static enum ssl_hs_wait_t do_send_new_session_ticket(SSL *ssl, SSL_HANDSHAKE *hs) { SSL_SESSION *session = ssl->s3->new_session; session->tlsext_tick_lifetime_hint = session->timeout; session->ticket_flags = SSL_TICKET_ALLOW_DHE_RESUMPTION; if (!RAND_bytes((uint8_t *)&session->ticket_age_add, sizeof(session->ticket_age_add))) { return 0; } session->ticket_age_add_valid = 1; CBB cbb, body, ticket; if (!ssl->method->init_message(ssl, &cbb, &body, SSL3_MT_NEW_SESSION_TICKET) || !CBB_add_u32(&body, session->tlsext_tick_lifetime_hint) || !CBB_add_u32(&body, session->ticket_flags) || !CBB_add_u32(&body, session->ticket_age_add) || !CBB_add_u16(&body, 0 /* no ticket extensions */) || !CBB_add_u16_length_prefixed(&body, &ticket) || !ssl_encrypt_ticket(ssl, &ticket, session) || !ssl->method->finish_message(ssl, &cbb)) { CBB_cleanup(&cbb); return ssl_hs_error; } hs->session_tickets_sent++; hs->state = state_flush_new_session_ticket; return ssl_hs_write_message; }
enum ssl_private_key_result_t tls13_prepare_certificate_verify( SSL *ssl, int is_first_run) { enum ssl_private_key_result_t ret = ssl_private_key_failure; uint8_t *msg = NULL; size_t msg_len; CBB cbb, body; CBB_zero(&cbb); uint16_t signature_algorithm; if (!tls1_choose_signature_algorithm(ssl, &signature_algorithm)) { goto err; } if (!ssl->method->init_message(ssl, &cbb, &body, SSL3_MT_CERTIFICATE_VERIFY) || !CBB_add_u16(&body, signature_algorithm)) { OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); goto err; } /* Sign the digest. */ CBB child; const size_t max_sig_len = ssl_private_key_max_signature_len(ssl); uint8_t *sig; size_t sig_len; if (!CBB_add_u16_length_prefixed(&body, &child) || !CBB_reserve(&child, &sig, max_sig_len)) { ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); goto err; } enum ssl_private_key_result_t sign_result; if (is_first_run) { if (!tls13_get_cert_verify_signature_input(ssl, &msg, &msg_len, ssl->server)) { ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); goto err; } sign_result = ssl_private_key_sign(ssl, sig, &sig_len, max_sig_len, signature_algorithm, msg, msg_len); } else { sign_result = ssl_private_key_complete(ssl, sig, &sig_len, max_sig_len); } if (sign_result != ssl_private_key_success) { ret = sign_result; goto err; } if (!CBB_did_write(&child, sig_len) || !ssl->method->finish_message(ssl, &cbb)) { goto err; } ret = ssl_private_key_success; err: CBB_cleanup(&cbb); OPENSSL_free(msg); return ret; }
static int hkdf_expand_label(uint8_t *out, const EVP_MD *digest, const uint8_t *secret, size_t secret_len, const uint8_t *label, size_t label_len, const uint8_t *hash, size_t hash_len, size_t len) { static const char kTLS13LabelVersion[] = "TLS 1.3, "; CBB cbb, child; uint8_t *hkdf_label; size_t hkdf_label_len; if (!CBB_init(&cbb, 2 + 1 + strlen(kTLS13LabelVersion) + label_len + 1 + hash_len) || !CBB_add_u16(&cbb, len) || !CBB_add_u8_length_prefixed(&cbb, &child) || !CBB_add_bytes(&child, (const uint8_t *)kTLS13LabelVersion, strlen(kTLS13LabelVersion)) || !CBB_add_bytes(&child, label, label_len) || !CBB_add_u8_length_prefixed(&cbb, &child) || !CBB_add_bytes(&child, hash, hash_len) || !CBB_finish(&cbb, &hkdf_label, &hkdf_label_len)) { CBB_cleanup(&cbb); return 0; } int ret = HKDF_expand(out, len, digest, secret, secret_len, hkdf_label, hkdf_label_len); OPENSSL_free(hkdf_label); return ret; }
static int test_cbb_misuse(void) { CBB cbb, child, contents; uint8_t *buf; size_t buf_len; if (!CBB_init(&cbb, 0) || !CBB_add_u8_length_prefixed(&cbb, &child) || !CBB_add_u8(&child, 1) || !CBB_add_u8(&cbb, 2)) { return 0; } /* Since we wrote to |cbb|, |child| is now invalid and attempts to write to * it should fail. */ if (CBB_add_u8(&child, 1) || CBB_add_u16(&child, 1) || CBB_add_u24(&child, 1) || CBB_add_u8_length_prefixed(&child, &contents) || CBB_add_u16_length_prefixed(&child, &contents) || CBB_add_asn1(&child, &contents, 1) || CBB_add_bytes(&child, (const uint8_t*) "a", 1)) { fprintf(stderr, "CBB operation on invalid CBB did not fail.\n"); return 0; } if (!CBB_finish(&cbb, &buf, &buf_len) || buf_len != 3 || memcmp(buf, "\x01\x01\x02", 3) != 0) { return 0; } free(buf); return 1; }
static int test_cbb_prefixed(void) { static const uint8_t kExpected[] = {0, 1, 1, 0, 2, 2, 3, 0, 0, 3, 4, 5, 6, 5, 4, 1, 0, 1, 2}; uint8_t *buf; size_t buf_len; CBB cbb, contents, inner_contents, inner_inner_contents; int ok; if (!CBB_init(&cbb, 0) || !CBB_add_u8_length_prefixed(&cbb, &contents) || !CBB_add_u8_length_prefixed(&cbb, &contents) || !CBB_add_u8(&contents, 1) || !CBB_add_u16_length_prefixed(&cbb, &contents) || !CBB_add_u16(&contents, 0x203) || !CBB_add_u24_length_prefixed(&cbb, &contents) || !CBB_add_u24(&contents, 0x40506) || !CBB_add_u8_length_prefixed(&cbb, &contents) || !CBB_add_u8_length_prefixed(&contents, &inner_contents) || !CBB_add_u8(&inner_contents, 1) || !CBB_add_u16_length_prefixed(&inner_contents, &inner_inner_contents) || !CBB_add_u8(&inner_inner_contents, 2) || !CBB_finish(&cbb, &buf, &buf_len)) { return 0; } ok = buf_len == sizeof(kExpected) && memcmp(buf, kExpected, buf_len) == 0; free(buf); return ok; }
static int test_cbb_basic(void) { static const uint8_t kExpected[] = {1, 2, 3, 4, 5, 6, 7, 8}; uint8_t *buf; size_t buf_len; int ok; CBB cbb; if (!CBB_init(&cbb, 100)) { return 0; } CBB_cleanup(&cbb); if (!CBB_init(&cbb, 0) || !CBB_add_u8(&cbb, 1) || !CBB_add_u16(&cbb, 0x203) || !CBB_add_u24(&cbb, 0x40506) || !CBB_add_bytes(&cbb, (const uint8_t*) "\x07\x08", 2) || !CBB_finish(&cbb, &buf, &buf_len)) { return 0; } ok = buf_len == sizeof(kExpected) && memcmp(buf, kExpected, buf_len) == 0; free(buf); return ok; }
static enum ssl_hs_wait_t do_send_certificate_request(SSL *ssl, SSL_HANDSHAKE *hs) { /* Determine whether to request a client certificate. */ ssl->s3->tmp.cert_request = !!(ssl->verify_mode & SSL_VERIFY_PEER); /* CertificateRequest may only be sent in certificate-based ciphers. */ if (!ssl_cipher_uses_certificate_auth(ssl->s3->tmp.new_cipher)) { ssl->s3->tmp.cert_request = 0; } if (!ssl->s3->tmp.cert_request) { /* Skip this state. */ hs->state = state_send_server_certificate; return ssl_hs_ok; } CBB cbb, body, sigalgs_cbb; if (!ssl->method->init_message(ssl, &cbb, &body, SSL3_MT_CERTIFICATE_REQUEST) || !CBB_add_u8(&body, 0 /* no certificate_request_context. */)) { goto err; } const uint16_t *sigalgs; size_t sigalgs_len = tls12_get_psigalgs(ssl, &sigalgs); if (!CBB_add_u16_length_prefixed(&body, &sigalgs_cbb)) { goto err; } for (size_t i = 0; i < sigalgs_len; i++) { if (!CBB_add_u16(&sigalgs_cbb, sigalgs[i])) { goto err; } } if (!ssl_add_client_CA_list(ssl, &body) || !CBB_add_u16(&body, 0 /* empty certificate_extensions. */) || !ssl->method->finish_message(ssl, &cbb)) { goto err; } hs->state = state_send_server_certificate; return ssl_hs_write_message; err: CBB_cleanup(&cbb); return ssl_hs_error; }
static enum ssl_hs_wait_t do_send_server_hello(SSL *ssl, SSL_HANDSHAKE *hs) { CBB cbb, body, extensions; if (!ssl->method->init_message(ssl, &cbb, &body, SSL3_MT_SERVER_HELLO) || !CBB_add_u16(&body, ssl->version) || !RAND_bytes(ssl->s3->server_random, sizeof(ssl->s3->server_random)) || !CBB_add_bytes(&body, ssl->s3->server_random, SSL3_RANDOM_SIZE) || !CBB_add_u16(&body, ssl_cipher_get_value(ssl->s3->tmp.new_cipher)) || !CBB_add_u16_length_prefixed(&body, &extensions) || !ssl_ext_key_share_add_serverhello(ssl, &extensions) || !ssl->method->finish_message(ssl, &cbb)) { CBB_cleanup(&cbb); return ssl_hs_error; } hs->state = state_send_encrypted_extensions; return ssl_hs_write_message; }
static enum ssl_hs_wait_t do_send_hello_retry_request(SSL *ssl, SSL_HANDSHAKE *hs) { CBB cbb, body, extensions; uint16_t group_id; if (!ssl->method->init_message(ssl, &cbb, &body, SSL3_MT_HELLO_RETRY_REQUEST) || !CBB_add_u16(&body, ssl->version) || !CBB_add_u16(&body, ssl_cipher_get_value(ssl->s3->tmp.new_cipher)) || !tls1_get_shared_group(ssl, &group_id) || !CBB_add_u16(&body, group_id) || !CBB_add_u16_length_prefixed(&body, &extensions) || !ssl->method->finish_message(ssl, &cbb)) { CBB_cleanup(&cbb); return ssl_hs_error; } hs->state = state_flush_hello_retry_request; return ssl_hs_write_message; }
static enum ssl_hs_wait_t do_send_hello_retry_request(SSL_HANDSHAKE *hs) { SSL *const ssl = hs->ssl; CBB cbb, body, extensions; uint16_t group_id; if (!ssl->method->init_message(ssl, &cbb, &body, SSL3_MT_HELLO_RETRY_REQUEST) || !CBB_add_u16(&body, ssl->version) || !tls1_get_shared_group(hs, &group_id) || !CBB_add_u16_length_prefixed(&body, &extensions) || !CBB_add_u16(&extensions, TLSEXT_TYPE_key_share) || !CBB_add_u16(&extensions, 2 /* length */) || !CBB_add_u16(&extensions, group_id) || !ssl_add_message_cbb(ssl, &cbb)) { CBB_cleanup(&cbb); return ssl_hs_error; } hs->tls13_state = state_process_second_client_hello; return ssl_hs_flush_and_read_message; }
int tls13_prepare_certificate(SSL_HANDSHAKE *hs) { SSL *const ssl = hs->ssl; CBB cbb, body, certificate_list; if (!ssl->method->init_message(ssl, &cbb, &body, SSL3_MT_CERTIFICATE) || /* The request context is always empty in the handshake. */ !CBB_add_u8(&body, 0) || !CBB_add_u24_length_prefixed(&body, &certificate_list)) { OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); goto err; } if (!ssl_has_certificate(ssl)) { if (!ssl_complete_message(ssl, &cbb)) { goto err; } return 1; } CERT *cert = ssl->cert; CBB leaf, extensions; if (!CBB_add_u24_length_prefixed(&certificate_list, &leaf) || !ssl_add_cert_to_cbb(&leaf, cert->x509_leaf) || !CBB_add_u16_length_prefixed(&certificate_list, &extensions)) { OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); goto err; } if (hs->scts_requested && ssl->ctx->signed_cert_timestamp_list_length != 0) { CBB contents; if (!CBB_add_u16(&extensions, TLSEXT_TYPE_certificate_timestamp) || !CBB_add_u16_length_prefixed(&extensions, &contents) || !CBB_add_bytes(&contents, ssl->ctx->signed_cert_timestamp_list, ssl->ctx->signed_cert_timestamp_list_length) || !CBB_flush(&extensions)) { OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); goto err; } } if (hs->ocsp_stapling_requested && ssl->ocsp_response != NULL) { CBB contents, ocsp_response; if (!CBB_add_u16(&extensions, TLSEXT_TYPE_status_request) || !CBB_add_u16_length_prefixed(&extensions, &contents) || !CBB_add_u8(&contents, TLSEXT_STATUSTYPE_ocsp) || !CBB_add_u24_length_prefixed(&contents, &ocsp_response) || !CBB_add_bytes(&ocsp_response, CRYPTO_BUFFER_data(ssl->ocsp_response), CRYPTO_BUFFER_len(ssl->ocsp_response)) || !CBB_flush(&extensions)) { OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); goto err; } } for (size_t i = 0; i < sk_X509_num(cert->x509_chain); i++) { CBB child; if (!CBB_add_u24_length_prefixed(&certificate_list, &child) || !ssl_add_cert_to_cbb(&child, sk_X509_value(cert->x509_chain, i)) || !CBB_add_u16(&certificate_list, 0 /* no extensions */)) { OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); goto err; } } if (!ssl_complete_message(ssl, &cbb)) { goto err; } return 1; err: CBB_cleanup(&cbb); return 0; }
static int SSL_SESSION_to_bytes_full(const SSL_SESSION *in, uint8_t **out_data, size_t *out_len, int for_ticket) { CBB cbb, session, child, child2; if (in == NULL || in->cipher == NULL) { return 0; } CBB_zero(&cbb); if (!CBB_init(&cbb, 0) || !CBB_add_asn1(&cbb, &session, CBS_ASN1_SEQUENCE) || !CBB_add_asn1_uint64(&session, kVersion) || !CBB_add_asn1_uint64(&session, in->ssl_version) || !CBB_add_asn1(&session, &child, CBS_ASN1_OCTETSTRING) || !CBB_add_u16(&child, (uint16_t)(in->cipher->id & 0xffff)) || !CBB_add_asn1(&session, &child, CBS_ASN1_OCTETSTRING) || /* The session ID is irrelevant for a session ticket. */ !CBB_add_bytes(&child, in->session_id, for_ticket ? 0 : in->session_id_length) || !CBB_add_asn1(&session, &child, CBS_ASN1_OCTETSTRING) || !CBB_add_bytes(&child, in->master_key, in->master_key_length) || !CBB_add_asn1(&session, &child, kTimeTag) || !CBB_add_asn1_uint64(&child, in->time) || !CBB_add_asn1(&session, &child, kTimeoutTag) || !CBB_add_asn1_uint64(&child, in->timeout)) { OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); goto err; } /* The peer certificate is only serialized if the SHA-256 isn't * serialized instead. */ if (sk_CRYPTO_BUFFER_num(in->certs) > 0 && !in->peer_sha256_valid) { const CRYPTO_BUFFER *buffer = sk_CRYPTO_BUFFER_value(in->certs, 0); if (!CBB_add_asn1(&session, &child, kPeerTag) || !CBB_add_bytes(&child, CRYPTO_BUFFER_data(buffer), CRYPTO_BUFFER_len(buffer))) { OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); goto err; } } /* Although it is OPTIONAL and usually empty, OpenSSL has * historically always encoded the sid_ctx. */ if (!CBB_add_asn1(&session, &child, kSessionIDContextTag) || !CBB_add_asn1(&child, &child2, CBS_ASN1_OCTETSTRING) || !CBB_add_bytes(&child2, in->sid_ctx, in->sid_ctx_length)) { OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); goto err; } if (in->verify_result != X509_V_OK) { if (!CBB_add_asn1(&session, &child, kVerifyResultTag) || !CBB_add_asn1_uint64(&child, in->verify_result)) { OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); goto err; } } if (in->tlsext_hostname) { if (!CBB_add_asn1(&session, &child, kHostNameTag) || !CBB_add_asn1(&child, &child2, CBS_ASN1_OCTETSTRING) || !CBB_add_bytes(&child2, (const uint8_t *)in->tlsext_hostname, strlen(in->tlsext_hostname))) { OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); goto err; } } if (in->psk_identity) { if (!CBB_add_asn1(&session, &child, kPSKIdentityTag) || !CBB_add_asn1(&child, &child2, CBS_ASN1_OCTETSTRING) || !CBB_add_bytes(&child2, (const uint8_t *)in->psk_identity, strlen(in->psk_identity))) { OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); goto err; } } if (in->tlsext_tick_lifetime_hint > 0) { if (!CBB_add_asn1(&session, &child, kTicketLifetimeHintTag) || !CBB_add_asn1_uint64(&child, in->tlsext_tick_lifetime_hint)) { OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); goto err; } } if (in->tlsext_tick && !for_ticket) { if (!CBB_add_asn1(&session, &child, kTicketTag) || !CBB_add_asn1(&child, &child2, CBS_ASN1_OCTETSTRING) || !CBB_add_bytes(&child2, in->tlsext_tick, in->tlsext_ticklen)) { OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); goto err; } } if (in->peer_sha256_valid) { if (!CBB_add_asn1(&session, &child, kPeerSHA256Tag) || !CBB_add_asn1(&child, &child2, CBS_ASN1_OCTETSTRING) || !CBB_add_bytes(&child2, in->peer_sha256, sizeof(in->peer_sha256))) { OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); goto err; } } if (in->original_handshake_hash_len > 0) { if (!CBB_add_asn1(&session, &child, kOriginalHandshakeHashTag) || !CBB_add_asn1(&child, &child2, CBS_ASN1_OCTETSTRING) || !CBB_add_bytes(&child2, in->original_handshake_hash, in->original_handshake_hash_len)) { OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); goto err; } } if (in->tlsext_signed_cert_timestamp_list_length > 0) { if (!CBB_add_asn1(&session, &child, kSignedCertTimestampListTag) || !CBB_add_asn1(&child, &child2, CBS_ASN1_OCTETSTRING) || !CBB_add_bytes(&child2, in->tlsext_signed_cert_timestamp_list, in->tlsext_signed_cert_timestamp_list_length)) { OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); goto err; } } if (in->ocsp_response_length > 0) { if (!CBB_add_asn1(&session, &child, kOCSPResponseTag) || !CBB_add_asn1(&child, &child2, CBS_ASN1_OCTETSTRING) || !CBB_add_bytes(&child2, in->ocsp_response, in->ocsp_response_length)) { OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); goto err; } } if (in->extended_master_secret) { if (!CBB_add_asn1(&session, &child, kExtendedMasterSecretTag) || !CBB_add_asn1(&child, &child2, CBS_ASN1_BOOLEAN) || !CBB_add_u8(&child2, 0xff)) { OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); goto err; } } if (in->group_id > 0 && (!CBB_add_asn1(&session, &child, kGroupIDTag) || !CBB_add_asn1_uint64(&child, in->group_id))) { OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); goto err; } /* The certificate chain is only serialized if the leaf's SHA-256 isn't * serialized instead. */ if (in->certs != NULL && !in->peer_sha256_valid && sk_CRYPTO_BUFFER_num(in->certs) >= 2) { if (!CBB_add_asn1(&session, &child, kCertChainTag)) { OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); goto err; } for (size_t i = 1; i < sk_CRYPTO_BUFFER_num(in->certs); i++) { const CRYPTO_BUFFER *buffer = sk_CRYPTO_BUFFER_value(in->certs, i); if (!CBB_add_bytes(&child, CRYPTO_BUFFER_data(buffer), CRYPTO_BUFFER_len(buffer))) { OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); goto err; } } } if (in->ticket_age_add_valid) { if (!CBB_add_asn1(&session, &child, kTicketAgeAddTag) || !CBB_add_asn1(&child, &child2, CBS_ASN1_OCTETSTRING) || !CBB_add_u32(&child2, in->ticket_age_add)) { OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); goto err; } } if (!in->is_server) { if (!CBB_add_asn1(&session, &child, kIsServerTag) || !CBB_add_asn1(&child, &child2, CBS_ASN1_BOOLEAN) || !CBB_add_u8(&child2, 0x00)) { OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); goto err; } } if (in->peer_signature_algorithm != 0 && (!CBB_add_asn1(&session, &child, kPeerSignatureAlgorithmTag) || !CBB_add_asn1_uint64(&child, in->peer_signature_algorithm))) { OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); goto err; } if (in->ticket_max_early_data != 0 && (!CBB_add_asn1(&session, &child, kTicketMaxEarlyDataTag) || !CBB_add_asn1_uint64(&child, in->ticket_max_early_data))) { OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); goto err; } if (in->timeout != in->auth_timeout && (!CBB_add_asn1(&session, &child, kAuthTimeoutTag) || !CBB_add_asn1_uint64(&child, in->auth_timeout))) { OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); goto err; } if (in->early_alpn) { if (!CBB_add_asn1(&session, &child, kEarlyALPNTag) || !CBB_add_asn1(&child, &child2, CBS_ASN1_OCTETSTRING) || !CBB_add_bytes(&child2, (const uint8_t *)in->early_alpn, in->early_alpn_len)) { OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); goto err; } } if (!CBB_finish(&cbb, out_data, out_len)) { OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); goto err; } return 1; err: CBB_cleanup(&cbb); return 0; }
int i2d_SSL_SESSION(SSL_SESSION *s, unsigned char **pp) { CBB cbb, session, cipher_suite, session_id, master_key, time, timeout; CBB peer_cert, sidctx, verify_result, hostname, lifetime, ticket; CBB value; unsigned char *data = NULL, *peer_cert_bytes = NULL; size_t data_len = 0; int len, rv = -1; uint16_t cid; if (s == NULL) return (0); if (s->cipher == NULL && s->cipher_id == 0) return (0); if (!CBB_init(&cbb, 0)) goto err; if (!CBB_add_asn1(&cbb, &session, CBS_ASN1_SEQUENCE)) goto err; /* Session ASN1 version. */ if (!CBB_add_asn1_uint64(&session, SSL_SESSION_ASN1_VERSION)) goto err; /* TLS/SSL protocol version. */ if (s->ssl_version < 0) goto err; if (!CBB_add_asn1_uint64(&session, s->ssl_version)) goto err; /* Cipher suite ID. */ /* XXX - require cipher to be non-NULL or always/only use cipher_id. */ cid = (uint16_t)(s->cipher_id & 0xffff); if (s->cipher != NULL) cid = ssl3_cipher_get_value(s->cipher); if (!CBB_add_asn1(&session, &cipher_suite, CBS_ASN1_OCTETSTRING)) goto err; if (!CBB_add_u16(&cipher_suite, cid)) goto err; /* Session ID. */ if (!CBB_add_asn1(&session, &session_id, CBS_ASN1_OCTETSTRING)) goto err; if (!CBB_add_bytes(&session_id, s->session_id, s->session_id_length)) goto err; /* Master key. */ if (!CBB_add_asn1(&session, &master_key, CBS_ASN1_OCTETSTRING)) goto err; if (!CBB_add_bytes(&master_key, s->master_key, s->master_key_length)) goto err; /* Time [1]. */ if (s->time != 0) { if (s->time < 0) goto err; if (!CBB_add_asn1(&session, &time, SSLASN1_TIME_TAG)) goto err; if (!CBB_add_asn1_uint64(&time, s->time)) goto err; } /* Timeout [2]. */ if (s->timeout != 0) { if (s->timeout < 0) goto err; if (!CBB_add_asn1(&session, &timeout, SSLASN1_TIMEOUT_TAG)) goto err; if (!CBB_add_asn1_uint64(&timeout, s->timeout)) goto err; } /* Peer certificate [3]. */ if (s->peer != NULL) { if ((len = i2d_X509(s->peer, &peer_cert_bytes)) <= 0) goto err; if (!CBB_add_asn1(&session, &peer_cert, SSLASN1_PEER_CERT_TAG)) goto err; if (!CBB_add_bytes(&peer_cert, peer_cert_bytes, len)) goto err; } /* Session ID context [4]. */ /* XXX - Actually handle this as optional? */ if (!CBB_add_asn1(&session, &sidctx, SSLASN1_SESSION_ID_CTX_TAG)) goto err; if (!CBB_add_asn1(&sidctx, &value, CBS_ASN1_OCTETSTRING)) goto err; if (!CBB_add_bytes(&value, s->sid_ctx, s->sid_ctx_length)) goto err; /* Verify result [5]. */ if (s->verify_result != X509_V_OK) { if (s->verify_result < 0) goto err; if (!CBB_add_asn1(&session, &verify_result, SSLASN1_VERIFY_RESULT_TAG)) goto err; if (!CBB_add_asn1_uint64(&verify_result, s->verify_result)) goto err; } /* Hostname [6]. */ if (s->tlsext_hostname != NULL) { if (!CBB_add_asn1(&session, &hostname, SSLASN1_HOSTNAME_TAG)) goto err; if (!CBB_add_asn1(&hostname, &value, CBS_ASN1_OCTETSTRING)) goto err; if (!CBB_add_bytes(&value, (const uint8_t *)s->tlsext_hostname, strlen(s->tlsext_hostname))) goto err; } /* PSK identity hint [7]. */ /* PSK identity [8]. */ /* Ticket lifetime hint [9]. */ if (s->tlsext_tick_lifetime_hint > 0) { if (!CBB_add_asn1(&session, &lifetime, SSLASN1_LIFETIME_TAG)) goto err; if (!CBB_add_asn1_uint64(&lifetime, s->tlsext_tick_lifetime_hint)) goto err; } /* Ticket [10]. */ if (s->tlsext_tick) { if (!CBB_add_asn1(&session, &ticket, SSLASN1_TICKET_TAG)) goto err; if (!CBB_add_asn1(&ticket, &value, CBS_ASN1_OCTETSTRING)) goto err; if (!CBB_add_bytes(&value, s->tlsext_tick, s->tlsext_ticklen)) goto err; } /* Compression method [11]. */ /* SRP username [12]. */ if (!CBB_finish(&cbb, &data, &data_len)) goto err; if (data_len > INT_MAX) goto err; if (pp != NULL) { if (*pp == NULL) { *pp = data; data = NULL; } else { memcpy(*pp, data, data_len); *pp += data_len; } } rv = (int)data_len; err: CBB_cleanup(&cbb); freezero(data, data_len); free(peer_cert_bytes); return rv; }
static enum ssl_hs_wait_t do_send_new_session_ticket(SSL_HANDSHAKE *hs) { /* TLS 1.3 recommends single-use tickets, so issue multiple tickets in case the * client makes several connections before getting a renewal. */ static const int kNumTickets = 2; SSL *const ssl = hs->ssl; /* If the client doesn't accept resumption with PSK_DHE_KE, don't send a * session ticket. */ if (!hs->accept_psk_mode) { hs->tls13_state = state_done; return ssl_hs_ok; } SSL_SESSION *session = ssl->s3->new_session; CBB cbb; CBB_zero(&cbb); for (int i = 0; i < kNumTickets; i++) { if (!RAND_bytes((uint8_t *)&session->ticket_age_add, 4)) { goto err; } CBB body, ticket, extensions; if (!ssl->method->init_message(ssl, &cbb, &body, SSL3_MT_NEW_SESSION_TICKET) || !CBB_add_u32(&body, session->timeout) || !CBB_add_u32(&body, session->ticket_age_add) || !CBB_add_u16_length_prefixed(&body, &ticket) || !ssl_encrypt_ticket(ssl, &ticket, session) || !CBB_add_u16_length_prefixed(&body, &extensions)) { goto err; } if (ssl->ctx->enable_early_data) { session->ticket_max_early_data = kMaxEarlyDataAccepted; CBB early_data_info; if (!CBB_add_u16(&extensions, TLSEXT_TYPE_ticket_early_data_info) || !CBB_add_u16_length_prefixed(&extensions, &early_data_info) || !CBB_add_u32(&early_data_info, session->ticket_max_early_data) || !CBB_flush(&extensions)) { goto err; } } /* Add a fake extension. See draft-davidben-tls-grease-01. */ if (!CBB_add_u16(&extensions, ssl_get_grease_value(ssl, ssl_grease_ticket_extension)) || !CBB_add_u16(&extensions, 0 /* empty */)) { goto err; } if (!ssl_add_message_cbb(ssl, &cbb)) { goto err; } } hs->session_tickets_sent++; hs->tls13_state = state_done; return ssl_hs_flush; err: CBB_cleanup(&cbb); return ssl_hs_error; }
static enum ssl_hs_wait_t do_send_server_hello(SSL_HANDSHAKE *hs) { SSL *const ssl = hs->ssl; /* Send a ServerHello. */ CBB cbb, body, extensions; if (!ssl->method->init_message(ssl, &cbb, &body, SSL3_MT_SERVER_HELLO) || !CBB_add_u16(&body, ssl->version) || !RAND_bytes(ssl->s3->server_random, sizeof(ssl->s3->server_random)) || !CBB_add_bytes(&body, ssl->s3->server_random, SSL3_RANDOM_SIZE) || !CBB_add_u16(&body, ssl_cipher_get_value(ssl->s3->tmp.new_cipher)) || !CBB_add_u16_length_prefixed(&body, &extensions) || !ssl_ext_pre_shared_key_add_serverhello(hs, &extensions) || !ssl_ext_key_share_add_serverhello(hs, &extensions)) { goto err; } if (ssl->s3->short_header) { if (!CBB_add_u16(&extensions, TLSEXT_TYPE_short_header) || !CBB_add_u16(&extensions, 0 /* empty extension */)) { goto err; } } if (!ssl_add_message_cbb(ssl, &cbb)) { goto err; } /* Derive and enable the handshake traffic secrets. */ if (!tls13_derive_handshake_secrets(hs) || !tls13_set_traffic_key(ssl, evp_aead_open, hs->client_handshake_secret, hs->hash_len) || !tls13_set_traffic_key(ssl, evp_aead_seal, hs->server_handshake_secret, hs->hash_len)) { goto err; } /* Send EncryptedExtensions. */ if (!ssl->method->init_message(ssl, &cbb, &body, SSL3_MT_ENCRYPTED_EXTENSIONS) || !ssl_add_serverhello_tlsext(hs, &body) || !ssl_add_message_cbb(ssl, &cbb)) { goto err; } /* Determine whether to request a client certificate. */ hs->cert_request = !!(ssl->verify_mode & SSL_VERIFY_PEER); /* CertificateRequest may only be sent in non-resumption handshakes. */ if (ssl->s3->session_reused) { hs->cert_request = 0; } /* Send a CertificateRequest, if necessary. */ if (hs->cert_request) { CBB sigalgs_cbb; if (!ssl->method->init_message(ssl, &cbb, &body, SSL3_MT_CERTIFICATE_REQUEST) || !CBB_add_u8(&body, 0 /* no certificate_request_context. */)) { goto err; } const uint16_t *sigalgs; size_t num_sigalgs = tls12_get_verify_sigalgs(ssl, &sigalgs); if (!CBB_add_u16_length_prefixed(&body, &sigalgs_cbb)) { goto err; } for (size_t i = 0; i < num_sigalgs; i++) { if (!CBB_add_u16(&sigalgs_cbb, sigalgs[i])) { goto err; } } if (!ssl_add_client_CA_list(ssl, &body) || !CBB_add_u16(&body, 0 /* empty certificate_extensions. */) || !ssl_add_message_cbb(ssl, &cbb)) { goto err; } } /* Send the server Certificate message, if necessary. */ if (!ssl->s3->session_reused) { if (!ssl_has_certificate(ssl)) { OPENSSL_PUT_ERROR(SSL, SSL_R_NO_CERTIFICATE_SET); goto err; } if (!tls13_add_certificate(hs)) { goto err; } hs->tls13_state = state_send_server_certificate_verify; return ssl_hs_ok; } hs->tls13_state = state_send_server_finished; return ssl_hs_ok; err: CBB_cleanup(&cbb); return ssl_hs_error; }
static int add_new_session_tickets(SSL_HANDSHAKE *hs) { SSL *const ssl = hs->ssl; /* TLS 1.3 recommends single-use tickets, so issue multiple tickets in case * the client makes several connections before getting a renewal. */ static const int kNumTickets = 2; SSL_SESSION *session = hs->new_session; CBB cbb; CBB_zero(&cbb); /* Rebase the session timestamp so that it is measured from ticket * issuance. */ ssl_session_rebase_time(ssl, session); for (int i = 0; i < kNumTickets; i++) { if (!RAND_bytes((uint8_t *)&session->ticket_age_add, 4)) { goto err; } session->ticket_age_add_valid = 1; CBB body, ticket, extensions; if (!ssl->method->init_message(ssl, &cbb, &body, SSL3_MT_NEW_SESSION_TICKET) || !CBB_add_u32(&body, session->timeout) || !CBB_add_u32(&body, session->ticket_age_add) || !CBB_add_u16_length_prefixed(&body, &ticket) || !ssl_encrypt_ticket(ssl, &ticket, session) || !CBB_add_u16_length_prefixed(&body, &extensions)) { goto err; } if (ssl->cert->enable_early_data) { session->ticket_max_early_data = kMaxEarlyDataAccepted; CBB early_data_info; if (!CBB_add_u16(&extensions, TLSEXT_TYPE_ticket_early_data_info) || !CBB_add_u16_length_prefixed(&extensions, &early_data_info) || !CBB_add_u32(&early_data_info, session->ticket_max_early_data) || !CBB_flush(&extensions)) { goto err; } } /* Add a fake extension. See draft-davidben-tls-grease-01. */ if (!CBB_add_u16(&extensions, ssl_get_grease_value(ssl, ssl_grease_ticket_extension)) || !CBB_add_u16(&extensions, 0 /* empty */)) { goto err; } if (!ssl_add_message_cbb(ssl, &cbb)) { goto err; } } return 1; err: CBB_cleanup(&cbb); return 0; }