/* cbs_find_ber walks an ASN.1 structure in |orig_in| and sets |*ber_found|
 * depending on whether an indefinite length element was found. The value of
 * |orig_in| is not changed: the walk runs on a local copy. It returns one on
 * success (i.e. |*ber_found| was set) and zero on error.
 *
 * |depth| is the current nesting level. The recursion is refused once it
 * exceeds |kMaxDepth|, which bounds stack consumption on untrusted input. */
static int cbs_find_ber(CBS *orig_in, char *ber_found, unsigned depth) {
  CBS in;

  if (depth > kMaxDepth) {
    return 0;
  }

  CBS_init(&in, CBS_data(orig_in), CBS_len(orig_in));
  *ber_found = 0;

  while (CBS_len(&in) > 0) {
    CBS contents;
    unsigned tag;
    size_t header_len;

    if (!CBS_get_any_ber_asn1_element(&in, &contents, &tag, &header_len)) {
      return 0;
    }
    /* An element that consists only of its header and whose last header byte
     * is 0x80 is taken to be an indefinite-length element (presumably how the
     * BER element reader reports them -- confirm against it). */
    if (CBS_len(&contents) == header_len && header_len > 0 &&
        CBS_data(&contents)[header_len-1] == 0x80) {
      *ber_found = 1;
      return 1;
    }
    if (tag & CBS_ASN1_CONSTRUCTED) {
      /* Descend into the body (past the header) looking for nested
       * indefinite-length elements. */
      if (!CBS_skip(&contents, header_len) ||
          !cbs_find_ber(&contents, ber_found, depth + 1)) {
        return 0;
      }
    }
  }

  return 1;
}
/* eckey_pub_decode decodes an EC SubjectPublicKeyInfo. |params| must contain
 * exactly a named curve and |key| the encoded public point, which is handed
 * to EC_POINT_oct2point. On success the new EC_KEY is assigned to |out| and
 * one is returned. On error zero is returned and every temporary is freed. */
static int eckey_pub_decode(EVP_PKEY *out, CBS *params, CBS *key) {
  // See RFC 5480, section 2.
  // The parameters are a named curve.
  EC_POINT *point = NULL;
  EC_KEY *eckey = NULL;
  // Trailing bytes after the curve name are a decode error.
  EC_GROUP *group = EC_KEY_parse_curve_name(params);
  if (group == NULL || CBS_len(params) != 0) {
    OPENSSL_PUT_ERROR(EVP, EVP_R_DECODE_ERROR);
    goto err;
  }

  eckey = EC_KEY_new();
  if (eckey == NULL ||
      !EC_KEY_set_group(eckey, group)) {
    goto err;
  }

  // EC_POINT_oct2point validates the encoding against |group|; a point that
  // does not decode is rejected here rather than stored.
  point = EC_POINT_new(group);
  if (point == NULL ||
      !EC_POINT_oct2point(group, point, CBS_data(key), CBS_len(key), NULL) ||
      !EC_KEY_set_public_key(eckey, point)) {
    goto err;
  }

  // The local references to |group| and |point| are dropped on both paths;
  // |eckey| presumably holds its own (verify against EC_KEY_set_group).
  EC_GROUP_free(group);
  EC_POINT_free(point);
  EVP_PKEY_assign_EC_KEY(out, eckey);
  return 1;

err:
  EC_GROUP_free(group);
  EC_POINT_free(point);
  EC_KEY_free(eckey);
  return 0;
}
/* ssl3_get_record reads a new input record. On success, it places it in
 * |ssl->s3->rrec| and returns one. Otherwise it returns <= 0 on error or if
 * more data is needed: zero when a close_notify has been received (or the
 * receive side was already shut down that way), and a negative value for a
 * fatal alert, a protocol error, or a failed underlying read. */
static int ssl3_get_record(SSL *ssl) {
again:
  /* Refuse to read further once the receive side has been shut down. */
  switch (ssl->s3->recv_shutdown) {
    case ssl_shutdown_none:
      break;
    case ssl_shutdown_fatal_alert:
      OPENSSL_PUT_ERROR(SSL, SSL_R_PROTOCOL_IS_SHUTDOWN);
      return -1;
    case ssl_shutdown_close_notify:
      return 0;
  }

  CBS body;
  uint8_t type, alert;
  size_t consumed;
  enum ssl_open_record_t open_ret =
      tls_open_record(ssl, &type, &body, &consumed, &alert,
                      ssl_read_buffer(ssl), ssl_read_buffer_len(ssl));
  /* For a partial record nothing is consumed; |consumed| appears to carry the
   * size the buffer must be extended to instead (see the partial case). */
  if (open_ret != ssl_open_record_partial) {
    ssl_read_buffer_consume(ssl, consumed);
  }
  switch (open_ret) {
    case ssl_open_record_partial: {
      int read_ret = ssl_read_buffer_extend_to(ssl, consumed);
      if (read_ret <= 0) {
        return read_ret;
      }
      goto again;
    }

    case ssl_open_record_success:
      /* |rr->length| is a uint16_t; anything larger cannot be represented. */
      if (CBS_len(&body) > 0xffff) {
        OPENSSL_PUT_ERROR(SSL, ERR_R_OVERFLOW);
        return -1;
      }

      SSL3_RECORD *rr = &ssl->s3->rrec;
      rr->type = type;
      rr->length = (uint16_t)CBS_len(&body);
      rr->data = (uint8_t *)CBS_data(&body);
      return 1;

    case ssl_open_record_discard:
      /* The record was consumed and carried nothing for the caller. */
      goto again;

    case ssl_open_record_close_notify:
      return 0;

    case ssl_open_record_fatal_alert:
      return -1;

    case ssl_open_record_error:
      /* The peer is told why we are giving up; |alert| was chosen by
       * tls_open_record. */
      ssl3_send_alert(ssl, SSL3_AL_FATAL, alert);
      return -1;
  }

  /* Every enum value is handled above. */
  assert(0);
  OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
  return -1;
}
/* ssl3_get_finished reads the peer's Finished message and compares it against
 * the expected verify_data in |s->s3->tmp.peer_finish_md|. On success the
 * verify_data is also saved for renegotiation checks and one is returned.
 * Returns zero after sending a fatal alert on a protocol or comparison
 * failure, and the (negative/zero) result of ssl_get_message when the message
 * is not yet available. */
int ssl3_get_finished(SSL *s, int a, int b) {
  int al, ok, md_len;
  long n;
  CBS cbs;

  n = s->method->ssl_get_message(s, a, b, SSL3_MT_FINISHED, 64, /* should actually be 36+4 :-) */
                                 &ok);

  if (!ok)
    return ((int)n);

  /* If this occurs, we have missed a message */
  if (!s->s3->change_cipher_spec) {
    al = SSL_AD_UNEXPECTED_MESSAGE;
    SSLerr(SSL_F_SSL3_GET_FINISHED, SSL_R_GOT_A_FIN_BEFORE_A_CCS);
    goto f_err;
  }
  s->s3->change_cipher_spec = 0;

  md_len = s->s3->tmp.peer_finish_md_len;

  if (n < 0) {
    al = SSL_AD_DECODE_ERROR;
    SSLerr(SSL_F_SSL3_GET_FINISHED, SSL_R_BAD_DIGEST_LENGTH);
    goto f_err;
  }

  CBS_init(&cbs, s->init_msg, n);

  /* The first clause is always false (|md_len| was just copied from the same
   * field); the second requires the message to be exactly the digest size. */
  if (s->s3->tmp.peer_finish_md_len != md_len ||
      (int)CBS_len(&cbs) != md_len) {
    al = SSL_AD_DECODE_ERROR;
    SSLerr(SSL_F_SSL3_GET_FINISHED, SSL_R_BAD_DIGEST_LENGTH);
    goto f_err;
  }

  /* CBS_mem_equal is used so that the comparison does not leak, through
   * timing, how many leading bytes of a wrong verify_data matched. */
  if (!CBS_mem_equal(&cbs, s->s3->tmp.peer_finish_md, CBS_len(&cbs))) {
    al = SSL_AD_DECRYPT_ERROR;
    SSLerr(SSL_F_SSL3_GET_FINISHED, SSL_R_DIGEST_CHECK_FAILED);
    goto f_err;
  }

  /* Copy the finished so we can use it for renegotiation checks */
  if (s->type == SSL_ST_ACCEPT) {
    OPENSSL_assert(md_len <= EVP_MAX_MD_SIZE);
    memcpy(s->s3->previous_client_finished, s->s3->tmp.peer_finish_md, md_len);
    s->s3->previous_client_finished_len = md_len;
  } else {
    OPENSSL_assert(md_len <= EVP_MAX_MD_SIZE);
    memcpy(s->s3->previous_server_finished, s->s3->tmp.peer_finish_md, md_len);
    s->s3->previous_server_finished_len = md_len;
  }

  return (1);

f_err:
  ssl3_send_alert(s, SSL3_AL_FATAL, al);
  return (0);
}
/* tls13_process_certificate_verify parses the peer's CertificateVerify
 * message from |ssl->init_msg| and checks its signature against the public key
 * of the peer certificate in the new session. Returns one on success and zero
 * on failure; on failure a fatal alert has been sent unless the peer key could
 * not be extracted. */
int tls13_process_certificate_verify(SSL *ssl) {
  int ret = 0;
  X509 *peer = ssl->s3->new_session->peer;
  EVP_PKEY *pkey = NULL;
  uint8_t *msg = NULL;
  size_t msg_len;

  /* Filter out unsupported certificate types. */
  pkey = X509_get_pubkey(peer);
  if (pkey == NULL) {
    goto err;
  }

  /* CertificateVerify: SignatureScheme (u16) followed by an opaque<0..2^16-1>
   * signature, with nothing trailing. */
  CBS cbs, signature;
  uint16_t signature_algorithm;

  CBS_init(&cbs, ssl->init_msg, ssl->init_num);
  if (!CBS_get_u16(&cbs, &signature_algorithm) ||
      !CBS_get_u16_length_prefixed(&cbs, &signature) ||
      CBS_len(&cbs) != 0) {
    OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
    ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
    goto err;
  }

  /* The algorithm must be one we advertised and one the key supports. */
  int al;
  if (!tls12_check_peer_sigalg(ssl, &al, signature_algorithm)) {
    ssl3_send_alert(ssl, SSL3_AL_FATAL, al);
    goto err;
  }
  ssl->s3->tmp.peer_signature_algorithm = signature_algorithm;

  /* The signed input is derived from the transcript; the role selects the
   * context string so client and server signatures cannot be swapped. */
  if (!tls13_get_cert_verify_signature_input(
          ssl, &msg, &msg_len,
          ssl->server ? ssl_cert_verify_client : ssl_cert_verify_server)) {
    ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
    goto err;
  }

  int sig_ok =
      ssl_public_key_verify(ssl, CBS_data(&signature), CBS_len(&signature),
                            signature_algorithm, pkey, msg, msg_len);
#if defined(BORINGSSL_UNSAFE_FUZZER_MODE)
  /* Fuzzing builds only: signature checks are bypassed so that corpus inputs
   * reach the later handshake states. Never enabled in production builds. */
  sig_ok = 1;
  ERR_clear_error();
#endif
  if (!sig_ok) {
    OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_SIGNATURE);
    ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECRYPT_ERROR);
    goto err;
  }

  ret = 1;

err:
  EVP_PKEY_free(pkey);
  OPENSSL_free(msg);
  return ret;
}
/* do_process_certificate_request handles an optional TLS 1.3
 * CertificateRequest from the server. If the cipher does not use certificate
 * authentication the state machine skips ahead to the server Finished; if the
 * current message is not a CertificateRequest it moves to the server
 * Certificate without consuming it. Otherwise the request is parsed, the
 * advertised signature algorithms and CA names are recorded in |ssl->s3->tmp|,
 * and the message is added to the transcript. */
static enum ssl_hs_wait_t do_process_certificate_request(SSL *ssl,
                                                         SSL_HANDSHAKE *hs) {
  ssl->s3->tmp.cert_request = 0;

  /* CertificateRequest may only be sent in certificate-based ciphers. */
  if (!ssl_cipher_uses_certificate_auth(ssl->s3->tmp.new_cipher)) {
    hs->state = state_process_server_finished;
    return ssl_hs_ok;
  }

  /* CertificateRequest is optional. */
  if (ssl->s3->tmp.message_type != SSL3_MT_CERTIFICATE_REQUEST) {
    hs->state = state_process_server_certificate;
    return ssl_hs_ok;
  }

  CBS cbs, context, supported_signature_algorithms;
  CBS_init(&cbs, ssl->init_msg, ssl->init_num);
  /* An empty signature-algorithm list is rejected so the client is never left
   * without an algorithm to sign with. */
  if (!CBS_get_u8_length_prefixed(&cbs, &context) ||
      /* The request context is always empty during the handshake. */
      CBS_len(&context) != 0 ||
      !CBS_get_u16_length_prefixed(&cbs, &supported_signature_algorithms) ||
      CBS_len(&supported_signature_algorithms) == 0 ||
      !tls1_parse_peer_sigalgs(ssl, &supported_signature_algorithms)) {
    ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
    OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
    return ssl_hs_error;
  }

  uint8_t alert;
  STACK_OF(X509_NAME) *ca_sk = ssl_parse_client_CA_list(ssl, &alert, &cbs);
  if (ca_sk == NULL) {
    ssl3_send_alert(ssl, SSL3_AL_FATAL, alert);
    return ssl_hs_error;
  }

  /* Ignore extensions. */
  CBS extensions;
  if (!CBS_get_u16_length_prefixed(&cbs, &extensions) ||
      CBS_len(&cbs) != 0) {
    /* NOTE(review): |ca_sk| is not released on this path -- confirm whether
     * the caller's error handling covers it. */
    ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
    OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
    return ssl_hs_error;
  }

  ssl->s3->tmp.cert_request = 1;
  /* Replace any previously stored CA list; ownership of |ca_sk| moves to
   * |ssl->s3->tmp|. */
  sk_X509_NAME_pop_free(ssl->s3->tmp.ca_names, X509_NAME_free);
  ssl->s3->tmp.ca_names = ca_sk;

  if (!ssl->method->hash_current_message(ssl)) {
    return ssl_hs_error;
  }

  hs->state = state_process_server_certificate;
  return ssl_hs_read_message;
}
/* pkcs7_parse_header reads the non-certificate/non-CRL prefix of a PKCS#7
 * SignedData blob from |cbs| and sets |*out| to point to the rest of the
 * input. If the input is in BER format, then |*der_bytes| will be set to a
 * pointer that needs to be freed by the caller once they have finished
 * processing |*out| (which will be pointing into |*der_bytes|).
 *
 * It returns one on success or zero on error. On error, |*der_bytes| is
 * NULL. */
static int pkcs7_parse_header(uint8_t **der_bytes, CBS *out, CBS *cbs) {
  size_t der_len;
  CBS in, content_info, content_type, wrapped_signed_data, signed_data;
  uint64_t version;

  /* The input may be in BER format. */
  *der_bytes = NULL;
  if (!CBS_asn1_ber_to_der(cbs, der_bytes, &der_len)) {
    return 0;
  }
  /* A NULL |*der_bytes| after a successful conversion means the input was
   * already DER and can be parsed in place. */
  if (*der_bytes != NULL) {
    CBS_init(&in, *der_bytes, der_len);
  } else {
    CBS_init(&in, CBS_data(cbs), CBS_len(cbs));
  }

  /* See https://tools.ietf.org/html/rfc2315#section-7 */
  if (!CBS_get_asn1(&in, &content_info, CBS_ASN1_SEQUENCE) ||
      !CBS_get_asn1(&content_info, &content_type, CBS_ASN1_OBJECT)) {
    goto err;
  }

  /* Only signedData content is accepted here. */
  if (OBJ_cbs2nid(&content_type) != NID_pkcs7_signed) {
    OPENSSL_PUT_ERROR(X509, pkcs7_parse_header, X509_R_NOT_PKCS7_SIGNED_DATA);
    goto err;
  }

  /* See https://tools.ietf.org/html/rfc2315#section-9.1 */
  /* The digestAlgorithms SET and contentInfo SEQUENCE are skipped; only their
   * presence and framing are checked. */
  if (!CBS_get_asn1(&content_info, &wrapped_signed_data,
                    CBS_ASN1_CONTEXT_SPECIFIC | CBS_ASN1_CONSTRUCTED | 0) ||
      !CBS_get_asn1(&wrapped_signed_data, &signed_data, CBS_ASN1_SEQUENCE) ||
      !CBS_get_asn1_uint64(&signed_data, &version) ||
      !CBS_get_asn1(&signed_data, NULL /* digests */, CBS_ASN1_SET) ||
      !CBS_get_asn1(&signed_data, NULL /* content */, CBS_ASN1_SEQUENCE)) {
    goto err;
  }

  if (version < 1) {
    OPENSSL_PUT_ERROR(X509, pkcs7_parse_header, X509_R_BAD_PKCS7_VERSION);
    goto err;
  }

  /* |*out| aliases the remainder of |signed_data|, which lives in either
   * |*der_bytes| or the caller's |cbs| buffer. */
  CBS_init(out, CBS_data(&signed_data), CBS_len(&signed_data));
  return 1;

err:
  if (*der_bytes) {
    OPENSSL_free(*der_bytes);
    *der_bytes = NULL;
  }

  return 0;
}
/* tls13_process_certificate_verify parses the peer's CertificateVerify
 * message from |ssl->init_msg| and checks its signature with
 * |hs->peer_pubkey|. Returns one on success and zero on failure; a fatal alert
 * is sent on every failure except a missing peer key. */
int tls13_process_certificate_verify(SSL_HANDSHAKE *hs) {
  SSL *const ssl = hs->ssl;
  int ret = 0;
  uint8_t *msg = NULL;
  size_t msg_len;

  /* The Certificate message must already have supplied a usable key. */
  if (hs->peer_pubkey == NULL) {
    goto err;
  }

  /* CertificateVerify: SignatureScheme (u16) followed by an opaque<0..2^16-1>
   * signature, with nothing trailing. */
  CBS cbs, signature;
  uint16_t signature_algorithm;

  CBS_init(&cbs, ssl->init_msg, ssl->init_num);
  if (!CBS_get_u16(&cbs, &signature_algorithm) ||
      !CBS_get_u16_length_prefixed(&cbs, &signature) ||
      CBS_len(&cbs) != 0) {
    OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
    ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
    goto err;
  }

  /* The algorithm must be one we advertised and one the key supports. */
  int al;
  if (!tls12_check_peer_sigalg(ssl, &al, signature_algorithm)) {
    ssl3_send_alert(ssl, SSL3_AL_FATAL, al);
    goto err;
  }
  ssl->s3->new_session->peer_signature_algorithm = signature_algorithm;

  /* The signed input is derived from the transcript; the role selects the
   * context string so client and server signatures cannot be swapped. */
  if (!tls13_get_cert_verify_signature_input(
          ssl, &msg, &msg_len,
          ssl->server ? ssl_cert_verify_client : ssl_cert_verify_server)) {
    ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
    goto err;
  }

  int sig_ok =
      ssl_public_key_verify(ssl, CBS_data(&signature), CBS_len(&signature),
                            signature_algorithm, hs->peer_pubkey, msg, msg_len);
#if defined(BORINGSSL_UNSAFE_FUZZER_MODE)
  /* Fuzzing builds only: signature checks are bypassed so that corpus inputs
   * reach the later handshake states. Never enabled in production builds. */
  sig_ok = 1;
  ERR_clear_error();
#endif
  if (!sig_ok) {
    OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_SIGNATURE);
    ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECRYPT_ERROR);
    goto err;
  }

  ret = 1;

err:
  OPENSSL_free(msg);
  return ret;
}
/* test_skip checks that CBS_skip advances past the requested number of bytes
 * and that skipping beyond the end of the buffer is rejected. Returns one on
 * success and zero on failure. */
static int test_skip(void) {
  static const uint8_t kData[] = {1, 2, 3};
  CBS data;

  CBS_init(&data, kData, sizeof(kData));
  if (CBS_len(&data) != 3) {
    return 0;
  }
  if (!CBS_skip(&data, 1) || CBS_len(&data) != 2) {
    return 0;
  }
  if (!CBS_skip(&data, 2) || CBS_len(&data) != 0) {
    return 0;
  }
  /* The buffer is exhausted; one more byte must not be skippable. */
  return !CBS_skip(&data, 1);
}
/* SSL_SESSION_parse_bounded_octet_string parses an optional ASN.1 OCTET STRING
 * explicitly tagged with |tag| of size at most |max_out|. The contents are
 * copied into |out| and their length stored in |*out_len|. It returns one on
 * success and zero, with SSL_R_INVALID_SSL_SESSION queued, if the element is
 * malformed or longer than |max_out|. */
static int SSL_SESSION_parse_bounded_octet_string(
    CBS *cbs, uint8_t *out, uint8_t *out_len, uint8_t max_out, unsigned tag) {
  CBS contents;
  const int parsed =
      CBS_get_optional_asn1_octet_string(cbs, &contents, NULL, tag);
  /* The bound is enforced before the copy: |out| holds |max_out| bytes. */
  if (parsed && CBS_len(&contents) <= max_out) {
    const size_t len = CBS_len(&contents);
    OPENSSL_memcpy(out, CBS_data(&contents), len);
    *out_len = (uint8_t)len;
    return 1;
  }
  OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION);
  return 0;
}
/* EVP_PKEY_CTX_get0_rsa_oaep_label sets |*out_label| to the OAEP label
 * configured on |ctx| and returns its length. The label is not copied. It
 * returns -1 if the ctrl fails or if the length does not fit in an int. */
int EVP_PKEY_CTX_get0_rsa_oaep_label(EVP_PKEY_CTX *ctx,
                                     const uint8_t **out_label) {
  CBS label;
  const int fetched =
      EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_CRYPT,
                        EVP_PKEY_CTRL_GET_RSA_OAEP_LABEL, 0, &label);
  if (!fetched) {
    return -1;
  }

  const size_t len = CBS_len(&label);
  /* The length travels through the int return value; refuse what it cannot
   * represent rather than truncating. */
  if (len > INT_MAX) {
    OPENSSL_PUT_ERROR(EVP, EVP_PKEY_CTX_get0_rsa_oaep_label, ERR_R_OVERFLOW);
    return -1;
  }

  *out_label = CBS_data(&label);
  return (int)len;
}
/* tls13_process_new_session_ticket parses a TLS 1.3 NewSessionTicket from
 * |ssl->init_msg| into a copy of the established session and offers it to the
 * context's |new_session_cb|. Returns one on success (whether or not the
 * callback took the session) and zero on a decode or allocation failure. */
int tls13_process_new_session_ticket(SSL *ssl) {
  /* The ticket describes a resumption of the current session, so start from a
   * copy of it rather than a blank session. */
  SSL_SESSION *session =
      SSL_SESSION_dup(ssl->s3->established_session,
                      SSL_SESSION_INCLUDE_NONAUTH);
  if (session == NULL) {
    return 0;
  }

  /* ticket_lifetime (u32), ticket_flags (u32), ticket_age_add (u32), an
   * extensions block that is parsed but otherwise ignored, and the ticket. */
  CBS cbs, extensions, ticket;
  CBS_init(&cbs, ssl->init_msg, ssl->init_num);
  if (!CBS_get_u32(&cbs, &session->tlsext_tick_lifetime_hint) ||
      !CBS_get_u32(&cbs, &session->ticket_flags) ||
      !CBS_get_u32(&cbs, &session->ticket_age_add) ||
      !CBS_get_u16_length_prefixed(&cbs, &extensions) ||
      !CBS_get_u16_length_prefixed(&cbs, &ticket) ||
      !CBS_stow(&ticket, &session->tlsext_tick, &session->tlsext_ticklen) ||
      CBS_len(&cbs) != 0) {
    SSL_SESSION_free(session);
    ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
    OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
    return 0;
  }

  session->ticket_age_add_valid = 1;
  session->not_resumable = 0;

  if (ssl->ctx->new_session_cb != NULL &&
      ssl->ctx->new_session_cb(ssl, session)) {
    /* |new_session_cb|'s return value signals that it took ownership. */
    return 1;
  }

  /* Nobody wanted the session; drop our reference. This is not an error. */
  SSL_SESSION_free(session);
  return 1;
}
/* do_process_encrypted_extensions consumes the server's EncryptedExtensions
 * message, feeds its body to the ServerHello extension parser, adds the
 * message to the transcript and advances to the CertificateRequest state.
 * Returns ssl_hs_error on a wrong message type, an extension parse failure or
 * trailing data. */
static enum ssl_hs_wait_t do_process_encrypted_extensions(SSL *ssl,
                                                          SSL_HANDSHAKE *hs) {
  if (!tls13_check_message_type(ssl, SSL3_MT_ENCRYPTED_EXTENSIONS)) {
    return ssl_hs_error;
  }

  CBS body;
  CBS_init(&body, ssl->init_msg, ssl->init_num);
  if (!ssl_parse_serverhello_tlsext(ssl, &body)) {
    OPENSSL_PUT_ERROR(SSL, SSL_R_PARSE_TLSEXT);
    return ssl_hs_error;
  }

  /* Anything left after the extensions block is a malformed message. */
  if (CBS_len(&body) > 0) {
    OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
    ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
    return ssl_hs_error;
  }

  if (!ssl->method->hash_current_message(ssl)) {
    return ssl_hs_error;
  }

  hs->state = state_process_certificate_request;
  return ssl_hs_read_message;
}
/* CBS_asn1_ber_to_der converts the BER structure in |in| to DER. If no
 * conversion is needed, |*out| is set to NULL and |*out_len| to zero and one is
 * returned. Otherwise |*out| receives a newly allocated DER encoding of length
 * |*out_len| that the caller must free. Returns zero on error. */
int CBS_asn1_ber_to_der(CBS *in, uint8_t **out, size_t *out_len) {
  /* First, do a quick walk to find any indefinite-length elements. Most of the
   * time we hope that there aren't any and thus we can quickly return. */
  char needs_conversion;
  if (!cbs_find_ber(in, &needs_conversion, 0)) {
    return 0;
  }
  if (!needs_conversion) {
    *out = NULL;
    *out_len = 0;
    return 1;
  }

  CBB cbb;
  const int converted = CBB_init(&cbb, CBS_len(in)) &&
                        cbs_convert_ber(in, &cbb, 0, 0, 0) &&
                        CBB_finish(&cbb, out, out_len);
  if (!converted) {
    CBB_cleanup(&cbb);
    return 0;
  }
  return 1;
}
/* DSA_parse_private_key decodes a DSA private key from the DER SEQUENCE at the
 * front of |cbs|: version 0 followed by the INTEGERs p, q, g, y and x. It
 * returns a newly allocated DSA on success and NULL, with an error queued, on
 * a decode failure or a version other than zero. */
DSA *DSA_parse_private_key(CBS *cbs) {
  DSA *dsa = DSA_new();
  if (dsa == NULL) {
    return NULL;
  }

  CBS seq;
  uint64_t version;
  if (!CBS_get_asn1(cbs, &seq, CBS_ASN1_SEQUENCE) ||
      !CBS_get_asn1_uint64(&seq, &version)) {
    OPENSSL_PUT_ERROR(DSA, DSA_R_DECODE_ERROR);
    DSA_free(dsa);
    return NULL;
  }

  /* Only version 0 private keys are defined. */
  if (version != 0) {
    OPENSSL_PUT_ERROR(DSA, DSA_R_BAD_VERSION);
    DSA_free(dsa);
    return NULL;
  }

  /* The five INTEGERs must be present in order with nothing after them. */
  const int fields_ok = parse_integer(&seq, &dsa->p) &&
                        parse_integer(&seq, &dsa->q) &&
                        parse_integer(&seq, &dsa->g) &&
                        parse_integer(&seq, &dsa->pub_key) &&
                        parse_integer(&seq, &dsa->priv_key) &&
                        CBS_len(&seq) == 0;
  if (!fields_ok) {
    OPENSSL_PUT_ERROR(DSA, DSA_R_DECODE_ERROR);
    DSA_free(dsa);
    return NULL;
  }

  return dsa;
}
/* dtls1_get_hello_verify reads an optional DTLS HelloVerifyRequest. If the
 * next message is something else it is left for the caller (reuse_message)
 * and no cookie is sent. Otherwise the server's cookie is copied into
 * |s->d1->cookie| and |send_cookie| is set. Returns one on success, -1 after
 * sending a fatal alert on a malformed message, and ssl_get_message's result
 * when no message is available yet. */
static int dtls1_get_hello_verify(SSL *s) {
  long n;
  int al, ok = 0;
  CBS hello_verify_request, cookie;
  uint16_t server_version;

  n = s->method->ssl_get_message(
      s, DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A, DTLS1_ST_CR_HELLO_VERIFY_REQUEST_B,
      -1,
      /* Use the same maximum size as ssl3_get_server_hello. */
      20000, ssl_hash_message, &ok);

  if (!ok) {
    /* NOTE(review): |n| is a long returned through an int -- confirm the
     * values ssl_get_message yields here always fit. */
    return n;
  }

  if (s->s3->tmp.message_type != DTLS1_MT_HELLO_VERIFY_REQUEST) {
    s->d1->send_cookie = 0;
    s->s3->tmp.reuse_message = 1;
    return 1;
  }

  /* server_version (u16) and an opaque<0..255> cookie, nothing trailing. */
  CBS_init(&hello_verify_request, s->init_msg, n);

  if (!CBS_get_u16(&hello_verify_request, &server_version) ||
      !CBS_get_u8_length_prefixed(&hello_verify_request, &cookie) ||
      CBS_len(&hello_verify_request) != 0) {
    al = SSL_AD_DECODE_ERROR;
    OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
    goto f_err;
  }

  /* The cookie is peer-controlled; it must fit the fixed buffer before the
   * copy below. */
  if (CBS_len(&cookie) > sizeof(s->d1->cookie)) {
    al = SSL_AD_ILLEGAL_PARAMETER;
    goto f_err;
  }
  memcpy(s->d1->cookie, CBS_data(&cookie), CBS_len(&cookie));
  s->d1->cookie_len = CBS_len(&cookie);

  s->d1->send_cookie = 1;
  return 1;

f_err:
  ssl3_send_alert(s, SSL3_AL_FATAL, al);
  return -1;
}
/* do_process_hello_retry_request handles an optional TLS 1.3
 * HelloRetryRequest. If the current message is not one, the state machine
 * moves straight to ServerHello processing. Otherwise the requested group is
 * validated -- it must be one we support and must not be one we already
 * offered a key share for -- the pending key shares are cleared, the group is
 * recorded as |retry_group| and a second ClientHello is scheduled. */
static enum ssl_hs_wait_t do_process_hello_retry_request(SSL *ssl,
                                                         SSL_HANDSHAKE *hs) {
  if (ssl->s3->tmp.message_type != SSL3_MT_HELLO_RETRY_REQUEST) {
    hs->state = state_process_server_hello;
    return ssl_hs_ok;
  }

  /* server_version (u16), cipher_suite (u16), selected group (u16) and an
   * extensions block with nothing trailing. Only the group is used. */
  CBS cbs, extensions;
  uint16_t server_wire_version, cipher_suite, group_id;
  CBS_init(&cbs, ssl->init_msg, ssl->init_num);
  if (!CBS_get_u16(&cbs, &server_wire_version) ||
      !CBS_get_u16(&cbs, &cipher_suite) ||
      !CBS_get_u16(&cbs, &group_id) ||
      /* We do not currently parse any HelloRetryRequest extensions. */
      !CBS_get_u16_length_prefixed(&cbs, &extensions) ||
      CBS_len(&cbs) != 0) {
    ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
    return ssl_hs_error;
  }

  /* TODO(svaldez): Don't do early_data on HelloRetryRequest. */
  /* The server may only ask for a group from our own supported list. */
  const uint16_t *groups;
  size_t groups_len;
  tls1_get_grouplist(ssl, 0 /* local groups */, &groups, &groups_len);
  int found = 0;
  for (size_t i = 0; i < groups_len; i++) {
    if (groups[i] == group_id) {
      found = 1;
      break;
    }
  }

  if (!found) {
    ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
    OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CURVE);
    return ssl_hs_error;
  }

  for (size_t i = 0; i < ssl->s3->hs->groups_len; i++) {
    /* Check that the HelloRetryRequest does not request a key share that was
     * provided in the initial ClientHello.
     *
     * TODO(svaldez): Don't enforce this check when the HelloRetryRequest is due
     * to a cookie. */
    if (SSL_ECDH_CTX_get_id(&ssl->s3->hs->groups[i]) == group_id) {
      ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
      OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CURVE);
      return ssl_hs_error;
    }
  }

  /* Discard the original key shares; the second ClientHello offers only the
   * group the server asked for. */
  ssl_handshake_clear_groups(ssl->s3->hs);
  ssl->s3->hs->retry_group = group_id;

  hs->state = state_send_second_client_hello;
  return ssl_hs_ok;
}
/* CBS_get_asn1_implicit_string reads an implicitly-tagged string element with
 * tag |outer_tag| from |in|. A primitive element is returned directly in |out|
 * with |*out_storage| set to NULL. A constructed element (one level of
 * |inner_tag| chunks) is concatenated into a fresh buffer that |out| points
 * into and that |*out_storage| hands to the caller to free. Returns one on
 * success and zero on error. */
int CBS_get_asn1_implicit_string(CBS *in, CBS *out, uint8_t **out_storage,
                                 unsigned outer_tag, unsigned inner_tag) {
  /* Callers pass the primitive tags; the constructed bit is applied here. */
  assert(!(outer_tag & CBS_ASN1_CONSTRUCTED));
  assert(!(inner_tag & CBS_ASN1_CONSTRUCTED));
  assert(is_string_type(inner_tag));

  if (CBS_peek_asn1_tag(in, outer_tag)) {
    /* Normal implicitly-tagged string. */
    *out_storage = NULL;
    return CBS_get_asn1(in, out, outer_tag);
  }

  /* Otherwise, try to parse an implicitly-tagged constructed string.
   * |CBS_asn1_ber_to_der| is assumed to have run, so only allow one level deep
   * of nesting. */
  CBB result;
  CBS child;
  if (!CBB_init(&result, CBS_len(in)) ||
      !CBS_get_asn1(in, &child, outer_tag | CBS_ASN1_CONSTRUCTED)) {
    goto err;
  }

  /* Each chunk must itself be a primitive |inner_tag| element. */
  while (CBS_len(&child) > 0) {
    CBS chunk;
    if (!CBS_get_asn1(&child, &chunk, inner_tag) ||
        !CBB_add_bytes(&result, CBS_data(&chunk), CBS_len(&chunk))) {
      goto err;
    }
  }

  uint8_t *data;
  size_t len;
  if (!CBB_finish(&result, &data, &len)) {
    goto err;
  }

  /* Ownership of |data| passes to the caller through |*out_storage|. */
  CBS_init(out, data, len);
  *out_storage = data;
  return 1;

err:
  CBB_cleanup(&result);
  return 0;
}
/* rsa_priv_decode decodes an RSA PrivateKeyInfo. |params| must be exactly an
 * ASN.1 NULL and |key| exactly an RSAPrivateKey. On success the key is assigned
 * to |out| and one is returned; zero is returned with an error queued
 * otherwise. */
static int rsa_priv_decode(EVP_PKEY *out, CBS *params, CBS *key) {
  // Per RFC 3447, A.1, the parameters have type NULL.
  CBS null;
  const int params_ok = CBS_get_asn1(params, &null, CBS_ASN1_NULL) &&
                        CBS_len(&null) == 0 && CBS_len(params) == 0;
  if (!params_ok) {
    OPENSSL_PUT_ERROR(EVP, EVP_R_DECODE_ERROR);
    return 0;
  }

  // Trailing bytes after the key structure are rejected, not ignored.
  RSA *rsa = RSA_parse_private_key(key);
  if (rsa != NULL && CBS_len(key) == 0) {
    EVP_PKEY_assign_RSA(out, rsa);
    return 1;
  }

  OPENSSL_PUT_ERROR(EVP, EVP_R_DECODE_ERROR);
  RSA_free(rsa);
  return 0;
}
/* RSA_private_key_from_bytes parses a DER-encoded RSAPrivateKey from the
 * |in_len| bytes at |in|. The whole input must be consumed. Returns a newly
 * allocated RSA on success and NULL, with RSA_R_BAD_ENCODING queued, on
 * failure. */
RSA *RSA_private_key_from_bytes(const uint8_t *in, size_t in_len) {
  CBS cbs;
  CBS_init(&cbs, in, in_len);

  RSA *rsa = RSA_parse_private_key(&cbs);
  if (rsa != NULL && CBS_len(&cbs) == 0) {
    return rsa;
  }

  /* Either the structure failed to parse or there were trailing bytes. */
  OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_ENCODING);
  RSA_free(rsa);
  return NULL;
}
/* eckey_priv_decode decodes an EC PrivateKeyInfo. |params| must be exactly the
 * curve parameters and |key| exactly an ECPrivateKey for that curve. On success
 * the key is assigned to |out| and one is returned; zero is returned with an
 * error queued otherwise. */
static int eckey_priv_decode(EVP_PKEY *out, CBS *params, CBS *key) {
  // See RFC 5915.
  EC_GROUP *group = EC_KEY_parse_parameters(params);
  if (group == NULL || CBS_len(params) != 0) {
    OPENSSL_PUT_ERROR(EVP, EVP_R_DECODE_ERROR);
    EC_GROUP_free(group);
    return 0;
  }

  // The group is only needed for parsing; drop our reference immediately.
  EC_KEY *ec_key = EC_KEY_parse_private_key(key, group);
  EC_GROUP_free(group);
  if (ec_key != NULL && CBS_len(key) == 0) {
    EVP_PKEY_assign_EC_KEY(out, ec_key);
    return 1;
  }

  OPENSSL_PUT_ERROR(EVP, EVP_R_DECODE_ERROR);
  EC_KEY_free(ec_key);
  return 0;
}
/* ECDSA_SIG_from_bytes parses a DER-encoded ECDSA signature from the |in_len|
 * bytes at |in|. The whole input must be consumed. Returns a newly allocated
 * ECDSA_SIG on success and NULL, with ECDSA_R_BAD_SIGNATURE queued, on
 * failure. */
ECDSA_SIG *ECDSA_SIG_from_bytes(const uint8_t *in, size_t in_len) {
  CBS cbs;
  CBS_init(&cbs, in, in_len);

  ECDSA_SIG *sig = ECDSA_SIG_parse(&cbs);
  if (sig != NULL && CBS_len(&cbs) == 0) {
    return sig;
  }

  /* Trailing bytes are rejected so that a signature has one encoding. */
  OPENSSL_PUT_ERROR(ECDSA, ECDSA_R_BAD_SIGNATURE);
  ECDSA_SIG_free(sig);
  return NULL;
}
/* test_get_prefixed checks the 8-, 16- and 24-bit length-prefixed readers on a
 * fixed buffer containing one element of each. Returns one on success and zero
 * on failure. */
static int test_get_prefixed(void) {
  static const uint8_t kData[] = {1, 2, 0, 2, 3, 4, 0, 0, 3, 3, 2, 1};
  uint8_t u8;
  uint16_t u16;
  uint32_t u32;
  CBS data, prefixed;

  CBS_init(&data, kData, sizeof(kData));

  /* One-byte length 1, payload {2}. */
  if (!CBS_get_u8_length_prefixed(&data, &prefixed) ||
      CBS_len(&prefixed) != 1 ||
      !CBS_get_u8(&prefixed, &u8) ||
      u8 != 2) {
    return 0;
  }

  /* Two-byte length 2, payload {3, 4} read big-endian. */
  if (!CBS_get_u16_length_prefixed(&data, &prefixed) ||
      CBS_len(&prefixed) != 2 ||
      !CBS_get_u16(&prefixed, &u16) ||
      u16 != 0x304) {
    return 0;
  }

  /* Three-byte length 3, payload {3, 2, 1} read big-endian. */
  return CBS_get_u24_length_prefixed(&data, &prefixed) &&
         CBS_len(&prefixed) == 3 &&
         CBS_get_u24(&prefixed, &u32) &&
         u32 == 0x30201;
}
/* cbs_find_ber walks an ASN.1 structure in |orig_in| and sets |*ber_found|
 * depending on whether an indefinite length element or constructed string was
 * found. The value of |orig_in| is not changed. It returns one on success (i.e.
 * |*ber_found| was set) and zero on error.
 *
 * |depth| is the current nesting level. The recursion is refused once it
 * exceeds |kMaxDepth|, which bounds stack consumption on untrusted input. */
static int cbs_find_ber(const CBS *orig_in, char *ber_found, unsigned depth) {
  CBS in;

  if (depth > kMaxDepth) {
    return 0;
  }

  CBS_init(&in, CBS_data(orig_in), CBS_len(orig_in));
  *ber_found = 0;

  while (CBS_len(&in) > 0) {
    CBS contents;
    unsigned tag;
    size_t header_len;

    if (!CBS_get_any_ber_asn1_element(&in, &contents, &tag, &header_len)) {
      return 0;
    }
    /* An element that consists only of its header and whose last header byte
     * is 0x80 is taken to be an indefinite-length element (presumably how the
     * BER element reader reports them -- confirm against it). */
    if (CBS_len(&contents) == header_len && header_len > 0 &&
        CBS_data(&contents)[header_len-1] == 0x80) {
      /* Found an indefinite-length element. */
      *ber_found = 1;
      return 1;
    }
    if (tag & CBS_ASN1_CONSTRUCTED) {
      if (is_string_type(tag)) {
        /* Constructed strings are only legal in BER and require conversion. */
        *ber_found = 1;
        return 1;
      }
      /* Descend into the body (past the header) of any other constructed
       * element. */
      if (!CBS_skip(&contents, header_len) ||
          !cbs_find_ber(&contents, ber_found, depth + 1)) {
        return 0;
      }
    }
  }

  return 1;
}
/* rsa_pub_decode decodes an RSA SubjectPublicKeyInfo. |params| must be exactly
 * an ASN.1 NULL and |key| exactly an RSAPublicKey. On success the key is
 * assigned to |out| and one is returned; zero is returned with an error queued
 * otherwise. */
static int rsa_pub_decode(EVP_PKEY *out, CBS *params, CBS *key) {
  // See RFC 3279, section 2.3.1.
  // The parameters must be NULL.
  CBS null;
  const int params_ok = CBS_get_asn1(params, &null, CBS_ASN1_NULL) &&
                        CBS_len(&null) == 0 && CBS_len(params) == 0;
  if (!params_ok) {
    OPENSSL_PUT_ERROR(EVP, EVP_R_DECODE_ERROR);
    return 0;
  }

  // Trailing bytes after the key structure are rejected, not ignored.
  RSA *rsa = RSA_parse_public_key(key);
  if (rsa != NULL && CBS_len(key) == 0) {
    EVP_PKEY_assign_RSA(out, rsa);
    return 1;
  }

  OPENSSL_PUT_ERROR(EVP, EVP_R_DECODE_ERROR);
  RSA_free(rsa);
  return 0;
}
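/* test_EVP_DigestVerifyInitFromAlgorithm parses |kExamplePSSCert|, pulls out
 * its signatureAlgorithm and signature, and checks that the TBSCertificate
 * verifies against the example RSA key through
 * EVP_DigestVerifyInitFromAlgorithm. Returns one on success and zero on
 * failure; on failure the error queue is dumped to stderr. */
static int test_EVP_DigestVerifyInitFromAlgorithm(void) {
  int ret = 0;
  CBS cert, cert_body, tbs_cert, algorithm, signature;
  uint8_t padding;
  X509_ALGOR *algor = NULL;
  const uint8_t *derp;
  EVP_PKEY *pkey = NULL;
  EVP_MD_CTX md_ctx;

  EVP_MD_CTX_init(&md_ctx);

  /* Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm,
   * signatureValue }, with nothing trailing at either level. The TBS element
   * is kept whole (header included) because that is what was signed. */
  CBS_init(&cert, kExamplePSSCert, sizeof(kExamplePSSCert));
  if (!CBS_get_asn1(&cert, &cert_body, CBS_ASN1_SEQUENCE) ||
      CBS_len(&cert) != 0 ||
      !CBS_get_any_asn1_element(&cert_body, &tbs_cert, NULL, NULL) ||
      !CBS_get_asn1_element(&cert_body, &algorithm, CBS_ASN1_SEQUENCE) ||
      !CBS_get_asn1(&cert_body, &signature, CBS_ASN1_BITSTRING) ||
      CBS_len(&cert_body) != 0) {
    fprintf(stderr, "Failed to parse certificate\n");
    goto out;
  }

  /* Signatures are BIT STRINGs, but they are a whole number of bytes, so the
   * leading "unused bits" byte is just a zero. */
  if (!CBS_get_u8(&signature, &padding) || padding != 0) {
    fprintf(stderr, "Invalid signature padding\n");
    goto out;
  }

  derp = CBS_data(&algorithm);
  /* A parse failure must not fall through: |algor| would be NULL or partially
   * filled when handed to EVP_DigestVerifyInitFromAlgorithm below. */
  if (!d2i_X509_ALGOR(&algor, &derp, CBS_len(&algorithm)) ||
      derp != CBS_data(&algorithm) + CBS_len(&algorithm)) {
    fprintf(stderr, "Failed to parse algorithm\n");
    goto out;
  }

  pkey = load_example_rsa_key();
  if (pkey == NULL ||
      !EVP_DigestVerifyInitFromAlgorithm(&md_ctx, algor, pkey) ||
      !EVP_DigestVerifyUpdate(&md_ctx, CBS_data(&tbs_cert),
                              CBS_len(&tbs_cert)) ||
      !EVP_DigestVerifyFinal(&md_ctx, CBS_data(&signature),
                             CBS_len(&signature))) {
    goto out;
  }

  ret = 1;

out:
  if (!ret) {
    BIO_print_errors_fp(stderr);
  }
  EVP_MD_CTX_cleanup(&md_ctx);
  /* Both free functions accept NULL, so no guards are needed. |algor| was
   * previously leaked on every path. */
  X509_ALGOR_free(algor);
  EVP_PKEY_free(pkey);
  return ret;
}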
/* BN_cbs2unsigned parses a non-negative DER INTEGER from |cbs| into |ret|. It
 * rejects empty contents, negative values and non-minimal encodings (a leading
 * zero byte that is not needed to keep the sign bit clear), so that each value
 * has exactly one accepted encoding. Returns one on success and zero on
 * error. */
int BN_cbs2unsigned(CBS *cbs, BIGNUM *ret) {
  CBS integer;
  if (!CBS_get_asn1(cbs, &integer, CBS_ASN1_INTEGER) ||
      CBS_len(&integer) == 0) {
    OPENSSL_PUT_ERROR(BN, BN_R_BAD_ENCODING);
    return 0;
  }

  const uint8_t *bytes = CBS_data(&integer);
  const size_t len = CBS_len(&integer);

  /* DER INTEGERs are two's complement; a set top bit means negative. */
  if (bytes[0] & 0x80) {
    OPENSSL_PUT_ERROR(BN, BN_R_NEGATIVE_NUMBER);
    return 0;
  }

  /* INTEGERs must be minimal: a leading 0x00 is only allowed when the next
   * byte would otherwise read as a sign bit. */
  if (bytes[0] == 0x00 && len > 1 && !(bytes[1] & 0x80)) {
    OPENSSL_PUT_ERROR(BN, BN_R_BAD_ENCODING);
    return 0;
  }

  return BN_bin2bn(bytes, len, ret) != NULL;
}
/* set_signed_cert_timestamp_list validates the |list_len|-byte SCT list at
 * |list| and, if well-formed, stores a copy on |cert|, replacing any previous
 * list. Returns one on success and zero if the list is invalid or the copy
 * could not be allocated. */
static int set_signed_cert_timestamp_list(CERT *cert, const uint8_t *list,
                                          size_t list_len) {
  CBS sct_list;
  CBS_init(&sct_list, list, list_len);
  /* Validate before touching |cert| so a bad list leaves the old one intact. */
  if (!ssl_is_sct_list_valid(&sct_list)) {
    OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SCT_LIST);
    return 0;
  }

  CRYPTO_BUFFER_free(cert->signed_cert_timestamp_list);
  CRYPTO_BUFFER *copy =
      CRYPTO_BUFFER_new(CBS_data(&sct_list), CBS_len(&sct_list), NULL);
  cert->signed_cert_timestamp_list = copy;
  return copy != NULL;
}
/* ssl_parse_client_CA_list parses a u16-length-prefixed list of
 * u16-length-prefixed DistinguishedNames from |cbs| into a new stack of
 * CRYPTO_BUFFERs drawn from the context's pool. On success the stack is
 * returned and the caller owns it. On failure NULL is returned, |*out_alert|
 * is set to the alert to send, and nothing is leaked. */
STACK_OF(CRYPTO_BUFFER) *
    ssl_parse_client_CA_list(SSL *ssl, uint8_t *out_alert, CBS *cbs) {
  CRYPTO_BUFFER_POOL *const pool = ssl->ctx->pool;

  STACK_OF(CRYPTO_BUFFER) *ret = sk_CRYPTO_BUFFER_new_null();
  if (ret == NULL) {
    *out_alert = SSL_AD_INTERNAL_ERROR;
    OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
    return NULL;
  }

  CBS child;
  if (!CBS_get_u16_length_prefixed(cbs, &child)) {
    *out_alert = SSL_AD_DECODE_ERROR;
    OPENSSL_PUT_ERROR(SSL, SSL_R_LENGTH_MISMATCH);
    goto err;
  }

  /* Each name is copied out of the handshake buffer; the number of entries is
   * bounded by the u16 outer length. */
  while (CBS_len(&child) > 0) {
    CBS distinguished_name;
    if (!CBS_get_u16_length_prefixed(&child, &distinguished_name)) {
      *out_alert = SSL_AD_DECODE_ERROR;
      OPENSSL_PUT_ERROR(SSL, SSL_R_CA_DN_TOO_LONG);
      goto err;
    }

    CRYPTO_BUFFER *buffer =
        CRYPTO_BUFFER_new_from_CBS(&distinguished_name, pool);
    /* If the push fails the stack never took |buffer|, so free it here. */
    if (buffer == NULL ||
        !sk_CRYPTO_BUFFER_push(ret, buffer)) {
      CRYPTO_BUFFER_free(buffer);
      *out_alert = SSL_AD_INTERNAL_ERROR;
      OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
      goto err;
    }
  }

  /* The X.509 layer gets a final say over the parsed names. */
  if (!ssl->ctx->x509_method->check_client_CA_list(ret)) {
    *out_alert = SSL_AD_INTERNAL_ERROR;
    OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
    goto err;
  }

  return ret;

err:
  sk_CRYPTO_BUFFER_pop_free(ret, CRYPTO_BUFFER_free);
  return NULL;
}
/* SSL_SESSION_from_bytes parses a serialized session from the |in_len| bytes
 * at |in| using |ctx|'s X.509 method and buffer pool. The whole input must be
 * consumed. Returns a new SSL_SESSION on success and NULL on failure; trailing
 * bytes queue SSL_R_INVALID_SSL_SESSION. */
SSL_SESSION *SSL_SESSION_from_bytes(const uint8_t *in, size_t in_len,
                                    const SSL_CTX *ctx) {
  CBS cbs;
  CBS_init(&cbs, in, in_len);

  SSL_SESSION *session = SSL_SESSION_parse(&cbs, ctx->x509_method, ctx->pool);
  /* A parse failure has already queued its own error; only trailing data is
   * reported here. */
  if (session != NULL && CBS_len(&cbs) != 0) {
    OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION);
    SSL_SESSION_free(session);
    session = NULL;
  }
  return session;
}