s3_both.cc source code [flutter_engine/third_party/boringssl/src/ssl/s3_both.cc]

1	/ Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)*
2	* All rights reserved.
3	*
4	* This package is an SSL implementation written
5	* by Eric Young (eay@cryptsoft.com).
6	* The implementation was written so as to conform with Netscapes SSL.
7	*
8	* This library is free for commercial and non-commercial use as long as
9	* the following conditions are aheared to. The following conditions
10	* apply to all code found in this distribution, be it the RC4, RSA,
11	* lhash, DES, etc., code; not just the SSL code. The SSL documentation
12	* included with this distribution is covered by the same copyright terms
13	* except that the holder is Tim Hudson (tjh@cryptsoft.com).
14	*
15	* Copyright remains Eric Young's, and as such any Copyright notices in
16	* the code are not to be removed.
17	* If this package is used in a product, Eric Young should be given attribution
18	* as the author of the parts of the library used.
19	* This can be in the form of a textual message at program startup or
20	* in documentation (online or textual) provided with the package.
21	*
22	* Redistribution and use in source and binary forms, with or without
23	* modification, are permitted provided that the following conditions
24	* are met:
25	* 1. Redistributions of source code must retain the copyright
26	* notice, this list of conditions and the following disclaimer.
27	* 2. Redistributions in binary form must reproduce the above copyright
28	* notice, this list of conditions and the following disclaimer in the
29	* documentation and/or other materials provided with the distribution.
30	* 3. All advertising materials mentioning features or use of this software
31	* must display the following acknowledgement:
32	* "This product includes cryptographic software written by
33	* Eric Young (eay@cryptsoft.com)"
34	* The word 'cryptographic' can be left out if the rouines from the library
35	* being used are not cryptographic related :-).
36	* 4. If you include any Windows specific code (or a derivative thereof) from
37	* the apps directory (application code) you must include an acknowledgement:
38	* "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
39	*
40	* THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
41	* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
43	* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
44	* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
45	* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
46	* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
48	* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
49	* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
50	* SUCH DAMAGE.
51	*
52	* The licence and distribution terms for any publically available version or
53	* derivative of this code cannot be changed. i.e. this code cannot simply be
54	* copied and put under another distribution licence
55	* [including the GNU Public Licence.]
56	*/
57	/ ====================================================================*
58	* Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved.
59	*
60	* Redistribution and use in source and binary forms, with or without
61	* modification, are permitted provided that the following conditions
62	* are met:
63	*
64	* 1. Redistributions of source code must retain the above copyright
65	* notice, this list of conditions and the following disclaimer.
66	*
67	* 2. Redistributions in binary form must reproduce the above copyright
68	* notice, this list of conditions and the following disclaimer in
69	* the documentation and/or other materials provided with the
70	* distribution.
71	*
72	* 3. All advertising materials mentioning features or use of this
73	* software must display the following acknowledgment:
74	* "This product includes software developed by the OpenSSL Project
75	* for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
76	*
77	* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
78	* endorse or promote products derived from this software without
79	* prior written permission. For written permission, please contact
80	* openssl-core@openssl.org.
81	*
82	* 5. Products derived from this software may not be called "OpenSSL"
83	* nor may "OpenSSL" appear in their names without prior written
84	* permission of the OpenSSL Project.
85	*
86	* 6. Redistributions of any form whatsoever must retain the following
87	* acknowledgment:
88	* "This product includes software developed by the OpenSSL Project
89	* for use in the OpenSSL Toolkit (http://www.openssl.org/)"
90	*
91	* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
92	* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
93	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
94	* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
95	* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
96	* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
97	* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
98	* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
99	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
100	* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
101	* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
102	* OF THE POSSIBILITY OF SUCH DAMAGE.
103	* ====================================================================
104	*
105	* This product includes cryptographic software written by Eric Young
106	* (eay@cryptsoft.com). This product includes software written by Tim
107	* Hudson (tjh@cryptsoft.com). */
108	/ ====================================================================*
109	* Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
110	* ECC cipher suite support in OpenSSL originally developed by
111	* SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project. */
112
113	#include <openssl/ssl.h>
114
115	#include <assert.h>
116	#include <limits.h>
117	#include <string.h>
118
119	#include <tuple>
120
121	#include <openssl/buf.h>
122	#include <openssl/bytestring.h>
123	#include <openssl/err.h>
124	#include <openssl/evp.h>
125	#include <openssl/mem.h>
126	#include <openssl/md5.h>
127	#include <openssl/nid.h>
128	#include <openssl/rand.h>
129	#include <openssl/sha.h>
130
131	#include "../crypto/internal.h"
132	#include "internal.h"
133
134
135	BSSL_NAMESPACE_BEGIN
136
137	static bool add_record_to_flight(SSL *ssl, uint8_t type,
138	Span<const uint8_t> in) {
139	// The caller should have flushed \|pending_hs_data\| first.
140	assert(!ssl->s3->pending_hs_data);
141	// We'll never add a flight while in the process of writing it out.
142	assert(ssl->s3->pending_flight_offset == `0`);
143
144	if (ssl->s3->pending_flight == nullptr) {
145	ssl->s3->pending_flight.reset(p: BUF_MEM_new());
146	if (ssl->s3->pending_flight == nullptr) {
147	return false;
148	}
149	}
150
151	size_t max_out = in.size() + SSL_max_seal_overhead(ssl);
152	size_t new_cap = ssl->s3->pending_flight ->length + max_out;
153	if (max_out < in.size() \|\| new_cap < max_out) {
154	OPENSSL_PUT_ERROR(SSL, ERR_R_OVERFLOW);
155	return false;
156	}
157
158	size_t len;
159	if (!BUF_MEM_reserve(buf: ssl->s3->pending_flight.get(), cap: new_cap) \|\|
160	!tls_seal_record(ssl,
161	out: (uint8_t *)ssl->s3->pending_flight ->data +
162	ssl->s3->pending_flight ->length,
163	out_len: &len, max_out, type, in: in.data(), in_len: in.size())) {
164	return false;
165	}
166
167	ssl->s3->pending_flight ->length += len;
168	return true;
169	}
170
171	bool tls_init_message(const SSL ssl, CBB cbb, CBB *body, uint8_t type) {
172	// Pick a modest size hint to save most of the \|realloc\| calls.
173	if (!CBB_init(cbb, initial_capacity: `64`) \|\|
174	!CBB_add_u8(cbb, value: type) \|\|
175	!CBB_add_u24_length_prefixed(cbb, out_contents: body)) {
176	OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
177	CBB_cleanup(cbb);
178	return false;
179	}
180
181	return true;
182	}
183
184	bool tls_finish_message(const SSL ssl, CBB cbb, Array<uint8_t> *out_msg) {
185	return CBBFinishArray(cbb, out: out_msg);
186	}
187
188	bool tls_add_message(SSL *ssl, Array<uint8_t> msg) {
189	// Pack handshake data into the minimal number of records. This avoids
190	// unnecessary encryption overhead, notably in TLS 1.3 where we send several
191	// encrypted messages in a row. For now, we do not do this for the null
192	// cipher. The benefit is smaller and there is a risk of breaking buggy
193	// implementations.
194	//
195	// TODO(davidben): See if we can do this uniformly.
196	Span<const uint8_t> rest = msg;
197	if (ssl->quic_method == nullptr &&
198	ssl->s3->aead_write_ctx ->is_null_cipher()) {
199	while (!rest.empty()) {
200	Span<const uint8_t> chunk = rest.subspan(pos: `0`, len: ssl->max_send_fragment);
201	rest = rest.subspan(pos: chunk.size());
202
203	if (!add_record_to_flight(ssl, SSL3_RT_HANDSHAKE, in: chunk)) {
204	return false;
205	}
206	}
207	} else {
208	while (!rest.empty()) {
209	// Flush if \|pending_hs_data\| is full.
210	if (ssl->s3->pending_hs_data &&
211	ssl->s3->pending_hs_data ->length >= ssl->max_send_fragment &&
212	!tls_flush_pending_hs_data(ssl)) {
213	return false;
214	}
215
216	size_t pending_len =
217	ssl->s3->pending_hs_data ? ssl->s3->pending_hs_data ->length : `0`;
218	Span<const uint8_t> chunk =
219	rest.subspan(pos: `0`, len: ssl->max_send_fragment - pending_len);
220	assert(!chunk.empty());
221	rest = rest.subspan(pos: chunk.size());
222
223	if (!ssl->s3->pending_hs_data) {
224	ssl->s3->pending_hs_data.reset(p: BUF_MEM_new());
225	}
226	if (!ssl->s3->pending_hs_data \|\|
227	!BUF_MEM_append(buf: ssl->s3->pending_hs_data.get(), in: chunk.data(),
228	len: chunk.size())) {
229	return false;
230	}
231	}
232	}
233
234	ssl_do_msg_callback(ssl, is_write: `1` / write /, SSL3_RT_HANDSHAKE, in: msg);
235	// TODO(svaldez): Move this up a layer to fix abstraction for SSLTranscript on
236	// hs.
237	if (ssl->s3->hs != NULL &&
238	!ssl->s3->hs ->transcript.Update(in: msg)) {
239	return false;
240	}
241	return true;
242	}
243
244	bool tls_flush_pending_hs_data(SSL *ssl) {
245	if (!ssl->s3->pending_hs_data \|\| ssl->s3->pending_hs_data ->length == `0`) {
246	return true;
247	}
248
249	UniquePtr<BUF_MEM> pending_hs_data = std::move(ssl->s3->pending_hs_data);
250	auto data =
251	MakeConstSpan(ptr: reinterpret_cast<const uint8_t *>(pending_hs_data ->data),
252	size: pending_hs_data ->length);
253	if (ssl->quic_method) {
254	if ((ssl->s3->hs == nullptr \|\| !ssl->s3->hs ->hints_requested) &&
255	!ssl->quic_method->add_handshake_data(ssl, ssl->s3->write_level,
256	data.data(), data.size())) {
257	OPENSSL_PUT_ERROR(SSL, SSL_R_QUIC_INTERNAL_ERROR);
258	return false;
259	}
260	return true;
261	}
262
263	return add_record_to_flight(ssl, SSL3_RT_HANDSHAKE, in: data);
264	}
265
266	bool tls_add_change_cipher_spec(SSL *ssl) {
267	static const uint8_t kChangeCipherSpec[`1`] = {SSL3_MT_CCS};
268
269	if (!tls_flush_pending_hs_data(ssl)) {
270	return false;
271	}
272
273	if (!ssl->quic_method &&
274	!add_record_to_flight(ssl, SSL3_RT_CHANGE_CIPHER_SPEC,
275	in: kChangeCipherSpec)) {
276	return false;
277	}
278
279	ssl_do_msg_callback(ssl, is_write: `1` / write /, SSL3_RT_CHANGE_CIPHER_SPEC,
280	in: kChangeCipherSpec);
281	return true;
282	}
283
284	int tls_flush_flight(SSL *ssl) {
285	if (!tls_flush_pending_hs_data(ssl)) {
286	return -`1`;
287	}
288
289	if (ssl->quic_method) {
290	if (ssl->s3->write_shutdown != ssl_shutdown_none) {
291	OPENSSL_PUT_ERROR(SSL, SSL_R_PROTOCOL_IS_SHUTDOWN);
292	return -`1`;
293	}
294
295	if (!ssl->quic_method->flush_flight(ssl)) {
296	OPENSSL_PUT_ERROR(SSL, SSL_R_QUIC_INTERNAL_ERROR);
297	return -`1`;
298	}
299	}
300
301	if (ssl->s3->pending_flight == nullptr) {
302	return `1`;
303	}
304
305	if (ssl->s3->write_shutdown != ssl_shutdown_none) {
306	OPENSSL_PUT_ERROR(SSL, SSL_R_PROTOCOL_IS_SHUTDOWN);
307	return -`1`;
308	}
309
310	static_assert(INT_MAX <= `0xffffffff`, "int is larger than 32 bits");
311	if (ssl->s3->pending_flight ->length > INT_MAX) {
312	OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
313	return -`1`;
314	}
315
316	// If there is pending data in the write buffer, it must be flushed out before
317	// any new data in pending_flight.
318	if (!ssl->s3->write_buffer.empty()) {
319	int ret = ssl_write_buffer_flush(ssl);
320	if (ret <= `0`) {
321	ssl->s3->rwstate = SSL_ERROR_WANT_WRITE;
322	return ret;
323	}
324	}
325
326	if (ssl->wbio == nullptr) {
327	OPENSSL_PUT_ERROR(SSL, SSL_R_BIO_NOT_SET);
328	return -`1`;
329	}
330
331	// Write the pending flight.
332	while (ssl->s3->pending_flight_offset < ssl->s3->pending_flight ->length) {
333	int ret = BIO_write(
334	bio: ssl->wbio.get(),
335	data: ssl->s3->pending_flight ->data + ssl->s3->pending_flight_offset,
336	len: ssl->s3->pending_flight ->length - ssl->s3->pending_flight_offset);
337	if (ret <= `0`) {
338	ssl->s3->rwstate = SSL_ERROR_WANT_WRITE;
339	return ret;
340	}
341
342	ssl->s3->pending_flight_offset += ret;
343	}
344
345	if (BIO_flush(bio: ssl->wbio.get()) <= `0`) {
346	ssl->s3->rwstate = SSL_ERROR_WANT_WRITE;
347	return -`1`;
348	}
349
350	ssl->s3->pending_flight.reset();
351	ssl->s3->pending_flight_offset = `0`;
352	return `1`;
353	}
354
355	static ssl_open_record_t read_v2_client_hello(SSL ssl, size_t out_consumed,
356	Span<const uint8_t> in) {
357	*out_consumed = `0`;
358	assert(in.size() >= SSL3_RT_HEADER_LENGTH);
359	// Determine the length of the V2ClientHello.
360	size_t msg_length = ((in [`0`] & `0x7f`) << `8`) \| in [`1`];
361	if (msg_length > (`1024` * `4`)) {
362	OPENSSL_PUT_ERROR(SSL, SSL_R_RECORD_TOO_LARGE);
363	return ssl_open_record_error;
364	}
365	if (msg_length < SSL3_RT_HEADER_LENGTH - `2`) {
366	// Reject lengths that are too short early. We have already read
367	// \|SSL3_RT_HEADER_LENGTH\| bytes, so we should not attempt to process an
368	// (invalid) V2ClientHello which would be shorter than that.
369	OPENSSL_PUT_ERROR(SSL, SSL_R_RECORD_LENGTH_MISMATCH);
370	return ssl_open_record_error;
371	}
372
373	// Ask for the remainder of the V2ClientHello.
374	if (in.size() < `2` + msg_length) {
375	*out_consumed = `2` + msg_length;
376	return ssl_open_record_partial;
377	}
378
379	CBS v2_client_hello = CBS (ssl->s3->read_buffer.span().subspan(pos: `2`, len: msg_length));
380	// The V2ClientHello without the length is incorporated into the handshake
381	// hash. This is only ever called at the start of the handshake, so hs is
382	// guaranteed to be non-NULL.
383	if (!ssl->s3->hs ->transcript.Update(in: v2_client_hello)) {
384	return ssl_open_record_error;
385	}
386
387	ssl_do_msg_callback(ssl, is_write: `0` / read /, content_type: `0` / V2ClientHello /,
388	in: v2_client_hello);
389
390	uint8_t msg_type;
391	uint16_t version, cipher_spec_length, session_id_length, challenge_length;
392	CBS cipher_specs, session_id, challenge;
393	if (!CBS_get_u8(cbs: &v2_client_hello, out: &msg_type) \|\|
394	!CBS_get_u16(cbs: &v2_client_hello, out: &version) \|\|
395	!CBS_get_u16(cbs: &v2_client_hello, out: &cipher_spec_length) \|\|
396	!CBS_get_u16(cbs: &v2_client_hello, out: &session_id_length) \|\|
397	!CBS_get_u16(cbs: &v2_client_hello, out: &challenge_length) \|\|
398	!CBS_get_bytes(cbs: &v2_client_hello, out: &cipher_specs, len: cipher_spec_length) \|\|
399	!CBS_get_bytes(cbs: &v2_client_hello, out: &session_id, len: session_id_length) \|\|
400	!CBS_get_bytes(cbs: &v2_client_hello, out: &challenge, len: challenge_length) \|\|
401	CBS_len(cbs: &v2_client_hello) != `0`) {
402	OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
403	return ssl_open_record_error;
404	}
405
406	// msg_type has already been checked.
407	assert(msg_type == SSL2_MT_CLIENT_HELLO);
408
409	// The client_random is the V2ClientHello challenge. Truncate or left-pad with
410	// zeros as needed.
411	size_t rand_len = CBS_len(cbs: &challenge);
412	if (rand_len > SSL3_RANDOM_SIZE) {
413	rand_len = SSL3_RANDOM_SIZE;
414	}
415	uint8_t random[SSL3_RANDOM_SIZE];
416	OPENSSL_memset(dst: random, c: `0`, SSL3_RANDOM_SIZE);
417	OPENSSL_memcpy(dst: random + (SSL3_RANDOM_SIZE - rand_len), src: CBS_data(cbs: &challenge),
418	n: rand_len);
419
420	// Write out an equivalent TLS ClientHello directly to the handshake buffer.
421	size_t max_v3_client_hello = SSL3_HM_HEADER_LENGTH + `2` / version / +
422	SSL3_RANDOM_SIZE + `1` / session ID length / +
423	`2` / cipher list length / +
424	CBS_len(cbs: &cipher_specs) / `3` * `2` +
425	`1` / compression length / + `1` / compression /;
426	ScopedCBB client_hello;
427	CBB hello_body, cipher_suites;
428	if (!ssl->s3->hs_buf) {
429	ssl->s3->hs_buf.reset(p: BUF_MEM_new());
430	}
431	if (!ssl->s3->hs_buf \|\|
432	!BUF_MEM_reserve(buf: ssl->s3->hs_buf.get(), cap: max_v3_client_hello) \|\|
433	!CBB_init_fixed(cbb: client_hello.get(), buf: (uint8_t *)ssl->s3->hs_buf ->data,
434	len: ssl->s3->hs_buf ->max) \|\|
435	!CBB_add_u8(cbb: client_hello.get(), SSL3_MT_CLIENT_HELLO) \|\|
436	!CBB_add_u24_length_prefixed(cbb: client_hello.get(), out_contents: &hello_body) \|\|
437	!CBB_add_u16(cbb: &hello_body, value: version) \|\|
438	!CBB_add_bytes(cbb: &hello_body, data: random, SSL3_RANDOM_SIZE) \|\|
439	// No session id.
440	!CBB_add_u8(cbb: &hello_body, value: `0`) \|\|
441	!CBB_add_u16_length_prefixed(cbb: &hello_body, out_contents: &cipher_suites)) {
442	return ssl_open_record_error;
443	}
444
445	// Copy the cipher suites.
446	while (CBS_len(cbs: &cipher_specs) > `0`) {
447	uint32_t cipher_spec;
448	if (!CBS_get_u24(cbs: &cipher_specs, out: &cipher_spec)) {
449	OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
450	return ssl_open_record_error;
451	}
452
453	// Skip SSLv2 ciphers.
454	if ((cipher_spec & `0xff0000`) != `0`) {
455	continue;
456	}
457	if (!CBB_add_u16(cbb: &cipher_suites, value: cipher_spec)) {
458	OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
459	return ssl_open_record_error;
460	}
461	}
462
463	// Add the null compression scheme and finish.
464	if (!CBB_add_u8(cbb: &hello_body, value: `1`) \|\|
465	!CBB_add_u8(cbb: &hello_body, value: `0`) \|\|
466	!CBB_finish(cbb: client_hello.get(), NULL, out_len: &ssl->s3->hs_buf ->length)) {
467	OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
468	return ssl_open_record_error;
469	}
470
471	*out_consumed = `2` + msg_length;
472	ssl->s3->is_v2_hello = true;
473	return ssl_open_record_success;
474	}
475
476	static bool parse_message(const SSL ssl, SSLMessage out,
477	size_t *out_bytes_needed) {
478	if (!ssl->s3->hs_buf) {
479	*out_bytes_needed = `4`;
480	return false;
481	}
482
483	CBS cbs;
484	uint32_t len;
485	CBS_init(cbs: &cbs, data: reinterpret_cast<const uint8_t *>(ssl->s3->hs_buf ->data),
486	len: ssl->s3->hs_buf ->length);
487	if (!CBS_get_u8(cbs: &cbs, out: &out->type) \|\|
488	!CBS_get_u24(cbs: &cbs, out: &len)) {
489	*out_bytes_needed = `4`;
490	return false;
491	}
492
493	if (!CBS_get_bytes(cbs: &cbs, out: &out->body, len)) {
494	*out_bytes_needed = `4` + len;
495	return false;
496	}
497
498	CBS_init(cbs: &out->raw, data: reinterpret_cast<const uint8_t *>(ssl->s3->hs_buf ->data),
499	len: `4` + len);
500	out->is_v2_hello = ssl->s3->is_v2_hello;
501	return true;
502	}
503
504	bool tls_get_message(const SSL ssl, SSLMessage out) {
505	size_t unused;
506	if (!parse_message(ssl, out, out_bytes_needed: &unused)) {
507	return false;
508	}
509	if (!ssl->s3->has_message) {
510	if (!out->is_v2_hello) {
511	ssl_do_msg_callback(ssl, is_write: `0` / read /, SSL3_RT_HANDSHAKE, in: out->raw);
512	}
513	ssl->s3->has_message = true;
514	}
515	return true;
516	}
517
518	bool tls_can_accept_handshake_data(const SSL ssl, uint8_t out_alert) {
519	// If there is a complete message, the caller must have consumed it first.
520	SSLMessage msg;
521	size_t bytes_needed;
522	if (parse_message(ssl, out: &msg, out_bytes_needed: &bytes_needed)) {
523	OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
524	*out_alert = SSL_AD_INTERNAL_ERROR;
525	return false;
526	}
527
528	// Enforce the limit so the peer cannot force us to buffer 16MB.
529	if (bytes_needed > `4` + ssl_max_handshake_message_len(ssl)) {
530	OPENSSL_PUT_ERROR(SSL, SSL_R_EXCESSIVE_MESSAGE_SIZE);
531	*out_alert = SSL_AD_ILLEGAL_PARAMETER;
532	return false;
533	}
534
535	return true;
536	}
537
538	bool tls_has_unprocessed_handshake_data(const SSL *ssl) {
539	size_t msg_len = `0`;
540	if (ssl->s3->has_message) {
541	SSLMessage msg;
542	size_t unused;
543	if (parse_message(ssl, out: &msg, out_bytes_needed: &unused)) {
544	msg_len = CBS_len(cbs: &msg.raw);
545	}
546	}
547
548	return ssl->s3->hs_buf && ssl->s3->hs_buf ->length > msg_len;
549	}
550
551	bool tls_append_handshake_data(SSL ssl, Span<const* uint8_t> data) {
552	// Re-create the handshake buffer if needed.
553	if (!ssl->s3->hs_buf) {
554	ssl->s3->hs_buf.reset(p: BUF_MEM_new());
555	}
556	return ssl->s3->hs_buf &&
557	BUF_MEM_append(buf: ssl->s3->hs_buf.get(), in: data.data(), len: data.size());
558	}
559
560	ssl_open_record_t tls_open_handshake(SSL ssl, size_t out_consumed,
561	uint8_t *out_alert, Span<uint8_t> in) {
562	*out_consumed = `0`;
563	// Bypass the record layer for the first message to handle V2ClientHello.
564	if (ssl->server && !ssl->s3->v2_hello_done) {
565	// Ask for the first 5 bytes, the size of the TLS record header. This is
566	// sufficient to detect a V2ClientHello and ensures that we never read
567	// beyond the first record.
568	if (in.size() < SSL3_RT_HEADER_LENGTH) {
569	*out_consumed = SSL3_RT_HEADER_LENGTH;
570	return ssl_open_record_partial;
571	}
572
573	// Some dedicated error codes for protocol mixups should the application
574	// wish to interpret them differently. (These do not overlap with
575	// ClientHello or V2ClientHello.)
576	const char str = reinterpret_cast<const* char*>(in.data());
577	if (strncmp(s1: "GET ", s2: str, n: `4`) == `0` \|\|
578	strncmp(s1: "POST ", s2: str, n: `5`) == `0` \|\|
579	strncmp(s1: "HEAD ", s2: str, n: `5`) == `0` \|\|
580	strncmp(s1: "PUT ", s2: str, n: `4`) == `0`) {
581	OPENSSL_PUT_ERROR(SSL, SSL_R_HTTP_REQUEST);
582	*out_alert = `0`;
583	return ssl_open_record_error;
584	}
585	if (strncmp(s1: "CONNE", s2: str, n: `5`) == `0`) {
586	OPENSSL_PUT_ERROR(SSL, SSL_R_HTTPS_PROXY_REQUEST);
587	*out_alert = `0`;
588	return ssl_open_record_error;
589	}
590
591	// Check for a V2ClientHello.
592	if ((in [`0`] & `0x80`) != `0` && in [`2`] == SSL2_MT_CLIENT_HELLO &&
593	in [`3`] == SSL3_VERSION_MAJOR) {
594	auto ret = read_v2_client_hello(ssl, out_consumed, in);
595	if (ret == ssl_open_record_error) {
596	*out_alert = `0`;
597	} else if (ret == ssl_open_record_success) {
598	ssl->s3->v2_hello_done = true;
599	}
600	return ret;
601	}
602
603	ssl->s3->v2_hello_done = true;
604	}
605
606	uint8_t type;
607	Span<uint8_t> body;
608	auto ret = tls_open_record(ssl, out_type: &type, out: &body, out_consumed, out_alert, in);
609	if (ret != ssl_open_record_success) {
610	return ret;
611	}
612
613	// WatchGuard's TLS 1.3 interference bug is very distinctive: they drop the
614	// ServerHello and send the remaining encrypted application data records
615	// as-is. This manifests as an application data record when we expect
616	// handshake. Report a dedicated error code for this case.
617	if (!ssl->server && type == SSL3_RT_APPLICATION_DATA &&
618	ssl->s3->aead_read_ctx ->is_null_cipher()) {
619	OPENSSL_PUT_ERROR(SSL, SSL_R_APPLICATION_DATA_INSTEAD_OF_HANDSHAKE);
620	*out_alert = SSL_AD_UNEXPECTED_MESSAGE;
621	return ssl_open_record_error;
622	}
623
624	if (type != SSL3_RT_HANDSHAKE) {
625	OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_RECORD);
626	*out_alert = SSL_AD_UNEXPECTED_MESSAGE;
627	return ssl_open_record_error;
628	}
629
630	// Append the entire handshake record to the buffer.
631	if (!tls_append_handshake_data(ssl, data: body)) {
632	*out_alert = SSL_AD_INTERNAL_ERROR;
633	return ssl_open_record_error;
634	}
635
636	return ssl_open_record_success;
637	}
638
639	void tls_next_message(SSL *ssl) {
640	SSLMessage msg;
641	if (!tls_get_message(ssl, out: &msg) \|\|
642	!ssl->s3->hs_buf \|\|
643	ssl->s3->hs_buf ->length < CBS_len(cbs: &msg.raw)) {
644	assert(`0`);
645	return;
646	}
647
648	OPENSSL_memmove(dst: ssl->s3->hs_buf ->data,
649	src: ssl->s3->hs_buf ->data + CBS_len(cbs: &msg.raw),
650	n: ssl->s3->hs_buf ->length - CBS_len(cbs: &msg.raw));
651	ssl->s3->hs_buf ->length -= CBS_len(cbs: &msg.raw);
652	ssl->s3->is_v2_hello = false;
653	ssl->s3->has_message = false;
654
655	// Post-handshake messages are rare, so release the buffer after every
656	// message. During the handshake, \|on_handshake_complete\| will release it.
657	if (!SSL_in_init(ssl) && ssl->s3->hs_buf ->length == `0`) {
658	ssl->s3->hs_buf.reset();
659	}
660	}
661
662	// CipherScorer produces a "score" for each possible cipher suite offered by
663	// the client.
664	class CipherScorer {
665	public:
666	CipherScorer() : aes_is_fine_(EVP_has_aes_hardware()) {}
667
668	typedef std::tuple<bool, bool> Score;
669
670	// MinScore returns a \|Score\| that will compare less than the score of all
671	// cipher suites.
672	Score MinScore() const {
673	return Score (false, false);
674	}
675
676	Score Evaluate(const SSL_CIPHER a) const* {
677	return Score (
678	// Something is always preferable to nothing.
679	true,
680	// Either AES is fine, or else ChaCha20 is preferred.
681	aes_is_fine_ \|\| a->algorithm_enc == SSL_CHACHA20POLY1305);
682	}
683
684	private:
685	const bool aes_is_fine_;
686	};
687
688	bool ssl_tls13_cipher_meets_policy(uint16_t cipher_id, bool only_fips) {
689	if (!only_fips) {
690	return true;
691	}
692
693	switch (cipher_id) {
694	case TLS1_3_CK_AES_128_GCM_SHA256 & `0xffff`:
695	case TLS1_3_CK_AES_256_GCM_SHA384 & `0xffff`:
696	return true;
697	case TLS1_3_CK_CHACHA20_POLY1305_SHA256 & `0xffff`:
698	return false;
699	default:
700	assert(false);
701	return false;
702	}
703	}
704
705	const SSL_CIPHER *ssl_choose_tls13_cipher(CBS cipher_suites, uint16_t version,
706	uint16_t group_id, bool only_fips) {
707	if (CBS_len(cbs: &cipher_suites) % `2` != `0`) {
708	return nullptr;
709	}
710
711	const SSL_CIPHER best = nullptr*;
712	CipherScorer scorer;
713	CipherScorer::Score best_score = scorer.MinScore();
714
715	while (CBS_len(cbs: &cipher_suites) > `0`) {
716	uint16_t cipher_suite;
717	if (!CBS_get_u16(cbs: &cipher_suites, out: &cipher_suite)) {
718	return nullptr;
719	}
720
721	// Limit to TLS 1.3 ciphers we know about.
722	const SSL_CIPHER *candidate = SSL_get_cipher_by_value(value: cipher_suite);
723	if (candidate == nullptr \|\|
724	SSL_CIPHER_get_min_version(cipher: candidate) > version \|\|
725	SSL_CIPHER_get_max_version(cipher: candidate) < version) {
726	continue;
727	}
728
729	if (!ssl_tls13_cipher_meets_policy(cipher_id: SSL_CIPHER_get_protocol_id(cipher: candidate),
730	only_fips)) {
731	continue;
732	}
733
734	const CipherScorer::Score candidate_score = scorer.Evaluate(a: candidate);
735	// \|candidate_score\| must be larger to displace the current choice. That way
736	// the client's order controls between ciphers with an equal score.
737	if (candidate_score > best_score) {
738	best = candidate;
739	best_score = candidate_score;
740	}
741	}
742
743	return best;
744	}
745
746	BSSL_NAMESPACE_END
747

source code of flutter_engine/third_party/boringssl/src/ssl/s3_both.cc