esp-idf/components/openssl/library/ssl_lib.c

1610 wiersze
33 KiB
C

// Copyright 2015-2016 Espressif Systems (Shanghai) PTE LTD
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
#include "ssl_lib.h"
#include "ssl_pkey.h"
#include "ssl_x509.h"
#include "ssl_cert.h"
#include "ssl_dbg.h"
#include "ssl_port.h"
#define SSL_SEND_DATA_MAX_LENGTH 1460
/**
* @brief create a new SSL session object
*/
static SSL_SESSION* SSL_SESSION_new(void)
{
SSL_SESSION *session;
session = ssl_mem_zalloc(sizeof(SSL_SESSION));
if (!session) {
SSL_DEBUG(SSL_LIB_ERROR_LEVEL, "no enough memory > (session)");
goto failed1;
}
session->peer = X509_new();
if (!session->peer) {
SSL_DEBUG(SSL_LIB_ERROR_LEVEL, "X509_new() return NULL");
goto failed2;
}
return session;
failed2:
ssl_mem_free(session);
failed1:
return NULL;
}
/**
* @brief free a new SSL session object
*/
static void SSL_SESSION_free(SSL_SESSION *session)
{
X509_free(session->peer);
ssl_mem_free(session);
}
/**
* @brief Discover whether the current connection is in the error state
*/
int ossl_statem_in_error(const SSL *ssl)
{
SSL_ASSERT1(ssl);
if (ssl->statem.state == MSG_FLOW_ERROR)
return 1;
return 0;
}
/**
* @brief get the SSL specifical statement
*/
int SSL_want(const SSL *ssl)
{
SSL_ASSERT1(ssl);
return ssl->rwstate;
}
/**
* @brief check if SSL want nothing
*/
int SSL_want_nothing(const SSL *ssl)
{
SSL_ASSERT1(ssl);
return (SSL_want(ssl) == SSL_NOTHING);
}
/**
* @brief check if SSL want to read
*/
int SSL_want_read(const SSL *ssl)
{
SSL_ASSERT1(ssl);
return (SSL_want(ssl) == SSL_READING);
}
/**
* @brief check if SSL want to write
*/
int SSL_want_write(const SSL *ssl)
{
SSL_ASSERT1(ssl);
return (SSL_want(ssl) == SSL_WRITING);
}
/**
* @brief check if SSL want to lookup X509 certification
*/
int SSL_want_x509_lookup(const SSL *ssl)
{
SSL_ASSERT1(ssl);
return (SSL_want(ssl) == SSL_WRITING);
}
/**
* @brief get SSL error code
*/
int SSL_get_error(const SSL *ssl, int ret_code)
{
int ret = SSL_ERROR_SYSCALL;
SSL_ASSERT1(ssl);
if (ret_code > 0)
ret = SSL_ERROR_NONE;
else if (ret_code < 0)
{
if (SSL_want_read(ssl))
ret = SSL_ERROR_WANT_READ;
else if (SSL_want_write(ssl))
ret = SSL_ERROR_WANT_WRITE;
else
ret = SSL_ERROR_SYSCALL; //unknown
}
else // ret_code == 0
{
if (ssl->shutdown & SSL_RECEIVED_SHUTDOWN)
ret = SSL_ERROR_ZERO_RETURN;
else
ret = SSL_ERROR_SYSCALL;
}
return ret;
}
/**
* @brief get the SSL state
*/
OSSL_HANDSHAKE_STATE SSL_get_state(const SSL *ssl)
{
OSSL_HANDSHAKE_STATE state;
SSL_ASSERT1(ssl);
state = SSL_METHOD_CALL(get_state, ssl);
return state;
}
/**
* @brief create a SSL context
*/
SSL_CTX* SSL_CTX_new(const SSL_METHOD *method)
{
SSL_CTX *ctx;
CERT *cert;
X509 *client_ca;
if (!method) {
SSL_DEBUG(SSL_LIB_ERROR_LEVEL, "no no_method");
return NULL;
}
client_ca = X509_new();
if (!client_ca) {
SSL_DEBUG(SSL_LIB_ERROR_LEVEL, "X509_new() return NULL");
goto failed1;
}
cert = ssl_cert_new();
if (!cert) {
SSL_DEBUG(SSL_LIB_ERROR_LEVEL, "ssl_cert_new() return NULL");
goto failed2;
}
ctx = (SSL_CTX *)ssl_mem_zalloc(sizeof(SSL_CTX));
if (!ctx) {
SSL_DEBUG(SSL_LIB_ERROR_LEVEL, "no enough memory > (ctx)");
goto failed3;
}
ctx->method = method;
ctx->client_CA = client_ca;
ctx->cert = cert;
ctx->version = method->version;
return ctx;
failed3:
ssl_cert_free(cert);
failed2:
X509_free(client_ca);
failed1:
return NULL;
}
/**
* @brief free a SSL context
*/
void SSL_CTX_free(SSL_CTX* ctx)
{
SSL_ASSERT3(ctx);
ssl_cert_free(ctx->cert);
X509_free(ctx->client_CA);
if (ctx->ssl_alpn.alpn_string) {
ssl_mem_free((void *)ctx->ssl_alpn.alpn_string);
}
ssl_mem_free(ctx);
}
/**
* @brief set the SSL context version
*/
int SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *meth)
{
SSL_ASSERT1(ctx);
SSL_ASSERT1(meth);
ctx->method = meth;
ctx->version = meth->version;
return 1;
}
/**
* @brief get the SSL context current method
*/
const SSL_METHOD *SSL_CTX_get_ssl_method(SSL_CTX *ctx)
{
SSL_ASSERT2(ctx);
return ctx->method;
}
/**
* @brief create a SSL
*/
SSL *SSL_new(SSL_CTX *ctx)
{
int ret = 0;
SSL *ssl;
if (!ctx) {
SSL_DEBUG(SSL_LIB_ERROR_LEVEL, "no ctx");
return NULL;
}
ssl = (SSL *)ssl_mem_zalloc(sizeof(SSL));
if (!ssl) {
SSL_DEBUG(SSL_LIB_ERROR_LEVEL, "no enough memory > (ssl)");
goto failed1;
}
ssl->session = SSL_SESSION_new();
if (!ssl->session) {
SSL_DEBUG(SSL_LIB_ERROR_LEVEL, "SSL_SESSION_new() return NULL");
goto failed2;
}
ssl->cert = __ssl_cert_new(ctx->cert);
if (!ssl->cert) {
SSL_DEBUG(SSL_LIB_ERROR_LEVEL, "__ssl_cert_new() return NULL");
goto failed3;
}
ssl->client_CA = __X509_new(ctx->client_CA);
if (!ssl->client_CA) {
SSL_DEBUG(SSL_LIB_ERROR_LEVEL, "__X509_new() return NULL");
goto failed4;
}
ssl->ctx = ctx;
ssl->method = ctx->method;
ssl->version = ctx->version;
ssl->options = ctx->options;
ssl->verify_mode = ctx->verify_mode;
ret = SSL_METHOD_CALL(new, ssl);
if (ret) {
SSL_DEBUG(SSL_LIB_ERROR_LEVEL, "SSL_METHOD_CALL(new) return %d", ret);
goto failed5;
}
ssl->rwstate = SSL_NOTHING;
return ssl;
failed5:
X509_free(ssl->client_CA);
failed4:
ssl_cert_free(ssl->cert);
failed3:
SSL_SESSION_free(ssl->session);
failed2:
ssl_mem_free(ssl);
failed1:
return NULL;
}
/**
* @brief free the SSL
*/
void SSL_free(SSL *ssl)
{
SSL_ASSERT3(ssl);
SSL_METHOD_CALL(free, ssl);
X509_free(ssl->client_CA);
ssl_cert_free(ssl->cert);
SSL_SESSION_free(ssl->session);
ssl_mem_free(ssl);
}
/**
* @brief perform the SSL handshake
*/
int SSL_do_handshake(SSL *ssl)
{
int ret;
SSL_ASSERT1(ssl);
ret = SSL_METHOD_CALL(handshake, ssl);
return ret;
}
/**
* @brief connect to the remote SSL server
*/
int SSL_connect(SSL *ssl)
{
SSL_ASSERT1(ssl);
return SSL_do_handshake(ssl);
}
/**
* @brief accept the remote connection
*/
int SSL_accept(SSL *ssl)
{
SSL_ASSERT1(ssl);
return SSL_do_handshake(ssl);
}
/**
* @brief shutdown the connection
*/
int SSL_shutdown(SSL *ssl)
{
int ret;
SSL_ASSERT1(ssl);
if (SSL_get_state(ssl) != TLS_ST_OK) return 1;
ret = SSL_METHOD_CALL(shutdown, ssl);
return ret;
}
/**
* @brief reset the SSL
*/
int SSL_clear(SSL *ssl)
{
int ret;
SSL_ASSERT1(ssl);
ret = SSL_shutdown(ssl);
if (1 != ret) {
SSL_DEBUG(SSL_LIB_ERROR_LEVEL, "SSL_shutdown return %d", ret);
goto failed1;
}
SSL_METHOD_CALL(free, ssl);
ret = SSL_METHOD_CALL(new, ssl);
if (!ret) {
SSL_DEBUG(SSL_LIB_ERROR_LEVEL, "SSL_METHOD_CALL(new) return %d", ret);
goto failed1;
}
return 1;
failed1:
return ret;
}
/**
* @brief read data from to remote
*/
int SSL_read(SSL *ssl, void *buffer, int len)
{
int ret;
SSL_ASSERT1(ssl);
SSL_ASSERT1(buffer);
SSL_ASSERT1(len);
ssl->rwstate = SSL_READING;
ret = SSL_METHOD_CALL(read, ssl, buffer, len);
if (ret == len)
ssl->rwstate = SSL_NOTHING;
return ret;
}
/**
* @brief send the data to remote
*/
int SSL_write(SSL *ssl, const void *buffer, int len)
{
int ret;
int send_bytes;
const unsigned char *pbuf;
SSL_ASSERT1(ssl);
SSL_ASSERT1(buffer);
SSL_ASSERT1(len);
ssl->rwstate = SSL_WRITING;
send_bytes = len;
pbuf = (const unsigned char *)buffer;
do {
int bytes;
if (send_bytes > SSL_SEND_DATA_MAX_LENGTH)
bytes = SSL_SEND_DATA_MAX_LENGTH;
else
bytes = send_bytes;
ret = SSL_METHOD_CALL(send, ssl, pbuf, bytes);
if (ret > 0) {
pbuf += ret;
send_bytes -= ret;
}
} while (ret > 0 && send_bytes);
if (ret >= 0) {
ret = len - send_bytes;
ssl->rwstate = SSL_NOTHING;
} else
ret = -1;
return ret;
}
/**
* @brief get SSL context of the SSL
*/
SSL_CTX *SSL_get_SSL_CTX(const SSL *ssl)
{
SSL_ASSERT2(ssl);
return ssl->ctx;
}
/**
* @brief get the SSL current method
*/
const SSL_METHOD *SSL_get_ssl_method(SSL *ssl)
{
SSL_ASSERT2(ssl);
return ssl->method;
}
/**
* @brief set the SSL method
*/
int SSL_set_ssl_method(SSL *ssl, const SSL_METHOD *method)
{
int ret;
SSL_ASSERT1(ssl);
SSL_ASSERT1(method);
if (ssl->version != method->version) {
ret = SSL_shutdown(ssl);
if (1 != ret) {
SSL_DEBUG(SSL_LIB_ERROR_LEVEL, "SSL_shutdown return %d", ret);
goto failed1;
}
SSL_METHOD_CALL(free, ssl);
ssl->method = method;
ret = SSL_METHOD_CALL(new, ssl);
if (!ret) {
SSL_DEBUG(SSL_LIB_ERROR_LEVEL, "SSL_METHOD_CALL(new) return %d", ret);
goto failed1;
}
} else {
ssl->method = method;
}
return 1;
failed1:
return ret;
}
/**
* @brief get SSL shutdown mode
*/
int SSL_get_shutdown(const SSL *ssl)
{
SSL_ASSERT1(ssl);
return ssl->shutdown;
}
/**
* @brief set SSL shutdown mode
*/
void SSL_set_shutdown(SSL *ssl, int mode)
{
SSL_ASSERT3(ssl);
ssl->shutdown = mode;
}
/**
* @brief get the number of the bytes to be read
*/
int SSL_pending(const SSL *ssl)
{
int ret;
SSL_ASSERT1(ssl);
ret = SSL_METHOD_CALL(pending, ssl);
return ret;
}
/**
* @brief check if some data can be read
*/
int SSL_has_pending(const SSL *ssl)
{
int ret;
SSL_ASSERT1(ssl);
if (SSL_pending(ssl))
ret = 1;
else
ret = 0;
return ret;
}
/**
* @brief clear the SSL context option bit of "op"
*/
unsigned long SSL_CTX_clear_options(SSL_CTX *ctx, unsigned long op)
{
SSL_ASSERT1(ctx);
return ctx->options &= ~op;
}
/**
* @brief get the SSL context option
*/
unsigned long SSL_CTX_get_options(SSL_CTX *ctx)
{
SSL_ASSERT1(ctx);
return ctx->options;
}
/**
* @brief set the option of the SSL context
*/
unsigned long SSL_CTX_set_options(SSL_CTX *ctx, unsigned long opt)
{
SSL_ASSERT1(ctx);
return ctx->options |= opt;
}
/**
* @brief clear SSL option
*/
unsigned long SSL_clear_options(SSL *ssl, unsigned long op)
{
SSL_ASSERT1(ssl);
return ssl->options & ~op;
}
/**
* @brief get SSL option
*/
unsigned long SSL_get_options(SSL *ssl)
{
SSL_ASSERT1(ssl);
return ssl->options;
}
/**
* @brief clear SSL option
*/
unsigned long SSL_set_options(SSL *ssl, unsigned long op)
{
SSL_ASSERT1(ssl);
return ssl->options |= op;
}
/**
* @brief get the socket handle of the SSL
*/
int SSL_get_fd(const SSL *ssl)
{
int ret;
SSL_ASSERT1(ssl);
ret = SSL_METHOD_CALL(get_fd, ssl, 0);
return ret;
}
/**
* @brief get the read only socket handle of the SSL
*/
int SSL_get_rfd(const SSL *ssl)
{
int ret;
SSL_ASSERT1(ssl);
ret = SSL_METHOD_CALL(get_fd, ssl, 0);
return ret;
}
/**
* @brief get the write only socket handle of the SSL
*/
int SSL_get_wfd(const SSL *ssl)
{
int ret;
SSL_ASSERT1(ssl);
ret = SSL_METHOD_CALL(get_fd, ssl, 0);
return ret;
}
/**
* @brief bind the socket file description into the SSL
*/
int SSL_set_fd(SSL *ssl, int fd)
{
SSL_ASSERT1(ssl);
SSL_ASSERT1(fd >= 0);
SSL_METHOD_CALL(set_fd, ssl, fd, 0);
return 1;
}
/**
* @brief bind the read only socket file description into the SSL
*/
int SSL_set_rfd(SSL *ssl, int fd)
{
SSL_ASSERT1(ssl);
SSL_ASSERT1(fd >= 0);
SSL_METHOD_CALL(set_fd, ssl, fd, 0);
return 1;
}
/**
* @brief bind the write only socket file description into the SSL
*/
int SSL_set_wfd(SSL *ssl, int fd)
{
SSL_ASSERT1(ssl);
SSL_ASSERT1(fd >= 0);
SSL_METHOD_CALL(set_fd, ssl, fd, 0);
return 1;
}
/**
* @brief SET TLS Hostname
*/
int SSL_set_tlsext_host_name(SSL* ssl, const char *hostname)
{
SSL_ASSERT1(ssl);
SSL_ASSERT1(hostname);
SSL_METHOD_CALL(set_hostname, ssl, hostname);
return 1;
}
/**
* @brief get SSL version
*/
int SSL_version(const SSL *ssl)
{
SSL_ASSERT1(ssl);
return ssl->version;
}
/**
* @brief get the SSL version string
*/
static const char* ssl_protocol_to_string(int version)
{
const char *str;
if (version == TLS1_2_VERSION)
str = "TLSv1.2";
else if (version == TLS1_1_VERSION)
str = "TLSv1.1";
else if (version == TLS1_VERSION)
str = "TLSv1";
else if (version == SSL3_VERSION)
str = "SSLv3";
else
str = "unknown";
return str;
}
/**
* @brief get the SSL current version
*/
const char *SSL_get_version(const SSL *ssl)
{
SSL_ASSERT2(ssl);
return ssl_protocol_to_string(SSL_version(ssl));
}
/**
* @brief get alert description string
*/
const char* SSL_alert_desc_string(int value)
{
const char *str;
switch (value & 0xff)
{
case SSL3_AD_CLOSE_NOTIFY:
str = "CN";
break;
case SSL3_AD_UNEXPECTED_MESSAGE:
str = "UM";
break;
case SSL3_AD_BAD_RECORD_MAC:
str = "BM";
break;
case SSL3_AD_DECOMPRESSION_FAILURE:
str = "DF";
break;
case SSL3_AD_HANDSHAKE_FAILURE:
str = "HF";
break;
case SSL3_AD_NO_CERTIFICATE:
str = "NC";
break;
case SSL3_AD_BAD_CERTIFICATE:
str = "BC";
break;
case SSL3_AD_UNSUPPORTED_CERTIFICATE:
str = "UC";
break;
case SSL3_AD_CERTIFICATE_REVOKED:
str = "CR";
break;
case SSL3_AD_CERTIFICATE_EXPIRED:
str = "CE";
break;
case SSL3_AD_CERTIFICATE_UNKNOWN:
str = "CU";
break;
case SSL3_AD_ILLEGAL_PARAMETER:
str = "IP";
break;
case TLS1_AD_DECRYPTION_FAILED:
str = "DC";
break;
case TLS1_AD_RECORD_OVERFLOW:
str = "RO";
break;
case TLS1_AD_UNKNOWN_CA:
str = "CA";
break;
case TLS1_AD_ACCESS_DENIED:
str = "AD";
break;
case TLS1_AD_DECODE_ERROR:
str = "DE";
break;
case TLS1_AD_DECRYPT_ERROR:
str = "CY";
break;
case TLS1_AD_EXPORT_RESTRICTION:
str = "ER";
break;
case TLS1_AD_PROTOCOL_VERSION:
str = "PV";
break;
case TLS1_AD_INSUFFICIENT_SECURITY:
str = "IS";
break;
case TLS1_AD_INTERNAL_ERROR:
str = "IE";
break;
case TLS1_AD_USER_CANCELLED:
str = "US";
break;
case TLS1_AD_NO_RENEGOTIATION:
str = "NR";
break;
case TLS1_AD_UNSUPPORTED_EXTENSION:
str = "UE";
break;
case TLS1_AD_CERTIFICATE_UNOBTAINABLE:
str = "CO";
break;
case TLS1_AD_UNRECOGNIZED_NAME:
str = "UN";
break;
case TLS1_AD_BAD_CERTIFICATE_STATUS_RESPONSE:
str = "BR";
break;
case TLS1_AD_BAD_CERTIFICATE_HASH_VALUE:
str = "BH";
break;
case TLS1_AD_UNKNOWN_PSK_IDENTITY:
str = "UP";
break;
default:
str = "UK";
break;
}
return str;
}
/**
* @brief get alert description long string
*/
const char* SSL_alert_desc_string_long(int value)
{
const char *str;
switch (value & 0xff)
{
case SSL3_AD_CLOSE_NOTIFY:
str = "close notify";
break;
case SSL3_AD_UNEXPECTED_MESSAGE:
str = "unexpected_message";
break;
case SSL3_AD_BAD_RECORD_MAC:
str = "bad record mac";
break;
case SSL3_AD_DECOMPRESSION_FAILURE:
str = "decompression failure";
break;
case SSL3_AD_HANDSHAKE_FAILURE:
str = "handshake failure";
break;
case SSL3_AD_NO_CERTIFICATE:
str = "no certificate";
break;
case SSL3_AD_BAD_CERTIFICATE:
str = "bad certificate";
break;
case SSL3_AD_UNSUPPORTED_CERTIFICATE:
str = "unsupported certificate";
break;
case SSL3_AD_CERTIFICATE_REVOKED:
str = "certificate revoked";
break;
case SSL3_AD_CERTIFICATE_EXPIRED:
str = "certificate expired";
break;
case SSL3_AD_CERTIFICATE_UNKNOWN:
str = "certificate unknown";
break;
case SSL3_AD_ILLEGAL_PARAMETER:
str = "illegal parameter";
break;
case TLS1_AD_DECRYPTION_FAILED:
str = "decryption failed";
break;
case TLS1_AD_RECORD_OVERFLOW:
str = "record overflow";
break;
case TLS1_AD_UNKNOWN_CA:
str = "unknown CA";
break;
case TLS1_AD_ACCESS_DENIED:
str = "access denied";
break;
case TLS1_AD_DECODE_ERROR:
str = "decode error";
break;
case TLS1_AD_DECRYPT_ERROR:
str = "decrypt error";
break;
case TLS1_AD_EXPORT_RESTRICTION:
str = "export restriction";
break;
case TLS1_AD_PROTOCOL_VERSION:
str = "protocol version";
break;
case TLS1_AD_INSUFFICIENT_SECURITY:
str = "insufficient security";
break;
case TLS1_AD_INTERNAL_ERROR:
str = "internal error";
break;
case TLS1_AD_USER_CANCELLED:
str = "user canceled";
break;
case TLS1_AD_NO_RENEGOTIATION:
str = "no renegotiation";
break;
case TLS1_AD_UNSUPPORTED_EXTENSION:
str = "unsupported extension";
break;
case TLS1_AD_CERTIFICATE_UNOBTAINABLE:
str = "certificate unobtainable";
break;
case TLS1_AD_UNRECOGNIZED_NAME:
str = "unrecognized name";
break;
case TLS1_AD_BAD_CERTIFICATE_STATUS_RESPONSE:
str = "bad certificate status response";
break;
case TLS1_AD_BAD_CERTIFICATE_HASH_VALUE:
str = "bad certificate hash value";
break;
case TLS1_AD_UNKNOWN_PSK_IDENTITY:
str = "unknown PSK identity";
break;
default:
str = "unknown";
break;
}
return str;
}
/**
* @brief get alert type string
*/
const char *SSL_alert_type_string(int value)
{
const char *str;
switch (value >> 8)
{
case SSL3_AL_WARNING:
str = "W";
break;
case SSL3_AL_FATAL:
str = "F";
break;
default:
str = "U";
break;
}
return str;
}
/**
* @brief get alert type long string
*/
const char *SSL_alert_type_string_long(int value)
{
const char *str;
switch (value >> 8)
{
case SSL3_AL_WARNING:
str = "warning";
break;
case SSL3_AL_FATAL:
str = "fatal";
break;
default:
str = "unknown";
break;
}
return str;
}
/**
* @brief get the state string where SSL is reading
*/
const char *SSL_rstate_string(SSL *ssl)
{
const char *str;
SSL_ASSERT2(ssl);
switch (ssl->rlayer.rstate)
{
case SSL_ST_READ_HEADER:
str = "RH";
break;
case SSL_ST_READ_BODY:
str = "RB";
break;
case SSL_ST_READ_DONE:
str = "RD";
break;
default:
str = "unknown";
break;
}
return str;
}
/**
* @brief get the statement long string where SSL is reading
*/
const char *SSL_rstate_string_long(SSL *ssl)
{
const char *str = "unknown";
SSL_ASSERT2(ssl);
switch (ssl->rlayer.rstate)
{
case SSL_ST_READ_HEADER:
str = "read header";
break;
case SSL_ST_READ_BODY:
str = "read body";
break;
case SSL_ST_READ_DONE:
str = "read done";
break;
default:
break;
}
return str;
}
/**
* @brief get SSL statement string
*/
const char *SSL_state_string(const SSL *ssl)
{
const char *str = "UNKWN ";
SSL_ASSERT2(ssl);
if (ossl_statem_in_error(ssl))
str = "SSLERR";
else
{
switch (SSL_get_state(ssl))
{
case TLS_ST_BEFORE:
str = "PINIT ";
break;
case TLS_ST_OK:
str = "SSLOK ";
break;
case TLS_ST_CW_CLNT_HELLO:
str = "TWCH";
break;
case TLS_ST_CR_SRVR_HELLO:
str = "TRSH";
break;
case TLS_ST_CR_CERT:
str = "TRSC";
break;
case TLS_ST_CR_KEY_EXCH:
str = "TRSKE";
break;
case TLS_ST_CR_CERT_REQ:
str = "TRCR";
break;
case TLS_ST_CR_SRVR_DONE:
str = "TRSD";
break;
case TLS_ST_CW_CERT:
str = "TWCC";
break;
case TLS_ST_CW_KEY_EXCH:
str = "TWCKE";
break;
case TLS_ST_CW_CERT_VRFY:
str = "TWCV";
break;
case TLS_ST_SW_CHANGE:
case TLS_ST_CW_CHANGE:
str = "TWCCS";
break;
case TLS_ST_SW_FINISHED:
case TLS_ST_CW_FINISHED:
str = "TWFIN";
break;
case TLS_ST_SR_CHANGE:
case TLS_ST_CR_CHANGE:
str = "TRCCS";
break;
case TLS_ST_SR_FINISHED:
case TLS_ST_CR_FINISHED:
str = "TRFIN";
break;
case TLS_ST_SW_HELLO_REQ:
str = "TWHR";
break;
case TLS_ST_SR_CLNT_HELLO:
str = "TRCH";
break;
case TLS_ST_SW_SRVR_HELLO:
str = "TWSH";
break;
case TLS_ST_SW_CERT:
str = "TWSC";
break;
case TLS_ST_SW_KEY_EXCH:
str = "TWSKE";
break;
case TLS_ST_SW_CERT_REQ:
str = "TWCR";
break;
case TLS_ST_SW_SRVR_DONE:
str = "TWSD";
break;
case TLS_ST_SR_CERT:
str = "TRCC";
break;
case TLS_ST_SR_KEY_EXCH:
str = "TRCKE";
break;
case TLS_ST_SR_CERT_VRFY:
str = "TRCV";
break;
case DTLS_ST_CR_HELLO_VERIFY_REQUEST:
str = "DRCHV";
break;
case DTLS_ST_SW_HELLO_VERIFY_REQUEST:
str = "DWCHV";
break;
default:
break;
}
}
return str;
}
/**
* @brief get SSL statement long string
*/
const char *SSL_state_string_long(const SSL *ssl)
{
const char *str = "UNKWN ";
SSL_ASSERT2(ssl);
if (ossl_statem_in_error(ssl))
str = "SSLERR";
else
{
switch (SSL_get_state(ssl))
{
case TLS_ST_BEFORE:
str = "before SSL initialization";
break;
case TLS_ST_OK:
str = "SSL negotiation finished successfully";
break;
case TLS_ST_CW_CLNT_HELLO:
str = "SSLv3/TLS write client hello";
break;
case TLS_ST_CR_SRVR_HELLO:
str = "SSLv3/TLS read server hello";
break;
case TLS_ST_CR_CERT:
str = "SSLv3/TLS read server certificate";
break;
case TLS_ST_CR_KEY_EXCH:
str = "SSLv3/TLS read server key exchange";
break;
case TLS_ST_CR_CERT_REQ:
str = "SSLv3/TLS read server certificate request";
break;
case TLS_ST_CR_SESSION_TICKET:
str = "SSLv3/TLS read server session ticket";
break;
case TLS_ST_CR_SRVR_DONE:
str = "SSLv3/TLS read server done";
break;
case TLS_ST_CW_CERT:
str = "SSLv3/TLS write client certificate";
break;
case TLS_ST_CW_KEY_EXCH:
str = "SSLv3/TLS write client key exchange";
break;
case TLS_ST_CW_CERT_VRFY:
str = "SSLv3/TLS write certificate verify";
break;
case TLS_ST_CW_CHANGE:
case TLS_ST_SW_CHANGE:
str = "SSLv3/TLS write change cipher spec";
break;
case TLS_ST_CW_FINISHED:
case TLS_ST_SW_FINISHED:
str = "SSLv3/TLS write finished";
break;
case TLS_ST_CR_CHANGE:
case TLS_ST_SR_CHANGE:
str = "SSLv3/TLS read change cipher spec";
break;
case TLS_ST_CR_FINISHED:
case TLS_ST_SR_FINISHED:
str = "SSLv3/TLS read finished";
break;
case TLS_ST_SR_CLNT_HELLO:
str = "SSLv3/TLS read client hello";
break;
case TLS_ST_SW_HELLO_REQ:
str = "SSLv3/TLS write hello request";
break;
case TLS_ST_SW_SRVR_HELLO:
str = "SSLv3/TLS write server hello";
break;
case TLS_ST_SW_CERT:
str = "SSLv3/TLS write certificate";
break;
case TLS_ST_SW_KEY_EXCH:
str = "SSLv3/TLS write key exchange";
break;
case TLS_ST_SW_CERT_REQ:
str = "SSLv3/TLS write certificate request";
break;
case TLS_ST_SW_SESSION_TICKET:
str = "SSLv3/TLS write session ticket";
break;
case TLS_ST_SW_SRVR_DONE:
str = "SSLv3/TLS write server done";
break;
case TLS_ST_SR_CERT:
str = "SSLv3/TLS read client certificate";
break;
case TLS_ST_SR_KEY_EXCH:
str = "SSLv3/TLS read client key exchange";
break;
case TLS_ST_SR_CERT_VRFY:
str = "SSLv3/TLS read certificate verify";
break;
case DTLS_ST_CR_HELLO_VERIFY_REQUEST:
str = "DTLS1 read hello verify request";
break;
case DTLS_ST_SW_HELLO_VERIFY_REQUEST:
str = "DTLS1 write hello verify request";
break;
default:
break;
}
}
return str;
}
/**
* @brief set the SSL context read buffer length
*/
void SSL_CTX_set_default_read_buffer_len(SSL_CTX *ctx, size_t len)
{
SSL_ASSERT3(ctx);
ctx->read_buffer_len = len;
}
/**
* @brief set the SSL read buffer length
*/
void SSL_set_default_read_buffer_len(SSL *ssl, size_t len)
{
SSL_ASSERT3(ssl);
SSL_ASSERT3(len);
SSL_METHOD_CALL(set_bufflen, ssl, len);
}
/**
* @brief set the SSL information callback function
*/
void SSL_set_info_callback(SSL *ssl, void (*cb) (const SSL *ssl, int type, int val))
{
SSL_ASSERT3(ssl);
ssl->info_callback = cb;
}
/**
* @brief add SSL context reference count by '1'
*/
int SSL_CTX_up_ref(SSL_CTX *ctx)
{
SSL_ASSERT1(ctx);
/**
* no support multi-thread SSL here
*/
ctx->references++;
return 1;
}
/**
* @brief set the SSL security level
*/
void SSL_set_security_level(SSL *ssl, int level)
{
SSL_ASSERT3(ssl);
ssl->cert->sec_level = level;
}
/**
* @brief get the SSL security level
*/
int SSL_get_security_level(const SSL *ssl)
{
SSL_ASSERT1(ssl);
return ssl->cert->sec_level;
}
/**
* @brief get the SSL verifying mode of the SSL context
*/
int SSL_CTX_get_verify_mode(const SSL_CTX *ctx)
{
SSL_ASSERT1(ctx);
return ctx->verify_mode;
}
/**
* @brief set the session timeout time
*/
long SSL_CTX_set_timeout(SSL_CTX *ctx, long t)
{
long l;
SSL_ASSERT1(ctx);
l = ctx->session_timeout;
ctx->session_timeout = t;
return l;
}
/**
* @brief get the session timeout time
*/
long SSL_CTX_get_timeout(const SSL_CTX *ctx)
{
SSL_ASSERT1(ctx);
return ctx->session_timeout;
}
/**
* @brief set the SSL if we can read as many as data
*/
void SSL_set_read_ahead(SSL *ssl, int yes)
{
SSL_ASSERT3(ssl);
ssl->rlayer.read_ahead = yes;
}
/**
* @brief set the SSL context if we can read as many as data
*/
void SSL_CTX_set_read_ahead(SSL_CTX *ctx, int yes)
{
SSL_ASSERT3(ctx);
ctx->read_ahead = yes;
}
/**
* @brief get the SSL ahead signal if we can read as many as data
*/
int SSL_get_read_ahead(const SSL *ssl)
{
SSL_ASSERT1(ssl);
return ssl->rlayer.read_ahead;
}
/**
* @brief get the SSL context ahead signal if we can read as many as data
*/
long SSL_CTX_get_read_ahead(SSL_CTX *ctx)
{
SSL_ASSERT1(ctx);
return ctx->read_ahead;
}
/**
* @brief check if the SSL context can read as many as data
*/
long SSL_CTX_get_default_read_ahead(SSL_CTX *ctx)
{
SSL_ASSERT1(ctx);
return ctx->read_ahead;
}
/**
* @brief set SSL session time
*/
long SSL_set_time(SSL *ssl, long t)
{
SSL_ASSERT1(ssl);
ssl->session->time = t;
return t;
}
/**
* @brief set SSL session timeout time
*/
long SSL_set_timeout(SSL *ssl, long t)
{
SSL_ASSERT1(ssl);
ssl->session->timeout = t;
return t;
}
/**
* @brief get the verifying result of the SSL certification
*/
long SSL_get_verify_result(const SSL *ssl)
{
SSL_ASSERT1(ssl);
return SSL_METHOD_CALL(get_verify_result, ssl);
}
/**
* @brief get the SSL verifying depth of the SSL context
*/
int SSL_CTX_get_verify_depth(const SSL_CTX *ctx)
{
SSL_ASSERT1(ctx);
return ctx->param.depth;
}
/**
* @brief set the SSL verify depth of the SSL context
*/
void SSL_CTX_set_verify_depth(SSL_CTX *ctx, int depth)
{
SSL_ASSERT3(ctx);
ctx->param.depth = depth;
}
/**
* @brief get the SSL verifying depth of the SSL
*/
int SSL_get_verify_depth(const SSL *ssl)
{
SSL_ASSERT1(ssl);
return ssl->param.depth;
}
/**
* @brief set the SSL verify depth of the SSL
*/
void SSL_set_verify_depth(SSL *ssl, int depth)
{
SSL_ASSERT3(ssl);
ssl->param.depth = depth;
}
/**
* @brief set the SSL context verifying of the SSL context
*/
void SSL_CTX_set_verify(SSL_CTX *ctx, int mode, int (*verify_callback)(int, X509_STORE_CTX *))
{
SSL_ASSERT3(ctx);
ctx->verify_mode = mode;
ctx->default_verify_callback = verify_callback;
}
/**
* @brief set the SSL verifying of the SSL context
*/
void SSL_set_verify(SSL *ssl, int mode, int (*verify_callback)(int, X509_STORE_CTX *))
{
SSL_ASSERT3(ssl);
ssl->verify_mode = mode;
ssl->verify_callback = verify_callback;
}
/**
* @brief set the ALPN protocols in the preferred order. SSL APIs require the
* protocols in a <length><value><length2><value2> format. mbedtls doesn't need
* that though. We sanitize that here itself. So convert from:
* "\x02h2\x06spdy/1" to { {"h2"}, {"spdy/1}, {NULL}}
*/
int SSL_CTX_set_alpn_protos(SSL_CTX *ctx, const unsigned char *protos, unsigned protos_len)
{
ctx->ssl_alpn.alpn_string = ssl_mem_zalloc(protos_len + 1);
if (! ctx->ssl_alpn.alpn_string) {
return 1;
}
ctx->ssl_alpn.alpn_status = ALPN_ENABLE;
memcpy(ctx->ssl_alpn.alpn_string, protos, protos_len);
char *ptr = ctx->ssl_alpn.alpn_string;
int i;
/* Only running to 1 less than the actual size */
for (i = 0; i < ALPN_LIST_MAX - 1; i++) {
char len = *ptr;
*ptr = '\0'; // Overwrite the length to act as previous element's string terminator
ptr++;
protos_len--;
ctx->ssl_alpn.alpn_list[i] = ptr;
ptr += len;
protos_len -= len;
if (! protos_len) {
i++;
break;
}
}
ctx->ssl_alpn.alpn_list[i] = NULL;
return 0;
}