awesome-grpc-that-works 0.12.2 → 0.14.0.dev

Files changed (724)
  1. checksums.yaml +4 -4
  2. data/.yardopts +1 -0
  3. data/Makefile +5783 -22121
  4. data/include/grpc/byte_buffer.h +2 -83
  5. data/include/grpc/census.h +173 -121
  6. data/include/grpc/compression.h +14 -38
  7. data/include/grpc/grpc.h +85 -434
  8. data/include/grpc/grpc_security.h +76 -46
  9. data/include/grpc/grpc_zookeeper.h +1 -1
  10. data/include/grpc/impl/codegen/alloc.h +74 -0
  11. data/include/grpc/impl/codegen/atm.h +92 -0
  12. data/include/grpc/impl/codegen/atm_gcc_atomic.h +72 -0
  13. data/include/grpc/impl/codegen/atm_gcc_sync.h +87 -0
  14. data/include/grpc/impl/codegen/atm_win32.h +125 -0
  15. data/include/grpc/impl/codegen/byte_buffer.h +121 -0
  16. data/include/grpc/impl/codegen/compression_types.h +73 -0
  17. data/include/grpc/impl/codegen/connectivity_state.h +59 -0
  18. data/include/grpc/impl/codegen/grpc_types.h +378 -0
  19. data/include/grpc/impl/codegen/log.h +110 -0
  20. data/include/grpc/impl/codegen/port_platform.h +370 -0
  21. data/include/grpc/impl/codegen/propagation_bits.h +67 -0
  22. data/include/grpc/impl/codegen/slice.h +182 -0
  23. data/include/grpc/impl/codegen/slice_buffer.h +105 -0
  24. data/include/grpc/impl/codegen/status.h +163 -0
  25. data/include/grpc/impl/codegen/sync.h +316 -0
  26. data/include/grpc/impl/codegen/sync_generic.h +55 -0
  27. data/{src/core/census/context.h → include/grpc/impl/codegen/sync_posix.h} +11 -11
  28. data/include/grpc/impl/codegen/sync_win32.h +49 -0
  29. data/include/grpc/impl/codegen/time.h +130 -0
  30. data/include/grpc/status.h +2 -126
  31. data/include/grpc/support/alloc.h +2 -35
  32. data/include/grpc/support/atm.h +2 -55
  33. data/include/grpc/support/atm_gcc_atomic.h +5 -38
  34. data/include/grpc/support/atm_gcc_sync.h +2 -50
  35. data/include/grpc/support/atm_win32.h +2 -88
  36. data/include/grpc/support/avl.h +10 -9
  37. data/include/grpc/support/cmdline.h +15 -13
  38. data/include/grpc/support/cpu.h +5 -3
  39. data/include/grpc/support/histogram.h +23 -20
  40. data/include/grpc/support/host_port.h +5 -3
  41. data/include/grpc/support/log.h +2 -71
  42. data/include/grpc/support/log_win32.h +2 -2
  43. data/include/grpc/support/port_platform.h +2 -319
  44. data/include/grpc/support/slice.h +2 -145
  45. data/include/grpc/support/slice_buffer.h +2 -65
  46. data/include/grpc/support/string_util.h +3 -3
  47. data/include/grpc/support/subprocess.h +8 -6
  48. data/include/grpc/support/sync.h +2 -278
  49. data/include/grpc/support/sync_generic.h +2 -18
  50. data/include/grpc/support/sync_posix.h +2 -10
  51. data/include/grpc/support/sync_win32.h +2 -12
  52. data/include/grpc/support/thd.h +11 -11
  53. data/include/grpc/support/time.h +2 -91
  54. data/include/grpc/support/tls.h +1 -1
  55. data/include/grpc/support/tls_gcc.h +1 -1
  56. data/include/grpc/support/tls_msvc.h +1 -1
  57. data/include/grpc/support/tls_pthread.h +2 -2
  58. data/include/grpc/support/useful.h +3 -1
  59. data/src/boringssl/err_data.c +1252 -0
  60. data/src/core/census/context.c +471 -8
  61. data/src/core/census/grpc_filter.c +5 -5
  62. data/src/core/census/initialize.c +4 -7
  63. data/src/core/census/mlog.c +600 -0
  64. data/src/core/census/mlog.h +95 -0
  65. data/src/core/census/operation.c +2 -2
  66. data/src/core/census/placeholders.c +109 -0
  67. data/src/core/census/rpc_metric_id.h +6 -6
  68. data/src/core/census/tracing.c +1 -1
  69. data/src/core/channel/channel_args.c +71 -9
  70. data/src/core/channel/channel_args.h +7 -1
  71. data/src/core/channel/channel_stack.c +1 -1
  72. data/src/core/channel/client_channel.c +33 -30
  73. data/src/core/channel/client_uchannel.c +3 -3
  74. data/src/core/channel/compress_filter.c +8 -8
  75. data/src/core/channel/http_client_filter.c +4 -4
  76. data/src/core/channel/http_server_filter.c +11 -11
  77. data/src/core/channel/subchannel_call_holder.c +11 -11
  78. data/src/core/client_config/connector.c +3 -2
  79. data/src/core/client_config/connector.h +2 -2
  80. data/src/core/client_config/lb_policies/load_balancer_api.c +163 -0
  81. data/src/core/client_config/lb_policies/load_balancer_api.h +85 -0
  82. data/src/core/client_config/lb_policies/pick_first.c +57 -40
  83. data/src/core/client_config/lb_policies/round_robin.c +14 -15
  84. data/src/core/client_config/lb_policy.c +3 -3
  85. data/src/core/client_config/lb_policy.h +3 -2
  86. data/src/core/client_config/resolvers/dns_resolver.c +3 -3
  87. data/src/core/client_config/resolvers/sockaddr_resolver.c +5 -5
  88. data/src/core/client_config/subchannel.c +84 -39
  89. data/src/core/client_config/subchannel.h +15 -6
  90. data/src/core/client_config/subchannel_index.c +261 -0
  91. data/src/core/client_config/subchannel_index.h +77 -0
  92. data/src/core/compression/{algorithm.c → compression_algorithm.c} +3 -3
  93. data/src/core/httpcli/format_request.c +1 -1
  94. data/src/core/httpcli/httpcli.c +18 -16
  95. data/src/core/httpcli/httpcli.h +3 -2
  96. data/src/core/httpcli/httpcli_security_connector.c +9 -10
  97. data/src/core/httpcli/parser.c +7 -7
  98. data/src/core/httpcli/parser.h +1 -1
  99. data/src/core/iomgr/closure.c +7 -7
  100. data/src/core/iomgr/closure.h +6 -5
  101. data/src/core/iomgr/exec_ctx.c +12 -8
  102. data/src/core/iomgr/exec_ctx.h +12 -5
  103. data/src/core/iomgr/executor.c +4 -4
  104. data/src/core/iomgr/executor.h +2 -2
  105. data/src/core/iomgr/fd_posix.c +32 -19
  106. data/src/core/iomgr/fd_posix.h +7 -4
  107. data/src/core/iomgr/iocp_windows.c +7 -9
  108. data/src/core/iomgr/iomgr.c +2 -2
  109. data/src/core/iomgr/pollset.h +9 -10
  110. data/src/core/iomgr/pollset_multipoller_with_epoll.c +71 -5
  111. data/src/core/iomgr/pollset_multipoller_with_poll_posix.c +9 -5
  112. data/src/core/iomgr/pollset_posix.c +44 -49
  113. data/src/core/iomgr/pollset_posix.h +14 -8
  114. data/src/core/iomgr/pollset_set.h +3 -9
  115. data/src/core/iomgr/pollset_set_posix.c +23 -3
  116. data/src/core/iomgr/pollset_set_posix.h +2 -18
  117. data/src/core/iomgr/pollset_set_windows.c +3 -3
  118. data/src/core/iomgr/pollset_set_windows.h +2 -2
  119. data/src/core/iomgr/pollset_windows.c +29 -37
  120. data/src/core/iomgr/pollset_windows.h +1 -5
  121. data/src/core/iomgr/resolve_address_posix.c +2 -2
  122. data/src/core/iomgr/resolve_address_windows.c +2 -2
  123. data/src/core/iomgr/sockaddr_utils.c +6 -6
  124. data/src/core/iomgr/sockaddr_win32.h +1 -6
  125. data/src/core/iomgr/tcp_client_posix.c +14 -12
  126. data/src/core/iomgr/tcp_client_windows.c +4 -4
  127. data/src/core/iomgr/tcp_posix.c +18 -10
  128. data/src/core/iomgr/tcp_posix.h +7 -1
  129. data/src/core/iomgr/tcp_server.h +40 -20
  130. data/src/core/iomgr/tcp_server_posix.c +106 -49
  131. data/src/core/iomgr/tcp_server_windows.c +98 -49
  132. data/src/core/iomgr/tcp_windows.c +11 -15
  133. data/src/core/iomgr/timer.c +10 -11
  134. data/src/core/iomgr/timer.h +22 -2
  135. data/src/core/iomgr/timer_heap.c +10 -10
  136. data/src/core/iomgr/timer_heap.h +2 -2
  137. data/src/core/iomgr/udp_server.c +7 -16
  138. data/src/core/iomgr/udp_server.h +2 -9
  139. data/src/core/iomgr/workqueue.h +2 -4
  140. data/src/core/iomgr/workqueue_posix.c +4 -3
  141. data/src/core/iomgr/workqueue_posix.h +3 -1
  142. data/src/core/json/json_reader.c +11 -12
  143. data/src/core/json/json_reader.h +4 -4
  144. data/src/core/json/json_string.c +19 -19
  145. data/src/core/json/json_writer.c +7 -9
  146. data/src/core/profiling/basic_timers.c +1 -1
  147. data/src/core/proto/grpc/lb/v0/load_balancer.pb.c +119 -0
  148. data/src/core/proto/grpc/lb/v0/load_balancer.pb.h +182 -0
  149. data/src/core/security/{base64.c → b64.c} +10 -10
  150. data/src/core/security/{base64.h → b64.h} +1 -1
  151. data/src/core/security/client_auth_filter.c +4 -5
  152. data/src/core/security/credentials.c +17 -10
  153. data/src/core/security/credentials.h +3 -3
  154. data/src/core/security/google_default_credentials.c +27 -22
  155. data/src/core/security/handshake.c +21 -12
  156. data/src/core/security/handshake.h +2 -1
  157. data/src/core/security/json_token.c +14 -8
  158. data/src/core/security/jwt_verifier.c +4 -3
  159. data/src/core/security/secure_endpoint.c +16 -16
  160. data/src/core/security/security_connector.c +131 -81
  161. data/src/core/security/security_connector.h +47 -27
  162. data/src/core/security/security_context.c +8 -3
  163. data/src/core/security/server_auth_filter.c +5 -5
  164. data/src/core/security/server_secure_chttp2.c +36 -37
  165. data/src/core/statistics/census_interface.h +2 -2
  166. data/src/core/statistics/census_rpc_stats.h +3 -3
  167. data/src/core/support/alloc.c +1 -1
  168. data/src/core/support/avl.c +2 -2
  169. data/src/core/support/cpu_posix.c +2 -2
  170. data/src/core/support/env_linux.c +28 -1
  171. data/src/core/support/env_win32.c +15 -7
  172. data/src/core/support/histogram.c +5 -5
  173. data/src/core/support/{file.c → load_file.c} +2 -2
  174. data/src/core/support/{file.h → load_file.h} +4 -12
  175. data/src/core/support/log_posix.c +1 -1
  176. data/src/core/support/log_win32.c +4 -3
  177. data/src/core/support/murmur_hash.c +11 -11
  178. data/src/core/support/murmur_hash.h +1 -1
  179. data/src/core/support/slice.c +11 -11
  180. data/src/core/support/slice_buffer.c +6 -6
  181. data/src/core/support/stack_lockfree.c +20 -10
  182. data/src/core/support/string.c +15 -15
  183. data/src/core/support/string.h +5 -5
  184. data/src/core/support/string_win32.c +5 -5
  185. data/src/core/support/subprocess_windows.c +141 -0
  186. data/src/core/support/sync.c +4 -4
  187. data/src/core/support/sync_posix.c +2 -2
  188. data/src/core/support/sync_win32.c +10 -5
  189. data/src/core/support/time.c +29 -29
  190. data/src/core/support/time_posix.c +15 -6
  191. data/src/core/support/time_precise.c +2 -2
  192. data/src/core/support/time_win32.c +18 -9
  193. data/src/core/support/tls_pthread.c +1 -1
  194. data/src/core/support/tmpfile.h +55 -0
  195. data/src/core/support/{file_posix.c → tmpfile_posix.c} +2 -2
  196. data/src/core/support/{file_win32.c → tmpfile_win32.c} +2 -2
  197. data/src/core/support/wrap_memcpy.c +53 -0
  198. data/src/core/surface/alarm.c +84 -0
  199. data/src/core/surface/byte_buffer_reader.c +1 -1
  200. data/src/core/surface/call.c +175 -116
  201. data/src/core/surface/call.h +2 -2
  202. data/src/core/surface/call_test_only.h +2 -2
  203. data/src/core/surface/channel.c +9 -9
  204. data/src/core/surface/channel.h +1 -1
  205. data/src/core/surface/channel_connectivity.c +3 -3
  206. data/src/core/surface/channel_create.c +4 -4
  207. data/src/core/surface/channel_ping.c +2 -2
  208. data/src/core/surface/completion_queue.c +84 -53
  209. data/src/core/surface/completion_queue.h +1 -1
  210. data/src/core/surface/init.c +11 -5
  211. data/src/core/surface/lame_client.c +2 -3
  212. data/src/core/surface/secure_channel_create.c +9 -10
  213. data/src/core/surface/server.c +30 -30
  214. data/src/core/surface/server_chttp2.c +8 -8
  215. data/src/core/surface/server_create.c +1 -4
  216. data/src/core/surface/validate_metadata.c +4 -4
  217. data/src/core/surface/version.c +2 -2
  218. data/src/core/transport/byte_stream.c +8 -6
  219. data/src/core/transport/byte_stream.h +6 -5
  220. data/src/core/transport/chttp2/bin_encoder.c +29 -29
  221. data/src/core/transport/chttp2/frame_data.c +29 -26
  222. data/src/core/transport/chttp2/frame_data.h +6 -6
  223. data/src/core/transport/chttp2/frame_goaway.c +30 -30
  224. data/src/core/transport/chttp2/frame_goaway.h +6 -6
  225. data/src/core/transport/chttp2/frame_ping.c +6 -6
  226. data/src/core/transport/chttp2/frame_ping.h +5 -5
  227. data/src/core/transport/chttp2/frame_rst_stream.c +18 -19
  228. data/src/core/transport/chttp2/frame_rst_stream.h +4 -4
  229. data/src/core/transport/chttp2/frame_settings.c +30 -30
  230. data/src/core/transport/chttp2/frame_settings.h +13 -13
  231. data/src/core/transport/chttp2/frame_window_update.c +17 -18
  232. data/src/core/transport/chttp2/frame_window_update.h +5 -7
  233. data/src/core/transport/chttp2/hpack_encoder.c +69 -73
  234. data/src/core/transport/chttp2/hpack_encoder.h +16 -16
  235. data/src/core/transport/chttp2/hpack_parser.c +167 -167
  236. data/src/core/transport/chttp2/hpack_parser.h +16 -16
  237. data/src/core/transport/chttp2/hpack_table.c +13 -13
  238. data/src/core/transport/chttp2/hpack_table.h +11 -11
  239. data/src/core/transport/chttp2/internal.h +103 -87
  240. data/src/core/transport/chttp2/parsing.c +25 -25
  241. data/src/core/transport/chttp2/stream_lists.c +38 -1
  242. data/src/core/transport/chttp2/stream_map.c +13 -14
  243. data/src/core/transport/chttp2/stream_map.h +6 -7
  244. data/src/core/transport/chttp2/timeout_encoding.c +19 -16
  245. data/src/core/transport/chttp2/varint.c +8 -9
  246. data/src/core/transport/chttp2/varint.h +7 -8
  247. data/src/core/transport/chttp2/writing.c +25 -22
  248. data/src/core/transport/chttp2_transport.c +147 -100
  249. data/src/core/transport/connectivity_state.c +6 -6
  250. data/src/core/transport/metadata.c +18 -18
  251. data/src/core/transport/metadata.h +5 -5
  252. data/src/core/transport/static_metadata.c +32 -33
  253. data/src/core/transport/static_metadata.h +8 -8
  254. data/src/core/transport/transport.c +6 -5
  255. data/src/core/transport/transport.h +17 -1
  256. data/src/core/tsi/fake_transport_security.c +7 -7
  257. data/src/core/tsi/ssl_transport_security.c +6 -4
  258. data/src/core/{iomgr/timer_internal.h → tsi/ssl_types.h} +19 -25
  259. data/src/ruby/ext/grpc/extconf.rb +52 -14
  260. data/src/ruby/ext/grpc/rb_byte_buffer.c +3 -1
  261. data/src/ruby/ext/grpc/rb_call.c +7 -3
  262. data/src/ruby/ext/grpc/rb_call_credentials.c +4 -0
  263. data/src/ruby/ext/grpc/rb_channel.c +4 -2
  264. data/src/ruby/ext/grpc/rb_channel_args.c +3 -1
  265. data/src/ruby/ext/grpc/rb_channel_credentials.c +3 -1
  266. data/src/ruby/ext/grpc/rb_completion_queue.c +3 -1
  267. data/src/ruby/ext/grpc/rb_event_thread.c +5 -0
  268. data/src/ruby/ext/grpc/rb_grpc.c +28 -19
  269. data/src/ruby/ext/grpc/rb_grpc_imports.generated.c +562 -0
  270. data/src/ruby/ext/grpc/rb_grpc_imports.generated.h +846 -0
  271. data/src/ruby/ext/grpc/rb_loader.c +72 -0
  272. data/src/ruby/ext/grpc/rb_loader.h +40 -0
  273. data/src/ruby/ext/grpc/rb_server.c +3 -1
  274. data/src/ruby/ext/grpc/rb_server_credentials.c +4 -2
  275. data/src/ruby/lib/grpc/core/time_consts.rb +2 -2
  276. data/src/ruby/lib/grpc/errors.rb +2 -2
  277. data/src/ruby/lib/grpc/generic/bidi_call.rb +1 -1
  278. data/src/ruby/lib/grpc/generic/rpc_desc.rb +1 -1
  279. data/src/ruby/lib/grpc/generic/rpc_server.rb +1 -1
  280. data/src/ruby/lib/grpc/grpc.rb +34 -0
  281. data/src/ruby/lib/grpc/version.rb +1 -1
  282. data/src/ruby/pb/README.md +2 -2
  283. data/src/ruby/pb/generate_proto_ruby.sh +2 -2
  284. data/src/ruby/pb/grpc/health/checker.rb +11 -11
  285. data/src/ruby/pb/grpc/health/v1/health.rb +28 -0
  286. data/src/ruby/pb/grpc/health/{v1alpha → v1}/health_services.rb +4 -4
  287. data/src/ruby/spec/client_server_spec.rb +2 -1
  288. data/src/ruby/spec/pb/health/checker_spec.rb +23 -37
  289. data/third_party/boringssl/crypto/aes/aes.c +1142 -0
  290. data/third_party/boringssl/crypto/aes/internal.h +87 -0
  291. data/third_party/boringssl/crypto/aes/mode_wrappers.c +108 -0
  292. data/third_party/boringssl/crypto/asn1/a_bitstr.c +255 -0
  293. data/third_party/boringssl/crypto/asn1/a_bool.c +112 -0
  294. data/third_party/boringssl/crypto/asn1/a_bytes.c +317 -0
  295. data/third_party/boringssl/crypto/asn1/a_d2i_fp.c +286 -0
  296. data/third_party/boringssl/crypto/asn1/a_dup.c +103 -0
  297. data/third_party/boringssl/crypto/asn1/a_enum.c +183 -0
  298. data/third_party/boringssl/crypto/asn1/a_gentm.c +255 -0
  299. data/third_party/boringssl/crypto/asn1/a_i2d_fp.c +154 -0
  300. data/third_party/boringssl/crypto/asn1/a_int.c +456 -0
  301. data/third_party/boringssl/crypto/asn1/a_mbstr.c +390 -0
  302. data/third_party/boringssl/crypto/asn1/a_object.c +412 -0
  303. data/third_party/boringssl/crypto/asn1/a_octet.c +70 -0
  304. data/third_party/boringssl/crypto/asn1/a_print.c +119 -0
  305. data/third_party/boringssl/crypto/asn1/a_strnid.c +286 -0
  306. data/third_party/boringssl/crypto/asn1/a_time.c +221 -0
  307. data/third_party/boringssl/crypto/asn1/a_type.c +160 -0
  308. data/third_party/boringssl/crypto/asn1/a_utctm.c +342 -0
  309. data/third_party/boringssl/crypto/asn1/a_utf8.c +210 -0
  310. data/third_party/boringssl/crypto/asn1/asn1_lib.c +510 -0
  311. data/third_party/boringssl/crypto/asn1/asn1_locl.h +73 -0
  312. data/third_party/boringssl/crypto/asn1/asn1_par.c +444 -0
  313. data/third_party/boringssl/crypto/asn1/asn_pack.c +104 -0
  314. data/third_party/boringssl/crypto/asn1/bio_asn1.c +496 -0
  315. data/third_party/boringssl/crypto/asn1/bio_ndef.c +254 -0
  316. data/third_party/boringssl/crypto/asn1/f_enum.c +206 -0
  317. data/third_party/boringssl/crypto/asn1/f_int.c +210 -0
  318. data/third_party/boringssl/crypto/asn1/f_string.c +204 -0
  319. data/third_party/boringssl/crypto/asn1/t_bitst.c +102 -0
  320. data/third_party/boringssl/crypto/asn1/t_pkey.c +112 -0
  321. data/third_party/boringssl/crypto/asn1/tasn_dec.c +1342 -0
  322. data/third_party/boringssl/crypto/asn1/tasn_enc.c +695 -0
  323. data/third_party/boringssl/crypto/asn1/tasn_fre.c +264 -0
  324. data/third_party/boringssl/crypto/asn1/tasn_new.c +398 -0
  325. data/third_party/boringssl/crypto/asn1/tasn_prn.c +642 -0
  326. data/third_party/boringssl/crypto/asn1/tasn_typ.c +137 -0
  327. data/third_party/boringssl/crypto/asn1/tasn_utl.c +266 -0
  328. data/third_party/boringssl/crypto/asn1/x_bignum.c +143 -0
  329. data/third_party/boringssl/crypto/asn1/x_long.c +182 -0
  330. data/third_party/boringssl/crypto/base64/base64.c +478 -0
  331. data/third_party/boringssl/crypto/bio/bio.c +608 -0
  332. data/third_party/boringssl/crypto/bio/bio_mem.c +327 -0
  333. data/third_party/boringssl/crypto/bio/buffer.c +496 -0
  334. data/third_party/boringssl/crypto/bio/connect.c +544 -0
  335. data/third_party/boringssl/crypto/bio/fd.c +270 -0
  336. data/third_party/boringssl/crypto/bio/file.c +349 -0
  337. data/third_party/boringssl/crypto/bio/hexdump.c +192 -0
  338. data/third_party/boringssl/crypto/bio/internal.h +108 -0
  339. data/third_party/boringssl/crypto/bio/pair.c +803 -0
  340. data/third_party/boringssl/crypto/bio/printf.c +119 -0
  341. data/third_party/boringssl/crypto/bio/socket.c +195 -0
  342. data/third_party/boringssl/crypto/bio/socket_helper.c +113 -0
  343. data/third_party/boringssl/crypto/bn/add.c +377 -0
  344. data/third_party/boringssl/crypto/bn/asm/x86_64-gcc.c +599 -0
  345. data/third_party/boringssl/crypto/bn/bn.c +341 -0
  346. data/third_party/boringssl/crypto/bn/bn_asn1.c +93 -0
  347. data/third_party/boringssl/crypto/bn/cmp.c +200 -0
  348. data/third_party/boringssl/crypto/bn/convert.c +597 -0
  349. data/third_party/boringssl/crypto/bn/ctx.c +311 -0
  350. data/third_party/boringssl/crypto/bn/div.c +625 -0
  351. data/third_party/boringssl/crypto/bn/exponentiation.c +1544 -0
  352. data/third_party/boringssl/crypto/bn/gcd.c +711 -0
  353. data/third_party/boringssl/crypto/bn/generic.c +1019 -0
  354. data/third_party/boringssl/crypto/bn/internal.h +294 -0
  355. data/third_party/boringssl/crypto/bn/kronecker.c +175 -0
  356. data/third_party/boringssl/crypto/bn/montgomery.c +561 -0
  357. data/third_party/boringssl/crypto/bn/mul.c +888 -0
  358. data/third_party/boringssl/crypto/bn/prime.c +845 -0
  359. data/third_party/boringssl/crypto/bn/random.c +326 -0
  360. data/third_party/boringssl/crypto/bn/rsaz_exp.c +326 -0
  361. data/third_party/boringssl/crypto/bn/rsaz_exp.h +56 -0
  362. data/third_party/boringssl/crypto/bn/shift.c +299 -0
  363. data/third_party/boringssl/crypto/bn/sqrt.c +505 -0
  364. data/third_party/boringssl/crypto/buf/buf.c +235 -0
  365. data/third_party/boringssl/crypto/bytestring/ber.c +221 -0
  366. data/third_party/boringssl/crypto/bytestring/cbb.c +411 -0
  367. data/third_party/boringssl/crypto/bytestring/cbs.c +415 -0
  368. data/third_party/boringssl/crypto/bytestring/internal.h +46 -0
  369. data/third_party/boringssl/crypto/chacha/chacha_generic.c +140 -0
  370. data/third_party/boringssl/crypto/chacha/chacha_vec.c +323 -0
  371. data/third_party/boringssl/crypto/cipher/aead.c +167 -0
  372. data/third_party/boringssl/crypto/cipher/cipher.c +652 -0
  373. data/third_party/boringssl/crypto/cipher/derive_key.c +154 -0
  374. data/third_party/boringssl/crypto/cipher/e_aes.c +1767 -0
  375. data/third_party/boringssl/crypto/cipher/e_chacha20poly1305.c +311 -0
  376. data/third_party/boringssl/crypto/cipher/e_des.c +207 -0
  377. data/third_party/boringssl/crypto/cipher/e_null.c +85 -0
  378. data/third_party/boringssl/crypto/cipher/e_rc2.c +443 -0
  379. data/third_party/boringssl/crypto/cipher/e_rc4.c +87 -0
  380. data/third_party/boringssl/crypto/cipher/e_ssl3.c +463 -0
  381. data/third_party/boringssl/crypto/cipher/e_tls.c +673 -0
  382. data/third_party/boringssl/crypto/cipher/internal.h +164 -0
  383. data/third_party/boringssl/crypto/cipher/tls_cbc.c +495 -0
  384. data/third_party/boringssl/crypto/cmac/cmac.c +239 -0
  385. data/third_party/boringssl/crypto/conf/conf.c +778 -0
  386. data/third_party/boringssl/crypto/conf/conf_def.h +127 -0
  387. data/third_party/boringssl/crypto/conf/internal.h +31 -0
  388. data/third_party/boringssl/crypto/cpu-arm.c +199 -0
  389. data/third_party/boringssl/crypto/cpu-intel.c +261 -0
  390. data/third_party/boringssl/crypto/crypto.c +140 -0
  391. data/third_party/boringssl/crypto/curve25519/curve25519.c +4897 -0
  392. data/third_party/boringssl/crypto/des/des.c +771 -0
  393. data/third_party/boringssl/crypto/des/internal.h +212 -0
  394. data/third_party/boringssl/crypto/dh/check.c +180 -0
  395. data/third_party/boringssl/crypto/dh/dh.c +463 -0
  396. data/third_party/boringssl/crypto/dh/dh_asn1.c +84 -0
  397. data/third_party/boringssl/crypto/dh/internal.h +80 -0
  398. data/third_party/boringssl/crypto/dh/params.c +301 -0
  399. data/third_party/boringssl/crypto/digest/digest.c +248 -0
  400. data/third_party/boringssl/crypto/digest/digests.c +321 -0
  401. data/third_party/boringssl/crypto/digest/internal.h +112 -0
  402. data/third_party/boringssl/crypto/digest/md32_common.h +322 -0
  403. data/third_party/boringssl/crypto/directory.h +66 -0
  404. data/third_party/boringssl/crypto/directory_posix.c +108 -0
  405. data/third_party/boringssl/crypto/directory_win.c +144 -0
  406. data/third_party/boringssl/crypto/dsa/dsa.c +908 -0
  407. data/third_party/boringssl/crypto/dsa/dsa_asn1.c +150 -0
  408. data/third_party/boringssl/crypto/dsa/internal.h +78 -0
  409. data/third_party/boringssl/crypto/ec/ec.c +889 -0
  410. data/third_party/boringssl/crypto/ec/ec_asn1.c +586 -0
  411. data/third_party/boringssl/crypto/ec/ec_key.c +482 -0
  412. data/third_party/boringssl/crypto/ec/ec_montgomery.c +280 -0
  413. data/third_party/boringssl/crypto/ec/internal.h +318 -0
  414. data/third_party/boringssl/crypto/ec/oct.c +416 -0
  415. data/third_party/boringssl/crypto/ec/p224-64.c +1305 -0
  416. data/third_party/boringssl/crypto/ec/p256-64.c +1878 -0
  417. data/third_party/boringssl/crypto/ec/p256-x86_64-table.h +9548 -0
  418. data/third_party/boringssl/crypto/ec/p256-x86_64.c +596 -0
  419. data/third_party/boringssl/crypto/ec/simple.c +1313 -0
  420. data/third_party/boringssl/crypto/ec/util-64.c +183 -0
  421. data/third_party/boringssl/crypto/ec/wnaf.c +449 -0
  422. data/third_party/boringssl/crypto/ecdh/ecdh.c +153 -0
  423. data/third_party/boringssl/crypto/ecdsa/ecdsa.c +496 -0
  424. data/third_party/boringssl/crypto/ecdsa/ecdsa_asn1.c +240 -0
  425. data/third_party/boringssl/crypto/engine/engine.c +96 -0
  426. data/third_party/boringssl/crypto/err/err.c +756 -0
  427. data/third_party/boringssl/crypto/evp/algorithm.c +153 -0
  428. data/third_party/boringssl/crypto/evp/digestsign.c +159 -0
  429. data/third_party/boringssl/crypto/evp/evp.c +411 -0
  430. data/third_party/boringssl/crypto/evp/evp_asn1.c +179 -0
  431. data/third_party/boringssl/crypto/evp/evp_ctx.c +477 -0
  432. data/third_party/boringssl/crypto/evp/internal.h +278 -0
  433. data/third_party/boringssl/crypto/evp/p_dsa_asn1.c +588 -0
  434. data/third_party/boringssl/crypto/evp/p_ec.c +283 -0
  435. data/third_party/boringssl/crypto/evp/p_ec_asn1.c +562 -0
  436. data/third_party/boringssl/crypto/evp/p_rsa.c +596 -0
  437. data/third_party/boringssl/crypto/evp/p_rsa_asn1.c +737 -0
  438. data/third_party/boringssl/crypto/evp/pbkdf.c +151 -0
  439. data/third_party/boringssl/crypto/evp/sign.c +151 -0
  440. data/third_party/boringssl/crypto/ex_data.c +294 -0
  441. data/third_party/boringssl/crypto/hkdf/hkdf.c +89 -0
  442. data/third_party/boringssl/crypto/hmac/hmac.c +213 -0
  443. data/third_party/boringssl/crypto/internal.h +532 -0
  444. data/third_party/boringssl/crypto/lhash/lhash.c +346 -0
  445. data/third_party/boringssl/crypto/md4/md4.c +225 -0
  446. data/third_party/boringssl/crypto/md5/md5.c +275 -0
  447. data/third_party/boringssl/crypto/mem.c +200 -0
  448. data/third_party/boringssl/crypto/modes/cbc.c +216 -0
  449. data/third_party/boringssl/crypto/modes/cfb.c +231 -0
  450. data/third_party/boringssl/crypto/modes/ctr.c +226 -0
  451. data/third_party/boringssl/crypto/modes/gcm.c +1252 -0
  452. data/third_party/boringssl/crypto/modes/internal.h +370 -0
  453. data/third_party/boringssl/crypto/modes/ofb.c +108 -0
  454. data/third_party/boringssl/crypto/obj/obj.c +664 -0
  455. data/third_party/boringssl/crypto/obj/obj_dat.h +5257 -0
  456. data/third_party/boringssl/crypto/obj/obj_xref.c +124 -0
  457. data/third_party/boringssl/crypto/obj/obj_xref.h +96 -0
  458. data/third_party/boringssl/crypto/pem/pem_all.c +281 -0
  459. data/third_party/boringssl/crypto/pem/pem_info.c +404 -0
  460. data/third_party/boringssl/crypto/pem/pem_lib.c +835 -0
  461. data/third_party/boringssl/crypto/pem/pem_oth.c +89 -0
  462. data/third_party/boringssl/crypto/pem/pem_pk8.c +244 -0
  463. data/third_party/boringssl/crypto/pem/pem_pkey.c +312 -0
  464. data/third_party/boringssl/crypto/pem/pem_x509.c +65 -0
  465. data/third_party/boringssl/crypto/pem/pem_xaux.c +66 -0
  466. data/third_party/boringssl/crypto/pkcs8/internal.h +83 -0
  467. data/third_party/boringssl/crypto/pkcs8/p5_pbe.c +150 -0
  468. data/third_party/boringssl/crypto/pkcs8/p5_pbev2.c +440 -0
  469. data/third_party/boringssl/crypto/pkcs8/p8_pkey.c +85 -0
  470. data/third_party/boringssl/crypto/pkcs8/pkcs8.c +1217 -0
  471. data/third_party/boringssl/crypto/poly1305/poly1305.c +331 -0
  472. data/third_party/boringssl/crypto/poly1305/poly1305_arm.c +301 -0
  473. data/third_party/boringssl/crypto/poly1305/poly1305_vec.c +892 -0
  474. data/third_party/boringssl/crypto/rand/internal.h +32 -0
  475. data/third_party/boringssl/crypto/rand/rand.c +239 -0
  476. data/third_party/boringssl/crypto/rand/urandom.c +223 -0
  477. data/third_party/boringssl/crypto/rand/windows.c +56 -0
  478. data/third_party/boringssl/crypto/rc4/rc4.c +283 -0
  479. data/third_party/boringssl/crypto/refcount_c11.c +67 -0
  480. data/third_party/boringssl/crypto/refcount_lock.c +53 -0
  481. data/third_party/boringssl/crypto/rsa/blinding.c +462 -0
  482. data/third_party/boringssl/crypto/rsa/internal.h +164 -0
  483. data/third_party/boringssl/crypto/rsa/padding.c +711 -0
  484. data/third_party/boringssl/crypto/rsa/rsa.c +808 -0
  485. data/third_party/boringssl/crypto/rsa/rsa_asn1.c +473 -0
  486. data/third_party/boringssl/crypto/rsa/rsa_impl.c +1138 -0
  487. data/third_party/boringssl/crypto/sha/sha1.c +337 -0
  488. data/third_party/boringssl/crypto/sha/sha256.c +327 -0
  489. data/third_party/boringssl/crypto/sha/sha512.c +607 -0
  490. data/third_party/boringssl/crypto/stack/stack.c +386 -0
  491. data/third_party/boringssl/crypto/test/scoped_types.h +137 -0
  492. data/third_party/boringssl/crypto/test/test_util.h +35 -0
  493. data/third_party/boringssl/crypto/thread.c +101 -0
  494. data/third_party/boringssl/crypto/thread_none.c +55 -0
  495. data/third_party/boringssl/crypto/thread_pthread.c +167 -0
  496. data/third_party/boringssl/crypto/thread_win.c +282 -0
  497. data/third_party/boringssl/crypto/time_support.c +212 -0
  498. data/third_party/boringssl/crypto/x509/a_digest.c +97 -0
  499. data/third_party/boringssl/crypto/x509/a_sign.c +136 -0
  500. data/third_party/boringssl/crypto/x509/a_strex.c +564 -0
  501. data/third_party/boringssl/crypto/x509/a_verify.c +133 -0
  502. data/third_party/boringssl/crypto/x509/asn1_gen.c +873 -0
  503. data/third_party/boringssl/crypto/x509/by_dir.c +491 -0
  504. data/third_party/boringssl/crypto/x509/by_file.c +295 -0
  505. data/third_party/boringssl/crypto/x509/charmap.h +15 -0
  506. data/third_party/boringssl/crypto/x509/i2d_pr.c +84 -0
  507. data/third_party/boringssl/crypto/x509/pkcs7.c +353 -0
  508. data/third_party/boringssl/crypto/x509/t_crl.c +129 -0
  509. data/third_party/boringssl/crypto/x509/t_req.c +246 -0
  510. data/third_party/boringssl/crypto/x509/t_x509.c +500 -0
  511. data/third_party/boringssl/crypto/x509/t_x509a.c +109 -0
  512. data/third_party/boringssl/crypto/x509/vpm_int.h +70 -0
  513. data/third_party/boringssl/crypto/x509/x509.c +152 -0
  514. data/third_party/boringssl/crypto/x509/x509_att.c +353 -0
  515. data/third_party/boringssl/crypto/x509/x509_cmp.c +490 -0
  516. data/third_party/boringssl/crypto/x509/x509_d2.c +105 -0
  517. data/third_party/boringssl/crypto/x509/x509_def.c +88 -0
  518. data/third_party/boringssl/crypto/x509/x509_ext.c +206 -0
  519. data/third_party/boringssl/crypto/x509/x509_lu.c +738 -0
  520. data/third_party/boringssl/crypto/x509/x509_obj.c +191 -0
  521. data/third_party/boringssl/crypto/x509/x509_r2x.c +113 -0
  522. data/third_party/boringssl/crypto/x509/x509_req.c +315 -0
  523. data/third_party/boringssl/crypto/x509/x509_set.c +154 -0
  524. data/third_party/boringssl/crypto/x509/x509_trs.c +304 -0
  525. data/third_party/boringssl/crypto/x509/x509_txt.c +209 -0
  526. data/third_party/boringssl/crypto/x509/x509_v3.c +271 -0
  527. data/third_party/boringssl/crypto/x509/x509_vfy.c +2456 -0
  528. data/third_party/boringssl/crypto/x509/x509_vpm.c +672 -0
  529. data/third_party/boringssl/crypto/x509/x509cset.c +172 -0
  530. data/third_party/boringssl/crypto/x509/x509name.c +381 -0
  531. data/third_party/boringssl/crypto/x509/x509rset.c +80 -0
  532. data/third_party/boringssl/crypto/x509/x509spki.c +135 -0
  533. data/third_party/boringssl/crypto/x509/x509type.c +128 -0
  534. data/third_party/boringssl/crypto/x509/x_algor.c +154 -0
  535. data/third_party/boringssl/crypto/x509/x_all.c +547 -0
  536. data/third_party/boringssl/crypto/x509/x_attrib.c +117 -0
  537. data/third_party/boringssl/crypto/x509/x_crl.c +560 -0
  538. data/third_party/boringssl/crypto/x509/x_exten.c +75 -0
  539. data/third_party/boringssl/crypto/x509/x_info.c +95 -0
  540. data/third_party/boringssl/crypto/x509/x_name.c +538 -0
  541. data/third_party/boringssl/crypto/x509/x_pkey.c +100 -0
  542. data/third_party/boringssl/crypto/x509/x_pubkey.c +384 -0
  543. data/third_party/boringssl/crypto/x509/x_req.c +112 -0
  544. data/third_party/boringssl/crypto/x509/x_sig.c +69 -0
  545. data/third_party/boringssl/crypto/x509/x_spki.c +78 -0
  546. data/third_party/boringssl/crypto/x509/x_val.c +69 -0
  547. data/third_party/boringssl/crypto/x509/x_x509.c +227 -0
  548. data/third_party/boringssl/crypto/x509/x_x509a.c +197 -0
  549. data/third_party/boringssl/crypto/x509v3/ext_dat.h +129 -0
  550. data/third_party/boringssl/crypto/x509v3/pcy_cache.c +299 -0
  551. data/third_party/boringssl/crypto/x509v3/pcy_data.c +137 -0
  552. data/third_party/boringssl/crypto/x509v3/pcy_int.h +212 -0
  553. data/third_party/boringssl/crypto/x509v3/pcy_lib.c +165 -0
  554. data/third_party/boringssl/crypto/x509v3/pcy_map.c +133 -0
  555. data/third_party/boringssl/crypto/x509v3/pcy_node.c +197 -0
  556. data/third_party/boringssl/crypto/x509v3/pcy_tree.c +876 -0
  557. data/third_party/boringssl/crypto/x509v3/v3_akey.c +212 -0
  558. data/third_party/boringssl/crypto/x509v3/v3_akeya.c +71 -0
  559. data/third_party/boringssl/crypto/x509v3/v3_alt.c +622 -0
  560. data/third_party/boringssl/crypto/x509v3/v3_bcons.c +126 -0
  561. data/third_party/boringssl/crypto/x509v3/v3_bitst.c +141 -0
  562. data/third_party/boringssl/crypto/x509v3/v3_conf.c +459 -0
  563. data/third_party/boringssl/crypto/x509v3/v3_cpols.c +475 -0
  564. data/third_party/boringssl/crypto/x509v3/v3_crld.c +616 -0
  565. data/third_party/boringssl/crypto/x509v3/v3_enum.c +98 -0
  566. data/third_party/boringssl/crypto/x509v3/v3_extku.c +145 -0
  567. data/third_party/boringssl/crypto/x509v3/v3_genn.c +252 -0
  568. data/third_party/boringssl/crypto/x509v3/v3_ia5.c +117 -0
  569. data/third_party/boringssl/crypto/x509v3/v3_info.c +200 -0
  570. data/third_party/boringssl/crypto/x509v3/v3_int.c +87 -0
  571. data/third_party/boringssl/crypto/x509v3/v3_lib.c +335 -0
  572. data/third_party/boringssl/crypto/x509v3/v3_ncons.c +510 -0
  573. data/third_party/boringssl/crypto/x509v3/v3_pci.c +335 -0
  574. data/third_party/boringssl/crypto/x509v3/v3_pcia.c +56 -0
  575. data/third_party/boringssl/crypto/x509v3/v3_pcons.c +142 -0
  576. data/third_party/boringssl/crypto/x509v3/v3_pku.c +109 -0
  577. data/third_party/boringssl/crypto/x509v3/v3_pmaps.c +156 -0
  578. data/third_party/boringssl/crypto/x509v3/v3_prn.c +207 -0
  579. data/third_party/boringssl/crypto/x509v3/v3_purp.c +805 -0
  580. data/third_party/boringssl/crypto/x509v3/v3_skey.c +148 -0
  581. data/third_party/boringssl/crypto/x509v3/v3_sxnet.c +266 -0
  582. data/third_party/boringssl/crypto/x509v3/v3_utl.c +1322 -0
  583. data/third_party/boringssl/include/openssl/aead.h +346 -0
  584. data/third_party/boringssl/include/openssl/aes.h +158 -0
  585. data/third_party/boringssl/include/openssl/arm_arch.h +127 -0
  586. data/third_party/boringssl/include/openssl/asn1.h +1168 -0
  587. data/third_party/boringssl/include/openssl/asn1_mac.h +75 -0
  588. data/third_party/boringssl/include/openssl/asn1t.h +906 -0
  589. data/third_party/boringssl/include/openssl/base.h +261 -0
  590. data/third_party/boringssl/include/openssl/base64.h +184 -0
  591. data/third_party/boringssl/include/openssl/bio.h +902 -0
  592. data/third_party/boringssl/include/openssl/blowfish.h +93 -0
  593. data/third_party/boringssl/include/openssl/bn.h +885 -0
  594. data/third_party/boringssl/include/openssl/buf.h +118 -0
  595. data/third_party/boringssl/include/openssl/buffer.h +18 -0
  596. data/third_party/boringssl/include/openssl/bytestring.h +360 -0
  597. data/third_party/boringssl/include/openssl/cast.h +96 -0
  598. data/third_party/boringssl/include/openssl/chacha.h +37 -0
  599. data/third_party/boringssl/include/openssl/cipher.h +571 -0
  600. data/third_party/boringssl/include/openssl/cmac.h +76 -0
  601. data/third_party/boringssl/include/openssl/conf.h +145 -0
  602. data/third_party/boringssl/include/openssl/cpu.h +184 -0
  603. data/third_party/boringssl/include/openssl/crypto.h +68 -0
  604. data/third_party/boringssl/include/openssl/curve25519.h +88 -0
  605. data/third_party/boringssl/include/openssl/des.h +177 -0
  606. data/third_party/boringssl/include/openssl/dh.h +238 -0
  607. data/third_party/boringssl/include/openssl/digest.h +258 -0
  608. data/third_party/boringssl/include/openssl/dsa.h +343 -0
  609. data/third_party/boringssl/include/openssl/dtls1.h +16 -0
  610. data/third_party/boringssl/include/openssl/ec.h +355 -0
  611. data/third_party/boringssl/include/openssl/ec_key.h +280 -0
  612. data/third_party/boringssl/include/openssl/ecdh.h +102 -0
  613. data/third_party/boringssl/include/openssl/ecdsa.h +206 -0
  614. data/third_party/boringssl/include/openssl/engine.h +98 -0
  615. data/third_party/boringssl/include/openssl/err.h +487 -0
  616. data/third_party/boringssl/include/openssl/evp.h +750 -0
  617. data/third_party/boringssl/include/openssl/ex_data.h +213 -0
  618. data/third_party/boringssl/include/openssl/hkdf.h +44 -0
  619. data/third_party/boringssl/include/openssl/hmac.h +160 -0
  620. data/third_party/boringssl/include/openssl/lhash.h +192 -0
  621. data/third_party/boringssl/include/openssl/lhash_macros.h +132 -0
  622. data/third_party/boringssl/include/openssl/md4.h +102 -0
  623. data/third_party/boringssl/include/openssl/md5.h +107 -0
  624. data/third_party/boringssl/include/openssl/mem.h +140 -0
  625. data/third_party/boringssl/include/openssl/obj.h +198 -0
  626. data/third_party/boringssl/include/openssl/obj_mac.h +4140 -0
  627. data/third_party/boringssl/include/openssl/objects.h +18 -0
  628. data/third_party/boringssl/include/openssl/opensslfeatures.h +60 -0
  629. data/third_party/boringssl/include/openssl/opensslv.h +18 -0
  630. data/third_party/boringssl/include/openssl/ossl_typ.h +18 -0
  631. data/third_party/boringssl/include/openssl/pem.h +521 -0
  632. data/third_party/boringssl/include/openssl/pkcs12.h +18 -0
  633. data/third_party/boringssl/include/openssl/pkcs7.h +16 -0
  634. data/third_party/boringssl/include/openssl/pkcs8.h +220 -0
  635. data/third_party/boringssl/include/openssl/poly1305.h +51 -0
  636. data/third_party/boringssl/include/openssl/pqueue.h +146 -0
  637. data/third_party/boringssl/include/openssl/rand.h +113 -0
  638. data/third_party/boringssl/include/openssl/rc4.h +90 -0
  639. data/third_party/boringssl/include/openssl/rsa.h +637 -0
  640. data/third_party/boringssl/include/openssl/safestack.h +16 -0
  641. data/third_party/boringssl/include/openssl/sha.h +256 -0
  642. data/third_party/boringssl/include/openssl/srtp.h +18 -0
  643. data/third_party/boringssl/include/openssl/ssl.h +4466 -0
  644. data/third_party/boringssl/include/openssl/ssl3.h +441 -0
  645. data/third_party/boringssl/include/openssl/stack.h +298 -0
  646. data/third_party/boringssl/include/openssl/stack_macros.h +4190 -0
  647. data/third_party/boringssl/include/openssl/thread.h +173 -0
  648. data/third_party/boringssl/include/openssl/time_support.h +90 -0
  649. data/third_party/boringssl/include/openssl/tls1.h +653 -0
  650. data/third_party/boringssl/include/openssl/type_check.h +91 -0
  651. data/third_party/boringssl/include/openssl/x509.h +1258 -0
  652. data/third_party/boringssl/include/openssl/x509_vfy.h +611 -0
  653. data/third_party/boringssl/include/openssl/x509v3.h +798 -0
  654. data/third_party/boringssl/ssl/custom_extensions.c +257 -0
  655. data/third_party/boringssl/ssl/d1_both.c +880 -0
  656. data/third_party/boringssl/ssl/d1_clnt.c +566 -0
  657. data/third_party/boringssl/ssl/d1_lib.c +340 -0
  658. data/third_party/boringssl/ssl/d1_meth.c +130 -0
  659. data/third_party/boringssl/ssl/d1_pkt.c +578 -0
  660. data/third_party/boringssl/ssl/d1_srtp.c +234 -0
  661. data/third_party/boringssl/ssl/d1_srvr.c +485 -0
  662. data/third_party/boringssl/ssl/dtls_record.c +308 -0
  663. data/third_party/boringssl/ssl/internal.h +1276 -0
  664. data/third_party/boringssl/ssl/pqueue/pqueue.c +197 -0
  665. data/third_party/boringssl/ssl/s3_both.c +571 -0
  666. data/third_party/boringssl/ssl/s3_clnt.c +2241 -0
  667. data/third_party/boringssl/ssl/s3_enc.c +494 -0
  668. data/third_party/boringssl/ssl/s3_lib.c +587 -0
  669. data/third_party/boringssl/ssl/s3_meth.c +166 -0
  670. data/third_party/boringssl/ssl/s3_pkt.c +732 -0
  671. data/third_party/boringssl/ssl/s3_srvr.c +2536 -0
  672. data/third_party/boringssl/ssl/ssl_aead_ctx.c +300 -0
  673. data/third_party/boringssl/ssl/ssl_asn1.c +718 -0
  674. data/third_party/boringssl/ssl/ssl_buffer.c +319 -0
  675. data/third_party/boringssl/ssl/ssl_cert.c +539 -0
  676. data/third_party/boringssl/ssl/ssl_cipher.c +2003 -0
  677. data/third_party/boringssl/ssl/ssl_file.c +633 -0
  678. data/third_party/boringssl/ssl/ssl_lib.c +2653 -0
  679. data/third_party/boringssl/ssl/ssl_rsa.c +423 -0
  680. data/third_party/boringssl/ssl/ssl_session.c +764 -0
  681. data/third_party/boringssl/ssl/ssl_stat.c +591 -0
  682. data/third_party/boringssl/ssl/t1_enc.c +708 -0
  683. data/third_party/boringssl/ssl/t1_lib.c +2905 -0
  684. data/third_party/boringssl/ssl/test/async_bio.h +45 -0
  685. data/third_party/boringssl/ssl/test/packeted_bio.h +44 -0
  686. data/third_party/boringssl/ssl/test/scoped_types.h +28 -0
  687. data/third_party/boringssl/ssl/test/test_config.h +108 -0
  688. data/third_party/boringssl/ssl/tls_record.c +342 -0
  689. data/third_party/nanopb/pb.h +547 -0
  690. data/third_party/nanopb/pb_common.c +97 -0
  691. data/third_party/nanopb/pb_common.h +42 -0
  692. data/third_party/nanopb/pb_decode.c +1319 -0
  693. data/third_party/nanopb/pb_decode.h +149 -0
  694. data/third_party/nanopb/pb_encode.c +690 -0
  695. data/third_party/nanopb/pb_encode.h +154 -0
  696. data/third_party/zlib/adler32.c +179 -0
  697. data/third_party/zlib/compress.c +80 -0
  698. data/third_party/zlib/crc32.c +425 -0
  699. data/third_party/zlib/crc32.h +441 -0
  700. data/third_party/zlib/deflate.c +1967 -0
  701. data/third_party/zlib/deflate.h +346 -0
  702. data/third_party/zlib/gzclose.c +25 -0
  703. data/third_party/zlib/gzguts.h +209 -0
  704. data/third_party/zlib/gzlib.c +634 -0
  705. data/third_party/zlib/gzread.c +594 -0
  706. data/third_party/zlib/gzwrite.c +577 -0
  707. data/third_party/zlib/infback.c +640 -0
  708. data/third_party/zlib/inffast.c +340 -0
  709. data/third_party/zlib/inffast.h +11 -0
  710. data/third_party/zlib/inffixed.h +94 -0
  711. data/third_party/zlib/inflate.c +1512 -0
  712. data/third_party/zlib/inflate.h +122 -0
  713. data/third_party/zlib/inftrees.c +306 -0
  714. data/third_party/zlib/inftrees.h +62 -0
  715. data/third_party/zlib/trees.c +1226 -0
  716. data/third_party/zlib/trees.h +128 -0
  717. data/third_party/zlib/uncompr.c +59 -0
  718. data/third_party/zlib/zconf.h +511 -0
  719. data/third_party/zlib/zlib.h +1768 -0
  720. data/third_party/zlib/zutil.c +324 -0
  721. data/third_party/zlib/zutil.h +253 -0
  722. metadata +504 -20
  723. data/Rakefile +0 -63
  724. data/src/ruby/pb/grpc/health/v1alpha/health.rb +0 -29
@@ -0,0 +1,2536 @@
1
+ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
2
+ * All rights reserved.
3
+ *
4
+ * This package is an SSL implementation written
5
+ * by Eric Young (eay@cryptsoft.com).
6
+ * The implementation was written so as to conform with Netscapes SSL.
7
+ *
8
+ * This library is free for commercial and non-commercial use as long as
9
+ * the following conditions are aheared to. The following conditions
10
+ * apply to all code found in this distribution, be it the RC4, RSA,
11
+ * lhash, DES, etc., code; not just the SSL code. The SSL documentation
12
+ * included with this distribution is covered by the same copyright terms
13
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
14
+ *
15
+ * Copyright remains Eric Young's, and as such any Copyright notices in
16
+ * the code are not to be removed.
17
+ * If this package is used in a product, Eric Young should be given attribution
18
+ * as the author of the parts of the library used.
19
+ * This can be in the form of a textual message at program startup or
20
+ * in documentation (online or textual) provided with the package.
21
+ *
22
+ * Redistribution and use in source and binary forms, with or without
23
+ * modification, are permitted provided that the following conditions
24
+ * are met:
25
+ * 1. Redistributions of source code must retain the copyright
26
+ * notice, this list of conditions and the following disclaimer.
27
+ * 2. Redistributions in binary form must reproduce the above copyright
28
+ * notice, this list of conditions and the following disclaimer in the
29
+ * documentation and/or other materials provided with the distribution.
30
+ * 3. All advertising materials mentioning features or use of this software
31
+ * must display the following acknowledgement:
32
+ * "This product includes cryptographic software written by
33
+ * Eric Young (eay@cryptsoft.com)"
34
+ * The word 'cryptographic' can be left out if the rouines from the library
35
+ * being used are not cryptographic related :-).
36
+ * 4. If you include any Windows specific code (or a derivative thereof) from
37
+ * the apps directory (application code) you must include an acknowledgement:
38
+ * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
39
+ *
40
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
41
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
43
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
44
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
45
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
46
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
48
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
49
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
50
+ * SUCH DAMAGE.
51
+ *
52
+ * The licence and distribution terms for any publically available version or
53
+ * derivative of this code cannot be changed. i.e. this code cannot simply be
54
+ * copied and put under another distribution licence
55
+ * [including the GNU Public Licence.]
56
+ */
57
+ /* ====================================================================
58
+ * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
59
+ *
60
+ * Redistribution and use in source and binary forms, with or without
61
+ * modification, are permitted provided that the following conditions
62
+ * are met:
63
+ *
64
+ * 1. Redistributions of source code must retain the above copyright
65
+ * notice, this list of conditions and the following disclaimer.
66
+ *
67
+ * 2. Redistributions in binary form must reproduce the above copyright
68
+ * notice, this list of conditions and the following disclaimer in
69
+ * the documentation and/or other materials provided with the
70
+ * distribution.
71
+ *
72
+ * 3. All advertising materials mentioning features or use of this
73
+ * software must display the following acknowledgment:
74
+ * "This product includes software developed by the OpenSSL Project
75
+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
76
+ *
77
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
78
+ * endorse or promote products derived from this software without
79
+ * prior written permission. For written permission, please contact
80
+ * openssl-core@openssl.org.
81
+ *
82
+ * 5. Products derived from this software may not be called "OpenSSL"
83
+ * nor may "OpenSSL" appear in their names without prior written
84
+ * permission of the OpenSSL Project.
85
+ *
86
+ * 6. Redistributions of any form whatsoever must retain the following
87
+ * acknowledgment:
88
+ * "This product includes software developed by the OpenSSL Project
89
+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
90
+ *
91
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
92
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
93
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
94
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
95
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
96
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
97
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
98
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
99
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
100
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
101
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
102
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
103
+ * ====================================================================
104
+ *
105
+ * This product includes cryptographic software written by Eric Young
106
+ * (eay@cryptsoft.com). This product includes software written by Tim
107
+ * Hudson (tjh@cryptsoft.com).
108
+ *
109
+ */
110
+ /* ====================================================================
111
+ * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
112
+ *
113
+ * Portions of the attached software ("Contribution") are developed by
114
+ * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project.
115
+ *
116
+ * The Contribution is licensed pursuant to the OpenSSL open source
117
+ * license provided above.
118
+ *
119
+ * ECC cipher suite support in OpenSSL originally written by
120
+ * Vipul Gupta and Sumit Gupta of Sun Microsystems Laboratories.
121
+ *
122
+ */
123
+ /* ====================================================================
124
+ * Copyright 2005 Nokia. All rights reserved.
125
+ *
126
+ * The portions of the attached software ("Contribution") is developed by
127
+ * Nokia Corporation and is licensed pursuant to the OpenSSL open source
128
+ * license.
129
+ *
130
+ * The Contribution, originally written by Mika Kousa and Pasi Eronen of
131
+ * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
132
+ * support (see RFC 4279) to OpenSSL.
133
+ *
134
+ * No patent licenses or other rights except those expressly stated in
135
+ * the OpenSSL open source license shall be deemed granted or received
136
+ * expressly, by implication, estoppel, or otherwise.
137
+ *
138
+ * No assurances are provided by Nokia that the Contribution does not
139
+ * infringe the patent or other intellectual property rights of any third
140
+ * party or that the license provides you with all the necessary rights
141
+ * to make use of the Contribution.
142
+ *
143
+ * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
144
+ * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
145
+ * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
146
+ * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
147
+ * OTHERWISE. */
148
+
149
+ #include <openssl/ssl.h>
150
+
151
+ #include <assert.h>
152
+ #include <stdio.h>
153
+ #include <string.h>
154
+
155
+ #include <openssl/bn.h>
156
+ #include <openssl/buf.h>
157
+ #include <openssl/bytestring.h>
158
+ #include <openssl/cipher.h>
159
+ #include <openssl/dh.h>
160
+ #include <openssl/ec.h>
161
+ #include <openssl/ecdsa.h>
162
+ #include <openssl/err.h>
163
+ #include <openssl/evp.h>
164
+ #include <openssl/hmac.h>
165
+ #include <openssl/md5.h>
166
+ #include <openssl/mem.h>
167
+ #include <openssl/obj.h>
168
+ #include <openssl/rand.h>
169
+ #include <openssl/sha.h>
170
+ #include <openssl/x509.h>
171
+
172
+ #include "internal.h"
173
+ #include "../crypto/internal.h"
174
+ #include "../crypto/dh/internal.h"
175
+
176
+
177
+ int ssl3_accept(SSL *s) {
178
+ BUF_MEM *buf = NULL;
179
+ uint32_t alg_a;
180
+ void (*cb)(const SSL *ssl, int type, int value) = NULL;
181
+ int ret = -1;
182
+ int new_state, state, skip = 0;
183
+
184
+ assert(s->handshake_func == ssl3_accept);
185
+ assert(s->server);
186
+ assert(!SSL_IS_DTLS(s));
187
+
188
+ ERR_clear_error();
189
+ ERR_clear_system_error();
190
+
191
+ if (s->info_callback != NULL) {
192
+ cb = s->info_callback;
193
+ } else if (s->ctx->info_callback != NULL) {
194
+ cb = s->ctx->info_callback;
195
+ }
196
+
197
+ s->in_handshake++;
198
+
199
+ if (s->cert == NULL) {
200
+ OPENSSL_PUT_ERROR(SSL, SSL_R_NO_CERTIFICATE_SET);
201
+ return -1;
202
+ }
203
+
204
+ for (;;) {
205
+ state = s->state;
206
+
207
+ switch (s->state) {
208
+ case SSL_ST_ACCEPT:
209
+ if (cb != NULL) {
210
+ cb(s, SSL_CB_HANDSHAKE_START, 1);
211
+ }
212
+
213
+ if (s->init_buf == NULL) {
214
+ buf = BUF_MEM_new();
215
+ if (!buf || !BUF_MEM_grow(buf, SSL3_RT_MAX_PLAIN_LENGTH)) {
216
+ ret = -1;
217
+ goto end;
218
+ }
219
+ s->init_buf = buf;
220
+ buf = NULL;
221
+ }
222
+ s->init_num = 0;
223
+
224
+ /* Enable a write buffer. This groups handshake messages within a flight
225
+ * into a single write. */
226
+ if (!ssl_init_wbio_buffer(s, 1)) {
227
+ ret = -1;
228
+ goto end;
229
+ }
230
+
231
+ if (!ssl3_init_handshake_buffer(s)) {
232
+ OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
233
+ ret = -1;
234
+ goto end;
235
+ }
236
+
237
+ if (!s->s3->have_version) {
238
+ s->state = SSL3_ST_SR_INITIAL_BYTES;
239
+ } else {
240
+ s->state = SSL3_ST_SR_CLNT_HELLO_A;
241
+ }
242
+ break;
243
+
244
+ case SSL3_ST_SR_INITIAL_BYTES:
245
+ ret = ssl3_get_initial_bytes(s);
246
+ if (ret <= 0) {
247
+ goto end;
248
+ }
249
+ /* ssl3_get_initial_bytes sets s->state to one of
250
+ * SSL3_ST_SR_V2_CLIENT_HELLO or SSL3_ST_SR_CLNT_HELLO_A on success. */
251
+ break;
252
+
253
+ case SSL3_ST_SR_V2_CLIENT_HELLO:
254
+ ret = ssl3_get_v2_client_hello(s);
255
+ if (ret <= 0) {
256
+ goto end;
257
+ }
258
+ s->state = SSL3_ST_SR_CLNT_HELLO_A;
259
+ break;
260
+
261
+ case SSL3_ST_SR_CLNT_HELLO_A:
262
+ case SSL3_ST_SR_CLNT_HELLO_B:
263
+ case SSL3_ST_SR_CLNT_HELLO_C:
264
+ case SSL3_ST_SR_CLNT_HELLO_D:
265
+ s->shutdown = 0;
266
+ ret = ssl3_get_client_hello(s);
267
+ if (ret <= 0) {
268
+ goto end;
269
+ }
270
+ s->state = SSL3_ST_SW_SRVR_HELLO_A;
271
+ s->init_num = 0;
272
+ break;
273
+
274
+ case SSL3_ST_SW_SRVR_HELLO_A:
275
+ case SSL3_ST_SW_SRVR_HELLO_B:
276
+ ret = ssl3_send_server_hello(s);
277
+ if (ret <= 0) {
278
+ goto end;
279
+ }
280
+ if (s->hit) {
281
+ if (s->tlsext_ticket_expected) {
282
+ s->state = SSL3_ST_SW_SESSION_TICKET_A;
283
+ } else {
284
+ s->state = SSL3_ST_SW_CHANGE_A;
285
+ }
286
+ } else {
287
+ s->state = SSL3_ST_SW_CERT_A;
288
+ }
289
+ s->init_num = 0;
290
+ break;
291
+
292
+ case SSL3_ST_SW_CERT_A:
293
+ case SSL3_ST_SW_CERT_B:
294
+ if (ssl_cipher_has_server_public_key(s->s3->tmp.new_cipher)) {
295
+ ret = ssl3_send_server_certificate(s);
296
+ if (ret <= 0) {
297
+ goto end;
298
+ }
299
+ if (s->s3->tmp.certificate_status_expected) {
300
+ s->state = SSL3_ST_SW_CERT_STATUS_A;
301
+ } else {
302
+ s->state = SSL3_ST_SW_KEY_EXCH_A;
303
+ }
304
+ } else {
305
+ skip = 1;
306
+ s->state = SSL3_ST_SW_KEY_EXCH_A;
307
+ }
308
+ s->init_num = 0;
309
+ break;
310
+
311
+ case SSL3_ST_SW_CERT_STATUS_A:
312
+ case SSL3_ST_SW_CERT_STATUS_B:
313
+ ret = ssl3_send_certificate_status(s);
314
+ if (ret <= 0) {
315
+ goto end;
316
+ }
317
+ s->state = SSL3_ST_SW_KEY_EXCH_A;
318
+ s->init_num = 0;
319
+ break;
320
+
321
+ case SSL3_ST_SW_KEY_EXCH_A:
322
+ case SSL3_ST_SW_KEY_EXCH_B:
323
+ case SSL3_ST_SW_KEY_EXCH_C:
324
+ alg_a = s->s3->tmp.new_cipher->algorithm_auth;
325
+
326
+ /* Send a ServerKeyExchange message if:
327
+ * - The key exchange is ephemeral or anonymous
328
+ * Diffie-Hellman.
329
+ * - There is a PSK identity hint.
330
+ *
331
+ * TODO(davidben): This logic is currently duplicated in d1_srvr.c. Fix
332
+ * this. In the meantime, keep them in sync. */
333
+ if (ssl_cipher_requires_server_key_exchange(s->s3->tmp.new_cipher) ||
334
+ ((alg_a & SSL_aPSK) && s->psk_identity_hint)) {
335
+ ret = ssl3_send_server_key_exchange(s);
336
+ if (ret <= 0) {
337
+ goto end;
338
+ }
339
+ } else {
340
+ skip = 1;
341
+ }
342
+
343
+ s->state = SSL3_ST_SW_CERT_REQ_A;
344
+ s->init_num = 0;
345
+ break;
346
+
347
+ case SSL3_ST_SW_CERT_REQ_A:
348
+ case SSL3_ST_SW_CERT_REQ_B:
349
+ if (s->s3->tmp.cert_request) {
350
+ ret = ssl3_send_certificate_request(s);
351
+ if (ret <= 0) {
352
+ goto end;
353
+ }
354
+ } else {
355
+ skip = 1;
356
+ }
357
+ s->state = SSL3_ST_SW_SRVR_DONE_A;
358
+ s->init_num = 0;
359
+ break;
360
+
361
+ case SSL3_ST_SW_SRVR_DONE_A:
362
+ case SSL3_ST_SW_SRVR_DONE_B:
363
+ ret = ssl3_send_server_done(s);
364
+ if (ret <= 0) {
365
+ goto end;
366
+ }
367
+ s->s3->tmp.next_state = SSL3_ST_SR_CERT_A;
368
+ s->state = SSL3_ST_SW_FLUSH;
369
+ s->init_num = 0;
370
+ break;
371
+
372
+ case SSL3_ST_SW_FLUSH:
373
+ /* This code originally checked to see if any data was pending using
374
+ * BIO_CTRL_INFO and then flushed. This caused problems as documented
375
+ * in PR#1939. The proposed fix doesn't completely resolve this issue
376
+ * as buggy implementations of BIO_CTRL_PENDING still exist. So instead
377
+ * we just flush unconditionally. */
378
+ s->rwstate = SSL_WRITING;
379
+ if (BIO_flush(s->wbio) <= 0) {
380
+ ret = -1;
381
+ goto end;
382
+ }
383
+ s->rwstate = SSL_NOTHING;
384
+
385
+ s->state = s->s3->tmp.next_state;
386
+ break;
387
+
388
+ case SSL3_ST_SR_CERT_A:
389
+ case SSL3_ST_SR_CERT_B:
390
+ if (s->s3->tmp.cert_request) {
391
+ ret = ssl3_get_client_certificate(s);
392
+ if (ret <= 0) {
393
+ goto end;
394
+ }
395
+ }
396
+ s->init_num = 0;
397
+ s->state = SSL3_ST_SR_KEY_EXCH_A;
398
+ break;
399
+
400
+ case SSL3_ST_SR_KEY_EXCH_A:
401
+ case SSL3_ST_SR_KEY_EXCH_B:
402
+ case SSL3_ST_SR_KEY_EXCH_C:
403
+ ret = ssl3_get_client_key_exchange(s);
404
+ if (ret <= 0) {
405
+ goto end;
406
+ }
407
+ s->state = SSL3_ST_SR_CERT_VRFY_A;
408
+ s->init_num = 0;
409
+ break;
410
+
411
+ case SSL3_ST_SR_CERT_VRFY_A:
412
+ case SSL3_ST_SR_CERT_VRFY_B:
413
+ ret = ssl3_get_cert_verify(s);
414
+ if (ret <= 0) {
415
+ goto end;
416
+ }
417
+
418
+ s->state = SSL3_ST_SR_CHANGE;
419
+ s->init_num = 0;
420
+ break;
421
+
422
+ case SSL3_ST_SR_CHANGE:
423
+ ret = s->method->ssl_read_change_cipher_spec(s);
424
+ if (ret <= 0) {
425
+ goto end;
426
+ }
427
+
428
+ if (!ssl3_do_change_cipher_spec(s)) {
429
+ ret = -1;
430
+ goto end;
431
+ }
432
+
433
+ if (s->s3->next_proto_neg_seen) {
434
+ s->state = SSL3_ST_SR_NEXT_PROTO_A;
435
+ } else if (s->s3->tlsext_channel_id_valid) {
436
+ s->state = SSL3_ST_SR_CHANNEL_ID_A;
437
+ } else {
438
+ s->state = SSL3_ST_SR_FINISHED_A;
439
+ }
440
+ break;
441
+
442
+ case SSL3_ST_SR_NEXT_PROTO_A:
443
+ case SSL3_ST_SR_NEXT_PROTO_B:
444
+ ret = ssl3_get_next_proto(s);
445
+ if (ret <= 0) {
446
+ goto end;
447
+ }
448
+ s->init_num = 0;
449
+ if (s->s3->tlsext_channel_id_valid) {
450
+ s->state = SSL3_ST_SR_CHANNEL_ID_A;
451
+ } else {
452
+ s->state = SSL3_ST_SR_FINISHED_A;
453
+ }
454
+ break;
455
+
456
+ case SSL3_ST_SR_CHANNEL_ID_A:
457
+ case SSL3_ST_SR_CHANNEL_ID_B:
458
+ ret = ssl3_get_channel_id(s);
459
+ if (ret <= 0) {
460
+ goto end;
461
+ }
462
+ s->init_num = 0;
463
+ s->state = SSL3_ST_SR_FINISHED_A;
464
+ break;
465
+
466
+ case SSL3_ST_SR_FINISHED_A:
467
+ case SSL3_ST_SR_FINISHED_B:
468
+ ret =
469
+ ssl3_get_finished(s, SSL3_ST_SR_FINISHED_A, SSL3_ST_SR_FINISHED_B);
470
+ if (ret <= 0) {
471
+ goto end;
472
+ }
473
+
474
+ if (s->hit) {
475
+ s->state = SSL_ST_OK;
476
+ } else if (s->tlsext_ticket_expected) {
477
+ s->state = SSL3_ST_SW_SESSION_TICKET_A;
478
+ } else {
479
+ s->state = SSL3_ST_SW_CHANGE_A;
480
+ }
481
+ /* If this is a full handshake with ChannelID then record the hashshake
482
+ * hashes in |s->session| in case we need them to verify a ChannelID
483
+ * signature on a resumption of this session in the future. */
484
+ if (!s->hit && s->s3->tlsext_channel_id_valid) {
485
+ ret = tls1_record_handshake_hashes_for_channel_id(s);
486
+ if (ret <= 0) {
487
+ goto end;
488
+ }
489
+ }
490
+ s->init_num = 0;
491
+ break;
492
+
493
+ case SSL3_ST_SW_SESSION_TICKET_A:
494
+ case SSL3_ST_SW_SESSION_TICKET_B:
495
+ ret = ssl3_send_new_session_ticket(s);
496
+ if (ret <= 0) {
497
+ goto end;
498
+ }
499
+ s->state = SSL3_ST_SW_CHANGE_A;
500
+ s->init_num = 0;
501
+ break;
502
+
503
+ case SSL3_ST_SW_CHANGE_A:
504
+ case SSL3_ST_SW_CHANGE_B:
505
+ s->session->cipher = s->s3->tmp.new_cipher;
506
+ if (!s->enc_method->setup_key_block(s)) {
507
+ ret = -1;
508
+ goto end;
509
+ }
510
+
511
+ ret = ssl3_send_change_cipher_spec(s, SSL3_ST_SW_CHANGE_A,
512
+ SSL3_ST_SW_CHANGE_B);
513
+ if (ret <= 0) {
514
+ goto end;
515
+ }
516
+ s->state = SSL3_ST_SW_FINISHED_A;
517
+ s->init_num = 0;
518
+
519
+ if (!s->enc_method->change_cipher_state(
520
+ s, SSL3_CHANGE_CIPHER_SERVER_WRITE)) {
521
+ ret = -1;
522
+ goto end;
523
+ }
524
+ break;
525
+
526
+ case SSL3_ST_SW_FINISHED_A:
527
+ case SSL3_ST_SW_FINISHED_B:
528
+ ret =
529
+ ssl3_send_finished(s, SSL3_ST_SW_FINISHED_A, SSL3_ST_SW_FINISHED_B,
530
+ s->enc_method->server_finished_label,
531
+ s->enc_method->server_finished_label_len);
532
+ if (ret <= 0) {
533
+ goto end;
534
+ }
535
+ s->state = SSL3_ST_SW_FLUSH;
536
+ if (s->hit) {
537
+ s->s3->tmp.next_state = SSL3_ST_SR_CHANGE;
538
+ } else {
539
+ s->s3->tmp.next_state = SSL_ST_OK;
540
+ }
541
+ s->init_num = 0;
542
+ break;
543
+
544
+ case SSL_ST_OK:
545
+ /* clean a few things up */
546
+ ssl3_cleanup_key_block(s);
547
+
548
+ BUF_MEM_free(s->init_buf);
549
+ s->init_buf = NULL;
550
+
551
+ /* remove buffering on output */
552
+ ssl_free_wbio_buffer(s);
553
+
554
+ s->init_num = 0;
555
+
556
+ /* If we aren't retaining peer certificates then we can discard it
557
+ * now. */
558
+ if (s->ctx->retain_only_sha256_of_client_certs) {
559
+ X509_free(s->session->peer);
560
+ s->session->peer = NULL;
561
+ sk_X509_pop_free(s->session->cert_chain, X509_free);
562
+ s->session->cert_chain = NULL;
563
+ }
564
+
565
+ s->s3->initial_handshake_complete = 1;
566
+
567
+ ssl_update_cache(s, SSL_SESS_CACHE_SERVER);
568
+
569
+ if (cb != NULL) {
570
+ cb(s, SSL_CB_HANDSHAKE_DONE, 1);
571
+ }
572
+
573
+ ret = 1;
574
+ goto end;
575
+
576
+ default:
577
+ OPENSSL_PUT_ERROR(SSL, SSL_R_UNKNOWN_STATE);
578
+ ret = -1;
579
+ goto end;
580
+ }
581
+
582
+ if (!s->s3->tmp.reuse_message && !skip && cb != NULL && s->state != state) {
583
+ new_state = s->state;
584
+ s->state = state;
585
+ cb(s, SSL_CB_ACCEPT_LOOP, 1);
586
+ s->state = new_state;
587
+ }
588
+ skip = 0;
589
+ }
590
+
591
+ end:
592
+ s->in_handshake--;
593
+ BUF_MEM_free(buf);
594
+ if (cb != NULL) {
595
+ cb(s, SSL_CB_ACCEPT_EXIT, ret);
596
+ }
597
+ return ret;
598
+ }
599
+
600
+ int ssl3_get_initial_bytes(SSL *s) {
601
+ /* Read the first 5 bytes, the size of the TLS record header. This is
602
+ * sufficient to detect a V2ClientHello and ensures that we never read beyond
603
+ * the first record. */
604
+ int ret = ssl_read_buffer_extend_to(s, SSL3_RT_HEADER_LENGTH);
605
+ if (ret <= 0) {
606
+ return ret;
607
+ }
608
+ assert(ssl_read_buffer_len(s) == SSL3_RT_HEADER_LENGTH);
609
+ const uint8_t *p = ssl_read_buffer(s);
610
+
611
+ /* Some dedicated error codes for protocol mixups should the application wish
612
+ * to interpret them differently. (These do not overlap with ClientHello or
613
+ * V2ClientHello.) */
614
+ if (strncmp("GET ", (const char *)p, 4) == 0 ||
615
+ strncmp("POST ", (const char *)p, 5) == 0 ||
616
+ strncmp("HEAD ", (const char *)p, 5) == 0 ||
617
+ strncmp("PUT ", (const char *)p, 4) == 0) {
618
+ OPENSSL_PUT_ERROR(SSL, SSL_R_HTTP_REQUEST);
619
+ return -1;
620
+ }
621
+ if (strncmp("CONNE", (const char *)p, 5) == 0) {
622
+ OPENSSL_PUT_ERROR(SSL, SSL_R_HTTPS_PROXY_REQUEST);
623
+ return -1;
624
+ }
625
+
626
+ /* Determine if this is a V2ClientHello. */
627
+ if ((p[0] & 0x80) && p[2] == SSL2_MT_CLIENT_HELLO &&
628
+ p[3] >= SSL3_VERSION_MAJOR) {
629
+ /* This is a V2ClientHello. */
630
+ s->state = SSL3_ST_SR_V2_CLIENT_HELLO;
631
+ return 1;
632
+ }
633
+
634
+ /* Fall through to the standard logic. */
635
+ s->state = SSL3_ST_SR_CLNT_HELLO_A;
636
+ return 1;
637
+ }
638
+
639
+ int ssl3_get_v2_client_hello(SSL *s) {
640
+ const uint8_t *p;
641
+ int ret;
642
+ CBS v2_client_hello, cipher_specs, session_id, challenge;
643
+ size_t msg_length, rand_len, len;
644
+ uint8_t msg_type;
645
+ uint16_t version, cipher_spec_length, session_id_length, challenge_length;
646
+ CBB client_hello, hello_body, cipher_suites;
647
+ uint8_t random[SSL3_RANDOM_SIZE];
648
+
649
+ /* Determine the length of the V2ClientHello. */
650
+ assert(ssl_read_buffer_len(s) >= SSL3_RT_HEADER_LENGTH);
651
+ p = ssl_read_buffer(s);
652
+ msg_length = ((p[0] & 0x7f) << 8) | p[1];
653
+ if (msg_length > (1024 * 4)) {
654
+ OPENSSL_PUT_ERROR(SSL, SSL_R_RECORD_TOO_LARGE);
655
+ return -1;
656
+ }
657
+ if (msg_length < SSL3_RT_HEADER_LENGTH - 2) {
658
+ /* Reject lengths that are too short early. We have already read
659
+ * |SSL3_RT_HEADER_LENGTH| bytes, so we should not attempt to process an
660
+ * (invalid) V2ClientHello which would be shorter than that. */
661
+ OPENSSL_PUT_ERROR(SSL, SSL_R_RECORD_LENGTH_MISMATCH);
662
+ return -1;
663
+ }
664
+
665
+ /* Read the remainder of the V2ClientHello. */
666
+ ret = ssl_read_buffer_extend_to(s, 2 + msg_length);
667
+ if (ret <= 0) {
668
+ return ret;
669
+ }
670
+ assert(ssl_read_buffer_len(s) == msg_length + 2);
671
+ CBS_init(&v2_client_hello, ssl_read_buffer(s) + 2, msg_length);
672
+
673
+ /* The V2ClientHello without the length is incorporated into the handshake
674
+ * hash. */
675
+ if (!ssl3_update_handshake_hash(s, CBS_data(&v2_client_hello),
676
+ CBS_len(&v2_client_hello))) {
677
+ return -1;
678
+ }
679
+ if (s->msg_callback) {
680
+ s->msg_callback(0, SSL2_VERSION, 0, CBS_data(&v2_client_hello),
681
+ CBS_len(&v2_client_hello), s, s->msg_callback_arg);
682
+ }
683
+
684
+ if (!CBS_get_u8(&v2_client_hello, &msg_type) ||
685
+ !CBS_get_u16(&v2_client_hello, &version) ||
686
+ !CBS_get_u16(&v2_client_hello, &cipher_spec_length) ||
687
+ !CBS_get_u16(&v2_client_hello, &session_id_length) ||
688
+ !CBS_get_u16(&v2_client_hello, &challenge_length) ||
689
+ !CBS_get_bytes(&v2_client_hello, &cipher_specs, cipher_spec_length) ||
690
+ !CBS_get_bytes(&v2_client_hello, &session_id, session_id_length) ||
691
+ !CBS_get_bytes(&v2_client_hello, &challenge, challenge_length) ||
692
+ CBS_len(&v2_client_hello) != 0) {
693
+ OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
694
+ return -1;
695
+ }
696
+
697
+ /* msg_type has already been checked. */
698
+ assert(msg_type == SSL2_MT_CLIENT_HELLO);
699
+
700
+ /* The client_random is the V2ClientHello challenge. Truncate or
701
+ * left-pad with zeros as needed. */
702
+ memset(random, 0, SSL3_RANDOM_SIZE);
703
+ rand_len = CBS_len(&challenge);
704
+ if (rand_len > SSL3_RANDOM_SIZE) {
705
+ rand_len = SSL3_RANDOM_SIZE;
706
+ }
707
+ memcpy(random + (SSL3_RANDOM_SIZE - rand_len), CBS_data(&challenge),
708
+ rand_len);
709
+
710
+ /* Write out an equivalent SSLv3 ClientHello. */
711
+ CBB_zero(&client_hello);
712
+ if (!CBB_init_fixed(&client_hello, (uint8_t *)s->init_buf->data,
713
+ s->init_buf->max) ||
714
+ !CBB_add_u8(&client_hello, SSL3_MT_CLIENT_HELLO) ||
715
+ !CBB_add_u24_length_prefixed(&client_hello, &hello_body) ||
716
+ !CBB_add_u16(&hello_body, version) ||
717
+ !CBB_add_bytes(&hello_body, random, SSL3_RANDOM_SIZE) ||
718
+ /* No session id. */
719
+ !CBB_add_u8(&hello_body, 0) ||
720
+ !CBB_add_u16_length_prefixed(&hello_body, &cipher_suites)) {
721
+ CBB_cleanup(&client_hello);
722
+ OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
723
+ return -1;
724
+ }
725
+
726
+ /* Copy the cipher suites. */
727
+ while (CBS_len(&cipher_specs) > 0) {
728
+ uint32_t cipher_spec;
729
+ if (!CBS_get_u24(&cipher_specs, &cipher_spec)) {
730
+ CBB_cleanup(&client_hello);
731
+ OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
732
+ return -1;
733
+ }
734
+
735
+ /* Skip SSLv2 ciphers. */
736
+ if ((cipher_spec & 0xff0000) != 0) {
737
+ continue;
738
+ }
739
+ if (!CBB_add_u16(&cipher_suites, cipher_spec)) {
740
+ CBB_cleanup(&client_hello);
741
+ OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
742
+ return -1;
743
+ }
744
+ }
745
+
746
+ /* Add the null compression scheme and finish. */
747
+ if (!CBB_add_u8(&hello_body, 1) || !CBB_add_u8(&hello_body, 0) ||
748
+ !CBB_finish(&client_hello, NULL, &len)) {
749
+ CBB_cleanup(&client_hello);
750
+ OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
751
+ return -1;
752
+ }
753
+
754
+ /* Mark the message for "re"-use by the version-specific method. */
755
+ s->s3->tmp.reuse_message = 1;
756
+ s->s3->tmp.message_type = SSL3_MT_CLIENT_HELLO;
757
+ /* The handshake message header is 4 bytes. */
758
+ s->s3->tmp.message_size = len - 4;
759
+
760
+ /* Consume and discard the V2ClientHello. */
761
+ ssl_read_buffer_consume(s, 2 + msg_length);
762
+ ssl_read_buffer_discard(s);
763
+
764
+ return 1;
765
+ }
766
+
767
+ int ssl3_get_client_hello(SSL *s) {
768
+ int ok, al = SSL_AD_INTERNAL_ERROR, ret = -1;
769
+ long n;
770
+ const SSL_CIPHER *c;
771
+ STACK_OF(SSL_CIPHER) *ciphers = NULL;
772
+ struct ssl_early_callback_ctx early_ctx;
773
+ CBS client_hello;
774
+ uint16_t client_version;
775
+ CBS client_random, session_id, cipher_suites, compression_methods;
776
+ SSL_SESSION *session = NULL;
777
+
778
+ /* We do this so that we will respond with our native type. If we are TLSv1
779
+ * and we get SSLv3, we will respond with TLSv1, This down switching should
780
+ * be handled by a different method. If we are SSLv3, we will respond with
781
+ * SSLv3, even if prompted with TLSv1. */
782
+ switch (s->state) {
783
+ case SSL3_ST_SR_CLNT_HELLO_A:
784
+ case SSL3_ST_SR_CLNT_HELLO_B:
785
+ n = s->method->ssl_get_message(
786
+ s, SSL3_ST_SR_CLNT_HELLO_A, SSL3_ST_SR_CLNT_HELLO_B,
787
+ SSL3_MT_CLIENT_HELLO, SSL3_RT_MAX_PLAIN_LENGTH,
788
+ ssl_hash_message, &ok);
789
+
790
+ if (!ok) {
791
+ return n;
792
+ }
793
+
794
+ s->state = SSL3_ST_SR_CLNT_HELLO_C;
795
+ /* fallthrough */
796
+ case SSL3_ST_SR_CLNT_HELLO_C:
797
+ case SSL3_ST_SR_CLNT_HELLO_D:
798
+ /* We have previously parsed the ClientHello message, and can't call
799
+ * ssl_get_message again without hashing the message into the Finished
800
+ * digest again. */
801
+ n = s->init_num;
802
+
803
+ memset(&early_ctx, 0, sizeof(early_ctx));
804
+ early_ctx.ssl = s;
805
+ early_ctx.client_hello = s->init_msg;
806
+ early_ctx.client_hello_len = n;
807
+ if (!ssl_early_callback_init(&early_ctx)) {
808
+ al = SSL_AD_DECODE_ERROR;
809
+ OPENSSL_PUT_ERROR(SSL, SSL_R_CLIENTHELLO_PARSE_FAILED);
810
+ goto f_err;
811
+ }
812
+
813
+ if (s->state == SSL3_ST_SR_CLNT_HELLO_C &&
814
+ s->ctx->select_certificate_cb != NULL) {
815
+ s->state = SSL3_ST_SR_CLNT_HELLO_D;
816
+ switch (s->ctx->select_certificate_cb(&early_ctx)) {
817
+ case 0:
818
+ s->rwstate = SSL_CERTIFICATE_SELECTION_PENDING;
819
+ goto err;
820
+
821
+ case -1:
822
+ /* Connection rejected. */
823
+ al = SSL_AD_ACCESS_DENIED;
824
+ OPENSSL_PUT_ERROR(SSL, SSL_R_CONNECTION_REJECTED);
825
+ goto f_err;
826
+
827
+ default:
828
+ /* fallthrough */;
829
+ }
830
+ }
831
+ s->state = SSL3_ST_SR_CLNT_HELLO_D;
832
+ break;
833
+
834
+ default:
835
+ OPENSSL_PUT_ERROR(SSL, SSL_R_UNKNOWN_STATE);
836
+ return -1;
837
+ }
838
+
839
+ CBS_init(&client_hello, s->init_msg, n);
840
+ if (!CBS_get_u16(&client_hello, &client_version) ||
841
+ !CBS_get_bytes(&client_hello, &client_random, SSL3_RANDOM_SIZE) ||
842
+ !CBS_get_u8_length_prefixed(&client_hello, &session_id) ||
843
+ CBS_len(&session_id) > SSL_MAX_SSL_SESSION_ID_LENGTH) {
844
+ al = SSL_AD_DECODE_ERROR;
845
+ OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
846
+ goto f_err;
847
+ }
848
+
849
+ /* use version from inside client hello, not from record header (may differ:
850
+ * see RFC 2246, Appendix E, second paragraph) */
851
+ s->client_version = client_version;
852
+
853
+ /* Load the client random. */
854
+ memcpy(s->s3->client_random, CBS_data(&client_random), SSL3_RANDOM_SIZE);
855
+
856
+ if (SSL_IS_DTLS(s)) {
857
+ CBS cookie;
858
+
859
+ if (!CBS_get_u8_length_prefixed(&client_hello, &cookie) ||
860
+ CBS_len(&cookie) > DTLS1_COOKIE_LENGTH) {
861
+ al = SSL_AD_DECODE_ERROR;
862
+ OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
863
+ goto f_err;
864
+ }
865
+ }
866
+
867
+ /* Note: This codepath may run twice if |ssl_get_prev_session| completes
868
+ * asynchronously.
869
+ *
870
+ * TODO(davidben): Clean up the order of events around ClientHello
871
+ * processing. */
872
+ if (!s->s3->have_version) {
873
+ /* Select version to use */
874
+ uint16_t version = ssl3_get_mutual_version(s, client_version);
875
+ if (version == 0) {
876
+ OPENSSL_PUT_ERROR(SSL, SSL_R_UNSUPPORTED_PROTOCOL);
877
+ s->version = s->client_version;
878
+ al = SSL_AD_PROTOCOL_VERSION;
879
+ goto f_err;
880
+ }
881
+ s->version = version;
882
+ s->enc_method = ssl3_get_enc_method(version);
883
+ assert(s->enc_method != NULL);
884
+ /* At this point, the connection's version is known and |s->version| is
885
+ * fixed. Begin enforcing the record-layer version. */
886
+ s->s3->have_version = 1;
887
+ } else if (SSL_IS_DTLS(s) ? (s->client_version > s->version)
888
+ : (s->client_version < s->version)) {
889
+ OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_VERSION_NUMBER);
890
+ al = SSL_AD_PROTOCOL_VERSION;
891
+ goto f_err;
892
+ }
893
+
894
+ s->hit = 0;
895
+ int send_new_ticket = 0;
896
+ switch (ssl_get_prev_session(s, &session, &send_new_ticket, &early_ctx)) {
897
+ case ssl_session_success:
898
+ break;
899
+ case ssl_session_error:
900
+ goto err;
901
+ case ssl_session_retry:
902
+ s->rwstate = SSL_PENDING_SESSION;
903
+ goto err;
904
+ }
905
+ s->tlsext_ticket_expected = send_new_ticket;
906
+
907
+ /* The EMS state is needed when making the resumption decision, but
908
+ * extensions are not normally parsed until later. This detects the EMS
909
+ * extension for the resumption decision and it's checked against the result
910
+ * of the normal parse later in this function. */
911
+ const uint8_t *ems_data;
912
+ size_t ems_len;
913
+ int have_extended_master_secret =
914
+ s->version != SSL3_VERSION &&
915
+ SSL_early_callback_ctx_extension_get(&early_ctx,
916
+ TLSEXT_TYPE_extended_master_secret,
917
+ &ems_data, &ems_len) &&
918
+ ems_len == 0;
919
+
920
+ if (session != NULL) {
921
+ if (session->extended_master_secret &&
922
+ !have_extended_master_secret) {
923
+ /* A ClientHello without EMS that attempts to resume a session with EMS
924
+ * is fatal to the connection. */
925
+ al = SSL_AD_HANDSHAKE_FAILURE;
926
+ OPENSSL_PUT_ERROR(SSL, SSL_R_RESUMED_EMS_SESSION_WITHOUT_EMS_EXTENSION);
927
+ goto f_err;
928
+ }
929
+
930
+ s->hit =
931
+ /* Only resume if the session's version matches the negotiated version:
932
+ * most clients do not accept a mismatch. */
933
+ s->version == session->ssl_version &&
934
+ /* If the client offers the EMS extension, but the previous session
935
+ * didn't use it, then negotiate a new session. */
936
+ have_extended_master_secret == session->extended_master_secret;
937
+ }
938
+
939
+ if (s->hit) {
940
+ /* Use the new session. */
941
+ SSL_SESSION_free(s->session);
942
+ s->session = session;
943
+ session = NULL;
944
+
945
+ s->verify_result = s->session->verify_result;
946
+ } else {
947
+ if (!ssl_get_new_session(s, 1 /* server */)) {
948
+ goto err;
949
+ }
950
+
951
+ /* Clear the session ID if we want the session to be single-use. */
952
+ if (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER)) {
953
+ s->session->session_id_length = 0;
954
+ }
955
+ }
956
+
957
+ if (s->ctx->dos_protection_cb != NULL && s->ctx->dos_protection_cb(&early_ctx) == 0) {
958
+ /* Connection rejected for DOS reasons. */
959
+ al = SSL_AD_ACCESS_DENIED;
960
+ OPENSSL_PUT_ERROR(SSL, SSL_R_CONNECTION_REJECTED);
961
+ goto f_err;
962
+ }
963
+
964
+ if (!CBS_get_u16_length_prefixed(&client_hello, &cipher_suites) ||
965
+ CBS_len(&cipher_suites) == 0 ||
966
+ CBS_len(&cipher_suites) % 2 != 0 ||
967
+ !CBS_get_u8_length_prefixed(&client_hello, &compression_methods) ||
968
+ CBS_len(&compression_methods) == 0) {
969
+ al = SSL_AD_DECODE_ERROR;
970
+ OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
971
+ goto f_err;
972
+ }
973
+
974
+ ciphers = ssl_bytes_to_cipher_list(s, &cipher_suites);
975
+ if (ciphers == NULL) {
976
+ goto err;
977
+ }
978
+
979
+ /* If it is a hit, check that the cipher is in the list. */
980
+ if (s->hit) {
981
+ size_t j;
982
+ int found_cipher = 0;
983
+ uint32_t id = s->session->cipher->id;
984
+
985
+ for (j = 0; j < sk_SSL_CIPHER_num(ciphers); j++) {
986
+ c = sk_SSL_CIPHER_value(ciphers, j);
987
+ if (c->id == id) {
988
+ found_cipher = 1;
989
+ break;
990
+ }
991
+ }
992
+
993
+ if (!found_cipher) {
994
+ /* we need to have the cipher in the cipher list if we are asked to reuse
995
+ * it */
996
+ al = SSL_AD_ILLEGAL_PARAMETER;
997
+ OPENSSL_PUT_ERROR(SSL, SSL_R_REQUIRED_CIPHER_MISSING);
998
+ goto f_err;
999
+ }
1000
+ }
1001
+
1002
+ /* Only null compression is supported. */
1003
+ if (memchr(CBS_data(&compression_methods), 0,
1004
+ CBS_len(&compression_methods)) == NULL) {
1005
+ al = SSL_AD_ILLEGAL_PARAMETER;
1006
+ OPENSSL_PUT_ERROR(SSL, SSL_R_NO_COMPRESSION_SPECIFIED);
1007
+ goto f_err;
1008
+ }
1009
+
1010
+ /* TLS extensions. */
1011
+ if (s->version >= SSL3_VERSION &&
1012
+ !ssl_parse_clienthello_tlsext(s, &client_hello)) {
1013
+ OPENSSL_PUT_ERROR(SSL, SSL_R_PARSE_TLSEXT);
1014
+ goto err;
1015
+ }
1016
+
1017
+ /* There should be nothing left over in the record. */
1018
+ if (CBS_len(&client_hello) != 0) {
1019
+ /* wrong packet length */
1020
+ al = SSL_AD_DECODE_ERROR;
1021
+ OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_PACKET_LENGTH);
1022
+ goto f_err;
1023
+ }
1024
+
1025
+ if (have_extended_master_secret != s->s3->tmp.extended_master_secret) {
1026
+ al = SSL_AD_INTERNAL_ERROR;
1027
+ OPENSSL_PUT_ERROR(SSL, SSL_R_EMS_STATE_INCONSISTENT);
1028
+ goto f_err;
1029
+ }
1030
+
1031
+ /* Given ciphers and SSL_get_ciphers, we must pick a cipher */
1032
+ if (!s->hit) {
1033
+ if (ciphers == NULL) {
1034
+ al = SSL_AD_ILLEGAL_PARAMETER;
1035
+ OPENSSL_PUT_ERROR(SSL, SSL_R_NO_CIPHERS_PASSED);
1036
+ goto f_err;
1037
+ }
1038
+
1039
+ /* Let cert callback update server certificates if required */
1040
+ if (s->cert->cert_cb) {
1041
+ int rv = s->cert->cert_cb(s, s->cert->cert_cb_arg);
1042
+ if (rv == 0) {
1043
+ al = SSL_AD_INTERNAL_ERROR;
1044
+ OPENSSL_PUT_ERROR(SSL, SSL_R_CERT_CB_ERROR);
1045
+ goto f_err;
1046
+ }
1047
+ if (rv < 0) {
1048
+ s->rwstate = SSL_X509_LOOKUP;
1049
+ goto err;
1050
+ }
1051
+ s->rwstate = SSL_NOTHING;
1052
+ }
1053
+ c = ssl3_choose_cipher(s, ciphers, ssl_get_cipher_preferences(s));
1054
+
1055
+ if (c == NULL) {
1056
+ al = SSL_AD_HANDSHAKE_FAILURE;
1057
+ OPENSSL_PUT_ERROR(SSL, SSL_R_NO_SHARED_CIPHER);
1058
+ goto f_err;
1059
+ }
1060
+ s->s3->tmp.new_cipher = c;
1061
+
1062
+ /* Determine whether to request a client certificate. */
1063
+ s->s3->tmp.cert_request = !!(s->verify_mode & SSL_VERIFY_PEER);
1064
+ /* Only request a certificate if Channel ID isn't negotiated. */
1065
+ if ((s->verify_mode & SSL_VERIFY_PEER_IF_NO_OBC) &&
1066
+ s->s3->tlsext_channel_id_valid) {
1067
+ s->s3->tmp.cert_request = 0;
1068
+ }
1069
+ /* Plain PSK forbids Certificate and CertificateRequest. */
1070
+ if (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK) {
1071
+ s->s3->tmp.cert_request = 0;
1072
+ }
1073
+ } else {
1074
+ /* Session-id reuse */
1075
+ s->s3->tmp.new_cipher = s->session->cipher;
1076
+ s->s3->tmp.cert_request = 0;
1077
+ }
1078
+
1079
+ /* Now that the cipher is known, initialize the handshake hash. */
1080
+ if (!ssl3_init_handshake_hash(s)) {
1081
+ goto f_err;
1082
+ }
1083
+
1084
+ /* In TLS 1.2, client authentication requires hashing the handshake transcript
1085
+ * under a different hash. Otherwise, release the handshake buffer. */
1086
+ if (!SSL_USE_SIGALGS(s) || !s->s3->tmp.cert_request) {
1087
+ ssl3_free_handshake_buffer(s);
1088
+ }
1089
+
1090
+ /* we now have the following setup;
1091
+ * client_random
1092
+ * cipher_list - our prefered list of ciphers
1093
+ * ciphers - the clients prefered list of ciphers
1094
+ * compression - basically ignored right now
1095
+ * ssl version is set - sslv3
1096
+ * s->session - The ssl session has been setup.
1097
+ * s->hit - session reuse flag
1098
+ * s->tmp.new_cipher - the new cipher to use. */
1099
+
1100
+ ret = 1;
1101
+
1102
+ if (0) {
1103
+ f_err:
1104
+ ssl3_send_alert(s, SSL3_AL_FATAL, al);
1105
+ }
1106
+
1107
+ err:
1108
+ sk_SSL_CIPHER_free(ciphers);
1109
+ SSL_SESSION_free(session);
1110
+ return ret;
1111
+ }
1112
+
1113
+ int ssl3_send_server_hello(SSL *ssl) {
1114
+ if (ssl->state == SSL3_ST_SW_SRVR_HELLO_B) {
1115
+ return ssl_do_write(ssl);
1116
+ }
1117
+
1118
+ assert(ssl->state == SSL3_ST_SW_SRVR_HELLO_A);
1119
+
1120
+ /* We only accept ChannelIDs on connections with ECDHE in order to avoid a
1121
+ * known attack while we fix ChannelID itself. */
1122
+ if (ssl->s3->tlsext_channel_id_valid &&
1123
+ (ssl->s3->tmp.new_cipher->algorithm_mkey & SSL_kECDHE) == 0) {
1124
+ ssl->s3->tlsext_channel_id_valid = 0;
1125
+ }
1126
+
1127
+ /* If this is a resumption and the original handshake didn't support
1128
+ * ChannelID then we didn't record the original handshake hashes in the
1129
+ * session and so cannot resume with ChannelIDs. */
1130
+ if (ssl->hit && ssl->session->original_handshake_hash_len == 0) {
1131
+ ssl->s3->tlsext_channel_id_valid = 0;
1132
+ }
1133
+
1134
+ if (!ssl_fill_hello_random(ssl->s3->server_random, SSL3_RANDOM_SIZE,
1135
+ 1 /* server */)) {
1136
+ OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
1137
+ return -1;
1138
+ }
1139
+
1140
+ CBB cbb, session_id;
1141
+ size_t length;
1142
+ CBB_zero(&cbb);
1143
+ if (!CBB_init_fixed(&cbb, ssl_handshake_start(ssl),
1144
+ ssl->init_buf->max - SSL_HM_HEADER_LENGTH(ssl)) ||
1145
+ !CBB_add_u16(&cbb, ssl->version) ||
1146
+ !CBB_add_bytes(&cbb, ssl->s3->server_random, SSL3_RANDOM_SIZE) ||
1147
+ !CBB_add_u8_length_prefixed(&cbb, &session_id) ||
1148
+ !CBB_add_bytes(&session_id, ssl->session->session_id,
1149
+ ssl->session->session_id_length) ||
1150
+ !CBB_add_u16(&cbb, ssl_cipher_get_value(ssl->s3->tmp.new_cipher)) ||
1151
+ !CBB_add_u8(&cbb, 0 /* no compression */) ||
1152
+ !ssl_add_serverhello_tlsext(ssl, &cbb) ||
1153
+ !CBB_finish(&cbb, NULL, &length) ||
1154
+ !ssl_set_handshake_header(ssl, SSL3_MT_SERVER_HELLO, length)) {
1155
+ OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
1156
+ CBB_cleanup(&cbb);
1157
+ return -1;
1158
+ }
1159
+
1160
+ ssl->state = SSL3_ST_SW_SRVR_HELLO_B;
1161
+ return ssl_do_write(ssl);
1162
+ }
1163
+
1164
+ int ssl3_send_certificate_status(SSL *ssl) {
1165
+ if (ssl->state == SSL3_ST_SW_CERT_STATUS_A) {
1166
+ CBB out, ocsp_response;
1167
+ size_t length;
1168
+
1169
+ CBB_zero(&out);
1170
+ if (!CBB_init_fixed(&out, ssl_handshake_start(ssl),
1171
+ ssl->init_buf->max - SSL_HM_HEADER_LENGTH(ssl)) ||
1172
+ !CBB_add_u8(&out, TLSEXT_STATUSTYPE_ocsp) ||
1173
+ !CBB_add_u24_length_prefixed(&out, &ocsp_response) ||
1174
+ !CBB_add_bytes(&ocsp_response, ssl->ctx->ocsp_response,
1175
+ ssl->ctx->ocsp_response_length) ||
1176
+ !CBB_finish(&out, NULL, &length) ||
1177
+ !ssl_set_handshake_header(ssl, SSL3_MT_CERTIFICATE_STATUS, length)) {
1178
+ OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
1179
+ CBB_cleanup(&out);
1180
+ return -1;
1181
+ }
1182
+
1183
+ ssl->state = SSL3_ST_SW_CERT_STATUS_B;
1184
+ }
1185
+
1186
+ /* SSL3_ST_SW_CERT_STATUS_B */
1187
+ return ssl_do_write(ssl);
1188
+ }
1189
+
1190
+ int ssl3_send_server_done(SSL *s) {
1191
+ if (s->state == SSL3_ST_SW_SRVR_DONE_A) {
1192
+ if (!ssl_set_handshake_header(s, SSL3_MT_SERVER_DONE, 0)) {
1193
+ return -1;
1194
+ }
1195
+ s->state = SSL3_ST_SW_SRVR_DONE_B;
1196
+ }
1197
+
1198
+ /* SSL3_ST_SW_SRVR_DONE_B */
1199
+ return ssl_do_write(s);
1200
+ }
1201
+
1202
+ int ssl3_send_server_key_exchange(SSL *s) {
1203
+ DH *dh = NULL, *dhp;
1204
+ EC_KEY *ecdh = NULL;
1205
+ uint8_t *encodedPoint = NULL;
1206
+ int encodedlen = 0;
1207
+ uint16_t curve_id = 0;
1208
+ BN_CTX *bn_ctx = NULL;
1209
+ const char *psk_identity_hint = NULL;
1210
+ size_t psk_identity_hint_len = 0;
1211
+ size_t sig_len;
1212
+ size_t max_sig_len;
1213
+ uint8_t *p, *d;
1214
+ int al, i;
1215
+ uint32_t alg_k;
1216
+ uint32_t alg_a;
1217
+ int n;
1218
+ CERT *cert;
1219
+ BIGNUM *r[4];
1220
+ /* r_pad_bytes[i] contains the number of zero padding bytes that need to
1221
+ * precede |r[i]| when serialising it. */
1222
+ unsigned r_pad_bytes[4] = {0};
1223
+ int nr[4];
1224
+ BUF_MEM *buf;
1225
+ EVP_MD_CTX md_ctx;
1226
+
1227
+ if (s->state == SSL3_ST_SW_KEY_EXCH_C) {
1228
+ return ssl_do_write(s);
1229
+ }
1230
+
1231
+ EVP_MD_CTX_init(&md_ctx);
1232
+
1233
+ if (ssl_cipher_has_server_public_key(s->s3->tmp.new_cipher)) {
1234
+ if (!ssl_has_private_key(s)) {
1235
+ al = SSL_AD_INTERNAL_ERROR;
1236
+ goto f_err;
1237
+ }
1238
+ max_sig_len = ssl_private_key_max_signature_len(s);
1239
+ } else {
1240
+ max_sig_len = 0;
1241
+ }
1242
+
1243
+ enum ssl_private_key_result_t sign_result;
1244
+ if (s->state == SSL3_ST_SW_KEY_EXCH_A) {
1245
+ alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
1246
+ alg_a = s->s3->tmp.new_cipher->algorithm_auth;
1247
+ cert = s->cert;
1248
+
1249
+ buf = s->init_buf;
1250
+
1251
+ r[0] = r[1] = r[2] = r[3] = NULL;
1252
+ n = 0;
1253
+ if (alg_a & SSL_aPSK) {
1254
+ /* size for PSK identity hint */
1255
+ psk_identity_hint = s->psk_identity_hint;
1256
+ if (psk_identity_hint) {
1257
+ psk_identity_hint_len = strlen(psk_identity_hint);
1258
+ } else {
1259
+ psk_identity_hint_len = 0;
1260
+ }
1261
+ n += 2 + psk_identity_hint_len;
1262
+ }
1263
+
1264
+ if (alg_k & SSL_kDHE) {
1265
+ dhp = cert->dh_tmp;
1266
+ if (dhp == NULL && s->cert->dh_tmp_cb != NULL) {
1267
+ dhp = s->cert->dh_tmp_cb(s, 0, 1024);
1268
+ }
1269
+ if (dhp == NULL) {
1270
+ al = SSL_AD_HANDSHAKE_FAILURE;
1271
+ OPENSSL_PUT_ERROR(SSL, SSL_R_MISSING_TMP_DH_KEY);
1272
+ goto f_err;
1273
+ }
1274
+
1275
+ if (s->s3->tmp.dh != NULL) {
1276
+ OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
1277
+ goto err;
1278
+ }
1279
+ dh = DHparams_dup(dhp);
1280
+ if (dh == NULL) {
1281
+ OPENSSL_PUT_ERROR(SSL, ERR_R_DH_LIB);
1282
+ goto err;
1283
+ }
1284
+ s->s3->tmp.dh = dh;
1285
+
1286
+ if (!DH_generate_key(dh)) {
1287
+ OPENSSL_PUT_ERROR(SSL, ERR_R_DH_LIB);
1288
+ goto err;
1289
+ }
1290
+
1291
+ r[0] = dh->p;
1292
+ r[1] = dh->g;
1293
+ r[2] = dh->pub_key;
1294
+ /* Due to a bug in yaSSL, the public key must be zero padded to the size
1295
+ * of the prime. */
1296
+ assert(BN_num_bytes(dh->pub_key) <= BN_num_bytes(dh->p));
1297
+ r_pad_bytes[2] = BN_num_bytes(dh->p) - BN_num_bytes(dh->pub_key);
1298
+ } else if (alg_k & SSL_kECDHE) {
1299
+ /* Determine the curve to use. */
1300
+ int nid = tls1_get_shared_curve(s);
1301
+ if (nid == NID_undef) {
1302
+ al = SSL_AD_HANDSHAKE_FAILURE;
1303
+ OPENSSL_PUT_ERROR(SSL, SSL_R_MISSING_TMP_ECDH_KEY);
1304
+ goto f_err;
1305
+ }
1306
+
1307
+ if (s->s3->tmp.ecdh != NULL) {
1308
+ OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
1309
+ goto err;
1310
+ }
1311
+ ecdh = EC_KEY_new_by_curve_name(nid);
1312
+ if (ecdh == NULL) {
1313
+ goto err;
1314
+ }
1315
+ s->s3->tmp.ecdh = ecdh;
1316
+
1317
+ if (!EC_KEY_generate_key(ecdh)) {
1318
+ OPENSSL_PUT_ERROR(SSL, ERR_R_ECDH_LIB);
1319
+ goto err;
1320
+ }
1321
+
1322
+ /* We only support ephemeral ECDH keys over named (not generic) curves. */
1323
+ const EC_GROUP *group = EC_KEY_get0_group(ecdh);
1324
+ if (!tls1_ec_nid2curve_id(&curve_id, EC_GROUP_get_curve_name(group))) {
1325
+ OPENSSL_PUT_ERROR(SSL, SSL_R_UNSUPPORTED_ELLIPTIC_CURVE);
1326
+ goto err;
1327
+ }
1328
+
1329
+ /* Encode the public key. First check the size of encoding and allocate
1330
+ * memory accordingly. */
1331
+ encodedlen =
1332
+ EC_POINT_point2oct(group, EC_KEY_get0_public_key(ecdh),
1333
+ POINT_CONVERSION_UNCOMPRESSED, NULL, 0, NULL);
1334
+
1335
+ encodedPoint = (uint8_t *)OPENSSL_malloc(encodedlen * sizeof(uint8_t));
1336
+ bn_ctx = BN_CTX_new();
1337
+ if (encodedPoint == NULL || bn_ctx == NULL) {
1338
+ OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
1339
+ goto err;
1340
+ }
1341
+
1342
+ encodedlen = EC_POINT_point2oct(group, EC_KEY_get0_public_key(ecdh),
1343
+ POINT_CONVERSION_UNCOMPRESSED,
1344
+ encodedPoint, encodedlen, bn_ctx);
1345
+
1346
+ if (encodedlen == 0) {
1347
+ OPENSSL_PUT_ERROR(SSL, ERR_R_ECDH_LIB);
1348
+ goto err;
1349
+ }
1350
+
1351
+ BN_CTX_free(bn_ctx);
1352
+ bn_ctx = NULL;
1353
+
1354
+ /* We only support named (not generic) curves in ECDH ephemeral key
1355
+ * exchanges. In this situation, we need four additional bytes to encode
1356
+ * the entire ServerECDHParams structure. */
1357
+ n += 4 + encodedlen;
1358
+
1359
+ /* We'll generate the serverKeyExchange message explicitly so we can set
1360
+ * these to NULLs */
1361
+ r[0] = NULL;
1362
+ r[1] = NULL;
1363
+ r[2] = NULL;
1364
+ r[3] = NULL;
1365
+ } else if (!(alg_k & SSL_kPSK)) {
1366
+ al = SSL_AD_HANDSHAKE_FAILURE;
1367
+ OPENSSL_PUT_ERROR(SSL, SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE);
1368
+ goto f_err;
1369
+ }
1370
+
1371
+ for (i = 0; i < 4 && r[i] != NULL; i++) {
1372
+ nr[i] = BN_num_bytes(r[i]) + r_pad_bytes[i];
1373
+ n += 2 + nr[i];
1374
+ }
1375
+
1376
+ if (!BUF_MEM_grow_clean(buf, n + SSL_HM_HEADER_LENGTH(s) + max_sig_len)) {
1377
+ OPENSSL_PUT_ERROR(SSL, ERR_LIB_BUF);
1378
+ goto err;
1379
+ }
1380
+ d = p = ssl_handshake_start(s);
1381
+
1382
+ for (i = 0; i < 4 && r[i] != NULL; i++) {
1383
+ s2n(nr[i], p);
1384
+ if (!BN_bn2bin_padded(p, nr[i], r[i])) {
1385
+ OPENSSL_PUT_ERROR(SSL, ERR_LIB_BN);
1386
+ goto err;
1387
+ }
1388
+ p += nr[i];
1389
+ }
1390
+
1391
+ /* Note: ECDHE PSK ciphersuites use SSL_kECDHE and SSL_aPSK. When one of
1392
+ * them is used, the server key exchange record needs to have both the
1393
+ * psk_identity_hint and the ServerECDHParams. */
1394
+ if (alg_a & SSL_aPSK) {
1395
+ /* copy PSK identity hint (if provided) */
1396
+ s2n(psk_identity_hint_len, p);
1397
+ if (psk_identity_hint_len > 0) {
1398
+ memcpy(p, psk_identity_hint, psk_identity_hint_len);
1399
+ p += psk_identity_hint_len;
1400
+ }
1401
+ }
1402
+
1403
+ if (alg_k & SSL_kECDHE) {
1404
+ /* We only support named (not generic) curves. In this situation, the
1405
+ * serverKeyExchange message has:
1406
+ * [1 byte CurveType], [2 byte CurveName]
1407
+ * [1 byte length of encoded point], followed by
1408
+ * the actual encoded point itself. */
1409
+ *(p++) = NAMED_CURVE_TYPE;
1410
+ *(p++) = (uint8_t)(curve_id >> 8);
1411
+ *(p++) = (uint8_t)(curve_id & 0xff);
1412
+ *(p++) = encodedlen;
1413
+ memcpy(p, encodedPoint, encodedlen);
1414
+ p += encodedlen;
1415
+ OPENSSL_free(encodedPoint);
1416
+ encodedPoint = NULL;
1417
+ }
1418
+
1419
+ if (ssl_cipher_has_server_public_key(s->s3->tmp.new_cipher)) {
1420
+ /* n is the length of the params, they start at d and p points to
1421
+ * the space at the end. */
1422
+ const EVP_MD *md;
1423
+ uint8_t digest[EVP_MAX_MD_SIZE];
1424
+ unsigned int digest_length;
1425
+
1426
+ const int pkey_type = ssl_private_key_type(s);
1427
+
1428
+ /* Determine signature algorithm. */
1429
+ if (SSL_USE_SIGALGS(s)) {
1430
+ md = tls1_choose_signing_digest(s);
1431
+ if (!tls12_get_sigandhash(s, p, md)) {
1432
+ /* Should never happen */
1433
+ al = SSL_AD_INTERNAL_ERROR;
1434
+ OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
1435
+ goto f_err;
1436
+ }
1437
+ p += 2;
1438
+ } else if (pkey_type == EVP_PKEY_RSA) {
1439
+ md = EVP_md5_sha1();
1440
+ } else {
1441
+ md = EVP_sha1();
1442
+ }
1443
+
1444
+ if (!EVP_DigestInit_ex(&md_ctx, md, NULL) ||
1445
+ !EVP_DigestUpdate(&md_ctx, s->s3->client_random, SSL3_RANDOM_SIZE) ||
1446
+ !EVP_DigestUpdate(&md_ctx, s->s3->server_random, SSL3_RANDOM_SIZE) ||
1447
+ !EVP_DigestUpdate(&md_ctx, d, n) ||
1448
+ !EVP_DigestFinal_ex(&md_ctx, digest, &digest_length)) {
1449
+ OPENSSL_PUT_ERROR(SSL, ERR_LIB_EVP);
1450
+ goto err;
1451
+ }
1452
+
1453
+ sign_result = ssl_private_key_sign(s, &p[2], &sig_len, max_sig_len,
1454
+ EVP_MD_CTX_md(&md_ctx), digest,
1455
+ digest_length);
1456
+ } else {
1457
+ /* This key exchange doesn't involve a signature. */
1458
+ sign_result = ssl_private_key_success;
1459
+ sig_len = 0;
1460
+ }
1461
+ } else {
1462
+ assert(s->state == SSL3_ST_SW_KEY_EXCH_B);
1463
+ /* Restore |p|. */
1464
+ p = ssl_handshake_start(s) + s->init_num - SSL_HM_HEADER_LENGTH(s);
1465
+ sign_result = ssl_private_key_sign_complete(s, &p[2], &sig_len,
1466
+ max_sig_len);
1467
+ }
1468
+
1469
+ switch (sign_result) {
1470
+ case ssl_private_key_success:
1471
+ s->rwstate = SSL_NOTHING;
1472
+ break;
1473
+ case ssl_private_key_failure:
1474
+ s->rwstate = SSL_NOTHING;
1475
+ goto err;
1476
+ case ssl_private_key_retry:
1477
+ s->rwstate = SSL_PRIVATE_KEY_OPERATION;
1478
+ /* Stash away |p|. */
1479
+ s->init_num = p - ssl_handshake_start(s) + SSL_HM_HEADER_LENGTH(s);
1480
+ s->state = SSL3_ST_SW_KEY_EXCH_B;
1481
+ goto err;
1482
+ }
1483
+
1484
+ if (ssl_cipher_has_server_public_key(s->s3->tmp.new_cipher)) {
1485
+ s2n(sig_len, p);
1486
+ p += sig_len;
1487
+ }
1488
+ if (!ssl_set_handshake_header(s, SSL3_MT_SERVER_KEY_EXCHANGE,
1489
+ p - ssl_handshake_start(s))) {
1490
+ goto err;
1491
+ }
1492
+ s->state = SSL3_ST_SW_KEY_EXCH_C;
1493
+
1494
+ EVP_MD_CTX_cleanup(&md_ctx);
1495
+ return ssl_do_write(s);
1496
+
1497
+ f_err:
1498
+ ssl3_send_alert(s, SSL3_AL_FATAL, al);
1499
+ err:
1500
+ OPENSSL_free(encodedPoint);
1501
+ BN_CTX_free(bn_ctx);
1502
+ EVP_MD_CTX_cleanup(&md_ctx);
1503
+ return -1;
1504
+ }
1505
+
1506
+ int ssl3_send_certificate_request(SSL *s) {
1507
+ uint8_t *p, *d;
1508
+ size_t i;
1509
+ int j, nl, off, n;
1510
+ STACK_OF(X509_NAME) *sk = NULL;
1511
+ X509_NAME *name;
1512
+ BUF_MEM *buf;
1513
+
1514
+ if (s->state == SSL3_ST_SW_CERT_REQ_A) {
1515
+ buf = s->init_buf;
1516
+
1517
+ d = p = ssl_handshake_start(s);
1518
+
1519
+ /* get the list of acceptable cert types */
1520
+ p++;
1521
+ n = ssl3_get_req_cert_type(s, p);
1522
+ d[0] = n;
1523
+ p += n;
1524
+ n++;
1525
+
1526
+ if (SSL_USE_SIGALGS(s)) {
1527
+ const uint8_t *psigs;
1528
+ nl = tls12_get_psigalgs(s, &psigs);
1529
+ s2n(nl, p);
1530
+ memcpy(p, psigs, nl);
1531
+ p += nl;
1532
+ n += nl + 2;
1533
+ }
1534
+
1535
+ off = n;
1536
+ p += 2;
1537
+ n += 2;
1538
+
1539
+ sk = SSL_get_client_CA_list(s);
1540
+ nl = 0;
1541
+ if (sk != NULL) {
1542
+ for (i = 0; i < sk_X509_NAME_num(sk); i++) {
1543
+ name = sk_X509_NAME_value(sk, i);
1544
+ j = i2d_X509_NAME(name, NULL);
1545
+ if (!BUF_MEM_grow_clean(buf, SSL_HM_HEADER_LENGTH(s) + n + j + 2)) {
1546
+ OPENSSL_PUT_ERROR(SSL, ERR_R_BUF_LIB);
1547
+ goto err;
1548
+ }
1549
+ p = ssl_handshake_start(s) + n;
1550
+ s2n(j, p);
1551
+ i2d_X509_NAME(name, &p);
1552
+ n += 2 + j;
1553
+ nl += 2 + j;
1554
+ }
1555
+ }
1556
+
1557
+ /* else no CA names */
1558
+ p = ssl_handshake_start(s) + off;
1559
+ s2n(nl, p);
1560
+
1561
+ if (!ssl_set_handshake_header(s, SSL3_MT_CERTIFICATE_REQUEST, n)) {
1562
+ goto err;
1563
+ }
1564
+ s->state = SSL3_ST_SW_CERT_REQ_B;
1565
+ }
1566
+
1567
+ /* SSL3_ST_SW_CERT_REQ_B */
1568
+ return ssl_do_write(s);
1569
+
1570
+ err:
1571
+ return -1;
1572
+ }
1573
+
1574
+ int ssl3_get_client_key_exchange(SSL *s) {
1575
+ int al;
1576
+ CBS client_key_exchange;
1577
+ uint32_t alg_k;
1578
+ uint32_t alg_a;
1579
+ uint8_t *premaster_secret = NULL;
1580
+ size_t premaster_secret_len = 0;
1581
+ uint8_t *decrypt_buf = NULL;
1582
+ BIGNUM *pub = NULL;
1583
+ DH *dh_srvr;
1584
+
1585
+ EC_KEY *srvr_ecdh = NULL;
1586
+ EVP_PKEY *clnt_pub_pkey = NULL;
1587
+ EC_POINT *clnt_ecpoint = NULL;
1588
+ BN_CTX *bn_ctx = NULL;
1589
+ unsigned int psk_len = 0;
1590
+ uint8_t psk[PSK_MAX_PSK_LEN];
1591
+
1592
+ if (s->state == SSL3_ST_SR_KEY_EXCH_A ||
1593
+ s->state == SSL3_ST_SR_KEY_EXCH_B) {
1594
+ int ok;
1595
+ const long n = s->method->ssl_get_message(
1596
+ s, SSL3_ST_SR_KEY_EXCH_A, SSL3_ST_SR_KEY_EXCH_B,
1597
+ SSL3_MT_CLIENT_KEY_EXCHANGE, 2048 /* ??? */, ssl_hash_message, &ok);
1598
+ if (!ok) {
1599
+ return n;
1600
+ }
1601
+ }
1602
+
1603
+ CBS_init(&client_key_exchange, s->init_msg, s->init_num);
1604
+ alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
1605
+ alg_a = s->s3->tmp.new_cipher->algorithm_auth;
1606
+
1607
+ /* If using a PSK key exchange, prepare the pre-shared key. */
1608
+ if (alg_a & SSL_aPSK) {
1609
+ CBS psk_identity;
1610
+
1611
+ /* If using PSK, the ClientKeyExchange contains a psk_identity. If PSK,
1612
+ * then this is the only field in the message. */
1613
+ if (!CBS_get_u16_length_prefixed(&client_key_exchange, &psk_identity) ||
1614
+ ((alg_k & SSL_kPSK) && CBS_len(&client_key_exchange) != 0)) {
1615
+ OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
1616
+ al = SSL_AD_DECODE_ERROR;
1617
+ goto f_err;
1618
+ }
1619
+
1620
+ if (s->psk_server_callback == NULL) {
1621
+ OPENSSL_PUT_ERROR(SSL, SSL_R_PSK_NO_SERVER_CB);
1622
+ al = SSL_AD_INTERNAL_ERROR;
1623
+ goto f_err;
1624
+ }
1625
+
1626
+ if (CBS_len(&psk_identity) > PSK_MAX_IDENTITY_LEN ||
1627
+ CBS_contains_zero_byte(&psk_identity)) {
1628
+ OPENSSL_PUT_ERROR(SSL, SSL_R_DATA_LENGTH_TOO_LONG);
1629
+ al = SSL_AD_ILLEGAL_PARAMETER;
1630
+ goto f_err;
1631
+ }
1632
+
1633
+ if (!CBS_strdup(&psk_identity, &s->session->psk_identity)) {
1634
+ al = SSL_AD_INTERNAL_ERROR;
1635
+ OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
1636
+ goto f_err;
1637
+ }
1638
+
1639
+ /* Look up the key for the identity. */
1640
+ psk_len =
1641
+ s->psk_server_callback(s, s->session->psk_identity, psk, sizeof(psk));
1642
+ if (psk_len > PSK_MAX_PSK_LEN) {
1643
+ OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
1644
+ al = SSL_AD_INTERNAL_ERROR;
1645
+ goto f_err;
1646
+ } else if (psk_len == 0) {
1647
+ /* PSK related to the given identity not found */
1648
+ OPENSSL_PUT_ERROR(SSL, SSL_R_PSK_IDENTITY_NOT_FOUND);
1649
+ al = SSL_AD_UNKNOWN_PSK_IDENTITY;
1650
+ goto f_err;
1651
+ }
1652
+ }
1653
+
1654
+ /* Depending on the key exchange method, compute |premaster_secret| and
1655
+ * |premaster_secret_len|. */
1656
+ if (alg_k & SSL_kRSA) {
1657
+ CBS encrypted_premaster_secret;
1658
+ uint8_t rand_premaster_secret[SSL_MAX_MASTER_KEY_LENGTH];
1659
+ uint8_t good;
1660
+ size_t decrypt_len, premaster_index, j;
1661
+ const size_t rsa_size = ssl_private_key_max_signature_len(s);
1662
+
1663
+ /* Allocate a buffer large enough for an RSA decryption. */
1664
+ decrypt_buf = OPENSSL_malloc(rsa_size);
1665
+ if (decrypt_buf == NULL) {
1666
+ OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
1667
+ goto err;
1668
+ }
1669
+
1670
+ enum ssl_private_key_result_t decrypt_result;
1671
+ if (s->state == SSL3_ST_SR_KEY_EXCH_B) {
1672
+ if (!ssl_has_private_key(s) || ssl_private_key_type(s) != EVP_PKEY_RSA) {
1673
+ al = SSL_AD_HANDSHAKE_FAILURE;
1674
+ OPENSSL_PUT_ERROR(SSL, SSL_R_MISSING_RSA_CERTIFICATE);
1675
+ goto f_err;
1676
+ }
1677
+ /* TLS and [incidentally] DTLS{0xFEFF} */
1678
+ if (s->version > SSL3_VERSION) {
1679
+ if (!CBS_get_u16_length_prefixed(&client_key_exchange,
1680
+ &encrypted_premaster_secret) ||
1681
+ CBS_len(&client_key_exchange) != 0) {
1682
+ al = SSL_AD_DECODE_ERROR;
1683
+ OPENSSL_PUT_ERROR(SSL,
1684
+ SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG);
1685
+ goto f_err;
1686
+ }
1687
+ } else {
1688
+ encrypted_premaster_secret = client_key_exchange;
1689
+ }
1690
+
1691
+ /* Reject overly short RSA keys because we want to be sure that the buffer
1692
+ * size makes it safe to iterate over the entire size of a premaster
1693
+ * secret (SSL_MAX_MASTER_KEY_LENGTH). The actual expected size is larger
1694
+ * due to RSA padding, but the bound is sufficient to be safe. */
1695
+ if (rsa_size < SSL_MAX_MASTER_KEY_LENGTH) {
1696
+ al = SSL_AD_DECRYPT_ERROR;
1697
+ OPENSSL_PUT_ERROR(SSL, SSL_R_DECRYPTION_FAILED);
1698
+ goto f_err;
1699
+ }
1700
+
1701
+ /* Decrypt with no padding. PKCS#1 padding will be removed as part of the
1702
+ * timing-sensitive code below. */
1703
+ decrypt_result = ssl_private_key_decrypt(
1704
+ s, decrypt_buf, &decrypt_len, rsa_size,
1705
+ CBS_data(&encrypted_premaster_secret),
1706
+ CBS_len(&encrypted_premaster_secret));
1707
+ } else {
1708
+ assert(s->state == SSL3_ST_SR_KEY_EXCH_C);
1709
+ /* Complete async decrypt. */
1710
+ decrypt_result = ssl_private_key_decrypt_complete(
1711
+ s, decrypt_buf, &decrypt_len, rsa_size);
1712
+ }
1713
+
1714
+ switch (decrypt_result) {
1715
+ case ssl_private_key_success:
1716
+ s->rwstate = SSL_NOTHING;
1717
+ break;
1718
+ case ssl_private_key_failure:
1719
+ s->rwstate = SSL_NOTHING;
1720
+ goto err;
1721
+ case ssl_private_key_retry:
1722
+ s->rwstate = SSL_PRIVATE_KEY_OPERATION;
1723
+ s->state = SSL3_ST_SR_KEY_EXCH_C;
1724
+ goto err;
1725
+ }
1726
+
1727
+ if (decrypt_len != rsa_size) {
1728
+ /* This should never happen, but do a check so we do not read
1729
+ * uninitialized memory. */
1730
+ OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
1731
+ goto err;
1732
+ }
1733
+
1734
+ /* Remove the PKCS#1 padding and adjust |decrypt_len| as appropriate.
1735
+ * |good| will be 0xff if the premaster is acceptable and zero otherwise.
1736
+ * */
1737
+ good =
1738
+ constant_time_eq_int_8(RSA_message_index_PKCS1_type_2(
1739
+ decrypt_buf, decrypt_len, &premaster_index),
1740
+ 1);
1741
+ decrypt_len = decrypt_len - premaster_index;
1742
+
1743
+ /* decrypt_len should be SSL_MAX_MASTER_KEY_LENGTH. */
1744
+ good &= constant_time_eq_8(decrypt_len, SSL_MAX_MASTER_KEY_LENGTH);
1745
+
1746
+ /* Copy over the unpadded premaster. Whatever the value of
1747
+ * |decrypt_good_mask|, copy as if the premaster were the right length. It
1748
+ * is important the memory access pattern be constant. */
1749
+ premaster_secret =
1750
+ BUF_memdup(decrypt_buf + (rsa_size - SSL_MAX_MASTER_KEY_LENGTH),
1751
+ SSL_MAX_MASTER_KEY_LENGTH);
1752
+ if (premaster_secret == NULL) {
1753
+ OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
1754
+ goto err;
1755
+ }
1756
+ OPENSSL_free(decrypt_buf);
1757
+ decrypt_buf = NULL;
1758
+
1759
+ /* If the version in the decrypted pre-master secret is correct then
1760
+ * version_good will be 0xff, otherwise it'll be zero. The
1761
+ * Klima-Pokorny-Rosa extension of Bleichenbacher's attack
1762
+ * (http://eprint.iacr.org/2003/052/) exploits the version number check as
1763
+ * a "bad version oracle". Thus version checks are done in constant time
1764
+ * and are treated like any other decryption error. */
1765
+ good &= constant_time_eq_8(premaster_secret[0],
1766
+ (unsigned)(s->client_version >> 8));
1767
+ good &= constant_time_eq_8(premaster_secret[1],
1768
+ (unsigned)(s->client_version & 0xff));
1769
+
1770
+ /* We must not leak whether a decryption failure occurs because of
1771
+ * Bleichenbacher's attack on PKCS #1 v1.5 RSA padding (see RFC 2246,
1772
+ * section 7.4.7.1). The code follows that advice of the TLS RFC and
1773
+ * generates a random premaster secret for the case that the decrypt
1774
+ * fails. See https://tools.ietf.org/html/rfc5246#section-7.4.7.1 */
1775
+ if (!RAND_bytes(rand_premaster_secret, sizeof(rand_premaster_secret))) {
1776
+ goto err;
1777
+ }
1778
+
1779
+ /* Now copy rand_premaster_secret over premaster_secret using
1780
+ * decrypt_good_mask. */
1781
+ for (j = 0; j < sizeof(rand_premaster_secret); j++) {
1782
+ premaster_secret[j] = constant_time_select_8(good, premaster_secret[j],
1783
+ rand_premaster_secret[j]);
1784
+ }
1785
+
1786
+ premaster_secret_len = sizeof(rand_premaster_secret);
1787
+ } else if (alg_k & SSL_kDHE) {
1788
+ CBS dh_Yc;
1789
+ int dh_len;
1790
+
1791
+ if (!CBS_get_u16_length_prefixed(&client_key_exchange, &dh_Yc) ||
1792
+ CBS_len(&dh_Yc) == 0 || CBS_len(&client_key_exchange) != 0) {
1793
+ OPENSSL_PUT_ERROR(SSL, SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG);
1794
+ al = SSL_R_DECODE_ERROR;
1795
+ goto f_err;
1796
+ }
1797
+
1798
+ if (s->s3->tmp.dh == NULL) {
1799
+ al = SSL_AD_HANDSHAKE_FAILURE;
1800
+ OPENSSL_PUT_ERROR(SSL, SSL_R_MISSING_TMP_DH_KEY);
1801
+ goto f_err;
1802
+ }
1803
+ dh_srvr = s->s3->tmp.dh;
1804
+
1805
+ pub = BN_bin2bn(CBS_data(&dh_Yc), CBS_len(&dh_Yc), NULL);
1806
+ if (pub == NULL) {
1807
+ OPENSSL_PUT_ERROR(SSL, SSL_R_BN_LIB);
1808
+ goto err;
1809
+ }
1810
+
1811
+ /* Allocate a buffer for the premaster secret. */
1812
+ premaster_secret = OPENSSL_malloc(DH_size(dh_srvr));
1813
+ if (premaster_secret == NULL) {
1814
+ OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
1815
+ BN_clear_free(pub);
1816
+ goto err;
1817
+ }
1818
+
1819
+ dh_len = DH_compute_key(premaster_secret, pub, dh_srvr);
1820
+ if (dh_len <= 0) {
1821
+ OPENSSL_PUT_ERROR(SSL, ERR_R_DH_LIB);
1822
+ BN_clear_free(pub);
1823
+ goto err;
1824
+ }
1825
+
1826
+ DH_free(s->s3->tmp.dh);
1827
+ s->s3->tmp.dh = NULL;
1828
+ BN_clear_free(pub);
1829
+ pub = NULL;
1830
+
1831
+ premaster_secret_len = dh_len;
1832
+ } else if (alg_k & SSL_kECDHE) {
1833
+ int ecdh_len;
1834
+ const EC_KEY *tkey;
1835
+ const EC_GROUP *group;
1836
+ const BIGNUM *priv_key;
1837
+ CBS ecdh_Yc;
1838
+
1839
+ /* initialize structures for server's ECDH key pair */
1840
+ srvr_ecdh = EC_KEY_new();
1841
+ if (srvr_ecdh == NULL) {
1842
+ OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
1843
+ goto err;
1844
+ }
1845
+
1846
+ /* Use the ephermeral values we saved when generating the ServerKeyExchange
1847
+ * msg. */
1848
+ tkey = s->s3->tmp.ecdh;
1849
+
1850
+ group = EC_KEY_get0_group(tkey);
1851
+ priv_key = EC_KEY_get0_private_key(tkey);
1852
+
1853
+ if (!EC_KEY_set_group(srvr_ecdh, group) ||
1854
+ !EC_KEY_set_private_key(srvr_ecdh, priv_key)) {
1855
+ OPENSSL_PUT_ERROR(SSL, ERR_R_EC_LIB);
1856
+ goto err;
1857
+ }
1858
+
1859
+ /* Let's get client's public key */
1860
+ clnt_ecpoint = EC_POINT_new(group);
1861
+ if (clnt_ecpoint == NULL) {
1862
+ OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
1863
+ goto err;
1864
+ }
1865
+
1866
+ /* Get client's public key from encoded point in the ClientKeyExchange
1867
+ * message. */
1868
+ if (!CBS_get_u8_length_prefixed(&client_key_exchange, &ecdh_Yc) ||
1869
+ CBS_len(&client_key_exchange) != 0) {
1870
+ al = SSL_AD_DECODE_ERROR;
1871
+ OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
1872
+ goto f_err;
1873
+ }
1874
+
1875
+ bn_ctx = BN_CTX_new();
1876
+ if (bn_ctx == NULL) {
1877
+ OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
1878
+ goto err;
1879
+ }
1880
+
1881
+ if (!EC_POINT_oct2point(group, clnt_ecpoint, CBS_data(&ecdh_Yc),
1882
+ CBS_len(&ecdh_Yc), bn_ctx)) {
1883
+ OPENSSL_PUT_ERROR(SSL, ERR_R_EC_LIB);
1884
+ goto err;
1885
+ }
1886
+
1887
+ /* Allocate a buffer for both the secret and the PSK. */
1888
+ unsigned field_size = EC_GROUP_get_degree(group);
1889
+ if (field_size == 0) {
1890
+ OPENSSL_PUT_ERROR(SSL, ERR_R_ECDH_LIB);
1891
+ goto err;
1892
+ }
1893
+
1894
+ ecdh_len = (field_size + 7) / 8;
1895
+ premaster_secret = OPENSSL_malloc(ecdh_len);
1896
+ if (premaster_secret == NULL) {
1897
+ OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
1898
+ goto err;
1899
+ }
1900
+
1901
+ /* Compute the shared pre-master secret */
1902
+ ecdh_len = ECDH_compute_key(premaster_secret, ecdh_len, clnt_ecpoint,
1903
+ srvr_ecdh, NULL);
1904
+ if (ecdh_len <= 0) {
1905
+ OPENSSL_PUT_ERROR(SSL, ERR_R_ECDH_LIB);
1906
+ goto err;
1907
+ }
1908
+
1909
+ EVP_PKEY_free(clnt_pub_pkey);
1910
+ clnt_pub_pkey = NULL;
1911
+ EC_POINT_free(clnt_ecpoint);
1912
+ clnt_ecpoint = NULL;
1913
+ EC_KEY_free(srvr_ecdh);
1914
+ srvr_ecdh = NULL;
1915
+ BN_CTX_free(bn_ctx);
1916
+ bn_ctx = NULL;
1917
+ EC_KEY_free(s->s3->tmp.ecdh);
1918
+ s->s3->tmp.ecdh = NULL;
1919
+
1920
+ premaster_secret_len = ecdh_len;
1921
+ } else if (alg_k & SSL_kPSK) {
1922
+ /* For plain PSK, other_secret is a block of 0s with the same length as the
1923
+ * pre-shared key. */
1924
+ premaster_secret_len = psk_len;
1925
+ premaster_secret = OPENSSL_malloc(premaster_secret_len);
1926
+ if (premaster_secret == NULL) {
1927
+ OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
1928
+ goto err;
1929
+ }
1930
+ memset(premaster_secret, 0, premaster_secret_len);
1931
+ } else {
1932
+ al = SSL_AD_HANDSHAKE_FAILURE;
1933
+ OPENSSL_PUT_ERROR(SSL, SSL_R_UNKNOWN_CIPHER_TYPE);
1934
+ goto f_err;
1935
+ }
1936
+
1937
+ /* For a PSK cipher suite, the actual pre-master secret is combined with the
1938
+ * pre-shared key. */
1939
+ if (alg_a & SSL_aPSK) {
1940
+ CBB new_premaster, child;
1941
+ uint8_t *new_data;
1942
+ size_t new_len;
1943
+
1944
+ CBB_zero(&new_premaster);
1945
+ if (!CBB_init(&new_premaster, 2 + psk_len + 2 + premaster_secret_len) ||
1946
+ !CBB_add_u16_length_prefixed(&new_premaster, &child) ||
1947
+ !CBB_add_bytes(&child, premaster_secret, premaster_secret_len) ||
1948
+ !CBB_add_u16_length_prefixed(&new_premaster, &child) ||
1949
+ !CBB_add_bytes(&child, psk, psk_len) ||
1950
+ !CBB_finish(&new_premaster, &new_data, &new_len)) {
1951
+ OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
1952
+ CBB_cleanup(&new_premaster);
1953
+ goto err;
1954
+ }
1955
+
1956
+ OPENSSL_cleanse(premaster_secret, premaster_secret_len);
1957
+ OPENSSL_free(premaster_secret);
1958
+ premaster_secret = new_data;
1959
+ premaster_secret_len = new_len;
1960
+ }
1961
+
1962
+ /* Compute the master secret */
1963
+ s->session->master_key_length = s->enc_method->generate_master_secret(
1964
+ s, s->session->master_key, premaster_secret, premaster_secret_len);
1965
+ if (s->session->master_key_length == 0) {
1966
+ goto err;
1967
+ }
1968
+ s->session->extended_master_secret = s->s3->tmp.extended_master_secret;
1969
+
1970
+ OPENSSL_cleanse(premaster_secret, premaster_secret_len);
1971
+ OPENSSL_free(premaster_secret);
1972
+ return 1;
1973
+
1974
+ f_err:
1975
+ ssl3_send_alert(s, SSL3_AL_FATAL, al);
1976
+ err:
1977
+ if (premaster_secret) {
1978
+ if (premaster_secret_len) {
1979
+ OPENSSL_cleanse(premaster_secret, premaster_secret_len);
1980
+ }
1981
+ OPENSSL_free(premaster_secret);
1982
+ }
1983
+ OPENSSL_free(decrypt_buf);
1984
+ EVP_PKEY_free(clnt_pub_pkey);
1985
+ EC_POINT_free(clnt_ecpoint);
1986
+ EC_KEY_free(srvr_ecdh);
1987
+ BN_CTX_free(bn_ctx);
1988
+
1989
+ return -1;
1990
+ }
1991
+
1992
+ int ssl3_get_cert_verify(SSL *s) {
1993
+ int al, ok, ret = 0;
1994
+ long n;
1995
+ CBS certificate_verify, signature;
1996
+ X509 *peer = s->session->peer;
1997
+ EVP_PKEY *pkey = NULL;
1998
+ const EVP_MD *md = NULL;
1999
+ uint8_t digest[EVP_MAX_MD_SIZE];
2000
+ size_t digest_length;
2001
+ EVP_PKEY_CTX *pctx = NULL;
2002
+
2003
+ /* Only RSA and ECDSA client certificates are supported, so a
2004
+ * CertificateVerify is required if and only if there's a client certificate.
2005
+ * */
2006
+ if (peer == NULL) {
2007
+ ssl3_free_handshake_buffer(s);
2008
+ return 1;
2009
+ }
2010
+
2011
+ n = s->method->ssl_get_message(
2012
+ s, SSL3_ST_SR_CERT_VRFY_A, SSL3_ST_SR_CERT_VRFY_B,
2013
+ SSL3_MT_CERTIFICATE_VERIFY, SSL3_RT_MAX_PLAIN_LENGTH,
2014
+ ssl_dont_hash_message, &ok);
2015
+
2016
+ if (!ok) {
2017
+ return n;
2018
+ }
2019
+
2020
+ /* Filter out unsupported certificate types. */
2021
+ pkey = X509_get_pubkey(peer);
2022
+ if (pkey == NULL) {
2023
+ goto err;
2024
+ }
2025
+ if (!(X509_certificate_type(peer, pkey) & EVP_PKT_SIGN) ||
2026
+ (pkey->type != EVP_PKEY_RSA && pkey->type != EVP_PKEY_EC)) {
2027
+ al = SSL_AD_UNSUPPORTED_CERTIFICATE;
2028
+ OPENSSL_PUT_ERROR(SSL, SSL_R_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE);
2029
+ goto f_err;
2030
+ }
2031
+
2032
+ CBS_init(&certificate_verify, s->init_msg, n);
2033
+
2034
+ /* Determine the digest type if needbe. */
2035
+ if (SSL_USE_SIGALGS(s)) {
2036
+ uint8_t hash, signature_type;
2037
+ if (!CBS_get_u8(&certificate_verify, &hash) ||
2038
+ !CBS_get_u8(&certificate_verify, &signature_type)) {
2039
+ al = SSL_AD_DECODE_ERROR;
2040
+ OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
2041
+ goto f_err;
2042
+ }
2043
+ if (!tls12_check_peer_sigalg(s, &md, &al, hash, signature_type, pkey)) {
2044
+ goto f_err;
2045
+ }
2046
+ }
2047
+
2048
+ /* Compute the digest. */
2049
+ if (!ssl3_cert_verify_hash(s, digest, &digest_length, &md, pkey->type)) {
2050
+ goto err;
2051
+ }
2052
+
2053
+ /* The handshake buffer is no longer necessary, and we may hash the current
2054
+ * message.*/
2055
+ ssl3_free_handshake_buffer(s);
2056
+ if (!ssl3_hash_current_message(s)) {
2057
+ goto err;
2058
+ }
2059
+
2060
+ /* Parse and verify the signature. */
2061
+ if (!CBS_get_u16_length_prefixed(&certificate_verify, &signature) ||
2062
+ CBS_len(&certificate_verify) != 0) {
2063
+ al = SSL_AD_DECODE_ERROR;
2064
+ OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
2065
+ goto f_err;
2066
+ }
2067
+
2068
+ pctx = EVP_PKEY_CTX_new(pkey, NULL);
2069
+ if (pctx == NULL) {
2070
+ goto err;
2071
+ }
2072
+ if (!EVP_PKEY_verify_init(pctx) ||
2073
+ !EVP_PKEY_CTX_set_signature_md(pctx, md) ||
2074
+ !EVP_PKEY_verify(pctx, CBS_data(&signature), CBS_len(&signature), digest,
2075
+ digest_length)) {
2076
+ al = SSL_AD_DECRYPT_ERROR;
2077
+ OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_SIGNATURE);
2078
+ goto f_err;
2079
+ }
2080
+
2081
+ ret = 1;
2082
+
2083
+ if (0) {
2084
+ f_err:
2085
+ ssl3_send_alert(s, SSL3_AL_FATAL, al);
2086
+ }
2087
+
2088
+ err:
2089
+ EVP_PKEY_CTX_free(pctx);
2090
+ EVP_PKEY_free(pkey);
2091
+
2092
+ return ret;
2093
+ }
2094
+
2095
+ int ssl3_get_client_certificate(SSL *s) {
2096
+ int i, ok, al, ret = -1;
2097
+ X509 *x = NULL;
2098
+ unsigned long n;
2099
+ STACK_OF(X509) *sk = NULL;
2100
+ SHA256_CTX sha256;
2101
+ CBS certificate_msg, certificate_list;
2102
+ int is_first_certificate = 1;
2103
+
2104
+ n = s->method->ssl_get_message(s, SSL3_ST_SR_CERT_A, SSL3_ST_SR_CERT_B, -1,
2105
+ (long)s->max_cert_list, ssl_hash_message, &ok);
2106
+
2107
+ if (!ok) {
2108
+ return n;
2109
+ }
2110
+
2111
+ if (s->s3->tmp.message_type == SSL3_MT_CLIENT_KEY_EXCHANGE) {
2112
+ if ((s->verify_mode & SSL_VERIFY_PEER) &&
2113
+ (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) {
2114
+ OPENSSL_PUT_ERROR(SSL, SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);
2115
+ al = SSL_AD_HANDSHAKE_FAILURE;
2116
+ goto f_err;
2117
+ }
2118
+
2119
+ /* If tls asked for a client cert, the client must return a 0 list */
2120
+ if (s->version > SSL3_VERSION && s->s3->tmp.cert_request) {
2121
+ OPENSSL_PUT_ERROR(SSL,
2122
+ SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST);
2123
+ al = SSL_AD_UNEXPECTED_MESSAGE;
2124
+ goto f_err;
2125
+ }
2126
+ s->s3->tmp.reuse_message = 1;
2127
+
2128
+ return 1;
2129
+ }
2130
+
2131
+ if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE) {
2132
+ al = SSL_AD_UNEXPECTED_MESSAGE;
2133
+ OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_MESSAGE_TYPE);
2134
+ goto f_err;
2135
+ }
2136
+
2137
+ CBS_init(&certificate_msg, s->init_msg, n);
2138
+
2139
+ sk = sk_X509_new_null();
2140
+ if (sk == NULL) {
2141
+ OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
2142
+ goto err;
2143
+ }
2144
+
2145
+ if (!CBS_get_u24_length_prefixed(&certificate_msg, &certificate_list) ||
2146
+ CBS_len(&certificate_msg) != 0) {
2147
+ al = SSL_AD_DECODE_ERROR;
2148
+ OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
2149
+ goto f_err;
2150
+ }
2151
+
2152
+ while (CBS_len(&certificate_list) > 0) {
2153
+ CBS certificate;
2154
+ const uint8_t *data;
2155
+
2156
+ if (!CBS_get_u24_length_prefixed(&certificate_list, &certificate)) {
2157
+ al = SSL_AD_DECODE_ERROR;
2158
+ OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
2159
+ goto f_err;
2160
+ }
2161
+
2162
+ if (is_first_certificate && s->ctx->retain_only_sha256_of_client_certs) {
2163
+ /* If this is the first certificate, and we don't want to keep peer
2164
+ * certificates in memory, then we hash it right away. */
2165
+ SHA256_Init(&sha256);
2166
+ SHA256_Update(&sha256, CBS_data(&certificate), CBS_len(&certificate));
2167
+ SHA256_Final(s->session->peer_sha256, &sha256);
2168
+ s->session->peer_sha256_valid = 1;
2169
+ }
2170
+ is_first_certificate = 0;
2171
+
2172
+ /* A u24 length cannot overflow a long. */
2173
+ data = CBS_data(&certificate);
2174
+ x = d2i_X509(NULL, &data, (long)CBS_len(&certificate));
2175
+ if (x == NULL) {
2176
+ al = SSL_AD_BAD_CERTIFICATE;
2177
+ OPENSSL_PUT_ERROR(SSL, ERR_R_ASN1_LIB);
2178
+ goto f_err;
2179
+ }
2180
+ if (data != CBS_data(&certificate) + CBS_len(&certificate)) {
2181
+ al = SSL_AD_DECODE_ERROR;
2182
+ OPENSSL_PUT_ERROR(SSL, SSL_R_CERT_LENGTH_MISMATCH);
2183
+ goto f_err;
2184
+ }
2185
+ if (!sk_X509_push(sk, x)) {
2186
+ OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
2187
+ goto err;
2188
+ }
2189
+ x = NULL;
2190
+ }
2191
+
2192
+ if (sk_X509_num(sk) <= 0) {
2193
+ /* No client certificate so the handshake buffer may be discarded. */
2194
+ ssl3_free_handshake_buffer(s);
2195
+
2196
+ /* TLS does not mind 0 certs returned */
2197
+ if (s->version == SSL3_VERSION) {
2198
+ al = SSL_AD_HANDSHAKE_FAILURE;
2199
+ OPENSSL_PUT_ERROR(SSL, SSL_R_NO_CERTIFICATES_RETURNED);
2200
+ goto f_err;
2201
+ } else if ((s->verify_mode & SSL_VERIFY_PEER) &&
2202
+ (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) {
2203
+ /* Fail for TLS only if we required a certificate */
2204
+ OPENSSL_PUT_ERROR(SSL, SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);
2205
+ al = SSL_AD_HANDSHAKE_FAILURE;
2206
+ goto f_err;
2207
+ }
2208
+ } else {
2209
+ i = ssl_verify_cert_chain(s, sk);
2210
+ if (i <= 0) {
2211
+ al = ssl_verify_alarm_type(s->verify_result);
2212
+ OPENSSL_PUT_ERROR(SSL, SSL_R_CERTIFICATE_VERIFY_FAILED);
2213
+ goto f_err;
2214
+ }
2215
+ }
2216
+
2217
+ X509_free(s->session->peer);
2218
+ s->session->peer = sk_X509_shift(sk);
2219
+ s->session->verify_result = s->verify_result;
2220
+
2221
+ sk_X509_pop_free(s->session->cert_chain, X509_free);
2222
+ s->session->cert_chain = sk;
2223
+ /* Inconsistency alert: cert_chain does *not* include the peer's own
2224
+ * certificate, while we do include it in s3_clnt.c */
2225
+
2226
+ sk = NULL;
2227
+
2228
+ ret = 1;
2229
+
2230
+ if (0) {
2231
+ f_err:
2232
+ ssl3_send_alert(s, SSL3_AL_FATAL, al);
2233
+ }
2234
+
2235
+ err:
2236
+ X509_free(x);
2237
+ sk_X509_pop_free(sk, X509_free);
2238
+ return ret;
2239
+ }
2240
+
2241
+ int ssl3_send_server_certificate(SSL *s) {
2242
+ if (s->state == SSL3_ST_SW_CERT_A) {
2243
+ if (!ssl3_output_cert_chain(s)) {
2244
+ return 0;
2245
+ }
2246
+ s->state = SSL3_ST_SW_CERT_B;
2247
+ }
2248
+
2249
+ /* SSL3_ST_SW_CERT_B */
2250
+ return ssl_do_write(s);
2251
+ }
2252
+
2253
+ /* send a new session ticket (not necessarily for a new session) */
2254
+ int ssl3_send_new_session_ticket(SSL *s) {
2255
+ int ret = -1;
2256
+ uint8_t *session = NULL;
2257
+ size_t session_len;
2258
+ EVP_CIPHER_CTX ctx;
2259
+ HMAC_CTX hctx;
2260
+
2261
+ EVP_CIPHER_CTX_init(&ctx);
2262
+ HMAC_CTX_init(&hctx);
2263
+
2264
+ if (s->state == SSL3_ST_SW_SESSION_TICKET_A) {
2265
+ uint8_t *p, *macstart;
2266
+ int len;
2267
+ unsigned int hlen;
2268
+ SSL_CTX *tctx = s->initial_ctx;
2269
+ uint8_t iv[EVP_MAX_IV_LENGTH];
2270
+ uint8_t key_name[16];
2271
+ /* The maximum overhead of encrypting the session is 16 (key name) + IV +
2272
+ * one block of encryption overhead + HMAC. */
2273
+ const size_t max_ticket_overhead =
2274
+ 16 + EVP_MAX_IV_LENGTH + EVP_MAX_BLOCK_LENGTH + EVP_MAX_MD_SIZE;
2275
+
2276
+ /* Serialize the SSL_SESSION to be encoded into the ticket. */
2277
+ if (!SSL_SESSION_to_bytes_for_ticket(s->session, &session, &session_len)) {
2278
+ goto err;
2279
+ }
2280
+
2281
+ /* If the session is too long, emit a dummy value rather than abort the
2282
+ * connection. */
2283
+ if (session_len > 0xFFFF - max_ticket_overhead) {
2284
+ static const char kTicketPlaceholder[] = "TICKET TOO LARGE";
2285
+ const size_t placeholder_len = strlen(kTicketPlaceholder);
2286
+
2287
+ OPENSSL_free(session);
2288
+ session = NULL;
2289
+
2290
+ p = ssl_handshake_start(s);
2291
+ /* Emit ticket_lifetime_hint. */
2292
+ l2n(0, p);
2293
+ /* Emit ticket. */
2294
+ s2n(placeholder_len, p);
2295
+ memcpy(p, kTicketPlaceholder, placeholder_len);
2296
+ p += placeholder_len;
2297
+
2298
+ len = p - ssl_handshake_start(s);
2299
+ if (!ssl_set_handshake_header(s, SSL3_MT_NEWSESSION_TICKET, len)) {
2300
+ goto err;
2301
+ }
2302
+ s->state = SSL3_ST_SW_SESSION_TICKET_B;
2303
+ return ssl_do_write(s);
2304
+ }
2305
+
2306
+ /* Grow buffer if need be: the length calculation is as follows:
2307
+ * handshake_header_length + 4 (ticket lifetime hint) + 2 (ticket length) +
2308
+ * max_ticket_overhead + * session_length */
2309
+ if (!BUF_MEM_grow(s->init_buf, SSL_HM_HEADER_LENGTH(s) + 6 +
2310
+ max_ticket_overhead + session_len)) {
2311
+ goto err;
2312
+ }
2313
+ p = ssl_handshake_start(s);
2314
+ /* Initialize HMAC and cipher contexts. If callback present it does all the
2315
+ * work otherwise use generated values from parent ctx. */
2316
+ if (tctx->tlsext_ticket_key_cb) {
2317
+ if (tctx->tlsext_ticket_key_cb(s, key_name, iv, &ctx, &hctx,
2318
+ 1 /* encrypt */) < 0) {
2319
+ goto err;
2320
+ }
2321
+ } else {
2322
+ if (!RAND_bytes(iv, 16) ||
2323
+ !EVP_EncryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL,
2324
+ tctx->tlsext_tick_aes_key, iv) ||
2325
+ !HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16, tlsext_tick_md(),
2326
+ NULL)) {
2327
+ goto err;
2328
+ }
2329
+ memcpy(key_name, tctx->tlsext_tick_key_name, 16);
2330
+ }
2331
+
2332
+ /* Ticket lifetime hint (advisory only): We leave this unspecified for
2333
+ * resumed session (for simplicity), and guess that tickets for new
2334
+ * sessions will live as long as their sessions. */
2335
+ l2n(s->hit ? 0 : s->session->timeout, p);
2336
+
2337
+ /* Skip ticket length for now */
2338
+ p += 2;
2339
+ /* Output key name */
2340
+ macstart = p;
2341
+ memcpy(p, key_name, 16);
2342
+ p += 16;
2343
+ /* output IV */
2344
+ memcpy(p, iv, EVP_CIPHER_CTX_iv_length(&ctx));
2345
+ p += EVP_CIPHER_CTX_iv_length(&ctx);
2346
+ /* Encrypt session data */
2347
+ if (!EVP_EncryptUpdate(&ctx, p, &len, session, session_len)) {
2348
+ goto err;
2349
+ }
2350
+ p += len;
2351
+ if (!EVP_EncryptFinal_ex(&ctx, p, &len)) {
2352
+ goto err;
2353
+ }
2354
+ p += len;
2355
+
2356
+ if (!HMAC_Update(&hctx, macstart, p - macstart) ||
2357
+ !HMAC_Final(&hctx, p, &hlen)) {
2358
+ goto err;
2359
+ }
2360
+
2361
+ p += hlen;
2362
+ /* Now write out lengths: p points to end of data written */
2363
+ /* Total length */
2364
+ len = p - ssl_handshake_start(s);
2365
+ /* Skip ticket lifetime hint */
2366
+ p = ssl_handshake_start(s) + 4;
2367
+ s2n(len - 6, p);
2368
+ if (!ssl_set_handshake_header(s, SSL3_MT_NEWSESSION_TICKET, len)) {
2369
+ goto err;
2370
+ }
2371
+ s->state = SSL3_ST_SW_SESSION_TICKET_B;
2372
+ }
2373
+
2374
+ /* SSL3_ST_SW_SESSION_TICKET_B */
2375
+ ret = ssl_do_write(s);
2376
+
2377
+ err:
2378
+ OPENSSL_free(session);
2379
+ EVP_CIPHER_CTX_cleanup(&ctx);
2380
+ HMAC_CTX_cleanup(&hctx);
2381
+ return ret;
2382
+ }
2383
+
2384
+ /* ssl3_get_next_proto reads a Next Protocol Negotiation handshake message. It
2385
+ * sets the next_proto member in s if found */
2386
+ int ssl3_get_next_proto(SSL *s) {
2387
+ int ok;
2388
+ long n;
2389
+ CBS next_protocol, selected_protocol, padding;
2390
+
2391
+ /* Clients cannot send a NextProtocol message if we didn't see the extension
2392
+ * in their ClientHello */
2393
+ if (!s->s3->next_proto_neg_seen) {
2394
+ OPENSSL_PUT_ERROR(SSL, SSL_R_GOT_NEXT_PROTO_WITHOUT_EXTENSION);
2395
+ return -1;
2396
+ }
2397
+
2398
+ n = s->method->ssl_get_message(s, SSL3_ST_SR_NEXT_PROTO_A,
2399
+ SSL3_ST_SR_NEXT_PROTO_B, SSL3_MT_NEXT_PROTO,
2400
+ 514, /* See the payload format below */
2401
+ ssl_hash_message, &ok);
2402
+
2403
+ if (!ok) {
2404
+ return n;
2405
+ }
2406
+
2407
+ CBS_init(&next_protocol, s->init_msg, n);
2408
+
2409
+ /* The payload looks like:
2410
+ * uint8 proto_len;
2411
+ * uint8 proto[proto_len];
2412
+ * uint8 padding_len;
2413
+ * uint8 padding[padding_len]; */
2414
+ if (!CBS_get_u8_length_prefixed(&next_protocol, &selected_protocol) ||
2415
+ !CBS_get_u8_length_prefixed(&next_protocol, &padding) ||
2416
+ CBS_len(&next_protocol) != 0 ||
2417
+ !CBS_stow(&selected_protocol, &s->next_proto_negotiated,
2418
+ &s->next_proto_negotiated_len)) {
2419
+ return 0;
2420
+ }
2421
+
2422
+ return 1;
2423
+ }
2424
+
2425
+ /* ssl3_get_channel_id reads and verifies a ClientID handshake message. */
2426
+ int ssl3_get_channel_id(SSL *s) {
2427
+ int ret = -1, ok;
2428
+ long n;
2429
+ uint8_t channel_id_hash[EVP_MAX_MD_SIZE];
2430
+ size_t channel_id_hash_len;
2431
+ const uint8_t *p;
2432
+ uint16_t extension_type;
2433
+ EC_GROUP *p256 = NULL;
2434
+ EC_KEY *key = NULL;
2435
+ EC_POINT *point = NULL;
2436
+ ECDSA_SIG sig;
2437
+ BIGNUM x, y;
2438
+ CBS encrypted_extensions, extension;
2439
+
2440
+ n = s->method->ssl_get_message(
2441
+ s, SSL3_ST_SR_CHANNEL_ID_A, SSL3_ST_SR_CHANNEL_ID_B,
2442
+ SSL3_MT_ENCRYPTED_EXTENSIONS, 2 + 2 + TLSEXT_CHANNEL_ID_SIZE,
2443
+ ssl_dont_hash_message, &ok);
2444
+
2445
+ if (!ok) {
2446
+ return n;
2447
+ }
2448
+
2449
+ /* Before incorporating the EncryptedExtensions message to the handshake
2450
+ * hash, compute the hash that should have been signed. */
2451
+ if (!tls1_channel_id_hash(s, channel_id_hash, &channel_id_hash_len)) {
2452
+ return -1;
2453
+ }
2454
+ assert(channel_id_hash_len == SHA256_DIGEST_LENGTH);
2455
+
2456
+ if (!ssl3_hash_current_message(s)) {
2457
+ return -1;
2458
+ }
2459
+
2460
+ CBS_init(&encrypted_extensions, s->init_msg, n);
2461
+
2462
+ /* EncryptedExtensions could include multiple extensions, but the only
2463
+ * extension that could be negotiated is ChannelID, so there can only be one
2464
+ * entry.
2465
+ *
2466
+ * The payload looks like:
2467
+ * uint16 extension_type
2468
+ * uint16 extension_len;
2469
+ * uint8 x[32];
2470
+ * uint8 y[32];
2471
+ * uint8 r[32];
2472
+ * uint8 s[32]; */
2473
+
2474
+ if (!CBS_get_u16(&encrypted_extensions, &extension_type) ||
2475
+ !CBS_get_u16_length_prefixed(&encrypted_extensions, &extension) ||
2476
+ CBS_len(&encrypted_extensions) != 0 ||
2477
+ extension_type != TLSEXT_TYPE_channel_id ||
2478
+ CBS_len(&extension) != TLSEXT_CHANNEL_ID_SIZE) {
2479
+ OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_MESSAGE);
2480
+ return -1;
2481
+ }
2482
+
2483
+ p256 = EC_GROUP_new_by_curve_name(NID_X9_62_prime256v1);
2484
+ if (!p256) {
2485
+ OPENSSL_PUT_ERROR(SSL, SSL_R_NO_P256_SUPPORT);
2486
+ return -1;
2487
+ }
2488
+
2489
+ BN_init(&x);
2490
+ BN_init(&y);
2491
+ sig.r = BN_new();
2492
+ sig.s = BN_new();
2493
+ if (sig.r == NULL || sig.s == NULL) {
2494
+ goto err;
2495
+ }
2496
+
2497
+ p = CBS_data(&extension);
2498
+ if (BN_bin2bn(p + 0, 32, &x) == NULL ||
2499
+ BN_bin2bn(p + 32, 32, &y) == NULL ||
2500
+ BN_bin2bn(p + 64, 32, sig.r) == NULL ||
2501
+ BN_bin2bn(p + 96, 32, sig.s) == NULL) {
2502
+ goto err;
2503
+ }
2504
+
2505
+ point = EC_POINT_new(p256);
2506
+ if (!point || !EC_POINT_set_affine_coordinates_GFp(p256, point, &x, &y, NULL)) {
2507
+ goto err;
2508
+ }
2509
+
2510
+ key = EC_KEY_new();
2511
+ if (!key || !EC_KEY_set_group(key, p256) ||
2512
+ !EC_KEY_set_public_key(key, point)) {
2513
+ goto err;
2514
+ }
2515
+
2516
+ /* We stored the handshake hash in |tlsext_channel_id| the first time that we
2517
+ * were called. */
2518
+ if (!ECDSA_do_verify(channel_id_hash, channel_id_hash_len, &sig, key)) {
2519
+ OPENSSL_PUT_ERROR(SSL, SSL_R_CHANNEL_ID_SIGNATURE_INVALID);
2520
+ s->s3->tlsext_channel_id_valid = 0;
2521
+ goto err;
2522
+ }
2523
+
2524
+ memcpy(s->s3->tlsext_channel_id, p, 64);
2525
+ ret = 1;
2526
+
2527
+ err:
2528
+ BN_free(&x);
2529
+ BN_free(&y);
2530
+ BN_free(sig.r);
2531
+ BN_free(sig.s);
2532
+ EC_KEY_free(key);
2533
+ EC_POINT_free(point);
2534
+ EC_GROUP_free(p256);
2535
+ return ret;
2536
+ }