static int test_skip(void) { static const uint8_t kData[] = {1, 2, 3}; CBS data; CBS_init(&data, kData, sizeof(kData)); return CBS_len(&data) == 3 && CBS_skip(&data, 1) && CBS_len(&data) == 2 && CBS_skip(&data, 2) && CBS_len(&data) == 0 && !CBS_skip(&data, 1); }
/* cbs_find_ber walks an ASN.1 structure in |orig_in| and sets |*ber_found| * depending on whether an indefinite length element was found. The value of * |in| is not changed. It returns one on success (i.e. |*ber_found| was set) * and zero on error. */ static int cbs_find_ber(CBS *orig_in, char *ber_found, unsigned depth) { CBS in; if (depth > kMaxDepth) { return 0; } CBS_init(&in, CBS_data(orig_in), CBS_len(orig_in)); *ber_found = 0; while (CBS_len(&in) > 0) { CBS contents; unsigned tag; size_t header_len; if (!CBS_get_any_ber_asn1_element(&in, &contents, &tag, &header_len)) { return 0; } if (CBS_len(&contents) == header_len && header_len > 0 && CBS_data(&contents)[header_len-1] == 0x80) { *ber_found = 1; return 1; } if (tag & CBS_ASN1_CONSTRUCTED) { if (!CBS_skip(&contents, header_len) || !cbs_find_ber(&contents, ber_found, depth + 1)) { return 0; } } } return 1; }
/* cbs_find_ber walks an ASN.1 structure in |orig_in| and sets |*ber_found| * depending on whether an indefinite length element or constructed string was * found. The value of |orig_in| is not changed. It returns one on success (i.e. * |*ber_found| was set) and zero on error. */ static int cbs_find_ber(const CBS *orig_in, char *ber_found, unsigned depth) { CBS in; if (depth > kMaxDepth) { return 0; } CBS_init(&in, CBS_data(orig_in), CBS_len(orig_in)); *ber_found = 0; while (CBS_len(&in) > 0) { CBS contents; unsigned tag; size_t header_len; if (!CBS_get_any_ber_asn1_element(&in, &contents, &tag, &header_len)) { return 0; } if (CBS_len(&contents) == header_len && header_len > 0 && CBS_data(&contents)[header_len-1] == 0x80) { /* Found an indefinite-length element. */ *ber_found = 1; return 1; } if (tag & CBS_ASN1_CONSTRUCTED) { if (is_string_type(tag)) { /* Constructed strings are only legal in BER and require conversion. */ *ber_found = 1; return 1; } if (!CBS_skip(&contents, header_len) || !cbs_find_ber(&contents, ber_found, depth + 1)) { return 0; } } } return 1; }
/* Since the server cache lookup is done early on in the processing of the * ClientHello, and other operations depend on the result, we need to handle * any TLS session ticket extension at the same time. * * session_id: points at the session ID in the ClientHello. This code will * read past the end of this in order to parse out the session ticket * extension, if any. * len: the length of the session ID. * limit: a pointer to the first byte after the ClientHello. * ret: (output) on return, if a ticket was decrypted, then this is set to * point to the resulting session. * * If s->internal->tls_session_secret_cb is set then we are expecting a pre-shared key * ciphersuite, in which case we have no use for session tickets and one will * never be decrypted, nor will s->internal->tlsext_ticket_expected be set to 1. * * Returns: * -1: fatal error, either from parsing or decrypting the ticket. * 0: no ticket was found (or was ignored, based on settings). * 1: a zero length extension was found, indicating that the client supports * session tickets but doesn't currently have one to offer. * 2: either s->internal->tls_session_secret_cb was set, or a ticket was offered but * couldn't be decrypted because of a non-fatal error. * 3: a ticket was successfully decrypted and *ret was set. * * Side effects: * Sets s->internal->tlsext_ticket_expected to 1 if the server will have to issue * a new session ticket to the client because the client indicated support * (and s->internal->tls_session_secret_cb is NULL) but the client either doesn't have * a session ticket or we couldn't use the one it gave us, or if * s->ctx->tlsext_ticket_key_cb asked to renew the client's ticket. * Otherwise, s->internal->tlsext_ticket_expected is set to 0. */ int tls1_process_ticket(SSL *s, const unsigned char *session, int session_len, const unsigned char *limit, SSL_SESSION **ret) { /* Point after session ID in client hello */ CBS session_id, cookie, cipher_list, compress_algo, extensions; *ret = NULL; s->internal->tlsext_ticket_expected = 0; /* If tickets disabled behave as if no ticket present * to permit stateful resumption. */ if (SSL_get_options(s) & SSL_OP_NO_TICKET) return 0; if (!limit) return 0; if (limit < session) return -1; CBS_init(&session_id, session, limit - session); /* Skip past the session id */ if (!CBS_skip(&session_id, session_len)) return -1; /* Skip past DTLS cookie */ if (SSL_IS_DTLS(s)) { if (!CBS_get_u8_length_prefixed(&session_id, &cookie)) return -1; } /* Skip past cipher list */ if (!CBS_get_u16_length_prefixed(&session_id, &cipher_list)) return -1; /* Skip past compression algorithm list */ if (!CBS_get_u8_length_prefixed(&session_id, &compress_algo)) return -1; /* Now at start of extensions */ if (CBS_len(&session_id) == 0) return 0; if (!CBS_get_u16_length_prefixed(&session_id, &extensions)) return -1; while (CBS_len(&extensions) > 0) { CBS ext_data; uint16_t ext_type; if (!CBS_get_u16(&extensions, &ext_type) || !CBS_get_u16_length_prefixed(&extensions, &ext_data)) return -1; if (ext_type == TLSEXT_TYPE_session_ticket) { int r; if (CBS_len(&ext_data) == 0) { /* The client will accept a ticket but doesn't * currently have one. */ s->internal->tlsext_ticket_expected = 1; return 1; } if (s->internal->tls_session_secret_cb) { /* Indicate that the ticket couldn't be * decrypted rather than generating the session * from ticket now, trigger abbreviated * handshake based on external mechanism to * calculate the master secret later. */ return 2; } r = tls_decrypt_ticket(s, CBS_data(&ext_data), CBS_len(&ext_data), session, session_len, ret); switch (r) { case 2: /* ticket couldn't be decrypted */ s->internal->tlsext_ticket_expected = 1; return 2; case 3: /* ticket was decrypted */ return r; case 4: /* ticket decrypted but need to renew */ s->internal->tlsext_ticket_expected = 1; return 3; default: /* fatal error */ return -1; } } } return 0; }
/* cbs_convert_ber reads BER data from |in| and writes DER data to |out|. If * |string_tag| is non-zero, then all elements must match |string_tag| up to the * constructed bit and primitive element bodies are written to |out| without * element headers. This is used when concatenating the fragments of a * constructed string. If |looking_for_eoc| is set then any EOC elements found * will cause the function to return after consuming it. It returns one on * success and zero on error. */ static int cbs_convert_ber(CBS *in, CBB *out, unsigned string_tag, char looking_for_eoc, unsigned depth) { assert(!(string_tag & CBS_ASN1_CONSTRUCTED)); if (depth > kMaxDepth) { return 0; } while (CBS_len(in) > 0) { CBS contents; unsigned tag, child_string_tag = string_tag; size_t header_len; CBB *out_contents, out_contents_storage; if (!CBS_get_any_ber_asn1_element(in, &contents, &tag, &header_len)) { return 0; } if (is_eoc(header_len, &contents)) { return looking_for_eoc; } if (string_tag != 0) { /* This is part of a constructed string. All elements must match * |string_tag| up to the constructed bit and get appended to |out| * without a child element. */ if ((tag & ~CBS_ASN1_CONSTRUCTED) != string_tag) { return 0; } out_contents = out; } else { unsigned out_tag = tag; if ((tag & CBS_ASN1_CONSTRUCTED) && is_string_type(tag)) { /* If a constructed string, clear the constructed bit and inform * children to concatenate bodies. */ out_tag &= ~CBS_ASN1_CONSTRUCTED; child_string_tag = out_tag; } if (!CBB_add_asn1(out, &out_contents_storage, out_tag)) { return 0; } out_contents = &out_contents_storage; } if (CBS_len(&contents) == header_len && header_len > 0 && CBS_data(&contents)[header_len - 1] == 0x80) { /* This is an indefinite length element. */ if (!cbs_convert_ber(in, out_contents, child_string_tag, 1 /* looking for eoc */, depth + 1) || !CBB_flush(out)) { return 0; } continue; } if (!CBS_skip(&contents, header_len)) { return 0; } if (tag & CBS_ASN1_CONSTRUCTED) { /* Recurse into children. */ if (!cbs_convert_ber(&contents, out_contents, child_string_tag, 0 /* not looking for eoc */, depth + 1)) { return 0; } } else { /* Copy primitive contents as-is. */ if (!CBB_add_bytes(out_contents, CBS_data(&contents), CBS_len(&contents))) { return 0; } } if (!CBB_flush(out)) { return 0; } } return looking_for_eoc == 0; }
/* cbs_convert_ber reads BER data from |in| and writes DER data to |out|. If * |squash_header| is set then the top-level of elements from |in| will not * have their headers written. This is used when concatenating the fragments of * an indefinite length, primitive value. If |looking_for_eoc| is set then any * EOC elements found will cause the function to return after consuming it. * It returns one on success and zero on error. */ static int cbs_convert_ber(CBS *in, CBB *out, char squash_header, char looking_for_eoc, unsigned depth) { if (depth > kMaxDepth) { return 0; } while (CBS_len(in) > 0) { CBS contents; unsigned tag; size_t header_len; CBB *out_contents, out_contents_storage; if (!CBS_get_any_ber_asn1_element(in, &contents, &tag, &header_len)) { return 0; } out_contents = out; if (CBS_len(&contents) == header_len) { if (is_eoc(header_len, &contents)) { return looking_for_eoc; } if (header_len > 0 && CBS_data(&contents)[header_len - 1] == 0x80) { /* This is an indefinite length element. If it's a SEQUENCE or SET then * we just need to write the out the contents as normal, but with a * concrete length prefix. * * If it's a something else then the contents will be a series of BER * elements of the same type which need to be concatenated. */ const char context_specific = (tag & 0xc0) == 0x80; char squash_child_headers = is_primitive_type(tag); /* This is a hack, but it sufficies to handle NSS's output. If we find * an indefinite length, context-specific tag with a definite, primitive * tag inside it, then we assume that the context-specific tag is * implicit and the tags within are fragments of a primitive type that * need to be concatenated. */ if (context_specific && (tag & CBS_ASN1_CONSTRUCTED)) { CBS in_copy, inner_contents; unsigned inner_tag; size_t inner_header_len; CBS_init(&in_copy, CBS_data(in), CBS_len(in)); if (!CBS_get_any_ber_asn1_element(&in_copy, &inner_contents, &inner_tag, &inner_header_len)) { return 0; } if (CBS_len(&inner_contents) > inner_header_len && is_primitive_type(inner_tag)) { squash_child_headers = 1; } } if (!squash_header) { unsigned out_tag = tag; if (squash_child_headers) { out_tag &= ~CBS_ASN1_CONSTRUCTED; } if (!CBB_add_asn1(out, &out_contents_storage, out_tag)) { return 0; } out_contents = &out_contents_storage; } if (!cbs_convert_ber(in, out_contents, squash_child_headers, 1 /* looking for eoc */, depth + 1)) { return 0; } if (out_contents != out && !CBB_flush(out)) { return 0; } continue; } } if (!squash_header) { if (!CBB_add_asn1(out, &out_contents_storage, tag)) { return 0; } out_contents = &out_contents_storage; } if (!CBS_skip(&contents, header_len)) { return 0; } if (tag & CBS_ASN1_CONSTRUCTED) { if (!cbs_convert_ber(&contents, out_contents, 0 /* don't squash header */, 0 /* not looking for eoc */, depth + 1)) { return 0; } } else { if (!CBB_add_bytes(out_contents, CBS_data(&contents), CBS_len(&contents))) { return 0; } } if (out_contents != out && !CBB_flush(out)) { return 0; } } return looking_for_eoc == 0; }