1 /* Copyright (c) 2018, Google Inc.
2 *
3 * Permission to use, copy, modify, and/or distribute this software for any
4 * purpose with or without fee is hereby granted, provided that the above
5 * copyright notice and this permission notice appear in all copies.
6 *
7 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
8 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
10 * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
12 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
13 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
14
15 #include <openssl/ssl.h>
16
17 #include <openssl/bytestring.h>
18
19 #include "internal.h"
20
21
22 namespace bssl {
23
24 constexpr int kHandoffVersion = 0;
25 constexpr int kHandbackVersion = 0;
26
SSL_serialize_handoff(const SSL * ssl,CBB * out)27 bool SSL_serialize_handoff(const SSL *ssl, CBB *out) {
28 const SSL3_STATE *const s3 = ssl->s3;
29 if (!ssl->server ||
30 s3->hs == nullptr ||
31 s3->rwstate != SSL_HANDOFF) {
32 return false;
33 }
34
35 CBB seq;
36 Span<const uint8_t> transcript = s3->hs->transcript.buffer();
37 if (!CBB_add_asn1(out, &seq, CBS_ASN1_SEQUENCE) ||
38 !CBB_add_asn1_uint64(&seq, kHandoffVersion) ||
39 !CBB_add_asn1_octet_string(&seq, transcript.data(), transcript.size()) ||
40 !CBB_add_asn1_octet_string(&seq,
41 reinterpret_cast<uint8_t *>(s3->hs_buf->data),
42 s3->hs_buf->length) ||
43 !CBB_flush(out)) {
44 return false;
45 }
46
47 return true;
48 }
49
SSL_decline_handoff(SSL * ssl)50 bool SSL_decline_handoff(SSL *ssl) {
51 const SSL3_STATE *const s3 = ssl->s3;
52 if (!ssl->server ||
53 s3->hs == nullptr ||
54 s3->rwstate != SSL_HANDOFF) {
55 return false;
56 }
57
58 ssl->handoff = false;
59 return true;
60 }
61
SSL_apply_handoff(SSL * ssl,Span<const uint8_t> handoff)62 bool SSL_apply_handoff(SSL *ssl, Span<const uint8_t> handoff) {
63 if (ssl->method->is_dtls) {
64 return false;
65 }
66
67 CBS seq, handoff_cbs(handoff);
68 uint64_t handoff_version;
69 if (!CBS_get_asn1(&handoff_cbs, &seq, CBS_ASN1_SEQUENCE) ||
70 !CBS_get_asn1_uint64(&seq, &handoff_version) ||
71 handoff_version != kHandoffVersion) {
72 return false;
73 }
74
75 CBS transcript, hs_buf;
76 if (!CBS_get_asn1(&seq, &transcript, CBS_ASN1_OCTETSTRING) ||
77 !CBS_get_asn1(&seq, &hs_buf, CBS_ASN1_OCTETSTRING)) {
78 return false;
79 }
80
81 SSL_set_accept_state(ssl);
82
83 SSL3_STATE *const s3 = ssl->s3;
84 s3->v2_hello_done = true;
85 s3->has_message = true;
86
87 s3->hs_buf.reset(BUF_MEM_new());
88 if (!s3->hs_buf ||
89 !BUF_MEM_append(s3->hs_buf.get(), CBS_data(&hs_buf), CBS_len(&hs_buf))) {
90 return false;
91 }
92
93 if (CBS_len(&transcript) != 0) {
94 s3->hs->transcript.Update(transcript);
95 s3->is_v2_hello = true;
96 ssl_do_msg_callback(ssl, 0 /* read */, 0 /* V2ClientHello */, transcript);
97 }
98
99 return true;
100 }
101
SSL_serialize_handback(const SSL * ssl,CBB * out)102 bool SSL_serialize_handback(const SSL *ssl, CBB *out) {
103 if (!ssl->server ||
104 !ssl->s3->initial_handshake_complete ||
105 ssl->method->is_dtls ||
106 ssl->version < TLS1_VERSION) {
107 return false;
108 }
109
110 const SSL3_STATE *const s3 = ssl->s3;
111 size_t hostname_len = 0;
112 if (s3->hostname) {
113 hostname_len = strlen(s3->hostname.get());
114 }
115
116 size_t iv_len = 0;
117 const uint8_t *read_iv = nullptr, *write_iv = nullptr;
118 if (ssl->version == TLS1_VERSION &&
119 SSL_CIPHER_is_block_cipher(s3->aead_read_ctx->cipher()) &&
120 (!s3->aead_read_ctx->GetIV(&read_iv, &iv_len) ||
121 !s3->aead_write_ctx->GetIV(&write_iv, &iv_len))) {
122 return false;
123 }
124
125 CBB seq;
126 if (!CBB_add_asn1(out, &seq, CBS_ASN1_SEQUENCE) ||
127 !CBB_add_asn1_uint64(&seq, kHandbackVersion) ||
128 !CBB_add_asn1_uint64(&seq, ssl->version) ||
129 !CBB_add_asn1_uint64(&seq, ssl->conf_max_version) ||
130 !CBB_add_asn1_uint64(&seq, ssl->conf_min_version) ||
131 !CBB_add_asn1_uint64(&seq, ssl->max_send_fragment) ||
132 !CBB_add_asn1_octet_string(&seq, s3->read_sequence,
133 sizeof(s3->read_sequence)) ||
134 !CBB_add_asn1_octet_string(&seq, s3->write_sequence,
135 sizeof(s3->write_sequence)) ||
136 !CBB_add_asn1_octet_string(&seq, s3->server_random,
137 sizeof(s3->server_random)) ||
138 !CBB_add_asn1_octet_string(&seq, s3->client_random,
139 sizeof(s3->client_random)) ||
140 !CBB_add_asn1_octet_string(&seq, read_iv, iv_len) ||
141 !CBB_add_asn1_octet_string(&seq, write_iv, iv_len) ||
142 !CBB_add_asn1_bool(&seq, s3->session_reused) ||
143 !CBB_add_asn1_bool(&seq, s3->send_connection_binding) ||
144 !CBB_add_asn1_bool(&seq, s3->tlsext_channel_id_valid) ||
145 !ssl_session_serialize(s3->established_session.get(), &seq) ||
146 !CBB_add_asn1_octet_string(&seq, s3->next_proto_negotiated.data(),
147 s3->next_proto_negotiated.size()) ||
148 !CBB_add_asn1_octet_string(&seq, s3->alpn_selected.data(),
149 s3->alpn_selected.size()) ||
150 !CBB_add_asn1_octet_string(
151 &seq, reinterpret_cast<uint8_t *>(s3->hostname.get()),
152 hostname_len) ||
153 !CBB_add_asn1_octet_string(&seq, s3->tlsext_channel_id,
154 sizeof(s3->tlsext_channel_id)) ||
155 !CBB_add_asn1_uint64(&seq, ssl->options) ||
156 !CBB_add_asn1_uint64(&seq, ssl->mode) ||
157 !CBB_add_asn1_uint64(&seq, ssl->max_cert_list) ||
158 !CBB_add_asn1_bool(&seq, ssl->quiet_shutdown) ||
159 !CBB_add_asn1_bool(&seq, ssl->tlsext_channel_id_enabled) ||
160 !CBB_add_asn1_bool(&seq, ssl->retain_only_sha256_of_client_certs) ||
161 !CBB_flush(out)) {
162 return false;
163 }
164
165 return true;
166 }
167
SSL_apply_handback(SSL * ssl,Span<const uint8_t> handback)168 bool SSL_apply_handback(SSL *ssl, Span<const uint8_t> handback) {
169 if (ssl->do_handshake != nullptr ||
170 ssl->method->is_dtls) {
171 return false;
172 }
173
174 SSL3_STATE *const s3 = ssl->s3;
175 uint64_t handback_version, version, conf_max_version, conf_min_version,
176 max_send_fragment, options, mode, max_cert_list;
177 CBS seq, read_seq, write_seq, server_rand, client_rand, read_iv, write_iv,
178 next_proto, alpn, hostname, channel_id;
179 int session_reused, send_connection_binding, channel_id_valid,
180 quiet_shutdown, channel_id_enabled, retain_only_sha256;
181
182 CBS handback_cbs(handback);
183 if (!CBS_get_asn1(&handback_cbs, &seq, CBS_ASN1_SEQUENCE) ||
184 !CBS_get_asn1_uint64(&seq, &handback_version) ||
185 handback_version != kHandbackVersion) {
186 return false;
187 }
188
189 if (!CBS_get_asn1_uint64(&seq, &version) ||
190 !CBS_get_asn1_uint64(&seq, &conf_max_version) ||
191 !CBS_get_asn1_uint64(&seq, &conf_min_version) ||
192 !CBS_get_asn1_uint64(&seq, &max_send_fragment) ||
193 !CBS_get_asn1(&seq, &read_seq, CBS_ASN1_OCTETSTRING) ||
194 CBS_len(&read_seq) != sizeof(s3->read_sequence) ||
195 !CBS_get_asn1(&seq, &write_seq, CBS_ASN1_OCTETSTRING) ||
196 CBS_len(&write_seq) != sizeof(s3->write_sequence) ||
197 !CBS_get_asn1(&seq, &server_rand, CBS_ASN1_OCTETSTRING) ||
198 CBS_len(&server_rand) != sizeof(s3->server_random) ||
199 !CBS_copy_bytes(&server_rand, s3->server_random,
200 sizeof(s3->server_random)) ||
201 !CBS_get_asn1(&seq, &client_rand, CBS_ASN1_OCTETSTRING) ||
202 CBS_len(&client_rand) != sizeof(s3->client_random) ||
203 !CBS_copy_bytes(&client_rand, s3->client_random,
204 sizeof(s3->client_random)) ||
205 !CBS_get_asn1(&seq, &read_iv, CBS_ASN1_OCTETSTRING) ||
206 !CBS_get_asn1(&seq, &write_iv, CBS_ASN1_OCTETSTRING) ||
207 !CBS_get_asn1_bool(&seq, &session_reused) ||
208 !CBS_get_asn1_bool(&seq, &send_connection_binding) ||
209 !CBS_get_asn1_bool(&seq, &channel_id_valid)) {
210 return false;
211 }
212
213 s3->established_session =
214 SSL_SESSION_parse(&seq, ssl->ctx->x509_method, ssl->ctx->pool);
215
216 if (!s3->established_session ||
217 !CBS_get_asn1(&seq, &next_proto, CBS_ASN1_OCTETSTRING) ||
218 !CBS_get_asn1(&seq, &alpn, CBS_ASN1_OCTETSTRING) ||
219 !CBS_get_asn1(&seq, &hostname, CBS_ASN1_OCTETSTRING) ||
220 !CBS_get_asn1(&seq, &channel_id, CBS_ASN1_OCTETSTRING) ||
221 CBS_len(&channel_id) != sizeof(s3->tlsext_channel_id) ||
222 !CBS_copy_bytes(&channel_id, s3->tlsext_channel_id,
223 sizeof(s3->tlsext_channel_id)) ||
224 !CBS_get_asn1_uint64(&seq, &options) ||
225 !CBS_get_asn1_uint64(&seq, &mode) ||
226 !CBS_get_asn1_uint64(&seq, &max_cert_list) ||
227 !CBS_get_asn1_bool(&seq, &quiet_shutdown) ||
228 !CBS_get_asn1_bool(&seq, &channel_id_enabled) ||
229 !CBS_get_asn1_bool(&seq, &retain_only_sha256)) {
230 return false;
231 }
232
233 ssl->version = version;
234 ssl->conf_max_version = conf_max_version;
235 ssl->conf_min_version = conf_min_version;
236 ssl->max_send_fragment = max_send_fragment;
237 ssl->do_handshake = ssl_server_handshake;
238 ssl->server = true;
239 ssl->options = options;
240 ssl->mode = mode;
241 ssl->max_cert_list = max_cert_list;
242
243 s3->hs.reset();
244 s3->have_version = true;
245 s3->initial_handshake_complete = true;
246 s3->session_reused = session_reused;
247 s3->send_connection_binding = send_connection_binding;
248 s3->tlsext_channel_id_valid = channel_id_valid;
249 s3->next_proto_negotiated.CopyFrom(next_proto);
250 s3->alpn_selected.CopyFrom(alpn);
251
252 const size_t hostname_len = CBS_len(&hostname);
253 if (hostname_len == 0) {
254 s3->hostname.reset();
255 } else {
256 char *hostname_str = nullptr;
257 if (!CBS_strdup(&hostname, &hostname_str)) {
258 return false;
259 }
260 s3->hostname.reset(hostname_str);
261 }
262
263 ssl->quiet_shutdown = quiet_shutdown;
264 ssl->tlsext_channel_id_enabled = channel_id_enabled;
265 ssl->retain_only_sha256_of_client_certs = retain_only_sha256;
266
267 Array<uint8_t> key_block;
268 if (!tls1_configure_aead(ssl, evp_aead_open, &key_block,
269 s3->established_session->cipher, read_iv) ||
270 !tls1_configure_aead(ssl, evp_aead_seal, &key_block,
271 s3->established_session->cipher, write_iv)) {
272 return false;
273 }
274
275 if (!CBS_copy_bytes(&read_seq, s3->read_sequence,
276 sizeof(s3->read_sequence)) ||
277 !CBS_copy_bytes(&write_seq, s3->write_sequence,
278 sizeof(s3->write_sequence))) {
279 return false;
280 }
281
282 return true;
283 }
284
285 } // namespace bssl
286