1 /* Copyright (c) 2018, Google Inc. 2 * 3 * Permission to use, copy, modify, and/or distribute this software for any 4 * purpose with or without fee is hereby granted, provided that the above 5 * copyright notice and this permission notice appear in all copies. 6 * 7 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 8 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 9 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY 10 * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 11 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION 12 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN 13 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ 14 15 #include <openssl/ssl.h> 16 17 #include <openssl/bytestring.h> 18 19 #include "internal.h" 20 21 22 namespace bssl { 23 24 constexpr int kHandoffVersion = 0; 25 constexpr int kHandbackVersion = 0; 26 27 bool SSL_serialize_handoff(const SSL *ssl, CBB *out) { 28 const SSL3_STATE *const s3 = ssl->s3; 29 if (!ssl->server || 30 s3->hs == nullptr || 31 s3->rwstate != SSL_HANDOFF) { 32 return false; 33 } 34 35 CBB seq; 36 Span<const uint8_t> transcript = s3->hs->transcript.buffer(); 37 if (!CBB_add_asn1(out, &seq, CBS_ASN1_SEQUENCE) || 38 !CBB_add_asn1_uint64(&seq, kHandoffVersion) || 39 !CBB_add_asn1_octet_string(&seq, transcript.data(), transcript.size()) || 40 !CBB_add_asn1_octet_string(&seq, 41 reinterpret_cast<uint8_t *>(s3->hs_buf->data), 42 s3->hs_buf->length) || 43 !CBB_flush(out)) { 44 return false; 45 } 46 47 return true; 48 } 49 50 bool SSL_decline_handoff(SSL *ssl) { 51 const SSL3_STATE *const s3 = ssl->s3; 52 if (!ssl->server || 53 s3->hs == nullptr || 54 s3->rwstate != SSL_HANDOFF) { 55 return false; 56 } 57 58 ssl->handoff = false; 59 return true; 60 } 61 62 bool SSL_apply_handoff(SSL *ssl, Span<const uint8_t> handoff) { 63 if (ssl->method->is_dtls) { 64 return false; 65 } 66 67 CBS seq, handoff_cbs(handoff); 68 uint64_t handoff_version; 69 if (!CBS_get_asn1(&handoff_cbs, &seq, CBS_ASN1_SEQUENCE) || 70 !CBS_get_asn1_uint64(&seq, &handoff_version) || 71 handoff_version != kHandoffVersion) { 72 return false; 73 } 74 75 CBS transcript, hs_buf; 76 if (!CBS_get_asn1(&seq, &transcript, CBS_ASN1_OCTETSTRING) || 77 !CBS_get_asn1(&seq, &hs_buf, CBS_ASN1_OCTETSTRING)) { 78 return false; 79 } 80 81 SSL_set_accept_state(ssl); 82 83 SSL3_STATE *const s3 = ssl->s3; 84 s3->v2_hello_done = true; 85 s3->has_message = true; 86 87 s3->hs_buf.reset(BUF_MEM_new()); 88 if (!s3->hs_buf || 89 !BUF_MEM_append(s3->hs_buf.get(), CBS_data(&hs_buf), CBS_len(&hs_buf))) { 90 return false; 91 } 92 93 if (CBS_len(&transcript) != 0) { 94 s3->hs->transcript.Update(transcript); 95 s3->is_v2_hello = true; 96 ssl_do_msg_callback(ssl, 0 /* read */, 0 /* V2ClientHello */, transcript); 97 } 98 99 return true; 100 } 101 102 bool SSL_serialize_handback(const SSL *ssl, CBB *out) { 103 if (!ssl->server || 104 !ssl->s3->initial_handshake_complete || 105 ssl->method->is_dtls || 106 ssl->version < TLS1_VERSION) { 107 return false; 108 } 109 110 const SSL3_STATE *const s3 = ssl->s3; 111 size_t hostname_len = 0; 112 if (s3->hostname) { 113 hostname_len = strlen(s3->hostname.get()); 114 } 115 116 size_t iv_len = 0; 117 const uint8_t *read_iv = nullptr, *write_iv = nullptr; 118 if (ssl->version == TLS1_VERSION && 119 SSL_CIPHER_is_block_cipher(s3->aead_read_ctx->cipher()) && 120 (!s3->aead_read_ctx->GetIV(&read_iv, &iv_len) || 121 !s3->aead_write_ctx->GetIV(&write_iv, &iv_len))) { 122 return false; 123 } 124 125 CBB seq; 126 if (!CBB_add_asn1(out, &seq, CBS_ASN1_SEQUENCE) || 127 !CBB_add_asn1_uint64(&seq, kHandbackVersion) || 128 !CBB_add_asn1_uint64(&seq, ssl->version) || 129 !CBB_add_asn1_uint64(&seq, ssl->conf_max_version) || 130 !CBB_add_asn1_uint64(&seq, ssl->conf_min_version) || 131 !CBB_add_asn1_uint64(&seq, ssl->max_send_fragment) || 132 !CBB_add_asn1_octet_string(&seq, s3->read_sequence, 133 sizeof(s3->read_sequence)) || 134 !CBB_add_asn1_octet_string(&seq, s3->write_sequence, 135 sizeof(s3->write_sequence)) || 136 !CBB_add_asn1_octet_string(&seq, s3->server_random, 137 sizeof(s3->server_random)) || 138 !CBB_add_asn1_octet_string(&seq, s3->client_random, 139 sizeof(s3->client_random)) || 140 !CBB_add_asn1_octet_string(&seq, read_iv, iv_len) || 141 !CBB_add_asn1_octet_string(&seq, write_iv, iv_len) || 142 !CBB_add_asn1_bool(&seq, s3->session_reused) || 143 !CBB_add_asn1_bool(&seq, s3->send_connection_binding) || 144 !CBB_add_asn1_bool(&seq, s3->tlsext_channel_id_valid) || 145 !ssl_session_serialize(s3->established_session.get(), &seq) || 146 !CBB_add_asn1_octet_string(&seq, s3->next_proto_negotiated.data(), 147 s3->next_proto_negotiated.size()) || 148 !CBB_add_asn1_octet_string(&seq, s3->alpn_selected.data(), 149 s3->alpn_selected.size()) || 150 !CBB_add_asn1_octet_string( 151 &seq, reinterpret_cast<uint8_t *>(s3->hostname.get()), 152 hostname_len) || 153 !CBB_add_asn1_octet_string(&seq, s3->tlsext_channel_id, 154 sizeof(s3->tlsext_channel_id)) || 155 !CBB_add_asn1_uint64(&seq, ssl->options) || 156 !CBB_add_asn1_uint64(&seq, ssl->mode) || 157 !CBB_add_asn1_uint64(&seq, ssl->max_cert_list) || 158 !CBB_add_asn1_bool(&seq, ssl->quiet_shutdown) || 159 !CBB_add_asn1_bool(&seq, ssl->tlsext_channel_id_enabled) || 160 !CBB_add_asn1_bool(&seq, ssl->retain_only_sha256_of_client_certs) || 161 !CBB_flush(out)) { 162 return false; 163 } 164 165 return true; 166 } 167 168 bool SSL_apply_handback(SSL *ssl, Span<const uint8_t> handback) { 169 if (ssl->do_handshake != nullptr || 170 ssl->method->is_dtls) { 171 return false; 172 } 173 174 SSL3_STATE *const s3 = ssl->s3; 175 uint64_t handback_version, version, conf_max_version, conf_min_version, 176 max_send_fragment, options, mode, max_cert_list; 177 CBS seq, read_seq, write_seq, server_rand, client_rand, read_iv, write_iv, 178 next_proto, alpn, hostname, channel_id; 179 int session_reused, send_connection_binding, channel_id_valid, 180 quiet_shutdown, channel_id_enabled, retain_only_sha256; 181 182 CBS handback_cbs(handback); 183 if (!CBS_get_asn1(&handback_cbs, &seq, CBS_ASN1_SEQUENCE) || 184 !CBS_get_asn1_uint64(&seq, &handback_version) || 185 handback_version != kHandbackVersion) { 186 return false; 187 } 188 189 if (!CBS_get_asn1_uint64(&seq, &version) || 190 !CBS_get_asn1_uint64(&seq, &conf_max_version) || 191 !CBS_get_asn1_uint64(&seq, &conf_min_version) || 192 !CBS_get_asn1_uint64(&seq, &max_send_fragment) || 193 !CBS_get_asn1(&seq, &read_seq, CBS_ASN1_OCTETSTRING) || 194 CBS_len(&read_seq) != sizeof(s3->read_sequence) || 195 !CBS_get_asn1(&seq, &write_seq, CBS_ASN1_OCTETSTRING) || 196 CBS_len(&write_seq) != sizeof(s3->write_sequence) || 197 !CBS_get_asn1(&seq, &server_rand, CBS_ASN1_OCTETSTRING) || 198 CBS_len(&server_rand) != sizeof(s3->server_random) || 199 !CBS_copy_bytes(&server_rand, s3->server_random, 200 sizeof(s3->server_random)) || 201 !CBS_get_asn1(&seq, &client_rand, CBS_ASN1_OCTETSTRING) || 202 CBS_len(&client_rand) != sizeof(s3->client_random) || 203 !CBS_copy_bytes(&client_rand, s3->client_random, 204 sizeof(s3->client_random)) || 205 !CBS_get_asn1(&seq, &read_iv, CBS_ASN1_OCTETSTRING) || 206 !CBS_get_asn1(&seq, &write_iv, CBS_ASN1_OCTETSTRING) || 207 !CBS_get_asn1_bool(&seq, &session_reused) || 208 !CBS_get_asn1_bool(&seq, &send_connection_binding) || 209 !CBS_get_asn1_bool(&seq, &channel_id_valid)) { 210 return false; 211 } 212 213 s3->established_session = 214 SSL_SESSION_parse(&seq, ssl->ctx->x509_method, ssl->ctx->pool); 215 216 if (!s3->established_session || 217 !CBS_get_asn1(&seq, &next_proto, CBS_ASN1_OCTETSTRING) || 218 !CBS_get_asn1(&seq, &alpn, CBS_ASN1_OCTETSTRING) || 219 !CBS_get_asn1(&seq, &hostname, CBS_ASN1_OCTETSTRING) || 220 !CBS_get_asn1(&seq, &channel_id, CBS_ASN1_OCTETSTRING) || 221 CBS_len(&channel_id) != sizeof(s3->tlsext_channel_id) || 222 !CBS_copy_bytes(&channel_id, s3->tlsext_channel_id, 223 sizeof(s3->tlsext_channel_id)) || 224 !CBS_get_asn1_uint64(&seq, &options) || 225 !CBS_get_asn1_uint64(&seq, &mode) || 226 !CBS_get_asn1_uint64(&seq, &max_cert_list) || 227 !CBS_get_asn1_bool(&seq, &quiet_shutdown) || 228 !CBS_get_asn1_bool(&seq, &channel_id_enabled) || 229 !CBS_get_asn1_bool(&seq, &retain_only_sha256)) { 230 return false; 231 } 232 233 ssl->version = version; 234 ssl->conf_max_version = conf_max_version; 235 ssl->conf_min_version = conf_min_version; 236 ssl->max_send_fragment = max_send_fragment; 237 ssl->do_handshake = ssl_server_handshake; 238 ssl->server = true; 239 ssl->options = options; 240 ssl->mode = mode; 241 ssl->max_cert_list = max_cert_list; 242 243 s3->hs.reset(); 244 s3->have_version = true; 245 s3->initial_handshake_complete = true; 246 s3->session_reused = session_reused; 247 s3->send_connection_binding = send_connection_binding; 248 s3->tlsext_channel_id_valid = channel_id_valid; 249 s3->next_proto_negotiated.CopyFrom(next_proto); 250 s3->alpn_selected.CopyFrom(alpn); 251 252 const size_t hostname_len = CBS_len(&hostname); 253 if (hostname_len == 0) { 254 s3->hostname.reset(); 255 } else { 256 char *hostname_str = nullptr; 257 if (!CBS_strdup(&hostname, &hostname_str)) { 258 return false; 259 } 260 s3->hostname.reset(hostname_str); 261 } 262 263 ssl->quiet_shutdown = quiet_shutdown; 264 ssl->tlsext_channel_id_enabled = channel_id_enabled; 265 ssl->retain_only_sha256_of_client_certs = retain_only_sha256; 266 267 Array<uint8_t> key_block; 268 if (!tls1_configure_aead(ssl, evp_aead_open, &key_block, 269 s3->established_session->cipher, read_iv) || 270 !tls1_configure_aead(ssl, evp_aead_seal, &key_block, 271 s3->established_session->cipher, write_iv)) { 272 return false; 273 } 274 275 if (!CBS_copy_bytes(&read_seq, s3->read_sequence, 276 sizeof(s3->read_sequence)) || 277 !CBS_copy_bytes(&write_seq, s3->write_sequence, 278 sizeof(s3->write_sequence))) { 279 return false; 280 } 281 282 return true; 283 } 284 285 } // namespace bssl 286
