• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
2  * All rights reserved.
3  *
4  * This package is an SSL implementation written
5  * by Eric Young (eay@cryptsoft.com).
6  * The implementation was written so as to conform with Netscapes SSL.
7  *
8  * This library is free for commercial and non-commercial use as long as
9  * the following conditions are aheared to.  The following conditions
10  * apply to all code found in this distribution, be it the RC4, RSA,
11  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
12  * included with this distribution is covered by the same copyright terms
13  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
14  *
15  * Copyright remains Eric Young's, and as such any Copyright notices in
16  * the code are not to be removed.
17  * If this package is used in a product, Eric Young should be given attribution
18  * as the author of the parts of the library used.
19  * This can be in the form of a textual message at program startup or
20  * in documentation (online or textual) provided with the package.
21  *
22  * Redistribution and use in source and binary forms, with or without
23  * modification, are permitted provided that the following conditions
24  * are met:
25  * 1. Redistributions of source code must retain the copyright
26  *    notice, this list of conditions and the following disclaimer.
27  * 2. Redistributions in binary form must reproduce the above copyright
28  *    notice, this list of conditions and the following disclaimer in the
29  *    documentation and/or other materials provided with the distribution.
30  * 3. All advertising materials mentioning features or use of this software
31  *    must display the following acknowledgement:
32  *    "This product includes cryptographic software written by
33  *     Eric Young (eay@cryptsoft.com)"
34  *    The word 'cryptographic' can be left out if the rouines from the library
35  *    being used are not cryptographic related :-).
36  * 4. If you include any Windows specific code (or a derivative thereof) from
37  *    the apps directory (application code) you must include an acknowledgement:
38  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
39  *
40  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
41  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
43  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
44  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
45  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
46  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
48  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
49  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
50  * SUCH DAMAGE.
51  *
52  * The licence and distribution terms for any publically available version or
53  * derivative of this code cannot be changed.  i.e. this code cannot simply be
54  * copied and put under another distribution licence
55  * [including the GNU Public Licence.]
56  */
57 /* ====================================================================
58  * Copyright 2005 Nokia. All rights reserved.
59  *
60  * The portions of the attached software ("Contribution") is developed by
61  * Nokia Corporation and is licensed pursuant to the OpenSSL open source
62  * license.
63  *
64  * The Contribution, originally written by Mika Kousa and Pasi Eronen of
65  * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
66  * support (see RFC 4279) to OpenSSL.
67  *
68  * No patent licenses or other rights except those expressly stated in
69  * the OpenSSL open source license shall be deemed granted or received
70  * expressly, by implication, estoppel, or otherwise.
71  *
72  * No assurances are provided by Nokia that the Contribution does not
73  * infringe the patent or other intellectual property rights of any third
74  * party or that the license provides you with all the necessary rights
75  * to make use of the Contribution.
76  *
77  * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
78  * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
79  * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
80  * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
81  * OTHERWISE. */
82 
83 #include <openssl/ssl.h>
84 
85 #include <limits.h>
86 #include <string.h>
87 
88 #include <utility>
89 
90 #include <openssl/buf.h>
91 #include <openssl/bytestring.h>
92 #include <openssl/err.h>
93 #include <openssl/mem.h>
94 #include <openssl/x509.h>
95 
96 #include "../crypto/internal.h"
97 #include "internal.h"
98 
99 
100 BSSL_NAMESPACE_BEGIN
101 
102 // An SSL_SESSION is serialized as the following ASN.1 structure:
103 //
104 // SSLSession ::= SEQUENCE {
105 //     version                     INTEGER (1),  -- session structure version
106 //     sslVersion                  INTEGER,      -- protocol version number
107 //     cipher                      OCTET STRING, -- two bytes long
108 //     sessionID                   OCTET STRING,
109 //     masterKey                   OCTET STRING,
110 //     time                    [1] INTEGER, -- seconds since UNIX epoch
111 //     timeout                 [2] INTEGER, -- in seconds
112 //     peer                    [3] Certificate OPTIONAL,
113 //     sessionIDContext        [4] OCTET STRING OPTIONAL,
114 //     verifyResult            [5] INTEGER OPTIONAL,  -- one of X509_V_* codes
115 //     pskIdentity             [8] OCTET STRING OPTIONAL,
116 //     ticketLifetimeHint      [9] INTEGER OPTIONAL,       -- client-only
117 //     ticket                  [10] OCTET STRING OPTIONAL, -- client-only
118 //     peerSHA256              [13] OCTET STRING OPTIONAL,
119 //     originalHandshakeHash   [14] OCTET STRING OPTIONAL,
120 //     signedCertTimestampList [15] OCTET STRING OPTIONAL,
121 //                                  -- contents of SCT extension
122 //     ocspResponse            [16] OCTET STRING OPTIONAL,
123 //                                  -- stapled OCSP response from the server
124 //     extendedMasterSecret    [17] BOOLEAN OPTIONAL,
125 //     groupID                 [18] INTEGER OPTIONAL,
126 //     certChain               [19] SEQUENCE OF Certificate OPTIONAL,
127 //     ticketAgeAdd            [21] OCTET STRING OPTIONAL,
128 //     isServer                [22] BOOLEAN DEFAULT TRUE,
129 //     peerSignatureAlgorithm  [23] INTEGER OPTIONAL,
130 //     ticketMaxEarlyData      [24] INTEGER OPTIONAL,
131 //     authTimeout             [25] INTEGER OPTIONAL, -- defaults to timeout
132 //     earlyALPN               [26] OCTET STRING OPTIONAL,
133 // }
134 //
135 // Note: historically this serialization has included other optional
136 // fields. Their presence is currently treated as a parse error, except for
137 // hostName, which is ignored.
138 //
139 //     keyArg                  [0] IMPLICIT OCTET STRING OPTIONAL,
140 //     hostName                [6] OCTET STRING OPTIONAL,
141 //     pskIdentityHint         [7] OCTET STRING OPTIONAL,
142 //     compressionMethod       [11] OCTET STRING OPTIONAL,
143 //     srpUsername             [12] OCTET STRING OPTIONAL,
144 //     ticketFlags             [20] INTEGER OPTIONAL,
145 
146 static const unsigned kVersion = 1;
147 
148 static const unsigned kTimeTag =
149     CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 1;
150 static const unsigned kTimeoutTag =
151     CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 2;
152 static const unsigned kPeerTag =
153     CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 3;
154 static const unsigned kSessionIDContextTag =
155     CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 4;
156 static const unsigned kVerifyResultTag =
157     CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 5;
158 static const unsigned kHostNameTag =
159     CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 6;
160 static const unsigned kPSKIdentityTag =
161     CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 8;
162 static const unsigned kTicketLifetimeHintTag =
163     CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 9;
164 static const unsigned kTicketTag =
165     CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 10;
166 static const unsigned kPeerSHA256Tag =
167     CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 13;
168 static const unsigned kOriginalHandshakeHashTag =
169     CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 14;
170 static const unsigned kSignedCertTimestampListTag =
171     CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 15;
172 static const unsigned kOCSPResponseTag =
173     CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 16;
174 static const unsigned kExtendedMasterSecretTag =
175     CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 17;
176 static const unsigned kGroupIDTag =
177     CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 18;
178 static const unsigned kCertChainTag =
179     CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 19;
180 static const unsigned kTicketAgeAddTag =
181     CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 21;
182 static const unsigned kIsServerTag =
183     CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 22;
184 static const unsigned kPeerSignatureAlgorithmTag =
185     CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 23;
186 static const unsigned kTicketMaxEarlyDataTag =
187     CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 24;
188 static const unsigned kAuthTimeoutTag =
189     CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 25;
190 static const unsigned kEarlyALPNTag =
191     CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 26;
192 
SSL_SESSION_to_bytes_full(const SSL_SESSION * in,CBB * cbb,int for_ticket)193 static int SSL_SESSION_to_bytes_full(const SSL_SESSION *in, CBB *cbb,
194                                      int for_ticket) {
195   if (in == NULL || in->cipher == NULL) {
196     return 0;
197   }
198 
199   CBB session, child, child2;
200   if (!CBB_add_asn1(cbb, &session, CBS_ASN1_SEQUENCE) ||
201       !CBB_add_asn1_uint64(&session, kVersion) ||
202       !CBB_add_asn1_uint64(&session, in->ssl_version) ||
203       !CBB_add_asn1(&session, &child, CBS_ASN1_OCTETSTRING) ||
204       !CBB_add_u16(&child, (uint16_t)(in->cipher->id & 0xffff)) ||
205       // The session ID is irrelevant for a session ticket.
206       !CBB_add_asn1_octet_string(&session, in->session_id,
207                                  for_ticket ? 0 : in->session_id_length) ||
208       !CBB_add_asn1_octet_string(&session, in->master_key,
209                                  in->master_key_length) ||
210       !CBB_add_asn1(&session, &child, kTimeTag) ||
211       !CBB_add_asn1_uint64(&child, in->time) ||
212       !CBB_add_asn1(&session, &child, kTimeoutTag) ||
213       !CBB_add_asn1_uint64(&child, in->timeout)) {
214     OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
215     return 0;
216   }
217 
218   // The peer certificate is only serialized if the SHA-256 isn't
219   // serialized instead.
220   if (sk_CRYPTO_BUFFER_num(in->certs.get()) > 0 && !in->peer_sha256_valid) {
221     const CRYPTO_BUFFER *buffer = sk_CRYPTO_BUFFER_value(in->certs.get(), 0);
222     if (!CBB_add_asn1(&session, &child, kPeerTag) ||
223         !CBB_add_bytes(&child, CRYPTO_BUFFER_data(buffer),
224                        CRYPTO_BUFFER_len(buffer))) {
225       OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
226       return 0;
227     }
228   }
229 
230   // Although it is OPTIONAL and usually empty, OpenSSL has
231   // historically always encoded the sid_ctx.
232   if (!CBB_add_asn1(&session, &child, kSessionIDContextTag) ||
233       !CBB_add_asn1_octet_string(&child, in->sid_ctx, in->sid_ctx_length)) {
234     OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
235     return 0;
236   }
237 
238   if (in->verify_result != X509_V_OK) {
239     if (!CBB_add_asn1(&session, &child, kVerifyResultTag) ||
240         !CBB_add_asn1_uint64(&child, in->verify_result)) {
241       OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
242       return 0;
243     }
244   }
245 
246   if (in->psk_identity) {
247     if (!CBB_add_asn1(&session, &child, kPSKIdentityTag) ||
248         !CBB_add_asn1_octet_string(&child,
249                                    (const uint8_t *)in->psk_identity.get(),
250                                    strlen(in->psk_identity.get()))) {
251       OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
252       return 0;
253     }
254   }
255 
256   if (in->ticket_lifetime_hint > 0) {
257     if (!CBB_add_asn1(&session, &child, kTicketLifetimeHintTag) ||
258         !CBB_add_asn1_uint64(&child, in->ticket_lifetime_hint)) {
259       OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
260       return 0;
261     }
262   }
263 
264   if (!in->ticket.empty() && !for_ticket) {
265     if (!CBB_add_asn1(&session, &child, kTicketTag) ||
266         !CBB_add_asn1_octet_string(&child, in->ticket.data(),
267                                    in->ticket.size())) {
268       OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
269       return 0;
270     }
271   }
272 
273   if (in->peer_sha256_valid) {
274     if (!CBB_add_asn1(&session, &child, kPeerSHA256Tag) ||
275         !CBB_add_asn1_octet_string(&child, in->peer_sha256,
276                                    sizeof(in->peer_sha256))) {
277       OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
278       return 0;
279     }
280   }
281 
282   if (in->original_handshake_hash_len > 0) {
283     if (!CBB_add_asn1(&session, &child, kOriginalHandshakeHashTag) ||
284         !CBB_add_asn1_octet_string(&child, in->original_handshake_hash,
285                                    in->original_handshake_hash_len)) {
286       OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
287       return 0;
288     }
289   }
290 
291   if (in->signed_cert_timestamp_list != nullptr) {
292     if (!CBB_add_asn1(&session, &child, kSignedCertTimestampListTag) ||
293         !CBB_add_asn1_octet_string(
294             &child, CRYPTO_BUFFER_data(in->signed_cert_timestamp_list.get()),
295             CRYPTO_BUFFER_len(in->signed_cert_timestamp_list.get()))) {
296       OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
297       return 0;
298     }
299   }
300 
301   if (in->ocsp_response != nullptr) {
302     if (!CBB_add_asn1(&session, &child, kOCSPResponseTag) ||
303         !CBB_add_asn1_octet_string(
304             &child, CRYPTO_BUFFER_data(in->ocsp_response.get()),
305             CRYPTO_BUFFER_len(in->ocsp_response.get()))) {
306       OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
307       return 0;
308     }
309   }
310 
311   if (in->extended_master_secret) {
312     if (!CBB_add_asn1(&session, &child, kExtendedMasterSecretTag) ||
313         !CBB_add_asn1_bool(&child, true)) {
314       OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
315       return 0;
316     }
317   }
318 
319   if (in->group_id > 0 &&
320       (!CBB_add_asn1(&session, &child, kGroupIDTag) ||
321        !CBB_add_asn1_uint64(&child, in->group_id))) {
322     OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
323     return 0;
324   }
325 
326   // The certificate chain is only serialized if the leaf's SHA-256 isn't
327   // serialized instead.
328   if (in->certs != NULL &&
329       !in->peer_sha256_valid &&
330       sk_CRYPTO_BUFFER_num(in->certs.get()) >= 2) {
331     if (!CBB_add_asn1(&session, &child, kCertChainTag)) {
332       OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
333       return 0;
334     }
335     for (size_t i = 1; i < sk_CRYPTO_BUFFER_num(in->certs.get()); i++) {
336       const CRYPTO_BUFFER *buffer = sk_CRYPTO_BUFFER_value(in->certs.get(), i);
337       if (!CBB_add_bytes(&child, CRYPTO_BUFFER_data(buffer),
338                          CRYPTO_BUFFER_len(buffer))) {
339         OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
340         return 0;
341       }
342     }
343   }
344 
345   if (in->ticket_age_add_valid) {
346     if (!CBB_add_asn1(&session, &child, kTicketAgeAddTag) ||
347         !CBB_add_asn1(&child, &child2, CBS_ASN1_OCTETSTRING) ||
348         !CBB_add_u32(&child2, in->ticket_age_add)) {
349       OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
350       return 0;
351     }
352   }
353 
354   if (!in->is_server) {
355     if (!CBB_add_asn1(&session, &child, kIsServerTag) ||
356         !CBB_add_asn1_bool(&child, false)) {
357       OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
358       return 0;
359     }
360   }
361 
362   if (in->peer_signature_algorithm != 0 &&
363       (!CBB_add_asn1(&session, &child, kPeerSignatureAlgorithmTag) ||
364        !CBB_add_asn1_uint64(&child, in->peer_signature_algorithm))) {
365     OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
366     return 0;
367   }
368 
369   if (in->ticket_max_early_data != 0 &&
370       (!CBB_add_asn1(&session, &child, kTicketMaxEarlyDataTag) ||
371        !CBB_add_asn1_uint64(&child, in->ticket_max_early_data))) {
372     OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
373     return 0;
374   }
375 
376   if (in->timeout != in->auth_timeout &&
377       (!CBB_add_asn1(&session, &child, kAuthTimeoutTag) ||
378        !CBB_add_asn1_uint64(&child, in->auth_timeout))) {
379     OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
380     return 0;
381   }
382 
383   if (!in->early_alpn.empty()) {
384     if (!CBB_add_asn1(&session, &child, kEarlyALPNTag) ||
385         !CBB_add_asn1_octet_string(&child, in->early_alpn.data(),
386                                    in->early_alpn.size())) {
387       OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
388       return 0;
389     }
390   }
391 
392   return CBB_flush(cbb);
393 }
394 
395 // SSL_SESSION_parse_string gets an optional ASN.1 OCTET STRING explicitly
396 // tagged with |tag| from |cbs| and saves it in |*out|. If the element was not
397 // found, it sets |*out| to NULL. It returns one on success, whether or not the
398 // element was found, and zero on decode error.
SSL_SESSION_parse_string(CBS * cbs,UniquePtr<char> * out,unsigned tag)399 static int SSL_SESSION_parse_string(CBS *cbs, UniquePtr<char> *out, unsigned tag) {
400   CBS value;
401   int present;
402   if (!CBS_get_optional_asn1_octet_string(cbs, &value, &present, tag)) {
403     OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION);
404     return 0;
405   }
406   if (present) {
407     if (CBS_contains_zero_byte(&value)) {
408       OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION);
409       return 0;
410     }
411     char *raw = nullptr;
412     if (!CBS_strdup(&value, &raw)) {
413       OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
414       return 0;
415     }
416     out->reset(raw);
417   } else {
418     out->reset();
419   }
420   return 1;
421 }
422 
423 // SSL_SESSION_parse_octet_string gets an optional ASN.1 OCTET STRING explicitly
424 // tagged with |tag| from |cbs| and stows it in |*out|. It returns one on
425 // success, whether or not the element was found, and zero on decode error.
SSL_SESSION_parse_octet_string(CBS * cbs,Array<uint8_t> * out,unsigned tag)426 static bool SSL_SESSION_parse_octet_string(CBS *cbs, Array<uint8_t> *out,
427                                            unsigned tag) {
428   CBS value;
429   if (!CBS_get_optional_asn1_octet_string(cbs, &value, NULL, tag)) {
430     OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION);
431     return false;
432   }
433   return out->CopyFrom(value);
434 }
435 
SSL_SESSION_parse_crypto_buffer(CBS * cbs,UniquePtr<CRYPTO_BUFFER> * out,unsigned tag,CRYPTO_BUFFER_POOL * pool)436 static int SSL_SESSION_parse_crypto_buffer(CBS *cbs,
437                                            UniquePtr<CRYPTO_BUFFER> *out,
438                                            unsigned tag,
439                                            CRYPTO_BUFFER_POOL *pool) {
440   if (!CBS_peek_asn1_tag(cbs, tag)) {
441     return 1;
442   }
443 
444   CBS child, value;
445   if (!CBS_get_asn1(cbs, &child, tag) ||
446       !CBS_get_asn1(&child, &value, CBS_ASN1_OCTETSTRING) ||
447       CBS_len(&child) != 0) {
448     OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION);
449     return 0;
450   }
451   out->reset(CRYPTO_BUFFER_new_from_CBS(&value, pool));
452   if (*out == nullptr) {
453     OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
454     return 0;
455   }
456   return 1;
457 }
458 
459 // SSL_SESSION_parse_bounded_octet_string parses an optional ASN.1 OCTET STRING
460 // explicitly tagged with |tag| of size at most |max_out|.
SSL_SESSION_parse_bounded_octet_string(CBS * cbs,uint8_t * out,uint8_t * out_len,uint8_t max_out,unsigned tag)461 static int SSL_SESSION_parse_bounded_octet_string(
462     CBS *cbs, uint8_t *out, uint8_t *out_len, uint8_t max_out, unsigned tag) {
463   CBS value;
464   if (!CBS_get_optional_asn1_octet_string(cbs, &value, NULL, tag) ||
465       CBS_len(&value) > max_out) {
466     OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION);
467     return 0;
468   }
469   OPENSSL_memcpy(out, CBS_data(&value), CBS_len(&value));
470   *out_len = (uint8_t)CBS_len(&value);
471   return 1;
472 }
473 
SSL_SESSION_parse_long(CBS * cbs,long * out,unsigned tag,long default_value)474 static int SSL_SESSION_parse_long(CBS *cbs, long *out, unsigned tag,
475                                   long default_value) {
476   uint64_t value;
477   if (!CBS_get_optional_asn1_uint64(cbs, &value, tag,
478                                     (uint64_t)default_value) ||
479       value > LONG_MAX) {
480     OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION);
481     return 0;
482   }
483   *out = (long)value;
484   return 1;
485 }
486 
SSL_SESSION_parse_u32(CBS * cbs,uint32_t * out,unsigned tag,uint32_t default_value)487 static int SSL_SESSION_parse_u32(CBS *cbs, uint32_t *out, unsigned tag,
488                                  uint32_t default_value) {
489   uint64_t value;
490   if (!CBS_get_optional_asn1_uint64(cbs, &value, tag,
491                                     (uint64_t)default_value) ||
492       value > 0xffffffff) {
493     OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION);
494     return 0;
495   }
496   *out = (uint32_t)value;
497   return 1;
498 }
499 
SSL_SESSION_parse_u16(CBS * cbs,uint16_t * out,unsigned tag,uint16_t default_value)500 static int SSL_SESSION_parse_u16(CBS *cbs, uint16_t *out, unsigned tag,
501                                  uint16_t default_value) {
502   uint64_t value;
503   if (!CBS_get_optional_asn1_uint64(cbs, &value, tag,
504                                     (uint64_t)default_value) ||
505       value > 0xffff) {
506     OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION);
507     return 0;
508   }
509   *out = (uint16_t)value;
510   return 1;
511 }
512 
SSL_SESSION_parse(CBS * cbs,const SSL_X509_METHOD * x509_method,CRYPTO_BUFFER_POOL * pool)513 UniquePtr<SSL_SESSION> SSL_SESSION_parse(CBS *cbs,
514                                          const SSL_X509_METHOD *x509_method,
515                                          CRYPTO_BUFFER_POOL *pool) {
516   UniquePtr<SSL_SESSION> ret = ssl_session_new(x509_method);
517   if (!ret) {
518     return nullptr;
519   }
520 
521   CBS session;
522   uint64_t version, ssl_version;
523   uint16_t unused;
524   if (!CBS_get_asn1(cbs, &session, CBS_ASN1_SEQUENCE) ||
525       !CBS_get_asn1_uint64(&session, &version) ||
526       version != kVersion ||
527       !CBS_get_asn1_uint64(&session, &ssl_version) ||
528       // Require sessions have versions valid in either TLS or DTLS. The session
529       // will not be used by the handshake if not applicable, but, for
530       // simplicity, never parse a session that does not pass
531       // |ssl_protocol_version_from_wire|.
532       ssl_version > UINT16_MAX ||
533       !ssl_protocol_version_from_wire(&unused, ssl_version)) {
534     OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION);
535     return nullptr;
536   }
537   ret->ssl_version = ssl_version;
538 
539   CBS cipher;
540   uint16_t cipher_value;
541   if (!CBS_get_asn1(&session, &cipher, CBS_ASN1_OCTETSTRING) ||
542       !CBS_get_u16(&cipher, &cipher_value) ||
543       CBS_len(&cipher) != 0) {
544     OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION);
545     return nullptr;
546   }
547   ret->cipher = SSL_get_cipher_by_value(cipher_value);
548   if (ret->cipher == NULL) {
549     OPENSSL_PUT_ERROR(SSL, SSL_R_UNSUPPORTED_CIPHER);
550     return nullptr;
551   }
552 
553   CBS session_id, master_key;
554   if (!CBS_get_asn1(&session, &session_id, CBS_ASN1_OCTETSTRING) ||
555       CBS_len(&session_id) > SSL3_MAX_SSL_SESSION_ID_LENGTH ||
556       !CBS_get_asn1(&session, &master_key, CBS_ASN1_OCTETSTRING) ||
557       CBS_len(&master_key) > SSL_MAX_MASTER_KEY_LENGTH) {
558     OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION);
559     return nullptr;
560   }
561   OPENSSL_memcpy(ret->session_id, CBS_data(&session_id), CBS_len(&session_id));
562   ret->session_id_length = CBS_len(&session_id);
563   OPENSSL_memcpy(ret->master_key, CBS_data(&master_key), CBS_len(&master_key));
564   ret->master_key_length = CBS_len(&master_key);
565 
566   CBS child;
567   uint64_t timeout;
568   if (!CBS_get_asn1(&session, &child, kTimeTag) ||
569       !CBS_get_asn1_uint64(&child, &ret->time) ||
570       !CBS_get_asn1(&session, &child, kTimeoutTag) ||
571       !CBS_get_asn1_uint64(&child, &timeout) ||
572       timeout > UINT32_MAX) {
573     OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION);
574     return nullptr;
575   }
576 
577   ret->timeout = (uint32_t)timeout;
578 
579   CBS peer;
580   int has_peer;
581   if (!CBS_get_optional_asn1(&session, &peer, &has_peer, kPeerTag) ||
582       (has_peer && CBS_len(&peer) == 0)) {
583     OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION);
584     return nullptr;
585   }
586   // |peer| is processed with the certificate chain.
587 
588   if (!SSL_SESSION_parse_bounded_octet_string(
589           &session, ret->sid_ctx, &ret->sid_ctx_length, sizeof(ret->sid_ctx),
590           kSessionIDContextTag) ||
591       !SSL_SESSION_parse_long(&session, &ret->verify_result, kVerifyResultTag,
592                               X509_V_OK)) {
593     return nullptr;
594   }
595 
596   // Skip the historical hostName field.
597   CBS unused_hostname;
598   if (!CBS_get_optional_asn1(&session, &unused_hostname, nullptr,
599                              kHostNameTag)) {
600     OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION);
601     return nullptr;
602   }
603 
604   if (!SSL_SESSION_parse_string(&session, &ret->psk_identity,
605                                 kPSKIdentityTag) ||
606       !SSL_SESSION_parse_u32(&session, &ret->ticket_lifetime_hint,
607                              kTicketLifetimeHintTag, 0) ||
608       !SSL_SESSION_parse_octet_string(&session, &ret->ticket, kTicketTag)) {
609     return nullptr;
610   }
611 
612   if (CBS_peek_asn1_tag(&session, kPeerSHA256Tag)) {
613     CBS peer_sha256;
614     if (!CBS_get_asn1(&session, &child, kPeerSHA256Tag) ||
615         !CBS_get_asn1(&child, &peer_sha256, CBS_ASN1_OCTETSTRING) ||
616         CBS_len(&peer_sha256) != sizeof(ret->peer_sha256) ||
617         CBS_len(&child) != 0) {
618       OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION);
619       return nullptr;
620     }
621     OPENSSL_memcpy(ret->peer_sha256, CBS_data(&peer_sha256),
622                    sizeof(ret->peer_sha256));
623     ret->peer_sha256_valid = 1;
624   } else {
625     ret->peer_sha256_valid = 0;
626   }
627 
628   if (!SSL_SESSION_parse_bounded_octet_string(
629           &session, ret->original_handshake_hash,
630           &ret->original_handshake_hash_len,
631           sizeof(ret->original_handshake_hash), kOriginalHandshakeHashTag) ||
632       !SSL_SESSION_parse_crypto_buffer(&session,
633                                        &ret->signed_cert_timestamp_list,
634                                        kSignedCertTimestampListTag, pool) ||
635       !SSL_SESSION_parse_crypto_buffer(&session, &ret->ocsp_response,
636                                        kOCSPResponseTag, pool)) {
637     return nullptr;
638   }
639 
640   int extended_master_secret;
641   if (!CBS_get_optional_asn1_bool(&session, &extended_master_secret,
642                                   kExtendedMasterSecretTag,
643                                   0 /* default to false */)) {
644     OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION);
645     return nullptr;
646   }
647   ret->extended_master_secret = !!extended_master_secret;
648 
649   if (!SSL_SESSION_parse_u16(&session, &ret->group_id, kGroupIDTag, 0)) {
650     OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION);
651     return nullptr;
652   }
653 
654   CBS cert_chain;
655   CBS_init(&cert_chain, NULL, 0);
656   int has_cert_chain;
657   if (!CBS_get_optional_asn1(&session, &cert_chain, &has_cert_chain,
658                              kCertChainTag) ||
659       (has_cert_chain && CBS_len(&cert_chain) == 0)) {
660     OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION);
661     return nullptr;
662   }
663   if (has_cert_chain && !has_peer) {
664     OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION);
665     return nullptr;
666   }
667   if (has_peer || has_cert_chain) {
668     ret->certs.reset(sk_CRYPTO_BUFFER_new_null());
669     if (ret->certs == nullptr) {
670       OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
671       return nullptr;
672     }
673 
674     if (has_peer) {
675       UniquePtr<CRYPTO_BUFFER> buffer(CRYPTO_BUFFER_new_from_CBS(&peer, pool));
676       if (!buffer ||
677           !PushToStack(ret->certs.get(), std::move(buffer))) {
678         OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
679         return nullptr;
680       }
681     }
682 
683     while (CBS_len(&cert_chain) > 0) {
684       CBS cert;
685       if (!CBS_get_any_asn1_element(&cert_chain, &cert, NULL, NULL) ||
686           CBS_len(&cert) == 0) {
687         OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION);
688         return nullptr;
689       }
690 
691       UniquePtr<CRYPTO_BUFFER> buffer(CRYPTO_BUFFER_new_from_CBS(&cert, pool));
692       if (buffer == nullptr ||
693           !PushToStack(ret->certs.get(), std::move(buffer))) {
694         OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
695         return nullptr;
696       }
697     }
698   }
699 
700   CBS age_add;
701   int age_add_present;
702   if (!CBS_get_optional_asn1_octet_string(&session, &age_add, &age_add_present,
703                                           kTicketAgeAddTag) ||
704       (age_add_present &&
705        !CBS_get_u32(&age_add, &ret->ticket_age_add)) ||
706       CBS_len(&age_add) != 0) {
707     return nullptr;
708   }
709   ret->ticket_age_add_valid = age_add_present != 0;
710 
711   int is_server;
712   if (!CBS_get_optional_asn1_bool(&session, &is_server, kIsServerTag,
713                                   1 /* default to true */)) {
714     OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION);
715     return nullptr;
716   }
717   /* TODO: in time we can include |is_server| for servers too, then we can
718      enforce that client and server sessions are never mixed up. */
719 
720   ret->is_server = is_server;
721 
722   if (!SSL_SESSION_parse_u16(&session, &ret->peer_signature_algorithm,
723                              kPeerSignatureAlgorithmTag, 0) ||
724       !SSL_SESSION_parse_u32(&session, &ret->ticket_max_early_data,
725                              kTicketMaxEarlyDataTag, 0) ||
726       !SSL_SESSION_parse_u32(&session, &ret->auth_timeout, kAuthTimeoutTag,
727                              ret->timeout) ||
728       !SSL_SESSION_parse_octet_string(&session, &ret->early_alpn,
729                                       kEarlyALPNTag) ||
730       CBS_len(&session) != 0) {
731     OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION);
732     return nullptr;
733   }
734 
735   if (!x509_method->session_cache_objects(ret.get())) {
736     OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION);
737     return nullptr;
738   }
739 
740   return ret;
741 }
742 
ssl_session_serialize(const SSL_SESSION * in,CBB * cbb)743 int ssl_session_serialize(const SSL_SESSION *in, CBB *cbb) {
744   return SSL_SESSION_to_bytes_full(in, cbb, 0);
745 }
746 
747 BSSL_NAMESPACE_END
748 
749 using namespace bssl;
750 
SSL_SESSION_to_bytes(const SSL_SESSION * in,uint8_t ** out_data,size_t * out_len)751 int SSL_SESSION_to_bytes(const SSL_SESSION *in, uint8_t **out_data,
752                          size_t *out_len) {
753   if (in->not_resumable) {
754     // If the caller has an unresumable session, e.g. if |SSL_get_session| were
755     // called on a TLS 1.3 or False Started connection, serialize with a
756     // placeholder value so it is not accidentally deserialized into a resumable
757     // one.
758     static const char kNotResumableSession[] = "NOT RESUMABLE";
759 
760     *out_len = strlen(kNotResumableSession);
761     *out_data = (uint8_t *)BUF_memdup(kNotResumableSession, *out_len);
762     if (*out_data == NULL) {
763       return 0;
764     }
765 
766     return 1;
767   }
768 
769   ScopedCBB cbb;
770   if (!CBB_init(cbb.get(), 256) ||
771       !SSL_SESSION_to_bytes_full(in, cbb.get(), 0) ||
772       !CBB_finish(cbb.get(), out_data, out_len)) {
773     return 0;
774   }
775 
776   return 1;
777 }
778 
SSL_SESSION_to_bytes_for_ticket(const SSL_SESSION * in,uint8_t ** out_data,size_t * out_len)779 int SSL_SESSION_to_bytes_for_ticket(const SSL_SESSION *in, uint8_t **out_data,
780                                     size_t *out_len) {
781   ScopedCBB cbb;
782   if (!CBB_init(cbb.get(), 256) ||
783       !SSL_SESSION_to_bytes_full(in, cbb.get(), 1) ||
784       !CBB_finish(cbb.get(), out_data, out_len)) {
785     return 0;
786   }
787 
788   return 1;
789 }
790 
i2d_SSL_SESSION(SSL_SESSION * in,uint8_t ** pp)791 int i2d_SSL_SESSION(SSL_SESSION *in, uint8_t **pp) {
792   uint8_t *out;
793   size_t len;
794 
795   if (!SSL_SESSION_to_bytes(in, &out, &len)) {
796     return -1;
797   }
798 
799   if (len > INT_MAX) {
800     OPENSSL_free(out);
801     OPENSSL_PUT_ERROR(SSL, ERR_R_OVERFLOW);
802     return -1;
803   }
804 
805   if (pp) {
806     OPENSSL_memcpy(*pp, out, len);
807     *pp += len;
808   }
809   OPENSSL_free(out);
810 
811   return len;
812 }
813 
SSL_SESSION_from_bytes(const uint8_t * in,size_t in_len,const SSL_CTX * ctx)814 SSL_SESSION *SSL_SESSION_from_bytes(const uint8_t *in, size_t in_len,
815                                     const SSL_CTX *ctx) {
816   CBS cbs;
817   CBS_init(&cbs, in, in_len);
818   UniquePtr<SSL_SESSION> ret =
819       SSL_SESSION_parse(&cbs, ctx->x509_method, ctx->pool);
820   if (!ret) {
821     return NULL;
822   }
823   if (CBS_len(&cbs) != 0) {
824     OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION);
825     return NULL;
826   }
827   return ret.release();
828 }
829