1 /* Copyright (C) 1995-1998 Eric Young (eay (at) cryptsoft.com) 2 * All rights reserved. 3 * 4 * This package is an SSL implementation written 5 * by Eric Young (eay (at) cryptsoft.com). 6 * The implementation was written so as to conform with Netscapes SSL. 7 * 8 * This library is free for commercial and non-commercial use as long as 9 * the following conditions are aheared to. The following conditions 10 * apply to all code found in this distribution, be it the RC4, RSA, 11 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 12 * included with this distribution is covered by the same copyright terms 13 * except that the holder is Tim Hudson (tjh (at) cryptsoft.com). 14 * 15 * Copyright remains Eric Young's, and as such any Copyright notices in 16 * the code are not to be removed. 17 * If this package is used in a product, Eric Young should be given attribution 18 * as the author of the parts of the library used. 19 * This can be in the form of a textual message at program startup or 20 * in documentation (online or textual) provided with the package. 21 * 22 * Redistribution and use in source and binary forms, with or without 23 * modification, are permitted provided that the following conditions 24 * are met: 25 * 1. Redistributions of source code must retain the copyright 26 * notice, this list of conditions and the following disclaimer. 27 * 2. Redistributions in binary form must reproduce the above copyright 28 * notice, this list of conditions and the following disclaimer in the 29 * documentation and/or other materials provided with the distribution. 30 * 3. All advertising materials mentioning features or use of this software 31 * must display the following acknowledgement: 32 * "This product includes cryptographic software written by 33 * Eric Young (eay (at) cryptsoft.com)" 34 * The word 'cryptographic' can be left out if the rouines from the library 35 * being used are not cryptographic related :-). 36 * 4. If you include any Windows specific code (or a derivative thereof) from 37 * the apps directory (application code) you must include an acknowledgement: 38 * "This product includes software written by Tim Hudson (tjh (at) cryptsoft.com)" 39 * 40 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 41 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 43 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 44 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 45 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 46 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 48 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 49 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 50 * SUCH DAMAGE. 51 * 52 * The licence and distribution terms for any publically available version or 53 * derivative of this code cannot be changed. i.e. this code cannot simply be 54 * copied and put under another distribution licence 55 * [including the GNU Public Licence.] 56 */ 57 /* ==================================================================== 58 * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved. 59 * 60 * Redistribution and use in source and binary forms, with or without 61 * modification, are permitted provided that the following conditions 62 * are met: 63 * 64 * 1. Redistributions of source code must retain the above copyright 65 * notice, this list of conditions and the following disclaimer. 66 * 67 * 2. Redistributions in binary form must reproduce the above copyright 68 * notice, this list of conditions and the following disclaimer in 69 * the documentation and/or other materials provided with the 70 * distribution. 71 * 72 * 3. All advertising materials mentioning features or use of this 73 * software must display the following acknowledgment: 74 * "This product includes software developed by the OpenSSL Project 75 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 76 * 77 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 78 * endorse or promote products derived from this software without 79 * prior written permission. For written permission, please contact 80 * openssl-core (at) openssl.org. 81 * 82 * 5. Products derived from this software may not be called "OpenSSL" 83 * nor may "OpenSSL" appear in their names without prior written 84 * permission of the OpenSSL Project. 85 * 86 * 6. Redistributions of any form whatsoever must retain the following 87 * acknowledgment: 88 * "This product includes software developed by the OpenSSL Project 89 * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 90 * 91 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 92 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 93 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 94 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 95 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 96 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 97 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 98 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 99 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 100 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 101 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 102 * OF THE POSSIBILITY OF SUCH DAMAGE. 103 * ==================================================================== 104 * 105 * This product includes cryptographic software written by Eric Young 106 * (eay (at) cryptsoft.com). This product includes software written by Tim 107 * Hudson (tjh (at) cryptsoft.com). */ 108 /* ==================================================================== 109 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. 110 * ECC cipher suite support in OpenSSL originally developed by 111 * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project. */ 112 113 #include <assert.h> 114 #include <limits.h> 115 #include <stdio.h> 116 #include <string.h> 117 118 #include <openssl/buf.h> 119 #include <openssl/err.h> 120 #include <openssl/evp.h> 121 #include <openssl/mem.h> 122 #include <openssl/md5.h> 123 #include <openssl/obj.h> 124 #include <openssl/rand.h> 125 #include <openssl/sha.h> 126 #include <openssl/x509.h> 127 128 #include "internal.h" 129 130 131 /* ssl3_do_write sends |s->init_buf| in records of type 'type' 132 * (SSL3_RT_HANDSHAKE or SSL3_RT_CHANGE_CIPHER_SPEC). It returns -1 on error, 1 133 * on success or zero if the transmission is still incomplete. */ 134 int ssl3_do_write(SSL *s, int type) { 135 int n; 136 137 n = ssl3_write_bytes(s, type, &s->init_buf->data[s->init_off], s->init_num); 138 if (n < 0) { 139 return -1; 140 } 141 142 if (n == s->init_num) { 143 if (s->msg_callback) { 144 s->msg_callback(1, s->version, type, s->init_buf->data, 145 (size_t)(s->init_off + s->init_num), s, 146 s->msg_callback_arg); 147 } 148 return 1; 149 } 150 151 s->init_off += n; 152 s->init_num -= n; 153 return 0; 154 } 155 156 int ssl3_send_finished(SSL *s, int a, int b, const char *sender, int slen) { 157 uint8_t *p; 158 int n; 159 160 if (s->state == a) { 161 p = ssl_handshake_start(s); 162 163 n = s->enc_method->final_finish_mac(s, sender, slen, s->s3->tmp.finish_md); 164 if (n == 0) { 165 return 0; 166 } 167 s->s3->tmp.finish_md_len = n; 168 memcpy(p, s->s3->tmp.finish_md, n); 169 170 /* Log the master secret, if logging is enabled. */ 171 if (!ssl_ctx_log_master_secret(s->ctx, s->s3->client_random, 172 SSL3_RANDOM_SIZE, s->session->master_key, 173 s->session->master_key_length)) { 174 return 0; 175 } 176 177 /* Copy the finished so we can use it for renegotiation checks */ 178 if (s->server) { 179 assert(n <= EVP_MAX_MD_SIZE); 180 memcpy(s->s3->previous_server_finished, s->s3->tmp.finish_md, n); 181 s->s3->previous_server_finished_len = n; 182 } else { 183 assert(n <= EVP_MAX_MD_SIZE); 184 memcpy(s->s3->previous_client_finished, s->s3->tmp.finish_md, n); 185 s->s3->previous_client_finished_len = n; 186 } 187 188 if (!ssl_set_handshake_header(s, SSL3_MT_FINISHED, n)) { 189 return 0; 190 } 191 s->state = b; 192 } 193 194 /* SSL3_ST_SEND_xxxxxx_HELLO_B */ 195 return ssl_do_write(s); 196 } 197 198 /* ssl3_take_mac calculates the Finished MAC for the handshakes messages seen 199 * so far. */ 200 static void ssl3_take_mac(SSL *s) { 201 const char *sender; 202 int slen; 203 204 /* If no new cipher setup then return immediately: other functions will set 205 * the appropriate error. */ 206 if (s->s3->tmp.new_cipher == NULL) { 207 return; 208 } 209 210 if (s->state & SSL_ST_CONNECT) { 211 sender = s->enc_method->server_finished_label; 212 slen = s->enc_method->server_finished_label_len; 213 } else { 214 sender = s->enc_method->client_finished_label; 215 slen = s->enc_method->client_finished_label_len; 216 } 217 218 s->s3->tmp.peer_finish_md_len = s->enc_method->final_finish_mac( 219 s, sender, slen, s->s3->tmp.peer_finish_md); 220 } 221 222 int ssl3_get_finished(SSL *s, int a, int b) { 223 int al, finished_len, ok; 224 long message_len; 225 uint8_t *p; 226 227 message_len = 228 s->method->ssl_get_message(s, a, b, SSL3_MT_FINISHED, EVP_MAX_MD_SIZE, 229 ssl_dont_hash_message, &ok); 230 231 if (!ok) { 232 return message_len; 233 } 234 235 /* Snapshot the finished hash before incorporating the new message. */ 236 ssl3_take_mac(s); 237 if (!ssl3_hash_current_message(s)) { 238 goto err; 239 } 240 241 /* If this occurs, we have missed a message. 242 * TODO(davidben): Is this check now redundant with SSL3_FLAGS_EXPECT_CCS? */ 243 if (!s->s3->change_cipher_spec) { 244 al = SSL_AD_UNEXPECTED_MESSAGE; 245 OPENSSL_PUT_ERROR(SSL, ssl3_get_finished, SSL_R_GOT_A_FIN_BEFORE_A_CCS); 246 goto f_err; 247 } 248 s->s3->change_cipher_spec = 0; 249 250 p = s->init_msg; 251 finished_len = s->s3->tmp.peer_finish_md_len; 252 253 if (finished_len != message_len) { 254 al = SSL_AD_DECODE_ERROR; 255 OPENSSL_PUT_ERROR(SSL, ssl3_get_finished, SSL_R_BAD_DIGEST_LENGTH); 256 goto f_err; 257 } 258 259 if (CRYPTO_memcmp(p, s->s3->tmp.peer_finish_md, finished_len) != 0) { 260 al = SSL_AD_DECRYPT_ERROR; 261 OPENSSL_PUT_ERROR(SSL, ssl3_get_finished, SSL_R_DIGEST_CHECK_FAILED); 262 goto f_err; 263 } 264 265 /* Copy the finished so we can use it for renegotiation checks */ 266 if (s->server) { 267 assert(finished_len <= EVP_MAX_MD_SIZE); 268 memcpy(s->s3->previous_client_finished, s->s3->tmp.peer_finish_md, finished_len); 269 s->s3->previous_client_finished_len = finished_len; 270 } else { 271 assert(finished_len <= EVP_MAX_MD_SIZE); 272 memcpy(s->s3->previous_server_finished, s->s3->tmp.peer_finish_md, finished_len); 273 s->s3->previous_server_finished_len = finished_len; 274 } 275 276 return 1; 277 278 f_err: 279 ssl3_send_alert(s, SSL3_AL_FATAL, al); 280 err: 281 return 0; 282 } 283 284 /* for these 2 messages, we need to 285 * ssl->enc_read_ctx re-init 286 * ssl->s3->read_sequence zero 287 * ssl->s3->read_mac_secret re-init 288 * ssl->session->read_sym_enc assign 289 * ssl->session->read_compression assign 290 * ssl->session->read_hash assign */ 291 int ssl3_send_change_cipher_spec(SSL *s, int a, int b) { 292 if (s->state == a) { 293 *((uint8_t *)s->init_buf->data) = SSL3_MT_CCS; 294 s->init_num = 1; 295 s->init_off = 0; 296 297 s->state = b; 298 } 299 300 /* SSL3_ST_CW_CHANGE_B */ 301 return ssl3_do_write(s, SSL3_RT_CHANGE_CIPHER_SPEC); 302 } 303 304 int ssl3_output_cert_chain(SSL *s, CERT_PKEY *cpk) { 305 uint8_t *p; 306 unsigned long l = 3 + SSL_HM_HEADER_LENGTH(s); 307 308 if (cpk == NULL) { 309 /* TLSv1 sends a chain with nothing in it, instead of an alert. */ 310 if (!BUF_MEM_grow_clean(s->init_buf, l)) { 311 OPENSSL_PUT_ERROR(SSL, ssl3_output_cert_chain, ERR_R_BUF_LIB); 312 return 0; 313 } 314 } else if (!ssl_add_cert_chain(s, cpk, &l)) { 315 return 0; 316 } 317 318 l -= 3 + SSL_HM_HEADER_LENGTH(s); 319 p = ssl_handshake_start(s); 320 l2n3(l, p); 321 l += 3; 322 return ssl_set_handshake_header(s, SSL3_MT_CERTIFICATE, l); 323 } 324 325 /* Obtain handshake message of message type |msg_type| (any if |msg_type| == -1), 326 * maximum acceptable body length |max|. The first four bytes (msg_type and 327 * length) are read in state |header_state|, the body is read in state |body_state|. */ 328 long ssl3_get_message(SSL *s, int header_state, int body_state, int msg_type, 329 long max, enum ssl_hash_message_t hash_message, int *ok) { 330 uint8_t *p; 331 unsigned long l; 332 long n; 333 int al; 334 335 if (s->s3->tmp.reuse_message) { 336 /* A ssl_dont_hash_message call cannot be combined with reuse_message; the 337 * ssl_dont_hash_message would have to have been applied to the previous 338 * call. */ 339 assert(hash_message == ssl_hash_message); 340 s->s3->tmp.reuse_message = 0; 341 if (msg_type >= 0 && s->s3->tmp.message_type != msg_type) { 342 al = SSL_AD_UNEXPECTED_MESSAGE; 343 OPENSSL_PUT_ERROR(SSL, ssl3_get_message, SSL_R_UNEXPECTED_MESSAGE); 344 goto f_err; 345 } 346 *ok = 1; 347 s->state = body_state; 348 s->init_msg = (uint8_t *)s->init_buf->data + 4; 349 s->init_num = (int)s->s3->tmp.message_size; 350 return s->init_num; 351 } 352 353 p = (uint8_t *)s->init_buf->data; 354 355 if (s->state == header_state) { 356 assert(s->init_num < 4); 357 358 for (;;) { 359 while (s->init_num < 4) { 360 int bytes_read = ssl3_read_bytes(s, SSL3_RT_HANDSHAKE, &p[s->init_num], 361 4 - s->init_num, 0); 362 if (bytes_read <= 0) { 363 *ok = 0; 364 return bytes_read; 365 } 366 s->init_num += bytes_read; 367 } 368 369 static const uint8_t kHelloRequest[4] = {SSL3_MT_HELLO_REQUEST, 0, 0, 0}; 370 if (s->server || memcmp(p, kHelloRequest, sizeof(kHelloRequest)) != 0) { 371 break; 372 } 373 374 /* The server may always send 'Hello Request' messages -- we are doing 375 * a handshake anyway now, so ignore them if their format is correct. 376 * Does not count for 'Finished' MAC. */ 377 s->init_num = 0; 378 379 if (s->msg_callback) { 380 s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, p, 4, s, 381 s->msg_callback_arg); 382 } 383 } 384 385 /* s->init_num == 4 */ 386 387 if (msg_type >= 0 && *p != msg_type) { 388 al = SSL_AD_UNEXPECTED_MESSAGE; 389 OPENSSL_PUT_ERROR(SSL, ssl3_get_message, SSL_R_UNEXPECTED_MESSAGE); 390 goto f_err; 391 } 392 s->s3->tmp.message_type = *(p++); 393 394 n2l3(p, l); 395 if (l > (unsigned long)max) { 396 al = SSL_AD_ILLEGAL_PARAMETER; 397 OPENSSL_PUT_ERROR(SSL, ssl3_get_message, SSL_R_EXCESSIVE_MESSAGE_SIZE); 398 goto f_err; 399 } 400 401 if (l && !BUF_MEM_grow_clean(s->init_buf, l + 4)) { 402 OPENSSL_PUT_ERROR(SSL, ssl3_get_message, ERR_R_BUF_LIB); 403 goto err; 404 } 405 s->s3->tmp.message_size = l; 406 s->state = body_state; 407 408 s->init_msg = (uint8_t *)s->init_buf->data + 4; 409 s->init_num = 0; 410 } 411 412 /* next state (body_state) */ 413 p = s->init_msg; 414 n = s->s3->tmp.message_size - s->init_num; 415 while (n > 0) { 416 int bytes_read = ssl3_read_bytes(s, SSL3_RT_HANDSHAKE, &p[s->init_num], n, 417 0); 418 if (bytes_read <= 0) { 419 s->rwstate = SSL_READING; 420 *ok = 0; 421 return bytes_read; 422 } 423 s->init_num += bytes_read; 424 n -= bytes_read; 425 } 426 427 /* Feed this message into MAC computation. */ 428 if (hash_message == ssl_hash_message && !ssl3_hash_current_message(s)) { 429 goto err; 430 } 431 if (s->msg_callback) { 432 s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, s->init_buf->data, 433 (size_t)s->init_num + 4, s, s->msg_callback_arg); 434 } 435 *ok = 1; 436 return s->init_num; 437 438 f_err: 439 ssl3_send_alert(s, SSL3_AL_FATAL, al); 440 441 err: 442 *ok = 0; 443 return -1; 444 } 445 446 int ssl3_hash_current_message(SSL *s) { 447 /* The handshake header (different size between DTLS and TLS) is included in 448 * the hash. */ 449 size_t header_len = s->init_msg - (uint8_t *)s->init_buf->data; 450 return ssl3_finish_mac(s, (uint8_t *)s->init_buf->data, 451 s->init_num + header_len); 452 } 453 454 /* ssl3_cert_verify_hash is documented as needing EVP_MAX_MD_SIZE because that 455 * is sufficient pre-TLS1.2 as well. */ 456 OPENSSL_COMPILE_ASSERT(EVP_MAX_MD_SIZE > MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH, 457 combined_tls_hash_fits_in_max); 458 459 int ssl3_cert_verify_hash(SSL *s, uint8_t *out, size_t *out_len, 460 const EVP_MD **out_md, EVP_PKEY *pkey) { 461 /* For TLS v1.2 send signature algorithm and signature using 462 * agreed digest and cached handshake records. Otherwise, use 463 * SHA1 or MD5 + SHA1 depending on key type. */ 464 if (SSL_USE_SIGALGS(s)) { 465 const uint8_t *hdata; 466 size_t hdatalen; 467 EVP_MD_CTX mctx; 468 unsigned len; 469 470 if (!BIO_mem_contents(s->s3->handshake_buffer, &hdata, &hdatalen)) { 471 OPENSSL_PUT_ERROR(SSL, ssl3_cert_verify_hash, ERR_R_INTERNAL_ERROR); 472 return 0; 473 } 474 EVP_MD_CTX_init(&mctx); 475 if (!EVP_DigestInit_ex(&mctx, *out_md, NULL) || 476 !EVP_DigestUpdate(&mctx, hdata, hdatalen) || 477 !EVP_DigestFinal(&mctx, out, &len)) { 478 OPENSSL_PUT_ERROR(SSL, ssl3_cert_verify_hash, ERR_R_EVP_LIB); 479 EVP_MD_CTX_cleanup(&mctx); 480 return 0; 481 } 482 *out_len = len; 483 } else if (pkey->type == EVP_PKEY_RSA) { 484 if (s->enc_method->cert_verify_mac(s, NID_md5, out) == 0 || 485 s->enc_method->cert_verify_mac(s, NID_sha1, out + MD5_DIGEST_LENGTH) == 486 0) { 487 return 0; 488 } 489 *out_len = MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH; 490 *out_md = EVP_md5_sha1(); 491 } else if (pkey->type == EVP_PKEY_EC) { 492 if (s->enc_method->cert_verify_mac(s, NID_sha1, out) == 0) { 493 return 0; 494 } 495 *out_len = SHA_DIGEST_LENGTH; 496 *out_md = EVP_sha1(); 497 } else { 498 OPENSSL_PUT_ERROR(SSL, ssl3_cert_verify_hash, ERR_R_INTERNAL_ERROR); 499 return 0; 500 } 501 502 return 1; 503 } 504 505 int ssl_cert_type(EVP_PKEY *pkey) { 506 switch (pkey->type) { 507 case EVP_PKEY_RSA: 508 return SSL_PKEY_RSA_ENC; 509 case EVP_PKEY_EC: 510 return SSL_PKEY_ECC; 511 default: 512 return -1; 513 } 514 } 515 516 int ssl_verify_alarm_type(long type) { 517 int al; 518 519 switch (type) { 520 case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: 521 case X509_V_ERR_UNABLE_TO_GET_CRL: 522 case X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER: 523 al = SSL_AD_UNKNOWN_CA; 524 break; 525 526 case X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE: 527 case X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE: 528 case X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY: 529 case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD: 530 case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD: 531 case X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD: 532 case X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD: 533 case X509_V_ERR_CERT_NOT_YET_VALID: 534 case X509_V_ERR_CRL_NOT_YET_VALID: 535 case X509_V_ERR_CERT_UNTRUSTED: 536 case X509_V_ERR_CERT_REJECTED: 537 al = SSL_AD_BAD_CERTIFICATE; 538 break; 539 540 case X509_V_ERR_CERT_SIGNATURE_FAILURE: 541 case X509_V_ERR_CRL_SIGNATURE_FAILURE: 542 al = SSL_AD_DECRYPT_ERROR; 543 break; 544 545 case X509_V_ERR_CERT_HAS_EXPIRED: 546 case X509_V_ERR_CRL_HAS_EXPIRED: 547 al = SSL_AD_CERTIFICATE_EXPIRED; 548 break; 549 550 case X509_V_ERR_CERT_REVOKED: 551 al = SSL_AD_CERTIFICATE_REVOKED; 552 break; 553 554 case X509_V_ERR_OUT_OF_MEM: 555 al = SSL_AD_INTERNAL_ERROR; 556 break; 557 558 case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: 559 case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN: 560 case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: 561 case X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE: 562 case X509_V_ERR_CERT_CHAIN_TOO_LONG: 563 case X509_V_ERR_PATH_LENGTH_EXCEEDED: 564 case X509_V_ERR_INVALID_CA: 565 al = SSL_AD_UNKNOWN_CA; 566 break; 567 568 case X509_V_ERR_APPLICATION_VERIFICATION: 569 al = SSL_AD_HANDSHAKE_FAILURE; 570 break; 571 572 case X509_V_ERR_INVALID_PURPOSE: 573 al = SSL_AD_UNSUPPORTED_CERTIFICATE; 574 break; 575 576 default: 577 al = SSL_AD_CERTIFICATE_UNKNOWN; 578 break; 579 } 580 581 return al; 582 } 583 584 int ssl3_setup_read_buffer(SSL *s) { 585 uint8_t *p; 586 size_t len, align = 0, headerlen; 587 588 if (SSL_IS_DTLS(s)) { 589 headerlen = DTLS1_RT_HEADER_LENGTH; 590 } else { 591 headerlen = SSL3_RT_HEADER_LENGTH; 592 } 593 594 #if defined(SSL3_ALIGN_PAYLOAD) && SSL3_ALIGN_PAYLOAD != 0 595 align = (-SSL3_RT_HEADER_LENGTH) & (SSL3_ALIGN_PAYLOAD - 1); 596 #endif 597 598 if (s->s3->rbuf.buf == NULL) { 599 len = SSL3_RT_MAX_ENCRYPTED_LENGTH + headerlen + align; 600 if (s->options & SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER) { 601 s->s3->init_extra = 1; 602 len += SSL3_RT_MAX_EXTRA; 603 } 604 p = OPENSSL_malloc(len); 605 if (p == NULL) { 606 goto err; 607 } 608 s->s3->rbuf.buf = p; 609 s->s3->rbuf.len = len; 610 } 611 612 s->packet = &s->s3->rbuf.buf[0]; 613 return 1; 614 615 err: 616 OPENSSL_PUT_ERROR(SSL, ssl3_setup_read_buffer, ERR_R_MALLOC_FAILURE); 617 return 0; 618 } 619 620 int ssl3_setup_write_buffer(SSL *s) { 621 uint8_t *p; 622 size_t len, align = 0, headerlen; 623 624 if (SSL_IS_DTLS(s)) { 625 headerlen = DTLS1_RT_HEADER_LENGTH + 1; 626 } else { 627 headerlen = SSL3_RT_HEADER_LENGTH; 628 } 629 630 #if defined(SSL3_ALIGN_PAYLOAD) && SSL3_ALIGN_PAYLOAD != 0 631 align = (-SSL3_RT_HEADER_LENGTH) & (SSL3_ALIGN_PAYLOAD - 1); 632 #endif 633 634 if (s->s3->wbuf.buf == NULL) { 635 len = s->max_send_fragment + SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD + 636 headerlen + align; 637 /* Account for 1/n-1 record splitting. */ 638 if (s->mode & SSL_MODE_CBC_RECORD_SPLITTING) { 639 len += headerlen + align + 1 + SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD; 640 } 641 642 p = OPENSSL_malloc(len); 643 if (p == NULL) { 644 goto err; 645 } 646 s->s3->wbuf.buf = p; 647 s->s3->wbuf.len = len; 648 } 649 650 return 1; 651 652 err: 653 OPENSSL_PUT_ERROR(SSL, ssl3_setup_write_buffer, ERR_R_MALLOC_FAILURE); 654 return 0; 655 } 656 657 int ssl3_release_write_buffer(SSL *s) { 658 OPENSSL_free(s->s3->wbuf.buf); 659 s->s3->wbuf.buf = NULL; 660 return 1; 661 } 662 663 int ssl3_release_read_buffer(SSL *s) { 664 OPENSSL_free(s->s3->rbuf.buf); 665 s->s3->rbuf.buf = NULL; 666 s->packet = NULL; 667 return 1; 668 } 669 670 int ssl_fill_hello_random(uint8_t *out, size_t len, int is_server) { 671 if (is_server) { 672 const uint32_t current_time = time(NULL); 673 uint8_t *p = out; 674 675 if (len < 4) { 676 return 0; 677 } 678 p[0] = current_time >> 24; 679 p[1] = current_time >> 16; 680 p[2] = current_time >> 8; 681 p[3] = current_time; 682 return RAND_bytes(p + 4, len - 4); 683 } else { 684 return RAND_bytes(out, len); 685 } 686 } 687