kris/boringssl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
c7df7967fa
boringssl/ssl/tls_method.c

254 lines
7.3 KiB
C
Raw Normal View History

Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
2014-06-20 20:00:00 +01:00
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
* This package is an SSL implementation written
* by Eric Young (eay@cryptsoft.com).
* The implementation was written so as to conform with Netscapes SSL.
*
* This library is free for commercial and non-commercial use as long as
* the following conditions are aheared to. The following conditions
* apply to all code found in this distribution, be it the RC4, RSA,
* lhash, DES, etc., code; not just the SSL code. The SSL documentation
* included with this distribution is covered by the same copyright terms
* except that the holder is Tim Hudson (tjh@cryptsoft.com).
*
* Copyright remains Eric Young's, and as such any Copyright notices in
* the code are not to be removed.
* If this package is used in a product, Eric Young should be given attribution
* as the author of the parts of the library used.
* This can be in the form of a textual message at program startup or
* in documentation (online or textual) provided with the package.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. All advertising materials mentioning features or use of this software
* must display the following acknowledgement:
* "This product includes cryptographic software written by
* Eric Young (eay@cryptsoft.com)"
* The word 'cryptographic' can be left out if the rouines from the library
* being used are not cryptographic related :-).
* 4. If you include any Windows specific code (or a derivative thereof) from
* the apps directory (application code) you must include an acknowledgement:
* "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
*
* THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* The licence and distribution terms for any publically available version or
* derivative of this code cannot be changed. i.e. this code cannot simply be
* copied and put under another distribution licence
* [including the GNU Public Licence.] */
Align the SSL stack on #include style. ssl.h should be first. Also two lines after includes and the rest of the file. Change-Id: Icb7586e00a3e64170082c96cf3f8bfbb2b7e1611 Reviewed-on: https://boringssl-review.googlesource.com/5892 Reviewed-by: Adam Langley <agl@google.com>
2015-09-15 06:48:04 +01:00
#include <openssl/ssl.h>
Don't return invalid versions in version_from_wire. This is in preparation for using the supported_versions extension to experiment with draft TLS 1.3 versions, since we don't wish to restore the fallback. With versions begin opaque values, we will want version_from_wire to reject unknown values, not attempt to preserve order in some way. This means ClientHello.version processing needs to be separate code. That's just written out fully in negotiate_version now. It also means SSL_set_{min,max}_version will notice invalid inputs which aligns us better with upstream's versions of those APIs. This CL doesn't replace ssl->version with an internal-representation version, though follow work should do it once a couple of changes land in consumers. BUG=90 Change-Id: Id2f5e1fa72847c823ee7f082e9e69f55e51ce9da Reviewed-on: https://boringssl-review.googlesource.com/11122 Reviewed-by: David Benjamin <davidben@google.com> Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2016-09-20 00:57:37 +01:00
#include <assert.h>
Check for buffered handshake messages on cipher change in DTLS. This is the equivalent of FragmentAcrossChangeCipherSuite for DTLS. It is possible for us to, while receiving pre-CCS handshake messages, to buffer up a message with sequence number meant for a post-CCS Finished. When we then get to the new epoch and attempt to read the Finished, we will process the buffered Finished although it was sent with the wrong encryption. Move ssl_set_{read,write}_state to SSL_PROTOCOL_METHOD hooks as this is a property of the transport. Notably, read_state may fail. In DTLS check the handshake buffer size. We could place this check in read_change_cipher_spec, but TLS 1.3 has no ChangeCipherSpec message, so we will need to implement this at the cipher change point anyway. (For now, there is only an assert on the TLS side. This will be replaced with a proper check in TLS 1.3.) Change-Id: Ia52b0b81e7db53e9ed2d4f6d334a1cce13e93297 Reviewed-on: https://boringssl-review.googlesource.com/8790 Reviewed-by: Steven Valdez <svaldez@google.com> Reviewed-by: David Benjamin <davidben@google.com> Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2016-07-15 04:10:43 +01:00
#include <string.h>
Move references to init_buf into SSL_PROTOCOL_METHOD. Both DTLS and TLS still use it, but that will change in the following commit. This also removes the handshake's knowledge of the dtls_clear_incoming_messages function. (It's possible we'll want to get rid of begin_handshake in favor of allocating it lazily depending on how TLS 1.3 post-handshake messages end up working out. But this should work for now.) Change-Id: I0f512788bbc330ab2c947890939c73e0a1aca18b Reviewed-on: https://boringssl-review.googlesource.com/8666 Reviewed-by: Steven Valdez <svaldez@google.com> Reviewed-by: David Benjamin <davidben@google.com>
2016-07-08 17:16:50 +01:00
#include <openssl/buf.h>
Work around language and compiler bug in memcpy, etc. Most C standard library functions are undefined if passed NULL, even when the corresponding length is zero. This gives them (and, in turn, all functions which call them) surprising behavior on empty arrays. Some compilers will miscompile code due to this rule. See also https://www.imperialviolet.org/2016/06/26/nonnull.html Add OPENSSL_memcpy, etc., wrappers which avoid this problem. BUG=23 Change-Id: I95f42b23e92945af0e681264fffaf578e7f8465e Reviewed-on: https://boringssl-review.googlesource.com/12928 Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: Adam Langley <agl@google.com>
2016-12-13 06:07:13 +00:00
#include "../crypto/internal.h"
Rename ssl_locl.h to internal.h Match the other internal headers. Change-Id: Iff7e2dd06a1a7bf993053d0464cc15638ace3aaa Reviewed-on: https://boringssl-review.googlesource.com/4280 Reviewed-by: Adam Langley <agl@google.com>
2015-04-08 03:38:30 +01:00
#include "internal.h"
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
2014-06-20 20:00:00 +01:00
Don't return invalid versions in version_from_wire. This is in preparation for using the supported_versions extension to experiment with draft TLS 1.3 versions, since we don't wish to restore the fallback. With versions begin opaque values, we will want version_from_wire to reject unknown values, not attempt to preserve order in some way. This means ClientHello.version processing needs to be separate code. That's just written out fully in negotiate_version now. It also means SSL_set_{min,max}_version will notice invalid inputs which aligns us better with upstream's versions of those APIs. This CL doesn't replace ssl->version with an internal-representation version, though follow work should do it once a couple of changes land in consumers. BUG=90 Change-Id: Id2f5e1fa72847c823ee7f082e9e69f55e51ce9da Reviewed-on: https://boringssl-review.googlesource.com/11122 Reviewed-by: David Benjamin <davidben@google.com> Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2016-09-20 00:57:37 +01:00
static int ssl3_version_from_wire(uint16_t *out_version,
uint16_t wire_version) {
switch (wire_version) {
case SSL3_VERSION:
case TLS1_VERSION:
case TLS1_1_VERSION:
case TLS1_2_VERSION:
*out_version = wire_version;
return 1;
Moving TLS 1.3 version negotiation into extension. Change-Id: I73f9fd64b46f26978b897409d817b34ec9d93afd Reviewed-on: https://boringssl-review.googlesource.com/11080 Reviewed-by: Steven Valdez <svaldez@google.com> Reviewed-by: David Benjamin <davidben@google.com> Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2016-09-15 21:27:05 +01:00
case TLS1_3_DRAFT_VERSION:
*out_version = TLS1_3_VERSION;
return 1;
Don't return invalid versions in version_from_wire. This is in preparation for using the supported_versions extension to experiment with draft TLS 1.3 versions, since we don't wish to restore the fallback. With versions begin opaque values, we will want version_from_wire to reject unknown values, not attempt to preserve order in some way. This means ClientHello.version processing needs to be separate code. That's just written out fully in negotiate_version now. It also means SSL_set_{min,max}_version will notice invalid inputs which aligns us better with upstream's versions of those APIs. This CL doesn't replace ssl->version with an internal-representation version, though follow work should do it once a couple of changes land in consumers. BUG=90 Change-Id: Id2f5e1fa72847c823ee7f082e9e69f55e51ce9da Reviewed-on: https://boringssl-review.googlesource.com/11122 Reviewed-by: David Benjamin <davidben@google.com> Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2016-09-20 00:57:37 +01:00
}
return 0;
Simplify version configuration. OpenSSL's SSL_OP_NO_* flags allow discontinuous version ranges. This is a nuisance for two reasons. First it makes it unnecessarily difficult to answer "are any versions below TLS 1.3 enabled?". Second the protocol does not allow discontinuous version ranges on the client anyway. OpenSSL instead picks the first continous range of enabled versions on the client, but not the server. This is bizarrely inconsistent. It also doesn't quite do this as the ClientHello sending logic does this, but not the ServerHello processing logic. So we actually break some invariants slightly. The logic is also cumbersome in DTLS which kindly inverts the comparison logic. First, switch min_version/max_version's storage to normalized versions. Next replace all the ad-hoc version-related functions with a single ssl_get_version_range function. Client and server now consistently pick a contiguous range of versions. Note this is a slight behavior change for servers. Version-range-sensitive logic is rewritten to use this new function. BUG=66 Change-Id: Iad0d64f2b7a917603fc7da54c9fc6656c5fbdb24 Reviewed-on: https://boringssl-review.googlesource.com/8513 Reviewed-by: David Benjamin <davidben@google.com>
2016-06-21 15:33:21 +01:00
}
Don't return invalid versions in version_from_wire. This is in preparation for using the supported_versions extension to experiment with draft TLS 1.3 versions, since we don't wish to restore the fallback. With versions begin opaque values, we will want version_from_wire to reject unknown values, not attempt to preserve order in some way. This means ClientHello.version processing needs to be separate code. That's just written out fully in negotiate_version now. It also means SSL_set_{min,max}_version will notice invalid inputs which aligns us better with upstream's versions of those APIs. This CL doesn't replace ssl->version with an internal-representation version, though follow work should do it once a couple of changes land in consumers. BUG=90 Change-Id: Id2f5e1fa72847c823ee7f082e9e69f55e51ce9da Reviewed-on: https://boringssl-review.googlesource.com/11122 Reviewed-by: David Benjamin <davidben@google.com> Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2016-09-20 00:57:37 +01:00
static uint16_t ssl3_version_to_wire(uint16_t version) {
switch (version) {
case SSL3_VERSION:
case TLS1_VERSION:
case TLS1_1_VERSION:
case TLS1_2_VERSION:
return version;
Moving TLS 1.3 version negotiation into extension. Change-Id: I73f9fd64b46f26978b897409d817b34ec9d93afd Reviewed-on: https://boringssl-review.googlesource.com/11080 Reviewed-by: Steven Valdez <svaldez@google.com> Reviewed-by: David Benjamin <davidben@google.com> Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2016-09-15 21:27:05 +01:00
case TLS1_3_VERSION:
return TLS1_3_DRAFT_VERSION;
Don't return invalid versions in version_from_wire. This is in preparation for using the supported_versions extension to experiment with draft TLS 1.3 versions, since we don't wish to restore the fallback. With versions begin opaque values, we will want version_from_wire to reject unknown values, not attempt to preserve order in some way. This means ClientHello.version processing needs to be separate code. That's just written out fully in negotiate_version now. It also means SSL_set_{min,max}_version will notice invalid inputs which aligns us better with upstream's versions of those APIs. This CL doesn't replace ssl->version with an internal-representation version, though follow work should do it once a couple of changes land in consumers. BUG=90 Change-Id: Id2f5e1fa72847c823ee7f082e9e69f55e51ce9da Reviewed-on: https://boringssl-review.googlesource.com/11122 Reviewed-by: David Benjamin <davidben@google.com> Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2016-09-20 00:57:37 +01:00
}
/* It is an error to use this function with an invalid version. */
assert(0);
return 0;
}
Simplify version configuration. OpenSSL's SSL_OP_NO_* flags allow discontinuous version ranges. This is a nuisance for two reasons. First it makes it unnecessarily difficult to answer "are any versions below TLS 1.3 enabled?". Second the protocol does not allow discontinuous version ranges on the client anyway. OpenSSL instead picks the first continous range of enabled versions on the client, but not the server. This is bizarrely inconsistent. It also doesn't quite do this as the ClientHello sending logic does this, but not the ServerHello processing logic. So we actually break some invariants slightly. The logic is also cumbersome in DTLS which kindly inverts the comparison logic. First, switch min_version/max_version's storage to normalized versions. Next replace all the ad-hoc version-related functions with a single ssl_get_version_range function. Client and server now consistently pick a contiguous range of versions. Note this is a slight behavior change for servers. Version-range-sensitive logic is rewritten to use this new function. BUG=66 Change-Id: Iad0d64f2b7a917603fc7da54c9fc6656c5fbdb24 Reviewed-on: https://boringssl-review.googlesource.com/8513 Reviewed-by: David Benjamin <davidben@google.com>
2016-06-21 15:33:21 +01:00
Move a few more functions into *_method.c. s3_lib.c is nearly gone. ssl_get_cipher_preferences will fall away once we remove the version-specific cipher lists. ssl_get_algorithm_prf and the PRF stuff in general needs some revising (it was the motivation for all the SSL_HANDSHAKE business). I've left ssl3_new / ssl3_free alone for now because we don't have a good separation between common TLS/DTLS connection state and state internal to the TLS SSL_PROTOCOL_METHOD. Leaving that alone for now as there's lower-hanging fruit. Change-Id: Idf7989123a387938aa89b6a052161c9fff4cbfb3 Reviewed-on: https://boringssl-review.googlesource.com/12584 Reviewed-by: Adam Langley <agl@google.com>
2016-12-04 04:23:52 +00:00
static int ssl3_supports_cipher(const SSL_CIPHER *cipher) { return 1; }
static void ssl3_expect_flight(SSL *ssl) {}
static void ssl3_received_flight(SSL *ssl) {}
Check for buffered handshake messages on cipher change in DTLS. This is the equivalent of FragmentAcrossChangeCipherSuite for DTLS. It is possible for us to, while receiving pre-CCS handshake messages, to buffer up a message with sequence number meant for a post-CCS Finished. When we then get to the new epoch and attempt to read the Finished, we will process the buffered Finished although it was sent with the wrong encryption. Move ssl_set_{read,write}_state to SSL_PROTOCOL_METHOD hooks as this is a property of the transport. Notably, read_state may fail. In DTLS check the handshake buffer size. We could place this check in read_change_cipher_spec, but TLS 1.3 has no ChangeCipherSpec message, so we will need to implement this at the cipher change point anyway. (For now, there is only an assert on the TLS side. This will be replaced with a proper check in TLS 1.3.) Change-Id: Ia52b0b81e7db53e9ed2d4f6d334a1cce13e93297 Reviewed-on: https://boringssl-review.googlesource.com/8790 Reviewed-by: Steven Valdez <svaldez@google.com> Reviewed-by: David Benjamin <davidben@google.com> Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2016-07-15 04:10:43 +01:00
static int ssl3_set_read_state(SSL *ssl, SSL_AEAD_CTX *aead_ctx) {
Add TLS 1.3 1-RTT. This adds the machinery for doing TLS 1.3 1RTT. Change-Id: I736921ffe9dc6f6e64a08a836df6bb166d20f504 Reviewed-on: https://boringssl-review.googlesource.com/8720 Reviewed-by: David Benjamin <davidben@google.com> Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2016-07-11 18:19:03 +01:00
if (ssl->s3->rrec.length != 0) {
/* There may not be unprocessed record data at a cipher change. */
OPENSSL_PUT_ERROR(SSL, SSL_R_BUFFERED_MESSAGES_ON_CIPHER_CHANGE);
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
SSL_AEAD_CTX_free(aead_ctx);
return 0;
}
Check for buffered handshake messages on cipher change in DTLS. This is the equivalent of FragmentAcrossChangeCipherSuite for DTLS. It is possible for us to, while receiving pre-CCS handshake messages, to buffer up a message with sequence number meant for a post-CCS Finished. When we then get to the new epoch and attempt to read the Finished, we will process the buffered Finished although it was sent with the wrong encryption. Move ssl_set_{read,write}_state to SSL_PROTOCOL_METHOD hooks as this is a property of the transport. Notably, read_state may fail. In DTLS check the handshake buffer size. We could place this check in read_change_cipher_spec, but TLS 1.3 has no ChangeCipherSpec message, so we will need to implement this at the cipher change point anyway. (For now, there is only an assert on the TLS side. This will be replaced with a proper check in TLS 1.3.) Change-Id: Ia52b0b81e7db53e9ed2d4f6d334a1cce13e93297 Reviewed-on: https://boringssl-review.googlesource.com/8790 Reviewed-by: Steven Valdez <svaldez@google.com> Reviewed-by: David Benjamin <davidben@google.com> Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2016-07-15 04:10:43 +01:00
Work around language and compiler bug in memcpy, etc. Most C standard library functions are undefined if passed NULL, even when the corresponding length is zero. This gives them (and, in turn, all functions which call them) surprising behavior on empty arrays. Some compilers will miscompile code due to this rule. See also https://www.imperialviolet.org/2016/06/26/nonnull.html Add OPENSSL_memcpy, etc., wrappers which avoid this problem. BUG=23 Change-Id: I95f42b23e92945af0e681264fffaf578e7f8465e Reviewed-on: https://boringssl-review.googlesource.com/12928 Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: Adam Langley <agl@google.com>
2016-12-13 06:07:13 +00:00
OPENSSL_memset(ssl->s3->read_sequence, 0, sizeof(ssl->s3->read_sequence));
Check for buffered handshake messages on cipher change in DTLS. This is the equivalent of FragmentAcrossChangeCipherSuite for DTLS. It is possible for us to, while receiving pre-CCS handshake messages, to buffer up a message with sequence number meant for a post-CCS Finished. When we then get to the new epoch and attempt to read the Finished, we will process the buffered Finished although it was sent with the wrong encryption. Move ssl_set_{read,write}_state to SSL_PROTOCOL_METHOD hooks as this is a property of the transport. Notably, read_state may fail. In DTLS check the handshake buffer size. We could place this check in read_change_cipher_spec, but TLS 1.3 has no ChangeCipherSpec message, so we will need to implement this at the cipher change point anyway. (For now, there is only an assert on the TLS side. This will be replaced with a proper check in TLS 1.3.) Change-Id: Ia52b0b81e7db53e9ed2d4f6d334a1cce13e93297 Reviewed-on: https://boringssl-review.googlesource.com/8790 Reviewed-by: Steven Valdez <svaldez@google.com> Reviewed-by: David Benjamin <davidben@google.com> Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2016-07-15 04:10:43 +01:00
SSL_AEAD_CTX_free(ssl->s3->aead_read_ctx);
ssl->s3->aead_read_ctx = aead_ctx;
return 1;
}
static int ssl3_set_write_state(SSL *ssl, SSL_AEAD_CTX *aead_ctx) {
Work around language and compiler bug in memcpy, etc. Most C standard library functions are undefined if passed NULL, even when the corresponding length is zero. This gives them (and, in turn, all functions which call them) surprising behavior on empty arrays. Some compilers will miscompile code due to this rule. See also https://www.imperialviolet.org/2016/06/26/nonnull.html Add OPENSSL_memcpy, etc., wrappers which avoid this problem. BUG=23 Change-Id: I95f42b23e92945af0e681264fffaf578e7f8465e Reviewed-on: https://boringssl-review.googlesource.com/12928 Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: Adam Langley <agl@google.com>
2016-12-13 06:07:13 +00:00
OPENSSL_memset(ssl->s3->write_sequence, 0, sizeof(ssl->s3->write_sequence));
Check for buffered handshake messages on cipher change in DTLS. This is the equivalent of FragmentAcrossChangeCipherSuite for DTLS. It is possible for us to, while receiving pre-CCS handshake messages, to buffer up a message with sequence number meant for a post-CCS Finished. When we then get to the new epoch and attempt to read the Finished, we will process the buffered Finished although it was sent with the wrong encryption. Move ssl_set_{read,write}_state to SSL_PROTOCOL_METHOD hooks as this is a property of the transport. Notably, read_state may fail. In DTLS check the handshake buffer size. We could place this check in read_change_cipher_spec, but TLS 1.3 has no ChangeCipherSpec message, so we will need to implement this at the cipher change point anyway. (For now, there is only an assert on the TLS side. This will be replaced with a proper check in TLS 1.3.) Change-Id: Ia52b0b81e7db53e9ed2d4f6d334a1cce13e93297 Reviewed-on: https://boringssl-review.googlesource.com/8790 Reviewed-by: Steven Valdez <svaldez@google.com> Reviewed-by: David Benjamin <davidben@google.com> Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2016-07-15 04:10:43 +01:00
SSL_AEAD_CTX_free(ssl->s3->aead_write_ctx);
ssl->s3->aead_write_ctx = aead_ctx;
return 1;
}
Rename (s3,d1)_meth.c. These are where the DTLS- and TLS-specific transport layer hooks will be defined. Later we can probably move much of the implementations of these hooks into these files so those functions can be static. While I'm here, fix up the naming of some constants. Change-Id: I1009dd9fdc3cc4fd49fbff0802f6289931abec3d Reviewed-on: https://boringssl-review.googlesource.com/8665 Reviewed-by: Steven Valdez <svaldez@google.com> Reviewed-by: David Benjamin <davidben@google.com>
2016-07-08 17:05:45 +01:00
static const SSL_PROTOCOL_METHOD kTLSProtocolMethod = {
Move the is_dtls bit from SSL3_ENC_METHOD to SSL_PROTOCOL_METHOD. This too isn't version-specific. This removes the final difference between TLS and DTLS SSL3_ENC_METHODs and we can fold them together. (We should be able to fold away the version-specific differences too, but all in due time.) Change-Id: I6652d3942a0970273d46d28d7052629c81f848b5 Reviewed-on: https://boringssl-review.googlesource.com/3771 Reviewed-by: Adam Langley <agl@google.com>
2015-03-05 06:56:32 +00:00
0 /* is_dtls */,
Simplify version configuration. OpenSSL's SSL_OP_NO_* flags allow discontinuous version ranges. This is a nuisance for two reasons. First it makes it unnecessarily difficult to answer "are any versions below TLS 1.3 enabled?". Second the protocol does not allow discontinuous version ranges on the client anyway. OpenSSL instead picks the first continous range of enabled versions on the client, but not the server. This is bizarrely inconsistent. It also doesn't quite do this as the ClientHello sending logic does this, but not the ServerHello processing logic. So we actually break some invariants slightly. The logic is also cumbersome in DTLS which kindly inverts the comparison logic. First, switch min_version/max_version's storage to normalized versions. Next replace all the ad-hoc version-related functions with a single ssl_get_version_range function. Client and server now consistently pick a contiguous range of versions. Note this is a slight behavior change for servers. Version-range-sensitive logic is rewritten to use this new function. BUG=66 Change-Id: Iad0d64f2b7a917603fc7da54c9fc6656c5fbdb24 Reviewed-on: https://boringssl-review.googlesource.com/8513 Reviewed-by: David Benjamin <davidben@google.com>
2016-06-21 15:33:21 +01:00
SSL3_VERSION,
TLS1_3_VERSION,
ssl3_version_from_wire,
ssl3_version_to_wire,
Merge SSLv23_method and DTLS_ANY_VERSION. This makes SSLv23_method go through DTLS_ANY_VERSION's version negotiation logic. This allows us to get rid of duplicate ClientHello logic. For compatibility, SSL_METHOD is now split into SSL_PROTOCOL_METHOD and a version. The legacy version-locked methods set min_version and max_version based this version field to emulate the original semantics. As a bonus, we can now handle fragmented ClientHello versions now. Because SSLv23_method is a silly name, deprecate that too and introduce TLS_method. Change-Id: I8b3df2b427ae34c44ecf972f466ad64dc3dbb171
2014-12-12 20:55:27 +00:00
ssl3_new,
ssl3_free,
ssl3_get_message,
Replace hash_current_message with get_current_message. For TLS 1.3 draft 18, it will be useful to get at the full current message and not just the body. Add a hook to expose it and replace hash_current_message with a wrapper over it. BUG=112 Change-Id: Ib9e00dd1b78e8b72e12409d85c80e96c5b411a8b Reviewed-on: https://boringssl-review.googlesource.com/12238 Reviewed-by: David Benjamin <davidben@google.com> Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2016-11-14 08:12:11 +00:00
ssl3_get_current_message,
Switch finish_handshake to release_current_message. With the previous DTLS change, the dispatch layer only cares about the end of the handshake to know when to drop the current message. TLS 1.3 post-handshake messages will need a similar hook, so convert it to this lower-level one. BUG=83 Change-Id: I4c8c3ba55ba793afa065bf261a7bccac8816c348 Reviewed-on: https://boringssl-review.googlesource.com/8989 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: Adam Langley <agl@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2016-07-27 22:51:49 +01:00
ssl3_release_current_message,
Split ssl_read_bytes hook into app_data and close_notify hooks. This still needs significant work, especially the close_notify half, but clarify the interface and get *_read_bytes out of SSL_PROTOCOL_METHOD. read_bytes is an implementation detail of those two and get_message rather than both an implementation detail of get_message for handshake and a (wholly inappropriate) exposed interface for the other two. BUG=468889 Change-Id: I7dd23869e0b7c3532ceb2e9dd31ca25ea31128e7 Reviewed-on: https://boringssl-review.googlesource.com/4956 Reviewed-by: Adam Langley <agl@google.com>
2015-05-30 21:22:10 +01:00
ssl3_read_app_data,
Pull ChangeCipherSpec into the handshake state machine. This uses ssl3_read_bytes for now. We still need to dismantle that function and then invert the handshake state machine, but this gets things closer to the right shape as an intermediate step and is a large chunk in itself. It simplifies a lot of the CCS/handshake synchronization as a lot of the invariants much more clearly follow from the handshake itself. Tests need to be adjusted since this changes some error codes. Now all the CCS/Handshake checks fall through to the usual SSL_R_UNEXPECTED_RECORD codepath. Most of what used to be a special-case falls out naturally. (If half of Finished was in the same record as the pre-CCS message, that part of the handshake record would have been left unconsumed, so read_change_cipher_spec would have noticed, just like read_app_data would have noticed.) Change-Id: I15c7501afe523d5062f0e24a3b65f053008d87be Reviewed-on: https://boringssl-review.googlesource.com/6642 Reviewed-by: Adam Langley <agl@google.com>
2015-11-26 07:16:49 +00:00
ssl3_read_change_cipher_spec,
Split ssl_read_bytes hook into app_data and close_notify hooks. This still needs significant work, especially the close_notify half, but clarify the interface and get *_read_bytes out of SSL_PROTOCOL_METHOD. read_bytes is an implementation detail of those two and get_message rather than both an implementation detail of get_message for handshake and a (wholly inappropriate) exposed interface for the other two. BUG=468889 Change-Id: I7dd23869e0b7c3532ceb2e9dd31ca25ea31128e7 Reviewed-on: https://boringssl-review.googlesource.com/4956 Reviewed-by: Adam Langley <agl@google.com>
2015-05-30 21:22:10 +01:00
ssl3_read_close_notify,
Switch the ssl_write_bytes hook to ssl_write_app_data. The SSL_PROTOCOL_METHOD table needs work, but this makes it clearer exactly what the shared interface between the upper later and TLS/DTLS is. BUG=468889 Change-Id: I38931c484aa4ab3f77964d708d38bfd349fac293 Reviewed-on: https://boringssl-review.googlesource.com/4955 Reviewed-by: Adam Langley <agl@google.com>
2015-05-30 21:14:58 +01:00
ssl3_write_app_data,
Merge SSLv23_method and DTLS_ANY_VERSION. This makes SSLv23_method go through DTLS_ANY_VERSION's version negotiation logic. This allows us to get rid of duplicate ClientHello logic. For compatibility, SSL_METHOD is now split into SSL_PROTOCOL_METHOD and a version. The legacy version-locked methods set min_version and max_version based this version field to emulate the original semantics. As a bonus, we can now handle fragmented ClientHello versions now. Because SSLv23_method is a silly name, deprecate that too and introduce TLS_method. Change-Id: I8b3df2b427ae34c44ecf972f466ad64dc3dbb171
2014-12-12 20:55:27 +00:00
ssl3_dispatch_alert,
Further tidy up cipher logic. With SSL2 gone, there's no need for this split between the abstract cipher framework and ciphers. Put the cipher suite table in ssl_cipher.c and move other SSL_CIPHER logic there. With that gone, prune the cipher-related hooks in SSL_PROTOCOL_METHOD. BUG=468889 Change-Id: I48579de8bc4c0ea52781ba1b7b57bc5b4919d21c Reviewed-on: https://boringssl-review.googlesource.com/4961 Reviewed-by: Adam Langley <agl@google.com>
2015-05-30 22:03:14 +01:00
ssl3_supports_cipher,
Disconnect handshake message creation from init_buf. This allows us to use CBB for all handshake messages. Now, SSL_PROTOCOL_METHOD is responsible for implementing a trio of CBB-related hooks to assemble handshake messages. Change-Id: I144d3cac4f05b6637bf45d3f838673fc5c854405 Reviewed-on: https://boringssl-review.googlesource.com/8440 Reviewed-by: Adam Langley <agl@google.com>
2016-06-17 23:48:29 +01:00
ssl3_init_message,
ssl3_finish_message,
Splitting finish_message to finish_message/queue_message. This is to allow for PSK binders to be munged into the ClientHello as part of draft 18. BUG=112 Change-Id: Ic4fd3b70fa45669389b6aaf55e61d5839f296748 Reviewed-on: https://boringssl-review.googlesource.com/12228 Reviewed-by: David Benjamin <davidben@google.com> Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2016-11-12 03:23:25 +00:00
ssl3_queue_message,
Disconnect handshake message creation from init_buf. This allows us to use CBB for all handshake messages. Now, SSL_PROTOCOL_METHOD is responsible for implementing a trio of CBB-related hooks to assemble handshake messages. Change-Id: I144d3cac4f05b6637bf45d3f838673fc5c854405 Reviewed-on: https://boringssl-review.googlesource.com/8440 Reviewed-by: Adam Langley <agl@google.com>
2016-06-17 23:48:29 +01:00
ssl3_write_message,
Fold the DTLS client handshake into the TLS one. Change-Id: Ib8b1c646cf1652ee1481fe73589830be8263fc20 Reviewed-on: https://boringssl-review.googlesource.com/8182 Reviewed-by: David Benjamin <davidben@google.com>
2016-06-07 21:40:46 +01:00
ssl3_send_change_cipher_spec,
ssl3_expect_flight,
ssl3_received_flight,
Check for buffered handshake messages on cipher change in DTLS. This is the equivalent of FragmentAcrossChangeCipherSuite for DTLS. It is possible for us to, while receiving pre-CCS handshake messages, to buffer up a message with sequence number meant for a post-CCS Finished. When we then get to the new epoch and attempt to read the Finished, we will process the buffered Finished although it was sent with the wrong encryption. Move ssl_set_{read,write}_state to SSL_PROTOCOL_METHOD hooks as this is a property of the transport. Notably, read_state may fail. In DTLS check the handshake buffer size. We could place this check in read_change_cipher_spec, but TLS 1.3 has no ChangeCipherSpec message, so we will need to implement this at the cipher change point anyway. (For now, there is only an assert on the TLS side. This will be replaced with a proper check in TLS 1.3.) Change-Id: Ia52b0b81e7db53e9ed2d4f6d334a1cce13e93297 Reviewed-on: https://boringssl-review.googlesource.com/8790 Reviewed-by: Steven Valdez <svaldez@google.com> Reviewed-by: David Benjamin <davidben@google.com> Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2016-07-15 04:10:43 +01:00
ssl3_set_read_state,
ssl3_set_write_state,
Merge SSLv23_method and DTLS_ANY_VERSION. This makes SSLv23_method go through DTLS_ANY_VERSION's version negotiation logic. This allows us to get rid of duplicate ClientHello logic. For compatibility, SSL_METHOD is now split into SSL_PROTOCOL_METHOD and a version. The legacy version-locked methods set min_version and max_version based this version field to emulate the original semantics. As a bonus, we can now handle fragmented ClientHello versions now. Because SSLv23_method is a silly name, deprecate that too and introduce TLS_method. Change-Id: I8b3df2b427ae34c44ecf972f466ad64dc3dbb171
2014-12-12 20:55:27 +00:00
};
const SSL_METHOD *TLS_method(void) {
Rename (s3,d1)_meth.c. These are where the DTLS- and TLS-specific transport layer hooks will be defined. Later we can probably move much of the implementations of these hooks into these files so those functions can be static. While I'm here, fix up the naming of some constants. Change-Id: I1009dd9fdc3cc4fd49fbff0802f6289931abec3d Reviewed-on: https://boringssl-review.googlesource.com/8665 Reviewed-by: Steven Valdez <svaldez@google.com> Reviewed-by: David Benjamin <davidben@google.com>
2016-07-08 17:05:45 +01:00
static const SSL_METHOD kMethod = {
Merge SSLv23_method and DTLS_ANY_VERSION. This makes SSLv23_method go through DTLS_ANY_VERSION's version negotiation logic. This allows us to get rid of duplicate ClientHello logic. For compatibility, SSL_METHOD is now split into SSL_PROTOCOL_METHOD and a version. The legacy version-locked methods set min_version and max_version based this version field to emulate the original semantics. As a bonus, we can now handle fragmented ClientHello versions now. Because SSLv23_method is a silly name, deprecate that too and introduce TLS_method. Change-Id: I8b3df2b427ae34c44ecf972f466ad64dc3dbb171
2014-12-12 20:55:27 +00:00
0,
Rename (s3,d1)_meth.c. These are where the DTLS- and TLS-specific transport layer hooks will be defined. Later we can probably move much of the implementations of these hooks into these files so those functions can be static. While I'm here, fix up the naming of some constants. Change-Id: I1009dd9fdc3cc4fd49fbff0802f6289931abec3d Reviewed-on: https://boringssl-review.googlesource.com/8665 Reviewed-by: Steven Valdez <svaldez@google.com> Reviewed-by: David Benjamin <davidben@google.com>
2016-07-08 17:05:45 +01:00
&kTLSProtocolMethod,
Merge SSLv23_method and DTLS_ANY_VERSION. This makes SSLv23_method go through DTLS_ANY_VERSION's version negotiation logic. This allows us to get rid of duplicate ClientHello logic. For compatibility, SSL_METHOD is now split into SSL_PROTOCOL_METHOD and a version. The legacy version-locked methods set min_version and max_version based this version field to emulate the original semantics. As a bonus, we can now handle fragmented ClientHello versions now. Because SSLv23_method is a silly name, deprecate that too and introduce TLS_method. Change-Id: I8b3df2b427ae34c44ecf972f466ad64dc3dbb171
2014-12-12 20:55:27 +00:00
};
Rename (s3,d1)_meth.c. These are where the DTLS- and TLS-specific transport layer hooks will be defined. Later we can probably move much of the implementations of these hooks into these files so those functions can be static. While I'm here, fix up the naming of some constants. Change-Id: I1009dd9fdc3cc4fd49fbff0802f6289931abec3d Reviewed-on: https://boringssl-review.googlesource.com/8665 Reviewed-by: Steven Valdez <svaldez@google.com> Reviewed-by: David Benjamin <davidben@google.com>
2016-07-08 17:05:45 +01:00
return &kMethod;
Merge SSLv23_method and DTLS_ANY_VERSION. This makes SSLv23_method go through DTLS_ANY_VERSION's version negotiation logic. This allows us to get rid of duplicate ClientHello logic. For compatibility, SSL_METHOD is now split into SSL_PROTOCOL_METHOD and a version. The legacy version-locked methods set min_version and max_version based this version field to emulate the original semantics. As a bonus, we can now handle fragmented ClientHello versions now. Because SSLv23_method is a silly name, deprecate that too and introduce TLS_method. Change-Id: I8b3df2b427ae34c44ecf972f466ad64dc3dbb171
2014-12-12 20:55:27 +00:00
}
const SSL_METHOD *SSLv23_method(void) {
return TLS_method();
}
/* Legacy version-locked methods. */
const SSL_METHOD *TLSv1_2_method(void) {
Rename (s3,d1)_meth.c. These are where the DTLS- and TLS-specific transport layer hooks will be defined. Later we can probably move much of the implementations of these hooks into these files so those functions can be static. While I'm here, fix up the naming of some constants. Change-Id: I1009dd9fdc3cc4fd49fbff0802f6289931abec3d Reviewed-on: https://boringssl-review.googlesource.com/8665 Reviewed-by: Steven Valdez <svaldez@google.com> Reviewed-by: David Benjamin <davidben@google.com>
2016-07-08 17:05:45 +01:00
static const SSL_METHOD kMethod = {
Merge SSLv23_method and DTLS_ANY_VERSION. This makes SSLv23_method go through DTLS_ANY_VERSION's version negotiation logic. This allows us to get rid of duplicate ClientHello logic. For compatibility, SSL_METHOD is now split into SSL_PROTOCOL_METHOD and a version. The legacy version-locked methods set min_version and max_version based this version field to emulate the original semantics. As a bonus, we can now handle fragmented ClientHello versions now. Because SSLv23_method is a silly name, deprecate that too and introduce TLS_method. Change-Id: I8b3df2b427ae34c44ecf972f466ad64dc3dbb171
2014-12-12 20:55:27 +00:00
TLS1_2_VERSION,
Rename (s3,d1)_meth.c. These are where the DTLS- and TLS-specific transport layer hooks will be defined. Later we can probably move much of the implementations of these hooks into these files so those functions can be static. While I'm here, fix up the naming of some constants. Change-Id: I1009dd9fdc3cc4fd49fbff0802f6289931abec3d Reviewed-on: https://boringssl-review.googlesource.com/8665 Reviewed-by: Steven Valdez <svaldez@google.com> Reviewed-by: David Benjamin <davidben@google.com>
2016-07-08 17:05:45 +01:00
&kTLSProtocolMethod,
Merge SSLv23_method and DTLS_ANY_VERSION. This makes SSLv23_method go through DTLS_ANY_VERSION's version negotiation logic. This allows us to get rid of duplicate ClientHello logic. For compatibility, SSL_METHOD is now split into SSL_PROTOCOL_METHOD and a version. The legacy version-locked methods set min_version and max_version based this version field to emulate the original semantics. As a bonus, we can now handle fragmented ClientHello versions now. Because SSLv23_method is a silly name, deprecate that too and introduce TLS_method. Change-Id: I8b3df2b427ae34c44ecf972f466ad64dc3dbb171
2014-12-12 20:55:27 +00:00
};
Rename (s3,d1)_meth.c. These are where the DTLS- and TLS-specific transport layer hooks will be defined. Later we can probably move much of the implementations of these hooks into these files so those functions can be static. While I'm here, fix up the naming of some constants. Change-Id: I1009dd9fdc3cc4fd49fbff0802f6289931abec3d Reviewed-on: https://boringssl-review.googlesource.com/8665 Reviewed-by: Steven Valdez <svaldez@google.com> Reviewed-by: David Benjamin <davidben@google.com>
2016-07-08 17:05:45 +01:00
return &kMethod;
Merge SSLv23_method and DTLS_ANY_VERSION. This makes SSLv23_method go through DTLS_ANY_VERSION's version negotiation logic. This allows us to get rid of duplicate ClientHello logic. For compatibility, SSL_METHOD is now split into SSL_PROTOCOL_METHOD and a version. The legacy version-locked methods set min_version and max_version based this version field to emulate the original semantics. As a bonus, we can now handle fragmented ClientHello versions now. Because SSLv23_method is a silly name, deprecate that too and introduce TLS_method. Change-Id: I8b3df2b427ae34c44ecf972f466ad64dc3dbb171
2014-12-12 20:55:27 +00:00
}
const SSL_METHOD *TLSv1_1_method(void) {
Rename (s3,d1)_meth.c. These are where the DTLS- and TLS-specific transport layer hooks will be defined. Later we can probably move much of the implementations of these hooks into these files so those functions can be static. While I'm here, fix up the naming of some constants. Change-Id: I1009dd9fdc3cc4fd49fbff0802f6289931abec3d Reviewed-on: https://boringssl-review.googlesource.com/8665 Reviewed-by: Steven Valdez <svaldez@google.com> Reviewed-by: David Benjamin <davidben@google.com>
2016-07-08 17:05:45 +01:00
static const SSL_METHOD kMethod = {
Merge SSLv23_method and DTLS_ANY_VERSION. This makes SSLv23_method go through DTLS_ANY_VERSION's version negotiation logic. This allows us to get rid of duplicate ClientHello logic. For compatibility, SSL_METHOD is now split into SSL_PROTOCOL_METHOD and a version. The legacy version-locked methods set min_version and max_version based this version field to emulate the original semantics. As a bonus, we can now handle fragmented ClientHello versions now. Because SSLv23_method is a silly name, deprecate that too and introduce TLS_method. Change-Id: I8b3df2b427ae34c44ecf972f466ad64dc3dbb171
2014-12-12 20:55:27 +00:00
TLS1_1_VERSION,
Rename (s3,d1)_meth.c. These are where the DTLS- and TLS-specific transport layer hooks will be defined. Later we can probably move much of the implementations of these hooks into these files so those functions can be static. While I'm here, fix up the naming of some constants. Change-Id: I1009dd9fdc3cc4fd49fbff0802f6289931abec3d Reviewed-on: https://boringssl-review.googlesource.com/8665 Reviewed-by: Steven Valdez <svaldez@google.com> Reviewed-by: David Benjamin <davidben@google.com>
2016-07-08 17:05:45 +01:00
&kTLSProtocolMethod,
Merge SSLv23_method and DTLS_ANY_VERSION. This makes SSLv23_method go through DTLS_ANY_VERSION's version negotiation logic. This allows us to get rid of duplicate ClientHello logic. For compatibility, SSL_METHOD is now split into SSL_PROTOCOL_METHOD and a version. The legacy version-locked methods set min_version and max_version based this version field to emulate the original semantics. As a bonus, we can now handle fragmented ClientHello versions now. Because SSLv23_method is a silly name, deprecate that too and introduce TLS_method. Change-Id: I8b3df2b427ae34c44ecf972f466ad64dc3dbb171
2014-12-12 20:55:27 +00:00
};
Rename (s3,d1)_meth.c. These are where the DTLS- and TLS-specific transport layer hooks will be defined. Later we can probably move much of the implementations of these hooks into these files so those functions can be static. While I'm here, fix up the naming of some constants. Change-Id: I1009dd9fdc3cc4fd49fbff0802f6289931abec3d Reviewed-on: https://boringssl-review.googlesource.com/8665 Reviewed-by: Steven Valdez <svaldez@google.com> Reviewed-by: David Benjamin <davidben@google.com>
2016-07-08 17:05:45 +01:00
return &kMethod;
Merge SSLv23_method and DTLS_ANY_VERSION. This makes SSLv23_method go through DTLS_ANY_VERSION's version negotiation logic. This allows us to get rid of duplicate ClientHello logic. For compatibility, SSL_METHOD is now split into SSL_PROTOCOL_METHOD and a version. The legacy version-locked methods set min_version and max_version based this version field to emulate the original semantics. As a bonus, we can now handle fragmented ClientHello versions now. Because SSLv23_method is a silly name, deprecate that too and introduce TLS_method. Change-Id: I8b3df2b427ae34c44ecf972f466ad64dc3dbb171
2014-12-12 20:55:27 +00:00
}
const SSL_METHOD *TLSv1_method(void) {
Rename (s3,d1)_meth.c. These are where the DTLS- and TLS-specific transport layer hooks will be defined. Later we can probably move much of the implementations of these hooks into these files so those functions can be static. While I'm here, fix up the naming of some constants. Change-Id: I1009dd9fdc3cc4fd49fbff0802f6289931abec3d Reviewed-on: https://boringssl-review.googlesource.com/8665 Reviewed-by: Steven Valdez <svaldez@google.com> Reviewed-by: David Benjamin <davidben@google.com>
2016-07-08 17:05:45 +01:00
static const SSL_METHOD kMethod = {
Merge SSLv23_method and DTLS_ANY_VERSION. This makes SSLv23_method go through DTLS_ANY_VERSION's version negotiation logic. This allows us to get rid of duplicate ClientHello logic. For compatibility, SSL_METHOD is now split into SSL_PROTOCOL_METHOD and a version. The legacy version-locked methods set min_version and max_version based this version field to emulate the original semantics. As a bonus, we can now handle fragmented ClientHello versions now. Because SSLv23_method is a silly name, deprecate that too and introduce TLS_method. Change-Id: I8b3df2b427ae34c44ecf972f466ad64dc3dbb171
2014-12-12 20:55:27 +00:00
TLS1_VERSION,
Rename (s3,d1)_meth.c. These are where the DTLS- and TLS-specific transport layer hooks will be defined. Later we can probably move much of the implementations of these hooks into these files so those functions can be static. While I'm here, fix up the naming of some constants. Change-Id: I1009dd9fdc3cc4fd49fbff0802f6289931abec3d Reviewed-on: https://boringssl-review.googlesource.com/8665 Reviewed-by: Steven Valdez <svaldez@google.com> Reviewed-by: David Benjamin <davidben@google.com>
2016-07-08 17:05:45 +01:00
&kTLSProtocolMethod,
Merge SSLv23_method and DTLS_ANY_VERSION. This makes SSLv23_method go through DTLS_ANY_VERSION's version negotiation logic. This allows us to get rid of duplicate ClientHello logic. For compatibility, SSL_METHOD is now split into SSL_PROTOCOL_METHOD and a version. The legacy version-locked methods set min_version and max_version based this version field to emulate the original semantics. As a bonus, we can now handle fragmented ClientHello versions now. Because SSLv23_method is a silly name, deprecate that too and introduce TLS_method. Change-Id: I8b3df2b427ae34c44ecf972f466ad64dc3dbb171
2014-12-12 20:55:27 +00:00
};
Rename (s3,d1)_meth.c. These are where the DTLS- and TLS-specific transport layer hooks will be defined. Later we can probably move much of the implementations of these hooks into these files so those functions can be static. While I'm here, fix up the naming of some constants. Change-Id: I1009dd9fdc3cc4fd49fbff0802f6289931abec3d Reviewed-on: https://boringssl-review.googlesource.com/8665 Reviewed-by: Steven Valdez <svaldez@google.com> Reviewed-by: David Benjamin <davidben@google.com>
2016-07-08 17:05:45 +01:00
return &kMethod;
Merge SSLv23_method and DTLS_ANY_VERSION. This makes SSLv23_method go through DTLS_ANY_VERSION's version negotiation logic. This allows us to get rid of duplicate ClientHello logic. For compatibility, SSL_METHOD is now split into SSL_PROTOCOL_METHOD and a version. The legacy version-locked methods set min_version and max_version based this version field to emulate the original semantics. As a bonus, we can now handle fragmented ClientHello versions now. Because SSLv23_method is a silly name, deprecate that too and introduce TLS_method. Change-Id: I8b3df2b427ae34c44ecf972f466ad64dc3dbb171
2014-12-12 20:55:27 +00:00
}
const SSL_METHOD *SSLv3_method(void) {
Rename (s3,d1)_meth.c. These are where the DTLS- and TLS-specific transport layer hooks will be defined. Later we can probably move much of the implementations of these hooks into these files so those functions can be static. While I'm here, fix up the naming of some constants. Change-Id: I1009dd9fdc3cc4fd49fbff0802f6289931abec3d Reviewed-on: https://boringssl-review.googlesource.com/8665 Reviewed-by: Steven Valdez <svaldez@google.com> Reviewed-by: David Benjamin <davidben@google.com>
2016-07-08 17:05:45 +01:00
static const SSL_METHOD kMethod = {
Merge SSLv23_method and DTLS_ANY_VERSION. This makes SSLv23_method go through DTLS_ANY_VERSION's version negotiation logic. This allows us to get rid of duplicate ClientHello logic. For compatibility, SSL_METHOD is now split into SSL_PROTOCOL_METHOD and a version. The legacy version-locked methods set min_version and max_version based this version field to emulate the original semantics. As a bonus, we can now handle fragmented ClientHello versions now. Because SSLv23_method is a silly name, deprecate that too and introduce TLS_method. Change-Id: I8b3df2b427ae34c44ecf972f466ad64dc3dbb171
2014-12-12 20:55:27 +00:00
SSL3_VERSION,
Rename (s3,d1)_meth.c. These are where the DTLS- and TLS-specific transport layer hooks will be defined. Later we can probably move much of the implementations of these hooks into these files so those functions can be static. While I'm here, fix up the naming of some constants. Change-Id: I1009dd9fdc3cc4fd49fbff0802f6289931abec3d Reviewed-on: https://boringssl-review.googlesource.com/8665 Reviewed-by: Steven Valdez <svaldez@google.com> Reviewed-by: David Benjamin <davidben@google.com>
2016-07-08 17:05:45 +01:00
&kTLSProtocolMethod,
Merge SSLv23_method and DTLS_ANY_VERSION. This makes SSLv23_method go through DTLS_ANY_VERSION's version negotiation logic. This allows us to get rid of duplicate ClientHello logic. For compatibility, SSL_METHOD is now split into SSL_PROTOCOL_METHOD and a version. The legacy version-locked methods set min_version and max_version based this version field to emulate the original semantics. As a bonus, we can now handle fragmented ClientHello versions now. Because SSLv23_method is a silly name, deprecate that too and introduce TLS_method. Change-Id: I8b3df2b427ae34c44ecf972f466ad64dc3dbb171
2014-12-12 20:55:27 +00:00
};
Rename (s3,d1)_meth.c. These are where the DTLS- and TLS-specific transport layer hooks will be defined. Later we can probably move much of the implementations of these hooks into these files so those functions can be static. While I'm here, fix up the naming of some constants. Change-Id: I1009dd9fdc3cc4fd49fbff0802f6289931abec3d Reviewed-on: https://boringssl-review.googlesource.com/8665 Reviewed-by: Steven Valdez <svaldez@google.com> Reviewed-by: David Benjamin <davidben@google.com>
2016-07-08 17:05:45 +01:00
return &kMethod;
Merge SSLv23_method and DTLS_ANY_VERSION. This makes SSLv23_method go through DTLS_ANY_VERSION's version negotiation logic. This allows us to get rid of duplicate ClientHello logic. For compatibility, SSL_METHOD is now split into SSL_PROTOCOL_METHOD and a version. The legacy version-locked methods set min_version and max_version based this version field to emulate the original semantics. As a bonus, we can now handle fragmented ClientHello versions now. Because SSLv23_method is a silly name, deprecate that too and introduce TLS_method. Change-Id: I8b3df2b427ae34c44ecf972f466ad64dc3dbb171
2014-12-12 20:55:27 +00:00
}
Merge the get_ssl_method hooks between TLS and SSLv3. Remove one more difference to worry about switching between TLS and SSLv3 method tables. Although this does change the get_ssl_method hook for the version-specific tables (before TLS and SSLv3 would be somewhat partitioned), it does not appear to do anything. get_ssl_method is only ever called in SSL_set_session for client session resumption. Either you're using the version-specific method tables and don't know about other versions anyway or you're using SSLv23 and don't partition TLS vs SSL3 anyway. BUG=chromium:403378 Change-Id: I8cbdf02847653a01b04dbbcaf61fcb3fa4753a99 Reviewed-on: https://boringssl-review.googlesource.com/1842 Reviewed-by: Adam Langley <agl@google.com>
2014-09-24 21:27:30 +01:00
Merge SSLv23_method and DTLS_ANY_VERSION. This makes SSLv23_method go through DTLS_ANY_VERSION's version negotiation logic. This allows us to get rid of duplicate ClientHello logic. For compatibility, SSL_METHOD is now split into SSL_PROTOCOL_METHOD and a version. The legacy version-locked methods set min_version and max_version based this version field to emulate the original semantics. As a bonus, we can now handle fragmented ClientHello versions now. Because SSLv23_method is a silly name, deprecate that too and introduce TLS_method. Change-Id: I8b3df2b427ae34c44ecf972f466ad64dc3dbb171
2014-12-12 20:55:27 +00:00
/* Legacy side-specific methods. */
Merge the get_ssl_method hooks between TLS and SSLv3. Remove one more difference to worry about switching between TLS and SSLv3 method tables. Although this does change the get_ssl_method hook for the version-specific tables (before TLS and SSLv3 would be somewhat partitioned), it does not appear to do anything. get_ssl_method is only ever called in SSL_set_session for client session resumption. Either you're using the version-specific method tables and don't know about other versions anyway or you're using SSLv23 and don't partition TLS vs SSL3 anyway. BUG=chromium:403378 Change-Id: I8cbdf02847653a01b04dbbcaf61fcb3fa4753a99 Reviewed-on: https://boringssl-review.googlesource.com/1842 Reviewed-by: Adam Langley <agl@google.com>
2014-09-24 21:27:30 +01:00
Merge SSLv23_method and DTLS_ANY_VERSION. This makes SSLv23_method go through DTLS_ANY_VERSION's version negotiation logic. This allows us to get rid of duplicate ClientHello logic. For compatibility, SSL_METHOD is now split into SSL_PROTOCOL_METHOD and a version. The legacy version-locked methods set min_version and max_version based this version field to emulate the original semantics. As a bonus, we can now handle fragmented ClientHello versions now. Because SSLv23_method is a silly name, deprecate that too and introduce TLS_method. Change-Id: I8b3df2b427ae34c44ecf972f466ad64dc3dbb171
2014-12-12 20:55:27 +00:00
const SSL_METHOD *TLSv1_2_server_method(void) {
return TLSv1_2_method();
}
Merge the get_ssl_method hooks between TLS and SSLv3. Remove one more difference to worry about switching between TLS and SSLv3 method tables. Although this does change the get_ssl_method hook for the version-specific tables (before TLS and SSLv3 would be somewhat partitioned), it does not appear to do anything. get_ssl_method is only ever called in SSL_set_session for client session resumption. Either you're using the version-specific method tables and don't know about other versions anyway or you're using SSLv23 and don't partition TLS vs SSL3 anyway. BUG=chromium:403378 Change-Id: I8cbdf02847653a01b04dbbcaf61fcb3fa4753a99 Reviewed-on: https://boringssl-review.googlesource.com/1842 Reviewed-by: Adam Langley <agl@google.com>
2014-09-24 21:27:30 +01:00
Merge SSLv23_method and DTLS_ANY_VERSION. This makes SSLv23_method go through DTLS_ANY_VERSION's version negotiation logic. This allows us to get rid of duplicate ClientHello logic. For compatibility, SSL_METHOD is now split into SSL_PROTOCOL_METHOD and a version. The legacy version-locked methods set min_version and max_version based this version field to emulate the original semantics. As a bonus, we can now handle fragmented ClientHello versions now. Because SSLv23_method is a silly name, deprecate that too and introduce TLS_method. Change-Id: I8b3df2b427ae34c44ecf972f466ad64dc3dbb171
2014-12-12 20:55:27 +00:00
const SSL_METHOD *TLSv1_1_server_method(void) {
return TLSv1_1_method();
}
Merge client/server SSL_METHODs into the generic one. Supporting both schemes seems pointless. Now that s->server and s->state are set appropriately late and get_ssl_method is gone, the only difference is that the client/server ones have non-functional ssl_accept or ssl_connect hooks. We can't lose the generic ones, so let's unify on that. Note: this means a static linker will no longer drop the client or server handshake code if unused by a consumer linking statically. However, Chromium needs the server half anyway for DTLS and WebRTC, so that's probably a lost cause. Android also exposes server APIs. Change-Id: I290f5fb4ed558f59fadb5d1f84e9d9c405004c23 Reviewed-on: https://boringssl-review.googlesource.com/2440 Reviewed-by: Adam Langley <agl@google.com>
2014-11-23 20:47:20 +00:00
Merge SSLv23_method and DTLS_ANY_VERSION. This makes SSLv23_method go through DTLS_ANY_VERSION's version negotiation logic. This allows us to get rid of duplicate ClientHello logic. For compatibility, SSL_METHOD is now split into SSL_PROTOCOL_METHOD and a version. The legacy version-locked methods set min_version and max_version based this version field to emulate the original semantics. As a bonus, we can now handle fragmented ClientHello versions now. Because SSLv23_method is a silly name, deprecate that too and introduce TLS_method. Change-Id: I8b3df2b427ae34c44ecf972f466ad64dc3dbb171
2014-12-12 20:55:27 +00:00
const SSL_METHOD *TLSv1_server_method(void) {
return TLSv1_method();
}
Merge client/server SSL_METHODs into the generic one. Supporting both schemes seems pointless. Now that s->server and s->state are set appropriately late and get_ssl_method is gone, the only difference is that the client/server ones have non-functional ssl_accept or ssl_connect hooks. We can't lose the generic ones, so let's unify on that. Note: this means a static linker will no longer drop the client or server handshake code if unused by a consumer linking statically. However, Chromium needs the server half anyway for DTLS and WebRTC, so that's probably a lost cause. Android also exposes server APIs. Change-Id: I290f5fb4ed558f59fadb5d1f84e9d9c405004c23 Reviewed-on: https://boringssl-review.googlesource.com/2440 Reviewed-by: Adam Langley <agl@google.com>
2014-11-23 20:47:20 +00:00
Merge SSLv23_method and DTLS_ANY_VERSION. This makes SSLv23_method go through DTLS_ANY_VERSION's version negotiation logic. This allows us to get rid of duplicate ClientHello logic. For compatibility, SSL_METHOD is now split into SSL_PROTOCOL_METHOD and a version. The legacy version-locked methods set min_version and max_version based this version field to emulate the original semantics. As a bonus, we can now handle fragmented ClientHello versions now. Because SSLv23_method is a silly name, deprecate that too and introduce TLS_method. Change-Id: I8b3df2b427ae34c44ecf972f466ad64dc3dbb171
2014-12-12 20:55:27 +00:00
const SSL_METHOD *SSLv3_server_method(void) {
return SSLv3_method();
}
Merge client/server SSL_METHODs into the generic one. Supporting both schemes seems pointless. Now that s->server and s->state are set appropriately late and get_ssl_method is gone, the only difference is that the client/server ones have non-functional ssl_accept or ssl_connect hooks. We can't lose the generic ones, so let's unify on that. Note: this means a static linker will no longer drop the client or server handshake code if unused by a consumer linking statically. However, Chromium needs the server half anyway for DTLS and WebRTC, so that's probably a lost cause. Android also exposes server APIs. Change-Id: I290f5fb4ed558f59fadb5d1f84e9d9c405004c23 Reviewed-on: https://boringssl-review.googlesource.com/2440 Reviewed-by: Adam Langley <agl@google.com>
2014-11-23 20:47:20 +00:00
Merge SSLv23_method and DTLS_ANY_VERSION. This makes SSLv23_method go through DTLS_ANY_VERSION's version negotiation logic. This allows us to get rid of duplicate ClientHello logic. For compatibility, SSL_METHOD is now split into SSL_PROTOCOL_METHOD and a version. The legacy version-locked methods set min_version and max_version based this version field to emulate the original semantics. As a bonus, we can now handle fragmented ClientHello versions now. Because SSLv23_method is a silly name, deprecate that too and introduce TLS_method. Change-Id: I8b3df2b427ae34c44ecf972f466ad64dc3dbb171
2014-12-12 20:55:27 +00:00
const SSL_METHOD *TLSv1_2_client_method(void) {
return TLSv1_2_method();
}
Merge client/server SSL_METHODs into the generic one. Supporting both schemes seems pointless. Now that s->server and s->state are set appropriately late and get_ssl_method is gone, the only difference is that the client/server ones have non-functional ssl_accept or ssl_connect hooks. We can't lose the generic ones, so let's unify on that. Note: this means a static linker will no longer drop the client or server handshake code if unused by a consumer linking statically. However, Chromium needs the server half anyway for DTLS and WebRTC, so that's probably a lost cause. Android also exposes server APIs. Change-Id: I290f5fb4ed558f59fadb5d1f84e9d9c405004c23 Reviewed-on: https://boringssl-review.googlesource.com/2440 Reviewed-by: Adam Langley <agl@google.com>
2014-11-23 20:47:20 +00:00
Merge SSLv23_method and DTLS_ANY_VERSION. This makes SSLv23_method go through DTLS_ANY_VERSION's version negotiation logic. This allows us to get rid of duplicate ClientHello logic. For compatibility, SSL_METHOD is now split into SSL_PROTOCOL_METHOD and a version. The legacy version-locked methods set min_version and max_version based this version field to emulate the original semantics. As a bonus, we can now handle fragmented ClientHello versions now. Because SSLv23_method is a silly name, deprecate that too and introduce TLS_method. Change-Id: I8b3df2b427ae34c44ecf972f466ad64dc3dbb171
2014-12-12 20:55:27 +00:00
const SSL_METHOD *TLSv1_1_client_method(void) {
return TLSv1_1_method();
}
Merge client/server SSL_METHODs into the generic one. Supporting both schemes seems pointless. Now that s->server and s->state are set appropriately late and get_ssl_method is gone, the only difference is that the client/server ones have non-functional ssl_accept or ssl_connect hooks. We can't lose the generic ones, so let's unify on that. Note: this means a static linker will no longer drop the client or server handshake code if unused by a consumer linking statically. However, Chromium needs the server half anyway for DTLS and WebRTC, so that's probably a lost cause. Android also exposes server APIs. Change-Id: I290f5fb4ed558f59fadb5d1f84e9d9c405004c23 Reviewed-on: https://boringssl-review.googlesource.com/2440 Reviewed-by: Adam Langley <agl@google.com>
2014-11-23 20:47:20 +00:00
Merge SSLv23_method and DTLS_ANY_VERSION. This makes SSLv23_method go through DTLS_ANY_VERSION's version negotiation logic. This allows us to get rid of duplicate ClientHello logic. For compatibility, SSL_METHOD is now split into SSL_PROTOCOL_METHOD and a version. The legacy version-locked methods set min_version and max_version based this version field to emulate the original semantics. As a bonus, we can now handle fragmented ClientHello versions now. Because SSLv23_method is a silly name, deprecate that too and introduce TLS_method. Change-Id: I8b3df2b427ae34c44ecf972f466ad64dc3dbb171
2014-12-12 20:55:27 +00:00
const SSL_METHOD *TLSv1_client_method(void) {
return TLSv1_method();
}
Merge client/server SSL_METHODs into the generic one. Supporting both schemes seems pointless. Now that s->server and s->state are set appropriately late and get_ssl_method is gone, the only difference is that the client/server ones have non-functional ssl_accept or ssl_connect hooks. We can't lose the generic ones, so let's unify on that. Note: this means a static linker will no longer drop the client or server handshake code if unused by a consumer linking statically. However, Chromium needs the server half anyway for DTLS and WebRTC, so that's probably a lost cause. Android also exposes server APIs. Change-Id: I290f5fb4ed558f59fadb5d1f84e9d9c405004c23 Reviewed-on: https://boringssl-review.googlesource.com/2440 Reviewed-by: Adam Langley <agl@google.com>
2014-11-23 20:47:20 +00:00
Merge SSLv23_method and DTLS_ANY_VERSION. This makes SSLv23_method go through DTLS_ANY_VERSION's version negotiation logic. This allows us to get rid of duplicate ClientHello logic. For compatibility, SSL_METHOD is now split into SSL_PROTOCOL_METHOD and a version. The legacy version-locked methods set min_version and max_version based this version field to emulate the original semantics. As a bonus, we can now handle fragmented ClientHello versions now. Because SSLv23_method is a silly name, deprecate that too and introduce TLS_method. Change-Id: I8b3df2b427ae34c44ecf972f466ad64dc3dbb171
2014-12-12 20:55:27 +00:00
const SSL_METHOD *SSLv3_client_method(void) {
return SSLv3_method();
}
Merge client/server SSL_METHODs into the generic one. Supporting both schemes seems pointless. Now that s->server and s->state are set appropriately late and get_ssl_method is gone, the only difference is that the client/server ones have non-functional ssl_accept or ssl_connect hooks. We can't lose the generic ones, so let's unify on that. Note: this means a static linker will no longer drop the client or server handshake code if unused by a consumer linking statically. However, Chromium needs the server half anyway for DTLS and WebRTC, so that's probably a lost cause. Android also exposes server APIs. Change-Id: I290f5fb4ed558f59fadb5d1f84e9d9c405004c23 Reviewed-on: https://boringssl-review.googlesource.com/2440 Reviewed-by: Adam Langley <agl@google.com>
2014-11-23 20:47:20 +00:00
Merge SSLv23_method and DTLS_ANY_VERSION. This makes SSLv23_method go through DTLS_ANY_VERSION's version negotiation logic. This allows us to get rid of duplicate ClientHello logic. For compatibility, SSL_METHOD is now split into SSL_PROTOCOL_METHOD and a version. The legacy version-locked methods set min_version and max_version based this version field to emulate the original semantics. As a bonus, we can now handle fragmented ClientHello versions now. Because SSLv23_method is a silly name, deprecate that too and introduce TLS_method. Change-Id: I8b3df2b427ae34c44ecf972f466ad64dc3dbb171
2014-12-12 20:55:27 +00:00
const SSL_METHOD *SSLv23_server_method(void) {
return SSLv23_method();
}
Merge client/server SSL_METHODs into the generic one. Supporting both schemes seems pointless. Now that s->server and s->state are set appropriately late and get_ssl_method is gone, the only difference is that the client/server ones have non-functional ssl_accept or ssl_connect hooks. We can't lose the generic ones, so let's unify on that. Note: this means a static linker will no longer drop the client or server handshake code if unused by a consumer linking statically. However, Chromium needs the server half anyway for DTLS and WebRTC, so that's probably a lost cause. Android also exposes server APIs. Change-Id: I290f5fb4ed558f59fadb5d1f84e9d9c405004c23 Reviewed-on: https://boringssl-review.googlesource.com/2440 Reviewed-by: Adam Langley <agl@google.com>
2014-11-23 20:47:20 +00:00
Merge SSLv23_method and DTLS_ANY_VERSION. This makes SSLv23_method go through DTLS_ANY_VERSION's version negotiation logic. This allows us to get rid of duplicate ClientHello logic. For compatibility, SSL_METHOD is now split into SSL_PROTOCOL_METHOD and a version. The legacy version-locked methods set min_version and max_version based this version field to emulate the original semantics. As a bonus, we can now handle fragmented ClientHello versions now. Because SSLv23_method is a silly name, deprecate that too and introduce TLS_method. Change-Id: I8b3df2b427ae34c44ecf972f466ad64dc3dbb171
2014-12-12 20:55:27 +00:00
const SSL_METHOD *SSLv23_client_method(void) {
return SSLv23_method();
}
Add TLS_{client,server}_method. Inch towards OpenSSL 1.1.0 compatibility. BUG=91 Change-Id: Ia45b6bdb5114d0891fdffdef0b5868920324ecec Reviewed-on: https://boringssl-review.googlesource.com/9140 Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: Adam Langley <agl@google.com>
2016-08-05 15:41:07 +01:00
const SSL_METHOD *TLS_server_method(void) {
return TLS_method();
}
const SSL_METHOD *TLS_client_method(void) {
return TLS_method();
}
Reference in New Issue Copy Permalink