kris
/
boringssl
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
4232 Commits
12 Branches
38 MiB
 
 
 
 
 
 
Tree: 429e85b516
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '429e85b516'
${ noResults }
boringssl/ssl/s3_both.c

824 lines
27 KiB
Raw Blame History 

  1. /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)

  2.  * All rights reserved.

  3.  *

  4.  * This package is an SSL implementation written

  5.  * by Eric Young (eay@cryptsoft.com).

  6.  * The implementation was written so as to conform with Netscapes SSL.

  7.  *

  8.  * This library is free for commercial and non-commercial use as long as

  9.  * the following conditions are aheared to.  The following conditions

  10.  * apply to all code found in this distribution, be it the RC4, RSA,

  11.  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation

  12.  * included with this distribution is covered by the same copyright terms

  13.  * except that the holder is Tim Hudson (tjh@cryptsoft.com).

  14.  *

  15.  * Copyright remains Eric Young's, and as such any Copyright notices in

  16.  * the code are not to be removed.

  17.  * If this package is used in a product, Eric Young should be given attribution

  18.  * as the author of the parts of the library used.

  19.  * This can be in the form of a textual message at program startup or

  20.  * in documentation (online or textual) provided with the package.

  21.  *

  22.  * Redistribution and use in source and binary forms, with or without

  23.  * modification, are permitted provided that the following conditions

  24.  * are met:

  25.  * 1. Redistributions of source code must retain the copyright

  26.  *    notice, this list of conditions and the following disclaimer.

  27.  * 2. Redistributions in binary form must reproduce the above copyright

  28.  *    notice, this list of conditions and the following disclaimer in the

  29.  *    documentation and/or other materials provided with the distribution.

  30.  * 3. All advertising materials mentioning features or use of this software

  31.  *    must display the following acknowledgement:

  32.  *    "This product includes cryptographic software written by

  33.  *     Eric Young (eay@cryptsoft.com)"

  34.  *    The word 'cryptographic' can be left out if the rouines from the library

  35.  *    being used are not cryptographic related :-).

  36.  * 4. If you include any Windows specific code (or a derivative thereof) from

  37.  *    the apps directory (application code) you must include an acknowledgement:

  38.  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"

  39.  *

  40.  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND

  41.  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

  42.  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE

  43.  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE

  44.  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL

  45.  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS

  46.  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

  47.  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT

  48.  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY

  49.  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF

  50.  * SUCH DAMAGE.

  51.  *

  52.  * The licence and distribution terms for any publically available version or

  53.  * derivative of this code cannot be changed.  i.e. this code cannot simply be

  54.  * copied and put under another distribution licence

  55.  * [including the GNU Public Licence.]

  56.  */

  57. /* ====================================================================

  58.  * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.

  59.  *

  60.  * Redistribution and use in source and binary forms, with or without

  61.  * modification, are permitted provided that the following conditions

  62.  * are met:

  63.  *

  64.  * 1. Redistributions of source code must retain the above copyright

  65.  *    notice, this list of conditions and the following disclaimer.

  66.  *

  67.  * 2. Redistributions in binary form must reproduce the above copyright

  68.  *    notice, this list of conditions and the following disclaimer in

  69.  *    the documentation and/or other materials provided with the

  70.  *    distribution.

  71.  *

  72.  * 3. All advertising materials mentioning features or use of this

  73.  *    software must display the following acknowledgment:

  74.  *    "This product includes software developed by the OpenSSL Project

  75.  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"

  76.  *

  77.  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to

  78.  *    endorse or promote products derived from this software without

  79.  *    prior written permission. For written permission, please contact

  80.  *    openssl-core@openssl.org.

  81.  *

  82.  * 5. Products derived from this software may not be called "OpenSSL"

  83.  *    nor may "OpenSSL" appear in their names without prior written

  84.  *    permission of the OpenSSL Project.

  85.  *

  86.  * 6. Redistributions of any form whatsoever must retain the following

  87.  *    acknowledgment:

  88.  *    "This product includes software developed by the OpenSSL Project

  89.  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"

  90.  *

  91.  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY

  92.  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

  93.  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR

  94.  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR

  95.  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,

  96.  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT

  97.  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;

  98.  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

  99.  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,

  100.  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)

  101.  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED

  102.  * OF THE POSSIBILITY OF SUCH DAMAGE.

  103.  * ====================================================================

  104.  *

  105.  * This product includes cryptographic software written by Eric Young

  106.  * (eay@cryptsoft.com).  This product includes software written by Tim

  107.  * Hudson (tjh@cryptsoft.com). */

  108. /* ====================================================================

  109.  * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.

  110.  * ECC cipher suite support in OpenSSL originally developed by

  111.  * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project. */

  112. 

  113. #include <openssl/ssl.h>

  114. 

  115. #include <assert.h>

  116. #include <limits.h>

  117. #include <string.h>

  118. 

  119. #include <openssl/buf.h>

  120. #include <openssl/bytestring.h>

  121. #include <openssl/err.h>

  122. #include <openssl/evp.h>

  123. #include <openssl/mem.h>

  124. #include <openssl/md5.h>

  125. #include <openssl/nid.h>

  126. #include <openssl/rand.h>

  127. #include <openssl/sha.h>

  128. 

  129. #include "../crypto/internal.h"

  130. #include "internal.h"

  131. 

  132. 

  133. SSL_HANDSHAKE *ssl_handshake_new(SSL *ssl) {

  134.   SSL_HANDSHAKE *hs = OPENSSL_malloc(sizeof(SSL_HANDSHAKE));

  135.   if (hs == NULL) {

  136.     OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);

  137.     return NULL;

  138.   }

  139.   OPENSSL_memset(hs, 0, sizeof(SSL_HANDSHAKE));

  140.   hs->ssl = ssl;

  141.   hs->wait = ssl_hs_ok;

  142.   hs->state = SSL_ST_INIT;

  143.   if (!SSL_TRANSCRIPT_init(&hs->transcript)) {

  144.     ssl_handshake_free(hs);

  145.     return NULL;

  146.   }

  147.   return hs;

  148. }

  149. 

  150. void ssl_handshake_free(SSL_HANDSHAKE *hs) {

  151.   if (hs == NULL) {

  152.     return;

  153.   }

  154. 

  155.   OPENSSL_cleanse(hs->secret, sizeof(hs->secret));

  156.   OPENSSL_cleanse(hs->early_traffic_secret, sizeof(hs->early_traffic_secret));

  157.   OPENSSL_cleanse(hs->client_handshake_secret,

  158.                   sizeof(hs->client_handshake_secret));

  159.   OPENSSL_cleanse(hs->server_handshake_secret,

  160.                   sizeof(hs->server_handshake_secret));

  161.   OPENSSL_cleanse(hs->client_traffic_secret_0,

  162.                   sizeof(hs->client_traffic_secret_0));

  163.   OPENSSL_cleanse(hs->server_traffic_secret_0,

  164.                   sizeof(hs->server_traffic_secret_0));

  165.   SSL_ECDH_CTX_cleanup(&hs->ecdh_ctx);

  166.   SSL_TRANSCRIPT_cleanup(&hs->transcript);

  167.   OPENSSL_free(hs->cookie);

  168.   OPENSSL_free(hs->key_share_bytes);

  169.   OPENSSL_free(hs->ecdh_public_key);

  170.   SSL_SESSION_free(hs->new_session);

  171.   OPENSSL_free(hs->peer_sigalgs);

  172.   OPENSSL_free(hs->peer_supported_group_list);

  173.   OPENSSL_free(hs->peer_key);

  174.   OPENSSL_free(hs->server_params);

  175.   OPENSSL_free(hs->peer_psk_identity_hint);

  176.   sk_CRYPTO_BUFFER_pop_free(hs->ca_names, CRYPTO_BUFFER_free);

  177.   hs->ssl->ctx->x509_method->hs_flush_cached_ca_names(hs);

  178.   OPENSSL_free(hs->certificate_types);

  179. 

  180.   if (hs->key_block != NULL) {

  181.     OPENSSL_cleanse(hs->key_block, hs->key_block_len);

  182.     OPENSSL_free(hs->key_block);

  183.   }

  184. 

  185.   OPENSSL_free(hs->hostname);

  186.   EVP_PKEY_free(hs->peer_pubkey);

  187.   EVP_PKEY_free(hs->local_pubkey);

  188.   OPENSSL_free(hs);

  189. }

  190. 

  191. int ssl_check_message_type(SSL *ssl, int type) {

  192.   if (ssl->s3->tmp.message_type != type) {

  193.     ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);

  194.     OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_MESSAGE);

  195.     ERR_add_error_dataf("got type %d, wanted type %d",

  196.                         ssl->s3->tmp.message_type, type);

  197.     return 0;

  198.   }

  199. 

  200.   return 1;

  201. }

  202. 

  203. static int add_record_to_flight(SSL *ssl, uint8_t type, const uint8_t *in,

  204.                                 size_t in_len) {

  205.   /* We'll never add a flight while in the process of writing it out. */

  206.   assert(ssl->s3->pending_flight_offset == 0);

  207. 

  208.   if (ssl->s3->pending_flight == NULL) {

  209.     ssl->s3->pending_flight = BUF_MEM_new();

  210.     if (ssl->s3->pending_flight == NULL) {

  211.       return 0;

  212.     }

  213.   }

  214. 

  215.   size_t max_out = in_len + SSL_max_seal_overhead(ssl);

  216.   size_t new_cap = ssl->s3->pending_flight->length + max_out;

  217.   if (max_out < in_len || new_cap < max_out) {

  218.     OPENSSL_PUT_ERROR(SSL, ERR_R_OVERFLOW);

  219.     return 0;

  220.   }

  221. 

  222.   size_t len;

  223.   if (!BUF_MEM_reserve(ssl->s3->pending_flight, new_cap) ||

  224.       !tls_seal_record(ssl, (uint8_t *)ssl->s3->pending_flight->data +

  225.                                 ssl->s3->pending_flight->length,

  226.                        &len, max_out, type, in, in_len)) {

  227.     return 0;

  228.   }

  229. 

  230.   ssl->s3->pending_flight->length += len;

  231.   return 1;

  232. }

  233. 

  234. int ssl3_init_message(SSL *ssl, CBB *cbb, CBB *body, uint8_t type) {

  235.   /* Pick a modest size hint to save most of the |realloc| calls. */

  236.   if (!CBB_init(cbb, 64) ||

  237.       !CBB_add_u8(cbb, type) ||

  238.       !CBB_add_u24_length_prefixed(cbb, body)) {

  239.     OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);

  240.     CBB_cleanup(cbb);

  241.     return 0;

  242.   }

  243. 

  244.   return 1;

  245. }

  246. 

  247. int ssl3_finish_message(SSL *ssl, CBB *cbb, uint8_t **out_msg,

  248.                         size_t *out_len) {

  249.   if (!CBB_finish(cbb, out_msg, out_len)) {

  250.     OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);

  251.     return 0;

  252.   }

  253. 

  254.   return 1;

  255. }

  256. 

  257. int ssl3_add_message(SSL *ssl, uint8_t *msg, size_t len) {

  258.   /* Add the message to the current flight, splitting into several records if

  259.    * needed. */

  260.   int ret = 0;

  261.   size_t added = 0;

  262.   do {

  263.     size_t todo = len - added;

  264.     if (todo > ssl->max_send_fragment) {

  265.       todo = ssl->max_send_fragment;

  266.     }

  267. 

  268.     if (!add_record_to_flight(ssl, SSL3_RT_HANDSHAKE, msg + added, todo)) {

  269.       goto err;

  270.     }

  271.     added += todo;

  272.   } while (added < len);

  273. 

  274.   ssl_do_msg_callback(ssl, 1 /* write */, SSL3_RT_HANDSHAKE, msg, len);

  275.   /* TODO(svaldez): Move this up a layer to fix abstraction for SSL_TRANSCRIPT

  276.    * on hs. */

  277.   if (ssl->s3->hs != NULL &&

  278.       !SSL_TRANSCRIPT_update(&ssl->s3->hs->transcript, msg, len)) {

  279.     goto err;

  280.   }

  281.   ret = 1;

  282. 

  283. err:

  284.   OPENSSL_free(msg);

  285.   return ret;

  286. }

  287. 

  288. int ssl3_add_change_cipher_spec(SSL *ssl) {

  289.   static const uint8_t kChangeCipherSpec[1] = {SSL3_MT_CCS};

  290. 

  291.   if (!add_record_to_flight(ssl, SSL3_RT_CHANGE_CIPHER_SPEC, kChangeCipherSpec,

  292.                             sizeof(kChangeCipherSpec))) {

  293.     return 0;

  294.   }

  295. 

  296.   ssl_do_msg_callback(ssl, 1 /* write */, SSL3_RT_CHANGE_CIPHER_SPEC,

  297.                       kChangeCipherSpec, sizeof(kChangeCipherSpec));

  298.   return 1;

  299. }

  300. 

  301. int ssl3_add_alert(SSL *ssl, uint8_t level, uint8_t desc) {

  302.   uint8_t alert[2] = {level, desc};

  303.   if (!add_record_to_flight(ssl, SSL3_RT_ALERT, alert, sizeof(alert))) {

  304.     return 0;

  305.   }

  306. 

  307.   ssl_do_msg_callback(ssl, 1 /* write */, SSL3_RT_ALERT, alert, sizeof(alert));

  308.   ssl_do_info_callback(ssl, SSL_CB_WRITE_ALERT, ((int)level << 8) | desc);

  309.   return 1;

  310. }

  311. 

  312. int ssl_add_message_cbb(SSL *ssl, CBB *cbb) {

  313.   uint8_t *msg;

  314.   size_t len;

  315.   if (!ssl->method->finish_message(ssl, cbb, &msg, &len) ||

  316.       !ssl->method->add_message(ssl, msg, len)) {

  317.     return 0;

  318.   }

  319. 

  320.   return 1;

  321. }

  322. 

  323. int ssl3_flush_flight(SSL *ssl) {

  324.   if (ssl->s3->pending_flight == NULL) {

  325.     return 1;

  326.   }

  327. 

  328.   if (ssl->s3->pending_flight->length > 0xffffffff ||

  329.       ssl->s3->pending_flight->length > INT_MAX) {

  330.     OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);

  331.     return -1;

  332.   }

  333. 

  334.   /* The handshake flight buffer is mutually exclusive with application data.

  335.    *

  336.    * TODO(davidben): This will not be true when closure alerts use this. */

  337.   if (ssl_write_buffer_is_pending(ssl)) {

  338.     OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);

  339.     return -1;

  340.   }

  341. 

  342.   /* Write the pending flight. */

  343.   while (ssl->s3->pending_flight_offset < ssl->s3->pending_flight->length) {

  344.     int ret = BIO_write(

  345.         ssl->wbio,

  346.         ssl->s3->pending_flight->data + ssl->s3->pending_flight_offset,

  347.         ssl->s3->pending_flight->length - ssl->s3->pending_flight_offset);

  348.     if (ret <= 0) {

  349.       ssl->rwstate = SSL_WRITING;

  350.       return ret;

  351.     }

  352. 

  353.     ssl->s3->pending_flight_offset += ret;

  354.   }

  355. 

  356.   if (BIO_flush(ssl->wbio) <= 0) {

  357.     ssl->rwstate = SSL_WRITING;

  358.     return -1;

  359.   }

  360. 

  361.   BUF_MEM_free(ssl->s3->pending_flight);

  362.   ssl->s3->pending_flight = NULL;

  363.   ssl->s3->pending_flight_offset = 0;

  364.   return 1;

  365. }

  366. 

  367. int ssl3_send_finished(SSL_HANDSHAKE *hs) {

  368.   SSL *const ssl = hs->ssl;

  369.   const SSL_SESSION *session = SSL_get_session(ssl);

  370. 

  371.   uint8_t finished[EVP_MAX_MD_SIZE];

  372.   size_t finished_len;

  373.   if (!SSL_TRANSCRIPT_finish_mac(&hs->transcript, finished, &finished_len,

  374.                                  session, ssl->server,

  375.                                  ssl3_protocol_version(ssl))) {

  376.     return 0;

  377.   }

  378. 

  379.   /* Log the master secret, if logging is enabled. */

  380.   if (!ssl_log_secret(ssl, "CLIENT_RANDOM",

  381.                       session->master_key,

  382.                       session->master_key_length)) {

  383.     return 0;

  384.   }

  385. 

  386.   /* Copy the Finished so we can use it for renegotiation checks. */

  387.   if (ssl->version != SSL3_VERSION) {

  388.     if (finished_len > sizeof(ssl->s3->previous_client_finished) ||

  389.         finished_len > sizeof(ssl->s3->previous_server_finished)) {

  390.       OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);

  391.       return -1;

  392.     }

  393. 

  394.     if (ssl->server) {

  395.       OPENSSL_memcpy(ssl->s3->previous_server_finished, finished, finished_len);

  396.       ssl->s3->previous_server_finished_len = finished_len;

  397.     } else {

  398.       OPENSSL_memcpy(ssl->s3->previous_client_finished, finished, finished_len);

  399.       ssl->s3->previous_client_finished_len = finished_len;

  400.     }

  401.   }

  402. 

  403.   CBB cbb, body;

  404.   if (!ssl->method->init_message(ssl, &cbb, &body, SSL3_MT_FINISHED) ||

  405.       !CBB_add_bytes(&body, finished, finished_len) ||

  406.       !ssl_add_message_cbb(ssl, &cbb)) {

  407.     OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);

  408.     CBB_cleanup(&cbb);

  409.     return -1;

  410.   }

  411. 

  412.   return 1;

  413. }

  414. 

  415. int ssl3_get_finished(SSL_HANDSHAKE *hs) {

  416.   SSL *const ssl = hs->ssl;

  417.   int ret = ssl->method->ssl_get_message(ssl);

  418.   if (ret <= 0) {

  419.     return ret;

  420.   }

  421. 

  422.   if (!ssl_check_message_type(ssl, SSL3_MT_FINISHED)) {

  423.     return -1;

  424.   }

  425. 

  426.   /* Snapshot the finished hash before incorporating the new message. */

  427.   uint8_t finished[EVP_MAX_MD_SIZE];

  428.   size_t finished_len;

  429.   if (!SSL_TRANSCRIPT_finish_mac(&hs->transcript, finished, &finished_len,

  430.                                  SSL_get_session(ssl), !ssl->server,

  431.                                  ssl3_protocol_version(ssl)) ||

  432.       !ssl_hash_current_message(hs)) {

  433.     return -1;

  434.   }

  435. 

  436.   int finished_ok = ssl->init_num == finished_len &&

  437.                     CRYPTO_memcmp(ssl->init_msg, finished, finished_len) == 0;

  438. #if defined(BORINGSSL_UNSAFE_FUZZER_MODE)

  439.   finished_ok = 1;

  440. #endif

  441.   if (!finished_ok) {

  442.     ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECRYPT_ERROR);

  443.     OPENSSL_PUT_ERROR(SSL, SSL_R_DIGEST_CHECK_FAILED);

  444.     return -1;

  445.   }

  446. 

  447.   /* Copy the Finished so we can use it for renegotiation checks. */

  448.   if (ssl->version != SSL3_VERSION) {

  449.     if (finished_len > sizeof(ssl->s3->previous_client_finished) ||

  450.         finished_len > sizeof(ssl->s3->previous_server_finished)) {

  451.       OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);

  452.       return -1;

  453.     }

  454. 

  455.     if (ssl->server) {

  456.       OPENSSL_memcpy(ssl->s3->previous_client_finished, finished, finished_len);

  457.       ssl->s3->previous_client_finished_len = finished_len;

  458.     } else {

  459.       OPENSSL_memcpy(ssl->s3->previous_server_finished, finished, finished_len);

  460.       ssl->s3->previous_server_finished_len = finished_len;

  461.     }

  462.   }

  463. 

  464.   return 1;

  465. }

  466. 

  467. int ssl3_output_cert_chain(SSL *ssl) {

  468.   CBB cbb, body;

  469.   if (!ssl->method->init_message(ssl, &cbb, &body, SSL3_MT_CERTIFICATE) ||

  470.       !ssl_add_cert_chain(ssl, &body) ||

  471.       !ssl_add_message_cbb(ssl, &cbb)) {

  472.     OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);

  473.     CBB_cleanup(&cbb);

  474.     return 0;

  475.   }

  476. 

  477.   return 1;

  478. }

  479. 

  480. size_t ssl_max_handshake_message_len(const SSL *ssl) {

  481.   /* kMaxMessageLen is the default maximum message size for handshakes which do

  482.    * not accept peer certificate chains. */

  483.   static const size_t kMaxMessageLen = 16384;

  484. 

  485.   if (SSL_in_init(ssl)) {

  486.     if ((!ssl->server || (ssl->verify_mode & SSL_VERIFY_PEER)) &&

  487.         kMaxMessageLen < ssl->max_cert_list) {

  488.       return ssl->max_cert_list;

  489.     }

  490.     return kMaxMessageLen;

  491.   }

  492. 

  493.   if (ssl3_protocol_version(ssl) < TLS1_3_VERSION) {

  494.     /* In TLS 1.2 and below, the largest acceptable post-handshake message is

  495.      * a HelloRequest. */

  496.     return 0;

  497.   }

  498. 

  499.   if (ssl->server) {

  500.     /* The largest acceptable post-handshake message for a server is a

  501.      * KeyUpdate. We will never initiate post-handshake auth. */

  502.     return 1;

  503.   }

  504. 

  505.   /* Clients must accept NewSessionTicket and CertificateRequest, so allow the

  506.    * default size. */

  507.   return kMaxMessageLen;

  508. }

  509. 

  510. static int extend_handshake_buffer(SSL *ssl, size_t length) {

  511.   if (!BUF_MEM_reserve(ssl->init_buf, length)) {

  512.     return -1;

  513.   }

  514.   while (ssl->init_buf->length < length) {

  515.     int ret = ssl3_read_handshake_bytes(

  516.         ssl, (uint8_t *)ssl->init_buf->data + ssl->init_buf->length,

  517.         length - ssl->init_buf->length);

  518.     if (ret <= 0) {

  519.       return ret;

  520.     }

  521.     ssl->init_buf->length += (size_t)ret;

  522.   }

  523.   return 1;

  524. }

  525. 

  526. static int read_v2_client_hello(SSL *ssl) {

  527.   /* Read the first 5 bytes, the size of the TLS record header. This is

  528.    * sufficient to detect a V2ClientHello and ensures that we never read beyond

  529.    * the first record. */

  530.   int ret = ssl_read_buffer_extend_to(ssl, SSL3_RT_HEADER_LENGTH);

  531.   if (ret <= 0) {

  532.     return ret;

  533.   }

  534.   const uint8_t *p = ssl_read_buffer(ssl);

  535. 

  536.   /* Some dedicated error codes for protocol mixups should the application wish

  537.    * to interpret them differently. (These do not overlap with ClientHello or

  538.    * V2ClientHello.) */

  539.   if (strncmp("GET ", (const char *)p, 4) == 0 ||

  540.       strncmp("POST ", (const char *)p, 5) == 0 ||

  541.       strncmp("HEAD ", (const char *)p, 5) == 0 ||

  542.       strncmp("PUT ", (const char *)p, 4) == 0) {

  543.     OPENSSL_PUT_ERROR(SSL, SSL_R_HTTP_REQUEST);

  544.     return -1;

  545.   }

  546.   if (strncmp("CONNE", (const char *)p, 5) == 0) {

  547.     OPENSSL_PUT_ERROR(SSL, SSL_R_HTTPS_PROXY_REQUEST);

  548.     return -1;

  549.   }

  550. 

  551.   if ((p[0] & 0x80) == 0 || p[2] != SSL2_MT_CLIENT_HELLO ||

  552.       p[3] != SSL3_VERSION_MAJOR) {

  553.     /* Not a V2ClientHello. */

  554.     return 1;

  555.   }

  556. 

  557.   /* Determine the length of the V2ClientHello. */

  558.   size_t msg_length = ((p[0] & 0x7f) << 8) | p[1];

  559.   if (msg_length > (1024 * 4)) {

  560.     OPENSSL_PUT_ERROR(SSL, SSL_R_RECORD_TOO_LARGE);

  561.     return -1;

  562.   }

  563.   if (msg_length < SSL3_RT_HEADER_LENGTH - 2) {

  564.     /* Reject lengths that are too short early. We have already read

  565.      * |SSL3_RT_HEADER_LENGTH| bytes, so we should not attempt to process an

  566.      * (invalid) V2ClientHello which would be shorter than that. */

  567.     OPENSSL_PUT_ERROR(SSL, SSL_R_RECORD_LENGTH_MISMATCH);

  568.     return -1;

  569.   }

  570. 

  571.   /* Read the remainder of the V2ClientHello. */

  572.   ret = ssl_read_buffer_extend_to(ssl, 2 + msg_length);

  573.   if (ret <= 0) {

  574.     return ret;

  575.   }

  576. 

  577.   CBS v2_client_hello;

  578.   CBS_init(&v2_client_hello, ssl_read_buffer(ssl) + 2, msg_length);

  579. 

  580.   /* The V2ClientHello without the length is incorporated into the handshake

  581.    * hash. This is only ever called at the start of the handshake, so hs is

  582.    * guaranteed to be non-NULL. */

  583.   if (!SSL_TRANSCRIPT_update(&ssl->s3->hs->transcript,

  584.                              CBS_data(&v2_client_hello),

  585.                              CBS_len(&v2_client_hello))) {

  586.     return -1;

  587.   }

  588. 

  589.   ssl_do_msg_callback(ssl, 0 /* read */, 0 /* V2ClientHello */,

  590.                       CBS_data(&v2_client_hello), CBS_len(&v2_client_hello));

  591. 

  592.   uint8_t msg_type;

  593.   uint16_t version, cipher_spec_length, session_id_length, challenge_length;

  594.   CBS cipher_specs, session_id, challenge;

  595.   if (!CBS_get_u8(&v2_client_hello, &msg_type) ||

  596.       !CBS_get_u16(&v2_client_hello, &version) ||

  597.       !CBS_get_u16(&v2_client_hello, &cipher_spec_length) ||

  598.       !CBS_get_u16(&v2_client_hello, &session_id_length) ||

  599.       !CBS_get_u16(&v2_client_hello, &challenge_length) ||

  600.       !CBS_get_bytes(&v2_client_hello, &cipher_specs, cipher_spec_length) ||

  601.       !CBS_get_bytes(&v2_client_hello, &session_id, session_id_length) ||

  602.       !CBS_get_bytes(&v2_client_hello, &challenge, challenge_length) ||

  603.       CBS_len(&v2_client_hello) != 0) {

  604.     OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);

  605.     return -1;

  606.   }

  607. 

  608.   /* msg_type has already been checked. */

  609.   assert(msg_type == SSL2_MT_CLIENT_HELLO);

  610. 

  611.   /* The client_random is the V2ClientHello challenge. Truncate or

  612.    * left-pad with zeros as needed. */

  613.   size_t rand_len = CBS_len(&challenge);

  614.   if (rand_len > SSL3_RANDOM_SIZE) {

  615.     rand_len = SSL3_RANDOM_SIZE;

  616.   }

  617.   uint8_t random[SSL3_RANDOM_SIZE];

  618.   OPENSSL_memset(random, 0, SSL3_RANDOM_SIZE);

  619.   OPENSSL_memcpy(random + (SSL3_RANDOM_SIZE - rand_len), CBS_data(&challenge),

  620.                  rand_len);

  621. 

  622.   /* Write out an equivalent SSLv3 ClientHello. */

  623.   size_t max_v3_client_hello = SSL3_HM_HEADER_LENGTH + 2 /* version */ +

  624.                                SSL3_RANDOM_SIZE + 1 /* session ID length */ +

  625.                                2 /* cipher list length */ +

  626.                                CBS_len(&cipher_specs) / 3 * 2 +

  627.                                1 /* compression length */ + 1 /* compression */;

  628.   CBB client_hello, hello_body, cipher_suites;

  629.   CBB_zero(&client_hello);

  630.   if (!BUF_MEM_reserve(ssl->init_buf, max_v3_client_hello) ||

  631.       !CBB_init_fixed(&client_hello, (uint8_t *)ssl->init_buf->data,

  632.                       ssl->init_buf->max) ||

  633.       !CBB_add_u8(&client_hello, SSL3_MT_CLIENT_HELLO) ||

  634.       !CBB_add_u24_length_prefixed(&client_hello, &hello_body) ||

  635.       !CBB_add_u16(&hello_body, version) ||

  636.       !CBB_add_bytes(&hello_body, random, SSL3_RANDOM_SIZE) ||

  637.       /* No session id. */

  638.       !CBB_add_u8(&hello_body, 0) ||

  639.       !CBB_add_u16_length_prefixed(&hello_body, &cipher_suites)) {

  640.     CBB_cleanup(&client_hello);

  641.     OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);

  642.     return -1;

  643.   }

  644. 

  645.   /* Copy the cipher suites. */

  646.   while (CBS_len(&cipher_specs) > 0) {

  647.     uint32_t cipher_spec;

  648.     if (!CBS_get_u24(&cipher_specs, &cipher_spec)) {

  649.       CBB_cleanup(&client_hello);

  650.       OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);

  651.       return -1;

  652.     }

  653. 

  654.     /* Skip SSLv2 ciphers. */

  655.     if ((cipher_spec & 0xff0000) != 0) {

  656.       continue;

  657.     }

  658.     if (!CBB_add_u16(&cipher_suites, cipher_spec)) {

  659.       CBB_cleanup(&client_hello);

  660.       OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);

  661.       return -1;

  662.     }

  663.   }

  664. 

  665.   /* Add the null compression scheme and finish. */

  666.   if (!CBB_add_u8(&hello_body, 1) || !CBB_add_u8(&hello_body, 0) ||

  667.       !CBB_finish(&client_hello, NULL, &ssl->init_buf->length)) {

  668.     CBB_cleanup(&client_hello);

  669.     OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);

  670.     return -1;

  671.   }

  672. 

  673.   /* Consume and discard the V2ClientHello. */

  674.   ssl_read_buffer_consume(ssl, 2 + msg_length);

  675.   ssl_read_buffer_discard(ssl);

  676. 

  677.   ssl->s3->is_v2_hello = 1;

  678.   /* This is the first message, so hs must be non-NULL. */

  679.   ssl->s3->hs->v2_clienthello = 1;

  680.   return 1;

  681. }

  682. 

  683. int ssl3_get_message(SSL *ssl) {

  684.   /* Re-create the handshake buffer if needed. */

  685.   if (ssl->init_buf == NULL) {

  686.     ssl->init_buf = BUF_MEM_new();

  687.     if (ssl->init_buf == NULL) {

  688.       return -1;

  689.     }

  690.   }

  691. 

  692.   if (ssl->server && !ssl->s3->v2_hello_done) {

  693.     /* Bypass the record layer for the first message to handle V2ClientHello. */

  694.     int ret = read_v2_client_hello(ssl);

  695.     if (ret <= 0) {

  696.       return ret;

  697.     }

  698.     ssl->s3->v2_hello_done = 1;

  699.   }

  700. 

  701.   if (ssl->s3->tmp.reuse_message) {

  702.     /* There must be a current message. */

  703.     assert(ssl->init_msg != NULL);

  704.     ssl->s3->tmp.reuse_message = 0;

  705.   } else {

  706.     ssl3_release_current_message(ssl, 0 /* don't free buffer */);

  707.   }

  708. 

  709.   /* Read the message header, if we haven't yet. */

  710.   int ret = extend_handshake_buffer(ssl, SSL3_HM_HEADER_LENGTH);

  711.   if (ret <= 0) {

  712.     return ret;

  713.   }

  714. 

  715.   /* Parse out the length. Cap it so the peer cannot force us to buffer up to

  716.    * 2^24 bytes. */

  717.   const uint8_t *p = (uint8_t *)ssl->init_buf->data;

  718.   size_t msg_len = (((uint32_t)p[1]) << 16) | (((uint32_t)p[2]) << 8) | p[3];

  719.   if (msg_len > ssl_max_handshake_message_len(ssl)) {

  720.     ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);

  721.     OPENSSL_PUT_ERROR(SSL, SSL_R_EXCESSIVE_MESSAGE_SIZE);

  722.     return -1;

  723.   }

  724. 

  725.   /* Read the message body, if we haven't yet. */

  726.   ret = extend_handshake_buffer(ssl, SSL3_HM_HEADER_LENGTH + msg_len);

  727.   if (ret <= 0) {

  728.     return ret;

  729.   }

  730. 

  731.   /* We have now received a complete message. */

  732.   ssl_do_msg_callback(ssl, 0 /* read */, SSL3_RT_HANDSHAKE, ssl->init_buf->data,

  733.                       ssl->init_buf->length);

  734. 

  735.   ssl->s3->tmp.message_type = ((const uint8_t *)ssl->init_buf->data)[0];

  736.   ssl->init_msg = (uint8_t*)ssl->init_buf->data + SSL3_HM_HEADER_LENGTH;

  737.   ssl->init_num = ssl->init_buf->length - SSL3_HM_HEADER_LENGTH;

  738.   return 1;

  739. }

  740. 

  741. void ssl3_get_current_message(const SSL *ssl, CBS *out) {

  742.   CBS_init(out, (uint8_t *)ssl->init_buf->data, ssl->init_buf->length);

  743. }

  744. 

  745. int ssl_hash_current_message(SSL_HANDSHAKE *hs) {

  746.   /* V2ClientHellos are hashed implicitly. */

  747.   if (hs->ssl->s3->is_v2_hello) {

  748.     return 1;

  749.   }

  750. 

  751.   CBS cbs;

  752.   hs->ssl->method->get_current_message(hs->ssl, &cbs);

  753.   return SSL_TRANSCRIPT_update(&hs->transcript, CBS_data(&cbs), CBS_len(&cbs));

  754. }

  755. 

  756. void ssl3_release_current_message(SSL *ssl, int free_buffer) {

  757.   if (ssl->init_msg != NULL) {

  758.     /* |init_buf| never contains data beyond the current message. */

  759.     assert(SSL3_HM_HEADER_LENGTH + ssl->init_num == ssl->init_buf->length);

  760. 

  761.     /* Clear the current message. */

  762.     ssl->init_msg = NULL;

  763.     ssl->init_num = 0;

  764.     ssl->init_buf->length = 0;

  765.     ssl->s3->is_v2_hello = 0;

  766.   }

  767. 

  768.   if (free_buffer) {

  769.     BUF_MEM_free(ssl->init_buf);

  770.     ssl->init_buf = NULL;

  771.   }

  772. }

  773. 

  774. int ssl_parse_extensions(const CBS *cbs, uint8_t *out_alert,

  775.                          const SSL_EXTENSION_TYPE *ext_types,

  776.                          size_t num_ext_types, int ignore_unknown) {

  777.   /* Reset everything. */

  778.   for (size_t i = 0; i < num_ext_types; i++) {

  779.     *ext_types[i].out_present = 0;

  780.     CBS_init(ext_types[i].out_data, NULL, 0);

  781.   }

  782. 

  783.   CBS copy = *cbs;

  784.   while (CBS_len(&copy) != 0) {

  785.     uint16_t type;

  786.     CBS data;

  787.     if (!CBS_get_u16(&copy, &type) ||

  788.         !CBS_get_u16_length_prefixed(&copy, &data)) {

  789.       OPENSSL_PUT_ERROR(SSL, SSL_R_PARSE_TLSEXT);

  790.       *out_alert = SSL_AD_DECODE_ERROR;

  791.       return 0;

  792.     }

  793. 

  794.     const SSL_EXTENSION_TYPE *ext_type = NULL;

  795.     for (size_t i = 0; i < num_ext_types; i++) {

  796.       if (type == ext_types[i].type) {

  797.         ext_type = &ext_types[i];

  798.         break;

  799.       }

  800.     }

  801. 

  802.     if (ext_type == NULL) {

  803.       if (ignore_unknown) {

  804.         continue;

  805.       }

  806.       OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION);

  807.       *out_alert = SSL_AD_UNSUPPORTED_EXTENSION;

  808.       return 0;

  809.     }

  810. 

  811.     /* Duplicate ext_types are forbidden. */

  812.     if (*ext_type->out_present) {

  813.       OPENSSL_PUT_ERROR(SSL, SSL_R_DUPLICATE_EXTENSION);

  814.       *out_alert = SSL_AD_ILLEGAL_PARAMETER;

  815.       return 0;

  816.     }

  817. 

  818.     *ext_type->out_present = 1;

  819.     *ext_type->out_data = data;

  820.   }

  821. 

  822.   return 1;

  823. }