static enum ssl_hs_wait_t do_process_hello_retry_request(SSL *ssl, SSL_HANDSHAKE *hs) { if (ssl->s3->tmp.message_type != SSL3_MT_HELLO_RETRY_REQUEST) { hs->state = state_process_server_hello; return ssl_hs_ok; } CBS cbs, extensions; uint16_t server_wire_version, cipher_suite, group_id; CBS_init(&cbs, ssl->init_msg, ssl->init_num); if (!CBS_get_u16(&cbs, &server_wire_version) || !CBS_get_u16(&cbs, &cipher_suite) || !CBS_get_u16(&cbs, &group_id) || /* We do not currently parse any HelloRetryRequest extensions. */ !CBS_get_u16_length_prefixed(&cbs, &extensions) || CBS_len(&cbs) != 0) { ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); return ssl_hs_error; } /* TODO(svaldez): Don't do early_data on HelloRetryRequest. */ const uint16_t *groups; size_t groups_len; tls1_get_grouplist(ssl, 0 /* local groups */, &groups, &groups_len); int found = 0; for (size_t i = 0; i < groups_len; i++) { if (groups[i] == group_id) { found = 1; break; } } if (!found) { ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER); OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CURVE); return ssl_hs_error; } for (size_t i = 0; i < ssl->s3->hs->groups_len; i++) { /* Check that the HelloRetryRequest does not request a key share that was * provided in the initial ClientHello. * * TODO(svaldez): Don't enforce this check when the HelloRetryRequest is due * to a cookie. */ if (SSL_ECDH_CTX_get_id(&ssl->s3->hs->groups[i]) == group_id) { ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER); OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CURVE); return ssl_hs_error; } } ssl_handshake_clear_groups(ssl->s3->hs); ssl->s3->hs->retry_group = group_id; hs->state = state_send_second_client_hello; return ssl_hs_ok; }
int tls13_process_certificate_verify(SSL *ssl) { int ret = 0; X509 *peer = ssl->s3->new_session->peer; EVP_PKEY *pkey = NULL; uint8_t *msg = NULL; size_t msg_len; /* Filter out unsupported certificate types. */ pkey = X509_get_pubkey(peer); if (pkey == NULL) { goto err; } CBS cbs, signature; uint16_t signature_algorithm; CBS_init(&cbs, ssl->init_msg, ssl->init_num); if (!CBS_get_u16(&cbs, &signature_algorithm) || !CBS_get_u16_length_prefixed(&cbs, &signature) || CBS_len(&cbs) != 0) { OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR); ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); goto err; } int al; if (!tls12_check_peer_sigalg(ssl, &al, signature_algorithm)) { ssl3_send_alert(ssl, SSL3_AL_FATAL, al); goto err; } ssl->s3->tmp.peer_signature_algorithm = signature_algorithm; if (!tls13_get_cert_verify_signature_input( ssl, &msg, &msg_len, ssl->server ? ssl_cert_verify_client : ssl_cert_verify_server)) { ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); goto err; } int sig_ok = ssl_public_key_verify(ssl, CBS_data(&signature), CBS_len(&signature), signature_algorithm, pkey, msg, msg_len); #if defined(BORINGSSL_UNSAFE_FUZZER_MODE) sig_ok = 1; ERR_clear_error(); #endif if (!sig_ok) { OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_SIGNATURE); ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECRYPT_ERROR); goto err; } ret = 1; err: EVP_PKEY_free(pkey); OPENSSL_free(msg); return ret; }
int dtls1_get_hello_verify(SSL *s) { long n; int al, ok = 0; size_t cookie_len; uint16_t ssl_version; CBS hello_verify_request, cookie; n = s->method->internal->ssl_get_message(s, DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A, DTLS1_ST_CR_HELLO_VERIFY_REQUEST_B, -1, s->internal->max_cert_list, &ok); if (!ok) return ((int)n); if (S3I(s)->tmp.message_type != DTLS1_MT_HELLO_VERIFY_REQUEST) { D1I(s)->send_cookie = 0; S3I(s)->tmp.reuse_message = 1; return (1); } if (n < 0) goto truncated; CBS_init(&hello_verify_request, s->internal->init_msg, n); if (!CBS_get_u16(&hello_verify_request, &ssl_version)) goto truncated; if (ssl_version != s->version) { SSLerror(s, SSL_R_WRONG_SSL_VERSION); s->version = (s->version & 0xff00) | (ssl_version & 0xff); al = SSL_AD_PROTOCOL_VERSION; goto f_err; } if (!CBS_get_u8_length_prefixed(&hello_verify_request, &cookie)) goto truncated; if (!CBS_write_bytes(&cookie, D1I(s)->cookie, sizeof(D1I(s)->cookie), &cookie_len)) { D1I(s)->cookie_len = 0; al = SSL_AD_ILLEGAL_PARAMETER; goto f_err; } D1I(s)->cookie_len = cookie_len; D1I(s)->send_cookie = 1; return 1; truncated: al = SSL_AD_DECODE_ERROR; f_err: ssl3_send_alert(s, SSL3_AL_FATAL, al); return -1; }
int tls13_process_certificate_verify(SSL_HANDSHAKE *hs) { SSL *const ssl = hs->ssl; int ret = 0; uint8_t *msg = NULL; size_t msg_len; if (hs->peer_pubkey == NULL) { goto err; } CBS cbs, signature; uint16_t signature_algorithm; CBS_init(&cbs, ssl->init_msg, ssl->init_num); if (!CBS_get_u16(&cbs, &signature_algorithm) || !CBS_get_u16_length_prefixed(&cbs, &signature) || CBS_len(&cbs) != 0) { OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR); ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); goto err; } int al; if (!tls12_check_peer_sigalg(ssl, &al, signature_algorithm)) { ssl3_send_alert(ssl, SSL3_AL_FATAL, al); goto err; } ssl->s3->new_session->peer_signature_algorithm = signature_algorithm; if (!tls13_get_cert_verify_signature_input( ssl, &msg, &msg_len, ssl->server ? ssl_cert_verify_client : ssl_cert_verify_server)) { ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); goto err; } int sig_ok = ssl_public_key_verify(ssl, CBS_data(&signature), CBS_len(&signature), signature_algorithm, hs->peer_pubkey, msg, msg_len); #if defined(BORINGSSL_UNSAFE_FUZZER_MODE) sig_ok = 1; ERR_clear_error(); #endif if (!sig_ok) { OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_SIGNATURE); ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECRYPT_ERROR); goto err; } ret = 1; err: OPENSSL_free(msg); return ret; }
static int dtls1_get_hello_verify(SSL *s) { long n; int al, ok = 0; CBS hello_verify_request, cookie; uint16_t server_version; n = s->method->ssl_get_message( s, DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A, DTLS1_ST_CR_HELLO_VERIFY_REQUEST_B, -1, /* Use the same maximum size as ssl3_get_server_hello. */ 20000, ssl_hash_message, &ok); if (!ok) { return n; } if (s->s3->tmp.message_type != DTLS1_MT_HELLO_VERIFY_REQUEST) { s->d1->send_cookie = 0; s->s3->tmp.reuse_message = 1; return 1; } CBS_init(&hello_verify_request, s->init_msg, n); if (!CBS_get_u16(&hello_verify_request, &server_version) || !CBS_get_u8_length_prefixed(&hello_verify_request, &cookie) || CBS_len(&hello_verify_request) != 0) { al = SSL_AD_DECODE_ERROR; OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR); goto f_err; } if (CBS_len(&cookie) > sizeof(s->d1->cookie)) { al = SSL_AD_ILLEGAL_PARAMETER; goto f_err; } memcpy(s->d1->cookie, CBS_data(&cookie), CBS_len(&cookie)); s->d1->cookie_len = CBS_len(&cookie); s->d1->send_cookie = 1; return 1; f_err: ssl3_send_alert(s, SSL3_AL_FATAL, al); return -1; }
static const SSL_CIPHER *choose_tls13_cipher( const SSL *ssl, const SSL_CLIENT_HELLO *client_hello) { if (client_hello->cipher_suites_len % 2 != 0) { return NULL; } CBS cipher_suites; CBS_init(&cipher_suites, client_hello->cipher_suites, client_hello->cipher_suites_len); const int aes_is_fine = EVP_has_aes_hardware(); const uint16_t version = ssl3_protocol_version(ssl); const SSL_CIPHER *best = NULL; while (CBS_len(&cipher_suites) > 0) { uint16_t cipher_suite; if (!CBS_get_u16(&cipher_suites, &cipher_suite)) { return NULL; } /* Limit to TLS 1.3 ciphers we know about. */ const SSL_CIPHER *candidate = SSL_get_cipher_by_value(cipher_suite); if (candidate == NULL || SSL_CIPHER_get_min_version(candidate) > version || SSL_CIPHER_get_max_version(candidate) < version) { continue; } /* TLS 1.3 removes legacy ciphers, so honor the client order, but prefer * ChaCha20 if we do not have AES hardware. */ if (aes_is_fine) { return candidate; } if (candidate->algorithm_enc == SSL_CHACHA20POLY1305) { return candidate; } if (best == NULL) { best = candidate; } } return best; }
static int test_get_u(void) { static const uint8_t kData[] = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10}; uint8_t u8; uint16_t u16; uint32_t u32; CBS data; CBS_init(&data, kData, sizeof(kData)); return CBS_get_u8(&data, &u8) && u8 == 1 && CBS_get_u16(&data, &u16) && u16 == 0x203 && CBS_get_u24(&data, &u32) && u32 == 0x40506 && CBS_get_u32(&data, &u32) && u32 == 0x708090a && !CBS_get_u8(&data, &u8); }
static int test_get_prefixed(void) { static const uint8_t kData[] = {1, 2, 0, 2, 3, 4, 0, 0, 3, 3, 2, 1}; uint8_t u8; uint16_t u16; uint32_t u32; CBS data, prefixed; CBS_init(&data, kData, sizeof(kData)); return CBS_get_u8_length_prefixed(&data, &prefixed) && CBS_len(&prefixed) == 1 && CBS_get_u8(&prefixed, &u8) && u8 == 2 && CBS_get_u16_length_prefixed(&data, &prefixed) && CBS_len(&prefixed) == 2 && CBS_get_u16(&prefixed, &u16) && u16 == 0x304 && CBS_get_u24_length_prefixed(&data, &prefixed) && CBS_len(&prefixed) == 3 && CBS_get_u24(&prefixed, &u32) && u32 == 0x30201; }
/* Since the server cache lookup is done early on in the processing of the * ClientHello, and other operations depend on the result, we need to handle * any TLS session ticket extension at the same time. * * session_id: points at the session ID in the ClientHello. This code will * read past the end of this in order to parse out the session ticket * extension, if any. * len: the length of the session ID. * limit: a pointer to the first byte after the ClientHello. * ret: (output) on return, if a ticket was decrypted, then this is set to * point to the resulting session. * * If s->internal->tls_session_secret_cb is set then we are expecting a pre-shared key * ciphersuite, in which case we have no use for session tickets and one will * never be decrypted, nor will s->internal->tlsext_ticket_expected be set to 1. * * Returns: * -1: fatal error, either from parsing or decrypting the ticket. * 0: no ticket was found (or was ignored, based on settings). * 1: a zero length extension was found, indicating that the client supports * session tickets but doesn't currently have one to offer. * 2: either s->internal->tls_session_secret_cb was set, or a ticket was offered but * couldn't be decrypted because of a non-fatal error. * 3: a ticket was successfully decrypted and *ret was set. * * Side effects: * Sets s->internal->tlsext_ticket_expected to 1 if the server will have to issue * a new session ticket to the client because the client indicated support * (and s->internal->tls_session_secret_cb is NULL) but the client either doesn't have * a session ticket or we couldn't use the one it gave us, or if * s->ctx->tlsext_ticket_key_cb asked to renew the client's ticket. * Otherwise, s->internal->tlsext_ticket_expected is set to 0. */ int tls1_process_ticket(SSL *s, const unsigned char *session, int session_len, const unsigned char *limit, SSL_SESSION **ret) { /* Point after session ID in client hello */ CBS session_id, cookie, cipher_list, compress_algo, extensions; *ret = NULL; s->internal->tlsext_ticket_expected = 0; /* If tickets disabled behave as if no ticket present * to permit stateful resumption. */ if (SSL_get_options(s) & SSL_OP_NO_TICKET) return 0; if (!limit) return 0; if (limit < session) return -1; CBS_init(&session_id, session, limit - session); /* Skip past the session id */ if (!CBS_skip(&session_id, session_len)) return -1; /* Skip past DTLS cookie */ if (SSL_IS_DTLS(s)) { if (!CBS_get_u8_length_prefixed(&session_id, &cookie)) return -1; } /* Skip past cipher list */ if (!CBS_get_u16_length_prefixed(&session_id, &cipher_list)) return -1; /* Skip past compression algorithm list */ if (!CBS_get_u8_length_prefixed(&session_id, &compress_algo)) return -1; /* Now at start of extensions */ if (CBS_len(&session_id) == 0) return 0; if (!CBS_get_u16_length_prefixed(&session_id, &extensions)) return -1; while (CBS_len(&extensions) > 0) { CBS ext_data; uint16_t ext_type; if (!CBS_get_u16(&extensions, &ext_type) || !CBS_get_u16_length_prefixed(&extensions, &ext_data)) return -1; if (ext_type == TLSEXT_TYPE_session_ticket) { int r; if (CBS_len(&ext_data) == 0) { /* The client will accept a ticket but doesn't * currently have one. */ s->internal->tlsext_ticket_expected = 1; return 1; } if (s->internal->tls_session_secret_cb) { /* Indicate that the ticket couldn't be * decrypted rather than generating the session * from ticket now, trigger abbreviated * handshake based on external mechanism to * calculate the master secret later. */ return 2; } r = tls_decrypt_ticket(s, CBS_data(&ext_data), CBS_len(&ext_data), session, session_len, ret); switch (r) { case 2: /* ticket couldn't be decrypted */ s->internal->tlsext_ticket_expected = 1; return 2; case 3: /* ticket was decrypted */ return r; case 4: /* ticket decrypted but need to renew */ s->internal->tlsext_ticket_expected = 1; return 3; default: /* fatal error */ return -1; } } } return 0; }
static enum ssl_hs_wait_t do_process_server_hello(SSL *ssl, SSL_HANDSHAKE *hs) { if (!tls13_check_message_type(ssl, SSL3_MT_SERVER_HELLO)) { return ssl_hs_error; } CBS cbs, server_random, extensions; uint16_t server_wire_version; uint16_t cipher_suite; CBS_init(&cbs, ssl->init_msg, ssl->init_num); if (!CBS_get_u16(&cbs, &server_wire_version) || !CBS_get_bytes(&cbs, &server_random, SSL3_RANDOM_SIZE) || !CBS_get_u16(&cbs, &cipher_suite) || !CBS_get_u16_length_prefixed(&cbs, &extensions) || CBS_len(&cbs) != 0) { ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR); return ssl_hs_error; } if (server_wire_version != ssl->version) { ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_VERSION_NUMBER); return ssl_hs_error; } /* Parse out the extensions. */ int have_key_share = 0; CBS key_share; while (CBS_len(&extensions) != 0) { uint16_t type; CBS extension; if (!CBS_get_u16(&extensions, &type) || !CBS_get_u16_length_prefixed(&extensions, &extension)) { OPENSSL_PUT_ERROR(SSL, SSL_R_PARSE_TLSEXT); ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); return ssl_hs_error; } switch (type) { case TLSEXT_TYPE_key_share: if (have_key_share) { OPENSSL_PUT_ERROR(SSL, SSL_R_DUPLICATE_EXTENSION); ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); return ssl_hs_error; } key_share = extension; have_key_share = 1; break; default: OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION); ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNSUPPORTED_EXTENSION); return ssl_hs_error; } } assert(ssl->s3->have_version); memcpy(ssl->s3->server_random, CBS_data(&server_random), SSL3_RANDOM_SIZE); ssl->hit = 0; if (!ssl_get_new_session(ssl, 0)) { ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); return ssl_hs_error; } const SSL_CIPHER *cipher = SSL_get_cipher_by_value(cipher_suite); if (cipher == NULL) { OPENSSL_PUT_ERROR(SSL, SSL_R_UNKNOWN_CIPHER_RETURNED); ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER); return ssl_hs_error; } /* Check if the cipher is disabled. */ if ((cipher->algorithm_mkey & ssl->cert->mask_k) || (cipher->algorithm_auth & ssl->cert->mask_a) || SSL_CIPHER_get_min_version(cipher) > ssl3_protocol_version(ssl) || SSL_CIPHER_get_max_version(cipher) < ssl3_protocol_version(ssl) || !sk_SSL_CIPHER_find(ssl_get_ciphers_by_id(ssl), NULL, cipher)) { OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CIPHER_RETURNED); ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER); return ssl_hs_error; } ssl->session->cipher = cipher; ssl->s3->tmp.new_cipher = cipher; /* The PRF hash is now known. Set up the key schedule. */ static const uint8_t kZeroes[EVP_MAX_MD_SIZE] = {0}; size_t hash_len = EVP_MD_size(ssl_get_handshake_digest(ssl_get_algorithm_prf(ssl))); if (!tls13_init_key_schedule(ssl, kZeroes, hash_len)) { return ssl_hs_error; } /* Resolve PSK and incorporate it into the secret. */ if (cipher->algorithm_auth == SSL_aPSK) { /* TODO(davidben): Support PSK. */ OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); return ssl_hs_error; } else if (!tls13_advance_key_schedule(ssl, kZeroes, hash_len)) { return ssl_hs_error; } /* Resolve ECDHE and incorporate it into the secret. */ if (cipher->algorithm_mkey == SSL_kECDHE) { if (!have_key_share) { OPENSSL_PUT_ERROR(SSL, SSL_R_MISSING_KEY_SHARE); ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_MISSING_EXTENSION); return ssl_hs_error; } uint8_t *dhe_secret; size_t dhe_secret_len; uint8_t alert = SSL_AD_DECODE_ERROR; if (!ext_key_share_parse_serverhello(ssl, &dhe_secret, &dhe_secret_len, &alert, &key_share)) { ssl3_send_alert(ssl, SSL3_AL_FATAL, alert); return ssl_hs_error; } int ok = tls13_advance_key_schedule(ssl, dhe_secret, dhe_secret_len); OPENSSL_free(dhe_secret); if (!ok) { return ssl_hs_error; } } else { if (have_key_share) { OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION); ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNSUPPORTED_EXTENSION); return ssl_hs_error; } if (!tls13_advance_key_schedule(ssl, kZeroes, hash_len)) { return ssl_hs_error; } } /* If there was no HelloRetryRequest, the version negotiation logic has * already hashed the message. */ if (ssl->s3->hs->retry_group != 0 && !ssl->method->hash_current_message(ssl)) { return ssl_hs_error; } if (!tls13_set_handshake_traffic(ssl)) { return ssl_hs_error; } hs->state = state_process_encrypted_extensions; return ssl_hs_read_message; }
SSL_SESSION *SSL_SESSION_parse(CBS *cbs, const SSL_X509_METHOD *x509_method, CRYPTO_BUFFER_POOL *pool) { SSL_SESSION *ret = ssl_session_new(x509_method); if (ret == NULL) { goto err; } CBS session; uint64_t version, ssl_version; if (!CBS_get_asn1(cbs, &session, CBS_ASN1_SEQUENCE) || !CBS_get_asn1_uint64(&session, &version) || version != kVersion || !CBS_get_asn1_uint64(&session, &ssl_version)) { OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION); goto err; } ret->ssl_version = ssl_version; CBS cipher; uint16_t cipher_value; if (!CBS_get_asn1(&session, &cipher, CBS_ASN1_OCTETSTRING) || !CBS_get_u16(&cipher, &cipher_value) || CBS_len(&cipher) != 0) { OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION); goto err; } ret->cipher = SSL_get_cipher_by_value(cipher_value); if (ret->cipher == NULL) { OPENSSL_PUT_ERROR(SSL, SSL_R_UNSUPPORTED_CIPHER); goto err; } CBS session_id, master_key; if (!CBS_get_asn1(&session, &session_id, CBS_ASN1_OCTETSTRING) || CBS_len(&session_id) > SSL3_MAX_SSL_SESSION_ID_LENGTH || !CBS_get_asn1(&session, &master_key, CBS_ASN1_OCTETSTRING) || CBS_len(&master_key) > SSL_MAX_MASTER_KEY_LENGTH) { OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION); goto err; } OPENSSL_memcpy(ret->session_id, CBS_data(&session_id), CBS_len(&session_id)); ret->session_id_length = CBS_len(&session_id); OPENSSL_memcpy(ret->master_key, CBS_data(&master_key), CBS_len(&master_key)); ret->master_key_length = CBS_len(&master_key); CBS child; uint64_t timeout; if (!CBS_get_asn1(&session, &child, kTimeTag) || !CBS_get_asn1_uint64(&child, &ret->time) || !CBS_get_asn1(&session, &child, kTimeoutTag) || !CBS_get_asn1_uint64(&child, &timeout) || timeout > UINT32_MAX) { OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION); goto err; } ret->timeout = (uint32_t)timeout; CBS peer; int has_peer; if (!CBS_get_optional_asn1(&session, &peer, &has_peer, kPeerTag) || (has_peer && CBS_len(&peer) == 0)) { OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION); goto err; } /* |peer| is processed with the certificate chain. */ if (!SSL_SESSION_parse_bounded_octet_string( &session, ret->sid_ctx, &ret->sid_ctx_length, sizeof(ret->sid_ctx), kSessionIDContextTag) || !SSL_SESSION_parse_long(&session, &ret->verify_result, kVerifyResultTag, X509_V_OK) || !SSL_SESSION_parse_string(&session, &ret->tlsext_hostname, kHostNameTag) || !SSL_SESSION_parse_string(&session, &ret->psk_identity, kPSKIdentityTag) || !SSL_SESSION_parse_u32(&session, &ret->tlsext_tick_lifetime_hint, kTicketLifetimeHintTag, 0) || !SSL_SESSION_parse_octet_string(&session, &ret->tlsext_tick, &ret->tlsext_ticklen, kTicketTag)) { goto err; } if (CBS_peek_asn1_tag(&session, kPeerSHA256Tag)) { CBS peer_sha256; if (!CBS_get_asn1(&session, &child, kPeerSHA256Tag) || !CBS_get_asn1(&child, &peer_sha256, CBS_ASN1_OCTETSTRING) || CBS_len(&peer_sha256) != sizeof(ret->peer_sha256) || CBS_len(&child) != 0) { OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION); goto err; } OPENSSL_memcpy(ret->peer_sha256, CBS_data(&peer_sha256), sizeof(ret->peer_sha256)); ret->peer_sha256_valid = 1; } else { ret->peer_sha256_valid = 0; } if (!SSL_SESSION_parse_bounded_octet_string( &session, ret->original_handshake_hash, &ret->original_handshake_hash_len, sizeof(ret->original_handshake_hash), kOriginalHandshakeHashTag) || !SSL_SESSION_parse_octet_string( &session, &ret->tlsext_signed_cert_timestamp_list, &ret->tlsext_signed_cert_timestamp_list_length, kSignedCertTimestampListTag) || !SSL_SESSION_parse_octet_string( &session, &ret->ocsp_response, &ret->ocsp_response_length, kOCSPResponseTag)) { goto err; } int extended_master_secret; if (!CBS_get_optional_asn1_bool(&session, &extended_master_secret, kExtendedMasterSecretTag, 0 /* default to false */)) { OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION); goto err; } ret->extended_master_secret = !!extended_master_secret; if (!SSL_SESSION_parse_u16(&session, &ret->group_id, kGroupIDTag, 0)) { OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION); goto err; } CBS cert_chain; CBS_init(&cert_chain, NULL, 0); int has_cert_chain; if (!CBS_get_optional_asn1(&session, &cert_chain, &has_cert_chain, kCertChainTag) || (has_cert_chain && CBS_len(&cert_chain) == 0)) { OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION); goto err; } if (has_cert_chain && !has_peer) { OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION); goto err; } if (has_peer || has_cert_chain) { ret->certs = sk_CRYPTO_BUFFER_new_null(); if (ret->certs == NULL) { OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); goto err; } if (has_peer) { /* TODO(agl): this should use the |SSL_CTX|'s pool. */ CRYPTO_BUFFER *buffer = CRYPTO_BUFFER_new_from_CBS(&peer, pool); if (buffer == NULL || !sk_CRYPTO_BUFFER_push(ret->certs, buffer)) { CRYPTO_BUFFER_free(buffer); OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); goto err; } } while (CBS_len(&cert_chain) > 0) { CBS cert; if (!CBS_get_any_asn1_element(&cert_chain, &cert, NULL, NULL) || CBS_len(&cert) == 0) { OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION); goto err; } /* TODO(agl): this should use the |SSL_CTX|'s pool. */ CRYPTO_BUFFER *buffer = CRYPTO_BUFFER_new_from_CBS(&cert, pool); if (buffer == NULL || !sk_CRYPTO_BUFFER_push(ret->certs, buffer)) { CRYPTO_BUFFER_free(buffer); OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); goto err; } } } if (!x509_method->session_cache_objects(ret)) { OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION); goto err; } CBS age_add; int age_add_present; if (!CBS_get_optional_asn1_octet_string(&session, &age_add, &age_add_present, kTicketAgeAddTag) || (age_add_present && !CBS_get_u32(&age_add, &ret->ticket_age_add)) || CBS_len(&age_add) != 0) { goto err; } ret->ticket_age_add_valid = age_add_present; int is_server; if (!CBS_get_optional_asn1_bool(&session, &is_server, kIsServerTag, 1 /* default to true */)) { OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION); goto err; } /* TODO: in time we can include |is_server| for servers too, then we can enforce that client and server sessions are never mixed up. */ ret->is_server = is_server; if (!SSL_SESSION_parse_u16(&session, &ret->peer_signature_algorithm, kPeerSignatureAlgorithmTag, 0) || !SSL_SESSION_parse_u32(&session, &ret->ticket_max_early_data, kTicketMaxEarlyDataTag, 0) || !SSL_SESSION_parse_u32(&session, &ret->auth_timeout, kAuthTimeoutTag, ret->timeout) || !SSL_SESSION_parse_octet_string(&session, &ret->early_alpn, &ret->early_alpn_len, kEarlyALPNTag) || CBS_len(&session) != 0) { OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION); goto err; } return ret; err: SSL_SESSION_free(ret); return NULL; }
SSL_SESSION * d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp, long length) { CBS cbs, session, cipher_suite, session_id, master_key, peer_cert; CBS hostname, ticket; uint64_t version, tls_version, stime, timeout, verify_result, lifetime; const unsigned char *peer_cert_bytes; uint16_t cipher_value; SSL_SESSION *s = NULL; size_t data_len; int present; if (a != NULL) s = *a; if (s == NULL) { if ((s = SSL_SESSION_new()) == NULL) { SSLerrorx(ERR_R_MALLOC_FAILURE); return (NULL); } } CBS_init(&cbs, *pp, length); if (!CBS_get_asn1(&cbs, &session, CBS_ASN1_SEQUENCE)) goto err; /* Session ASN1 version. */ if (!CBS_get_asn1_uint64(&session, &version)) goto err; if (version != SSL_SESSION_ASN1_VERSION) goto err; /* TLS/SSL Protocol Version. */ if (!CBS_get_asn1_uint64(&session, &tls_version)) goto err; if (tls_version > INT_MAX) goto err; s->ssl_version = (int)tls_version; /* Cipher suite. */ if (!CBS_get_asn1(&session, &cipher_suite, CBS_ASN1_OCTETSTRING)) goto err; if (!CBS_get_u16(&cipher_suite, &cipher_value)) goto err; if (CBS_len(&cipher_suite) != 0) goto err; /* XXX - populate cipher instead? */ s->cipher = NULL; s->cipher_id = SSL3_CK_ID | cipher_value; /* Session ID. */ if (!CBS_get_asn1(&session, &session_id, CBS_ASN1_OCTETSTRING)) goto err; if (!CBS_write_bytes(&session_id, s->session_id, sizeof(s->session_id), &data_len)) goto err; if (data_len > UINT_MAX) goto err; s->session_id_length = (unsigned int)data_len; /* Master key. */ if (!CBS_get_asn1(&session, &master_key, CBS_ASN1_OCTETSTRING)) goto err; if (!CBS_write_bytes(&master_key, s->master_key, sizeof(s->master_key), &data_len)) goto err; if (data_len > INT_MAX) goto err; s->master_key_length = (int)data_len; /* Time [1]. */ s->time = time(NULL); if (!CBS_get_optional_asn1_uint64(&session, &stime, SSLASN1_TIME_TAG, 0)) goto err; if (stime > time_max()) goto err; if (stime != 0) s->time = (time_t)stime; /* Timeout [2]. */ s->timeout = 3; if (!CBS_get_optional_asn1_uint64(&session, &timeout, SSLASN1_TIMEOUT_TAG, 0)) goto err; if (timeout > LONG_MAX) goto err; if (timeout != 0) s->timeout = (long)timeout; /* Peer certificate [3]. */ X509_free(s->peer); s->peer = NULL; if (!CBS_get_optional_asn1(&session, &peer_cert, &present, SSLASN1_PEER_CERT_TAG)) goto err; if (present) { data_len = CBS_len(&peer_cert); if (data_len > LONG_MAX) goto err; peer_cert_bytes = CBS_data(&peer_cert); if (d2i_X509(&s->peer, &peer_cert_bytes, (long)data_len) == NULL) goto err; } /* Session ID context [4]. */ s->sid_ctx_length = 0; if (!CBS_get_optional_asn1_octet_string(&session, &session_id, &present, SSLASN1_SESSION_ID_CTX_TAG)) goto err; if (present) { if (!CBS_write_bytes(&session_id, (uint8_t *)&s->sid_ctx, sizeof(s->sid_ctx), &data_len)) goto err; if (data_len > UINT_MAX) goto err; s->sid_ctx_length = (unsigned int)data_len; } /* Verify result [5]. */ s->verify_result = X509_V_OK; if (!CBS_get_optional_asn1_uint64(&session, &verify_result, SSLASN1_VERIFY_RESULT_TAG, X509_V_OK)) goto err; if (verify_result > LONG_MAX) goto err; s->verify_result = (long)verify_result; /* Hostname [6]. */ free(s->tlsext_hostname); s->tlsext_hostname = NULL; if (!CBS_get_optional_asn1_octet_string(&session, &hostname, &present, SSLASN1_HOSTNAME_TAG)) goto err; if (present) { if (CBS_contains_zero_byte(&hostname)) goto err; if (!CBS_strdup(&hostname, &s->tlsext_hostname)) goto err; } /* PSK identity hint [7]. */ /* PSK identity [8]. */ /* Ticket lifetime [9]. */ s->tlsext_tick_lifetime_hint = 0; /* XXX - tlsext_ticklen is not yet set... */ if (s->tlsext_ticklen > 0 && s->session_id_length > 0) s->tlsext_tick_lifetime_hint = -1; if (!CBS_get_optional_asn1_uint64(&session, &lifetime, SSLASN1_LIFETIME_TAG, 0)) goto err; if (lifetime > LONG_MAX) goto err; if (lifetime > 0) s->tlsext_tick_lifetime_hint = (long)lifetime; /* Ticket [10]. */ free(s->tlsext_tick); s->tlsext_tick = NULL; if (!CBS_get_optional_asn1_octet_string(&session, &ticket, &present, SSLASN1_TICKET_TAG)) goto err; if (present) { if (!CBS_stow(&ticket, &s->tlsext_tick, &s->tlsext_ticklen)) goto err; } /* Compression method [11]. */ /* SRP username [12]. */ *pp = CBS_data(&cbs); if (a != NULL) *a = s; return (s); err: ERR_asprintf_error_data("offset=%d", (int)(CBS_data(&cbs) - *pp)); if (s != NULL && (a == NULL || *a != s)) SSL_SESSION_free(s); return (NULL); }