grpc: handoff.cc Source File

Go to the documentation of this file.
 /* Copyright (c) 2018, Google Inc.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
  * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
  * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
  * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
  
 #include <openssl/ssl.h>
  
 #include <openssl/bytestring.h>
 #include <openssl/err.h>
  
 #include "internal.h"
  
  
 BSSL_NAMESPACE_BEGIN
  
 constexpr int kHandoffVersion = 0;
 constexpr int kHandbackVersion = 0;
  
 static const unsigned kHandoffTagALPS = CBS_ASN1_CONTEXT_SPECIFIC | 0;
  
 // early_data_t represents the state of early data in a more compact way than
 // the 3 bits used by the implementation.
 enum early_data_t {
   early_data_not_offered = 0,
   early_data_accepted = 1,
   early_data_rejected_hrr = 2,
   early_data_skipped = 3,
  
   early_data_max_value = early_data_skipped,
 };
  
 // serialize_features adds a description of features supported by this binary to
 // |out|.  Returns true on success and false on error.
 static bool serialize_features(CBB *out) {
   CBB ciphers;
   if (!CBB_add_asn1(out, &ciphers, CBS_ASN1_OCTETSTRING)) {
     return false;
   }
   Span<const SSL_CIPHER> all_ciphers = AllCiphers();
   for (const SSL_CIPHER& cipher : all_ciphers) {
     if (!CBB_add_u16(&ciphers, static_cast<uint16_t>(cipher.id))) {
       return false;
     }
   }
   CBB curves;
   if (!CBB_add_asn1(out, &curves, CBS_ASN1_OCTETSTRING)) {
     return false;
   }
   for (const NamedGroup& g : NamedGroups()) {
     if (!CBB_add_u16(&curves, g.group_id)) {
       return false;
     }
   }
   // ALPS is a draft protocol and may change over time. The handoff structure
   // contains a [0] IMPLICIT OCTET STRING OPTIONAL, containing a list of u16
   // ALPS versions that the binary supports. For now we name them by codepoint.
   // Once ALPS is finalized and past the support horizon, this field can be
   // removed.
   CBB alps;
   if (!CBB_add_asn1(out, &alps, kHandoffTagALPS) ||
       !CBB_add_u16(&alps, TLSEXT_TYPE_application_settings)) {
     return false;
   }
   return CBB_flush(out);
 }
  
 bool SSL_serialize_handoff(const SSL *ssl, CBB *out,
                            SSL_CLIENT_HELLO *out_hello) {
   const SSL3_STATE *const s3 = ssl->s3;
   if (!ssl->server ||
       s3->hs == nullptr ||
       s3->rwstate != SSL_ERROR_HANDOFF) {
     return false;
   }
  
   CBB seq;
   SSLMessage msg;
   Span<const uint8_t> transcript = s3->hs->transcript.buffer();
   if (!CBB_add_asn1(out, &seq, CBS_ASN1_SEQUENCE) ||
       !CBB_add_asn1_uint64(&seq, kHandoffVersion) ||
       !CBB_add_asn1_octet_string(&seq, transcript.data(), transcript.size()) ||
       !CBB_add_asn1_octet_string(&seq,
                                  reinterpret_cast<uint8_t *>(s3->hs_buf->data),
                                  s3->hs_buf->length) ||
       !serialize_features(&seq) ||
       !CBB_flush(out) ||
       !ssl->method->get_message(ssl, &msg) ||
       !ssl_client_hello_init(ssl, out_hello, msg.body)) {
     return false;
   }
  
   return true;
 }
  
 bool SSL_decline_handoff(SSL *ssl) {
   const SSL3_STATE *const s3 = ssl->s3;
   if (!ssl->server ||
       s3->hs == nullptr ||
       s3->rwstate != SSL_ERROR_HANDOFF) {
     return false;
   }
  
   s3->hs->config->handoff = false;
   return true;
 }
  
 // apply_remote_features reads a list of supported features from |in| and
 // (possibly) reconfigures |ssl| to disallow the negotation of features whose
 // support has not been indicated.  (This prevents the the handshake from
 // committing to features that are not supported on the handoff/handback side.)
 static bool apply_remote_features(SSL *ssl, CBS *in) {
   CBS ciphers;
   if (!CBS_get_asn1(in, &ciphers, CBS_ASN1_OCTETSTRING)) {
     return false;
   }
   bssl::UniquePtr<STACK_OF(SSL_CIPHER)> supported(sk_SSL_CIPHER_new_null());
   while (CBS_len(&ciphers)) {
     uint16_t id;
     if (!CBS_get_u16(&ciphers, &id)) {
       return false;
     }
     const SSL_CIPHER *cipher = SSL_get_cipher_by_value(id);
     if (!cipher) {
       continue;
     }
     if (!sk_SSL_CIPHER_push(supported.get(), cipher)) {
       return false;
     }
   }
   STACK_OF(SSL_CIPHER) *configured =
       ssl->config->cipher_list ? ssl->config->cipher_list->ciphers.get()
                                : ssl->ctx->cipher_list->ciphers.get();
   bssl::UniquePtr<STACK_OF(SSL_CIPHER)> unsupported(sk_SSL_CIPHER_new_null());
   for (const SSL_CIPHER *configured_cipher : configured) {
     if (sk_SSL_CIPHER_find(supported.get(), nullptr, configured_cipher)) {
       continue;
     }
     if (!sk_SSL_CIPHER_push(unsupported.get(), configured_cipher)) {
       return false;
     }
   }
   if (sk_SSL_CIPHER_num(unsupported.get()) && !ssl->config->cipher_list) {
     ssl->config->cipher_list = bssl::MakeUnique<SSLCipherPreferenceList>();
     if (!ssl->config->cipher_list->Init(*ssl->ctx->cipher_list)) {
       return false;
     }
   }
   for (const SSL_CIPHER *unsupported_cipher : unsupported.get()) {
     ssl->config->cipher_list->Remove(unsupported_cipher);
   }
   if (sk_SSL_CIPHER_num(SSL_get_ciphers(ssl)) == 0) {
     return false;
   }
  
   CBS curves;
   if (!CBS_get_asn1(in, &curves, CBS_ASN1_OCTETSTRING)) {
     return false;
   }
   Array<uint16_t> supported_curves;
   if (!supported_curves.Init(CBS_len(&curves) / 2)) {
     return false;
   }
   size_t idx = 0;
   while (CBS_len(&curves)) {
     uint16_t curve;
     if (!CBS_get_u16(&curves, &curve)) {
       return false;
     }
     supported_curves[idx++] = curve;
   }
   Span<const uint16_t> configured_curves =
       tls1_get_grouplist(ssl->s3->hs.get());
   Array<uint16_t> new_configured_curves;
   if (!new_configured_curves.Init(configured_curves.size())) {
     return false;
   }
   idx = 0;
   for (uint16_t configured_curve : configured_curves) {
     bool ok = false;
     for (uint16_t supported_curve : supported_curves) {
       if (supported_curve == configured_curve) {
         ok = true;
         break;
       }
     }
     if (ok) {
       new_configured_curves[idx++] = configured_curve;
     }
   }
   if (idx == 0) {
     return false;
   }
   new_configured_curves.Shrink(idx);
   ssl->config->supported_group_list = std::move(new_configured_curves);
  
   CBS alps;
   CBS_init(&alps, nullptr, 0);
   if (!CBS_get_optional_asn1(in, &alps, /*out_present=*/nullptr,
                              kHandoffTagALPS)) {
     return false;
   }
   bool supports_alps = false;
   while (CBS_len(&alps) != 0) {
     uint16_t id;
     if (!CBS_get_u16(&alps, &id)) {
       return false;
     }
     // For now, we only support one ALPS code point, so we only need to extract
     // a boolean signal from the feature list.
     if (id == TLSEXT_TYPE_application_settings) {
       supports_alps = true;
       break;
     }
   }
   if (!supports_alps) {
     ssl->config->alps_configs.clear();
   }
  
   return true;
 }
  
 // uses_disallowed_feature returns true iff |ssl| enables a feature that
 // disqualifies it for split handshakes.
 static bool uses_disallowed_feature(const SSL *ssl) {
   return ssl->method->is_dtls || (ssl->config->cert && ssl->config->cert->dc) ||
          ssl->config->quic_transport_params.size() > 0 || ssl->ctx->ech_keys;
 }
  
 bool SSL_apply_handoff(SSL *ssl, Span<const uint8_t> handoff) {
   if (uses_disallowed_feature(ssl)) {
     return false;
   }
  
   CBS seq, handoff_cbs(handoff);
   uint64_t handoff_version;
   if (!CBS_get_asn1(&handoff_cbs, &seq, CBS_ASN1_SEQUENCE) ||
       !CBS_get_asn1_uint64(&seq, &handoff_version) ||
       handoff_version != kHandoffVersion) {
     return false;
   }
  
   CBS transcript, hs_buf;
   if (!CBS_get_asn1(&seq, &transcript, CBS_ASN1_OCTETSTRING) ||
       !CBS_get_asn1(&seq, &hs_buf, CBS_ASN1_OCTETSTRING) ||
       !apply_remote_features(ssl, &seq)) {
     return false;
   }
  
   SSL_set_accept_state(ssl);
  
   SSL3_STATE *const s3 = ssl->s3;
   s3->v2_hello_done = true;
   s3->has_message = true;
  
   s3->hs_buf.reset(BUF_MEM_new());
   if (!s3->hs_buf ||
       !BUF_MEM_append(s3->hs_buf.get(), CBS_data(&hs_buf), CBS_len(&hs_buf))) {
     return false;
   }
  
   if (CBS_len(&transcript) != 0) {
     s3->hs->transcript.Update(transcript);
     s3->is_v2_hello = true;
   }
   s3->hs->handback = true;
  
   return true;
 }
  
 bool SSL_serialize_handback(const SSL *ssl, CBB *out) {
   if (!ssl->server || uses_disallowed_feature(ssl)) {
     return false;
   }
   const SSL3_STATE *const s3 = ssl->s3;
   SSL_HANDSHAKE *const hs = s3->hs.get();
   handback_t type;
   switch (hs->state) {
     case state12_read_change_cipher_spec:
       type = handback_after_session_resumption;
       break;
     case state12_read_client_certificate:
       type = handback_after_ecdhe;
       break;
     case state12_finish_server_handshake:
       type = handback_after_handshake;
       break;
     case state12_tls13:
       if (hs->tls13_state != state13_send_half_rtt_ticket) {
         return false;
       }
       type = handback_tls13;
       break;
     default:
       return false;
   }
  
   size_t hostname_len = 0;
   if (s3->hostname) {
     hostname_len = strlen(s3->hostname.get());
   }
  
   Span<const uint8_t> transcript;
   if (type != handback_after_handshake) {
     transcript = s3->hs->transcript.buffer();
   }
   size_t write_iv_len = 0;
   const uint8_t *write_iv = nullptr;
   if ((type == handback_after_session_resumption ||
        type == handback_after_handshake) &&
       ssl->version == TLS1_VERSION &&
       SSL_CIPHER_is_block_cipher(s3->aead_write_ctx->cipher()) &&
       !s3->aead_write_ctx->GetIV(&write_iv, &write_iv_len)) {
     return false;
   }
   size_t read_iv_len = 0;
   const uint8_t *read_iv = nullptr;
   if (type == handback_after_handshake &&
       ssl->version == TLS1_VERSION &&
       SSL_CIPHER_is_block_cipher(s3->aead_read_ctx->cipher()) &&
       !s3->aead_read_ctx->GetIV(&read_iv, &read_iv_len)) {
       return false;
   }
  
   // TODO(mab): make sure everything is serialized.
   CBB seq, key_share;
   const SSL_SESSION *session;
   if (type == handback_tls13) {
     session = hs->new_session.get();
   } else {
     session = s3->session_reused ? ssl->session.get() : hs->new_session.get();
   }
   static const uint8_t kUnusedChannelID[64] = {0};
   if (!CBB_add_asn1(out, &seq, CBS_ASN1_SEQUENCE) ||
       !CBB_add_asn1_uint64(&seq, kHandbackVersion) ||
       !CBB_add_asn1_uint64(&seq, type) ||
       !CBB_add_asn1_octet_string(&seq, s3->read_sequence,
                                  sizeof(s3->read_sequence)) ||
       !CBB_add_asn1_octet_string(&seq, s3->write_sequence,
                                  sizeof(s3->write_sequence)) ||
       !CBB_add_asn1_octet_string(&seq, s3->server_random,
                                  sizeof(s3->server_random)) ||
       !CBB_add_asn1_octet_string(&seq, s3->client_random,
                                  sizeof(s3->client_random)) ||
       !CBB_add_asn1_octet_string(&seq, read_iv, read_iv_len) ||
       !CBB_add_asn1_octet_string(&seq, write_iv, write_iv_len) ||
       !CBB_add_asn1_bool(&seq, s3->session_reused) ||
       !CBB_add_asn1_bool(&seq, hs->channel_id_negotiated) ||
       !ssl_session_serialize(session, &seq) ||
       !CBB_add_asn1_octet_string(&seq, s3->next_proto_negotiated.data(),
                                  s3->next_proto_negotiated.size()) ||
       !CBB_add_asn1_octet_string(&seq, s3->alpn_selected.data(),
                                  s3->alpn_selected.size()) ||
       !CBB_add_asn1_octet_string(
           &seq, reinterpret_cast<uint8_t *>(s3->hostname.get()),
           hostname_len) ||
       !CBB_add_asn1_octet_string(&seq, kUnusedChannelID,
                                  sizeof(kUnusedChannelID)) ||
       // These two fields were historically |token_binding_negotiated| and
       // |negotiated_token_binding_param|.
       !CBB_add_asn1_bool(&seq, 0) ||
       !CBB_add_asn1_uint64(&seq, 0) ||
       !CBB_add_asn1_bool(&seq, s3->hs->next_proto_neg_seen) ||
       !CBB_add_asn1_bool(&seq, s3->hs->cert_request) ||
       !CBB_add_asn1_bool(&seq, s3->hs->extended_master_secret) ||
       !CBB_add_asn1_bool(&seq, s3->hs->ticket_expected) ||
       !CBB_add_asn1_uint64(&seq, SSL_CIPHER_get_id(s3->hs->new_cipher)) ||
       !CBB_add_asn1_octet_string(&seq, transcript.data(), transcript.size()) ||
       !CBB_add_asn1(&seq, &key_share, CBS_ASN1_SEQUENCE)) {
     return false;
   }
   if (type == handback_after_ecdhe &&
       !s3->hs->key_shares[0]->Serialize(&key_share)) {
     return false;
   }
   if (type == handback_tls13) {
     early_data_t early_data;
     // Check early data invariants.
     if (ssl->enable_early_data ==
         (s3->early_data_reason == ssl_early_data_disabled)) {
       return false;
     }
     if (hs->early_data_offered) {
       if (s3->early_data_accepted && !s3->skip_early_data) {
         early_data = early_data_accepted;
       } else if (!s3->early_data_accepted && !s3->skip_early_data) {
         early_data = early_data_rejected_hrr;
       } else if (!s3->early_data_accepted && s3->skip_early_data) {
         early_data = early_data_skipped;
       } else {
         return false;
       }
     } else if (!s3->early_data_accepted && !s3->skip_early_data) {
       early_data = early_data_not_offered;
     } else {
       return false;
     }
     if (!CBB_add_asn1_octet_string(&seq, hs->client_traffic_secret_0().data(),
                                    hs->client_traffic_secret_0().size()) ||
         !CBB_add_asn1_octet_string(&seq, hs->server_traffic_secret_0().data(),
                                    hs->server_traffic_secret_0().size()) ||
         !CBB_add_asn1_octet_string(&seq, hs->client_handshake_secret().data(),
                                    hs->client_handshake_secret().size()) ||
         !CBB_add_asn1_octet_string(&seq, hs->server_handshake_secret().data(),
                                    hs->server_handshake_secret().size()) ||
         !CBB_add_asn1_octet_string(&seq, hs->secret().data(),
                                    hs->secret().size()) ||
         !CBB_add_asn1_octet_string(&seq, s3->exporter_secret,
                                    s3->exporter_secret_len) ||
         !CBB_add_asn1_bool(&seq, s3->used_hello_retry_request) ||
         !CBB_add_asn1_bool(&seq, hs->accept_psk_mode) ||
         !CBB_add_asn1_int64(&seq, s3->ticket_age_skew) ||
         !CBB_add_asn1_uint64(&seq, s3->early_data_reason) ||
         !CBB_add_asn1_uint64(&seq, early_data)) {
       return false;
     }
     if (early_data == early_data_accepted &&
         !CBB_add_asn1_octet_string(&seq, hs->early_traffic_secret().data(),
                                    hs->early_traffic_secret().size())) {
       return false;
     }
   }
   return CBB_flush(out);
 }
  
 static bool CopyExact(Span<uint8_t> out, const CBS *in) {
   if (CBS_len(in) != out.size()) {
     return false;
   }
   OPENSSL_memcpy(out.data(), CBS_data(in), out.size());
   return true;
 }
  
 bool SSL_apply_handback(SSL *ssl, Span<const uint8_t> handback) {
   if (ssl->do_handshake != nullptr ||
       ssl->method->is_dtls) {
     return false;
   }
  
   SSL3_STATE *const s3 = ssl->s3;
   uint64_t handback_version, unused_token_binding_param, cipher, type_u64;
  
   CBS seq, read_seq, write_seq, server_rand, client_rand, read_iv, write_iv,
       next_proto, alpn, hostname, unused_channel_id, transcript, key_share;
   int session_reused, channel_id_negotiated, cert_request,
       extended_master_secret, ticket_expected, unused_token_binding,
       next_proto_neg_seen;
   SSL_SESSION *session = nullptr;
  
   CBS handback_cbs(handback);
   if (!CBS_get_asn1(&handback_cbs, &seq, CBS_ASN1_SEQUENCE) ||
       !CBS_get_asn1_uint64(&seq, &handback_version) ||
       handback_version != kHandbackVersion ||
       !CBS_get_asn1_uint64(&seq, &type_u64) ||
       type_u64 > handback_max_value) {
     return false;
   }
  
   handback_t type = static_cast<handback_t>(type_u64);
   if (!CBS_get_asn1(&seq, &read_seq, CBS_ASN1_OCTETSTRING) ||
       CBS_len(&read_seq) != sizeof(s3->read_sequence) ||
       !CBS_get_asn1(&seq, &write_seq, CBS_ASN1_OCTETSTRING) ||
       CBS_len(&write_seq) != sizeof(s3->write_sequence) ||
       !CBS_get_asn1(&seq, &server_rand, CBS_ASN1_OCTETSTRING) ||
       CBS_len(&server_rand) != sizeof(s3->server_random) ||
       !CBS_copy_bytes(&server_rand, s3->server_random,
                       sizeof(s3->server_random)) ||
       !CBS_get_asn1(&seq, &client_rand, CBS_ASN1_OCTETSTRING) ||
       CBS_len(&client_rand) != sizeof(s3->client_random) ||
       !CBS_copy_bytes(&client_rand, s3->client_random,
                       sizeof(s3->client_random)) ||
       !CBS_get_asn1(&seq, &read_iv, CBS_ASN1_OCTETSTRING) ||
       !CBS_get_asn1(&seq, &write_iv, CBS_ASN1_OCTETSTRING) ||
       !CBS_get_asn1_bool(&seq, &session_reused) ||
       !CBS_get_asn1_bool(&seq, &channel_id_negotiated)) {
     return false;
   }
  
   s3->hs = ssl_handshake_new(ssl);
   SSL_HANDSHAKE *const hs = s3->hs.get();
   if (!session_reused || type == handback_tls13) {
     hs->new_session =
         SSL_SESSION_parse(&seq, ssl->ctx->x509_method, ssl->ctx->pool);
     session = hs->new_session.get();
   } else {
     ssl->session =
         SSL_SESSION_parse(&seq, ssl->ctx->x509_method, ssl->ctx->pool);
     session = ssl->session.get();
   }
  
   if (!session || !CBS_get_asn1(&seq, &next_proto, CBS_ASN1_OCTETSTRING) ||
       !CBS_get_asn1(&seq, &alpn, CBS_ASN1_OCTETSTRING) ||
       !CBS_get_asn1(&seq, &hostname, CBS_ASN1_OCTETSTRING) ||
       !CBS_get_asn1(&seq, &unused_channel_id, CBS_ASN1_OCTETSTRING) ||
       !CBS_get_asn1_bool(&seq, &unused_token_binding) ||
       !CBS_get_asn1_uint64(&seq, &unused_token_binding_param) ||
       !CBS_get_asn1_bool(&seq, &next_proto_neg_seen) ||
       !CBS_get_asn1_bool(&seq, &cert_request) ||
       !CBS_get_asn1_bool(&seq, &extended_master_secret) ||
       !CBS_get_asn1_bool(&seq, &ticket_expected) ||
       !CBS_get_asn1_uint64(&seq, &cipher)) {
     return false;
   }
   if ((hs->new_cipher =
            SSL_get_cipher_by_value(static_cast<uint16_t>(cipher))) == nullptr) {
     return false;
   }
   if (!CBS_get_asn1(&seq, &transcript, CBS_ASN1_OCTETSTRING) ||
       !CBS_get_asn1(&seq, &key_share, CBS_ASN1_SEQUENCE)) {
     return false;
   }
   CBS client_handshake_secret, server_handshake_secret, client_traffic_secret_0,
       server_traffic_secret_0, secret, exporter_secret, early_traffic_secret;
   if (type == handback_tls13) {
     int used_hello_retry_request, accept_psk_mode;
     uint64_t early_data, early_data_reason;
     int64_t ticket_age_skew;
     if (!CBS_get_asn1(&seq, &client_traffic_secret_0, CBS_ASN1_OCTETSTRING) ||
         !CBS_get_asn1(&seq, &server_traffic_secret_0, CBS_ASN1_OCTETSTRING) ||
         !CBS_get_asn1(&seq, &client_handshake_secret, CBS_ASN1_OCTETSTRING) ||
         !CBS_get_asn1(&seq, &server_handshake_secret, CBS_ASN1_OCTETSTRING) ||
         !CBS_get_asn1(&seq, &secret, CBS_ASN1_OCTETSTRING) ||
         !CBS_get_asn1(&seq, &exporter_secret, CBS_ASN1_OCTETSTRING) ||
         !CBS_get_asn1_bool(&seq, &used_hello_retry_request) ||
         !CBS_get_asn1_bool(&seq, &accept_psk_mode) ||
         !CBS_get_asn1_int64(&seq, &ticket_age_skew) ||
         !CBS_get_asn1_uint64(&seq, &early_data_reason) ||
         early_data_reason > ssl_early_data_reason_max_value ||
         !CBS_get_asn1_uint64(&seq, &early_data) ||
         early_data > early_data_max_value) {
       return false;
     }
     early_data_t early_data_type = static_cast<early_data_t>(early_data);
     if (early_data_type == early_data_accepted &&
         !CBS_get_asn1(&seq, &early_traffic_secret, CBS_ASN1_OCTETSTRING)) {
       return false;
     }
     if (ticket_age_skew > std::numeric_limits<int32_t>::max() ||
         ticket_age_skew < std::numeric_limits<int32_t>::min()) {
       return false;
     }
     s3->ticket_age_skew = static_cast<int32_t>(ticket_age_skew);
     s3->used_hello_retry_request = used_hello_retry_request;
     hs->accept_psk_mode = accept_psk_mode;
  
     s3->early_data_reason =
         static_cast<ssl_early_data_reason_t>(early_data_reason);
     ssl->enable_early_data = s3->early_data_reason != ssl_early_data_disabled;
     s3->skip_early_data = false;
     s3->early_data_accepted = false;
     hs->early_data_offered = false;
     switch (early_data_type) {
       case early_data_not_offered:
         break;
       case early_data_accepted:
         s3->early_data_accepted = true;
         hs->early_data_offered = true;
         hs->can_early_write = true;
         hs->can_early_read = true;
         hs->in_early_data = true;
         break;
       case early_data_rejected_hrr:
         hs->early_data_offered = true;
         break;
       case early_data_skipped:
         s3->skip_early_data = true;
         hs->early_data_offered = true;
         break;
       default:
         return false;
     }
   } else {
     s3->early_data_reason = ssl_early_data_protocol_version;
   }
  
   ssl->version = session->ssl_version;
   s3->have_version = true;
   if (!ssl_method_supports_version(ssl->method, ssl->version) ||
       session->cipher != hs->new_cipher ||
       ssl_protocol_version(ssl) < SSL_CIPHER_get_min_version(session->cipher) ||
       SSL_CIPHER_get_max_version(session->cipher) < ssl_protocol_version(ssl)) {
     return false;
   }
   ssl->do_handshake = ssl_server_handshake;
   ssl->server = true;
   switch (type) {
     case handback_after_session_resumption:
       hs->state = state12_read_change_cipher_spec;
       if (!session_reused) {
         return false;
       }
       break;
     case handback_after_ecdhe:
       hs->state = state12_read_client_certificate;
       if (session_reused) {
         return false;
       }
       break;
     case handback_after_handshake:
       hs->state = state12_finish_server_handshake;
       break;
     case handback_tls13:
       hs->state = state12_tls13;
       hs->tls13_state = state13_send_half_rtt_ticket;
       break;
     default:
       return false;
   }
   s3->session_reused = session_reused;
   hs->channel_id_negotiated = channel_id_negotiated;
   s3->next_proto_negotiated.CopyFrom(next_proto);
   s3->alpn_selected.CopyFrom(alpn);
  
   const size_t hostname_len = CBS_len(&hostname);
   if (hostname_len == 0) {
     s3->hostname.reset();
   } else {
     char *hostname_str = nullptr;
     if (!CBS_strdup(&hostname, &hostname_str)) {
       return false;
     }
     s3->hostname.reset(hostname_str);
   }
  
   hs->next_proto_neg_seen = next_proto_neg_seen;
   hs->wait = ssl_hs_flush;
   hs->extended_master_secret = extended_master_secret;
   hs->ticket_expected = ticket_expected;
   s3->aead_write_ctx->SetVersionIfNullCipher(ssl->version);
   hs->cert_request = cert_request;
  
   if (type != handback_after_handshake &&
       (!hs->transcript.Init() ||
        !hs->transcript.InitHash(ssl_protocol_version(ssl), hs->new_cipher) ||
        !hs->transcript.Update(transcript))) {
     return false;
   }
   if (type == handback_tls13) {
     hs->ResizeSecrets(hs->transcript.DigestLen());
     if (!CopyExact(hs->client_traffic_secret_0(), &client_traffic_secret_0) ||
         !CopyExact(hs->server_traffic_secret_0(), &server_traffic_secret_0) ||
         !CopyExact(hs->client_handshake_secret(), &client_handshake_secret) ||
         !CopyExact(hs->server_handshake_secret(), &server_handshake_secret) ||
         !CopyExact(hs->secret(), &secret) ||
         !CopyExact({s3->exporter_secret, hs->transcript.DigestLen()},
                    &exporter_secret)) {
       return false;
     }
     s3->exporter_secret_len = CBS_len(&exporter_secret);
  
     if (s3->early_data_accepted &&
         !CopyExact(hs->early_traffic_secret(), &early_traffic_secret)) {
       return false;
     }
   }
   Array<uint8_t> key_block;
   switch (type) {
     case handback_after_session_resumption:
       // The write keys are installed after server Finished, but the client
       // keys must wait for ChangeCipherSpec.
       if (!tls1_configure_aead(ssl, evp_aead_seal, &key_block, session,
                                write_iv)) {
         return false;
       }
       break;
     case handback_after_ecdhe:
       // The premaster secret is not yet computed, so install no keys.
       break;
     case handback_after_handshake:
       // The handshake is complete, so both keys are installed.
       if (!tls1_configure_aead(ssl, evp_aead_seal, &key_block, session,
                                write_iv) ||
           !tls1_configure_aead(ssl, evp_aead_open, &key_block, session,
                                read_iv)) {
         return false;
       }
       break;
     case handback_tls13:
       // After server Finished, the application write keys are installed, but
       // none of the read keys. The read keys are installed in the state machine
       // immediately after processing handback.
       if (!tls13_set_traffic_key(ssl, ssl_encryption_application, evp_aead_seal,
                                  hs->new_session.get(),
                                  hs->server_traffic_secret_0())) {
         return false;
       }
       break;
   }
   if (!CopyExact({s3->read_sequence, sizeof(s3->read_sequence)}, &read_seq) ||
       !CopyExact({s3->write_sequence, sizeof(s3->write_sequence)},
                  &write_seq)) {
     return false;
   }
   if (type == handback_after_ecdhe &&
       (hs->key_shares[0] = SSLKeyShare::Create(&key_share)) == nullptr) {
     return false;
   }
   return true;  // Trailing data allowed for extensibility.
 }
  
 BSSL_NAMESPACE_END
  
 using namespace bssl;
  
 int SSL_serialize_capabilities(const SSL *ssl, CBB *out) {
   CBB seq;
   if (!CBB_add_asn1(out, &seq, CBS_ASN1_SEQUENCE) ||
       !serialize_features(&seq) ||  //
       !CBB_flush(out)) {
     return 0;
   }
  
   return 1;
 }
  
 int SSL_request_handshake_hints(SSL *ssl, const uint8_t *client_hello,
                                 size_t client_hello_len,
                                 const uint8_t *capabilities,
                                 size_t capabilities_len) {
   if (SSL_is_dtls(ssl)) {
     OPENSSL_PUT_ERROR(SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
     return 0;
   }
  
   CBS cbs, seq;
   CBS_init(&cbs, capabilities, capabilities_len);
   UniquePtr<SSL_HANDSHAKE_HINTS> hints = MakeUnique<SSL_HANDSHAKE_HINTS>();
   if (hints == nullptr ||
       !CBS_get_asn1(&cbs, &seq, CBS_ASN1_SEQUENCE) ||
       !apply_remote_features(ssl, &seq)) {
     return 0;
   }
  
   SSL3_STATE *const s3 = ssl->s3;
   s3->v2_hello_done = true;
   s3->has_message = true;
  
   Array<uint8_t> client_hello_msg;
   ScopedCBB client_hello_cbb;
   CBB client_hello_body;
   if (!ssl->method->init_message(ssl, client_hello_cbb.get(),
                                  &client_hello_body, SSL3_MT_CLIENT_HELLO) ||
       !CBB_add_bytes(&client_hello_body, client_hello, client_hello_len) ||
       !ssl->method->finish_message(ssl, client_hello_cbb.get(),
                                    &client_hello_msg)) {
     return 0;
   }
  
   s3->hs_buf.reset(BUF_MEM_new());
   if (!s3->hs_buf || !BUF_MEM_append(s3->hs_buf.get(), client_hello_msg.data(),
                                      client_hello_msg.size())) {
     return 0;
   }
  
   s3->hs->hints_requested = true;
   s3->hs->hints = std::move(hints);
   return 1;
 }
  
 // |SSL_HANDSHAKE_HINTS| is serialized as the following ASN.1 structure. We use
 // implicit tagging to make it a little more compact.
 //
 // HandshakeHints ::= SEQUENCE {
 //     serverRandom            [0] IMPLICIT OCTET STRING OPTIONAL,
 //     keyShareHint            [1] IMPLICIT KeyShareHint OPTIONAL,
 //     signatureHint           [2] IMPLICIT SignatureHint OPTIONAL,
 //     -- At most one of decryptedPSKHint or ignorePSKHint may be present. It
 //     -- corresponds to the first entry in pre_shared_keys. TLS 1.2 session
 //     -- tickets will use a separate hint, to ensure the caller does not mix
 //     -- them up.
 //     decryptedPSKHint        [3] IMPLICIT OCTET STRING OPTIONAL,
 //     ignorePSKHint           [4] IMPLICIT NULL OPTIONAL,
 //     compressCertificateHint [5] IMPLICIT CompressCertificateHint OPTIONAL,
 // }
 //
 // KeyShareHint ::= SEQUENCE {
 //     groupId                 INTEGER,
 //     publicKey               OCTET STRING,
 //     secret                  OCTET STRING,
 // }
 //
 // SignatureHint ::= SEQUENCE {
 //     algorithm               INTEGER,
 //     input                   OCTET STRING,
 //     subjectPublicKeyInfo    OCTET STRING,
 //     signature               OCTET STRING,
 // }
 //
 // CompressCertificateHint ::= SEQUENCE {
 //     algorithm               INTEGER,
 //     input                   OCTET STRING,
 //     compressed              OCTET STRING,
 // }
  
 // HandshakeHints tags.
 static const unsigned kServerRandomTag = CBS_ASN1_CONTEXT_SPECIFIC | 0;
 static const unsigned kKeyShareHintTag =
     CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 1;
 static const unsigned kSignatureHintTag =
     CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 2;
 static const unsigned kDecryptedPSKTag = CBS_ASN1_CONTEXT_SPECIFIC | 3;
 static const unsigned kIgnorePSKTag = CBS_ASN1_CONTEXT_SPECIFIC | 4;
 static const unsigned kCompressCertificateTag = CBS_ASN1_CONTEXT_SPECIFIC | 5;
  
 int SSL_serialize_handshake_hints(const SSL *ssl, CBB *out) {
   const SSL_HANDSHAKE *hs = ssl->s3->hs.get();
   if (!ssl->server || !hs->hints_requested) {
     OPENSSL_PUT_ERROR(SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
     return 0;
   }
  
   const SSL_HANDSHAKE_HINTS *hints = hs->hints.get();
   CBB seq, child;
   if (!CBB_add_asn1(out, &seq, CBS_ASN1_SEQUENCE)) {
     return 0;
   }
  
   if (!hints->server_random.empty()) {
     if (!CBB_add_asn1(&seq, &child, kServerRandomTag) ||
         !CBB_add_bytes(&child, hints->server_random.data(),
                        hints->server_random.size())) {
       return 0;
     }
   }
  
   if (hints->key_share_group_id != 0 && !hints->key_share_public_key.empty() &&
       !hints->key_share_secret.empty()) {
     if (!CBB_add_asn1(&seq, &child, kKeyShareHintTag) ||
         !CBB_add_asn1_uint64(&child, hints->key_share_group_id) ||
         !CBB_add_asn1_octet_string(&child, hints->key_share_public_key.data(),
                                    hints->key_share_public_key.size()) ||
         !CBB_add_asn1_octet_string(&child, hints->key_share_secret.data(),
                                    hints->key_share_secret.size())) {
       return 0;
     }
   }
  
   if (hints->signature_algorithm != 0 && !hints->signature_input.empty() &&
       !hints->signature.empty()) {
     if (!CBB_add_asn1(&seq, &child, kSignatureHintTag) ||
         !CBB_add_asn1_uint64(&child, hints->signature_algorithm) ||
         !CBB_add_asn1_octet_string(&child, hints->signature_input.data(),
                                    hints->signature_input.size()) ||
         !CBB_add_asn1_octet_string(&child, hints->signature_spki.data(),
                                    hints->signature_spki.size()) ||
         !CBB_add_asn1_octet_string(&child, hints->signature.data(),
                                    hints->signature.size())) {
       return 0;
     }
   }
  
   if (!hints->decrypted_psk.empty()) {
     if (!CBB_add_asn1(&seq, &child, kDecryptedPSKTag) ||
         !CBB_add_bytes(&child, hints->decrypted_psk.data(),
                        hints->decrypted_psk.size())) {
       return 0;
     }
   }
  
   if (hints->ignore_psk &&  //
       !CBB_add_asn1(&seq, &child, kIgnorePSKTag)) {
     return 0;
   }
  
   if (hints->cert_compression_alg_id != 0 &&
       !hints->cert_compression_input.empty() &&
       !hints->cert_compression_output.empty()) {
     if (!CBB_add_asn1(&seq, &child, kCompressCertificateTag) ||
         !CBB_add_asn1_uint64(&child, hints->cert_compression_alg_id) ||
         !CBB_add_asn1_octet_string(&child, hints->cert_compression_input.data(),
                                    hints->cert_compression_input.size()) ||
         !CBB_add_asn1_octet_string(&child,
                                    hints->cert_compression_output.data(),
                                    hints->cert_compression_output.size())) {
       return 0;
     }
   }
  
   return CBB_flush(out);
 }
  
 int SSL_set_handshake_hints(SSL *ssl, const uint8_t *hints, size_t hints_len) {
   if (SSL_is_dtls(ssl)) {
     OPENSSL_PUT_ERROR(SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
     return 0;
   }
  
   UniquePtr<SSL_HANDSHAKE_HINTS> hints_obj = MakeUnique<SSL_HANDSHAKE_HINTS>();
   if (hints_obj == nullptr) {
     return 0;
   }
  
   CBS cbs, seq, server_random, key_share, signature_hint, ticket, ignore_psk,
       cert_compression;
   int has_server_random, has_key_share, has_signature_hint, has_ticket,
       has_ignore_psk, has_cert_compression;
   CBS_init(&cbs, hints, hints_len);
   if (!CBS_get_asn1(&cbs, &seq, CBS_ASN1_SEQUENCE) ||
       !CBS_get_optional_asn1(&seq, &server_random, &has_server_random,
                              kServerRandomTag) ||
       !CBS_get_optional_asn1(&seq, &key_share, &has_key_share,
                              kKeyShareHintTag) ||
       !CBS_get_optional_asn1(&seq, &signature_hint, &has_signature_hint,
                              kSignatureHintTag) ||
       !CBS_get_optional_asn1(&seq, &ticket, &has_ticket, kDecryptedPSKTag) ||
       !CBS_get_optional_asn1(&seq, &ignore_psk, &has_ignore_psk,
                              kIgnorePSKTag) ||
       !CBS_get_optional_asn1(&seq, &cert_compression, &has_cert_compression,
                              kCompressCertificateTag)) {
     OPENSSL_PUT_ERROR(SSL, SSL_R_COULD_NOT_PARSE_HINTS);
     return 0;
   }
  
   if (has_server_random && !hints_obj->server_random.CopyFrom(server_random)) {
     return 0;
   }
  
   if (has_key_share) {
     uint64_t group_id;
     CBS public_key, secret;
     if (!CBS_get_asn1_uint64(&key_share, &group_id) ||  //
         group_id == 0 || group_id > 0xffff ||
         !CBS_get_asn1(&key_share, &public_key, CBS_ASN1_OCTETSTRING) ||
         !hints_obj->key_share_public_key.CopyFrom(public_key) ||
         !CBS_get_asn1(&key_share, &secret, CBS_ASN1_OCTETSTRING) ||
         !hints_obj->key_share_secret.CopyFrom(secret)) {
       OPENSSL_PUT_ERROR(SSL, SSL_R_COULD_NOT_PARSE_HINTS);
       return 0;
     }
     hints_obj->key_share_group_id = static_cast<uint16_t>(group_id);
   }
  
   if (has_signature_hint) {
     uint64_t sig_alg;
     CBS input, spki, signature;
     if (!CBS_get_asn1_uint64(&signature_hint, &sig_alg) ||  //
         sig_alg == 0 || sig_alg > 0xffff ||
         !CBS_get_asn1(&signature_hint, &input, CBS_ASN1_OCTETSTRING) ||
         !hints_obj->signature_input.CopyFrom(input) ||
         !CBS_get_asn1(&signature_hint, &spki, CBS_ASN1_OCTETSTRING) ||
         !hints_obj->signature_spki.CopyFrom(spki) ||
         !CBS_get_asn1(&signature_hint, &signature, CBS_ASN1_OCTETSTRING) ||
         !hints_obj->signature.CopyFrom(signature)) {
       OPENSSL_PUT_ERROR(SSL, SSL_R_COULD_NOT_PARSE_HINTS);
       return 0;
     }
     hints_obj->signature_algorithm = static_cast<uint16_t>(sig_alg);
   }
  
   if (has_ticket && !hints_obj->decrypted_psk.CopyFrom(ticket)) {
     return 0;
   }
  
   if (has_ignore_psk) {
     if (CBS_len(&ignore_psk) != 0) {
       return 0;
     }
     hints_obj->ignore_psk = true;
   }
  
   if (has_cert_compression) {
     uint64_t alg;
     CBS input, output;
     if (!CBS_get_asn1_uint64(&cert_compression, &alg) ||  //
         alg == 0 || alg > 0xffff ||
         !CBS_get_asn1(&cert_compression, &input, CBS_ASN1_OCTETSTRING) ||
         !hints_obj->cert_compression_input.CopyFrom(input) ||
         !CBS_get_asn1(&cert_compression, &output, CBS_ASN1_OCTETSTRING) ||
         !hints_obj->cert_compression_output.CopyFrom(output)) {
       OPENSSL_PUT_ERROR(SSL, SSL_R_COULD_NOT_PARSE_HINTS);
       return 0;
     }
     hints_obj->cert_compression_alg_id = static_cast<uint16_t>(alg);
   }
  
   ssl->s3->hs->hints = std::move(hints_obj);
   return 1;
 }