kris
/
boringssl
1
0
Rozštěpit 0
Zdrojový kód Úkoly 0 Požadavky na natažení 0 Vydání 0 Wiki Aktivita
Nelze vybrat více než 25 témat Téma musí začínat písmenem nebo číslem, může obsahovat pomlčky („-“) a může být dlouhé až 35 znaků.
3578 Revize
12 Větve
38 MiB
 
 
 
 
 
 
Strom: 8a55ce4954
Větve Značky
${ item.name }
Vytvořit větev ${ searchTerm }
z „8a55ce4954“
${ noResults }
boringssl/ssl/s3_both.c

823 řádky
27 KiB
Surový Blame Historie 

  1. /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)

  2.  * All rights reserved.

  3.  *

  4.  * This package is an SSL implementation written

  5.  * by Eric Young (eay@cryptsoft.com).

  6.  * The implementation was written so as to conform with Netscapes SSL.

  7.  *

  8.  * This library is free for commercial and non-commercial use as long as

  9.  * the following conditions are aheared to.  The following conditions

  10.  * apply to all code found in this distribution, be it the RC4, RSA,

  11.  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation

  12.  * included with this distribution is covered by the same copyright terms

  13.  * except that the holder is Tim Hudson (tjh@cryptsoft.com).

  14.  *

  15.  * Copyright remains Eric Young's, and as such any Copyright notices in

  16.  * the code are not to be removed.

  17.  * If this package is used in a product, Eric Young should be given attribution

  18.  * as the author of the parts of the library used.

  19.  * This can be in the form of a textual message at program startup or

  20.  * in documentation (online or textual) provided with the package.

  21.  *

  22.  * Redistribution and use in source and binary forms, with or without

  23.  * modification, are permitted provided that the following conditions

  24.  * are met:

  25.  * 1. Redistributions of source code must retain the copyright

  26.  *    notice, this list of conditions and the following disclaimer.

  27.  * 2. Redistributions in binary form must reproduce the above copyright

  28.  *    notice, this list of conditions and the following disclaimer in the

  29.  *    documentation and/or other materials provided with the distribution.

  30.  * 3. All advertising materials mentioning features or use of this software

  31.  *    must display the following acknowledgement:

  32.  *    "This product includes cryptographic software written by

  33.  *     Eric Young (eay@cryptsoft.com)"

  34.  *    The word 'cryptographic' can be left out if the rouines from the library

  35.  *    being used are not cryptographic related :-).

  36.  * 4. If you include any Windows specific code (or a derivative thereof) from

  37.  *    the apps directory (application code) you must include an acknowledgement:

  38.  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"

  39.  *

  40.  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND

  41.  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

  42.  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE

  43.  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE

  44.  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL

  45.  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS

  46.  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

  47.  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT

  48.  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY

  49.  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF

  50.  * SUCH DAMAGE.

  51.  *

  52.  * The licence and distribution terms for any publically available version or

  53.  * derivative of this code cannot be changed.  i.e. this code cannot simply be

  54.  * copied and put under another distribution licence

  55.  * [including the GNU Public Licence.]

  56.  */

  57. /* ====================================================================

  58.  * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.

  59.  *

  60.  * Redistribution and use in source and binary forms, with or without

  61.  * modification, are permitted provided that the following conditions

  62.  * are met:

  63.  *

  64.  * 1. Redistributions of source code must retain the above copyright

  65.  *    notice, this list of conditions and the following disclaimer.

  66.  *

  67.  * 2. Redistributions in binary form must reproduce the above copyright

  68.  *    notice, this list of conditions and the following disclaimer in

  69.  *    the documentation and/or other materials provided with the

  70.  *    distribution.

  71.  *

  72.  * 3. All advertising materials mentioning features or use of this

  73.  *    software must display the following acknowledgment:

  74.  *    "This product includes software developed by the OpenSSL Project

  75.  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"

  76.  *

  77.  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to

  78.  *    endorse or promote products derived from this software without

  79.  *    prior written permission. For written permission, please contact

  80.  *    openssl-core@openssl.org.

  81.  *

  82.  * 5. Products derived from this software may not be called "OpenSSL"

  83.  *    nor may "OpenSSL" appear in their names without prior written

  84.  *    permission of the OpenSSL Project.

  85.  *

  86.  * 6. Redistributions of any form whatsoever must retain the following

  87.  *    acknowledgment:

  88.  *    "This product includes software developed by the OpenSSL Project

  89.  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"

  90.  *

  91.  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY

  92.  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

  93.  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR

  94.  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR

  95.  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,

  96.  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT

  97.  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;

  98.  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

  99.  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,

  100.  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)

  101.  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED

  102.  * OF THE POSSIBILITY OF SUCH DAMAGE.

  103.  * ====================================================================

  104.  *

  105.  * This product includes cryptographic software written by Eric Young

  106.  * (eay@cryptsoft.com).  This product includes software written by Tim

  107.  * Hudson (tjh@cryptsoft.com). */

  108. /* ====================================================================

  109.  * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.

  110.  * ECC cipher suite support in OpenSSL originally developed by

  111.  * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project. */

  112. 

  113. #include <openssl/ssl.h>

  114. 

  115. #include <assert.h>

  116. #include <limits.h>

  117. #include <string.h>

  118. 

  119. #include <openssl/buf.h>

  120. #include <openssl/bytestring.h>

  121. #include <openssl/err.h>

  122. #include <openssl/evp.h>

  123. #include <openssl/mem.h>

  124. #include <openssl/md5.h>

  125. #include <openssl/nid.h>

  126. #include <openssl/rand.h>

  127. #include <openssl/sha.h>

  128. #include <openssl/x509.h>

  129. 

  130. #include "internal.h"

  131. 

  132. 

  133. SSL_HANDSHAKE *ssl_handshake_new(SSL *ssl) {

  134.   SSL_HANDSHAKE *hs = OPENSSL_malloc(sizeof(SSL_HANDSHAKE));

  135.   if (hs == NULL) {

  136.     OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);

  137.     return NULL;

  138.   }

  139.   memset(hs, 0, sizeof(SSL_HANDSHAKE));

  140.   hs->ssl = ssl;

  141.   hs->wait = ssl_hs_ok;

  142.   hs->state = SSL_ST_INIT;

  143.   return hs;

  144. }

  145. 

  146. void ssl_handshake_free(SSL_HANDSHAKE *hs) {

  147.   if (hs == NULL) {

  148.     return;

  149.   }

  150. 

  151.   OPENSSL_cleanse(hs->secret, sizeof(hs->secret));

  152.   OPENSSL_cleanse(hs->client_traffic_secret_0,

  153.                   sizeof(hs->client_traffic_secret_0));

  154.   OPENSSL_cleanse(hs->server_traffic_secret_0,

  155.                   sizeof(hs->server_traffic_secret_0));

  156.   SSL_ECDH_CTX_cleanup(&hs->ecdh_ctx);

  157.   OPENSSL_free(hs->cookie);

  158.   OPENSSL_free(hs->key_share_bytes);

  159.   OPENSSL_free(hs->public_key);

  160.   OPENSSL_free(hs->peer_sigalgs);

  161.   OPENSSL_free(hs->peer_supported_group_list);

  162.   OPENSSL_free(hs->peer_key);

  163.   OPENSSL_free(hs->server_params);

  164.   OPENSSL_free(hs->peer_psk_identity_hint);

  165.   sk_X509_NAME_pop_free(hs->ca_names, X509_NAME_free);

  166.   OPENSSL_free(hs->certificate_types);

  167. 

  168.   if (hs->key_block != NULL) {

  169.     OPENSSL_cleanse(hs->key_block, hs->key_block_len);

  170.     OPENSSL_free(hs->key_block);

  171.   }

  172. 

  173.   OPENSSL_free(hs->hostname);

  174.   EVP_PKEY_free(hs->peer_pubkey);

  175.   OPENSSL_free(hs);

  176. }

  177. 

  178. /* ssl3_do_write sends |ssl->init_buf| in records of type 'type'

  179.  * (SSL3_RT_HANDSHAKE or SSL3_RT_CHANGE_CIPHER_SPEC). It returns 1 on success

  180.  * and <= 0 on error. */

  181. static int ssl3_do_write(SSL *ssl, int type, const uint8_t *data, size_t len) {

  182.   int ret = ssl3_write_bytes(ssl, type, data, len);

  183.   if (ret <= 0) {

  184.     return ret;

  185.   }

  186. 

  187.   /* ssl3_write_bytes writes the data in its entirety. */

  188.   assert((size_t)ret == len);

  189.   ssl_do_msg_callback(ssl, 1 /* write */, type, data, len);

  190.   return 1;

  191. }

  192. 

  193. int ssl3_init_message(SSL *ssl, CBB *cbb, CBB *body, uint8_t type) {

  194.   CBB_zero(cbb);

  195.   if (ssl->s3->pending_message != NULL) {

  196.     OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);

  197.     return 0;

  198.   }

  199. 

  200.   /* Pick a modest size hint to save most of the |realloc| calls. */

  201.   if (!CBB_init(cbb, 64) ||

  202.       !CBB_add_u8(cbb, type) ||

  203.       !CBB_add_u24_length_prefixed(cbb, body)) {

  204.     OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);

  205.     return 0;

  206.   }

  207. 

  208.   return 1;

  209. }

  210. 

  211. int ssl3_finish_message(SSL *ssl, CBB *cbb, uint8_t **out_msg,

  212.                         size_t *out_len) {

  213.   if (!CBB_finish(cbb, out_msg, out_len)) {

  214.     OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);

  215.     return 0;

  216.   }

  217. 

  218.   return 1;

  219. }

  220. 

  221. int ssl3_queue_message(SSL *ssl, uint8_t *msg, size_t len) {

  222.   if (ssl->s3->pending_message != NULL ||

  223.       len > 0xffffffffu) {

  224.     OPENSSL_free(msg);

  225.     OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);

  226.     return 0;

  227.   }

  228. 

  229.   ssl3_update_handshake_hash(ssl, msg, len);

  230. 

  231.   ssl->s3->pending_message = msg;

  232.   ssl->s3->pending_message_len = (uint32_t)len;

  233.   return 1;

  234. }

  235. 

  236. int ssl_complete_message(SSL *ssl, CBB *cbb) {

  237.   uint8_t *msg;

  238.   size_t len;

  239.   if (!ssl->method->finish_message(ssl, cbb, &msg, &len) ||

  240.       !ssl->method->queue_message(ssl, msg, len)) {

  241.     return 0;

  242.   }

  243. 

  244.   return 1;

  245. }

  246. 

  247. int ssl3_write_message(SSL *ssl) {

  248.   if (ssl->s3->pending_message == NULL) {

  249.     OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);

  250.     return 0;

  251.   }

  252. 

  253.   int ret = ssl3_do_write(ssl, SSL3_RT_HANDSHAKE, ssl->s3->pending_message,

  254.                           ssl->s3->pending_message_len);

  255.   if (ret <= 0) {

  256.     return ret;

  257.   }

  258. 

  259.   OPENSSL_free(ssl->s3->pending_message);

  260.   ssl->s3->pending_message = NULL;

  261.   ssl->s3->pending_message_len = 0;

  262.   return 1;

  263. }

  264. 

  265. int ssl3_send_finished(SSL_HANDSHAKE *hs, int a, int b) {

  266.   SSL *const ssl = hs->ssl;

  267.   if (hs->state == b) {

  268.     return ssl->method->write_message(ssl);

  269.   }

  270. 

  271.   uint8_t finished[EVP_MAX_MD_SIZE];

  272.   size_t finished_len =

  273.       ssl->s3->enc_method->final_finish_mac(ssl, ssl->server, finished);

  274.   if (finished_len == 0) {

  275.     return 0;

  276.   }

  277. 

  278.   /* Log the master secret, if logging is enabled. */

  279.   if (!ssl_log_secret(ssl, "CLIENT_RANDOM",

  280.                       SSL_get_session(ssl)->master_key,

  281.                       SSL_get_session(ssl)->master_key_length)) {

  282.     return 0;

  283.   }

  284. 

  285.   /* Copy the Finished so we can use it for renegotiation checks. */

  286.   if (ssl->version != SSL3_VERSION) {

  287.     if (finished_len > sizeof(ssl->s3->previous_client_finished) ||

  288.         finished_len > sizeof(ssl->s3->previous_server_finished)) {

  289.       OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);

  290.       return -1;

  291.     }

  292. 

  293.     if (ssl->server) {

  294.       memcpy(ssl->s3->previous_server_finished, finished, finished_len);

  295.       ssl->s3->previous_server_finished_len = finished_len;

  296.     } else {

  297.       memcpy(ssl->s3->previous_client_finished, finished, finished_len);

  298.       ssl->s3->previous_client_finished_len = finished_len;

  299.     }

  300.   }

  301. 

  302.   CBB cbb, body;

  303.   if (!ssl->method->init_message(ssl, &cbb, &body, SSL3_MT_FINISHED) ||

  304.       !CBB_add_bytes(&body, finished, finished_len) ||

  305.       !ssl_complete_message(ssl, &cbb)) {

  306.     OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);

  307.     CBB_cleanup(&cbb);

  308.     return -1;

  309.   }

  310. 

  311.   hs->state = b;

  312.   return ssl->method->write_message(ssl);

  313. }

  314. 

  315. int ssl3_get_finished(SSL_HANDSHAKE *hs) {

  316.   SSL *const ssl = hs->ssl;

  317.   int ret = ssl->method->ssl_get_message(ssl, SSL3_MT_FINISHED,

  318.                                          ssl_dont_hash_message);

  319.   if (ret <= 0) {

  320.     return ret;

  321.   }

  322. 

  323.   /* Snapshot the finished hash before incorporating the new message. */

  324.   uint8_t finished[EVP_MAX_MD_SIZE];

  325.   size_t finished_len =

  326.       ssl->s3->enc_method->final_finish_mac(ssl, !ssl->server, finished);

  327.   if (finished_len == 0 ||

  328.       !ssl_hash_current_message(ssl)) {

  329.     return -1;

  330.   }

  331. 

  332.   int finished_ok = ssl->init_num == finished_len &&

  333.                     CRYPTO_memcmp(ssl->init_msg, finished, finished_len) == 0;

  334. #if defined(BORINGSSL_UNSAFE_FUZZER_MODE)

  335.   finished_ok = 1;

  336. #endif

  337.   if (!finished_ok) {

  338.     ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECRYPT_ERROR);

  339.     OPENSSL_PUT_ERROR(SSL, SSL_R_DIGEST_CHECK_FAILED);

  340.     return -1;

  341.   }

  342. 

  343.   /* Copy the Finished so we can use it for renegotiation checks. */

  344.   if (ssl->version != SSL3_VERSION) {

  345.     if (finished_len > sizeof(ssl->s3->previous_client_finished) ||

  346.         finished_len > sizeof(ssl->s3->previous_server_finished)) {

  347.       OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);

  348.       return -1;

  349.     }

  350. 

  351.     if (ssl->server) {

  352.       memcpy(ssl->s3->previous_client_finished, finished, finished_len);

  353.       ssl->s3->previous_client_finished_len = finished_len;

  354.     } else {

  355.       memcpy(ssl->s3->previous_server_finished, finished, finished_len);

  356.       ssl->s3->previous_server_finished_len = finished_len;

  357.     }

  358.   }

  359. 

  360.   return 1;

  361. }

  362. 

  363. int ssl3_send_change_cipher_spec(SSL *ssl) {

  364.   static const uint8_t kChangeCipherSpec[1] = {SSL3_MT_CCS};

  365. 

  366.   return ssl3_do_write(ssl, SSL3_RT_CHANGE_CIPHER_SPEC, kChangeCipherSpec,

  367.                        sizeof(kChangeCipherSpec));

  368. }

  369. 

  370. int ssl3_output_cert_chain(SSL *ssl) {

  371.   CBB cbb, body;

  372.   if (!ssl->method->init_message(ssl, &cbb, &body, SSL3_MT_CERTIFICATE) ||

  373.       !ssl_add_cert_chain(ssl, &body) ||

  374.       !ssl_complete_message(ssl, &cbb)) {

  375.     OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);

  376.     CBB_cleanup(&cbb);

  377.     return 0;

  378.   }

  379. 

  380.   return 1;

  381. }

  382. 

  383. size_t ssl_max_handshake_message_len(const SSL *ssl) {

  384.   /* kMaxMessageLen is the default maximum message size for handshakes which do

  385.    * not accept peer certificate chains. */

  386.   static const size_t kMaxMessageLen = 16384;

  387. 

  388.   if (SSL_in_init(ssl)) {

  389.     if ((!ssl->server || (ssl->verify_mode & SSL_VERIFY_PEER)) &&

  390.         kMaxMessageLen < ssl->max_cert_list) {

  391.       return ssl->max_cert_list;

  392.     }

  393.     return kMaxMessageLen;

  394.   }

  395. 

  396.   if (ssl3_protocol_version(ssl) < TLS1_3_VERSION) {

  397.     /* In TLS 1.2 and below, the largest acceptable post-handshake message is

  398.      * a HelloRequest. */

  399.     return 0;

  400.   }

  401. 

  402.   if (ssl->server) {

  403.     /* The largest acceptable post-handshake message for a server is a

  404.      * KeyUpdate. We will never initiate post-handshake auth. */

  405.     return 0;

  406.   }

  407. 

  408.   /* Clients must accept NewSessionTicket and CertificateRequest, so allow the

  409.    * default size. */

  410.   return kMaxMessageLen;

  411. }

  412. 

  413. static int extend_handshake_buffer(SSL *ssl, size_t length) {

  414.   if (!BUF_MEM_reserve(ssl->init_buf, length)) {

  415.     return -1;

  416.   }

  417.   while (ssl->init_buf->length < length) {

  418.     int ret = ssl3_read_handshake_bytes(

  419.         ssl, (uint8_t *)ssl->init_buf->data + ssl->init_buf->length,

  420.         length - ssl->init_buf->length);

  421.     if (ret <= 0) {

  422.       return ret;

  423.     }

  424.     ssl->init_buf->length += (size_t)ret;

  425.   }

  426.   return 1;

  427. }

  428. 

  429. static int read_v2_client_hello(SSL *ssl, int *out_is_v2_client_hello) {

  430.   /* Read the first 5 bytes, the size of the TLS record header. This is

  431.    * sufficient to detect a V2ClientHello and ensures that we never read beyond

  432.    * the first record. */

  433.   int ret = ssl_read_buffer_extend_to(ssl, SSL3_RT_HEADER_LENGTH);

  434.   if (ret <= 0) {

  435.     return ret;

  436.   }

  437.   const uint8_t *p = ssl_read_buffer(ssl);

  438. 

  439.   /* Some dedicated error codes for protocol mixups should the application wish

  440.    * to interpret them differently. (These do not overlap with ClientHello or

  441.    * V2ClientHello.) */

  442.   if (strncmp("GET ", (const char *)p, 4) == 0 ||

  443.       strncmp("POST ", (const char *)p, 5) == 0 ||

  444.       strncmp("HEAD ", (const char *)p, 5) == 0 ||

  445.       strncmp("PUT ", (const char *)p, 4) == 0) {

  446.     OPENSSL_PUT_ERROR(SSL, SSL_R_HTTP_REQUEST);

  447.     return -1;

  448.   }

  449.   if (strncmp("CONNE", (const char *)p, 5) == 0) {

  450.     OPENSSL_PUT_ERROR(SSL, SSL_R_HTTPS_PROXY_REQUEST);

  451.     return -1;

  452.   }

  453. 

  454.   if ((p[0] & 0x80) == 0 || p[2] != SSL2_MT_CLIENT_HELLO ||

  455.       p[3] != SSL3_VERSION_MAJOR) {

  456.     /* Not a V2ClientHello. */

  457.     *out_is_v2_client_hello = 0;

  458.     return 1;

  459.   }

  460. 

  461.   /* Determine the length of the V2ClientHello. */

  462.   size_t msg_length = ((p[0] & 0x7f) << 8) | p[1];

  463.   if (msg_length > (1024 * 4)) {

  464.     OPENSSL_PUT_ERROR(SSL, SSL_R_RECORD_TOO_LARGE);

  465.     return -1;

  466.   }

  467.   if (msg_length < SSL3_RT_HEADER_LENGTH - 2) {

  468.     /* Reject lengths that are too short early. We have already read

  469.      * |SSL3_RT_HEADER_LENGTH| bytes, so we should not attempt to process an

  470.      * (invalid) V2ClientHello which would be shorter than that. */

  471.     OPENSSL_PUT_ERROR(SSL, SSL_R_RECORD_LENGTH_MISMATCH);

  472.     return -1;

  473.   }

  474. 

  475.   /* Read the remainder of the V2ClientHello. */

  476.   ret = ssl_read_buffer_extend_to(ssl, 2 + msg_length);

  477.   if (ret <= 0) {

  478.     return ret;

  479.   }

  480. 

  481.   CBS v2_client_hello;

  482.   CBS_init(&v2_client_hello, ssl_read_buffer(ssl) + 2, msg_length);

  483. 

  484.   /* The V2ClientHello without the length is incorporated into the handshake

  485.    * hash. */

  486.   if (!ssl3_update_handshake_hash(ssl, CBS_data(&v2_client_hello),

  487.                                   CBS_len(&v2_client_hello))) {

  488.     return -1;

  489.   }

  490. 

  491.   ssl_do_msg_callback(ssl, 0 /* read */, 0 /* V2ClientHello */,

  492.                       CBS_data(&v2_client_hello), CBS_len(&v2_client_hello));

  493. 

  494.   uint8_t msg_type;

  495.   uint16_t version, cipher_spec_length, session_id_length, challenge_length;

  496.   CBS cipher_specs, session_id, challenge;

  497.   if (!CBS_get_u8(&v2_client_hello, &msg_type) ||

  498.       !CBS_get_u16(&v2_client_hello, &version) ||

  499.       !CBS_get_u16(&v2_client_hello, &cipher_spec_length) ||

  500.       !CBS_get_u16(&v2_client_hello, &session_id_length) ||

  501.       !CBS_get_u16(&v2_client_hello, &challenge_length) ||

  502.       !CBS_get_bytes(&v2_client_hello, &cipher_specs, cipher_spec_length) ||

  503.       !CBS_get_bytes(&v2_client_hello, &session_id, session_id_length) ||

  504.       !CBS_get_bytes(&v2_client_hello, &challenge, challenge_length) ||

  505.       CBS_len(&v2_client_hello) != 0) {

  506.     OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);

  507.     return -1;

  508.   }

  509. 

  510.   /* msg_type has already been checked. */

  511.   assert(msg_type == SSL2_MT_CLIENT_HELLO);

  512. 

  513.   /* The client_random is the V2ClientHello challenge. Truncate or

  514.    * left-pad with zeros as needed. */

  515.   size_t rand_len = CBS_len(&challenge);

  516.   if (rand_len > SSL3_RANDOM_SIZE) {

  517.     rand_len = SSL3_RANDOM_SIZE;

  518.   }

  519.   uint8_t random[SSL3_RANDOM_SIZE];

  520.   memset(random, 0, SSL3_RANDOM_SIZE);

  521.   memcpy(random + (SSL3_RANDOM_SIZE - rand_len), CBS_data(&challenge),

  522.          rand_len);

  523. 

  524.   /* Write out an equivalent SSLv3 ClientHello. */

  525.   size_t max_v3_client_hello = SSL3_HM_HEADER_LENGTH + 2 /* version */ +

  526.                                SSL3_RANDOM_SIZE + 1 /* session ID length */ +

  527.                                2 /* cipher list length */ +

  528.                                CBS_len(&cipher_specs) / 3 * 2 +

  529.                                1 /* compression length */ + 1 /* compression */;

  530.   CBB client_hello, hello_body, cipher_suites;

  531.   CBB_zero(&client_hello);

  532.   if (!BUF_MEM_reserve(ssl->init_buf, max_v3_client_hello) ||

  533.       !CBB_init_fixed(&client_hello, (uint8_t *)ssl->init_buf->data,

  534.                       ssl->init_buf->max) ||

  535.       !CBB_add_u8(&client_hello, SSL3_MT_CLIENT_HELLO) ||

  536.       !CBB_add_u24_length_prefixed(&client_hello, &hello_body) ||

  537.       !CBB_add_u16(&hello_body, version) ||

  538.       !CBB_add_bytes(&hello_body, random, SSL3_RANDOM_SIZE) ||

  539.       /* No session id. */

  540.       !CBB_add_u8(&hello_body, 0) ||

  541.       !CBB_add_u16_length_prefixed(&hello_body, &cipher_suites)) {

  542.     CBB_cleanup(&client_hello);

  543.     OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);

  544.     return -1;

  545.   }

  546. 

  547.   /* Copy the cipher suites. */

  548.   while (CBS_len(&cipher_specs) > 0) {

  549.     uint32_t cipher_spec;

  550.     if (!CBS_get_u24(&cipher_specs, &cipher_spec)) {

  551.       CBB_cleanup(&client_hello);

  552.       OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);

  553.       return -1;

  554.     }

  555. 

  556.     /* Skip SSLv2 ciphers. */

  557.     if ((cipher_spec & 0xff0000) != 0) {

  558.       continue;

  559.     }

  560.     if (!CBB_add_u16(&cipher_suites, cipher_spec)) {

  561.       CBB_cleanup(&client_hello);

  562.       OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);

  563.       return -1;

  564.     }

  565.   }

  566. 

  567.   /* Add the null compression scheme and finish. */

  568.   if (!CBB_add_u8(&hello_body, 1) || !CBB_add_u8(&hello_body, 0) ||

  569.       !CBB_finish(&client_hello, NULL, &ssl->init_buf->length)) {

  570.     CBB_cleanup(&client_hello);

  571.     OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);

  572.     return -1;

  573.   }

  574. 

  575.   /* Consume and discard the V2ClientHello. */

  576.   ssl_read_buffer_consume(ssl, 2 + msg_length);

  577.   ssl_read_buffer_discard(ssl);

  578. 

  579.   *out_is_v2_client_hello = 1;

  580.   return 1;

  581. }

  582. 

  583. int ssl3_get_message(SSL *ssl, int msg_type,

  584.                      enum ssl_hash_message_t hash_message) {

  585. again:

  586.   /* Re-create the handshake buffer if needed. */

  587.   if (ssl->init_buf == NULL) {

  588.     ssl->init_buf = BUF_MEM_new();

  589.     if (ssl->init_buf == NULL) {

  590.       return -1;

  591.     }

  592.   }

  593. 

  594.   if (ssl->server && !ssl->s3->v2_hello_done) {

  595.     /* Bypass the record layer for the first message to handle V2ClientHello. */

  596.     assert(hash_message == ssl_hash_message);

  597.     int is_v2_client_hello = 0;

  598.     int ret = read_v2_client_hello(ssl, &is_v2_client_hello);

  599.     if (ret <= 0) {

  600.       return ret;

  601.     }

  602.     if (is_v2_client_hello) {

  603.       /* V2ClientHello is hashed separately. */

  604.       hash_message = ssl_dont_hash_message;

  605.     }

  606.     ssl->s3->v2_hello_done = 1;

  607.   }

  608. 

  609.   if (ssl->s3->tmp.reuse_message) {

  610.     /* A ssl_dont_hash_message call cannot be combined with reuse_message; the

  611.      * ssl_dont_hash_message would have to have been applied to the previous

  612.      * call. */

  613.     assert(hash_message == ssl_hash_message);

  614.     assert(ssl->init_msg != NULL);

  615. 

  616.     ssl->s3->tmp.reuse_message = 0;

  617.     hash_message = ssl_dont_hash_message;

  618.   } else {

  619.     ssl3_release_current_message(ssl, 0 /* don't free buffer */);

  620.   }

  621. 

  622.   /* Read the message header, if we haven't yet. */

  623.   int ret = extend_handshake_buffer(ssl, SSL3_HM_HEADER_LENGTH);

  624.   if (ret <= 0) {

  625.     return ret;

  626.   }

  627. 

  628.   /* Parse out the length. Cap it so the peer cannot force us to buffer up to

  629.    * 2^24 bytes. */

  630.   const uint8_t *p = (uint8_t *)ssl->init_buf->data;

  631.   size_t msg_len = (((uint32_t)p[1]) << 16) | (((uint32_t)p[2]) << 8) | p[3];

  632.   if (msg_len > ssl_max_handshake_message_len(ssl)) {

  633.     ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);

  634.     OPENSSL_PUT_ERROR(SSL, SSL_R_EXCESSIVE_MESSAGE_SIZE);

  635.     return -1;

  636.   }

  637. 

  638.   /* Read the message body, if we haven't yet. */

  639.   ret = extend_handshake_buffer(ssl, SSL3_HM_HEADER_LENGTH + msg_len);

  640.   if (ret <= 0) {

  641.     return ret;

  642.   }

  643. 

  644.   /* We have now received a complete message. */

  645.   ssl_do_msg_callback(ssl, 0 /* read */, SSL3_RT_HANDSHAKE, ssl->init_buf->data,

  646.                       ssl->init_buf->length);

  647. 

  648.   ssl->s3->tmp.message_type = ((const uint8_t *)ssl->init_buf->data)[0];

  649.   ssl->init_msg = (uint8_t*)ssl->init_buf->data + SSL3_HM_HEADER_LENGTH;

  650.   ssl->init_num = ssl->init_buf->length - SSL3_HM_HEADER_LENGTH;

  651. 

  652.   /* Ignore stray HelloRequest messages in the handshake before TLS 1.3. Per RFC

  653.    * 5246, section 7.4.1.1, the server may send HelloRequest at any time. */

  654.   if (!ssl->server && SSL_in_init(ssl) &&

  655.       (!ssl->s3->have_version || ssl3_protocol_version(ssl) < TLS1_3_VERSION) &&

  656.       ssl->s3->tmp.message_type == SSL3_MT_HELLO_REQUEST &&

  657.       ssl->init_num == 0) {

  658.     goto again;

  659.   }

  660. 

  661.   if (msg_type >= 0 && ssl->s3->tmp.message_type != msg_type) {

  662.     ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);

  663.     OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_MESSAGE);

  664.     return -1;

  665.   }

  666. 

  667.   /* Feed this message into MAC computation. */

  668.   if (hash_message == ssl_hash_message && !ssl_hash_current_message(ssl)) {

  669.     return -1;

  670.   }

  671. 

  672.   return 1;

  673. }

  674. 

  675. void ssl3_get_current_message(const SSL *ssl, CBS *out) {

  676.   CBS_init(out, (uint8_t *)ssl->init_buf->data, ssl->init_buf->length);

  677. }

  678. 

  679. int ssl_hash_current_message(SSL *ssl) {

  680.   CBS cbs;

  681.   ssl->method->get_current_message(ssl, &cbs);

  682.   return ssl3_update_handshake_hash(ssl, CBS_data(&cbs), CBS_len(&cbs));

  683. }

  684. 

  685. void ssl3_release_current_message(SSL *ssl, int free_buffer) {

  686.   if (ssl->init_msg != NULL) {

  687.     /* |init_buf| never contains data beyond the current message. */

  688.     assert(SSL3_HM_HEADER_LENGTH + ssl->init_num == ssl->init_buf->length);

  689. 

  690.     /* Clear the current message. */

  691.     ssl->init_msg = NULL;

  692.     ssl->init_num = 0;

  693.     ssl->init_buf->length = 0;

  694.   }

  695. 

  696.   if (free_buffer) {

  697.     BUF_MEM_free(ssl->init_buf);

  698.     ssl->init_buf = NULL;

  699.   }

  700. }

  701. 

  702. int ssl_verify_alarm_type(long type) {

  703.   int al;

  704. 

  705.   switch (type) {

  706.     case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:

  707.     case X509_V_ERR_UNABLE_TO_GET_CRL:

  708.     case X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER:

  709.       al = SSL_AD_UNKNOWN_CA;

  710.       break;

  711. 

  712.     case X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE:

  713.     case X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE:

  714.     case X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY:

  715.     case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:

  716.     case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:

  717.     case X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD:

  718.     case X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD:

  719.     case X509_V_ERR_CERT_NOT_YET_VALID:

  720.     case X509_V_ERR_CRL_NOT_YET_VALID:

  721.     case X509_V_ERR_CERT_UNTRUSTED:

  722.     case X509_V_ERR_CERT_REJECTED:

  723.     case X509_V_ERR_HOSTNAME_MISMATCH:

  724.     case X509_V_ERR_EMAIL_MISMATCH:

  725.     case X509_V_ERR_IP_ADDRESS_MISMATCH:

  726.       al = SSL_AD_BAD_CERTIFICATE;

  727.       break;

  728. 

  729.     case X509_V_ERR_CERT_SIGNATURE_FAILURE:

  730.     case X509_V_ERR_CRL_SIGNATURE_FAILURE:

  731.       al = SSL_AD_DECRYPT_ERROR;

  732.       break;

  733. 

  734.     case X509_V_ERR_CERT_HAS_EXPIRED:

  735.     case X509_V_ERR_CRL_HAS_EXPIRED:

  736.       al = SSL_AD_CERTIFICATE_EXPIRED;

  737.       break;

  738. 

  739.     case X509_V_ERR_CERT_REVOKED:

  740.       al = SSL_AD_CERTIFICATE_REVOKED;

  741.       break;

  742. 

  743.     case X509_V_ERR_UNSPECIFIED:

  744.     case X509_V_ERR_OUT_OF_MEM:

  745.     case X509_V_ERR_INVALID_CALL:

  746.     case X509_V_ERR_STORE_LOOKUP:

  747.       al = SSL_AD_INTERNAL_ERROR;

  748.       break;

  749. 

  750.     case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:

  751.     case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN:

  752.     case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:

  753.     case X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE:

  754.     case X509_V_ERR_CERT_CHAIN_TOO_LONG:

  755.     case X509_V_ERR_PATH_LENGTH_EXCEEDED:

  756.     case X509_V_ERR_INVALID_CA:

  757.       al = SSL_AD_UNKNOWN_CA;

  758.       break;

  759. 

  760.     case X509_V_ERR_APPLICATION_VERIFICATION:

  761.       al = SSL_AD_HANDSHAKE_FAILURE;

  762.       break;

  763. 

  764.     case X509_V_ERR_INVALID_PURPOSE:

  765.       al = SSL_AD_UNSUPPORTED_CERTIFICATE;

  766.       break;

  767. 

  768.     default:

  769.       al = SSL_AD_CERTIFICATE_UNKNOWN;

  770.       break;

  771.   }

  772. 

  773.   return al;

  774. }

  775. 

  776. int ssl_parse_extensions(const CBS *cbs, uint8_t *out_alert,

  777.                          const SSL_EXTENSION_TYPE *ext_types,

  778.                          size_t num_ext_types) {

  779.   /* Reset everything. */

  780.   for (size_t i = 0; i < num_ext_types; i++) {

  781.     *ext_types[i].out_present = 0;

  782.     CBS_init(ext_types[i].out_data, NULL, 0);

  783.   }

  784. 

  785.   CBS copy = *cbs;

  786.   while (CBS_len(&copy) != 0) {

  787.     uint16_t type;

  788.     CBS data;

  789.     if (!CBS_get_u16(&copy, &type) ||

  790.         !CBS_get_u16_length_prefixed(&copy, &data)) {

  791.       OPENSSL_PUT_ERROR(SSL, SSL_R_PARSE_TLSEXT);

  792.       *out_alert = SSL_AD_DECODE_ERROR;

  793.       return 0;

  794.     }

  795. 

  796.     const SSL_EXTENSION_TYPE *ext_type = NULL;

  797.     for (size_t i = 0; i < num_ext_types; i++) {

  798.       if (type == ext_types[i].type) {

  799.         ext_type = &ext_types[i];

  800.         break;

  801.       }

  802.     }

  803. 

  804.     if (ext_type == NULL) {

  805.       OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION);

  806.       *out_alert = SSL_AD_UNSUPPORTED_EXTENSION;

  807.       return 0;

  808.     }

  809. 

  810.     /* Duplicate ext_types are forbidden. */

  811.     if (*ext_type->out_present) {

  812.       OPENSSL_PUT_ERROR(SSL, SSL_R_DUPLICATE_EXTENSION);

  813.       *out_alert = SSL_AD_ILLEGAL_PARAMETER;

  814.       return 0;

  815.     }

  816. 

  817.     *ext_type->out_present = 1;

  818.     *ext_type->out_data = data;

  819.   }

  820. 

  821.   return 1;

  822. }