155714Skris/* ssl/s3_both.c */ 255714Skris/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 355714Skris * All rights reserved. 455714Skris * 555714Skris * This package is an SSL implementation written 655714Skris * by Eric Young (eay@cryptsoft.com). 755714Skris * The implementation was written so as to conform with Netscapes SSL. 8280304Sjkim * 955714Skris * This library is free for commercial and non-commercial use as long as 1055714Skris * the following conditions are aheared to. The following conditions 1155714Skris * apply to all code found in this distribution, be it the RC4, RSA, 1255714Skris * lhash, DES, etc., code; not just the SSL code. The SSL documentation 1355714Skris * included with this distribution is covered by the same copyright terms 1455714Skris * except that the holder is Tim Hudson (tjh@cryptsoft.com). 15280304Sjkim * 1655714Skris * Copyright remains Eric Young's, and as such any Copyright notices in 1755714Skris * the code are not to be removed. 1855714Skris * If this package is used in a product, Eric Young should be given attribution 1955714Skris * as the author of the parts of the library used. 2055714Skris * This can be in the form of a textual message at program startup or 2155714Skris * in documentation (online or textual) provided with the package. 22280304Sjkim * 2355714Skris * Redistribution and use in source and binary forms, with or without 2455714Skris * modification, are permitted provided that the following conditions 2555714Skris * are met: 2655714Skris * 1. Redistributions of source code must retain the copyright 2755714Skris * notice, this list of conditions and the following disclaimer. 2855714Skris * 2. Redistributions in binary form must reproduce the above copyright 2955714Skris * notice, this list of conditions and the following disclaimer in the 3055714Skris * documentation and/or other materials provided with the distribution. 3155714Skris * 3. All advertising materials mentioning features or use of this software 3255714Skris * must display the following acknowledgement: 3355714Skris * "This product includes cryptographic software written by 3455714Skris * Eric Young (eay@cryptsoft.com)" 3555714Skris * The word 'cryptographic' can be left out if the rouines from the library 3655714Skris * being used are not cryptographic related :-). 37280304Sjkim * 4. If you include any Windows specific code (or a derivative thereof) from 3855714Skris * the apps directory (application code) you must include an acknowledgement: 3955714Skris * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 40280304Sjkim * 4155714Skris * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 4255714Skris * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 4355714Skris * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 4455714Skris * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 4555714Skris * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 4655714Skris * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 4755714Skris * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 4855714Skris * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 4955714Skris * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 5055714Skris * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 5155714Skris * SUCH DAMAGE. 52280304Sjkim * 5355714Skris * The licence and distribution terms for any publically available version or 5455714Skris * derivative of this code cannot be changed. i.e. this code cannot simply be 5555714Skris * copied and put under another distribution licence 5655714Skris * [including the GNU Public Licence.] 5755714Skris */ 5859191Skris/* ==================================================================== 59100928Snectar * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved. 6059191Skris * 6159191Skris * Redistribution and use in source and binary forms, with or without 6259191Skris * modification, are permitted provided that the following conditions 6359191Skris * are met: 6459191Skris * 6559191Skris * 1. Redistributions of source code must retain the above copyright 66280304Sjkim * notice, this list of conditions and the following disclaimer. 6759191Skris * 6859191Skris * 2. Redistributions in binary form must reproduce the above copyright 6959191Skris * notice, this list of conditions and the following disclaimer in 7059191Skris * the documentation and/or other materials provided with the 7159191Skris * distribution. 7259191Skris * 7359191Skris * 3. All advertising materials mentioning features or use of this 7459191Skris * software must display the following acknowledgment: 7559191Skris * "This product includes software developed by the OpenSSL Project 7659191Skris * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 7759191Skris * 7859191Skris * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 7959191Skris * endorse or promote products derived from this software without 8059191Skris * prior written permission. For written permission, please contact 8159191Skris * openssl-core@openssl.org. 8259191Skris * 8359191Skris * 5. Products derived from this software may not be called "OpenSSL" 8459191Skris * nor may "OpenSSL" appear in their names without prior written 8559191Skris * permission of the OpenSSL Project. 8659191Skris * 8759191Skris * 6. Redistributions of any form whatsoever must retain the following 8859191Skris * acknowledgment: 8959191Skris * "This product includes software developed by the OpenSSL Project 9059191Skris * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 9159191Skris * 9259191Skris * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 9359191Skris * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 9459191Skris * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 9559191Skris * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 9659191Skris * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 9759191Skris * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 9859191Skris * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 9959191Skris * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 10059191Skris * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 10159191Skris * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 10259191Skris * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 10359191Skris * OF THE POSSIBILITY OF SUCH DAMAGE. 10459191Skris * ==================================================================== 10559191Skris * 10659191Skris * This product includes cryptographic software written by Eric Young 10759191Skris * (eay@cryptsoft.com). This product includes software written by Tim 10859191Skris * Hudson (tjh@cryptsoft.com). 10959191Skris * 11059191Skris */ 111160814Ssimon/* ==================================================================== 112160814Ssimon * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. 113280304Sjkim * ECC cipher suite support in OpenSSL originally developed by 114160814Ssimon * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project. 115160814Ssimon */ 11655714Skris 117109998Smarkm#include <limits.h> 11859191Skris#include <string.h> 11955714Skris#include <stdio.h> 120109998Smarkm#include "ssl_locl.h" 12155714Skris#include <openssl/buffer.h> 12255714Skris#include <openssl/rand.h> 12355714Skris#include <openssl/objects.h> 12455714Skris#include <openssl/evp.h> 12555714Skris#include <openssl/x509.h> 12655714Skris 127280304Sjkim/* 128280304Sjkim * send s->init_buf in records of type 'type' (SSL3_RT_HANDSHAKE or 129280304Sjkim * SSL3_RT_CHANGE_CIPHER_SPEC) 130280304Sjkim */ 13159191Skrisint ssl3_do_write(SSL *s, int type) 132280304Sjkim{ 133280304Sjkim int ret; 13459191Skris 135280304Sjkim ret = ssl3_write_bytes(s, type, &s->init_buf->data[s->init_off], 136280304Sjkim s->init_num); 137280304Sjkim if (ret < 0) 138280304Sjkim return (-1); 139280304Sjkim if (type == SSL3_RT_HANDSHAKE) 140280304Sjkim /* 141280304Sjkim * should not be done for 'Hello Request's, but in that case we'll 142280304Sjkim * ignore the result anyway 143280304Sjkim */ 144280304Sjkim ssl3_finish_mac(s, (unsigned char *)&s->init_buf->data[s->init_off], 145280304Sjkim ret); 14659191Skris 147280304Sjkim if (ret == s->init_num) { 148280304Sjkim if (s->msg_callback) 149280304Sjkim s->msg_callback(1, s->version, type, s->init_buf->data, 150280304Sjkim (size_t)(s->init_off + s->init_num), s, 151280304Sjkim s->msg_callback_arg); 152280304Sjkim return (1); 153280304Sjkim } 154280304Sjkim s->init_off += ret; 155280304Sjkim s->init_num -= ret; 156280304Sjkim return (0); 157280304Sjkim} 158280304Sjkim 15959191Skrisint ssl3_send_finished(SSL *s, int a, int b, const char *sender, int slen) 160280304Sjkim{ 161280304Sjkim unsigned char *p, *d; 162280304Sjkim int i; 163280304Sjkim unsigned long l; 16455714Skris 165280304Sjkim if (s->state == a) { 166280304Sjkim d = (unsigned char *)s->init_buf->data; 167280304Sjkim p = &(d[4]); 16855714Skris 169280304Sjkim i = s->method->ssl3_enc->final_finish_mac(s, 170280304Sjkim sender, slen, 171280304Sjkim s->s3->tmp.finish_md); 172284285Sjkim if (i <= 0) 173280304Sjkim return 0; 174280304Sjkim s->s3->tmp.finish_md_len = i; 175280304Sjkim memcpy(p, s->s3->tmp.finish_md, i); 176280304Sjkim p += i; 177280304Sjkim l = i; 17855714Skris 179280304Sjkim /* 180280304Sjkim * Copy the finished so we can use it for renegotiation checks 181280304Sjkim */ 182280304Sjkim if (s->type == SSL_ST_CONNECT) { 183280304Sjkim OPENSSL_assert(i <= EVP_MAX_MD_SIZE); 184280304Sjkim memcpy(s->s3->previous_client_finished, s->s3->tmp.finish_md, i); 185280304Sjkim s->s3->previous_client_finished_len = i; 186280304Sjkim } else { 187280304Sjkim OPENSSL_assert(i <= EVP_MAX_MD_SIZE); 188280304Sjkim memcpy(s->s3->previous_server_finished, s->s3->tmp.finish_md, i); 189280304Sjkim s->s3->previous_server_finished_len = i; 190280304Sjkim } 191205128Ssimon 192109998Smarkm#ifdef OPENSSL_SYS_WIN16 193280304Sjkim /* 194280304Sjkim * MSVC 1.5 does not clear the top bytes of the word unless I do 195280304Sjkim * this. 196280304Sjkim */ 197280304Sjkim l &= 0xffff; 19855714Skris#endif 19955714Skris 200280304Sjkim *(d++) = SSL3_MT_FINISHED; 201280304Sjkim l2n3(l, d); 202280304Sjkim s->init_num = (int)l + 4; 203280304Sjkim s->init_off = 0; 20455714Skris 205280304Sjkim s->state = b; 206280304Sjkim } 20755714Skris 208280304Sjkim /* SSL3_ST_SEND_xxxxxx_HELLO_B */ 209280304Sjkim return (ssl3_do_write(s, SSL3_RT_HANDSHAKE)); 210280304Sjkim} 21155714Skris 212238405Sjkim#ifndef OPENSSL_NO_NEXTPROTONEG 213280304Sjkim/* 214280304Sjkim * ssl3_take_mac calculates the Finished MAC for the handshakes messages seen 215280304Sjkim * to far. 216280304Sjkim */ 217246772Sjkimstatic void ssl3_take_mac(SSL *s) 218280304Sjkim{ 219280304Sjkim const char *sender; 220280304Sjkim int slen; 221280304Sjkim /* 222280304Sjkim * If no new cipher setup return immediately: other functions will set 223280304Sjkim * the appropriate error. 224280304Sjkim */ 225280304Sjkim if (s->s3->tmp.new_cipher == NULL) 226280304Sjkim return; 227280304Sjkim if (s->state & SSL_ST_CONNECT) { 228280304Sjkim sender = s->method->ssl3_enc->server_finished_label; 229280304Sjkim slen = s->method->ssl3_enc->server_finished_label_len; 230280304Sjkim } else { 231280304Sjkim sender = s->method->ssl3_enc->client_finished_label; 232280304Sjkim slen = s->method->ssl3_enc->client_finished_label_len; 233280304Sjkim } 234238405Sjkim 235280304Sjkim s->s3->tmp.peer_finish_md_len = s->method->ssl3_enc->final_finish_mac(s, 236280304Sjkim sender, 237280304Sjkim slen, 238280304Sjkim s->s3->tmp.peer_finish_md); 239280304Sjkim} 240238405Sjkim#endif 241238405Sjkim 24255714Skrisint ssl3_get_finished(SSL *s, int a, int b) 243280304Sjkim{ 244280304Sjkim int al, i, ok; 245280304Sjkim long n; 246280304Sjkim unsigned char *p; 24755714Skris 248238405Sjkim#ifdef OPENSSL_NO_NEXTPROTONEG 249280304Sjkim /* 250280304Sjkim * the mac has already been generated when we received the change cipher 251280304Sjkim * spec message and is in s->s3->tmp.peer_finish_md. 252280304Sjkim */ 253238405Sjkim#endif 25455714Skris 255280304Sjkim /* 64 argument should actually be 36+4 :-) */ 256280304Sjkim n = s->method->ssl_get_message(s, a, b, SSL3_MT_FINISHED, 64, &ok); 25755714Skris 258280304Sjkim if (!ok) 259280304Sjkim return ((int)n); 26055714Skris 261280304Sjkim /* If this occurs, we have missed a message */ 262280304Sjkim if (!s->s3->change_cipher_spec) { 263280304Sjkim al = SSL_AD_UNEXPECTED_MESSAGE; 264280304Sjkim SSLerr(SSL_F_SSL3_GET_FINISHED, SSL_R_GOT_A_FIN_BEFORE_A_CCS); 265280304Sjkim goto f_err; 266280304Sjkim } 267280304Sjkim s->s3->change_cipher_spec = 0; 26855714Skris 269280304Sjkim p = (unsigned char *)s->init_msg; 270280304Sjkim i = s->s3->tmp.peer_finish_md_len; 27155714Skris 272280304Sjkim if (i != n) { 273280304Sjkim al = SSL_AD_DECODE_ERROR; 274280304Sjkim SSLerr(SSL_F_SSL3_GET_FINISHED, SSL_R_BAD_DIGEST_LENGTH); 275280304Sjkim goto f_err; 276280304Sjkim } 27755714Skris 278280304Sjkim if (CRYPTO_memcmp(p, s->s3->tmp.peer_finish_md, i) != 0) { 279280304Sjkim al = SSL_AD_DECRYPT_ERROR; 280280304Sjkim SSLerr(SSL_F_SSL3_GET_FINISHED, SSL_R_DIGEST_CHECK_FAILED); 281280304Sjkim goto f_err; 282280304Sjkim } 28355714Skris 284280304Sjkim /* 285280304Sjkim * Copy the finished so we can use it for renegotiation checks 286280304Sjkim */ 287280304Sjkim if (s->type == SSL_ST_ACCEPT) { 288280304Sjkim OPENSSL_assert(i <= EVP_MAX_MD_SIZE); 289280304Sjkim memcpy(s->s3->previous_client_finished, s->s3->tmp.peer_finish_md, i); 290280304Sjkim s->s3->previous_client_finished_len = i; 291280304Sjkim } else { 292280304Sjkim OPENSSL_assert(i <= EVP_MAX_MD_SIZE); 293280304Sjkim memcpy(s->s3->previous_server_finished, s->s3->tmp.peer_finish_md, i); 294280304Sjkim s->s3->previous_server_finished_len = i; 295280304Sjkim } 296205128Ssimon 297280304Sjkim return (1); 298280304Sjkim f_err: 299280304Sjkim ssl3_send_alert(s, SSL3_AL_FATAL, al); 300280304Sjkim return (0); 301280304Sjkim} 30255714Skris 303280304Sjkim/*- 304280304Sjkim * for these 2 messages, we need to 305280304Sjkim * ssl->enc_read_ctx re-init 306280304Sjkim * ssl->s3->read_sequence zero 307280304Sjkim * ssl->s3->read_mac_secret re-init 308280304Sjkim * ssl->session->read_sym_enc assign 309280304Sjkim * ssl->session->read_compression assign 310280304Sjkim * ssl->session->read_hash assign 31155714Skris */ 31255714Skrisint ssl3_send_change_cipher_spec(SSL *s, int a, int b) 313280304Sjkim{ 314280304Sjkim unsigned char *p; 31555714Skris 316280304Sjkim if (s->state == a) { 317280304Sjkim p = (unsigned char *)s->init_buf->data; 318280304Sjkim *p = SSL3_MT_CCS; 319280304Sjkim s->init_num = 1; 320280304Sjkim s->init_off = 0; 32155714Skris 322280304Sjkim s->state = b; 323280304Sjkim } 32455714Skris 325280304Sjkim /* SSL3_ST_CW_CHANGE_B */ 326280304Sjkim return (ssl3_do_write(s, SSL3_RT_CHANGE_CIPHER_SPEC)); 327280304Sjkim} 32855714Skris 329205128Ssimonstatic int ssl3_add_cert_to_buf(BUF_MEM *buf, unsigned long *l, X509 *x) 330280304Sjkim{ 331280304Sjkim int n; 332280304Sjkim unsigned char *p; 333205128Ssimon 334280304Sjkim n = i2d_X509(x, NULL); 335280304Sjkim if (!BUF_MEM_grow_clean(buf, (int)(n + (*l) + 3))) { 336280304Sjkim SSLerr(SSL_F_SSL3_ADD_CERT_TO_BUF, ERR_R_BUF_LIB); 337280304Sjkim return (-1); 338280304Sjkim } 339280304Sjkim p = (unsigned char *)&(buf->data[*l]); 340280304Sjkim l2n3(n, p); 341280304Sjkim i2d_X509(x, &p); 342280304Sjkim *l += n + 3; 343205128Ssimon 344280304Sjkim return (0); 345280304Sjkim} 346205128Ssimon 34755714Skrisunsigned long ssl3_output_cert_chain(SSL *s, X509 *x) 348280304Sjkim{ 349280304Sjkim unsigned char *p; 350280304Sjkim int i; 351280304Sjkim unsigned long l = 7; 352280304Sjkim BUF_MEM *buf; 353280304Sjkim int no_chain; 354111147Snectar 355280304Sjkim if ((s->mode & SSL_MODE_NO_AUTO_CHAIN) || s->ctx->extra_certs) 356280304Sjkim no_chain = 1; 357280304Sjkim else 358280304Sjkim no_chain = 0; 359111147Snectar 360280304Sjkim /* TLSv1 sends a chain with nothing in it, instead of an alert */ 361280304Sjkim buf = s->init_buf; 362280304Sjkim if (!BUF_MEM_grow_clean(buf, 10)) { 363280304Sjkim SSLerr(SSL_F_SSL3_OUTPUT_CERT_CHAIN, ERR_R_BUF_LIB); 364280304Sjkim return (0); 365280304Sjkim } 366280304Sjkim if (x != NULL) { 367280304Sjkim if (no_chain) { 368280304Sjkim if (ssl3_add_cert_to_buf(buf, &l, x)) 369280304Sjkim return (0); 370280304Sjkim } else { 371280304Sjkim X509_STORE_CTX xs_ctx; 37255714Skris 373280304Sjkim if (!X509_STORE_CTX_init(&xs_ctx, s->ctx->cert_store, x, NULL)) { 374280304Sjkim SSLerr(SSL_F_SSL3_OUTPUT_CERT_CHAIN, ERR_R_X509_LIB); 375280304Sjkim return (0); 376280304Sjkim } 377280304Sjkim X509_verify_cert(&xs_ctx); 378280304Sjkim /* Don't leave errors in the queue */ 379280304Sjkim ERR_clear_error(); 380280304Sjkim for (i = 0; i < sk_X509_num(xs_ctx.chain); i++) { 381280304Sjkim x = sk_X509_value(xs_ctx.chain, i); 382111147Snectar 383280304Sjkim if (ssl3_add_cert_to_buf(buf, &l, x)) { 384280304Sjkim X509_STORE_CTX_cleanup(&xs_ctx); 385280304Sjkim return 0; 386280304Sjkim } 387280304Sjkim } 388280304Sjkim X509_STORE_CTX_cleanup(&xs_ctx); 389280304Sjkim } 390280304Sjkim } 391280304Sjkim /* Thawte special :-) */ 392280304Sjkim for (i = 0; i < sk_X509_num(s->ctx->extra_certs); i++) { 393280304Sjkim x = sk_X509_value(s->ctx->extra_certs, i); 394280304Sjkim if (ssl3_add_cert_to_buf(buf, &l, x)) 395280304Sjkim return (0); 396280304Sjkim } 39755714Skris 398280304Sjkim l -= 7; 399280304Sjkim p = (unsigned char *)&(buf->data[4]); 400280304Sjkim l2n3(l, p); 401280304Sjkim l += 3; 402280304Sjkim p = (unsigned char *)&(buf->data[0]); 403280304Sjkim *(p++) = SSL3_MT_CERTIFICATE; 404280304Sjkim l2n3(l, p); 405280304Sjkim l += 4; 406280304Sjkim return (l); 407280304Sjkim} 40855714Skris 409280304Sjkim/* 410280304Sjkim * Obtain handshake message of message type 'mt' (any if mt == -1), maximum 411280304Sjkim * acceptable body length 'max'. The first four bytes (msg_type and length) 412280304Sjkim * are read in state 'st1', the body is read in state 'stn'. 41359191Skris */ 41455714Skrislong ssl3_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok) 415280304Sjkim{ 416280304Sjkim unsigned char *p; 417280304Sjkim unsigned long l; 418280304Sjkim long n; 419280304Sjkim int i, al; 42055714Skris 421280304Sjkim if (s->s3->tmp.reuse_message) { 422280304Sjkim s->s3->tmp.reuse_message = 0; 423280304Sjkim if ((mt >= 0) && (s->s3->tmp.message_type != mt)) { 424280304Sjkim al = SSL_AD_UNEXPECTED_MESSAGE; 425280304Sjkim SSLerr(SSL_F_SSL3_GET_MESSAGE, SSL_R_UNEXPECTED_MESSAGE); 426280304Sjkim goto f_err; 427280304Sjkim } 428280304Sjkim *ok = 1; 429280304Sjkim s->state = stn; 430306196Sjkim s->init_msg = s->init_buf->data + SSL3_HM_HEADER_LENGTH; 431280304Sjkim s->init_num = (int)s->s3->tmp.message_size; 432280304Sjkim return s->init_num; 433280304Sjkim } 43455714Skris 435280304Sjkim p = (unsigned char *)s->init_buf->data; 43655714Skris 437306196Sjkim if (s->state == st1) { /* s->init_num < SSL3_HM_HEADER_LENGTH */ 438280304Sjkim int skip_message; 43959191Skris 440280304Sjkim do { 441306196Sjkim while (s->init_num < SSL3_HM_HEADER_LENGTH) { 442280304Sjkim i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, 443280304Sjkim &p[s->init_num], 444306196Sjkim SSL3_HM_HEADER_LENGTH - 445306196Sjkim s->init_num, 0); 446280304Sjkim if (i <= 0) { 447280304Sjkim s->rwstate = SSL_READING; 448280304Sjkim *ok = 0; 449280304Sjkim return i; 450280304Sjkim } 451280304Sjkim s->init_num += i; 452280304Sjkim } 453109998Smarkm 454280304Sjkim skip_message = 0; 455280304Sjkim if (!s->server) 456280304Sjkim if (p[0] == SSL3_MT_HELLO_REQUEST) 457280304Sjkim /* 458280304Sjkim * The server may always send 'Hello Request' messages -- 459280304Sjkim * we are doing a handshake anyway now, so ignore them if 460280304Sjkim * their format is correct. Does not count for 'Finished' 461280304Sjkim * MAC. 462280304Sjkim */ 463280304Sjkim if (p[1] == 0 && p[2] == 0 && p[3] == 0) { 464280304Sjkim s->init_num = 0; 465280304Sjkim skip_message = 1; 46655714Skris 467280304Sjkim if (s->msg_callback) 468280304Sjkim s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, 469306196Sjkim p, SSL3_HM_HEADER_LENGTH, s, 470306196Sjkim s->msg_callback_arg); 471280304Sjkim } 472280304Sjkim } 473280304Sjkim while (skip_message); 47459191Skris 475306196Sjkim /* s->init_num == SSL3_HM_HEADER_LENGTH */ 47659191Skris 477280304Sjkim if ((mt >= 0) && (*p != mt)) { 478280304Sjkim al = SSL_AD_UNEXPECTED_MESSAGE; 479280304Sjkim SSLerr(SSL_F_SSL3_GET_MESSAGE, SSL_R_UNEXPECTED_MESSAGE); 480280304Sjkim goto f_err; 481280304Sjkim } 482280304Sjkim if ((mt < 0) && (*p == SSL3_MT_CLIENT_HELLO) && 483280304Sjkim (st1 == SSL3_ST_SR_CERT_A) && (stn == SSL3_ST_SR_CERT_B)) { 484280304Sjkim /* 485280304Sjkim * At this point we have got an MS SGC second client hello (maybe 486280304Sjkim * we should always allow the client to start a new handshake?). 487280304Sjkim * We need to restart the mac. Don't increment 488280304Sjkim * {num,total}_renegotiations because we have not completed the 489280304Sjkim * handshake. 490280304Sjkim */ 491280304Sjkim ssl3_init_finished_mac(s); 492280304Sjkim } 49355714Skris 494280304Sjkim s->s3->tmp.message_type = *(p++); 49555714Skris 496280304Sjkim n2l3(p, l); 497280304Sjkim if (l > (unsigned long)max) { 498280304Sjkim al = SSL_AD_ILLEGAL_PARAMETER; 499280304Sjkim SSLerr(SSL_F_SSL3_GET_MESSAGE, SSL_R_EXCESSIVE_MESSAGE_SIZE); 500280304Sjkim goto f_err; 501280304Sjkim } 502306196Sjkim /* 503306196Sjkim * Make buffer slightly larger than message length as a precaution 504306196Sjkim * against small OOB reads e.g. CVE-2016-6306 505306196Sjkim */ 506306196Sjkim if (l 507306196Sjkim && !BUF_MEM_grow_clean(s->init_buf, 508306196Sjkim (int)l + SSL3_HM_HEADER_LENGTH + 16)) { 509280304Sjkim SSLerr(SSL_F_SSL3_GET_MESSAGE, ERR_R_BUF_LIB); 510280304Sjkim goto err; 511280304Sjkim } 512280304Sjkim s->s3->tmp.message_size = l; 513280304Sjkim s->state = stn; 51455714Skris 515306196Sjkim s->init_msg = s->init_buf->data + SSL3_HM_HEADER_LENGTH; 516280304Sjkim s->init_num = 0; 517280304Sjkim } 518246772Sjkim 519280304Sjkim /* next state (stn) */ 520280304Sjkim p = s->init_msg; 521280304Sjkim n = s->s3->tmp.message_size - s->init_num; 522280304Sjkim while (n > 0) { 523280304Sjkim i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, &p[s->init_num], 524280304Sjkim n, 0); 525280304Sjkim if (i <= 0) { 526280304Sjkim s->rwstate = SSL_READING; 527280304Sjkim *ok = 0; 528280304Sjkim return i; 529280304Sjkim } 530280304Sjkim s->init_num += i; 531280304Sjkim n -= i; 532280304Sjkim } 533280304Sjkim 534238405Sjkim#ifndef OPENSSL_NO_NEXTPROTONEG 535280304Sjkim /* 536280304Sjkim * If receiving Finished, record MAC of prior handshake messages for 537280304Sjkim * Finished verification. 538280304Sjkim */ 539280304Sjkim if (*s->init_buf->data == SSL3_MT_FINISHED) 540280304Sjkim ssl3_take_mac(s); 541238405Sjkim#endif 542246772Sjkim 543280304Sjkim /* Feed this message into MAC computation. */ 544306196Sjkim ssl3_finish_mac(s, (unsigned char *)s->init_buf->data, 545306196Sjkim s->init_num + SSL3_HM_HEADER_LENGTH); 546280304Sjkim if (s->msg_callback) 547280304Sjkim s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, s->init_buf->data, 548306196Sjkim (size_t)s->init_num + SSL3_HM_HEADER_LENGTH, s, 549306196Sjkim s->msg_callback_arg); 550280304Sjkim *ok = 1; 551280304Sjkim return s->init_num; 552280304Sjkim f_err: 553280304Sjkim ssl3_send_alert(s, SSL3_AL_FATAL, al); 554280304Sjkim err: 555280304Sjkim *ok = 0; 556280304Sjkim return (-1); 557280304Sjkim} 55855714Skris 55955714Skrisint ssl_cert_type(X509 *x, EVP_PKEY *pkey) 560280304Sjkim{ 561280304Sjkim EVP_PKEY *pk; 562280304Sjkim int ret = -1, i; 56355714Skris 564280304Sjkim if (pkey == NULL) 565280304Sjkim pk = X509_get_pubkey(x); 566280304Sjkim else 567280304Sjkim pk = pkey; 568280304Sjkim if (pk == NULL) 569280304Sjkim goto err; 57055714Skris 571280304Sjkim i = pk->type; 572280304Sjkim if (i == EVP_PKEY_RSA) { 573280304Sjkim ret = SSL_PKEY_RSA_ENC; 574280304Sjkim } else if (i == EVP_PKEY_DSA) { 575280304Sjkim ret = SSL_PKEY_DSA_SIGN; 576280304Sjkim } 577160814Ssimon#ifndef OPENSSL_NO_EC 578280304Sjkim else if (i == EVP_PKEY_EC) { 579280304Sjkim ret = SSL_PKEY_ECC; 580280304Sjkim } 581238405Sjkim#endif 582280304Sjkim else if (i == NID_id_GostR3410_94 || i == NID_id_GostR3410_94_cc) { 583280304Sjkim ret = SSL_PKEY_GOST94; 584280304Sjkim } else if (i == NID_id_GostR3410_2001 || i == NID_id_GostR3410_2001_cc) { 585280304Sjkim ret = SSL_PKEY_GOST01; 586280304Sjkim } 587280304Sjkim err: 588280304Sjkim if (!pkey) 589280304Sjkim EVP_PKEY_free(pk); 590280304Sjkim return (ret); 591280304Sjkim} 59255714Skris 59355714Skrisint ssl_verify_alarm_type(long type) 594280304Sjkim{ 595280304Sjkim int al; 59655714Skris 597280304Sjkim switch (type) { 598280304Sjkim case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: 599280304Sjkim case X509_V_ERR_UNABLE_TO_GET_CRL: 600280304Sjkim case X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER: 601280304Sjkim al = SSL_AD_UNKNOWN_CA; 602280304Sjkim break; 603280304Sjkim case X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE: 604280304Sjkim case X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE: 605280304Sjkim case X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY: 606280304Sjkim case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD: 607280304Sjkim case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD: 608280304Sjkim case X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD: 609280304Sjkim case X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD: 610280304Sjkim case X509_V_ERR_CERT_NOT_YET_VALID: 611280304Sjkim case X509_V_ERR_CRL_NOT_YET_VALID: 612280304Sjkim case X509_V_ERR_CERT_UNTRUSTED: 613280304Sjkim case X509_V_ERR_CERT_REJECTED: 614280304Sjkim al = SSL_AD_BAD_CERTIFICATE; 615280304Sjkim break; 616280304Sjkim case X509_V_ERR_CERT_SIGNATURE_FAILURE: 617280304Sjkim case X509_V_ERR_CRL_SIGNATURE_FAILURE: 618280304Sjkim al = SSL_AD_DECRYPT_ERROR; 619280304Sjkim break; 620280304Sjkim case X509_V_ERR_CERT_HAS_EXPIRED: 621280304Sjkim case X509_V_ERR_CRL_HAS_EXPIRED: 622280304Sjkim al = SSL_AD_CERTIFICATE_EXPIRED; 623280304Sjkim break; 624280304Sjkim case X509_V_ERR_CERT_REVOKED: 625280304Sjkim al = SSL_AD_CERTIFICATE_REVOKED; 626280304Sjkim break; 627306196Sjkim case X509_V_ERR_UNSPECIFIED: 628280304Sjkim case X509_V_ERR_OUT_OF_MEM: 629306196Sjkim case X509_V_ERR_INVALID_CALL: 630306196Sjkim case X509_V_ERR_STORE_LOOKUP: 631280304Sjkim al = SSL_AD_INTERNAL_ERROR; 632280304Sjkim break; 633280304Sjkim case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: 634280304Sjkim case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN: 635280304Sjkim case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: 636280304Sjkim case X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE: 637280304Sjkim case X509_V_ERR_CERT_CHAIN_TOO_LONG: 638280304Sjkim case X509_V_ERR_PATH_LENGTH_EXCEEDED: 639280304Sjkim case X509_V_ERR_INVALID_CA: 640280304Sjkim al = SSL_AD_UNKNOWN_CA; 641280304Sjkim break; 642280304Sjkim case X509_V_ERR_APPLICATION_VERIFICATION: 643280304Sjkim al = SSL_AD_HANDSHAKE_FAILURE; 644280304Sjkim break; 645280304Sjkim case X509_V_ERR_INVALID_PURPOSE: 646280304Sjkim al = SSL_AD_UNSUPPORTED_CERTIFICATE; 647280304Sjkim break; 648280304Sjkim default: 649280304Sjkim al = SSL_AD_CERTIFICATE_UNKNOWN; 650280304Sjkim break; 651280304Sjkim } 652280304Sjkim return (al); 653280304Sjkim} 65455714Skris 655238405Sjkim#ifndef OPENSSL_NO_BUF_FREELISTS 656280304Sjkim/*- 657280304Sjkim * On some platforms, malloc() performance is bad enough that you can't just 658238405Sjkim * free() and malloc() buffers all the time, so we need to use freelists from 659238405Sjkim * unused buffers. Currently, each freelist holds memory chunks of only a 660238405Sjkim * given size (list->chunklen); other sized chunks are freed and malloced. 661238405Sjkim * This doesn't help much if you're using many different SSL option settings 662238405Sjkim * with a given context. (The options affecting buffer size are 663238405Sjkim * max_send_fragment, read buffer vs write buffer, 664238405Sjkim * SSL_OP_MICROSOFT_BIG_WRITE_BUFFER, SSL_OP_NO_COMPRESSION, and 665238405Sjkim * SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS.) Using a separate freelist for every 666238405Sjkim * possible size is not an option, since max_send_fragment can take on many 667238405Sjkim * different values. 668238405Sjkim * 669238405Sjkim * If you are on a platform with a slow malloc(), and you're using SSL 670238405Sjkim * connections with many different settings for these options, and you need to 671238405Sjkim * use the SSL_MOD_RELEASE_BUFFERS feature, you have a few options: 672238405Sjkim * - Link against a faster malloc implementation. 673238405Sjkim * - Use a separate SSL_CTX for each option set. 674238405Sjkim * - Improve this code. 675238405Sjkim */ 676280304Sjkimstatic void *freelist_extract(SSL_CTX *ctx, int for_read, int sz) 677280304Sjkim{ 678280304Sjkim SSL3_BUF_FREELIST *list; 679280304Sjkim SSL3_BUF_FREELIST_ENTRY *ent = NULL; 680280304Sjkim void *result = NULL; 681238405Sjkim 682280304Sjkim CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX); 683280304Sjkim list = for_read ? ctx->rbuf_freelist : ctx->wbuf_freelist; 684280304Sjkim if (list != NULL && sz == (int)list->chunklen) 685280304Sjkim ent = list->head; 686280304Sjkim if (ent != NULL) { 687280304Sjkim list->head = ent->next; 688280304Sjkim result = ent; 689280304Sjkim if (--list->len == 0) 690280304Sjkim list->chunklen = 0; 691280304Sjkim } 692280304Sjkim CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX); 693280304Sjkim if (!result) 694280304Sjkim result = OPENSSL_malloc(sz); 695280304Sjkim return result; 696238405Sjkim} 697238405Sjkim 698280304Sjkimstatic void freelist_insert(SSL_CTX *ctx, int for_read, size_t sz, void *mem) 699280304Sjkim{ 700280304Sjkim SSL3_BUF_FREELIST *list; 701280304Sjkim SSL3_BUF_FREELIST_ENTRY *ent; 702238405Sjkim 703280304Sjkim CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX); 704280304Sjkim list = for_read ? ctx->rbuf_freelist : ctx->wbuf_freelist; 705280304Sjkim if (list != NULL && 706280304Sjkim (sz == list->chunklen || list->chunklen == 0) && 707280304Sjkim list->len < ctx->freelist_max_len && sz >= sizeof(*ent)) { 708280304Sjkim list->chunklen = sz; 709280304Sjkim ent = mem; 710280304Sjkim ent->next = list->head; 711280304Sjkim list->head = ent; 712280304Sjkim ++list->len; 713280304Sjkim mem = NULL; 714280304Sjkim } 715238405Sjkim 716280304Sjkim CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX); 717280304Sjkim if (mem) 718280304Sjkim OPENSSL_free(mem); 719280304Sjkim} 720238405Sjkim#else 721280304Sjkim# define freelist_extract(c,fr,sz) OPENSSL_malloc(sz) 722280304Sjkim# define freelist_insert(c,fr,sz,m) OPENSSL_free(m) 723238405Sjkim#endif 724238405Sjkim 725238405Sjkimint ssl3_setup_read_buffer(SSL *s) 726280304Sjkim{ 727280304Sjkim unsigned char *p; 728280304Sjkim size_t len, align = 0, headerlen; 729205128Ssimon 730280304Sjkim if (SSL_version(s) == DTLS1_VERSION || SSL_version(s) == DTLS1_BAD_VER) 731280304Sjkim headerlen = DTLS1_RT_HEADER_LENGTH; 732280304Sjkim else 733280304Sjkim headerlen = SSL3_RT_HEADER_LENGTH; 734280304Sjkim 735238405Sjkim#if defined(SSL3_ALIGN_PAYLOAD) && SSL3_ALIGN_PAYLOAD!=0 736280304Sjkim align = (-SSL3_RT_HEADER_LENGTH) & (SSL3_ALIGN_PAYLOAD - 1); 737238405Sjkim#endif 738238405Sjkim 739280304Sjkim if (s->s3->rbuf.buf == NULL) { 740280304Sjkim len = SSL3_RT_MAX_PLAIN_LENGTH 741280304Sjkim + SSL3_RT_MAX_ENCRYPTED_OVERHEAD + headerlen + align; 742280304Sjkim if (s->options & SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER) { 743280304Sjkim s->s3->init_extra = 1; 744280304Sjkim len += SSL3_RT_MAX_EXTRA; 745280304Sjkim } 746238405Sjkim#ifndef OPENSSL_NO_COMP 747280304Sjkim if (!(s->options & SSL_OP_NO_COMPRESSION)) 748280304Sjkim len += SSL3_RT_MAX_COMPRESSED_OVERHEAD; 749238405Sjkim#endif 750280304Sjkim if ((p = freelist_extract(s->ctx, 1, len)) == NULL) 751280304Sjkim goto err; 752280304Sjkim s->s3->rbuf.buf = p; 753280304Sjkim s->s3->rbuf.len = len; 754280304Sjkim } 75555714Skris 756280304Sjkim s->packet = &(s->s3->rbuf.buf[0]); 757280304Sjkim return 1; 758238405Sjkim 759280304Sjkim err: 760280304Sjkim SSLerr(SSL_F_SSL3_SETUP_READ_BUFFER, ERR_R_MALLOC_FAILURE); 761280304Sjkim return 0; 762280304Sjkim} 763238405Sjkim 764238405Sjkimint ssl3_setup_write_buffer(SSL *s) 765280304Sjkim{ 766280304Sjkim unsigned char *p; 767280304Sjkim size_t len, align = 0, headerlen; 768238405Sjkim 769280304Sjkim if (SSL_version(s) == DTLS1_VERSION || SSL_version(s) == DTLS1_BAD_VER) 770280304Sjkim headerlen = DTLS1_RT_HEADER_LENGTH + 1; 771280304Sjkim else 772280304Sjkim headerlen = SSL3_RT_HEADER_LENGTH; 773238405Sjkim 774238405Sjkim#if defined(SSL3_ALIGN_PAYLOAD) && SSL3_ALIGN_PAYLOAD!=0 775280304Sjkim align = (-SSL3_RT_HEADER_LENGTH) & (SSL3_ALIGN_PAYLOAD - 1); 776238405Sjkim#endif 777238405Sjkim 778280304Sjkim if (s->s3->wbuf.buf == NULL) { 779280304Sjkim len = s->max_send_fragment 780280304Sjkim + SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD + headerlen + align; 781238405Sjkim#ifndef OPENSSL_NO_COMP 782280304Sjkim if (!(s->options & SSL_OP_NO_COMPRESSION)) 783280304Sjkim len += SSL3_RT_MAX_COMPRESSED_OVERHEAD; 784238405Sjkim#endif 785280304Sjkim if (!(s->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)) 786280304Sjkim len += headerlen + align + SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD; 787238405Sjkim 788280304Sjkim if ((p = freelist_extract(s->ctx, 0, len)) == NULL) 789280304Sjkim goto err; 790280304Sjkim s->s3->wbuf.buf = p; 791280304Sjkim s->s3->wbuf.len = len; 792280304Sjkim } 793238405Sjkim 794280304Sjkim return 1; 795238405Sjkim 796280304Sjkim err: 797280304Sjkim SSLerr(SSL_F_SSL3_SETUP_WRITE_BUFFER, ERR_R_MALLOC_FAILURE); 798280304Sjkim return 0; 799280304Sjkim} 800238405Sjkim 801238405Sjkimint ssl3_setup_buffers(SSL *s) 802280304Sjkim{ 803280304Sjkim if (!ssl3_setup_read_buffer(s)) 804280304Sjkim return 0; 805280304Sjkim if (!ssl3_setup_write_buffer(s)) 806280304Sjkim return 0; 807280304Sjkim return 1; 808280304Sjkim} 809238405Sjkim 810238405Sjkimint ssl3_release_write_buffer(SSL *s) 811280304Sjkim{ 812280304Sjkim if (s->s3->wbuf.buf != NULL) { 813280304Sjkim freelist_insert(s->ctx, 0, s->s3->wbuf.len, s->s3->wbuf.buf); 814280304Sjkim s->s3->wbuf.buf = NULL; 815280304Sjkim } 816280304Sjkim return 1; 817280304Sjkim} 818238405Sjkim 819238405Sjkimint ssl3_release_read_buffer(SSL *s) 820280304Sjkim{ 821280304Sjkim if (s->s3->rbuf.buf != NULL) { 822280304Sjkim freelist_insert(s->ctx, 1, s->s3->rbuf.len, s->s3->rbuf.buf); 823280304Sjkim s->s3->rbuf.buf = NULL; 824280304Sjkim } 825280304Sjkim return 1; 826280304Sjkim} 827