1 /* Copyright (C) 1995-1998 Eric Young (eay (at) cryptsoft.com) 2 * All rights reserved. 3 * 4 * This package is an SSL implementation written 5 * by Eric Young (eay (at) cryptsoft.com). 6 * The implementation was written so as to conform with Netscapes SSL. 7 * 8 * This library is free for commercial and non-commercial use as long as 9 * the following conditions are aheared to. The following conditions 10 * apply to all code found in this distribution, be it the RC4, RSA, 11 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 12 * included with this distribution is covered by the same copyright terms 13 * except that the holder is Tim Hudson (tjh (at) cryptsoft.com). 14 * 15 * Copyright remains Eric Young's, and as such any Copyright notices in 16 * the code are not to be removed. 17 * If this package is used in a product, Eric Young should be given attribution 18 * as the author of the parts of the library used. 19 * This can be in the form of a textual message at program startup or 20 * in documentation (online or textual) provided with the package. 21 * 22 * Redistribution and use in source and binary forms, with or without 23 * modification, are permitted provided that the following conditions 24 * are met: 25 * 1. Redistributions of source code must retain the copyright 26 * notice, this list of conditions and the following disclaimer. 27 * 2. Redistributions in binary form must reproduce the above copyright 28 * notice, this list of conditions and the following disclaimer in the 29 * documentation and/or other materials provided with the distribution. 30 * 3. All advertising materials mentioning features or use of this software 31 * must display the following acknowledgement: 32 * "This product includes cryptographic software written by 33 * Eric Young (eay (at) cryptsoft.com)" 34 * The word 'cryptographic' can be left out if the rouines from the library 35 * being used are not cryptographic related :-). 36 * 4. If you include any Windows specific code (or a derivative thereof) from 37 * the apps directory (application code) you must include an acknowledgement: 38 * "This product includes software written by Tim Hudson (tjh (at) cryptsoft.com)" 39 * 40 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 41 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 43 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 44 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 45 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 46 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 48 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 49 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 50 * SUCH DAMAGE. 51 * 52 * The licence and distribution terms for any publically available version or 53 * derivative of this code cannot be changed. i.e. this code cannot simply be 54 * copied and put under another distribution licence 55 * [including the GNU Public Licence.] 56 */ 57 /* ==================================================================== 58 * Copyright 2005 Nokia. All rights reserved. 59 * 60 * The portions of the attached software ("Contribution") is developed by 61 * Nokia Corporation and is licensed pursuant to the OpenSSL open source 62 * license. 63 * 64 * The Contribution, originally written by Mika Kousa and Pasi Eronen of 65 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites 66 * support (see RFC 4279) to OpenSSL. 67 * 68 * No patent licenses or other rights except those expressly stated in 69 * the OpenSSL open source license shall be deemed granted or received 70 * expressly, by implication, estoppel, or otherwise. 71 * 72 * No assurances are provided by Nokia that the Contribution does not 73 * infringe the patent or other intellectual property rights of any third 74 * party or that the license provides you with all the necessary rights 75 * to make use of the Contribution. 76 * 77 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN 78 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA 79 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY 80 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR 81 * OTHERWISE. */ 82 83 // Per C99, various stdint.h macros are unavailable in C++ unless some macros 84 // are defined. C++11 overruled this decision, but older Android NDKs still 85 // require it. 86 #if !defined(__STDC_LIMIT_MACROS) 87 #define __STDC_LIMIT_MACROS 88 #endif 89 90 #include <openssl/ssl.h> 91 92 #include <limits.h> 93 #include <string.h> 94 95 #include <utility> 96 97 #include <openssl/buf.h> 98 #include <openssl/bytestring.h> 99 #include <openssl/err.h> 100 #include <openssl/mem.h> 101 #include <openssl/x509.h> 102 103 #include "../crypto/internal.h" 104 #include "internal.h" 105 106 107 namespace bssl { 108 109 // An SSL_SESSION is serialized as the following ASN.1 structure: 110 // 111 // SSLSession ::= SEQUENCE { 112 // version INTEGER (1), -- session structure version 113 // sslVersion INTEGER, -- protocol version number 114 // cipher OCTET STRING, -- two bytes long 115 // sessionID OCTET STRING, 116 // masterKey OCTET STRING, 117 // time [1] INTEGER, -- seconds since UNIX epoch 118 // timeout [2] INTEGER, -- in seconds 119 // peer [3] Certificate OPTIONAL, 120 // sessionIDContext [4] OCTET STRING OPTIONAL, 121 // verifyResult [5] INTEGER OPTIONAL, -- one of X509_V_* codes 122 // pskIdentity [8] OCTET STRING OPTIONAL, 123 // ticketLifetimeHint [9] INTEGER OPTIONAL, -- client-only 124 // ticket [10] OCTET STRING OPTIONAL, -- client-only 125 // peerSHA256 [13] OCTET STRING OPTIONAL, 126 // originalHandshakeHash [14] OCTET STRING OPTIONAL, 127 // signedCertTimestampList [15] OCTET STRING OPTIONAL, 128 // -- contents of SCT extension 129 // ocspResponse [16] OCTET STRING OPTIONAL, 130 // -- stapled OCSP response from the server 131 // extendedMasterSecret [17] BOOLEAN OPTIONAL, 132 // groupID [18] INTEGER OPTIONAL, 133 // certChain [19] SEQUENCE OF Certificate OPTIONAL, 134 // ticketAgeAdd [21] OCTET STRING OPTIONAL, 135 // isServer [22] BOOLEAN DEFAULT TRUE, 136 // peerSignatureAlgorithm [23] INTEGER OPTIONAL, 137 // ticketMaxEarlyData [24] INTEGER OPTIONAL, 138 // authTimeout [25] INTEGER OPTIONAL, -- defaults to timeout 139 // earlyALPN [26] OCTET STRING OPTIONAL, 140 // } 141 // 142 // Note: historically this serialization has included other optional 143 // fields. Their presence is currently treated as a parse error, except for 144 // hostName, which is ignored. 145 // 146 // keyArg [0] IMPLICIT OCTET STRING OPTIONAL, 147 // hostName [6] OCTET STRING OPTIONAL, 148 // pskIdentityHint [7] OCTET STRING OPTIONAL, 149 // compressionMethod [11] OCTET STRING OPTIONAL, 150 // srpUsername [12] OCTET STRING OPTIONAL, 151 // ticketFlags [20] INTEGER OPTIONAL, 152 153 static const unsigned kVersion = 1; 154 155 static const unsigned kTimeTag = 156 CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 1; 157 static const unsigned kTimeoutTag = 158 CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 2; 159 static const unsigned kPeerTag = 160 CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 3; 161 static const unsigned kSessionIDContextTag = 162 CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 4; 163 static const unsigned kVerifyResultTag = 164 CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 5; 165 static const unsigned kHostNameTag = 166 CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 6; 167 static const unsigned kPSKIdentityTag = 168 CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 8; 169 static const unsigned kTicketLifetimeHintTag = 170 CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 9; 171 static const unsigned kTicketTag = 172 CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 10; 173 static const unsigned kPeerSHA256Tag = 174 CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 13; 175 static const unsigned kOriginalHandshakeHashTag = 176 CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 14; 177 static const unsigned kSignedCertTimestampListTag = 178 CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 15; 179 static const unsigned kOCSPResponseTag = 180 CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 16; 181 static const unsigned kExtendedMasterSecretTag = 182 CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 17; 183 static const unsigned kGroupIDTag = 184 CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 18; 185 static const unsigned kCertChainTag = 186 CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 19; 187 static const unsigned kTicketAgeAddTag = 188 CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 21; 189 static const unsigned kIsServerTag = 190 CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 22; 191 static const unsigned kPeerSignatureAlgorithmTag = 192 CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 23; 193 static const unsigned kTicketMaxEarlyDataTag = 194 CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 24; 195 static const unsigned kAuthTimeoutTag = 196 CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 25; 197 static const unsigned kEarlyALPNTag = 198 CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 26; 199 200 static int SSL_SESSION_to_bytes_full(const SSL_SESSION *in, CBB *cbb, 201 int for_ticket) { 202 if (in == NULL || in->cipher == NULL) { 203 return 0; 204 } 205 206 CBB session, child, child2; 207 if (!CBB_add_asn1(cbb, &session, CBS_ASN1_SEQUENCE) || 208 !CBB_add_asn1_uint64(&session, kVersion) || 209 !CBB_add_asn1_uint64(&session, in->ssl_version) || 210 !CBB_add_asn1(&session, &child, CBS_ASN1_OCTETSTRING) || 211 !CBB_add_u16(&child, (uint16_t)(in->cipher->id & 0xffff)) || 212 // The session ID is irrelevant for a session ticket. 213 !CBB_add_asn1_octet_string(&session, in->session_id, 214 for_ticket ? 0 : in->session_id_length) || 215 !CBB_add_asn1_octet_string(&session, in->master_key, 216 in->master_key_length) || 217 !CBB_add_asn1(&session, &child, kTimeTag) || 218 !CBB_add_asn1_uint64(&child, in->time) || 219 !CBB_add_asn1(&session, &child, kTimeoutTag) || 220 !CBB_add_asn1_uint64(&child, in->timeout)) { 221 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); 222 return 0; 223 } 224 225 // The peer certificate is only serialized if the SHA-256 isn't 226 // serialized instead. 227 if (sk_CRYPTO_BUFFER_num(in->certs) > 0 && !in->peer_sha256_valid) { 228 const CRYPTO_BUFFER *buffer = sk_CRYPTO_BUFFER_value(in->certs, 0); 229 if (!CBB_add_asn1(&session, &child, kPeerTag) || 230 !CBB_add_bytes(&child, CRYPTO_BUFFER_data(buffer), 231 CRYPTO_BUFFER_len(buffer))) { 232 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); 233 return 0; 234 } 235 } 236 237 // Although it is OPTIONAL and usually empty, OpenSSL has 238 // historically always encoded the sid_ctx. 239 if (!CBB_add_asn1(&session, &child, kSessionIDContextTag) || 240 !CBB_add_asn1_octet_string(&child, in->sid_ctx, in->sid_ctx_length)) { 241 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); 242 return 0; 243 } 244 245 if (in->verify_result != X509_V_OK) { 246 if (!CBB_add_asn1(&session, &child, kVerifyResultTag) || 247 !CBB_add_asn1_uint64(&child, in->verify_result)) { 248 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); 249 return 0; 250 } 251 } 252 253 if (in->psk_identity) { 254 if (!CBB_add_asn1(&session, &child, kPSKIdentityTag) || 255 !CBB_add_asn1_octet_string(&child, (const uint8_t *)in->psk_identity, 256 strlen(in->psk_identity))) { 257 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); 258 return 0; 259 } 260 } 261 262 if (in->tlsext_tick_lifetime_hint > 0) { 263 if (!CBB_add_asn1(&session, &child, kTicketLifetimeHintTag) || 264 !CBB_add_asn1_uint64(&child, in->tlsext_tick_lifetime_hint)) { 265 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); 266 return 0; 267 } 268 } 269 270 if (in->tlsext_tick && !for_ticket) { 271 if (!CBB_add_asn1(&session, &child, kTicketTag) || 272 !CBB_add_asn1_octet_string(&child, in->tlsext_tick, 273 in->tlsext_ticklen)) { 274 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); 275 return 0; 276 } 277 } 278 279 if (in->peer_sha256_valid) { 280 if (!CBB_add_asn1(&session, &child, kPeerSHA256Tag) || 281 !CBB_add_asn1_octet_string(&child, in->peer_sha256, 282 sizeof(in->peer_sha256))) { 283 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); 284 return 0; 285 } 286 } 287 288 if (in->original_handshake_hash_len > 0) { 289 if (!CBB_add_asn1(&session, &child, kOriginalHandshakeHashTag) || 290 !CBB_add_asn1_octet_string(&child, in->original_handshake_hash, 291 in->original_handshake_hash_len)) { 292 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); 293 return 0; 294 } 295 } 296 297 if (in->signed_cert_timestamp_list != nullptr) { 298 if (!CBB_add_asn1(&session, &child, kSignedCertTimestampListTag) || 299 !CBB_add_asn1_octet_string( 300 &child, CRYPTO_BUFFER_data(in->signed_cert_timestamp_list), 301 CRYPTO_BUFFER_len(in->signed_cert_timestamp_list))) { 302 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); 303 return 0; 304 } 305 } 306 307 if (in->ocsp_response != nullptr) { 308 if (!CBB_add_asn1(&session, &child, kOCSPResponseTag) || 309 !CBB_add_asn1_octet_string(&child, 310 CRYPTO_BUFFER_data(in->ocsp_response), 311 CRYPTO_BUFFER_len(in->ocsp_response))) { 312 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); 313 return 0; 314 } 315 } 316 317 if (in->extended_master_secret) { 318 if (!CBB_add_asn1(&session, &child, kExtendedMasterSecretTag) || 319 !CBB_add_asn1_bool(&child, true)) { 320 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); 321 return 0; 322 } 323 } 324 325 if (in->group_id > 0 && 326 (!CBB_add_asn1(&session, &child, kGroupIDTag) || 327 !CBB_add_asn1_uint64(&child, in->group_id))) { 328 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); 329 return 0; 330 } 331 332 // The certificate chain is only serialized if the leaf's SHA-256 isn't 333 // serialized instead. 334 if (in->certs != NULL && 335 !in->peer_sha256_valid && 336 sk_CRYPTO_BUFFER_num(in->certs) >= 2) { 337 if (!CBB_add_asn1(&session, &child, kCertChainTag)) { 338 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); 339 return 0; 340 } 341 for (size_t i = 1; i < sk_CRYPTO_BUFFER_num(in->certs); i++) { 342 const CRYPTO_BUFFER *buffer = sk_CRYPTO_BUFFER_value(in->certs, i); 343 if (!CBB_add_bytes(&child, CRYPTO_BUFFER_data(buffer), 344 CRYPTO_BUFFER_len(buffer))) { 345 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); 346 return 0; 347 } 348 } 349 } 350 351 if (in->ticket_age_add_valid) { 352 if (!CBB_add_asn1(&session, &child, kTicketAgeAddTag) || 353 !CBB_add_asn1(&child, &child2, CBS_ASN1_OCTETSTRING) || 354 !CBB_add_u32(&child2, in->ticket_age_add)) { 355 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); 356 return 0; 357 } 358 } 359 360 if (!in->is_server) { 361 if (!CBB_add_asn1(&session, &child, kIsServerTag) || 362 !CBB_add_asn1_bool(&child, false)) { 363 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); 364 return 0; 365 } 366 } 367 368 if (in->peer_signature_algorithm != 0 && 369 (!CBB_add_asn1(&session, &child, kPeerSignatureAlgorithmTag) || 370 !CBB_add_asn1_uint64(&child, in->peer_signature_algorithm))) { 371 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); 372 return 0; 373 } 374 375 if (in->ticket_max_early_data != 0 && 376 (!CBB_add_asn1(&session, &child, kTicketMaxEarlyDataTag) || 377 !CBB_add_asn1_uint64(&child, in->ticket_max_early_data))) { 378 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); 379 return 0; 380 } 381 382 if (in->timeout != in->auth_timeout && 383 (!CBB_add_asn1(&session, &child, kAuthTimeoutTag) || 384 !CBB_add_asn1_uint64(&child, in->auth_timeout))) { 385 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); 386 return 0; 387 } 388 389 if (in->early_alpn) { 390 if (!CBB_add_asn1(&session, &child, kEarlyALPNTag) || 391 !CBB_add_asn1_octet_string(&child, (const uint8_t *)in->early_alpn, 392 in->early_alpn_len)) { 393 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); 394 return 0; 395 } 396 } 397 398 return CBB_flush(cbb); 399 } 400 401 // SSL_SESSION_parse_string gets an optional ASN.1 OCTET STRING 402 // explicitly tagged with |tag| from |cbs| and saves it in |*out|. On 403 // entry, if |*out| is not NULL, it frees the existing contents. If 404 // the element was not found, it sets |*out| to NULL. It returns one 405 // on success, whether or not the element was found, and zero on 406 // decode error. 407 static int SSL_SESSION_parse_string(CBS *cbs, char **out, unsigned tag) { 408 CBS value; 409 int present; 410 if (!CBS_get_optional_asn1_octet_string(cbs, &value, &present, tag)) { 411 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION); 412 return 0; 413 } 414 if (present) { 415 if (CBS_contains_zero_byte(&value)) { 416 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION); 417 return 0; 418 } 419 if (!CBS_strdup(&value, out)) { 420 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); 421 return 0; 422 } 423 } else { 424 OPENSSL_free(*out); 425 *out = NULL; 426 } 427 return 1; 428 } 429 430 // SSL_SESSION_parse_string gets an optional ASN.1 OCTET STRING 431 // explicitly tagged with |tag| from |cbs| and stows it in |*out_ptr| 432 // and |*out_len|. If |*out_ptr| is not NULL, it frees the existing 433 // contents. On entry, if the element was not found, it sets 434 // |*out_ptr| to NULL. It returns one on success, whether or not the 435 // element was found, and zero on decode error. 436 static int SSL_SESSION_parse_octet_string(CBS *cbs, uint8_t **out_ptr, 437 size_t *out_len, unsigned tag) { 438 CBS value; 439 if (!CBS_get_optional_asn1_octet_string(cbs, &value, NULL, tag)) { 440 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION); 441 return 0; 442 } 443 if (!CBS_stow(&value, out_ptr, out_len)) { 444 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); 445 return 0; 446 } 447 return 1; 448 } 449 450 static int SSL_SESSION_parse_crypto_buffer(CBS *cbs, CRYPTO_BUFFER **out, 451 unsigned tag, 452 CRYPTO_BUFFER_POOL *pool) { 453 if (!CBS_peek_asn1_tag(cbs, tag)) { 454 return 1; 455 } 456 457 CBS child, value; 458 if (!CBS_get_asn1(cbs, &child, tag) || 459 !CBS_get_asn1(&child, &value, CBS_ASN1_OCTETSTRING) || 460 CBS_len(&child) != 0) { 461 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION); 462 return 0; 463 } 464 CRYPTO_BUFFER_free(*out); 465 *out = CRYPTO_BUFFER_new_from_CBS(&value, pool); 466 if (*out == nullptr) { 467 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); 468 return 0; 469 } 470 return 1; 471 } 472 473 // SSL_SESSION_parse_bounded_octet_string parses an optional ASN.1 OCTET STRING 474 // explicitly tagged with |tag| of size at most |max_out|. 475 static int SSL_SESSION_parse_bounded_octet_string( 476 CBS *cbs, uint8_t *out, uint8_t *out_len, uint8_t max_out, unsigned tag) { 477 CBS value; 478 if (!CBS_get_optional_asn1_octet_string(cbs, &value, NULL, tag) || 479 CBS_len(&value) > max_out) { 480 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION); 481 return 0; 482 } 483 OPENSSL_memcpy(out, CBS_data(&value), CBS_len(&value)); 484 *out_len = (uint8_t)CBS_len(&value); 485 return 1; 486 } 487 488 static int SSL_SESSION_parse_long(CBS *cbs, long *out, unsigned tag, 489 long default_value) { 490 uint64_t value; 491 if (!CBS_get_optional_asn1_uint64(cbs, &value, tag, 492 (uint64_t)default_value) || 493 value > LONG_MAX) { 494 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION); 495 return 0; 496 } 497 *out = (long)value; 498 return 1; 499 } 500 501 static int SSL_SESSION_parse_u32(CBS *cbs, uint32_t *out, unsigned tag, 502 uint32_t default_value) { 503 uint64_t value; 504 if (!CBS_get_optional_asn1_uint64(cbs, &value, tag, 505 (uint64_t)default_value) || 506 value > 0xffffffff) { 507 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION); 508 return 0; 509 } 510 *out = (uint32_t)value; 511 return 1; 512 } 513 514 static int SSL_SESSION_parse_u16(CBS *cbs, uint16_t *out, unsigned tag, 515 uint16_t default_value) { 516 uint64_t value; 517 if (!CBS_get_optional_asn1_uint64(cbs, &value, tag, 518 (uint64_t)default_value) || 519 value > 0xffff) { 520 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION); 521 return 0; 522 } 523 *out = (uint16_t)value; 524 return 1; 525 } 526 527 UniquePtr<SSL_SESSION> SSL_SESSION_parse(CBS *cbs, 528 const SSL_X509_METHOD *x509_method, 529 CRYPTO_BUFFER_POOL *pool) { 530 UniquePtr<SSL_SESSION> ret = ssl_session_new(x509_method); 531 if (!ret) { 532 return nullptr; 533 } 534 535 CBS session; 536 uint64_t version, ssl_version; 537 uint16_t unused; 538 if (!CBS_get_asn1(cbs, &session, CBS_ASN1_SEQUENCE) || 539 !CBS_get_asn1_uint64(&session, &version) || 540 version != kVersion || 541 !CBS_get_asn1_uint64(&session, &ssl_version) || 542 // Require sessions have versions valid in either TLS or DTLS. The session 543 // will not be used by the handshake if not applicable, but, for 544 // simplicity, never parse a session that does not pass 545 // |ssl_protocol_version_from_wire|. 546 ssl_version > UINT16_MAX || 547 !ssl_protocol_version_from_wire(&unused, ssl_version)) { 548 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION); 549 return nullptr; 550 } 551 ret->ssl_version = ssl_version; 552 553 CBS cipher; 554 uint16_t cipher_value; 555 if (!CBS_get_asn1(&session, &cipher, CBS_ASN1_OCTETSTRING) || 556 !CBS_get_u16(&cipher, &cipher_value) || 557 CBS_len(&cipher) != 0) { 558 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION); 559 return nullptr; 560 } 561 ret->cipher = SSL_get_cipher_by_value(cipher_value); 562 if (ret->cipher == NULL) { 563 OPENSSL_PUT_ERROR(SSL, SSL_R_UNSUPPORTED_CIPHER); 564 return nullptr; 565 } 566 567 CBS session_id, master_key; 568 if (!CBS_get_asn1(&session, &session_id, CBS_ASN1_OCTETSTRING) || 569 CBS_len(&session_id) > SSL3_MAX_SSL_SESSION_ID_LENGTH || 570 !CBS_get_asn1(&session, &master_key, CBS_ASN1_OCTETSTRING) || 571 CBS_len(&master_key) > SSL_MAX_MASTER_KEY_LENGTH) { 572 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION); 573 return nullptr; 574 } 575 OPENSSL_memcpy(ret->session_id, CBS_data(&session_id), CBS_len(&session_id)); 576 ret->session_id_length = CBS_len(&session_id); 577 OPENSSL_memcpy(ret->master_key, CBS_data(&master_key), CBS_len(&master_key)); 578 ret->master_key_length = CBS_len(&master_key); 579 580 CBS child; 581 uint64_t timeout; 582 if (!CBS_get_asn1(&session, &child, kTimeTag) || 583 !CBS_get_asn1_uint64(&child, &ret->time) || 584 !CBS_get_asn1(&session, &child, kTimeoutTag) || 585 !CBS_get_asn1_uint64(&child, &timeout) || 586 timeout > UINT32_MAX) { 587 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION); 588 return nullptr; 589 } 590 591 ret->timeout = (uint32_t)timeout; 592 593 CBS peer; 594 int has_peer; 595 if (!CBS_get_optional_asn1(&session, &peer, &has_peer, kPeerTag) || 596 (has_peer && CBS_len(&peer) == 0)) { 597 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION); 598 return nullptr; 599 } 600 // |peer| is processed with the certificate chain. 601 602 if (!SSL_SESSION_parse_bounded_octet_string( 603 &session, ret->sid_ctx, &ret->sid_ctx_length, sizeof(ret->sid_ctx), 604 kSessionIDContextTag) || 605 !SSL_SESSION_parse_long(&session, &ret->verify_result, kVerifyResultTag, 606 X509_V_OK)) { 607 return nullptr; 608 } 609 610 // Skip the historical hostName field. 611 CBS unused_hostname; 612 if (!CBS_get_optional_asn1(&session, &unused_hostname, nullptr, 613 kHostNameTag)) { 614 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION); 615 return nullptr; 616 } 617 618 if (!SSL_SESSION_parse_string(&session, &ret->psk_identity, 619 kPSKIdentityTag) || 620 !SSL_SESSION_parse_u32(&session, &ret->tlsext_tick_lifetime_hint, 621 kTicketLifetimeHintTag, 0) || 622 !SSL_SESSION_parse_octet_string(&session, &ret->tlsext_tick, 623 &ret->tlsext_ticklen, kTicketTag)) { 624 return nullptr; 625 } 626 627 if (CBS_peek_asn1_tag(&session, kPeerSHA256Tag)) { 628 CBS peer_sha256; 629 if (!CBS_get_asn1(&session, &child, kPeerSHA256Tag) || 630 !CBS_get_asn1(&child, &peer_sha256, CBS_ASN1_OCTETSTRING) || 631 CBS_len(&peer_sha256) != sizeof(ret->peer_sha256) || 632 CBS_len(&child) != 0) { 633 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION); 634 return nullptr; 635 } 636 OPENSSL_memcpy(ret->peer_sha256, CBS_data(&peer_sha256), 637 sizeof(ret->peer_sha256)); 638 ret->peer_sha256_valid = 1; 639 } else { 640 ret->peer_sha256_valid = 0; 641 } 642 643 if (!SSL_SESSION_parse_bounded_octet_string( 644 &session, ret->original_handshake_hash, 645 &ret->original_handshake_hash_len, 646 sizeof(ret->original_handshake_hash), kOriginalHandshakeHashTag) || 647 !SSL_SESSION_parse_crypto_buffer(&session, 648 &ret->signed_cert_timestamp_list, 649 kSignedCertTimestampListTag, pool) || 650 !SSL_SESSION_parse_crypto_buffer(&session, &ret->ocsp_response, 651 kOCSPResponseTag, pool)) { 652 return nullptr; 653 } 654 655 int extended_master_secret; 656 if (!CBS_get_optional_asn1_bool(&session, &extended_master_secret, 657 kExtendedMasterSecretTag, 658 0 /* default to false */)) { 659 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION); 660 return nullptr; 661 } 662 ret->extended_master_secret = !!extended_master_secret; 663 664 if (!SSL_SESSION_parse_u16(&session, &ret->group_id, kGroupIDTag, 0)) { 665 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION); 666 return nullptr; 667 } 668 669 CBS cert_chain; 670 CBS_init(&cert_chain, NULL, 0); 671 int has_cert_chain; 672 if (!CBS_get_optional_asn1(&session, &cert_chain, &has_cert_chain, 673 kCertChainTag) || 674 (has_cert_chain && CBS_len(&cert_chain) == 0)) { 675 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION); 676 return nullptr; 677 } 678 if (has_cert_chain && !has_peer) { 679 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION); 680 return nullptr; 681 } 682 if (has_peer || has_cert_chain) { 683 ret->certs = sk_CRYPTO_BUFFER_new_null(); 684 if (ret->certs == NULL) { 685 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); 686 return nullptr; 687 } 688 689 if (has_peer) { 690 UniquePtr<CRYPTO_BUFFER> buffer(CRYPTO_BUFFER_new_from_CBS(&peer, pool)); 691 if (!buffer || 692 !PushToStack(ret->certs, std::move(buffer))) { 693 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); 694 return nullptr; 695 } 696 } 697 698 while (CBS_len(&cert_chain) > 0) { 699 CBS cert; 700 if (!CBS_get_any_asn1_element(&cert_chain, &cert, NULL, NULL) || 701 CBS_len(&cert) == 0) { 702 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION); 703 return nullptr; 704 } 705 706 CRYPTO_BUFFER *buffer = CRYPTO_BUFFER_new_from_CBS(&cert, pool); 707 if (buffer == NULL || 708 !sk_CRYPTO_BUFFER_push(ret->certs, buffer)) { 709 CRYPTO_BUFFER_free(buffer); 710 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); 711 return nullptr; 712 } 713 } 714 } 715 716 if (!x509_method->session_cache_objects(ret.get())) { 717 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION); 718 return nullptr; 719 } 720 721 CBS age_add; 722 int age_add_present; 723 if (!CBS_get_optional_asn1_octet_string(&session, &age_add, &age_add_present, 724 kTicketAgeAddTag) || 725 (age_add_present && 726 !CBS_get_u32(&age_add, &ret->ticket_age_add)) || 727 CBS_len(&age_add) != 0) { 728 return nullptr; 729 } 730 ret->ticket_age_add_valid = age_add_present; 731 732 int is_server; 733 if (!CBS_get_optional_asn1_bool(&session, &is_server, kIsServerTag, 734 1 /* default to true */)) { 735 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION); 736 return nullptr; 737 } 738 /* TODO: in time we can include |is_server| for servers too, then we can 739 enforce that client and server sessions are never mixed up. */ 740 741 ret->is_server = is_server; 742 743 if (!SSL_SESSION_parse_u16(&session, &ret->peer_signature_algorithm, 744 kPeerSignatureAlgorithmTag, 0) || 745 !SSL_SESSION_parse_u32(&session, &ret->ticket_max_early_data, 746 kTicketMaxEarlyDataTag, 0) || 747 !SSL_SESSION_parse_u32(&session, &ret->auth_timeout, kAuthTimeoutTag, 748 ret->timeout) || 749 !SSL_SESSION_parse_octet_string(&session, &ret->early_alpn, 750 &ret->early_alpn_len, kEarlyALPNTag) || 751 CBS_len(&session) != 0) { 752 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION); 753 return nullptr; 754 } 755 756 return ret; 757 } 758 759 int ssl_session_serialize(const SSL_SESSION *in, CBB *cbb) { 760 return SSL_SESSION_to_bytes_full(in, cbb, 0); 761 } 762 763 } // namespace bssl 764 765 using namespace bssl; 766 767 int SSL_SESSION_to_bytes(const SSL_SESSION *in, uint8_t **out_data, 768 size_t *out_len) { 769 if (in->not_resumable) { 770 // If the caller has an unresumable session, e.g. if |SSL_get_session| were 771 // called on a TLS 1.3 or False Started connection, serialize with a 772 // placeholder value so it is not accidentally deserialized into a resumable 773 // one. 774 static const char kNotResumableSession[] = "NOT RESUMABLE"; 775 776 *out_len = strlen(kNotResumableSession); 777 *out_data = (uint8_t *)BUF_memdup(kNotResumableSession, *out_len); 778 if (*out_data == NULL) { 779 return 0; 780 } 781 782 return 1; 783 } 784 785 ScopedCBB cbb; 786 if (!CBB_init(cbb.get(), 256) || 787 !SSL_SESSION_to_bytes_full(in, cbb.get(), 0) || 788 !CBB_finish(cbb.get(), out_data, out_len)) { 789 return 0; 790 } 791 792 return 1; 793 } 794 795 int SSL_SESSION_to_bytes_for_ticket(const SSL_SESSION *in, uint8_t **out_data, 796 size_t *out_len) { 797 ScopedCBB cbb; 798 if (!CBB_init(cbb.get(), 256) || 799 !SSL_SESSION_to_bytes_full(in, cbb.get(), 1) || 800 !CBB_finish(cbb.get(), out_data, out_len)) { 801 return 0; 802 } 803 804 return 1; 805 } 806 807 int i2d_SSL_SESSION(SSL_SESSION *in, uint8_t **pp) { 808 uint8_t *out; 809 size_t len; 810 811 if (!SSL_SESSION_to_bytes(in, &out, &len)) { 812 return -1; 813 } 814 815 if (len > INT_MAX) { 816 OPENSSL_free(out); 817 OPENSSL_PUT_ERROR(SSL, ERR_R_OVERFLOW); 818 return -1; 819 } 820 821 if (pp) { 822 OPENSSL_memcpy(*pp, out, len); 823 *pp += len; 824 } 825 OPENSSL_free(out); 826 827 return len; 828 } 829 830 SSL_SESSION *SSL_SESSION_from_bytes(const uint8_t *in, size_t in_len, 831 const SSL_CTX *ctx) { 832 CBS cbs; 833 CBS_init(&cbs, in, in_len); 834 UniquePtr<SSL_SESSION> ret = 835 SSL_SESSION_parse(&cbs, ctx->x509_method, ctx->pool); 836 if (!ret) { 837 return NULL; 838 } 839 if (CBS_len(&cbs) != 0) { 840 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION); 841 return NULL; 842 } 843 return ret.release(); 844 } 845
