Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / boringssl / 843770915703e4d21d7f1776be72e769812f9f1e / . / src / ssl / s3_both.cc
blob: 9c4aa7ff5be5d6012605ebce6e0e62e859f04ea7 [file] [log] [blame]
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]1/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
2 * All rights reserved.
3 *
4 * This package is an SSL implementation written
5 * by Eric Young (eay@cryptsoft.com).
6 * The implementation was written so as to conform with Netscapes SSL.
7 *
8 * This library is free for commercial and non-commercial use as long as
9 * the following conditions are aheared to. The following conditions
10 * apply to all code found in this distribution, be it the RC4, RSA,
11 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
12 * included with this distribution is covered by the same copyright terms
13 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
14 *
15 * Copyright remains Eric Young's, and as such any Copyright notices in
16 * the code are not to be removed.
17 * If this package is used in a product, Eric Young should be given attribution
18 * as the author of the parts of the library used.
19 * This can be in the form of a textual message at program startup or
20 * in documentation (online or textual) provided with the package.
21 *
22 * Redistribution and use in source and binary forms, with or without
23 * modification, are permitted provided that the following conditions
24 * are met:
25 * 1. Redistributions of source code must retain the copyright
26 * notice, this list of conditions and the following disclaimer.
27 * 2. Redistributions in binary form must reproduce the above copyright
28 * notice, this list of conditions and the following disclaimer in the
29 * documentation and/or other materials provided with the distribution.
30 * 3. All advertising materials mentioning features or use of this software
31 * must display the following acknowledgement:
32 * "This product includes cryptographic software written by
33 * Eric Young (eay@cryptsoft.com)"
34 * The word 'cryptographic' can be left out if the rouines from the library
35 * being used are not cryptographic related :-).
36 * 4. If you include any Windows specific code (or a derivative thereof) from
37 * the apps directory (application code) you must include an acknowledgement:
38 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
39 *
40 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
41 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
43 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
44 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
45 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
46 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
48 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
49 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
50 * SUCH DAMAGE.
51 *
52 * The licence and distribution terms for any publically available version or
53 * derivative of this code cannot be changed. i.e. this code cannot simply be
54 * copied and put under another distribution licence
55 * [including the GNU Public Licence.]
56 */
57/* ====================================================================
58 * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved.
59 *
60 * Redistribution and use in source and binary forms, with or without
61 * modification, are permitted provided that the following conditions
62 * are met:
63 *
64 * 1. Redistributions of source code must retain the above copyright
65 * notice, this list of conditions and the following disclaimer.
66 *
67 * 2. Redistributions in binary form must reproduce the above copyright
68 * notice, this list of conditions and the following disclaimer in
69 * the documentation and/or other materials provided with the
70 * distribution.
71 *
72 * 3. All advertising materials mentioning features or use of this
73 * software must display the following acknowledgment:
74 * "This product includes software developed by the OpenSSL Project
75 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
76 *
77 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
78 * endorse or promote products derived from this software without
79 * prior written permission. For written permission, please contact
80 * openssl-core@openssl.org.
81 *
82 * 5. Products derived from this software may not be called "OpenSSL"
83 * nor may "OpenSSL" appear in their names without prior written
84 * permission of the OpenSSL Project.
85 *
86 * 6. Redistributions of any form whatsoever must retain the following
87 * acknowledgment:
88 * "This product includes software developed by the OpenSSL Project
89 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
90 *
91 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
92 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
93 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
94 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
95 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
96 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
97 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
98 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
99 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
100 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
101 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
102 * OF THE POSSIBILITY OF SUCH DAMAGE.
103 * ====================================================================
104 *
105 * This product includes cryptographic software written by Eric Young
106 * (eay@cryptsoft.com). This product includes software written by Tim
107 * Hudson (tjh@cryptsoft.com). */
108/* ====================================================================
109 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
110 * ECC cipher suite support in OpenSSL originally developed by
111 * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project. */
112
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]113#include <openssl/ssl.h>
114
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]115#include <assert.h>
116#include <limits.h>
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]117#include <string.h>
118
119#include <openssl/buf.h>
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]120#include <openssl/bytestring.h>
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]121#include <openssl/err.h>
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]122#include <openssl/evp.h>
123#include <openssl/mem.h>
124#include <openssl/md5.h>
David Benjamin4969cc92016-04-22 15:02:23 -0400[diff] [blame]125#include <openssl/nid.h>
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]126#include <openssl/rand.h>
127#include <openssl/sha.h>
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]128
Robert Sloan69939df2017-01-09 10:53:07 -0800[diff] [blame]129#include "../crypto/internal.h"
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]130#include "internal.h"
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]131
132
Robert Sloanb6d070c2017-07-24 08:40:01 -0700[diff] [blame]133namespace bssl {
134
135SSL_HANDSHAKE::SSL_HANDSHAKE(SSL *ssl_arg)
136 : ssl(ssl_arg),
137 scts_requested(0),
138 needs_psk_binder(0),
139 received_hello_retry_request(0),
140 accept_psk_mode(0),
141 cert_request(0),
142 certificate_status_expected(0),
143 ocsp_stapling_requested(0),
144 should_ack_sni(0),
145 in_false_start(0),
146 in_early_data(0),
147 early_data_offered(0),
148 can_early_read(0),
149 can_early_write(0),
150 next_proto_neg_seen(0),
151 ticket_expected(0),
152 extended_master_secret(0),
153 pending_private_key_op(0) {
154}
155
156SSL_HANDSHAKE::~SSL_HANDSHAKE() {
157 OPENSSL_cleanse(secret, sizeof(secret));
158 OPENSSL_cleanse(early_traffic_secret, sizeof(early_traffic_secret));
159 OPENSSL_cleanse(client_handshake_secret, sizeof(client_handshake_secret));
160 OPENSSL_cleanse(server_handshake_secret, sizeof(server_handshake_secret));
161 OPENSSL_cleanse(client_traffic_secret_0, sizeof(client_traffic_secret_0));
162 OPENSSL_cleanse(server_traffic_secret_0, sizeof(server_traffic_secret_0));
163 OPENSSL_free(cookie);
164 OPENSSL_free(key_share_bytes);
165 OPENSSL_free(ecdh_public_key);
166 OPENSSL_free(peer_sigalgs);
167 OPENSSL_free(peer_supported_group_list);
168 OPENSSL_free(peer_key);
169 OPENSSL_free(server_params);
170 ssl->ctx->x509_method->hs_flush_cached_ca_names(this);
171 OPENSSL_free(certificate_types);
172
173 if (key_block != NULL) {
174 OPENSSL_cleanse(key_block, key_block_len);
175 OPENSSL_free(key_block);
176 }
177}
178
David Benjamin1b249672016-12-06 18:25:50 -0500[diff] [blame]179SSL_HANDSHAKE *ssl_handshake_new(SSL *ssl) {
Robert Sloanb6d070c2017-07-24 08:40:01 -0700[diff] [blame]180 UniquePtr<SSL_HANDSHAKE> hs = MakeUnique<SSL_HANDSHAKE>(ssl);
181 if (!hs ||
182 !hs->transcript.Init()) {
183 return nullptr;
David Benjaminf0c4a6c2016-08-11 13:26:41 -0400[diff] [blame]184 }
Robert Sloanb6d070c2017-07-24 08:40:01 -0700[diff] [blame]185 return hs.release();
David Benjaminf0c4a6c2016-08-11 13:26:41 -0400[diff] [blame]186}
187
Robert Sloanb6d070c2017-07-24 08:40:01 -0700[diff] [blame]188void ssl_handshake_free(SSL_HANDSHAKE *hs) { Delete(hs); }
David Benjaminf0c4a6c2016-08-11 13:26:41 -0400[diff] [blame]189
Robert Sloan84377092017-08-14 09:33:19 -0700[diff] [blame^]190int ssl_check_message_type(SSL *ssl, const SSLMessage &msg, int type) {
191 if (msg.type != type) {
Robert Sloan4d1ac502017-02-06 08:36:14 -0800[diff] [blame]192 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
193 OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_MESSAGE);
Robert Sloan84377092017-08-14 09:33:19 -0700[diff] [blame^]194 ERR_add_error_dataf("got type %d, wanted type %d", msg.type, type);
Robert Sloan4d1ac502017-02-06 08:36:14 -0800[diff] [blame]195 return 0;
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]196 }
197
Robert Sloan4d1ac502017-02-06 08:36:14 -0800[diff] [blame]198 return 1;
199}
200
201static int add_record_to_flight(SSL *ssl, uint8_t type, const uint8_t *in,
202 size_t in_len) {
203 /* We'll never add a flight while in the process of writing it out. */
204 assert(ssl->s3->pending_flight_offset == 0);
205
206 if (ssl->s3->pending_flight == NULL) {
207 ssl->s3->pending_flight = BUF_MEM_new();
208 if (ssl->s3->pending_flight == NULL) {
209 return 0;
210 }
211 }
212
213 size_t max_out = in_len + SSL_max_seal_overhead(ssl);
214 size_t new_cap = ssl->s3->pending_flight->length + max_out;
215 if (max_out < in_len || new_cap < max_out) {
216 OPENSSL_PUT_ERROR(SSL, ERR_R_OVERFLOW);
217 return 0;
218 }
219
220 size_t len;
221 if (!BUF_MEM_reserve(ssl->s3->pending_flight, new_cap) ||
222 !tls_seal_record(ssl, (uint8_t *)ssl->s3->pending_flight->data +
223 ssl->s3->pending_flight->length,
224 &len, max_out, type, in, in_len)) {
225 return 0;
226 }
227
228 ssl->s3->pending_flight->length += len;
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]229 return 1;
230}
231
232int ssl3_init_message(SSL *ssl, CBB *cbb, CBB *body, uint8_t type) {
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]233 /* Pick a modest size hint to save most of the |realloc| calls. */
234 if (!CBB_init(cbb, 64) ||
235 !CBB_add_u8(cbb, type) ||
236 !CBB_add_u24_length_prefixed(cbb, body)) {
237 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
Robert Sloan4d1ac502017-02-06 08:36:14 -0800[diff] [blame]238 CBB_cleanup(cbb);
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]239 return 0;
240 }
241
242 return 1;
243}
244
Steven Valdez909b19f2016-11-21 15:35:44 -0500[diff] [blame]245int ssl3_finish_message(SSL *ssl, CBB *cbb, uint8_t **out_msg,
246 size_t *out_len) {
247 if (!CBB_finish(cbb, out_msg, out_len)) {
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]248 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
249 return 0;
250 }
251
Steven Valdez909b19f2016-11-21 15:35:44 -0500[diff] [blame]252 return 1;
253}
254
Robert Sloan4d1ac502017-02-06 08:36:14 -0800[diff] [blame]255int ssl3_add_message(SSL *ssl, uint8_t *msg, size_t len) {
256 /* Add the message to the current flight, splitting into several records if
257 * needed. */
258 int ret = 0;
259 size_t added = 0;
260 do {
261 size_t todo = len - added;
262 if (todo > ssl->max_send_fragment) {
263 todo = ssl->max_send_fragment;
264 }
265
Robert Sloana12bf462017-07-17 07:08:26 -0700[diff] [blame]266 uint8_t type = SSL3_RT_HANDSHAKE;
267 if (ssl->server &&
268 ssl->s3->have_version &&
269 ssl->version == TLS1_3_RECORD_TYPE_EXPERIMENT_VERSION &&
Robert Sloanb6d070c2017-07-24 08:40:01 -0700[diff] [blame]270 ssl->s3->aead_write_ctx->is_null_cipher()) {
Robert Sloana12bf462017-07-17 07:08:26 -0700[diff] [blame]271 type = SSL3_RT_PLAINTEXT_HANDSHAKE;
272 }
273
274 if (!add_record_to_flight(ssl, type, msg + added, todo)) {
Robert Sloan4d1ac502017-02-06 08:36:14 -0800[diff] [blame]275 goto err;
276 }
277 added += todo;
278 } while (added < len);
279
280 ssl_do_msg_callback(ssl, 1 /* write */, SSL3_RT_HANDSHAKE, msg, len);
Robert Sloanb6d070c2017-07-24 08:40:01 -0700[diff] [blame]281 /* TODO(svaldez): Move this up a layer to fix abstraction for SSLTranscript on
282 * hs. */
Robert Sloan5d625782017-02-13 09:55:39 -0800[diff] [blame]283 if (ssl->s3->hs != NULL &&
Robert Sloanb6d070c2017-07-24 08:40:01 -0700[diff] [blame]284 !ssl->s3->hs->transcript.Update(msg, len)) {
Robert Sloan5d625782017-02-13 09:55:39 -0800[diff] [blame]285 goto err;
286 }
Robert Sloan4d1ac502017-02-06 08:36:14 -0800[diff] [blame]287 ret = 1;
288
289err:
290 OPENSSL_free(msg);
291 return ret;
292}
293
294int ssl3_add_change_cipher_spec(SSL *ssl) {
295 static const uint8_t kChangeCipherSpec[1] = {SSL3_MT_CCS};
296
297 if (!add_record_to_flight(ssl, SSL3_RT_CHANGE_CIPHER_SPEC, kChangeCipherSpec,
298 sizeof(kChangeCipherSpec))) {
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]299 return 0;
300 }
301
Robert Sloan4d1ac502017-02-06 08:36:14 -0800[diff] [blame]302 ssl_do_msg_callback(ssl, 1 /* write */, SSL3_RT_CHANGE_CIPHER_SPEC,
303 kChangeCipherSpec, sizeof(kChangeCipherSpec));
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]304 return 1;
305}
306
Robert Sloan4d1ac502017-02-06 08:36:14 -0800[diff] [blame]307int ssl3_add_alert(SSL *ssl, uint8_t level, uint8_t desc) {
308 uint8_t alert[2] = {level, desc};
309 if (!add_record_to_flight(ssl, SSL3_RT_ALERT, alert, sizeof(alert))) {
310 return 0;
311 }
312
313 ssl_do_msg_callback(ssl, 1 /* write */, SSL3_RT_ALERT, alert, sizeof(alert));
314 ssl_do_info_callback(ssl, SSL_CB_WRITE_ALERT, ((int)level << 8) | desc);
315 return 1;
316}
317
318int ssl_add_message_cbb(SSL *ssl, CBB *cbb) {
Steven Valdez909b19f2016-11-21 15:35:44 -0500[diff] [blame]319 uint8_t *msg;
320 size_t len;
321 if (!ssl->method->finish_message(ssl, cbb, &msg, &len) ||
Robert Sloan4d1ac502017-02-06 08:36:14 -0800[diff] [blame]322 !ssl->method->add_message(ssl, msg, len)) {
Steven Valdez909b19f2016-11-21 15:35:44 -0500[diff] [blame]323 return 0;
324 }
325
326 return 1;
327}
328
Robert Sloan4d1ac502017-02-06 08:36:14 -0800[diff] [blame]329int ssl3_flush_flight(SSL *ssl) {
330 if (ssl->s3->pending_flight == NULL) {
331 return 1;
332 }
333
334 if (ssl->s3->pending_flight->length > 0xffffffff ||
335 ssl->s3->pending_flight->length > INT_MAX) {
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]336 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
Robert Sloan4d1ac502017-02-06 08:36:14 -0800[diff] [blame]337 return -1;
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]338 }
339
Robert Sloane56da3e2017-06-26 08:26:42 -0700[diff] [blame]340 /* If there is pending data in the write buffer, it must be flushed out before
341 * any new data in pending_flight. */
Robert Sloan4d1ac502017-02-06 08:36:14 -0800[diff] [blame]342 if (ssl_write_buffer_is_pending(ssl)) {
Robert Sloane56da3e2017-06-26 08:26:42 -0700[diff] [blame]343 int ret = ssl_write_buffer_flush(ssl);
344 if (ret <= 0) {
345 ssl->rwstate = SSL_WRITING;
346 return ret;
347 }
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]348 }
349
Robert Sloan4d1ac502017-02-06 08:36:14 -0800[diff] [blame]350 /* Write the pending flight. */
351 while (ssl->s3->pending_flight_offset < ssl->s3->pending_flight->length) {
352 int ret = BIO_write(
353 ssl->wbio,
354 ssl->s3->pending_flight->data + ssl->s3->pending_flight_offset,
355 ssl->s3->pending_flight->length - ssl->s3->pending_flight_offset);
356 if (ret <= 0) {
357 ssl->rwstate = SSL_WRITING;
358 return ret;
359 }
360
361 ssl->s3->pending_flight_offset += ret;
362 }
363
364 if (BIO_flush(ssl->wbio) <= 0) {
365 ssl->rwstate = SSL_WRITING;
366 return -1;
367 }
368
369 BUF_MEM_free(ssl->s3->pending_flight);
370 ssl->s3->pending_flight = NULL;
371 ssl->s3->pending_flight_offset = 0;
David Benjamin6e899c72016-06-09 18:02:18 -0400[diff] [blame]372 return 1;
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]373}
374
Robert Sloan4d1ac502017-02-06 08:36:14 -0800[diff] [blame]375int ssl3_send_finished(SSL_HANDSHAKE *hs) {
David Benjamin1b249672016-12-06 18:25:50 -0500[diff] [blame]376 SSL *const ssl = hs->ssl;
Robert Sloan5d625782017-02-13 09:55:39 -0800[diff] [blame]377 const SSL_SESSION *session = SSL_get_session(ssl);
378
David Benjamin95add822016-10-19 01:09:12 -0400[diff] [blame]379 uint8_t finished[EVP_MAX_MD_SIZE];
Robert Sloan5d625782017-02-13 09:55:39 -0800[diff] [blame]380 size_t finished_len;
Robert Sloanb6d070c2017-07-24 08:40:01 -0700[diff] [blame]381 if (!hs->transcript.GetFinishedMAC(finished, &finished_len, session,
382 ssl->server, ssl3_protocol_version(ssl))) {
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]383 return 0;
384 }
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]385
386 /* Log the master secret, if logging is enabled. */
387 if (!ssl_log_secret(ssl, "CLIENT_RANDOM",
Robert Sloan5d625782017-02-13 09:55:39 -0800[diff] [blame]388 session->master_key,
389 session->master_key_length)) {
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]390 return 0;
391 }
392
David Benjamin95add822016-10-19 01:09:12 -0400[diff] [blame]393 /* Copy the Finished so we can use it for renegotiation checks. */
394 if (ssl->version != SSL3_VERSION) {
395 if (finished_len > sizeof(ssl->s3->previous_client_finished) ||
396 finished_len > sizeof(ssl->s3->previous_server_finished)) {
397 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
398 return -1;
399 }
400
401 if (ssl->server) {
Robert Sloan69939df2017-01-09 10:53:07 -0800[diff] [blame]402 OPENSSL_memcpy(ssl->s3->previous_server_finished, finished, finished_len);
David Benjamin95add822016-10-19 01:09:12 -0400[diff] [blame]403 ssl->s3->previous_server_finished_len = finished_len;
404 } else {
Robert Sloan69939df2017-01-09 10:53:07 -0800[diff] [blame]405 OPENSSL_memcpy(ssl->s3->previous_client_finished, finished, finished_len);
David Benjamin95add822016-10-19 01:09:12 -0400[diff] [blame]406 ssl->s3->previous_client_finished_len = finished_len;
407 }
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]408 }
409
Robert Sloanb6d070c2017-07-24 08:40:01 -0700[diff] [blame]410 ScopedCBB cbb;
411 CBB body;
412 if (!ssl->method->init_message(ssl, cbb.get(), &body, SSL3_MT_FINISHED) ||
David Benjamin95add822016-10-19 01:09:12 -0400[diff] [blame]413 !CBB_add_bytes(&body, finished, finished_len) ||
Robert Sloanb6d070c2017-07-24 08:40:01 -0700[diff] [blame]414 !ssl_add_message_cbb(ssl, cbb.get())) {
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]415 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]416 return -1;
417 }
418
Robert Sloan4d1ac502017-02-06 08:36:14 -0800[diff] [blame]419 return 1;
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]420}
421
David Benjamin1b249672016-12-06 18:25:50 -0500[diff] [blame]422int ssl3_get_finished(SSL_HANDSHAKE *hs) {
423 SSL *const ssl = hs->ssl;
Robert Sloan84377092017-08-14 09:33:19 -0700[diff] [blame^]424 SSLMessage msg;
425 int ret = ssl_read_message(ssl, &msg);
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]426 if (ret <= 0) {
427 return ret;
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]428 }
429
Robert Sloan84377092017-08-14 09:33:19 -0700[diff] [blame^]430 if (!ssl_check_message_type(ssl, msg, SSL3_MT_FINISHED)) {
Robert Sloan4d1ac502017-02-06 08:36:14 -0800[diff] [blame]431 return -1;
432 }
433
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]434 /* Snapshot the finished hash before incorporating the new message. */
David Benjamin95add822016-10-19 01:09:12 -0400[diff] [blame]435 uint8_t finished[EVP_MAX_MD_SIZE];
Robert Sloan5d625782017-02-13 09:55:39 -0800[diff] [blame]436 size_t finished_len;
Robert Sloanb6d070c2017-07-24 08:40:01 -0700[diff] [blame]437 if (!hs->transcript.GetFinishedMAC(finished, &finished_len,
438 SSL_get_session(ssl), !ssl->server,
439 ssl3_protocol_version(ssl)) ||
Robert Sloan84377092017-08-14 09:33:19 -0700[diff] [blame^]440 !ssl_hash_message(hs, msg)) {
David Benjamin95add822016-10-19 01:09:12 -0400[diff] [blame]441 return -1;
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]442 }
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]443
Robert Sloan84377092017-08-14 09:33:19 -0700[diff] [blame^]444 int finished_ok = CBS_mem_equal(&msg.body, finished, finished_len);
David Benjamin4969cc92016-04-22 15:02:23 -0400[diff] [blame]445#if defined(BORINGSSL_UNSAFE_FUZZER_MODE)
David Benjamin7c0d06c2016-08-11 13:26:41 -0400[diff] [blame]446 finished_ok = 1;
David Benjamin4969cc92016-04-22 15:02:23 -0400[diff] [blame]447#endif
David Benjamin7c0d06c2016-08-11 13:26:41 -0400[diff] [blame]448 if (!finished_ok) {
David Benjamin95add822016-10-19 01:09:12 -0400[diff] [blame]449 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECRYPT_ERROR);
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]450 OPENSSL_PUT_ERROR(SSL, SSL_R_DIGEST_CHECK_FAILED);
David Benjamin95add822016-10-19 01:09:12 -0400[diff] [blame]451 return -1;
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]452 }
453
David Benjamin95add822016-10-19 01:09:12 -0400[diff] [blame]454 /* Copy the Finished so we can use it for renegotiation checks. */
455 if (ssl->version != SSL3_VERSION) {
456 if (finished_len > sizeof(ssl->s3->previous_client_finished) ||
457 finished_len > sizeof(ssl->s3->previous_server_finished)) {
458 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
459 return -1;
460 }
461
462 if (ssl->server) {
Robert Sloan69939df2017-01-09 10:53:07 -0800[diff] [blame]463 OPENSSL_memcpy(ssl->s3->previous_client_finished, finished, finished_len);
David Benjamin95add822016-10-19 01:09:12 -0400[diff] [blame]464 ssl->s3->previous_client_finished_len = finished_len;
465 } else {
Robert Sloan69939df2017-01-09 10:53:07 -0800[diff] [blame]466 OPENSSL_memcpy(ssl->s3->previous_server_finished, finished, finished_len);
David Benjamin95add822016-10-19 01:09:12 -0400[diff] [blame]467 ssl->s3->previous_server_finished_len = finished_len;
468 }
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]469 }
470
Robert Sloan84377092017-08-14 09:33:19 -0700[diff] [blame^]471 ssl->method->next_message(ssl);
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]472 return 1;
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]473}
474
Adam Langley4139edb2016-01-13 15:00:54 -0800[diff] [blame]475int ssl3_output_cert_chain(SSL *ssl) {
Robert Sloanb6d070c2017-07-24 08:40:01 -0700[diff] [blame]476 ScopedCBB cbb;
477 CBB body;
478 if (!ssl->method->init_message(ssl, cbb.get(), &body, SSL3_MT_CERTIFICATE) ||
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]479 !ssl_add_cert_chain(ssl, &body) ||
Robert Sloanb6d070c2017-07-24 08:40:01 -0700[diff] [blame]480 !ssl_add_message_cbb(ssl, cbb.get())) {
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]481 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]482 return 0;
483 }
484
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]485 return 1;
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]486}
487
David Benjamind316cba2016-06-02 16:17:39 -0400[diff] [blame]488size_t ssl_max_handshake_message_len(const SSL *ssl) {
489 /* kMaxMessageLen is the default maximum message size for handshakes which do
490 * not accept peer certificate chains. */
491 static const size_t kMaxMessageLen = 16384;
492
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]493 if (SSL_in_init(ssl)) {
494 if ((!ssl->server || (ssl->verify_mode & SSL_VERIFY_PEER)) &&
495 kMaxMessageLen < ssl->max_cert_list) {
496 return ssl->max_cert_list;
497 }
498 return kMaxMessageLen;
David Benjamind316cba2016-06-02 16:17:39 -0400[diff] [blame]499 }
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]500
501 if (ssl3_protocol_version(ssl) < TLS1_3_VERSION) {
502 /* In TLS 1.2 and below, the largest acceptable post-handshake message is
503 * a HelloRequest. */
504 return 0;
505 }
506
507 if (ssl->server) {
508 /* The largest acceptable post-handshake message for a server is a
509 * KeyUpdate. We will never initiate post-handshake auth. */
Robert Sloan5d625782017-02-13 09:55:39 -0800[diff] [blame]510 return 1;
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]511 }
512
513 /* Clients must accept NewSessionTicket and CertificateRequest, so allow the
514 * default size. */
David Benjamind316cba2016-06-02 16:17:39 -0400[diff] [blame]515 return kMaxMessageLen;
516}
517
Robert Sloan84377092017-08-14 09:33:19 -0700[diff] [blame^]518int ssl_read_message(SSL *ssl, SSLMessage *out) {
519 while (!ssl->method->get_message(ssl, out)) {
520 int ret = ssl->method->read_message(ssl);
521 if (ret <= 0) {
522 return ret;
523 }
524 }
525 return 1;
526}
527
David Benjamind316cba2016-06-02 16:17:39 -0400[diff] [blame]528static int extend_handshake_buffer(SSL *ssl, size_t length) {
529 if (!BUF_MEM_reserve(ssl->init_buf, length)) {
530 return -1;
531 }
532 while (ssl->init_buf->length < length) {
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]533 int ret = ssl3_read_handshake_bytes(
534 ssl, (uint8_t *)ssl->init_buf->data + ssl->init_buf->length,
535 length - ssl->init_buf->length);
David Benjamind316cba2016-06-02 16:17:39 -0400[diff] [blame]536 if (ret <= 0) {
537 return ret;
538 }
539 ssl->init_buf->length += (size_t)ret;
540 }
541 return 1;
542}
543
Robert Sloan4d1ac502017-02-06 08:36:14 -0800[diff] [blame]544static int read_v2_client_hello(SSL *ssl) {
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]545 /* Read the first 5 bytes, the size of the TLS record header. This is
546 * sufficient to detect a V2ClientHello and ensures that we never read beyond
547 * the first record. */
548 int ret = ssl_read_buffer_extend_to(ssl, SSL3_RT_HEADER_LENGTH);
549 if (ret <= 0) {
550 return ret;
551 }
552 const uint8_t *p = ssl_read_buffer(ssl);
553
554 /* Some dedicated error codes for protocol mixups should the application wish
555 * to interpret them differently. (These do not overlap with ClientHello or
556 * V2ClientHello.) */
557 if (strncmp("GET ", (const char *)p, 4) == 0 ||
558 strncmp("POST ", (const char *)p, 5) == 0 ||
559 strncmp("HEAD ", (const char *)p, 5) == 0 ||
560 strncmp("PUT ", (const char *)p, 4) == 0) {
561 OPENSSL_PUT_ERROR(SSL, SSL_R_HTTP_REQUEST);
562 return -1;
563 }
564 if (strncmp("CONNE", (const char *)p, 5) == 0) {
565 OPENSSL_PUT_ERROR(SSL, SSL_R_HTTPS_PROXY_REQUEST);
566 return -1;
567 }
568
569 if ((p[0] & 0x80) == 0 || p[2] != SSL2_MT_CLIENT_HELLO ||
570 p[3] != SSL3_VERSION_MAJOR) {
571 /* Not a V2ClientHello. */
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]572 return 1;
573 }
574
575 /* Determine the length of the V2ClientHello. */
576 size_t msg_length = ((p[0] & 0x7f) << 8) | p[1];
577 if (msg_length > (1024 * 4)) {
578 OPENSSL_PUT_ERROR(SSL, SSL_R_RECORD_TOO_LARGE);
579 return -1;
580 }
581 if (msg_length < SSL3_RT_HEADER_LENGTH - 2) {
582 /* Reject lengths that are too short early. We have already read
583 * |SSL3_RT_HEADER_LENGTH| bytes, so we should not attempt to process an
584 * (invalid) V2ClientHello which would be shorter than that. */
585 OPENSSL_PUT_ERROR(SSL, SSL_R_RECORD_LENGTH_MISMATCH);
586 return -1;
587 }
588
589 /* Read the remainder of the V2ClientHello. */
590 ret = ssl_read_buffer_extend_to(ssl, 2 + msg_length);
591 if (ret <= 0) {
592 return ret;
593 }
594
595 CBS v2_client_hello;
596 CBS_init(&v2_client_hello, ssl_read_buffer(ssl) + 2, msg_length);
597
598 /* The V2ClientHello without the length is incorporated into the handshake
Robert Sloan5d625782017-02-13 09:55:39 -0800[diff] [blame]599 * hash. This is only ever called at the start of the handshake, so hs is
600 * guaranteed to be non-NULL. */
Robert Sloanb6d070c2017-07-24 08:40:01 -0700[diff] [blame]601 if (!ssl->s3->hs->transcript.Update(CBS_data(&v2_client_hello),
602 CBS_len(&v2_client_hello))) {
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]603 return -1;
604 }
605
David Benjamin7c0d06c2016-08-11 13:26:41 -0400[diff] [blame]606 ssl_do_msg_callback(ssl, 0 /* read */, 0 /* V2ClientHello */,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]607 CBS_data(&v2_client_hello), CBS_len(&v2_client_hello));
608
609 uint8_t msg_type;
610 uint16_t version, cipher_spec_length, session_id_length, challenge_length;
611 CBS cipher_specs, session_id, challenge;
612 if (!CBS_get_u8(&v2_client_hello, &msg_type) ||
613 !CBS_get_u16(&v2_client_hello, &version) ||
614 !CBS_get_u16(&v2_client_hello, &cipher_spec_length) ||
615 !CBS_get_u16(&v2_client_hello, &session_id_length) ||
616 !CBS_get_u16(&v2_client_hello, &challenge_length) ||
617 !CBS_get_bytes(&v2_client_hello, &cipher_specs, cipher_spec_length) ||
618 !CBS_get_bytes(&v2_client_hello, &session_id, session_id_length) ||
619 !CBS_get_bytes(&v2_client_hello, &challenge, challenge_length) ||
620 CBS_len(&v2_client_hello) != 0) {
621 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
622 return -1;
623 }
624
625 /* msg_type has already been checked. */
626 assert(msg_type == SSL2_MT_CLIENT_HELLO);
627
628 /* The client_random is the V2ClientHello challenge. Truncate or
629 * left-pad with zeros as needed. */
630 size_t rand_len = CBS_len(&challenge);
631 if (rand_len > SSL3_RANDOM_SIZE) {
632 rand_len = SSL3_RANDOM_SIZE;
633 }
634 uint8_t random[SSL3_RANDOM_SIZE];
Robert Sloan69939df2017-01-09 10:53:07 -0800[diff] [blame]635 OPENSSL_memset(random, 0, SSL3_RANDOM_SIZE);
636 OPENSSL_memcpy(random + (SSL3_RANDOM_SIZE - rand_len), CBS_data(&challenge),
637 rand_len);
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]638
639 /* Write out an equivalent SSLv3 ClientHello. */
640 size_t max_v3_client_hello = SSL3_HM_HEADER_LENGTH + 2 /* version */ +
641 SSL3_RANDOM_SIZE + 1 /* session ID length */ +
642 2 /* cipher list length */ +
643 CBS_len(&cipher_specs) / 3 * 2 +
644 1 /* compression length */ + 1 /* compression */;
Robert Sloanb6d070c2017-07-24 08:40:01 -0700[diff] [blame]645 ScopedCBB client_hello;
646 CBB hello_body, cipher_suites;
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]647 if (!BUF_MEM_reserve(ssl->init_buf, max_v3_client_hello) ||
Robert Sloanb6d070c2017-07-24 08:40:01 -0700[diff] [blame]648 !CBB_init_fixed(client_hello.get(), (uint8_t *)ssl->init_buf->data,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]649 ssl->init_buf->max) ||
Robert Sloanb6d070c2017-07-24 08:40:01 -0700[diff] [blame]650 !CBB_add_u8(client_hello.get(), SSL3_MT_CLIENT_HELLO) ||
651 !CBB_add_u24_length_prefixed(client_hello.get(), &hello_body) ||
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]652 !CBB_add_u16(&hello_body, version) ||
653 !CBB_add_bytes(&hello_body, random, SSL3_RANDOM_SIZE) ||
654 /* No session id. */
655 !CBB_add_u8(&hello_body, 0) ||
656 !CBB_add_u16_length_prefixed(&hello_body, &cipher_suites)) {
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]657 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
658 return -1;
659 }
660
661 /* Copy the cipher suites. */
662 while (CBS_len(&cipher_specs) > 0) {
663 uint32_t cipher_spec;
664 if (!CBS_get_u24(&cipher_specs, &cipher_spec)) {
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]665 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
666 return -1;
667 }
668
669 /* Skip SSLv2 ciphers. */
670 if ((cipher_spec & 0xff0000) != 0) {
671 continue;
672 }
673 if (!CBB_add_u16(&cipher_suites, cipher_spec)) {
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]674 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
675 return -1;
676 }
677 }
678
679 /* Add the null compression scheme and finish. */
Robert Sloanb6d070c2017-07-24 08:40:01 -0700[diff] [blame]680 if (!CBB_add_u8(&hello_body, 1) ||
681 !CBB_add_u8(&hello_body, 0) ||
682 !CBB_finish(client_hello.get(), NULL, &ssl->init_buf->length)) {
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]683 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
684 return -1;
685 }
686
687 /* Consume and discard the V2ClientHello. */
688 ssl_read_buffer_consume(ssl, 2 + msg_length);
689 ssl_read_buffer_discard(ssl);
690
Robert Sloan4d1ac502017-02-06 08:36:14 -0800[diff] [blame]691 ssl->s3->is_v2_hello = 1;
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]692 return 1;
693}
694
Robert Sloan84377092017-08-14 09:33:19 -0700[diff] [blame^]695/* TODO(davidben): Remove |out_bytes_needed| and inline into |ssl3_get_message|
696 * when the entire record is copied into |init_buf|. */
697static bool parse_message(SSL *ssl, SSLMessage *out, size_t *out_bytes_needed) {
698 if (ssl->init_buf == NULL) {
699 *out_bytes_needed = 4;
700 return false;
701 }
702
703 CBS cbs;
704 uint32_t len;
705 CBS_init(&cbs, reinterpret_cast<const uint8_t *>(ssl->init_buf->data),
706 ssl->init_buf->length);
707 if (!CBS_get_u8(&cbs, &out->type) ||
708 !CBS_get_u24(&cbs, &len)) {
709 *out_bytes_needed = 4;
710 return false;
711 }
712
713 if (!CBS_get_bytes(&cbs, &out->body, len)) {
714 *out_bytes_needed = 4 + len;
715 return false;
716 }
717
718 CBS_init(&out->raw, reinterpret_cast<const uint8_t *>(ssl->init_buf->data),
719 4 + len);
720 out->is_v2_hello = ssl->s3->is_v2_hello;
721 if (!ssl->s3->has_message) {
722 if (!out->is_v2_hello) {
723 ssl_do_msg_callback(ssl, 0 /* read */, SSL3_RT_HANDSHAKE,
724 CBS_data(&out->raw), CBS_len(&out->raw));
725 }
726 ssl->s3->has_message = 1;
727 }
728 return true;
729}
730
731bool ssl3_get_message(SSL *ssl, SSLMessage *out) {
732 size_t unused;
733 return parse_message(ssl, out, &unused);
734}
735
736int ssl3_read_message(SSL *ssl) {
737 SSLMessage msg;
738 size_t bytes_needed;
739 if (parse_message(ssl, &msg, &bytes_needed)) {
740 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
741 return -1;
742 }
743
744 /* Enforce the limit so the peer cannot force us to buffer 16MB. */
745 if (bytes_needed > 4 + ssl_max_handshake_message_len(ssl)) {
746 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
747 OPENSSL_PUT_ERROR(SSL, SSL_R_EXCESSIVE_MESSAGE_SIZE);
748 return -1;
749 }
750
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]751 /* Re-create the handshake buffer if needed. */
752 if (ssl->init_buf == NULL) {
753 ssl->init_buf = BUF_MEM_new();
754 if (ssl->init_buf == NULL) {
755 return -1;
756 }
757 }
758
Robert Sloan84377092017-08-14 09:33:19 -0700[diff] [blame^]759 /* Bypass the record layer for the first message to handle V2ClientHello. */
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]760 if (ssl->server && !ssl->s3->v2_hello_done) {
Robert Sloan4d1ac502017-02-06 08:36:14 -0800[diff] [blame]761 int ret = read_v2_client_hello(ssl);
Robert Sloan84377092017-08-14 09:33:19 -0700[diff] [blame^]762 if (ret > 0) {
763 ssl->s3->v2_hello_done = 1;
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]764 }
David Benjamind316cba2016-06-02 16:17:39 -0400[diff] [blame]765 return ret;
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]766 }
767
Robert Sloan84377092017-08-14 09:33:19 -0700[diff] [blame^]768 return extend_handshake_buffer(ssl, bytes_needed);
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]769}
770
Robert Sloan84377092017-08-14 09:33:19 -0700[diff] [blame^]771bool ssl_hash_message(SSL_HANDSHAKE *hs, const SSLMessage &msg) {
772 /* V2ClientHello messages are pre-hashed. */
773 if (msg.is_v2_hello) {
774 return true;
Robert Sloan4d1ac502017-02-06 08:36:14 -0800[diff] [blame]775 }
776
Robert Sloan84377092017-08-14 09:33:19 -0700[diff] [blame^]777 return hs->transcript.Update(CBS_data(&msg.raw), CBS_len(&msg.raw));
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]778}
779
Robert Sloan84377092017-08-14 09:33:19 -0700[diff] [blame^]780void ssl3_next_message(SSL *ssl) {
781 SSLMessage msg;
782 if (!ssl3_get_message(ssl, &msg) ||
783 ssl->init_buf == NULL ||
784 ssl->init_buf->length < CBS_len(&msg.raw)) {
785 assert(0);
786 return;
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]787 }
788
Robert Sloan84377092017-08-14 09:33:19 -0700[diff] [blame^]789 OPENSSL_memmove(ssl->init_buf->data, ssl->init_buf->data + CBS_len(&msg.raw),
790 ssl->init_buf->length - CBS_len(&msg.raw));
791 ssl->init_buf->length -= CBS_len(&msg.raw);
792 ssl->s3->is_v2_hello = 0;
793 ssl->s3->has_message = 0;
794
795 /* Post-handshake messages are rare, so release the buffer after every
796 * message. During the handshake, |on_handshake_complete| will release it. */
797 if (!SSL_in_init(ssl) && ssl->init_buf->length == 0) {
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]798 BUF_MEM_free(ssl->init_buf);
799 ssl->init_buf = NULL;
800 }
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]801}
802
Steven Valdez909b19f2016-11-21 15:35:44 -0500[diff] [blame]803int ssl_parse_extensions(const CBS *cbs, uint8_t *out_alert,
804 const SSL_EXTENSION_TYPE *ext_types,
Robert Sloan69939df2017-01-09 10:53:07 -0800[diff] [blame]805 size_t num_ext_types, int ignore_unknown) {
Steven Valdez909b19f2016-11-21 15:35:44 -0500[diff] [blame]806 /* Reset everything. */
807 for (size_t i = 0; i < num_ext_types; i++) {
808 *ext_types[i].out_present = 0;
809 CBS_init(ext_types[i].out_data, NULL, 0);
810 }
811
812 CBS copy = *cbs;
813 while (CBS_len(&copy) != 0) {
814 uint16_t type;
815 CBS data;
816 if (!CBS_get_u16(&copy, &type) ||
817 !CBS_get_u16_length_prefixed(&copy, &data)) {
818 OPENSSL_PUT_ERROR(SSL, SSL_R_PARSE_TLSEXT);
819 *out_alert = SSL_AD_DECODE_ERROR;
820 return 0;
821 }
822
823 const SSL_EXTENSION_TYPE *ext_type = NULL;
824 for (size_t i = 0; i < num_ext_types; i++) {
825 if (type == ext_types[i].type) {
826 ext_type = &ext_types[i];
827 break;
828 }
829 }
830
831 if (ext_type == NULL) {
Robert Sloan69939df2017-01-09 10:53:07 -0800[diff] [blame]832 if (ignore_unknown) {
833 continue;
834 }
Steven Valdez909b19f2016-11-21 15:35:44 -0500[diff] [blame]835 OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION);
836 *out_alert = SSL_AD_UNSUPPORTED_EXTENSION;
837 return 0;
838 }
839
840 /* Duplicate ext_types are forbidden. */
841 if (*ext_type->out_present) {
842 OPENSSL_PUT_ERROR(SSL, SSL_R_DUPLICATE_EXTENSION);
843 *out_alert = SSL_AD_ILLEGAL_PARAMETER;
844 return 0;
845 }
846
847 *ext_type->out_present = 1;
848 *ext_type->out_data = data;
849 }
850
851 return 1;
852}
Robert Sloanb6d070c2017-07-24 08:40:01 -0700[diff] [blame]853
854enum ssl_verify_result_t ssl_verify_peer_cert(SSL_HANDSHAKE *hs) {
855 SSL *const ssl = hs->ssl;
856 uint8_t alert = SSL_AD_CERTIFICATE_UNKNOWN;
857 enum ssl_verify_result_t ret;
858 if (ssl->custom_verify_callback != nullptr) {
859 ret = ssl->custom_verify_callback(ssl, &alert);
860 switch (ret) {
861 case ssl_verify_ok:
862 hs->new_session->verify_result = X509_V_OK;
863 break;
864 case ssl_verify_invalid:
865 hs->new_session->verify_result = X509_V_ERR_APPLICATION_VERIFICATION;
866 break;
867 case ssl_verify_retry:
868 break;
869 }
870 } else {
871 ret = ssl->ctx->x509_method->session_verify_cert_chain(
872 hs->new_session.get(), ssl, &alert)
873 ? ssl_verify_ok
874 : ssl_verify_invalid;
875 }
876
877 if (ret == ssl_verify_invalid) {
878 OPENSSL_PUT_ERROR(SSL, SSL_R_CERTIFICATE_VERIFY_FAILED);
879 ssl3_send_alert(ssl, SSL3_AL_FATAL, alert);
880 }
881
882 return ret;
883}
884
885uint16_t ssl_get_grease_value(const SSL *ssl, enum ssl_grease_index_t index) {
886 /* Use the client_random or server_random for entropy. This both avoids
887 * calling |RAND_bytes| on a single byte repeatedly and ensures the values are
888 * deterministic. This allows the same ClientHello be sent twice for a
889 * HelloRetryRequest or the same group be advertised in both supported_groups
890 * and key_shares. */
891 uint16_t ret = ssl->server ? ssl->s3->server_random[index]
892 : ssl->s3->client_random[index];
893 /* The first four bytes of server_random are a timestamp prior to TLS 1.3, but
894 * servers have no fields to GREASE until TLS 1.3. */
895 assert(!ssl->server || ssl3_protocol_version(ssl) >= TLS1_3_VERSION);
896 /* This generates a random value of the form 0xωaωa, for all 0 ≤ ω < 16. */
897 ret = (ret & 0xf0) | 0x0a;
898 ret |= ret << 8;
899 return ret;
900}
901
902} // namespace bssl