1 /* Copyright (c) 2018, Google Inc.
2 *
3 * Permission to use, copy, modify, and/or distribute this software for any
4 * purpose with or without fee is hereby granted, provided that the above
5 * copyright notice and this permission notice appear in all copies.
6 *
7 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
8 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
10 * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
12 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
13 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
14
15 #include <openssl/ssl.h>
16
17 #include <openssl/bytestring.h>
18 #include <openssl/err.h>
19
20 #include "../crypto/internal.h"
21 #include "internal.h"
22
23
24 BSSL_NAMESPACE_BEGIN
25
26 constexpr int kHandoffVersion = 0;
27 constexpr int kHandbackVersion = 0;
28
29 static const CBS_ASN1_TAG kHandoffTagALPS = CBS_ASN1_CONTEXT_SPECIFIC | 0;
30
31 // early_data_t represents the state of early data in a more compact way than
32 // the 3 bits used by the implementation.
33 enum early_data_t {
34 early_data_not_offered = 0,
35 early_data_accepted = 1,
36 early_data_rejected_hrr = 2,
37 early_data_skipped = 3,
38
39 early_data_max_value = early_data_skipped,
40 };
41
42 // serialize_features adds a description of features supported by this binary to
43 // |out|. Returns true on success and false on error.
serialize_features(CBB * out)44 static bool serialize_features(CBB *out) {
45 CBB ciphers;
46 if (!CBB_add_asn1(out, &ciphers, CBS_ASN1_OCTETSTRING)) {
47 return false;
48 }
49 Span<const SSL_CIPHER> all_ciphers = AllCiphers();
50 for (const SSL_CIPHER& cipher : all_ciphers) {
51 if (!CBB_add_u16(&ciphers, static_cast<uint16_t>(cipher.id))) {
52 return false;
53 }
54 }
55 CBB groups;
56 if (!CBB_add_asn1(out, &groups, CBS_ASN1_OCTETSTRING)) {
57 return false;
58 }
59 for (const NamedGroup& g : NamedGroups()) {
60 if (!CBB_add_u16(&groups, g.group_id)) {
61 return false;
62 }
63 }
64 // ALPS is a draft protocol and may change over time. The handoff structure
65 // contains a [0] IMPLICIT OCTET STRING OPTIONAL, containing a list of u16
66 // ALPS versions that the binary supports. For now we name them by codepoint.
67 // Once ALPS is finalized and past the support horizon, this field can be
68 // removed.
69 CBB alps;
70 if (!CBB_add_asn1(out, &alps, kHandoffTagALPS) ||
71 !CBB_add_u16(&alps, TLSEXT_TYPE_application_settings_old) ||
72 !CBB_add_u16(&alps, TLSEXT_TYPE_application_settings)) {
73 return false;
74 }
75 return CBB_flush(out);
76 }
77
SSL_serialize_handoff(const SSL * ssl,CBB * out,SSL_CLIENT_HELLO * out_hello)78 bool SSL_serialize_handoff(const SSL *ssl, CBB *out,
79 SSL_CLIENT_HELLO *out_hello) {
80 const SSL3_STATE *const s3 = ssl->s3;
81 if (!ssl->server ||
82 s3->hs == nullptr ||
83 s3->rwstate != SSL_ERROR_HANDOFF) {
84 return false;
85 }
86
87 CBB seq;
88 SSLMessage msg;
89 Span<const uint8_t> transcript = s3->hs->transcript.buffer();
90
91 if (!CBB_add_asn1(out, &seq, CBS_ASN1_SEQUENCE) ||
92 !CBB_add_asn1_uint64(&seq, kHandoffVersion) ||
93 !CBB_add_asn1_octet_string(&seq, transcript.data(), transcript.size()) ||
94 !CBB_add_asn1_octet_string(&seq,
95 reinterpret_cast<uint8_t *>(s3->hs_buf->data),
96 s3->hs_buf->length) ||
97 !serialize_features(&seq) ||
98 !CBB_flush(out) ||
99 !ssl->method->get_message(ssl, &msg) ||
100 !ssl_client_hello_init(ssl, out_hello, msg.body)) {
101 return false;
102 }
103
104 return true;
105 }
106
SSL_decline_handoff(SSL * ssl)107 bool SSL_decline_handoff(SSL *ssl) {
108 const SSL3_STATE *const s3 = ssl->s3;
109 if (!ssl->server ||
110 s3->hs == nullptr ||
111 s3->rwstate != SSL_ERROR_HANDOFF) {
112 return false;
113 }
114
115 s3->hs->config->handoff = false;
116 return true;
117 }
118
119 // apply_remote_features reads a list of supported features from |in| and
120 // (possibly) reconfigures |ssl| to disallow the negotation of features whose
121 // support has not been indicated. (This prevents the the handshake from
122 // committing to features that are not supported on the handoff/handback side.)
apply_remote_features(SSL * ssl,CBS * in)123 static bool apply_remote_features(SSL *ssl, CBS *in) {
124 CBS ciphers;
125 if (!CBS_get_asn1(in, &ciphers, CBS_ASN1_OCTETSTRING)) {
126 return false;
127 }
128 bssl::UniquePtr<STACK_OF(SSL_CIPHER)> supported(sk_SSL_CIPHER_new_null());
129 if (!supported) {
130 return false;
131 }
132 while (CBS_len(&ciphers)) {
133 uint16_t id;
134 if (!CBS_get_u16(&ciphers, &id)) {
135 return false;
136 }
137 const SSL_CIPHER *cipher = SSL_get_cipher_by_value(id);
138 if (!cipher) {
139 continue;
140 }
141 if (!sk_SSL_CIPHER_push(supported.get(), cipher)) {
142 return false;
143 }
144 }
145 STACK_OF(SSL_CIPHER) *configured =
146 ssl->config->cipher_list ? ssl->config->cipher_list->ciphers.get()
147 : ssl->ctx->cipher_list->ciphers.get();
148 bssl::UniquePtr<STACK_OF(SSL_CIPHER)> unsupported(sk_SSL_CIPHER_new_null());
149 if (!unsupported) {
150 return false;
151 }
152 for (const SSL_CIPHER *configured_cipher : configured) {
153 if (sk_SSL_CIPHER_find(supported.get(), nullptr, configured_cipher)) {
154 continue;
155 }
156 if (!sk_SSL_CIPHER_push(unsupported.get(), configured_cipher)) {
157 return false;
158 }
159 }
160 if (sk_SSL_CIPHER_num(unsupported.get()) && !ssl->config->cipher_list) {
161 ssl->config->cipher_list = bssl::MakeUnique<SSLCipherPreferenceList>();
162 if (!ssl->config->cipher_list ||
163 !ssl->config->cipher_list->Init(*ssl->ctx->cipher_list)) {
164 return false;
165 }
166 }
167 for (const SSL_CIPHER *unsupported_cipher : unsupported.get()) {
168 ssl->config->cipher_list->Remove(unsupported_cipher);
169 }
170 if (sk_SSL_CIPHER_num(SSL_get_ciphers(ssl)) == 0) {
171 return false;
172 }
173
174 CBS groups;
175 if (!CBS_get_asn1(in, &groups, CBS_ASN1_OCTETSTRING)) {
176 return false;
177 }
178 Array<uint16_t> supported_groups;
179 if (!supported_groups.Init(CBS_len(&groups) / 2)) {
180 return false;
181 }
182 size_t idx = 0;
183 while (CBS_len(&groups)) {
184 uint16_t group;
185 if (!CBS_get_u16(&groups, &group)) {
186 return false;
187 }
188 supported_groups[idx++] = group;
189 }
190 Span<const uint16_t> configured_groups =
191 tls1_get_grouplist(ssl->s3->hs.get());
192 Array<uint16_t> new_configured_groups;
193 if (!new_configured_groups.Init(configured_groups.size())) {
194 return false;
195 }
196 idx = 0;
197 for (uint16_t configured_group : configured_groups) {
198 bool ok = false;
199 for (uint16_t supported_group : supported_groups) {
200 if (supported_group == configured_group) {
201 ok = true;
202 break;
203 }
204 }
205 if (ok) {
206 new_configured_groups[idx++] = configured_group;
207 }
208 }
209 if (idx == 0) {
210 return false;
211 }
212 new_configured_groups.Shrink(idx);
213 ssl->config->supported_group_list = std::move(new_configured_groups);
214
215 CBS alps;
216 CBS_init(&alps, nullptr, 0);
217 if (!CBS_get_optional_asn1(in, &alps, /*out_present=*/nullptr,
218 kHandoffTagALPS)) {
219 return false;
220 }
221 bool supports_alps = false;
222 while (CBS_len(&alps) != 0) {
223 uint16_t id;
224 if (!CBS_get_u16(&alps, &id)) {
225 return false;
226 }
227 // For now, we support two ALPS codepoints, so we need to extract both
228 // codepoints, and then filter what the handshaker might try to send.
229 if ((id == TLSEXT_TYPE_application_settings &&
230 ssl->config->alps_use_new_codepoint) ||
231 (id == TLSEXT_TYPE_application_settings_old &&
232 !ssl->config->alps_use_new_codepoint)) {
233 supports_alps = true;
234 break;
235 }
236 }
237 if (!supports_alps) {
238 ssl->config->alps_configs.clear();
239 }
240
241 return true;
242 }
243
244 // uses_disallowed_feature returns true iff |ssl| enables a feature that
245 // disqualifies it for split handshakes.
uses_disallowed_feature(const SSL * ssl)246 static bool uses_disallowed_feature(const SSL *ssl) {
247 return ssl->method->is_dtls || !ssl->config->cert->credentials.empty() ||
248 ssl->config->quic_transport_params.size() > 0 || ssl->ctx->ech_keys;
249 }
250
SSL_apply_handoff(SSL * ssl,Span<const uint8_t> handoff)251 bool SSL_apply_handoff(SSL *ssl, Span<const uint8_t> handoff) {
252 if (uses_disallowed_feature(ssl)) {
253 return false;
254 }
255
256 CBS seq, handoff_cbs(handoff);
257 uint64_t handoff_version;
258 if (!CBS_get_asn1(&handoff_cbs, &seq, CBS_ASN1_SEQUENCE) ||
259 !CBS_get_asn1_uint64(&seq, &handoff_version) ||
260 handoff_version != kHandoffVersion) {
261 return false;
262 }
263
264 CBS transcript, hs_buf;
265 if (!CBS_get_asn1(&seq, &transcript, CBS_ASN1_OCTETSTRING) ||
266 !CBS_get_asn1(&seq, &hs_buf, CBS_ASN1_OCTETSTRING) ||
267 !apply_remote_features(ssl, &seq)) {
268 return false;
269 }
270
271 SSL_set_accept_state(ssl);
272
273 SSL3_STATE *const s3 = ssl->s3;
274 s3->v2_hello_done = true;
275 s3->has_message = true;
276
277 s3->hs_buf.reset(BUF_MEM_new());
278 if (!s3->hs_buf ||
279 !BUF_MEM_append(s3->hs_buf.get(), CBS_data(&hs_buf), CBS_len(&hs_buf))) {
280 return false;
281 }
282
283 if (CBS_len(&transcript) != 0) {
284 s3->hs->transcript.Update(transcript);
285 s3->is_v2_hello = true;
286 }
287 s3->hs->handback = true;
288
289 return true;
290 }
291
SSL_serialize_handback(const SSL * ssl,CBB * out)292 bool SSL_serialize_handback(const SSL *ssl, CBB *out) {
293 if (!ssl->server || uses_disallowed_feature(ssl)) {
294 return false;
295 }
296 const SSL3_STATE *const s3 = ssl->s3;
297 SSL_HANDSHAKE *const hs = s3->hs.get();
298 handback_t type;
299 switch (hs->state) {
300 case state12_read_change_cipher_spec:
301 type = handback_after_session_resumption;
302 break;
303 case state12_read_client_certificate:
304 type = handback_after_ecdhe;
305 break;
306 case state12_finish_server_handshake:
307 type = handback_after_handshake;
308 break;
309 case state12_tls13:
310 if (hs->tls13_state != state13_send_half_rtt_ticket) {
311 return false;
312 }
313 type = handback_tls13;
314 break;
315 default:
316 return false;
317 }
318
319 size_t hostname_len = 0;
320 if (s3->hostname) {
321 hostname_len = strlen(s3->hostname.get());
322 }
323
324 Span<const uint8_t> transcript;
325 if (type != handback_after_handshake) {
326 transcript = s3->hs->transcript.buffer();
327 }
328 size_t write_iv_len = 0;
329 const uint8_t *write_iv = nullptr;
330 if ((type == handback_after_session_resumption ||
331 type == handback_after_handshake) &&
332 ssl->version == TLS1_VERSION &&
333 SSL_CIPHER_is_block_cipher(s3->aead_write_ctx->cipher()) &&
334 !s3->aead_write_ctx->GetIV(&write_iv, &write_iv_len)) {
335 return false;
336 }
337 size_t read_iv_len = 0;
338 const uint8_t *read_iv = nullptr;
339 if (type == handback_after_handshake &&
340 ssl->version == TLS1_VERSION &&
341 SSL_CIPHER_is_block_cipher(s3->aead_read_ctx->cipher()) &&
342 !s3->aead_read_ctx->GetIV(&read_iv, &read_iv_len)) {
343 return false;
344 }
345
346 // TODO(mab): make sure everything is serialized.
347 CBB seq, key_share;
348 const SSL_SESSION *session;
349 if (type == handback_tls13) {
350 session = hs->new_session.get();
351 } else {
352 session = s3->session_reused ? ssl->session.get() : hs->new_session.get();
353 }
354 uint8_t read_sequence[8], write_sequence[8];
355 CRYPTO_store_u64_be(read_sequence, s3->read_sequence);
356 CRYPTO_store_u64_be(write_sequence, s3->write_sequence);
357 static const uint8_t kUnusedChannelID[64] = {0};
358 if (!CBB_add_asn1(out, &seq, CBS_ASN1_SEQUENCE) ||
359 !CBB_add_asn1_uint64(&seq, kHandbackVersion) ||
360 !CBB_add_asn1_uint64(&seq, type) ||
361 !CBB_add_asn1_octet_string(&seq, read_sequence, sizeof(read_sequence)) ||
362 !CBB_add_asn1_octet_string(&seq, write_sequence,
363 sizeof(write_sequence)) ||
364 !CBB_add_asn1_octet_string(&seq, s3->server_random,
365 sizeof(s3->server_random)) ||
366 !CBB_add_asn1_octet_string(&seq, s3->client_random,
367 sizeof(s3->client_random)) ||
368 !CBB_add_asn1_octet_string(&seq, read_iv, read_iv_len) ||
369 !CBB_add_asn1_octet_string(&seq, write_iv, write_iv_len) ||
370 !CBB_add_asn1_bool(&seq, s3->session_reused) ||
371 !CBB_add_asn1_bool(&seq, hs->channel_id_negotiated) ||
372 !ssl_session_serialize(session, &seq) ||
373 !CBB_add_asn1_octet_string(&seq, s3->next_proto_negotiated.data(),
374 s3->next_proto_negotiated.size()) ||
375 !CBB_add_asn1_octet_string(&seq, s3->alpn_selected.data(),
376 s3->alpn_selected.size()) ||
377 !CBB_add_asn1_octet_string(
378 &seq, reinterpret_cast<uint8_t *>(s3->hostname.get()),
379 hostname_len) ||
380 !CBB_add_asn1_octet_string(&seq, kUnusedChannelID,
381 sizeof(kUnusedChannelID)) ||
382 // These two fields were historically |token_binding_negotiated| and
383 // |negotiated_token_binding_param|.
384 !CBB_add_asn1_bool(&seq, 0) || //
385 !CBB_add_asn1_uint64(&seq, 0) ||
386 !CBB_add_asn1_bool(&seq, s3->hs->next_proto_neg_seen) ||
387 !CBB_add_asn1_bool(&seq, s3->hs->cert_request) ||
388 !CBB_add_asn1_bool(&seq, s3->hs->extended_master_secret) ||
389 !CBB_add_asn1_bool(&seq, s3->hs->ticket_expected) ||
390 !CBB_add_asn1_uint64(&seq, SSL_CIPHER_get_id(s3->hs->new_cipher)) ||
391 !CBB_add_asn1_octet_string(&seq, transcript.data(), transcript.size()) ||
392 !CBB_add_asn1(&seq, &key_share, CBS_ASN1_SEQUENCE)) {
393 return false;
394 }
395 if (type == handback_after_ecdhe) {
396 CBB private_key;
397 if (!CBB_add_asn1_uint64(&key_share, s3->hs->key_shares[0]->GroupID()) ||
398 !CBB_add_asn1(&key_share, &private_key, CBS_ASN1_OCTETSTRING) ||
399 !s3->hs->key_shares[0]->SerializePrivateKey(&private_key) ||
400 !CBB_flush(&key_share)) {
401 return false;
402 }
403 }
404 if (type == handback_tls13) {
405 early_data_t early_data;
406 // Check early data invariants.
407 if (ssl->enable_early_data ==
408 (s3->early_data_reason == ssl_early_data_disabled)) {
409 return false;
410 }
411 if (hs->early_data_offered) {
412 if (s3->early_data_accepted && !s3->skip_early_data) {
413 early_data = early_data_accepted;
414 } else if (!s3->early_data_accepted && !s3->skip_early_data) {
415 early_data = early_data_rejected_hrr;
416 } else if (!s3->early_data_accepted && s3->skip_early_data) {
417 early_data = early_data_skipped;
418 } else {
419 return false;
420 }
421 } else if (!s3->early_data_accepted && !s3->skip_early_data) {
422 early_data = early_data_not_offered;
423 } else {
424 return false;
425 }
426 if (!CBB_add_asn1_octet_string(&seq, hs->client_traffic_secret_0().data(),
427 hs->client_traffic_secret_0().size()) ||
428 !CBB_add_asn1_octet_string(&seq, hs->server_traffic_secret_0().data(),
429 hs->server_traffic_secret_0().size()) ||
430 !CBB_add_asn1_octet_string(&seq, hs->client_handshake_secret().data(),
431 hs->client_handshake_secret().size()) ||
432 !CBB_add_asn1_octet_string(&seq, hs->server_handshake_secret().data(),
433 hs->server_handshake_secret().size()) ||
434 !CBB_add_asn1_octet_string(&seq, hs->secret().data(),
435 hs->secret().size()) ||
436 !CBB_add_asn1_octet_string(&seq, s3->exporter_secret,
437 s3->exporter_secret_len) ||
438 !CBB_add_asn1_bool(&seq, s3->used_hello_retry_request) ||
439 !CBB_add_asn1_bool(&seq, hs->accept_psk_mode) ||
440 !CBB_add_asn1_int64(&seq, s3->ticket_age_skew) ||
441 !CBB_add_asn1_uint64(&seq, s3->early_data_reason) ||
442 !CBB_add_asn1_uint64(&seq, early_data)) {
443 return false;
444 }
445 if (early_data == early_data_accepted &&
446 !CBB_add_asn1_octet_string(&seq, hs->early_traffic_secret().data(),
447 hs->early_traffic_secret().size())) {
448 return false;
449 }
450
451 if (session->has_application_settings) {
452 uint16_t alps_codepoint = TLSEXT_TYPE_application_settings_old;
453 if (hs->config->alps_use_new_codepoint) {
454 alps_codepoint = TLSEXT_TYPE_application_settings;
455 }
456 if (!CBB_add_asn1_uint64(&seq, alps_codepoint)) {
457 return false;
458 }
459 }
460 }
461 return CBB_flush(out);
462 }
463
CopyExact(Span<uint8_t> out,const CBS * in)464 static bool CopyExact(Span<uint8_t> out, const CBS *in) {
465 if (CBS_len(in) != out.size()) {
466 return false;
467 }
468 OPENSSL_memcpy(out.data(), CBS_data(in), out.size());
469 return true;
470 }
471
SSL_apply_handback(SSL * ssl,Span<const uint8_t> handback)472 bool SSL_apply_handback(SSL *ssl, Span<const uint8_t> handback) {
473 if (ssl->do_handshake != nullptr ||
474 ssl->method->is_dtls) {
475 return false;
476 }
477
478 SSL3_STATE *const s3 = ssl->s3;
479 uint64_t handback_version, unused_token_binding_param, cipher, type_u64,
480 alps_codepoint;
481
482 CBS seq, read_seq, write_seq, server_rand, client_rand, read_iv, write_iv,
483 next_proto, alpn, hostname, unused_channel_id, transcript, key_share;
484 int session_reused, channel_id_negotiated, cert_request,
485 extended_master_secret, ticket_expected, unused_token_binding,
486 next_proto_neg_seen;
487 SSL_SESSION *session = nullptr;
488
489 CBS handback_cbs(handback);
490 if (!CBS_get_asn1(&handback_cbs, &seq, CBS_ASN1_SEQUENCE) ||
491 !CBS_get_asn1_uint64(&seq, &handback_version) ||
492 handback_version != kHandbackVersion ||
493 !CBS_get_asn1_uint64(&seq, &type_u64) ||
494 type_u64 > handback_max_value) {
495 return false;
496 }
497
498 handback_t type = static_cast<handback_t>(type_u64);
499 if (!CBS_get_asn1(&seq, &read_seq, CBS_ASN1_OCTETSTRING) ||
500 CBS_len(&read_seq) != sizeof(s3->read_sequence) ||
501 !CBS_get_asn1(&seq, &write_seq, CBS_ASN1_OCTETSTRING) ||
502 CBS_len(&write_seq) != sizeof(s3->write_sequence) ||
503 !CBS_get_asn1(&seq, &server_rand, CBS_ASN1_OCTETSTRING) ||
504 CBS_len(&server_rand) != sizeof(s3->server_random) ||
505 !CBS_copy_bytes(&server_rand, s3->server_random,
506 sizeof(s3->server_random)) ||
507 !CBS_get_asn1(&seq, &client_rand, CBS_ASN1_OCTETSTRING) ||
508 CBS_len(&client_rand) != sizeof(s3->client_random) ||
509 !CBS_copy_bytes(&client_rand, s3->client_random,
510 sizeof(s3->client_random)) ||
511 !CBS_get_asn1(&seq, &read_iv, CBS_ASN1_OCTETSTRING) ||
512 !CBS_get_asn1(&seq, &write_iv, CBS_ASN1_OCTETSTRING) ||
513 !CBS_get_asn1_bool(&seq, &session_reused) ||
514 !CBS_get_asn1_bool(&seq, &channel_id_negotiated)) {
515 return false;
516 }
517
518 s3->hs = ssl_handshake_new(ssl);
519 if (!s3->hs) {
520 return false;
521 }
522 SSL_HANDSHAKE *const hs = s3->hs.get();
523 if (!session_reused || type == handback_tls13) {
524 hs->new_session =
525 SSL_SESSION_parse(&seq, ssl->ctx->x509_method, ssl->ctx->pool);
526 session = hs->new_session.get();
527 } else {
528 ssl->session =
529 SSL_SESSION_parse(&seq, ssl->ctx->x509_method, ssl->ctx->pool);
530 session = ssl->session.get();
531 }
532
533 if (!session || !CBS_get_asn1(&seq, &next_proto, CBS_ASN1_OCTETSTRING) ||
534 !CBS_get_asn1(&seq, &alpn, CBS_ASN1_OCTETSTRING) ||
535 !CBS_get_asn1(&seq, &hostname, CBS_ASN1_OCTETSTRING) ||
536 !CBS_get_asn1(&seq, &unused_channel_id, CBS_ASN1_OCTETSTRING) ||
537 !CBS_get_asn1_bool(&seq, &unused_token_binding) ||
538 !CBS_get_asn1_uint64(&seq, &unused_token_binding_param) ||
539 !CBS_get_asn1_bool(&seq, &next_proto_neg_seen) ||
540 !CBS_get_asn1_bool(&seq, &cert_request) ||
541 !CBS_get_asn1_bool(&seq, &extended_master_secret) ||
542 !CBS_get_asn1_bool(&seq, &ticket_expected) ||
543 !CBS_get_asn1_uint64(&seq, &cipher)) {
544 return false;
545 }
546 if ((hs->new_cipher =
547 SSL_get_cipher_by_value(static_cast<uint16_t>(cipher))) == nullptr) {
548 return false;
549 }
550 if (!CBS_get_asn1(&seq, &transcript, CBS_ASN1_OCTETSTRING) ||
551 !CBS_get_asn1(&seq, &key_share, CBS_ASN1_SEQUENCE)) {
552 return false;
553 }
554 CBS client_handshake_secret, server_handshake_secret, client_traffic_secret_0,
555 server_traffic_secret_0, secret, exporter_secret, early_traffic_secret;
556 if (type == handback_tls13) {
557 int used_hello_retry_request, accept_psk_mode;
558 uint64_t early_data, early_data_reason;
559 int64_t ticket_age_skew;
560 if (!CBS_get_asn1(&seq, &client_traffic_secret_0, CBS_ASN1_OCTETSTRING) ||
561 !CBS_get_asn1(&seq, &server_traffic_secret_0, CBS_ASN1_OCTETSTRING) ||
562 !CBS_get_asn1(&seq, &client_handshake_secret, CBS_ASN1_OCTETSTRING) ||
563 !CBS_get_asn1(&seq, &server_handshake_secret, CBS_ASN1_OCTETSTRING) ||
564 !CBS_get_asn1(&seq, &secret, CBS_ASN1_OCTETSTRING) ||
565 !CBS_get_asn1(&seq, &exporter_secret, CBS_ASN1_OCTETSTRING) ||
566 !CBS_get_asn1_bool(&seq, &used_hello_retry_request) ||
567 !CBS_get_asn1_bool(&seq, &accept_psk_mode) ||
568 !CBS_get_asn1_int64(&seq, &ticket_age_skew) ||
569 !CBS_get_asn1_uint64(&seq, &early_data_reason) ||
570 early_data_reason > ssl_early_data_reason_max_value ||
571 !CBS_get_asn1_uint64(&seq, &early_data) ||
572 early_data > early_data_max_value) {
573 return false;
574 }
575 early_data_t early_data_type = static_cast<early_data_t>(early_data);
576 if (early_data_type == early_data_accepted &&
577 !CBS_get_asn1(&seq, &early_traffic_secret, CBS_ASN1_OCTETSTRING)) {
578 return false;
579 }
580
581 if (session->has_application_settings) {
582 // Making it optional to keep compatibility with older handshakers.
583 // Older handshakers won't send the field.
584 if (CBS_len(&seq) == 0) {
585 hs->config->alps_use_new_codepoint = false;
586 } else {
587 if (!CBS_get_asn1_uint64(&seq, &alps_codepoint)) {
588 return false;
589 }
590
591 if (alps_codepoint == TLSEXT_TYPE_application_settings) {
592 hs->config->alps_use_new_codepoint = true;
593 } else if (alps_codepoint == TLSEXT_TYPE_application_settings_old) {
594 hs->config->alps_use_new_codepoint = false;
595 } else {
596 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_ALPS_CODEPOINT);
597 return false;
598 }
599 }
600 }
601
602 if (ticket_age_skew > std::numeric_limits<int32_t>::max() ||
603 ticket_age_skew < std::numeric_limits<int32_t>::min()) {
604 return false;
605 }
606 s3->ticket_age_skew = static_cast<int32_t>(ticket_age_skew);
607 s3->used_hello_retry_request = used_hello_retry_request;
608 hs->accept_psk_mode = accept_psk_mode;
609
610 s3->early_data_reason =
611 static_cast<ssl_early_data_reason_t>(early_data_reason);
612 ssl->enable_early_data = s3->early_data_reason != ssl_early_data_disabled;
613 s3->skip_early_data = false;
614 s3->early_data_accepted = false;
615 hs->early_data_offered = false;
616 switch (early_data_type) {
617 case early_data_not_offered:
618 break;
619 case early_data_accepted:
620 s3->early_data_accepted = true;
621 hs->early_data_offered = true;
622 hs->can_early_write = true;
623 hs->can_early_read = true;
624 hs->in_early_data = true;
625 break;
626 case early_data_rejected_hrr:
627 hs->early_data_offered = true;
628 break;
629 case early_data_skipped:
630 s3->skip_early_data = true;
631 hs->early_data_offered = true;
632 break;
633 default:
634 return false;
635 }
636 } else {
637 s3->early_data_reason = ssl_early_data_protocol_version;
638 }
639
640 ssl->version = session->ssl_version;
641 s3->have_version = true;
642 if (!ssl_method_supports_version(ssl->method, ssl->version) ||
643 session->cipher != hs->new_cipher ||
644 ssl_protocol_version(ssl) < SSL_CIPHER_get_min_version(session->cipher) ||
645 SSL_CIPHER_get_max_version(session->cipher) < ssl_protocol_version(ssl)) {
646 return false;
647 }
648 ssl->do_handshake = ssl_server_handshake;
649 ssl->server = true;
650 switch (type) {
651 case handback_after_session_resumption:
652 hs->state = state12_read_change_cipher_spec;
653 if (!session_reused) {
654 return false;
655 }
656 break;
657 case handback_after_ecdhe:
658 hs->state = state12_read_client_certificate;
659 if (session_reused) {
660 return false;
661 }
662 break;
663 case handback_after_handshake:
664 hs->state = state12_finish_server_handshake;
665 break;
666 case handback_tls13:
667 hs->state = state12_tls13;
668 hs->tls13_state = state13_send_half_rtt_ticket;
669 break;
670 default:
671 return false;
672 }
673 s3->session_reused = session_reused;
674 hs->channel_id_negotiated = channel_id_negotiated;
675 s3->next_proto_negotiated.CopyFrom(next_proto);
676 s3->alpn_selected.CopyFrom(alpn);
677
678 const size_t hostname_len = CBS_len(&hostname);
679 if (hostname_len == 0) {
680 s3->hostname.reset();
681 } else {
682 char *hostname_str = nullptr;
683 if (!CBS_strdup(&hostname, &hostname_str)) {
684 return false;
685 }
686 s3->hostname.reset(hostname_str);
687 }
688
689 hs->next_proto_neg_seen = next_proto_neg_seen;
690 hs->wait = ssl_hs_flush;
691 hs->extended_master_secret = extended_master_secret;
692 hs->ticket_expected = ticket_expected;
693 s3->aead_write_ctx->SetVersionIfNullCipher(ssl->version);
694 hs->cert_request = cert_request;
695
696 if (type != handback_after_handshake &&
697 (!hs->transcript.Init() ||
698 !hs->transcript.InitHash(ssl_protocol_version(ssl), hs->new_cipher) ||
699 !hs->transcript.Update(transcript))) {
700 return false;
701 }
702 if (type == handback_tls13) {
703 hs->ResizeSecrets(hs->transcript.DigestLen());
704 if (!CopyExact(hs->client_traffic_secret_0(), &client_traffic_secret_0) ||
705 !CopyExact(hs->server_traffic_secret_0(), &server_traffic_secret_0) ||
706 !CopyExact(hs->client_handshake_secret(), &client_handshake_secret) ||
707 !CopyExact(hs->server_handshake_secret(), &server_handshake_secret) ||
708 !CopyExact(hs->secret(), &secret) ||
709 !CopyExact({s3->exporter_secret, hs->transcript.DigestLen()},
710 &exporter_secret)) {
711 return false;
712 }
713 s3->exporter_secret_len = CBS_len(&exporter_secret);
714
715 if (s3->early_data_accepted &&
716 !CopyExact(hs->early_traffic_secret(), &early_traffic_secret)) {
717 return false;
718 }
719 }
720 Array<uint8_t> key_block;
721 switch (type) {
722 case handback_after_session_resumption:
723 // The write keys are installed after server Finished, but the client
724 // keys must wait for ChangeCipherSpec.
725 if (!tls1_configure_aead(ssl, evp_aead_seal, &key_block, session,
726 write_iv)) {
727 return false;
728 }
729 break;
730 case handback_after_ecdhe:
731 // The premaster secret is not yet computed, so install no keys.
732 break;
733 case handback_after_handshake:
734 // The handshake is complete, so both keys are installed.
735 if (!tls1_configure_aead(ssl, evp_aead_seal, &key_block, session,
736 write_iv) ||
737 !tls1_configure_aead(ssl, evp_aead_open, &key_block, session,
738 read_iv)) {
739 return false;
740 }
741 break;
742 case handback_tls13:
743 // After server Finished, the application write keys are installed, but
744 // none of the read keys. The read keys are installed in the state machine
745 // immediately after processing handback.
746 if (!tls13_set_traffic_key(ssl, ssl_encryption_application, evp_aead_seal,
747 hs->new_session.get(),
748 hs->server_traffic_secret_0())) {
749 return false;
750 }
751 break;
752 }
753 uint8_t read_sequence[8], write_sequence[8];
754 if (!CopyExact(read_sequence, &read_seq) ||
755 !CopyExact(write_sequence, &write_seq)) {
756 return false;
757 }
758 s3->read_sequence = CRYPTO_load_u64_be(read_sequence);
759 s3->write_sequence = CRYPTO_load_u64_be(write_sequence);
760 if (type == handback_after_ecdhe) {
761 uint64_t group_id;
762 CBS private_key;
763 if (!CBS_get_asn1_uint64(&key_share, &group_id) || //
764 group_id > 0xffff ||
765 !CBS_get_asn1(&key_share, &private_key, CBS_ASN1_OCTETSTRING)) {
766 return false;
767 }
768 hs->key_shares[0] = SSLKeyShare::Create(group_id);
769 if (!hs->key_shares[0] ||
770 !hs->key_shares[0]->DeserializePrivateKey(&private_key)) {
771 return false;
772 }
773 }
774 return true; // Trailing data allowed for extensibility.
775 }
776
777 BSSL_NAMESPACE_END
778
779 using namespace bssl;
780
SSL_serialize_capabilities(const SSL * ssl,CBB * out)781 int SSL_serialize_capabilities(const SSL *ssl, CBB *out) {
782 CBB seq;
783 if (!CBB_add_asn1(out, &seq, CBS_ASN1_SEQUENCE) ||
784 !serialize_features(&seq) || //
785 !CBB_flush(out)) {
786 return 0;
787 }
788
789 return 1;
790 }
791
SSL_request_handshake_hints(SSL * ssl,const uint8_t * client_hello,size_t client_hello_len,const uint8_t * capabilities,size_t capabilities_len)792 int SSL_request_handshake_hints(SSL *ssl, const uint8_t *client_hello,
793 size_t client_hello_len,
794 const uint8_t *capabilities,
795 size_t capabilities_len) {
796 if (SSL_is_dtls(ssl)) {
797 OPENSSL_PUT_ERROR(SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
798 return 0;
799 }
800
801 CBS cbs, seq;
802 CBS_init(&cbs, capabilities, capabilities_len);
803 UniquePtr<SSL_HANDSHAKE_HINTS> hints = MakeUnique<SSL_HANDSHAKE_HINTS>();
804 if (hints == nullptr ||
805 !CBS_get_asn1(&cbs, &seq, CBS_ASN1_SEQUENCE) ||
806 !apply_remote_features(ssl, &seq)) {
807 return 0;
808 }
809
810 SSL3_STATE *const s3 = ssl->s3;
811 s3->v2_hello_done = true;
812 s3->has_message = true;
813
814 Array<uint8_t> client_hello_msg;
815 ScopedCBB client_hello_cbb;
816 CBB client_hello_body;
817 if (!ssl->method->init_message(ssl, client_hello_cbb.get(),
818 &client_hello_body, SSL3_MT_CLIENT_HELLO) ||
819 !CBB_add_bytes(&client_hello_body, client_hello, client_hello_len) ||
820 !ssl->method->finish_message(ssl, client_hello_cbb.get(),
821 &client_hello_msg)) {
822 return 0;
823 }
824
825 s3->hs_buf.reset(BUF_MEM_new());
826 if (!s3->hs_buf || !BUF_MEM_append(s3->hs_buf.get(), client_hello_msg.data(),
827 client_hello_msg.size())) {
828 return 0;
829 }
830
831 s3->hs->hints_requested = true;
832 s3->hs->hints = std::move(hints);
833 return 1;
834 }
835
836 // |SSL_HANDSHAKE_HINTS| is serialized as the following ASN.1 structure. We use
837 // implicit tagging to make it a little more compact.
838 //
839 // HandshakeHints ::= SEQUENCE {
840 // serverRandomTLS13 [0] IMPLICIT OCTET STRING OPTIONAL,
841 // keyShareHint [1] IMPLICIT KeyShareHint OPTIONAL,
842 // signatureHint [2] IMPLICIT SignatureHint OPTIONAL,
843 // -- At most one of decryptedPSKHint or ignorePSKHint may be present. It
844 // -- corresponds to the first entry in pre_shared_keys. TLS 1.2 session
845 // -- tickets use a separate hint, to ensure the caller does not apply the
846 // -- hint to the wrong field.
847 // decryptedPSKHint [3] IMPLICIT OCTET STRING OPTIONAL,
848 // ignorePSKHint [4] IMPLICIT NULL OPTIONAL,
849 // compressCertificateHint [5] IMPLICIT CompressCertificateHint OPTIONAL,
850 // -- TLS 1.2 and 1.3 use different server random hints because one contains
851 // -- a timestamp while the other doesn't. If the hint was generated
852 // -- assuming TLS 1.3 but we actually negotiate TLS 1.2, mixing the two
853 // -- will break this.
854 // serverRandomTLS12 [6] IMPLICIT OCTET STRING OPTIONAL,
855 // ecdheHint [7] IMPLICIT ECDHEHint OPTIONAL
856 // -- At most one of decryptedTicketHint or ignoreTicketHint may be present.
857 // -- renewTicketHint requires decryptedTicketHint.
858 // decryptedTicketHint [8] IMPLICIT OCTET STRING OPTIONAL,
859 // renewTicketHint [9] IMPLICIT NULL OPTIONAL,
860 // ignoreTicketHint [10] IMPLICIT NULL OPTIONAL,
861 // }
862 //
863 // KeyShareHint ::= SEQUENCE {
864 // groupId INTEGER,
865 // ciphertext OCTET STRING,
866 // secret OCTET STRING,
867 // }
868 //
869 // SignatureHint ::= SEQUENCE {
870 // algorithm INTEGER,
871 // input OCTET STRING,
872 // subjectPublicKeyInfo OCTET STRING,
873 // signature OCTET STRING,
874 // }
875 //
876 // CompressCertificateHint ::= SEQUENCE {
877 // algorithm INTEGER,
878 // input OCTET STRING,
879 // compressed OCTET STRING,
880 // }
881 //
882 // ECDHEHint ::= SEQUENCE {
883 // groupId INTEGER,
884 // publicKey OCTET STRING,
885 // privateKey OCTET STRING,
886 // }
887
888 // HandshakeHints tags.
889 static const CBS_ASN1_TAG kServerRandomTLS13Tag =
890 CBS_ASN1_CONTEXT_SPECIFIC | 0;
891 static const CBS_ASN1_TAG kKeyShareHintTag =
892 CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 1;
893 static const CBS_ASN1_TAG kSignatureHintTag =
894 CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 2;
895 static const CBS_ASN1_TAG kDecryptedPSKTag = CBS_ASN1_CONTEXT_SPECIFIC | 3;
896 static const CBS_ASN1_TAG kIgnorePSKTag = CBS_ASN1_CONTEXT_SPECIFIC | 4;
897 static const CBS_ASN1_TAG kCompressCertificateTag =
898 CBS_ASN1_CONTEXT_SPECIFIC | 5;
899 static const CBS_ASN1_TAG kServerRandomTLS12Tag =
900 CBS_ASN1_CONTEXT_SPECIFIC | 6;
901 static const CBS_ASN1_TAG kECDHEHintTag = CBS_ASN1_CONSTRUCTED | 7;
902 static const CBS_ASN1_TAG kDecryptedTicketTag = CBS_ASN1_CONTEXT_SPECIFIC | 8;
903 static const CBS_ASN1_TAG kRenewTicketTag = CBS_ASN1_CONTEXT_SPECIFIC | 9;
904 static const CBS_ASN1_TAG kIgnoreTicketTag = CBS_ASN1_CONTEXT_SPECIFIC | 10;
905
SSL_serialize_handshake_hints(const SSL * ssl,CBB * out)906 int SSL_serialize_handshake_hints(const SSL *ssl, CBB *out) {
907 const SSL_HANDSHAKE *hs = ssl->s3->hs.get();
908 if (!ssl->server || !hs->hints_requested) {
909 OPENSSL_PUT_ERROR(SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
910 return 0;
911 }
912
913 const SSL_HANDSHAKE_HINTS *hints = hs->hints.get();
914 CBB seq, child;
915 if (!CBB_add_asn1(out, &seq, CBS_ASN1_SEQUENCE)) {
916 return 0;
917 }
918
919 if (!hints->server_random_tls13.empty()) {
920 if (!CBB_add_asn1(&seq, &child, kServerRandomTLS13Tag) ||
921 !CBB_add_bytes(&child, hints->server_random_tls13.data(),
922 hints->server_random_tls13.size())) {
923 return 0;
924 }
925 }
926
927 if (hints->key_share_group_id != 0 && !hints->key_share_ciphertext.empty() &&
928 !hints->key_share_secret.empty()) {
929 if (!CBB_add_asn1(&seq, &child, kKeyShareHintTag) ||
930 !CBB_add_asn1_uint64(&child, hints->key_share_group_id) ||
931 !CBB_add_asn1_octet_string(&child, hints->key_share_ciphertext.data(),
932 hints->key_share_ciphertext.size()) ||
933 !CBB_add_asn1_octet_string(&child, hints->key_share_secret.data(),
934 hints->key_share_secret.size())) {
935 return 0;
936 }
937 }
938
939 if (hints->signature_algorithm != 0 && !hints->signature_input.empty() &&
940 !hints->signature.empty()) {
941 if (!CBB_add_asn1(&seq, &child, kSignatureHintTag) ||
942 !CBB_add_asn1_uint64(&child, hints->signature_algorithm) ||
943 !CBB_add_asn1_octet_string(&child, hints->signature_input.data(),
944 hints->signature_input.size()) ||
945 !CBB_add_asn1_octet_string(&child, hints->signature_spki.data(),
946 hints->signature_spki.size()) ||
947 !CBB_add_asn1_octet_string(&child, hints->signature.data(),
948 hints->signature.size())) {
949 return 0;
950 }
951 }
952
953 if (!hints->decrypted_psk.empty()) {
954 if (!CBB_add_asn1(&seq, &child, kDecryptedPSKTag) ||
955 !CBB_add_bytes(&child, hints->decrypted_psk.data(),
956 hints->decrypted_psk.size())) {
957 return 0;
958 }
959 }
960
961 if (hints->ignore_psk && //
962 !CBB_add_asn1(&seq, &child, kIgnorePSKTag)) {
963 return 0;
964 }
965
966 if (hints->cert_compression_alg_id != 0 &&
967 !hints->cert_compression_input.empty() &&
968 !hints->cert_compression_output.empty()) {
969 if (!CBB_add_asn1(&seq, &child, kCompressCertificateTag) ||
970 !CBB_add_asn1_uint64(&child, hints->cert_compression_alg_id) ||
971 !CBB_add_asn1_octet_string(&child, hints->cert_compression_input.data(),
972 hints->cert_compression_input.size()) ||
973 !CBB_add_asn1_octet_string(&child,
974 hints->cert_compression_output.data(),
975 hints->cert_compression_output.size())) {
976 return 0;
977 }
978 }
979
980 if (!hints->server_random_tls12.empty()) {
981 if (!CBB_add_asn1(&seq, &child, kServerRandomTLS12Tag) ||
982 !CBB_add_bytes(&child, hints->server_random_tls12.data(),
983 hints->server_random_tls12.size())) {
984 return 0;
985 }
986 }
987
988 if (hints->ecdhe_group_id != 0 && !hints->ecdhe_public_key.empty() &&
989 !hints->ecdhe_private_key.empty()) {
990 if (!CBB_add_asn1(&seq, &child, kECDHEHintTag) ||
991 !CBB_add_asn1_uint64(&child, hints->ecdhe_group_id) ||
992 !CBB_add_asn1_octet_string(&child, hints->ecdhe_public_key.data(),
993 hints->ecdhe_public_key.size()) ||
994 !CBB_add_asn1_octet_string(&child, hints->ecdhe_private_key.data(),
995 hints->ecdhe_private_key.size())) {
996 return 0;
997 }
998 }
999
1000
1001 if (!hints->decrypted_ticket.empty()) {
1002 if (!CBB_add_asn1(&seq, &child, kDecryptedTicketTag) ||
1003 !CBB_add_bytes(&child, hints->decrypted_ticket.data(),
1004 hints->decrypted_ticket.size())) {
1005 return 0;
1006 }
1007 }
1008
1009 if (hints->renew_ticket && //
1010 !CBB_add_asn1(&seq, &child, kRenewTicketTag)) {
1011 return 0;
1012 }
1013
1014 if (hints->ignore_ticket && //
1015 !CBB_add_asn1(&seq, &child, kIgnoreTicketTag)) {
1016 return 0;
1017 }
1018
1019 return CBB_flush(out);
1020 }
1021
get_optional_implicit_null(CBS * cbs,bool * out_present,CBS_ASN1_TAG tag)1022 static bool get_optional_implicit_null(CBS *cbs, bool *out_present,
1023 CBS_ASN1_TAG tag) {
1024 CBS value;
1025 int present;
1026 if (!CBS_get_optional_asn1(cbs, &value, &present, tag) ||
1027 (present && CBS_len(&value) != 0)) {
1028 return false;
1029 }
1030 *out_present = present;
1031 return true;
1032 }
1033
SSL_set_handshake_hints(SSL * ssl,const uint8_t * hints,size_t hints_len)1034 int SSL_set_handshake_hints(SSL *ssl, const uint8_t *hints, size_t hints_len) {
1035 if (SSL_is_dtls(ssl)) {
1036 OPENSSL_PUT_ERROR(SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
1037 return 0;
1038 }
1039
1040 UniquePtr<SSL_HANDSHAKE_HINTS> hints_obj = MakeUnique<SSL_HANDSHAKE_HINTS>();
1041 if (hints_obj == nullptr) {
1042 return 0;
1043 }
1044
1045 CBS cbs, seq, server_random_tls13, key_share, signature_hint, psk,
1046 cert_compression, server_random_tls12, ecdhe, ticket;
1047 int has_server_random_tls13, has_key_share, has_signature_hint, has_psk,
1048 has_cert_compression, has_server_random_tls12, has_ecdhe, has_ticket;
1049 CBS_init(&cbs, hints, hints_len);
1050 if (!CBS_get_asn1(&cbs, &seq, CBS_ASN1_SEQUENCE) ||
1051 !CBS_get_optional_asn1(&seq, &server_random_tls13,
1052 &has_server_random_tls13, kServerRandomTLS13Tag) ||
1053 !CBS_get_optional_asn1(&seq, &key_share, &has_key_share,
1054 kKeyShareHintTag) ||
1055 !CBS_get_optional_asn1(&seq, &signature_hint, &has_signature_hint,
1056 kSignatureHintTag) ||
1057 !CBS_get_optional_asn1(&seq, &psk, &has_psk, kDecryptedPSKTag) ||
1058 !get_optional_implicit_null(&seq, &hints_obj->ignore_psk,
1059 kIgnorePSKTag) ||
1060 !CBS_get_optional_asn1(&seq, &cert_compression, &has_cert_compression,
1061 kCompressCertificateTag) ||
1062 !CBS_get_optional_asn1(&seq, &server_random_tls12,
1063 &has_server_random_tls12, kServerRandomTLS12Tag) ||
1064 !CBS_get_optional_asn1(&seq, &ecdhe, &has_ecdhe, kECDHEHintTag) ||
1065 !CBS_get_optional_asn1(&seq, &ticket, &has_ticket, kDecryptedTicketTag) ||
1066 !get_optional_implicit_null(&seq, &hints_obj->renew_ticket,
1067 kRenewTicketTag) ||
1068 !get_optional_implicit_null(&seq, &hints_obj->ignore_ticket,
1069 kIgnoreTicketTag)) {
1070 OPENSSL_PUT_ERROR(SSL, SSL_R_COULD_NOT_PARSE_HINTS);
1071 return 0;
1072 }
1073
1074 if (has_server_random_tls13 &&
1075 !hints_obj->server_random_tls13.CopyFrom(server_random_tls13)) {
1076 return 0;
1077 }
1078
1079 if (has_key_share) {
1080 uint64_t group_id;
1081 CBS ciphertext, secret;
1082 if (!CBS_get_asn1_uint64(&key_share, &group_id) || //
1083 group_id == 0 || group_id > 0xffff ||
1084 !CBS_get_asn1(&key_share, &ciphertext, CBS_ASN1_OCTETSTRING) ||
1085 !hints_obj->key_share_ciphertext.CopyFrom(ciphertext) ||
1086 !CBS_get_asn1(&key_share, &secret, CBS_ASN1_OCTETSTRING) ||
1087 !hints_obj->key_share_secret.CopyFrom(secret)) {
1088 OPENSSL_PUT_ERROR(SSL, SSL_R_COULD_NOT_PARSE_HINTS);
1089 return 0;
1090 }
1091 hints_obj->key_share_group_id = static_cast<uint16_t>(group_id);
1092 }
1093
1094 if (has_signature_hint) {
1095 uint64_t sig_alg;
1096 CBS input, spki, signature;
1097 if (!CBS_get_asn1_uint64(&signature_hint, &sig_alg) || //
1098 sig_alg == 0 || sig_alg > 0xffff ||
1099 !CBS_get_asn1(&signature_hint, &input, CBS_ASN1_OCTETSTRING) ||
1100 !hints_obj->signature_input.CopyFrom(input) ||
1101 !CBS_get_asn1(&signature_hint, &spki, CBS_ASN1_OCTETSTRING) ||
1102 !hints_obj->signature_spki.CopyFrom(spki) ||
1103 !CBS_get_asn1(&signature_hint, &signature, CBS_ASN1_OCTETSTRING) ||
1104 !hints_obj->signature.CopyFrom(signature)) {
1105 OPENSSL_PUT_ERROR(SSL, SSL_R_COULD_NOT_PARSE_HINTS);
1106 return 0;
1107 }
1108 hints_obj->signature_algorithm = static_cast<uint16_t>(sig_alg);
1109 }
1110
1111 if (has_psk && !hints_obj->decrypted_psk.CopyFrom(psk)) {
1112 return 0;
1113 }
1114 if (has_psk && hints_obj->ignore_psk) {
1115 OPENSSL_PUT_ERROR(SSL, SSL_R_COULD_NOT_PARSE_HINTS);
1116 return 0;
1117 }
1118
1119 if (has_cert_compression) {
1120 uint64_t alg;
1121 CBS input, output;
1122 if (!CBS_get_asn1_uint64(&cert_compression, &alg) || //
1123 alg == 0 || alg > 0xffff ||
1124 !CBS_get_asn1(&cert_compression, &input, CBS_ASN1_OCTETSTRING) ||
1125 !hints_obj->cert_compression_input.CopyFrom(input) ||
1126 !CBS_get_asn1(&cert_compression, &output, CBS_ASN1_OCTETSTRING) ||
1127 !hints_obj->cert_compression_output.CopyFrom(output)) {
1128 OPENSSL_PUT_ERROR(SSL, SSL_R_COULD_NOT_PARSE_HINTS);
1129 return 0;
1130 }
1131 hints_obj->cert_compression_alg_id = static_cast<uint16_t>(alg);
1132 }
1133
1134 if (has_server_random_tls12 &&
1135 !hints_obj->server_random_tls12.CopyFrom(server_random_tls12)) {
1136 return 0;
1137 }
1138
1139 if (has_ecdhe) {
1140 uint64_t group_id;
1141 CBS public_key, private_key;
1142 if (!CBS_get_asn1_uint64(&ecdhe, &group_id) || //
1143 group_id == 0 || group_id > 0xffff ||
1144 !CBS_get_asn1(&ecdhe, &public_key, CBS_ASN1_OCTETSTRING) ||
1145 !hints_obj->ecdhe_public_key.CopyFrom(public_key) ||
1146 !CBS_get_asn1(&ecdhe, &private_key, CBS_ASN1_OCTETSTRING) ||
1147 !hints_obj->ecdhe_private_key.CopyFrom(private_key)) {
1148 OPENSSL_PUT_ERROR(SSL, SSL_R_COULD_NOT_PARSE_HINTS);
1149 return 0;
1150 }
1151 hints_obj->ecdhe_group_id = static_cast<uint16_t>(group_id);
1152 }
1153
1154 if (has_ticket && !hints_obj->decrypted_ticket.CopyFrom(ticket)) {
1155 return 0;
1156 }
1157 if (has_ticket && hints_obj->ignore_ticket) {
1158 OPENSSL_PUT_ERROR(SSL, SSL_R_COULD_NOT_PARSE_HINTS);
1159 return 0;
1160 }
1161 if (!has_ticket && hints_obj->renew_ticket) {
1162 OPENSSL_PUT_ERROR(SSL, SSL_R_COULD_NOT_PARSE_HINTS);
1163 return 0;
1164 }
1165
1166 ssl->s3->hs->hints = std::move(hints_obj);
1167 return 1;
1168 }
1169