kris
/
boringssl
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
5335 Commits
12 Branches
38 MiB
 
 
 
 
 
 
Tree: 5852cfccbc
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '5852cfccbc'
${ noResults }
boringssl/ssl/s3_both.cc

640 lines
23 KiB
Raw Blame History 

  1. /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)

  2.  * All rights reserved.

  3.  *

  4.  * This package is an SSL implementation written

  5.  * by Eric Young (eay@cryptsoft.com).

  6.  * The implementation was written so as to conform with Netscapes SSL.

  7.  *

  8.  * This library is free for commercial and non-commercial use as long as

  9.  * the following conditions are aheared to.  The following conditions

  10.  * apply to all code found in this distribution, be it the RC4, RSA,

  11.  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation

  12.  * included with this distribution is covered by the same copyright terms

  13.  * except that the holder is Tim Hudson (tjh@cryptsoft.com).

  14.  *

  15.  * Copyright remains Eric Young's, and as such any Copyright notices in

  16.  * the code are not to be removed.

  17.  * If this package is used in a product, Eric Young should be given attribution

  18.  * as the author of the parts of the library used.

  19.  * This can be in the form of a textual message at program startup or

  20.  * in documentation (online or textual) provided with the package.

  21.  *

  22.  * Redistribution and use in source and binary forms, with or without

  23.  * modification, are permitted provided that the following conditions

  24.  * are met:

  25.  * 1. Redistributions of source code must retain the copyright

  26.  *    notice, this list of conditions and the following disclaimer.

  27.  * 2. Redistributions in binary form must reproduce the above copyright

  28.  *    notice, this list of conditions and the following disclaimer in the

  29.  *    documentation and/or other materials provided with the distribution.

  30.  * 3. All advertising materials mentioning features or use of this software

  31.  *    must display the following acknowledgement:

  32.  *    "This product includes cryptographic software written by

  33.  *     Eric Young (eay@cryptsoft.com)"

  34.  *    The word 'cryptographic' can be left out if the rouines from the library

  35.  *    being used are not cryptographic related :-).

  36.  * 4. If you include any Windows specific code (or a derivative thereof) from

  37.  *    the apps directory (application code) you must include an acknowledgement:

  38.  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"

  39.  *

  40.  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND

  41.  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

  42.  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE

  43.  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE

  44.  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL

  45.  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS

  46.  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

  47.  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT

  48.  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY

  49.  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF

  50.  * SUCH DAMAGE.

  51.  *

  52.  * The licence and distribution terms for any publically available version or

  53.  * derivative of this code cannot be changed.  i.e. this code cannot simply be

  54.  * copied and put under another distribution licence

  55.  * [including the GNU Public Licence.]

  56.  */

  57. /* ====================================================================

  58.  * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.

  59.  *

  60.  * Redistribution and use in source and binary forms, with or without

  61.  * modification, are permitted provided that the following conditions

  62.  * are met:

  63.  *

  64.  * 1. Redistributions of source code must retain the above copyright

  65.  *    notice, this list of conditions and the following disclaimer.

  66.  *

  67.  * 2. Redistributions in binary form must reproduce the above copyright

  68.  *    notice, this list of conditions and the following disclaimer in

  69.  *    the documentation and/or other materials provided with the

  70.  *    distribution.

  71.  *

  72.  * 3. All advertising materials mentioning features or use of this

  73.  *    software must display the following acknowledgment:

  74.  *    "This product includes software developed by the OpenSSL Project

  75.  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"

  76.  *

  77.  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to

  78.  *    endorse or promote products derived from this software without

  79.  *    prior written permission. For written permission, please contact

  80.  *    openssl-core@openssl.org.

  81.  *

  82.  * 5. Products derived from this software may not be called "OpenSSL"

  83.  *    nor may "OpenSSL" appear in their names without prior written

  84.  *    permission of the OpenSSL Project.

  85.  *

  86.  * 6. Redistributions of any form whatsoever must retain the following

  87.  *    acknowledgment:

  88.  *    "This product includes software developed by the OpenSSL Project

  89.  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"

  90.  *

  91.  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY

  92.  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

  93.  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR

  94.  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR

  95.  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,

  96.  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT

  97.  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;

  98.  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

  99.  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,

  100.  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)

  101.  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED

  102.  * OF THE POSSIBILITY OF SUCH DAMAGE.

  103.  * ====================================================================

  104.  *

  105.  * This product includes cryptographic software written by Eric Young

  106.  * (eay@cryptsoft.com).  This product includes software written by Tim

  107.  * Hudson (tjh@cryptsoft.com). */

  108. /* ====================================================================

  109.  * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.

  110.  * ECC cipher suite support in OpenSSL originally developed by

  111.  * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project. */

  112. 

  113. #include <openssl/ssl.h>

  114. 

  115. #include <assert.h>

  116. #include <limits.h>

  117. #include <string.h>

  118. 

  119. #include <openssl/buf.h>

  120. #include <openssl/bytestring.h>

  121. #include <openssl/err.h>

  122. #include <openssl/evp.h>

  123. #include <openssl/mem.h>

  124. #include <openssl/md5.h>

  125. #include <openssl/nid.h>

  126. #include <openssl/rand.h>

  127. #include <openssl/sha.h>

  128. 

  129. #include "../crypto/internal.h"

  130. #include "internal.h"

  131. 

  132. 

  133. namespace bssl {

  134. 

  135. static bool add_record_to_flight(SSL *ssl, uint8_t type,

  136.                                  Span<const uint8_t> in) {

  137.   // The caller should have flushed |pending_hs_data| first.

  138.   assert(!ssl->s3->pending_hs_data);

  139.   // We'll never add a flight while in the process of writing it out.

  140.   assert(ssl->s3->pending_flight_offset == 0);

  141. 

  142.   if (ssl->s3->pending_flight == nullptr) {

  143.     ssl->s3->pending_flight.reset(BUF_MEM_new());

  144.     if (ssl->s3->pending_flight == nullptr) {

  145.       return false;

  146.     }

  147.   }

  148. 

  149.   size_t max_out = in.size() + SSL_max_seal_overhead(ssl);

  150.   size_t new_cap = ssl->s3->pending_flight->length + max_out;

  151.   if (max_out < in.size() || new_cap < max_out) {

  152.     OPENSSL_PUT_ERROR(SSL, ERR_R_OVERFLOW);

  153.     return false;

  154.   }

  155. 

  156.   size_t len;

  157.   if (!BUF_MEM_reserve(ssl->s3->pending_flight.get(), new_cap) ||

  158.       !tls_seal_record(ssl,

  159.                        (uint8_t *)ssl->s3->pending_flight->data +

  160.                            ssl->s3->pending_flight->length,

  161.                        &len, max_out, type, in.data(), in.size())) {

  162.     return false;

  163.   }

  164. 

  165.   ssl->s3->pending_flight->length += len;

  166.   return true;

  167. }

  168. 

  169. bool ssl3_init_message(SSL *ssl, CBB *cbb, CBB *body, uint8_t type) {

  170.   // Pick a modest size hint to save most of the |realloc| calls.

  171.   if (!CBB_init(cbb, 64) ||

  172.       !CBB_add_u8(cbb, type) ||

  173.       !CBB_add_u24_length_prefixed(cbb, body)) {

  174.     OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);

  175.     CBB_cleanup(cbb);

  176.     return false;

  177.   }

  178. 

  179.   return true;

  180. }

  181. 

  182. bool ssl3_finish_message(SSL *ssl, CBB *cbb, Array<uint8_t> *out_msg) {

  183.   return CBBFinishArray(cbb, out_msg);

  184. }

  185. 

  186. bool ssl3_add_message(SSL *ssl, Array<uint8_t> msg) {

  187.   // Pack handshake data into the minimal number of records. This avoids

  188.   // unnecessary encryption overhead, notably in TLS 1.3 where we send several

  189.   // encrypted messages in a row. For now, we do not do this for the null

  190.   // cipher. The benefit is smaller and there is a risk of breaking buggy

  191.   // implementations. Additionally, we tie this to draft-28 as a sanity check,

  192.   // on the off chance middleboxes have fixated on sizes.

  193.   //

  194.   // TODO(davidben): See if we can do this uniformly.

  195.   Span<const uint8_t> rest = msg;

  196.   if (ssl->s3->aead_write_ctx->is_null_cipher() ||

  197.       ssl->version == TLS1_3_DRAFT23_VERSION) {

  198.     while (!rest.empty()) {

  199.       Span<const uint8_t> chunk = rest.subspan(0, ssl->max_send_fragment);

  200.       rest = rest.subspan(chunk.size());

  201. 

  202.       if (!add_record_to_flight(ssl, SSL3_RT_HANDSHAKE, chunk)) {

  203.         return false;

  204.       }

  205.     }

  206.   } else {

  207.     while (!rest.empty()) {

  208.       // Flush if |pending_hs_data| is full.

  209.       if (ssl->s3->pending_hs_data &&

  210.           ssl->s3->pending_hs_data->length >= ssl->max_send_fragment &&

  211.           !tls_flush_pending_hs_data(ssl)) {

  212.         return false;

  213.       }

  214. 

  215.       size_t pending_len =

  216.           ssl->s3->pending_hs_data ? ssl->s3->pending_hs_data->length : 0;

  217.       Span<const uint8_t> chunk =

  218.           rest.subspan(0, ssl->max_send_fragment - pending_len);

  219.       assert(!chunk.empty());

  220.       rest = rest.subspan(chunk.size());

  221. 

  222.       if (!ssl->s3->pending_hs_data) {

  223.         ssl->s3->pending_hs_data.reset(BUF_MEM_new());

  224.       }

  225.       if (!ssl->s3->pending_hs_data ||

  226.           !BUF_MEM_append(ssl->s3->pending_hs_data.get(), chunk.data(),

  227.                           chunk.size())) {

  228.         return false;

  229.       }

  230.     }

  231.   }

  232. 

  233.   ssl_do_msg_callback(ssl, 1 /* write */, SSL3_RT_HANDSHAKE, msg);

  234.   // TODO(svaldez): Move this up a layer to fix abstraction for SSLTranscript on

  235.   // hs.

  236.   if (ssl->s3->hs != NULL &&

  237.       !ssl->s3->hs->transcript.Update(msg)) {

  238.     return false;

  239.   }

  240.   return true;

  241. }

  242. 

  243. bool tls_flush_pending_hs_data(SSL *ssl) {

  244.   if (!ssl->s3->pending_hs_data || ssl->s3->pending_hs_data->length == 0) {

  245.     return true;

  246.   }

  247. 

  248.   UniquePtr<BUF_MEM> pending_hs_data = std::move(ssl->s3->pending_hs_data);

  249.   return add_record_to_flight(

  250.       ssl, SSL3_RT_HANDSHAKE,

  251.       MakeConstSpan(reinterpret_cast<const uint8_t *>(pending_hs_data->data),

  252.                     pending_hs_data->length));

  253. }

  254. 

  255. bool ssl3_add_change_cipher_spec(SSL *ssl) {

  256.   static const uint8_t kChangeCipherSpec[1] = {SSL3_MT_CCS};

  257. 

  258.   if (!tls_flush_pending_hs_data(ssl) ||

  259.       !add_record_to_flight(ssl, SSL3_RT_CHANGE_CIPHER_SPEC,

  260.                             kChangeCipherSpec)) {

  261.     return false;

  262.   }

  263. 

  264.   ssl_do_msg_callback(ssl, 1 /* write */, SSL3_RT_CHANGE_CIPHER_SPEC,

  265.                       kChangeCipherSpec);

  266.   return true;

  267. }

  268. 

  269. bool ssl3_add_alert(SSL *ssl, uint8_t level, uint8_t desc) {

  270.   uint8_t alert[2] = {level, desc};

  271.   if (!tls_flush_pending_hs_data(ssl) ||

  272.       !add_record_to_flight(ssl, SSL3_RT_ALERT, alert)) {

  273.     return false;

  274.   }

  275. 

  276.   ssl_do_msg_callback(ssl, 1 /* write */, SSL3_RT_ALERT, alert);

  277.   ssl_do_info_callback(ssl, SSL_CB_WRITE_ALERT, ((int)level << 8) | desc);

  278.   return true;

  279. }

  280. 

  281. int ssl3_flush_flight(SSL *ssl) {

  282.   if (!tls_flush_pending_hs_data(ssl)) {

  283.     return -1;

  284.   }

  285. 

  286.   if (ssl->s3->pending_flight == nullptr) {

  287.     return 1;

  288.   }

  289. 

  290.   if (ssl->s3->write_shutdown != ssl_shutdown_none) {

  291.     OPENSSL_PUT_ERROR(SSL, SSL_R_PROTOCOL_IS_SHUTDOWN);

  292.     return -1;

  293.   }

  294. 

  295.   static_assert(INT_MAX <= 0xffffffff, "int is larger than 32 bits");

  296.   if (ssl->s3->pending_flight->length > INT_MAX) {

  297.     OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);

  298.     return -1;

  299.   }

  300. 

  301.   // If there is pending data in the write buffer, it must be flushed out before

  302.   // any new data in pending_flight.

  303.   if (!ssl->s3->write_buffer.empty()) {

  304.     int ret = ssl_write_buffer_flush(ssl);

  305.     if (ret <= 0) {

  306.       ssl->s3->rwstate = SSL_WRITING;

  307.       return ret;

  308.     }

  309.   }

  310. 

  311.   // Write the pending flight.

  312.   while (ssl->s3->pending_flight_offset < ssl->s3->pending_flight->length) {

  313.     int ret = BIO_write(

  314.         ssl->wbio.get(),

  315.         ssl->s3->pending_flight->data + ssl->s3->pending_flight_offset,

  316.         ssl->s3->pending_flight->length - ssl->s3->pending_flight_offset);

  317.     if (ret <= 0) {

  318.       ssl->s3->rwstate = SSL_WRITING;

  319.       return ret;

  320.     }

  321. 

  322.     ssl->s3->pending_flight_offset += ret;

  323.   }

  324. 

  325.   if (BIO_flush(ssl->wbio.get()) <= 0) {

  326.     ssl->s3->rwstate = SSL_WRITING;

  327.     return -1;

  328.   }

  329. 

  330.   ssl->s3->pending_flight.reset();

  331.   ssl->s3->pending_flight_offset = 0;

  332.   return 1;

  333. }

  334. 

  335. static ssl_open_record_t read_v2_client_hello(SSL *ssl, size_t *out_consumed,

  336.                                               Span<const uint8_t> in) {

  337.   *out_consumed = 0;

  338.   assert(in.size() >= SSL3_RT_HEADER_LENGTH);

  339.   // Determine the length of the V2ClientHello.

  340.   size_t msg_length = ((in[0] & 0x7f) << 8) | in[1];

  341.   if (msg_length > (1024 * 4)) {

  342.     OPENSSL_PUT_ERROR(SSL, SSL_R_RECORD_TOO_LARGE);

  343.     return ssl_open_record_error;

  344.   }

  345.   if (msg_length < SSL3_RT_HEADER_LENGTH - 2) {

  346.     // Reject lengths that are too short early. We have already read

  347.     // |SSL3_RT_HEADER_LENGTH| bytes, so we should not attempt to process an

  348.     // (invalid) V2ClientHello which would be shorter than that.

  349.     OPENSSL_PUT_ERROR(SSL, SSL_R_RECORD_LENGTH_MISMATCH);

  350.     return ssl_open_record_error;

  351.   }

  352. 

  353.   // Ask for the remainder of the V2ClientHello.

  354.   if (in.size() < 2 + msg_length) {

  355.     *out_consumed = 2 + msg_length;

  356.     return ssl_open_record_partial;

  357.   }

  358. 

  359.   CBS v2_client_hello = CBS(ssl->s3->read_buffer.span().subspan(2, msg_length));

  360.   // The V2ClientHello without the length is incorporated into the handshake

  361.   // hash. This is only ever called at the start of the handshake, so hs is

  362.   // guaranteed to be non-NULL.

  363.   if (!ssl->s3->hs->transcript.Update(v2_client_hello)) {

  364.     return ssl_open_record_error;

  365.   }

  366. 

  367.   ssl_do_msg_callback(ssl, 0 /* read */, 0 /* V2ClientHello */,

  368.                       v2_client_hello);

  369. 

  370.   uint8_t msg_type;

  371.   uint16_t version, cipher_spec_length, session_id_length, challenge_length;

  372.   CBS cipher_specs, session_id, challenge;

  373.   if (!CBS_get_u8(&v2_client_hello, &msg_type) ||

  374.       !CBS_get_u16(&v2_client_hello, &version) ||

  375.       !CBS_get_u16(&v2_client_hello, &cipher_spec_length) ||

  376.       !CBS_get_u16(&v2_client_hello, &session_id_length) ||

  377.       !CBS_get_u16(&v2_client_hello, &challenge_length) ||

  378.       !CBS_get_bytes(&v2_client_hello, &cipher_specs, cipher_spec_length) ||

  379.       !CBS_get_bytes(&v2_client_hello, &session_id, session_id_length) ||

  380.       !CBS_get_bytes(&v2_client_hello, &challenge, challenge_length) ||

  381.       CBS_len(&v2_client_hello) != 0) {

  382.     OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);

  383.     return ssl_open_record_error;

  384.   }

  385. 

  386.   // msg_type has already been checked.

  387.   assert(msg_type == SSL2_MT_CLIENT_HELLO);

  388. 

  389.   // The client_random is the V2ClientHello challenge. Truncate or left-pad with

  390.   // zeros as needed.

  391.   size_t rand_len = CBS_len(&challenge);

  392.   if (rand_len > SSL3_RANDOM_SIZE) {

  393.     rand_len = SSL3_RANDOM_SIZE;

  394.   }

  395.   uint8_t random[SSL3_RANDOM_SIZE];

  396.   OPENSSL_memset(random, 0, SSL3_RANDOM_SIZE);

  397.   OPENSSL_memcpy(random + (SSL3_RANDOM_SIZE - rand_len), CBS_data(&challenge),

  398.                  rand_len);

  399. 

  400.   // Write out an equivalent TLS ClientHello.

  401.   size_t max_v3_client_hello = SSL3_HM_HEADER_LENGTH + 2 /* version */ +

  402.                                SSL3_RANDOM_SIZE + 1 /* session ID length */ +

  403.                                2 /* cipher list length */ +

  404.                                CBS_len(&cipher_specs) / 3 * 2 +

  405.                                1 /* compression length */ + 1 /* compression */;

  406.   ScopedCBB client_hello;

  407.   CBB hello_body, cipher_suites;

  408.   if (!BUF_MEM_reserve(ssl->s3->hs_buf.get(), max_v3_client_hello) ||

  409.       !CBB_init_fixed(client_hello.get(), (uint8_t *)ssl->s3->hs_buf->data,

  410.                       ssl->s3->hs_buf->max) ||

  411.       !CBB_add_u8(client_hello.get(), SSL3_MT_CLIENT_HELLO) ||

  412.       !CBB_add_u24_length_prefixed(client_hello.get(), &hello_body) ||

  413.       !CBB_add_u16(&hello_body, version) ||

  414.       !CBB_add_bytes(&hello_body, random, SSL3_RANDOM_SIZE) ||

  415.       // No session id.

  416.       !CBB_add_u8(&hello_body, 0) ||

  417.       !CBB_add_u16_length_prefixed(&hello_body, &cipher_suites)) {

  418.     OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);

  419.     return ssl_open_record_error;

  420.   }

  421. 

  422.   // Copy the cipher suites.

  423.   while (CBS_len(&cipher_specs) > 0) {

  424.     uint32_t cipher_spec;

  425.     if (!CBS_get_u24(&cipher_specs, &cipher_spec)) {

  426.       OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);

  427.       return ssl_open_record_error;

  428.     }

  429. 

  430.     // Skip SSLv2 ciphers.

  431.     if ((cipher_spec & 0xff0000) != 0) {

  432.       continue;

  433.     }

  434.     if (!CBB_add_u16(&cipher_suites, cipher_spec)) {

  435.       OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);

  436.       return ssl_open_record_error;

  437.     }

  438.   }

  439. 

  440.   // Add the null compression scheme and finish.

  441.   if (!CBB_add_u8(&hello_body, 1) ||

  442.       !CBB_add_u8(&hello_body, 0) ||

  443.       !CBB_finish(client_hello.get(), NULL, &ssl->s3->hs_buf->length)) {

  444.     OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);

  445.     return ssl_open_record_error;

  446.   }

  447. 

  448.   *out_consumed = 2 + msg_length;

  449.   ssl->s3->is_v2_hello = true;

  450.   return ssl_open_record_success;

  451. }

  452. 

  453. static bool parse_message(const SSL *ssl, SSLMessage *out,

  454.                           size_t *out_bytes_needed) {

  455.   if (!ssl->s3->hs_buf) {

  456.     *out_bytes_needed = 4;

  457.     return false;

  458.   }

  459. 

  460.   CBS cbs;

  461.   uint32_t len;

  462.   CBS_init(&cbs, reinterpret_cast<const uint8_t *>(ssl->s3->hs_buf->data),

  463.            ssl->s3->hs_buf->length);

  464.   if (!CBS_get_u8(&cbs, &out->type) ||

  465.       !CBS_get_u24(&cbs, &len)) {

  466.     *out_bytes_needed = 4;

  467.     return false;

  468.   }

  469. 

  470.   if (!CBS_get_bytes(&cbs, &out->body, len)) {

  471.     *out_bytes_needed = 4 + len;

  472.     return false;

  473.   }

  474. 

  475.   CBS_init(&out->raw, reinterpret_cast<const uint8_t *>(ssl->s3->hs_buf->data),

  476.            4 + len);

  477.   out->is_v2_hello = ssl->s3->is_v2_hello;

  478.   return true;

  479. }

  480. 

  481. bool ssl3_get_message(SSL *ssl, SSLMessage *out) {

  482.   size_t unused;

  483.   if (!parse_message(ssl, out, &unused)) {

  484.     return false;

  485.   }

  486.   if (!ssl->s3->has_message) {

  487.     if (!out->is_v2_hello) {

  488.       ssl_do_msg_callback(ssl, 0 /* read */, SSL3_RT_HANDSHAKE, out->raw);

  489.     }

  490.     ssl->s3->has_message = true;

  491.   }

  492.   return true;

  493. }

  494. 

  495. bool tls_can_accept_handshake_data(const SSL *ssl, uint8_t *out_alert) {

  496.   // If there is a complete message, the caller must have consumed it first.

  497.   SSLMessage msg;

  498.   size_t bytes_needed;

  499.   if (parse_message(ssl, &msg, &bytes_needed)) {

  500.     OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);

  501.     *out_alert = SSL_AD_INTERNAL_ERROR;

  502.     return false;

  503.   }

  504. 

  505.   // Enforce the limit so the peer cannot force us to buffer 16MB.

  506.   if (bytes_needed > 4 + ssl_max_handshake_message_len(ssl)) {

  507.     OPENSSL_PUT_ERROR(SSL, SSL_R_EXCESSIVE_MESSAGE_SIZE);

  508.     *out_alert = SSL_AD_ILLEGAL_PARAMETER;

  509.     return false;

  510.   }

  511. 

  512.   return true;

  513. }

  514. 

  515. bool tls_has_unprocessed_handshake_data(const SSL *ssl) {

  516.   size_t msg_len = 0;

  517.   if (ssl->s3->has_message) {

  518.     SSLMessage msg;

  519.     size_t unused;

  520.     if (parse_message(ssl, &msg, &unused)) {

  521.       msg_len = CBS_len(&msg.raw);

  522.     }

  523.   }

  524. 

  525.   return ssl->s3->hs_buf && ssl->s3->hs_buf->length > msg_len;

  526. }

  527. 

  528. ssl_open_record_t ssl3_open_handshake(SSL *ssl, size_t *out_consumed,

  529.                                       uint8_t *out_alert, Span<uint8_t> in) {

  530.   *out_consumed = 0;

  531.   // Re-create the handshake buffer if needed.

  532.   if (!ssl->s3->hs_buf) {

  533.     ssl->s3->hs_buf.reset(BUF_MEM_new());

  534.     if (!ssl->s3->hs_buf) {

  535.       *out_alert = SSL_AD_INTERNAL_ERROR;

  536.       return ssl_open_record_error;

  537.     }

  538.   }

  539. 

  540.   // Bypass the record layer for the first message to handle V2ClientHello.

  541.   if (ssl->server && !ssl->s3->v2_hello_done) {

  542.     // Ask for the first 5 bytes, the size of the TLS record header. This is

  543.     // sufficient to detect a V2ClientHello and ensures that we never read

  544.     // beyond the first record.

  545.     if (in.size() < SSL3_RT_HEADER_LENGTH) {

  546.       *out_consumed = SSL3_RT_HEADER_LENGTH;

  547.       return ssl_open_record_partial;

  548.     }

  549. 

  550.     // Some dedicated error codes for protocol mixups should the application

  551.     // wish to interpret them differently. (These do not overlap with

  552.     // ClientHello or V2ClientHello.)

  553.     const char *str = reinterpret_cast<const char*>(in.data());

  554.     if (strncmp("GET ", str, 4) == 0 ||

  555.         strncmp("POST ", str, 5) == 0 ||

  556.         strncmp("HEAD ", str, 5) == 0 ||

  557.         strncmp("PUT ", str, 4) == 0) {

  558.       OPENSSL_PUT_ERROR(SSL, SSL_R_HTTP_REQUEST);

  559.       *out_alert = 0;

  560.       return ssl_open_record_error;

  561.     }

  562.     if (strncmp("CONNE", str, 5) == 0) {

  563.       OPENSSL_PUT_ERROR(SSL, SSL_R_HTTPS_PROXY_REQUEST);

  564.       *out_alert = 0;

  565.       return ssl_open_record_error;

  566.     }

  567. 

  568.     // Check for a V2ClientHello.

  569.     if ((in[0] & 0x80) != 0 && in[2] == SSL2_MT_CLIENT_HELLO &&

  570.         in[3] == SSL3_VERSION_MAJOR) {

  571.       auto ret = read_v2_client_hello(ssl, out_consumed, in);

  572.       if (ret == ssl_open_record_error) {

  573.         *out_alert = 0;

  574.       } else if (ret == ssl_open_record_success) {

  575.         ssl->s3->v2_hello_done = true;

  576.       }

  577.       return ret;

  578.     }

  579. 

  580.     ssl->s3->v2_hello_done = true;

  581.   }

  582. 

  583.   uint8_t type;

  584.   Span<uint8_t> body;

  585.   auto ret = tls_open_record(ssl, &type, &body, out_consumed, out_alert, in);

  586.   if (ret != ssl_open_record_success) {

  587.     return ret;

  588.   }

  589. 

  590.   // WatchGuard's TLS 1.3 interference bug is very distinctive: they drop the

  591.   // ServerHello and send the remaining encrypted application data records

  592.   // as-is. This manifests as an application data record when we expect

  593.   // handshake. Report a dedicated error code for this case.

  594.   if (!ssl->server && type == SSL3_RT_APPLICATION_DATA &&

  595.       ssl->s3->aead_read_ctx->is_null_cipher()) {

  596.     OPENSSL_PUT_ERROR(SSL, SSL_R_APPLICATION_DATA_INSTEAD_OF_HANDSHAKE);

  597.     *out_alert = SSL_AD_UNEXPECTED_MESSAGE;

  598.     return ssl_open_record_error;

  599.   }

  600. 

  601.   if (type != SSL3_RT_HANDSHAKE) {

  602.     OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_RECORD);

  603.     *out_alert = SSL_AD_UNEXPECTED_MESSAGE;

  604.     return ssl_open_record_error;

  605.   }

  606. 

  607.   // Append the entire handshake record to the buffer.

  608.   if (!BUF_MEM_append(ssl->s3->hs_buf.get(), body.data(), body.size())) {

  609.     *out_alert = SSL_AD_INTERNAL_ERROR;

  610.     return ssl_open_record_error;

  611.   }

  612. 

  613.   return ssl_open_record_success;

  614. }

  615. 

  616. void ssl3_next_message(SSL *ssl) {

  617.   SSLMessage msg;

  618.   if (!ssl3_get_message(ssl, &msg) ||

  619.       !ssl->s3->hs_buf ||

  620.       ssl->s3->hs_buf->length < CBS_len(&msg.raw)) {

  621.     assert(0);

  622.     return;

  623.   }

  624. 

  625.   OPENSSL_memmove(ssl->s3->hs_buf->data,

  626.                   ssl->s3->hs_buf->data + CBS_len(&msg.raw),

  627.                   ssl->s3->hs_buf->length - CBS_len(&msg.raw));

  628.   ssl->s3->hs_buf->length -= CBS_len(&msg.raw);

  629.   ssl->s3->is_v2_hello = false;

  630.   ssl->s3->has_message = false;

  631. 

  632.   // Post-handshake messages are rare, so release the buffer after every

  633.   // message. During the handshake, |on_handshake_complete| will release it.

  634.   if (!SSL_in_init(ssl) && ssl->s3->hs_buf->length == 0) {

  635.     ssl->s3->hs_buf.reset();

  636.   }

  637. }

  638. 

  639. }  // namespace bssl