in ssl/handoff.cc [469:770]
bool SSL_apply_handback(SSL *ssl, Span<const uint8_t> handback) {
if (ssl->do_handshake != nullptr ||
ssl->method->is_dtls) {
return false;
}
SSL3_STATE *const s3 = ssl->s3;
uint64_t handback_version, unused_token_binding_param, cipher, type_u64,
alps_codepoint;
CBS seq, read_seq, write_seq, server_rand, client_rand, read_iv, write_iv,
next_proto, alpn, hostname, unused_channel_id, transcript, key_share;
int session_reused, channel_id_negotiated, cert_request,
extended_master_secret, ticket_expected, unused_token_binding,
next_proto_neg_seen;
SSL_SESSION *session = nullptr;
CBS handback_cbs(handback);
if (!CBS_get_asn1(&handback_cbs, &seq, CBS_ASN1_SEQUENCE) ||
!CBS_get_asn1_uint64(&seq, &handback_version) ||
handback_version != kHandbackVersion ||
!CBS_get_asn1_uint64(&seq, &type_u64) ||
type_u64 > handback_max_value) {
return false;
}
handback_t type = static_cast<handback_t>(type_u64);
if (!CBS_get_asn1(&seq, &read_seq, CBS_ASN1_OCTETSTRING) ||
CBS_len(&read_seq) != sizeof(s3->read_sequence) ||
!CBS_get_asn1(&seq, &write_seq, CBS_ASN1_OCTETSTRING) ||
CBS_len(&write_seq) != sizeof(s3->write_sequence) ||
!CBS_get_asn1(&seq, &server_rand, CBS_ASN1_OCTETSTRING) ||
CBS_len(&server_rand) != sizeof(s3->server_random) ||
!CBS_copy_bytes(&server_rand, s3->server_random,
sizeof(s3->server_random)) ||
!CBS_get_asn1(&seq, &client_rand, CBS_ASN1_OCTETSTRING) ||
CBS_len(&client_rand) != sizeof(s3->client_random) ||
!CBS_copy_bytes(&client_rand, s3->client_random,
sizeof(s3->client_random)) ||
!CBS_get_asn1(&seq, &read_iv, CBS_ASN1_OCTETSTRING) ||
!CBS_get_asn1(&seq, &write_iv, CBS_ASN1_OCTETSTRING) ||
!CBS_get_asn1_bool(&seq, &session_reused) ||
!CBS_get_asn1_bool(&seq, &channel_id_negotiated)) {
return false;
}
s3->hs = ssl_handshake_new(ssl);
if (!s3->hs) {
return false;
}
SSL_HANDSHAKE *const hs = s3->hs.get();
if (!session_reused || type == handback_tls13) {
hs->new_session =
SSL_SESSION_parse(&seq, ssl->ctx->x509_method, ssl->ctx->pool);
session = hs->new_session.get();
} else {
ssl->session =
SSL_SESSION_parse(&seq, ssl->ctx->x509_method, ssl->ctx->pool);
session = ssl->session.get();
}
if (!session || !CBS_get_asn1(&seq, &next_proto, CBS_ASN1_OCTETSTRING) ||
!CBS_get_asn1(&seq, &alpn, CBS_ASN1_OCTETSTRING) ||
!CBS_get_asn1(&seq, &hostname, CBS_ASN1_OCTETSTRING) ||
!CBS_get_asn1(&seq, &unused_channel_id, CBS_ASN1_OCTETSTRING) ||
!CBS_get_asn1_bool(&seq, &unused_token_binding) ||
!CBS_get_asn1_uint64(&seq, &unused_token_binding_param) ||
!CBS_get_asn1_bool(&seq, &next_proto_neg_seen) ||
!CBS_get_asn1_bool(&seq, &cert_request) ||
!CBS_get_asn1_bool(&seq, &extended_master_secret) ||
!CBS_get_asn1_bool(&seq, &ticket_expected) ||
!CBS_get_asn1_uint64(&seq, &cipher)) {
return false;
}
if ((hs->new_cipher =
SSL_get_cipher_by_value(static_cast<uint16_t>(cipher))) == nullptr) {
return false;
}
if (!CBS_get_asn1(&seq, &transcript, CBS_ASN1_OCTETSTRING) ||
!CBS_get_asn1(&seq, &key_share, CBS_ASN1_SEQUENCE)) {
return false;
}
CBS client_handshake_secret, server_handshake_secret, client_traffic_secret_0,
server_traffic_secret_0, secret, exporter_secret, early_traffic_secret;
if (type == handback_tls13) {
int used_hello_retry_request, accept_psk_mode;
uint64_t early_data, early_data_reason;
int64_t ticket_age_skew;
if (!CBS_get_asn1(&seq, &client_traffic_secret_0, CBS_ASN1_OCTETSTRING) ||
!CBS_get_asn1(&seq, &server_traffic_secret_0, CBS_ASN1_OCTETSTRING) ||
!CBS_get_asn1(&seq, &client_handshake_secret, CBS_ASN1_OCTETSTRING) ||
!CBS_get_asn1(&seq, &server_handshake_secret, CBS_ASN1_OCTETSTRING) ||
!CBS_get_asn1(&seq, &secret, CBS_ASN1_OCTETSTRING) ||
!CBS_get_asn1(&seq, &exporter_secret, CBS_ASN1_OCTETSTRING) ||
!CBS_get_asn1_bool(&seq, &used_hello_retry_request) ||
!CBS_get_asn1_bool(&seq, &accept_psk_mode) ||
!CBS_get_asn1_int64(&seq, &ticket_age_skew) ||
!CBS_get_asn1_uint64(&seq, &early_data_reason) ||
early_data_reason > ssl_early_data_reason_max_value ||
!CBS_get_asn1_uint64(&seq, &early_data) ||
early_data > early_data_max_value) {
return false;
}
early_data_t early_data_type = static_cast<early_data_t>(early_data);
if (early_data_type == early_data_accepted &&
!CBS_get_asn1(&seq, &early_traffic_secret, CBS_ASN1_OCTETSTRING)) {
return false;
}
if (session->has_application_settings) {
// Making it optional to keep compatibility with older handshakers.
// Older handshakers won't send the field.
if (CBS_len(&seq) == 0) {
hs->config->alps_use_new_codepoint = false;
} else {
if (!CBS_get_asn1_uint64(&seq, &alps_codepoint)) {
return false;
}
if (alps_codepoint == TLSEXT_TYPE_application_settings) {
hs->config->alps_use_new_codepoint = true;
} else if (alps_codepoint == TLSEXT_TYPE_application_settings_old) {
hs->config->alps_use_new_codepoint = false;
} else {
OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_ALPS_CODEPOINT);
return false;
}
}
}
if (ticket_age_skew > std::numeric_limits<int32_t>::max() ||
ticket_age_skew < std::numeric_limits<int32_t>::min()) {
return false;
}
s3->ticket_age_skew = static_cast<int32_t>(ticket_age_skew);
s3->used_hello_retry_request = used_hello_retry_request;
hs->accept_psk_mode = accept_psk_mode;
s3->early_data_reason =
static_cast<ssl_early_data_reason_t>(early_data_reason);
ssl->enable_early_data = s3->early_data_reason != ssl_early_data_disabled;
s3->skip_early_data = false;
s3->early_data_accepted = false;
hs->early_data_offered = false;
switch (early_data_type) {
case early_data_not_offered:
break;
case early_data_accepted:
s3->early_data_accepted = true;
hs->early_data_offered = true;
hs->can_early_write = true;
hs->can_early_read = true;
hs->in_early_data = true;
break;
case early_data_rejected_hrr:
hs->early_data_offered = true;
break;
case early_data_skipped:
s3->skip_early_data = true;
hs->early_data_offered = true;
break;
default:
return false;
}
} else {
s3->early_data_reason = ssl_early_data_protocol_version;
}
ssl->version = session->ssl_version;
s3->have_version = true;
if (!ssl_method_supports_version(ssl->method, ssl->version) ||
session->cipher != hs->new_cipher ||
ssl_protocol_version(ssl) < SSL_CIPHER_get_min_version(session->cipher) ||
SSL_CIPHER_get_max_version(session->cipher) < ssl_protocol_version(ssl)) {
return false;
}
ssl->do_handshake = ssl_server_handshake;
ssl->server = true;
switch (type) {
case handback_after_session_resumption:
hs->state = state12_read_change_cipher_spec;
if (!session_reused) {
return false;
}
break;
case handback_after_ecdhe:
hs->state = state12_read_client_certificate;
if (session_reused) {
return false;
}
break;
case handback_after_handshake:
hs->state = state12_finish_server_handshake;
break;
case handback_tls13:
hs->state = state12_tls13;
hs->tls13_state = state13_send_half_rtt_ticket;
break;
default:
return false;
}
s3->session_reused = session_reused;
hs->channel_id_negotiated = channel_id_negotiated;
s3->next_proto_negotiated.CopyFrom(next_proto);
s3->alpn_selected.CopyFrom(alpn);
const size_t hostname_len = CBS_len(&hostname);
if (hostname_len == 0) {
s3->hostname.reset();
} else {
char *hostname_str = nullptr;
if (!CBS_strdup(&hostname, &hostname_str)) {
return false;
}
s3->hostname.reset(hostname_str);
}
hs->next_proto_neg_seen = next_proto_neg_seen;
hs->wait = ssl_hs_flush;
hs->extended_master_secret = extended_master_secret;
hs->ticket_expected = ticket_expected;
s3->aead_write_ctx->SetVersionIfNullCipher(ssl->version);
hs->cert_request = cert_request;
if (type != handback_after_handshake &&
(!hs->transcript.Init() ||
!hs->transcript.InitHash(ssl_protocol_version(ssl), hs->new_cipher) ||
!hs->transcript.Update(transcript))) {
return false;
}
if (type == handback_tls13) {
hs->ResizeSecrets(hs->transcript.DigestLen());
if (!CopyExact(hs->client_traffic_secret_0(), &client_traffic_secret_0) ||
!CopyExact(hs->server_traffic_secret_0(), &server_traffic_secret_0) ||
!CopyExact(hs->client_handshake_secret(), &client_handshake_secret) ||
!CopyExact(hs->server_handshake_secret(), &server_handshake_secret) ||
!CopyExact(hs->secret(), &secret) ||
!CopyExact({s3->exporter_secret, hs->transcript.DigestLen()},
&exporter_secret)) {
return false;
}
s3->exporter_secret_len = CBS_len(&exporter_secret);
if (s3->early_data_accepted &&
!CopyExact(hs->early_traffic_secret(), &early_traffic_secret)) {
return false;
}
}
Array<uint8_t> key_block;
switch (type) {
case handback_after_session_resumption:
// The write keys are installed after server Finished, but the client
// keys must wait for ChangeCipherSpec.
if (!tls1_configure_aead(ssl, evp_aead_seal, &key_block, session,
write_iv)) {
return false;
}
break;
case handback_after_ecdhe:
// The premaster secret is not yet computed, so install no keys.
break;
case handback_after_handshake:
// The handshake is complete, so both keys are installed.
if (!tls1_configure_aead(ssl, evp_aead_seal, &key_block, session,
write_iv) ||
!tls1_configure_aead(ssl, evp_aead_open, &key_block, session,
read_iv)) {
return false;
}
break;
case handback_tls13:
// After server Finished, the application write keys are installed, but
// none of the read keys. The read keys are installed in the state machine
// immediately after processing handback.
if (!tls13_set_traffic_key(ssl, ssl_encryption_application, evp_aead_seal,
hs->new_session.get(),
hs->server_traffic_secret_0())) {
return false;
}
break;
}
if (!CopyExact({s3->read_sequence, sizeof(s3->read_sequence)}, &read_seq) ||
!CopyExact({s3->write_sequence, sizeof(s3->write_sequence)},
&write_seq)) {
return false;
}
if (type == handback_after_ecdhe) {
uint64_t group_id;
CBS private_key;
if (!CBS_get_asn1_uint64(&key_share, &group_id) || //
group_id > 0xffff ||
!CBS_get_asn1(&key_share, &private_key, CBS_ASN1_OCTETSTRING)) {
return false;
}
hs->key_shares[0] = SSLKeyShare::Create(group_id);
if (!hs->key_shares[0] ||
!hs->key_shares[0]->DeserializePrivateKey(&private_key)) {
return false;
}
}
return true; // Trailing data allowed for extensibility.
}