1/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
2 * All rights reserved.
3 *
4 * This package is an SSL implementation written
5 * by Eric Young (eay@cryptsoft.com).
6 * The implementation was written so as to conform with Netscapes SSL.
7 *
8 * This library is free for commercial and non-commercial use as long as
9 * the following conditions are aheared to. The following conditions
10 * apply to all code found in this distribution, be it the RC4, RSA,
11 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
12 * included with this distribution is covered by the same copyright terms
13 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
14 *
15 * Copyright remains Eric Young's, and as such any Copyright notices in
16 * the code are not to be removed.
17 * If this package is used in a product, Eric Young should be given attribution
18 * as the author of the parts of the library used.
19 * This can be in the form of a textual message at program startup or
20 * in documentation (online or textual) provided with the package.
21 *
22 * Redistribution and use in source and binary forms, with or without
23 * modification, are permitted provided that the following conditions
24 * are met:
25 * 1. Redistributions of source code must retain the copyright
26 * notice, this list of conditions and the following disclaimer.
27 * 2. Redistributions in binary form must reproduce the above copyright
28 * notice, this list of conditions and the following disclaimer in the
29 * documentation and/or other materials provided with the distribution.
30 * 3. All advertising materials mentioning features or use of this software
31 * must display the following acknowledgement:
32 * "This product includes cryptographic software written by
33 * Eric Young (eay@cryptsoft.com)"
34 * The word 'cryptographic' can be left out if the rouines from the library
35 * being used are not cryptographic related :-).
36 * 4. If you include any Windows specific code (or a derivative thereof) from
37 * the apps directory (application code) you must include an acknowledgement:
38 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
39 *
40 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
41 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
43 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
44 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
45 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
46 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
48 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
49 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
50 * SUCH DAMAGE.
51 *
52 * The licence and distribution terms for any publically available version or
53 * derivative of this code cannot be changed. i.e. this code cannot simply be
54 * copied and put under another distribution licence
55 * [including the GNU Public Licence.]
56 */
57/* ====================================================================
58 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
59 *
60 * Redistribution and use in source and binary forms, with or without
61 * modification, are permitted provided that the following conditions
62 * are met:
63 *
64 * 1. Redistributions of source code must retain the above copyright
65 * notice, this list of conditions and the following disclaimer.
66 *
67 * 2. Redistributions in binary form must reproduce the above copyright
68 * notice, this list of conditions and the following disclaimer in
69 * the documentation and/or other materials provided with the
70 * distribution.
71 *
72 * 3. All advertising materials mentioning features or use of this
73 * software must display the following acknowledgment:
74 * "This product includes software developed by the OpenSSL Project
75 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
76 *
77 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
78 * endorse or promote products derived from this software without
79 * prior written permission. For written permission, please contact
80 * openssl-core@openssl.org.
81 *
82 * 5. Products derived from this software may not be called "OpenSSL"
83 * nor may "OpenSSL" appear in their names without prior written
84 * permission of the OpenSSL Project.
85 *
86 * 6. Redistributions of any form whatsoever must retain the following
87 * acknowledgment:
88 * "This product includes software developed by the OpenSSL Project
89 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
90 *
91 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
92 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
93 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
94 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
95 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
96 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
97 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
98 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
99 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
100 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
101 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
102 * OF THE POSSIBILITY OF SUCH DAMAGE.
103 * ====================================================================
104 *
105 * This product includes cryptographic software written by Eric Young
106 * (eay@cryptsoft.com). This product includes software written by Tim
107 * Hudson (tjh@cryptsoft.com).
108 *
109 */
110/* ====================================================================
111 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
112 * ECC cipher suite support in OpenSSL originally developed by
113 * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
114 */
115/* ====================================================================
116 * Copyright 2005 Nokia. All rights reserved.
117 *
118 * The portions of the attached software ("Contribution") is developed by
119 * Nokia Corporation and is licensed pursuant to the OpenSSL open source
120 * license.
121 *
122 * The Contribution, originally written by Mika Kousa and Pasi Eronen of
123 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
124 * support (see RFC 4279) to OpenSSL.
125 *
126 * No patent licenses or other rights except those expressly stated in
127 * the OpenSSL open source license shall be deemed granted or received
128 * expressly, by implication, estoppel, or otherwise.
129 *
130 * No assurances are provided by Nokia that the Contribution does not
131 * infringe the patent or other intellectual property rights of any third
132 * party or that the license provides you with all the necessary rights
133 * to make use of the Contribution.
134 *
135 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
136 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
137 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
138 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
139 * OTHERWISE. */
140
141#include <openssl/ssl.h>
142
143#include <assert.h>
144#include <stdlib.h>
145#include <string.h>
146
147#include <openssl/bytestring.h>
148#include <openssl/crypto.h>
149#include <openssl/err.h>
150#include <openssl/lhash.h>
151#include <openssl/mem.h>
152#include <openssl/rand.h>
153
154#include "internal.h"
155#include "../crypto/internal.h"
156
157#if defined(OPENSSL_WINDOWS)
158#include <sys/timeb.h>
159#else
160#include <sys/socket.h>
161#include <sys/time.h>
162#endif
163
164
165BSSL_NAMESPACE_BEGIN
166
167// |SSL_R_UNKNOWN_PROTOCOL| is no longer emitted, but continue to define it
168// to avoid downstream churn.
169OPENSSL_DECLARE_ERROR_REASON(SSL, UNKNOWN_PROTOCOL)
170
171// The following errors are no longer emitted, but are used in nginx without
172// #ifdefs.
173OPENSSL_DECLARE_ERROR_REASON(SSL, BLOCK_CIPHER_PAD_IS_WRONG)
174OPENSSL_DECLARE_ERROR_REASON(SSL, NO_CIPHERS_SPECIFIED)
175
176// Some error codes are special. Ensure the make_errors.go script never
177// regresses this.
178static_assert(SSL_R_TLSV1_ALERT_NO_RENEGOTIATION ==
179 SSL_AD_NO_RENEGOTIATION + SSL_AD_REASON_OFFSET,
180 "alert reason code mismatch");
181
182// kMaxHandshakeSize is the maximum size, in bytes, of a handshake message.
183static const size_t kMaxHandshakeSize = (1u << 24) - 1;
184
185static CRYPTO_EX_DATA_CLASS g_ex_data_class_ssl =
186 CRYPTO_EX_DATA_CLASS_INIT_WITH_APP_DATA;
187static CRYPTO_EX_DATA_CLASS g_ex_data_class_ssl_ctx =
188 CRYPTO_EX_DATA_CLASS_INIT_WITH_APP_DATA;
189
190bool CBBFinishArray(CBB *cbb, Array<uint8_t> *out) {
191 uint8_t *ptr;
192 size_t len;
193 if (!CBB_finish(cbb, &ptr, &len)) {
194 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
195 return false;
196 }
197 out->Reset(ptr, len);
198 return true;
199}
200
201void ssl_reset_error_state(SSL *ssl) {
202 // Functions which use |SSL_get_error| must reset I/O and error state on
203 // entry.
204 ssl->s3->rwstate = SSL_NOTHING;
205 ERR_clear_error();
206 ERR_clear_system_error();
207}
208
209void ssl_set_read_error(SSL* ssl) {
210 ssl->s3->read_shutdown = ssl_shutdown_error;
211 ssl->s3->read_error.reset(ERR_save_state());
212}
213
214static bool check_read_error(const SSL *ssl) {
215 if (ssl->s3->read_shutdown == ssl_shutdown_error) {
216 ERR_restore_state(ssl->s3->read_error.get());
217 return false;
218 }
219 return true;
220}
221
222bool ssl_can_write(const SSL *ssl) {
223 return !SSL_in_init(ssl) || ssl->s3->hs->can_early_write;
224}
225
226bool ssl_can_read(const SSL *ssl) {
227 return !SSL_in_init(ssl) || ssl->s3->hs->can_early_read;
228}
229
230ssl_open_record_t ssl_open_handshake(SSL *ssl, size_t *out_consumed,
231 uint8_t *out_alert, Span<uint8_t> in) {
232 *out_consumed = 0;
233 if (!check_read_error(ssl)) {
234 *out_alert = 0;
235 return ssl_open_record_error;
236 }
237 auto ret = ssl->method->open_handshake(ssl, out_consumed, out_alert, in);
238 if (ret == ssl_open_record_error) {
239 ssl_set_read_error(ssl);
240 }
241 return ret;
242}
243
244ssl_open_record_t ssl_open_change_cipher_spec(SSL *ssl, size_t *out_consumed,
245 uint8_t *out_alert,
246 Span<uint8_t> in) {
247 *out_consumed = 0;
248 if (!check_read_error(ssl)) {
249 *out_alert = 0;
250 return ssl_open_record_error;
251 }
252 auto ret =
253 ssl->method->open_change_cipher_spec(ssl, out_consumed, out_alert, in);
254 if (ret == ssl_open_record_error) {
255 ssl_set_read_error(ssl);
256 }
257 return ret;
258}
259
260ssl_open_record_t ssl_open_app_data(SSL *ssl, Span<uint8_t> *out,
261 size_t *out_consumed, uint8_t *out_alert,
262 Span<uint8_t> in) {
263 *out_consumed = 0;
264 if (!check_read_error(ssl)) {
265 *out_alert = 0;
266 return ssl_open_record_error;
267 }
268 auto ret = ssl->method->open_app_data(ssl, out, out_consumed, out_alert, in);
269 if (ret == ssl_open_record_error) {
270 ssl_set_read_error(ssl);
271 }
272 return ret;
273}
274
275void ssl_update_cache(SSL_HANDSHAKE *hs, int mode) {
276 SSL *const ssl = hs->ssl;
277 SSL_CTX *ctx = ssl->session_ctx.get();
278 // Never cache sessions with empty session IDs.
279 if (ssl->s3->established_session->session_id_length == 0 ||
280 ssl->s3->established_session->not_resumable ||
281 (ctx->session_cache_mode & mode) != mode) {
282 return;
283 }
284
285 // Clients never use the internal session cache.
286 int use_internal_cache = ssl->server && !(ctx->session_cache_mode &
287 SSL_SESS_CACHE_NO_INTERNAL_STORE);
288
289 // A client may see new sessions on abbreviated handshakes if the server
290 // decides to renew the ticket. Once the handshake is completed, it should be
291 // inserted into the cache.
292 if (ssl->s3->established_session.get() != ssl->session.get() ||
293 (!ssl->server && hs->ticket_expected)) {
294 if (use_internal_cache) {
295 SSL_CTX_add_session(ctx, ssl->s3->established_session.get());
296 }
297 if (ctx->new_session_cb != NULL) {
298 UniquePtr<SSL_SESSION> ref = UpRef(ssl->s3->established_session);
299 if (ctx->new_session_cb(ssl, ref.get())) {
300 // |new_session_cb|'s return value signals whether it took ownership.
301 ref.release();
302 }
303 }
304 }
305
306 if (use_internal_cache &&
307 !(ctx->session_cache_mode & SSL_SESS_CACHE_NO_AUTO_CLEAR)) {
308 // Automatically flush the internal session cache every 255 connections.
309 int flush_cache = 0;
310 CRYPTO_MUTEX_lock_write(&ctx->lock);
311 ctx->handshakes_since_cache_flush++;
312 if (ctx->handshakes_since_cache_flush >= 255) {
313 flush_cache = 1;
314 ctx->handshakes_since_cache_flush = 0;
315 }
316 CRYPTO_MUTEX_unlock_write(&ctx->lock);
317
318 if (flush_cache) {
319 struct OPENSSL_timeval now;
320 ssl_get_current_time(ssl, &now);
321 SSL_CTX_flush_sessions(ctx, now.tv_sec);
322 }
323 }
324}
325
326static int cbb_add_hex(CBB *cbb, const uint8_t *in, size_t in_len) {
327 static const char hextable[] = "0123456789abcdef";
328 uint8_t *out;
329
330 if (!CBB_add_space(cbb, &out, in_len * 2)) {
331 return 0;
332 }
333
334 for (size_t i = 0; i < in_len; i++) {
335 *(out++) = (uint8_t)hextable[in[i] >> 4];
336 *(out++) = (uint8_t)hextable[in[i] & 0xf];
337 }
338
339 return 1;
340}
341
342int ssl_log_secret(const SSL *ssl, const char *label, const uint8_t *secret,
343 size_t secret_len) {
344 if (ssl->ctx->keylog_callback == NULL) {
345 return 1;
346 }
347
348 ScopedCBB cbb;
349 uint8_t *out;
350 size_t out_len;
351 if (!CBB_init(cbb.get(), strlen(label) + 1 + SSL3_RANDOM_SIZE * 2 + 1 +
352 secret_len * 2 + 1) ||
353 !CBB_add_bytes(cbb.get(), (const uint8_t *)label, strlen(label)) ||
354 !CBB_add_bytes(cbb.get(), (const uint8_t *)" ", 1) ||
355 !cbb_add_hex(cbb.get(), ssl->s3->client_random, SSL3_RANDOM_SIZE) ||
356 !CBB_add_bytes(cbb.get(), (const uint8_t *)" ", 1) ||
357 !cbb_add_hex(cbb.get(), secret, secret_len) ||
358 !CBB_add_u8(cbb.get(), 0 /* NUL */) ||
359 !CBB_finish(cbb.get(), &out, &out_len)) {
360 return 0;
361 }
362
363 ssl->ctx->keylog_callback(ssl, (const char *)out);
364 OPENSSL_free(out);
365 return 1;
366}
367
368void ssl_do_info_callback(const SSL *ssl, int type, int value) {
369 void (*cb)(const SSL *ssl, int type, int value) = NULL;
370 if (ssl->info_callback != NULL) {
371 cb = ssl->info_callback;
372 } else if (ssl->ctx->info_callback != NULL) {
373 cb = ssl->ctx->info_callback;
374 }
375
376 if (cb != NULL) {
377 cb(ssl, type, value);
378 }
379}
380
381void ssl_do_msg_callback(const SSL *ssl, int is_write, int content_type,
382 Span<const uint8_t> in) {
383 if (ssl->msg_callback == NULL) {
384 return;
385 }
386
387 // |version| is zero when calling for |SSL3_RT_HEADER| and |SSL2_VERSION| for
388 // a V2ClientHello.
389 int version;
390 switch (content_type) {
391 case 0:
392 // V2ClientHello
393 version = SSL2_VERSION;
394 break;
395 case SSL3_RT_HEADER:
396 version = 0;
397 break;
398 default:
399 version = SSL_version(ssl);
400 }
401
402 ssl->msg_callback(is_write, version, content_type, in.data(), in.size(),
403 const_cast<SSL *>(ssl), ssl->msg_callback_arg);
404}
405
406void ssl_get_current_time(const SSL *ssl, struct OPENSSL_timeval *out_clock) {
407 // TODO(martinkr): Change callers to |ssl_ctx_get_current_time| and drop the
408 // |ssl| arg from |current_time_cb| if possible.
409 ssl_ctx_get_current_time(ssl->ctx.get(), out_clock);
410}
411
412void ssl_ctx_get_current_time(const SSL_CTX *ctx,
413 struct OPENSSL_timeval *out_clock) {
414 if (ctx->current_time_cb != NULL) {
415 // TODO(davidben): Update current_time_cb to use OPENSSL_timeval. See
416 // https://crbug.com/boringssl/155.
417 struct timeval clock;
418 ctx->current_time_cb(nullptr /* ssl */, &clock);
419 if (clock.tv_sec < 0) {
420 assert(0);
421 out_clock->tv_sec = 0;
422 out_clock->tv_usec = 0;
423 } else {
424 out_clock->tv_sec = (uint64_t)clock.tv_sec;
425 out_clock->tv_usec = (uint32_t)clock.tv_usec;
426 }
427 return;
428 }
429
430#if defined(BORINGSSL_UNSAFE_DETERMINISTIC_MODE)
431 out_clock->tv_sec = 1234;
432 out_clock->tv_usec = 1234;
433#elif defined(OPENSSL_WINDOWS)
434 struct _timeb time;
435 _ftime(&time);
436 if (time.time < 0) {
437 assert(0);
438 out_clock->tv_sec = 0;
439 out_clock->tv_usec = 0;
440 } else {
441 out_clock->tv_sec = time.time;
442 out_clock->tv_usec = time.millitm * 1000;
443 }
444#else
445 struct timeval clock;
446 gettimeofday(&clock, NULL);
447 if (clock.tv_sec < 0) {
448 assert(0);
449 out_clock->tv_sec = 0;
450 out_clock->tv_usec = 0;
451 } else {
452 out_clock->tv_sec = (uint64_t)clock.tv_sec;
453 out_clock->tv_usec = (uint32_t)clock.tv_usec;
454 }
455#endif
456}
457
458void SSL_CTX_set_handoff_mode(SSL_CTX *ctx, bool on) {
459 ctx->handoff = on;
460}
461
462static bool ssl_can_renegotiate(const SSL *ssl) {
463 if (ssl->server || SSL_is_dtls(ssl)) {
464 return false;
465 }
466
467 if (ssl_protocol_version(ssl) >= TLS1_3_VERSION) {
468 return false;
469 }
470
471 // The config has already been shed.
472 if (!ssl->config) {
473 return false;
474 }
475
476 switch (ssl->renegotiate_mode) {
477 case ssl_renegotiate_ignore:
478 case ssl_renegotiate_never:
479 return false;
480
481 case ssl_renegotiate_freely:
482 return true;
483 case ssl_renegotiate_once:
484 return ssl->s3->total_renegotiations == 0;
485 }
486
487 assert(0);
488 return false;
489}
490
491static void ssl_maybe_shed_handshake_config(SSL *ssl) {
492 if (ssl->s3->hs != nullptr ||
493 ssl->config == nullptr ||
494 !ssl->config->shed_handshake_config ||
495 ssl_can_renegotiate(ssl)) {
496 return;
497 }
498
499 ssl->config.reset();
500}
501
502void SSL_set_handoff_mode(SSL *ssl, bool on) {
503 if (!ssl->config) {
504 return;
505 }
506 ssl->config->handoff = on;
507}
508
509bool SSL_get_traffic_secrets(const SSL *ssl,
510 Span<const uint8_t> *out_read_traffic_secret,
511 Span<const uint8_t> *out_write_traffic_secret) {
512 if (SSL_version(ssl) < TLS1_3_VERSION) {
513 OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_SSL_VERSION);
514 return false;
515 }
516
517 if (!ssl->s3->initial_handshake_complete) {
518 OPENSSL_PUT_ERROR(SSL, SSL_R_HANDSHAKE_NOT_COMPLETE);
519 return false;
520 }
521
522 *out_read_traffic_secret = Span<const uint8_t>(
523 ssl->s3->read_traffic_secret, ssl->s3->read_traffic_secret_len);
524 *out_write_traffic_secret = Span<const uint8_t>(
525 ssl->s3->write_traffic_secret, ssl->s3->write_traffic_secret_len);
526
527 return true;
528}
529
530BSSL_NAMESPACE_END
531
532using namespace bssl;
533
534int SSL_library_init(void) {
535 CRYPTO_library_init();
536 return 1;
537}
538
539int OPENSSL_init_ssl(uint64_t opts, const OPENSSL_INIT_SETTINGS *settings) {
540 CRYPTO_library_init();
541 return 1;
542}
543
544static uint32_t ssl_session_hash(const SSL_SESSION *sess) {
545 return ssl_hash_session_id(
546 MakeConstSpan(sess->session_id, sess->session_id_length));
547}
548
549static int ssl_session_cmp(const SSL_SESSION *a, const SSL_SESSION *b) {
550 if (a->session_id_length != b->session_id_length) {
551 return 1;
552 }
553
554 return OPENSSL_memcmp(a->session_id, b->session_id, a->session_id_length);
555}
556
557ssl_ctx_st::ssl_ctx_st(const SSL_METHOD *ssl_method)
558 : method(ssl_method->method),
559 x509_method(ssl_method->x509_method),
560 retain_only_sha256_of_client_certs(false),
561 quiet_shutdown(false),
562 ocsp_stapling_enabled(false),
563 signed_cert_timestamps_enabled(false),
564 channel_id_enabled(false),
565 grease_enabled(false),
566 allow_unknown_alpn_protos(false),
567 ed25519_enabled(false),
568 rsa_pss_rsae_certs_enabled(true),
569 false_start_allowed_without_alpn(false),
570 ignore_tls13_downgrade(false),
571 handoff(false),
572 enable_early_data(false),
573 pq_experiment_signal(false) {
574 CRYPTO_MUTEX_init(&lock);
575 CRYPTO_new_ex_data(&ex_data);
576}
577
578ssl_ctx_st::~ssl_ctx_st() {
579 // Free the internal session cache. Note that this calls the caller-supplied
580 // remove callback, so we must do it before clearing ex_data. (See ticket
581 // [openssl.org #212].)
582 SSL_CTX_flush_sessions(this, 0);
583
584 CRYPTO_free_ex_data(&g_ex_data_class_ssl_ctx, this, &ex_data);
585
586 CRYPTO_MUTEX_cleanup(&lock);
587 lh_SSL_SESSION_free(sessions);
588 x509_method->ssl_ctx_free(this);
589}
590
591SSL_CTX *SSL_CTX_new(const SSL_METHOD *method) {
592 if (method == NULL) {
593 OPENSSL_PUT_ERROR(SSL, SSL_R_NULL_SSL_METHOD_PASSED);
594 return nullptr;
595 }
596
597 UniquePtr<SSL_CTX> ret = MakeUnique<SSL_CTX>(method);
598 if (!ret) {
599 return nullptr;
600 }
601
602 ret->cert = MakeUnique<CERT>(method->x509_method);
603 ret->sessions = lh_SSL_SESSION_new(ssl_session_hash, ssl_session_cmp);
604 ret->client_CA.reset(sk_CRYPTO_BUFFER_new_null());
605 if (ret->cert == nullptr ||
606 ret->sessions == nullptr ||
607 ret->client_CA == nullptr ||
608 !ret->x509_method->ssl_ctx_new(ret.get())) {
609 return nullptr;
610 }
611
612 if (!SSL_CTX_set_strict_cipher_list(ret.get(), SSL_DEFAULT_CIPHER_LIST) ||
613 // Lock the SSL_CTX to the specified version, for compatibility with
614 // legacy uses of SSL_METHOD.
615 !SSL_CTX_set_max_proto_version(ret.get(), method->version) ||
616 !SSL_CTX_set_min_proto_version(ret.get(), method->version)) {
617 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
618 return nullptr;
619 }
620
621 return ret.release();
622}
623
624int SSL_CTX_up_ref(SSL_CTX *ctx) {
625 CRYPTO_refcount_inc(&ctx->references);
626 return 1;
627}
628
629void SSL_CTX_free(SSL_CTX *ctx) {
630 if (ctx == NULL ||
631 !CRYPTO_refcount_dec_and_test_zero(&ctx->references)) {
632 return;
633 }
634
635 ctx->~ssl_ctx_st();
636 OPENSSL_free(ctx);
637}
638
639ssl_st::ssl_st(SSL_CTX *ctx_arg)
640 : method(ctx_arg->method),
641 max_send_fragment(ctx_arg->max_send_fragment),
642 msg_callback(ctx_arg->msg_callback),
643 msg_callback_arg(ctx_arg->msg_callback_arg),
644 ctx(UpRef(ctx_arg)),
645 session_ctx(UpRef(ctx_arg)),
646 options(ctx->options),
647 mode(ctx->mode),
648 max_cert_list(ctx->max_cert_list),
649 server(false),
650 quiet_shutdown(ctx->quiet_shutdown),
651 enable_early_data(ctx->enable_early_data) {
652 CRYPTO_new_ex_data(&ex_data);
653}
654
655ssl_st::~ssl_st() {
656 CRYPTO_free_ex_data(&g_ex_data_class_ssl, this, &ex_data);
657 // |config| refers to |this|, so we must release it earlier.
658 config.reset();
659 if (method != NULL) {
660 method->ssl_free(this);
661 }
662}
663
664SSL *SSL_new(SSL_CTX *ctx) {
665 if (ctx == nullptr) {
666 OPENSSL_PUT_ERROR(SSL, SSL_R_NULL_SSL_CTX);
667 return nullptr;
668 }
669
670 UniquePtr<SSL> ssl = MakeUnique<SSL>(ctx);
671 if (ssl == nullptr) {
672 return nullptr;
673 }
674
675 ssl->config = MakeUnique<SSL_CONFIG>(ssl.get());
676 if (ssl->config == nullptr) {
677 return nullptr;
678 }
679 ssl->config->conf_min_version = ctx->conf_min_version;
680 ssl->config->conf_max_version = ctx->conf_max_version;
681
682 ssl->config->cert = ssl_cert_dup(ctx->cert.get());
683 if (ssl->config->cert == nullptr) {
684 return nullptr;
685 }
686
687 ssl->config->verify_mode = ctx->verify_mode;
688 ssl->config->verify_callback = ctx->default_verify_callback;
689 ssl->config->custom_verify_callback = ctx->custom_verify_callback;
690 ssl->config->retain_only_sha256_of_client_certs =
691 ctx->retain_only_sha256_of_client_certs;
692
693 if (!ssl->config->supported_group_list.CopyFrom(ctx->supported_group_list) ||
694 !ssl->config->alpn_client_proto_list.CopyFrom(
695 ctx->alpn_client_proto_list) ||
696 !ssl->config->verify_sigalgs.CopyFrom(ctx->verify_sigalgs)) {
697 return nullptr;
698 }
699
700 if (ctx->psk_identity_hint) {
701 ssl->config->psk_identity_hint.reset(
702 BUF_strdup(ctx->psk_identity_hint.get()));
703 if (ssl->config->psk_identity_hint == nullptr) {
704 return nullptr;
705 }
706 }
707 ssl->config->psk_client_callback = ctx->psk_client_callback;
708 ssl->config->psk_server_callback = ctx->psk_server_callback;
709
710 ssl->config->channel_id_enabled = ctx->channel_id_enabled;
711 ssl->config->channel_id_private = UpRef(ctx->channel_id_private);
712
713 ssl->config->signed_cert_timestamps_enabled =
714 ctx->signed_cert_timestamps_enabled;
715 ssl->config->ocsp_stapling_enabled = ctx->ocsp_stapling_enabled;
716 ssl->config->handoff = ctx->handoff;
717 ssl->config->ignore_tls13_downgrade = ctx->ignore_tls13_downgrade;
718 ssl->quic_method = ctx->quic_method;
719
720 if (!ssl->method->ssl_new(ssl.get()) ||
721 !ssl->ctx->x509_method->ssl_new(ssl->s3->hs.get())) {
722 return nullptr;
723 }
724
725 return ssl.release();
726}
727
728SSL_CONFIG::SSL_CONFIG(SSL *ssl_arg)
729 : ssl(ssl_arg),
730 signed_cert_timestamps_enabled(false),
731 ocsp_stapling_enabled(false),
732 channel_id_enabled(false),
733 enforce_rsa_key_usage(false),
734 retain_only_sha256_of_client_certs(false),
735 handoff(false),
736 shed_handshake_config(false),
737 ignore_tls13_downgrade(false),
738 jdk11_workaround(false) {
739 assert(ssl);
740}
741
742SSL_CONFIG::~SSL_CONFIG() {
743 if (ssl->ctx != nullptr) {
744 ssl->ctx->x509_method->ssl_config_free(this);
745 }
746}
747
748void SSL_free(SSL *ssl) {
749 Delete(ssl);
750}
751
752void SSL_set_connect_state(SSL *ssl) {
753 ssl->server = false;
754 ssl->do_handshake = ssl_client_handshake;
755}
756
757void SSL_set_accept_state(SSL *ssl) {
758 ssl->server = true;
759 ssl->do_handshake = ssl_server_handshake;
760}
761
762void SSL_set0_rbio(SSL *ssl, BIO *rbio) {
763 ssl->rbio.reset(rbio);
764}
765
766void SSL_set0_wbio(SSL *ssl, BIO *wbio) {
767 ssl->wbio.reset(wbio);
768}
769
770void SSL_set_bio(SSL *ssl, BIO *rbio, BIO *wbio) {
771 // For historical reasons, this function has many different cases in ownership
772 // handling.
773
774 // If nothing has changed, do nothing
775 if (rbio == SSL_get_rbio(ssl) && wbio == SSL_get_wbio(ssl)) {
776 return;
777 }
778
779 // If the two arguments are equal, one fewer reference is granted than
780 // taken.
781 if (rbio != NULL && rbio == wbio) {
782 BIO_up_ref(rbio);
783 }
784
785 // If only the wbio is changed, adopt only one reference.
786 if (rbio == SSL_get_rbio(ssl)) {
787 SSL_set0_wbio(ssl, wbio);
788 return;
789 }
790
791 // There is an asymmetry here for historical reasons. If only the rbio is
792 // changed AND the rbio and wbio were originally different, then we only adopt
793 // one reference.
794 if (wbio == SSL_get_wbio(ssl) && SSL_get_rbio(ssl) != SSL_get_wbio(ssl)) {
795 SSL_set0_rbio(ssl, rbio);
796 return;
797 }
798
799 // Otherwise, adopt both references.
800 SSL_set0_rbio(ssl, rbio);
801 SSL_set0_wbio(ssl, wbio);
802}
803
804BIO *SSL_get_rbio(const SSL *ssl) { return ssl->rbio.get(); }
805
806BIO *SSL_get_wbio(const SSL *ssl) { return ssl->wbio.get(); }
807
808size_t SSL_quic_max_handshake_flight_len(const SSL *ssl,
809 enum ssl_encryption_level_t level) {
810 // Limits flights to 16K by default when there are no large
811 // (certificate-carrying) messages.
812 static const size_t kDefaultLimit = 16384;
813
814 switch (level) {
815 case ssl_encryption_initial:
816 return kDefaultLimit;
817 case ssl_encryption_early_data:
818 // QUIC does not send EndOfEarlyData.
819 return 0;
820 case ssl_encryption_handshake:
821 if (ssl->server) {
822 // Servers may receive Certificate message if configured to request
823 // client certificates.
824 if (!!(ssl->config->verify_mode & SSL_VERIFY_PEER) &&
825 ssl->max_cert_list > kDefaultLimit) {
826 return ssl->max_cert_list;
827 }
828 } else {
829 // Clients may receive both Certificate message and a CertificateRequest
830 // message.
831 if (2*ssl->max_cert_list > kDefaultLimit) {
832 return 2*ssl->max_cert_list;
833 }
834 }
835 return kDefaultLimit;
836 case ssl_encryption_application:
837 // Note there is not actually a bound on the number of NewSessionTickets
838 // one may send in a row. This level may need more involved flow
839 // control. See https://github.com/quicwg/base-drafts/issues/1834.
840 return kDefaultLimit;
841 }
842
843 return 0;
844}
845
846enum ssl_encryption_level_t SSL_quic_read_level(const SSL *ssl) {
847 return ssl->s3->read_level;
848}
849
850enum ssl_encryption_level_t SSL_quic_write_level(const SSL *ssl) {
851 return ssl->s3->write_level;
852}
853
854int SSL_provide_quic_data(SSL *ssl, enum ssl_encryption_level_t level,
855 const uint8_t *data, size_t len) {
856 if (ssl->quic_method == nullptr) {
857 OPENSSL_PUT_ERROR(SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
858 return 0;
859 }
860
861 if (level != ssl->s3->read_level) {
862 OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_ENCRYPTION_LEVEL_RECEIVED);
863 return 0;
864 }
865
866 size_t new_len = (ssl->s3->hs_buf ? ssl->s3->hs_buf->length : 0) + len;
867 if (new_len < len ||
868 new_len > SSL_quic_max_handshake_flight_len(ssl, level)) {
869 OPENSSL_PUT_ERROR(SSL, SSL_R_EXCESSIVE_MESSAGE_SIZE);
870 return 0;
871 }
872
873 return tls_append_handshake_data(ssl, MakeConstSpan(data, len));
874}
875
876int SSL_do_handshake(SSL *ssl) {
877 ssl_reset_error_state(ssl);
878
879 if (ssl->do_handshake == NULL) {
880 OPENSSL_PUT_ERROR(SSL, SSL_R_CONNECTION_TYPE_NOT_SET);
881 return -1;
882 }
883
884 if (!SSL_in_init(ssl)) {
885 return 1;
886 }
887
888 // Run the handshake.
889 SSL_HANDSHAKE *hs = ssl->s3->hs.get();
890
891 bool early_return = false;
892 int ret = ssl_run_handshake(hs, &early_return);
893 ssl_do_info_callback(
894 ssl, ssl->server ? SSL_CB_ACCEPT_EXIT : SSL_CB_CONNECT_EXIT, ret);
895 if (ret <= 0) {
896 return ret;
897 }
898
899 // Destroy the handshake object if the handshake has completely finished.
900 if (!early_return) {
901 ssl->s3->hs.reset();
902 ssl_maybe_shed_handshake_config(ssl);
903 }
904
905 return 1;
906}
907
908int SSL_connect(SSL *ssl) {
909 if (ssl->do_handshake == NULL) {
910 // Not properly initialized yet
911 SSL_set_connect_state(ssl);
912 }
913
914 return SSL_do_handshake(ssl);
915}
916
917int SSL_accept(SSL *ssl) {
918 if (ssl->do_handshake == NULL) {
919 // Not properly initialized yet
920 SSL_set_accept_state(ssl);
921 }
922
923 return SSL_do_handshake(ssl);
924}
925
926static int ssl_do_post_handshake(SSL *ssl, const SSLMessage &msg) {
927 if (ssl_protocol_version(ssl) >= TLS1_3_VERSION) {
928 return tls13_post_handshake(ssl, msg);
929 }
930
931 // Check for renegotiation on the server before parsing to use the correct
932 // error. Renegotiation is triggered by a different message for servers.
933 if (ssl->server) {
934 OPENSSL_PUT_ERROR(SSL, SSL_R_NO_RENEGOTIATION);
935 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_NO_RENEGOTIATION);
936 return 0;
937 }
938
939 if (msg.type != SSL3_MT_HELLO_REQUEST || CBS_len(&msg.body) != 0) {
940 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
941 OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_HELLO_REQUEST);
942 return 0;
943 }
944
945 if (ssl->renegotiate_mode == ssl_renegotiate_ignore) {
946 return 1; // Ignore the HelloRequest.
947 }
948
949 if (!ssl_can_renegotiate(ssl) ||
950 // Renegotiation is only supported at quiescent points in the application
951 // protocol, namely in HTTPS, just before reading the HTTP response.
952 // Require the record-layer be idle and avoid complexities of sending a
953 // handshake record while an application_data record is being written.
954 !ssl->s3->write_buffer.empty() ||
955 ssl->s3->write_shutdown != ssl_shutdown_none) {
956 OPENSSL_PUT_ERROR(SSL, SSL_R_NO_RENEGOTIATION);
957 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_NO_RENEGOTIATION);
958 return 0;
959 }
960
961 // Begin a new handshake.
962 if (ssl->s3->hs != nullptr) {
963 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
964 return 0;
965 }
966 ssl->s3->hs = ssl_handshake_new(ssl);
967 if (ssl->s3->hs == nullptr) {
968 return 0;
969 }
970
971 ssl->s3->total_renegotiations++;
972 return 1;
973}
974
975int SSL_process_quic_post_handshake(SSL *ssl) {
976 ssl_reset_error_state(ssl);
977
978 if (SSL_in_init(ssl)) {
979 OPENSSL_PUT_ERROR(SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
980 return 0;
981 }
982
983 // Replay post-handshake message errors.
984 if (!check_read_error(ssl)) {
985 return 0;
986 }
987
988 // Process any buffered post-handshake messages.
989 SSLMessage msg;
990 while (ssl->method->get_message(ssl, &msg)) {
991 // Handle the post-handshake message and try again.
992 if (!ssl_do_post_handshake(ssl, msg)) {
993 ssl_set_read_error(ssl);
994 return 0;
995 }
996 ssl->method->next_message(ssl);
997 }
998
999 return 1;
1000}
1001
1002static int ssl_read_impl(SSL *ssl) {
1003 ssl_reset_error_state(ssl);
1004
1005 if (ssl->do_handshake == NULL) {
1006 OPENSSL_PUT_ERROR(SSL, SSL_R_UNINITIALIZED);
1007 return -1;
1008 }
1009
1010 // Replay post-handshake message errors.
1011 if (!check_read_error(ssl)) {
1012 return -1;
1013 }
1014
1015 while (ssl->s3->pending_app_data.empty()) {
1016 // Complete the current handshake, if any. False Start will cause
1017 // |SSL_do_handshake| to return mid-handshake, so this may require multiple
1018 // iterations.
1019 while (!ssl_can_read(ssl)) {
1020 int ret = SSL_do_handshake(ssl);
1021 if (ret < 0) {
1022 return ret;
1023 }
1024 if (ret == 0) {
1025 OPENSSL_PUT_ERROR(SSL, SSL_R_SSL_HANDSHAKE_FAILURE);
1026 return -1;
1027 }
1028 }
1029
1030 // Process any buffered post-handshake messages.
1031 SSLMessage msg;
1032 if (ssl->method->get_message(ssl, &msg)) {
1033 // If we received an interrupt in early read (EndOfEarlyData), loop again
1034 // for the handshake to process it.
1035 if (SSL_in_init(ssl)) {
1036 ssl->s3->hs->can_early_read = false;
1037 continue;
1038 }
1039
1040 // Handle the post-handshake message and try again.
1041 if (!ssl_do_post_handshake(ssl, msg)) {
1042 ssl_set_read_error(ssl);
1043 return -1;
1044 }
1045 ssl->method->next_message(ssl);
1046 continue; // Loop again. We may have begun a new handshake.
1047 }
1048
1049 uint8_t alert = SSL_AD_DECODE_ERROR;
1050 size_t consumed = 0;
1051 auto ret = ssl_open_app_data(ssl, &ssl->s3->pending_app_data, &consumed,
1052 &alert, ssl->s3->read_buffer.span());
1053 bool retry;
1054 int bio_ret = ssl_handle_open_record(ssl, &retry, ret, consumed, alert);
1055 if (bio_ret <= 0) {
1056 return bio_ret;
1057 }
1058 if (!retry) {
1059 assert(!ssl->s3->pending_app_data.empty());
1060 ssl->s3->key_update_count = 0;
1061 }
1062 }
1063
1064 return 1;
1065}
1066
1067int SSL_read(SSL *ssl, void *buf, int num) {
1068 int ret = SSL_peek(ssl, buf, num);
1069 if (ret <= 0) {
1070 return ret;
1071 }
1072 // TODO(davidben): In DTLS, should the rest of the record be discarded? DTLS
1073 // is not a stream. See https://crbug.com/boringssl/65.
1074 ssl->s3->pending_app_data =
1075 ssl->s3->pending_app_data.subspan(static_cast<size_t>(ret));
1076 if (ssl->s3->pending_app_data.empty()) {
1077 ssl->s3->read_buffer.DiscardConsumed();
1078 }
1079 return ret;
1080}
1081
1082int SSL_peek(SSL *ssl, void *buf, int num) {
1083 if (ssl->quic_method != nullptr) {
1084 OPENSSL_PUT_ERROR(SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
1085 return 0;
1086 }
1087
1088 int ret = ssl_read_impl(ssl);
1089 if (ret <= 0) {
1090 return ret;
1091 }
1092 if (num <= 0) {
1093 return num;
1094 }
1095 size_t todo =
1096 std::min(ssl->s3->pending_app_data.size(), static_cast<size_t>(num));
1097 OPENSSL_memcpy(buf, ssl->s3->pending_app_data.data(), todo);
1098 return static_cast<int>(todo);
1099}
1100
1101int SSL_write(SSL *ssl, const void *buf, int num) {
1102 ssl_reset_error_state(ssl);
1103
1104 if (ssl->quic_method != nullptr) {
1105 OPENSSL_PUT_ERROR(SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
1106 return 0;
1107 }
1108
1109 if (ssl->do_handshake == NULL) {
1110 OPENSSL_PUT_ERROR(SSL, SSL_R_UNINITIALIZED);
1111 return -1;
1112 }
1113
1114 if (ssl->s3->write_shutdown != ssl_shutdown_none) {
1115 OPENSSL_PUT_ERROR(SSL, SSL_R_PROTOCOL_IS_SHUTDOWN);
1116 return -1;
1117 }
1118
1119 int ret = 0;
1120 bool needs_handshake = false;
1121 do {
1122 // If necessary, complete the handshake implicitly.
1123 if (!ssl_can_write(ssl)) {
1124 ret = SSL_do_handshake(ssl);
1125 if (ret < 0) {
1126 return ret;
1127 }
1128 if (ret == 0) {
1129 OPENSSL_PUT_ERROR(SSL, SSL_R_SSL_HANDSHAKE_FAILURE);
1130 return -1;
1131 }
1132 }
1133
1134 ret = ssl->method->write_app_data(ssl, &needs_handshake,
1135 (const uint8_t *)buf, num);
1136 } while (needs_handshake);
1137 return ret;
1138}
1139
1140int SSL_key_update(SSL *ssl, int request_type) {
1141 ssl_reset_error_state(ssl);
1142
1143 if (ssl->do_handshake == NULL) {
1144 OPENSSL_PUT_ERROR(SSL, SSL_R_UNINITIALIZED);
1145 return 0;
1146 }
1147
1148 if (ssl->ctx->quic_method != nullptr) {
1149 OPENSSL_PUT_ERROR(SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
1150 return 0;
1151 }
1152
1153 if (!ssl->s3->initial_handshake_complete) {
1154 OPENSSL_PUT_ERROR(SSL, SSL_R_HANDSHAKE_NOT_COMPLETE);
1155 return 0;
1156 }
1157
1158 if (ssl_protocol_version(ssl) < TLS1_3_VERSION) {
1159 OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_SSL_VERSION);
1160 return 0;
1161 }
1162
1163 if (!ssl->s3->key_update_pending &&
1164 !tls13_add_key_update(ssl, request_type)) {
1165 return 0;
1166 }
1167
1168 return 1;
1169}
1170
1171int SSL_shutdown(SSL *ssl) {
1172 ssl_reset_error_state(ssl);
1173
1174 if (ssl->do_handshake == NULL) {
1175 OPENSSL_PUT_ERROR(SSL, SSL_R_UNINITIALIZED);
1176 return -1;
1177 }
1178
1179 // If we are in the middle of a handshake, silently succeed. Consumers often
1180 // call this function before |SSL_free|, whether the handshake succeeded or
1181 // not. We assume the caller has already handled failed handshakes.
1182 if (SSL_in_init(ssl)) {
1183 return 1;
1184 }
1185
1186 if (ssl->quiet_shutdown) {
1187 // Do nothing if configured not to send a close_notify.
1188 ssl->s3->write_shutdown = ssl_shutdown_close_notify;
1189 ssl->s3->read_shutdown = ssl_shutdown_close_notify;
1190 return 1;
1191 }
1192
1193 // This function completes in two stages. It sends a close_notify and then it
1194 // waits for a close_notify to come in. Perform exactly one action and return
1195 // whether or not it succeeds.
1196
1197 if (ssl->s3->write_shutdown != ssl_shutdown_close_notify) {
1198 // Send a close_notify.
1199 if (ssl_send_alert_impl(ssl, SSL3_AL_WARNING, SSL_AD_CLOSE_NOTIFY) <= 0) {
1200 return -1;
1201 }
1202 } else if (ssl->s3->alert_dispatch) {
1203 // Finish sending the close_notify.
1204 if (ssl->method->dispatch_alert(ssl) <= 0) {
1205 return -1;
1206 }
1207 } else if (ssl->s3->read_shutdown != ssl_shutdown_close_notify) {
1208 if (SSL_is_dtls(ssl)) {
1209 // Bidirectional shutdown doesn't make sense for an unordered
1210 // transport. DTLS alerts also aren't delivered reliably, so we may even
1211 // time out because the peer never received our close_notify. Report to
1212 // the caller that the channel has fully shut down.
1213 if (ssl->s3->read_shutdown == ssl_shutdown_error) {
1214 ERR_restore_state(ssl->s3->read_error.get());
1215 return -1;
1216 }
1217 ssl->s3->read_shutdown = ssl_shutdown_close_notify;
1218 } else {
1219 // Process records until an error, close_notify, or application data.
1220 if (ssl_read_impl(ssl) > 0) {
1221 // We received some unexpected application data.
1222 OPENSSL_PUT_ERROR(SSL, SSL_R_APPLICATION_DATA_ON_SHUTDOWN);
1223 return -1;
1224 }
1225 if (ssl->s3->read_shutdown != ssl_shutdown_close_notify) {
1226 return -1;
1227 }
1228 }
1229 }
1230
1231 // Return 0 for unidirectional shutdown and 1 for bidirectional shutdown.
1232 return ssl->s3->read_shutdown == ssl_shutdown_close_notify;
1233}
1234
1235int SSL_send_fatal_alert(SSL *ssl, uint8_t alert) {
1236 if (ssl->s3->alert_dispatch) {
1237 if (ssl->s3->send_alert[0] != SSL3_AL_FATAL ||
1238 ssl->s3->send_alert[1] != alert) {
1239 // We are already attempting to write a different alert.
1240 OPENSSL_PUT_ERROR(SSL, SSL_R_PROTOCOL_IS_SHUTDOWN);
1241 return -1;
1242 }
1243 return ssl->method->dispatch_alert(ssl);
1244 }
1245
1246 return ssl_send_alert_impl(ssl, SSL3_AL_FATAL, alert);
1247}
1248
1249void SSL_CTX_enable_pq_experiment_signal(SSL_CTX *ctx) {
1250 ctx->pq_experiment_signal = true;
1251}
1252
1253int SSL_pq_experiment_signal_seen(const SSL *ssl) {
1254 return ssl->s3->pq_experiment_signal_seen;
1255}
1256
1257int SSL_set_quic_transport_params(SSL *ssl, const uint8_t *params,
1258 size_t params_len) {
1259 return ssl->config && ssl->config->quic_transport_params.CopyFrom(
1260 MakeConstSpan(params, params_len));
1261}
1262
1263void SSL_get_peer_quic_transport_params(const SSL *ssl,
1264 const uint8_t **out_params,
1265 size_t *out_params_len) {
1266 *out_params = ssl->s3->peer_quic_transport_params.data();
1267 *out_params_len = ssl->s3->peer_quic_transport_params.size();
1268}
1269
1270void SSL_CTX_set_early_data_enabled(SSL_CTX *ctx, int enabled) {
1271 ctx->enable_early_data = !!enabled;
1272}
1273
1274void SSL_set_early_data_enabled(SSL *ssl, int enabled) {
1275 ssl->enable_early_data = !!enabled;
1276}
1277
1278int SSL_in_early_data(const SSL *ssl) {
1279 if (ssl->s3->hs == NULL) {
1280 return 0;
1281 }
1282 return ssl->s3->hs->in_early_data;
1283}
1284
1285int SSL_early_data_accepted(const SSL *ssl) {
1286 return ssl->s3->early_data_accepted;
1287}
1288
1289void SSL_reset_early_data_reject(SSL *ssl) {
1290 SSL_HANDSHAKE *hs = ssl->s3->hs.get();
1291 if (hs == NULL ||
1292 hs->wait != ssl_hs_early_data_rejected) {
1293 abort();
1294 }
1295
1296 hs->wait = ssl_hs_ok;
1297 hs->in_early_data = false;
1298 hs->early_session.reset();
1299
1300 // Discard any unfinished writes from the perspective of |SSL_write|'s
1301 // retry. The handshake will transparently flush out the pending record
1302 // (discarded by the server) to keep the framing correct.
1303 ssl->s3->wpend_pending = false;
1304}
1305
1306enum ssl_early_data_reason_t SSL_get_early_data_reason(const SSL *ssl) {
1307 return ssl->s3->early_data_reason;
1308}
1309
1310static int bio_retry_reason_to_error(int reason) {
1311 switch (reason) {
1312 case BIO_RR_CONNECT:
1313 return SSL_ERROR_WANT_CONNECT;
1314 case BIO_RR_ACCEPT:
1315 return SSL_ERROR_WANT_ACCEPT;
1316 default:
1317 return SSL_ERROR_SYSCALL;
1318 }
1319}
1320
1321int SSL_get_error(const SSL *ssl, int ret_code) {
1322 if (ret_code > 0) {
1323 return SSL_ERROR_NONE;
1324 }
1325
1326 // Make things return SSL_ERROR_SYSCALL when doing SSL_do_handshake etc,
1327 // where we do encode the error
1328 uint32_t err = ERR_peek_error();
1329 if (err != 0) {
1330 if (ERR_GET_LIB(err) == ERR_LIB_SYS) {
1331 return SSL_ERROR_SYSCALL;
1332 }
1333 return SSL_ERROR_SSL;
1334 }
1335
1336 if (ret_code == 0) {
1337 if (ssl->s3->read_shutdown == ssl_shutdown_close_notify) {
1338 return SSL_ERROR_ZERO_RETURN;
1339 }
1340 // An EOF was observed which violates the protocol, and the underlying
1341 // transport does not participate in the error queue. Bubble up to the
1342 // caller.
1343 return SSL_ERROR_SYSCALL;
1344 }
1345
1346 switch (ssl->s3->rwstate) {
1347 case SSL_PENDING_SESSION:
1348 return SSL_ERROR_PENDING_SESSION;
1349
1350 case SSL_CERTIFICATE_SELECTION_PENDING:
1351 return SSL_ERROR_PENDING_CERTIFICATE;
1352
1353 case SSL_HANDOFF:
1354 return SSL_ERROR_HANDOFF;
1355
1356 case SSL_HANDBACK:
1357 return SSL_ERROR_HANDBACK;
1358
1359 case SSL_READING: {
1360 if (ssl->quic_method) {
1361 return SSL_ERROR_WANT_READ;
1362 }
1363 BIO *bio = SSL_get_rbio(ssl);
1364 if (BIO_should_read(bio)) {
1365 return SSL_ERROR_WANT_READ;
1366 }
1367
1368 if (BIO_should_write(bio)) {
1369 // TODO(davidben): OpenSSL historically checked for writes on the read
1370 // BIO. Can this be removed?
1371 return SSL_ERROR_WANT_WRITE;
1372 }
1373
1374 if (BIO_should_io_special(bio)) {
1375 return bio_retry_reason_to_error(BIO_get_retry_reason(bio));
1376 }
1377
1378 break;
1379 }
1380
1381 case SSL_WRITING: {
1382 BIO *bio = SSL_get_wbio(ssl);
1383 if (BIO_should_write(bio)) {
1384 return SSL_ERROR_WANT_WRITE;
1385 }
1386
1387 if (BIO_should_read(bio)) {
1388 // TODO(davidben): OpenSSL historically checked for reads on the write
1389 // BIO. Can this be removed?
1390 return SSL_ERROR_WANT_READ;
1391 }
1392
1393 if (BIO_should_io_special(bio)) {
1394 return bio_retry_reason_to_error(BIO_get_retry_reason(bio));
1395 }
1396
1397 break;
1398 }
1399
1400 case SSL_X509_LOOKUP:
1401 return SSL_ERROR_WANT_X509_LOOKUP;
1402
1403 case SSL_CHANNEL_ID_LOOKUP:
1404 return SSL_ERROR_WANT_CHANNEL_ID_LOOKUP;
1405
1406 case SSL_PRIVATE_KEY_OPERATION:
1407 return SSL_ERROR_WANT_PRIVATE_KEY_OPERATION;
1408
1409 case SSL_PENDING_TICKET:
1410 return SSL_ERROR_PENDING_TICKET;
1411
1412 case SSL_EARLY_DATA_REJECTED:
1413 return SSL_ERROR_EARLY_DATA_REJECTED;
1414
1415 case SSL_CERTIFICATE_VERIFY:
1416 return SSL_ERROR_WANT_CERTIFICATE_VERIFY;
1417 }
1418
1419 return SSL_ERROR_SYSCALL;
1420}
1421
1422uint32_t SSL_CTX_set_options(SSL_CTX *ctx, uint32_t options) {
1423 ctx->options |= options;
1424 return ctx->options;
1425}
1426
1427uint32_t SSL_CTX_clear_options(SSL_CTX *ctx, uint32_t options) {
1428 ctx->options &= ~options;
1429 return ctx->options;
1430}
1431
1432uint32_t SSL_CTX_get_options(const SSL_CTX *ctx) { return ctx->options; }
1433
1434uint32_t SSL_set_options(SSL *ssl, uint32_t options) {
1435 ssl->options |= options;
1436 return ssl->options;
1437}
1438
1439uint32_t SSL_clear_options(SSL *ssl, uint32_t options) {
1440 ssl->options &= ~options;
1441 return ssl->options;
1442}
1443
1444uint32_t SSL_get_options(const SSL *ssl) { return ssl->options; }
1445
1446uint32_t SSL_CTX_set_mode(SSL_CTX *ctx, uint32_t mode) {
1447 ctx->mode |= mode;
1448 return ctx->mode;
1449}
1450
1451uint32_t SSL_CTX_clear_mode(SSL_CTX *ctx, uint32_t mode) {
1452 ctx->mode &= ~mode;
1453 return ctx->mode;
1454}
1455
1456uint32_t SSL_CTX_get_mode(const SSL_CTX *ctx) { return ctx->mode; }
1457
1458uint32_t SSL_set_mode(SSL *ssl, uint32_t mode) {
1459 ssl->mode |= mode;
1460 return ssl->mode;
1461}
1462
1463uint32_t SSL_clear_mode(SSL *ssl, uint32_t mode) {
1464 ssl->mode &= ~mode;
1465 return ssl->mode;
1466}
1467
1468uint32_t SSL_get_mode(const SSL *ssl) { return ssl->mode; }
1469
1470void SSL_CTX_set0_buffer_pool(SSL_CTX *ctx, CRYPTO_BUFFER_POOL *pool) {
1471 ctx->pool = pool;
1472}
1473
1474int SSL_get_tls_unique(const SSL *ssl, uint8_t *out, size_t *out_len,
1475 size_t max_out) {
1476 *out_len = 0;
1477 OPENSSL_memset(out, 0, max_out);
1478
1479 // tls-unique is not defined for TLS 1.3.
1480 if (!ssl->s3->initial_handshake_complete ||
1481 ssl_protocol_version(ssl) >= TLS1_3_VERSION) {
1482 return 0;
1483 }
1484
1485 // The tls-unique value is the first Finished message in the handshake, which
1486 // is the client's in a full handshake and the server's for a resumption. See
1487 // https://tools.ietf.org/html/rfc5929#section-3.1.
1488 const uint8_t *finished = ssl->s3->previous_client_finished;
1489 size_t finished_len = ssl->s3->previous_client_finished_len;
1490 if (ssl->session != NULL) {
1491 // tls-unique is broken for resumed sessions unless EMS is used.
1492 if (!ssl->session->extended_master_secret) {
1493 return 0;
1494 }
1495 finished = ssl->s3->previous_server_finished;
1496 finished_len = ssl->s3->previous_server_finished_len;
1497 }
1498
1499 *out_len = finished_len;
1500 if (finished_len > max_out) {
1501 *out_len = max_out;
1502 }
1503
1504 OPENSSL_memcpy(out, finished, *out_len);
1505 return 1;
1506}
1507
1508static int set_session_id_context(CERT *cert, const uint8_t *sid_ctx,
1509 size_t sid_ctx_len) {
1510 if (sid_ctx_len > sizeof(cert->sid_ctx)) {
1511 OPENSSL_PUT_ERROR(SSL, SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG);
1512 return 0;
1513 }
1514
1515 static_assert(sizeof(cert->sid_ctx) < 256, "sid_ctx too large");
1516 cert->sid_ctx_length = (uint8_t)sid_ctx_len;
1517 OPENSSL_memcpy(cert->sid_ctx, sid_ctx, sid_ctx_len);
1518 return 1;
1519}
1520
1521int SSL_CTX_set_session_id_context(SSL_CTX *ctx, const uint8_t *sid_ctx,
1522 size_t sid_ctx_len) {
1523 return set_session_id_context(ctx->cert.get(), sid_ctx, sid_ctx_len);
1524}
1525
1526int SSL_set_session_id_context(SSL *ssl, const uint8_t *sid_ctx,
1527 size_t sid_ctx_len) {
1528 if (!ssl->config) {
1529 return 0;
1530 }
1531 return set_session_id_context(ssl->config->cert.get(), sid_ctx, sid_ctx_len);
1532}
1533
1534const uint8_t *SSL_get0_session_id_context(const SSL *ssl, size_t *out_len) {
1535 if (!ssl->config) {
1536 assert(ssl->config);
1537 *out_len = 0;
1538 return NULL;
1539 }
1540 *out_len = ssl->config->cert->sid_ctx_length;
1541 return ssl->config->cert->sid_ctx;
1542}
1543
1544void SSL_certs_clear(SSL *ssl) {
1545 if (!ssl->config) {
1546 return;
1547 }
1548 ssl_cert_clear_certs(ssl->config->cert.get());
1549}
1550
1551int SSL_get_fd(const SSL *ssl) { return SSL_get_rfd(ssl); }
1552
1553int SSL_get_rfd(const SSL *ssl) {
1554 int ret = -1;
1555 BIO *b = BIO_find_type(SSL_get_rbio(ssl), BIO_TYPE_DESCRIPTOR);
1556 if (b != NULL) {
1557 BIO_get_fd(b, &ret);
1558 }
1559 return ret;
1560}
1561
1562int SSL_get_wfd(const SSL *ssl) {
1563 int ret = -1;
1564 BIO *b = BIO_find_type(SSL_get_wbio(ssl), BIO_TYPE_DESCRIPTOR);
1565 if (b != NULL) {
1566 BIO_get_fd(b, &ret);
1567 }
1568 return ret;
1569}
1570
1571int SSL_set_fd(SSL *ssl, int fd) {
1572 BIO *bio = BIO_new(BIO_s_socket());
1573 if (bio == NULL) {
1574 OPENSSL_PUT_ERROR(SSL, ERR_R_BUF_LIB);
1575 return 0;
1576 }
1577 BIO_set_fd(bio, fd, BIO_NOCLOSE);
1578 SSL_set_bio(ssl, bio, bio);
1579 return 1;
1580}
1581
1582int SSL_set_wfd(SSL *ssl, int fd) {
1583 BIO *rbio = SSL_get_rbio(ssl);
1584 if (rbio == NULL || BIO_method_type(rbio) != BIO_TYPE_SOCKET ||
1585 BIO_get_fd(rbio, NULL) != fd) {
1586 BIO *bio = BIO_new(BIO_s_socket());
1587 if (bio == NULL) {
1588 OPENSSL_PUT_ERROR(SSL, ERR_R_BUF_LIB);
1589 return 0;
1590 }
1591 BIO_set_fd(bio, fd, BIO_NOCLOSE);
1592 SSL_set0_wbio(ssl, bio);
1593 } else {
1594 // Copy the rbio over to the wbio.
1595 BIO_up_ref(rbio);
1596 SSL_set0_wbio(ssl, rbio);
1597 }
1598
1599 return 1;
1600}
1601
1602int SSL_set_rfd(SSL *ssl, int fd) {
1603 BIO *wbio = SSL_get_wbio(ssl);
1604 if (wbio == NULL || BIO_method_type(wbio) != BIO_TYPE_SOCKET ||
1605 BIO_get_fd(wbio, NULL) != fd) {
1606 BIO *bio = BIO_new(BIO_s_socket());
1607 if (bio == NULL) {
1608 OPENSSL_PUT_ERROR(SSL, ERR_R_BUF_LIB);
1609 return 0;
1610 }
1611 BIO_set_fd(bio, fd, BIO_NOCLOSE);
1612 SSL_set0_rbio(ssl, bio);
1613 } else {
1614 // Copy the wbio over to the rbio.
1615 BIO_up_ref(wbio);
1616 SSL_set0_rbio(ssl, wbio);
1617 }
1618 return 1;
1619}
1620
1621static size_t copy_finished(void *out, size_t out_len, const uint8_t *in,
1622 size_t in_len) {
1623 if (out_len > in_len) {
1624 out_len = in_len;
1625 }
1626 OPENSSL_memcpy(out, in, out_len);
1627 return in_len;
1628}
1629
1630size_t SSL_get_finished(const SSL *ssl, void *buf, size_t count) {
1631 if (!ssl->s3->initial_handshake_complete ||
1632 ssl_protocol_version(ssl) >= TLS1_3_VERSION) {
1633 return 0;
1634 }
1635
1636 if (ssl->server) {
1637 return copy_finished(buf, count, ssl->s3->previous_server_finished,
1638 ssl->s3->previous_server_finished_len);
1639 }
1640
1641 return copy_finished(buf, count, ssl->s3->previous_client_finished,
1642 ssl->s3->previous_client_finished_len);
1643}
1644
1645size_t SSL_get_peer_finished(const SSL *ssl, void *buf, size_t count) {
1646 if (!ssl->s3->initial_handshake_complete ||
1647 ssl_protocol_version(ssl) >= TLS1_3_VERSION) {
1648 return 0;
1649 }
1650
1651 if (ssl->server) {
1652 return copy_finished(buf, count, ssl->s3->previous_client_finished,
1653 ssl->s3->previous_client_finished_len);
1654 }
1655
1656 return copy_finished(buf, count, ssl->s3->previous_server_finished,
1657 ssl->s3->previous_server_finished_len);
1658}
1659
1660int SSL_get_verify_mode(const SSL *ssl) {
1661 if (!ssl->config) {
1662 assert(ssl->config);
1663 return -1;
1664 }
1665 return ssl->config->verify_mode;
1666}
1667
1668int SSL_get_extms_support(const SSL *ssl) {
1669 // TLS 1.3 does not require extended master secret and always reports as
1670 // supporting it.
1671 if (!ssl->s3->have_version) {
1672 return 0;
1673 }
1674 if (ssl_protocol_version(ssl) >= TLS1_3_VERSION) {
1675 return 1;
1676 }
1677
1678 // If the initial handshake completed, query the established session.
1679 if (ssl->s3->established_session != NULL) {
1680 return ssl->s3->established_session->extended_master_secret;
1681 }
1682
1683 // Otherwise, query the in-progress handshake.
1684 if (ssl->s3->hs != NULL) {
1685 return ssl->s3->hs->extended_master_secret;
1686 }
1687 assert(0);
1688 return 0;
1689}
1690
1691int SSL_CTX_get_read_ahead(const SSL_CTX *ctx) { return 0; }
1692
1693int SSL_get_read_ahead(const SSL *ssl) { return 0; }
1694
1695int SSL_CTX_set_read_ahead(SSL_CTX *ctx, int yes) { return 1; }
1696
1697int SSL_set_read_ahead(SSL *ssl, int yes) { return 1; }
1698
1699int SSL_pending(const SSL *ssl) {
1700 return static_cast<int>(ssl->s3->pending_app_data.size());
1701}
1702
1703int SSL_CTX_check_private_key(const SSL_CTX *ctx) {
1704 return ssl_cert_check_private_key(ctx->cert.get(),
1705 ctx->cert->privatekey.get());
1706}
1707
1708int SSL_check_private_key(const SSL *ssl) {
1709 if (!ssl->config) {
1710 return 0;
1711 }
1712 return ssl_cert_check_private_key(ssl->config->cert.get(),
1713 ssl->config->cert->privatekey.get());
1714}
1715
1716long SSL_get_default_timeout(const SSL *ssl) {
1717 return SSL_DEFAULT_SESSION_TIMEOUT;
1718}
1719
1720int SSL_renegotiate(SSL *ssl) {
1721 // Caller-initiated renegotiation is not supported.
1722 OPENSSL_PUT_ERROR(SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
1723 return 0;
1724}
1725
1726int SSL_renegotiate_pending(SSL *ssl) {
1727 return SSL_in_init(ssl) && ssl->s3->initial_handshake_complete;
1728}
1729
1730int SSL_total_renegotiations(const SSL *ssl) {
1731 return ssl->s3->total_renegotiations;
1732}
1733
1734size_t SSL_CTX_get_max_cert_list(const SSL_CTX *ctx) {
1735 return ctx->max_cert_list;
1736}
1737
1738void SSL_CTX_set_max_cert_list(SSL_CTX *ctx, size_t max_cert_list) {
1739 if (max_cert_list > kMaxHandshakeSize) {
1740 max_cert_list = kMaxHandshakeSize;
1741 }
1742 ctx->max_cert_list = (uint32_t)max_cert_list;
1743}
1744
1745size_t SSL_get_max_cert_list(const SSL *ssl) {
1746 return ssl->max_cert_list;
1747}
1748
1749void SSL_set_max_cert_list(SSL *ssl, size_t max_cert_list) {
1750 if (max_cert_list > kMaxHandshakeSize) {
1751 max_cert_list = kMaxHandshakeSize;
1752 }
1753 ssl->max_cert_list = (uint32_t)max_cert_list;
1754}
1755
1756int SSL_CTX_set_max_send_fragment(SSL_CTX *ctx, size_t max_send_fragment) {
1757 if (max_send_fragment < 512) {
1758 max_send_fragment = 512;
1759 }
1760 if (max_send_fragment > SSL3_RT_MAX_PLAIN_LENGTH) {
1761 max_send_fragment = SSL3_RT_MAX_PLAIN_LENGTH;
1762 }
1763 ctx->max_send_fragment = (uint16_t)max_send_fragment;
1764
1765 return 1;
1766}
1767
1768int SSL_set_max_send_fragment(SSL *ssl, size_t max_send_fragment) {
1769 if (max_send_fragment < 512) {
1770 max_send_fragment = 512;
1771 }
1772 if (max_send_fragment > SSL3_RT_MAX_PLAIN_LENGTH) {
1773 max_send_fragment = SSL3_RT_MAX_PLAIN_LENGTH;
1774 }
1775 ssl->max_send_fragment = (uint16_t)max_send_fragment;
1776
1777 return 1;
1778}
1779
1780int SSL_set_mtu(SSL *ssl, unsigned mtu) {
1781 if (!SSL_is_dtls(ssl) || mtu < dtls1_min_mtu()) {
1782 return 0;
1783 }
1784 ssl->d1->mtu = mtu;
1785 return 1;
1786}
1787
1788int SSL_get_secure_renegotiation_support(const SSL *ssl) {
1789 if (!ssl->s3->have_version) {
1790 return 0;
1791 }
1792 return ssl_protocol_version(ssl) >= TLS1_3_VERSION ||
1793 ssl->s3->send_connection_binding;
1794}
1795
1796size_t SSL_CTX_sess_number(const SSL_CTX *ctx) {
1797 MutexReadLock lock(const_cast<CRYPTO_MUTEX *>(&ctx->lock));
1798 return lh_SSL_SESSION_num_items(ctx->sessions);
1799}
1800
1801unsigned long SSL_CTX_sess_set_cache_size(SSL_CTX *ctx, unsigned long size) {
1802 unsigned long ret = ctx->session_cache_size;
1803 ctx->session_cache_size = size;
1804 return ret;
1805}
1806
1807unsigned long SSL_CTX_sess_get_cache_size(const SSL_CTX *ctx) {
1808 return ctx->session_cache_size;
1809}
1810
1811int SSL_CTX_set_session_cache_mode(SSL_CTX *ctx, int mode) {
1812 int ret = ctx->session_cache_mode;
1813 ctx->session_cache_mode = mode;
1814 return ret;
1815}
1816
1817int SSL_CTX_get_session_cache_mode(const SSL_CTX *ctx) {
1818 return ctx->session_cache_mode;
1819}
1820
1821
1822int SSL_CTX_get_tlsext_ticket_keys(SSL_CTX *ctx, void *out, size_t len) {
1823 if (out == NULL) {
1824 return 48;
1825 }
1826 if (len != 48) {
1827 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_TICKET_KEYS_LENGTH);
1828 return 0;
1829 }
1830
1831 // The default ticket keys are initialized lazily. Trigger a key
1832 // rotation to initialize them.
1833 if (!ssl_ctx_rotate_ticket_encryption_key(ctx)) {
1834 return 0;
1835 }
1836
1837 uint8_t *out_bytes = reinterpret_cast<uint8_t *>(out);
1838 MutexReadLock lock(&ctx->lock);
1839 OPENSSL_memcpy(out_bytes, ctx->ticket_key_current->name, 16);
1840 OPENSSL_memcpy(out_bytes + 16, ctx->ticket_key_current->hmac_key, 16);
1841 OPENSSL_memcpy(out_bytes + 32, ctx->ticket_key_current->aes_key, 16);
1842 return 1;
1843}
1844
1845int SSL_CTX_set_tlsext_ticket_keys(SSL_CTX *ctx, const void *in, size_t len) {
1846 if (in == NULL) {
1847 return 48;
1848 }
1849 if (len != 48) {
1850 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_TICKET_KEYS_LENGTH);
1851 return 0;
1852 }
1853 auto key = MakeUnique<TicketKey>();
1854 if (!key) {
1855 return 0;
1856 }
1857 const uint8_t *in_bytes = reinterpret_cast<const uint8_t *>(in);
1858 OPENSSL_memcpy(key->name, in_bytes, 16);
1859 OPENSSL_memcpy(key->hmac_key, in_bytes + 16, 16);
1860 OPENSSL_memcpy(key->aes_key, in_bytes + 32, 16);
1861 // Disable automatic key rotation for manually-configured keys. This is now
1862 // the caller's responsibility.
1863 key->next_rotation_tv_sec = 0;
1864 ctx->ticket_key_current = std::move(key);
1865 ctx->ticket_key_prev.reset();
1866 return 1;
1867}
1868
1869int SSL_CTX_set_tlsext_ticket_key_cb(
1870 SSL_CTX *ctx, int (*callback)(SSL *ssl, uint8_t *key_name, uint8_t *iv,
1871 EVP_CIPHER_CTX *ctx, HMAC_CTX *hmac_ctx,
1872 int encrypt)) {
1873 ctx->ticket_key_cb = callback;
1874 return 1;
1875}
1876
1877int SSL_CTX_set1_curves(SSL_CTX *ctx, const int *curves, size_t curves_len) {
1878 return tls1_set_curves(&ctx->supported_group_list,
1879 MakeConstSpan(curves, curves_len));
1880}
1881
1882int SSL_set1_curves(SSL *ssl, const int *curves, size_t curves_len) {
1883 if (!ssl->config) {
1884 return 0;
1885 }
1886 return tls1_set_curves(&ssl->config->supported_group_list,
1887 MakeConstSpan(curves, curves_len));
1888}
1889
1890int SSL_CTX_set1_curves_list(SSL_CTX *ctx, const char *curves) {
1891 return tls1_set_curves_list(&ctx->supported_group_list, curves);
1892}
1893
1894int SSL_set1_curves_list(SSL *ssl, const char *curves) {
1895 if (!ssl->config) {
1896 return 0;
1897 }
1898 return tls1_set_curves_list(&ssl->config->supported_group_list, curves);
1899}
1900
1901uint16_t SSL_get_curve_id(const SSL *ssl) {
1902 // TODO(davidben): This checks the wrong session if there is a renegotiation
1903 // in progress.
1904 SSL_SESSION *session = SSL_get_session(ssl);
1905 if (session == NULL) {
1906 return 0;
1907 }
1908
1909 return session->group_id;
1910}
1911
1912int SSL_CTX_set_tmp_dh(SSL_CTX *ctx, const DH *dh) {
1913 return 1;
1914}
1915
1916int SSL_set_tmp_dh(SSL *ssl, const DH *dh) {
1917 return 1;
1918}
1919
1920STACK_OF(SSL_CIPHER) *SSL_CTX_get_ciphers(const SSL_CTX *ctx) {
1921 return ctx->cipher_list->ciphers.get();
1922}
1923
1924int SSL_CTX_cipher_in_group(const SSL_CTX *ctx, size_t i) {
1925 if (i >= sk_SSL_CIPHER_num(ctx->cipher_list->ciphers.get())) {
1926 return 0;
1927 }
1928 return ctx->cipher_list->in_group_flags[i];
1929}
1930
1931STACK_OF(SSL_CIPHER) *SSL_get_ciphers(const SSL *ssl) {
1932 if (ssl == NULL) {
1933 return NULL;
1934 }
1935 if (ssl->config == NULL) {
1936 assert(ssl->config);
1937 return NULL;
1938 }
1939
1940 return ssl->config->cipher_list ? ssl->config->cipher_list->ciphers.get()
1941 : ssl->ctx->cipher_list->ciphers.get();
1942}
1943
1944const char *SSL_get_cipher_list(const SSL *ssl, int n) {
1945 if (ssl == NULL) {
1946 return NULL;
1947 }
1948
1949 STACK_OF(SSL_CIPHER) *sk = SSL_get_ciphers(ssl);
1950 if (sk == NULL || n < 0 || (size_t)n >= sk_SSL_CIPHER_num(sk)) {
1951 return NULL;
1952 }
1953
1954 const SSL_CIPHER *c = sk_SSL_CIPHER_value(sk, n);
1955 if (c == NULL) {
1956 return NULL;
1957 }
1958
1959 return c->name;
1960}
1961
1962int SSL_CTX_set_cipher_list(SSL_CTX *ctx, const char *str) {
1963 return ssl_create_cipher_list(&ctx->cipher_list, str, false /* not strict */);
1964}
1965
1966int SSL_CTX_set_strict_cipher_list(SSL_CTX *ctx, const char *str) {
1967 return ssl_create_cipher_list(&ctx->cipher_list, str, true /* strict */);
1968}
1969
1970int SSL_set_cipher_list(SSL *ssl, const char *str) {
1971 if (!ssl->config) {
1972 return 0;
1973 }
1974 return ssl_create_cipher_list(&ssl->config->cipher_list, str,
1975 false /* not strict */);
1976}
1977
1978int SSL_set_strict_cipher_list(SSL *ssl, const char *str) {
1979 if (!ssl->config) {
1980 return 0;
1981 }
1982 return ssl_create_cipher_list(&ssl->config->cipher_list, str,
1983 true /* strict */);
1984}
1985
1986const char *SSL_get_servername(const SSL *ssl, const int type) {
1987 if (type != TLSEXT_NAMETYPE_host_name) {
1988 return NULL;
1989 }
1990
1991 // Historically, |SSL_get_servername| was also the configuration getter
1992 // corresponding to |SSL_set_tlsext_host_name|.
1993 if (ssl->hostname != nullptr) {
1994 return ssl->hostname.get();
1995 }
1996
1997 return ssl->s3->hostname.get();
1998}
1999
2000int SSL_get_servername_type(const SSL *ssl) {
2001 if (SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name) == NULL) {
2002 return -1;
2003 }
2004 return TLSEXT_NAMETYPE_host_name;
2005}
2006
2007void SSL_CTX_set_custom_verify(
2008 SSL_CTX *ctx, int mode,
2009 enum ssl_verify_result_t (*callback)(SSL *ssl, uint8_t *out_alert)) {
2010 ctx->verify_mode = mode;
2011 ctx->custom_verify_callback = callback;
2012}
2013
2014void SSL_set_custom_verify(
2015 SSL *ssl, int mode,
2016 enum ssl_verify_result_t (*callback)(SSL *ssl, uint8_t *out_alert)) {
2017 if (!ssl->config) {
2018 return;
2019 }
2020 ssl->config->verify_mode = mode;
2021 ssl->config->custom_verify_callback = callback;
2022}
2023
2024void SSL_CTX_enable_signed_cert_timestamps(SSL_CTX *ctx) {
2025 ctx->signed_cert_timestamps_enabled = true;
2026}
2027
2028void SSL_enable_signed_cert_timestamps(SSL *ssl) {
2029 if (!ssl->config) {
2030 return;
2031 }
2032 ssl->config->signed_cert_timestamps_enabled = true;
2033}
2034
2035void SSL_CTX_enable_ocsp_stapling(SSL_CTX *ctx) {
2036 ctx->ocsp_stapling_enabled = true;
2037}
2038
2039void SSL_enable_ocsp_stapling(SSL *ssl) {
2040 if (!ssl->config) {
2041 return;
2042 }
2043 ssl->config->ocsp_stapling_enabled = true;
2044}
2045
2046void SSL_get0_signed_cert_timestamp_list(const SSL *ssl, const uint8_t **out,
2047 size_t *out_len) {
2048 SSL_SESSION *session = SSL_get_session(ssl);
2049 if (ssl->server || !session || !session->signed_cert_timestamp_list) {
2050 *out_len = 0;
2051 *out = NULL;
2052 return;
2053 }
2054
2055 *out = CRYPTO_BUFFER_data(session->signed_cert_timestamp_list.get());
2056 *out_len = CRYPTO_BUFFER_len(session->signed_cert_timestamp_list.get());
2057}
2058
2059void SSL_get0_ocsp_response(const SSL *ssl, const uint8_t **out,
2060 size_t *out_len) {
2061 SSL_SESSION *session = SSL_get_session(ssl);
2062 if (ssl->server || !session || !session->ocsp_response) {
2063 *out_len = 0;
2064 *out = NULL;
2065 return;
2066 }
2067
2068 *out = CRYPTO_BUFFER_data(session->ocsp_response.get());
2069 *out_len = CRYPTO_BUFFER_len(session->ocsp_response.get());
2070}
2071
2072int SSL_set_tlsext_host_name(SSL *ssl, const char *name) {
2073 ssl->hostname.reset();
2074 if (name == nullptr) {
2075 return 1;
2076 }
2077
2078 size_t len = strlen(name);
2079 if (len == 0 || len > TLSEXT_MAXLEN_host_name) {
2080 OPENSSL_PUT_ERROR(SSL, SSL_R_SSL3_EXT_INVALID_SERVERNAME);
2081 return 0;
2082 }
2083 ssl->hostname.reset(BUF_strdup(name));
2084 if (ssl->hostname == nullptr) {
2085 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
2086 return 0;
2087 }
2088 return 1;
2089}
2090
2091int SSL_CTX_set_tlsext_servername_callback(
2092 SSL_CTX *ctx, int (*callback)(SSL *ssl, int *out_alert, void *arg)) {
2093 ctx->servername_callback = callback;
2094 return 1;
2095}
2096
2097int SSL_CTX_set_tlsext_servername_arg(SSL_CTX *ctx, void *arg) {
2098 ctx->servername_arg = arg;
2099 return 1;
2100}
2101
2102int SSL_select_next_proto(uint8_t **out, uint8_t *out_len, const uint8_t *peer,
2103 unsigned peer_len, const uint8_t *supported,
2104 unsigned supported_len) {
2105 const uint8_t *result;
2106 int status;
2107
2108 // For each protocol in peer preference order, see if we support it.
2109 for (unsigned i = 0; i < peer_len;) {
2110 for (unsigned j = 0; j < supported_len;) {
2111 if (peer[i] == supported[j] &&
2112 OPENSSL_memcmp(&peer[i + 1], &supported[j + 1], peer[i]) == 0) {
2113 // We found a match
2114 result = &peer[i];
2115 status = OPENSSL_NPN_NEGOTIATED;
2116 goto found;
2117 }
2118 j += supported[j];
2119 j++;
2120 }
2121 i += peer[i];
2122 i++;
2123 }
2124
2125 // There's no overlap between our protocols and the peer's list.
2126 result = supported;
2127 status = OPENSSL_NPN_NO_OVERLAP;
2128
2129found:
2130 *out = (uint8_t *)result + 1;
2131 *out_len = result[0];
2132 return status;
2133}
2134
2135void SSL_get0_next_proto_negotiated(const SSL *ssl, const uint8_t **out_data,
2136 unsigned *out_len) {
2137 *out_data = ssl->s3->next_proto_negotiated.data();
2138 *out_len = ssl->s3->next_proto_negotiated.size();
2139}
2140
2141void SSL_CTX_set_next_protos_advertised_cb(
2142 SSL_CTX *ctx,
2143 int (*cb)(SSL *ssl, const uint8_t **out, unsigned *out_len, void *arg),
2144 void *arg) {
2145 ctx->next_protos_advertised_cb = cb;
2146 ctx->next_protos_advertised_cb_arg = arg;
2147}
2148
2149void SSL_CTX_set_next_proto_select_cb(
2150 SSL_CTX *ctx, int (*cb)(SSL *ssl, uint8_t **out, uint8_t *out_len,
2151 const uint8_t *in, unsigned in_len, void *arg),
2152 void *arg) {
2153 ctx->next_proto_select_cb = cb;
2154 ctx->next_proto_select_cb_arg = arg;
2155}
2156
2157int SSL_CTX_set_alpn_protos(SSL_CTX *ctx, const uint8_t *protos,
2158 unsigned protos_len) {
2159 // Note this function's calling convention is backwards.
2160 return ctx->alpn_client_proto_list.CopyFrom(MakeConstSpan(protos, protos_len))
2161 ? 0
2162 : 1;
2163}
2164
2165int SSL_set_alpn_protos(SSL *ssl, const uint8_t *protos, unsigned protos_len) {
2166 // Note this function's calling convention is backwards.
2167 if (!ssl->config) {
2168 return 1;
2169 }
2170 return ssl->config->alpn_client_proto_list.CopyFrom(
2171 MakeConstSpan(protos, protos_len))
2172 ? 0
2173 : 1;
2174}
2175
2176void SSL_CTX_set_alpn_select_cb(SSL_CTX *ctx,
2177 int (*cb)(SSL *ssl, const uint8_t **out,
2178 uint8_t *out_len, const uint8_t *in,
2179 unsigned in_len, void *arg),
2180 void *arg) {
2181 ctx->alpn_select_cb = cb;
2182 ctx->alpn_select_cb_arg = arg;
2183}
2184
2185void SSL_get0_alpn_selected(const SSL *ssl, const uint8_t **out_data,
2186 unsigned *out_len) {
2187 if (SSL_in_early_data(ssl) && !ssl->server) {
2188 *out_data = ssl->s3->hs->early_session->early_alpn.data();
2189 *out_len = ssl->s3->hs->early_session->early_alpn.size();
2190 } else {
2191 *out_data = ssl->s3->alpn_selected.data();
2192 *out_len = ssl->s3->alpn_selected.size();
2193 }
2194}
2195
2196void SSL_CTX_set_allow_unknown_alpn_protos(SSL_CTX *ctx, int enabled) {
2197 ctx->allow_unknown_alpn_protos = !!enabled;
2198}
2199
2200int SSL_CTX_add_cert_compression_alg(SSL_CTX *ctx, uint16_t alg_id,
2201 ssl_cert_compression_func_t compress,
2202 ssl_cert_decompression_func_t decompress) {
2203 assert(compress != nullptr || decompress != nullptr);
2204
2205 for (const auto *alg : ctx->cert_compression_algs.get()) {
2206 if (alg->alg_id == alg_id) {
2207 return 0;
2208 }
2209 }
2210
2211 UniquePtr<CertCompressionAlg> alg = MakeUnique<CertCompressionAlg>();
2212 if (alg == nullptr) {
2213 return 0;
2214 }
2215
2216 alg->alg_id = alg_id;
2217 alg->compress = compress;
2218 alg->decompress = decompress;
2219
2220 if (ctx->cert_compression_algs == nullptr) {
2221 ctx->cert_compression_algs.reset(sk_CertCompressionAlg_new_null());
2222 if (ctx->cert_compression_algs == nullptr) {
2223 return 0;
2224 }
2225 }
2226
2227 if (!PushToStack(ctx->cert_compression_algs.get(), std::move(alg))) {
2228 if (sk_CertCompressionAlg_num(ctx->cert_compression_algs.get()) == 0) {
2229 ctx->cert_compression_algs.reset();
2230 }
2231 return 0;
2232 }
2233
2234 return 1;
2235}
2236
2237void SSL_CTX_set_tls_channel_id_enabled(SSL_CTX *ctx, int enabled) {
2238 ctx->channel_id_enabled = !!enabled;
2239}
2240
2241int SSL_CTX_enable_tls_channel_id(SSL_CTX *ctx) {
2242 SSL_CTX_set_tls_channel_id_enabled(ctx, 1);
2243 return 1;
2244}
2245
2246void SSL_set_tls_channel_id_enabled(SSL *ssl, int enabled) {
2247 if (!ssl->config) {
2248 return;
2249 }
2250 ssl->config->channel_id_enabled = !!enabled;
2251}
2252
2253int SSL_enable_tls_channel_id(SSL *ssl) {
2254 SSL_set_tls_channel_id_enabled(ssl, 1);
2255 return 1;
2256}
2257
2258static int is_p256_key(EVP_PKEY *private_key) {
2259 const EC_KEY *ec_key = EVP_PKEY_get0_EC_KEY(private_key);
2260 return ec_key != NULL &&
2261 EC_GROUP_get_curve_name(EC_KEY_get0_group(ec_key)) ==
2262 NID_X9_62_prime256v1;
2263}
2264
2265int SSL_CTX_set1_tls_channel_id(SSL_CTX *ctx, EVP_PKEY *private_key) {
2266 if (!is_p256_key(private_key)) {
2267 OPENSSL_PUT_ERROR(SSL, SSL_R_CHANNEL_ID_NOT_P256);
2268 return 0;
2269 }
2270
2271 ctx->channel_id_private = UpRef(private_key);
2272 ctx->channel_id_enabled = true;
2273
2274 return 1;
2275}
2276
2277int SSL_set1_tls_channel_id(SSL *ssl, EVP_PKEY *private_key) {
2278 if (!ssl->config) {
2279 return 0;
2280 }
2281 if (!is_p256_key(private_key)) {
2282 OPENSSL_PUT_ERROR(SSL, SSL_R_CHANNEL_ID_NOT_P256);
2283 return 0;
2284 }
2285
2286 ssl->config->channel_id_private = UpRef(private_key);
2287 ssl->config->channel_id_enabled = true;
2288
2289 return 1;
2290}
2291
2292size_t SSL_get_tls_channel_id(SSL *ssl, uint8_t *out, size_t max_out) {
2293 if (!ssl->s3->channel_id_valid) {
2294 return 0;
2295 }
2296 OPENSSL_memcpy(out, ssl->s3->channel_id, (max_out < 64) ? max_out : 64);
2297 return 64;
2298}
2299
2300int SSL_set_token_binding_params(SSL *ssl, const uint8_t *params, size_t len) {
2301 if (!ssl->config) {
2302 return 0;
2303 }
2304 if (len > 256) {
2305 OPENSSL_PUT_ERROR(SSL, ERR_R_OVERFLOW);
2306 return 0;
2307 }
2308 return ssl->config->token_binding_params.CopyFrom(MakeConstSpan(params, len));
2309}
2310
2311int SSL_is_token_binding_negotiated(const SSL *ssl) {
2312 return ssl->s3->token_binding_negotiated;
2313}
2314
2315uint8_t SSL_get_negotiated_token_binding_param(const SSL *ssl) {
2316 return ssl->s3->negotiated_token_binding_param;
2317}
2318
2319size_t SSL_get0_certificate_types(const SSL *ssl, const uint8_t **out_types) {
2320 Span<const uint8_t> types;
2321 if (!ssl->server && ssl->s3->hs != nullptr) {
2322 types = ssl->s3->hs->certificate_types;
2323 }
2324 *out_types = types.data();
2325 return types.size();
2326}
2327
2328size_t SSL_get0_peer_verify_algorithms(const SSL *ssl,
2329 const uint16_t **out_sigalgs) {
2330 Span<const uint16_t> sigalgs;
2331 if (ssl->s3->hs != nullptr) {
2332 sigalgs = ssl->s3->hs->peer_sigalgs;
2333 }
2334 *out_sigalgs = sigalgs.data();
2335 return sigalgs.size();
2336}
2337
2338EVP_PKEY *SSL_get_privatekey(const SSL *ssl) {
2339 if (!ssl->config) {
2340 assert(ssl->config);
2341 return NULL;
2342 }
2343 if (ssl->config->cert != NULL) {
2344 return ssl->config->cert->privatekey.get();
2345 }
2346
2347 return NULL;
2348}
2349
2350EVP_PKEY *SSL_CTX_get0_privatekey(const SSL_CTX *ctx) {
2351 if (ctx->cert != NULL) {
2352 return ctx->cert->privatekey.get();
2353 }
2354
2355 return NULL;
2356}
2357
2358const SSL_CIPHER *SSL_get_current_cipher(const SSL *ssl) {
2359 const SSL_SESSION *session = SSL_get_session(ssl);
2360 return session == nullptr ? nullptr : session->cipher;
2361}
2362
2363int SSL_session_reused(const SSL *ssl) {
2364 return ssl->s3->session_reused || SSL_in_early_data(ssl);
2365}
2366
2367const COMP_METHOD *SSL_get_current_compression(SSL *ssl) { return NULL; }
2368
2369const COMP_METHOD *SSL_get_current_expansion(SSL *ssl) { return NULL; }
2370
2371int SSL_get_server_tmp_key(SSL *ssl, EVP_PKEY **out_key) { return 0; }
2372
2373void SSL_CTX_set_quiet_shutdown(SSL_CTX *ctx, int mode) {
2374 ctx->quiet_shutdown = (mode != 0);
2375}
2376
2377int SSL_CTX_get_quiet_shutdown(const SSL_CTX *ctx) {
2378 return ctx->quiet_shutdown;
2379}
2380
2381void SSL_set_quiet_shutdown(SSL *ssl, int mode) {
2382 ssl->quiet_shutdown = (mode != 0);
2383}
2384
2385int SSL_get_quiet_shutdown(const SSL *ssl) { return ssl->quiet_shutdown; }
2386
2387void SSL_set_shutdown(SSL *ssl, int mode) {
2388 // It is an error to clear any bits that have already been set. (We can't try
2389 // to get a second close_notify or send two.)
2390 assert((SSL_get_shutdown(ssl) & mode) == SSL_get_shutdown(ssl));
2391
2392 if (mode & SSL_RECEIVED_SHUTDOWN &&
2393 ssl->s3->read_shutdown == ssl_shutdown_none) {
2394 ssl->s3->read_shutdown = ssl_shutdown_close_notify;
2395 }
2396
2397 if (mode & SSL_SENT_SHUTDOWN &&
2398 ssl->s3->write_shutdown == ssl_shutdown_none) {
2399 ssl->s3->write_shutdown = ssl_shutdown_close_notify;
2400 }
2401}
2402
2403int SSL_get_shutdown(const SSL *ssl) {
2404 int ret = 0;
2405 if (ssl->s3->read_shutdown != ssl_shutdown_none) {
2406 // Historically, OpenSSL set |SSL_RECEIVED_SHUTDOWN| on both close_notify
2407 // and fatal alert.
2408 ret |= SSL_RECEIVED_SHUTDOWN;
2409 }
2410 if (ssl->s3->write_shutdown == ssl_shutdown_close_notify) {
2411 // Historically, OpenSSL set |SSL_SENT_SHUTDOWN| on only close_notify.
2412 ret |= SSL_SENT_SHUTDOWN;
2413 }
2414 return ret;
2415}
2416
2417SSL_CTX *SSL_get_SSL_CTX(const SSL *ssl) { return ssl->ctx.get(); }
2418
2419SSL_CTX *SSL_set_SSL_CTX(SSL *ssl, SSL_CTX *ctx) {
2420 if (!ssl->config) {
2421 return NULL;
2422 }
2423 if (ssl->ctx.get() == ctx) {
2424 return ssl->ctx.get();
2425 }
2426
2427 // One cannot change the X.509 callbacks during a connection.
2428 if (ssl->ctx->x509_method != ctx->x509_method) {
2429 assert(0);
2430 return NULL;
2431 }
2432
2433 UniquePtr<CERT> new_cert = ssl_cert_dup(ctx->cert.get());
2434 if (!new_cert) {
2435 return nullptr;
2436 }
2437
2438 ssl->config->cert = std::move(new_cert);
2439 ssl->ctx = UpRef(ctx);
2440 ssl->enable_early_data = ssl->ctx->enable_early_data;
2441
2442 return ssl->ctx.get();
2443}
2444
2445void SSL_set_info_callback(SSL *ssl,
2446 void (*cb)(const SSL *ssl, int type, int value)) {
2447 ssl->info_callback = cb;
2448}
2449
2450void (*SSL_get_info_callback(const SSL *ssl))(const SSL *ssl, int type,
2451 int value) {
2452 return ssl->info_callback;
2453}
2454
2455int SSL_state(const SSL *ssl) {
2456 return SSL_in_init(ssl) ? SSL_ST_INIT : SSL_ST_OK;
2457}
2458
2459void SSL_set_state(SSL *ssl, int state) { }
2460
2461char *SSL_get_shared_ciphers(const SSL *ssl, char *buf, int len) {
2462 if (len <= 0) {
2463 return NULL;
2464 }
2465 buf[0] = '\0';
2466 return buf;
2467}
2468
2469int SSL_CTX_set_quic_method(SSL_CTX *ctx, const SSL_QUIC_METHOD *quic_method) {
2470 if (ctx->method->is_dtls) {
2471 return 0;
2472 }
2473 ctx->quic_method = quic_method;
2474 return 1;
2475}
2476
2477int SSL_set_quic_method(SSL *ssl, const SSL_QUIC_METHOD *quic_method) {
2478 if (ssl->method->is_dtls) {
2479 return 0;
2480 }
2481 ssl->quic_method = quic_method;
2482 return 1;
2483}
2484
2485int SSL_get_ex_new_index(long argl, void *argp, CRYPTO_EX_unused *unused,
2486 CRYPTO_EX_dup *dup_unused, CRYPTO_EX_free *free_func) {
2487 int index;
2488 if (!CRYPTO_get_ex_new_index(&g_ex_data_class_ssl, &index, argl, argp,
2489 free_func)) {
2490 return -1;
2491 }
2492 return index;
2493}
2494
2495int SSL_set_ex_data(SSL *ssl, int idx, void *data) {
2496 return CRYPTO_set_ex_data(&ssl->ex_data, idx, data);
2497}
2498
2499void *SSL_get_ex_data(const SSL *ssl, int idx) {
2500 return CRYPTO_get_ex_data(&ssl->ex_data, idx);
2501}
2502
2503int SSL_CTX_get_ex_new_index(long argl, void *argp, CRYPTO_EX_unused *unused,
2504 CRYPTO_EX_dup *dup_unused,
2505 CRYPTO_EX_free *free_func) {
2506 int index;
2507 if (!CRYPTO_get_ex_new_index(&g_ex_data_class_ssl_ctx, &index, argl, argp,
2508 free_func)) {
2509 return -1;
2510 }
2511 return index;
2512}
2513
2514int SSL_CTX_set_ex_data(SSL_CTX *ctx, int idx, void *data) {
2515 return CRYPTO_set_ex_data(&ctx->ex_data, idx, data);
2516}
2517
2518void *SSL_CTX_get_ex_data(const SSL_CTX *ctx, int idx) {
2519 return CRYPTO_get_ex_data(&ctx->ex_data, idx);
2520}
2521
2522int SSL_want(const SSL *ssl) { return ssl->s3->rwstate; }
2523
2524void SSL_CTX_set_tmp_rsa_callback(SSL_CTX *ctx,
2525 RSA *(*cb)(SSL *ssl, int is_export,
2526 int keylength)) {}
2527
2528void SSL_set_tmp_rsa_callback(SSL *ssl, RSA *(*cb)(SSL *ssl, int is_export,
2529 int keylength)) {}
2530
2531void SSL_CTX_set_tmp_dh_callback(SSL_CTX *ctx,
2532 DH *(*cb)(SSL *ssl, int is_export,
2533 int keylength)) {}
2534
2535void SSL_set_tmp_dh_callback(SSL *ssl, DH *(*cb)(SSL *ssl, int is_export,
2536 int keylength)) {}
2537
2538static int use_psk_identity_hint(UniquePtr<char> *out,
2539 const char *identity_hint) {
2540 if (identity_hint != NULL && strlen(identity_hint) > PSK_MAX_IDENTITY_LEN) {
2541 OPENSSL_PUT_ERROR(SSL, SSL_R_DATA_LENGTH_TOO_LONG);
2542 return 0;
2543 }
2544
2545 // Clear currently configured hint, if any.
2546 out->reset();
2547
2548 // Treat the empty hint as not supplying one. Plain PSK makes it possible to
2549 // send either no hint (omit ServerKeyExchange) or an empty hint, while
2550 // ECDHE_PSK can only spell empty hint. Having different capabilities is odd,
2551 // so we interpret empty and missing as identical.
2552 if (identity_hint != NULL && identity_hint[0] != '\0') {
2553 out->reset(BUF_strdup(identity_hint));
2554 if (*out == nullptr) {
2555 return 0;
2556 }
2557 }
2558
2559 return 1;
2560}
2561
2562int SSL_CTX_use_psk_identity_hint(SSL_CTX *ctx, const char *identity_hint) {
2563 return use_psk_identity_hint(&ctx->psk_identity_hint, identity_hint);
2564}
2565
2566int SSL_use_psk_identity_hint(SSL *ssl, const char *identity_hint) {
2567 if (!ssl->config) {
2568 return 0;
2569 }
2570 return use_psk_identity_hint(&ssl->config->psk_identity_hint, identity_hint);
2571}
2572
2573const char *SSL_get_psk_identity_hint(const SSL *ssl) {
2574 if (ssl == NULL) {
2575 return NULL;
2576 }
2577 if (ssl->config == NULL) {
2578 assert(ssl->config);
2579 return NULL;
2580 }
2581 return ssl->config->psk_identity_hint.get();
2582}
2583
2584const char *SSL_get_psk_identity(const SSL *ssl) {
2585 if (ssl == NULL) {
2586 return NULL;
2587 }
2588 SSL_SESSION *session = SSL_get_session(ssl);
2589 if (session == NULL) {
2590 return NULL;
2591 }
2592 return session->psk_identity.get();
2593}
2594
2595void SSL_set_psk_client_callback(
2596 SSL *ssl, unsigned (*cb)(SSL *ssl, const char *hint, char *identity,
2597 unsigned max_identity_len, uint8_t *psk,
2598 unsigned max_psk_len)) {
2599 if (!ssl->config) {
2600 return;
2601 }
2602 ssl->config->psk_client_callback = cb;
2603}
2604
2605void SSL_CTX_set_psk_client_callback(
2606 SSL_CTX *ctx, unsigned (*cb)(SSL *ssl, const char *hint, char *identity,
2607 unsigned max_identity_len, uint8_t *psk,
2608 unsigned max_psk_len)) {
2609 ctx->psk_client_callback = cb;
2610}
2611
2612void SSL_set_psk_server_callback(
2613 SSL *ssl, unsigned (*cb)(SSL *ssl, const char *identity, uint8_t *psk,
2614 unsigned max_psk_len)) {
2615 if (!ssl->config) {
2616 return;
2617 }
2618 ssl->config->psk_server_callback = cb;
2619}
2620
2621void SSL_CTX_set_psk_server_callback(
2622 SSL_CTX *ctx, unsigned (*cb)(SSL *ssl, const char *identity,
2623 uint8_t *psk, unsigned max_psk_len)) {
2624 ctx->psk_server_callback = cb;
2625}
2626
2627void SSL_CTX_set_msg_callback(SSL_CTX *ctx,
2628 void (*cb)(int write_p, int version,
2629 int content_type, const void *buf,
2630 size_t len, SSL *ssl, void *arg)) {
2631 ctx->msg_callback = cb;
2632}
2633
2634void SSL_CTX_set_msg_callback_arg(SSL_CTX *ctx, void *arg) {
2635 ctx->msg_callback_arg = arg;
2636}
2637
2638void SSL_set_msg_callback(SSL *ssl,
2639 void (*cb)(int write_p, int version, int content_type,
2640 const void *buf, size_t len, SSL *ssl,
2641 void *arg)) {
2642 ssl->msg_callback = cb;
2643}
2644
2645void SSL_set_msg_callback_arg(SSL *ssl, void *arg) {
2646 ssl->msg_callback_arg = arg;
2647}
2648
2649void SSL_CTX_set_keylog_callback(SSL_CTX *ctx,
2650 void (*cb)(const SSL *ssl, const char *line)) {
2651 ctx->keylog_callback = cb;
2652}
2653
2654void (*SSL_CTX_get_keylog_callback(const SSL_CTX *ctx))(const SSL *ssl,
2655 const char *line) {
2656 return ctx->keylog_callback;
2657}
2658
2659void SSL_CTX_set_current_time_cb(SSL_CTX *ctx,
2660 void (*cb)(const SSL *ssl,
2661 struct timeval *out_clock)) {
2662 ctx->current_time_cb = cb;
2663}
2664
2665int SSL_is_init_finished(const SSL *ssl) {
2666 return !SSL_in_init(ssl);
2667}
2668
2669int SSL_in_init(const SSL *ssl) {
2670 // This returns false once all the handshake state has been finalized, to
2671 // allow callbacks and getters based on SSL_in_init to return the correct
2672 // values.
2673 SSL_HANDSHAKE *hs = ssl->s3->hs.get();
2674 return hs != nullptr && !hs->handshake_finalized;
2675}
2676
2677int SSL_in_false_start(const SSL *ssl) {
2678 if (ssl->s3->hs == NULL) {
2679 return 0;
2680 }
2681 return ssl->s3->hs->in_false_start;
2682}
2683
2684int SSL_cutthrough_complete(const SSL *ssl) {
2685 return SSL_in_false_start(ssl);
2686}
2687
2688int SSL_is_server(const SSL *ssl) { return ssl->server; }
2689
2690int SSL_is_dtls(const SSL *ssl) { return ssl->method->is_dtls; }
2691
2692void SSL_CTX_set_select_certificate_cb(
2693 SSL_CTX *ctx,
2694 enum ssl_select_cert_result_t (*cb)(const SSL_CLIENT_HELLO *)) {
2695 ctx->select_certificate_cb = cb;
2696}
2697
2698void SSL_CTX_set_dos_protection_cb(SSL_CTX *ctx,
2699 int (*cb)(const SSL_CLIENT_HELLO *)) {
2700 ctx->dos_protection_cb = cb;
2701}
2702
2703void SSL_CTX_set_reverify_on_resume(SSL_CTX *ctx, int enabled) {
2704 ctx->reverify_on_resume = !!enabled;
2705}
2706
2707void SSL_set_enforce_rsa_key_usage(SSL *ssl, int enabled) {
2708 if (!ssl->config) {
2709 return;
2710 }
2711 ssl->config->enforce_rsa_key_usage = !!enabled;
2712}
2713
2714void SSL_set_renegotiate_mode(SSL *ssl, enum ssl_renegotiate_mode_t mode) {
2715 ssl->renegotiate_mode = mode;
2716
2717 // Check if |ssl_can_renegotiate| has changed and the configuration may now be
2718 // shed. HTTP clients may initially allow renegotiation for HTTP/1.1, and then
2719 // disable after the handshake once the ALPN protocol is known to be HTTP/2.
2720 ssl_maybe_shed_handshake_config(ssl);
2721}
2722
2723int SSL_get_ivs(const SSL *ssl, const uint8_t **out_read_iv,
2724 const uint8_t **out_write_iv, size_t *out_iv_len) {
2725 size_t write_iv_len;
2726 if (!ssl->s3->aead_read_ctx->GetIV(out_read_iv, out_iv_len) ||
2727 !ssl->s3->aead_write_ctx->GetIV(out_write_iv, &write_iv_len) ||
2728 *out_iv_len != write_iv_len) {
2729 return 0;
2730 }
2731
2732 return 1;
2733}
2734
2735static uint64_t be_to_u64(const uint8_t in[8]) {
2736 return (((uint64_t)in[0]) << 56) | (((uint64_t)in[1]) << 48) |
2737 (((uint64_t)in[2]) << 40) | (((uint64_t)in[3]) << 32) |
2738 (((uint64_t)in[4]) << 24) | (((uint64_t)in[5]) << 16) |
2739 (((uint64_t)in[6]) << 8) | ((uint64_t)in[7]);
2740}
2741
2742uint64_t SSL_get_read_sequence(const SSL *ssl) {
2743 // TODO(davidben): Internally represent sequence numbers as uint64_t.
2744 if (SSL_is_dtls(ssl)) {
2745 // max_seq_num already includes the epoch.
2746 assert(ssl->d1->r_epoch == (ssl->d1->bitmap.max_seq_num >> 48));
2747 return ssl->d1->bitmap.max_seq_num;
2748 }
2749 return be_to_u64(ssl->s3->read_sequence);
2750}
2751
2752uint64_t SSL_get_write_sequence(const SSL *ssl) {
2753 uint64_t ret = be_to_u64(ssl->s3->write_sequence);
2754 if (SSL_is_dtls(ssl)) {
2755 assert((ret >> 48) == 0);
2756 ret |= ((uint64_t)ssl->d1->w_epoch) << 48;
2757 }
2758 return ret;
2759}
2760
2761uint16_t SSL_get_peer_signature_algorithm(const SSL *ssl) {
2762 // TODO(davidben): This checks the wrong session if there is a renegotiation
2763 // in progress.
2764 SSL_SESSION *session = SSL_get_session(ssl);
2765 if (session == NULL) {
2766 return 0;
2767 }
2768
2769 return session->peer_signature_algorithm;
2770}
2771
2772size_t SSL_get_client_random(const SSL *ssl, uint8_t *out, size_t max_out) {
2773 if (max_out == 0) {
2774 return sizeof(ssl->s3->client_random);
2775 }
2776 if (max_out > sizeof(ssl->s3->client_random)) {
2777 max_out = sizeof(ssl->s3->client_random);
2778 }
2779 OPENSSL_memcpy(out, ssl->s3->client_random, max_out);
2780 return max_out;
2781}
2782
2783size_t SSL_get_server_random(const SSL *ssl, uint8_t *out, size_t max_out) {
2784 if (max_out == 0) {
2785 return sizeof(ssl->s3->server_random);
2786 }
2787 if (max_out > sizeof(ssl->s3->server_random)) {
2788 max_out = sizeof(ssl->s3->server_random);
2789 }
2790 OPENSSL_memcpy(out, ssl->s3->server_random, max_out);
2791 return max_out;
2792}
2793
2794const SSL_CIPHER *SSL_get_pending_cipher(const SSL *ssl) {
2795 SSL_HANDSHAKE *hs = ssl->s3->hs.get();
2796 if (hs == NULL) {
2797 return NULL;
2798 }
2799 return hs->new_cipher;
2800}
2801
2802void SSL_set_retain_only_sha256_of_client_certs(SSL *ssl, int enabled) {
2803 if (!ssl->config) {
2804 return;
2805 }
2806 ssl->config->retain_only_sha256_of_client_certs = !!enabled;
2807}
2808
2809void SSL_CTX_set_retain_only_sha256_of_client_certs(SSL_CTX *ctx, int enabled) {
2810 ctx->retain_only_sha256_of_client_certs = !!enabled;
2811}
2812
2813void SSL_CTX_set_grease_enabled(SSL_CTX *ctx, int enabled) {
2814 ctx->grease_enabled = !!enabled;
2815}
2816
2817int32_t SSL_get_ticket_age_skew(const SSL *ssl) {
2818 return ssl->s3->ticket_age_skew;
2819}
2820
2821void SSL_CTX_set_false_start_allowed_without_alpn(SSL_CTX *ctx, int allowed) {
2822 ctx->false_start_allowed_without_alpn = !!allowed;
2823}
2824
2825int SSL_is_tls13_downgrade(const SSL *ssl) { return ssl->s3->tls13_downgrade; }
2826
2827void SSL_CTX_set_ignore_tls13_downgrade(SSL_CTX *ctx, int ignore) {
2828 ctx->ignore_tls13_downgrade = !!ignore;
2829}
2830
2831void SSL_set_ignore_tls13_downgrade(SSL *ssl, int ignore) {
2832 if (!ssl->config) {
2833 return;
2834 }
2835 ssl->config->ignore_tls13_downgrade = !!ignore;
2836}
2837
2838void SSL_set_shed_handshake_config(SSL *ssl, int enable) {
2839 if (!ssl->config) {
2840 return;
2841 }
2842 ssl->config->shed_handshake_config = !!enable;
2843}
2844
2845void SSL_set_jdk11_workaround(SSL *ssl, int enable) {
2846 if (!ssl->config) {
2847 return;
2848 }
2849 ssl->config->jdk11_workaround = !!enable;
2850}
2851
2852int SSL_clear(SSL *ssl) {
2853 if (!ssl->config) {
2854 return 0; // SSL_clear may not be used after shedding config.
2855 }
2856
2857 // In OpenSSL, reusing a client |SSL| with |SSL_clear| causes the previously
2858 // established session to be offered the next time around. wpa_supplicant
2859 // depends on this behavior, so emulate it.
2860 UniquePtr<SSL_SESSION> session;
2861 if (!ssl->server && ssl->s3->established_session != NULL) {
2862 session = UpRef(ssl->s3->established_session);
2863 }
2864
2865 // The ssl->d1->mtu is simultaneously configuration (preserved across
2866 // clear) and connection-specific state (gets reset).
2867 //
2868 // TODO(davidben): Avoid this.
2869 unsigned mtu = 0;
2870 if (ssl->d1 != NULL) {
2871 mtu = ssl->d1->mtu;
2872 }
2873
2874 ssl->method->ssl_free(ssl);
2875 if (!ssl->method->ssl_new(ssl)) {
2876 return 0;
2877 }
2878
2879 if (SSL_is_dtls(ssl) && (SSL_get_options(ssl) & SSL_OP_NO_QUERY_MTU)) {
2880 ssl->d1->mtu = mtu;
2881 }
2882
2883 if (session != nullptr) {
2884 SSL_set_session(ssl, session.get());
2885 }
2886
2887 return 1;
2888}
2889
2890int SSL_CTX_sess_connect(const SSL_CTX *ctx) { return 0; }
2891int SSL_CTX_sess_connect_good(const SSL_CTX *ctx) { return 0; }
2892int SSL_CTX_sess_connect_renegotiate(const SSL_CTX *ctx) { return 0; }
2893int SSL_CTX_sess_accept(const SSL_CTX *ctx) { return 0; }
2894int SSL_CTX_sess_accept_renegotiate(const SSL_CTX *ctx) { return 0; }
2895int SSL_CTX_sess_accept_good(const SSL_CTX *ctx) { return 0; }
2896int SSL_CTX_sess_hits(const SSL_CTX *ctx) { return 0; }
2897int SSL_CTX_sess_cb_hits(const SSL_CTX *ctx) { return 0; }
2898int SSL_CTX_sess_misses(const SSL_CTX *ctx) { return 0; }
2899int SSL_CTX_sess_timeouts(const SSL_CTX *ctx) { return 0; }
2900int SSL_CTX_sess_cache_full(const SSL_CTX *ctx) { return 0; }
2901
2902int SSL_num_renegotiations(const SSL *ssl) {
2903 return SSL_total_renegotiations(ssl);
2904}
2905
2906int SSL_CTX_need_tmp_RSA(const SSL_CTX *ctx) { return 0; }
2907int SSL_need_tmp_RSA(const SSL *ssl) { return 0; }
2908int SSL_CTX_set_tmp_rsa(SSL_CTX *ctx, const RSA *rsa) { return 1; }
2909int SSL_set_tmp_rsa(SSL *ssl, const RSA *rsa) { return 1; }
2910void ERR_load_SSL_strings(void) {}
2911void SSL_load_error_strings(void) {}
2912int SSL_cache_hit(SSL *ssl) { return SSL_session_reused(ssl); }
2913
2914int SSL_CTX_set_tmp_ecdh(SSL_CTX *ctx, const EC_KEY *ec_key) {
2915 if (ec_key == NULL || EC_KEY_get0_group(ec_key) == NULL) {
2916 OPENSSL_PUT_ERROR(SSL, ERR_R_PASSED_NULL_PARAMETER);
2917 return 0;
2918 }
2919 int nid = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec_key));
2920 return SSL_CTX_set1_curves(ctx, &nid, 1);
2921}
2922
2923int SSL_set_tmp_ecdh(SSL *ssl, const EC_KEY *ec_key) {
2924 if (ec_key == NULL || EC_KEY_get0_group(ec_key) == NULL) {
2925 OPENSSL_PUT_ERROR(SSL, ERR_R_PASSED_NULL_PARAMETER);
2926 return 0;
2927 }
2928 int nid = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec_key));
2929 return SSL_set1_curves(ssl, &nid, 1);
2930}
2931
2932void SSL_CTX_set_ticket_aead_method(SSL_CTX *ctx,
2933 const SSL_TICKET_AEAD_METHOD *aead_method) {
2934 ctx->ticket_aead_method = aead_method;
2935}
2936
2937int SSL_set_tlsext_status_type(SSL *ssl, int type) {
2938 if (!ssl->config) {
2939 return 0;
2940 }
2941 ssl->config->ocsp_stapling_enabled = type == TLSEXT_STATUSTYPE_ocsp;
2942 return 1;
2943}
2944
2945int SSL_get_tlsext_status_type(const SSL *ssl) {
2946 if (ssl->server) {
2947 SSL_HANDSHAKE *hs = ssl->s3->hs.get();
2948 return hs != nullptr && hs->ocsp_stapling_requested
2949 ? TLSEXT_STATUSTYPE_ocsp
2950 : TLSEXT_STATUSTYPE_nothing;
2951 }
2952
2953 return ssl->config != nullptr && ssl->config->ocsp_stapling_enabled
2954 ? TLSEXT_STATUSTYPE_ocsp
2955 : TLSEXT_STATUSTYPE_nothing;
2956}
2957
2958int SSL_set_tlsext_status_ocsp_resp(SSL *ssl, uint8_t *resp, size_t resp_len) {
2959 if (SSL_set_ocsp_response(ssl, resp, resp_len)) {
2960 OPENSSL_free(resp);
2961 return 1;
2962 }
2963 return 0;
2964}
2965
2966size_t SSL_get_tlsext_status_ocsp_resp(const SSL *ssl, const uint8_t **out) {
2967 size_t ret;
2968 SSL_get0_ocsp_response(ssl, out, &ret);
2969 return ret;
2970}
2971
2972int SSL_CTX_set_tlsext_status_cb(SSL_CTX *ctx,
2973 int (*callback)(SSL *ssl, void *arg)) {
2974 ctx->legacy_ocsp_callback = callback;
2975 return 1;
2976}
2977
2978int SSL_CTX_set_tlsext_status_arg(SSL_CTX *ctx, void *arg) {
2979 ctx->legacy_ocsp_callback_arg = arg;
2980 return 1;
2981}
2982