// Copyright 2015-2016 Espressif Systems (Shanghai) PTE LTD // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. // You may obtain a copy of the License at // http://www.apache.org/licenses/LICENSE-2.0 // // Unless required by applicable law or agreed to in writing, software // distributed under the License is distributed on an "AS IS" BASIS, // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. // See the License for the specific language governing permissions and // limitations under the License. #include "ssl_lib.h" #include "ssl_pkey.h" #include "ssl_x509.h" #include "ssl_cert.h" #include "ssl_dbg.h" #include "ssl_port.h" #define SSL_SEND_DATA_MAX_LENGTH 1460 /** * @brief create a new SSL session object */ static SSL_SESSION* SSL_SESSION_new(void) { SSL_SESSION *session; session = ssl_mem_zalloc(sizeof(SSL_SESSION)); if (!session) { SSL_DEBUG(SSL_LIB_ERROR_LEVEL, "no enough memory > (session)"); goto failed1; } session->peer = X509_new(); if (!session->peer) { SSL_DEBUG(SSL_LIB_ERROR_LEVEL, "X509_new() return NULL"); goto failed2; } return session; failed2: ssl_mem_free(session); failed1: return NULL; } /** * @brief free a new SSL session object */ static void SSL_SESSION_free(SSL_SESSION *session) { X509_free(session->peer); ssl_mem_free(session); } /** * @brief Discover whether the current connection is in the error state */ int ossl_statem_in_error(const SSL *ssl) { SSL_ASSERT1(ssl); if (ssl->statem.state == MSG_FLOW_ERROR) return 1; return 0; } /** * @brief get the SSL specifical statement */ int SSL_want(const SSL *ssl) { SSL_ASSERT1(ssl); return ssl->rwstate; } /** * @brief check if SSL want nothing */ int SSL_want_nothing(const SSL *ssl) { SSL_ASSERT1(ssl); return (SSL_want(ssl) == SSL_NOTHING); } /** * @brief check if SSL want to read */ int SSL_want_read(const SSL *ssl) { SSL_ASSERT1(ssl); return (SSL_want(ssl) == SSL_READING); } /** * @brief check if SSL want to write */ int SSL_want_write(const SSL *ssl) { SSL_ASSERT1(ssl); return (SSL_want(ssl) == SSL_WRITING); } /** * @brief check if SSL want to lookup X509 certification */ int SSL_want_x509_lookup(const SSL *ssl) { SSL_ASSERT1(ssl); return (SSL_want(ssl) == SSL_WRITING); } /** * @brief get SSL error code */ int SSL_get_error(const SSL *ssl, int ret_code) { int ret = SSL_ERROR_SYSCALL; SSL_ASSERT1(ssl); if (ret_code > 0) ret = SSL_ERROR_NONE; else if (ret_code < 0) { if (SSL_want_read(ssl)) ret = SSL_ERROR_WANT_READ; else if (SSL_want_write(ssl)) ret = SSL_ERROR_WANT_WRITE; else ret = SSL_ERROR_SYSCALL; //unknown } else // ret_code == 0 { if (ssl->shutdown & SSL_RECEIVED_SHUTDOWN) ret = SSL_ERROR_ZERO_RETURN; else ret = SSL_ERROR_SYSCALL; } return ret; } /** * @brief get the SSL state */ OSSL_HANDSHAKE_STATE SSL_get_state(const SSL *ssl) { OSSL_HANDSHAKE_STATE state; SSL_ASSERT1(ssl); state = SSL_METHOD_CALL(get_state, ssl); return state; } /** * @brief create a SSL context */ SSL_CTX* SSL_CTX_new(const SSL_METHOD *method) { SSL_CTX *ctx; CERT *cert; X509 *client_ca; if (!method) { SSL_DEBUG(SSL_LIB_ERROR_LEVEL, "no no_method"); return NULL; } client_ca = X509_new(); if (!client_ca) { SSL_DEBUG(SSL_LIB_ERROR_LEVEL, "X509_new() return NULL"); goto failed1; } cert = ssl_cert_new(); if (!cert) { SSL_DEBUG(SSL_LIB_ERROR_LEVEL, "ssl_cert_new() return NULL"); goto failed2; } ctx = (SSL_CTX *)ssl_mem_zalloc(sizeof(SSL_CTX)); if (!ctx) { SSL_DEBUG(SSL_LIB_ERROR_LEVEL, "no enough memory > (ctx)"); goto failed3; } ctx->method = method; ctx->client_CA = client_ca; ctx->cert = cert; ctx->version = method->version; return ctx; failed3: ssl_cert_free(cert); failed2: X509_free(client_ca); failed1: return NULL; } /** * @brief free a SSL context */ void SSL_CTX_free(SSL_CTX* ctx) { SSL_ASSERT3(ctx); ssl_cert_free(ctx->cert); X509_free(ctx->client_CA); if (ctx->ssl_alpn.alpn_string) { ssl_mem_free((void *)ctx->ssl_alpn.alpn_string); } ssl_mem_free(ctx); } /** * @brief set the SSL context version */ int SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *meth) { SSL_ASSERT1(ctx); SSL_ASSERT1(meth); ctx->method = meth; ctx->version = meth->version; return 1; } /** * @brief get the SSL context current method */ const SSL_METHOD *SSL_CTX_get_ssl_method(SSL_CTX *ctx) { SSL_ASSERT2(ctx); return ctx->method; } /** * @brief create a SSL */ SSL *SSL_new(SSL_CTX *ctx) { int ret = 0; SSL *ssl; if (!ctx) { SSL_DEBUG(SSL_LIB_ERROR_LEVEL, "no ctx"); return NULL; } ssl = (SSL *)ssl_mem_zalloc(sizeof(SSL)); if (!ssl) { SSL_DEBUG(SSL_LIB_ERROR_LEVEL, "no enough memory > (ssl)"); goto failed1; } ssl->session = SSL_SESSION_new(); if (!ssl->session) { SSL_DEBUG(SSL_LIB_ERROR_LEVEL, "SSL_SESSION_new() return NULL"); goto failed2; } ssl->cert = __ssl_cert_new(ctx->cert); if (!ssl->cert) { SSL_DEBUG(SSL_LIB_ERROR_LEVEL, "__ssl_cert_new() return NULL"); goto failed3; } ssl->client_CA = __X509_new(ctx->client_CA); if (!ssl->client_CA) { SSL_DEBUG(SSL_LIB_ERROR_LEVEL, "__X509_new() return NULL"); goto failed4; } ssl->ctx = ctx; ssl->method = ctx->method; ssl->version = ctx->version; ssl->options = ctx->options; ssl->verify_mode = ctx->verify_mode; ret = SSL_METHOD_CALL(new, ssl); if (ret) { SSL_DEBUG(SSL_LIB_ERROR_LEVEL, "SSL_METHOD_CALL(new) return %d", ret); goto failed5; } ssl->rwstate = SSL_NOTHING; return ssl; failed5: X509_free(ssl->client_CA); failed4: ssl_cert_free(ssl->cert); failed3: SSL_SESSION_free(ssl->session); failed2: ssl_mem_free(ssl); failed1: return NULL; } /** * @brief free the SSL */ void SSL_free(SSL *ssl) { SSL_ASSERT3(ssl); SSL_METHOD_CALL(free, ssl); X509_free(ssl->client_CA); ssl_cert_free(ssl->cert); SSL_SESSION_free(ssl->session); ssl_mem_free(ssl); } /** * @brief perform the SSL handshake */ int SSL_do_handshake(SSL *ssl) { int ret; SSL_ASSERT1(ssl); ret = SSL_METHOD_CALL(handshake, ssl); return ret; } /** * @brief connect to the remote SSL server */ int SSL_connect(SSL *ssl) { SSL_ASSERT1(ssl); return SSL_do_handshake(ssl); } /** * @brief accept the remote connection */ int SSL_accept(SSL *ssl) { SSL_ASSERT1(ssl); return SSL_do_handshake(ssl); } /** * @brief shutdown the connection */ int SSL_shutdown(SSL *ssl) { int ret; SSL_ASSERT1(ssl); if (SSL_get_state(ssl) != TLS_ST_OK) return 1; ret = SSL_METHOD_CALL(shutdown, ssl); return ret; } /** * @brief reset the SSL */ int SSL_clear(SSL *ssl) { int ret; SSL_ASSERT1(ssl); ret = SSL_shutdown(ssl); if (1 != ret) { SSL_DEBUG(SSL_LIB_ERROR_LEVEL, "SSL_shutdown return %d", ret); goto failed1; } SSL_METHOD_CALL(free, ssl); ret = SSL_METHOD_CALL(new, ssl); if (!ret) { SSL_DEBUG(SSL_LIB_ERROR_LEVEL, "SSL_METHOD_CALL(new) return %d", ret); goto failed1; } return 1; failed1: return ret; } /** * @brief read data from to remote */ int SSL_read(SSL *ssl, void *buffer, int len) { int ret; SSL_ASSERT1(ssl); SSL_ASSERT1(buffer); SSL_ASSERT1(len); ssl->rwstate = SSL_READING; ret = SSL_METHOD_CALL(read, ssl, buffer, len); if (ret == len) ssl->rwstate = SSL_NOTHING; return ret; } /** * @brief send the data to remote */ int SSL_write(SSL *ssl, const void *buffer, int len) { int ret; int send_bytes; const unsigned char *pbuf; SSL_ASSERT1(ssl); SSL_ASSERT1(buffer); SSL_ASSERT1(len); ssl->rwstate = SSL_WRITING; send_bytes = len; pbuf = (const unsigned char *)buffer; do { int bytes; if (send_bytes > SSL_SEND_DATA_MAX_LENGTH) bytes = SSL_SEND_DATA_MAX_LENGTH; else bytes = send_bytes; ret = SSL_METHOD_CALL(send, ssl, pbuf, bytes); if (ret > 0) { pbuf += ret; send_bytes -= ret; } } while (ret > 0 && send_bytes); if (ret >= 0) { ret = len - send_bytes; ssl->rwstate = SSL_NOTHING; } else ret = -1; return ret; } /** * @brief get SSL context of the SSL */ SSL_CTX *SSL_get_SSL_CTX(const SSL *ssl) { SSL_ASSERT2(ssl); return ssl->ctx; } /** * @brief get the SSL current method */ const SSL_METHOD *SSL_get_ssl_method(SSL *ssl) { SSL_ASSERT2(ssl); return ssl->method; } /** * @brief set the SSL method */ int SSL_set_ssl_method(SSL *ssl, const SSL_METHOD *method) { int ret; SSL_ASSERT1(ssl); SSL_ASSERT1(method); if (ssl->version != method->version) { ret = SSL_shutdown(ssl); if (1 != ret) { SSL_DEBUG(SSL_LIB_ERROR_LEVEL, "SSL_shutdown return %d", ret); goto failed1; } SSL_METHOD_CALL(free, ssl); ssl->method = method; ret = SSL_METHOD_CALL(new, ssl); if (!ret) { SSL_DEBUG(SSL_LIB_ERROR_LEVEL, "SSL_METHOD_CALL(new) return %d", ret); goto failed1; } } else { ssl->method = method; } return 1; failed1: return ret; } /** * @brief get SSL shutdown mode */ int SSL_get_shutdown(const SSL *ssl) { SSL_ASSERT1(ssl); return ssl->shutdown; } /** * @brief set SSL shutdown mode */ void SSL_set_shutdown(SSL *ssl, int mode) { SSL_ASSERT3(ssl); ssl->shutdown = mode; } /** * @brief get the number of the bytes to be read */ int SSL_pending(const SSL *ssl) { int ret; SSL_ASSERT1(ssl); ret = SSL_METHOD_CALL(pending, ssl); return ret; } /** * @brief check if some data can be read */ int SSL_has_pending(const SSL *ssl) { int ret; SSL_ASSERT1(ssl); if (SSL_pending(ssl)) ret = 1; else ret = 0; return ret; } /** * @brief clear the SSL context option bit of "op" */ unsigned long SSL_CTX_clear_options(SSL_CTX *ctx, unsigned long op) { SSL_ASSERT1(ctx); return ctx->options &= ~op; } /** * @brief get the SSL context option */ unsigned long SSL_CTX_get_options(SSL_CTX *ctx) { SSL_ASSERT1(ctx); return ctx->options; } /** * @brief set the option of the SSL context */ unsigned long SSL_CTX_set_options(SSL_CTX *ctx, unsigned long opt) { SSL_ASSERT1(ctx); return ctx->options |= opt; } /** * @brief clear SSL option */ unsigned long SSL_clear_options(SSL *ssl, unsigned long op) { SSL_ASSERT1(ssl); return ssl->options & ~op; } /** * @brief get SSL option */ unsigned long SSL_get_options(SSL *ssl) { SSL_ASSERT1(ssl); return ssl->options; } /** * @brief clear SSL option */ unsigned long SSL_set_options(SSL *ssl, unsigned long op) { SSL_ASSERT1(ssl); return ssl->options |= op; } /** * @brief get the socket handle of the SSL */ int SSL_get_fd(const SSL *ssl) { int ret; SSL_ASSERT1(ssl); ret = SSL_METHOD_CALL(get_fd, ssl, 0); return ret; } /** * @brief get the read only socket handle of the SSL */ int SSL_get_rfd(const SSL *ssl) { int ret; SSL_ASSERT1(ssl); ret = SSL_METHOD_CALL(get_fd, ssl, 0); return ret; } /** * @brief get the write only socket handle of the SSL */ int SSL_get_wfd(const SSL *ssl) { int ret; SSL_ASSERT1(ssl); ret = SSL_METHOD_CALL(get_fd, ssl, 0); return ret; } /** * @brief bind the socket file description into the SSL */ int SSL_set_fd(SSL *ssl, int fd) { SSL_ASSERT1(ssl); SSL_ASSERT1(fd >= 0); SSL_METHOD_CALL(set_fd, ssl, fd, 0); return 1; } /** * @brief bind the read only socket file description into the SSL */ int SSL_set_rfd(SSL *ssl, int fd) { SSL_ASSERT1(ssl); SSL_ASSERT1(fd >= 0); SSL_METHOD_CALL(set_fd, ssl, fd, 0); return 1; } /** * @brief bind the write only socket file description into the SSL */ int SSL_set_wfd(SSL *ssl, int fd) { SSL_ASSERT1(ssl); SSL_ASSERT1(fd >= 0); SSL_METHOD_CALL(set_fd, ssl, fd, 0); return 1; } /** * @brief SET TLS Hostname */ int SSL_set_tlsext_host_name(SSL* ssl, const char *hostname) { SSL_ASSERT1(ssl); SSL_ASSERT1(hostname); SSL_METHOD_CALL(set_hostname, ssl, hostname); return 1; } /** * @brief get SSL version */ int SSL_version(const SSL *ssl) { SSL_ASSERT1(ssl); return ssl->version; } /** * @brief get the SSL version string */ static const char* ssl_protocol_to_string(int version) { const char *str; if (version == TLS1_2_VERSION) str = "TLSv1.2"; else if (version == TLS1_1_VERSION) str = "TLSv1.1"; else if (version == TLS1_VERSION) str = "TLSv1"; else if (version == SSL3_VERSION) str = "SSLv3"; else str = "unknown"; return str; } /** * @brief get the SSL current version */ const char *SSL_get_version(const SSL *ssl) { SSL_ASSERT2(ssl); return ssl_protocol_to_string(SSL_version(ssl)); } /** * @brief get alert description string */ const char* SSL_alert_desc_string(int value) { const char *str; switch (value & 0xff) { case SSL3_AD_CLOSE_NOTIFY: str = "CN"; break; case SSL3_AD_UNEXPECTED_MESSAGE: str = "UM"; break; case SSL3_AD_BAD_RECORD_MAC: str = "BM"; break; case SSL3_AD_DECOMPRESSION_FAILURE: str = "DF"; break; case SSL3_AD_HANDSHAKE_FAILURE: str = "HF"; break; case SSL3_AD_NO_CERTIFICATE: str = "NC"; break; case SSL3_AD_BAD_CERTIFICATE: str = "BC"; break; case SSL3_AD_UNSUPPORTED_CERTIFICATE: str = "UC"; break; case SSL3_AD_CERTIFICATE_REVOKED: str = "CR"; break; case SSL3_AD_CERTIFICATE_EXPIRED: str = "CE"; break; case SSL3_AD_CERTIFICATE_UNKNOWN: str = "CU"; break; case SSL3_AD_ILLEGAL_PARAMETER: str = "IP"; break; case TLS1_AD_DECRYPTION_FAILED: str = "DC"; break; case TLS1_AD_RECORD_OVERFLOW: str = "RO"; break; case TLS1_AD_UNKNOWN_CA: str = "CA"; break; case TLS1_AD_ACCESS_DENIED: str = "AD"; break; case TLS1_AD_DECODE_ERROR: str = "DE"; break; case TLS1_AD_DECRYPT_ERROR: str = "CY"; break; case TLS1_AD_EXPORT_RESTRICTION: str = "ER"; break; case TLS1_AD_PROTOCOL_VERSION: str = "PV"; break; case TLS1_AD_INSUFFICIENT_SECURITY: str = "IS"; break; case TLS1_AD_INTERNAL_ERROR: str = "IE"; break; case TLS1_AD_USER_CANCELLED: str = "US"; break; case TLS1_AD_NO_RENEGOTIATION: str = "NR"; break; case TLS1_AD_UNSUPPORTED_EXTENSION: str = "UE"; break; case TLS1_AD_CERTIFICATE_UNOBTAINABLE: str = "CO"; break; case TLS1_AD_UNRECOGNIZED_NAME: str = "UN"; break; case TLS1_AD_BAD_CERTIFICATE_STATUS_RESPONSE: str = "BR"; break; case TLS1_AD_BAD_CERTIFICATE_HASH_VALUE: str = "BH"; break; case TLS1_AD_UNKNOWN_PSK_IDENTITY: str = "UP"; break; default: str = "UK"; break; } return str; } /** * @brief get alert description long string */ const char* SSL_alert_desc_string_long(int value) { const char *str; switch (value & 0xff) { case SSL3_AD_CLOSE_NOTIFY: str = "close notify"; break; case SSL3_AD_UNEXPECTED_MESSAGE: str = "unexpected_message"; break; case SSL3_AD_BAD_RECORD_MAC: str = "bad record mac"; break; case SSL3_AD_DECOMPRESSION_FAILURE: str = "decompression failure"; break; case SSL3_AD_HANDSHAKE_FAILURE: str = "handshake failure"; break; case SSL3_AD_NO_CERTIFICATE: str = "no certificate"; break; case SSL3_AD_BAD_CERTIFICATE: str = "bad certificate"; break; case SSL3_AD_UNSUPPORTED_CERTIFICATE: str = "unsupported certificate"; break; case SSL3_AD_CERTIFICATE_REVOKED: str = "certificate revoked"; break; case SSL3_AD_CERTIFICATE_EXPIRED: str = "certificate expired"; break; case SSL3_AD_CERTIFICATE_UNKNOWN: str = "certificate unknown"; break; case SSL3_AD_ILLEGAL_PARAMETER: str = "illegal parameter"; break; case TLS1_AD_DECRYPTION_FAILED: str = "decryption failed"; break; case TLS1_AD_RECORD_OVERFLOW: str = "record overflow"; break; case TLS1_AD_UNKNOWN_CA: str = "unknown CA"; break; case TLS1_AD_ACCESS_DENIED: str = "access denied"; break; case TLS1_AD_DECODE_ERROR: str = "decode error"; break; case TLS1_AD_DECRYPT_ERROR: str = "decrypt error"; break; case TLS1_AD_EXPORT_RESTRICTION: str = "export restriction"; break; case TLS1_AD_PROTOCOL_VERSION: str = "protocol version"; break; case TLS1_AD_INSUFFICIENT_SECURITY: str = "insufficient security"; break; case TLS1_AD_INTERNAL_ERROR: str = "internal error"; break; case TLS1_AD_USER_CANCELLED: str = "user canceled"; break; case TLS1_AD_NO_RENEGOTIATION: str = "no renegotiation"; break; case TLS1_AD_UNSUPPORTED_EXTENSION: str = "unsupported extension"; break; case TLS1_AD_CERTIFICATE_UNOBTAINABLE: str = "certificate unobtainable"; break; case TLS1_AD_UNRECOGNIZED_NAME: str = "unrecognized name"; break; case TLS1_AD_BAD_CERTIFICATE_STATUS_RESPONSE: str = "bad certificate status response"; break; case TLS1_AD_BAD_CERTIFICATE_HASH_VALUE: str = "bad certificate hash value"; break; case TLS1_AD_UNKNOWN_PSK_IDENTITY: str = "unknown PSK identity"; break; default: str = "unknown"; break; } return str; } /** * @brief get alert type string */ const char *SSL_alert_type_string(int value) { const char *str; switch (value >> 8) { case SSL3_AL_WARNING: str = "W"; break; case SSL3_AL_FATAL: str = "F"; break; default: str = "U"; break; } return str; } /** * @brief get alert type long string */ const char *SSL_alert_type_string_long(int value) { const char *str; switch (value >> 8) { case SSL3_AL_WARNING: str = "warning"; break; case SSL3_AL_FATAL: str = "fatal"; break; default: str = "unknown"; break; } return str; } /** * @brief get the state string where SSL is reading */ const char *SSL_rstate_string(SSL *ssl) { const char *str; SSL_ASSERT2(ssl); switch (ssl->rlayer.rstate) { case SSL_ST_READ_HEADER: str = "RH"; break; case SSL_ST_READ_BODY: str = "RB"; break; case SSL_ST_READ_DONE: str = "RD"; break; default: str = "unknown"; break; } return str; } /** * @brief get the statement long string where SSL is reading */ const char *SSL_rstate_string_long(SSL *ssl) { const char *str = "unknown"; SSL_ASSERT2(ssl); switch (ssl->rlayer.rstate) { case SSL_ST_READ_HEADER: str = "read header"; break; case SSL_ST_READ_BODY: str = "read body"; break; case SSL_ST_READ_DONE: str = "read done"; break; default: break; } return str; } /** * @brief get SSL statement string */ const char *SSL_state_string(const SSL *ssl) { const char *str = "UNKWN "; SSL_ASSERT2(ssl); if (ossl_statem_in_error(ssl)) str = "SSLERR"; else { switch (SSL_get_state(ssl)) { case TLS_ST_BEFORE: str = "PINIT "; break; case TLS_ST_OK: str = "SSLOK "; break; case TLS_ST_CW_CLNT_HELLO: str = "TWCH"; break; case TLS_ST_CR_SRVR_HELLO: str = "TRSH"; break; case TLS_ST_CR_CERT: str = "TRSC"; break; case TLS_ST_CR_KEY_EXCH: str = "TRSKE"; break; case TLS_ST_CR_CERT_REQ: str = "TRCR"; break; case TLS_ST_CR_SRVR_DONE: str = "TRSD"; break; case TLS_ST_CW_CERT: str = "TWCC"; break; case TLS_ST_CW_KEY_EXCH: str = "TWCKE"; break; case TLS_ST_CW_CERT_VRFY: str = "TWCV"; break; case TLS_ST_SW_CHANGE: case TLS_ST_CW_CHANGE: str = "TWCCS"; break; case TLS_ST_SW_FINISHED: case TLS_ST_CW_FINISHED: str = "TWFIN"; break; case TLS_ST_SR_CHANGE: case TLS_ST_CR_CHANGE: str = "TRCCS"; break; case TLS_ST_SR_FINISHED: case TLS_ST_CR_FINISHED: str = "TRFIN"; break; case TLS_ST_SW_HELLO_REQ: str = "TWHR"; break; case TLS_ST_SR_CLNT_HELLO: str = "TRCH"; break; case TLS_ST_SW_SRVR_HELLO: str = "TWSH"; break; case TLS_ST_SW_CERT: str = "TWSC"; break; case TLS_ST_SW_KEY_EXCH: str = "TWSKE"; break; case TLS_ST_SW_CERT_REQ: str = "TWCR"; break; case TLS_ST_SW_SRVR_DONE: str = "TWSD"; break; case TLS_ST_SR_CERT: str = "TRCC"; break; case TLS_ST_SR_KEY_EXCH: str = "TRCKE"; break; case TLS_ST_SR_CERT_VRFY: str = "TRCV"; break; case DTLS_ST_CR_HELLO_VERIFY_REQUEST: str = "DRCHV"; break; case DTLS_ST_SW_HELLO_VERIFY_REQUEST: str = "DWCHV"; break; default: break; } } return str; } /** * @brief get SSL statement long string */ const char *SSL_state_string_long(const SSL *ssl) { const char *str = "UNKWN "; SSL_ASSERT2(ssl); if (ossl_statem_in_error(ssl)) str = "SSLERR"; else { switch (SSL_get_state(ssl)) { case TLS_ST_BEFORE: str = "before SSL initialization"; break; case TLS_ST_OK: str = "SSL negotiation finished successfully"; break; case TLS_ST_CW_CLNT_HELLO: str = "SSLv3/TLS write client hello"; break; case TLS_ST_CR_SRVR_HELLO: str = "SSLv3/TLS read server hello"; break; case TLS_ST_CR_CERT: str = "SSLv3/TLS read server certificate"; break; case TLS_ST_CR_KEY_EXCH: str = "SSLv3/TLS read server key exchange"; break; case TLS_ST_CR_CERT_REQ: str = "SSLv3/TLS read server certificate request"; break; case TLS_ST_CR_SESSION_TICKET: str = "SSLv3/TLS read server session ticket"; break; case TLS_ST_CR_SRVR_DONE: str = "SSLv3/TLS read server done"; break; case TLS_ST_CW_CERT: str = "SSLv3/TLS write client certificate"; break; case TLS_ST_CW_KEY_EXCH: str = "SSLv3/TLS write client key exchange"; break; case TLS_ST_CW_CERT_VRFY: str = "SSLv3/TLS write certificate verify"; break; case TLS_ST_CW_CHANGE: case TLS_ST_SW_CHANGE: str = "SSLv3/TLS write change cipher spec"; break; case TLS_ST_CW_FINISHED: case TLS_ST_SW_FINISHED: str = "SSLv3/TLS write finished"; break; case TLS_ST_CR_CHANGE: case TLS_ST_SR_CHANGE: str = "SSLv3/TLS read change cipher spec"; break; case TLS_ST_CR_FINISHED: case TLS_ST_SR_FINISHED: str = "SSLv3/TLS read finished"; break; case TLS_ST_SR_CLNT_HELLO: str = "SSLv3/TLS read client hello"; break; case TLS_ST_SW_HELLO_REQ: str = "SSLv3/TLS write hello request"; break; case TLS_ST_SW_SRVR_HELLO: str = "SSLv3/TLS write server hello"; break; case TLS_ST_SW_CERT: str = "SSLv3/TLS write certificate"; break; case TLS_ST_SW_KEY_EXCH: str = "SSLv3/TLS write key exchange"; break; case TLS_ST_SW_CERT_REQ: str = "SSLv3/TLS write certificate request"; break; case TLS_ST_SW_SESSION_TICKET: str = "SSLv3/TLS write session ticket"; break; case TLS_ST_SW_SRVR_DONE: str = "SSLv3/TLS write server done"; break; case TLS_ST_SR_CERT: str = "SSLv3/TLS read client certificate"; break; case TLS_ST_SR_KEY_EXCH: str = "SSLv3/TLS read client key exchange"; break; case TLS_ST_SR_CERT_VRFY: str = "SSLv3/TLS read certificate verify"; break; case DTLS_ST_CR_HELLO_VERIFY_REQUEST: str = "DTLS1 read hello verify request"; break; case DTLS_ST_SW_HELLO_VERIFY_REQUEST: str = "DTLS1 write hello verify request"; break; default: break; } } return str; } /** * @brief set the SSL context read buffer length */ void SSL_CTX_set_default_read_buffer_len(SSL_CTX *ctx, size_t len) { SSL_ASSERT3(ctx); ctx->read_buffer_len = len; } /** * @brief set the SSL read buffer length */ void SSL_set_default_read_buffer_len(SSL *ssl, size_t len) { SSL_ASSERT3(ssl); SSL_ASSERT3(len); SSL_METHOD_CALL(set_bufflen, ssl, len); } /** * @brief set the SSL information callback function */ void SSL_set_info_callback(SSL *ssl, void (*cb) (const SSL *ssl, int type, int val)) { SSL_ASSERT3(ssl); ssl->info_callback = cb; } /** * @brief add SSL context reference count by '1' */ int SSL_CTX_up_ref(SSL_CTX *ctx) { SSL_ASSERT1(ctx); /** * no support multi-thread SSL here */ ctx->references++; return 1; } /** * @brief set the SSL security level */ void SSL_set_security_level(SSL *ssl, int level) { SSL_ASSERT3(ssl); ssl->cert->sec_level = level; } /** * @brief get the SSL security level */ int SSL_get_security_level(const SSL *ssl) { SSL_ASSERT1(ssl); return ssl->cert->sec_level; } /** * @brief get the SSL verifying mode of the SSL context */ int SSL_CTX_get_verify_mode(const SSL_CTX *ctx) { SSL_ASSERT1(ctx); return ctx->verify_mode; } /** * @brief set the session timeout time */ long SSL_CTX_set_timeout(SSL_CTX *ctx, long t) { long l; SSL_ASSERT1(ctx); l = ctx->session_timeout; ctx->session_timeout = t; return l; } /** * @brief get the session timeout time */ long SSL_CTX_get_timeout(const SSL_CTX *ctx) { SSL_ASSERT1(ctx); return ctx->session_timeout; } /** * @brief set the SSL if we can read as many as data */ void SSL_set_read_ahead(SSL *ssl, int yes) { SSL_ASSERT3(ssl); ssl->rlayer.read_ahead = yes; } /** * @brief set the SSL context if we can read as many as data */ void SSL_CTX_set_read_ahead(SSL_CTX *ctx, int yes) { SSL_ASSERT3(ctx); ctx->read_ahead = yes; } /** * @brief get the SSL ahead signal if we can read as many as data */ int SSL_get_read_ahead(const SSL *ssl) { SSL_ASSERT1(ssl); return ssl->rlayer.read_ahead; } /** * @brief get the SSL context ahead signal if we can read as many as data */ long SSL_CTX_get_read_ahead(SSL_CTX *ctx) { SSL_ASSERT1(ctx); return ctx->read_ahead; } /** * @brief check if the SSL context can read as many as data */ long SSL_CTX_get_default_read_ahead(SSL_CTX *ctx) { SSL_ASSERT1(ctx); return ctx->read_ahead; } /** * @brief set SSL session time */ long SSL_set_time(SSL *ssl, long t) { SSL_ASSERT1(ssl); ssl->session->time = t; return t; } /** * @brief set SSL session timeout time */ long SSL_set_timeout(SSL *ssl, long t) { SSL_ASSERT1(ssl); ssl->session->timeout = t; return t; } /** * @brief get the verifying result of the SSL certification */ long SSL_get_verify_result(const SSL *ssl) { SSL_ASSERT1(ssl); return SSL_METHOD_CALL(get_verify_result, ssl); } /** * @brief get the SSL verifying depth of the SSL context */ int SSL_CTX_get_verify_depth(const SSL_CTX *ctx) { SSL_ASSERT1(ctx); return ctx->param.depth; } /** * @brief set the SSL verify depth of the SSL context */ void SSL_CTX_set_verify_depth(SSL_CTX *ctx, int depth) { SSL_ASSERT3(ctx); ctx->param.depth = depth; } /** * @brief get the SSL verifying depth of the SSL */ int SSL_get_verify_depth(const SSL *ssl) { SSL_ASSERT1(ssl); return ssl->param.depth; } /** * @brief set the SSL verify depth of the SSL */ void SSL_set_verify_depth(SSL *ssl, int depth) { SSL_ASSERT3(ssl); ssl->param.depth = depth; } /** * @brief set the SSL context verifying of the SSL context */ void SSL_CTX_set_verify(SSL_CTX *ctx, int mode, int (*verify_callback)(int, X509_STORE_CTX *)) { SSL_ASSERT3(ctx); ctx->verify_mode = mode; ctx->default_verify_callback = verify_callback; } /** * @brief set the SSL verifying of the SSL context */ void SSL_set_verify(SSL *ssl, int mode, int (*verify_callback)(int, X509_STORE_CTX *)) { SSL_ASSERT3(ssl); ssl->verify_mode = mode; ssl->verify_callback = verify_callback; } /** * @brief set the ALPN protocols in the preferred order. SSL APIs require the * protocols in a format. mbedtls doesn't need * that though. We sanitize that here itself. So convert from: * "\x02h2\x06spdy/1" to { {"h2"}, {"spdy/1}, {NULL}} */ int SSL_CTX_set_alpn_protos(SSL_CTX *ctx, const unsigned char *protos, unsigned protos_len) { ctx->ssl_alpn.alpn_string = ssl_mem_zalloc(protos_len + 1); if (! ctx->ssl_alpn.alpn_string) { return 1; } ctx->ssl_alpn.alpn_status = ALPN_ENABLE; memcpy(ctx->ssl_alpn.alpn_string, protos, protos_len); char *ptr = ctx->ssl_alpn.alpn_string; int i; /* Only running to 1 less than the actual size */ for (i = 0; i < ALPN_LIST_MAX - 1; i++) { char len = *ptr; *ptr = '\0'; // Overwrite the length to act as previous element's string terminator ptr++; protos_len--; ctx->ssl_alpn.alpn_list[i] = ptr; ptr += len; protos_len -= len; if (! protos_len) { i++; break; } } ctx->ssl_alpn.alpn_list[i] = NULL; return 0; }