1 /* Copyright (c) 2018, Google Inc.
2 *
3 * Permission to use, copy, modify, and/or distribute this software for any
4 * purpose with or without fee is hereby granted, provided that the above
5 * copyright notice and this permission notice appear in all copies.
6 *
7 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
8 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
10 * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
12 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
13 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
14
15 #include <openssl/ssl.h>
16
17 #include <openssl/bytestring.h>
18 #include <openssl/err.h>
19
20 #include "internal.h"
21
22
23 BSSL_NAMESPACE_BEGIN
24
25 constexpr int kHandoffVersion = 0;
26 constexpr int kHandbackVersion = 0;
27
28 static const unsigned kHandoffTagALPS = CBS_ASN1_CONTEXT_SPECIFIC | 0;
29
30 // early_data_t represents the state of early data in a more compact way than
31 // the 3 bits used by the implementation.
32 enum early_data_t {
33 early_data_not_offered = 0,
34 early_data_accepted = 1,
35 early_data_rejected_hrr = 2,
36 early_data_skipped = 3,
37
38 early_data_max_value = early_data_skipped,
39 };
40
41 // serialize_features adds a description of features supported by this binary to
42 // |out|. Returns true on success and false on error.
serialize_features(CBB * out)43 static bool serialize_features(CBB *out) {
44 CBB ciphers;
45 if (!CBB_add_asn1(out, &ciphers, CBS_ASN1_OCTETSTRING)) {
46 return false;
47 }
48 Span<const SSL_CIPHER> all_ciphers = AllCiphers();
49 for (const SSL_CIPHER& cipher : all_ciphers) {
50 if (!CBB_add_u16(&ciphers, static_cast<uint16_t>(cipher.id))) {
51 return false;
52 }
53 }
54 CBB curves;
55 if (!CBB_add_asn1(out, &curves, CBS_ASN1_OCTETSTRING)) {
56 return false;
57 }
58 for (const NamedGroup& g : NamedGroups()) {
59 if (!CBB_add_u16(&curves, g.group_id)) {
60 return false;
61 }
62 }
63 // ALPS is a draft protocol and may change over time. The handoff structure
64 // contains a [0] IMPLICIT OCTET STRING OPTIONAL, containing a list of u16
65 // ALPS versions that the binary supports. For now we name them by codepoint.
66 // Once ALPS is finalized and past the support horizon, this field can be
67 // removed.
68 CBB alps;
69 if (!CBB_add_asn1(out, &alps, kHandoffTagALPS) ||
70 !CBB_add_u16(&alps, TLSEXT_TYPE_application_settings)) {
71 return false;
72 }
73 return CBB_flush(out);
74 }
75
SSL_serialize_handoff(const SSL * ssl,CBB * out,SSL_CLIENT_HELLO * out_hello)76 bool SSL_serialize_handoff(const SSL *ssl, CBB *out,
77 SSL_CLIENT_HELLO *out_hello) {
78 const SSL3_STATE *const s3 = ssl->s3;
79 if (!ssl->server ||
80 s3->hs == nullptr ||
81 s3->rwstate != SSL_ERROR_HANDOFF) {
82 return false;
83 }
84
85 CBB seq;
86 SSLMessage msg;
87 Span<const uint8_t> transcript = s3->hs->transcript.buffer();
88 if (!CBB_add_asn1(out, &seq, CBS_ASN1_SEQUENCE) ||
89 !CBB_add_asn1_uint64(&seq, kHandoffVersion) ||
90 !CBB_add_asn1_octet_string(&seq, transcript.data(), transcript.size()) ||
91 !CBB_add_asn1_octet_string(&seq,
92 reinterpret_cast<uint8_t *>(s3->hs_buf->data),
93 s3->hs_buf->length) ||
94 !serialize_features(&seq) ||
95 !CBB_flush(out) ||
96 !ssl->method->get_message(ssl, &msg) ||
97 !ssl_client_hello_init(ssl, out_hello, msg.body)) {
98 return false;
99 }
100
101 return true;
102 }
103
SSL_decline_handoff(SSL * ssl)104 bool SSL_decline_handoff(SSL *ssl) {
105 const SSL3_STATE *const s3 = ssl->s3;
106 if (!ssl->server ||
107 s3->hs == nullptr ||
108 s3->rwstate != SSL_ERROR_HANDOFF) {
109 return false;
110 }
111
112 s3->hs->config->handoff = false;
113 return true;
114 }
115
116 // apply_remote_features reads a list of supported features from |in| and
117 // (possibly) reconfigures |ssl| to disallow the negotation of features whose
118 // support has not been indicated. (This prevents the the handshake from
119 // committing to features that are not supported on the handoff/handback side.)
apply_remote_features(SSL * ssl,CBS * in)120 static bool apply_remote_features(SSL *ssl, CBS *in) {
121 CBS ciphers;
122 if (!CBS_get_asn1(in, &ciphers, CBS_ASN1_OCTETSTRING)) {
123 return false;
124 }
125 bssl::UniquePtr<STACK_OF(SSL_CIPHER)> supported(sk_SSL_CIPHER_new_null());
126 while (CBS_len(&ciphers)) {
127 uint16_t id;
128 if (!CBS_get_u16(&ciphers, &id)) {
129 return false;
130 }
131 const SSL_CIPHER *cipher = SSL_get_cipher_by_value(id);
132 if (!cipher) {
133 continue;
134 }
135 if (!sk_SSL_CIPHER_push(supported.get(), cipher)) {
136 return false;
137 }
138 }
139 STACK_OF(SSL_CIPHER) *configured =
140 ssl->config->cipher_list ? ssl->config->cipher_list->ciphers.get()
141 : ssl->ctx->cipher_list->ciphers.get();
142 bssl::UniquePtr<STACK_OF(SSL_CIPHER)> unsupported(sk_SSL_CIPHER_new_null());
143 for (const SSL_CIPHER *configured_cipher : configured) {
144 if (sk_SSL_CIPHER_find(supported.get(), nullptr, configured_cipher)) {
145 continue;
146 }
147 if (!sk_SSL_CIPHER_push(unsupported.get(), configured_cipher)) {
148 return false;
149 }
150 }
151 if (sk_SSL_CIPHER_num(unsupported.get()) && !ssl->config->cipher_list) {
152 ssl->config->cipher_list = bssl::MakeUnique<SSLCipherPreferenceList>();
153 if (!ssl->config->cipher_list->Init(*ssl->ctx->cipher_list)) {
154 return false;
155 }
156 }
157 for (const SSL_CIPHER *unsupported_cipher : unsupported.get()) {
158 ssl->config->cipher_list->Remove(unsupported_cipher);
159 }
160 if (sk_SSL_CIPHER_num(SSL_get_ciphers(ssl)) == 0) {
161 return false;
162 }
163
164 CBS curves;
165 if (!CBS_get_asn1(in, &curves, CBS_ASN1_OCTETSTRING)) {
166 return false;
167 }
168 Array<uint16_t> supported_curves;
169 if (!supported_curves.Init(CBS_len(&curves) / 2)) {
170 return false;
171 }
172 size_t idx = 0;
173 while (CBS_len(&curves)) {
174 uint16_t curve;
175 if (!CBS_get_u16(&curves, &curve)) {
176 return false;
177 }
178 supported_curves[idx++] = curve;
179 }
180 Span<const uint16_t> configured_curves =
181 tls1_get_grouplist(ssl->s3->hs.get());
182 Array<uint16_t> new_configured_curves;
183 if (!new_configured_curves.Init(configured_curves.size())) {
184 return false;
185 }
186 idx = 0;
187 for (uint16_t configured_curve : configured_curves) {
188 bool ok = false;
189 for (uint16_t supported_curve : supported_curves) {
190 if (supported_curve == configured_curve) {
191 ok = true;
192 break;
193 }
194 }
195 if (ok) {
196 new_configured_curves[idx++] = configured_curve;
197 }
198 }
199 if (idx == 0) {
200 return false;
201 }
202 new_configured_curves.Shrink(idx);
203 ssl->config->supported_group_list = std::move(new_configured_curves);
204
205 CBS alps;
206 CBS_init(&alps, nullptr, 0);
207 if (!CBS_get_optional_asn1(in, &alps, /*out_present=*/nullptr,
208 kHandoffTagALPS)) {
209 return false;
210 }
211 bool supports_alps = false;
212 while (CBS_len(&alps) != 0) {
213 uint16_t id;
214 if (!CBS_get_u16(&alps, &id)) {
215 return false;
216 }
217 // For now, we only support one ALPS code point, so we only need to extract
218 // a boolean signal from the feature list.
219 if (id == TLSEXT_TYPE_application_settings) {
220 supports_alps = true;
221 break;
222 }
223 }
224 if (!supports_alps) {
225 ssl->config->alps_configs.clear();
226 }
227
228 return true;
229 }
230
231 // uses_disallowed_feature returns true iff |ssl| enables a feature that
232 // disqualifies it for split handshakes.
uses_disallowed_feature(const SSL * ssl)233 static bool uses_disallowed_feature(const SSL *ssl) {
234 return ssl->method->is_dtls || (ssl->config->cert && ssl->config->cert->dc) ||
235 ssl->config->quic_transport_params.size() > 0 || ssl->ctx->ech_keys;
236 }
237
SSL_apply_handoff(SSL * ssl,Span<const uint8_t> handoff)238 bool SSL_apply_handoff(SSL *ssl, Span<const uint8_t> handoff) {
239 if (uses_disallowed_feature(ssl)) {
240 return false;
241 }
242
243 CBS seq, handoff_cbs(handoff);
244 uint64_t handoff_version;
245 if (!CBS_get_asn1(&handoff_cbs, &seq, CBS_ASN1_SEQUENCE) ||
246 !CBS_get_asn1_uint64(&seq, &handoff_version) ||
247 handoff_version != kHandoffVersion) {
248 return false;
249 }
250
251 CBS transcript, hs_buf;
252 if (!CBS_get_asn1(&seq, &transcript, CBS_ASN1_OCTETSTRING) ||
253 !CBS_get_asn1(&seq, &hs_buf, CBS_ASN1_OCTETSTRING) ||
254 !apply_remote_features(ssl, &seq)) {
255 return false;
256 }
257
258 SSL_set_accept_state(ssl);
259
260 SSL3_STATE *const s3 = ssl->s3;
261 s3->v2_hello_done = true;
262 s3->has_message = true;
263
264 s3->hs_buf.reset(BUF_MEM_new());
265 if (!s3->hs_buf ||
266 !BUF_MEM_append(s3->hs_buf.get(), CBS_data(&hs_buf), CBS_len(&hs_buf))) {
267 return false;
268 }
269
270 if (CBS_len(&transcript) != 0) {
271 s3->hs->transcript.Update(transcript);
272 s3->is_v2_hello = true;
273 }
274 s3->hs->handback = true;
275
276 return true;
277 }
278
SSL_serialize_handback(const SSL * ssl,CBB * out)279 bool SSL_serialize_handback(const SSL *ssl, CBB *out) {
280 if (!ssl->server || uses_disallowed_feature(ssl)) {
281 return false;
282 }
283 const SSL3_STATE *const s3 = ssl->s3;
284 SSL_HANDSHAKE *const hs = s3->hs.get();
285 handback_t type;
286 switch (hs->state) {
287 case state12_read_change_cipher_spec:
288 type = handback_after_session_resumption;
289 break;
290 case state12_read_client_certificate:
291 type = handback_after_ecdhe;
292 break;
293 case state12_finish_server_handshake:
294 type = handback_after_handshake;
295 break;
296 case state12_tls13:
297 if (hs->tls13_state != state13_send_half_rtt_ticket) {
298 return false;
299 }
300 type = handback_tls13;
301 break;
302 default:
303 return false;
304 }
305
306 size_t hostname_len = 0;
307 if (s3->hostname) {
308 hostname_len = strlen(s3->hostname.get());
309 }
310
311 Span<const uint8_t> transcript;
312 if (type != handback_after_handshake) {
313 transcript = s3->hs->transcript.buffer();
314 }
315 size_t write_iv_len = 0;
316 const uint8_t *write_iv = nullptr;
317 if ((type == handback_after_session_resumption ||
318 type == handback_after_handshake) &&
319 ssl->version == TLS1_VERSION &&
320 SSL_CIPHER_is_block_cipher(s3->aead_write_ctx->cipher()) &&
321 !s3->aead_write_ctx->GetIV(&write_iv, &write_iv_len)) {
322 return false;
323 }
324 size_t read_iv_len = 0;
325 const uint8_t *read_iv = nullptr;
326 if (type == handback_after_handshake &&
327 ssl->version == TLS1_VERSION &&
328 SSL_CIPHER_is_block_cipher(s3->aead_read_ctx->cipher()) &&
329 !s3->aead_read_ctx->GetIV(&read_iv, &read_iv_len)) {
330 return false;
331 }
332
333 // TODO(mab): make sure everything is serialized.
334 CBB seq, key_share;
335 const SSL_SESSION *session;
336 if (type == handback_tls13) {
337 session = hs->new_session.get();
338 } else {
339 session = s3->session_reused ? ssl->session.get() : hs->new_session.get();
340 }
341 static const uint8_t kUnusedChannelID[64] = {0};
342 if (!CBB_add_asn1(out, &seq, CBS_ASN1_SEQUENCE) ||
343 !CBB_add_asn1_uint64(&seq, kHandbackVersion) ||
344 !CBB_add_asn1_uint64(&seq, type) ||
345 !CBB_add_asn1_octet_string(&seq, s3->read_sequence,
346 sizeof(s3->read_sequence)) ||
347 !CBB_add_asn1_octet_string(&seq, s3->write_sequence,
348 sizeof(s3->write_sequence)) ||
349 !CBB_add_asn1_octet_string(&seq, s3->server_random,
350 sizeof(s3->server_random)) ||
351 !CBB_add_asn1_octet_string(&seq, s3->client_random,
352 sizeof(s3->client_random)) ||
353 !CBB_add_asn1_octet_string(&seq, read_iv, read_iv_len) ||
354 !CBB_add_asn1_octet_string(&seq, write_iv, write_iv_len) ||
355 !CBB_add_asn1_bool(&seq, s3->session_reused) ||
356 !CBB_add_asn1_bool(&seq, hs->channel_id_negotiated) ||
357 !ssl_session_serialize(session, &seq) ||
358 !CBB_add_asn1_octet_string(&seq, s3->next_proto_negotiated.data(),
359 s3->next_proto_negotiated.size()) ||
360 !CBB_add_asn1_octet_string(&seq, s3->alpn_selected.data(),
361 s3->alpn_selected.size()) ||
362 !CBB_add_asn1_octet_string(
363 &seq, reinterpret_cast<uint8_t *>(s3->hostname.get()),
364 hostname_len) ||
365 !CBB_add_asn1_octet_string(&seq, kUnusedChannelID,
366 sizeof(kUnusedChannelID)) ||
367 // These two fields were historically |token_binding_negotiated| and
368 // |negotiated_token_binding_param|.
369 !CBB_add_asn1_bool(&seq, 0) ||
370 !CBB_add_asn1_uint64(&seq, 0) ||
371 !CBB_add_asn1_bool(&seq, s3->hs->next_proto_neg_seen) ||
372 !CBB_add_asn1_bool(&seq, s3->hs->cert_request) ||
373 !CBB_add_asn1_bool(&seq, s3->hs->extended_master_secret) ||
374 !CBB_add_asn1_bool(&seq, s3->hs->ticket_expected) ||
375 !CBB_add_asn1_uint64(&seq, SSL_CIPHER_get_id(s3->hs->new_cipher)) ||
376 !CBB_add_asn1_octet_string(&seq, transcript.data(), transcript.size()) ||
377 !CBB_add_asn1(&seq, &key_share, CBS_ASN1_SEQUENCE)) {
378 return false;
379 }
380 if (type == handback_after_ecdhe &&
381 !s3->hs->key_shares[0]->Serialize(&key_share)) {
382 return false;
383 }
384 if (type == handback_tls13) {
385 early_data_t early_data;
386 // Check early data invariants.
387 if (ssl->enable_early_data ==
388 (s3->early_data_reason == ssl_early_data_disabled)) {
389 return false;
390 }
391 if (hs->early_data_offered) {
392 if (s3->early_data_accepted && !s3->skip_early_data) {
393 early_data = early_data_accepted;
394 } else if (!s3->early_data_accepted && !s3->skip_early_data) {
395 early_data = early_data_rejected_hrr;
396 } else if (!s3->early_data_accepted && s3->skip_early_data) {
397 early_data = early_data_skipped;
398 } else {
399 return false;
400 }
401 } else if (!s3->early_data_accepted && !s3->skip_early_data) {
402 early_data = early_data_not_offered;
403 } else {
404 return false;
405 }
406 if (!CBB_add_asn1_octet_string(&seq, hs->client_traffic_secret_0().data(),
407 hs->client_traffic_secret_0().size()) ||
408 !CBB_add_asn1_octet_string(&seq, hs->server_traffic_secret_0().data(),
409 hs->server_traffic_secret_0().size()) ||
410 !CBB_add_asn1_octet_string(&seq, hs->client_handshake_secret().data(),
411 hs->client_handshake_secret().size()) ||
412 !CBB_add_asn1_octet_string(&seq, hs->server_handshake_secret().data(),
413 hs->server_handshake_secret().size()) ||
414 !CBB_add_asn1_octet_string(&seq, hs->secret().data(),
415 hs->secret().size()) ||
416 !CBB_add_asn1_octet_string(&seq, s3->exporter_secret,
417 s3->exporter_secret_len) ||
418 !CBB_add_asn1_bool(&seq, s3->used_hello_retry_request) ||
419 !CBB_add_asn1_bool(&seq, hs->accept_psk_mode) ||
420 !CBB_add_asn1_int64(&seq, s3->ticket_age_skew) ||
421 !CBB_add_asn1_uint64(&seq, s3->early_data_reason) ||
422 !CBB_add_asn1_uint64(&seq, early_data)) {
423 return false;
424 }
425 if (early_data == early_data_accepted &&
426 !CBB_add_asn1_octet_string(&seq, hs->early_traffic_secret().data(),
427 hs->early_traffic_secret().size())) {
428 return false;
429 }
430 }
431 return CBB_flush(out);
432 }
433
CopyExact(Span<uint8_t> out,const CBS * in)434 static bool CopyExact(Span<uint8_t> out, const CBS *in) {
435 if (CBS_len(in) != out.size()) {
436 return false;
437 }
438 OPENSSL_memcpy(out.data(), CBS_data(in), out.size());
439 return true;
440 }
441
SSL_apply_handback(SSL * ssl,Span<const uint8_t> handback)442 bool SSL_apply_handback(SSL *ssl, Span<const uint8_t> handback) {
443 if (ssl->do_handshake != nullptr ||
444 ssl->method->is_dtls) {
445 return false;
446 }
447
448 SSL3_STATE *const s3 = ssl->s3;
449 uint64_t handback_version, unused_token_binding_param, cipher, type_u64;
450
451 CBS seq, read_seq, write_seq, server_rand, client_rand, read_iv, write_iv,
452 next_proto, alpn, hostname, unused_channel_id, transcript, key_share;
453 int session_reused, channel_id_negotiated, cert_request,
454 extended_master_secret, ticket_expected, unused_token_binding,
455 next_proto_neg_seen;
456 SSL_SESSION *session = nullptr;
457
458 CBS handback_cbs(handback);
459 if (!CBS_get_asn1(&handback_cbs, &seq, CBS_ASN1_SEQUENCE) ||
460 !CBS_get_asn1_uint64(&seq, &handback_version) ||
461 handback_version != kHandbackVersion ||
462 !CBS_get_asn1_uint64(&seq, &type_u64) ||
463 type_u64 > handback_max_value) {
464 return false;
465 }
466
467 handback_t type = static_cast<handback_t>(type_u64);
468 if (!CBS_get_asn1(&seq, &read_seq, CBS_ASN1_OCTETSTRING) ||
469 CBS_len(&read_seq) != sizeof(s3->read_sequence) ||
470 !CBS_get_asn1(&seq, &write_seq, CBS_ASN1_OCTETSTRING) ||
471 CBS_len(&write_seq) != sizeof(s3->write_sequence) ||
472 !CBS_get_asn1(&seq, &server_rand, CBS_ASN1_OCTETSTRING) ||
473 CBS_len(&server_rand) != sizeof(s3->server_random) ||
474 !CBS_copy_bytes(&server_rand, s3->server_random,
475 sizeof(s3->server_random)) ||
476 !CBS_get_asn1(&seq, &client_rand, CBS_ASN1_OCTETSTRING) ||
477 CBS_len(&client_rand) != sizeof(s3->client_random) ||
478 !CBS_copy_bytes(&client_rand, s3->client_random,
479 sizeof(s3->client_random)) ||
480 !CBS_get_asn1(&seq, &read_iv, CBS_ASN1_OCTETSTRING) ||
481 !CBS_get_asn1(&seq, &write_iv, CBS_ASN1_OCTETSTRING) ||
482 !CBS_get_asn1_bool(&seq, &session_reused) ||
483 !CBS_get_asn1_bool(&seq, &channel_id_negotiated)) {
484 return false;
485 }
486
487 s3->hs = ssl_handshake_new(ssl);
488 SSL_HANDSHAKE *const hs = s3->hs.get();
489 if (!session_reused || type == handback_tls13) {
490 hs->new_session =
491 SSL_SESSION_parse(&seq, ssl->ctx->x509_method, ssl->ctx->pool);
492 session = hs->new_session.get();
493 } else {
494 ssl->session =
495 SSL_SESSION_parse(&seq, ssl->ctx->x509_method, ssl->ctx->pool);
496 session = ssl->session.get();
497 }
498
499 if (!session || !CBS_get_asn1(&seq, &next_proto, CBS_ASN1_OCTETSTRING) ||
500 !CBS_get_asn1(&seq, &alpn, CBS_ASN1_OCTETSTRING) ||
501 !CBS_get_asn1(&seq, &hostname, CBS_ASN1_OCTETSTRING) ||
502 !CBS_get_asn1(&seq, &unused_channel_id, CBS_ASN1_OCTETSTRING) ||
503 !CBS_get_asn1_bool(&seq, &unused_token_binding) ||
504 !CBS_get_asn1_uint64(&seq, &unused_token_binding_param) ||
505 !CBS_get_asn1_bool(&seq, &next_proto_neg_seen) ||
506 !CBS_get_asn1_bool(&seq, &cert_request) ||
507 !CBS_get_asn1_bool(&seq, &extended_master_secret) ||
508 !CBS_get_asn1_bool(&seq, &ticket_expected) ||
509 !CBS_get_asn1_uint64(&seq, &cipher)) {
510 return false;
511 }
512 if ((hs->new_cipher =
513 SSL_get_cipher_by_value(static_cast<uint16_t>(cipher))) == nullptr) {
514 return false;
515 }
516 if (!CBS_get_asn1(&seq, &transcript, CBS_ASN1_OCTETSTRING) ||
517 !CBS_get_asn1(&seq, &key_share, CBS_ASN1_SEQUENCE)) {
518 return false;
519 }
520 CBS client_handshake_secret, server_handshake_secret, client_traffic_secret_0,
521 server_traffic_secret_0, secret, exporter_secret, early_traffic_secret;
522 if (type == handback_tls13) {
523 int used_hello_retry_request, accept_psk_mode;
524 uint64_t early_data, early_data_reason;
525 int64_t ticket_age_skew;
526 if (!CBS_get_asn1(&seq, &client_traffic_secret_0, CBS_ASN1_OCTETSTRING) ||
527 !CBS_get_asn1(&seq, &server_traffic_secret_0, CBS_ASN1_OCTETSTRING) ||
528 !CBS_get_asn1(&seq, &client_handshake_secret, CBS_ASN1_OCTETSTRING) ||
529 !CBS_get_asn1(&seq, &server_handshake_secret, CBS_ASN1_OCTETSTRING) ||
530 !CBS_get_asn1(&seq, &secret, CBS_ASN1_OCTETSTRING) ||
531 !CBS_get_asn1(&seq, &exporter_secret, CBS_ASN1_OCTETSTRING) ||
532 !CBS_get_asn1_bool(&seq, &used_hello_retry_request) ||
533 !CBS_get_asn1_bool(&seq, &accept_psk_mode) ||
534 !CBS_get_asn1_int64(&seq, &ticket_age_skew) ||
535 !CBS_get_asn1_uint64(&seq, &early_data_reason) ||
536 early_data_reason > ssl_early_data_reason_max_value ||
537 !CBS_get_asn1_uint64(&seq, &early_data) ||
538 early_data > early_data_max_value) {
539 return false;
540 }
541 early_data_t early_data_type = static_cast<early_data_t>(early_data);
542 if (early_data_type == early_data_accepted &&
543 !CBS_get_asn1(&seq, &early_traffic_secret, CBS_ASN1_OCTETSTRING)) {
544 return false;
545 }
546 if (ticket_age_skew > std::numeric_limits<int32_t>::max() ||
547 ticket_age_skew < std::numeric_limits<int32_t>::min()) {
548 return false;
549 }
550 s3->ticket_age_skew = static_cast<int32_t>(ticket_age_skew);
551 s3->used_hello_retry_request = used_hello_retry_request;
552 hs->accept_psk_mode = accept_psk_mode;
553
554 s3->early_data_reason =
555 static_cast<ssl_early_data_reason_t>(early_data_reason);
556 ssl->enable_early_data = s3->early_data_reason != ssl_early_data_disabled;
557 s3->skip_early_data = false;
558 s3->early_data_accepted = false;
559 hs->early_data_offered = false;
560 switch (early_data_type) {
561 case early_data_not_offered:
562 break;
563 case early_data_accepted:
564 s3->early_data_accepted = true;
565 hs->early_data_offered = true;
566 hs->can_early_write = true;
567 hs->can_early_read = true;
568 hs->in_early_data = true;
569 break;
570 case early_data_rejected_hrr:
571 hs->early_data_offered = true;
572 break;
573 case early_data_skipped:
574 s3->skip_early_data = true;
575 hs->early_data_offered = true;
576 break;
577 default:
578 return false;
579 }
580 } else {
581 s3->early_data_reason = ssl_early_data_protocol_version;
582 }
583
584 ssl->version = session->ssl_version;
585 s3->have_version = true;
586 if (!ssl_method_supports_version(ssl->method, ssl->version) ||
587 session->cipher != hs->new_cipher ||
588 ssl_protocol_version(ssl) < SSL_CIPHER_get_min_version(session->cipher) ||
589 SSL_CIPHER_get_max_version(session->cipher) < ssl_protocol_version(ssl)) {
590 return false;
591 }
592 ssl->do_handshake = ssl_server_handshake;
593 ssl->server = true;
594 switch (type) {
595 case handback_after_session_resumption:
596 hs->state = state12_read_change_cipher_spec;
597 if (!session_reused) {
598 return false;
599 }
600 break;
601 case handback_after_ecdhe:
602 hs->state = state12_read_client_certificate;
603 if (session_reused) {
604 return false;
605 }
606 break;
607 case handback_after_handshake:
608 hs->state = state12_finish_server_handshake;
609 break;
610 case handback_tls13:
611 hs->state = state12_tls13;
612 hs->tls13_state = state13_send_half_rtt_ticket;
613 break;
614 default:
615 return false;
616 }
617 s3->session_reused = session_reused;
618 hs->channel_id_negotiated = channel_id_negotiated;
619 s3->next_proto_negotiated.CopyFrom(next_proto);
620 s3->alpn_selected.CopyFrom(alpn);
621
622 const size_t hostname_len = CBS_len(&hostname);
623 if (hostname_len == 0) {
624 s3->hostname.reset();
625 } else {
626 char *hostname_str = nullptr;
627 if (!CBS_strdup(&hostname, &hostname_str)) {
628 return false;
629 }
630 s3->hostname.reset(hostname_str);
631 }
632
633 hs->next_proto_neg_seen = next_proto_neg_seen;
634 hs->wait = ssl_hs_flush;
635 hs->extended_master_secret = extended_master_secret;
636 hs->ticket_expected = ticket_expected;
637 s3->aead_write_ctx->SetVersionIfNullCipher(ssl->version);
638 hs->cert_request = cert_request;
639
640 if (type != handback_after_handshake &&
641 (!hs->transcript.Init() ||
642 !hs->transcript.InitHash(ssl_protocol_version(ssl), hs->new_cipher) ||
643 !hs->transcript.Update(transcript))) {
644 return false;
645 }
646 if (type == handback_tls13) {
647 hs->ResizeSecrets(hs->transcript.DigestLen());
648 if (!CopyExact(hs->client_traffic_secret_0(), &client_traffic_secret_0) ||
649 !CopyExact(hs->server_traffic_secret_0(), &server_traffic_secret_0) ||
650 !CopyExact(hs->client_handshake_secret(), &client_handshake_secret) ||
651 !CopyExact(hs->server_handshake_secret(), &server_handshake_secret) ||
652 !CopyExact(hs->secret(), &secret) ||
653 !CopyExact({s3->exporter_secret, hs->transcript.DigestLen()},
654 &exporter_secret)) {
655 return false;
656 }
657 s3->exporter_secret_len = CBS_len(&exporter_secret);
658
659 if (s3->early_data_accepted &&
660 !CopyExact(hs->early_traffic_secret(), &early_traffic_secret)) {
661 return false;
662 }
663 }
664 Array<uint8_t> key_block;
665 switch (type) {
666 case handback_after_session_resumption:
667 // The write keys are installed after server Finished, but the client
668 // keys must wait for ChangeCipherSpec.
669 if (!tls1_configure_aead(ssl, evp_aead_seal, &key_block, session,
670 write_iv)) {
671 return false;
672 }
673 break;
674 case handback_after_ecdhe:
675 // The premaster secret is not yet computed, so install no keys.
676 break;
677 case handback_after_handshake:
678 // The handshake is complete, so both keys are installed.
679 if (!tls1_configure_aead(ssl, evp_aead_seal, &key_block, session,
680 write_iv) ||
681 !tls1_configure_aead(ssl, evp_aead_open, &key_block, session,
682 read_iv)) {
683 return false;
684 }
685 break;
686 case handback_tls13:
687 // After server Finished, the application write keys are installed, but
688 // none of the read keys. The read keys are installed in the state machine
689 // immediately after processing handback.
690 if (!tls13_set_traffic_key(ssl, ssl_encryption_application, evp_aead_seal,
691 hs->new_session.get(),
692 hs->server_traffic_secret_0())) {
693 return false;
694 }
695 break;
696 }
697 if (!CopyExact({s3->read_sequence, sizeof(s3->read_sequence)}, &read_seq) ||
698 !CopyExact({s3->write_sequence, sizeof(s3->write_sequence)},
699 &write_seq)) {
700 return false;
701 }
702 if (type == handback_after_ecdhe &&
703 (hs->key_shares[0] = SSLKeyShare::Create(&key_share)) == nullptr) {
704 return false;
705 }
706 return true; // Trailing data allowed for extensibility.
707 }
708
709 BSSL_NAMESPACE_END
710
711 using namespace bssl;
712
SSL_serialize_capabilities(const SSL * ssl,CBB * out)713 int SSL_serialize_capabilities(const SSL *ssl, CBB *out) {
714 CBB seq;
715 if (!CBB_add_asn1(out, &seq, CBS_ASN1_SEQUENCE) ||
716 !serialize_features(&seq) || //
717 !CBB_flush(out)) {
718 return 0;
719 }
720
721 return 1;
722 }
723
SSL_request_handshake_hints(SSL * ssl,const uint8_t * client_hello,size_t client_hello_len,const uint8_t * capabilities,size_t capabilities_len)724 int SSL_request_handshake_hints(SSL *ssl, const uint8_t *client_hello,
725 size_t client_hello_len,
726 const uint8_t *capabilities,
727 size_t capabilities_len) {
728 if (SSL_is_dtls(ssl)) {
729 OPENSSL_PUT_ERROR(SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
730 return 0;
731 }
732
733 CBS cbs, seq;
734 CBS_init(&cbs, capabilities, capabilities_len);
735 UniquePtr<SSL_HANDSHAKE_HINTS> hints = MakeUnique<SSL_HANDSHAKE_HINTS>();
736 if (hints == nullptr ||
737 !CBS_get_asn1(&cbs, &seq, CBS_ASN1_SEQUENCE) ||
738 !apply_remote_features(ssl, &seq)) {
739 return 0;
740 }
741
742 SSL3_STATE *const s3 = ssl->s3;
743 s3->v2_hello_done = true;
744 s3->has_message = true;
745
746 Array<uint8_t> client_hello_msg;
747 ScopedCBB client_hello_cbb;
748 CBB client_hello_body;
749 if (!ssl->method->init_message(ssl, client_hello_cbb.get(),
750 &client_hello_body, SSL3_MT_CLIENT_HELLO) ||
751 !CBB_add_bytes(&client_hello_body, client_hello, client_hello_len) ||
752 !ssl->method->finish_message(ssl, client_hello_cbb.get(),
753 &client_hello_msg)) {
754 return 0;
755 }
756
757 s3->hs_buf.reset(BUF_MEM_new());
758 if (!s3->hs_buf || !BUF_MEM_append(s3->hs_buf.get(), client_hello_msg.data(),
759 client_hello_msg.size())) {
760 return 0;
761 }
762
763 s3->hs->hints_requested = true;
764 s3->hs->hints = std::move(hints);
765 return 1;
766 }
767
768 // |SSL_HANDSHAKE_HINTS| is serialized as the following ASN.1 structure. We use
769 // implicit tagging to make it a little more compact.
770 //
771 // HandshakeHints ::= SEQUENCE {
772 // serverRandom [0] IMPLICIT OCTET STRING OPTIONAL,
773 // keyShareHint [1] IMPLICIT KeyShareHint OPTIONAL,
774 // signatureHint [2] IMPLICIT SignatureHint OPTIONAL,
775 // -- At most one of decryptedPSKHint or ignorePSKHint may be present. It
776 // -- corresponds to the first entry in pre_shared_keys. TLS 1.2 session
777 // -- tickets will use a separate hint, to ensure the caller does not mix
778 // -- them up.
779 // decryptedPSKHint [3] IMPLICIT OCTET STRING OPTIONAL,
780 // ignorePSKHint [4] IMPLICIT NULL OPTIONAL,
781 // compressCertificateHint [5] IMPLICIT CompressCertificateHint OPTIONAL,
782 // }
783 //
784 // KeyShareHint ::= SEQUENCE {
785 // groupId INTEGER,
786 // publicKey OCTET STRING,
787 // secret OCTET STRING,
788 // }
789 //
790 // SignatureHint ::= SEQUENCE {
791 // algorithm INTEGER,
792 // input OCTET STRING,
793 // subjectPublicKeyInfo OCTET STRING,
794 // signature OCTET STRING,
795 // }
796 //
797 // CompressCertificateHint ::= SEQUENCE {
798 // algorithm INTEGER,
799 // input OCTET STRING,
800 // compressed OCTET STRING,
801 // }
802
803 // HandshakeHints tags.
804 static const unsigned kServerRandomTag = CBS_ASN1_CONTEXT_SPECIFIC | 0;
805 static const unsigned kKeyShareHintTag =
806 CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 1;
807 static const unsigned kSignatureHintTag =
808 CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 2;
809 static const unsigned kDecryptedPSKTag = CBS_ASN1_CONTEXT_SPECIFIC | 3;
810 static const unsigned kIgnorePSKTag = CBS_ASN1_CONTEXT_SPECIFIC | 4;
811 static const unsigned kCompressCertificateTag = CBS_ASN1_CONTEXT_SPECIFIC | 5;
812
SSL_serialize_handshake_hints(const SSL * ssl,CBB * out)813 int SSL_serialize_handshake_hints(const SSL *ssl, CBB *out) {
814 const SSL_HANDSHAKE *hs = ssl->s3->hs.get();
815 if (!ssl->server || !hs->hints_requested) {
816 OPENSSL_PUT_ERROR(SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
817 return 0;
818 }
819
820 const SSL_HANDSHAKE_HINTS *hints = hs->hints.get();
821 CBB seq, child;
822 if (!CBB_add_asn1(out, &seq, CBS_ASN1_SEQUENCE)) {
823 return 0;
824 }
825
826 if (!hints->server_random.empty()) {
827 if (!CBB_add_asn1(&seq, &child, kServerRandomTag) ||
828 !CBB_add_bytes(&child, hints->server_random.data(),
829 hints->server_random.size())) {
830 return 0;
831 }
832 }
833
834 if (hints->key_share_group_id != 0 && !hints->key_share_public_key.empty() &&
835 !hints->key_share_secret.empty()) {
836 if (!CBB_add_asn1(&seq, &child, kKeyShareHintTag) ||
837 !CBB_add_asn1_uint64(&child, hints->key_share_group_id) ||
838 !CBB_add_asn1_octet_string(&child, hints->key_share_public_key.data(),
839 hints->key_share_public_key.size()) ||
840 !CBB_add_asn1_octet_string(&child, hints->key_share_secret.data(),
841 hints->key_share_secret.size())) {
842 return 0;
843 }
844 }
845
846 if (hints->signature_algorithm != 0 && !hints->signature_input.empty() &&
847 !hints->signature.empty()) {
848 if (!CBB_add_asn1(&seq, &child, kSignatureHintTag) ||
849 !CBB_add_asn1_uint64(&child, hints->signature_algorithm) ||
850 !CBB_add_asn1_octet_string(&child, hints->signature_input.data(),
851 hints->signature_input.size()) ||
852 !CBB_add_asn1_octet_string(&child, hints->signature_spki.data(),
853 hints->signature_spki.size()) ||
854 !CBB_add_asn1_octet_string(&child, hints->signature.data(),
855 hints->signature.size())) {
856 return 0;
857 }
858 }
859
860 if (!hints->decrypted_psk.empty()) {
861 if (!CBB_add_asn1(&seq, &child, kDecryptedPSKTag) ||
862 !CBB_add_bytes(&child, hints->decrypted_psk.data(),
863 hints->decrypted_psk.size())) {
864 return 0;
865 }
866 }
867
868 if (hints->ignore_psk && //
869 !CBB_add_asn1(&seq, &child, kIgnorePSKTag)) {
870 return 0;
871 }
872
873 if (hints->cert_compression_alg_id != 0 &&
874 !hints->cert_compression_input.empty() &&
875 !hints->cert_compression_output.empty()) {
876 if (!CBB_add_asn1(&seq, &child, kCompressCertificateTag) ||
877 !CBB_add_asn1_uint64(&child, hints->cert_compression_alg_id) ||
878 !CBB_add_asn1_octet_string(&child, hints->cert_compression_input.data(),
879 hints->cert_compression_input.size()) ||
880 !CBB_add_asn1_octet_string(&child,
881 hints->cert_compression_output.data(),
882 hints->cert_compression_output.size())) {
883 return 0;
884 }
885 }
886
887 return CBB_flush(out);
888 }
889
SSL_set_handshake_hints(SSL * ssl,const uint8_t * hints,size_t hints_len)890 int SSL_set_handshake_hints(SSL *ssl, const uint8_t *hints, size_t hints_len) {
891 if (SSL_is_dtls(ssl)) {
892 OPENSSL_PUT_ERROR(SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
893 return 0;
894 }
895
896 UniquePtr<SSL_HANDSHAKE_HINTS> hints_obj = MakeUnique<SSL_HANDSHAKE_HINTS>();
897 if (hints_obj == nullptr) {
898 return 0;
899 }
900
901 CBS cbs, seq, server_random, key_share, signature_hint, ticket, ignore_psk,
902 cert_compression;
903 int has_server_random, has_key_share, has_signature_hint, has_ticket,
904 has_ignore_psk, has_cert_compression;
905 CBS_init(&cbs, hints, hints_len);
906 if (!CBS_get_asn1(&cbs, &seq, CBS_ASN1_SEQUENCE) ||
907 !CBS_get_optional_asn1(&seq, &server_random, &has_server_random,
908 kServerRandomTag) ||
909 !CBS_get_optional_asn1(&seq, &key_share, &has_key_share,
910 kKeyShareHintTag) ||
911 !CBS_get_optional_asn1(&seq, &signature_hint, &has_signature_hint,
912 kSignatureHintTag) ||
913 !CBS_get_optional_asn1(&seq, &ticket, &has_ticket, kDecryptedPSKTag) ||
914 !CBS_get_optional_asn1(&seq, &ignore_psk, &has_ignore_psk,
915 kIgnorePSKTag) ||
916 !CBS_get_optional_asn1(&seq, &cert_compression, &has_cert_compression,
917 kCompressCertificateTag)) {
918 OPENSSL_PUT_ERROR(SSL, SSL_R_COULD_NOT_PARSE_HINTS);
919 return 0;
920 }
921
922 if (has_server_random && !hints_obj->server_random.CopyFrom(server_random)) {
923 return 0;
924 }
925
926 if (has_key_share) {
927 uint64_t group_id;
928 CBS public_key, secret;
929 if (!CBS_get_asn1_uint64(&key_share, &group_id) || //
930 group_id == 0 || group_id > 0xffff ||
931 !CBS_get_asn1(&key_share, &public_key, CBS_ASN1_OCTETSTRING) ||
932 !hints_obj->key_share_public_key.CopyFrom(public_key) ||
933 !CBS_get_asn1(&key_share, &secret, CBS_ASN1_OCTETSTRING) ||
934 !hints_obj->key_share_secret.CopyFrom(secret)) {
935 OPENSSL_PUT_ERROR(SSL, SSL_R_COULD_NOT_PARSE_HINTS);
936 return 0;
937 }
938 hints_obj->key_share_group_id = static_cast<uint16_t>(group_id);
939 }
940
941 if (has_signature_hint) {
942 uint64_t sig_alg;
943 CBS input, spki, signature;
944 if (!CBS_get_asn1_uint64(&signature_hint, &sig_alg) || //
945 sig_alg == 0 || sig_alg > 0xffff ||
946 !CBS_get_asn1(&signature_hint, &input, CBS_ASN1_OCTETSTRING) ||
947 !hints_obj->signature_input.CopyFrom(input) ||
948 !CBS_get_asn1(&signature_hint, &spki, CBS_ASN1_OCTETSTRING) ||
949 !hints_obj->signature_spki.CopyFrom(spki) ||
950 !CBS_get_asn1(&signature_hint, &signature, CBS_ASN1_OCTETSTRING) ||
951 !hints_obj->signature.CopyFrom(signature)) {
952 OPENSSL_PUT_ERROR(SSL, SSL_R_COULD_NOT_PARSE_HINTS);
953 return 0;
954 }
955 hints_obj->signature_algorithm = static_cast<uint16_t>(sig_alg);
956 }
957
958 if (has_ticket && !hints_obj->decrypted_psk.CopyFrom(ticket)) {
959 return 0;
960 }
961
962 if (has_ignore_psk) {
963 if (CBS_len(&ignore_psk) != 0) {
964 return 0;
965 }
966 hints_obj->ignore_psk = true;
967 }
968
969 if (has_cert_compression) {
970 uint64_t alg;
971 CBS input, output;
972 if (!CBS_get_asn1_uint64(&cert_compression, &alg) || //
973 alg == 0 || alg > 0xffff ||
974 !CBS_get_asn1(&cert_compression, &input, CBS_ASN1_OCTETSTRING) ||
975 !hints_obj->cert_compression_input.CopyFrom(input) ||
976 !CBS_get_asn1(&cert_compression, &output, CBS_ASN1_OCTETSTRING) ||
977 !hints_obj->cert_compression_output.CopyFrom(output)) {
978 OPENSSL_PUT_ERROR(SSL, SSL_R_COULD_NOT_PARSE_HINTS);
979 return 0;
980 }
981 hints_obj->cert_compression_alg_id = static_cast<uint16_t>(alg);
982 }
983
984 ssl->s3->hs->hints = std::move(hints_obj);
985 return 1;
986 }
987