From 1e4884f615b20946411a74e41eb9c6aa65e2d5f3 Mon Sep 17 00:00:00 2001 From: Adam Langley Date: Thu, 24 Sep 2015 10:57:52 -0700 Subject: external/boringssl: sync with upstream. This change imports the current version of BoringSSL. The only local change now is that |BORINGSSL_201509| is defined in base.h. This allows this change to be made without (hopefully) breaking the build. This change will need https://android-review.googlesource.com/172744 to be landed afterwards to update a test. Change-Id: I6d1f463f7785a2423bd846305af91c973c326104 --- src/include/openssl/ssl3.h | 136 +++++++++++++++++++++++++-------------------- 1 file changed, 76 insertions(+), 60 deletions(-) (limited to 'src/include/openssl/ssl3.h') diff --git a/src/include/openssl/ssl3.h b/src/include/openssl/ssl3.h index 640a228..1f6ca31 100644 --- a/src/include/openssl/ssl3.h +++ b/src/include/openssl/ssl3.h @@ -127,11 +127,14 @@ extern "C" { #endif +/* These are kept to support clients that negotiates higher protocol versions + * using SSLv2 client hello records. */ +#define SSL2_MT_CLIENT_HELLO 1 +#define SSL2_VERSION 0x0002 -/* Signalling cipher suite value: from RFC5746 */ +/* Signalling cipher suite value from RFC 5746. */ #define SSL3_CK_SCSV 0x030000FF -/* Fallback signalling cipher suite value: not IANA assigned. - * See https://tools.ietf.org/html/draft-bmoeller-tls-downgrade-scsv-01 */ +/* Fallback signalling cipher suite value from RFC 7507. */ #define SSL3_CK_FALLBACK_SCSV 0x03005600 #define SSL3_CK_RSA_NULL_MD5 0x03000001 
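Review bot: The new comment above `SSL2_MT_CLIENT_HELLO` and `SSL2_VERSION` does not say that these values exist only to recognise the V2ClientHello framing, so a reader could take `SSL2_VERSION` for a protocol version the library is willing to negotiate. I would reword it to `/* These are kept to support clients that negotiate higher protocol versions using SSLv2 client hello records; SSLv2 itself is never negotiated. */`, provided that matches the handshake code, which is outside this hunk. The rewording also fixes the "negotiates" typo.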
@@ -269,29 +272,11 @@ OPENSSL_COMPILE_ASSERT( #define SSL3_MD_CLIENT_FINISHED_CONST "\x43\x4C\x4E\x54" #define SSL3_MD_SERVER_FINISHED_CONST "\x53\x52\x56\x52" -#define SSL3_VERSION 0x0300 -#define SSL3_VERSION_MAJOR 0x03 -#define SSL3_VERSION_MINOR 0x00 - #define SSL3_RT_CHANGE_CIPHER_SPEC 20 #define SSL3_RT_ALERT 21 #define SSL3_RT_HANDSHAKE 22 #define SSL3_RT_APPLICATION_DATA 23 -/* Pseudo content types to indicate additional parameters */ -#define TLS1_RT_CRYPTO 0x1000 -#define TLS1_RT_CRYPTO_PREMASTER (TLS1_RT_CRYPTO | 0x1) -#define TLS1_RT_CRYPTO_CLIENT_RANDOM (TLS1_RT_CRYPTO | 0x2) -#define TLS1_RT_CRYPTO_SERVER_RANDOM (TLS1_RT_CRYPTO | 0x3) -#define TLS1_RT_CRYPTO_MASTER (TLS1_RT_CRYPTO | 0x4) - -#define TLS1_RT_CRYPTO_READ 0x0000 -#define TLS1_RT_CRYPTO_WRITE 0x0100 -#define TLS1_RT_CRYPTO_MAC (TLS1_RT_CRYPTO | 0x5) -#define TLS1_RT_CRYPTO_KEY (TLS1_RT_CRYPTO | 0x6) -#define TLS1_RT_CRYPTO_IV (TLS1_RT_CRYPTO | 0x7) -#define TLS1_RT_CRYPTO_FIXED_IV (TLS1_RT_CRYPTO | 0x8) - /* Pseudo content type for SSL/TLS header info */ #define SSL3_RT_HEADER 0x100 
@@ -322,22 +307,17 @@ typedef struct ssl3_record_st { /* data is a non-owning pointer to the record contents. The total length of * the buffer is |off| + |length|. */ uint8_t *data; - /* epoch, in DTLS, is the epoch number of the record. */ - uint16_t epoch; - /* seq_num, in DTLS, is the sequence number of the record. The top two bytes - * are always zero. - * - * TODO(davidben): This is confusing. They should include the epoch or the - * field should be six bytes. */ - uint8_t seq_num[8]; } SSL3_RECORD; typedef struct ssl3_buffer_st { - uint8_t *buf; /* at least SSL3_RT_MAX_PACKET_SIZE bytes, see - ssl3_setup_buffers() */ - size_t len; /* buffer size */ - int offset; /* where to 'copy from' */ - int left; /* how many bytes left */ + /* buf is the memory allocated for this buffer. */ + uint8_t *buf; + /* offset is the offset into |buf| which the buffer contents start at. */ + uint16_t offset; + /* len is the length of the buffer contents from |buf| + |offset|. */ + uint16_t len; + /* cap is how much memory beyond |buf| + |offset| is available. */ + uint16_t cap; } SSL3_BUFFER; #define SSL3_CT_RSA_SIGN 1 @@ -369,9 +349,6 @@ typedef struct ssl3_state_st { /* flags for countermeasure against known-IV weakness */ int need_record_splitting; - /* The value of 'extra' when the buffers were initialized */ - int init_extra; - /* have_version is true if the connection's final version is known. Otherwise * the version has not been negotiated yet. */ char have_version; 
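Review bot: In the new `SSL3_BUFFER`, `offset`, `len` and `cap` narrow from `int`/`size_t` to `uint16_t`, and the field comments do not state the invariants that keep them safe. Any caller that stores a `size_t` into these fields, or computes `offset + len` in 16 bits, truncates silently above 0xffff and would leave the bookkeeping smaller than the data actually held; the code that fills them is outside this hunk, so this may already be checked there. I would document the relation on the struct, for example `/* Invariant: len <= cap, and offset + cap never exceeds the allocation behind buf. */` if that is the intended relation, and have the allocation path reject sizes above 0xffff before assigning. The wording of `cap` ("beyond |buf| + |offset|") also leaves open whether it includes `len`, which the invariant comment would settle.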
@@ -380,13 +357,10 @@ typedef struct ssl3_state_st { * completed. */ char initial_handshake_complete; - /* sniff_buffer is used by the server in the initial handshake to read a - * V2ClientHello before the record layer is initialized. */ - BUF_MEM *sniff_buffer; - size_t sniff_buffer_len; - - SSL3_BUFFER rbuf; /* read IO goes into here */ - SSL3_BUFFER wbuf; /* write IO goes into here */ + /* read_buffer holds data from the transport to be processed. */ + SSL3_BUFFER read_buffer; + /* write_buffer holds data to be written to the transport. */ + SSL3_BUFFER write_buffer; SSL3_RECORD rrec; /* each decoded record goes in here */ @@ -402,11 +376,15 @@ typedef struct ssl3_state_st { int wpend_ret; /* number of bytes submitted */ const uint8_t *wpend_buf; - /* used during startup, digest all incoming/outgoing packets */ - BIO *handshake_buffer; - /* When set of handshake digests is determined, buffer is hashed and freed - * and MD_CTX-es for all required digests are stored in this array */ - EVP_MD_CTX **handshake_dgst; + /* handshake_buffer, if non-NULL, contains the handshake transcript. */ + BUF_MEM *handshake_buffer; + /* handshake_hash, if initialized with an |EVP_MD|, maintains the handshake + * hash. For TLS 1.1 and below, it is the SHA-1 half. */ + EVP_MD_CTX handshake_hash; + /* handshake_md5, if initialized with an |EVP_MD|, maintains the MD5 half of + * the handshake hash for TLS 1.1 and below. */ + EVP_MD_CTX handshake_md5; + /* this is set whenerver we see a change_cipher_spec message come in when we * are not looking for one */ int change_cipher_spec; 
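Review bot: In the `-402,11 +376,15` hunk, the comments on `handshake_hash` and `handshake_md5` say "if initialized with an |EVP_MD|" but do not say how a reader distinguishes an initialized context from an unused one, now that the NULL-able `EVP_MD_CTX **handshake_dgst` is replaced by contexts embedded by value. Embedded contexts also have to be put into a defined state when the enclosing struct is created and cleaned up when it is freed; that code is outside this hunk, so it may already be handled. I would extend the comment with something like `/* Unused until an |EVP_MD| is set; always cleaned up when the state is freed. */`, adjusted to the actual lifetime. The struct itself starts and ends outside the hunk.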
@@ -420,6 +398,13 @@ typedef struct ssl3_state_st { int total_renegotiations; + /* empty_record_count is the number of consecutive empty records received. */ + uint8_t empty_record_count; + + /* warning_alert_count is the number of consecutive warning alerts + * received. */ + uint8_t warning_alert_count; + /* State pertaining to the pending handshake. * * TODO(davidben): State is current spread all over the place. Move @@ -446,6 +431,34 @@ typedef struct ssl3_state_st { int reuse_message; + union { + /* sent is a bitset where the bits correspond to elements of kExtensions + * in t1_lib.c. Each bit is set if that extension was sent in a + * ClientHello. It's not used by servers. */ + uint32_t sent; + /* received is a bitset, like |sent|, but is used by servers to record + * which extensions were received from a client. */ + uint32_t received; + } extensions; + + union { + /* sent is a bitset where the bits correspond to elements of + * |client_custom_extensions| in the |SSL_CTX|. Each bit is set if that + * extension was sent in a ClientHello. It's not used by servers. */ + uint16_t sent; + /* received is a bitset, like |sent|, but is used by servers to record + * which custom extensions were received from a client. The bits here + * correspond to |server_custom_extensions|. */ + uint16_t received; + } custom_extensions; + + /* SNI extension */ + + /* should_ack_sni is used by a server and indicates that the SNI extension + * should be echoed in the ServerHello. */ + unsigned should_ack_sni:1; + + /* Client-only: cert_req determines if a client certificate is to be sent. * This is 0 if no client Certificate message is to be sent, 1 if there is * a client certificate, and 2 to send an empty client Certificate 
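Review bot: `empty_record_count` and `warning_alert_count` are declared `uint8_t`, so each wraps to 0 after 255, and the comments give neither the limit they are compared against nor the event that resets them. If the limit were ever set to 256 or more, or the counter were incremented without the comparison happening before it can wrap, a peer sending an unbroken run of empty records or warning alerts would never reach the cap; the checks themselves are not in this hunk. I would extend the comments, e.g. `/* ... The enforced limit must stay below 256. */`, state the reset rule next to it, and pair the limit constant with a compile-time assert where it is defined.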
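Review bot: In the `-446,6 +431,34` hunk, the `extensions` and `custom_extensions` bitsets fix the number of trackable extensions at 32 and 16, and nothing visible here ties those widths to the tables they index. A shift by an index at or beyond the field width is undefined behaviour and could let one extension's bit alias another's, which matters if these bits decide whether an extension in the peer's reply counts as solicited. The file already uses `OPENSSL_COMPILE_ASSERT`, so I would state the bound in the comment, `/* kExtensions must have at most 32 entries. */`, and assert it next to the table in t1_lib.c; the same applies to the 16-bit custom set. Sharing `sent` and `received` in a union also relies on a connection never acting as both client and server, which is worth one sentence in the comment.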
@@ -474,13 +487,12 @@ typedef struct ssl3_state_st { int cert_request; /* certificate_status_expected is true if OCSP stapling was negotiated and - * the server is expected to send a CertificateStatus message. */ - char certificate_status_expected; + * the server is expected to send a CertificateStatus message. (This is + * used on both the client and server sides.) */ + unsigned certificate_status_expected:1; - /* peer_ecpointformatlist contains the EC point formats advertised by the - * peer. */ - uint8_t *peer_ecpointformatlist; - size_t peer_ecpointformatlist_length; + /* ocsp_stapling_requested is true if a client requested OCSP stapling. */ + unsigned ocsp_stapling_requested:1; /* Server-only: peer_ellipticcurvelist contains the EC curve IDs advertised * by the peer. This is only set on the server's end. The server does not @@ -507,6 +519,12 @@ typedef struct ssl3_state_st { /* Client-only: in_false_start is one if there is a pending handshake in * False Start. The client may write data at this point. */ char in_false_start; + + /* peer_dh_tmp, on a client, is the server's DHE public key. */ + DH *peer_dh_tmp; + + /* peer_ecdh_tmp, on a client, is the server's ECDHE public key. */ + EC_KEY *peer_ecdh_tmp; } tmp; /* Connection binding to prevent renegotiation attacks */ @@ -533,11 +551,6 @@ typedef struct ssl3_state_st { * Channel IDs and that tlsext_channel_id will be valid after the * handshake. */ char tlsext_channel_id_valid; - /* tlsext_channel_id_new means that the updated Channel ID extension was - * negotiated. This is a temporary hack in the code to support both forms of - * Channel ID extension while we transition to the new format, which fixed a - * security issue. */ - char tlsext_channel_id_new; /* For a server: * If |tlsext_channel_id_valid| is true, then this contains the * verified Channel ID from the client: a P256 point, (x,y), where 
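Review bot: In the `-507,6 +519,12` hunk, `peer_dh_tmp` and `peer_ecdh_tmp` are added to `tmp` as raw `DH *` and `EC_KEY *` with no statement of ownership. The comments should say whether this struct owns the keys and where they are released, since a missed free would leak the server's ephemeral key on each handshake and a stale pointer carried into a renegotiation risks a double free; the cleanup code is outside this hunk. Something like `/* peer_dh_tmp, on a client, is the server's DHE public key. It is owned by this struct and freed with the rest of |tmp|. */` would do, if that is the actual lifetime.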
@@ -550,6 +563,7 @@ typedef struct ssl3_state_st {
 /* extra state */
 #define SSL3_ST_CW_FLUSH (0x100 | SSL_ST_CONNECT)
 #define SSL3_ST_FALSE_START (0x101 | SSL_ST_CONNECT)
+#define SSL3_ST_VERIFY_SERVER_CERT (0x102 | SSL_ST_CONNECT)
 /* write to server */
 #define SSL3_ST_CW_CLNT_HELLO_A (0x110 | SSL_ST_CONNECT)
 #define SSL3_ST_CW_CLNT_HELLO_B (0x111 | SSL_ST_CONNECT)
@@ -575,6 +589,7 @@ typedef struct ssl3_state_st {
 #define SSL3_ST_CW_KEY_EXCH_B (0x181 | SSL_ST_CONNECT)
 #define SSL3_ST_CW_CERT_VRFY_A (0x190 | SSL_ST_CONNECT)
 #define SSL3_ST_CW_CERT_VRFY_B (0x191 | SSL_ST_CONNECT)
+#define SSL3_ST_CW_CERT_VRFY_C (0x192 | SSL_ST_CONNECT)
 #define SSL3_ST_CW_CHANGE_A (0x1A0 | SSL_ST_CONNECT)
 #define SSL3_ST_CW_CHANGE_B (0x1A1 | SSL_ST_CONNECT)
 #define SSL3_ST_CW_NEXT_PROTO_A (0x200 | SSL_ST_CONNECT)
@@ -613,6 +628,7 @@ typedef struct ssl3_state_st {
 #define SSL3_ST_SW_CERT_B (0x141 | SSL_ST_ACCEPT)
 #define SSL3_ST_SW_KEY_EXCH_A (0x150 | SSL_ST_ACCEPT)
 #define SSL3_ST_SW_KEY_EXCH_B (0x151 | SSL_ST_ACCEPT)
+#define SSL3_ST_SW_KEY_EXCH_C (0x152 | SSL_ST_ACCEPT)
 #define SSL3_ST_SW_CERT_REQ_A (0x160 | SSL_ST_ACCEPT)
 #define SSL3_ST_SW_CERT_REQ_B (0x161 | SSL_ST_ACCEPT)
 #define SSL3_ST_SW_SRVR_DONE_A (0x170 | SSL_ST_ACCEPT)
-- cgit v1.1