static enum ssl_hs_wait_t do_process_hello_retry_request(SSL *ssl,
SSL_HANDSHAKE *hs) {
if (ssl->s3->tmp.message_type != SSL3_MT_HELLO_RETRY_REQUEST) {
hs->state = state_process_server_hello;
return ssl_hs_ok;
}
CBS cbs, extensions;
uint16_t server_wire_version, cipher_suite, group_id;
CBS_init(&cbs, ssl->init_msg, ssl->init_num);
if (!CBS_get_u16(&cbs, &server_wire_version) ||
!CBS_get_u16(&cbs, &cipher_suite) ||
!CBS_get_u16(&cbs, &group_id) ||
/* We do not currently parse any HelloRetryRequest extensions. */
!CBS_get_u16_length_prefixed(&cbs, &extensions) ||
CBS_len(&cbs) != 0) {
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
return ssl_hs_error;
}
/* TODO(svaldez): Don't do early_data on HelloRetryRequest. */
const uint16_t *groups;
size_t groups_len;
tls1_get_grouplist(ssl, 0 /* local groups */, &groups, &groups_len);
int found = 0;
for (size_t i = 0; i < groups_len; i++) {
if (groups[i] == group_id) {
found = 1;
break;
}
}
if (!found) {
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CURVE);
return ssl_hs_error;
}
for (size_t i = 0; i < ssl->s3->hs->groups_len; i++) {
/* Check that the HelloRetryRequest does not request a key share that was
* provided in the initial ClientHello.
*
* TODO(svaldez): Don't enforce this check when the HelloRetryRequest is due
* to a cookie. */
if (SSL_ECDH_CTX_get_id(&ssl->s3->hs->groups[i]) == group_id) {
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CURVE);
return ssl_hs_error;
}
}
ssl_handshake_clear_groups(ssl->s3->hs);
ssl->s3->hs->retry_group = group_id;
hs->state = state_send_second_client_hello;
return ssl_hs_ok;
}
int tls13_process_certificate_verify(SSL *ssl) {
int ret = 0;
X509 *peer = ssl->s3->new_session->peer;
EVP_PKEY *pkey = NULL;
uint8_t *msg = NULL;
size_t msg_len;
/* Filter out unsupported certificate types. */
pkey = X509_get_pubkey(peer);
if (pkey == NULL) {
goto err;
}
CBS cbs, signature;
uint16_t signature_algorithm;
CBS_init(&cbs, ssl->init_msg, ssl->init_num);
if (!CBS_get_u16(&cbs, &signature_algorithm) ||
!CBS_get_u16_length_prefixed(&cbs, &signature) ||
CBS_len(&cbs) != 0) {
OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
goto err;
}
int al;
if (!tls12_check_peer_sigalg(ssl, &al, signature_algorithm)) {
ssl3_send_alert(ssl, SSL3_AL_FATAL, al);
goto err;
}
ssl->s3->tmp.peer_signature_algorithm = signature_algorithm;
if (!tls13_get_cert_verify_signature_input(
ssl, &msg, &msg_len,
ssl->server ? ssl_cert_verify_client : ssl_cert_verify_server)) {
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
goto err;
}
int sig_ok =
ssl_public_key_verify(ssl, CBS_data(&signature), CBS_len(&signature),
signature_algorithm, pkey, msg, msg_len);
#if defined(BORINGSSL_UNSAFE_FUZZER_MODE)
sig_ok = 1;
ERR_clear_error();
#endif
if (!sig_ok) {
OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_SIGNATURE);
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECRYPT_ERROR);
goto err;
}
ret = 1;
err:
EVP_PKEY_free(pkey);
OPENSSL_free(msg);
return ret;
}
int
dtls1_get_hello_verify(SSL *s)
{
long n;
int al, ok = 0;
size_t cookie_len;
uint16_t ssl_version;
CBS hello_verify_request, cookie;
n = s->method->internal->ssl_get_message(s, DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A,
DTLS1_ST_CR_HELLO_VERIFY_REQUEST_B, -1, s->internal->max_cert_list, &ok);
if (!ok)
return ((int)n);
if (S3I(s)->tmp.message_type != DTLS1_MT_HELLO_VERIFY_REQUEST) {
D1I(s)->send_cookie = 0;
S3I(s)->tmp.reuse_message = 1;
return (1);
}
if (n < 0)
goto truncated;
CBS_init(&hello_verify_request, s->internal->init_msg, n);
if (!CBS_get_u16(&hello_verify_request, &ssl_version))
goto truncated;
if (ssl_version != s->version) {
SSLerror(s, SSL_R_WRONG_SSL_VERSION);
s->version = (s->version & 0xff00) | (ssl_version & 0xff);
al = SSL_AD_PROTOCOL_VERSION;
goto f_err;
}
if (!CBS_get_u8_length_prefixed(&hello_verify_request, &cookie))
goto truncated;
if (!CBS_write_bytes(&cookie, D1I(s)->cookie,
sizeof(D1I(s)->cookie), &cookie_len)) {
D1I(s)->cookie_len = 0;
al = SSL_AD_ILLEGAL_PARAMETER;
goto f_err;
}
D1I(s)->cookie_len = cookie_len;
D1I(s)->send_cookie = 1;
return 1;
truncated:
al = SSL_AD_DECODE_ERROR;
f_err:
ssl3_send_alert(s, SSL3_AL_FATAL, al);
return -1;
}
int tls13_process_certificate_verify(SSL_HANDSHAKE *hs) {
SSL *const ssl = hs->ssl;
int ret = 0;
uint8_t *msg = NULL;
size_t msg_len;
if (hs->peer_pubkey == NULL) {
goto err;
}
CBS cbs, signature;
uint16_t signature_algorithm;
CBS_init(&cbs, ssl->init_msg, ssl->init_num);
if (!CBS_get_u16(&cbs, &signature_algorithm) ||
!CBS_get_u16_length_prefixed(&cbs, &signature) ||
CBS_len(&cbs) != 0) {
OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
goto err;
}
int al;
if (!tls12_check_peer_sigalg(ssl, &al, signature_algorithm)) {
ssl3_send_alert(ssl, SSL3_AL_FATAL, al);
goto err;
}
ssl->s3->new_session->peer_signature_algorithm = signature_algorithm;
if (!tls13_get_cert_verify_signature_input(
ssl, &msg, &msg_len,
ssl->server ? ssl_cert_verify_client : ssl_cert_verify_server)) {
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
goto err;
}
int sig_ok =
ssl_public_key_verify(ssl, CBS_data(&signature), CBS_len(&signature),
signature_algorithm, hs->peer_pubkey, msg, msg_len);
#if defined(BORINGSSL_UNSAFE_FUZZER_MODE)
sig_ok = 1;
ERR_clear_error();
#endif
if (!sig_ok) {
OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_SIGNATURE);
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECRYPT_ERROR);
goto err;
}
ret = 1;
err:
OPENSSL_free(msg);
return ret;
}
static int dtls1_get_hello_verify(SSL *s) {
long n;
int al, ok = 0;
CBS hello_verify_request, cookie;
uint16_t server_version;
n = s->method->ssl_get_message(
s, DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A, DTLS1_ST_CR_HELLO_VERIFY_REQUEST_B,
-1,
/* Use the same maximum size as ssl3_get_server_hello. */
20000, ssl_hash_message, &ok);
if (!ok) {
return n;
}
if (s->s3->tmp.message_type != DTLS1_MT_HELLO_VERIFY_REQUEST) {
s->d1->send_cookie = 0;
s->s3->tmp.reuse_message = 1;
return 1;
}
CBS_init(&hello_verify_request, s->init_msg, n);
if (!CBS_get_u16(&hello_verify_request, &server_version) ||
!CBS_get_u8_length_prefixed(&hello_verify_request, &cookie) ||
CBS_len(&hello_verify_request) != 0) {
al = SSL_AD_DECODE_ERROR;
OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
goto f_err;
}
if (CBS_len(&cookie) > sizeof(s->d1->cookie)) {
al = SSL_AD_ILLEGAL_PARAMETER;
goto f_err;
}
memcpy(s->d1->cookie, CBS_data(&cookie), CBS_len(&cookie));
s->d1->cookie_len = CBS_len(&cookie);
s->d1->send_cookie = 1;
return 1;
f_err:
ssl3_send_alert(s, SSL3_AL_FATAL, al);
return -1;
}
static const SSL_CIPHER *choose_tls13_cipher(
const SSL *ssl, const SSL_CLIENT_HELLO *client_hello) {
if (client_hello->cipher_suites_len % 2 != 0) {
return NULL;
}
CBS cipher_suites;
CBS_init(&cipher_suites, client_hello->cipher_suites,
client_hello->cipher_suites_len);
const int aes_is_fine = EVP_has_aes_hardware();
const uint16_t version = ssl3_protocol_version(ssl);
const SSL_CIPHER *best = NULL;
while (CBS_len(&cipher_suites) > 0) {
uint16_t cipher_suite;
if (!CBS_get_u16(&cipher_suites, &cipher_suite)) {
return NULL;
}
/* Limit to TLS 1.3 ciphers we know about. */
const SSL_CIPHER *candidate = SSL_get_cipher_by_value(cipher_suite);
if (candidate == NULL ||
SSL_CIPHER_get_min_version(candidate) > version ||
SSL_CIPHER_get_max_version(candidate) < version) {
continue;
}
/* TLS 1.3 removes legacy ciphers, so honor the client order, but prefer
* ChaCha20 if we do not have AES hardware. */
if (aes_is_fine) {
return candidate;
}
if (candidate->algorithm_enc == SSL_CHACHA20POLY1305) {
return candidate;
}
if (best == NULL) {
best = candidate;
}
}
return best;
}
static int test_get_u(void) {
static const uint8_t kData[] = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10};
uint8_t u8;
uint16_t u16;
uint32_t u32;
CBS data;
CBS_init(&data, kData, sizeof(kData));
return CBS_get_u8(&data, &u8) &&
u8 == 1 &&
CBS_get_u16(&data, &u16) &&
u16 == 0x203 &&
CBS_get_u24(&data, &u32) &&
u32 == 0x40506 &&
CBS_get_u32(&data, &u32) &&
u32 == 0x708090a &&
!CBS_get_u8(&data, &u8);
}
static int test_get_prefixed(void) {
static const uint8_t kData[] = {1, 2, 0, 2, 3, 4, 0, 0, 3, 3, 2, 1};
uint8_t u8;
uint16_t u16;
uint32_t u32;
CBS data, prefixed;
CBS_init(&data, kData, sizeof(kData));
return CBS_get_u8_length_prefixed(&data, &prefixed) &&
CBS_len(&prefixed) == 1 &&
CBS_get_u8(&prefixed, &u8) &&
u8 == 2 &&
CBS_get_u16_length_prefixed(&data, &prefixed) &&
CBS_len(&prefixed) == 2 &&
CBS_get_u16(&prefixed, &u16) &&
u16 == 0x304 &&
CBS_get_u24_length_prefixed(&data, &prefixed) &&
CBS_len(&prefixed) == 3 &&
CBS_get_u24(&prefixed, &u32) &&
u32 == 0x30201;
}
/* Since the server cache lookup is done early on in the processing of the
* ClientHello, and other operations depend on the result, we need to handle
* any TLS session ticket extension at the same time.
*
* session_id: points at the session ID in the ClientHello. This code will
* read past the end of this in order to parse out the session ticket
* extension, if any.
* len: the length of the session ID.
* limit: a pointer to the first byte after the ClientHello.
* ret: (output) on return, if a ticket was decrypted, then this is set to
* point to the resulting session.
*
* If s->internal->tls_session_secret_cb is set then we are expecting a pre-shared key
* ciphersuite, in which case we have no use for session tickets and one will
* never be decrypted, nor will s->internal->tlsext_ticket_expected be set to 1.
*
* Returns:
* -1: fatal error, either from parsing or decrypting the ticket.
* 0: no ticket was found (or was ignored, based on settings).
* 1: a zero length extension was found, indicating that the client supports
* session tickets but doesn't currently have one to offer.
* 2: either s->internal->tls_session_secret_cb was set, or a ticket was offered but
* couldn't be decrypted because of a non-fatal error.
* 3: a ticket was successfully decrypted and *ret was set.
*
* Side effects:
* Sets s->internal->tlsext_ticket_expected to 1 if the server will have to issue
* a new session ticket to the client because the client indicated support
* (and s->internal->tls_session_secret_cb is NULL) but the client either doesn't have
* a session ticket or we couldn't use the one it gave us, or if
* s->ctx->tlsext_ticket_key_cb asked to renew the client's ticket.
* Otherwise, s->internal->tlsext_ticket_expected is set to 0.
*/
int
tls1_process_ticket(SSL *s, const unsigned char *session, int session_len,
const unsigned char *limit, SSL_SESSION **ret)
{
/* Point after session ID in client hello */
CBS session_id, cookie, cipher_list, compress_algo, extensions;
*ret = NULL;
s->internal->tlsext_ticket_expected = 0;
/* If tickets disabled behave as if no ticket present
* to permit stateful resumption.
*/
if (SSL_get_options(s) & SSL_OP_NO_TICKET)
return 0;
if (!limit)
return 0;
if (limit < session)
return -1;
CBS_init(&session_id, session, limit - session);
/* Skip past the session id */
if (!CBS_skip(&session_id, session_len))
return -1;
/* Skip past DTLS cookie */
if (SSL_IS_DTLS(s)) {
if (!CBS_get_u8_length_prefixed(&session_id, &cookie))
return -1;
}
/* Skip past cipher list */
if (!CBS_get_u16_length_prefixed(&session_id, &cipher_list))
return -1;
/* Skip past compression algorithm list */
if (!CBS_get_u8_length_prefixed(&session_id, &compress_algo))
return -1;
/* Now at start of extensions */
if (CBS_len(&session_id) == 0)
return 0;
if (!CBS_get_u16_length_prefixed(&session_id, &extensions))
return -1;
while (CBS_len(&extensions) > 0) {
CBS ext_data;
uint16_t ext_type;
if (!CBS_get_u16(&extensions, &ext_type) ||
!CBS_get_u16_length_prefixed(&extensions, &ext_data))
return -1;
if (ext_type == TLSEXT_TYPE_session_ticket) {
int r;
if (CBS_len(&ext_data) == 0) {
/* The client will accept a ticket but doesn't
* currently have one. */
s->internal->tlsext_ticket_expected = 1;
return 1;
}
if (s->internal->tls_session_secret_cb) {
/* Indicate that the ticket couldn't be
* decrypted rather than generating the session
* from ticket now, trigger abbreviated
* handshake based on external mechanism to
* calculate the master secret later. */
return 2;
}
r = tls_decrypt_ticket(s, CBS_data(&ext_data),
CBS_len(&ext_data), session, session_len, ret);
switch (r) {
case 2: /* ticket couldn't be decrypted */
s->internal->tlsext_ticket_expected = 1;
return 2;
case 3: /* ticket was decrypted */
return r;
case 4: /* ticket decrypted but need to renew */
s->internal->tlsext_ticket_expected = 1;
return 3;
default: /* fatal error */
return -1;
}
}
}
return 0;
}
static enum ssl_hs_wait_t do_process_server_hello(SSL *ssl, SSL_HANDSHAKE *hs) {
if (!tls13_check_message_type(ssl, SSL3_MT_SERVER_HELLO)) {
return ssl_hs_error;
}
CBS cbs, server_random, extensions;
uint16_t server_wire_version;
uint16_t cipher_suite;
CBS_init(&cbs, ssl->init_msg, ssl->init_num);
if (!CBS_get_u16(&cbs, &server_wire_version) ||
!CBS_get_bytes(&cbs, &server_random, SSL3_RANDOM_SIZE) ||
!CBS_get_u16(&cbs, &cipher_suite) ||
!CBS_get_u16_length_prefixed(&cbs, &extensions) ||
CBS_len(&cbs) != 0) {
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
return ssl_hs_error;
}
if (server_wire_version != ssl->version) {
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_VERSION_NUMBER);
return ssl_hs_error;
}
/* Parse out the extensions. */
int have_key_share = 0;
CBS key_share;
while (CBS_len(&extensions) != 0) {
uint16_t type;
CBS extension;
if (!CBS_get_u16(&extensions, &type) ||
!CBS_get_u16_length_prefixed(&extensions, &extension)) {
OPENSSL_PUT_ERROR(SSL, SSL_R_PARSE_TLSEXT);
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
return ssl_hs_error;
}
switch (type) {
case TLSEXT_TYPE_key_share:
if (have_key_share) {
OPENSSL_PUT_ERROR(SSL, SSL_R_DUPLICATE_EXTENSION);
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
return ssl_hs_error;
}
key_share = extension;
have_key_share = 1;
break;
default:
OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION);
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNSUPPORTED_EXTENSION);
return ssl_hs_error;
}
}
assert(ssl->s3->have_version);
memcpy(ssl->s3->server_random, CBS_data(&server_random), SSL3_RANDOM_SIZE);
ssl->hit = 0;
if (!ssl_get_new_session(ssl, 0)) {
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
return ssl_hs_error;
}
const SSL_CIPHER *cipher = SSL_get_cipher_by_value(cipher_suite);
if (cipher == NULL) {
OPENSSL_PUT_ERROR(SSL, SSL_R_UNKNOWN_CIPHER_RETURNED);
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
return ssl_hs_error;
}
/* Check if the cipher is disabled. */
if ((cipher->algorithm_mkey & ssl->cert->mask_k) ||
(cipher->algorithm_auth & ssl->cert->mask_a) ||
SSL_CIPHER_get_min_version(cipher) > ssl3_protocol_version(ssl) ||
SSL_CIPHER_get_max_version(cipher) < ssl3_protocol_version(ssl) ||
!sk_SSL_CIPHER_find(ssl_get_ciphers_by_id(ssl), NULL, cipher)) {
OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CIPHER_RETURNED);
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
return ssl_hs_error;
}
ssl->session->cipher = cipher;
ssl->s3->tmp.new_cipher = cipher;
/* The PRF hash is now known. Set up the key schedule. */
static const uint8_t kZeroes[EVP_MAX_MD_SIZE] = {0};
size_t hash_len =
EVP_MD_size(ssl_get_handshake_digest(ssl_get_algorithm_prf(ssl)));
if (!tls13_init_key_schedule(ssl, kZeroes, hash_len)) {
return ssl_hs_error;
}
/* Resolve PSK and incorporate it into the secret. */
if (cipher->algorithm_auth == SSL_aPSK) {
/* TODO(davidben): Support PSK. */
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
return ssl_hs_error;
} else if (!tls13_advance_key_schedule(ssl, kZeroes, hash_len)) {
return ssl_hs_error;
}
/* Resolve ECDHE and incorporate it into the secret. */
if (cipher->algorithm_mkey == SSL_kECDHE) {
if (!have_key_share) {
OPENSSL_PUT_ERROR(SSL, SSL_R_MISSING_KEY_SHARE);
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_MISSING_EXTENSION);
return ssl_hs_error;
}
uint8_t *dhe_secret;
size_t dhe_secret_len;
uint8_t alert = SSL_AD_DECODE_ERROR;
if (!ext_key_share_parse_serverhello(ssl, &dhe_secret, &dhe_secret_len,
&alert, &key_share)) {
ssl3_send_alert(ssl, SSL3_AL_FATAL, alert);
return ssl_hs_error;
}
int ok = tls13_advance_key_schedule(ssl, dhe_secret, dhe_secret_len);
OPENSSL_free(dhe_secret);
if (!ok) {
return ssl_hs_error;
}
} else {
if (have_key_share) {
OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION);
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNSUPPORTED_EXTENSION);
return ssl_hs_error;
}
if (!tls13_advance_key_schedule(ssl, kZeroes, hash_len)) {
return ssl_hs_error;
}
}
/* If there was no HelloRetryRequest, the version negotiation logic has
* already hashed the message. */
if (ssl->s3->hs->retry_group != 0 &&
!ssl->method->hash_current_message(ssl)) {
return ssl_hs_error;
}
if (!tls13_set_handshake_traffic(ssl)) {
return ssl_hs_error;
}
hs->state = state_process_encrypted_extensions;
return ssl_hs_read_message;
}
SSL_SESSION *SSL_SESSION_parse(CBS *cbs, const SSL_X509_METHOD *x509_method,
CRYPTO_BUFFER_POOL *pool) {
SSL_SESSION *ret = ssl_session_new(x509_method);
if (ret == NULL) {
goto err;
}
CBS session;
uint64_t version, ssl_version;
if (!CBS_get_asn1(cbs, &session, CBS_ASN1_SEQUENCE) ||
!CBS_get_asn1_uint64(&session, &version) ||
version != kVersion ||
!CBS_get_asn1_uint64(&session, &ssl_version)) {
OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION);
goto err;
}
ret->ssl_version = ssl_version;
CBS cipher;
uint16_t cipher_value;
if (!CBS_get_asn1(&session, &cipher, CBS_ASN1_OCTETSTRING) ||
!CBS_get_u16(&cipher, &cipher_value) ||
CBS_len(&cipher) != 0) {
OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION);
goto err;
}
ret->cipher = SSL_get_cipher_by_value(cipher_value);
if (ret->cipher == NULL) {
OPENSSL_PUT_ERROR(SSL, SSL_R_UNSUPPORTED_CIPHER);
goto err;
}
CBS session_id, master_key;
if (!CBS_get_asn1(&session, &session_id, CBS_ASN1_OCTETSTRING) ||
CBS_len(&session_id) > SSL3_MAX_SSL_SESSION_ID_LENGTH ||
!CBS_get_asn1(&session, &master_key, CBS_ASN1_OCTETSTRING) ||
CBS_len(&master_key) > SSL_MAX_MASTER_KEY_LENGTH) {
OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION);
goto err;
}
OPENSSL_memcpy(ret->session_id, CBS_data(&session_id), CBS_len(&session_id));
ret->session_id_length = CBS_len(&session_id);
OPENSSL_memcpy(ret->master_key, CBS_data(&master_key), CBS_len(&master_key));
ret->master_key_length = CBS_len(&master_key);
CBS child;
uint64_t timeout;
if (!CBS_get_asn1(&session, &child, kTimeTag) ||
!CBS_get_asn1_uint64(&child, &ret->time) ||
!CBS_get_asn1(&session, &child, kTimeoutTag) ||
!CBS_get_asn1_uint64(&child, &timeout) ||
timeout > UINT32_MAX) {
OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION);
goto err;
}
ret->timeout = (uint32_t)timeout;
CBS peer;
int has_peer;
if (!CBS_get_optional_asn1(&session, &peer, &has_peer, kPeerTag) ||
(has_peer && CBS_len(&peer) == 0)) {
OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION);
goto err;
}
/* |peer| is processed with the certificate chain. */
if (!SSL_SESSION_parse_bounded_octet_string(
&session, ret->sid_ctx, &ret->sid_ctx_length, sizeof(ret->sid_ctx),
kSessionIDContextTag) ||
!SSL_SESSION_parse_long(&session, &ret->verify_result, kVerifyResultTag,
X509_V_OK) ||
!SSL_SESSION_parse_string(&session, &ret->tlsext_hostname,
kHostNameTag) ||
!SSL_SESSION_parse_string(&session, &ret->psk_identity,
kPSKIdentityTag) ||
!SSL_SESSION_parse_u32(&session, &ret->tlsext_tick_lifetime_hint,
kTicketLifetimeHintTag, 0) ||
!SSL_SESSION_parse_octet_string(&session, &ret->tlsext_tick,
&ret->tlsext_ticklen, kTicketTag)) {
goto err;
}
if (CBS_peek_asn1_tag(&session, kPeerSHA256Tag)) {
CBS peer_sha256;
if (!CBS_get_asn1(&session, &child, kPeerSHA256Tag) ||
!CBS_get_asn1(&child, &peer_sha256, CBS_ASN1_OCTETSTRING) ||
CBS_len(&peer_sha256) != sizeof(ret->peer_sha256) ||
CBS_len(&child) != 0) {
OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION);
goto err;
}
OPENSSL_memcpy(ret->peer_sha256, CBS_data(&peer_sha256),
sizeof(ret->peer_sha256));
ret->peer_sha256_valid = 1;
} else {
ret->peer_sha256_valid = 0;
}
if (!SSL_SESSION_parse_bounded_octet_string(
&session, ret->original_handshake_hash,
&ret->original_handshake_hash_len,
sizeof(ret->original_handshake_hash), kOriginalHandshakeHashTag) ||
!SSL_SESSION_parse_octet_string(
&session, &ret->tlsext_signed_cert_timestamp_list,
&ret->tlsext_signed_cert_timestamp_list_length,
kSignedCertTimestampListTag) ||
!SSL_SESSION_parse_octet_string(
&session, &ret->ocsp_response, &ret->ocsp_response_length,
kOCSPResponseTag)) {
goto err;
}
int extended_master_secret;
if (!CBS_get_optional_asn1_bool(&session, &extended_master_secret,
kExtendedMasterSecretTag,
0 /* default to false */)) {
OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION);
goto err;
}
ret->extended_master_secret = !!extended_master_secret;
if (!SSL_SESSION_parse_u16(&session, &ret->group_id, kGroupIDTag, 0)) {
OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION);
goto err;
}
CBS cert_chain;
CBS_init(&cert_chain, NULL, 0);
int has_cert_chain;
if (!CBS_get_optional_asn1(&session, &cert_chain, &has_cert_chain,
kCertChainTag) ||
(has_cert_chain && CBS_len(&cert_chain) == 0)) {
OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION);
goto err;
}
if (has_cert_chain && !has_peer) {
OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION);
goto err;
}
if (has_peer || has_cert_chain) {
ret->certs = sk_CRYPTO_BUFFER_new_null();
if (ret->certs == NULL) {
OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
goto err;
}
if (has_peer) {
/* TODO(agl): this should use the |SSL_CTX|'s pool. */
CRYPTO_BUFFER *buffer = CRYPTO_BUFFER_new_from_CBS(&peer, pool);
if (buffer == NULL ||
!sk_CRYPTO_BUFFER_push(ret->certs, buffer)) {
CRYPTO_BUFFER_free(buffer);
OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
goto err;
}
}
while (CBS_len(&cert_chain) > 0) {
CBS cert;
if (!CBS_get_any_asn1_element(&cert_chain, &cert, NULL, NULL) ||
CBS_len(&cert) == 0) {
OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION);
goto err;
}
/* TODO(agl): this should use the |SSL_CTX|'s pool. */
CRYPTO_BUFFER *buffer = CRYPTO_BUFFER_new_from_CBS(&cert, pool);
if (buffer == NULL ||
!sk_CRYPTO_BUFFER_push(ret->certs, buffer)) {
CRYPTO_BUFFER_free(buffer);
OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
goto err;
}
}
}
if (!x509_method->session_cache_objects(ret)) {
OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION);
goto err;
}
CBS age_add;
int age_add_present;
if (!CBS_get_optional_asn1_octet_string(&session, &age_add, &age_add_present,
kTicketAgeAddTag) ||
(age_add_present &&
!CBS_get_u32(&age_add, &ret->ticket_age_add)) ||
CBS_len(&age_add) != 0) {
goto err;
}
ret->ticket_age_add_valid = age_add_present;
int is_server;
if (!CBS_get_optional_asn1_bool(&session, &is_server, kIsServerTag,
1 /* default to true */)) {
OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION);
goto err;
}
/* TODO: in time we can include |is_server| for servers too, then we can
enforce that client and server sessions are never mixed up. */
ret->is_server = is_server;
if (!SSL_SESSION_parse_u16(&session, &ret->peer_signature_algorithm,
kPeerSignatureAlgorithmTag, 0) ||
!SSL_SESSION_parse_u32(&session, &ret->ticket_max_early_data,
kTicketMaxEarlyDataTag, 0) ||
!SSL_SESSION_parse_u32(&session, &ret->auth_timeout, kAuthTimeoutTag,
ret->timeout) ||
!SSL_SESSION_parse_octet_string(&session, &ret->early_alpn,
&ret->early_alpn_len, kEarlyALPNTag) ||
CBS_len(&session) != 0) {
OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION);
goto err;
}
return ret;
err:
SSL_SESSION_free(ret);
return NULL;
}
SSL_SESSION *
d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp, long length)
{
CBS cbs, session, cipher_suite, session_id, master_key, peer_cert;
CBS hostname, ticket;
uint64_t version, tls_version, stime, timeout, verify_result, lifetime;
const unsigned char *peer_cert_bytes;
uint16_t cipher_value;
SSL_SESSION *s = NULL;
size_t data_len;
int present;
if (a != NULL)
s = *a;
if (s == NULL) {
if ((s = SSL_SESSION_new()) == NULL) {
SSLerrorx(ERR_R_MALLOC_FAILURE);
return (NULL);
}
}
CBS_init(&cbs, *pp, length);
if (!CBS_get_asn1(&cbs, &session, CBS_ASN1_SEQUENCE))
goto err;
/* Session ASN1 version. */
if (!CBS_get_asn1_uint64(&session, &version))
goto err;
if (version != SSL_SESSION_ASN1_VERSION)
goto err;
/* TLS/SSL Protocol Version. */
if (!CBS_get_asn1_uint64(&session, &tls_version))
goto err;
if (tls_version > INT_MAX)
goto err;
s->ssl_version = (int)tls_version;
/* Cipher suite. */
if (!CBS_get_asn1(&session, &cipher_suite, CBS_ASN1_OCTETSTRING))
goto err;
if (!CBS_get_u16(&cipher_suite, &cipher_value))
goto err;
if (CBS_len(&cipher_suite) != 0)
goto err;
/* XXX - populate cipher instead? */
s->cipher = NULL;
s->cipher_id = SSL3_CK_ID | cipher_value;
/* Session ID. */
if (!CBS_get_asn1(&session, &session_id, CBS_ASN1_OCTETSTRING))
goto err;
if (!CBS_write_bytes(&session_id, s->session_id, sizeof(s->session_id),
&data_len))
goto err;
if (data_len > UINT_MAX)
goto err;
s->session_id_length = (unsigned int)data_len;
/* Master key. */
if (!CBS_get_asn1(&session, &master_key, CBS_ASN1_OCTETSTRING))
goto err;
if (!CBS_write_bytes(&master_key, s->master_key, sizeof(s->master_key),
&data_len))
goto err;
if (data_len > INT_MAX)
goto err;
s->master_key_length = (int)data_len;
/* Time [1]. */
s->time = time(NULL);
if (!CBS_get_optional_asn1_uint64(&session, &stime, SSLASN1_TIME_TAG,
0))
goto err;
if (stime > time_max())
goto err;
if (stime != 0)
s->time = (time_t)stime;
/* Timeout [2]. */
s->timeout = 3;
if (!CBS_get_optional_asn1_uint64(&session, &timeout,
SSLASN1_TIMEOUT_TAG, 0))
goto err;
if (timeout > LONG_MAX)
goto err;
if (timeout != 0)
s->timeout = (long)timeout;
/* Peer certificate [3]. */
X509_free(s->peer);
s->peer = NULL;
if (!CBS_get_optional_asn1(&session, &peer_cert, &present,
SSLASN1_PEER_CERT_TAG))
goto err;
if (present) {
data_len = CBS_len(&peer_cert);
if (data_len > LONG_MAX)
goto err;
peer_cert_bytes = CBS_data(&peer_cert);
if (d2i_X509(&s->peer, &peer_cert_bytes,
(long)data_len) == NULL)
goto err;
}
/* Session ID context [4]. */
s->sid_ctx_length = 0;
if (!CBS_get_optional_asn1_octet_string(&session, &session_id, &present,
SSLASN1_SESSION_ID_CTX_TAG))
goto err;
if (present) {
if (!CBS_write_bytes(&session_id, (uint8_t *)&s->sid_ctx,
sizeof(s->sid_ctx), &data_len))
goto err;
if (data_len > UINT_MAX)
goto err;
s->sid_ctx_length = (unsigned int)data_len;
}
/* Verify result [5]. */
s->verify_result = X509_V_OK;
if (!CBS_get_optional_asn1_uint64(&session, &verify_result,
SSLASN1_VERIFY_RESULT_TAG, X509_V_OK))
goto err;
if (verify_result > LONG_MAX)
goto err;
s->verify_result = (long)verify_result;
/* Hostname [6]. */
free(s->tlsext_hostname);
s->tlsext_hostname = NULL;
if (!CBS_get_optional_asn1_octet_string(&session, &hostname, &present,
SSLASN1_HOSTNAME_TAG))
goto err;
if (present) {
if (CBS_contains_zero_byte(&hostname))
goto err;
if (!CBS_strdup(&hostname, &s->tlsext_hostname))
goto err;
}
/* PSK identity hint [7]. */
/* PSK identity [8]. */
/* Ticket lifetime [9]. */
s->tlsext_tick_lifetime_hint = 0;
/* XXX - tlsext_ticklen is not yet set... */
if (s->tlsext_ticklen > 0 && s->session_id_length > 0)
s->tlsext_tick_lifetime_hint = -1;
if (!CBS_get_optional_asn1_uint64(&session, &lifetime,
SSLASN1_LIFETIME_TAG, 0))
goto err;
if (lifetime > LONG_MAX)
goto err;
if (lifetime > 0)
s->tlsext_tick_lifetime_hint = (long)lifetime;
/* Ticket [10]. */
free(s->tlsext_tick);
s->tlsext_tick = NULL;
if (!CBS_get_optional_asn1_octet_string(&session, &ticket, &present,
SSLASN1_TICKET_TAG))
goto err;
if (present) {
if (!CBS_stow(&ticket, &s->tlsext_tick, &s->tlsext_ticklen))
goto err;
}
/* Compression method [11]. */
/* SRP username [12]. */
*pp = CBS_data(&cbs);
if (a != NULL)
*a = s;
return (s);
err:
ERR_asprintf_error_data("offset=%d", (int)(CBS_data(&cbs) - *pp));
if (s != NULL && (a == NULL || *a != s))
SSL_SESSION_free(s);
return (NULL);
}
