Google Git
Sign in
cobalt / cobalt / 788710a0d7b1b8d8e2340dd5fad5e8783a239862 / . / third_party / boringssl / src / ssl / ssl_asn1.cc
blob: f5c6492c89042e0954d305b0e2c77057ebad7448 [file] [log] [blame]
Andrew Topdee8b292019-01-22 14:48:26 -0800[diff] [blame]1/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
2 * All rights reserved.
3 *
4 * This package is an SSL implementation written
5 * by Eric Young (eay@cryptsoft.com).
6 * The implementation was written so as to conform with Netscapes SSL.
7 *
8 * This library is free for commercial and non-commercial use as long as
9 * the following conditions are aheared to. The following conditions
10 * apply to all code found in this distribution, be it the RC4, RSA,
11 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
12 * included with this distribution is covered by the same copyright terms
13 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
14 *
15 * Copyright remains Eric Young's, and as such any Copyright notices in
16 * the code are not to be removed.
17 * If this package is used in a product, Eric Young should be given attribution
18 * as the author of the parts of the library used.
19 * This can be in the form of a textual message at program startup or
20 * in documentation (online or textual) provided with the package.
21 *
22 * Redistribution and use in source and binary forms, with or without
23 * modification, are permitted provided that the following conditions
24 * are met:
25 * 1. Redistributions of source code must retain the copyright
26 * notice, this list of conditions and the following disclaimer.
27 * 2. Redistributions in binary form must reproduce the above copyright
28 * notice, this list of conditions and the following disclaimer in the
29 * documentation and/or other materials provided with the distribution.
30 * 3. All advertising materials mentioning features or use of this software
31 * must display the following acknowledgement:
32 * "This product includes cryptographic software written by
33 * Eric Young (eay@cryptsoft.com)"
34 * The word 'cryptographic' can be left out if the rouines from the library
35 * being used are not cryptographic related :-).
36 * 4. If you include any Windows specific code (or a derivative thereof) from
37 * the apps directory (application code) you must include an acknowledgement:
38 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
39 *
40 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
41 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
43 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
44 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
45 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
46 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
48 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
49 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
50 * SUCH DAMAGE.
51 *
52 * The licence and distribution terms for any publically available version or
53 * derivative of this code cannot be changed. i.e. this code cannot simply be
54 * copied and put under another distribution licence
55 * [including the GNU Public Licence.]
56 */
57/* ====================================================================
58 * Copyright 2005 Nokia. All rights reserved.
59 *
60 * The portions of the attached software ("Contribution") is developed by
61 * Nokia Corporation and is licensed pursuant to the OpenSSL open source
62 * license.
63 *
64 * The Contribution, originally written by Mika Kousa and Pasi Eronen of
65 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
66 * support (see RFC 4279) to OpenSSL.
67 *
68 * No patent licenses or other rights except those expressly stated in
69 * the OpenSSL open source license shall be deemed granted or received
70 * expressly, by implication, estoppel, or otherwise.
71 *
72 * No assurances are provided by Nokia that the Contribution does not
73 * infringe the patent or other intellectual property rights of any third
74 * party or that the license provides you with all the necessary rights
75 * to make use of the Contribution.
76 *
77 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
78 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
79 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
80 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
81 * OTHERWISE. */
82
83// Per C99, various stdint.h macros are unavailable in C++ unless some macros
84// are defined. C++11 overruled this decision, but older Android NDKs still
85// require it.
86#if !defined(__STDC_LIMIT_MACROS)
87#define __STDC_LIMIT_MACROS
88#endif
89
90#include <openssl/ssl.h>
91
92#include <limits.h>
93#include <string.h>
94
95#include <utility>
96
97#include <openssl/buf.h>
98#include <openssl/bytestring.h>
99#include <openssl/err.h>
100#include <openssl/mem.h>
101#include <openssl/x509.h>
102
103#include "../crypto/internal.h"
104#include "internal.h"
105
106
Andrew Top193dc3d2019-01-23 09:57:23 -0800[diff] [blame]107namespace bssl {
Andrew Topdee8b292019-01-22 14:48:26 -0800[diff] [blame]108
109// An SSL_SESSION is serialized as the following ASN.1 structure:
110//
111// SSLSession ::= SEQUENCE {
112// version INTEGER (1), -- session structure version
113// sslVersion INTEGER, -- protocol version number
114// cipher OCTET STRING, -- two bytes long
115// sessionID OCTET STRING,
116// masterKey OCTET STRING,
117// time [1] INTEGER, -- seconds since UNIX epoch
118// timeout [2] INTEGER, -- in seconds
119// peer [3] Certificate OPTIONAL,
120// sessionIDContext [4] OCTET STRING OPTIONAL,
121// verifyResult [5] INTEGER OPTIONAL, -- one of X509_V_* codes
122// pskIdentity [8] OCTET STRING OPTIONAL,
123// ticketLifetimeHint [9] INTEGER OPTIONAL, -- client-only
124// ticket [10] OCTET STRING OPTIONAL, -- client-only
125// peerSHA256 [13] OCTET STRING OPTIONAL,
126// originalHandshakeHash [14] OCTET STRING OPTIONAL,
127// signedCertTimestampList [15] OCTET STRING OPTIONAL,
128// -- contents of SCT extension
129// ocspResponse [16] OCTET STRING OPTIONAL,
130// -- stapled OCSP response from the server
131// extendedMasterSecret [17] BOOLEAN OPTIONAL,
132// groupID [18] INTEGER OPTIONAL,
133// certChain [19] SEQUENCE OF Certificate OPTIONAL,
134// ticketAgeAdd [21] OCTET STRING OPTIONAL,
135// isServer [22] BOOLEAN DEFAULT TRUE,
136// peerSignatureAlgorithm [23] INTEGER OPTIONAL,
137// ticketMaxEarlyData [24] INTEGER OPTIONAL,
138// authTimeout [25] INTEGER OPTIONAL, -- defaults to timeout
139// earlyALPN [26] OCTET STRING OPTIONAL,
140// }
141//
142// Note: historically this serialization has included other optional
143// fields. Their presence is currently treated as a parse error, except for
144// hostName, which is ignored.
145//
146// keyArg [0] IMPLICIT OCTET STRING OPTIONAL,
147// hostName [6] OCTET STRING OPTIONAL,
148// pskIdentityHint [7] OCTET STRING OPTIONAL,
149// compressionMethod [11] OCTET STRING OPTIONAL,
150// srpUsername [12] OCTET STRING OPTIONAL,
151// ticketFlags [20] INTEGER OPTIONAL,
152
153static const unsigned kVersion = 1;
154
155static const unsigned kTimeTag =
156 CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 1;
157static const unsigned kTimeoutTag =
158 CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 2;
159static const unsigned kPeerTag =
160 CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 3;
161static const unsigned kSessionIDContextTag =
162 CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 4;
163static const unsigned kVerifyResultTag =
164 CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 5;
165static const unsigned kHostNameTag =
166 CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 6;
167static const unsigned kPSKIdentityTag =
168 CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 8;
169static const unsigned kTicketLifetimeHintTag =
170 CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 9;
171static const unsigned kTicketTag =
172 CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 10;
173static const unsigned kPeerSHA256Tag =
174 CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 13;
175static const unsigned kOriginalHandshakeHashTag =
176 CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 14;
177static const unsigned kSignedCertTimestampListTag =
178 CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 15;
179static const unsigned kOCSPResponseTag =
180 CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 16;
181static const unsigned kExtendedMasterSecretTag =
182 CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 17;
183static const unsigned kGroupIDTag =
184 CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 18;
185static const unsigned kCertChainTag =
186 CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 19;
187static const unsigned kTicketAgeAddTag =
188 CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 21;
189static const unsigned kIsServerTag =
190 CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 22;
191static const unsigned kPeerSignatureAlgorithmTag =
192 CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 23;
193static const unsigned kTicketMaxEarlyDataTag =
194 CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 24;
195static const unsigned kAuthTimeoutTag =
196 CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 25;
197static const unsigned kEarlyALPNTag =
198 CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 26;
199
200static int SSL_SESSION_to_bytes_full(const SSL_SESSION *in, CBB *cbb,
201 int for_ticket) {
202 if (in == NULL || in->cipher == NULL) {
203 return 0;
204 }
205
206 CBB session, child, child2;
207 if (!CBB_add_asn1(cbb, &session, CBS_ASN1_SEQUENCE) ||
208 !CBB_add_asn1_uint64(&session, kVersion) ||
209 !CBB_add_asn1_uint64(&session, in->ssl_version) ||
210 !CBB_add_asn1(&session, &child, CBS_ASN1_OCTETSTRING) ||
211 !CBB_add_u16(&child, (uint16_t)(in->cipher->id & 0xffff)) ||
212 // The session ID is irrelevant for a session ticket.
213 !CBB_add_asn1_octet_string(&session, in->session_id,
214 for_ticket ? 0 : in->session_id_length) ||
215 !CBB_add_asn1_octet_string(&session, in->master_key,
216 in->master_key_length) ||
217 !CBB_add_asn1(&session, &child, kTimeTag) ||
218 !CBB_add_asn1_uint64(&child, in->time) ||
219 !CBB_add_asn1(&session, &child, kTimeoutTag) ||
220 !CBB_add_asn1_uint64(&child, in->timeout)) {
221 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
222 return 0;
223 }
224
225 // The peer certificate is only serialized if the SHA-256 isn't
226 // serialized instead.
227 if (sk_CRYPTO_BUFFER_num(in->certs.get()) > 0 && !in->peer_sha256_valid) {
228 const CRYPTO_BUFFER *buffer = sk_CRYPTO_BUFFER_value(in->certs.get(), 0);
229 if (!CBB_add_asn1(&session, &child, kPeerTag) ||
230 !CBB_add_bytes(&child, CRYPTO_BUFFER_data(buffer),
231 CRYPTO_BUFFER_len(buffer))) {
232 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
233 return 0;
234 }
235 }
236
237 // Although it is OPTIONAL and usually empty, OpenSSL has
238 // historically always encoded the sid_ctx.
239 if (!CBB_add_asn1(&session, &child, kSessionIDContextTag) ||
240 !CBB_add_asn1_octet_string(&child, in->sid_ctx, in->sid_ctx_length)) {
241 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
242 return 0;
243 }
244
245 if (in->verify_result != X509_V_OK) {
246 if (!CBB_add_asn1(&session, &child, kVerifyResultTag) ||
247 !CBB_add_asn1_uint64(&child, in->verify_result)) {
248 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
249 return 0;
250 }
251 }
252
253 if (in->psk_identity) {
254 if (!CBB_add_asn1(&session, &child, kPSKIdentityTag) ||
Andrew Top61a84952019-04-30 15:07:33 -0700[diff] [blame]255 !CBB_add_asn1_octet_string(
256 &child, (const uint8_t *)in->psk_identity.get(),
Kaido Kert6f3fc442021-06-25 11:58:59 -0700[diff] [blame]257 strlen(in->psk_identity.get()))) {
Andrew Topdee8b292019-01-22 14:48:26 -0800[diff] [blame]258 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
259 return 0;
260 }
261 }
262
263 if (in->ticket_lifetime_hint > 0) {
264 if (!CBB_add_asn1(&session, &child, kTicketLifetimeHintTag) ||
265 !CBB_add_asn1_uint64(&child, in->ticket_lifetime_hint)) {
266 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
267 return 0;
268 }
269 }
270
271 if (!in->ticket.empty() && !for_ticket) {
272 if (!CBB_add_asn1(&session, &child, kTicketTag) ||
273 !CBB_add_asn1_octet_string(&child, in->ticket.data(),
274 in->ticket.size())) {
275 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
276 return 0;
277 }
278 }
279
280 if (in->peer_sha256_valid) {
281 if (!CBB_add_asn1(&session, &child, kPeerSHA256Tag) ||
282 !CBB_add_asn1_octet_string(&child, in->peer_sha256,
283 sizeof(in->peer_sha256))) {
284 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
285 return 0;
286 }
287 }
288
289 if (in->original_handshake_hash_len > 0) {
290 if (!CBB_add_asn1(&session, &child, kOriginalHandshakeHashTag) ||
291 !CBB_add_asn1_octet_string(&child, in->original_handshake_hash,
292 in->original_handshake_hash_len)) {
293 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
294 return 0;
295 }
296 }
297
298 if (in->signed_cert_timestamp_list != nullptr) {
299 if (!CBB_add_asn1(&session, &child, kSignedCertTimestampListTag) ||
300 !CBB_add_asn1_octet_string(
301 &child, CRYPTO_BUFFER_data(in->signed_cert_timestamp_list.get()),
302 CRYPTO_BUFFER_len(in->signed_cert_timestamp_list.get()))) {
303 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
304 return 0;
305 }
306 }
307
308 if (in->ocsp_response != nullptr) {
309 if (!CBB_add_asn1(&session, &child, kOCSPResponseTag) ||
310 !CBB_add_asn1_octet_string(
311 &child, CRYPTO_BUFFER_data(in->ocsp_response.get()),
312 CRYPTO_BUFFER_len(in->ocsp_response.get()))) {
313 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
314 return 0;
315 }
316 }
317
318 if (in->extended_master_secret) {
319 if (!CBB_add_asn1(&session, &child, kExtendedMasterSecretTag) ||
320 !CBB_add_asn1_bool(&child, true)) {
321 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
322 return 0;
323 }
324 }
325
326 if (in->group_id > 0 &&
327 (!CBB_add_asn1(&session, &child, kGroupIDTag) ||
328 !CBB_add_asn1_uint64(&child, in->group_id))) {
329 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
330 return 0;
331 }
332
333 // The certificate chain is only serialized if the leaf's SHA-256 isn't
334 // serialized instead.
335 if (in->certs != NULL &&
336 !in->peer_sha256_valid &&
337 sk_CRYPTO_BUFFER_num(in->certs.get()) >= 2) {
338 if (!CBB_add_asn1(&session, &child, kCertChainTag)) {
339 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
340 return 0;
341 }
342 for (size_t i = 1; i < sk_CRYPTO_BUFFER_num(in->certs.get()); i++) {
343 const CRYPTO_BUFFER *buffer = sk_CRYPTO_BUFFER_value(in->certs.get(), i);
344 if (!CBB_add_bytes(&child, CRYPTO_BUFFER_data(buffer),
345 CRYPTO_BUFFER_len(buffer))) {
346 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
347 return 0;
348 }
349 }
350 }
351
352 if (in->ticket_age_add_valid) {
353 if (!CBB_add_asn1(&session, &child, kTicketAgeAddTag) ||
354 !CBB_add_asn1(&child, &child2, CBS_ASN1_OCTETSTRING) ||
355 !CBB_add_u32(&child2, in->ticket_age_add)) {
356 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
357 return 0;
358 }
359 }
360
361 if (!in->is_server) {
362 if (!CBB_add_asn1(&session, &child, kIsServerTag) ||
363 !CBB_add_asn1_bool(&child, false)) {
364 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
365 return 0;
366 }
367 }
368
369 if (in->peer_signature_algorithm != 0 &&
370 (!CBB_add_asn1(&session, &child, kPeerSignatureAlgorithmTag) ||
371 !CBB_add_asn1_uint64(&child, in->peer_signature_algorithm))) {
372 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
373 return 0;
374 }
375
376 if (in->ticket_max_early_data != 0 &&
377 (!CBB_add_asn1(&session, &child, kTicketMaxEarlyDataTag) ||
378 !CBB_add_asn1_uint64(&child, in->ticket_max_early_data))) {
379 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
380 return 0;
381 }
382
383 if (in->timeout != in->auth_timeout &&
384 (!CBB_add_asn1(&session, &child, kAuthTimeoutTag) ||
385 !CBB_add_asn1_uint64(&child, in->auth_timeout))) {
386 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
387 return 0;
388 }
389
390 if (!in->early_alpn.empty()) {
391 if (!CBB_add_asn1(&session, &child, kEarlyALPNTag) ||
392 !CBB_add_asn1_octet_string(&child, in->early_alpn.data(),
393 in->early_alpn.size())) {
394 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
395 return 0;
396 }
397 }
398
399 return CBB_flush(cbb);
400}
401
402// SSL_SESSION_parse_string gets an optional ASN.1 OCTET STRING explicitly
403// tagged with |tag| from |cbs| and saves it in |*out|. If the element was not
404// found, it sets |*out| to NULL. It returns one on success, whether or not the
405// element was found, and zero on decode error.
406static int SSL_SESSION_parse_string(CBS *cbs, UniquePtr<char> *out, unsigned tag) {
407 CBS value;
408 int present;
409 if (!CBS_get_optional_asn1_octet_string(cbs, &value, &present, tag)) {
410 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION);
411 return 0;
412 }
413 if (present) {
414 if (CBS_contains_zero_byte(&value)) {
415 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION);
416 return 0;
417 }
418 char *raw = nullptr;
419 if (!CBS_strdup(&value, &raw)) {
420 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
421 return 0;
422 }
423 out->reset(raw);
424 } else {
425 out->reset();
426 }
427 return 1;
428}
429
430// SSL_SESSION_parse_octet_string gets an optional ASN.1 OCTET STRING explicitly
431// tagged with |tag| from |cbs| and stows it in |*out|. It returns one on
432// success, whether or not the element was found, and zero on decode error.
433static bool SSL_SESSION_parse_octet_string(CBS *cbs, Array<uint8_t> *out,
434 unsigned tag) {
435 CBS value;
436 if (!CBS_get_optional_asn1_octet_string(cbs, &value, NULL, tag)) {
437 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION);
438 return false;
439 }
440 return out->CopyFrom(value);
441}
442
443static int SSL_SESSION_parse_crypto_buffer(CBS *cbs,
444 UniquePtr<CRYPTO_BUFFER> *out,
445 unsigned tag,
446 CRYPTO_BUFFER_POOL *pool) {
447 if (!CBS_peek_asn1_tag(cbs, tag)) {
448 return 1;
449 }
450
451 CBS child, value;
452 if (!CBS_get_asn1(cbs, &child, tag) ||
453 !CBS_get_asn1(&child, &value, CBS_ASN1_OCTETSTRING) ||
454 CBS_len(&child) != 0) {
455 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION);
456 return 0;
457 }
458 out->reset(CRYPTO_BUFFER_new_from_CBS(&value, pool));
459 if (*out == nullptr) {
460 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
461 return 0;
462 }
463 return 1;
464}
465
466// SSL_SESSION_parse_bounded_octet_string parses an optional ASN.1 OCTET STRING
467// explicitly tagged with |tag| of size at most |max_out|.
468static int SSL_SESSION_parse_bounded_octet_string(
469 CBS *cbs, uint8_t *out, uint8_t *out_len, uint8_t max_out, unsigned tag) {
470 CBS value;
471 if (!CBS_get_optional_asn1_octet_string(cbs, &value, NULL, tag) ||
472 CBS_len(&value) > max_out) {
473 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION);
474 return 0;
475 }
476 OPENSSL_memcpy(out, CBS_data(&value), CBS_len(&value));
477 *out_len = (uint8_t)CBS_len(&value);
478 return 1;
479}
480
481static int SSL_SESSION_parse_long(CBS *cbs, long *out, unsigned tag,
482 long default_value) {
483 uint64_t value;
484 if (!CBS_get_optional_asn1_uint64(cbs, &value, tag,
485 (uint64_t)default_value) ||
486 value > LONG_MAX) {
487 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION);
488 return 0;
489 }
490 *out = (long)value;
491 return 1;
492}
493
494static int SSL_SESSION_parse_u32(CBS *cbs, uint32_t *out, unsigned tag,
495 uint32_t default_value) {
496 uint64_t value;
497 if (!CBS_get_optional_asn1_uint64(cbs, &value, tag,
498 (uint64_t)default_value) ||
499 value > 0xffffffff) {
500 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION);
501 return 0;
502 }
503 *out = (uint32_t)value;
504 return 1;
505}
506
507static int SSL_SESSION_parse_u16(CBS *cbs, uint16_t *out, unsigned tag,
508 uint16_t default_value) {
509 uint64_t value;
510 if (!CBS_get_optional_asn1_uint64(cbs, &value, tag,
511 (uint64_t)default_value) ||
512 value > 0xffff) {
513 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION);
514 return 0;
515 }
516 *out = (uint16_t)value;
517 return 1;
518}
519
520UniquePtr<SSL_SESSION> SSL_SESSION_parse(CBS *cbs,
521 const SSL_X509_METHOD *x509_method,
522 CRYPTO_BUFFER_POOL *pool) {
523 UniquePtr<SSL_SESSION> ret = ssl_session_new(x509_method);
524 if (!ret) {
525 return nullptr;
526 }
527
528 CBS session;
529 uint64_t version, ssl_version;
530 uint16_t unused;
531 if (!CBS_get_asn1(cbs, &session, CBS_ASN1_SEQUENCE) ||
532 !CBS_get_asn1_uint64(&session, &version) ||
533 version != kVersion ||
534 !CBS_get_asn1_uint64(&session, &ssl_version) ||
535 // Require sessions have versions valid in either TLS or DTLS. The session
536 // will not be used by the handshake if not applicable, but, for
537 // simplicity, never parse a session that does not pass
538 // |ssl_protocol_version_from_wire|.
539 ssl_version > UINT16_MAX ||
540 !ssl_protocol_version_from_wire(&unused, ssl_version)) {
541 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION);
542 return nullptr;
543 }
544 ret->ssl_version = ssl_version;
545
546 CBS cipher;
547 uint16_t cipher_value;
548 if (!CBS_get_asn1(&session, &cipher, CBS_ASN1_OCTETSTRING) ||
549 !CBS_get_u16(&cipher, &cipher_value) ||
550 CBS_len(&cipher) != 0) {
551 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION);
552 return nullptr;
553 }
554 ret->cipher = SSL_get_cipher_by_value(cipher_value);
555 if (ret->cipher == NULL) {
556 OPENSSL_PUT_ERROR(SSL, SSL_R_UNSUPPORTED_CIPHER);
557 return nullptr;
558 }
559
560 CBS session_id, master_key;
561 if (!CBS_get_asn1(&session, &session_id, CBS_ASN1_OCTETSTRING) ||
562 CBS_len(&session_id) > SSL3_MAX_SSL_SESSION_ID_LENGTH ||
563 !CBS_get_asn1(&session, &master_key, CBS_ASN1_OCTETSTRING) ||
564 CBS_len(&master_key) > SSL_MAX_MASTER_KEY_LENGTH) {
565 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION);
566 return nullptr;
567 }
568 OPENSSL_memcpy(ret->session_id, CBS_data(&session_id), CBS_len(&session_id));
569 ret->session_id_length = CBS_len(&session_id);
570 OPENSSL_memcpy(ret->master_key, CBS_data(&master_key), CBS_len(&master_key));
571 ret->master_key_length = CBS_len(&master_key);
572
573 CBS child;
574 uint64_t timeout;
575 if (!CBS_get_asn1(&session, &child, kTimeTag) ||
576 !CBS_get_asn1_uint64(&child, &ret->time) ||
577 !CBS_get_asn1(&session, &child, kTimeoutTag) ||
578 !CBS_get_asn1_uint64(&child, &timeout) ||
579 timeout > UINT32_MAX) {
580 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION);
581 return nullptr;
582 }
583
584 ret->timeout = (uint32_t)timeout;
585
586 CBS peer;
587 int has_peer;
588 if (!CBS_get_optional_asn1(&session, &peer, &has_peer, kPeerTag) ||
589 (has_peer && CBS_len(&peer) == 0)) {
590 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION);
591 return nullptr;
592 }
593 // |peer| is processed with the certificate chain.
594
595 if (!SSL_SESSION_parse_bounded_octet_string(
596 &session, ret->sid_ctx, &ret->sid_ctx_length, sizeof(ret->sid_ctx),
597 kSessionIDContextTag) ||
598 !SSL_SESSION_parse_long(&session, &ret->verify_result, kVerifyResultTag,
599 X509_V_OK)) {
600 return nullptr;
601 }
602
603 // Skip the historical hostName field.
604 CBS unused_hostname;
605 if (!CBS_get_optional_asn1(&session, &unused_hostname, nullptr,
606 kHostNameTag)) {
607 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION);
608 return nullptr;
609 }
610
611 if (!SSL_SESSION_parse_string(&session, &ret->psk_identity,
612 kPSKIdentityTag) ||
613 !SSL_SESSION_parse_u32(&session, &ret->ticket_lifetime_hint,
614 kTicketLifetimeHintTag, 0) ||
615 !SSL_SESSION_parse_octet_string(&session, &ret->ticket, kTicketTag)) {
616 return nullptr;
617 }
618
619 if (CBS_peek_asn1_tag(&session, kPeerSHA256Tag)) {
620 CBS peer_sha256;
621 if (!CBS_get_asn1(&session, &child, kPeerSHA256Tag) ||
622 !CBS_get_asn1(&child, &peer_sha256, CBS_ASN1_OCTETSTRING) ||
623 CBS_len(&peer_sha256) != sizeof(ret->peer_sha256) ||
624 CBS_len(&child) != 0) {
625 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION);
626 return nullptr;
627 }
628 OPENSSL_memcpy(ret->peer_sha256, CBS_data(&peer_sha256),
629 sizeof(ret->peer_sha256));
630 ret->peer_sha256_valid = 1;
631 } else {
632 ret->peer_sha256_valid = 0;
633 }
634
635 if (!SSL_SESSION_parse_bounded_octet_string(
636 &session, ret->original_handshake_hash,
637 &ret->original_handshake_hash_len,
638 sizeof(ret->original_handshake_hash), kOriginalHandshakeHashTag) ||
639 !SSL_SESSION_parse_crypto_buffer(&session,
640 &ret->signed_cert_timestamp_list,
641 kSignedCertTimestampListTag, pool) ||
642 !SSL_SESSION_parse_crypto_buffer(&session, &ret->ocsp_response,
643 kOCSPResponseTag, pool)) {
644 return nullptr;
645 }
646
647 int extended_master_secret;
648 if (!CBS_get_optional_asn1_bool(&session, &extended_master_secret,
649 kExtendedMasterSecretTag,
650 0 /* default to false */)) {
651 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION);
652 return nullptr;
653 }
654 ret->extended_master_secret = !!extended_master_secret;
655
656 if (!SSL_SESSION_parse_u16(&session, &ret->group_id, kGroupIDTag, 0)) {
657 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION);
658 return nullptr;
659 }
660
661 CBS cert_chain;
662 CBS_init(&cert_chain, NULL, 0);
663 int has_cert_chain;
664 if (!CBS_get_optional_asn1(&session, &cert_chain, &has_cert_chain,
665 kCertChainTag) ||
666 (has_cert_chain && CBS_len(&cert_chain) == 0)) {
667 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION);
668 return nullptr;
669 }
670 if (has_cert_chain && !has_peer) {
671 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION);
672 return nullptr;
673 }
674 if (has_peer || has_cert_chain) {
675 ret->certs.reset(sk_CRYPTO_BUFFER_new_null());
676 if (ret->certs == nullptr) {
677 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
678 return nullptr;
679 }
680
681 if (has_peer) {
682 UniquePtr<CRYPTO_BUFFER> buffer(CRYPTO_BUFFER_new_from_CBS(&peer, pool));
683 if (!buffer ||
684 !PushToStack(ret->certs.get(), std::move(buffer))) {
685 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
686 return nullptr;
687 }
688 }
689
690 while (CBS_len(&cert_chain) > 0) {
691 CBS cert;
692 if (!CBS_get_any_asn1_element(&cert_chain, &cert, NULL, NULL) ||
693 CBS_len(&cert) == 0) {
694 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION);
695 return nullptr;
696 }
697
698 UniquePtr<CRYPTO_BUFFER> buffer(CRYPTO_BUFFER_new_from_CBS(&cert, pool));
699 if (buffer == nullptr ||
700 !PushToStack(ret->certs.get(), std::move(buffer))) {
701 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
702 return nullptr;
703 }
704 }
705 }
706
707 if (!x509_method->session_cache_objects(ret.get())) {
708 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION);
709 return nullptr;
710 }
711
712 CBS age_add;
713 int age_add_present;
714 if (!CBS_get_optional_asn1_octet_string(&session, &age_add, &age_add_present,
715 kTicketAgeAddTag) ||
716 (age_add_present &&
717 !CBS_get_u32(&age_add, &ret->ticket_age_add)) ||
718 CBS_len(&age_add) != 0) {
719 return nullptr;
720 }
721 ret->ticket_age_add_valid = age_add_present != 0;
722
723 int is_server;
724 if (!CBS_get_optional_asn1_bool(&session, &is_server, kIsServerTag,
725 1 /* default to true */)) {
726 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION);
727 return nullptr;
728 }
729 /* TODO: in time we can include |is_server| for servers too, then we can
730 enforce that client and server sessions are never mixed up. */
731
732 ret->is_server = is_server;
733
734 if (!SSL_SESSION_parse_u16(&session, &ret->peer_signature_algorithm,
735 kPeerSignatureAlgorithmTag, 0) ||
736 !SSL_SESSION_parse_u32(&session, &ret->ticket_max_early_data,
737 kTicketMaxEarlyDataTag, 0) ||
738 !SSL_SESSION_parse_u32(&session, &ret->auth_timeout, kAuthTimeoutTag,
739 ret->timeout) ||
740 !SSL_SESSION_parse_octet_string(&session, &ret->early_alpn,
741 kEarlyALPNTag) ||
742 CBS_len(&session) != 0) {
743 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION);
744 return nullptr;
745 }
746
747 return ret;
748}
749
750int ssl_session_serialize(const SSL_SESSION *in, CBB *cbb) {
751 return SSL_SESSION_to_bytes_full(in, cbb, 0);
752}
753
Andrew Top193dc3d2019-01-23 09:57:23 -0800[diff] [blame]754} // namespace bssl
Andrew Topdee8b292019-01-22 14:48:26 -0800[diff] [blame]755
756using namespace bssl;
757
758int SSL_SESSION_to_bytes(const SSL_SESSION *in, uint8_t **out_data,
759 size_t *out_len) {
760 if (in->not_resumable) {
761 // If the caller has an unresumable session, e.g. if |SSL_get_session| were
762 // called on a TLS 1.3 or False Started connection, serialize with a
763 // placeholder value so it is not accidentally deserialized into a resumable
764 // one.
765 static const char kNotResumableSession[] = "NOT RESUMABLE";
766
Kaido Kert6f3fc442021-06-25 11:58:59 -0700[diff] [blame]767 *out_len = strlen(kNotResumableSession);
Andrew Topdee8b292019-01-22 14:48:26 -0800[diff] [blame]768 *out_data = (uint8_t *)BUF_memdup(kNotResumableSession, *out_len);
769 if (*out_data == NULL) {
770 return 0;
771 }
772
773 return 1;
774 }
775
776 ScopedCBB cbb;
777 if (!CBB_init(cbb.get(), 256) ||
778 !SSL_SESSION_to_bytes_full(in, cbb.get(), 0) ||
779 !CBB_finish(cbb.get(), out_data, out_len)) {
780 return 0;
781 }
782
783 return 1;
784}
785
786int SSL_SESSION_to_bytes_for_ticket(const SSL_SESSION *in, uint8_t **out_data,
787 size_t *out_len) {
788 ScopedCBB cbb;
789 if (!CBB_init(cbb.get(), 256) ||
790 !SSL_SESSION_to_bytes_full(in, cbb.get(), 1) ||
791 !CBB_finish(cbb.get(), out_data, out_len)) {
792 return 0;
793 }
794
795 return 1;
796}
797
798int i2d_SSL_SESSION(SSL_SESSION *in, uint8_t **pp) {
799 uint8_t *out;
800 size_t len;
801
802 if (!SSL_SESSION_to_bytes(in, &out, &len)) {
803 return -1;
804 }
805
806 if (len > INT_MAX) {
807 OPENSSL_free(out);
808 OPENSSL_PUT_ERROR(SSL, ERR_R_OVERFLOW);
809 return -1;
810 }
811
812 if (pp) {
813 OPENSSL_memcpy(*pp, out, len);
814 *pp += len;
815 }
816 OPENSSL_free(out);
817
818 return len;
819}
820
821SSL_SESSION *SSL_SESSION_from_bytes(const uint8_t *in, size_t in_len,
822 const SSL_CTX *ctx) {
823 CBS cbs;
824 CBS_init(&cbs, in, in_len);
825 UniquePtr<SSL_SESSION> ret =
826 SSL_SESSION_parse(&cbs, ctx->x509_method, ctx->pool);
827 if (!ret) {
828 return NULL;
829 }
830 if (CBS_len(&cbs) != 0) {
831 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION);
832 return NULL;
833 }
834 return ret.release();
835}