1 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
2 * All rights reserved.
3 *
4 * This package is an SSL implementation written
5 * by Eric Young (eay@cryptsoft.com).
6 * The implementation was written so as to conform with Netscapes SSL.
7 *
8 * This library is free for commercial and non-commercial use as long as
9 * the following conditions are aheared to. The following conditions
10 * apply to all code found in this distribution, be it the RC4, RSA,
11 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
12 * included with this distribution is covered by the same copyright terms
13 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
14 *
15 * Copyright remains Eric Young's, and as such any Copyright notices in
16 * the code are not to be removed.
17 * If this package is used in a product, Eric Young should be given attribution
18 * as the author of the parts of the library used.
19 * This can be in the form of a textual message at program startup or
20 * in documentation (online or textual) provided with the package.
21 *
22 * Redistribution and use in source and binary forms, with or without
23 * modification, are permitted provided that the following conditions
24 * are met:
25 * 1. Redistributions of source code must retain the copyright
26 * notice, this list of conditions and the following disclaimer.
27 * 2. Redistributions in binary form must reproduce the above copyright
28 * notice, this list of conditions and the following disclaimer in the
29 * documentation and/or other materials provided with the distribution.
30 * 3. All advertising materials mentioning features or use of this software
31 * must display the following acknowledgement:
32 * "This product includes cryptographic software written by
33 * Eric Young (eay@cryptsoft.com)"
34 * The word 'cryptographic' can be left out if the rouines from the library
35 * being used are not cryptographic related :-).
36 * 4. If you include any Windows specific code (or a derivative thereof) from
37 * the apps directory (application code) you must include an acknowledgement:
38 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
39 *
40 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
41 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
43 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
44 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
45 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
46 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
48 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
49 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
50 * SUCH DAMAGE.
51 *
52 * The licence and distribution terms for any publically available version or
53 * derivative of this code cannot be changed. i.e. this code cannot simply be
54 * copied and put under another distribution licence
55 * [including the GNU Public Licence.]
56 */
57 /* ====================================================================
58 * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved.
59 *
60 * Redistribution and use in source and binary forms, with or without
61 * modification, are permitted provided that the following conditions
62 * are met:
63 *
64 * 1. Redistributions of source code must retain the above copyright
65 * notice, this list of conditions and the following disclaimer.
66 *
67 * 2. Redistributions in binary form must reproduce the above copyright
68 * notice, this list of conditions and the following disclaimer in
69 * the documentation and/or other materials provided with the
70 * distribution.
71 *
72 * 3. All advertising materials mentioning features or use of this
73 * software must display the following acknowledgment:
74 * "This product includes software developed by the OpenSSL Project
75 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
76 *
77 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
78 * endorse or promote products derived from this software without
79 * prior written permission. For written permission, please contact
80 * openssl-core@openssl.org.
81 *
82 * 5. Products derived from this software may not be called "OpenSSL"
83 * nor may "OpenSSL" appear in their names without prior written
84 * permission of the OpenSSL Project.
85 *
86 * 6. Redistributions of any form whatsoever must retain the following
87 * acknowledgment:
88 * "This product includes software developed by the OpenSSL Project
89 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
90 *
91 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
92 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
93 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
94 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
95 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
96 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
97 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
98 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
99 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
100 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
101 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
102 * OF THE POSSIBILITY OF SUCH DAMAGE.
103 * ====================================================================
104 *
105 * This product includes cryptographic software written by Eric Young
106 * (eay@cryptsoft.com). This product includes software written by Tim
107 * Hudson (tjh@cryptsoft.com). */
108 /* ====================================================================
109 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
110 * ECC cipher suite support in OpenSSL originally developed by
111 * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project. */
112
113 #include <openssl/ssl.h>
114
115 #include <assert.h>
116 #include <limits.h>
117 #include <string.h>
118
119 #include <openssl/buf.h>
120 #include <openssl/bytestring.h>
121 #include <openssl/err.h>
122 #include <openssl/evp.h>
123 #include <openssl/mem.h>
124 #include <openssl/md5.h>
125 #include <openssl/nid.h>
126 #include <openssl/rand.h>
127 #include <openssl/sha.h>
128
129 #include "../crypto/internal.h"
130 #include "internal.h"
131
132
133 namespace bssl {
134
add_record_to_flight(SSL * ssl,uint8_t type,Span<const uint8_t> in)135 static bool add_record_to_flight(SSL *ssl, uint8_t type,
136 Span<const uint8_t> in) {
137 // We'll never add a flight while in the process of writing it out.
138 assert(ssl->s3->pending_flight_offset == 0);
139
140 if (ssl->s3->pending_flight == nullptr) {
141 ssl->s3->pending_flight.reset(BUF_MEM_new());
142 if (ssl->s3->pending_flight == nullptr) {
143 return false;
144 }
145 }
146
147 size_t max_out = in.size() + SSL_max_seal_overhead(ssl);
148 size_t new_cap = ssl->s3->pending_flight->length + max_out;
149 if (max_out < in.size() || new_cap < max_out) {
150 OPENSSL_PUT_ERROR(SSL, ERR_R_OVERFLOW);
151 return false;
152 }
153
154 size_t len;
155 if (!BUF_MEM_reserve(ssl->s3->pending_flight.get(), new_cap) ||
156 !tls_seal_record(ssl,
157 (uint8_t *)ssl->s3->pending_flight->data +
158 ssl->s3->pending_flight->length,
159 &len, max_out, type, in.data(), in.size())) {
160 return false;
161 }
162
163 ssl->s3->pending_flight->length += len;
164 return true;
165 }
166
ssl3_init_message(SSL * ssl,CBB * cbb,CBB * body,uint8_t type)167 bool ssl3_init_message(SSL *ssl, CBB *cbb, CBB *body, uint8_t type) {
168 // Pick a modest size hint to save most of the |realloc| calls.
169 if (!CBB_init(cbb, 64) ||
170 !CBB_add_u8(cbb, type) ||
171 !CBB_add_u24_length_prefixed(cbb, body)) {
172 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
173 CBB_cleanup(cbb);
174 return false;
175 }
176
177 return true;
178 }
179
ssl3_finish_message(SSL * ssl,CBB * cbb,Array<uint8_t> * out_msg)180 bool ssl3_finish_message(SSL *ssl, CBB *cbb, Array<uint8_t> *out_msg) {
181 return CBBFinishArray(cbb, out_msg);
182 }
183
ssl3_add_message(SSL * ssl,Array<uint8_t> msg)184 bool ssl3_add_message(SSL *ssl, Array<uint8_t> msg) {
185 // Add the message to the current flight, splitting into several records if
186 // needed.
187 Span<const uint8_t> rest = msg;
188 do {
189 Span<const uint8_t> chunk = rest.subspan(0, ssl->max_send_fragment);
190 rest = rest.subspan(chunk.size());
191
192 if (!add_record_to_flight(ssl, SSL3_RT_HANDSHAKE, chunk)) {
193 return false;
194 }
195 } while (!rest.empty());
196
197 ssl_do_msg_callback(ssl, 1 /* write */, SSL3_RT_HANDSHAKE, msg);
198 // TODO(svaldez): Move this up a layer to fix abstraction for SSLTranscript on
199 // hs.
200 if (ssl->s3->hs != NULL &&
201 !ssl->s3->hs->transcript.Update(msg)) {
202 return false;
203 }
204 return true;
205 }
206
ssl3_add_change_cipher_spec(SSL * ssl)207 bool ssl3_add_change_cipher_spec(SSL *ssl) {
208 static const uint8_t kChangeCipherSpec[1] = {SSL3_MT_CCS};
209
210 if (!add_record_to_flight(ssl, SSL3_RT_CHANGE_CIPHER_SPEC,
211 kChangeCipherSpec)) {
212 return false;
213 }
214
215 ssl_do_msg_callback(ssl, 1 /* write */, SSL3_RT_CHANGE_CIPHER_SPEC,
216 kChangeCipherSpec);
217 return true;
218 }
219
ssl3_add_alert(SSL * ssl,uint8_t level,uint8_t desc)220 bool ssl3_add_alert(SSL *ssl, uint8_t level, uint8_t desc) {
221 uint8_t alert[2] = {level, desc};
222 if (!add_record_to_flight(ssl, SSL3_RT_ALERT, alert)) {
223 return false;
224 }
225
226 ssl_do_msg_callback(ssl, 1 /* write */, SSL3_RT_ALERT, alert);
227 ssl_do_info_callback(ssl, SSL_CB_WRITE_ALERT, ((int)level << 8) | desc);
228 return true;
229 }
230
ssl3_flush_flight(SSL * ssl)231 int ssl3_flush_flight(SSL *ssl) {
232 if (ssl->s3->pending_flight == nullptr) {
233 return 1;
234 }
235
236 if (ssl->s3->write_shutdown != ssl_shutdown_none) {
237 OPENSSL_PUT_ERROR(SSL, SSL_R_PROTOCOL_IS_SHUTDOWN);
238 return -1;
239 }
240
241 if (ssl->s3->pending_flight->length > 0xffffffff ||
242 ssl->s3->pending_flight->length > INT_MAX) {
243 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
244 return -1;
245 }
246
247 // If there is pending data in the write buffer, it must be flushed out before
248 // any new data in pending_flight.
249 if (!ssl->s3->write_buffer.empty()) {
250 int ret = ssl_write_buffer_flush(ssl);
251 if (ret <= 0) {
252 ssl->s3->rwstate = SSL_WRITING;
253 return ret;
254 }
255 }
256
257 // Write the pending flight.
258 while (ssl->s3->pending_flight_offset < ssl->s3->pending_flight->length) {
259 int ret = BIO_write(
260 ssl->wbio,
261 ssl->s3->pending_flight->data + ssl->s3->pending_flight_offset,
262 ssl->s3->pending_flight->length - ssl->s3->pending_flight_offset);
263 if (ret <= 0) {
264 ssl->s3->rwstate = SSL_WRITING;
265 return ret;
266 }
267
268 ssl->s3->pending_flight_offset += ret;
269 }
270
271 if (BIO_flush(ssl->wbio) <= 0) {
272 ssl->s3->rwstate = SSL_WRITING;
273 return -1;
274 }
275
276 ssl->s3->pending_flight.reset();
277 ssl->s3->pending_flight_offset = 0;
278 return 1;
279 }
280
read_v2_client_hello(SSL * ssl,size_t * out_consumed,Span<const uint8_t> in)281 static ssl_open_record_t read_v2_client_hello(SSL *ssl, size_t *out_consumed,
282 Span<const uint8_t> in) {
283 *out_consumed = 0;
284 assert(in.size() >= SSL3_RT_HEADER_LENGTH);
285 // Determine the length of the V2ClientHello.
286 size_t msg_length = ((in[0] & 0x7f) << 8) | in[1];
287 if (msg_length > (1024 * 4)) {
288 OPENSSL_PUT_ERROR(SSL, SSL_R_RECORD_TOO_LARGE);
289 return ssl_open_record_error;
290 }
291 if (msg_length < SSL3_RT_HEADER_LENGTH - 2) {
292 // Reject lengths that are too short early. We have already read
293 // |SSL3_RT_HEADER_LENGTH| bytes, so we should not attempt to process an
294 // (invalid) V2ClientHello which would be shorter than that.
295 OPENSSL_PUT_ERROR(SSL, SSL_R_RECORD_LENGTH_MISMATCH);
296 return ssl_open_record_error;
297 }
298
299 // Ask for the remainder of the V2ClientHello.
300 if (in.size() < 2 + msg_length) {
301 *out_consumed = 2 + msg_length;
302 return ssl_open_record_partial;
303 }
304
305 CBS v2_client_hello = CBS(ssl->s3->read_buffer.span().subspan(2, msg_length));
306 // The V2ClientHello without the length is incorporated into the handshake
307 // hash. This is only ever called at the start of the handshake, so hs is
308 // guaranteed to be non-NULL.
309 if (!ssl->s3->hs->transcript.Update(v2_client_hello)) {
310 return ssl_open_record_error;
311 }
312
313 ssl_do_msg_callback(ssl, 0 /* read */, 0 /* V2ClientHello */,
314 v2_client_hello);
315
316 uint8_t msg_type;
317 uint16_t version, cipher_spec_length, session_id_length, challenge_length;
318 CBS cipher_specs, session_id, challenge;
319 if (!CBS_get_u8(&v2_client_hello, &msg_type) ||
320 !CBS_get_u16(&v2_client_hello, &version) ||
321 !CBS_get_u16(&v2_client_hello, &cipher_spec_length) ||
322 !CBS_get_u16(&v2_client_hello, &session_id_length) ||
323 !CBS_get_u16(&v2_client_hello, &challenge_length) ||
324 !CBS_get_bytes(&v2_client_hello, &cipher_specs, cipher_spec_length) ||
325 !CBS_get_bytes(&v2_client_hello, &session_id, session_id_length) ||
326 !CBS_get_bytes(&v2_client_hello, &challenge, challenge_length) ||
327 CBS_len(&v2_client_hello) != 0) {
328 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
329 return ssl_open_record_error;
330 }
331
332 // msg_type has already been checked.
333 assert(msg_type == SSL2_MT_CLIENT_HELLO);
334
335 // The client_random is the V2ClientHello challenge. Truncate or left-pad with
336 // zeros as needed.
337 size_t rand_len = CBS_len(&challenge);
338 if (rand_len > SSL3_RANDOM_SIZE) {
339 rand_len = SSL3_RANDOM_SIZE;
340 }
341 uint8_t random[SSL3_RANDOM_SIZE];
342 OPENSSL_memset(random, 0, SSL3_RANDOM_SIZE);
343 OPENSSL_memcpy(random + (SSL3_RANDOM_SIZE - rand_len), CBS_data(&challenge),
344 rand_len);
345
346 // Write out an equivalent SSLv3 ClientHello.
347 size_t max_v3_client_hello = SSL3_HM_HEADER_LENGTH + 2 /* version */ +
348 SSL3_RANDOM_SIZE + 1 /* session ID length */ +
349 2 /* cipher list length */ +
350 CBS_len(&cipher_specs) / 3 * 2 +
351 1 /* compression length */ + 1 /* compression */;
352 ScopedCBB client_hello;
353 CBB hello_body, cipher_suites;
354 if (!BUF_MEM_reserve(ssl->s3->hs_buf.get(), max_v3_client_hello) ||
355 !CBB_init_fixed(client_hello.get(), (uint8_t *)ssl->s3->hs_buf->data,
356 ssl->s3->hs_buf->max) ||
357 !CBB_add_u8(client_hello.get(), SSL3_MT_CLIENT_HELLO) ||
358 !CBB_add_u24_length_prefixed(client_hello.get(), &hello_body) ||
359 !CBB_add_u16(&hello_body, version) ||
360 !CBB_add_bytes(&hello_body, random, SSL3_RANDOM_SIZE) ||
361 // No session id.
362 !CBB_add_u8(&hello_body, 0) ||
363 !CBB_add_u16_length_prefixed(&hello_body, &cipher_suites)) {
364 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
365 return ssl_open_record_error;
366 }
367
368 // Copy the cipher suites.
369 while (CBS_len(&cipher_specs) > 0) {
370 uint32_t cipher_spec;
371 if (!CBS_get_u24(&cipher_specs, &cipher_spec)) {
372 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
373 return ssl_open_record_error;
374 }
375
376 // Skip SSLv2 ciphers.
377 if ((cipher_spec & 0xff0000) != 0) {
378 continue;
379 }
380 if (!CBB_add_u16(&cipher_suites, cipher_spec)) {
381 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
382 return ssl_open_record_error;
383 }
384 }
385
386 // Add the null compression scheme and finish.
387 if (!CBB_add_u8(&hello_body, 1) ||
388 !CBB_add_u8(&hello_body, 0) ||
389 !CBB_finish(client_hello.get(), NULL, &ssl->s3->hs_buf->length)) {
390 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
391 return ssl_open_record_error;
392 }
393
394 *out_consumed = 2 + msg_length;
395 ssl->s3->is_v2_hello = true;
396 return ssl_open_record_success;
397 }
398
parse_message(const SSL * ssl,SSLMessage * out,size_t * out_bytes_needed)399 static bool parse_message(const SSL *ssl, SSLMessage *out,
400 size_t *out_bytes_needed) {
401 if (!ssl->s3->hs_buf) {
402 *out_bytes_needed = 4;
403 return false;
404 }
405
406 CBS cbs;
407 uint32_t len;
408 CBS_init(&cbs, reinterpret_cast<const uint8_t *>(ssl->s3->hs_buf->data),
409 ssl->s3->hs_buf->length);
410 if (!CBS_get_u8(&cbs, &out->type) ||
411 !CBS_get_u24(&cbs, &len)) {
412 *out_bytes_needed = 4;
413 return false;
414 }
415
416 if (!CBS_get_bytes(&cbs, &out->body, len)) {
417 *out_bytes_needed = 4 + len;
418 return false;
419 }
420
421 CBS_init(&out->raw, reinterpret_cast<const uint8_t *>(ssl->s3->hs_buf->data),
422 4 + len);
423 out->is_v2_hello = ssl->s3->is_v2_hello;
424 return true;
425 }
426
ssl3_get_message(SSL * ssl,SSLMessage * out)427 bool ssl3_get_message(SSL *ssl, SSLMessage *out) {
428 size_t unused;
429 if (!parse_message(ssl, out, &unused)) {
430 return false;
431 }
432 if (!ssl->s3->has_message) {
433 if (!out->is_v2_hello) {
434 ssl_do_msg_callback(ssl, 0 /* read */, SSL3_RT_HANDSHAKE, out->raw);
435 }
436 ssl->s3->has_message = true;
437 }
438 return true;
439 }
440
tls_can_accept_handshake_data(const SSL * ssl,uint8_t * out_alert)441 bool tls_can_accept_handshake_data(const SSL *ssl, uint8_t *out_alert) {
442 // If there is a complete message, the caller must have consumed it first.
443 SSLMessage msg;
444 size_t bytes_needed;
445 if (parse_message(ssl, &msg, &bytes_needed)) {
446 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
447 *out_alert = SSL_AD_INTERNAL_ERROR;
448 return false;
449 }
450
451 // Enforce the limit so the peer cannot force us to buffer 16MB.
452 if (bytes_needed > 4 + ssl_max_handshake_message_len(ssl)) {
453 OPENSSL_PUT_ERROR(SSL, SSL_R_EXCESSIVE_MESSAGE_SIZE);
454 *out_alert = SSL_AD_ILLEGAL_PARAMETER;
455 return false;
456 }
457
458 return true;
459 }
460
tls_has_unprocessed_handshake_data(const SSL * ssl)461 bool tls_has_unprocessed_handshake_data(const SSL *ssl) {
462 size_t msg_len = 0;
463 if (ssl->s3->has_message) {
464 SSLMessage msg;
465 size_t unused;
466 if (parse_message(ssl, &msg, &unused)) {
467 msg_len = CBS_len(&msg.raw);
468 }
469 }
470
471 return ssl->s3->hs_buf && ssl->s3->hs_buf->length > msg_len;
472 }
473
ssl3_open_handshake(SSL * ssl,size_t * out_consumed,uint8_t * out_alert,Span<uint8_t> in)474 ssl_open_record_t ssl3_open_handshake(SSL *ssl, size_t *out_consumed,
475 uint8_t *out_alert, Span<uint8_t> in) {
476 *out_consumed = 0;
477 // Re-create the handshake buffer if needed.
478 if (!ssl->s3->hs_buf) {
479 ssl->s3->hs_buf.reset(BUF_MEM_new());
480 if (!ssl->s3->hs_buf) {
481 *out_alert = SSL_AD_INTERNAL_ERROR;
482 return ssl_open_record_error;
483 }
484 }
485
486 // Bypass the record layer for the first message to handle V2ClientHello.
487 if (ssl->server && !ssl->s3->v2_hello_done) {
488 // Ask for the first 5 bytes, the size of the TLS record header. This is
489 // sufficient to detect a V2ClientHello and ensures that we never read
490 // beyond the first record.
491 if (in.size() < SSL3_RT_HEADER_LENGTH) {
492 *out_consumed = SSL3_RT_HEADER_LENGTH;
493 return ssl_open_record_partial;
494 }
495
496 // Some dedicated error codes for protocol mixups should the application
497 // wish to interpret them differently. (These do not overlap with
498 // ClientHello or V2ClientHello.)
499 const char *str = reinterpret_cast<const char*>(in.data());
500 if (strncmp("GET ", str, 4) == 0 ||
501 strncmp("POST ", str, 5) == 0 ||
502 strncmp("HEAD ", str, 5) == 0 ||
503 strncmp("PUT ", str, 4) == 0) {
504 OPENSSL_PUT_ERROR(SSL, SSL_R_HTTP_REQUEST);
505 *out_alert = 0;
506 return ssl_open_record_error;
507 }
508 if (strncmp("CONNE", str, 5) == 0) {
509 OPENSSL_PUT_ERROR(SSL, SSL_R_HTTPS_PROXY_REQUEST);
510 *out_alert = 0;
511 return ssl_open_record_error;
512 }
513
514 // Check for a V2ClientHello.
515 if ((in[0] & 0x80) != 0 && in[2] == SSL2_MT_CLIENT_HELLO &&
516 in[3] == SSL3_VERSION_MAJOR) {
517 auto ret = read_v2_client_hello(ssl, out_consumed, in);
518 if (ret == ssl_open_record_error) {
519 *out_alert = 0;
520 } else if (ret == ssl_open_record_success) {
521 ssl->s3->v2_hello_done = true;
522 }
523 return ret;
524 }
525
526 ssl->s3->v2_hello_done = true;
527 }
528
529 uint8_t type;
530 Span<uint8_t> body;
531 auto ret = tls_open_record(ssl, &type, &body, out_consumed, out_alert, in);
532 if (ret != ssl_open_record_success) {
533 return ret;
534 }
535
536 // WatchGuard's TLS 1.3 interference bug is very distinctive: they drop the
537 // ServerHello and send the remaining encrypted application data records
538 // as-is. This manifests as an application data record when we expect
539 // handshake. Report a dedicated error code for this case.
540 if (!ssl->server && type == SSL3_RT_APPLICATION_DATA &&
541 ssl->s3->aead_read_ctx->is_null_cipher()) {
542 OPENSSL_PUT_ERROR(SSL, SSL_R_APPLICATION_DATA_INSTEAD_OF_HANDSHAKE);
543 *out_alert = SSL_AD_UNEXPECTED_MESSAGE;
544 return ssl_open_record_error;
545 }
546
547 if (type != SSL3_RT_HANDSHAKE) {
548 OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_RECORD);
549 *out_alert = SSL_AD_UNEXPECTED_MESSAGE;
550 return ssl_open_record_error;
551 }
552
553 // Append the entire handshake record to the buffer.
554 if (!BUF_MEM_append(ssl->s3->hs_buf.get(), body.data(), body.size())) {
555 *out_alert = SSL_AD_INTERNAL_ERROR;
556 return ssl_open_record_error;
557 }
558
559 return ssl_open_record_success;
560 }
561
ssl3_next_message(SSL * ssl)562 void ssl3_next_message(SSL *ssl) {
563 SSLMessage msg;
564 if (!ssl3_get_message(ssl, &msg) ||
565 !ssl->s3->hs_buf ||
566 ssl->s3->hs_buf->length < CBS_len(&msg.raw)) {
567 assert(0);
568 return;
569 }
570
571 OPENSSL_memmove(ssl->s3->hs_buf->data,
572 ssl->s3->hs_buf->data + CBS_len(&msg.raw),
573 ssl->s3->hs_buf->length - CBS_len(&msg.raw));
574 ssl->s3->hs_buf->length -= CBS_len(&msg.raw);
575 ssl->s3->is_v2_hello = false;
576 ssl->s3->has_message = false;
577
578 // Post-handshake messages are rare, so release the buffer after every
579 // message. During the handshake, |on_handshake_complete| will release it.
580 if (!SSL_in_init(ssl) && ssl->s3->hs_buf->length == 0) {
581 ssl->s3->hs_buf.reset();
582 }
583 }
584
585 } // namespace bssl
586