2018-01-26 17:14:30 +00:00
|
|
|
/* Copyright (c) 2018, Google Inc.
|
|
|
|
*
|
|
|
|
* Permission to use, copy, modify, and/or distribute this software for any
|
|
|
|
* purpose with or without fee is hereby granted, provided that the above
|
|
|
|
* copyright notice and this permission notice appear in all copies.
|
|
|
|
*
|
|
|
|
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
|
|
|
|
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
|
|
|
|
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
|
|
|
|
* SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
|
|
|
|
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
|
|
|
|
* OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
|
|
|
|
* CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
|
|
|
|
|
|
|
|
#include <openssl/ssl.h>
|
|
|
|
|
|
|
|
#include <openssl/bytestring.h>
|
|
|
|
|
|
|
|
#include "internal.h"
|
|
|
|
|
|
|
|
|
|
|
|
namespace bssl {
|
|
|
|
|
|
|
|
constexpr int kHandoffVersion = 0;
|
|
|
|
constexpr int kHandbackVersion = 0;
|
|
|
|
|
|
|
|
bool SSL_serialize_handoff(const SSL *ssl, CBB *out) {
|
|
|
|
const SSL3_STATE *const s3 = ssl->s3;
|
|
|
|
if (!ssl->server ||
|
|
|
|
s3->hs == nullptr ||
|
|
|
|
s3->rwstate != SSL_HANDOFF) {
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
|
|
|
CBB seq;
|
|
|
|
Span<const uint8_t> transcript = s3->hs->transcript.buffer();
|
|
|
|
if (!CBB_add_asn1(out, &seq, CBS_ASN1_SEQUENCE) ||
|
|
|
|
!CBB_add_asn1_uint64(&seq, kHandoffVersion) ||
|
|
|
|
!CBB_add_asn1_octet_string(&seq, transcript.data(), transcript.size()) ||
|
|
|
|
!CBB_add_asn1_octet_string(&seq,
|
|
|
|
reinterpret_cast<uint8_t *>(s3->hs_buf->data),
|
|
|
|
s3->hs_buf->length) ||
|
|
|
|
!CBB_flush(out)) {
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
|
|
|
|
bool SSL_decline_handoff(SSL *ssl) {
|
|
|
|
const SSL3_STATE *const s3 = ssl->s3;
|
|
|
|
if (!ssl->server ||
|
|
|
|
s3->hs == nullptr ||
|
|
|
|
s3->rwstate != SSL_HANDOFF) {
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
2018-04-13 23:51:30 +01:00
|
|
|
s3->hs->config->handoff = false;
|
2018-01-26 17:14:30 +00:00
|
|
|
return true;
|
|
|
|
}
|
|
|
|
|
|
|
|
bool SSL_apply_handoff(SSL *ssl, Span<const uint8_t> handoff) {
|
|
|
|
if (ssl->method->is_dtls) {
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
|
|
|
CBS seq, handoff_cbs(handoff);
|
|
|
|
uint64_t handoff_version;
|
|
|
|
if (!CBS_get_asn1(&handoff_cbs, &seq, CBS_ASN1_SEQUENCE) ||
|
|
|
|
!CBS_get_asn1_uint64(&seq, &handoff_version) ||
|
|
|
|
handoff_version != kHandoffVersion) {
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
|
|
|
CBS transcript, hs_buf;
|
|
|
|
if (!CBS_get_asn1(&seq, &transcript, CBS_ASN1_OCTETSTRING) ||
|
|
|
|
!CBS_get_asn1(&seq, &hs_buf, CBS_ASN1_OCTETSTRING)) {
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
|
|
|
SSL_set_accept_state(ssl);
|
|
|
|
|
|
|
|
SSL3_STATE *const s3 = ssl->s3;
|
|
|
|
s3->v2_hello_done = true;
|
|
|
|
s3->has_message = true;
|
|
|
|
|
|
|
|
s3->hs_buf.reset(BUF_MEM_new());
|
|
|
|
if (!s3->hs_buf ||
|
|
|
|
!BUF_MEM_append(s3->hs_buf.get(), CBS_data(&hs_buf), CBS_len(&hs_buf))) {
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (CBS_len(&transcript) != 0) {
|
|
|
|
s3->hs->transcript.Update(transcript);
|
|
|
|
s3->is_v2_hello = true;
|
|
|
|
}
|
2018-04-13 23:51:30 +01:00
|
|
|
s3->hs->handback = true;
|
2018-01-26 17:14:30 +00:00
|
|
|
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
|
|
|
|
bool SSL_serialize_handback(const SSL *ssl, CBB *out) {
|
|
|
|
if (!ssl->server ||
|
2018-03-22 18:48:33 +00:00
|
|
|
(ssl->s3->hs->state != state12_finish_server_handshake &&
|
|
|
|
ssl->s3->hs->state != state12_read_client_certificate) ||
|
|
|
|
ssl->method->is_dtls || ssl->version < TLS1_VERSION) {
|
2018-01-26 17:14:30 +00:00
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
|
|
|
const SSL3_STATE *const s3 = ssl->s3;
|
|
|
|
size_t hostname_len = 0;
|
|
|
|
if (s3->hostname) {
|
|
|
|
hostname_len = strlen(s3->hostname.get());
|
|
|
|
}
|
|
|
|
|
|
|
|
size_t iv_len = 0;
|
|
|
|
const uint8_t *read_iv = nullptr, *write_iv = nullptr;
|
2018-03-22 18:48:33 +00:00
|
|
|
Span<const uint8_t> transcript;
|
|
|
|
if (ssl->s3->hs->state == state12_finish_server_handshake) {
|
|
|
|
if (ssl->version == TLS1_VERSION &&
|
|
|
|
SSL_CIPHER_is_block_cipher(s3->aead_read_ctx->cipher()) &&
|
|
|
|
(!s3->aead_read_ctx->GetIV(&read_iv, &iv_len) ||
|
|
|
|
!s3->aead_write_ctx->GetIV(&write_iv, &iv_len))) {
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
} else {
|
|
|
|
transcript = s3->hs->transcript.buffer();
|
2018-01-26 17:14:30 +00:00
|
|
|
}
|
|
|
|
|
2018-03-22 18:48:33 +00:00
|
|
|
// TODO(mab): make sure everything is serialized.
|
|
|
|
CBB seq, key_share;
|
|
|
|
SSL_SESSION *session =
|
|
|
|
s3->session_reused ? ssl->session : s3->hs->new_session.get();
|
2018-01-26 17:14:30 +00:00
|
|
|
if (!CBB_add_asn1(out, &seq, CBS_ASN1_SEQUENCE) ||
|
|
|
|
!CBB_add_asn1_uint64(&seq, kHandbackVersion) ||
|
|
|
|
!CBB_add_asn1_octet_string(&seq, s3->read_sequence,
|
|
|
|
sizeof(s3->read_sequence)) ||
|
|
|
|
!CBB_add_asn1_octet_string(&seq, s3->write_sequence,
|
|
|
|
sizeof(s3->write_sequence)) ||
|
|
|
|
!CBB_add_asn1_octet_string(&seq, s3->server_random,
|
|
|
|
sizeof(s3->server_random)) ||
|
|
|
|
!CBB_add_asn1_octet_string(&seq, s3->client_random,
|
|
|
|
sizeof(s3->client_random)) ||
|
|
|
|
!CBB_add_asn1_octet_string(&seq, read_iv, iv_len) ||
|
|
|
|
!CBB_add_asn1_octet_string(&seq, write_iv, iv_len) ||
|
|
|
|
!CBB_add_asn1_bool(&seq, s3->session_reused) ||
|
|
|
|
!CBB_add_asn1_bool(&seq, s3->tlsext_channel_id_valid) ||
|
2018-03-22 18:48:33 +00:00
|
|
|
!ssl_session_serialize(session, &seq) ||
|
2018-01-26 17:14:30 +00:00
|
|
|
!CBB_add_asn1_octet_string(&seq, s3->next_proto_negotiated.data(),
|
|
|
|
s3->next_proto_negotiated.size()) ||
|
|
|
|
!CBB_add_asn1_octet_string(&seq, s3->alpn_selected.data(),
|
|
|
|
s3->alpn_selected.size()) ||
|
|
|
|
!CBB_add_asn1_octet_string(
|
|
|
|
&seq, reinterpret_cast<uint8_t *>(s3->hostname.get()),
|
|
|
|
hostname_len) ||
|
|
|
|
!CBB_add_asn1_octet_string(&seq, s3->tlsext_channel_id,
|
|
|
|
sizeof(s3->tlsext_channel_id)) ||
|
2018-04-12 20:36:30 +01:00
|
|
|
!CBB_add_asn1_bool(&seq, ssl->s3->token_binding_negotiated) ||
|
|
|
|
!CBB_add_asn1_uint64(&seq, ssl->s3->negotiated_token_binding_param) ||
|
2018-03-22 18:48:33 +00:00
|
|
|
!CBB_add_asn1_bool(&seq, s3->hs->next_proto_neg_seen) ||
|
|
|
|
!CBB_add_asn1_bool(&seq, s3->hs->cert_request) ||
|
|
|
|
!CBB_add_asn1_bool(&seq, s3->hs->extended_master_secret) ||
|
|
|
|
!CBB_add_asn1_bool(&seq, s3->hs->ticket_expected) ||
|
|
|
|
!CBB_add_asn1_uint64(&seq, SSL_CIPHER_get_id(s3->hs->new_cipher)) ||
|
|
|
|
!CBB_add_asn1_octet_string(&seq, transcript.data(), transcript.size()) ||
|
|
|
|
!CBB_add_asn1(&seq, &key_share, CBS_ASN1_SEQUENCE)) {
|
2018-01-26 17:14:30 +00:00
|
|
|
return false;
|
|
|
|
}
|
2018-03-22 18:48:33 +00:00
|
|
|
if (ssl->s3->hs->state == state12_read_client_certificate &&
|
|
|
|
!s3->hs->key_share->Serialize(&key_share)) {
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
return CBB_flush(out);
|
2018-01-26 17:14:30 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
bool SSL_apply_handback(SSL *ssl, Span<const uint8_t> handback) {
|
|
|
|
if (ssl->do_handshake != nullptr ||
|
|
|
|
ssl->method->is_dtls) {
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
|
|
|
SSL3_STATE *const s3 = ssl->s3;
|
SSL_serialize_handoff: serialize fewer things.
In the handoff+handback case, bssl_shim.cc creates 3 |SSL| objects:
one to receive the ClientHello, one to receive the handoff, and a
third one to receive the handback.
Before 56986f9, only the first of these received any configuration.
Since that commit, all 3 of them receive the same configuration. That
means that the handback message no longer needs to serialize as many
things.
N.B. even before 56986f9, not all of the fields were necessary. For
example, there was no reason to serialize |conf_max_version| and
|conf_min_version| in the handback, so far as I can tell.
This commit is mechanical: it simply removes everything that doesn't
cause any tests to fail. In the long run, I'll need to carefully
check for two possibilities:
- Knobs that affect the handshake after the server's first message it
sent. These are troublesome because that portion of the handshake
may run on a different |SSL|, depending on whether the handback is
early or late.
- Getters that may be called post-handshake, and that callers may
reasonably expect to reflect the value that was used during
handshake.
(I'm not sure that either case exists!)
Change-Id: Ibf6e0be6609ad6e83ab50e69199e9b2d51e59a87
Reviewed-on: https://boringssl-review.googlesource.com/27364
Commit-Queue: Matt Braithwaite <mab@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
Reviewed-by: David Benjamin <davidben@google.com>
2018-04-12 01:00:54 +01:00
|
|
|
uint64_t handback_version, negotiated_token_binding_param, cipher;
|
2018-03-22 18:48:33 +00:00
|
|
|
|
2018-01-26 17:14:30 +00:00
|
|
|
CBS seq, read_seq, write_seq, server_rand, client_rand, read_iv, write_iv,
|
2018-03-22 18:48:33 +00:00
|
|
|
next_proto, alpn, hostname, channel_id, transcript, key_share;
|
SSL_serialize_handoff: serialize fewer things.
In the handoff+handback case, bssl_shim.cc creates 3 |SSL| objects:
one to receive the ClientHello, one to receive the handoff, and a
third one to receive the handback.
Before 56986f9, only the first of these received any configuration.
Since that commit, all 3 of them receive the same configuration. That
means that the handback message no longer needs to serialize as many
things.
N.B. even before 56986f9, not all of the fields were necessary. For
example, there was no reason to serialize |conf_max_version| and
|conf_min_version| in the handback, so far as I can tell.
This commit is mechanical: it simply removes everything that doesn't
cause any tests to fail. In the long run, I'll need to carefully
check for two possibilities:
- Knobs that affect the handshake after the server's first message it
sent. These are troublesome because that portion of the handshake
may run on a different |SSL|, depending on whether the handback is
early or late.
- Getters that may be called post-handshake, and that callers may
reasonably expect to reflect the value that was used during
handshake.
(I'm not sure that either case exists!)
Change-Id: Ibf6e0be6609ad6e83ab50e69199e9b2d51e59a87
Reviewed-on: https://boringssl-review.googlesource.com/27364
Commit-Queue: Matt Braithwaite <mab@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
Reviewed-by: David Benjamin <davidben@google.com>
2018-04-12 01:00:54 +01:00
|
|
|
int session_reused, channel_id_valid, cert_request, extended_master_secret,
|
|
|
|
ticket_expected, token_binding_negotiated, next_proto_neg_seen;
|
2018-03-22 18:48:33 +00:00
|
|
|
SSL_SESSION *session = nullptr;
|
2018-01-26 17:14:30 +00:00
|
|
|
|
|
|
|
CBS handback_cbs(handback);
|
|
|
|
if (!CBS_get_asn1(&handback_cbs, &seq, CBS_ASN1_SEQUENCE) ||
|
|
|
|
!CBS_get_asn1_uint64(&seq, &handback_version) ||
|
|
|
|
handback_version != kHandbackVersion) {
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
SSL_serialize_handoff: serialize fewer things.
In the handoff+handback case, bssl_shim.cc creates 3 |SSL| objects:
one to receive the ClientHello, one to receive the handoff, and a
third one to receive the handback.
Before 56986f9, only the first of these received any configuration.
Since that commit, all 3 of them receive the same configuration. That
means that the handback message no longer needs to serialize as many
things.
N.B. even before 56986f9, not all of the fields were necessary. For
example, there was no reason to serialize |conf_max_version| and
|conf_min_version| in the handback, so far as I can tell.
This commit is mechanical: it simply removes everything that doesn't
cause any tests to fail. In the long run, I'll need to carefully
check for two possibilities:
- Knobs that affect the handshake after the server's first message it
sent. These are troublesome because that portion of the handshake
may run on a different |SSL|, depending on whether the handback is
early or late.
- Getters that may be called post-handshake, and that callers may
reasonably expect to reflect the value that was used during
handshake.
(I'm not sure that either case exists!)
Change-Id: Ibf6e0be6609ad6e83ab50e69199e9b2d51e59a87
Reviewed-on: https://boringssl-review.googlesource.com/27364
Commit-Queue: Matt Braithwaite <mab@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
Reviewed-by: David Benjamin <davidben@google.com>
2018-04-12 01:00:54 +01:00
|
|
|
if (!CBS_get_asn1(&seq, &read_seq, CBS_ASN1_OCTETSTRING) ||
|
2018-01-26 17:14:30 +00:00
|
|
|
CBS_len(&read_seq) != sizeof(s3->read_sequence) ||
|
|
|
|
!CBS_get_asn1(&seq, &write_seq, CBS_ASN1_OCTETSTRING) ||
|
|
|
|
CBS_len(&write_seq) != sizeof(s3->write_sequence) ||
|
|
|
|
!CBS_get_asn1(&seq, &server_rand, CBS_ASN1_OCTETSTRING) ||
|
|
|
|
CBS_len(&server_rand) != sizeof(s3->server_random) ||
|
|
|
|
!CBS_copy_bytes(&server_rand, s3->server_random,
|
|
|
|
sizeof(s3->server_random)) ||
|
|
|
|
!CBS_get_asn1(&seq, &client_rand, CBS_ASN1_OCTETSTRING) ||
|
|
|
|
CBS_len(&client_rand) != sizeof(s3->client_random) ||
|
|
|
|
!CBS_copy_bytes(&client_rand, s3->client_random,
|
|
|
|
sizeof(s3->client_random)) ||
|
|
|
|
!CBS_get_asn1(&seq, &read_iv, CBS_ASN1_OCTETSTRING) ||
|
|
|
|
!CBS_get_asn1(&seq, &write_iv, CBS_ASN1_OCTETSTRING) ||
|
|
|
|
!CBS_get_asn1_bool(&seq, &session_reused) ||
|
|
|
|
!CBS_get_asn1_bool(&seq, &channel_id_valid)) {
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
2018-03-22 18:48:33 +00:00
|
|
|
s3->hs = ssl_handshake_new(ssl);
|
|
|
|
if (session_reused) {
|
|
|
|
ssl->session =
|
|
|
|
SSL_SESSION_parse(&seq, ssl->ctx->x509_method, ssl->ctx->pool)
|
|
|
|
.release();
|
|
|
|
session = ssl->session;
|
|
|
|
} else {
|
|
|
|
s3->hs->new_session =
|
|
|
|
SSL_SESSION_parse(&seq, ssl->ctx->x509_method, ssl->ctx->pool);
|
|
|
|
session = s3->hs->new_session.get();
|
|
|
|
}
|
2018-01-26 17:14:30 +00:00
|
|
|
|
2018-03-22 18:48:33 +00:00
|
|
|
if (!session || !CBS_get_asn1(&seq, &next_proto, CBS_ASN1_OCTETSTRING) ||
|
2018-01-26 17:14:30 +00:00
|
|
|
!CBS_get_asn1(&seq, &alpn, CBS_ASN1_OCTETSTRING) ||
|
|
|
|
!CBS_get_asn1(&seq, &hostname, CBS_ASN1_OCTETSTRING) ||
|
|
|
|
!CBS_get_asn1(&seq, &channel_id, CBS_ASN1_OCTETSTRING) ||
|
|
|
|
CBS_len(&channel_id) != sizeof(s3->tlsext_channel_id) ||
|
|
|
|
!CBS_copy_bytes(&channel_id, s3->tlsext_channel_id,
|
|
|
|
sizeof(s3->tlsext_channel_id)) ||
|
2018-03-22 18:48:33 +00:00
|
|
|
!CBS_get_asn1_bool(&seq, &token_binding_negotiated) ||
|
|
|
|
!CBS_get_asn1_uint64(&seq, &negotiated_token_binding_param) ||
|
|
|
|
!CBS_get_asn1_bool(&seq, &next_proto_neg_seen) ||
|
|
|
|
!CBS_get_asn1_bool(&seq, &cert_request) ||
|
|
|
|
!CBS_get_asn1_bool(&seq, &extended_master_secret) ||
|
|
|
|
!CBS_get_asn1_bool(&seq, &ticket_expected) ||
|
|
|
|
!CBS_get_asn1_uint64(&seq, &cipher)) {
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
if ((s3->hs->new_cipher =
|
|
|
|
SSL_get_cipher_by_value(static_cast<uint16_t>(cipher))) == nullptr) {
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
if (!CBS_get_asn1(&seq, &transcript, CBS_ASN1_OCTETSTRING) ||
|
|
|
|
!CBS_get_asn1(&seq, &key_share, CBS_ASN1_SEQUENCE)) {
|
2018-01-26 17:14:30 +00:00
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
SSL_serialize_handoff: serialize fewer things.
In the handoff+handback case, bssl_shim.cc creates 3 |SSL| objects:
one to receive the ClientHello, one to receive the handoff, and a
third one to receive the handback.
Before 56986f9, only the first of these received any configuration.
Since that commit, all 3 of them receive the same configuration. That
means that the handback message no longer needs to serialize as many
things.
N.B. even before 56986f9, not all of the fields were necessary. For
example, there was no reason to serialize |conf_max_version| and
|conf_min_version| in the handback, so far as I can tell.
This commit is mechanical: it simply removes everything that doesn't
cause any tests to fail. In the long run, I'll need to carefully
check for two possibilities:
- Knobs that affect the handshake after the server's first message it
sent. These are troublesome because that portion of the handshake
may run on a different |SSL|, depending on whether the handback is
early or late.
- Getters that may be called post-handshake, and that callers may
reasonably expect to reflect the value that was used during
handshake.
(I'm not sure that either case exists!)
Change-Id: Ibf6e0be6609ad6e83ab50e69199e9b2d51e59a87
Reviewed-on: https://boringssl-review.googlesource.com/27364
Commit-Queue: Matt Braithwaite <mab@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
Reviewed-by: David Benjamin <davidben@google.com>
2018-04-12 01:00:54 +01:00
|
|
|
ssl->version = session->ssl_version;
|
2018-04-10 23:40:12 +01:00
|
|
|
s3->have_version = true;
|
|
|
|
if (!ssl_method_supports_version(ssl->method, ssl->version) ||
|
|
|
|
session->cipher != s3->hs->new_cipher ||
|
|
|
|
ssl_protocol_version(ssl) < SSL_CIPHER_get_min_version(session->cipher) ||
|
|
|
|
SSL_CIPHER_get_max_version(session->cipher) < ssl_protocol_version(ssl)) {
|
|
|
|
return false;
|
|
|
|
}
|
2018-01-26 17:14:30 +00:00
|
|
|
ssl->do_handshake = ssl_server_handshake;
|
|
|
|
ssl->server = true;
|
|
|
|
|
2018-03-22 18:48:33 +00:00
|
|
|
s3->hs->state = CBS_len(&transcript) == 0 ? state12_finish_server_handshake
|
|
|
|
: state12_read_client_certificate;
|
2018-01-26 17:14:30 +00:00
|
|
|
s3->session_reused = session_reused;
|
|
|
|
s3->tlsext_channel_id_valid = channel_id_valid;
|
|
|
|
s3->next_proto_negotiated.CopyFrom(next_proto);
|
|
|
|
s3->alpn_selected.CopyFrom(alpn);
|
|
|
|
|
|
|
|
const size_t hostname_len = CBS_len(&hostname);
|
|
|
|
if (hostname_len == 0) {
|
|
|
|
s3->hostname.reset();
|
|
|
|
} else {
|
|
|
|
char *hostname_str = nullptr;
|
|
|
|
if (!CBS_strdup(&hostname, &hostname_str)) {
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
s3->hostname.reset(hostname_str);
|
|
|
|
}
|
|
|
|
|
2018-04-12 20:36:30 +01:00
|
|
|
s3->token_binding_negotiated = token_binding_negotiated;
|
|
|
|
s3->negotiated_token_binding_param =
|
2018-03-22 18:48:33 +00:00
|
|
|
static_cast<uint8_t>(negotiated_token_binding_param);
|
|
|
|
s3->hs->next_proto_neg_seen = next_proto_neg_seen;
|
|
|
|
s3->hs->wait = ssl_hs_flush;
|
|
|
|
s3->hs->extended_master_secret = extended_master_secret;
|
|
|
|
s3->hs->ticket_expected = ticket_expected;
|
|
|
|
s3->aead_write_ctx->SetVersionIfNullCipher(ssl->version);
|
|
|
|
s3->hs->cert_request = cert_request;
|
|
|
|
|
|
|
|
if (s3->hs->state == state12_finish_server_handshake) {
|
|
|
|
Array<uint8_t> key_block;
|
|
|
|
if (!tls1_configure_aead(ssl, evp_aead_open, &key_block, session->cipher,
|
|
|
|
read_iv) ||
|
|
|
|
!tls1_configure_aead(ssl, evp_aead_seal, &key_block, session->cipher,
|
|
|
|
write_iv)) {
|
|
|
|
return false;
|
|
|
|
}
|
2018-01-26 17:14:30 +00:00
|
|
|
|
2018-03-22 18:48:33 +00:00
|
|
|
if (!CBS_copy_bytes(&read_seq, s3->read_sequence,
|
|
|
|
sizeof(s3->read_sequence)) ||
|
|
|
|
!CBS_copy_bytes(&write_seq, s3->write_sequence,
|
|
|
|
sizeof(s3->write_sequence))) {
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
} else {
|
|
|
|
if (!s3->hs->transcript.Init() ||
|
|
|
|
!s3->hs->transcript.InitHash(ssl_protocol_version(ssl),
|
|
|
|
s3->hs->new_cipher) ||
|
|
|
|
!s3->hs->transcript.Update(transcript)) {
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
if ((s3->hs->key_share = SSLKeyShare::Create(&key_share)) == nullptr) {
|
|
|
|
return false;
|
|
|
|
}
|
2018-01-26 17:14:30 +00:00
|
|
|
}
|
|
|
|
|
2018-03-22 18:48:33 +00:00
|
|
|
return CBS_len(&seq) == 0;
|
2018-01-26 17:14:30 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
} // namespace bssl
|