handoff.cc source code [dart_sdk/third_party/boringssl/src/ssl/handoff.cc]

1	/ Copyright (c) 2018, Google Inc.*
2	*
3	* Permission to use, copy, modify, and/or distribute this software for any
4	* purpose with or without fee is hereby granted, provided that the above
5	* copyright notice and this permission notice appear in all copies.
6	*
7	* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
8	* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9	* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
10	* SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11	* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
12	* OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
13	* CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
14
15	#include <openssl/ssl.h>
16
17	#include <openssl/bytestring.h>
18	#include <openssl/err.h>
19
20	#include "../crypto/internal.h"
21	#include "internal.h"
22
23
24	BSSL_NAMESPACE_BEGIN
25
26	constexpr int kHandoffVersion = `0`;
27	constexpr int kHandbackVersion = `0`;
28
29	static const CBS_ASN1_TAG kHandoffTagALPS = CBS_ASN1_CONTEXT_SPECIFIC \| `0`;
30
31	// early_data_t represents the state of early data in a more compact way than
32	// the 3 bits used by the implementation.
33	enum early_data_t {
34	early_data_not_offered = `0`,
35	early_data_accepted = `1`,
36	early_data_rejected_hrr = `2`,
37	early_data_skipped = `3`,
38
39	early_data_max_value = early_data_skipped,
40	};
41
42	// serialize_features adds a description of features supported by this binary to
43	// \|out\|. Returns true on success and false on error.
44	static bool serialize_features(CBB *out) {
45	CBB ciphers;
46	if (!CBB_add_asn1(cbb: out, out_contents: &ciphers, CBS_ASN1_OCTETSTRING)) {
47	return false;
48	}
49	Span<const SSL_CIPHER> all_ciphers = AllCiphers();
50	for (const SSL_CIPHER& cipher : all_ciphers) {
51	if (!CBB_add_u16(&ciphers, static_cast<uint16_t>(cipher.id))) {
52	return false;
53	}
54	}
55	CBB curves;
56	if (!CBB_add_asn1(cbb: out, out_contents: &curves, CBS_ASN1_OCTETSTRING)) {
57	return false;
58	}
59	for (const NamedGroup& g : NamedGroups()) {
60	if (!CBB_add_u16(&curves, g.group_id)) {
61	return false;
62	}
63	}
64	// ALPS is a draft protocol and may change over time. The handoff structure
65	// contains a [0] IMPLICIT OCTET STRING OPTIONAL, containing a list of u16
66	// ALPS versions that the binary supports. For now we name them by codepoint.
67	// Once ALPS is finalized and past the support horizon, this field can be
68	// removed.
69	CBB alps;
70	if (!CBB_add_asn1(cbb: out, out_contents: &alps, tag: kHandoffTagALPS) \|\|
71	!CBB_add_u16(cbb: &alps, TLSEXT_TYPE_application_settings)) {
72	return false;
73	}
74	return CBB_flush(cbb: out);
75	}
76
77	bool SSL_serialize_handoff(const SSL ssl, CBB out,
78	SSL_CLIENT_HELLO *out_hello) {
79	const SSL3_STATE *const s3 = ssl->s3;
80	if (!ssl->server \|\|
81	s3->hs == nullptr \|\|
82	s3->rwstate != SSL_ERROR_HANDOFF) {
83	return false;
84	}
85
86	CBB seq;
87	SSLMessage msg;
88	Span<const uint8_t> transcript = s3->hs->transcript.buffer();
89	if (!CBB_add_asn1(cbb: out, out_contents: &seq, CBS_ASN1_SEQUENCE) \|\|
90	!CBB_add_asn1_uint64(cbb: &seq, value: kHandoffVersion) \|\|
91	!CBB_add_asn1_octet_string(&seq, transcript.data(), transcript.size()) \|\|
92	!CBB_add_asn1_octet_string(&seq,
93	reinterpret_cast<uint8_t *>(s3->hs_buf->data),
94	s3->hs_buf->length) \|\|
95	!serialize_features(out: &seq) \|\|
96	!CBB_flush(cbb: out) \|\|
97	!ssl->method->get_message(ssl, &msg) \|\|
98	!ssl_client_hello_init(ssl, out: out_hello, body: msg.body)) {
99	return false;
100	}
101
102	return true;
103	}
104
105	bool SSL_decline_handoff(SSL *ssl) {
106	const SSL3_STATE *const s3 = ssl->s3;
107	if (!ssl->server \|\|
108	s3->hs == nullptr \|\|
109	s3->rwstate != SSL_ERROR_HANDOFF) {
110	return false;
111	}
112
113	s3->hs->config->handoff = false;
114	return true;
115	}
116
117	// apply_remote_features reads a list of supported features from \|in\| and
118	// (possibly) reconfigures \|ssl\| to disallow the negotation of features whose
119	// support has not been indicated. (This prevents the the handshake from
120	// committing to features that are not supported on the handoff/handback side.)
121	static bool apply_remote_features(SSL ssl, CBS in) {
122	CBS ciphers;
123	if (!CBS_get_asn1(cbs: in, out: &ciphers, CBS_ASN1_OCTETSTRING)) {
124	return false;
125	}
126	bssl::UniquePtr<STACK_OF(SSL_CIPHER)> supported(sk_SSL_CIPHER_new_null());
127	if (!supported) {
128	return false;
129	}
130	while (CBS_len(cbs: &ciphers)) {
131	uint16_t id;
132	if (!CBS_get_u16(cbs: &ciphers, out: &id)) {
133	return false;
134	}
135	const SSL_CIPHER *cipher = SSL_get_cipher_by_value(value: id);
136	if (!cipher) {
137	continue;
138	}
139	if (!sk_SSL_CIPHER_push(supported.get(), cipher)) {
140	return false;
141	}
142	}
143	STACK_OF(SSL_CIPHER) *configured =
144	ssl->config->cipher_list ? ssl->config->cipher_list->ciphers.get()
145	: ssl->ctx->cipher_list->ciphers.get();
146	bssl::UniquePtr<STACK_OF(SSL_CIPHER)> unsupported(sk_SSL_CIPHER_new_null());
147	if (!unsupported) {
148	return false;
149	}
150	for (const SSL_CIPHER *configured_cipher : configured) {
151	if (sk_SSL_CIPHER_find(supported.get(), nullptr, configured_cipher)) {
152	continue;
153	}
154	if (!sk_SSL_CIPHER_push(unsupported.get(), configured_cipher)) {
155	return false;
156	}
157	}
158	if (sk_SSL_CIPHER_num(unsupported.get()) && !ssl->config->cipher_list) {
159	ssl->config->cipher_list = bssl::MakeUnique<SSLCipherPreferenceList>();
160	if (!ssl->config->cipher_list \|\|
161	!ssl->config->cipher_list->Init(*ssl->ctx->cipher_list)) {
162	return false;
163	}
164	}
165	for (const SSL_CIPHER *unsupported_cipher : unsupported.get()) {
166	ssl->config->cipher_list->Remove(unsupported_cipher);
167	}
168	if (sk_SSL_CIPHER_num(sk: SSL_get_ciphers(ssl)) == `0`) {
169	return false;
170	}
171
172	CBS curves;
173	if (!CBS_get_asn1(cbs: in, out: &curves, CBS_ASN1_OCTETSTRING)) {
174	return false;
175	}
176	Array<uint16_t> supported_curves;
177	if (!supported_curves.Init(new_size: CBS_len(cbs: &curves) / `2`)) {
178	return false;
179	}
180	size_t idx = `0`;
181	while (CBS_len(cbs: &curves)) {
182	uint16_t curve;
183	if (!CBS_get_u16(cbs: &curves, out: &curve)) {
184	return false;
185	}
186	supported_curves [idx++] = curve;
187	}
188	Span<const uint16_t> configured_curves =
189	tls1_get_grouplist(ssl->s3->hs.get());
190	Array<uint16_t> new_configured_curves;
191	if (!new_configured_curves.Init(new_size: configured_curves.size())) {
192	return false;
193	}
194	idx = `0`;
195	for (uint16_t configured_curve : configured_curves) {
196	bool ok = false;
197	for (uint16_t supported_curve : supported_curves) {
198	if (supported_curve == configured_curve) {
199	ok = true;
200	break;
201	}
202	}
203	if (ok) {
204	new_configured_curves[idx++] = configured_curve;
205	}
206	}
207	if (idx == `0`) {
208	return false;
209	}
210	new_configured_curves.Shrink(new_size: idx);
211	ssl->config->supported_group_list = std::move(new_configured_curves);
212
213	CBS alps;
214	CBS_init(cbs: &alps, data: nullptr, len: `0`);
215	if (!CBS_get_optional_asn1(cbs: in, out: &alps, /out_present=/nullptr,
216	tag: kHandoffTagALPS)) {
217	return false;
218	}
219	bool supports_alps = false;
220	while (CBS_len(cbs: &alps) != `0`) {
221	uint16_t id;
222	if (!CBS_get_u16(cbs: &alps, out: &id)) {
223	return false;
224	}
225	// For now, we only support one ALPS code point, so we only need to extract
226	// a boolean signal from the feature list.
227	if (id == TLSEXT_TYPE_application_settings) {
228	supports_alps = true;
229	break;
230	}
231	}
232	if (!supports_alps) {
233	ssl->config->alps_configs.clear();
234	}
235
236	return true;
237	}
238
239	// uses_disallowed_feature returns true iff \|ssl\| enables a feature that
240	// disqualifies it for split handshakes.
241	static bool uses_disallowed_feature(const SSL *ssl) {
242	return ssl->method->is_dtls \|\| (ssl->config->cert && ssl->config->cert->dc) \|\|
243	ssl->config->quic_transport_params.size() > `0` \|\| ssl->ctx->ech_keys;
244	}
245
246	bool SSL_apply_handoff(SSL ssl, Span<const* uint8_t> handoff) {
247	if (uses_disallowed_feature(ssl)) {
248	return false;
249	}
250
251	CBS seq, handoff_cbs(handoff);
252	uint64_t handoff_version;
253	if (!CBS_get_asn1(cbs: &handoff_cbs, out: &seq, CBS_ASN1_SEQUENCE) \|\|
254	!CBS_get_asn1_uint64(cbs: &seq, out: &handoff_version) \|\|
255	handoff_version != kHandoffVersion) {
256	return false;
257	}
258
259	CBS transcript, hs_buf;
260	if (!CBS_get_asn1(cbs: &seq, out: &transcript, CBS_ASN1_OCTETSTRING) \|\|
261	!CBS_get_asn1(cbs: &seq, out: &hs_buf, CBS_ASN1_OCTETSTRING) \|\|
262	!apply_remote_features(ssl, in: &seq)) {
263	return false;
264	}
265
266	SSL_set_accept_state(ssl);
267
268	SSL3_STATE *const s3 = ssl->s3;
269	s3->v2_hello_done = true;
270	s3->has_message = true;
271
272	s3->hs_buf.reset(BUF_MEM_new());
273	if (!s3->hs_buf \|\|
274	!BUF_MEM_append(s3->hs_buf.get(), CBS_data(cbs: &hs_buf), CBS_len(cbs: &hs_buf))) {
275	return false;
276	}
277
278	if (CBS_len(cbs: &transcript) != `0`) {
279	s3->hs->transcript.Update(transcript);
280	s3->is_v2_hello = true;
281	}
282	s3->hs->handback = true;
283
284	return true;
285	}
286
287	bool SSL_serialize_handback(const SSL ssl, CBB out) {
288	if (!ssl->server \|\| uses_disallowed_feature(ssl)) {
289	return false;
290	}
291	const SSL3_STATE *const s3 = ssl->s3;
292	SSL_HANDSHAKE *const hs = s3->hs.get();
293	handback_t type;
294	switch (hs->state) {
295	case state12_read_change_cipher_spec:
296	type = handback_after_session_resumption;
297	break;
298	case state12_read_client_certificate:
299	type = handback_after_ecdhe;
300	break;
301	case state12_finish_server_handshake:
302	type = handback_after_handshake;
303	break;
304	case state12_tls13:
305	if (hs->tls13_state != state13_send_half_rtt_ticket) {
306	return false;
307	}
308	type = handback_tls13;
309	break;
310	default:
311	return false;
312	}
313
314	size_t hostname_len = `0`;
315	if (s3->hostname) {
316	hostname_len = strlen(s3->hostname.get());
317	}
318
319	Span<const uint8_t> transcript;
320	if (type != handback_after_handshake) {
321	transcript = s3->hs->transcript.buffer();
322	}
323	size_t write_iv_len = `0`;
324	const uint8_t write_iv = nullptr*;
325	if ((type == handback_after_session_resumption \|\|
326	type == handback_after_handshake) &&
327	ssl->version == TLS1_VERSION &&
328	SSL_CIPHER_is_block_cipher(s3->aead_write_ctx->cipher()) &&
329	!s3->aead_write_ctx->GetIV(&write_iv, &write_iv_len)) {
330	return false;
331	}
332	size_t read_iv_len = `0`;
333	const uint8_t read_iv = nullptr*;
334	if (type == handback_after_handshake &&
335	ssl->version == TLS1_VERSION &&
336	SSL_CIPHER_is_block_cipher(s3->aead_read_ctx->cipher()) &&
337	!s3->aead_read_ctx->GetIV(&read_iv, &read_iv_len)) {
338	return false;
339	}
340
341	// TODO(mab): make sure everything is serialized.
342	CBB seq, key_share;
343	const SSL_SESSION *session;
344	if (type == handback_tls13) {
345	session = hs->new_session.get();
346	} else {
347	session = s3->session_reused ? ssl->session.get() : hs->new_session.get();
348	}
349	uint8_t read_sequence[`8`], write_sequence[`8`];
350	CRYPTO_store_u64_be(out: read_sequence, v: s3->read_sequence);
351	CRYPTO_store_u64_be(out: write_sequence, v: s3->write_sequence);
352	static const uint8_t kUnusedChannelID[`64`] = {`0`};
353	if (!CBB_add_asn1(cbb: out, out_contents: &seq, CBS_ASN1_SEQUENCE) \|\|
354	!CBB_add_asn1_uint64(cbb: &seq, value: kHandbackVersion) \|\|
355	!CBB_add_asn1_uint64(cbb: &seq, value: type) \|\|
356	!CBB_add_asn1_octet_string(cbb: &seq, data: read_sequence, data_len: sizeof(read_sequence)) \|\|
357	!CBB_add_asn1_octet_string(cbb: &seq, data: write_sequence,
358	data_len: sizeof(write_sequence)) \|\|
359	!CBB_add_asn1_octet_string(cbb: &seq, data: s3->server_random,
360	data_len: sizeof(s3->server_random)) \|\|
361	!CBB_add_asn1_octet_string(cbb: &seq, data: s3->client_random,
362	data_len: sizeof(s3->client_random)) \|\|
363	!CBB_add_asn1_octet_string(cbb: &seq, data: read_iv, data_len: read_iv_len) \|\|
364	!CBB_add_asn1_octet_string(cbb: &seq, data: write_iv, data_len: write_iv_len) \|\|
365	!CBB_add_asn1_bool(cbb: &seq, value: s3->session_reused) \|\|
366	!CBB_add_asn1_bool(cbb: &seq, value: hs->channel_id_negotiated) \|\|
367	!ssl_session_serialize(in: session, cbb: &seq) \|\|
368	!CBB_add_asn1_octet_string(cbb: &seq, data: s3->next_proto_negotiated.data(),
369	data_len: s3->next_proto_negotiated.size()) \|\|
370	!CBB_add_asn1_octet_string(cbb: &seq, data: s3->alpn_selected.data(),
371	data_len: s3->alpn_selected.size()) \|\|
372	!CBB_add_asn1_octet_string(
373	cbb: &seq, data: reinterpret_cast<uint8_t *>(s3->hostname.get()),
374	data_len: hostname_len) \|\|
375	!CBB_add_asn1_octet_string(cbb: &seq, data: kUnusedChannelID,
376	data_len: sizeof(kUnusedChannelID)) \|\|
377	// These two fields were historically \|token_binding_negotiated\| and
378	// \|negotiated_token_binding_param\|.
379	!CBB_add_asn1_bool(cbb: &seq, value: `0`) \|\| //
380	!CBB_add_asn1_uint64(cbb: &seq, value: `0`) \|\|
381	!CBB_add_asn1_bool(&seq, s3->hs->next_proto_neg_seen) \|\|
382	!CBB_add_asn1_bool(&seq, s3->hs->cert_request) \|\|
383	!CBB_add_asn1_bool(&seq, s3->hs->extended_master_secret) \|\|
384	!CBB_add_asn1_bool(&seq, s3->hs->ticket_expected) \|\|
385	!CBB_add_asn1_uint64(&seq, SSL_CIPHER_get_id(s3->hs->new_cipher)) \|\|
386	!CBB_add_asn1_octet_string(&seq, transcript.data(), transcript.size()) \|\|
387	!CBB_add_asn1(cbb: &seq, out_contents: &key_share, CBS_ASN1_SEQUENCE)) {
388	return false;
389	}
390	if (type == handback_after_ecdhe) {
391	CBB private_key;
392	if (!CBB_add_asn1_uint64(&key_share, s3->hs->key_shares[`0`]->GroupID()) \|\|
393	!CBB_add_asn1(cbb: &key_share, out_contents: &private_key, CBS_ASN1_OCTETSTRING) \|\|
394	!s3->hs->key_shares[`0`]->SerializePrivateKey(&private_key) \|\|
395	!CBB_flush(cbb: &key_share)) {
396	return false;
397	}
398	}
399	if (type == handback_tls13) {
400	early_data_t early_data;
401	// Check early data invariants.
402	if (ssl->enable_early_data ==
403	(s3->early_data_reason == ssl_early_data_disabled)) {
404	return false;
405	}
406	if (hs->early_data_offered) {
407	if (s3->early_data_accepted && !s3->skip_early_data) {
408	early_data = early_data_accepted;
409	} else if (!s3->early_data_accepted && !s3->skip_early_data) {
410	early_data = early_data_rejected_hrr;
411	} else if (!s3->early_data_accepted && s3->skip_early_data) {
412	early_data = early_data_skipped;
413	} else {
414	return false;
415	}
416	} else if (!s3->early_data_accepted && !s3->skip_early_data) {
417	early_data = early_data_not_offered;
418	} else {
419	return false;
420	}
421	if (!CBB_add_asn1_octet_string(&seq, hs->client_traffic_secret_0().data(),
422	hs->client_traffic_secret_0().size()) \|\|
423	!CBB_add_asn1_octet_string(&seq, hs->server_traffic_secret_0().data(),
424	hs->server_traffic_secret_0().size()) \|\|
425	!CBB_add_asn1_octet_string(&seq, hs->client_handshake_secret().data(),
426	hs->client_handshake_secret().size()) \|\|
427	!CBB_add_asn1_octet_string(&seq, hs->server_handshake_secret().data(),
428	hs->server_handshake_secret().size()) \|\|
429	!CBB_add_asn1_octet_string(&seq, hs->secret().data(),
430	hs->secret().size()) \|\|
431	!CBB_add_asn1_octet_string(cbb: &seq, data: s3->exporter_secret,
432	data_len: s3->exporter_secret_len) \|\|
433	!CBB_add_asn1_bool(cbb: &seq, value: s3->used_hello_retry_request) \|\|
434	!CBB_add_asn1_bool(cbb: &seq, value: hs->accept_psk_mode) \|\|
435	!CBB_add_asn1_int64(cbb: &seq, value: s3->ticket_age_skew) \|\|
436	!CBB_add_asn1_uint64(cbb: &seq, value: s3->early_data_reason) \|\|
437	!CBB_add_asn1_uint64(cbb: &seq, value: early_data)) {
438	return false;
439	}
440	if (early_data == early_data_accepted &&
441	!CBB_add_asn1_octet_string(&seq, hs->early_traffic_secret().data(),
442	hs->early_traffic_secret().size())) {
443	return false;
444	}
445	}
446	return CBB_flush(cbb: out);
447	}
448
449	static bool CopyExact(Span<uint8_t> out, const CBS *in) {
450	if (CBS_len(cbs: in) != out.size()) {
451	return false;
452	}
453	OPENSSL_memcpy(out.data(), CBS_data(cbs: in), out.size());
454	return true;
455	}
456
457	bool SSL_apply_handback(SSL ssl, Span<const* uint8_t> handback) {
458	if (ssl->do_handshake != nullptr \|\|
459	ssl->method->is_dtls) {
460	return false;
461	}
462
463	SSL3_STATE *const s3 = ssl->s3;
464	uint64_t handback_version, unused_token_binding_param, cipher, type_u64;
465
466	CBS seq, read_seq, write_seq, server_rand, client_rand, read_iv, write_iv,
467	next_proto, alpn, hostname, unused_channel_id, transcript, key_share;
468	int session_reused, channel_id_negotiated, cert_request,
469	extended_master_secret, ticket_expected, unused_token_binding,
470	next_proto_neg_seen;
471	SSL_SESSION session = nullptr*;
472
473	CBS handback_cbs(handback);
474	if (!CBS_get_asn1(cbs: &handback_cbs, out: &seq, CBS_ASN1_SEQUENCE) \|\|
475	!CBS_get_asn1_uint64(cbs: &seq, out: &handback_version) \|\|
476	handback_version != kHandbackVersion \|\|
477	!CBS_get_asn1_uint64(cbs: &seq, out: &type_u64) \|\|
478	type_u64 > handback_max_value) {
479	return false;
480	}
481
482	handback_t type = static_cast<handback_t>(type_u64);
483	if (!CBS_get_asn1(cbs: &seq, out: &read_seq, CBS_ASN1_OCTETSTRING) \|\|
484	CBS_len(cbs: &read_seq) != sizeof(s3->read_sequence) \|\|
485	!CBS_get_asn1(cbs: &seq, out: &write_seq, CBS_ASN1_OCTETSTRING) \|\|
486	CBS_len(cbs: &write_seq) != sizeof(s3->write_sequence) \|\|
487	!CBS_get_asn1(cbs: &seq, out: &server_rand, CBS_ASN1_OCTETSTRING) \|\|
488	CBS_len(cbs: &server_rand) != sizeof(s3->server_random) \|\|
489	!CBS_copy_bytes(cbs: &server_rand, out: s3->server_random,
490	len: sizeof(s3->server_random)) \|\|
491	!CBS_get_asn1(cbs: &seq, out: &client_rand, CBS_ASN1_OCTETSTRING) \|\|
492	CBS_len(cbs: &client_rand) != sizeof(s3->client_random) \|\|
493	!CBS_copy_bytes(cbs: &client_rand, out: s3->client_random,
494	len: sizeof(s3->client_random)) \|\|
495	!CBS_get_asn1(cbs: &seq, out: &read_iv, CBS_ASN1_OCTETSTRING) \|\|
496	!CBS_get_asn1(cbs: &seq, out: &write_iv, CBS_ASN1_OCTETSTRING) \|\|
497	!CBS_get_asn1_bool(cbs: &seq, out: &session_reused) \|\|
498	!CBS_get_asn1_bool(cbs: &seq, out: &channel_id_negotiated)) {
499	return false;
500	}
501
502	s3->hs = ssl_handshake_new(ssl);
503	if (!s3->hs) {
504	return false;
505	}
506	SSL_HANDSHAKE *const hs = s3->hs.get();
507	if (!session_reused \|\| type == handback_tls13) {
508	hs->new_session =
509	SSL_SESSION_parse(&seq, ssl->ctx->x509_method, ssl->ctx->pool);
510	session = hs->new_session.get();
511	} else {
512	ssl->session =
513	SSL_SESSION_parse(&seq, ssl->ctx->x509_method, ssl->ctx->pool);
514	session = ssl->session.get();
515	}
516
517	if (!session \|\| !CBS_get_asn1(cbs: &seq, out: &next_proto, CBS_ASN1_OCTETSTRING) \|\|
518	!CBS_get_asn1(cbs: &seq, out: &alpn, CBS_ASN1_OCTETSTRING) \|\|
519	!CBS_get_asn1(cbs: &seq, out: &hostname, CBS_ASN1_OCTETSTRING) \|\|
520	!CBS_get_asn1(cbs: &seq, out: &unused_channel_id, CBS_ASN1_OCTETSTRING) \|\|
521	!CBS_get_asn1_bool(cbs: &seq, out: &unused_token_binding) \|\|
522	!CBS_get_asn1_uint64(cbs: &seq, out: &unused_token_binding_param) \|\|
523	!CBS_get_asn1_bool(cbs: &seq, out: &next_proto_neg_seen) \|\|
524	!CBS_get_asn1_bool(cbs: &seq, out: &cert_request) \|\|
525	!CBS_get_asn1_bool(cbs: &seq, out: &extended_master_secret) \|\|
526	!CBS_get_asn1_bool(cbs: &seq, out: &ticket_expected) \|\|
527	!CBS_get_asn1_uint64(cbs: &seq, out: &cipher)) {
528	return false;
529	}
530	if ((hs->new_cipher =
531	SSL_get_cipher_by_value(value: static_cast<uint16_t>(cipher))) == nullptr) {
532	return false;
533	}
534	if (!CBS_get_asn1(cbs: &seq, out: &transcript, CBS_ASN1_OCTETSTRING) \|\|
535	!CBS_get_asn1(cbs: &seq, out: &key_share, CBS_ASN1_SEQUENCE)) {
536	return false;
537	}
538	CBS client_handshake_secret, server_handshake_secret, client_traffic_secret_0,
539	server_traffic_secret_0, secret, exporter_secret, early_traffic_secret;
540	if (type == handback_tls13) {
541	int used_hello_retry_request, accept_psk_mode;
542	uint64_t early_data, early_data_reason;
543	int64_t ticket_age_skew;
544	if (!CBS_get_asn1(cbs: &seq, out: &client_traffic_secret_0, CBS_ASN1_OCTETSTRING) \|\|
545	!CBS_get_asn1(cbs: &seq, out: &server_traffic_secret_0, CBS_ASN1_OCTETSTRING) \|\|
546	!CBS_get_asn1(cbs: &seq, out: &client_handshake_secret, CBS_ASN1_OCTETSTRING) \|\|
547	!CBS_get_asn1(cbs: &seq, out: &server_handshake_secret, CBS_ASN1_OCTETSTRING) \|\|
548	!CBS_get_asn1(cbs: &seq, out: &secret, CBS_ASN1_OCTETSTRING) \|\|
549	!CBS_get_asn1(cbs: &seq, out: &exporter_secret, CBS_ASN1_OCTETSTRING) \|\|
550	!CBS_get_asn1_bool(cbs: &seq, out: &used_hello_retry_request) \|\|
551	!CBS_get_asn1_bool(cbs: &seq, out: &accept_psk_mode) \|\|
552	!CBS_get_asn1_int64(cbs: &seq, out: &ticket_age_skew) \|\|
553	!CBS_get_asn1_uint64(cbs: &seq, out: &early_data_reason) \|\|
554	early_data_reason > ssl_early_data_reason_max_value \|\|
555	!CBS_get_asn1_uint64(cbs: &seq, out: &early_data) \|\|
556	early_data > early_data_max_value) {
557	return false;
558	}
559	early_data_t early_data_type = static_cast<early_data_t>(early_data);
560	if (early_data_type == early_data_accepted &&
561	!CBS_get_asn1(cbs: &seq, out: &early_traffic_secret, CBS_ASN1_OCTETSTRING)) {
562	return false;
563	}
564	if (ticket_age_skew > std::numeric_limits<int32_t>::max() \|\|
565	ticket_age_skew < std::numeric_limits<int32_t>::min()) {
566	return false;
567	}
568	s3->ticket_age_skew = static_cast<int32_t>(ticket_age_skew);
569	s3->used_hello_retry_request = used_hello_retry_request;
570	hs->accept_psk_mode = accept_psk_mode;
571
572	s3->early_data_reason =
573	static_cast<ssl_early_data_reason_t>(early_data_reason);
574	ssl->enable_early_data = s3->early_data_reason != ssl_early_data_disabled;
575	s3->skip_early_data = false;
576	s3->early_data_accepted = false;
577	hs->early_data_offered = false;
578	switch (early_data_type) {
579	case early_data_not_offered:
580	break;
581	case early_data_accepted:
582	s3->early_data_accepted = true;
583	hs->early_data_offered = true;
584	hs->can_early_write = true;
585	hs->can_early_read = true;
586	hs->in_early_data = true;
587	break;
588	case early_data_rejected_hrr:
589	hs->early_data_offered = true;
590	break;
591	case early_data_skipped:
592	s3->skip_early_data = true;
593	hs->early_data_offered = true;
594	break;
595	default:
596	return false;
597	}
598	} else {
599	s3->early_data_reason = ssl_early_data_protocol_version;
600	}
601
602	ssl->version = session->ssl_version;
603	s3->have_version = true;
604	if (!ssl_method_supports_version(method: ssl->method, version: ssl->version) \|\|
605	session->cipher != hs->new_cipher \|\|
606	ssl_protocol_version(ssl) < SSL_CIPHER_get_min_version(cipher: session->cipher) \|\|
607	SSL_CIPHER_get_max_version(cipher: session->cipher) < ssl_protocol_version(ssl)) {
608	return false;
609	}
610	ssl->do_handshake = ssl_server_handshake;
611	ssl->server = true;
612	switch (type) {
613	case handback_after_session_resumption:
614	hs->state = state12_read_change_cipher_spec;
615	if (!session_reused) {
616	return false;
617	}
618	break;
619	case handback_after_ecdhe:
620	hs->state = state12_read_client_certificate;
621	if (session_reused) {
622	return false;
623	}
624	break;
625	case handback_after_handshake:
626	hs->state = state12_finish_server_handshake;
627	break;
628	case handback_tls13:
629	hs->state = state12_tls13;
630	hs->tls13_state = state13_send_half_rtt_ticket;
631	break;
632	default:
633	return false;
634	}
635	s3->session_reused = session_reused;
636	hs->channel_id_negotiated = channel_id_negotiated;
637	s3->next_proto_negotiated.CopyFrom(in: next_proto);
638	s3->alpn_selected.CopyFrom(in: alpn);
639
640	const size_t hostname_len = CBS_len(cbs: &hostname);
641	if (hostname_len == `0`) {
642	s3->hostname.reset();
643	} else {
644	char hostname_str = nullptr*;
645	if (!CBS_strdup(cbs: &hostname, out_ptr: &hostname_str)) {
646	return false;
647	}
648	s3->hostname.reset(hostname_str);
649	}
650
651	hs->next_proto_neg_seen = next_proto_neg_seen;
652	hs->wait = ssl_hs_flush;
653	hs->extended_master_secret = extended_master_secret;
654	hs->ticket_expected = ticket_expected;
655	s3->aead_write_ctx->SetVersionIfNullCipher(ssl->version);
656	hs->cert_request = cert_request;
657
658	if (type != handback_after_handshake &&
659	(!hs->transcript.Init() \|\|
660	!hs->transcript.InitHash(ssl_protocol_version(ssl), hs->new_cipher) \|\|
661	!hs->transcript.Update(transcript))) {
662	return false;
663	}
664	if (type == handback_tls13) {
665	hs->ResizeSecrets(hash_len: hs->transcript.DigestLen());
666	if (!CopyExact(out: hs->client_traffic_secret_0(), in: &client_traffic_secret_0) \|\|
667	!CopyExact(out: hs->server_traffic_secret_0(), in: &server_traffic_secret_0) \|\|
668	!CopyExact(out: hs->client_handshake_secret(), in: &client_handshake_secret) \|\|
669	!CopyExact(out: hs->server_handshake_secret(), in: &server_handshake_secret) \|\|
670	!CopyExact(out: hs->secret(), in: &secret) \|\|
671	!CopyExact({s3->exporter_secret, hs->transcript.DigestLen()},
672	&exporter_secret)) {
673	return false;
674	}
675	s3->exporter_secret_len = CBS_len(cbs: &exporter_secret);
676
677	if (s3->early_data_accepted &&
678	!CopyExact(out: hs->early_traffic_secret(), in: &early_traffic_secret)) {
679	return false;
680	}
681	}
682	Array<uint8_t> key_block;
683	switch (type) {
684	case handback_after_session_resumption:
685	// The write keys are installed after server Finished, but the client
686	// keys must wait for ChangeCipherSpec.
687	if (!tls1_configure_aead(ssl, direction: evp_aead_seal, key_block_cache: &key_block, session,
688	iv_override: write_iv)) {
689	return false;
690	}
691	break;
692	case handback_after_ecdhe:
693	// The premaster secret is not yet computed, so install no keys.
694	break;
695	case handback_after_handshake:
696	// The handshake is complete, so both keys are installed.
697	if (!tls1_configure_aead(ssl, direction: evp_aead_seal, key_block_cache: &key_block, session,
698	iv_override: write_iv) \|\|
699	!tls1_configure_aead(ssl, direction: evp_aead_open, key_block_cache: &key_block, session,
700	iv_override: read_iv)) {
701	return false;
702	}
703	break;
704	case handback_tls13:
705	// After server Finished, the application write keys are installed, but
706	// none of the read keys. The read keys are installed in the state machine
707	// immediately after processing handback.
708	if (!tls13_set_traffic_key(ssl, ssl_encryption_application, evp_aead_seal,
709	hs->new_session.get(),
710	hs->server_traffic_secret_0())) {
711	return false;
712	}
713	break;
714	}
715	uint8_t read_sequence[`8`], write_sequence[`8`];
716	if (!CopyExact(out: read_sequence, in: &read_seq) \|\|
717	!CopyExact(out: write_sequence, in: &write_seq)) {
718	return false;
719	}
720	s3->read_sequence = CRYPTO_load_u64_be(ptr: read_sequence);
721	s3->write_sequence = CRYPTO_load_u64_be(ptr: write_sequence);
722	if (type == handback_after_ecdhe) {
723	uint64_t group_id;
724	CBS private_key;
725	if (!CBS_get_asn1_uint64(cbs: &key_share, out: &group_id) \|\| //
726	group_id > `0xffff` \|\|
727	!CBS_get_asn1(cbs: &key_share, out: &private_key, CBS_ASN1_OCTETSTRING)) {
728	return false;
729	}
730	hs->key_shares[`0`] = SSLKeyShare::Create(group_id);
731	if (!hs->key_shares[`0`] \|\|
732	!hs->key_shares[`0`]->DeserializePrivateKey(&private_key)) {
733	return false;
734	}
735	}
736	return true; // Trailing data allowed for extensibility.
737	}
738
739	BSSL_NAMESPACE_END
740
741	using namespace bssl;
742
743	int SSL_serialize_capabilities(const SSL ssl, CBB out) {
744	CBB seq;
745	if (!CBB_add_asn1(cbb: out, out_contents: &seq, CBS_ASN1_SEQUENCE) \|\|
746	!serialize_features(out: &seq) \|\| //
747	!CBB_flush(cbb: out)) {
748	return `0`;
749	}
750
751	return `1`;
752	}
753
754	int SSL_request_handshake_hints(SSL ssl, const* uint8_t *client_hello,
755	size_t client_hello_len,
756	const uint8_t *capabilities,
757	size_t capabilities_len) {
758	if (SSL_is_dtls(ssl)) {
759	OPENSSL_PUT_ERROR(SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
760	return `0`;
761	}
762
763	CBS cbs, seq;
764	CBS_init(cbs: &cbs, data: capabilities, len: capabilities_len);
765	UniquePtr<SSL_HANDSHAKE_HINTS> hints = MakeUnique<SSL_HANDSHAKE_HINTS>();
766	if (hints == nullptr \|\|
767	!CBS_get_asn1(cbs: &cbs, out: &seq, CBS_ASN1_SEQUENCE) \|\|
768	!apply_remote_features(ssl, in: &seq)) {
769	return `0`;
770	}
771
772	SSL3_STATE *const s3 = ssl->s3;
773	s3->v2_hello_done = true;
774	s3->has_message = true;
775
776	Array<uint8_t> client_hello_msg;
777	ScopedCBB client_hello_cbb;
778	CBB client_hello_body;
779	if (!ssl->method->init_message(ssl, client_hello_cbb.get(),
780	&client_hello_body, SSL3_MT_CLIENT_HELLO) \|\|
781	!CBB_add_bytes(cbb: &client_hello_body, data: client_hello, len: client_hello_len) \|\|
782	!ssl->method->finish_message(ssl, client_hello_cbb.get(),
783	&client_hello_msg)) {
784	return `0`;
785	}
786
787	s3->hs_buf.reset(BUF_MEM_new());
788	if (!s3->hs_buf \|\| !BUF_MEM_append(s3->hs_buf.get(), client_hello_msg.data(),
789	client_hello_msg.size())) {
790	return `0`;
791	}
792
793	s3->hs->hints_requested = true;
794	s3->hs->hints = std::move(hints);
795	return `1`;
796	}
797
798	// \|SSL_HANDSHAKE_HINTS\| is serialized as the following ASN.1 structure. We use
799	// implicit tagging to make it a little more compact.
800	//
801	// HandshakeHints ::= SEQUENCE {
802	// serverRandomTLS13 [0] IMPLICIT OCTET STRING OPTIONAL,
803	// keyShareHint [1] IMPLICIT KeyShareHint OPTIONAL,
804	// signatureHint [2] IMPLICIT SignatureHint OPTIONAL,
805	// -- At most one of decryptedPSKHint or ignorePSKHint may be present. It
806	// -- corresponds to the first entry in pre_shared_keys. TLS 1.2 session
807	// -- tickets use a separate hint, to ensure the caller does not apply the
808	// -- hint to the wrong field.
809	// decryptedPSKHint [3] IMPLICIT OCTET STRING OPTIONAL,
810	// ignorePSKHint [4] IMPLICIT NULL OPTIONAL,
811	// compressCertificateHint [5] IMPLICIT CompressCertificateHint OPTIONAL,
812	// -- TLS 1.2 and 1.3 use different server random hints because one contains
813	// -- a timestamp while the other doesn't. If the hint was generated
814	// -- assuming TLS 1.3 but we actually negotiate TLS 1.2, mixing the two
815	// -- will break this.
816	// serverRandomTLS12 [6] IMPLICIT OCTET STRING OPTIONAL,
817	// ecdheHint [7] IMPLICIT ECDHEHint OPTIONAL
818	// -- At most one of decryptedTicketHint or ignoreTicketHint may be present.
819	// -- renewTicketHint requires decryptedTicketHint.
820	// decryptedTicketHint [8] IMPLICIT OCTET STRING OPTIONAL,
821	// renewTicketHint [9] IMPLICIT NULL OPTIONAL,
822	// ignoreTicketHint [10] IMPLICIT NULL OPTIONAL,
823	// }
824	//
825	// KeyShareHint ::= SEQUENCE {
826	// groupId INTEGER,
827	// ciphertext OCTET STRING,
828	// secret OCTET STRING,
829	// }
830	//
831	// SignatureHint ::= SEQUENCE {
832	// algorithm INTEGER,
833	// input OCTET STRING,
834	// subjectPublicKeyInfo OCTET STRING,
835	// signature OCTET STRING,
836	// }
837	//
838	// CompressCertificateHint ::= SEQUENCE {
839	// algorithm INTEGER,
840	// input OCTET STRING,
841	// compressed OCTET STRING,
842	// }
843	//
844	// ECDHEHint ::= SEQUENCE {
845	// groupId INTEGER,
846	// publicKey OCTET STRING,
847	// privateKey OCTET STRING,
848	// }
849
850	// HandshakeHints tags.
851	static const CBS_ASN1_TAG kServerRandomTLS13Tag =
852	CBS_ASN1_CONTEXT_SPECIFIC \| `0`;
853	static const CBS_ASN1_TAG kKeyShareHintTag =
854	CBS_ASN1_CONSTRUCTED \| CBS_ASN1_CONTEXT_SPECIFIC \| `1`;
855	static const CBS_ASN1_TAG kSignatureHintTag =
856	CBS_ASN1_CONSTRUCTED \| CBS_ASN1_CONTEXT_SPECIFIC \| `2`;
857	static const CBS_ASN1_TAG kDecryptedPSKTag = CBS_ASN1_CONTEXT_SPECIFIC \| `3`;
858	static const CBS_ASN1_TAG kIgnorePSKTag = CBS_ASN1_CONTEXT_SPECIFIC \| `4`;
859	static const CBS_ASN1_TAG kCompressCertificateTag =
860	CBS_ASN1_CONTEXT_SPECIFIC \| `5`;
861	static const CBS_ASN1_TAG kServerRandomTLS12Tag =
862	CBS_ASN1_CONTEXT_SPECIFIC \| `6`;
863	static const CBS_ASN1_TAG kECDHEHintTag = CBS_ASN1_CONSTRUCTED \| `7`;
864	static const CBS_ASN1_TAG kDecryptedTicketTag = CBS_ASN1_CONTEXT_SPECIFIC \| `8`;
865	static const CBS_ASN1_TAG kRenewTicketTag = CBS_ASN1_CONTEXT_SPECIFIC \| `9`;
866	static const CBS_ASN1_TAG kIgnoreTicketTag = CBS_ASN1_CONTEXT_SPECIFIC \| `10`;
867
868	int SSL_serialize_handshake_hints(const SSL ssl, CBB out) {
869	const SSL_HANDSHAKE *hs = ssl->s3->hs.get();
870	if (!ssl->server \|\| !hs->hints_requested) {
871	OPENSSL_PUT_ERROR(SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
872	return `0`;
873	}
874
875	const SSL_HANDSHAKE_HINTS *hints = hs->hints.get();
876	CBB seq, child;
877	if (!CBB_add_asn1(cbb: out, out_contents: &seq, CBS_ASN1_SEQUENCE)) {
878	return `0`;
879	}
880
881	if (!hints->server_random_tls13.empty()) {
882	if (!CBB_add_asn1(cbb: &seq, out_contents: &child, tag: kServerRandomTLS13Tag) \|\|
883	!CBB_add_bytes(cbb: &child, data: hints->server_random_tls13.data(),
884	len: hints->server_random_tls13.size())) {
885	return `0`;
886	}
887	}
888
889	if (hints->key_share_group_id != `0` && !hints->key_share_ciphertext.empty() &&
890	!hints->key_share_secret.empty()) {
891	if (!CBB_add_asn1(cbb: &seq, out_contents: &child, tag: kKeyShareHintTag) \|\|
892	!CBB_add_asn1_uint64(cbb: &child, value: hints->key_share_group_id) \|\|
893	!CBB_add_asn1_octet_string(cbb: &child, data: hints->key_share_ciphertext.data(),
894	data_len: hints->key_share_ciphertext.size()) \|\|
895	!CBB_add_asn1_octet_string(cbb: &child, data: hints->key_share_secret.data(),
896	data_len: hints->key_share_secret.size())) {
897	return `0`;
898	}
899	}
900
901	if (hints->signature_algorithm != `0` && !hints->signature_input.empty() &&
902	!hints->signature.empty()) {
903	if (!CBB_add_asn1(cbb: &seq, out_contents: &child, tag: kSignatureHintTag) \|\|
904	!CBB_add_asn1_uint64(cbb: &child, value: hints->signature_algorithm) \|\|
905	!CBB_add_asn1_octet_string(cbb: &child, data: hints->signature_input.data(),
906	data_len: hints->signature_input.size()) \|\|
907	!CBB_add_asn1_octet_string(cbb: &child, data: hints->signature_spki.data(),
908	data_len: hints->signature_spki.size()) \|\|
909	!CBB_add_asn1_octet_string(cbb: &child, data: hints->signature.data(),
910	data_len: hints->signature.size())) {
911	return `0`;
912	}
913	}
914
915	if (!hints->decrypted_psk.empty()) {
916	if (!CBB_add_asn1(cbb: &seq, out_contents: &child, tag: kDecryptedPSKTag) \|\|
917	!CBB_add_bytes(cbb: &child, data: hints->decrypted_psk.data(),
918	len: hints->decrypted_psk.size())) {
919	return `0`;
920	}
921	}
922
923	if (hints->ignore_psk && //
924	!CBB_add_asn1(cbb: &seq, out_contents: &child, tag: kIgnorePSKTag)) {
925	return `0`;
926	}
927
928	if (hints->cert_compression_alg_id != `0` &&
929	!hints->cert_compression_input.empty() &&
930	!hints->cert_compression_output.empty()) {
931	if (!CBB_add_asn1(cbb: &seq, out_contents: &child, tag: kCompressCertificateTag) \|\|
932	!CBB_add_asn1_uint64(cbb: &child, value: hints->cert_compression_alg_id) \|\|
933	!CBB_add_asn1_octet_string(cbb: &child, data: hints->cert_compression_input.data(),
934	data_len: hints->cert_compression_input.size()) \|\|
935	!CBB_add_asn1_octet_string(cbb: &child,
936	data: hints->cert_compression_output.data(),
937	data_len: hints->cert_compression_output.size())) {
938	return `0`;
939	}
940	}
941
942	if (!hints->server_random_tls12.empty()) {
943	if (!CBB_add_asn1(cbb: &seq, out_contents: &child, tag: kServerRandomTLS12Tag) \|\|
944	!CBB_add_bytes(cbb: &child, data: hints->server_random_tls12.data(),
945	len: hints->server_random_tls12.size())) {
946	return `0`;
947	}
948	}
949
950	if (hints->ecdhe_group_id != `0` && !hints->ecdhe_public_key.empty() &&
951	!hints->ecdhe_private_key.empty()) {
952	if (!CBB_add_asn1(cbb: &seq, out_contents: &child, tag: kECDHEHintTag) \|\|
953	!CBB_add_asn1_uint64(cbb: &child, value: hints->ecdhe_group_id) \|\|
954	!CBB_add_asn1_octet_string(cbb: &child, data: hints->ecdhe_public_key.data(),
955	data_len: hints->ecdhe_public_key.size()) \|\|
956	!CBB_add_asn1_octet_string(cbb: &child, data: hints->ecdhe_private_key.data(),
957	data_len: hints->ecdhe_private_key.size())) {
958	return `0`;
959	}
960	}
961
962
963	if (!hints->decrypted_ticket.empty()) {
964	if (!CBB_add_asn1(cbb: &seq, out_contents: &child, tag: kDecryptedTicketTag) \|\|
965	!CBB_add_bytes(cbb: &child, data: hints->decrypted_ticket.data(),
966	len: hints->decrypted_ticket.size())) {
967	return `0`;
968	}
969	}
970
971	if (hints->renew_ticket && //
972	!CBB_add_asn1(cbb: &seq, out_contents: &child, tag: kRenewTicketTag)) {
973	return `0`;
974	}
975
976	if (hints->ignore_ticket && //
977	!CBB_add_asn1(cbb: &seq, out_contents: &child, tag: kIgnoreTicketTag)) {
978	return `0`;
979	}
980
981	return CBB_flush(cbb: out);
982	}
983
984	static bool get_optional_implicit_null(CBS cbs, bool* *out_present,
985	CBS_ASN1_TAG tag) {
986	CBS value;
987	int present;
988	if (!CBS_get_optional_asn1(cbs, out: &value, out_present: &present, tag) \|\|
989	(present && CBS_len(cbs: &value) != `0`)) {
990	return false;
991	}
992	*out_present = present;
993	return true;
994	}
995
996	int SSL_set_handshake_hints(SSL ssl, const* uint8_t *hints, size_t hints_len) {
997	if (SSL_is_dtls(ssl)) {
998	OPENSSL_PUT_ERROR(SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
999	return `0`;
1000	}
1001
1002	UniquePtr<SSL_HANDSHAKE_HINTS> hints_obj = MakeUnique<SSL_HANDSHAKE_HINTS>();
1003	if (hints_obj == nullptr) {
1004	return `0`;
1005	}
1006
1007	CBS cbs, seq, server_random_tls13, key_share, signature_hint, psk,
1008	cert_compression, server_random_tls12, ecdhe, ticket;
1009	int has_server_random_tls13, has_key_share, has_signature_hint, has_psk,
1010	has_cert_compression, has_server_random_tls12, has_ecdhe, has_ticket;
1011	CBS_init(cbs: &cbs, data: hints, len: hints_len);
1012	if (!CBS_get_asn1(cbs: &cbs, out: &seq, CBS_ASN1_SEQUENCE) \|\|
1013	!CBS_get_optional_asn1(cbs: &seq, out: &server_random_tls13,
1014	out_present: &has_server_random_tls13, tag: kServerRandomTLS13Tag) \|\|
1015	!CBS_get_optional_asn1(cbs: &seq, out: &key_share, out_present: &has_key_share,
1016	tag: kKeyShareHintTag) \|\|
1017	!CBS_get_optional_asn1(cbs: &seq, out: &signature_hint, out_present: &has_signature_hint,
1018	tag: kSignatureHintTag) \|\|
1019	!CBS_get_optional_asn1(cbs: &seq, out: &psk, out_present: &has_psk, tag: kDecryptedPSKTag) \|\|
1020	!get_optional_implicit_null(&seq, &hints_obj->ignore_psk,
1021	kIgnorePSKTag) \|\|
1022	!CBS_get_optional_asn1(cbs: &seq, out: &cert_compression, out_present: &has_cert_compression,
1023	tag: kCompressCertificateTag) \|\|
1024	!CBS_get_optional_asn1(cbs: &seq, out: &server_random_tls12,
1025	out_present: &has_server_random_tls12, tag: kServerRandomTLS12Tag) \|\|
1026	!CBS_get_optional_asn1(cbs: &seq, out: &ecdhe, out_present: &has_ecdhe, tag: kECDHEHintTag) \|\|
1027	!CBS_get_optional_asn1(cbs: &seq, out: &ticket, out_present: &has_ticket, tag: kDecryptedTicketTag) \|\|
1028	!get_optional_implicit_null(&seq, &hints_obj->renew_ticket,
1029	kRenewTicketTag) \|\|
1030	!get_optional_implicit_null(&seq, &hints_obj->ignore_ticket,
1031	kIgnoreTicketTag)) {
1032	OPENSSL_PUT_ERROR(SSL, SSL_R_COULD_NOT_PARSE_HINTS);
1033	return `0`;
1034	}
1035
1036	if (has_server_random_tls13 &&
1037	!hints_obj->server_random_tls13.CopyFrom(server_random_tls13)) {
1038	return `0`;
1039	}
1040
1041	if (has_key_share) {
1042	uint64_t group_id;
1043	CBS ciphertext, secret;
1044	if (!CBS_get_asn1_uint64(cbs: &key_share, out: &group_id) \|\| //
1045	group_id == `0` \|\| group_id > `0xffff` \|\|
1046	!CBS_get_asn1(cbs: &key_share, out: &ciphertext, CBS_ASN1_OCTETSTRING) \|\|
1047	!hints_obj->key_share_ciphertext.CopyFrom(ciphertext) \|\|
1048	!CBS_get_asn1(cbs: &key_share, out: &secret, CBS_ASN1_OCTETSTRING) \|\|
1049	!hints_obj->key_share_secret.CopyFrom(secret)) {
1050	OPENSSL_PUT_ERROR(SSL, SSL_R_COULD_NOT_PARSE_HINTS);
1051	return `0`;
1052	}
1053	hints_obj->key_share_group_id = static_cast<uint16_t>(group_id);
1054	}
1055
1056	if (has_signature_hint) {
1057	uint64_t sig_alg;
1058	CBS input, spki, signature;
1059	if (!CBS_get_asn1_uint64(cbs: &signature_hint, out: &sig_alg) \|\| //
1060	sig_alg == `0` \|\| sig_alg > `0xffff` \|\|
1061	!CBS_get_asn1(cbs: &signature_hint, out: &input, CBS_ASN1_OCTETSTRING) \|\|
1062	!hints_obj->signature_input.CopyFrom(input) \|\|
1063	!CBS_get_asn1(cbs: &signature_hint, out: &spki, CBS_ASN1_OCTETSTRING) \|\|
1064	!hints_obj->signature_spki.CopyFrom(spki) \|\|
1065	!CBS_get_asn1(cbs: &signature_hint, out: &signature, CBS_ASN1_OCTETSTRING) \|\|
1066	!hints_obj->signature.CopyFrom(signature)) {
1067	OPENSSL_PUT_ERROR(SSL, SSL_R_COULD_NOT_PARSE_HINTS);
1068	return `0`;
1069	}
1070	hints_obj->signature_algorithm = static_cast<uint16_t>(sig_alg);
1071	}
1072
1073	if (has_psk && !hints_obj->decrypted_psk.CopyFrom(psk)) {
1074	return `0`;
1075	}
1076	if (has_psk && hints_obj->ignore_psk) {
1077	OPENSSL_PUT_ERROR(SSL, SSL_R_COULD_NOT_PARSE_HINTS);
1078	return `0`;
1079	}
1080
1081	if (has_cert_compression) {
1082	uint64_t alg;
1083	CBS input, output;
1084	if (!CBS_get_asn1_uint64(cbs: &cert_compression, out: &alg) \|\| //
1085	alg == `0` \|\| alg > `0xffff` \|\|
1086	!CBS_get_asn1(cbs: &cert_compression, out: &input, CBS_ASN1_OCTETSTRING) \|\|
1087	!hints_obj->cert_compression_input.CopyFrom(input) \|\|
1088	!CBS_get_asn1(cbs: &cert_compression, out: &output, CBS_ASN1_OCTETSTRING) \|\|
1089	!hints_obj->cert_compression_output.CopyFrom(output)) {
1090	OPENSSL_PUT_ERROR(SSL, SSL_R_COULD_NOT_PARSE_HINTS);
1091	return `0`;
1092	}
1093	hints_obj->cert_compression_alg_id = static_cast<uint16_t>(alg);
1094	}
1095
1096	if (has_server_random_tls12 &&
1097	!hints_obj->server_random_tls12.CopyFrom(server_random_tls12)) {
1098	return `0`;
1099	}
1100
1101	if (has_ecdhe) {
1102	uint64_t group_id;
1103	CBS public_key, private_key;
1104	if (!CBS_get_asn1_uint64(cbs: &ecdhe, out: &group_id) \|\| //
1105	group_id == `0` \|\| group_id > `0xffff` \|\|
1106	!CBS_get_asn1(cbs: &ecdhe, out: &public_key, CBS_ASN1_OCTETSTRING) \|\|
1107	!hints_obj->ecdhe_public_key.CopyFrom(public_key) \|\|
1108	!CBS_get_asn1(cbs: &ecdhe, out: &private_key, CBS_ASN1_OCTETSTRING) \|\|
1109	!hints_obj->ecdhe_private_key.CopyFrom(private_key)) {
1110	OPENSSL_PUT_ERROR(SSL, SSL_R_COULD_NOT_PARSE_HINTS);
1111	return `0`;
1112	}
1113	hints_obj->ecdhe_group_id = static_cast<uint16_t>(group_id);
1114	}
1115
1116	if (has_ticket && !hints_obj->decrypted_ticket.CopyFrom(ticket)) {
1117	return `0`;
1118	}
1119	if (has_ticket && hints_obj->ignore_ticket) {
1120	OPENSSL_PUT_ERROR(SSL, SSL_R_COULD_NOT_PARSE_HINTS);
1121	return `0`;
1122	}
1123	if (!has_ticket && hints_obj->renew_ticket) {
1124	OPENSSL_PUT_ERROR(SSL, SSL_R_COULD_NOT_PARSE_HINTS);
1125	return `0`;
1126	}
1127
1128	ssl->s3->hs->hints = std::move(hints_obj);
1129	return `1`;
1130	}
1131

source code of dart_sdk/third_party/boringssl/src/ssl/handoff.cc