static int eckey_priv_encode(CBB *out, const EVP_PKEY *key) { const EC_KEY *ec_key = key->pkey.ec; // Omit the redundant copy of the curve name. This contradicts RFC 5915 but // aligns with PKCS #11. SEC 1 only says they may be omitted if known by other // means. Both OpenSSL and NSS omit the redundant parameters, so we omit them // as well. unsigned enc_flags = EC_KEY_get_enc_flags(ec_key) | EC_PKEY_NO_PARAMETERS; // See RFC 5915. CBB pkcs8, algorithm, oid, private_key; if (!CBB_add_asn1(out, &pkcs8, CBS_ASN1_SEQUENCE) || !CBB_add_asn1_uint64(&pkcs8, 0 /* version */) || !CBB_add_asn1(&pkcs8, &algorithm, CBS_ASN1_SEQUENCE) || !CBB_add_asn1(&algorithm, &oid, CBS_ASN1_OBJECT) || !CBB_add_bytes(&oid, ec_asn1_meth.oid, ec_asn1_meth.oid_len) || !EC_KEY_marshal_curve_name(&algorithm, EC_KEY_get0_group(ec_key)) || !CBB_add_asn1(&pkcs8, &private_key, CBS_ASN1_OCTETSTRING) || !EC_KEY_marshal_private_key(&private_key, ec_key, enc_flags) || !CBB_flush(out)) { OPENSSL_PUT_ERROR(EVP, EVP_R_ENCODE_ERROR); return 0; } return 1; }
int RSA_marshal_private_key(CBB *cbb, const RSA *rsa) { const int is_multiprime = sk_RSA_additional_prime_num(rsa->additional_primes) > 0; CBB child; if (!CBB_add_asn1(cbb, &child, CBS_ASN1_SEQUENCE) || !CBB_add_asn1_uint64(&child, is_multiprime ? kVersionMulti : kVersionTwoPrime) || !marshal_integer(&child, rsa->n) || !marshal_integer(&child, rsa->e) || !marshal_integer(&child, rsa->d) || !marshal_integer(&child, rsa->p) || !marshal_integer(&child, rsa->q) || !marshal_integer(&child, rsa->dmp1) || !marshal_integer(&child, rsa->dmq1) || !marshal_integer(&child, rsa->iqmp)) { OPENSSL_PUT_ERROR(RSA, RSA_R_ENCODE_ERROR); return 0; } CBB other_prime_infos; if (is_multiprime) { if (!CBB_add_asn1(&child, &other_prime_infos, CBS_ASN1_SEQUENCE)) { OPENSSL_PUT_ERROR(RSA, RSA_R_ENCODE_ERROR); return 0; } size_t i; for (i = 0; i < sk_RSA_additional_prime_num(rsa->additional_primes); i++) { RSA_additional_prime *ap = sk_RSA_additional_prime_value(rsa->additional_primes, i); CBB other_prime_info; if (!CBB_add_asn1(&other_prime_infos, &other_prime_info, CBS_ASN1_SEQUENCE) || !marshal_integer(&other_prime_info, ap->prime) || !marshal_integer(&other_prime_info, ap->exp) || !marshal_integer(&other_prime_info, ap->coeff) || !CBB_flush(&other_prime_infos)) { OPENSSL_PUT_ERROR(RSA, RSA_R_ENCODE_ERROR); return 0; } } } if (!CBB_flush(cbb)) { OPENSSL_PUT_ERROR(RSA, RSA_R_ENCODE_ERROR); return 0; } return 1; }
int BN_bn2cbb(CBB *cbb, const BIGNUM *bn) { /* Negative numbers are unsupported. */ if (BN_is_negative(bn)) { OPENSSL_PUT_ERROR(BN, BN_R_NEGATIVE_NUMBER); return 0; } CBB child; if (!CBB_add_asn1(cbb, &child, CBS_ASN1_INTEGER)) { OPENSSL_PUT_ERROR(BN, BN_R_ENCODE_ERROR); return 0; } /* The number must be padded with a leading zero if the high bit would * otherwise be set (or |bn| is zero). */ if (BN_num_bits(bn) % 8 == 0 && !CBB_add_u8(&child, 0x00)) { OPENSSL_PUT_ERROR(BN, BN_R_ENCODE_ERROR); return 0; } uint8_t *out; if (!CBB_add_space(&child, &out, BN_num_bytes(bn))) { OPENSSL_PUT_ERROR(BN, BN_R_ENCODE_ERROR); return 0; } BN_bn2bin(bn, out); if (!CBB_flush(cbb)) { OPENSSL_PUT_ERROR(BN, BN_R_ENCODE_ERROR); return 0; } return 1; }
static int test_cbb_misuse(void) { CBB cbb, child, contents; uint8_t *buf; size_t buf_len; if (!CBB_init(&cbb, 0) || !CBB_add_u8_length_prefixed(&cbb, &child) || !CBB_add_u8(&child, 1) || !CBB_add_u8(&cbb, 2)) { return 0; } /* Since we wrote to |cbb|, |child| is now invalid and attempts to write to * it should fail. */ if (CBB_add_u8(&child, 1) || CBB_add_u16(&child, 1) || CBB_add_u24(&child, 1) || CBB_add_u8_length_prefixed(&child, &contents) || CBB_add_u16_length_prefixed(&child, &contents) || CBB_add_asn1(&child, &contents, 1) || CBB_add_bytes(&child, (const uint8_t*) "a", 1)) { fprintf(stderr, "CBB operation on invalid CBB did not fail.\n"); return 0; } if (!CBB_finish(&cbb, &buf, &buf_len) || buf_len != 3 || memcmp(buf, "\x01\x01\x02", 3) != 0) { return 0; } free(buf); return 1; }
static int rsa_priv_encode(CBB *out, const EVP_PKEY *key) { CBB pkcs8, algorithm, oid, null, private_key; if (!CBB_add_asn1(out, &pkcs8, CBS_ASN1_SEQUENCE) || !CBB_add_asn1_uint64(&pkcs8, 0 /* version */) || !CBB_add_asn1(&pkcs8, &algorithm, CBS_ASN1_SEQUENCE) || !CBB_add_asn1(&algorithm, &oid, CBS_ASN1_OBJECT) || !CBB_add_bytes(&oid, rsa_asn1_meth.oid, rsa_asn1_meth.oid_len) || !CBB_add_asn1(&algorithm, &null, CBS_ASN1_NULL) || !CBB_add_asn1(&pkcs8, &private_key, CBS_ASN1_OCTETSTRING) || !RSA_marshal_private_key(&private_key, key->pkey.rsa) || !CBB_flush(out)) { OPENSSL_PUT_ERROR(EVP, EVP_R_ENCODE_ERROR); return 0; } return 1; }
static int rsa_pub_encode(CBB *out, const EVP_PKEY *key) { // See RFC 3279, section 2.3.1. CBB spki, algorithm, oid, null, key_bitstring; if (!CBB_add_asn1(out, &spki, CBS_ASN1_SEQUENCE) || !CBB_add_asn1(&spki, &algorithm, CBS_ASN1_SEQUENCE) || !CBB_add_asn1(&algorithm, &oid, CBS_ASN1_OBJECT) || !CBB_add_bytes(&oid, rsa_asn1_meth.oid, rsa_asn1_meth.oid_len) || !CBB_add_asn1(&algorithm, &null, CBS_ASN1_NULL) || !CBB_add_asn1(&spki, &key_bitstring, CBS_ASN1_BITSTRING) || !CBB_add_u8(&key_bitstring, 0 /* padding */) || !RSA_marshal_public_key(&key_bitstring, key->pkey.rsa) || !CBB_flush(out)) { OPENSSL_PUT_ERROR(EVP, EVP_R_ENCODE_ERROR); return 0; } return 1; }
MONO_API MonoBtlsX509Name * mono_btls_x509_name_from_data (const void *data, int len, int use_canon_enc) { MonoBtlsX509Name *name; uint8_t *buf; const unsigned char *ptr; X509_NAME *ret; name = OPENSSL_malloc (sizeof (MonoBtlsX509Name)); if (!name) return NULL; memset (name, 0, sizeof(MonoBtlsX509Name)); name->owns = 1; name->name = X509_NAME_new (); if (!name->name) { OPENSSL_free (name); return NULL; } if (use_canon_enc) { CBB cbb, contents; size_t buf_len; // re-add ASN1 SEQUENCE header. CBB_init(&cbb, 0); if (!CBB_add_asn1(&cbb, &contents, 0x30) || !CBB_add_bytes(&contents, data, len) || !CBB_finish(&cbb, &buf, &buf_len)) { CBB_cleanup (&cbb); mono_btls_x509_name_free (name); return NULL; } ptr = buf; len = (int)buf_len; } else { ptr = data; buf = NULL; } ret = d2i_X509_NAME (&name->name, &ptr, len); if (buf) OPENSSL_free (buf); if (ret != name->name) { mono_btls_x509_name_free (name); return NULL; } return name; }
int ECDSA_SIG_marshal(CBB *cbb, const ECDSA_SIG *sig) { CBB child; if (!CBB_add_asn1(cbb, &child, CBS_ASN1_SEQUENCE) || !BN_marshal_asn1(&child, sig->r) || !BN_marshal_asn1(&child, sig->s) || !CBB_flush(cbb)) { OPENSSL_PUT_ERROR(ECDSA, ECDSA_R_ENCODE_ERROR); return 0; } return 1; }
int RSA_marshal_public_key(CBB *cbb, const RSA *rsa) { CBB child; if (!CBB_add_asn1(cbb, &child, CBS_ASN1_SEQUENCE) || !marshal_integer(&child, rsa->n) || !marshal_integer(&child, rsa->e) || !CBB_flush(cbb)) { OPENSSL_PUT_ERROR(RSA, RSA_R_ENCODE_ERROR); return 0; } return 1; }
int DSA_marshal_parameters(CBB *cbb, const DSA *dsa) { CBB child; if (!CBB_add_asn1(cbb, &child, CBS_ASN1_SEQUENCE) || !marshal_integer(&child, dsa->p) || !marshal_integer(&child, dsa->q) || !marshal_integer(&child, dsa->g) || !CBB_flush(cbb)) { OPENSSL_PUT_ERROR(DSA, DSA_R_ENCODE_ERROR); return 0; } return 1; }
static int eckey_pub_encode(CBB *out, const EVP_PKEY *key) { const EC_KEY *ec_key = key->pkey.ec; const EC_GROUP *group = EC_KEY_get0_group(ec_key); const EC_POINT *public_key = EC_KEY_get0_public_key(ec_key); // See RFC 5480, section 2. CBB spki, algorithm, oid, key_bitstring; if (!CBB_add_asn1(out, &spki, CBS_ASN1_SEQUENCE) || !CBB_add_asn1(&spki, &algorithm, CBS_ASN1_SEQUENCE) || !CBB_add_asn1(&algorithm, &oid, CBS_ASN1_OBJECT) || !CBB_add_bytes(&oid, ec_asn1_meth.oid, ec_asn1_meth.oid_len) || !EC_KEY_marshal_curve_name(&algorithm, group) || !CBB_add_asn1(&spki, &key_bitstring, CBS_ASN1_BITSTRING) || !CBB_add_u8(&key_bitstring, 0 /* padding */) || !EC_POINT_point2cbb(&key_bitstring, group, public_key, POINT_CONVERSION_UNCOMPRESSED, NULL) || !CBB_flush(out)) { OPENSSL_PUT_ERROR(EVP, EVP_R_ENCODE_ERROR); return 0; } return 1; }
int DSA_marshal_private_key(CBB *cbb, const DSA *dsa) { CBB child; if (!CBB_add_asn1(cbb, &child, CBS_ASN1_SEQUENCE) || !CBB_add_asn1_uint64(&child, 0 /* version */) || !marshal_integer(&child, dsa->p) || !marshal_integer(&child, dsa->q) || !marshal_integer(&child, dsa->g) || !marshal_integer(&child, dsa->pub_key) || !marshal_integer(&child, dsa->priv_key) || !CBB_flush(cbb)) { OPENSSL_PUT_ERROR(DSA, DSA_R_ENCODE_ERROR); return 0; } return 1; }
int RSA_marshal_private_key(CBB *cbb, const RSA *rsa) { CBB child; if (!CBB_add_asn1(cbb, &child, CBS_ASN1_SEQUENCE) || !CBB_add_asn1_uint64(&child, kVersionTwoPrime) || !marshal_integer(&child, rsa->n) || !marshal_integer(&child, rsa->e) || !marshal_integer(&child, rsa->d) || !marshal_integer(&child, rsa->p) || !marshal_integer(&child, rsa->q) || !marshal_integer(&child, rsa->dmp1) || !marshal_integer(&child, rsa->dmq1) || !marshal_integer(&child, rsa->iqmp)) { OPENSSL_PUT_ERROR(RSA, RSA_R_ENCODE_ERROR); return 0; } if (!CBB_flush(cbb)) { OPENSSL_PUT_ERROR(RSA, RSA_R_ENCODE_ERROR); return 0; } return 1; }
/* cbs_convert_ber reads BER data from |in| and writes DER data to |out|. If * |string_tag| is non-zero, then all elements must match |string_tag| up to the * constructed bit and primitive element bodies are written to |out| without * element headers. This is used when concatenating the fragments of a * constructed string. If |looking_for_eoc| is set then any EOC elements found * will cause the function to return after consuming it. It returns one on * success and zero on error. */ static int cbs_convert_ber(CBS *in, CBB *out, unsigned string_tag, char looking_for_eoc, unsigned depth) { assert(!(string_tag & CBS_ASN1_CONSTRUCTED)); if (depth > kMaxDepth) { return 0; } while (CBS_len(in) > 0) { CBS contents; unsigned tag, child_string_tag = string_tag; size_t header_len; CBB *out_contents, out_contents_storage; if (!CBS_get_any_ber_asn1_element(in, &contents, &tag, &header_len)) { return 0; } if (is_eoc(header_len, &contents)) { return looking_for_eoc; } if (string_tag != 0) { /* This is part of a constructed string. All elements must match * |string_tag| up to the constructed bit and get appended to |out| * without a child element. */ if ((tag & ~CBS_ASN1_CONSTRUCTED) != string_tag) { return 0; } out_contents = out; } else { unsigned out_tag = tag; if ((tag & CBS_ASN1_CONSTRUCTED) && is_string_type(tag)) { /* If a constructed string, clear the constructed bit and inform * children to concatenate bodies. */ out_tag &= ~CBS_ASN1_CONSTRUCTED; child_string_tag = out_tag; } if (!CBB_add_asn1(out, &out_contents_storage, out_tag)) { return 0; } out_contents = &out_contents_storage; } if (CBS_len(&contents) == header_len && header_len > 0 && CBS_data(&contents)[header_len - 1] == 0x80) { /* This is an indefinite length element. */ if (!cbs_convert_ber(in, out_contents, child_string_tag, 1 /* looking for eoc */, depth + 1) || !CBB_flush(out)) { return 0; } continue; } if (!CBS_skip(&contents, header_len)) { return 0; } if (tag & CBS_ASN1_CONSTRUCTED) { /* Recurse into children. */ if (!cbs_convert_ber(&contents, out_contents, child_string_tag, 0 /* not looking for eoc */, depth + 1)) { return 0; } } else { /* Copy primitive contents as-is. */ if (!CBB_add_bytes(out_contents, CBS_data(&contents), CBS_len(&contents))) { return 0; } } if (!CBB_flush(out)) { return 0; } } return looking_for_eoc == 0; }
static int SSL_SESSION_to_bytes_full(const SSL_SESSION *in, uint8_t **out_data, size_t *out_len, int for_ticket) { CBB cbb, session, child, child2; if (in == NULL || in->cipher == NULL) { return 0; } CBB_zero(&cbb); if (!CBB_init(&cbb, 0) || !CBB_add_asn1(&cbb, &session, CBS_ASN1_SEQUENCE) || !CBB_add_asn1_uint64(&session, kVersion) || !CBB_add_asn1_uint64(&session, in->ssl_version) || !CBB_add_asn1(&session, &child, CBS_ASN1_OCTETSTRING) || !CBB_add_u16(&child, (uint16_t)(in->cipher->id & 0xffff)) || !CBB_add_asn1(&session, &child, CBS_ASN1_OCTETSTRING) || /* The session ID is irrelevant for a session ticket. */ !CBB_add_bytes(&child, in->session_id, for_ticket ? 0 : in->session_id_length) || !CBB_add_asn1(&session, &child, CBS_ASN1_OCTETSTRING) || !CBB_add_bytes(&child, in->master_key, in->master_key_length) || !CBB_add_asn1(&session, &child, kTimeTag) || !CBB_add_asn1_uint64(&child, in->time) || !CBB_add_asn1(&session, &child, kTimeoutTag) || !CBB_add_asn1_uint64(&child, in->timeout)) { OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); goto err; } /* The peer certificate is only serialized if the SHA-256 isn't * serialized instead. */ if (sk_CRYPTO_BUFFER_num(in->certs) > 0 && !in->peer_sha256_valid) { const CRYPTO_BUFFER *buffer = sk_CRYPTO_BUFFER_value(in->certs, 0); if (!CBB_add_asn1(&session, &child, kPeerTag) || !CBB_add_bytes(&child, CRYPTO_BUFFER_data(buffer), CRYPTO_BUFFER_len(buffer))) { OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); goto err; } } /* Although it is OPTIONAL and usually empty, OpenSSL has * historically always encoded the sid_ctx. */ if (!CBB_add_asn1(&session, &child, kSessionIDContextTag) || !CBB_add_asn1(&child, &child2, CBS_ASN1_OCTETSTRING) || !CBB_add_bytes(&child2, in->sid_ctx, in->sid_ctx_length)) { OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); goto err; } if (in->verify_result != X509_V_OK) { if (!CBB_add_asn1(&session, &child, kVerifyResultTag) || !CBB_add_asn1_uint64(&child, in->verify_result)) { OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); goto err; } } if (in->tlsext_hostname) { if (!CBB_add_asn1(&session, &child, kHostNameTag) || !CBB_add_asn1(&child, &child2, CBS_ASN1_OCTETSTRING) || !CBB_add_bytes(&child2, (const uint8_t *)in->tlsext_hostname, strlen(in->tlsext_hostname))) { OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); goto err; } } if (in->psk_identity) { if (!CBB_add_asn1(&session, &child, kPSKIdentityTag) || !CBB_add_asn1(&child, &child2, CBS_ASN1_OCTETSTRING) || !CBB_add_bytes(&child2, (const uint8_t *)in->psk_identity, strlen(in->psk_identity))) { OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); goto err; } } if (in->tlsext_tick_lifetime_hint > 0) { if (!CBB_add_asn1(&session, &child, kTicketLifetimeHintTag) || !CBB_add_asn1_uint64(&child, in->tlsext_tick_lifetime_hint)) { OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); goto err; } } if (in->tlsext_tick && !for_ticket) { if (!CBB_add_asn1(&session, &child, kTicketTag) || !CBB_add_asn1(&child, &child2, CBS_ASN1_OCTETSTRING) || !CBB_add_bytes(&child2, in->tlsext_tick, in->tlsext_ticklen)) { OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); goto err; } } if (in->peer_sha256_valid) { if (!CBB_add_asn1(&session, &child, kPeerSHA256Tag) || !CBB_add_asn1(&child, &child2, CBS_ASN1_OCTETSTRING) || !CBB_add_bytes(&child2, in->peer_sha256, sizeof(in->peer_sha256))) { OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); goto err; } } if (in->original_handshake_hash_len > 0) { if (!CBB_add_asn1(&session, &child, kOriginalHandshakeHashTag) || !CBB_add_asn1(&child, &child2, CBS_ASN1_OCTETSTRING) || !CBB_add_bytes(&child2, in->original_handshake_hash, in->original_handshake_hash_len)) { OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); goto err; } } if (in->tlsext_signed_cert_timestamp_list_length > 0) { if (!CBB_add_asn1(&session, &child, kSignedCertTimestampListTag) || !CBB_add_asn1(&child, &child2, CBS_ASN1_OCTETSTRING) || !CBB_add_bytes(&child2, in->tlsext_signed_cert_timestamp_list, in->tlsext_signed_cert_timestamp_list_length)) { OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); goto err; } } if (in->ocsp_response_length > 0) { if (!CBB_add_asn1(&session, &child, kOCSPResponseTag) || !CBB_add_asn1(&child, &child2, CBS_ASN1_OCTETSTRING) || !CBB_add_bytes(&child2, in->ocsp_response, in->ocsp_response_length)) { OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); goto err; } } if (in->extended_master_secret) { if (!CBB_add_asn1(&session, &child, kExtendedMasterSecretTag) || !CBB_add_asn1(&child, &child2, CBS_ASN1_BOOLEAN) || !CBB_add_u8(&child2, 0xff)) { OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); goto err; } } if (in->group_id > 0 && (!CBB_add_asn1(&session, &child, kGroupIDTag) || !CBB_add_asn1_uint64(&child, in->group_id))) { OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); goto err; } /* The certificate chain is only serialized if the leaf's SHA-256 isn't * serialized instead. */ if (in->certs != NULL && !in->peer_sha256_valid && sk_CRYPTO_BUFFER_num(in->certs) >= 2) { if (!CBB_add_asn1(&session, &child, kCertChainTag)) { OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); goto err; } for (size_t i = 1; i < sk_CRYPTO_BUFFER_num(in->certs); i++) { const CRYPTO_BUFFER *buffer = sk_CRYPTO_BUFFER_value(in->certs, i); if (!CBB_add_bytes(&child, CRYPTO_BUFFER_data(buffer), CRYPTO_BUFFER_len(buffer))) { OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); goto err; } } } if (in->ticket_age_add_valid) { if (!CBB_add_asn1(&session, &child, kTicketAgeAddTag) || !CBB_add_asn1(&child, &child2, CBS_ASN1_OCTETSTRING) || !CBB_add_u32(&child2, in->ticket_age_add)) { OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); goto err; } } if (!in->is_server) { if (!CBB_add_asn1(&session, &child, kIsServerTag) || !CBB_add_asn1(&child, &child2, CBS_ASN1_BOOLEAN) || !CBB_add_u8(&child2, 0x00)) { OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); goto err; } } if (in->peer_signature_algorithm != 0 && (!CBB_add_asn1(&session, &child, kPeerSignatureAlgorithmTag) || !CBB_add_asn1_uint64(&child, in->peer_signature_algorithm))) { OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); goto err; } if (in->ticket_max_early_data != 0 && (!CBB_add_asn1(&session, &child, kTicketMaxEarlyDataTag) || !CBB_add_asn1_uint64(&child, in->ticket_max_early_data))) { OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); goto err; } if (in->timeout != in->auth_timeout && (!CBB_add_asn1(&session, &child, kAuthTimeoutTag) || !CBB_add_asn1_uint64(&child, in->auth_timeout))) { OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); goto err; } if (in->early_alpn) { if (!CBB_add_asn1(&session, &child, kEarlyALPNTag) || !CBB_add_asn1(&child, &child2, CBS_ASN1_OCTETSTRING) || !CBB_add_bytes(&child2, (const uint8_t *)in->early_alpn, in->early_alpn_len)) { OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); goto err; } } if (!CBB_finish(&cbb, out_data, out_len)) { OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); goto err; } return 1; err: CBB_cleanup(&cbb); return 0; }
/* cbs_convert_ber reads BER data from |in| and writes DER data to |out|. If * |squash_header| is set then the top-level of elements from |in| will not * have their headers written. This is used when concatenating the fragments of * an indefinite length, primitive value. If |looking_for_eoc| is set then any * EOC elements found will cause the function to return after consuming it. * It returns one on success and zero on error. */ static int cbs_convert_ber(CBS *in, CBB *out, char squash_header, char looking_for_eoc, unsigned depth) { if (depth > kMaxDepth) { return 0; } while (CBS_len(in) > 0) { CBS contents; unsigned tag; size_t header_len; CBB *out_contents, out_contents_storage; if (!CBS_get_any_ber_asn1_element(in, &contents, &tag, &header_len)) { return 0; } out_contents = out; if (CBS_len(&contents) == header_len) { if (is_eoc(header_len, &contents)) { return looking_for_eoc; } if (header_len > 0 && CBS_data(&contents)[header_len - 1] == 0x80) { /* This is an indefinite length element. If it's a SEQUENCE or SET then * we just need to write the out the contents as normal, but with a * concrete length prefix. * * If it's a something else then the contents will be a series of BER * elements of the same type which need to be concatenated. */ const char context_specific = (tag & 0xc0) == 0x80; char squash_child_headers = is_primitive_type(tag); /* This is a hack, but it sufficies to handle NSS's output. If we find * an indefinite length, context-specific tag with a definite, primitive * tag inside it, then we assume that the context-specific tag is * implicit and the tags within are fragments of a primitive type that * need to be concatenated. */ if (context_specific && (tag & CBS_ASN1_CONSTRUCTED)) { CBS in_copy, inner_contents; unsigned inner_tag; size_t inner_header_len; CBS_init(&in_copy, CBS_data(in), CBS_len(in)); if (!CBS_get_any_ber_asn1_element(&in_copy, &inner_contents, &inner_tag, &inner_header_len)) { return 0; } if (CBS_len(&inner_contents) > inner_header_len && is_primitive_type(inner_tag)) { squash_child_headers = 1; } } if (!squash_header) { unsigned out_tag = tag; if (squash_child_headers) { out_tag &= ~CBS_ASN1_CONSTRUCTED; } if (!CBB_add_asn1(out, &out_contents_storage, out_tag)) { return 0; } out_contents = &out_contents_storage; } if (!cbs_convert_ber(in, out_contents, squash_child_headers, 1 /* looking for eoc */, depth + 1)) { return 0; } if (out_contents != out && !CBB_flush(out)) { return 0; } continue; } } if (!squash_header) { if (!CBB_add_asn1(out, &out_contents_storage, tag)) { return 0; } out_contents = &out_contents_storage; } if (!CBS_skip(&contents, header_len)) { return 0; } if (tag & CBS_ASN1_CONSTRUCTED) { if (!cbs_convert_ber(&contents, out_contents, 0 /* don't squash header */, 0 /* not looking for eoc */, depth + 1)) { return 0; } } else { if (!CBB_add_bytes(out_contents, CBS_data(&contents), CBS_len(&contents))) { return 0; } } if (out_contents != out && !CBB_flush(out)) { return 0; } } return looking_for_eoc == 0; }
int i2d_SSL_SESSION(SSL_SESSION *s, unsigned char **pp) { CBB cbb, session, cipher_suite, session_id, master_key, time, timeout; CBB peer_cert, sidctx, verify_result, hostname, lifetime, ticket; CBB value; unsigned char *data = NULL, *peer_cert_bytes = NULL; size_t data_len = 0; int len, rv = -1; uint16_t cid; if (s == NULL) return (0); if (s->cipher == NULL && s->cipher_id == 0) return (0); if (!CBB_init(&cbb, 0)) goto err; if (!CBB_add_asn1(&cbb, &session, CBS_ASN1_SEQUENCE)) goto err; /* Session ASN1 version. */ if (!CBB_add_asn1_uint64(&session, SSL_SESSION_ASN1_VERSION)) goto err; /* TLS/SSL protocol version. */ if (s->ssl_version < 0) goto err; if (!CBB_add_asn1_uint64(&session, s->ssl_version)) goto err; /* Cipher suite ID. */ /* XXX - require cipher to be non-NULL or always/only use cipher_id. */ cid = (uint16_t)(s->cipher_id & 0xffff); if (s->cipher != NULL) cid = ssl3_cipher_get_value(s->cipher); if (!CBB_add_asn1(&session, &cipher_suite, CBS_ASN1_OCTETSTRING)) goto err; if (!CBB_add_u16(&cipher_suite, cid)) goto err; /* Session ID. */ if (!CBB_add_asn1(&session, &session_id, CBS_ASN1_OCTETSTRING)) goto err; if (!CBB_add_bytes(&session_id, s->session_id, s->session_id_length)) goto err; /* Master key. */ if (!CBB_add_asn1(&session, &master_key, CBS_ASN1_OCTETSTRING)) goto err; if (!CBB_add_bytes(&master_key, s->master_key, s->master_key_length)) goto err; /* Time [1]. */ if (s->time != 0) { if (s->time < 0) goto err; if (!CBB_add_asn1(&session, &time, SSLASN1_TIME_TAG)) goto err; if (!CBB_add_asn1_uint64(&time, s->time)) goto err; } /* Timeout [2]. */ if (s->timeout != 0) { if (s->timeout < 0) goto err; if (!CBB_add_asn1(&session, &timeout, SSLASN1_TIMEOUT_TAG)) goto err; if (!CBB_add_asn1_uint64(&timeout, s->timeout)) goto err; } /* Peer certificate [3]. */ if (s->peer != NULL) { if ((len = i2d_X509(s->peer, &peer_cert_bytes)) <= 0) goto err; if (!CBB_add_asn1(&session, &peer_cert, SSLASN1_PEER_CERT_TAG)) goto err; if (!CBB_add_bytes(&peer_cert, peer_cert_bytes, len)) goto err; } /* Session ID context [4]. */ /* XXX - Actually handle this as optional? */ if (!CBB_add_asn1(&session, &sidctx, SSLASN1_SESSION_ID_CTX_TAG)) goto err; if (!CBB_add_asn1(&sidctx, &value, CBS_ASN1_OCTETSTRING)) goto err; if (!CBB_add_bytes(&value, s->sid_ctx, s->sid_ctx_length)) goto err; /* Verify result [5]. */ if (s->verify_result != X509_V_OK) { if (s->verify_result < 0) goto err; if (!CBB_add_asn1(&session, &verify_result, SSLASN1_VERIFY_RESULT_TAG)) goto err; if (!CBB_add_asn1_uint64(&verify_result, s->verify_result)) goto err; } /* Hostname [6]. */ if (s->tlsext_hostname != NULL) { if (!CBB_add_asn1(&session, &hostname, SSLASN1_HOSTNAME_TAG)) goto err; if (!CBB_add_asn1(&hostname, &value, CBS_ASN1_OCTETSTRING)) goto err; if (!CBB_add_bytes(&value, (const uint8_t *)s->tlsext_hostname, strlen(s->tlsext_hostname))) goto err; } /* PSK identity hint [7]. */ /* PSK identity [8]. */ /* Ticket lifetime hint [9]. */ if (s->tlsext_tick_lifetime_hint > 0) { if (!CBB_add_asn1(&session, &lifetime, SSLASN1_LIFETIME_TAG)) goto err; if (!CBB_add_asn1_uint64(&lifetime, s->tlsext_tick_lifetime_hint)) goto err; } /* Ticket [10]. */ if (s->tlsext_tick) { if (!CBB_add_asn1(&session, &ticket, SSLASN1_TICKET_TAG)) goto err; if (!CBB_add_asn1(&ticket, &value, CBS_ASN1_OCTETSTRING)) goto err; if (!CBB_add_bytes(&value, s->tlsext_tick, s->tlsext_ticklen)) goto err; } /* Compression method [11]. */ /* SRP username [12]. */ if (!CBB_finish(&cbb, &data, &data_len)) goto err; if (data_len > INT_MAX) goto err; if (pp != NULL) { if (*pp == NULL) { *pp = data; data = NULL; } else { memcpy(*pp, data, data_len); *pp += data_len; } } rv = (int)data_len; err: CBB_cleanup(&cbb); freezero(data, data_len); free(peer_cert_bytes); return rv; }
static int test_cbb_asn1(void) { static const uint8_t kExpected[] = {0x30, 3, 1, 2, 3}; uint8_t *buf, *test_data; size_t buf_len; CBB cbb, contents, inner_contents; if (!CBB_init(&cbb, 0) || !CBB_add_asn1(&cbb, &contents, 0x30) || !CBB_add_bytes(&contents, (const uint8_t*) "\x01\x02\x03", 3) || !CBB_finish(&cbb, &buf, &buf_len)) { return 0; } if (buf_len != sizeof(kExpected) || memcmp(buf, kExpected, buf_len) != 0) { return 0; } free(buf); test_data = malloc(100000); memset(test_data, 0x42, 100000); if (!CBB_init(&cbb, 0) || !CBB_add_asn1(&cbb, &contents, 0x30) || !CBB_add_bytes(&contents, test_data, 130) || !CBB_finish(&cbb, &buf, &buf_len)) { return 0; } if (buf_len != 3 + 130 || memcmp(buf, "\x30\x81\x82", 3) != 0 || memcmp(buf + 3, test_data, 130) != 0) { return 0; } free(buf); if (!CBB_init(&cbb, 0) || !CBB_add_asn1(&cbb, &contents, 0x30) || !CBB_add_bytes(&contents, test_data, 1000) || !CBB_finish(&cbb, &buf, &buf_len)) { return 0; } if (buf_len != 4 + 1000 || memcmp(buf, "\x30\x82\x03\xe8", 4) != 0 || memcmp(buf + 4, test_data, 1000)) { return 0; } free(buf); if (!CBB_init(&cbb, 0) || !CBB_add_asn1(&cbb, &contents, 0x30) || !CBB_add_asn1(&contents, &inner_contents, 0x30) || !CBB_add_bytes(&inner_contents, test_data, 100000) || !CBB_finish(&cbb, &buf, &buf_len)) { return 0; } if (buf_len != 5 + 5 + 100000 || memcmp(buf, "\x30\x83\x01\x86\xa5\x30\x83\x01\x86\xa0", 10) != 0 || memcmp(buf + 10, test_data, 100000)) { return 0; } free(buf); free(test_data); return 1; }