1 /* Copyright (C) 1995-1998 Eric Young (eay (at) cryptsoft.com) 2 * All rights reserved. 3 * 4 * This package is an SSL implementation written 5 * by Eric Young (eay (at) cryptsoft.com). 6 * The implementation was written so as to conform with Netscapes SSL. 7 * 8 * This library is free for commercial and non-commercial use as long as 9 * the following conditions are aheared to. The following conditions 10 * apply to all code found in this distribution, be it the RC4, RSA, 11 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 12 * included with this distribution is covered by the same copyright terms 13 * except that the holder is Tim Hudson (tjh (at) cryptsoft.com). 14 * 15 * Copyright remains Eric Young's, and as such any Copyright notices in 16 * the code are not to be removed. 17 * If this package is used in a product, Eric Young should be given attribution 18 * as the author of the parts of the library used. 19 * This can be in the form of a textual message at program startup or 20 * in documentation (online or textual) provided with the package. 21 * 22 * Redistribution and use in source and binary forms, with or without 23 * modification, are permitted provided that the following conditions 24 * are met: 25 * 1. Redistributions of source code must retain the copyright 26 * notice, this list of conditions and the following disclaimer. 27 * 2. Redistributions in binary form must reproduce the above copyright 28 * notice, this list of conditions and the following disclaimer in the 29 * documentation and/or other materials provided with the distribution. 30 * 3. All advertising materials mentioning features or use of this software 31 * must display the following acknowledgement: 32 * "This product includes cryptographic software written by 33 * Eric Young (eay (at) cryptsoft.com)" 34 * The word 'cryptographic' can be left out if the rouines from the library 35 * being used are not cryptographic related :-). 36 * 4. If you include any Windows specific code (or a derivative thereof) from 37 * the apps directory (application code) you must include an acknowledgement: 38 * "This product includes software written by Tim Hudson (tjh (at) cryptsoft.com)" 39 * 40 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 41 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 43 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 44 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 45 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 46 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 48 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 49 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 50 * SUCH DAMAGE. 51 * 52 * The licence and distribution terms for any publically available version or 53 * derivative of this code cannot be changed. i.e. this code cannot simply be 54 * copied and put under another distribution licence 55 * [including the GNU Public Licence.] 56 */ 57 /* ==================================================================== 58 * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved. 59 * 60 * Redistribution and use in source and binary forms, with or without 61 * modification, are permitted provided that the following conditions 62 * are met: 63 * 64 * 1. Redistributions of source code must retain the above copyright 65 * notice, this list of conditions and the following disclaimer. 66 * 67 * 2. Redistributions in binary form must reproduce the above copyright 68 * notice, this list of conditions and the following disclaimer in 69 * the documentation and/or other materials provided with the 70 * distribution. 71 * 72 * 3. All advertising materials mentioning features or use of this 73 * software must display the following acknowledgment: 74 * "This product includes software developed by the OpenSSL Project 75 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 76 * 77 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 78 * endorse or promote products derived from this software without 79 * prior written permission. For written permission, please contact 80 * openssl-core (at) openssl.org. 81 * 82 * 5. Products derived from this software may not be called "OpenSSL" 83 * nor may "OpenSSL" appear in their names without prior written 84 * permission of the OpenSSL Project. 85 * 86 * 6. Redistributions of any form whatsoever must retain the following 87 * acknowledgment: 88 * "This product includes software developed by the OpenSSL Project 89 * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 90 * 91 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 92 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 93 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 94 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 95 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 96 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 97 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 98 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 99 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 100 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 101 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 102 * OF THE POSSIBILITY OF SUCH DAMAGE. 103 * ==================================================================== 104 * 105 * This product includes cryptographic software written by Eric Young 106 * (eay (at) cryptsoft.com). This product includes software written by Tim 107 * Hudson (tjh (at) cryptsoft.com). */ 108 /* ==================================================================== 109 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. 110 * ECC cipher suite support in OpenSSL originally developed by 111 * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project. */ 112 113 #include <openssl/ssl.h> 114 115 #include <assert.h> 116 #include <limits.h> 117 #include <string.h> 118 119 #include <openssl/buf.h> 120 #include <openssl/bytestring.h> 121 #include <openssl/err.h> 122 #include <openssl/evp.h> 123 #include <openssl/mem.h> 124 #include <openssl/md5.h> 125 #include <openssl/nid.h> 126 #include <openssl/rand.h> 127 #include <openssl/sha.h> 128 129 #include "../crypto/internal.h" 130 #include "internal.h" 131 132 133 SSL_HANDSHAKE *ssl_handshake_new(SSL *ssl) { 134 SSL_HANDSHAKE *hs = (SSL_HANDSHAKE *)OPENSSL_malloc(sizeof(SSL_HANDSHAKE)); 135 if (hs == NULL) { 136 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); 137 return NULL; 138 } 139 OPENSSL_memset(hs, 0, sizeof(SSL_HANDSHAKE)); 140 hs->ssl = ssl; 141 hs->wait = ssl_hs_ok; 142 hs->state = SSL_ST_INIT; 143 if (!SSL_TRANSCRIPT_init(&hs->transcript)) { 144 ssl_handshake_free(hs); 145 return NULL; 146 } 147 return hs; 148 } 149 150 void ssl_handshake_free(SSL_HANDSHAKE *hs) { 151 if (hs == NULL) { 152 return; 153 } 154 155 OPENSSL_cleanse(hs->secret, sizeof(hs->secret)); 156 OPENSSL_cleanse(hs->early_traffic_secret, sizeof(hs->early_traffic_secret)); 157 OPENSSL_cleanse(hs->client_handshake_secret, 158 sizeof(hs->client_handshake_secret)); 159 OPENSSL_cleanse(hs->server_handshake_secret, 160 sizeof(hs->server_handshake_secret)); 161 OPENSSL_cleanse(hs->client_traffic_secret_0, 162 sizeof(hs->client_traffic_secret_0)); 163 OPENSSL_cleanse(hs->server_traffic_secret_0, 164 sizeof(hs->server_traffic_secret_0)); 165 SSL_ECDH_CTX_cleanup(&hs->ecdh_ctx); 166 SSL_TRANSCRIPT_cleanup(&hs->transcript); 167 OPENSSL_free(hs->cookie); 168 OPENSSL_free(hs->key_share_bytes); 169 OPENSSL_free(hs->ecdh_public_key); 170 SSL_SESSION_free(hs->new_session); 171 SSL_SESSION_free(hs->early_session); 172 OPENSSL_free(hs->peer_sigalgs); 173 OPENSSL_free(hs->peer_supported_group_list); 174 OPENSSL_free(hs->peer_key); 175 OPENSSL_free(hs->server_params); 176 OPENSSL_free(hs->peer_psk_identity_hint); 177 sk_CRYPTO_BUFFER_pop_free(hs->ca_names, CRYPTO_BUFFER_free); 178 hs->ssl->ctx->x509_method->hs_flush_cached_ca_names(hs); 179 OPENSSL_free(hs->certificate_types); 180 181 if (hs->key_block != NULL) { 182 OPENSSL_cleanse(hs->key_block, hs->key_block_len); 183 OPENSSL_free(hs->key_block); 184 } 185 186 OPENSSL_free(hs->hostname); 187 EVP_PKEY_free(hs->peer_pubkey); 188 EVP_PKEY_free(hs->local_pubkey); 189 OPENSSL_free(hs); 190 } 191 192 int ssl_check_message_type(SSL *ssl, int type) { 193 if (ssl->s3->tmp.message_type != type) { 194 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE); 195 OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_MESSAGE); 196 ERR_add_error_dataf("got type %d, wanted type %d", 197 ssl->s3->tmp.message_type, type); 198 return 0; 199 } 200 201 return 1; 202 } 203 204 static int add_record_to_flight(SSL *ssl, uint8_t type, const uint8_t *in, 205 size_t in_len) { 206 /* We'll never add a flight while in the process of writing it out. */ 207 assert(ssl->s3->pending_flight_offset == 0); 208 209 if (ssl->s3->pending_flight == NULL) { 210 ssl->s3->pending_flight = BUF_MEM_new(); 211 if (ssl->s3->pending_flight == NULL) { 212 return 0; 213 } 214 } 215 216 size_t max_out = in_len + SSL_max_seal_overhead(ssl); 217 size_t new_cap = ssl->s3->pending_flight->length + max_out; 218 if (max_out < in_len || new_cap < max_out) { 219 OPENSSL_PUT_ERROR(SSL, ERR_R_OVERFLOW); 220 return 0; 221 } 222 223 size_t len; 224 if (!BUF_MEM_reserve(ssl->s3->pending_flight, new_cap) || 225 !tls_seal_record(ssl, (uint8_t *)ssl->s3->pending_flight->data + 226 ssl->s3->pending_flight->length, 227 &len, max_out, type, in, in_len)) { 228 return 0; 229 } 230 231 ssl->s3->pending_flight->length += len; 232 return 1; 233 } 234 235 int ssl3_init_message(SSL *ssl, CBB *cbb, CBB *body, uint8_t type) { 236 /* Pick a modest size hint to save most of the |realloc| calls. */ 237 if (!CBB_init(cbb, 64) || 238 !CBB_add_u8(cbb, type) || 239 !CBB_add_u24_length_prefixed(cbb, body)) { 240 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); 241 CBB_cleanup(cbb); 242 return 0; 243 } 244 245 return 1; 246 } 247 248 int ssl3_finish_message(SSL *ssl, CBB *cbb, uint8_t **out_msg, 249 size_t *out_len) { 250 if (!CBB_finish(cbb, out_msg, out_len)) { 251 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); 252 return 0; 253 } 254 255 return 1; 256 } 257 258 int ssl3_add_message(SSL *ssl, uint8_t *msg, size_t len) { 259 /* Add the message to the current flight, splitting into several records if 260 * needed. */ 261 int ret = 0; 262 size_t added = 0; 263 do { 264 size_t todo = len - added; 265 if (todo > ssl->max_send_fragment) { 266 todo = ssl->max_send_fragment; 267 } 268 269 uint8_t type = SSL3_RT_HANDSHAKE; 270 if (ssl->server && 271 ssl->s3->have_version && 272 ssl->version == TLS1_3_RECORD_TYPE_EXPERIMENT_VERSION && 273 ssl->s3->aead_write_ctx == NULL) { 274 type = SSL3_RT_PLAINTEXT_HANDSHAKE; 275 } 276 277 if (!add_record_to_flight(ssl, type, msg + added, todo)) { 278 goto err; 279 } 280 added += todo; 281 } while (added < len); 282 283 ssl_do_msg_callback(ssl, 1 /* write */, SSL3_RT_HANDSHAKE, msg, len); 284 /* TODO(svaldez): Move this up a layer to fix abstraction for SSL_TRANSCRIPT 285 * on hs. */ 286 if (ssl->s3->hs != NULL && 287 !SSL_TRANSCRIPT_update(&ssl->s3->hs->transcript, msg, len)) { 288 goto err; 289 } 290 ret = 1; 291 292 err: 293 OPENSSL_free(msg); 294 return ret; 295 } 296 297 int ssl3_add_change_cipher_spec(SSL *ssl) { 298 static const uint8_t kChangeCipherSpec[1] = {SSL3_MT_CCS}; 299 300 if (!add_record_to_flight(ssl, SSL3_RT_CHANGE_CIPHER_SPEC, kChangeCipherSpec, 301 sizeof(kChangeCipherSpec))) { 302 return 0; 303 } 304 305 ssl_do_msg_callback(ssl, 1 /* write */, SSL3_RT_CHANGE_CIPHER_SPEC, 306 kChangeCipherSpec, sizeof(kChangeCipherSpec)); 307 return 1; 308 } 309 310 int ssl3_add_alert(SSL *ssl, uint8_t level, uint8_t desc) { 311 uint8_t alert[2] = {level, desc}; 312 if (!add_record_to_flight(ssl, SSL3_RT_ALERT, alert, sizeof(alert))) { 313 return 0; 314 } 315 316 ssl_do_msg_callback(ssl, 1 /* write */, SSL3_RT_ALERT, alert, sizeof(alert)); 317 ssl_do_info_callback(ssl, SSL_CB_WRITE_ALERT, ((int)level << 8) | desc); 318 return 1; 319 } 320 321 int ssl_add_message_cbb(SSL *ssl, CBB *cbb) { 322 uint8_t *msg; 323 size_t len; 324 if (!ssl->method->finish_message(ssl, cbb, &msg, &len) || 325 !ssl->method->add_message(ssl, msg, len)) { 326 return 0; 327 } 328 329 return 1; 330 } 331 332 int ssl3_flush_flight(SSL *ssl) { 333 if (ssl->s3->pending_flight == NULL) { 334 return 1; 335 } 336 337 if (ssl->s3->pending_flight->length > 0xffffffff || 338 ssl->s3->pending_flight->length > INT_MAX) { 339 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); 340 return -1; 341 } 342 343 /* If there is pending data in the write buffer, it must be flushed out before 344 * any new data in pending_flight. */ 345 if (ssl_write_buffer_is_pending(ssl)) { 346 int ret = ssl_write_buffer_flush(ssl); 347 if (ret <= 0) { 348 ssl->rwstate = SSL_WRITING; 349 return ret; 350 } 351 } 352 353 /* Write the pending flight. */ 354 while (ssl->s3->pending_flight_offset < ssl->s3->pending_flight->length) { 355 int ret = BIO_write( 356 ssl->wbio, 357 ssl->s3->pending_flight->data + ssl->s3->pending_flight_offset, 358 ssl->s3->pending_flight->length - ssl->s3->pending_flight_offset); 359 if (ret <= 0) { 360 ssl->rwstate = SSL_WRITING; 361 return ret; 362 } 363 364 ssl->s3->pending_flight_offset += ret; 365 } 366 367 if (BIO_flush(ssl->wbio) <= 0) { 368 ssl->rwstate = SSL_WRITING; 369 return -1; 370 } 371 372 BUF_MEM_free(ssl->s3->pending_flight); 373 ssl->s3->pending_flight = NULL; 374 ssl->s3->pending_flight_offset = 0; 375 return 1; 376 } 377 378 int ssl3_send_finished(SSL_HANDSHAKE *hs) { 379 SSL *const ssl = hs->ssl; 380 const SSL_SESSION *session = SSL_get_session(ssl); 381 382 uint8_t finished[EVP_MAX_MD_SIZE]; 383 size_t finished_len; 384 if (!SSL_TRANSCRIPT_finish_mac(&hs->transcript, finished, &finished_len, 385 session, ssl->server, 386 ssl3_protocol_version(ssl))) { 387 return 0; 388 } 389 390 /* Log the master secret, if logging is enabled. */ 391 if (!ssl_log_secret(ssl, "CLIENT_RANDOM", 392 session->master_key, 393 session->master_key_length)) { 394 return 0; 395 } 396 397 /* Copy the Finished so we can use it for renegotiation checks. */ 398 if (ssl->version != SSL3_VERSION) { 399 if (finished_len > sizeof(ssl->s3->previous_client_finished) || 400 finished_len > sizeof(ssl->s3->previous_server_finished)) { 401 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); 402 return -1; 403 } 404 405 if (ssl->server) { 406 OPENSSL_memcpy(ssl->s3->previous_server_finished, finished, finished_len); 407 ssl->s3->previous_server_finished_len = finished_len; 408 } else { 409 OPENSSL_memcpy(ssl->s3->previous_client_finished, finished, finished_len); 410 ssl->s3->previous_client_finished_len = finished_len; 411 } 412 } 413 414 CBB cbb, body; 415 if (!ssl->method->init_message(ssl, &cbb, &body, SSL3_MT_FINISHED) || 416 !CBB_add_bytes(&body, finished, finished_len) || 417 !ssl_add_message_cbb(ssl, &cbb)) { 418 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); 419 CBB_cleanup(&cbb); 420 return -1; 421 } 422 423 return 1; 424 } 425 426 int ssl3_get_finished(SSL_HANDSHAKE *hs) { 427 SSL *const ssl = hs->ssl; 428 int ret = ssl->method->ssl_get_message(ssl); 429 if (ret <= 0) { 430 return ret; 431 } 432 433 if (!ssl_check_message_type(ssl, SSL3_MT_FINISHED)) { 434 return -1; 435 } 436 437 /* Snapshot the finished hash before incorporating the new message. */ 438 uint8_t finished[EVP_MAX_MD_SIZE]; 439 size_t finished_len; 440 if (!SSL_TRANSCRIPT_finish_mac(&hs->transcript, finished, &finished_len, 441 SSL_get_session(ssl), !ssl->server, 442 ssl3_protocol_version(ssl)) || 443 !ssl_hash_current_message(hs)) { 444 return -1; 445 } 446 447 int finished_ok = ssl->init_num == finished_len && 448 CRYPTO_memcmp(ssl->init_msg, finished, finished_len) == 0; 449 #if defined(BORINGSSL_UNSAFE_FUZZER_MODE) 450 finished_ok = 1; 451 #endif 452 if (!finished_ok) { 453 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECRYPT_ERROR); 454 OPENSSL_PUT_ERROR(SSL, SSL_R_DIGEST_CHECK_FAILED); 455 return -1; 456 } 457 458 /* Copy the Finished so we can use it for renegotiation checks. */ 459 if (ssl->version != SSL3_VERSION) { 460 if (finished_len > sizeof(ssl->s3->previous_client_finished) || 461 finished_len > sizeof(ssl->s3->previous_server_finished)) { 462 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); 463 return -1; 464 } 465 466 if (ssl->server) { 467 OPENSSL_memcpy(ssl->s3->previous_client_finished, finished, finished_len); 468 ssl->s3->previous_client_finished_len = finished_len; 469 } else { 470 OPENSSL_memcpy(ssl->s3->previous_server_finished, finished, finished_len); 471 ssl->s3->previous_server_finished_len = finished_len; 472 } 473 } 474 475 return 1; 476 } 477 478 int ssl3_output_cert_chain(SSL *ssl) { 479 CBB cbb, body; 480 if (!ssl->method->init_message(ssl, &cbb, &body, SSL3_MT_CERTIFICATE) || 481 !ssl_add_cert_chain(ssl, &body) || 482 !ssl_add_message_cbb(ssl, &cbb)) { 483 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); 484 CBB_cleanup(&cbb); 485 return 0; 486 } 487 488 return 1; 489 } 490 491 size_t ssl_max_handshake_message_len(const SSL *ssl) { 492 /* kMaxMessageLen is the default maximum message size for handshakes which do 493 * not accept peer certificate chains. */ 494 static const size_t kMaxMessageLen = 16384; 495 496 if (SSL_in_init(ssl)) { 497 if ((!ssl->server || (ssl->verify_mode & SSL_VERIFY_PEER)) && 498 kMaxMessageLen < ssl->max_cert_list) { 499 return ssl->max_cert_list; 500 } 501 return kMaxMessageLen; 502 } 503 504 if (ssl3_protocol_version(ssl) < TLS1_3_VERSION) { 505 /* In TLS 1.2 and below, the largest acceptable post-handshake message is 506 * a HelloRequest. */ 507 return 0; 508 } 509 510 if (ssl->server) { 511 /* The largest acceptable post-handshake message for a server is a 512 * KeyUpdate. We will never initiate post-handshake auth. */ 513 return 1; 514 } 515 516 /* Clients must accept NewSessionTicket and CertificateRequest, so allow the 517 * default size. */ 518 return kMaxMessageLen; 519 } 520 521 static int extend_handshake_buffer(SSL *ssl, size_t length) { 522 if (!BUF_MEM_reserve(ssl->init_buf, length)) { 523 return -1; 524 } 525 while (ssl->init_buf->length < length) { 526 int ret = ssl3_read_handshake_bytes( 527 ssl, (uint8_t *)ssl->init_buf->data + ssl->init_buf->length, 528 length - ssl->init_buf->length); 529 if (ret <= 0) { 530 return ret; 531 } 532 ssl->init_buf->length += (size_t)ret; 533 } 534 return 1; 535 } 536 537 static int read_v2_client_hello(SSL *ssl) { 538 /* Read the first 5 bytes, the size of the TLS record header. This is 539 * sufficient to detect a V2ClientHello and ensures that we never read beyond 540 * the first record. */ 541 int ret = ssl_read_buffer_extend_to(ssl, SSL3_RT_HEADER_LENGTH); 542 if (ret <= 0) { 543 return ret; 544 } 545 const uint8_t *p = ssl_read_buffer(ssl); 546 547 /* Some dedicated error codes for protocol mixups should the application wish 548 * to interpret them differently. (These do not overlap with ClientHello or 549 * V2ClientHello.) */ 550 if (strncmp("GET ", (const char *)p, 4) == 0 || 551 strncmp("POST ", (const char *)p, 5) == 0 || 552 strncmp("HEAD ", (const char *)p, 5) == 0 || 553 strncmp("PUT ", (const char *)p, 4) == 0) { 554 OPENSSL_PUT_ERROR(SSL, SSL_R_HTTP_REQUEST); 555 return -1; 556 } 557 if (strncmp("CONNE", (const char *)p, 5) == 0) { 558 OPENSSL_PUT_ERROR(SSL, SSL_R_HTTPS_PROXY_REQUEST); 559 return -1; 560 } 561 562 if ((p[0] & 0x80) == 0 || p[2] != SSL2_MT_CLIENT_HELLO || 563 p[3] != SSL3_VERSION_MAJOR) { 564 /* Not a V2ClientHello. */ 565 return 1; 566 } 567 568 /* Determine the length of the V2ClientHello. */ 569 size_t msg_length = ((p[0] & 0x7f) << 8) | p[1]; 570 if (msg_length > (1024 * 4)) { 571 OPENSSL_PUT_ERROR(SSL, SSL_R_RECORD_TOO_LARGE); 572 return -1; 573 } 574 if (msg_length < SSL3_RT_HEADER_LENGTH - 2) { 575 /* Reject lengths that are too short early. We have already read 576 * |SSL3_RT_HEADER_LENGTH| bytes, so we should not attempt to process an 577 * (invalid) V2ClientHello which would be shorter than that. */ 578 OPENSSL_PUT_ERROR(SSL, SSL_R_RECORD_LENGTH_MISMATCH); 579 return -1; 580 } 581 582 /* Read the remainder of the V2ClientHello. */ 583 ret = ssl_read_buffer_extend_to(ssl, 2 + msg_length); 584 if (ret <= 0) { 585 return ret; 586 } 587 588 CBS v2_client_hello; 589 CBS_init(&v2_client_hello, ssl_read_buffer(ssl) + 2, msg_length); 590 591 /* The V2ClientHello without the length is incorporated into the handshake 592 * hash. This is only ever called at the start of the handshake, so hs is 593 * guaranteed to be non-NULL. */ 594 if (!SSL_TRANSCRIPT_update(&ssl->s3->hs->transcript, 595 CBS_data(&v2_client_hello), 596 CBS_len(&v2_client_hello))) { 597 return -1; 598 } 599 600 ssl_do_msg_callback(ssl, 0 /* read */, 0 /* V2ClientHello */, 601 CBS_data(&v2_client_hello), CBS_len(&v2_client_hello)); 602 603 uint8_t msg_type; 604 uint16_t version, cipher_spec_length, session_id_length, challenge_length; 605 CBS cipher_specs, session_id, challenge; 606 if (!CBS_get_u8(&v2_client_hello, &msg_type) || 607 !CBS_get_u16(&v2_client_hello, &version) || 608 !CBS_get_u16(&v2_client_hello, &cipher_spec_length) || 609 !CBS_get_u16(&v2_client_hello, &session_id_length) || 610 !CBS_get_u16(&v2_client_hello, &challenge_length) || 611 !CBS_get_bytes(&v2_client_hello, &cipher_specs, cipher_spec_length) || 612 !CBS_get_bytes(&v2_client_hello, &session_id, session_id_length) || 613 !CBS_get_bytes(&v2_client_hello, &challenge, challenge_length) || 614 CBS_len(&v2_client_hello) != 0) { 615 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR); 616 return -1; 617 } 618 619 /* msg_type has already been checked. */ 620 assert(msg_type == SSL2_MT_CLIENT_HELLO); 621 622 /* The client_random is the V2ClientHello challenge. Truncate or 623 * left-pad with zeros as needed. */ 624 size_t rand_len = CBS_len(&challenge); 625 if (rand_len > SSL3_RANDOM_SIZE) { 626 rand_len = SSL3_RANDOM_SIZE; 627 } 628 uint8_t random[SSL3_RANDOM_SIZE]; 629 OPENSSL_memset(random, 0, SSL3_RANDOM_SIZE); 630 OPENSSL_memcpy(random + (SSL3_RANDOM_SIZE - rand_len), CBS_data(&challenge), 631 rand_len); 632 633 /* Write out an equivalent SSLv3 ClientHello. */ 634 size_t max_v3_client_hello = SSL3_HM_HEADER_LENGTH + 2 /* version */ + 635 SSL3_RANDOM_SIZE + 1 /* session ID length */ + 636 2 /* cipher list length */ + 637 CBS_len(&cipher_specs) / 3 * 2 + 638 1 /* compression length */ + 1 /* compression */; 639 CBB client_hello, hello_body, cipher_suites; 640 CBB_zero(&client_hello); 641 if (!BUF_MEM_reserve(ssl->init_buf, max_v3_client_hello) || 642 !CBB_init_fixed(&client_hello, (uint8_t *)ssl->init_buf->data, 643 ssl->init_buf->max) || 644 !CBB_add_u8(&client_hello, SSL3_MT_CLIENT_HELLO) || 645 !CBB_add_u24_length_prefixed(&client_hello, &hello_body) || 646 !CBB_add_u16(&hello_body, version) || 647 !CBB_add_bytes(&hello_body, random, SSL3_RANDOM_SIZE) || 648 /* No session id. */ 649 !CBB_add_u8(&hello_body, 0) || 650 !CBB_add_u16_length_prefixed(&hello_body, &cipher_suites)) { 651 CBB_cleanup(&client_hello); 652 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); 653 return -1; 654 } 655 656 /* Copy the cipher suites. */ 657 while (CBS_len(&cipher_specs) > 0) { 658 uint32_t cipher_spec; 659 if (!CBS_get_u24(&cipher_specs, &cipher_spec)) { 660 CBB_cleanup(&client_hello); 661 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR); 662 return -1; 663 } 664 665 /* Skip SSLv2 ciphers. */ 666 if ((cipher_spec & 0xff0000) != 0) { 667 continue; 668 } 669 if (!CBB_add_u16(&cipher_suites, cipher_spec)) { 670 CBB_cleanup(&client_hello); 671 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); 672 return -1; 673 } 674 } 675 676 /* Add the null compression scheme and finish. */ 677 if (!CBB_add_u8(&hello_body, 1) || !CBB_add_u8(&hello_body, 0) || 678 !CBB_finish(&client_hello, NULL, &ssl->init_buf->length)) { 679 CBB_cleanup(&client_hello); 680 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); 681 return -1; 682 } 683 684 /* Consume and discard the V2ClientHello. */ 685 ssl_read_buffer_consume(ssl, 2 + msg_length); 686 ssl_read_buffer_discard(ssl); 687 688 ssl->s3->is_v2_hello = 1; 689 return 1; 690 } 691 692 int ssl3_get_message(SSL *ssl) { 693 /* Re-create the handshake buffer if needed. */ 694 if (ssl->init_buf == NULL) { 695 ssl->init_buf = BUF_MEM_new(); 696 if (ssl->init_buf == NULL) { 697 return -1; 698 } 699 } 700 701 if (ssl->server && !ssl->s3->v2_hello_done) { 702 /* Bypass the record layer for the first message to handle V2ClientHello. */ 703 int ret = read_v2_client_hello(ssl); 704 if (ret <= 0) { 705 return ret; 706 } 707 ssl->s3->v2_hello_done = 1; 708 } 709 710 if (ssl->s3->tmp.reuse_message) { 711 /* There must be a current message. */ 712 assert(ssl->init_msg != NULL); 713 ssl->s3->tmp.reuse_message = 0; 714 } else { 715 ssl3_release_current_message(ssl, 0 /* don't free buffer */); 716 } 717 718 /* Read the message header, if we haven't yet. */ 719 int ret = extend_handshake_buffer(ssl, SSL3_HM_HEADER_LENGTH); 720 if (ret <= 0) { 721 return ret; 722 } 723 724 /* Parse out the length. Cap it so the peer cannot force us to buffer up to 725 * 2^24 bytes. */ 726 const uint8_t *p = (uint8_t *)ssl->init_buf->data; 727 size_t msg_len = (((uint32_t)p[1]) << 16) | (((uint32_t)p[2]) << 8) | p[3]; 728 if (msg_len > ssl_max_handshake_message_len(ssl)) { 729 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER); 730 OPENSSL_PUT_ERROR(SSL, SSL_R_EXCESSIVE_MESSAGE_SIZE); 731 return -1; 732 } 733 734 /* Read the message body, if we haven't yet. */ 735 ret = extend_handshake_buffer(ssl, SSL3_HM_HEADER_LENGTH + msg_len); 736 if (ret <= 0) { 737 return ret; 738 } 739 740 /* We have now received a complete message. */ 741 ssl_do_msg_callback(ssl, 0 /* read */, SSL3_RT_HANDSHAKE, ssl->init_buf->data, 742 ssl->init_buf->length); 743 744 ssl->s3->tmp.message_type = ((const uint8_t *)ssl->init_buf->data)[0]; 745 ssl->init_msg = (uint8_t*)ssl->init_buf->data + SSL3_HM_HEADER_LENGTH; 746 ssl->init_num = ssl->init_buf->length - SSL3_HM_HEADER_LENGTH; 747 return 1; 748 } 749 750 void ssl3_get_current_message(const SSL *ssl, CBS *out) { 751 CBS_init(out, (uint8_t *)ssl->init_buf->data, ssl->init_buf->length); 752 } 753 754 int ssl_hash_current_message(SSL_HANDSHAKE *hs) { 755 /* V2ClientHellos are hashed implicitly. */ 756 if (hs->ssl->s3->is_v2_hello) { 757 return 1; 758 } 759 760 CBS cbs; 761 hs->ssl->method->get_current_message(hs->ssl, &cbs); 762 return SSL_TRANSCRIPT_update(&hs->transcript, CBS_data(&cbs), CBS_len(&cbs)); 763 } 764 765 void ssl3_release_current_message(SSL *ssl, int free_buffer) { 766 if (ssl->init_msg != NULL) { 767 /* |init_buf| never contains data beyond the current message. */ 768 assert(SSL3_HM_HEADER_LENGTH + ssl->init_num == ssl->init_buf->length); 769 770 /* Clear the current message. */ 771 ssl->init_msg = NULL; 772 ssl->init_num = 0; 773 ssl->init_buf->length = 0; 774 ssl->s3->is_v2_hello = 0; 775 } 776 777 if (free_buffer) { 778 BUF_MEM_free(ssl->init_buf); 779 ssl->init_buf = NULL; 780 } 781 } 782 783 int ssl_parse_extensions(const CBS *cbs, uint8_t *out_alert, 784 const SSL_EXTENSION_TYPE *ext_types, 785 size_t num_ext_types, int ignore_unknown) { 786 /* Reset everything. */ 787 for (size_t i = 0; i < num_ext_types; i++) { 788 *ext_types[i].out_present = 0; 789 CBS_init(ext_types[i].out_data, NULL, 0); 790 } 791 792 CBS copy = *cbs; 793 while (CBS_len(©) != 0) { 794 uint16_t type; 795 CBS data; 796 if (!CBS_get_u16(©, &type) || 797 !CBS_get_u16_length_prefixed(©, &data)) { 798 OPENSSL_PUT_ERROR(SSL, SSL_R_PARSE_TLSEXT); 799 *out_alert = SSL_AD_DECODE_ERROR; 800 return 0; 801 } 802 803 const SSL_EXTENSION_TYPE *ext_type = NULL; 804 for (size_t i = 0; i < num_ext_types; i++) { 805 if (type == ext_types[i].type) { 806 ext_type = &ext_types[i]; 807 break; 808 } 809 } 810 811 if (ext_type == NULL) { 812 if (ignore_unknown) { 813 continue; 814 } 815 OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION); 816 *out_alert = SSL_AD_UNSUPPORTED_EXTENSION; 817 return 0; 818 } 819 820 /* Duplicate ext_types are forbidden. */ 821 if (*ext_type->out_present) { 822 OPENSSL_PUT_ERROR(SSL, SSL_R_DUPLICATE_EXTENSION); 823 *out_alert = SSL_AD_ILLEGAL_PARAMETER; 824 return 0; 825 } 826 827 *ext_type->out_present = 1; 828 *ext_type->out_data = data; 829 } 830 831 return 1; 832 } 833