BUG=6 Change-Id: I463f5daa0bbf0f65269c52da25fa235ee2aa6ffb Reviewed-on: https://boringssl-review.googlesource.com/11240 Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: Adam Langley <agl@google.com>kris/onging/CECPQ3_patch15
@@ -4202,207 +4202,6 @@ struct ssl_st { | |||
int tlsext_status_type; | |||
}; | |||
typedef struct ssl3_record_st { | |||
/* type is the record type. */ | |||
uint8_t type; | |||
/* length is the number of unconsumed bytes in the record. */ | |||
uint16_t length; | |||
/* data is a non-owning pointer to the first unconsumed byte of the record. */ | |||
uint8_t *data; | |||
} SSL3_RECORD; | |||
typedef struct ssl3_buffer_st { | |||
/* buf is the memory allocated for this buffer. */ | |||
uint8_t *buf; | |||
/* offset is the offset into |buf| which the buffer contents start at. */ | |||
uint16_t offset; | |||
/* len is the length of the buffer contents from |buf| + |offset|. */ | |||
uint16_t len; | |||
/* cap is how much memory beyond |buf| + |offset| is available. */ | |||
uint16_t cap; | |||
} SSL3_BUFFER; | |||
/* An ssl_shutdown_t describes the shutdown state of one end of the connection, | |||
* whether it is alive or has been shutdown via close_notify or fatal alert. */ | |||
enum ssl_shutdown_t { | |||
ssl_shutdown_none = 0, | |||
ssl_shutdown_close_notify = 1, | |||
ssl_shutdown_fatal_alert = 2, | |||
}; | |||
typedef struct ssl3_state_st { | |||
uint8_t read_sequence[8]; | |||
uint8_t write_sequence[8]; | |||
uint8_t server_random[SSL3_RANDOM_SIZE]; | |||
uint8_t client_random[SSL3_RANDOM_SIZE]; | |||
/* have_version is true if the connection's final version is known. Otherwise | |||
* the version has not been negotiated yet. */ | |||
unsigned have_version:1; | |||
/* v2_hello_done is true if the peer's V2ClientHello, if any, has been handled | |||
* and future messages should use the record layer. */ | |||
unsigned v2_hello_done:1; | |||
/* initial_handshake_complete is true if the initial handshake has | |||
* completed. */ | |||
unsigned initial_handshake_complete:1; | |||
/* read_buffer holds data from the transport to be processed. */ | |||
SSL3_BUFFER read_buffer; | |||
/* write_buffer holds data to be written to the transport. */ | |||
SSL3_BUFFER write_buffer; | |||
SSL3_RECORD rrec; /* each decoded record goes in here */ | |||
/* partial write - check the numbers match */ | |||
unsigned int wnum; /* number of bytes sent so far */ | |||
int wpend_tot; /* number bytes written */ | |||
int wpend_type; | |||
int wpend_ret; /* number of bytes submitted */ | |||
const uint8_t *wpend_buf; | |||
/* handshake_buffer, if non-NULL, contains the handshake transcript. */ | |||
BUF_MEM *handshake_buffer; | |||
/* handshake_hash, if initialized with an |EVP_MD|, maintains the handshake | |||
* hash. For TLS 1.1 and below, it is the SHA-1 half. */ | |||
EVP_MD_CTX handshake_hash; | |||
/* handshake_md5, if initialized with an |EVP_MD|, maintains the MD5 half of | |||
* the handshake hash for TLS 1.1 and below. */ | |||
EVP_MD_CTX handshake_md5; | |||
/* recv_shutdown is the shutdown state for the receive half of the | |||
* connection. */ | |||
enum ssl_shutdown_t recv_shutdown; | |||
/* recv_shutdown is the shutdown state for the send half of the connection. */ | |||
enum ssl_shutdown_t send_shutdown; | |||
int alert_dispatch; | |||
uint8_t send_alert[2]; | |||
int total_renegotiations; | |||
/* empty_record_count is the number of consecutive empty records received. */ | |||
uint8_t empty_record_count; | |||
/* warning_alert_count is the number of consecutive warning alerts | |||
* received. */ | |||
uint8_t warning_alert_count; | |||
/* key_update_count is the number of consecutive KeyUpdates received. */ | |||
uint8_t key_update_count; | |||
/* aead_read_ctx is the current read cipher state. */ | |||
SSL_AEAD_CTX *aead_read_ctx; | |||
/* aead_write_ctx is the current write cipher state. */ | |||
SSL_AEAD_CTX *aead_write_ctx; | |||
/* enc_method is the method table corresponding to the current protocol | |||
* version. */ | |||
const SSL3_ENC_METHOD *enc_method; | |||
/* pending_message is the current outgoing handshake message. */ | |||
uint8_t *pending_message; | |||
uint32_t pending_message_len; | |||
/* hs is the handshake state for the current handshake or NULL if there isn't | |||
* one. */ | |||
SSL_HANDSHAKE *hs; | |||
uint8_t write_traffic_secret[EVP_MAX_MD_SIZE]; | |||
uint8_t write_traffic_secret_len; | |||
uint8_t read_traffic_secret[EVP_MAX_MD_SIZE]; | |||
uint8_t read_traffic_secret_len; | |||
uint8_t exporter_secret[EVP_MAX_MD_SIZE]; | |||
uint8_t exporter_secret_len; | |||
/* State pertaining to the pending handshake. | |||
* | |||
* TODO(davidben): Move everything not needed after the handshake completes to | |||
* |hs| and remove this. */ | |||
struct { | |||
int message_type; | |||
/* used to hold the new cipher we are going to use */ | |||
const SSL_CIPHER *new_cipher; | |||
/* used when SSL_ST_FLUSH_DATA is entered */ | |||
int next_state; | |||
int reuse_message; | |||
uint8_t *key_block; | |||
uint8_t key_block_length; | |||
uint8_t new_mac_secret_len; | |||
uint8_t new_key_len; | |||
uint8_t new_fixed_iv_len; | |||
/* extended_master_secret indicates whether the extended master secret | |||
* computation is used in this handshake. Note that this is different from | |||
* whether it was used for the current session. If this is a resumption | |||
* handshake then EMS might be negotiated in the client and server hello | |||
* messages, but it doesn't matter if the session that's being resumed | |||
* didn't use it to create the master secret initially. */ | |||
char extended_master_secret; | |||
/* peer_signature_algorithm is the signature algorithm used to authenticate | |||
* the peer, or zero if not applicable. */ | |||
uint16_t peer_signature_algorithm; | |||
} tmp; | |||
/* new_session is the new mutable session being established by the current | |||
* handshake. It should not be cached. */ | |||
SSL_SESSION *new_session; | |||
/* established_session is the session established by the connection. This | |||
* session is only filled upon the completion of the handshake and is | |||
* immutable. */ | |||
SSL_SESSION *established_session; | |||
/* session_reused indicates whether a session was resumed. */ | |||
unsigned session_reused:1; | |||
/* Connection binding to prevent renegotiation attacks */ | |||
uint8_t previous_client_finished[12]; | |||
uint8_t previous_client_finished_len; | |||
uint8_t previous_server_finished[12]; | |||
uint8_t previous_server_finished_len; | |||
int send_connection_binding; | |||
/* Next protocol negotiation. For the client, this is the protocol that we | |||
* sent in NextProtocol and is set when handling ServerHello extensions. | |||
* | |||
* For a server, this is the client's selected_protocol from NextProtocol and | |||
* is set when handling the NextProtocol message, before the Finished | |||
* message. */ | |||
uint8_t *next_proto_negotiated; | |||
size_t next_proto_negotiated_len; | |||
/* ALPN information | |||
* (we are in the process of transitioning from NPN to ALPN.) */ | |||
/* In a server these point to the selected ALPN protocol after the | |||
* ClientHello has been processed. In a client these contain the protocol | |||
* that the server selected once the ServerHello has been processed. */ | |||
uint8_t *alpn_selected; | |||
size_t alpn_selected_len; | |||
/* In a client, this means that the server supported Channel ID and that a | |||
* Channel ID was sent. In a server it means that we echoed support for | |||
* Channel IDs and that tlsext_channel_id will be valid after the | |||
* handshake. */ | |||
char tlsext_channel_id_valid; | |||
/* For a server: | |||
* If |tlsext_channel_id_valid| is true, then this contains the | |||
* verified Channel ID from the client: a P256 point, (x,y), where | |||
* each are big-endian values. */ | |||
uint8_t tlsext_channel_id[64]; | |||
} SSL3_STATE; | |||
/* Nodejs compatibility section (hidden). | |||
* | |||
@@ -1262,6 +1262,207 @@ struct ssl3_enc_method { | |||
int (*final_finish_mac)(SSL *ssl, int from_server, uint8_t *out); | |||
}; | |||
typedef struct ssl3_record_st { | |||
/* type is the record type. */ | |||
uint8_t type; | |||
/* length is the number of unconsumed bytes in the record. */ | |||
uint16_t length; | |||
/* data is a non-owning pointer to the first unconsumed byte of the record. */ | |||
uint8_t *data; | |||
} SSL3_RECORD; | |||
typedef struct ssl3_buffer_st { | |||
/* buf is the memory allocated for this buffer. */ | |||
uint8_t *buf; | |||
/* offset is the offset into |buf| which the buffer contents start at. */ | |||
uint16_t offset; | |||
/* len is the length of the buffer contents from |buf| + |offset|. */ | |||
uint16_t len; | |||
/* cap is how much memory beyond |buf| + |offset| is available. */ | |||
uint16_t cap; | |||
} SSL3_BUFFER; | |||
/* An ssl_shutdown_t describes the shutdown state of one end of the connection, | |||
* whether it is alive or has been shutdown via close_notify or fatal alert. */ | |||
enum ssl_shutdown_t { | |||
ssl_shutdown_none = 0, | |||
ssl_shutdown_close_notify = 1, | |||
ssl_shutdown_fatal_alert = 2, | |||
}; | |||
typedef struct ssl3_state_st { | |||
uint8_t read_sequence[8]; | |||
uint8_t write_sequence[8]; | |||
uint8_t server_random[SSL3_RANDOM_SIZE]; | |||
uint8_t client_random[SSL3_RANDOM_SIZE]; | |||
/* have_version is true if the connection's final version is known. Otherwise | |||
* the version has not been negotiated yet. */ | |||
unsigned have_version:1; | |||
/* v2_hello_done is true if the peer's V2ClientHello, if any, has been handled | |||
* and future messages should use the record layer. */ | |||
unsigned v2_hello_done:1; | |||
/* initial_handshake_complete is true if the initial handshake has | |||
* completed. */ | |||
unsigned initial_handshake_complete:1; | |||
/* read_buffer holds data from the transport to be processed. */ | |||
SSL3_BUFFER read_buffer; | |||
/* write_buffer holds data to be written to the transport. */ | |||
SSL3_BUFFER write_buffer; | |||
SSL3_RECORD rrec; /* each decoded record goes in here */ | |||
/* partial write - check the numbers match */ | |||
unsigned int wnum; /* number of bytes sent so far */ | |||
int wpend_tot; /* number bytes written */ | |||
int wpend_type; | |||
int wpend_ret; /* number of bytes submitted */ | |||
const uint8_t *wpend_buf; | |||
/* handshake_buffer, if non-NULL, contains the handshake transcript. */ | |||
BUF_MEM *handshake_buffer; | |||
/* handshake_hash, if initialized with an |EVP_MD|, maintains the handshake | |||
* hash. For TLS 1.1 and below, it is the SHA-1 half. */ | |||
EVP_MD_CTX handshake_hash; | |||
/* handshake_md5, if initialized with an |EVP_MD|, maintains the MD5 half of | |||
* the handshake hash for TLS 1.1 and below. */ | |||
EVP_MD_CTX handshake_md5; | |||
/* recv_shutdown is the shutdown state for the receive half of the | |||
* connection. */ | |||
enum ssl_shutdown_t recv_shutdown; | |||
/* recv_shutdown is the shutdown state for the send half of the connection. */ | |||
enum ssl_shutdown_t send_shutdown; | |||
int alert_dispatch; | |||
uint8_t send_alert[2]; | |||
int total_renegotiations; | |||
/* empty_record_count is the number of consecutive empty records received. */ | |||
uint8_t empty_record_count; | |||
/* warning_alert_count is the number of consecutive warning alerts | |||
* received. */ | |||
uint8_t warning_alert_count; | |||
/* key_update_count is the number of consecutive KeyUpdates received. */ | |||
uint8_t key_update_count; | |||
/* aead_read_ctx is the current read cipher state. */ | |||
SSL_AEAD_CTX *aead_read_ctx; | |||
/* aead_write_ctx is the current write cipher state. */ | |||
SSL_AEAD_CTX *aead_write_ctx; | |||
/* enc_method is the method table corresponding to the current protocol | |||
* version. */ | |||
const SSL3_ENC_METHOD *enc_method; | |||
/* pending_message is the current outgoing handshake message. */ | |||
uint8_t *pending_message; | |||
uint32_t pending_message_len; | |||
/* hs is the handshake state for the current handshake or NULL if there isn't | |||
* one. */ | |||
SSL_HANDSHAKE *hs; | |||
uint8_t write_traffic_secret[EVP_MAX_MD_SIZE]; | |||
uint8_t write_traffic_secret_len; | |||
uint8_t read_traffic_secret[EVP_MAX_MD_SIZE]; | |||
uint8_t read_traffic_secret_len; | |||
uint8_t exporter_secret[EVP_MAX_MD_SIZE]; | |||
uint8_t exporter_secret_len; | |||
/* State pertaining to the pending handshake. | |||
* | |||
* TODO(davidben): Move everything not needed after the handshake completes to | |||
* |hs| and remove this. */ | |||
struct { | |||
int message_type; | |||
/* used to hold the new cipher we are going to use */ | |||
const SSL_CIPHER *new_cipher; | |||
/* used when SSL_ST_FLUSH_DATA is entered */ | |||
int next_state; | |||
int reuse_message; | |||
uint8_t *key_block; | |||
uint8_t key_block_length; | |||
uint8_t new_mac_secret_len; | |||
uint8_t new_key_len; | |||
uint8_t new_fixed_iv_len; | |||
/* extended_master_secret indicates whether the extended master secret | |||
* computation is used in this handshake. Note that this is different from | |||
* whether it was used for the current session. If this is a resumption | |||
* handshake then EMS might be negotiated in the client and server hello | |||
* messages, but it doesn't matter if the session that's being resumed | |||
* didn't use it to create the master secret initially. */ | |||
char extended_master_secret; | |||
/* peer_signature_algorithm is the signature algorithm used to authenticate | |||
* the peer, or zero if not applicable. */ | |||
uint16_t peer_signature_algorithm; | |||
} tmp; | |||
/* new_session is the new mutable session being established by the current | |||
* handshake. It should not be cached. */ | |||
SSL_SESSION *new_session; | |||
/* established_session is the session established by the connection. This | |||
* session is only filled upon the completion of the handshake and is | |||
* immutable. */ | |||
SSL_SESSION *established_session; | |||
/* session_reused indicates whether a session was resumed. */ | |||
unsigned session_reused:1; | |||
/* Connection binding to prevent renegotiation attacks */ | |||
uint8_t previous_client_finished[12]; | |||
uint8_t previous_client_finished_len; | |||
uint8_t previous_server_finished[12]; | |||
uint8_t previous_server_finished_len; | |||
int send_connection_binding; | |||
/* Next protocol negotiation. For the client, this is the protocol that we | |||
* sent in NextProtocol and is set when handling ServerHello extensions. | |||
* | |||
* For a server, this is the client's selected_protocol from NextProtocol and | |||
* is set when handling the NextProtocol message, before the Finished | |||
* message. */ | |||
uint8_t *next_proto_negotiated; | |||
size_t next_proto_negotiated_len; | |||
/* ALPN information | |||
* (we are in the process of transitioning from NPN to ALPN.) */ | |||
/* In a server these point to the selected ALPN protocol after the | |||
* ClientHello has been processed. In a client these contain the protocol | |||
* that the server selected once the ServerHello has been processed. */ | |||
uint8_t *alpn_selected; | |||
size_t alpn_selected_len; | |||
/* In a client, this means that the server supported Channel ID and that a | |||
* Channel ID was sent. In a server it means that we echoed support for | |||
* Channel IDs and that tlsext_channel_id will be valid after the | |||
* handshake. */ | |||
char tlsext_channel_id_valid; | |||
/* For a server: | |||
* If |tlsext_channel_id_valid| is true, then this contains the | |||
* verified Channel ID from the client: a P256 point, (x,y), where | |||
* each are big-endian values. */ | |||
uint8_t tlsext_channel_id[64]; | |||
} SSL3_STATE; | |||
/* lengths of messages */ | |||
#define DTLS1_COOKIE_LENGTH 256 | |||
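Review bot: The comment on `send_shutdown` in the moved `ssl3_state_st` block, `/* recv_shutdown is the shutdown state for the send half of the connection. */`, names the wrong field, and since this hunk relocates the definition verbatim it carries the copy-paste error to the new location; it should read `/* send_shutdown is the shutdown state for the send half of the connection. */`. The same struct now also holds `write_traffic_secret`, `read_traffic_secret`, `exporter_secret` and `tmp.key_block`, which are key material, so a one-line note above `typedef struct ssl3_state_st` that whoever tears down an `SSL3_STATE` is responsible for clearing these fields would help readers; whether the existing free path already does so is not visible in this hunk. The definition is complete within the hunk, so the fix is a comment-only change at the new site.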