static int test_cbb_prefixed(void) {
static const uint8_t kExpected[] = {0, 1, 1, 0, 2, 2, 3, 0, 0, 3,
4, 5, 6, 5, 4, 1, 0, 1, 2};
uint8_t *buf;
size_t buf_len;
CBB cbb, contents, inner_contents, inner_inner_contents;
int ok;
if (!CBB_init(&cbb, 0) ||
!CBB_add_u8_length_prefixed(&cbb, &contents) ||
!CBB_add_u8_length_prefixed(&cbb, &contents) ||
!CBB_add_u8(&contents, 1) ||
!CBB_add_u16_length_prefixed(&cbb, &contents) ||
!CBB_add_u16(&contents, 0x203) ||
!CBB_add_u24_length_prefixed(&cbb, &contents) ||
!CBB_add_u24(&contents, 0x40506) ||
!CBB_add_u8_length_prefixed(&cbb, &contents) ||
!CBB_add_u8_length_prefixed(&contents, &inner_contents) ||
!CBB_add_u8(&inner_contents, 1) ||
!CBB_add_u16_length_prefixed(&inner_contents, &inner_inner_contents) ||
!CBB_add_u8(&inner_inner_contents, 2) ||
!CBB_finish(&cbb, &buf, &buf_len)) {
return 0;
}
ok = buf_len == sizeof(kExpected) && memcmp(buf, kExpected, buf_len) == 0;
free(buf);
return ok;
}
int ssl_add_client_CA_list(SSL *ssl, CBB *cbb) {
CBB child, name_cbb;
if (!CBB_add_u16_length_prefixed(cbb, &child)) {
return 0;
}
STACK_OF(CRYPTO_BUFFER) *names = ssl->client_CA;
if (names == NULL) {
names = ssl->ctx->client_CA;
}
if (names == NULL) {
return CBB_flush(cbb);
}
for (size_t i = 0; i < sk_CRYPTO_BUFFER_num(names); i++) {
const CRYPTO_BUFFER *name = sk_CRYPTO_BUFFER_value(names, i);
if (!CBB_add_u16_length_prefixed(&child, &name_cbb) ||
!CBB_add_bytes(&name_cbb, CRYPTO_BUFFER_data(name),
CRYPTO_BUFFER_len(name))) {
return 0;
}
}
return CBB_flush(cbb);
}
static enum ssl_hs_wait_t do_send_new_session_ticket(SSL *ssl,
SSL_HANDSHAKE *hs) {
SSL_SESSION *session = ssl->s3->new_session;
session->tlsext_tick_lifetime_hint = session->timeout;
session->ticket_flags = SSL_TICKET_ALLOW_DHE_RESUMPTION;
if (!RAND_bytes((uint8_t *)&session->ticket_age_add,
sizeof(session->ticket_age_add))) {
return 0;
}
session->ticket_age_add_valid = 1;
CBB cbb, body, ticket;
if (!ssl->method->init_message(ssl, &cbb, &body,
SSL3_MT_NEW_SESSION_TICKET) ||
!CBB_add_u32(&body, session->tlsext_tick_lifetime_hint) ||
!CBB_add_u32(&body, session->ticket_flags) ||
!CBB_add_u32(&body, session->ticket_age_add) ||
!CBB_add_u16(&body, 0 /* no ticket extensions */) ||
!CBB_add_u16_length_prefixed(&body, &ticket) ||
!ssl_encrypt_ticket(ssl, &ticket, session) ||
!ssl->method->finish_message(ssl, &cbb)) {
CBB_cleanup(&cbb);
return ssl_hs_error;
}
hs->session_tickets_sent++;
hs->state = state_flush_new_session_ticket;
return ssl_hs_write_message;
}
enum ssl_private_key_result_t tls13_prepare_certificate_verify(
SSL *ssl, int is_first_run) {
enum ssl_private_key_result_t ret = ssl_private_key_failure;
uint8_t *msg = NULL;
size_t msg_len;
CBB cbb, body;
CBB_zero(&cbb);
uint16_t signature_algorithm;
if (!tls1_choose_signature_algorithm(ssl, &signature_algorithm)) {
goto err;
}
if (!ssl->method->init_message(ssl, &cbb, &body,
SSL3_MT_CERTIFICATE_VERIFY) ||
!CBB_add_u16(&body, signature_algorithm)) {
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
goto err;
}
/* Sign the digest. */
CBB child;
const size_t max_sig_len = ssl_private_key_max_signature_len(ssl);
uint8_t *sig;
size_t sig_len;
if (!CBB_add_u16_length_prefixed(&body, &child) ||
!CBB_reserve(&child, &sig, max_sig_len)) {
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
goto err;
}
enum ssl_private_key_result_t sign_result;
if (is_first_run) {
if (!tls13_get_cert_verify_signature_input(ssl, &msg, &msg_len,
ssl->server)) {
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
goto err;
}
sign_result = ssl_private_key_sign(ssl, sig, &sig_len, max_sig_len,
signature_algorithm, msg, msg_len);
} else {
sign_result = ssl_private_key_complete(ssl, sig, &sig_len, max_sig_len);
}
if (sign_result != ssl_private_key_success) {
ret = sign_result;
goto err;
}
if (!CBB_did_write(&child, sig_len) ||
!ssl->method->finish_message(ssl, &cbb)) {
goto err;
}
ret = ssl_private_key_success;
err:
CBB_cleanup(&cbb);
OPENSSL_free(msg);
return ret;
}
static int test_cbb_misuse(void) {
CBB cbb, child, contents;
uint8_t *buf;
size_t buf_len;
if (!CBB_init(&cbb, 0) ||
!CBB_add_u8_length_prefixed(&cbb, &child) ||
!CBB_add_u8(&child, 1) ||
!CBB_add_u8(&cbb, 2)) {
return 0;
}
/* Since we wrote to |cbb|, |child| is now invalid and attempts to write to
* it should fail. */
if (CBB_add_u8(&child, 1) ||
CBB_add_u16(&child, 1) ||
CBB_add_u24(&child, 1) ||
CBB_add_u8_length_prefixed(&child, &contents) ||
CBB_add_u16_length_prefixed(&child, &contents) ||
CBB_add_asn1(&child, &contents, 1) ||
CBB_add_bytes(&child, (const uint8_t*) "a", 1)) {
fprintf(stderr, "CBB operation on invalid CBB did not fail.\n");
return 0;
}
if (!CBB_finish(&cbb, &buf, &buf_len) ||
buf_len != 3 ||
memcmp(buf, "\x01\x01\x02", 3) != 0) {
return 0;
}
free(buf);
return 1;
}
static enum ssl_hs_wait_t do_send_certificate_request(SSL *ssl,
SSL_HANDSHAKE *hs) {
/* Determine whether to request a client certificate. */
ssl->s3->tmp.cert_request = !!(ssl->verify_mode & SSL_VERIFY_PEER);
/* CertificateRequest may only be sent in certificate-based ciphers. */
if (!ssl_cipher_uses_certificate_auth(ssl->s3->tmp.new_cipher)) {
ssl->s3->tmp.cert_request = 0;
}
if (!ssl->s3->tmp.cert_request) {
/* Skip this state. */
hs->state = state_send_server_certificate;
return ssl_hs_ok;
}
CBB cbb, body, sigalgs_cbb;
if (!ssl->method->init_message(ssl, &cbb, &body,
SSL3_MT_CERTIFICATE_REQUEST) ||
!CBB_add_u8(&body, 0 /* no certificate_request_context. */)) {
goto err;
}
const uint16_t *sigalgs;
size_t sigalgs_len = tls12_get_psigalgs(ssl, &sigalgs);
if (!CBB_add_u16_length_prefixed(&body, &sigalgs_cbb)) {
goto err;
}
for (size_t i = 0; i < sigalgs_len; i++) {
if (!CBB_add_u16(&sigalgs_cbb, sigalgs[i])) {
goto err;
}
}
if (!ssl_add_client_CA_list(ssl, &body) ||
!CBB_add_u16(&body, 0 /* empty certificate_extensions. */) ||
!ssl->method->finish_message(ssl, &cbb)) {
goto err;
}
hs->state = state_send_server_certificate;
return ssl_hs_write_message;
err:
CBB_cleanup(&cbb);
return ssl_hs_error;
}
static enum ssl_hs_wait_t do_send_server_hello(SSL *ssl, SSL_HANDSHAKE *hs) {
CBB cbb, body, extensions;
if (!ssl->method->init_message(ssl, &cbb, &body, SSL3_MT_SERVER_HELLO) ||
!CBB_add_u16(&body, ssl->version) ||
!RAND_bytes(ssl->s3->server_random, sizeof(ssl->s3->server_random)) ||
!CBB_add_bytes(&body, ssl->s3->server_random, SSL3_RANDOM_SIZE) ||
!CBB_add_u16(&body, ssl_cipher_get_value(ssl->s3->tmp.new_cipher)) ||
!CBB_add_u16_length_prefixed(&body, &extensions) ||
!ssl_ext_key_share_add_serverhello(ssl, &extensions) ||
!ssl->method->finish_message(ssl, &cbb)) {
CBB_cleanup(&cbb);
return ssl_hs_error;
}
hs->state = state_send_encrypted_extensions;
return ssl_hs_write_message;
}
static enum ssl_hs_wait_t do_send_hello_retry_request(SSL *ssl,
SSL_HANDSHAKE *hs) {
CBB cbb, body, extensions;
uint16_t group_id;
if (!ssl->method->init_message(ssl, &cbb, &body,
SSL3_MT_HELLO_RETRY_REQUEST) ||
!CBB_add_u16(&body, ssl->version) ||
!CBB_add_u16(&body, ssl_cipher_get_value(ssl->s3->tmp.new_cipher)) ||
!tls1_get_shared_group(ssl, &group_id) ||
!CBB_add_u16(&body, group_id) ||
!CBB_add_u16_length_prefixed(&body, &extensions) ||
!ssl->method->finish_message(ssl, &cbb)) {
CBB_cleanup(&cbb);
return ssl_hs_error;
}
hs->state = state_flush_hello_retry_request;
return ssl_hs_write_message;
}
static enum ssl_hs_wait_t do_send_hello_retry_request(SSL_HANDSHAKE *hs) {
SSL *const ssl = hs->ssl;
CBB cbb, body, extensions;
uint16_t group_id;
if (!ssl->method->init_message(ssl, &cbb, &body,
SSL3_MT_HELLO_RETRY_REQUEST) ||
!CBB_add_u16(&body, ssl->version) ||
!tls1_get_shared_group(hs, &group_id) ||
!CBB_add_u16_length_prefixed(&body, &extensions) ||
!CBB_add_u16(&extensions, TLSEXT_TYPE_key_share) ||
!CBB_add_u16(&extensions, 2 /* length */) ||
!CBB_add_u16(&extensions, group_id) ||
!ssl_add_message_cbb(ssl, &cbb)) {
CBB_cleanup(&cbb);
return ssl_hs_error;
}
hs->tls13_state = state_process_second_client_hello;
return ssl_hs_flush_and_read_message;
}
int tls13_prepare_certificate(SSL_HANDSHAKE *hs) {
SSL *const ssl = hs->ssl;
CBB cbb, body, certificate_list;
if (!ssl->method->init_message(ssl, &cbb, &body, SSL3_MT_CERTIFICATE) ||
/* The request context is always empty in the handshake. */
!CBB_add_u8(&body, 0) ||
!CBB_add_u24_length_prefixed(&body, &certificate_list)) {
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
goto err;
}
if (!ssl_has_certificate(ssl)) {
if (!ssl_complete_message(ssl, &cbb)) {
goto err;
}
return 1;
}
CERT *cert = ssl->cert;
CBB leaf, extensions;
if (!CBB_add_u24_length_prefixed(&certificate_list, &leaf) ||
!ssl_add_cert_to_cbb(&leaf, cert->x509_leaf) ||
!CBB_add_u16_length_prefixed(&certificate_list, &extensions)) {
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
goto err;
}
if (hs->scts_requested &&
ssl->ctx->signed_cert_timestamp_list_length != 0) {
CBB contents;
if (!CBB_add_u16(&extensions, TLSEXT_TYPE_certificate_timestamp) ||
!CBB_add_u16_length_prefixed(&extensions, &contents) ||
!CBB_add_bytes(&contents, ssl->ctx->signed_cert_timestamp_list,
ssl->ctx->signed_cert_timestamp_list_length) ||
!CBB_flush(&extensions)) {
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
goto err;
}
}
if (hs->ocsp_stapling_requested &&
ssl->ocsp_response != NULL) {
CBB contents, ocsp_response;
if (!CBB_add_u16(&extensions, TLSEXT_TYPE_status_request) ||
!CBB_add_u16_length_prefixed(&extensions, &contents) ||
!CBB_add_u8(&contents, TLSEXT_STATUSTYPE_ocsp) ||
!CBB_add_u24_length_prefixed(&contents, &ocsp_response) ||
!CBB_add_bytes(&ocsp_response, CRYPTO_BUFFER_data(ssl->ocsp_response),
CRYPTO_BUFFER_len(ssl->ocsp_response)) ||
!CBB_flush(&extensions)) {
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
goto err;
}
}
for (size_t i = 0; i < sk_X509_num(cert->x509_chain); i++) {
CBB child;
if (!CBB_add_u24_length_prefixed(&certificate_list, &child) ||
!ssl_add_cert_to_cbb(&child, sk_X509_value(cert->x509_chain, i)) ||
!CBB_add_u16(&certificate_list, 0 /* no extensions */)) {
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
goto err;
}
}
if (!ssl_complete_message(ssl, &cbb)) {
goto err;
}
return 1;
err:
CBB_cleanup(&cbb);
return 0;
}
static enum ssl_hs_wait_t do_send_new_session_ticket(SSL_HANDSHAKE *hs) {
/* TLS 1.3 recommends single-use tickets, so issue multiple tickets in case the
* client makes several connections before getting a renewal. */
static const int kNumTickets = 2;
SSL *const ssl = hs->ssl;
/* If the client doesn't accept resumption with PSK_DHE_KE, don't send a
* session ticket. */
if (!hs->accept_psk_mode) {
hs->tls13_state = state_done;
return ssl_hs_ok;
}
SSL_SESSION *session = ssl->s3->new_session;
CBB cbb;
CBB_zero(&cbb);
for (int i = 0; i < kNumTickets; i++) {
if (!RAND_bytes((uint8_t *)&session->ticket_age_add, 4)) {
goto err;
}
CBB body, ticket, extensions;
if (!ssl->method->init_message(ssl, &cbb, &body,
SSL3_MT_NEW_SESSION_TICKET) ||
!CBB_add_u32(&body, session->timeout) ||
!CBB_add_u32(&body, session->ticket_age_add) ||
!CBB_add_u16_length_prefixed(&body, &ticket) ||
!ssl_encrypt_ticket(ssl, &ticket, session) ||
!CBB_add_u16_length_prefixed(&body, &extensions)) {
goto err;
}
if (ssl->ctx->enable_early_data) {
session->ticket_max_early_data = kMaxEarlyDataAccepted;
CBB early_data_info;
if (!CBB_add_u16(&extensions, TLSEXT_TYPE_ticket_early_data_info) ||
!CBB_add_u16_length_prefixed(&extensions, &early_data_info) ||
!CBB_add_u32(&early_data_info, session->ticket_max_early_data) ||
!CBB_flush(&extensions)) {
goto err;
}
}
/* Add a fake extension. See draft-davidben-tls-grease-01. */
if (!CBB_add_u16(&extensions,
ssl_get_grease_value(ssl, ssl_grease_ticket_extension)) ||
!CBB_add_u16(&extensions, 0 /* empty */)) {
goto err;
}
if (!ssl_add_message_cbb(ssl, &cbb)) {
goto err;
}
}
hs->session_tickets_sent++;
hs->tls13_state = state_done;
return ssl_hs_flush;
err:
CBB_cleanup(&cbb);
return ssl_hs_error;
}
static enum ssl_hs_wait_t do_send_server_hello(SSL_HANDSHAKE *hs) {
SSL *const ssl = hs->ssl;
/* Send a ServerHello. */
CBB cbb, body, extensions;
if (!ssl->method->init_message(ssl, &cbb, &body, SSL3_MT_SERVER_HELLO) ||
!CBB_add_u16(&body, ssl->version) ||
!RAND_bytes(ssl->s3->server_random, sizeof(ssl->s3->server_random)) ||
!CBB_add_bytes(&body, ssl->s3->server_random, SSL3_RANDOM_SIZE) ||
!CBB_add_u16(&body, ssl_cipher_get_value(ssl->s3->tmp.new_cipher)) ||
!CBB_add_u16_length_prefixed(&body, &extensions) ||
!ssl_ext_pre_shared_key_add_serverhello(hs, &extensions) ||
!ssl_ext_key_share_add_serverhello(hs, &extensions)) {
goto err;
}
if (ssl->s3->short_header) {
if (!CBB_add_u16(&extensions, TLSEXT_TYPE_short_header) ||
!CBB_add_u16(&extensions, 0 /* empty extension */)) {
goto err;
}
}
if (!ssl_add_message_cbb(ssl, &cbb)) {
goto err;
}
/* Derive and enable the handshake traffic secrets. */
if (!tls13_derive_handshake_secrets(hs) ||
!tls13_set_traffic_key(ssl, evp_aead_open, hs->client_handshake_secret,
hs->hash_len) ||
!tls13_set_traffic_key(ssl, evp_aead_seal, hs->server_handshake_secret,
hs->hash_len)) {
goto err;
}
/* Send EncryptedExtensions. */
if (!ssl->method->init_message(ssl, &cbb, &body,
SSL3_MT_ENCRYPTED_EXTENSIONS) ||
!ssl_add_serverhello_tlsext(hs, &body) ||
!ssl_add_message_cbb(ssl, &cbb)) {
goto err;
}
/* Determine whether to request a client certificate. */
hs->cert_request = !!(ssl->verify_mode & SSL_VERIFY_PEER);
/* CertificateRequest may only be sent in non-resumption handshakes. */
if (ssl->s3->session_reused) {
hs->cert_request = 0;
}
/* Send a CertificateRequest, if necessary. */
if (hs->cert_request) {
CBB sigalgs_cbb;
if (!ssl->method->init_message(ssl, &cbb, &body,
SSL3_MT_CERTIFICATE_REQUEST) ||
!CBB_add_u8(&body, 0 /* no certificate_request_context. */)) {
goto err;
}
const uint16_t *sigalgs;
size_t num_sigalgs = tls12_get_verify_sigalgs(ssl, &sigalgs);
if (!CBB_add_u16_length_prefixed(&body, &sigalgs_cbb)) {
goto err;
}
for (size_t i = 0; i < num_sigalgs; i++) {
if (!CBB_add_u16(&sigalgs_cbb, sigalgs[i])) {
goto err;
}
}
if (!ssl_add_client_CA_list(ssl, &body) ||
!CBB_add_u16(&body, 0 /* empty certificate_extensions. */) ||
!ssl_add_message_cbb(ssl, &cbb)) {
goto err;
}
}
/* Send the server Certificate message, if necessary. */
if (!ssl->s3->session_reused) {
if (!ssl_has_certificate(ssl)) {
OPENSSL_PUT_ERROR(SSL, SSL_R_NO_CERTIFICATE_SET);
goto err;
}
if (!tls13_add_certificate(hs)) {
goto err;
}
hs->tls13_state = state_send_server_certificate_verify;
return ssl_hs_ok;
}
hs->tls13_state = state_send_server_finished;
return ssl_hs_ok;
err:
CBB_cleanup(&cbb);
return ssl_hs_error;
}
static int add_new_session_tickets(SSL_HANDSHAKE *hs) {
SSL *const ssl = hs->ssl;
/* TLS 1.3 recommends single-use tickets, so issue multiple tickets in case
* the client makes several connections before getting a renewal. */
static const int kNumTickets = 2;
SSL_SESSION *session = hs->new_session;
CBB cbb;
CBB_zero(&cbb);
/* Rebase the session timestamp so that it is measured from ticket
* issuance. */
ssl_session_rebase_time(ssl, session);
for (int i = 0; i < kNumTickets; i++) {
if (!RAND_bytes((uint8_t *)&session->ticket_age_add, 4)) {
goto err;
}
session->ticket_age_add_valid = 1;
CBB body, ticket, extensions;
if (!ssl->method->init_message(ssl, &cbb, &body,
SSL3_MT_NEW_SESSION_TICKET) ||
!CBB_add_u32(&body, session->timeout) ||
!CBB_add_u32(&body, session->ticket_age_add) ||
!CBB_add_u16_length_prefixed(&body, &ticket) ||
!ssl_encrypt_ticket(ssl, &ticket, session) ||
!CBB_add_u16_length_prefixed(&body, &extensions)) {
goto err;
}
if (ssl->cert->enable_early_data) {
session->ticket_max_early_data = kMaxEarlyDataAccepted;
CBB early_data_info;
if (!CBB_add_u16(&extensions, TLSEXT_TYPE_ticket_early_data_info) ||
!CBB_add_u16_length_prefixed(&extensions, &early_data_info) ||
!CBB_add_u32(&early_data_info, session->ticket_max_early_data) ||
!CBB_flush(&extensions)) {
goto err;
}
}
/* Add a fake extension. See draft-davidben-tls-grease-01. */
if (!CBB_add_u16(&extensions,
ssl_get_grease_value(ssl, ssl_grease_ticket_extension)) ||
!CBB_add_u16(&extensions, 0 /* empty */)) {
goto err;
}
if (!ssl_add_message_cbb(ssl, &cbb)) {
goto err;
}
}
return 1;
err:
CBB_cleanup(&cbb);
return 0;
}