in ssl/handoff.cc [291:459]
bool SSL_serialize_handback(const SSL *ssl, CBB *out) {
if (!ssl->server || uses_disallowed_feature(ssl)) {
return false;
}
const SSL3_STATE *const s3 = ssl->s3;
SSL_HANDSHAKE *const hs = s3->hs.get();
handback_t type;
switch (hs->state) {
case state12_read_change_cipher_spec:
type = handback_after_session_resumption;
break;
case state12_read_client_certificate:
type = handback_after_ecdhe;
break;
case state12_finish_server_handshake:
type = handback_after_handshake;
break;
case state12_tls13:
if (hs->tls13_state != state13_send_half_rtt_ticket) {
return false;
}
type = handback_tls13;
break;
default:
return false;
}
size_t hostname_len = 0;
if (s3->hostname) {
hostname_len = strlen(s3->hostname.get());
}
Span<const uint8_t> transcript;
if (type != handback_after_handshake) {
transcript = s3->hs->transcript.buffer();
}
size_t write_iv_len = 0;
const uint8_t *write_iv = nullptr;
if ((type == handback_after_session_resumption ||
type == handback_after_handshake) &&
ssl->version == TLS1_VERSION &&
SSL_CIPHER_is_block_cipher(s3->aead_write_ctx->cipher()) &&
!s3->aead_write_ctx->GetIV(&write_iv, &write_iv_len)) {
return false;
}
size_t read_iv_len = 0;
const uint8_t *read_iv = nullptr;
if (type == handback_after_handshake &&
ssl->version == TLS1_VERSION &&
SSL_CIPHER_is_block_cipher(s3->aead_read_ctx->cipher()) &&
!s3->aead_read_ctx->GetIV(&read_iv, &read_iv_len)) {
return false;
}
// TODO(mab): make sure everything is serialized.
CBB seq, key_share;
const SSL_SESSION *session;
if (type == handback_tls13) {
session = hs->new_session.get();
} else {
session = s3->session_reused ? ssl->session.get() : hs->new_session.get();
}
static const uint8_t kUnusedChannelID[64] = {0};
if (!CBB_add_asn1(out, &seq, CBS_ASN1_SEQUENCE) ||
!CBB_add_asn1_uint64(&seq, kHandbackVersion) ||
!CBB_add_asn1_uint64(&seq, type) ||
!CBB_add_asn1_octet_string(&seq, s3->read_sequence,
sizeof(s3->read_sequence)) ||
!CBB_add_asn1_octet_string(&seq, s3->write_sequence,
sizeof(s3->write_sequence)) ||
!CBB_add_asn1_octet_string(&seq, s3->server_random,
sizeof(s3->server_random)) ||
!CBB_add_asn1_octet_string(&seq, s3->client_random,
sizeof(s3->client_random)) ||
!CBB_add_asn1_octet_string(&seq, read_iv, read_iv_len) ||
!CBB_add_asn1_octet_string(&seq, write_iv, write_iv_len) ||
!CBB_add_asn1_bool(&seq, s3->session_reused) ||
!CBB_add_asn1_bool(&seq, hs->channel_id_negotiated) ||
!ssl_session_serialize(session, &seq) ||
!CBB_add_asn1_octet_string(&seq, s3->next_proto_negotiated.data(),
s3->next_proto_negotiated.size()) ||
!CBB_add_asn1_octet_string(&seq, s3->alpn_selected.data(),
s3->alpn_selected.size()) ||
!CBB_add_asn1_octet_string(
&seq, reinterpret_cast<uint8_t *>(s3->hostname.get()),
hostname_len) ||
!CBB_add_asn1_octet_string(&seq, kUnusedChannelID,
sizeof(kUnusedChannelID)) ||
// These two fields were historically |token_binding_negotiated| and
// |negotiated_token_binding_param|.
!CBB_add_asn1_bool(&seq, 0) ||
!CBB_add_asn1_uint64(&seq, 0) ||
!CBB_add_asn1_bool(&seq, s3->hs->next_proto_neg_seen) ||
!CBB_add_asn1_bool(&seq, s3->hs->cert_request) ||
!CBB_add_asn1_bool(&seq, s3->hs->extended_master_secret) ||
!CBB_add_asn1_bool(&seq, s3->hs->ticket_expected) ||
!CBB_add_asn1_uint64(&seq, SSL_CIPHER_get_id(s3->hs->new_cipher)) ||
!CBB_add_asn1_octet_string(&seq, transcript.data(), transcript.size()) ||
!CBB_add_asn1(&seq, &key_share, CBS_ASN1_SEQUENCE)) {
return false;
}
if (type == handback_after_ecdhe) {
CBB private_key;
if (!CBB_add_asn1_uint64(&key_share, s3->hs->key_shares[0]->GroupID()) ||
!CBB_add_asn1(&key_share, &private_key, CBS_ASN1_OCTETSTRING) ||
!s3->hs->key_shares[0]->SerializePrivateKey(&private_key) ||
!CBB_flush(&key_share)) {
return false;
}
}
if (type == handback_tls13) {
early_data_t early_data;
// Check early data invariants.
if (ssl->enable_early_data ==
(s3->early_data_reason == ssl_early_data_disabled)) {
return false;
}
if (hs->early_data_offered) {
if (s3->early_data_accepted && !s3->skip_early_data) {
early_data = early_data_accepted;
} else if (!s3->early_data_accepted && !s3->skip_early_data) {
early_data = early_data_rejected_hrr;
} else if (!s3->early_data_accepted && s3->skip_early_data) {
early_data = early_data_skipped;
} else {
return false;
}
} else if (!s3->early_data_accepted && !s3->skip_early_data) {
early_data = early_data_not_offered;
} else {
return false;
}
if (!CBB_add_asn1_octet_string(&seq, hs->client_traffic_secret_0().data(),
hs->client_traffic_secret_0().size()) ||
!CBB_add_asn1_octet_string(&seq, hs->server_traffic_secret_0().data(),
hs->server_traffic_secret_0().size()) ||
!CBB_add_asn1_octet_string(&seq, hs->client_handshake_secret().data(),
hs->client_handshake_secret().size()) ||
!CBB_add_asn1_octet_string(&seq, hs->server_handshake_secret().data(),
hs->server_handshake_secret().size()) ||
!CBB_add_asn1_octet_string(&seq, hs->secret().data(),
hs->secret().size()) ||
!CBB_add_asn1_octet_string(&seq, s3->exporter_secret,
s3->exporter_secret_len) ||
!CBB_add_asn1_bool(&seq, s3->used_hello_retry_request) ||
!CBB_add_asn1_bool(&seq, hs->accept_psk_mode) ||
!CBB_add_asn1_int64(&seq, s3->ticket_age_skew) ||
!CBB_add_asn1_uint64(&seq, s3->early_data_reason) ||
!CBB_add_asn1_uint64(&seq, early_data)) {
return false;
}
if (early_data == early_data_accepted &&
!CBB_add_asn1_octet_string(&seq, hs->early_traffic_secret().data(),
hs->early_traffic_secret().size())) {
return false;
}
if (session->has_application_settings) {
uint16_t alps_codepoint = TLSEXT_TYPE_application_settings_old;
if (hs->config->alps_use_new_codepoint) {
alps_codepoint = TLSEXT_TYPE_application_settings;
}
if (!CBB_add_asn1_uint64(&seq, alps_codepoint)) {
return false;
}
}
}
return CBB_flush(out);
}