| 1 | /* Copyright (c) 2018, Google Inc. |
|---|---|
| 2 | * |
| 3 | * Permission to use, copy, modify, and/or distribute this software for any |
| 4 | * purpose with or without fee is hereby granted, provided that the above |
| 5 | * copyright notice and this permission notice appear in all copies. |
| 6 | * |
| 7 | * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES |
| 8 | * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF |
| 9 | * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY |
| 10 | * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES |
| 11 | * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION |
| 12 | * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN |
| 13 | * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ |
| 14 | |
| 15 | #include <openssl/ssl.h> |
| 16 | |
| 17 | #include <openssl/bytestring.h> |
| 18 | |
| 19 | #include "internal.h" |
| 20 | |
| 21 | |
| 22 | BSSL_NAMESPACE_BEGIN |
| 23 | |
| 24 | constexpr int kHandoffVersion = 0; |
| 25 | constexpr int kHandbackVersion = 0; |
| 26 | |
| 27 | // serialize_features adds a description of features supported by this binary to |
| 28 | // |out|. Returns true on success and false on error. |
| 29 | static bool serialize_features(CBB *out) { |
| 30 | CBB ciphers; |
| 31 | if (!CBB_add_asn1(out, &ciphers, CBS_ASN1_OCTETSTRING)) { |
| 32 | return false; |
| 33 | } |
| 34 | Span<const SSL_CIPHER> all_ciphers = AllCiphers(); |
| 35 | for (const SSL_CIPHER& cipher : all_ciphers) { |
| 36 | if (!CBB_add_u16(&ciphers, static_cast<uint16_t>(cipher.id))) { |
| 37 | return false; |
| 38 | } |
| 39 | } |
| 40 | CBB curves; |
| 41 | if (!CBB_add_asn1(out, &curves, CBS_ASN1_OCTETSTRING)) { |
| 42 | return false; |
| 43 | } |
| 44 | for (const NamedGroup& g : NamedGroups()) { |
| 45 | if (!CBB_add_u16(&curves, g.group_id)) { |
| 46 | return false; |
| 47 | } |
| 48 | } |
| 49 | return CBB_flush(out); |
| 50 | } |
| 51 | |
| 52 | bool SSL_serialize_handoff(const SSL *ssl, CBB *out, |
| 53 | SSL_CLIENT_HELLO *out_hello) { |
| 54 | const SSL3_STATE *const s3 = ssl->s3; |
| 55 | if (!ssl->server || |
| 56 | s3->hs == nullptr || |
| 57 | s3->rwstate != SSL_HANDOFF) { |
| 58 | return false; |
| 59 | } |
| 60 | |
| 61 | CBB seq; |
| 62 | SSLMessage msg; |
| 63 | Span<const uint8_t> transcript = s3->hs->transcript.buffer(); |
| 64 | if (!CBB_add_asn1(out, &seq, CBS_ASN1_SEQUENCE) || |
| 65 | !CBB_add_asn1_uint64(&seq, kHandoffVersion) || |
| 66 | !CBB_add_asn1_octet_string(&seq, transcript.data(), transcript.size()) || |
| 67 | !CBB_add_asn1_octet_string(&seq, |
| 68 | reinterpret_cast<uint8_t *>(s3->hs_buf->data), |
| 69 | s3->hs_buf->length) || |
| 70 | !serialize_features(&seq) || |
| 71 | !CBB_flush(out) || |
| 72 | !ssl->method->get_message(ssl, &msg) || |
| 73 | !ssl_client_hello_init(ssl, out_hello, msg)) { |
| 74 | return false; |
| 75 | } |
| 76 | |
| 77 | return true; |
| 78 | } |
| 79 | |
| 80 | bool SSL_decline_handoff(SSL *ssl) { |
| 81 | const SSL3_STATE *const s3 = ssl->s3; |
| 82 | if (!ssl->server || |
| 83 | s3->hs == nullptr || |
| 84 | s3->rwstate != SSL_HANDOFF) { |
| 85 | return false; |
| 86 | } |
| 87 | |
| 88 | s3->hs->config->handoff = false; |
| 89 | return true; |
| 90 | } |
| 91 | |
| 92 | // apply_remote_features reads a list of supported features from |in| and |
| 93 | // (possibly) reconfigures |ssl| to disallow the negotation of features whose |
| 94 | // support has not been indicated. (This prevents the the handshake from |
| 95 | // committing to features that are not supported on the handoff/handback side.) |
| 96 | static bool apply_remote_features(SSL *ssl, CBS *in) { |
| 97 | CBS ciphers; |
| 98 | if (!CBS_get_asn1(in, &ciphers, CBS_ASN1_OCTETSTRING)) { |
| 99 | return false; |
| 100 | } |
| 101 | bssl::UniquePtr<STACK_OF(SSL_CIPHER)> supported(sk_SSL_CIPHER_new_null()); |
| 102 | while (CBS_len(&ciphers)) { |
| 103 | uint16_t id; |
| 104 | if (!CBS_get_u16(&ciphers, &id)) { |
| 105 | return false; |
| 106 | } |
| 107 | const SSL_CIPHER *cipher = SSL_get_cipher_by_value(id); |
| 108 | if (!cipher) { |
| 109 | continue; |
| 110 | } |
| 111 | if (!sk_SSL_CIPHER_push(supported.get(), cipher)) { |
| 112 | return false; |
| 113 | } |
| 114 | } |
| 115 | STACK_OF(SSL_CIPHER) *configured = |
| 116 | ssl->config->cipher_list ? ssl->config->cipher_list->ciphers.get() |
| 117 | : ssl->ctx->cipher_list->ciphers.get(); |
| 118 | bssl::UniquePtr<STACK_OF(SSL_CIPHER)> unsupported(sk_SSL_CIPHER_new_null()); |
| 119 | for (const SSL_CIPHER *configured_cipher : configured) { |
| 120 | if (sk_SSL_CIPHER_find(supported.get(), nullptr, configured_cipher)) { |
| 121 | continue; |
| 122 | } |
| 123 | if (!sk_SSL_CIPHER_push(unsupported.get(), configured_cipher)) { |
| 124 | return false; |
| 125 | } |
| 126 | } |
| 127 | if (sk_SSL_CIPHER_num(unsupported.get()) && !ssl->config->cipher_list) { |
| 128 | ssl->config->cipher_list = bssl::MakeUnique<SSLCipherPreferenceList>(); |
| 129 | if (!ssl->config->cipher_list->Init(*ssl->ctx->cipher_list)) { |
| 130 | return false; |
| 131 | } |
| 132 | } |
| 133 | for (const SSL_CIPHER *unsupported_cipher : unsupported.get()) { |
| 134 | ssl->config->cipher_list->Remove(unsupported_cipher); |
| 135 | } |
| 136 | if (sk_SSL_CIPHER_num(SSL_get_ciphers(ssl)) == 0) { |
| 137 | return false; |
| 138 | } |
| 139 | |
| 140 | CBS curves; |
| 141 | if (!CBS_get_asn1(in, &curves, CBS_ASN1_OCTETSTRING)) { |
| 142 | return false; |
| 143 | } |
| 144 | Array<uint16_t> supported_curves; |
| 145 | if (!supported_curves.Init(CBS_len(&curves) / 2)) { |
| 146 | return false; |
| 147 | } |
| 148 | size_t idx = 0; |
| 149 | while (CBS_len(&curves)) { |
| 150 | uint16_t curve; |
| 151 | if (!CBS_get_u16(&curves, &curve)) { |
| 152 | return false; |
| 153 | } |
| 154 | supported_curves[idx++] = curve; |
| 155 | } |
| 156 | Span<const uint16_t> configured_curves = |
| 157 | tls1_get_grouplist(ssl->s3->hs.get()); |
| 158 | Array<uint16_t> new_configured_curves; |
| 159 | if (!new_configured_curves.Init(configured_curves.size())) { |
| 160 | return false; |
| 161 | } |
| 162 | idx = 0; |
| 163 | for (uint16_t configured_curve : configured_curves) { |
| 164 | bool ok = false; |
| 165 | for (uint16_t supported_curve : supported_curves) { |
| 166 | if (supported_curve == configured_curve) { |
| 167 | ok = true; |
| 168 | break; |
| 169 | } |
| 170 | } |
| 171 | if (ok) { |
| 172 | new_configured_curves[idx++] = configured_curve; |
| 173 | } |
| 174 | } |
| 175 | if (idx == 0) { |
| 176 | return false; |
| 177 | } |
| 178 | new_configured_curves.Shrink(idx); |
| 179 | ssl->config->supported_group_list = std::move(new_configured_curves); |
| 180 | |
| 181 | return true; |
| 182 | } |
| 183 | |
| 184 | bool SSL_apply_handoff(SSL *ssl, Span<const uint8_t> handoff) { |
| 185 | if (ssl->method->is_dtls) { |
| 186 | return false; |
| 187 | } |
| 188 | |
| 189 | CBS seq, handoff_cbs(handoff); |
| 190 | uint64_t handoff_version; |
| 191 | if (!CBS_get_asn1(&handoff_cbs, &seq, CBS_ASN1_SEQUENCE) || |
| 192 | !CBS_get_asn1_uint64(&seq, &handoff_version) || |
| 193 | handoff_version != kHandoffVersion) { |
| 194 | return false; |
| 195 | } |
| 196 | |
| 197 | CBS transcript, hs_buf; |
| 198 | if (!CBS_get_asn1(&seq, &transcript, CBS_ASN1_OCTETSTRING) || |
| 199 | !CBS_get_asn1(&seq, &hs_buf, CBS_ASN1_OCTETSTRING) || |
| 200 | !apply_remote_features(ssl, &seq)) { |
| 201 | return false; |
| 202 | } |
| 203 | |
| 204 | SSL_set_accept_state(ssl); |
| 205 | |
| 206 | SSL3_STATE *const s3 = ssl->s3; |
| 207 | s3->v2_hello_done = true; |
| 208 | s3->has_message = true; |
| 209 | |
| 210 | s3->hs_buf.reset(BUF_MEM_new()); |
| 211 | if (!s3->hs_buf || |
| 212 | !BUF_MEM_append(s3->hs_buf.get(), CBS_data(&hs_buf), CBS_len(&hs_buf))) { |
| 213 | return false; |
| 214 | } |
| 215 | |
| 216 | if (CBS_len(&transcript) != 0) { |
| 217 | s3->hs->transcript.Update(transcript); |
| 218 | s3->is_v2_hello = true; |
| 219 | } |
| 220 | s3->hs->handback = true; |
| 221 | |
| 222 | return true; |
| 223 | } |
| 224 | |
| 225 | bool SSL_serialize_handback(const SSL *ssl, CBB *out) { |
| 226 | if (!ssl->server || ssl->method->is_dtls) { |
| 227 | return false; |
| 228 | } |
| 229 | handback_t type; |
| 230 | switch (ssl->s3->hs->state) { |
| 231 | case state12_read_change_cipher_spec: |
| 232 | type = handback_after_session_resumption; |
| 233 | break; |
| 234 | case state12_read_client_certificate: |
| 235 | type = handback_after_ecdhe; |
| 236 | break; |
| 237 | case state12_finish_server_handshake: |
| 238 | type = handback_after_handshake; |
| 239 | break; |
| 240 | default: |
| 241 | return false; |
| 242 | } |
| 243 | |
| 244 | const SSL3_STATE *const s3 = ssl->s3; |
| 245 | size_t hostname_len = 0; |
| 246 | if (s3->hostname) { |
| 247 | hostname_len = strlen(s3->hostname.get()); |
| 248 | } |
| 249 | |
| 250 | Span<const uint8_t> transcript; |
| 251 | if (type == handback_after_ecdhe || |
| 252 | type == handback_after_session_resumption) { |
| 253 | transcript = s3->hs->transcript.buffer(); |
| 254 | } |
| 255 | size_t write_iv_len = 0; |
| 256 | const uint8_t *write_iv = nullptr; |
| 257 | if ((type == handback_after_session_resumption || |
| 258 | type == handback_after_handshake) && |
| 259 | ssl->version == TLS1_VERSION && |
| 260 | SSL_CIPHER_is_block_cipher(s3->aead_write_ctx->cipher()) && |
| 261 | !s3->aead_write_ctx->GetIV(&write_iv, &write_iv_len)) { |
| 262 | return false; |
| 263 | } |
| 264 | size_t read_iv_len = 0; |
| 265 | const uint8_t *read_iv = nullptr; |
| 266 | if (type == handback_after_handshake && |
| 267 | ssl->version == TLS1_VERSION && |
| 268 | SSL_CIPHER_is_block_cipher(s3->aead_read_ctx->cipher()) && |
| 269 | !s3->aead_read_ctx->GetIV(&read_iv, &read_iv_len)) { |
| 270 | return false; |
| 271 | } |
| 272 | |
| 273 | // TODO(mab): make sure everything is serialized. |
| 274 | CBB seq, key_share; |
| 275 | const SSL_SESSION *session = |
| 276 | s3->session_reused ? ssl->session.get() : s3->hs->new_session.get(); |
| 277 | if (!CBB_add_asn1(out, &seq, CBS_ASN1_SEQUENCE) || |
| 278 | !CBB_add_asn1_uint64(&seq, kHandbackVersion) || |
| 279 | !CBB_add_asn1_uint64(&seq, type) || |
| 280 | !CBB_add_asn1_octet_string(&seq, s3->read_sequence, |
| 281 | sizeof(s3->read_sequence)) || |
| 282 | !CBB_add_asn1_octet_string(&seq, s3->write_sequence, |
| 283 | sizeof(s3->write_sequence)) || |
| 284 | !CBB_add_asn1_octet_string(&seq, s3->server_random, |
| 285 | sizeof(s3->server_random)) || |
| 286 | !CBB_add_asn1_octet_string(&seq, s3->client_random, |
| 287 | sizeof(s3->client_random)) || |
| 288 | !CBB_add_asn1_octet_string(&seq, read_iv, read_iv_len) || |
| 289 | !CBB_add_asn1_octet_string(&seq, write_iv, write_iv_len) || |
| 290 | !CBB_add_asn1_bool(&seq, s3->session_reused) || |
| 291 | !CBB_add_asn1_bool(&seq, s3->channel_id_valid) || |
| 292 | !ssl_session_serialize(session, &seq) || |
| 293 | !CBB_add_asn1_octet_string(&seq, s3->next_proto_negotiated.data(), |
| 294 | s3->next_proto_negotiated.size()) || |
| 295 | !CBB_add_asn1_octet_string(&seq, s3->alpn_selected.data(), |
| 296 | s3->alpn_selected.size()) || |
| 297 | !CBB_add_asn1_octet_string( |
| 298 | &seq, reinterpret_cast<uint8_t *>(s3->hostname.get()), |
| 299 | hostname_len) || |
| 300 | !CBB_add_asn1_octet_string(&seq, s3->channel_id, |
| 301 | sizeof(s3->channel_id)) || |
| 302 | !CBB_add_asn1_bool(&seq, ssl->s3->token_binding_negotiated) || |
| 303 | !CBB_add_asn1_uint64(&seq, ssl->s3->negotiated_token_binding_param) || |
| 304 | !CBB_add_asn1_bool(&seq, s3->hs->next_proto_neg_seen) || |
| 305 | !CBB_add_asn1_bool(&seq, s3->hs->cert_request) || |
| 306 | !CBB_add_asn1_bool(&seq, s3->hs->extended_master_secret) || |
| 307 | !CBB_add_asn1_bool(&seq, s3->hs->ticket_expected) || |
| 308 | !CBB_add_asn1_uint64(&seq, SSL_CIPHER_get_id(s3->hs->new_cipher)) || |
| 309 | !CBB_add_asn1_octet_string(&seq, transcript.data(), transcript.size()) || |
| 310 | !CBB_add_asn1(&seq, &key_share, CBS_ASN1_SEQUENCE)) { |
| 311 | return false; |
| 312 | } |
| 313 | if (type == handback_after_ecdhe && |
| 314 | !s3->hs->key_shares[0]->Serialize(&key_share)) { |
| 315 | return false; |
| 316 | } |
| 317 | return CBB_flush(out); |
| 318 | } |
| 319 | |
| 320 | bool SSL_apply_handback(SSL *ssl, Span<const uint8_t> handback) { |
| 321 | if (ssl->do_handshake != nullptr || |
| 322 | ssl->method->is_dtls) { |
| 323 | return false; |
| 324 | } |
| 325 | |
| 326 | SSL3_STATE *const s3 = ssl->s3; |
| 327 | uint64_t handback_version, negotiated_token_binding_param, cipher, type; |
| 328 | |
| 329 | CBS seq, read_seq, write_seq, server_rand, client_rand, read_iv, write_iv, |
| 330 | next_proto, alpn, hostname, channel_id, transcript, key_share; |
| 331 | int session_reused, channel_id_valid, cert_request, extended_master_secret, |
| 332 | ticket_expected, token_binding_negotiated, next_proto_neg_seen; |
| 333 | SSL_SESSION *session = nullptr; |
| 334 | |
| 335 | CBS handback_cbs(handback); |
| 336 | if (!CBS_get_asn1(&handback_cbs, &seq, CBS_ASN1_SEQUENCE) || |
| 337 | !CBS_get_asn1_uint64(&seq, &handback_version) || |
| 338 | handback_version != kHandbackVersion || |
| 339 | !CBS_get_asn1_uint64(&seq, &type)) { |
| 340 | return false; |
| 341 | } |
| 342 | |
| 343 | if (!CBS_get_asn1(&seq, &read_seq, CBS_ASN1_OCTETSTRING) || |
| 344 | CBS_len(&read_seq) != sizeof(s3->read_sequence) || |
| 345 | !CBS_get_asn1(&seq, &write_seq, CBS_ASN1_OCTETSTRING) || |
| 346 | CBS_len(&write_seq) != sizeof(s3->write_sequence) || |
| 347 | !CBS_get_asn1(&seq, &server_rand, CBS_ASN1_OCTETSTRING) || |
| 348 | CBS_len(&server_rand) != sizeof(s3->server_random) || |
| 349 | !CBS_copy_bytes(&server_rand, s3->server_random, |
| 350 | sizeof(s3->server_random)) || |
| 351 | !CBS_get_asn1(&seq, &client_rand, CBS_ASN1_OCTETSTRING) || |
| 352 | CBS_len(&client_rand) != sizeof(s3->client_random) || |
| 353 | !CBS_copy_bytes(&client_rand, s3->client_random, |
| 354 | sizeof(s3->client_random)) || |
| 355 | !CBS_get_asn1(&seq, &read_iv, CBS_ASN1_OCTETSTRING) || |
| 356 | !CBS_get_asn1(&seq, &write_iv, CBS_ASN1_OCTETSTRING) || |
| 357 | !CBS_get_asn1_bool(&seq, &session_reused) || |
| 358 | !CBS_get_asn1_bool(&seq, &channel_id_valid)) { |
| 359 | return false; |
| 360 | } |
| 361 | |
| 362 | s3->hs = ssl_handshake_new(ssl); |
| 363 | if (session_reused) { |
| 364 | ssl->session = |
| 365 | SSL_SESSION_parse(&seq, ssl->ctx->x509_method, ssl->ctx->pool); |
| 366 | session = ssl->session.get(); |
| 367 | } else { |
| 368 | s3->hs->new_session = |
| 369 | SSL_SESSION_parse(&seq, ssl->ctx->x509_method, ssl->ctx->pool); |
| 370 | session = s3->hs->new_session.get(); |
| 371 | } |
| 372 | |
| 373 | if (!session || !CBS_get_asn1(&seq, &next_proto, CBS_ASN1_OCTETSTRING) || |
| 374 | !CBS_get_asn1(&seq, &alpn, CBS_ASN1_OCTETSTRING) || |
| 375 | !CBS_get_asn1(&seq, &hostname, CBS_ASN1_OCTETSTRING) || |
| 376 | !CBS_get_asn1(&seq, &channel_id, CBS_ASN1_OCTETSTRING) || |
| 377 | CBS_len(&channel_id) != sizeof(s3->channel_id) || |
| 378 | !CBS_copy_bytes(&channel_id, s3->channel_id, |
| 379 | sizeof(s3->channel_id)) || |
| 380 | !CBS_get_asn1_bool(&seq, &token_binding_negotiated) || |
| 381 | !CBS_get_asn1_uint64(&seq, &negotiated_token_binding_param) || |
| 382 | !CBS_get_asn1_bool(&seq, &next_proto_neg_seen) || |
| 383 | !CBS_get_asn1_bool(&seq, &cert_request) || |
| 384 | !CBS_get_asn1_bool(&seq, &extended_master_secret) || |
| 385 | !CBS_get_asn1_bool(&seq, &ticket_expected) || |
| 386 | !CBS_get_asn1_uint64(&seq, &cipher)) { |
| 387 | return false; |
| 388 | } |
| 389 | if ((s3->hs->new_cipher = |
| 390 | SSL_get_cipher_by_value(static_cast<uint16_t>(cipher))) == nullptr) { |
| 391 | return false; |
| 392 | } |
| 393 | if (!CBS_get_asn1(&seq, &transcript, CBS_ASN1_OCTETSTRING) || |
| 394 | !CBS_get_asn1(&seq, &key_share, CBS_ASN1_SEQUENCE)) { |
| 395 | return false; |
| 396 | } |
| 397 | |
| 398 | ssl->version = session->ssl_version; |
| 399 | s3->have_version = true; |
| 400 | if (!ssl_method_supports_version(ssl->method, ssl->version) || |
| 401 | session->cipher != s3->hs->new_cipher || |
| 402 | ssl_protocol_version(ssl) < SSL_CIPHER_get_min_version(session->cipher) || |
| 403 | SSL_CIPHER_get_max_version(session->cipher) < ssl_protocol_version(ssl)) { |
| 404 | return false; |
| 405 | } |
| 406 | ssl->do_handshake = ssl_server_handshake; |
| 407 | ssl->server = true; |
| 408 | switch (type) { |
| 409 | case handback_after_session_resumption: |
| 410 | ssl->s3->hs->state = state12_read_change_cipher_spec; |
| 411 | if (!session_reused) { |
| 412 | return false; |
| 413 | } |
| 414 | break; |
| 415 | case handback_after_ecdhe: |
| 416 | ssl->s3->hs->state = state12_read_client_certificate; |
| 417 | if (session_reused) { |
| 418 | return false; |
| 419 | } |
| 420 | break; |
| 421 | case handback_after_handshake: |
| 422 | ssl->s3->hs->state = state12_finish_server_handshake; |
| 423 | break; |
| 424 | default: |
| 425 | return false; |
| 426 | } |
| 427 | s3->session_reused = session_reused; |
| 428 | s3->channel_id_valid = channel_id_valid; |
| 429 | s3->next_proto_negotiated.CopyFrom(next_proto); |
| 430 | s3->alpn_selected.CopyFrom(alpn); |
| 431 | |
| 432 | const size_t hostname_len = CBS_len(&hostname); |
| 433 | if (hostname_len == 0) { |
| 434 | s3->hostname.reset(); |
| 435 | } else { |
| 436 | char *hostname_str = nullptr; |
| 437 | if (!CBS_strdup(&hostname, &hostname_str)) { |
| 438 | return false; |
| 439 | } |
| 440 | s3->hostname.reset(hostname_str); |
| 441 | } |
| 442 | |
| 443 | s3->token_binding_negotiated = token_binding_negotiated; |
| 444 | s3->negotiated_token_binding_param = |
| 445 | static_cast<uint8_t>(negotiated_token_binding_param); |
| 446 | s3->hs->next_proto_neg_seen = next_proto_neg_seen; |
| 447 | s3->hs->wait = ssl_hs_flush; |
| 448 | s3->hs->extended_master_secret = extended_master_secret; |
| 449 | s3->hs->ticket_expected = ticket_expected; |
| 450 | s3->aead_write_ctx->SetVersionIfNullCipher(ssl->version); |
| 451 | s3->hs->cert_request = cert_request; |
| 452 | |
| 453 | // TODO(davidben): When handoff for TLS 1.3 is added, serialize |
| 454 | // |early_data_reason| and stabilize the constants. |
| 455 | s3->early_data_reason = ssl_early_data_protocol_version; |
| 456 | |
| 457 | Array<uint8_t> key_block; |
| 458 | if ((type == handback_after_session_resumption || |
| 459 | type == handback_after_handshake) && |
| 460 | (!tls1_configure_aead(ssl, evp_aead_seal, &key_block, session->cipher, |
| 461 | write_iv) || |
| 462 | !CBS_copy_bytes(&write_seq, s3->write_sequence, |
| 463 | sizeof(s3->write_sequence)))) { |
| 464 | return false; |
| 465 | } |
| 466 | if (type == handback_after_handshake && |
| 467 | (!tls1_configure_aead(ssl, evp_aead_open, &key_block, session->cipher, |
| 468 | read_iv) || |
| 469 | !CBS_copy_bytes(&read_seq, s3->read_sequence, |
| 470 | sizeof(s3->read_sequence)))) { |
| 471 | return false; |
| 472 | } |
| 473 | if ((type == handback_after_ecdhe || |
| 474 | type == handback_after_session_resumption) && |
| 475 | (!s3->hs->transcript.Init() || |
| 476 | !s3->hs->transcript.InitHash(ssl_protocol_version(ssl), |
| 477 | s3->hs->new_cipher) || |
| 478 | !s3->hs->transcript.Update(transcript))) { |
| 479 | return false; |
| 480 | } |
| 481 | if (type == handback_after_ecdhe && |
| 482 | (s3->hs->key_shares[0] = SSLKeyShare::Create(&key_share)) == nullptr) { |
| 483 | return false; |
| 484 | } |
| 485 | |
| 486 | return CBS_len(&seq) == 0; |
| 487 | } |
| 488 | |
| 489 | BSSL_NAMESPACE_END |
| 490 |
Generated on 2020-Aug-16 from project engine revision 1.21
Powered by 
Code Browser 2.1
Generator usage only permitted with license.