kris
/
boringssl
1
0
Fork 0
Code Issues 0 Pull-Requests 0 Releases 0 Wiki Aktivität
Du kannst nicht mehr als 25 Themen auswählen Themen müssen entweder mit einem Buchstaben oder einer Ziffer beginnen. Sie können Bindestriche („-“) enthalten und bis zu 35 Zeichen lang sein.
5667 Commits
12 Branches
38 MiB
 
 
 
 
 
 
Struktur: 9978f0a865
Branches Tags
${ item.name }
Erstelle Branch ${ searchTerm }
von „9978f0a865“
${ noResults }
boringssl/ssl/s3_both.cc

656 Zeilen
23 KiB
Originalformat Blame Verlauf 

  1. /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)

  2.  * All rights reserved.

  3.  *

  4.  * This package is an SSL implementation written

  5.  * by Eric Young (eay@cryptsoft.com).

  6.  * The implementation was written so as to conform with Netscapes SSL.

  7.  *

  8.  * This library is free for commercial and non-commercial use as long as

  9.  * the following conditions are aheared to.  The following conditions

  10.  * apply to all code found in this distribution, be it the RC4, RSA,

  11.  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation

  12.  * included with this distribution is covered by the same copyright terms

  13.  * except that the holder is Tim Hudson (tjh@cryptsoft.com).

  14.  *

  15.  * Copyright remains Eric Young's, and as such any Copyright notices in

  16.  * the code are not to be removed.

  17.  * If this package is used in a product, Eric Young should be given attribution

  18.  * as the author of the parts of the library used.

  19.  * This can be in the form of a textual message at program startup or

  20.  * in documentation (online or textual) provided with the package.

  21.  *

  22.  * Redistribution and use in source and binary forms, with or without

  23.  * modification, are permitted provided that the following conditions

  24.  * are met:

  25.  * 1. Redistributions of source code must retain the copyright

  26.  *    notice, this list of conditions and the following disclaimer.

  27.  * 2. Redistributions in binary form must reproduce the above copyright

  28.  *    notice, this list of conditions and the following disclaimer in the

  29.  *    documentation and/or other materials provided with the distribution.

  30.  * 3. All advertising materials mentioning features or use of this software

  31.  *    must display the following acknowledgement:

  32.  *    "This product includes cryptographic software written by

  33.  *     Eric Young (eay@cryptsoft.com)"

  34.  *    The word 'cryptographic' can be left out if the rouines from the library

  35.  *    being used are not cryptographic related :-).

  36.  * 4. If you include any Windows specific code (or a derivative thereof) from

  37.  *    the apps directory (application code) you must include an acknowledgement:

  38.  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"

  39.  *

  40.  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND

  41.  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

  42.  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE

  43.  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE

  44.  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL

  45.  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS

  46.  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

  47.  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT

  48.  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY

  49.  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF

  50.  * SUCH DAMAGE.

  51.  *

  52.  * The licence and distribution terms for any publically available version or

  53.  * derivative of this code cannot be changed.  i.e. this code cannot simply be

  54.  * copied and put under another distribution licence

  55.  * [including the GNU Public Licence.]

  56.  */

  57. /* ====================================================================

  58.  * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.

  59.  *

  60.  * Redistribution and use in source and binary forms, with or without

  61.  * modification, are permitted provided that the following conditions

  62.  * are met:

  63.  *

  64.  * 1. Redistributions of source code must retain the above copyright

  65.  *    notice, this list of conditions and the following disclaimer.

  66.  *

  67.  * 2. Redistributions in binary form must reproduce the above copyright

  68.  *    notice, this list of conditions and the following disclaimer in

  69.  *    the documentation and/or other materials provided with the

  70.  *    distribution.

  71.  *

  72.  * 3. All advertising materials mentioning features or use of this

  73.  *    software must display the following acknowledgment:

  74.  *    "This product includes software developed by the OpenSSL Project

  75.  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"

  76.  *

  77.  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to

  78.  *    endorse or promote products derived from this software without

  79.  *    prior written permission. For written permission, please contact

  80.  *    openssl-core@openssl.org.

  81.  *

  82.  * 5. Products derived from this software may not be called "OpenSSL"

  83.  *    nor may "OpenSSL" appear in their names without prior written

  84.  *    permission of the OpenSSL Project.

  85.  *

  86.  * 6. Redistributions of any form whatsoever must retain the following

  87.  *    acknowledgment:

  88.  *    "This product includes software developed by the OpenSSL Project

  89.  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"

  90.  *

  91.  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY

  92.  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

  93.  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR

  94.  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR

  95.  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,

  96.  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT

  97.  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;

  98.  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

  99.  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,

  100.  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)

  101.  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED

  102.  * OF THE POSSIBILITY OF SUCH DAMAGE.

  103.  * ====================================================================

  104.  *

  105.  * This product includes cryptographic software written by Eric Young

  106.  * (eay@cryptsoft.com).  This product includes software written by Tim

  107.  * Hudson (tjh@cryptsoft.com). */

  108. /* ====================================================================

  109.  * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.

  110.  * ECC cipher suite support in OpenSSL originally developed by

  111.  * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project. */

  112. 

  113. #include <openssl/ssl.h>

  114. 

  115. #include <assert.h>

  116. #include <limits.h>

  117. #include <string.h>

  118. 

  119. #include <openssl/buf.h>

  120. #include <openssl/bytestring.h>

  121. #include <openssl/err.h>

  122. #include <openssl/evp.h>

  123. #include <openssl/mem.h>

  124. #include <openssl/md5.h>

  125. #include <openssl/nid.h>

  126. #include <openssl/rand.h>

  127. #include <openssl/sha.h>

  128. 

  129. #include "../crypto/internal.h"

  130. #include "internal.h"

  131. 

  132. 

  133. BSSL_NAMESPACE_BEGIN

  134. 

  135. static bool add_record_to_flight(SSL *ssl, uint8_t type,

  136.                                  Span<const uint8_t> in) {

  137.   // The caller should have flushed |pending_hs_data| first.

  138.   assert(!ssl->s3->pending_hs_data);

  139.   // We'll never add a flight while in the process of writing it out.

  140.   assert(ssl->s3->pending_flight_offset == 0);

  141. 

  142.   if (ssl->s3->pending_flight == nullptr) {

  143.     ssl->s3->pending_flight.reset(BUF_MEM_new());

  144.     if (ssl->s3->pending_flight == nullptr) {

  145.       return false;

  146.     }

  147.   }

  148. 

  149.   size_t max_out = in.size() + SSL_max_seal_overhead(ssl);

  150.   size_t new_cap = ssl->s3->pending_flight->length + max_out;

  151.   if (max_out < in.size() || new_cap < max_out) {

  152.     OPENSSL_PUT_ERROR(SSL, ERR_R_OVERFLOW);

  153.     return false;

  154.   }

  155. 

  156.   size_t len;

  157.   if (!BUF_MEM_reserve(ssl->s3->pending_flight.get(), new_cap) ||

  158.       !tls_seal_record(ssl,

  159.                        (uint8_t *)ssl->s3->pending_flight->data +

  160.                            ssl->s3->pending_flight->length,

  161.                        &len, max_out, type, in.data(), in.size())) {

  162.     return false;

  163.   }

  164. 

  165.   ssl->s3->pending_flight->length += len;

  166.   return true;

  167. }

  168. 

  169. bool ssl3_init_message(SSL *ssl, CBB *cbb, CBB *body, uint8_t type) {

  170.   // Pick a modest size hint to save most of the |realloc| calls.

  171.   if (!CBB_init(cbb, 64) ||

  172.       !CBB_add_u8(cbb, type) ||

  173.       !CBB_add_u24_length_prefixed(cbb, body)) {

  174.     OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);

  175.     CBB_cleanup(cbb);

  176.     return false;

  177.   }

  178. 

  179.   return true;

  180. }

  181. 

  182. bool ssl3_finish_message(SSL *ssl, CBB *cbb, Array<uint8_t> *out_msg) {

  183.   return CBBFinishArray(cbb, out_msg);

  184. }

  185. 

  186. bool ssl3_add_message(SSL *ssl, Array<uint8_t> msg) {

  187.   // Pack handshake data into the minimal number of records. This avoids

  188.   // unnecessary encryption overhead, notably in TLS 1.3 where we send several

  189.   // encrypted messages in a row. For now, we do not do this for the null

  190.   // cipher. The benefit is smaller and there is a risk of breaking buggy

  191.   // implementations.

  192.   //

  193.   // TODO(davidben): See if we can do this uniformly.

  194.   Span<const uint8_t> rest = msg;

  195.   if (ssl->quic_method == nullptr &&

  196.       ssl->s3->aead_write_ctx->is_null_cipher()) {

  197.     while (!rest.empty()) {

  198.       Span<const uint8_t> chunk = rest.subspan(0, ssl->max_send_fragment);

  199.       rest = rest.subspan(chunk.size());

  200. 

  201.       if (!add_record_to_flight(ssl, SSL3_RT_HANDSHAKE, chunk)) {

  202.         return false;

  203.       }

  204.     }

  205.   } else {

  206.     while (!rest.empty()) {

  207.       // Flush if |pending_hs_data| is full.

  208.       if (ssl->s3->pending_hs_data &&

  209.           ssl->s3->pending_hs_data->length >= ssl->max_send_fragment &&

  210.           !tls_flush_pending_hs_data(ssl)) {

  211.         return false;

  212.       }

  213. 

  214.       size_t pending_len =

  215.           ssl->s3->pending_hs_data ? ssl->s3->pending_hs_data->length : 0;

  216.       Span<const uint8_t> chunk =

  217.           rest.subspan(0, ssl->max_send_fragment - pending_len);

  218.       assert(!chunk.empty());

  219.       rest = rest.subspan(chunk.size());

  220. 

  221.       if (!ssl->s3->pending_hs_data) {

  222.         ssl->s3->pending_hs_data.reset(BUF_MEM_new());

  223.       }

  224.       if (!ssl->s3->pending_hs_data ||

  225.           !BUF_MEM_append(ssl->s3->pending_hs_data.get(), chunk.data(),

  226.                           chunk.size())) {

  227.         return false;

  228.       }

  229.     }

  230.   }

  231. 

  232.   ssl_do_msg_callback(ssl, 1 /* write */, SSL3_RT_HANDSHAKE, msg);

  233.   // TODO(svaldez): Move this up a layer to fix abstraction for SSLTranscript on

  234.   // hs.

  235.   if (ssl->s3->hs != NULL &&

  236.       !ssl->s3->hs->transcript.Update(msg)) {

  237.     return false;

  238.   }

  239.   return true;

  240. }

  241. 

  242. bool tls_flush_pending_hs_data(SSL *ssl) {

  243.   if (!ssl->s3->pending_hs_data || ssl->s3->pending_hs_data->length == 0) {

  244.     return true;

  245.   }

  246. 

  247.   UniquePtr<BUF_MEM> pending_hs_data = std::move(ssl->s3->pending_hs_data);

  248.   auto data =

  249.       MakeConstSpan(reinterpret_cast<const uint8_t *>(pending_hs_data->data),

  250.                     pending_hs_data->length);

  251.   if (ssl->quic_method) {

  252.     if (!ssl->quic_method->add_handshake_data(ssl, ssl->s3->write_level,

  253.                                               data.data(), data.size())) {

  254.       OPENSSL_PUT_ERROR(SSL, SSL_R_QUIC_INTERNAL_ERROR);

  255.       return false;

  256.     }

  257.     return true;

  258.   }

  259. 

  260.   return add_record_to_flight(ssl, SSL3_RT_HANDSHAKE, data);

  261. }

  262. 

  263. bool ssl3_add_change_cipher_spec(SSL *ssl) {

  264.   static const uint8_t kChangeCipherSpec[1] = {SSL3_MT_CCS};

  265. 

  266.   if (!tls_flush_pending_hs_data(ssl)) {

  267.     return false;

  268.   }

  269. 

  270.   if (!ssl->quic_method &&

  271.       !add_record_to_flight(ssl, SSL3_RT_CHANGE_CIPHER_SPEC,

  272.                             kChangeCipherSpec)) {

  273.     return false;

  274.   }

  275. 

  276.   ssl_do_msg_callback(ssl, 1 /* write */, SSL3_RT_CHANGE_CIPHER_SPEC,

  277.                       kChangeCipherSpec);

  278.   return true;

  279. }

  280. 

  281. int ssl3_flush_flight(SSL *ssl) {

  282.   if (!tls_flush_pending_hs_data(ssl)) {

  283.     return -1;

  284.   }

  285. 

  286.   if (ssl->quic_method) {

  287.     if (ssl->s3->write_shutdown != ssl_shutdown_none) {

  288.       OPENSSL_PUT_ERROR(SSL, SSL_R_PROTOCOL_IS_SHUTDOWN);

  289.       return -1;

  290.     }

  291. 

  292.     if (!ssl->quic_method->flush_flight(ssl)) {

  293.       OPENSSL_PUT_ERROR(SSL, SSL_R_QUIC_INTERNAL_ERROR);

  294.       return -1;

  295.     }

  296.   }

  297. 

  298.   if (ssl->s3->pending_flight == nullptr) {

  299.     return 1;

  300.   }

  301. 

  302.   if (ssl->s3->write_shutdown != ssl_shutdown_none) {

  303.     OPENSSL_PUT_ERROR(SSL, SSL_R_PROTOCOL_IS_SHUTDOWN);

  304.     return -1;

  305.   }

  306. 

  307.   static_assert(INT_MAX <= 0xffffffff, "int is larger than 32 bits");

  308.   if (ssl->s3->pending_flight->length > INT_MAX) {

  309.     OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);

  310.     return -1;

  311.   }

  312. 

  313.   // If there is pending data in the write buffer, it must be flushed out before

  314.   // any new data in pending_flight.

  315.   if (!ssl->s3->write_buffer.empty()) {

  316.     int ret = ssl_write_buffer_flush(ssl);

  317.     if (ret <= 0) {

  318.       ssl->s3->rwstate = SSL_WRITING;

  319.       return ret;

  320.     }

  321.   }

  322. 

  323.   // Write the pending flight.

  324.   while (ssl->s3->pending_flight_offset < ssl->s3->pending_flight->length) {

  325.     int ret = BIO_write(

  326.         ssl->wbio.get(),

  327.         ssl->s3->pending_flight->data + ssl->s3->pending_flight_offset,

  328.         ssl->s3->pending_flight->length - ssl->s3->pending_flight_offset);

  329.     if (ret <= 0) {

  330.       ssl->s3->rwstate = SSL_WRITING;

  331.       return ret;

  332.     }

  333. 

  334.     ssl->s3->pending_flight_offset += ret;

  335.   }

  336. 

  337.   if (BIO_flush(ssl->wbio.get()) <= 0) {

  338.     ssl->s3->rwstate = SSL_WRITING;

  339.     return -1;

  340.   }

  341. 

  342.   ssl->s3->pending_flight.reset();

  343.   ssl->s3->pending_flight_offset = 0;

  344.   return 1;

  345. }

  346. 

  347. static ssl_open_record_t read_v2_client_hello(SSL *ssl, size_t *out_consumed,

  348.                                               Span<const uint8_t> in) {

  349.   *out_consumed = 0;

  350.   assert(in.size() >= SSL3_RT_HEADER_LENGTH);

  351.   // Determine the length of the V2ClientHello.

  352.   size_t msg_length = ((in[0] & 0x7f) << 8) | in[1];

  353.   if (msg_length > (1024 * 4)) {

  354.     OPENSSL_PUT_ERROR(SSL, SSL_R_RECORD_TOO_LARGE);

  355.     return ssl_open_record_error;

  356.   }

  357.   if (msg_length < SSL3_RT_HEADER_LENGTH - 2) {

  358.     // Reject lengths that are too short early. We have already read

  359.     // |SSL3_RT_HEADER_LENGTH| bytes, so we should not attempt to process an

  360.     // (invalid) V2ClientHello which would be shorter than that.

  361.     OPENSSL_PUT_ERROR(SSL, SSL_R_RECORD_LENGTH_MISMATCH);

  362.     return ssl_open_record_error;

  363.   }

  364. 

  365.   // Ask for the remainder of the V2ClientHello.

  366.   if (in.size() < 2 + msg_length) {

  367.     *out_consumed = 2 + msg_length;

  368.     return ssl_open_record_partial;

  369.   }

  370. 

  371.   CBS v2_client_hello = CBS(ssl->s3->read_buffer.span().subspan(2, msg_length));

  372.   // The V2ClientHello without the length is incorporated into the handshake

  373.   // hash. This is only ever called at the start of the handshake, so hs is

  374.   // guaranteed to be non-NULL.

  375.   if (!ssl->s3->hs->transcript.Update(v2_client_hello)) {

  376.     return ssl_open_record_error;

  377.   }

  378. 

  379.   ssl_do_msg_callback(ssl, 0 /* read */, 0 /* V2ClientHello */,

  380.                       v2_client_hello);

  381. 

  382.   uint8_t msg_type;

  383.   uint16_t version, cipher_spec_length, session_id_length, challenge_length;

  384.   CBS cipher_specs, session_id, challenge;

  385.   if (!CBS_get_u8(&v2_client_hello, &msg_type) ||

  386.       !CBS_get_u16(&v2_client_hello, &version) ||

  387.       !CBS_get_u16(&v2_client_hello, &cipher_spec_length) ||

  388.       !CBS_get_u16(&v2_client_hello, &session_id_length) ||

  389.       !CBS_get_u16(&v2_client_hello, &challenge_length) ||

  390.       !CBS_get_bytes(&v2_client_hello, &cipher_specs, cipher_spec_length) ||

  391.       !CBS_get_bytes(&v2_client_hello, &session_id, session_id_length) ||

  392.       !CBS_get_bytes(&v2_client_hello, &challenge, challenge_length) ||

  393.       CBS_len(&v2_client_hello) != 0) {

  394.     OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);

  395.     return ssl_open_record_error;

  396.   }

  397. 

  398.   // msg_type has already been checked.

  399.   assert(msg_type == SSL2_MT_CLIENT_HELLO);

  400. 

  401.   // The client_random is the V2ClientHello challenge. Truncate or left-pad with

  402.   // zeros as needed.

  403.   size_t rand_len = CBS_len(&challenge);

  404.   if (rand_len > SSL3_RANDOM_SIZE) {

  405.     rand_len = SSL3_RANDOM_SIZE;

  406.   }

  407.   uint8_t random[SSL3_RANDOM_SIZE];

  408.   OPENSSL_memset(random, 0, SSL3_RANDOM_SIZE);

  409.   OPENSSL_memcpy(random + (SSL3_RANDOM_SIZE - rand_len), CBS_data(&challenge),

  410.                  rand_len);

  411. 

  412.   // Write out an equivalent TLS ClientHello directly to the handshake buffer.

  413.   size_t max_v3_client_hello = SSL3_HM_HEADER_LENGTH + 2 /* version */ +

  414.                                SSL3_RANDOM_SIZE + 1 /* session ID length */ +

  415.                                2 /* cipher list length */ +

  416.                                CBS_len(&cipher_specs) / 3 * 2 +

  417.                                1 /* compression length */ + 1 /* compression */;

  418.   ScopedCBB client_hello;

  419.   CBB hello_body, cipher_suites;

  420.   if (!ssl->s3->hs_buf) {

  421.     ssl->s3->hs_buf.reset(BUF_MEM_new());

  422.   }

  423.   if (!ssl->s3->hs_buf ||

  424.       !BUF_MEM_reserve(ssl->s3->hs_buf.get(), max_v3_client_hello) ||

  425.       !CBB_init_fixed(client_hello.get(), (uint8_t *)ssl->s3->hs_buf->data,

  426.                       ssl->s3->hs_buf->max) ||

  427.       !CBB_add_u8(client_hello.get(), SSL3_MT_CLIENT_HELLO) ||

  428.       !CBB_add_u24_length_prefixed(client_hello.get(), &hello_body) ||

  429.       !CBB_add_u16(&hello_body, version) ||

  430.       !CBB_add_bytes(&hello_body, random, SSL3_RANDOM_SIZE) ||

  431.       // No session id.

  432.       !CBB_add_u8(&hello_body, 0) ||

  433.       !CBB_add_u16_length_prefixed(&hello_body, &cipher_suites)) {

  434.     OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);

  435.     return ssl_open_record_error;

  436.   }

  437. 

  438.   // Copy the cipher suites.

  439.   while (CBS_len(&cipher_specs) > 0) {

  440.     uint32_t cipher_spec;

  441.     if (!CBS_get_u24(&cipher_specs, &cipher_spec)) {

  442.       OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);

  443.       return ssl_open_record_error;

  444.     }

  445. 

  446.     // Skip SSLv2 ciphers.

  447.     if ((cipher_spec & 0xff0000) != 0) {

  448.       continue;

  449.     }

  450.     if (!CBB_add_u16(&cipher_suites, cipher_spec)) {

  451.       OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);

  452.       return ssl_open_record_error;

  453.     }

  454.   }

  455. 

  456.   // Add the null compression scheme and finish.

  457.   if (!CBB_add_u8(&hello_body, 1) ||

  458.       !CBB_add_u8(&hello_body, 0) ||

  459.       !CBB_finish(client_hello.get(), NULL, &ssl->s3->hs_buf->length)) {

  460.     OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);

  461.     return ssl_open_record_error;

  462.   }

  463. 

  464.   *out_consumed = 2 + msg_length;

  465.   ssl->s3->is_v2_hello = true;

  466.   return ssl_open_record_success;

  467. }

  468. 

  469. static bool parse_message(const SSL *ssl, SSLMessage *out,

  470.                           size_t *out_bytes_needed) {

  471.   if (!ssl->s3->hs_buf) {

  472.     *out_bytes_needed = 4;

  473.     return false;

  474.   }

  475. 

  476.   CBS cbs;

  477.   uint32_t len;

  478.   CBS_init(&cbs, reinterpret_cast<const uint8_t *>(ssl->s3->hs_buf->data),

  479.            ssl->s3->hs_buf->length);

  480.   if (!CBS_get_u8(&cbs, &out->type) ||

  481.       !CBS_get_u24(&cbs, &len)) {

  482.     *out_bytes_needed = 4;

  483.     return false;

  484.   }

  485. 

  486.   if (!CBS_get_bytes(&cbs, &out->body, len)) {

  487.     *out_bytes_needed = 4 + len;

  488.     return false;

  489.   }

  490. 

  491.   CBS_init(&out->raw, reinterpret_cast<const uint8_t *>(ssl->s3->hs_buf->data),

  492.            4 + len);

  493.   out->is_v2_hello = ssl->s3->is_v2_hello;

  494.   return true;

  495. }

  496. 

  497. bool ssl3_get_message(SSL *ssl, SSLMessage *out) {

  498.   size_t unused;

  499.   if (!parse_message(ssl, out, &unused)) {

  500.     return false;

  501.   }

  502.   if (!ssl->s3->has_message) {

  503.     if (!out->is_v2_hello) {

  504.       ssl_do_msg_callback(ssl, 0 /* read */, SSL3_RT_HANDSHAKE, out->raw);

  505.     }

  506.     ssl->s3->has_message = true;

  507.   }

  508.   return true;

  509. }

  510. 

  511. bool tls_can_accept_handshake_data(const SSL *ssl, uint8_t *out_alert) {

  512.   // If there is a complete message, the caller must have consumed it first.

  513.   SSLMessage msg;

  514.   size_t bytes_needed;

  515.   if (parse_message(ssl, &msg, &bytes_needed)) {

  516.     OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);

  517.     *out_alert = SSL_AD_INTERNAL_ERROR;

  518.     return false;

  519.   }

  520. 

  521.   // Enforce the limit so the peer cannot force us to buffer 16MB.

  522.   if (bytes_needed > 4 + ssl_max_handshake_message_len(ssl)) {

  523.     OPENSSL_PUT_ERROR(SSL, SSL_R_EXCESSIVE_MESSAGE_SIZE);

  524.     *out_alert = SSL_AD_ILLEGAL_PARAMETER;

  525.     return false;

  526.   }

  527. 

  528.   return true;

  529. }

  530. 

  531. bool tls_has_unprocessed_handshake_data(const SSL *ssl) {

  532.   size_t msg_len = 0;

  533.   if (ssl->s3->has_message) {

  534.     SSLMessage msg;

  535.     size_t unused;

  536.     if (parse_message(ssl, &msg, &unused)) {

  537.       msg_len = CBS_len(&msg.raw);

  538.     }

  539.   }

  540. 

  541.   return ssl->s3->hs_buf && ssl->s3->hs_buf->length > msg_len;

  542. }

  543. 

  544. bool tls_append_handshake_data(SSL *ssl, Span<const uint8_t> data) {

  545.   // Re-create the handshake buffer if needed.

  546.   if (!ssl->s3->hs_buf) {

  547.     ssl->s3->hs_buf.reset(BUF_MEM_new());

  548.   }

  549.   return ssl->s3->hs_buf &&

  550.          BUF_MEM_append(ssl->s3->hs_buf.get(), data.data(), data.size());

  551. }

  552. 

  553. ssl_open_record_t ssl3_open_handshake(SSL *ssl, size_t *out_consumed,

  554.                                       uint8_t *out_alert, Span<uint8_t> in) {

  555.   *out_consumed = 0;

  556.   // Bypass the record layer for the first message to handle V2ClientHello.

  557.   if (ssl->server && !ssl->s3->v2_hello_done) {

  558.     // Ask for the first 5 bytes, the size of the TLS record header. This is

  559.     // sufficient to detect a V2ClientHello and ensures that we never read

  560.     // beyond the first record.

  561.     if (in.size() < SSL3_RT_HEADER_LENGTH) {

  562.       *out_consumed = SSL3_RT_HEADER_LENGTH;

  563.       return ssl_open_record_partial;

  564.     }

  565. 

  566.     // Some dedicated error codes for protocol mixups should the application

  567.     // wish to interpret them differently. (These do not overlap with

  568.     // ClientHello or V2ClientHello.)

  569.     const char *str = reinterpret_cast<const char*>(in.data());

  570.     if (strncmp("GET ", str, 4) == 0 ||

  571.         strncmp("POST ", str, 5) == 0 ||

  572.         strncmp("HEAD ", str, 5) == 0 ||

  573.         strncmp("PUT ", str, 4) == 0) {

  574.       OPENSSL_PUT_ERROR(SSL, SSL_R_HTTP_REQUEST);

  575.       *out_alert = 0;

  576.       return ssl_open_record_error;

  577.     }

  578.     if (strncmp("CONNE", str, 5) == 0) {

  579.       OPENSSL_PUT_ERROR(SSL, SSL_R_HTTPS_PROXY_REQUEST);

  580.       *out_alert = 0;

  581.       return ssl_open_record_error;

  582.     }

  583. 

  584.     // Check for a V2ClientHello.

  585.     if ((in[0] & 0x80) != 0 && in[2] == SSL2_MT_CLIENT_HELLO &&

  586.         in[3] == SSL3_VERSION_MAJOR) {

  587.       auto ret = read_v2_client_hello(ssl, out_consumed, in);

  588.       if (ret == ssl_open_record_error) {

  589.         *out_alert = 0;

  590.       } else if (ret == ssl_open_record_success) {

  591.         ssl->s3->v2_hello_done = true;

  592.       }

  593.       return ret;

  594.     }

  595. 

  596.     ssl->s3->v2_hello_done = true;

  597.   }

  598. 

  599.   uint8_t type;

  600.   Span<uint8_t> body;

  601.   auto ret = tls_open_record(ssl, &type, &body, out_consumed, out_alert, in);

  602.   if (ret != ssl_open_record_success) {

  603.     return ret;

  604.   }

  605. 

  606.   // WatchGuard's TLS 1.3 interference bug is very distinctive: they drop the

  607.   // ServerHello and send the remaining encrypted application data records

  608.   // as-is. This manifests as an application data record when we expect

  609.   // handshake. Report a dedicated error code for this case.

  610.   if (!ssl->server && type == SSL3_RT_APPLICATION_DATA &&

  611.       ssl->s3->aead_read_ctx->is_null_cipher()) {

  612.     OPENSSL_PUT_ERROR(SSL, SSL_R_APPLICATION_DATA_INSTEAD_OF_HANDSHAKE);

  613.     *out_alert = SSL_AD_UNEXPECTED_MESSAGE;

  614.     return ssl_open_record_error;

  615.   }

  616. 

  617.   if (type != SSL3_RT_HANDSHAKE) {

  618.     OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_RECORD);

  619.     *out_alert = SSL_AD_UNEXPECTED_MESSAGE;

  620.     return ssl_open_record_error;

  621.   }

  622. 

  623.   // Append the entire handshake record to the buffer.

  624.   if (!tls_append_handshake_data(ssl, body)) {

  625.     *out_alert = SSL_AD_INTERNAL_ERROR;

  626.     return ssl_open_record_error;

  627.   }

  628. 

  629.   return ssl_open_record_success;

  630. }

  631. 

  632. void ssl3_next_message(SSL *ssl) {

  633.   SSLMessage msg;

  634.   if (!ssl3_get_message(ssl, &msg) ||

  635.       !ssl->s3->hs_buf ||

  636.       ssl->s3->hs_buf->length < CBS_len(&msg.raw)) {

  637.     assert(0);

  638.     return;

  639.   }

  640. 

  641.   OPENSSL_memmove(ssl->s3->hs_buf->data,

  642.                   ssl->s3->hs_buf->data + CBS_len(&msg.raw),

  643.                   ssl->s3->hs_buf->length - CBS_len(&msg.raw));

  644.   ssl->s3->hs_buf->length -= CBS_len(&msg.raw);

  645.   ssl->s3->is_v2_hello = false;

  646.   ssl->s3->has_message = false;

  647. 

  648.   // Post-handshake messages are rare, so release the buffer after every

  649.   // message. During the handshake, |on_handshake_complete| will release it.

  650.   if (!SSL_in_init(ssl) && ssl->s3->hs_buf->length == 0) {

  651.     ssl->s3->hs_buf.reset();

  652.   }

  653. }

  654. 

  655. BSSL_NAMESPACE_END