static int test_skip(void) {
static const uint8_t kData[] = {1, 2, 3};
CBS data;
CBS_init(&data, kData, sizeof(kData));
return CBS_len(&data) == 3 &&
CBS_skip(&data, 1) &&
CBS_len(&data) == 2 &&
CBS_skip(&data, 2) &&
CBS_len(&data) == 0 &&
!CBS_skip(&data, 1);
}
/* cbs_find_ber walks an ASN.1 structure in |orig_in| and sets |*ber_found|
* depending on whether an indefinite length element was found. The value of
* |in| is not changed. It returns one on success (i.e. |*ber_found| was set)
* and zero on error. */
static int cbs_find_ber(CBS *orig_in, char *ber_found, unsigned depth) {
CBS in;
if (depth > kMaxDepth) {
return 0;
}
CBS_init(&in, CBS_data(orig_in), CBS_len(orig_in));
*ber_found = 0;
while (CBS_len(&in) > 0) {
CBS contents;
unsigned tag;
size_t header_len;
if (!CBS_get_any_ber_asn1_element(&in, &contents, &tag, &header_len)) {
return 0;
}
if (CBS_len(&contents) == header_len &&
header_len > 0 &&
CBS_data(&contents)[header_len-1] == 0x80) {
*ber_found = 1;
return 1;
}
if (tag & CBS_ASN1_CONSTRUCTED) {
if (!CBS_skip(&contents, header_len) ||
!cbs_find_ber(&contents, ber_found, depth + 1)) {
return 0;
}
}
}
return 1;
}
/* cbs_find_ber walks an ASN.1 structure in |orig_in| and sets |*ber_found|
* depending on whether an indefinite length element or constructed string was
* found. The value of |orig_in| is not changed. It returns one on success (i.e.
* |*ber_found| was set) and zero on error. */
static int cbs_find_ber(const CBS *orig_in, char *ber_found, unsigned depth) {
CBS in;
if (depth > kMaxDepth) {
return 0;
}
CBS_init(&in, CBS_data(orig_in), CBS_len(orig_in));
*ber_found = 0;
while (CBS_len(&in) > 0) {
CBS contents;
unsigned tag;
size_t header_len;
if (!CBS_get_any_ber_asn1_element(&in, &contents, &tag, &header_len)) {
return 0;
}
if (CBS_len(&contents) == header_len &&
header_len > 0 &&
CBS_data(&contents)[header_len-1] == 0x80) {
/* Found an indefinite-length element. */
*ber_found = 1;
return 1;
}
if (tag & CBS_ASN1_CONSTRUCTED) {
if (is_string_type(tag)) {
/* Constructed strings are only legal in BER and require conversion. */
*ber_found = 1;
return 1;
}
if (!CBS_skip(&contents, header_len) ||
!cbs_find_ber(&contents, ber_found, depth + 1)) {
return 0;
}
}
}
return 1;
}
/* Since the server cache lookup is done early on in the processing of the
* ClientHello, and other operations depend on the result, we need to handle
* any TLS session ticket extension at the same time.
*
* session_id: points at the session ID in the ClientHello. This code will
* read past the end of this in order to parse out the session ticket
* extension, if any.
* len: the length of the session ID.
* limit: a pointer to the first byte after the ClientHello.
* ret: (output) on return, if a ticket was decrypted, then this is set to
* point to the resulting session.
*
* If s->internal->tls_session_secret_cb is set then we are expecting a pre-shared key
* ciphersuite, in which case we have no use for session tickets and one will
* never be decrypted, nor will s->internal->tlsext_ticket_expected be set to 1.
*
* Returns:
* -1: fatal error, either from parsing or decrypting the ticket.
* 0: no ticket was found (or was ignored, based on settings).
* 1: a zero length extension was found, indicating that the client supports
* session tickets but doesn't currently have one to offer.
* 2: either s->internal->tls_session_secret_cb was set, or a ticket was offered but
* couldn't be decrypted because of a non-fatal error.
* 3: a ticket was successfully decrypted and *ret was set.
*
* Side effects:
* Sets s->internal->tlsext_ticket_expected to 1 if the server will have to issue
* a new session ticket to the client because the client indicated support
* (and s->internal->tls_session_secret_cb is NULL) but the client either doesn't have
* a session ticket or we couldn't use the one it gave us, or if
* s->ctx->tlsext_ticket_key_cb asked to renew the client's ticket.
* Otherwise, s->internal->tlsext_ticket_expected is set to 0.
*/
int
tls1_process_ticket(SSL *s, const unsigned char *session, int session_len,
const unsigned char *limit, SSL_SESSION **ret)
{
/* Point after session ID in client hello */
CBS session_id, cookie, cipher_list, compress_algo, extensions;
*ret = NULL;
s->internal->tlsext_ticket_expected = 0;
/* If tickets disabled behave as if no ticket present
* to permit stateful resumption.
*/
if (SSL_get_options(s) & SSL_OP_NO_TICKET)
return 0;
if (!limit)
return 0;
if (limit < session)
return -1;
CBS_init(&session_id, session, limit - session);
/* Skip past the session id */
if (!CBS_skip(&session_id, session_len))
return -1;
/* Skip past DTLS cookie */
if (SSL_IS_DTLS(s)) {
if (!CBS_get_u8_length_prefixed(&session_id, &cookie))
return -1;
}
/* Skip past cipher list */
if (!CBS_get_u16_length_prefixed(&session_id, &cipher_list))
return -1;
/* Skip past compression algorithm list */
if (!CBS_get_u8_length_prefixed(&session_id, &compress_algo))
return -1;
/* Now at start of extensions */
if (CBS_len(&session_id) == 0)
return 0;
if (!CBS_get_u16_length_prefixed(&session_id, &extensions))
return -1;
while (CBS_len(&extensions) > 0) {
CBS ext_data;
uint16_t ext_type;
if (!CBS_get_u16(&extensions, &ext_type) ||
!CBS_get_u16_length_prefixed(&extensions, &ext_data))
return -1;
if (ext_type == TLSEXT_TYPE_session_ticket) {
int r;
if (CBS_len(&ext_data) == 0) {
/* The client will accept a ticket but doesn't
* currently have one. */
s->internal->tlsext_ticket_expected = 1;
return 1;
}
if (s->internal->tls_session_secret_cb) {
/* Indicate that the ticket couldn't be
* decrypted rather than generating the session
* from ticket now, trigger abbreviated
* handshake based on external mechanism to
* calculate the master secret later. */
return 2;
}
r = tls_decrypt_ticket(s, CBS_data(&ext_data),
CBS_len(&ext_data), session, session_len, ret);
switch (r) {
case 2: /* ticket couldn't be decrypted */
s->internal->tlsext_ticket_expected = 1;
return 2;
case 3: /* ticket was decrypted */
return r;
case 4: /* ticket decrypted but need to renew */
s->internal->tlsext_ticket_expected = 1;
return 3;
default: /* fatal error */
return -1;
}
}
}
return 0;
}
/* cbs_convert_ber reads BER data from |in| and writes DER data to |out|. If
* |string_tag| is non-zero, then all elements must match |string_tag| up to the
* constructed bit and primitive element bodies are written to |out| without
* element headers. This is used when concatenating the fragments of a
* constructed string. If |looking_for_eoc| is set then any EOC elements found
* will cause the function to return after consuming it. It returns one on
* success and zero on error. */
static int cbs_convert_ber(CBS *in, CBB *out, unsigned string_tag,
char looking_for_eoc, unsigned depth) {
assert(!(string_tag & CBS_ASN1_CONSTRUCTED));
if (depth > kMaxDepth) {
return 0;
}
while (CBS_len(in) > 0) {
CBS contents;
unsigned tag, child_string_tag = string_tag;
size_t header_len;
CBB *out_contents, out_contents_storage;
if (!CBS_get_any_ber_asn1_element(in, &contents, &tag, &header_len)) {
return 0;
}
if (is_eoc(header_len, &contents)) {
return looking_for_eoc;
}
if (string_tag != 0) {
/* This is part of a constructed string. All elements must match
* |string_tag| up to the constructed bit and get appended to |out|
* without a child element. */
if ((tag & ~CBS_ASN1_CONSTRUCTED) != string_tag) {
return 0;
}
out_contents = out;
} else {
unsigned out_tag = tag;
if ((tag & CBS_ASN1_CONSTRUCTED) && is_string_type(tag)) {
/* If a constructed string, clear the constructed bit and inform
* children to concatenate bodies. */
out_tag &= ~CBS_ASN1_CONSTRUCTED;
child_string_tag = out_tag;
}
if (!CBB_add_asn1(out, &out_contents_storage, out_tag)) {
return 0;
}
out_contents = &out_contents_storage;
}
if (CBS_len(&contents) == header_len && header_len > 0 &&
CBS_data(&contents)[header_len - 1] == 0x80) {
/* This is an indefinite length element. */
if (!cbs_convert_ber(in, out_contents, child_string_tag,
1 /* looking for eoc */, depth + 1) ||
!CBB_flush(out)) {
return 0;
}
continue;
}
if (!CBS_skip(&contents, header_len)) {
return 0;
}
if (tag & CBS_ASN1_CONSTRUCTED) {
/* Recurse into children. */
if (!cbs_convert_ber(&contents, out_contents, child_string_tag,
0 /* not looking for eoc */, depth + 1)) {
return 0;
}
} else {
/* Copy primitive contents as-is. */
if (!CBB_add_bytes(out_contents, CBS_data(&contents),
CBS_len(&contents))) {
return 0;
}
}
if (!CBB_flush(out)) {
return 0;
}
}
return looking_for_eoc == 0;
}
/* cbs_convert_ber reads BER data from |in| and writes DER data to |out|. If
* |squash_header| is set then the top-level of elements from |in| will not
* have their headers written. This is used when concatenating the fragments of
* an indefinite length, primitive value. If |looking_for_eoc| is set then any
* EOC elements found will cause the function to return after consuming it.
* It returns one on success and zero on error. */
static int cbs_convert_ber(CBS *in, CBB *out, char squash_header,
char looking_for_eoc, unsigned depth) {
if (depth > kMaxDepth) {
return 0;
}
while (CBS_len(in) > 0) {
CBS contents;
unsigned tag;
size_t header_len;
CBB *out_contents, out_contents_storage;
if (!CBS_get_any_ber_asn1_element(in, &contents, &tag, &header_len)) {
return 0;
}
out_contents = out;
if (CBS_len(&contents) == header_len) {
if (is_eoc(header_len, &contents)) {
return looking_for_eoc;
}
if (header_len > 0 && CBS_data(&contents)[header_len - 1] == 0x80) {
/* This is an indefinite length element. If it's a SEQUENCE or SET then
* we just need to write the out the contents as normal, but with a
* concrete length prefix.
*
* If it's a something else then the contents will be a series of BER
* elements of the same type which need to be concatenated. */
const char context_specific = (tag & 0xc0) == 0x80;
char squash_child_headers = is_primitive_type(tag);
/* This is a hack, but it sufficies to handle NSS's output. If we find
* an indefinite length, context-specific tag with a definite, primitive
* tag inside it, then we assume that the context-specific tag is
* implicit and the tags within are fragments of a primitive type that
* need to be concatenated. */
if (context_specific && (tag & CBS_ASN1_CONSTRUCTED)) {
CBS in_copy, inner_contents;
unsigned inner_tag;
size_t inner_header_len;
CBS_init(&in_copy, CBS_data(in), CBS_len(in));
if (!CBS_get_any_ber_asn1_element(&in_copy, &inner_contents,
&inner_tag, &inner_header_len)) {
return 0;
}
if (CBS_len(&inner_contents) > inner_header_len &&
is_primitive_type(inner_tag)) {
squash_child_headers = 1;
}
}
if (!squash_header) {
unsigned out_tag = tag;
if (squash_child_headers) {
out_tag &= ~CBS_ASN1_CONSTRUCTED;
}
if (!CBB_add_asn1(out, &out_contents_storage, out_tag)) {
return 0;
}
out_contents = &out_contents_storage;
}
if (!cbs_convert_ber(in, out_contents,
squash_child_headers,
1 /* looking for eoc */, depth + 1)) {
return 0;
}
if (out_contents != out && !CBB_flush(out)) {
return 0;
}
continue;
}
}
if (!squash_header) {
if (!CBB_add_asn1(out, &out_contents_storage, tag)) {
return 0;
}
out_contents = &out_contents_storage;
}
if (!CBS_skip(&contents, header_len)) {
return 0;
}
if (tag & CBS_ASN1_CONSTRUCTED) {
if (!cbs_convert_ber(&contents, out_contents, 0 /* don't squash header */,
0 /* not looking for eoc */, depth + 1)) {
return 0;
}
} else {
if (!CBB_add_bytes(out_contents, CBS_data(&contents),
CBS_len(&contents))) {
return 0;
}
}
if (out_contents != out && !CBB_flush(out)) {
return 0;
}
}
return looking_for_eoc == 0;
}
