kris
/
boringssl
1
0
Rozštěpit 0
Zdrojový kód Úkoly 0 Požadavky na natažení 0 Vydání 0 Wiki Aktivita
Nelze vybrat více než 25 témat Téma musí začínat písmenem nebo číslem, může obsahovat pomlčky („-“) a může být dlouhé až 35 znaků.
5156 Revize
12 Větve
38 MiB
 
 
 
 
 
 
Strom: 8370fb6b41
Větve Značky
${ item.name }
Vytvořit větev ${ searchTerm }
z „8370fb6b41“
${ noResults }
boringssl/ssl/s3_both.cc

586 řádky
21 KiB
Surový Blame Historie 

  1. /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)

  2.  * All rights reserved.

  3.  *

  4.  * This package is an SSL implementation written

  5.  * by Eric Young (eay@cryptsoft.com).

  6.  * The implementation was written so as to conform with Netscapes SSL.

  7.  *

  8.  * This library is free for commercial and non-commercial use as long as

  9.  * the following conditions are aheared to.  The following conditions

  10.  * apply to all code found in this distribution, be it the RC4, RSA,

  11.  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation

  12.  * included with this distribution is covered by the same copyright terms

  13.  * except that the holder is Tim Hudson (tjh@cryptsoft.com).

  14.  *

  15.  * Copyright remains Eric Young's, and as such any Copyright notices in

  16.  * the code are not to be removed.

  17.  * If this package is used in a product, Eric Young should be given attribution

  18.  * as the author of the parts of the library used.

  19.  * This can be in the form of a textual message at program startup or

  20.  * in documentation (online or textual) provided with the package.

  21.  *

  22.  * Redistribution and use in source and binary forms, with or without

  23.  * modification, are permitted provided that the following conditions

  24.  * are met:

  25.  * 1. Redistributions of source code must retain the copyright

  26.  *    notice, this list of conditions and the following disclaimer.

  27.  * 2. Redistributions in binary form must reproduce the above copyright

  28.  *    notice, this list of conditions and the following disclaimer in the

  29.  *    documentation and/or other materials provided with the distribution.

  30.  * 3. All advertising materials mentioning features or use of this software

  31.  *    must display the following acknowledgement:

  32.  *    "This product includes cryptographic software written by

  33.  *     Eric Young (eay@cryptsoft.com)"

  34.  *    The word 'cryptographic' can be left out if the rouines from the library

  35.  *    being used are not cryptographic related :-).

  36.  * 4. If you include any Windows specific code (or a derivative thereof) from

  37.  *    the apps directory (application code) you must include an acknowledgement:

  38.  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"

  39.  *

  40.  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND

  41.  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

  42.  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE

  43.  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE

  44.  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL

  45.  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS

  46.  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

  47.  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT

  48.  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY

  49.  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF

  50.  * SUCH DAMAGE.

  51.  *

  52.  * The licence and distribution terms for any publically available version or

  53.  * derivative of this code cannot be changed.  i.e. this code cannot simply be

  54.  * copied and put under another distribution licence

  55.  * [including the GNU Public Licence.]

  56.  */

  57. /* ====================================================================

  58.  * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.

  59.  *

  60.  * Redistribution and use in source and binary forms, with or without

  61.  * modification, are permitted provided that the following conditions

  62.  * are met:

  63.  *

  64.  * 1. Redistributions of source code must retain the above copyright

  65.  *    notice, this list of conditions and the following disclaimer.

  66.  *

  67.  * 2. Redistributions in binary form must reproduce the above copyright

  68.  *    notice, this list of conditions and the following disclaimer in

  69.  *    the documentation and/or other materials provided with the

  70.  *    distribution.

  71.  *

  72.  * 3. All advertising materials mentioning features or use of this

  73.  *    software must display the following acknowledgment:

  74.  *    "This product includes software developed by the OpenSSL Project

  75.  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"

  76.  *

  77.  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to

  78.  *    endorse or promote products derived from this software without

  79.  *    prior written permission. For written permission, please contact

  80.  *    openssl-core@openssl.org.

  81.  *

  82.  * 5. Products derived from this software may not be called "OpenSSL"

  83.  *    nor may "OpenSSL" appear in their names without prior written

  84.  *    permission of the OpenSSL Project.

  85.  *

  86.  * 6. Redistributions of any form whatsoever must retain the following

  87.  *    acknowledgment:

  88.  *    "This product includes software developed by the OpenSSL Project

  89.  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"

  90.  *

  91.  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY

  92.  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

  93.  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR

  94.  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR

  95.  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,

  96.  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT

  97.  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;

  98.  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

  99.  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,

  100.  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)

  101.  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED

  102.  * OF THE POSSIBILITY OF SUCH DAMAGE.

  103.  * ====================================================================

  104.  *

  105.  * This product includes cryptographic software written by Eric Young

  106.  * (eay@cryptsoft.com).  This product includes software written by Tim

  107.  * Hudson (tjh@cryptsoft.com). */

  108. /* ====================================================================

  109.  * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.

  110.  * ECC cipher suite support in OpenSSL originally developed by

  111.  * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project. */

  112. 

  113. #include <openssl/ssl.h>

  114. 

  115. #include <assert.h>

  116. #include <limits.h>

  117. #include <string.h>

  118. 

  119. #include <openssl/buf.h>

  120. #include <openssl/bytestring.h>

  121. #include <openssl/err.h>

  122. #include <openssl/evp.h>

  123. #include <openssl/mem.h>

  124. #include <openssl/md5.h>

  125. #include <openssl/nid.h>

  126. #include <openssl/rand.h>

  127. #include <openssl/sha.h>

  128. 

  129. #include "../crypto/internal.h"

  130. #include "internal.h"

  131. 

  132. 

  133. namespace bssl {

  134. 

  135. static bool add_record_to_flight(SSL *ssl, uint8_t type,

  136.                                  Span<const uint8_t> in) {

  137.   // We'll never add a flight while in the process of writing it out.

  138.   assert(ssl->s3->pending_flight_offset == 0);

  139. 

  140.   if (ssl->s3->pending_flight == nullptr) {

  141.     ssl->s3->pending_flight.reset(BUF_MEM_new());

  142.     if (ssl->s3->pending_flight == nullptr) {

  143.       return false;

  144.     }

  145.   }

  146. 

  147.   size_t max_out = in.size() + SSL_max_seal_overhead(ssl);

  148.   size_t new_cap = ssl->s3->pending_flight->length + max_out;

  149.   if (max_out < in.size() || new_cap < max_out) {

  150.     OPENSSL_PUT_ERROR(SSL, ERR_R_OVERFLOW);

  151.     return false;

  152.   }

  153. 

  154.   size_t len;

  155.   if (!BUF_MEM_reserve(ssl->s3->pending_flight.get(), new_cap) ||

  156.       !tls_seal_record(ssl,

  157.                        (uint8_t *)ssl->s3->pending_flight->data +

  158.                            ssl->s3->pending_flight->length,

  159.                        &len, max_out, type, in.data(), in.size())) {

  160.     return false;

  161.   }

  162. 

  163.   ssl->s3->pending_flight->length += len;

  164.   return true;

  165. }

  166. 

  167. bool ssl3_init_message(SSL *ssl, CBB *cbb, CBB *body, uint8_t type) {

  168.   // Pick a modest size hint to save most of the |realloc| calls.

  169.   if (!CBB_init(cbb, 64) ||

  170.       !CBB_add_u8(cbb, type) ||

  171.       !CBB_add_u24_length_prefixed(cbb, body)) {

  172.     OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);

  173.     CBB_cleanup(cbb);

  174.     return false;

  175.   }

  176. 

  177.   return true;

  178. }

  179. 

  180. bool ssl3_finish_message(SSL *ssl, CBB *cbb, Array<uint8_t> *out_msg) {

  181.   return CBBFinishArray(cbb, out_msg);

  182. }

  183. 

  184. bool ssl3_add_message(SSL *ssl, Array<uint8_t> msg) {

  185.   // Add the message to the current flight, splitting into several records if

  186.   // needed.

  187.   Span<const uint8_t> rest = msg;

  188.   do {

  189.     Span<const uint8_t> chunk = rest.subspan(0, ssl->max_send_fragment);

  190.     rest = rest.subspan(chunk.size());

  191. 

  192.     if (!add_record_to_flight(ssl, SSL3_RT_HANDSHAKE, chunk)) {

  193.       return false;

  194.     }

  195.   } while (!rest.empty());

  196. 

  197.   ssl_do_msg_callback(ssl, 1 /* write */, SSL3_RT_HANDSHAKE, msg);

  198.   // TODO(svaldez): Move this up a layer to fix abstraction for SSLTranscript on

  199.   // hs.

  200.   if (ssl->s3->hs != NULL &&

  201.       !ssl->s3->hs->transcript.Update(msg)) {

  202.     return false;

  203.   }

  204.   return true;

  205. }

  206. 

  207. bool ssl3_add_change_cipher_spec(SSL *ssl) {

  208.   static const uint8_t kChangeCipherSpec[1] = {SSL3_MT_CCS};

  209. 

  210.   if (!add_record_to_flight(ssl, SSL3_RT_CHANGE_CIPHER_SPEC,

  211.                             kChangeCipherSpec)) {

  212.     return false;

  213.   }

  214. 

  215.   ssl_do_msg_callback(ssl, 1 /* write */, SSL3_RT_CHANGE_CIPHER_SPEC,

  216.                       kChangeCipherSpec);

  217.   return true;

  218. }

  219. 

  220. bool ssl3_add_alert(SSL *ssl, uint8_t level, uint8_t desc) {

  221.   uint8_t alert[2] = {level, desc};

  222.   if (!add_record_to_flight(ssl, SSL3_RT_ALERT, alert)) {

  223.     return false;

  224.   }

  225. 

  226.   ssl_do_msg_callback(ssl, 1 /* write */, SSL3_RT_ALERT, alert);

  227.   ssl_do_info_callback(ssl, SSL_CB_WRITE_ALERT, ((int)level << 8) | desc);

  228.   return true;

  229. }

  230. 

  231. int ssl3_flush_flight(SSL *ssl) {

  232.   if (ssl->s3->pending_flight == nullptr) {

  233.     return 1;

  234.   }

  235. 

  236.   if (ssl->s3->write_shutdown != ssl_shutdown_none) {

  237.     OPENSSL_PUT_ERROR(SSL, SSL_R_PROTOCOL_IS_SHUTDOWN);

  238.     return -1;

  239.   }

  240. 

  241.   if (ssl->s3->pending_flight->length > 0xffffffff ||

  242.       ssl->s3->pending_flight->length > INT_MAX) {

  243.     OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);

  244.     return -1;

  245.   }

  246. 

  247.   // If there is pending data in the write buffer, it must be flushed out before

  248.   // any new data in pending_flight.

  249.   if (!ssl->s3->write_buffer.empty()) {

  250.     int ret = ssl_write_buffer_flush(ssl);

  251.     if (ret <= 0) {

  252.       ssl->s3->rwstate = SSL_WRITING;

  253.       return ret;

  254.     }

  255.   }

  256. 

  257.   // Write the pending flight.

  258.   while (ssl->s3->pending_flight_offset < ssl->s3->pending_flight->length) {

  259.     int ret = BIO_write(

  260.         ssl->wbio,

  261.         ssl->s3->pending_flight->data + ssl->s3->pending_flight_offset,

  262.         ssl->s3->pending_flight->length - ssl->s3->pending_flight_offset);

  263.     if (ret <= 0) {

  264.       ssl->s3->rwstate = SSL_WRITING;

  265.       return ret;

  266.     }

  267. 

  268.     ssl->s3->pending_flight_offset += ret;

  269.   }

  270. 

  271.   if (BIO_flush(ssl->wbio) <= 0) {

  272.     ssl->s3->rwstate = SSL_WRITING;

  273.     return -1;

  274.   }

  275. 

  276.   ssl->s3->pending_flight.reset();

  277.   ssl->s3->pending_flight_offset = 0;

  278.   return 1;

  279. }

  280. 

  281. static ssl_open_record_t read_v2_client_hello(SSL *ssl, size_t *out_consumed,

  282.                                               Span<const uint8_t> in) {

  283.   *out_consumed = 0;

  284.   assert(in.size() >= SSL3_RT_HEADER_LENGTH);

  285.   // Determine the length of the V2ClientHello.

  286.   size_t msg_length = ((in[0] & 0x7f) << 8) | in[1];

  287.   if (msg_length > (1024 * 4)) {

  288.     OPENSSL_PUT_ERROR(SSL, SSL_R_RECORD_TOO_LARGE);

  289.     return ssl_open_record_error;

  290.   }

  291.   if (msg_length < SSL3_RT_HEADER_LENGTH - 2) {

  292.     // Reject lengths that are too short early. We have already read

  293.     // |SSL3_RT_HEADER_LENGTH| bytes, so we should not attempt to process an

  294.     // (invalid) V2ClientHello which would be shorter than that.

  295.     OPENSSL_PUT_ERROR(SSL, SSL_R_RECORD_LENGTH_MISMATCH);

  296.     return ssl_open_record_error;

  297.   }

  298. 

  299.   // Ask for the remainder of the V2ClientHello.

  300.   if (in.size() < 2 + msg_length) {

  301.     *out_consumed = 2 + msg_length;

  302.     return ssl_open_record_partial;

  303.   }

  304. 

  305.   CBS v2_client_hello = CBS(ssl->s3->read_buffer.span().subspan(2, msg_length));

  306.   // The V2ClientHello without the length is incorporated into the handshake

  307.   // hash. This is only ever called at the start of the handshake, so hs is

  308.   // guaranteed to be non-NULL.

  309.   if (!ssl->s3->hs->transcript.Update(v2_client_hello)) {

  310.     return ssl_open_record_error;

  311.   }

  312. 

  313.   ssl_do_msg_callback(ssl, 0 /* read */, 0 /* V2ClientHello */,

  314.                       v2_client_hello);

  315. 

  316.   uint8_t msg_type;

  317.   uint16_t version, cipher_spec_length, session_id_length, challenge_length;

  318.   CBS cipher_specs, session_id, challenge;

  319.   if (!CBS_get_u8(&v2_client_hello, &msg_type) ||

  320.       !CBS_get_u16(&v2_client_hello, &version) ||

  321.       !CBS_get_u16(&v2_client_hello, &cipher_spec_length) ||

  322.       !CBS_get_u16(&v2_client_hello, &session_id_length) ||

  323.       !CBS_get_u16(&v2_client_hello, &challenge_length) ||

  324.       !CBS_get_bytes(&v2_client_hello, &cipher_specs, cipher_spec_length) ||

  325.       !CBS_get_bytes(&v2_client_hello, &session_id, session_id_length) ||

  326.       !CBS_get_bytes(&v2_client_hello, &challenge, challenge_length) ||

  327.       CBS_len(&v2_client_hello) != 0) {

  328.     OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);

  329.     return ssl_open_record_error;

  330.   }

  331. 

  332.   // msg_type has already been checked.

  333.   assert(msg_type == SSL2_MT_CLIENT_HELLO);

  334. 

  335.   // The client_random is the V2ClientHello challenge. Truncate or left-pad with

  336.   // zeros as needed.

  337.   size_t rand_len = CBS_len(&challenge);

  338.   if (rand_len > SSL3_RANDOM_SIZE) {

  339.     rand_len = SSL3_RANDOM_SIZE;

  340.   }

  341.   uint8_t random[SSL3_RANDOM_SIZE];

  342.   OPENSSL_memset(random, 0, SSL3_RANDOM_SIZE);

  343.   OPENSSL_memcpy(random + (SSL3_RANDOM_SIZE - rand_len), CBS_data(&challenge),

  344.                  rand_len);

  345. 

  346.   // Write out an equivalent SSLv3 ClientHello.

  347.   size_t max_v3_client_hello = SSL3_HM_HEADER_LENGTH + 2 /* version */ +

  348.                                SSL3_RANDOM_SIZE + 1 /* session ID length */ +

  349.                                2 /* cipher list length */ +

  350.                                CBS_len(&cipher_specs) / 3 * 2 +

  351.                                1 /* compression length */ + 1 /* compression */;

  352.   ScopedCBB client_hello;

  353.   CBB hello_body, cipher_suites;

  354.   if (!BUF_MEM_reserve(ssl->s3->hs_buf.get(), max_v3_client_hello) ||

  355.       !CBB_init_fixed(client_hello.get(), (uint8_t *)ssl->s3->hs_buf->data,

  356.                       ssl->s3->hs_buf->max) ||

  357.       !CBB_add_u8(client_hello.get(), SSL3_MT_CLIENT_HELLO) ||

  358.       !CBB_add_u24_length_prefixed(client_hello.get(), &hello_body) ||

  359.       !CBB_add_u16(&hello_body, version) ||

  360.       !CBB_add_bytes(&hello_body, random, SSL3_RANDOM_SIZE) ||

  361.       // No session id.

  362.       !CBB_add_u8(&hello_body, 0) ||

  363.       !CBB_add_u16_length_prefixed(&hello_body, &cipher_suites)) {

  364.     OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);

  365.     return ssl_open_record_error;

  366.   }

  367. 

  368.   // Copy the cipher suites.

  369.   while (CBS_len(&cipher_specs) > 0) {

  370.     uint32_t cipher_spec;

  371.     if (!CBS_get_u24(&cipher_specs, &cipher_spec)) {

  372.       OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);

  373.       return ssl_open_record_error;

  374.     }

  375. 

  376.     // Skip SSLv2 ciphers.

  377.     if ((cipher_spec & 0xff0000) != 0) {

  378.       continue;

  379.     }

  380.     if (!CBB_add_u16(&cipher_suites, cipher_spec)) {

  381.       OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);

  382.       return ssl_open_record_error;

  383.     }

  384.   }

  385. 

  386.   // Add the null compression scheme and finish.

  387.   if (!CBB_add_u8(&hello_body, 1) ||

  388.       !CBB_add_u8(&hello_body, 0) ||

  389.       !CBB_finish(client_hello.get(), NULL, &ssl->s3->hs_buf->length)) {

  390.     OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);

  391.     return ssl_open_record_error;

  392.   }

  393. 

  394.   *out_consumed = 2 + msg_length;

  395.   ssl->s3->is_v2_hello = true;

  396.   return ssl_open_record_success;

  397. }

  398. 

  399. static bool parse_message(const SSL *ssl, SSLMessage *out,

  400.                           size_t *out_bytes_needed) {

  401.   if (!ssl->s3->hs_buf) {

  402.     *out_bytes_needed = 4;

  403.     return false;

  404.   }

  405. 

  406.   CBS cbs;

  407.   uint32_t len;

  408.   CBS_init(&cbs, reinterpret_cast<const uint8_t *>(ssl->s3->hs_buf->data),

  409.            ssl->s3->hs_buf->length);

  410.   if (!CBS_get_u8(&cbs, &out->type) ||

  411.       !CBS_get_u24(&cbs, &len)) {

  412.     *out_bytes_needed = 4;

  413.     return false;

  414.   }

  415. 

  416.   if (!CBS_get_bytes(&cbs, &out->body, len)) {

  417.     *out_bytes_needed = 4 + len;

  418.     return false;

  419.   }

  420. 

  421.   CBS_init(&out->raw, reinterpret_cast<const uint8_t *>(ssl->s3->hs_buf->data),

  422.            4 + len);

  423.   out->is_v2_hello = ssl->s3->is_v2_hello;

  424.   return true;

  425. }

  426. 

  427. bool ssl3_get_message(SSL *ssl, SSLMessage *out) {

  428.   size_t unused;

  429.   if (!parse_message(ssl, out, &unused)) {

  430.     return false;

  431.   }

  432.   if (!ssl->s3->has_message) {

  433.     if (!out->is_v2_hello) {

  434.       ssl_do_msg_callback(ssl, 0 /* read */, SSL3_RT_HANDSHAKE, out->raw);

  435.     }

  436.     ssl->s3->has_message = true;

  437.   }

  438.   return true;

  439. }

  440. 

  441. bool tls_can_accept_handshake_data(const SSL *ssl, uint8_t *out_alert) {

  442.   // If there is a complete message, the caller must have consumed it first.

  443.   SSLMessage msg;

  444.   size_t bytes_needed;

  445.   if (parse_message(ssl, &msg, &bytes_needed)) {

  446.     OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);

  447.     *out_alert = SSL_AD_INTERNAL_ERROR;

  448.     return false;

  449.   }

  450. 

  451.   // Enforce the limit so the peer cannot force us to buffer 16MB.

  452.   if (bytes_needed > 4 + ssl_max_handshake_message_len(ssl)) {

  453.     OPENSSL_PUT_ERROR(SSL, SSL_R_EXCESSIVE_MESSAGE_SIZE);

  454.     *out_alert = SSL_AD_ILLEGAL_PARAMETER;

  455.     return false;

  456.   }

  457. 

  458.   return true;

  459. }

  460. 

  461. bool tls_has_unprocessed_handshake_data(const SSL *ssl) {

  462.   size_t msg_len = 0;

  463.   if (ssl->s3->has_message) {

  464.     SSLMessage msg;

  465.     size_t unused;

  466.     if (parse_message(ssl, &msg, &unused)) {

  467.       msg_len = CBS_len(&msg.raw);

  468.     }

  469.   }

  470. 

  471.   return ssl->s3->hs_buf && ssl->s3->hs_buf->length > msg_len;

  472. }

  473. 

  474. ssl_open_record_t ssl3_open_handshake(SSL *ssl, size_t *out_consumed,

  475.                                       uint8_t *out_alert, Span<uint8_t> in) {

  476.   *out_consumed = 0;

  477.   // Re-create the handshake buffer if needed.

  478.   if (!ssl->s3->hs_buf) {

  479.     ssl->s3->hs_buf.reset(BUF_MEM_new());

  480.     if (!ssl->s3->hs_buf) {

  481.       *out_alert = SSL_AD_INTERNAL_ERROR;

  482.       return ssl_open_record_error;

  483.     }

  484.   }

  485. 

  486.   // Bypass the record layer for the first message to handle V2ClientHello.

  487.   if (ssl->server && !ssl->s3->v2_hello_done) {

  488.     // Ask for the first 5 bytes, the size of the TLS record header. This is

  489.     // sufficient to detect a V2ClientHello and ensures that we never read

  490.     // beyond the first record.

  491.     if (in.size() < SSL3_RT_HEADER_LENGTH) {

  492.       *out_consumed = SSL3_RT_HEADER_LENGTH;

  493.       return ssl_open_record_partial;

  494.     }

  495. 

  496.     // Some dedicated error codes for protocol mixups should the application

  497.     // wish to interpret them differently. (These do not overlap with

  498.     // ClientHello or V2ClientHello.)

  499.     const char *str = reinterpret_cast<const char*>(in.data());

  500.     if (strncmp("GET ", str, 4) == 0 ||

  501.         strncmp("POST ", str, 5) == 0 ||

  502.         strncmp("HEAD ", str, 5) == 0 ||

  503.         strncmp("PUT ", str, 4) == 0) {

  504.       OPENSSL_PUT_ERROR(SSL, SSL_R_HTTP_REQUEST);

  505.       *out_alert = 0;

  506.       return ssl_open_record_error;

  507.     }

  508.     if (strncmp("CONNE", str, 5) == 0) {

  509.       OPENSSL_PUT_ERROR(SSL, SSL_R_HTTPS_PROXY_REQUEST);

  510.       *out_alert = 0;

  511.       return ssl_open_record_error;

  512.     }

  513. 

  514.     // Check for a V2ClientHello.

  515.     if ((in[0] & 0x80) != 0 && in[2] == SSL2_MT_CLIENT_HELLO &&

  516.         in[3] == SSL3_VERSION_MAJOR) {

  517.       auto ret = read_v2_client_hello(ssl, out_consumed, in);

  518.       if (ret == ssl_open_record_error) {

  519.         *out_alert = 0;

  520.       } else if (ret == ssl_open_record_success) {

  521.         ssl->s3->v2_hello_done = true;

  522.       }

  523.       return ret;

  524.     }

  525. 

  526.     ssl->s3->v2_hello_done = true;

  527.   }

  528. 

  529.   uint8_t type;

  530.   Span<uint8_t> body;

  531.   auto ret = tls_open_record(ssl, &type, &body, out_consumed, out_alert, in);

  532.   if (ret != ssl_open_record_success) {

  533.     return ret;

  534.   }

  535. 

  536.   // WatchGuard's TLS 1.3 interference bug is very distinctive: they drop the

  537.   // ServerHello and send the remaining encrypted application data records

  538.   // as-is. This manifests as an application data record when we expect

  539.   // handshake. Report a dedicated error code for this case.

  540.   if (!ssl->server && type == SSL3_RT_APPLICATION_DATA &&

  541.       ssl->s3->aead_read_ctx->is_null_cipher()) {

  542.     OPENSSL_PUT_ERROR(SSL, SSL_R_APPLICATION_DATA_INSTEAD_OF_HANDSHAKE);

  543.     *out_alert = SSL_AD_UNEXPECTED_MESSAGE;

  544.     return ssl_open_record_error;

  545.   }

  546. 

  547.   if (type != SSL3_RT_HANDSHAKE) {

  548.     OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_RECORD);

  549.     *out_alert = SSL_AD_UNEXPECTED_MESSAGE;

  550.     return ssl_open_record_error;

  551.   }

  552. 

  553.   // Append the entire handshake record to the buffer.

  554.   if (!BUF_MEM_append(ssl->s3->hs_buf.get(), body.data(), body.size())) {

  555.     *out_alert = SSL_AD_INTERNAL_ERROR;

  556.     return ssl_open_record_error;

  557.   }

  558. 

  559.   return ssl_open_record_success;

  560. }

  561. 

  562. void ssl3_next_message(SSL *ssl) {

  563.   SSLMessage msg;

  564.   if (!ssl3_get_message(ssl, &msg) ||

  565.       !ssl->s3->hs_buf ||

  566.       ssl->s3->hs_buf->length < CBS_len(&msg.raw)) {

  567.     assert(0);

  568.     return;

  569.   }

  570. 

  571.   OPENSSL_memmove(ssl->s3->hs_buf->data,

  572.                   ssl->s3->hs_buf->data + CBS_len(&msg.raw),

  573.                   ssl->s3->hs_buf->length - CBS_len(&msg.raw));

  574.   ssl->s3->hs_buf->length -= CBS_len(&msg.raw);

  575.   ssl->s3->is_v2_hello = false;

  576.   ssl->s3->has_message = false;

  577. 

  578.   // Post-handshake messages are rare, so release the buffer after every

  579.   // message. During the handshake, |on_handshake_complete| will release it.

  580.   if (!SSL_in_init(ssl) && ssl->s3->hs_buf->length == 0) {

  581.     ssl->s3->hs_buf.reset();

  582.   }

  583. }

  584. 

  585. }  // namespace bssl