kris
/
boringssl
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
3679 Commits
12 Branches
38 MiB
 
 
 
 
 
 
Tree: 5fc99c6603
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '5fc99c6603'
${ noResults }
boringssl/ssl/s3_both.c

831 lines
28 KiB
Raw Blame History 

  1. /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)

  2.  * All rights reserved.

  3.  *

  4.  * This package is an SSL implementation written

  5.  * by Eric Young (eay@cryptsoft.com).

  6.  * The implementation was written so as to conform with Netscapes SSL.

  7.  *

  8.  * This library is free for commercial and non-commercial use as long as

  9.  * the following conditions are aheared to.  The following conditions

  10.  * apply to all code found in this distribution, be it the RC4, RSA,

  11.  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation

  12.  * included with this distribution is covered by the same copyright terms

  13.  * except that the holder is Tim Hudson (tjh@cryptsoft.com).

  14.  *

  15.  * Copyright remains Eric Young's, and as such any Copyright notices in

  16.  * the code are not to be removed.

  17.  * If this package is used in a product, Eric Young should be given attribution

  18.  * as the author of the parts of the library used.

  19.  * This can be in the form of a textual message at program startup or

  20.  * in documentation (online or textual) provided with the package.

  21.  *

  22.  * Redistribution and use in source and binary forms, with or without

  23.  * modification, are permitted provided that the following conditions

  24.  * are met:

  25.  * 1. Redistributions of source code must retain the copyright

  26.  *    notice, this list of conditions and the following disclaimer.

  27.  * 2. Redistributions in binary form must reproduce the above copyright

  28.  *    notice, this list of conditions and the following disclaimer in the

  29.  *    documentation and/or other materials provided with the distribution.

  30.  * 3. All advertising materials mentioning features or use of this software

  31.  *    must display the following acknowledgement:

  32.  *    "This product includes cryptographic software written by

  33.  *     Eric Young (eay@cryptsoft.com)"

  34.  *    The word 'cryptographic' can be left out if the rouines from the library

  35.  *    being used are not cryptographic related :-).

  36.  * 4. If you include any Windows specific code (or a derivative thereof) from

  37.  *    the apps directory (application code) you must include an acknowledgement:

  38.  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"

  39.  *

  40.  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND

  41.  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

  42.  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE

  43.  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE

  44.  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL

  45.  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS

  46.  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

  47.  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT

  48.  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY

  49.  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF

  50.  * SUCH DAMAGE.

  51.  *

  52.  * The licence and distribution terms for any publically available version or

  53.  * derivative of this code cannot be changed.  i.e. this code cannot simply be

  54.  * copied and put under another distribution licence

  55.  * [including the GNU Public Licence.]

  56.  */

  57. /* ====================================================================

  58.  * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.

  59.  *

  60.  * Redistribution and use in source and binary forms, with or without

  61.  * modification, are permitted provided that the following conditions

  62.  * are met:

  63.  *

  64.  * 1. Redistributions of source code must retain the above copyright

  65.  *    notice, this list of conditions and the following disclaimer.

  66.  *

  67.  * 2. Redistributions in binary form must reproduce the above copyright

  68.  *    notice, this list of conditions and the following disclaimer in

  69.  *    the documentation and/or other materials provided with the

  70.  *    distribution.

  71.  *

  72.  * 3. All advertising materials mentioning features or use of this

  73.  *    software must display the following acknowledgment:

  74.  *    "This product includes software developed by the OpenSSL Project

  75.  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"

  76.  *

  77.  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to

  78.  *    endorse or promote products derived from this software without

  79.  *    prior written permission. For written permission, please contact

  80.  *    openssl-core@openssl.org.

  81.  *

  82.  * 5. Products derived from this software may not be called "OpenSSL"

  83.  *    nor may "OpenSSL" appear in their names without prior written

  84.  *    permission of the OpenSSL Project.

  85.  *

  86.  * 6. Redistributions of any form whatsoever must retain the following

  87.  *    acknowledgment:

  88.  *    "This product includes software developed by the OpenSSL Project

  89.  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"

  90.  *

  91.  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY

  92.  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

  93.  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR

  94.  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR

  95.  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,

  96.  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT

  97.  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;

  98.  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

  99.  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,

  100.  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)

  101.  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED

  102.  * OF THE POSSIBILITY OF SUCH DAMAGE.

  103.  * ====================================================================

  104.  *

  105.  * This product includes cryptographic software written by Eric Young

  106.  * (eay@cryptsoft.com).  This product includes software written by Tim

  107.  * Hudson (tjh@cryptsoft.com). */

  108. /* ====================================================================

  109.  * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.

  110.  * ECC cipher suite support in OpenSSL originally developed by

  111.  * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project. */

  112. 

  113. #include <openssl/ssl.h>

  114. 

  115. #include <assert.h>

  116. #include <limits.h>

  117. #include <string.h>

  118. 

  119. #include <openssl/buf.h>

  120. #include <openssl/bytestring.h>

  121. #include <openssl/err.h>

  122. #include <openssl/evp.h>

  123. #include <openssl/mem.h>

  124. #include <openssl/md5.h>

  125. #include <openssl/nid.h>

  126. #include <openssl/rand.h>

  127. #include <openssl/sha.h>

  128. #include <openssl/x509.h>

  129. 

  130. #include "../crypto/internal.h"

  131. #include "internal.h"

  132. 

  133. 

  134. SSL_HANDSHAKE *ssl_handshake_new(SSL *ssl) {

  135.   SSL_HANDSHAKE *hs = OPENSSL_malloc(sizeof(SSL_HANDSHAKE));

  136.   if (hs == NULL) {

  137.     OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);

  138.     return NULL;

  139.   }

  140.   OPENSSL_memset(hs, 0, sizeof(SSL_HANDSHAKE));

  141.   hs->ssl = ssl;

  142.   hs->wait = ssl_hs_ok;

  143.   hs->state = SSL_ST_INIT;

  144.   return hs;

  145. }

  146. 

  147. void ssl_handshake_free(SSL_HANDSHAKE *hs) {

  148.   if (hs == NULL) {

  149.     return;

  150.   }

  151. 

  152.   OPENSSL_cleanse(hs->secret, sizeof(hs->secret));

  153.   OPENSSL_cleanse(hs->client_handshake_secret,

  154.                   sizeof(hs->client_handshake_secret));

  155.   OPENSSL_cleanse(hs->server_handshake_secret,

  156.                   sizeof(hs->server_handshake_secret));

  157.   OPENSSL_cleanse(hs->client_traffic_secret_0,

  158.                   sizeof(hs->client_traffic_secret_0));

  159.   OPENSSL_cleanse(hs->server_traffic_secret_0,

  160.                   sizeof(hs->server_traffic_secret_0));

  161.   SSL_ECDH_CTX_cleanup(&hs->ecdh_ctx);

  162.   OPENSSL_free(hs->cookie);

  163.   OPENSSL_free(hs->key_share_bytes);

  164.   OPENSSL_free(hs->public_key);

  165.   OPENSSL_free(hs->peer_sigalgs);

  166.   OPENSSL_free(hs->peer_supported_group_list);

  167.   OPENSSL_free(hs->peer_key);

  168.   OPENSSL_free(hs->server_params);

  169.   OPENSSL_free(hs->peer_psk_identity_hint);

  170.   sk_X509_NAME_pop_free(hs->ca_names, X509_NAME_free);

  171.   OPENSSL_free(hs->certificate_types);

  172. 

  173.   if (hs->key_block != NULL) {

  174.     OPENSSL_cleanse(hs->key_block, hs->key_block_len);

  175.     OPENSSL_free(hs->key_block);

  176.   }

  177. 

  178.   OPENSSL_free(hs->hostname);

  179.   EVP_PKEY_free(hs->peer_pubkey);

  180.   OPENSSL_free(hs);

  181. }

  182. 

  183. /* ssl3_do_write sends |ssl->init_buf| in records of type 'type'

  184.  * (SSL3_RT_HANDSHAKE or SSL3_RT_CHANGE_CIPHER_SPEC). It returns 1 on success

  185.  * and <= 0 on error. */

  186. static int ssl3_do_write(SSL *ssl, int type, const uint8_t *data, size_t len) {

  187.   int ret = ssl3_write_bytes(ssl, type, data, len);

  188.   if (ret <= 0) {

  189.     return ret;

  190.   }

  191. 

  192.   /* ssl3_write_bytes writes the data in its entirety. */

  193.   assert((size_t)ret == len);

  194.   ssl_do_msg_callback(ssl, 1 /* write */, type, data, len);

  195.   return 1;

  196. }

  197. 

  198. int ssl3_init_message(SSL *ssl, CBB *cbb, CBB *body, uint8_t type) {

  199.   CBB_zero(cbb);

  200.   if (ssl->s3->pending_message != NULL) {

  201.     OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);

  202.     return 0;

  203.   }

  204. 

  205.   /* Pick a modest size hint to save most of the |realloc| calls. */

  206.   if (!CBB_init(cbb, 64) ||

  207.       !CBB_add_u8(cbb, type) ||

  208.       !CBB_add_u24_length_prefixed(cbb, body)) {

  209.     OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);

  210.     return 0;

  211.   }

  212. 

  213.   return 1;

  214. }

  215. 

  216. int ssl3_finish_message(SSL *ssl, CBB *cbb, uint8_t **out_msg,

  217.                         size_t *out_len) {

  218.   if (!CBB_finish(cbb, out_msg, out_len)) {

  219.     OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);

  220.     return 0;

  221.   }

  222. 

  223.   return 1;

  224. }

  225. 

  226. int ssl3_queue_message(SSL *ssl, uint8_t *msg, size_t len) {

  227.   if (ssl->s3->pending_message != NULL ||

  228.       len > 0xffffffffu) {

  229.     OPENSSL_free(msg);

  230.     OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);

  231.     return 0;

  232.   }

  233. 

  234.   ssl3_update_handshake_hash(ssl, msg, len);

  235. 

  236.   ssl->s3->pending_message = msg;

  237.   ssl->s3->pending_message_len = (uint32_t)len;

  238.   return 1;

  239. }

  240. 

  241. int ssl_complete_message(SSL *ssl, CBB *cbb) {

  242.   uint8_t *msg;

  243.   size_t len;

  244.   if (!ssl->method->finish_message(ssl, cbb, &msg, &len) ||

  245.       !ssl->method->queue_message(ssl, msg, len)) {

  246.     return 0;

  247.   }

  248. 

  249.   return 1;

  250. }

  251. 

  252. int ssl3_write_message(SSL *ssl) {

  253.   if (ssl->s3->pending_message == NULL) {

  254.     OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);

  255.     return 0;

  256.   }

  257. 

  258.   int ret = ssl3_do_write(ssl, SSL3_RT_HANDSHAKE, ssl->s3->pending_message,

  259.                           ssl->s3->pending_message_len);

  260.   if (ret <= 0) {

  261.     return ret;

  262.   }

  263. 

  264.   OPENSSL_free(ssl->s3->pending_message);

  265.   ssl->s3->pending_message = NULL;

  266.   ssl->s3->pending_message_len = 0;

  267.   return 1;

  268. }

  269. 

  270. int ssl3_send_finished(SSL_HANDSHAKE *hs, int a, int b) {

  271.   SSL *const ssl = hs->ssl;

  272.   if (hs->state == b) {

  273.     return ssl->method->write_message(ssl);

  274.   }

  275. 

  276.   uint8_t finished[EVP_MAX_MD_SIZE];

  277.   size_t finished_len =

  278.       ssl->s3->enc_method->final_finish_mac(ssl, ssl->server, finished);

  279.   if (finished_len == 0) {

  280.     return 0;

  281.   }

  282. 

  283.   /* Log the master secret, if logging is enabled. */

  284.   if (!ssl_log_secret(ssl, "CLIENT_RANDOM",

  285.                       SSL_get_session(ssl)->master_key,

  286.                       SSL_get_session(ssl)->master_key_length)) {

  287.     return 0;

  288.   }

  289. 

  290.   /* Copy the Finished so we can use it for renegotiation checks. */

  291.   if (ssl->version != SSL3_VERSION) {

  292.     if (finished_len > sizeof(ssl->s3->previous_client_finished) ||

  293.         finished_len > sizeof(ssl->s3->previous_server_finished)) {

  294.       OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);

  295.       return -1;

  296.     }

  297. 

  298.     if (ssl->server) {

  299.       OPENSSL_memcpy(ssl->s3->previous_server_finished, finished, finished_len);

  300.       ssl->s3->previous_server_finished_len = finished_len;

  301.     } else {

  302.       OPENSSL_memcpy(ssl->s3->previous_client_finished, finished, finished_len);

  303.       ssl->s3->previous_client_finished_len = finished_len;

  304.     }

  305.   }

  306. 

  307.   CBB cbb, body;

  308.   if (!ssl->method->init_message(ssl, &cbb, &body, SSL3_MT_FINISHED) ||

  309.       !CBB_add_bytes(&body, finished, finished_len) ||

  310.       !ssl_complete_message(ssl, &cbb)) {

  311.     OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);

  312.     CBB_cleanup(&cbb);

  313.     return -1;

  314.   }

  315. 

  316.   hs->state = b;

  317.   return ssl->method->write_message(ssl);

  318. }

  319. 

  320. int ssl3_get_finished(SSL_HANDSHAKE *hs) {

  321.   SSL *const ssl = hs->ssl;

  322.   int ret = ssl->method->ssl_get_message(ssl, SSL3_MT_FINISHED,

  323.                                          ssl_dont_hash_message);

  324.   if (ret <= 0) {

  325.     return ret;

  326.   }

  327. 

  328.   /* Snapshot the finished hash before incorporating the new message. */

  329.   uint8_t finished[EVP_MAX_MD_SIZE];

  330.   size_t finished_len =

  331.       ssl->s3->enc_method->final_finish_mac(ssl, !ssl->server, finished);

  332.   if (finished_len == 0 ||

  333.       !ssl_hash_current_message(ssl)) {

  334.     return -1;

  335.   }

  336. 

  337.   int finished_ok = ssl->init_num == finished_len &&

  338.                     CRYPTO_memcmp(ssl->init_msg, finished, finished_len) == 0;

  339. #if defined(BORINGSSL_UNSAFE_FUZZER_MODE)

  340.   finished_ok = 1;

  341. #endif

  342.   if (!finished_ok) {

  343.     ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECRYPT_ERROR);

  344.     OPENSSL_PUT_ERROR(SSL, SSL_R_DIGEST_CHECK_FAILED);

  345.     return -1;

  346.   }

  347. 

  348.   /* Copy the Finished so we can use it for renegotiation checks. */

  349.   if (ssl->version != SSL3_VERSION) {

  350.     if (finished_len > sizeof(ssl->s3->previous_client_finished) ||

  351.         finished_len > sizeof(ssl->s3->previous_server_finished)) {

  352.       OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);

  353.       return -1;

  354.     }

  355. 

  356.     if (ssl->server) {

  357.       OPENSSL_memcpy(ssl->s3->previous_client_finished, finished, finished_len);

  358.       ssl->s3->previous_client_finished_len = finished_len;

  359.     } else {

  360.       OPENSSL_memcpy(ssl->s3->previous_server_finished, finished, finished_len);

  361.       ssl->s3->previous_server_finished_len = finished_len;

  362.     }

  363.   }

  364. 

  365.   return 1;

  366. }

  367. 

  368. int ssl3_send_change_cipher_spec(SSL *ssl) {

  369.   static const uint8_t kChangeCipherSpec[1] = {SSL3_MT_CCS};

  370. 

  371.   return ssl3_do_write(ssl, SSL3_RT_CHANGE_CIPHER_SPEC, kChangeCipherSpec,

  372.                        sizeof(kChangeCipherSpec));

  373. }

  374. 

  375. int ssl3_output_cert_chain(SSL *ssl) {

  376.   CBB cbb, body;

  377.   if (!ssl->method->init_message(ssl, &cbb, &body, SSL3_MT_CERTIFICATE) ||

  378.       !ssl_add_cert_chain(ssl, &body) ||

  379.       !ssl_complete_message(ssl, &cbb)) {

  380.     OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);

  381.     CBB_cleanup(&cbb);

  382.     return 0;

  383.   }

  384. 

  385.   return 1;

  386. }

  387. 

  388. size_t ssl_max_handshake_message_len(const SSL *ssl) {

  389.   /* kMaxMessageLen is the default maximum message size for handshakes which do

  390.    * not accept peer certificate chains. */

  391.   static const size_t kMaxMessageLen = 16384;

  392. 

  393.   if (SSL_in_init(ssl)) {

  394.     if ((!ssl->server || (ssl->verify_mode & SSL_VERIFY_PEER)) &&

  395.         kMaxMessageLen < ssl->max_cert_list) {

  396.       return ssl->max_cert_list;

  397.     }

  398.     return kMaxMessageLen;

  399.   }

  400. 

  401.   if (ssl3_protocol_version(ssl) < TLS1_3_VERSION) {

  402.     /* In TLS 1.2 and below, the largest acceptable post-handshake message is

  403.      * a HelloRequest. */

  404.     return 0;

  405.   }

  406. 

  407.   if (ssl->server) {

  408.     /* The largest acceptable post-handshake message for a server is a

  409.      * KeyUpdate. We will never initiate post-handshake auth. */

  410.     return 0;

  411.   }

  412. 

  413.   /* Clients must accept NewSessionTicket and CertificateRequest, so allow the

  414.    * default size. */

  415.   return kMaxMessageLen;

  416. }

  417. 

  418. static int extend_handshake_buffer(SSL *ssl, size_t length) {

  419.   if (!BUF_MEM_reserve(ssl->init_buf, length)) {

  420.     return -1;

  421.   }

  422.   while (ssl->init_buf->length < length) {

  423.     int ret = ssl3_read_handshake_bytes(

  424.         ssl, (uint8_t *)ssl->init_buf->data + ssl->init_buf->length,

  425.         length - ssl->init_buf->length);

  426.     if (ret <= 0) {

  427.       return ret;

  428.     }

  429.     ssl->init_buf->length += (size_t)ret;

  430.   }

  431.   return 1;

  432. }

  433. 

  434. static int read_v2_client_hello(SSL *ssl, int *out_is_v2_client_hello) {

  435.   /* Read the first 5 bytes, the size of the TLS record header. This is

  436.    * sufficient to detect a V2ClientHello and ensures that we never read beyond

  437.    * the first record. */

  438.   int ret = ssl_read_buffer_extend_to(ssl, SSL3_RT_HEADER_LENGTH);

  439.   if (ret <= 0) {

  440.     return ret;

  441.   }

  442.   const uint8_t *p = ssl_read_buffer(ssl);

  443. 

  444.   /* Some dedicated error codes for protocol mixups should the application wish

  445.    * to interpret them differently. (These do not overlap with ClientHello or

  446.    * V2ClientHello.) */

  447.   if (strncmp("GET ", (const char *)p, 4) == 0 ||

  448.       strncmp("POST ", (const char *)p, 5) == 0 ||

  449.       strncmp("HEAD ", (const char *)p, 5) == 0 ||

  450.       strncmp("PUT ", (const char *)p, 4) == 0) {

  451.     OPENSSL_PUT_ERROR(SSL, SSL_R_HTTP_REQUEST);

  452.     return -1;

  453.   }

  454.   if (strncmp("CONNE", (const char *)p, 5) == 0) {

  455.     OPENSSL_PUT_ERROR(SSL, SSL_R_HTTPS_PROXY_REQUEST);

  456.     return -1;

  457.   }

  458. 

  459.   if ((p[0] & 0x80) == 0 || p[2] != SSL2_MT_CLIENT_HELLO ||

  460.       p[3] != SSL3_VERSION_MAJOR) {

  461.     /* Not a V2ClientHello. */

  462.     *out_is_v2_client_hello = 0;

  463.     return 1;

  464.   }

  465. 

  466.   /* Determine the length of the V2ClientHello. */

  467.   size_t msg_length = ((p[0] & 0x7f) << 8) | p[1];

  468.   if (msg_length > (1024 * 4)) {

  469.     OPENSSL_PUT_ERROR(SSL, SSL_R_RECORD_TOO_LARGE);

  470.     return -1;

  471.   }

  472.   if (msg_length < SSL3_RT_HEADER_LENGTH - 2) {

  473.     /* Reject lengths that are too short early. We have already read

  474.      * |SSL3_RT_HEADER_LENGTH| bytes, so we should not attempt to process an

  475.      * (invalid) V2ClientHello which would be shorter than that. */

  476.     OPENSSL_PUT_ERROR(SSL, SSL_R_RECORD_LENGTH_MISMATCH);

  477.     return -1;

  478.   }

  479. 

  480.   /* Read the remainder of the V2ClientHello. */

  481.   ret = ssl_read_buffer_extend_to(ssl, 2 + msg_length);

  482.   if (ret <= 0) {

  483.     return ret;

  484.   }

  485. 

  486.   CBS v2_client_hello;

  487.   CBS_init(&v2_client_hello, ssl_read_buffer(ssl) + 2, msg_length);

  488. 

  489.   /* The V2ClientHello without the length is incorporated into the handshake

  490.    * hash. */

  491.   if (!ssl3_update_handshake_hash(ssl, CBS_data(&v2_client_hello),

  492.                                   CBS_len(&v2_client_hello))) {

  493.     return -1;

  494.   }

  495. 

  496.   ssl_do_msg_callback(ssl, 0 /* read */, 0 /* V2ClientHello */,

  497.                       CBS_data(&v2_client_hello), CBS_len(&v2_client_hello));

  498. 

  499.   uint8_t msg_type;

  500.   uint16_t version, cipher_spec_length, session_id_length, challenge_length;

  501.   CBS cipher_specs, session_id, challenge;

  502.   if (!CBS_get_u8(&v2_client_hello, &msg_type) ||

  503.       !CBS_get_u16(&v2_client_hello, &version) ||

  504.       !CBS_get_u16(&v2_client_hello, &cipher_spec_length) ||

  505.       !CBS_get_u16(&v2_client_hello, &session_id_length) ||

  506.       !CBS_get_u16(&v2_client_hello, &challenge_length) ||

  507.       !CBS_get_bytes(&v2_client_hello, &cipher_specs, cipher_spec_length) ||

  508.       !CBS_get_bytes(&v2_client_hello, &session_id, session_id_length) ||

  509.       !CBS_get_bytes(&v2_client_hello, &challenge, challenge_length) ||

  510.       CBS_len(&v2_client_hello) != 0) {

  511.     OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);

  512.     return -1;

  513.   }

  514. 

  515.   /* msg_type has already been checked. */

  516.   assert(msg_type == SSL2_MT_CLIENT_HELLO);

  517. 

  518.   /* The client_random is the V2ClientHello challenge. Truncate or

  519.    * left-pad with zeros as needed. */

  520.   size_t rand_len = CBS_len(&challenge);

  521.   if (rand_len > SSL3_RANDOM_SIZE) {

  522.     rand_len = SSL3_RANDOM_SIZE;

  523.   }

  524.   uint8_t random[SSL3_RANDOM_SIZE];

  525.   OPENSSL_memset(random, 0, SSL3_RANDOM_SIZE);

  526.   OPENSSL_memcpy(random + (SSL3_RANDOM_SIZE - rand_len), CBS_data(&challenge),

  527.                  rand_len);

  528. 

  529.   /* Write out an equivalent SSLv3 ClientHello. */

  530.   size_t max_v3_client_hello = SSL3_HM_HEADER_LENGTH + 2 /* version */ +

  531.                                SSL3_RANDOM_SIZE + 1 /* session ID length */ +

  532.                                2 /* cipher list length */ +

  533.                                CBS_len(&cipher_specs) / 3 * 2 +

  534.                                1 /* compression length */ + 1 /* compression */;

  535.   CBB client_hello, hello_body, cipher_suites;

  536.   CBB_zero(&client_hello);

  537.   if (!BUF_MEM_reserve(ssl->init_buf, max_v3_client_hello) ||

  538.       !CBB_init_fixed(&client_hello, (uint8_t *)ssl->init_buf->data,

  539.                       ssl->init_buf->max) ||

  540.       !CBB_add_u8(&client_hello, SSL3_MT_CLIENT_HELLO) ||

  541.       !CBB_add_u24_length_prefixed(&client_hello, &hello_body) ||

  542.       !CBB_add_u16(&hello_body, version) ||

  543.       !CBB_add_bytes(&hello_body, random, SSL3_RANDOM_SIZE) ||

  544.       /* No session id. */

  545.       !CBB_add_u8(&hello_body, 0) ||

  546.       !CBB_add_u16_length_prefixed(&hello_body, &cipher_suites)) {

  547.     CBB_cleanup(&client_hello);

  548.     OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);

  549.     return -1;

  550.   }

  551. 

  552.   /* Copy the cipher suites. */

  553.   while (CBS_len(&cipher_specs) > 0) {

  554.     uint32_t cipher_spec;

  555.     if (!CBS_get_u24(&cipher_specs, &cipher_spec)) {

  556.       CBB_cleanup(&client_hello);

  557.       OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);

  558.       return -1;

  559.     }

  560. 

  561.     /* Skip SSLv2 ciphers. */

  562.     if ((cipher_spec & 0xff0000) != 0) {

  563.       continue;

  564.     }

  565.     if (!CBB_add_u16(&cipher_suites, cipher_spec)) {

  566.       CBB_cleanup(&client_hello);

  567.       OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);

  568.       return -1;

  569.     }

  570.   }

  571. 

  572.   /* Add the null compression scheme and finish. */

  573.   if (!CBB_add_u8(&hello_body, 1) || !CBB_add_u8(&hello_body, 0) ||

  574.       !CBB_finish(&client_hello, NULL, &ssl->init_buf->length)) {

  575.     CBB_cleanup(&client_hello);

  576.     OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);

  577.     return -1;

  578.   }

  579. 

  580.   /* Consume and discard the V2ClientHello. */

  581.   ssl_read_buffer_consume(ssl, 2 + msg_length);

  582.   ssl_read_buffer_discard(ssl);

  583. 

  584.   *out_is_v2_client_hello = 1;

  585.   return 1;

  586. }

  587. 

  588. int ssl3_get_message(SSL *ssl, int msg_type,

  589.                      enum ssl_hash_message_t hash_message) {

  590. again:

  591.   /* Re-create the handshake buffer if needed. */

  592.   if (ssl->init_buf == NULL) {

  593.     ssl->init_buf = BUF_MEM_new();

  594.     if (ssl->init_buf == NULL) {

  595.       return -1;

  596.     }

  597.   }

  598. 

  599.   if (ssl->server && !ssl->s3->v2_hello_done) {

  600.     /* Bypass the record layer for the first message to handle V2ClientHello. */

  601.     assert(hash_message == ssl_hash_message);

  602.     int is_v2_client_hello = 0;

  603.     int ret = read_v2_client_hello(ssl, &is_v2_client_hello);

  604.     if (ret <= 0) {

  605.       return ret;

  606.     }

  607.     if (is_v2_client_hello) {

  608.       /* V2ClientHello is hashed separately. */

  609.       hash_message = ssl_dont_hash_message;

  610.     }

  611.     ssl->s3->v2_hello_done = 1;

  612.   }

  613. 

  614.   if (ssl->s3->tmp.reuse_message) {

  615.     /* A ssl_dont_hash_message call cannot be combined with reuse_message; the

  616.      * ssl_dont_hash_message would have to have been applied to the previous

  617.      * call. */

  618.     assert(hash_message == ssl_hash_message);

  619.     assert(ssl->init_msg != NULL);

  620. 

  621.     ssl->s3->tmp.reuse_message = 0;

  622.     hash_message = ssl_dont_hash_message;

  623.   } else {

  624.     ssl3_release_current_message(ssl, 0 /* don't free buffer */);

  625.   }

  626. 

  627.   /* Read the message header, if we haven't yet. */

  628.   int ret = extend_handshake_buffer(ssl, SSL3_HM_HEADER_LENGTH);

  629.   if (ret <= 0) {

  630.     return ret;

  631.   }

  632. 

  633.   /* Parse out the length. Cap it so the peer cannot force us to buffer up to

  634.    * 2^24 bytes. */

  635.   const uint8_t *p = (uint8_t *)ssl->init_buf->data;

  636.   size_t msg_len = (((uint32_t)p[1]) << 16) | (((uint32_t)p[2]) << 8) | p[3];

  637.   if (msg_len > ssl_max_handshake_message_len(ssl)) {

  638.     ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);

  639.     OPENSSL_PUT_ERROR(SSL, SSL_R_EXCESSIVE_MESSAGE_SIZE);

  640.     return -1;

  641.   }

  642. 

  643.   /* Read the message body, if we haven't yet. */

  644.   ret = extend_handshake_buffer(ssl, SSL3_HM_HEADER_LENGTH + msg_len);

  645.   if (ret <= 0) {

  646.     return ret;

  647.   }

  648. 

  649.   /* We have now received a complete message. */

  650.   ssl_do_msg_callback(ssl, 0 /* read */, SSL3_RT_HANDSHAKE, ssl->init_buf->data,

  651.                       ssl->init_buf->length);

  652. 

  653.   ssl->s3->tmp.message_type = ((const uint8_t *)ssl->init_buf->data)[0];

  654.   ssl->init_msg = (uint8_t*)ssl->init_buf->data + SSL3_HM_HEADER_LENGTH;

  655.   ssl->init_num = ssl->init_buf->length - SSL3_HM_HEADER_LENGTH;

  656. 

  657.   /* Ignore stray HelloRequest messages in the handshake before TLS 1.3. Per RFC

  658.    * 5246, section 7.4.1.1, the server may send HelloRequest at any time. */

  659.   if (!ssl->server && SSL_in_init(ssl) &&

  660.       (!ssl->s3->have_version || ssl3_protocol_version(ssl) < TLS1_3_VERSION) &&

  661.       ssl->s3->tmp.message_type == SSL3_MT_HELLO_REQUEST &&

  662.       ssl->init_num == 0) {

  663.     goto again;

  664.   }

  665. 

  666.   if (msg_type >= 0 && ssl->s3->tmp.message_type != msg_type) {

  667.     ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);

  668.     OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_MESSAGE);

  669.     return -1;

  670.   }

  671. 

  672.   /* Feed this message into MAC computation. */

  673.   if (hash_message == ssl_hash_message && !ssl_hash_current_message(ssl)) {

  674.     return -1;

  675.   }

  676. 

  677.   return 1;

  678. }

  679. 

  680. void ssl3_get_current_message(const SSL *ssl, CBS *out) {

  681.   CBS_init(out, (uint8_t *)ssl->init_buf->data, ssl->init_buf->length);

  682. }

  683. 

  684. int ssl_hash_current_message(SSL *ssl) {

  685.   CBS cbs;

  686.   ssl->method->get_current_message(ssl, &cbs);

  687.   return ssl3_update_handshake_hash(ssl, CBS_data(&cbs), CBS_len(&cbs));

  688. }

  689. 

  690. void ssl3_release_current_message(SSL *ssl, int free_buffer) {

  691.   if (ssl->init_msg != NULL) {

  692.     /* |init_buf| never contains data beyond the current message. */

  693.     assert(SSL3_HM_HEADER_LENGTH + ssl->init_num == ssl->init_buf->length);

  694. 

  695.     /* Clear the current message. */

  696.     ssl->init_msg = NULL;

  697.     ssl->init_num = 0;

  698.     ssl->init_buf->length = 0;

  699.   }

  700. 

  701.   if (free_buffer) {

  702.     BUF_MEM_free(ssl->init_buf);

  703.     ssl->init_buf = NULL;

  704.   }

  705. }

  706. 

  707. int ssl_verify_alarm_type(long type) {

  708.   int al;

  709. 

  710.   switch (type) {

  711.     case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:

  712.     case X509_V_ERR_UNABLE_TO_GET_CRL:

  713.     case X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER:

  714.       al = SSL_AD_UNKNOWN_CA;

  715.       break;

  716. 

  717.     case X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE:

  718.     case X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE:

  719.     case X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY:

  720.     case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:

  721.     case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:

  722.     case X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD:

  723.     case X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD:

  724.     case X509_V_ERR_CERT_NOT_YET_VALID:

  725.     case X509_V_ERR_CRL_NOT_YET_VALID:

  726.     case X509_V_ERR_CERT_UNTRUSTED:

  727.     case X509_V_ERR_CERT_REJECTED:

  728.     case X509_V_ERR_HOSTNAME_MISMATCH:

  729.     case X509_V_ERR_EMAIL_MISMATCH:

  730.     case X509_V_ERR_IP_ADDRESS_MISMATCH:

  731.       al = SSL_AD_BAD_CERTIFICATE;

  732.       break;

  733. 

  734.     case X509_V_ERR_CERT_SIGNATURE_FAILURE:

  735.     case X509_V_ERR_CRL_SIGNATURE_FAILURE:

  736.       al = SSL_AD_DECRYPT_ERROR;

  737.       break;

  738. 

  739.     case X509_V_ERR_CERT_HAS_EXPIRED:

  740.     case X509_V_ERR_CRL_HAS_EXPIRED:

  741.       al = SSL_AD_CERTIFICATE_EXPIRED;

  742.       break;

  743. 

  744.     case X509_V_ERR_CERT_REVOKED:

  745.       al = SSL_AD_CERTIFICATE_REVOKED;

  746.       break;

  747. 

  748.     case X509_V_ERR_UNSPECIFIED:

  749.     case X509_V_ERR_OUT_OF_MEM:

  750.     case X509_V_ERR_INVALID_CALL:

  751.     case X509_V_ERR_STORE_LOOKUP:

  752.       al = SSL_AD_INTERNAL_ERROR;

  753.       break;

  754. 

  755.     case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:

  756.     case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN:

  757.     case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:

  758.     case X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE:

  759.     case X509_V_ERR_CERT_CHAIN_TOO_LONG:

  760.     case X509_V_ERR_PATH_LENGTH_EXCEEDED:

  761.     case X509_V_ERR_INVALID_CA:

  762.       al = SSL_AD_UNKNOWN_CA;

  763.       break;

  764. 

  765.     case X509_V_ERR_APPLICATION_VERIFICATION:

  766.       al = SSL_AD_HANDSHAKE_FAILURE;

  767.       break;

  768. 

  769.     case X509_V_ERR_INVALID_PURPOSE:

  770.       al = SSL_AD_UNSUPPORTED_CERTIFICATE;

  771.       break;

  772. 

  773.     default:

  774.       al = SSL_AD_CERTIFICATE_UNKNOWN;

  775.       break;

  776.   }

  777. 

  778.   return al;

  779. }

  780. 

  781. int ssl_parse_extensions(const CBS *cbs, uint8_t *out_alert,

  782.                          const SSL_EXTENSION_TYPE *ext_types,

  783.                          size_t num_ext_types, int ignore_unknown) {

  784.   /* Reset everything. */

  785.   for (size_t i = 0; i < num_ext_types; i++) {

  786.     *ext_types[i].out_present = 0;

  787.     CBS_init(ext_types[i].out_data, NULL, 0);

  788.   }

  789. 

  790.   CBS copy = *cbs;

  791.   while (CBS_len(&copy) != 0) {

  792.     uint16_t type;

  793.     CBS data;

  794.     if (!CBS_get_u16(&copy, &type) ||

  795.         !CBS_get_u16_length_prefixed(&copy, &data)) {

  796.       OPENSSL_PUT_ERROR(SSL, SSL_R_PARSE_TLSEXT);

  797.       *out_alert = SSL_AD_DECODE_ERROR;

  798.       return 0;

  799.     }

  800. 

  801.     const SSL_EXTENSION_TYPE *ext_type = NULL;

  802.     for (size_t i = 0; i < num_ext_types; i++) {

  803.       if (type == ext_types[i].type) {

  804.         ext_type = &ext_types[i];

  805.         break;

  806.       }

  807.     }

  808. 

  809.     if (ext_type == NULL) {

  810.       if (ignore_unknown) {

  811.         continue;

  812.       }

  813.       OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION);

  814.       *out_alert = SSL_AD_UNSUPPORTED_EXTENSION;

  815.       return 0;

  816.     }

  817. 

  818.     /* Duplicate ext_types are forbidden. */

  819.     if (*ext_type->out_present) {

  820.       OPENSSL_PUT_ERROR(SSL, SSL_R_DUPLICATE_EXTENSION);

  821.       *out_alert = SSL_AD_ILLEGAL_PARAMETER;

  822.       return 0;

  823.     }

  824. 

  825.     *ext_type->out_present = 1;

  826.     *ext_type->out_data = data;

  827.   }

  828. 

  829.   return 1;

  830. }