kris/boringssl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
4784b99bf3
boringssl/ssl/dtls_method.c

219 lines
6.6 KiB
C
Raw Normal View History

Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
2014-06-20 20:00:00 +01:00
/*
* DTLS implementation written by Nagendra Modadugu
* (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
*/
/* ====================================================================
* Copyright (c) 1999-2005 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* 3. All advertising materials mentioning features or use of this
* software must display the following acknowledgment:
* "This product includes software developed by the OpenSSL Project
* for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
*
* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
* endorse or promote products derived from this software without
* prior written permission. For written permission, please contact
* openssl-core@OpenSSL.org.
*
* 5. Products derived from this software may not be called "OpenSSL"
* nor may "OpenSSL" appear in their names without prior written
* permission of the OpenSSL Project.
*
* 6. Redistributions of any form whatsoever must retain the following
* acknowledgment:
* "This product includes software developed by the OpenSSL Project
* for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
*
* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
* OF THE POSSIBILITY OF SUCH DAMAGE.
* ====================================================================
*
* This product includes cryptographic software written by Eric Young
* (eay@cryptsoft.com). This product includes software written by Tim
* Hudson (tjh@cryptsoft.com). */
Align the SSL stack on #include style. ssl.h should be first. Also two lines after includes and the rest of the file. Change-Id: Icb7586e00a3e64170082c96cf3f8bfbb2b7e1611 Reviewed-on: https://boringssl-review.googlesource.com/5892 Reviewed-by: Adam Langley <agl@google.com>
2015-09-15 06:48:04 +01:00
#include <openssl/ssl.h>
Simplify version configuration. OpenSSL's SSL_OP_NO_* flags allow discontinuous version ranges. This is a nuisance for two reasons. First it makes it unnecessarily difficult to answer "are any versions below TLS 1.3 enabled?". Second the protocol does not allow discontinuous version ranges on the client anyway. OpenSSL instead picks the first continous range of enabled versions on the client, but not the server. This is bizarrely inconsistent. It also doesn't quite do this as the ClientHello sending logic does this, but not the ServerHello processing logic. So we actually break some invariants slightly. The logic is also cumbersome in DTLS which kindly inverts the comparison logic. First, switch min_version/max_version's storage to normalized versions. Next replace all the ad-hoc version-related functions with a single ssl_get_version_range function. Client and server now consistently pick a contiguous range of versions. Note this is a slight behavior change for servers. Version-range-sensitive logic is rewritten to use this new function. BUG=66 Change-Id: Iad0d64f2b7a917603fc7da54c9fc6656c5fbdb24 Reviewed-on: https://boringssl-review.googlesource.com/8513 Reviewed-by: David Benjamin <davidben@google.com>
2016-06-21 15:33:21 +01:00
#include <assert.h>
Check for buffered handshake messages on cipher change in DTLS. This is the equivalent of FragmentAcrossChangeCipherSuite for DTLS. It is possible for us to, while receiving pre-CCS handshake messages, to buffer up a message with sequence number meant for a post-CCS Finished. When we then get to the new epoch and attempt to read the Finished, we will process the buffered Finished although it was sent with the wrong encryption. Move ssl_set_{read,write}_state to SSL_PROTOCOL_METHOD hooks as this is a property of the transport. Notably, read_state may fail. In DTLS check the handshake buffer size. We could place this check in read_change_cipher_spec, but TLS 1.3 has no ChangeCipherSpec message, so we will need to implement this at the cipher change point anyway. (For now, there is only an assert on the TLS side. This will be replaced with a proper check in TLS 1.3.) Change-Id: Ia52b0b81e7db53e9ed2d4f6d334a1cce13e93297 Reviewed-on: https://boringssl-review.googlesource.com/8790 Reviewed-by: Steven Valdez <svaldez@google.com> Reviewed-by: David Benjamin <davidben@google.com> Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2016-07-15 04:10:43 +01:00
#include <string.h>
Simplify version configuration. OpenSSL's SSL_OP_NO_* flags allow discontinuous version ranges. This is a nuisance for two reasons. First it makes it unnecessarily difficult to answer "are any versions below TLS 1.3 enabled?". Second the protocol does not allow discontinuous version ranges on the client anyway. OpenSSL instead picks the first continous range of enabled versions on the client, but not the server. This is bizarrely inconsistent. It also doesn't quite do this as the ClientHello sending logic does this, but not the ServerHello processing logic. So we actually break some invariants slightly. The logic is also cumbersome in DTLS which kindly inverts the comparison logic. First, switch min_version/max_version's storage to normalized versions. Next replace all the ad-hoc version-related functions with a single ssl_get_version_range function. Client and server now consistently pick a contiguous range of versions. Note this is a slight behavior change for servers. Version-range-sensitive logic is rewritten to use this new function. BUG=66 Change-Id: Iad0d64f2b7a917603fc7da54c9fc6656c5fbdb24 Reviewed-on: https://boringssl-review.googlesource.com/8513 Reviewed-by: David Benjamin <davidben@google.com>
2016-06-21 15:33:21 +01:00
Move references to init_buf into SSL_PROTOCOL_METHOD. Both DTLS and TLS still use it, but that will change in the following commit. This also removes the handshake's knowledge of the dtls_clear_incoming_messages function. (It's possible we'll want to get rid of begin_handshake in favor of allocating it lazily depending on how TLS 1.3 post-handshake messages end up working out. But this should work for now.) Change-Id: I0f512788bbc330ab2c947890939c73e0a1aca18b Reviewed-on: https://boringssl-review.googlesource.com/8666 Reviewed-by: Steven Valdez <svaldez@google.com> Reviewed-by: David Benjamin <davidben@google.com>
2016-07-08 17:16:50 +01:00
#include <openssl/buf.h>
Check for buffered handshake messages on cipher change in DTLS. This is the equivalent of FragmentAcrossChangeCipherSuite for DTLS. It is possible for us to, while receiving pre-CCS handshake messages, to buffer up a message with sequence number meant for a post-CCS Finished. When we then get to the new epoch and attempt to read the Finished, we will process the buffered Finished although it was sent with the wrong encryption. Move ssl_set_{read,write}_state to SSL_PROTOCOL_METHOD hooks as this is a property of the transport. Notably, read_state may fail. In DTLS check the handshake buffer size. We could place this check in read_change_cipher_spec, but TLS 1.3 has no ChangeCipherSpec message, so we will need to implement this at the cipher change point anyway. (For now, there is only an assert on the TLS side. This will be replaced with a proper check in TLS 1.3.) Change-Id: Ia52b0b81e7db53e9ed2d4f6d334a1cce13e93297 Reviewed-on: https://boringssl-review.googlesource.com/8790 Reviewed-by: Steven Valdez <svaldez@google.com> Reviewed-by: David Benjamin <davidben@google.com> Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2016-07-15 04:10:43 +01:00
#include <openssl/err.h>
Move references to init_buf into SSL_PROTOCOL_METHOD. Both DTLS and TLS still use it, but that will change in the following commit. This also removes the handshake's knowledge of the dtls_clear_incoming_messages function. (It's possible we'll want to get rid of begin_handshake in favor of allocating it lazily depending on how TLS 1.3 post-handshake messages end up working out. But this should work for now.) Change-Id: I0f512788bbc330ab2c947890939c73e0a1aca18b Reviewed-on: https://boringssl-review.googlesource.com/8666 Reviewed-by: Steven Valdez <svaldez@google.com> Reviewed-by: David Benjamin <davidben@google.com>
2016-07-08 17:16:50 +01:00
Work around language and compiler bug in memcpy, etc. Most C standard library functions are undefined if passed NULL, even when the corresponding length is zero. This gives them (and, in turn, all functions which call them) surprising behavior on empty arrays. Some compilers will miscompile code due to this rule. See also https://www.imperialviolet.org/2016/06/26/nonnull.html Add OPENSSL_memcpy, etc., wrappers which avoid this problem. BUG=23 Change-Id: I95f42b23e92945af0e681264fffaf578e7f8465e Reviewed-on: https://boringssl-review.googlesource.com/12928 Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: Adam Langley <agl@google.com>
2016-12-13 06:07:13 +00:00
#include "../crypto/internal.h"
Rename ssl_locl.h to internal.h Match the other internal headers. Change-Id: Iff7e2dd06a1a7bf993053d0464cc15638ace3aaa Reviewed-on: https://boringssl-review.googlesource.com/4280 Reviewed-by: Adam Langley <agl@google.com>
2015-04-08 03:38:30 +01:00
#include "internal.h"
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
2014-06-20 20:00:00 +01:00
Don't return invalid versions in version_from_wire. This is in preparation for using the supported_versions extension to experiment with draft TLS 1.3 versions, since we don't wish to restore the fallback. With versions begin opaque values, we will want version_from_wire to reject unknown values, not attempt to preserve order in some way. This means ClientHello.version processing needs to be separate code. That's just written out fully in negotiate_version now. It also means SSL_set_{min,max}_version will notice invalid inputs which aligns us better with upstream's versions of those APIs. This CL doesn't replace ssl->version with an internal-representation version, though follow work should do it once a couple of changes land in consumers. BUG=90 Change-Id: Id2f5e1fa72847c823ee7f082e9e69f55e51ce9da Reviewed-on: https://boringssl-review.googlesource.com/11122 Reviewed-by: David Benjamin <davidben@google.com> Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2016-09-20 00:57:37 +01:00
static int dtls1_version_from_wire(uint16_t *out_version,
uint16_t wire_version) {
switch (wire_version) {
case DTLS1_VERSION:
/* DTLS 1.0 maps to TLS 1.1, not TLS 1.0. */
*out_version = TLS1_1_VERSION;
return 1;
case DTLS1_2_VERSION:
*out_version = TLS1_2_VERSION;
return 1;
Simplify version configuration. OpenSSL's SSL_OP_NO_* flags allow discontinuous version ranges. This is a nuisance for two reasons. First it makes it unnecessarily difficult to answer "are any versions below TLS 1.3 enabled?". Second the protocol does not allow discontinuous version ranges on the client anyway. OpenSSL instead picks the first continous range of enabled versions on the client, but not the server. This is bizarrely inconsistent. It also doesn't quite do this as the ClientHello sending logic does this, but not the ServerHello processing logic. So we actually break some invariants slightly. The logic is also cumbersome in DTLS which kindly inverts the comparison logic. First, switch min_version/max_version's storage to normalized versions. Next replace all the ad-hoc version-related functions with a single ssl_get_version_range function. Client and server now consistently pick a contiguous range of versions. Note this is a slight behavior change for servers. Version-range-sensitive logic is rewritten to use this new function. BUG=66 Change-Id: Iad0d64f2b7a917603fc7da54c9fc6656c5fbdb24 Reviewed-on: https://boringssl-review.googlesource.com/8513 Reviewed-by: David Benjamin <davidben@google.com>
2016-06-21 15:33:21 +01:00
}
Don't return invalid versions in version_from_wire. This is in preparation for using the supported_versions extension to experiment with draft TLS 1.3 versions, since we don't wish to restore the fallback. With versions begin opaque values, we will want version_from_wire to reject unknown values, not attempt to preserve order in some way. This means ClientHello.version processing needs to be separate code. That's just written out fully in negotiate_version now. It also means SSL_set_{min,max}_version will notice invalid inputs which aligns us better with upstream's versions of those APIs. This CL doesn't replace ssl->version with an internal-representation version, though follow work should do it once a couple of changes land in consumers. BUG=90 Change-Id: Id2f5e1fa72847c823ee7f082e9e69f55e51ce9da Reviewed-on: https://boringssl-review.googlesource.com/11122 Reviewed-by: David Benjamin <davidben@google.com> Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2016-09-20 00:57:37 +01:00
return 0;
Simplify version configuration. OpenSSL's SSL_OP_NO_* flags allow discontinuous version ranges. This is a nuisance for two reasons. First it makes it unnecessarily difficult to answer "are any versions below TLS 1.3 enabled?". Second the protocol does not allow discontinuous version ranges on the client anyway. OpenSSL instead picks the first continous range of enabled versions on the client, but not the server. This is bizarrely inconsistent. It also doesn't quite do this as the ClientHello sending logic does this, but not the ServerHello processing logic. So we actually break some invariants slightly. The logic is also cumbersome in DTLS which kindly inverts the comparison logic. First, switch min_version/max_version's storage to normalized versions. Next replace all the ad-hoc version-related functions with a single ssl_get_version_range function. Client and server now consistently pick a contiguous range of versions. Note this is a slight behavior change for servers. Version-range-sensitive logic is rewritten to use this new function. BUG=66 Change-Id: Iad0d64f2b7a917603fc7da54c9fc6656c5fbdb24 Reviewed-on: https://boringssl-review.googlesource.com/8513 Reviewed-by: David Benjamin <davidben@google.com>
2016-06-21 15:33:21 +01:00
}
static uint16_t dtls1_version_to_wire(uint16_t version) {
Don't return invalid versions in version_from_wire. This is in preparation for using the supported_versions extension to experiment with draft TLS 1.3 versions, since we don't wish to restore the fallback. With versions begin opaque values, we will want version_from_wire to reject unknown values, not attempt to preserve order in some way. This means ClientHello.version processing needs to be separate code. That's just written out fully in negotiate_version now. It also means SSL_set_{min,max}_version will notice invalid inputs which aligns us better with upstream's versions of those APIs. This CL doesn't replace ssl->version with an internal-representation version, though follow work should do it once a couple of changes land in consumers. BUG=90 Change-Id: Id2f5e1fa72847c823ee7f082e9e69f55e51ce9da Reviewed-on: https://boringssl-review.googlesource.com/11122 Reviewed-by: David Benjamin <davidben@google.com> Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2016-09-20 00:57:37 +01:00
switch (version) {
case TLS1_1_VERSION:
/* DTLS 1.0 maps to TLS 1.1, not TLS 1.0. */
return DTLS1_VERSION;
case TLS1_2_VERSION:
return DTLS1_2_VERSION;
Simplify version configuration. OpenSSL's SSL_OP_NO_* flags allow discontinuous version ranges. This is a nuisance for two reasons. First it makes it unnecessarily difficult to answer "are any versions below TLS 1.3 enabled?". Second the protocol does not allow discontinuous version ranges on the client anyway. OpenSSL instead picks the first continous range of enabled versions on the client, but not the server. This is bizarrely inconsistent. It also doesn't quite do this as the ClientHello sending logic does this, but not the ServerHello processing logic. So we actually break some invariants slightly. The logic is also cumbersome in DTLS which kindly inverts the comparison logic. First, switch min_version/max_version's storage to normalized versions. Next replace all the ad-hoc version-related functions with a single ssl_get_version_range function. Client and server now consistently pick a contiguous range of versions. Note this is a slight behavior change for servers. Version-range-sensitive logic is rewritten to use this new function. BUG=66 Change-Id: Iad0d64f2b7a917603fc7da54c9fc6656c5fbdb24 Reviewed-on: https://boringssl-review.googlesource.com/8513 Reviewed-by: David Benjamin <davidben@google.com>
2016-06-21 15:33:21 +01:00
}
Don't return invalid versions in version_from_wire. This is in preparation for using the supported_versions extension to experiment with draft TLS 1.3 versions, since we don't wish to restore the fallback. With versions begin opaque values, we will want version_from_wire to reject unknown values, not attempt to preserve order in some way. This means ClientHello.version processing needs to be separate code. That's just written out fully in negotiate_version now. It also means SSL_set_{min,max}_version will notice invalid inputs which aligns us better with upstream's versions of those APIs. This CL doesn't replace ssl->version with an internal-representation version, though follow work should do it once a couple of changes land in consumers. BUG=90 Change-Id: Id2f5e1fa72847c823ee7f082e9e69f55e51ce9da Reviewed-on: https://boringssl-review.googlesource.com/11122 Reviewed-by: David Benjamin <davidben@google.com> Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2016-09-20 00:57:37 +01:00
/* It is an error to use this function with an invalid version. */
assert(0);
return 0;
Simplify version configuration. OpenSSL's SSL_OP_NO_* flags allow discontinuous version ranges. This is a nuisance for two reasons. First it makes it unnecessarily difficult to answer "are any versions below TLS 1.3 enabled?". Second the protocol does not allow discontinuous version ranges on the client anyway. OpenSSL instead picks the first continous range of enabled versions on the client, but not the server. This is bizarrely inconsistent. It also doesn't quite do this as the ClientHello sending logic does this, but not the ServerHello processing logic. So we actually break some invariants slightly. The logic is also cumbersome in DTLS which kindly inverts the comparison logic. First, switch min_version/max_version's storage to normalized versions. Next replace all the ad-hoc version-related functions with a single ssl_get_version_range function. Client and server now consistently pick a contiguous range of versions. Note this is a slight behavior change for servers. Version-range-sensitive logic is rewritten to use this new function. BUG=66 Change-Id: Iad0d64f2b7a917603fc7da54c9fc6656c5fbdb24 Reviewed-on: https://boringssl-review.googlesource.com/8513 Reviewed-by: David Benjamin <davidben@google.com>
2016-06-21 15:33:21 +01:00
}
Move a few more functions into *_method.c. s3_lib.c is nearly gone. ssl_get_cipher_preferences will fall away once we remove the version-specific cipher lists. ssl_get_algorithm_prf and the PRF stuff in general needs some revising (it was the motivation for all the SSL_HANDSHAKE business). I've left ssl3_new / ssl3_free alone for now because we don't have a good separation between common TLS/DTLS connection state and state internal to the TLS SSL_PROTOCOL_METHOD. Leaving that alone for now as there's lower-hanging fruit. Change-Id: Idf7989123a387938aa89b6a052161c9fff4cbfb3 Reviewed-on: https://boringssl-review.googlesource.com/12584 Reviewed-by: Adam Langley <agl@google.com>
2016-12-04 04:23:52 +00:00
static int dtls1_supports_cipher(const SSL_CIPHER *cipher) {
return cipher->algorithm_enc != SSL_eNULL;
}
static void dtls1_expect_flight(SSL *ssl) { dtls1_start_timer(ssl); }
static void dtls1_received_flight(SSL *ssl) { dtls1_stop_timer(ssl); }
Check for buffered handshake messages on cipher change in DTLS. This is the equivalent of FragmentAcrossChangeCipherSuite for DTLS. It is possible for us to, while receiving pre-CCS handshake messages, to buffer up a message with sequence number meant for a post-CCS Finished. When we then get to the new epoch and attempt to read the Finished, we will process the buffered Finished although it was sent with the wrong encryption. Move ssl_set_{read,write}_state to SSL_PROTOCOL_METHOD hooks as this is a property of the transport. Notably, read_state may fail. In DTLS check the handshake buffer size. We could place this check in read_change_cipher_spec, but TLS 1.3 has no ChangeCipherSpec message, so we will need to implement this at the cipher change point anyway. (For now, there is only an assert on the TLS side. This will be replaced with a proper check in TLS 1.3.) Change-Id: Ia52b0b81e7db53e9ed2d4f6d334a1cce13e93297 Reviewed-on: https://boringssl-review.googlesource.com/8790 Reviewed-by: Steven Valdez <svaldez@google.com> Reviewed-by: David Benjamin <davidben@google.com> Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2016-07-15 04:10:43 +01:00
static int dtls1_set_read_state(SSL *ssl, SSL_AEAD_CTX *aead_ctx) {
/* Cipher changes are illegal when there are buffered incoming messages. */
if (dtls_has_incoming_messages(ssl)) {
OPENSSL_PUT_ERROR(SSL, SSL_R_BUFFERED_MESSAGES_ON_CIPHER_CHANGE);
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
SSL_AEAD_CTX_free(aead_ctx);
return 0;
}
ssl->d1->r_epoch++;
Work around language and compiler bug in memcpy, etc. Most C standard library functions are undefined if passed NULL, even when the corresponding length is zero. This gives them (and, in turn, all functions which call them) surprising behavior on empty arrays. Some compilers will miscompile code due to this rule. See also https://www.imperialviolet.org/2016/06/26/nonnull.html Add OPENSSL_memcpy, etc., wrappers which avoid this problem. BUG=23 Change-Id: I95f42b23e92945af0e681264fffaf578e7f8465e Reviewed-on: https://boringssl-review.googlesource.com/12928 Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: Adam Langley <agl@google.com>
2016-12-13 06:07:13 +00:00
OPENSSL_memset(&ssl->d1->bitmap, 0, sizeof(ssl->d1->bitmap));
OPENSSL_memset(ssl->s3->read_sequence, 0, sizeof(ssl->s3->read_sequence));
Check for buffered handshake messages on cipher change in DTLS. This is the equivalent of FragmentAcrossChangeCipherSuite for DTLS. It is possible for us to, while receiving pre-CCS handshake messages, to buffer up a message with sequence number meant for a post-CCS Finished. When we then get to the new epoch and attempt to read the Finished, we will process the buffered Finished although it was sent with the wrong encryption. Move ssl_set_{read,write}_state to SSL_PROTOCOL_METHOD hooks as this is a property of the transport. Notably, read_state may fail. In DTLS check the handshake buffer size. We could place this check in read_change_cipher_spec, but TLS 1.3 has no ChangeCipherSpec message, so we will need to implement this at the cipher change point anyway. (For now, there is only an assert on the TLS side. This will be replaced with a proper check in TLS 1.3.) Change-Id: Ia52b0b81e7db53e9ed2d4f6d334a1cce13e93297 Reviewed-on: https://boringssl-review.googlesource.com/8790 Reviewed-by: Steven Valdez <svaldez@google.com> Reviewed-by: David Benjamin <davidben@google.com> Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2016-07-15 04:10:43 +01:00
SSL_AEAD_CTX_free(ssl->s3->aead_read_ctx);
ssl->s3->aead_read_ctx = aead_ctx;
return 1;
}
static int dtls1_set_write_state(SSL *ssl, SSL_AEAD_CTX *aead_ctx) {
ssl->d1->w_epoch++;
Work around language and compiler bug in memcpy, etc. Most C standard library functions are undefined if passed NULL, even when the corresponding length is zero. This gives them (and, in turn, all functions which call them) surprising behavior on empty arrays. Some compilers will miscompile code due to this rule. See also https://www.imperialviolet.org/2016/06/26/nonnull.html Add OPENSSL_memcpy, etc., wrappers which avoid this problem. BUG=23 Change-Id: I95f42b23e92945af0e681264fffaf578e7f8465e Reviewed-on: https://boringssl-review.googlesource.com/12928 Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: Adam Langley <agl@google.com>
2016-12-13 06:07:13 +00:00
OPENSSL_memcpy(ssl->d1->last_write_sequence, ssl->s3->write_sequence,
sizeof(ssl->s3->write_sequence));
OPENSSL_memset(ssl->s3->write_sequence, 0, sizeof(ssl->s3->write_sequence));
Check for buffered handshake messages on cipher change in DTLS. This is the equivalent of FragmentAcrossChangeCipherSuite for DTLS. It is possible for us to, while receiving pre-CCS handshake messages, to buffer up a message with sequence number meant for a post-CCS Finished. When we then get to the new epoch and attempt to read the Finished, we will process the buffered Finished although it was sent with the wrong encryption. Move ssl_set_{read,write}_state to SSL_PROTOCOL_METHOD hooks as this is a property of the transport. Notably, read_state may fail. In DTLS check the handshake buffer size. We could place this check in read_change_cipher_spec, but TLS 1.3 has no ChangeCipherSpec message, so we will need to implement this at the cipher change point anyway. (For now, there is only an assert on the TLS side. This will be replaced with a proper check in TLS 1.3.) Change-Id: Ia52b0b81e7db53e9ed2d4f6d334a1cce13e93297 Reviewed-on: https://boringssl-review.googlesource.com/8790 Reviewed-by: Steven Valdez <svaldez@google.com> Reviewed-by: David Benjamin <davidben@google.com> Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2016-07-15 04:10:43 +01:00
SSL_AEAD_CTX_free(ssl->s3->aead_write_ctx);
ssl->s3->aead_write_ctx = aead_ctx;
return 1;
}
Rename (s3,d1)_meth.c. These are where the DTLS- and TLS-specific transport layer hooks will be defined. Later we can probably move much of the implementations of these hooks into these files so those functions can be static. While I'm here, fix up the naming of some constants. Change-Id: I1009dd9fdc3cc4fd49fbff0802f6289931abec3d Reviewed-on: https://boringssl-review.googlesource.com/8665 Reviewed-by: Steven Valdez <svaldez@google.com> Reviewed-by: David Benjamin <davidben@google.com>
2016-07-08 17:05:45 +01:00
static const SSL_PROTOCOL_METHOD kDTLSProtocolMethod = {
Move the is_dtls bit from SSL3_ENC_METHOD to SSL_PROTOCOL_METHOD. This too isn't version-specific. This removes the final difference between TLS and DTLS SSL3_ENC_METHODs and we can fold them together. (We should be able to fold away the version-specific differences too, but all in due time.) Change-Id: I6652d3942a0970273d46d28d7052629c81f848b5 Reviewed-on: https://boringssl-review.googlesource.com/3771 Reviewed-by: Adam Langley <agl@google.com>
2015-03-05 06:56:32 +00:00
1 /* is_dtls */,
Simplify version configuration. OpenSSL's SSL_OP_NO_* flags allow discontinuous version ranges. This is a nuisance for two reasons. First it makes it unnecessarily difficult to answer "are any versions below TLS 1.3 enabled?". Second the protocol does not allow discontinuous version ranges on the client anyway. OpenSSL instead picks the first continous range of enabled versions on the client, but not the server. This is bizarrely inconsistent. It also doesn't quite do this as the ClientHello sending logic does this, but not the ServerHello processing logic. So we actually break some invariants slightly. The logic is also cumbersome in DTLS which kindly inverts the comparison logic. First, switch min_version/max_version's storage to normalized versions. Next replace all the ad-hoc version-related functions with a single ssl_get_version_range function. Client and server now consistently pick a contiguous range of versions. Note this is a slight behavior change for servers. Version-range-sensitive logic is rewritten to use this new function. BUG=66 Change-Id: Iad0d64f2b7a917603fc7da54c9fc6656c5fbdb24 Reviewed-on: https://boringssl-review.googlesource.com/8513 Reviewed-by: David Benjamin <davidben@google.com>
2016-06-21 15:33:21 +01:00
TLS1_1_VERSION,
TLS1_2_VERSION,
dtls1_version_from_wire,
dtls1_version_to_wire,
Move the is_dtls bit from SSL3_ENC_METHOD to SSL_PROTOCOL_METHOD. This too isn't version-specific. This removes the final difference between TLS and DTLS SSL3_ENC_METHODs and we can fold them together. (We should be able to fold away the version-specific differences too, but all in due time.) Change-Id: I6652d3942a0970273d46d28d7052629c81f848b5 Reviewed-on: https://boringssl-review.googlesource.com/3771 Reviewed-by: Adam Langley <agl@google.com>
2015-03-05 06:56:32 +00:00
dtls1_new,
dtls1_free,
dtls1_get_message,
Replace hash_current_message with get_current_message. For TLS 1.3 draft 18, it will be useful to get at the full current message and not just the body. Add a hook to expose it and replace hash_current_message with a wrapper over it. BUG=112 Change-Id: Ib9e00dd1b78e8b72e12409d85c80e96c5b411a8b Reviewed-on: https://boringssl-review.googlesource.com/12238 Reviewed-by: David Benjamin <davidben@google.com> Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2016-11-14 08:12:11 +00:00
dtls1_get_current_message,
Switch finish_handshake to release_current_message. With the previous DTLS change, the dispatch layer only cares about the end of the handshake to know when to drop the current message. TLS 1.3 post-handshake messages will need a similar hook, so convert it to this lower-level one. BUG=83 Change-Id: I4c8c3ba55ba793afa065bf261a7bccac8816c348 Reviewed-on: https://boringssl-review.googlesource.com/8989 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: Adam Langley <agl@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2016-07-27 22:51:49 +01:00
dtls1_release_current_message,
Split ssl_read_bytes hook into app_data and close_notify hooks. This still needs significant work, especially the close_notify half, but clarify the interface and get *_read_bytes out of SSL_PROTOCOL_METHOD. read_bytes is an implementation detail of those two and get_message rather than both an implementation detail of get_message for handshake and a (wholly inappropriate) exposed interface for the other two. BUG=468889 Change-Id: I7dd23869e0b7c3532ceb2e9dd31ca25ea31128e7 Reviewed-on: https://boringssl-review.googlesource.com/4956 Reviewed-by: Adam Langley <agl@google.com>
2015-05-30 21:22:10 +01:00
dtls1_read_app_data,
Pull ChangeCipherSpec into the handshake state machine. This uses ssl3_read_bytes for now. We still need to dismantle that function and then invert the handshake state machine, but this gets things closer to the right shape as an intermediate step and is a large chunk in itself. It simplifies a lot of the CCS/handshake synchronization as a lot of the invariants much more clearly follow from the handshake itself. Tests need to be adjusted since this changes some error codes. Now all the CCS/Handshake checks fall through to the usual SSL_R_UNEXPECTED_RECORD codepath. Most of what used to be a special-case falls out naturally. (If half of Finished was in the same record as the pre-CCS message, that part of the handshake record would have been left unconsumed, so read_change_cipher_spec would have noticed, just like read_app_data would have noticed.) Change-Id: I15c7501afe523d5062f0e24a3b65f053008d87be Reviewed-on: https://boringssl-review.googlesource.com/6642 Reviewed-by: Adam Langley <agl@google.com>
2015-11-26 07:16:49 +00:00
dtls1_read_change_cipher_spec,
Add Data-less Zero-RTT support. This adds support on the server and client to accept data-less early data. The server will still fail to parse early data with any contents, so this should remain disabled. BUG=76 Change-Id: Id85d192d8e0360b8de4b6971511b5e8a0e8012f7 Reviewed-on: https://boringssl-review.googlesource.com/12921 Reviewed-by: David Benjamin <davidben@google.com> Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-01-11 16:34:52 +00:00
NULL,
Split ssl_read_bytes hook into app_data and close_notify hooks. This still needs significant work, especially the close_notify half, but clarify the interface and get *_read_bytes out of SSL_PROTOCOL_METHOD. read_bytes is an implementation detail of those two and get_message rather than both an implementation detail of get_message for handshake and a (wholly inappropriate) exposed interface for the other two. BUG=468889 Change-Id: I7dd23869e0b7c3532ceb2e9dd31ca25ea31128e7 Reviewed-on: https://boringssl-review.googlesource.com/4956 Reviewed-by: Adam Langley <agl@google.com>
2015-05-30 21:22:10 +01:00
dtls1_read_close_notify,
Switch the ssl_write_bytes hook to ssl_write_app_data. The SSL_PROTOCOL_METHOD table needs work, but this makes it clearer exactly what the shared interface between the upper later and TLS/DTLS is. BUG=468889 Change-Id: I38931c484aa4ab3f77964d708d38bfd349fac293 Reviewed-on: https://boringssl-review.googlesource.com/4955 Reviewed-by: Adam Langley <agl@google.com>
2015-05-30 21:14:58 +01:00
dtls1_write_app_data,
Move the is_dtls bit from SSL3_ENC_METHOD to SSL_PROTOCOL_METHOD. This too isn't version-specific. This removes the final difference between TLS and DTLS SSL3_ENC_METHODs and we can fold them together. (We should be able to fold away the version-specific differences too, but all in due time.) Change-Id: I6652d3942a0970273d46d28d7052629c81f848b5 Reviewed-on: https://boringssl-review.googlesource.com/3771 Reviewed-by: Adam Langley <agl@google.com>
2015-03-05 06:56:32 +00:00
dtls1_dispatch_alert,
Further tidy up cipher logic. With SSL2 gone, there's no need for this split between the abstract cipher framework and ciphers. Put the cipher suite table in ssl_cipher.c and move other SSL_CIPHER logic there. With that gone, prune the cipher-related hooks in SSL_PROTOCOL_METHOD. BUG=468889 Change-Id: I48579de8bc4c0ea52781ba1b7b57bc5b4919d21c Reviewed-on: https://boringssl-review.googlesource.com/4961 Reviewed-by: Adam Langley <agl@google.com>
2015-05-30 22:03:14 +01:00
dtls1_supports_cipher,
Disconnect handshake message creation from init_buf. This allows us to use CBB for all handshake messages. Now, SSL_PROTOCOL_METHOD is responsible for implementing a trio of CBB-related hooks to assemble handshake messages. Change-Id: I144d3cac4f05b6637bf45d3f838673fc5c854405 Reviewed-on: https://boringssl-review.googlesource.com/8440 Reviewed-by: Adam Langley <agl@google.com>
2016-06-17 23:48:29 +01:00
dtls1_init_message,
dtls1_finish_message,
Don't use the buffer BIO in TLS. On the TLS side, we introduce a running buffer of ciphertext. Queuing up pending data consists of encrypting the record into the buffer. This effectively reimplements what the buffer BIO was doing previously, but this resizes to fit the whole flight. As part of this, rename all the functions to add to the pending flight to be more uniform. This CL proposes "add_foo" to add to the pending flight and "flush_flight" to drain it. We add an add_alert hook for alerts but, for now, only the SSL 3.0 warning alert (sent mid-handshake) uses this mechanism. Later work will push this down to the rest of the write path so closure alerts use it too, as in DTLS. The intended end state is that all the ssl_buffer.c and wpend_ret logic will only be used for application data and eventually optionally replaced by the in-place API, while all "incidental" data will be handled internally. For now, the two buffers are mutually exclusive. Moving closure alerts to "incidentals" will change this, but flushing application data early is tricky due to wpend_ret. (If we call ssl_write_buffer_flush, do_ssl3_write doesn't realize it still has a wpend_ret to replay.) That too is all left alone in this change. To keep the diff down, write_message is retained for now and will be removed from the state machines in a follow-up change. BUG=72 Change-Id: Ibce882f5f7196880648f25d5005322ca4055c71d Reviewed-on: https://boringssl-review.googlesource.com/13224 Reviewed-by: Adam Langley <agl@google.com>
2017-01-03 23:37:41 +00:00
dtls1_add_message,
dtls1_add_change_cipher_spec,
dtls1_add_alert,
Abstract away BIO_flush calls in the handshake. This is the first part to removing the buffer BIO. The eventual end state is the SSL_PROTOCOL_METHOD is responsible for maintaining one flight's worth of messages. In TLS, it will just be a buffer containing the flight's ciphertext. In DTLS, it's the existing structure for retransmit purposes. There will be hooks: - add_message (synchronous) - add_change_cipher_spec (synchronous) - add_warning_alert (synchronous; needed until we lose SSLv3 client auth and TLS 1.3 draft 18; draft 19 will switch end_of_early_data to a handshake message) - write_flight (BIO; flush_flight will be renamed to this) This also preserves the exact return value of BIO_flush. Eventually all the BIO_write calls will be hidden behind BIO_flush to, to be consistent with other BIO-based calls, preserve the return value. BUG=72 Change-Id: I74cd23759a17356aab3bb475a8ea42bd2cd115c9 Reviewed-on: https://boringssl-review.googlesource.com/13222 Reviewed-by: Adam Langley <agl@google.com>
2017-01-01 22:41:30 +00:00
dtls1_flush_flight,
Fold the DTLS client handshake into the TLS one. Change-Id: Ib8b1c646cf1652ee1481fe73589830be8263fc20 Reviewed-on: https://boringssl-review.googlesource.com/8182 Reviewed-by: David Benjamin <davidben@google.com>
2016-06-07 21:40:46 +01:00
dtls1_expect_flight,
dtls1_received_flight,
Check for buffered handshake messages on cipher change in DTLS. This is the equivalent of FragmentAcrossChangeCipherSuite for DTLS. It is possible for us to, while receiving pre-CCS handshake messages, to buffer up a message with sequence number meant for a post-CCS Finished. When we then get to the new epoch and attempt to read the Finished, we will process the buffered Finished although it was sent with the wrong encryption. Move ssl_set_{read,write}_state to SSL_PROTOCOL_METHOD hooks as this is a property of the transport. Notably, read_state may fail. In DTLS check the handshake buffer size. We could place this check in read_change_cipher_spec, but TLS 1.3 has no ChangeCipherSpec message, so we will need to implement this at the cipher change point anyway. (For now, there is only an assert on the TLS side. This will be replaced with a proper check in TLS 1.3.) Change-Id: Ia52b0b81e7db53e9ed2d4f6d334a1cce13e93297 Reviewed-on: https://boringssl-review.googlesource.com/8790 Reviewed-by: Steven Valdez <svaldez@google.com> Reviewed-by: David Benjamin <davidben@google.com> Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2016-07-15 04:10:43 +01:00
dtls1_set_read_state,
dtls1_set_write_state,
Merge SSLv23_method and DTLS_ANY_VERSION. This makes SSLv23_method go through DTLS_ANY_VERSION's version negotiation logic. This allows us to get rid of duplicate ClientHello logic. For compatibility, SSL_METHOD is now split into SSL_PROTOCOL_METHOD and a version. The legacy version-locked methods set min_version and max_version based this version field to emulate the original semantics. As a bonus, we can now handle fragmented ClientHello versions now. Because SSLv23_method is a silly name, deprecate that too and introduce TLS_method. Change-Id: I8b3df2b427ae34c44ecf972f466ad64dc3dbb171
2014-12-12 20:55:27 +00:00
};
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
2014-06-20 20:00:00 +01:00
Merge SSLv23_method and DTLS_ANY_VERSION. This makes SSLv23_method go through DTLS_ANY_VERSION's version negotiation logic. This allows us to get rid of duplicate ClientHello logic. For compatibility, SSL_METHOD is now split into SSL_PROTOCOL_METHOD and a version. The legacy version-locked methods set min_version and max_version based this version field to emulate the original semantics. As a bonus, we can now handle fragmented ClientHello versions now. Because SSLv23_method is a silly name, deprecate that too and introduce TLS_method. Change-Id: I8b3df2b427ae34c44ecf972f466ad64dc3dbb171
2014-12-12 20:55:27 +00:00
const SSL_METHOD *DTLS_method(void) {
Rename (s3,d1)_meth.c. These are where the DTLS- and TLS-specific transport layer hooks will be defined. Later we can probably move much of the implementations of these hooks into these files so those functions can be static. While I'm here, fix up the naming of some constants. Change-Id: I1009dd9fdc3cc4fd49fbff0802f6289931abec3d Reviewed-on: https://boringssl-review.googlesource.com/8665 Reviewed-by: Steven Valdez <svaldez@google.com> Reviewed-by: David Benjamin <davidben@google.com>
2016-07-08 17:05:45 +01:00
static const SSL_METHOD kMethod = {
Merge SSLv23_method and DTLS_ANY_VERSION. This makes SSLv23_method go through DTLS_ANY_VERSION's version negotiation logic. This allows us to get rid of duplicate ClientHello logic. For compatibility, SSL_METHOD is now split into SSL_PROTOCOL_METHOD and a version. The legacy version-locked methods set min_version and max_version based this version field to emulate the original semantics. As a bonus, we can now handle fragmented ClientHello versions now. Because SSLv23_method is a silly name, deprecate that too and introduce TLS_method. Change-Id: I8b3df2b427ae34c44ecf972f466ad64dc3dbb171
2014-12-12 20:55:27 +00:00
0,
Rename (s3,d1)_meth.c. These are where the DTLS- and TLS-specific transport layer hooks will be defined. Later we can probably move much of the implementations of these hooks into these files so those functions can be static. While I'm here, fix up the naming of some constants. Change-Id: I1009dd9fdc3cc4fd49fbff0802f6289931abec3d Reviewed-on: https://boringssl-review.googlesource.com/8665 Reviewed-by: Steven Valdez <svaldez@google.com> Reviewed-by: David Benjamin <davidben@google.com>
2016-07-08 17:05:45 +01:00
&kDTLSProtocolMethod,
Add |X509_METHOD| and, using it, move many functions to ssl_x509.c. Change-Id: I266af0c2bdcebcc1dd1026f816b9ef6ece5a592f Reviewed-on: https://boringssl-review.googlesource.com/13581 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: Adam Langley <agl@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-02-01 19:59:18 +00:00
&ssl_crypto_x509_method,
Merge SSLv23_method and DTLS_ANY_VERSION. This makes SSLv23_method go through DTLS_ANY_VERSION's version negotiation logic. This allows us to get rid of duplicate ClientHello logic. For compatibility, SSL_METHOD is now split into SSL_PROTOCOL_METHOD and a version. The legacy version-locked methods set min_version and max_version based this version field to emulate the original semantics. As a bonus, we can now handle fragmented ClientHello versions now. Because SSLv23_method is a silly name, deprecate that too and introduce TLS_method. Change-Id: I8b3df2b427ae34c44ecf972f466ad64dc3dbb171
2014-12-12 20:55:27 +00:00
};
Rename (s3,d1)_meth.c. These are where the DTLS- and TLS-specific transport layer hooks will be defined. Later we can probably move much of the implementations of these hooks into these files so those functions can be static. While I'm here, fix up the naming of some constants. Change-Id: I1009dd9fdc3cc4fd49fbff0802f6289931abec3d Reviewed-on: https://boringssl-review.googlesource.com/8665 Reviewed-by: Steven Valdez <svaldez@google.com> Reviewed-by: David Benjamin <davidben@google.com>
2016-07-08 17:05:45 +01:00
return &kMethod;
Merge SSLv23_method and DTLS_ANY_VERSION. This makes SSLv23_method go through DTLS_ANY_VERSION's version negotiation logic. This allows us to get rid of duplicate ClientHello logic. For compatibility, SSL_METHOD is now split into SSL_PROTOCOL_METHOD and a version. The legacy version-locked methods set min_version and max_version based this version field to emulate the original semantics. As a bonus, we can now handle fragmented ClientHello versions now. Because SSLv23_method is a silly name, deprecate that too and introduce TLS_method. Change-Id: I8b3df2b427ae34c44ecf972f466ad64dc3dbb171
2014-12-12 20:55:27 +00:00
}
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
2014-06-20 20:00:00 +01:00
Merge SSLv23_method and DTLS_ANY_VERSION. This makes SSLv23_method go through DTLS_ANY_VERSION's version negotiation logic. This allows us to get rid of duplicate ClientHello logic. For compatibility, SSL_METHOD is now split into SSL_PROTOCOL_METHOD and a version. The legacy version-locked methods set min_version and max_version based this version field to emulate the original semantics. As a bonus, we can now handle fragmented ClientHello versions now. Because SSLv23_method is a silly name, deprecate that too and introduce TLS_method. Change-Id: I8b3df2b427ae34c44ecf972f466ad64dc3dbb171
2014-12-12 20:55:27 +00:00
/* Legacy version-locked methods. */
Merge client/server SSL_METHODs into the generic one. Supporting both schemes seems pointless. Now that s->server and s->state are set appropriately late and get_ssl_method is gone, the only difference is that the client/server ones have non-functional ssl_accept or ssl_connect hooks. We can't lose the generic ones, so let's unify on that. Note: this means a static linker will no longer drop the client or server handshake code if unused by a consumer linking statically. However, Chromium needs the server half anyway for DTLS and WebRTC, so that's probably a lost cause. Android also exposes server APIs. Change-Id: I290f5fb4ed558f59fadb5d1f84e9d9c405004c23 Reviewed-on: https://boringssl-review.googlesource.com/2440 Reviewed-by: Adam Langley <agl@google.com>
2014-11-23 20:47:20 +00:00
Merge SSLv23_method and DTLS_ANY_VERSION. This makes SSLv23_method go through DTLS_ANY_VERSION's version negotiation logic. This allows us to get rid of duplicate ClientHello logic. For compatibility, SSL_METHOD is now split into SSL_PROTOCOL_METHOD and a version. The legacy version-locked methods set min_version and max_version based this version field to emulate the original semantics. As a bonus, we can now handle fragmented ClientHello versions now. Because SSLv23_method is a silly name, deprecate that too and introduce TLS_method. Change-Id: I8b3df2b427ae34c44ecf972f466ad64dc3dbb171
2014-12-12 20:55:27 +00:00
const SSL_METHOD *DTLSv1_2_method(void) {
Rename (s3,d1)_meth.c. These are where the DTLS- and TLS-specific transport layer hooks will be defined. Later we can probably move much of the implementations of these hooks into these files so those functions can be static. While I'm here, fix up the naming of some constants. Change-Id: I1009dd9fdc3cc4fd49fbff0802f6289931abec3d Reviewed-on: https://boringssl-review.googlesource.com/8665 Reviewed-by: Steven Valdez <svaldez@google.com> Reviewed-by: David Benjamin <davidben@google.com>
2016-07-08 17:05:45 +01:00
static const SSL_METHOD kMethod = {
Merge SSLv23_method and DTLS_ANY_VERSION. This makes SSLv23_method go through DTLS_ANY_VERSION's version negotiation logic. This allows us to get rid of duplicate ClientHello logic. For compatibility, SSL_METHOD is now split into SSL_PROTOCOL_METHOD and a version. The legacy version-locked methods set min_version and max_version based this version field to emulate the original semantics. As a bonus, we can now handle fragmented ClientHello versions now. Because SSLv23_method is a silly name, deprecate that too and introduce TLS_method. Change-Id: I8b3df2b427ae34c44ecf972f466ad64dc3dbb171
2014-12-12 20:55:27 +00:00
DTLS1_2_VERSION,
Rename (s3,d1)_meth.c. These are where the DTLS- and TLS-specific transport layer hooks will be defined. Later we can probably move much of the implementations of these hooks into these files so those functions can be static. While I'm here, fix up the naming of some constants. Change-Id: I1009dd9fdc3cc4fd49fbff0802f6289931abec3d Reviewed-on: https://boringssl-review.googlesource.com/8665 Reviewed-by: Steven Valdez <svaldez@google.com> Reviewed-by: David Benjamin <davidben@google.com>
2016-07-08 17:05:45 +01:00
&kDTLSProtocolMethod,
Add |X509_METHOD| and, using it, move many functions to ssl_x509.c. Change-Id: I266af0c2bdcebcc1dd1026f816b9ef6ece5a592f Reviewed-on: https://boringssl-review.googlesource.com/13581 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: Adam Langley <agl@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-02-01 19:59:18 +00:00
&ssl_crypto_x509_method,
Merge SSLv23_method and DTLS_ANY_VERSION. This makes SSLv23_method go through DTLS_ANY_VERSION's version negotiation logic. This allows us to get rid of duplicate ClientHello logic. For compatibility, SSL_METHOD is now split into SSL_PROTOCOL_METHOD and a version. The legacy version-locked methods set min_version and max_version based this version field to emulate the original semantics. As a bonus, we can now handle fragmented ClientHello versions now. Because SSLv23_method is a silly name, deprecate that too and introduce TLS_method. Change-Id: I8b3df2b427ae34c44ecf972f466ad64dc3dbb171
2014-12-12 20:55:27 +00:00
};
Rename (s3,d1)_meth.c. These are where the DTLS- and TLS-specific transport layer hooks will be defined. Later we can probably move much of the implementations of these hooks into these files so those functions can be static. While I'm here, fix up the naming of some constants. Change-Id: I1009dd9fdc3cc4fd49fbff0802f6289931abec3d Reviewed-on: https://boringssl-review.googlesource.com/8665 Reviewed-by: Steven Valdez <svaldez@google.com> Reviewed-by: David Benjamin <davidben@google.com>
2016-07-08 17:05:45 +01:00
return &kMethod;
Merge SSLv23_method and DTLS_ANY_VERSION. This makes SSLv23_method go through DTLS_ANY_VERSION's version negotiation logic. This allows us to get rid of duplicate ClientHello logic. For compatibility, SSL_METHOD is now split into SSL_PROTOCOL_METHOD and a version. The legacy version-locked methods set min_version and max_version based this version field to emulate the original semantics. As a bonus, we can now handle fragmented ClientHello versions now. Because SSLv23_method is a silly name, deprecate that too and introduce TLS_method. Change-Id: I8b3df2b427ae34c44ecf972f466ad64dc3dbb171
2014-12-12 20:55:27 +00:00
}
Merge client/server SSL_METHODs into the generic one. Supporting both schemes seems pointless. Now that s->server and s->state are set appropriately late and get_ssl_method is gone, the only difference is that the client/server ones have non-functional ssl_accept or ssl_connect hooks. We can't lose the generic ones, so let's unify on that. Note: this means a static linker will no longer drop the client or server handshake code if unused by a consumer linking statically. However, Chromium needs the server half anyway for DTLS and WebRTC, so that's probably a lost cause. Android also exposes server APIs. Change-Id: I290f5fb4ed558f59fadb5d1f84e9d9c405004c23 Reviewed-on: https://boringssl-review.googlesource.com/2440 Reviewed-by: Adam Langley <agl@google.com>
2014-11-23 20:47:20 +00:00
Merge SSLv23_method and DTLS_ANY_VERSION. This makes SSLv23_method go through DTLS_ANY_VERSION's version negotiation logic. This allows us to get rid of duplicate ClientHello logic. For compatibility, SSL_METHOD is now split into SSL_PROTOCOL_METHOD and a version. The legacy version-locked methods set min_version and max_version based this version field to emulate the original semantics. As a bonus, we can now handle fragmented ClientHello versions now. Because SSLv23_method is a silly name, deprecate that too and introduce TLS_method. Change-Id: I8b3df2b427ae34c44ecf972f466ad64dc3dbb171
2014-12-12 20:55:27 +00:00
const SSL_METHOD *DTLSv1_method(void) {
Rename (s3,d1)_meth.c. These are where the DTLS- and TLS-specific transport layer hooks will be defined. Later we can probably move much of the implementations of these hooks into these files so those functions can be static. While I'm here, fix up the naming of some constants. Change-Id: I1009dd9fdc3cc4fd49fbff0802f6289931abec3d Reviewed-on: https://boringssl-review.googlesource.com/8665 Reviewed-by: Steven Valdez <svaldez@google.com> Reviewed-by: David Benjamin <davidben@google.com>
2016-07-08 17:05:45 +01:00
static const SSL_METHOD kMethod = {
Merge SSLv23_method and DTLS_ANY_VERSION. This makes SSLv23_method go through DTLS_ANY_VERSION's version negotiation logic. This allows us to get rid of duplicate ClientHello logic. For compatibility, SSL_METHOD is now split into SSL_PROTOCOL_METHOD and a version. The legacy version-locked methods set min_version and max_version based this version field to emulate the original semantics. As a bonus, we can now handle fragmented ClientHello versions now. Because SSLv23_method is a silly name, deprecate that too and introduce TLS_method. Change-Id: I8b3df2b427ae34c44ecf972f466ad64dc3dbb171
2014-12-12 20:55:27 +00:00
DTLS1_VERSION,
Rename (s3,d1)_meth.c. These are where the DTLS- and TLS-specific transport layer hooks will be defined. Later we can probably move much of the implementations of these hooks into these files so those functions can be static. While I'm here, fix up the naming of some constants. Change-Id: I1009dd9fdc3cc4fd49fbff0802f6289931abec3d Reviewed-on: https://boringssl-review.googlesource.com/8665 Reviewed-by: Steven Valdez <svaldez@google.com> Reviewed-by: David Benjamin <davidben@google.com>
2016-07-08 17:05:45 +01:00
&kDTLSProtocolMethod,
Add |X509_METHOD| and, using it, move many functions to ssl_x509.c. Change-Id: I266af0c2bdcebcc1dd1026f816b9ef6ece5a592f Reviewed-on: https://boringssl-review.googlesource.com/13581 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: Adam Langley <agl@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-02-01 19:59:18 +00:00
&ssl_crypto_x509_method,
Merge SSLv23_method and DTLS_ANY_VERSION. This makes SSLv23_method go through DTLS_ANY_VERSION's version negotiation logic. This allows us to get rid of duplicate ClientHello logic. For compatibility, SSL_METHOD is now split into SSL_PROTOCOL_METHOD and a version. The legacy version-locked methods set min_version and max_version based this version field to emulate the original semantics. As a bonus, we can now handle fragmented ClientHello versions now. Because SSLv23_method is a silly name, deprecate that too and introduce TLS_method. Change-Id: I8b3df2b427ae34c44ecf972f466ad64dc3dbb171
2014-12-12 20:55:27 +00:00
};
Rename (s3,d1)_meth.c. These are where the DTLS- and TLS-specific transport layer hooks will be defined. Later we can probably move much of the implementations of these hooks into these files so those functions can be static. While I'm here, fix up the naming of some constants. Change-Id: I1009dd9fdc3cc4fd49fbff0802f6289931abec3d Reviewed-on: https://boringssl-review.googlesource.com/8665 Reviewed-by: Steven Valdez <svaldez@google.com> Reviewed-by: David Benjamin <davidben@google.com>
2016-07-08 17:05:45 +01:00
return &kMethod;
Merge SSLv23_method and DTLS_ANY_VERSION. This makes SSLv23_method go through DTLS_ANY_VERSION's version negotiation logic. This allows us to get rid of duplicate ClientHello logic. For compatibility, SSL_METHOD is now split into SSL_PROTOCOL_METHOD and a version. The legacy version-locked methods set min_version and max_version based this version field to emulate the original semantics. As a bonus, we can now handle fragmented ClientHello versions now. Because SSLv23_method is a silly name, deprecate that too and introduce TLS_method. Change-Id: I8b3df2b427ae34c44ecf972f466ad64dc3dbb171
2014-12-12 20:55:27 +00:00
}
Merge client/server SSL_METHODs into the generic one. Supporting both schemes seems pointless. Now that s->server and s->state are set appropriately late and get_ssl_method is gone, the only difference is that the client/server ones have non-functional ssl_accept or ssl_connect hooks. We can't lose the generic ones, so let's unify on that. Note: this means a static linker will no longer drop the client or server handshake code if unused by a consumer linking statically. However, Chromium needs the server half anyway for DTLS and WebRTC, so that's probably a lost cause. Android also exposes server APIs. Change-Id: I290f5fb4ed558f59fadb5d1f84e9d9c405004c23 Reviewed-on: https://boringssl-review.googlesource.com/2440 Reviewed-by: Adam Langley <agl@google.com>
2014-11-23 20:47:20 +00:00
Merge SSLv23_method and DTLS_ANY_VERSION. This makes SSLv23_method go through DTLS_ANY_VERSION's version negotiation logic. This allows us to get rid of duplicate ClientHello logic. For compatibility, SSL_METHOD is now split into SSL_PROTOCOL_METHOD and a version. The legacy version-locked methods set min_version and max_version based this version field to emulate the original semantics. As a bonus, we can now handle fragmented ClientHello versions now. Because SSLv23_method is a silly name, deprecate that too and introduce TLS_method. Change-Id: I8b3df2b427ae34c44ecf972f466ad64dc3dbb171
2014-12-12 20:55:27 +00:00
/* Legacy side-specific methods. */
Merge client/server SSL_METHODs into the generic one. Supporting both schemes seems pointless. Now that s->server and s->state are set appropriately late and get_ssl_method is gone, the only difference is that the client/server ones have non-functional ssl_accept or ssl_connect hooks. We can't lose the generic ones, so let's unify on that. Note: this means a static linker will no longer drop the client or server handshake code if unused by a consumer linking statically. However, Chromium needs the server half anyway for DTLS and WebRTC, so that's probably a lost cause. Android also exposes server APIs. Change-Id: I290f5fb4ed558f59fadb5d1f84e9d9c405004c23 Reviewed-on: https://boringssl-review.googlesource.com/2440 Reviewed-by: Adam Langley <agl@google.com>
2014-11-23 20:47:20 +00:00
Merge SSLv23_method and DTLS_ANY_VERSION. This makes SSLv23_method go through DTLS_ANY_VERSION's version negotiation logic. This allows us to get rid of duplicate ClientHello logic. For compatibility, SSL_METHOD is now split into SSL_PROTOCOL_METHOD and a version. The legacy version-locked methods set min_version and max_version based this version field to emulate the original semantics. As a bonus, we can now handle fragmented ClientHello versions now. Because SSLv23_method is a silly name, deprecate that too and introduce TLS_method. Change-Id: I8b3df2b427ae34c44ecf972f466ad64dc3dbb171
2014-12-12 20:55:27 +00:00
const SSL_METHOD *DTLSv1_2_server_method(void) {
return DTLSv1_2_method();
}
Merge client/server SSL_METHODs into the generic one. Supporting both schemes seems pointless. Now that s->server and s->state are set appropriately late and get_ssl_method is gone, the only difference is that the client/server ones have non-functional ssl_accept or ssl_connect hooks. We can't lose the generic ones, so let's unify on that. Note: this means a static linker will no longer drop the client or server handshake code if unused by a consumer linking statically. However, Chromium needs the server half anyway for DTLS and WebRTC, so that's probably a lost cause. Android also exposes server APIs. Change-Id: I290f5fb4ed558f59fadb5d1f84e9d9c405004c23 Reviewed-on: https://boringssl-review.googlesource.com/2440 Reviewed-by: Adam Langley <agl@google.com>
2014-11-23 20:47:20 +00:00
Merge SSLv23_method and DTLS_ANY_VERSION. This makes SSLv23_method go through DTLS_ANY_VERSION's version negotiation logic. This allows us to get rid of duplicate ClientHello logic. For compatibility, SSL_METHOD is now split into SSL_PROTOCOL_METHOD and a version. The legacy version-locked methods set min_version and max_version based this version field to emulate the original semantics. As a bonus, we can now handle fragmented ClientHello versions now. Because SSLv23_method is a silly name, deprecate that too and introduce TLS_method. Change-Id: I8b3df2b427ae34c44ecf972f466ad64dc3dbb171
2014-12-12 20:55:27 +00:00
const SSL_METHOD *DTLSv1_server_method(void) {
return DTLSv1_method();
}
Merge client/server SSL_METHODs into the generic one. Supporting both schemes seems pointless. Now that s->server and s->state are set appropriately late and get_ssl_method is gone, the only difference is that the client/server ones have non-functional ssl_accept or ssl_connect hooks. We can't lose the generic ones, so let's unify on that. Note: this means a static linker will no longer drop the client or server handshake code if unused by a consumer linking statically. However, Chromium needs the server half anyway for DTLS and WebRTC, so that's probably a lost cause. Android also exposes server APIs. Change-Id: I290f5fb4ed558f59fadb5d1f84e9d9c405004c23 Reviewed-on: https://boringssl-review.googlesource.com/2440 Reviewed-by: Adam Langley <agl@google.com>
2014-11-23 20:47:20 +00:00
Merge SSLv23_method and DTLS_ANY_VERSION. This makes SSLv23_method go through DTLS_ANY_VERSION's version negotiation logic. This allows us to get rid of duplicate ClientHello logic. For compatibility, SSL_METHOD is now split into SSL_PROTOCOL_METHOD and a version. The legacy version-locked methods set min_version and max_version based this version field to emulate the original semantics. As a bonus, we can now handle fragmented ClientHello versions now. Because SSLv23_method is a silly name, deprecate that too and introduce TLS_method. Change-Id: I8b3df2b427ae34c44ecf972f466ad64dc3dbb171
2014-12-12 20:55:27 +00:00
const SSL_METHOD *DTLSv1_2_client_method(void) {
return DTLSv1_2_method();
}
const SSL_METHOD *DTLSv1_client_method(void) {
return DTLSv1_method();
}
const SSL_METHOD *DTLS_server_method(void) {
return DTLS_method();
}
const SSL_METHOD *DTLS_client_method(void) {
return DTLS_method();
}
Reference in New Issue Copy Permalink