1 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
2 * All rights reserved.
3 *
4 * This package is an SSL implementation written
5 * by Eric Young (eay@cryptsoft.com).
6 * The implementation was written so as to conform with Netscapes SSL.
7 *
8 * This library is free for commercial and non-commercial use as long as
9 * the following conditions are aheared to. The following conditions
10 * apply to all code found in this distribution, be it the RC4, RSA,
11 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
12 * included with this distribution is covered by the same copyright terms
13 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
14 *
15 * Copyright remains Eric Young's, and as such any Copyright notices in
16 * the code are not to be removed.
17 * If this package is used in a product, Eric Young should be given attribution
18 * as the author of the parts of the library used.
19 * This can be in the form of a textual message at program startup or
20 * in documentation (online or textual) provided with the package.
21 *
22 * Redistribution and use in source and binary forms, with or without
23 * modification, are permitted provided that the following conditions
24 * are met:
25 * 1. Redistributions of source code must retain the copyright
26 * notice, this list of conditions and the following disclaimer.
27 * 2. Redistributions in binary form must reproduce the above copyright
28 * notice, this list of conditions and the following disclaimer in the
29 * documentation and/or other materials provided with the distribution.
30 * 3. All advertising materials mentioning features or use of this software
31 * must display the following acknowledgement:
32 * "This product includes cryptographic software written by
33 * Eric Young (eay@cryptsoft.com)"
34 * The word 'cryptographic' can be left out if the rouines from the library
35 * being used are not cryptographic related :-).
36 * 4. If you include any Windows specific code (or a derivative thereof) from
37 * the apps directory (application code) you must include an acknowledgement:
38 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
39 *
40 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
41 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
43 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
44 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
45 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
46 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
48 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
49 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
50 * SUCH DAMAGE.
51 *
52 * The licence and distribution terms for any publically available version or
53 * derivative of this code cannot be changed. i.e. this code cannot simply be
54 * copied and put under another distribution licence
55 * [including the GNU Public Licence.]
56 */
57 /* ====================================================================
58 * Copyright 2005 Nokia. All rights reserved.
59 *
60 * The portions of the attached software ("Contribution") is developed by
61 * Nokia Corporation and is licensed pursuant to the OpenSSL open source
62 * license.
63 *
64 * The Contribution, originally written by Mika Kousa and Pasi Eronen of
65 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
66 * support (see RFC 4279) to OpenSSL.
67 *
68 * No patent licenses or other rights except those expressly stated in
69 * the OpenSSL open source license shall be deemed granted or received
70 * expressly, by implication, estoppel, or otherwise.
71 *
72 * No assurances are provided by Nokia that the Contribution does not
73 * infringe the patent or other intellectual property rights of any third
74 * party or that the license provides you with all the necessary rights
75 * to make use of the Contribution.
76 *
77 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
78 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
79 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
80 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
81 * OTHERWISE. */
82
83 #include <openssl/ssl.h>
84
85 #include <limits.h>
86 #include <string.h>
87
88 #include <utility>
89
90 #include <openssl/bytestring.h>
91 #include <openssl/err.h>
92 #include <openssl/mem.h>
93 #include <openssl/x509.h>
94
95 #include "../crypto/internal.h"
96 #include "internal.h"
97
98
99 BSSL_NAMESPACE_BEGIN
100
101 // An SSL_SESSION is serialized as the following ASN.1 structure:
102 //
103 // SSLSession ::= SEQUENCE {
104 // version INTEGER (1), -- session structure version
105 // sslVersion INTEGER, -- protocol version number
106 // cipher OCTET STRING, -- two bytes long
107 // sessionID OCTET STRING,
108 // secret OCTET STRING,
109 // time [1] INTEGER, -- seconds since UNIX epoch
110 // timeout [2] INTEGER, -- in seconds
111 // peer [3] Certificate OPTIONAL,
112 // sessionIDContext [4] OCTET STRING OPTIONAL,
113 // verifyResult [5] INTEGER OPTIONAL, -- one of X509_V_* codes
114 // pskIdentity [8] OCTET STRING OPTIONAL,
115 // ticketLifetimeHint [9] INTEGER OPTIONAL, -- client-only
116 // ticket [10] OCTET STRING OPTIONAL, -- client-only
117 // peerSHA256 [13] OCTET STRING OPTIONAL,
118 // originalHandshakeHash [14] OCTET STRING OPTIONAL,
119 // signedCertTimestampList [15] OCTET STRING OPTIONAL,
120 // -- contents of SCT extension
121 // ocspResponse [16] OCTET STRING OPTIONAL,
122 // -- stapled OCSP response from the server
123 // extendedMasterSecret [17] BOOLEAN OPTIONAL,
124 // groupID [18] INTEGER OPTIONAL,
125 // certChain [19] SEQUENCE OF Certificate OPTIONAL,
126 // ticketAgeAdd [21] OCTET STRING OPTIONAL,
127 // isServer [22] BOOLEAN DEFAULT TRUE,
128 // peerSignatureAlgorithm [23] INTEGER OPTIONAL,
129 // ticketMaxEarlyData [24] INTEGER OPTIONAL,
130 // authTimeout [25] INTEGER OPTIONAL, -- defaults to timeout
131 // earlyALPN [26] OCTET STRING OPTIONAL,
132 // isQuic [27] BOOLEAN OPTIONAL,
133 // quicEarlyDataHash [28] OCTET STRING OPTIONAL,
134 // localALPS [29] OCTET STRING OPTIONAL,
135 // peerALPS [30] OCTET STRING OPTIONAL,
136 // -- Either both or none of localALPS and peerALPS must be present. If both
137 // -- are present, earlyALPN must be present and non-empty.
138 // }
139 //
140 // Note: historically this serialization has included other optional
141 // fields. Their presence is currently treated as a parse error, except for
142 // hostName, which is ignored.
143 //
144 // keyArg [0] IMPLICIT OCTET STRING OPTIONAL,
145 // hostName [6] OCTET STRING OPTIONAL,
146 // pskIdentityHint [7] OCTET STRING OPTIONAL,
147 // compressionMethod [11] OCTET STRING OPTIONAL,
148 // srpUsername [12] OCTET STRING OPTIONAL,
149 // ticketFlags [20] INTEGER OPTIONAL,
150
151 static const unsigned kVersion = 1;
152
153 static const unsigned kTimeTag =
154 CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 1;
155 static const unsigned kTimeoutTag =
156 CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 2;
157 static const unsigned kPeerTag =
158 CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 3;
159 static const unsigned kSessionIDContextTag =
160 CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 4;
161 static const unsigned kVerifyResultTag =
162 CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 5;
163 static const unsigned kHostNameTag =
164 CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 6;
165 static const unsigned kPSKIdentityTag =
166 CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 8;
167 static const unsigned kTicketLifetimeHintTag =
168 CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 9;
169 static const unsigned kTicketTag =
170 CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 10;
171 static const unsigned kPeerSHA256Tag =
172 CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 13;
173 static const unsigned kOriginalHandshakeHashTag =
174 CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 14;
175 static const unsigned kSignedCertTimestampListTag =
176 CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 15;
177 static const unsigned kOCSPResponseTag =
178 CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 16;
179 static const unsigned kExtendedMasterSecretTag =
180 CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 17;
181 static const unsigned kGroupIDTag =
182 CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 18;
183 static const unsigned kCertChainTag =
184 CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 19;
185 static const unsigned kTicketAgeAddTag =
186 CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 21;
187 static const unsigned kIsServerTag =
188 CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 22;
189 static const unsigned kPeerSignatureAlgorithmTag =
190 CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 23;
191 static const unsigned kTicketMaxEarlyDataTag =
192 CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 24;
193 static const unsigned kAuthTimeoutTag =
194 CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 25;
195 static const unsigned kEarlyALPNTag =
196 CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 26;
197 static const unsigned kIsQuicTag =
198 CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 27;
199 static const unsigned kQuicEarlyDataContextTag =
200 CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 28;
201 static const unsigned kLocalALPSTag =
202 CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 29;
203 static const unsigned kPeerALPSTag =
204 CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 30;
205
SSL_SESSION_to_bytes_full(const SSL_SESSION * in,CBB * cbb,int for_ticket)206 static int SSL_SESSION_to_bytes_full(const SSL_SESSION *in, CBB *cbb,
207 int for_ticket) {
208 if (in == NULL || in->cipher == NULL) {
209 return 0;
210 }
211
212 CBB session, child, child2;
213 if (!CBB_add_asn1(cbb, &session, CBS_ASN1_SEQUENCE) ||
214 !CBB_add_asn1_uint64(&session, kVersion) ||
215 !CBB_add_asn1_uint64(&session, in->ssl_version) ||
216 !CBB_add_asn1(&session, &child, CBS_ASN1_OCTETSTRING) ||
217 !CBB_add_u16(&child, (uint16_t)(in->cipher->id & 0xffff)) ||
218 // The session ID is irrelevant for a session ticket.
219 !CBB_add_asn1_octet_string(&session, in->session_id,
220 for_ticket ? 0 : in->session_id_length) ||
221 !CBB_add_asn1_octet_string(&session, in->secret, in->secret_length) ||
222 !CBB_add_asn1(&session, &child, kTimeTag) ||
223 !CBB_add_asn1_uint64(&child, in->time) ||
224 !CBB_add_asn1(&session, &child, kTimeoutTag) ||
225 !CBB_add_asn1_uint64(&child, in->timeout)) {
226 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
227 return 0;
228 }
229
230 // The peer certificate is only serialized if the SHA-256 isn't
231 // serialized instead.
232 if (sk_CRYPTO_BUFFER_num(in->certs.get()) > 0 && !in->peer_sha256_valid) {
233 const CRYPTO_BUFFER *buffer = sk_CRYPTO_BUFFER_value(in->certs.get(), 0);
234 if (!CBB_add_asn1(&session, &child, kPeerTag) ||
235 !CBB_add_bytes(&child, CRYPTO_BUFFER_data(buffer),
236 CRYPTO_BUFFER_len(buffer))) {
237 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
238 return 0;
239 }
240 }
241
242 // Although it is OPTIONAL and usually empty, OpenSSL has
243 // historically always encoded the sid_ctx.
244 if (!CBB_add_asn1(&session, &child, kSessionIDContextTag) ||
245 !CBB_add_asn1_octet_string(&child, in->sid_ctx, in->sid_ctx_length)) {
246 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
247 return 0;
248 }
249
250 if (in->verify_result != X509_V_OK) {
251 if (!CBB_add_asn1(&session, &child, kVerifyResultTag) ||
252 !CBB_add_asn1_uint64(&child, in->verify_result)) {
253 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
254 return 0;
255 }
256 }
257
258 if (in->psk_identity) {
259 if (!CBB_add_asn1(&session, &child, kPSKIdentityTag) ||
260 !CBB_add_asn1_octet_string(&child,
261 (const uint8_t *)in->psk_identity.get(),
262 strlen(in->psk_identity.get()))) {
263 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
264 return 0;
265 }
266 }
267
268 if (in->ticket_lifetime_hint > 0) {
269 if (!CBB_add_asn1(&session, &child, kTicketLifetimeHintTag) ||
270 !CBB_add_asn1_uint64(&child, in->ticket_lifetime_hint)) {
271 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
272 return 0;
273 }
274 }
275
276 if (!in->ticket.empty() && !for_ticket) {
277 if (!CBB_add_asn1(&session, &child, kTicketTag) ||
278 !CBB_add_asn1_octet_string(&child, in->ticket.data(),
279 in->ticket.size())) {
280 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
281 return 0;
282 }
283 }
284
285 if (in->peer_sha256_valid) {
286 if (!CBB_add_asn1(&session, &child, kPeerSHA256Tag) ||
287 !CBB_add_asn1_octet_string(&child, in->peer_sha256,
288 sizeof(in->peer_sha256))) {
289 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
290 return 0;
291 }
292 }
293
294 if (in->original_handshake_hash_len > 0) {
295 if (!CBB_add_asn1(&session, &child, kOriginalHandshakeHashTag) ||
296 !CBB_add_asn1_octet_string(&child, in->original_handshake_hash,
297 in->original_handshake_hash_len)) {
298 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
299 return 0;
300 }
301 }
302
303 if (in->signed_cert_timestamp_list != nullptr) {
304 if (!CBB_add_asn1(&session, &child, kSignedCertTimestampListTag) ||
305 !CBB_add_asn1_octet_string(
306 &child, CRYPTO_BUFFER_data(in->signed_cert_timestamp_list.get()),
307 CRYPTO_BUFFER_len(in->signed_cert_timestamp_list.get()))) {
308 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
309 return 0;
310 }
311 }
312
313 if (in->ocsp_response != nullptr) {
314 if (!CBB_add_asn1(&session, &child, kOCSPResponseTag) ||
315 !CBB_add_asn1_octet_string(
316 &child, CRYPTO_BUFFER_data(in->ocsp_response.get()),
317 CRYPTO_BUFFER_len(in->ocsp_response.get()))) {
318 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
319 return 0;
320 }
321 }
322
323 if (in->extended_master_secret) {
324 if (!CBB_add_asn1(&session, &child, kExtendedMasterSecretTag) ||
325 !CBB_add_asn1_bool(&child, true)) {
326 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
327 return 0;
328 }
329 }
330
331 if (in->group_id > 0 &&
332 (!CBB_add_asn1(&session, &child, kGroupIDTag) ||
333 !CBB_add_asn1_uint64(&child, in->group_id))) {
334 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
335 return 0;
336 }
337
338 // The certificate chain is only serialized if the leaf's SHA-256 isn't
339 // serialized instead.
340 if (in->certs != NULL &&
341 !in->peer_sha256_valid &&
342 sk_CRYPTO_BUFFER_num(in->certs.get()) >= 2) {
343 if (!CBB_add_asn1(&session, &child, kCertChainTag)) {
344 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
345 return 0;
346 }
347 for (size_t i = 1; i < sk_CRYPTO_BUFFER_num(in->certs.get()); i++) {
348 const CRYPTO_BUFFER *buffer = sk_CRYPTO_BUFFER_value(in->certs.get(), i);
349 if (!CBB_add_bytes(&child, CRYPTO_BUFFER_data(buffer),
350 CRYPTO_BUFFER_len(buffer))) {
351 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
352 return 0;
353 }
354 }
355 }
356
357 if (in->ticket_age_add_valid) {
358 if (!CBB_add_asn1(&session, &child, kTicketAgeAddTag) ||
359 !CBB_add_asn1(&child, &child2, CBS_ASN1_OCTETSTRING) ||
360 !CBB_add_u32(&child2, in->ticket_age_add)) {
361 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
362 return 0;
363 }
364 }
365
366 if (!in->is_server) {
367 if (!CBB_add_asn1(&session, &child, kIsServerTag) ||
368 !CBB_add_asn1_bool(&child, false)) {
369 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
370 return 0;
371 }
372 }
373
374 if (in->peer_signature_algorithm != 0 &&
375 (!CBB_add_asn1(&session, &child, kPeerSignatureAlgorithmTag) ||
376 !CBB_add_asn1_uint64(&child, in->peer_signature_algorithm))) {
377 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
378 return 0;
379 }
380
381 if (in->ticket_max_early_data != 0 &&
382 (!CBB_add_asn1(&session, &child, kTicketMaxEarlyDataTag) ||
383 !CBB_add_asn1_uint64(&child, in->ticket_max_early_data))) {
384 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
385 return 0;
386 }
387
388 if (in->timeout != in->auth_timeout &&
389 (!CBB_add_asn1(&session, &child, kAuthTimeoutTag) ||
390 !CBB_add_asn1_uint64(&child, in->auth_timeout))) {
391 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
392 return 0;
393 }
394
395 if (!in->early_alpn.empty()) {
396 if (!CBB_add_asn1(&session, &child, kEarlyALPNTag) ||
397 !CBB_add_asn1_octet_string(&child, in->early_alpn.data(),
398 in->early_alpn.size())) {
399 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
400 return 0;
401 }
402 }
403
404 if (in->is_quic) {
405 if (!CBB_add_asn1(&session, &child, kIsQuicTag) ||
406 !CBB_add_asn1_bool(&child, true)) {
407 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
408 return 0;
409 }
410 }
411
412 if (!in->quic_early_data_context.empty()) {
413 if (!CBB_add_asn1(&session, &child, kQuicEarlyDataContextTag) ||
414 !CBB_add_asn1_octet_string(&child, in->quic_early_data_context.data(),
415 in->quic_early_data_context.size())) {
416 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
417 return 0;
418 }
419 }
420
421 if (in->has_application_settings) {
422 if (!CBB_add_asn1(&session, &child, kLocalALPSTag) ||
423 !CBB_add_asn1_octet_string(&child,
424 in->local_application_settings.data(),
425 in->local_application_settings.size()) ||
426 !CBB_add_asn1(&session, &child, kPeerALPSTag) ||
427 !CBB_add_asn1_octet_string(&child, in->peer_application_settings.data(),
428 in->peer_application_settings.size())) {
429 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
430 return 0;
431 }
432 }
433
434 return CBB_flush(cbb);
435 }
436
437 // SSL_SESSION_parse_string gets an optional ASN.1 OCTET STRING explicitly
438 // tagged with |tag| from |cbs| and saves it in |*out|. If the element was not
439 // found, it sets |*out| to NULL. It returns one on success, whether or not the
440 // element was found, and zero on decode error.
SSL_SESSION_parse_string(CBS * cbs,UniquePtr<char> * out,unsigned tag)441 static int SSL_SESSION_parse_string(CBS *cbs, UniquePtr<char> *out, unsigned tag) {
442 CBS value;
443 int present;
444 if (!CBS_get_optional_asn1_octet_string(cbs, &value, &present, tag)) {
445 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION);
446 return 0;
447 }
448 if (present) {
449 if (CBS_contains_zero_byte(&value)) {
450 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION);
451 return 0;
452 }
453 char *raw = nullptr;
454 if (!CBS_strdup(&value, &raw)) {
455 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
456 return 0;
457 }
458 out->reset(raw);
459 } else {
460 out->reset();
461 }
462 return 1;
463 }
464
465 // SSL_SESSION_parse_octet_string gets an optional ASN.1 OCTET STRING explicitly
466 // tagged with |tag| from |cbs| and stows it in |*out|. It returns one on
467 // success, whether or not the element was found, and zero on decode error.
SSL_SESSION_parse_octet_string(CBS * cbs,Array<uint8_t> * out,unsigned tag)468 static bool SSL_SESSION_parse_octet_string(CBS *cbs, Array<uint8_t> *out,
469 unsigned tag) {
470 CBS value;
471 if (!CBS_get_optional_asn1_octet_string(cbs, &value, NULL, tag)) {
472 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION);
473 return false;
474 }
475 return out->CopyFrom(value);
476 }
477
SSL_SESSION_parse_crypto_buffer(CBS * cbs,UniquePtr<CRYPTO_BUFFER> * out,unsigned tag,CRYPTO_BUFFER_POOL * pool)478 static int SSL_SESSION_parse_crypto_buffer(CBS *cbs,
479 UniquePtr<CRYPTO_BUFFER> *out,
480 unsigned tag,
481 CRYPTO_BUFFER_POOL *pool) {
482 if (!CBS_peek_asn1_tag(cbs, tag)) {
483 return 1;
484 }
485
486 CBS child, value;
487 if (!CBS_get_asn1(cbs, &child, tag) ||
488 !CBS_get_asn1(&child, &value, CBS_ASN1_OCTETSTRING) ||
489 CBS_len(&child) != 0) {
490 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION);
491 return 0;
492 }
493 out->reset(CRYPTO_BUFFER_new_from_CBS(&value, pool));
494 if (*out == nullptr) {
495 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
496 return 0;
497 }
498 return 1;
499 }
500
501 // SSL_SESSION_parse_bounded_octet_string parses an optional ASN.1 OCTET STRING
502 // explicitly tagged with |tag| of size at most |max_out|.
SSL_SESSION_parse_bounded_octet_string(CBS * cbs,uint8_t * out,uint8_t * out_len,uint8_t max_out,unsigned tag)503 static int SSL_SESSION_parse_bounded_octet_string(
504 CBS *cbs, uint8_t *out, uint8_t *out_len, uint8_t max_out, unsigned tag) {
505 CBS value;
506 if (!CBS_get_optional_asn1_octet_string(cbs, &value, NULL, tag) ||
507 CBS_len(&value) > max_out) {
508 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION);
509 return 0;
510 }
511 OPENSSL_memcpy(out, CBS_data(&value), CBS_len(&value));
512 *out_len = (uint8_t)CBS_len(&value);
513 return 1;
514 }
515
SSL_SESSION_parse_long(CBS * cbs,long * out,unsigned tag,long default_value)516 static int SSL_SESSION_parse_long(CBS *cbs, long *out, unsigned tag,
517 long default_value) {
518 uint64_t value;
519 if (!CBS_get_optional_asn1_uint64(cbs, &value, tag,
520 (uint64_t)default_value) ||
521 value > LONG_MAX) {
522 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION);
523 return 0;
524 }
525 *out = (long)value;
526 return 1;
527 }
528
SSL_SESSION_parse_u32(CBS * cbs,uint32_t * out,unsigned tag,uint32_t default_value)529 static int SSL_SESSION_parse_u32(CBS *cbs, uint32_t *out, unsigned tag,
530 uint32_t default_value) {
531 uint64_t value;
532 if (!CBS_get_optional_asn1_uint64(cbs, &value, tag,
533 (uint64_t)default_value) ||
534 value > 0xffffffff) {
535 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION);
536 return 0;
537 }
538 *out = (uint32_t)value;
539 return 1;
540 }
541
SSL_SESSION_parse_u16(CBS * cbs,uint16_t * out,unsigned tag,uint16_t default_value)542 static int SSL_SESSION_parse_u16(CBS *cbs, uint16_t *out, unsigned tag,
543 uint16_t default_value) {
544 uint64_t value;
545 if (!CBS_get_optional_asn1_uint64(cbs, &value, tag,
546 (uint64_t)default_value) ||
547 value > 0xffff) {
548 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION);
549 return 0;
550 }
551 *out = (uint16_t)value;
552 return 1;
553 }
554
SSL_SESSION_parse(CBS * cbs,const SSL_X509_METHOD * x509_method,CRYPTO_BUFFER_POOL * pool)555 UniquePtr<SSL_SESSION> SSL_SESSION_parse(CBS *cbs,
556 const SSL_X509_METHOD *x509_method,
557 CRYPTO_BUFFER_POOL *pool) {
558 UniquePtr<SSL_SESSION> ret = ssl_session_new(x509_method);
559 if (!ret) {
560 return nullptr;
561 }
562
563 CBS session;
564 uint64_t version, ssl_version;
565 uint16_t unused;
566 if (!CBS_get_asn1(cbs, &session, CBS_ASN1_SEQUENCE) ||
567 !CBS_get_asn1_uint64(&session, &version) ||
568 version != kVersion ||
569 !CBS_get_asn1_uint64(&session, &ssl_version) ||
570 // Require sessions have versions valid in either TLS or DTLS. The session
571 // will not be used by the handshake if not applicable, but, for
572 // simplicity, never parse a session that does not pass
573 // |ssl_protocol_version_from_wire|.
574 ssl_version > UINT16_MAX ||
575 !ssl_protocol_version_from_wire(&unused, ssl_version)) {
576 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION);
577 return nullptr;
578 }
579 ret->ssl_version = ssl_version;
580
581 CBS cipher;
582 uint16_t cipher_value;
583 if (!CBS_get_asn1(&session, &cipher, CBS_ASN1_OCTETSTRING) ||
584 !CBS_get_u16(&cipher, &cipher_value) ||
585 CBS_len(&cipher) != 0) {
586 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION);
587 return nullptr;
588 }
589 ret->cipher = SSL_get_cipher_by_value(cipher_value);
590 if (ret->cipher == NULL) {
591 OPENSSL_PUT_ERROR(SSL, SSL_R_UNSUPPORTED_CIPHER);
592 return nullptr;
593 }
594
595 CBS session_id, secret;
596 if (!CBS_get_asn1(&session, &session_id, CBS_ASN1_OCTETSTRING) ||
597 CBS_len(&session_id) > SSL3_MAX_SSL_SESSION_ID_LENGTH ||
598 !CBS_get_asn1(&session, &secret, CBS_ASN1_OCTETSTRING) ||
599 CBS_len(&secret) > SSL_MAX_MASTER_KEY_LENGTH) {
600 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION);
601 return nullptr;
602 }
603 OPENSSL_memcpy(ret->session_id, CBS_data(&session_id), CBS_len(&session_id));
604 ret->session_id_length = CBS_len(&session_id);
605 OPENSSL_memcpy(ret->secret, CBS_data(&secret), CBS_len(&secret));
606 ret->secret_length = CBS_len(&secret);
607
608 CBS child;
609 uint64_t timeout;
610 if (!CBS_get_asn1(&session, &child, kTimeTag) ||
611 !CBS_get_asn1_uint64(&child, &ret->time) ||
612 !CBS_get_asn1(&session, &child, kTimeoutTag) ||
613 !CBS_get_asn1_uint64(&child, &timeout) ||
614 timeout > UINT32_MAX) {
615 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION);
616 return nullptr;
617 }
618
619 ret->timeout = (uint32_t)timeout;
620
621 CBS peer;
622 int has_peer;
623 if (!CBS_get_optional_asn1(&session, &peer, &has_peer, kPeerTag) ||
624 (has_peer && CBS_len(&peer) == 0)) {
625 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION);
626 return nullptr;
627 }
628 // |peer| is processed with the certificate chain.
629
630 if (!SSL_SESSION_parse_bounded_octet_string(
631 &session, ret->sid_ctx, &ret->sid_ctx_length, sizeof(ret->sid_ctx),
632 kSessionIDContextTag) ||
633 !SSL_SESSION_parse_long(&session, &ret->verify_result, kVerifyResultTag,
634 X509_V_OK)) {
635 return nullptr;
636 }
637
638 // Skip the historical hostName field.
639 CBS unused_hostname;
640 if (!CBS_get_optional_asn1(&session, &unused_hostname, nullptr,
641 kHostNameTag)) {
642 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION);
643 return nullptr;
644 }
645
646 if (!SSL_SESSION_parse_string(&session, &ret->psk_identity,
647 kPSKIdentityTag) ||
648 !SSL_SESSION_parse_u32(&session, &ret->ticket_lifetime_hint,
649 kTicketLifetimeHintTag, 0) ||
650 !SSL_SESSION_parse_octet_string(&session, &ret->ticket, kTicketTag)) {
651 return nullptr;
652 }
653
654 if (CBS_peek_asn1_tag(&session, kPeerSHA256Tag)) {
655 CBS peer_sha256;
656 if (!CBS_get_asn1(&session, &child, kPeerSHA256Tag) ||
657 !CBS_get_asn1(&child, &peer_sha256, CBS_ASN1_OCTETSTRING) ||
658 CBS_len(&peer_sha256) != sizeof(ret->peer_sha256) ||
659 CBS_len(&child) != 0) {
660 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION);
661 return nullptr;
662 }
663 OPENSSL_memcpy(ret->peer_sha256, CBS_data(&peer_sha256),
664 sizeof(ret->peer_sha256));
665 ret->peer_sha256_valid = 1;
666 } else {
667 ret->peer_sha256_valid = 0;
668 }
669
670 if (!SSL_SESSION_parse_bounded_octet_string(
671 &session, ret->original_handshake_hash,
672 &ret->original_handshake_hash_len,
673 sizeof(ret->original_handshake_hash), kOriginalHandshakeHashTag) ||
674 !SSL_SESSION_parse_crypto_buffer(&session,
675 &ret->signed_cert_timestamp_list,
676 kSignedCertTimestampListTag, pool) ||
677 !SSL_SESSION_parse_crypto_buffer(&session, &ret->ocsp_response,
678 kOCSPResponseTag, pool)) {
679 return nullptr;
680 }
681
682 int extended_master_secret;
683 if (!CBS_get_optional_asn1_bool(&session, &extended_master_secret,
684 kExtendedMasterSecretTag,
685 0 /* default to false */)) {
686 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION);
687 return nullptr;
688 }
689 ret->extended_master_secret = !!extended_master_secret;
690
691 if (!SSL_SESSION_parse_u16(&session, &ret->group_id, kGroupIDTag, 0)) {
692 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION);
693 return nullptr;
694 }
695
696 CBS cert_chain;
697 CBS_init(&cert_chain, NULL, 0);
698 int has_cert_chain;
699 if (!CBS_get_optional_asn1(&session, &cert_chain, &has_cert_chain,
700 kCertChainTag) ||
701 (has_cert_chain && CBS_len(&cert_chain) == 0)) {
702 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION);
703 return nullptr;
704 }
705 if (has_cert_chain && !has_peer) {
706 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION);
707 return nullptr;
708 }
709 if (has_peer || has_cert_chain) {
710 ret->certs.reset(sk_CRYPTO_BUFFER_new_null());
711 if (ret->certs == nullptr) {
712 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
713 return nullptr;
714 }
715
716 if (has_peer) {
717 UniquePtr<CRYPTO_BUFFER> buffer(CRYPTO_BUFFER_new_from_CBS(&peer, pool));
718 if (!buffer ||
719 !PushToStack(ret->certs.get(), std::move(buffer))) {
720 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
721 return nullptr;
722 }
723 }
724
725 while (CBS_len(&cert_chain) > 0) {
726 CBS cert;
727 if (!CBS_get_any_asn1_element(&cert_chain, &cert, NULL, NULL) ||
728 CBS_len(&cert) == 0) {
729 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION);
730 return nullptr;
731 }
732
733 UniquePtr<CRYPTO_BUFFER> buffer(CRYPTO_BUFFER_new_from_CBS(&cert, pool));
734 if (buffer == nullptr ||
735 !PushToStack(ret->certs.get(), std::move(buffer))) {
736 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
737 return nullptr;
738 }
739 }
740 }
741
742 CBS age_add;
743 int age_add_present;
744 if (!CBS_get_optional_asn1_octet_string(&session, &age_add, &age_add_present,
745 kTicketAgeAddTag) ||
746 (age_add_present &&
747 !CBS_get_u32(&age_add, &ret->ticket_age_add)) ||
748 CBS_len(&age_add) != 0) {
749 return nullptr;
750 }
751 ret->ticket_age_add_valid = age_add_present != 0;
752
753 int is_server;
754 if (!CBS_get_optional_asn1_bool(&session, &is_server, kIsServerTag,
755 1 /* default to true */)) {
756 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION);
757 return nullptr;
758 }
759 /* TODO: in time we can include |is_server| for servers too, then we can
760 enforce that client and server sessions are never mixed up. */
761
762 ret->is_server = is_server;
763
764 int is_quic;
765 if (!SSL_SESSION_parse_u16(&session, &ret->peer_signature_algorithm,
766 kPeerSignatureAlgorithmTag, 0) ||
767 !SSL_SESSION_parse_u32(&session, &ret->ticket_max_early_data,
768 kTicketMaxEarlyDataTag, 0) ||
769 !SSL_SESSION_parse_u32(&session, &ret->auth_timeout, kAuthTimeoutTag,
770 ret->timeout) ||
771 !SSL_SESSION_parse_octet_string(&session, &ret->early_alpn,
772 kEarlyALPNTag) ||
773 !CBS_get_optional_asn1_bool(&session, &is_quic, kIsQuicTag,
774 /*default_value=*/false) ||
775 !SSL_SESSION_parse_octet_string(&session, &ret->quic_early_data_context,
776 kQuicEarlyDataContextTag)) {
777 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION);
778 return nullptr;
779 }
780
781 CBS settings;
782 int has_local_alps, has_peer_alps;
783 if (!CBS_get_optional_asn1_octet_string(&session, &settings, &has_local_alps,
784 kLocalALPSTag) ||
785 !ret->local_application_settings.CopyFrom(settings) ||
786 !CBS_get_optional_asn1_octet_string(&session, &settings, &has_peer_alps,
787 kPeerALPSTag) ||
788 !ret->peer_application_settings.CopyFrom(settings) ||
789 CBS_len(&session) != 0) {
790 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION);
791 return nullptr;
792 }
793 ret->is_quic = is_quic;
794
795 // The two ALPS values and ALPN must be consistent.
796 if (has_local_alps != has_peer_alps ||
797 (has_local_alps && ret->early_alpn.empty())) {
798 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION);
799 return nullptr;
800 }
801 ret->has_application_settings = has_local_alps;
802
803 if (!x509_method->session_cache_objects(ret.get())) {
804 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION);
805 return nullptr;
806 }
807
808 return ret;
809 }
810
ssl_session_serialize(const SSL_SESSION * in,CBB * cbb)811 int ssl_session_serialize(const SSL_SESSION *in, CBB *cbb) {
812 return SSL_SESSION_to_bytes_full(in, cbb, 0);
813 }
814
815 BSSL_NAMESPACE_END
816
817 using namespace bssl;
818
SSL_SESSION_to_bytes(const SSL_SESSION * in,uint8_t ** out_data,size_t * out_len)819 int SSL_SESSION_to_bytes(const SSL_SESSION *in, uint8_t **out_data,
820 size_t *out_len) {
821 if (in->not_resumable) {
822 // If the caller has an unresumable session, e.g. if |SSL_get_session| were
823 // called on a TLS 1.3 or False Started connection, serialize with a
824 // placeholder value so it is not accidentally deserialized into a resumable
825 // one.
826 static const char kNotResumableSession[] = "NOT RESUMABLE";
827
828 *out_len = strlen(kNotResumableSession);
829 *out_data = (uint8_t *)OPENSSL_memdup(kNotResumableSession, *out_len);
830 if (*out_data == NULL) {
831 return 0;
832 }
833
834 return 1;
835 }
836
837 ScopedCBB cbb;
838 if (!CBB_init(cbb.get(), 256) ||
839 !SSL_SESSION_to_bytes_full(in, cbb.get(), 0) ||
840 !CBB_finish(cbb.get(), out_data, out_len)) {
841 return 0;
842 }
843
844 return 1;
845 }
846
SSL_SESSION_to_bytes_for_ticket(const SSL_SESSION * in,uint8_t ** out_data,size_t * out_len)847 int SSL_SESSION_to_bytes_for_ticket(const SSL_SESSION *in, uint8_t **out_data,
848 size_t *out_len) {
849 ScopedCBB cbb;
850 if (!CBB_init(cbb.get(), 256) ||
851 !SSL_SESSION_to_bytes_full(in, cbb.get(), 1) ||
852 !CBB_finish(cbb.get(), out_data, out_len)) {
853 return 0;
854 }
855
856 return 1;
857 }
858
i2d_SSL_SESSION(SSL_SESSION * in,uint8_t ** pp)859 int i2d_SSL_SESSION(SSL_SESSION *in, uint8_t **pp) {
860 uint8_t *out;
861 size_t len;
862
863 if (!SSL_SESSION_to_bytes(in, &out, &len)) {
864 return -1;
865 }
866
867 if (len > INT_MAX) {
868 OPENSSL_free(out);
869 OPENSSL_PUT_ERROR(SSL, ERR_R_OVERFLOW);
870 return -1;
871 }
872
873 if (pp) {
874 OPENSSL_memcpy(*pp, out, len);
875 *pp += len;
876 }
877 OPENSSL_free(out);
878
879 return len;
880 }
881
SSL_SESSION_from_bytes(const uint8_t * in,size_t in_len,const SSL_CTX * ctx)882 SSL_SESSION *SSL_SESSION_from_bytes(const uint8_t *in, size_t in_len,
883 const SSL_CTX *ctx) {
884 CBS cbs;
885 CBS_init(&cbs, in, in_len);
886 UniquePtr<SSL_SESSION> ret =
887 SSL_SESSION_parse(&cbs, ctx->x509_method, ctx->pool);
888 if (!ret) {
889 return NULL;
890 }
891 if (CBS_len(&cbs) != 0) {
892 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION);
893 return NULL;
894 }
895 return ret.release();
896 }
897