Diffstat (limited to 'src/include/openssl/ssl3.h')
-rw-r--r--src/include/openssl/ssl3.h136
1 files changed, 60 insertions, 76 deletions
diff --git a/src/include/openssl/ssl3.h b/src/include/openssl/ssl3.h
index 1f6ca31..640a228 100644
--- a/src/include/openssl/ssl3.h
+++ b/src/include/openssl/ssl3.h
@@ -127,14 +127,11 @@
extern "C" {
#endif
-/* These are kept to support clients that negotiates higher protocol versions
- * using SSLv2 client hello records. */
-#define SSL2_MT_CLIENT_HELLO 1
-#define SSL2_VERSION 0x0002
-/* Signalling cipher suite value from RFC 5746. */
+/* Signalling cipher suite value: from RFC5746 */
#define SSL3_CK_SCSV 0x030000FF
-/* Fallback signalling cipher suite value from RFC 7507. */
+/* Fallback signalling cipher suite value: not IANA assigned.
+ * See https://tools.ietf.org/html/draft-bmoeller-tls-downgrade-scsv-01 */
#define SSL3_CK_FALLBACK_SCSV 0x03005600
#define SSL3_CK_RSA_NULL_MD5 0x03000001
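Review bot: The rewritten comment above `SSL3_CK_FALLBACK_SCSV` calls the value "not IANA assigned" and points at an expired draft, while the line it replaces cited RFC 7507, the published specification that registers 0x5600 as TLS_FALLBACK_SCSV; the new text is stale and sends readers to the wrong document. Suggest keeping `/* Fallback signalling cipher suite value from RFC 7507. */`, or at minimum dropping the "not IANA assigned" claim. The same hunk removes `SSL2_MT_CLIENT_HELLO` and `SSL2_VERSION`, yet the later hunk that adds `sniff_buffer` still documents it as reading a V2ClientHello, so whatever parses that record outside this header is left without named constants for the message type and version; either keep the two defines or note where their replacements live.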
@@ -272,11 +269,29 @@ OPENSSL_COMPILE_ASSERT(
#define SSL3_MD_CLIENT_FINISHED_CONST "\x43\x4C\x4E\x54"
#define SSL3_MD_SERVER_FINISHED_CONST "\x53\x52\x56\x52"
+#define SSL3_VERSION 0x0300
+#define SSL3_VERSION_MAJOR 0x03
+#define SSL3_VERSION_MINOR 0x00
+
#define SSL3_RT_CHANGE_CIPHER_SPEC 20
#define SSL3_RT_ALERT 21
#define SSL3_RT_HANDSHAKE 22
#define SSL3_RT_APPLICATION_DATA 23
+/* Pseudo content types to indicate additional parameters */
+#define TLS1_RT_CRYPTO 0x1000
+#define TLS1_RT_CRYPTO_PREMASTER (TLS1_RT_CRYPTO | 0x1)
+#define TLS1_RT_CRYPTO_CLIENT_RANDOM (TLS1_RT_CRYPTO | 0x2)
+#define TLS1_RT_CRYPTO_SERVER_RANDOM (TLS1_RT_CRYPTO | 0x3)
+#define TLS1_RT_CRYPTO_MASTER (TLS1_RT_CRYPTO | 0x4)
+
+#define TLS1_RT_CRYPTO_READ 0x0000
+#define TLS1_RT_CRYPTO_WRITE 0x0100
+#define TLS1_RT_CRYPTO_MAC (TLS1_RT_CRYPTO | 0x5)
+#define TLS1_RT_CRYPTO_KEY (TLS1_RT_CRYPTO | 0x6)
+#define TLS1_RT_CRYPTO_IV (TLS1_RT_CRYPTO | 0x7)
+#define TLS1_RT_CRYPTO_FIXED_IV (TLS1_RT_CRYPTO | 0x8)
+
/* Pseudo content type for SSL/TLS header info */
#define SSL3_RT_HEADER 0x100
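Review bot: The new `TLS1_RT_CRYPTO_*` block is introduced with only `/* Pseudo content types to indicate additional parameters */`, which says neither what they parameterize nor that the data they tag is secret. Going by the names (premaster, master, MAC key, key, IV) these presumably tag raw key material handed to a message callback, with `TLS1_RT_CRYPTO_READ`/`TLS1_RT_CRYPTO_WRITE` OR-ed in to mark direction; the consumer is outside this header, so confirm and then say so, e.g. `/* Pseudo content types passed to the message callback when it is given raw key material (premaster/master secret, MAC key, key, IV). Callbacks receiving these must treat the data as secret. The READ/WRITE flag is OR-ed into the type. */`. Separately, `TLS1_RT_CRYPTO_READ`/`_WRITE` sit between `TLS1_RT_CRYPTO_MASTER (0x4)` and `TLS1_RT_CRYPTO_MAC (0x5)`, which reads as if the direction flags were part of the numbered sequence; moving them after `TLS1_RT_CRYPTO_FIXED_IV` keeps the 0x1..0x8 values contiguous.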
@@ -307,17 +322,22 @@ typedef struct ssl3_record_st {
/* data is a non-owning pointer to the record contents. The total length of
* the buffer is |off| + |length|. */
uint8_t *data;
+ /* epoch, in DTLS, is the epoch number of the record. */
+ uint16_t epoch;
+ /* seq_num, in DTLS, is the sequence number of the record. The top two bytes
+ * are always zero.
+ *
+ * TODO(davidben): This is confusing. They should include the epoch or the
+ * field should be six bytes. */
+ uint8_t seq_num[8];
} SSL3_RECORD;
typedef struct ssl3_buffer_st {
- /* buf is the memory allocated for this buffer. */
- uint8_t *buf;
- /* offset is the offset into |buf| which the buffer contents start at. */
- uint16_t offset;
- /* len is the length of the buffer contents from |buf| + |offset|. */
- uint16_t len;
- /* cap is how much memory beyond |buf| + |offset| is available. */
- uint16_t cap;
+ uint8_t *buf; /* at least SSL3_RT_MAX_PACKET_SIZE bytes, see
+ ssl3_setup_buffers() */
+ size_t len; /* buffer size */
+ int offset; /* where to 'copy from' */
+ int left; /* how many bytes left */
} SSL3_BUFFER;
#define SSL3_CT_RSA_SIGN 1
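Review bot: The new `SSL3_BUFFER` mixes a `size_t len` with signed `int offset` and `int left`, and the comments (`/* where to 'copy from' */`, `/* how many bytes left */`) do not state how the three relate, so every bounds comparison such as `offset + left <= len` becomes a signed/unsigned comparison and the invariant is left to each caller. Suggest either declaring `offset` and `left` as `size_t` too, or documenting on the struct that both are non-negative and that `offset + left <= len` must hold. The `/* buffer size */` comment on `len` should also say it counts allocated bytes rather than valid bytes, since the definition being replaced used `len` for the latter and the comment on `buf` promises at least SSL3_RT_MAX_PACKET_SIZE. `ssl3_record_st` begins before this hunk.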
@@ -349,6 +369,9 @@ typedef struct ssl3_state_st {
/* flags for countermeasure against known-IV weakness */
int need_record_splitting;
+ /* The value of 'extra' when the buffers were initialized */
+ int init_extra;
+
/* have_version is true if the connection's final version is known. Otherwise
* the version has not been negotiated yet. */
char have_version;
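Review bot: The comment on `init_extra`, `/* The value of 'extra' when the buffers were initialized */`, refers to an `extra` that is not defined anywhere in this header, so a reader cannot tell what the field records or why it is kept. Presumably it is the extra buffer space in effect when the read/write buffers were allocated and is compared against the current setting later; confirm against the buffer setup code, which is outside this header, and then spell that out, e.g. `/* init_extra is the extra buffer space that was in effect when rbuf/wbuf were allocated. */`. `ssl3_state_st` continues outside the hunk.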
@@ -357,10 +380,13 @@ typedef struct ssl3_state_st {
* completed. */
char initial_handshake_complete;
- /* read_buffer holds data from the transport to be processed. */
- SSL3_BUFFER read_buffer;
- /* write_buffer holds data to be written to the transport. */
- SSL3_BUFFER write_buffer;
+ /* sniff_buffer is used by the server in the initial handshake to read a
+ * V2ClientHello before the record layer is initialized. */
+ BUF_MEM *sniff_buffer;
+ size_t sniff_buffer_len;
+
+ SSL3_BUFFER rbuf; /* read IO goes into here */
+ SSL3_BUFFER wbuf; /* write IO goes into here */
SSL3_RECORD rrec; /* each decoded record goes in here */
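Review bot: `sniff_buffer_len` is added next to a `BUF_MEM *sniff_buffer`, but the comment does not say how the two relate (a BUF_MEM already carries its own length), who allocates and frees the buffer, or when it is released, which makes a stale length or a leak easy to introduce. Suggest extending the comment along the lines of `/* sniff_buffer_len is the number of bytes of |sniff_buffer| filled so far. sniff_buffer is owned by this struct and freed once the record layer takes over. */`, adjusted to the actual lifecycle, which is outside this header. `ssl3_state_st` continues outside the hunk.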
@@ -376,15 +402,11 @@ typedef struct ssl3_state_st {
int wpend_ret; /* number of bytes submitted */
const uint8_t *wpend_buf;
- /* handshake_buffer, if non-NULL, contains the handshake transcript. */
- BUF_MEM *handshake_buffer;
- /* handshake_hash, if initialized with an |EVP_MD|, maintains the handshake
- * hash. For TLS 1.1 and below, it is the SHA-1 half. */
- EVP_MD_CTX handshake_hash;
- /* handshake_md5, if initialized with an |EVP_MD|, maintains the MD5 half of
- * the handshake hash for TLS 1.1 and below. */
- EVP_MD_CTX handshake_md5;
-
+ /* used during startup, digest all incoming/outgoing packets */
+ BIO *handshake_buffer;
+ /* When set of handshake digests is determined, buffer is hashed and freed
+ * and MD_CTX-es for all required digests are stored in this array */
+ EVP_MD_CTX **handshake_dgst;
/* this is set whenerver we see a change_cipher_spec message come in when we
* are not looking for one */
int change_cipher_spec;
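Review bot: The comment on `handshake_dgst` says the contexts for all required digests are stored in the array, but not how many entries it has, how the end is found, or who frees the contexts and the array; the `handshake_buffer` comment likewise says nothing about ownership of the `BIO`. Suggest `/* handshake_dgst, if non-NULL, is an array of EVP_MD_CTX pointers, one per digest in the negotiated set, owned by this struct and freed with it. */` with the indexing rule and any NULL-entry convention filled in from the code that populates it, which is outside this header. `ssl3_state_st` continues outside the hunk.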
@@ -398,13 +420,6 @@ typedef struct ssl3_state_st {
int total_renegotiations;
- /* empty_record_count is the number of consecutive empty records received. */
- uint8_t empty_record_count;
-
- /* warning_alert_count is the number of consecutive warning alerts
- * received. */
- uint8_t warning_alert_count;
-
/* State pertaining to the pending handshake.
*
* TODO(davidben): State is current spread all over the place. Move
@@ -431,34 +446,6 @@ typedef struct ssl3_state_st {
int reuse_message;
- union {
- /* sent is a bitset where the bits correspond to elements of kExtensions
- * in t1_lib.c. Each bit is set if that extension was sent in a
- * ClientHello. It's not used by servers. */
- uint32_t sent;
- /* received is a bitset, like |sent|, but is used by servers to record
- * which extensions were received from a client. */
- uint32_t received;
- } extensions;
-
- union {
- /* sent is a bitset where the bits correspond to elements of
- * |client_custom_extensions| in the |SSL_CTX|. Each bit is set if that
- * extension was sent in a ClientHello. It's not used by servers. */
- uint16_t sent;
- /* received is a bitset, like |sent|, but is used by servers to record
- * which custom extensions were received from a client. The bits here
- * correspond to |server_custom_extensions|. */
- uint16_t received;
- } custom_extensions;
-
- /* SNI extension */
-
- /* should_ack_sni is used by a server and indicates that the SNI extension
- * should be echoed in the ServerHello. */
- unsigned should_ack_sni:1;
-
-
/* Client-only: cert_req determines if a client certificate is to be sent.
* This is 0 if no client Certificate message is to be sent, 1 if there is
* a client certificate, and 2 to send an empty client Certificate
@@ -487,12 +474,13 @@ typedef struct ssl3_state_st {
int cert_request;
/* certificate_status_expected is true if OCSP stapling was negotiated and
- * the server is expected to send a CertificateStatus message. (This is
- * used on both the client and server sides.) */
- unsigned certificate_status_expected:1;
+ * the server is expected to send a CertificateStatus message. */
+ char certificate_status_expected;
- /* ocsp_stapling_requested is true if a client requested OCSP stapling. */
- unsigned ocsp_stapling_requested:1;
+ /* peer_ecpointformatlist contains the EC point formats advertised by the
+ * peer. */
+ uint8_t *peer_ecpointformatlist;
+ size_t peer_ecpointformatlist_length;
/* Server-only: peer_ellipticcurvelist contains the EC curve IDs advertised
* by the peer. This is only set on the server's end. The server does not
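Review bot: `peer_ecpointformatlist` points at data supplied by the peer, yet the new comment says nothing about ownership (a heap copy owned by this struct, or a pointer into the received extension?) or about the unit of `peer_ecpointformatlist_length`. Suggest `/* peer_ecpointformatlist, if non-NULL, is a copy of the EC point formats advertised by the peer, owned by this struct; peer_ecpointformatlist_length is its length in bytes. */` once ownership is confirmed against the extension parser, which is outside this header. The comment on `certificate_status_expected` also lost the parenthetical stating that it is used on both client and server; if that is still true it is worth keeping, since the neighbouring fields are explicitly marked Client-only or Server-only. `ssl3_state_st` continues outside the hunk.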
@@ -519,12 +507,6 @@ typedef struct ssl3_state_st {
/* Client-only: in_false_start is one if there is a pending handshake in
* False Start. The client may write data at this point. */
char in_false_start;
-
- /* peer_dh_tmp, on a client, is the server's DHE public key. */
- DH *peer_dh_tmp;
-
- /* peer_ecdh_tmp, on a client, is the server's ECDHE public key. */
- EC_KEY *peer_ecdh_tmp;
} tmp;
/* Connection binding to prevent renegotiation attacks */
@@ -551,6 +533,11 @@ typedef struct ssl3_state_st {
* Channel IDs and that tlsext_channel_id will be valid after the
* handshake. */
char tlsext_channel_id_valid;
+ /* tlsext_channel_id_new means that the updated Channel ID extension was
+ * negotiated. This is a temporary hack in the code to support both forms of
+ * Channel ID extension while we transition to the new format, which fixed a
+ * security issue. */
+ char tlsext_channel_id_new;
/* For a server:
* If |tlsext_channel_id_valid| is true, then this contains the
* verified Channel ID from the client: a P256 point, (x,y), where
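Review bot: The comment on `tlsext_channel_id_new` says the new extension format "fixed a security issue" without naming it, and calls the dual support a temporary hack without stating what must be true before the old-format path can be removed. Suggest recording which issue is meant (a bug id or a one-line description of the weakness) and the removal condition, e.g. `/* ... Remove the old-format path once peers that only negotiate it are gone; see <issue reference>. */`, so the legacy path is retired deliberately rather than forgotten. `ssl3_state_st` continues outside the hunk.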
@@ -563,7 +550,6 @@ typedef struct ssl3_state_st {
/* extra state */
#define SSL3_ST_CW_FLUSH (0x100 | SSL_ST_CONNECT)
#define SSL3_ST_FALSE_START (0x101 | SSL_ST_CONNECT)
-#define SSL3_ST_VERIFY_SERVER_CERT (0x102 | SSL_ST_CONNECT)
/* write to server */
#define SSL3_ST_CW_CLNT_HELLO_A (0x110 | SSL_ST_CONNECT)
#define SSL3_ST_CW_CLNT_HELLO_B (0x111 | SSL_ST_CONNECT)
@@ -589,7 +575,6 @@ typedef struct ssl3_state_st {
#define SSL3_ST_CW_KEY_EXCH_B (0x181 | SSL_ST_CONNECT)
#define SSL3_ST_CW_CERT_VRFY_A (0x190 | SSL_ST_CONNECT)
#define SSL3_ST_CW_CERT_VRFY_B (0x191 | SSL_ST_CONNECT)
-#define SSL3_ST_CW_CERT_VRFY_C (0x192 | SSL_ST_CONNECT)
#define SSL3_ST_CW_CHANGE_A (0x1A0 | SSL_ST_CONNECT)
#define SSL3_ST_CW_CHANGE_B (0x1A1 | SSL_ST_CONNECT)
#define SSL3_ST_CW_NEXT_PROTO_A (0x200 | SSL_ST_CONNECT)
@@ -628,7 +613,6 @@ typedef struct ssl3_state_st {
#define SSL3_ST_SW_CERT_B (0x141 | SSL_ST_ACCEPT)
#define SSL3_ST_SW_KEY_EXCH_A (0x150 | SSL_ST_ACCEPT)
#define SSL3_ST_SW_KEY_EXCH_B (0x151 | SSL_ST_ACCEPT)
-#define SSL3_ST_SW_KEY_EXCH_C (0x152 | SSL_ST_ACCEPT)
#define SSL3_ST_SW_CERT_REQ_A (0x160 | SSL_ST_ACCEPT)
#define SSL3_ST_SW_CERT_REQ_B (0x161 | SSL_ST_ACCEPT)
#define SSL3_ST_SW_SRVR_DONE_A (0x170 | SSL_ST_ACCEPT)