Gitiles
Code Review Sign In
gerrit.openfyde.cn / boringssl.googlesource.com / boringssl / daf207a52a65621cbd18033b9d2fa5b45f550caa / . / ssl / s3_both.c
blob: 133cd2d9d787c5ed3b65e39be2253841f1640c16 [file] [log] [blame]
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
2 * All rights reserved.
3 *
4 * This package is an SSL implementation written
5 * by Eric Young (eay@cryptsoft.com).
6 * The implementation was written so as to conform with Netscapes SSL.
7 *
8 * This library is free for commercial and non-commercial use as long as
9 * the following conditions are aheared to. The following conditions
10 * apply to all code found in this distribution, be it the RC4, RSA,
11 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
12 * included with this distribution is covered by the same copyright terms
13 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
14 *
15 * Copyright remains Eric Young's, and as such any Copyright notices in
16 * the code are not to be removed.
17 * If this package is used in a product, Eric Young should be given attribution
18 * as the author of the parts of the library used.
19 * This can be in the form of a textual message at program startup or
20 * in documentation (online or textual) provided with the package.
21 *
22 * Redistribution and use in source and binary forms, with or without
23 * modification, are permitted provided that the following conditions
24 * are met:
25 * 1. Redistributions of source code must retain the copyright
26 * notice, this list of conditions and the following disclaimer.
27 * 2. Redistributions in binary form must reproduce the above copyright
28 * notice, this list of conditions and the following disclaimer in the
29 * documentation and/or other materials provided with the distribution.
30 * 3. All advertising materials mentioning features or use of this software
31 * must display the following acknowledgement:
32 * "This product includes cryptographic software written by
33 * Eric Young (eay@cryptsoft.com)"
34 * The word 'cryptographic' can be left out if the rouines from the library
35 * being used are not cryptographic related :-).
36 * 4. If you include any Windows specific code (or a derivative thereof) from
37 * the apps directory (application code) you must include an acknowledgement:
38 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
39 *
40 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
41 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
43 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
44 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
45 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
46 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
48 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
49 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
50 * SUCH DAMAGE.
51 *
52 * The licence and distribution terms for any publically available version or
53 * derivative of this code cannot be changed. i.e. this code cannot simply be
54 * copied and put under another distribution licence
55 * [including the GNU Public Licence.]
56 */
57/* ====================================================================
58 * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved.
59 *
60 * Redistribution and use in source and binary forms, with or without
61 * modification, are permitted provided that the following conditions
62 * are met:
63 *
64 * 1. Redistributions of source code must retain the above copyright
65 * notice, this list of conditions and the following disclaimer.
66 *
67 * 2. Redistributions in binary form must reproduce the above copyright
68 * notice, this list of conditions and the following disclaimer in
69 * the documentation and/or other materials provided with the
70 * distribution.
71 *
72 * 3. All advertising materials mentioning features or use of this
73 * software must display the following acknowledgment:
74 * "This product includes software developed by the OpenSSL Project
75 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
76 *
77 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
78 * endorse or promote products derived from this software without
79 * prior written permission. For written permission, please contact
80 * openssl-core@openssl.org.
81 *
82 * 5. Products derived from this software may not be called "OpenSSL"
83 * nor may "OpenSSL" appear in their names without prior written
84 * permission of the OpenSSL Project.
85 *
86 * 6. Redistributions of any form whatsoever must retain the following
87 * acknowledgment:
88 * "This product includes software developed by the OpenSSL Project
89 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
90 *
91 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
92 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
93 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
94 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
95 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
96 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
97 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
98 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
99 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
100 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
101 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
102 * OF THE POSSIBILITY OF SUCH DAMAGE.
103 * ====================================================================
104 *
105 * This product includes cryptographic software written by Eric Young
106 * (eay@cryptsoft.com). This product includes software written by Tim
107 * Hudson (tjh@cryptsoft.com). */
108/* ====================================================================
109 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
110 * ECC cipher suite support in OpenSSL originally developed by
111 * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project. */
112
David Benjamin9e4e01e2015-09-15 01:48:04 -0400[diff] [blame]113#include <openssl/ssl.h>
114
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]115#include <assert.h>
116#include <limits.h>
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]117#include <string.h>
118
119#include <openssl/buf.h>
David Benjamin75836432016-06-17 18:48:29 -0400[diff] [blame]120#include <openssl/bytestring.h>
David Benjaminf0ae1702015-04-07 23:05:04 -0400[diff] [blame]121#include <openssl/err.h>
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]122#include <openssl/evp.h>
123#include <openssl/mem.h>
David Benjamin854dd652014-08-26 00:32:30 -0400[diff] [blame]124#include <openssl/md5.h>
David Benjamin98193672016-03-25 18:07:11 -0400[diff] [blame]125#include <openssl/nid.h>
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]126#include <openssl/rand.h>
David Benjamin854dd652014-08-26 00:32:30 -0400[diff] [blame]127#include <openssl/sha.h>
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]128#include <openssl/x509.h>
129
David Benjamin17cf2cb2016-12-13 01:07:13 -0500[diff] [blame]130#include "../crypto/internal.h"
David Benjamin2ee94aa2015-04-07 22:38:30 -0400[diff] [blame]131#include "internal.h"
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]132
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]133
David Benjamince8c9d22016-11-14 10:45:16 +0900[diff] [blame]134SSL_HANDSHAKE *ssl_handshake_new(SSL *ssl) {
David Benjamin867bcba2016-08-18 15:32:23 -0400[diff] [blame]135 SSL_HANDSHAKE *hs = OPENSSL_malloc(sizeof(SSL_HANDSHAKE));
136 if (hs == NULL) {
137 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
138 return NULL;
139 }
David Benjamin17cf2cb2016-12-13 01:07:13 -0500[diff] [blame]140 OPENSSL_memset(hs, 0, sizeof(SSL_HANDSHAKE));
David Benjamince8c9d22016-11-14 10:45:16 +0900[diff] [blame]141 hs->ssl = ssl;
David Benjamin867bcba2016-08-18 15:32:23 -0400[diff] [blame]142 hs->wait = ssl_hs_ok;
David Benjamincb0c29f2016-12-12 17:00:50 -0500[diff] [blame]143 hs->state = SSL_ST_INIT;
David Benjamin867bcba2016-08-18 15:32:23 -0400[diff] [blame]144 return hs;
145}
146
David Benjamin867bcba2016-08-18 15:32:23 -0400[diff] [blame]147void ssl_handshake_free(SSL_HANDSHAKE *hs) {
148 if (hs == NULL) {
149 return;
150 }
151
152 OPENSSL_cleanse(hs->secret, sizeof(hs->secret));
Steven Valdez4cb84942016-12-16 11:29:28 -0500[diff] [blame]153 OPENSSL_cleanse(hs->client_handshake_secret,
154 sizeof(hs->client_handshake_secret));
155 OPENSSL_cleanse(hs->server_handshake_secret,
156 sizeof(hs->server_handshake_secret));
Steven Valdezc4aa7272016-10-03 12:25:56 -0400[diff] [blame]157 OPENSSL_cleanse(hs->client_traffic_secret_0,
158 sizeof(hs->client_traffic_secret_0));
159 OPENSSL_cleanse(hs->server_traffic_secret_0,
160 sizeof(hs->server_traffic_secret_0));
David Benjaminc8b6b4f2016-09-08 23:47:48 -0400[diff] [blame]161 SSL_ECDH_CTX_cleanup(&hs->ecdh_ctx);
David Benjamin3baa6e12016-10-07 21:10:38 -0400[diff] [blame]162 OPENSSL_free(hs->cookie);
David Benjamin867bcba2016-08-18 15:32:23 -0400[diff] [blame]163 OPENSSL_free(hs->key_share_bytes);
164 OPENSSL_free(hs->public_key);
David Benjamin0fc37ef2016-08-17 15:29:46 -0400[diff] [blame]165 OPENSSL_free(hs->peer_sigalgs);
David Benjamin43612b62016-10-07 00:41:50 -0400[diff] [blame]166 OPENSSL_free(hs->peer_supported_group_list);
David Benjamin3baa6e12016-10-07 21:10:38 -0400[diff] [blame]167 OPENSSL_free(hs->peer_key);
168 OPENSSL_free(hs->server_params);
David Benjaminbac75b82016-09-16 19:34:02 -0400[diff] [blame]169 OPENSSL_free(hs->peer_psk_identity_hint);
David Benjamina0486782016-10-06 19:11:32 -0400[diff] [blame]170 sk_X509_NAME_pop_free(hs->ca_names, X509_NAME_free);
171 OPENSSL_free(hs->certificate_types);
David Benjamin4e419262016-11-07 15:45:53 -0500[diff] [blame]172
173 if (hs->key_block != NULL) {
174 OPENSSL_cleanse(hs->key_block, hs->key_block_len);
175 OPENSSL_free(hs->key_block);
176 }
177
David Benjamin4eb95cc2016-11-16 17:08:23 +0900[diff] [blame]178 OPENSSL_free(hs->hostname);
Adam Langleyd5157222016-12-12 11:37:43 -0800[diff] [blame]179 EVP_PKEY_free(hs->peer_pubkey);
David Benjamin867bcba2016-08-18 15:32:23 -0400[diff] [blame]180 OPENSSL_free(hs);
181}
182
David Benjamindaf207a2017-01-03 18:37:41 -0500[diff] [blame^]183static int add_record_to_flight(SSL *ssl, uint8_t type, const uint8_t *in,
184 size_t in_len) {
185 /* We'll never add a flight while in the process of writing it out. */
186 assert(ssl->s3->pending_flight_offset == 0);
187
188 if (ssl->s3->pending_flight == NULL) {
189 ssl->s3->pending_flight = BUF_MEM_new();
190 if (ssl->s3->pending_flight == NULL) {
191 return 0;
192 }
Adam Langley24819752014-12-15 18:42:07 -0800[diff] [blame]193 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]194
David Benjamindaf207a2017-01-03 18:37:41 -0500[diff] [blame^]195 size_t max_out = in_len + SSL_max_seal_overhead(ssl);
196 size_t new_cap = ssl->s3->pending_flight->length + max_out;
197 if (max_out < in_len || new_cap < max_out) {
198 OPENSSL_PUT_ERROR(SSL, ERR_R_OVERFLOW);
199 return 0;
200 }
201
202 size_t len;
203 if (!BUF_MEM_reserve(ssl->s3->pending_flight, new_cap) ||
204 !tls_seal_record(ssl, (uint8_t *)ssl->s3->pending_flight->data +
205 ssl->s3->pending_flight->length,
206 &len, max_out, type, in, in_len)) {
207 return 0;
208 }
209
210 ssl->s3->pending_flight->length += len;
David Benjamin75836432016-06-17 18:48:29 -0400[diff] [blame]211 return 1;
212}
213
214int ssl3_init_message(SSL *ssl, CBB *cbb, CBB *body, uint8_t type) {
David Benjamin75836432016-06-17 18:48:29 -0400[diff] [blame]215 /* Pick a modest size hint to save most of the |realloc| calls. */
216 if (!CBB_init(cbb, 64) ||
217 !CBB_add_u8(cbb, type) ||
218 !CBB_add_u24_length_prefixed(cbb, body)) {
219 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
David Benjamindaf207a2017-01-03 18:37:41 -0500[diff] [blame^]220 CBB_cleanup(cbb);
David Benjamin75836432016-06-17 18:48:29 -0400[diff] [blame]221 return 0;
222 }
223
224 return 1;
225}
226
Steven Valdez5eead162016-11-11 22:23:25 -0500[diff] [blame]227int ssl3_finish_message(SSL *ssl, CBB *cbb, uint8_t **out_msg,
228 size_t *out_len) {
229 if (!CBB_finish(cbb, out_msg, out_len)) {
David Benjamin75836432016-06-17 18:48:29 -0400[diff] [blame]230 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
231 return 0;
232 }
David Benjaminba1660b2016-11-12 14:26:19 +0900[diff] [blame]233
Steven Valdez5eead162016-11-11 22:23:25 -0500[diff] [blame]234 return 1;
235}
David Benjamin75836432016-06-17 18:48:29 -0400[diff] [blame]236
David Benjamindaf207a2017-01-03 18:37:41 -0500[diff] [blame^]237int ssl3_add_message(SSL *ssl, uint8_t *msg, size_t len) {
238 /* Add the message to the current flight, splitting into several records if
239 * needed. */
240 int ret = 0;
241 size_t added = 0;
242 do {
243 size_t todo = len - added;
244 if (todo > ssl->max_send_fragment) {
245 todo = ssl->max_send_fragment;
246 }
247
248 if (!add_record_to_flight(ssl, SSL3_RT_HANDSHAKE, msg + added, todo)) {
249 goto err;
250 }
251 added += todo;
252 } while (added < len);
253
254 ssl_do_msg_callback(ssl, 1 /* write */, SSL3_RT_HANDSHAKE, msg, len);
255 ssl3_update_handshake_hash(ssl, msg, len);
256 ret = 1;
257
258err:
259 OPENSSL_free(msg);
260 return ret;
261}
262
263int ssl3_add_change_cipher_spec(SSL *ssl) {
264 static const uint8_t kChangeCipherSpec[1] = {SSL3_MT_CCS};
265
266 if (!add_record_to_flight(ssl, SSL3_RT_CHANGE_CIPHER_SPEC, kChangeCipherSpec,
267 sizeof(kChangeCipherSpec))) {
David Benjamin75836432016-06-17 18:48:29 -0400[diff] [blame]268 return 0;
269 }
270
David Benjamindaf207a2017-01-03 18:37:41 -0500[diff] [blame^]271 ssl_do_msg_callback(ssl, 1 /* write */, SSL3_RT_CHANGE_CIPHER_SPEC,
272 kChangeCipherSpec, sizeof(kChangeCipherSpec));
David Benjamin75836432016-06-17 18:48:29 -0400[diff] [blame]273 return 1;
274}
275
David Benjamindaf207a2017-01-03 18:37:41 -0500[diff] [blame^]276int ssl3_add_alert(SSL *ssl, uint8_t level, uint8_t desc) {
277 uint8_t alert[2] = {level, desc};
278 if (!add_record_to_flight(ssl, SSL3_RT_ALERT, alert, sizeof(alert))) {
279 return 0;
280 }
281
282 ssl_do_msg_callback(ssl, 1 /* write */, SSL3_RT_ALERT, alert, sizeof(alert));
283 ssl_do_info_callback(ssl, SSL_CB_WRITE_ALERT, ((int)level << 8) | desc);
284 return 1;
285}
286
287int ssl_add_message_cbb(SSL *ssl, CBB *cbb) {
David Benjaminba1660b2016-11-12 14:26:19 +0900[diff] [blame]288 uint8_t *msg;
Steven Valdez5eead162016-11-11 22:23:25 -0500[diff] [blame]289 size_t len;
290 if (!ssl->method->finish_message(ssl, cbb, &msg, &len) ||
David Benjamindaf207a2017-01-03 18:37:41 -0500[diff] [blame^]291 !ssl->method->add_message(ssl, msg, len)) {
Steven Valdez5eead162016-11-11 22:23:25 -0500[diff] [blame]292 return 0;
293 }
294
295 return 1;
296}
297
David Benjamindaf207a2017-01-03 18:37:41 -0500[diff] [blame^]298int ssl3_write_message(SSL *ssl) { return 1; }
299
300int ssl3_flush_flight(SSL *ssl) {
301 if (ssl->s3->pending_flight == NULL) {
302 return 1;
David Benjamin75836432016-06-17 18:48:29 -0400[diff] [blame]303 }
304
David Benjamindaf207a2017-01-03 18:37:41 -0500[diff] [blame^]305 if (ssl->s3->pending_flight->length > 0xffffffff ||
306 ssl->s3->pending_flight->length > INT_MAX) {
307 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
308 return -1;
309 }
310
311 /* The handshake flight buffer is mutually exclusive with application data.
312 *
313 * TODO(davidben): This will not be true when closure alerts use this. */
314 if (ssl_write_buffer_is_pending(ssl)) {
315 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
316 return -1;
317 }
318
319 /* Write the pending flight. */
320 while (ssl->s3->pending_flight_offset < ssl->s3->pending_flight->length) {
321 int ret = BIO_write(
322 ssl->wbio,
323 ssl->s3->pending_flight->data + ssl->s3->pending_flight_offset,
324 ssl->s3->pending_flight->length - ssl->s3->pending_flight_offset);
325 if (ret <= 0) {
326 ssl->rwstate = SSL_WRITING;
327 return ret;
328 }
329
330 ssl->s3->pending_flight_offset += ret;
331 }
332
333 int ret = BIO_flush(ssl->wbio);
David Benjamin75836432016-06-17 18:48:29 -0400[diff] [blame]334 if (ret <= 0) {
David Benjamindaf207a2017-01-03 18:37:41 -0500[diff] [blame^]335 ssl->rwstate = SSL_WRITING;
David Benjamin75836432016-06-17 18:48:29 -0400[diff] [blame]336 return ret;
337 }
338
David Benjamindaf207a2017-01-03 18:37:41 -0500[diff] [blame^]339 BUF_MEM_free(ssl->s3->pending_flight);
340 ssl->s3->pending_flight = NULL;
341 ssl->s3->pending_flight_offset = 0;
David Benjamin2a08c8d2016-06-07 15:06:39 -0400[diff] [blame]342 return 1;
Adam Langley24819752014-12-15 18:42:07 -0800[diff] [blame]343}
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]344
David Benjaminc3c88822016-11-14 10:32:04 +0900[diff] [blame]345int ssl3_send_finished(SSL_HANDSHAKE *hs, int a, int b) {
346 SSL *const ssl = hs->ssl;
David Benjamincb0c29f2016-12-12 17:00:50 -0500[diff] [blame]347 if (hs->state == b) {
David Benjamin75836432016-06-17 18:48:29 -0400[diff] [blame]348 return ssl->method->write_message(ssl);
Adam Langley24819752014-12-15 18:42:07 -0800[diff] [blame]349 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]350
David Benjamin49ddf412016-10-08 11:56:01 -0400[diff] [blame]351 uint8_t finished[EVP_MAX_MD_SIZE];
352 size_t finished_len =
353 ssl->s3->enc_method->final_finish_mac(ssl, ssl->server, finished);
354 if (finished_len == 0) {
David Benjamin75836432016-06-17 18:48:29 -0400[diff] [blame]355 return 0;
356 }
David Benjamin75836432016-06-17 18:48:29 -0400[diff] [blame]357
358 /* Log the master secret, if logging is enabled. */
Steven Valdez87eab492016-06-27 16:34:59 -0400[diff] [blame]359 if (!ssl_log_secret(ssl, "CLIENT_RANDOM",
360 SSL_get_session(ssl)->master_key,
361 SSL_get_session(ssl)->master_key_length)) {
David Benjamin75836432016-06-17 18:48:29 -0400[diff] [blame]362 return 0;
363 }
364
David Benjamin52bf6902016-10-08 12:05:03 -0400[diff] [blame]365 /* Copy the Finished so we can use it for renegotiation checks. */
366 if (ssl->version != SSL3_VERSION) {
367 if (finished_len > sizeof(ssl->s3->previous_client_finished) ||
368 finished_len > sizeof(ssl->s3->previous_server_finished)) {
369 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
370 return -1;
371 }
372
373 if (ssl->server) {
David Benjamin17cf2cb2016-12-13 01:07:13 -0500[diff] [blame]374 OPENSSL_memcpy(ssl->s3->previous_server_finished, finished, finished_len);
David Benjamin52bf6902016-10-08 12:05:03 -0400[diff] [blame]375 ssl->s3->previous_server_finished_len = finished_len;
376 } else {
David Benjamin17cf2cb2016-12-13 01:07:13 -0500[diff] [blame]377 OPENSSL_memcpy(ssl->s3->previous_client_finished, finished, finished_len);
David Benjamin52bf6902016-10-08 12:05:03 -0400[diff] [blame]378 ssl->s3->previous_client_finished_len = finished_len;
379 }
David Benjamin75836432016-06-17 18:48:29 -0400[diff] [blame]380 }
381
382 CBB cbb, body;
383 if (!ssl->method->init_message(ssl, &cbb, &body, SSL3_MT_FINISHED) ||
David Benjamin49ddf412016-10-08 11:56:01 -0400[diff] [blame]384 !CBB_add_bytes(&body, finished, finished_len) ||
David Benjamindaf207a2017-01-03 18:37:41 -0500[diff] [blame^]385 !ssl_add_message_cbb(ssl, &cbb)) {
David Benjamin75836432016-06-17 18:48:29 -0400[diff] [blame]386 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
387 CBB_cleanup(&cbb);
388 return -1;
389 }
390
David Benjamincb0c29f2016-12-12 17:00:50 -0500[diff] [blame]391 hs->state = b;
David Benjamin75836432016-06-17 18:48:29 -0400[diff] [blame]392 return ssl->method->write_message(ssl);
Adam Langley24819752014-12-15 18:42:07 -0800[diff] [blame]393}
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]394
David Benjaminc3c88822016-11-14 10:32:04 +0900[diff] [blame]395int ssl3_get_finished(SSL_HANDSHAKE *hs) {
396 SSL *const ssl = hs->ssl;
David Benjamin09eb6552016-07-08 14:32:11 -0700[diff] [blame]397 int ret = ssl->method->ssl_get_message(ssl, SSL3_MT_FINISHED,
398 ssl_dont_hash_message);
399 if (ret <= 0) {
400 return ret;
Adam Langley24819752014-12-15 18:42:07 -0800[diff] [blame]401 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]402
Adam Langley24819752014-12-15 18:42:07 -0800[diff] [blame]403 /* Snapshot the finished hash before incorporating the new message. */
David Benjamin49ddf412016-10-08 11:56:01 -0400[diff] [blame]404 uint8_t finished[EVP_MAX_MD_SIZE];
405 size_t finished_len =
406 ssl->s3->enc_method->final_finish_mac(ssl, !ssl->server, finished);
407 if (finished_len == 0 ||
David Benjaminced94792016-11-14 17:12:11 +0900[diff] [blame]408 !ssl_hash_current_message(ssl)) {
David Benjamin49ddf412016-10-08 11:56:01 -0400[diff] [blame]409 return -1;
David Benjaminfbdfefb2015-02-16 19:33:53 -0500[diff] [blame]410 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]411
David Benjamin639846e2016-09-09 11:41:18 -0400[diff] [blame]412 int finished_ok = ssl->init_num == finished_len &&
David Benjamin49ddf412016-10-08 11:56:01 -0400[diff] [blame]413 CRYPTO_memcmp(ssl->init_msg, finished, finished_len) == 0;
David Benjaminbf82aed2016-03-01 22:57:40 -0500[diff] [blame]414#if defined(BORINGSSL_UNSAFE_FUZZER_MODE)
David Benjamin639846e2016-09-09 11:41:18 -0400[diff] [blame]415 finished_ok = 1;
David Benjaminbf82aed2016-03-01 22:57:40 -0500[diff] [blame]416#endif
David Benjamin639846e2016-09-09 11:41:18 -0400[diff] [blame]417 if (!finished_ok) {
David Benjamin49ddf412016-10-08 11:56:01 -0400[diff] [blame]418 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECRYPT_ERROR);
David Benjamin3570d732015-06-29 00:28:17 -0400[diff] [blame]419 OPENSSL_PUT_ERROR(SSL, SSL_R_DIGEST_CHECK_FAILED);
David Benjamin49ddf412016-10-08 11:56:01 -0400[diff] [blame]420 return -1;
Adam Langley24819752014-12-15 18:42:07 -0800[diff] [blame]421 }
422
David Benjamin52bf6902016-10-08 12:05:03 -0400[diff] [blame]423 /* Copy the Finished so we can use it for renegotiation checks. */
424 if (ssl->version != SSL3_VERSION) {
425 if (finished_len > sizeof(ssl->s3->previous_client_finished) ||
426 finished_len > sizeof(ssl->s3->previous_server_finished)) {
427 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
428 return -1;
429 }
430
431 if (ssl->server) {
David Benjamin17cf2cb2016-12-13 01:07:13 -0500[diff] [blame]432 OPENSSL_memcpy(ssl->s3->previous_client_finished, finished, finished_len);
David Benjamin52bf6902016-10-08 12:05:03 -0400[diff] [blame]433 ssl->s3->previous_client_finished_len = finished_len;
434 } else {
David Benjamin17cf2cb2016-12-13 01:07:13 -0500[diff] [blame]435 OPENSSL_memcpy(ssl->s3->previous_server_finished, finished, finished_len);
David Benjamin52bf6902016-10-08 12:05:03 -0400[diff] [blame]436 ssl->s3->previous_server_finished_len = finished_len;
437 }
Adam Langley24819752014-12-15 18:42:07 -0800[diff] [blame]438 }
439
440 return 1;
Adam Langley24819752014-12-15 18:42:07 -0800[diff] [blame]441}
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]442
David Benjamin0d56f882015-12-19 17:05:56 -0500[diff] [blame]443int ssl3_output_cert_chain(SSL *ssl) {
David Benjamin75836432016-06-17 18:48:29 -0400[diff] [blame]444 CBB cbb, body;
445 if (!ssl->method->init_message(ssl, &cbb, &body, SSL3_MT_CERTIFICATE) ||
446 !ssl_add_cert_chain(ssl, &body) ||
David Benjamindaf207a2017-01-03 18:37:41 -0500[diff] [blame^]447 !ssl_add_message_cbb(ssl, &cbb)) {
David Benjamin75836432016-06-17 18:48:29 -0400[diff] [blame]448 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
449 CBB_cleanup(&cbb);
Adam Langley24819752014-12-15 18:42:07 -0800[diff] [blame]450 return 0;
451 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]452
David Benjamin75836432016-06-17 18:48:29 -0400[diff] [blame]453 return 1;
Adam Langley24819752014-12-15 18:42:07 -0800[diff] [blame]454}
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]455
David Benjamin060cfb02016-05-12 00:43:05 -0400[diff] [blame]456size_t ssl_max_handshake_message_len(const SSL *ssl) {
457 /* kMaxMessageLen is the default maximum message size for handshakes which do
458 * not accept peer certificate chains. */
459 static const size_t kMaxMessageLen = 16384;
460
David Benjamin163f29a2016-07-28 11:05:58 -0400[diff] [blame]461 if (SSL_in_init(ssl)) {
462 if ((!ssl->server || (ssl->verify_mode & SSL_VERIFY_PEER)) &&
463 kMaxMessageLen < ssl->max_cert_list) {
464 return ssl->max_cert_list;
465 }
466 return kMaxMessageLen;
David Benjamin060cfb02016-05-12 00:43:05 -0400[diff] [blame]467 }
David Benjamin163f29a2016-07-28 11:05:58 -0400[diff] [blame]468
469 if (ssl3_protocol_version(ssl) < TLS1_3_VERSION) {
470 /* In TLS 1.2 and below, the largest acceptable post-handshake message is
471 * a HelloRequest. */
472 return 0;
473 }
474
475 if (ssl->server) {
476 /* The largest acceptable post-handshake message for a server is a
477 * KeyUpdate. We will never initiate post-handshake auth. */
478 return 0;
479 }
480
481 /* Clients must accept NewSessionTicket and CertificateRequest, so allow the
482 * default size. */
David Benjamin060cfb02016-05-12 00:43:05 -0400[diff] [blame]483 return kMaxMessageLen;
484}
485
David Benjamina6338be2016-05-13 18:12:19 -0400[diff] [blame]486static int extend_handshake_buffer(SSL *ssl, size_t length) {
487 if (!BUF_MEM_reserve(ssl->init_buf, length)) {
488 return -1;
489 }
490 while (ssl->init_buf->length < length) {
David Benjamin163f29a2016-07-28 11:05:58 -0400[diff] [blame]491 int ret = ssl3_read_handshake_bytes(
492 ssl, (uint8_t *)ssl->init_buf->data + ssl->init_buf->length,
493 length - ssl->init_buf->length);
David Benjamina6338be2016-05-13 18:12:19 -0400[diff] [blame]494 if (ret <= 0) {
495 return ret;
496 }
497 ssl->init_buf->length += (size_t)ret;
498 }
499 return 1;
500}
501
David Benjamin9fd95802016-07-27 14:20:08 -0400[diff] [blame]502static int read_v2_client_hello(SSL *ssl, int *out_is_v2_client_hello) {
David Benjamin4dbdf942016-07-06 21:55:10 -0700[diff] [blame]503 /* Read the first 5 bytes, the size of the TLS record header. This is
504 * sufficient to detect a V2ClientHello and ensures that we never read beyond
505 * the first record. */
506 int ret = ssl_read_buffer_extend_to(ssl, SSL3_RT_HEADER_LENGTH);
507 if (ret <= 0) {
508 return ret;
509 }
510 const uint8_t *p = ssl_read_buffer(ssl);
511
512 /* Some dedicated error codes for protocol mixups should the application wish
513 * to interpret them differently. (These do not overlap with ClientHello or
514 * V2ClientHello.) */
515 if (strncmp("GET ", (const char *)p, 4) == 0 ||
516 strncmp("POST ", (const char *)p, 5) == 0 ||
517 strncmp("HEAD ", (const char *)p, 5) == 0 ||
518 strncmp("PUT ", (const char *)p, 4) == 0) {
519 OPENSSL_PUT_ERROR(SSL, SSL_R_HTTP_REQUEST);
520 return -1;
521 }
522 if (strncmp("CONNE", (const char *)p, 5) == 0) {
523 OPENSSL_PUT_ERROR(SSL, SSL_R_HTTPS_PROXY_REQUEST);
524 return -1;
525 }
526
527 if ((p[0] & 0x80) == 0 || p[2] != SSL2_MT_CLIENT_HELLO ||
528 p[3] != SSL3_VERSION_MAJOR) {
529 /* Not a V2ClientHello. */
David Benjamin9fd95802016-07-27 14:20:08 -0400[diff] [blame]530 *out_is_v2_client_hello = 0;
David Benjamin4dbdf942016-07-06 21:55:10 -0700[diff] [blame]531 return 1;
532 }
533
534 /* Determine the length of the V2ClientHello. */
535 size_t msg_length = ((p[0] & 0x7f) << 8) | p[1];
536 if (msg_length > (1024 * 4)) {
537 OPENSSL_PUT_ERROR(SSL, SSL_R_RECORD_TOO_LARGE);
538 return -1;
539 }
540 if (msg_length < SSL3_RT_HEADER_LENGTH - 2) {
541 /* Reject lengths that are too short early. We have already read
542 * |SSL3_RT_HEADER_LENGTH| bytes, so we should not attempt to process an
543 * (invalid) V2ClientHello which would be shorter than that. */
544 OPENSSL_PUT_ERROR(SSL, SSL_R_RECORD_LENGTH_MISMATCH);
545 return -1;
546 }
547
548 /* Read the remainder of the V2ClientHello. */
549 ret = ssl_read_buffer_extend_to(ssl, 2 + msg_length);
550 if (ret <= 0) {
551 return ret;
552 }
553
554 CBS v2_client_hello;
555 CBS_init(&v2_client_hello, ssl_read_buffer(ssl) + 2, msg_length);
556
557 /* The V2ClientHello without the length is incorporated into the handshake
558 * hash. */
559 if (!ssl3_update_handshake_hash(ssl, CBS_data(&v2_client_hello),
560 CBS_len(&v2_client_hello))) {
561 return -1;
562 }
563
David Benjaminc0279992016-09-19 20:15:07 -0400[diff] [blame]564 ssl_do_msg_callback(ssl, 0 /* read */, 0 /* V2ClientHello */,
David Benjamin4dbdf942016-07-06 21:55:10 -0700[diff] [blame]565 CBS_data(&v2_client_hello), CBS_len(&v2_client_hello));
566
567 uint8_t msg_type;
568 uint16_t version, cipher_spec_length, session_id_length, challenge_length;
569 CBS cipher_specs, session_id, challenge;
570 if (!CBS_get_u8(&v2_client_hello, &msg_type) ||
571 !CBS_get_u16(&v2_client_hello, &version) ||
572 !CBS_get_u16(&v2_client_hello, &cipher_spec_length) ||
573 !CBS_get_u16(&v2_client_hello, &session_id_length) ||
574 !CBS_get_u16(&v2_client_hello, &challenge_length) ||
575 !CBS_get_bytes(&v2_client_hello, &cipher_specs, cipher_spec_length) ||
576 !CBS_get_bytes(&v2_client_hello, &session_id, session_id_length) ||
577 !CBS_get_bytes(&v2_client_hello, &challenge, challenge_length) ||
578 CBS_len(&v2_client_hello) != 0) {
579 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
580 return -1;
581 }
582
583 /* msg_type has already been checked. */
584 assert(msg_type == SSL2_MT_CLIENT_HELLO);
585
586 /* The client_random is the V2ClientHello challenge. Truncate or
587 * left-pad with zeros as needed. */
588 size_t rand_len = CBS_len(&challenge);
589 if (rand_len > SSL3_RANDOM_SIZE) {
590 rand_len = SSL3_RANDOM_SIZE;
591 }
592 uint8_t random[SSL3_RANDOM_SIZE];
David Benjamin17cf2cb2016-12-13 01:07:13 -0500[diff] [blame]593 OPENSSL_memset(random, 0, SSL3_RANDOM_SIZE);
594 OPENSSL_memcpy(random + (SSL3_RANDOM_SIZE - rand_len), CBS_data(&challenge),
595 rand_len);
David Benjamin4dbdf942016-07-06 21:55:10 -0700[diff] [blame]596
597 /* Write out an equivalent SSLv3 ClientHello. */
David Benjamin481b9d22016-07-27 14:01:59 -0400[diff] [blame]598 size_t max_v3_client_hello = SSL3_HM_HEADER_LENGTH + 2 /* version */ +
599 SSL3_RANDOM_SIZE + 1 /* session ID length */ +
600 2 /* cipher list length */ +
601 CBS_len(&cipher_specs) / 3 * 2 +
602 1 /* compression length */ + 1 /* compression */;
David Benjamin4dbdf942016-07-06 21:55:10 -0700[diff] [blame]603 CBB client_hello, hello_body, cipher_suites;
David Benjamin481b9d22016-07-27 14:01:59 -0400[diff] [blame]604 CBB_zero(&client_hello);
605 if (!BUF_MEM_reserve(ssl->init_buf, max_v3_client_hello) ||
606 !CBB_init_fixed(&client_hello, (uint8_t *)ssl->init_buf->data,
David Benjamin4dbdf942016-07-06 21:55:10 -0700[diff] [blame]607 ssl->init_buf->max) ||
608 !CBB_add_u8(&client_hello, SSL3_MT_CLIENT_HELLO) ||
609 !CBB_add_u24_length_prefixed(&client_hello, &hello_body) ||
610 !CBB_add_u16(&hello_body, version) ||
611 !CBB_add_bytes(&hello_body, random, SSL3_RANDOM_SIZE) ||
612 /* No session id. */
613 !CBB_add_u8(&hello_body, 0) ||
614 !CBB_add_u16_length_prefixed(&hello_body, &cipher_suites)) {
615 CBB_cleanup(&client_hello);
616 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
617 return -1;
618 }
619
620 /* Copy the cipher suites. */
621 while (CBS_len(&cipher_specs) > 0) {
622 uint32_t cipher_spec;
623 if (!CBS_get_u24(&cipher_specs, &cipher_spec)) {
624 CBB_cleanup(&client_hello);
625 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
626 return -1;
627 }
628
629 /* Skip SSLv2 ciphers. */
630 if ((cipher_spec & 0xff0000) != 0) {
631 continue;
632 }
633 if (!CBB_add_u16(&cipher_suites, cipher_spec)) {
634 CBB_cleanup(&client_hello);
635 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
636 return -1;
637 }
638 }
639
640 /* Add the null compression scheme and finish. */
641 if (!CBB_add_u8(&hello_body, 1) || !CBB_add_u8(&hello_body, 0) ||
642 !CBB_finish(&client_hello, NULL, &ssl->init_buf->length)) {
643 CBB_cleanup(&client_hello);
644 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
645 return -1;
646 }
647
David Benjamin4dbdf942016-07-06 21:55:10 -0700[diff] [blame]648 /* Consume and discard the V2ClientHello. */
649 ssl_read_buffer_consume(ssl, 2 + msg_length);
650 ssl_read_buffer_discard(ssl);
David Benjamin9fd95802016-07-27 14:20:08 -0400[diff] [blame]651
652 *out_is_v2_client_hello = 1;
David Benjamin4dbdf942016-07-06 21:55:10 -0700[diff] [blame]653 return 1;
654}
655
David Benjamin09eb6552016-07-08 14:32:11 -0700[diff] [blame]656int ssl3_get_message(SSL *ssl, int msg_type,
657 enum ssl_hash_message_t hash_message) {
David Benjamin34a3c492016-07-06 21:31:14 -0700[diff] [blame]658again:
David Benjamin481b9d22016-07-27 14:01:59 -0400[diff] [blame]659 /* Re-create the handshake buffer if needed. */
660 if (ssl->init_buf == NULL) {
661 ssl->init_buf = BUF_MEM_new();
662 if (ssl->init_buf == NULL) {
663 return -1;
664 }
665 }
666
David Benjamin4dbdf942016-07-06 21:55:10 -0700[diff] [blame]667 if (ssl->server && !ssl->s3->v2_hello_done) {
668 /* Bypass the record layer for the first message to handle V2ClientHello. */
669 assert(hash_message == ssl_hash_message);
David Benjamin9fd95802016-07-27 14:20:08 -0400[diff] [blame]670 int is_v2_client_hello = 0;
671 int ret = read_v2_client_hello(ssl, &is_v2_client_hello);
David Benjamin4dbdf942016-07-06 21:55:10 -0700[diff] [blame]672 if (ret <= 0) {
673 return ret;
674 }
David Benjamin9fd95802016-07-27 14:20:08 -0400[diff] [blame]675 if (is_v2_client_hello) {
676 /* V2ClientHello is hashed separately. */
677 hash_message = ssl_dont_hash_message;
678 }
David Benjamin4dbdf942016-07-06 21:55:10 -0700[diff] [blame]679 ssl->s3->v2_hello_done = 1;
680 }
681
David Benjamin0d56f882015-12-19 17:05:56 -0500[diff] [blame]682 if (ssl->s3->tmp.reuse_message) {
David Benjamin5ca39fb2015-03-01 23:57:54 -0500[diff] [blame]683 /* A ssl_dont_hash_message call cannot be combined with reuse_message; the
684 * ssl_dont_hash_message would have to have been applied to the previous
685 * call. */
686 assert(hash_message == ssl_hash_message);
David Benjamin9fd95802016-07-27 14:20:08 -0400[diff] [blame]687 assert(ssl->init_msg != NULL);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]688
David Benjamin34a3c492016-07-06 21:31:14 -0700[diff] [blame]689 ssl->s3->tmp.reuse_message = 0;
690 hash_message = ssl_dont_hash_message;
David Benjamin4497e582016-07-27 17:51:49 -0400[diff] [blame]691 } else {
692 ssl3_release_current_message(ssl, 0 /* don't free buffer */);
Adam Langley24819752014-12-15 18:42:07 -0800[diff] [blame]693 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]694
David Benjamina6338be2016-05-13 18:12:19 -0400[diff] [blame]695 /* Read the message header, if we haven't yet. */
David Benjamina9509482016-07-27 14:03:33 -0400[diff] [blame]696 int ret = extend_handshake_buffer(ssl, SSL3_HM_HEADER_LENGTH);
David Benjamina6338be2016-05-13 18:12:19 -0400[diff] [blame]697 if (ret <= 0) {
698 return ret;
Adam Langley24819752014-12-15 18:42:07 -0800[diff] [blame]699 }
700
David Benjamina6338be2016-05-13 18:12:19 -0400[diff] [blame]701 /* Parse out the length. Cap it so the peer cannot force us to buffer up to
702 * 2^24 bytes. */
703 const uint8_t *p = (uint8_t *)ssl->init_buf->data;
704 size_t msg_len = (((uint32_t)p[1]) << 16) | (((uint32_t)p[2]) << 8) | p[3];
705 if (msg_len > ssl_max_handshake_message_len(ssl)) {
706 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
707 OPENSSL_PUT_ERROR(SSL, SSL_R_EXCESSIVE_MESSAGE_SIZE);
708 return -1;
709 }
710
711 /* Read the message body, if we haven't yet. */
David Benjamina9509482016-07-27 14:03:33 -0400[diff] [blame]712 ret = extend_handshake_buffer(ssl, SSL3_HM_HEADER_LENGTH + msg_len);
David Benjamina6338be2016-05-13 18:12:19 -0400[diff] [blame]713 if (ret <= 0) {
714 return ret;
715 }
716
717 /* We have now received a complete message. */
David Benjaminc0279992016-09-19 20:15:07 -0400[diff] [blame]718 ssl_do_msg_callback(ssl, 0 /* read */, SSL3_RT_HANDSHAKE, ssl->init_buf->data,
719 ssl->init_buf->length);
David Benjamina6338be2016-05-13 18:12:19 -0400[diff] [blame]720
David Benjaminbd4679d2016-07-24 01:59:10 -0400[diff] [blame]721 ssl->s3->tmp.message_type = ((const uint8_t *)ssl->init_buf->data)[0];
David Benjamina9509482016-07-27 14:03:33 -0400[diff] [blame]722 ssl->init_msg = (uint8_t*)ssl->init_buf->data + SSL3_HM_HEADER_LENGTH;
723 ssl->init_num = ssl->init_buf->length - SSL3_HM_HEADER_LENGTH;
David Benjaminbd4679d2016-07-24 01:59:10 -0400[diff] [blame]724
David Benjamin163f29a2016-07-28 11:05:58 -0400[diff] [blame]725 /* Ignore stray HelloRequest messages in the handshake before TLS 1.3. Per RFC
726 * 5246, section 7.4.1.1, the server may send HelloRequest at any time. */
727 if (!ssl->server && SSL_in_init(ssl) &&
David Benjaminbd4679d2016-07-24 01:59:10 -0400[diff] [blame]728 (!ssl->s3->have_version || ssl3_protocol_version(ssl) < TLS1_3_VERSION) &&
729 ssl->s3->tmp.message_type == SSL3_MT_HELLO_REQUEST &&
730 ssl->init_num == 0) {
David Benjamina6338be2016-05-13 18:12:19 -0400[diff] [blame]731 goto again;
732 }
733
David Benjaminbd4679d2016-07-24 01:59:10 -0400[diff] [blame]734 if (msg_type >= 0 && ssl->s3->tmp.message_type != msg_type) {
David Benjamina6338be2016-05-13 18:12:19 -0400[diff] [blame]735 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
736 OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_MESSAGE);
737 return -1;
738 }
David Benjamina6338be2016-05-13 18:12:19 -0400[diff] [blame]739
Adam Langley24819752014-12-15 18:42:07 -0800[diff] [blame]740 /* Feed this message into MAC computation. */
David Benjaminced94792016-11-14 17:12:11 +0900[diff] [blame]741 if (hash_message == ssl_hash_message && !ssl_hash_current_message(ssl)) {
David Benjamina6338be2016-05-13 18:12:19 -0400[diff] [blame]742 return -1;
Adam Langley6e73d622014-12-15 18:46:16 -0800[diff] [blame]743 }
David Benjamina6338be2016-05-13 18:12:19 -0400[diff] [blame]744
David Benjamin09eb6552016-07-08 14:32:11 -0700[diff] [blame]745 return 1;
Adam Langley24819752014-12-15 18:42:07 -0800[diff] [blame]746}
747
David Benjaminced94792016-11-14 17:12:11 +0900[diff] [blame]748void ssl3_get_current_message(const SSL *ssl, CBS *out) {
749 CBS_init(out, (uint8_t *)ssl->init_buf->data, ssl->init_buf->length);
750}
751
752int ssl_hash_current_message(SSL *ssl) {
753 CBS cbs;
754 ssl->method->get_current_message(ssl, &cbs);
755 return ssl3_update_handshake_hash(ssl, CBS_data(&cbs), CBS_len(&cbs));
Adam Langley24819752014-12-15 18:42:07 -0800[diff] [blame]756}
David Benjamin590cbe92014-08-25 21:34:56 -0400[diff] [blame]757
David Benjamin4497e582016-07-27 17:51:49 -0400[diff] [blame]758void ssl3_release_current_message(SSL *ssl, int free_buffer) {
759 if (ssl->init_msg != NULL) {
760 /* |init_buf| never contains data beyond the current message. */
761 assert(SSL3_HM_HEADER_LENGTH + ssl->init_num == ssl->init_buf->length);
762
763 /* Clear the current message. */
764 ssl->init_msg = NULL;
765 ssl->init_num = 0;
766 ssl->init_buf->length = 0;
767 }
768
769 if (free_buffer) {
770 BUF_MEM_free(ssl->init_buf);
771 ssl->init_buf = NULL;
772 }
773}
774
Adam Langley24819752014-12-15 18:42:07 -0800[diff] [blame]775int ssl_verify_alarm_type(long type) {
776 int al;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]777
Adam Langley24819752014-12-15 18:42:07 -0800[diff] [blame]778 switch (type) {
779 case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
780 case X509_V_ERR_UNABLE_TO_GET_CRL:
781 case X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER:
782 al = SSL_AD_UNKNOWN_CA;
783 break;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]784
Adam Langley24819752014-12-15 18:42:07 -0800[diff] [blame]785 case X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE:
786 case X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE:
787 case X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY:
788 case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
789 case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
790 case X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD:
791 case X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD:
792 case X509_V_ERR_CERT_NOT_YET_VALID:
793 case X509_V_ERR_CRL_NOT_YET_VALID:
794 case X509_V_ERR_CERT_UNTRUSTED:
795 case X509_V_ERR_CERT_REJECTED:
David Benjamin8f1e1132016-06-07 12:49:36 -0400[diff] [blame]796 case X509_V_ERR_HOSTNAME_MISMATCH:
797 case X509_V_ERR_EMAIL_MISMATCH:
798 case X509_V_ERR_IP_ADDRESS_MISMATCH:
Adam Langley24819752014-12-15 18:42:07 -0800[diff] [blame]799 al = SSL_AD_BAD_CERTIFICATE;
800 break;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]801
Adam Langley24819752014-12-15 18:42:07 -0800[diff] [blame]802 case X509_V_ERR_CERT_SIGNATURE_FAILURE:
803 case X509_V_ERR_CRL_SIGNATURE_FAILURE:
804 al = SSL_AD_DECRYPT_ERROR;
805 break;
806
807 case X509_V_ERR_CERT_HAS_EXPIRED:
808 case X509_V_ERR_CRL_HAS_EXPIRED:
809 al = SSL_AD_CERTIFICATE_EXPIRED;
810 break;
811
812 case X509_V_ERR_CERT_REVOKED:
813 al = SSL_AD_CERTIFICATE_REVOKED;
814 break;
815
David Benjamin8f1e1132016-06-07 12:49:36 -0400[diff] [blame]816 case X509_V_ERR_UNSPECIFIED:
Adam Langley24819752014-12-15 18:42:07 -0800[diff] [blame]817 case X509_V_ERR_OUT_OF_MEM:
David Benjamin8f1e1132016-06-07 12:49:36 -0400[diff] [blame]818 case X509_V_ERR_INVALID_CALL:
819 case X509_V_ERR_STORE_LOOKUP:
Adam Langley24819752014-12-15 18:42:07 -0800[diff] [blame]820 al = SSL_AD_INTERNAL_ERROR;
821 break;
822
823 case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
824 case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN:
825 case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:
826 case X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE:
827 case X509_V_ERR_CERT_CHAIN_TOO_LONG:
828 case X509_V_ERR_PATH_LENGTH_EXCEEDED:
829 case X509_V_ERR_INVALID_CA:
830 al = SSL_AD_UNKNOWN_CA;
831 break;
832
833 case X509_V_ERR_APPLICATION_VERIFICATION:
834 al = SSL_AD_HANDSHAKE_FAILURE;
835 break;
836
837 case X509_V_ERR_INVALID_PURPOSE:
838 al = SSL_AD_UNSUPPORTED_CERTIFICATE;
839 break;
840
841 default:
842 al = SSL_AD_CERTIFICATE_UNKNOWN;
843 break;
844 }
845
846 return al;
847}
David Benjaminffb11072016-11-13 10:32:10 +0900[diff] [blame]848
849int ssl_parse_extensions(const CBS *cbs, uint8_t *out_alert,
850 const SSL_EXTENSION_TYPE *ext_types,
Steven Valdez08b65f42016-12-07 15:29:45 -0500[diff] [blame]851 size_t num_ext_types, int ignore_unknown) {
David Benjaminffb11072016-11-13 10:32:10 +0900[diff] [blame]852 /* Reset everything. */
853 for (size_t i = 0; i < num_ext_types; i++) {
854 *ext_types[i].out_present = 0;
855 CBS_init(ext_types[i].out_data, NULL, 0);
856 }
857
858 CBS copy = *cbs;
859 while (CBS_len(&copy) != 0) {
860 uint16_t type;
861 CBS data;
862 if (!CBS_get_u16(&copy, &type) ||
863 !CBS_get_u16_length_prefixed(&copy, &data)) {
864 OPENSSL_PUT_ERROR(SSL, SSL_R_PARSE_TLSEXT);
865 *out_alert = SSL_AD_DECODE_ERROR;
866 return 0;
867 }
868
869 const SSL_EXTENSION_TYPE *ext_type = NULL;
870 for (size_t i = 0; i < num_ext_types; i++) {
871 if (type == ext_types[i].type) {
872 ext_type = &ext_types[i];
873 break;
874 }
875 }
876
877 if (ext_type == NULL) {
Steven Valdez08b65f42016-12-07 15:29:45 -0500[diff] [blame]878 if (ignore_unknown) {
879 continue;
880 }
David Benjaminffb11072016-11-13 10:32:10 +0900[diff] [blame]881 OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION);
882 *out_alert = SSL_AD_UNSUPPORTED_EXTENSION;
883 return 0;
884 }
885
886 /* Duplicate ext_types are forbidden. */
887 if (*ext_type->out_present) {
888 OPENSSL_PUT_ERROR(SSL, SSL_R_DUPLICATE_EXTENSION);
889 *out_alert = SSL_AD_ILLEGAL_PARAMETER;
890 return 0;
891 }
892
893 *ext_type->out_present = 1;
894 *ext_type->out_data = data;
895 }
896
897 return 1;
898}