kris
/
boringssl
1
0
Fork 0
Koodi Ongelmat 0 Pull-pyynnöt 0 Julkaisut 0 Wiki Toiminta
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
4373 Commitit
12 Branchit
38 MiB
 
 
 
 
 
 
Puu: a1ce85696d
Branchit Tagit
${ item.name }
Create branch ${ searchTerm }
from 'a1ce85696d'
${ noResults }
boringssl/ssl/s3_both.c

825 rivejä
27 KiB
Raaka Blame Historia 

  1. /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)

  2.  * All rights reserved.

  3.  *

  4.  * This package is an SSL implementation written

  5.  * by Eric Young (eay@cryptsoft.com).

  6.  * The implementation was written so as to conform with Netscapes SSL.

  7.  *

  8.  * This library is free for commercial and non-commercial use as long as

  9.  * the following conditions are aheared to.  The following conditions

  10.  * apply to all code found in this distribution, be it the RC4, RSA,

  11.  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation

  12.  * included with this distribution is covered by the same copyright terms

  13.  * except that the holder is Tim Hudson (tjh@cryptsoft.com).

  14.  *

  15.  * Copyright remains Eric Young's, and as such any Copyright notices in

  16.  * the code are not to be removed.

  17.  * If this package is used in a product, Eric Young should be given attribution

  18.  * as the author of the parts of the library used.

  19.  * This can be in the form of a textual message at program startup or

  20.  * in documentation (online or textual) provided with the package.

  21.  *

  22.  * Redistribution and use in source and binary forms, with or without

  23.  * modification, are permitted provided that the following conditions

  24.  * are met:

  25.  * 1. Redistributions of source code must retain the copyright

  26.  *    notice, this list of conditions and the following disclaimer.

  27.  * 2. Redistributions in binary form must reproduce the above copyright

  28.  *    notice, this list of conditions and the following disclaimer in the

  29.  *    documentation and/or other materials provided with the distribution.

  30.  * 3. All advertising materials mentioning features or use of this software

  31.  *    must display the following acknowledgement:

  32.  *    "This product includes cryptographic software written by

  33.  *     Eric Young (eay@cryptsoft.com)"

  34.  *    The word 'cryptographic' can be left out if the rouines from the library

  35.  *    being used are not cryptographic related :-).

  36.  * 4. If you include any Windows specific code (or a derivative thereof) from

  37.  *    the apps directory (application code) you must include an acknowledgement:

  38.  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"

  39.  *

  40.  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND

  41.  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

  42.  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE

  43.  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE

  44.  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL

  45.  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS

  46.  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

  47.  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT

  48.  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY

  49.  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF

  50.  * SUCH DAMAGE.

  51.  *

  52.  * The licence and distribution terms for any publically available version or

  53.  * derivative of this code cannot be changed.  i.e. this code cannot simply be

  54.  * copied and put under another distribution licence

  55.  * [including the GNU Public Licence.]

  56.  */

  57. /* ====================================================================

  58.  * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.

  59.  *

  60.  * Redistribution and use in source and binary forms, with or without

  61.  * modification, are permitted provided that the following conditions

  62.  * are met:

  63.  *

  64.  * 1. Redistributions of source code must retain the above copyright

  65.  *    notice, this list of conditions and the following disclaimer.

  66.  *

  67.  * 2. Redistributions in binary form must reproduce the above copyright

  68.  *    notice, this list of conditions and the following disclaimer in

  69.  *    the documentation and/or other materials provided with the

  70.  *    distribution.

  71.  *

  72.  * 3. All advertising materials mentioning features or use of this

  73.  *    software must display the following acknowledgment:

  74.  *    "This product includes software developed by the OpenSSL Project

  75.  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"

  76.  *

  77.  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to

  78.  *    endorse or promote products derived from this software without

  79.  *    prior written permission. For written permission, please contact

  80.  *    openssl-core@openssl.org.

  81.  *

  82.  * 5. Products derived from this software may not be called "OpenSSL"

  83.  *    nor may "OpenSSL" appear in their names without prior written

  84.  *    permission of the OpenSSL Project.

  85.  *

  86.  * 6. Redistributions of any form whatsoever must retain the following

  87.  *    acknowledgment:

  88.  *    "This product includes software developed by the OpenSSL Project

  89.  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"

  90.  *

  91.  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY

  92.  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

  93.  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR

  94.  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR

  95.  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,

  96.  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT

  97.  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;

  98.  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

  99.  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,

  100.  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)

  101.  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED

  102.  * OF THE POSSIBILITY OF SUCH DAMAGE.

  103.  * ====================================================================

  104.  *

  105.  * This product includes cryptographic software written by Eric Young

  106.  * (eay@cryptsoft.com).  This product includes software written by Tim

  107.  * Hudson (tjh@cryptsoft.com). */

  108. /* ====================================================================

  109.  * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.

  110.  * ECC cipher suite support in OpenSSL originally developed by

  111.  * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project. */

  112. 

  113. #include <openssl/ssl.h>

  114. 

  115. #include <assert.h>

  116. #include <limits.h>

  117. #include <string.h>

  118. 

  119. #include <openssl/buf.h>

  120. #include <openssl/bytestring.h>

  121. #include <openssl/err.h>

  122. #include <openssl/evp.h>

  123. #include <openssl/mem.h>

  124. #include <openssl/md5.h>

  125. #include <openssl/nid.h>

  126. #include <openssl/rand.h>

  127. #include <openssl/sha.h>

  128. 

  129. #include "../crypto/internal.h"

  130. #include "internal.h"

  131. 

  132. 

  133. SSL_HANDSHAKE *ssl_handshake_new(SSL *ssl) {

  134.   SSL_HANDSHAKE *hs = OPENSSL_malloc(sizeof(SSL_HANDSHAKE));

  135.   if (hs == NULL) {

  136.     OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);

  137.     return NULL;

  138.   }

  139.   OPENSSL_memset(hs, 0, sizeof(SSL_HANDSHAKE));

  140.   hs->ssl = ssl;

  141.   hs->wait = ssl_hs_ok;

  142.   hs->state = SSL_ST_INIT;

  143.   if (!SSL_TRANSCRIPT_init(&hs->transcript)) {

  144.     ssl_handshake_free(hs);

  145.     return NULL;

  146.   }

  147.   return hs;

  148. }

  149. 

  150. void ssl_handshake_free(SSL_HANDSHAKE *hs) {

  151.   if (hs == NULL) {

  152.     return;

  153.   }

  154. 

  155.   OPENSSL_cleanse(hs->secret, sizeof(hs->secret));

  156.   OPENSSL_cleanse(hs->early_traffic_secret, sizeof(hs->early_traffic_secret));

  157.   OPENSSL_cleanse(hs->client_handshake_secret,

  158.                   sizeof(hs->client_handshake_secret));

  159.   OPENSSL_cleanse(hs->server_handshake_secret,

  160.                   sizeof(hs->server_handshake_secret));

  161.   OPENSSL_cleanse(hs->client_traffic_secret_0,

  162.                   sizeof(hs->client_traffic_secret_0));

  163.   OPENSSL_cleanse(hs->server_traffic_secret_0,

  164.                   sizeof(hs->server_traffic_secret_0));

  165.   SSL_ECDH_CTX_cleanup(&hs->ecdh_ctx);

  166.   SSL_TRANSCRIPT_cleanup(&hs->transcript);

  167.   OPENSSL_free(hs->cookie);

  168.   OPENSSL_free(hs->key_share_bytes);

  169.   OPENSSL_free(hs->ecdh_public_key);

  170.   SSL_SESSION_free(hs->new_session);

  171.   SSL_SESSION_free(hs->early_session);

  172.   OPENSSL_free(hs->peer_sigalgs);

  173.   OPENSSL_free(hs->peer_supported_group_list);

  174.   OPENSSL_free(hs->peer_key);

  175.   OPENSSL_free(hs->server_params);

  176.   OPENSSL_free(hs->peer_psk_identity_hint);

  177.   sk_CRYPTO_BUFFER_pop_free(hs->ca_names, CRYPTO_BUFFER_free);

  178.   hs->ssl->ctx->x509_method->hs_flush_cached_ca_names(hs);

  179.   OPENSSL_free(hs->certificate_types);

  180. 

  181.   if (hs->key_block != NULL) {

  182.     OPENSSL_cleanse(hs->key_block, hs->key_block_len);

  183.     OPENSSL_free(hs->key_block);

  184.   }

  185. 

  186.   OPENSSL_free(hs->hostname);

  187.   EVP_PKEY_free(hs->peer_pubkey);

  188.   EVP_PKEY_free(hs->local_pubkey);

  189.   OPENSSL_free(hs);

  190. }

  191. 

  192. int ssl_check_message_type(SSL *ssl, int type) {

  193.   if (ssl->s3->tmp.message_type != type) {

  194.     ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);

  195.     OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_MESSAGE);

  196.     ERR_add_error_dataf("got type %d, wanted type %d",

  197.                         ssl->s3->tmp.message_type, type);

  198.     return 0;

  199.   }

  200. 

  201.   return 1;

  202. }

  203. 

  204. static int add_record_to_flight(SSL *ssl, uint8_t type, const uint8_t *in,

  205.                                 size_t in_len) {

  206.   /* We'll never add a flight while in the process of writing it out. */

  207.   assert(ssl->s3->pending_flight_offset == 0);

  208. 

  209.   if (ssl->s3->pending_flight == NULL) {

  210.     ssl->s3->pending_flight = BUF_MEM_new();

  211.     if (ssl->s3->pending_flight == NULL) {

  212.       return 0;

  213.     }

  214.   }

  215. 

  216.   size_t max_out = in_len + SSL_max_seal_overhead(ssl);

  217.   size_t new_cap = ssl->s3->pending_flight->length + max_out;

  218.   if (max_out < in_len || new_cap < max_out) {

  219.     OPENSSL_PUT_ERROR(SSL, ERR_R_OVERFLOW);

  220.     return 0;

  221.   }

  222. 

  223.   size_t len;

  224.   if (!BUF_MEM_reserve(ssl->s3->pending_flight, new_cap) ||

  225.       !tls_seal_record(ssl, (uint8_t *)ssl->s3->pending_flight->data +

  226.                                 ssl->s3->pending_flight->length,

  227.                        &len, max_out, type, in, in_len)) {

  228.     return 0;

  229.   }

  230. 

  231.   ssl->s3->pending_flight->length += len;

  232.   return 1;

  233. }

  234. 

  235. int ssl3_init_message(SSL *ssl, CBB *cbb, CBB *body, uint8_t type) {

  236.   /* Pick a modest size hint to save most of the |realloc| calls. */

  237.   if (!CBB_init(cbb, 64) ||

  238.       !CBB_add_u8(cbb, type) ||

  239.       !CBB_add_u24_length_prefixed(cbb, body)) {

  240.     OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);

  241.     CBB_cleanup(cbb);

  242.     return 0;

  243.   }

  244. 

  245.   return 1;

  246. }

  247. 

  248. int ssl3_finish_message(SSL *ssl, CBB *cbb, uint8_t **out_msg,

  249.                         size_t *out_len) {

  250.   if (!CBB_finish(cbb, out_msg, out_len)) {

  251.     OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);

  252.     return 0;

  253.   }

  254. 

  255.   return 1;

  256. }

  257. 

  258. int ssl3_add_message(SSL *ssl, uint8_t *msg, size_t len) {

  259.   /* Add the message to the current flight, splitting into several records if

  260.    * needed. */

  261.   int ret = 0;

  262.   size_t added = 0;

  263.   do {

  264.     size_t todo = len - added;

  265.     if (todo > ssl->max_send_fragment) {

  266.       todo = ssl->max_send_fragment;

  267.     }

  268. 

  269.     if (!add_record_to_flight(ssl, SSL3_RT_HANDSHAKE, msg + added, todo)) {

  270.       goto err;

  271.     }

  272.     added += todo;

  273.   } while (added < len);

  274. 

  275.   ssl_do_msg_callback(ssl, 1 /* write */, SSL3_RT_HANDSHAKE, msg, len);

  276.   /* TODO(svaldez): Move this up a layer to fix abstraction for SSL_TRANSCRIPT

  277.    * on hs. */

  278.   if (ssl->s3->hs != NULL &&

  279.       !SSL_TRANSCRIPT_update(&ssl->s3->hs->transcript, msg, len)) {

  280.     goto err;

  281.   }

  282.   ret = 1;

  283. 

  284. err:

  285.   OPENSSL_free(msg);

  286.   return ret;

  287. }

  288. 

  289. int ssl3_add_change_cipher_spec(SSL *ssl) {

  290.   static const uint8_t kChangeCipherSpec[1] = {SSL3_MT_CCS};

  291. 

  292.   if (!add_record_to_flight(ssl, SSL3_RT_CHANGE_CIPHER_SPEC, kChangeCipherSpec,

  293.                             sizeof(kChangeCipherSpec))) {

  294.     return 0;

  295.   }

  296. 

  297.   ssl_do_msg_callback(ssl, 1 /* write */, SSL3_RT_CHANGE_CIPHER_SPEC,

  298.                       kChangeCipherSpec, sizeof(kChangeCipherSpec));

  299.   return 1;

  300. }

  301. 

  302. int ssl3_add_alert(SSL *ssl, uint8_t level, uint8_t desc) {

  303.   uint8_t alert[2] = {level, desc};

  304.   if (!add_record_to_flight(ssl, SSL3_RT_ALERT, alert, sizeof(alert))) {

  305.     return 0;

  306.   }

  307. 

  308.   ssl_do_msg_callback(ssl, 1 /* write */, SSL3_RT_ALERT, alert, sizeof(alert));

  309.   ssl_do_info_callback(ssl, SSL_CB_WRITE_ALERT, ((int)level << 8) | desc);

  310.   return 1;

  311. }

  312. 

  313. int ssl_add_message_cbb(SSL *ssl, CBB *cbb) {

  314.   uint8_t *msg;

  315.   size_t len;

  316.   if (!ssl->method->finish_message(ssl, cbb, &msg, &len) ||

  317.       !ssl->method->add_message(ssl, msg, len)) {

  318.     return 0;

  319.   }

  320. 

  321.   return 1;

  322. }

  323. 

  324. int ssl3_flush_flight(SSL *ssl) {

  325.   if (ssl->s3->pending_flight == NULL) {

  326.     return 1;

  327.   }

  328. 

  329.   if (ssl->s3->pending_flight->length > 0xffffffff ||

  330.       ssl->s3->pending_flight->length > INT_MAX) {

  331.     OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);

  332.     return -1;

  333.   }

  334. 

  335.   /* If there is pending data in the write buffer, it must be flushed out before

  336.    * any new data in pending_flight. */

  337.   if (ssl_write_buffer_is_pending(ssl)) {

  338.     int ret = ssl_write_buffer_flush(ssl);

  339.     if (ret <= 0) {

  340.       ssl->rwstate = SSL_WRITING;

  341.       return ret;

  342.     }

  343.   }

  344. 

  345.   /* Write the pending flight. */

  346.   while (ssl->s3->pending_flight_offset < ssl->s3->pending_flight->length) {

  347.     int ret = BIO_write(

  348.         ssl->wbio,

  349.         ssl->s3->pending_flight->data + ssl->s3->pending_flight_offset,

  350.         ssl->s3->pending_flight->length - ssl->s3->pending_flight_offset);

  351.     if (ret <= 0) {

  352.       ssl->rwstate = SSL_WRITING;

  353.       return ret;

  354.     }

  355. 

  356.     ssl->s3->pending_flight_offset += ret;

  357.   }

  358. 

  359.   if (BIO_flush(ssl->wbio) <= 0) {

  360.     ssl->rwstate = SSL_WRITING;

  361.     return -1;

  362.   }

  363. 

  364.   BUF_MEM_free(ssl->s3->pending_flight);

  365.   ssl->s3->pending_flight = NULL;

  366.   ssl->s3->pending_flight_offset = 0;

  367.   return 1;

  368. }

  369. 

  370. int ssl3_send_finished(SSL_HANDSHAKE *hs) {

  371.   SSL *const ssl = hs->ssl;

  372.   const SSL_SESSION *session = SSL_get_session(ssl);

  373. 

  374.   uint8_t finished[EVP_MAX_MD_SIZE];

  375.   size_t finished_len;

  376.   if (!SSL_TRANSCRIPT_finish_mac(&hs->transcript, finished, &finished_len,

  377.                                  session, ssl->server,

  378.                                  ssl3_protocol_version(ssl))) {

  379.     return 0;

  380.   }

  381. 

  382.   /* Log the master secret, if logging is enabled. */

  383.   if (!ssl_log_secret(ssl, "CLIENT_RANDOM",

  384.                       session->master_key,

  385.                       session->master_key_length)) {

  386.     return 0;

  387.   }

  388. 

  389.   /* Copy the Finished so we can use it for renegotiation checks. */

  390.   if (ssl->version != SSL3_VERSION) {

  391.     if (finished_len > sizeof(ssl->s3->previous_client_finished) ||

  392.         finished_len > sizeof(ssl->s3->previous_server_finished)) {

  393.       OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);

  394.       return -1;

  395.     }

  396. 

  397.     if (ssl->server) {

  398.       OPENSSL_memcpy(ssl->s3->previous_server_finished, finished, finished_len);

  399.       ssl->s3->previous_server_finished_len = finished_len;

  400.     } else {

  401.       OPENSSL_memcpy(ssl->s3->previous_client_finished, finished, finished_len);

  402.       ssl->s3->previous_client_finished_len = finished_len;

  403.     }

  404.   }

  405. 

  406.   CBB cbb, body;

  407.   if (!ssl->method->init_message(ssl, &cbb, &body, SSL3_MT_FINISHED) ||

  408.       !CBB_add_bytes(&body, finished, finished_len) ||

  409.       !ssl_add_message_cbb(ssl, &cbb)) {

  410.     OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);

  411.     CBB_cleanup(&cbb);

  412.     return -1;

  413.   }

  414. 

  415.   return 1;

  416. }

  417. 

  418. int ssl3_get_finished(SSL_HANDSHAKE *hs) {

  419.   SSL *const ssl = hs->ssl;

  420.   int ret = ssl->method->ssl_get_message(ssl);

  421.   if (ret <= 0) {

  422.     return ret;

  423.   }

  424. 

  425.   if (!ssl_check_message_type(ssl, SSL3_MT_FINISHED)) {

  426.     return -1;

  427.   }

  428. 

  429.   /* Snapshot the finished hash before incorporating the new message. */

  430.   uint8_t finished[EVP_MAX_MD_SIZE];

  431.   size_t finished_len;

  432.   if (!SSL_TRANSCRIPT_finish_mac(&hs->transcript, finished, &finished_len,

  433.                                  SSL_get_session(ssl), !ssl->server,

  434.                                  ssl3_protocol_version(ssl)) ||

  435.       !ssl_hash_current_message(hs)) {

  436.     return -1;

  437.   }

  438. 

  439.   int finished_ok = ssl->init_num == finished_len &&

  440.                     CRYPTO_memcmp(ssl->init_msg, finished, finished_len) == 0;

  441. #if defined(BORINGSSL_UNSAFE_FUZZER_MODE)

  442.   finished_ok = 1;

  443. #endif

  444.   if (!finished_ok) {

  445.     ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECRYPT_ERROR);

  446.     OPENSSL_PUT_ERROR(SSL, SSL_R_DIGEST_CHECK_FAILED);

  447.     return -1;

  448.   }

  449. 

  450.   /* Copy the Finished so we can use it for renegotiation checks. */

  451.   if (ssl->version != SSL3_VERSION) {

  452.     if (finished_len > sizeof(ssl->s3->previous_client_finished) ||

  453.         finished_len > sizeof(ssl->s3->previous_server_finished)) {

  454.       OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);

  455.       return -1;

  456.     }

  457. 

  458.     if (ssl->server) {

  459.       OPENSSL_memcpy(ssl->s3->previous_client_finished, finished, finished_len);

  460.       ssl->s3->previous_client_finished_len = finished_len;

  461.     } else {

  462.       OPENSSL_memcpy(ssl->s3->previous_server_finished, finished, finished_len);

  463.       ssl->s3->previous_server_finished_len = finished_len;

  464.     }

  465.   }

  466. 

  467.   return 1;

  468. }

  469. 

  470. int ssl3_output_cert_chain(SSL *ssl) {

  471.   CBB cbb, body;

  472.   if (!ssl->method->init_message(ssl, &cbb, &body, SSL3_MT_CERTIFICATE) ||

  473.       !ssl_add_cert_chain(ssl, &body) ||

  474.       !ssl_add_message_cbb(ssl, &cbb)) {

  475.     OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);

  476.     CBB_cleanup(&cbb);

  477.     return 0;

  478.   }

  479. 

  480.   return 1;

  481. }

  482. 

  483. size_t ssl_max_handshake_message_len(const SSL *ssl) {

  484.   /* kMaxMessageLen is the default maximum message size for handshakes which do

  485.    * not accept peer certificate chains. */

  486.   static const size_t kMaxMessageLen = 16384;

  487. 

  488.   if (SSL_in_init(ssl)) {

  489.     if ((!ssl->server || (ssl->verify_mode & SSL_VERIFY_PEER)) &&

  490.         kMaxMessageLen < ssl->max_cert_list) {

  491.       return ssl->max_cert_list;

  492.     }

  493.     return kMaxMessageLen;

  494.   }

  495. 

  496.   if (ssl3_protocol_version(ssl) < TLS1_3_VERSION) {

  497.     /* In TLS 1.2 and below, the largest acceptable post-handshake message is

  498.      * a HelloRequest. */

  499.     return 0;

  500.   }

  501. 

  502.   if (ssl->server) {

  503.     /* The largest acceptable post-handshake message for a server is a

  504.      * KeyUpdate. We will never initiate post-handshake auth. */

  505.     return 1;

  506.   }

  507. 

  508.   /* Clients must accept NewSessionTicket and CertificateRequest, so allow the

  509.    * default size. */

  510.   return kMaxMessageLen;

  511. }

  512. 

  513. static int extend_handshake_buffer(SSL *ssl, size_t length) {

  514.   if (!BUF_MEM_reserve(ssl->init_buf, length)) {

  515.     return -1;

  516.   }

  517.   while (ssl->init_buf->length < length) {

  518.     int ret = ssl3_read_handshake_bytes(

  519.         ssl, (uint8_t *)ssl->init_buf->data + ssl->init_buf->length,

  520.         length - ssl->init_buf->length);

  521.     if (ret <= 0) {

  522.       return ret;

  523.     }

  524.     ssl->init_buf->length += (size_t)ret;

  525.   }

  526.   return 1;

  527. }

  528. 

  529. static int read_v2_client_hello(SSL *ssl) {

  530.   /* Read the first 5 bytes, the size of the TLS record header. This is

  531.    * sufficient to detect a V2ClientHello and ensures that we never read beyond

  532.    * the first record. */

  533.   int ret = ssl_read_buffer_extend_to(ssl, SSL3_RT_HEADER_LENGTH);

  534.   if (ret <= 0) {

  535.     return ret;

  536.   }

  537.   const uint8_t *p = ssl_read_buffer(ssl);

  538. 

  539.   /* Some dedicated error codes for protocol mixups should the application wish

  540.    * to interpret them differently. (These do not overlap with ClientHello or

  541.    * V2ClientHello.) */

  542.   if (strncmp("GET ", (const char *)p, 4) == 0 ||

  543.       strncmp("POST ", (const char *)p, 5) == 0 ||

  544.       strncmp("HEAD ", (const char *)p, 5) == 0 ||

  545.       strncmp("PUT ", (const char *)p, 4) == 0) {

  546.     OPENSSL_PUT_ERROR(SSL, SSL_R_HTTP_REQUEST);

  547.     return -1;

  548.   }

  549.   if (strncmp("CONNE", (const char *)p, 5) == 0) {

  550.     OPENSSL_PUT_ERROR(SSL, SSL_R_HTTPS_PROXY_REQUEST);

  551.     return -1;

  552.   }

  553. 

  554.   if ((p[0] & 0x80) == 0 || p[2] != SSL2_MT_CLIENT_HELLO ||

  555.       p[3] != SSL3_VERSION_MAJOR) {

  556.     /* Not a V2ClientHello. */

  557.     return 1;

  558.   }

  559. 

  560.   /* Determine the length of the V2ClientHello. */

  561.   size_t msg_length = ((p[0] & 0x7f) << 8) | p[1];

  562.   if (msg_length > (1024 * 4)) {

  563.     OPENSSL_PUT_ERROR(SSL, SSL_R_RECORD_TOO_LARGE);

  564.     return -1;

  565.   }

  566.   if (msg_length < SSL3_RT_HEADER_LENGTH - 2) {

  567.     /* Reject lengths that are too short early. We have already read

  568.      * |SSL3_RT_HEADER_LENGTH| bytes, so we should not attempt to process an

  569.      * (invalid) V2ClientHello which would be shorter than that. */

  570.     OPENSSL_PUT_ERROR(SSL, SSL_R_RECORD_LENGTH_MISMATCH);

  571.     return -1;

  572.   }

  573. 

  574.   /* Read the remainder of the V2ClientHello. */

  575.   ret = ssl_read_buffer_extend_to(ssl, 2 + msg_length);

  576.   if (ret <= 0) {

  577.     return ret;

  578.   }

  579. 

  580.   CBS v2_client_hello;

  581.   CBS_init(&v2_client_hello, ssl_read_buffer(ssl) + 2, msg_length);

  582. 

  583.   /* The V2ClientHello without the length is incorporated into the handshake

  584.    * hash. This is only ever called at the start of the handshake, so hs is

  585.    * guaranteed to be non-NULL. */

  586.   if (!SSL_TRANSCRIPT_update(&ssl->s3->hs->transcript,

  587.                              CBS_data(&v2_client_hello),

  588.                              CBS_len(&v2_client_hello))) {

  589.     return -1;

  590.   }

  591. 

  592.   ssl_do_msg_callback(ssl, 0 /* read */, 0 /* V2ClientHello */,

  593.                       CBS_data(&v2_client_hello), CBS_len(&v2_client_hello));

  594. 

  595.   uint8_t msg_type;

  596.   uint16_t version, cipher_spec_length, session_id_length, challenge_length;

  597.   CBS cipher_specs, session_id, challenge;

  598.   if (!CBS_get_u8(&v2_client_hello, &msg_type) ||

  599.       !CBS_get_u16(&v2_client_hello, &version) ||

  600.       !CBS_get_u16(&v2_client_hello, &cipher_spec_length) ||

  601.       !CBS_get_u16(&v2_client_hello, &session_id_length) ||

  602.       !CBS_get_u16(&v2_client_hello, &challenge_length) ||

  603.       !CBS_get_bytes(&v2_client_hello, &cipher_specs, cipher_spec_length) ||

  604.       !CBS_get_bytes(&v2_client_hello, &session_id, session_id_length) ||

  605.       !CBS_get_bytes(&v2_client_hello, &challenge, challenge_length) ||

  606.       CBS_len(&v2_client_hello) != 0) {

  607.     OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);

  608.     return -1;

  609.   }

  610. 

  611.   /* msg_type has already been checked. */

  612.   assert(msg_type == SSL2_MT_CLIENT_HELLO);

  613. 

  614.   /* The client_random is the V2ClientHello challenge. Truncate or

  615.    * left-pad with zeros as needed. */

  616.   size_t rand_len = CBS_len(&challenge);

  617.   if (rand_len > SSL3_RANDOM_SIZE) {

  618.     rand_len = SSL3_RANDOM_SIZE;

  619.   }

  620.   uint8_t random[SSL3_RANDOM_SIZE];

  621.   OPENSSL_memset(random, 0, SSL3_RANDOM_SIZE);

  622.   OPENSSL_memcpy(random + (SSL3_RANDOM_SIZE - rand_len), CBS_data(&challenge),

  623.                  rand_len);

  624. 

  625.   /* Write out an equivalent SSLv3 ClientHello. */

  626.   size_t max_v3_client_hello = SSL3_HM_HEADER_LENGTH + 2 /* version */ +

  627.                                SSL3_RANDOM_SIZE + 1 /* session ID length */ +

  628.                                2 /* cipher list length */ +

  629.                                CBS_len(&cipher_specs) / 3 * 2 +

  630.                                1 /* compression length */ + 1 /* compression */;

  631.   CBB client_hello, hello_body, cipher_suites;

  632.   CBB_zero(&client_hello);

  633.   if (!BUF_MEM_reserve(ssl->init_buf, max_v3_client_hello) ||

  634.       !CBB_init_fixed(&client_hello, (uint8_t *)ssl->init_buf->data,

  635.                       ssl->init_buf->max) ||

  636.       !CBB_add_u8(&client_hello, SSL3_MT_CLIENT_HELLO) ||

  637.       !CBB_add_u24_length_prefixed(&client_hello, &hello_body) ||

  638.       !CBB_add_u16(&hello_body, version) ||

  639.       !CBB_add_bytes(&hello_body, random, SSL3_RANDOM_SIZE) ||

  640.       /* No session id. */

  641.       !CBB_add_u8(&hello_body, 0) ||

  642.       !CBB_add_u16_length_prefixed(&hello_body, &cipher_suites)) {

  643.     CBB_cleanup(&client_hello);

  644.     OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);

  645.     return -1;

  646.   }

  647. 

  648.   /* Copy the cipher suites. */

  649.   while (CBS_len(&cipher_specs) > 0) {

  650.     uint32_t cipher_spec;

  651.     if (!CBS_get_u24(&cipher_specs, &cipher_spec)) {

  652.       CBB_cleanup(&client_hello);

  653.       OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);

  654.       return -1;

  655.     }

  656. 

  657.     /* Skip SSLv2 ciphers. */

  658.     if ((cipher_spec & 0xff0000) != 0) {

  659.       continue;

  660.     }

  661.     if (!CBB_add_u16(&cipher_suites, cipher_spec)) {

  662.       CBB_cleanup(&client_hello);

  663.       OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);

  664.       return -1;

  665.     }

  666.   }

  667. 

  668.   /* Add the null compression scheme and finish. */

  669.   if (!CBB_add_u8(&hello_body, 1) || !CBB_add_u8(&hello_body, 0) ||

  670.       !CBB_finish(&client_hello, NULL, &ssl->init_buf->length)) {

  671.     CBB_cleanup(&client_hello);

  672.     OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);

  673.     return -1;

  674.   }

  675. 

  676.   /* Consume and discard the V2ClientHello. */

  677.   ssl_read_buffer_consume(ssl, 2 + msg_length);

  678.   ssl_read_buffer_discard(ssl);

  679. 

  680.   ssl->s3->is_v2_hello = 1;

  681.   return 1;

  682. }

  683. 

  684. int ssl3_get_message(SSL *ssl) {

  685.   /* Re-create the handshake buffer if needed. */

  686.   if (ssl->init_buf == NULL) {

  687.     ssl->init_buf = BUF_MEM_new();

  688.     if (ssl->init_buf == NULL) {

  689.       return -1;

  690.     }

  691.   }

  692. 

  693.   if (ssl->server && !ssl->s3->v2_hello_done) {

  694.     /* Bypass the record layer for the first message to handle V2ClientHello. */

  695.     int ret = read_v2_client_hello(ssl);

  696.     if (ret <= 0) {

  697.       return ret;

  698.     }

  699.     ssl->s3->v2_hello_done = 1;

  700.   }

  701. 

  702.   if (ssl->s3->tmp.reuse_message) {

  703.     /* There must be a current message. */

  704.     assert(ssl->init_msg != NULL);

  705.     ssl->s3->tmp.reuse_message = 0;

  706.   } else {

  707.     ssl3_release_current_message(ssl, 0 /* don't free buffer */);

  708.   }

  709. 

  710.   /* Read the message header, if we haven't yet. */

  711.   int ret = extend_handshake_buffer(ssl, SSL3_HM_HEADER_LENGTH);

  712.   if (ret <= 0) {

  713.     return ret;

  714.   }

  715. 

  716.   /* Parse out the length. Cap it so the peer cannot force us to buffer up to

  717.    * 2^24 bytes. */

  718.   const uint8_t *p = (uint8_t *)ssl->init_buf->data;

  719.   size_t msg_len = (((uint32_t)p[1]) << 16) | (((uint32_t)p[2]) << 8) | p[3];

  720.   if (msg_len > ssl_max_handshake_message_len(ssl)) {

  721.     ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);

  722.     OPENSSL_PUT_ERROR(SSL, SSL_R_EXCESSIVE_MESSAGE_SIZE);

  723.     return -1;

  724.   }

  725. 

  726.   /* Read the message body, if we haven't yet. */

  727.   ret = extend_handshake_buffer(ssl, SSL3_HM_HEADER_LENGTH + msg_len);

  728.   if (ret <= 0) {

  729.     return ret;

  730.   }

  731. 

  732.   /* We have now received a complete message. */

  733.   ssl_do_msg_callback(ssl, 0 /* read */, SSL3_RT_HANDSHAKE, ssl->init_buf->data,

  734.                       ssl->init_buf->length);

  735. 

  736.   ssl->s3->tmp.message_type = ((const uint8_t *)ssl->init_buf->data)[0];

  737.   ssl->init_msg = (uint8_t*)ssl->init_buf->data + SSL3_HM_HEADER_LENGTH;

  738.   ssl->init_num = ssl->init_buf->length - SSL3_HM_HEADER_LENGTH;

  739.   return 1;

  740. }

  741. 

  742. void ssl3_get_current_message(const SSL *ssl, CBS *out) {

  743.   CBS_init(out, (uint8_t *)ssl->init_buf->data, ssl->init_buf->length);

  744. }

  745. 

  746. int ssl_hash_current_message(SSL_HANDSHAKE *hs) {

  747.   /* V2ClientHellos are hashed implicitly. */

  748.   if (hs->ssl->s3->is_v2_hello) {

  749.     return 1;

  750.   }

  751. 

  752.   CBS cbs;

  753.   hs->ssl->method->get_current_message(hs->ssl, &cbs);

  754.   return SSL_TRANSCRIPT_update(&hs->transcript, CBS_data(&cbs), CBS_len(&cbs));

  755. }

  756. 

  757. void ssl3_release_current_message(SSL *ssl, int free_buffer) {

  758.   if (ssl->init_msg != NULL) {

  759.     /* |init_buf| never contains data beyond the current message. */

  760.     assert(SSL3_HM_HEADER_LENGTH + ssl->init_num == ssl->init_buf->length);

  761. 

  762.     /* Clear the current message. */

  763.     ssl->init_msg = NULL;

  764.     ssl->init_num = 0;

  765.     ssl->init_buf->length = 0;

  766.     ssl->s3->is_v2_hello = 0;

  767.   }

  768. 

  769.   if (free_buffer) {

  770.     BUF_MEM_free(ssl->init_buf);

  771.     ssl->init_buf = NULL;

  772.   }

  773. }

  774. 

  775. int ssl_parse_extensions(const CBS *cbs, uint8_t *out_alert,

  776.                          const SSL_EXTENSION_TYPE *ext_types,

  777.                          size_t num_ext_types, int ignore_unknown) {

  778.   /* Reset everything. */

  779.   for (size_t i = 0; i < num_ext_types; i++) {

  780.     *ext_types[i].out_present = 0;

  781.     CBS_init(ext_types[i].out_data, NULL, 0);

  782.   }

  783. 

  784.   CBS copy = *cbs;

  785.   while (CBS_len(&copy) != 0) {

  786.     uint16_t type;

  787.     CBS data;

  788.     if (!CBS_get_u16(&copy, &type) ||

  789.         !CBS_get_u16_length_prefixed(&copy, &data)) {

  790.       OPENSSL_PUT_ERROR(SSL, SSL_R_PARSE_TLSEXT);

  791.       *out_alert = SSL_AD_DECODE_ERROR;

  792.       return 0;

  793.     }

  794. 

  795.     const SSL_EXTENSION_TYPE *ext_type = NULL;

  796.     for (size_t i = 0; i < num_ext_types; i++) {

  797.       if (type == ext_types[i].type) {

  798.         ext_type = &ext_types[i];

  799.         break;

  800.       }

  801.     }

  802. 

  803.     if (ext_type == NULL) {

  804.       if (ignore_unknown) {

  805.         continue;

  806.       }

  807.       OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION);

  808.       *out_alert = SSL_AD_UNSUPPORTED_EXTENSION;

  809.       return 0;

  810.     }

  811. 

  812.     /* Duplicate ext_types are forbidden. */

  813.     if (*ext_type->out_present) {

  814.       OPENSSL_PUT_ERROR(SSL, SSL_R_DUPLICATE_EXTENSION);

  815.       *out_alert = SSL_AD_ILLEGAL_PARAMETER;

  816.       return 0;

  817.     }

  818. 

  819.     *ext_type->out_present = 1;

  820.     *ext_type->out_data = data;

  821.   }

  822. 

  823.   return 1;

  824. }