:
595 return 51;
596 case SSL3_ST_SW_SRVR_DONE_B:
597 return 52;
598 case SSL3_ST_SR_CERT_A:
599 return 53;
600 case SSL3_ST_SR_CERT_B:
601 return 54;
602 case SSL3_ST_SR_KEY_EXCH_A:
603 return 55;
604 case SSL3_ST_SR_KEY_EXCH_B:
605 return 56;
606 case SSL3_ST_SR_CERT_VRFY_A:
607 return 57;
608 case SSL3_ST_SR_CERT_VRFY_B:
609 return 58;
610 case SSL3_ST_SR_CHANGE_A:
611 return 59;
612 case SSL3_ST_SR_CHANGE_B:
613 return 60;
614 case SSL3_ST_SR_FINISHED_A:
615 return 63;
616 case SSL3_ST_SR_FINISHED_B:
617 return 64;
618 case SSL3_ST_SW_CHANGE_A:
619 return 65;
620 case SSL3_ST_SW_CHANGE_B:
621 return 66;
622 case SSL3_ST_SW_FINISHED_A:
623 return 67;
624 case SSL3_ST_SW_FINISHED_B:
625 return 68;
626 case SSL3_ST_SW_SESSION_TICKET_A:
627 return 69;
628 case SSL3_ST_SW_SESSION_TICKET_B:
629 return 70;
630 case SSL3_ST_SW_CERT_STATUS_A:
631 return 71;
632 case SSL3_ST_SW_CERT_STATUS_B:
633 return 72;
634 case SSL_ST_BEFORE:
635 return 73;
636 case SSL_ST_ACCEPT:
637 return 74;
638 case SSL_ST_CONNECT:
639 return 75;
640 case SSL_ST_OK:
641 return 76;
642 case SSL_ST_RENEGOTIATE:
643 return 77;
644 case SSL_ST_BEFORE|SSL_ST_CONNECT:
645 return 78;
646 case SSL_ST_OK|SSL_ST_CONNECT:
647 return 79;
648 case SSL_ST_BEFORE|SSL_ST_ACCEPT:
649 return 80;
650 case SSL_ST_OK|SSL_ST_ACCEPT:
651 return 81;
652 case DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A:
653 return 83;
654 case DTLS1_ST_CR_HELLO_VERIFY_REQUEST_B:
655 return 84;
656 case DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A:
657 return 85;
658 case DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B:
659 return 86;
660 default:
661 break;
662 }
663 return 0xfff;
664}
665
666void
667SSL_error_internal(const SSL *s, int r, char *f, int l)
668{
669 ERR_PUT_error(ERR_LIB_SSL,
670 (SSL_state_func_code(s->s3->hs.state)), r, f, l);
671}
diff --git a/src/lib/libssl/ssl_init.c b/src/lib/libssl/ssl_init.c
deleted file mode 100644
index 65f38e25db..0000000000
--- a/src/lib/libssl/ssl_init.c
+++ /dev/null
@@ -1,51 +0,0 @@
1/* $OpenBSD: ssl_init.c,v 1.3 2022/11/26 16:08:55 tb Exp $ */
2/*
3 * Copyright (c) 2018 Bob Beck <beck@openbsd.org>
4 *
5 * Permission to use, copy, modify, and distribute this software for any
6 * purpose with or without fee is hereby granted, provided that the above
7 * copyright notice and this permission notice appear in all copies.
8 *
9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16 */
17
18/* OpenSSL style init */
19
20#include <pthread.h>
21#include <stdio.h>
22
23#include <openssl/objects.h>
24
25#include "ssl_local.h"
26
27static pthread_t ssl_init_thread;
28
29static void
30OPENSSL_init_ssl_internal(void)
31{
32 ssl_init_thread = pthread_self();
33 SSL_load_error_strings();
34 SSL_library_init();
35}
36
37int
38OPENSSL_init_ssl(uint64_t opts, const void *settings)
39{
40 static pthread_once_t once = PTHREAD_ONCE_INIT;
41
42 if (pthread_equal(pthread_self(), ssl_init_thread))
43 return 1; /* don't recurse */
44
45 OPENSSL_init_crypto(opts, settings);
46
47 if (pthread_once(&once, OPENSSL_init_ssl_internal) != 0)
48 return 0;
49
50 return 1;
51}
diff --git a/src/lib/libssl/ssl_kex.c b/src/lib/libssl/ssl_kex.c
deleted file mode 100644
index cab2f1c78d..0000000000
--- a/src/lib/libssl/ssl_kex.c
+++ /dev/null
@@ -1,423 +0,0 @@
1/* $OpenBSD: ssl_kex.c,v 1.10 2022/01/14 09:11:22 tb Exp $ */
2/*
3 * Copyright (c) 2020, 2021 Joel Sing <jsing@openbsd.org>
4 *
5 * Permission to use, copy, modify, and distribute this software for any
6 * purpose with or without fee is hereby granted, provided that the above
7 * copyright notice and this permission notice appear in all copies.
8 *
9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16 */
17
18#include <stdlib.h>
19
20#include <openssl/bn.h>
21#include <openssl/dh.h>
22#include <openssl/ec.h>
23#include <openssl/ecdh.h>
24#include <openssl/evp.h>
25#include <openssl/objects.h>
26
27#include "bytestring.h"
28
29#define DHE_MINIMUM_BITS 1024
30
31int
32ssl_kex_generate_dhe(DH *dh, DH *dh_params)
33{
34 BIGNUM *p = NULL, *g = NULL;
35 int ret = 0;
36
37 if ((p = BN_dup(DH_get0_p(dh_params))) == NULL)
38 goto err;
39 if ((g = BN_dup(DH_get0_g(dh_params))) == NULL)
40 goto err;
41
42 if (!DH_set0_pqg(dh, p, NULL, g))
43 goto err;
44 p = NULL;
45 g = NULL;
46
47 if (!DH_generate_key(dh))
48 goto err;
49
50 ret = 1;
51
52 err:
53 BN_free(p);
54 BN_free(g);
55
56 return ret;
57}
58
59int
60ssl_kex_generate_dhe_params_auto(DH *dh, size_t key_bits)
61{
62 BIGNUM *p = NULL, *g = NULL;
63 int ret = 0;
64
65 if (key_bits >= 8192)
66 p = get_rfc3526_prime_8192(NULL);
67 else if (key_bits >= 4096)
68 p = get_rfc3526_prime_4096(NULL);
69 else if (key_bits >= 3072)
70 p = get_rfc3526_prime_3072(NULL);
71 else if (key_bits >= 2048)
72 p = get_rfc3526_prime_2048(NULL);
73 else if (key_bits >= 1536)
74 p = get_rfc3526_prime_1536(NULL);
75 else
76 p = get_rfc2409_prime_1024(NULL);
77
78 if (p == NULL)
79 goto err;
80
81 if ((g = BN_new()) == NULL)
82 goto err;
83 if (!BN_set_word(g, 2))
84 goto err;
85
86 if (!DH_set0_pqg(dh, p, NULL, g))
87 goto err;
88 p = NULL;
89 g = NULL;
90
91 if (!DH_generate_key(dh))
92 goto err;
93
94 ret = 1;
95
96 err:
97 BN_free(p);
98 BN_free(g);
99
100 return ret;
101}
102
103int
104ssl_kex_params_dhe(DH *dh, CBB *cbb)
105{
106 int dh_p_len, dh_g_len;
107 CBB dh_p, dh_g;
108 uint8_t *data;
109
110 if ((dh_p_len = BN_num_bytes(DH_get0_p(dh))) <= 0)
111 return 0;
112 if ((dh_g_len = BN_num_bytes(DH_get0_g(dh))) <= 0)
113 return 0;
114
115 if (!CBB_add_u16_length_prefixed(cbb, &dh_p))
116 return 0;
117 if (!CBB_add_space(&dh_p, &data, dh_p_len))
118 return 0;
119 if (BN_bn2bin(DH_get0_p(dh), data) != dh_p_len)
120 return 0;
121
122 if (!CBB_add_u16_length_prefixed(cbb, &dh_g))
123 return 0;
124 if (!CBB_add_space(&dh_g, &data, dh_g_len))
125 return 0;
126 if (BN_bn2bin(DH_get0_g(dh), data) != dh_g_len)
127 return 0;
128
129 if (!CBB_flush(cbb))
130 return 0;
131
132 return 1;
133}
134
135int
136ssl_kex_public_dhe(DH *dh, CBB *cbb)
137{
138 uint8_t *data;
139 int dh_y_len;
140 CBB dh_y;
141
142 if ((dh_y_len = BN_num_bytes(DH_get0_pub_key(dh))) <= 0)
143 return 0;
144
145 if (!CBB_add_u16_length_prefixed(cbb, &dh_y))
146 return 0;
147 if (!CBB_add_space(&dh_y, &data, dh_y_len))
148 return 0;
149 if (BN_bn2bin(DH_get0_pub_key(dh), data) != dh_y_len)
150 return 0;
151
152 if (!CBB_flush(cbb))
153 return 0;
154
155 return 1;
156}
157
158int
159ssl_kex_peer_params_dhe(DH *dh, CBS *cbs, int *decode_error,
160 int *invalid_params)
161{
162 BIGNUM *p = NULL, *g = NULL;
163 CBS dh_p, dh_g;
164 int ret = 0;
165
166 *decode_error = 0;
167 *invalid_params = 0;
168
169 if (!CBS_get_u16_length_prefixed(cbs, &dh_p)) {
170 *decode_error = 1;
171 goto err;
172 }
173 if (!CBS_get_u16_length_prefixed(cbs, &dh_g)) {
174 *decode_error = 1;
175 goto err;
176 }
177
178 if ((p = BN_bin2bn(CBS_data(&dh_p), CBS_len(&dh_p), NULL)) == NULL)
179 goto err;
180 if ((g = BN_bin2bn(CBS_data(&dh_g), CBS_len(&dh_g), NULL)) == NULL)
181 goto err;
182
183 if (!DH_set0_pqg(dh, p, NULL, g))
184 goto err;
185 p = NULL;
186 g = NULL;
187
188 /* XXX - consider calling DH_check(). */
189
190 if (DH_bits(dh) < DHE_MINIMUM_BITS)
191 *invalid_params = 1;
192
193 ret = 1;
194
195 err:
196 BN_free(p);
197 BN_free(g);
198
199 return ret;
200}
201
202int
203ssl_kex_peer_public_dhe(DH *dh, CBS *cbs, int *decode_error,
204 int *invalid_key)
205{
206 BIGNUM *pub_key = NULL;
207 int check_flags;
208 CBS dh_y;
209 int ret = 0;
210
211 *decode_error = 0;
212 *invalid_key = 0;
213
214 if (!CBS_get_u16_length_prefixed(cbs, &dh_y)) {
215 *decode_error = 1;
216 goto err;
217 }
218
219 if ((pub_key = BN_bin2bn(CBS_data(&dh_y), CBS_len(&dh_y),
220 NULL)) == NULL)
221 goto err;
222
223 if (!DH_set0_key(dh, pub_key, NULL))
224 goto err;
225 pub_key = NULL;
226
227 if (!DH_check_pub_key(dh, DH_get0_pub_key(dh), &check_flags))
228 goto err;
229 if (check_flags != 0)
230 *invalid_key = 1;
231
232 ret = 1;
233
234 err:
235 BN_free(pub_key);
236
237 return ret;
238}
239
240int
241ssl_kex_derive_dhe(DH *dh, DH *dh_peer,
242 uint8_t **shared_key, size_t *shared_key_len)
243{
244 uint8_t *key = NULL;
245 int key_len = 0;
246 int ret = 0;
247
248 if ((key_len = DH_size(dh)) <= 0)
249 goto err;
250 if ((key = calloc(1, key_len)) == NULL)
251 goto err;
252
253 if ((key_len = DH_compute_key(key, DH_get0_pub_key(dh_peer), dh)) <= 0)
254 goto err;
255
256 *shared_key = key;
257 *shared_key_len = key_len;
258 key = NULL;
259
260 ret = 1;
261
262 err:
263 freezero(key, key_len);
264
265 return ret;
266}
267
268int
269ssl_kex_dummy_ecdhe_x25519(EVP_PKEY *pkey)
270{
271 EC_GROUP *group = NULL;
272 EC_POINT *point = NULL;
273 EC_KEY *ec_key = NULL;
274 BIGNUM *order = NULL;
275 int ret = 0;
276
277 /* Fudge up an EC_KEY that looks like X25519... */
278 if ((group = EC_GROUP_new_by_curve_name(NID_X9_62_prime256v1)) == NULL)
279 goto err;
280 if ((point = EC_POINT_new(group)) == NULL)
281 goto err;
282 if ((order = BN_new()) == NULL)
283 goto err;
284 if (!BN_set_bit(order, 252))
285 goto err;
286 if (!EC_GROUP_set_generator(group, point, order, NULL))
287 goto err;
288 EC_GROUP_set_curve_name(group, NID_X25519);
289 if ((ec_key = EC_KEY_new()) == NULL)
290 goto err;
291 if (!EC_KEY_set_group(ec_key, group))
292 goto err;
293 if (!EVP_PKEY_set1_EC_KEY(pkey, ec_key))
294 goto err;
295
296 ret = 1;
297
298 err:
299 EC_GROUP_free(group);
300 EC_POINT_free(point);
301 EC_KEY_free(ec_key);
302 BN_free(order);
303
304 return ret;
305}
306
307int
308ssl_kex_generate_ecdhe_ecp(EC_KEY *ecdh, int nid)
309{
310 EC_GROUP *group;
311 int ret = 0;
312
313 if ((group = EC_GROUP_new_by_curve_name(nid)) == NULL)
314 goto err;
315
316 if (!EC_KEY_set_group(ecdh, group))
317 goto err;
318 if (!EC_KEY_generate_key(ecdh))
319 goto err;
320
321 ret = 1;
322
323 err:
324 EC_GROUP_free(group);
325
326 return ret;
327}
328
329int
330ssl_kex_public_ecdhe_ecp(EC_KEY *ecdh, CBB *cbb)
331{
332 const EC_GROUP *group;
333 const EC_POINT *point;
334 uint8_t *ecp;
335 size_t ecp_len;
336 int ret = 0;
337
338 if ((group = EC_KEY_get0_group(ecdh)) == NULL)
339 goto err;
340 if ((point = EC_KEY_get0_public_key(ecdh)) == NULL)
341 goto err;
342
343 if ((ecp_len = EC_POINT_point2oct(group, point,
344 POINT_CONVERSION_UNCOMPRESSED, NULL, 0, NULL)) == 0)
345 goto err;
346 if (!CBB_add_space(cbb, &ecp, ecp_len))
347 goto err;
348 if ((EC_POINT_point2oct(group, point, POINT_CONVERSION_UNCOMPRESSED,
349 ecp, ecp_len, NULL)) == 0)
350 goto err;
351
352 ret = 1;
353
354 err:
355 return ret;
356}
357
358int
359ssl_kex_peer_public_ecdhe_ecp(EC_KEY *ecdh, int nid, CBS *cbs)
360{
361 EC_GROUP *group = NULL;
362 EC_POINT *point = NULL;
363 int ret = 0;
364
365 if ((group = EC_GROUP_new_by_curve_name(nid)) == NULL)
366 goto err;
367
368 if (!EC_KEY_set_group(ecdh, group))
369 goto err;
370
371 if ((point = EC_POINT_new(group)) == NULL)
372 goto err;
373 if (EC_POINT_oct2point(group, point, CBS_data(cbs), CBS_len(cbs),
374 NULL) == 0)
375 goto err;
376 if (!EC_KEY_set_public_key(ecdh, point))
377 goto err;
378
379 ret = 1;
380
381 err:
382 EC_GROUP_free(group);
383 EC_POINT_free(point);
384
385 return ret;
386}
387
388int
389ssl_kex_derive_ecdhe_ecp(EC_KEY *ecdh, EC_KEY *ecdh_peer,
390 uint8_t **shared_key, size_t *shared_key_len)
391{
392 const EC_POINT *point;
393 uint8_t *key = NULL;
394 int key_len = 0;
395 int ret = 0;
396
397 if (!EC_GROUP_check(EC_KEY_get0_group(ecdh), NULL))
398 goto err;
399 if (!EC_GROUP_check(EC_KEY_get0_group(ecdh_peer), NULL))
400 goto err;
401
402 if ((point = EC_KEY_get0_public_key(ecdh_peer)) == NULL)
403 goto err;
404
405 if ((key_len = ECDH_size(ecdh)) <= 0)
406 goto err;
407 if ((key = calloc(1, key_len)) == NULL)
408 goto err;
409
410 if (ECDH_compute_key(key, key_len, point, ecdh, NULL) <= 0)
411 goto err;
412
413 *shared_key = key;
414 *shared_key_len = key_len;
415 key = NULL;
416
417 ret = 1;
418
419 err:
420 freezero(key, key_len);
421
422 return ret;
423}
diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c
deleted file mode 100644
index de4ef3fb5e..0000000000
--- a/src/lib/libssl/ssl_lib.c
+++ /dev/null
@@ -1,3492 +0,0 @@
1/* $OpenBSD: ssl_lib.c,v 1.308 2022/11/26 16:08:55 tb Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58/* ====================================================================
59 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
60 *
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
63 * are met:
64 *
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
67 *
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
71 * distribution.
72 *
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77 *
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
82 *
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
86 *
87 * 6. Redistributions of any form whatsoever must retain the following
88 * acknowledgment:
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91 *
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
105 *
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
109 *
110 */
111/* ====================================================================
112 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
113 * ECC cipher suite support in OpenSSL originally developed by
114 * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
115 */
116/* ====================================================================
117 * Copyright 2005 Nokia. All rights reserved.
118 *
119 * The portions of the attached software ("Contribution") is developed by
120 * Nokia Corporation and is licensed pursuant to the OpenSSL open source
121 * license.
122 *
123 * The Contribution, originally written by Mika Kousa and Pasi Eronen of
124 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
125 * support (see RFC 4279) to OpenSSL.
126 *
127 * No patent licenses or other rights except those expressly stated in
128 * the OpenSSL open source license shall be deemed granted or received
129 * expressly, by implication, estoppel, or otherwise.
130 *
131 * No assurances are provided by Nokia that the Contribution does not
132 * infringe the patent or other intellectual property rights of any third
133 * party or that the license provides you with all the necessary rights
134 * to make use of the Contribution.
135 *
136 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
137 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
138 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
139 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
140 * OTHERWISE.
141 */
142
143#include <arpa/inet.h>
144#include <sys/socket.h>
145#include <netinet/in.h>
146
147#include <limits.h>
148#include <stdio.h>
149
150#include <openssl/dh.h>
151#include <openssl/lhash.h>
152#include <openssl/objects.h>
153#include <openssl/ocsp.h>
154#include <openssl/opensslconf.h>
155#include <openssl/x509v3.h>
156
157#ifndef OPENSSL_NO_ENGINE
158#include <openssl/engine.h>
159#endif
160
161#include "bytestring.h"
162#include "dtls_local.h"
163#include "ssl_local.h"
164#include "ssl_sigalgs.h"
165#include "ssl_tlsext.h"
166#include "tls12_internal.h"
167
168const char *SSL_version_str = OPENSSL_VERSION_TEXT;
169
170int
171SSL_clear(SSL *s)
172{
173 if (s->method == NULL) {
174 SSLerror(s, SSL_R_NO_METHOD_SPECIFIED);
175 return (0);
176 }
177
178 if (ssl_clear_bad_session(s)) {
179 SSL_SESSION_free(s->session);
180 s->session = NULL;
181 }
182
183 s->error = 0;
184 s->hit = 0;
185 s->shutdown = 0;
186
187 if (s->renegotiate) {
188 SSLerror(s, ERR_R_INTERNAL_ERROR);
189 return (0);
190 }
191
192 s->version = s->method->version;
193 s->client_version = s->version;
194 s->rwstate = SSL_NOTHING;
195 s->rstate = SSL_ST_READ_HEADER;
196
197 tls13_ctx_free(s->tls13);
198 s->tls13 = NULL;
199
200 ssl3_release_init_buffer(s);
201
202 ssl_clear_cipher_state(s);
203
204 s->first_packet = 0;
205
206 /*
207 * Check to see if we were changed into a different method, if
208 * so, revert back if we are not doing session-id reuse.
209 */
210 if (!s->in_handshake && (s->session == NULL) &&
211 (s->method != s->ctx->method)) {
212 s->method->ssl_free(s);
213 s->method = s->ctx->method;
214 if (!s->method->ssl_new(s))
215 return (0);
216 } else
217 s->method->ssl_clear(s);
218
219 return (1);
220}
221
222/* Used to change an SSL_CTXs default SSL method type */
223int
224SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *meth)
225{
226 STACK_OF(SSL_CIPHER) *ciphers;
227
228 ctx->method = meth;
229
230 ciphers = ssl_create_cipher_list(ctx->method, &ctx->cipher_list,
231 ctx->cipher_list_tls13, SSL_DEFAULT_CIPHER_LIST,
232 ctx->cert);
233 if (ciphers == NULL || sk_SSL_CIPHER_num(ciphers) <= 0) {
234 SSLerrorx(SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS);
235 return (0);
236 }
237 return (1);
238}
239
240SSL *
241SSL_new(SSL_CTX *ctx)
242{
243 SSL *s;
244 CBS cbs;
245
246 if (ctx == NULL) {
247 SSLerrorx(SSL_R_NULL_SSL_CTX);
248 return (NULL);
249 }
250 if (ctx->method == NULL) {
251 SSLerrorx(SSL_R_SSL_CTX_HAS_NO_DEFAULT_SSL_VERSION);
252 return (NULL);
253 }
254
255 if ((s = calloc(1, sizeof(*s))) == NULL)
256 goto err;
257
258 if ((s->rl = tls12_record_layer_new()) == NULL)
259 goto err;
260
261 s->min_tls_version = ctx->min_tls_version;
262 s->max_tls_version = ctx->max_tls_version;
263 s->min_proto_version = ctx->min_proto_version;
264 s->max_proto_version = ctx->max_proto_version;
265
266 s->options = ctx->options;
267 s->mode = ctx->mode;
268 s->max_cert_list = ctx->max_cert_list;
269 s->num_tickets = ctx->num_tickets;
270
271 if ((s->cert = ssl_cert_dup(ctx->cert)) == NULL)
272 goto err;
273
274 s->read_ahead = ctx->read_ahead;
275 s->msg_callback = ctx->msg_callback;
276 s->msg_callback_arg = ctx->msg_callback_arg;
277 s->verify_mode = ctx->verify_mode;
278 s->sid_ctx_length = ctx->sid_ctx_length;
279 OPENSSL_assert(s->sid_ctx_length <= sizeof s->sid_ctx);
280 memcpy(&s->sid_ctx, &ctx->sid_ctx, sizeof(s->sid_ctx));
281 s->verify_callback = ctx->default_verify_callback;
282 s->generate_session_id = ctx->generate_session_id;
283
284 s->param = X509_VERIFY_PARAM_new();
285 if (!s->param)
286 goto err;
287 X509_VERIFY_PARAM_inherit(s->param, ctx->param);
288 s->quiet_shutdown = ctx->quiet_shutdown;
289 s->max_send_fragment = ctx->max_send_fragment;
290
291 CRYPTO_add(&ctx->references, 1, CRYPTO_LOCK_SSL_CTX);
292 s->ctx = ctx;
293 s->tlsext_debug_cb = 0;
294 s->tlsext_debug_arg = NULL;
295 s->tlsext_ticket_expected = 0;
296 s->tlsext_status_type = -1;
297 s->tlsext_status_expected = 0;
298 s->tlsext_ocsp_ids = NULL;
299 s->tlsext_ocsp_exts = NULL;
300 s->tlsext_ocsp_resp = NULL;
301 s->tlsext_ocsp_resp_len = 0;
302 CRYPTO_add(&ctx->references, 1, CRYPTO_LOCK_SSL_CTX);
303 s->initial_ctx = ctx;
304
305 if (ctx->tlsext_ecpointformatlist != NULL) {
306 s->tlsext_ecpointformatlist =
307 calloc(ctx->tlsext_ecpointformatlist_length,
308 sizeof(ctx->tlsext_ecpointformatlist[0]));
309 if (s->tlsext_ecpointformatlist == NULL)
310 goto err;
311 memcpy(s->tlsext_ecpointformatlist,
312 ctx->tlsext_ecpointformatlist,
313 ctx->tlsext_ecpointformatlist_length *
314 sizeof(ctx->tlsext_ecpointformatlist[0]));
315 s->tlsext_ecpointformatlist_length =
316 ctx->tlsext_ecpointformatlist_length;
317 }
318 if (ctx->tlsext_supportedgroups != NULL) {
319 s->tlsext_supportedgroups =
320 calloc(ctx->tlsext_supportedgroups_length,
321 sizeof(ctx->tlsext_supportedgroups[0]));
322 if (s->tlsext_supportedgroups == NULL)
323 goto err;
324 memcpy(s->tlsext_supportedgroups,
325 ctx->tlsext_supportedgroups,
326 ctx->tlsext_supportedgroups_length *
327 sizeof(ctx->tlsext_supportedgroups[0]));
328 s->tlsext_supportedgroups_length =
329 ctx->tlsext_supportedgroups_length;
330 }
331
332 CBS_init(&cbs, ctx->alpn_client_proto_list,
333 ctx->alpn_client_proto_list_len);
334 if (!CBS_stow(&cbs, &s->alpn_client_proto_list,
335 &s->alpn_client_proto_list_len))
336 goto err;
337
338 s->verify_result = X509_V_OK;
339
340 s->method = ctx->method;
341 s->quic_method = ctx->quic_method;
342
343 if (!s->method->ssl_new(s))
344 goto err;
345
346 s->references = 1;
347 s->server = ctx->method->server;
348
349 SSL_clear(s);
350
351 CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL, s, &s->ex_data);
352
353 return (s);
354
355 err:
356 SSL_free(s);
357 SSLerrorx(ERR_R_MALLOC_FAILURE);
358 return (NULL);
359}
360
361int
362SSL_CTX_set_session_id_context(SSL_CTX *ctx, const unsigned char *sid_ctx,
363 unsigned int sid_ctx_len)
364{
365 if (sid_ctx_len > sizeof ctx->sid_ctx) {
366 SSLerrorx(SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG);
367 return (0);
368 }
369 ctx->sid_ctx_length = sid_ctx_len;
370 memcpy(ctx->sid_ctx, sid_ctx, sid_ctx_len);
371
372 return (1);
373}
374
375int
376SSL_set_session_id_context(SSL *ssl, const unsigned char *sid_ctx,
377 unsigned int sid_ctx_len)
378{
379 if (sid_ctx_len > SSL_MAX_SID_CTX_LENGTH) {
380 SSLerror(ssl, SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG);
381 return (0);
382 }
383 ssl->sid_ctx_length = sid_ctx_len;
384 memcpy(ssl->sid_ctx, sid_ctx, sid_ctx_len);
385
386 return (1);
387}
388
389int
390SSL_CTX_set_generate_session_id(SSL_CTX *ctx, GEN_SESSION_CB cb)
391{
392 CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
393 ctx->generate_session_id = cb;
394 CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
395 return (1);
396}
397
398int
399SSL_set_generate_session_id(SSL *ssl, GEN_SESSION_CB cb)
400{
401 CRYPTO_w_lock(CRYPTO_LOCK_SSL);
402 ssl->generate_session_id = cb;
403 CRYPTO_w_unlock(CRYPTO_LOCK_SSL);
404 return (1);
405}
406
407int
408SSL_has_matching_session_id(const SSL *ssl, const unsigned char *id,
409 unsigned int id_len)
410{
411 /*
412 * A quick examination of SSL_SESSION_hash and SSL_SESSION_cmp
413 * shows how we can "construct" a session to give us the desired
414 * check - ie. to find if there's a session in the hash table
415 * that would conflict with any new session built out of this
416 * id/id_len and the ssl_version in use by this SSL.
417 */
418 SSL_SESSION r, *p;
419
420 if (id_len > sizeof r.session_id)
421 return (0);
422
423 r.ssl_version = ssl->version;
424 r.session_id_length = id_len;
425 memcpy(r.session_id, id, id_len);
426
427 CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX);
428 p = lh_SSL_SESSION_retrieve(ssl->ctx->sessions, &r);
429 CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX);
430 return (p != NULL);
431}
432
433int
434SSL_CTX_set_purpose(SSL_CTX *s, int purpose)
435{
436 return (X509_VERIFY_PARAM_set_purpose(s->param, purpose));
437}
438
439int
440SSL_set_purpose(SSL *s, int purpose)
441{
442 return (X509_VERIFY_PARAM_set_purpose(s->param, purpose));
443}
444
445int
446SSL_CTX_set_trust(SSL_CTX *s, int trust)
447{
448 return (X509_VERIFY_PARAM_set_trust(s->param, trust));
449}
450
451int
452SSL_set_trust(SSL *s, int trust)
453{
454 return (X509_VERIFY_PARAM_set_trust(s->param, trust));
455}
456
457int
458SSL_set1_host(SSL *s, const char *hostname)
459{
460 struct in_addr ina;
461 struct in6_addr in6a;
462
463 if (hostname != NULL && *hostname != '\0' &&
464 (inet_pton(AF_INET, hostname, &ina) == 1 ||
465 inet_pton(AF_INET6, hostname, &in6a) == 1))
466 return X509_VERIFY_PARAM_set1_ip_asc(s->param, hostname);
467 else
468 return X509_VERIFY_PARAM_set1_host(s->param, hostname, 0);
469}
470
471void
472SSL_set_hostflags(SSL *s, unsigned int flags)
473{
474 X509_VERIFY_PARAM_set_hostflags(s->param, flags);
475}
476
477const char *
478SSL_get0_peername(SSL *s)
479{
480 return X509_VERIFY_PARAM_get0_peername(s->param);
481}
482
483X509_VERIFY_PARAM *
484SSL_CTX_get0_param(SSL_CTX *ctx)
485{
486 return (ctx->param);
487}
488
489int
490SSL_CTX_set1_param(SSL_CTX *ctx, X509_VERIFY_PARAM *vpm)
491{
492 return (X509_VERIFY_PARAM_set1(ctx->param, vpm));
493}
494
495X509_VERIFY_PARAM *
496SSL_get0_param(SSL *ssl)
497{
498 return (ssl->param);
499}
500
501int
502SSL_set1_param(SSL *ssl, X509_VERIFY_PARAM *vpm)
503{
504 return (X509_VERIFY_PARAM_set1(ssl->param, vpm));
505}
506
507void
508SSL_free(SSL *s)
509{
510 int i;
511
512 if (s == NULL)
513 return;
514
515 i = CRYPTO_add(&s->references, -1, CRYPTO_LOCK_SSL);
516 if (i > 0)
517 return;
518
519 X509_VERIFY_PARAM_free(s->param);
520
521 CRYPTO_free_ex_data(CRYPTO_EX_INDEX_SSL, s, &s->ex_data);
522
523 if (s->bbio != NULL) {
524 /* If the buffering BIO is in place, pop it off */
525 if (s->bbio == s->wbio) {
526 s->wbio = BIO_pop(s->wbio);
527 }
528 BIO_free(s->bbio);
529 s->bbio = NULL;
530 }
531
532 if (s->rbio != s->wbio)
533 BIO_free_all(s->rbio);
534 BIO_free_all(s->wbio);
535
536 tls13_ctx_free(s->tls13);
537
538 ssl3_release_init_buffer(s);
539
540 sk_SSL_CIPHER_free(s->cipher_list);
541 sk_SSL_CIPHER_free(s->cipher_list_tls13);
542
543 /* Make the next call work :-) */
544 if (s->session != NULL) {
545 ssl_clear_bad_session(s);
546 SSL_SESSION_free(s->session);
547 }
548
549 ssl_clear_cipher_state(s);
550
551 ssl_cert_free(s->cert);
552
553 free(s->tlsext_hostname);
554 SSL_CTX_free(s->initial_ctx);
555
556 free(s->tlsext_ecpointformatlist);
557 free(s->tlsext_supportedgroups);
558
559 sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts,
560 X509_EXTENSION_free);
561 sk_OCSP_RESPID_pop_free(s->tlsext_ocsp_ids, OCSP_RESPID_free);
562 free(s->tlsext_ocsp_resp);
563
564 sk_X509_NAME_pop_free(s->client_CA, X509_NAME_free);
565
566 if (s->method != NULL)
567 s->method->ssl_free(s);
568
569 SSL_CTX_free(s->ctx);
570
571 free(s->alpn_client_proto_list);
572
573 free(s->quic_transport_params);
574
575#ifndef OPENSSL_NO_SRTP
576 sk_SRTP_PROTECTION_PROFILE_free(s->srtp_profiles);
577#endif
578
579 tls12_record_layer_free(s->rl);
580
581 free(s);
582}
583
584int
585SSL_up_ref(SSL *s)
586{
587 int refs = CRYPTO_add(&s->references, 1, CRYPTO_LOCK_SSL);
588 return (refs > 1) ? 1 : 0;
589}
590
591void
592SSL_set_bio(SSL *s, BIO *rbio, BIO *wbio)
593{
594 /* If the output buffering BIO is still in place, remove it */
595 if (s->bbio != NULL) {
596 if (s->wbio == s->bbio) {
597 s->wbio = BIO_next(s->wbio);
598 BIO_set_next(s->bbio, NULL);
599 }
600 }
601
602 if (s->rbio != rbio && s->rbio != s->wbio)
603 BIO_free_all(s->rbio);
604 if (s->wbio != wbio)
605 BIO_free_all(s->wbio);
606 s->rbio = rbio;
607 s->wbio = wbio;
608}
609
610BIO *
611SSL_get_rbio(const SSL *s)
612{
613 return (s->rbio);
614}
615
616void
617SSL_set0_rbio(SSL *s, BIO *rbio)
618{
619 BIO_free_all(s->rbio);
620 s->rbio = rbio;
621}
622
623BIO *
624SSL_get_wbio(const SSL *s)
625{
626 return (s->wbio);
627}
628
629int
630SSL_get_fd(const SSL *s)
631{
632 return (SSL_get_rfd(s));
633}
634
635int
636SSL_get_rfd(const SSL *s)
637{
638 int ret = -1;
639 BIO *b, *r;
640
641 b = SSL_get_rbio(s);
642 r = BIO_find_type(b, BIO_TYPE_DESCRIPTOR);
643 if (r != NULL)
644 BIO_get_fd(r, &ret);
645 return (ret);
646}
647
648int
649SSL_get_wfd(const SSL *s)
650{
651 int ret = -1;
652 BIO *b, *r;
653
654 b = SSL_get_wbio(s);
655 r = BIO_find_type(b, BIO_TYPE_DESCRIPTOR);
656 if (r != NULL)
657 BIO_get_fd(r, &ret);
658 return (ret);
659}
660
661int
662SSL_set_fd(SSL *s, int fd)
663{
664 int ret = 0;
665 BIO *bio = NULL;
666
667 bio = BIO_new(BIO_s_socket());
668
669 if (bio == NULL) {
670 SSLerror(s, ERR_R_BUF_LIB);
671 goto err;
672 }
673 BIO_set_fd(bio, fd, BIO_NOCLOSE);
674 SSL_set_bio(s, bio, bio);
675 ret = 1;
676 err:
677 return (ret);
678}
679
680int
681SSL_set_wfd(SSL *s, int fd)
682{
683 int ret = 0;
684 BIO *bio = NULL;
685
686 if ((s->rbio == NULL) || (BIO_method_type(s->rbio) != BIO_TYPE_SOCKET)
687 || ((int)BIO_get_fd(s->rbio, NULL) != fd)) {
688 bio = BIO_new(BIO_s_socket());
689
690 if (bio == NULL) {
691 SSLerror(s, ERR_R_BUF_LIB);
692 goto err;
693 }
694 BIO_set_fd(bio, fd, BIO_NOCLOSE);
695 SSL_set_bio(s, SSL_get_rbio(s), bio);
696 } else
697 SSL_set_bio(s, SSL_get_rbio(s), SSL_get_rbio(s));
698 ret = 1;
699 err:
700 return (ret);
701}
702
703int
704SSL_set_rfd(SSL *s, int fd)
705{
706 int ret = 0;
707 BIO *bio = NULL;
708
709 if ((s->wbio == NULL) || (BIO_method_type(s->wbio) != BIO_TYPE_SOCKET)
710 || ((int)BIO_get_fd(s->wbio, NULL) != fd)) {
711 bio = BIO_new(BIO_s_socket());
712
713 if (bio == NULL) {
714 SSLerror(s, ERR_R_BUF_LIB);
715 goto err;
716 }
717 BIO_set_fd(bio, fd, BIO_NOCLOSE);
718 SSL_set_bio(s, bio, SSL_get_wbio(s));
719 } else
720 SSL_set_bio(s, SSL_get_wbio(s), SSL_get_wbio(s));
721 ret = 1;
722 err:
723 return (ret);
724}
725
726
727/* return length of latest Finished message we sent, copy to 'buf' */
728size_t
729SSL_get_finished(const SSL *s, void *buf, size_t count)
730{
731 size_t ret;
732
733 ret = s->s3->hs.finished_len;
734 if (count > ret)
735 count = ret;
736 memcpy(buf, s->s3->hs.finished, count);
737 return (ret);
738}
739
740/* return length of latest Finished message we expected, copy to 'buf' */
741size_t
742SSL_get_peer_finished(const SSL *s, void *buf, size_t count)
743{
744 size_t ret;
745
746 ret = s->s3->hs.peer_finished_len;
747 if (count > ret)
748 count = ret;
749 memcpy(buf, s->s3->hs.peer_finished, count);
750 return (ret);
751}
752
753
754int
755SSL_get_verify_mode(const SSL *s)
756{
757 return (s->verify_mode);
758}
759
760int
761SSL_get_verify_depth(const SSL *s)
762{
763 return (X509_VERIFY_PARAM_get_depth(s->param));
764}
765
766int
767(*SSL_get_verify_callback(const SSL *s))(int, X509_STORE_CTX *)
768{
769 return (s->verify_callback);
770}
771
772void
773SSL_CTX_set_keylog_callback(SSL_CTX *ctx, SSL_CTX_keylog_cb_func cb)
774{
775 ctx->keylog_callback = cb;
776}
777
778SSL_CTX_keylog_cb_func
779SSL_CTX_get_keylog_callback(const SSL_CTX *ctx)
780{
781 return (ctx->keylog_callback);
782}
783
784int
785SSL_set_num_tickets(SSL *s, size_t num_tickets)
786{
787 s->num_tickets = num_tickets;
788
789 return 1;
790}
791
792size_t
793SSL_get_num_tickets(const SSL *s)
794{
795 return s->num_tickets;
796}
797
798int
799SSL_CTX_set_num_tickets(SSL_CTX *ctx, size_t num_tickets)
800{
801 ctx->num_tickets = num_tickets;
802
803 return 1;
804}
805
806size_t
807SSL_CTX_get_num_tickets(const SSL_CTX *ctx)
808{
809 return ctx->num_tickets;
810}
811
812int
813SSL_CTX_get_verify_mode(const SSL_CTX *ctx)
814{
815 return (ctx->verify_mode);
816}
817
818int
819SSL_CTX_get_verify_depth(const SSL_CTX *ctx)
820{
821 return (X509_VERIFY_PARAM_get_depth(ctx->param));
822}
823
824int
825(*SSL_CTX_get_verify_callback(const SSL_CTX *ctx))(int, X509_STORE_CTX *)
826{
827 return (ctx->default_verify_callback);
828}
829
830void
831SSL_set_verify(SSL *s, int mode,
832 int (*callback)(int ok, X509_STORE_CTX *ctx))
833{
834 s->verify_mode = mode;
835 if (callback != NULL)
836 s->verify_callback = callback;
837}
838
839void
840SSL_set_verify_depth(SSL *s, int depth)
841{
842 X509_VERIFY_PARAM_set_depth(s->param, depth);
843}
844
845void
846SSL_set_read_ahead(SSL *s, int yes)
847{
848 s->read_ahead = yes;
849}
850
851int
852SSL_get_read_ahead(const SSL *s)
853{
854 return (s->read_ahead);
855}
856
857int
858SSL_pending(const SSL *s)
859{
860 return (s->method->ssl_pending(s));
861}
862
863X509 *
864SSL_get_peer_certificate(const SSL *s)
865{
866 X509 *cert;
867
868 if (s == NULL || s->session == NULL)
869 return NULL;
870
871 if ((cert = s->session->peer_cert) == NULL)
872 return NULL;
873
874 X509_up_ref(cert);
875
876 return cert;
877}
878
879STACK_OF(X509) *
880SSL_get_peer_cert_chain(const SSL *s)
881{
882 if (s == NULL)
883 return NULL;
884
885 /*
886 * Achtung! Due to API inconsistency, a client includes the peer's leaf
887 * certificate in the peer certificate chain, while a server does not.
888 */
889 if (!s->server)
890 return s->s3->hs.peer_certs;
891
892 return s->s3->hs.peer_certs_no_leaf;
893}
894
895STACK_OF(X509) *
896SSL_get0_verified_chain(const SSL *s)
897{
898 return s->verified_chain;
899}
900
901/*
902 * Now in theory, since the calling process own 't' it should be safe to
903 * modify. We need to be able to read f without being hassled
904 */
905int
906SSL_copy_session_id(SSL *t, const SSL *f)
907{
908 SSL_CERT *tmp;
909
910 /* Do we need to do SSL locking? */
911 if (!SSL_set_session(t, SSL_get_session(f)))
912 return 0;
913
914 /* What if we are set up for one protocol but want to talk another? */
915 if (t->method != f->method) {
916 t->method->ssl_free(t);
917 t->method = f->method;
918 if (!t->method->ssl_new(t))
919 return 0;
920 }
921
922 tmp = t->cert;
923 if (f->cert != NULL) {
924 CRYPTO_add(&f->cert->references, 1, CRYPTO_LOCK_SSL_CERT);
925 t->cert = f->cert;
926 } else
927 t->cert = NULL;
928 ssl_cert_free(tmp);
929
930 if (!SSL_set_session_id_context(t, f->sid_ctx, f->sid_ctx_length))
931 return 0;
932
933 return 1;
934}
935
936/* Fix this so it checks all the valid key/cert options */
937int
938SSL_CTX_check_private_key(const SSL_CTX *ctx)
939{
940 if ((ctx == NULL) || (ctx->cert == NULL) ||
941 (ctx->cert->key->x509 == NULL)) {
942 SSLerrorx(SSL_R_NO_CERTIFICATE_ASSIGNED);
943 return (0);
944 }
945 if (ctx->cert->key->privatekey == NULL) {
946 SSLerrorx(SSL_R_NO_PRIVATE_KEY_ASSIGNED);
947 return (0);
948 }
949 return (X509_check_private_key(ctx->cert->key->x509,
950 ctx->cert->key->privatekey));
951}
952
953/* Fix this function so that it takes an optional type parameter */
954int
955SSL_check_private_key(const SSL *ssl)
956{
957 if (ssl == NULL) {
958 SSLerrorx(ERR_R_PASSED_NULL_PARAMETER);
959 return (0);
960 }
961 if (ssl->cert == NULL) {
962 SSLerror(ssl, SSL_R_NO_CERTIFICATE_ASSIGNED);
963 return (0);
964 }
965 if (ssl->cert->key->x509 == NULL) {
966 SSLerror(ssl, SSL_R_NO_CERTIFICATE_ASSIGNED);
967 return (0);
968 }
969 if (ssl->cert->key->privatekey == NULL) {
970 SSLerror(ssl, SSL_R_NO_PRIVATE_KEY_ASSIGNED);
971 return (0);
972 }
973 return (X509_check_private_key(ssl->cert->key->x509,
974 ssl->cert->key->privatekey));
975}
976
977int
978SSL_accept(SSL *s)
979{
980 if (s->handshake_func == NULL)
981 SSL_set_accept_state(s); /* Not properly initialized yet */
982
983 return (s->method->ssl_accept(s));
984}
985
986int
987SSL_connect(SSL *s)
988{
989 if (s->handshake_func == NULL)
990 SSL_set_connect_state(s); /* Not properly initialized yet */
991
992 return (s->method->ssl_connect(s));
993}
994
995int
996SSL_is_dtls(const SSL *s)
997{
998 return s->method->dtls;
999}
1000
1001int
1002SSL_is_server(const SSL *s)
1003{
1004 return s->server;
1005}
1006
1007static long
1008ssl_get_default_timeout()
1009{
1010 /*
1011 * 2 hours, the 24 hours mentioned in the TLSv1 spec
1012 * is way too long for http, the cache would over fill.
1013 */
1014 return (2 * 60 * 60);
1015}
1016
1017long
1018SSL_get_default_timeout(const SSL *s)
1019{
1020 return (ssl_get_default_timeout());
1021}
1022
1023int
1024SSL_read(SSL *s, void *buf, int num)
1025{
1026 if (num < 0) {
1027 SSLerror(s, SSL_R_BAD_LENGTH);
1028 return -1;
1029 }
1030
1031 if (SSL_is_quic(s)) {
1032 SSLerror(s, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
1033 return (-1);
1034 }
1035
1036 if (s->handshake_func == NULL) {
1037 SSLerror(s, SSL_R_UNINITIALIZED);
1038 return (-1);
1039 }
1040
1041 if (s->shutdown & SSL_RECEIVED_SHUTDOWN) {
1042 s->rwstate = SSL_NOTHING;
1043 return (0);
1044 }
1045 return ssl3_read(s, buf, num);
1046}
1047
1048int
1049SSL_read_ex(SSL *s, void *buf, size_t num, size_t *bytes_read)
1050{
1051 int ret;
1052
1053 /* We simply don't bother supporting enormous reads */
1054 if (num > INT_MAX) {
1055 SSLerror(s, SSL_R_BAD_LENGTH);
1056 return 0;
1057 }
1058
1059 ret = SSL_read(s, buf, (int)num);
1060 if (ret < 0)
1061 ret = 0;
1062 *bytes_read = ret;
1063
1064 return ret > 0;
1065}
1066
1067int
1068SSL_peek(SSL *s, void *buf, int num)
1069{
1070 if (num < 0) {
1071 SSLerror(s, SSL_R_BAD_LENGTH);
1072 return -1;
1073 }
1074
1075 if (SSL_is_quic(s)) {
1076 SSLerror(s, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
1077 return (-1);
1078 }
1079
1080 if (s->handshake_func == NULL) {
1081 SSLerror(s, SSL_R_UNINITIALIZED);
1082 return (-1);
1083 }
1084
1085 if (s->shutdown & SSL_RECEIVED_SHUTDOWN) {
1086 return (0);
1087 }
1088 return ssl3_peek(s, buf, num);
1089}
1090
1091int
1092SSL_peek_ex(SSL *s, void *buf, size_t num, size_t *bytes_peeked)
1093{
1094 int ret;
1095
1096 /* We simply don't bother supporting enormous peeks */
1097 if (num > INT_MAX) {
1098 SSLerror(s, SSL_R_BAD_LENGTH);
1099 return 0;
1100 }
1101
1102 ret = SSL_peek(s, buf, (int)num);
1103 if (ret < 0)
1104 ret = 0;
1105 *bytes_peeked = ret;
1106
1107 return ret > 0;
1108}
1109
1110int
1111SSL_write(SSL *s, const void *buf, int num)
1112{
1113 if (num < 0) {
1114 SSLerror(s, SSL_R_BAD_LENGTH);
1115 return -1;
1116 }
1117
1118 if (SSL_is_quic(s)) {
1119 SSLerror(s, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
1120 return (-1);
1121 }
1122
1123 if (s->handshake_func == NULL) {
1124 SSLerror(s, SSL_R_UNINITIALIZED);
1125 return (-1);
1126 }
1127
1128 if (s->shutdown & SSL_SENT_SHUTDOWN) {
1129 s->rwstate = SSL_NOTHING;
1130 SSLerror(s, SSL_R_PROTOCOL_IS_SHUTDOWN);
1131 return (-1);
1132 }
1133 return ssl3_write(s, buf, num);
1134}
1135
1136int
1137SSL_write_ex(SSL *s, const void *buf, size_t num, size_t *bytes_written)
1138{
1139 int ret;
1140
1141 /* We simply don't bother supporting enormous writes */
1142 if (num > INT_MAX) {
1143 SSLerror(s, SSL_R_BAD_LENGTH);
1144 return 0;
1145 }
1146
1147 if (num == 0) {
1148 /* This API is special */
1149 bytes_written = 0;
1150 return 1;
1151 }
1152
1153 ret = SSL_write(s, buf, (int)num);
1154 if (ret < 0)
1155 ret = 0;
1156 *bytes_written = ret;
1157
1158 return ret > 0;
1159}
1160
1161uint32_t
1162SSL_CTX_get_max_early_data(const SSL_CTX *ctx)
1163{
1164 return 0;
1165}
1166
1167int
1168SSL_CTX_set_max_early_data(SSL_CTX *ctx, uint32_t max_early_data)
1169{
1170 return 1;
1171}
1172
1173uint32_t
1174SSL_get_max_early_data(const SSL *s)
1175{
1176 return 0;
1177}
1178
1179int
1180SSL_set_max_early_data(SSL *s, uint32_t max_early_data)
1181{
1182 return 1;
1183}
1184
1185int
1186SSL_get_early_data_status(const SSL *s)
1187{
1188 return SSL_EARLY_DATA_REJECTED;
1189}
1190
1191int
1192SSL_read_early_data(SSL *s, void *buf, size_t num, size_t *readbytes)
1193{
1194 *readbytes = 0;
1195
1196 if (!s->server) {
1197 SSLerror(s, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
1198 return SSL_READ_EARLY_DATA_ERROR;
1199 }
1200
1201 return SSL_READ_EARLY_DATA_FINISH;
1202}
1203
1204int
1205SSL_write_early_data(SSL *s, const void *buf, size_t num, size_t *written)
1206{
1207 *written = 0;
1208 SSLerror(s, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
1209 return 0;
1210}
1211
1212int
1213SSL_shutdown(SSL *s)
1214{
1215 /*
1216 * Note that this function behaves differently from what one might
1217 * expect. Return values are 0 for no success (yet),
1218 * 1 for success; but calling it once is usually not enough,
1219 * even if blocking I/O is used (see ssl3_shutdown).
1220 */
1221
1222 if (s->handshake_func == NULL) {
1223 SSLerror(s, SSL_R_UNINITIALIZED);
1224 return (-1);
1225 }
1226
1227 if (s != NULL && !SSL_in_init(s))
1228 return (s->method->ssl_shutdown(s));
1229
1230 return (1);
1231}
1232
1233int
1234SSL_renegotiate(SSL *s)
1235{
1236 if (s->renegotiate == 0)
1237 s->renegotiate = 1;
1238
1239 s->new_session = 1;
1240
1241 return (s->method->ssl_renegotiate(s));
1242}
1243
1244int
1245SSL_renegotiate_abbreviated(SSL *s)
1246{
1247 if (s->renegotiate == 0)
1248 s->renegotiate = 1;
1249
1250 s->new_session = 0;
1251
1252 return (s->method->ssl_renegotiate(s));
1253}
1254
1255int
1256SSL_renegotiate_pending(SSL *s)
1257{
1258 /*
1259 * Becomes true when negotiation is requested;
1260 * false again once a handshake has finished.
1261 */
1262 return (s->renegotiate != 0);
1263}
1264
1265long
1266SSL_ctrl(SSL *s, int cmd, long larg, void *parg)
1267{
1268 long l;
1269
1270 switch (cmd) {
1271 case SSL_CTRL_GET_READ_AHEAD:
1272 return (s->read_ahead);
1273 case SSL_CTRL_SET_READ_AHEAD:
1274 l = s->read_ahead;
1275 s->read_ahead = larg;
1276 return (l);
1277
1278 case SSL_CTRL_SET_MSG_CALLBACK_ARG:
1279 s->msg_callback_arg = parg;
1280 return (1);
1281
1282 case SSL_CTRL_OPTIONS:
1283 return (s->options|=larg);
1284 case SSL_CTRL_CLEAR_OPTIONS:
1285 return (s->options&=~larg);
1286 case SSL_CTRL_MODE:
1287 return (s->mode|=larg);
1288 case SSL_CTRL_CLEAR_MODE:
1289 return (s->mode &=~larg);
1290 case SSL_CTRL_GET_MAX_CERT_LIST:
1291 return (s->max_cert_list);
1292 case SSL_CTRL_SET_MAX_CERT_LIST:
1293 l = s->max_cert_list;
1294 s->max_cert_list = larg;
1295 return (l);
1296 case SSL_CTRL_SET_MTU:
1297#ifndef OPENSSL_NO_DTLS1
1298 if (larg < (long)dtls1_min_mtu())
1299 return (0);
1300#endif
1301 if (SSL_is_dtls(s)) {
1302 s->d1->mtu = larg;
1303 return (larg);
1304 }
1305 return (0);
1306 case SSL_CTRL_SET_MAX_SEND_FRAGMENT:
1307 if (larg < 512 || larg > SSL3_RT_MAX_PLAIN_LENGTH)
1308 return (0);
1309 s->max_send_fragment = larg;
1310 return (1);
1311 case SSL_CTRL_GET_RI_SUPPORT:
1312 if (s->s3)
1313 return (s->s3->send_connection_binding);
1314 else return (0);
1315 default:
1316 if (SSL_is_dtls(s))
1317 return dtls1_ctrl(s, cmd, larg, parg);
1318 return ssl3_ctrl(s, cmd, larg, parg);
1319 }
1320}
1321
1322long
1323SSL_callback_ctrl(SSL *s, int cmd, void (*fp)(void))
1324{
1325 switch (cmd) {
1326 case SSL_CTRL_SET_MSG_CALLBACK:
1327 s->msg_callback = (ssl_msg_callback_fn *)(fp);
1328 return (1);
1329
1330 default:
1331 return (ssl3_callback_ctrl(s, cmd, fp));
1332 }
1333}
1334
1335struct lhash_st_SSL_SESSION *
1336SSL_CTX_sessions(SSL_CTX *ctx)
1337{
1338 return (ctx->sessions);
1339}
1340
1341long
1342SSL_CTX_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
1343{
1344 long l;
1345
1346 switch (cmd) {
1347 case SSL_CTRL_GET_READ_AHEAD:
1348 return (ctx->read_ahead);
1349 case SSL_CTRL_SET_READ_AHEAD:
1350 l = ctx->read_ahead;
1351 ctx->read_ahead = larg;
1352 return (l);
1353
1354 case SSL_CTRL_SET_MSG_CALLBACK_ARG:
1355 ctx->msg_callback_arg = parg;
1356 return (1);
1357
1358 case SSL_CTRL_GET_MAX_CERT_LIST:
1359 return (ctx->max_cert_list);
1360 case SSL_CTRL_SET_MAX_CERT_LIST:
1361 l = ctx->max_cert_list;
1362 ctx->max_cert_list = larg;
1363 return (l);
1364
1365 case SSL_CTRL_SET_SESS_CACHE_SIZE:
1366 l = ctx->session_cache_size;
1367 ctx->session_cache_size = larg;
1368 return (l);
1369 case SSL_CTRL_GET_SESS_CACHE_SIZE:
1370 return (ctx->session_cache_size);
1371 case SSL_CTRL_SET_SESS_CACHE_MODE:
1372 l = ctx->session_cache_mode;
1373 ctx->session_cache_mode = larg;
1374 return (l);
1375 case SSL_CTRL_GET_SESS_CACHE_MODE:
1376 return (ctx->session_cache_mode);
1377
1378 case SSL_CTRL_SESS_NUMBER:
1379 return (lh_SSL_SESSION_num_items(ctx->sessions));
1380 case SSL_CTRL_SESS_CONNECT:
1381 return (ctx->stats.sess_connect);
1382 case SSL_CTRL_SESS_CONNECT_GOOD:
1383 return (ctx->stats.sess_connect_good);
1384 case SSL_CTRL_SESS_CONNECT_RENEGOTIATE:
1385 return (ctx->stats.sess_connect_renegotiate);
1386 case SSL_CTRL_SESS_ACCEPT:
1387 return (ctx->stats.sess_accept);
1388 case SSL_CTRL_SESS_ACCEPT_GOOD:
1389 return (ctx->stats.sess_accept_good);
1390 case SSL_CTRL_SESS_ACCEPT_RENEGOTIATE:
1391 return (ctx->stats.sess_accept_renegotiate);
1392 case SSL_CTRL_SESS_HIT:
1393 return (ctx->stats.sess_hit);
1394 case SSL_CTRL_SESS_CB_HIT:
1395 return (ctx->stats.sess_cb_hit);
1396 case SSL_CTRL_SESS_MISSES:
1397 return (ctx->stats.sess_miss);
1398 case SSL_CTRL_SESS_TIMEOUTS:
1399 return (ctx->stats.sess_timeout);
1400 case SSL_CTRL_SESS_CACHE_FULL:
1401 return (ctx->stats.sess_cache_full);
1402 case SSL_CTRL_OPTIONS:
1403 return (ctx->options|=larg);
1404 case SSL_CTRL_CLEAR_OPTIONS:
1405 return (ctx->options&=~larg);
1406 case SSL_CTRL_MODE:
1407 return (ctx->mode|=larg);
1408 case SSL_CTRL_CLEAR_MODE:
1409 return (ctx->mode&=~larg);
1410 case SSL_CTRL_SET_MAX_SEND_FRAGMENT:
1411 if (larg < 512 || larg > SSL3_RT_MAX_PLAIN_LENGTH)
1412 return (0);
1413 ctx->max_send_fragment = larg;
1414 return (1);
1415 default:
1416 return (ssl3_ctx_ctrl(ctx, cmd, larg, parg));
1417 }
1418}
1419
1420long
1421SSL_CTX_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)(void))
1422{
1423 switch (cmd) {
1424 case SSL_CTRL_SET_MSG_CALLBACK:
1425 ctx->msg_callback = (ssl_msg_callback_fn *)fp;
1426 return (1);
1427
1428 default:
1429 return (ssl3_ctx_callback_ctrl(ctx, cmd, fp));
1430 }
1431}
1432
1433int
1434ssl_cipher_id_cmp(const SSL_CIPHER *a, const SSL_CIPHER *b)
1435{
1436 long l;
1437
1438 l = a->id - b->id;
1439 if (l == 0L)
1440 return (0);
1441 else
1442 return ((l > 0) ? 1:-1);
1443}
1444
1445STACK_OF(SSL_CIPHER) *
1446SSL_get_ciphers(const SSL *s)
1447{
1448 if (s == NULL)
1449 return (NULL);
1450 if (s->cipher_list != NULL)
1451 return (s->cipher_list);
1452
1453 return (s->ctx->cipher_list);
1454}
1455
1456STACK_OF(SSL_CIPHER) *
1457SSL_get_client_ciphers(const SSL *s)
1458{
1459 if (s == NULL || s->session == NULL || !s->server)
1460 return NULL;
1461 return s->session->ciphers;
1462}
1463
1464STACK_OF(SSL_CIPHER) *
1465SSL_get1_supported_ciphers(SSL *s)
1466{
1467 STACK_OF(SSL_CIPHER) *supported_ciphers = NULL, *ciphers;
1468 SSL_CIPHER *cipher;
1469 uint16_t min_vers, max_vers;
1470 int i;
1471
1472 if (s == NULL)
1473 return NULL;
1474 if (!ssl_supported_tls_version_range(s, &min_vers, &max_vers))
1475 return NULL;
1476 if ((ciphers = SSL_get_ciphers(s)) == NULL)
1477 return NULL;
1478 if ((supported_ciphers = sk_SSL_CIPHER_new_null()) == NULL)
1479 return NULL;
1480
1481 for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) {
1482 if ((cipher = sk_SSL_CIPHER_value(ciphers, i)) == NULL)
1483 goto err;
1484 if (!ssl_cipher_allowed_in_tls_version_range(cipher, min_vers,
1485 max_vers))
1486 continue;
1487 if (!ssl_security_supported_cipher(s, cipher))
1488 continue;
1489 if (!sk_SSL_CIPHER_push(supported_ciphers, cipher))
1490 goto err;
1491 }
1492
1493 if (sk_SSL_CIPHER_num(supported_ciphers) > 0)
1494 return supported_ciphers;
1495
1496 err:
1497 sk_SSL_CIPHER_free(supported_ciphers);
1498 return NULL;
1499}
1500
1501/* See if we have any ECC cipher suites. */
1502int
1503ssl_has_ecc_ciphers(SSL *s)
1504{
1505 STACK_OF(SSL_CIPHER) *ciphers;
1506 unsigned long alg_k, alg_a;
1507 SSL_CIPHER *cipher;
1508 int i;
1509
1510 if ((ciphers = SSL_get_ciphers(s)) == NULL)
1511 return 0;
1512
1513 for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) {
1514 cipher = sk_SSL_CIPHER_value(ciphers, i);
1515
1516 alg_k = cipher->algorithm_mkey;
1517 alg_a = cipher->algorithm_auth;
1518
1519 if ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA))
1520 return 1;
1521 }
1522
1523 return 0;
1524}
1525
1526/* The old interface to get the same thing as SSL_get_ciphers(). */
1527const char *
1528SSL_get_cipher_list(const SSL *s, int n)
1529{
1530 STACK_OF(SSL_CIPHER) *ciphers;
1531 const SSL_CIPHER *cipher;
1532
1533 if ((ciphers = SSL_get_ciphers(s)) == NULL)
1534 return (NULL);
1535 if ((cipher = sk_SSL_CIPHER_value(ciphers, n)) == NULL)
1536 return (NULL);
1537
1538 return (cipher->name);
1539}
1540
1541STACK_OF(SSL_CIPHER) *
1542SSL_CTX_get_ciphers(const SSL_CTX *ctx)
1543{
1544 if (ctx == NULL)
1545 return NULL;
1546 return ctx->cipher_list;
1547}
1548
1549/* Specify the ciphers to be used by default by the SSL_CTX. */
1550int
1551SSL_CTX_set_cipher_list(SSL_CTX *ctx, const char *str)
1552{
1553 STACK_OF(SSL_CIPHER) *ciphers;
1554
1555 /*
1556 * ssl_create_cipher_list may return an empty stack if it was unable to
1557 * find a cipher matching the given rule string (for example if the
1558 * rule string specifies a cipher which has been disabled). This is not
1559 * an error as far as ssl_create_cipher_list is concerned, and hence
1560 * ctx->cipher_list has been updated.
1561 */
1562 ciphers = ssl_create_cipher_list(ctx->method, &ctx->cipher_list,
1563 ctx->cipher_list_tls13, str, ctx->cert);
1564 if (ciphers == NULL) {
1565 return (0);
1566 } else if (sk_SSL_CIPHER_num(ciphers) == 0) {
1567 SSLerrorx(SSL_R_NO_CIPHER_MATCH);
1568 return (0);
1569 }
1570 return (1);
1571}
1572
1573int
1574SSL_CTX_set_ciphersuites(SSL_CTX *ctx, const char *str)
1575{
1576 if (!ssl_parse_ciphersuites(&ctx->cipher_list_tls13, str)) {
1577 SSLerrorx(SSL_R_NO_CIPHER_MATCH);
1578 return 0;
1579 }
1580 if (!ssl_merge_cipherlists(ctx->cipher_list,
1581 ctx->cipher_list_tls13, &ctx->cipher_list))
1582 return 0;
1583
1584 return 1;
1585}
1586
1587/* Specify the ciphers to be used by the SSL. */
1588int
1589SSL_set_cipher_list(SSL *s, const char *str)
1590{
1591 STACK_OF(SSL_CIPHER) *ciphers, *ciphers_tls13;
1592
1593 if ((ciphers_tls13 = s->cipher_list_tls13) == NULL)
1594 ciphers_tls13 = s->ctx->cipher_list_tls13;
1595
1596 /* See comment in SSL_CTX_set_cipher_list. */
1597 ciphers = ssl_create_cipher_list(s->ctx->method, &s->cipher_list,
1598 ciphers_tls13, str, s->cert);
1599 if (ciphers == NULL) {
1600 return (0);
1601 } else if (sk_SSL_CIPHER_num(ciphers) == 0) {
1602 SSLerror(s, SSL_R_NO_CIPHER_MATCH);
1603 return (0);
1604 }
1605 return (1);
1606}
1607
1608int
1609SSL_set_ciphersuites(SSL *s, const char *str)
1610{
1611 STACK_OF(SSL_CIPHER) *ciphers;
1612
1613 if ((ciphers = s->cipher_list) == NULL)
1614 ciphers = s->ctx->cipher_list;
1615
1616 if (!ssl_parse_ciphersuites(&s->cipher_list_tls13, str)) {
1617 SSLerrorx(SSL_R_NO_CIPHER_MATCH);
1618 return (0);
1619 }
1620 if (!ssl_merge_cipherlists(ciphers, s->cipher_list_tls13,
1621 &s->cipher_list))
1622 return 0;
1623
1624 return 1;
1625}
1626
1627char *
1628SSL_get_shared_ciphers(const SSL *s, char *buf, int len)
1629{
1630 STACK_OF(SSL_CIPHER) *client_ciphers, *server_ciphers;
1631 const SSL_CIPHER *cipher;
1632 size_t curlen = 0;
1633 char *end;
1634 int i;
1635
1636 if (!s->server || s->session == NULL || len < 2)
1637 return NULL;
1638
1639 if ((client_ciphers = s->session->ciphers) == NULL)
1640 return NULL;
1641 if ((server_ciphers = SSL_get_ciphers(s)) == NULL)
1642 return NULL;
1643 if (sk_SSL_CIPHER_num(client_ciphers) == 0 ||
1644 sk_SSL_CIPHER_num(server_ciphers) == 0)
1645 return NULL;
1646
1647 buf[0] = '\0';
1648 for (i = 0; i < sk_SSL_CIPHER_num(client_ciphers); i++) {
1649 cipher = sk_SSL_CIPHER_value(client_ciphers, i);
1650
1651 if (sk_SSL_CIPHER_find(server_ciphers, cipher) < 0)
1652 continue;
1653
1654 end = buf + curlen;
1655 if (strlcat(buf, cipher->name, len) >= len ||
1656 (curlen = strlcat(buf, ":", len)) >= len) {
1657 /* remove truncated cipher from list */
1658 *end = '\0';
1659 break;
1660 }
1661 }
1662 /* remove trailing colon */
1663 if ((end = strrchr(buf, ':')) != NULL)
1664 *end = '\0';
1665 return buf;
1666}
1667
1668/*
1669 * Return a servername extension value if provided in Client Hello, or NULL.
1670 * So far, only host_name types are defined (RFC 3546).
1671 */
1672const char *
1673SSL_get_servername(const SSL *s, const int type)
1674{
1675 if (type != TLSEXT_NAMETYPE_host_name)
1676 return (NULL);
1677
1678 return (s->session && !s->tlsext_hostname ?
1679 s->session->tlsext_hostname :
1680 s->tlsext_hostname);
1681}
1682
1683int
1684SSL_get_servername_type(const SSL *s)
1685{
1686 if (s->session &&
1687 (!s->tlsext_hostname ?
1688 s->session->tlsext_hostname : s->tlsext_hostname))
1689 return (TLSEXT_NAMETYPE_host_name);
1690 return (-1);
1691}
1692
1693/*
1694 * SSL_select_next_proto implements standard protocol selection. It is
1695 * expected that this function is called from the callback set by
1696 * SSL_CTX_set_alpn_select_cb.
1697 *
1698 * The protocol data is assumed to be a vector of 8-bit, length prefixed byte
1699 * strings. The length byte itself is not included in the length. A byte
1700 * string of length 0 is invalid. No byte string may be truncated.
1701 *
1702 * It returns either:
1703 * OPENSSL_NPN_NEGOTIATED if a common protocol was found, or
1704 * OPENSSL_NPN_NO_OVERLAP if the fallback case was reached.
1705 */
1706int
1707SSL_select_next_proto(unsigned char **out, unsigned char *outlen,
1708 const unsigned char *server, unsigned int server_len,
1709 const unsigned char *client, unsigned int client_len)
1710{
1711 unsigned int i, j;
1712 const unsigned char *result;
1713 int status = OPENSSL_NPN_UNSUPPORTED;
1714
1715 /*
1716 * For each protocol in server preference order,
1717 * see if we support it.
1718 */
1719 for (i = 0; i < server_len; ) {
1720 for (j = 0; j < client_len; ) {
1721 if (server[i] == client[j] &&
1722 memcmp(&server[i + 1],
1723 &client[j + 1], server[i]) == 0) {
1724 /* We found a match */
1725 result = &server[i];
1726 status = OPENSSL_NPN_NEGOTIATED;
1727 goto found;
1728 }
1729 j += client[j];
1730 j++;
1731 }
1732 i += server[i];
1733 i++;
1734 }
1735
1736 /* There's no overlap between our protocols and the server's list. */
1737 result = client;
1738 status = OPENSSL_NPN_NO_OVERLAP;
1739
1740 found:
1741 *out = (unsigned char *) result + 1;
1742 *outlen = result[0];
1743 return (status);
1744}
1745
1746/* SSL_get0_next_proto_negotiated is deprecated. */
1747void
1748SSL_get0_next_proto_negotiated(const SSL *s, const unsigned char **data,
1749 unsigned int *len)
1750{
1751 *data = NULL;
1752 *len = 0;
1753}
1754
1755/* SSL_CTX_set_next_protos_advertised_cb is deprecated. */
1756void
1757SSL_CTX_set_next_protos_advertised_cb(SSL_CTX *ctx, int (*cb) (SSL *ssl,
1758 const unsigned char **out, unsigned int *outlen, void *arg), void *arg)
1759{
1760}
1761
1762/* SSL_CTX_set_next_proto_select_cb is deprecated. */
1763void
1764SSL_CTX_set_next_proto_select_cb(SSL_CTX *ctx, int (*cb) (SSL *s,
1765 unsigned char **out, unsigned char *outlen, const unsigned char *in,
1766 unsigned int inlen, void *arg), void *arg)
1767{
1768}
1769
1770/*
1771 * SSL_CTX_set_alpn_protos sets the ALPN protocol list to the specified
1772 * protocols, which must be in wire-format (i.e. a series of non-empty,
1773 * 8-bit length-prefixed strings). Returns 0 on success.
1774 */
1775int
1776SSL_CTX_set_alpn_protos(SSL_CTX *ctx, const unsigned char *protos,
1777 unsigned int protos_len)
1778{
1779 CBS cbs;
1780 int failed = 1;
1781
1782 if (protos == NULL)
1783 protos_len = 0;
1784
1785 CBS_init(&cbs, protos, protos_len);
1786
1787 if (protos_len > 0) {
1788 if (!tlsext_alpn_check_format(&cbs))
1789 goto err;
1790 }
1791
1792 if (!CBS_stow(&cbs, &ctx->alpn_client_proto_list,
1793 &ctx->alpn_client_proto_list_len))
1794 goto err;
1795
1796 failed = 0;
1797
1798 err:
1799 /* NOTE: Return values are the reverse of what you expect. */
1800 return failed;
1801}
1802
1803/*
1804 * SSL_set_alpn_protos sets the ALPN protocol list to the specified
1805 * protocols, which must be in wire-format (i.e. a series of non-empty,
1806 * 8-bit length-prefixed strings). Returns 0 on success.
1807 */
1808int
1809SSL_set_alpn_protos(SSL *ssl, const unsigned char *protos,
1810 unsigned int protos_len)
1811{
1812 CBS cbs;
1813 int failed = 1;
1814
1815 if (protos == NULL)
1816 protos_len = 0;
1817
1818 CBS_init(&cbs, protos, protos_len);
1819
1820 if (protos_len > 0) {
1821 if (!tlsext_alpn_check_format(&cbs))
1822 goto err;
1823 }
1824
1825 if (!CBS_stow(&cbs, &ssl->alpn_client_proto_list,
1826 &ssl->alpn_client_proto_list_len))
1827 goto err;
1828
1829 failed = 0;
1830
1831 err:
1832 /* NOTE: Return values are the reverse of what you expect. */
1833 return failed;
1834}
1835
1836/*
1837 * SSL_CTX_set_alpn_select_cb sets a callback function that is called during
1838 * ClientHello processing in order to select an ALPN protocol from the
1839 * client's list of offered protocols.
1840 */
1841void
1842SSL_CTX_set_alpn_select_cb(SSL_CTX* ctx,
1843 int (*cb) (SSL *ssl, const unsigned char **out, unsigned char *outlen,
1844 const unsigned char *in, unsigned int inlen, void *arg), void *arg)
1845{
1846 ctx->alpn_select_cb = cb;
1847 ctx->alpn_select_cb_arg = arg;
1848}
1849
1850/*
1851 * SSL_get0_alpn_selected gets the selected ALPN protocol (if any). On return
1852 * it sets data to point to len bytes of protocol name (not including the
1853 * leading length-prefix byte). If the server didn't respond with* a negotiated
1854 * protocol then len will be zero.
1855 */
1856void
1857SSL_get0_alpn_selected(const SSL *ssl, const unsigned char **data,
1858 unsigned int *len)
1859{
1860 *data = ssl->s3->alpn_selected;
1861 *len = ssl->s3->alpn_selected_len;
1862}
1863
1864void
1865SSL_set_psk_use_session_callback(SSL *s, SSL_psk_use_session_cb_func cb)
1866{
1867 return;
1868}
1869
1870int
1871SSL_export_keying_material(SSL *s, unsigned char *out, size_t out_len,
1872 const char *label, size_t label_len, const unsigned char *context,
1873 size_t context_len, int use_context)
1874{
1875 if (s->tls13 != NULL && s->version == TLS1_3_VERSION) {
1876 if (!use_context) {
1877 context = NULL;
1878 context_len = 0;
1879 }
1880 return tls13_exporter(s->tls13, label, label_len, context,
1881 context_len, out, out_len);
1882 }
1883
1884 return tls12_exporter(s, label, label_len, context, context_len,
1885 use_context, out, out_len);
1886}
1887
1888static unsigned long
1889ssl_session_hash(const SSL_SESSION *a)
1890{
1891 unsigned long l;
1892
1893 l = (unsigned long)
1894 ((unsigned int) a->session_id[0] )|
1895 ((unsigned int) a->session_id[1]<< 8L)|
1896 ((unsigned long)a->session_id[2]<<16L)|
1897 ((unsigned long)a->session_id[3]<<24L);
1898 return (l);
1899}
1900
1901/*
1902 * NB: If this function (or indeed the hash function which uses a sort of
1903 * coarser function than this one) is changed, ensure
1904 * SSL_CTX_has_matching_session_id() is checked accordingly. It relies on being
1905 * able to construct an SSL_SESSION that will collide with any existing session
1906 * with a matching session ID.
1907 */
1908static int
1909ssl_session_cmp(const SSL_SESSION *a, const SSL_SESSION *b)
1910{
1911 if (a->ssl_version != b->ssl_version)
1912 return (1);
1913 if (a->session_id_length != b->session_id_length)
1914 return (1);
1915 if (timingsafe_memcmp(a->session_id, b->session_id, a->session_id_length) != 0)
1916 return (1);
1917 return (0);
1918}
1919
1920/*
1921 * These wrapper functions should remain rather than redeclaring
1922 * SSL_SESSION_hash and SSL_SESSION_cmp for void* types and casting each
1923 * variable. The reason is that the functions aren't static, they're exposed via
1924 * ssl.h.
1925 */
1926static unsigned long
1927ssl_session_LHASH_HASH(const void *arg)
1928{
1929 const SSL_SESSION *a = arg;
1930
1931 return ssl_session_hash(a);
1932}
1933
1934static int
1935ssl_session_LHASH_COMP(const void *arg1, const void *arg2)
1936{
1937 const SSL_SESSION *a = arg1;
1938 const SSL_SESSION *b = arg2;
1939
1940 return ssl_session_cmp(a, b);
1941}
1942
1943SSL_CTX *
1944SSL_CTX_new(const SSL_METHOD *meth)
1945{
1946 SSL_CTX *ret;
1947
1948 if (!OPENSSL_init_ssl(0, NULL)) {
1949 SSLerrorx(SSL_R_LIBRARY_BUG);
1950 return (NULL);
1951 }
1952
1953 if (meth == NULL) {
1954 SSLerrorx(SSL_R_NULL_SSL_METHOD_PASSED);
1955 return (NULL);
1956 }
1957
1958 if ((ret = calloc(1, sizeof(*ret))) == NULL) {
1959 SSLerrorx(ERR_R_MALLOC_FAILURE);
1960 return (NULL);
1961 }
1962
1963 if (SSL_get_ex_data_X509_STORE_CTX_idx() < 0) {
1964 SSLerrorx(SSL_R_X509_VERIFICATION_SETUP_PROBLEMS);
1965 goto err;
1966 }
1967
1968 ret->method = meth;
1969 ret->min_tls_version = meth->min_tls_version;
1970 ret->max_tls_version = meth->max_tls_version;
1971 ret->min_proto_version = 0;
1972 ret->max_proto_version = 0;
1973 ret->mode = SSL_MODE_AUTO_RETRY;
1974
1975 ret->cert_store = NULL;
1976 ret->session_cache_mode = SSL_SESS_CACHE_SERVER;
1977 ret->session_cache_size = SSL_SESSION_CACHE_MAX_SIZE_DEFAULT;
1978 ret->session_cache_head = NULL;
1979 ret->session_cache_tail = NULL;
1980
1981 /* We take the system default */
1982 ret->session_timeout = ssl_get_default_timeout();
1983
1984 ret->new_session_cb = 0;
1985 ret->remove_session_cb = 0;
1986 ret->get_session_cb = 0;
1987 ret->generate_session_id = 0;
1988
1989 memset((char *)&ret->stats, 0, sizeof(ret->stats));
1990
1991 ret->references = 1;
1992 ret->quiet_shutdown = 0;
1993
1994 ret->info_callback = NULL;
1995
1996 ret->app_verify_callback = 0;
1997 ret->app_verify_arg = NULL;
1998
1999 ret->max_cert_list = SSL_MAX_CERT_LIST_DEFAULT;
2000 ret->read_ahead = 0;
2001 ret->msg_callback = 0;
2002 ret->msg_callback_arg = NULL;
2003 ret->verify_mode = SSL_VERIFY_NONE;
2004 ret->sid_ctx_length = 0;
2005 ret->default_verify_callback = NULL;
2006
2007 if ((ret->cert = ssl_cert_new()) == NULL)
2008 goto err;
2009
2010 ret->default_passwd_callback = 0;
2011 ret->default_passwd_callback_userdata = NULL;
2012 ret->client_cert_cb = 0;
2013 ret->app_gen_cookie_cb = 0;
2014 ret->app_verify_cookie_cb = 0;
2015
2016 ret->sessions = lh_SSL_SESSION_new();
2017 if (ret->sessions == NULL)
2018 goto err;
2019 ret->cert_store = X509_STORE_new();
2020 if (ret->cert_store == NULL)
2021 goto err;
2022
2023 ssl_create_cipher_list(ret->method, &ret->cipher_list,
2024 NULL, SSL_DEFAULT_CIPHER_LIST, ret->cert);
2025 if (ret->cipher_list == NULL ||
2026 sk_SSL_CIPHER_num(ret->cipher_list) <= 0) {
2027 SSLerrorx(SSL_R_LIBRARY_HAS_NO_CIPHERS);
2028 goto err2;
2029 }
2030
2031 ret->param = X509_VERIFY_PARAM_new();
2032 if (!ret->param)
2033 goto err;
2034
2035 if ((ret->client_CA = sk_X509_NAME_new_null()) == NULL)
2036 goto err;
2037
2038 CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL_CTX, ret, &ret->ex_data);
2039
2040 ret->extra_certs = NULL;
2041
2042 ret->max_send_fragment = SSL3_RT_MAX_PLAIN_LENGTH;
2043
2044 ret->tlsext_servername_callback = 0;
2045 ret->tlsext_servername_arg = NULL;
2046
2047 /* Setup RFC4507 ticket keys */
2048 arc4random_buf(ret->tlsext_tick_key_name, 16);
2049 arc4random_buf(ret->tlsext_tick_hmac_key, 16);
2050 arc4random_buf(ret->tlsext_tick_aes_key, 16);
2051
2052 ret->tlsext_status_cb = 0;
2053 ret->tlsext_status_arg = NULL;
2054
2055#ifndef OPENSSL_NO_ENGINE
2056 ret->client_cert_engine = NULL;
2057#ifdef OPENSSL_SSL_CLIENT_ENGINE_AUTO
2058#define eng_strx(x) #x
2059#define eng_str(x) eng_strx(x)
2060 /* Use specific client engine automatically... ignore errors */
2061 {
2062 ENGINE *eng;
2063 eng = ENGINE_by_id(eng_str(OPENSSL_SSL_CLIENT_ENGINE_AUTO));
2064 if (!eng) {
2065 ERR_clear_error();
2066 ENGINE_load_builtin_engines();
2067 eng = ENGINE_by_id(eng_str(
2068 OPENSSL_SSL_CLIENT_ENGINE_AUTO));
2069 }
2070 if (!eng || !SSL_CTX_set_client_cert_engine(ret, eng))
2071 ERR_clear_error();
2072 }
2073#endif
2074#endif
2075 /*
2076 * Default is to connect to non-RI servers. When RI is more widely
2077 * deployed might change this.
2078 */
2079 ret->options |= SSL_OP_LEGACY_SERVER_CONNECT;
2080
2081 return (ret);
2082 err:
2083 SSLerrorx(ERR_R_MALLOC_FAILURE);
2084 err2:
2085 SSL_CTX_free(ret);
2086 return (NULL);
2087}
2088
2089void
2090SSL_CTX_free(SSL_CTX *ctx)
2091{
2092 int i;
2093
2094 if (ctx == NULL)
2095 return;
2096
2097 i = CRYPTO_add(&ctx->references, -1, CRYPTO_LOCK_SSL_CTX);
2098 if (i > 0)
2099 return;
2100
2101 X509_VERIFY_PARAM_free(ctx->param);
2102
2103 /*
2104 * Free internal session cache. However: the remove_cb() may reference
2105 * the ex_data of SSL_CTX, thus the ex_data store can only be removed
2106 * after the sessions were flushed.
2107 * As the ex_data handling routines might also touch the session cache,
2108 * the most secure solution seems to be: empty (flush) the cache, then
2109 * free ex_data, then finally free the cache.
2110 * (See ticket [openssl.org #212].)
2111 */
2112 if (ctx->sessions != NULL)
2113 SSL_CTX_flush_sessions(ctx, 0);
2114
2115 CRYPTO_free_ex_data(CRYPTO_EX_INDEX_SSL_CTX, ctx, &ctx->ex_data);
2116
2117 lh_SSL_SESSION_free(ctx->sessions);
2118
2119 X509_STORE_free(ctx->cert_store);
2120 sk_SSL_CIPHER_free(ctx->cipher_list);
2121 sk_SSL_CIPHER_free(ctx->cipher_list_tls13);
2122 ssl_cert_free(ctx->cert);
2123 sk_X509_NAME_pop_free(ctx->client_CA, X509_NAME_free);
2124 sk_X509_pop_free(ctx->extra_certs, X509_free);
2125
2126#ifndef OPENSSL_NO_SRTP
2127 if (ctx->srtp_profiles)
2128 sk_SRTP_PROTECTION_PROFILE_free(ctx->srtp_profiles);
2129#endif
2130
2131#ifndef OPENSSL_NO_ENGINE
2132 ENGINE_finish(ctx->client_cert_engine);
2133#endif
2134
2135 free(ctx->tlsext_ecpointformatlist);
2136 free(ctx->tlsext_supportedgroups);
2137
2138 free(ctx->alpn_client_proto_list);
2139
2140 free(ctx);
2141}
2142
2143int
2144SSL_CTX_up_ref(SSL_CTX *ctx)
2145{
2146 int refs = CRYPTO_add(&ctx->references, 1, CRYPTO_LOCK_SSL_CTX);
2147 return ((refs > 1) ? 1 : 0);
2148}
2149
2150pem_password_cb *
2151SSL_CTX_get_default_passwd_cb(SSL_CTX *ctx)
2152{
2153 return (ctx->default_passwd_callback);
2154}
2155
2156void
2157SSL_CTX_set_default_passwd_cb(SSL_CTX *ctx, pem_password_cb *cb)
2158{
2159 ctx->default_passwd_callback = cb;
2160}
2161
2162void *
2163SSL_CTX_get_default_passwd_cb_userdata(SSL_CTX *ctx)
2164{
2165 return ctx->default_passwd_callback_userdata;
2166}
2167
2168void
2169SSL_CTX_set_default_passwd_cb_userdata(SSL_CTX *ctx, void *u)
2170{
2171 ctx->default_passwd_callback_userdata = u;
2172}
2173
2174void
2175SSL_CTX_set_cert_verify_callback(SSL_CTX *ctx,
2176 int (*cb)(X509_STORE_CTX *, void *), void *arg)
2177{
2178 ctx->app_verify_callback = cb;
2179 ctx->app_verify_arg = arg;
2180}
2181
2182void
2183SSL_CTX_set_verify(SSL_CTX *ctx, int mode, int (*cb)(int, X509_STORE_CTX *))
2184{
2185 ctx->verify_mode = mode;
2186 ctx->default_verify_callback = cb;
2187}
2188
2189void
2190SSL_CTX_set_verify_depth(SSL_CTX *ctx, int depth)
2191{
2192 X509_VERIFY_PARAM_set_depth(ctx->param, depth);
2193}
2194
2195void
2196ssl_set_cert_masks(SSL_CERT *c, const SSL_CIPHER *cipher)
2197{
2198 unsigned long mask_a, mask_k;
2199 SSL_CERT_PKEY *cpk;
2200
2201 if (c == NULL)
2202 return;
2203
2204 mask_a = SSL_aNULL | SSL_aTLS1_3;
2205 mask_k = SSL_kECDHE | SSL_kTLS1_3;
2206
2207 if (c->dhe_params != NULL || c->dhe_params_cb != NULL ||
2208 c->dhe_params_auto != 0)
2209 mask_k |= SSL_kDHE;
2210
2211 cpk = &(c->pkeys[SSL_PKEY_ECC]);
2212 if (cpk->x509 != NULL && cpk->privatekey != NULL) {
2213 /* Key usage, if present, must allow signing. */
2214 if (X509_get_key_usage(cpk->x509) & X509v3_KU_DIGITAL_SIGNATURE)
2215 mask_a |= SSL_aECDSA;
2216 }
2217
2218 cpk = &(c->pkeys[SSL_PKEY_GOST01]);
2219 if (cpk->x509 != NULL && cpk->privatekey != NULL) {
2220 mask_k |= SSL_kGOST;
2221 mask_a |= SSL_aGOST01;
2222 }
2223
2224 cpk = &(c->pkeys[SSL_PKEY_RSA]);
2225 if (cpk->x509 != NULL && cpk->privatekey != NULL) {
2226 mask_a |= SSL_aRSA;
2227 mask_k |= SSL_kRSA;
2228 }
2229
2230 c->mask_k = mask_k;
2231 c->mask_a = mask_a;
2232 c->valid = 1;
2233}
2234
2235/* See if this handshake is using an ECC cipher suite. */
2236int
2237ssl_using_ecc_cipher(SSL *s)
2238{
2239 unsigned long alg_a, alg_k;
2240
2241 alg_a = s->s3->hs.cipher->algorithm_auth;
2242 alg_k = s->s3->hs.cipher->algorithm_mkey;
2243
2244 return s->session->tlsext_ecpointformatlist != NULL &&
2245 s->session->tlsext_ecpointformatlist_length > 0 &&
2246 ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA));
2247}
2248
2249int
2250ssl_check_srvr_ecc_cert_and_alg(SSL *s, X509 *x)
2251{
2252 const SSL_CIPHER *cs = s->s3->hs.cipher;
2253 unsigned long alg_a;
2254
2255 alg_a = cs->algorithm_auth;
2256
2257 if (alg_a & SSL_aECDSA) {
2258 /* Key usage, if present, must allow signing. */
2259 if (!(X509_get_key_usage(x) & X509v3_KU_DIGITAL_SIGNATURE)) {
2260 SSLerror(s, SSL_R_ECC_CERT_NOT_FOR_SIGNING);
2261 return (0);
2262 }
2263 }
2264
2265 return (1);
2266}
2267
2268SSL_CERT_PKEY *
2269ssl_get_server_send_pkey(const SSL *s)
2270{
2271 unsigned long alg_a;
2272 SSL_CERT *c;
2273 int i;
2274
2275 c = s->cert;
2276 ssl_set_cert_masks(c, s->s3->hs.cipher);
2277
2278 alg_a = s->s3->hs.cipher->algorithm_auth;
2279
2280 if (alg_a & SSL_aECDSA) {
2281 i = SSL_PKEY_ECC;
2282 } else if (alg_a & SSL_aRSA) {
2283 i = SSL_PKEY_RSA;
2284 } else if (alg_a & SSL_aGOST01) {
2285 i = SSL_PKEY_GOST01;
2286 } else { /* if (alg_a & SSL_aNULL) */
2287 SSLerror(s, ERR_R_INTERNAL_ERROR);
2288 return (NULL);
2289 }
2290
2291 return (c->pkeys + i);
2292}
2293
2294EVP_PKEY *
2295ssl_get_sign_pkey(SSL *s, const SSL_CIPHER *cipher, const EVP_MD **pmd,
2296 const struct ssl_sigalg **sap)
2297{
2298 const struct ssl_sigalg *sigalg = NULL;
2299 EVP_PKEY *pkey = NULL;
2300 unsigned long alg_a;
2301 SSL_CERT *c;
2302 int idx = -1;
2303
2304 alg_a = cipher->algorithm_auth;
2305 c = s->cert;
2306
2307 if (alg_a & SSL_aRSA) {
2308 idx = SSL_PKEY_RSA;
2309 } else if ((alg_a & SSL_aECDSA) &&
2310 (c->pkeys[SSL_PKEY_ECC].privatekey != NULL))
2311 idx = SSL_PKEY_ECC;
2312 if (idx == -1) {
2313 SSLerror(s, ERR_R_INTERNAL_ERROR);
2314 return (NULL);
2315 }
2316
2317 pkey = c->pkeys[idx].privatekey;
2318 if ((sigalg = ssl_sigalg_select(s, pkey)) == NULL) {
2319 SSLerror(s, SSL_R_SIGNATURE_ALGORITHMS_ERROR);
2320 return (NULL);
2321 }
2322 *pmd = sigalg->md();
2323 *sap = sigalg;
2324
2325 return (pkey);
2326}
2327
2328size_t
2329ssl_dhe_params_auto_key_bits(SSL *s)
2330{
2331 SSL_CERT_PKEY *cpk;
2332 int key_bits;
2333
2334 if (s->cert->dhe_params_auto == 2) {
2335 key_bits = 1024;
2336 } else if (s->s3->hs.cipher->algorithm_auth & SSL_aNULL) {
2337 key_bits = 1024;
2338 if (s->s3->hs.cipher->strength_bits == 256)
2339 key_bits = 3072;
2340 } else {
2341 if ((cpk = ssl_get_server_send_pkey(s)) == NULL)
2342 return 0;
2343 if (cpk->privatekey == NULL ||
2344 EVP_PKEY_get0_RSA(cpk->privatekey) == NULL)
2345 return 0;
2346 if ((key_bits = EVP_PKEY_bits(cpk->privatekey)) <= 0)
2347 return 0;
2348 }
2349
2350 return key_bits;
2351}
2352
2353static int
2354ssl_should_update_external_cache(SSL *s, int mode)
2355{
2356 int cache_mode;
2357
2358 cache_mode = s->session_ctx->session_cache_mode;
2359
2360 /* Don't cache if mode says not to */
2361 if ((cache_mode & mode) == 0)
2362 return 0;
2363
2364 /* if it is not already cached, cache it */
2365 if (!s->hit)
2366 return 1;
2367
2368 /* If it's TLS 1.3, do it to match OpenSSL */
2369 if (s->s3->hs.negotiated_tls_version >= TLS1_3_VERSION)
2370 return 1;
2371
2372 return 0;
2373}
2374
2375static int
2376ssl_should_update_internal_cache(SSL *s, int mode)
2377{
2378 int cache_mode;
2379
2380 cache_mode = s->session_ctx->session_cache_mode;
2381
2382 /* Don't cache if mode says not to */
2383 if ((cache_mode & mode) == 0)
2384 return 0;
2385
2386 /* If it is already cached, don't cache it again */
2387 if (s->hit)
2388 return 0;
2389
2390 if ((cache_mode & SSL_SESS_CACHE_NO_INTERNAL_STORE) != 0)
2391 return 0;
2392
2393 /* If we are lesser than TLS 1.3, Cache it. */
2394 if (s->s3->hs.negotiated_tls_version < TLS1_3_VERSION)
2395 return 1;
2396
2397 /* Below this we consider TLS 1.3 or later */
2398
2399 /* If it's not a server, add it? OpenSSL does this. */
2400 if (!s->server)
2401 return 1;
2402
2403 /* XXX if we support early data / PSK need to add */
2404
2405 /*
2406 * If we have the remove session callback, we will want
2407 * to know about this even if it's a stateless ticket
2408 * from 1.3 so we can know when it is removed.
2409 */
2410 if (s->session_ctx->remove_session_cb != NULL)
2411 return 1;
2412
2413 /* If we have set OP_NO_TICKET, cache it. */
2414 if ((s->options & SSL_OP_NO_TICKET) != 0)
2415 return 1;
2416
2417 /* Otherwise do not cache */
2418 return 0;
2419}
2420
2421void
2422ssl_update_cache(SSL *s, int mode)
2423{
2424 int cache_mode, do_callback;
2425
2426 if (s->session->session_id_length == 0)
2427 return;
2428
2429 cache_mode = s->session_ctx->session_cache_mode;
2430 do_callback = ssl_should_update_external_cache(s, mode);
2431
2432 if (ssl_should_update_internal_cache(s, mode)) {
2433 /*
2434 * XXX should we fail if the add to the internal cache
2435 * fails? OpenSSL doesn't care..
2436 */
2437 (void) SSL_CTX_add_session(s->session_ctx, s->session);
2438 }
2439
2440 /*
2441 * Update the "external cache" by calling the new session
2442 * callback if present, even with TLS 1.3 without early data
2443 * "because some application just want to know about the
2444 * creation of a session and aren't doing a full cache".
2445 * Apparently, if they are doing a full cache, they'll have
2446 * some fun, but we endeavour to give application writers the
2447 * same glorious experience they expect from OpenSSL which
2448 * does it this way.
2449 */
2450 if (do_callback && s->session_ctx->new_session_cb != NULL) {
2451 CRYPTO_add(&s->session->references, 1, CRYPTO_LOCK_SSL_SESSION);
2452 if (!s->session_ctx->new_session_cb(s, s->session))
2453 SSL_SESSION_free(s->session);
2454 }
2455
2456 /* Auto flush every 255 connections. */
2457 if (!(cache_mode & SSL_SESS_CACHE_NO_AUTO_CLEAR) &&
2458 (cache_mode & mode) != 0) {
2459 int connections;
2460 if (mode & SSL_SESS_CACHE_CLIENT)
2461 connections = s->session_ctx->stats.sess_connect_good;
2462 else
2463 connections = s->session_ctx->stats.sess_accept_good;
2464 if ((connections & 0xff) == 0xff)
2465 SSL_CTX_flush_sessions(s->session_ctx, time(NULL));
2466 }
2467}
2468
2469const SSL_METHOD *
2470SSL_get_ssl_method(SSL *s)
2471{
2472 return (s->method);
2473}
2474
2475int
2476SSL_set_ssl_method(SSL *s, const SSL_METHOD *method)
2477{
2478 int (*handshake_func)(SSL *) = NULL;
2479 int ret = 1;
2480
2481 if (s->method == method)
2482 return (ret);
2483
2484 if (s->handshake_func == s->method->ssl_connect)
2485 handshake_func = method->ssl_connect;
2486 else if (s->handshake_func == s->method->ssl_accept)
2487 handshake_func = method->ssl_accept;
2488
2489 if (s->method->version == method->version) {
2490 s->method = method;
2491 } else {
2492 s->method->ssl_free(s);
2493 s->method = method;
2494 ret = s->method->ssl_new(s);
2495 }
2496 s->handshake_func = handshake_func;
2497
2498 return (ret);
2499}
2500
2501int
2502SSL_get_error(const SSL *s, int i)
2503{
2504 unsigned long l;
2505 int reason;
2506 BIO *bio;
2507
2508 if (i > 0)
2509 return (SSL_ERROR_NONE);
2510
2511 /*
2512 * Make things return SSL_ERROR_SYSCALL when doing SSL_do_handshake
2513 * etc, where we do encode the error.
2514 */
2515 if ((l = ERR_peek_error()) != 0) {
2516 if (ERR_GET_LIB(l) == ERR_LIB_SYS)
2517 return (SSL_ERROR_SYSCALL);
2518 else
2519 return (SSL_ERROR_SSL);
2520 }
2521
2522 if (SSL_want_read(s)) {
2523 bio = SSL_get_rbio(s);
2524 if (BIO_should_read(bio)) {
2525 return (SSL_ERROR_WANT_READ);
2526 } else if (BIO_should_write(bio)) {
2527 /*
2528 * This one doesn't make too much sense... We never
2529 * try to write to the rbio, and an application
2530 * program where rbio and wbio are separate couldn't
2531 * even know what it should wait for. However if we
2532 * ever set s->rwstate incorrectly (so that we have
2533 * SSL_want_read(s) instead of SSL_want_write(s))
2534 * and rbio and wbio *are* the same, this test works
2535 * around that bug; so it might be safer to keep it.
2536 */
2537 return (SSL_ERROR_WANT_WRITE);
2538 } else if (BIO_should_io_special(bio)) {
2539 reason = BIO_get_retry_reason(bio);
2540 if (reason == BIO_RR_CONNECT)
2541 return (SSL_ERROR_WANT_CONNECT);
2542 else if (reason == BIO_RR_ACCEPT)
2543 return (SSL_ERROR_WANT_ACCEPT);
2544 else
2545 return (SSL_ERROR_SYSCALL); /* unknown */
2546 }
2547 }
2548
2549 if (SSL_want_write(s)) {
2550 bio = SSL_get_wbio(s);
2551 if (BIO_should_write(bio)) {
2552 return (SSL_ERROR_WANT_WRITE);
2553 } else if (BIO_should_read(bio)) {
2554 /*
2555 * See above (SSL_want_read(s) with
2556 * BIO_should_write(bio))
2557 */
2558 return (SSL_ERROR_WANT_READ);
2559 } else if (BIO_should_io_special(bio)) {
2560 reason = BIO_get_retry_reason(bio);
2561 if (reason == BIO_RR_CONNECT)
2562 return (SSL_ERROR_WANT_CONNECT);
2563 else if (reason == BIO_RR_ACCEPT)
2564 return (SSL_ERROR_WANT_ACCEPT);
2565 else
2566 return (SSL_ERROR_SYSCALL);
2567 }
2568 }
2569
2570 if (SSL_want_x509_lookup(s))
2571 return (SSL_ERROR_WANT_X509_LOOKUP);
2572
2573 if ((s->shutdown & SSL_RECEIVED_SHUTDOWN) &&
2574 (s->s3->warn_alert == SSL_AD_CLOSE_NOTIFY))
2575 return (SSL_ERROR_ZERO_RETURN);
2576
2577 return (SSL_ERROR_SYSCALL);
2578}
2579
2580int
2581SSL_CTX_set_quic_method(SSL_CTX *ctx, const SSL_QUIC_METHOD *quic_method)
2582{
2583 if (ctx->method->dtls)
2584 return 0;
2585
2586 ctx->quic_method = quic_method;
2587
2588 return 1;
2589}
2590
2591int
2592SSL_set_quic_method(SSL *ssl, const SSL_QUIC_METHOD *quic_method)
2593{
2594 if (ssl->method->dtls)
2595 return 0;
2596
2597 ssl->quic_method = quic_method;
2598
2599 return 1;
2600}
2601
2602size_t
2603SSL_quic_max_handshake_flight_len(const SSL *ssl,
2604 enum ssl_encryption_level_t level)
2605{
2606 size_t flight_len;
2607
2608 /* Limit flights to 16K when there are no large certificate messages. */
2609 flight_len = 16384;
2610
2611 switch (level) {
2612 case ssl_encryption_initial:
2613 return flight_len;
2614
2615 case ssl_encryption_early_data:
2616 /* QUIC does not send EndOfEarlyData. */
2617 return 0;
2618
2619 case ssl_encryption_handshake:
2620 if (ssl->server) {
2621 /*
2622 * Servers may receive Certificate message if configured
2623 * to request client certificates.
2624 */
2625 if ((SSL_get_verify_mode(ssl) & SSL_VERIFY_PEER) != 0 &&
2626 ssl->max_cert_list > flight_len)
2627 flight_len = ssl->max_cert_list;
2628 } else {
2629 /*
2630 * Clients may receive both Certificate message and a
2631 * CertificateRequest message.
2632 */
2633 if (ssl->max_cert_list * 2 > flight_len)
2634 flight_len = ssl->max_cert_list * 2;
2635 }
2636 return flight_len;
2637 case ssl_encryption_application:
2638 /*
2639 * Note there is not actually a bound on the number of
2640 * NewSessionTickets one may send in a row. This level may need
2641 * more involved flow control.
2642 */
2643 return flight_len;
2644 }
2645
2646 return 0;
2647}
2648
2649enum ssl_encryption_level_t
2650SSL_quic_read_level(const SSL *ssl)
2651{
2652 return ssl->s3->hs.tls13.quic_read_level;
2653}
2654
2655enum ssl_encryption_level_t
2656SSL_quic_write_level(const SSL *ssl)
2657{
2658 return ssl->s3->hs.tls13.quic_write_level;
2659}
2660
2661int
2662SSL_provide_quic_data(SSL *ssl, enum ssl_encryption_level_t level,
2663 const uint8_t *data, size_t len)
2664{
2665 if (!SSL_is_quic(ssl)) {
2666 SSLerror(ssl, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
2667 return 0;
2668 }
2669
2670 if (level != SSL_quic_read_level(ssl)) {
2671 SSLerror(ssl, SSL_R_WRONG_ENCRYPTION_LEVEL_RECEIVED);
2672 return 0;
2673 }
2674
2675 if (ssl->s3->hs.tls13.quic_read_buffer == NULL) {
2676 ssl->s3->hs.tls13.quic_read_buffer = tls_buffer_new(0);
2677 if (ssl->s3->hs.tls13.quic_read_buffer == NULL) {
2678 SSLerror(ssl, ERR_R_MALLOC_FAILURE);
2679 return 0;
2680 }
2681 }
2682
2683 /* XXX - note that this does not currently downsize. */
2684 tls_buffer_set_capacity_limit(ssl->s3->hs.tls13.quic_read_buffer,
2685 SSL_quic_max_handshake_flight_len(ssl, level));
2686
2687 /*
2688 * XXX - an append that fails due to exceeding capacity should set
2689 * SSL_R_EXCESSIVE_MESSAGE_SIZE.
2690 */
2691 return tls_buffer_append(ssl->s3->hs.tls13.quic_read_buffer, data, len);
2692}
2693
2694int
2695SSL_process_quic_post_handshake(SSL *ssl)
2696{
2697 /* XXX - this needs to run PHH received. */
2698 return 1;
2699}
2700
2701int
2702SSL_do_handshake(SSL *s)
2703{
2704 if (s->handshake_func == NULL) {
2705 SSLerror(s, SSL_R_CONNECTION_TYPE_NOT_SET);
2706 return (-1);
2707 }
2708
2709 s->method->ssl_renegotiate_check(s);
2710
2711 if (!SSL_in_init(s) && !SSL_in_before(s))
2712 return 1;
2713
2714 return s->handshake_func(s);
2715}
2716
2717/*
2718 * For the next 2 functions, SSL_clear() sets shutdown and so
2719 * one of these calls will reset it
2720 */
2721void
2722SSL_set_accept_state(SSL *s)
2723{
2724 s->server = 1;
2725 s->shutdown = 0;
2726 s->s3->hs.state = SSL_ST_ACCEPT|SSL_ST_BEFORE;
2727 s->handshake_func = s->method->ssl_accept;
2728 ssl_clear_cipher_state(s);
2729}
2730
2731void
2732SSL_set_connect_state(SSL *s)
2733{
2734 s->server = 0;
2735 s->shutdown = 0;
2736 s->s3->hs.state = SSL_ST_CONNECT|SSL_ST_BEFORE;
2737 s->handshake_func = s->method->ssl_connect;
2738 ssl_clear_cipher_state(s);
2739}
2740
2741int
2742ssl_undefined_function(SSL *s)
2743{
2744 SSLerror(s, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
2745 return (0);
2746}
2747
2748int
2749ssl_undefined_void_function(void)
2750{
2751 SSLerrorx(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
2752 return (0);
2753}
2754
2755int
2756ssl_undefined_const_function(const SSL *s)
2757{
2758 SSLerror(s, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
2759 return (0);
2760}
2761
2762const char *
2763ssl_version_string(int ver)
2764{
2765 switch (ver) {
2766 case TLS1_VERSION:
2767 return (SSL_TXT_TLSV1);
2768 case TLS1_1_VERSION:
2769 return (SSL_TXT_TLSV1_1);
2770 case TLS1_2_VERSION:
2771 return (SSL_TXT_TLSV1_2);
2772 case TLS1_3_VERSION:
2773 return (SSL_TXT_TLSV1_3);
2774 case DTLS1_VERSION:
2775 return (SSL_TXT_DTLS1);
2776 case DTLS1_2_VERSION:
2777 return (SSL_TXT_DTLS1_2);
2778 default:
2779 return ("unknown");
2780 }
2781}
2782
2783const char *
2784SSL_get_version(const SSL *s)
2785{
2786 return ssl_version_string(s->version);
2787}
2788
2789SSL *
2790SSL_dup(SSL *s)
2791{
2792 STACK_OF(X509_NAME) *sk;
2793 X509_NAME *xn;
2794 SSL *ret;
2795 int i;
2796
2797 if ((ret = SSL_new(SSL_get_SSL_CTX(s))) == NULL)
2798 goto err;
2799
2800 ret->version = s->version;
2801 ret->method = s->method;
2802
2803 if (s->session != NULL) {
2804 if (!SSL_copy_session_id(ret, s))
2805 goto err;
2806 } else {
2807 /*
2808 * No session has been established yet, so we have to expect
2809 * that s->cert or ret->cert will be changed later --
2810 * they should not both point to the same object,
2811 * and thus we can't use SSL_copy_session_id.
2812 */
2813
2814 ret->method->ssl_free(ret);
2815 ret->method = s->method;
2816 ret->method->ssl_new(ret);
2817
2818 ssl_cert_free(ret->cert);
2819 if ((ret->cert = ssl_cert_dup(s->cert)) == NULL)
2820 goto err;
2821
2822 if (!SSL_set_session_id_context(ret, s->sid_ctx,
2823 s->sid_ctx_length))
2824 goto err;
2825 }
2826
2827 ret->options = s->options;
2828 ret->mode = s->mode;
2829 SSL_set_max_cert_list(ret, SSL_get_max_cert_list(s));
2830 SSL_set_read_ahead(ret, SSL_get_read_ahead(s));
2831 ret->msg_callback = s->msg_callback;
2832 ret->msg_callback_arg = s->msg_callback_arg;
2833 SSL_set_verify(ret, SSL_get_verify_mode(s),
2834 SSL_get_verify_callback(s));
2835 SSL_set_verify_depth(ret, SSL_get_verify_depth(s));
2836 ret->generate_session_id = s->generate_session_id;
2837
2838 SSL_set_info_callback(ret, SSL_get_info_callback(s));
2839
2840 ret->debug = s->debug;
2841
2842 /* copy app data, a little dangerous perhaps */
2843 if (!CRYPTO_dup_ex_data(CRYPTO_EX_INDEX_SSL,
2844 &ret->ex_data, &s->ex_data))
2845 goto err;
2846
2847 /* setup rbio, and wbio */
2848 if (s->rbio != NULL) {
2849 if (!BIO_dup_state(s->rbio,(char *)&ret->rbio))
2850 goto err;
2851 }
2852 if (s->wbio != NULL) {
2853 if (s->wbio != s->rbio) {
2854 if (!BIO_dup_state(s->wbio,(char *)&ret->wbio))
2855 goto err;
2856 } else
2857 ret->wbio = ret->rbio;
2858 }
2859 ret->rwstate = s->rwstate;
2860 ret->in_handshake = s->in_handshake;
2861 ret->handshake_func = s->handshake_func;
2862 ret->server = s->server;
2863 ret->renegotiate = s->renegotiate;
2864 ret->new_session = s->new_session;
2865 ret->quiet_shutdown = s->quiet_shutdown;
2866 ret->shutdown = s->shutdown;
2867 /* SSL_dup does not really work at any state, though */
2868 ret->s3->hs.state = s->s3->hs.state;
2869 ret->rstate = s->rstate;
2870
2871 /*
2872 * Would have to copy ret->init_buf, ret->init_msg, ret->init_num,
2873 * ret->init_off
2874 */
2875 ret->init_num = 0;
2876
2877 ret->hit = s->hit;
2878
2879 X509_VERIFY_PARAM_inherit(ret->param, s->param);
2880
2881 if (s->cipher_list != NULL) {
2882 if ((ret->cipher_list =
2883 sk_SSL_CIPHER_dup(s->cipher_list)) == NULL)
2884 goto err;
2885 }
2886 if (s->cipher_list_tls13 != NULL) {
2887 if ((ret->cipher_list_tls13 =
2888 sk_SSL_CIPHER_dup(s->cipher_list_tls13)) == NULL)
2889 goto err;
2890 }
2891
2892 /* Dup the client_CA list */
2893 if (s->client_CA != NULL) {
2894 if ((sk = sk_X509_NAME_dup(s->client_CA)) == NULL) goto err;
2895 ret->client_CA = sk;
2896 for (i = 0; i < sk_X509_NAME_num(sk); i++) {
2897 xn = sk_X509_NAME_value(sk, i);
2898 if (sk_X509_NAME_set(sk, i,
2899 X509_NAME_dup(xn)) == NULL) {
2900 X509_NAME_free(xn);
2901 goto err;
2902 }
2903 }
2904 }
2905
2906 return ret;
2907 err:
2908 SSL_free(ret);
2909 return NULL;
2910}
2911
2912void
2913ssl_clear_cipher_state(SSL *s)
2914{
2915 tls12_record_layer_clear_read_state(s->rl);
2916 tls12_record_layer_clear_write_state(s->rl);
2917}
2918
2919void
2920ssl_info_callback(const SSL *s, int type, int value)
2921{
2922 ssl_info_callback_fn *cb;
2923
2924 if ((cb = s->info_callback) == NULL)
2925 cb = s->ctx->info_callback;
2926 if (cb != NULL)
2927 cb(s, type, value);
2928}
2929
2930void
2931ssl_msg_callback(SSL *s, int is_write, int content_type,
2932 const void *msg_buf, size_t msg_len)
2933{
2934 if (s->msg_callback == NULL)
2935 return;
2936
2937 s->msg_callback(is_write, s->version, content_type,
2938 msg_buf, msg_len, s, s->msg_callback_arg);
2939}
2940
2941void
2942ssl_msg_callback_cbs(SSL *s, int is_write, int content_type, CBS *cbs)
2943{
2944 ssl_msg_callback(s, is_write, content_type, CBS_data(cbs), CBS_len(cbs));
2945}
2946
2947/* Fix this function so that it takes an optional type parameter */
2948X509 *
2949SSL_get_certificate(const SSL *s)
2950{
2951 return (s->cert->key->x509);
2952}
2953
2954/* Fix this function so that it takes an optional type parameter */
2955EVP_PKEY *
2956SSL_get_privatekey(const SSL *s)
2957{
2958 return (s->cert->key->privatekey);
2959}
2960
2961const SSL_CIPHER *
2962SSL_get_current_cipher(const SSL *s)
2963{
2964 if ((s->session != NULL) && (s->session->cipher != NULL))
2965 return (s->session->cipher);
2966 return (NULL);
2967}
2968const void *
2969SSL_get_current_compression(SSL *s)
2970{
2971 return (NULL);
2972}
2973
2974const void *
2975SSL_get_current_expansion(SSL *s)
2976{
2977 return (NULL);
2978}
2979
2980size_t
2981SSL_get_client_random(const SSL *s, unsigned char *out, size_t max_out)
2982{
2983 size_t len = sizeof(s->s3->client_random);
2984
2985 if (out == NULL)
2986 return len;
2987
2988 if (len > max_out)
2989 len = max_out;
2990
2991 memcpy(out, s->s3->client_random, len);
2992
2993 return len;
2994}
2995
2996size_t
2997SSL_get_server_random(const SSL *s, unsigned char *out, size_t max_out)
2998{
2999 size_t len = sizeof(s->s3->server_random);
3000
3001 if (out == NULL)
3002 return len;
3003
3004 if (len > max_out)
3005 len = max_out;
3006
3007 memcpy(out, s->s3->server_random, len);
3008
3009 return len;
3010}
3011
3012int
3013ssl_init_wbio_buffer(SSL *s, int push)
3014{
3015 BIO *bbio;
3016
3017 if (s->bbio == NULL) {
3018 bbio = BIO_new(BIO_f_buffer());
3019 if (bbio == NULL)
3020 return (0);
3021 s->bbio = bbio;
3022 } else {
3023 bbio = s->bbio;
3024 if (s->bbio == s->wbio)
3025 s->wbio = BIO_pop(s->wbio);
3026 }
3027 (void)BIO_reset(bbio);
3028/* if (!BIO_set_write_buffer_size(bbio,16*1024)) */
3029 if (!BIO_set_read_buffer_size(bbio, 1)) {
3030 SSLerror(s, ERR_R_BUF_LIB);
3031 return (0);
3032 }
3033 if (push) {
3034 if (s->wbio != bbio)
3035 s->wbio = BIO_push(bbio, s->wbio);
3036 } else {
3037 if (s->wbio == bbio)
3038 s->wbio = BIO_pop(bbio);
3039 }
3040 return (1);
3041}
3042
3043void
3044ssl_free_wbio_buffer(SSL *s)
3045{
3046 if (s == NULL)
3047 return;
3048
3049 if (s->bbio == NULL)
3050 return;
3051
3052 if (s->bbio == s->wbio) {
3053 /* remove buffering */
3054 s->wbio = BIO_pop(s->wbio);
3055 }
3056 BIO_free(s->bbio);
3057 s->bbio = NULL;
3058}
3059
3060void
3061SSL_CTX_set_quiet_shutdown(SSL_CTX *ctx, int mode)
3062{
3063 ctx->quiet_shutdown = mode;
3064}
3065
3066int
3067SSL_CTX_get_quiet_shutdown(const SSL_CTX *ctx)
3068{
3069 return (ctx->quiet_shutdown);
3070}
3071
3072void
3073SSL_set_quiet_shutdown(SSL *s, int mode)
3074{
3075 s->quiet_shutdown = mode;
3076}
3077
3078int
3079SSL_get_quiet_shutdown(const SSL *s)
3080{
3081 return (s->quiet_shutdown);
3082}
3083
3084void
3085SSL_set_shutdown(SSL *s, int mode)
3086{
3087 s->shutdown = mode;
3088}
3089
3090int
3091SSL_get_shutdown(const SSL *s)
3092{
3093 return (s->shutdown);
3094}
3095
3096int
3097SSL_version(const SSL *s)
3098{
3099 return (s->version);
3100}
3101
3102SSL_CTX *
3103SSL_get_SSL_CTX(const SSL *ssl)
3104{
3105 return (ssl->ctx);
3106}
3107
3108SSL_CTX *
3109SSL_set_SSL_CTX(SSL *ssl, SSL_CTX* ctx)
3110{
3111 SSL_CERT *new_cert;
3112
3113 if (ctx == NULL)
3114 ctx = ssl->initial_ctx;
3115 if (ssl->ctx == ctx)
3116 return (ssl->ctx);
3117
3118 if ((new_cert = ssl_cert_dup(ctx->cert)) == NULL)
3119 return NULL;
3120 ssl_cert_free(ssl->cert);
3121 ssl->cert = new_cert;
3122
3123 SSL_CTX_up_ref(ctx);
3124 SSL_CTX_free(ssl->ctx); /* decrement reference count */
3125 ssl->ctx = ctx;
3126
3127 return (ssl->ctx);
3128}
3129
3130int
3131SSL_CTX_set_default_verify_paths(SSL_CTX *ctx)
3132{
3133 return (X509_STORE_set_default_paths(ctx->cert_store));
3134}
3135
3136int
3137SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile,
3138 const char *CApath)
3139{
3140 return (X509_STORE_load_locations(ctx->cert_store, CAfile, CApath));
3141}
3142
3143int
3144SSL_CTX_load_verify_mem(SSL_CTX *ctx, void *buf, int len)
3145{
3146 return (X509_STORE_load_mem(ctx->cert_store, buf, len));
3147}
3148
3149void
3150SSL_set_info_callback(SSL *ssl, void (*cb)(const SSL *ssl, int type, int val))
3151{
3152 ssl->info_callback = cb;
3153}
3154
3155void (*SSL_get_info_callback(const SSL *ssl))(const SSL *ssl, int type, int val)
3156{
3157 return (ssl->info_callback);
3158}
3159
3160int
3161SSL_state(const SSL *ssl)
3162{
3163 return (ssl->s3->hs.state);
3164}
3165
3166void
3167SSL_set_state(SSL *ssl, int state)
3168{
3169 ssl->s3->hs.state = state;
3170}
3171
3172void
3173SSL_set_verify_result(SSL *ssl, long arg)
3174{
3175 ssl->verify_result = arg;
3176}
3177
3178long
3179SSL_get_verify_result(const SSL *ssl)
3180{
3181 return (ssl->verify_result);
3182}
3183
3184int
3185SSL_verify_client_post_handshake(SSL *ssl)
3186{
3187 return 0;
3188}
3189
3190void
3191SSL_CTX_set_post_handshake_auth(SSL_CTX *ctx, int val)
3192{
3193 return;
3194}
3195
3196void
3197SSL_set_post_handshake_auth(SSL *ssl, int val)
3198{
3199 return;
3200}
3201
3202int
3203SSL_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
3204 CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func)
3205{
3206 return (CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_SSL, argl, argp,
3207 new_func, dup_func, free_func));
3208}
3209
3210int
3211SSL_set_ex_data(SSL *s, int idx, void *arg)
3212{
3213 return (CRYPTO_set_ex_data(&s->ex_data, idx, arg));
3214}
3215
3216void *
3217SSL_get_ex_data(const SSL *s, int idx)
3218{
3219 return (CRYPTO_get_ex_data(&s->ex_data, idx));
3220}
3221
3222int
3223SSL_CTX_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
3224 CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func)
3225{
3226 return (CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_SSL_CTX, argl, argp,
3227 new_func, dup_func, free_func));
3228}
3229
3230int
3231SSL_CTX_set_ex_data(SSL_CTX *s, int idx, void *arg)
3232{
3233 return (CRYPTO_set_ex_data(&s->ex_data, idx, arg));
3234}
3235
3236void *
3237SSL_CTX_get_ex_data(const SSL_CTX *s, int idx)
3238{
3239 return (CRYPTO_get_ex_data(&s->ex_data, idx));
3240}
3241
3242int
3243ssl_ok(SSL *s)
3244{
3245 return (1);
3246}
3247
3248X509_STORE *
3249SSL_CTX_get_cert_store(const SSL_CTX *ctx)
3250{
3251 return (ctx->cert_store);
3252}
3253
3254void
3255SSL_CTX_set_cert_store(SSL_CTX *ctx, X509_STORE *store)
3256{
3257 X509_STORE_free(ctx->cert_store);
3258 ctx->cert_store = store;
3259}
3260
3261X509 *
3262SSL_CTX_get0_certificate(const SSL_CTX *ctx)
3263{
3264 if (ctx->cert == NULL)
3265 return NULL;
3266
3267 return ctx->cert->key->x509;
3268}
3269
3270EVP_PKEY *
3271SSL_CTX_get0_privatekey(const SSL_CTX *ctx)
3272{
3273 if (ctx->cert == NULL)
3274 return NULL;
3275
3276 return ctx->cert->key->privatekey;
3277}
3278
3279int
3280SSL_want(const SSL *s)
3281{
3282 return (s->rwstate);
3283}
3284
3285void
3286SSL_CTX_set_tmp_rsa_callback(SSL_CTX *ctx, RSA *(*cb)(SSL *ssl, int is_export,
3287 int keylength))
3288{
3289 SSL_CTX_callback_ctrl(ctx, SSL_CTRL_SET_TMP_RSA_CB,(void (*)(void))cb);
3290}
3291
3292void
3293SSL_set_tmp_rsa_callback(SSL *ssl, RSA *(*cb)(SSL *ssl, int is_export,
3294 int keylength))
3295{
3296 SSL_callback_ctrl(ssl, SSL_CTRL_SET_TMP_RSA_CB,(void (*)(void))cb);
3297}
3298
3299void
3300SSL_CTX_set_tmp_dh_callback(SSL_CTX *ctx, DH *(*dh)(SSL *ssl, int is_export,
3301 int keylength))
3302{
3303 SSL_CTX_callback_ctrl(ctx, SSL_CTRL_SET_TMP_DH_CB,(void (*)(void))dh);
3304}
3305
3306void
3307SSL_set_tmp_dh_callback(SSL *ssl, DH *(*dh)(SSL *ssl, int is_export,
3308 int keylength))
3309{
3310 SSL_callback_ctrl(ssl, SSL_CTRL_SET_TMP_DH_CB,(void (*)(void))dh);
3311}
3312
3313void
3314SSL_CTX_set_tmp_ecdh_callback(SSL_CTX *ctx, EC_KEY *(*ecdh)(SSL *ssl,
3315 int is_export, int keylength))
3316{
3317 SSL_CTX_callback_ctrl(ctx, SSL_CTRL_SET_TMP_ECDH_CB,
3318 (void (*)(void))ecdh);
3319}
3320
3321void
3322SSL_set_tmp_ecdh_callback(SSL *ssl, EC_KEY *(*ecdh)(SSL *ssl, int is_export,
3323 int keylength))
3324{
3325 SSL_callback_ctrl(ssl, SSL_CTRL_SET_TMP_ECDH_CB,(void (*)(void))ecdh);
3326}
3327
3328
3329void
3330SSL_CTX_set_msg_callback(SSL_CTX *ctx, void (*cb)(int write_p, int version,
3331 int content_type, const void *buf, size_t len, SSL *ssl, void *arg))
3332{
3333 SSL_CTX_callback_ctrl(ctx, SSL_CTRL_SET_MSG_CALLBACK,
3334 (void (*)(void))cb);
3335}
3336
3337void
3338SSL_set_msg_callback(SSL *ssl, void (*cb)(int write_p, int version,
3339 int content_type, const void *buf, size_t len, SSL *ssl, void *arg))
3340{
3341 SSL_callback_ctrl(ssl, SSL_CTRL_SET_MSG_CALLBACK, (void (*)(void))cb);
3342}
3343
3344void
3345SSL_set_debug(SSL *s, int debug)
3346{
3347 s->debug = debug;
3348}
3349
3350int
3351SSL_cache_hit(SSL *s)
3352{
3353 return (s->hit);
3354}
3355
3356int
3357SSL_CTX_get_min_proto_version(SSL_CTX *ctx)
3358{
3359 return ctx->min_proto_version;
3360}
3361
3362int
3363SSL_CTX_set_min_proto_version(SSL_CTX *ctx, uint16_t version)
3364{
3365 return ssl_version_set_min(ctx->method, version,
3366 ctx->max_tls_version, &ctx->min_tls_version,
3367 &ctx->min_proto_version);
3368}
3369
3370int
3371SSL_CTX_get_max_proto_version(SSL_CTX *ctx)
3372{
3373 return ctx->max_proto_version;
3374}
3375
3376int
3377SSL_CTX_set_max_proto_version(SSL_CTX *ctx, uint16_t version)
3378{
3379 return ssl_version_set_max(ctx->method, version,
3380 ctx->min_tls_version, &ctx->max_tls_version,
3381 &ctx->max_proto_version);
3382}
3383
3384int
3385SSL_get_min_proto_version(SSL *ssl)
3386{
3387 return ssl->min_proto_version;
3388}
3389
3390int
3391SSL_set_min_proto_version(SSL *ssl, uint16_t version)
3392{
3393 return ssl_version_set_min(ssl->method, version,
3394 ssl->max_tls_version, &ssl->min_tls_version,
3395 &ssl->min_proto_version);
3396}
3397int
3398SSL_get_max_proto_version(SSL *ssl)
3399{
3400 return ssl->max_proto_version;
3401}
3402
3403int
3404SSL_set_max_proto_version(SSL *ssl, uint16_t version)
3405{
3406 return ssl_version_set_max(ssl->method, version,
3407 ssl->min_tls_version, &ssl->max_tls_version,
3408 &ssl->max_proto_version);
3409}
3410
3411const SSL_METHOD *
3412SSL_CTX_get_ssl_method(const SSL_CTX *ctx)
3413{
3414 return ctx->method;
3415}
3416
3417int
3418SSL_CTX_get_security_level(const SSL_CTX *ctx)
3419{
3420 return ctx->cert->security_level;
3421}
3422
3423void
3424SSL_CTX_set_security_level(SSL_CTX *ctx, int level)
3425{
3426 ctx->cert->security_level = level;
3427}
3428
3429int
3430SSL_get_security_level(const SSL *ssl)
3431{
3432 return ssl->cert->security_level;
3433}
3434
3435void
3436SSL_set_security_level(SSL *ssl, int level)
3437{
3438 ssl->cert->security_level = level;
3439}
3440
3441int
3442SSL_is_quic(const SSL *ssl)
3443{
3444 return ssl->quic_method != NULL;
3445}
3446
3447int
3448SSL_set_quic_transport_params(SSL *ssl, const uint8_t *params,
3449 size_t params_len)
3450{
3451 freezero(ssl->quic_transport_params,
3452 ssl->quic_transport_params_len);
3453 ssl->quic_transport_params = NULL;
3454 ssl->quic_transport_params_len = 0;
3455
3456 if ((ssl->quic_transport_params = malloc(params_len)) == NULL)
3457 return 0;
3458
3459 memcpy(ssl->quic_transport_params, params, params_len);
3460 ssl->quic_transport_params_len = params_len;
3461
3462 return 1;
3463}
3464
3465void
3466SSL_get_peer_quic_transport_params(const SSL *ssl, const uint8_t **out_params,
3467 size_t *out_params_len)
3468{
3469 *out_params = ssl->s3->peer_quic_transport_params;
3470 *out_params_len = ssl->s3->peer_quic_transport_params_len;
3471}
3472
3473void
3474SSL_set_quic_use_legacy_codepoint(SSL *ssl, int use_legacy)
3475{
3476 /* Not supported. */
3477}
3478
3479static int
3480ssl_cipher_id_cmp_BSEARCH_CMP_FN(const void *a_, const void *b_)
3481{
3482 SSL_CIPHER const *a = a_;
3483 SSL_CIPHER const *b = b_;
3484 return ssl_cipher_id_cmp(a, b);
3485}
3486
3487SSL_CIPHER *
3488OBJ_bsearch_ssl_cipher_id(SSL_CIPHER *key, SSL_CIPHER const *base, int num)
3489{
3490 return (SSL_CIPHER *)OBJ_bsearch_(key, base, num, sizeof(SSL_CIPHER),
3491 ssl_cipher_id_cmp_BSEARCH_CMP_FN);
3492}
diff --git a/src/lib/libssl/ssl_local.h b/src/lib/libssl/ssl_local.h
deleted file mode 100644
index d510f80d8c..0000000000
--- a/src/lib/libssl/ssl_local.h
+++ /dev/null
@@ -1,1538 +0,0 @@
1/* $OpenBSD: ssl_local.h,v 1.3 2022/12/26 07:31:44 jmc Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58/* ====================================================================
59 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
60 *
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
63 * are met:
64 *
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
67 *
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
71 * distribution.
72 *
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77 *
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
82 *
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
86 *
87 * 6. Redistributions of any form whatsoever must retain the following
88 * acknowledgment:
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91 *
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
105 *
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
109 *
110 */
111/* ====================================================================
112 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
113 * ECC cipher suite support in OpenSSL originally developed by
114 * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
115 */
116/* ====================================================================
117 * Copyright 2005 Nokia. All rights reserved.
118 *
119 * The portions of the attached software ("Contribution") is developed by
120 * Nokia Corporation and is licensed pursuant to the OpenSSL open source
121 * license.
122 *
123 * The Contribution, originally written by Mika Kousa and Pasi Eronen of
124 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
125 * support (see RFC 4279) to OpenSSL.
126 *
127 * No patent licenses or other rights except those expressly stated in
128 * the OpenSSL open source license shall be deemed granted or received
129 * expressly, by implication, estoppel, or otherwise.
130 *
131 * No assurances are provided by Nokia that the Contribution does not
132 * infringe the patent or other intellectual property rights of any third
133 * party or that the license provides you with all the necessary rights
134 * to make use of the Contribution.
135 *
136 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
137 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
138 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
139 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
140 * OTHERWISE.
141 */
142
143#ifndef HEADER_SSL_LOCL_H
144#define HEADER_SSL_LOCL_H
145
146#include <sys/types.h>
147
148#include <errno.h>
149#include <stdlib.h>
150#include <string.h>
151#include <time.h>
152#include <unistd.h>
153
154#include <openssl/opensslconf.h>
155
156#include <openssl/bio.h>
157#include <openssl/buffer.h>
158#include <openssl/dsa.h>
159#include <openssl/err.h>
160#include <openssl/rsa.h>
161#include <openssl/ssl.h>
162#include <openssl/stack.h>
163
164#include "bytestring.h"
165#include "tls_content.h"
166#include "tls13_internal.h"
167
168__BEGIN_HIDDEN_DECLS
169
170#define CTASSERT(x) extern char _ctassert[(x) ? 1 : -1 ] \
171 __attribute__((__unused__))
172
173#ifndef LIBRESSL_HAS_DTLS1_2
174#define LIBRESSL_HAS_DTLS1_2
175#endif
176
177#ifndef LIBRESSL_HAS_TLS1_3_CLIENT
178#define LIBRESSL_HAS_TLS1_3_CLIENT
179#endif
180
181#ifndef LIBRESSL_HAS_TLS1_3_SERVER
182#define LIBRESSL_HAS_TLS1_3_SERVER
183#endif
184
185#if defined(LIBRESSL_HAS_TLS1_3_CLIENT) || defined(LIBRESSL_HAS_TLS1_3_SERVER)
186#define LIBRESSL_HAS_TLS1_3
187#endif
188
189/* LOCAL STUFF */
190
191#define SSL_DECRYPT 0
192#define SSL_ENCRYPT 1
193
194/*
195 * Define the Bitmasks for SSL_CIPHER.algorithms.
196 * This bits are used packed as dense as possible. If new methods/ciphers
197 * etc will be added, the bits a likely to change, so this information
198 * is for internal library use only, even though SSL_CIPHER.algorithms
199 * can be publicly accessed.
200 * Use the according functions for cipher management instead.
201 *
202 * The bit mask handling in the selection and sorting scheme in
203 * ssl_create_cipher_list() has only limited capabilities, reflecting
204 * that the different entities within are mutually exclusive:
205 * ONLY ONE BIT PER MASK CAN BE SET AT A TIME.
206 */
207
208/* Bits for algorithm_mkey (key exchange algorithm) */
209#define SSL_kRSA 0x00000001L /* RSA key exchange */
210#define SSL_kDHE 0x00000008L /* tmp DH key no DH cert */
211#define SSL_kECDHE 0x00000080L /* ephemeral ECDH */
212#define SSL_kGOST 0x00000200L /* GOST key exchange */
213#define SSL_kTLS1_3 0x00000400L /* TLSv1.3 key exchange */
214
215/* Bits for algorithm_auth (server authentication) */
216#define SSL_aRSA 0x00000001L /* RSA auth */
217#define SSL_aDSS 0x00000002L /* DSS auth */
218#define SSL_aNULL 0x00000004L /* no auth (i.e. use ADH or AECDH) */
219#define SSL_aECDSA 0x00000040L /* ECDSA auth*/
220#define SSL_aGOST01 0x00000200L /* GOST R 34.10-2001 signature auth */
221#define SSL_aTLS1_3 0x00000400L /* TLSv1.3 authentication */
222
223/* Bits for algorithm_enc (symmetric encryption) */
224#define SSL_DES 0x00000001L
225#define SSL_3DES 0x00000002L
226#define SSL_RC4 0x00000004L
227#define SSL_IDEA 0x00000008L
228#define SSL_eNULL 0x00000010L
229#define SSL_AES128 0x00000020L
230#define SSL_AES256 0x00000040L
231#define SSL_CAMELLIA128 0x00000080L
232#define SSL_CAMELLIA256 0x00000100L
233#define SSL_eGOST2814789CNT 0x00000200L
234#define SSL_AES128GCM 0x00000400L
235#define SSL_AES256GCM 0x00000800L
236#define SSL_CHACHA20POLY1305 0x00001000L
237
238#define SSL_AES (SSL_AES128|SSL_AES256|SSL_AES128GCM|SSL_AES256GCM)
239#define SSL_CAMELLIA (SSL_CAMELLIA128|SSL_CAMELLIA256)
240
241
242/* Bits for algorithm_mac (symmetric authentication) */
243
244#define SSL_MD5 0x00000001L
245#define SSL_SHA1 0x00000002L
246#define SSL_GOST94 0x00000004L
247#define SSL_GOST89MAC 0x00000008L
248#define SSL_SHA256 0x00000010L
249#define SSL_SHA384 0x00000020L
250/* Not a real MAC, just an indication it is part of cipher */
251#define SSL_AEAD 0x00000040L
252#define SSL_STREEBOG256 0x00000080L
253
254/* Bits for algorithm_ssl (protocol version) */
255#define SSL_SSLV3 0x00000002L
256#define SSL_TLSV1 SSL_SSLV3 /* for now */
257#define SSL_TLSV1_2 0x00000004L
258#define SSL_TLSV1_3 0x00000008L
259
260
261/* Bits for algorithm2 (handshake digests and other extra flags) */
262
263#define SSL_HANDSHAKE_MAC_MASK 0xff0
264#define SSL_HANDSHAKE_MAC_MD5 0x010
265#define SSL_HANDSHAKE_MAC_SHA 0x020
266#define SSL_HANDSHAKE_MAC_GOST94 0x040
267#define SSL_HANDSHAKE_MAC_SHA256 0x080
268#define SSL_HANDSHAKE_MAC_SHA384 0x100
269#define SSL_HANDSHAKE_MAC_STREEBOG256 0x200
270#define SSL_HANDSHAKE_MAC_DEFAULT (SSL_HANDSHAKE_MAC_MD5 | SSL_HANDSHAKE_MAC_SHA)
271
272#define SSL3_CK_ID 0x03000000
273#define SSL3_CK_VALUE_MASK 0x0000ffff
274
275#define TLS1_PRF_DGST_MASK (0xff << TLS1_PRF_DGST_SHIFT)
276
277#define TLS1_PRF_DGST_SHIFT 10
278#define TLS1_PRF_MD5 (SSL_HANDSHAKE_MAC_MD5 << TLS1_PRF_DGST_SHIFT)
279#define TLS1_PRF_SHA1 (SSL_HANDSHAKE_MAC_SHA << TLS1_PRF_DGST_SHIFT)
280#define TLS1_PRF_SHA256 (SSL_HANDSHAKE_MAC_SHA256 << TLS1_PRF_DGST_SHIFT)
281#define TLS1_PRF_SHA384 (SSL_HANDSHAKE_MAC_SHA384 << TLS1_PRF_DGST_SHIFT)
282#define TLS1_PRF_GOST94 (SSL_HANDSHAKE_MAC_GOST94 << TLS1_PRF_DGST_SHIFT)
283#define TLS1_PRF_STREEBOG256 (SSL_HANDSHAKE_MAC_STREEBOG256 << TLS1_PRF_DGST_SHIFT)
284#define TLS1_PRF (TLS1_PRF_MD5 | TLS1_PRF_SHA1)
285
286/*
287 * Stream MAC for GOST ciphersuites from cryptopro draft
288 * (currently this also goes into algorithm2).
289 */
290#define TLS1_STREAM_MAC 0x04
291
292/*
293 * SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD is an algorithm2 flag that
294 * indicates that the variable part of the nonce is included as a prefix of
295 * the record (AES-GCM, for example, does this with an 8-byte variable nonce.)
296 */
297#define SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD (1 << 22)
298
299/*
300 * SSL_CIPHER_AEAD_FIXED_NONCE_LEN returns the number of bytes of fixed nonce
301 * for an SSL_CIPHER with an algorithm_mac of SSL_AEAD.
302 */
303#define SSL_CIPHER_AEAD_FIXED_NONCE_LEN(ssl_cipher) \
304 (((ssl_cipher->algorithm2 >> 24) & 0xf) * 2)
305
306/*
307 * Cipher strength information.
308 */
309#define SSL_STRONG_MASK 0x000001fcL
310#define SSL_STRONG_NONE 0x00000004L
311#define SSL_LOW 0x00000020L
312#define SSL_MEDIUM 0x00000040L
313#define SSL_HIGH 0x00000080L
314
315/*
316 * The keylength (measured in RSA key bits, I guess) for temporary keys.
317 * Cipher argument is so that this can be variable in the future.
318 */
319#define SSL_C_PKEYLENGTH(c) 1024
320
321/* See if we use signature algorithms extension. */
322#define SSL_USE_SIGALGS(s) \
323 (s->method->enc_flags & SSL_ENC_FLAG_SIGALGS)
324
325/* See if we use SHA256 default PRF. */
326#define SSL_USE_SHA256_PRF(s) \
327 (s->method->enc_flags & SSL_ENC_FLAG_SHA256_PRF)
328
329/* Allow TLS 1.2 ciphersuites: applies to DTLS 1.2 as well as TLS 1.2. */
330#define SSL_USE_TLS1_2_CIPHERS(s) \
331 (s->method->enc_flags & SSL_ENC_FLAG_TLS1_2_CIPHERS)
332
333/* Allow TLS 1.3 ciphersuites only. */
334#define SSL_USE_TLS1_3_CIPHERS(s) \
335 (s->method->enc_flags & SSL_ENC_FLAG_TLS1_3_CIPHERS)
336
337#define SSL_PKEY_RSA 0
338#define SSL_PKEY_ECC 1
339#define SSL_PKEY_GOST01 2
340#define SSL_PKEY_NUM 3
341
342#define SSL_MAX_EMPTY_RECORDS 32
343
344/* SSL_kRSA <- RSA_ENC | (RSA_TMP & RSA_SIGN) |
345 * <- (EXPORT & (RSA_ENC | RSA_TMP) & RSA_SIGN)
346 * SSL_kDH <- DH_ENC & (RSA_ENC | RSA_SIGN | DSA_SIGN)
347 * SSL_kDHE <- RSA_ENC | RSA_SIGN | DSA_SIGN
348 * SSL_aRSA <- RSA_ENC | RSA_SIGN
349 * SSL_aDSS <- DSA_SIGN
350 */
351
352/* From ECC-TLS draft, used in encoding the curve type in
353 * ECParameters
354 */
355#define EXPLICIT_PRIME_CURVE_TYPE 1
356#define EXPLICIT_CHAR2_CURVE_TYPE 2
357#define NAMED_CURVE_TYPE 3
358
359typedef struct ssl_cert_pkey_st {
360 X509 *x509;
361 EVP_PKEY *privatekey;
362 STACK_OF(X509) *chain;
363} SSL_CERT_PKEY;
364
365typedef struct ssl_cert_st {
366 /* Current active set */
367 /* ALWAYS points to an element of the pkeys array
368 * Probably it would make more sense to store
369 * an index, not a pointer. */
370 SSL_CERT_PKEY *key;
371
372 SSL_CERT_PKEY pkeys[SSL_PKEY_NUM];
373
374 /* The following masks are for the key and auth
375 * algorithms that are supported by the certs below */
376 int valid;
377 unsigned long mask_k;
378 unsigned long mask_a;
379
380 DH *dhe_params;
381 DH *(*dhe_params_cb)(SSL *ssl, int is_export, int keysize);
382 int dhe_params_auto;
383
384 int (*security_cb)(const SSL *s, const SSL_CTX *ctx, int op, int bits,
385 int nid, void *other, void *ex_data); /* Not exposed in API. */
386 int security_level;
387 void *security_ex_data; /* Not exposed in API. */
388
389 int references; /* >1 only if SSL_copy_session_id is used */
390} SSL_CERT;
391
392struct ssl_comp_st {
393 int id;
394 const char *name;
395};
396
397struct ssl_cipher_st {
398 int valid;
399 const char *name; /* text name */
400 unsigned long id; /* id, 4 bytes, first is version */
401
402 unsigned long algorithm_mkey; /* key exchange algorithm */
403 unsigned long algorithm_auth; /* server authentication */
404 unsigned long algorithm_enc; /* symmetric encryption */
405 unsigned long algorithm_mac; /* symmetric authentication */
406 unsigned long algorithm_ssl; /* (major) protocol version */
407
408 unsigned long algo_strength; /* strength and export flags */
409 unsigned long algorithm2; /* Extra flags */
410 int strength_bits; /* Number of bits really used */
411 int alg_bits; /* Number of bits for algorithm */
412};
413
414struct ssl_method_st {
415 int dtls;
416 int server;
417 int version;
418
419 uint16_t min_tls_version;
420 uint16_t max_tls_version;
421
422 int (*ssl_new)(SSL *s);
423 void (*ssl_clear)(SSL *s);
424 void (*ssl_free)(SSL *s);
425
426 int (*ssl_accept)(SSL *s);
427 int (*ssl_connect)(SSL *s);
428 int (*ssl_shutdown)(SSL *s);
429
430 int (*ssl_renegotiate)(SSL *s);
431 int (*ssl_renegotiate_check)(SSL *s);
432
433 int (*ssl_pending)(const SSL *s);
434 int (*ssl_read_bytes)(SSL *s, int type, unsigned char *buf, int len,
435 int peek);
436 int (*ssl_write_bytes)(SSL *s, int type, const void *buf_, int len);
437
438 const SSL_CIPHER *(*get_cipher)(unsigned int ncipher);
439
440 unsigned int enc_flags; /* SSL_ENC_FLAG_* */
441};
442
443/*
444 * Let's make this into an ASN.1 type structure as follows
445 * SSL_SESSION_ID ::= SEQUENCE {
446 * version INTEGER, -- structure version number
447 * SSLversion INTEGER, -- SSL version number
448 * Cipher OCTET STRING, -- the 2 byte cipher ID
449 * Session_ID OCTET STRING, -- the Session ID
450 * Master_key OCTET STRING, -- the master key
451 * KRB5_principal OCTET STRING -- optional Kerberos principal
452 * Time [ 1 ] EXPLICIT INTEGER, -- optional Start Time
453 * Timeout [ 2 ] EXPLICIT INTEGER, -- optional Timeout ins seconds
454 * Peer [ 3 ] EXPLICIT X509, -- optional Peer Certificate
455 * Session_ID_context [ 4 ] EXPLICIT OCTET STRING, -- the Session ID context
456 * Verify_result [ 5 ] EXPLICIT INTEGER, -- X509_V_... code for `Peer'
457 * HostName [ 6 ] EXPLICIT OCTET STRING, -- optional HostName from servername TLS extension
458 * PSK_identity_hint [ 7 ] EXPLICIT OCTET STRING, -- optional PSK identity hint
459 * PSK_identity [ 8 ] EXPLICIT OCTET STRING, -- optional PSK identity
460 * Ticket_lifetime_hint [9] EXPLICIT INTEGER, -- server's lifetime hint for session ticket
461 * Ticket [10] EXPLICIT OCTET STRING, -- session ticket (clients only)
462 * Compression_meth [11] EXPLICIT OCTET STRING, -- optional compression method
463 * SRP_username [ 12 ] EXPLICIT OCTET STRING -- optional SRP username
464 * }
465 * Look in ssl/ssl_asn1.c for more details
466 * I'm using EXPLICIT tags so I can read the damn things using asn1parse :-).
467 */
468struct ssl_session_st {
469 int ssl_version; /* what ssl version session info is
470 * being kept in here? */
471
472 size_t master_key_length;
473 unsigned char master_key[SSL_MAX_MASTER_KEY_LENGTH];
474
475 /* session_id - valid? */
476 size_t session_id_length;
477 unsigned char session_id[SSL_MAX_SSL_SESSION_ID_LENGTH];
478
479 /* this is used to determine whether the session is being reused in
480 * the appropriate context. It is up to the application to set this,
481 * via SSL_new */
482 size_t sid_ctx_length;
483 unsigned char sid_ctx[SSL_MAX_SID_CTX_LENGTH];
484
485 /* Peer provided leaf (end-entity) certificate. */
486 X509 *peer_cert;
487 int peer_cert_type;
488
489 /* when app_verify_callback accepts a session where the peer's certificate
490 * is not ok, we must remember the error for session reuse: */
491 long verify_result; /* only for servers */
492
493 long timeout;
494 time_t time;
495 int references;
496
497 const SSL_CIPHER *cipher;
498 unsigned long cipher_id; /* when ASN.1 loaded, this
499 * needs to be used to load
500 * the 'cipher' structure */
501
502 STACK_OF(SSL_CIPHER) *ciphers; /* shared ciphers? */
503
504 char *tlsext_hostname;
505
506 /* Session resumption - RFC 5077 and RFC 8446. */
507 unsigned char *tlsext_tick; /* Session ticket */
508 size_t tlsext_ticklen; /* Session ticket length */
509 uint32_t tlsext_tick_lifetime_hint; /* Session lifetime hint in seconds */
510 uint32_t tlsext_tick_age_add; /* TLSv1.3 ticket age obfuscation (in ms) */
511 struct tls13_secret resumption_master_secret;
512
513 CRYPTO_EX_DATA ex_data; /* application specific data */
514
515 /* These are used to make removal of session-ids more
516 * efficient and to implement a maximum cache size. */
517 struct ssl_session_st *prev, *next;
518
519 /* Used to indicate that session resumption is not allowed.
520 * Applications can also set this bit for a new session via
521 * not_resumable_session_cb to disable session caching and tickets. */
522 int not_resumable;
523
524 size_t tlsext_ecpointformatlist_length;
525 uint8_t *tlsext_ecpointformatlist; /* peer's list */
526 size_t tlsext_supportedgroups_length;
527 uint16_t *tlsext_supportedgroups; /* peer's list */
528};
529
530struct ssl_sigalg;
531
532typedef struct ssl_handshake_tls12_st {
533 /* Used when SSL_ST_FLUSH_DATA is entered. */
534 int next_state;
535
536 /* Handshake message type and size. */
537 int message_type;
538 unsigned long message_size;
539
540 /* Reuse current handshake message. */
541 int reuse_message;
542
543 /* Client certificate requests. */
544 int cert_request;
545 STACK_OF(X509_NAME) *ca_names;
546
547 /* Record-layer key block for TLS 1.2 and earlier. */
548 struct tls12_key_block *key_block;
549
550 /* Transcript hash prior to sending certificate verify message. */
551 uint8_t cert_verify[EVP_MAX_MD_SIZE];
552} SSL_HANDSHAKE_TLS12;
553
554typedef struct ssl_handshake_tls13_st {
555 int use_legacy;
556 int hrr;
557
558 /* Client indicates psk_dhe_ke support in PskKeyExchangeMode. */
559 int use_psk_dhe_ke;
560
561 /* Certificate selected for use (static pointer). */
562 const SSL_CERT_PKEY *cpk;
563
564 /* Version proposed by peer server. */
565 uint16_t server_version;
566
567 uint16_t server_group;
568 struct tls13_secrets *secrets;
569
570 uint8_t *cookie;
571 size_t cookie_len;
572
573 /* Preserved transcript hash. */
574 uint8_t transcript_hash[EVP_MAX_MD_SIZE];
575 size_t transcript_hash_len;
576
577 /* Legacy session ID. */
578 uint8_t legacy_session_id[SSL_MAX_SSL_SESSION_ID_LENGTH];
579 size_t legacy_session_id_len;
580
581 /* ClientHello hash, used to validate following HelloRetryRequest */
582 EVP_MD_CTX *clienthello_md_ctx;
583 unsigned char *clienthello_hash;
584 unsigned int clienthello_hash_len;
585
586 /* QUIC read buffer and read/write encryption levels. */
587 struct tls_buffer *quic_read_buffer;
588 enum ssl_encryption_level_t quic_read_level;
589 enum ssl_encryption_level_t quic_write_level;
590} SSL_HANDSHAKE_TLS13;
591
592typedef struct ssl_handshake_st {
593 /*
594 * Minimum and maximum versions supported for this handshake. These are
595 * initialised at the start of a handshake based on the method in use
596 * and the current protocol version configuration.
597 */
598 uint16_t our_min_tls_version;
599 uint16_t our_max_tls_version;
600
601 /*
602 * Version negotiated for this session. For a client this is set once
603 * the server selected version is parsed from the ServerHello (either
604 * from the legacy version or supported versions extension). For a
605 * server this is set once we select the version we will use with the
606 * client.
607 */
608 uint16_t negotiated_tls_version;
609
610 /*
611 * Legacy version advertised by our peer. For a server this is the
612 * version specified by the client in the ClientHello message. For a
613 * client, this is the version provided in the ServerHello message.
614 */
615 uint16_t peer_legacy_version;
616
617 /*
618 * Current handshake state - contains one of the SSL3_ST_* values and
619 * is used by the TLSv1.2 state machine, as well as being updated by
620 * the TLSv1.3 stack due to it being exposed externally.
621 */
622 int state;
623
624 /* Cipher being negotiated in this handshake. */
625 const SSL_CIPHER *cipher;
626
627 /* Extensions seen in this handshake. */
628 uint32_t extensions_seen;
629
630 /* Signature algorithms selected for use (static pointers). */
631 const struct ssl_sigalg *our_sigalg;
632 const struct ssl_sigalg *peer_sigalg;
633
634 /* sigalgs offered in this handshake in wire form */
635 uint8_t *sigalgs;
636 size_t sigalgs_len;
637
638 /* Key share for ephemeral key exchange. */
639 struct tls_key_share *key_share;
640
641 /*
642 * Copies of the verify data sent in our finished message and the
643 * verify data received in the finished message sent by our peer.
644 */
645 uint8_t finished[EVP_MAX_MD_SIZE];
646 size_t finished_len;
647 uint8_t peer_finished[EVP_MAX_MD_SIZE];
648 size_t peer_finished_len;
649
650 /* List of certificates received from our peer. */
651 STACK_OF(X509) *peer_certs;
652 STACK_OF(X509) *peer_certs_no_leaf;
653
654 SSL_HANDSHAKE_TLS12 tls12;
655 SSL_HANDSHAKE_TLS13 tls13;
656} SSL_HANDSHAKE;
657
658typedef struct tls_session_ticket_ext_st TLS_SESSION_TICKET_EXT;
659
660/* TLS Session Ticket extension struct. */
661struct tls_session_ticket_ext_st {
662 unsigned short length;
663 void *data;
664};
665
666struct tls12_key_block;
667
668struct tls12_key_block *tls12_key_block_new(void);
669void tls12_key_block_free(struct tls12_key_block *kb);
670void tls12_key_block_client_write(struct tls12_key_block *kb, CBS *mac_key,
671 CBS *key, CBS *iv);
672void tls12_key_block_server_write(struct tls12_key_block *kb, CBS *mac_key,
673 CBS *key, CBS *iv);
674int tls12_key_block_generate(struct tls12_key_block *kb, SSL *s,
675 const EVP_AEAD *aead, const EVP_CIPHER *cipher, const EVP_MD *mac_hash);
676
677struct tls12_record_layer;
678
679struct tls12_record_layer *tls12_record_layer_new(void);
680void tls12_record_layer_free(struct tls12_record_layer *rl);
681void tls12_record_layer_alert(struct tls12_record_layer *rl,
682 uint8_t *alert_desc);
683int tls12_record_layer_write_overhead(struct tls12_record_layer *rl,
684 size_t *overhead);
685int tls12_record_layer_read_protected(struct tls12_record_layer *rl);
686int tls12_record_layer_write_protected(struct tls12_record_layer *rl);
687void tls12_record_layer_set_aead(struct tls12_record_layer *rl,
688 const EVP_AEAD *aead);
689void tls12_record_layer_set_cipher_hash(struct tls12_record_layer *rl,
690 const EVP_CIPHER *cipher, const EVP_MD *handshake_hash,
691 const EVP_MD *mac_hash);
692void tls12_record_layer_set_version(struct tls12_record_layer *rl,
693 uint16_t version);
694void tls12_record_layer_set_initial_epoch(struct tls12_record_layer *rl,
695 uint16_t epoch);
696uint16_t tls12_record_layer_read_epoch(struct tls12_record_layer *rl);
697uint16_t tls12_record_layer_write_epoch(struct tls12_record_layer *rl);
698int tls12_record_layer_use_write_epoch(struct tls12_record_layer *rl,
699 uint16_t epoch);
700void tls12_record_layer_write_epoch_done(struct tls12_record_layer *rl,
701 uint16_t epoch);
702void tls12_record_layer_clear_read_state(struct tls12_record_layer *rl);
703void tls12_record_layer_clear_write_state(struct tls12_record_layer *rl);
704void tls12_record_layer_reflect_seq_num(struct tls12_record_layer *rl);
705int tls12_record_layer_change_read_cipher_state(struct tls12_record_layer *rl,
706 CBS *mac_key, CBS *key, CBS *iv);
707int tls12_record_layer_change_write_cipher_state(struct tls12_record_layer *rl,
708 CBS *mac_key, CBS *key, CBS *iv);
709int tls12_record_layer_open_record(struct tls12_record_layer *rl,
710 uint8_t *buf, size_t buf_len, struct tls_content *out);
711int tls12_record_layer_seal_record(struct tls12_record_layer *rl,
712 uint8_t content_type, const uint8_t *content, size_t content_len,
713 CBB *out);
714
715typedef void (ssl_info_callback_fn)(const SSL *s, int type, int val);
716typedef void (ssl_msg_callback_fn)(int is_write, int version, int content_type,
717 const void *buf, size_t len, SSL *ssl, void *arg);
718
719struct ssl_ctx_st {
720 const SSL_METHOD *method;
721 const SSL_QUIC_METHOD *quic_method;
722
723 STACK_OF(SSL_CIPHER) *cipher_list;
724
725 struct x509_store_st /* X509_STORE */ *cert_store;
726
727 /* If timeout is not 0, it is the default timeout value set
728 * when SSL_new() is called. This has been put in to make
729 * life easier to set things up */
730 long session_timeout;
731
732 int references;
733
734 /* Default values to use in SSL structures follow (these are copied by SSL_new) */
735
736 STACK_OF(X509) *extra_certs;
737
738 int verify_mode;
739 size_t sid_ctx_length;
740 unsigned char sid_ctx[SSL_MAX_SID_CTX_LENGTH];
741
742 X509_VERIFY_PARAM *param;
743
744 /*
745 * XXX
746 * default_passwd_cb used by python and openvpn, need to keep it until we
747 * add an accessor
748 */
749 /* Default password callback. */
750 pem_password_cb *default_passwd_callback;
751
752 /* Default password callback user data. */
753 void *default_passwd_callback_userdata;
754
755 uint16_t min_tls_version;
756 uint16_t max_tls_version;
757
758 /*
759 * These may be zero to imply minimum or maximum version supported by
760 * the method.
761 */
762 uint16_t min_proto_version;
763 uint16_t max_proto_version;
764
765 unsigned long options;
766 unsigned long mode;
767
768 /* If this callback is not null, it will be called each
769 * time a session id is added to the cache. If this function
770 * returns 1, it means that the callback will do a
771 * SSL_SESSION_free() when it has finished using it. Otherwise,
772 * on 0, it means the callback has finished with it.
773 * If remove_session_cb is not null, it will be called when
774 * a session-id is removed from the cache. After the call,
775 * OpenSSL will SSL_SESSION_free() it. */
776 int (*new_session_cb)(struct ssl_st *ssl, SSL_SESSION *sess);
777 void (*remove_session_cb)(struct ssl_ctx_st *ctx, SSL_SESSION *sess);
778 SSL_SESSION *(*get_session_cb)(struct ssl_st *ssl,
779 const unsigned char *data, int len, int *copy);
780
781 /* if defined, these override the X509_verify_cert() calls */
782 int (*app_verify_callback)(X509_STORE_CTX *, void *);
783 void *app_verify_arg;
784
785 /* get client cert callback */
786 int (*client_cert_cb)(SSL *ssl, X509 **x509, EVP_PKEY **pkey);
787
788 /* cookie generate callback */
789 int (*app_gen_cookie_cb)(SSL *ssl, unsigned char *cookie,
790 unsigned int *cookie_len);
791
792 /* verify cookie callback */
793 int (*app_verify_cookie_cb)(SSL *ssl, const unsigned char *cookie,
794 unsigned int cookie_len);
795
796 ssl_info_callback_fn *info_callback;
797
798 /* callback that allows applications to peek at protocol messages */
799 ssl_msg_callback_fn *msg_callback;
800 void *msg_callback_arg;
801
802 int (*default_verify_callback)(int ok,X509_STORE_CTX *ctx); /* called 'verify_callback' in the SSL */
803
804 /* Default generate session ID callback. */
805 GEN_SESSION_CB generate_session_id;
806
807 /* TLS extensions servername callback */
808 int (*tlsext_servername_callback)(SSL*, int *, void *);
809 void *tlsext_servername_arg;
810
811 /* Callback to support customisation of ticket key setting */
812 int (*tlsext_ticket_key_cb)(SSL *ssl, unsigned char *name,
813 unsigned char *iv, EVP_CIPHER_CTX *ectx, HMAC_CTX *hctx, int enc);
814
815 /* certificate status request info */
816 /* Callback for status request */
817 int (*tlsext_status_cb)(SSL *ssl, void *arg);
818 void *tlsext_status_arg;
819
820 struct lhash_st_SSL_SESSION *sessions;
821
822 /* Most session-ids that will be cached, default is
823 * SSL_SESSION_CACHE_MAX_SIZE_DEFAULT. 0 is unlimited. */
824 unsigned long session_cache_size;
825 struct ssl_session_st *session_cache_head;
826 struct ssl_session_st *session_cache_tail;
827
828 /* This can have one of 2 values, ored together,
829 * SSL_SESS_CACHE_CLIENT,
830 * SSL_SESS_CACHE_SERVER,
831 * Default is SSL_SESSION_CACHE_SERVER, which means only
832 * SSL_accept which cache SSL_SESSIONS. */
833 int session_cache_mode;
834
835 struct {
836 int sess_connect; /* SSL new conn - started */
837 int sess_connect_renegotiate;/* SSL reneg - requested */
838 int sess_connect_good; /* SSL new conne/reneg - finished */
839 int sess_accept; /* SSL new accept - started */
840 int sess_accept_renegotiate;/* SSL reneg - requested */
841 int sess_accept_good; /* SSL accept/reneg - finished */
842 int sess_miss; /* session lookup misses */
843 int sess_timeout; /* reuse attempt on timeouted session */
844 int sess_cache_full; /* session removed due to full cache */
845 int sess_hit; /* session reuse actually done */
846 int sess_cb_hit; /* session-id that was not
847 * in the cache was
848 * passed back via the callback. This
849 * indicates that the application is
850 * supplying session-id's from other
851 * processes - spooky :-) */
852 } stats;
853
854 CRYPTO_EX_DATA ex_data;
855
856 STACK_OF(SSL_CIPHER) *cipher_list_tls13;
857
858 SSL_CERT *cert;
859
860 /* Default values used when no per-SSL value is defined follow */
861
862 /* what we put in client cert requests */
863 STACK_OF(X509_NAME) *client_CA;
864
865 long max_cert_list;
866
867 int read_ahead;
868
869 int quiet_shutdown;
870
871 /* Maximum amount of data to send in one fragment.
872 * actual record size can be more than this due to
873 * padding and MAC overheads.
874 */
875 unsigned int max_send_fragment;
876
877#ifndef OPENSSL_NO_ENGINE
878 /* Engine to pass requests for client certs to
879 */
880 ENGINE *client_cert_engine;
881#endif
882
883 /* RFC 4507 session ticket keys */
884 unsigned char tlsext_tick_key_name[16];
885 unsigned char tlsext_tick_hmac_key[16];
886 unsigned char tlsext_tick_aes_key[16];
887
888 /* SRTP profiles we are willing to do from RFC 5764 */
889 STACK_OF(SRTP_PROTECTION_PROFILE) *srtp_profiles;
890
891 /*
892 * ALPN information.
893 */
894
895 /*
896 * Server callback function that allows the server to select the
897 * protocol for the connection.
898 * out: on successful return, this must point to the raw protocol
899 * name (without the length prefix).
900 * outlen: on successful return, this contains the length of out.
901 * in: points to the client's list of supported protocols in
902 * wire-format.
903 * inlen: the length of in.
904 */
905 int (*alpn_select_cb)(SSL *s, const unsigned char **out,
906 unsigned char *outlen, const unsigned char *in, unsigned int inlen,
907 void *arg);
908 void *alpn_select_cb_arg;
909
910 /* Client list of supported protocols in wire format. */
911 uint8_t *alpn_client_proto_list;
912 size_t alpn_client_proto_list_len;
913
914 size_t tlsext_ecpointformatlist_length;
915 uint8_t *tlsext_ecpointformatlist; /* our list */
916 size_t tlsext_supportedgroups_length;
917 uint16_t *tlsext_supportedgroups; /* our list */
918 SSL_CTX_keylog_cb_func keylog_callback; /* Unused. For OpenSSL compatibility. */
919 size_t num_tickets; /* Unused, for OpenSSL compatibility */
920};
921
922struct ssl_st {
923 /* protocol version
924 * (one of SSL2_VERSION, SSL3_VERSION, TLS1_VERSION, DTLS1_VERSION)
925 */
926 int version;
927
928 const SSL_METHOD *method;
929 const SSL_QUIC_METHOD *quic_method;
930
931 /* There are 2 BIO's even though they are normally both the
932 * same. This is so data can be read and written to different
933 * handlers */
934
935 BIO *rbio; /* used by SSL_read */
936 BIO *wbio; /* used by SSL_write */
937 BIO *bbio; /* used during session-id reuse to concatenate
938 * messages */
939 int server; /* are we the server side? - mostly used by SSL_clear*/
940
941 struct ssl3_state_st *s3; /* SSLv3 variables */
942 struct dtls1_state_st *d1; /* DTLSv1 variables */
943
944 X509_VERIFY_PARAM *param;
945
946 /* crypto */
947 STACK_OF(SSL_CIPHER) *cipher_list;
948
949 /* This is used to hold the server certificate used */
950 SSL_CERT *cert;
951
952 /* the session_id_context is used to ensure sessions are only reused
953 * in the appropriate context */
954 size_t sid_ctx_length;
955 unsigned char sid_ctx[SSL_MAX_SID_CTX_LENGTH];
956
957 /* This can also be in the session once a session is established */
958 SSL_SESSION *session;
959
960 /* Used in SSL2 and SSL3 */
961 int verify_mode; /* 0 don't care about verify failure.
962 * 1 fail if verify fails */
963 int error; /* error bytes to be written */
964 int error_code; /* actual code */
965
966 SSL_CTX *ctx;
967
968 long verify_result;
969
970 int references;
971
972 int client_version; /* what was passed, used for
973 * SSLv3/TLS rollback check */
974
975 unsigned int max_send_fragment;
976
977 char *tlsext_hostname;
978
979 /* certificate status request info */
980 /* Status type or -1 if no status type */
981 int tlsext_status_type;
982
983 SSL_CTX * initial_ctx; /* initial ctx, used to store sessions */
984#define session_ctx initial_ctx
985
986 struct tls13_ctx *tls13;
987
988 uint16_t min_tls_version;
989 uint16_t max_tls_version;
990
991 /*
992 * These may be zero to imply minimum or maximum version supported by
993 * the method.
994 */
995 uint16_t min_proto_version;
996 uint16_t max_proto_version;
997
998 unsigned long options; /* protocol behaviour */
999 unsigned long mode; /* API behaviour */
1000
1001 /* Client list of supported protocols in wire format. */
1002 uint8_t *alpn_client_proto_list;
1003 size_t alpn_client_proto_list_len;
1004
1005 /* QUIC transport params we will send */
1006 uint8_t *quic_transport_params;
1007 size_t quic_transport_params_len;
1008
1009 /* XXX Callbacks */
1010
1011 /* true when we are actually in SSL_accept() or SSL_connect() */
1012 int in_handshake;
1013 int (*handshake_func)(SSL *);
1014
1015 ssl_info_callback_fn *info_callback;
1016
1017 /* callback that allows applications to peek at protocol messages */
1018 ssl_msg_callback_fn *msg_callback;
1019 void *msg_callback_arg;
1020
1021 int (*verify_callback)(int ok,X509_STORE_CTX *ctx); /* fail if callback returns 0 */
1022
1023 /* Default generate session ID callback. */
1024 GEN_SESSION_CB generate_session_id;
1025
1026 /* TLS extension debug callback */
1027 void (*tlsext_debug_cb)(SSL *s, int client_server, int type,
1028 unsigned char *data, int len, void *arg);
1029 void *tlsext_debug_arg;
1030
1031 /* TLS Session Ticket extension callback */
1032 tls_session_ticket_ext_cb_fn tls_session_ticket_ext_cb;
1033 void *tls_session_ticket_ext_cb_arg;
1034
1035 /* TLS pre-shared secret session resumption */
1036 tls_session_secret_cb_fn tls_session_secret_cb;
1037 void *tls_session_secret_cb_arg;
1038
1039 /* XXX non-callback */
1040
1041 /* This holds a variable that indicates what we were doing
1042 * when a 0 or -1 is returned. This is needed for
1043 * non-blocking IO so we know what request needs re-doing when
1044 * in SSL_accept or SSL_connect */
1045 int rwstate;
1046
1047 /* Imagine that here's a boolean member "init" that is
1048 * switched as soon as SSL_set_{accept/connect}_state
1049 * is called for the first time, so that "state" and
1050 * "handshake_func" are properly initialized. But as
1051 * handshake_func is == 0 until then, we use this
1052 * test instead of an "init" member.
1053 */
1054
1055 int new_session;/* Generate a new session or reuse an old one.
1056 * NB: For servers, the 'new' session may actually be a previously
1057 * cached session or even the previous session unless
1058 * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION is set */
1059 int quiet_shutdown;/* don't send shutdown packets */
1060 int shutdown; /* we have shut things down, 0x01 sent, 0x02
1061 * for received */
1062 BUF_MEM *init_buf; /* buffer used during init */
1063 void *init_msg; /* pointer to handshake message body, set by ssl3_get_message() */
1064 int init_num; /* amount read/written */
1065 int init_off; /* amount read/written */
1066
1067 /* used internally to point at a raw packet */
1068 unsigned char *packet;
1069 unsigned int packet_length;
1070
1071 int read_ahead; /* Read as many input bytes as possible
1072 * (for non-blocking reads) */
1073
1074 int hit; /* reusing a previous session */
1075
1076 STACK_OF(SSL_CIPHER) *cipher_list_tls13;
1077
1078 struct tls12_record_layer *rl;
1079
1080 /* session info */
1081
1082 /* extra application data */
1083 CRYPTO_EX_DATA ex_data;
1084
1085 /* client cert? */
1086 /* for server side, keep the list of CA_dn we can use */
1087 STACK_OF(X509_NAME) *client_CA;
1088
1089 /* set this flag to 1 and a sleep(1) is put into all SSL_read()
1090 * and SSL_write() calls, good for nbio debugging :-) */
1091 int debug;
1092 long max_cert_list;
1093 int first_packet;
1094
1095 /* Expect OCSP CertificateStatus message */
1096 int tlsext_status_expected;
1097 /* OCSP status request only */
1098 STACK_OF(OCSP_RESPID) *tlsext_ocsp_ids;
1099 X509_EXTENSIONS *tlsext_ocsp_exts;
1100
1101 /* OCSP response received or to be sent */
1102 unsigned char *tlsext_ocsp_resp;
1103 size_t tlsext_ocsp_resp_len;
1104
1105 /* RFC4507 session ticket expected to be received or sent */
1106 int tlsext_ticket_expected;
1107
1108 size_t tlsext_ecpointformatlist_length;
1109 uint8_t *tlsext_ecpointformatlist; /* our list */
1110 size_t tlsext_supportedgroups_length;
1111 uint16_t *tlsext_supportedgroups; /* our list */
1112
1113 /* TLS Session Ticket extension override */
1114 TLS_SESSION_TICKET_EXT *tlsext_session_ticket;
1115
1116 STACK_OF(SRTP_PROTECTION_PROFILE) *srtp_profiles; /* What we'll do */
1117 const SRTP_PROTECTION_PROFILE *srtp_profile; /* What's been chosen */
1118
1119 int renegotiate;/* 1 if we are renegotiating.
1120 * 2 if we are a server and are inside a handshake
1121 * (i.e. not just sending a HelloRequest) */
1122
1123 int rstate; /* where we are when reading */
1124
1125 int mac_packet;
1126
1127 int empty_record_count;
1128
1129 size_t num_tickets; /* Unused, for OpenSSL compatibility */
1130 STACK_OF(X509) *verified_chain;
1131};
1132
1133typedef struct ssl3_record_internal_st {
1134 int type; /* type of record */
1135 unsigned int length; /* How many bytes available */
1136 unsigned int padding_length; /* Number of padding bytes. */
1137 unsigned int off; /* read/write offset into 'buf' */
1138 unsigned char *data; /* pointer to the record data */
1139 unsigned char *input; /* where the decode bytes are */
1140 uint16_t epoch; /* epoch number, needed by DTLS1 */
1141 unsigned char seq_num[8]; /* sequence number, needed by DTLS1 */
1142} SSL3_RECORD_INTERNAL;
1143
1144typedef struct ssl3_buffer_internal_st {
1145 unsigned char *buf; /* at least SSL3_RT_MAX_PACKET_SIZE bytes,
1146 * see ssl3_setup_buffers() */
1147 size_t len; /* buffer size */
1148 int offset; /* where to 'copy from' */
1149 int left; /* how many bytes left */
1150} SSL3_BUFFER_INTERNAL;
1151
1152typedef struct ssl3_state_st {
1153 long flags;
1154
1155 unsigned char server_random[SSL3_RANDOM_SIZE];
1156 unsigned char client_random[SSL3_RANDOM_SIZE];
1157
1158 SSL3_BUFFER_INTERNAL rbuf; /* read IO goes into here */
1159 SSL3_BUFFER_INTERNAL wbuf; /* write IO goes into here */
1160
1161 SSL3_RECORD_INTERNAL rrec; /* each decoded record goes in here */
1162
1163 struct tls_content *rcontent; /* Content from opened TLS records. */
1164
1165 /* we allow one fatal and one warning alert to be outstanding,
1166 * send close alert via the warning alert */
1167 int alert_dispatch;
1168 unsigned char send_alert[2];
1169
1170 /* flags for countermeasure against known-IV weakness */
1171 int need_empty_fragments;
1172 int empty_fragment_done;
1173
1174 /* Unprocessed Alert/Handshake protocol data. */
1175 struct tls_buffer *alert_fragment;
1176 struct tls_buffer *handshake_fragment;
1177
1178 /* partial write - check the numbers match */
1179 unsigned int wnum; /* number of bytes sent so far */
1180 int wpend_tot; /* number bytes written */
1181 int wpend_type;
1182 int wpend_ret; /* number of bytes submitted */
1183 const unsigned char *wpend_buf;
1184
1185 /* Transcript of handshake messages that have been sent and received. */
1186 struct tls_buffer *handshake_transcript;
1187
1188 /* Rolling hash of handshake messages. */
1189 EVP_MD_CTX *handshake_hash;
1190
1191 /* this is set whenerver we see a change_cipher_spec message
1192 * come in when we are not looking for one */
1193 int change_cipher_spec;
1194
1195 int warn_alert;
1196 int fatal_alert;
1197
1198 /* This flag is set when we should renegotiate ASAP, basically when
1199 * there is no more data in the read or write buffers */
1200 int renegotiate;
1201 int total_renegotiations;
1202 int num_renegotiations;
1203
1204 int in_read_app_data;
1205
1206 SSL_HANDSHAKE hs;
1207
1208 /* Connection binding to prevent renegotiation attacks */
1209 unsigned char previous_client_finished[EVP_MAX_MD_SIZE];
1210 unsigned char previous_client_finished_len;
1211 unsigned char previous_server_finished[EVP_MAX_MD_SIZE];
1212 unsigned char previous_server_finished_len;
1213 int send_connection_binding; /* TODOEKR */
1214
1215 /* Set if we saw a Renegotiation Indication extension from our peer. */
1216 int renegotiate_seen;
1217
1218 /*
1219 * ALPN information.
1220 *
1221 * In a server these point to the selected ALPN protocol after the
1222 * ClientHello has been processed. In a client these contain the
1223 * protocol that the server selected once the ServerHello has been
1224 * processed.
1225 */
1226 uint8_t *alpn_selected;
1227 size_t alpn_selected_len;
1228
1229 /* Contains the QUIC transport params received from our peer. */
1230 uint8_t *peer_quic_transport_params;
1231 size_t peer_quic_transport_params_len;
1232} SSL3_STATE;
1233
1234/*
1235 * Flag values for enc_flags.
1236 */
1237
1238/* Uses signature algorithms extension. */
1239#define SSL_ENC_FLAG_SIGALGS (1 << 1)
1240
1241/* Uses SHA256 default PRF. */
1242#define SSL_ENC_FLAG_SHA256_PRF (1 << 2)
1243
1244/* Allow TLS 1.2 ciphersuites: applies to DTLS 1.2 as well as TLS 1.2. */
1245#define SSL_ENC_FLAG_TLS1_2_CIPHERS (1 << 4)
1246
1247/* Allow TLS 1.3 ciphersuites only. */
1248#define SSL_ENC_FLAG_TLS1_3_CIPHERS (1 << 5)
1249
1250#define TLSV1_ENC_FLAGS 0
1251#define TLSV1_1_ENC_FLAGS 0
1252#define TLSV1_2_ENC_FLAGS (SSL_ENC_FLAG_SIGALGS | \
1253 SSL_ENC_FLAG_SHA256_PRF | \
1254 SSL_ENC_FLAG_TLS1_2_CIPHERS)
1255#define TLSV1_3_ENC_FLAGS (SSL_ENC_FLAG_SIGALGS | \
1256 SSL_ENC_FLAG_TLS1_3_CIPHERS)
1257
1258extern const SSL_CIPHER ssl3_ciphers[];
1259
1260const char *ssl_version_string(int ver);
1261int ssl_version_set_min(const SSL_METHOD *meth, uint16_t proto_ver,
1262 uint16_t max_tls_ver, uint16_t *out_tls_ver, uint16_t *out_proto_ver);
1263int ssl_version_set_max(const SSL_METHOD *meth, uint16_t proto_ver,
1264 uint16_t min_tls_ver, uint16_t *out_tls_ver, uint16_t *out_proto_ver);
1265int ssl_enabled_tls_version_range(SSL *s, uint16_t *min_ver, uint16_t *max_ver);
1266int ssl_supported_tls_version_range(SSL *s, uint16_t *min_ver, uint16_t *max_ver);
1267uint16_t ssl_tls_version(uint16_t version);
1268uint16_t ssl_effective_tls_version(SSL *s);
1269int ssl_max_supported_version(SSL *s, uint16_t *max_ver);
1270int ssl_max_legacy_version(SSL *s, uint16_t *max_ver);
1271int ssl_max_shared_version(SSL *s, uint16_t peer_ver, uint16_t *max_ver);
1272int ssl_check_version_from_server(SSL *s, uint16_t server_version);
1273int ssl_legacy_stack_version(SSL *s, uint16_t version);
1274int ssl_cipher_in_list(STACK_OF(SSL_CIPHER) *ciphers, const SSL_CIPHER *cipher);
1275int ssl_cipher_allowed_in_tls_version_range(const SSL_CIPHER *cipher,
1276 uint16_t min_ver, uint16_t max_ver);
1277
1278const SSL_METHOD *tls_legacy_method(void);
1279const SSL_METHOD *ssl_get_method(uint16_t version);
1280
1281void ssl_clear_cipher_state(SSL *s);
1282int ssl_clear_bad_session(SSL *s);
1283
1284void ssl_info_callback(const SSL *s, int type, int value);
1285void ssl_msg_callback(SSL *s, int is_write, int content_type,
1286 const void *msg_buf, size_t msg_len);
1287void ssl_msg_callback_cbs(SSL *s, int is_write, int content_type, CBS *cbs);
1288
1289SSL_CERT *ssl_cert_new(void);
1290SSL_CERT *ssl_cert_dup(SSL_CERT *cert);
1291void ssl_cert_free(SSL_CERT *c);
1292SSL_CERT *ssl_get0_cert(SSL_CTX *ctx, SSL *ssl);
1293int ssl_cert_set0_chain(SSL_CTX *ctx, SSL *ssl, STACK_OF(X509) *chain);
1294int ssl_cert_set1_chain(SSL_CTX *ctx, SSL *ssl, STACK_OF(X509) *chain);
1295int ssl_cert_add0_chain_cert(SSL_CTX *ctx, SSL *ssl, X509 *cert);
1296int ssl_cert_add1_chain_cert(SSL_CTX *ctx, SSL *ssl, X509 *cert);
1297
1298int ssl_security_default_cb(const SSL *ssl, const SSL_CTX *ctx, int op,
1299 int bits, int nid, void *other, void *ex_data);
1300
1301int ssl_security_cipher_check(const SSL *ssl, SSL_CIPHER *cipher);
1302int ssl_security_shared_cipher(const SSL *ssl, SSL_CIPHER *cipher);
1303int ssl_security_supported_cipher(const SSL *ssl, SSL_CIPHER *cipher);
1304int ssl_ctx_security_dh(const SSL_CTX *ctx, DH *dh);
1305int ssl_security_dh(const SSL *ssl, DH *dh);
1306int ssl_security_sigalg_check(const SSL *ssl, const EVP_PKEY *pkey);
1307int ssl_security_tickets(const SSL *ssl);
1308int ssl_security_version(const SSL *ssl, int version);
1309int ssl_security_cert(const SSL_CTX *ctx, const SSL *ssl, X509 *x509,
1310 int is_peer, int *out_error);
1311int ssl_security_cert_chain(const SSL *ssl, STACK_OF(X509) *sk,
1312 X509 *x509, int *out_error);
1313int ssl_security_shared_group(const SSL *ssl, uint16_t group_id);
1314int ssl_security_supported_group(const SSL *ssl, uint16_t group_id);
1315
1316SSL_SESSION *ssl_session_dup(SSL_SESSION *src, int include_ticket);
1317int ssl_get_new_session(SSL *s, int session);
1318int ssl_get_prev_session(SSL *s, CBS *session_id, CBS *ext_block,
1319 int *alert);
1320int ssl_cipher_id_cmp(const SSL_CIPHER *a, const SSL_CIPHER *b);
1321SSL_CIPHER *OBJ_bsearch_ssl_cipher_id(SSL_CIPHER *key, SSL_CIPHER const *base,
1322 int num);
1323int ssl_cipher_list_to_bytes(SSL *s, STACK_OF(SSL_CIPHER) *ciphers, CBB *cbb);
1324STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s, CBS *cbs);
1325STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *meth,
1326 STACK_OF(SSL_CIPHER) **pref, STACK_OF(SSL_CIPHER) *tls13,
1327 const char *rule_str, SSL_CERT *cert);
1328int ssl_parse_ciphersuites(STACK_OF(SSL_CIPHER) **out_ciphers, const char *str);
1329int ssl_merge_cipherlists(STACK_OF(SSL_CIPHER) *cipherlist,
1330 STACK_OF(SSL_CIPHER) *cipherlist_tls13,
1331 STACK_OF(SSL_CIPHER) **out_cipherlist);
1332void ssl_update_cache(SSL *s, int mode);
1333int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
1334 const EVP_MD **md, int *mac_pkey_type, int *mac_secret_size);
1335int ssl_cipher_get_evp_aead(const SSL_SESSION *s, const EVP_AEAD **aead);
1336int ssl_get_handshake_evp_md(SSL *s, const EVP_MD **md);
1337
1338int ssl_verify_cert_chain(SSL *s, STACK_OF(X509) *sk);
1339int ssl_undefined_function(SSL *s);
1340int ssl_undefined_void_function(void);
1341int ssl_undefined_const_function(const SSL *s);
1342SSL_CERT_PKEY *ssl_get_server_send_pkey(const SSL *s);
1343EVP_PKEY *ssl_get_sign_pkey(SSL *s, const SSL_CIPHER *c, const EVP_MD **pmd,
1344 const struct ssl_sigalg **sap);
1345size_t ssl_dhe_params_auto_key_bits(SSL *s);
1346int ssl_cert_type(EVP_PKEY *pkey);
1347void ssl_set_cert_masks(SSL_CERT *c, const SSL_CIPHER *cipher);
1348STACK_OF(SSL_CIPHER) *ssl_get_ciphers_by_id(SSL *s);
1349int ssl_has_ecc_ciphers(SSL *s);
1350int ssl_verify_alarm_type(long type);
1351
1352int SSL_SESSION_ticket(SSL_SESSION *ss, unsigned char **out, size_t *out_len);
1353
1354const SSL_CIPHER *ssl3_get_cipher_by_char(const unsigned char *p);
1355int ssl3_do_write(SSL *s, int type);
1356int ssl3_send_alert(SSL *s, int level, int desc);
1357int ssl3_get_req_cert_types(SSL *s, CBB *cbb);
1358int ssl3_get_message(SSL *s, int st1, int stn, int mt, long max);
1359int ssl3_num_ciphers(void);
1360const SSL_CIPHER *ssl3_get_cipher(unsigned int u);
1361const SSL_CIPHER *ssl3_get_cipher_by_id(unsigned int id);
1362const SSL_CIPHER *ssl3_get_cipher_by_value(uint16_t value);
1363uint16_t ssl3_cipher_get_value(const SSL_CIPHER *c);
1364int ssl3_renegotiate(SSL *ssl);
1365
1366int ssl3_renegotiate_check(SSL *ssl);
1367
1368void ssl_force_want_read(SSL *s);
1369
1370int ssl3_dispatch_alert(SSL *s);
1371int ssl3_read_alert(SSL *s);
1372int ssl3_read_change_cipher_spec(SSL *s);
1373int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek);
1374int ssl3_write_bytes(SSL *s, int type, const void *buf, int len);
1375int ssl3_output_cert_chain(SSL *s, CBB *cbb, SSL_CERT_PKEY *cpk);
1376SSL_CIPHER *ssl3_choose_cipher(SSL *ssl, STACK_OF(SSL_CIPHER) *clnt,
1377 STACK_OF(SSL_CIPHER) *srvr);
1378int ssl3_setup_buffers(SSL *s);
1379int ssl3_setup_init_buffer(SSL *s);
1380void ssl3_release_init_buffer(SSL *s);
1381int ssl3_setup_read_buffer(SSL *s);
1382int ssl3_setup_write_buffer(SSL *s);
1383void ssl3_release_buffer(SSL3_BUFFER_INTERNAL *b);
1384void ssl3_release_read_buffer(SSL *s);
1385void ssl3_release_write_buffer(SSL *s);
1386int ssl3_new(SSL *s);
1387void ssl3_free(SSL *s);
1388int ssl3_accept(SSL *s);
1389int ssl3_connect(SSL *s);
1390int ssl3_read(SSL *s, void *buf, int len);
1391int ssl3_peek(SSL *s, void *buf, int len);
1392int ssl3_write(SSL *s, const void *buf, int len);
1393int ssl3_shutdown(SSL *s);
1394void ssl3_clear(SSL *s);
1395long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg);
1396long ssl3_ctx_ctrl(SSL_CTX *s, int cmd, long larg, void *parg);
1397long ssl3_callback_ctrl(SSL *s, int cmd, void (*fp)(void));
1398long ssl3_ctx_callback_ctrl(SSL_CTX *s, int cmd, void (*fp)(void));
1399int ssl3_pending(const SSL *s);
1400
1401int ssl3_handshake_msg_hdr_len(SSL *s);
1402int ssl3_handshake_msg_start(SSL *s, CBB *handshake, CBB *body,
1403 uint8_t msg_type);
1404int ssl3_handshake_msg_finish(SSL *s, CBB *handshake);
1405int ssl3_handshake_write(SSL *s);
1406int ssl3_record_write(SSL *s, int type);
1407
1408int ssl3_do_change_cipher_spec(SSL *ssl);
1409
1410int ssl3_packet_read(SSL *s, int plen);
1411int ssl3_packet_extend(SSL *s, int plen);
1412int ssl_server_legacy_first_packet(SSL *s);
1413int ssl3_write_pending(SSL *s, int type, const unsigned char *buf,
1414 unsigned int len);
1415
1416int ssl_kex_generate_dhe(DH *dh, DH *dh_params);
1417int ssl_kex_generate_dhe_params_auto(DH *dh, size_t key_len);
1418int ssl_kex_params_dhe(DH *dh, CBB *cbb);
1419int ssl_kex_public_dhe(DH *dh, CBB *cbb);
1420int ssl_kex_peer_params_dhe(DH *dh, CBS *cbs, int *decode_error,
1421 int *invalid_params);
1422int ssl_kex_peer_public_dhe(DH *dh, CBS *cbs, int *decode_error,
1423 int *invalid_key);
1424int ssl_kex_derive_dhe(DH *dh, DH *dh_peer,
1425 uint8_t **shared_key, size_t *shared_key_len);
1426
1427int ssl_kex_dummy_ecdhe_x25519(EVP_PKEY *pkey);
1428int ssl_kex_generate_ecdhe_ecp(EC_KEY *ecdh, int nid);
1429int ssl_kex_public_ecdhe_ecp(EC_KEY *ecdh, CBB *cbb);
1430int ssl_kex_peer_public_ecdhe_ecp(EC_KEY *ecdh, int nid, CBS *cbs);
1431int ssl_kex_derive_ecdhe_ecp(EC_KEY *ecdh, EC_KEY *ecdh_peer,
1432 uint8_t **shared_key, size_t *shared_key_len);
1433
1434int tls1_new(SSL *s);
1435void tls1_free(SSL *s);
1436void tls1_clear(SSL *s);
1437
1438int ssl_init_wbio_buffer(SSL *s, int push);
1439void ssl_free_wbio_buffer(SSL *s);
1440
1441int tls1_transcript_hash_init(SSL *s);
1442int tls1_transcript_hash_update(SSL *s, const unsigned char *buf, size_t len);
1443int tls1_transcript_hash_value(SSL *s, unsigned char *out, size_t len,
1444 size_t *outlen);
1445void tls1_transcript_hash_free(SSL *s);
1446
1447int tls1_transcript_init(SSL *s);
1448void tls1_transcript_free(SSL *s);
1449void tls1_transcript_reset(SSL *s);
1450int tls1_transcript_append(SSL *s, const unsigned char *buf, size_t len);
1451int tls1_transcript_data(SSL *s, const unsigned char **data, size_t *len);
1452void tls1_transcript_freeze(SSL *s);
1453void tls1_transcript_unfreeze(SSL *s);
1454int tls1_transcript_record(SSL *s, const unsigned char *buf, size_t len);
1455
1456int tls1_PRF(SSL *s, const unsigned char *secret, size_t secret_len,
1457 const void *seed1, size_t seed1_len, const void *seed2, size_t seed2_len,
1458 const void *seed3, size_t seed3_len, const void *seed4, size_t seed4_len,
1459 const void *seed5, size_t seed5_len, unsigned char *out, size_t out_len);
1460
1461void tls1_cleanup_key_block(SSL *s);
1462int tls1_change_read_cipher_state(SSL *s);
1463int tls1_change_write_cipher_state(SSL *s);
1464int tls1_setup_key_block(SSL *s);
1465int tls1_generate_key_block(SSL *s, uint8_t *key_block, size_t key_block_len);
1466int ssl_ok(SSL *s);
1467
1468int tls12_derive_finished(SSL *s);
1469int tls12_derive_peer_finished(SSL *s);
1470int tls12_derive_master_secret(SSL *s, uint8_t *premaster_secret,
1471 size_t premaster_secret_len);
1472
1473int ssl_using_ecc_cipher(SSL *s);
1474int ssl_check_srvr_ecc_cert_and_alg(SSL *s, X509 *x);
1475
1476void tls1_get_formatlist(const SSL *s, int client_formats,
1477 const uint8_t **pformats, size_t *pformatslen);
1478void tls1_get_group_list(const SSL *s, int client_groups,
1479 const uint16_t **pgroups, size_t *pgroupslen);
1480
1481int tls1_set_groups(uint16_t **out_group_ids, size_t *out_group_ids_len,
1482 const int *groups, size_t ngroups);
1483int tls1_set_group_list(uint16_t **out_group_ids, size_t *out_group_ids_len,
1484 const char *groups);
1485
1486int tls1_ec_group_id2nid(uint16_t group_id, int *out_nid);
1487int tls1_ec_group_id2bits(uint16_t group_id, int *out_bits);
1488int tls1_ec_nid2group_id(int nid, uint16_t *out_group_id);
1489int tls1_check_group(SSL *s, uint16_t group_id);
1490int tls1_count_shared_groups(const SSL *ssl, size_t *out_count);
1491int tls1_get_shared_group_by_index(const SSL *ssl, size_t index, int *out_nid);
1492int tls1_get_supported_group(const SSL *s, int *out_nid);
1493
1494int ssl_check_clienthello_tlsext_early(SSL *s);
1495int ssl_check_clienthello_tlsext_late(SSL *s);
1496int ssl_check_serverhello_tlsext(SSL *s);
1497
1498#define TLS1_TICKET_FATAL_ERROR -1
1499#define TLS1_TICKET_NONE 0
1500#define TLS1_TICKET_EMPTY 1
1501#define TLS1_TICKET_NOT_DECRYPTED 2
1502#define TLS1_TICKET_DECRYPTED 3
1503
1504int tls1_process_ticket(SSL *s, CBS *ext_block, int *alert, SSL_SESSION **ret);
1505
1506int tls1_check_ec_server_key(SSL *s);
1507
1508/* s3_cbc.c */
1509void ssl3_cbc_copy_mac(unsigned char *out, const SSL3_RECORD_INTERNAL *rec,
1510 unsigned int md_size, unsigned int orig_len);
1511int ssl3_cbc_remove_padding(SSL3_RECORD_INTERNAL *rec, unsigned int eiv_len,
1512 unsigned int mac_size);
1513char ssl3_cbc_record_digest_supported(const EVP_MD_CTX *ctx);
1514int ssl3_cbc_digest_record(const EVP_MD_CTX *ctx, unsigned char *md_out,
1515 size_t *md_out_size, const unsigned char header[13],
1516 const unsigned char *data, size_t data_plus_mac_size,
1517 size_t data_plus_mac_plus_padding_size, const unsigned char *mac_secret,
1518 unsigned int mac_secret_length);
1519int SSL_state_func_code(int _state);
1520
1521#define SSLerror(s, r) SSL_error_internal(s, r, __FILE__, __LINE__)
1522#define SSLerrorx(r) ERR_PUT_error(ERR_LIB_SSL,(0xfff),(r),__FILE__,__LINE__)
1523void SSL_error_internal(const SSL *s, int r, char *f, int l);
1524
1525#ifndef OPENSSL_NO_SRTP
1526
1527int srtp_find_profile_by_name(const char *profile_name,
1528 const SRTP_PROTECTION_PROFILE **pptr, unsigned int len);
1529int srtp_find_profile_by_num(unsigned int profile_num,
1530 const SRTP_PROTECTION_PROFILE **pptr);
1531
1532#endif /* OPENSSL_NO_SRTP */
1533
1534int tls_process_peer_certs(SSL *s, STACK_OF(X509) *peer_certs);
1535
1536__END_HIDDEN_DECLS
1537
1538#endif /* !HEADER_SSL_LOCL_H */
diff --git a/src/lib/libssl/ssl_methods.c b/src/lib/libssl/ssl_methods.c
deleted file mode 100644
index dac28011f4..0000000000
--- a/src/lib/libssl/ssl_methods.c
+++ /dev/null
@@ -1,580 +0,0 @@
1/* $OpenBSD: ssl_methods.c,v 1.29 2022/11/26 16:08:56 tb Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#include "dtls_local.h"
60#include "ssl_local.h"
61#include "tls13_internal.h"
62
63static const SSL_METHOD DTLS_method_data = {
64 .dtls = 1,
65 .server = 1,
66 .version = DTLS1_2_VERSION,
67 .min_tls_version = TLS1_1_VERSION,
68 .max_tls_version = TLS1_2_VERSION,
69 .ssl_new = dtls1_new,
70 .ssl_clear = dtls1_clear,
71 .ssl_free = dtls1_free,
72 .ssl_accept = ssl3_accept,
73 .ssl_connect = ssl3_connect,
74 .ssl_shutdown = ssl3_shutdown,
75 .ssl_renegotiate = ssl3_renegotiate,
76 .ssl_renegotiate_check = ssl3_renegotiate_check,
77 .ssl_pending = ssl3_pending,
78 .ssl_read_bytes = dtls1_read_bytes,
79 .ssl_write_bytes = dtls1_write_app_data_bytes,
80 .get_cipher = dtls1_get_cipher,
81 .enc_flags = TLSV1_2_ENC_FLAGS,
82};
83
84static const SSL_METHOD DTLS_client_method_data = {
85 .dtls = 1,
86 .server = 0,
87 .version = DTLS1_2_VERSION,
88 .min_tls_version = TLS1_1_VERSION,
89 .max_tls_version = TLS1_2_VERSION,
90 .ssl_new = dtls1_new,
91 .ssl_clear = dtls1_clear,
92 .ssl_free = dtls1_free,
93 .ssl_accept = ssl_undefined_function,
94 .ssl_connect = ssl3_connect,
95 .ssl_shutdown = ssl3_shutdown,
96 .ssl_renegotiate = ssl3_renegotiate,
97 .ssl_renegotiate_check = ssl3_renegotiate_check,
98 .ssl_pending = ssl3_pending,
99 .ssl_read_bytes = dtls1_read_bytes,
100 .ssl_write_bytes = dtls1_write_app_data_bytes,
101 .get_cipher = dtls1_get_cipher,
102 .enc_flags = TLSV1_2_ENC_FLAGS,
103};
104
105static const SSL_METHOD DTLSv1_method_data = {
106 .dtls = 1,
107 .server = 1,
108 .version = DTLS1_VERSION,
109 .min_tls_version = TLS1_1_VERSION,
110 .max_tls_version = TLS1_1_VERSION,
111 .ssl_new = dtls1_new,
112 .ssl_clear = dtls1_clear,
113 .ssl_free = dtls1_free,
114 .ssl_accept = ssl3_accept,
115 .ssl_connect = ssl3_connect,
116 .ssl_shutdown = ssl3_shutdown,
117 .ssl_renegotiate = ssl3_renegotiate,
118 .ssl_renegotiate_check = ssl3_renegotiate_check,
119 .ssl_pending = ssl3_pending,
120 .ssl_read_bytes = dtls1_read_bytes,
121 .ssl_write_bytes = dtls1_write_app_data_bytes,
122 .get_cipher = dtls1_get_cipher,
123 .enc_flags = TLSV1_1_ENC_FLAGS,
124};
125
126static const SSL_METHOD DTLSv1_client_method_data = {
127 .dtls = 1,
128 .server = 0,
129 .version = DTLS1_VERSION,
130 .min_tls_version = TLS1_1_VERSION,
131 .max_tls_version = TLS1_1_VERSION,
132 .ssl_new = dtls1_new,
133 .ssl_clear = dtls1_clear,
134 .ssl_free = dtls1_free,
135 .ssl_accept = ssl_undefined_function,
136 .ssl_connect = ssl3_connect,
137 .ssl_shutdown = ssl3_shutdown,
138 .ssl_renegotiate = ssl3_renegotiate,
139 .ssl_renegotiate_check = ssl3_renegotiate_check,
140 .ssl_pending = ssl3_pending,
141 .ssl_read_bytes = dtls1_read_bytes,
142 .ssl_write_bytes = dtls1_write_app_data_bytes,
143 .get_cipher = dtls1_get_cipher,
144 .enc_flags = TLSV1_1_ENC_FLAGS,
145};
146
147static const SSL_METHOD DTLSv1_2_method_data = {
148 .dtls = 1,
149 .server = 1,
150 .version = DTLS1_2_VERSION,
151 .min_tls_version = TLS1_2_VERSION,
152 .max_tls_version = TLS1_2_VERSION,
153 .ssl_new = dtls1_new,
154 .ssl_clear = dtls1_clear,
155 .ssl_free = dtls1_free,
156 .ssl_accept = ssl3_accept,
157 .ssl_connect = ssl3_connect,
158 .ssl_shutdown = ssl3_shutdown,
159 .ssl_renegotiate = ssl3_renegotiate,
160 .ssl_renegotiate_check = ssl3_renegotiate_check,
161 .ssl_pending = ssl3_pending,
162 .ssl_read_bytes = dtls1_read_bytes,
163 .ssl_write_bytes = dtls1_write_app_data_bytes,
164 .get_cipher = dtls1_get_cipher,
165 .enc_flags = TLSV1_2_ENC_FLAGS,
166};
167
168static const SSL_METHOD DTLSv1_2_client_method_data = {
169 .dtls = 1,
170 .server = 0,
171 .version = DTLS1_2_VERSION,
172 .min_tls_version = TLS1_2_VERSION,
173 .max_tls_version = TLS1_2_VERSION,
174 .ssl_new = dtls1_new,
175 .ssl_clear = dtls1_clear,
176 .ssl_free = dtls1_free,
177 .ssl_accept = ssl_undefined_function,
178 .ssl_connect = ssl3_connect,
179 .ssl_shutdown = ssl3_shutdown,
180 .ssl_renegotiate = ssl3_renegotiate,
181 .ssl_renegotiate_check = ssl3_renegotiate_check,
182 .ssl_pending = ssl3_pending,
183 .ssl_read_bytes = dtls1_read_bytes,
184 .ssl_write_bytes = dtls1_write_app_data_bytes,
185 .get_cipher = dtls1_get_cipher,
186 .enc_flags = TLSV1_2_ENC_FLAGS,
187};
188
189const SSL_METHOD *
190DTLSv1_client_method(void)
191{
192 return &DTLSv1_client_method_data;
193}
194
195const SSL_METHOD *
196DTLSv1_method(void)
197{
198 return &DTLSv1_method_data;
199}
200
201const SSL_METHOD *
202DTLSv1_server_method(void)
203{
204 return &DTLSv1_method_data;
205}
206
207const SSL_METHOD *
208DTLSv1_2_client_method(void)
209{
210 return &DTLSv1_2_client_method_data;
211}
212
213const SSL_METHOD *
214DTLSv1_2_method(void)
215{
216 return &DTLSv1_2_method_data;
217}
218
219const SSL_METHOD *
220DTLSv1_2_server_method(void)
221{
222 return &DTLSv1_2_method_data;
223}
224
225const SSL_METHOD *
226DTLS_client_method(void)
227{
228 return &DTLS_client_method_data;
229}
230
231const SSL_METHOD *
232DTLS_method(void)
233{
234 return &DTLS_method_data;
235}
236
237const SSL_METHOD *
238DTLS_server_method(void)
239{
240 return &DTLS_method_data;
241}
242
243#if defined(LIBRESSL_HAS_TLS1_3_CLIENT) && defined(LIBRESSL_HAS_TLS1_3_SERVER)
244static const SSL_METHOD TLS_method_data = {
245 .dtls = 0,
246 .server = 1,
247 .version = TLS1_3_VERSION,
248 .min_tls_version = TLS1_VERSION,
249 .max_tls_version = TLS1_3_VERSION,
250 .ssl_new = tls1_new,
251 .ssl_clear = tls1_clear,
252 .ssl_free = tls1_free,
253 .ssl_accept = tls13_legacy_accept,
254 .ssl_connect = tls13_legacy_connect,
255 .ssl_shutdown = tls13_legacy_shutdown,
256 .ssl_renegotiate = ssl_undefined_function,
257 .ssl_renegotiate_check = ssl_ok,
258 .ssl_pending = tls13_legacy_pending,
259 .ssl_read_bytes = tls13_legacy_read_bytes,
260 .ssl_write_bytes = tls13_legacy_write_bytes,
261 .get_cipher = ssl3_get_cipher,
262 .enc_flags = TLSV1_3_ENC_FLAGS,
263};
264#endif
265
266static const SSL_METHOD TLS_legacy_method_data = {
267 .dtls = 0,
268 .server = 1,
269 .version = TLS1_2_VERSION,
270 .min_tls_version = TLS1_VERSION,
271 .max_tls_version = TLS1_2_VERSION,
272 .ssl_new = tls1_new,
273 .ssl_clear = tls1_clear,
274 .ssl_free = tls1_free,
275 .ssl_accept = ssl3_accept,
276 .ssl_connect = ssl3_connect,
277 .ssl_shutdown = ssl3_shutdown,
278 .ssl_renegotiate = ssl_undefined_function,
279 .ssl_renegotiate_check = ssl_ok,
280 .ssl_pending = ssl3_pending,
281 .ssl_read_bytes = ssl3_read_bytes,
282 .ssl_write_bytes = ssl3_write_bytes,
283 .get_cipher = ssl3_get_cipher,
284 .enc_flags = TLSV1_2_ENC_FLAGS,
285};
286
287#if defined(LIBRESSL_HAS_TLS1_3_CLIENT)
288static const SSL_METHOD TLS_client_method_data = {
289 .dtls = 0,
290 .server = 0,
291 .version = TLS1_3_VERSION,
292 .min_tls_version = TLS1_VERSION,
293 .max_tls_version = TLS1_3_VERSION,
294 .ssl_new = tls1_new,
295 .ssl_clear = tls1_clear,
296 .ssl_free = tls1_free,
297 .ssl_accept = tls13_legacy_accept,
298 .ssl_connect = tls13_legacy_connect,
299 .ssl_shutdown = tls13_legacy_shutdown,
300 .ssl_renegotiate = ssl_undefined_function,
301 .ssl_renegotiate_check = ssl_ok,
302 .ssl_pending = tls13_legacy_pending,
303 .ssl_read_bytes = tls13_legacy_read_bytes,
304 .ssl_write_bytes = tls13_legacy_write_bytes,
305 .get_cipher = ssl3_get_cipher,
306 .enc_flags = TLSV1_3_ENC_FLAGS,
307};
308
309#else
310
311static const SSL_METHOD TLS_legacy_client_method_data = {
312 .dtls = 0,
313 .server = 0,
314 .version = TLS1_2_VERSION,
315 .min_tls_version = TLS1_VERSION,
316 .max_tls_version = TLS1_2_VERSION,
317 .ssl_new = tls1_new,
318 .ssl_clear = tls1_clear,
319 .ssl_free = tls1_free,
320 .ssl_accept = ssl3_accept,
321 .ssl_connect = ssl3_connect,
322 .ssl_shutdown = ssl3_shutdown,
323 .ssl_renegotiate = ssl_undefined_function,
324 .ssl_renegotiate_check = ssl_ok,
325 .ssl_pending = ssl3_pending,
326 .ssl_read_bytes = ssl3_read_bytes,
327 .ssl_write_bytes = ssl3_write_bytes,
328 .get_cipher = ssl3_get_cipher,
329 .enc_flags = TLSV1_2_ENC_FLAGS,
330};
331#endif
332
333static const SSL_METHOD TLSv1_method_data = {
334 .dtls = 0,
335 .server = 1,
336 .version = TLS1_VERSION,
337 .min_tls_version = TLS1_VERSION,
338 .max_tls_version = TLS1_VERSION,
339 .ssl_new = tls1_new,
340 .ssl_clear = tls1_clear,
341 .ssl_free = tls1_free,
342 .ssl_accept = ssl3_accept,
343 .ssl_connect = ssl3_connect,
344 .ssl_shutdown = ssl3_shutdown,
345 .ssl_renegotiate = ssl3_renegotiate,
346 .ssl_renegotiate_check = ssl3_renegotiate_check,
347 .ssl_pending = ssl3_pending,
348 .ssl_read_bytes = ssl3_read_bytes,
349 .ssl_write_bytes = ssl3_write_bytes,
350 .get_cipher = ssl3_get_cipher,
351 .enc_flags = TLSV1_ENC_FLAGS,
352};
353
354static const SSL_METHOD TLSv1_client_method_data = {
355 .dtls = 0,
356 .server = 0,
357 .version = TLS1_VERSION,
358 .min_tls_version = TLS1_VERSION,
359 .max_tls_version = TLS1_VERSION,
360 .ssl_new = tls1_new,
361 .ssl_clear = tls1_clear,
362 .ssl_free = tls1_free,
363 .ssl_accept = ssl_undefined_function,
364 .ssl_connect = ssl3_connect,
365 .ssl_shutdown = ssl3_shutdown,
366 .ssl_renegotiate = ssl3_renegotiate,
367 .ssl_renegotiate_check = ssl3_renegotiate_check,
368 .ssl_pending = ssl3_pending,
369 .ssl_read_bytes = ssl3_read_bytes,
370 .ssl_write_bytes = ssl3_write_bytes,
371 .get_cipher = ssl3_get_cipher,
372 .enc_flags = TLSV1_ENC_FLAGS,
373};
374
375static const SSL_METHOD TLSv1_1_method_data = {
376 .dtls = 0,
377 .server = 1,
378 .version = TLS1_1_VERSION,
379 .min_tls_version = TLS1_1_VERSION,
380 .max_tls_version = TLS1_1_VERSION,
381 .ssl_new = tls1_new,
382 .ssl_clear = tls1_clear,
383 .ssl_free = tls1_free,
384 .ssl_accept = ssl3_accept,
385 .ssl_connect = ssl3_connect,
386 .ssl_shutdown = ssl3_shutdown,
387 .ssl_renegotiate = ssl3_renegotiate,
388 .ssl_renegotiate_check = ssl3_renegotiate_check,
389 .ssl_pending = ssl3_pending,
390 .ssl_read_bytes = ssl3_read_bytes,
391 .ssl_write_bytes = ssl3_write_bytes,
392 .get_cipher = ssl3_get_cipher,
393 .enc_flags = TLSV1_1_ENC_FLAGS,
394};
395
396static const SSL_METHOD TLSv1_1_client_method_data = {
397 .dtls = 0,
398 .server = 0,
399 .version = TLS1_1_VERSION,
400 .min_tls_version = TLS1_1_VERSION,
401 .max_tls_version = TLS1_1_VERSION,
402 .ssl_new = tls1_new,
403 .ssl_clear = tls1_clear,
404 .ssl_free = tls1_free,
405 .ssl_accept = ssl_undefined_function,
406 .ssl_connect = ssl3_connect,
407 .ssl_shutdown = ssl3_shutdown,
408 .ssl_renegotiate = ssl3_renegotiate,
409 .ssl_renegotiate_check = ssl3_renegotiate_check,
410 .ssl_pending = ssl3_pending,
411 .ssl_read_bytes = ssl3_read_bytes,
412 .ssl_write_bytes = ssl3_write_bytes,
413 .get_cipher = ssl3_get_cipher,
414 .enc_flags = TLSV1_1_ENC_FLAGS,
415};
416
417static const SSL_METHOD TLSv1_2_method_data = {
418 .dtls = 0,
419 .server = 1,
420 .version = TLS1_2_VERSION,
421 .min_tls_version = TLS1_2_VERSION,
422 .max_tls_version = TLS1_2_VERSION,
423 .ssl_new = tls1_new,
424 .ssl_clear = tls1_clear,
425 .ssl_free = tls1_free,
426 .ssl_accept = ssl3_accept,
427 .ssl_connect = ssl3_connect,
428 .ssl_shutdown = ssl3_shutdown,
429 .ssl_renegotiate = ssl3_renegotiate,
430 .ssl_renegotiate_check = ssl3_renegotiate_check,
431 .ssl_pending = ssl3_pending,
432 .ssl_read_bytes = ssl3_read_bytes,
433 .ssl_write_bytes = ssl3_write_bytes,
434 .get_cipher = ssl3_get_cipher,
435 .enc_flags = TLSV1_2_ENC_FLAGS,
436};
437
438static const SSL_METHOD TLSv1_2_client_method_data = {
439 .dtls = 0,
440 .server = 0,
441 .version = TLS1_2_VERSION,
442 .min_tls_version = TLS1_2_VERSION,
443 .max_tls_version = TLS1_2_VERSION,
444 .ssl_new = tls1_new,
445 .ssl_clear = tls1_clear,
446 .ssl_free = tls1_free,
447 .ssl_accept = ssl_undefined_function,
448 .ssl_connect = ssl3_connect,
449 .ssl_shutdown = ssl3_shutdown,
450 .ssl_renegotiate = ssl3_renegotiate,
451 .ssl_renegotiate_check = ssl3_renegotiate_check,
452 .ssl_pending = ssl3_pending,
453 .ssl_read_bytes = ssl3_read_bytes,
454 .ssl_write_bytes = ssl3_write_bytes,
455 .get_cipher = ssl3_get_cipher,
456 .enc_flags = TLSV1_2_ENC_FLAGS,
457};
458
459const SSL_METHOD *
460TLS_client_method(void)
461{
462#if defined(LIBRESSL_HAS_TLS1_3_CLIENT)
463 return (&TLS_client_method_data);
464#else
465 return (&TLS_legacy_client_method_data);
466#endif
467}
468
469const SSL_METHOD *
470TLS_method(void)
471{
472#if defined(LIBRESSL_HAS_TLS1_3_CLIENT) && defined(LIBRESSL_HAS_TLS1_3_SERVER)
473 return (&TLS_method_data);
474#else
475 return tls_legacy_method();
476#endif
477}
478
479const SSL_METHOD *
480TLS_server_method(void)
481{
482 return TLS_method();
483}
484
485const SSL_METHOD *
486tls_legacy_method(void)
487{
488 return (&TLS_legacy_method_data);
489}
490
491const SSL_METHOD *
492SSLv23_client_method(void)
493{
494 return TLS_client_method();
495}
496
497const SSL_METHOD *
498SSLv23_method(void)
499{
500 return TLS_method();
501}
502
503const SSL_METHOD *
504SSLv23_server_method(void)
505{
506 return TLS_method();
507}
508
509const SSL_METHOD *
510TLSv1_client_method(void)
511{
512 return (&TLSv1_client_method_data);
513}
514
515const SSL_METHOD *
516TLSv1_method(void)
517{
518 return (&TLSv1_method_data);
519}
520
521const SSL_METHOD *
522TLSv1_server_method(void)
523{
524 return (&TLSv1_method_data);
525}
526
527const SSL_METHOD *
528TLSv1_1_client_method(void)
529{
530 return (&TLSv1_1_client_method_data);
531}
532
533const SSL_METHOD *
534TLSv1_1_method(void)
535{
536 return (&TLSv1_1_method_data);
537}
538
539const SSL_METHOD *
540TLSv1_1_server_method(void)
541{
542 return (&TLSv1_1_method_data);
543}
544
545const SSL_METHOD *
546TLSv1_2_client_method(void)
547{
548 return (&TLSv1_2_client_method_data);
549}
550
551const SSL_METHOD *
552TLSv1_2_method(void)
553{
554 return (&TLSv1_2_method_data);
555}
556
557const SSL_METHOD *
558TLSv1_2_server_method(void)
559{
560 return (&TLSv1_2_method_data);
561}
562
563const SSL_METHOD *
564ssl_get_method(uint16_t version)
565{
566 if (version == TLS1_3_VERSION)
567 return (TLS_method());
568 if (version == TLS1_2_VERSION)
569 return (TLSv1_2_method());
570 if (version == TLS1_1_VERSION)
571 return (TLSv1_1_method());
572 if (version == TLS1_VERSION)
573 return (TLSv1_method());
574 if (version == DTLS1_VERSION)
575 return (DTLSv1_method());
576 if (version == DTLS1_2_VERSION)
577 return (DTLSv1_2_method());
578
579 return (NULL);
580}
diff --git a/src/lib/libssl/ssl_packet.c b/src/lib/libssl/ssl_packet.c
deleted file mode 100644
index 70017b4664..0000000000
--- a/src/lib/libssl/ssl_packet.c
+++ /dev/null
@@ -1,292 +0,0 @@
1/* $OpenBSD: ssl_packet.c,v 1.15 2022/11/26 16:08:56 tb Exp $ */
2/*
3 * Copyright (c) 2016, 2017 Joel Sing <jsing@openbsd.org>
4 *
5 * Permission to use, copy, modify, and distribute this software for any
6 * purpose with or without fee is hereby granted, provided that the above
7 * copyright notice and this permission notice appear in all copies.
8 *
9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16 */
17
18#include "bytestring.h"
19#include "ssl_local.h"
20
21static int
22ssl_is_sslv2_client_hello(CBS *header)
23{
24 uint16_t record_length;
25 uint8_t message_type;
26 CBS cbs;
27
28 CBS_dup(header, &cbs);
29
30 if (!CBS_get_u16(&cbs, &record_length) ||
31 !CBS_get_u8(&cbs, &message_type))
32 return 0;
33
34 /*
35 * The SSLv2 record length field uses variable length (2 or 3 byte)
36 * encoding. Given the size of a client hello, we expect/require the
37 * 2-byte form which is indicated by a one in the most significant bit.
38 */
39 if ((record_length & 0x8000) == 0)
40 return 0;
41 if ((record_length & ~0x8000) < 3)
42 return 0;
43 if (message_type != SSL2_MT_CLIENT_HELLO)
44 return 0;
45
46 return 1;
47}
48
49static int
50ssl_is_sslv3_handshake(CBS *header)
51{
52 uint16_t record_version;
53 uint8_t record_type;
54 CBS cbs;
55
56 CBS_dup(header, &cbs);
57
58 if (!CBS_get_u8(&cbs, &record_type) ||
59 !CBS_get_u16(&cbs, &record_version))
60 return 0;
61
62 if (record_type != SSL3_RT_HANDSHAKE)
63 return 0;
64 if ((record_version >> 8) != SSL3_VERSION_MAJOR)
65 return 0;
66
67 return 1;
68}
69
70static int
71ssl_convert_sslv2_client_hello(SSL *s)
72{
73 CBB cbb, handshake, client_hello, cipher_suites, compression, session_id;
74 CBS cbs, challenge, cipher_specs, session;
75 uint16_t record_length, client_version, cipher_specs_length;
76 uint16_t session_id_length, challenge_length;
77 unsigned char *client_random = NULL, *data = NULL;
78 size_t data_len, pad_len, len;
79 uint32_t cipher_spec;
80 uint8_t message_type;
81 unsigned char *pad;
82 int ret = -1;
83 int n;
84
85 memset(&cbb, 0, sizeof(cbb));
86
87 CBS_init(&cbs, s->packet, SSL3_RT_HEADER_LENGTH);
88
89 if (!CBS_get_u16(&cbs, &record_length) ||
90 !CBS_get_u8(&cbs, &message_type) ||
91 !CBS_get_u16(&cbs, &client_version))
92 return -1;
93
94 /*
95 * The SSLv2 record length field uses variable length (2 or 3 byte)
96 * encoding. Given the size of a client hello, we expect/require the
97 * 2-byte form which is indicated by a one in the most significant bit.
98 * Also note that the record length value does not include the bytes
99 * used for the record length field.
100 */
101 if ((record_length & 0x8000) == 0)
102 return -1;
103 record_length &= ~0x8000;
104 if (record_length < SSL3_RT_HEADER_LENGTH - 2)
105 return -1;
106 if (message_type != SSL2_MT_CLIENT_HELLO)
107 return -1;
108
109 if (record_length < 9) {
110 SSLerror(s, SSL_R_RECORD_LENGTH_MISMATCH);
111 return -1;
112 }
113 if (record_length > 4096) {
114 SSLerror(s, SSL_R_RECORD_TOO_LARGE);
115 return -1;
116 }
117
118 n = ssl3_packet_extend(s, record_length + 2);
119 if (n != record_length + 2)
120 return n;
121
122 tls1_transcript_record(s, s->packet + 2,
123 s->packet_length - 2);
124 s->mac_packet = 0;
125
126 if (s->msg_callback)
127 s->msg_callback(0, SSL2_VERSION, 0,
128 s->packet + 2, s->packet_length - 2, s,
129 s->msg_callback_arg);
130
131 /* Decode the SSLv2 record containing the client hello. */
132 CBS_init(&cbs, s->packet, s->packet_length);
133
134 if (!CBS_get_u16(&cbs, &record_length))
135 return -1;
136 if (!CBS_get_u8(&cbs, &message_type))
137 return -1;
138 if (!CBS_get_u16(&cbs, &client_version))
139 return -1;
140 if (!CBS_get_u16(&cbs, &cipher_specs_length))
141 return -1;
142 if (!CBS_get_u16(&cbs, &session_id_length))
143 return -1;
144 if (!CBS_get_u16(&cbs, &challenge_length))
145 return -1;
146 if (!CBS_get_bytes(&cbs, &cipher_specs, cipher_specs_length))
147 return -1;
148 if (!CBS_get_bytes(&cbs, &session, session_id_length))
149 return -1;
150 if (!CBS_get_bytes(&cbs, &challenge, challenge_length))
151 return -1;
152 if (CBS_len(&cbs) != 0) {
153 SSLerror(s, SSL_R_RECORD_LENGTH_MISMATCH);
154 return -1;
155 }
156
157 /*
158 * Convert SSLv2 challenge to SSLv3/TLS client random, by truncating or
159 * left-padding with zero bytes.
160 */
161 if ((client_random = malloc(SSL3_RANDOM_SIZE)) == NULL)
162 goto err;
163 if (!CBB_init_fixed(&cbb, client_random, SSL3_RANDOM_SIZE))
164 goto err;
165 if ((len = CBS_len(&challenge)) > SSL3_RANDOM_SIZE)
166 len = SSL3_RANDOM_SIZE;
167 pad_len = SSL3_RANDOM_SIZE - len;
168 if (!CBB_add_space(&cbb, &pad, pad_len))
169 goto err;
170 memset(pad, 0, pad_len);
171 if (!CBB_add_bytes(&cbb, CBS_data(&challenge), len))
172 goto err;
173 if (!CBB_finish(&cbb, NULL, NULL))
174 goto err;
175
176 /* Build SSLv3/TLS record with client hello. */
177 if (!CBB_init(&cbb, SSL3_RT_MAX_PLAIN_LENGTH))
178 goto err;
179 if (!CBB_add_u8(&cbb, SSL3_RT_HANDSHAKE))
180 goto err;
181 if (!CBB_add_u16(&cbb, 0x0301))
182 goto err;
183 if (!CBB_add_u16_length_prefixed(&cbb, &handshake))
184 goto err;
185 if (!CBB_add_u8(&handshake, SSL3_MT_CLIENT_HELLO))
186 goto err;
187 if (!CBB_add_u24_length_prefixed(&handshake, &client_hello))
188 goto err;
189 if (!CBB_add_u16(&client_hello, client_version))
190 goto err;
191 if (!CBB_add_bytes(&client_hello, client_random, SSL3_RANDOM_SIZE))
192 goto err;
193 if (!CBB_add_u8_length_prefixed(&client_hello, &session_id))
194 goto err;
195 if (!CBB_add_u16_length_prefixed(&client_hello, &cipher_suites))
196 goto err;
197 while (CBS_len(&cipher_specs) > 0) {
198 if (!CBS_get_u24(&cipher_specs, &cipher_spec))
199 goto err;
200 if ((cipher_spec & 0xff0000) != 0)
201 continue;
202 if (!CBB_add_u16(&cipher_suites, cipher_spec & 0xffff))
203 goto err;
204 }
205 if (!CBB_add_u8_length_prefixed(&client_hello, &compression))
206 goto err;
207 if (!CBB_add_u8(&compression, 0))
208 goto err;
209 if (!CBB_finish(&cbb, &data, &data_len))
210 goto err;
211
212 if (data_len > s->s3->rbuf.len)
213 goto err;
214
215 s->packet = s->s3->rbuf.buf;
216 s->packet_length = data_len;
217 memcpy(s->packet, data, data_len);
218 ret = 1;
219
220 err:
221 CBB_cleanup(&cbb);
222 free(client_random);
223 free(data);
224
225 return (ret);
226}
227
228/*
229 * Potentially do legacy processing on the first packet received by a TLS
230 * server. We return 1 if we want SSLv3/TLS record processing to continue
231 * normally, otherwise we must set an SSLerr and return -1.
232 */
233int
234ssl_server_legacy_first_packet(SSL *s)
235{
236 uint16_t min_version;
237 const char *data;
238 CBS header;
239
240 if (SSL_is_dtls(s))
241 return 1;
242
243 CBS_init(&header, s->packet, SSL3_RT_HEADER_LENGTH);
244
245 if (ssl_is_sslv3_handshake(&header) == 1)
246 return 1;
247
248 /* Only continue if this is not a version locked method. */
249 if (s->method->min_tls_version == s->method->max_tls_version)
250 return 1;
251
252 if (ssl_is_sslv2_client_hello(&header) == 1) {
253 /* Only permit SSLv2 client hellos if TLSv1.0 is enabled. */
254 if (ssl_enabled_tls_version_range(s, &min_version, NULL) != 1) {
255 SSLerror(s, SSL_R_NO_PROTOCOLS_AVAILABLE);
256 return -1;
257 }
258 if (min_version > TLS1_VERSION)
259 return 1;
260
261 if (ssl_convert_sslv2_client_hello(s) != 1) {
262 SSLerror(s, SSL_R_BAD_PACKET_LENGTH);
263 return -1;
264 }
265
266 return 1;
267 }
268
269 /* Ensure that we have SSL3_RT_HEADER_LENGTH (5 bytes) of the packet. */
270 if (CBS_len(&header) != SSL3_RT_HEADER_LENGTH) {
271 SSLerror(s, ERR_R_INTERNAL_ERROR);
272 return -1;
273 }
274 data = (const char *)CBS_data(&header);
275
276 /* Is this a cleartext protocol? */
277 if (strncmp("GET ", data, 4) == 0 ||
278 strncmp("POST ", data, 5) == 0 ||
279 strncmp("HEAD ", data, 5) == 0 ||
280 strncmp("PUT ", data, 4) == 0) {
281 SSLerror(s, SSL_R_HTTP_REQUEST);
282 return -1;
283 }
284 if (strncmp("CONNE", data, 5) == 0) {
285 SSLerror(s, SSL_R_HTTPS_PROXY_REQUEST);
286 return -1;
287 }
288
289 SSLerror(s, SSL_R_UNKNOWN_PROTOCOL);
290
291 return -1;
292}
diff --git a/src/lib/libssl/ssl_pkt.c b/src/lib/libssl/ssl_pkt.c
deleted file mode 100644
index 728ac141e5..0000000000
--- a/src/lib/libssl/ssl_pkt.c
+++ /dev/null
@@ -1,1324 +0,0 @@
1/* $OpenBSD: ssl_pkt.c,v 1.65 2022/11/26 16:08:56 tb Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58/* ====================================================================
59 * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved.
60 *
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
63 * are met:
64 *
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
67 *
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
71 * distribution.
72 *
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77 *
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
82 *
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
86 *
87 * 6. Redistributions of any form whatsoever must retain the following
88 * acknowledgment:
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91 *
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
105 *
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
109 *
110 */
111
112#include <errno.h>
113#include <limits.h>
114#include <stdio.h>
115
116#include <openssl/buffer.h>
117#include <openssl/evp.h>
118
119#include "bytestring.h"
120#include "dtls_local.h"
121#include "ssl_local.h"
122#include "tls_content.h"
123
124static int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
125 unsigned int len);
126static int ssl3_get_record(SSL *s);
127
128/*
129 * Force a WANT_READ return for certain error conditions where
130 * we don't want to spin internally.
131 */
132void
133ssl_force_want_read(SSL *s)
134{
135 BIO *bio;
136
137 bio = SSL_get_rbio(s);
138 BIO_clear_retry_flags(bio);
139 BIO_set_retry_read(bio);
140
141 s->rwstate = SSL_READING;
142}
143
144/*
145 * If extend == 0, obtain new n-byte packet; if extend == 1, increase
146 * packet by another n bytes.
147 * The packet will be in the sub-array of s->s3->rbuf.buf specified
148 * by s->packet and s->packet_length.
149 * (If s->read_ahead is set, 'max' bytes may be stored in rbuf
150 * [plus s->packet_length bytes if extend == 1].)
151 */
152static int
153ssl3_read_n(SSL *s, int n, int max, int extend)
154{
155 SSL3_BUFFER_INTERNAL *rb = &(s->s3->rbuf);
156 int i, len, left;
157 size_t align;
158 unsigned char *pkt;
159
160 if (n <= 0)
161 return n;
162
163 if (rb->buf == NULL) {
164 if (!ssl3_setup_read_buffer(s))
165 return -1;
166 }
167 if (rb->buf == NULL)
168 return -1;
169
170 left = rb->left;
171 align = (size_t)rb->buf + SSL3_RT_HEADER_LENGTH;
172 align = (-align) & (SSL3_ALIGN_PAYLOAD - 1);
173
174 if (!extend) {
175 /* start with empty packet ... */
176 if (left == 0)
177 rb->offset = align;
178 else if (align != 0 && left >= SSL3_RT_HEADER_LENGTH) {
179 /* check if next packet length is large
180 * enough to justify payload alignment... */
181 pkt = rb->buf + rb->offset;
182 if (pkt[0] == SSL3_RT_APPLICATION_DATA &&
183 (pkt[3]<<8|pkt[4]) >= 128) {
184 /* Note that even if packet is corrupted
185 * and its length field is insane, we can
186 * only be led to wrong decision about
187 * whether memmove will occur or not.
188 * Header values has no effect on memmove
189 * arguments and therefore no buffer
190 * overrun can be triggered. */
191 memmove(rb->buf + align, pkt, left);
192 rb->offset = align;
193 }
194 }
195 s->packet = rb->buf + rb->offset;
196 s->packet_length = 0;
197 /* ... now we can act as if 'extend' was set */
198 }
199
200 /* For DTLS/UDP reads should not span multiple packets
201 * because the read operation returns the whole packet
202 * at once (as long as it fits into the buffer). */
203 if (SSL_is_dtls(s)) {
204 if (left > 0 && n > left)
205 n = left;
206 }
207
208 /* if there is enough in the buffer from a previous read, take some */
209 if (left >= n) {
210 s->packet_length += n;
211 rb->left = left - n;
212 rb->offset += n;
213 return (n);
214 }
215
216 /* else we need to read more data */
217
218 len = s->packet_length;
219 pkt = rb->buf + align;
220 /* Move any available bytes to front of buffer:
221 * 'len' bytes already pointed to by 'packet',
222 * 'left' extra ones at the end */
223 if (s->packet != pkt) {
224 /* len > 0 */
225 memmove(pkt, s->packet, len + left);
226 s->packet = pkt;
227 rb->offset = len + align;
228 }
229
230 if (n > (int)(rb->len - rb->offset)) {
231 /* does not happen */
232 SSLerror(s, ERR_R_INTERNAL_ERROR);
233 return -1;
234 }
235
236 if (s->read_ahead || SSL_is_dtls(s)) {
237 if (max < n)
238 max = n;
239 if (max > (int)(rb->len - rb->offset))
240 max = rb->len - rb->offset;
241 } else {
242 /* ignore max parameter */
243 max = n;
244 }
245
246 while (left < n) {
247 /* Now we have len+left bytes at the front of s->s3->rbuf.buf
248 * and need to read in more until we have len+n (up to
249 * len+max if possible) */
250
251 errno = 0;
252 if (s->rbio != NULL) {
253 s->rwstate = SSL_READING;
254 i = BIO_read(s->rbio, pkt + len + left, max - left);
255 } else {
256 SSLerror(s, SSL_R_READ_BIO_NOT_SET);
257 i = -1;
258 }
259
260 if (i <= 0) {
261 rb->left = left;
262 if (s->mode & SSL_MODE_RELEASE_BUFFERS &&
263 !SSL_is_dtls(s)) {
264 if (len + left == 0)
265 ssl3_release_read_buffer(s);
266 }
267 return (i);
268 }
269 left += i;
270
271 /*
272 * reads should *never* span multiple packets for DTLS because
273 * the underlying transport protocol is message oriented as
274 * opposed to byte oriented as in the TLS case.
275 */
276 if (SSL_is_dtls(s)) {
277 if (n > left)
278 n = left; /* makes the while condition false */
279 }
280 }
281
282 /* done reading, now the book-keeping */
283 rb->offset += n;
284 rb->left = left - n;
285 s->packet_length += n;
286 s->rwstate = SSL_NOTHING;
287
288 return (n);
289}
290
291int
292ssl3_packet_read(SSL *s, int plen)
293{
294 int n;
295
296 n = ssl3_read_n(s, plen, s->s3->rbuf.len, 0);
297 if (n <= 0)
298 return n;
299 if (s->packet_length < plen)
300 return s->packet_length;
301
302 return plen;
303}
304
305int
306ssl3_packet_extend(SSL *s, int plen)
307{
308 int rlen, n;
309
310 if (s->packet_length >= plen)
311 return plen;
312 rlen = plen - s->packet_length;
313
314 n = ssl3_read_n(s, rlen, rlen, 1);
315 if (n <= 0)
316 return n;
317 if (s->packet_length < plen)
318 return s->packet_length;
319
320 return plen;
321}
322
323/* Call this to get a new input record.
324 * It will return <= 0 if more data is needed, normally due to an error
325 * or non-blocking IO.
326 * When it finishes, one packet has been decoded and can be found in
327 * ssl->s3->rrec.type - is the type of record
328 * ssl->s3->rrec.data, - data
329 * ssl->s3->rrec.length, - number of bytes
330 */
331/* used only by ssl3_read_bytes */
332static int
333ssl3_get_record(SSL *s)
334{
335 SSL3_BUFFER_INTERNAL *rb = &(s->s3->rbuf);
336 SSL3_RECORD_INTERNAL *rr = &(s->s3->rrec);
337 uint8_t alert_desc;
338 int al, n;
339 int ret = -1;
340
341 again:
342 /* check if we have the header */
343 if ((s->rstate != SSL_ST_READ_BODY) ||
344 (s->packet_length < SSL3_RT_HEADER_LENGTH)) {
345 CBS header;
346 uint16_t len, ssl_version;
347 uint8_t type;
348
349 n = ssl3_packet_read(s, SSL3_RT_HEADER_LENGTH);
350 if (n <= 0)
351 return (n);
352
353 s->mac_packet = 1;
354 s->rstate = SSL_ST_READ_BODY;
355
356 if (s->server && s->first_packet) {
357 if ((ret = ssl_server_legacy_first_packet(s)) != 1)
358 return (ret);
359 ret = -1;
360 }
361
362 CBS_init(&header, s->packet, SSL3_RT_HEADER_LENGTH);
363
364 /* Pull apart the header into the SSL3_RECORD_INTERNAL */
365 if (!CBS_get_u8(&header, &type) ||
366 !CBS_get_u16(&header, &ssl_version) ||
367 !CBS_get_u16(&header, &len)) {
368 SSLerror(s, SSL_R_BAD_PACKET_LENGTH);
369 goto err;
370 }
371
372 rr->type = type;
373 rr->length = len;
374
375 /* Lets check version */
376 if (!s->first_packet && ssl_version != s->version) {
377 if ((s->version & 0xFF00) == (ssl_version & 0xFF00) &&
378 !tls12_record_layer_write_protected(s->rl)) {
379 /* Send back error using their minor version number :-) */
380 s->version = ssl_version;
381 }
382 SSLerror(s, SSL_R_WRONG_VERSION_NUMBER);
383 al = SSL_AD_PROTOCOL_VERSION;
384 goto fatal_err;
385 }
386
387 if ((ssl_version >> 8) != SSL3_VERSION_MAJOR) {
388 SSLerror(s, SSL_R_WRONG_VERSION_NUMBER);
389 goto err;
390 }
391
392 if (rr->length > rb->len - SSL3_RT_HEADER_LENGTH) {
393 al = SSL_AD_RECORD_OVERFLOW;
394 SSLerror(s, SSL_R_PACKET_LENGTH_TOO_LONG);
395 goto fatal_err;
396 }
397 }
398
399 n = ssl3_packet_extend(s, SSL3_RT_HEADER_LENGTH + rr->length);
400 if (n <= 0)
401 return (n);
402 if (n != SSL3_RT_HEADER_LENGTH + rr->length)
403 return (n);
404
405 s->rstate = SSL_ST_READ_HEADER; /* set state for later operations */
406
407 /*
408 * A full record has now been read from the wire, which now needs
409 * to be processed.
410 */
411 tls12_record_layer_set_version(s->rl, s->version);
412
413 if (!tls12_record_layer_open_record(s->rl, s->packet, s->packet_length,
414 s->s3->rcontent)) {
415 tls12_record_layer_alert(s->rl, &alert_desc);
416
417 if (alert_desc == 0)
418 goto err;
419
420 if (alert_desc == SSL_AD_RECORD_OVERFLOW)
421 SSLerror(s, SSL_R_ENCRYPTED_LENGTH_TOO_LONG);
422 else if (alert_desc == SSL_AD_BAD_RECORD_MAC)
423 SSLerror(s, SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);
424
425 al = alert_desc;
426 goto fatal_err;
427 }
428
429 /* we have pulled in a full packet so zero things */
430 s->packet_length = 0;
431
432 if (tls_content_remaining(s->s3->rcontent) == 0) {
433 /*
434 * Zero-length fragments are only permitted for application
435 * data, as per RFC 5246 section 6.2.1.
436 */
437 if (rr->type != SSL3_RT_APPLICATION_DATA) {
438 SSLerror(s, SSL_R_BAD_LENGTH);
439 al = SSL_AD_UNEXPECTED_MESSAGE;
440 goto fatal_err;
441 }
442
443 tls_content_clear(s->s3->rcontent);
444
445 /*
446 * CBC countermeasures for known IV weaknesses can legitimately
447 * insert a single empty record, so we allow ourselves to read
448 * once past a single empty record without forcing want_read.
449 */
450 if (s->empty_record_count++ > SSL_MAX_EMPTY_RECORDS) {
451 SSLerror(s, SSL_R_PEER_BEHAVING_BADLY);
452 return -1;
453 }
454 if (s->empty_record_count > 1) {
455 ssl_force_want_read(s);
456 return -1;
457 }
458 goto again;
459 }
460
461 s->empty_record_count = 0;
462
463 return (1);
464
465 fatal_err:
466 ssl3_send_alert(s, SSL3_AL_FATAL, al);
467 err:
468 return (ret);
469}
470
471/* Call this to write data in records of type 'type'
472 * It will return <= 0 if not all data has been sent or non-blocking IO.
473 */
474int
475ssl3_write_bytes(SSL *s, int type, const void *buf_, int len)
476{
477 const unsigned char *buf = buf_;
478 unsigned int tot, n, nw;
479 int i;
480
481 if (len < 0) {
482 SSLerror(s, ERR_R_INTERNAL_ERROR);
483 return -1;
484 }
485
486 s->rwstate = SSL_NOTHING;
487 tot = s->s3->wnum;
488 s->s3->wnum = 0;
489
490 if (SSL_in_init(s) && !s->in_handshake) {
491 i = s->handshake_func(s);
492 if (i < 0)
493 return (i);
494 if (i == 0) {
495 SSLerror(s, SSL_R_SSL_HANDSHAKE_FAILURE);
496 return -1;
497 }
498 }
499
500 if (len < tot)
501 len = tot;
502 n = (len - tot);
503 for (;;) {
504 if (n > s->max_send_fragment)
505 nw = s->max_send_fragment;
506 else
507 nw = n;
508
509 i = do_ssl3_write(s, type, &(buf[tot]), nw);
510 if (i <= 0) {
511 s->s3->wnum = tot;
512 return i;
513 }
514
515 if ((i == (int)n) || (type == SSL3_RT_APPLICATION_DATA &&
516 (s->mode & SSL_MODE_ENABLE_PARTIAL_WRITE))) {
517 /*
518 * Next chunk of data should get another prepended
519 * empty fragment in ciphersuites with known-IV
520 * weakness.
521 */
522 s->s3->empty_fragment_done = 0;
523
524 return tot + i;
525 }
526
527 n -= i;
528 tot += i;
529 }
530}
531
532static int
533do_ssl3_write(SSL *s, int type, const unsigned char *buf, unsigned int len)
534{
535 SSL3_BUFFER_INTERNAL *wb = &(s->s3->wbuf);
536 SSL_SESSION *sess = s->session;
537 int need_empty_fragment = 0;
538 size_t align, out_len;
539 uint16_t version;
540 CBB cbb;
541 int ret;
542
543 memset(&cbb, 0, sizeof(cbb));
544
545 if (wb->buf == NULL)
546 if (!ssl3_setup_write_buffer(s))
547 return -1;
548
549 /*
550 * First check if there is a SSL3_BUFFER_INTERNAL still being written
551 * out. This will happen with non blocking IO.
552 */
553 if (wb->left != 0)
554 return (ssl3_write_pending(s, type, buf, len));
555
556 /* If we have an alert to send, let's send it. */
557 if (s->s3->alert_dispatch) {
558 if ((ret = ssl3_dispatch_alert(s)) <= 0)
559 return (ret);
560 /* If it went, fall through and send more stuff. */
561
562 /* We may have released our buffer, if so get it again. */
563 if (wb->buf == NULL)
564 if (!ssl3_setup_write_buffer(s))
565 return -1;
566 }
567
568 if (len == 0)
569 return 0;
570
571 /*
572 * Some servers hang if initial client hello is larger than 256
573 * bytes and record version number > TLS 1.0.
574 */
575 version = s->version;
576 if (s->s3->hs.state == SSL3_ST_CW_CLNT_HELLO_B &&
577 !s->renegotiate &&
578 s->s3->hs.our_max_tls_version > TLS1_VERSION)
579 version = TLS1_VERSION;
580
581 /*
582 * Countermeasure against known-IV weakness in CBC ciphersuites
583 * (see http://www.openssl.org/~bodo/tls-cbc.txt). Note that this
584 * is unnecessary for AEAD.
585 */
586 if (sess != NULL && tls12_record_layer_write_protected(s->rl)) {
587 if (s->s3->need_empty_fragments &&
588 !s->s3->empty_fragment_done &&
589 type == SSL3_RT_APPLICATION_DATA)
590 need_empty_fragment = 1;
591 }
592
593 /*
594 * An extra fragment would be a couple of cipher blocks, which would
595 * be a multiple of SSL3_ALIGN_PAYLOAD, so if we want to align the real
596 * payload, then we can just simply pretend we have two headers.
597 */
598 align = (size_t)wb->buf + SSL3_RT_HEADER_LENGTH;
599 if (need_empty_fragment)
600 align += SSL3_RT_HEADER_LENGTH;
601 align = (-align) & (SSL3_ALIGN_PAYLOAD - 1);
602 wb->offset = align;
603
604 if (!CBB_init_fixed(&cbb, wb->buf + align, wb->len - align))
605 goto err;
606
607 tls12_record_layer_set_version(s->rl, version);
608
609 if (need_empty_fragment) {
610 if (!tls12_record_layer_seal_record(s->rl, type,
611 buf, 0, &cbb))
612 goto err;
613 s->s3->empty_fragment_done = 1;
614 }
615
616 if (!tls12_record_layer_seal_record(s->rl, type, buf, len, &cbb))
617 goto err;
618
619 if (!CBB_finish(&cbb, NULL, &out_len))
620 goto err;
621
622 wb->left = out_len;
623
624 /*
625 * Memorize arguments so that ssl3_write_pending can detect
626 * bad write retries later.
627 */
628 s->s3->wpend_tot = len;
629 s->s3->wpend_buf = buf;
630 s->s3->wpend_type = type;
631 s->s3->wpend_ret = len;
632
633 /* We now just need to write the buffer. */
634 return ssl3_write_pending(s, type, buf, len);
635
636 err:
637 CBB_cleanup(&cbb);
638
639 return -1;
640}
641
642/* if s->s3->wbuf.left != 0, we need to call this */
643int
644ssl3_write_pending(SSL *s, int type, const unsigned char *buf, unsigned int len)
645{
646 int i;
647 SSL3_BUFFER_INTERNAL *wb = &(s->s3->wbuf);
648
649 /* XXXX */
650 if ((s->s3->wpend_tot > (int)len) || ((s->s3->wpend_buf != buf) &&
651 !(s->mode & SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER)) ||
652 (s->s3->wpend_type != type)) {
653 SSLerror(s, SSL_R_BAD_WRITE_RETRY);
654 return (-1);
655 }
656
657 for (;;) {
658 errno = 0;
659 if (s->wbio != NULL) {
660 s->rwstate = SSL_WRITING;
661 i = BIO_write(s->wbio, (char *)&(wb->buf[wb->offset]),
662 (unsigned int)wb->left);
663 } else {
664 SSLerror(s, SSL_R_BIO_NOT_SET);
665 i = -1;
666 }
667 if (i == wb->left) {
668 wb->left = 0;
669 wb->offset += i;
670 if (s->mode & SSL_MODE_RELEASE_BUFFERS &&
671 !SSL_is_dtls(s))
672 ssl3_release_write_buffer(s);
673 s->rwstate = SSL_NOTHING;
674 return (s->s3->wpend_ret);
675 } else if (i <= 0) {
676 /*
677 * For DTLS, just drop it. That's kind of the
678 * whole point in using a datagram service.
679 */
680 if (SSL_is_dtls(s))
681 wb->left = 0;
682 return (i);
683 }
684 wb->offset += i;
685 wb->left -= i;
686 }
687}
688
689static ssize_t
690ssl3_read_cb(void *buf, size_t n, void *cb_arg)
691{
692 SSL *s = cb_arg;
693
694 return tls_content_read(s->s3->rcontent, buf, n);
695}
696
697#define SSL3_ALERT_LENGTH 2
698
699int
700ssl3_read_alert(SSL *s)
701{
702 uint8_t alert_level, alert_descr;
703 ssize_t ret;
704 CBS cbs;
705
706 /*
707 * TLSv1.2 permits an alert to be fragmented across multiple records or
708 * for multiple alerts to be be coalesced into a single alert record.
709 * In the case of DTLS, there is no way to reassemble an alert
710 * fragmented across multiple records, hence a full alert must be
711 * available in the record.
712 */
713 if (s->s3->alert_fragment == NULL) {
714 if ((s->s3->alert_fragment = tls_buffer_new(0)) == NULL)
715 return -1;
716 tls_buffer_set_capacity_limit(s->s3->alert_fragment,
717 SSL3_ALERT_LENGTH);
718 }
719 ret = tls_buffer_extend(s->s3->alert_fragment, SSL3_ALERT_LENGTH,
720 ssl3_read_cb, s);
721 if (ret <= 0 && ret != TLS_IO_WANT_POLLIN)
722 return -1;
723 if (ret != SSL3_ALERT_LENGTH) {
724 if (SSL_is_dtls(s)) {
725 SSLerror(s, SSL_R_BAD_LENGTH);
726 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
727 return -1;
728 }
729 return 1;
730 }
731
732 if (!tls_buffer_data(s->s3->alert_fragment, &cbs))
733 return -1;
734
735 ssl_msg_callback_cbs(s, 0, SSL3_RT_ALERT, &cbs);
736
737 if (!CBS_get_u8(&cbs, &alert_level))
738 return -1;
739 if (!CBS_get_u8(&cbs, &alert_descr))
740 return -1;
741
742 tls_buffer_free(s->s3->alert_fragment);
743 s->s3->alert_fragment = NULL;
744
745 ssl_info_callback(s, SSL_CB_READ_ALERT,
746 (alert_level << 8) | alert_descr);
747
748 if (alert_level == SSL3_AL_WARNING) {
749 s->s3->warn_alert = alert_descr;
750 if (alert_descr == SSL_AD_CLOSE_NOTIFY) {
751 s->shutdown |= SSL_RECEIVED_SHUTDOWN;
752 return 0;
753 }
754 /* We requested renegotiation and the peer rejected it. */
755 if (alert_descr == SSL_AD_NO_RENEGOTIATION) {
756 SSLerror(s, SSL_R_NO_RENEGOTIATION);
757 ssl3_send_alert(s, SSL3_AL_FATAL,
758 SSL_AD_HANDSHAKE_FAILURE);
759 return -1;
760 }
761 } else if (alert_level == SSL3_AL_FATAL) {
762 s->rwstate = SSL_NOTHING;
763 s->s3->fatal_alert = alert_descr;
764 SSLerror(s, SSL_AD_REASON_OFFSET + alert_descr);
765 ERR_asprintf_error_data("SSL alert number %d", alert_descr);
766 s->shutdown |= SSL_RECEIVED_SHUTDOWN;
767 SSL_CTX_remove_session(s->ctx, s->session);
768 return 0;
769 } else {
770 SSLerror(s, SSL_R_UNKNOWN_ALERT_TYPE);
771 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
772 return -1;
773 }
774
775 return 1;
776}
777
778int
779ssl3_read_change_cipher_spec(SSL *s)
780{
781 const uint8_t ccs[1] = { SSL3_MT_CCS };
782
783 /*
784 * 'Change Cipher Spec' is just a single byte, so we know exactly what
785 * the record payload has to look like.
786 */
787 if (tls_content_remaining(s->s3->rcontent) != sizeof(ccs)) {
788 SSLerror(s, SSL_R_BAD_CHANGE_CIPHER_SPEC);
789 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
790 return -1;
791 }
792 if (!tls_content_equal(s->s3->rcontent, ccs, sizeof(ccs))) {
793 SSLerror(s, SSL_R_BAD_CHANGE_CIPHER_SPEC);
794 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
795 return -1;
796 }
797
798 /* XDTLS: check that epoch is consistent */
799
800 ssl_msg_callback_cbs(s, 0, SSL3_RT_CHANGE_CIPHER_SPEC,
801 tls_content_cbs(s->s3->rcontent));
802
803 /* Check that we have a cipher to change to. */
804 if (s->s3->hs.cipher == NULL) {
805 SSLerror(s, SSL_R_CCS_RECEIVED_EARLY);
806 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
807 return -1;
808 }
809
810 /* Check that we should be receiving a Change Cipher Spec. */
811 if (SSL_is_dtls(s)) {
812 if (!s->d1->change_cipher_spec_ok) {
813 /*
814 * We can't process a CCS now, because previous
815 * handshake messages are still missing, so just
816 * drop it.
817 */
818 tls_content_clear(s->s3->rcontent);
819 return 1;
820 }
821 s->d1->change_cipher_spec_ok = 0;
822 } else {
823 if ((s->s3->flags & SSL3_FLAGS_CCS_OK) == 0) {
824 SSLerror(s, SSL_R_CCS_RECEIVED_EARLY);
825 ssl3_send_alert(s, SSL3_AL_FATAL,
826 SSL_AD_UNEXPECTED_MESSAGE);
827 return -1;
828 }
829 s->s3->flags &= ~SSL3_FLAGS_CCS_OK;
830 }
831
832 tls_content_clear(s->s3->rcontent);
833
834 s->s3->change_cipher_spec = 1;
835 if (!ssl3_do_change_cipher_spec(s))
836 return -1;
837
838 return 1;
839}
840
841static int
842ssl3_read_handshake_unexpected(SSL *s)
843{
844 uint32_t hs_msg_length;
845 uint8_t hs_msg_type;
846 ssize_t ssret;
847 CBS cbs;
848 int ret;
849
850 /*
851 * We need four bytes of handshake data so we have a handshake message
852 * header - this may be in the same record or fragmented across multiple
853 * records.
854 */
855 if (s->s3->handshake_fragment == NULL) {
856 if ((s->s3->handshake_fragment = tls_buffer_new(0)) == NULL)
857 return -1;
858 tls_buffer_set_capacity_limit(s->s3->handshake_fragment,
859 SSL3_HM_HEADER_LENGTH);
860 }
861 ssret = tls_buffer_extend(s->s3->handshake_fragment, SSL3_HM_HEADER_LENGTH,
862 ssl3_read_cb, s);
863 if (ssret <= 0 && ssret != TLS_IO_WANT_POLLIN)
864 return -1;
865 if (ssret != SSL3_HM_HEADER_LENGTH)
866 return 1;
867
868 if (s->in_handshake) {
869 SSLerror(s, ERR_R_INTERNAL_ERROR);
870 return -1;
871 }
872
873 /*
874 * This code currently deals with HelloRequest and ClientHello messages -
875 * anything else is pushed to the handshake_func. Almost all of this
876 * belongs in the client/server handshake code.
877 */
878
879 /* Parse handshake message header. */
880 if (!tls_buffer_data(s->s3->handshake_fragment, &cbs))
881 return -1;
882 if (!CBS_get_u8(&cbs, &hs_msg_type))
883 return -1;
884 if (!CBS_get_u24(&cbs, &hs_msg_length))
885 return -1;
886
887 if (hs_msg_type == SSL3_MT_HELLO_REQUEST) {
888 /*
889 * Incoming HelloRequest messages should only be received by a
890 * client. A server may send these at any time - a client should
891 * ignore the message if received in the middle of a handshake.
892 * See RFC 5246 sections 7.4 and 7.4.1.1.
893 */
894 if (s->server) {
895 SSLerror(s, SSL_R_UNEXPECTED_MESSAGE);
896 ssl3_send_alert(s, SSL3_AL_FATAL,
897 SSL_AD_UNEXPECTED_MESSAGE);
898 return -1;
899 }
900
901 if (hs_msg_length != 0) {
902 SSLerror(s, SSL_R_BAD_HELLO_REQUEST);
903 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
904 return -1;
905 }
906
907 if (!tls_buffer_data(s->s3->handshake_fragment, &cbs))
908 return -1;
909 ssl_msg_callback_cbs(s, 0, SSL3_RT_HANDSHAKE, &cbs);
910
911 tls_buffer_free(s->s3->handshake_fragment);
912 s->s3->handshake_fragment = NULL;
913
914 /*
915 * It should be impossible to hit this, but keep the safety
916 * harness for now...
917 */
918 if (s->session == NULL || s->session->cipher == NULL)
919 return 1;
920
921 /*
922 * Ignore this message if we're currently handshaking,
923 * renegotiation is already pending or renegotiation is disabled
924 * via flags.
925 */
926 if (!SSL_is_init_finished(s) || s->s3->renegotiate ||
927 (s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) != 0)
928 return 1;
929
930 if (!ssl3_renegotiate(s))
931 return 1;
932 if (!ssl3_renegotiate_check(s))
933 return 1;
934
935 } else if (hs_msg_type == SSL3_MT_CLIENT_HELLO) {
936 /*
937 * Incoming ClientHello messages should only be received by a
938 * server. A client may send these in response to server
939 * initiated renegotiation (HelloRequest) or in order to
940 * initiate renegotiation by the client. See RFC 5246 section
941 * 7.4.1.2.
942 */
943 if (!s->server) {
944 SSLerror(s, SSL_R_UNEXPECTED_MESSAGE);
945 ssl3_send_alert(s, SSL3_AL_FATAL,
946 SSL_AD_UNEXPECTED_MESSAGE);
947 return -1;
948 }
949
950 /*
951 * A client should not be sending a ClientHello unless we're not
952 * currently handshaking.
953 */
954 if (!SSL_is_init_finished(s)) {
955 SSLerror(s, SSL_R_UNEXPECTED_MESSAGE);
956 ssl3_send_alert(s, SSL3_AL_FATAL,
957 SSL_AD_UNEXPECTED_MESSAGE);
958 return -1;
959 }
960
961 if ((s->options & SSL_OP_NO_CLIENT_RENEGOTIATION) != 0) {
962 ssl3_send_alert(s, SSL3_AL_FATAL,
963 SSL_AD_NO_RENEGOTIATION);
964 return -1;
965 }
966
967 if (s->session == NULL || s->session->cipher == NULL) {
968 SSLerror(s, ERR_R_INTERNAL_ERROR);
969 return -1;
970 }
971
972 /* Client requested renegotiation but it is not permitted. */
973 if (!s->s3->send_connection_binding ||
974 (s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) != 0) {
975 ssl3_send_alert(s, SSL3_AL_WARNING,
976 SSL_AD_NO_RENEGOTIATION);
977 return 1;
978 }
979
980 s->s3->hs.state = SSL_ST_ACCEPT;
981 s->renegotiate = 1;
982 s->new_session = 1;
983
984 } else {
985 SSLerror(s, SSL_R_UNEXPECTED_MESSAGE);
986 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
987 return -1;
988 }
989
990 if ((ret = s->handshake_func(s)) < 0)
991 return ret;
992 if (ret == 0) {
993 SSLerror(s, SSL_R_SSL_HANDSHAKE_FAILURE);
994 return -1;
995 }
996
997 if (!(s->mode & SSL_MODE_AUTO_RETRY)) {
998 if (s->s3->rbuf.left == 0) {
999 ssl_force_want_read(s);
1000 return -1;
1001 }
1002 }
1003
1004 /*
1005 * We either finished a handshake or ignored the request, now try again
1006 * to obtain the (application) data we were asked for.
1007 */
1008 return 1;
1009}
1010
1011/* Return up to 'len' payload bytes received in 'type' records.
1012 * 'type' is one of the following:
1013 *
1014 * - SSL3_RT_HANDSHAKE (when ssl3_get_message calls us)
1015 * - SSL3_RT_APPLICATION_DATA (when ssl3_read calls us)
1016 * - 0 (during a shutdown, no data has to be returned)
1017 *
1018 * If we don't have stored data to work from, read a SSL/TLS record first
1019 * (possibly multiple records if we still don't have anything to return).
1020 *
1021 * This function must handle any surprises the peer may have for us, such as
1022 * Alert records (e.g. close_notify), ChangeCipherSpec records (not really
1023 * a surprise, but handled as if it were), or renegotiation requests.
1024 * Also if record payloads contain fragments too small to process, we store
1025 * them until there is enough for the respective protocol (the record protocol
1026 * may use arbitrary fragmentation and even interleaving):
1027 * Change cipher spec protocol
1028 * just 1 byte needed, no need for keeping anything stored
1029 * Alert protocol
1030 * 2 bytes needed (AlertLevel, AlertDescription)
1031 * Handshake protocol
1032 * 4 bytes needed (HandshakeType, uint24 length) -- we just have
1033 * to detect unexpected Client Hello and Hello Request messages
1034 * here, anything else is handled by higher layers
1035 * Application data protocol
1036 * none of our business
1037 */
1038int
1039ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
1040{
1041 int rrcount = 0;
1042 ssize_t ssret;
1043 int ret;
1044
1045 if (s->s3->rbuf.buf == NULL) {
1046 if (!ssl3_setup_read_buffer(s))
1047 return -1;
1048 }
1049
1050 if (s->s3->rcontent == NULL) {
1051 if ((s->s3->rcontent = tls_content_new()) == NULL)
1052 return -1;
1053 }
1054
1055 if (len < 0) {
1056 SSLerror(s, ERR_R_INTERNAL_ERROR);
1057 return -1;
1058 }
1059
1060 if (type != 0 && type != SSL3_RT_APPLICATION_DATA &&
1061 type != SSL3_RT_HANDSHAKE) {
1062 SSLerror(s, ERR_R_INTERNAL_ERROR);
1063 return -1;
1064 }
1065 if (peek && type != SSL3_RT_APPLICATION_DATA) {
1066 SSLerror(s, ERR_R_INTERNAL_ERROR);
1067 return -1;
1068 }
1069
1070 if (type == SSL3_RT_HANDSHAKE &&
1071 s->s3->handshake_fragment != NULL &&
1072 tls_buffer_remaining(s->s3->handshake_fragment) > 0) {
1073 ssize_t ssn;
1074
1075 if ((ssn = tls_buffer_read(s->s3->handshake_fragment, buf,
1076 len)) <= 0)
1077 return -1;
1078
1079 if (tls_buffer_remaining(s->s3->handshake_fragment) == 0) {
1080 tls_buffer_free(s->s3->handshake_fragment);
1081 s->s3->handshake_fragment = NULL;
1082 }
1083
1084 return (int)ssn;
1085 }
1086
1087 if (SSL_in_init(s) && !s->in_handshake) {
1088 if ((ret = s->handshake_func(s)) < 0)
1089 return ret;
1090 if (ret == 0) {
1091 SSLerror(s, SSL_R_SSL_HANDSHAKE_FAILURE);
1092 return -1;
1093 }
1094 }
1095
1096 start:
1097 /*
1098 * Do not process more than three consecutive records, otherwise the
1099 * peer can cause us to loop indefinitely. Instead, return with an
1100 * SSL_ERROR_WANT_READ so the caller can choose when to handle further
1101 * processing. In the future, the total number of non-handshake and
1102 * non-application data records per connection should probably also be
1103 * limited...
1104 */
1105 if (rrcount++ >= 3) {
1106 ssl_force_want_read(s);
1107 return -1;
1108 }
1109
1110 s->rwstate = SSL_NOTHING;
1111
1112 if (tls_content_remaining(s->s3->rcontent) == 0) {
1113 if ((ret = ssl3_get_record(s)) <= 0)
1114 return ret;
1115 }
1116
1117 /* We now have a packet which can be read and processed. */
1118
1119 if (s->s3->change_cipher_spec &&
1120 tls_content_type(s->s3->rcontent) != SSL3_RT_HANDSHAKE) {
1121 SSLerror(s, SSL_R_DATA_BETWEEN_CCS_AND_FINISHED);
1122 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
1123 return -1;
1124 }
1125
1126 /*
1127 * If the other end has shut down, throw anything we read away (even in
1128 * 'peek' mode).
1129 */
1130 if (s->shutdown & SSL_RECEIVED_SHUTDOWN) {
1131 s->rwstate = SSL_NOTHING;
1132 tls_content_clear(s->s3->rcontent);
1133 s->s3->rrec.length = 0;
1134 return 0;
1135 }
1136
1137 /* SSL3_RT_APPLICATION_DATA or SSL3_RT_HANDSHAKE */
1138 if (tls_content_type(s->s3->rcontent) == type) {
1139 /*
1140 * Make sure that we are not getting application data when we
1141 * are doing a handshake for the first time.
1142 */
1143 if (SSL_in_init(s) && type == SSL3_RT_APPLICATION_DATA &&
1144 !tls12_record_layer_read_protected(s->rl)) {
1145 SSLerror(s, SSL_R_APP_DATA_IN_HANDSHAKE);
1146 ssl3_send_alert(s, SSL3_AL_FATAL,
1147 SSL_AD_UNEXPECTED_MESSAGE);
1148 return -1;
1149 }
1150
1151 if (len <= 0)
1152 return len;
1153
1154 if (peek) {
1155 ssret = tls_content_peek(s->s3->rcontent, buf, len);
1156 } else {
1157 ssret = tls_content_read(s->s3->rcontent, buf, len);
1158 }
1159 if (ssret < INT_MIN || ssret > INT_MAX)
1160 return -1;
1161 if (ssret < 0)
1162 return (int)ssret;
1163
1164 if (tls_content_remaining(s->s3->rcontent) == 0) {
1165 s->rstate = SSL_ST_READ_HEADER;
1166
1167 if (s->mode & SSL_MODE_RELEASE_BUFFERS &&
1168 s->s3->rbuf.left == 0)
1169 ssl3_release_read_buffer(s);
1170 }
1171
1172 return ssret;
1173 }
1174
1175 if (tls_content_type(s->s3->rcontent) == SSL3_RT_ALERT) {
1176 if ((ret = ssl3_read_alert(s)) <= 0)
1177 return ret;
1178 goto start;
1179 }
1180
1181 if (s->shutdown & SSL_SENT_SHUTDOWN) {
1182 s->rwstate = SSL_NOTHING;
1183 tls_content_clear(s->s3->rcontent);
1184 s->s3->rrec.length = 0;
1185 return 0;
1186 }
1187
1188 if (tls_content_type(s->s3->rcontent) == SSL3_RT_APPLICATION_DATA) {
1189 /*
1190 * At this point, we were expecting handshake data, but have
1191 * application data. If the library was running inside
1192 * ssl3_read() (i.e. in_read_app_data is set) and it makes
1193 * sense to read application data at this point (session
1194 * renegotiation not yet started), we will indulge it.
1195 */
1196 if (s->s3->in_read_app_data != 0 &&
1197 s->s3->total_renegotiations != 0 &&
1198 (((s->s3->hs.state & SSL_ST_CONNECT) &&
1199 (s->s3->hs.state >= SSL3_ST_CW_CLNT_HELLO_A) &&
1200 (s->s3->hs.state <= SSL3_ST_CR_SRVR_HELLO_A)) || (
1201 (s->s3->hs.state & SSL_ST_ACCEPT) &&
1202 (s->s3->hs.state <= SSL3_ST_SW_HELLO_REQ_A) &&
1203 (s->s3->hs.state >= SSL3_ST_SR_CLNT_HELLO_A)))) {
1204 s->s3->in_read_app_data = 2;
1205 return -1;
1206 } else {
1207 SSLerror(s, SSL_R_UNEXPECTED_RECORD);
1208 ssl3_send_alert(s, SSL3_AL_FATAL,
1209 SSL_AD_UNEXPECTED_MESSAGE);
1210 return -1;
1211 }
1212 }
1213
1214 if (tls_content_type(s->s3->rcontent) == SSL3_RT_CHANGE_CIPHER_SPEC) {
1215 if ((ret = ssl3_read_change_cipher_spec(s)) <= 0)
1216 return ret;
1217 goto start;
1218 }
1219
1220 if (tls_content_type(s->s3->rcontent) == SSL3_RT_HANDSHAKE) {
1221 if ((ret = ssl3_read_handshake_unexpected(s)) <= 0)
1222 return ret;
1223 goto start;
1224 }
1225
1226 /*
1227 * Unknown record type - TLSv1.2 sends an unexpected message alert while
1228 * earlier versions silently ignore the record.
1229 */
1230 if (ssl_effective_tls_version(s) <= TLS1_1_VERSION) {
1231 tls_content_clear(s->s3->rcontent);
1232 goto start;
1233 }
1234 SSLerror(s, SSL_R_UNEXPECTED_RECORD);
1235 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
1236 return -1;
1237}
1238
1239int
1240ssl3_do_change_cipher_spec(SSL *s)
1241{
1242 if (s->s3->hs.tls12.key_block == NULL) {
1243 if (s->session == NULL || s->session->master_key_length == 0) {
1244 /* might happen if dtls1_read_bytes() calls this */
1245 SSLerror(s, SSL_R_CCS_RECEIVED_EARLY);
1246 return (0);
1247 }
1248
1249 s->session->cipher = s->s3->hs.cipher;
1250 if (!tls1_setup_key_block(s))
1251 return (0);
1252 }
1253
1254 if (!tls1_change_read_cipher_state(s))
1255 return (0);
1256
1257 /*
1258 * We have to record the message digest at this point so we can get it
1259 * before we read the finished message.
1260 */
1261 if (!tls12_derive_peer_finished(s))
1262 return (0);
1263
1264 return (1);
1265}
1266
1267static int
1268ssl3_write_alert(SSL *s)
1269{
1270 if (SSL_is_dtls(s))
1271 return do_dtls1_write(s, SSL3_RT_ALERT, s->s3->send_alert,
1272 sizeof(s->s3->send_alert));
1273
1274 return do_ssl3_write(s, SSL3_RT_ALERT, s->s3->send_alert,
1275 sizeof(s->s3->send_alert));
1276}
1277
1278int
1279ssl3_send_alert(SSL *s, int level, int desc)
1280{
1281 /* If alert is fatal, remove session from cache. */
1282 if (level == SSL3_AL_FATAL)
1283 SSL_CTX_remove_session(s->ctx, s->session);
1284
1285 s->s3->alert_dispatch = 1;
1286 s->s3->send_alert[0] = level;
1287 s->s3->send_alert[1] = desc;
1288
1289 /*
1290 * If data is still being written out, the alert will be dispatched at
1291 * some point in the future.
1292 */
1293 if (s->s3->wbuf.left != 0)
1294 return -1;
1295
1296 return ssl3_dispatch_alert(s);
1297}
1298
1299int
1300ssl3_dispatch_alert(SSL *s)
1301{
1302 int ret;
1303
1304 s->s3->alert_dispatch = 0;
1305 if ((ret = ssl3_write_alert(s)) <= 0) {
1306 s->s3->alert_dispatch = 1;
1307 return ret;
1308 }
1309
1310 /*
1311 * Alert sent to BIO. If it is important, flush it now.
1312 * If the message does not get sent due to non-blocking IO,
1313 * we will not worry too much.
1314 */
1315 if (s->s3->send_alert[0] == SSL3_AL_FATAL)
1316 (void)BIO_flush(s->wbio);
1317
1318 ssl_msg_callback(s, 1, SSL3_RT_ALERT, s->s3->send_alert, 2);
1319
1320 ssl_info_callback(s, SSL_CB_WRITE_ALERT,
1321 (s->s3->send_alert[0] << 8) | s->s3->send_alert[1]);
1322
1323 return ret;
1324}
diff --git a/src/lib/libssl/ssl_rsa.c b/src/lib/libssl/ssl_rsa.c
deleted file mode 100644
index f84315ba3e..0000000000
--- a/src/lib/libssl/ssl_rsa.c
+++ /dev/null
@@ -1,748 +0,0 @@
1/* $OpenBSD: ssl_rsa.c,v 1.49 2022/11/26 16:08:56 tb Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#include <stdio.h>
60
61#include <openssl/bio.h>
62#include <openssl/evp.h>
63#include <openssl/objects.h>
64#include <openssl/pem.h>
65#include <openssl/x509.h>
66
67#include "ssl_local.h"
68
69static int ssl_get_password_cb_and_arg(SSL_CTX *ctx, SSL *ssl,
70 pem_password_cb **passwd_cb, void **passwd_arg);
71static int ssl_set_cert(SSL_CTX *ctx, SSL *ssl, X509 *x509);
72static int ssl_set_pkey(SSL_CTX *ctx, SSL *ssl, EVP_PKEY *pkey);
73static int ssl_use_certificate_chain_bio(SSL_CTX *ctx, SSL *ssl, BIO *in);
74static int ssl_use_certificate_chain_file(SSL_CTX *ctx, SSL *ssl,
75 const char *file);
76
77int
78SSL_use_certificate(SSL *ssl, X509 *x)
79{
80 if (x == NULL) {
81 SSLerror(ssl, ERR_R_PASSED_NULL_PARAMETER);
82 return (0);
83 }
84 return ssl_set_cert(NULL, ssl, x);
85}
86
87int
88SSL_use_certificate_file(SSL *ssl, const char *file, int type)
89{
90 int j;
91 BIO *in;
92 int ret = 0;
93 X509 *x = NULL;
94
95 in = BIO_new(BIO_s_file());
96 if (in == NULL) {
97 SSLerror(ssl, ERR_R_BUF_LIB);
98 goto end;
99 }
100
101 if (BIO_read_filename(in, file) <= 0) {
102 SSLerror(ssl, ERR_R_SYS_LIB);
103 goto end;
104 }
105 if (type == SSL_FILETYPE_ASN1) {
106 j = ERR_R_ASN1_LIB;
107 x = d2i_X509_bio(in, NULL);
108 } else if (type == SSL_FILETYPE_PEM) {
109 j = ERR_R_PEM_LIB;
110 x = PEM_read_bio_X509(in, NULL,
111 ssl->ctx->default_passwd_callback,
112 ssl->ctx->default_passwd_callback_userdata);
113 } else {
114 SSLerror(ssl, SSL_R_BAD_SSL_FILETYPE);
115 goto end;
116 }
117
118 if (x == NULL) {
119 SSLerror(ssl, j);
120 goto end;
121 }
122
123 ret = SSL_use_certificate(ssl, x);
124 end:
125 X509_free(x);
126 BIO_free(in);
127 return (ret);
128}
129
130int
131SSL_use_certificate_ASN1(SSL *ssl, const unsigned char *d, int len)
132{
133 X509 *x;
134 int ret;
135
136 x = d2i_X509(NULL, &d, (long)len);
137 if (x == NULL) {
138 SSLerror(ssl, ERR_R_ASN1_LIB);
139 return (0);
140 }
141
142 ret = SSL_use_certificate(ssl, x);
143 X509_free(x);
144 return (ret);
145}
146
147int
148SSL_use_RSAPrivateKey(SSL *ssl, RSA *rsa)
149{
150 EVP_PKEY *pkey;
151 int ret;
152
153 if (rsa == NULL) {
154 SSLerror(ssl, ERR_R_PASSED_NULL_PARAMETER);
155 return (0);
156 }
157 if ((pkey = EVP_PKEY_new()) == NULL) {
158 SSLerror(ssl, ERR_R_EVP_LIB);
159 return (0);
160 }
161
162 RSA_up_ref(rsa);
163 EVP_PKEY_assign_RSA(pkey, rsa);
164
165 ret = ssl_set_pkey(NULL, ssl, pkey);
166 EVP_PKEY_free(pkey);
167 return (ret);
168}
169
170static int
171ssl_set_pkey(SSL_CTX *ctx, SSL *ssl, EVP_PKEY *pkey)
172{
173 SSL_CERT *c;
174 int i;
175
176 i = ssl_cert_type(pkey);
177 if (i < 0) {
178 SSLerrorx(SSL_R_UNKNOWN_CERTIFICATE_TYPE);
179 return (0);
180 }
181
182 if ((c = ssl_get0_cert(ctx, ssl)) == NULL)
183 return (0);
184
185 if (c->pkeys[i].x509 != NULL) {
186 EVP_PKEY *pktmp;
187
188 if ((pktmp = X509_get0_pubkey(c->pkeys[i].x509)) == NULL)
189 return 0;
190
191 /*
192 * Callers of EVP_PKEY_copy_parameters() can't distinguish
193 * errors from the absence of a param_copy() method. So
194 * pretend it can never fail.
195 */
196 EVP_PKEY_copy_parameters(pktmp, pkey);
197
198 ERR_clear_error();
199
200 /*
201 * Don't check the public/private key, this is mostly
202 * for smart cards.
203 */
204 if (EVP_PKEY_id(pkey) != EVP_PKEY_RSA ||
205 !(RSA_flags(EVP_PKEY_get0_RSA(pkey)) & RSA_METHOD_FLAG_NO_CHECK)) {
206 if (!X509_check_private_key(c->pkeys[i].x509, pkey)) {
207 X509_free(c->pkeys[i].x509);
208 c->pkeys[i].x509 = NULL;
209 return 0;
210 }
211 }
212 }
213
214 EVP_PKEY_free(c->pkeys[i].privatekey);
215 EVP_PKEY_up_ref(pkey);
216 c->pkeys[i].privatekey = pkey;
217 c->key = &(c->pkeys[i]);
218
219 c->valid = 0;
220 return 1;
221}
222
223int
224SSL_use_RSAPrivateKey_file(SSL *ssl, const char *file, int type)
225{
226 int j, ret = 0;
227 BIO *in;
228 RSA *rsa = NULL;
229
230 in = BIO_new(BIO_s_file());
231 if (in == NULL) {
232 SSLerror(ssl, ERR_R_BUF_LIB);
233 goto end;
234 }
235
236 if (BIO_read_filename(in, file) <= 0) {
237 SSLerror(ssl, ERR_R_SYS_LIB);
238 goto end;
239 }
240 if (type == SSL_FILETYPE_ASN1) {
241 j = ERR_R_ASN1_LIB;
242 rsa = d2i_RSAPrivateKey_bio(in, NULL);
243 } else if (type == SSL_FILETYPE_PEM) {
244 j = ERR_R_PEM_LIB;
245 rsa = PEM_read_bio_RSAPrivateKey(in, NULL,
246 ssl->ctx->default_passwd_callback,
247 ssl->ctx->default_passwd_callback_userdata);
248 } else {
249 SSLerror(ssl, SSL_R_BAD_SSL_FILETYPE);
250 goto end;
251 }
252 if (rsa == NULL) {
253 SSLerror(ssl, j);
254 goto end;
255 }
256 ret = SSL_use_RSAPrivateKey(ssl, rsa);
257 RSA_free(rsa);
258 end:
259 BIO_free(in);
260 return (ret);
261}
262
263int
264SSL_use_RSAPrivateKey_ASN1(SSL *ssl, const unsigned char *d, long len)
265{
266 int ret;
267 RSA *rsa;
268
269 if ((rsa = d2i_RSAPrivateKey(NULL, &d, (long)len)) == NULL) {
270 SSLerror(ssl, ERR_R_ASN1_LIB);
271 return (0);
272 }
273
274 ret = SSL_use_RSAPrivateKey(ssl, rsa);
275 RSA_free(rsa);
276 return (ret);
277}
278
279int
280SSL_use_PrivateKey(SSL *ssl, EVP_PKEY *pkey)
281{
282 int ret;
283
284 if (pkey == NULL) {
285 SSLerror(ssl, ERR_R_PASSED_NULL_PARAMETER);
286 return (0);
287 }
288 ret = ssl_set_pkey(NULL, ssl, pkey);
289 return (ret);
290}
291
292int
293SSL_use_PrivateKey_file(SSL *ssl, const char *file, int type)
294{
295 int j, ret = 0;
296 BIO *in;
297 EVP_PKEY *pkey = NULL;
298
299 in = BIO_new(BIO_s_file());
300 if (in == NULL) {
301 SSLerror(ssl, ERR_R_BUF_LIB);
302 goto end;
303 }
304
305 if (BIO_read_filename(in, file) <= 0) {
306 SSLerror(ssl, ERR_R_SYS_LIB);
307 goto end;
308 }
309 if (type == SSL_FILETYPE_PEM) {
310 j = ERR_R_PEM_LIB;
311 pkey = PEM_read_bio_PrivateKey(in, NULL,
312 ssl->ctx->default_passwd_callback,
313 ssl->ctx->default_passwd_callback_userdata);
314 } else if (type == SSL_FILETYPE_ASN1) {
315 j = ERR_R_ASN1_LIB;
316 pkey = d2i_PrivateKey_bio(in, NULL);
317 } else {
318 SSLerror(ssl, SSL_R_BAD_SSL_FILETYPE);
319 goto end;
320 }
321 if (pkey == NULL) {
322 SSLerror(ssl, j);
323 goto end;
324 }
325 ret = SSL_use_PrivateKey(ssl, pkey);
326 EVP_PKEY_free(pkey);
327 end:
328 BIO_free(in);
329 return (ret);
330}
331
332int
333SSL_use_PrivateKey_ASN1(int type, SSL *ssl, const unsigned char *d, long len)
334{
335 int ret;
336 EVP_PKEY *pkey;
337
338 if ((pkey = d2i_PrivateKey(type, NULL, &d, (long)len)) == NULL) {
339 SSLerror(ssl, ERR_R_ASN1_LIB);
340 return (0);
341 }
342
343 ret = SSL_use_PrivateKey(ssl, pkey);
344 EVP_PKEY_free(pkey);
345 return (ret);
346}
347
348int
349SSL_CTX_use_certificate(SSL_CTX *ctx, X509 *x)
350{
351 if (x == NULL) {
352 SSLerrorx(ERR_R_PASSED_NULL_PARAMETER);
353 return (0);
354 }
355 return ssl_set_cert(ctx, NULL, x);
356}
357
358static int
359ssl_get_password_cb_and_arg(SSL_CTX *ctx, SSL *ssl,
360 pem_password_cb **passwd_cb, void **passwd_arg)
361{
362 if (ssl != NULL)
363 ctx = ssl->ctx;
364
365 *passwd_cb = ctx->default_passwd_callback;
366 *passwd_arg = ctx->default_passwd_callback_userdata;
367
368 return 1;
369}
370
371static int
372ssl_set_cert(SSL_CTX *ctx, SSL *ssl, X509 *x)
373{
374 SSL_CERT *c;
375 EVP_PKEY *pkey;
376 int ssl_err;
377 int i;
378
379 if (!ssl_security_cert(ctx, ssl, x, 1, &ssl_err)) {
380 SSLerrorx(ssl_err);
381 return (0);
382 }
383
384 if ((c = ssl_get0_cert(ctx, ssl)) == NULL)
385 return (0);
386
387 pkey = X509_get_pubkey(x);
388 if (pkey == NULL) {
389 SSLerrorx(SSL_R_X509_LIB);
390 return (0);
391 }
392
393 i = ssl_cert_type(pkey);
394 if (i < 0) {
395 SSLerrorx(SSL_R_UNKNOWN_CERTIFICATE_TYPE);
396 EVP_PKEY_free(pkey);
397 return (0);
398 }
399
400 if (c->pkeys[i].privatekey != NULL) {
401 EVP_PKEY *priv_key = c->pkeys[i].privatekey;
402
403 EVP_PKEY_copy_parameters(pkey, priv_key);
404 ERR_clear_error();
405
406 /*
407 * Don't check the public/private key, this is mostly
408 * for smart cards.
409 */
410 if (EVP_PKEY_id(priv_key) != EVP_PKEY_RSA ||
411 !(RSA_flags(EVP_PKEY_get0_RSA(priv_key)) & RSA_METHOD_FLAG_NO_CHECK)) {
412 if (!X509_check_private_key(x, priv_key)) {
413 /*
414 * don't fail for a cert/key mismatch, just free
415 * current private key (when switching to a
416 * different cert & key, first this function
417 * should be used, then ssl_set_pkey.
418 */
419 EVP_PKEY_free(c->pkeys[i].privatekey);
420 c->pkeys[i].privatekey = NULL;
421 ERR_clear_error();
422 }
423 }
424 }
425
426 EVP_PKEY_free(pkey);
427
428 X509_free(c->pkeys[i].x509);
429 X509_up_ref(x);
430 c->pkeys[i].x509 = x;
431 c->key = &(c->pkeys[i]);
432
433 c->valid = 0;
434 return (1);
435}
436
437int
438SSL_CTX_use_certificate_file(SSL_CTX *ctx, const char *file, int type)
439{
440 int j;
441 BIO *in;
442 int ret = 0;
443 X509 *x = NULL;
444
445 in = BIO_new(BIO_s_file());
446 if (in == NULL) {
447 SSLerrorx(ERR_R_BUF_LIB);
448 goto end;
449 }
450
451 if (BIO_read_filename(in, file) <= 0) {
452 SSLerrorx(ERR_R_SYS_LIB);
453 goto end;
454 }
455 if (type == SSL_FILETYPE_ASN1) {
456 j = ERR_R_ASN1_LIB;
457 x = d2i_X509_bio(in, NULL);
458 } else if (type == SSL_FILETYPE_PEM) {
459 j = ERR_R_PEM_LIB;
460 x = PEM_read_bio_X509(in, NULL, ctx->default_passwd_callback,
461 ctx->default_passwd_callback_userdata);
462 } else {
463 SSLerrorx(SSL_R_BAD_SSL_FILETYPE);
464 goto end;
465 }
466
467 if (x == NULL) {
468 SSLerrorx(j);
469 goto end;
470 }
471
472 ret = SSL_CTX_use_certificate(ctx, x);
473 end:
474 X509_free(x);
475 BIO_free(in);
476 return (ret);
477}
478
479int
480SSL_CTX_use_certificate_ASN1(SSL_CTX *ctx, int len, const unsigned char *d)
481{
482 X509 *x;
483 int ret;
484
485 x = d2i_X509(NULL, &d, (long)len);
486 if (x == NULL) {
487 SSLerrorx(ERR_R_ASN1_LIB);
488 return (0);
489 }
490
491 ret = SSL_CTX_use_certificate(ctx, x);
492 X509_free(x);
493 return (ret);
494}
495
496int
497SSL_CTX_use_RSAPrivateKey(SSL_CTX *ctx, RSA *rsa)
498{
499 int ret;
500 EVP_PKEY *pkey;
501
502 if (rsa == NULL) {
503 SSLerrorx(ERR_R_PASSED_NULL_PARAMETER);
504 return (0);
505 }
506 if ((pkey = EVP_PKEY_new()) == NULL) {
507 SSLerrorx(ERR_R_EVP_LIB);
508 return (0);
509 }
510
511 RSA_up_ref(rsa);
512 EVP_PKEY_assign_RSA(pkey, rsa);
513
514 ret = ssl_set_pkey(ctx, NULL, pkey);
515 EVP_PKEY_free(pkey);
516 return (ret);
517}
518
519int
520SSL_CTX_use_RSAPrivateKey_file(SSL_CTX *ctx, const char *file, int type)
521{
522 int j, ret = 0;
523 BIO *in;
524 RSA *rsa = NULL;
525
526 in = BIO_new(BIO_s_file());
527 if (in == NULL) {
528 SSLerrorx(ERR_R_BUF_LIB);
529 goto end;
530 }
531
532 if (BIO_read_filename(in, file) <= 0) {
533 SSLerrorx(ERR_R_SYS_LIB);
534 goto end;
535 }
536 if (type == SSL_FILETYPE_ASN1) {
537 j = ERR_R_ASN1_LIB;
538 rsa = d2i_RSAPrivateKey_bio(in, NULL);
539 } else if (type == SSL_FILETYPE_PEM) {
540 j = ERR_R_PEM_LIB;
541 rsa = PEM_read_bio_RSAPrivateKey(in, NULL,
542 ctx->default_passwd_callback,
543 ctx->default_passwd_callback_userdata);
544 } else {
545 SSLerrorx(SSL_R_BAD_SSL_FILETYPE);
546 goto end;
547 }
548 if (rsa == NULL) {
549 SSLerrorx(j);
550 goto end;
551 }
552 ret = SSL_CTX_use_RSAPrivateKey(ctx, rsa);
553 RSA_free(rsa);
554 end:
555 BIO_free(in);
556 return (ret);
557}
558
559int
560SSL_CTX_use_RSAPrivateKey_ASN1(SSL_CTX *ctx, const unsigned char *d, long len)
561{
562 int ret;
563 RSA *rsa;
564
565 if ((rsa = d2i_RSAPrivateKey(NULL, &d, (long)len)) == NULL) {
566 SSLerrorx(ERR_R_ASN1_LIB);
567 return (0);
568 }
569
570 ret = SSL_CTX_use_RSAPrivateKey(ctx, rsa);
571 RSA_free(rsa);
572 return (ret);
573}
574
575int
576SSL_CTX_use_PrivateKey(SSL_CTX *ctx, EVP_PKEY *pkey)
577{
578 if (pkey == NULL) {
579 SSLerrorx(ERR_R_PASSED_NULL_PARAMETER);
580 return (0);
581 }
582 return ssl_set_pkey(ctx, NULL, pkey);
583}
584
585int
586SSL_CTX_use_PrivateKey_file(SSL_CTX *ctx, const char *file, int type)
587{
588 int j, ret = 0;
589 BIO *in;
590 EVP_PKEY *pkey = NULL;
591
592 in = BIO_new(BIO_s_file());
593 if (in == NULL) {
594 SSLerrorx(ERR_R_BUF_LIB);
595 goto end;
596 }
597
598 if (BIO_read_filename(in, file) <= 0) {
599 SSLerrorx(ERR_R_SYS_LIB);
600 goto end;
601 }
602 if (type == SSL_FILETYPE_PEM) {
603 j = ERR_R_PEM_LIB;
604 pkey = PEM_read_bio_PrivateKey(in, NULL,
605 ctx->default_passwd_callback,
606 ctx->default_passwd_callback_userdata);
607 } else if (type == SSL_FILETYPE_ASN1) {
608 j = ERR_R_ASN1_LIB;
609 pkey = d2i_PrivateKey_bio(in, NULL);
610 } else {
611 SSLerrorx(SSL_R_BAD_SSL_FILETYPE);
612 goto end;
613 }
614 if (pkey == NULL) {
615 SSLerrorx(j);
616 goto end;
617 }
618 ret = SSL_CTX_use_PrivateKey(ctx, pkey);
619 EVP_PKEY_free(pkey);
620 end:
621 BIO_free(in);
622 return (ret);
623}
624
625int
626SSL_CTX_use_PrivateKey_ASN1(int type, SSL_CTX *ctx, const unsigned char *d,
627 long len)
628{
629 int ret;
630 EVP_PKEY *pkey;
631
632 if ((pkey = d2i_PrivateKey(type, NULL, &d, (long)len)) == NULL) {
633 SSLerrorx(ERR_R_ASN1_LIB);
634 return (0);
635 }
636
637 ret = SSL_CTX_use_PrivateKey(ctx, pkey);
638 EVP_PKEY_free(pkey);
639 return (ret);
640}
641
642
643/*
644 * Read a bio that contains our certificate in "PEM" format,
645 * possibly followed by a sequence of CA certificates that should be
646 * sent to the peer in the Certificate message.
647 */
648static int
649ssl_use_certificate_chain_bio(SSL_CTX *ctx, SSL *ssl, BIO *in)
650{
651 pem_password_cb *passwd_cb;
652 void *passwd_arg;
653 X509 *ca, *x = NULL;
654 unsigned long err;
655 int ret = 0;
656
657 if (!ssl_get_password_cb_and_arg(ctx, ssl, &passwd_cb, &passwd_arg))
658 goto err;
659
660 if ((x = PEM_read_bio_X509_AUX(in, NULL, passwd_cb, passwd_arg)) ==
661 NULL) {
662 SSLerrorx(ERR_R_PEM_LIB);
663 goto err;
664 }
665
666 if (!ssl_set_cert(ctx, ssl, x))
667 goto err;
668
669 if (!ssl_cert_set0_chain(ctx, ssl, NULL))
670 goto err;
671
672 /* Process any additional CA certificates. */
673 while ((ca = PEM_read_bio_X509(in, NULL, passwd_cb, passwd_arg)) !=
674 NULL) {
675 if (!ssl_cert_add0_chain_cert(ctx, ssl, ca)) {
676 X509_free(ca);
677 goto err;
678 }
679 }
680
681 /* When the while loop ends, it's usually just EOF. */
682 err = ERR_peek_last_error();
683 if (ERR_GET_LIB(err) == ERR_LIB_PEM &&
684 ERR_GET_REASON(err) == PEM_R_NO_START_LINE) {
685 ERR_clear_error();
686 ret = 1;
687 }
688
689 err:
690 X509_free(x);
691
692 return (ret);
693}
694
695int
696ssl_use_certificate_chain_file(SSL_CTX *ctx, SSL *ssl, const char *file)
697{
698 BIO *in;
699 int ret = 0;
700
701 in = BIO_new(BIO_s_file());
702 if (in == NULL) {
703 SSLerrorx(ERR_R_BUF_LIB);
704 goto end;
705 }
706
707 if (BIO_read_filename(in, file) <= 0) {
708 SSLerrorx(ERR_R_SYS_LIB);
709 goto end;
710 }
711
712 ret = ssl_use_certificate_chain_bio(ctx, ssl, in);
713
714 end:
715 BIO_free(in);
716 return (ret);
717}
718
719int
720SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, const char *file)
721{
722 return ssl_use_certificate_chain_file(ctx, NULL, file);
723}
724
725int
726SSL_use_certificate_chain_file(SSL *ssl, const char *file)
727{
728 return ssl_use_certificate_chain_file(NULL, ssl, file);
729}
730
731int
732SSL_CTX_use_certificate_chain_mem(SSL_CTX *ctx, void *buf, int len)
733{
734 BIO *in;
735 int ret = 0;
736
737 in = BIO_new_mem_buf(buf, len);
738 if (in == NULL) {
739 SSLerrorx(ERR_R_BUF_LIB);
740 goto end;
741 }
742
743 ret = ssl_use_certificate_chain_bio(ctx, NULL, in);
744
745 end:
746 BIO_free(in);
747 return (ret);
748}
diff --git a/src/lib/libssl/ssl_seclevel.c b/src/lib/libssl/ssl_seclevel.c
deleted file mode 100644
index 1869c8108d..0000000000
--- a/src/lib/libssl/ssl_seclevel.c
+++ /dev/null
@@ -1,473 +0,0 @@
1/* $OpenBSD: ssl_seclevel.c,v 1.27 2022/11/26 16:08:56 tb Exp $ */
2/*
3 * Copyright (c) 2020-2022 Theo Buehler <tb@openbsd.org>
4 *
5 * Permission to use, copy, modify, and distribute this software for any
6 * purpose with or without fee is hereby granted, provided that the above
7 * copyright notice and this permission notice appear in all copies.
8 *
9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16 */
17
18#include <stddef.h>
19
20#include <openssl/asn1.h>
21#include <openssl/dh.h>
22#include <openssl/evp.h>
23#include <openssl/objects.h>
24#include <openssl/ossl_typ.h>
25#include <openssl/ssl.h>
26#include <openssl/tls1.h>
27#include <openssl/x509.h>
28#include <openssl/x509v3.h>
29
30#include "bytestring.h"
31#include "ssl_local.h"
32
33static int
34ssl_security_normalize_level(const SSL_CTX *ctx, const SSL *ssl, int *out_level)
35{
36 int security_level;
37
38 if (ctx != NULL)
39 security_level = SSL_CTX_get_security_level(ctx);
40 else
41 security_level = SSL_get_security_level(ssl);
42
43 if (security_level < 0)
44 security_level = 0;
45 if (security_level > 5)
46 security_level = 5;
47
48 *out_level = security_level;
49
50 return 1;
51}
52
53static int
54ssl_security_level_to_minimum_bits(int security_level, int *out_minimum_bits)
55{
56 if (security_level < 0)
57 return 0;
58
59 if (security_level == 0)
60 *out_minimum_bits = 0;
61 else if (security_level == 1)
62 *out_minimum_bits = 80;
63 else if (security_level == 2)
64 *out_minimum_bits = 112;
65 else if (security_level == 3)
66 *out_minimum_bits = 128;
67 else if (security_level == 4)
68 *out_minimum_bits = 192;
69 else if (security_level >= 5)
70 *out_minimum_bits = 256;
71
72 return 1;
73}
74
75static int
76ssl_security_level_and_minimum_bits(const SSL_CTX *ctx, const SSL *ssl,
77 int *out_level, int *out_minimum_bits)
78{
79 int security_level = 0, minimum_bits = 0;
80
81 if (!ssl_security_normalize_level(ctx, ssl, &security_level))
82 return 0;
83 if (!ssl_security_level_to_minimum_bits(security_level, &minimum_bits))
84 return 0;
85
86 if (out_level != NULL)
87 *out_level = security_level;
88 if (out_minimum_bits != NULL)
89 *out_minimum_bits = minimum_bits;
90
91 return 1;
92}
93
94static int
95ssl_security_secop_cipher(const SSL_CTX *ctx, const SSL *ssl, int bits,
96 void *arg)
97{
98 const SSL_CIPHER *cipher = arg;
99 int security_level, minimum_bits;
100
101 if (!ssl_security_level_and_minimum_bits(ctx, ssl, &security_level,
102 &minimum_bits))
103 return 0;
104
105 if (security_level <= 0)
106 return 1;
107
108 if (bits < minimum_bits)
109 return 0;
110
111 /* No unauthenticated ciphersuites. */
112 if (cipher->algorithm_auth & SSL_aNULL)
113 return 0;
114
115 if (cipher->algorithm_mac & SSL_MD5)
116 return 0;
117
118 if (security_level <= 1)
119 return 1;
120
121 if (cipher->algorithm_enc & SSL_RC4)
122 return 0;
123
124 if (security_level <= 2)
125 return 1;
126
127 /* Security level >= 3 requires a cipher with forward secrecy. */
128 if ((cipher->algorithm_mkey & (SSL_kDHE | SSL_kECDHE)) == 0 &&
129 cipher->algorithm_ssl != SSL_TLSV1_3)
130 return 0;
131
132 if (security_level <= 3)
133 return 1;
134
135 if (cipher->algorithm_mac & SSL_SHA1)
136 return 0;
137
138 return 1;
139}
140
141static int
142ssl_security_secop_version(const SSL_CTX *ctx, const SSL *ssl, int version)
143{
144 int min_version = TLS1_2_VERSION;
145 int security_level;
146
147 if (!ssl_security_level_and_minimum_bits(ctx, ssl, &security_level, NULL))
148 return 0;
149
150 if (security_level < 4)
151 min_version = TLS1_1_VERSION;
152 if (security_level < 3)
153 min_version = TLS1_VERSION;
154
155 return ssl_tls_version(version) >= min_version;
156}
157
158static int
159ssl_security_secop_compression(const SSL_CTX *ctx, const SSL *ssl)
160{
161 return 0;
162}
163
164static int
165ssl_security_secop_tickets(const SSL_CTX *ctx, const SSL *ssl)
166{
167 int security_level;
168
169 if (!ssl_security_level_and_minimum_bits(ctx, ssl, &security_level, NULL))
170 return 0;
171
172 return security_level < 3;
173}
174
175static int
176ssl_security_secop_tmp_dh(const SSL_CTX *ctx, const SSL *ssl, int bits)
177{
178 int security_level, minimum_bits;
179
180 if (!ssl_security_level_and_minimum_bits(ctx, ssl, &security_level,
181 &minimum_bits))
182 return 0;
183
184 /* Disallow DHE keys weaker than 1024 bits even at security level 0. */
185 if (security_level <= 0 && bits < 80)
186 return 0;
187
188 return bits >= minimum_bits;
189}
190
191static int
192ssl_security_secop_default(const SSL_CTX *ctx, const SSL *ssl, int bits)
193{
194 int minimum_bits;
195
196 if (!ssl_security_level_and_minimum_bits(ctx, ssl, NULL, &minimum_bits))
197 return 0;
198
199 return bits >= minimum_bits;
200}
201
202int
203ssl_security_default_cb(const SSL *ssl, const SSL_CTX *ctx, int secop, int bits,
204 int version, void *cipher, void *ex_data)
205{
206 switch (secop) {
207 case SSL_SECOP_CIPHER_SUPPORTED:
208 case SSL_SECOP_CIPHER_SHARED:
209 case SSL_SECOP_CIPHER_CHECK:
210 return ssl_security_secop_cipher(ctx, ssl, bits, cipher);
211 case SSL_SECOP_VERSION:
212 return ssl_security_secop_version(ctx, ssl, version);
213 case SSL_SECOP_COMPRESSION:
214 return ssl_security_secop_compression(ctx, ssl);
215 case SSL_SECOP_TICKET:
216 return ssl_security_secop_tickets(ctx, ssl);
217 case SSL_SECOP_TMP_DH:
218 return ssl_security_secop_tmp_dh(ctx, ssl, bits);
219 default:
220 return ssl_security_secop_default(ctx, ssl, bits);
221 }
222}
223
224static int
225ssl_ctx_security(const SSL_CTX *ctx, int secop, int bits, int nid, void *other)
226{
227 return ctx->cert->security_cb(NULL, ctx, secop, bits, nid,
228 other, ctx->cert->security_ex_data);
229}
230
231static int
232ssl_security(const SSL *ssl, int secop, int bits, int nid, void *other)
233{
234 return ssl->cert->security_cb(ssl, NULL, secop, bits, nid, other,
235 ssl->cert->security_ex_data);
236}
237
238int
239ssl_security_sigalg_check(const SSL *ssl, const EVP_PKEY *pkey)
240{
241 int bits;
242
243 bits = EVP_PKEY_security_bits(pkey);
244
245 return ssl_security(ssl, SSL_SECOP_SIGALG_CHECK, bits, 0, NULL);
246}
247
248int
249ssl_security_tickets(const SSL *ssl)
250{
251 return ssl_security(ssl, SSL_SECOP_TICKET, 0, 0, NULL);
252}
253
254int
255ssl_security_version(const SSL *ssl, int version)
256{
257 return ssl_security(ssl, SSL_SECOP_VERSION, 0, version, NULL);
258}
259
260static int
261ssl_security_cipher(const SSL *ssl, SSL_CIPHER *cipher, int secop)
262{
263 return ssl_security(ssl, secop, cipher->strength_bits, 0, cipher);
264}
265
266int
267ssl_security_cipher_check(const SSL *ssl, SSL_CIPHER *cipher)
268{
269 return ssl_security_cipher(ssl, cipher, SSL_SECOP_CIPHER_CHECK);
270}
271
272int
273ssl_security_shared_cipher(const SSL *ssl, SSL_CIPHER *cipher)
274{
275 return ssl_security_cipher(ssl, cipher, SSL_SECOP_CIPHER_SHARED);
276}
277
278int
279ssl_security_supported_cipher(const SSL *ssl, SSL_CIPHER *cipher)
280{
281 return ssl_security_cipher(ssl, cipher, SSL_SECOP_CIPHER_SUPPORTED);
282}
283
284int
285ssl_ctx_security_dh(const SSL_CTX *ctx, DH *dh)
286{
287 int bits;
288
289 bits = DH_security_bits(dh);
290
291 return ssl_ctx_security(ctx, SSL_SECOP_TMP_DH, bits, 0, dh);
292}
293
294int
295ssl_security_dh(const SSL *ssl, DH *dh)
296{
297 int bits;
298
299 bits = DH_security_bits(dh);
300
301 return ssl_security(ssl, SSL_SECOP_TMP_DH, bits, 0, dh);
302}
303
304static int
305ssl_cert_pubkey_security_bits(const X509 *x509)
306{
307 EVP_PKEY *pkey;
308
309 if ((pkey = X509_get0_pubkey(x509)) == NULL)
310 return -1;
311
312 /*
313 * XXX: DSA_security_bits() returns -1 on keys without parameters and
314 * makes the default security callback fail.
315 */
316
317 return EVP_PKEY_security_bits(pkey);
318}
319
320static int
321ssl_security_cert_key(const SSL_CTX *ctx, const SSL *ssl, X509 *x509, int secop)
322{
323 int security_bits;
324
325 security_bits = ssl_cert_pubkey_security_bits(x509);
326
327 if (ssl != NULL)
328 return ssl_security(ssl, secop, security_bits, 0, x509);
329
330 return ssl_ctx_security(ctx, secop, security_bits, 0, x509);
331}
332
333static int
334ssl_cert_signature_md_nid(X509 *x509)
335{
336 int md_nid, signature_nid;
337
338 if ((signature_nid = X509_get_signature_nid(x509)) == NID_undef)
339 return NID_undef;
340
341 if (!OBJ_find_sigid_algs(signature_nid, &md_nid, NULL))
342 return NID_undef;
343
344 return md_nid;
345}
346
347static int
348ssl_cert_md_nid_security_bits(int md_nid)
349{
350 const EVP_MD *md;
351
352 if (md_nid == NID_undef)
353 return -1;
354
355 if ((md = EVP_get_digestbynid(md_nid)) == NULL)
356 return -1;
357
358 /* Assume 4 bits of collision resistance for each hash octet. */
359 return EVP_MD_size(md) * 4;
360}
361
362static int
363ssl_security_cert_sig(const SSL_CTX *ctx, const SSL *ssl, X509 *x509, int secop)
364{
365 int md_nid, security_bits;
366
367 /* Don't check signature if self signed. */
368 if ((X509_get_extension_flags(x509) & EXFLAG_SS) != 0)
369 return 1;
370
371 md_nid = ssl_cert_signature_md_nid(x509);
372 security_bits = ssl_cert_md_nid_security_bits(md_nid);
373
374 if (ssl != NULL)
375 return ssl_security(ssl, secop, security_bits, md_nid, x509);
376
377 return ssl_ctx_security(ctx, secop, security_bits, md_nid, x509);
378}
379
380int
381ssl_security_cert(const SSL_CTX *ctx, const SSL *ssl, X509 *x509,
382 int is_ee, int *out_error)
383{
384 int key_error, operation;
385
386 *out_error = 0;
387
388 if (is_ee) {
389 operation = SSL_SECOP_EE_KEY;
390 key_error = SSL_R_EE_KEY_TOO_SMALL;
391 } else {
392 operation = SSL_SECOP_CA_KEY;
393 key_error = SSL_R_CA_KEY_TOO_SMALL;
394 }
395
396 if (!ssl_security_cert_key(ctx, ssl, x509, operation)) {
397 *out_error = key_error;
398 return 0;
399 }
400
401 if (!ssl_security_cert_sig(ctx, ssl, x509, SSL_SECOP_CA_MD)) {
402 *out_error = SSL_R_CA_MD_TOO_WEAK;
403 return 0;
404 }
405
406 return 1;
407}
408
409/*
410 * Check security of a chain. If |sk| includes the end entity certificate
411 * then |x509| must be NULL.
412 */
413int
414ssl_security_cert_chain(const SSL *ssl, STACK_OF(X509) *sk, X509 *x509,
415 int *out_error)
416{
417 int start_idx = 0;
418 int is_ee;
419 int i;
420
421 if (x509 == NULL) {
422 x509 = sk_X509_value(sk, 0);
423 start_idx = 1;
424 }
425
426 is_ee = 1;
427 if (!ssl_security_cert(NULL, ssl, x509, is_ee, out_error))
428 return 0;
429
430 is_ee = 0;
431 for (i = start_idx; i < sk_X509_num(sk); i++) {
432 x509 = sk_X509_value(sk, i);
433
434 if (!ssl_security_cert(NULL, ssl, x509, is_ee, out_error))
435 return 0;
436 }
437
438 return 1;
439}
440
441static int
442ssl_security_group(const SSL *ssl, uint16_t group_id, int secop)
443{
444 CBB cbb;
445 int bits, nid;
446 uint8_t group[2];
447
448 if (!tls1_ec_group_id2bits(group_id, &bits))
449 return 0;
450 if (!tls1_ec_group_id2nid(group_id, &nid))
451 return 0;
452
453 if (!CBB_init_fixed(&cbb, group, sizeof(group)))
454 return 0;
455 if (!CBB_add_u16(&cbb, group_id))
456 return 0;
457 if (!CBB_finish(&cbb, NULL, NULL))
458 return 0;
459
460 return ssl_security(ssl, secop, bits, nid, group);
461}
462
463int
464ssl_security_shared_group(const SSL *ssl, uint16_t group_id)
465{
466 return ssl_security_group(ssl, group_id, SSL_SECOP_CURVE_SHARED);
467}
468
469int
470ssl_security_supported_group(const SSL *ssl, uint16_t group_id)
471{
472 return ssl_security_group(ssl, group_id, SSL_SECOP_CURVE_SUPPORTED);
473}
diff --git a/src/lib/libssl/ssl_sess.c b/src/lib/libssl/ssl_sess.c
deleted file mode 100644
index 5847a43dcd..0000000000
--- a/src/lib/libssl/ssl_sess.c
+++ /dev/null
@@ -1,1336 +0,0 @@
1/* $OpenBSD: ssl_sess.c,v 1.121 2022/11/26 16:08:56 tb Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58/* ====================================================================
59 * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved.
60 *
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
63 * are met:
64 *
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
67 *
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
71 * distribution.
72 *
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77 *
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
82 *
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
86 *
87 * 6. Redistributions of any form whatsoever must retain the following
88 * acknowledgment:
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91 *
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
105 *
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
109 *
110 */
111/* ====================================================================
112 * Copyright 2005 Nokia. All rights reserved.
113 *
114 * The portions of the attached software ("Contribution") is developed by
115 * Nokia Corporation and is licensed pursuant to the OpenSSL open source
116 * license.
117 *
118 * The Contribution, originally written by Mika Kousa and Pasi Eronen of
119 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
120 * support (see RFC 4279) to OpenSSL.
121 *
122 * No patent licenses or other rights except those expressly stated in
123 * the OpenSSL open source license shall be deemed granted or received
124 * expressly, by implication, estoppel, or otherwise.
125 *
126 * No assurances are provided by Nokia that the Contribution does not
127 * infringe the patent or other intellectual property rights of any third
128 * party or that the license provides you with all the necessary rights
129 * to make use of the Contribution.
130 *
131 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
132 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
133 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
134 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
135 * OTHERWISE.
136 */
137
138#include <openssl/lhash.h>
139#include <openssl/opensslconf.h>
140
141#ifndef OPENSSL_NO_ENGINE
142#include <openssl/engine.h>
143#endif
144
145#include "ssl_local.h"
146
147static void SSL_SESSION_list_remove(SSL_CTX *ctx, SSL_SESSION *s);
148static void SSL_SESSION_list_add(SSL_CTX *ctx, SSL_SESSION *s);
149static int remove_session_lock(SSL_CTX *ctx, SSL_SESSION *c, int lck);
150
151/* aka SSL_get0_session; gets 0 objects, just returns a copy of the pointer */
152SSL_SESSION *
153SSL_get_session(const SSL *ssl)
154{
155 return (ssl->session);
156}
157
158/* variant of SSL_get_session: caller really gets something */
159SSL_SESSION *
160SSL_get1_session(SSL *ssl)
161{
162 SSL_SESSION *sess;
163
164 /*
165 * Need to lock this all up rather than just use CRYPTO_add so that
166 * somebody doesn't free ssl->session between when we check it's
167 * non-null and when we up the reference count.
168 */
169 CRYPTO_w_lock(CRYPTO_LOCK_SSL_SESSION);
170 sess = ssl->session;
171 if (sess)
172 sess->references++;
173 CRYPTO_w_unlock(CRYPTO_LOCK_SSL_SESSION);
174
175 return (sess);
176}
177
178int
179SSL_SESSION_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
180 CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func)
181{
182 return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_SSL_SESSION,
183 argl, argp, new_func, dup_func, free_func);
184}
185
186int
187SSL_SESSION_set_ex_data(SSL_SESSION *s, int idx, void *arg)
188{
189 return (CRYPTO_set_ex_data(&s->ex_data, idx, arg));
190}
191
192void *
193SSL_SESSION_get_ex_data(const SSL_SESSION *s, int idx)
194{
195 return (CRYPTO_get_ex_data(&s->ex_data, idx));
196}
197
198uint32_t
199SSL_SESSION_get_max_early_data(const SSL_SESSION *s)
200{
201 return 0;
202}
203
204int
205SSL_SESSION_set_max_early_data(SSL_SESSION *s, uint32_t max_early_data)
206{
207 return 1;
208}
209
210SSL_SESSION *
211SSL_SESSION_new(void)
212{
213 SSL_SESSION *ss;
214
215 if (!OPENSSL_init_ssl(0, NULL)) {
216 SSLerrorx(SSL_R_LIBRARY_BUG);
217 return(NULL);
218 }
219
220 if ((ss = calloc(1, sizeof(*ss))) == NULL) {
221 SSLerrorx(ERR_R_MALLOC_FAILURE);
222 return (NULL);
223 }
224
225 ss->verify_result = 1; /* avoid 0 (= X509_V_OK) just in case */
226 ss->references = 1;
227 ss->timeout = 60 * 5 + 4; /* 5 minutes 4 seconds timeout by default */
228 ss->time = time(NULL);
229 ss->prev = NULL;
230 ss->next = NULL;
231 ss->tlsext_hostname = NULL;
232
233 ss->peer_cert_type = -1;
234
235 ss->tlsext_ecpointformatlist_length = 0;
236 ss->tlsext_ecpointformatlist = NULL;
237 ss->tlsext_supportedgroups_length = 0;
238 ss->tlsext_supportedgroups = NULL;
239
240 CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL_SESSION, ss, &ss->ex_data);
241
242 return (ss);
243}
244
245SSL_SESSION *
246ssl_session_dup(SSL_SESSION *sess, int include_ticket)
247{
248 SSL_SESSION *copy;
249 CBS cbs;
250
251 if ((copy = calloc(1, sizeof(*copy))) == NULL) {
252 SSLerrorx(ERR_R_MALLOC_FAILURE);
253 goto err;
254 }
255
256 copy->ssl_version = sess->ssl_version;
257
258 CBS_init(&cbs, sess->master_key, sess->master_key_length);
259 if (!CBS_write_bytes(&cbs, copy->master_key, sizeof(copy->master_key),
260 &copy->master_key_length))
261 goto err;
262
263 CBS_init(&cbs, sess->session_id, sess->session_id_length);
264 if (!CBS_write_bytes(&cbs, copy->session_id, sizeof(copy->session_id),
265 &copy->session_id_length))
266 goto err;
267
268 CBS_init(&cbs, sess->sid_ctx, sess->sid_ctx_length);
269 if (!CBS_write_bytes(&cbs, copy->sid_ctx, sizeof(copy->sid_ctx),
270 &copy->sid_ctx_length))
271 goto err;
272
273 if (sess->peer_cert != NULL) {
274 if (!X509_up_ref(sess->peer_cert))
275 goto err;
276 copy->peer_cert = sess->peer_cert;
277 }
278 copy->peer_cert_type = sess->peer_cert_type;
279
280 copy->verify_result = sess->verify_result;
281
282 copy->timeout = sess->timeout;
283 copy->time = sess->time;
284 copy->references = 1;
285
286 copy->cipher = sess->cipher;
287 copy->cipher_id = sess->cipher_id;
288
289 if (sess->ciphers != NULL) {
290 if ((copy->ciphers = sk_SSL_CIPHER_dup(sess->ciphers)) == NULL)
291 goto err;
292 }
293
294 if (sess->tlsext_hostname != NULL) {
295 copy->tlsext_hostname = strdup(sess->tlsext_hostname);
296 if (copy->tlsext_hostname == NULL)
297 goto err;
298 }
299
300 if (include_ticket) {
301 CBS_init(&cbs, sess->tlsext_tick, sess->tlsext_ticklen);
302 if (!CBS_stow(&cbs, &copy->tlsext_tick, &copy->tlsext_ticklen))
303 goto err;
304 copy->tlsext_tick_lifetime_hint =
305 sess->tlsext_tick_lifetime_hint;
306
307 /*
308 * XXX - copy sess->resumption_master_secret and all other
309 * TLSv1.3 info here.
310 */
311 }
312
313 if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL_SESSION, copy,
314 &copy->ex_data))
315 goto err;
316
317 if (!CRYPTO_dup_ex_data(CRYPTO_EX_INDEX_SSL_SESSION, &copy->ex_data,
318 &sess->ex_data))
319 goto err;
320
321 /* Omit prev/next: the new session gets its own slot in the cache. */
322
323 copy->not_resumable = sess->not_resumable;
324
325 CBS_init(&cbs, sess->tlsext_ecpointformatlist,
326 sess->tlsext_ecpointformatlist_length);
327 if (!CBS_stow(&cbs, &copy->tlsext_ecpointformatlist,
328 &copy->tlsext_ecpointformatlist_length))
329 goto err;
330
331 if (sess->tlsext_supportedgroups != NULL) {
332 if ((copy->tlsext_supportedgroups = calloc(sizeof(uint16_t),
333 sess->tlsext_supportedgroups_length)) == NULL)
334 goto err;
335 memcpy(copy->tlsext_supportedgroups,
336 sess->tlsext_supportedgroups,
337 sizeof(uint16_t) * sess->tlsext_supportedgroups_length);
338 copy->tlsext_supportedgroups_length =
339 sess->tlsext_supportedgroups_length;
340 }
341
342 return copy;
343
344 err:
345 SSL_SESSION_free(copy);
346
347 return NULL;
348}
349
350const unsigned char *
351SSL_SESSION_get_id(const SSL_SESSION *ss, unsigned int *len)
352{
353 if (len != NULL)
354 *len = (unsigned int)ss->session_id_length;
355 return ss->session_id;
356}
357
358const unsigned char *
359SSL_SESSION_get0_id_context(const SSL_SESSION *ss, unsigned int *len)
360{
361 if (len != NULL)
362 *len = (unsigned int)ss->sid_ctx_length;
363 return ss->sid_ctx;
364}
365
366unsigned int
367SSL_SESSION_get_compress_id(const SSL_SESSION *ss)
368{
369 return 0;
370}
371
372unsigned long
373SSL_SESSION_get_ticket_lifetime_hint(const SSL_SESSION *s)
374{
375 return s->tlsext_tick_lifetime_hint;
376}
377
378int
379SSL_SESSION_has_ticket(const SSL_SESSION *s)
380{
381 return (s->tlsext_ticklen > 0) ? 1 : 0;
382}
383
384/*
385 * SSLv3/TLSv1 has 32 bytes (256 bits) of session ID space. As such, filling
386 * the ID with random gunk repeatedly until we have no conflict is going to
387 * complete in one iteration pretty much "most" of the time (btw:
388 * understatement). So, if it takes us 10 iterations and we still can't avoid
389 * a conflict - well that's a reasonable point to call it quits. Either the
390 * arc4random code is broken or someone is trying to open roughly very close to
391 * 2^128 (or 2^256) SSL sessions to our server. How you might store that many
392 * sessions is perhaps a more interesting question...
393 */
394
395#define MAX_SESS_ID_ATTEMPTS 10
396
397static int
398def_generate_session_id(const SSL *ssl, unsigned char *id, unsigned int *id_len)
399{
400 unsigned int retry = 0;
401
402 do {
403 arc4random_buf(id, *id_len);
404 } while (SSL_has_matching_session_id(ssl, id, *id_len) &&
405 (++retry < MAX_SESS_ID_ATTEMPTS));
406
407 if (retry < MAX_SESS_ID_ATTEMPTS)
408 return 1;
409
410 /* else - woops a session_id match */
411 /* XXX We should also check the external cache --
412 * but the probability of a collision is negligible, and
413 * we could not prevent the concurrent creation of sessions
414 * with identical IDs since we currently don't have means
415 * to atomically check whether a session ID already exists
416 * and make a reservation for it if it does not
417 * (this problem applies to the internal cache as well).
418 */
419 return 0;
420}
421
422int
423ssl_get_new_session(SSL *s, int session)
424{
425 unsigned int tmp;
426 SSL_SESSION *ss = NULL;
427 GEN_SESSION_CB cb = def_generate_session_id;
428
429 /* This gets used by clients and servers. */
430
431 if ((ss = SSL_SESSION_new()) == NULL)
432 return (0);
433
434 /* If the context has a default timeout, use it */
435 if (s->session_ctx->session_timeout == 0)
436 ss->timeout = SSL_get_default_timeout(s);
437 else
438 ss->timeout = s->session_ctx->session_timeout;
439
440 if (s->session != NULL) {
441 SSL_SESSION_free(s->session);
442 s->session = NULL;
443 }
444
445 if (session) {
446 switch (s->version) {
447 case TLS1_VERSION:
448 case TLS1_1_VERSION:
449 case TLS1_2_VERSION:
450 case DTLS1_VERSION:
451 case DTLS1_2_VERSION:
452 ss->ssl_version = s->version;
453 ss->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
454 break;
455 default:
456 SSLerror(s, SSL_R_UNSUPPORTED_SSL_VERSION);
457 SSL_SESSION_free(ss);
458 return (0);
459 }
460
461 /* If RFC4507 ticket use empty session ID. */
462 if (s->tlsext_ticket_expected) {
463 ss->session_id_length = 0;
464 goto sess_id_done;
465 }
466
467 /* Choose which callback will set the session ID. */
468 CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX);
469 if (s->generate_session_id)
470 cb = s->generate_session_id;
471 else if (s->session_ctx->generate_session_id)
472 cb = s->session_ctx->generate_session_id;
473 CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX);
474
475 /* Choose a session ID. */
476 tmp = ss->session_id_length;
477 if (!cb(s, ss->session_id, &tmp)) {
478 /* The callback failed */
479 SSLerror(s, SSL_R_SSL_SESSION_ID_CALLBACK_FAILED);
480 SSL_SESSION_free(ss);
481 return (0);
482 }
483
484 /*
485 * Don't allow the callback to set the session length to zero.
486 * nor set it higher than it was.
487 */
488 if (tmp == 0 || tmp > ss->session_id_length) {
489 /* The callback set an illegal length */
490 SSLerror(s, SSL_R_SSL_SESSION_ID_HAS_BAD_LENGTH);
491 SSL_SESSION_free(ss);
492 return (0);
493 }
494 ss->session_id_length = tmp;
495
496 /* Finally, check for a conflict. */
497 if (SSL_has_matching_session_id(s, ss->session_id,
498 ss->session_id_length)) {
499 SSLerror(s, SSL_R_SSL_SESSION_ID_CONFLICT);
500 SSL_SESSION_free(ss);
501 return (0);
502 }
503
504 sess_id_done:
505 if (s->tlsext_hostname) {
506 ss->tlsext_hostname = strdup(s->tlsext_hostname);
507 if (ss->tlsext_hostname == NULL) {
508 SSLerror(s, ERR_R_INTERNAL_ERROR);
509 SSL_SESSION_free(ss);
510 return 0;
511 }
512 }
513 } else {
514 ss->session_id_length = 0;
515 }
516
517 if (s->sid_ctx_length > sizeof ss->sid_ctx) {
518 SSLerror(s, ERR_R_INTERNAL_ERROR);
519 SSL_SESSION_free(ss);
520 return 0;
521 }
522
523 memcpy(ss->sid_ctx, s->sid_ctx, s->sid_ctx_length);
524 ss->sid_ctx_length = s->sid_ctx_length;
525 s->session = ss;
526 ss->ssl_version = s->version;
527 ss->verify_result = X509_V_OK;
528
529 return (1);
530}
531
532static SSL_SESSION *
533ssl_session_from_cache(SSL *s, CBS *session_id)
534{
535 SSL_SESSION *sess;
536 SSL_SESSION data;
537
538 if ((s->session_ctx->session_cache_mode &
539 SSL_SESS_CACHE_NO_INTERNAL_LOOKUP))
540 return NULL;
541
542 memset(&data, 0, sizeof(data));
543
544 data.ssl_version = s->version;
545
546 if (!CBS_write_bytes(session_id, data.session_id,
547 sizeof(data.session_id), &data.session_id_length))
548 return NULL;
549
550 CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX);
551 sess = lh_SSL_SESSION_retrieve(s->session_ctx->sessions, &data);
552 if (sess != NULL)
553 CRYPTO_add(&sess->references, 1, CRYPTO_LOCK_SSL_SESSION);
554 CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX);
555
556 if (sess == NULL)
557 s->session_ctx->stats.sess_miss++;
558
559 return sess;
560}
561
562static SSL_SESSION *
563ssl_session_from_callback(SSL *s, CBS *session_id)
564{
565 SSL_SESSION *sess;
566 int copy;
567
568 if (s->session_ctx->get_session_cb == NULL)
569 return NULL;
570
571 copy = 1;
572 if ((sess = s->session_ctx->get_session_cb(s,
573 CBS_data(session_id), CBS_len(session_id), &copy)) == NULL)
574 return NULL;
575 /*
576 * The copy handler may have set copy == 0 to indicate that the session
577 * structures are shared between threads and that it handles the
578 * reference count itself. If it didn't set copy to zero, we must
579 * increment the reference count.
580 */
581 if (copy)
582 CRYPTO_add(&sess->references, 1, CRYPTO_LOCK_SSL_SESSION);
583
584 s->session_ctx->stats.sess_cb_hit++;
585
586 /* Add the externally cached session to the internal cache as well. */
587 if (!(s->session_ctx->session_cache_mode &
588 SSL_SESS_CACHE_NO_INTERNAL_STORE)) {
589 /*
590 * The following should not return 1,
591 * otherwise, things are very strange.
592 */
593 SSL_CTX_add_session(s->session_ctx, sess);
594 }
595
596 return sess;
597}
598
599static SSL_SESSION *
600ssl_session_by_id(SSL *s, CBS *session_id)
601{
602 SSL_SESSION *sess;
603
604 if (CBS_len(session_id) == 0)
605 return NULL;
606
607 if ((sess = ssl_session_from_cache(s, session_id)) == NULL)
608 sess = ssl_session_from_callback(s, session_id);
609
610 return sess;
611}
612
613/*
614 * ssl_get_prev_session attempts to find an SSL_SESSION to be used to resume
615 * this connection. It is only called by servers.
616 *
617 * session_id: points at the session ID in the ClientHello. This code will
618 * read past the end of this in order to parse out the session ticket
619 * extension, if any.
620 * ext_block: a CBS for the ClientHello extensions block.
621 * alert: alert that the caller should send in case of failure.
622 *
623 * Returns:
624 * -1: error
625 * 0: a session may have been found.
626 *
627 * Side effects:
628 * - If a session is found then s->session is pointed at it (after freeing
629 * an existing session if need be) and s->verify_result is set from the
630 * session.
631 * - For both new and resumed sessions, s->tlsext_ticket_expected
632 * indicates whether the server should issue a new session ticket or not.
633 */
634int
635ssl_get_prev_session(SSL *s, CBS *session_id, CBS *ext_block, int *alert)
636{
637 SSL_SESSION *sess = NULL;
638 int alert_desc = SSL_AD_INTERNAL_ERROR, fatal = 0;
639 int ticket_decrypted = 0;
640
641 /* This is used only by servers. */
642
643 if (CBS_len(session_id) > SSL_MAX_SSL_SESSION_ID_LENGTH)
644 goto err;
645
646 /* Sets s->tlsext_ticket_expected. */
647 switch (tls1_process_ticket(s, ext_block, &alert_desc, &sess)) {
648 case TLS1_TICKET_FATAL_ERROR:
649 fatal = 1;
650 goto err;
651 case TLS1_TICKET_NONE:
652 case TLS1_TICKET_EMPTY:
653 if ((sess = ssl_session_by_id(s, session_id)) == NULL)
654 goto err;
655 break;
656 case TLS1_TICKET_NOT_DECRYPTED:
657 goto err;
658 case TLS1_TICKET_DECRYPTED:
659 ticket_decrypted = 1;
660
661 /*
662 * The session ID is used by some clients to detect that the
663 * ticket has been accepted so we copy it into sess.
664 */
665 if (!CBS_write_bytes(session_id, sess->session_id,
666 sizeof(sess->session_id), &sess->session_id_length)) {
667 fatal = 1;
668 goto err;
669 }
670 break;
671 default:
672 SSLerror(s, ERR_R_INTERNAL_ERROR);
673 fatal = 1;
674 goto err;
675 }
676
677 /* Now sess is non-NULL and we own one of its reference counts. */
678
679 if (sess->sid_ctx_length != s->sid_ctx_length ||
680 timingsafe_memcmp(sess->sid_ctx, s->sid_ctx,
681 sess->sid_ctx_length) != 0) {
682 /*
683 * We have the session requested by the client, but we don't
684 * want to use it in this context. Treat it like a cache miss.
685 */
686 goto err;
687 }
688
689 if ((s->verify_mode & SSL_VERIFY_PEER) && s->sid_ctx_length == 0) {
690 /*
691 * We can't be sure if this session is being used out of
692 * context, which is especially important for SSL_VERIFY_PEER.
693 * The application should have used
694 * SSL[_CTX]_set_session_id_context.
695 *
696 * For this error case, we generate an error instead of treating
697 * the event like a cache miss (otherwise it would be easy for
698 * applications to effectively disable the session cache by
699 * accident without anyone noticing).
700 */
701 SSLerror(s, SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED);
702 fatal = 1;
703 goto err;
704 }
705
706 if (sess->cipher == NULL) {
707 sess->cipher = ssl3_get_cipher_by_id(sess->cipher_id);
708 if (sess->cipher == NULL)
709 goto err;
710 }
711
712 if (sess->timeout < (time(NULL) - sess->time)) {
713 s->session_ctx->stats.sess_timeout++;
714 if (!ticket_decrypted) {
715 /* The session was from the cache, so remove it. */
716 SSL_CTX_remove_session(s->session_ctx, sess);
717 }
718 goto err;
719 }
720
721 s->session_ctx->stats.sess_hit++;
722
723 SSL_SESSION_free(s->session);
724 s->session = sess;
725 s->verify_result = s->session->verify_result;
726
727 return 1;
728
729 err:
730 SSL_SESSION_free(sess);
731 if (ticket_decrypted) {
732 /*
733 * The session was from a ticket. Issue a ticket for the new
734 * session.
735 */
736 s->tlsext_ticket_expected = 1;
737 }
738 if (fatal) {
739 *alert = alert_desc;
740 return -1;
741 }
742 return 0;
743}
744
745int
746SSL_CTX_add_session(SSL_CTX *ctx, SSL_SESSION *c)
747{
748 int ret = 0;
749 SSL_SESSION *s;
750
751 /*
752 * Add just 1 reference count for the SSL_CTX's session cache
753 * even though it has two ways of access: each session is in a
754 * doubly linked list and an lhash.
755 */
756 CRYPTO_add(&c->references, 1, CRYPTO_LOCK_SSL_SESSION);
757
758 /*
759 * If session c is in already in cache, we take back the increment
760 * later.
761 */
762 CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
763 s = lh_SSL_SESSION_insert(ctx->sessions, c);
764
765 /*
766 * s != NULL iff we already had a session with the given PID.
767 * In this case, s == c should hold (then we did not really modify
768 * ctx->sessions), or we're in trouble.
769 */
770 if (s != NULL && s != c) {
771 /* We *are* in trouble ... */
772 SSL_SESSION_list_remove(ctx, s);
773 SSL_SESSION_free(s);
774 /*
775 * ... so pretend the other session did not exist in cache
776 * (we cannot handle two SSL_SESSION structures with identical
777 * session ID in the same cache, which could happen e.g. when
778 * two threads concurrently obtain the same session from an
779 * external cache).
780 */
781 s = NULL;
782 }
783
784 /* Put at the head of the queue unless it is already in the cache */
785 if (s == NULL)
786 SSL_SESSION_list_add(ctx, c);
787
788 if (s != NULL) {
789 /*
790 * existing cache entry -- decrement previously incremented
791 * reference count because it already takes into account the
792 * cache.
793 */
794 SSL_SESSION_free(s); /* s == c */
795 ret = 0;
796 } else {
797 /*
798 * New cache entry -- remove old ones if cache has become
799 * too large.
800 */
801
802 ret = 1;
803
804 if (SSL_CTX_sess_get_cache_size(ctx) > 0) {
805 while (SSL_CTX_sess_number(ctx) >
806 SSL_CTX_sess_get_cache_size(ctx)) {
807 if (!remove_session_lock(ctx,
808 ctx->session_cache_tail, 0))
809 break;
810 else
811 ctx->stats.sess_cache_full++;
812 }
813 }
814 }
815 CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
816 return (ret);
817}
818
819int
820SSL_CTX_remove_session(SSL_CTX *ctx, SSL_SESSION *c)
821{
822 return remove_session_lock(ctx, c, 1);
823}
824
825static int
826remove_session_lock(SSL_CTX *ctx, SSL_SESSION *c, int lck)
827{
828 SSL_SESSION *r;
829 int ret = 0;
830
831 if (c == NULL || c->session_id_length == 0)
832 return 0;
833
834 if (lck)
835 CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
836 if ((r = lh_SSL_SESSION_retrieve(ctx->sessions, c)) == c) {
837 ret = 1;
838 r = lh_SSL_SESSION_delete(ctx->sessions, c);
839 SSL_SESSION_list_remove(ctx, c);
840 }
841 if (lck)
842 CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
843
844 if (ret) {
845 r->not_resumable = 1;
846 if (ctx->remove_session_cb != NULL)
847 ctx->remove_session_cb(ctx, r);
848 SSL_SESSION_free(r);
849 }
850
851 return ret;
852}
853
854void
855SSL_SESSION_free(SSL_SESSION *ss)
856{
857 int i;
858
859 if (ss == NULL)
860 return;
861
862 i = CRYPTO_add(&ss->references, -1, CRYPTO_LOCK_SSL_SESSION);
863 if (i > 0)
864 return;
865
866 CRYPTO_free_ex_data(CRYPTO_EX_INDEX_SSL_SESSION, ss, &ss->ex_data);
867
868 explicit_bzero(ss->master_key, sizeof ss->master_key);
869 explicit_bzero(ss->session_id, sizeof ss->session_id);
870
871 X509_free(ss->peer_cert);
872
873 sk_SSL_CIPHER_free(ss->ciphers);
874
875 free(ss->tlsext_hostname);
876 free(ss->tlsext_tick);
877 free(ss->tlsext_ecpointformatlist);
878 free(ss->tlsext_supportedgroups);
879
880 tls13_secret_cleanup(&ss->resumption_master_secret);
881
882 freezero(ss, sizeof(*ss));
883}
884
885int
886SSL_SESSION_up_ref(SSL_SESSION *ss)
887{
888 int refs = CRYPTO_add(&ss->references, 1, CRYPTO_LOCK_SSL_SESSION);
889 return (refs > 1) ? 1 : 0;
890}
891
892int
893SSL_set_session(SSL *s, SSL_SESSION *session)
894{
895 const SSL_METHOD *method;
896
897 if (session == NULL) {
898 SSL_SESSION_free(s->session);
899 s->session = NULL;
900
901 return SSL_set_ssl_method(s, s->ctx->method);
902 }
903
904 if ((method = ssl_get_method(session->ssl_version)) == NULL) {
905 SSLerror(s, SSL_R_UNABLE_TO_FIND_SSL_METHOD);
906 return (0);
907 }
908
909 if (!SSL_set_ssl_method(s, method))
910 return (0);
911
912 CRYPTO_add(&session->references, 1, CRYPTO_LOCK_SSL_SESSION);
913 SSL_SESSION_free(s->session);
914 s->session = session;
915 s->verify_result = s->session->verify_result;
916
917 return (1);
918}
919
920size_t
921SSL_SESSION_get_master_key(const SSL_SESSION *ss, unsigned char *out,
922 size_t max_out)
923{
924 size_t len = ss->master_key_length;
925
926 if (out == NULL)
927 return len;
928
929 if (len > max_out)
930 len = max_out;
931
932 memcpy(out, ss->master_key, len);
933
934 return len;
935}
936
937long
938SSL_SESSION_set_timeout(SSL_SESSION *s, long t)
939{
940 if (s == NULL)
941 return (0);
942 s->timeout = t;
943 return (1);
944}
945
946long
947SSL_SESSION_get_timeout(const SSL_SESSION *s)
948{
949 if (s == NULL)
950 return (0);
951 return (s->timeout);
952}
953
954/* XXX 2038 */
955long
956SSL_SESSION_get_time(const SSL_SESSION *s)
957{
958 if (s == NULL)
959 return (0);
960 return (s->time);
961}
962
963/* XXX 2038 */
964long
965SSL_SESSION_set_time(SSL_SESSION *s, long t)
966{
967 if (s == NULL)
968 return (0);
969 s->time = t;
970 return (t);
971}
972
973int
974SSL_SESSION_get_protocol_version(const SSL_SESSION *s)
975{
976 return s->ssl_version;
977}
978
979const SSL_CIPHER *
980SSL_SESSION_get0_cipher(const SSL_SESSION *s)
981{
982 return s->cipher;
983}
984
985X509 *
986SSL_SESSION_get0_peer(SSL_SESSION *s)
987{
988 return s->peer_cert;
989}
990
991int
992SSL_SESSION_set1_id(SSL_SESSION *s, const unsigned char *sid,
993 unsigned int sid_len)
994{
995 if (sid_len > SSL_MAX_SSL_SESSION_ID_LENGTH) {
996 SSLerrorx(SSL_R_SSL_SESSION_ID_TOO_LONG);
997 return 0;
998 }
999 s->session_id_length = sid_len;
1000 memmove(s->session_id, sid, sid_len);
1001 return 1;
1002}
1003
1004int
1005SSL_SESSION_set1_id_context(SSL_SESSION *s, const unsigned char *sid_ctx,
1006 unsigned int sid_ctx_len)
1007{
1008 if (sid_ctx_len > SSL_MAX_SID_CTX_LENGTH) {
1009 SSLerrorx(SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG);
1010 return 0;
1011 }
1012 s->sid_ctx_length = sid_ctx_len;
1013 memcpy(s->sid_ctx, sid_ctx, sid_ctx_len);
1014
1015 return 1;
1016}
1017
1018int
1019SSL_SESSION_is_resumable(const SSL_SESSION *s)
1020{
1021 return 0;
1022}
1023
1024long
1025SSL_CTX_set_timeout(SSL_CTX *s, long t)
1026{
1027 long l;
1028
1029 if (s == NULL)
1030 return (0);
1031 l = s->session_timeout;
1032 s->session_timeout = t;
1033
1034 return (l);
1035}
1036
1037long
1038SSL_CTX_get_timeout(const SSL_CTX *s)
1039{
1040 if (s == NULL)
1041 return (0);
1042 return (s->session_timeout);
1043}
1044
1045int
1046SSL_set_session_secret_cb(SSL *s, int (*tls_session_secret_cb)(SSL *s,
1047 void *secret, int *secret_len, STACK_OF(SSL_CIPHER) *peer_ciphers,
1048 SSL_CIPHER **cipher, void *arg), void *arg)
1049{
1050 if (s == NULL)
1051 return (0);
1052 s->tls_session_secret_cb = tls_session_secret_cb;
1053 s->tls_session_secret_cb_arg = arg;
1054 return (1);
1055}
1056
1057int
1058SSL_set_session_ticket_ext_cb(SSL *s, tls_session_ticket_ext_cb_fn cb,
1059 void *arg)
1060{
1061 if (s == NULL)
1062 return (0);
1063 s->tls_session_ticket_ext_cb = cb;
1064 s->tls_session_ticket_ext_cb_arg = arg;
1065 return (1);
1066}
1067
1068int
1069SSL_set_session_ticket_ext(SSL *s, void *ext_data, int ext_len)
1070{
1071 if (s->version >= TLS1_VERSION) {
1072 free(s->tlsext_session_ticket);
1073 s->tlsext_session_ticket =
1074 malloc(sizeof(TLS_SESSION_TICKET_EXT) + ext_len);
1075 if (!s->tlsext_session_ticket) {
1076 SSLerror(s, ERR_R_MALLOC_FAILURE);
1077 return 0;
1078 }
1079
1080 if (ext_data) {
1081 s->tlsext_session_ticket->length = ext_len;
1082 s->tlsext_session_ticket->data =
1083 s->tlsext_session_ticket + 1;
1084 memcpy(s->tlsext_session_ticket->data,
1085 ext_data, ext_len);
1086 } else {
1087 s->tlsext_session_ticket->length = 0;
1088 s->tlsext_session_ticket->data = NULL;
1089 }
1090
1091 return 1;
1092 }
1093
1094 return 0;
1095}
1096
1097typedef struct timeout_param_st {
1098 SSL_CTX *ctx;
1099 long time;
1100 struct lhash_st_SSL_SESSION *cache;
1101} TIMEOUT_PARAM;
1102
1103static void
1104timeout_doall_arg(SSL_SESSION *s, TIMEOUT_PARAM *p)
1105{
1106 if ((p->time == 0) || (p->time > (s->time + s->timeout))) {
1107 /* timeout */
1108 /* The reason we don't call SSL_CTX_remove_session() is to
1109 * save on locking overhead */
1110 (void)lh_SSL_SESSION_delete(p->cache, s);
1111 SSL_SESSION_list_remove(p->ctx, s);
1112 s->not_resumable = 1;
1113 if (p->ctx->remove_session_cb != NULL)
1114 p->ctx->remove_session_cb(p->ctx, s);
1115 SSL_SESSION_free(s);
1116 }
1117}
1118
1119static void
1120timeout_LHASH_DOALL_ARG(void *arg1, void *arg2)
1121{
1122 SSL_SESSION *a = arg1;
1123 TIMEOUT_PARAM *b = arg2;
1124
1125 timeout_doall_arg(a, b);
1126}
1127
1128/* XXX 2038 */
1129void
1130SSL_CTX_flush_sessions(SSL_CTX *s, long t)
1131{
1132 unsigned long i;
1133 TIMEOUT_PARAM tp;
1134
1135 tp.ctx = s;
1136 tp.cache = s->sessions;
1137 if (tp.cache == NULL)
1138 return;
1139 tp.time = t;
1140 CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
1141 i = CHECKED_LHASH_OF(SSL_SESSION, tp.cache)->down_load;
1142 CHECKED_LHASH_OF(SSL_SESSION, tp.cache)->down_load = 0;
1143 lh_SSL_SESSION_doall_arg(tp.cache, timeout_LHASH_DOALL_ARG,
1144 TIMEOUT_PARAM, &tp);
1145 CHECKED_LHASH_OF(SSL_SESSION, tp.cache)->down_load = i;
1146 CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
1147}
1148
1149int
1150ssl_clear_bad_session(SSL *s)
1151{
1152 if ((s->session != NULL) && !(s->shutdown & SSL_SENT_SHUTDOWN) &&
1153 !(SSL_in_init(s) || SSL_in_before(s))) {
1154 SSL_CTX_remove_session(s->ctx, s->session);
1155 return (1);
1156 } else
1157 return (0);
1158}
1159
1160/* locked by SSL_CTX in the calling function */
1161static void
1162SSL_SESSION_list_remove(SSL_CTX *ctx, SSL_SESSION *s)
1163{
1164 if (s->next == NULL || s->prev == NULL)
1165 return;
1166
1167 if (s->next == (SSL_SESSION *)&(ctx->session_cache_tail)) {
1168 /* last element in list */
1169 if (s->prev == (SSL_SESSION *)&(ctx->session_cache_head)) {
1170 /* only one element in list */
1171 ctx->session_cache_head = NULL;
1172 ctx->session_cache_tail = NULL;
1173 } else {
1174 ctx->session_cache_tail = s->prev;
1175 s->prev->next =
1176 (SSL_SESSION *)&(ctx->session_cache_tail);
1177 }
1178 } else {
1179 if (s->prev == (SSL_SESSION *)&(ctx->session_cache_head)) {
1180 /* first element in list */
1181 ctx->session_cache_head = s->next;
1182 s->next->prev =
1183 (SSL_SESSION *)&(ctx->session_cache_head);
1184 } else {
1185 /* middle of list */
1186 s->next->prev = s->prev;
1187 s->prev->next = s->next;
1188 }
1189 }
1190 s->prev = s->next = NULL;
1191}
1192
1193static void
1194SSL_SESSION_list_add(SSL_CTX *ctx, SSL_SESSION *s)
1195{
1196 if (s->next != NULL && s->prev != NULL)
1197 SSL_SESSION_list_remove(ctx, s);
1198
1199 if (ctx->session_cache_head == NULL) {
1200 ctx->session_cache_head = s;
1201 ctx->session_cache_tail = s;
1202 s->prev = (SSL_SESSION *)&(ctx->session_cache_head);
1203 s->next = (SSL_SESSION *)&(ctx->session_cache_tail);
1204 } else {
1205 s->next = ctx->session_cache_head;
1206 s->next->prev = s;
1207 s->prev = (SSL_SESSION *)&(ctx->session_cache_head);
1208 ctx->session_cache_head = s;
1209 }
1210}
1211
1212void
1213SSL_CTX_sess_set_new_cb(SSL_CTX *ctx,
1214 int (*cb)(struct ssl_st *ssl, SSL_SESSION *sess)) {
1215 ctx->new_session_cb = cb;
1216}
1217
1218int
1219(*SSL_CTX_sess_get_new_cb(SSL_CTX *ctx))(SSL *ssl, SSL_SESSION *sess)
1220{
1221 return ctx->new_session_cb;
1222}
1223
1224void
1225SSL_CTX_sess_set_remove_cb(SSL_CTX *ctx,
1226 void (*cb)(SSL_CTX *ctx, SSL_SESSION *sess))
1227{
1228 ctx->remove_session_cb = cb;
1229}
1230
1231void
1232(*SSL_CTX_sess_get_remove_cb(SSL_CTX *ctx))(SSL_CTX * ctx, SSL_SESSION *sess)
1233{
1234 return ctx->remove_session_cb;
1235}
1236
1237void
1238SSL_CTX_sess_set_get_cb(SSL_CTX *ctx, SSL_SESSION *(*cb)(struct ssl_st *ssl,
1239 const unsigned char *data, int len, int *copy))
1240{
1241 ctx->get_session_cb = cb;
1242}
1243
1244SSL_SESSION *
1245(*SSL_CTX_sess_get_get_cb(SSL_CTX *ctx))(SSL *ssl, const unsigned char *data,
1246 int len, int *copy)
1247{
1248 return ctx->get_session_cb;
1249}
1250
1251void
1252SSL_CTX_set_info_callback(SSL_CTX *ctx,
1253 void (*cb)(const SSL *ssl, int type, int val))
1254{
1255 ctx->info_callback = cb;
1256}
1257
1258void
1259(*SSL_CTX_get_info_callback(SSL_CTX *ctx))(const SSL *ssl, int type, int val)
1260{
1261 return ctx->info_callback;
1262}
1263
1264void
1265SSL_CTX_set_client_cert_cb(SSL_CTX *ctx,
1266 int (*cb)(SSL *ssl, X509 **x509, EVP_PKEY **pkey))
1267{
1268 ctx->client_cert_cb = cb;
1269}
1270
1271int
1272(*SSL_CTX_get_client_cert_cb(SSL_CTX *ctx))(SSL * ssl, X509 ** x509,
1273 EVP_PKEY **pkey)
1274{
1275 return ctx->client_cert_cb;
1276}
1277
1278#ifndef OPENSSL_NO_ENGINE
1279int
1280SSL_CTX_set_client_cert_engine(SSL_CTX *ctx, ENGINE *e)
1281{
1282 if (!ENGINE_init(e)) {
1283 SSLerrorx(ERR_R_ENGINE_LIB);
1284 return 0;
1285 }
1286 if (!ENGINE_get_ssl_client_cert_function(e)) {
1287 SSLerrorx(SSL_R_NO_CLIENT_CERT_METHOD);
1288 ENGINE_finish(e);
1289 return 0;
1290 }
1291 ctx->client_cert_engine = e;
1292 return 1;
1293}
1294#endif
1295
1296void
1297SSL_CTX_set_cookie_generate_cb(SSL_CTX *ctx,
1298 int (*cb)(SSL *ssl, unsigned char *cookie, unsigned int *cookie_len))
1299{
1300 ctx->app_gen_cookie_cb = cb;
1301}
1302
1303void
1304SSL_CTX_set_cookie_verify_cb(SSL_CTX *ctx,
1305 int (*cb)(SSL *ssl, const unsigned char *cookie, unsigned int cookie_len))
1306{
1307 ctx->app_verify_cookie_cb = cb;
1308}
1309
1310int
1311PEM_write_SSL_SESSION(FILE *fp, SSL_SESSION *x)
1312{
1313 return PEM_ASN1_write((i2d_of_void *)i2d_SSL_SESSION,
1314 PEM_STRING_SSL_SESSION, fp, x, NULL, NULL, 0, NULL, NULL);
1315}
1316
1317SSL_SESSION *
1318PEM_read_SSL_SESSION(FILE *fp, SSL_SESSION **x, pem_password_cb *cb, void *u)
1319{
1320 return PEM_ASN1_read((d2i_of_void *)d2i_SSL_SESSION,
1321 PEM_STRING_SSL_SESSION, fp, (void **)x, cb, u);
1322}
1323
1324SSL_SESSION *
1325PEM_read_bio_SSL_SESSION(BIO *bp, SSL_SESSION **x, pem_password_cb *cb, void *u)
1326{
1327 return PEM_ASN1_read_bio((d2i_of_void *)d2i_SSL_SESSION,
1328 PEM_STRING_SSL_SESSION, bp, (void **)x, cb, u);
1329}
1330
1331int
1332PEM_write_bio_SSL_SESSION(BIO *bp, SSL_SESSION *x)
1333{
1334 return PEM_ASN1_write_bio((i2d_of_void *)i2d_SSL_SESSION,
1335 PEM_STRING_SSL_SESSION, bp, x, NULL, NULL, 0, NULL, NULL);
1336}
diff --git a/src/lib/libssl/ssl_sigalgs.c b/src/lib/libssl/ssl_sigalgs.c
deleted file mode 100644
index f59beb4320..0000000000
--- a/src/lib/libssl/ssl_sigalgs.c
+++ /dev/null
@@ -1,388 +0,0 @@
1/* $OpenBSD: ssl_sigalgs.c,v 1.48 2022/11/26 16:08:56 tb Exp $ */
2/*
3 * Copyright (c) 2018-2020 Bob Beck <beck@openbsd.org>
4 * Copyright (c) 2021 Joel Sing <jsing@openbsd.org>
5 *
6 * Permission to use, copy, modify, and/or distribute this software for any
7 * purpose with or without fee is hereby granted, provided that the above
8 * copyright notice and this permission notice appear in all copies.
9 *
10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
13 * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
15 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
16 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17 */
18
19#include <string.h>
20#include <stdlib.h>
21
22#include <openssl/evp.h>
23#include <openssl/opensslconf.h>
24
25#include "bytestring.h"
26#include "ssl_local.h"
27#include "ssl_sigalgs.h"
28#include "tls13_internal.h"
29
30const struct ssl_sigalg sigalgs[] = {
31 {
32 .value = SIGALG_RSA_PKCS1_SHA512,
33 .key_type = EVP_PKEY_RSA,
34 .md = EVP_sha512,
35 .security_level = 5,
36 },
37 {
38 .value = SIGALG_ECDSA_SECP521R1_SHA512,
39 .key_type = EVP_PKEY_EC,
40 .md = EVP_sha512,
41 .security_level = 5,
42 .group_nid = NID_secp521r1,
43 },
44#ifndef OPENSSL_NO_GOST
45 {
46 .value = SIGALG_GOSTR12_512_STREEBOG_512,
47 .key_type = EVP_PKEY_GOSTR12_512,
48 .md = EVP_streebog512,
49 .security_level = 0,
50 },
51#endif
52 {
53 .value = SIGALG_RSA_PKCS1_SHA384,
54 .key_type = EVP_PKEY_RSA,
55 .md = EVP_sha384,
56 .security_level = 4,
57 },
58 {
59 .value = SIGALG_ECDSA_SECP384R1_SHA384,
60 .key_type = EVP_PKEY_EC,
61 .md = EVP_sha384,
62 .security_level = 4,
63 .group_nid = NID_secp384r1,
64 },
65 {
66 .value = SIGALG_RSA_PKCS1_SHA256,
67 .key_type = EVP_PKEY_RSA,
68 .md = EVP_sha256,
69 .security_level = 3,
70 },
71 {
72 .value = SIGALG_ECDSA_SECP256R1_SHA256,
73 .key_type = EVP_PKEY_EC,
74 .md = EVP_sha256,
75 .security_level = 3,
76 .group_nid = NID_X9_62_prime256v1,
77 },
78#ifndef OPENSSL_NO_GOST
79 {
80 .value = SIGALG_GOSTR12_256_STREEBOG_256,
81 .key_type = EVP_PKEY_GOSTR12_256,
82 .md = EVP_streebog256,
83 .security_level = 0,
84 },
85 {
86 .value = SIGALG_GOSTR01_GOST94,
87 .key_type = EVP_PKEY_GOSTR01,
88 .md = EVP_gostr341194,
89 .security_level = 0, /* XXX */
90 },
91#endif
92 {
93 .value = SIGALG_RSA_PSS_RSAE_SHA256,
94 .key_type = EVP_PKEY_RSA,
95 .md = EVP_sha256,
96 .security_level = 3,
97 .flags = SIGALG_FLAG_RSA_PSS,
98 },
99 {
100 .value = SIGALG_RSA_PSS_RSAE_SHA384,
101 .key_type = EVP_PKEY_RSA,
102 .md = EVP_sha384,
103 .security_level = 4,
104 .flags = SIGALG_FLAG_RSA_PSS,
105 },
106 {
107 .value = SIGALG_RSA_PSS_RSAE_SHA512,
108 .key_type = EVP_PKEY_RSA,
109 .md = EVP_sha512,
110 .security_level = 5,
111 .flags = SIGALG_FLAG_RSA_PSS,
112 },
113 {
114 .value = SIGALG_RSA_PSS_PSS_SHA256,
115 .key_type = EVP_PKEY_RSA,
116 .md = EVP_sha256,
117 .security_level = 3,
118 .flags = SIGALG_FLAG_RSA_PSS,
119 },
120 {
121 .value = SIGALG_RSA_PSS_PSS_SHA384,
122 .key_type = EVP_PKEY_RSA,
123 .md = EVP_sha384,
124 .security_level = 4,
125 .flags = SIGALG_FLAG_RSA_PSS,
126 },
127 {
128 .value = SIGALG_RSA_PSS_PSS_SHA512,
129 .key_type = EVP_PKEY_RSA,
130 .md = EVP_sha512,
131 .security_level = 5,
132 .flags = SIGALG_FLAG_RSA_PSS,
133 },
134 {
135 .value = SIGALG_RSA_PKCS1_SHA224,
136 .key_type = EVP_PKEY_RSA,
137 .md = EVP_sha224,
138 .security_level = 2,
139 },
140 {
141 .value = SIGALG_ECDSA_SECP224R1_SHA224,
142 .key_type = EVP_PKEY_EC,
143 .md = EVP_sha224,
144 .security_level = 2,
145 },
146 {
147 .value = SIGALG_RSA_PKCS1_SHA1,
148 .key_type = EVP_PKEY_RSA,
149 .md = EVP_sha1,
150 .security_level = 1,
151 },
152 {
153 .value = SIGALG_ECDSA_SHA1,
154 .key_type = EVP_PKEY_EC,
155 .md = EVP_sha1,
156 .security_level = 1,
157 },
158 {
159 .value = SIGALG_RSA_PKCS1_MD5_SHA1,
160 .key_type = EVP_PKEY_RSA,
161 .md = EVP_md5_sha1,
162 .security_level = 1,
163 },
164 {
165 .value = SIGALG_NONE,
166 },
167};
168
169/* Sigalgs for TLSv1.3, in preference order. */
170const uint16_t tls13_sigalgs[] = {
171 SIGALG_RSA_PSS_RSAE_SHA512,
172 SIGALG_RSA_PKCS1_SHA512,
173 SIGALG_ECDSA_SECP521R1_SHA512,
174 SIGALG_RSA_PSS_RSAE_SHA384,
175 SIGALG_RSA_PKCS1_SHA384,
176 SIGALG_ECDSA_SECP384R1_SHA384,
177 SIGALG_RSA_PSS_RSAE_SHA256,
178 SIGALG_RSA_PKCS1_SHA256,
179 SIGALG_ECDSA_SECP256R1_SHA256,
180};
181const size_t tls13_sigalgs_len = (sizeof(tls13_sigalgs) / sizeof(tls13_sigalgs[0]));
182
183/* Sigalgs for TLSv1.2, in preference order. */
184const uint16_t tls12_sigalgs[] = {
185 SIGALG_RSA_PSS_RSAE_SHA512,
186 SIGALG_RSA_PKCS1_SHA512,
187 SIGALG_ECDSA_SECP521R1_SHA512,
188 SIGALG_RSA_PSS_RSAE_SHA384,
189 SIGALG_RSA_PKCS1_SHA384,
190 SIGALG_ECDSA_SECP384R1_SHA384,
191 SIGALG_RSA_PSS_RSAE_SHA256,
192 SIGALG_RSA_PKCS1_SHA256,
193 SIGALG_ECDSA_SECP256R1_SHA256,
194 SIGALG_RSA_PKCS1_SHA1, /* XXX */
195 SIGALG_ECDSA_SHA1, /* XXX */
196};
197const size_t tls12_sigalgs_len = (sizeof(tls12_sigalgs) / sizeof(tls12_sigalgs[0]));
198
199static void
200ssl_sigalgs_for_version(uint16_t tls_version, const uint16_t **out_values,
201 size_t *out_len)
202{
203 if (tls_version >= TLS1_3_VERSION) {
204 *out_values = tls13_sigalgs;
205 *out_len = tls13_sigalgs_len;
206 } else {
207 *out_values = tls12_sigalgs;
208 *out_len = tls12_sigalgs_len;
209 }
210}
211
212static const struct ssl_sigalg *
213ssl_sigalg_lookup(uint16_t value)
214{
215 int i;
216
217 for (i = 0; sigalgs[i].value != SIGALG_NONE; i++) {
218 if (sigalgs[i].value == value)
219 return &sigalgs[i];
220 }
221
222 return NULL;
223}
224
225static const struct ssl_sigalg *
226ssl_sigalg_from_value(SSL *s, uint16_t value)
227{
228 const uint16_t *values;
229 size_t len;
230 int i;
231
232 ssl_sigalgs_for_version(s->s3->hs.negotiated_tls_version,
233 &values, &len);
234
235 for (i = 0; i < len; i++) {
236 if (values[i] == value)
237 return ssl_sigalg_lookup(value);
238 }
239
240 return NULL;
241}
242
243int
244ssl_sigalgs_build(uint16_t tls_version, CBB *cbb, int security_level)
245{
246 const struct ssl_sigalg *sigalg;
247 const uint16_t *values;
248 size_t len;
249 size_t i;
250 int ret = 0;
251
252 ssl_sigalgs_for_version(tls_version, &values, &len);
253
254 /* Add values in order as long as they are supported. */
255 for (i = 0; i < len; i++) {
256 /* Do not allow the legacy value for < 1.2 to be used. */
257 if (values[i] == SIGALG_RSA_PKCS1_MD5_SHA1)
258 return 0;
259 if ((sigalg = ssl_sigalg_lookup(values[i])) == NULL)
260 return 0;
261 if (sigalg->security_level < security_level)
262 continue;
263
264 if (!CBB_add_u16(cbb, values[i]))
265 return 0;
266
267 ret = 1;
268 }
269 return ret;
270}
271
272static const struct ssl_sigalg *
273ssl_sigalg_for_legacy(SSL *s, EVP_PKEY *pkey)
274{
275 if (SSL_get_security_level(s) > 1)
276 return NULL;
277
278 /* Default signature algorithms used for TLSv1.2 and earlier. */
279 switch (EVP_PKEY_id(pkey)) {
280 case EVP_PKEY_RSA:
281 if (s->s3->hs.negotiated_tls_version < TLS1_2_VERSION)
282 return ssl_sigalg_lookup(SIGALG_RSA_PKCS1_MD5_SHA1);
283 return ssl_sigalg_lookup(SIGALG_RSA_PKCS1_SHA1);
284 case EVP_PKEY_EC:
285 return ssl_sigalg_lookup(SIGALG_ECDSA_SHA1);
286#ifndef OPENSSL_NO_GOST
287 case EVP_PKEY_GOSTR01:
288 return ssl_sigalg_lookup(SIGALG_GOSTR01_GOST94);
289#endif
290 }
291 SSLerror(s, SSL_R_UNKNOWN_PKEY_TYPE);
292 return NULL;
293}
294
295static int
296ssl_sigalg_pkey_ok(SSL *s, const struct ssl_sigalg *sigalg, EVP_PKEY *pkey)
297{
298 if (sigalg == NULL || pkey == NULL)
299 return 0;
300 if (sigalg->key_type != EVP_PKEY_id(pkey))
301 return 0;
302
303 /* RSA PSS must have a sufficiently large RSA key. */
304 if ((sigalg->flags & SIGALG_FLAG_RSA_PSS)) {
305 if (EVP_PKEY_id(pkey) != EVP_PKEY_RSA ||
306 EVP_PKEY_size(pkey) < (2 * EVP_MD_size(sigalg->md()) + 2))
307 return 0;
308 }
309
310 if (!ssl_security_sigalg_check(s, pkey))
311 return 0;
312
313 if (s->s3->hs.negotiated_tls_version < TLS1_3_VERSION)
314 return 1;
315
316 /* RSA cannot be used without PSS in TLSv1.3. */
317 if (sigalg->key_type == EVP_PKEY_RSA &&
318 (sigalg->flags & SIGALG_FLAG_RSA_PSS) == 0)
319 return 0;
320
321 /* Ensure that group matches for EC keys. */
322 if (EVP_PKEY_id(pkey) == EVP_PKEY_EC) {
323 if (sigalg->group_nid == 0)
324 return 0;
325 if (EC_GROUP_get_curve_name(EC_KEY_get0_group(
326 EVP_PKEY_get0_EC_KEY(pkey))) != sigalg->group_nid)
327 return 0;
328 }
329
330 return 1;
331}
332
333const struct ssl_sigalg *
334ssl_sigalg_select(SSL *s, EVP_PKEY *pkey)
335{
336 CBS cbs;
337
338 if (!SSL_USE_SIGALGS(s))
339 return ssl_sigalg_for_legacy(s, pkey);
340
341 /*
342 * RFC 5246 allows a TLS 1.2 client to send no sigalgs extension,
343 * in which case the server must use the default.
344 */
345 if (s->s3->hs.negotiated_tls_version < TLS1_3_VERSION &&
346 s->s3->hs.sigalgs == NULL)
347 return ssl_sigalg_for_legacy(s, pkey);
348
349 /*
350 * If we get here, we have client or server sent sigalgs, use one.
351 */
352 CBS_init(&cbs, s->s3->hs.sigalgs, s->s3->hs.sigalgs_len);
353 while (CBS_len(&cbs) > 0) {
354 const struct ssl_sigalg *sigalg;
355 uint16_t sigalg_value;
356
357 if (!CBS_get_u16(&cbs, &sigalg_value))
358 return NULL;
359
360 if ((sigalg = ssl_sigalg_from_value(s, sigalg_value)) == NULL)
361 continue;
362 if (ssl_sigalg_pkey_ok(s, sigalg, pkey))
363 return sigalg;
364 }
365
366 SSLerror(s, SSL_R_UNKNOWN_PKEY_TYPE);
367 return NULL;
368}
369
370const struct ssl_sigalg *
371ssl_sigalg_for_peer(SSL *s, EVP_PKEY *pkey, uint16_t sigalg_value)
372{
373 const struct ssl_sigalg *sigalg;
374
375 if (!SSL_USE_SIGALGS(s))
376 return ssl_sigalg_for_legacy(s, pkey);
377
378 if ((sigalg = ssl_sigalg_from_value(s, sigalg_value)) == NULL) {
379 SSLerror(s, SSL_R_UNKNOWN_DIGEST);
380 return NULL;
381 }
382 if (!ssl_sigalg_pkey_ok(s, sigalg, pkey)) {
383 SSLerror(s, SSL_R_WRONG_SIGNATURE_TYPE);
384 return NULL;
385 }
386
387 return sigalg;
388}
diff --git a/src/lib/libssl/ssl_sigalgs.h b/src/lib/libssl/ssl_sigalgs.h
deleted file mode 100644
index 21a54d642b..0000000000
--- a/src/lib/libssl/ssl_sigalgs.h
+++ /dev/null
@@ -1,79 +0,0 @@
1/* $OpenBSD: ssl_sigalgs.h,v 1.26 2022/07/02 16:00:12 tb Exp $ */
2/*
3 * Copyright (c) 2018-2019 Bob Beck <beck@openbsd.org>
4 *
5 * Permission to use, copy, modify, and/or distribute this software for any
6 * purpose with or without fee is hereby granted, provided that the above
7 * copyright notice and this permission notice appear in all copies.
8 *
9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
12 * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
14 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
15 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16 */
17
18#ifndef HEADER_SSL_SIGALGS_H
19#define HEADER_SSL_SIGALGS_H
20
21__BEGIN_HIDDEN_DECLS
22
23#define SIGALG_NONE 0x0000
24
25/*
26 * RFC 8446 Section 4.2.3
27 * RFC 5246 Section 7.4.1.4.1
28 */
29#define SIGALG_RSA_PKCS1_SHA224 0x0301
30#define SIGALG_RSA_PKCS1_SHA256 0x0401
31#define SIGALG_RSA_PKCS1_SHA384 0x0501
32#define SIGALG_RSA_PKCS1_SHA512 0x0601
33#define SIGALG_ECDSA_SECP224R1_SHA224 0x0303
34#define SIGALG_ECDSA_SECP256R1_SHA256 0x0403
35#define SIGALG_ECDSA_SECP384R1_SHA384 0x0503
36#define SIGALG_ECDSA_SECP521R1_SHA512 0x0603
37#define SIGALG_RSA_PSS_RSAE_SHA256 0x0804
38#define SIGALG_RSA_PSS_RSAE_SHA384 0x0805
39#define SIGALG_RSA_PSS_RSAE_SHA512 0x0806
40#define SIGALG_ED25519 0x0807
41#define SIGALG_ED448 0x0808
42#define SIGALG_RSA_PSS_PSS_SHA256 0x0809
43#define SIGALG_RSA_PSS_PSS_SHA384 0x080a
44#define SIGALG_RSA_PSS_PSS_SHA512 0x080b
45#define SIGALG_RSA_PKCS1_SHA1 0x0201
46#define SIGALG_ECDSA_SHA1 0x0203
47#define SIGALG_PRIVATE_START 0xFE00
48#define SIGALG_PRIVATE_END 0xFFFF
49
50/*
51 * If Russia can elect the US President, surely
52 * IANA could fix this problem.
53 */
54#define SIGALG_GOSTR12_512_STREEBOG_512 0xEFEF
55#define SIGALG_GOSTR12_256_STREEBOG_256 0xEEEE
56#define SIGALG_GOSTR01_GOST94 0xEDED
57
58/* Legacy sigalg for < TLSv1.2 same value as BoringSSL uses. */
59#define SIGALG_RSA_PKCS1_MD5_SHA1 0xFF01
60
61#define SIGALG_FLAG_RSA_PSS 0x00000001
62
63struct ssl_sigalg {
64 uint16_t value;
65 int key_type;
66 const EVP_MD *(*md)(void);
67 int security_level;
68 int group_nid;
69 int flags;
70};
71
72int ssl_sigalgs_build(uint16_t tls_version, CBB *cbb, int security_level);
73const struct ssl_sigalg *ssl_sigalg_select(SSL *s, EVP_PKEY *pkey);
74const struct ssl_sigalg *ssl_sigalg_for_peer(SSL *s, EVP_PKEY *pkey,
75 uint16_t sigalg_value);
76
77__END_HIDDEN_DECLS
78
79#endif
diff --git a/src/lib/libssl/ssl_srvr.c b/src/lib/libssl/ssl_srvr.c
deleted file mode 100644
index 556107f5a1..0000000000
--- a/src/lib/libssl/ssl_srvr.c
+++ /dev/null
@@ -1,2625 +0,0 @@
1/* $OpenBSD: ssl_srvr.c,v 1.153 2022/12/26 07:31:44 jmc Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58/* ====================================================================
59 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
60 *
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
63 * are met:
64 *
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
67 *
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
71 * distribution.
72 *
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77 *
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
82 *
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
86 *
87 * 6. Redistributions of any form whatsoever must retain the following
88 * acknowledgment:
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91 *
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
105 *
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
109 *
110 */
111/* ====================================================================
112 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
113 *
114 * Portions of the attached software ("Contribution") are developed by
115 * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project.
116 *
117 * The Contribution is licensed pursuant to the OpenSSL open source
118 * license provided above.
119 *
120 * ECC cipher suite support in OpenSSL originally written by
121 * Vipul Gupta and Sumit Gupta of Sun Microsystems Laboratories.
122 *
123 */
124/* ====================================================================
125 * Copyright 2005 Nokia. All rights reserved.
126 *
127 * The portions of the attached software ("Contribution") is developed by
128 * Nokia Corporation and is licensed pursuant to the OpenSSL open source
129 * license.
130 *
131 * The Contribution, originally written by Mika Kousa and Pasi Eronen of
132 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
133 * support (see RFC 4279) to OpenSSL.
134 *
135 * No patent licenses or other rights except those expressly stated in
136 * the OpenSSL open source license shall be deemed granted or received
137 * expressly, by implication, estoppel, or otherwise.
138 *
139 * No assurances are provided by Nokia that the Contribution does not
140 * infringe the patent or other intellectual property rights of any third
141 * party or that the license provides you with all the necessary rights
142 * to make use of the Contribution.
143 *
144 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
145 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
146 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
147 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
148 * OTHERWISE.
149 */
150
151#include <limits.h>
152#include <stdio.h>
153
154#include <openssl/bn.h>
155#include <openssl/buffer.h>
156#include <openssl/curve25519.h>
157#include <openssl/evp.h>
158#include <openssl/dh.h>
159#include <openssl/hmac.h>
160#include <openssl/md5.h>
161#include <openssl/objects.h>
162#include <openssl/opensslconf.h>
163#include <openssl/x509.h>
164
165#ifndef OPENSSL_NO_GOST
166#include <openssl/gost.h>
167#endif
168
169#include "bytestring.h"
170#include "dtls_local.h"
171#include "ssl_local.h"
172#include "ssl_sigalgs.h"
173#include "ssl_tlsext.h"
174
175static int ssl3_get_client_hello(SSL *s);
176static int ssl3_send_dtls_hello_verify_request(SSL *s);
177static int ssl3_send_server_hello(SSL *s);
178static int ssl3_send_hello_request(SSL *s);
179static int ssl3_send_server_certificate(SSL *s);
180static int ssl3_send_server_key_exchange(SSL *s);
181static int ssl3_send_certificate_request(SSL *s);
182static int ssl3_send_server_done(SSL *s);
183static int ssl3_get_client_certificate(SSL *s);
184static int ssl3_get_client_key_exchange(SSL *s);
185static int ssl3_get_cert_verify(SSL *s);
186static int ssl3_send_newsession_ticket(SSL *s);
187static int ssl3_send_cert_status(SSL *s);
188static int ssl3_send_server_change_cipher_spec(SSL *s);
189static int ssl3_send_server_finished(SSL *s);
190static int ssl3_get_client_finished(SSL *s);
191
192int
193ssl3_accept(SSL *s)
194{
195 unsigned long alg_k;
196 int new_state, state, skip = 0;
197 int listen = 0;
198 int ret = -1;
199
200 ERR_clear_error();
201 errno = 0;
202
203 if (SSL_is_dtls(s))
204 listen = s->d1->listen;
205
206 /* init things to blank */
207 s->in_handshake++;
208 if (!SSL_in_init(s) || SSL_in_before(s))
209 SSL_clear(s);
210
211 if (SSL_is_dtls(s))
212 s->d1->listen = listen;
213
214 for (;;) {
215 state = s->s3->hs.state;
216
217 switch (s->s3->hs.state) {
218 case SSL_ST_RENEGOTIATE:
219 s->renegotiate = 1;
220 /* s->s3->hs.state=SSL_ST_ACCEPT; */
221
222 case SSL_ST_BEFORE:
223 case SSL_ST_ACCEPT:
224 case SSL_ST_BEFORE|SSL_ST_ACCEPT:
225 case SSL_ST_OK|SSL_ST_ACCEPT:
226 s->server = 1;
227
228 ssl_info_callback(s, SSL_CB_HANDSHAKE_START, 1);
229
230 if (!ssl_legacy_stack_version(s, s->version)) {
231 SSLerror(s, ERR_R_INTERNAL_ERROR);
232 ret = -1;
233 goto end;
234 }
235
236 if (!ssl_supported_tls_version_range(s,
237 &s->s3->hs.our_min_tls_version,
238 &s->s3->hs.our_max_tls_version)) {
239 SSLerror(s, SSL_R_NO_PROTOCOLS_AVAILABLE);
240 ret = -1;
241 goto end;
242 }
243
244 if (!ssl_security_version(s,
245 s->s3->hs.our_min_tls_version)) {
246 SSLerror(s, SSL_R_VERSION_TOO_LOW);
247 ret = -1;
248 goto end;
249 }
250
251 if (!ssl3_setup_init_buffer(s)) {
252 ret = -1;
253 goto end;
254 }
255 if (!ssl3_setup_buffers(s)) {
256 ret = -1;
257 goto end;
258 }
259
260 s->init_num = 0;
261
262 if (s->s3->hs.state != SSL_ST_RENEGOTIATE) {
263 /*
264 * Ok, we now need to push on a buffering BIO
265 * so that the output is sent in a way that
266 * TCP likes :-)
267 */
268 if (!ssl_init_wbio_buffer(s, 1)) {
269 ret = -1;
270 goto end;
271 }
272
273 if (!tls1_transcript_init(s)) {
274 ret = -1;
275 goto end;
276 }
277
278 s->s3->hs.state = SSL3_ST_SR_CLNT_HELLO_A;
279 s->ctx->stats.sess_accept++;
280 } else if (!SSL_is_dtls(s) && !s->s3->send_connection_binding) {
281 /*
282 * Server attempting to renegotiate with
283 * client that doesn't support secure
284 * renegotiation.
285 */
286 SSLerror(s, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
287 ssl3_send_alert(s, SSL3_AL_FATAL,
288 SSL_AD_HANDSHAKE_FAILURE);
289 ret = -1;
290 goto end;
291 } else {
292 /*
293 * s->s3->hs.state == SSL_ST_RENEGOTIATE,
294 * we will just send a HelloRequest.
295 */
296 s->ctx->stats.sess_accept_renegotiate++;
297 s->s3->hs.state = SSL3_ST_SW_HELLO_REQ_A;
298 }
299 break;
300
301 case SSL3_ST_SW_HELLO_REQ_A:
302 case SSL3_ST_SW_HELLO_REQ_B:
303 s->shutdown = 0;
304 if (SSL_is_dtls(s)) {
305 dtls1_clear_record_buffer(s);
306 dtls1_start_timer(s);
307 }
308 ret = ssl3_send_hello_request(s);
309 if (ret <= 0)
310 goto end;
311 if (SSL_is_dtls(s))
312 s->s3->hs.tls12.next_state = SSL3_ST_SR_CLNT_HELLO_A;
313 else
314 s->s3->hs.tls12.next_state = SSL3_ST_SW_HELLO_REQ_C;
315 s->s3->hs.state = SSL3_ST_SW_FLUSH;
316 s->init_num = 0;
317
318 if (SSL_is_dtls(s)) {
319 if (!tls1_transcript_init(s)) {
320 ret = -1;
321 goto end;
322 }
323 }
324 break;
325
326 case SSL3_ST_SW_HELLO_REQ_C:
327 s->s3->hs.state = SSL_ST_OK;
328 break;
329
330 case SSL3_ST_SR_CLNT_HELLO_A:
331 case SSL3_ST_SR_CLNT_HELLO_B:
332 case SSL3_ST_SR_CLNT_HELLO_C:
333 s->shutdown = 0;
334 if (SSL_is_dtls(s)) {
335 ret = ssl3_get_client_hello(s);
336 if (ret <= 0)
337 goto end;
338 dtls1_stop_timer(s);
339
340 if (ret == 1 &&
341 (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE))
342 s->s3->hs.state = DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A;
343 else
344 s->s3->hs.state = SSL3_ST_SW_SRVR_HELLO_A;
345
346 s->init_num = 0;
347
348 /*
349 * Reflect ClientHello sequence to remain
350 * stateless while listening.
351 */
352 if (listen) {
353 tls12_record_layer_reflect_seq_num(
354 s->rl);
355 }
356
357 /* If we're just listening, stop here */
358 if (listen && s->s3->hs.state == SSL3_ST_SW_SRVR_HELLO_A) {
359 ret = 2;
360 s->d1->listen = 0;
361 /*
362 * Set expected sequence numbers to
363 * continue the handshake.
364 */
365 s->d1->handshake_read_seq = 2;
366 s->d1->handshake_write_seq = 1;
367 s->d1->next_handshake_write_seq = 1;
368 goto end;
369 }
370 } else {
371 if (s->rwstate != SSL_X509_LOOKUP) {
372 ret = ssl3_get_client_hello(s);
373 if (ret <= 0)
374 goto end;
375 }
376
377 s->renegotiate = 2;
378 s->s3->hs.state = SSL3_ST_SW_SRVR_HELLO_A;
379 s->init_num = 0;
380 }
381 break;
382
383 case DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A:
384 case DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B:
385 ret = ssl3_send_dtls_hello_verify_request(s);
386 if (ret <= 0)
387 goto end;
388 s->s3->hs.state = SSL3_ST_SW_FLUSH;
389 s->s3->hs.tls12.next_state = SSL3_ST_SR_CLNT_HELLO_A;
390
391 /* HelloVerifyRequest resets Finished MAC. */
392 tls1_transcript_reset(s);
393 break;
394
395 case SSL3_ST_SW_SRVR_HELLO_A:
396 case SSL3_ST_SW_SRVR_HELLO_B:
397 if (SSL_is_dtls(s)) {
398 s->renegotiate = 2;
399 dtls1_start_timer(s);
400 }
401 ret = ssl3_send_server_hello(s);
402 if (ret <= 0)
403 goto end;
404 if (s->hit) {
405 if (s->tlsext_ticket_expected)
406 s->s3->hs.state = SSL3_ST_SW_SESSION_TICKET_A;
407 else
408 s->s3->hs.state = SSL3_ST_SW_CHANGE_A;
409 } else {
410 s->s3->hs.state = SSL3_ST_SW_CERT_A;
411 }
412 s->init_num = 0;
413 break;
414
415 case SSL3_ST_SW_CERT_A:
416 case SSL3_ST_SW_CERT_B:
417 /* Check if it is anon DH or anon ECDH. */
418 if (!(s->s3->hs.cipher->algorithm_auth &
419 SSL_aNULL)) {
420 if (SSL_is_dtls(s))
421 dtls1_start_timer(s);
422 ret = ssl3_send_server_certificate(s);
423 if (ret <= 0)
424 goto end;
425 if (s->tlsext_status_expected)
426 s->s3->hs.state = SSL3_ST_SW_CERT_STATUS_A;
427 else
428 s->s3->hs.state = SSL3_ST_SW_KEY_EXCH_A;
429 } else {
430 skip = 1;
431 s->s3->hs.state = SSL3_ST_SW_KEY_EXCH_A;
432 }
433 s->init_num = 0;
434 break;
435
436 case SSL3_ST_SW_KEY_EXCH_A:
437 case SSL3_ST_SW_KEY_EXCH_B:
438 alg_k = s->s3->hs.cipher->algorithm_mkey;
439
440 /*
441 * Only send if using a DH key exchange.
442 *
443 * For ECC ciphersuites, we send a ServerKeyExchange
444 * message only if the cipher suite is ECDHE. In other
445 * cases, the server certificate contains the server's
446 * public key for key exchange.
447 */
448 if (alg_k & (SSL_kDHE|SSL_kECDHE)) {
449 if (SSL_is_dtls(s))
450 dtls1_start_timer(s);
451 ret = ssl3_send_server_key_exchange(s);
452 if (ret <= 0)
453 goto end;
454 } else
455 skip = 1;
456
457 s->s3->hs.state = SSL3_ST_SW_CERT_REQ_A;
458 s->init_num = 0;
459 break;
460
461 case SSL3_ST_SW_CERT_REQ_A:
462 case SSL3_ST_SW_CERT_REQ_B:
463 /*
464 * Determine whether or not we need to request a
465 * certificate.
466 *
467 * Do not request a certificate if:
468 *
469 * - We did not ask for it (SSL_VERIFY_PEER is unset).
470 *
471 * - SSL_VERIFY_CLIENT_ONCE is set and we are
472 * renegotiating.
473 *
474 * - We are using an anonymous ciphersuites
475 * (see section "Certificate request" in SSL 3 drafts
476 * and in RFC 2246) ... except when the application
477 * insists on verification (against the specs, but
478 * s3_clnt.c accepts this for SSL 3).
479 */
480 if (!(s->verify_mode & SSL_VERIFY_PEER) ||
481 ((s->session->peer_cert != NULL) &&
482 (s->verify_mode & SSL_VERIFY_CLIENT_ONCE)) ||
483 ((s->s3->hs.cipher->algorithm_auth &
484 SSL_aNULL) && !(s->verify_mode &
485 SSL_VERIFY_FAIL_IF_NO_PEER_CERT))) {
486 /* No cert request. */
487 skip = 1;
488 s->s3->hs.tls12.cert_request = 0;
489 s->s3->hs.state = SSL3_ST_SW_SRVR_DONE_A;
490
491 if (!SSL_is_dtls(s))
492 tls1_transcript_free(s);
493 } else {
494 s->s3->hs.tls12.cert_request = 1;
495 if (SSL_is_dtls(s))
496 dtls1_start_timer(s);
497 ret = ssl3_send_certificate_request(s);
498 if (ret <= 0)
499 goto end;
500 s->s3->hs.state = SSL3_ST_SW_SRVR_DONE_A;
501 s->init_num = 0;
502 }
503 break;
504
505 case SSL3_ST_SW_SRVR_DONE_A:
506 case SSL3_ST_SW_SRVR_DONE_B:
507 if (SSL_is_dtls(s))
508 dtls1_start_timer(s);
509 ret = ssl3_send_server_done(s);
510 if (ret <= 0)
511 goto end;
512 s->s3->hs.tls12.next_state = SSL3_ST_SR_CERT_A;
513 s->s3->hs.state = SSL3_ST_SW_FLUSH;
514 s->init_num = 0;
515 break;
516
517 case SSL3_ST_SW_FLUSH:
518 /*
519 * This code originally checked to see if
520 * any data was pending using BIO_CTRL_INFO
521 * and then flushed. This caused problems
522 * as documented in PR#1939. The proposed
523 * fix doesn't completely resolve this issue
524 * as buggy implementations of BIO_CTRL_PENDING
525 * still exist. So instead we just flush
526 * unconditionally.
527 */
528 s->rwstate = SSL_WRITING;
529 if (BIO_flush(s->wbio) <= 0) {
530 if (SSL_is_dtls(s)) {
531 /* If the write error was fatal, stop trying. */
532 if (!BIO_should_retry(s->wbio)) {
533 s->rwstate = SSL_NOTHING;
534 s->s3->hs.state = s->s3->hs.tls12.next_state;
535 }
536 }
537 ret = -1;
538 goto end;
539 }
540 s->rwstate = SSL_NOTHING;
541 s->s3->hs.state = s->s3->hs.tls12.next_state;
542 break;
543
544 case SSL3_ST_SR_CERT_A:
545 case SSL3_ST_SR_CERT_B:
546 if (s->s3->hs.tls12.cert_request != 0) {
547 ret = ssl3_get_client_certificate(s);
548 if (ret <= 0)
549 goto end;
550 }
551 s->init_num = 0;
552 s->s3->hs.state = SSL3_ST_SR_KEY_EXCH_A;
553 break;
554
555 case SSL3_ST_SR_KEY_EXCH_A:
556 case SSL3_ST_SR_KEY_EXCH_B:
557 ret = ssl3_get_client_key_exchange(s);
558 if (ret <= 0)
559 goto end;
560
561 if (SSL_is_dtls(s)) {
562 s->s3->hs.state = SSL3_ST_SR_CERT_VRFY_A;
563 s->init_num = 0;
564 }
565
566 alg_k = s->s3->hs.cipher->algorithm_mkey;
567 if (s->s3->flags & TLS1_FLAGS_SKIP_CERT_VERIFY) {
568 /*
569 * A GOST client may use the key from its
570 * certificate for key exchange, in which case
571 * the CertificateVerify message is not sent.
572 */
573 s->s3->hs.state = SSL3_ST_SR_FINISHED_A;
574 s->init_num = 0;
575 } else if (SSL_USE_SIGALGS(s) || (alg_k & SSL_kGOST)) {
576 s->s3->hs.state = SSL3_ST_SR_CERT_VRFY_A;
577 s->init_num = 0;
578 if (!s->session->peer_cert)
579 break;
580 /*
581 * Freeze the transcript for use during client
582 * certificate verification.
583 */
584 tls1_transcript_freeze(s);
585 } else {
586 s->s3->hs.state = SSL3_ST_SR_CERT_VRFY_A;
587 s->init_num = 0;
588
589 tls1_transcript_free(s);
590
591 /*
592 * We need to get hashes here so if there is
593 * a client cert, it can be verified.
594 */
595 if (!tls1_transcript_hash_value(s,
596 s->s3->hs.tls12.cert_verify,
597 sizeof(s->s3->hs.tls12.cert_verify),
598 NULL)) {
599 ret = -1;
600 goto end;
601 }
602 }
603 break;
604
605 case SSL3_ST_SR_CERT_VRFY_A:
606 case SSL3_ST_SR_CERT_VRFY_B:
607 if (SSL_is_dtls(s))
608 s->d1->change_cipher_spec_ok = 1;
609 else
610 s->s3->flags |= SSL3_FLAGS_CCS_OK;
611
612 /* we should decide if we expected this one */
613 ret = ssl3_get_cert_verify(s);
614 if (ret <= 0)
615 goto end;
616 s->s3->hs.state = SSL3_ST_SR_FINISHED_A;
617 s->init_num = 0;
618 break;
619
620 case SSL3_ST_SR_FINISHED_A:
621 case SSL3_ST_SR_FINISHED_B:
622 if (SSL_is_dtls(s))
623 s->d1->change_cipher_spec_ok = 1;
624 else
625 s->s3->flags |= SSL3_FLAGS_CCS_OK;
626 ret = ssl3_get_client_finished(s);
627 if (ret <= 0)
628 goto end;
629 if (SSL_is_dtls(s))
630 dtls1_stop_timer(s);
631 if (s->hit)
632 s->s3->hs.state = SSL_ST_OK;
633 else if (s->tlsext_ticket_expected)
634 s->s3->hs.state = SSL3_ST_SW_SESSION_TICKET_A;
635 else
636 s->s3->hs.state = SSL3_ST_SW_CHANGE_A;
637 s->init_num = 0;
638 break;
639
640 case SSL3_ST_SW_SESSION_TICKET_A:
641 case SSL3_ST_SW_SESSION_TICKET_B:
642 ret = ssl3_send_newsession_ticket(s);
643 if (ret <= 0)
644 goto end;
645 s->s3->hs.state = SSL3_ST_SW_CHANGE_A;
646 s->init_num = 0;
647 break;
648
649 case SSL3_ST_SW_CERT_STATUS_A:
650 case SSL3_ST_SW_CERT_STATUS_B:
651 ret = ssl3_send_cert_status(s);
652 if (ret <= 0)
653 goto end;
654 s->s3->hs.state = SSL3_ST_SW_KEY_EXCH_A;
655 s->init_num = 0;
656 break;
657
658 case SSL3_ST_SW_CHANGE_A:
659 case SSL3_ST_SW_CHANGE_B:
660 ret = ssl3_send_server_change_cipher_spec(s);
661 if (ret <= 0)
662 goto end;
663 s->s3->hs.state = SSL3_ST_SW_FINISHED_A;
664 s->init_num = 0;
665 s->session->cipher = s->s3->hs.cipher;
666
667 if (!tls1_setup_key_block(s)) {
668 ret = -1;
669 goto end;
670 }
671 if (!tls1_change_write_cipher_state(s)) {
672 ret = -1;
673 goto end;
674 }
675 break;
676
677 case SSL3_ST_SW_FINISHED_A:
678 case SSL3_ST_SW_FINISHED_B:
679 ret = ssl3_send_server_finished(s);
680 if (ret <= 0)
681 goto end;
682 s->s3->hs.state = SSL3_ST_SW_FLUSH;
683 if (s->hit) {
684 s->s3->hs.tls12.next_state = SSL3_ST_SR_FINISHED_A;
685 tls1_transcript_free(s);
686 } else
687 s->s3->hs.tls12.next_state = SSL_ST_OK;
688 s->init_num = 0;
689 break;
690
691 case SSL_ST_OK:
692 /* clean a few things up */
693 tls1_cleanup_key_block(s);
694
695 if (s->s3->handshake_transcript != NULL) {
696 SSLerror(s, ERR_R_INTERNAL_ERROR);
697 ret = -1;
698 goto end;
699 }
700
701 if (!SSL_is_dtls(s))
702 ssl3_release_init_buffer(s);
703
704 /* remove buffering on output */
705 ssl_free_wbio_buffer(s);
706
707 s->init_num = 0;
708
709 /* Skipped if we just sent a HelloRequest. */
710 if (s->renegotiate == 2) {
711 s->renegotiate = 0;
712 s->new_session = 0;
713
714 ssl_update_cache(s, SSL_SESS_CACHE_SERVER);
715
716 s->ctx->stats.sess_accept_good++;
717 /* s->server=1; */
718 s->handshake_func = ssl3_accept;
719
720 ssl_info_callback(s, SSL_CB_HANDSHAKE_DONE, 1);
721 }
722
723 ret = 1;
724
725 if (SSL_is_dtls(s)) {
726 /* Done handshaking, next message is client hello. */
727 s->d1->handshake_read_seq = 0;
728 /* Next message is server hello. */
729 s->d1->handshake_write_seq = 0;
730 s->d1->next_handshake_write_seq = 0;
731 }
732 goto end;
733 /* break; */
734
735 default:
736 SSLerror(s, SSL_R_UNKNOWN_STATE);
737 ret = -1;
738 goto end;
739 /* break; */
740 }
741
742 if (!s->s3->hs.tls12.reuse_message && !skip) {
743 if (s->debug) {
744 if ((ret = BIO_flush(s->wbio)) <= 0)
745 goto end;
746 }
747
748
749 if (s->s3->hs.state != state) {
750 new_state = s->s3->hs.state;
751 s->s3->hs.state = state;
752 ssl_info_callback(s, SSL_CB_ACCEPT_LOOP, 1);
753 s->s3->hs.state = new_state;
754 }
755 }
756 skip = 0;
757 }
758 end:
759 /* BIO_flush(s->wbio); */
760 s->in_handshake--;
761 ssl_info_callback(s, SSL_CB_ACCEPT_EXIT, ret);
762
763 return (ret);
764}
765
766static int
767ssl3_send_hello_request(SSL *s)
768{
769 CBB cbb, hello;
770
771 memset(&cbb, 0, sizeof(cbb));
772
773 if (s->s3->hs.state == SSL3_ST_SW_HELLO_REQ_A) {
774 if (!ssl3_handshake_msg_start(s, &cbb, &hello,
775 SSL3_MT_HELLO_REQUEST))
776 goto err;
777 if (!ssl3_handshake_msg_finish(s, &cbb))
778 goto err;
779
780 s->s3->hs.state = SSL3_ST_SW_HELLO_REQ_B;
781 }
782
783 /* SSL3_ST_SW_HELLO_REQ_B */
784 return (ssl3_handshake_write(s));
785
786 err:
787 CBB_cleanup(&cbb);
788
789 return (-1);
790}
791
792static int
793ssl3_get_client_hello(SSL *s)
794{
795 CBS cbs, client_random, session_id, cookie, cipher_suites;
796 CBS compression_methods;
797 uint16_t client_version;
798 uint8_t comp_method;
799 int comp_null;
800 int i, j, al, ret, cookie_valid = 0;
801 unsigned long id;
802 SSL_CIPHER *c;
803 STACK_OF(SSL_CIPHER) *ciphers = NULL;
804 unsigned long alg_k;
805 const SSL_METHOD *method;
806 uint16_t shared_version;
807
808 /*
809 * We do this so that we will respond with our native type.
810 * If we are TLSv1 and we get SSLv3, we will respond with TLSv1,
811 * This down switching should be handled by a different method.
812 * If we are SSLv3, we will respond with SSLv3, even if prompted with
813 * TLSv1.
814 */
815 if (s->s3->hs.state == SSL3_ST_SR_CLNT_HELLO_A)
816 s->s3->hs.state = SSL3_ST_SR_CLNT_HELLO_B;
817
818 s->first_packet = 1;
819 if ((ret = ssl3_get_message(s, SSL3_ST_SR_CLNT_HELLO_B,
820 SSL3_ST_SR_CLNT_HELLO_C, SSL3_MT_CLIENT_HELLO,
821 SSL3_RT_MAX_PLAIN_LENGTH)) <= 0)
822 return ret;
823 s->first_packet = 0;
824
825 ret = -1;
826
827 if (s->init_num < 0)
828 goto err;
829
830 CBS_init(&cbs, s->init_msg, s->init_num);
831
832 /* Parse client hello up until the extensions (if any). */
833 if (!CBS_get_u16(&cbs, &client_version))
834 goto decode_err;
835 if (!CBS_get_bytes(&cbs, &client_random, SSL3_RANDOM_SIZE))
836 goto decode_err;
837 if (!CBS_get_u8_length_prefixed(&cbs, &session_id))
838 goto decode_err;
839 if (CBS_len(&session_id) > SSL3_SESSION_ID_SIZE) {
840 al = SSL_AD_ILLEGAL_PARAMETER;
841 SSLerror(s, SSL_R_SSL3_SESSION_ID_TOO_LONG);
842 goto fatal_err;
843 }
844 if (SSL_is_dtls(s)) {
845 if (!CBS_get_u8_length_prefixed(&cbs, &cookie))
846 goto decode_err;
847 }
848 if (!CBS_get_u16_length_prefixed(&cbs, &cipher_suites))
849 goto decode_err;
850 if (!CBS_get_u8_length_prefixed(&cbs, &compression_methods))
851 goto decode_err;
852
853 /*
854 * Use version from inside client hello, not from record header.
855 * (may differ: see RFC 2246, Appendix E, second paragraph)
856 */
857 if (!ssl_max_shared_version(s, client_version, &shared_version)) {
858 if ((client_version >> 8) == SSL3_VERSION_MAJOR &&
859 !tls12_record_layer_write_protected(s->rl)) {
860 /*
861 * Similar to ssl3_get_record, send alert using remote
862 * version number.
863 */
864 s->version = client_version;
865 }
866 SSLerror(s, SSL_R_WRONG_VERSION_NUMBER);
867 al = SSL_AD_PROTOCOL_VERSION;
868 goto fatal_err;
869 }
870 s->s3->hs.peer_legacy_version = client_version;
871 s->version = shared_version;
872
873 s->s3->hs.negotiated_tls_version = ssl_tls_version(shared_version);
874 if (s->s3->hs.negotiated_tls_version == 0) {
875 SSLerror(s, ERR_R_INTERNAL_ERROR);
876 goto err;
877 }
878
879 if ((method = ssl_get_method(shared_version)) == NULL) {
880 SSLerror(s, ERR_R_INTERNAL_ERROR);
881 goto err;
882 }
883 s->method = method;
884
885 /*
886 * If we require cookies (DTLS) and this ClientHello does not contain
887 * one, just return since we do not want to allocate any memory yet.
888 * So check cookie length...
889 */
890 if (SSL_is_dtls(s)) {
891 if (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE) {
892 if (CBS_len(&cookie) == 0)
893 return (1);
894 }
895 }
896
897 if (!CBS_write_bytes(&client_random, s->s3->client_random,
898 sizeof(s->s3->client_random), NULL))
899 goto err;
900
901 s->hit = 0;
902
903 /*
904 * Versions before 0.9.7 always allow clients to resume sessions in
905 * renegotiation. 0.9.7 and later allow this by default, but optionally
906 * ignore resumption requests with flag
907 * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION (it's a new flag
908 * rather than a change to default behavior so that applications
909 * relying on this for security won't even compile against older
910 * library versions).
911 *
912 * 1.0.1 and later also have a function SSL_renegotiate_abbreviated()
913 * to request renegotiation but not a new session (s->new_session
914 * remains unset): for servers, this essentially just means that the
915 * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION setting will be
916 * ignored.
917 */
918 if ((s->new_session && (s->options &
919 SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION))) {
920 if (!ssl_get_new_session(s, 1))
921 goto err;
922 } else {
923 CBS ext_block;
924
925 CBS_dup(&cbs, &ext_block);
926
927 i = ssl_get_prev_session(s, &session_id, &ext_block, &al);
928 if (i == 1) { /* previous session */
929 s->hit = 1;
930 } else if (i == -1)
931 goto fatal_err;
932 else {
933 /* i == 0 */
934 if (!ssl_get_new_session(s, 1))
935 goto err;
936 }
937 }
938
939 if (SSL_is_dtls(s)) {
940 /*
941 * The ClientHello may contain a cookie even if the HelloVerify
942 * message has not been sent - make sure that it does not cause
943 * an overflow.
944 */
945 if (CBS_len(&cookie) > sizeof(s->d1->rcvd_cookie)) {
946 al = SSL_AD_DECODE_ERROR;
947 SSLerror(s, SSL_R_COOKIE_MISMATCH);
948 goto fatal_err;
949 }
950
951 /* Verify the cookie if appropriate option is set. */
952 if ((SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE) &&
953 CBS_len(&cookie) > 0) {
954 size_t cookie_len;
955
956 /* XXX - rcvd_cookie seems to only be used here... */
957 if (!CBS_write_bytes(&cookie, s->d1->rcvd_cookie,
958 sizeof(s->d1->rcvd_cookie), &cookie_len))
959 goto err;
960
961 if (s->ctx->app_verify_cookie_cb != NULL) {
962 if (s->ctx->app_verify_cookie_cb(s,
963 s->d1->rcvd_cookie, cookie_len) == 0) {
964 al = SSL_AD_HANDSHAKE_FAILURE;
965 SSLerror(s, SSL_R_COOKIE_MISMATCH);
966 goto fatal_err;
967 }
968 /* else cookie verification succeeded */
969 /* XXX - can d1->cookie_len > sizeof(rcvd_cookie) ? */
970 } else if (timingsafe_memcmp(s->d1->rcvd_cookie,
971 s->d1->cookie, s->d1->cookie_len) != 0) {
972 /* default verification */
973 al = SSL_AD_HANDSHAKE_FAILURE;
974 SSLerror(s, SSL_R_COOKIE_MISMATCH);
975 goto fatal_err;
976 }
977 cookie_valid = 1;
978 }
979 }
980
981 /* XXX - This logic seems wrong... */
982 if (CBS_len(&cipher_suites) == 0 && CBS_len(&session_id) != 0) {
983 /* we need a cipher if we are not resuming a session */
984 al = SSL_AD_ILLEGAL_PARAMETER;
985 SSLerror(s, SSL_R_NO_CIPHERS_SPECIFIED);
986 goto fatal_err;
987 }
988
989 if (CBS_len(&cipher_suites) > 0) {
990 if ((ciphers = ssl_bytes_to_cipher_list(s,
991 &cipher_suites)) == NULL)
992 goto err;
993 }
994
995 /* If it is a hit, check that the cipher is in the list */
996 /* XXX - CBS_len(&cipher_suites) will always be zero here... */
997 if (s->hit && CBS_len(&cipher_suites) > 0) {
998 j = 0;
999 id = s->session->cipher->id;
1000
1001 for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) {
1002 c = sk_SSL_CIPHER_value(ciphers, i);
1003 if (c->id == id) {
1004 j = 1;
1005 break;
1006 }
1007 }
1008 if (j == 0) {
1009 /*
1010 * We need to have the cipher in the cipher
1011 * list if we are asked to reuse it
1012 */
1013 al = SSL_AD_ILLEGAL_PARAMETER;
1014 SSLerror(s, SSL_R_REQUIRED_CIPHER_MISSING);
1015 goto fatal_err;
1016 }
1017 }
1018
1019 comp_null = 0;
1020 while (CBS_len(&compression_methods) > 0) {
1021 if (!CBS_get_u8(&compression_methods, &comp_method))
1022 goto decode_err;
1023 if (comp_method == 0)
1024 comp_null = 1;
1025 }
1026 if (comp_null == 0) {
1027 al = SSL_AD_DECODE_ERROR;
1028 SSLerror(s, SSL_R_NO_COMPRESSION_SPECIFIED);
1029 goto fatal_err;
1030 }
1031
1032 if (!tlsext_server_parse(s, SSL_TLSEXT_MSG_CH, &cbs, &al)) {
1033 SSLerror(s, SSL_R_PARSE_TLSEXT);
1034 goto fatal_err;
1035 }
1036
1037 if (CBS_len(&cbs) != 0)
1038 goto decode_err;
1039
1040 if (!s->s3->renegotiate_seen && s->renegotiate) {
1041 al = SSL_AD_HANDSHAKE_FAILURE;
1042 SSLerror(s, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
1043 goto fatal_err;
1044 }
1045
1046 if (ssl_check_clienthello_tlsext_early(s) <= 0) {
1047 SSLerror(s, SSL_R_CLIENTHELLO_TLSEXT);
1048 goto err;
1049 }
1050
1051 /*
1052 * Check if we want to use external pre-shared secret for this
1053 * handshake for not reused session only. We need to generate
1054 * server_random before calling tls_session_secret_cb in order to allow
1055 * SessionTicket processing to use it in key derivation.
1056 */
1057 arc4random_buf(s->s3->server_random, SSL3_RANDOM_SIZE);
1058
1059 if (s->s3->hs.our_max_tls_version >= TLS1_2_VERSION &&
1060 s->s3->hs.negotiated_tls_version < s->s3->hs.our_max_tls_version) {
1061 /*
1062 * RFC 8446 section 4.1.3. If we are downgrading from TLS 1.3
1063 * we must set the last 8 bytes of the server random to magical
1064 * values to indicate we meant to downgrade. For TLS 1.2 it is
1065 * recommended that we do the same.
1066 */
1067 size_t index = SSL3_RANDOM_SIZE - sizeof(tls13_downgrade_12);
1068 uint8_t *magic = &s->s3->server_random[index];
1069 if (s->s3->hs.negotiated_tls_version == TLS1_2_VERSION) {
1070 /* Indicate we chose to downgrade to 1.2. */
1071 memcpy(magic, tls13_downgrade_12,
1072 sizeof(tls13_downgrade_12));
1073 } else {
1074 /* Indicate we chose to downgrade to 1.1 or lower */
1075 memcpy(magic, tls13_downgrade_11,
1076 sizeof(tls13_downgrade_11));
1077 }
1078 }
1079
1080 if (!s->hit && s->tls_session_secret_cb != NULL) {
1081 SSL_CIPHER *pref_cipher = NULL;
1082 int master_key_length = sizeof(s->session->master_key);
1083
1084 if (!s->tls_session_secret_cb(s,
1085 s->session->master_key, &master_key_length, ciphers,
1086 &pref_cipher, s->tls_session_secret_cb_arg)) {
1087 SSLerror(s, ERR_R_INTERNAL_ERROR);
1088 goto err;
1089 }
1090 if (master_key_length <= 0) {
1091 SSLerror(s, ERR_R_INTERNAL_ERROR);
1092 goto err;
1093 }
1094 s->session->master_key_length = master_key_length;
1095
1096 s->hit = 1;
1097 s->session->verify_result = X509_V_OK;
1098
1099 sk_SSL_CIPHER_free(s->session->ciphers);
1100 s->session->ciphers = ciphers;
1101 ciphers = NULL;
1102
1103 /* Check if some cipher was preferred by the callback. */
1104 if (pref_cipher == NULL)
1105 pref_cipher = ssl3_choose_cipher(s, s->session->ciphers,
1106 SSL_get_ciphers(s));
1107 if (pref_cipher == NULL) {
1108 al = SSL_AD_HANDSHAKE_FAILURE;
1109 SSLerror(s, SSL_R_NO_SHARED_CIPHER);
1110 goto fatal_err;
1111 }
1112 s->session->cipher = pref_cipher;
1113
1114 sk_SSL_CIPHER_free(s->cipher_list);
1115 s->cipher_list = sk_SSL_CIPHER_dup(s->session->ciphers);
1116 }
1117
1118 /*
1119 * Given s->session->ciphers and SSL_get_ciphers, we must
1120 * pick a cipher
1121 */
1122
1123 if (!s->hit) {
1124 if (ciphers == NULL) {
1125 al = SSL_AD_ILLEGAL_PARAMETER;
1126 SSLerror(s, SSL_R_NO_CIPHERS_PASSED);
1127 goto fatal_err;
1128 }
1129 sk_SSL_CIPHER_free(s->session->ciphers);
1130 s->session->ciphers = ciphers;
1131 ciphers = NULL;
1132
1133 if ((c = ssl3_choose_cipher(s, s->session->ciphers,
1134 SSL_get_ciphers(s))) == NULL) {
1135 al = SSL_AD_HANDSHAKE_FAILURE;
1136 SSLerror(s, SSL_R_NO_SHARED_CIPHER);
1137 goto fatal_err;
1138 }
1139 s->s3->hs.cipher = c;
1140 } else {
1141 s->s3->hs.cipher = s->session->cipher;
1142 }
1143
1144 if (!tls1_transcript_hash_init(s))
1145 goto err;
1146
1147 alg_k = s->s3->hs.cipher->algorithm_mkey;
1148 if (!(SSL_USE_SIGALGS(s) || (alg_k & SSL_kGOST)) ||
1149 !(s->verify_mode & SSL_VERIFY_PEER))
1150 tls1_transcript_free(s);
1151
1152 /*
1153 * We now have the following setup.
1154 * client_random
1155 * cipher_list - our preferred list of ciphers
1156 * ciphers - the clients preferred list of ciphers
1157 * compression - basically ignored right now
1158 * ssl version is set - sslv3
1159 * s->session - The ssl session has been setup.
1160 * s->hit - session reuse flag
1161 * s->hs.cipher - the new cipher to use.
1162 */
1163
1164 /* Handles TLS extensions that we couldn't check earlier */
1165 if (ssl_check_clienthello_tlsext_late(s) <= 0) {
1166 SSLerror(s, SSL_R_CLIENTHELLO_TLSEXT);
1167 goto err;
1168 }
1169
1170 ret = cookie_valid ? 2 : 1;
1171
1172 if (0) {
1173 decode_err:
1174 al = SSL_AD_DECODE_ERROR;
1175 SSLerror(s, SSL_R_BAD_PACKET_LENGTH);
1176 fatal_err:
1177 ssl3_send_alert(s, SSL3_AL_FATAL, al);
1178 }
1179 err:
1180 sk_SSL_CIPHER_free(ciphers);
1181
1182 return (ret);
1183}
1184
1185static int
1186ssl3_send_dtls_hello_verify_request(SSL *s)
1187{
1188 CBB cbb, verify, cookie;
1189
1190 memset(&cbb, 0, sizeof(cbb));
1191
1192 if (s->s3->hs.state == DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A) {
1193 if (s->ctx->app_gen_cookie_cb == NULL ||
1194 s->ctx->app_gen_cookie_cb(s, s->d1->cookie,
1195 &(s->d1->cookie_len)) == 0) {
1196 SSLerror(s, ERR_R_INTERNAL_ERROR);
1197 return 0;
1198 }
1199
1200 /*
1201 * Per RFC 6347 section 4.2.1, the HelloVerifyRequest should
1202 * always contain DTLSv1.0 regardless of the version that is
1203 * going to be negotiated.
1204 */
1205 if (!ssl3_handshake_msg_start(s, &cbb, &verify,
1206 DTLS1_MT_HELLO_VERIFY_REQUEST))
1207 goto err;
1208 if (!CBB_add_u16(&verify, DTLS1_VERSION))
1209 goto err;
1210 if (!CBB_add_u8_length_prefixed(&verify, &cookie))
1211 goto err;
1212 if (!CBB_add_bytes(&cookie, s->d1->cookie, s->d1->cookie_len))
1213 goto err;
1214 if (!ssl3_handshake_msg_finish(s, &cbb))
1215 goto err;
1216
1217 s->s3->hs.state = DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B;
1218 }
1219
1220 /* s->s3->hs.state = DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B */
1221 return (ssl3_handshake_write(s));
1222
1223 err:
1224 CBB_cleanup(&cbb);
1225
1226 return (-1);
1227}
1228
1229static int
1230ssl3_send_server_hello(SSL *s)
1231{
1232 CBB cbb, server_hello, session_id;
1233 size_t sl;
1234
1235 memset(&cbb, 0, sizeof(cbb));
1236
1237 if (s->s3->hs.state == SSL3_ST_SW_SRVR_HELLO_A) {
1238 if (!ssl3_handshake_msg_start(s, &cbb, &server_hello,
1239 SSL3_MT_SERVER_HELLO))
1240 goto err;
1241
1242 if (!CBB_add_u16(&server_hello, s->version))
1243 goto err;
1244 if (!CBB_add_bytes(&server_hello, s->s3->server_random,
1245 sizeof(s->s3->server_random)))
1246 goto err;
1247
1248 /*
1249 * There are several cases for the session ID to send
1250 * back in the server hello:
1251 *
1252 * - For session reuse from the session cache,
1253 * we send back the old session ID.
1254 * - If stateless session reuse (using a session ticket)
1255 * is successful, we send back the client's "session ID"
1256 * (which doesn't actually identify the session).
1257 * - If it is a new session, we send back the new
1258 * session ID.
1259 * - However, if we want the new session to be single-use,
1260 * we send back a 0-length session ID.
1261 *
1262 * s->hit is non-zero in either case of session reuse,
1263 * so the following won't overwrite an ID that we're supposed
1264 * to send back.
1265 */
1266 if (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER)
1267 && !s->hit)
1268 s->session->session_id_length = 0;
1269
1270 sl = s->session->session_id_length;
1271 if (sl > sizeof(s->session->session_id)) {
1272 SSLerror(s, ERR_R_INTERNAL_ERROR);
1273 goto err;
1274 }
1275 if (!CBB_add_u8_length_prefixed(&server_hello, &session_id))
1276 goto err;
1277 if (!CBB_add_bytes(&session_id, s->session->session_id, sl))
1278 goto err;
1279
1280 /* Cipher suite. */
1281 if (!CBB_add_u16(&server_hello,
1282 ssl3_cipher_get_value(s->s3->hs.cipher)))
1283 goto err;
1284
1285 /* Compression method (null). */
1286 if (!CBB_add_u8(&server_hello, 0))
1287 goto err;
1288
1289 /* TLS extensions */
1290 if (!tlsext_server_build(s, SSL_TLSEXT_MSG_SH, &server_hello)) {
1291 SSLerror(s, ERR_R_INTERNAL_ERROR);
1292 goto err;
1293 }
1294
1295 if (!ssl3_handshake_msg_finish(s, &cbb))
1296 goto err;
1297 }
1298
1299 /* SSL3_ST_SW_SRVR_HELLO_B */
1300 return (ssl3_handshake_write(s));
1301
1302 err:
1303 CBB_cleanup(&cbb);
1304
1305 return (-1);
1306}
1307
1308static int
1309ssl3_send_server_done(SSL *s)
1310{
1311 CBB cbb, done;
1312
1313 memset(&cbb, 0, sizeof(cbb));
1314
1315 if (s->s3->hs.state == SSL3_ST_SW_SRVR_DONE_A) {
1316 if (!ssl3_handshake_msg_start(s, &cbb, &done,
1317 SSL3_MT_SERVER_DONE))
1318 goto err;
1319 if (!ssl3_handshake_msg_finish(s, &cbb))
1320 goto err;
1321
1322 s->s3->hs.state = SSL3_ST_SW_SRVR_DONE_B;
1323 }
1324
1325 /* SSL3_ST_SW_SRVR_DONE_B */
1326 return (ssl3_handshake_write(s));
1327
1328 err:
1329 CBB_cleanup(&cbb);
1330
1331 return (-1);
1332}
1333
1334static int
1335ssl3_send_server_kex_dhe(SSL *s, CBB *cbb)
1336{
1337 int nid = NID_dhKeyAgreement;
1338
1339 tls_key_share_free(s->s3->hs.key_share);
1340 if ((s->s3->hs.key_share = tls_key_share_new_nid(nid)) == NULL)
1341 goto err;
1342
1343 if (s->cert->dhe_params_auto != 0) {
1344 size_t key_bits;
1345
1346 if ((key_bits = ssl_dhe_params_auto_key_bits(s)) == 0) {
1347 SSLerror(s, ERR_R_INTERNAL_ERROR);
1348 ssl3_send_alert(s, SSL3_AL_FATAL,
1349 SSL_AD_INTERNAL_ERROR);
1350 goto err;
1351 }
1352 tls_key_share_set_key_bits(s->s3->hs.key_share,
1353 key_bits);
1354 } else {
1355 DH *dh_params = s->cert->dhe_params;
1356
1357 if (dh_params == NULL && s->cert->dhe_params_cb != NULL)
1358 dh_params = s->cert->dhe_params_cb(s, 0,
1359 SSL_C_PKEYLENGTH(s->s3->hs.cipher));
1360
1361 if (dh_params == NULL) {
1362 SSLerror(s, SSL_R_MISSING_TMP_DH_KEY);
1363 ssl3_send_alert(s, SSL3_AL_FATAL,
1364 SSL_AD_HANDSHAKE_FAILURE);
1365 goto err;
1366 }
1367
1368 if (!tls_key_share_set_dh_params(s->s3->hs.key_share, dh_params))
1369 goto err;
1370 }
1371
1372 if (!tls_key_share_generate(s->s3->hs.key_share))
1373 goto err;
1374
1375 if (!tls_key_share_params(s->s3->hs.key_share, cbb))
1376 goto err;
1377 if (!tls_key_share_public(s->s3->hs.key_share, cbb))
1378 goto err;
1379
1380 if (!tls_key_share_peer_security(s, s->s3->hs.key_share)) {
1381 SSLerror(s, SSL_R_DH_KEY_TOO_SMALL);
1382 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
1383 return 0;
1384 }
1385
1386 return 1;
1387
1388 err:
1389 return 0;
1390}
1391
1392static int
1393ssl3_send_server_kex_ecdhe(SSL *s, CBB *cbb)
1394{
1395 CBB public;
1396 int nid;
1397
1398 if (!tls1_get_supported_group(s, &nid)) {
1399 SSLerror(s, SSL_R_UNSUPPORTED_ELLIPTIC_CURVE);
1400 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
1401 goto err;
1402 }
1403
1404 tls_key_share_free(s->s3->hs.key_share);
1405 if ((s->s3->hs.key_share = tls_key_share_new_nid(nid)) == NULL)
1406 goto err;
1407
1408 if (!tls_key_share_generate(s->s3->hs.key_share))
1409 goto err;
1410
1411 /*
1412 * ECC key exchange - see RFC 8422, section 5.4.
1413 */
1414 if (!CBB_add_u8(cbb, NAMED_CURVE_TYPE))
1415 goto err;
1416 if (!CBB_add_u16(cbb, tls_key_share_group(s->s3->hs.key_share)))
1417 goto err;
1418 if (!CBB_add_u8_length_prefixed(cbb, &public))
1419 goto err;
1420 if (!tls_key_share_public(s->s3->hs.key_share, &public))
1421 goto err;
1422 if (!CBB_flush(cbb))
1423 goto err;
1424
1425 return 1;
1426
1427 err:
1428 return 0;
1429}
1430
1431static int
1432ssl3_send_server_key_exchange(SSL *s)
1433{
1434 CBB cbb, cbb_params, cbb_signature, server_kex;
1435 const struct ssl_sigalg *sigalg = NULL;
1436 unsigned char *signature = NULL;
1437 size_t signature_len = 0;
1438 unsigned char *params = NULL;
1439 size_t params_len;
1440 const EVP_MD *md = NULL;
1441 unsigned long type;
1442 EVP_MD_CTX *md_ctx = NULL;
1443 EVP_PKEY_CTX *pctx;
1444 EVP_PKEY *pkey;
1445 int al;
1446
1447 memset(&cbb, 0, sizeof(cbb));
1448 memset(&cbb_params, 0, sizeof(cbb_params));
1449
1450 if ((md_ctx = EVP_MD_CTX_new()) == NULL)
1451 goto err;
1452
1453 if (s->s3->hs.state == SSL3_ST_SW_KEY_EXCH_A) {
1454
1455 if (!ssl3_handshake_msg_start(s, &cbb, &server_kex,
1456 SSL3_MT_SERVER_KEY_EXCHANGE))
1457 goto err;
1458
1459 if (!CBB_init(&cbb_params, 0))
1460 goto err;
1461
1462 type = s->s3->hs.cipher->algorithm_mkey;
1463 if (type & SSL_kDHE) {
1464 if (!ssl3_send_server_kex_dhe(s, &cbb_params))
1465 goto err;
1466 } else if (type & SSL_kECDHE) {
1467 if (!ssl3_send_server_kex_ecdhe(s, &cbb_params))
1468 goto err;
1469 } else {
1470 al = SSL_AD_HANDSHAKE_FAILURE;
1471 SSLerror(s, SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE);
1472 goto fatal_err;
1473 }
1474
1475 if (!CBB_finish(&cbb_params, &params, &params_len))
1476 goto err;
1477
1478 if (!CBB_add_bytes(&server_kex, params, params_len))
1479 goto err;
1480
1481 /* Add signature unless anonymous. */
1482 if (!(s->s3->hs.cipher->algorithm_auth & SSL_aNULL)) {
1483 if ((pkey = ssl_get_sign_pkey(s, s->s3->hs.cipher,
1484 &md, &sigalg)) == NULL) {
1485 al = SSL_AD_DECODE_ERROR;
1486 goto fatal_err;
1487 }
1488 s->s3->hs.our_sigalg = sigalg;
1489
1490 /* Send signature algorithm. */
1491 if (SSL_USE_SIGALGS(s)) {
1492 if (!CBB_add_u16(&server_kex, sigalg->value)) {
1493 al = SSL_AD_INTERNAL_ERROR;
1494 SSLerror(s, ERR_R_INTERNAL_ERROR);
1495 goto fatal_err;
1496 }
1497 }
1498
1499 if (!EVP_DigestSignInit(md_ctx, &pctx, md, NULL, pkey)) {
1500 SSLerror(s, ERR_R_EVP_LIB);
1501 goto err;
1502 }
1503 if ((sigalg->flags & SIGALG_FLAG_RSA_PSS) &&
1504 (!EVP_PKEY_CTX_set_rsa_padding(pctx,
1505 RSA_PKCS1_PSS_PADDING) ||
1506 !EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1))) {
1507 SSLerror(s, ERR_R_EVP_LIB);
1508 goto err;
1509 }
1510 if (!EVP_DigestSignUpdate(md_ctx, s->s3->client_random,
1511 SSL3_RANDOM_SIZE)) {
1512 SSLerror(s, ERR_R_EVP_LIB);
1513 goto err;
1514 }
1515 if (!EVP_DigestSignUpdate(md_ctx, s->s3->server_random,
1516 SSL3_RANDOM_SIZE)) {
1517 SSLerror(s, ERR_R_EVP_LIB);
1518 goto err;
1519 }
1520 if (!EVP_DigestSignUpdate(md_ctx, params, params_len)) {
1521 SSLerror(s, ERR_R_EVP_LIB);
1522 goto err;
1523 }
1524 if (!EVP_DigestSignFinal(md_ctx, NULL, &signature_len) ||
1525 !signature_len) {
1526 SSLerror(s, ERR_R_EVP_LIB);
1527 goto err;
1528 }
1529 if ((signature = calloc(1, signature_len)) == NULL) {
1530 SSLerror(s, ERR_R_MALLOC_FAILURE);
1531 goto err;
1532 }
1533 if (!EVP_DigestSignFinal(md_ctx, signature, &signature_len)) {
1534 SSLerror(s, ERR_R_EVP_LIB);
1535 goto err;
1536 }
1537
1538 if (!CBB_add_u16_length_prefixed(&server_kex,
1539 &cbb_signature))
1540 goto err;
1541 if (!CBB_add_bytes(&cbb_signature, signature,
1542 signature_len))
1543 goto err;
1544 }
1545
1546 if (!ssl3_handshake_msg_finish(s, &cbb))
1547 goto err;
1548
1549 s->s3->hs.state = SSL3_ST_SW_KEY_EXCH_B;
1550 }
1551
1552 EVP_MD_CTX_free(md_ctx);
1553 free(params);
1554 free(signature);
1555
1556 return (ssl3_handshake_write(s));
1557
1558 fatal_err:
1559 ssl3_send_alert(s, SSL3_AL_FATAL, al);
1560 err:
1561 CBB_cleanup(&cbb_params);
1562 CBB_cleanup(&cbb);
1563 EVP_MD_CTX_free(md_ctx);
1564 free(params);
1565 free(signature);
1566
1567 return (-1);
1568}
1569
1570static int
1571ssl3_send_certificate_request(SSL *s)
1572{
1573 CBB cbb, cert_request, cert_types, sigalgs, cert_auth, dn;
1574 STACK_OF(X509_NAME) *sk = NULL;
1575 X509_NAME *name;
1576 int i;
1577
1578 /*
1579 * Certificate Request - RFC 5246 section 7.4.4.
1580 */
1581
1582 memset(&cbb, 0, sizeof(cbb));
1583
1584 if (s->s3->hs.state == SSL3_ST_SW_CERT_REQ_A) {
1585 if (!ssl3_handshake_msg_start(s, &cbb, &cert_request,
1586 SSL3_MT_CERTIFICATE_REQUEST))
1587 goto err;
1588
1589 if (!CBB_add_u8_length_prefixed(&cert_request, &cert_types))
1590 goto err;
1591 if (!ssl3_get_req_cert_types(s, &cert_types))
1592 goto err;
1593
1594 if (SSL_USE_SIGALGS(s)) {
1595 if (!CBB_add_u16_length_prefixed(&cert_request,
1596 &sigalgs))
1597 goto err;
1598 if (!ssl_sigalgs_build(s->s3->hs.negotiated_tls_version,
1599 &sigalgs, SSL_get_security_level(s)))
1600 goto err;
1601 }
1602
1603 if (!CBB_add_u16_length_prefixed(&cert_request, &cert_auth))
1604 goto err;
1605
1606 sk = SSL_get_client_CA_list(s);
1607 for (i = 0; i < sk_X509_NAME_num(sk); i++) {
1608 unsigned char *name_data;
1609 size_t name_len;
1610
1611 name = sk_X509_NAME_value(sk, i);
1612 name_len = i2d_X509_NAME(name, NULL);
1613
1614 if (!CBB_add_u16_length_prefixed(&cert_auth, &dn))
1615 goto err;
1616 if (!CBB_add_space(&dn, &name_data, name_len))
1617 goto err;
1618 if (i2d_X509_NAME(name, &name_data) != name_len)
1619 goto err;
1620 }
1621
1622 if (!ssl3_handshake_msg_finish(s, &cbb))
1623 goto err;
1624
1625 s->s3->hs.state = SSL3_ST_SW_CERT_REQ_B;
1626 }
1627
1628 /* SSL3_ST_SW_CERT_REQ_B */
1629 return (ssl3_handshake_write(s));
1630
1631 err:
1632 CBB_cleanup(&cbb);
1633
1634 return (-1);
1635}
1636
1637static int
1638ssl3_get_client_kex_rsa(SSL *s, CBS *cbs)
1639{
1640 unsigned char fakekey[SSL_MAX_MASTER_KEY_LENGTH];
1641 unsigned char *pms = NULL;
1642 unsigned char *p;
1643 size_t pms_len = 0;
1644 EVP_PKEY *pkey = NULL;
1645 RSA *rsa = NULL;
1646 CBS enc_pms;
1647 int decrypt_len;
1648 int al = -1;
1649
1650 arc4random_buf(fakekey, sizeof(fakekey));
1651
1652 fakekey[0] = s->s3->hs.peer_legacy_version >> 8;
1653 fakekey[1] = s->s3->hs.peer_legacy_version & 0xff;
1654
1655 pkey = s->cert->pkeys[SSL_PKEY_RSA].privatekey;
1656 if (pkey == NULL || (rsa = EVP_PKEY_get0_RSA(pkey)) == NULL) {
1657 al = SSL_AD_HANDSHAKE_FAILURE;
1658 SSLerror(s, SSL_R_MISSING_RSA_CERTIFICATE);
1659 goto fatal_err;
1660 }
1661
1662 pms_len = RSA_size(rsa);
1663 if (pms_len < SSL_MAX_MASTER_KEY_LENGTH)
1664 goto err;
1665 if ((pms = malloc(pms_len)) == NULL)
1666 goto err;
1667 p = pms;
1668
1669 if (!CBS_get_u16_length_prefixed(cbs, &enc_pms))
1670 goto decode_err;
1671 if (CBS_len(cbs) != 0 || CBS_len(&enc_pms) != RSA_size(rsa)) {
1672 SSLerror(s, SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG);
1673 goto err;
1674 }
1675
1676 decrypt_len = RSA_private_decrypt(CBS_len(&enc_pms), CBS_data(&enc_pms),
1677 pms, rsa, RSA_PKCS1_PADDING);
1678
1679 ERR_clear_error();
1680
1681 if (decrypt_len != SSL_MAX_MASTER_KEY_LENGTH) {
1682 al = SSL_AD_DECODE_ERROR;
1683 /* SSLerror(s, SSL_R_BAD_RSA_DECRYPT); */
1684 }
1685
1686 if ((al == -1) && !((pms[0] == (s->s3->hs.peer_legacy_version >> 8)) &&
1687 (pms[1] == (s->s3->hs.peer_legacy_version & 0xff)))) {
1688 /*
1689 * The premaster secret must contain the same version number
1690 * as the ClientHello to detect version rollback attacks
1691 * (strangely, the protocol does not offer such protection for
1692 * DH ciphersuites).
1693 *
1694 * The Klima-Pokorny-Rosa extension of Bleichenbacher's attack
1695 * (http://eprint.iacr.org/2003/052/) exploits the version
1696 * number check as a "bad version oracle" -- an alert would
1697 * reveal that the plaintext corresponding to some ciphertext
1698 * made up by the adversary is properly formatted except that
1699 * the version number is wrong. To avoid such attacks, we should
1700 * treat this just like any other decryption error.
1701 */
1702 al = SSL_AD_DECODE_ERROR;
1703 /* SSLerror(s, SSL_R_BAD_PROTOCOL_VERSION_NUMBER); */
1704 }
1705
1706 if (al != -1) {
1707 /*
1708 * Some decryption failure -- use random value instead
1709 * as countermeasure against Bleichenbacher's attack
1710 * on PKCS #1 v1.5 RSA padding (see RFC 2246,
1711 * section 7.4.7.1).
1712 */
1713 p = fakekey;
1714 }
1715
1716 if (!tls12_derive_master_secret(s, p, SSL_MAX_MASTER_KEY_LENGTH))
1717 goto err;
1718
1719 freezero(pms, pms_len);
1720
1721 return 1;
1722
1723 decode_err:
1724 al = SSL_AD_DECODE_ERROR;
1725 SSLerror(s, SSL_R_BAD_PACKET_LENGTH);
1726 fatal_err:
1727 ssl3_send_alert(s, SSL3_AL_FATAL, al);
1728 err:
1729 freezero(pms, pms_len);
1730
1731 return 0;
1732}
1733
1734static int
1735ssl3_get_client_kex_dhe(SSL *s, CBS *cbs)
1736{
1737 uint8_t *key = NULL;
1738 size_t key_len = 0;
1739 int decode_error, invalid_key;
1740 int ret = 0;
1741
1742 if (s->s3->hs.key_share == NULL) {
1743 SSLerror(s, SSL_R_MISSING_TMP_DH_KEY);
1744 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
1745 goto err;
1746 }
1747
1748 if (!tls_key_share_peer_public(s->s3->hs.key_share, cbs,
1749 &decode_error, &invalid_key)) {
1750 if (decode_error) {
1751 SSLerror(s, SSL_R_BAD_PACKET_LENGTH);
1752 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1753 }
1754 goto err;
1755 }
1756 if (invalid_key) {
1757 SSLerror(s, SSL_R_BAD_DH_PUB_KEY_LENGTH);
1758 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
1759 goto err;
1760 }
1761
1762 if (!tls_key_share_derive(s->s3->hs.key_share, &key, &key_len))
1763 goto err;
1764
1765 if (!tls12_derive_master_secret(s, key, key_len))
1766 goto err;
1767
1768 ret = 1;
1769
1770 err:
1771 freezero(key, key_len);
1772
1773 return ret;
1774}
1775
1776static int
1777ssl3_get_client_kex_ecdhe(SSL *s, CBS *cbs)
1778{
1779 uint8_t *key = NULL;
1780 size_t key_len = 0;
1781 int decode_error;
1782 CBS public;
1783 int ret = 0;
1784
1785 if (s->s3->hs.key_share == NULL) {
1786 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
1787 SSLerror(s, SSL_R_MISSING_TMP_DH_KEY);
1788 goto err;
1789 }
1790
1791 if (!CBS_get_u8_length_prefixed(cbs, &public)) {
1792 SSLerror(s, SSL_R_BAD_PACKET_LENGTH);
1793 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1794 goto err;
1795 }
1796 if (!tls_key_share_peer_public(s->s3->hs.key_share, &public,
1797 &decode_error, NULL)) {
1798 if (decode_error) {
1799 SSLerror(s, SSL_R_BAD_PACKET_LENGTH);
1800 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1801 }
1802 goto err;
1803 }
1804
1805 if (!tls_key_share_derive(s->s3->hs.key_share, &key, &key_len))
1806 goto err;
1807
1808 if (!tls12_derive_master_secret(s, key, key_len))
1809 goto err;
1810
1811 ret = 1;
1812
1813 err:
1814 freezero(key, key_len);
1815
1816 return ret;
1817}
1818
1819static int
1820ssl3_get_client_kex_gost(SSL *s, CBS *cbs)
1821{
1822 unsigned char premaster_secret[32];
1823 EVP_PKEY_CTX *pkey_ctx = NULL;
1824 EVP_PKEY *client_pubkey;
1825 EVP_PKEY *pkey = NULL;
1826 size_t outlen;
1827 CBS gostblob;
1828
1829 /* Get our certificate private key*/
1830 if ((s->s3->hs.cipher->algorithm_auth & SSL_aGOST01) != 0)
1831 pkey = s->cert->pkeys[SSL_PKEY_GOST01].privatekey;
1832
1833 if ((pkey_ctx = EVP_PKEY_CTX_new(pkey, NULL)) == NULL)
1834 goto err;
1835 if (EVP_PKEY_decrypt_init(pkey_ctx) <= 0)
1836 goto err;
1837
1838 /*
1839 * If client certificate is present and is of the same type,
1840 * maybe use it for key exchange.
1841 * Don't mind errors from EVP_PKEY_derive_set_peer, because
1842 * it is completely valid to use a client certificate for
1843 * authorization only.
1844 */
1845 if ((client_pubkey = X509_get0_pubkey(s->session->peer_cert)) != NULL) {
1846 if (EVP_PKEY_derive_set_peer(pkey_ctx, client_pubkey) <= 0)
1847 ERR_clear_error();
1848 }
1849
1850 /* Decrypt session key */
1851 if (!CBS_get_asn1(cbs, &gostblob, CBS_ASN1_SEQUENCE))
1852 goto decode_err;
1853 if (CBS_len(cbs) != 0)
1854 goto decode_err;
1855 outlen = sizeof(premaster_secret);
1856 if (EVP_PKEY_decrypt(pkey_ctx, premaster_secret, &outlen,
1857 CBS_data(&gostblob), CBS_len(&gostblob)) <= 0) {
1858 SSLerror(s, SSL_R_DECRYPTION_FAILED);
1859 goto err;
1860 }
1861
1862 if (!tls12_derive_master_secret(s, premaster_secret,
1863 sizeof(premaster_secret)))
1864 goto err;
1865
1866 /* Check if pubkey from client certificate was used */
1867 if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, -1, EVP_PKEY_CTRL_PEER_KEY,
1868 2, NULL) > 0)
1869 s->s3->flags |= TLS1_FLAGS_SKIP_CERT_VERIFY;
1870
1871 explicit_bzero(premaster_secret, sizeof(premaster_secret));
1872 EVP_PKEY_CTX_free(pkey_ctx);
1873
1874 return 1;
1875
1876 decode_err:
1877 SSLerror(s, SSL_R_BAD_PACKET_LENGTH);
1878 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1879 err:
1880 explicit_bzero(premaster_secret, sizeof(premaster_secret));
1881 EVP_PKEY_CTX_free(pkey_ctx);
1882
1883 return 0;
1884}
1885
1886static int
1887ssl3_get_client_key_exchange(SSL *s)
1888{
1889 unsigned long alg_k;
1890 int al, ret;
1891 CBS cbs;
1892
1893 /* 2048 maxlen is a guess. How long a key does that permit? */
1894 if ((ret = ssl3_get_message(s, SSL3_ST_SR_KEY_EXCH_A,
1895 SSL3_ST_SR_KEY_EXCH_B, SSL3_MT_CLIENT_KEY_EXCHANGE, 2048)) <= 0)
1896 return ret;
1897
1898 if (s->init_num < 0)
1899 goto err;
1900
1901 CBS_init(&cbs, s->init_msg, s->init_num);
1902
1903 alg_k = s->s3->hs.cipher->algorithm_mkey;
1904
1905 if (alg_k & SSL_kRSA) {
1906 if (!ssl3_get_client_kex_rsa(s, &cbs))
1907 goto err;
1908 } else if (alg_k & SSL_kDHE) {
1909 if (!ssl3_get_client_kex_dhe(s, &cbs))
1910 goto err;
1911 } else if (alg_k & SSL_kECDHE) {
1912 if (!ssl3_get_client_kex_ecdhe(s, &cbs))
1913 goto err;
1914 } else if (alg_k & SSL_kGOST) {
1915 if (!ssl3_get_client_kex_gost(s, &cbs))
1916 goto err;
1917 } else {
1918 al = SSL_AD_HANDSHAKE_FAILURE;
1919 SSLerror(s, SSL_R_UNKNOWN_CIPHER_TYPE);
1920 goto fatal_err;
1921 }
1922
1923 if (CBS_len(&cbs) != 0) {
1924 al = SSL_AD_DECODE_ERROR;
1925 SSLerror(s, SSL_R_BAD_PACKET_LENGTH);
1926 goto fatal_err;
1927 }
1928
1929 return (1);
1930
1931 fatal_err:
1932 ssl3_send_alert(s, SSL3_AL_FATAL, al);
1933 err:
1934 return (-1);
1935}
1936
1937static int
1938ssl3_get_cert_verify(SSL *s)
1939{
1940 CBS cbs, signature;
1941 const struct ssl_sigalg *sigalg = NULL;
1942 uint16_t sigalg_value = SIGALG_NONE;
1943 EVP_PKEY *pkey;
1944 X509 *peer_cert = NULL;
1945 EVP_MD_CTX *mctx = NULL;
1946 int al, verify;
1947 const unsigned char *hdata;
1948 size_t hdatalen;
1949 int type = 0;
1950 int ret;
1951
1952 if ((ret = ssl3_get_message(s, SSL3_ST_SR_CERT_VRFY_A,
1953 SSL3_ST_SR_CERT_VRFY_B, -1, SSL3_RT_MAX_PLAIN_LENGTH)) <= 0)
1954 return ret;
1955
1956 ret = 0;
1957
1958 if (s->init_num < 0)
1959 goto err;
1960
1961 if ((mctx = EVP_MD_CTX_new()) == NULL)
1962 goto err;
1963
1964 CBS_init(&cbs, s->init_msg, s->init_num);
1965
1966 peer_cert = s->session->peer_cert;
1967 pkey = X509_get0_pubkey(peer_cert);
1968 type = X509_certificate_type(peer_cert, pkey);
1969
1970 if (s->s3->hs.tls12.message_type != SSL3_MT_CERTIFICATE_VERIFY) {
1971 s->s3->hs.tls12.reuse_message = 1;
1972 if (peer_cert != NULL) {
1973 al = SSL_AD_UNEXPECTED_MESSAGE;
1974 SSLerror(s, SSL_R_MISSING_VERIFY_MESSAGE);
1975 goto fatal_err;
1976 }
1977 ret = 1;
1978 goto end;
1979 }
1980
1981 if (peer_cert == NULL) {
1982 SSLerror(s, SSL_R_NO_CLIENT_CERT_RECEIVED);
1983 al = SSL_AD_UNEXPECTED_MESSAGE;
1984 goto fatal_err;
1985 }
1986
1987 if (!(type & EVP_PKT_SIGN)) {
1988 SSLerror(s, SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE);
1989 al = SSL_AD_ILLEGAL_PARAMETER;
1990 goto fatal_err;
1991 }
1992
1993 if (s->s3->change_cipher_spec) {
1994 SSLerror(s, SSL_R_CCS_RECEIVED_EARLY);
1995 al = SSL_AD_UNEXPECTED_MESSAGE;
1996 goto fatal_err;
1997 }
1998
1999 if (SSL_USE_SIGALGS(s)) {
2000 if (!CBS_get_u16(&cbs, &sigalg_value))
2001 goto decode_err;
2002 }
2003 if (!CBS_get_u16_length_prefixed(&cbs, &signature))
2004 goto err;
2005 if (CBS_len(&cbs) != 0) {
2006 al = SSL_AD_DECODE_ERROR;
2007 SSLerror(s, SSL_R_EXTRA_DATA_IN_MESSAGE);
2008 goto fatal_err;
2009 }
2010
2011 if (CBS_len(&signature) > EVP_PKEY_size(pkey)) {
2012 SSLerror(s, SSL_R_WRONG_SIGNATURE_SIZE);
2013 al = SSL_AD_DECODE_ERROR;
2014 goto fatal_err;
2015 }
2016
2017 if ((sigalg = ssl_sigalg_for_peer(s, pkey,
2018 sigalg_value)) == NULL) {
2019 al = SSL_AD_DECODE_ERROR;
2020 goto fatal_err;
2021 }
2022 s->s3->hs.peer_sigalg = sigalg;
2023
2024 if (SSL_USE_SIGALGS(s)) {
2025 EVP_PKEY_CTX *pctx;
2026
2027 if (!tls1_transcript_data(s, &hdata, &hdatalen)) {
2028 SSLerror(s, ERR_R_INTERNAL_ERROR);
2029 al = SSL_AD_INTERNAL_ERROR;
2030 goto fatal_err;
2031 }
2032 if (!EVP_DigestVerifyInit(mctx, &pctx, sigalg->md(),
2033 NULL, pkey)) {
2034 SSLerror(s, ERR_R_EVP_LIB);
2035 al = SSL_AD_INTERNAL_ERROR;
2036 goto fatal_err;
2037 }
2038 if ((sigalg->flags & SIGALG_FLAG_RSA_PSS) &&
2039 (!EVP_PKEY_CTX_set_rsa_padding(pctx,
2040 RSA_PKCS1_PSS_PADDING) ||
2041 !EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1))) {
2042 al = SSL_AD_INTERNAL_ERROR;
2043 goto fatal_err;
2044 }
2045 if (sigalg->key_type == EVP_PKEY_GOSTR01 &&
2046 EVP_PKEY_CTX_ctrl(pctx, -1, EVP_PKEY_OP_VERIFY,
2047 EVP_PKEY_CTRL_GOST_SIG_FORMAT, GOST_SIG_FORMAT_RS_LE,
2048 NULL) <= 0) {
2049 al = SSL_AD_INTERNAL_ERROR;
2050 goto fatal_err;
2051 }
2052 if (!EVP_DigestVerifyUpdate(mctx, hdata, hdatalen)) {
2053 SSLerror(s, ERR_R_EVP_LIB);
2054 al = SSL_AD_INTERNAL_ERROR;
2055 goto fatal_err;
2056 }
2057 if (EVP_DigestVerifyFinal(mctx, CBS_data(&signature),
2058 CBS_len(&signature)) <= 0) {
2059 al = SSL_AD_DECRYPT_ERROR;
2060 SSLerror(s, SSL_R_BAD_SIGNATURE);
2061 goto fatal_err;
2062 }
2063 } else if (EVP_PKEY_id(pkey) == EVP_PKEY_RSA) {
2064 RSA *rsa;
2065
2066 if ((rsa = EVP_PKEY_get0_RSA(pkey)) == NULL) {
2067 al = SSL_AD_INTERNAL_ERROR;
2068 SSLerror(s, ERR_R_EVP_LIB);
2069 goto fatal_err;
2070 }
2071 verify = RSA_verify(NID_md5_sha1, s->s3->hs.tls12.cert_verify,
2072 MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH, CBS_data(&signature),
2073 CBS_len(&signature), rsa);
2074 if (verify < 0) {
2075 al = SSL_AD_DECRYPT_ERROR;
2076 SSLerror(s, SSL_R_BAD_RSA_DECRYPT);
2077 goto fatal_err;
2078 }
2079 if (verify == 0) {
2080 al = SSL_AD_DECRYPT_ERROR;
2081 SSLerror(s, SSL_R_BAD_RSA_SIGNATURE);
2082 goto fatal_err;
2083 }
2084 } else if (EVP_PKEY_id(pkey) == EVP_PKEY_EC) {
2085 EC_KEY *eckey;
2086
2087 if ((eckey = EVP_PKEY_get0_EC_KEY(pkey)) == NULL) {
2088 al = SSL_AD_INTERNAL_ERROR;
2089 SSLerror(s, ERR_R_EVP_LIB);
2090 goto fatal_err;
2091 }
2092 verify = ECDSA_verify(0,
2093 &(s->s3->hs.tls12.cert_verify[MD5_DIGEST_LENGTH]),
2094 SHA_DIGEST_LENGTH, CBS_data(&signature),
2095 CBS_len(&signature), eckey);
2096 if (verify <= 0) {
2097 al = SSL_AD_DECRYPT_ERROR;
2098 SSLerror(s, SSL_R_BAD_ECDSA_SIGNATURE);
2099 goto fatal_err;
2100 }
2101#ifndef OPENSSL_NO_GOST
2102 } else if (EVP_PKEY_id(pkey) == NID_id_GostR3410_94 ||
2103 EVP_PKEY_id(pkey) == NID_id_GostR3410_2001) {
2104 unsigned char sigbuf[128];
2105 unsigned int siglen = sizeof(sigbuf);
2106 EVP_PKEY_CTX *pctx;
2107 const EVP_MD *md;
2108 int nid;
2109
2110 if (!tls1_transcript_data(s, &hdata, &hdatalen)) {
2111 SSLerror(s, ERR_R_INTERNAL_ERROR);
2112 al = SSL_AD_INTERNAL_ERROR;
2113 goto fatal_err;
2114 }
2115 if (!EVP_PKEY_get_default_digest_nid(pkey, &nid) ||
2116 !(md = EVP_get_digestbynid(nid))) {
2117 SSLerror(s, ERR_R_EVP_LIB);
2118 al = SSL_AD_INTERNAL_ERROR;
2119 goto fatal_err;
2120 }
2121 if ((pctx = EVP_PKEY_CTX_new(pkey, NULL)) == NULL) {
2122 SSLerror(s, ERR_R_EVP_LIB);
2123 al = SSL_AD_INTERNAL_ERROR;
2124 goto fatal_err;
2125 }
2126 if (!EVP_DigestInit_ex(mctx, md, NULL) ||
2127 !EVP_DigestUpdate(mctx, hdata, hdatalen) ||
2128 !EVP_DigestFinal(mctx, sigbuf, &siglen) ||
2129 (EVP_PKEY_verify_init(pctx) <= 0) ||
2130 (EVP_PKEY_CTX_set_signature_md(pctx, md) <= 0) ||
2131 (EVP_PKEY_CTX_ctrl(pctx, -1, EVP_PKEY_OP_VERIFY,
2132 EVP_PKEY_CTRL_GOST_SIG_FORMAT,
2133 GOST_SIG_FORMAT_RS_LE, NULL) <= 0)) {
2134 SSLerror(s, ERR_R_EVP_LIB);
2135 al = SSL_AD_INTERNAL_ERROR;
2136 EVP_PKEY_CTX_free(pctx);
2137 goto fatal_err;
2138 }
2139 if (EVP_PKEY_verify(pctx, CBS_data(&signature),
2140 CBS_len(&signature), sigbuf, siglen) <= 0) {
2141 al = SSL_AD_DECRYPT_ERROR;
2142 SSLerror(s, SSL_R_BAD_SIGNATURE);
2143 EVP_PKEY_CTX_free(pctx);
2144 goto fatal_err;
2145 }
2146
2147 EVP_PKEY_CTX_free(pctx);
2148#endif
2149 } else {
2150 SSLerror(s, ERR_R_INTERNAL_ERROR);
2151 al = SSL_AD_UNSUPPORTED_CERTIFICATE;
2152 goto fatal_err;
2153 }
2154
2155 ret = 1;
2156 if (0) {
2157 decode_err:
2158 al = SSL_AD_DECODE_ERROR;
2159 SSLerror(s, SSL_R_BAD_PACKET_LENGTH);
2160 fatal_err:
2161 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2162 }
2163 end:
2164 tls1_transcript_free(s);
2165 err:
2166 EVP_MD_CTX_free(mctx);
2167
2168 return (ret);
2169}
2170
2171static int
2172ssl3_get_client_certificate(SSL *s)
2173{
2174 CBS cbs, cert_list, cert_data;
2175 STACK_OF(X509) *certs = NULL;
2176 X509 *cert = NULL;
2177 const uint8_t *p;
2178 int al, ret;
2179
2180 if ((ret = ssl3_get_message(s, SSL3_ST_SR_CERT_A, SSL3_ST_SR_CERT_B,
2181 -1, s->max_cert_list)) <= 0)
2182 return ret;
2183
2184 ret = -1;
2185
2186 if (s->s3->hs.tls12.message_type == SSL3_MT_CLIENT_KEY_EXCHANGE) {
2187 if ((s->verify_mode & SSL_VERIFY_PEER) &&
2188 (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) {
2189 SSLerror(s, SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);
2190 al = SSL_AD_HANDSHAKE_FAILURE;
2191 goto fatal_err;
2192 }
2193
2194 /*
2195 * If we asked for a client certificate and the client has none,
2196 * it must respond with a certificate list of length zero.
2197 */
2198 if (s->s3->hs.tls12.cert_request != 0) {
2199 SSLerror(s, SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST);
2200 al = SSL_AD_UNEXPECTED_MESSAGE;
2201 goto fatal_err;
2202 }
2203 s->s3->hs.tls12.reuse_message = 1;
2204 return (1);
2205 }
2206
2207 if (s->s3->hs.tls12.message_type != SSL3_MT_CERTIFICATE) {
2208 al = SSL_AD_UNEXPECTED_MESSAGE;
2209 SSLerror(s, SSL_R_WRONG_MESSAGE_TYPE);
2210 goto fatal_err;
2211 }
2212
2213 if (s->init_num < 0)
2214 goto decode_err;
2215
2216 CBS_init(&cbs, s->init_msg, s->init_num);
2217
2218 if (!CBS_get_u24_length_prefixed(&cbs, &cert_list))
2219 goto decode_err;
2220 if (CBS_len(&cbs) != 0)
2221 goto decode_err;
2222
2223 /*
2224 * A TLS client must send an empty certificate list, if no suitable
2225 * certificate is available (rather than omitting the Certificate
2226 * handshake message) - see RFC 5246 section 7.4.6.
2227 */
2228 if (CBS_len(&cert_list) == 0) {
2229 if ((s->verify_mode & SSL_VERIFY_PEER) &&
2230 (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) {
2231 SSLerror(s, SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);
2232 al = SSL_AD_HANDSHAKE_FAILURE;
2233 goto fatal_err;
2234 }
2235 /* No client certificate so free transcript. */
2236 tls1_transcript_free(s);
2237 goto done;
2238 }
2239
2240 if ((certs = sk_X509_new_null()) == NULL) {
2241 SSLerror(s, ERR_R_MALLOC_FAILURE);
2242 goto err;
2243 }
2244
2245 while (CBS_len(&cert_list) > 0) {
2246 if (!CBS_get_u24_length_prefixed(&cert_list, &cert_data))
2247 goto decode_err;
2248 p = CBS_data(&cert_data);
2249 if ((cert = d2i_X509(NULL, &p, CBS_len(&cert_data))) == NULL) {
2250 SSLerror(s, ERR_R_ASN1_LIB);
2251 goto err;
2252 }
2253 if (p != CBS_data(&cert_data) + CBS_len(&cert_data))
2254 goto decode_err;
2255 if (!sk_X509_push(certs, cert)) {
2256 SSLerror(s, ERR_R_MALLOC_FAILURE);
2257 goto err;
2258 }
2259 cert = NULL;
2260 }
2261
2262 if (ssl_verify_cert_chain(s, certs) <= 0) {
2263 al = ssl_verify_alarm_type(s->verify_result);
2264 SSLerror(s, SSL_R_NO_CERTIFICATE_RETURNED);
2265 goto fatal_err;
2266 }
2267 s->session->verify_result = s->verify_result;
2268 ERR_clear_error();
2269
2270 if (!tls_process_peer_certs(s, certs))
2271 goto err;
2272
2273 done:
2274 ret = 1;
2275 if (0) {
2276 decode_err:
2277 al = SSL_AD_DECODE_ERROR;
2278 SSLerror(s, SSL_R_BAD_PACKET_LENGTH);
2279 fatal_err:
2280 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2281 }
2282 err:
2283 sk_X509_pop_free(certs, X509_free);
2284 X509_free(cert);
2285
2286 return (ret);
2287}
2288
2289static int
2290ssl3_send_server_certificate(SSL *s)
2291{
2292 CBB cbb, server_cert;
2293 SSL_CERT_PKEY *cpk;
2294
2295 /*
2296 * Server Certificate - RFC 5246, section 7.4.2.
2297 */
2298
2299 memset(&cbb, 0, sizeof(cbb));
2300
2301 if (s->s3->hs.state == SSL3_ST_SW_CERT_A) {
2302 if ((cpk = ssl_get_server_send_pkey(s)) == NULL) {
2303 SSLerror(s, ERR_R_INTERNAL_ERROR);
2304 return (0);
2305 }
2306
2307 if (!ssl3_handshake_msg_start(s, &cbb, &server_cert,
2308 SSL3_MT_CERTIFICATE))
2309 goto err;
2310 if (!ssl3_output_cert_chain(s, &server_cert, cpk))
2311 goto err;
2312 if (!ssl3_handshake_msg_finish(s, &cbb))
2313 goto err;
2314
2315 s->s3->hs.state = SSL3_ST_SW_CERT_B;
2316 }
2317
2318 /* SSL3_ST_SW_CERT_B */
2319 return (ssl3_handshake_write(s));
2320
2321 err:
2322 CBB_cleanup(&cbb);
2323
2324 return (0);
2325}
2326
2327/* send a new session ticket (not necessarily for a new session) */
2328static int
2329ssl3_send_newsession_ticket(SSL *s)
2330{
2331 CBB cbb, session_ticket, ticket;
2332 SSL_CTX *tctx = s->initial_ctx;
2333 size_t enc_session_len, enc_session_max_len, hmac_len;
2334 size_t session_len = 0;
2335 unsigned char *enc_session = NULL, *session = NULL;
2336 unsigned char iv[EVP_MAX_IV_LENGTH];
2337 unsigned char key_name[16];
2338 unsigned char *hmac;
2339 unsigned int hlen;
2340 EVP_CIPHER_CTX *ctx = NULL;
2341 HMAC_CTX *hctx = NULL;
2342 int len;
2343
2344 /*
2345 * New Session Ticket - RFC 5077, section 3.3.
2346 */
2347
2348 memset(&cbb, 0, sizeof(cbb));
2349
2350 if ((ctx = EVP_CIPHER_CTX_new()) == NULL)
2351 goto err;
2352 if ((hctx = HMAC_CTX_new()) == NULL)
2353 goto err;
2354
2355 if (s->s3->hs.state == SSL3_ST_SW_SESSION_TICKET_A) {
2356 if (!ssl3_handshake_msg_start(s, &cbb, &session_ticket,
2357 SSL3_MT_NEWSESSION_TICKET))
2358 goto err;
2359
2360 if (!SSL_SESSION_ticket(s->session, &session, &session_len))
2361 goto err;
2362 if (session_len > 0xffff)
2363 goto err;
2364
2365 /*
2366 * Initialize HMAC and cipher contexts. If callback is present
2367 * it does all the work, otherwise use generated values from
2368 * parent context.
2369 */
2370 if (tctx->tlsext_ticket_key_cb != NULL) {
2371 if (tctx->tlsext_ticket_key_cb(s,
2372 key_name, iv, ctx, hctx, 1) < 0)
2373 goto err;
2374 } else {
2375 arc4random_buf(iv, 16);
2376 EVP_EncryptInit_ex(ctx, EVP_aes_128_cbc(), NULL,
2377 tctx->tlsext_tick_aes_key, iv);
2378 HMAC_Init_ex(hctx, tctx->tlsext_tick_hmac_key,
2379 16, EVP_sha256(), NULL);
2380 memcpy(key_name, tctx->tlsext_tick_key_name, 16);
2381 }
2382
2383 /* Encrypt the session state. */
2384 enc_session_max_len = session_len + EVP_MAX_BLOCK_LENGTH;
2385 if ((enc_session = calloc(1, enc_session_max_len)) == NULL)
2386 goto err;
2387 enc_session_len = 0;
2388 if (!EVP_EncryptUpdate(ctx, enc_session, &len, session,
2389 session_len))
2390 goto err;
2391 enc_session_len += len;
2392 if (!EVP_EncryptFinal_ex(ctx, enc_session + enc_session_len,
2393 &len))
2394 goto err;
2395 enc_session_len += len;
2396
2397 if (enc_session_len > enc_session_max_len)
2398 goto err;
2399
2400 /* Generate the HMAC. */
2401 if (!HMAC_Update(hctx, key_name, sizeof(key_name)))
2402 goto err;
2403 if (!HMAC_Update(hctx, iv, EVP_CIPHER_CTX_iv_length(ctx)))
2404 goto err;
2405 if (!HMAC_Update(hctx, enc_session, enc_session_len))
2406 goto err;
2407
2408 if ((hmac_len = HMAC_size(hctx)) <= 0)
2409 goto err;
2410
2411 /*
2412 * Ticket lifetime hint (advisory only):
2413 * We leave this unspecified for resumed session
2414 * (for simplicity), and guess that tickets for new
2415 * sessions will live as long as their sessions.
2416 */
2417 if (!CBB_add_u32(&session_ticket,
2418 s->hit ? 0 : s->session->timeout))
2419 goto err;
2420
2421 if (!CBB_add_u16_length_prefixed(&session_ticket, &ticket))
2422 goto err;
2423 if (!CBB_add_bytes(&ticket, key_name, sizeof(key_name)))
2424 goto err;
2425 if (!CBB_add_bytes(&ticket, iv, EVP_CIPHER_CTX_iv_length(ctx)))
2426 goto err;
2427 if (!CBB_add_bytes(&ticket, enc_session, enc_session_len))
2428 goto err;
2429 if (!CBB_add_space(&ticket, &hmac, hmac_len))
2430 goto err;
2431
2432 if (!HMAC_Final(hctx, hmac, &hlen))
2433 goto err;
2434 if (hlen != hmac_len)
2435 goto err;
2436
2437 if (!ssl3_handshake_msg_finish(s, &cbb))
2438 goto err;
2439
2440 s->s3->hs.state = SSL3_ST_SW_SESSION_TICKET_B;
2441 }
2442
2443 EVP_CIPHER_CTX_free(ctx);
2444 HMAC_CTX_free(hctx);
2445 freezero(session, session_len);
2446 free(enc_session);
2447
2448 /* SSL3_ST_SW_SESSION_TICKET_B */
2449 return (ssl3_handshake_write(s));
2450
2451 err:
2452 CBB_cleanup(&cbb);
2453 EVP_CIPHER_CTX_free(ctx);
2454 HMAC_CTX_free(hctx);
2455 freezero(session, session_len);
2456 free(enc_session);
2457
2458 return (-1);
2459}
2460
2461static int
2462ssl3_send_cert_status(SSL *s)
2463{
2464 CBB cbb, certstatus, ocspresp;
2465
2466 memset(&cbb, 0, sizeof(cbb));
2467
2468 if (s->s3->hs.state == SSL3_ST_SW_CERT_STATUS_A) {
2469 if (!ssl3_handshake_msg_start(s, &cbb, &certstatus,
2470 SSL3_MT_CERTIFICATE_STATUS))
2471 goto err;
2472 if (!CBB_add_u8(&certstatus, s->tlsext_status_type))
2473 goto err;
2474 if (!CBB_add_u24_length_prefixed(&certstatus, &ocspresp))
2475 goto err;
2476 if (!CBB_add_bytes(&ocspresp, s->tlsext_ocsp_resp,
2477 s->tlsext_ocsp_resp_len))
2478 goto err;
2479 if (!ssl3_handshake_msg_finish(s, &cbb))
2480 goto err;
2481
2482 s->s3->hs.state = SSL3_ST_SW_CERT_STATUS_B;
2483 }
2484
2485 /* SSL3_ST_SW_CERT_STATUS_B */
2486 return (ssl3_handshake_write(s));
2487
2488 err:
2489 CBB_cleanup(&cbb);
2490
2491 return (-1);
2492}
2493
2494static int
2495ssl3_send_server_change_cipher_spec(SSL *s)
2496{
2497 size_t outlen;
2498 CBB cbb;
2499
2500 memset(&cbb, 0, sizeof(cbb));
2501
2502 if (s->s3->hs.state == SSL3_ST_SW_CHANGE_A) {
2503 if (!CBB_init_fixed(&cbb, s->init_buf->data,
2504 s->init_buf->length))
2505 goto err;
2506 if (!CBB_add_u8(&cbb, SSL3_MT_CCS))
2507 goto err;
2508 if (!CBB_finish(&cbb, NULL, &outlen))
2509 goto err;
2510
2511 if (outlen > INT_MAX)
2512 goto err;
2513
2514 s->init_num = (int)outlen;
2515 s->init_off = 0;
2516
2517 if (SSL_is_dtls(s)) {
2518 s->d1->handshake_write_seq =
2519 s->d1->next_handshake_write_seq;
2520 dtls1_set_message_header_int(s, SSL3_MT_CCS, 0,
2521 s->d1->handshake_write_seq, 0, 0);
2522 dtls1_buffer_message(s, 1);
2523 }
2524
2525 s->s3->hs.state = SSL3_ST_SW_CHANGE_B;
2526 }
2527
2528 /* SSL3_ST_SW_CHANGE_B */
2529 return ssl3_record_write(s, SSL3_RT_CHANGE_CIPHER_SPEC);
2530
2531 err:
2532 CBB_cleanup(&cbb);
2533
2534 return -1;
2535}
2536
2537static int
2538ssl3_get_client_finished(SSL *s)
2539{
2540 int al, md_len, ret;
2541 CBS cbs;
2542
2543 /* should actually be 36+4 :-) */
2544 if ((ret = ssl3_get_message(s, SSL3_ST_SR_FINISHED_A,
2545 SSL3_ST_SR_FINISHED_B, SSL3_MT_FINISHED, 64)) <= 0)
2546 return ret;
2547
2548 /* If this occurs, we have missed a message */
2549 if (!s->s3->change_cipher_spec) {
2550 al = SSL_AD_UNEXPECTED_MESSAGE;
2551 SSLerror(s, SSL_R_GOT_A_FIN_BEFORE_A_CCS);
2552 goto fatal_err;
2553 }
2554 s->s3->change_cipher_spec = 0;
2555
2556 md_len = TLS1_FINISH_MAC_LENGTH;
2557
2558 if (s->init_num < 0) {
2559 al = SSL_AD_DECODE_ERROR;
2560 SSLerror(s, SSL_R_BAD_DIGEST_LENGTH);
2561 goto fatal_err;
2562 }
2563
2564 CBS_init(&cbs, s->init_msg, s->init_num);
2565
2566 if (s->s3->hs.peer_finished_len != md_len ||
2567 CBS_len(&cbs) != md_len) {
2568 al = SSL_AD_DECODE_ERROR;
2569 SSLerror(s, SSL_R_BAD_DIGEST_LENGTH);
2570 goto fatal_err;
2571 }
2572
2573 if (!CBS_mem_equal(&cbs, s->s3->hs.peer_finished, CBS_len(&cbs))) {
2574 al = SSL_AD_DECRYPT_ERROR;
2575 SSLerror(s, SSL_R_DIGEST_CHECK_FAILED);
2576 goto fatal_err;
2577 }
2578
2579 /* Copy finished so we can use it for renegotiation checks. */
2580 OPENSSL_assert(md_len <= EVP_MAX_MD_SIZE);
2581 memcpy(s->s3->previous_client_finished,
2582 s->s3->hs.peer_finished, md_len);
2583 s->s3->previous_client_finished_len = md_len;
2584
2585 return (1);
2586 fatal_err:
2587 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2588 return (0);
2589}
2590
2591static int
2592ssl3_send_server_finished(SSL *s)
2593{
2594 CBB cbb, finished;
2595
2596 memset(&cbb, 0, sizeof(cbb));
2597
2598 if (s->s3->hs.state == SSL3_ST_SW_FINISHED_A) {
2599 if (!tls12_derive_finished(s))
2600 goto err;
2601
2602 /* Copy finished so we can use it for renegotiation checks. */
2603 memcpy(s->s3->previous_server_finished,
2604 s->s3->hs.finished, s->s3->hs.finished_len);
2605 s->s3->previous_server_finished_len = s->s3->hs.finished_len;
2606
2607 if (!ssl3_handshake_msg_start(s, &cbb, &finished,
2608 SSL3_MT_FINISHED))
2609 goto err;
2610 if (!CBB_add_bytes(&finished, s->s3->hs.finished,
2611 s->s3->hs.finished_len))
2612 goto err;
2613 if (!ssl3_handshake_msg_finish(s, &cbb))
2614 goto err;
2615
2616 s->s3->hs.state = SSL3_ST_SW_FINISHED_B;
2617 }
2618
2619 return (ssl3_handshake_write(s));
2620
2621 err:
2622 CBB_cleanup(&cbb);
2623
2624 return (-1);
2625}
diff --git a/src/lib/libssl/ssl_stat.c b/src/lib/libssl/ssl_stat.c
deleted file mode 100644
index b423033e43..0000000000
--- a/src/lib/libssl/ssl_stat.c
+++ /dev/null
@@ -1,789 +0,0 @@
1/* $OpenBSD: ssl_stat.c,v 1.20 2022/11/26 16:08:56 tb Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58/* ====================================================================
59 * Copyright 2005 Nokia. All rights reserved.
60 *
61 * The portions of the attached software ("Contribution") is developed by
62 * Nokia Corporation and is licensed pursuant to the OpenSSL open source
63 * license.
64 *
65 * The Contribution, originally written by Mika Kousa and Pasi Eronen of
66 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
67 * support (see RFC 4279) to OpenSSL.
68 *
69 * No patent licenses or other rights except those expressly stated in
70 * the OpenSSL open source license shall be deemed granted or received
71 * expressly, by implication, estoppel, or otherwise.
72 *
73 * No assurances are provided by Nokia that the Contribution does not
74 * infringe the patent or other intellectual property rights of any third
75 * party or that the license provides you with all the necessary rights
76 * to make use of the Contribution.
77 *
78 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
79 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
80 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
81 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
82 * OTHERWISE.
83 */
84
85#include <stdio.h>
86
87#include "ssl_local.h"
88
89const char *
90SSL_state_string_long(const SSL *s)
91{
92 const char *str;
93
94 switch (s->s3->hs.state) {
95 case SSL_ST_BEFORE:
96 str = "before SSL initialization";
97 break;
98 case SSL_ST_ACCEPT:
99 str = "before accept initialization";
100 break;
101 case SSL_ST_CONNECT:
102 str = "before connect initialization";
103 break;
104 case SSL_ST_OK:
105 str = "SSL negotiation finished successfully";
106 break;
107 case SSL_ST_RENEGOTIATE:
108 str = "SSL renegotiate ciphers";
109 break;
110 case SSL_ST_BEFORE|SSL_ST_CONNECT:
111 str = "before/connect initialization";
112 break;
113 case SSL_ST_OK|SSL_ST_CONNECT:
114 str = "ok/connect SSL initialization";
115 break;
116 case SSL_ST_BEFORE|SSL_ST_ACCEPT:
117 str = "before/accept initialization";
118 break;
119 case SSL_ST_OK|SSL_ST_ACCEPT:
120 str = "ok/accept SSL initialization";
121 break;
122
123 /* SSLv3 additions */
124 case SSL3_ST_CW_CLNT_HELLO_A:
125 str = "SSLv3 write client hello A";
126 break;
127 case SSL3_ST_CW_CLNT_HELLO_B:
128 str = "SSLv3 write client hello B";
129 break;
130 case SSL3_ST_CR_SRVR_HELLO_A:
131 str = "SSLv3 read server hello A";
132 break;
133 case SSL3_ST_CR_SRVR_HELLO_B:
134 str = "SSLv3 read server hello B";
135 break;
136 case SSL3_ST_CR_CERT_A:
137 str = "SSLv3 read server certificate A";
138 break;
139 case SSL3_ST_CR_CERT_B:
140 str = "SSLv3 read server certificate B";
141 break;
142 case SSL3_ST_CR_KEY_EXCH_A:
143 str = "SSLv3 read server key exchange A";
144 break;
145 case SSL3_ST_CR_KEY_EXCH_B:
146 str = "SSLv3 read server key exchange B";
147 break;
148 case SSL3_ST_CR_CERT_REQ_A:
149 str = "SSLv3 read server certificate request A";
150 break;
151 case SSL3_ST_CR_CERT_REQ_B:
152 str = "SSLv3 read server certificate request B";
153 break;
154 case SSL3_ST_CR_SESSION_TICKET_A:
155 str = "SSLv3 read server session ticket A";
156 break;
157 case SSL3_ST_CR_SESSION_TICKET_B:
158 str = "SSLv3 read server session ticket B";
159 break;
160 case SSL3_ST_CR_SRVR_DONE_A:
161 str = "SSLv3 read server done A";
162 break;
163 case SSL3_ST_CR_SRVR_DONE_B:
164 str = "SSLv3 read server done B";
165 break;
166 case SSL3_ST_CW_CERT_A:
167 str = "SSLv3 write client certificate A";
168 break;
169 case SSL3_ST_CW_CERT_B:
170 str = "SSLv3 write client certificate B";
171 break;
172 case SSL3_ST_CW_CERT_C:
173 str = "SSLv3 write client certificate C";
174 break;
175 case SSL3_ST_CW_CERT_D:
176 str = "SSLv3 write client certificate D";
177 break;
178 case SSL3_ST_CW_KEY_EXCH_A:
179 str = "SSLv3 write client key exchange A";
180 break;
181 case SSL3_ST_CW_KEY_EXCH_B:
182 str = "SSLv3 write client key exchange B";
183 break;
184 case SSL3_ST_CW_CERT_VRFY_A:
185 str = "SSLv3 write certificate verify A";
186 break;
187 case SSL3_ST_CW_CERT_VRFY_B:
188 str = "SSLv3 write certificate verify B";
189 break;
190
191 case SSL3_ST_CW_CHANGE_A:
192 case SSL3_ST_SW_CHANGE_A:
193 str = "SSLv3 write change cipher spec A";
194 break;
195 case SSL3_ST_CW_CHANGE_B:
196 case SSL3_ST_SW_CHANGE_B:
197 str = "SSLv3 write change cipher spec B";
198 break;
199 case SSL3_ST_CW_FINISHED_A:
200 case SSL3_ST_SW_FINISHED_A:
201 str = "SSLv3 write finished A";
202 break;
203 case SSL3_ST_CW_FINISHED_B:
204 case SSL3_ST_SW_FINISHED_B:
205 str = "SSLv3 write finished B";
206 break;
207 case SSL3_ST_CR_CHANGE_A:
208 case SSL3_ST_SR_CHANGE_A:
209 str = "SSLv3 read change cipher spec A";
210 break;
211 case SSL3_ST_CR_CHANGE_B:
212 case SSL3_ST_SR_CHANGE_B:
213 str = "SSLv3 read change cipher spec B";
214 break;
215 case SSL3_ST_CR_FINISHED_A:
216 case SSL3_ST_SR_FINISHED_A:
217 str = "SSLv3 read finished A";
218 break;
219 case SSL3_ST_CR_FINISHED_B:
220 case SSL3_ST_SR_FINISHED_B:
221 str = "SSLv3 read finished B";
222 break;
223
224 case SSL3_ST_CW_FLUSH:
225 case SSL3_ST_SW_FLUSH:
226 str = "SSLv3 flush data";
227 break;
228
229 case SSL3_ST_SR_CLNT_HELLO_A:
230 str = "SSLv3 read client hello A";
231 break;
232 case SSL3_ST_SR_CLNT_HELLO_B:
233 str = "SSLv3 read client hello B";
234 break;
235 case SSL3_ST_SR_CLNT_HELLO_C:
236 str = "SSLv3 read client hello C";
237 break;
238 case SSL3_ST_SW_HELLO_REQ_A:
239 str = "SSLv3 write hello request A";
240 break;
241 case SSL3_ST_SW_HELLO_REQ_B:
242 str = "SSLv3 write hello request B";
243 break;
244 case SSL3_ST_SW_HELLO_REQ_C:
245 str = "SSLv3 write hello request C";
246 break;
247 case SSL3_ST_SW_SRVR_HELLO_A:
248 str = "SSLv3 write server hello A";
249 break;
250 case SSL3_ST_SW_SRVR_HELLO_B:
251 str = "SSLv3 write server hello B";
252 break;
253 case SSL3_ST_SW_CERT_A:
254 str = "SSLv3 write certificate A";
255 break;
256 case SSL3_ST_SW_CERT_B:
257 str = "SSLv3 write certificate B";
258 break;
259 case SSL3_ST_SW_KEY_EXCH_A:
260 str = "SSLv3 write key exchange A";
261 break;
262 case SSL3_ST_SW_KEY_EXCH_B:
263 str = "SSLv3 write key exchange B";
264 break;
265 case SSL3_ST_SW_CERT_REQ_A:
266 str = "SSLv3 write certificate request A";
267 break;
268 case SSL3_ST_SW_CERT_REQ_B:
269 str = "SSLv3 write certificate request B";
270 break;
271 case SSL3_ST_SW_SESSION_TICKET_A:
272 str = "SSLv3 write session ticket A";
273 break;
274 case SSL3_ST_SW_SESSION_TICKET_B:
275 str = "SSLv3 write session ticket B";
276 break;
277 case SSL3_ST_SW_SRVR_DONE_A:
278 str = "SSLv3 write server done A";
279 break;
280 case SSL3_ST_SW_SRVR_DONE_B:
281 str = "SSLv3 write server done B";
282 break;
283 case SSL3_ST_SR_CERT_A:
284 str = "SSLv3 read client certificate A";
285 break;
286 case SSL3_ST_SR_CERT_B:
287 str = "SSLv3 read client certificate B";
288 break;
289 case SSL3_ST_SR_KEY_EXCH_A:
290 str = "SSLv3 read client key exchange A";
291 break;
292 case SSL3_ST_SR_KEY_EXCH_B:
293 str = "SSLv3 read client key exchange B";
294 break;
295 case SSL3_ST_SR_CERT_VRFY_A:
296 str = "SSLv3 read certificate verify A";
297 break;
298 case SSL3_ST_SR_CERT_VRFY_B:
299 str = "SSLv3 read certificate verify B";
300 break;
301
302 /* DTLS */
303 case DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A:
304 str = "DTLS1 read hello verify request A";
305 break;
306 case DTLS1_ST_CR_HELLO_VERIFY_REQUEST_B:
307 str = "DTLS1 read hello verify request B";
308 break;
309 case DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A:
310 str = "DTLS1 write hello verify request A";
311 break;
312 case DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B:
313 str = "DTLS1 write hello verify request B";
314 break;
315
316 default:
317 str = "unknown state";
318 break;
319 }
320 return (str);
321}
322
323const char *
324SSL_rstate_string_long(const SSL *s)
325{
326 const char *str;
327
328 switch (s->rstate) {
329 case SSL_ST_READ_HEADER:
330 str = "read header";
331 break;
332 case SSL_ST_READ_BODY:
333 str = "read body";
334 break;
335 case SSL_ST_READ_DONE:
336 str = "read done";
337 break;
338 default:
339 str = "unknown";
340 break;
341 }
342 return (str);
343}
344
345const char *
346SSL_state_string(const SSL *s)
347{
348 const char *str;
349
350 switch (s->s3->hs.state) {
351 case SSL_ST_BEFORE:
352 str = "PINIT ";
353 break;
354 case SSL_ST_ACCEPT:
355 str = "AINIT ";
356 break;
357 case SSL_ST_CONNECT:
358 str = "CINIT ";
359 break;
360 case SSL_ST_OK:
361 str = "SSLOK ";
362 break;
363
364 /* SSLv3 additions */
365 case SSL3_ST_SW_FLUSH:
366 case SSL3_ST_CW_FLUSH:
367 str = "3FLUSH";
368 break;
369 case SSL3_ST_CW_CLNT_HELLO_A:
370 str = "3WCH_A";
371 break;
372 case SSL3_ST_CW_CLNT_HELLO_B:
373 str = "3WCH_B";
374 break;
375 case SSL3_ST_CR_SRVR_HELLO_A:
376 str = "3RSH_A";
377 break;
378 case SSL3_ST_CR_SRVR_HELLO_B:
379 str = "3RSH_B";
380 break;
381 case SSL3_ST_CR_CERT_A:
382 str = "3RSC_A";
383 break;
384 case SSL3_ST_CR_CERT_B:
385 str = "3RSC_B";
386 break;
387 case SSL3_ST_CR_KEY_EXCH_A:
388 str = "3RSKEA";
389 break;
390 case SSL3_ST_CR_KEY_EXCH_B:
391 str = "3RSKEB";
392 break;
393 case SSL3_ST_CR_CERT_REQ_A:
394 str = "3RCR_A";
395 break;
396 case SSL3_ST_CR_CERT_REQ_B:
397 str = "3RCR_B";
398 break;
399 case SSL3_ST_CR_SRVR_DONE_A:
400 str = "3RSD_A";
401 break;
402 case SSL3_ST_CR_SRVR_DONE_B:
403 str = "3RSD_B";
404 break;
405 case SSL3_ST_CW_CERT_A:
406 str = "3WCC_A";
407 break;
408 case SSL3_ST_CW_CERT_B:
409 str = "3WCC_B";
410 break;
411 case SSL3_ST_CW_CERT_C:
412 str = "3WCC_C";
413 break;
414 case SSL3_ST_CW_CERT_D:
415 str = "3WCC_D";
416 break;
417 case SSL3_ST_CW_KEY_EXCH_A:
418 str = "3WCKEA";
419 break;
420 case SSL3_ST_CW_KEY_EXCH_B:
421 str = "3WCKEB";
422 break;
423 case SSL3_ST_CW_CERT_VRFY_A:
424 str = "3WCV_A";
425 break;
426 case SSL3_ST_CW_CERT_VRFY_B:
427 str = "3WCV_B";
428 break;
429
430 case SSL3_ST_SW_CHANGE_A:
431 case SSL3_ST_CW_CHANGE_A:
432 str = "3WCCSA";
433 break;
434 case SSL3_ST_SW_CHANGE_B:
435 case SSL3_ST_CW_CHANGE_B:
436 str = "3WCCSB";
437 break;
438 case SSL3_ST_SW_FINISHED_A:
439 case SSL3_ST_CW_FINISHED_A:
440 str = "3WFINA";
441 break;
442 case SSL3_ST_SW_FINISHED_B:
443 case SSL3_ST_CW_FINISHED_B:
444 str = "3WFINB";
445 break;
446 case SSL3_ST_SR_CHANGE_A:
447 case SSL3_ST_CR_CHANGE_A:
448 str = "3RCCSA";
449 break;
450 case SSL3_ST_SR_CHANGE_B:
451 case SSL3_ST_CR_CHANGE_B:
452 str = "3RCCSB";
453 break;
454 case SSL3_ST_SR_FINISHED_A:
455 case SSL3_ST_CR_FINISHED_A:
456 str = "3RFINA";
457 break;
458 case SSL3_ST_SR_FINISHED_B:
459 case SSL3_ST_CR_FINISHED_B:
460 str = "3RFINB";
461 break;
462
463 case SSL3_ST_SW_HELLO_REQ_A:
464 str = "3WHR_A";
465 break;
466 case SSL3_ST_SW_HELLO_REQ_B:
467 str = "3WHR_B";
468 break;
469 case SSL3_ST_SW_HELLO_REQ_C:
470 str = "3WHR_C";
471 break;
472 case SSL3_ST_SR_CLNT_HELLO_A:
473 str = "3RCH_A";
474 break;
475 case SSL3_ST_SR_CLNT_HELLO_B:
476 str = "3RCH_B";
477 break;
478 case SSL3_ST_SR_CLNT_HELLO_C:
479 str = "3RCH_C";
480 break;
481 case SSL3_ST_SW_SRVR_HELLO_A:
482 str = "3WSH_A";
483 break;
484 case SSL3_ST_SW_SRVR_HELLO_B:
485 str = "3WSH_B";
486 break;
487 case SSL3_ST_SW_CERT_A:
488 str = "3WSC_A";
489 break;
490 case SSL3_ST_SW_CERT_B:
491 str = "3WSC_B";
492 break;
493 case SSL3_ST_SW_KEY_EXCH_A:
494 str = "3WSKEA";
495 break;
496 case SSL3_ST_SW_KEY_EXCH_B:
497 str = "3WSKEB";
498 break;
499 case SSL3_ST_SW_CERT_REQ_A:
500 str = "3WCR_A";
501 break;
502 case SSL3_ST_SW_CERT_REQ_B:
503 str = "3WCR_B";
504 break;
505 case SSL3_ST_SW_SRVR_DONE_A:
506 str = "3WSD_A";
507 break;
508 case SSL3_ST_SW_SRVR_DONE_B:
509 str = "3WSD_B";
510 break;
511 case SSL3_ST_SR_CERT_A:
512 str = "3RCC_A";
513 break;
514 case SSL3_ST_SR_CERT_B:
515 str = "3RCC_B";
516 break;
517 case SSL3_ST_SR_KEY_EXCH_A:
518 str = "3RCKEA";
519 break;
520 case SSL3_ST_SR_KEY_EXCH_B:
521 str = "3RCKEB";
522 break;
523 case SSL3_ST_SR_CERT_VRFY_A:
524 str = "3RCV_A";
525 break;
526 case SSL3_ST_SR_CERT_VRFY_B:
527 str = "3RCV_B";
528 break;
529
530 /* DTLS */
531 case DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A:
532 str = "DRCHVA";
533 break;
534 case DTLS1_ST_CR_HELLO_VERIFY_REQUEST_B:
535 str = "DRCHVB";
536 break;
537 case DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A:
538 str = "DWCHVA";
539 break;
540 case DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B:
541 str = "DWCHVB";
542 break;
543
544 default:
545 str = "UNKWN ";
546 break;
547 }
548 return (str);
549}
550
551const char *
552SSL_alert_type_string_long(int value)
553{
554 value >>= 8;
555 if (value == SSL3_AL_WARNING)
556 return ("warning");
557 else if (value == SSL3_AL_FATAL)
558 return ("fatal");
559 else
560 return ("unknown");
561}
562
563const char *
564SSL_alert_type_string(int value)
565{
566 value >>= 8;
567 if (value == SSL3_AL_WARNING)
568 return ("W");
569 else if (value == SSL3_AL_FATAL)
570 return ("F");
571 else
572 return ("U");
573}
574
575const char *
576SSL_alert_desc_string(int value)
577{
578 const char *str;
579
580 switch (value & 0xff) {
581 case SSL_AD_CLOSE_NOTIFY:
582 str = "CN";
583 break;
584 case SSL_AD_UNEXPECTED_MESSAGE:
585 str = "UM";
586 break;
587 case SSL_AD_BAD_RECORD_MAC:
588 str = "BM";
589 break;
590 case SSL_AD_DECOMPRESSION_FAILURE:
591 str = "DF";
592 break;
593 case SSL_AD_HANDSHAKE_FAILURE:
594 str = "HF";
595 break;
596 case SSL_AD_BAD_CERTIFICATE:
597 str = "BC";
598 break;
599 case SSL_AD_UNSUPPORTED_CERTIFICATE:
600 str = "UC";
601 break;
602 case SSL_AD_CERTIFICATE_REVOKED:
603 str = "CR";
604 break;
605 case SSL_AD_CERTIFICATE_EXPIRED:
606 str = "CE";
607 break;
608 case SSL_AD_CERTIFICATE_UNKNOWN:
609 str = "CU";
610 break;
611 case SSL_AD_ILLEGAL_PARAMETER:
612 str = "IP";
613 break;
614 case SSL_AD_RECORD_OVERFLOW:
615 str = "RO";
616 break;
617 case SSL_AD_UNKNOWN_CA:
618 str = "CA";
619 break;
620 case SSL_AD_ACCESS_DENIED:
621 str = "AD";
622 break;
623 case SSL_AD_DECODE_ERROR:
624 str = "DE";
625 break;
626 case SSL_AD_DECRYPT_ERROR:
627 str = "CY";
628 break;
629 case SSL_AD_PROTOCOL_VERSION:
630 str = "PV";
631 break;
632 case SSL_AD_INSUFFICIENT_SECURITY:
633 str = "IS";
634 break;
635 case SSL_AD_INTERNAL_ERROR:
636 str = "IE";
637 break;
638 case SSL_AD_USER_CANCELLED:
639 str = "US";
640 break;
641 case SSL_AD_NO_RENEGOTIATION:
642 str = "NR";
643 break;
644 case SSL_AD_MISSING_EXTENSION:
645 str = "ME";
646 break;
647 case SSL_AD_UNSUPPORTED_EXTENSION:
648 str = "UE";
649 break;
650 case SSL_AD_CERTIFICATE_UNOBTAINABLE:
651 str = "CO";
652 break;
653 case SSL_AD_UNRECOGNIZED_NAME:
654 str = "UN";
655 break;
656 case SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE:
657 str = "BR";
658 break;
659 case SSL_AD_BAD_CERTIFICATE_HASH_VALUE:
660 str = "BH";
661 break;
662 case SSL_AD_UNKNOWN_PSK_IDENTITY:
663 str = "UP";
664 break;
665 default:
666 str = "UK";
667 break;
668 }
669 return (str);
670}
671
672const char *
673SSL_alert_desc_string_long(int value)
674{
675 const char *str;
676
677 switch (value & 0xff) {
678 case SSL_AD_CLOSE_NOTIFY:
679 str = "close notify";
680 break;
681 case SSL_AD_UNEXPECTED_MESSAGE:
682 str = "unexpected_message";
683 break;
684 case SSL_AD_BAD_RECORD_MAC:
685 str = "bad record mac";
686 break;
687 case SSL_AD_DECOMPRESSION_FAILURE:
688 str = "decompression failure";
689 break;
690 case SSL_AD_HANDSHAKE_FAILURE:
691 str = "handshake failure";
692 break;
693 case SSL_AD_BAD_CERTIFICATE:
694 str = "bad certificate";
695 break;
696 case SSL_AD_UNSUPPORTED_CERTIFICATE:
697 str = "unsupported certificate";
698 break;
699 case SSL_AD_CERTIFICATE_REVOKED:
700 str = "certificate revoked";
701 break;
702 case SSL_AD_CERTIFICATE_EXPIRED:
703 str = "certificate expired";
704 break;
705 case SSL_AD_CERTIFICATE_UNKNOWN:
706 str = "certificate unknown";
707 break;
708 case SSL_AD_ILLEGAL_PARAMETER:
709 str = "illegal parameter";
710 break;
711 case SSL_AD_RECORD_OVERFLOW:
712 str = "record overflow";
713 break;
714 case SSL_AD_UNKNOWN_CA:
715 str = "unknown CA";
716 break;
717 case SSL_AD_ACCESS_DENIED:
718 str = "access denied";
719 break;
720 case SSL_AD_DECODE_ERROR:
721 str = "decode error";
722 break;
723 case SSL_AD_DECRYPT_ERROR:
724 str = "decrypt error";
725 break;
726 case SSL_AD_PROTOCOL_VERSION:
727 str = "protocol version";
728 break;
729 case SSL_AD_INSUFFICIENT_SECURITY:
730 str = "insufficient security";
731 break;
732 case SSL_AD_INTERNAL_ERROR:
733 str = "internal error";
734 break;
735 case SSL_AD_USER_CANCELLED:
736 str = "user canceled";
737 break;
738 case SSL_AD_NO_RENEGOTIATION:
739 str = "no renegotiation";
740 break;
741 case SSL_AD_MISSING_EXTENSION:
742 str = "missing extension";
743 break;
744 case SSL_AD_UNSUPPORTED_EXTENSION:
745 str = "unsupported extension";
746 break;
747 case SSL_AD_CERTIFICATE_UNOBTAINABLE:
748 str = "certificate unobtainable";
749 break;
750 case SSL_AD_UNRECOGNIZED_NAME:
751 str = "unrecognized name";
752 break;
753 case SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE:
754 str = "bad certificate status response";
755 break;
756 case SSL_AD_BAD_CERTIFICATE_HASH_VALUE:
757 str = "bad certificate hash value";
758 break;
759 case SSL_AD_UNKNOWN_PSK_IDENTITY:
760 str = "unknown PSK identity";
761 break;
762 default:
763 str = "unknown";
764 break;
765 }
766 return (str);
767}
768
769const char *
770SSL_rstate_string(const SSL *s)
771{
772 const char *str;
773
774 switch (s->rstate) {
775 case SSL_ST_READ_HEADER:
776 str = "RH";
777 break;
778 case SSL_ST_READ_BODY:
779 str = "RB";
780 break;
781 case SSL_ST_READ_DONE:
782 str = "RD";
783 break;
784 default:
785 str = "unknown";
786 break;
787 }
788 return (str);
789}
diff --git a/src/lib/libssl/ssl_tlsext.c b/src/lib/libssl/ssl_tlsext.c
deleted file mode 100644
index e576384118..0000000000
--- a/src/lib/libssl/ssl_tlsext.c
+++ /dev/null
@@ -1,2442 +0,0 @@
1/* $OpenBSD: ssl_tlsext.c,v 1.131 2022/11/26 16:08:56 tb Exp $ */
2/*
3 * Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org>
4 * Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
5 * Copyright (c) 2018-2019 Bob Beck <beck@openbsd.org>
6 *
7 * Permission to use, copy, modify, and distribute this software for any
8 * purpose with or without fee is hereby granted, provided that the above
9 * copyright notice and this permission notice appear in all copies.
10 *
11 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
12 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
13 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
14 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
15 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
16 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
17 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18 */
19
20#include <sys/socket.h>
21
22#include <arpa/inet.h>
23#include <netinet/in.h>
24
25#include <ctype.h>
26
27#include <openssl/ocsp.h>
28#include <openssl/opensslconf.h>
29
30#include "bytestring.h"
31#include "ssl_local.h"
32#include "ssl_sigalgs.h"
33#include "ssl_tlsext.h"
34
35/*
36 * Supported Application-Layer Protocol Negotiation - RFC 7301
37 */
38
39static int
40tlsext_alpn_client_needs(SSL *s, uint16_t msg_type)
41{
42 /* ALPN protos have been specified and this is the initial handshake */
43 return s->alpn_client_proto_list != NULL &&
44 s->s3->hs.finished_len == 0;
45}
46
47static int
48tlsext_alpn_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
49{
50 CBB protolist;
51
52 if (!CBB_add_u16_length_prefixed(cbb, &protolist))
53 return 0;
54
55 if (!CBB_add_bytes(&protolist, s->alpn_client_proto_list,
56 s->alpn_client_proto_list_len))
57 return 0;
58
59 if (!CBB_flush(cbb))
60 return 0;
61
62 return 1;
63}
64
65int
66tlsext_alpn_check_format(CBS *cbs)
67{
68 CBS proto_name_list;
69
70 if (CBS_len(cbs) == 0)
71 return 0;
72
73 CBS_dup(cbs, &proto_name_list);
74 while (CBS_len(&proto_name_list) > 0) {
75 CBS proto_name;
76
77 if (!CBS_get_u8_length_prefixed(&proto_name_list, &proto_name))
78 return 0;
79 if (CBS_len(&proto_name) == 0)
80 return 0;
81 }
82
83 return 1;
84}
85
86static int
87tlsext_alpn_server_parse(SSL *s, uint16_t msg_types, CBS *cbs, int *alert)
88{
89 CBS alpn, selected_cbs;
90 const unsigned char *selected;
91 unsigned char selected_len;
92 int r;
93
94 if (!CBS_get_u16_length_prefixed(cbs, &alpn))
95 return 0;
96
97 if (!tlsext_alpn_check_format(&alpn))
98 return 0;
99
100 if (s->ctx->alpn_select_cb == NULL)
101 return 1;
102
103 /*
104 * XXX - A few things should be considered here:
105 * 1. Ensure that the same protocol is selected on session resumption.
106 * 2. Should the callback be called even if no ALPN extension was sent?
107 * 3. TLSv1.2 and earlier: ensure that SNI has already been processed.
108 */
109 r = s->ctx->alpn_select_cb(s, &selected, &selected_len,
110 CBS_data(&alpn), CBS_len(&alpn),
111 s->ctx->alpn_select_cb_arg);
112
113 if (r == SSL_TLSEXT_ERR_OK) {
114 CBS_init(&selected_cbs, selected, selected_len);
115
116 if (!CBS_stow(&selected_cbs, &s->s3->alpn_selected,
117 &s->s3->alpn_selected_len)) {
118 *alert = SSL_AD_INTERNAL_ERROR;
119 return 0;
120 }
121
122 return 1;
123 }
124
125 /* On SSL_TLSEXT_ERR_NOACK behave as if no callback was present. */
126 if (r == SSL_TLSEXT_ERR_NOACK)
127 return 1;
128
129 *alert = SSL_AD_NO_APPLICATION_PROTOCOL;
130 SSLerror(s, SSL_R_NO_APPLICATION_PROTOCOL);
131
132 return 0;
133}
134
135static int
136tlsext_alpn_server_needs(SSL *s, uint16_t msg_type)
137{
138 return s->s3->alpn_selected != NULL;
139}
140
141static int
142tlsext_alpn_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
143{
144 CBB list, selected;
145
146 if (!CBB_add_u16_length_prefixed(cbb, &list))
147 return 0;
148
149 if (!CBB_add_u8_length_prefixed(&list, &selected))
150 return 0;
151
152 if (!CBB_add_bytes(&selected, s->s3->alpn_selected,
153 s->s3->alpn_selected_len))
154 return 0;
155
156 if (!CBB_flush(cbb))
157 return 0;
158
159 return 1;
160}
161
162static int
163tlsext_alpn_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
164{
165 CBS list, proto;
166
167 if (s->alpn_client_proto_list == NULL) {
168 *alert = SSL_AD_UNSUPPORTED_EXTENSION;
169 return 0;
170 }
171
172 if (!CBS_get_u16_length_prefixed(cbs, &list))
173 return 0;
174
175 if (!CBS_get_u8_length_prefixed(&list, &proto))
176 return 0;
177
178 if (CBS_len(&list) != 0)
179 return 0;
180 if (CBS_len(&proto) == 0)
181 return 0;
182
183 if (!CBS_stow(&proto, &s->s3->alpn_selected, &s->s3->alpn_selected_len))
184 return 0;
185
186 return 1;
187}
188
189/*
190 * Supported Groups - RFC 7919 section 2
191 */
192static int
193tlsext_supportedgroups_client_needs(SSL *s, uint16_t msg_type)
194{
195 return ssl_has_ecc_ciphers(s) ||
196 (s->s3->hs.our_max_tls_version >= TLS1_3_VERSION);
197}
198
199static int
200tlsext_supportedgroups_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
201{
202 const uint16_t *groups;
203 size_t groups_len;
204 CBB grouplist;
205 int i;
206
207 tls1_get_group_list(s, 0, &groups, &groups_len);
208 if (groups_len == 0) {
209 SSLerror(s, ERR_R_INTERNAL_ERROR);
210 return 0;
211 }
212
213 if (!CBB_add_u16_length_prefixed(cbb, &grouplist))
214 return 0;
215
216 for (i = 0; i < groups_len; i++) {
217 if (!ssl_security_supported_group(s, groups[i]))
218 continue;
219 if (!CBB_add_u16(&grouplist, groups[i]))
220 return 0;
221 }
222
223 if (!CBB_flush(cbb))
224 return 0;
225
226 return 1;
227}
228
229static int
230tlsext_supportedgroups_server_parse(SSL *s, uint16_t msg_type, CBS *cbs,
231 int *alert)
232{
233 CBS grouplist;
234 uint16_t *groups;
235 size_t groups_len;
236 int i;
237
238 if (!CBS_get_u16_length_prefixed(cbs, &grouplist))
239 return 0;
240
241 groups_len = CBS_len(&grouplist);
242 if (groups_len == 0 || groups_len % 2 != 0)
243 return 0;
244 groups_len /= 2;
245
246 if (s->hit)
247 return 1;
248
249 if (s->s3->hs.tls13.hrr) {
250 if (s->session->tlsext_supportedgroups == NULL) {
251 *alert = SSL_AD_HANDSHAKE_FAILURE;
252 return 0;
253 }
254
255 /*
256 * The ClientHello extension hashing ensures that the client
257 * did not change its list of supported groups.
258 */
259
260 return 1;
261 }
262
263 if (s->session->tlsext_supportedgroups != NULL)
264 return 0; /* XXX internal error? */
265
266 if ((groups = reallocarray(NULL, groups_len, sizeof(uint16_t))) == NULL) {
267 *alert = SSL_AD_INTERNAL_ERROR;
268 return 0;
269 }
270
271 for (i = 0; i < groups_len; i++) {
272 if (!CBS_get_u16(&grouplist, &groups[i])) {
273 free(groups);
274 return 0;
275 }
276 }
277
278 if (CBS_len(&grouplist) != 0) {
279 free(groups);
280 return 0;
281 }
282
283 s->session->tlsext_supportedgroups = groups;
284 s->session->tlsext_supportedgroups_length = groups_len;
285
286 return 1;
287}
288
289/* This extension is never used by the server. */
290static int
291tlsext_supportedgroups_server_needs(SSL *s, uint16_t msg_type)
292{
293 return 0;
294}
295
296static int
297tlsext_supportedgroups_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
298{
299 return 0;
300}
301
302static int
303tlsext_supportedgroups_client_parse(SSL *s, uint16_t msg_type, CBS *cbs,
304 int *alert)
305{
306 /*
307 * Servers should not send this extension per the RFC.
308 *
309 * However, certain F5 BIG-IP systems incorrectly send it. This bug is
310 * from at least 2014 but as of 2017, there are still large sites with
311 * this unpatched in production. As a result, we need to currently skip
312 * over the extension and ignore its content:
313 *
314 * https://support.f5.com/csp/article/K37345003
315 */
316 if (!CBS_skip(cbs, CBS_len(cbs))) {
317 *alert = SSL_AD_INTERNAL_ERROR;
318 return 0;
319 }
320
321 return 1;
322}
323
324/*
325 * Supported Point Formats Extension - RFC 4492 section 5.1.2
326 */
327static int
328tlsext_ecpf_build(SSL *s, uint16_t msg_type, CBB *cbb)
329{
330 CBB ecpf;
331 size_t formats_len;
332 const uint8_t *formats;
333
334 tls1_get_formatlist(s, 0, &formats, &formats_len);
335
336 if (formats_len == 0) {
337 SSLerror(s, ERR_R_INTERNAL_ERROR);
338 return 0;
339 }
340
341 if (!CBB_add_u8_length_prefixed(cbb, &ecpf))
342 return 0;
343 if (!CBB_add_bytes(&ecpf, formats, formats_len))
344 return 0;
345 if (!CBB_flush(cbb))
346 return 0;
347
348 return 1;
349}
350
351static int
352tlsext_ecpf_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
353{
354 CBS ecpf;
355
356 if (!CBS_get_u8_length_prefixed(cbs, &ecpf))
357 return 0;
358 if (CBS_len(&ecpf) == 0)
359 return 0;
360
361 /* Must contain uncompressed (0) - RFC 8422, section 5.1.2. */
362 if (!CBS_contains_zero_byte(&ecpf)) {
363 SSLerror(s, SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
364 *alert = SSL_AD_ILLEGAL_PARAMETER;
365 return 0;
366 }
367
368 if (!s->hit) {
369 if (!CBS_stow(&ecpf, &(s->session->tlsext_ecpointformatlist),
370 &(s->session->tlsext_ecpointformatlist_length))) {
371 *alert = SSL_AD_INTERNAL_ERROR;
372 return 0;
373 }
374 }
375
376 return 1;
377}
378
379static int
380tlsext_ecpf_client_needs(SSL *s, uint16_t msg_type)
381{
382 return ssl_has_ecc_ciphers(s);
383}
384
385static int
386tlsext_ecpf_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
387{
388 return tlsext_ecpf_build(s, msg_type, cbb);
389}
390
391static int
392tlsext_ecpf_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
393{
394 return tlsext_ecpf_parse(s, msg_type, cbs, alert);
395}
396
397static int
398tlsext_ecpf_server_needs(SSL *s, uint16_t msg_type)
399{
400 return ssl_using_ecc_cipher(s);
401}
402
403static int
404tlsext_ecpf_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
405{
406 return tlsext_ecpf_build(s, msg_type, cbb);
407}
408
409static int
410tlsext_ecpf_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
411{
412 return tlsext_ecpf_parse(s, msg_type, cbs, alert);
413}
414
415/*
416 * Renegotiation Indication - RFC 5746.
417 */
418static int
419tlsext_ri_client_needs(SSL *s, uint16_t msg_type)
420{
421 return (s->renegotiate);
422}
423
424static int
425tlsext_ri_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
426{
427 CBB reneg;
428
429 if (!CBB_add_u8_length_prefixed(cbb, &reneg))
430 return 0;
431 if (!CBB_add_bytes(&reneg, s->s3->previous_client_finished,
432 s->s3->previous_client_finished_len))
433 return 0;
434 if (!CBB_flush(cbb))
435 return 0;
436
437 return 1;
438}
439
440static int
441tlsext_ri_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
442{
443 CBS reneg;
444
445 if (!CBS_get_u8_length_prefixed(cbs, &reneg)) {
446 SSLerror(s, SSL_R_RENEGOTIATION_ENCODING_ERR);
447 return 0;
448 }
449
450 if (!CBS_mem_equal(&reneg, s->s3->previous_client_finished,
451 s->s3->previous_client_finished_len)) {
452 SSLerror(s, SSL_R_RENEGOTIATION_MISMATCH);
453 *alert = SSL_AD_HANDSHAKE_FAILURE;
454 return 0;
455 }
456
457 s->s3->renegotiate_seen = 1;
458 s->s3->send_connection_binding = 1;
459
460 return 1;
461}
462
463static int
464tlsext_ri_server_needs(SSL *s, uint16_t msg_type)
465{
466 return (s->s3->hs.negotiated_tls_version < TLS1_3_VERSION &&
467 s->s3->send_connection_binding);
468}
469
470static int
471tlsext_ri_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
472{
473 CBB reneg;
474
475 if (!CBB_add_u8_length_prefixed(cbb, &reneg))
476 return 0;
477 if (!CBB_add_bytes(&reneg, s->s3->previous_client_finished,
478 s->s3->previous_client_finished_len))
479 return 0;
480 if (!CBB_add_bytes(&reneg, s->s3->previous_server_finished,
481 s->s3->previous_server_finished_len))
482 return 0;
483 if (!CBB_flush(cbb))
484 return 0;
485
486 return 1;
487}
488
489static int
490tlsext_ri_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
491{
492 CBS reneg, prev_client, prev_server;
493
494 /*
495 * Ensure that the previous client and server values are both not
496 * present, or that they are both present.
497 */
498 if ((s->s3->previous_client_finished_len == 0 &&
499 s->s3->previous_server_finished_len != 0) ||
500 (s->s3->previous_client_finished_len != 0 &&
501 s->s3->previous_server_finished_len == 0)) {
502 *alert = SSL_AD_INTERNAL_ERROR;
503 return 0;
504 }
505
506 if (!CBS_get_u8_length_prefixed(cbs, &reneg)) {
507 SSLerror(s, SSL_R_RENEGOTIATION_ENCODING_ERR);
508 return 0;
509 }
510 if (!CBS_get_bytes(&reneg, &prev_client,
511 s->s3->previous_client_finished_len)) {
512 SSLerror(s, SSL_R_RENEGOTIATION_ENCODING_ERR);
513 return 0;
514 }
515 if (!CBS_get_bytes(&reneg, &prev_server,
516 s->s3->previous_server_finished_len)) {
517 SSLerror(s, SSL_R_RENEGOTIATION_ENCODING_ERR);
518 return 0;
519 }
520 if (CBS_len(&reneg) != 0) {
521 SSLerror(s, SSL_R_RENEGOTIATION_ENCODING_ERR);
522 return 0;
523 }
524
525 if (!CBS_mem_equal(&prev_client, s->s3->previous_client_finished,
526 s->s3->previous_client_finished_len)) {
527 SSLerror(s, SSL_R_RENEGOTIATION_MISMATCH);
528 *alert = SSL_AD_HANDSHAKE_FAILURE;
529 return 0;
530 }
531 if (!CBS_mem_equal(&prev_server, s->s3->previous_server_finished,
532 s->s3->previous_server_finished_len)) {
533 SSLerror(s, SSL_R_RENEGOTIATION_MISMATCH);
534 *alert = SSL_AD_HANDSHAKE_FAILURE;
535 return 0;
536 }
537
538 s->s3->renegotiate_seen = 1;
539 s->s3->send_connection_binding = 1;
540
541 return 1;
542}
543
544/*
545 * Signature Algorithms - RFC 5246 section 7.4.1.4.1.
546 */
547static int
548tlsext_sigalgs_client_needs(SSL *s, uint16_t msg_type)
549{
550 return (s->s3->hs.our_max_tls_version >= TLS1_2_VERSION);
551}
552
553static int
554tlsext_sigalgs_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
555{
556 uint16_t tls_version = s->s3->hs.negotiated_tls_version;
557 CBB sigalgs;
558
559 if (msg_type == SSL_TLSEXT_MSG_CH)
560 tls_version = s->s3->hs.our_min_tls_version;
561
562 if (!CBB_add_u16_length_prefixed(cbb, &sigalgs))
563 return 0;
564 if (!ssl_sigalgs_build(tls_version, &sigalgs, SSL_get_security_level(s)))
565 return 0;
566 if (!CBB_flush(cbb))
567 return 0;
568
569 return 1;
570}
571
572static int
573tlsext_sigalgs_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
574{
575 CBS sigalgs;
576
577 if (!CBS_get_u16_length_prefixed(cbs, &sigalgs))
578 return 0;
579 if (CBS_len(&sigalgs) % 2 != 0 || CBS_len(&sigalgs) > 64)
580 return 0;
581 if (!CBS_stow(&sigalgs, &s->s3->hs.sigalgs, &s->s3->hs.sigalgs_len))
582 return 0;
583
584 return 1;
585}
586
587static int
588tlsext_sigalgs_server_needs(SSL *s, uint16_t msg_type)
589{
590 return (s->s3->hs.negotiated_tls_version >= TLS1_3_VERSION);
591}
592
593static int
594tlsext_sigalgs_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
595{
596 CBB sigalgs;
597
598 if (!CBB_add_u16_length_prefixed(cbb, &sigalgs))
599 return 0;
600 if (!ssl_sigalgs_build(s->s3->hs.negotiated_tls_version, &sigalgs,
601 SSL_get_security_level(s)))
602 return 0;
603 if (!CBB_flush(cbb))
604 return 0;
605
606 return 1;
607}
608
609static int
610tlsext_sigalgs_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
611{
612 CBS sigalgs;
613
614 if (ssl_effective_tls_version(s) < TLS1_3_VERSION)
615 return 0;
616
617 if (!CBS_get_u16_length_prefixed(cbs, &sigalgs))
618 return 0;
619 if (CBS_len(&sigalgs) % 2 != 0 || CBS_len(&sigalgs) > 64)
620 return 0;
621 if (!CBS_stow(&sigalgs, &s->s3->hs.sigalgs, &s->s3->hs.sigalgs_len))
622 return 0;
623
624 return 1;
625}
626
627/*
628 * Server Name Indication - RFC 6066, section 3.
629 */
630static int
631tlsext_sni_client_needs(SSL *s, uint16_t msg_type)
632{
633 return (s->tlsext_hostname != NULL);
634}
635
636static int
637tlsext_sni_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
638{
639 CBB server_name_list, host_name;
640
641 if (!CBB_add_u16_length_prefixed(cbb, &server_name_list))
642 return 0;
643 if (!CBB_add_u8(&server_name_list, TLSEXT_NAMETYPE_host_name))
644 return 0;
645 if (!CBB_add_u16_length_prefixed(&server_name_list, &host_name))
646 return 0;
647 if (!CBB_add_bytes(&host_name, (const uint8_t *)s->tlsext_hostname,
648 strlen(s->tlsext_hostname)))
649 return 0;
650 if (!CBB_flush(cbb))
651 return 0;
652
653 return 1;
654}
655
656static int
657tlsext_sni_is_ip_literal(CBS *cbs, int *is_ip)
658{
659 union {
660 struct in_addr ip4;
661 struct in6_addr ip6;
662 } addrbuf;
663 char *hostname = NULL;
664
665 *is_ip = 0;
666
667 if (!CBS_strdup(cbs, &hostname))
668 return 0;
669
670 if (inet_pton(AF_INET, hostname, &addrbuf) == 1 ||
671 inet_pton(AF_INET6, hostname, &addrbuf) == 1)
672 *is_ip = 1;
673
674 free(hostname);
675
676 return 1;
677}
678
679/*
680 * Validate that the CBS contains only a hostname consisting of RFC 5890
681 * compliant A-labels (see RFC 6066 section 3). Not a complete check
682 * since we don't parse punycode to verify its validity but limits to
683 * correct structure and character set.
684 */
685int
686tlsext_sni_is_valid_hostname(CBS *cbs, int *is_ip)
687{
688 uint8_t prev, c = 0;
689 int component = 0;
690 CBS hostname;
691
692 *is_ip = 0;
693
694 CBS_dup(cbs, &hostname);
695
696 if (CBS_len(&hostname) > TLSEXT_MAXLEN_host_name)
697 return 0;
698
699 /* An IP literal is invalid as a host name (RFC 6066 section 3). */
700 if (!tlsext_sni_is_ip_literal(&hostname, is_ip))
701 return 0;
702 if (*is_ip)
703 return 0;
704
705 while (CBS_len(&hostname) > 0) {
706 prev = c;
707 if (!CBS_get_u8(&hostname, &c))
708 return 0;
709 /* Everything has to be ASCII, with no NUL byte. */
710 if (!isascii(c) || c == '\0')
711 return 0;
712 /* It must be alphanumeric, a '-', or a '.' */
713 if (!isalnum(c) && c != '-' && c != '.')
714 return 0;
715 /* '-' and '.' must not start a component or be at the end. */
716 if (component == 0 || CBS_len(&hostname) == 0) {
717 if (c == '-' || c == '.')
718 return 0;
719 }
720 if (c == '.') {
721 /* Components can not end with a dash. */
722 if (prev == '-')
723 return 0;
724 /* Start new component */
725 component = 0;
726 continue;
727 }
728 /* Components must be 63 chars or less. */
729 if (++component > 63)
730 return 0;
731 }
732
733 return 1;
734}
735
736static int
737tlsext_sni_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
738{
739 CBS server_name_list, host_name;
740 uint8_t name_type;
741 int is_ip;
742
743 if (!CBS_get_u16_length_prefixed(cbs, &server_name_list))
744 goto err;
745
746 if (!CBS_get_u8(&server_name_list, &name_type))
747 goto err;
748
749 /*
750 * RFC 6066 section 3, only one type (host_name) is specified.
751 * We do not tolerate unknown types, neither does BoringSSL.
752 * other implementations appear more tolerant.
753 */
754 if (name_type != TLSEXT_NAMETYPE_host_name) {
755 *alert = SSL_AD_ILLEGAL_PARAMETER;
756 goto err;
757 }
758
759 /*
760 * RFC 6066 section 3 specifies a host name must be at least 1 byte
761 * so 0 length is a decode error.
762 */
763 if (!CBS_get_u16_length_prefixed(&server_name_list, &host_name))
764 goto err;
765 if (CBS_len(&host_name) < 1)
766 goto err;
767
768 if (!tlsext_sni_is_valid_hostname(&host_name, &is_ip)) {
769 /*
770 * Various pieces of software have been known to set the SNI
771 * host name to an IP address, even though that violates the
772 * RFC. If this is the case, pretend the SNI extension does
773 * not exist.
774 */
775 if (is_ip)
776 goto done;
777
778 *alert = SSL_AD_ILLEGAL_PARAMETER;
779 goto err;
780 }
781
782 if (s->hit || s->s3->hs.tls13.hrr) {
783 if (s->session->tlsext_hostname == NULL) {
784 *alert = SSL_AD_UNRECOGNIZED_NAME;
785 goto err;
786 }
787 if (!CBS_mem_equal(&host_name, s->session->tlsext_hostname,
788 strlen(s->session->tlsext_hostname))) {
789 *alert = SSL_AD_UNRECOGNIZED_NAME;
790 goto err;
791 }
792 } else {
793 if (s->session->tlsext_hostname != NULL)
794 goto err;
795 if (!CBS_strdup(&host_name, &s->session->tlsext_hostname)) {
796 *alert = SSL_AD_INTERNAL_ERROR;
797 goto err;
798 }
799 }
800
801 done:
802 /*
803 * RFC 6066 section 3 forbids multiple host names with the same type,
804 * therefore we allow only one entry.
805 */
806 if (CBS_len(&server_name_list) != 0) {
807 *alert = SSL_AD_ILLEGAL_PARAMETER;
808 goto err;
809 }
810
811 return 1;
812
813 err:
814 return 0;
815}
816
817static int
818tlsext_sni_server_needs(SSL *s, uint16_t msg_type)
819{
820 if (s->hit)
821 return 0;
822
823 return (s->session->tlsext_hostname != NULL);
824}
825
826static int
827tlsext_sni_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
828{
829 return 1;
830}
831
832static int
833tlsext_sni_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
834{
835 if (s->tlsext_hostname == NULL || CBS_len(cbs) != 0) {
836 *alert = SSL_AD_UNRECOGNIZED_NAME;
837 return 0;
838 }
839
840 if (s->hit) {
841 if (s->session->tlsext_hostname == NULL) {
842 *alert = SSL_AD_UNRECOGNIZED_NAME;
843 return 0;
844 }
845 if (strcmp(s->tlsext_hostname,
846 s->session->tlsext_hostname) != 0) {
847 *alert = SSL_AD_UNRECOGNIZED_NAME;
848 return 0;
849 }
850 } else {
851 if (s->session->tlsext_hostname != NULL)
852 return 0;
853 if ((s->session->tlsext_hostname =
854 strdup(s->tlsext_hostname)) == NULL) {
855 *alert = SSL_AD_INTERNAL_ERROR;
856 return 0;
857 }
858 }
859
860 return 1;
861}
862
863/*
864 * Certificate Status Request - RFC 6066 section 8.
865 */
866
867static int
868tlsext_ocsp_client_needs(SSL *s, uint16_t msg_type)
869{
870 if (msg_type != SSL_TLSEXT_MSG_CH)
871 return 0;
872
873 return (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp);
874}
875
876static int
877tlsext_ocsp_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
878{
879 CBB respid_list, respid, exts;
880 unsigned char *ext_data;
881 size_t ext_len;
882 int i;
883
884 if (!CBB_add_u8(cbb, TLSEXT_STATUSTYPE_ocsp))
885 return 0;
886 if (!CBB_add_u16_length_prefixed(cbb, &respid_list))
887 return 0;
888 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) {
889 unsigned char *respid_data;
890 OCSP_RESPID *id;
891 size_t id_len;
892
893 if ((id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids,
894 i)) == NULL)
895 return 0;
896 if ((id_len = i2d_OCSP_RESPID(id, NULL)) == -1)
897 return 0;
898 if (!CBB_add_u16_length_prefixed(&respid_list, &respid))
899 return 0;
900 if (!CBB_add_space(&respid, &respid_data, id_len))
901 return 0;
902 if ((i2d_OCSP_RESPID(id, &respid_data)) != id_len)
903 return 0;
904 }
905 if (!CBB_add_u16_length_prefixed(cbb, &exts))
906 return 0;
907 if ((ext_len = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts,
908 NULL)) == -1)
909 return 0;
910 if (!CBB_add_space(&exts, &ext_data, ext_len))
911 return 0;
912 if ((i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ext_data) !=
913 ext_len))
914 return 0;
915 if (!CBB_flush(cbb))
916 return 0;
917 return 1;
918}
919
920static int
921tlsext_ocsp_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
922{
923 int alert_desc = SSL_AD_DECODE_ERROR;
924 CBS respid_list, respid, exts;
925 const unsigned char *p;
926 uint8_t status_type;
927 int ret = 0;
928
929 if (msg_type != SSL_TLSEXT_MSG_CH)
930 goto err;
931
932 if (!CBS_get_u8(cbs, &status_type))
933 goto err;
934 if (status_type != TLSEXT_STATUSTYPE_ocsp) {
935 /* ignore unknown status types */
936 s->tlsext_status_type = -1;
937
938 if (!CBS_skip(cbs, CBS_len(cbs))) {
939 *alert = SSL_AD_INTERNAL_ERROR;
940 return 0;
941 }
942 return 1;
943 }
944 s->tlsext_status_type = status_type;
945 if (!CBS_get_u16_length_prefixed(cbs, &respid_list))
946 goto err;
947
948 /* XXX */
949 sk_OCSP_RESPID_pop_free(s->tlsext_ocsp_ids, OCSP_RESPID_free);
950 s->tlsext_ocsp_ids = NULL;
951 if (CBS_len(&respid_list) > 0) {
952 s->tlsext_ocsp_ids = sk_OCSP_RESPID_new_null();
953 if (s->tlsext_ocsp_ids == NULL) {
954 alert_desc = SSL_AD_INTERNAL_ERROR;
955 goto err;
956 }
957 }
958
959 while (CBS_len(&respid_list) > 0) {
960 OCSP_RESPID *id;
961
962 if (!CBS_get_u16_length_prefixed(&respid_list, &respid))
963 goto err;
964 p = CBS_data(&respid);
965 if ((id = d2i_OCSP_RESPID(NULL, &p, CBS_len(&respid))) == NULL)
966 goto err;
967 if (!sk_OCSP_RESPID_push(s->tlsext_ocsp_ids, id)) {
968 alert_desc = SSL_AD_INTERNAL_ERROR;
969 OCSP_RESPID_free(id);
970 goto err;
971 }
972 }
973
974 /* Read in request_extensions */
975 if (!CBS_get_u16_length_prefixed(cbs, &exts))
976 goto err;
977 if (CBS_len(&exts) > 0) {
978 sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts,
979 X509_EXTENSION_free);
980 p = CBS_data(&exts);
981 if ((s->tlsext_ocsp_exts = d2i_X509_EXTENSIONS(NULL,
982 &p, CBS_len(&exts))) == NULL)
983 goto err;
984 }
985
986 ret = 1;
987 err:
988 if (ret == 0)
989 *alert = alert_desc;
990 return ret;
991}
992
993static int
994tlsext_ocsp_server_needs(SSL *s, uint16_t msg_type)
995{
996 if (s->s3->hs.negotiated_tls_version >= TLS1_3_VERSION &&
997 s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp &&
998 s->ctx->tlsext_status_cb != NULL) {
999 s->tlsext_status_expected = 0;
1000 if (s->ctx->tlsext_status_cb(s,
1001 s->ctx->tlsext_status_arg) == SSL_TLSEXT_ERR_OK &&
1002 s->tlsext_ocsp_resp_len > 0)
1003 s->tlsext_status_expected = 1;
1004 }
1005 return s->tlsext_status_expected;
1006}
1007
1008static int
1009tlsext_ocsp_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
1010{
1011 CBB ocsp_response;
1012
1013 if (s->s3->hs.negotiated_tls_version >= TLS1_3_VERSION) {
1014 if (!CBB_add_u8(cbb, TLSEXT_STATUSTYPE_ocsp))
1015 return 0;
1016 if (!CBB_add_u24_length_prefixed(cbb, &ocsp_response))
1017 return 0;
1018 if (!CBB_add_bytes(&ocsp_response,
1019 s->tlsext_ocsp_resp,
1020 s->tlsext_ocsp_resp_len))
1021 return 0;
1022 if (!CBB_flush(cbb))
1023 return 0;
1024 }
1025 return 1;
1026}
1027
1028static int
1029tlsext_ocsp_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
1030{
1031 uint8_t status_type;
1032 CBS response;
1033
1034 if (ssl_effective_tls_version(s) >= TLS1_3_VERSION) {
1035 if (msg_type == SSL_TLSEXT_MSG_CR) {
1036 /*
1037 * RFC 8446, 4.4.2.1 - the server may request an OCSP
1038 * response with an empty status_request.
1039 */
1040 if (CBS_len(cbs) == 0)
1041 return 1;
1042
1043 SSLerror(s, SSL_R_LENGTH_MISMATCH);
1044 return 0;
1045 }
1046 if (!CBS_get_u8(cbs, &status_type)) {
1047 SSLerror(s, SSL_R_LENGTH_MISMATCH);
1048 return 0;
1049 }
1050 if (status_type != TLSEXT_STATUSTYPE_ocsp) {
1051 SSLerror(s, SSL_R_UNSUPPORTED_STATUS_TYPE);
1052 return 0;
1053 }
1054 if (!CBS_get_u24_length_prefixed(cbs, &response)) {
1055 SSLerror(s, SSL_R_LENGTH_MISMATCH);
1056 return 0;
1057 }
1058 if (CBS_len(&response) > 65536) {
1059 SSLerror(s, SSL_R_DATA_LENGTH_TOO_LONG);
1060 return 0;
1061 }
1062 if (!CBS_stow(&response, &s->tlsext_ocsp_resp,
1063 &s->tlsext_ocsp_resp_len)) {
1064 *alert = SSL_AD_INTERNAL_ERROR;
1065 return 0;
1066 }
1067 } else {
1068 if (s->tlsext_status_type == -1) {
1069 *alert = SSL_AD_UNSUPPORTED_EXTENSION;
1070 return 0;
1071 }
1072 /* Set flag to expect CertificateStatus message */
1073 s->tlsext_status_expected = 1;
1074 }
1075 return 1;
1076}
1077
1078/*
1079 * SessionTicket extension - RFC 5077 section 3.2
1080 */
1081static int
1082tlsext_sessionticket_client_needs(SSL *s, uint16_t msg_type)
1083{
1084 /*
1085 * Send session ticket extension when enabled and not overridden.
1086 *
1087 * When renegotiating, send an empty session ticket to indicate support.
1088 */
1089 if ((SSL_get_options(s) & SSL_OP_NO_TICKET) != 0)
1090 return 0;
1091
1092 if (!ssl_security_tickets(s))
1093 return 0;
1094
1095 if (s->new_session)
1096 return 1;
1097
1098 if (s->tlsext_session_ticket != NULL &&
1099 s->tlsext_session_ticket->data == NULL)
1100 return 0;
1101
1102 return 1;
1103}
1104
1105static int
1106tlsext_sessionticket_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
1107{
1108 /*
1109 * Signal that we support session tickets by sending an empty
1110 * extension when renegotiating or no session found.
1111 */
1112 if (s->new_session || s->session == NULL)
1113 return 1;
1114
1115 if (s->session->tlsext_tick != NULL) {
1116 /* Attempt to resume with an existing session ticket */
1117 if (!CBB_add_bytes(cbb, s->session->tlsext_tick,
1118 s->session->tlsext_ticklen))
1119 return 0;
1120
1121 } else if (s->tlsext_session_ticket != NULL) {
1122 /*
1123 * Attempt to resume with a custom provided session ticket set
1124 * by SSL_set_session_ticket_ext().
1125 */
1126 if (s->tlsext_session_ticket->length > 0) {
1127 size_t ticklen = s->tlsext_session_ticket->length;
1128
1129 if ((s->session->tlsext_tick = malloc(ticklen)) == NULL)
1130 return 0;
1131 memcpy(s->session->tlsext_tick,
1132 s->tlsext_session_ticket->data,
1133 ticklen);
1134 s->session->tlsext_ticklen = ticklen;
1135
1136 if (!CBB_add_bytes(cbb, s->session->tlsext_tick,
1137 s->session->tlsext_ticklen))
1138 return 0;
1139 }
1140 }
1141
1142 if (!CBB_flush(cbb))
1143 return 0;
1144
1145 return 1;
1146}
1147
1148static int
1149tlsext_sessionticket_server_parse(SSL *s, uint16_t msg_type, CBS *cbs,
1150 int *alert)
1151{
1152 if (s->tls_session_ticket_ext_cb) {
1153 if (!s->tls_session_ticket_ext_cb(s, CBS_data(cbs),
1154 (int)CBS_len(cbs),
1155 s->tls_session_ticket_ext_cb_arg)) {
1156 *alert = SSL_AD_INTERNAL_ERROR;
1157 return 0;
1158 }
1159 }
1160
1161 /* We need to signal that this was processed fully */
1162 if (!CBS_skip(cbs, CBS_len(cbs))) {
1163 *alert = SSL_AD_INTERNAL_ERROR;
1164 return 0;
1165 }
1166
1167 return 1;
1168}
1169
1170static int
1171tlsext_sessionticket_server_needs(SSL *s, uint16_t msg_type)
1172{
1173 return (s->tlsext_ticket_expected &&
1174 !(SSL_get_options(s) & SSL_OP_NO_TICKET) &&
1175 ssl_security_tickets(s));
1176}
1177
1178static int
1179tlsext_sessionticket_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
1180{
1181 /* Empty ticket */
1182 return 1;
1183}
1184
1185static int
1186tlsext_sessionticket_client_parse(SSL *s, uint16_t msg_type, CBS *cbs,
1187 int *alert)
1188{
1189 if (s->tls_session_ticket_ext_cb) {
1190 if (!s->tls_session_ticket_ext_cb(s, CBS_data(cbs),
1191 (int)CBS_len(cbs),
1192 s->tls_session_ticket_ext_cb_arg)) {
1193 *alert = SSL_AD_INTERNAL_ERROR;
1194 return 0;
1195 }
1196 }
1197
1198 if ((SSL_get_options(s) & SSL_OP_NO_TICKET) != 0 || CBS_len(cbs) > 0) {
1199 *alert = SSL_AD_UNSUPPORTED_EXTENSION;
1200 return 0;
1201 }
1202
1203 s->tlsext_ticket_expected = 1;
1204
1205 return 1;
1206}
1207
1208/*
1209 * DTLS extension for SRTP key establishment - RFC 5764
1210 */
1211
1212#ifndef OPENSSL_NO_SRTP
1213
1214static int
1215tlsext_srtp_client_needs(SSL *s, uint16_t msg_type)
1216{
1217 return SSL_is_dtls(s) && SSL_get_srtp_profiles(s) != NULL;
1218}
1219
1220static int
1221tlsext_srtp_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
1222{
1223 CBB profiles, mki;
1224 int ct, i;
1225 STACK_OF(SRTP_PROTECTION_PROFILE) *clnt = NULL;
1226 const SRTP_PROTECTION_PROFILE *prof;
1227
1228 if ((clnt = SSL_get_srtp_profiles(s)) == NULL) {
1229 SSLerror(s, SSL_R_EMPTY_SRTP_PROTECTION_PROFILE_LIST);
1230 return 0;
1231 }
1232
1233 if ((ct = sk_SRTP_PROTECTION_PROFILE_num(clnt)) < 1) {
1234 SSLerror(s, SSL_R_EMPTY_SRTP_PROTECTION_PROFILE_LIST);
1235 return 0;
1236 }
1237
1238 if (!CBB_add_u16_length_prefixed(cbb, &profiles))
1239 return 0;
1240
1241 for (i = 0; i < ct; i++) {
1242 if ((prof = sk_SRTP_PROTECTION_PROFILE_value(clnt, i)) == NULL)
1243 return 0;
1244 if (!CBB_add_u16(&profiles, prof->id))
1245 return 0;
1246 }
1247
1248 if (!CBB_add_u8_length_prefixed(cbb, &mki))
1249 return 0;
1250
1251 if (!CBB_flush(cbb))
1252 return 0;
1253
1254 return 1;
1255}
1256
1257static int
1258tlsext_srtp_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
1259{
1260 const SRTP_PROTECTION_PROFILE *cprof, *sprof;
1261 STACK_OF(SRTP_PROTECTION_PROFILE) *clnt = NULL, *srvr;
1262 int i, j;
1263 int ret;
1264 uint16_t id;
1265 CBS profiles, mki;
1266
1267 ret = 0;
1268
1269 if (!CBS_get_u16_length_prefixed(cbs, &profiles))
1270 goto err;
1271 if (CBS_len(&profiles) == 0 || CBS_len(&profiles) % 2 != 0)
1272 goto err;
1273
1274 if ((clnt = sk_SRTP_PROTECTION_PROFILE_new_null()) == NULL)
1275 goto err;
1276
1277 while (CBS_len(&profiles) > 0) {
1278 if (!CBS_get_u16(&profiles, &id))
1279 goto err;
1280
1281 if (!srtp_find_profile_by_num(id, &cprof)) {
1282 if (!sk_SRTP_PROTECTION_PROFILE_push(clnt, cprof))
1283 goto err;
1284 }
1285 }
1286
1287 if (!CBS_get_u8_length_prefixed(cbs, &mki) || CBS_len(&mki) != 0) {
1288 SSLerror(s, SSL_R_BAD_SRTP_MKI_VALUE);
1289 goto done;
1290 }
1291
1292 /*
1293 * Per RFC 5764 section 4.1.1
1294 *
1295 * Find the server preferred profile using the client's list.
1296 *
1297 * The server MUST send a profile if it sends the use_srtp
1298 * extension. If one is not found, it should fall back to the
1299 * negotiated DTLS cipher suite or return a DTLS alert.
1300 */
1301 if ((srvr = SSL_get_srtp_profiles(s)) == NULL)
1302 goto err;
1303 for (i = 0; i < sk_SRTP_PROTECTION_PROFILE_num(srvr); i++) {
1304 if ((sprof = sk_SRTP_PROTECTION_PROFILE_value(srvr, i)) == NULL)
1305 goto err;
1306
1307 for (j = 0; j < sk_SRTP_PROTECTION_PROFILE_num(clnt); j++) {
1308 if ((cprof = sk_SRTP_PROTECTION_PROFILE_value(clnt, j))
1309 == NULL)
1310 goto err;
1311
1312 if (cprof->id == sprof->id) {
1313 s->srtp_profile = sprof;
1314 ret = 1;
1315 goto done;
1316 }
1317 }
1318 }
1319
1320 /* If we didn't find anything, fall back to the negotiated */
1321 ret = 1;
1322 goto done;
1323
1324 err:
1325 SSLerror(s, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
1326
1327 done:
1328 sk_SRTP_PROTECTION_PROFILE_free(clnt);
1329 return ret;
1330}
1331
1332static int
1333tlsext_srtp_server_needs(SSL *s, uint16_t msg_type)
1334{
1335 return SSL_is_dtls(s) && SSL_get_selected_srtp_profile(s) != NULL;
1336}
1337
1338static int
1339tlsext_srtp_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
1340{
1341 SRTP_PROTECTION_PROFILE *profile;
1342 CBB srtp, mki;
1343
1344 if (!CBB_add_u16_length_prefixed(cbb, &srtp))
1345 return 0;
1346
1347 if ((profile = SSL_get_selected_srtp_profile(s)) == NULL)
1348 return 0;
1349
1350 if (!CBB_add_u16(&srtp, profile->id))
1351 return 0;
1352
1353 if (!CBB_add_u8_length_prefixed(cbb, &mki))
1354 return 0;
1355
1356 if (!CBB_flush(cbb))
1357 return 0;
1358
1359 return 1;
1360}
1361
1362static int
1363tlsext_srtp_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
1364{
1365 STACK_OF(SRTP_PROTECTION_PROFILE) *clnt;
1366 const SRTP_PROTECTION_PROFILE *prof;
1367 int i;
1368 uint16_t id;
1369 CBS profile_ids, mki;
1370
1371 if (!CBS_get_u16_length_prefixed(cbs, &profile_ids)) {
1372 SSLerror(s, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
1373 return 0;
1374 }
1375
1376 if (!CBS_get_u16(&profile_ids, &id) || CBS_len(&profile_ids) != 0) {
1377 SSLerror(s, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
1378 return 0;
1379 }
1380
1381 if (!CBS_get_u8_length_prefixed(cbs, &mki) || CBS_len(&mki) != 0) {
1382 SSLerror(s, SSL_R_BAD_SRTP_MKI_VALUE);
1383 *alert = SSL_AD_ILLEGAL_PARAMETER;
1384 return 0;
1385 }
1386
1387 if ((clnt = SSL_get_srtp_profiles(s)) == NULL) {
1388 SSLerror(s, SSL_R_NO_SRTP_PROFILES);
1389 return 0;
1390 }
1391
1392 for (i = 0; i < sk_SRTP_PROTECTION_PROFILE_num(clnt); i++) {
1393 if ((prof = sk_SRTP_PROTECTION_PROFILE_value(clnt, i))
1394 == NULL) {
1395 SSLerror(s, SSL_R_NO_SRTP_PROFILES);
1396 return 0;
1397 }
1398
1399 if (prof->id == id) {
1400 s->srtp_profile = prof;
1401 return 1;
1402 }
1403 }
1404
1405 SSLerror(s, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
1406
1407 return 0;
1408}
1409
1410#endif /* OPENSSL_NO_SRTP */
1411
1412/*
1413 * TLSv1.3 Key Share - RFC 8446 section 4.2.8.
1414 */
1415static int
1416tlsext_keyshare_client_needs(SSL *s, uint16_t msg_type)
1417{
1418 return (s->s3->hs.our_max_tls_version >= TLS1_3_VERSION);
1419}
1420
1421static int
1422tlsext_keyshare_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
1423{
1424 CBB client_shares, key_exchange;
1425
1426 if (!CBB_add_u16_length_prefixed(cbb, &client_shares))
1427 return 0;
1428
1429 if (!CBB_add_u16(&client_shares,
1430 tls_key_share_group(s->s3->hs.key_share)))
1431 return 0;
1432 if (!CBB_add_u16_length_prefixed(&client_shares, &key_exchange))
1433 return 0;
1434 if (!tls_key_share_public(s->s3->hs.key_share, &key_exchange))
1435 return 0;
1436
1437 if (!CBB_flush(cbb))
1438 return 0;
1439
1440 return 1;
1441}
1442
1443static int
1444tlsext_keyshare_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
1445{
1446 CBS client_shares, key_exchange;
1447 int decode_error;
1448 uint16_t group;
1449
1450 if (!CBS_get_u16_length_prefixed(cbs, &client_shares))
1451 return 0;
1452
1453 while (CBS_len(&client_shares) > 0) {
1454
1455 /* Unpack client share. */
1456 if (!CBS_get_u16(&client_shares, &group))
1457 return 0;
1458 if (!CBS_get_u16_length_prefixed(&client_shares, &key_exchange))
1459 return 0;
1460
1461 /*
1462 * XXX - check key exchange against supported groups from client.
1463 * XXX - check that groups only appear once.
1464 */
1465
1466 /*
1467 * Ignore this client share if we're using earlier than TLSv1.3
1468 * or we've already selected a key share.
1469 */
1470 if (s->s3->hs.our_max_tls_version < TLS1_3_VERSION)
1471 continue;
1472 if (s->s3->hs.key_share != NULL)
1473 continue;
1474
1475 /* XXX - consider implementing server preference. */
1476 if (!tls1_check_group(s, group))
1477 continue;
1478
1479 /* Decode and store the selected key share. */
1480 if ((s->s3->hs.key_share = tls_key_share_new(group)) == NULL) {
1481 *alert = SSL_AD_INTERNAL_ERROR;
1482 return 0;
1483 }
1484 if (!tls_key_share_peer_public(s->s3->hs.key_share,
1485 &key_exchange, &decode_error, NULL)) {
1486 if (!decode_error)
1487 *alert = SSL_AD_INTERNAL_ERROR;
1488 return 0;
1489 }
1490 }
1491
1492 return 1;
1493}
1494
1495static int
1496tlsext_keyshare_server_needs(SSL *s, uint16_t msg_type)
1497{
1498 return (s->s3->hs.negotiated_tls_version >= TLS1_3_VERSION &&
1499 tlsext_extension_seen(s, TLSEXT_TYPE_key_share));
1500}
1501
1502static int
1503tlsext_keyshare_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
1504{
1505 CBB key_exchange;
1506
1507 /* In the case of a HRR, we only send the server selected group. */
1508 if (s->s3->hs.tls13.hrr) {
1509 if (s->s3->hs.tls13.server_group == 0)
1510 return 0;
1511 return CBB_add_u16(cbb, s->s3->hs.tls13.server_group);
1512 }
1513
1514 if (s->s3->hs.key_share == NULL)
1515 return 0;
1516
1517 if (!CBB_add_u16(cbb, tls_key_share_group(s->s3->hs.key_share)))
1518 return 0;
1519 if (!CBB_add_u16_length_prefixed(cbb, &key_exchange))
1520 return 0;
1521 if (!tls_key_share_public(s->s3->hs.key_share, &key_exchange))
1522 return 0;
1523
1524 if (!CBB_flush(cbb))
1525 return 0;
1526
1527 return 1;
1528}
1529
1530static int
1531tlsext_keyshare_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
1532{
1533 CBS key_exchange;
1534 int decode_error;
1535 uint16_t group;
1536
1537 /* Unpack server share. */
1538 if (!CBS_get_u16(cbs, &group))
1539 return 0;
1540
1541 if (CBS_len(cbs) == 0) {
1542 /* HRR does not include an actual key share, only the group. */
1543 if (msg_type != SSL_TLSEXT_MSG_HRR)
1544 return 0;
1545
1546 s->s3->hs.tls13.server_group = group;
1547 return 1;
1548 }
1549
1550 if (!CBS_get_u16_length_prefixed(cbs, &key_exchange))
1551 return 0;
1552
1553 if (s->s3->hs.key_share == NULL) {
1554 *alert = SSL_AD_INTERNAL_ERROR;
1555 return 0;
1556 }
1557 if (tls_key_share_group(s->s3->hs.key_share) != group) {
1558 *alert = SSL_AD_INTERNAL_ERROR;
1559 return 0;
1560 }
1561 if (!tls_key_share_peer_public(s->s3->hs.key_share,
1562 &key_exchange, &decode_error, NULL)) {
1563 if (!decode_error)
1564 *alert = SSL_AD_INTERNAL_ERROR;
1565 return 0;
1566 }
1567
1568 return 1;
1569}
1570
1571/*
1572 * Supported Versions - RFC 8446 section 4.2.1.
1573 */
1574static int
1575tlsext_versions_client_needs(SSL *s, uint16_t msg_type)
1576{
1577 return (s->s3->hs.our_max_tls_version >= TLS1_3_VERSION);
1578}
1579
1580static int
1581tlsext_versions_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
1582{
1583 uint16_t max, min;
1584 uint16_t version;
1585 CBB versions;
1586
1587 max = s->s3->hs.our_max_tls_version;
1588 min = s->s3->hs.our_min_tls_version;
1589
1590 if (!CBB_add_u8_length_prefixed(cbb, &versions))
1591 return 0;
1592
1593 /* XXX - fix, but contiguous for now... */
1594 for (version = max; version >= min; version--) {
1595 if (!CBB_add_u16(&versions, version))
1596 return 0;
1597 }
1598
1599 if (!CBB_flush(cbb))
1600 return 0;
1601
1602 return 1;
1603}
1604
1605static int
1606tlsext_versions_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
1607{
1608 CBS versions;
1609 uint16_t version;
1610 uint16_t max, min;
1611 uint16_t matched_version = 0;
1612
1613 max = s->s3->hs.our_max_tls_version;
1614 min = s->s3->hs.our_min_tls_version;
1615
1616 if (!CBS_get_u8_length_prefixed(cbs, &versions))
1617 return 0;
1618
1619 while (CBS_len(&versions) > 0) {
1620 if (!CBS_get_u16(&versions, &version))
1621 return 0;
1622 /*
1623 * XXX What is below implements client preference, and
1624 * ignores any server preference entirely.
1625 */
1626 if (matched_version == 0 && version >= min && version <= max)
1627 matched_version = version;
1628 }
1629
1630 if (matched_version > 0) {
1631 /* XXX - this should be stored for later processing. */
1632 s->version = matched_version;
1633 return 1;
1634 }
1635
1636 *alert = SSL_AD_PROTOCOL_VERSION;
1637 return 0;
1638}
1639
1640static int
1641tlsext_versions_server_needs(SSL *s, uint16_t msg_type)
1642{
1643 return (s->s3->hs.negotiated_tls_version >= TLS1_3_VERSION);
1644}
1645
1646static int
1647tlsext_versions_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
1648{
1649 return CBB_add_u16(cbb, TLS1_3_VERSION);
1650}
1651
1652static int
1653tlsext_versions_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
1654{
1655 uint16_t selected_version;
1656
1657 if (!CBS_get_u16(cbs, &selected_version))
1658 return 0;
1659
1660 /* XXX - need to fix for DTLS 1.3 */
1661 if (selected_version < TLS1_3_VERSION) {
1662 *alert = SSL_AD_ILLEGAL_PARAMETER;
1663 return 0;
1664 }
1665
1666 /* XXX test between min and max once initialization code goes in */
1667 s->s3->hs.tls13.server_version = selected_version;
1668
1669 return 1;
1670}
1671
1672
1673/*
1674 * Cookie - RFC 8446 section 4.2.2.
1675 */
1676
1677static int
1678tlsext_cookie_client_needs(SSL *s, uint16_t msg_type)
1679{
1680 return (s->s3->hs.our_max_tls_version >= TLS1_3_VERSION &&
1681 s->s3->hs.tls13.cookie_len > 0 && s->s3->hs.tls13.cookie != NULL);
1682}
1683
1684static int
1685tlsext_cookie_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
1686{
1687 CBB cookie;
1688
1689 if (!CBB_add_u16_length_prefixed(cbb, &cookie))
1690 return 0;
1691
1692 if (!CBB_add_bytes(&cookie, s->s3->hs.tls13.cookie,
1693 s->s3->hs.tls13.cookie_len))
1694 return 0;
1695
1696 if (!CBB_flush(cbb))
1697 return 0;
1698
1699 return 1;
1700}
1701
1702static int
1703tlsext_cookie_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
1704{
1705 CBS cookie;
1706
1707 if (!CBS_get_u16_length_prefixed(cbs, &cookie))
1708 return 0;
1709
1710 if (CBS_len(&cookie) != s->s3->hs.tls13.cookie_len)
1711 return 0;
1712
1713 /*
1714 * Check provided cookie value against what server previously
1715 * sent - client *MUST* send the same cookie with new CR after
1716 * a cookie is sent by the server with an HRR.
1717 */
1718 if (!CBS_mem_equal(&cookie, s->s3->hs.tls13.cookie,
1719 s->s3->hs.tls13.cookie_len)) {
1720 /* XXX special cookie mismatch alert? */
1721 *alert = SSL_AD_ILLEGAL_PARAMETER;
1722 return 0;
1723 }
1724
1725 return 1;
1726}
1727
1728static int
1729tlsext_cookie_server_needs(SSL *s, uint16_t msg_type)
1730{
1731 /*
1732 * Server needs to set cookie value in tls13 handshake
1733 * in order to send one, should only be sent with HRR.
1734 */
1735 return (s->s3->hs.our_max_tls_version >= TLS1_3_VERSION &&
1736 s->s3->hs.tls13.cookie_len > 0 && s->s3->hs.tls13.cookie != NULL);
1737}
1738
1739static int
1740tlsext_cookie_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
1741{
1742 CBB cookie;
1743
1744 /* XXX deduplicate with client code */
1745
1746 if (!CBB_add_u16_length_prefixed(cbb, &cookie))
1747 return 0;
1748
1749 if (!CBB_add_bytes(&cookie, s->s3->hs.tls13.cookie,
1750 s->s3->hs.tls13.cookie_len))
1751 return 0;
1752
1753 if (!CBB_flush(cbb))
1754 return 0;
1755
1756 return 1;
1757}
1758
1759static int
1760tlsext_cookie_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
1761{
1762 CBS cookie;
1763
1764 /*
1765 * XXX This currently assumes we will not get a second
1766 * HRR from a server with a cookie to process after accepting
1767 * one from the server in the same handshake
1768 */
1769 if (s->s3->hs.tls13.cookie != NULL ||
1770 s->s3->hs.tls13.cookie_len != 0) {
1771 *alert = SSL_AD_ILLEGAL_PARAMETER;
1772 return 0;
1773 }
1774
1775 if (!CBS_get_u16_length_prefixed(cbs, &cookie))
1776 return 0;
1777
1778 if (!CBS_stow(&cookie, &s->s3->hs.tls13.cookie,
1779 &s->s3->hs.tls13.cookie_len))
1780 return 0;
1781
1782 return 1;
1783}
1784
1785/*
1786 * Pre-Shared Key Exchange Modes - RFC 8446, 4.2.9.
1787 */
1788
1789static int
1790tlsext_psk_kex_modes_client_needs(SSL *s, uint16_t msg_type)
1791{
1792 return (s->s3->hs.tls13.use_psk_dhe_ke &&
1793 s->s3->hs.our_max_tls_version >= TLS1_3_VERSION);
1794}
1795
1796static int
1797tlsext_psk_kex_modes_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
1798{
1799 CBB ke_modes;
1800
1801 if (!CBB_add_u8_length_prefixed(cbb, &ke_modes))
1802 return 0;
1803
1804 /* Only indicate support for PSK with DHE key establishment. */
1805 if (!CBB_add_u8(&ke_modes, TLS13_PSK_DHE_KE))
1806 return 0;
1807
1808 if (!CBB_flush(cbb))
1809 return 0;
1810
1811 return 1;
1812}
1813
1814static int
1815tlsext_psk_kex_modes_server_parse(SSL *s, uint16_t msg_type, CBS *cbs,
1816 int *alert)
1817{
1818 CBS ke_modes;
1819 uint8_t ke_mode;
1820
1821 if (!CBS_get_u8_length_prefixed(cbs, &ke_modes))
1822 return 0;
1823
1824 while (CBS_len(&ke_modes) > 0) {
1825 if (!CBS_get_u8(&ke_modes, &ke_mode))
1826 return 0;
1827
1828 if (ke_mode == TLS13_PSK_DHE_KE)
1829 s->s3->hs.tls13.use_psk_dhe_ke = 1;
1830 }
1831
1832 return 1;
1833}
1834
1835static int
1836tlsext_psk_kex_modes_server_needs(SSL *s, uint16_t msg_type)
1837{
1838 /* Servers MUST NOT send this extension. */
1839 return 0;
1840}
1841
1842static int
1843tlsext_psk_kex_modes_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
1844{
1845 return 0;
1846}
1847
1848static int
1849tlsext_psk_kex_modes_client_parse(SSL *s, uint16_t msg_type, CBS *cbs,
1850 int *alert)
1851{
1852 return 0;
1853}
1854
1855/*
1856 * Pre-Shared Key Extension - RFC 8446, 4.2.11
1857 */
1858
1859static int
1860tlsext_psk_client_needs(SSL *s, uint16_t msg_type)
1861{
1862 return 0;
1863}
1864
1865static int
1866tlsext_psk_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
1867{
1868 return 0;
1869}
1870
1871static int
1872tlsext_psk_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
1873{
1874 return CBS_skip(cbs, CBS_len(cbs));
1875}
1876
1877static int
1878tlsext_psk_server_needs(SSL *s, uint16_t msg_type)
1879{
1880 return 0;
1881}
1882
1883static int
1884tlsext_psk_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
1885{
1886 return 0;
1887}
1888
1889static int
1890tlsext_psk_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
1891{
1892 return CBS_skip(cbs, CBS_len(cbs));
1893}
1894
1895/*
1896 * QUIC transport parameters extension - RFC 9001 section 8.2.
1897 */
1898
1899static int
1900tlsext_quic_transport_parameters_client_needs(SSL *s, uint16_t msg_type)
1901{
1902 return SSL_is_quic(s) && s->quic_transport_params_len > 0;
1903}
1904
1905static int
1906tlsext_quic_transport_parameters_client_build(SSL *s, uint16_t msg_type,
1907 CBB *cbb)
1908{
1909 if (!CBB_add_bytes(cbb, s->quic_transport_params,
1910 s->quic_transport_params_len))
1911 return 0;
1912
1913 return 1;
1914}
1915
1916static int
1917tlsext_quic_transport_parameters_client_parse(SSL *s, uint16_t msg_type,
1918 CBS *cbs, int *alert)
1919{
1920 if (!SSL_is_quic(s)) {
1921 *alert = SSL_AD_UNSUPPORTED_EXTENSION;
1922 return 0;
1923 }
1924
1925 if (!CBS_stow(cbs, &s->s3->peer_quic_transport_params,
1926 &s->s3->peer_quic_transport_params_len))
1927 return 0;
1928 if (!CBS_skip(cbs, s->s3->peer_quic_transport_params_len))
1929 return 0;
1930
1931 return 1;
1932}
1933
1934static int
1935tlsext_quic_transport_parameters_server_needs(SSL *s, uint16_t msg_type)
1936{
1937 return SSL_is_quic(s) && s->quic_transport_params_len > 0;
1938}
1939
1940static int
1941tlsext_quic_transport_parameters_server_build(SSL *s, uint16_t msg_type,
1942 CBB *cbb)
1943{
1944 if (!CBB_add_bytes(cbb, s->quic_transport_params,
1945 s->quic_transport_params_len))
1946 return 0;
1947
1948 return 1;
1949}
1950
1951static int
1952tlsext_quic_transport_parameters_server_parse(SSL *s, uint16_t msg_type,
1953 CBS *cbs, int *alert)
1954{
1955 if (!SSL_is_quic(s)) {
1956 *alert = SSL_AD_UNSUPPORTED_EXTENSION;
1957 return 0;
1958 }
1959
1960 if (!CBS_stow(cbs, &s->s3->peer_quic_transport_params,
1961 &s->s3->peer_quic_transport_params_len))
1962 return 0;
1963 if (!CBS_skip(cbs, s->s3->peer_quic_transport_params_len))
1964 return 0;
1965
1966 return 1;
1967}
1968
1969struct tls_extension_funcs {
1970 int (*needs)(SSL *s, uint16_t msg_type);
1971 int (*build)(SSL *s, uint16_t msg_type, CBB *cbb);
1972 int (*parse)(SSL *s, uint16_t msg_type, CBS *cbs, int *alert);
1973};
1974
1975struct tls_extension {
1976 uint16_t type;
1977 uint16_t messages;
1978 struct tls_extension_funcs client;
1979 struct tls_extension_funcs server;
1980};
1981
1982static const struct tls_extension tls_extensions[] = {
1983 {
1984 .type = TLSEXT_TYPE_supported_versions,
1985 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH |
1986 SSL_TLSEXT_MSG_HRR,
1987 .client = {
1988 .needs = tlsext_versions_client_needs,
1989 .build = tlsext_versions_client_build,
1990 .parse = tlsext_versions_client_parse,
1991 },
1992 .server = {
1993 .needs = tlsext_versions_server_needs,
1994 .build = tlsext_versions_server_build,
1995 .parse = tlsext_versions_server_parse,
1996 },
1997 },
1998 {
1999 .type = TLSEXT_TYPE_key_share,
2000 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH |
2001 SSL_TLSEXT_MSG_HRR,
2002 .client = {
2003 .needs = tlsext_keyshare_client_needs,
2004 .build = tlsext_keyshare_client_build,
2005 .parse = tlsext_keyshare_client_parse,
2006 },
2007 .server = {
2008 .needs = tlsext_keyshare_server_needs,
2009 .build = tlsext_keyshare_server_build,
2010 .parse = tlsext_keyshare_server_parse,
2011 },
2012 },
2013 {
2014 .type = TLSEXT_TYPE_server_name,
2015 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_EE,
2016 .client = {
2017 .needs = tlsext_sni_client_needs,
2018 .build = tlsext_sni_client_build,
2019 .parse = tlsext_sni_client_parse,
2020 },
2021 .server = {
2022 .needs = tlsext_sni_server_needs,
2023 .build = tlsext_sni_server_build,
2024 .parse = tlsext_sni_server_parse,
2025 },
2026 },
2027 {
2028 .type = TLSEXT_TYPE_renegotiate,
2029 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH,
2030 .client = {
2031 .needs = tlsext_ri_client_needs,
2032 .build = tlsext_ri_client_build,
2033 .parse = tlsext_ri_client_parse,
2034 },
2035 .server = {
2036 .needs = tlsext_ri_server_needs,
2037 .build = tlsext_ri_server_build,
2038 .parse = tlsext_ri_server_parse,
2039 },
2040 },
2041 {
2042 .type = TLSEXT_TYPE_status_request,
2043 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_CR |
2044 SSL_TLSEXT_MSG_CT,
2045 .client = {
2046 .needs = tlsext_ocsp_client_needs,
2047 .build = tlsext_ocsp_client_build,
2048 .parse = tlsext_ocsp_client_parse,
2049 },
2050 .server = {
2051 .needs = tlsext_ocsp_server_needs,
2052 .build = tlsext_ocsp_server_build,
2053 .parse = tlsext_ocsp_server_parse,
2054 },
2055 },
2056 {
2057 .type = TLSEXT_TYPE_ec_point_formats,
2058 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH,
2059 .client = {
2060 .needs = tlsext_ecpf_client_needs,
2061 .build = tlsext_ecpf_client_build,
2062 .parse = tlsext_ecpf_client_parse,
2063 },
2064 .server = {
2065 .needs = tlsext_ecpf_server_needs,
2066 .build = tlsext_ecpf_server_build,
2067 .parse = tlsext_ecpf_server_parse,
2068 },
2069 },
2070 {
2071 .type = TLSEXT_TYPE_supported_groups,
2072 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_EE,
2073 .client = {
2074 .needs = tlsext_supportedgroups_client_needs,
2075 .build = tlsext_supportedgroups_client_build,
2076 .parse = tlsext_supportedgroups_client_parse,
2077 },
2078 .server = {
2079 .needs = tlsext_supportedgroups_server_needs,
2080 .build = tlsext_supportedgroups_server_build,
2081 .parse = tlsext_supportedgroups_server_parse,
2082 },
2083 },
2084 {
2085 .type = TLSEXT_TYPE_session_ticket,
2086 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH,
2087 .client = {
2088 .needs = tlsext_sessionticket_client_needs,
2089 .build = tlsext_sessionticket_client_build,
2090 .parse = tlsext_sessionticket_client_parse,
2091 },
2092 .server = {
2093 .needs = tlsext_sessionticket_server_needs,
2094 .build = tlsext_sessionticket_server_build,
2095 .parse = tlsext_sessionticket_server_parse,
2096 },
2097 },
2098 {
2099 .type = TLSEXT_TYPE_signature_algorithms,
2100 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_CR,
2101 .client = {
2102 .needs = tlsext_sigalgs_client_needs,
2103 .build = tlsext_sigalgs_client_build,
2104 .parse = tlsext_sigalgs_client_parse,
2105 },
2106 .server = {
2107 .needs = tlsext_sigalgs_server_needs,
2108 .build = tlsext_sigalgs_server_build,
2109 .parse = tlsext_sigalgs_server_parse,
2110 },
2111 },
2112 {
2113 .type = TLSEXT_TYPE_application_layer_protocol_negotiation,
2114 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_EE,
2115 .client = {
2116 .needs = tlsext_alpn_client_needs,
2117 .build = tlsext_alpn_client_build,
2118 .parse = tlsext_alpn_client_parse,
2119 },
2120 .server = {
2121 .needs = tlsext_alpn_server_needs,
2122 .build = tlsext_alpn_server_build,
2123 .parse = tlsext_alpn_server_parse,
2124 },
2125 },
2126 {
2127 .type = TLSEXT_TYPE_cookie,
2128 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_HRR,
2129 .client = {
2130 .needs = tlsext_cookie_client_needs,
2131 .build = tlsext_cookie_client_build,
2132 .parse = tlsext_cookie_client_parse,
2133 },
2134 .server = {
2135 .needs = tlsext_cookie_server_needs,
2136 .build = tlsext_cookie_server_build,
2137 .parse = tlsext_cookie_server_parse,
2138 },
2139 },
2140#ifndef OPENSSL_NO_SRTP
2141 {
2142 .type = TLSEXT_TYPE_use_srtp,
2143 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH /* XXX */ |
2144 SSL_TLSEXT_MSG_EE,
2145 .client = {
2146 .needs = tlsext_srtp_client_needs,
2147 .build = tlsext_srtp_client_build,
2148 .parse = tlsext_srtp_client_parse,
2149 },
2150 .server = {
2151 .needs = tlsext_srtp_server_needs,
2152 .build = tlsext_srtp_server_build,
2153 .parse = tlsext_srtp_server_parse,
2154 },
2155 },
2156#endif /* OPENSSL_NO_SRTP */
2157 {
2158 .type = TLSEXT_TYPE_quic_transport_parameters,
2159 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_EE,
2160 .client = {
2161 .needs = tlsext_quic_transport_parameters_client_needs,
2162 .build = tlsext_quic_transport_parameters_client_build,
2163 .parse = tlsext_quic_transport_parameters_client_parse,
2164 },
2165 .server = {
2166 .needs = tlsext_quic_transport_parameters_server_needs,
2167 .build = tlsext_quic_transport_parameters_server_build,
2168 .parse = tlsext_quic_transport_parameters_server_parse,
2169 },
2170 },
2171 {
2172 .type = TLSEXT_TYPE_psk_key_exchange_modes,
2173 .messages = SSL_TLSEXT_MSG_CH,
2174 .client = {
2175 .needs = tlsext_psk_kex_modes_client_needs,
2176 .build = tlsext_psk_kex_modes_client_build,
2177 .parse = tlsext_psk_kex_modes_client_parse,
2178 },
2179 .server = {
2180 .needs = tlsext_psk_kex_modes_server_needs,
2181 .build = tlsext_psk_kex_modes_server_build,
2182 .parse = tlsext_psk_kex_modes_server_parse,
2183 },
2184 },
2185 {
2186 /* MUST be last extension in CH per RFC 8446 section 4.2. */
2187
2188 .type = TLSEXT_TYPE_pre_shared_key,
2189 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH,
2190 .client = {
2191 .needs = tlsext_psk_client_needs,
2192 .build = tlsext_psk_client_build,
2193 .parse = tlsext_psk_client_parse,
2194 },
2195 .server = {
2196 .needs = tlsext_psk_server_needs,
2197 .build = tlsext_psk_server_build,
2198 .parse = tlsext_psk_server_parse,
2199 },
2200 },
2201};
2202
2203#define N_TLS_EXTENSIONS (sizeof(tls_extensions) / sizeof(*tls_extensions))
2204
2205/* Ensure that extensions fit in a uint32_t bitmask. */
2206CTASSERT(N_TLS_EXTENSIONS <= (sizeof(uint32_t) * 8));
2207
2208const struct tls_extension *
2209tls_extension_find(uint16_t type, size_t *tls_extensions_idx)
2210{
2211 size_t i;
2212
2213 for (i = 0; i < N_TLS_EXTENSIONS; i++) {
2214 if (tls_extensions[i].type == type) {
2215 *tls_extensions_idx = i;
2216 return &tls_extensions[i];
2217 }
2218 }
2219
2220 return NULL;
2221}
2222
2223int
2224tlsext_extension_seen(SSL *s, uint16_t type)
2225{
2226 size_t idx;
2227
2228 if (tls_extension_find(type, &idx) == NULL)
2229 return 0;
2230 return ((s->s3->hs.extensions_seen & (1 << idx)) != 0);
2231}
2232
2233const struct tls_extension_funcs *
2234tlsext_funcs(const struct tls_extension *tlsext, int is_server)
2235{
2236 if (is_server)
2237 return &tlsext->server;
2238
2239 return &tlsext->client;
2240}
2241
2242static int
2243tlsext_build(SSL *s, int is_server, uint16_t msg_type, CBB *cbb)
2244{
2245 const struct tls_extension_funcs *ext;
2246 const struct tls_extension *tlsext;
2247 CBB extensions, extension_data;
2248 int extensions_present = 0;
2249 uint16_t tls_version;
2250 size_t i;
2251
2252 tls_version = ssl_effective_tls_version(s);
2253
2254 if (!CBB_add_u16_length_prefixed(cbb, &extensions))
2255 return 0;
2256
2257 for (i = 0; i < N_TLS_EXTENSIONS; i++) {
2258 tlsext = &tls_extensions[i];
2259 ext = tlsext_funcs(tlsext, is_server);
2260
2261 /* RFC 8446 Section 4.2 */
2262 if (tls_version >= TLS1_3_VERSION &&
2263 !(tlsext->messages & msg_type))
2264 continue;
2265
2266 if (!ext->needs(s, msg_type))
2267 continue;
2268
2269 if (!CBB_add_u16(&extensions, tlsext->type))
2270 return 0;
2271 if (!CBB_add_u16_length_prefixed(&extensions, &extension_data))
2272 return 0;
2273
2274 if (!ext->build(s, msg_type, &extension_data))
2275 return 0;
2276
2277 extensions_present = 1;
2278 }
2279
2280 if (!extensions_present &&
2281 (msg_type & (SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH)) != 0)
2282 CBB_discard_child(cbb);
2283
2284 if (!CBB_flush(cbb))
2285 return 0;
2286
2287 return 1;
2288}
2289
2290int
2291tlsext_clienthello_hash_extension(SSL *s, uint16_t type, CBS *cbs)
2292{
2293 /*
2294 * RFC 8446 4.1.2. For subsequent CH, early data will be removed,
2295 * cookie may be added, padding may be removed.
2296 */
2297 struct tls13_ctx *ctx = s->tls13;
2298
2299 if (type == TLSEXT_TYPE_early_data || type == TLSEXT_TYPE_cookie ||
2300 type == TLSEXT_TYPE_padding)
2301 return 1;
2302 if (!tls13_clienthello_hash_update_bytes(ctx, (void *)&type,
2303 sizeof(type)))
2304 return 0;
2305 /*
2306 * key_share data may be changed, and pre_shared_key data may
2307 * be changed
2308 */
2309 if (type == TLSEXT_TYPE_pre_shared_key || type == TLSEXT_TYPE_key_share)
2310 return 1;
2311 if (!tls13_clienthello_hash_update(ctx, cbs))
2312 return 0;
2313
2314 return 1;
2315}
2316
2317static int
2318tlsext_parse(SSL *s, int is_server, uint16_t msg_type, CBS *cbs, int *alert)
2319{
2320 const struct tls_extension_funcs *ext;
2321 const struct tls_extension *tlsext;
2322 CBS extensions, extension_data;
2323 uint16_t type;
2324 size_t idx;
2325 uint16_t tls_version;
2326 int alert_desc;
2327
2328 tls_version = ssl_effective_tls_version(s);
2329
2330 s->s3->hs.extensions_seen = 0;
2331
2332 /* An empty extensions block is valid. */
2333 if (CBS_len(cbs) == 0)
2334 return 1;
2335
2336 alert_desc = SSL_AD_DECODE_ERROR;
2337
2338 if (!CBS_get_u16_length_prefixed(cbs, &extensions))
2339 goto err;
2340
2341 while (CBS_len(&extensions) > 0) {
2342 if (!CBS_get_u16(&extensions, &type))
2343 goto err;
2344 if (!CBS_get_u16_length_prefixed(&extensions, &extension_data))
2345 goto err;
2346
2347 if (s->tlsext_debug_cb != NULL)
2348 s->tlsext_debug_cb(s, !is_server, type,
2349 (unsigned char *)CBS_data(&extension_data),
2350 CBS_len(&extension_data),
2351 s->tlsext_debug_arg);
2352
2353 /* Unknown extensions are ignored. */
2354 if ((tlsext = tls_extension_find(type, &idx)) == NULL)
2355 continue;
2356
2357 if (tls_version >= TLS1_3_VERSION && is_server &&
2358 msg_type == SSL_TLSEXT_MSG_CH) {
2359 if (!tlsext_clienthello_hash_extension(s, type,
2360 &extension_data))
2361 goto err;
2362 }
2363
2364 /* RFC 8446 Section 4.2 */
2365 if (tls_version >= TLS1_3_VERSION &&
2366 !(tlsext->messages & msg_type)) {
2367 alert_desc = SSL_AD_ILLEGAL_PARAMETER;
2368 goto err;
2369 }
2370
2371 /* Check for duplicate known extensions. */
2372 if ((s->s3->hs.extensions_seen & (1 << idx)) != 0)
2373 goto err;
2374 s->s3->hs.extensions_seen |= (1 << idx);
2375
2376 ext = tlsext_funcs(tlsext, is_server);
2377 if (!ext->parse(s, msg_type, &extension_data, &alert_desc))
2378 goto err;
2379
2380 if (CBS_len(&extension_data) != 0)
2381 goto err;
2382 }
2383
2384 return 1;
2385
2386 err:
2387 *alert = alert_desc;
2388
2389 return 0;
2390}
2391
2392static void
2393tlsext_server_reset_state(SSL *s)
2394{
2395 s->tlsext_status_type = -1;
2396 s->s3->renegotiate_seen = 0;
2397 free(s->s3->alpn_selected);
2398 s->s3->alpn_selected = NULL;
2399 s->s3->alpn_selected_len = 0;
2400 s->srtp_profile = NULL;
2401}
2402
2403int
2404tlsext_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
2405{
2406 return tlsext_build(s, 1, msg_type, cbb);
2407}
2408
2409int
2410tlsext_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
2411{
2412 /* XXX - this should be done by the caller... */
2413 if (msg_type == SSL_TLSEXT_MSG_CH)
2414 tlsext_server_reset_state(s);
2415
2416 return tlsext_parse(s, 1, msg_type, cbs, alert);
2417}
2418
2419static void
2420tlsext_client_reset_state(SSL *s)
2421{
2422 s->s3->renegotiate_seen = 0;
2423 free(s->s3->alpn_selected);
2424 s->s3->alpn_selected = NULL;
2425 s->s3->alpn_selected_len = 0;
2426}
2427
2428int
2429tlsext_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
2430{
2431 return tlsext_build(s, 0, msg_type, cbb);
2432}
2433
2434int
2435tlsext_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
2436{
2437 /* XXX - this should be done by the caller... */
2438 if (msg_type == SSL_TLSEXT_MSG_SH)
2439 tlsext_client_reset_state(s);
2440
2441 return tlsext_parse(s, 0, msg_type, cbs, alert);
2442}
diff --git a/src/lib/libssl/ssl_tlsext.h b/src/lib/libssl/ssl_tlsext.h
deleted file mode 100644
index 7a41c8095d..0000000000
--- a/src/lib/libssl/ssl_tlsext.h
+++ /dev/null
@@ -1,47 +0,0 @@
1/* $OpenBSD: ssl_tlsext.h,v 1.32 2022/08/04 09:27:36 tb Exp $ */
2/*
3 * Copyright (c) 2016, 2017 Joel Sing <jsing@openbsd.org>
4 * Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
5 * Copyright (c) 2019 Bob Beck <beck@openbsd.org>
6 *
7 * Permission to use, copy, modify, and distribute this software for any
8 * purpose with or without fee is hereby granted, provided that the above
9 * copyright notice and this permission notice appear in all copies.
10 *
11 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
12 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
13 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
14 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
15 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
16 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
17 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18 */
19
20#ifndef HEADER_SSL_TLSEXT_H
21#define HEADER_SSL_TLSEXT_H
22
23/* TLSv1.3 - RFC 8446 Section 4.2. */
24#define SSL_TLSEXT_MSG_CH 0x0001 /* ClientHello */
25#define SSL_TLSEXT_MSG_SH 0x0002 /* ServerHello */
26#define SSL_TLSEXT_MSG_EE 0x0004 /* EncryptedExtension */
27#define SSL_TLSEXT_MSG_CT 0x0008 /* Certificate */
28#define SSL_TLSEXT_MSG_CR 0x0010 /* CertificateRequest */
29#define SSL_TLSEXT_MSG_NST 0x0020 /* NewSessionTicket */
30#define SSL_TLSEXT_MSG_HRR 0x0040 /* HelloRetryRequest */
31
32__BEGIN_HIDDEN_DECLS
33
34int tlsext_alpn_check_format(CBS *cbs);
35int tlsext_sni_is_valid_hostname(CBS *cbs, int *is_ip);
36
37int tlsext_client_build(SSL *s, uint16_t msg_type, CBB *cbb);
38int tlsext_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert);
39
40int tlsext_server_build(SSL *s, uint16_t msg_type, CBB *cbb);
41int tlsext_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert);
42
43int tlsext_extension_seen(SSL *s, uint16_t);
44
45__END_HIDDEN_DECLS
46
47#endif
diff --git a/src/lib/libssl/ssl_transcript.c b/src/lib/libssl/ssl_transcript.c
deleted file mode 100644
index 22cd6c3cfa..0000000000
--- a/src/lib/libssl/ssl_transcript.c
+++ /dev/null
@@ -1,197 +0,0 @@
1/* $OpenBSD: ssl_transcript.c,v 1.9 2022/11/26 16:08:56 tb Exp $ */
2/*
3 * Copyright (c) 2017 Joel Sing <jsing@openbsd.org>
4 *
5 * Permission to use, copy, modify, and distribute this software for any
6 * purpose with or without fee is hereby granted, provided that the above
7 * copyright notice and this permission notice appear in all copies.
8 *
9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16 */
17
18#include <openssl/ssl.h>
19
20#include "ssl_local.h"
21#include "tls_internal.h"
22
23int
24tls1_transcript_hash_init(SSL *s)
25{
26 const unsigned char *data;
27 const EVP_MD *md;
28 size_t len;
29
30 tls1_transcript_hash_free(s);
31
32 if (!ssl_get_handshake_evp_md(s, &md)) {
33 SSLerrorx(ERR_R_INTERNAL_ERROR);
34 goto err;
35 }
36
37 if ((s->s3->handshake_hash = EVP_MD_CTX_new()) == NULL) {
38 SSLerror(s, ERR_R_MALLOC_FAILURE);
39 goto err;
40 }
41 if (!EVP_DigestInit_ex(s->s3->handshake_hash, md, NULL)) {
42 SSLerror(s, ERR_R_EVP_LIB);
43 goto err;
44 }
45
46 if (!tls1_transcript_data(s, &data, &len)) {
47 SSLerror(s, SSL_R_BAD_HANDSHAKE_LENGTH);
48 goto err;
49 }
50 if (!tls1_transcript_hash_update(s, data, len)) {
51 SSLerror(s, ERR_R_EVP_LIB);
52 goto err;
53 }
54
55 return 1;
56
57 err:
58 tls1_transcript_hash_free(s);
59
60 return 0;
61}
62
63int
64tls1_transcript_hash_update(SSL *s, const unsigned char *buf, size_t len)
65{
66 if (s->s3->handshake_hash == NULL)
67 return 1;
68
69 return EVP_DigestUpdate(s->s3->handshake_hash, buf, len);
70}
71
72int
73tls1_transcript_hash_value(SSL *s, unsigned char *out, size_t len,
74 size_t *outlen)
75{
76 EVP_MD_CTX *mdctx = NULL;
77 unsigned int mdlen;
78 int ret = 0;
79
80 if (s->s3->handshake_hash == NULL)
81 goto err;
82
83 if (EVP_MD_CTX_size(s->s3->handshake_hash) > len)
84 goto err;
85
86 if ((mdctx = EVP_MD_CTX_new()) == NULL) {
87 SSLerror(s, ERR_R_MALLOC_FAILURE);
88 goto err;
89 }
90 if (!EVP_MD_CTX_copy_ex(mdctx, s->s3->handshake_hash)) {
91 SSLerror(s, ERR_R_EVP_LIB);
92 goto err;
93 }
94 if (!EVP_DigestFinal_ex(mdctx, out, &mdlen)) {
95 SSLerror(s, ERR_R_EVP_LIB);
96 goto err;
97 }
98 if (outlen != NULL)
99 *outlen = mdlen;
100
101 ret = 1;
102
103 err:
104 EVP_MD_CTX_free(mdctx);
105
106 return (ret);
107}
108
109void
110tls1_transcript_hash_free(SSL *s)
111{
112 EVP_MD_CTX_free(s->s3->handshake_hash);
113 s->s3->handshake_hash = NULL;
114}
115
116int
117tls1_transcript_init(SSL *s)
118{
119 if (s->s3->handshake_transcript != NULL)
120 return 0;
121
122 if ((s->s3->handshake_transcript = tls_buffer_new(0)) == NULL)
123 return 0;
124
125 tls1_transcript_reset(s);
126
127 return 1;
128}
129
130void
131tls1_transcript_free(SSL *s)
132{
133 tls_buffer_free(s->s3->handshake_transcript);
134 s->s3->handshake_transcript = NULL;
135}
136
137void
138tls1_transcript_reset(SSL *s)
139{
140 tls_buffer_clear(s->s3->handshake_transcript);
141
142 tls1_transcript_unfreeze(s);
143}
144
145int
146tls1_transcript_append(SSL *s, const unsigned char *buf, size_t len)
147{
148 if (s->s3->handshake_transcript == NULL)
149 return 1;
150
151 if (s->s3->flags & TLS1_FLAGS_FREEZE_TRANSCRIPT)
152 return 1;
153
154 return tls_buffer_append(s->s3->handshake_transcript, buf, len);
155}
156
157int
158tls1_transcript_data(SSL *s, const unsigned char **data, size_t *len)
159{
160 CBS cbs;
161
162 if (s->s3->handshake_transcript == NULL)
163 return 0;
164
165 if (!tls_buffer_data(s->s3->handshake_transcript, &cbs))
166 return 0;
167
168 /* XXX - change to caller providing a CBS argument. */
169 *data = CBS_data(&cbs);
170 *len = CBS_len(&cbs);
171
172 return 1;
173}
174
175void
176tls1_transcript_freeze(SSL *s)
177{
178 s->s3->flags |= TLS1_FLAGS_FREEZE_TRANSCRIPT;
179}
180
181void
182tls1_transcript_unfreeze(SSL *s)
183{
184 s->s3->flags &= ~TLS1_FLAGS_FREEZE_TRANSCRIPT;
185}
186
187int
188tls1_transcript_record(SSL *s, const unsigned char *buf, size_t len)
189{
190 if (!tls1_transcript_hash_update(s, buf, len))
191 return 0;
192
193 if (!tls1_transcript_append(s, buf, len))
194 return 0;
195
196 return 1;
197}
diff --git a/src/lib/libssl/ssl_txt.c b/src/lib/libssl/ssl_txt.c
deleted file mode 100644
index 270e60a389..0000000000
--- a/src/lib/libssl/ssl_txt.c
+++ /dev/null
@@ -1,199 +0,0 @@
1/* $OpenBSD: ssl_txt.c,v 1.36 2022/11/26 16:08:56 tb Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58/* ====================================================================
59 * Copyright 2005 Nokia. All rights reserved.
60 *
61 * The portions of the attached software ("Contribution") is developed by
62 * Nokia Corporation and is licensed pursuant to the OpenSSL open source
63 * license.
64 *
65 * The Contribution, originally written by Mika Kousa and Pasi Eronen of
66 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
67 * support (see RFC 4279) to OpenSSL.
68 *
69 * No patent licenses or other rights except those expressly stated in
70 * the OpenSSL open source license shall be deemed granted or received
71 * expressly, by implication, estoppel, or otherwise.
72 *
73 * No assurances are provided by Nokia that the Contribution does not
74 * infringe the patent or other intellectual property rights of any third
75 * party or that the license provides you with all the necessary rights
76 * to make use of the Contribution.
77 *
78 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
79 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
80 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
81 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
82 * OTHERWISE.
83 */
84
85#include <stdio.h>
86
87#include <openssl/buffer.h>
88
89#include "ssl_local.h"
90
91int
92SSL_SESSION_print_fp(FILE *fp, const SSL_SESSION *x)
93{
94 BIO *b;
95 int ret;
96
97 if ((b = BIO_new(BIO_s_file())) == NULL) {
98 SSLerrorx(ERR_R_BUF_LIB);
99 return 0;
100 }
101 BIO_set_fp(b, fp, BIO_NOCLOSE);
102 ret = SSL_SESSION_print(b, x);
103 BIO_free(b);
104 return ret;
105}
106
107int
108SSL_SESSION_print(BIO *bp, const SSL_SESSION *x)
109{
110 size_t i;
111 int ret = 0;
112
113 if (x == NULL)
114 goto err;
115
116 if (BIO_puts(bp, "SSL-Session:\n") <= 0)
117 goto err;
118
119 if (BIO_printf(bp, " Protocol : %s\n",
120 ssl_version_string(x->ssl_version)) <= 0)
121 goto err;
122
123 if (x->cipher == NULL) {
124 if (BIO_printf(bp, " Cipher : %04lX\n",
125 x->cipher_id & SSL3_CK_VALUE_MASK) <= 0)
126 goto err;
127 } else {
128 const char *cipher_name = "unknown";
129
130 if (x->cipher->name != NULL)
131 cipher_name = x->cipher->name;
132
133 if (BIO_printf(bp, " Cipher : %s\n", cipher_name) <= 0)
134 goto err;
135 }
136
137 if (BIO_puts(bp, " Session-ID: ") <= 0)
138 goto err;
139
140 for (i = 0; i < x->session_id_length; i++) {
141 if (BIO_printf(bp, "%02X", x->session_id[i]) <= 0)
142 goto err;
143 }
144
145 if (BIO_puts(bp, "\n Session-ID-ctx: ") <= 0)
146 goto err;
147
148 for (i = 0; i < x->sid_ctx_length; i++) {
149 if (BIO_printf(bp, "%02X", x->sid_ctx[i]) <= 0)
150 goto err;
151 }
152
153 if (BIO_puts(bp, "\n Master-Key: ") <= 0)
154 goto err;
155
156 for (i = 0; i < x->master_key_length; i++) {
157 if (BIO_printf(bp, "%02X", x->master_key[i]) <= 0)
158 goto err;
159 }
160
161 if (x->tlsext_tick_lifetime_hint > 0) {
162 if (BIO_printf(bp,
163 "\n TLS session ticket lifetime hint: %u (seconds)",
164 x->tlsext_tick_lifetime_hint) <= 0)
165 goto err;
166 }
167
168 if (x->tlsext_tick != NULL) {
169 if (BIO_puts(bp, "\n TLS session ticket:\n") <= 0)
170 goto err;
171 if (BIO_dump_indent(bp, x->tlsext_tick, x->tlsext_ticklen,
172 4) <= 0)
173 goto err;
174 }
175
176 if (x->time != 0) {
177 if (BIO_printf(bp, "\n Start Time: %lld",
178 (long long)x->time) <= 0)
179 goto err;
180 }
181
182 if (x->timeout != 0) {
183 if (BIO_printf(bp, "\n Timeout : %ld (sec)",
184 x->timeout) <= 0)
185 goto err;
186 }
187
188 if (BIO_puts(bp, "\n") <= 0)
189 goto err;
190
191 if (BIO_printf(bp, " Verify return code: %ld (%s)\n",
192 x->verify_result,
193 X509_verify_cert_error_string(x->verify_result)) <= 0)
194 goto err;
195
196 ret = 1;
197 err:
198 return ret;
199}
diff --git a/src/lib/libssl/ssl_versions.c b/src/lib/libssl/ssl_versions.c
deleted file mode 100644
index fbc0004f4b..0000000000
--- a/src/lib/libssl/ssl_versions.c
+++ /dev/null
@@ -1,381 +0,0 @@
1/* $OpenBSD: ssl_versions.c,v 1.26 2022/11/26 16:08:56 tb Exp $ */
2/*
3 * Copyright (c) 2016, 2017 Joel Sing <jsing@openbsd.org>
4 *
5 * Permission to use, copy, modify, and distribute this software for any
6 * purpose with or without fee is hereby granted, provided that the above
7 * copyright notice and this permission notice appear in all copies.
8 *
9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16 */
17
18#include "ssl_local.h"
19
20static uint16_t
21ssl_dtls_to_tls_version(uint16_t dtls_ver)
22{
23 if (dtls_ver == DTLS1_VERSION)
24 return TLS1_1_VERSION;
25 if (dtls_ver == DTLS1_2_VERSION)
26 return TLS1_2_VERSION;
27 return 0;
28}
29
30static uint16_t
31ssl_tls_to_dtls_version(uint16_t tls_ver)
32{
33 if (tls_ver == TLS1_1_VERSION)
34 return DTLS1_VERSION;
35 if (tls_ver == TLS1_2_VERSION)
36 return DTLS1_2_VERSION;
37 return 0;
38}
39
40static int
41ssl_clamp_tls_version_range(uint16_t *min_ver, uint16_t *max_ver,
42 uint16_t clamp_min, uint16_t clamp_max)
43{
44 if (clamp_min > clamp_max || *min_ver > *max_ver)
45 return 0;
46 if (clamp_max < *min_ver || clamp_min > *max_ver)
47 return 0;
48
49 if (*min_ver < clamp_min)
50 *min_ver = clamp_min;
51 if (*max_ver > clamp_max)
52 *max_ver = clamp_max;
53
54 return 1;
55}
56
57int
58ssl_version_set_min(const SSL_METHOD *meth, uint16_t proto_ver,
59 uint16_t max_tls_ver, uint16_t *out_tls_ver, uint16_t *out_proto_ver)
60{
61 uint16_t min_proto, min_version, max_version;
62
63 if (proto_ver == 0) {
64 *out_tls_ver = meth->min_tls_version;
65 *out_proto_ver = 0;
66 return 1;
67 }
68
69 min_version = proto_ver;
70 max_version = max_tls_ver;
71
72 if (meth->dtls) {
73 if ((min_version = ssl_dtls_to_tls_version(proto_ver)) == 0)
74 return 0;
75 }
76
77 if (!ssl_clamp_tls_version_range(&min_version, &max_version,
78 meth->min_tls_version, meth->max_tls_version))
79 return 0;
80
81 min_proto = min_version;
82 if (meth->dtls) {
83 if ((min_proto = ssl_tls_to_dtls_version(min_version)) == 0)
84 return 0;
85 }
86 *out_tls_ver = min_version;
87 *out_proto_ver = min_proto;
88
89 return 1;
90}
91
92int
93ssl_version_set_max(const SSL_METHOD *meth, uint16_t proto_ver,
94 uint16_t min_tls_ver, uint16_t *out_tls_ver, uint16_t *out_proto_ver)
95{
96 uint16_t max_proto, min_version, max_version;
97
98 if (proto_ver == 0) {
99 *out_tls_ver = meth->max_tls_version;
100 *out_proto_ver = 0;
101 return 1;
102 }
103
104 min_version = min_tls_ver;
105 max_version = proto_ver;
106
107 if (meth->dtls) {
108 if ((max_version = ssl_dtls_to_tls_version(proto_ver)) == 0)
109 return 0;
110 }
111
112 if (!ssl_clamp_tls_version_range(&min_version, &max_version,
113 meth->min_tls_version, meth->max_tls_version))
114 return 0;
115
116 max_proto = max_version;
117 if (meth->dtls) {
118 if ((max_proto = ssl_tls_to_dtls_version(max_version)) == 0)
119 return 0;
120 }
121 *out_tls_ver = max_version;
122 *out_proto_ver = max_proto;
123
124 return 1;
125}
126
127int
128ssl_enabled_tls_version_range(SSL *s, uint16_t *min_ver, uint16_t *max_ver)
129{
130 uint16_t min_version, max_version;
131 unsigned long options;
132
133 /*
134 * The enabled versions have to be a contiguous range, which means we
135 * cannot enable and disable single versions at our whim, even though
136 * this is what the OpenSSL flags allow. The historical way this has
137 * been handled is by making a flag mean that all higher versions
138 * are disabled, if any version lower than the flag is enabled.
139 */
140
141 min_version = 0;
142 max_version = TLS1_3_VERSION;
143 options = s->options;
144
145 if (SSL_is_dtls(s)) {
146 options = 0;
147 if (s->options & SSL_OP_NO_DTLSv1)
148 options |= SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1;
149 if (s->options & SSL_OP_NO_DTLSv1_2)
150 options |= SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_2;
151 }
152
153 if ((options & SSL_OP_NO_TLSv1) == 0)
154 min_version = TLS1_VERSION;
155 else if ((options & SSL_OP_NO_TLSv1_1) == 0)
156 min_version = TLS1_1_VERSION;
157 else if ((options & SSL_OP_NO_TLSv1_2) == 0)
158 min_version = TLS1_2_VERSION;
159 else if ((options & SSL_OP_NO_TLSv1_3) == 0)
160 min_version = TLS1_3_VERSION;
161
162 if ((options & SSL_OP_NO_TLSv1_3) && min_version < TLS1_3_VERSION)
163 max_version = TLS1_2_VERSION;
164 if ((options & SSL_OP_NO_TLSv1_2) && min_version < TLS1_2_VERSION)
165 max_version = TLS1_1_VERSION;
166 if ((options & SSL_OP_NO_TLSv1_1) && min_version < TLS1_1_VERSION)
167 max_version = TLS1_VERSION;
168 if ((options & SSL_OP_NO_TLSv1) && min_version < TLS1_VERSION)
169 max_version = 0;
170
171 /* Everything has been disabled... */
172 if (min_version == 0 || max_version == 0)
173 return 0;
174
175 /* Limit to configured version range. */
176 if (!ssl_clamp_tls_version_range(&min_version, &max_version,
177 s->min_tls_version, s->max_tls_version))
178 return 0;
179
180 /* QUIC requires a minimum of TLSv1.3. */
181 if (SSL_is_quic(s)) {
182 if (max_version < TLS1_3_VERSION)
183 return 0;
184 if (min_version < TLS1_3_VERSION)
185 min_version = TLS1_3_VERSION;
186 }
187
188 if (min_ver != NULL)
189 *min_ver = min_version;
190 if (max_ver != NULL)
191 *max_ver = max_version;
192
193 return 1;
194}
195
196int
197ssl_supported_tls_version_range(SSL *s, uint16_t *min_ver, uint16_t *max_ver)
198{
199 uint16_t min_version, max_version;
200
201 if (!ssl_enabled_tls_version_range(s, &min_version, &max_version))
202 return 0;
203
204 /* Limit to the versions supported by this method. */
205 if (!ssl_clamp_tls_version_range(&min_version, &max_version,
206 s->method->min_tls_version, s->method->max_tls_version))
207 return 0;
208
209 if (min_ver != NULL)
210 *min_ver = min_version;
211 if (max_ver != NULL)
212 *max_ver = max_version;
213
214 return 1;
215}
216
217uint16_t
218ssl_tls_version(uint16_t version)
219{
220 if (version == TLS1_VERSION || version == TLS1_1_VERSION ||
221 version == TLS1_2_VERSION || version == TLS1_3_VERSION)
222 return version;
223
224 if (version == DTLS1_VERSION)
225 return TLS1_1_VERSION;
226 if (version == DTLS1_2_VERSION)
227 return TLS1_2_VERSION;
228
229 return 0;
230}
231
232uint16_t
233ssl_effective_tls_version(SSL *s)
234{
235 if (s->s3->hs.negotiated_tls_version > 0)
236 return s->s3->hs.negotiated_tls_version;
237
238 return s->s3->hs.our_max_tls_version;
239}
240
241int
242ssl_max_supported_version(SSL *s, uint16_t *max_ver)
243{
244 uint16_t max_version;
245
246 *max_ver = 0;
247
248 if (!ssl_supported_tls_version_range(s, NULL, &max_version))
249 return 0;
250
251 if (SSL_is_dtls(s)) {
252 if ((max_version = ssl_tls_to_dtls_version(max_version)) == 0)
253 return 0;
254 }
255
256 *max_ver = max_version;
257
258 return 1;
259}
260
261int
262ssl_max_legacy_version(SSL *s, uint16_t *max_ver)
263{
264 uint16_t max_version;
265
266 if ((max_version = s->s3->hs.our_max_tls_version) > TLS1_2_VERSION)
267 max_version = TLS1_2_VERSION;
268
269 if (SSL_is_dtls(s)) {
270 if ((max_version = ssl_tls_to_dtls_version(max_version)) == 0)
271 return 0;
272 }
273
274 *max_ver = max_version;
275
276 return 1;
277}
278
279int
280ssl_max_shared_version(SSL *s, uint16_t peer_ver, uint16_t *max_ver)
281{
282 uint16_t min_version, max_version, peer_tls_version, shared_version;
283
284 *max_ver = 0;
285 peer_tls_version = peer_ver;
286
287 if (SSL_is_dtls(s)) {
288 if ((peer_ver >> 8) != DTLS1_VERSION_MAJOR)
289 return 0;
290
291 /*
292 * Convert the peer version to a TLS version - DTLS versions are
293 * the 1's complement of TLS version numbers (but not the actual
294 * protocol version numbers, that would be too sensible). Not to
295 * mention that DTLSv1.0 is really equivalent to DTLSv1.1.
296 */
297 peer_tls_version = ssl_dtls_to_tls_version(peer_ver);
298
299 /*
300 * This may be a version that we do not know about, if it is
301 * newer than DTLS1_2_VERSION (yes, less than is correct due
302 * to the "clever" versioning scheme), use TLS1_2_VERSION.
303 */
304 if (peer_tls_version == 0) {
305 if (peer_ver < DTLS1_2_VERSION)
306 peer_tls_version = TLS1_2_VERSION;
307 }
308 }
309
310 if (peer_tls_version >= TLS1_3_VERSION)
311 shared_version = TLS1_3_VERSION;
312 else if (peer_tls_version >= TLS1_2_VERSION)
313 shared_version = TLS1_2_VERSION;
314 else if (peer_tls_version >= TLS1_1_VERSION)
315 shared_version = TLS1_1_VERSION;
316 else if (peer_tls_version >= TLS1_VERSION)
317 shared_version = TLS1_VERSION;
318 else
319 return 0;
320
321 if (!ssl_supported_tls_version_range(s, &min_version, &max_version))
322 return 0;
323
324 if (shared_version < min_version)
325 return 0;
326
327 if (shared_version > max_version)
328 shared_version = max_version;
329
330 if (SSL_is_dtls(s)) {
331 /*
332 * The resulting shared version will by definition be something
333 * that we know about. Switch back from TLS to DTLS.
334 */
335 shared_version = ssl_tls_to_dtls_version(shared_version);
336 if (shared_version == 0)
337 return 0;
338 }
339
340 if (!ssl_security_version(s, shared_version))
341 return 0;
342
343 *max_ver = shared_version;
344
345 return 1;
346}
347
348int
349ssl_check_version_from_server(SSL *s, uint16_t server_version)
350{
351 uint16_t min_tls_version, max_tls_version, server_tls_version;
352
353 /* Ensure that the version selected by the server is valid. */
354
355 server_tls_version = server_version;
356 if (SSL_is_dtls(s)) {
357 server_tls_version = ssl_dtls_to_tls_version(server_version);
358 if (server_tls_version == 0)
359 return 0;
360 }
361
362 if (!ssl_supported_tls_version_range(s, &min_tls_version,
363 &max_tls_version))
364 return 0;
365
366 if (server_tls_version < min_tls_version ||
367 server_tls_version > max_tls_version)
368 return 0;
369
370 return ssl_security_version(s, server_tls_version);
371}
372
373int
374ssl_legacy_stack_version(SSL *s, uint16_t version)
375{
376 if (SSL_is_dtls(s))
377 return version == DTLS1_VERSION || version == DTLS1_2_VERSION;
378
379 return version == TLS1_VERSION || version == TLS1_1_VERSION ||
380 version == TLS1_2_VERSION;
381}
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2026-02-20 05:03:02 +0000