kris
/
boringssl
1
0
Fork 0
Código Issues 0 Pull requests 0 Versões 0 Wiki Atividade
Você não pode selecionar mais de 25 tópicos Os tópicos devem começar com uma letra ou um número, podem incluir traços ('-') e podem ter até 35 caracteres.
5157 Commits
12 Branches
38 MiB
Tag: 6ae7ddb755
Branches Tags
${ item.name }
Criar branch ${ searchTerm }
de 6ae7ddb755
${ noResults }
boringssl/ssl/tls_method.cc

tls_method.cc 8.8 KiB
Original Visão normal Histórico

Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 anos atrás
Align the SSL stack on #include style. ssl.h should be first. Also two lines after includes and the rest of the file. Change-Id: Icb7586e00a3e64170082c96cf3f8bfbb2b7e1611 Reviewed-on: https://boringssl-review.googlesource.com/5892 Reviewed-by: Adam Langley <agl@google.com>
9 anos atrás
Don't return invalid versions in version_from_wire. This is in preparation for using the supported_versions extension to experiment with draft TLS 1.3 versions, since we don't wish to restore the fallback. With versions begin opaque values, we will want version_from_wire to reject unknown values, not attempt to preserve order in some way. This means ClientHello.version processing needs to be separate code. That's just written out fully in negotiate_version now. It also means SSL_set_{min,max}_version will notice invalid inputs which aligns us better with upstream's versions of those APIs. This CL doesn't replace ssl->version with an internal-representation version, though follow work should do it once a couple of changes land in consumers. BUG=90 Change-Id: Id2f5e1fa72847c823ee7f082e9e69f55e51ce9da Reviewed-on: https://boringssl-review.googlesource.com/11122 Reviewed-by: David Benjamin <davidben@google.com> Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
8 anos atrás
Check for buffered handshake messages on cipher change in DTLS. This is the equivalent of FragmentAcrossChangeCipherSuite for DTLS. It is possible for us to, while receiving pre-CCS handshake messages, to buffer up a message with sequence number meant for a post-CCS Finished. When we then get to the new epoch and attempt to read the Finished, we will process the buffered Finished although it was sent with the wrong encryption. Move ssl_set_{read,write}_state to SSL_PROTOCOL_METHOD hooks as this is a property of the transport. Notably, read_state may fail. In DTLS check the handshake buffer size. We could place this check in read_change_cipher_spec, but TLS 1.3 has no ChangeCipherSpec message, so we will need to implement this at the cipher change point anyway. (For now, there is only an assert on the TLS side. This will be replaced with a proper check in TLS 1.3.) Change-Id: Ia52b0b81e7db53e9ed2d4f6d334a1cce13e93297 Reviewed-on: https://boringssl-review.googlesource.com/8790 Reviewed-by: Steven Valdez <svaldez@google.com> Reviewed-by: David Benjamin <davidben@google.com> Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
8 anos atrás
Move references to init_buf into SSL_PROTOCOL_METHOD. Both DTLS and TLS still use it, but that will change in the following commit. This also removes the handshake's knowledge of the dtls_clear_incoming_messages function. (It's possible we'll want to get rid of begin_handshake in favor of allocating it lazily depending on how TLS 1.3 post-handshake messages end up working out. But this should work for now.) Change-Id: I0f512788bbc330ab2c947890939c73e0a1aca18b Reviewed-on: https://boringssl-review.googlesource.com/8666 Reviewed-by: Steven Valdez <svaldez@google.com> Reviewed-by: David Benjamin <davidben@google.com>
8 anos atrás
Work around language and compiler bug in memcpy, etc. Most C standard library functions are undefined if passed NULL, even when the corresponding length is zero. This gives them (and, in turn, all functions which call them) surprising behavior on empty arrays. Some compilers will miscompile code due to this rule. See also https://www.imperialviolet.org/2016/06/26/nonnull.html Add OPENSSL_memcpy, etc., wrappers which avoid this problem. BUG=23 Change-Id: I95f42b23e92945af0e681264fffaf578e7f8465e Reviewed-on: https://boringssl-review.googlesource.com/12928 Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: Adam Langley <agl@google.com>
7 anos atrás
Rename ssl_locl.h to internal.h Match the other internal headers. Change-Id: Iff7e2dd06a1a7bf993053d0464cc15638ace3aaa Reviewed-on: https://boringssl-review.googlesource.com/4280 Reviewed-by: Adam Langley <agl@google.com>
9 anos atrás
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 anos atrás
Move libssl's internals into the bssl namespace. This is horrible, but everything else I tried was worse. The goal with this CL is to take the extern "C" out of ssl/internal.h and move most symbols to namespace bssl, so we can start using C++ helpers and destructors without worry. Complications: - Public API functions must be extern "C" and match their declaration in ssl.h, which is unnamespaced. C++ really does not want you to interleave namespaced and unnamespaced things. One can actually write a namespaced extern "C" function, but this means, from C++'s perspective, the function is namespaced. Trying to namespace the public header would worked but ended up too deep a rabbithole. - Our STACK_OF macros do not work right in namespaces. - The typedefs for our exposed but opaque types are visible in the header files and copied into consuming projects as forward declarations. We ultimately want to give SSL a destructor, but clobbering an unnamespaced ssl_st::~ssl_st seems bad manners. - MSVC complains about ambiguous names if one typedefs SSL to bssl::SSL. This CL opts for: - ssl/*.cc must begin with #define BORINGSSL_INTERNAL_CXX_TYPES. This informs the public headers to create forward declarations which are compatible with our namespaces. - For now, C++-defined type FOO ends up at bssl::FOO with a typedef outside. Later I imagine we'll rename many of them. - Internal functions get namespace bssl, so we stop worrying about stomping the tls1_prf symbol. Exported C functions are stuck as they are. Rather than try anything weird, bite the bullet and reorder files which have a mix of public and private functions. I expect that over time, the public functions will become fairly small as we move logic to more idiomatic C++. Files without any public C functions can just be written normally. - To avoid MSVC troubles, some bssl types are renamed to CPlusPlusStyle in advance of them being made idiomatic C++. Bug: 132 Change-Id: Ic931895e117c38b14ff8d6e5a273e868796c7581 Reviewed-on: https://boringssl-review.googlesource.com/18124 Reviewed-by: David Benjamin <davidben@google.com>
7 anos atrás
Remove the free_buffer parameter to release_current_message. With on_handshake_complete, this can be managed internally by the TLS code. The next commit will add a ton more calls to this function. Change-Id: I91575d3e4bfcccbbe492017ae33c74b8cc1d1340 Reviewed-on: https://boringssl-review.googlesource.com/18865 Commit-Queue: Steven Valdez <svaldez@google.com> Reviewed-by: Steven Valdez <svaldez@google.com>
7 anos atrás
Convert comments in ssl. That's the last of it! Change-Id: I93d1f5ab7e95b2ad105c34b24297a0bf77625263 Reviewed-on: https://boringssl-review.googlesource.com/19784 Reviewed-by: David Benjamin <davidben@google.com> Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
7 anos atrás
Replace init_msg/init_num with a get_message hook. Rather than init_msg/init_num, there is a get_message function which either returns success or try again. This function does not advance the current message (see the previous preparatory change). It only completes the current one if necessary. Being idempotent means it may be freely placed at the top of states which otherwise have other asychronous operations. It also eases converting the TLS 1.2 state machine. See https://docs.google.com/a/google.com/document/d/11n7LHsT3GwE34LAJIe3EFs4165TI4UR_3CqiM9LJVpI/edit?usp=sharing for details. The read_message hook (later to be replaced by something which doesn't depend on BIO) intentionally does not finish the handshake, only "makes progress". A follow-up change will align both TLS and DTLS on consuming one handshake record and always consuming the entire record (so init_buf may contain trailing data). In a few places I've gone ahead and accounted for that case because it was more natural to do so. This change also removes a couple pointers of redundant state from every socket. Bug: 128 Change-Id: I89d8f3622d3b53147d69ee3ac34bb654ed044a71 Reviewed-on: https://boringssl-review.googlesource.com/18806 Reviewed-by: David Benjamin <davidben@google.com> Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
7 anos atrás
Replace reuse_message with an explicit next_message call. This means that ssl_get_message (soon to be replaced with a BIO-less version) is idempotent which avoids the SSL3_ST_SR_KEY_EXCH_B contortion. It also eases converting the TLS 1.2 state machine. See https://docs.google.com/a/google.com/document/d/11n7LHsT3GwE34LAJIe3EFs4165TI4UR_3CqiM9LJVpI/edit?usp=sharing for details. Bug: 128 Change-Id: Iddd4f951389e8766da07a9de595b552e75f8acf0 Reviewed-on: https://boringssl-review.googlesource.com/18805 Reviewed-by: David Benjamin <davidben@google.com> Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
7 anos atrás
Move init_buf and rwstate into SSL3_STATE. This finally clears most of the SSL_clear special-cases. Change-Id: I00fc240ccbf13f4290322845f585ca6f5786ad80 Reviewed-on: https://boringssl-review.googlesource.com/21947 Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org> Reviewed-by: Steven Valdez <svaldez@google.com>
7 anos atrás
Always process handshake records in full. This removes the last place where non-app-data hooks leave anything uncomsumed in rrec. (There is still a place where non-app-data hooks see a non-empty rrec an entrance. read_app_data calls into read_handshake. That'll be fixed in a later patch in this series.) This should not change behavior, though some error codes may change due to some processing happening in a slightly different order. Since we do this in a few places, this adds a BUF_MEM_append with tests. Change-Id: I9fe1fc0103e47f90e3c9f4acfe638927aecdeff6 Reviewed-on: https://boringssl-review.googlesource.com/21345 Commit-Queue: Steven Valdez <svaldez@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org> Reviewed-by: Steven Valdez <svaldez@google.com>
7 anos atrás
Convert comments in ssl. That's the last of it! Change-Id: I93d1f5ab7e95b2ad105c34b24297a0bf77625263 Reviewed-on: https://boringssl-review.googlesource.com/19784 Reviewed-by: David Benjamin <davidben@google.com> Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
7 anos atrás
Always process handshake records in full. This removes the last place where non-app-data hooks leave anything uncomsumed in rrec. (There is still a place where non-app-data hooks see a non-empty rrec an entrance. read_app_data calls into read_handshake. That'll be fixed in a later patch in this series.) This should not change behavior, though some error codes may change due to some processing happening in a slightly different order. Since we do this in a few places, this adds a BUF_MEM_append with tests. Change-Id: I9fe1fc0103e47f90e3c9f4acfe638927aecdeff6 Reviewed-on: https://boringssl-review.googlesource.com/21345 Commit-Queue: Steven Valdez <svaldez@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org> Reviewed-by: Steven Valdez <svaldez@google.com>
7 anos atrás
Move init_buf and rwstate into SSL3_STATE. This finally clears most of the SSL_clear special-cases. Change-Id: I00fc240ccbf13f4290322845f585ca6f5786ad80 Reviewed-on: https://boringssl-review.googlesource.com/21947 Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org> Reviewed-by: Steven Valdez <svaldez@google.com>
7 anos atrás
Replace reuse_message with an explicit next_message call. This means that ssl_get_message (soon to be replaced with a BIO-less version) is idempotent which avoids the SSL3_ST_SR_KEY_EXCH_B contortion. It also eases converting the TLS 1.2 state machine. See https://docs.google.com/a/google.com/document/d/11n7LHsT3GwE34LAJIe3EFs4165TI4UR_3CqiM9LJVpI/edit?usp=sharing for details. Bug: 128 Change-Id: Iddd4f951389e8766da07a9de595b552e75f8acf0 Reviewed-on: https://boringssl-review.googlesource.com/18805 Reviewed-by: David Benjamin <davidben@google.com> Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
7 anos atrás
Remove the free_buffer parameter to release_current_message. With on_handshake_complete, this can be managed internally by the TLS code. The next commit will add a ton more calls to this function. Change-Id: I91575d3e4bfcccbbe492017ae33c74b8cc1d1340 Reviewed-on: https://boringssl-review.googlesource.com/18865 Commit-Queue: Steven Valdez <svaldez@google.com> Reviewed-by: Steven Valdez <svaldez@google.com>
7 anos atrás
Move a few more functions into *_method.c. s3_lib.c is nearly gone. ssl_get_cipher_preferences will fall away once we remove the version-specific cipher lists. ssl_get_algorithm_prf and the PRF stuff in general needs some revising (it was the motivation for all the SSL_HANDSHAKE business). I've left ssl3_new / ssl3_free alone for now because we don't have a good separation between common TLS/DTLS connection state and state internal to the TLS SSL_PROTOCOL_METHOD. Leaving that alone for now as there's lower-hanging fruit. Change-Id: Idf7989123a387938aa89b6a052161c9fff4cbfb3 Reviewed-on: https://boringssl-review.googlesource.com/12584 Reviewed-by: Adam Langley <agl@google.com>
7 anos atrás
Switch a bunch of things from int to bool. Change-Id: I419c3a1459425fcd016c130d9699c5d89e66713c Reviewed-on: https://boringssl-review.googlesource.com/21386 Commit-Queue: Steven Valdez <svaldez@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org> Reviewed-by: Steven Valdez <svaldez@google.com>
7 anos atrás
Always process handshake records in full. This removes the last place where non-app-data hooks leave anything uncomsumed in rrec. (There is still a place where non-app-data hooks see a non-empty rrec an entrance. read_app_data calls into read_handshake. That'll be fixed in a later patch in this series.) This should not change behavior, though some error codes may change due to some processing happening in a slightly different order. Since we do this in a few places, this adds a BUF_MEM_append with tests. Change-Id: I9fe1fc0103e47f90e3c9f4acfe638927aecdeff6 Reviewed-on: https://boringssl-review.googlesource.com/21345 Commit-Queue: Steven Valdez <svaldez@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org> Reviewed-by: Steven Valdez <svaldez@google.com>
7 anos atrás
Lift BIO above SSL_PROTOCOL_METHOD. This gets us closer to exposing BIO-free APIs. The next step is probably to make the experimental bssl::OpenRecord function call a split out core of ssl_read_impl. Change-Id: I4acebb43f708df8c52eb4e328da8ae3551362fb9 Reviewed-on: https://boringssl-review.googlesource.com/21865 Commit-Queue: Steven Valdez <svaldez@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org> Reviewed-by: Steven Valdez <svaldez@google.com>
7 anos atrás
Add TLS 1.3 1-RTT. This adds the machinery for doing TLS 1.3 1RTT. Change-Id: I736921ffe9dc6f6e64a08a836df6bb166d20f504 Reviewed-on: https://boringssl-review.googlesource.com/8720 Reviewed-by: David Benjamin <davidben@google.com> Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
8 anos atrás
Rename ssl3_send_alert and ssl3_protocol_version. These are common between TLS and DTLS so should not have the ssl3_ prefix. (TLS-only stuff should really have a tls_ prefix, but we still have a lot of that one.) This also fixes a stray reference to ssl3_send_client_key_exchange.. Change-Id: Ia05b360aa090ab3b5f075d5f80f133cbfe0520d4 Reviewed-on: https://boringssl-review.googlesource.com/21346 Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org> Reviewed-by: Steven Valdez <svaldez@google.com>
7 anos atrás
Switch a bunch of things from int to bool. Change-Id: I419c3a1459425fcd016c130d9699c5d89e66713c Reviewed-on: https://boringssl-review.googlesource.com/21386 Commit-Queue: Steven Valdez <svaldez@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org> Reviewed-by: Steven Valdez <svaldez@google.com>
7 anos atrás
Add TLS 1.3 1-RTT. This adds the machinery for doing TLS 1.3 1RTT. Change-Id: I736921ffe9dc6f6e64a08a836df6bb166d20f504 Reviewed-on: https://boringssl-review.googlesource.com/8720 Reviewed-by: David Benjamin <davidben@google.com> Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
8 anos atrás
Check for buffered handshake messages on cipher change in DTLS. This is the equivalent of FragmentAcrossChangeCipherSuite for DTLS. It is possible for us to, while receiving pre-CCS handshake messages, to buffer up a message with sequence number meant for a post-CCS Finished. When we then get to the new epoch and attempt to read the Finished, we will process the buffered Finished although it was sent with the wrong encryption. Move ssl_set_{read,write}_state to SSL_PROTOCOL_METHOD hooks as this is a property of the transport. Notably, read_state may fail. In DTLS check the handshake buffer size. We could place this check in read_change_cipher_spec, but TLS 1.3 has no ChangeCipherSpec message, so we will need to implement this at the cipher change point anyway. (For now, there is only an assert on the TLS side. This will be replaced with a proper check in TLS 1.3.) Change-Id: Ia52b0b81e7db53e9ed2d4f6d334a1cce13e93297 Reviewed-on: https://boringssl-review.googlesource.com/8790 Reviewed-by: Steven Valdez <svaldez@google.com> Reviewed-by: David Benjamin <davidben@google.com> Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
8 anos atrás
Work around language and compiler bug in memcpy, etc. Most C standard library functions are undefined if passed NULL, even when the corresponding length is zero. This gives them (and, in turn, all functions which call them) surprising behavior on empty arrays. Some compilers will miscompile code due to this rule. See also https://www.imperialviolet.org/2016/06/26/nonnull.html Add OPENSSL_memcpy, etc., wrappers which avoid this problem. BUG=23 Change-Id: I95f42b23e92945af0e681264fffaf578e7f8465e Reviewed-on: https://boringssl-review.googlesource.com/12928 Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: Adam Langley <agl@google.com>
7 anos atrás
Use more scopers. Change-Id: I34dd0a57efd5435fcdc59a3c7b1ce806bc0cbb3e Reviewed-on: https://boringssl-review.googlesource.com/21946 Reviewed-by: Steven Valdez <svaldez@google.com> Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
7 anos atrás
Switch a bunch of things from int to bool. Change-Id: I419c3a1459425fcd016c130d9699c5d89e66713c Reviewed-on: https://boringssl-review.googlesource.com/21386 Commit-Queue: Steven Valdez <svaldez@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org> Reviewed-by: Steven Valdez <svaldez@google.com>
7 anos atrás
Check for buffered handshake messages on cipher change in DTLS. This is the equivalent of FragmentAcrossChangeCipherSuite for DTLS. It is possible for us to, while receiving pre-CCS handshake messages, to buffer up a message with sequence number meant for a post-CCS Finished. When we then get to the new epoch and attempt to read the Finished, we will process the buffered Finished although it was sent with the wrong encryption. Move ssl_set_{read,write}_state to SSL_PROTOCOL_METHOD hooks as this is a property of the transport. Notably, read_state may fail. In DTLS check the handshake buffer size. We could place this check in read_change_cipher_spec, but TLS 1.3 has no ChangeCipherSpec message, so we will need to implement this at the cipher change point anyway. (For now, there is only an assert on the TLS side. This will be replaced with a proper check in TLS 1.3.) Change-Id: Ia52b0b81e7db53e9ed2d4f6d334a1cce13e93297 Reviewed-on: https://boringssl-review.googlesource.com/8790 Reviewed-by: Steven Valdez <svaldez@google.com> Reviewed-by: David Benjamin <davidben@google.com> Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
8 anos atrás
Switch a bunch of things from int to bool. Change-Id: I419c3a1459425fcd016c130d9699c5d89e66713c Reviewed-on: https://boringssl-review.googlesource.com/21386 Commit-Queue: Steven Valdez <svaldez@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org> Reviewed-by: Steven Valdez <svaldez@google.com>
7 anos atrás
Pack encrypted handshake messages together. This does not affect TLS 1.2 (beyond Channel ID or NPN) but, in TLS 1.3, we send several encrypted handshake messages in a row. For the server, this means 66 wasted bytes in TLS 1.3. Since OpenSSL has otherwise used one record per message since the beginning and unencrypted overhead is less interesting, leave that behavior as-is for the time being. (This isn't the most pressing use of the breakage budget.) But TLS 1.3 is new, so get this tight from the start. Change-Id: I64dbd590a62469d296e1f10673c14bcd0c62919a Reviewed-on: https://boringssl-review.googlesource.com/22068 Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org> Reviewed-by: Steven Valdez <svaldez@google.com>
7 anos atrás
Use more scopers. Change-Id: I34dd0a57efd5435fcdc59a3c7b1ce806bc0cbb3e Reviewed-on: https://boringssl-review.googlesource.com/21946 Reviewed-by: Steven Valdez <svaldez@google.com> Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
7 anos atrás
Switch a bunch of things from int to bool. Change-Id: I419c3a1459425fcd016c130d9699c5d89e66713c Reviewed-on: https://boringssl-review.googlesource.com/21386 Commit-Queue: Steven Valdez <svaldez@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org> Reviewed-by: Steven Valdez <svaldez@google.com>
7 anos atrás
Check for buffered handshake messages on cipher change in DTLS. This is the equivalent of FragmentAcrossChangeCipherSuite for DTLS. It is possible for us to, while receiving pre-CCS handshake messages, to buffer up a message with sequence number meant for a post-CCS Finished. When we then get to the new epoch and attempt to read the Finished, we will process the buffered Finished although it was sent with the wrong encryption. Move ssl_set_{read,write}_state to SSL_PROTOCOL_METHOD hooks as this is a property of the transport. Notably, read_state may fail. In DTLS check the handshake buffer size. We could place this check in read_change_cipher_spec, but TLS 1.3 has no ChangeCipherSpec message, so we will need to implement this at the cipher change point anyway. (For now, there is only an assert on the TLS side. This will be replaced with a proper check in TLS 1.3.) Change-Id: Ia52b0b81e7db53e9ed2d4f6d334a1cce13e93297 Reviewed-on: https://boringssl-review.googlesource.com/8790 Reviewed-by: Steven Valdez <svaldez@google.com> Reviewed-by: David Benjamin <davidben@google.com> Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
8 anos atrás
Rename (s3,d1)_meth.c. These are where the DTLS- and TLS-specific transport layer hooks will be defined. Later we can probably move much of the implementations of these hooks into these files so those functions can be static. While I'm here, fix up the naming of some constants. Change-Id: I1009dd9fdc3cc4fd49fbff0802f6289931abec3d Reviewed-on: https://boringssl-review.googlesource.com/8665 Reviewed-by: Steven Valdez <svaldez@google.com> Reviewed-by: David Benjamin <davidben@google.com>
8 anos atrás
Switch a bunch of things from int to bool. Change-Id: I419c3a1459425fcd016c130d9699c5d89e66713c Reviewed-on: https://boringssl-review.googlesource.com/21386 Commit-Queue: Steven Valdez <svaldez@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org> Reviewed-by: Steven Valdez <svaldez@google.com>
7 anos atrás
Merge SSLv23_method and DTLS_ANY_VERSION. This makes SSLv23_method go through DTLS_ANY_VERSION's version negotiation logic. This allows us to get rid of duplicate ClientHello logic. For compatibility, SSL_METHOD is now split into SSL_PROTOCOL_METHOD and a version. The legacy version-locked methods set min_version and max_version based this version field to emulate the original semantics. As a bonus, we can now handle fragmented ClientHello versions now. Because SSLv23_method is a silly name, deprecate that too and introduce TLS_method. Change-Id: I8b3df2b427ae34c44ecf972f466ad64dc3dbb171
10 anos atrás
Replace reuse_message with an explicit next_message call. This means that ssl_get_message (soon to be replaced with a BIO-less version) is idempotent which avoids the SSL3_ST_SR_KEY_EXCH_B contortion. It also eases converting the TLS 1.2 state machine. See https://docs.google.com/a/google.com/document/d/11n7LHsT3GwE34LAJIe3EFs4165TI4UR_3CqiM9LJVpI/edit?usp=sharing for details. Bug: 128 Change-Id: Iddd4f951389e8766da07a9de595b552e75f8acf0 Reviewed-on: https://boringssl-review.googlesource.com/18805 Reviewed-by: David Benjamin <davidben@google.com> Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
7 anos atrás
Lift BIO above SSL_PROTOCOL_METHOD. This gets us closer to exposing BIO-free APIs. The next step is probably to make the experimental bssl::OpenRecord function call a split out core of ssl_read_impl. Change-Id: I4acebb43f708df8c52eb4e328da8ae3551362fb9 Reviewed-on: https://boringssl-review.googlesource.com/21865 Commit-Queue: Steven Valdez <svaldez@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org> Reviewed-by: Steven Valdez <svaldez@google.com>
7 anos atrás
Switch the ssl_write_bytes hook to ssl_write_app_data. The SSL_PROTOCOL_METHOD table needs work, but this makes it clearer exactly what the shared interface between the upper later and TLS/DTLS is. BUG=468889 Change-Id: I38931c484aa4ab3f77964d708d38bfd349fac293 Reviewed-on: https://boringssl-review.googlesource.com/4955 Reviewed-by: Adam Langley <agl@google.com>
9 anos atrás
Merge SSLv23_method and DTLS_ANY_VERSION. This makes SSLv23_method go through DTLS_ANY_VERSION's version negotiation logic. This allows us to get rid of duplicate ClientHello logic. For compatibility, SSL_METHOD is now split into SSL_PROTOCOL_METHOD and a version. The legacy version-locked methods set min_version and max_version based this version field to emulate the original semantics. As a bonus, we can now handle fragmented ClientHello versions now. Because SSLv23_method is a silly name, deprecate that too and introduce TLS_method. Change-Id: I8b3df2b427ae34c44ecf972f466ad64dc3dbb171
10 anos atrás
Disconnect handshake message creation from init_buf. This allows us to use CBB for all handshake messages. Now, SSL_PROTOCOL_METHOD is responsible for implementing a trio of CBB-related hooks to assemble handshake messages. Change-Id: I144d3cac4f05b6637bf45d3f838673fc5c854405 Reviewed-on: https://boringssl-review.googlesource.com/8440 Reviewed-by: Adam Langley <agl@google.com>
8 anos atrás
Don't use the buffer BIO in TLS. On the TLS side, we introduce a running buffer of ciphertext. Queuing up pending data consists of encrypting the record into the buffer. This effectively reimplements what the buffer BIO was doing previously, but this resizes to fit the whole flight. As part of this, rename all the functions to add to the pending flight to be more uniform. This CL proposes "add_foo" to add to the pending flight and "flush_flight" to drain it. We add an add_alert hook for alerts but, for now, only the SSL 3.0 warning alert (sent mid-handshake) uses this mechanism. Later work will push this down to the rest of the write path so closure alerts use it too, as in DTLS. The intended end state is that all the ssl_buffer.c and wpend_ret logic will only be used for application data and eventually optionally replaced by the in-place API, while all "incidental" data will be handled internally. For now, the two buffers are mutually exclusive. Moving closure alerts to "incidentals" will change this, but flushing application data early is tricky due to wpend_ret. (If we call ssl_write_buffer_flush, do_ssl3_write doesn't realize it still has a wpend_ret to replay.) That too is all left alone in this change. To keep the diff down, write_message is retained for now and will be removed from the state machines in a follow-up change. BUG=72 Change-Id: Ibce882f5f7196880648f25d5005322ca4055c71d Reviewed-on: https://boringssl-review.googlesource.com/13224 Reviewed-by: Adam Langley <agl@google.com>
7 anos atrás
Abstract away BIO_flush calls in the handshake. This is the first part to removing the buffer BIO. The eventual end state is the SSL_PROTOCOL_METHOD is responsible for maintaining one flight's worth of messages. In TLS, it will just be a buffer containing the flight's ciphertext. In DTLS, it's the existing structure for retransmit purposes. There will be hooks: - add_message (synchronous) - add_change_cipher_spec (synchronous) - add_warning_alert (synchronous; needed until we lose SSLv3 client auth and TLS 1.3 draft 18; draft 19 will switch end_of_early_data to a handshake message) - write_flight (BIO; flush_flight will be renamed to this) This also preserves the exact return value of BIO_flush. Eventually all the BIO_write calls will be hidden behind BIO_flush to, to be consistent with other BIO-based calls, preserve the return value. BUG=72 Change-Id: I74cd23759a17356aab3bb475a8ea42bd2cd115c9 Reviewed-on: https://boringssl-review.googlesource.com/13222 Reviewed-by: Adam Langley <agl@google.com>
7 anos atrás
Remove expect and received flight hooks. Instead, the DTLS driver can detect these states implicitly based on when we write flights and when the handshake completes. When we flush a new flight, the peer has enough information to send their reply, so we start a timer. When we begin assembling a new flight, we must have received the final message in the peer's flight. (If there are asynchronous events between, we may stop the timer later, but we may freely stop the timer anytime before we next try to read something.) The only place this fails is if we were the last to write a flight, we'll have a stray timer. Clear it in a handshake completion hook. Change-Id: I973c592ee5721192949a45c259b93192fa309edb Reviewed-on: https://boringssl-review.googlesource.com/18864 Reviewed-by: Steven Valdez <svaldez@google.com> Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
7 anos atrás
Check for buffered handshake messages on cipher change in DTLS. This is the equivalent of FragmentAcrossChangeCipherSuite for DTLS. It is possible for us to, while receiving pre-CCS handshake messages, to buffer up a message with sequence number meant for a post-CCS Finished. When we then get to the new epoch and attempt to read the Finished, we will process the buffered Finished although it was sent with the wrong encryption. Move ssl_set_{read,write}_state to SSL_PROTOCOL_METHOD hooks as this is a property of the transport. Notably, read_state may fail. In DTLS check the handshake buffer size. We could place this check in read_change_cipher_spec, but TLS 1.3 has no ChangeCipherSpec message, so we will need to implement this at the cipher change point anyway. (For now, there is only an assert on the TLS side. This will be replaced with a proper check in TLS 1.3.) Change-Id: Ia52b0b81e7db53e9ed2d4f6d334a1cce13e93297 Reviewed-on: https://boringssl-review.googlesource.com/8790 Reviewed-by: Steven Valdez <svaldez@google.com> Reviewed-by: David Benjamin <davidben@google.com> Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
8 anos atrás
Merge SSLv23_method and DTLS_ANY_VERSION. This makes SSLv23_method go through DTLS_ANY_VERSION's version negotiation logic. This allows us to get rid of duplicate ClientHello logic. For compatibility, SSL_METHOD is now split into SSL_PROTOCOL_METHOD and a version. The legacy version-locked methods set min_version and max_version based this version field to emulate the original semantics. As a bonus, we can now handle fragmented ClientHello versions now. Because SSLv23_method is a silly name, deprecate that too and introduce TLS_method. Change-Id: I8b3df2b427ae34c44ecf972f466ad64dc3dbb171
10 anos atrás
Move libssl's internals into the bssl namespace. This is horrible, but everything else I tried was worse. The goal with this CL is to take the extern "C" out of ssl/internal.h and move most symbols to namespace bssl, so we can start using C++ helpers and destructors without worry. Complications: - Public API functions must be extern "C" and match their declaration in ssl.h, which is unnamespaced. C++ really does not want you to interleave namespaced and unnamespaced things. One can actually write a namespaced extern "C" function, but this means, from C++'s perspective, the function is namespaced. Trying to namespace the public header would worked but ended up too deep a rabbithole. - Our STACK_OF macros do not work right in namespaces. - The typedefs for our exposed but opaque types are visible in the header files and copied into consuming projects as forward declarations. We ultimately want to give SSL a destructor, but clobbering an unnamespaced ssl_st::~ssl_st seems bad manners. - MSVC complains about ambiguous names if one typedefs SSL to bssl::SSL. This CL opts for: - ssl/*.cc must begin with #define BORINGSSL_INTERNAL_CXX_TYPES. This informs the public headers to create forward declarations which are compatible with our namespaces. - For now, C++-defined type FOO ends up at bssl::FOO with a typedef outside. Later I imagine we'll rename many of them. - Internal functions get namespace bssl, so we stop worrying about stomping the tls1_prf symbol. Exported C functions are stuck as they are. Rather than try anything weird, bite the bullet and reorder files which have a mix of public and private functions. I expect that over time, the public functions will become fairly small as we move logic to more idiomatic C++. Files without any public C functions can just be written normally. - To avoid MSVC troubles, some bssl types are renamed to CPlusPlusStyle in advance of them being made idiomatic C++. Bug: 132 Change-Id: Ic931895e117c38b14ff8d6e5a273e868796c7581 Reviewed-on: https://boringssl-review.googlesource.com/18124 Reviewed-by: David Benjamin <davidben@google.com>
7 anos atrás
Add DTLS_with_buffers_method. WebRTC will need this (probably among other things) to lose crypto/x509 at some point. Bug: chromium:706445 Change-Id: I988e7300c4d913986b6ebbd1fa4130548dde76a4 Reviewed-on: https://boringssl-review.googlesource.com/18904 Reviewed-by: David Benjamin <davidben@google.com>
7 anos atrás
Move libssl's internals into the bssl namespace. This is horrible, but everything else I tried was worse. The goal with this CL is to take the extern "C" out of ssl/internal.h and move most symbols to namespace bssl, so we can start using C++ helpers and destructors without worry. Complications: - Public API functions must be extern "C" and match their declaration in ssl.h, which is unnamespaced. C++ really does not want you to interleave namespaced and unnamespaced things. One can actually write a namespaced extern "C" function, but this means, from C++'s perspective, the function is namespaced. Trying to namespace the public header would worked but ended up too deep a rabbithole. - Our STACK_OF macros do not work right in namespaces. - The typedefs for our exposed but opaque types are visible in the header files and copied into consuming projects as forward declarations. We ultimately want to give SSL a destructor, but clobbering an unnamespaced ssl_st::~ssl_st seems bad manners. - MSVC complains about ambiguous names if one typedefs SSL to bssl::SSL. This CL opts for: - ssl/*.cc must begin with #define BORINGSSL_INTERNAL_CXX_TYPES. This informs the public headers to create forward declarations which are compatible with our namespaces. - For now, C++-defined type FOO ends up at bssl::FOO with a typedef outside. Later I imagine we'll rename many of them. - Internal functions get namespace bssl, so we stop worrying about stomping the tls1_prf symbol. Exported C functions are stuck as they are. Rather than try anything weird, bite the bullet and reorder files which have a mix of public and private functions. I expect that over time, the public functions will become fairly small as we move logic to more idiomatic C++. Files without any public C functions can just be written normally. - To avoid MSVC troubles, some bssl types are renamed to CPlusPlusStyle in advance of them being made idiomatic C++. Bug: 132 Change-Id: Ic931895e117c38b14ff8d6e5a273e868796c7581 Reviewed-on: https://boringssl-review.googlesource.com/18124 Reviewed-by: David Benjamin <davidben@google.com>
7 anos atrás
Merge SSLv23_method and DTLS_ANY_VERSION. This makes SSLv23_method go through DTLS_ANY_VERSION's version negotiation logic. This allows us to get rid of duplicate ClientHello logic. For compatibility, SSL_METHOD is now split into SSL_PROTOCOL_METHOD and a version. The legacy version-locked methods set min_version and max_version based this version field to emulate the original semantics. As a bonus, we can now handle fragmented ClientHello versions now. Because SSLv23_method is a silly name, deprecate that too and introduce TLS_method. Change-Id: I8b3df2b427ae34c44ecf972f466ad64dc3dbb171
10 anos atrás
Rename (s3,d1)_meth.c. These are where the DTLS- and TLS-specific transport layer hooks will be defined. Later we can probably move much of the implementations of these hooks into these files so those functions can be static. While I'm here, fix up the naming of some constants. Change-Id: I1009dd9fdc3cc4fd49fbff0802f6289931abec3d Reviewed-on: https://boringssl-review.googlesource.com/8665 Reviewed-by: Steven Valdez <svaldez@google.com> Reviewed-by: David Benjamin <davidben@google.com>
8 anos atrás
Merge SSLv23_method and DTLS_ANY_VERSION. This makes SSLv23_method go through DTLS_ANY_VERSION's version negotiation logic. This allows us to get rid of duplicate ClientHello logic. For compatibility, SSL_METHOD is now split into SSL_PROTOCOL_METHOD and a version. The legacy version-locked methods set min_version and max_version based this version field to emulate the original semantics. As a bonus, we can now handle fragmented ClientHello versions now. Because SSLv23_method is a silly name, deprecate that too and introduce TLS_method. Change-Id: I8b3df2b427ae34c44ecf972f466ad64dc3dbb171
10 anos atrás
Rename (s3,d1)_meth.c. These are where the DTLS- and TLS-specific transport layer hooks will be defined. Later we can probably move much of the implementations of these hooks into these files so those functions can be static. While I'm here, fix up the naming of some constants. Change-Id: I1009dd9fdc3cc4fd49fbff0802f6289931abec3d Reviewed-on: https://boringssl-review.googlesource.com/8665 Reviewed-by: Steven Valdez <svaldez@google.com> Reviewed-by: David Benjamin <davidben@google.com>
8 anos atrás
Add |X509_METHOD| and, using it, move many functions to ssl_x509.c. Change-Id: I266af0c2bdcebcc1dd1026f816b9ef6ece5a592f Reviewed-on: https://boringssl-review.googlesource.com/13581 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: Adam Langley <agl@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
7 anos atrás
Merge SSLv23_method and DTLS_ANY_VERSION. This makes SSLv23_method go through DTLS_ANY_VERSION's version negotiation logic. This allows us to get rid of duplicate ClientHello logic. For compatibility, SSL_METHOD is now split into SSL_PROTOCOL_METHOD and a version. The legacy version-locked methods set min_version and max_version based this version field to emulate the original semantics. As a bonus, we can now handle fragmented ClientHello versions now. Because SSLv23_method is a silly name, deprecate that too and introduce TLS_method. Change-Id: I8b3df2b427ae34c44ecf972f466ad64dc3dbb171
10 anos atrás
Rename (s3,d1)_meth.c. These are where the DTLS- and TLS-specific transport layer hooks will be defined. Later we can probably move much of the implementations of these hooks into these files so those functions can be static. While I'm here, fix up the naming of some constants. Change-Id: I1009dd9fdc3cc4fd49fbff0802f6289931abec3d Reviewed-on: https://boringssl-review.googlesource.com/8665 Reviewed-by: Steven Valdez <svaldez@google.com> Reviewed-by: David Benjamin <davidben@google.com>
8 anos atrás
Merge SSLv23_method and DTLS_ANY_VERSION. This makes SSLv23_method go through DTLS_ANY_VERSION's version negotiation logic. This allows us to get rid of duplicate ClientHello logic. For compatibility, SSL_METHOD is now split into SSL_PROTOCOL_METHOD and a version. The legacy version-locked methods set min_version and max_version based this version field to emulate the original semantics. As a bonus, we can now handle fragmented ClientHello versions now. Because SSLv23_method is a silly name, deprecate that too and introduce TLS_method. Change-Id: I8b3df2b427ae34c44ecf972f466ad64dc3dbb171
10 anos atrás
Move libssl's internals into the bssl namespace. This is horrible, but everything else I tried was worse. The goal with this CL is to take the extern "C" out of ssl/internal.h and move most symbols to namespace bssl, so we can start using C++ helpers and destructors without worry. Complications: - Public API functions must be extern "C" and match their declaration in ssl.h, which is unnamespaced. C++ really does not want you to interleave namespaced and unnamespaced things. One can actually write a namespaced extern "C" function, but this means, from C++'s perspective, the function is namespaced. Trying to namespace the public header would worked but ended up too deep a rabbithole. - Our STACK_OF macros do not work right in namespaces. - The typedefs for our exposed but opaque types are visible in the header files and copied into consuming projects as forward declarations. We ultimately want to give SSL a destructor, but clobbering an unnamespaced ssl_st::~ssl_st seems bad manners. - MSVC complains about ambiguous names if one typedefs SSL to bssl::SSL. This CL opts for: - ssl/*.cc must begin with #define BORINGSSL_INTERNAL_CXX_TYPES. This informs the public headers to create forward declarations which are compatible with our namespaces. - For now, C++-defined type FOO ends up at bssl::FOO with a typedef outside. Later I imagine we'll rename many of them. - Internal functions get namespace bssl, so we stop worrying about stomping the tls1_prf symbol. Exported C functions are stuck as they are. Rather than try anything weird, bite the bullet and reorder files which have a mix of public and private functions. I expect that over time, the public functions will become fairly small as we move logic to more idiomatic C++. Files without any public C functions can just be written normally. - To avoid MSVC troubles, some bssl types are renamed to CPlusPlusStyle in advance of them being made idiomatic C++. Bug: 132 Change-Id: Ic931895e117c38b14ff8d6e5a273e868796c7581 Reviewed-on: https://boringssl-review.googlesource.com/18124 Reviewed-by: David Benjamin <davidben@google.com>
7 anos atrás
Convert comments in ssl. That's the last of it! Change-Id: I93d1f5ab7e95b2ad105c34b24297a0bf77625263 Reviewed-on: https://boringssl-review.googlesource.com/19784 Reviewed-by: David Benjamin <davidben@google.com> Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
7 anos atrás
Merge SSLv23_method and DTLS_ANY_VERSION. This makes SSLv23_method go through DTLS_ANY_VERSION's version negotiation logic. This allows us to get rid of duplicate ClientHello logic. For compatibility, SSL_METHOD is now split into SSL_PROTOCOL_METHOD and a version. The legacy version-locked methods set min_version and max_version based this version field to emulate the original semantics. As a bonus, we can now handle fragmented ClientHello versions now. Because SSLv23_method is a silly name, deprecate that too and introduce TLS_method. Change-Id: I8b3df2b427ae34c44ecf972f466ad64dc3dbb171
10 anos atrás
Rename (s3,d1)_meth.c. These are where the DTLS- and TLS-specific transport layer hooks will be defined. Later we can probably move much of the implementations of these hooks into these files so those functions can be static. While I'm here, fix up the naming of some constants. Change-Id: I1009dd9fdc3cc4fd49fbff0802f6289931abec3d Reviewed-on: https://boringssl-review.googlesource.com/8665 Reviewed-by: Steven Valdez <svaldez@google.com> Reviewed-by: David Benjamin <davidben@google.com>
8 anos atrás
Merge SSLv23_method and DTLS_ANY_VERSION. This makes SSLv23_method go through DTLS_ANY_VERSION's version negotiation logic. This allows us to get rid of duplicate ClientHello logic. For compatibility, SSL_METHOD is now split into SSL_PROTOCOL_METHOD and a version. The legacy version-locked methods set min_version and max_version based this version field to emulate the original semantics. As a bonus, we can now handle fragmented ClientHello versions now. Because SSLv23_method is a silly name, deprecate that too and introduce TLS_method. Change-Id: I8b3df2b427ae34c44ecf972f466ad64dc3dbb171
10 anos atrás
Rename (s3,d1)_meth.c. These are where the DTLS- and TLS-specific transport layer hooks will be defined. Later we can probably move much of the implementations of these hooks into these files so those functions can be static. While I'm here, fix up the naming of some constants. Change-Id: I1009dd9fdc3cc4fd49fbff0802f6289931abec3d Reviewed-on: https://boringssl-review.googlesource.com/8665 Reviewed-by: Steven Valdez <svaldez@google.com> Reviewed-by: David Benjamin <davidben@google.com>
8 anos atrás
Add |X509_METHOD| and, using it, move many functions to ssl_x509.c. Change-Id: I266af0c2bdcebcc1dd1026f816b9ef6ece5a592f Reviewed-on: https://boringssl-review.googlesource.com/13581 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: Adam Langley <agl@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
7 anos atrás
Merge SSLv23_method and DTLS_ANY_VERSION. This makes SSLv23_method go through DTLS_ANY_VERSION's version negotiation logic. This allows us to get rid of duplicate ClientHello logic. For compatibility, SSL_METHOD is now split into SSL_PROTOCOL_METHOD and a version. The legacy version-locked methods set min_version and max_version based this version field to emulate the original semantics. As a bonus, we can now handle fragmented ClientHello versions now. Because SSLv23_method is a silly name, deprecate that too and introduce TLS_method. Change-Id: I8b3df2b427ae34c44ecf972f466ad64dc3dbb171
10 anos atrás
Rename (s3,d1)_meth.c. These are where the DTLS- and TLS-specific transport layer hooks will be defined. Later we can probably move much of the implementations of these hooks into these files so those functions can be static. While I'm here, fix up the naming of some constants. Change-Id: I1009dd9fdc3cc4fd49fbff0802f6289931abec3d Reviewed-on: https://boringssl-review.googlesource.com/8665 Reviewed-by: Steven Valdez <svaldez@google.com> Reviewed-by: David Benjamin <davidben@google.com>
8 anos atrás
Merge SSLv23_method and DTLS_ANY_VERSION. This makes SSLv23_method go through DTLS_ANY_VERSION's version negotiation logic. This allows us to get rid of duplicate ClientHello logic. For compatibility, SSL_METHOD is now split into SSL_PROTOCOL_METHOD and a version. The legacy version-locked methods set min_version and max_version based this version field to emulate the original semantics. As a bonus, we can now handle fragmented ClientHello versions now. Because SSLv23_method is a silly name, deprecate that too and introduce TLS_method. Change-Id: I8b3df2b427ae34c44ecf972f466ad64dc3dbb171
10 anos atrás
Rename (s3,d1)_meth.c. These are where the DTLS- and TLS-specific transport layer hooks will be defined. Later we can probably move much of the implementations of these hooks into these files so those functions can be static. While I'm here, fix up the naming of some constants. Change-Id: I1009dd9fdc3cc4fd49fbff0802f6289931abec3d Reviewed-on: https://boringssl-review.googlesource.com/8665 Reviewed-by: Steven Valdez <svaldez@google.com> Reviewed-by: David Benjamin <davidben@google.com>
8 anos atrás
Merge SSLv23_method and DTLS_ANY_VERSION. This makes SSLv23_method go through DTLS_ANY_VERSION's version negotiation logic. This allows us to get rid of duplicate ClientHello logic. For compatibility, SSL_METHOD is now split into SSL_PROTOCOL_METHOD and a version. The legacy version-locked methods set min_version and max_version based this version field to emulate the original semantics. As a bonus, we can now handle fragmented ClientHello versions now. Because SSLv23_method is a silly name, deprecate that too and introduce TLS_method. Change-Id: I8b3df2b427ae34c44ecf972f466ad64dc3dbb171
10 anos atrás
Rename (s3,d1)_meth.c. These are where the DTLS- and TLS-specific transport layer hooks will be defined. Later we can probably move much of the implementations of these hooks into these files so those functions can be static. While I'm here, fix up the naming of some constants. Change-Id: I1009dd9fdc3cc4fd49fbff0802f6289931abec3d Reviewed-on: https://boringssl-review.googlesource.com/8665 Reviewed-by: Steven Valdez <svaldez@google.com> Reviewed-by: David Benjamin <davidben@google.com>
8 anos atrás
Add |X509_METHOD| and, using it, move many functions to ssl_x509.c. Change-Id: I266af0c2bdcebcc1dd1026f816b9ef6ece5a592f Reviewed-on: https://boringssl-review.googlesource.com/13581 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: Adam Langley <agl@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
7 anos atrás
Merge SSLv23_method and DTLS_ANY_VERSION. This makes SSLv23_method go through DTLS_ANY_VERSION's version negotiation logic. This allows us to get rid of duplicate ClientHello logic. For compatibility, SSL_METHOD is now split into SSL_PROTOCOL_METHOD and a version. The legacy version-locked methods set min_version and max_version based this version field to emulate the original semantics. As a bonus, we can now handle fragmented ClientHello versions now. Because SSLv23_method is a silly name, deprecate that too and introduce TLS_method. Change-Id: I8b3df2b427ae34c44ecf972f466ad64dc3dbb171
10 anos atrás
Rename (s3,d1)_meth.c. These are where the DTLS- and TLS-specific transport layer hooks will be defined. Later we can probably move much of the implementations of these hooks into these files so those functions can be static. While I'm here, fix up the naming of some constants. Change-Id: I1009dd9fdc3cc4fd49fbff0802f6289931abec3d Reviewed-on: https://boringssl-review.googlesource.com/8665 Reviewed-by: Steven Valdez <svaldez@google.com> Reviewed-by: David Benjamin <davidben@google.com>
8 anos atrás
Merge SSLv23_method and DTLS_ANY_VERSION. This makes SSLv23_method go through DTLS_ANY_VERSION's version negotiation logic. This allows us to get rid of duplicate ClientHello logic. For compatibility, SSL_METHOD is now split into SSL_PROTOCOL_METHOD and a version. The legacy version-locked methods set min_version and max_version based this version field to emulate the original semantics. As a bonus, we can now handle fragmented ClientHello versions now. Because SSLv23_method is a silly name, deprecate that too and introduce TLS_method. Change-Id: I8b3df2b427ae34c44ecf972f466ad64dc3dbb171
10 anos atrás
Rename (s3,d1)_meth.c. These are where the DTLS- and TLS-specific transport layer hooks will be defined. Later we can probably move much of the implementations of these hooks into these files so those functions can be static. While I'm here, fix up the naming of some constants. Change-Id: I1009dd9fdc3cc4fd49fbff0802f6289931abec3d Reviewed-on: https://boringssl-review.googlesource.com/8665 Reviewed-by: Steven Valdez <svaldez@google.com> Reviewed-by: David Benjamin <davidben@google.com>
8 anos atrás
Merge SSLv23_method and DTLS_ANY_VERSION. This makes SSLv23_method go through DTLS_ANY_VERSION's version negotiation logic. This allows us to get rid of duplicate ClientHello logic. For compatibility, SSL_METHOD is now split into SSL_PROTOCOL_METHOD and a version. The legacy version-locked methods set min_version and max_version based this version field to emulate the original semantics. As a bonus, we can now handle fragmented ClientHello versions now. Because SSLv23_method is a silly name, deprecate that too and introduce TLS_method. Change-Id: I8b3df2b427ae34c44ecf972f466ad64dc3dbb171
10 anos atrás
Rename (s3,d1)_meth.c. These are where the DTLS- and TLS-specific transport layer hooks will be defined. Later we can probably move much of the implementations of these hooks into these files so those functions can be static. While I'm here, fix up the naming of some constants. Change-Id: I1009dd9fdc3cc4fd49fbff0802f6289931abec3d Reviewed-on: https://boringssl-review.googlesource.com/8665 Reviewed-by: Steven Valdez <svaldez@google.com> Reviewed-by: David Benjamin <davidben@google.com>
8 anos atrás
Add |X509_METHOD| and, using it, move many functions to ssl_x509.c. Change-Id: I266af0c2bdcebcc1dd1026f816b9ef6ece5a592f Reviewed-on: https://boringssl-review.googlesource.com/13581 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: Adam Langley <agl@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
7 anos atrás
Merge SSLv23_method and DTLS_ANY_VERSION. This makes SSLv23_method go through DTLS_ANY_VERSION's version negotiation logic. This allows us to get rid of duplicate ClientHello logic. For compatibility, SSL_METHOD is now split into SSL_PROTOCOL_METHOD and a version. The legacy version-locked methods set min_version and max_version based this version field to emulate the original semantics. As a bonus, we can now handle fragmented ClientHello versions now. Because SSLv23_method is a silly name, deprecate that too and introduce TLS_method. Change-Id: I8b3df2b427ae34c44ecf972f466ad64dc3dbb171
10 anos atrás
Rename (s3,d1)_meth.c. These are where the DTLS- and TLS-specific transport layer hooks will be defined. Later we can probably move much of the implementations of these hooks into these files so those functions can be static. While I'm here, fix up the naming of some constants. Change-Id: I1009dd9fdc3cc4fd49fbff0802f6289931abec3d Reviewed-on: https://boringssl-review.googlesource.com/8665 Reviewed-by: Steven Valdez <svaldez@google.com> Reviewed-by: David Benjamin <davidben@google.com>
8 anos atrás
Merge SSLv23_method and DTLS_ANY_VERSION. This makes SSLv23_method go through DTLS_ANY_VERSION's version negotiation logic. This allows us to get rid of duplicate ClientHello logic. For compatibility, SSL_METHOD is now split into SSL_PROTOCOL_METHOD and a version. The legacy version-locked methods set min_version and max_version based this version field to emulate the original semantics. As a bonus, we can now handle fragmented ClientHello versions now. Because SSLv23_method is a silly name, deprecate that too and introduce TLS_method. Change-Id: I8b3df2b427ae34c44ecf972f466ad64dc3dbb171
10 anos atrás
Convert comments in ssl. That's the last of it! Change-Id: I93d1f5ab7e95b2ad105c34b24297a0bf77625263 Reviewed-on: https://boringssl-review.googlesource.com/19784 Reviewed-by: David Benjamin <davidben@google.com> Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
7 anos atrás
Merge the get_ssl_method hooks between TLS and SSLv3. Remove one more difference to worry about switching between TLS and SSLv3 method tables. Although this does change the get_ssl_method hook for the version-specific tables (before TLS and SSLv3 would be somewhat partitioned), it does not appear to do anything. get_ssl_method is only ever called in SSL_set_session for client session resumption. Either you're using the version-specific method tables and don't know about other versions anyway or you're using SSLv23 and don't partition TLS vs SSL3 anyway. BUG=chromium:403378 Change-Id: I8cbdf02847653a01b04dbbcaf61fcb3fa4753a99 Reviewed-on: https://boringssl-review.googlesource.com/1842 Reviewed-by: Adam Langley <agl@google.com>
10 anos atrás
Merge SSLv23_method and DTLS_ANY_VERSION. This makes SSLv23_method go through DTLS_ANY_VERSION's version negotiation logic. This allows us to get rid of duplicate ClientHello logic. For compatibility, SSL_METHOD is now split into SSL_PROTOCOL_METHOD and a version. The legacy version-locked methods set min_version and max_version based this version field to emulate the original semantics. As a bonus, we can now handle fragmented ClientHello versions now. Because SSLv23_method is a silly name, deprecate that too and introduce TLS_method. Change-Id: I8b3df2b427ae34c44ecf972f466ad64dc3dbb171
10 anos atrás
Merge the get_ssl_method hooks between TLS and SSLv3. Remove one more difference to worry about switching between TLS and SSLv3 method tables. Although this does change the get_ssl_method hook for the version-specific tables (before TLS and SSLv3 would be somewhat partitioned), it does not appear to do anything. get_ssl_method is only ever called in SSL_set_session for client session resumption. Either you're using the version-specific method tables and don't know about other versions anyway or you're using SSLv23 and don't partition TLS vs SSL3 anyway. BUG=chromium:403378 Change-Id: I8cbdf02847653a01b04dbbcaf61fcb3fa4753a99 Reviewed-on: https://boringssl-review.googlesource.com/1842 Reviewed-by: Adam Langley <agl@google.com>
10 anos atrás
Merge SSLv23_method and DTLS_ANY_VERSION. This makes SSLv23_method go through DTLS_ANY_VERSION's version negotiation logic. This allows us to get rid of duplicate ClientHello logic. For compatibility, SSL_METHOD is now split into SSL_PROTOCOL_METHOD and a version. The legacy version-locked methods set min_version and max_version based this version field to emulate the original semantics. As a bonus, we can now handle fragmented ClientHello versions now. Because SSLv23_method is a silly name, deprecate that too and introduce TLS_method. Change-Id: I8b3df2b427ae34c44ecf972f466ad64dc3dbb171
10 anos atrás
Merge client/server SSL_METHODs into the generic one. Supporting both schemes seems pointless. Now that s->server and s->state are set appropriately late and get_ssl_method is gone, the only difference is that the client/server ones have non-functional ssl_accept or ssl_connect hooks. We can't lose the generic ones, so let's unify on that. Note: this means a static linker will no longer drop the client or server handshake code if unused by a consumer linking statically. However, Chromium needs the server half anyway for DTLS and WebRTC, so that's probably a lost cause. Android also exposes server APIs. Change-Id: I290f5fb4ed558f59fadb5d1f84e9d9c405004c23 Reviewed-on: https://boringssl-review.googlesource.com/2440 Reviewed-by: Adam Langley <agl@google.com>
10 anos atrás
Merge SSLv23_method and DTLS_ANY_VERSION. This makes SSLv23_method go through DTLS_ANY_VERSION's version negotiation logic. This allows us to get rid of duplicate ClientHello logic. For compatibility, SSL_METHOD is now split into SSL_PROTOCOL_METHOD and a version. The legacy version-locked methods set min_version and max_version based this version field to emulate the original semantics. As a bonus, we can now handle fragmented ClientHello versions now. Because SSLv23_method is a silly name, deprecate that too and introduce TLS_method. Change-Id: I8b3df2b427ae34c44ecf972f466ad64dc3dbb171
10 anos atrás
Merge client/server SSL_METHODs into the generic one. Supporting both schemes seems pointless. Now that s->server and s->state are set appropriately late and get_ssl_method is gone, the only difference is that the client/server ones have non-functional ssl_accept or ssl_connect hooks. We can't lose the generic ones, so let's unify on that. Note: this means a static linker will no longer drop the client or server handshake code if unused by a consumer linking statically. However, Chromium needs the server half anyway for DTLS and WebRTC, so that's probably a lost cause. Android also exposes server APIs. Change-Id: I290f5fb4ed558f59fadb5d1f84e9d9c405004c23 Reviewed-on: https://boringssl-review.googlesource.com/2440 Reviewed-by: Adam Langley <agl@google.com>
10 anos atrás
Merge SSLv23_method and DTLS_ANY_VERSION. This makes SSLv23_method go through DTLS_ANY_VERSION's version negotiation logic. This allows us to get rid of duplicate ClientHello logic. For compatibility, SSL_METHOD is now split into SSL_PROTOCOL_METHOD and a version. The legacy version-locked methods set min_version and max_version based this version field to emulate the original semantics. As a bonus, we can now handle fragmented ClientHello versions now. Because SSLv23_method is a silly name, deprecate that too and introduce TLS_method. Change-Id: I8b3df2b427ae34c44ecf972f466ad64dc3dbb171
10 anos atrás
Merge client/server SSL_METHODs into the generic one. Supporting both schemes seems pointless. Now that s->server and s->state are set appropriately late and get_ssl_method is gone, the only difference is that the client/server ones have non-functional ssl_accept or ssl_connect hooks. We can't lose the generic ones, so let's unify on that. Note: this means a static linker will no longer drop the client or server handshake code if unused by a consumer linking statically. However, Chromium needs the server half anyway for DTLS and WebRTC, so that's probably a lost cause. Android also exposes server APIs. Change-Id: I290f5fb4ed558f59fadb5d1f84e9d9c405004c23 Reviewed-on: https://boringssl-review.googlesource.com/2440 Reviewed-by: Adam Langley <agl@google.com>
10 anos atrás
Merge SSLv23_method and DTLS_ANY_VERSION. This makes SSLv23_method go through DTLS_ANY_VERSION's version negotiation logic. This allows us to get rid of duplicate ClientHello logic. For compatibility, SSL_METHOD is now split into SSL_PROTOCOL_METHOD and a version. The legacy version-locked methods set min_version and max_version based this version field to emulate the original semantics. As a bonus, we can now handle fragmented ClientHello versions now. Because SSLv23_method is a silly name, deprecate that too and introduce TLS_method. Change-Id: I8b3df2b427ae34c44ecf972f466ad64dc3dbb171
10 anos atrás
Merge client/server SSL_METHODs into the generic one. Supporting both schemes seems pointless. Now that s->server and s->state are set appropriately late and get_ssl_method is gone, the only difference is that the client/server ones have non-functional ssl_accept or ssl_connect hooks. We can't lose the generic ones, so let's unify on that. Note: this means a static linker will no longer drop the client or server handshake code if unused by a consumer linking statically. However, Chromium needs the server half anyway for DTLS and WebRTC, so that's probably a lost cause. Android also exposes server APIs. Change-Id: I290f5fb4ed558f59fadb5d1f84e9d9c405004c23 Reviewed-on: https://boringssl-review.googlesource.com/2440 Reviewed-by: Adam Langley <agl@google.com>
10 anos atrás
Merge SSLv23_method and DTLS_ANY_VERSION. This makes SSLv23_method go through DTLS_ANY_VERSION's version negotiation logic. This allows us to get rid of duplicate ClientHello logic. For compatibility, SSL_METHOD is now split into SSL_PROTOCOL_METHOD and a version. The legacy version-locked methods set min_version and max_version based this version field to emulate the original semantics. As a bonus, we can now handle fragmented ClientHello versions now. Because SSLv23_method is a silly name, deprecate that too and introduce TLS_method. Change-Id: I8b3df2b427ae34c44ecf972f466ad64dc3dbb171
10 anos atrás
Merge client/server SSL_METHODs into the generic one. Supporting both schemes seems pointless. Now that s->server and s->state are set appropriately late and get_ssl_method is gone, the only difference is that the client/server ones have non-functional ssl_accept or ssl_connect hooks. We can't lose the generic ones, so let's unify on that. Note: this means a static linker will no longer drop the client or server handshake code if unused by a consumer linking statically. However, Chromium needs the server half anyway for DTLS and WebRTC, so that's probably a lost cause. Android also exposes server APIs. Change-Id: I290f5fb4ed558f59fadb5d1f84e9d9c405004c23 Reviewed-on: https://boringssl-review.googlesource.com/2440 Reviewed-by: Adam Langley <agl@google.com>
10 anos atrás
Merge SSLv23_method and DTLS_ANY_VERSION. This makes SSLv23_method go through DTLS_ANY_VERSION's version negotiation logic. This allows us to get rid of duplicate ClientHello logic. For compatibility, SSL_METHOD is now split into SSL_PROTOCOL_METHOD and a version. The legacy version-locked methods set min_version and max_version based this version field to emulate the original semantics. As a bonus, we can now handle fragmented ClientHello versions now. Because SSLv23_method is a silly name, deprecate that too and introduce TLS_method. Change-Id: I8b3df2b427ae34c44ecf972f466ad64dc3dbb171
10 anos atrás
Merge client/server SSL_METHODs into the generic one. Supporting both schemes seems pointless. Now that s->server and s->state are set appropriately late and get_ssl_method is gone, the only difference is that the client/server ones have non-functional ssl_accept or ssl_connect hooks. We can't lose the generic ones, so let's unify on that. Note: this means a static linker will no longer drop the client or server handshake code if unused by a consumer linking statically. However, Chromium needs the server half anyway for DTLS and WebRTC, so that's probably a lost cause. Android also exposes server APIs. Change-Id: I290f5fb4ed558f59fadb5d1f84e9d9c405004c23 Reviewed-on: https://boringssl-review.googlesource.com/2440 Reviewed-by: Adam Langley <agl@google.com>
10 anos atrás
Merge SSLv23_method and DTLS_ANY_VERSION. This makes SSLv23_method go through DTLS_ANY_VERSION's version negotiation logic. This allows us to get rid of duplicate ClientHello logic. For compatibility, SSL_METHOD is now split into SSL_PROTOCOL_METHOD and a version. The legacy version-locked methods set min_version and max_version based this version field to emulate the original semantics. As a bonus, we can now handle fragmented ClientHello versions now. Because SSLv23_method is a silly name, deprecate that too and introduce TLS_method. Change-Id: I8b3df2b427ae34c44ecf972f466ad64dc3dbb171
10 anos atrás
Add TLS_{client,server}_method. Inch towards OpenSSL 1.1.0 compatibility. BUG=91 Change-Id: Ia45b6bdb5114d0891fdffdef0b5868920324ecec Reviewed-on: https://boringssl-review.googlesource.com/9140 Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: Adam Langley <agl@google.com>
8 anos atrás
 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274 
  1. /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)

  2.  * All rights reserved.

  3.  *

  4.  * This package is an SSL implementation written

  5.  * by Eric Young (eay@cryptsoft.com).

  6.  * The implementation was written so as to conform with Netscapes SSL.

  7.  *

  8.  * This library is free for commercial and non-commercial use as long as

  9.  * the following conditions are aheared to.  The following conditions

  10.  * apply to all code found in this distribution, be it the RC4, RSA,

  11.  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation

  12.  * included with this distribution is covered by the same copyright terms

  13.  * except that the holder is Tim Hudson (tjh@cryptsoft.com).

  14.  *

  15.  * Copyright remains Eric Young's, and as such any Copyright notices in

  16.  * the code are not to be removed.

  17.  * If this package is used in a product, Eric Young should be given attribution

  18.  * as the author of the parts of the library used.

  19.  * This can be in the form of a textual message at program startup or

  20.  * in documentation (online or textual) provided with the package.

  21.  *

  22.  * Redistribution and use in source and binary forms, with or without

  23.  * modification, are permitted provided that the following conditions

  24.  * are met:

  25.  * 1. Redistributions of source code must retain the copyright

  26.  *    notice, this list of conditions and the following disclaimer.

  27.  * 2. Redistributions in binary form must reproduce the above copyright

  28.  *    notice, this list of conditions and the following disclaimer in the

  29.  *    documentation and/or other materials provided with the distribution.

  30.  * 3. All advertising materials mentioning features or use of this software

  31.  *    must display the following acknowledgement:

  32.  *    "This product includes cryptographic software written by

  33.  *     Eric Young (eay@cryptsoft.com)"

  34.  *    The word 'cryptographic' can be left out if the rouines from the library

  35.  *    being used are not cryptographic related :-).

  36.  * 4. If you include any Windows specific code (or a derivative thereof) from

  37.  *    the apps directory (application code) you must include an acknowledgement:

  38.  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"

  39.  *

  40.  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND

  41.  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

  42.  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE

  43.  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE

  44.  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL

  45.  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS

  46.  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

  47.  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT

  48.  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY

  49.  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF

  50.  * SUCH DAMAGE.

  51.  *

  52.  * The licence and distribution terms for any publically available version or

  53.  * derivative of this code cannot be changed.  i.e. this code cannot simply be

  54.  * copied and put under another distribution licence

  55.  * [including the GNU Public Licence.] */

  56. 

  57. #include <openssl/ssl.h>

  58. 

  59. #include <assert.h>

  60. #include <string.h>

  61. 

  62. #include <openssl/buf.h>

  63. 

  64. #include "../crypto/internal.h"

  65. #include "internal.h"

  66. 

  67. 

  68. namespace bssl {

  69. 

  70. static void ssl3_on_handshake_complete(SSL *ssl) {

  71.   // The handshake should have released its final message.

  72.   assert(!ssl->s3->has_message);

  73. 

  74.   // During the handshake, |hs_buf| is retained. Release if it there is no

  75.   // excess in it. There may be excess left if there server sent Finished and

  76.   // HelloRequest in the same record.

  77.   //

  78.   // TODO(davidben): SChannel does not support this. Reject this case.

  79.   if (ssl->s3->hs_buf && ssl->s3->hs_buf->length == 0) {

  80.     ssl->s3->hs_buf.reset();

  81.   }

  82. }

  83. 

  84. static bool ssl3_set_read_state(SSL *ssl, UniquePtr<SSLAEADContext> aead_ctx) {

  85.   // Cipher changes are forbidden if the current epoch has leftover data.

  86.   if (tls_has_unprocessed_handshake_data(ssl)) {

  87.     OPENSSL_PUT_ERROR(SSL, SSL_R_BUFFERED_MESSAGES_ON_CIPHER_CHANGE);

  88.     ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);

  89.     return false;

  90.   }

  91. 

  92.   OPENSSL_memset(ssl->s3->read_sequence, 0, sizeof(ssl->s3->read_sequence));

  93.   ssl->s3->aead_read_ctx = std::move(aead_ctx);

  94.   return true;

  95. }

  96. 

  97. static bool ssl3_set_write_state(SSL *ssl, UniquePtr<SSLAEADContext> aead_ctx) {

  98.   OPENSSL_memset(ssl->s3->write_sequence, 0, sizeof(ssl->s3->write_sequence));

  99.   ssl->s3->aead_write_ctx = std::move(aead_ctx);

  100.   return true;

  101. }

  102. 

  103. static const SSL_PROTOCOL_METHOD kTLSProtocolMethod = {

  104.     false /* is_dtls */,

  105.     ssl3_new,

  106.     ssl3_free,

  107.     ssl3_get_message,

  108.     ssl3_next_message,

  109.     ssl3_open_handshake,

  110.     ssl3_open_change_cipher_spec,

  111.     ssl3_open_app_data,

  112.     ssl3_write_app_data,

  113.     ssl3_dispatch_alert,

  114.     ssl3_init_message,

  115.     ssl3_finish_message,

  116.     ssl3_add_message,

  117.     ssl3_add_change_cipher_spec,

  118.     ssl3_add_alert,

  119.     ssl3_flush_flight,

  120.     ssl3_on_handshake_complete,

  121.     ssl3_set_read_state,

  122.     ssl3_set_write_state,

  123. };

  124. 

  125. static int ssl_noop_x509_check_client_CA_names(

  126.     STACK_OF(CRYPTO_BUFFER) *names) {

  127.   return 1;

  128. }

  129. 

  130. static void ssl_noop_x509_clear(CERT *cert) {}

  131. static void ssl_noop_x509_free(CERT *cert) {}

  132. static void ssl_noop_x509_dup(CERT *new_cert, const CERT *cert) {}

  133. static void ssl_noop_x509_flush_cached_leaf(CERT *cert) {}

  134. static void ssl_noop_x509_flush_cached_chain(CERT *cert) {}

  135. static int ssl_noop_x509_session_cache_objects(SSL_SESSION *sess) {

  136.   return 1;

  137. }

  138. static int ssl_noop_x509_session_dup(SSL_SESSION *new_session,

  139.                                        const SSL_SESSION *session) {

  140.   return 1;

  141. }

  142. static void ssl_noop_x509_session_clear(SSL_SESSION *session) {}

  143. static int ssl_noop_x509_session_verify_cert_chain(SSL_SESSION *session,

  144.                                                    SSL *ssl,

  145.                                                    uint8_t *out_alert) {

  146.   return 0;

  147. }

  148. 

  149. static void ssl_noop_x509_hs_flush_cached_ca_names(SSL_HANDSHAKE *hs) {}

  150. static int ssl_noop_x509_ssl_new(SSL *ctx) { return 1; }

  151. static void ssl_noop_x509_ssl_free(SSL *ctx) { }

  152. static void ssl_noop_x509_ssl_flush_cached_client_CA(SSL *ssl) {}

  153. static int ssl_noop_x509_ssl_auto_chain_if_needed(SSL *ssl) { return 1; }

  154. static int ssl_noop_x509_ssl_ctx_new(SSL_CTX *ctx) { return 1; }

  155. static void ssl_noop_x509_ssl_ctx_free(SSL_CTX *ctx) { }

  156. static void ssl_noop_x509_ssl_ctx_flush_cached_client_CA(SSL_CTX *ctx) {}

  157. 

  158. const SSL_X509_METHOD ssl_noop_x509_method = {

  159.   ssl_noop_x509_check_client_CA_names,

  160.   ssl_noop_x509_clear,

  161.   ssl_noop_x509_free,

  162.   ssl_noop_x509_dup,

  163.   ssl_noop_x509_flush_cached_chain,

  164.   ssl_noop_x509_flush_cached_leaf,

  165.   ssl_noop_x509_session_cache_objects,

  166.   ssl_noop_x509_session_dup,

  167.   ssl_noop_x509_session_clear,

  168.   ssl_noop_x509_session_verify_cert_chain,

  169.   ssl_noop_x509_hs_flush_cached_ca_names,

  170.   ssl_noop_x509_ssl_new,

  171.   ssl_noop_x509_ssl_free,

  172.   ssl_noop_x509_ssl_flush_cached_client_CA,

  173.   ssl_noop_x509_ssl_auto_chain_if_needed,

  174.   ssl_noop_x509_ssl_ctx_new,

  175.   ssl_noop_x509_ssl_ctx_free,

  176.   ssl_noop_x509_ssl_ctx_flush_cached_client_CA,

  177. };

  178. 

  179. }  // namespace bssl

  180. 

  181. using namespace bssl;

  182. 

  183. const SSL_METHOD *TLS_method(void) {

  184.   static const SSL_METHOD kMethod = {

  185.       0,

  186.       &kTLSProtocolMethod,

  187.       &ssl_crypto_x509_method,

  188.   };

  189.   return &kMethod;

  190. }

  191. 

  192. const SSL_METHOD *SSLv23_method(void) {

  193.   return TLS_method();

  194. }

  195. 

  196. const SSL_METHOD *TLS_with_buffers_method(void) {

  197.   static const SSL_METHOD kMethod = {

  198.       0,

  199.       &kTLSProtocolMethod,

  200.       &ssl_noop_x509_method,

  201.   };

  202.   return &kMethod;

  203. }

  204. 

  205. // Legacy version-locked methods.

  206. 

  207. const SSL_METHOD *TLSv1_2_method(void) {

  208.   static const SSL_METHOD kMethod = {

  209.       TLS1_2_VERSION,

  210.       &kTLSProtocolMethod,

  211.       &ssl_crypto_x509_method,

  212.   };

  213.   return &kMethod;

  214. }

  215. 

  216. const SSL_METHOD *TLSv1_1_method(void) {

  217.   static const SSL_METHOD kMethod = {

  218.       TLS1_1_VERSION,

  219.       &kTLSProtocolMethod,

  220.       &ssl_crypto_x509_method,

  221.   };

  222.   return &kMethod;

  223. }

  224. 

  225. const SSL_METHOD *TLSv1_method(void) {

  226.   static const SSL_METHOD kMethod = {

  227.       TLS1_VERSION,

  228.       &kTLSProtocolMethod,

  229.       &ssl_crypto_x509_method,

  230.   };

  231.   return &kMethod;

  232. }

  233. 

  234. // Legacy side-specific methods.

  235. 

  236. const SSL_METHOD *TLSv1_2_server_method(void) {

  237.   return TLSv1_2_method();

  238. }

  239. 

  240. const SSL_METHOD *TLSv1_1_server_method(void) {

  241.   return TLSv1_1_method();

  242. }

  243. 

  244. const SSL_METHOD *TLSv1_server_method(void) {

  245.   return TLSv1_method();

  246. }

  247. 

  248. const SSL_METHOD *TLSv1_2_client_method(void) {

  249.   return TLSv1_2_method();

  250. }

  251. 

  252. const SSL_METHOD *TLSv1_1_client_method(void) {

  253.   return TLSv1_1_method();

  254. }

  255. 

  256. const SSL_METHOD *TLSv1_client_method(void) {

  257.   return TLSv1_method();

  258. }

  259. 

  260. const SSL_METHOD *SSLv23_server_method(void) {

  261.   return SSLv23_method();

  262. }

  263. 

  264. const SSL_METHOD *SSLv23_client_method(void) {

  265.   return SSLv23_method();

  266. }

  267. 

  268. const SSL_METHOD *TLS_server_method(void) {

  269.   return TLS_method();

  270. }

  271. 

  272. const SSL_METHOD *TLS_client_method(void) {

  273.   return TLS_method();

  274. }